diff --git a/go.mod b/go.mod index 515d479a68..91669f8167 100644 --- a/go.mod +++ b/go.mod @@ -20,65 +20,84 @@ require ( github.com/google/go-cmp v0.7.0 github.com/google/gopacket v1.1.19 github.com/istio-ecosystem/sail-operator v0.0.0-20250513111011-30be83268d6b - github.com/openshift/api v0.0.0-20251120154321-0952bf66a5db - github.com/openshift/client-go v0.0.0-20251015124057-db0dee36e235 + github.com/openshift/api v0.0.0-20260602200800-1d79f30d4668 + github.com/openshift/client-go v0.0.0-20251205093018-96a6cbc1420c github.com/openshift/library-go v0.0.0-20251021141706-f489e811f030 github.com/operator-framework/api v0.30.0 github.com/pkg/errors v0.9.1 - github.com/prometheus/client_golang v1.22.0 - github.com/prometheus/common v0.63.0 + github.com/prometheus/client_golang v1.23.2 + github.com/prometheus/common v0.66.1 github.com/spf13/cobra v1.9.1 github.com/stretchr/testify v1.11.1 github.com/summerwind/h2spec v0.0.0-20200804131034-70ac22940108 github.com/tcnksm/go-httpstat v0.2.1-0.20191008022543-e866bb274419 go.uber.org/zap v1.27.0 - golang.org/x/time v0.11.0 + golang.org/x/time v0.14.0 google.golang.org/api v0.126.0 google.golang.org/grpc v1.79.3 gopkg.in/fsnotify.v1 v1.4.7 gopkg.in/yaml.v2 v2.4.0 - k8s.io/api v0.34.1 - k8s.io/apiextensions-apiserver v0.34.1 - k8s.io/apimachinery v0.34.1 - k8s.io/apiserver v0.34.1 - k8s.io/client-go v0.34.1 - k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 - sigs.k8s.io/controller-runtime v0.21.0 - sigs.k8s.io/gateway-api v1.3.0 + k8s.io/api v0.34.3 + k8s.io/apiextensions-apiserver v0.34.3 + k8s.io/apimachinery v0.34.3 + k8s.io/apiserver v0.34.3 + k8s.io/client-go v0.34.3 + k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d + sigs.k8s.io/controller-runtime v0.22.5 // Replaced at bottom of file; see replace directives for actual version used. + sigs.k8s.io/gateway-api v1.4.1 // Replaced at bottom of file; see replace directives for actual version used. ) require ( cloud.google.com/go/compute/metadata v0.9.0 // indirect + dario.cat/mergo v1.0.2 // indirect github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 // indirect github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets v1.3.1 // indirect github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.1.1 // indirect + github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c // indirect github.com/Azure/go-autorest v14.2.0+incompatible // indirect github.com/Azure/go-autorest/autorest/adal v0.9.20 // indirect github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect github.com/Azure/go-autorest/logger v0.2.1 // indirect github.com/Azure/go-autorest/tracing v0.6.0 // indirect github.com/AzureAD/microsoft-authentication-library-for-go v1.3.3 // indirect + github.com/BurntSushi/toml v1.5.0 // indirect + github.com/MakeNowJust/heredoc v1.0.0 // indirect + github.com/Masterminds/goutils v1.1.1 // indirect + github.com/Masterminds/semver/v3 v3.4.0 // indirect + github.com/Masterminds/sprig/v3 v3.3.0 // indirect + github.com/Masterminds/squirrel v1.5.4 // indirect github.com/antlr4-go/antlr/v4 v4.13.1 // indirect github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect github.com/beorn7/perks v1.0.1 // indirect github.com/blang/semver/v4 v4.0.0 // indirect github.com/cespare/xxhash/v2 v2.3.0 // indirect + github.com/chai2010/gettext-go v1.0.3 // indirect github.com/cncf/xds/go v0.0.0-20251210132809-ee656c7534f5 // indirect - github.com/emicklei/go-restful/v3 v3.12.2 // indirect + github.com/containerd/containerd v1.7.27 // indirect + github.com/containerd/errdefs v0.3.0 // indirect + github.com/containerd/log v0.1.0 // indirect + github.com/containerd/platforms v0.2.1 // indirect + github.com/cyphar/filepath-securejoin v0.4.1 // indirect + github.com/emicklei/go-restful/v3 v3.13.0 // indirect github.com/envoyproxy/protoc-gen-validate v1.3.0 // indirect + github.com/evanphx/json-patch v5.9.11+incompatible // indirect github.com/evanphx/json-patch/v5 v5.9.11 // indirect + github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f // indirect github.com/fatih/color v1.18.0 // indirect github.com/fsnotify/fsnotify v1.9.0 // indirect github.com/fxamacker/cbor/v2 v2.9.0 // indirect github.com/gabriel-vasile/mimetype v1.4.3 // indirect + github.com/go-errors/errors v1.5.1 // indirect + github.com/go-gorp/gorp/v3 v3.1.0 // indirect github.com/go-openapi/errors v0.21.0 // indirect - github.com/go-openapi/jsonpointer v0.21.1 // indirect + github.com/go-openapi/jsonpointer v0.21.2 // indirect github.com/go-openapi/jsonreference v0.21.0 // indirect github.com/go-openapi/strfmt v0.22.1 // indirect github.com/go-openapi/swag v0.23.1 // indirect github.com/go-playground/locales v0.14.1 // indirect github.com/go-playground/universal-translator v0.18.1 // indirect github.com/go-playground/validator/v10 v10.19.0 // indirect + github.com/gobwas/glob v0.2.3 // indirect github.com/gogo/protobuf v1.3.2 // indirect github.com/golang-jwt/jwt/v4 v4.5.2 // indirect github.com/golang-jwt/jwt/v5 v5.2.2 // indirect @@ -87,40 +106,69 @@ require ( github.com/google/btree v1.1.3 // indirect github.com/google/gnostic-models v0.7.0 // indirect github.com/google/s2a-go v0.1.4 // indirect + github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect github.com/google/uuid v1.6.0 // indirect github.com/googleapis/enterprise-certificate-proxy v0.2.3 // indirect github.com/googleapis/gax-go/v2 v2.10.0 // indirect github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 // indirect + github.com/gosuri/uitable v0.0.4 // indirect + github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect + github.com/hashicorp/errwrap v1.1.0 // indirect github.com/hashicorp/go-cleanhttp v0.5.2 // indirect + github.com/hashicorp/go-multierror v1.1.1 // indirect github.com/hashicorp/go-retryablehttp v0.7.7 // indirect + github.com/huandu/xstrings v1.5.0 // indirect github.com/imdario/mergo v1.0.0 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect github.com/jmespath/go-jmespath v0.4.0 // indirect + github.com/jmoiron/sqlx v1.4.0 // indirect github.com/josharian/intern v1.0.0 // indirect github.com/josharian/native v1.0.0 // indirect github.com/json-iterator/go v1.1.12 // indirect + github.com/klauspost/compress v1.18.0 // indirect github.com/kylelemons/godebug v1.1.0 // indirect + github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 // indirect + github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect github.com/leodido/go-urn v1.4.0 // indirect + github.com/lib/pq v1.10.9 // indirect + github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect + github.com/magiconair/properties v1.8.9 // indirect github.com/mailru/easyjson v0.9.0 // indirect github.com/mattn/go-colorable v0.1.14 // indirect github.com/mattn/go-isatty v0.0.20 // indirect + github.com/mattn/go-runewidth v0.0.16 // indirect github.com/mdlayher/netlink v1.6.0 // indirect github.com/mdlayher/socket v0.1.1 // indirect + github.com/mitchellh/copystructure v1.2.0 // indirect + github.com/mitchellh/go-wordwrap v1.0.1 // indirect github.com/mitchellh/mapstructure v1.5.0 // indirect + github.com/mitchellh/reflectwalk v1.0.2 // indirect github.com/moby/spdystream v0.5.0 // indirect + github.com/moby/term v0.5.2 // indirect github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect + github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect github.com/oklog/ulid v1.3.1 // indirect + github.com/opencontainers/go-digest v1.0.0 // indirect + github.com/opencontainers/image-spec v1.1.1 // indirect + github.com/peterbourgon/diskv v2.0.1+incompatible // indirect github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect github.com/prometheus/client_model v0.6.2 // indirect - github.com/prometheus/procfs v0.16.1 // indirect + github.com/prometheus/procfs v0.17.0 // indirect + github.com/rivo/uniseg v0.4.7 // indirect github.com/robfig/cron v1.2.0 // indirect + github.com/rubenv/sql-migrate v1.8.0 // indirect + github.com/russross/blackfriday/v2 v2.1.0 // indirect + github.com/santhosh-tekuri/jsonschema/v6 v6.0.2 // indirect + github.com/shopspring/decimal v1.4.0 // indirect github.com/sirupsen/logrus v1.9.3 // indirect - github.com/spf13/pflag v1.0.6 // indirect + github.com/spf13/cast v1.8.0 // indirect + github.com/spf13/pflag v1.0.7 // indirect github.com/x448/float16 v0.8.4 // indirect + github.com/xlab/treeprint v1.2.0 // indirect go.mongodb.org/mongo-driver v1.14.0 // indirect go.opencensus.io v0.24.0 // indirect go.opentelemetry.io/otel v1.39.0 // indirect @@ -129,7 +177,7 @@ require ( go.yaml.in/yaml/v2 v2.4.2 // indirect go.yaml.in/yaml/v3 v3.0.4 // indirect golang.org/x/crypto v0.46.0 // indirect - golang.org/x/exp v0.0.0-20250506013437-ce4c2cf36ca6 // indirect + golang.org/x/exp v0.0.0-20251017212417-90e834f514db // indirect golang.org/x/net v0.48.0 // indirect golang.org/x/oauth2 v0.34.0 // indirect golang.org/x/sync v0.19.0 // indirect @@ -140,15 +188,23 @@ require ( google.golang.org/appengine v1.6.8 // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217 // indirect google.golang.org/protobuf v1.36.10 // indirect - gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect + gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect + gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect - k8s.io/component-base v0.34.1 // indirect + helm.sh/helm/v3 v3.18.6 // indirect + istio.io/istio v0.0.0-20260306174229-7da666217518 // indirect + k8s.io/cli-runtime v0.33.3 // indirect + k8s.io/component-base v0.34.3 // indirect k8s.io/klog/v2 v2.130.1 // indirect k8s.io/kube-aggregator v0.34.1 // indirect - k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b // indirect - sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect + k8s.io/kube-openapi v0.0.0-20250814151709-d7b6acb124c3 // indirect + k8s.io/kubectl v0.33.3 // indirect + oras.land/oras-go/v2 v2.6.0 // indirect + sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect sigs.k8s.io/kube-storage-version-migrator v0.0.6-0.20230721195810-5c8923c5ff96 // indirect + sigs.k8s.io/kustomize/api v0.19.0 // indirect + sigs.k8s.io/kustomize/kyaml v0.19.0 // indirect sigs.k8s.io/randfill v1.0.0 // indirect sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect sigs.k8s.io/yaml v1.6.0 // indirect @@ -157,3 +213,17 @@ require ( // This replace stanza is necessary to import // github.com/istio-ecosystem/sail-operator. replace github.com/imdario/mergo => github.com/imdario/mergo v0.3.5 + +// Pin controller-runtime and gateway-api to 4.21 versions. The sail-operator +// requires controller-runtime 0.22 and gateway-api v1.4.1, but the install +// package only uses basic client CRUD operations unchanged across 0.20-0.22, +// and CRD manifests shipped in this release are v1.3.0. Pinned to minimize +// dependency changes on a post-GA branch, consistent with the 4.20 backport. +replace ( + sigs.k8s.io/controller-runtime => sigs.k8s.io/controller-runtime v0.21.0 + sigs.k8s.io/gateway-api => sigs.k8s.io/gateway-api v1.3.0 +) + +// Use OSSM 3.3.1 for Sail Library integration. +// Replace needed because the fork keeps upstream module name for compatibility. +replace github.com/istio-ecosystem/sail-operator => github.com/openshift-service-mesh/sail-operator v0.0.0-20260327145107-d4059b965c68 diff --git a/go.sum b/go.sum index b1f488e725..b68444199b 100644 --- a/go.sum +++ b/go.sum @@ -2,6 +2,12 @@ cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMT cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= cloud.google.com/go/compute/metadata v0.9.0 h1:pDUj4QMoPejqq20dK0Pg2N4yG9zIkYGdBtwLoEkH9Zs= cloud.google.com/go/compute/metadata v0.9.0/go.mod h1:E0bWwX5wTnLPedCKqk3pJmVgCBSM6qQI1yTBdEb3C10= +dario.cat/mergo v1.0.2 h1:85+piFYR1tMbRrLcDwR18y4UKJ3aH1Tbzi24VRW1TK8= +dario.cat/mergo v1.0.2/go.mod h1:E/hbnu0NxMFBjpMIE34DRGLWqDy0g5FuKDhCb31ngxA= +filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA= +filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4= +github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6 h1:He8afgbRMd7mFxO99hRNu+6tazq8nFF9lIwo9JFroBk= +github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6/go.mod h1:8o94RPi1/7XTJvwPpRSzSUedZrtlirdB3r9Z20bi2f8= github.com/Azure/azure-sdk-for-go/sdk/azcore v1.17.0 h1:g0EZJwz7xkXQiZAI5xi9f3WWFYBlX1CPTrR+NDToRkQ= github.com/Azure/azure-sdk-for-go/sdk/azcore v1.17.0/go.mod h1:XCW7KnZet0Opnr7HccfUw1PLc4CjHqpcaxW8DHklNkQ= github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.2 h1:F0gBpfdPLGsw+nsgk6aqqkZS1jiixa5WwFe3fk/T3Ys= @@ -22,6 +28,8 @@ github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets v1.3.1 h1:mrkD github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets v1.3.1/go.mod h1:hPv41DbqMmnxcGralanA/kVlfdH5jv3T4LxGku2E1BY= github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.1.1 h1:bFWuoEKg+gImo7pvkiQEFAc8ocibADgXeiLAxWhWmkI= github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.1.1/go.mod h1:Vih/3yc6yac2JzU4hzpaDupBJP0Flaia9rXXrU8xyww= +github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c h1:udKWzYgxTojEKWjV8V+WSxDXJ4NFATAsZjh8iIbsQIg= +github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E= github.com/Azure/go-autorest v14.2.0+incompatible h1:V5VMDjClD3GiElqLWO7mz2MxNAK/vTfRHdAubSIPRgs= github.com/Azure/go-autorest v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24= github.com/Azure/go-autorest/autorest v0.11.27 h1:F3R3q42aWytozkV8ihzcgMO4OA4cuqr3bNlsEuF6//A= @@ -47,11 +55,25 @@ github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1/go.mo github.com/AzureAD/microsoft-authentication-library-for-go v1.3.3 h1:H5xDQaE3XowWfhZRUpnfC+rGZMEVoSiji+b+/HFAPU4= github.com/AzureAD/microsoft-authentication-library-for-go v1.3.3/go.mod h1:wP83P5OoQ5p6ip3ScPr0BAq0BvuPAvacpEuSzyouqAI= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= +github.com/BurntSushi/toml v1.5.0 h1:W5quZX/G/csjUnuI8SUYlsHs9M38FC7znL0lIO+DvMg= +github.com/BurntSushi/toml v1.5.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho= +github.com/DATA-DOG/go-sqlmock v1.5.2 h1:OcvFkGmslmlZibjAjaHm3L//6LiuBgolP7OputlJIzU= +github.com/DATA-DOG/go-sqlmock v1.5.2/go.mod h1:88MAG/4G7SMwSE3CeA0ZKzrT5CiOU3OJ+JlNzwDqpNU= github.com/IBM/go-sdk-core/v5 v5.8.0/go.mod h1:+YbdhrjCHC84ls4MeBp+Hj4NZCni+tDAc0XQUqRO9Jc= github.com/IBM/go-sdk-core/v5 v5.17.4 h1:VGb9+mRrnS2HpHZFM5hy4J6ppIWnwNrw0G+tLSgcJLc= github.com/IBM/go-sdk-core/v5 v5.17.4/go.mod h1:KsAAI7eStAWwQa4F96MLy+whYSh39JzNjklZRbN/8ns= github.com/IBM/networking-go-sdk v0.26.0 h1:K/geWMCgg5P0pbaVQ0eZLhim2G6yOZc8rjszbv2Kmzc= github.com/IBM/networking-go-sdk v0.26.0/go.mod h1:tVxXclpQs8nQJYPTr9ZPNC1voaPNQLy8iy/72oVfFtM= +github.com/MakeNowJust/heredoc v1.0.0 h1:cXCdzVdstXyiTqTvfqk9SDHpKNjxuom+DOlyEeQ4pzQ= +github.com/MakeNowJust/heredoc v1.0.0/go.mod h1:mG5amYoWBHf8vpLOuehzbGGw0EHxpZZ6lCpQ4fNJ8LE= +github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI= +github.com/Masterminds/goutils v1.1.1/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU= +github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0= +github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM= +github.com/Masterminds/sprig/v3 v3.3.0 h1:mQh0Yrg1XPo6vjYXgtf5OtijNAKJRNcTdOOGZe3tPhs= +github.com/Masterminds/sprig/v3 v3.3.0/go.mod h1:Zy1iXRYNqNLUolqCpL4uhk6SHUMAOSCzdgBfDb35Lz0= +github.com/Masterminds/squirrel v1.5.4 h1:uUcX/aBc8O7Fg9kaISIUsHXdKuqehiXAMQTYX8afzqM= +github.com/Masterminds/squirrel v1.5.4/go.mod h1:NNaOrjSoIDfDA40n7sr2tPNZRfjzjA400rg+riTZj10= github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY= github.com/antlr4-go/antlr/v4 v4.13.1 h1:SqQKkuVZ+zWkMMNkjy5FZe5mr5WURWnlpmOuzYWrPrQ= github.com/antlr4-go/antlr/v4 v4.13.1/go.mod h1:GKmUxMtwp6ZgGwZSva4eWPC5mS6vUAmOABFgjdkM7Nw= @@ -67,10 +89,18 @@ github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM= github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ= +github.com/bshuster-repo/logrus-logstash-hook v1.0.0 h1:e+C0SB5R1pu//O4MQ3f9cFuPGoOVeF2fE4Og9otCc70= +github.com/bshuster-repo/logrus-logstash-hook v1.0.0/go.mod h1:zsTqEiSzDgAa/8GZR7E1qaXrhYNDKBYy5/dWPTIflbk= +github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8= +github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE= +github.com/cenkalti/backoff/v5 v5.0.2 h1:rIfFVxEf1QsI7E1ZHfp/B4DF/6QBAUhmgkxc0H7Zss8= +github.com/cenkalti/backoff/v5 v5.0.2/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs= github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= +github.com/chai2010/gettext-go v1.0.3 h1:9liNh8t+u26xl5ddmWLmsOsdNLwkdRTg5AG+JnTiM80= +github.com/chai2010/gettext-go v1.0.3/go.mod h1:y+wnP2cHYaVj19NZhYKAwEMH2CI1gNHeQQ+5AjwawxA= github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= @@ -80,16 +110,42 @@ github.com/cncf/xds/go v0.0.0-20210922020428-25de7278fc84/go.mod h1:eXthEFrGJvWH github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= github.com/cncf/xds/go v0.0.0-20251210132809-ee656c7534f5 h1:6xNmx7iTtyBRev0+D/Tv1FZd4SCg8axKApyNyRsAt/w= github.com/cncf/xds/go v0.0.0-20251210132809-ee656c7534f5/go.mod h1:KdCmV+x/BuvyMxRnYBlmVaq4OLiKW6iRQfvC62cvdkI= +github.com/containerd/containerd v1.7.27 h1:yFyEyojddO3MIGVER2xJLWoCIn+Up4GaHFquP7hsFII= +github.com/containerd/containerd v1.7.27/go.mod h1:xZmPnl75Vc+BLGt4MIfu6bp+fy03gdHAn9bz+FreFR0= +github.com/containerd/errdefs v0.3.0 h1:FSZgGOeK4yuT/+DnF07/Olde/q4KBoMsaamhXxIMDp4= +github.com/containerd/errdefs v0.3.0/go.mod h1:+YBYIdtsnF4Iw6nWZhJcqGSg/dwvV7tyJ/kCkyJ2k+M= +github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I= +github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo= +github.com/containerd/platforms v0.2.1 h1:zvwtM3rz2YHPQsF2CHYM8+KtB5dvhISiXh5ZpSBQv6A= +github.com/containerd/platforms v0.2.1/go.mod h1:XHCb+2/hzowdiut9rkudds9bE5yJ7npe7dG/wG+uFPw= +github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8iXXhfZs= +github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= +github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY= +github.com/creack/pty v1.1.18/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4= +github.com/cyphar/filepath-securejoin v0.4.1 h1:JyxxyPEaktOD+GAnqIqTf9A8tHyAG22rowi7HkoSU1s= +github.com/cyphar/filepath-securejoin v0.4.1/go.mod h1:Sdj7gXlvMcPZsbhwhQ33GguGLDGQL7h7bg04C/+u9jI= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/rVNCu3HqELle0jiPLLBs70cWOduZpkS1E78= github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc= -github.com/emicklei/go-restful/v3 v3.12.2 h1:DhwDP0vY3k8ZzE0RunuJy8GhNpPL6zqLkDf9B/a0/xU= -github.com/emicklei/go-restful/v3 v3.12.2/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= +github.com/distribution/distribution/v3 v3.0.0 h1:q4R8wemdRQDClzoNNStftB2ZAfqOiN6UX90KJc4HjyM= +github.com/distribution/distribution/v3 v3.0.0/go.mod h1:tRNuFoZsUdyRVegq8xGNeds4KLjwLCRin/tTo6i1DhU= +github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk= +github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E= +github.com/dlclark/regexp2 v1.11.0 h1:G/nrcoOa7ZXlpoa/91N3X7mM3r8eIlMBBJZvsz/mxKI= +github.com/dlclark/regexp2 v1.11.0/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8= +github.com/docker/docker-credential-helpers v0.9.3 h1:gAm/VtF9wgqJMoxzT3Gj5p4AqIjCBS4wrsOh9yRqcz8= +github.com/docker/docker-credential-helpers v0.9.3/go.mod h1:x+4Gbw9aGmChi3qTLZj8Dfn0TD20M/fuWy0E5+WDeCo= +github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c h1:+pKlWGMw7gf6bQ+oDZB4KHQFypsfjYlq/C4rfL7D3g8= +github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c/go.mod h1:Uw6UezgYA44ePAFQYUehOuCzmy5zmg/+nl2ZfMWGkpA= +github.com/docker/go-metrics v0.0.1 h1:AgB/0SvBxihN0X8OR4SjsblXkbMvalQ8cjmtKQ2rQV8= +github.com/docker/go-metrics v0.0.1/go.mod h1:cG1hvH2utMXtqgqqYE9plW6lDxS3/5ayHzueweSI3Vw= +github.com/emicklei/go-restful/v3 v3.13.0 h1:C4Bl2xDndpU6nJ4bc1jXd+uTmYPVUwkD6bFY/oTyCes= +github.com/emicklei/go-restful/v3 v3.13.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= @@ -98,15 +154,23 @@ github.com/envoyproxy/go-control-plane v0.9.10-0.20210907150352-cf90f659a021/go. github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= github.com/envoyproxy/protoc-gen-validate v1.3.0 h1:TvGH1wof4H33rezVKWSpqKz5NXWg5VPuZ0uONDT6eb4= github.com/envoyproxy/protoc-gen-validate v1.3.0/go.mod h1:HvYl7zwPa5mffgyeTUHA9zHIH36nmrm7oCbo4YKoSWA= -github.com/evanphx/json-patch v5.9.0+incompatible h1:fBXyNpNMuTTDdquAq/uisOr2lShz4oaXpDTX2bLe7ls= -github.com/evanphx/json-patch v5.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= +github.com/evanphx/json-patch v5.9.11+incompatible h1:ixHHqfcGvxhWkniF1tWxBHA0yb4Z+d1UQi45df52xW8= +github.com/evanphx/json-patch v5.9.11+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= github.com/evanphx/json-patch/v5 v5.9.11 h1:/8HVnzMq13/3x9TPvjG08wUGqBTmZBsCWzjTM0wiaDU= github.com/evanphx/json-patch/v5 v5.9.11/go.mod h1:3j+LviiESTElxA4p3EMKAB9HXj3/XEtnUf6OZxqIQTM= +github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f h1:Wl78ApPPB2Wvf/TIe2xdyJxTlb6obmF18d8QdkxNDu4= +github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f/go.mod h1:OSYXu++VVOHnXeitef/D8n/6y4QV8uLHSFXX4NeXMGc= github.com/fatih/color v0.0.0-20161025120501-bf82308e8c85/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= github.com/fatih/color v1.18.0 h1:S8gINlzdQ840/4pfAwic/ZE0djQEH3wM94VfqLTZcOM= github.com/fatih/color v1.18.0/go.mod h1:4FelSpRwEGDpQ12mAdzqdOukCy4u8WUtOY6lkT/6HfU= +github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg= +github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= github.com/florianl/go-nfqueue v1.3.2 h1:8DPzhKJHywpHJAE/4ktgcqveCL7qmMLsEsVD68C4x4I= github.com/florianl/go-nfqueue v1.3.2/go.mod h1:eSnAor2YCfMCVYrVNEhkLGN/r1L+J4uDjc0EUy0tfq4= +github.com/foxcpp/go-mockdns v1.1.0 h1:jI0rD8M0wuYAxL7r/ynTrCQQq0BVqfB99Vgk7DlmewI= +github.com/foxcpp/go-mockdns v1.1.0/go.mod h1:IhLeSFGed3mJIAXPH2aiRQB+kqz7oqu8ld2qVbOu7Wk= +github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8= +github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0= github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ= github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S9k= @@ -116,6 +180,10 @@ github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj2 github.com/gabriel-vasile/mimetype v1.4.3 h1:in2uUcidCuFcDKtdcBxlR0rJ1+fsokWf+uqxgUFjbI0= github.com/gabriel-vasile/mimetype v1.4.3/go.mod h1:d8uq/6HKRL6CGdk+aubisF/M5GcPfT7nKyLpA0lbSSk= github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= +github.com/go-errors/errors v1.5.1 h1:ZwEMSLRCapFLflTpT7NKaAc7ukJ8ZPEjzlxt8rPN8bk= +github.com/go-errors/errors v1.5.1/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og= +github.com/go-gorp/gorp/v3 v3.1.0 h1:ItKF/Vbuj31dmV4jxA1qblpSwkl9g1typ24xoe70IGs= +github.com/go-gorp/gorp/v3 v3.1.0/go.mod h1:dLEjIyyRNiXvNZ8PSmzpt1GsWAUK8kjVhEpjH8TixEw= github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI= github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag= @@ -125,8 +193,8 @@ github.com/go-logr/zapr v1.3.0/go.mod h1:YKepepNBd1u/oyhd/yQmtjVXmm9uML4IXUgMOwR github.com/go-openapi/errors v0.19.8/go.mod h1:cM//ZKUKyO06HSwqAelJ5NsEMMcpa6VpXe8DOa1Mi1M= github.com/go-openapi/errors v0.21.0 h1:FhChC/duCnfoLj1gZ0BgaBmzhJC2SL/sJr8a2vAobSY= github.com/go-openapi/errors v0.21.0/go.mod h1:jxNTMUxRCKj65yb/okJGEtahVd7uvWnuWfj53bse4ho= -github.com/go-openapi/jsonpointer v0.21.1 h1:whnzv/pNXtK2FbX/W9yJfRmE2gsmkfahjMKB0fZvcic= -github.com/go-openapi/jsonpointer v0.21.1/go.mod h1:50I1STOfbY1ycR8jGz8DaMeLCdXiI6aDteEdRNNzpdk= +github.com/go-openapi/jsonpointer v0.21.2 h1:AqQaNADVwq/VnkCmQg6ogE+M3FOsKTytwges0JdwVuA= +github.com/go-openapi/jsonpointer v0.21.2/go.mod h1:50I1STOfbY1ycR8jGz8DaMeLCdXiI6aDteEdRNNzpdk= github.com/go-openapi/jsonreference v0.21.0 h1:Rs+Y7hSXT83Jacb7kFyjn4ijOuVGSvOdF2+tg1TRrwQ= github.com/go-openapi/jsonreference v0.21.0/go.mod h1:LmZmgsrTkVg9LG4EaHeY8cBDslNPMo06cago5JNLkm4= github.com/go-openapi/strfmt v0.20.2/go.mod h1:43urheQI9dNtE5lTZQfuFJvjYJKPrxicATpEfZwHUNk= @@ -145,6 +213,8 @@ github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91 github.com/go-playground/validator/v10 v10.19.0 h1:ol+5Fu+cSq9JD7SoSqe04GMI92cbn0+wvQ3bZ8b/AU4= github.com/go-playground/validator/v10 v10.19.0/go.mod h1:dbuPbCMFw/DrkbEynArYaCwl3amGuJotoKCe95atGMM= github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg= +github.com/go-sql-driver/mysql v1.8.1 h1:LedoTUt/eveggdHS9qUFC1EFSa8bU2+1pZjSRpvNJ1Y= +github.com/go-sql-driver/mysql v1.8.1/go.mod h1:wEBSXgmK//2ZFJyE+qWnIsVGmvmEKlqwuVSjsCm7DZg= github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI= @@ -173,6 +243,8 @@ github.com/gobuffalo/packd v0.1.0/go.mod h1:M2Juc+hhDXf/PnmBANFCqx4DM3wRbgDvnVWe github.com/gobuffalo/packr/v2 v2.0.9/go.mod h1:emmyGweYTm6Kdper+iywB6YK5YzuKchGtJQZ0Odn4pQ= github.com/gobuffalo/packr/v2 v2.2.0/go.mod h1:CaAwI0GPIAv+5wKLtv8Afwl+Cm78K/I/VCm/3ptBN+0= github.com/gobuffalo/syncx v0.0.0-20190224160051-33c29581e754/go.mod h1:HhnNqWY95UYwwW3uSASeV7vtgYkT2t16hJgV3AEPUpw= +github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y= +github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= @@ -223,10 +295,12 @@ github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/gopacket v1.1.19 h1:ves8RnFZPGiFnTS0uPQStjwru6uO6h+nlr9j6fL7kF8= github.com/google/gopacket v1.1.19/go.mod h1:iJ8V8n6KS+z2U1A8pUwu8bW5SyEMkXJB8Yo/Vo+TKTo= -github.com/google/pprof v0.0.0-20250501235452-c0086092b71a h1:rDA3FfmxwXR+BVKKdz55WwMJ1pD2hJQNW31d+l3mPk4= -github.com/google/pprof v0.0.0-20250501235452-c0086092b71a/go.mod h1:5hDyRhoBCxViHszMt12TnOpEI4VVi+U8Gm9iphldiMA= +github.com/google/pprof v0.0.0-20250607225305-033d6d78b36a h1://KbezygeMJZCSHH+HgUZiTeSoiuFspbMg1ge+eFj18= +github.com/google/pprof v0.0.0-20250607225305-033d6d78b36a/go.mod h1:5hDyRhoBCxViHszMt12TnOpEI4VVi+U8Gm9iphldiMA= github.com/google/s2a-go v0.1.4 h1:1kZ/sQM3srePvKs3tXAvQzo66XfcReoqFpIpIccE7Oc= github.com/google/s2a-go v0.1.4/go.mod h1:Ej+mSEMGRnqRzjc7VtF+jdBwYG5fuJfiZ8ELkjEwM0A= +github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4= +github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ= github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= @@ -235,30 +309,55 @@ github.com/googleapis/enterprise-certificate-proxy v0.2.3 h1:yk9/cqRKtT9wXZSsRH9 github.com/googleapis/enterprise-certificate-proxy v0.2.3/go.mod h1:AwSRAtLfXpU5Nm3pW+v7rGDHp09LsPtGY9MduiEsR9k= github.com/googleapis/gax-go/v2 v2.10.0 h1:ebSgKfMxynOdxw8QQuFOKMgomqeLGPqNLQox2bo42zg= github.com/googleapis/gax-go/v2 v2.10.0/go.mod h1:4UOEnMCrxsSqQ940WnTiD6qJ63le2ev3xfyagutxiPw= +github.com/gorilla/handlers v1.5.2 h1:cLTUSsNkgcwhgRqvCNmdbRWG0A3N4F+M2nWKdScwyEE= +github.com/gorilla/handlers v1.5.2/go.mod h1:dX+xVpaxdSw+q0Qek8SSsl3dfMk3jNddUkMzo0GtH0w= +github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY= +github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ= github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 h1:JeSE6pjso5THxAzdVpqr6/geYxZytqFMBCOtn/ujyeo= github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674/go.mod h1:r4w70xmWCQKmi1ONH4KIaBptdivuRPyosB9RmPlGEwA= +github.com/gosuri/uitable v0.0.4 h1:IG2xLKRvErL3uhY6e1BylFzG+aJiwQviDDTfOKeKTpY= +github.com/gosuri/uitable v0.0.4/go.mod h1:tKR86bXuXPZazfOTG1FIzvjIdXzd0mo4Vtn16vt0PJo= +github.com/grafana/regexp v0.0.0-20240518133315-a468a5bfb3bc h1:GN2Lv3MGO7AS6PrRoT6yV5+wkrOpcszoIsO4+4ds248= +github.com/grafana/regexp v0.0.0-20240518133315-a468a5bfb3bc/go.mod h1:+JKpmjMGhpgPL+rXZ5nsZieVzvarn86asRlBg4uNGnk= +github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 h1:+ngKgrYPPJrOjhax5N+uePQ0Fh1Z7PheYoUI/0nzkPA= +github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= +github.com/grpc-ecosystem/grpc-gateway v1.16.0 h1:gmcG1KaJ57LophUzW0Hy8NmPhnMZb4M0+kPpLofRdBo= github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.1 h1:X5VWvz21y3gzm9Nw/kaUeku/1+uBhcekkmy4IkffJww= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.1/go.mod h1:Zanoh4+gvIgluNqcfMVTJueD4wSS5hT7zTt4Mrutd90= +github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= +github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I= +github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80= github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ= github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48= github.com/hashicorp/go-hclog v0.9.2/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ= github.com/hashicorp/go-hclog v1.6.3 h1:Qr2kF+eVWjTiYmU7Y31tYlP1h0q/X3Nl3tPGdaB11/k= github.com/hashicorp/go-hclog v1.6.3/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M= +github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo= +github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM= github.com/hashicorp/go-retryablehttp v0.7.0/go.mod h1:vAew36LZh98gCBJNLH42IQ1ER/9wtLZZ8meHqQvEYWY= github.com/hashicorp/go-retryablehttp v0.7.7 h1:C8hUCYzor8PIfXHa4UrZkU4VvK8o9ISHxT2Q8+VepXU= github.com/hashicorp/go-retryablehttp v0.7.7/go.mod h1:pkQpWZeYWskR+D1tR2O5OcBFOxfA7DoAO6xtkuQnHTk= +github.com/hashicorp/golang-lru v0.5.4 h1:YDjusn29QI/Das2iO9M0BHnIbxPeyuCHsjMW+lJfyTc= +github.com/hashicorp/golang-lru/arc/v2 v2.0.5 h1:l2zaLDubNhW4XO3LnliVj0GXO3+/CGNJAg1dcN2Fpfw= +github.com/hashicorp/golang-lru/arc/v2 v2.0.5/go.mod h1:ny6zBSQZi2JxIeYcv7kt2sH2PXJtirBN7RDhRpxPkxU= +github.com/hashicorp/golang-lru/v2 v2.0.7 h1:a+bsQ5rvGLjzHuww6tVxozPZFVghXaHOwFs4luLUK2k= +github.com/hashicorp/golang-lru/v2 v2.0.7/go.mod h1:QeFd9opnmA6QUJc5vARoKUSoFhyfM2/ZepoAG6RGpeM= github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= +github.com/huandu/xstrings v1.5.0 h1:2ag3IFq9ZDANvthTwTiqSSZLjDc+BedvHPAp5tJy2TI= +github.com/huandu/xstrings v1.5.0/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE= github.com/imdario/mergo v0.3.5 h1:JboBksRwiiAJWvIYJVo46AfV+IAIKZpfrSzVKj42R4Q= github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= -github.com/istio-ecosystem/sail-operator v0.0.0-20250513111011-30be83268d6b h1:jQokaEG8FFjsl7DQ6sb/pEMemZonFQ6Uu1puaCyXzF0= -github.com/istio-ecosystem/sail-operator v0.0.0-20250513111011-30be83268d6b/go.mod h1:Es2YI34zqMGgV0gpf+KM5SaXMNcJ+9BnFMUSE32atcM= github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg= github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo= github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8= github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U= +github.com/jmoiron/sqlx v1.4.0 h1:1PLqN7S1UYp5t4SrVVnt4nUVNemrDAtxlulVe+Qgm3o= +github.com/jmoiron/sqlx v1.4.0/go.mod h1:ZrZ7UsYB/weZdl2Bxg6jCRO9c3YHl8r3ahlKmRT4JLY= github.com/joho/godotenv v1.3.0 h1:Zjp+RcGpHhGlrMbJzXTrZZPrWj+1vfm90La1wgB6Bhc= github.com/joho/godotenv v1.3.0/go.mod h1:7hK45KPybAkOC6peb+G5yklZfMxEjkZhHbwpqxOKXbg= github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= @@ -269,6 +368,8 @@ github.com/jpillora/backoff v1.0.0 h1:uvFg412JmmHBHw7iwprIxkPMI+sGQ4kzOWsMeHnm2E github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4= github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= +github.com/k8snetworkplumbingwg/network-attachment-definition-client v1.4.0 h1:VzM3TYHDgqPkettiP6I6q2jOeQFL4nrJM+UcAc4f6Fs= +github.com/k8snetworkplumbingwg/network-attachment-definition-client v1.4.0/go.mod h1:nqCI7aelBJU61wiBeeZWJ6oi4bJy5nrjkM6lWIMA4j0= github.com/karrick/godirwalk v1.8.0/go.mod h1:H5KPZjojv4lE+QYImBI8xVtrBRgYrIVsaRPx4tDPEn4= github.com/karrick/godirwalk v1.10.3/go.mod h1:RoGL9dQei4vP9ilrpETWE8CLOZ1kiN0LhBygSwrAsHA= github.com/keybase/go-keychain v0.0.0-20231219164618-57a3676c3af6 h1:IsMZxCuZqKuao2vNdfD82fjjgPLfyHLpR41Z88viRWs= @@ -289,9 +390,19 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc= github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= +github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 h1:SOEGU9fKiNWd/HOJuq6+3iTQz8KNCLtVX6idSoTLdUw= +github.com/lann/builder v0.0.0-20180802200727-47ae307949d0/go.mod h1:dXGbAdH5GtBTC4WfIxhKZfyBF/HBFgRZSWwZ9g/He9o= +github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 h1:P6pPBnrTSX3DEVR4fDembhRWSsG5rVo6hYhAB/ADZrk= +github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0/go.mod h1:vmVJ0l/dxyfGW6FmdpVm2joNMFikkuWg0EoCKLGUMNw= github.com/leodido/go-urn v1.2.0/go.mod h1:+8+nEpDfqqsY+g338gtMEUOtuK+4dEMhiQEgxpxOKII= github.com/leodido/go-urn v1.4.0 h1:WT9HwE9SGECu3lg4d/dIA+jxlljEa1/ffXKmRjqdmIQ= github.com/leodido/go-urn v1.4.0/go.mod h1:bvxc+MVxLKB4z00jd1z+Dvzr47oO32F/QSNjSBOlFxI= +github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw= +github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= +github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de h1:9TO3cAIGXtEhnIaL+V+BEER86oLrvS+kWobKpbJuye0= +github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de/go.mod h1:zAbeS9B/r2mtpb6U+EI2rYA5OAXxsYw6wTamcNW+zcE= +github.com/magiconair/properties v1.8.9 h1:nWcCbLq1N2v/cpNsy5WvQ37Fb+YElfq20WJ/a8RkpQM= +github.com/magiconair/properties v1.8.9/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0= github.com/mailru/easyjson v0.9.0 h1:PrnmzHw7262yW8sTBwxi1PdJA3Iw/EKBa8psRf7d9a4= github.com/mailru/easyjson v0.9.0/go.mod h1:1+xMtQp2MRNVL/V1bOzuP3aP8VNwRW55fQUto+XFtTU= github.com/markbates/oncer v0.0.0-20181203154359-bf2de49a0be2/go.mod h1:Ld9puTsIW75CHf65OeIOkyKbteujpZVXDpWK6YGZbxE= @@ -302,21 +413,37 @@ github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stg github.com/mattn/go-isatty v0.0.4/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4= github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY= github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= +github.com/mattn/go-runewidth v0.0.16 h1:E5ScNMtiwvlvB5paMFdw9p4kSQzbXFikJ5SQO6TULQc= +github.com/mattn/go-runewidth v0.0.16/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w= +github.com/mattn/go-sqlite3 v1.14.22 h1:2gZY6PC6kBnID23Tichd1K+Z0oS6nE/XwU+Vz/5o4kU= +github.com/mattn/go-sqlite3 v1.14.22/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y= github.com/mdlayher/netlink v1.6.0 h1:rOHX5yl7qnlpiVkFWoqccueppMtXzeziFjWAjLg6sz0= github.com/mdlayher/netlink v1.6.0/go.mod h1:0o3PlBmGst1xve7wQ7j/hwpNaFaH4qCRyWCdcZk8/vA= github.com/mdlayher/socket v0.1.1 h1:q3uOGirUPfAV2MUoaC7BavjQ154J7+JOkTWyiV+intI= github.com/mdlayher/socket v0.1.1/go.mod h1:mYV5YIZAfHh4dzDVzI8x8tWLWCliuX8Mon5Awbj+qDs= +github.com/miekg/dns v1.1.68 h1:jsSRkNozw7G/mnmXULynzMNIsgY2dHC8LO6U6Ij2JEA= +github.com/miekg/dns v1.1.68/go.mod h1:fujopn7TB3Pu3JM69XaawiU0wqjpL9/8xGop5UrTPps= +github.com/mitchellh/copystructure v1.2.0 h1:vpKXTN4ewci03Vljg/q9QvCGUDttBOGBIa15WveJJGw= +github.com/mitchellh/copystructure v1.2.0/go.mod h1:qLl+cE2AmVv+CoeAwDPye/v+N2HKCj9FbZEVFJRxO9s= +github.com/mitchellh/go-wordwrap v1.0.1 h1:TLuKupo69TCn6TQSyGxwI1EblZZEsQ0vMlAFQflz0v0= +github.com/mitchellh/go-wordwrap v1.0.1/go.mod h1:R62XHJLzvMFRBbcrT7m7WgmE1eOyTSsCt+hzestvNj0= github.com/mitchellh/mapstructure v1.3.3/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY= github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= +github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ= +github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw= github.com/moby/spdystream v0.5.0 h1:7r0J1Si3QO/kjRitvSLVVFUjxMEb/YLj6S9FF62JBCU= github.com/moby/spdystream v0.5.0/go.mod h1:xBAYlnt/ay+11ShkdFKNAG7LsyK/tmNBVvVOwrfMgdI= +github.com/moby/term v0.5.2 h1:6qk3FJAFDs6i/q3W/pQ97SX192qKfZgGjCQqfCJkgzQ= +github.com/moby/term v0.5.2/go.mod h1:d3djjFCrjnB+fl8NJux+EJzu0msscUP+f8it8hPkFLc= github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee h1:W5t00kpgFdJifH4BDsTlE89Zl93FEloxaWZfGcifgq8= github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= +github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 h1:n6/2gBQ3RWajuToeY6ZtZTIKv2v7ThUy5KKusIT0yc0= +github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00/go.mod h1:Pm3mSP3c5uWn86xMLZ5Sa7JB9GsEZySvHYXCTK4E9q4= github.com/montanaflynn/stats v0.0.0-20171201202039-1bf9dbcd8cbe/go.mod h1:wL8QJuTMNUDYhXwkmfOly8iTdp5TEcJFWZD2D7SIkUc= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= @@ -335,22 +462,32 @@ github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108 github.com/onsi/ginkgo v1.14.2/go.mod h1:iSB4RoI2tjJc9BBv4NKIKWKya62Rps+oPG/Lv9klQyY= github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE= github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU= -github.com/onsi/ginkgo/v2 v2.23.4 h1:ktYTpKJAVZnDT4VjxSbiBenUjmlL/5QkBEocaWXiQus= -github.com/onsi/ginkgo/v2 v2.23.4/go.mod h1:Bt66ApGPBFzHyR+JO10Zbt0Gsp4uWxu5mIOTusL46e8= +github.com/onsi/ginkgo/v2 v2.25.1 h1:Fwp6crTREKM+oA6Cz4MsO8RhKQzs2/gOIVOUscMAfZY= +github.com/onsi/ginkgo/v2 v2.25.1/go.mod h1:ppTWQ1dh9KM/F1XgpeRqelR+zHVwV81DGRSDnFxK7Sk= github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= github.com/onsi/gomega v1.10.5/go.mod h1:gza4q3jKQJijlu05nKWRCW/GavJumGt8aNRxWg7mt48= -github.com/onsi/gomega v1.37.0 h1:CdEG8g0S133B4OswTDC/5XPSzE1OeP29QOioj2PID2Y= -github.com/onsi/gomega v1.37.0/go.mod h1:8D9+Txp43QWKhM24yyOBEdpkzN8FvJyAwecBgsU4KU0= -github.com/openshift/api v0.0.0-20251120154321-0952bf66a5db h1:PlacUG7XpFA+5UTHgCE5qCLXMQop+QVDgMePMasMzEQ= -github.com/openshift/api v0.0.0-20251120154321-0952bf66a5db/go.mod h1:d5uzF0YN2nQQFA0jIEWzzOZ+edmo6wzlGLvx5Fhz4uY= -github.com/openshift/client-go v0.0.0-20251015124057-db0dee36e235 h1:9JBeIXmnHlpXTQPi7LPmu1jdxznBhAE7bb1K+3D8gxY= -github.com/openshift/client-go v0.0.0-20251015124057-db0dee36e235/go.mod h1:L49W6pfrZkfOE5iC1PqEkuLkXG4W0BX4w8b+L2Bv7fM= +github.com/onsi/gomega v1.38.2 h1:eZCjf2xjZAqe+LeWvKb5weQ+NcPwX84kqJ0cZNxok2A= +github.com/onsi/gomega v1.38.2/go.mod h1:W2MJcYxRGV63b418Ai34Ud0hEdTVXq9NW9+Sx6uXf3k= +github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= +github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= +github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040= +github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M= +github.com/openshift-service-mesh/sail-operator v0.0.0-20260327145107-d4059b965c68 h1:qbJWOmvwtzZJT6u7b2HHMF3g0wWvbcYmv9keKcJlb+k= +github.com/openshift-service-mesh/sail-operator v0.0.0-20260327145107-d4059b965c68/go.mod h1:l5/9fIFLMnrArPGvg49DBrWZzi8LojS5OcGe9nJeeI4= +github.com/openshift/api v0.0.0-20260602200800-1d79f30d4668 h1:aQdvqyCvjYYz+lRYimcht9II7PrabeZfrh5VfGxDA6I= +github.com/openshift/api v0.0.0-20260602200800-1d79f30d4668/go.mod h1:d5uzF0YN2nQQFA0jIEWzzOZ+edmo6wzlGLvx5Fhz4uY= +github.com/openshift/client-go v0.0.0-20251205093018-96a6cbc1420c h1:TBE0Gl+oCo/SNEhLKZQNNH/SWHXrpGyhAw7P0lAqdHg= +github.com/openshift/client-go v0.0.0-20251205093018-96a6cbc1420c/go.mod h1:IsynOWZAfdH+BgWimcFQRtI41Id9sgdhsCEjIk8ACLw= github.com/openshift/library-go v0.0.0-20251021141706-f489e811f030 h1:dbv8ZYDWIl22A5WBjQJTKeENM08f8HwMBuv8glDXO/0= github.com/openshift/library-go v0.0.0-20251021141706-f489e811f030/go.mod h1:OlFFws1AO51uzfc48MsStGE4SFMWlMZD0+f5a/zCtKI= github.com/operator-framework/api v0.30.0 h1:44hCmGnEnZk/Miol5o44dhSldNH0EToQUG7vZTl29kk= github.com/operator-framework/api v0.30.0/go.mod h1:FYxAPhjtlXSAty/fbn5YJnFagt6SpJZJgFNNbvDe5W0= github.com/pelletier/go-toml v1.7.0/go.mod h1:vwGMzjaWMwyfHwgIBhI2YUM4fB6nL6lVAvS1LBMMhTE= +github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+vxiaj6gdUUzhl4XmI= +github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= +github.com/phayes/freeport v0.0.0-20220201140144-74d24b5ae9f5 h1:Ii+DKncOVM8Cu1Hc+ETb5K+23HdAMvESYE3ZJ5b5cMI= +github.com/phayes/freeport v0.0.0-20220201140144-74d24b5ae9f5/go.mod h1:iIss55rKnNBTvrwdmkUpLnDpZoAHvWaiq5+iMmen4AE= github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c h1:+mdjkGKdHQG3305AYmdv1U2eRNDiU2ErMBj1gwrq8eQ= github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c/go.mod h1:7rwL4CYBLnjLxUqIJNnCWiEdr3bn6IUYi15bNlnbCCU= github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= @@ -360,19 +497,30 @@ github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINE github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/poy/onpar v1.1.2 h1:QaNrNiZx0+Nar5dLgTVp5mXkyoVFIbepjyEoGSnhbAY= +github.com/poy/onpar v1.1.2/go.mod h1:6X8FLNoxyr9kkmnlqpK6LSoiOtrO6MICtWwEuWkLjzg= github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring v0.74.0 h1:AHzMWDxNiAVscJL6+4wkvFRTpMnJqiaZFEKA/osaBXE= github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring v0.74.0/go.mod h1:wAR5JopumPtAZnu0Cjv2PSqV4p4QB09LMhc6fZZTXuA= -github.com/prometheus/client_golang v1.22.0 h1:rb93p9lokFEsctTys46VnV1kLCDpVZ0a/Y92Vm0Zc6Q= -github.com/prometheus/client_golang v1.22.0/go.mod h1:R7ljNsLXhuQXYZYtw6GAE9AZg8Y7vEW5scdCXrWRXC0= +github.com/prometheus/client_golang v1.23.2 h1:Je96obch5RDVy3FDMndoUsjAhG5Edi49h0RJWRi/o0o= +github.com/prometheus/client_golang v1.23.2/go.mod h1:Tb1a6LWHB3/SPIzCoaDXI4I8UHKeFTEQ1YCr+0Gyqmg= github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk= github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE= -github.com/prometheus/common v0.63.0 h1:YR/EIY1o3mEFP/kZCD7iDMnLPlGyuU2Gb3HIcXnA98k= -github.com/prometheus/common v0.63.0/go.mod h1:VVFF/fBIoToEnWRVkYoXEkq3R3paCoxG9PXP74SnV18= -github.com/prometheus/procfs v0.16.1 h1:hZ15bTNuirocR6u0JZ6BAHHmwS1p8B4P6MRqxtzMyRg= -github.com/prometheus/procfs v0.16.1/go.mod h1:teAbpZRB1iIAJYREa1LsoWUXykVXA1KlTmWl8x/U+Is= -github.com/redis/go-redis/v9 v9.7.0 h1:HhLSs+B6O021gwzl+locl0zEDnyNkxMtf/Z3NNBMa9E= -github.com/redis/go-redis/v9 v9.7.0/go.mod h1:f6zhXITC7JUJIlPEiBOTXxJgPLdZcA93GewI7inzyWw= +github.com/prometheus/common v0.66.1 h1:h5E0h5/Y8niHc5DlaLlWLArTQI7tMrsfQjHV+d9ZoGs= +github.com/prometheus/common v0.66.1/go.mod h1:gcaUsgf3KfRSwHY4dIMXLPV0K/Wg1oZ8+SbZk/HH/dA= +github.com/prometheus/otlptranslator v0.0.0-20250717125610-8549f4ab4f8f h1:QQB6SuvGZjK8kdc2YaLJpYhV8fxauOsjE6jgcL6YJ8Q= +github.com/prometheus/otlptranslator v0.0.0-20250717125610-8549f4ab4f8f/go.mod h1:P8AwMgdD7XEr6QRUJ2QWLpiAZTgTE2UYgjlu3svompI= +github.com/prometheus/procfs v0.17.0 h1:FuLQ+05u4ZI+SS/w9+BWEM2TXiHKsUQ9TADiRH7DuK0= +github.com/prometheus/procfs v0.17.0/go.mod h1:oPQLaDAMRbA+u8H5Pbfq+dl3VDAvHxMUOVhe0wYB2zw= +github.com/redis/go-redis/extra/rediscmd/v9 v9.0.5 h1:EaDatTxkdHG+U3Bk4EUr+DZ7fOGwTfezUiUJMaIcaho= +github.com/redis/go-redis/extra/rediscmd/v9 v9.0.5/go.mod h1:fyalQWdtzDBECAQFBJuQe5bzQ02jGd5Qcbgb97Flm7U= +github.com/redis/go-redis/extra/redisotel/v9 v9.0.5 h1:EfpWLLCyXw8PSM2/XNJLjI3Pb27yVE+gIAfeqp8LUCc= +github.com/redis/go-redis/extra/redisotel/v9 v9.0.5/go.mod h1:WZjPDy7VNzn77AAfnAfVjZNvfJTYfPetfZk5yoSTLaQ= +github.com/redis/go-redis/v9 v9.7.3 h1:YpPyAayJV+XErNsatSElgRZZVCwXX9QzkKYNvO7x0wM= +github.com/redis/go-redis/v9 v9.7.3/go.mod h1:bGUrSggJ9X9GUmZpZNEOQKaANxSGgOEBRltRTZHSvrA= +github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc= +github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ= +github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88= github.com/robfig/cron v1.2.0 h1:ZjScXvvxeQ63Dbyxy76Fj3AT3Ut0aKsyd2/tl3DTMuQ= github.com/robfig/cron v1.2.0/go.mod h1:JGuDeoQd7Z6yL4zQhZ3OPEVHB7fL6Ka6skscFHfmt2k= github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ= @@ -381,19 +529,31 @@ github.com/rogpeppe/go-internal v1.2.2/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFR github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII= github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o= +github.com/rubenv/sql-migrate v1.8.0 h1:dXnYiJk9k3wetp7GfQbKJcPHjVJL6YK19tKj8t2Ns0o= +github.com/rubenv/sql-migrate v1.8.0/go.mod h1:F2bGFBwCU+pnmbtNYDeKvSuvL6lBVtXDXUUv5t+u1qw= +github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= +github.com/santhosh-tekuri/jsonschema/v6 v6.0.2 h1:KRzFb2m7YtdldCEkzs6KqmJw4nqEVZGK7IN2kJkjTuQ= +github.com/santhosh-tekuri/jsonschema/v6 v6.0.2/go.mod h1:JXeL+ps8p7/KNMjDQk3TCwPpBy0wYklyWTfbkIzdIFU= +github.com/sergi/go-diff v1.2.0 h1:XU+rvMAioB0UC3q1MFrIQy4Vo5/4VsRDQQXHsEya6xQ= +github.com/sergi/go-diff v1.2.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM= +github.com/shopspring/decimal v1.4.0 h1:bxl37RwXBklmTi0C79JfXCEBD1cqqHt0bbgBAGFp81k= +github.com/shopspring/decimal v1.4.0/go.mod h1:gawqmDU56v4yIKSwfBSFip1HdCCXN8/+DMd9qYNcwME= github.com/sirupsen/logrus v1.4.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q= github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= +github.com/spf13/cast v1.8.0 h1:gEN9K4b8Xws4EX0+a0reLmhq8moKn7ntRlQYgjPeCDk= +github.com/spf13/cast v1.8.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo= github.com/spf13/cobra v0.0.0-20170118185516-dc208f4211e7/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ= github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ= github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo= github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0= github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= -github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o= github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +github.com/spf13/pflag v1.0.7 h1:vN6T9TfwStFPFM5XzjsvmzZkLuaLX+HS+0SeFLRgU6M= +github.com/spf13/pflag v1.0.7/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= @@ -421,6 +581,8 @@ github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcY github.com/xdg-go/pbkdf2 v1.0.0/go.mod h1:jrpuAogTd400dnrH08LKmI/xc1MbPOebTwRqcT5RDeI= github.com/xdg-go/scram v1.0.2/go.mod h1:1WAq6h33pAW+iRreB34OORO2Nf7qel3VV3fjBj+hCSs= github.com/xdg-go/stringprep v1.0.2/go.mod h1:8F9zXuvzgwmyT5DUm4GUfZGDdT3W+LCvS6+da4O5kxM= +github.com/xlab/treeprint v1.2.0 h1:HzHnuAF1plUN2zGlAFHbSQP2qJ0ZAD3XF5XD7OesXRQ= +github.com/xlab/treeprint v1.2.0/go.mod h1:gj5Gd3gPdKtR1ikdDK6fnFLdmIS0X30kTTuNd/WEJu0= github.com/youmark/pkcs8 v0.0.0-20181117223130-1be2e3e5546d/go.mod h1:rHwXgn7JulP+udvsHwJoVG1YGAP6VLg4y9I5dyZdqmA= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= @@ -432,17 +594,53 @@ go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0= go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo= go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64= go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y= +go.opentelemetry.io/contrib/bridges/prometheus v0.57.0 h1:UW0+QyeyBVhn+COBec3nGhfnFe5lwB0ic1JBVjzhk0w= +go.opentelemetry.io/contrib/bridges/prometheus v0.57.0/go.mod h1:ppciCHRLsyCio54qbzQv0E4Jyth/fLWDTJYfvWpcSVk= +go.opentelemetry.io/contrib/exporters/autoexport v0.57.0 h1:jmTVJ86dP60C01K3slFQa2NQ/Aoi7zA+wy7vMOKD9H4= +go.opentelemetry.io/contrib/exporters/autoexport v0.57.0/go.mod h1:EJBheUMttD/lABFyLXhce47Wr6DPWYReCzaZiXadH7g= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 h1:F7Jx+6hwnZ41NSFTO5q4LYDtJRXBf2PD0rNBkeB/lus= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0/go.mod h1:UHB22Z8QsdRDrnAtX4PntOl36ajSxcdUMt1sF7Y6E7Q= go.opentelemetry.io/otel v1.39.0 h1:8yPrr/S0ND9QEfTfdP9V+SiwT4E0G7Y5MO7p85nis48= go.opentelemetry.io/otel v1.39.0/go.mod h1:kLlFTywNWrFyEdH0oj2xK0bFYZtHRYUdv1NklR/tgc8= +go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.8.0 h1:WzNab7hOOLzdDF/EoWCt4glhrbMPVMOO5JYTmpz36Ls= +go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.8.0/go.mod h1:hKvJwTzJdp90Vh7p6q/9PAOd55dI6WA6sWj62a/JvSs= +go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.8.0 h1:S+LdBGiQXtJdowoJoQPEtI52syEP/JYBUpjO49EQhV8= +go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.8.0/go.mod h1:5KXybFvPGds3QinJWQT7pmXf+TN5YIa7CNYObWRkj50= +go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.32.0 h1:j7ZSD+5yn+lo3sGV69nW04rRR0jhYnBwjuX3r0HvnK0= +go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.32.0/go.mod h1:WXbYJTUaZXAbYd8lbgGuvih0yuCfOFC5RJoYnoLcGz8= +go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.32.0 h1:t/Qur3vKSkUCcDVaSumWF2PKHt85pc7fRvFuoVT8qFU= +go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.32.0/go.mod h1:Rl61tySSdcOJWoEgYZVtmnKdA0GeKrSqkHC1t+91CH8= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.37.0 h1:Ahq7pZmv87yiyn3jeFz/LekZmPLLdKejuO3NcK9MssM= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.37.0/go.mod h1:MJTqhM0im3mRLw1i8uGHnCvUEeS7VwRyxlLC78PA18M= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.37.0 h1:EtFWSnwW9hGObjkIdmlnWSydO+Qs8OwzfzXLUPg4xOc= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.37.0/go.mod h1:QjUEoiGCPkvFZ/MjK6ZZfNOS6mfVEVKYE99dFhuN2LI= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.37.0 h1:bDMKF3RUSxshZ5OjOTi8rsHGaPKsAt76FaqgvIUySLc= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.37.0/go.mod h1:dDT67G/IkA46Mr2l9Uj7HsQVwsjASyV9SjGofsiUZDA= +go.opentelemetry.io/otel/exporters/prometheus v0.59.1 h1:HcpSkTkJbggT8bjYP+BjyqPWlD17BH9C5CYNKeDzmcA= +go.opentelemetry.io/otel/exporters/prometheus v0.59.1/go.mod h1:0FJL+gjuUoM07xzik3KPBaN+nz/CoB15kV6WLMiXZag= +go.opentelemetry.io/otel/exporters/stdout/stdoutlog v0.8.0 h1:CHXNXwfKWfzS65yrlB2PVds1IBZcdsX8Vepy9of0iRU= +go.opentelemetry.io/otel/exporters/stdout/stdoutlog v0.8.0/go.mod h1:zKU4zUgKiaRxrdovSS2amdM5gOc59slmo/zJwGX+YBg= +go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.32.0 h1:SZmDnHcgp3zwlPBS2JX2urGYe/jBKEIT6ZedHRUyCz8= +go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.32.0/go.mod h1:fdWW0HtZJ7+jNpTKUR0GpMEDP69nR8YBJQxNiVCE3jk= +go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.32.0 h1:cC2yDI3IQd0Udsux7Qmq8ToKAx1XCilTQECZ0KDZyTw= +go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.32.0/go.mod h1:2PD5Ex6z8CFzDbTdOlwyNIUywRr1DN0ospafJM1wJ+s= +go.opentelemetry.io/otel/log v0.8.0 h1:egZ8vV5atrUWUbnSsHn6vB8R21G2wrKqNiDt3iWertk= +go.opentelemetry.io/otel/log v0.8.0/go.mod h1:M9qvDdUTRCopJcGRKg57+JSQ9LgLBrwwfC32epk5NX8= go.opentelemetry.io/otel/metric v1.39.0 h1:d1UzonvEZriVfpNKEVmHXbdf909uGTOQjA0HF0Ls5Q0= go.opentelemetry.io/otel/metric v1.39.0/go.mod h1:jrZSWL33sD7bBxg1xjrqyDjnuzTUB0x1nBERXd7Ftcs= go.opentelemetry.io/otel/sdk v1.39.0 h1:nMLYcjVsvdui1B/4FRkwjzoRVsMK8uL/cj0OyhKzt18= go.opentelemetry.io/otel/sdk v1.39.0/go.mod h1:vDojkC4/jsTJsE+kh+LXYQlbL8CgrEcwmt1ENZszdJE= +go.opentelemetry.io/otel/sdk/log v0.8.0 h1:zg7GUYXqxk1jnGF/dTdLPrK06xJdrXgqgFLnI4Crxvs= +go.opentelemetry.io/otel/sdk/log v0.8.0/go.mod h1:50iXr0UVwQrYS45KbruFrEt4LvAdCaWWgIrsN3ZQggo= go.opentelemetry.io/otel/sdk/metric v1.39.0 h1:cXMVVFVgsIf2YL6QkRF4Urbr/aMInf+2WKg+sEJTtB8= go.opentelemetry.io/otel/sdk/metric v1.39.0/go.mod h1:xq9HEVH7qeX69/JnwEfp6fVq5wosJsY1mt4lLfYdVew= go.opentelemetry.io/otel/trace v1.39.0 h1:2d2vfpEDmCJ5zVYz7ijaJdOF59xLomrvj7bjt6/qCJI= go.opentelemetry.io/otel/trace v1.39.0/go.mod h1:88w4/PnZSazkGzz/w84VHpQafiU4EtqqlVdxWy+rNOA= go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI= +go.opentelemetry.io/proto/otlp v1.7.1 h1:gTOMpGDb0WTBOP8JaO72iL3auEZhVmAQg4ipjOVAtj4= +go.opentelemetry.io/proto/otlp v1.7.1/go.mod h1:b2rVh6rfI/s2pHWNlB7ILJcRALpcNDzKhACevjI+ZnE= +go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE= +go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0= go.uber.org/automaxprocs v1.6.0 h1:O3y2/QNTOdbF+e/dpXNNW7Rx2hZ4sTIPyybbxyNqTUs= go.uber.org/automaxprocs v1.6.0/go.mod h1:ifeIMSnPZuznNm6jmdzmU3/bfk01Fe2fotchwEFJ8r8= go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= @@ -467,8 +665,8 @@ golang.org/x/crypto v0.0.0-20220314234659-1baeb1ce4c0b/go.mod h1:IxCIyHEi3zRg3s0 golang.org/x/crypto v0.46.0 h1:cKRW/pmt1pKAfetfu+RCEvjvZkA9RimPbh7bhFjGVBU= golang.org/x/crypto v0.46.0/go.mod h1:Evb/oLKmMraqjZ2iQTwDwvCtJkczlDuTmdJXoZVzqU0= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= -golang.org/x/exp v0.0.0-20250506013437-ce4c2cf36ca6 h1:y5zboxd6LQAqYIhHnB48p0ByQ/GnQx2BE33L8BOHQkI= -golang.org/x/exp v0.0.0-20250506013437-ce4c2cf36ca6/go.mod h1:U6Lno4MTRCDY+Ba7aCcauB9T60gsv5s4ralQzP72ZoQ= +golang.org/x/exp v0.0.0-20251017212417-90e834f514db h1:by6IehL4BH5k3e3SJmcoNbOobMey2SLpAF79iPOEBvw= +golang.org/x/exp v0.0.0-20251017212417-90e834f514db/go.mod h1:j/pmGrbnkbPtQfxEe5D0VQhZC6qKbfKifgD0oM7sR70= golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= @@ -477,6 +675,8 @@ golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzB golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= +golang.org/x/mod v0.30.0 h1:fDEXFVZ/fmCKProc/yAXXUijritrDzahmwwefnjoPFk= +golang.org/x/mod v0.30.0/go.mod h1:lAsf5O2EvJeSFMiBxXDki7sCgAxEUcZHXoXMKT4GJKc= golang.org/x/net v0.0.0-20161104230106-55a3084c9119/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= @@ -535,6 +735,7 @@ golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= @@ -558,8 +759,8 @@ golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ= golang.org/x/text v0.32.0 h1:ZD01bjUt1FQ9WJ0ClOL5vxgxOI/sVCNgX1YtKwcY0mU= golang.org/x/text v0.32.0/go.mod h1:o/rUWzghvpD5TXrTIBuJU77MTaN0ljMWE47kxGJQ7jY= -golang.org/x/time v0.11.0 h1:/bpjEDfN9tkoN/ryeYHnv5hcMlc8ncjMcM4XBk5NWV0= -golang.org/x/time v0.11.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg= +golang.org/x/time v0.14.0 h1:MRx4UaLrDotUKUdCIqzPC48t1Y9hANFKIRpNx+Te8PI= +golang.org/x/time v0.14.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= @@ -594,7 +795,7 @@ google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoA google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= google.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= -google.golang.org/genproto v0.0.0-20230530153820-e85fd2cbaebc h1:8DyZCyvI8mE1IdLy/60bS+52xfymkE72wv1asokgtao= +google.golang.org/genproto v0.0.0-20231211222908-989df2bf70f3 h1:1hfbdAfFbkmpg41000wDVqr7jUpK/Yo+LPnIxxGzmkg= google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217 h1:fCvbg86sFXwdrl5LgVcTEvNC+2txB5mgROGmRL5mrls= google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217/go.mod h1:+rXWjjaukWZun3mLfjmVnQi18E1AsFbDN9QdJ5YXLto= google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217 h1:gRkg/vSppuSQoDjxyiGfN4Upv/h/DQmIR10ZU8dh4Ww= @@ -628,14 +829,16 @@ gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= -gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSPG+6V4= -gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M= +gopkg.in/evanphx/json-patch.v4 v4.13.0 h1:czT3CmqEaQ1aanPc5SdlgQrrEIb8w/wwCvWWnfEbYzo= +gopkg.in/evanphx/json-patch.v4 v4.13.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M= gopkg.in/fsnotify.v1 v1.4.7 h1:xOHLXZwVvI9hhs+cLKq5+I5onOuwQLhQwiu63xxlHs4= gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= gopkg.in/go-playground/assert.v1 v1.2.1/go.mod h1:9RXL0bg/zibRAgZUYszZSwO/z8Y/a8bDuhia5mkpMnE= gopkg.in/go-playground/validator.v9 v9.31.0/go.mod h1:+c9/zcJMFNgbLvly1L1V+PpxWdVbfP1avr/N00E2vyQ= gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= +gopkg.in/natefinch/lumberjack.v2 v2.2.1 h1:bBRl1b0OH9s/DuPhuXpNl+VtCaJXFZ5/uEFST95x9zc= +gopkg.in/natefinch/lumberjack.v2 v2.2.1/go.mod h1:YD8tP3GAjkrDg1eZH7EGmyESg/lsYskCTPBJVb9jqSc= gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ= gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= @@ -649,36 +852,54 @@ gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C gopkg.in/yaml.v3 v3.0.0-20200605160147-a5ece683394c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +helm.sh/helm/v3 v3.18.6 h1:S/2CqcYnNfLckkHLI0VgQbxgcDaU3N4A/46E3n9wSNY= +helm.sh/helm/v3 v3.18.6/go.mod h1:L/dXDR2r539oPlFP1PJqKAC1CUgqHJDLkxKpDGrWnyg= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= -k8s.io/api v0.34.1 h1:jC+153630BMdlFukegoEL8E/yT7aLyQkIVuwhmwDgJM= -k8s.io/api v0.34.1/go.mod h1:SB80FxFtXn5/gwzCoN6QCtPD7Vbu5w2n1S0J5gFfTYk= -k8s.io/apiextensions-apiserver v0.34.1 h1:NNPBva8FNAPt1iSVwIE0FsdrVriRXMsaWFMqJbII2CI= -k8s.io/apiextensions-apiserver v0.34.1/go.mod h1:hP9Rld3zF5Ay2Of3BeEpLAToP+l4s5UlxiHfqRaRcMc= -k8s.io/apimachinery v0.34.1 h1:dTlxFls/eikpJxmAC7MVE8oOeP1zryV7iRyIjB0gky4= -k8s.io/apimachinery v0.34.1/go.mod h1:/GwIlEcWuTX9zKIg2mbw0LRFIsXwrfoVxn+ef0X13lw= -k8s.io/apiserver v0.34.1 h1:U3JBGdgANK3dfFcyknWde1G6X1F4bg7PXuvlqt8lITA= -k8s.io/apiserver v0.34.1/go.mod h1:eOOc9nrVqlBI1AFCvVzsob0OxtPZUCPiUJL45JOTBG0= -k8s.io/client-go v0.34.1 h1:ZUPJKgXsnKwVwmKKdPfw4tB58+7/Ik3CrjOEhsiZ7mY= -k8s.io/client-go v0.34.1/go.mod h1:kA8v0FP+tk6sZA0yKLRG67LWjqufAoSHA2xVGKw9Of8= -k8s.io/component-base v0.34.1 h1:v7xFgG+ONhytZNFpIz5/kecwD+sUhVE6HU7qQUiRM4A= -k8s.io/component-base v0.34.1/go.mod h1:mknCpLlTSKHzAQJJnnHVKqjxR7gBeHRv0rPXA7gdtQ0= +istio.io/api v1.28.5-0.20260306154401-b08bd5908741 h1:DK00OZIwDVG/METF5BCf5x+6Rcy1fLCm4FVoK/eSSh4= +istio.io/api v1.28.5-0.20260306154401-b08bd5908741/go.mod h1:BD3qv/ekm16kvSgvSpuiDawgKhEwG97wx849CednJSg= +istio.io/client-go v1.28.5 h1:fkT84vKKwr2LYnvXDZo67SogByJfsSrRwVPlCxsOGEg= +istio.io/client-go v1.28.5/go.mod h1:DBtlSnmVgdxwjlAL572sM+q5YjyWJRwfN9Oa95ohzPI= +istio.io/istio v0.0.0-20260306174229-7da666217518 h1:wTSzA6ySwn5SU5vs6hAIYruAc+39MwGNwJzKYy7YlSw= +istio.io/istio v0.0.0-20260306174229-7da666217518/go.mod h1:AvwW8kBsPEMitVvHD7YF5MZ8Kqf8OgJoUtwB8O1gtog= +k8s.io/api v0.34.3 h1:D12sTP257/jSH2vHV2EDYrb16bS7ULlHpdNdNhEw2S4= +k8s.io/api v0.34.3/go.mod h1:PyVQBF886Q5RSQZOim7DybQjAbVs8g7gwJNhGtY5MBk= +k8s.io/apiextensions-apiserver v0.34.3 h1:p10fGlkDY09eWKOTeUSioxwLukJnm+KuDZdrW71y40g= +k8s.io/apiextensions-apiserver v0.34.3/go.mod h1:aujxvqGFRdb/cmXYfcRTeppN7S2XV/t7WMEc64zB5A0= +k8s.io/apimachinery v0.34.3 h1:/TB+SFEiQvN9HPldtlWOTp0hWbJ+fjU+wkxysf/aQnE= +k8s.io/apimachinery v0.34.3/go.mod h1:/GwIlEcWuTX9zKIg2mbw0LRFIsXwrfoVxn+ef0X13lw= +k8s.io/apiserver v0.34.3 h1:uGH1qpDvSiYG4HVFqc6A3L4CKiX+aBWDrrsxHYK0Bdo= +k8s.io/apiserver v0.34.3/go.mod h1:QPnnahMO5C2m3lm6fPW3+JmyQbvHZQ8uudAu/493P2w= +k8s.io/cli-runtime v0.33.3 h1:Dgy4vPjNIu8LMJBSvs8W0LcdV0PX/8aGG1DA1W8lklA= +k8s.io/cli-runtime v0.33.3/go.mod h1:yklhLklD4vLS8HNGgC9wGiuHWze4g7x6XQZ+8edsKEo= +k8s.io/client-go v0.34.3 h1:wtYtpzy/OPNYf7WyNBTj3iUA0XaBHVqhv4Iv3tbrF5A= +k8s.io/client-go v0.34.3/go.mod h1:OxxeYagaP9Kdf78UrKLa3YZixMCfP6bgPwPwNBQBzpM= +k8s.io/component-base v0.34.3 h1:zsEgw6ELqK0XncCQomgO9DpUIzlrYuZYA0Cgo+JWpVk= +k8s.io/component-base v0.34.3/go.mod h1:5iIlD8wPfWE/xSHTRfbjuvUul2WZbI2nOUK65XL0E/c= k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= k8s.io/kube-aggregator v0.34.1 h1:WNLV0dVNoFKmuyvdWLd92iDSyD/TSTjqwaPj0U9XAEU= k8s.io/kube-aggregator v0.34.1/go.mod h1:RU8j+5ERfp0h+gIvWtxRPfsa5nK7rboDm8RST8BJfYQ= -k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b h1:MloQ9/bdJyIu9lb1PzujOPolHyvO06MXG5TUIj2mNAA= -k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b/go.mod h1:UZ2yyWbFTpuhSbFhv24aGNOdoRdJZgsIObGBUaYVsts= -k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 h1:hwvWFiBzdWw1FhfY1FooPn3kzWuJ8tmbZBHi4zVsl1Y= -k8s.io/utils v0.0.0-20250604170112-4c0f3b243397/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +k8s.io/kube-openapi v0.0.0-20250814151709-d7b6acb124c3 h1:liMHz39T5dJO1aOKHLvwaCjDbf07wVh6yaUlTpunnkE= +k8s.io/kube-openapi v0.0.0-20250814151709-d7b6acb124c3/go.mod h1:UZ2yyWbFTpuhSbFhv24aGNOdoRdJZgsIObGBUaYVsts= +k8s.io/kubectl v0.33.3 h1:r/phHvH1iU7gO/l7tTjQk2K01ER7/OAJi8uFHHyWSac= +k8s.io/kubectl v0.33.3/go.mod h1:euj2bG56L6kUGOE/ckZbCoudPwuj4Kud7BR0GzyNiT0= +k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d h1:wAhiDyZ4Tdtt7e46e9M5ZSAJ/MnPGPs+Ki1gHw4w1R0= +k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +oras.land/oras-go/v2 v2.6.0 h1:X4ELRsiGkrbeox69+9tzTu492FMUu7zJQW6eJU+I2oc= +oras.land/oras-go/v2 v2.6.0/go.mod h1:magiQDfG6H1O9APp+rOsvCPcW1GD2MM7vgnKY0Y+u1o= sigs.k8s.io/controller-runtime v0.21.0 h1:CYfjpEuicjUecRk+KAeyYh+ouUBn4llGyDYytIGcJS8= sigs.k8s.io/controller-runtime v0.21.0/go.mod h1:OSg14+F65eWqIu4DceX7k/+QRAbTTvxeQSNSOQpukWM= sigs.k8s.io/gateway-api v1.3.0 h1:q6okN+/UKDATola4JY7zXzx40WO4VISk7i9DIfOvr9M= sigs.k8s.io/gateway-api v1.3.0/go.mod h1:d8NV8nJbaRbEKem+5IuxkL8gJGOZ+FJ+NvOIltV8gDk= -sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7npUVDpVXUUOFfW6CgAqE= -sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg= +sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg= +sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg= sigs.k8s.io/kube-storage-version-migrator v0.0.6-0.20230721195810-5c8923c5ff96 h1:PFWFSkpArPNJxFX4ZKWAk9NSeRoZaXschn+ULa4xVek= sigs.k8s.io/kube-storage-version-migrator v0.0.6-0.20230721195810-5c8923c5ff96/go.mod h1:EOBQyBowOUsd7U4CJnMHNE0ri+zCXyouGdLwC/jZU+I= +sigs.k8s.io/kustomize/api v0.19.0 h1:F+2HB2mU1MSiR9Hp1NEgoU2q9ItNOaBJl0I4Dlus5SQ= +sigs.k8s.io/kustomize/api v0.19.0/go.mod h1:/BbwnivGVcBh1r+8m3tH1VNxJmHSk1PzP5fkP6lbL1o= +sigs.k8s.io/kustomize/kyaml v0.19.0 h1:RFge5qsO1uHhwJsu3ipV7RNolC7Uozc0jUBC/61XSlA= +sigs.k8s.io/kustomize/kyaml v0.19.0/go.mod h1:FeKD5jEOH+FbZPpqUghBP8mrLjJ3+zD3/rf9NNu1cwY= sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU= sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY= sigs.k8s.io/structured-merge-diff/v6 v6.3.0 h1:jTijUJbW353oVOd9oTlifJqOGEkUw2jB/fXCbTiQEco= diff --git a/manifests/00-cluster-role-sail-library.yaml b/manifests/00-cluster-role-sail-library.yaml new file mode 100644 index 0000000000..71d4c4f80b --- /dev/null +++ b/manifests/00-cluster-role-sail-library.yaml @@ -0,0 +1,95 @@ +# ClusterRole for Sail Library-based Istio installation. +# This role grants the cluster-ingress-operator permissions required to install +# and manage Istio via the Sail Library for Gateway API support. +# +# RBAC Context: +# The Sail Operator has its own ClusterRole defined in the Helm chart at +# https://github.com/istio-ecosystem/sail-operator/blob/main/chart/templates/rbac/role.yaml +# and the Sail Library provides install.LibraryRBACRules() in +# pkg/install/rbac.go for consumers to generate required permissions. +# +# Why We Define a Custom ClusterRole Instead of Using LibraryRBACRules(): +# LibraryRBACRules() is overly broad for our Gateway API use case. We provide a +# curated subset with only the permissions needed for our integration. +# +# ClusterRole Escalation: +# When the Sail Library creates ClusterRoles for istiod service accounts, it needs +# either (a) a superset of all permissions being granted, or (b) the 'escalate' verb. +# Currently, Sail Operator uses escalate, and we follow the same pattern. We grant +# 'escalate' on rbac.authorization.k8s.io resources to allow creating ClusterRoles +# with permissions that CIO itself holds. +# +# TODO - Future Improvements: +# 1. Consider removing 'escalate' and instead explicitly grant istiod the exact +# permissions it needs (from istiod Helm chart ClusterRoles) as a superset here +# 2. Add automated generation/verification against install.LibraryRBACRules() to +# ensure we stay in sync with upstream Sail Library requirements while +# maintaining our custom additions and restrictions +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: openshift-ingress-operator-sail-library + annotations: + capability.openshift.io/name: Ingress + release.openshift.io/feature-set: DevPreviewNoUpgrade,TechPreviewNoUpgrade # Remove when GA + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + include.release.openshift.io/single-node-developer: "true" +rules: +# Gateway autoscaling - Sail Library can potentially create HPAs +- apiGroups: + - autoscaling + resources: + - horizontalpodautoscalers + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + +# RBAC management - Sail Library creates and manages ClusterRoles/Roles for istiod service accounts +- apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterroles + - clusterrolebindings + - roles + - rolebindings + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + +# RBAC escalation - 'bind' and 'escalate' allow creating ClusterRoles with permissions that CIO holds +- apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterroles + - roles + verbs: + - bind + - escalate + +# Admission webhooks - Sail Library creates webhook configurations from istiod Helm chart +- apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + - validatingadmissionpolicies + - validatingadmissionpolicybindings + - validatingwebhookconfigurations + verbs: + - create + - delete + - get + - list + - patch + - update + - watch diff --git a/manifests/00-cluster-role.yaml b/manifests/00-cluster-role.yaml index e29ed4bd76..d073d4e32c 100644 --- a/manifests/00-cluster-role.yaml +++ b/manifests/00-cluster-role.yaml @@ -162,6 +162,7 @@ rules: - gateway.networking.k8s.io resources: - gatewayclasses + - gatewayclasses/status - gateways - httproutes - grpcroutes @@ -187,6 +188,7 @@ rules: - sailoperator.io resources: - istios + - istiorevisions verbs: - '*' diff --git a/manifests/01-cluster-role-binding-sail-library.yaml b/manifests/01-cluster-role-binding-sail-library.yaml new file mode 100644 index 0000000000..467193d47b --- /dev/null +++ b/manifests/01-cluster-role-binding-sail-library.yaml @@ -0,0 +1,21 @@ +# Binds the Sail Library cluster role to the operator's Service Account. +# This grants the cluster-ingress-operator permissions required to install +# and manage Istio via the Sail Library for Gateway API support. +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: openshift-ingress-operator-sail-library + annotations: + capability.openshift.io/name: Ingress + release.openshift.io/feature-set: DevPreviewNoUpgrade,TechPreviewNoUpgrade # Remove when GA + include.release.openshift.io/ibm-cloud-managed: "true" + include.release.openshift.io/self-managed-high-availability: "true" + include.release.openshift.io/single-node-developer: "true" +subjects: +- kind: ServiceAccount + name: ingress-operator + namespace: openshift-ingress-operator +roleRef: + kind: ClusterRole + apiGroup: rbac.authorization.k8s.io + name: openshift-ingress-operator-sail-library diff --git a/pkg/log/log.go b/pkg/log/log.go index 8d6876a447..9768814eed 100644 --- a/pkg/log/log.go +++ b/pkg/log/log.go @@ -6,6 +6,7 @@ import ( "github.com/go-logr/logr" "github.com/go-logr/zapr" "go.uber.org/zap" + "go.uber.org/zap/zapcore" "sigs.k8s.io/controller-runtime/pkg/log" ) @@ -13,8 +14,10 @@ import ( var Logger logr.Logger func init() { - // Build a zap development logger. - zapLogger, err := zap.NewDevelopment(zap.AddCallerSkip(1), zap.AddStacktrace(zap.FatalLevel)) + // Build a zap development logger with INFO level. + config := zap.NewDevelopmentConfig() + config.Level = zap.NewAtomicLevelAt(zapcore.InfoLevel) + zapLogger, err := config.Build(zap.AddCallerSkip(1), zap.AddStacktrace(zap.FatalLevel)) if err != nil { panic(fmt.Sprintf("error building logger: %v", err)) } diff --git a/pkg/operator/controller/gatewayapi/controller.go b/pkg/operator/controller/gatewayapi/controller.go index ec1f588511..42b2d0544b 100644 --- a/pkg/operator/controller/gatewayapi/controller.go +++ b/pkg/operator/controller/gatewayapi/controller.go @@ -110,6 +110,9 @@ type Config struct { // OperatorLifecycleManagerEnabled indicates whether the // "OperatorLifecycleManager" capability is enabled. OperatorLifecycleManagerEnabled bool + // GatewayAPIWithoutOLMEnabled indicates whether the GatewayAPIWithoutOLM + // feature gate is enabled, allowing Sail Library-based installation. + GatewayAPIWithoutOLMEnabled bool // DependentControllers is a list of controllers that watch Gateway API // resources. The gatewayapi controller starts these controllers once @@ -158,10 +161,12 @@ func (r *reconciler) Reconcile(ctx context.Context, request reconcile.Request) ( // The subscriptions resource only exists if the // "OperatorLifecycleManager" capability is enabled, and the default // catalog only exists if the "marketplace" capability is enabled. We - // cannot install OSSM if the subscriptions resource or default catalog - // does not exist, and accordingly, we should not start these - // controllers if the capabilities are not enabled. - if !r.config.MarketplaceEnabled || !r.config.OperatorLifecycleManagerEnabled { + // cannot install OSSM via OLM if the subscriptions resource or default + // catalog does not exist. However, when the GatewayAPIWithoutOLM feature + // is enabled, we can install Istio directly using the Sail Library. + useOLM := r.config.MarketplaceEnabled && r.config.OperatorLifecycleManagerEnabled + useSailLibrary := r.config.GatewayAPIWithoutOLMEnabled + if !useOLM && !useSailLibrary { return reconcile.Result{}, nil } diff --git a/pkg/operator/controller/gatewayclass/controller.go b/pkg/operator/controller/gatewayclass/controller.go index f409d3c4e9..77d31c6366 100644 --- a/pkg/operator/controller/gatewayclass/controller.go +++ b/pkg/operator/controller/gatewayclass/controller.go @@ -3,19 +3,26 @@ package gatewayclass import ( "context" "fmt" + "slices" + "strings" "sync" + "time" logf "github.com/openshift/cluster-ingress-operator/pkg/log" operatorcontroller "github.com/openshift/cluster-ingress-operator/pkg/operator/controller" - - sailv1 "github.com/istio-ecosystem/sail-operator/api/v1" operatorsv1alpha1 "github.com/operator-framework/api/pkg/operators/v1alpha1" "k8s.io/client-go/tools/record" + "k8s.io/client-go/util/workqueue" gatewayapiv1 "sigs.k8s.io/gateway-api/apis/v1" + sailv1 "github.com/istio-ecosystem/sail-operator/api/v1" + "github.com/istio-ecosystem/sail-operator/pkg/install" + "github.com/istio-ecosystem/sail-operator/resources" + apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" + "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/types" utilerrors "k8s.io/apimachinery/pkg/util/errors" @@ -23,6 +30,7 @@ import ( "sigs.k8s.io/controller-runtime/pkg/cache" "sigs.k8s.io/controller-runtime/pkg/client" "sigs.k8s.io/controller-runtime/pkg/controller" + "sigs.k8s.io/controller-runtime/pkg/controller/controllerutil" "sigs.k8s.io/controller-runtime/pkg/handler" "sigs.k8s.io/controller-runtime/pkg/manager" "sigs.k8s.io/controller-runtime/pkg/predicate" @@ -71,6 +79,11 @@ const ( // can be specified. This annotation is only intended for use by // OpenShift developers. istioVersionOverrideAnnotationKey = "unsupported.do-not-use.openshift.io/istio-version" + // sailLibraryFinalizer is added to GatewayClasses using Sail Library installation. + // When a GatewayClass with this finalizer is deleted: + // 1. Sail Library mode: Uninstall Istio if this is the last GatewayClass, then remove finalizer + // 2. Downgrade to OLM: Clean up Sail Library status and finalizer (then OLM takes over Istio) + sailLibraryFinalizer = "openshift.io/ingress-operator-sail-finalizer" ) var log = logf.Logger.WithName(controllerName) @@ -81,6 +94,7 @@ var gatewayClassController controller.Controller // that the manager does not start it. func NewUnmanaged(mgr manager.Manager, config Config) (controller.Controller, error) { operatorCache := mgr.GetCache() + reconciler := &reconciler{ config: config, client: mgr.GetClient(), @@ -104,21 +118,11 @@ func NewUnmanaged(mgr manager.Manager, config Config) (controller.Controller, er return nil, err } - isServiceMeshSubscription := predicate.NewPredicateFuncs(func(o client.Object) bool { - return o.GetName() == operatorcontroller.ServiceMeshOperatorSubscriptionName().Name - }) - if err = c.Watch(source.Kind[client.Object](operatorCache, &operatorsv1alpha1.Subscription{}, - reconciler.enqueueRequestForSomeGatewayClass(), isServiceMeshSubscription)); err != nil { - return nil, err - } - isOurInstallPlan := predicate.NewPredicateFuncs(func(o client.Object) bool { installPlan := o.(*operatorsv1alpha1.InstallPlan) if len(installPlan.Spec.ClusterServiceVersionNames) > 0 { - for _, csv := range installPlan.Spec.ClusterServiceVersionNames { - if csv == config.GatewayAPIOperatorVersion { - return true - } + if slices.Contains(installPlan.Spec.ClusterServiceVersionNames, config.GatewayAPIOperatorVersion) { + return true } } return false @@ -130,9 +134,6 @@ func NewUnmanaged(mgr manager.Manager, config Config) (controller.Controller, er installPlan := o.(*operatorsv1alpha1.InstallPlan) return !installPlan.Spec.Approved && installPlan.Status.Phase == operatorsv1alpha1.InstallPlanPhaseRequiresApproval }) - if err := c.Watch(source.Kind[client.Object](operatorCache, &operatorsv1alpha1.InstallPlan{}, reconciler.enqueueRequestForSomeGatewayClass(), isOurInstallPlan, isInstallPlanReadyForApproval)); err != nil { - return nil, err - } // Watch for the InferencePool CRD to determine whether to enable // Gateway API Inference Extension (GIE) on the Istio control-plane. @@ -148,6 +149,67 @@ func NewUnmanaged(mgr manager.Manager, config Config) (controller.Controller, er return nil, err } + if !config.GatewayAPIWithoutOLMEnabled { + isServiceMeshSubscription := predicate.NewPredicateFuncs(func(o client.Object) bool { + return o.GetName() == operatorcontroller.ServiceMeshOperatorSubscriptionName().Name + }) + if err = c.Watch(source.Kind[client.Object](operatorCache, &operatorsv1alpha1.Subscription{}, + reconciler.enqueueRequestForSomeGatewayClass(), isServiceMeshSubscription)); err != nil { + return nil, err + } + if err := c.Watch(source.Kind[client.Object](operatorCache, &operatorsv1alpha1.InstallPlan{}, reconciler.enqueueRequestForSomeGatewayClass(), isOurInstallPlan, isInstallPlanReadyForApproval)); err != nil { + return nil, err + } + } else { + // Start the Sail Library's background reconciliation loop (runs in a goroutine). + // Returns a notification channel that signals when library reconciliation completes, + // allowing us to update GatewayClass status conditions accordingly. + installer, err := install.New(mgr.GetConfig(), resources.FS) + if err != nil { + return nil, fmt.Errorf("failed to initialize sail-operator installation library: %w", err) + } + notifyCh := installer.Start(config.Context) + reconciler.sailInstaller = installer + + // Reconciliation Triggers with the Sail Library: + // + // 1. CIO-initiated reconciliation (GatewayClass controller triggers): + // Watches GatewayClass resources, OLM Subscriptions, OLM InstallPlans, and Istio/GIE CRDs. + // All events trigger GatewayClass reconciliation, which computes Options and calls + // sailInstaller.Apply(). For CRD management events (Subscription/InstallPlan/Istio CRD changes), + // we additionally call sailInstaller.Enqueue() to trigger CRD ownership re-evaluation. + // + // 2. Sail Library-initiated reconciliation (notification channel): + // The Sail Library runs its own reconciliation loop with drift detection for Istio + // Helm-managed resources (Deployments, Services, ConfigMaps, etc.). When reconciliation + // completes (install, uninstall, drift repair, or error), it signals via notifyCh, + // which triggers reconciliation to update GatewayClass status conditions. + isIstioCRD := predicate.NewPredicateFuncs(func(o client.Object) bool { + return strings.Contains(o.GetName(), "istio.io") + }) + isServiceMeshSubscription := predicate.NewPredicateFuncs(func(o client.Object) bool { + sub, ok := o.(*operatorsv1alpha1.Subscription) + if !ok { + return false + } + // Check if package name starts with "servicemeshoperator" + return sub.Spec != nil && strings.HasPrefix(sub.Spec.Package, "servicemeshoperator") + }) + + if err = c.Watch(source.Kind[client.Object](operatorCache, &operatorsv1alpha1.Subscription{}, reconciler.enqueueRequestForCRDOwnershipChange(), isServiceMeshSubscription)); err != nil { + return nil, err + } + if err := c.Watch(source.Kind[client.Object](operatorCache, &operatorsv1alpha1.InstallPlan{}, reconciler.enqueueRequestForCRDOwnershipChange(), isOurInstallPlan)); err != nil { + return nil, err + } + if err := c.Watch(source.Kind[client.Object](operatorCache, &apiextensionsv1.CustomResourceDefinition{}, reconciler.enqueueRequestForCRDOwnershipChange(), isIstioCRD)); err != nil { + return nil, err + } + if err := c.Watch(&SailLibrarySource[client.Object]{NotifyCh: notifyCh, RequestsFunc: reconciler.requestsForAllManagedGatewayClasses}); err != nil { + return nil, err + } + } + gatewayClassController = c return c, nil } @@ -155,8 +217,7 @@ func NewUnmanaged(mgr manager.Manager, config Config) (controller.Controller, er // Config holds all the configuration that must be provided when creating the // controller. type Config struct { - // OperatorNamespace is the namespace in which the operator should - // create the Istio CR. + // OperatorNamespace is the namespace in which the operator is deployed. OperatorNamespace string // OperandNamespace is the namespace in which Istio should be deployed. OperandNamespace string @@ -166,8 +227,22 @@ type Config struct { GatewayAPIOperatorChannel string // GatewayAPIOperatorVersion is the name and release of the Gateway API implementation to install. GatewayAPIOperatorVersion string - // IstioVersion is the version of Istio to configure on the Istio CR. + // GatewayAPIWithoutOLMEnabled indicates whether the GatewayAPIWithoutOLM feature gate is enabled. + GatewayAPIWithoutOLMEnabled bool + // IstioVersion is the version of Istio to install. IstioVersion string + // Context is the context for controller lifecycle. + Context context.Context +} + +// SailLibraryInstaller implements the methods of sail library but in a way we can +// also mock and test +type SailLibraryInstaller interface { + Start(ctx context.Context) <-chan struct{} + Apply(opts install.Options) + Uninstall(ctx context.Context, namespace, revision string) error + Status() install.Status + Enqueue() } // reconciler reconciles gatewayclasses. @@ -179,65 +254,161 @@ type reconciler struct { recorder record.EventRecorder startIstioWatch sync.Once + + // sailInstaller manages Istio control plane lifecycle (install, upgrade, uninstall) via the sail library. + sailInstaller SailLibraryInstaller } -// enqueueRequestForSomeGatewayClass enqueues a reconciliation request for the -// gatewayclass that has the earliest creation timestamp and that specifies our -// controller name. +// enqueueRequestForCRDOwnershipChange handles events that may affect CRD ownership. +// This is used for OLM Subscriptions, InstallPlans, and Istio CRDs. When these +// resources change, CRD ownership may transition between OLM and CIO management. +// +// Calls sailInstaller.Enqueue() to trigger the Sail Library to re-evaluate which +// CRDs it can manage, then enqueues reconciliation requests for all GatewayClasses +// so they can update their status based on the new installation state. +func (r *reconciler) enqueueRequestForCRDOwnershipChange() handler.EventHandler { + return handler.EnqueueRequestsFromMapFunc( + func(ctx context.Context, obj client.Object) []reconcile.Request { + // We can call Enqueue as many times as we want, as sail-library should enqueue and filter + // and not make concurrent operations + r.sailInstaller.Enqueue() + return r.requestsForAllManagedGatewayClasses(ctx, obj) + }) +} + +// enqueueRequestForSomeGatewayClass enqueues GatewayClass reconciliation. +// Sail Library mode: all classes. OLM mode: oldest class only (to avoid subscription conflicts). func (r *reconciler) enqueueRequestForSomeGatewayClass() handler.EventHandler { return handler.EnqueueRequestsFromMapFunc( - func(ctx context.Context, _ client.Object) []reconcile.Request { - requests := []reconcile.Request{} + func(ctx context.Context, obj client.Object) []reconcile.Request { + if r.config.GatewayAPIWithoutOLMEnabled { + return r.requestsForAllManagedGatewayClasses(ctx, obj) + } + return r.requestsForSomeGatewayClass(ctx, obj) + }, + ) +} - var gatewayClasses gatewayapiv1.GatewayClassList - if err := r.cache.List(context.Background(), &gatewayClasses); err != nil { - log.Error(err, "Failed to list gatewayclasses") +// requestsForSomeGatewayClass returns a reconciliation request for the +// gatewayclass that has the earliest creation timestamp and that specifies our +// controller name. +func (r *reconciler) requestsForSomeGatewayClass(ctx context.Context, _ client.Object) []reconcile.Request { + requests := []reconcile.Request{} + var gatewayClasses gatewayapiv1.GatewayClassList + if err := r.cache.List(ctx, &gatewayClasses); err != nil { + log.Error(err, "Failed to list gatewayclasses") - return requests - } + return requests + } - var ( - found bool - oldest metav1.Time - name string - ) - for i := range gatewayClasses.Items { - if gatewayClasses.Items[i].Spec.ControllerName != operatorcontroller.OpenShiftGatewayClassControllerName { - continue - } + var ( + found bool + oldest metav1.Time + name string + ) + for i := range gatewayClasses.Items { + if gatewayClasses.Items[i].Spec.ControllerName != operatorcontroller.OpenShiftGatewayClassControllerName { + continue + } - ctime := gatewayClasses.Items[i].CreationTimestamp - if !found || ctime.Before(&oldest) { - found, oldest, name = true, ctime, gatewayClasses.Items[i].Name - } + // If we ever added the sail library finalizer, this means this is a rollback so + // we need to be sure that the OLM process removes the finalizer and the status + if controllerutil.ContainsFinalizer(&gatewayClasses.Items[i], sailLibraryFinalizer) { + request := reconcile.Request{ + NamespacedName: types.NamespacedName{ + Namespace: "", + Name: gatewayClasses.Items[i].Name, + }, } + requests = append(requests, request) + continue + } - if found { - request := reconcile.Request{ - NamespacedName: types.NamespacedName{ - Namespace: "", // GatewayClass is cluster-scoped. - Name: name, - }, - } - requests = append(requests, request) - } + ctime := gatewayClasses.Items[i].CreationTimestamp + if !found || ctime.Before(&oldest) { + found, oldest, name = true, ctime, gatewayClasses.Items[i].Name + } + } - return requests - }, - ) + if found { + request := reconcile.Request{ + NamespacedName: types.NamespacedName{ + Namespace: "", // GatewayClass is cluster-scoped. + Name: name, + }, + } + requests = append(requests, request) + } + + return requests +} + +// requestsForAllManagedGatewayClasses enqueues all GatewayClasses managed by this controller. +// Used when shared installation state changes (Sail Library events, CRD ownership). +func (r *reconciler) requestsForAllManagedGatewayClasses(ctx context.Context, _ client.Object) []reconcile.Request { + requests := []reconcile.Request{} + var gatewayClasses gatewayapiv1.GatewayClassList + if err := r.cache.List(ctx, &gatewayClasses, client.MatchingFields{ + operatorcontroller.GatewayClassIndexFieldName: operatorcontroller.OpenShiftGatewayClassControllerName, + }); err != nil { + log.Error(err, "Failed to list gatewayclasses") + return requests + } + + for _, class := range gatewayClasses.Items { + request := reconcile.Request{ + NamespacedName: types.NamespacedName{ + Namespace: "", // GatewayClass is cluster-scoped. + Name: class.Name, + }, + } + requests = append(requests, request) + } + + return requests } // Reconcile expects request to refer to a GatewayClass and creates or // reconciles an Istio deployment. func (r *reconciler) Reconcile(ctx context.Context, request reconcile.Request) (reconcile.Result, error) { - log.Info("reconciling", "request", request) + if r.config.GatewayAPIWithoutOLMEnabled { + return r.reconcileWithSailLibrary(ctx, request) + } + return r.reconcileWithOLM(ctx, request) +} + +// reconcileWithOLM reconciles a GatewayClass using OLM to install OSSM, +// which then manages an Istio CR for the Istio installation. +func (r *reconciler) reconcileWithOLM(ctx context.Context, request reconcile.Request) (reconcile.Result, error) { + log.Info("reconciling with OLM", "request", request) + var errs []error - var gatewayclass gatewayapiv1.GatewayClass - if err := r.cache.Get(ctx, request.NamespacedName, &gatewayclass); err != nil { + gatewayclass := &gatewayapiv1.GatewayClass{} + if err := r.cache.Get(ctx, request.NamespacedName, gatewayclass); err != nil { + if errors.IsNotFound(err) { + return reconcile.Result{}, nil + } return reconcile.Result{}, err } - var errs []error + // Downgrade scenario: transitioning from Sail Library installation back to OLM-based installation. + // Clean up Sail Library finalizers and status to allow OLM to take over. + updatedGatewayClass := gatewayclass.DeepCopy() + if controllerutil.ContainsFinalizer(updatedGatewayClass, sailLibraryFinalizer) { + removeSailInstallConditions(&updatedGatewayClass.Status.Conditions) + if err := r.client.Status().Patch(ctx, updatedGatewayClass, client.MergeFrom(gatewayclass)); err != nil { + log.Error(err, "error patching the gatewayclass status") + return reconcile.Result{}, err + } + controllerutil.RemoveFinalizer(updatedGatewayClass, sailLibraryFinalizer) + if err := r.client.Patch(ctx, updatedGatewayClass, client.MergeFrom(gatewayclass)); err != nil { + log.Error(err, "failed to remove finalizer from gatewayclass") + return reconcile.Result{}, err + } + + return reconcile.Result{}, nil // Removing the finalizer should kick a new reconciliation + } + ossmCatalog := r.config.GatewayAPIOperatorCatalog if v, ok := gatewayclass.Annotations[subscriptionCatalogOverrideAnnotationKey]; ok { ossmCatalog = v @@ -260,7 +431,7 @@ func (r *reconciler) Reconcile(ctx context.Context, request reconcile.Request) ( if v, ok := gatewayclass.Annotations[istioVersionOverrideAnnotationKey]; ok { istioVersion = v } - if _, _, err := r.ensureIstio(ctx, &gatewayclass, istioVersion); err != nil { + if _, _, err := r.ensureIstioOLM(ctx, gatewayclass, istioVersion); err != nil { errs = append(errs, err) } else { // The OSSM operator installs the istios.sailoperator.io CRD. @@ -280,3 +451,139 @@ func (r *reconciler) Reconcile(ctx context.Context, request reconcile.Request) ( return reconcile.Result{}, utilerrors.NewAggregate(errs) } + +// reconcileWithSailLibrary reconciles a GatewayClass using the Sail Library +// for direct Helm-based installation of Istio. +func (r *reconciler) reconcileWithSailLibrary(ctx context.Context, request reconcile.Request) (reconcile.Result, error) { + log.Info("reconciling with sail library", "request", request) + + gatewayClass := &gatewayapiv1.GatewayClass{} + if err := r.cache.Get(ctx, request.NamespacedName, gatewayClass); err != nil { + if errors.IsNotFound(err) { + return reconcile.Result{}, nil + } + return reconcile.Result{}, err + } + + if !gatewayClass.DeletionTimestamp.IsZero() { + return r.ensureGatewayClassDeleted(ctx, gatewayClass) + } + + updatedGatewayClass := gatewayClass.DeepCopy() + if controllerutil.AddFinalizer(updatedGatewayClass, sailLibraryFinalizer) { + if err := r.client.Patch(ctx, updatedGatewayClass, client.MergeFrom(gatewayClass)); err != nil { + log.Error(err, "failed to add finalizer to gatewayclass") + return reconcile.Result{}, err + } + return reconcile.Result{}, nil // Finalizer add successful: watch will trigger another reconciliation + } + + // Ensure migration from OLM to Sail Library. + if migrationComplete, err := r.ensureOSSMtoSailLibraryMigration(ctx); err != nil { + return reconcile.Result{}, fmt.Errorf("error validating sail library migration: %w", err) + } else if !migrationComplete { + // Migration isn't complete - give OSSM time to clean up. + return reconcile.Result{RequeueAfter: 5 * time.Second}, nil + } + + var errs []error + + istioVersion := r.config.IstioVersion + if v, ok := gatewayClass.Annotations[istioVersionOverrideAnnotationKey]; ok { + istioVersion = v + } + + if err := r.ensureIstio(ctx, istioVersion); err != nil { + log.Error(err, "failed to ensure Istio") + errs = append(errs, err) + } + + // Update status for indicating installation success, CRD management, etc. + status := r.sailInstaller.Status() + if changed := mapStatusToConditions(status, gatewayClass.Generation, &updatedGatewayClass.Status.Conditions); changed { + if err := r.client.Status().Patch(ctx, updatedGatewayClass, client.MergeFrom(gatewayClass)); err != nil { + log.Error(err, "error patching the gatewayclass status") + errs = append(errs, err) + } + } + + return reconcile.Result{}, utilerrors.NewAggregate(errs) +} + +// countActiveGatewayClasses returns the number of managed GatewayClasses that +// are not being deleted, excluding the given name. +func countActiveGatewayClasses(list *gatewayapiv1.GatewayClassList, excludeName string) int { + count := 0 + for i := range list.Items { + gc := &list.Items[i] + if gc.Name == excludeName || !gc.DeletionTimestamp.IsZero() { + continue + } + count++ + } + return count +} + +// ensureGatewayClassDeleted handles cleanup when a GatewayClass is being deleted. +// Uninstalls Istio if this is the last managed GatewayClass, then removes the finalizer. +func (r *reconciler) ensureGatewayClassDeleted(ctx context.Context, gatewayClass *gatewayapiv1.GatewayClass) (reconcile.Result, error) { + if !controllerutil.ContainsFinalizer(gatewayClass, sailLibraryFinalizer) { + // No finalizer present; nothing to clean up + return reconcile.Result{}, nil + } + + // Check if this is the last active GatewayClass - if so, uninstall Istio + updatedGatewayClass := gatewayClass.DeepCopy() + gatewayClassList := gatewayapiv1.GatewayClassList{} + if err := r.cache.List(ctx, &gatewayClassList, client.MatchingFields{ + operatorcontroller.GatewayClassIndexFieldName: operatorcontroller.OpenShiftGatewayClassControllerName, + }); err != nil { + return reconcile.Result{}, fmt.Errorf("failed to list gateway classes: %w", err) + } + if countActiveGatewayClasses(&gatewayClassList, gatewayClass.Name) == 0 { + if err := r.sailInstaller.Uninstall(ctx, r.config.OperandNamespace, operatorcontroller.IstioName("").Name); err != nil { + return reconcile.Result{}, fmt.Errorf("failed to uninstall Istio: %w", err) + } + } + + // Remove finalizer to allow Kubernetes to delete the object + if controllerutil.RemoveFinalizer(updatedGatewayClass, sailLibraryFinalizer) { + if err := r.client.Patch(ctx, updatedGatewayClass, client.MergeFrom(gatewayClass)); err != nil { + log.Error(err, "failed to remove finalizer from gatewayclass") + return reconcile.Result{}, err + } + } + return reconcile.Result{}, nil +} + +// SailLibrarySource bridges a Sail Library channel to a MapFunc logic. +// The Sail Library contains a source channel where notification for changes (like drifts) +// can be sent back to our controller, so we trigger a reconciliation of our GatewayClass and its status. +type SailLibrarySource[T client.Object] struct { + NotifyCh <-chan struct{} + RequestsFunc func(context.Context, client.Object) []reconcile.Request +} + +func (s *SailLibrarySource[T]) Start(ctx context.Context, queue workqueue.TypedRateLimitingInterface[reconcile.Request]) error { + go func() { + for { + select { + case <-ctx.Done(): + return + case _, ok := <-s.NotifyCh: + if !ok { + log.Info("Sail Library notification channel closed, stopping watch") + return + } + var empty T + requests := s.RequestsFunc(ctx, empty) + log.Info("Sail Library reconciliation complete, enqueuing GatewayClass reconciliations", + "count", len(requests), "gatewayclasses", requests) + for _, req := range requests { + queue.Add(req) + } + } + } + }() + return nil +} diff --git a/pkg/operator/controller/gatewayclass/controller_test.go b/pkg/operator/controller/gatewayclass/controller_test.go index f3c193c2ee..50b56740d7 100644 --- a/pkg/operator/controller/gatewayclass/controller_test.go +++ b/pkg/operator/controller/gatewayclass/controller_test.go @@ -2,14 +2,19 @@ package gatewayclass import ( "context" + "fmt" "testing" + "time" "github.com/google/go-cmp/cmp" "github.com/google/go-cmp/cmp/cmpopts" sailv1 "github.com/istio-ecosystem/sail-operator/api/v1" + "github.com/istio-ecosystem/sail-operator/pkg/install" configv1 "github.com/openshift/api/config/v1" + operatorcontroller "github.com/openshift/cluster-ingress-operator/pkg/operator/controller" operatorsv1alpha1 "github.com/operator-framework/api/pkg/operators/v1alpha1" "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -51,6 +56,22 @@ func Test_Reconcile(t *testing.T) { } } + istioCRD := func() *apiextensionsv1.CustomResourceDefinition { + return &apiextensionsv1.CustomResourceDefinition{ + ObjectMeta: metav1.ObjectMeta{ + Name: "istios.sailoperator.io", + }, + } + } + + istioRevisionCRD := func() *apiextensionsv1.CustomResourceDefinition { + return &apiextensionsv1.CustomResourceDefinition{ + ObjectMeta: metav1.ObjectMeta{ + Name: "istiorevisions.sailoperator.io", + }, + } + } + istio := func(version string, gieEnabled bool) *sailv1.Istio { ret := &sailv1.Istio{ ObjectMeta: metav1.ObjectMeta{ @@ -125,36 +146,127 @@ func Test_Reconcile(t *testing.T) { return ret } + istioRevision := func() *sailv1.IstioRevision { + return &sailv1.IstioRevision{ + ObjectMeta: metav1.ObjectMeta{ + Name: "openshift-gateway", + }, + } + } + + gatewayClass := func(name string, finalizer bool, annotations map[string]string, conditions []metav1.Condition, deletionTimestamp bool) *gatewayapiv1.GatewayClass { + gc := &gatewayapiv1.GatewayClass{ + ObjectMeta: metav1.ObjectMeta{ + Name: name, + }, + Spec: gatewayapiv1.GatewayClassSpec{ + ControllerName: gatewayapiv1.GatewayController("openshift.io/gateway-controller/v1"), + }, + } + + if finalizer { + gc.ObjectMeta.Finalizers = []string{"openshift.io/ingress-operator-sail-finalizer"} + } + + if annotations != nil { + gc.ObjectMeta.Annotations = annotations + } + + if conditions != nil { + gc.Status = gatewayapiv1.GatewayClassStatus{ + Conditions: conditions, + } + } + + if deletionTimestamp { + now := metav1.Now() + gc.ObjectMeta.DeletionTimestamp = &now + } + + return gc + } + + installedConditions := func() []metav1.Condition { + return []metav1.Condition{ + { + Type: "ControllerInstalled", + Status: metav1.ConditionTrue, + Reason: "Installed", + }, + { + Type: "CRDsReady", + Status: metav1.ConditionUnknown, + Reason: "NoneExist", + }, + } + } + + expectedSailLibraryOptions := func(version string, gieEnabled bool) *install.Options { + // Start with sail-operator's Gateway API defaults aka trust upstream defaults + values := install.GatewayAPIDefaults() + + // Apply our OpenShift-specific overrides + pilotEnv := map[string]string{ + "PILOT_GATEWAY_API_DEFAULT_GATEWAYCLASS_NAME": "openshift-default", + "PILOT_GATEWAY_API_CONTROLLER_NAME": "openshift.io/gateway-controller/v1", + } + if gieEnabled { + pilotEnv["ENABLE_GATEWAY_API_INFERENCE_EXTENSION"] = "true" + } + + openshiftOverrides := &sailv1.Values{ + Global: &sailv1.GlobalConfig{ + IstioNamespace: ptr.To("openshift-ingress"), + TrustBundleName: ptr.To("openshift-gw-ca-root-cert"), + }, + Pilot: &sailv1.PilotConfig{ + Env: pilotEnv, + PodAnnotations: map[string]string{ + "target.workload.openshift.io/management": `{"effect": "PreferredDuringScheduling"}`, + }, + }, + } + values = install.MergeValues(values, openshiftOverrides) + + return &install.Options{ + Namespace: "openshift-ingress", + Version: version, + Revision: "openshift-gateway", + Values: values, + ManageCRDs: ptr.To(true), + IncludeAllCRDs: ptr.To(true), + } + } + tests := []struct { - name string - request reconcile.Request - existingObjects []runtime.Object - expectCreate []client.Object - expectUpdate []client.Object - expectDelete []client.Object - expectError string + name string + request reconcile.Request + expectedResult reconcile.Result + fakeSailInstaller SailLibraryInstaller + existingObjects []client.Object + expectCreate []client.Object + expectUpdate []client.Object + expectPatched []client.Object + expectDelete []client.Object + expectedStatusPatched []client.Object + expectError string + expectedSailLibraryOptions *install.Options + expectSailLibraryUninstallCalled bool }{ { - name: "Nonexistent gatewayclass", + name: "OLM mode: Nonexistent gatewayclass", request: req("openshift-default"), - existingObjects: []runtime.Object{}, + existingObjects: []client.Object{}, expectCreate: []client.Object{}, expectUpdate: []client.Object{}, expectDelete: []client.Object{}, - expectError: `"openshift-default" not found`, + //expectError: `"openshift-default" not found`, // We should not expect an error when a class is not found }, { - name: "Minimal gatewayclass", + name: "OLM mode: Minimal gatewayclass", request: req("openshift-default"), - existingObjects: []runtime.Object{ - &gatewayapiv1.GatewayClass{ - ObjectMeta: metav1.ObjectMeta{ - Name: "openshift-default", - }, - Spec: gatewayapiv1.GatewayClassSpec{ - ControllerName: gatewayapiv1.GatewayController("openshift.io/gateway-controller/v1"), - }, - }, + existingObjects: []client.Object{ + gatewayClass("openshift-default", false, nil, nil, false), }, expectCreate: []client.Object{ subscription("redhat-operators", "stable", "servicemeshoperator3.v3.0.1"), @@ -164,17 +276,10 @@ func Test_Reconcile(t *testing.T) { expectDelete: []client.Object{}, }, { - name: "Minimal gatewayclass with experimental InferencePool CRD", + name: "OLM mode: Minimal gatewayclass with experimental InferencePool CRD", request: req("openshift-default"), - existingObjects: []runtime.Object{ - &gatewayapiv1.GatewayClass{ - ObjectMeta: metav1.ObjectMeta{ - Name: "openshift-default", - }, - Spec: gatewayapiv1.GatewayClassSpec{ - ControllerName: gatewayapiv1.GatewayController("openshift.io/gateway-controller/v1"), - }, - }, + existingObjects: []client.Object{ + gatewayClass("openshift-default", false, nil, nil, false), &apiextensionsv1.CustomResourceDefinition{ ObjectMeta: metav1.ObjectMeta{ Name: "inferencepools.inference.networking.x-k8s.io", @@ -189,17 +294,10 @@ func Test_Reconcile(t *testing.T) { expectDelete: []client.Object{}, }, { - name: "Minimal gatewayclass with stable InferencePool CRD", + name: "OLM mode: Minimal gatewayclass with stable InferencePool CRD", request: req("openshift-default"), - existingObjects: []runtime.Object{ - &gatewayapiv1.GatewayClass{ - ObjectMeta: metav1.ObjectMeta{ - Name: "openshift-default", - }, - Spec: gatewayapiv1.GatewayClassSpec{ - ControllerName: gatewayapiv1.GatewayController("openshift.io/gateway-controller/v1"), - }, - }, + existingObjects: []client.Object{ + gatewayClass("openshift-default", false, nil, nil, false), &apiextensionsv1.CustomResourceDefinition{ ObjectMeta: metav1.ObjectMeta{ Name: "inferencepools.inference.networking.k8s.io", @@ -214,20 +312,12 @@ func Test_Reconcile(t *testing.T) { expectDelete: []client.Object{}, }, { - name: "Gatewayclass with Istio version override", + name: "OLM mode: Gatewayclass with Istio version override", request: req("openshift-default"), - existingObjects: []runtime.Object{ - &gatewayapiv1.GatewayClass{ - ObjectMeta: metav1.ObjectMeta{ - Annotations: map[string]string{ - "unsupported.do-not-use.openshift.io/istio-version": "v1.24-latest", - }, - Name: "openshift-default", - }, - Spec: gatewayapiv1.GatewayClassSpec{ - ControllerName: gatewayapiv1.GatewayController("openshift.io/gateway-controller/v1"), - }, - }, + existingObjects: []client.Object{ + gatewayClass("openshift-default", false, map[string]string{ + "unsupported.do-not-use.openshift.io/istio-version": "v1.24-latest", + }, nil, false), }, expectCreate: []client.Object{ subscription("redhat-operators", "stable", "servicemeshoperator3.v3.0.1"), @@ -237,23 +327,15 @@ func Test_Reconcile(t *testing.T) { expectDelete: []client.Object{}, }, { - name: "Gatewayclass with OSSM and Istio overrides", + name: "OLM mode: Gatewayclass with OSSM and Istio overrides", request: req("openshift-default"), - existingObjects: []runtime.Object{ - &gatewayapiv1.GatewayClass{ - ObjectMeta: metav1.ObjectMeta{ - Annotations: map[string]string{ - "unsupported.do-not-use.openshift.io/ossm-catalog": "foo", - "unsupported.do-not-use.openshift.io/ossm-channel": "bar", - "unsupported.do-not-use.openshift.io/ossm-version": "baz", - "unsupported.do-not-use.openshift.io/istio-version": "quux", - }, - Name: "openshift-default", - }, - Spec: gatewayapiv1.GatewayClassSpec{ - ControllerName: gatewayapiv1.GatewayController("openshift.io/gateway-controller/v1"), - }, - }, + existingObjects: []client.Object{ + gatewayClass("openshift-default", false, map[string]string{ + "unsupported.do-not-use.openshift.io/ossm-catalog": "foo", + "unsupported.do-not-use.openshift.io/ossm-channel": "bar", + "unsupported.do-not-use.openshift.io/ossm-version": "baz", + "unsupported.do-not-use.openshift.io/istio-version": "quux", + }, nil, false), }, expectCreate: []client.Object{ subscription("foo", "bar", "baz"), @@ -262,6 +344,205 @@ func Test_Reconcile(t *testing.T) { expectUpdate: []client.Object{}, expectDelete: []client.Object{}, }, + { + name: "Sail Library: nonexistent GatewayClass", + fakeSailInstaller: &fakeSailInstaller{}, + request: req("openshift-default"), + existingObjects: []client.Object{}, + expectCreate: []client.Object{}, + expectUpdate: []client.Object{}, + expectDelete: []client.Object{}, + //expectError: `"openshift-default" not found`, // We should not expect an error when a class is not found + expectedSailLibraryOptions: &install.Options{}, + }, + { + name: "Sail Library: disabled - removes finalizer and status", + request: req("openshift-default"), + existingObjects: []client.Object{ + gatewayClass("openshift-default", true, nil, []metav1.Condition{ + { + Type: ControllerInstalledConditionType, + Reason: "Something", + Status: metav1.ConditionUnknown, + }, + { + Type: CRDsReadyConditionType, + Reason: "Otherthing", + Status: metav1.ConditionTrue, + }, + }, false), + }, + expectPatched: []client.Object{ + gatewayClass("openshift-default", false, nil, []metav1.Condition{}, false), + }, + expectedStatusPatched: []client.Object{ + gatewayClass("openshift-default", false, nil, []metav1.Condition{}, false), + }, + }, + { + name: "Sail Library: adds finalizer to GatewayClass", + fakeSailInstaller: &fakeSailInstaller{}, + request: req("openshift-default"), + existingObjects: []client.Object{ + gatewayClass("openshift-default", false, nil, nil, false), + }, + expectPatched: []client.Object{ + gatewayClass("openshift-default", true, nil, nil, false), + }, + expectDelete: []client.Object{}, + expectedSailLibraryOptions: &install.Options{}, + }, + { + name: "Sail Library: migrates old Istio CR instances", + fakeSailInstaller: &fakeSailInstaller{}, + request: req("openshift-default"), + existingObjects: []client.Object{ + gatewayClass("openshift-default", true, nil, nil, false), + istioCRD(), + istio("v1.24.4", true), + }, + expectPatched: []client.Object{}, + expectDelete: []client.Object{ + istio("v1.24.4", true), + }, + expectedResult: reconcile.Result{ + RequeueAfter: 5 * time.Second, + }, + expectedSailLibraryOptions: &install.Options{}, + }, + { + name: "Sail Library: migration waiting for IstioRevision cleanup", + fakeSailInstaller: &fakeSailInstaller{}, + request: req("openshift-default"), + existingObjects: []client.Object{ + gatewayClass("openshift-default", true, nil, nil, false), + istioCRD(), + istioRevisionCRD(), + istioRevision(), + }, + expectPatched: []client.Object{}, + expectDelete: []client.Object{}, + expectedResult: reconcile.Result{ + RequeueAfter: 5 * time.Second, + }, + expectedSailLibraryOptions: &install.Options{}, + }, + { + name: "Sail Library: migration complete, proceed with install", + fakeSailInstaller: &fakeSailInstaller{}, + request: req("openshift-default"), + existingObjects: []client.Object{ + gatewayClass("openshift-default", true, nil, nil, false), + istioCRD(), + istioRevisionCRD(), + }, + expectedStatusPatched: []client.Object{ + gatewayClass("openshift-default", true, nil, installedConditions(), false), + }, + expectedSailLibraryOptions: expectedSailLibraryOptions("v1.24.4", false), + }, + { + name: "Sail Library: installs Istio", + fakeSailInstaller: &fakeSailInstaller{}, + request: req("openshift-default"), + existingObjects: []client.Object{ + gatewayClass("openshift-default", true, nil, nil, false), + }, + expectedStatusPatched: []client.Object{ + gatewayClass("openshift-default", true, nil, installedConditions(), false), + }, + expectedSailLibraryOptions: expectedSailLibraryOptions("v1.24.4", false), + }, + { + name: "Sail Library: experimental InferencePool CRD", + fakeSailInstaller: &fakeSailInstaller{}, + request: req("openshift-default"), + existingObjects: []client.Object{ + gatewayClass("openshift-default", true, nil, nil, false), + &apiextensionsv1.CustomResourceDefinition{ + ObjectMeta: metav1.ObjectMeta{ + Name: "inferencepools.inference.networking.x-k8s.io", + }, + }, + }, + expectedStatusPatched: []client.Object{ + gatewayClass("openshift-default", true, nil, installedConditions(), false), + }, + expectedSailLibraryOptions: expectedSailLibraryOptions("v1.24.4", true), + }, + { + name: "Sail Library: stable InferencePool CRD", + fakeSailInstaller: &fakeSailInstaller{}, + request: req("openshift-default"), + existingObjects: []client.Object{ + gatewayClass("openshift-default", true, nil, nil, false), + &apiextensionsv1.CustomResourceDefinition{ + ObjectMeta: metav1.ObjectMeta{ + Name: "inferencepools.inference.networking.k8s.io", + }, + }, + }, + expectedStatusPatched: []client.Object{ + gatewayClass("openshift-default", true, nil, installedConditions(), false), + }, + expectedSailLibraryOptions: expectedSailLibraryOptions("v1.24.4", true), + }, + { + name: "Sail Library: Istio version override", + fakeSailInstaller: &fakeSailInstaller{}, + request: req("openshift-default"), + existingObjects: []client.Object{ + gatewayClass("openshift-default", true, map[string]string{ + "unsupported.do-not-use.openshift.io/istio-version": "v1.24-latest", + }, nil, false), + }, + expectedStatusPatched: []client.Object{ + gatewayClass("openshift-default", true, map[string]string{ + "unsupported.do-not-use.openshift.io/istio-version": "v1.24-latest", + }, installedConditions(), false), + }, + expectedSailLibraryOptions: expectedSailLibraryOptions("v1.24-latest", false), + }, + { + name: "Sail Library: full removal of last GatewayClass", + fakeSailInstaller: &fakeSailInstaller{}, + request: req("openshift-default"), + existingObjects: []client.Object{ + gatewayClass("openshift-default", true, nil, nil, true), + }, + expectPatched: []client.Object{ + gatewayClass("openshift-default", false, nil, nil, true), + }, + expectedSailLibraryOptions: &install.Options{}, + expectSailLibraryUninstallCalled: true, + }, + { + name: "Sail Library: removes finalizer when other GatewayClasses exist", + fakeSailInstaller: &fakeSailInstaller{}, + request: req("openshift-default"), + existingObjects: []client.Object{ + gatewayClass("openshift-default", true, nil, nil, true), + gatewayClass("openshift-secondary", true, nil, nil, false), + }, + expectPatched: []client.Object{ + gatewayClass("openshift-default", false, nil, nil, true), + }, + expectedSailLibraryOptions: &install.Options{}, + expectSailLibraryUninstallCalled: false, + }, + { + name: "Sail Library: error on Uninstall failure", + fakeSailInstaller: &fakeSailInstaller{ + uninstallError: fmt.Errorf("failed to cleanup resources"), + }, + request: req("openshift-default"), + existingObjects: []client.Object{ + gatewayClass("openshift-default", true, nil, nil, true), + }, + expectError: "failed to uninstall Istio: failed to cleanup resources", + expectedSailLibraryOptions: &install.Options{}, + expectSailLibraryUninstallCalled: true, + }, } scheme := runtime.NewScheme() @@ -275,14 +556,23 @@ func Test_Reconcile(t *testing.T) { t.Run(tc.name, func(t *testing.T) { fakeClient := fake.NewClientBuilder(). WithScheme(scheme). - WithRuntimeObjects(tc.existingObjects...). + WithStatusSubresource(tc.existingObjects...). + WithObjects(tc.existingObjects...). + WithIndex(&gatewayapiv1.GatewayClass{}, operatorcontroller.GatewayClassIndexFieldName, func(o client.Object) []string { + gc := o.(*gatewayapiv1.GatewayClass) + return []string{string(gc.Spec.ControllerName)} + }). Build() cl := &testutil.FakeClientRecorder{ - Client: fakeClient, + Client: fakeClient, + StatusWriter: &testutil.FakeStatusWriter{ + StatusWriter: fakeClient.Status(), + }, T: t, Added: []client.Object{}, Updated: []client.Object{}, Deleted: []client.Object{}, + Patched: []client.Object{}, } gatewayClassController = &testutil.FakeController{ T: t, @@ -303,17 +593,24 @@ func Test_Reconcile(t *testing.T) { IstioVersion: "v1.24.4", }, } + if tc.fakeSailInstaller != nil { + reconciler.config.GatewayAPIWithoutOLMEnabled = true + reconciler.sailInstaller = tc.fakeSailInstaller + } res, err := reconciler.Reconcile(context.Background(), tc.request) if tc.expectError != "" { + require.NotNil(t, err) assert.Contains(t, err.Error(), tc.expectError) } else { assert.NoError(t, err) } - assert.Equal(t, reconcile.Result{}, res) + + assert.Equal(t, tc.expectedResult, res) cmpOpts := []cmp.Option{ cmpopts.EquateEmpty(), - cmpopts.IgnoreFields(metav1.ObjectMeta{}, "ResourceVersion", "OwnerReferences"), + cmpopts.IgnoreFields(metav1.ObjectMeta{}, "ResourceVersion", "OwnerReferences", "DeletionTimestamp"), cmpopts.IgnoreFields(metav1.TypeMeta{}, "Kind", "APIVersion"), + cmpopts.IgnoreFields(metav1.Condition{}, "LastTransitionTime", "Message"), cmpopts.IgnoreFields(operatorsv1alpha1.SubscriptionSpec{}, "Config"), cmpopts.IgnoreFields(apiextensionsv1.CustomResourceDefinition{}, "Spec"), } @@ -326,6 +623,31 @@ func Test_Reconcile(t *testing.T) { if diff := cmp.Diff(tc.expectDelete, cl.Deleted, cmpOpts...); diff != "" { t.Fatalf("found diff between expected and actual deletes: %s", diff) } + if diff := cmp.Diff(tc.expectPatched, cl.Patched, cmpOpts...); diff != "" { + t.Fatalf("found diff between expected and actual patches: %s", diff) + } + if diff := cmp.Diff(tc.expectedStatusPatched, cl.StatusWriter.Patched, cmpOpts...); diff != "" { + t.Fatalf("found diff between expected and actual patches: %s", diff) + } + if tc.fakeSailInstaller != nil { + fakeInstaller := tc.fakeSailInstaller.(*fakeSailInstaller) + + if tc.expectedSailLibraryOptions != nil { + optsDiff := cmp.Diff( + tc.expectedSailLibraryOptions, + &fakeInstaller.internalOpts, + cmpopts.IgnoreFields(install.Options{}, "OverwriteOLMManagedCRD"), + ) + if optsDiff != "" { + t.Fatalf("found diff between Sail Library options:\n%s", optsDiff) + } + } + + if tc.expectSailLibraryUninstallCalled != fakeInstaller.uninstallCalled { + t.Fatalf("expected uninstallCalled=%v, got %v", tc.expectSailLibraryUninstallCalled, fakeInstaller.uninstallCalled) + } + } + }) } } diff --git a/pkg/operator/controller/gatewayclass/istio.go b/pkg/operator/controller/gatewayclass/istio_olm.go similarity index 94% rename from pkg/operator/controller/gatewayclass/istio.go rename to pkg/operator/controller/gatewayclass/istio_olm.go index 4e1a1c2b40..05440c81a3 100644 --- a/pkg/operator/controller/gatewayclass/istio.go +++ b/pkg/operator/controller/gatewayclass/istio_olm.go @@ -23,10 +23,10 @@ import ( // cluster-critical priority class in a pod's spec.priorityClassName. const systemClusterCriticalPriorityClassName = "system-cluster-critical" -// ensureIstio attempts to ensure that an Istio CR is present and returns a +// ensureIstioOLM attempts to ensure that an Istio CR is present and returns a // Boolean indicating whether it exists, the CR if it exists, and an error // value. -func (r *reconciler) ensureIstio(ctx context.Context, gatewayclass *gatewayapiv1.GatewayClass, istioVersion string) (bool, *sailv1.Istio, error) { +func (r *reconciler) ensureIstioOLM(ctx context.Context, gatewayclass *gatewayapiv1.GatewayClass, istioVersion string) (bool, *sailv1.Istio, error) { name := controller.IstioName(r.config.OperandNamespace) have, current, err := r.currentIstio(ctx, name) if err != nil { @@ -95,9 +95,10 @@ func (r *reconciler) crdExists(ctx context.Context, crdName string) (bool, error return true, nil } -// desiredIstio returns the desired Istio CR. -func desiredIstio(name types.NamespacedName, ownerRef metav1.OwnerReference, istioVersion string, enableInferenceExtension bool) *sailv1.Istio { - pilotContainerEnv := map[string]string{ +// gatewayAPIPilotEnv returns the pilot environment variables for configuring +// Istio's Gateway API controller with OpenShift-specific settings. +func gatewayAPIPilotEnv(enableInferenceExtension bool) map[string]string { + env := map[string]string{ // Enable Gateway API. "PILOT_ENABLE_GATEWAY_API": "true", // Do not enable experimental Gateway API features. @@ -146,8 +147,14 @@ func desiredIstio(name types.NamespacedName, ownerRef metav1.OwnerReference, ist "PILOT_ENABLE_GATEWAY_API_COPY_LABELS_ANNOTATIONS": "false", } if enableInferenceExtension { - pilotContainerEnv["ENABLE_GATEWAY_API_INFERENCE_EXTENSION"] = "true" + env["ENABLE_GATEWAY_API_INFERENCE_EXTENSION"] = "true" } + return env +} + +// desiredIstio returns the desired Istio CR. +func desiredIstio(name types.NamespacedName, ownerRef metav1.OwnerReference, istioVersion string, enableInferenceExtension bool) *sailv1.Istio { + pilotContainerEnv := gatewayAPIPilotEnv(enableInferenceExtension) return &sailv1.Istio{ ObjectMeta: metav1.ObjectMeta{ Namespace: name.Namespace, diff --git a/pkg/operator/controller/gatewayclass/istio_sail_installer.go b/pkg/operator/controller/gatewayclass/istio_sail_installer.go new file mode 100644 index 0000000000..21f352f6fc --- /dev/null +++ b/pkg/operator/controller/gatewayclass/istio_sail_installer.go @@ -0,0 +1,182 @@ +package gatewayclass + +import ( + "context" + "fmt" + "strings" + + sailv1 "github.com/istio-ecosystem/sail-operator/api/v1" + "github.com/istio-ecosystem/sail-operator/pkg/install" + + "github.com/openshift/cluster-ingress-operator/pkg/operator/controller" + + operatorsv1alpha1 "github.com/operator-framework/api/pkg/operators/v1alpha1" + + apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" + "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/utils/ptr" + + "sigs.k8s.io/controller-runtime/pkg/client" +) + +const ( + // subscriptionPrefix is the OLM label prefix indicating subscription ownership. + subscriptionPrefix = "operators.coreos.com/" +) + +// overwriteOLMManagedCRDFunc is used as a predicate function by the Sail Library to determine +// whether to take ownership of a CRD. Returns true if the owning OLM subscription +// no longer exists (allowing CIO to take ownership), false otherwise. +func (r *reconciler) overwriteOLMManagedCRDFunc(ctx context.Context, crd *apiextensionsv1.CustomResourceDefinition) bool { + // defensive measure + if ctx == nil || crd == nil { + return false + } + + logOverwrite := log.WithValues("crd", crd.GetName()) + + labels := crd.GetLabels() + if labels == nil { + // no labels, we can override + return true + } + + // This is not a OLM managed CRD + if val, ok := labels["olm.managed"]; !ok || val != "true" { + return true + } + + // Look for OLM subscription labels (format: "operators.coreos.com/.") + // Example: "operators.coreos.com/servicemeshoperator.openshift-operators" + // Note: Multiple labels may exist; check all to avoid non-deterministic behavior from map iteration + type subscriptionInfo struct { + name, namespace, label string + } + var subscriptions []subscriptionInfo + + for label := range labels { + if after, ok := strings.CutPrefix(label, subscriptionPrefix); ok { + // Split on last dot since subscription names can contain dots + lastDot := strings.LastIndex(after, ".") + if lastDot == -1 { + logOverwrite.Info("ignoring invalid OLM label", "label", label) + continue + } + subscriptions = append(subscriptions, subscriptionInfo{ + name: after[:lastDot], + namespace: after[lastDot+1:], + label: label, + }) + } + } + + if len(subscriptions) == 0 { + logOverwrite.Info("no subscription label found") + return true + } + + // Check each subscription we found - if ANY have active resources, do not overwrite + for _, sub := range subscriptions { + // Check for InstallPlan, which effectively installs CRDs. Even if invalid it + // may become valid at some point and overwrite CRDs. + installPlanList := operatorsv1alpha1.InstallPlanList{} + if err := r.cache.List(ctx, &installPlanList, client.HasLabels([]string{sub.label})); err != nil { + log.Error(err, "error trying to list InstallPlans") + return false + } + if len(installPlanList.Items) > 0 { + logOverwrite.Info("CRD has valid InstallPlans, not overwriting") + return false + } + + // Next check for subscriptions. + subscription := operatorsv1alpha1.Subscription{} + subscription.SetNamespace(sub.namespace) + subscription.SetName(sub.name) + err := r.cache.Get(ctx, client.ObjectKeyFromObject(&subscription), &subscription) + if err != nil { + if errors.IsNotFound(err) { + // No subscription was found, continue to check other subscriptions. + continue + } + log.Error(err, "error trying to get subscription") + return false + } + + // If we are here means we don't have InstallPlans, but we do have a subscription + // which means we may be in an intermediate state. + return false + } + + // No active subscriptions or InstallPlans found + return true +} + +// ensureIstio installs or updates Istio using the Sail Library. +// It returns an error if the installation fails. +func (r *reconciler) ensureIstio(ctx context.Context, istioVersion string) error { + sailInstaller := r.sailInstaller + + enableInferenceExtension, err := r.inferencepoolCrdExists(ctx) + if err != nil { + return fmt.Errorf("failed to check for InferencePool CRD: %w", err) + } + + // Build options from current state + opts := r.buildInstallerOptions(enableInferenceExtension, istioVersion) + + opts.OverwriteOLMManagedCRD = r.overwriteOLMManagedCRDFunc + + // Apply triggers asynchronous installation/update. Helm charts are only applied + // if options or values have changed. Status is checked later via r.sailInstaller.Status() + // and mapped to GatewayClass conditions. + sailInstaller.Apply(opts) + + return nil +} + +// buildInstallerOptions creates Sail Library installation options by merging +// Gateway API defaults with OpenShift-specific overrides +func (r *reconciler) buildInstallerOptions(enableInferenceExtension bool, istioVersion string) install.Options { + // Start with Gateway API defaults + values := install.GatewayAPIDefaults() + + // Apply OpenShift-specific overrides + openshiftOverrides := openshiftValues(enableInferenceExtension, r.config.OperandNamespace) + values = install.MergeValues(values, openshiftOverrides) + + return install.Options{ + Namespace: r.config.OperandNamespace, + Revision: controller.IstioName("").Name, + Values: values, + Version: istioVersion, + ManageCRDs: ptr.To(true), + IncludeAllCRDs: ptr.To(true), + } +} + +// openshiftValues returns the OpenShift-specific value overrides for Istio. +// These values are merged on top of the gateway-api preset defaults. +func openshiftValues(enableInferenceExtension bool, operandNamespace string) *sailv1.Values { + pilotEnv := gatewayAPIPilotEnv(enableInferenceExtension) + + return &sailv1.Values{ + Global: &sailv1.GlobalConfig{ + DefaultPodDisruptionBudget: &sailv1.DefaultPodDisruptionBudgetConfig{ + Enabled: ptr.To(false), + }, + IstioNamespace: ptr.To(operandNamespace), + // Use system-cluster-critical priority for OpenShift system workloads + PriorityClassName: ptr.To(systemClusterCriticalPriorityClassName), + // OpenShift-specific CA trust bundle + TrustBundleName: ptr.To(controller.OpenShiftGatewayCARootCertName), + }, + Pilot: &sailv1.PilotConfig{ + Env: pilotEnv, + // Workload partitioning for OpenShift management workloads + PodAnnotations: map[string]string{ + WorkloadPartitioningManagementAnnotationKey: WorkloadPartitioningManagementPreferredScheduling, + }, + }, + } +} diff --git a/pkg/operator/controller/gatewayclass/istio_sail_installer_test.go b/pkg/operator/controller/gatewayclass/istio_sail_installer_test.go new file mode 100644 index 0000000000..0a0b177c73 --- /dev/null +++ b/pkg/operator/controller/gatewayclass/istio_sail_installer_test.go @@ -0,0 +1,586 @@ +package gatewayclass + +import ( + "context" + "fmt" + "testing" + + "github.com/google/go-cmp/cmp" + "github.com/google/go-cmp/cmp/cmpopts" + "github.com/stretchr/testify/assert" + + "github.com/istio-ecosystem/sail-operator/pkg/install" + + testutil "github.com/openshift/cluster-ingress-operator/pkg/operator/controller/test/util" + + operatorsv1alpha1 "github.com/operator-framework/api/pkg/operators/v1alpha1" + + apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/types" + + "sigs.k8s.io/controller-runtime/pkg/cache/informertest" + "sigs.k8s.io/controller-runtime/pkg/client" + "sigs.k8s.io/controller-runtime/pkg/client/fake" +) + +// fakeSailInstaller implements the Istio methods for installation +// We care for now just about Apply, Uninstall and Status for the reconciliation tests +type fakeSailInstaller struct { + notifyCh chan struct{} + internalOpts install.Options + status install.Status + uninstallCalled bool + uninstallError error +} + +// Test if implementation adheres the interface +var _ SailLibraryInstaller = &fakeSailInstaller{} + +func (i *fakeSailInstaller) Start(ctx context.Context) <-chan struct{} { + i.notifyCh = make(chan struct{}) + return i.notifyCh +} + +func (i *fakeSailInstaller) Apply(opts install.Options) { + i.internalOpts = opts // Capture the options passed in + + // Simulate successful installation with CRDs not yet installed + i.status.Installed = true + i.status.Version = opts.Version + i.status.CRDState = install.CRDNoneExist +} + +func (i *fakeSailInstaller) Uninstall(ctx context.Context, namespace, revision string) error { + i.uninstallCalled = true + return i.uninstallError +} + +func (i *fakeSailInstaller) Status() install.Status { + return i.status +} + +func (i *fakeSailInstaller) Enqueue() {} + +func Test_overwriteOLMManagedCRDFunc(t *testing.T) { + crd := func(name string, labels map[string]string) *apiextensionsv1.CustomResourceDefinition { + return &apiextensionsv1.CustomResourceDefinition{ + ObjectMeta: metav1.ObjectMeta{ + Name: name, + Labels: labels, + }, + } + } + + subscription := func(name, namespace, label string) *operatorsv1alpha1.Subscription { + sub := &operatorsv1alpha1.Subscription{ + ObjectMeta: metav1.ObjectMeta{ + Name: name, + Namespace: namespace, + }, + } + if label != "" { + sub.Labels = map[string]string{label: ""} + } + return sub + } + + installPlan := func(label string) *operatorsv1alpha1.InstallPlan { + return &operatorsv1alpha1.InstallPlan{ + ObjectMeta: metav1.ObjectMeta{ + Name: "install-plan-1", + Namespace: "openshift-operators", + Labels: map[string]string{label: ""}, + }, + } + } + + tests := []struct { + name string + crd *apiextensionsv1.CustomResourceDefinition + existingObjects []client.Object + expectedResult bool + }{ + { + name: "nil CRD returns false", + crd: nil, + expectedResult: false, + }, + { + name: "CRD with no labels can be overwritten", + crd: crd("test-crd", nil), + expectedResult: true, + }, + { + name: "CRD without olm.managed label can be overwritten", + crd: crd("test-crd", map[string]string{ + "some-other-label": "value", + }), + expectedResult: true, + }, + { + name: "CRD with olm.managed=false can be overwritten", + crd: crd("test-crd", map[string]string{ + "olm.managed": "false", + }), + expectedResult: true, + }, + { + name: "CRD with olm.managed but no subscription label can be overwritten", + crd: crd("test-crd", map[string]string{ + "olm.managed": "true", + }), + expectedResult: true, + }, + { + name: "CRD with olm.managed and invalid subscription label can be overwritten", + crd: crd("test-crd", map[string]string{ + "olm.managed": "true", + "operators.coreos.com/invalid": "", + "operators.coreos.com/too.many.dots": "", + }), + expectedResult: true, + }, + { + name: "CRD with active InstallPlans cannot be overwritten", + crd: crd("test-crd", map[string]string{ + "olm.managed": "true", + "operators.coreos.com/servicemeshoperator.openshift-operators": "", + }), + existingObjects: []client.Object{ + installPlan("operators.coreos.com/servicemeshoperator.openshift-operators"), + }, + expectedResult: false, + }, + { + name: "CRD with subscription but no InstallPlans cannot be overwritten", + crd: crd("test-crd", map[string]string{ + "olm.managed": "true", + "operators.coreos.com/servicemeshoperator.openshift-operators": "", + }), + existingObjects: []client.Object{ + subscription("servicemeshoperator", "openshift-operators", "operators.coreos.com/servicemeshoperator.openshift-operators"), + }, + expectedResult: false, + }, + { + name: "CRD without subscription can be overwritten", + crd: crd("test-crd", map[string]string{ + "olm.managed": "true", + "operators.coreos.com/servicemeshoperator.openshift-operators": "", + }), + existingObjects: []client.Object{}, + expectedResult: true, + }, + { + name: "CRD with subscription name containing dots - parses correctly", + crd: crd("test-crd", map[string]string{ + "olm.managed": "true", + "operators.coreos.com/my.service.operator.openshift-operators": "", + }), + existingObjects: []client.Object{ + subscription("my.service.operator", "openshift-operators", "operators.coreos.com/my.service.operator.openshift-operators"), + }, + expectedResult: false, + }, + { + name: "CRD with subscription name containing dots - subscription deleted", + crd: crd("test-crd", map[string]string{ + "olm.managed": "true", + "operators.coreos.com/my.service.operator.openshift-operators": "", + }), + existingObjects: []client.Object{}, + expectedResult: true, + }, + { + name: "CRD with multiple subscription labels - one active subscription exists", + crd: crd("test-crd", map[string]string{ + "olm.managed": "true", + "operators.coreos.com/operator-one.openshift-operators": "", + "operators.coreos.com/operator-two.openshift-operators": "", + }), + existingObjects: []client.Object{ + subscription("operator-two", "openshift-operators", "operators.coreos.com/operator-two.openshift-operators"), + }, + expectedResult: false, + }, + { + name: "CRD with multiple subscription labels - all subscriptions deleted", + crd: crd("test-crd", map[string]string{ + "olm.managed": "true", + "operators.coreos.com/operator-one.openshift-operators": "", + "operators.coreos.com/operator-two.openshift-operators": "", + }), + existingObjects: []client.Object{}, + expectedResult: true, + }, + } + + scheme := runtime.NewScheme() + operatorsv1alpha1.AddToScheme(scheme) + apiextensionsv1.AddToScheme(scheme) + + for _, tc := range tests { + t.Run(tc.name, func(t *testing.T) { + fakeClient := fake.NewClientBuilder(). + WithScheme(scheme). + WithObjects(tc.existingObjects...). + Build() + informer := informertest.FakeInformers{Scheme: scheme} + cache := &testutil.FakeCache{Informers: &informer, Reader: fakeClient} + + reconciler := &reconciler{ + cache: cache, + } + + result := reconciler.overwriteOLMManagedCRDFunc(context.Background(), tc.crd) + assert.Equal(t, tc.expectedResult, result) + }) + } +} + +func Test_mapStatusToConditions(t *testing.T) { + tests := []struct { + name string + status install.Status + generation int64 + initialConditions []metav1.Condition + expectedConditions []metav1.Condition + expectedChanged bool + }{ + { + name: "Installed with CRDs managed by CIO", + status: install.Status{ + Installed: true, + Version: "v1.24.4", + CRDState: install.CRDManagedByCIO, + CRDMessage: "CRDs installed by cluster-ingress-operator", + }, + generation: 1, + expectedConditions: []metav1.Condition{ + { + Type: ControllerInstalledConditionType, + Status: metav1.ConditionTrue, + Reason: "Installed", + Message: "istiod v1.24.4 installed", + ObservedGeneration: 1, + }, + { + Type: CRDsReadyConditionType, + Status: metav1.ConditionTrue, + Reason: "ManagedByCIO", + Message: "CRDs installed by cluster-ingress-operator", + ObservedGeneration: 1, + }, + }, + expectedChanged: true, + }, + { + name: "Installed with CRDs managed by OLM", + status: install.Status{ + Installed: true, + Version: "v1.24.4", + CRDState: install.CRDManagedByOLM, + CRDMessage: "CRDs managed by OLM", + }, + generation: 1, + expectedConditions: []metav1.Condition{ + { + Type: ControllerInstalledConditionType, + Status: metav1.ConditionTrue, + Reason: "Installed", + Message: "istiod v1.24.4 installed", + ObservedGeneration: 1, + }, + { + Type: CRDsReadyConditionType, + Status: metav1.ConditionTrue, + Reason: "ManagedByOLM", + Message: "CRDs managed by OLM", + ObservedGeneration: 1, + }, + }, + expectedChanged: true, + }, + { + name: "Installed with no CRDs", + status: install.Status{ + Installed: true, + Version: "v1.24.4", + CRDState: install.CRDNoneExist, + }, + generation: 2, + expectedConditions: []metav1.Condition{ + { + Type: ControllerInstalledConditionType, + Status: metav1.ConditionTrue, + Reason: "Installed", + Message: "istiod v1.24.4 installed", + ObservedGeneration: 2, + }, + { + Type: CRDsReadyConditionType, + Status: metav1.ConditionUnknown, + Reason: "NoneExist", + Message: "CRDs not yet installed", + ObservedGeneration: 2, + }, + }, + expectedChanged: true, + }, + { + name: "Installed with mixed CRD ownership", + status: install.Status{ + Installed: true, + Version: "v1.24.4", + CRDState: install.CRDMixedOwnership, + CRDMessage: "Mixed ownership detected", + CRDs: []install.CRDInfo{ + {Name: "gateways.gateway.networking.k8s.io", State: install.CRDManagedByOLM}, + {Name: "httproutes.gateway.networking.k8s.io", State: install.CRDManagedByCIO}, + }, + }, + generation: 1, + expectedConditions: []metav1.Condition{ + { + Type: ControllerInstalledConditionType, + Status: metav1.ConditionTrue, + Reason: "Installed", + Message: "istiod v1.24.4 installed", + ObservedGeneration: 1, + }, + { + Type: CRDsReadyConditionType, + Status: metav1.ConditionFalse, + Reason: "MixedOwnership", + Message: "Mixed ownership detected\n- gateways.gateway.networking.k8s.io: ManagedByOLM\n- httproutes.gateway.networking.k8s.io: ManagedByCIO", + ObservedGeneration: 1, + }, + }, + expectedChanged: true, + }, + { + name: "Install failed", + status: install.Status{ + Installed: false, + Error: fmt.Errorf("failed to apply helm chart"), + CRDState: install.CRDUnknownManagement, + }, + generation: 1, + expectedConditions: []metav1.Condition{ + { + Type: ControllerInstalledConditionType, + Status: metav1.ConditionFalse, + Reason: "InstallFailed", + Message: "failed to apply helm chart", + ObservedGeneration: 1, + }, + { + Type: CRDsReadyConditionType, + Status: metav1.ConditionFalse, + Reason: "UnknownManagement", + Message: "unable to determine CRD ownership", + ObservedGeneration: 1, + }, + }, + expectedChanged: true, + }, + { + name: "Pending installation", + status: install.Status{ + Installed: false, + CRDState: install.CRDNoneExist, + }, + generation: 1, + expectedConditions: []metav1.Condition{ + { + Type: ControllerInstalledConditionType, + Status: metav1.ConditionUnknown, + Reason: "Pending", + Message: "waiting for first reconciliation", + ObservedGeneration: 1, + }, + { + Type: CRDsReadyConditionType, + Status: metav1.ConditionUnknown, + Reason: "NoneExist", + Message: "CRDs not yet installed", + ObservedGeneration: 1, + }, + }, + expectedChanged: true, + }, + { + name: "Installed with warning", + status: install.Status{ + Installed: true, + Version: "v1.24.4", + Error: fmt.Errorf("drift detected in deployment"), + CRDState: install.CRDManagedByCIO, + CRDMessage: "CRDs managed", + }, + generation: 3, + expectedConditions: []metav1.Condition{ + { + Type: ControllerInstalledConditionType, + Status: metav1.ConditionTrue, + Reason: "Installed", + Message: "istiod v1.24.4 installed (with warning: drift detected in deployment)", + ObservedGeneration: 3, + }, + { + Type: CRDsReadyConditionType, + Status: metav1.ConditionTrue, + Reason: "ManagedByCIO", + Message: "CRDs managed", + ObservedGeneration: 3, + }, + }, + expectedChanged: true, + }, + { + name: "Unknown CRD management", + status: install.Status{ + Installed: true, + Version: "v1.24.4", + CRDState: install.CRDUnknownManagement, + CRDMessage: "Cannot determine CRD ownership", + }, + generation: 1, + expectedConditions: []metav1.Condition{ + { + Type: ControllerInstalledConditionType, + Status: metav1.ConditionTrue, + Reason: "Installed", + Message: "istiod v1.24.4 installed", + ObservedGeneration: 1, + }, + { + Type: CRDsReadyConditionType, + Status: metav1.ConditionFalse, + Reason: "UnknownManagement", + Message: "Cannot determine CRD ownership", + ObservedGeneration: 1, + }, + }, + expectedChanged: true, + }, + { + name: "No change when conditions already set", + status: install.Status{ + Installed: true, + Version: "v1.24.4", + CRDState: install.CRDManagedByCIO, + CRDMessage: "CRDs installed by cluster-ingress-operator", + }, + generation: 1, + initialConditions: []metav1.Condition{ + { + Type: ControllerInstalledConditionType, + Status: metav1.ConditionTrue, + Reason: "Installed", + Message: "istiod v1.24.4 installed", + ObservedGeneration: 1, + LastTransitionTime: metav1.Now(), + }, + { + Type: CRDsReadyConditionType, + Status: metav1.ConditionTrue, + Reason: "ManagedByCIO", + Message: "CRDs installed by cluster-ingress-operator", + ObservedGeneration: 1, + LastTransitionTime: metav1.Now(), + }, + }, + expectedConditions: []metav1.Condition{ + { + Type: ControllerInstalledConditionType, + Status: metav1.ConditionTrue, + Reason: "Installed", + Message: "istiod v1.24.4 installed", + ObservedGeneration: 1, + }, + { + Type: CRDsReadyConditionType, + Status: metav1.ConditionTrue, + Reason: "ManagedByCIO", + Message: "CRDs installed by cluster-ingress-operator", + ObservedGeneration: 1, + }, + }, + expectedChanged: false, + }, + } + + for _, tc := range tests { + t.Run(tc.name, func(t *testing.T) { + conditions := tc.initialConditions + if conditions == nil { + conditions = []metav1.Condition{} + } + changed := mapStatusToConditions(tc.status, tc.generation, &conditions) + if changed != tc.expectedChanged { + t.Errorf("expected changed=%v, got changed=%v", tc.expectedChanged, changed) + } + + cmpOpts := []cmp.Option{ + cmpopts.IgnoreFields(metav1.Condition{}, "LastTransitionTime"), + cmpopts.SortSlices(func(a, b metav1.Condition) bool { return a.Type < b.Type }), + } + if diff := cmp.Diff(tc.expectedConditions, conditions, cmpOpts...); diff != "" { + t.Fatalf("found diff between expected and actual conditions: %s", diff) + } + }) + } +} + +// TestOLMAndSailLibraryValuesMatch ensures that the OpenShift-specific Istio configuration +// is identical between the OLM path (desiredIstio) and Sail Library path (openshiftValues) +// during the transition period. This test can be removed once the OLM path is deleted. +func TestOLMAndSailLibraryValuesMatch(t *testing.T) { + testCases := []struct { + name string + enableInferenceExtension bool + }{ + { + name: "without inference extension", + enableInferenceExtension: false, + }, + { + name: "with inference extension", + enableInferenceExtension: true, + }, + } + + for _, tc := range testCases { + t.Run(tc.name, func(t *testing.T) { + // Get values from Sail Library path (GatewayAPIDefaults + OpenShift overrides) + sailValues := install.GatewayAPIDefaults() + openshiftOverrides := openshiftValues(tc.enableInferenceExtension, "openshift-ingress") + sailValues = install.MergeValues(sailValues, openshiftOverrides) + + // Get values from OLM path + olmIstio := desiredIstio( + types.NamespacedName{Name: "test", Namespace: "test-ns"}, + metav1.OwnerReference{}, + "v1.24.4", + tc.enableInferenceExtension, + ) + + cmpOpts := []cmp.Option{ + cmpopts.EquateEmpty(), + // Ignore X_PILOT_IGNORE_RESOURCES and X_PILOT_INCLUDE_RESOURCES env variables. + // These were added in the Sail Library update and are not present in the OLM path. + cmpopts.IgnoreMapEntries(func(k string, v string) bool { + return k == "X_PILOT_IGNORE_RESOURCES" || k == "X_PILOT_INCLUDE_RESOURCES" + }), + } + + // Compare entire Values struct + if diff := cmp.Diff(olmIstio.Spec.Values, sailValues, cmpOpts...); diff != "" { + t.Errorf("Values differ between OLM and Sail Library paths:\n%s", diff) + } + }) + } +} diff --git a/pkg/operator/controller/gatewayclass/migration.go b/pkg/operator/controller/gatewayclass/migration.go new file mode 100644 index 0000000000..cb5ab59355 --- /dev/null +++ b/pkg/operator/controller/gatewayclass/migration.go @@ -0,0 +1,106 @@ +package gatewayclass + +import ( + "context" + "fmt" + + sailv1 "github.com/istio-ecosystem/sail-operator/api/v1" + + "github.com/openshift/cluster-ingress-operator/pkg/operator/controller" + + "k8s.io/apimachinery/pkg/api/errors" +) + +// ensureOSSMtoSailLibraryMigration handles the upgrade migration from OLM-based +// Istio installation to Helm-based installation via Sail Library. +// +// Steps: +// 1. Check if old Istio CR exists and delete it if present +// 2. Wait for Sail Operator to clean up IstioRevision and Helm resources +// 3. Return nil when cleanup is complete to proceed with Helm-based installation +// +// Returns a bool whether the migration is complete and an error. +// +// This migration logic can be removed in 4.23+ (all clusters will have migrated). +func (r *reconciler) ensureOSSMtoSailLibraryMigration(ctx context.Context) (bool, error) { + // Check if migration is needed. + needsMigration, istio, err := r.needsOSSMtoSailLibraryMigration(ctx) + if err != nil { + return false, fmt.Errorf("failed to check migration status: %w", err) + } + if !needsMigration { + // No Istio CR found, check if we're waiting for IstioRevision cleanup. + istioRevisionExists, err := r.istioRevisionExists(ctx) + if err != nil { + return false, fmt.Errorf("failed to check for IstioRevision: %w", err) + } + if istioRevisionExists { + log.Info("IstioRevision still exists, requeueing to wait for cleanup", "name", controller.IstioName("").Name) + return false, nil + } + return true, nil + } + + // Istio CR exists - delete it to trigger Sail Operator cleanup. + log.Info("Migrating from OSSM to Sail Library: deleting Istio CR", "name", controller.IstioName("")) + + if err := r.client.Delete(ctx, istio); err != nil { + if errors.IsNotFound(err) { + // Already deleted between Get and Delete, that's fine. + log.Info("Istio CR already deleted during migration", "name", controller.IstioName("")) + return false, nil + } + return false, fmt.Errorf("failed to delete Istio CR: %w", err) + } + + // Waiting for istio revision cleanup. + return false, nil +} + +// needsOSSMtoSailLibraryMigration checks if an Istio CR exists from the OLM-based +// installation, indicating that migration to Sail Library is needed. +func (r *reconciler) needsOSSMtoSailLibraryMigration(ctx context.Context) (bool, *sailv1.Istio, error) { + // First check if the Istio CRD exists. + istioCrdExists, err := r.crdExists(ctx, "istios.sailoperator.io") + if err != nil { + return false, nil, fmt.Errorf("failed to check for Istio CRD: %w", err) + } + if !istioCrdExists { + return false, nil, nil + } + + // Check if the specific Istio CR "openshift-gateway" exists. + name := controller.IstioName(r.config.OperandNamespace) + exists, istio, err := r.currentIstio(ctx, name) + if err != nil { + return false, nil, fmt.Errorf("failed to check for Istio CR: %w", err) + } + if !exists { + return false, nil, nil + } + + return true, istio, nil +} + +// istioRevisionExists checks if an IstioRevision resource exists with the expected name. +func (r *reconciler) istioRevisionExists(ctx context.Context) (bool, error) { + istioRevisionCrdExists, err := r.crdExists(ctx, "istiorevisions.sailoperator.io") + if err != nil { + return false, fmt.Errorf("failed to check for IstioRevision CRD: %w", err) + } + if !istioRevisionCrdExists { + return false, nil + } + + // Check if the IstioRevision resource exists. + istioRevisionName := controller.IstioName("") + istioRevision := &sailv1.IstioRevision{} + err = r.client.Get(ctx, istioRevisionName, istioRevision) + if err != nil { + if errors.IsNotFound(err) { + return false, nil + } + return false, fmt.Errorf("failed to get IstioRevision: %w", err) + } + return true, nil +} diff --git a/pkg/operator/controller/gatewayclass/status.go b/pkg/operator/controller/gatewayclass/status.go new file mode 100644 index 0000000000..a65a08fafe --- /dev/null +++ b/pkg/operator/controller/gatewayclass/status.go @@ -0,0 +1,115 @@ +package gatewayclass + +import ( + "bytes" + "fmt" + + "github.com/istio-ecosystem/sail-operator/pkg/install" + + "k8s.io/apimachinery/pkg/api/meta" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +const ( + // ControllerInstalledConditionType indicates whether the Istio control plane (istiod) + // has been successfully installed by the Sail Library. + // Status values: + // - True (Installed): istiod is installed and running + // - False (InstallFailed): installation failed with an error + // - Unknown (Pending): waiting for first reconciliation + ControllerInstalledConditionType = "ControllerInstalled" + + // CRDsReadyConditionType indicates the ownership and readiness state of Istio CRDs. + // Status values: + // - True (ManagedByCIO/ManagedByOLM): CRDs are managed by CIO or OLM respectively + // - Unknown (NoneExist): CRDs have not yet been installed + // - False (MixedOwnership/UnknownManagement): CRDs have conflicting ownership or unknown management + CRDsReadyConditionType = "CRDsReady" +) + +// mapStatusToConditions translates the Sail Library Status into GatewayClass conditions. +// Returns true if any conditions were added or updated. +func mapStatusToConditions(status install.Status, generation int64, conditions *[]metav1.Condition) bool { + installed := metav1.Condition{ + Type: ControllerInstalledConditionType, + ObservedGeneration: generation, + LastTransitionTime: metav1.Now(), + } + if status.Installed { + installed.Status = metav1.ConditionTrue + installed.Reason = "Installed" + if status.Error != nil { + installed.Message = fmt.Sprintf("istiod %s installed (with warning: %v)", status.Version, status.Error) + } else { + installed.Message = fmt.Sprintf("istiod %s installed", status.Version) + } + } else if status.Error != nil { + installed.Status = metav1.ConditionFalse + installed.Reason = "InstallFailed" + installed.Message = status.Error.Error() + } else { + installed.Status = metav1.ConditionUnknown + installed.Reason = "Pending" + installed.Message = "waiting for first reconciliation" + } + + changed := meta.SetStatusCondition(conditions, installed) + + // CRD condition: reflects CRD ownership state. + crd := metav1.Condition{ + Type: CRDsReadyConditionType, + ObservedGeneration: generation, + LastTransitionTime: metav1.Now(), + } + switch status.CRDState { + case install.CRDManagedByCIO: + crd.Status = metav1.ConditionTrue + crd.Reason = "ManagedByCIO" + crd.Message = status.CRDMessage + case install.CRDManagedByOLM: + crd.Status = metav1.ConditionTrue + crd.Reason = "ManagedByOLM" + crd.Message = status.CRDMessage + case install.CRDNoneExist: + crd.Status = metav1.ConditionUnknown + crd.Reason = "NoneExist" + crd.Message = "CRDs not yet installed" + case install.CRDMixedOwnership: + crd.Status = metav1.ConditionFalse + crd.Reason = "MixedOwnership" + crd.Message = getCRDStatusMessage(status) + default: + crd.Status = metav1.ConditionFalse + crd.Reason = "UnknownManagement" + crd.Message = getCRDStatusMessage(status) + } + changed = meta.SetStatusCondition(conditions, crd) || changed + + return changed +} + +// removeSailInstallConditions removes conditions that track Sail Library installation state. +func removeSailInstallConditions(conditions *[]metav1.Condition) { + meta.RemoveStatusCondition(conditions, ControllerInstalledConditionType) + meta.RemoveStatusCondition(conditions, CRDsReadyConditionType) +} + +// getCRDStatusMessage formats a detailed CRD status message including the overall +// state and a bulleted list of individual CRD ownership states. +func getCRDStatusMessage(status install.Status) string { + if status.CRDMessage == "" && len(status.CRDs) == 0 { + return "unable to determine CRD ownership" + } + var message bytes.Buffer + if _, err := message.WriteString(status.CRDMessage); err != nil { + log.Error(err, "error writing CRD status", "status", status.CRDMessage) + } + for _, info := range status.CRDs { + crdMsg := fmt.Sprintf("\n- %s: %s", info.Name, info.State) + _, err := message.WriteString(crdMsg) + if err != nil { + log.Error(err, "error writing CRD message", "crd", info.Name) + } + } + return message.String() +} diff --git a/pkg/operator/controller/status/controller.go b/pkg/operator/controller/status/controller.go index fc1d94e3b9..8437a8d1ec 100644 --- a/pkg/operator/controller/status/controller.go +++ b/pkg/operator/controller/status/controller.go @@ -204,6 +204,7 @@ type Config struct { // OperatorLifecycleManagerEnabled indicates whether the // "OperatorLifecycleManager" capability is enabled. OperatorLifecycleManagerEnabled bool + GatewayAPIWithoutOLMEnabled bool IngressControllerImage string CanaryImage string OperatorReleaseVersion string @@ -388,6 +389,8 @@ type operatorState struct { DNSRecords []iov1.DNSRecord unmanagedGatewayAPICRDNames string + // useSailLibrary indicates whether the GatewayAPIWithoutOLM feature is enabled. + useSailLibrary bool // haveOSSMSubscription means that the subscription for OSSM 3 exists. haveOSSMSubscription bool // haveIstiosResource means that the "istios.sailproject.io" CRD exists. @@ -447,7 +450,13 @@ func (r *reconciler) getOperatorState(ctx context.Context, ingressNamespace, can state.unmanagedGatewayAPICRDNames = extension.UnmanagedGatewayAPICRDNames } - if r.config.GatewayAPIControllerEnabled && r.config.MarketplaceEnabled && r.config.OperatorLifecycleManagerEnabled { + // Check for Gateway API resources. + // OLM related objects are kept to handle failed migration scenarios, even though + // Sail Library doesn't use OLM. Can be removed after all clusters migrate + useOLM := r.config.MarketplaceEnabled && r.config.OperatorLifecycleManagerEnabled + useSailLibrary := r.config.GatewayAPIWithoutOLMEnabled + state.useSailLibrary = useSailLibrary + if r.config.GatewayAPIControllerEnabled && (useOLM || useSailLibrary) { var subscription operatorsv1alpha1.Subscription subscriptionName := operatorcontroller.ServiceMeshOperatorSubscriptionName() if err := r.cache.Get(ctx, subscriptionName, &subscription); err != nil { @@ -456,7 +465,6 @@ func (r *reconciler) getOperatorState(ctx context.Context, ingressNamespace, can } } else { state.haveOSSMSubscription = true - } var ( @@ -466,6 +474,22 @@ func (r *reconciler) getOperatorState(ctx context.Context, ingressNamespace, can istiosResourceNamespacedName = types.NamespacedName{Name: istiosResourceName} ) + state.expectedGatewayAPIOperatorVersion = r.config.GatewayAPIOperatorVersion + + // List OSSM subscriptions (OLM-specific only). + // In Sail Library mode, we don't check for subscription conflicts, so no need to list them. + if useOLM { + subscriptionList := operatorsv1alpha1.SubscriptionList{} + if err := r.subscriptionCache.List(ctx, &subscriptionList); err != nil { + return state, fmt.Errorf("failed to get subscriptions: %w", err) + } + for _, subscription := range subscriptionList.Items { + if subscription.Spec != nil && ossmSubscriptions.Has(subscription.Spec.Package) { + state.ossmSubscriptions = append(state.ossmSubscriptions, subscription) + } + } + } + if err := r.cache.Get(ctx, gatewaysResourceNamespacedName, &crd); err != nil { if !errors.IsNotFound(err) { return state, fmt.Errorf("failed to get CRD %q: %v", gatewaysResourceName, err) @@ -488,17 +512,6 @@ func (r *reconciler) getOperatorState(ctx context.Context, ingressNamespace, can state.haveIstiosResource = true } - state.expectedGatewayAPIOperatorVersion = r.config.GatewayAPIOperatorVersion - subscriptionList := operatorsv1alpha1.SubscriptionList{} - if err := r.subscriptionCache.List(ctx, &subscriptionList); err != nil { - return state, fmt.Errorf("failed to get subscriptions: %w", err) - } - for _, subscription := range subscriptionList.Items { - if subscription.Spec != nil && ossmSubscriptions.Has(subscription.Spec.Package) { - state.ossmSubscriptions = append(state.ossmSubscriptions, subscription) - } - } - gatewayClassList := gatewayapiv1.GatewayClassList{} if err := r.cache.List(ctx, &gatewayClassList, client.MatchingFields{ operatorcontroller.GatewayClassIndexFieldName: operatorcontroller.OpenShiftGatewayClassControllerName, @@ -638,6 +651,12 @@ func computeGatewayAPICRDsDegradedCondition(state operatorState) configv1.Cluste func computeGatewayAPIInstallDegradedCondition(state operatorState) configv1.ClusterOperatorStatusCondition { degradedCondition := configv1.ClusterOperatorStatusCondition{} + // Subscription conflicts only apply to OLM-based installations. + // In Sail Library mode, we install Istio directly via Helm, so OLM subscriptions are irrelevant. + if state.useSailLibrary { + return degradedCondition + } + // If OSSM doesn't need to be installed, or there are no possible conflicting subscriptions, return degraded=false. if !state.shouldInstallOSSM || len(state.ossmSubscriptions) == 0 { return degradedCondition diff --git a/pkg/operator/controller/status/controller_test.go b/pkg/operator/controller/status/controller_test.go index 704d6935aa..a3e39a8107 100644 --- a/pkg/operator/controller/status/controller_test.go +++ b/pkg/operator/controller/status/controller_test.go @@ -695,13 +695,23 @@ func Test_computeOperatorDegradedCondition(t *testing.T) { return ic } + type mode string + const ( + olmMode mode = "OLM" + sailLibraryMode mode = "SailLibrary" + both mode = "Both" + ) + testCases := []struct { description string + modes mode // Which modes this test applies to state operatorState expectCondition configv1.ClusterOperatorStatusCondition }{ + // Common tests (run in both modes) { description: "no ingresscontrollers exist", + modes: both, state: operatorState{}, expectCondition: configv1.ClusterOperatorStatusCondition{ Type: configv1.OperatorDegraded, @@ -712,6 +722,7 @@ func Test_computeOperatorDegradedCondition(t *testing.T) { }, { description: "no default ingresscontroller", + modes: both, state: operatorState{ IngressControllers: []operatorv1.IngressController{ icWithStatus("test1", false), @@ -727,6 +738,7 @@ func Test_computeOperatorDegradedCondition(t *testing.T) { }, { description: "default ingresscontroller degraded", + modes: both, state: operatorState{ IngressControllers: []operatorv1.IngressController{ icWithStatus("default", true), @@ -742,6 +754,7 @@ func Test_computeOperatorDegradedCondition(t *testing.T) { }, { description: "default ingresscontroller not degraded", + modes: both, state: operatorState{ IngressControllers: []operatorv1.IngressController{ icWithStatus("default", false), @@ -757,6 +770,7 @@ func Test_computeOperatorDegradedCondition(t *testing.T) { }, { description: "default ingresscontroller status unknown", + modes: both, state: operatorState{ IngressControllers: []operatorv1.IngressController{ ic("default"), @@ -771,6 +785,7 @@ func Test_computeOperatorDegradedCondition(t *testing.T) { }, { description: "default ingresscontroller not degraded but unmanaged gateway api crds exist", + modes: both, state: operatorState{ IngressControllers: []operatorv1.IngressController{ icWithStatus("default", false), @@ -786,6 +801,7 @@ func Test_computeOperatorDegradedCondition(t *testing.T) { }, { description: "default ingresscontroller degraded and unmanaged gateway api crds exist", + modes: both, state: operatorState{ IngressControllers: []operatorv1.IngressController{ icWithStatus("default", true), @@ -799,8 +815,10 @@ func Test_computeOperatorDegradedCondition(t *testing.T) { Message: `The "default" ingress controller reports Degraded=True: dummy: dummy.` + "\n" + `Unmanaged Gateway API CRDs found: notvalid.gateway.networking.k8s.io.`, }, }, + // OLM-specific tests { description: "Gateway API Enabled", + modes: olmMode, state: operatorState{ IngressControllers: []operatorv1.IngressController{ icWithStatus("default", false), @@ -820,6 +838,7 @@ func Test_computeOperatorDegradedCondition(t *testing.T) { }, { description: "Gateway API Enabled, Sail Operator present", + modes: olmMode, state: operatorState{ IngressControllers: []operatorv1.IngressController{ icWithStatus("default", false), @@ -840,6 +859,7 @@ func Test_computeOperatorDegradedCondition(t *testing.T) { }, { description: "Gateway API Enabled, Sail Operator present, older OSSM3 present", + modes: olmMode, state: operatorState{ IngressControllers: []operatorv1.IngressController{ icWithStatus("default", false), @@ -861,6 +881,7 @@ func Test_computeOperatorDegradedCondition(t *testing.T) { }, { description: "Gateway API Enabled, newer OSSM3 present", + modes: olmMode, state: operatorState{ IngressControllers: []operatorv1.IngressController{ icWithStatus("default", false), @@ -880,6 +901,7 @@ func Test_computeOperatorDegradedCondition(t *testing.T) { }, { description: "Gateway API Enabled, OSSM3 present with unexpected version number", + modes: olmMode, state: operatorState{ IngressControllers: []operatorv1.IngressController{ icWithStatus("default", false), @@ -897,15 +919,79 @@ func Test_computeOperatorDegradedCondition(t *testing.T) { Message: "The \"default\" ingress controller reports Degraded=False.\nfailed to compare installed OSSM version to expected: \"servicemeshoperator3.v3.5-beta\" does not match expected format", }, }, + // Sail Library-specific tests + { + description: "OSSM subscription conflicts ignored", + modes: sailLibraryMode, + state: operatorState{ + IngressControllers: []operatorv1.IngressController{ + icWithStatus("default", false), + }, + ossmSubscriptions: []operatorsv1alpha1.Subscription{ + sub("sailoperator", "sailoperator", "sailoperator.v1.0.0", false), + sub("servicemeshoperator3", "servicemeshoperator3", "servicemeshoperator3.v3.0.0", false), + }, + shouldInstallOSSM: true, + expectedGatewayAPIOperatorVersion: "servicemeshoperator3.v3.1.0", + }, + expectCondition: configv1.ClusterOperatorStatusCondition{ + Type: configv1.OperatorDegraded, + Status: configv1.ConditionFalse, + Reason: "IngressNotDegraded", + Message: `The "default" ingress controller reports Degraded=False.`, + }, + }, + { + description: "OSSM conflicts ignored but unmanaged CRDs still degrade", + modes: sailLibraryMode, + state: operatorState{ + IngressControllers: []operatorv1.IngressController{ + icWithStatus("default", false), + }, + ossmSubscriptions: []operatorsv1alpha1.Subscription{ + sub("sailoperator", "sailoperator", "sailoperator.v1.0.0", false), + }, + shouldInstallOSSM: true, + expectedGatewayAPIOperatorVersion: "servicemeshoperator3.v3.1.0", + unmanagedGatewayAPICRDNames: "httproutes.gateway.networking.k8s.io", + }, + expectCondition: configv1.ClusterOperatorStatusCondition{ + Type: configv1.OperatorDegraded, + Status: configv1.ConditionTrue, + Reason: "GatewayAPICRDsDegraded", + Message: "Unmanaged Gateway API CRDs found: httproutes.gateway.networking.k8s.io.", + }, + }, } for _, tc := range testCases { - t.Run(tc.description, func(t *testing.T) { - actual := computeOperatorDegradedCondition(tc.state) - if diff := cmp.Diff(actual, tc.expectCondition); diff != "" { - t.Fatalf("actual condition differs from expected: %v", diff) + var modesToRun []bool // false = OLM, true = Sail + switch tc.modes { + case olmMode: + modesToRun = []bool{false} + case sailLibraryMode: + modesToRun = []bool{true} + case both: + modesToRun = []bool{false, true} + } + + for _, useSail := range modesToRun { + modeLabel := "OLM" + if useSail { + modeLabel = "SailLibrary" } - }) + testName := fmt.Sprintf("%s [%s]", tc.description, modeLabel) + + t.Run(testName, func(t *testing.T) { + state := tc.state + state.useSailLibrary = useSail + + actual := computeOperatorDegradedCondition(state) + if diff := cmp.Diff(actual, tc.expectCondition); diff != "" { + t.Fatalf("actual condition differs from expected: %v", diff) + } + }) + } } } diff --git a/pkg/operator/controller/test/util/fake.go b/pkg/operator/controller/test/util/fake.go index f49acd5af8..026dde81d9 100644 --- a/pkg/operator/controller/test/util/fake.go +++ b/pkg/operator/controller/test/util/fake.go @@ -29,6 +29,7 @@ type FakeClientRecorder struct { Added []client.Object Updated []client.Object Deleted []client.Object + Patched []client.Object StatusWriter *FakeStatusWriter } @@ -69,6 +70,7 @@ func (c *FakeClientRecorder) Update(ctx context.Context, obj client.Object, opts } func (c *FakeClientRecorder) Patch(ctx context.Context, obj client.Object, patch client.Patch, opts ...client.PatchOption) error { + c.Patched = append(c.Patched, obj) return c.Client.Patch(ctx, obj, patch, opts...) } @@ -84,6 +86,7 @@ type FakeStatusWriter struct { Added []client.Object Updated []client.Object + Patched []client.Object } func (w *FakeStatusWriter) Create(ctx context.Context, obj client.Object, subResource client.Object, opts ...client.SubResourceCreateOption) error { @@ -97,6 +100,7 @@ func (w *FakeStatusWriter) Update(ctx context.Context, obj client.Object, opts . } func (w *FakeStatusWriter) Patch(ctx context.Context, obj client.Object, patch client.Patch, opts ...client.SubResourcePatchOption) error { + w.Patched = append(w.Patched, obj) return w.StatusWriter.Patch(ctx, obj, patch, opts...) } diff --git a/pkg/operator/operator.go b/pkg/operator/operator.go index ff5457f84b..188a0d330d 100644 --- a/pkg/operator/operator.go +++ b/pkg/operator/operator.go @@ -137,6 +137,7 @@ func New(config operatorconfig.Config, kubeConfig *rest.Config) (*Operator, erro gatewayAPIEnabled := featureGates.Enabled(features.FeatureGateGatewayAPI) gatewayAPIControllerEnabled := featureGates.Enabled(features.FeatureGateGatewayAPIController) routeExternalCertificateEnabled := featureGates.Enabled(features.FeatureGateRouteExternalCertificate) + gatewayAPIWithoutOLMEnabled := featureGates.Enabled(features.FeatureGateGatewayAPIWithoutOLM) ingressControllerDCMEnabled := featureGates.Enabled(features.FeatureGateIngressControllerDynamicConfigurationManager) cv, err := configClient.ConfigV1().ClusterVersions().Get(ctx, "version", metav1.GetOptions{}) @@ -223,6 +224,7 @@ func New(config operatorconfig.Config, kubeConfig *rest.Config) (*Operator, erro GatewayAPIControllerEnabled: gatewayAPIControllerEnabled, MarketplaceEnabled: marketplaceEnabled, OperatorLifecycleManagerEnabled: olmEnabled, + GatewayAPIWithoutOLMEnabled: gatewayAPIWithoutOLMEnabled, GatewayAPIOperatorVersion: config.GatewayAPIOperatorVersion, }); err != nil { return nil, fmt.Errorf("failed to create status controller: %v", err) @@ -313,14 +315,18 @@ func New(config operatorconfig.Config, kubeConfig *rest.Config) (*Operator, erro // Set up the gatewayclass controller. This controller is unmanaged by // the manager; the gatewayapi controller starts it after it creates the // Gateway API CRDs. - gatewayClassController, err := gatewayclasscontroller.NewUnmanaged(mgr, gatewayclasscontroller.Config{ - OperatorNamespace: config.Namespace, - OperandNamespace: operatorcontroller.DefaultOperandNamespace, - GatewayAPIOperatorCatalog: config.GatewayAPIOperatorCatalog, - GatewayAPIOperatorChannel: config.GatewayAPIOperatorChannel, - GatewayAPIOperatorVersion: config.GatewayAPIOperatorVersion, - IstioVersion: config.IstioVersion, - }) + gatewayclassControllerConfig := gatewayclasscontroller.Config{ + OperatorNamespace: config.Namespace, + OperandNamespace: operatorcontroller.DefaultOperandNamespace, + GatewayAPIOperatorCatalog: config.GatewayAPIOperatorCatalog, + GatewayAPIOperatorChannel: config.GatewayAPIOperatorChannel, + GatewayAPIOperatorVersion: config.GatewayAPIOperatorVersion, + GatewayAPIWithoutOLMEnabled: gatewayAPIWithoutOLMEnabled, + IstioVersion: config.IstioVersion, + Context: ctx, + } + + gatewayClassController, err := gatewayclasscontroller.NewUnmanaged(mgr, gatewayclassControllerConfig) if err != nil { return nil, fmt.Errorf("failed to create gatewayclass controller: %w", err) } @@ -347,6 +353,7 @@ func New(config operatorconfig.Config, kubeConfig *rest.Config) (*Operator, erro GatewayAPIControllerEnabled: gatewayAPIControllerEnabled, MarketplaceEnabled: marketplaceEnabled, OperatorLifecycleManagerEnabled: olmEnabled, + GatewayAPIWithoutOLMEnabled: gatewayAPIWithoutOLMEnabled, DependentControllers: []controller.Controller{ gatewayClassController, gatewayServiceDNSController, diff --git a/test/e2e/gateway_api_test.go b/test/e2e/gateway_api_test.go index db3b9b540c..da851542e2 100644 --- a/test/e2e/gateway_api_test.go +++ b/test/e2e/gateway_api_test.go @@ -57,6 +57,28 @@ var testCRDNames = []string{ "tests.gateway.networking.k8s.io", } +// List of Istio CRDs for testing installation and ownership. +var istioCRDNames = []string{ + // extensions.istio.io + "wasmplugins.extensions.istio.io", + // networking.istio.io + "destinationrules.networking.istio.io", + "envoyfilters.networking.istio.io", + "gateways.networking.istio.io", + "proxyconfigs.networking.istio.io", + "serviceentries.networking.istio.io", + "sidecars.networking.istio.io", + "virtualservices.networking.istio.io", + "workloadentries.networking.istio.io", + "workloadgroups.networking.istio.io", + // security.istio.io + "authorizationpolicies.security.istio.io", + "peerauthentications.security.istio.io", + "requestauthentications.security.istio.io", + // telemetry.istio.io + "telemetries.telemetry.istio.io", +} + // Global variables for testing. // The default route name to be constructed. var defaultRoutename = "" @@ -81,6 +103,11 @@ func TestGatewayAPI(t *testing.T) { t.Fatalf("error checking controller feature gate enabled status: %v", err) } + gatewayAPIWithoutOLMEnabled, err := isFeatureGateEnabled(features.FeatureGateGatewayAPIWithoutOLM) + if err != nil { + t.Fatalf("error checking without olm feature gate enabled status: %v", err) + } + // Defer the cleanup of the test gateway. t.Cleanup(func() { testGateway := gatewayapiv1.Gateway{ObjectMeta: metav1.ObjectMeta{Name: testGatewayName, Namespace: operatorcontroller.DefaultOperandNamespace}} @@ -97,17 +124,23 @@ func TestGatewayAPI(t *testing.T) { if gatewayAPIControllerEnabled { t.Run("testGatewayAPIObjects", testGatewayAPIObjects) t.Run("testGatewayAPIManualDeployment", testGatewayAPIManualDeployment) - t.Run("testGatewayAPIIstioInstallation", testGatewayAPIIstioInstallation) + if gatewayAPIWithoutOLMEnabled { + t.Run("testGatewayAPIIstioInstallationSailLibrary", testGatewayAPIIstioInstallationSailLibrary) + } else { + t.Run("testGatewayAPIIstioInstallationOLM", testGatewayAPIIstioInstallationOLM) + } t.Run("testGatewayAPIDNS", testGatewayAPIDNS) t.Run("testGatewayAPIDNSListenerUpdate", testGatewayAPIDNSListenerUpdate) t.Run("testGatewayAPIDNSListenerWithNoHostname", testGatewayAPIDNSListenerWithNoHostname) - } else { t.Log("Gateway API Controller not enabled, skipping controller tests") } t.Run("testGatewayAPIResourcesProtection", testGatewayAPIResourcesProtection) t.Run("testGatewayAPIRBAC", testGatewayAPIRBAC) t.Run("testOperatorDegradedCondition", testOperatorDegradedCondition) + if gatewayAPIWithoutOLMEnabled { + t.Run("testGatewayAPIIstioUninstallSailLibrary", testGatewayAPIIstioUninstallSailLibrary) + } } // testGatewayAPIResources tests that Gateway API Custom Resource Definitions are available. @@ -125,7 +158,7 @@ func testGatewayAPIResources(t *testing.T) { ensureCRDs(t) } -// testGatewayAPIIstioInstallation verifies that once the gatewayclass is +// testGatewayAPIIstioInstallationOLM verifies that once the gatewayclass is // created, the following operations are completed automatically and // successfully: // @@ -140,7 +173,7 @@ func testGatewayAPIResources(t *testing.T) { // // - If the Istio and Subscription CRs are deleted, they are recreated // automatically. -func testGatewayAPIIstioInstallation(t *testing.T) { +func testGatewayAPIIstioInstallationOLM(t *testing.T) { t.Log("Checking for the Subscription...") if err := assertSubscription(t, openshiftOperatorsNamespace, expectedSubscriptionName); err != nil { t.Fatalf("failed to find expected Subscription %s: %v", expectedSubscriptionName, err) @@ -179,6 +212,71 @@ func testGatewayAPIIstioInstallation(t *testing.T) { } } +// testGatewayAPIIstioInstallationSailLibrary verifies that when using the Sail +// Library installation path (without OLM), the following operations are +// completed automatically and successfully: +// +// - Istiod is installed successfully and has status Running and Ready. +// +// - Istio CRDs are installed and owned by CIO. +// +// - The GatewayClass has the sail library finalizer. +// +// - The GatewayClass has ControllerInstalled and CRDsReady status conditions. +// +// - No Subscription exists (unlike the OLM path). +// +// - No Istio CR exists (unlike the OLM path). +func testGatewayAPIIstioInstallationSailLibrary(t *testing.T) { + t.Log("Checking for the Istiod pods...") + if err := assertIstiodControlPlane(t); err != nil { + t.Fatalf("failed to find expected Istiod control plane: %v", err) + } + t.Log("Validating Istio CRDs are installed...") + if err := assertIstioCRDs(t); err != nil { + t.Fatalf("failed to validate Istio CRDs: %v", err) + } + t.Log("Checking that GatewayClass has the sail library finalizer...") + if err := assertGatewayClassFinalizer(t, "openshift-default"); err != nil { + t.Fatalf("GatewayClass does not have expected finalizer: %v", err) + } + t.Log("Checking that GatewayClass has required status conditions...") + if err := assertGatewayClassConditions(t, "openshift-default"); err != nil { + t.Fatalf("GatewayClass does not have expected conditions: %v", err) + } + t.Log("Verifying that no OLM Subscription exists...") + if err := assertNoSubscription(t, openshiftOperatorsNamespace, expectedSubscriptionName); err != nil { + t.Fatalf("unexpected OLM Subscription found: %v", err) + } + t.Log("Verifying that no Istio CR exists...") + if err := assertNoIstio(t); err != nil { + t.Fatalf("unexpected Istio CR found: %v", err) + } +} + +// testGatewayAPIIstioUninstallSailLibrary verifies that when the GatewayClass +// is deleted, Istio is fully uninstalled via the Sail Library. +func testGatewayAPIIstioUninstallSailLibrary(t *testing.T) { + t.Log("Deleting the GatewayClass openshift-default...") + gwc := &gatewayapiv1.GatewayClass{} + gwc.Name = "openshift-default" + if err := kclient.Delete(context.Background(), gwc); err != nil { + t.Fatalf("failed to delete GatewayClass: %v", err) + } + t.Log("Waiting for Istiod deployment to be removed...") + if err := assertIstiodControlPlaneRemoved(t); err != nil { + t.Fatalf("Istiod was not removed: %v", err) + } + t.Log("Verifying GatewayClass is deleted...") + if err := assertGatewayClassDeleted(t, "openshift-default"); err != nil { + t.Fatalf("GatewayClass was not deleted: %v", err) + } + t.Log("Verifying Istio CRDs still exist after uninstall...") + if err := assertIstioCRDs(t); err != nil { + t.Fatalf("Istio CRDs should persist after uninstall: %v", err) + } +} + // testGatewayAPIObjects tests that Gateway API objects can be created successfully. func testGatewayAPIObjects(t *testing.T) { // Create a test namespace that cleans itself up and sets up its own service account and role binding. diff --git a/test/e2e/util_gatewayapi_test.go b/test/e2e/util_gatewayapi_test.go index c572891dd2..eb5918c6b3 100644 --- a/test/e2e/util_gatewayapi_test.go +++ b/test/e2e/util_gatewayapi_test.go @@ -30,6 +30,7 @@ import ( rbacv1 "k8s.io/api/rbac/v1" apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" kerrors "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/api/meta" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/types" "k8s.io/apimachinery/pkg/util/wait" @@ -467,6 +468,28 @@ func assertSubscription(t *testing.T, namespace, subName string) error { return err } +// assertNoSubscription verifies that no Subscription exists with the given name +// and returns an error if one is found. +func assertNoSubscription(t *testing.T, namespace, subName string) error { + t.Helper() + subscription := &operatorsv1alpha1.Subscription{} + nsName := types.NamespacedName{Namespace: namespace, Name: subName} + + err := wait.PollUntilContextTimeout(context.Background(), 1*time.Second, 30*time.Second, false, func(context context.Context) (bool, error) { + if err := kclient.Get(context, nsName, subscription); err != nil { + if kerrors.IsNotFound(err) { + t.Logf("verified that subscription %s does not exist (as expected)", subName) + return true, nil + } + t.Logf("failed to get subscription %s, retrying...", subName) + return false, nil + } + t.Logf("found subscription %s at installed version %s, but it should not exist", subscription.Name, subscription.Status.InstalledCSV) + return false, fmt.Errorf("subscription %s should not exist in Sail Library mode", subName) + }) + return err +} + // deleteExistingSubscription deletes if the subscription of the given name exists and returns an error if not. func deleteExistingSubscription(t *testing.T, namespace, subName string) error { t.Helper() @@ -584,6 +607,65 @@ func assertIstiodControlPlane(t *testing.T) error { return nil } +// assertIstioCRDs validates that all required Istio CRDs are installed and owned by CIO. +// It checks that each CRD exists and has the CIO ownership label. +func assertIstioCRDs(t *testing.T) error { + t.Helper() + const cioOwnershipLabel = "ingress.operator.openshift.io/owned" + + for _, crdName := range istioCRDNames { + _, err := assertCRDExists(t, crdName) + if err != nil { + return fmt.Errorf("failed to find istio crd %s: %w", crdName, err) + } + + // Wait for CIO ownership label + crd := &apiextensionsv1.CustomResourceDefinition{} + name := types.NamespacedName{Name: crdName} + if err := wait.PollUntilContextTimeout(context.Background(), 2*time.Second, 1*time.Minute, false, func(ctx context.Context) (bool, error) { + if err := kclient.Get(ctx, name, crd); err != nil { + t.Logf("failed to get crd %s: %v", name, err) + return false, nil + } + labels := crd.GetLabels() + if labels == nil || labels[cioOwnershipLabel] != "true" { + t.Logf("istio crd %s is missing CIO ownership label %s...retrying", crdName, cioOwnershipLabel) + return false, nil + } + return true, nil + }); err != nil { + return fmt.Errorf("timed out waiting for CIO ownership label on CRD %s: %w", crdName, err) + } + t.Logf("Verified Istio CRD %s has CIO ownership label", crdName) + } + return nil +} + +// assertIstiodControlPlaneRemoved checks if the Istiod control plane has been successfully removed +// and returns an error if not. +func assertIstiodControlPlaneRemoved(t *testing.T) error { + t.Helper() + dep := &appsv1.Deployment{} + ns := types.NamespacedName{Namespace: operatorcontroller.DefaultOperandNamespace, Name: openshiftIstiodDeploymentName} + + err := wait.PollUntilContextTimeout(context.Background(), 2*time.Second, 2*time.Minute, false, func(context context.Context) (bool, error) { + if err := kclient.Get(context, ns, dep); err != nil { + if kerrors.IsNotFound(err) { + t.Logf("verified that istiod deployment %v has been removed", ns) + return true, nil + } + t.Logf("failed to get deployment %v, retrying...", ns) + return false, nil + } + t.Logf("istiod deployment %v still exists, waiting for removal...", ns) + return false, nil + }) + if err != nil { + return fmt.Errorf("error waiting for deployment %v to be removed: %v", ns, err) + } + return nil +} + // assertGatewayClassSuccessful checks if the gateway class was created and accepted successfully // and returns an error if not. func assertGatewayClassSuccessful(t *testing.T, name string) (*gatewayapiv1.GatewayClass, error) { @@ -660,7 +742,7 @@ func assertGatewaySuccessful(t *testing.T, namespace, name string) (*gatewayapiv if acceptedConditionFound && programmedConditionFound { return true, nil } - t.Logf("[%s] Not all expected gateway conditions are found, checking gateway service...", time.Now().Format(time.DateTime)) + t.Logf("[%s] Not all expected gateway conditions are found (Accepted=%v, Programmed=%v), checking gateway service...", time.Now().Format(time.DateTime), acceptedConditionFound, programmedConditionFound) // The creation of the gateway service may be delayed. // Check the current status of the service to see where we are. @@ -1029,6 +1111,32 @@ func assertIstio(t *testing.T) error { return err } +// assertNoIstio verifies that no Istio CR exists +// and returns an error if one is found. +func assertNoIstio(t *testing.T) error { + t.Helper() + istio := &sailv1.Istio{} + nsName := types.NamespacedName{Namespace: operatorcontroller.DefaultOperandNamespace, Name: openshiftIstioName} + + err := wait.PollUntilContextTimeout(context.Background(), 1*time.Second, 30*time.Second, false, func(context context.Context) (bool, error) { + if err := kclient.Get(context, nsName, istio); err != nil { + if kerrors.IsNotFound(err) { + t.Logf("Verified that Istio %s/%s does not exist (as expected)", nsName.Namespace, nsName.Name) + return true, nil + } + if meta.IsNoMatchError(err) { + t.Logf("Verified that Istio CRD does not exist (Sail Library mode)") + return true, nil + } + t.Logf("Got unexpected error when checking for Istio %s/%s: %v. Retrying...", nsName.Namespace, nsName.Name, err) + return false, nil + } + t.Logf("Found Istio %s/%s, but it should not exist", istio.Namespace, istio.Name) + return false, fmt.Errorf("Istio %s/%s should not exist in Sail Library mode", istio.Namespace, istio.Name) + }) + return err +} + // deleteExistingIstio deletes if the Istio exists and returns an error if not. func deleteExistingIstio(t *testing.T) error { t.Helper() @@ -1076,6 +1184,91 @@ func deleteExistingIstio(t *testing.T) error { return nil } +// assertGatewayClassFinalizer verifies that the GatewayClass has the expected +// sail library finalizer and returns an error if not. +func assertGatewayClassFinalizer(t *testing.T, name string) error { + t.Helper() + gwc := &gatewayapiv1.GatewayClass{} + nsName := types.NamespacedName{Namespace: "", Name: name} + expectedFinalizer := "openshift.io/ingress-operator-sail-finalizer" + + err := wait.PollUntilContextTimeout(context.Background(), 1*time.Second, 30*time.Second, false, func(context context.Context) (bool, error) { + if err := kclient.Get(context, nsName, gwc); err != nil { + t.Logf("Failed to get GatewayClass %s: %v; retrying...", name, err) + return false, nil + } + for _, finalizer := range gwc.Finalizers { + if finalizer == expectedFinalizer { + t.Logf("Verified that GatewayClass %s has finalizer %s", name, expectedFinalizer) + return true, nil + } + } + t.Logf("GatewayClass %s does not have expected finalizer %s; retrying...", name, expectedFinalizer) + return false, nil + }) + if err != nil { + return fmt.Errorf("GatewayClass %s does not have expected finalizer %s", name, expectedFinalizer) + } + return nil +} + +// assertGatewayClassConditions verifies that the GatewayClass has the expected +// ControllerInstalled and CRDsReady conditions and returns an error if not. +func assertGatewayClassConditions(t *testing.T, name string) error { + t.Helper() + gwc := &gatewayapiv1.GatewayClass{} + nsName := types.NamespacedName{Namespace: "", Name: name} + + err := wait.PollUntilContextTimeout(context.Background(), 1*time.Second, 2*time.Minute, false, func(context context.Context) (bool, error) { + if err := kclient.Get(context, nsName, gwc); err != nil { + t.Logf("Failed to get GatewayClass %s: %v; retrying...", name, err) + return false, nil + } + + controllerInstalledFound := meta.IsStatusConditionTrue(gwc.Status.Conditions, "ControllerInstalled") + crdsReadyFound := meta.IsStatusConditionTrue(gwc.Status.Conditions, "CRDsReady") + if controllerInstalledFound && crdsReadyFound { + t.Logf("Verified that GatewayClass %s has required conditions (ControllerInstalled: %v, CRDsReady: %v)", + name, controllerInstalledFound, crdsReadyFound) + return true, nil + } + + t.Logf("GatewayClass %s does not yet have all required conditions (ControllerInstalled: %v, CRDsReady: %v); retrying...", + name, controllerInstalledFound, crdsReadyFound) + return false, nil + }) + if err != nil { + t.Logf("Last observed GatewayClass:\n%s", util.ToYaml(gwc)) + return fmt.Errorf("GatewayClass %s does not have expected conditions", name) + } + return nil +} + +// assertGatewayClassDeleted verifies that the GatewayClass has been deleted. +func assertGatewayClassDeleted(t *testing.T, name string) error { + t.Helper() + gwc := &gatewayapiv1.GatewayClass{} + nsName := types.NamespacedName{Namespace: "", Name: name} + + err := wait.PollUntilContextTimeout(context.Background(), 1*time.Second, 1*time.Minute, false, func(ctx context.Context) (bool, error) { + if err := kclient.Get(ctx, nsName, gwc); err != nil { + if kerrors.IsNotFound(err) { + t.Logf("Verified that GatewayClass %s has been deleted", name) + return true, nil + } + t.Logf("Error checking for GatewayClass: %v, retrying...", err) + return false, nil + } + t.Logf("GatewayClass %s still exists (DeletionTimestamp: %v, Finalizers: %v), waiting for deletion...", + gwc.Name, gwc.DeletionTimestamp, gwc.Finalizers) + return false, nil + }) + if err != nil { + return fmt.Errorf("GatewayClass %s was not deleted within timeout", name) + } + return nil +} + // assertDNSRecord checks to make sure a DNSRecord exists in a ready state, // and returns an error if not. func assertDNSRecord(t *testing.T, recordName types.NamespacedName) error { diff --git a/vendor/dario.cat/mergo/.deepsource.toml b/vendor/dario.cat/mergo/.deepsource.toml new file mode 100644 index 0000000000..a8bc979e02 --- /dev/null +++ b/vendor/dario.cat/mergo/.deepsource.toml @@ -0,0 +1,12 @@ +version = 1 + +test_patterns = [ + "*_test.go" +] + +[[analyzers]] +name = "go" +enabled = true + + [analyzers.meta] + import_path = "dario.cat/mergo" \ No newline at end of file diff --git a/vendor/dario.cat/mergo/.gitignore b/vendor/dario.cat/mergo/.gitignore new file mode 100644 index 0000000000..45ad0f1ae3 --- /dev/null +++ b/vendor/dario.cat/mergo/.gitignore @@ -0,0 +1,36 @@ +#### joe made this: http://goel.io/joe + +#### go #### +# Binaries for programs and plugins +*.exe +*.dll +*.so +*.dylib + +# Test binary, build with `go test -c` +*.test + +# Output of the go coverage tool, specifically when used with LiteIDE +*.out + +# Golang/Intellij +.idea + +# Project-local glide cache, RE: https://github.com/Masterminds/glide/issues/736 +.glide/ + +#### vim #### +# Swap +[._]*.s[a-v][a-z] +[._]*.sw[a-p] +[._]s[a-v][a-z] +[._]sw[a-p] + +# Session +Session.vim + +# Temporary +.netrwhist +*~ +# Auto-generated tag files +tags diff --git a/vendor/dario.cat/mergo/.travis.yml b/vendor/dario.cat/mergo/.travis.yml new file mode 100644 index 0000000000..d324c43ba4 --- /dev/null +++ b/vendor/dario.cat/mergo/.travis.yml @@ -0,0 +1,12 @@ +language: go +arch: + - amd64 + - ppc64le +install: + - go get -t + - go get golang.org/x/tools/cmd/cover + - go get github.com/mattn/goveralls +script: + - go test -race -v ./... +after_script: + - $HOME/gopath/bin/goveralls -service=travis-ci -repotoken $COVERALLS_TOKEN diff --git a/vendor/dario.cat/mergo/CODE_OF_CONDUCT.md b/vendor/dario.cat/mergo/CODE_OF_CONDUCT.md new file mode 100644 index 0000000000..469b44907a --- /dev/null +++ b/vendor/dario.cat/mergo/CODE_OF_CONDUCT.md @@ -0,0 +1,46 @@ +# Contributor Covenant Code of Conduct + +## Our Pledge + +In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience, nationality, personal appearance, race, religion, or sexual identity and orientation. + +## Our Standards + +Examples of behavior that contributes to creating a positive environment include: + +* Using welcoming and inclusive language +* Being respectful of differing viewpoints and experiences +* Gracefully accepting constructive criticism +* Focusing on what is best for the community +* Showing empathy towards other community members + +Examples of unacceptable behavior by participants include: + +* The use of sexualized language or imagery and unwelcome sexual attention or advances +* Trolling, insulting/derogatory comments, and personal or political attacks +* Public or private harassment +* Publishing others' private information, such as a physical or electronic address, without explicit permission +* Other conduct which could reasonably be considered inappropriate in a professional setting + +## Our Responsibilities + +Project maintainers are responsible for clarifying the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior. + +Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors that they deem inappropriate, threatening, offensive, or harmful. + +## Scope + +This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or its community. Examples of representing a project or community include using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event. Representation of a project may be further defined and clarified by project maintainers. + +## Enforcement + +Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at i@dario.im. The project team will review and investigate all complaints, and will respond in a way that it deems appropriate to the circumstances. The project team is obligated to maintain confidentiality with regard to the reporter of an incident. Further details of specific enforcement policies may be posted separately. + +Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership. + +## Attribution + +This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, available at [http://contributor-covenant.org/version/1/4][version] + +[homepage]: http://contributor-covenant.org +[version]: http://contributor-covenant.org/version/1/4/ diff --git a/vendor/dario.cat/mergo/CONTRIBUTING.md b/vendor/dario.cat/mergo/CONTRIBUTING.md new file mode 100644 index 0000000000..0a1ff9f94d --- /dev/null +++ b/vendor/dario.cat/mergo/CONTRIBUTING.md @@ -0,0 +1,112 @@ + +# Contributing to mergo + +First off, thanks for taking the time to contribute! â¤ï¸ + +All types of contributions are encouraged and valued. See the [Table of Contents](#table-of-contents) for different ways to help and details about how this project handles them. Please make sure to read the relevant section before making your contribution. It will make it a lot easier for us maintainers and smooth out the experience for all involved. The community looks forward to your contributions. 🎉 + +> And if you like the project, but just don't have time to contribute, that's fine. There are other easy ways to support the project and show your appreciation, which we would also be very happy about: +> - Star the project +> - Tweet about it +> - Refer this project in your project's readme +> - Mention the project at local meetups and tell your friends/colleagues + + +## Table of Contents + +- [Code of Conduct](#code-of-conduct) +- [I Have a Question](#i-have-a-question) +- [I Want To Contribute](#i-want-to-contribute) +- [Reporting Bugs](#reporting-bugs) +- [Suggesting Enhancements](#suggesting-enhancements) + +## Code of Conduct + +This project and everyone participating in it is governed by the +[mergo Code of Conduct](https://github.com/imdario/mergoblob/master/CODE_OF_CONDUCT.md). +By participating, you are expected to uphold this code. Please report unacceptable behavior +to <>. + + +## I Have a Question + +> If you want to ask a question, we assume that you have read the available [Documentation](https://pkg.go.dev/github.com/imdario/mergo). + +Before you ask a question, it is best to search for existing [Issues](https://github.com/imdario/mergo/issues) that might help you. In case you have found a suitable issue and still need clarification, you can write your question in this issue. It is also advisable to search the internet for answers first. + +If you then still feel the need to ask a question and need clarification, we recommend the following: + +- Open an [Issue](https://github.com/imdario/mergo/issues/new). +- Provide as much context as you can about what you're running into. +- Provide project and platform versions (nodejs, npm, etc), depending on what seems relevant. + +We will then take care of the issue as soon as possible. + +## I Want To Contribute + +> ### Legal Notice +> When contributing to this project, you must agree that you have authored 100% of the content, that you have the necessary rights to the content and that the content you contribute may be provided under the project license. + +### Reporting Bugs + + +#### Before Submitting a Bug Report + +A good bug report shouldn't leave others needing to chase you up for more information. Therefore, we ask you to investigate carefully, collect information and describe the issue in detail in your report. Please complete the following steps in advance to help us fix any potential bug as fast as possible. + +- Make sure that you are using the latest version. +- Determine if your bug is really a bug and not an error on your side e.g. using incompatible environment components/versions (Make sure that you have read the [documentation](). If you are looking for support, you might want to check [this section](#i-have-a-question)). +- To see if other users have experienced (and potentially already solved) the same issue you are having, check if there is not already a bug report existing for your bug or error in the [bug tracker](https://github.com/imdario/mergoissues?q=label%3Abug). +- Also make sure to search the internet (including Stack Overflow) to see if users outside of the GitHub community have discussed the issue. +- Collect information about the bug: +- Stack trace (Traceback) +- OS, Platform and Version (Windows, Linux, macOS, x86, ARM) +- Version of the interpreter, compiler, SDK, runtime environment, package manager, depending on what seems relevant. +- Possibly your input and the output +- Can you reliably reproduce the issue? And can you also reproduce it with older versions? + + +#### How Do I Submit a Good Bug Report? + +> You must never report security related issues, vulnerabilities or bugs including sensitive information to the issue tracker, or elsewhere in public. Instead sensitive bugs must be sent by email to . + + +We use GitHub issues to track bugs and errors. If you run into an issue with the project: + +- Open an [Issue](https://github.com/imdario/mergo/issues/new). (Since we can't be sure at this point whether it is a bug or not, we ask you not to talk about a bug yet and not to label the issue.) +- Explain the behavior you would expect and the actual behavior. +- Please provide as much context as possible and describe the *reproduction steps* that someone else can follow to recreate the issue on their own. This usually includes your code. For good bug reports you should isolate the problem and create a reduced test case. +- Provide the information you collected in the previous section. + +Once it's filed: + +- The project team will label the issue accordingly. +- A team member will try to reproduce the issue with your provided steps. If there are no reproduction steps or no obvious way to reproduce the issue, the team will ask you for those steps and mark the issue as `needs-repro`. Bugs with the `needs-repro` tag will not be addressed until they are reproduced. +- If the team is able to reproduce the issue, it will be marked `needs-fix`, as well as possibly other tags (such as `critical`), and the issue will be left to be implemented by someone. + +### Suggesting Enhancements + +This section guides you through submitting an enhancement suggestion for mergo, **including completely new features and minor improvements to existing functionality**. Following these guidelines will help maintainers and the community to understand your suggestion and find related suggestions. + + +#### Before Submitting an Enhancement + +- Make sure that you are using the latest version. +- Read the [documentation]() carefully and find out if the functionality is already covered, maybe by an individual configuration. +- Perform a [search](https://github.com/imdario/mergo/issues) to see if the enhancement has already been suggested. If it has, add a comment to the existing issue instead of opening a new one. +- Find out whether your idea fits with the scope and aims of the project. It's up to you to make a strong case to convince the project's developers of the merits of this feature. Keep in mind that we want features that will be useful to the majority of our users and not just a small subset. If you're just targeting a minority of users, consider writing an add-on/plugin library. + + +#### How Do I Submit a Good Enhancement Suggestion? + +Enhancement suggestions are tracked as [GitHub issues](https://github.com/imdario/mergo/issues). + +- Use a **clear and descriptive title** for the issue to identify the suggestion. +- Provide a **step-by-step description of the suggested enhancement** in as many details as possible. +- **Describe the current behavior** and **explain which behavior you expected to see instead** and why. At this point you can also tell which alternatives do not work for you. +- You may want to **include screenshots and animated GIFs** which help you demonstrate the steps or point out the part which the suggestion is related to. You can use [this tool](https://www.cockos.com/licecap/) to record GIFs on macOS and Windows, and [this tool](https://github.com/colinkeenan/silentcast) or [this tool](https://github.com/GNOME/byzanz) on Linux. +- **Explain why this enhancement would be useful** to most mergo users. You may also want to point out the other projects that solved it better and which could serve as inspiration. + + +## Attribution +This guide is based on the **contributing-gen**. [Make your own](https://github.com/bttger/contributing-gen)! diff --git a/vendor/dario.cat/mergo/FUNDING.json b/vendor/dario.cat/mergo/FUNDING.json new file mode 100644 index 0000000000..0585e1fe13 --- /dev/null +++ b/vendor/dario.cat/mergo/FUNDING.json @@ -0,0 +1,7 @@ +{ + "drips": { + "ethereum": { + "ownedBy": "0x6160020e7102237aC41bdb156e94401692D76930" + } + } +} diff --git a/vendor/dario.cat/mergo/LICENSE b/vendor/dario.cat/mergo/LICENSE new file mode 100644 index 0000000000..686680298d --- /dev/null +++ b/vendor/dario.cat/mergo/LICENSE @@ -0,0 +1,28 @@ +Copyright (c) 2013 Dario Castañé. All rights reserved. +Copyright (c) 2012 The Go Authors. All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are +met: + + * Redistributions of source code must retain the above copyright +notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above +copyright notice, this list of conditions and the following disclaimer +in the documentation and/or other materials provided with the +distribution. + * Neither the name of Google Inc. nor the names of its +contributors may be used to endorse or promote products derived from +this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. diff --git a/vendor/dario.cat/mergo/README.md b/vendor/dario.cat/mergo/README.md new file mode 100644 index 0000000000..0e4a59afd9 --- /dev/null +++ b/vendor/dario.cat/mergo/README.md @@ -0,0 +1,253 @@ +# Mergo + +[![GitHub release][5]][6] +[![GoCard][7]][8] +[![Test status][1]][2] +[![OpenSSF Scorecard][21]][22] +[![OpenSSF Best Practices][19]][20] +[![Coverage status][9]][10] +[![Sourcegraph][11]][12] +[![FOSSA status][13]][14] + +[![GoDoc][3]][4] +[![Become my sponsor][15]][16] +[![Tidelift][17]][18] + +[1]: https://github.com/imdario/mergo/workflows/tests/badge.svg?branch=master +[2]: https://github.com/imdario/mergo/actions/workflows/tests.yml +[3]: https://godoc.org/github.com/imdario/mergo?status.svg +[4]: https://godoc.org/github.com/imdario/mergo +[5]: https://img.shields.io/github/release/imdario/mergo.svg +[6]: https://github.com/imdario/mergo/releases +[7]: https://goreportcard.com/badge/imdario/mergo +[8]: https://goreportcard.com/report/github.com/imdario/mergo +[9]: https://coveralls.io/repos/github/imdario/mergo/badge.svg?branch=master +[10]: https://coveralls.io/github/imdario/mergo?branch=master +[11]: https://sourcegraph.com/github.com/imdario/mergo/-/badge.svg +[12]: https://sourcegraph.com/github.com/imdario/mergo?badge +[13]: https://app.fossa.io/api/projects/git%2Bgithub.com%2Fimdario%2Fmergo.svg?type=shield +[14]: https://app.fossa.io/projects/git%2Bgithub.com%2Fimdario%2Fmergo?ref=badge_shield +[15]: https://img.shields.io/github/sponsors/imdario +[16]: https://github.com/sponsors/imdario +[17]: https://tidelift.com/badges/package/go/github.com%2Fimdario%2Fmergo +[18]: https://tidelift.com/subscription/pkg/go-github.com-imdario-mergo +[19]: https://bestpractices.coreinfrastructure.org/projects/7177/badge +[20]: https://bestpractices.coreinfrastructure.org/projects/7177 +[21]: https://api.securityscorecards.dev/projects/github.com/imdario/mergo/badge +[22]: https://api.securityscorecards.dev/projects/github.com/imdario/mergo + +A helper to merge structs and maps in Golang. Useful for configuration default values, avoiding messy if-statements. + +Mergo merges same-type structs and maps by setting default values in zero-value fields. Mergo won't merge unexported (private) fields. It will do recursively any exported one. It also won't merge structs inside maps (because they are not addressable using Go reflection). + +Also a lovely [comune](http://en.wikipedia.org/wiki/Mergo) (municipality) in the Province of Ancona in the Italian region of Marche. + +## Status + +Mergo is stable and frozen, ready for production. Check a short list of the projects using at large scale it [here](https://github.com/imdario/mergo#mergo-in-the-wild). + +No new features are accepted. They will be considered for a future v2 that improves the implementation and fixes bugs for corner cases. + +### Important notes + +#### 1.0.0 + +In [1.0.0](//github.com/imdario/mergo/releases/tag/1.0.0) Mergo moves to a vanity URL `dario.cat/mergo`. No more v1 versions will be released. + +If the vanity URL is causing issues in your project due to a dependency pulling Mergo - it isn't a direct dependency in your project - it is recommended to use [replace](https://github.com/golang/go/wiki/Modules#when-should-i-use-the-replace-directive) to pin the version to the last one with the old import URL: + +``` +replace github.com/imdario/mergo => github.com/imdario/mergo v0.3.16 +``` + +#### 0.3.9 + +Please keep in mind that a problematic PR broke [0.3.9](//github.com/imdario/mergo/releases/tag/0.3.9). I reverted it in [0.3.10](//github.com/imdario/mergo/releases/tag/0.3.10), and I consider it stable but not bug-free. Also, this version adds support for go modules. + +Keep in mind that in [0.3.2](//github.com/imdario/mergo/releases/tag/0.3.2), Mergo changed `Merge()`and `Map()` signatures to support [transformers](#transformers). I added an optional/variadic argument so that it won't break the existing code. + +If you were using Mergo before April 6th, 2015, please check your project works as intended after updating your local copy with ```go get -u dario.cat/mergo```. I apologize for any issue caused by its previous behavior and any future bug that Mergo could cause in existing projects after the change (release 0.2.0). + +### Donations + +If Mergo is useful to you, consider buying me a coffee, a beer, or making a monthly donation to allow me to keep building great free software. :heart_eyes: + +Donate using Liberapay +Become my sponsor + +### Mergo in the wild + +Mergo is used by [thousands](https://deps.dev/go/dario.cat%2Fmergo/v1.0.0/dependents) [of](https://deps.dev/go/github.com%2Fimdario%2Fmergo/v0.3.16/dependents) [projects](https://deps.dev/go/github.com%2Fimdario%2Fmergo/v0.3.12), including: + +* [containerd/containerd](https://github.com/containerd/containerd) +* [datadog/datadog-agent](https://github.com/datadog/datadog-agent) +* [docker/cli/](https://github.com/docker/cli/) +* [goreleaser/goreleaser](https://github.com/goreleaser/goreleaser) +* [go-micro/go-micro](https://github.com/go-micro/go-micro) +* [grafana/loki](https://github.com/grafana/loki) +* [masterminds/sprig](github.com/Masterminds/sprig) +* [moby/moby](https://github.com/moby/moby) +* [slackhq/nebula](https://github.com/slackhq/nebula) +* [volcano-sh/volcano](https://github.com/volcano-sh/volcano) + +## Install + + go get dario.cat/mergo + + // use in your .go code + import ( + "dario.cat/mergo" + ) + +## Usage + +You can only merge same-type structs with exported fields initialized as zero value of their type and same-types maps. Mergo won't merge unexported (private) fields but will do recursively any exported one. It won't merge empty structs value as [they are zero values](https://golang.org/ref/spec#The_zero_value) too. Also, maps will be merged recursively except for structs inside maps (because they are not addressable using Go reflection). + +```go +if err := mergo.Merge(&dst, src); err != nil { + // ... +} +``` + +Also, you can merge overwriting values using the transformer `WithOverride`. + +```go +if err := mergo.Merge(&dst, src, mergo.WithOverride); err != nil { + // ... +} +``` + +If you need to override pointers, so the source pointer's value is assigned to the destination's pointer, you must use `WithoutDereference`: + +```go +package main + +import ( + "fmt" + + "dario.cat/mergo" +) + +type Foo struct { + A *string + B int64 +} + +func main() { + first := "first" + second := "second" + src := Foo{ + A: &first, + B: 2, + } + + dest := Foo{ + A: &second, + B: 1, + } + + mergo.Merge(&dest, src, mergo.WithOverride, mergo.WithoutDereference) +} +``` + +Additionally, you can map a `map[string]interface{}` to a struct (and otherwise, from struct to map), following the same restrictions as in `Merge()`. Keys are capitalized to find each corresponding exported field. + +```go +if err := mergo.Map(&dst, srcMap); err != nil { + // ... +} +``` + +Warning: if you map a struct to map, it won't do it recursively. Don't expect Mergo to map struct members of your struct as `map[string]interface{}`. They will be just assigned as values. + +Here is a nice example: + +```go +package main + +import ( + "fmt" + "dario.cat/mergo" +) + +type Foo struct { + A string + B int64 +} + +func main() { + src := Foo{ + A: "one", + B: 2, + } + dest := Foo{ + A: "two", + } + mergo.Merge(&dest, src) + fmt.Println(dest) + // Will print + // {two 2} +} +``` + +### Transformers + +Transformers allow to merge specific types differently than in the default behavior. In other words, now you can customize how some types are merged. For example, `time.Time` is a struct; it doesn't have zero value but IsZero can return true because it has fields with zero value. How can we merge a non-zero `time.Time`? + +```go +package main + +import ( + "fmt" + "dario.cat/mergo" + "reflect" + "time" +) + +type timeTransformer struct { +} + +func (t timeTransformer) Transformer(typ reflect.Type) func(dst, src reflect.Value) error { + if typ == reflect.TypeOf(time.Time{}) { + return func(dst, src reflect.Value) error { + if dst.CanSet() { + isZero := dst.MethodByName("IsZero") + result := isZero.Call([]reflect.Value{}) + if result[0].Bool() { + dst.Set(src) + } + } + return nil + } + } + return nil +} + +type Snapshot struct { + Time time.Time + // ... +} + +func main() { + src := Snapshot{time.Now()} + dest := Snapshot{} + mergo.Merge(&dest, src, mergo.WithTransformers(timeTransformer{})) + fmt.Println(dest) + // Will print + // { 2018-01-12 01:15:00 +0000 UTC m=+0.000000001 } +} +``` + +## Contact me + +If I can help you, you have an idea or you are using Mergo in your projects, don't hesitate to drop me a line (or a pull request): [@im_dario](https://twitter.com/im_dario) + +## About + +Written by [Dario Castañé](http://dario.im). + +## License + +[BSD 3-Clause](http://opensource.org/licenses/BSD-3-Clause) license, as [Go language](http://golang.org/LICENSE). + +[![FOSSA Status](https://app.fossa.io/api/projects/git%2Bgithub.com%2Fimdario%2Fmergo.svg?type=large)](https://app.fossa.io/projects/git%2Bgithub.com%2Fimdario%2Fmergo?ref=badge_large) diff --git a/vendor/dario.cat/mergo/SECURITY.md b/vendor/dario.cat/mergo/SECURITY.md new file mode 100644 index 0000000000..3788fcc1c2 --- /dev/null +++ b/vendor/dario.cat/mergo/SECURITY.md @@ -0,0 +1,14 @@ +# Security Policy + +## Supported Versions + +| Version | Supported | +| ------- | ------------------ | +| 1.x.x | :white_check_mark: | +| < 1.0 | :x: | + +## Security contact information + +To report a security vulnerability, please use the +[Tidelift security contact](https://tidelift.com/security). +Tidelift will coordinate the fix and disclosure. diff --git a/vendor/dario.cat/mergo/doc.go b/vendor/dario.cat/mergo/doc.go new file mode 100644 index 0000000000..7d96ec0546 --- /dev/null +++ b/vendor/dario.cat/mergo/doc.go @@ -0,0 +1,148 @@ +// Copyright 2013 Dario Castañé. All rights reserved. +// Copyright 2009 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +/* +A helper to merge structs and maps in Golang. Useful for configuration default values, avoiding messy if-statements. + +Mergo merges same-type structs and maps by setting default values in zero-value fields. Mergo won't merge unexported (private) fields. It will do recursively any exported one. It also won't merge structs inside maps (because they are not addressable using Go reflection). + +# Status + +It is ready for production use. It is used in several projects by Docker, Google, The Linux Foundation, VMWare, Shopify, etc. + +# Important notes + +1.0.0 + +In 1.0.0 Mergo moves to a vanity URL `dario.cat/mergo`. + +0.3.9 + +Please keep in mind that a problematic PR broke 0.3.9. We reverted it in 0.3.10. We consider 0.3.10 as stable but not bug-free. . Also, this version adds suppot for go modules. + +Keep in mind that in 0.3.2, Mergo changed Merge() and Map() signatures to support transformers. We added an optional/variadic argument so that it won't break the existing code. + +If you were using Mergo before April 6th, 2015, please check your project works as intended after updating your local copy with go get -u dario.cat/mergo. I apologize for any issue caused by its previous behavior and any future bug that Mergo could cause in existing projects after the change (release 0.2.0). + +# Install + +Do your usual installation procedure: + + go get dario.cat/mergo + + // use in your .go code + import ( + "dario.cat/mergo" + ) + +# Usage + +You can only merge same-type structs with exported fields initialized as zero value of their type and same-types maps. Mergo won't merge unexported (private) fields but will do recursively any exported one. It won't merge empty structs value as they are zero values too. Also, maps will be merged recursively except for structs inside maps (because they are not addressable using Go reflection). + + if err := mergo.Merge(&dst, src); err != nil { + // ... + } + +Also, you can merge overwriting values using the transformer WithOverride. + + if err := mergo.Merge(&dst, src, mergo.WithOverride); err != nil { + // ... + } + +Additionally, you can map a map[string]interface{} to a struct (and otherwise, from struct to map), following the same restrictions as in Merge(). Keys are capitalized to find each corresponding exported field. + + if err := mergo.Map(&dst, srcMap); err != nil { + // ... + } + +Warning: if you map a struct to map, it won't do it recursively. Don't expect Mergo to map struct members of your struct as map[string]interface{}. They will be just assigned as values. + +Here is a nice example: + + package main + + import ( + "fmt" + "dario.cat/mergo" + ) + + type Foo struct { + A string + B int64 + } + + func main() { + src := Foo{ + A: "one", + B: 2, + } + dest := Foo{ + A: "two", + } + mergo.Merge(&dest, src) + fmt.Println(dest) + // Will print + // {two 2} + } + +# Transformers + +Transformers allow to merge specific types differently than in the default behavior. In other words, now you can customize how some types are merged. For example, time.Time is a struct; it doesn't have zero value but IsZero can return true because it has fields with zero value. How can we merge a non-zero time.Time? + + package main + + import ( + "fmt" + "dario.cat/mergo" + "reflect" + "time" + ) + + type timeTransformer struct { + } + + func (t timeTransformer) Transformer(typ reflect.Type) func(dst, src reflect.Value) error { + if typ == reflect.TypeOf(time.Time{}) { + return func(dst, src reflect.Value) error { + if dst.CanSet() { + isZero := dst.MethodByName("IsZero") + result := isZero.Call([]reflect.Value{}) + if result[0].Bool() { + dst.Set(src) + } + } + return nil + } + } + return nil + } + + type Snapshot struct { + Time time.Time + // ... + } + + func main() { + src := Snapshot{time.Now()} + dest := Snapshot{} + mergo.Merge(&dest, src, mergo.WithTransformers(timeTransformer{})) + fmt.Println(dest) + // Will print + // { 2018-01-12 01:15:00 +0000 UTC m=+0.000000001 } + } + +# Contact me + +If I can help you, you have an idea or you are using Mergo in your projects, don't hesitate to drop me a line (or a pull request): https://twitter.com/im_dario + +# About + +Written by Dario Castañé: https://da.rio.hn + +# License + +BSD 3-Clause license, as Go language. +*/ +package mergo diff --git a/vendor/dario.cat/mergo/map.go b/vendor/dario.cat/mergo/map.go new file mode 100644 index 0000000000..759b4f74fd --- /dev/null +++ b/vendor/dario.cat/mergo/map.go @@ -0,0 +1,178 @@ +// Copyright 2014 Dario Castañé. All rights reserved. +// Copyright 2009 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +// Based on src/pkg/reflect/deepequal.go from official +// golang's stdlib. + +package mergo + +import ( + "fmt" + "reflect" + "unicode" + "unicode/utf8" +) + +func changeInitialCase(s string, mapper func(rune) rune) string { + if s == "" { + return s + } + r, n := utf8.DecodeRuneInString(s) + return string(mapper(r)) + s[n:] +} + +func isExported(field reflect.StructField) bool { + r, _ := utf8.DecodeRuneInString(field.Name) + return r >= 'A' && r <= 'Z' +} + +// Traverses recursively both values, assigning src's fields values to dst. +// The map argument tracks comparisons that have already been seen, which allows +// short circuiting on recursive types. +func deepMap(dst, src reflect.Value, visited map[uintptr]*visit, depth int, config *Config) (err error) { + overwrite := config.Overwrite + if dst.CanAddr() { + addr := dst.UnsafeAddr() + h := 17 * addr + seen := visited[h] + typ := dst.Type() + for p := seen; p != nil; p = p.next { + if p.ptr == addr && p.typ == typ { + return nil + } + } + // Remember, remember... + visited[h] = &visit{typ, seen, addr} + } + zeroValue := reflect.Value{} + switch dst.Kind() { + case reflect.Map: + dstMap := dst.Interface().(map[string]interface{}) + for i, n := 0, src.NumField(); i < n; i++ { + srcType := src.Type() + field := srcType.Field(i) + if !isExported(field) { + continue + } + fieldName := field.Name + fieldName = changeInitialCase(fieldName, unicode.ToLower) + if _, ok := dstMap[fieldName]; !ok || (!isEmptyValue(reflect.ValueOf(src.Field(i).Interface()), !config.ShouldNotDereference) && overwrite) || config.overwriteWithEmptyValue { + dstMap[fieldName] = src.Field(i).Interface() + } + } + case reflect.Ptr: + if dst.IsNil() { + v := reflect.New(dst.Type().Elem()) + dst.Set(v) + } + dst = dst.Elem() + fallthrough + case reflect.Struct: + srcMap := src.Interface().(map[string]interface{}) + for key := range srcMap { + config.overwriteWithEmptyValue = true + srcValue := srcMap[key] + fieldName := changeInitialCase(key, unicode.ToUpper) + dstElement := dst.FieldByName(fieldName) + if dstElement == zeroValue { + // We discard it because the field doesn't exist. + continue + } + srcElement := reflect.ValueOf(srcValue) + dstKind := dstElement.Kind() + srcKind := srcElement.Kind() + if srcKind == reflect.Ptr && dstKind != reflect.Ptr { + srcElement = srcElement.Elem() + srcKind = reflect.TypeOf(srcElement.Interface()).Kind() + } else if dstKind == reflect.Ptr { + // Can this work? I guess it can't. + if srcKind != reflect.Ptr && srcElement.CanAddr() { + srcPtr := srcElement.Addr() + srcElement = reflect.ValueOf(srcPtr) + srcKind = reflect.Ptr + } + } + + if !srcElement.IsValid() { + continue + } + if srcKind == dstKind { + if err = deepMerge(dstElement, srcElement, visited, depth+1, config); err != nil { + return + } + } else if dstKind == reflect.Interface && dstElement.Kind() == reflect.Interface { + if err = deepMerge(dstElement, srcElement, visited, depth+1, config); err != nil { + return + } + } else if srcKind == reflect.Map { + if err = deepMap(dstElement, srcElement, visited, depth+1, config); err != nil { + return + } + } else { + return fmt.Errorf("type mismatch on %s field: found %v, expected %v", fieldName, srcKind, dstKind) + } + } + } + return +} + +// Map sets fields' values in dst from src. +// src can be a map with string keys or a struct. dst must be the opposite: +// if src is a map, dst must be a valid pointer to struct. If src is a struct, +// dst must be map[string]interface{}. +// It won't merge unexported (private) fields and will do recursively +// any exported field. +// If dst is a map, keys will be src fields' names in lower camel case. +// Missing key in src that doesn't match a field in dst will be skipped. This +// doesn't apply if dst is a map. +// This is separated method from Merge because it is cleaner and it keeps sane +// semantics: merging equal types, mapping different (restricted) types. +func Map(dst, src interface{}, opts ...func(*Config)) error { + return _map(dst, src, opts...) +} + +// MapWithOverwrite will do the same as Map except that non-empty dst attributes will be overridden by +// non-empty src attribute values. +// Deprecated: Use Map(…) with WithOverride +func MapWithOverwrite(dst, src interface{}, opts ...func(*Config)) error { + return _map(dst, src, append(opts, WithOverride)...) +} + +func _map(dst, src interface{}, opts ...func(*Config)) error { + if dst != nil && reflect.ValueOf(dst).Kind() != reflect.Ptr { + return ErrNonPointerArgument + } + var ( + vDst, vSrc reflect.Value + err error + ) + config := &Config{} + + for _, opt := range opts { + opt(config) + } + + if vDst, vSrc, err = resolveValues(dst, src); err != nil { + return err + } + // To be friction-less, we redirect equal-type arguments + // to deepMerge. Only because arguments can be anything. + if vSrc.Kind() == vDst.Kind() { + return deepMerge(vDst, vSrc, make(map[uintptr]*visit), 0, config) + } + switch vSrc.Kind() { + case reflect.Struct: + if vDst.Kind() != reflect.Map { + return ErrExpectedMapAsDestination + } + case reflect.Map: + if vDst.Kind() != reflect.Struct { + return ErrExpectedStructAsDestination + } + default: + return ErrNotSupported + } + return deepMap(vDst, vSrc, make(map[uintptr]*visit), 0, config) +} diff --git a/vendor/dario.cat/mergo/merge.go b/vendor/dario.cat/mergo/merge.go new file mode 100644 index 0000000000..fd47c95b2b --- /dev/null +++ b/vendor/dario.cat/mergo/merge.go @@ -0,0 +1,409 @@ +// Copyright 2013 Dario Castañé. All rights reserved. +// Copyright 2009 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +// Based on src/pkg/reflect/deepequal.go from official +// golang's stdlib. + +package mergo + +import ( + "fmt" + "reflect" +) + +func hasMergeableFields(dst reflect.Value) (exported bool) { + for i, n := 0, dst.NumField(); i < n; i++ { + field := dst.Type().Field(i) + if field.Anonymous && dst.Field(i).Kind() == reflect.Struct { + exported = exported || hasMergeableFields(dst.Field(i)) + } else if isExportedComponent(&field) { + exported = exported || len(field.PkgPath) == 0 + } + } + return +} + +func isExportedComponent(field *reflect.StructField) bool { + pkgPath := field.PkgPath + if len(pkgPath) > 0 { + return false + } + c := field.Name[0] + if 'a' <= c && c <= 'z' || c == '_' { + return false + } + return true +} + +type Config struct { + Transformers Transformers + Overwrite bool + ShouldNotDereference bool + AppendSlice bool + TypeCheck bool + overwriteWithEmptyValue bool + overwriteSliceWithEmptyValue bool + sliceDeepCopy bool + debug bool +} + +type Transformers interface { + Transformer(reflect.Type) func(dst, src reflect.Value) error +} + +// Traverses recursively both values, assigning src's fields values to dst. +// The map argument tracks comparisons that have already been seen, which allows +// short circuiting on recursive types. +func deepMerge(dst, src reflect.Value, visited map[uintptr]*visit, depth int, config *Config) (err error) { + overwrite := config.Overwrite + typeCheck := config.TypeCheck + overwriteWithEmptySrc := config.overwriteWithEmptyValue + overwriteSliceWithEmptySrc := config.overwriteSliceWithEmptyValue + sliceDeepCopy := config.sliceDeepCopy + + if !src.IsValid() { + return + } + if dst.CanAddr() { + addr := dst.UnsafeAddr() + h := 17 * addr + seen := visited[h] + typ := dst.Type() + for p := seen; p != nil; p = p.next { + if p.ptr == addr && p.typ == typ { + return nil + } + } + // Remember, remember... + visited[h] = &visit{typ, seen, addr} + } + + if config.Transformers != nil && !isReflectNil(dst) && dst.IsValid() { + if fn := config.Transformers.Transformer(dst.Type()); fn != nil { + err = fn(dst, src) + return + } + } + + switch dst.Kind() { + case reflect.Struct: + if hasMergeableFields(dst) { + for i, n := 0, dst.NumField(); i < n; i++ { + if err = deepMerge(dst.Field(i), src.Field(i), visited, depth+1, config); err != nil { + return + } + } + } else { + if dst.CanSet() && (isReflectNil(dst) || overwrite) && (!isEmptyValue(src, !config.ShouldNotDereference) || overwriteWithEmptySrc) { + dst.Set(src) + } + } + case reflect.Map: + if dst.IsNil() && !src.IsNil() { + if dst.CanSet() { + dst.Set(reflect.MakeMap(dst.Type())) + } else { + dst = src + return + } + } + + if src.Kind() != reflect.Map { + if overwrite && dst.CanSet() { + dst.Set(src) + } + return + } + + for _, key := range src.MapKeys() { + srcElement := src.MapIndex(key) + if !srcElement.IsValid() { + continue + } + dstElement := dst.MapIndex(key) + switch srcElement.Kind() { + case reflect.Chan, reflect.Func, reflect.Map, reflect.Interface, reflect.Slice: + if srcElement.IsNil() { + if overwrite { + dst.SetMapIndex(key, srcElement) + } + continue + } + fallthrough + default: + if !srcElement.CanInterface() { + continue + } + switch reflect.TypeOf(srcElement.Interface()).Kind() { + case reflect.Struct: + fallthrough + case reflect.Ptr: + fallthrough + case reflect.Map: + srcMapElm := srcElement + dstMapElm := dstElement + if srcMapElm.CanInterface() { + srcMapElm = reflect.ValueOf(srcMapElm.Interface()) + if dstMapElm.IsValid() { + dstMapElm = reflect.ValueOf(dstMapElm.Interface()) + } + } + if err = deepMerge(dstMapElm, srcMapElm, visited, depth+1, config); err != nil { + return + } + case reflect.Slice: + srcSlice := reflect.ValueOf(srcElement.Interface()) + + var dstSlice reflect.Value + if !dstElement.IsValid() || dstElement.IsNil() { + dstSlice = reflect.MakeSlice(srcSlice.Type(), 0, srcSlice.Len()) + } else { + dstSlice = reflect.ValueOf(dstElement.Interface()) + } + + if (!isEmptyValue(src, !config.ShouldNotDereference) || overwriteWithEmptySrc || overwriteSliceWithEmptySrc) && (overwrite || isEmptyValue(dst, !config.ShouldNotDereference)) && !config.AppendSlice && !sliceDeepCopy { + if typeCheck && srcSlice.Type() != dstSlice.Type() { + return fmt.Errorf("cannot override two slices with different type (%s, %s)", srcSlice.Type(), dstSlice.Type()) + } + dstSlice = srcSlice + } else if config.AppendSlice { + if srcSlice.Type() != dstSlice.Type() { + return fmt.Errorf("cannot append two slices with different type (%s, %s)", srcSlice.Type(), dstSlice.Type()) + } + dstSlice = reflect.AppendSlice(dstSlice, srcSlice) + } else if sliceDeepCopy { + i := 0 + for ; i < srcSlice.Len() && i < dstSlice.Len(); i++ { + srcElement := srcSlice.Index(i) + dstElement := dstSlice.Index(i) + + if srcElement.CanInterface() { + srcElement = reflect.ValueOf(srcElement.Interface()) + } + if dstElement.CanInterface() { + dstElement = reflect.ValueOf(dstElement.Interface()) + } + + if err = deepMerge(dstElement, srcElement, visited, depth+1, config); err != nil { + return + } + } + + } + dst.SetMapIndex(key, dstSlice) + } + } + + if dstElement.IsValid() && !isEmptyValue(dstElement, !config.ShouldNotDereference) { + if reflect.TypeOf(srcElement.Interface()).Kind() == reflect.Slice { + continue + } + if reflect.TypeOf(srcElement.Interface()).Kind() == reflect.Map && reflect.TypeOf(dstElement.Interface()).Kind() == reflect.Map { + continue + } + } + + if srcElement.IsValid() && ((srcElement.Kind() != reflect.Ptr && overwrite) || !dstElement.IsValid() || isEmptyValue(dstElement, !config.ShouldNotDereference)) { + if dst.IsNil() { + dst.Set(reflect.MakeMap(dst.Type())) + } + dst.SetMapIndex(key, srcElement) + } + } + + // Ensure that all keys in dst are deleted if they are not in src. + if overwriteWithEmptySrc { + for _, key := range dst.MapKeys() { + srcElement := src.MapIndex(key) + if !srcElement.IsValid() { + dst.SetMapIndex(key, reflect.Value{}) + } + } + } + case reflect.Slice: + if !dst.CanSet() { + break + } + if (!isEmptyValue(src, !config.ShouldNotDereference) || overwriteWithEmptySrc || overwriteSliceWithEmptySrc) && (overwrite || isEmptyValue(dst, !config.ShouldNotDereference)) && !config.AppendSlice && !sliceDeepCopy { + dst.Set(src) + } else if config.AppendSlice { + if src.Type() != dst.Type() { + return fmt.Errorf("cannot append two slice with different type (%s, %s)", src.Type(), dst.Type()) + } + dst.Set(reflect.AppendSlice(dst, src)) + } else if sliceDeepCopy { + for i := 0; i < src.Len() && i < dst.Len(); i++ { + srcElement := src.Index(i) + dstElement := dst.Index(i) + if srcElement.CanInterface() { + srcElement = reflect.ValueOf(srcElement.Interface()) + } + if dstElement.CanInterface() { + dstElement = reflect.ValueOf(dstElement.Interface()) + } + + if err = deepMerge(dstElement, srcElement, visited, depth+1, config); err != nil { + return + } + } + } + case reflect.Ptr: + fallthrough + case reflect.Interface: + if isReflectNil(src) { + if overwriteWithEmptySrc && dst.CanSet() && src.Type().AssignableTo(dst.Type()) { + dst.Set(src) + } + break + } + + if src.Kind() != reflect.Interface { + if dst.IsNil() || (src.Kind() != reflect.Ptr && overwrite) { + if dst.CanSet() && (overwrite || isEmptyValue(dst, !config.ShouldNotDereference)) { + dst.Set(src) + } + } else if src.Kind() == reflect.Ptr { + if !config.ShouldNotDereference { + if err = deepMerge(dst.Elem(), src.Elem(), visited, depth+1, config); err != nil { + return + } + } else if src.Elem().Kind() != reflect.Struct { + if overwriteWithEmptySrc || (overwrite && !src.IsNil()) || dst.IsNil() { + dst.Set(src) + } + } + } else if dst.Elem().Type() == src.Type() { + if err = deepMerge(dst.Elem(), src, visited, depth+1, config); err != nil { + return + } + } else { + return ErrDifferentArgumentsTypes + } + break + } + + if dst.IsNil() || overwrite { + if dst.CanSet() && (overwrite || isEmptyValue(dst, !config.ShouldNotDereference)) { + dst.Set(src) + } + break + } + + if dst.Elem().Kind() == src.Elem().Kind() { + if err = deepMerge(dst.Elem(), src.Elem(), visited, depth+1, config); err != nil { + return + } + break + } + default: + mustSet := (isEmptyValue(dst, !config.ShouldNotDereference) || overwrite) && (!isEmptyValue(src, !config.ShouldNotDereference) || overwriteWithEmptySrc) + if mustSet { + if dst.CanSet() { + dst.Set(src) + } else { + dst = src + } + } + } + + return +} + +// Merge will fill any empty for value type attributes on the dst struct using corresponding +// src attributes if they themselves are not empty. dst and src must be valid same-type structs +// and dst must be a pointer to struct. +// It won't merge unexported (private) fields and will do recursively any exported field. +func Merge(dst, src interface{}, opts ...func(*Config)) error { + return merge(dst, src, opts...) +} + +// MergeWithOverwrite will do the same as Merge except that non-empty dst attributes will be overridden by +// non-empty src attribute values. +// Deprecated: use Merge(…) with WithOverride +func MergeWithOverwrite(dst, src interface{}, opts ...func(*Config)) error { + return merge(dst, src, append(opts, WithOverride)...) +} + +// WithTransformers adds transformers to merge, allowing to customize the merging of some types. +func WithTransformers(transformers Transformers) func(*Config) { + return func(config *Config) { + config.Transformers = transformers + } +} + +// WithOverride will make merge override non-empty dst attributes with non-empty src attributes values. +func WithOverride(config *Config) { + config.Overwrite = true +} + +// WithOverwriteWithEmptyValue will make merge override non empty dst attributes with empty src attributes values. +func WithOverwriteWithEmptyValue(config *Config) { + config.Overwrite = true + config.overwriteWithEmptyValue = true +} + +// WithOverrideEmptySlice will make merge override empty dst slice with empty src slice. +func WithOverrideEmptySlice(config *Config) { + config.overwriteSliceWithEmptyValue = true +} + +// WithoutDereference prevents dereferencing pointers when evaluating whether they are empty +// (i.e. a non-nil pointer is never considered empty). +func WithoutDereference(config *Config) { + config.ShouldNotDereference = true +} + +// WithAppendSlice will make merge append slices instead of overwriting it. +func WithAppendSlice(config *Config) { + config.AppendSlice = true +} + +// WithTypeCheck will make merge check types while overwriting it (must be used with WithOverride). +func WithTypeCheck(config *Config) { + config.TypeCheck = true +} + +// WithSliceDeepCopy will merge slice element one by one with Overwrite flag. +func WithSliceDeepCopy(config *Config) { + config.sliceDeepCopy = true + config.Overwrite = true +} + +func merge(dst, src interface{}, opts ...func(*Config)) error { + if dst != nil && reflect.ValueOf(dst).Kind() != reflect.Ptr { + return ErrNonPointerArgument + } + var ( + vDst, vSrc reflect.Value + err error + ) + + config := &Config{} + + for _, opt := range opts { + opt(config) + } + + if vDst, vSrc, err = resolveValues(dst, src); err != nil { + return err + } + if vDst.Type() != vSrc.Type() { + return ErrDifferentArgumentsTypes + } + return deepMerge(vDst, vSrc, make(map[uintptr]*visit), 0, config) +} + +// IsReflectNil is the reflect value provided nil +func isReflectNil(v reflect.Value) bool { + k := v.Kind() + switch k { + case reflect.Interface, reflect.Slice, reflect.Chan, reflect.Func, reflect.Map, reflect.Ptr: + // Both interface and slice are nil if first word is 0. + // Both are always bigger than a word; assume flagIndir. + return v.IsNil() + default: + return false + } +} diff --git a/vendor/dario.cat/mergo/mergo.go b/vendor/dario.cat/mergo/mergo.go new file mode 100644 index 0000000000..0a721e2d85 --- /dev/null +++ b/vendor/dario.cat/mergo/mergo.go @@ -0,0 +1,81 @@ +// Copyright 2013 Dario Castañé. All rights reserved. +// Copyright 2009 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +// Based on src/pkg/reflect/deepequal.go from official +// golang's stdlib. + +package mergo + +import ( + "errors" + "reflect" +) + +// Errors reported by Mergo when it finds invalid arguments. +var ( + ErrNilArguments = errors.New("src and dst must not be nil") + ErrDifferentArgumentsTypes = errors.New("src and dst must be of same type") + ErrNotSupported = errors.New("only structs, maps, and slices are supported") + ErrExpectedMapAsDestination = errors.New("dst was expected to be a map") + ErrExpectedStructAsDestination = errors.New("dst was expected to be a struct") + ErrNonPointerArgument = errors.New("dst must be a pointer") +) + +// During deepMerge, must keep track of checks that are +// in progress. The comparison algorithm assumes that all +// checks in progress are true when it reencounters them. +// Visited are stored in a map indexed by 17 * a1 + a2; +type visit struct { + typ reflect.Type + next *visit + ptr uintptr +} + +// From src/pkg/encoding/json/encode.go. +func isEmptyValue(v reflect.Value, shouldDereference bool) bool { + switch v.Kind() { + case reflect.Array, reflect.Map, reflect.Slice, reflect.String: + return v.Len() == 0 + case reflect.Bool: + return !v.Bool() + case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64: + return v.Int() == 0 + case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64, reflect.Uintptr: + return v.Uint() == 0 + case reflect.Float32, reflect.Float64: + return v.Float() == 0 + case reflect.Interface, reflect.Ptr: + if v.IsNil() { + return true + } + if shouldDereference { + return isEmptyValue(v.Elem(), shouldDereference) + } + return false + case reflect.Func: + return v.IsNil() + case reflect.Invalid: + return true + } + return false +} + +func resolveValues(dst, src interface{}) (vDst, vSrc reflect.Value, err error) { + if dst == nil || src == nil { + err = ErrNilArguments + return + } + vDst = reflect.ValueOf(dst).Elem() + if vDst.Kind() != reflect.Struct && vDst.Kind() != reflect.Map && vDst.Kind() != reflect.Slice { + err = ErrNotSupported + return + } + vSrc = reflect.ValueOf(src) + // We check if vSrc is a pointer to dereference it. + if vSrc.Kind() == reflect.Ptr { + vSrc = vSrc.Elem() + } + return +} diff --git a/vendor/github.com/Azure/go-ansiterm/LICENSE b/vendor/github.com/Azure/go-ansiterm/LICENSE new file mode 100644 index 0000000000..e3d9a64d1d --- /dev/null +++ b/vendor/github.com/Azure/go-ansiterm/LICENSE @@ -0,0 +1,21 @@ +The MIT License (MIT) + +Copyright (c) 2015 Microsoft Corporation + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE. diff --git a/vendor/github.com/Azure/go-ansiterm/README.md b/vendor/github.com/Azure/go-ansiterm/README.md new file mode 100644 index 0000000000..261c041e7a --- /dev/null +++ b/vendor/github.com/Azure/go-ansiterm/README.md @@ -0,0 +1,12 @@ +# go-ansiterm + +This is a cross platform Ansi Terminal Emulation library. It reads a stream of Ansi characters and produces the appropriate function calls. The results of the function calls are platform dependent. + +For example the parser might receive "ESC, [, A" as a stream of three characters. This is the code for Cursor Up (http://www.vt100.net/docs/vt510-rm/CUU). The parser then calls the cursor up function (CUU()) on an event handler. The event handler determines what platform specific work must be done to cause the cursor to move up one position. + +The parser (parser.go) is a partial implementation of this state machine (http://vt100.net/emu/vt500_parser.png). There are also two event handler implementations, one for tests (test_event_handler.go) to validate that the expected events are being produced and called, the other is a Windows implementation (winterm/win_event_handler.go). + +See parser_test.go for examples exercising the state machine and generating appropriate function calls. + +----- +This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/). For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments. diff --git a/vendor/github.com/Azure/go-ansiterm/SECURITY.md b/vendor/github.com/Azure/go-ansiterm/SECURITY.md new file mode 100644 index 0000000000..e138ec5d6a --- /dev/null +++ b/vendor/github.com/Azure/go-ansiterm/SECURITY.md @@ -0,0 +1,41 @@ + + +## Security + +Microsoft takes the security of our software products and services seriously, which includes all source code repositories managed through our GitHub organizations, which include [Microsoft](https://github.com/microsoft), [Azure](https://github.com/Azure), [DotNet](https://github.com/dotnet), [AspNet](https://github.com/aspnet), [Xamarin](https://github.com/xamarin), and [our GitHub organizations](https://opensource.microsoft.com/). + +If you believe you have found a security vulnerability in any Microsoft-owned repository that meets [Microsoft's definition of a security vulnerability](https://aka.ms/opensource/security/definition), please report it to us as described below. + +## Reporting Security Issues + +**Please do not report security vulnerabilities through public GitHub issues.** + +Instead, please report them to the Microsoft Security Response Center (MSRC) at [https://msrc.microsoft.com/create-report](https://aka.ms/opensource/security/create-report). + +If you prefer to submit without logging in, send email to [secure@microsoft.com](mailto:secure@microsoft.com). If possible, encrypt your message with our PGP key; please download it from the [Microsoft Security Response Center PGP Key page](https://aka.ms/opensource/security/pgpkey). + +You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your original message. Additional information can be found at [microsoft.com/msrc](https://aka.ms/opensource/security/msrc). + +Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue: + + * Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.) + * Full paths of source file(s) related to the manifestation of the issue + * The location of the affected source code (tag/branch/commit or direct URL) + * Any special configuration required to reproduce the issue + * Step-by-step instructions to reproduce the issue + * Proof-of-concept or exploit code (if possible) + * Impact of the issue, including how an attacker might exploit the issue + +This information will help us triage your report more quickly. + +If you are reporting for a bug bounty, more complete reports can contribute to a higher bounty award. Please visit our [Microsoft Bug Bounty Program](https://aka.ms/opensource/security/bounty) page for more details about our active programs. + +## Preferred Languages + +We prefer all communications to be in English. + +## Policy + +Microsoft follows the principle of [Coordinated Vulnerability Disclosure](https://aka.ms/opensource/security/cvd). + + diff --git a/vendor/github.com/Azure/go-ansiterm/constants.go b/vendor/github.com/Azure/go-ansiterm/constants.go new file mode 100644 index 0000000000..96504a33bc --- /dev/null +++ b/vendor/github.com/Azure/go-ansiterm/constants.go @@ -0,0 +1,188 @@ +package ansiterm + +const LogEnv = "DEBUG_TERMINAL" + +// ANSI constants +// References: +// -- http://www.ecma-international.org/publications/standards/Ecma-048.htm +// -- http://man7.org/linux/man-pages/man4/console_codes.4.html +// -- http://manpages.ubuntu.com/manpages/intrepid/man4/console_codes.4.html +// -- http://en.wikipedia.org/wiki/ANSI_escape_code +// -- http://vt100.net/emu/dec_ansi_parser +// -- http://vt100.net/emu/vt500_parser.svg +// -- http://invisible-island.net/xterm/ctlseqs/ctlseqs.html +// -- http://www.inwap.com/pdp10/ansicode.txt +const ( + // ECMA-48 Set Graphics Rendition + // Note: + // -- Constants leading with an underscore (e.g., _ANSI_xxx) are unsupported or reserved + // -- Fonts could possibly be supported via SetCurrentConsoleFontEx + // -- Windows does not expose the per-window cursor (i.e., caret) blink times + ANSI_SGR_RESET = 0 + ANSI_SGR_BOLD = 1 + ANSI_SGR_DIM = 2 + _ANSI_SGR_ITALIC = 3 + ANSI_SGR_UNDERLINE = 4 + _ANSI_SGR_BLINKSLOW = 5 + _ANSI_SGR_BLINKFAST = 6 + ANSI_SGR_REVERSE = 7 + _ANSI_SGR_INVISIBLE = 8 + _ANSI_SGR_LINETHROUGH = 9 + _ANSI_SGR_FONT_00 = 10 + _ANSI_SGR_FONT_01 = 11 + _ANSI_SGR_FONT_02 = 12 + _ANSI_SGR_FONT_03 = 13 + _ANSI_SGR_FONT_04 = 14 + _ANSI_SGR_FONT_05 = 15 + _ANSI_SGR_FONT_06 = 16 + _ANSI_SGR_FONT_07 = 17 + _ANSI_SGR_FONT_08 = 18 + _ANSI_SGR_FONT_09 = 19 + _ANSI_SGR_FONT_10 = 20 + _ANSI_SGR_DOUBLEUNDERLINE = 21 + ANSI_SGR_BOLD_DIM_OFF = 22 + _ANSI_SGR_ITALIC_OFF = 23 + ANSI_SGR_UNDERLINE_OFF = 24 + _ANSI_SGR_BLINK_OFF = 25 + _ANSI_SGR_RESERVED_00 = 26 + ANSI_SGR_REVERSE_OFF = 27 + _ANSI_SGR_INVISIBLE_OFF = 28 + _ANSI_SGR_LINETHROUGH_OFF = 29 + ANSI_SGR_FOREGROUND_BLACK = 30 + ANSI_SGR_FOREGROUND_RED = 31 + ANSI_SGR_FOREGROUND_GREEN = 32 + ANSI_SGR_FOREGROUND_YELLOW = 33 + ANSI_SGR_FOREGROUND_BLUE = 34 + ANSI_SGR_FOREGROUND_MAGENTA = 35 + ANSI_SGR_FOREGROUND_CYAN = 36 + ANSI_SGR_FOREGROUND_WHITE = 37 + _ANSI_SGR_RESERVED_01 = 38 + ANSI_SGR_FOREGROUND_DEFAULT = 39 + ANSI_SGR_BACKGROUND_BLACK = 40 + ANSI_SGR_BACKGROUND_RED = 41 + ANSI_SGR_BACKGROUND_GREEN = 42 + ANSI_SGR_BACKGROUND_YELLOW = 43 + ANSI_SGR_BACKGROUND_BLUE = 44 + ANSI_SGR_BACKGROUND_MAGENTA = 45 + ANSI_SGR_BACKGROUND_CYAN = 46 + ANSI_SGR_BACKGROUND_WHITE = 47 + _ANSI_SGR_RESERVED_02 = 48 + ANSI_SGR_BACKGROUND_DEFAULT = 49 + // 50 - 65: Unsupported + + ANSI_MAX_CMD_LENGTH = 4096 + + MAX_INPUT_EVENTS = 128 + DEFAULT_WIDTH = 80 + DEFAULT_HEIGHT = 24 + + ANSI_BEL = 0x07 + ANSI_BACKSPACE = 0x08 + ANSI_TAB = 0x09 + ANSI_LINE_FEED = 0x0A + ANSI_VERTICAL_TAB = 0x0B + ANSI_FORM_FEED = 0x0C + ANSI_CARRIAGE_RETURN = 0x0D + ANSI_ESCAPE_PRIMARY = 0x1B + ANSI_ESCAPE_SECONDARY = 0x5B + ANSI_OSC_STRING_ENTRY = 0x5D + ANSI_COMMAND_FIRST = 0x40 + ANSI_COMMAND_LAST = 0x7E + DCS_ENTRY = 0x90 + CSI_ENTRY = 0x9B + OSC_STRING = 0x9D + ANSI_PARAMETER_SEP = ";" + ANSI_CMD_G0 = '(' + ANSI_CMD_G1 = ')' + ANSI_CMD_G2 = '*' + ANSI_CMD_G3 = '+' + ANSI_CMD_DECPNM = '>' + ANSI_CMD_DECPAM = '=' + ANSI_CMD_OSC = ']' + ANSI_CMD_STR_TERM = '\\' + + KEY_CONTROL_PARAM_2 = ";2" + KEY_CONTROL_PARAM_3 = ";3" + KEY_CONTROL_PARAM_4 = ";4" + KEY_CONTROL_PARAM_5 = ";5" + KEY_CONTROL_PARAM_6 = ";6" + KEY_CONTROL_PARAM_7 = ";7" + KEY_CONTROL_PARAM_8 = ";8" + KEY_ESC_CSI = "\x1B[" + KEY_ESC_N = "\x1BN" + KEY_ESC_O = "\x1BO" + + FILL_CHARACTER = ' ' +) + +func getByteRange(start byte, end byte) []byte { + bytes := make([]byte, 0, 32) + for i := start; i <= end; i++ { + bytes = append(bytes, byte(i)) + } + + return bytes +} + +var toGroundBytes = getToGroundBytes() +var executors = getExecuteBytes() + +// SPACE 20+A0 hex Always and everywhere a blank space +// Intermediate 20-2F hex !"#$%&'()*+,-./ +var intermeds = getByteRange(0x20, 0x2F) + +// Parameters 30-3F hex 0123456789:;<=>? +// CSI Parameters 30-39, 3B hex 0123456789; +var csiParams = getByteRange(0x30, 0x3F) + +var csiCollectables = append(getByteRange(0x30, 0x39), getByteRange(0x3B, 0x3F)...) + +// Uppercase 40-5F hex @ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_ +var upperCase = getByteRange(0x40, 0x5F) + +// Lowercase 60-7E hex `abcdefghijlkmnopqrstuvwxyz{|}~ +var lowerCase = getByteRange(0x60, 0x7E) + +// Alphabetics 40-7E hex (all of upper and lower case) +var alphabetics = append(upperCase, lowerCase...) + +var printables = getByteRange(0x20, 0x7F) + +var escapeIntermediateToGroundBytes = getByteRange(0x30, 0x7E) +var escapeToGroundBytes = getEscapeToGroundBytes() + +// See http://www.vt100.net/emu/vt500_parser.png for description of the complex +// byte ranges below + +func getEscapeToGroundBytes() []byte { + escapeToGroundBytes := getByteRange(0x30, 0x4F) + escapeToGroundBytes = append(escapeToGroundBytes, getByteRange(0x51, 0x57)...) + escapeToGroundBytes = append(escapeToGroundBytes, 0x59) + escapeToGroundBytes = append(escapeToGroundBytes, 0x5A) + escapeToGroundBytes = append(escapeToGroundBytes, 0x5C) + escapeToGroundBytes = append(escapeToGroundBytes, getByteRange(0x60, 0x7E)...) + return escapeToGroundBytes +} + +func getExecuteBytes() []byte { + executeBytes := getByteRange(0x00, 0x17) + executeBytes = append(executeBytes, 0x19) + executeBytes = append(executeBytes, getByteRange(0x1C, 0x1F)...) + return executeBytes +} + +func getToGroundBytes() []byte { + groundBytes := []byte{0x18} + groundBytes = append(groundBytes, 0x1A) + groundBytes = append(groundBytes, getByteRange(0x80, 0x8F)...) + groundBytes = append(groundBytes, getByteRange(0x91, 0x97)...) + groundBytes = append(groundBytes, 0x99) + groundBytes = append(groundBytes, 0x9A) + groundBytes = append(groundBytes, 0x9C) + return groundBytes +} + +// Delete 7F hex Always and everywhere ignored +// C1 Control 80-9F hex 32 additional control characters +// G1 Displayable A1-FE hex 94 additional displayable characters +// Special A0+FF hex Same as SPACE and DELETE diff --git a/vendor/github.com/Azure/go-ansiterm/context.go b/vendor/github.com/Azure/go-ansiterm/context.go new file mode 100644 index 0000000000..8d66e777c0 --- /dev/null +++ b/vendor/github.com/Azure/go-ansiterm/context.go @@ -0,0 +1,7 @@ +package ansiterm + +type ansiContext struct { + currentChar byte + paramBuffer []byte + interBuffer []byte +} diff --git a/vendor/github.com/Azure/go-ansiterm/csi_entry_state.go b/vendor/github.com/Azure/go-ansiterm/csi_entry_state.go new file mode 100644 index 0000000000..bcbe00d0c5 --- /dev/null +++ b/vendor/github.com/Azure/go-ansiterm/csi_entry_state.go @@ -0,0 +1,49 @@ +package ansiterm + +type csiEntryState struct { + baseState +} + +func (csiState csiEntryState) Handle(b byte) (s state, e error) { + csiState.parser.logf("CsiEntry::Handle %#x", b) + + nextState, err := csiState.baseState.Handle(b) + if nextState != nil || err != nil { + return nextState, err + } + + switch { + case sliceContains(alphabetics, b): + return csiState.parser.ground, nil + case sliceContains(csiCollectables, b): + return csiState.parser.csiParam, nil + case sliceContains(executors, b): + return csiState, csiState.parser.execute() + } + + return csiState, nil +} + +func (csiState csiEntryState) Transition(s state) error { + csiState.parser.logf("CsiEntry::Transition %s --> %s", csiState.Name(), s.Name()) + csiState.baseState.Transition(s) + + switch s { + case csiState.parser.ground: + return csiState.parser.csiDispatch() + case csiState.parser.csiParam: + switch { + case sliceContains(csiParams, csiState.parser.context.currentChar): + csiState.parser.collectParam() + case sliceContains(intermeds, csiState.parser.context.currentChar): + csiState.parser.collectInter() + } + } + + return nil +} + +func (csiState csiEntryState) Enter() error { + csiState.parser.clear() + return nil +} diff --git a/vendor/github.com/Azure/go-ansiterm/csi_param_state.go b/vendor/github.com/Azure/go-ansiterm/csi_param_state.go new file mode 100644 index 0000000000..7ed5e01c34 --- /dev/null +++ b/vendor/github.com/Azure/go-ansiterm/csi_param_state.go @@ -0,0 +1,38 @@ +package ansiterm + +type csiParamState struct { + baseState +} + +func (csiState csiParamState) Handle(b byte) (s state, e error) { + csiState.parser.logf("CsiParam::Handle %#x", b) + + nextState, err := csiState.baseState.Handle(b) + if nextState != nil || err != nil { + return nextState, err + } + + switch { + case sliceContains(alphabetics, b): + return csiState.parser.ground, nil + case sliceContains(csiCollectables, b): + csiState.parser.collectParam() + return csiState, nil + case sliceContains(executors, b): + return csiState, csiState.parser.execute() + } + + return csiState, nil +} + +func (csiState csiParamState) Transition(s state) error { + csiState.parser.logf("CsiParam::Transition %s --> %s", csiState.Name(), s.Name()) + csiState.baseState.Transition(s) + + switch s { + case csiState.parser.ground: + return csiState.parser.csiDispatch() + } + + return nil +} diff --git a/vendor/github.com/Azure/go-ansiterm/escape_intermediate_state.go b/vendor/github.com/Azure/go-ansiterm/escape_intermediate_state.go new file mode 100644 index 0000000000..1c719db9e4 --- /dev/null +++ b/vendor/github.com/Azure/go-ansiterm/escape_intermediate_state.go @@ -0,0 +1,36 @@ +package ansiterm + +type escapeIntermediateState struct { + baseState +} + +func (escState escapeIntermediateState) Handle(b byte) (s state, e error) { + escState.parser.logf("escapeIntermediateState::Handle %#x", b) + nextState, err := escState.baseState.Handle(b) + if nextState != nil || err != nil { + return nextState, err + } + + switch { + case sliceContains(intermeds, b): + return escState, escState.parser.collectInter() + case sliceContains(executors, b): + return escState, escState.parser.execute() + case sliceContains(escapeIntermediateToGroundBytes, b): + return escState.parser.ground, nil + } + + return escState, nil +} + +func (escState escapeIntermediateState) Transition(s state) error { + escState.parser.logf("escapeIntermediateState::Transition %s --> %s", escState.Name(), s.Name()) + escState.baseState.Transition(s) + + switch s { + case escState.parser.ground: + return escState.parser.escDispatch() + } + + return nil +} diff --git a/vendor/github.com/Azure/go-ansiterm/escape_state.go b/vendor/github.com/Azure/go-ansiterm/escape_state.go new file mode 100644 index 0000000000..6390abd231 --- /dev/null +++ b/vendor/github.com/Azure/go-ansiterm/escape_state.go @@ -0,0 +1,47 @@ +package ansiterm + +type escapeState struct { + baseState +} + +func (escState escapeState) Handle(b byte) (s state, e error) { + escState.parser.logf("escapeState::Handle %#x", b) + nextState, err := escState.baseState.Handle(b) + if nextState != nil || err != nil { + return nextState, err + } + + switch { + case b == ANSI_ESCAPE_SECONDARY: + return escState.parser.csiEntry, nil + case b == ANSI_OSC_STRING_ENTRY: + return escState.parser.oscString, nil + case sliceContains(executors, b): + return escState, escState.parser.execute() + case sliceContains(escapeToGroundBytes, b): + return escState.parser.ground, nil + case sliceContains(intermeds, b): + return escState.parser.escapeIntermediate, nil + } + + return escState, nil +} + +func (escState escapeState) Transition(s state) error { + escState.parser.logf("Escape::Transition %s --> %s", escState.Name(), s.Name()) + escState.baseState.Transition(s) + + switch s { + case escState.parser.ground: + return escState.parser.escDispatch() + case escState.parser.escapeIntermediate: + return escState.parser.collectInter() + } + + return nil +} + +func (escState escapeState) Enter() error { + escState.parser.clear() + return nil +} diff --git a/vendor/github.com/Azure/go-ansiterm/event_handler.go b/vendor/github.com/Azure/go-ansiterm/event_handler.go new file mode 100644 index 0000000000..98087b38c2 --- /dev/null +++ b/vendor/github.com/Azure/go-ansiterm/event_handler.go @@ -0,0 +1,90 @@ +package ansiterm + +type AnsiEventHandler interface { + // Print + Print(b byte) error + + // Execute C0 commands + Execute(b byte) error + + // CUrsor Up + CUU(int) error + + // CUrsor Down + CUD(int) error + + // CUrsor Forward + CUF(int) error + + // CUrsor Backward + CUB(int) error + + // Cursor to Next Line + CNL(int) error + + // Cursor to Previous Line + CPL(int) error + + // Cursor Horizontal position Absolute + CHA(int) error + + // Vertical line Position Absolute + VPA(int) error + + // CUrsor Position + CUP(int, int) error + + // Horizontal and Vertical Position (depends on PUM) + HVP(int, int) error + + // Text Cursor Enable Mode + DECTCEM(bool) error + + // Origin Mode + DECOM(bool) error + + // 132 Column Mode + DECCOLM(bool) error + + // Erase in Display + ED(int) error + + // Erase in Line + EL(int) error + + // Insert Line + IL(int) error + + // Delete Line + DL(int) error + + // Insert Character + ICH(int) error + + // Delete Character + DCH(int) error + + // Set Graphics Rendition + SGR([]int) error + + // Pan Down + SU(int) error + + // Pan Up + SD(int) error + + // Device Attributes + DA([]string) error + + // Set Top and Bottom Margins + DECSTBM(int, int) error + + // Index + IND() error + + // Reverse Index + RI() error + + // Flush updates from previous commands + Flush() error +} diff --git a/vendor/github.com/Azure/go-ansiterm/ground_state.go b/vendor/github.com/Azure/go-ansiterm/ground_state.go new file mode 100644 index 0000000000..52451e9469 --- /dev/null +++ b/vendor/github.com/Azure/go-ansiterm/ground_state.go @@ -0,0 +1,24 @@ +package ansiterm + +type groundState struct { + baseState +} + +func (gs groundState) Handle(b byte) (s state, e error) { + gs.parser.context.currentChar = b + + nextState, err := gs.baseState.Handle(b) + if nextState != nil || err != nil { + return nextState, err + } + + switch { + case sliceContains(printables, b): + return gs, gs.parser.print() + + case sliceContains(executors, b): + return gs, gs.parser.execute() + } + + return gs, nil +} diff --git a/vendor/github.com/Azure/go-ansiterm/osc_string_state.go b/vendor/github.com/Azure/go-ansiterm/osc_string_state.go new file mode 100644 index 0000000000..194d5e9c94 --- /dev/null +++ b/vendor/github.com/Azure/go-ansiterm/osc_string_state.go @@ -0,0 +1,23 @@ +package ansiterm + +type oscStringState struct { + baseState +} + +func (oscState oscStringState) Handle(b byte) (s state, e error) { + oscState.parser.logf("OscString::Handle %#x", b) + nextState, err := oscState.baseState.Handle(b) + if nextState != nil || err != nil { + return nextState, err + } + + // There are several control characters and sequences which can + // terminate an OSC string. Most of them are handled by the baseState + // handler. The ANSI_BEL character is a special case which behaves as a + // terminator only for an OSC string. + if b == ANSI_BEL { + return oscState.parser.ground, nil + } + + return oscState, nil +} diff --git a/vendor/github.com/Azure/go-ansiterm/parser.go b/vendor/github.com/Azure/go-ansiterm/parser.go new file mode 100644 index 0000000000..03cec7ada6 --- /dev/null +++ b/vendor/github.com/Azure/go-ansiterm/parser.go @@ -0,0 +1,151 @@ +package ansiterm + +import ( + "errors" + "log" + "os" +) + +type AnsiParser struct { + currState state + eventHandler AnsiEventHandler + context *ansiContext + csiEntry state + csiParam state + dcsEntry state + escape state + escapeIntermediate state + error state + ground state + oscString state + stateMap []state + + logf func(string, ...interface{}) +} + +type Option func(*AnsiParser) + +func WithLogf(f func(string, ...interface{})) Option { + return func(ap *AnsiParser) { + ap.logf = f + } +} + +func CreateParser(initialState string, evtHandler AnsiEventHandler, opts ...Option) *AnsiParser { + ap := &AnsiParser{ + eventHandler: evtHandler, + context: &ansiContext{}, + } + for _, o := range opts { + o(ap) + } + + if isDebugEnv := os.Getenv(LogEnv); isDebugEnv == "1" { + logFile, _ := os.Create("ansiParser.log") + logger := log.New(logFile, "", log.LstdFlags) + if ap.logf != nil { + l := ap.logf + ap.logf = func(s string, v ...interface{}) { + l(s, v...) + logger.Printf(s, v...) + } + } else { + ap.logf = logger.Printf + } + } + + if ap.logf == nil { + ap.logf = func(string, ...interface{}) {} + } + + ap.csiEntry = csiEntryState{baseState{name: "CsiEntry", parser: ap}} + ap.csiParam = csiParamState{baseState{name: "CsiParam", parser: ap}} + ap.dcsEntry = dcsEntryState{baseState{name: "DcsEntry", parser: ap}} + ap.escape = escapeState{baseState{name: "Escape", parser: ap}} + ap.escapeIntermediate = escapeIntermediateState{baseState{name: "EscapeIntermediate", parser: ap}} + ap.error = errorState{baseState{name: "Error", parser: ap}} + ap.ground = groundState{baseState{name: "Ground", parser: ap}} + ap.oscString = oscStringState{baseState{name: "OscString", parser: ap}} + + ap.stateMap = []state{ + ap.csiEntry, + ap.csiParam, + ap.dcsEntry, + ap.escape, + ap.escapeIntermediate, + ap.error, + ap.ground, + ap.oscString, + } + + ap.currState = getState(initialState, ap.stateMap) + + ap.logf("CreateParser: parser %p", ap) + return ap +} + +func getState(name string, states []state) state { + for _, el := range states { + if el.Name() == name { + return el + } + } + + return nil +} + +func (ap *AnsiParser) Parse(bytes []byte) (int, error) { + for i, b := range bytes { + if err := ap.handle(b); err != nil { + return i, err + } + } + + return len(bytes), ap.eventHandler.Flush() +} + +func (ap *AnsiParser) handle(b byte) error { + ap.context.currentChar = b + newState, err := ap.currState.Handle(b) + if err != nil { + return err + } + + if newState == nil { + ap.logf("WARNING: newState is nil") + return errors.New("New state of 'nil' is invalid.") + } + + if newState != ap.currState { + if err := ap.changeState(newState); err != nil { + return err + } + } + + return nil +} + +func (ap *AnsiParser) changeState(newState state) error { + ap.logf("ChangeState %s --> %s", ap.currState.Name(), newState.Name()) + + // Exit old state + if err := ap.currState.Exit(); err != nil { + ap.logf("Exit state '%s' failed with : '%v'", ap.currState.Name(), err) + return err + } + + // Perform transition action + if err := ap.currState.Transition(newState); err != nil { + ap.logf("Transition from '%s' to '%s' failed with: '%v'", ap.currState.Name(), newState.Name, err) + return err + } + + // Enter new state + if err := newState.Enter(); err != nil { + ap.logf("Enter state '%s' failed with: '%v'", newState.Name(), err) + return err + } + + ap.currState = newState + return nil +} diff --git a/vendor/github.com/Azure/go-ansiterm/parser_action_helpers.go b/vendor/github.com/Azure/go-ansiterm/parser_action_helpers.go new file mode 100644 index 0000000000..de0a1f9cde --- /dev/null +++ b/vendor/github.com/Azure/go-ansiterm/parser_action_helpers.go @@ -0,0 +1,99 @@ +package ansiterm + +import ( + "strconv" +) + +func parseParams(bytes []byte) ([]string, error) { + paramBuff := make([]byte, 0, 0) + params := []string{} + + for _, v := range bytes { + if v == ';' { + if len(paramBuff) > 0 { + // Completed parameter, append it to the list + s := string(paramBuff) + params = append(params, s) + paramBuff = make([]byte, 0, 0) + } + } else { + paramBuff = append(paramBuff, v) + } + } + + // Last parameter may not be terminated with ';' + if len(paramBuff) > 0 { + s := string(paramBuff) + params = append(params, s) + } + + return params, nil +} + +func parseCmd(context ansiContext) (string, error) { + return string(context.currentChar), nil +} + +func getInt(params []string, dflt int) int { + i := getInts(params, 1, dflt)[0] + return i +} + +func getInts(params []string, minCount int, dflt int) []int { + ints := []int{} + + for _, v := range params { + i, _ := strconv.Atoi(v) + // Zero is mapped to the default value in VT100. + if i == 0 { + i = dflt + } + ints = append(ints, i) + } + + if len(ints) < minCount { + remaining := minCount - len(ints) + for i := 0; i < remaining; i++ { + ints = append(ints, dflt) + } + } + + return ints +} + +func (ap *AnsiParser) modeDispatch(param string, set bool) error { + switch param { + case "?3": + return ap.eventHandler.DECCOLM(set) + case "?6": + return ap.eventHandler.DECOM(set) + case "?25": + return ap.eventHandler.DECTCEM(set) + } + return nil +} + +func (ap *AnsiParser) hDispatch(params []string) error { + if len(params) == 1 { + return ap.modeDispatch(params[0], true) + } + + return nil +} + +func (ap *AnsiParser) lDispatch(params []string) error { + if len(params) == 1 { + return ap.modeDispatch(params[0], false) + } + + return nil +} + +func getEraseParam(params []string) int { + param := getInt(params, 0) + if param < 0 || 3 < param { + param = 0 + } + + return param +} diff --git a/vendor/github.com/Azure/go-ansiterm/parser_actions.go b/vendor/github.com/Azure/go-ansiterm/parser_actions.go new file mode 100644 index 0000000000..0bb5e51e9a --- /dev/null +++ b/vendor/github.com/Azure/go-ansiterm/parser_actions.go @@ -0,0 +1,119 @@ +package ansiterm + +func (ap *AnsiParser) collectParam() error { + currChar := ap.context.currentChar + ap.logf("collectParam %#x", currChar) + ap.context.paramBuffer = append(ap.context.paramBuffer, currChar) + return nil +} + +func (ap *AnsiParser) collectInter() error { + currChar := ap.context.currentChar + ap.logf("collectInter %#x", currChar) + ap.context.paramBuffer = append(ap.context.interBuffer, currChar) + return nil +} + +func (ap *AnsiParser) escDispatch() error { + cmd, _ := parseCmd(*ap.context) + intermeds := ap.context.interBuffer + ap.logf("escDispatch currentChar: %#x", ap.context.currentChar) + ap.logf("escDispatch: %v(%v)", cmd, intermeds) + + switch cmd { + case "D": // IND + return ap.eventHandler.IND() + case "E": // NEL, equivalent to CRLF + err := ap.eventHandler.Execute(ANSI_CARRIAGE_RETURN) + if err == nil { + err = ap.eventHandler.Execute(ANSI_LINE_FEED) + } + return err + case "M": // RI + return ap.eventHandler.RI() + } + + return nil +} + +func (ap *AnsiParser) csiDispatch() error { + cmd, _ := parseCmd(*ap.context) + params, _ := parseParams(ap.context.paramBuffer) + ap.logf("Parsed params: %v with length: %d", params, len(params)) + + ap.logf("csiDispatch: %v(%v)", cmd, params) + + switch cmd { + case "@": + return ap.eventHandler.ICH(getInt(params, 1)) + case "A": + return ap.eventHandler.CUU(getInt(params, 1)) + case "B": + return ap.eventHandler.CUD(getInt(params, 1)) + case "C": + return ap.eventHandler.CUF(getInt(params, 1)) + case "D": + return ap.eventHandler.CUB(getInt(params, 1)) + case "E": + return ap.eventHandler.CNL(getInt(params, 1)) + case "F": + return ap.eventHandler.CPL(getInt(params, 1)) + case "G": + return ap.eventHandler.CHA(getInt(params, 1)) + case "H": + ints := getInts(params, 2, 1) + x, y := ints[0], ints[1] + return ap.eventHandler.CUP(x, y) + case "J": + param := getEraseParam(params) + return ap.eventHandler.ED(param) + case "K": + param := getEraseParam(params) + return ap.eventHandler.EL(param) + case "L": + return ap.eventHandler.IL(getInt(params, 1)) + case "M": + return ap.eventHandler.DL(getInt(params, 1)) + case "P": + return ap.eventHandler.DCH(getInt(params, 1)) + case "S": + return ap.eventHandler.SU(getInt(params, 1)) + case "T": + return ap.eventHandler.SD(getInt(params, 1)) + case "c": + return ap.eventHandler.DA(params) + case "d": + return ap.eventHandler.VPA(getInt(params, 1)) + case "f": + ints := getInts(params, 2, 1) + x, y := ints[0], ints[1] + return ap.eventHandler.HVP(x, y) + case "h": + return ap.hDispatch(params) + case "l": + return ap.lDispatch(params) + case "m": + return ap.eventHandler.SGR(getInts(params, 1, 0)) + case "r": + ints := getInts(params, 2, 1) + top, bottom := ints[0], ints[1] + return ap.eventHandler.DECSTBM(top, bottom) + default: + ap.logf("ERROR: Unsupported CSI command: '%s', with full context: %v", cmd, ap.context) + return nil + } + +} + +func (ap *AnsiParser) print() error { + return ap.eventHandler.Print(ap.context.currentChar) +} + +func (ap *AnsiParser) clear() error { + ap.context = &ansiContext{} + return nil +} + +func (ap *AnsiParser) execute() error { + return ap.eventHandler.Execute(ap.context.currentChar) +} diff --git a/vendor/github.com/Azure/go-ansiterm/states.go b/vendor/github.com/Azure/go-ansiterm/states.go new file mode 100644 index 0000000000..f2ea1fcd12 --- /dev/null +++ b/vendor/github.com/Azure/go-ansiterm/states.go @@ -0,0 +1,71 @@ +package ansiterm + +type stateID int + +type state interface { + Enter() error + Exit() error + Handle(byte) (state, error) + Name() string + Transition(state) error +} + +type baseState struct { + name string + parser *AnsiParser +} + +func (base baseState) Enter() error { + return nil +} + +func (base baseState) Exit() error { + return nil +} + +func (base baseState) Handle(b byte) (s state, e error) { + + switch { + case b == CSI_ENTRY: + return base.parser.csiEntry, nil + case b == DCS_ENTRY: + return base.parser.dcsEntry, nil + case b == ANSI_ESCAPE_PRIMARY: + return base.parser.escape, nil + case b == OSC_STRING: + return base.parser.oscString, nil + case sliceContains(toGroundBytes, b): + return base.parser.ground, nil + } + + return nil, nil +} + +func (base baseState) Name() string { + return base.name +} + +func (base baseState) Transition(s state) error { + if s == base.parser.ground { + execBytes := []byte{0x18} + execBytes = append(execBytes, 0x1A) + execBytes = append(execBytes, getByteRange(0x80, 0x8F)...) + execBytes = append(execBytes, getByteRange(0x91, 0x97)...) + execBytes = append(execBytes, 0x99) + execBytes = append(execBytes, 0x9A) + + if sliceContains(execBytes, base.parser.context.currentChar) { + return base.parser.execute() + } + } + + return nil +} + +type dcsEntryState struct { + baseState +} + +type errorState struct { + baseState +} diff --git a/vendor/github.com/Azure/go-ansiterm/utilities.go b/vendor/github.com/Azure/go-ansiterm/utilities.go new file mode 100644 index 0000000000..392114493a --- /dev/null +++ b/vendor/github.com/Azure/go-ansiterm/utilities.go @@ -0,0 +1,21 @@ +package ansiterm + +import ( + "strconv" +) + +func sliceContains(bytes []byte, b byte) bool { + for _, v := range bytes { + if v == b { + return true + } + } + + return false +} + +func convertBytesToInteger(bytes []byte) int { + s := string(bytes) + i, _ := strconv.Atoi(s) + return i +} diff --git a/vendor/github.com/Azure/go-ansiterm/winterm/ansi.go b/vendor/github.com/Azure/go-ansiterm/winterm/ansi.go new file mode 100644 index 0000000000..5599082ae9 --- /dev/null +++ b/vendor/github.com/Azure/go-ansiterm/winterm/ansi.go @@ -0,0 +1,196 @@ +// +build windows + +package winterm + +import ( + "fmt" + "os" + "strconv" + "strings" + "syscall" + + "github.com/Azure/go-ansiterm" + windows "golang.org/x/sys/windows" +) + +// Windows keyboard constants +// See https://msdn.microsoft.com/en-us/library/windows/desktop/dd375731(v=vs.85).aspx. +const ( + VK_PRIOR = 0x21 // PAGE UP key + VK_NEXT = 0x22 // PAGE DOWN key + VK_END = 0x23 // END key + VK_HOME = 0x24 // HOME key + VK_LEFT = 0x25 // LEFT ARROW key + VK_UP = 0x26 // UP ARROW key + VK_RIGHT = 0x27 // RIGHT ARROW key + VK_DOWN = 0x28 // DOWN ARROW key + VK_SELECT = 0x29 // SELECT key + VK_PRINT = 0x2A // PRINT key + VK_EXECUTE = 0x2B // EXECUTE key + VK_SNAPSHOT = 0x2C // PRINT SCREEN key + VK_INSERT = 0x2D // INS key + VK_DELETE = 0x2E // DEL key + VK_HELP = 0x2F // HELP key + VK_F1 = 0x70 // F1 key + VK_F2 = 0x71 // F2 key + VK_F3 = 0x72 // F3 key + VK_F4 = 0x73 // F4 key + VK_F5 = 0x74 // F5 key + VK_F6 = 0x75 // F6 key + VK_F7 = 0x76 // F7 key + VK_F8 = 0x77 // F8 key + VK_F9 = 0x78 // F9 key + VK_F10 = 0x79 // F10 key + VK_F11 = 0x7A // F11 key + VK_F12 = 0x7B // F12 key + + RIGHT_ALT_PRESSED = 0x0001 + LEFT_ALT_PRESSED = 0x0002 + RIGHT_CTRL_PRESSED = 0x0004 + LEFT_CTRL_PRESSED = 0x0008 + SHIFT_PRESSED = 0x0010 + NUMLOCK_ON = 0x0020 + SCROLLLOCK_ON = 0x0040 + CAPSLOCK_ON = 0x0080 + ENHANCED_KEY = 0x0100 +) + +type ansiCommand struct { + CommandBytes []byte + Command string + Parameters []string + IsSpecial bool +} + +func newAnsiCommand(command []byte) *ansiCommand { + + if isCharacterSelectionCmdChar(command[1]) { + // Is Character Set Selection commands + return &ansiCommand{ + CommandBytes: command, + Command: string(command), + IsSpecial: true, + } + } + + // last char is command character + lastCharIndex := len(command) - 1 + + ac := &ansiCommand{ + CommandBytes: command, + Command: string(command[lastCharIndex]), + IsSpecial: false, + } + + // more than a single escape + if lastCharIndex != 0 { + start := 1 + // skip if double char escape sequence + if command[0] == ansiterm.ANSI_ESCAPE_PRIMARY && command[1] == ansiterm.ANSI_ESCAPE_SECONDARY { + start++ + } + // convert this to GetNextParam method + ac.Parameters = strings.Split(string(command[start:lastCharIndex]), ansiterm.ANSI_PARAMETER_SEP) + } + + return ac +} + +func (ac *ansiCommand) paramAsSHORT(index int, defaultValue int16) int16 { + if index < 0 || index >= len(ac.Parameters) { + return defaultValue + } + + param, err := strconv.ParseInt(ac.Parameters[index], 10, 16) + if err != nil { + return defaultValue + } + + return int16(param) +} + +func (ac *ansiCommand) String() string { + return fmt.Sprintf("0x%v \"%v\" (\"%v\")", + bytesToHex(ac.CommandBytes), + ac.Command, + strings.Join(ac.Parameters, "\",\"")) +} + +// isAnsiCommandChar returns true if the passed byte falls within the range of ANSI commands. +// See http://manpages.ubuntu.com/manpages/intrepid/man4/console_codes.4.html. +func isAnsiCommandChar(b byte) bool { + switch { + case ansiterm.ANSI_COMMAND_FIRST <= b && b <= ansiterm.ANSI_COMMAND_LAST && b != ansiterm.ANSI_ESCAPE_SECONDARY: + return true + case b == ansiterm.ANSI_CMD_G1 || b == ansiterm.ANSI_CMD_OSC || b == ansiterm.ANSI_CMD_DECPAM || b == ansiterm.ANSI_CMD_DECPNM: + // non-CSI escape sequence terminator + return true + case b == ansiterm.ANSI_CMD_STR_TERM || b == ansiterm.ANSI_BEL: + // String escape sequence terminator + return true + } + return false +} + +func isXtermOscSequence(command []byte, current byte) bool { + return (len(command) >= 2 && command[0] == ansiterm.ANSI_ESCAPE_PRIMARY && command[1] == ansiterm.ANSI_CMD_OSC && current != ansiterm.ANSI_BEL) +} + +func isCharacterSelectionCmdChar(b byte) bool { + return (b == ansiterm.ANSI_CMD_G0 || b == ansiterm.ANSI_CMD_G1 || b == ansiterm.ANSI_CMD_G2 || b == ansiterm.ANSI_CMD_G3) +} + +// bytesToHex converts a slice of bytes to a human-readable string. +func bytesToHex(b []byte) string { + hex := make([]string, len(b)) + for i, ch := range b { + hex[i] = fmt.Sprintf("%X", ch) + } + return strings.Join(hex, "") +} + +// ensureInRange adjusts the passed value, if necessary, to ensure it is within +// the passed min / max range. +func ensureInRange(n int16, min int16, max int16) int16 { + if n < min { + return min + } else if n > max { + return max + } else { + return n + } +} + +func GetStdFile(nFile int) (*os.File, uintptr) { + var file *os.File + + // syscall uses negative numbers + // windows package uses very big uint32 + // Keep these switches split so we don't have to convert ints too much. + switch uint32(nFile) { + case windows.STD_INPUT_HANDLE: + file = os.Stdin + case windows.STD_OUTPUT_HANDLE: + file = os.Stdout + case windows.STD_ERROR_HANDLE: + file = os.Stderr + default: + switch nFile { + case syscall.STD_INPUT_HANDLE: + file = os.Stdin + case syscall.STD_OUTPUT_HANDLE: + file = os.Stdout + case syscall.STD_ERROR_HANDLE: + file = os.Stderr + default: + panic(fmt.Errorf("Invalid standard handle identifier: %v", nFile)) + } + } + + fd, err := syscall.GetStdHandle(nFile) + if err != nil { + panic(fmt.Errorf("Invalid standard handle identifier: %v -- %v", nFile, err)) + } + + return file, uintptr(fd) +} diff --git a/vendor/github.com/Azure/go-ansiterm/winterm/api.go b/vendor/github.com/Azure/go-ansiterm/winterm/api.go new file mode 100644 index 0000000000..6055e33b91 --- /dev/null +++ b/vendor/github.com/Azure/go-ansiterm/winterm/api.go @@ -0,0 +1,327 @@ +// +build windows + +package winterm + +import ( + "fmt" + "syscall" + "unsafe" +) + +//=========================================================================================================== +// IMPORTANT NOTE: +// +// The methods below make extensive use of the "unsafe" package to obtain the required pointers. +// Beginning in Go 1.3, the garbage collector may release local variables (e.g., incoming arguments, stack +// variables) the pointers reference *before* the API completes. +// +// As a result, in those cases, the code must hint that the variables remain in active by invoking the +// dummy method "use" (see below). Newer versions of Go are planned to change the mechanism to no longer +// require unsafe pointers. +// +// If you add or modify methods, ENSURE protection of local variables through the "use" builtin to inform +// the garbage collector the variables remain in use if: +// +// -- The value is not a pointer (e.g., int32, struct) +// -- The value is not referenced by the method after passing the pointer to Windows +// +// See http://golang.org/doc/go1.3. +//=========================================================================================================== + +var ( + kernel32DLL = syscall.NewLazyDLL("kernel32.dll") + + getConsoleCursorInfoProc = kernel32DLL.NewProc("GetConsoleCursorInfo") + setConsoleCursorInfoProc = kernel32DLL.NewProc("SetConsoleCursorInfo") + setConsoleCursorPositionProc = kernel32DLL.NewProc("SetConsoleCursorPosition") + setConsoleModeProc = kernel32DLL.NewProc("SetConsoleMode") + getConsoleScreenBufferInfoProc = kernel32DLL.NewProc("GetConsoleScreenBufferInfo") + setConsoleScreenBufferSizeProc = kernel32DLL.NewProc("SetConsoleScreenBufferSize") + scrollConsoleScreenBufferProc = kernel32DLL.NewProc("ScrollConsoleScreenBufferA") + setConsoleTextAttributeProc = kernel32DLL.NewProc("SetConsoleTextAttribute") + setConsoleWindowInfoProc = kernel32DLL.NewProc("SetConsoleWindowInfo") + writeConsoleOutputProc = kernel32DLL.NewProc("WriteConsoleOutputW") + readConsoleInputProc = kernel32DLL.NewProc("ReadConsoleInputW") + waitForSingleObjectProc = kernel32DLL.NewProc("WaitForSingleObject") +) + +// Windows Console constants +const ( + // Console modes + // See https://msdn.microsoft.com/en-us/library/windows/desktop/ms686033(v=vs.85).aspx. + ENABLE_PROCESSED_INPUT = 0x0001 + ENABLE_LINE_INPUT = 0x0002 + ENABLE_ECHO_INPUT = 0x0004 + ENABLE_WINDOW_INPUT = 0x0008 + ENABLE_MOUSE_INPUT = 0x0010 + ENABLE_INSERT_MODE = 0x0020 + ENABLE_QUICK_EDIT_MODE = 0x0040 + ENABLE_EXTENDED_FLAGS = 0x0080 + ENABLE_AUTO_POSITION = 0x0100 + ENABLE_VIRTUAL_TERMINAL_INPUT = 0x0200 + + ENABLE_PROCESSED_OUTPUT = 0x0001 + ENABLE_WRAP_AT_EOL_OUTPUT = 0x0002 + ENABLE_VIRTUAL_TERMINAL_PROCESSING = 0x0004 + DISABLE_NEWLINE_AUTO_RETURN = 0x0008 + ENABLE_LVB_GRID_WORLDWIDE = 0x0010 + + // Character attributes + // Note: + // -- The attributes are combined to produce various colors (e.g., Blue + Green will create Cyan). + // Clearing all foreground or background colors results in black; setting all creates white. + // See https://msdn.microsoft.com/en-us/library/windows/desktop/ms682088(v=vs.85).aspx#_win32_character_attributes. + FOREGROUND_BLUE uint16 = 0x0001 + FOREGROUND_GREEN uint16 = 0x0002 + FOREGROUND_RED uint16 = 0x0004 + FOREGROUND_INTENSITY uint16 = 0x0008 + FOREGROUND_MASK uint16 = 0x000F + + BACKGROUND_BLUE uint16 = 0x0010 + BACKGROUND_GREEN uint16 = 0x0020 + BACKGROUND_RED uint16 = 0x0040 + BACKGROUND_INTENSITY uint16 = 0x0080 + BACKGROUND_MASK uint16 = 0x00F0 + + COMMON_LVB_MASK uint16 = 0xFF00 + COMMON_LVB_REVERSE_VIDEO uint16 = 0x4000 + COMMON_LVB_UNDERSCORE uint16 = 0x8000 + + // Input event types + // See https://msdn.microsoft.com/en-us/library/windows/desktop/ms683499(v=vs.85).aspx. + KEY_EVENT = 0x0001 + MOUSE_EVENT = 0x0002 + WINDOW_BUFFER_SIZE_EVENT = 0x0004 + MENU_EVENT = 0x0008 + FOCUS_EVENT = 0x0010 + + // WaitForSingleObject return codes + WAIT_ABANDONED = 0x00000080 + WAIT_FAILED = 0xFFFFFFFF + WAIT_SIGNALED = 0x0000000 + WAIT_TIMEOUT = 0x00000102 + + // WaitForSingleObject wait duration + WAIT_INFINITE = 0xFFFFFFFF + WAIT_ONE_SECOND = 1000 + WAIT_HALF_SECOND = 500 + WAIT_QUARTER_SECOND = 250 +) + +// Windows API Console types +// -- See https://msdn.microsoft.com/en-us/library/windows/desktop/ms682101(v=vs.85).aspx for Console specific types (e.g., COORD) +// -- See https://msdn.microsoft.com/en-us/library/aa296569(v=vs.60).aspx for comments on alignment +type ( + CHAR_INFO struct { + UnicodeChar uint16 + Attributes uint16 + } + + CONSOLE_CURSOR_INFO struct { + Size uint32 + Visible int32 + } + + CONSOLE_SCREEN_BUFFER_INFO struct { + Size COORD + CursorPosition COORD + Attributes uint16 + Window SMALL_RECT + MaximumWindowSize COORD + } + + COORD struct { + X int16 + Y int16 + } + + SMALL_RECT struct { + Left int16 + Top int16 + Right int16 + Bottom int16 + } + + // INPUT_RECORD is a C/C++ union of which KEY_EVENT_RECORD is one case, it is also the largest + // See https://msdn.microsoft.com/en-us/library/windows/desktop/ms683499(v=vs.85).aspx. + INPUT_RECORD struct { + EventType uint16 + KeyEvent KEY_EVENT_RECORD + } + + KEY_EVENT_RECORD struct { + KeyDown int32 + RepeatCount uint16 + VirtualKeyCode uint16 + VirtualScanCode uint16 + UnicodeChar uint16 + ControlKeyState uint32 + } + + WINDOW_BUFFER_SIZE struct { + Size COORD + } +) + +// boolToBOOL converts a Go bool into a Windows int32. +func boolToBOOL(f bool) int32 { + if f { + return int32(1) + } else { + return int32(0) + } +} + +// GetConsoleCursorInfo retrieves information about the size and visiblity of the console cursor. +// See https://msdn.microsoft.com/en-us/library/windows/desktop/ms683163(v=vs.85).aspx. +func GetConsoleCursorInfo(handle uintptr, cursorInfo *CONSOLE_CURSOR_INFO) error { + r1, r2, err := getConsoleCursorInfoProc.Call(handle, uintptr(unsafe.Pointer(cursorInfo)), 0) + return checkError(r1, r2, err) +} + +// SetConsoleCursorInfo sets the size and visiblity of the console cursor. +// See https://msdn.microsoft.com/en-us/library/windows/desktop/ms686019(v=vs.85).aspx. +func SetConsoleCursorInfo(handle uintptr, cursorInfo *CONSOLE_CURSOR_INFO) error { + r1, r2, err := setConsoleCursorInfoProc.Call(handle, uintptr(unsafe.Pointer(cursorInfo)), 0) + return checkError(r1, r2, err) +} + +// SetConsoleCursorPosition location of the console cursor. +// See https://msdn.microsoft.com/en-us/library/windows/desktop/ms686025(v=vs.85).aspx. +func SetConsoleCursorPosition(handle uintptr, coord COORD) error { + r1, r2, err := setConsoleCursorPositionProc.Call(handle, coordToPointer(coord)) + use(coord) + return checkError(r1, r2, err) +} + +// GetConsoleMode gets the console mode for given file descriptor +// See http://msdn.microsoft.com/en-us/library/windows/desktop/ms683167(v=vs.85).aspx. +func GetConsoleMode(handle uintptr) (mode uint32, err error) { + err = syscall.GetConsoleMode(syscall.Handle(handle), &mode) + return mode, err +} + +// SetConsoleMode sets the console mode for given file descriptor +// See http://msdn.microsoft.com/en-us/library/windows/desktop/ms686033(v=vs.85).aspx. +func SetConsoleMode(handle uintptr, mode uint32) error { + r1, r2, err := setConsoleModeProc.Call(handle, uintptr(mode), 0) + use(mode) + return checkError(r1, r2, err) +} + +// GetConsoleScreenBufferInfo retrieves information about the specified console screen buffer. +// See http://msdn.microsoft.com/en-us/library/windows/desktop/ms683171(v=vs.85).aspx. +func GetConsoleScreenBufferInfo(handle uintptr) (*CONSOLE_SCREEN_BUFFER_INFO, error) { + info := CONSOLE_SCREEN_BUFFER_INFO{} + err := checkError(getConsoleScreenBufferInfoProc.Call(handle, uintptr(unsafe.Pointer(&info)), 0)) + if err != nil { + return nil, err + } + return &info, nil +} + +func ScrollConsoleScreenBuffer(handle uintptr, scrollRect SMALL_RECT, clipRect SMALL_RECT, destOrigin COORD, char CHAR_INFO) error { + r1, r2, err := scrollConsoleScreenBufferProc.Call(handle, uintptr(unsafe.Pointer(&scrollRect)), uintptr(unsafe.Pointer(&clipRect)), coordToPointer(destOrigin), uintptr(unsafe.Pointer(&char))) + use(scrollRect) + use(clipRect) + use(destOrigin) + use(char) + return checkError(r1, r2, err) +} + +// SetConsoleScreenBufferSize sets the size of the console screen buffer. +// See https://msdn.microsoft.com/en-us/library/windows/desktop/ms686044(v=vs.85).aspx. +func SetConsoleScreenBufferSize(handle uintptr, coord COORD) error { + r1, r2, err := setConsoleScreenBufferSizeProc.Call(handle, coordToPointer(coord)) + use(coord) + return checkError(r1, r2, err) +} + +// SetConsoleTextAttribute sets the attributes of characters written to the +// console screen buffer by the WriteFile or WriteConsole function. +// See http://msdn.microsoft.com/en-us/library/windows/desktop/ms686047(v=vs.85).aspx. +func SetConsoleTextAttribute(handle uintptr, attribute uint16) error { + r1, r2, err := setConsoleTextAttributeProc.Call(handle, uintptr(attribute), 0) + use(attribute) + return checkError(r1, r2, err) +} + +// SetConsoleWindowInfo sets the size and position of the console screen buffer's window. +// Note that the size and location must be within and no larger than the backing console screen buffer. +// See https://msdn.microsoft.com/en-us/library/windows/desktop/ms686125(v=vs.85).aspx. +func SetConsoleWindowInfo(handle uintptr, isAbsolute bool, rect SMALL_RECT) error { + r1, r2, err := setConsoleWindowInfoProc.Call(handle, uintptr(boolToBOOL(isAbsolute)), uintptr(unsafe.Pointer(&rect))) + use(isAbsolute) + use(rect) + return checkError(r1, r2, err) +} + +// WriteConsoleOutput writes the CHAR_INFOs from the provided buffer to the active console buffer. +// See https://msdn.microsoft.com/en-us/library/windows/desktop/ms687404(v=vs.85).aspx. +func WriteConsoleOutput(handle uintptr, buffer []CHAR_INFO, bufferSize COORD, bufferCoord COORD, writeRegion *SMALL_RECT) error { + r1, r2, err := writeConsoleOutputProc.Call(handle, uintptr(unsafe.Pointer(&buffer[0])), coordToPointer(bufferSize), coordToPointer(bufferCoord), uintptr(unsafe.Pointer(writeRegion))) + use(buffer) + use(bufferSize) + use(bufferCoord) + return checkError(r1, r2, err) +} + +// ReadConsoleInput reads (and removes) data from the console input buffer. +// See https://msdn.microsoft.com/en-us/library/windows/desktop/ms684961(v=vs.85).aspx. +func ReadConsoleInput(handle uintptr, buffer []INPUT_RECORD, count *uint32) error { + r1, r2, err := readConsoleInputProc.Call(handle, uintptr(unsafe.Pointer(&buffer[0])), uintptr(len(buffer)), uintptr(unsafe.Pointer(count))) + use(buffer) + return checkError(r1, r2, err) +} + +// WaitForSingleObject waits for the passed handle to be signaled. +// It returns true if the handle was signaled; false otherwise. +// See https://msdn.microsoft.com/en-us/library/windows/desktop/ms687032(v=vs.85).aspx. +func WaitForSingleObject(handle uintptr, msWait uint32) (bool, error) { + r1, _, err := waitForSingleObjectProc.Call(handle, uintptr(uint32(msWait))) + switch r1 { + case WAIT_ABANDONED, WAIT_TIMEOUT: + return false, nil + case WAIT_SIGNALED: + return true, nil + } + use(msWait) + return false, err +} + +// String helpers +func (info CONSOLE_SCREEN_BUFFER_INFO) String() string { + return fmt.Sprintf("Size(%v) Cursor(%v) Window(%v) Max(%v)", info.Size, info.CursorPosition, info.Window, info.MaximumWindowSize) +} + +func (coord COORD) String() string { + return fmt.Sprintf("%v,%v", coord.X, coord.Y) +} + +func (rect SMALL_RECT) String() string { + return fmt.Sprintf("(%v,%v),(%v,%v)", rect.Left, rect.Top, rect.Right, rect.Bottom) +} + +// checkError evaluates the results of a Windows API call and returns the error if it failed. +func checkError(r1, r2 uintptr, err error) error { + // Windows APIs return non-zero to indicate success + if r1 != 0 { + return nil + } + + // Return the error if provided, otherwise default to EINVAL + if err != nil { + return err + } + return syscall.EINVAL +} + +// coordToPointer converts a COORD into a uintptr (by fooling the type system). +func coordToPointer(c COORD) uintptr { + // Note: This code assumes the two SHORTs are correctly laid out; the "cast" to uint32 is just to get a pointer to pass. + return uintptr(*((*uint32)(unsafe.Pointer(&c)))) +} + +// use is a no-op, but the compiler cannot see that it is. +// Calling use(p) ensures that p is kept live until that point. +func use(p interface{}) {} diff --git a/vendor/github.com/Azure/go-ansiterm/winterm/attr_translation.go b/vendor/github.com/Azure/go-ansiterm/winterm/attr_translation.go new file mode 100644 index 0000000000..cbec8f728f --- /dev/null +++ b/vendor/github.com/Azure/go-ansiterm/winterm/attr_translation.go @@ -0,0 +1,100 @@ +// +build windows + +package winterm + +import "github.com/Azure/go-ansiterm" + +const ( + FOREGROUND_COLOR_MASK = FOREGROUND_RED | FOREGROUND_GREEN | FOREGROUND_BLUE + BACKGROUND_COLOR_MASK = BACKGROUND_RED | BACKGROUND_GREEN | BACKGROUND_BLUE +) + +// collectAnsiIntoWindowsAttributes modifies the passed Windows text mode flags to reflect the +// request represented by the passed ANSI mode. +func collectAnsiIntoWindowsAttributes(windowsMode uint16, inverted bool, baseMode uint16, ansiMode int16) (uint16, bool) { + switch ansiMode { + + // Mode styles + case ansiterm.ANSI_SGR_BOLD: + windowsMode = windowsMode | FOREGROUND_INTENSITY + + case ansiterm.ANSI_SGR_DIM, ansiterm.ANSI_SGR_BOLD_DIM_OFF: + windowsMode &^= FOREGROUND_INTENSITY + + case ansiterm.ANSI_SGR_UNDERLINE: + windowsMode = windowsMode | COMMON_LVB_UNDERSCORE + + case ansiterm.ANSI_SGR_REVERSE: + inverted = true + + case ansiterm.ANSI_SGR_REVERSE_OFF: + inverted = false + + case ansiterm.ANSI_SGR_UNDERLINE_OFF: + windowsMode &^= COMMON_LVB_UNDERSCORE + + // Foreground colors + case ansiterm.ANSI_SGR_FOREGROUND_DEFAULT: + windowsMode = (windowsMode &^ FOREGROUND_MASK) | (baseMode & FOREGROUND_MASK) + + case ansiterm.ANSI_SGR_FOREGROUND_BLACK: + windowsMode = (windowsMode &^ FOREGROUND_COLOR_MASK) + + case ansiterm.ANSI_SGR_FOREGROUND_RED: + windowsMode = (windowsMode &^ FOREGROUND_COLOR_MASK) | FOREGROUND_RED + + case ansiterm.ANSI_SGR_FOREGROUND_GREEN: + windowsMode = (windowsMode &^ FOREGROUND_COLOR_MASK) | FOREGROUND_GREEN + + case ansiterm.ANSI_SGR_FOREGROUND_YELLOW: + windowsMode = (windowsMode &^ FOREGROUND_COLOR_MASK) | FOREGROUND_RED | FOREGROUND_GREEN + + case ansiterm.ANSI_SGR_FOREGROUND_BLUE: + windowsMode = (windowsMode &^ FOREGROUND_COLOR_MASK) | FOREGROUND_BLUE + + case ansiterm.ANSI_SGR_FOREGROUND_MAGENTA: + windowsMode = (windowsMode &^ FOREGROUND_COLOR_MASK) | FOREGROUND_RED | FOREGROUND_BLUE + + case ansiterm.ANSI_SGR_FOREGROUND_CYAN: + windowsMode = (windowsMode &^ FOREGROUND_COLOR_MASK) | FOREGROUND_GREEN | FOREGROUND_BLUE + + case ansiterm.ANSI_SGR_FOREGROUND_WHITE: + windowsMode = (windowsMode &^ FOREGROUND_COLOR_MASK) | FOREGROUND_RED | FOREGROUND_GREEN | FOREGROUND_BLUE + + // Background colors + case ansiterm.ANSI_SGR_BACKGROUND_DEFAULT: + // Black with no intensity + windowsMode = (windowsMode &^ BACKGROUND_MASK) | (baseMode & BACKGROUND_MASK) + + case ansiterm.ANSI_SGR_BACKGROUND_BLACK: + windowsMode = (windowsMode &^ BACKGROUND_COLOR_MASK) + + case ansiterm.ANSI_SGR_BACKGROUND_RED: + windowsMode = (windowsMode &^ BACKGROUND_COLOR_MASK) | BACKGROUND_RED + + case ansiterm.ANSI_SGR_BACKGROUND_GREEN: + windowsMode = (windowsMode &^ BACKGROUND_COLOR_MASK) | BACKGROUND_GREEN + + case ansiterm.ANSI_SGR_BACKGROUND_YELLOW: + windowsMode = (windowsMode &^ BACKGROUND_COLOR_MASK) | BACKGROUND_RED | BACKGROUND_GREEN + + case ansiterm.ANSI_SGR_BACKGROUND_BLUE: + windowsMode = (windowsMode &^ BACKGROUND_COLOR_MASK) | BACKGROUND_BLUE + + case ansiterm.ANSI_SGR_BACKGROUND_MAGENTA: + windowsMode = (windowsMode &^ BACKGROUND_COLOR_MASK) | BACKGROUND_RED | BACKGROUND_BLUE + + case ansiterm.ANSI_SGR_BACKGROUND_CYAN: + windowsMode = (windowsMode &^ BACKGROUND_COLOR_MASK) | BACKGROUND_GREEN | BACKGROUND_BLUE + + case ansiterm.ANSI_SGR_BACKGROUND_WHITE: + windowsMode = (windowsMode &^ BACKGROUND_COLOR_MASK) | BACKGROUND_RED | BACKGROUND_GREEN | BACKGROUND_BLUE + } + + return windowsMode, inverted +} + +// invertAttributes inverts the foreground and background colors of a Windows attributes value +func invertAttributes(windowsMode uint16) uint16 { + return (COMMON_LVB_MASK & windowsMode) | ((FOREGROUND_MASK & windowsMode) << 4) | ((BACKGROUND_MASK & windowsMode) >> 4) +} diff --git a/vendor/github.com/Azure/go-ansiterm/winterm/cursor_helpers.go b/vendor/github.com/Azure/go-ansiterm/winterm/cursor_helpers.go new file mode 100644 index 0000000000..3ee06ea728 --- /dev/null +++ b/vendor/github.com/Azure/go-ansiterm/winterm/cursor_helpers.go @@ -0,0 +1,101 @@ +// +build windows + +package winterm + +const ( + horizontal = iota + vertical +) + +func (h *windowsAnsiEventHandler) getCursorWindow(info *CONSOLE_SCREEN_BUFFER_INFO) SMALL_RECT { + if h.originMode { + sr := h.effectiveSr(info.Window) + return SMALL_RECT{ + Top: sr.top, + Bottom: sr.bottom, + Left: 0, + Right: info.Size.X - 1, + } + } else { + return SMALL_RECT{ + Top: info.Window.Top, + Bottom: info.Window.Bottom, + Left: 0, + Right: info.Size.X - 1, + } + } +} + +// setCursorPosition sets the cursor to the specified position, bounded to the screen size +func (h *windowsAnsiEventHandler) setCursorPosition(position COORD, window SMALL_RECT) error { + position.X = ensureInRange(position.X, window.Left, window.Right) + position.Y = ensureInRange(position.Y, window.Top, window.Bottom) + err := SetConsoleCursorPosition(h.fd, position) + if err != nil { + return err + } + h.logf("Cursor position set: (%d, %d)", position.X, position.Y) + return err +} + +func (h *windowsAnsiEventHandler) moveCursorVertical(param int) error { + return h.moveCursor(vertical, param) +} + +func (h *windowsAnsiEventHandler) moveCursorHorizontal(param int) error { + return h.moveCursor(horizontal, param) +} + +func (h *windowsAnsiEventHandler) moveCursor(moveMode int, param int) error { + info, err := GetConsoleScreenBufferInfo(h.fd) + if err != nil { + return err + } + + position := info.CursorPosition + switch moveMode { + case horizontal: + position.X += int16(param) + case vertical: + position.Y += int16(param) + } + + if err = h.setCursorPosition(position, h.getCursorWindow(info)); err != nil { + return err + } + + return nil +} + +func (h *windowsAnsiEventHandler) moveCursorLine(param int) error { + info, err := GetConsoleScreenBufferInfo(h.fd) + if err != nil { + return err + } + + position := info.CursorPosition + position.X = 0 + position.Y += int16(param) + + if err = h.setCursorPosition(position, h.getCursorWindow(info)); err != nil { + return err + } + + return nil +} + +func (h *windowsAnsiEventHandler) moveCursorColumn(param int) error { + info, err := GetConsoleScreenBufferInfo(h.fd) + if err != nil { + return err + } + + position := info.CursorPosition + position.X = int16(param) - 1 + + if err = h.setCursorPosition(position, h.getCursorWindow(info)); err != nil { + return err + } + + return nil +} diff --git a/vendor/github.com/Azure/go-ansiterm/winterm/erase_helpers.go b/vendor/github.com/Azure/go-ansiterm/winterm/erase_helpers.go new file mode 100644 index 0000000000..244b5fa25e --- /dev/null +++ b/vendor/github.com/Azure/go-ansiterm/winterm/erase_helpers.go @@ -0,0 +1,84 @@ +// +build windows + +package winterm + +import "github.com/Azure/go-ansiterm" + +func (h *windowsAnsiEventHandler) clearRange(attributes uint16, fromCoord COORD, toCoord COORD) error { + // Ignore an invalid (negative area) request + if toCoord.Y < fromCoord.Y { + return nil + } + + var err error + + var coordStart = COORD{} + var coordEnd = COORD{} + + xCurrent, yCurrent := fromCoord.X, fromCoord.Y + xEnd, yEnd := toCoord.X, toCoord.Y + + // Clear any partial initial line + if xCurrent > 0 { + coordStart.X, coordStart.Y = xCurrent, yCurrent + coordEnd.X, coordEnd.Y = xEnd, yCurrent + + err = h.clearRect(attributes, coordStart, coordEnd) + if err != nil { + return err + } + + xCurrent = 0 + yCurrent += 1 + } + + // Clear intervening rectangular section + if yCurrent < yEnd { + coordStart.X, coordStart.Y = xCurrent, yCurrent + coordEnd.X, coordEnd.Y = xEnd, yEnd-1 + + err = h.clearRect(attributes, coordStart, coordEnd) + if err != nil { + return err + } + + xCurrent = 0 + yCurrent = yEnd + } + + // Clear remaining partial ending line + coordStart.X, coordStart.Y = xCurrent, yCurrent + coordEnd.X, coordEnd.Y = xEnd, yEnd + + err = h.clearRect(attributes, coordStart, coordEnd) + if err != nil { + return err + } + + return nil +} + +func (h *windowsAnsiEventHandler) clearRect(attributes uint16, fromCoord COORD, toCoord COORD) error { + region := SMALL_RECT{Top: fromCoord.Y, Left: fromCoord.X, Bottom: toCoord.Y, Right: toCoord.X} + width := toCoord.X - fromCoord.X + 1 + height := toCoord.Y - fromCoord.Y + 1 + size := uint32(width) * uint32(height) + + if size <= 0 { + return nil + } + + buffer := make([]CHAR_INFO, size) + + char := CHAR_INFO{ansiterm.FILL_CHARACTER, attributes} + for i := 0; i < int(size); i++ { + buffer[i] = char + } + + err := WriteConsoleOutput(h.fd, buffer, COORD{X: width, Y: height}, COORD{X: 0, Y: 0}, ®ion) + if err != nil { + return err + } + + return nil +} diff --git a/vendor/github.com/Azure/go-ansiterm/winterm/scroll_helper.go b/vendor/github.com/Azure/go-ansiterm/winterm/scroll_helper.go new file mode 100644 index 0000000000..2d27fa1d02 --- /dev/null +++ b/vendor/github.com/Azure/go-ansiterm/winterm/scroll_helper.go @@ -0,0 +1,118 @@ +// +build windows + +package winterm + +// effectiveSr gets the current effective scroll region in buffer coordinates +func (h *windowsAnsiEventHandler) effectiveSr(window SMALL_RECT) scrollRegion { + top := addInRange(window.Top, h.sr.top, window.Top, window.Bottom) + bottom := addInRange(window.Top, h.sr.bottom, window.Top, window.Bottom) + if top >= bottom { + top = window.Top + bottom = window.Bottom + } + return scrollRegion{top: top, bottom: bottom} +} + +func (h *windowsAnsiEventHandler) scrollUp(param int) error { + info, err := GetConsoleScreenBufferInfo(h.fd) + if err != nil { + return err + } + + sr := h.effectiveSr(info.Window) + return h.scroll(param, sr, info) +} + +func (h *windowsAnsiEventHandler) scrollDown(param int) error { + return h.scrollUp(-param) +} + +func (h *windowsAnsiEventHandler) deleteLines(param int) error { + info, err := GetConsoleScreenBufferInfo(h.fd) + if err != nil { + return err + } + + start := info.CursorPosition.Y + sr := h.effectiveSr(info.Window) + // Lines cannot be inserted or deleted outside the scrolling region. + if start >= sr.top && start <= sr.bottom { + sr.top = start + return h.scroll(param, sr, info) + } else { + return nil + } +} + +func (h *windowsAnsiEventHandler) insertLines(param int) error { + return h.deleteLines(-param) +} + +// scroll scrolls the provided scroll region by param lines. The scroll region is in buffer coordinates. +func (h *windowsAnsiEventHandler) scroll(param int, sr scrollRegion, info *CONSOLE_SCREEN_BUFFER_INFO) error { + h.logf("scroll: scrollTop: %d, scrollBottom: %d", sr.top, sr.bottom) + h.logf("scroll: windowTop: %d, windowBottom: %d", info.Window.Top, info.Window.Bottom) + + // Copy from and clip to the scroll region (full buffer width) + scrollRect := SMALL_RECT{ + Top: sr.top, + Bottom: sr.bottom, + Left: 0, + Right: info.Size.X - 1, + } + + // Origin to which area should be copied + destOrigin := COORD{ + X: 0, + Y: sr.top - int16(param), + } + + char := CHAR_INFO{ + UnicodeChar: ' ', + Attributes: h.attributes, + } + + if err := ScrollConsoleScreenBuffer(h.fd, scrollRect, scrollRect, destOrigin, char); err != nil { + return err + } + return nil +} + +func (h *windowsAnsiEventHandler) deleteCharacters(param int) error { + info, err := GetConsoleScreenBufferInfo(h.fd) + if err != nil { + return err + } + return h.scrollLine(param, info.CursorPosition, info) +} + +func (h *windowsAnsiEventHandler) insertCharacters(param int) error { + return h.deleteCharacters(-param) +} + +// scrollLine scrolls a line horizontally starting at the provided position by a number of columns. +func (h *windowsAnsiEventHandler) scrollLine(columns int, position COORD, info *CONSOLE_SCREEN_BUFFER_INFO) error { + // Copy from and clip to the scroll region (full buffer width) + scrollRect := SMALL_RECT{ + Top: position.Y, + Bottom: position.Y, + Left: position.X, + Right: info.Size.X - 1, + } + + // Origin to which area should be copied + destOrigin := COORD{ + X: position.X - int16(columns), + Y: position.Y, + } + + char := CHAR_INFO{ + UnicodeChar: ' ', + Attributes: h.attributes, + } + + if err := ScrollConsoleScreenBuffer(h.fd, scrollRect, scrollRect, destOrigin, char); err != nil { + return err + } + return nil +} diff --git a/vendor/github.com/Azure/go-ansiterm/winterm/utilities.go b/vendor/github.com/Azure/go-ansiterm/winterm/utilities.go new file mode 100644 index 0000000000..afa7635d77 --- /dev/null +++ b/vendor/github.com/Azure/go-ansiterm/winterm/utilities.go @@ -0,0 +1,9 @@ +// +build windows + +package winterm + +// AddInRange increments a value by the passed quantity while ensuring the values +// always remain within the supplied min / max range. +func addInRange(n int16, increment int16, min int16, max int16) int16 { + return ensureInRange(n+increment, min, max) +} diff --git a/vendor/github.com/Azure/go-ansiterm/winterm/win_event_handler.go b/vendor/github.com/Azure/go-ansiterm/winterm/win_event_handler.go new file mode 100644 index 0000000000..2d40fb75ad --- /dev/null +++ b/vendor/github.com/Azure/go-ansiterm/winterm/win_event_handler.go @@ -0,0 +1,743 @@ +// +build windows + +package winterm + +import ( + "bytes" + "log" + "os" + "strconv" + + "github.com/Azure/go-ansiterm" +) + +type windowsAnsiEventHandler struct { + fd uintptr + file *os.File + infoReset *CONSOLE_SCREEN_BUFFER_INFO + sr scrollRegion + buffer bytes.Buffer + attributes uint16 + inverted bool + wrapNext bool + drewMarginByte bool + originMode bool + marginByte byte + curInfo *CONSOLE_SCREEN_BUFFER_INFO + curPos COORD + logf func(string, ...interface{}) +} + +type Option func(*windowsAnsiEventHandler) + +func WithLogf(f func(string, ...interface{})) Option { + return func(w *windowsAnsiEventHandler) { + w.logf = f + } +} + +func CreateWinEventHandler(fd uintptr, file *os.File, opts ...Option) ansiterm.AnsiEventHandler { + infoReset, err := GetConsoleScreenBufferInfo(fd) + if err != nil { + return nil + } + + h := &windowsAnsiEventHandler{ + fd: fd, + file: file, + infoReset: infoReset, + attributes: infoReset.Attributes, + } + for _, o := range opts { + o(h) + } + + if isDebugEnv := os.Getenv(ansiterm.LogEnv); isDebugEnv == "1" { + logFile, _ := os.Create("winEventHandler.log") + logger := log.New(logFile, "", log.LstdFlags) + if h.logf != nil { + l := h.logf + h.logf = func(s string, v ...interface{}) { + l(s, v...) + logger.Printf(s, v...) + } + } else { + h.logf = logger.Printf + } + } + + if h.logf == nil { + h.logf = func(string, ...interface{}) {} + } + + return h +} + +type scrollRegion struct { + top int16 + bottom int16 +} + +// simulateLF simulates a LF or CR+LF by scrolling if necessary to handle the +// current cursor position and scroll region settings, in which case it returns +// true. If no special handling is necessary, then it does nothing and returns +// false. +// +// In the false case, the caller should ensure that a carriage return +// and line feed are inserted or that the text is otherwise wrapped. +func (h *windowsAnsiEventHandler) simulateLF(includeCR bool) (bool, error) { + if h.wrapNext { + if err := h.Flush(); err != nil { + return false, err + } + h.clearWrap() + } + pos, info, err := h.getCurrentInfo() + if err != nil { + return false, err + } + sr := h.effectiveSr(info.Window) + if pos.Y == sr.bottom { + // Scrolling is necessary. Let Windows automatically scroll if the scrolling region + // is the full window. + if sr.top == info.Window.Top && sr.bottom == info.Window.Bottom { + if includeCR { + pos.X = 0 + h.updatePos(pos) + } + return false, nil + } + + // A custom scroll region is active. Scroll the window manually to simulate + // the LF. + if err := h.Flush(); err != nil { + return false, err + } + h.logf("Simulating LF inside scroll region") + if err := h.scrollUp(1); err != nil { + return false, err + } + if includeCR { + pos.X = 0 + if err := SetConsoleCursorPosition(h.fd, pos); err != nil { + return false, err + } + } + return true, nil + + } else if pos.Y < info.Window.Bottom { + // Let Windows handle the LF. + pos.Y++ + if includeCR { + pos.X = 0 + } + h.updatePos(pos) + return false, nil + } else { + // The cursor is at the bottom of the screen but outside the scroll + // region. Skip the LF. + h.logf("Simulating LF outside scroll region") + if includeCR { + if err := h.Flush(); err != nil { + return false, err + } + pos.X = 0 + if err := SetConsoleCursorPosition(h.fd, pos); err != nil { + return false, err + } + } + return true, nil + } +} + +// executeLF executes a LF without a CR. +func (h *windowsAnsiEventHandler) executeLF() error { + handled, err := h.simulateLF(false) + if err != nil { + return err + } + if !handled { + // Windows LF will reset the cursor column position. Write the LF + // and restore the cursor position. + pos, _, err := h.getCurrentInfo() + if err != nil { + return err + } + h.buffer.WriteByte(ansiterm.ANSI_LINE_FEED) + if pos.X != 0 { + if err := h.Flush(); err != nil { + return err + } + h.logf("Resetting cursor position for LF without CR") + if err := SetConsoleCursorPosition(h.fd, pos); err != nil { + return err + } + } + } + return nil +} + +func (h *windowsAnsiEventHandler) Print(b byte) error { + if h.wrapNext { + h.buffer.WriteByte(h.marginByte) + h.clearWrap() + if _, err := h.simulateLF(true); err != nil { + return err + } + } + pos, info, err := h.getCurrentInfo() + if err != nil { + return err + } + if pos.X == info.Size.X-1 { + h.wrapNext = true + h.marginByte = b + } else { + pos.X++ + h.updatePos(pos) + h.buffer.WriteByte(b) + } + return nil +} + +func (h *windowsAnsiEventHandler) Execute(b byte) error { + switch b { + case ansiterm.ANSI_TAB: + h.logf("Execute(TAB)") + // Move to the next tab stop, but preserve auto-wrap if already set. + if !h.wrapNext { + pos, info, err := h.getCurrentInfo() + if err != nil { + return err + } + pos.X = (pos.X + 8) - pos.X%8 + if pos.X >= info.Size.X { + pos.X = info.Size.X - 1 + } + if err := h.Flush(); err != nil { + return err + } + if err := SetConsoleCursorPosition(h.fd, pos); err != nil { + return err + } + } + return nil + + case ansiterm.ANSI_BEL: + h.buffer.WriteByte(ansiterm.ANSI_BEL) + return nil + + case ansiterm.ANSI_BACKSPACE: + if h.wrapNext { + if err := h.Flush(); err != nil { + return err + } + h.clearWrap() + } + pos, _, err := h.getCurrentInfo() + if err != nil { + return err + } + if pos.X > 0 { + pos.X-- + h.updatePos(pos) + h.buffer.WriteByte(ansiterm.ANSI_BACKSPACE) + } + return nil + + case ansiterm.ANSI_VERTICAL_TAB, ansiterm.ANSI_FORM_FEED: + // Treat as true LF. + return h.executeLF() + + case ansiterm.ANSI_LINE_FEED: + // Simulate a CR and LF for now since there is no way in go-ansiterm + // to tell if the LF should include CR (and more things break when it's + // missing than when it's incorrectly added). + handled, err := h.simulateLF(true) + if handled || err != nil { + return err + } + return h.buffer.WriteByte(ansiterm.ANSI_LINE_FEED) + + case ansiterm.ANSI_CARRIAGE_RETURN: + if h.wrapNext { + if err := h.Flush(); err != nil { + return err + } + h.clearWrap() + } + pos, _, err := h.getCurrentInfo() + if err != nil { + return err + } + if pos.X != 0 { + pos.X = 0 + h.updatePos(pos) + h.buffer.WriteByte(ansiterm.ANSI_CARRIAGE_RETURN) + } + return nil + + default: + return nil + } +} + +func (h *windowsAnsiEventHandler) CUU(param int) error { + if err := h.Flush(); err != nil { + return err + } + h.logf("CUU: [%v]", []string{strconv.Itoa(param)}) + h.clearWrap() + return h.moveCursorVertical(-param) +} + +func (h *windowsAnsiEventHandler) CUD(param int) error { + if err := h.Flush(); err != nil { + return err + } + h.logf("CUD: [%v]", []string{strconv.Itoa(param)}) + h.clearWrap() + return h.moveCursorVertical(param) +} + +func (h *windowsAnsiEventHandler) CUF(param int) error { + if err := h.Flush(); err != nil { + return err + } + h.logf("CUF: [%v]", []string{strconv.Itoa(param)}) + h.clearWrap() + return h.moveCursorHorizontal(param) +} + +func (h *windowsAnsiEventHandler) CUB(param int) error { + if err := h.Flush(); err != nil { + return err + } + h.logf("CUB: [%v]", []string{strconv.Itoa(param)}) + h.clearWrap() + return h.moveCursorHorizontal(-param) +} + +func (h *windowsAnsiEventHandler) CNL(param int) error { + if err := h.Flush(); err != nil { + return err + } + h.logf("CNL: [%v]", []string{strconv.Itoa(param)}) + h.clearWrap() + return h.moveCursorLine(param) +} + +func (h *windowsAnsiEventHandler) CPL(param int) error { + if err := h.Flush(); err != nil { + return err + } + h.logf("CPL: [%v]", []string{strconv.Itoa(param)}) + h.clearWrap() + return h.moveCursorLine(-param) +} + +func (h *windowsAnsiEventHandler) CHA(param int) error { + if err := h.Flush(); err != nil { + return err + } + h.logf("CHA: [%v]", []string{strconv.Itoa(param)}) + h.clearWrap() + return h.moveCursorColumn(param) +} + +func (h *windowsAnsiEventHandler) VPA(param int) error { + if err := h.Flush(); err != nil { + return err + } + h.logf("VPA: [[%d]]", param) + h.clearWrap() + info, err := GetConsoleScreenBufferInfo(h.fd) + if err != nil { + return err + } + window := h.getCursorWindow(info) + position := info.CursorPosition + position.Y = window.Top + int16(param) - 1 + return h.setCursorPosition(position, window) +} + +func (h *windowsAnsiEventHandler) CUP(row int, col int) error { + if err := h.Flush(); err != nil { + return err + } + h.logf("CUP: [[%d %d]]", row, col) + h.clearWrap() + info, err := GetConsoleScreenBufferInfo(h.fd) + if err != nil { + return err + } + + window := h.getCursorWindow(info) + position := COORD{window.Left + int16(col) - 1, window.Top + int16(row) - 1} + return h.setCursorPosition(position, window) +} + +func (h *windowsAnsiEventHandler) HVP(row int, col int) error { + if err := h.Flush(); err != nil { + return err + } + h.logf("HVP: [[%d %d]]", row, col) + h.clearWrap() + return h.CUP(row, col) +} + +func (h *windowsAnsiEventHandler) DECTCEM(visible bool) error { + if err := h.Flush(); err != nil { + return err + } + h.logf("DECTCEM: [%v]", []string{strconv.FormatBool(visible)}) + h.clearWrap() + return nil +} + +func (h *windowsAnsiEventHandler) DECOM(enable bool) error { + if err := h.Flush(); err != nil { + return err + } + h.logf("DECOM: [%v]", []string{strconv.FormatBool(enable)}) + h.clearWrap() + h.originMode = enable + return h.CUP(1, 1) +} + +func (h *windowsAnsiEventHandler) DECCOLM(use132 bool) error { + if err := h.Flush(); err != nil { + return err + } + h.logf("DECCOLM: [%v]", []string{strconv.FormatBool(use132)}) + h.clearWrap() + if err := h.ED(2); err != nil { + return err + } + info, err := GetConsoleScreenBufferInfo(h.fd) + if err != nil { + return err + } + targetWidth := int16(80) + if use132 { + targetWidth = 132 + } + if info.Size.X < targetWidth { + if err := SetConsoleScreenBufferSize(h.fd, COORD{targetWidth, info.Size.Y}); err != nil { + h.logf("set buffer failed: %v", err) + return err + } + } + window := info.Window + window.Left = 0 + window.Right = targetWidth - 1 + if err := SetConsoleWindowInfo(h.fd, true, window); err != nil { + h.logf("set window failed: %v", err) + return err + } + if info.Size.X > targetWidth { + if err := SetConsoleScreenBufferSize(h.fd, COORD{targetWidth, info.Size.Y}); err != nil { + h.logf("set buffer failed: %v", err) + return err + } + } + return SetConsoleCursorPosition(h.fd, COORD{0, 0}) +} + +func (h *windowsAnsiEventHandler) ED(param int) error { + if err := h.Flush(); err != nil { + return err + } + h.logf("ED: [%v]", []string{strconv.Itoa(param)}) + h.clearWrap() + + // [J -- Erases from the cursor to the end of the screen, including the cursor position. + // [1J -- Erases from the beginning of the screen to the cursor, including the cursor position. + // [2J -- Erases the complete display. The cursor does not move. + // Notes: + // -- Clearing the entire buffer, versus just the Window, works best for Windows Consoles + + info, err := GetConsoleScreenBufferInfo(h.fd) + if err != nil { + return err + } + + var start COORD + var end COORD + + switch param { + case 0: + start = info.CursorPosition + end = COORD{info.Size.X - 1, info.Size.Y - 1} + + case 1: + start = COORD{0, 0} + end = info.CursorPosition + + case 2: + start = COORD{0, 0} + end = COORD{info.Size.X - 1, info.Size.Y - 1} + } + + err = h.clearRange(h.attributes, start, end) + if err != nil { + return err + } + + // If the whole buffer was cleared, move the window to the top while preserving + // the window-relative cursor position. + if param == 2 { + pos := info.CursorPosition + window := info.Window + pos.Y -= window.Top + window.Bottom -= window.Top + window.Top = 0 + if err := SetConsoleCursorPosition(h.fd, pos); err != nil { + return err + } + if err := SetConsoleWindowInfo(h.fd, true, window); err != nil { + return err + } + } + + return nil +} + +func (h *windowsAnsiEventHandler) EL(param int) error { + if err := h.Flush(); err != nil { + return err + } + h.logf("EL: [%v]", strconv.Itoa(param)) + h.clearWrap() + + // [K -- Erases from the cursor to the end of the line, including the cursor position. + // [1K -- Erases from the beginning of the line to the cursor, including the cursor position. + // [2K -- Erases the complete line. + + info, err := GetConsoleScreenBufferInfo(h.fd) + if err != nil { + return err + } + + var start COORD + var end COORD + + switch param { + case 0: + start = info.CursorPosition + end = COORD{info.Size.X, info.CursorPosition.Y} + + case 1: + start = COORD{0, info.CursorPosition.Y} + end = info.CursorPosition + + case 2: + start = COORD{0, info.CursorPosition.Y} + end = COORD{info.Size.X, info.CursorPosition.Y} + } + + err = h.clearRange(h.attributes, start, end) + if err != nil { + return err + } + + return nil +} + +func (h *windowsAnsiEventHandler) IL(param int) error { + if err := h.Flush(); err != nil { + return err + } + h.logf("IL: [%v]", strconv.Itoa(param)) + h.clearWrap() + return h.insertLines(param) +} + +func (h *windowsAnsiEventHandler) DL(param int) error { + if err := h.Flush(); err != nil { + return err + } + h.logf("DL: [%v]", strconv.Itoa(param)) + h.clearWrap() + return h.deleteLines(param) +} + +func (h *windowsAnsiEventHandler) ICH(param int) error { + if err := h.Flush(); err != nil { + return err + } + h.logf("ICH: [%v]", strconv.Itoa(param)) + h.clearWrap() + return h.insertCharacters(param) +} + +func (h *windowsAnsiEventHandler) DCH(param int) error { + if err := h.Flush(); err != nil { + return err + } + h.logf("DCH: [%v]", strconv.Itoa(param)) + h.clearWrap() + return h.deleteCharacters(param) +} + +func (h *windowsAnsiEventHandler) SGR(params []int) error { + if err := h.Flush(); err != nil { + return err + } + strings := []string{} + for _, v := range params { + strings = append(strings, strconv.Itoa(v)) + } + + h.logf("SGR: [%v]", strings) + + if len(params) <= 0 { + h.attributes = h.infoReset.Attributes + h.inverted = false + } else { + for _, attr := range params { + + if attr == ansiterm.ANSI_SGR_RESET { + h.attributes = h.infoReset.Attributes + h.inverted = false + continue + } + + h.attributes, h.inverted = collectAnsiIntoWindowsAttributes(h.attributes, h.inverted, h.infoReset.Attributes, int16(attr)) + } + } + + attributes := h.attributes + if h.inverted { + attributes = invertAttributes(attributes) + } + err := SetConsoleTextAttribute(h.fd, attributes) + if err != nil { + return err + } + + return nil +} + +func (h *windowsAnsiEventHandler) SU(param int) error { + if err := h.Flush(); err != nil { + return err + } + h.logf("SU: [%v]", []string{strconv.Itoa(param)}) + h.clearWrap() + return h.scrollUp(param) +} + +func (h *windowsAnsiEventHandler) SD(param int) error { + if err := h.Flush(); err != nil { + return err + } + h.logf("SD: [%v]", []string{strconv.Itoa(param)}) + h.clearWrap() + return h.scrollDown(param) +} + +func (h *windowsAnsiEventHandler) DA(params []string) error { + h.logf("DA: [%v]", params) + // DA cannot be implemented because it must send data on the VT100 input stream, + // which is not available to go-ansiterm. + return nil +} + +func (h *windowsAnsiEventHandler) DECSTBM(top int, bottom int) error { + if err := h.Flush(); err != nil { + return err + } + h.logf("DECSTBM: [%d, %d]", top, bottom) + + // Windows is 0 indexed, Linux is 1 indexed + h.sr.top = int16(top - 1) + h.sr.bottom = int16(bottom - 1) + + // This command also moves the cursor to the origin. + h.clearWrap() + return h.CUP(1, 1) +} + +func (h *windowsAnsiEventHandler) RI() error { + if err := h.Flush(); err != nil { + return err + } + h.logf("RI: []") + h.clearWrap() + + info, err := GetConsoleScreenBufferInfo(h.fd) + if err != nil { + return err + } + + sr := h.effectiveSr(info.Window) + if info.CursorPosition.Y == sr.top { + return h.scrollDown(1) + } + + return h.moveCursorVertical(-1) +} + +func (h *windowsAnsiEventHandler) IND() error { + h.logf("IND: []") + return h.executeLF() +} + +func (h *windowsAnsiEventHandler) Flush() error { + h.curInfo = nil + if h.buffer.Len() > 0 { + h.logf("Flush: [%s]", h.buffer.Bytes()) + if _, err := h.buffer.WriteTo(h.file); err != nil { + return err + } + } + + if h.wrapNext && !h.drewMarginByte { + h.logf("Flush: drawing margin byte '%c'", h.marginByte) + + info, err := GetConsoleScreenBufferInfo(h.fd) + if err != nil { + return err + } + + charInfo := []CHAR_INFO{{UnicodeChar: uint16(h.marginByte), Attributes: info.Attributes}} + size := COORD{1, 1} + position := COORD{0, 0} + region := SMALL_RECT{Left: info.CursorPosition.X, Top: info.CursorPosition.Y, Right: info.CursorPosition.X, Bottom: info.CursorPosition.Y} + if err := WriteConsoleOutput(h.fd, charInfo, size, position, ®ion); err != nil { + return err + } + h.drewMarginByte = true + } + return nil +} + +// cacheConsoleInfo ensures that the current console screen information has been queried +// since the last call to Flush(). It must be called before accessing h.curInfo or h.curPos. +func (h *windowsAnsiEventHandler) getCurrentInfo() (COORD, *CONSOLE_SCREEN_BUFFER_INFO, error) { + if h.curInfo == nil { + info, err := GetConsoleScreenBufferInfo(h.fd) + if err != nil { + return COORD{}, nil, err + } + h.curInfo = info + h.curPos = info.CursorPosition + } + return h.curPos, h.curInfo, nil +} + +func (h *windowsAnsiEventHandler) updatePos(pos COORD) { + if h.curInfo == nil { + panic("failed to call getCurrentInfo before calling updatePos") + } + h.curPos = pos +} + +// clearWrap clears the state where the cursor is in the margin +// waiting for the next character before wrapping the line. This must +// be done before most operations that act on the cursor. +func (h *windowsAnsiEventHandler) clearWrap() { + h.wrapNext = false + h.drewMarginByte = false +} diff --git a/vendor/github.com/BurntSushi/toml/.gitignore b/vendor/github.com/BurntSushi/toml/.gitignore new file mode 100644 index 0000000000..fe79e3adda --- /dev/null +++ b/vendor/github.com/BurntSushi/toml/.gitignore @@ -0,0 +1,2 @@ +/toml.test +/toml-test diff --git a/vendor/github.com/BurntSushi/toml/COPYING b/vendor/github.com/BurntSushi/toml/COPYING new file mode 100644 index 0000000000..01b5743200 --- /dev/null +++ b/vendor/github.com/BurntSushi/toml/COPYING @@ -0,0 +1,21 @@ +The MIT License (MIT) + +Copyright (c) 2013 TOML authors + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE. diff --git a/vendor/github.com/BurntSushi/toml/README.md b/vendor/github.com/BurntSushi/toml/README.md new file mode 100644 index 0000000000..235496eeb2 --- /dev/null +++ b/vendor/github.com/BurntSushi/toml/README.md @@ -0,0 +1,120 @@ +TOML stands for Tom's Obvious, Minimal Language. This Go package provides a +reflection interface similar to Go's standard library `json` and `xml` packages. + +Compatible with TOML version [v1.0.0](https://toml.io/en/v1.0.0). + +Documentation: https://pkg.go.dev/github.com/BurntSushi/toml + +See the [releases page](https://github.com/BurntSushi/toml/releases) for a +changelog; this information is also in the git tag annotations (e.g. `git show +v0.4.0`). + +This library requires Go 1.18 or newer; add it to your go.mod with: + + % go get github.com/BurntSushi/toml@latest + +It also comes with a TOML validator CLI tool: + + % go install github.com/BurntSushi/toml/cmd/tomlv@latest + % tomlv some-toml-file.toml + +### Examples +For the simplest example, consider some TOML file as just a list of keys and +values: + +```toml +Age = 25 +Cats = [ "Cauchy", "Plato" ] +Pi = 3.14 +Perfection = [ 6, 28, 496, 8128 ] +DOB = 1987-07-05T05:45:00Z +``` + +Which can be decoded with: + +```go +type Config struct { + Age int + Cats []string + Pi float64 + Perfection []int + DOB time.Time +} + +var conf Config +_, err := toml.Decode(tomlData, &conf) +``` + +You can also use struct tags if your struct field name doesn't map to a TOML key +value directly: + +```toml +some_key_NAME = "wat" +``` + +```go +type TOML struct { + ObscureKey string `toml:"some_key_NAME"` +} +``` + +Beware that like other decoders **only exported fields** are considered when +encoding and decoding; private fields are silently ignored. + +### Using the `Marshaler` and `encoding.TextUnmarshaler` interfaces +Here's an example that automatically parses values in a `mail.Address`: + +```toml +contacts = [ + "Donald Duck ", + "Scrooge McDuck ", +] +``` + +Can be decoded with: + +```go +// Create address type which satisfies the encoding.TextUnmarshaler interface. +type address struct { + *mail.Address +} + +func (a *address) UnmarshalText(text []byte) error { + var err error + a.Address, err = mail.ParseAddress(string(text)) + return err +} + +// Decode it. +func decode() { + blob := ` + contacts = [ + "Donald Duck ", + "Scrooge McDuck ", + ] + ` + + var contacts struct { + Contacts []address + } + + _, err := toml.Decode(blob, &contacts) + if err != nil { + log.Fatal(err) + } + + for _, c := range contacts.Contacts { + fmt.Printf("%#v\n", c.Address) + } + + // Output: + // &mail.Address{Name:"Donald Duck", Address:"donald@duckburg.com"} + // &mail.Address{Name:"Scrooge McDuck", Address:"scrooge@duckburg.com"} +} +``` + +To target TOML specifically you can implement `UnmarshalTOML` TOML interface in +a similar way. + +### More complex usage +See the [`_example/`](/_example) directory for a more complex example. diff --git a/vendor/github.com/BurntSushi/toml/decode.go b/vendor/github.com/BurntSushi/toml/decode.go new file mode 100644 index 0000000000..3fa516caa2 --- /dev/null +++ b/vendor/github.com/BurntSushi/toml/decode.go @@ -0,0 +1,638 @@ +package toml + +import ( + "bytes" + "encoding" + "encoding/json" + "fmt" + "io" + "io/fs" + "math" + "os" + "reflect" + "strconv" + "strings" + "time" +) + +// Unmarshaler is the interface implemented by objects that can unmarshal a +// TOML description of themselves. +type Unmarshaler interface { + UnmarshalTOML(any) error +} + +// Unmarshal decodes the contents of data in TOML format into a pointer v. +// +// See [Decoder] for a description of the decoding process. +func Unmarshal(data []byte, v any) error { + _, err := NewDecoder(bytes.NewReader(data)).Decode(v) + return err +} + +// Decode the TOML data in to the pointer v. +// +// See [Decoder] for a description of the decoding process. +func Decode(data string, v any) (MetaData, error) { + return NewDecoder(strings.NewReader(data)).Decode(v) +} + +// DecodeFile reads the contents of a file and decodes it with [Decode]. +func DecodeFile(path string, v any) (MetaData, error) { + fp, err := os.Open(path) + if err != nil { + return MetaData{}, err + } + defer fp.Close() + return NewDecoder(fp).Decode(v) +} + +// DecodeFS reads the contents of a file from [fs.FS] and decodes it with +// [Decode]. +func DecodeFS(fsys fs.FS, path string, v any) (MetaData, error) { + fp, err := fsys.Open(path) + if err != nil { + return MetaData{}, err + } + defer fp.Close() + return NewDecoder(fp).Decode(v) +} + +// Primitive is a TOML value that hasn't been decoded into a Go value. +// +// This type can be used for any value, which will cause decoding to be delayed. +// You can use [PrimitiveDecode] to "manually" decode these values. +// +// NOTE: The underlying representation of a `Primitive` value is subject to +// change. Do not rely on it. +// +// NOTE: Primitive values are still parsed, so using them will only avoid the +// overhead of reflection. They can be useful when you don't know the exact type +// of TOML data until runtime. +type Primitive struct { + undecoded any + context Key +} + +// The significand precision for float32 and float64 is 24 and 53 bits; this is +// the range a natural number can be stored in a float without loss of data. +const ( + maxSafeFloat32Int = 16777215 // 2^24-1 + maxSafeFloat64Int = int64(9007199254740991) // 2^53-1 +) + +// Decoder decodes TOML data. +// +// TOML tables correspond to Go structs or maps; they can be used +// interchangeably, but structs offer better type safety. +// +// TOML table arrays correspond to either a slice of structs or a slice of maps. +// +// TOML datetimes correspond to [time.Time]. Local datetimes are parsed in the +// local timezone. +// +// [time.Duration] types are treated as nanoseconds if the TOML value is an +// integer, or they're parsed with time.ParseDuration() if they're strings. +// +// All other TOML types (float, string, int, bool and array) correspond to the +// obvious Go types. +// +// An exception to the above rules is if a type implements the TextUnmarshaler +// interface, in which case any primitive TOML value (floats, strings, integers, +// booleans, datetimes) will be converted to a []byte and given to the value's +// UnmarshalText method. See the Unmarshaler example for a demonstration with +// email addresses. +// +// # Key mapping +// +// TOML keys can map to either keys in a Go map or field names in a Go struct. +// The special `toml` struct tag can be used to map TOML keys to struct fields +// that don't match the key name exactly (see the example). A case insensitive +// match to struct names will be tried if an exact match can't be found. +// +// The mapping between TOML values and Go values is loose. That is, there may +// exist TOML values that cannot be placed into your representation, and there +// may be parts of your representation that do not correspond to TOML values. +// This loose mapping can be made stricter by using the IsDefined and/or +// Undecoded methods on the MetaData returned. +// +// This decoder does not handle cyclic types. Decode will not terminate if a +// cyclic type is passed. +type Decoder struct { + r io.Reader +} + +// NewDecoder creates a new Decoder. +func NewDecoder(r io.Reader) *Decoder { + return &Decoder{r: r} +} + +var ( + unmarshalToml = reflect.TypeOf((*Unmarshaler)(nil)).Elem() + unmarshalText = reflect.TypeOf((*encoding.TextUnmarshaler)(nil)).Elem() + primitiveType = reflect.TypeOf((*Primitive)(nil)).Elem() +) + +// Decode TOML data in to the pointer `v`. +func (dec *Decoder) Decode(v any) (MetaData, error) { + rv := reflect.ValueOf(v) + if rv.Kind() != reflect.Ptr { + s := "%q" + if reflect.TypeOf(v) == nil { + s = "%v" + } + + return MetaData{}, fmt.Errorf("toml: cannot decode to non-pointer "+s, reflect.TypeOf(v)) + } + if rv.IsNil() { + return MetaData{}, fmt.Errorf("toml: cannot decode to nil value of %q", reflect.TypeOf(v)) + } + + // Check if this is a supported type: struct, map, any, or something that + // implements UnmarshalTOML or UnmarshalText. + rv = indirect(rv) + rt := rv.Type() + if rv.Kind() != reflect.Struct && rv.Kind() != reflect.Map && + !(rv.Kind() == reflect.Interface && rv.NumMethod() == 0) && + !rt.Implements(unmarshalToml) && !rt.Implements(unmarshalText) { + return MetaData{}, fmt.Errorf("toml: cannot decode to type %s", rt) + } + + // TODO: parser should read from io.Reader? Or at the very least, make it + // read from []byte rather than string + data, err := io.ReadAll(dec.r) + if err != nil { + return MetaData{}, err + } + + p, err := parse(string(data)) + if err != nil { + return MetaData{}, err + } + + md := MetaData{ + mapping: p.mapping, + keyInfo: p.keyInfo, + keys: p.ordered, + decoded: make(map[string]struct{}, len(p.ordered)), + context: nil, + data: data, + } + return md, md.unify(p.mapping, rv) +} + +// PrimitiveDecode is just like the other Decode* functions, except it decodes a +// TOML value that has already been parsed. Valid primitive values can *only* be +// obtained from values filled by the decoder functions, including this method. +// (i.e., v may contain more [Primitive] values.) +// +// Meta data for primitive values is included in the meta data returned by the +// Decode* functions with one exception: keys returned by the Undecoded method +// will only reflect keys that were decoded. Namely, any keys hidden behind a +// Primitive will be considered undecoded. Executing this method will update the +// undecoded keys in the meta data. (See the example.) +func (md *MetaData) PrimitiveDecode(primValue Primitive, v any) error { + md.context = primValue.context + defer func() { md.context = nil }() + return md.unify(primValue.undecoded, rvalue(v)) +} + +// markDecodedRecursive is a helper to mark any key under the given tmap as +// decoded, recursing as needed +func markDecodedRecursive(md *MetaData, tmap map[string]any) { + for key := range tmap { + md.decoded[md.context.add(key).String()] = struct{}{} + if tmap, ok := tmap[key].(map[string]any); ok { + md.context = append(md.context, key) + markDecodedRecursive(md, tmap) + md.context = md.context[0 : len(md.context)-1] + } + } +} + +// unify performs a sort of type unification based on the structure of `rv`, +// which is the client representation. +// +// Any type mismatch produces an error. Finding a type that we don't know +// how to handle produces an unsupported type error. +func (md *MetaData) unify(data any, rv reflect.Value) error { + // Special case. Look for a `Primitive` value. + // TODO: #76 would make this superfluous after implemented. + if rv.Type() == primitiveType { + // Save the undecoded data and the key context into the primitive + // value. + context := make(Key, len(md.context)) + copy(context, md.context) + rv.Set(reflect.ValueOf(Primitive{ + undecoded: data, + context: context, + })) + return nil + } + + rvi := rv.Interface() + if v, ok := rvi.(Unmarshaler); ok { + err := v.UnmarshalTOML(data) + if err != nil { + return md.parseErr(err) + } + // Assume the Unmarshaler decoded everything, so mark all keys under + // this table as decoded. + if tmap, ok := data.(map[string]any); ok { + markDecodedRecursive(md, tmap) + } + if aot, ok := data.([]map[string]any); ok { + for _, tmap := range aot { + markDecodedRecursive(md, tmap) + } + } + return nil + } + if v, ok := rvi.(encoding.TextUnmarshaler); ok { + return md.unifyText(data, v) + } + + // TODO: + // The behavior here is incorrect whenever a Go type satisfies the + // encoding.TextUnmarshaler interface but also corresponds to a TOML hash or + // array. In particular, the unmarshaler should only be applied to primitive + // TOML values. But at this point, it will be applied to all kinds of values + // and produce an incorrect error whenever those values are hashes or arrays + // (including arrays of tables). + + k := rv.Kind() + + if k >= reflect.Int && k <= reflect.Uint64 { + return md.unifyInt(data, rv) + } + switch k { + case reflect.Struct: + return md.unifyStruct(data, rv) + case reflect.Map: + return md.unifyMap(data, rv) + case reflect.Array: + return md.unifyArray(data, rv) + case reflect.Slice: + return md.unifySlice(data, rv) + case reflect.String: + return md.unifyString(data, rv) + case reflect.Bool: + return md.unifyBool(data, rv) + case reflect.Interface: + if rv.NumMethod() > 0 { /// Only empty interfaces are supported. + return md.e("unsupported type %s", rv.Type()) + } + return md.unifyAnything(data, rv) + case reflect.Float32, reflect.Float64: + return md.unifyFloat64(data, rv) + } + return md.e("unsupported type %s", rv.Kind()) +} + +func (md *MetaData) unifyStruct(mapping any, rv reflect.Value) error { + tmap, ok := mapping.(map[string]any) + if !ok { + if mapping == nil { + return nil + } + return md.e("type mismatch for %s: expected table but found %s", rv.Type().String(), fmtType(mapping)) + } + + for key, datum := range tmap { + var f *field + fields := cachedTypeFields(rv.Type()) + for i := range fields { + ff := &fields[i] + if ff.name == key { + f = ff + break + } + if f == nil && strings.EqualFold(ff.name, key) { + f = ff + } + } + if f != nil { + subv := rv + for _, i := range f.index { + subv = indirect(subv.Field(i)) + } + + if isUnifiable(subv) { + md.decoded[md.context.add(key).String()] = struct{}{} + md.context = append(md.context, key) + + err := md.unify(datum, subv) + if err != nil { + return err + } + md.context = md.context[0 : len(md.context)-1] + } else if f.name != "" { + return md.e("cannot write unexported field %s.%s", rv.Type().String(), f.name) + } + } + } + return nil +} + +func (md *MetaData) unifyMap(mapping any, rv reflect.Value) error { + keyType := rv.Type().Key().Kind() + if keyType != reflect.String && keyType != reflect.Interface { + return fmt.Errorf("toml: cannot decode to a map with non-string key type (%s in %q)", + keyType, rv.Type()) + } + + tmap, ok := mapping.(map[string]any) + if !ok { + if tmap == nil { + return nil + } + return md.badtype("map", mapping) + } + if rv.IsNil() { + rv.Set(reflect.MakeMap(rv.Type())) + } + for k, v := range tmap { + md.decoded[md.context.add(k).String()] = struct{}{} + md.context = append(md.context, k) + + rvval := reflect.Indirect(reflect.New(rv.Type().Elem())) + + err := md.unify(v, indirect(rvval)) + if err != nil { + return err + } + md.context = md.context[0 : len(md.context)-1] + + rvkey := indirect(reflect.New(rv.Type().Key())) + + switch keyType { + case reflect.Interface: + rvkey.Set(reflect.ValueOf(k)) + case reflect.String: + rvkey.SetString(k) + } + + rv.SetMapIndex(rvkey, rvval) + } + return nil +} + +func (md *MetaData) unifyArray(data any, rv reflect.Value) error { + datav := reflect.ValueOf(data) + if datav.Kind() != reflect.Slice { + if !datav.IsValid() { + return nil + } + return md.badtype("slice", data) + } + if l := datav.Len(); l != rv.Len() { + return md.e("expected array length %d; got TOML array of length %d", rv.Len(), l) + } + return md.unifySliceArray(datav, rv) +} + +func (md *MetaData) unifySlice(data any, rv reflect.Value) error { + datav := reflect.ValueOf(data) + if datav.Kind() != reflect.Slice { + if !datav.IsValid() { + return nil + } + return md.badtype("slice", data) + } + n := datav.Len() + if rv.IsNil() || rv.Cap() < n { + rv.Set(reflect.MakeSlice(rv.Type(), n, n)) + } + rv.SetLen(n) + return md.unifySliceArray(datav, rv) +} + +func (md *MetaData) unifySliceArray(data, rv reflect.Value) error { + l := data.Len() + for i := 0; i < l; i++ { + err := md.unify(data.Index(i).Interface(), indirect(rv.Index(i))) + if err != nil { + return err + } + } + return nil +} + +func (md *MetaData) unifyString(data any, rv reflect.Value) error { + _, ok := rv.Interface().(json.Number) + if ok { + if i, ok := data.(int64); ok { + rv.SetString(strconv.FormatInt(i, 10)) + } else if f, ok := data.(float64); ok { + rv.SetString(strconv.FormatFloat(f, 'f', -1, 64)) + } else { + return md.badtype("string", data) + } + return nil + } + + if s, ok := data.(string); ok { + rv.SetString(s) + return nil + } + return md.badtype("string", data) +} + +func (md *MetaData) unifyFloat64(data any, rv reflect.Value) error { + rvk := rv.Kind() + + if num, ok := data.(float64); ok { + switch rvk { + case reflect.Float32: + if num < -math.MaxFloat32 || num > math.MaxFloat32 { + return md.parseErr(errParseRange{i: num, size: rvk.String()}) + } + fallthrough + case reflect.Float64: + rv.SetFloat(num) + default: + panic("bug") + } + return nil + } + + if num, ok := data.(int64); ok { + if (rvk == reflect.Float32 && (num < -maxSafeFloat32Int || num > maxSafeFloat32Int)) || + (rvk == reflect.Float64 && (num < -maxSafeFloat64Int || num > maxSafeFloat64Int)) { + return md.parseErr(errUnsafeFloat{i: num, size: rvk.String()}) + } + rv.SetFloat(float64(num)) + return nil + } + + return md.badtype("float", data) +} + +func (md *MetaData) unifyInt(data any, rv reflect.Value) error { + _, ok := rv.Interface().(time.Duration) + if ok { + // Parse as string duration, and fall back to regular integer parsing + // (as nanosecond) if this is not a string. + if s, ok := data.(string); ok { + dur, err := time.ParseDuration(s) + if err != nil { + return md.parseErr(errParseDuration{s}) + } + rv.SetInt(int64(dur)) + return nil + } + } + + num, ok := data.(int64) + if !ok { + return md.badtype("integer", data) + } + + rvk := rv.Kind() + switch { + case rvk >= reflect.Int && rvk <= reflect.Int64: + if (rvk == reflect.Int8 && (num < math.MinInt8 || num > math.MaxInt8)) || + (rvk == reflect.Int16 && (num < math.MinInt16 || num > math.MaxInt16)) || + (rvk == reflect.Int32 && (num < math.MinInt32 || num > math.MaxInt32)) { + return md.parseErr(errParseRange{i: num, size: rvk.String()}) + } + rv.SetInt(num) + case rvk >= reflect.Uint && rvk <= reflect.Uint64: + unum := uint64(num) + if rvk == reflect.Uint8 && (num < 0 || unum > math.MaxUint8) || + rvk == reflect.Uint16 && (num < 0 || unum > math.MaxUint16) || + rvk == reflect.Uint32 && (num < 0 || unum > math.MaxUint32) { + return md.parseErr(errParseRange{i: num, size: rvk.String()}) + } + rv.SetUint(unum) + default: + panic("unreachable") + } + return nil +} + +func (md *MetaData) unifyBool(data any, rv reflect.Value) error { + if b, ok := data.(bool); ok { + rv.SetBool(b) + return nil + } + return md.badtype("boolean", data) +} + +func (md *MetaData) unifyAnything(data any, rv reflect.Value) error { + rv.Set(reflect.ValueOf(data)) + return nil +} + +func (md *MetaData) unifyText(data any, v encoding.TextUnmarshaler) error { + var s string + switch sdata := data.(type) { + case Marshaler: + text, err := sdata.MarshalTOML() + if err != nil { + return err + } + s = string(text) + case encoding.TextMarshaler: + text, err := sdata.MarshalText() + if err != nil { + return err + } + s = string(text) + case fmt.Stringer: + s = sdata.String() + case string: + s = sdata + case bool: + s = fmt.Sprintf("%v", sdata) + case int64: + s = fmt.Sprintf("%d", sdata) + case float64: + s = fmt.Sprintf("%f", sdata) + default: + return md.badtype("primitive (string-like)", data) + } + if err := v.UnmarshalText([]byte(s)); err != nil { + return md.parseErr(err) + } + return nil +} + +func (md *MetaData) badtype(dst string, data any) error { + return md.e("incompatible types: TOML value has type %s; destination has type %s", fmtType(data), dst) +} + +func (md *MetaData) parseErr(err error) error { + k := md.context.String() + d := string(md.data) + return ParseError{ + Message: err.Error(), + err: err, + LastKey: k, + Position: md.keyInfo[k].pos.withCol(d), + Line: md.keyInfo[k].pos.Line, + input: d, + } +} + +func (md *MetaData) e(format string, args ...any) error { + f := "toml: " + if len(md.context) > 0 { + f = fmt.Sprintf("toml: (last key %q): ", md.context) + p := md.keyInfo[md.context.String()].pos + if p.Line > 0 { + f = fmt.Sprintf("toml: line %d (last key %q): ", p.Line, md.context) + } + } + return fmt.Errorf(f+format, args...) +} + +// rvalue returns a reflect.Value of `v`. All pointers are resolved. +func rvalue(v any) reflect.Value { + return indirect(reflect.ValueOf(v)) +} + +// indirect returns the value pointed to by a pointer. +// +// Pointers are followed until the value is not a pointer. New values are +// allocated for each nil pointer. +// +// An exception to this rule is if the value satisfies an interface of interest +// to us (like encoding.TextUnmarshaler). +func indirect(v reflect.Value) reflect.Value { + if v.Kind() != reflect.Ptr { + if v.CanSet() { + pv := v.Addr() + pvi := pv.Interface() + if _, ok := pvi.(encoding.TextUnmarshaler); ok { + return pv + } + if _, ok := pvi.(Unmarshaler); ok { + return pv + } + } + return v + } + if v.IsNil() { + v.Set(reflect.New(v.Type().Elem())) + } + return indirect(reflect.Indirect(v)) +} + +func isUnifiable(rv reflect.Value) bool { + if rv.CanSet() { + return true + } + rvi := rv.Interface() + if _, ok := rvi.(encoding.TextUnmarshaler); ok { + return true + } + if _, ok := rvi.(Unmarshaler); ok { + return true + } + return false +} + +// fmt %T with "interface {}" replaced with "any", which is far more readable. +func fmtType(t any) string { + return strings.ReplaceAll(fmt.Sprintf("%T", t), "interface {}", "any") +} diff --git a/vendor/github.com/BurntSushi/toml/deprecated.go b/vendor/github.com/BurntSushi/toml/deprecated.go new file mode 100644 index 0000000000..155709a80b --- /dev/null +++ b/vendor/github.com/BurntSushi/toml/deprecated.go @@ -0,0 +1,29 @@ +package toml + +import ( + "encoding" + "io" +) + +// TextMarshaler is an alias for encoding.TextMarshaler. +// +// Deprecated: use encoding.TextMarshaler +type TextMarshaler encoding.TextMarshaler + +// TextUnmarshaler is an alias for encoding.TextUnmarshaler. +// +// Deprecated: use encoding.TextUnmarshaler +type TextUnmarshaler encoding.TextUnmarshaler + +// DecodeReader is an alias for NewDecoder(r).Decode(v). +// +// Deprecated: use NewDecoder(reader).Decode(&value). +func DecodeReader(r io.Reader, v any) (MetaData, error) { return NewDecoder(r).Decode(v) } + +// PrimitiveDecode is an alias for MetaData.PrimitiveDecode(). +// +// Deprecated: use MetaData.PrimitiveDecode. +func PrimitiveDecode(primValue Primitive, v any) error { + md := MetaData{decoded: make(map[string]struct{})} + return md.unify(primValue.undecoded, rvalue(v)) +} diff --git a/vendor/github.com/BurntSushi/toml/doc.go b/vendor/github.com/BurntSushi/toml/doc.go new file mode 100644 index 0000000000..82c90a9057 --- /dev/null +++ b/vendor/github.com/BurntSushi/toml/doc.go @@ -0,0 +1,8 @@ +// Package toml implements decoding and encoding of TOML files. +// +// This package supports TOML v1.0.0, as specified at https://toml.io +// +// The github.com/BurntSushi/toml/cmd/tomlv package implements a TOML validator, +// and can be used to verify if TOML document is valid. It can also be used to +// print the type of each key. +package toml diff --git a/vendor/github.com/BurntSushi/toml/encode.go b/vendor/github.com/BurntSushi/toml/encode.go new file mode 100644 index 0000000000..ac196e7df8 --- /dev/null +++ b/vendor/github.com/BurntSushi/toml/encode.go @@ -0,0 +1,776 @@ +package toml + +import ( + "bufio" + "bytes" + "encoding" + "encoding/json" + "errors" + "fmt" + "io" + "math" + "reflect" + "sort" + "strconv" + "strings" + "time" + + "github.com/BurntSushi/toml/internal" +) + +type tomlEncodeError struct{ error } + +var ( + errArrayNilElement = errors.New("toml: cannot encode array with nil element") + errNonString = errors.New("toml: cannot encode a map with non-string key type") + errNoKey = errors.New("toml: top-level values must be Go maps or structs") + errAnything = errors.New("") // used in testing +) + +var dblQuotedReplacer = strings.NewReplacer( + "\"", "\\\"", + "\\", "\\\\", + "\x00", `\u0000`, + "\x01", `\u0001`, + "\x02", `\u0002`, + "\x03", `\u0003`, + "\x04", `\u0004`, + "\x05", `\u0005`, + "\x06", `\u0006`, + "\x07", `\u0007`, + "\b", `\b`, + "\t", `\t`, + "\n", `\n`, + "\x0b", `\u000b`, + "\f", `\f`, + "\r", `\r`, + "\x0e", `\u000e`, + "\x0f", `\u000f`, + "\x10", `\u0010`, + "\x11", `\u0011`, + "\x12", `\u0012`, + "\x13", `\u0013`, + "\x14", `\u0014`, + "\x15", `\u0015`, + "\x16", `\u0016`, + "\x17", `\u0017`, + "\x18", `\u0018`, + "\x19", `\u0019`, + "\x1a", `\u001a`, + "\x1b", `\u001b`, + "\x1c", `\u001c`, + "\x1d", `\u001d`, + "\x1e", `\u001e`, + "\x1f", `\u001f`, + "\x7f", `\u007f`, +) + +var ( + marshalToml = reflect.TypeOf((*Marshaler)(nil)).Elem() + marshalText = reflect.TypeOf((*encoding.TextMarshaler)(nil)).Elem() + timeType = reflect.TypeOf((*time.Time)(nil)).Elem() +) + +// Marshaler is the interface implemented by types that can marshal themselves +// into valid TOML. +type Marshaler interface { + MarshalTOML() ([]byte, error) +} + +// Marshal returns a TOML representation of the Go value. +// +// See [Encoder] for a description of the encoding process. +func Marshal(v any) ([]byte, error) { + buff := new(bytes.Buffer) + if err := NewEncoder(buff).Encode(v); err != nil { + return nil, err + } + return buff.Bytes(), nil +} + +// Encoder encodes a Go to a TOML document. +// +// The mapping between Go values and TOML values should be precisely the same as +// for [Decode]. +// +// time.Time is encoded as a RFC 3339 string, and time.Duration as its string +// representation. +// +// The [Marshaler] and [encoding.TextMarshaler] interfaces are supported to +// encoding the value as custom TOML. +// +// If you want to write arbitrary binary data then you will need to use +// something like base64 since TOML does not have any binary types. +// +// When encoding TOML hashes (Go maps or structs), keys without any sub-hashes +// are encoded first. +// +// Go maps will be sorted alphabetically by key for deterministic output. +// +// The toml struct tag can be used to provide the key name; if omitted the +// struct field name will be used. If the "omitempty" option is present the +// following value will be skipped: +// +// - arrays, slices, maps, and string with len of 0 +// - struct with all zero values +// - bool false +// +// If omitzero is given all int and float types with a value of 0 will be +// skipped. +// +// Encoding Go values without a corresponding TOML representation will return an +// error. Examples of this includes maps with non-string keys, slices with nil +// elements, embedded non-struct types, and nested slices containing maps or +// structs. (e.g. [][]map[string]string is not allowed but []map[string]string +// is okay, as is []map[string][]string). +// +// NOTE: only exported keys are encoded due to the use of reflection. Unexported +// keys are silently discarded. +type Encoder struct { + Indent string // string for a single indentation level; default is two spaces. + hasWritten bool // written any output to w yet? + w *bufio.Writer +} + +// NewEncoder create a new Encoder. +func NewEncoder(w io.Writer) *Encoder { + return &Encoder{w: bufio.NewWriter(w), Indent: " "} +} + +// Encode writes a TOML representation of the Go value to the [Encoder]'s writer. +// +// An error is returned if the value given cannot be encoded to a valid TOML +// document. +func (enc *Encoder) Encode(v any) error { + rv := eindirect(reflect.ValueOf(v)) + err := enc.safeEncode(Key([]string{}), rv) + if err != nil { + return err + } + return enc.w.Flush() +} + +func (enc *Encoder) safeEncode(key Key, rv reflect.Value) (err error) { + defer func() { + if r := recover(); r != nil { + if terr, ok := r.(tomlEncodeError); ok { + err = terr.error + return + } + panic(r) + } + }() + enc.encode(key, rv) + return nil +} + +func (enc *Encoder) encode(key Key, rv reflect.Value) { + // If we can marshal the type to text, then we use that. This prevents the + // encoder for handling these types as generic structs (or whatever the + // underlying type of a TextMarshaler is). + switch { + case isMarshaler(rv): + enc.writeKeyValue(key, rv, false) + return + case rv.Type() == primitiveType: // TODO: #76 would make this superfluous after implemented. + enc.encode(key, reflect.ValueOf(rv.Interface().(Primitive).undecoded)) + return + } + + k := rv.Kind() + switch k { + case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, + reflect.Int64, + reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, + reflect.Uint64, + reflect.Float32, reflect.Float64, reflect.String, reflect.Bool: + enc.writeKeyValue(key, rv, false) + case reflect.Array, reflect.Slice: + if typeEqual(tomlArrayHash, tomlTypeOfGo(rv)) { + enc.eArrayOfTables(key, rv) + } else { + enc.writeKeyValue(key, rv, false) + } + case reflect.Interface: + if rv.IsNil() { + return + } + enc.encode(key, rv.Elem()) + case reflect.Map: + if rv.IsNil() { + return + } + enc.eTable(key, rv) + case reflect.Ptr: + if rv.IsNil() { + return + } + enc.encode(key, rv.Elem()) + case reflect.Struct: + enc.eTable(key, rv) + default: + encPanic(fmt.Errorf("unsupported type for key '%s': %s", key, k)) + } +} + +// eElement encodes any value that can be an array element. +func (enc *Encoder) eElement(rv reflect.Value) { + switch v := rv.Interface().(type) { + case time.Time: // Using TextMarshaler adds extra quotes, which we don't want. + format := time.RFC3339Nano + switch v.Location() { + case internal.LocalDatetime: + format = "2006-01-02T15:04:05.999999999" + case internal.LocalDate: + format = "2006-01-02" + case internal.LocalTime: + format = "15:04:05.999999999" + } + switch v.Location() { + default: + enc.wf(v.Format(format)) + case internal.LocalDatetime, internal.LocalDate, internal.LocalTime: + enc.wf(v.In(time.UTC).Format(format)) + } + return + case Marshaler: + s, err := v.MarshalTOML() + if err != nil { + encPanic(err) + } + if s == nil { + encPanic(errors.New("MarshalTOML returned nil and no error")) + } + enc.w.Write(s) + return + case encoding.TextMarshaler: + s, err := v.MarshalText() + if err != nil { + encPanic(err) + } + if s == nil { + encPanic(errors.New("MarshalText returned nil and no error")) + } + enc.writeQuoted(string(s)) + return + case time.Duration: + enc.writeQuoted(v.String()) + return + case json.Number: + n, _ := rv.Interface().(json.Number) + + if n == "" { /// Useful zero value. + enc.w.WriteByte('0') + return + } else if v, err := n.Int64(); err == nil { + enc.eElement(reflect.ValueOf(v)) + return + } else if v, err := n.Float64(); err == nil { + enc.eElement(reflect.ValueOf(v)) + return + } + encPanic(fmt.Errorf("unable to convert %q to int64 or float64", n)) + } + + switch rv.Kind() { + case reflect.Ptr: + enc.eElement(rv.Elem()) + return + case reflect.String: + enc.writeQuoted(rv.String()) + case reflect.Bool: + enc.wf(strconv.FormatBool(rv.Bool())) + case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64: + enc.wf(strconv.FormatInt(rv.Int(), 10)) + case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64: + enc.wf(strconv.FormatUint(rv.Uint(), 10)) + case reflect.Float32: + f := rv.Float() + if math.IsNaN(f) { + if math.Signbit(f) { + enc.wf("-") + } + enc.wf("nan") + } else if math.IsInf(f, 0) { + if math.Signbit(f) { + enc.wf("-") + } + enc.wf("inf") + } else { + enc.wf(floatAddDecimal(strconv.FormatFloat(f, 'f', -1, 32))) + } + case reflect.Float64: + f := rv.Float() + if math.IsNaN(f) { + if math.Signbit(f) { + enc.wf("-") + } + enc.wf("nan") + } else if math.IsInf(f, 0) { + if math.Signbit(f) { + enc.wf("-") + } + enc.wf("inf") + } else { + enc.wf(floatAddDecimal(strconv.FormatFloat(f, 'f', -1, 64))) + } + case reflect.Array, reflect.Slice: + enc.eArrayOrSliceElement(rv) + case reflect.Struct: + enc.eStruct(nil, rv, true) + case reflect.Map: + enc.eMap(nil, rv, true) + case reflect.Interface: + enc.eElement(rv.Elem()) + default: + encPanic(fmt.Errorf("unexpected type: %s", fmtType(rv.Interface()))) + } +} + +// By the TOML spec, all floats must have a decimal with at least one number on +// either side. +func floatAddDecimal(fstr string) string { + if !strings.Contains(fstr, ".") { + return fstr + ".0" + } + return fstr +} + +func (enc *Encoder) writeQuoted(s string) { + enc.wf("\"%s\"", dblQuotedReplacer.Replace(s)) +} + +func (enc *Encoder) eArrayOrSliceElement(rv reflect.Value) { + length := rv.Len() + enc.wf("[") + for i := 0; i < length; i++ { + elem := eindirect(rv.Index(i)) + enc.eElement(elem) + if i != length-1 { + enc.wf(", ") + } + } + enc.wf("]") +} + +func (enc *Encoder) eArrayOfTables(key Key, rv reflect.Value) { + if len(key) == 0 { + encPanic(errNoKey) + } + for i := 0; i < rv.Len(); i++ { + trv := eindirect(rv.Index(i)) + if isNil(trv) { + continue + } + enc.newline() + enc.wf("%s[[%s]]", enc.indentStr(key), key) + enc.newline() + enc.eMapOrStruct(key, trv, false) + } +} + +func (enc *Encoder) eTable(key Key, rv reflect.Value) { + if len(key) == 1 { + // Output an extra newline between top-level tables. + // (The newline isn't written if nothing else has been written though.) + enc.newline() + } + if len(key) > 0 { + enc.wf("%s[%s]", enc.indentStr(key), key) + enc.newline() + } + enc.eMapOrStruct(key, rv, false) +} + +func (enc *Encoder) eMapOrStruct(key Key, rv reflect.Value, inline bool) { + switch rv.Kind() { + case reflect.Map: + enc.eMap(key, rv, inline) + case reflect.Struct: + enc.eStruct(key, rv, inline) + default: + // Should never happen? + panic("eTable: unhandled reflect.Value Kind: " + rv.Kind().String()) + } +} + +func (enc *Encoder) eMap(key Key, rv reflect.Value, inline bool) { + rt := rv.Type() + if rt.Key().Kind() != reflect.String { + encPanic(errNonString) + } + + // Sort keys so that we have deterministic output. And write keys directly + // underneath this key first, before writing sub-structs or sub-maps. + var mapKeysDirect, mapKeysSub []reflect.Value + for _, mapKey := range rv.MapKeys() { + if typeIsTable(tomlTypeOfGo(eindirect(rv.MapIndex(mapKey)))) { + mapKeysSub = append(mapKeysSub, mapKey) + } else { + mapKeysDirect = append(mapKeysDirect, mapKey) + } + } + + writeMapKeys := func(mapKeys []reflect.Value, trailC bool) { + sort.Slice(mapKeys, func(i, j int) bool { return mapKeys[i].String() < mapKeys[j].String() }) + for i, mapKey := range mapKeys { + val := eindirect(rv.MapIndex(mapKey)) + if isNil(val) { + continue + } + + if inline { + enc.writeKeyValue(Key{mapKey.String()}, val, true) + if trailC || i != len(mapKeys)-1 { + enc.wf(", ") + } + } else { + enc.encode(key.add(mapKey.String()), val) + } + } + } + + if inline { + enc.wf("{") + } + writeMapKeys(mapKeysDirect, len(mapKeysSub) > 0) + writeMapKeys(mapKeysSub, false) + if inline { + enc.wf("}") + } +} + +func pointerTo(t reflect.Type) reflect.Type { + if t.Kind() == reflect.Ptr { + return pointerTo(t.Elem()) + } + return t +} + +func (enc *Encoder) eStruct(key Key, rv reflect.Value, inline bool) { + // Write keys for fields directly under this key first, because if we write + // a field that creates a new table then all keys under it will be in that + // table (not the one we're writing here). + // + // Fields is a [][]int: for fieldsDirect this always has one entry (the + // struct index). For fieldsSub it contains two entries: the parent field + // index from tv, and the field indexes for the fields of the sub. + var ( + rt = rv.Type() + fieldsDirect, fieldsSub [][]int + addFields func(rt reflect.Type, rv reflect.Value, start []int) + ) + addFields = func(rt reflect.Type, rv reflect.Value, start []int) { + for i := 0; i < rt.NumField(); i++ { + f := rt.Field(i) + isEmbed := f.Anonymous && pointerTo(f.Type).Kind() == reflect.Struct + if f.PkgPath != "" && !isEmbed { /// Skip unexported fields. + continue + } + opts := getOptions(f.Tag) + if opts.skip { + continue + } + + frv := eindirect(rv.Field(i)) + + // Need to make a copy because ... ehm, I don't know why... I guess + // allocating a new array can cause it to fail(?) + // + // Done for: https://github.com/BurntSushi/toml/issues/430 + // Previously only on 32bit for: https://github.com/BurntSushi/toml/issues/314 + copyStart := make([]int, len(start)) + copy(copyStart, start) + start = copyStart + + // Treat anonymous struct fields with tag names as though they are + // not anonymous, like encoding/json does. + // + // Non-struct anonymous fields use the normal encoding logic. + if isEmbed { + if getOptions(f.Tag).name == "" && frv.Kind() == reflect.Struct { + addFields(frv.Type(), frv, append(start, f.Index...)) + continue + } + } + + if typeIsTable(tomlTypeOfGo(frv)) { + fieldsSub = append(fieldsSub, append(start, f.Index...)) + } else { + fieldsDirect = append(fieldsDirect, append(start, f.Index...)) + } + } + } + addFields(rt, rv, nil) + + writeFields := func(fields [][]int, totalFields int) { + for _, fieldIndex := range fields { + fieldType := rt.FieldByIndex(fieldIndex) + fieldVal := rv.FieldByIndex(fieldIndex) + + opts := getOptions(fieldType.Tag) + if opts.skip { + continue + } + if opts.omitempty && isEmpty(fieldVal) { + continue + } + + fieldVal = eindirect(fieldVal) + + if isNil(fieldVal) { /// Don't write anything for nil fields. + continue + } + + keyName := fieldType.Name + if opts.name != "" { + keyName = opts.name + } + + if opts.omitzero && isZero(fieldVal) { + continue + } + + if inline { + enc.writeKeyValue(Key{keyName}, fieldVal, true) + if fieldIndex[0] != totalFields-1 { + enc.wf(", ") + } + } else { + enc.encode(key.add(keyName), fieldVal) + } + } + } + + if inline { + enc.wf("{") + } + + l := len(fieldsDirect) + len(fieldsSub) + writeFields(fieldsDirect, l) + writeFields(fieldsSub, l) + if inline { + enc.wf("}") + } +} + +// tomlTypeOfGo returns the TOML type name of the Go value's type. +// +// It is used to determine whether the types of array elements are mixed (which +// is forbidden). If the Go value is nil, then it is illegal for it to be an +// array element, and valueIsNil is returned as true. +// +// The type may be `nil`, which means no concrete TOML type could be found. +func tomlTypeOfGo(rv reflect.Value) tomlType { + if isNil(rv) || !rv.IsValid() { + return nil + } + + if rv.Kind() == reflect.Struct { + if rv.Type() == timeType { + return tomlDatetime + } + if isMarshaler(rv) { + return tomlString + } + return tomlHash + } + + if isMarshaler(rv) { + return tomlString + } + + switch rv.Kind() { + case reflect.Bool: + return tomlBool + case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, + reflect.Int64, + reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, + reflect.Uint64: + return tomlInteger + case reflect.Float32, reflect.Float64: + return tomlFloat + case reflect.Array, reflect.Slice: + if isTableArray(rv) { + return tomlArrayHash + } + return tomlArray + case reflect.Ptr, reflect.Interface: + return tomlTypeOfGo(rv.Elem()) + case reflect.String: + return tomlString + case reflect.Map: + return tomlHash + default: + encPanic(errors.New("unsupported type: " + rv.Kind().String())) + panic("unreachable") + } +} + +func isMarshaler(rv reflect.Value) bool { + return rv.Type().Implements(marshalText) || rv.Type().Implements(marshalToml) +} + +// isTableArray reports if all entries in the array or slice are a table. +func isTableArray(arr reflect.Value) bool { + if isNil(arr) || !arr.IsValid() || arr.Len() == 0 { + return false + } + + ret := true + for i := 0; i < arr.Len(); i++ { + tt := tomlTypeOfGo(eindirect(arr.Index(i))) + // Don't allow nil. + if tt == nil { + encPanic(errArrayNilElement) + } + + if ret && !typeEqual(tomlHash, tt) { + ret = false + } + } + return ret +} + +type tagOptions struct { + skip bool // "-" + name string + omitempty bool + omitzero bool +} + +func getOptions(tag reflect.StructTag) tagOptions { + t := tag.Get("toml") + if t == "-" { + return tagOptions{skip: true} + } + var opts tagOptions + parts := strings.Split(t, ",") + opts.name = parts[0] + for _, s := range parts[1:] { + switch s { + case "omitempty": + opts.omitempty = true + case "omitzero": + opts.omitzero = true + } + } + return opts +} + +func isZero(rv reflect.Value) bool { + switch rv.Kind() { + case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64: + return rv.Int() == 0 + case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64: + return rv.Uint() == 0 + case reflect.Float32, reflect.Float64: + return rv.Float() == 0.0 + } + return false +} + +func isEmpty(rv reflect.Value) bool { + switch rv.Kind() { + case reflect.Array, reflect.Slice, reflect.Map, reflect.String: + return rv.Len() == 0 + case reflect.Struct: + if rv.Type().Comparable() { + return reflect.Zero(rv.Type()).Interface() == rv.Interface() + } + // Need to also check if all the fields are empty, otherwise something + // like this with uncomparable types will always return true: + // + // type a struct{ field b } + // type b struct{ s []string } + // s := a{field: b{s: []string{"AAA"}}} + for i := 0; i < rv.NumField(); i++ { + if !isEmpty(rv.Field(i)) { + return false + } + } + return true + case reflect.Bool: + return !rv.Bool() + case reflect.Ptr: + return rv.IsNil() + } + return false +} + +func (enc *Encoder) newline() { + if enc.hasWritten { + enc.wf("\n") + } +} + +// Write a key/value pair: +// +// key = +// +// This is also used for "k = v" in inline tables; so something like this will +// be written in three calls: +// +// ┌───────────────────┠+// │ ┌───┠┌────â”│ +// v v v v vv +// key = {k = 1, k2 = 2} +func (enc *Encoder) writeKeyValue(key Key, val reflect.Value, inline bool) { + /// Marshaler used on top-level document; call eElement() to just call + /// Marshal{TOML,Text}. + if len(key) == 0 { + enc.eElement(val) + return + } + enc.wf("%s%s = ", enc.indentStr(key), key.maybeQuoted(len(key)-1)) + enc.eElement(val) + if !inline { + enc.newline() + } +} + +func (enc *Encoder) wf(format string, v ...any) { + _, err := fmt.Fprintf(enc.w, format, v...) + if err != nil { + encPanic(err) + } + enc.hasWritten = true +} + +func (enc *Encoder) indentStr(key Key) string { + return strings.Repeat(enc.Indent, len(key)-1) +} + +func encPanic(err error) { + panic(tomlEncodeError{err}) +} + +// Resolve any level of pointers to the actual value (e.g. **string → string). +func eindirect(v reflect.Value) reflect.Value { + if v.Kind() != reflect.Ptr && v.Kind() != reflect.Interface { + if isMarshaler(v) { + return v + } + if v.CanAddr() { /// Special case for marshalers; see #358. + if pv := v.Addr(); isMarshaler(pv) { + return pv + } + } + return v + } + + if v.IsNil() { + return v + } + + return eindirect(v.Elem()) +} + +func isNil(rv reflect.Value) bool { + switch rv.Kind() { + case reflect.Interface, reflect.Map, reflect.Ptr, reflect.Slice: + return rv.IsNil() + default: + return false + } +} diff --git a/vendor/github.com/BurntSushi/toml/error.go b/vendor/github.com/BurntSushi/toml/error.go new file mode 100644 index 0000000000..b7077d3ae3 --- /dev/null +++ b/vendor/github.com/BurntSushi/toml/error.go @@ -0,0 +1,347 @@ +package toml + +import ( + "fmt" + "strings" +) + +// ParseError is returned when there is an error parsing the TOML syntax such as +// invalid syntax, duplicate keys, etc. +// +// In addition to the error message itself, you can also print detailed location +// information with context by using [ErrorWithPosition]: +// +// toml: error: Key 'fruit' was already created and cannot be used as an array. +// +// At line 4, column 2-7: +// +// 2 | fruit = [] +// 3 | +// 4 | [[fruit]] # Not allowed +// ^^^^^ +// +// [ErrorWithUsage] can be used to print the above with some more detailed usage +// guidance: +// +// toml: error: newlines not allowed within inline tables +// +// At line 1, column 18: +// +// 1 | x = [{ key = 42 # +// ^ +// +// Error help: +// +// Inline tables must always be on a single line: +// +// table = {key = 42, second = 43} +// +// It is invalid to split them over multiple lines like so: +// +// # INVALID +// table = { +// key = 42, +// second = 43 +// } +// +// Use regular for this: +// +// [table] +// key = 42 +// second = 43 +type ParseError struct { + Message string // Short technical message. + Usage string // Longer message with usage guidance; may be blank. + Position Position // Position of the error + LastKey string // Last parsed key, may be blank. + + // Line the error occurred. + // + // Deprecated: use [Position]. + Line int + + err error + input string +} + +// Position of an error. +type Position struct { + Line int // Line number, starting at 1. + Col int // Error column, starting at 1. + Start int // Start of error, as byte offset starting at 0. + Len int // Length of the error in bytes. +} + +func (p Position) withCol(tomlFile string) Position { + var ( + pos int + lines = strings.Split(tomlFile, "\n") + ) + for i := range lines { + ll := len(lines[i]) + 1 // +1 for the removed newline + if pos+ll >= p.Start { + p.Col = p.Start - pos + 1 + if p.Col < 1 { // Should never happen, but just in case. + p.Col = 1 + } + break + } + pos += ll + } + return p +} + +func (pe ParseError) Error() string { + if pe.LastKey == "" { + return fmt.Sprintf("toml: line %d: %s", pe.Position.Line, pe.Message) + } + return fmt.Sprintf("toml: line %d (last key %q): %s", + pe.Position.Line, pe.LastKey, pe.Message) +} + +// ErrorWithPosition returns the error with detailed location context. +// +// See the documentation on [ParseError]. +func (pe ParseError) ErrorWithPosition() string { + if pe.input == "" { // Should never happen, but just in case. + return pe.Error() + } + + // TODO: don't show control characters as literals? This may not show up + // well everywhere. + + var ( + lines = strings.Split(pe.input, "\n") + b = new(strings.Builder) + ) + if pe.Position.Len == 1 { + fmt.Fprintf(b, "toml: error: %s\n\nAt line %d, column %d:\n\n", + pe.Message, pe.Position.Line, pe.Position.Col) + } else { + fmt.Fprintf(b, "toml: error: %s\n\nAt line %d, column %d-%d:\n\n", + pe.Message, pe.Position.Line, pe.Position.Col, pe.Position.Col+pe.Position.Len-1) + } + if pe.Position.Line > 2 { + fmt.Fprintf(b, "% 7d | %s\n", pe.Position.Line-2, expandTab(lines[pe.Position.Line-3])) + } + if pe.Position.Line > 1 { + fmt.Fprintf(b, "% 7d | %s\n", pe.Position.Line-1, expandTab(lines[pe.Position.Line-2])) + } + + /// Expand tabs, so that the ^^^s are at the correct position, but leave + /// "column 10-13" intact. Adjusting this to the visual column would be + /// better, but we don't know the tabsize of the user in their editor, which + /// can be 8, 4, 2, or something else. We can't know. So leaving it as the + /// character index is probably the "most correct". + expanded := expandTab(lines[pe.Position.Line-1]) + diff := len(expanded) - len(lines[pe.Position.Line-1]) + + fmt.Fprintf(b, "% 7d | %s\n", pe.Position.Line, expanded) + fmt.Fprintf(b, "% 10s%s%s\n", "", strings.Repeat(" ", pe.Position.Col-1+diff), strings.Repeat("^", pe.Position.Len)) + return b.String() +} + +// ErrorWithUsage returns the error with detailed location context and usage +// guidance. +// +// See the documentation on [ParseError]. +func (pe ParseError) ErrorWithUsage() string { + m := pe.ErrorWithPosition() + if u, ok := pe.err.(interface{ Usage() string }); ok && u.Usage() != "" { + lines := strings.Split(strings.TrimSpace(u.Usage()), "\n") + for i := range lines { + if lines[i] != "" { + lines[i] = " " + lines[i] + } + } + return m + "Error help:\n\n" + strings.Join(lines, "\n") + "\n" + } + return m +} + +func expandTab(s string) string { + var ( + b strings.Builder + l int + fill = func(n int) string { + b := make([]byte, n) + for i := range b { + b[i] = ' ' + } + return string(b) + } + ) + b.Grow(len(s)) + for _, r := range s { + switch r { + case '\t': + tw := 8 - l%8 + b.WriteString(fill(tw)) + l += tw + default: + b.WriteRune(r) + l += 1 + } + } + return b.String() +} + +type ( + errLexControl struct{ r rune } + errLexEscape struct{ r rune } + errLexUTF8 struct{ b byte } + errParseDate struct{ v string } + errLexInlineTableNL struct{} + errLexStringNL struct{} + errParseRange struct { + i any // int or float + size string // "int64", "uint16", etc. + } + errUnsafeFloat struct { + i interface{} // float32 or float64 + size string // "float32" or "float64" + } + errParseDuration struct{ d string } +) + +func (e errLexControl) Error() string { + return fmt.Sprintf("TOML files cannot contain control characters: '0x%02x'", e.r) +} +func (e errLexControl) Usage() string { return "" } + +func (e errLexEscape) Error() string { return fmt.Sprintf(`invalid escape in string '\%c'`, e.r) } +func (e errLexEscape) Usage() string { return usageEscape } +func (e errLexUTF8) Error() string { return fmt.Sprintf("invalid UTF-8 byte: 0x%02x", e.b) } +func (e errLexUTF8) Usage() string { return "" } +func (e errParseDate) Error() string { return fmt.Sprintf("invalid datetime: %q", e.v) } +func (e errParseDate) Usage() string { return usageDate } +func (e errLexInlineTableNL) Error() string { return "newlines not allowed within inline tables" } +func (e errLexInlineTableNL) Usage() string { return usageInlineNewline } +func (e errLexStringNL) Error() string { return "strings cannot contain newlines" } +func (e errLexStringNL) Usage() string { return usageStringNewline } +func (e errParseRange) Error() string { return fmt.Sprintf("%v is out of range for %s", e.i, e.size) } +func (e errParseRange) Usage() string { return usageIntOverflow } +func (e errUnsafeFloat) Error() string { + return fmt.Sprintf("%v is out of the safe %s range", e.i, e.size) +} +func (e errUnsafeFloat) Usage() string { return usageUnsafeFloat } +func (e errParseDuration) Error() string { return fmt.Sprintf("invalid duration: %q", e.d) } +func (e errParseDuration) Usage() string { return usageDuration } + +const usageEscape = ` +A '\' inside a "-delimited string is interpreted as an escape character. + +The following escape sequences are supported: +\b, \t, \n, \f, \r, \", \\, \uXXXX, and \UXXXXXXXX + +To prevent a '\' from being recognized as an escape character, use either: + +- a ' or '''-delimited string; escape characters aren't processed in them; or +- write two backslashes to get a single backslash: '\\'. + +If you're trying to add a Windows path (e.g. "C:\Users\martin") then using '/' +instead of '\' will usually also work: "C:/Users/martin". +` + +const usageInlineNewline = ` +Inline tables must always be on a single line: + + table = {key = 42, second = 43} + +It is invalid to split them over multiple lines like so: + + # INVALID + table = { + key = 42, + second = 43 + } + +Use regular for this: + + [table] + key = 42 + second = 43 +` + +const usageStringNewline = ` +Strings must always be on a single line, and cannot span more than one line: + + # INVALID + string = "Hello, + world!" + +Instead use """ or ''' to split strings over multiple lines: + + string = """Hello, + world!""" +` + +const usageIntOverflow = ` +This number is too large; this may be an error in the TOML, but it can also be a +bug in the program that uses too small of an integer. + +The maximum and minimum values are: + + size │ lowest │ highest + ───────┼────────────────┼────────────── + int8 │ -128 │ 127 + int16 │ -32,768 │ 32,767 + int32 │ -2,147,483,648 │ 2,147,483,647 + int64 │ -9.2 × 10¹ⷠ│ 9.2 × 10¹ⷠ+ uint8 │ 0 │ 255 + uint16 │ 0 │ 65,535 + uint32 │ 0 │ 4,294,967,295 + uint64 │ 0 │ 1.8 × 10¹⸠+ +int refers to int32 on 32-bit systems and int64 on 64-bit systems. +` + +const usageUnsafeFloat = ` +This number is outside of the "safe" range for floating point numbers; whole +(non-fractional) numbers outside the below range can not always be represented +accurately in a float, leading to some loss of accuracy. + +Explicitly mark a number as a fractional unit by adding ".0", which will incur +some loss of accuracy; for example: + + f = 2_000_000_000.0 + +Accuracy ranges: + + float32 = 16,777,215 + float64 = 9,007,199,254,740,991 +` + +const usageDuration = ` +A duration must be as "number", without any spaces. Valid units are: + + ns nanoseconds (billionth of a second) + us, µs microseconds (millionth of a second) + ms milliseconds (thousands of a second) + s seconds + m minutes + h hours + +You can combine multiple units; for example "5m10s" for 5 minutes and 10 +seconds. +` + +const usageDate = ` +A TOML datetime must be in one of the following formats: + + 2006-01-02T15:04:05Z07:00 Date and time, with timezone. + 2006-01-02T15:04:05 Date and time, but without timezone. + 2006-01-02 Date without a time or timezone. + 15:04:05 Just a time, without any timezone. + +Seconds may optionally have a fraction, up to nanosecond precision: + + 15:04:05.123 + 15:04:05.856018510 +` + +// TOML 1.1: +// The seconds part in times is optional, and may be omitted: +// 2006-01-02T15:04Z07:00 +// 2006-01-02T15:04 +// 15:04 diff --git a/vendor/github.com/BurntSushi/toml/internal/tz.go b/vendor/github.com/BurntSushi/toml/internal/tz.go new file mode 100644 index 0000000000..022f15bc2b --- /dev/null +++ b/vendor/github.com/BurntSushi/toml/internal/tz.go @@ -0,0 +1,36 @@ +package internal + +import "time" + +// Timezones used for local datetime, date, and time TOML types. +// +// The exact way times and dates without a timezone should be interpreted is not +// well-defined in the TOML specification and left to the implementation. These +// defaults to current local timezone offset of the computer, but this can be +// changed by changing these variables before decoding. +// +// TODO: +// Ideally we'd like to offer people the ability to configure the used timezone +// by setting Decoder.Timezone and Encoder.Timezone; however, this is a bit +// tricky: the reason we use three different variables for this is to support +// round-tripping – without these specific TZ names we wouldn't know which +// format to use. +// +// There isn't a good way to encode this right now though, and passing this sort +// of information also ties in to various related issues such as string format +// encoding, encoding of comments, etc. +// +// So, for the time being, just put this in internal until we can write a good +// comprehensive API for doing all of this. +// +// The reason they're exported is because they're referred from in e.g. +// internal/tag. +// +// Note that this behaviour is valid according to the TOML spec as the exact +// behaviour is left up to implementations. +var ( + localOffset = func() int { _, o := time.Now().Zone(); return o }() + LocalDatetime = time.FixedZone("datetime-local", localOffset) + LocalDate = time.FixedZone("date-local", localOffset) + LocalTime = time.FixedZone("time-local", localOffset) +) diff --git a/vendor/github.com/BurntSushi/toml/lex.go b/vendor/github.com/BurntSushi/toml/lex.go new file mode 100644 index 0000000000..1c3b477029 --- /dev/null +++ b/vendor/github.com/BurntSushi/toml/lex.go @@ -0,0 +1,1272 @@ +package toml + +import ( + "fmt" + "reflect" + "runtime" + "strings" + "unicode" + "unicode/utf8" +) + +type itemType int + +const ( + itemError itemType = iota + itemNIL // used in the parser to indicate no type + itemEOF + itemText + itemString + itemStringEsc + itemRawString + itemMultilineString + itemRawMultilineString + itemBool + itemInteger + itemFloat + itemDatetime + itemArray // the start of an array + itemArrayEnd + itemTableStart + itemTableEnd + itemArrayTableStart + itemArrayTableEnd + itemKeyStart + itemKeyEnd + itemCommentStart + itemInlineTableStart + itemInlineTableEnd +) + +const eof = 0 + +type stateFn func(lx *lexer) stateFn + +func (p Position) String() string { + return fmt.Sprintf("at line %d; start %d; length %d", p.Line, p.Start, p.Len) +} + +type lexer struct { + input string + start int + pos int + line int + state stateFn + items chan item + tomlNext bool + esc bool + + // Allow for backing up up to 4 runes. This is necessary because TOML + // contains 3-rune tokens (""" and '''). + prevWidths [4]int + nprev int // how many of prevWidths are in use + atEOF bool // If we emit an eof, we can still back up, but it is not OK to call next again. + + // A stack of state functions used to maintain context. + // + // The idea is to reuse parts of the state machine in various places. For + // example, values can appear at the top level or within arbitrarily nested + // arrays. The last state on the stack is used after a value has been lexed. + // Similarly for comments. + stack []stateFn +} + +type item struct { + typ itemType + val string + err error + pos Position +} + +func (lx *lexer) nextItem() item { + for { + select { + case item := <-lx.items: + return item + default: + lx.state = lx.state(lx) + //fmt.Printf(" STATE %-24s current: %-10s stack: %s\n", lx.state, lx.current(), lx.stack) + } + } +} + +func lex(input string, tomlNext bool) *lexer { + lx := &lexer{ + input: input, + state: lexTop, + items: make(chan item, 10), + stack: make([]stateFn, 0, 10), + line: 1, + tomlNext: tomlNext, + } + return lx +} + +func (lx *lexer) push(state stateFn) { + lx.stack = append(lx.stack, state) +} + +func (lx *lexer) pop() stateFn { + if len(lx.stack) == 0 { + return lx.errorf("BUG in lexer: no states to pop") + } + last := lx.stack[len(lx.stack)-1] + lx.stack = lx.stack[0 : len(lx.stack)-1] + return last +} + +func (lx *lexer) current() string { + return lx.input[lx.start:lx.pos] +} + +func (lx lexer) getPos() Position { + p := Position{ + Line: lx.line, + Start: lx.start, + Len: lx.pos - lx.start, + } + if p.Len <= 0 { + p.Len = 1 + } + return p +} + +func (lx *lexer) emit(typ itemType) { + // Needed for multiline strings ending with an incomplete UTF-8 sequence. + if lx.start > lx.pos { + lx.error(errLexUTF8{lx.input[lx.pos]}) + return + } + lx.items <- item{typ: typ, pos: lx.getPos(), val: lx.current()} + lx.start = lx.pos +} + +func (lx *lexer) emitTrim(typ itemType) { + lx.items <- item{typ: typ, pos: lx.getPos(), val: strings.TrimSpace(lx.current())} + lx.start = lx.pos +} + +func (lx *lexer) next() (r rune) { + if lx.atEOF { + panic("BUG in lexer: next called after EOF") + } + if lx.pos >= len(lx.input) { + lx.atEOF = true + return eof + } + + if lx.input[lx.pos] == '\n' { + lx.line++ + } + lx.prevWidths[3] = lx.prevWidths[2] + lx.prevWidths[2] = lx.prevWidths[1] + lx.prevWidths[1] = lx.prevWidths[0] + if lx.nprev < 4 { + lx.nprev++ + } + + r, w := utf8.DecodeRuneInString(lx.input[lx.pos:]) + if r == utf8.RuneError && w == 1 { + lx.error(errLexUTF8{lx.input[lx.pos]}) + return utf8.RuneError + } + + // Note: don't use peek() here, as this calls next(). + if isControl(r) || (r == '\r' && (len(lx.input)-1 == lx.pos || lx.input[lx.pos+1] != '\n')) { + lx.errorControlChar(r) + return utf8.RuneError + } + + lx.prevWidths[0] = w + lx.pos += w + return r +} + +// ignore skips over the pending input before this point. +func (lx *lexer) ignore() { + lx.start = lx.pos +} + +// backup steps back one rune. Can be called 4 times between calls to next. +func (lx *lexer) backup() { + if lx.atEOF { + lx.atEOF = false + return + } + if lx.nprev < 1 { + panic("BUG in lexer: backed up too far") + } + w := lx.prevWidths[0] + lx.prevWidths[0] = lx.prevWidths[1] + lx.prevWidths[1] = lx.prevWidths[2] + lx.prevWidths[2] = lx.prevWidths[3] + lx.nprev-- + + lx.pos -= w + if lx.pos < len(lx.input) && lx.input[lx.pos] == '\n' { + lx.line-- + } +} + +// accept consumes the next rune if it's equal to `valid`. +func (lx *lexer) accept(valid rune) bool { + if lx.next() == valid { + return true + } + lx.backup() + return false +} + +// peek returns but does not consume the next rune in the input. +func (lx *lexer) peek() rune { + r := lx.next() + lx.backup() + return r +} + +// skip ignores all input that matches the given predicate. +func (lx *lexer) skip(pred func(rune) bool) { + for { + r := lx.next() + if pred(r) { + continue + } + lx.backup() + lx.ignore() + return + } +} + +// error stops all lexing by emitting an error and returning `nil`. +// +// Note that any value that is a character is escaped if it's a special +// character (newlines, tabs, etc.). +func (lx *lexer) error(err error) stateFn { + if lx.atEOF { + return lx.errorPrevLine(err) + } + lx.items <- item{typ: itemError, pos: lx.getPos(), err: err} + return nil +} + +// errorfPrevline is like error(), but sets the position to the last column of +// the previous line. +// +// This is so that unexpected EOF or NL errors don't show on a new blank line. +func (lx *lexer) errorPrevLine(err error) stateFn { + pos := lx.getPos() + pos.Line-- + pos.Len = 1 + pos.Start = lx.pos - 1 + lx.items <- item{typ: itemError, pos: pos, err: err} + return nil +} + +// errorPos is like error(), but allows explicitly setting the position. +func (lx *lexer) errorPos(start, length int, err error) stateFn { + pos := lx.getPos() + pos.Start = start + pos.Len = length + lx.items <- item{typ: itemError, pos: pos, err: err} + return nil +} + +// errorf is like error, and creates a new error. +func (lx *lexer) errorf(format string, values ...any) stateFn { + if lx.atEOF { + pos := lx.getPos() + if lx.pos >= 1 && lx.input[lx.pos-1] == '\n' { + pos.Line-- + } + pos.Len = 1 + pos.Start = lx.pos - 1 + lx.items <- item{typ: itemError, pos: pos, err: fmt.Errorf(format, values...)} + return nil + } + lx.items <- item{typ: itemError, pos: lx.getPos(), err: fmt.Errorf(format, values...)} + return nil +} + +func (lx *lexer) errorControlChar(cc rune) stateFn { + return lx.errorPos(lx.pos-1, 1, errLexControl{cc}) +} + +// lexTop consumes elements at the top level of TOML data. +func lexTop(lx *lexer) stateFn { + r := lx.next() + if isWhitespace(r) || isNL(r) { + return lexSkip(lx, lexTop) + } + switch r { + case '#': + lx.push(lexTop) + return lexCommentStart + case '[': + return lexTableStart + case eof: + if lx.pos > lx.start { + return lx.errorf("unexpected EOF") + } + lx.emit(itemEOF) + return nil + } + + // At this point, the only valid item can be a key, so we back up + // and let the key lexer do the rest. + lx.backup() + lx.push(lexTopEnd) + return lexKeyStart +} + +// lexTopEnd is entered whenever a top-level item has been consumed. (A value +// or a table.) It must see only whitespace, and will turn back to lexTop +// upon a newline. If it sees EOF, it will quit the lexer successfully. +func lexTopEnd(lx *lexer) stateFn { + r := lx.next() + switch { + case r == '#': + // a comment will read to a newline for us. + lx.push(lexTop) + return lexCommentStart + case isWhitespace(r): + return lexTopEnd + case isNL(r): + lx.ignore() + return lexTop + case r == eof: + lx.emit(itemEOF) + return nil + } + return lx.errorf("expected a top-level item to end with a newline, comment, or EOF, but got %q instead", r) +} + +// lexTable lexes the beginning of a table. Namely, it makes sure that +// it starts with a character other than '.' and ']'. +// It assumes that '[' has already been consumed. +// It also handles the case that this is an item in an array of tables. +// e.g., '[[name]]'. +func lexTableStart(lx *lexer) stateFn { + if lx.peek() == '[' { + lx.next() + lx.emit(itemArrayTableStart) + lx.push(lexArrayTableEnd) + } else { + lx.emit(itemTableStart) + lx.push(lexTableEnd) + } + return lexTableNameStart +} + +func lexTableEnd(lx *lexer) stateFn { + lx.emit(itemTableEnd) + return lexTopEnd +} + +func lexArrayTableEnd(lx *lexer) stateFn { + if r := lx.next(); r != ']' { + return lx.errorf("expected end of table array name delimiter ']', but got %q instead", r) + } + lx.emit(itemArrayTableEnd) + return lexTopEnd +} + +func lexTableNameStart(lx *lexer) stateFn { + lx.skip(isWhitespace) + switch r := lx.peek(); { + case r == ']' || r == eof: + return lx.errorf("unexpected end of table name (table names cannot be empty)") + case r == '.': + return lx.errorf("unexpected table separator (table names cannot be empty)") + case r == '"' || r == '\'': + lx.ignore() + lx.push(lexTableNameEnd) + return lexQuotedName + default: + lx.push(lexTableNameEnd) + return lexBareName + } +} + +// lexTableNameEnd reads the end of a piece of a table name, optionally +// consuming whitespace. +func lexTableNameEnd(lx *lexer) stateFn { + lx.skip(isWhitespace) + switch r := lx.next(); { + case isWhitespace(r): + return lexTableNameEnd + case r == '.': + lx.ignore() + return lexTableNameStart + case r == ']': + return lx.pop() + default: + return lx.errorf("expected '.' or ']' to end table name, but got %q instead", r) + } +} + +// lexBareName lexes one part of a key or table. +// +// It assumes that at least one valid character for the table has already been +// read. +// +// Lexes only one part, e.g. only 'a' inside 'a.b'. +func lexBareName(lx *lexer) stateFn { + r := lx.next() + if isBareKeyChar(r, lx.tomlNext) { + return lexBareName + } + lx.backup() + lx.emit(itemText) + return lx.pop() +} + +// lexBareName lexes one part of a key or table. +// +// It assumes that at least one valid character for the table has already been +// read. +// +// Lexes only one part, e.g. only '"a"' inside '"a".b'. +func lexQuotedName(lx *lexer) stateFn { + r := lx.next() + switch { + case isWhitespace(r): + return lexSkip(lx, lexValue) + case r == '"': + lx.ignore() // ignore the '"' + return lexString + case r == '\'': + lx.ignore() // ignore the "'" + return lexRawString + case r == eof: + return lx.errorf("unexpected EOF; expected value") + default: + return lx.errorf("expected value but found %q instead", r) + } +} + +// lexKeyStart consumes all key parts until a '='. +func lexKeyStart(lx *lexer) stateFn { + lx.skip(isWhitespace) + switch r := lx.peek(); { + case r == '=' || r == eof: + return lx.errorf("unexpected '=': key name appears blank") + case r == '.': + return lx.errorf("unexpected '.': keys cannot start with a '.'") + case r == '"' || r == '\'': + lx.ignore() + fallthrough + default: // Bare key + lx.emit(itemKeyStart) + return lexKeyNameStart + } +} + +func lexKeyNameStart(lx *lexer) stateFn { + lx.skip(isWhitespace) + switch r := lx.peek(); { + case r == '=' || r == eof: + return lx.errorf("unexpected '='") + case r == '.': + return lx.errorf("unexpected '.'") + case r == '"' || r == '\'': + lx.ignore() + lx.push(lexKeyEnd) + return lexQuotedName + default: + lx.push(lexKeyEnd) + return lexBareName + } +} + +// lexKeyEnd consumes the end of a key and trims whitespace (up to the key +// separator). +func lexKeyEnd(lx *lexer) stateFn { + lx.skip(isWhitespace) + switch r := lx.next(); { + case isWhitespace(r): + return lexSkip(lx, lexKeyEnd) + case r == eof: + return lx.errorf("unexpected EOF; expected key separator '='") + case r == '.': + lx.ignore() + return lexKeyNameStart + case r == '=': + lx.emit(itemKeyEnd) + return lexSkip(lx, lexValue) + default: + if r == '\n' { + return lx.errorPrevLine(fmt.Errorf("expected '.' or '=', but got %q instead", r)) + } + return lx.errorf("expected '.' or '=', but got %q instead", r) + } +} + +// lexValue starts the consumption of a value anywhere a value is expected. +// lexValue will ignore whitespace. +// After a value is lexed, the last state on the next is popped and returned. +func lexValue(lx *lexer) stateFn { + // We allow whitespace to precede a value, but NOT newlines. + // In array syntax, the array states are responsible for ignoring newlines. + r := lx.next() + switch { + case isWhitespace(r): + return lexSkip(lx, lexValue) + case isDigit(r): + lx.backup() // avoid an extra state and use the same as above + return lexNumberOrDateStart + } + switch r { + case '[': + lx.ignore() + lx.emit(itemArray) + return lexArrayValue + case '{': + lx.ignore() + lx.emit(itemInlineTableStart) + return lexInlineTableValue + case '"': + if lx.accept('"') { + if lx.accept('"') { + lx.ignore() // Ignore """ + return lexMultilineString + } + lx.backup() + } + lx.ignore() // ignore the '"' + return lexString + case '\'': + if lx.accept('\'') { + if lx.accept('\'') { + lx.ignore() // Ignore """ + return lexMultilineRawString + } + lx.backup() + } + lx.ignore() // ignore the "'" + return lexRawString + case '.': // special error case, be kind to users + return lx.errorf("floats must start with a digit, not '.'") + case 'i', 'n': + if (lx.accept('n') && lx.accept('f')) || (lx.accept('a') && lx.accept('n')) { + lx.emit(itemFloat) + return lx.pop() + } + case '-', '+': + return lexDecimalNumberStart + } + if unicode.IsLetter(r) { + // Be permissive here; lexBool will give a nice error if the + // user wrote something like + // x = foo + // (i.e. not 'true' or 'false' but is something else word-like.) + lx.backup() + return lexBool + } + if r == eof { + return lx.errorf("unexpected EOF; expected value") + } + if r == '\n' { + return lx.errorPrevLine(fmt.Errorf("expected value but found %q instead", r)) + } + return lx.errorf("expected value but found %q instead", r) +} + +// lexArrayValue consumes one value in an array. It assumes that '[' or ',' +// have already been consumed. All whitespace and newlines are ignored. +func lexArrayValue(lx *lexer) stateFn { + r := lx.next() + switch { + case isWhitespace(r) || isNL(r): + return lexSkip(lx, lexArrayValue) + case r == '#': + lx.push(lexArrayValue) + return lexCommentStart + case r == ',': + return lx.errorf("unexpected comma") + case r == ']': + return lexArrayEnd + } + + lx.backup() + lx.push(lexArrayValueEnd) + return lexValue +} + +// lexArrayValueEnd consumes everything between the end of an array value and +// the next value (or the end of the array): it ignores whitespace and newlines +// and expects either a ',' or a ']'. +func lexArrayValueEnd(lx *lexer) stateFn { + switch r := lx.next(); { + case isWhitespace(r) || isNL(r): + return lexSkip(lx, lexArrayValueEnd) + case r == '#': + lx.push(lexArrayValueEnd) + return lexCommentStart + case r == ',': + lx.ignore() + return lexArrayValue // move on to the next value + case r == ']': + return lexArrayEnd + default: + return lx.errorf("expected a comma (',') or array terminator (']'), but got %s", runeOrEOF(r)) + } +} + +// lexArrayEnd finishes the lexing of an array. +// It assumes that a ']' has just been consumed. +func lexArrayEnd(lx *lexer) stateFn { + lx.ignore() + lx.emit(itemArrayEnd) + return lx.pop() +} + +// lexInlineTableValue consumes one key/value pair in an inline table. +// It assumes that '{' or ',' have already been consumed. Whitespace is ignored. +func lexInlineTableValue(lx *lexer) stateFn { + r := lx.next() + switch { + case isWhitespace(r): + return lexSkip(lx, lexInlineTableValue) + case isNL(r): + if lx.tomlNext { + return lexSkip(lx, lexInlineTableValue) + } + return lx.errorPrevLine(errLexInlineTableNL{}) + case r == '#': + lx.push(lexInlineTableValue) + return lexCommentStart + case r == ',': + return lx.errorf("unexpected comma") + case r == '}': + return lexInlineTableEnd + } + lx.backup() + lx.push(lexInlineTableValueEnd) + return lexKeyStart +} + +// lexInlineTableValueEnd consumes everything between the end of an inline table +// key/value pair and the next pair (or the end of the table): +// it ignores whitespace and expects either a ',' or a '}'. +func lexInlineTableValueEnd(lx *lexer) stateFn { + switch r := lx.next(); { + case isWhitespace(r): + return lexSkip(lx, lexInlineTableValueEnd) + case isNL(r): + if lx.tomlNext { + return lexSkip(lx, lexInlineTableValueEnd) + } + return lx.errorPrevLine(errLexInlineTableNL{}) + case r == '#': + lx.push(lexInlineTableValueEnd) + return lexCommentStart + case r == ',': + lx.ignore() + lx.skip(isWhitespace) + if lx.peek() == '}' { + if lx.tomlNext { + return lexInlineTableValueEnd + } + return lx.errorf("trailing comma not allowed in inline tables") + } + return lexInlineTableValue + case r == '}': + return lexInlineTableEnd + default: + return lx.errorf("expected a comma or an inline table terminator '}', but got %s instead", runeOrEOF(r)) + } +} + +func runeOrEOF(r rune) string { + if r == eof { + return "end of file" + } + return "'" + string(r) + "'" +} + +// lexInlineTableEnd finishes the lexing of an inline table. +// It assumes that a '}' has just been consumed. +func lexInlineTableEnd(lx *lexer) stateFn { + lx.ignore() + lx.emit(itemInlineTableEnd) + return lx.pop() +} + +// lexString consumes the inner contents of a string. It assumes that the +// beginning '"' has already been consumed and ignored. +func lexString(lx *lexer) stateFn { + r := lx.next() + switch { + case r == eof: + return lx.errorf(`unexpected EOF; expected '"'`) + case isNL(r): + return lx.errorPrevLine(errLexStringNL{}) + case r == '\\': + lx.push(lexString) + return lexStringEscape + case r == '"': + lx.backup() + if lx.esc { + lx.esc = false + lx.emit(itemStringEsc) + } else { + lx.emit(itemString) + } + lx.next() + lx.ignore() + return lx.pop() + } + return lexString +} + +// lexMultilineString consumes the inner contents of a string. It assumes that +// the beginning '"""' has already been consumed and ignored. +func lexMultilineString(lx *lexer) stateFn { + r := lx.next() + switch r { + default: + return lexMultilineString + case eof: + return lx.errorf(`unexpected EOF; expected '"""'`) + case '\\': + return lexMultilineStringEscape + case '"': + /// Found " → try to read two more "". + if lx.accept('"') { + if lx.accept('"') { + /// Peek ahead: the string can contain " and "", including at the + /// end: """str""""" + /// 6 or more at the end, however, is an error. + if lx.peek() == '"' { + /// Check if we already lexed 5 's; if so we have 6 now, and + /// that's just too many man! + /// + /// Second check is for the edge case: + /// + /// two quotes allowed. + /// vv + /// """lol \"""""" + /// ^^ ^^^---- closing three + /// escaped + /// + /// But ugly, but it works + if strings.HasSuffix(lx.current(), `"""""`) && !strings.HasSuffix(lx.current(), `\"""""`) { + return lx.errorf(`unexpected '""""""'`) + } + lx.backup() + lx.backup() + return lexMultilineString + } + + lx.backup() /// backup: don't include the """ in the item. + lx.backup() + lx.backup() + lx.esc = false + lx.emit(itemMultilineString) + lx.next() /// Read over ''' again and discard it. + lx.next() + lx.next() + lx.ignore() + return lx.pop() + } + lx.backup() + } + return lexMultilineString + } +} + +// lexRawString consumes a raw string. Nothing can be escaped in such a string. +// It assumes that the beginning "'" has already been consumed and ignored. +func lexRawString(lx *lexer) stateFn { + r := lx.next() + switch { + default: + return lexRawString + case r == eof: + return lx.errorf(`unexpected EOF; expected "'"`) + case isNL(r): + return lx.errorPrevLine(errLexStringNL{}) + case r == '\'': + lx.backup() + lx.emit(itemRawString) + lx.next() + lx.ignore() + return lx.pop() + } +} + +// lexMultilineRawString consumes a raw string. Nothing can be escaped in such a +// string. It assumes that the beginning triple-' has already been consumed and +// ignored. +func lexMultilineRawString(lx *lexer) stateFn { + r := lx.next() + switch r { + default: + return lexMultilineRawString + case eof: + return lx.errorf(`unexpected EOF; expected "'''"`) + case '\'': + /// Found ' → try to read two more ''. + if lx.accept('\'') { + if lx.accept('\'') { + /// Peek ahead: the string can contain ' and '', including at the + /// end: '''str''''' + /// 6 or more at the end, however, is an error. + if lx.peek() == '\'' { + /// Check if we already lexed 5 's; if so we have 6 now, and + /// that's just too many man! + if strings.HasSuffix(lx.current(), "'''''") { + return lx.errorf(`unexpected "''''''"`) + } + lx.backup() + lx.backup() + return lexMultilineRawString + } + + lx.backup() /// backup: don't include the ''' in the item. + lx.backup() + lx.backup() + lx.emit(itemRawMultilineString) + lx.next() /// Read over ''' again and discard it. + lx.next() + lx.next() + lx.ignore() + return lx.pop() + } + lx.backup() + } + return lexMultilineRawString + } +} + +// lexMultilineStringEscape consumes an escaped character. It assumes that the +// preceding '\\' has already been consumed. +func lexMultilineStringEscape(lx *lexer) stateFn { + if isNL(lx.next()) { /// \ escaping newline. + return lexMultilineString + } + lx.backup() + lx.push(lexMultilineString) + return lexStringEscape(lx) +} + +func lexStringEscape(lx *lexer) stateFn { + lx.esc = true + r := lx.next() + switch r { + case 'e': + if !lx.tomlNext { + return lx.error(errLexEscape{r}) + } + fallthrough + case 'b': + fallthrough + case 't': + fallthrough + case 'n': + fallthrough + case 'f': + fallthrough + case 'r': + fallthrough + case '"': + fallthrough + case ' ', '\t': + // Inside """ .. """ strings you can use \ to escape newlines, and any + // amount of whitespace can be between the \ and \n. + fallthrough + case '\\': + return lx.pop() + case 'x': + if !lx.tomlNext { + return lx.error(errLexEscape{r}) + } + return lexHexEscape + case 'u': + return lexShortUnicodeEscape + case 'U': + return lexLongUnicodeEscape + } + return lx.error(errLexEscape{r}) +} + +func lexHexEscape(lx *lexer) stateFn { + var r rune + for i := 0; i < 2; i++ { + r = lx.next() + if !isHex(r) { + return lx.errorf(`expected two hexadecimal digits after '\x', but got %q instead`, lx.current()) + } + } + return lx.pop() +} + +func lexShortUnicodeEscape(lx *lexer) stateFn { + var r rune + for i := 0; i < 4; i++ { + r = lx.next() + if !isHex(r) { + return lx.errorf(`expected four hexadecimal digits after '\u', but got %q instead`, lx.current()) + } + } + return lx.pop() +} + +func lexLongUnicodeEscape(lx *lexer) stateFn { + var r rune + for i := 0; i < 8; i++ { + r = lx.next() + if !isHex(r) { + return lx.errorf(`expected eight hexadecimal digits after '\U', but got %q instead`, lx.current()) + } + } + return lx.pop() +} + +// lexNumberOrDateStart processes the first character of a value which begins +// with a digit. It exists to catch values starting with '0', so that +// lexBaseNumberOrDate can differentiate base prefixed integers from other +// types. +func lexNumberOrDateStart(lx *lexer) stateFn { + r := lx.next() + switch r { + case '0': + return lexBaseNumberOrDate + } + + if !isDigit(r) { + // The only way to reach this state is if the value starts + // with a digit, so specifically treat anything else as an + // error. + return lx.errorf("expected a digit but got %q", r) + } + + return lexNumberOrDate +} + +// lexNumberOrDate consumes either an integer, float or datetime. +func lexNumberOrDate(lx *lexer) stateFn { + r := lx.next() + if isDigit(r) { + return lexNumberOrDate + } + switch r { + case '-', ':': + return lexDatetime + case '_': + return lexDecimalNumber + case '.', 'e', 'E': + return lexFloat + } + + lx.backup() + lx.emit(itemInteger) + return lx.pop() +} + +// lexDatetime consumes a Datetime, to a first approximation. +// The parser validates that it matches one of the accepted formats. +func lexDatetime(lx *lexer) stateFn { + r := lx.next() + if isDigit(r) { + return lexDatetime + } + switch r { + case '-', ':', 'T', 't', ' ', '.', 'Z', 'z', '+': + return lexDatetime + } + + lx.backup() + lx.emitTrim(itemDatetime) + return lx.pop() +} + +// lexHexInteger consumes a hexadecimal integer after seeing the '0x' prefix. +func lexHexInteger(lx *lexer) stateFn { + r := lx.next() + if isHex(r) { + return lexHexInteger + } + switch r { + case '_': + return lexHexInteger + } + + lx.backup() + lx.emit(itemInteger) + return lx.pop() +} + +// lexOctalInteger consumes an octal integer after seeing the '0o' prefix. +func lexOctalInteger(lx *lexer) stateFn { + r := lx.next() + if isOctal(r) { + return lexOctalInteger + } + switch r { + case '_': + return lexOctalInteger + } + + lx.backup() + lx.emit(itemInteger) + return lx.pop() +} + +// lexBinaryInteger consumes a binary integer after seeing the '0b' prefix. +func lexBinaryInteger(lx *lexer) stateFn { + r := lx.next() + if isBinary(r) { + return lexBinaryInteger + } + switch r { + case '_': + return lexBinaryInteger + } + + lx.backup() + lx.emit(itemInteger) + return lx.pop() +} + +// lexDecimalNumber consumes a decimal float or integer. +func lexDecimalNumber(lx *lexer) stateFn { + r := lx.next() + if isDigit(r) { + return lexDecimalNumber + } + switch r { + case '.', 'e', 'E': + return lexFloat + case '_': + return lexDecimalNumber + } + + lx.backup() + lx.emit(itemInteger) + return lx.pop() +} + +// lexDecimalNumber consumes the first digit of a number beginning with a sign. +// It assumes the sign has already been consumed. Values which start with a sign +// are only allowed to be decimal integers or floats. +// +// The special "nan" and "inf" values are also recognized. +func lexDecimalNumberStart(lx *lexer) stateFn { + r := lx.next() + + // Special error cases to give users better error messages + switch r { + case 'i': + if !lx.accept('n') || !lx.accept('f') { + return lx.errorf("invalid float: '%s'", lx.current()) + } + lx.emit(itemFloat) + return lx.pop() + case 'n': + if !lx.accept('a') || !lx.accept('n') { + return lx.errorf("invalid float: '%s'", lx.current()) + } + lx.emit(itemFloat) + return lx.pop() + case '0': + p := lx.peek() + switch p { + case 'b', 'o', 'x': + return lx.errorf("cannot use sign with non-decimal numbers: '%s%c'", lx.current(), p) + } + case '.': + return lx.errorf("floats must start with a digit, not '.'") + } + + if isDigit(r) { + return lexDecimalNumber + } + + return lx.errorf("expected a digit but got %q", r) +} + +// lexBaseNumberOrDate differentiates between the possible values which +// start with '0'. It assumes that before reaching this state, the initial '0' +// has been consumed. +func lexBaseNumberOrDate(lx *lexer) stateFn { + r := lx.next() + // Note: All datetimes start with at least two digits, so we don't + // handle date characters (':', '-', etc.) here. + if isDigit(r) { + return lexNumberOrDate + } + switch r { + case '_': + // Can only be decimal, because there can't be an underscore + // between the '0' and the base designator, and dates can't + // contain underscores. + return lexDecimalNumber + case '.', 'e', 'E': + return lexFloat + case 'b': + r = lx.peek() + if !isBinary(r) { + lx.errorf("not a binary number: '%s%c'", lx.current(), r) + } + return lexBinaryInteger + case 'o': + r = lx.peek() + if !isOctal(r) { + lx.errorf("not an octal number: '%s%c'", lx.current(), r) + } + return lexOctalInteger + case 'x': + r = lx.peek() + if !isHex(r) { + lx.errorf("not a hexadecimal number: '%s%c'", lx.current(), r) + } + return lexHexInteger + } + + lx.backup() + lx.emit(itemInteger) + return lx.pop() +} + +// lexFloat consumes the elements of a float. It allows any sequence of +// float-like characters, so floats emitted by the lexer are only a first +// approximation and must be validated by the parser. +func lexFloat(lx *lexer) stateFn { + r := lx.next() + if isDigit(r) { + return lexFloat + } + switch r { + case '_', '.', '-', '+', 'e', 'E': + return lexFloat + } + + lx.backup() + lx.emit(itemFloat) + return lx.pop() +} + +// lexBool consumes a bool string: 'true' or 'false. +func lexBool(lx *lexer) stateFn { + var rs []rune + for { + r := lx.next() + if !unicode.IsLetter(r) { + lx.backup() + break + } + rs = append(rs, r) + } + s := string(rs) + switch s { + case "true", "false": + lx.emit(itemBool) + return lx.pop() + } + return lx.errorf("expected value but found %q instead", s) +} + +// lexCommentStart begins the lexing of a comment. It will emit +// itemCommentStart and consume no characters, passing control to lexComment. +func lexCommentStart(lx *lexer) stateFn { + lx.ignore() + lx.emit(itemCommentStart) + return lexComment +} + +// lexComment lexes an entire comment. It assumes that '#' has been consumed. +// It will consume *up to* the first newline character, and pass control +// back to the last state on the stack. +func lexComment(lx *lexer) stateFn { + switch r := lx.next(); { + case isNL(r) || r == eof: + lx.backup() + lx.emit(itemText) + return lx.pop() + default: + return lexComment + } +} + +// lexSkip ignores all slurped input and moves on to the next state. +func lexSkip(lx *lexer, nextState stateFn) stateFn { + lx.ignore() + return nextState +} + +func (s stateFn) String() string { + name := runtime.FuncForPC(reflect.ValueOf(s).Pointer()).Name() + if i := strings.LastIndexByte(name, '.'); i > -1 { + name = name[i+1:] + } + if s == nil { + name = "" + } + return name + "()" +} + +func (itype itemType) String() string { + switch itype { + case itemError: + return "Error" + case itemNIL: + return "NIL" + case itemEOF: + return "EOF" + case itemText: + return "Text" + case itemString, itemStringEsc, itemRawString, itemMultilineString, itemRawMultilineString: + return "String" + case itemBool: + return "Bool" + case itemInteger: + return "Integer" + case itemFloat: + return "Float" + case itemDatetime: + return "DateTime" + case itemTableStart: + return "TableStart" + case itemTableEnd: + return "TableEnd" + case itemKeyStart: + return "KeyStart" + case itemKeyEnd: + return "KeyEnd" + case itemArray: + return "Array" + case itemArrayEnd: + return "ArrayEnd" + case itemCommentStart: + return "CommentStart" + case itemInlineTableStart: + return "InlineTableStart" + case itemInlineTableEnd: + return "InlineTableEnd" + } + panic(fmt.Sprintf("BUG: Unknown type '%d'.", int(itype))) +} + +func (item item) String() string { + return fmt.Sprintf("(%s, %s)", item.typ, item.val) +} + +func isWhitespace(r rune) bool { return r == '\t' || r == ' ' } +func isNL(r rune) bool { return r == '\n' || r == '\r' } +func isControl(r rune) bool { // Control characters except \t, \r, \n + switch r { + case '\t', '\r', '\n': + return false + default: + return (r >= 0x00 && r <= 0x1f) || r == 0x7f + } +} +func isDigit(r rune) bool { return r >= '0' && r <= '9' } +func isBinary(r rune) bool { return r == '0' || r == '1' } +func isOctal(r rune) bool { return r >= '0' && r <= '7' } +func isHex(r rune) bool { return (r >= '0' && r <= '9') || (r|0x20 >= 'a' && r|0x20 <= 'f') } +func isBareKeyChar(r rune, tomlNext bool) bool { + return (r >= 'A' && r <= 'Z') || (r >= 'a' && r <= 'z') || + (r >= '0' && r <= '9') || r == '_' || r == '-' +} diff --git a/vendor/github.com/BurntSushi/toml/meta.go b/vendor/github.com/BurntSushi/toml/meta.go new file mode 100644 index 0000000000..0d337026c1 --- /dev/null +++ b/vendor/github.com/BurntSushi/toml/meta.go @@ -0,0 +1,145 @@ +package toml + +import ( + "strings" +) + +// MetaData allows access to meta information about TOML data that's not +// accessible otherwise. +// +// It allows checking if a key is defined in the TOML data, whether any keys +// were undecoded, and the TOML type of a key. +type MetaData struct { + context Key // Used only during decoding. + + keyInfo map[string]keyInfo + mapping map[string]any + keys []Key + decoded map[string]struct{} + data []byte // Input file; for errors. +} + +// IsDefined reports if the key exists in the TOML data. +// +// The key should be specified hierarchically, for example to access the TOML +// key "a.b.c" you would use IsDefined("a", "b", "c"). Keys are case sensitive. +// +// Returns false for an empty key. +func (md *MetaData) IsDefined(key ...string) bool { + if len(key) == 0 { + return false + } + + var ( + hash map[string]any + ok bool + hashOrVal any = md.mapping + ) + for _, k := range key { + if hash, ok = hashOrVal.(map[string]any); !ok { + return false + } + if hashOrVal, ok = hash[k]; !ok { + return false + } + } + return true +} + +// Type returns a string representation of the type of the key specified. +// +// Type will return the empty string if given an empty key or a key that does +// not exist. Keys are case sensitive. +func (md *MetaData) Type(key ...string) string { + if ki, ok := md.keyInfo[Key(key).String()]; ok { + return ki.tomlType.typeString() + } + return "" +} + +// Keys returns a slice of every key in the TOML data, including key groups. +// +// Each key is itself a slice, where the first element is the top of the +// hierarchy and the last is the most specific. The list will have the same +// order as the keys appeared in the TOML data. +// +// All keys returned are non-empty. +func (md *MetaData) Keys() []Key { + return md.keys +} + +// Undecoded returns all keys that have not been decoded in the order in which +// they appear in the original TOML document. +// +// This includes keys that haven't been decoded because of a [Primitive] value. +// Once the Primitive value is decoded, the keys will be considered decoded. +// +// Also note that decoding into an empty interface will result in no decoding, +// and so no keys will be considered decoded. +// +// In this sense, the Undecoded keys correspond to keys in the TOML document +// that do not have a concrete type in your representation. +func (md *MetaData) Undecoded() []Key { + undecoded := make([]Key, 0, len(md.keys)) + for _, key := range md.keys { + if _, ok := md.decoded[key.String()]; !ok { + undecoded = append(undecoded, key) + } + } + return undecoded +} + +// Key represents any TOML key, including key groups. Use [MetaData.Keys] to get +// values of this type. +type Key []string + +func (k Key) String() string { + // This is called quite often, so it's a bit funky to make it faster. + var b strings.Builder + b.Grow(len(k) * 25) +outer: + for i, kk := range k { + if i > 0 { + b.WriteByte('.') + } + if kk == "" { + b.WriteString(`""`) + } else { + for _, r := range kk { + // "Inline" isBareKeyChar + if !((r >= 'A' && r <= 'Z') || (r >= 'a' && r <= 'z') || (r >= '0' && r <= '9') || r == '_' || r == '-') { + b.WriteByte('"') + b.WriteString(dblQuotedReplacer.Replace(kk)) + b.WriteByte('"') + continue outer + } + } + b.WriteString(kk) + } + } + return b.String() +} + +func (k Key) maybeQuoted(i int) string { + if k[i] == "" { + return `""` + } + for _, r := range k[i] { + if (r >= 'A' && r <= 'Z') || (r >= 'a' && r <= 'z') || (r >= '0' && r <= '9') || r == '_' || r == '-' { + continue + } + return `"` + dblQuotedReplacer.Replace(k[i]) + `"` + } + return k[i] +} + +// Like append(), but only increase the cap by 1. +func (k Key) add(piece string) Key { + newKey := make(Key, len(k)+1) + copy(newKey, k) + newKey[len(k)] = piece + return newKey +} + +func (k Key) parent() Key { return k[:len(k)-1] } // all except the last piece. +func (k Key) last() string { return k[len(k)-1] } // last piece of this key. diff --git a/vendor/github.com/BurntSushi/toml/parse.go b/vendor/github.com/BurntSushi/toml/parse.go new file mode 100644 index 0000000000..e3ea8a9a2d --- /dev/null +++ b/vendor/github.com/BurntSushi/toml/parse.go @@ -0,0 +1,845 @@ +package toml + +import ( + "fmt" + "math" + "os" + "strconv" + "strings" + "time" + "unicode/utf8" + + "github.com/BurntSushi/toml/internal" +) + +type parser struct { + lx *lexer + context Key // Full key for the current hash in scope. + currentKey string // Base key name for everything except hashes. + pos Position // Current position in the TOML file. + tomlNext bool + + ordered []Key // List of keys in the order that they appear in the TOML data. + + keyInfo map[string]keyInfo // Map keyname → info about the TOML key. + mapping map[string]any // Map keyname → key value. + implicits map[string]struct{} // Record implicit keys (e.g. "key.group.names"). +} + +type keyInfo struct { + pos Position + tomlType tomlType +} + +func parse(data string) (p *parser, err error) { + _, tomlNext := os.LookupEnv("BURNTSUSHI_TOML_110") + + defer func() { + if r := recover(); r != nil { + if pErr, ok := r.(ParseError); ok { + pErr.input = data + err = pErr + return + } + panic(r) + } + }() + + // Read over BOM; do this here as the lexer calls utf8.DecodeRuneInString() + // which mangles stuff. UTF-16 BOM isn't strictly valid, but some tools add + // it anyway. + if strings.HasPrefix(data, "\xff\xfe") || strings.HasPrefix(data, "\xfe\xff") { // UTF-16 + data = data[2:] + } else if strings.HasPrefix(data, "\xef\xbb\xbf") { // UTF-8 + data = data[3:] + } + + // Examine first few bytes for NULL bytes; this probably means it's a UTF-16 + // file (second byte in surrogate pair being NULL). Again, do this here to + // avoid having to deal with UTF-8/16 stuff in the lexer. + ex := 6 + if len(data) < 6 { + ex = len(data) + } + if i := strings.IndexRune(data[:ex], 0); i > -1 { + return nil, ParseError{ + Message: "files cannot contain NULL bytes; probably using UTF-16; TOML files must be UTF-8", + Position: Position{Line: 1, Col: 1, Start: i, Len: 1}, + Line: 1, + input: data, + } + } + + p = &parser{ + keyInfo: make(map[string]keyInfo), + mapping: make(map[string]any), + lx: lex(data, tomlNext), + ordered: make([]Key, 0), + implicits: make(map[string]struct{}), + tomlNext: tomlNext, + } + for { + item := p.next() + if item.typ == itemEOF { + break + } + p.topLevel(item) + } + + return p, nil +} + +func (p *parser) panicErr(it item, err error) { + panic(ParseError{ + Message: err.Error(), + err: err, + Position: it.pos.withCol(p.lx.input), + Line: it.pos.Len, + LastKey: p.current(), + }) +} + +func (p *parser) panicItemf(it item, format string, v ...any) { + panic(ParseError{ + Message: fmt.Sprintf(format, v...), + Position: it.pos.withCol(p.lx.input), + Line: it.pos.Len, + LastKey: p.current(), + }) +} + +func (p *parser) panicf(format string, v ...any) { + panic(ParseError{ + Message: fmt.Sprintf(format, v...), + Position: p.pos.withCol(p.lx.input), + Line: p.pos.Line, + LastKey: p.current(), + }) +} + +func (p *parser) next() item { + it := p.lx.nextItem() + //fmt.Printf("ITEM %-18s line %-3d │ %q\n", it.typ, it.pos.Line, it.val) + if it.typ == itemError { + if it.err != nil { + panic(ParseError{ + Message: it.err.Error(), + err: it.err, + Position: it.pos.withCol(p.lx.input), + Line: it.pos.Line, + LastKey: p.current(), + }) + } + + p.panicItemf(it, "%s", it.val) + } + return it +} + +func (p *parser) nextPos() item { + it := p.next() + p.pos = it.pos + return it +} + +func (p *parser) bug(format string, v ...any) { + panic(fmt.Sprintf("BUG: "+format+"\n\n", v...)) +} + +func (p *parser) expect(typ itemType) item { + it := p.next() + p.assertEqual(typ, it.typ) + return it +} + +func (p *parser) assertEqual(expected, got itemType) { + if expected != got { + p.bug("Expected '%s' but got '%s'.", expected, got) + } +} + +func (p *parser) topLevel(item item) { + switch item.typ { + case itemCommentStart: // # .. + p.expect(itemText) + case itemTableStart: // [ .. ] + name := p.nextPos() + + var key Key + for ; name.typ != itemTableEnd && name.typ != itemEOF; name = p.next() { + key = append(key, p.keyString(name)) + } + p.assertEqual(itemTableEnd, name.typ) + + p.addContext(key, false) + p.setType("", tomlHash, item.pos) + p.ordered = append(p.ordered, key) + case itemArrayTableStart: // [[ .. ]] + name := p.nextPos() + + var key Key + for ; name.typ != itemArrayTableEnd && name.typ != itemEOF; name = p.next() { + key = append(key, p.keyString(name)) + } + p.assertEqual(itemArrayTableEnd, name.typ) + + p.addContext(key, true) + p.setType("", tomlArrayHash, item.pos) + p.ordered = append(p.ordered, key) + case itemKeyStart: // key = .. + outerContext := p.context + /// Read all the key parts (e.g. 'a' and 'b' in 'a.b') + k := p.nextPos() + var key Key + for ; k.typ != itemKeyEnd && k.typ != itemEOF; k = p.next() { + key = append(key, p.keyString(k)) + } + p.assertEqual(itemKeyEnd, k.typ) + + /// The current key is the last part. + p.currentKey = key.last() + + /// All the other parts (if any) are the context; need to set each part + /// as implicit. + context := key.parent() + for i := range context { + p.addImplicitContext(append(p.context, context[i:i+1]...)) + } + p.ordered = append(p.ordered, p.context.add(p.currentKey)) + + /// Set value. + vItem := p.next() + val, typ := p.value(vItem, false) + p.setValue(p.currentKey, val) + p.setType(p.currentKey, typ, vItem.pos) + + /// Remove the context we added (preserving any context from [tbl] lines). + p.context = outerContext + p.currentKey = "" + default: + p.bug("Unexpected type at top level: %s", item.typ) + } +} + +// Gets a string for a key (or part of a key in a table name). +func (p *parser) keyString(it item) string { + switch it.typ { + case itemText: + return it.val + case itemString, itemStringEsc, itemMultilineString, + itemRawString, itemRawMultilineString: + s, _ := p.value(it, false) + return s.(string) + default: + p.bug("Unexpected key type: %s", it.typ) + } + panic("unreachable") +} + +var datetimeRepl = strings.NewReplacer( + "z", "Z", + "t", "T", + " ", "T") + +// value translates an expected value from the lexer into a Go value wrapped +// as an empty interface. +func (p *parser) value(it item, parentIsArray bool) (any, tomlType) { + switch it.typ { + case itemString: + return it.val, p.typeOfPrimitive(it) + case itemStringEsc: + return p.replaceEscapes(it, it.val), p.typeOfPrimitive(it) + case itemMultilineString: + return p.replaceEscapes(it, p.stripEscapedNewlines(stripFirstNewline(it.val))), p.typeOfPrimitive(it) + case itemRawString: + return it.val, p.typeOfPrimitive(it) + case itemRawMultilineString: + return stripFirstNewline(it.val), p.typeOfPrimitive(it) + case itemInteger: + return p.valueInteger(it) + case itemFloat: + return p.valueFloat(it) + case itemBool: + switch it.val { + case "true": + return true, p.typeOfPrimitive(it) + case "false": + return false, p.typeOfPrimitive(it) + default: + p.bug("Expected boolean value, but got '%s'.", it.val) + } + case itemDatetime: + return p.valueDatetime(it) + case itemArray: + return p.valueArray(it) + case itemInlineTableStart: + return p.valueInlineTable(it, parentIsArray) + default: + p.bug("Unexpected value type: %s", it.typ) + } + panic("unreachable") +} + +func (p *parser) valueInteger(it item) (any, tomlType) { + if !numUnderscoresOK(it.val) { + p.panicItemf(it, "Invalid integer %q: underscores must be surrounded by digits", it.val) + } + if numHasLeadingZero(it.val) { + p.panicItemf(it, "Invalid integer %q: cannot have leading zeroes", it.val) + } + + num, err := strconv.ParseInt(it.val, 0, 64) + if err != nil { + // Distinguish integer values. Normally, it'd be a bug if the lexer + // provides an invalid integer, but it's possible that the number is + // out of range of valid values (which the lexer cannot determine). + // So mark the former as a bug but the latter as a legitimate user + // error. + if e, ok := err.(*strconv.NumError); ok && e.Err == strconv.ErrRange { + p.panicErr(it, errParseRange{i: it.val, size: "int64"}) + } else { + p.bug("Expected integer value, but got '%s'.", it.val) + } + } + return num, p.typeOfPrimitive(it) +} + +func (p *parser) valueFloat(it item) (any, tomlType) { + parts := strings.FieldsFunc(it.val, func(r rune) bool { + switch r { + case '.', 'e', 'E': + return true + } + return false + }) + for _, part := range parts { + if !numUnderscoresOK(part) { + p.panicItemf(it, "Invalid float %q: underscores must be surrounded by digits", it.val) + } + } + if len(parts) > 0 && numHasLeadingZero(parts[0]) { + p.panicItemf(it, "Invalid float %q: cannot have leading zeroes", it.val) + } + if !numPeriodsOK(it.val) { + // As a special case, numbers like '123.' or '1.e2', + // which are valid as far as Go/strconv are concerned, + // must be rejected because TOML says that a fractional + // part consists of '.' followed by 1+ digits. + p.panicItemf(it, "Invalid float %q: '.' must be followed by one or more digits", it.val) + } + val := strings.Replace(it.val, "_", "", -1) + signbit := false + if val == "+nan" || val == "-nan" { + signbit = val == "-nan" + val = "nan" + } + num, err := strconv.ParseFloat(val, 64) + if err != nil { + if e, ok := err.(*strconv.NumError); ok && e.Err == strconv.ErrRange { + p.panicErr(it, errParseRange{i: it.val, size: "float64"}) + } else { + p.panicItemf(it, "Invalid float value: %q", it.val) + } + } + if signbit { + num = math.Copysign(num, -1) + } + return num, p.typeOfPrimitive(it) +} + +var dtTypes = []struct { + fmt string + zone *time.Location + next bool +}{ + {time.RFC3339Nano, time.Local, false}, + {"2006-01-02T15:04:05.999999999", internal.LocalDatetime, false}, + {"2006-01-02", internal.LocalDate, false}, + {"15:04:05.999999999", internal.LocalTime, false}, + + // tomlNext + {"2006-01-02T15:04Z07:00", time.Local, true}, + {"2006-01-02T15:04", internal.LocalDatetime, true}, + {"15:04", internal.LocalTime, true}, +} + +func (p *parser) valueDatetime(it item) (any, tomlType) { + it.val = datetimeRepl.Replace(it.val) + var ( + t time.Time + ok bool + err error + ) + for _, dt := range dtTypes { + if dt.next && !p.tomlNext { + continue + } + t, err = time.ParseInLocation(dt.fmt, it.val, dt.zone) + if err == nil { + if missingLeadingZero(it.val, dt.fmt) { + p.panicErr(it, errParseDate{it.val}) + } + ok = true + break + } + } + if !ok { + p.panicErr(it, errParseDate{it.val}) + } + return t, p.typeOfPrimitive(it) +} + +// Go's time.Parse() will accept numbers without a leading zero; there isn't any +// way to require it. https://github.com/golang/go/issues/29911 +// +// Depend on the fact that the separators (- and :) should always be at the same +// location. +func missingLeadingZero(d, l string) bool { + for i, c := range []byte(l) { + if c == '.' || c == 'Z' { + return false + } + if (c < '0' || c > '9') && d[i] != c { + return true + } + } + return false +} + +func (p *parser) valueArray(it item) (any, tomlType) { + p.setType(p.currentKey, tomlArray, it.pos) + + var ( + // Initialize to a non-nil slice to make it consistent with how S = [] + // decodes into a non-nil slice inside something like struct { S + // []string }. See #338 + array = make([]any, 0, 2) + ) + for it = p.next(); it.typ != itemArrayEnd; it = p.next() { + if it.typ == itemCommentStart { + p.expect(itemText) + continue + } + + val, typ := p.value(it, true) + array = append(array, val) + + // XXX: type isn't used here, we need it to record the accurate type + // information. + // + // Not entirely sure how to best store this; could use "key[0]", + // "key[1]" notation, or maybe store it on the Array type? + _ = typ + } + return array, tomlArray +} + +func (p *parser) valueInlineTable(it item, parentIsArray bool) (any, tomlType) { + var ( + topHash = make(map[string]any) + outerContext = p.context + outerKey = p.currentKey + ) + + p.context = append(p.context, p.currentKey) + prevContext := p.context + p.currentKey = "" + + p.addImplicit(p.context) + p.addContext(p.context, parentIsArray) + + /// Loop over all table key/value pairs. + for it := p.next(); it.typ != itemInlineTableEnd; it = p.next() { + if it.typ == itemCommentStart { + p.expect(itemText) + continue + } + + /// Read all key parts. + k := p.nextPos() + var key Key + for ; k.typ != itemKeyEnd && k.typ != itemEOF; k = p.next() { + key = append(key, p.keyString(k)) + } + p.assertEqual(itemKeyEnd, k.typ) + + /// The current key is the last part. + p.currentKey = key.last() + + /// All the other parts (if any) are the context; need to set each part + /// as implicit. + context := key.parent() + for i := range context { + p.addImplicitContext(append(p.context, context[i:i+1]...)) + } + p.ordered = append(p.ordered, p.context.add(p.currentKey)) + + /// Set the value. + val, typ := p.value(p.next(), false) + p.setValue(p.currentKey, val) + p.setType(p.currentKey, typ, it.pos) + + hash := topHash + for _, c := range context { + h, ok := hash[c] + if !ok { + h = make(map[string]any) + hash[c] = h + } + hash, ok = h.(map[string]any) + if !ok { + p.panicf("%q is not a table", p.context) + } + } + hash[p.currentKey] = val + + /// Restore context. + p.context = prevContext + } + p.context = outerContext + p.currentKey = outerKey + return topHash, tomlHash +} + +// numHasLeadingZero checks if this number has leading zeroes, allowing for '0', +// +/- signs, and base prefixes. +func numHasLeadingZero(s string) bool { + if len(s) > 1 && s[0] == '0' && !(s[1] == 'b' || s[1] == 'o' || s[1] == 'x') { // Allow 0b, 0o, 0x + return true + } + if len(s) > 2 && (s[0] == '-' || s[0] == '+') && s[1] == '0' { + return true + } + return false +} + +// numUnderscoresOK checks whether each underscore in s is surrounded by +// characters that are not underscores. +func numUnderscoresOK(s string) bool { + switch s { + case "nan", "+nan", "-nan", "inf", "-inf", "+inf": + return true + } + accept := false + for _, r := range s { + if r == '_' { + if !accept { + return false + } + } + + // isHex is a superset of all the permissible characters surrounding an + // underscore. + accept = isHex(r) + } + return accept +} + +// numPeriodsOK checks whether every period in s is followed by a digit. +func numPeriodsOK(s string) bool { + period := false + for _, r := range s { + if period && !isDigit(r) { + return false + } + period = r == '.' + } + return !period +} + +// Set the current context of the parser, where the context is either a hash or +// an array of hashes, depending on the value of the `array` parameter. +// +// Establishing the context also makes sure that the key isn't a duplicate, and +// will create implicit hashes automatically. +func (p *parser) addContext(key Key, array bool) { + /// Always start at the top level and drill down for our context. + hashContext := p.mapping + keyContext := make(Key, 0, len(key)-1) + + /// We only need implicit hashes for the parents. + for _, k := range key.parent() { + _, ok := hashContext[k] + keyContext = append(keyContext, k) + + // No key? Make an implicit hash and move on. + if !ok { + p.addImplicit(keyContext) + hashContext[k] = make(map[string]any) + } + + // If the hash context is actually an array of tables, then set + // the hash context to the last element in that array. + // + // Otherwise, it better be a table, since this MUST be a key group (by + // virtue of it not being the last element in a key). + switch t := hashContext[k].(type) { + case []map[string]any: + hashContext = t[len(t)-1] + case map[string]any: + hashContext = t + default: + p.panicf("Key '%s' was already created as a hash.", keyContext) + } + } + + p.context = keyContext + if array { + // If this is the first element for this array, then allocate a new + // list of tables for it. + k := key.last() + if _, ok := hashContext[k]; !ok { + hashContext[k] = make([]map[string]any, 0, 4) + } + + // Add a new table. But make sure the key hasn't already been used + // for something else. + if hash, ok := hashContext[k].([]map[string]any); ok { + hashContext[k] = append(hash, make(map[string]any)) + } else { + p.panicf("Key '%s' was already created and cannot be used as an array.", key) + } + } else { + p.setValue(key.last(), make(map[string]any)) + } + p.context = append(p.context, key.last()) +} + +// setValue sets the given key to the given value in the current context. +// It will make sure that the key hasn't already been defined, account for +// implicit key groups. +func (p *parser) setValue(key string, value any) { + var ( + tmpHash any + ok bool + hash = p.mapping + keyContext = make(Key, 0, len(p.context)+1) + ) + for _, k := range p.context { + keyContext = append(keyContext, k) + if tmpHash, ok = hash[k]; !ok { + p.bug("Context for key '%s' has not been established.", keyContext) + } + switch t := tmpHash.(type) { + case []map[string]any: + // The context is a table of hashes. Pick the most recent table + // defined as the current hash. + hash = t[len(t)-1] + case map[string]any: + hash = t + default: + p.panicf("Key '%s' has already been defined.", keyContext) + } + } + keyContext = append(keyContext, key) + + if _, ok := hash[key]; ok { + // Normally redefining keys isn't allowed, but the key could have been + // defined implicitly and it's allowed to be redefined concretely. (See + // the `valid/implicit-and-explicit-after.toml` in toml-test) + // + // But we have to make sure to stop marking it as an implicit. (So that + // another redefinition provokes an error.) + // + // Note that since it has already been defined (as a hash), we don't + // want to overwrite it. So our business is done. + if p.isArray(keyContext) { + p.removeImplicit(keyContext) + hash[key] = value + return + } + if p.isImplicit(keyContext) { + p.removeImplicit(keyContext) + return + } + // Otherwise, we have a concrete key trying to override a previous key, + // which is *always* wrong. + p.panicf("Key '%s' has already been defined.", keyContext) + } + + hash[key] = value +} + +// setType sets the type of a particular value at a given key. It should be +// called immediately AFTER setValue. +// +// Note that if `key` is empty, then the type given will be applied to the +// current context (which is either a table or an array of tables). +func (p *parser) setType(key string, typ tomlType, pos Position) { + keyContext := make(Key, 0, len(p.context)+1) + keyContext = append(keyContext, p.context...) + if len(key) > 0 { // allow type setting for hashes + keyContext = append(keyContext, key) + } + // Special case to make empty keys ("" = 1) work. + // Without it it will set "" rather than `""`. + // TODO: why is this needed? And why is this only needed here? + if len(keyContext) == 0 { + keyContext = Key{""} + } + p.keyInfo[keyContext.String()] = keyInfo{tomlType: typ, pos: pos} +} + +// Implicit keys need to be created when tables are implied in "a.b.c.d = 1" and +// "[a.b.c]" (the "a", "b", and "c" hashes are never created explicitly). +func (p *parser) addImplicit(key Key) { p.implicits[key.String()] = struct{}{} } +func (p *parser) removeImplicit(key Key) { delete(p.implicits, key.String()) } +func (p *parser) isImplicit(key Key) bool { _, ok := p.implicits[key.String()]; return ok } +func (p *parser) isArray(key Key) bool { return p.keyInfo[key.String()].tomlType == tomlArray } +func (p *parser) addImplicitContext(key Key) { p.addImplicit(key); p.addContext(key, false) } + +// current returns the full key name of the current context. +func (p *parser) current() string { + if len(p.currentKey) == 0 { + return p.context.String() + } + if len(p.context) == 0 { + return p.currentKey + } + return fmt.Sprintf("%s.%s", p.context, p.currentKey) +} + +func stripFirstNewline(s string) string { + if len(s) > 0 && s[0] == '\n' { + return s[1:] + } + if len(s) > 1 && s[0] == '\r' && s[1] == '\n' { + return s[2:] + } + return s +} + +// stripEscapedNewlines removes whitespace after line-ending backslashes in +// multiline strings. +// +// A line-ending backslash is an unescaped \ followed only by whitespace until +// the next newline. After a line-ending backslash, all whitespace is removed +// until the next non-whitespace character. +func (p *parser) stripEscapedNewlines(s string) string { + var ( + b strings.Builder + i int + ) + b.Grow(len(s)) + for { + ix := strings.Index(s[i:], `\`) + if ix < 0 { + b.WriteString(s) + return b.String() + } + i += ix + + if len(s) > i+1 && s[i+1] == '\\' { + // Escaped backslash. + i += 2 + continue + } + // Scan until the next non-whitespace. + j := i + 1 + whitespaceLoop: + for ; j < len(s); j++ { + switch s[j] { + case ' ', '\t', '\r', '\n': + default: + break whitespaceLoop + } + } + if j == i+1 { + // Not a whitespace escape. + i++ + continue + } + if !strings.Contains(s[i:j], "\n") { + // This is not a line-ending backslash. (It's a bad escape sequence, + // but we can let replaceEscapes catch it.) + i++ + continue + } + b.WriteString(s[:i]) + s = s[j:] + i = 0 + } +} + +func (p *parser) replaceEscapes(it item, str string) string { + var ( + b strings.Builder + skip = 0 + ) + b.Grow(len(str)) + for i, c := range str { + if skip > 0 { + skip-- + continue + } + if c != '\\' { + b.WriteRune(c) + continue + } + + if i >= len(str) { + p.bug("Escape sequence at end of string.") + return "" + } + switch str[i+1] { + default: + p.bug("Expected valid escape code after \\, but got %q.", str[i+1]) + case ' ', '\t': + p.panicItemf(it, "invalid escape: '\\%c'", str[i+1]) + case 'b': + b.WriteByte(0x08) + skip = 1 + case 't': + b.WriteByte(0x09) + skip = 1 + case 'n': + b.WriteByte(0x0a) + skip = 1 + case 'f': + b.WriteByte(0x0c) + skip = 1 + case 'r': + b.WriteByte(0x0d) + skip = 1 + case 'e': + if p.tomlNext { + b.WriteByte(0x1b) + skip = 1 + } + case '"': + b.WriteByte(0x22) + skip = 1 + case '\\': + b.WriteByte(0x5c) + skip = 1 + // The lexer guarantees the correct number of characters are present; + // don't need to check here. + case 'x': + if p.tomlNext { + escaped := p.asciiEscapeToUnicode(it, str[i+2:i+4]) + b.WriteRune(escaped) + skip = 3 + } + case 'u': + escaped := p.asciiEscapeToUnicode(it, str[i+2:i+6]) + b.WriteRune(escaped) + skip = 5 + case 'U': + escaped := p.asciiEscapeToUnicode(it, str[i+2:i+10]) + b.WriteRune(escaped) + skip = 9 + } + } + return b.String() +} + +func (p *parser) asciiEscapeToUnicode(it item, s string) rune { + hex, err := strconv.ParseUint(strings.ToLower(s), 16, 32) + if err != nil { + p.bug("Could not parse '%s' as a hexadecimal number, but the lexer claims it's OK: %s", s, err) + } + if !utf8.ValidRune(rune(hex)) { + p.panicItemf(it, "Escaped character '\\u%s' is not valid UTF-8.", s) + } + return rune(hex) +} diff --git a/vendor/github.com/BurntSushi/toml/type_fields.go b/vendor/github.com/BurntSushi/toml/type_fields.go new file mode 100644 index 0000000000..10c51f7eeb --- /dev/null +++ b/vendor/github.com/BurntSushi/toml/type_fields.go @@ -0,0 +1,238 @@ +package toml + +// Struct field handling is adapted from code in encoding/json: +// +// Copyright 2010 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the Go distribution. + +import ( + "reflect" + "sort" + "sync" +) + +// A field represents a single field found in a struct. +type field struct { + name string // the name of the field (`toml` tag included) + tag bool // whether field has a `toml` tag + index []int // represents the depth of an anonymous field + typ reflect.Type // the type of the field +} + +// byName sorts field by name, breaking ties with depth, +// then breaking ties with "name came from toml tag", then +// breaking ties with index sequence. +type byName []field + +func (x byName) Len() int { return len(x) } +func (x byName) Swap(i, j int) { x[i], x[j] = x[j], x[i] } +func (x byName) Less(i, j int) bool { + if x[i].name != x[j].name { + return x[i].name < x[j].name + } + if len(x[i].index) != len(x[j].index) { + return len(x[i].index) < len(x[j].index) + } + if x[i].tag != x[j].tag { + return x[i].tag + } + return byIndex(x).Less(i, j) +} + +// byIndex sorts field by index sequence. +type byIndex []field + +func (x byIndex) Len() int { return len(x) } +func (x byIndex) Swap(i, j int) { x[i], x[j] = x[j], x[i] } +func (x byIndex) Less(i, j int) bool { + for k, xik := range x[i].index { + if k >= len(x[j].index) { + return false + } + if xik != x[j].index[k] { + return xik < x[j].index[k] + } + } + return len(x[i].index) < len(x[j].index) +} + +// typeFields returns a list of fields that TOML should recognize for the given +// type. The algorithm is breadth-first search over the set of structs to +// include - the top struct and then any reachable anonymous structs. +func typeFields(t reflect.Type) []field { + // Anonymous fields to explore at the current level and the next. + current := []field{} + next := []field{{typ: t}} + + // Count of queued names for current level and the next. + var count map[reflect.Type]int + var nextCount map[reflect.Type]int + + // Types already visited at an earlier level. + visited := map[reflect.Type]bool{} + + // Fields found. + var fields []field + + for len(next) > 0 { + current, next = next, current[:0] + count, nextCount = nextCount, map[reflect.Type]int{} + + for _, f := range current { + if visited[f.typ] { + continue + } + visited[f.typ] = true + + // Scan f.typ for fields to include. + for i := 0; i < f.typ.NumField(); i++ { + sf := f.typ.Field(i) + if sf.PkgPath != "" && !sf.Anonymous { // unexported + continue + } + opts := getOptions(sf.Tag) + if opts.skip { + continue + } + index := make([]int, len(f.index)+1) + copy(index, f.index) + index[len(f.index)] = i + + ft := sf.Type + if ft.Name() == "" && ft.Kind() == reflect.Ptr { + // Follow pointer. + ft = ft.Elem() + } + + // Record found field and index sequence. + if opts.name != "" || !sf.Anonymous || ft.Kind() != reflect.Struct { + tagged := opts.name != "" + name := opts.name + if name == "" { + name = sf.Name + } + fields = append(fields, field{name, tagged, index, ft}) + if count[f.typ] > 1 { + // If there were multiple instances, add a second, + // so that the annihilation code will see a duplicate. + // It only cares about the distinction between 1 or 2, + // so don't bother generating any more copies. + fields = append(fields, fields[len(fields)-1]) + } + continue + } + + // Record new anonymous struct to explore in next round. + nextCount[ft]++ + if nextCount[ft] == 1 { + f := field{name: ft.Name(), index: index, typ: ft} + next = append(next, f) + } + } + } + } + + sort.Sort(byName(fields)) + + // Delete all fields that are hidden by the Go rules for embedded fields, + // except that fields with TOML tags are promoted. + + // The fields are sorted in primary order of name, secondary order + // of field index length. Loop over names; for each name, delete + // hidden fields by choosing the one dominant field that survives. + out := fields[:0] + for advance, i := 0, 0; i < len(fields); i += advance { + // One iteration per name. + // Find the sequence of fields with the name of this first field. + fi := fields[i] + name := fi.name + for advance = 1; i+advance < len(fields); advance++ { + fj := fields[i+advance] + if fj.name != name { + break + } + } + if advance == 1 { // Only one field with this name + out = append(out, fi) + continue + } + dominant, ok := dominantField(fields[i : i+advance]) + if ok { + out = append(out, dominant) + } + } + + fields = out + sort.Sort(byIndex(fields)) + + return fields +} + +// dominantField looks through the fields, all of which are known to +// have the same name, to find the single field that dominates the +// others using Go's embedding rules, modified by the presence of +// TOML tags. If there are multiple top-level fields, the boolean +// will be false: This condition is an error in Go and we skip all +// the fields. +func dominantField(fields []field) (field, bool) { + // The fields are sorted in increasing index-length order. The winner + // must therefore be one with the shortest index length. Drop all + // longer entries, which is easy: just truncate the slice. + length := len(fields[0].index) + tagged := -1 // Index of first tagged field. + for i, f := range fields { + if len(f.index) > length { + fields = fields[:i] + break + } + if f.tag { + if tagged >= 0 { + // Multiple tagged fields at the same level: conflict. + // Return no field. + return field{}, false + } + tagged = i + } + } + if tagged >= 0 { + return fields[tagged], true + } + // All remaining fields have the same length. If there's more than one, + // we have a conflict (two fields named "X" at the same level) and we + // return no field. + if len(fields) > 1 { + return field{}, false + } + return fields[0], true +} + +var fieldCache struct { + sync.RWMutex + m map[reflect.Type][]field +} + +// cachedTypeFields is like typeFields but uses a cache to avoid repeated work. +func cachedTypeFields(t reflect.Type) []field { + fieldCache.RLock() + f := fieldCache.m[t] + fieldCache.RUnlock() + if f != nil { + return f + } + + // Compute fields without lock. + // Might duplicate effort but won't hold other computations back. + f = typeFields(t) + if f == nil { + f = []field{} + } + + fieldCache.Lock() + if fieldCache.m == nil { + fieldCache.m = map[reflect.Type][]field{} + } + fieldCache.m[t] = f + fieldCache.Unlock() + return f +} diff --git a/vendor/github.com/BurntSushi/toml/type_toml.go b/vendor/github.com/BurntSushi/toml/type_toml.go new file mode 100644 index 0000000000..1c090d331e --- /dev/null +++ b/vendor/github.com/BurntSushi/toml/type_toml.go @@ -0,0 +1,65 @@ +package toml + +// tomlType represents any Go type that corresponds to a TOML type. +// While the first draft of the TOML spec has a simplistic type system that +// probably doesn't need this level of sophistication, we seem to be militating +// toward adding real composite types. +type tomlType interface { + typeString() string +} + +// typeEqual accepts any two types and returns true if they are equal. +func typeEqual(t1, t2 tomlType) bool { + if t1 == nil || t2 == nil { + return false + } + return t1.typeString() == t2.typeString() +} + +func typeIsTable(t tomlType) bool { + return typeEqual(t, tomlHash) || typeEqual(t, tomlArrayHash) +} + +type tomlBaseType string + +func (btype tomlBaseType) typeString() string { return string(btype) } +func (btype tomlBaseType) String() string { return btype.typeString() } + +var ( + tomlInteger tomlBaseType = "Integer" + tomlFloat tomlBaseType = "Float" + tomlDatetime tomlBaseType = "Datetime" + tomlString tomlBaseType = "String" + tomlBool tomlBaseType = "Bool" + tomlArray tomlBaseType = "Array" + tomlHash tomlBaseType = "Hash" + tomlArrayHash tomlBaseType = "ArrayHash" +) + +// typeOfPrimitive returns a tomlType of any primitive value in TOML. +// Primitive values are: Integer, Float, Datetime, String and Bool. +// +// Passing a lexer item other than the following will cause a BUG message +// to occur: itemString, itemBool, itemInteger, itemFloat, itemDatetime. +func (p *parser) typeOfPrimitive(lexItem item) tomlType { + switch lexItem.typ { + case itemInteger: + return tomlInteger + case itemFloat: + return tomlFloat + case itemDatetime: + return tomlDatetime + case itemString, itemStringEsc: + return tomlString + case itemMultilineString: + return tomlString + case itemRawString: + return tomlString + case itemRawMultilineString: + return tomlString + case itemBool: + return tomlBool + } + p.bug("Cannot infer primitive type of lex item '%s'.", lexItem) + panic("unreachable") +} diff --git a/vendor/github.com/MakeNowJust/heredoc/LICENSE b/vendor/github.com/MakeNowJust/heredoc/LICENSE new file mode 100644 index 0000000000..6d0eb9d5d6 --- /dev/null +++ b/vendor/github.com/MakeNowJust/heredoc/LICENSE @@ -0,0 +1,21 @@ +The MIT License (MIT) + +Copyright (c) 2014-2019 TSUYUSATO Kitsune + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE. diff --git a/vendor/github.com/MakeNowJust/heredoc/README.md b/vendor/github.com/MakeNowJust/heredoc/README.md new file mode 100644 index 0000000000..e9924d2974 --- /dev/null +++ b/vendor/github.com/MakeNowJust/heredoc/README.md @@ -0,0 +1,52 @@ +# heredoc + +[![Build Status](https://circleci.com/gh/MakeNowJust/heredoc.svg?style=svg)](https://circleci.com/gh/MakeNowJust/heredoc) [![GoDoc](https://godoc.org/github.com/MakeNowJusti/heredoc?status.svg)](https://godoc.org/github.com/MakeNowJust/heredoc) + +## About + +Package heredoc provides the here-document with keeping indent. + +## Install + +```console +$ go get github.com/MakeNowJust/heredoc +``` + +## Import + +```go +// usual +import "github.com/MakeNowJust/heredoc" +``` + +## Example + +```go +package main + +import ( + "fmt" + "github.com/MakeNowJust/heredoc" +) + +func main() { + fmt.Println(heredoc.Doc(` + Lorem ipsum dolor sit amet, consectetur adipisicing elit, + sed do eiusmod tempor incididunt ut labore et dolore magna + aliqua. Ut enim ad minim veniam, ... + `)) + // Output: + // Lorem ipsum dolor sit amet, consectetur adipisicing elit, + // sed do eiusmod tempor incididunt ut labore et dolore magna + // aliqua. Ut enim ad minim veniam, ... + // +} +``` + +## API Document + + - [heredoc - GoDoc](https://godoc.org/github.com/MakeNowJust/heredoc) + +## License + +This software is released under the MIT License, see LICENSE. diff --git a/vendor/github.com/MakeNowJust/heredoc/heredoc.go b/vendor/github.com/MakeNowJust/heredoc/heredoc.go new file mode 100644 index 0000000000..1fc0469555 --- /dev/null +++ b/vendor/github.com/MakeNowJust/heredoc/heredoc.go @@ -0,0 +1,105 @@ +// Copyright (c) 2014-2019 TSUYUSATO Kitsune +// This software is released under the MIT License. +// http://opensource.org/licenses/mit-license.php + +// Package heredoc provides creation of here-documents from raw strings. +// +// Golang supports raw-string syntax. +// +// doc := ` +// Foo +// Bar +// ` +// +// But raw-string cannot recognize indentation. Thus such content is an indented string, equivalent to +// +// "\n\tFoo\n\tBar\n" +// +// I dont't want this! +// +// However this problem is solved by package heredoc. +// +// doc := heredoc.Doc(` +// Foo +// Bar +// `) +// +// Is equivalent to +// +// "Foo\nBar\n" +package heredoc + +import ( + "fmt" + "strings" + "unicode" +) + +const maxInt = int(^uint(0) >> 1) + +// Doc returns un-indented string as here-document. +func Doc(raw string) string { + skipFirstLine := false + if len(raw) > 0 && raw[0] == '\n' { + raw = raw[1:] + } else { + skipFirstLine = true + } + + lines := strings.Split(raw, "\n") + + minIndentSize := getMinIndent(lines, skipFirstLine) + lines = removeIndentation(lines, minIndentSize, skipFirstLine) + + return strings.Join(lines, "\n") +} + +// getMinIndent calculates the minimum indentation in lines, excluding empty lines. +func getMinIndent(lines []string, skipFirstLine bool) int { + minIndentSize := maxInt + + for i, line := range lines { + if i == 0 && skipFirstLine { + continue + } + + indentSize := 0 + for _, r := range []rune(line) { + if unicode.IsSpace(r) { + indentSize += 1 + } else { + break + } + } + + if len(line) == indentSize { + if i == len(lines)-1 && indentSize < minIndentSize { + lines[i] = "" + } + } else if indentSize < minIndentSize { + minIndentSize = indentSize + } + } + return minIndentSize +} + +// removeIndentation removes n characters from the front of each line in lines. +// Skips first line if skipFirstLine is true, skips empty lines. +func removeIndentation(lines []string, n int, skipFirstLine bool) []string { + for i, line := range lines { + if i == 0 && skipFirstLine { + continue + } + + if len(lines[i]) >= n { + lines[i] = line[n:] + } + } + return lines +} + +// Docf returns unindented and formatted string as here-document. +// Formatting is done as for fmt.Printf(). +func Docf(raw string, args ...interface{}) string { + return fmt.Sprintf(Doc(raw), args...) +} diff --git a/vendor/github.com/Masterminds/goutils/.travis.yml b/vendor/github.com/Masterminds/goutils/.travis.yml new file mode 100644 index 0000000000..4025e01ec4 --- /dev/null +++ b/vendor/github.com/Masterminds/goutils/.travis.yml @@ -0,0 +1,18 @@ +language: go + +go: + - 1.6 + - 1.7 + - 1.8 + - tip + +script: + - go test -v + +notifications: + webhooks: + urls: + - https://webhooks.gitter.im/e/06e3328629952dabe3e0 + on_success: change # options: [always|never|change] default: always + on_failure: always # options: [always|never|change] default: always + on_start: never # options: [always|never|change] default: always diff --git a/vendor/github.com/Masterminds/goutils/CHANGELOG.md b/vendor/github.com/Masterminds/goutils/CHANGELOG.md new file mode 100644 index 0000000000..d700ec47f2 --- /dev/null +++ b/vendor/github.com/Masterminds/goutils/CHANGELOG.md @@ -0,0 +1,8 @@ +# 1.0.1 (2017-05-31) + +## Fixed +- #21: Fix generation of alphanumeric strings (thanks @dbarranco) + +# 1.0.0 (2014-04-30) + +- Initial release. diff --git a/vendor/github.com/Masterminds/goutils/LICENSE.txt b/vendor/github.com/Masterminds/goutils/LICENSE.txt new file mode 100644 index 0000000000..d645695673 --- /dev/null +++ b/vendor/github.com/Masterminds/goutils/LICENSE.txt @@ -0,0 +1,202 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/vendor/github.com/Masterminds/goutils/README.md b/vendor/github.com/Masterminds/goutils/README.md new file mode 100644 index 0000000000..163ffe72a8 --- /dev/null +++ b/vendor/github.com/Masterminds/goutils/README.md @@ -0,0 +1,70 @@ +GoUtils +=========== +[![Stability: Maintenance](https://masterminds.github.io/stability/maintenance.svg)](https://masterminds.github.io/stability/maintenance.html) +[![GoDoc](https://godoc.org/github.com/Masterminds/goutils?status.png)](https://godoc.org/github.com/Masterminds/goutils) [![Build Status](https://travis-ci.org/Masterminds/goutils.svg?branch=master)](https://travis-ci.org/Masterminds/goutils) [![Build status](https://ci.appveyor.com/api/projects/status/sc2b1ew0m7f0aiju?svg=true)](https://ci.appveyor.com/project/mattfarina/goutils) + + +GoUtils provides users with utility functions to manipulate strings in various ways. It is a Go implementation of some +string manipulation libraries of Java Apache Commons. GoUtils includes the following Java Apache Commons classes: +* WordUtils +* RandomStringUtils +* StringUtils (partial implementation) + +## Installation +If you have Go set up on your system, from the GOPATH directory within the command line/terminal, enter this: + + go get github.com/Masterminds/goutils + +If you do not have Go set up on your system, please follow the [Go installation directions from the documenation](http://golang.org/doc/install), and then follow the instructions above to install GoUtils. + + +## Documentation +GoUtils doc is available here: [![GoDoc](https://godoc.org/github.com/Masterminds/goutils?status.png)](https://godoc.org/github.com/Masterminds/goutils) + + +## Usage +The code snippets below show examples of how to use GoUtils. Some functions return errors while others do not. The first instance below, which does not return an error, is the `Initials` function (located within the `wordutils.go` file). + + package main + + import ( + "fmt" + "github.com/Masterminds/goutils" + ) + + func main() { + + // EXAMPLE 1: A goutils function which returns no errors + fmt.Println (goutils.Initials("John Doe Foo")) // Prints out "JDF" + + } +Some functions return errors mainly due to illegal arguements used as parameters. The code example below illustrates how to deal with function that returns an error. In this instance, the function is the `Random` function (located within the `randomstringutils.go` file). + + package main + + import ( + "fmt" + "github.com/Masterminds/goutils" + ) + + func main() { + + // EXAMPLE 2: A goutils function which returns an error + rand1, err1 := goutils.Random (-1, 0, 0, true, true) + + if err1 != nil { + fmt.Println(err1) // Prints out error message because -1 was entered as the first parameter in goutils.Random(...) + } else { + fmt.Println(rand1) + } + + } + +## License +GoUtils is licensed under the Apache License, Version 2.0. Please check the LICENSE.txt file or visit http://www.apache.org/licenses/LICENSE-2.0 for a copy of the license. + +## Issue Reporting +Make suggestions or report issues using the Git issue tracker: https://github.com/Masterminds/goutils/issues + +## Website +* [GoUtils webpage](http://Masterminds.github.io/goutils/) diff --git a/vendor/github.com/Masterminds/goutils/appveyor.yml b/vendor/github.com/Masterminds/goutils/appveyor.yml new file mode 100644 index 0000000000..657564a847 --- /dev/null +++ b/vendor/github.com/Masterminds/goutils/appveyor.yml @@ -0,0 +1,21 @@ +version: build-{build}.{branch} + +clone_folder: C:\gopath\src\github.com\Masterminds\goutils +shallow_clone: true + +environment: + GOPATH: C:\gopath + +platform: + - x64 + +build: off + +install: + - go version + - go env + +test_script: + - go test -v + +deploy: off diff --git a/vendor/github.com/Masterminds/goutils/cryptorandomstringutils.go b/vendor/github.com/Masterminds/goutils/cryptorandomstringutils.go new file mode 100644 index 0000000000..8dbd924858 --- /dev/null +++ b/vendor/github.com/Masterminds/goutils/cryptorandomstringutils.go @@ -0,0 +1,230 @@ +/* +Copyright 2014 Alexander Okoli + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package goutils + +import ( + "crypto/rand" + "fmt" + "math" + "math/big" + "unicode" +) + +/* +CryptoRandomNonAlphaNumeric creates a random string whose length is the number of characters specified. +Characters will be chosen from the set of all characters (ASCII/Unicode values between 0 to 2,147,483,647 (math.MaxInt32)). + +Parameter: + count - the length of random string to create + +Returns: + string - the random string + error - an error stemming from an invalid parameter within underlying function, CryptoRandom(...) +*/ +func CryptoRandomNonAlphaNumeric(count int) (string, error) { + return CryptoRandomAlphaNumericCustom(count, false, false) +} + +/* +CryptoRandomAscii creates a random string whose length is the number of characters specified. +Characters will be chosen from the set of characters whose ASCII value is between 32 and 126 (inclusive). + +Parameter: + count - the length of random string to create + +Returns: + string - the random string + error - an error stemming from an invalid parameter within underlying function, CryptoRandom(...) +*/ +func CryptoRandomAscii(count int) (string, error) { + return CryptoRandom(count, 32, 127, false, false) +} + +/* +CryptoRandomNumeric creates a random string whose length is the number of characters specified. +Characters will be chosen from the set of numeric characters. + +Parameter: + count - the length of random string to create + +Returns: + string - the random string + error - an error stemming from an invalid parameter within underlying function, CryptoRandom(...) +*/ +func CryptoRandomNumeric(count int) (string, error) { + return CryptoRandom(count, 0, 0, false, true) +} + +/* +CryptoRandomAlphabetic creates a random string whose length is the number of characters specified. +Characters will be chosen from the set of alpha-numeric characters as indicated by the arguments. + +Parameters: + count - the length of random string to create + letters - if true, generated string may include alphabetic characters + numbers - if true, generated string may include numeric characters + +Returns: + string - the random string + error - an error stemming from an invalid parameter within underlying function, CryptoRandom(...) +*/ +func CryptoRandomAlphabetic(count int) (string, error) { + return CryptoRandom(count, 0, 0, true, false) +} + +/* +CryptoRandomAlphaNumeric creates a random string whose length is the number of characters specified. +Characters will be chosen from the set of alpha-numeric characters. + +Parameter: + count - the length of random string to create + +Returns: + string - the random string + error - an error stemming from an invalid parameter within underlying function, CryptoRandom(...) +*/ +func CryptoRandomAlphaNumeric(count int) (string, error) { + return CryptoRandom(count, 0, 0, true, true) +} + +/* +CryptoRandomAlphaNumericCustom creates a random string whose length is the number of characters specified. +Characters will be chosen from the set of alpha-numeric characters as indicated by the arguments. + +Parameters: + count - the length of random string to create + letters - if true, generated string may include alphabetic characters + numbers - if true, generated string may include numeric characters + +Returns: + string - the random string + error - an error stemming from an invalid parameter within underlying function, CryptoRandom(...) +*/ +func CryptoRandomAlphaNumericCustom(count int, letters bool, numbers bool) (string, error) { + return CryptoRandom(count, 0, 0, letters, numbers) +} + +/* +CryptoRandom creates a random string based on a variety of options, using using golang's crypto/rand source of randomness. +If the parameters start and end are both 0, start and end are set to ' ' and 'z', the ASCII printable characters, will be used, +unless letters and numbers are both false, in which case, start and end are set to 0 and math.MaxInt32, respectively. +If chars is not nil, characters stored in chars that are between start and end are chosen. + +Parameters: + count - the length of random string to create + start - the position in set of chars (ASCII/Unicode int) to start at + end - the position in set of chars (ASCII/Unicode int) to end before + letters - if true, generated string may include alphabetic characters + numbers - if true, generated string may include numeric characters + chars - the set of chars to choose randoms from. If nil, then it will use the set of all chars. + +Returns: + string - the random string + error - an error stemming from invalid parameters: if count < 0; or the provided chars array is empty; or end <= start; or end > len(chars) +*/ +func CryptoRandom(count int, start int, end int, letters bool, numbers bool, chars ...rune) (string, error) { + if count == 0 { + return "", nil + } else if count < 0 { + err := fmt.Errorf("randomstringutils illegal argument: Requested random string length %v is less than 0.", count) // equiv to err := errors.New("...") + return "", err + } + if chars != nil && len(chars) == 0 { + err := fmt.Errorf("randomstringutils illegal argument: The chars array must not be empty") + return "", err + } + + if start == 0 && end == 0 { + if chars != nil { + end = len(chars) + } else { + if !letters && !numbers { + end = math.MaxInt32 + } else { + end = 'z' + 1 + start = ' ' + } + } + } else { + if end <= start { + err := fmt.Errorf("randomstringutils illegal argument: Parameter end (%v) must be greater than start (%v)", end, start) + return "", err + } + + if chars != nil && end > len(chars) { + err := fmt.Errorf("randomstringutils illegal argument: Parameter end (%v) cannot be greater than len(chars) (%v)", end, len(chars)) + return "", err + } + } + + buffer := make([]rune, count) + gap := end - start + + // high-surrogates range, (\uD800-\uDBFF) = 55296 - 56319 + // low-surrogates range, (\uDC00-\uDFFF) = 56320 - 57343 + + for count != 0 { + count-- + var ch rune + if chars == nil { + ch = rune(getCryptoRandomInt(gap) + int64(start)) + } else { + ch = chars[getCryptoRandomInt(gap)+int64(start)] + } + + if letters && unicode.IsLetter(ch) || numbers && unicode.IsDigit(ch) || !letters && !numbers { + if ch >= 56320 && ch <= 57343 { // low surrogate range + if count == 0 { + count++ + } else { + // Insert low surrogate + buffer[count] = ch + count-- + // Insert high surrogate + buffer[count] = rune(55296 + getCryptoRandomInt(128)) + } + } else if ch >= 55296 && ch <= 56191 { // High surrogates range (Partial) + if count == 0 { + count++ + } else { + // Insert low surrogate + buffer[count] = rune(56320 + getCryptoRandomInt(128)) + count-- + // Insert high surrogate + buffer[count] = ch + } + } else if ch >= 56192 && ch <= 56319 { + // private high surrogate, skip it + count++ + } else { + // not one of the surrogates* + buffer[count] = ch + } + } else { + count++ + } + } + return string(buffer), nil +} + +func getCryptoRandomInt(count int) int64 { + nBig, err := rand.Int(rand.Reader, big.NewInt(int64(count))) + if err != nil { + panic(err) + } + return nBig.Int64() +} diff --git a/vendor/github.com/Masterminds/goutils/randomstringutils.go b/vendor/github.com/Masterminds/goutils/randomstringutils.go new file mode 100644 index 0000000000..272670231a --- /dev/null +++ b/vendor/github.com/Masterminds/goutils/randomstringutils.go @@ -0,0 +1,248 @@ +/* +Copyright 2014 Alexander Okoli + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package goutils + +import ( + "fmt" + "math" + "math/rand" + "time" + "unicode" +) + +// RANDOM provides the time-based seed used to generate random numbers +var RANDOM = rand.New(rand.NewSource(time.Now().UnixNano())) + +/* +RandomNonAlphaNumeric creates a random string whose length is the number of characters specified. +Characters will be chosen from the set of all characters (ASCII/Unicode values between 0 to 2,147,483,647 (math.MaxInt32)). + +Parameter: + count - the length of random string to create + +Returns: + string - the random string + error - an error stemming from an invalid parameter within underlying function, RandomSeed(...) +*/ +func RandomNonAlphaNumeric(count int) (string, error) { + return RandomAlphaNumericCustom(count, false, false) +} + +/* +RandomAscii creates a random string whose length is the number of characters specified. +Characters will be chosen from the set of characters whose ASCII value is between 32 and 126 (inclusive). + +Parameter: + count - the length of random string to create + +Returns: + string - the random string + error - an error stemming from an invalid parameter within underlying function, RandomSeed(...) +*/ +func RandomAscii(count int) (string, error) { + return Random(count, 32, 127, false, false) +} + +/* +RandomNumeric creates a random string whose length is the number of characters specified. +Characters will be chosen from the set of numeric characters. + +Parameter: + count - the length of random string to create + +Returns: + string - the random string + error - an error stemming from an invalid parameter within underlying function, RandomSeed(...) +*/ +func RandomNumeric(count int) (string, error) { + return Random(count, 0, 0, false, true) +} + +/* +RandomAlphabetic creates a random string whose length is the number of characters specified. +Characters will be chosen from the set of alphabetic characters. + +Parameters: + count - the length of random string to create + +Returns: + string - the random string + error - an error stemming from an invalid parameter within underlying function, RandomSeed(...) +*/ +func RandomAlphabetic(count int) (string, error) { + return Random(count, 0, 0, true, false) +} + +/* +RandomAlphaNumeric creates a random string whose length is the number of characters specified. +Characters will be chosen from the set of alpha-numeric characters. + +Parameter: + count - the length of random string to create + +Returns: + string - the random string + error - an error stemming from an invalid parameter within underlying function, RandomSeed(...) +*/ +func RandomAlphaNumeric(count int) (string, error) { + return Random(count, 0, 0, true, true) +} + +/* +RandomAlphaNumericCustom creates a random string whose length is the number of characters specified. +Characters will be chosen from the set of alpha-numeric characters as indicated by the arguments. + +Parameters: + count - the length of random string to create + letters - if true, generated string may include alphabetic characters + numbers - if true, generated string may include numeric characters + +Returns: + string - the random string + error - an error stemming from an invalid parameter within underlying function, RandomSeed(...) +*/ +func RandomAlphaNumericCustom(count int, letters bool, numbers bool) (string, error) { + return Random(count, 0, 0, letters, numbers) +} + +/* +Random creates a random string based on a variety of options, using default source of randomness. +This method has exactly the same semantics as RandomSeed(int, int, int, bool, bool, []char, *rand.Rand), but +instead of using an externally supplied source of randomness, it uses the internal *rand.Rand instance. + +Parameters: + count - the length of random string to create + start - the position in set of chars (ASCII/Unicode int) to start at + end - the position in set of chars (ASCII/Unicode int) to end before + letters - if true, generated string may include alphabetic characters + numbers - if true, generated string may include numeric characters + chars - the set of chars to choose randoms from. If nil, then it will use the set of all chars. + +Returns: + string - the random string + error - an error stemming from an invalid parameter within underlying function, RandomSeed(...) +*/ +func Random(count int, start int, end int, letters bool, numbers bool, chars ...rune) (string, error) { + return RandomSeed(count, start, end, letters, numbers, chars, RANDOM) +} + +/* +RandomSeed creates a random string based on a variety of options, using supplied source of randomness. +If the parameters start and end are both 0, start and end are set to ' ' and 'z', the ASCII printable characters, will be used, +unless letters and numbers are both false, in which case, start and end are set to 0 and math.MaxInt32, respectively. +If chars is not nil, characters stored in chars that are between start and end are chosen. +This method accepts a user-supplied *rand.Rand instance to use as a source of randomness. By seeding a single *rand.Rand instance +with a fixed seed and using it for each call, the same random sequence of strings can be generated repeatedly and predictably. + +Parameters: + count - the length of random string to create + start - the position in set of chars (ASCII/Unicode decimals) to start at + end - the position in set of chars (ASCII/Unicode decimals) to end before + letters - if true, generated string may include alphabetic characters + numbers - if true, generated string may include numeric characters + chars - the set of chars to choose randoms from. If nil, then it will use the set of all chars. + random - a source of randomness. + +Returns: + string - the random string + error - an error stemming from invalid parameters: if count < 0; or the provided chars array is empty; or end <= start; or end > len(chars) +*/ +func RandomSeed(count int, start int, end int, letters bool, numbers bool, chars []rune, random *rand.Rand) (string, error) { + + if count == 0 { + return "", nil + } else if count < 0 { + err := fmt.Errorf("randomstringutils illegal argument: Requested random string length %v is less than 0.", count) // equiv to err := errors.New("...") + return "", err + } + if chars != nil && len(chars) == 0 { + err := fmt.Errorf("randomstringutils illegal argument: The chars array must not be empty") + return "", err + } + + if start == 0 && end == 0 { + if chars != nil { + end = len(chars) + } else { + if !letters && !numbers { + end = math.MaxInt32 + } else { + end = 'z' + 1 + start = ' ' + } + } + } else { + if end <= start { + err := fmt.Errorf("randomstringutils illegal argument: Parameter end (%v) must be greater than start (%v)", end, start) + return "", err + } + + if chars != nil && end > len(chars) { + err := fmt.Errorf("randomstringutils illegal argument: Parameter end (%v) cannot be greater than len(chars) (%v)", end, len(chars)) + return "", err + } + } + + buffer := make([]rune, count) + gap := end - start + + // high-surrogates range, (\uD800-\uDBFF) = 55296 - 56319 + // low-surrogates range, (\uDC00-\uDFFF) = 56320 - 57343 + + for count != 0 { + count-- + var ch rune + if chars == nil { + ch = rune(random.Intn(gap) + start) + } else { + ch = chars[random.Intn(gap)+start] + } + + if letters && unicode.IsLetter(ch) || numbers && unicode.IsDigit(ch) || !letters && !numbers { + if ch >= 56320 && ch <= 57343 { // low surrogate range + if count == 0 { + count++ + } else { + // Insert low surrogate + buffer[count] = ch + count-- + // Insert high surrogate + buffer[count] = rune(55296 + random.Intn(128)) + } + } else if ch >= 55296 && ch <= 56191 { // High surrogates range (Partial) + if count == 0 { + count++ + } else { + // Insert low surrogate + buffer[count] = rune(56320 + random.Intn(128)) + count-- + // Insert high surrogate + buffer[count] = ch + } + } else if ch >= 56192 && ch <= 56319 { + // private high surrogate, skip it + count++ + } else { + // not one of the surrogates* + buffer[count] = ch + } + } else { + count++ + } + } + return string(buffer), nil +} diff --git a/vendor/github.com/Masterminds/goutils/stringutils.go b/vendor/github.com/Masterminds/goutils/stringutils.go new file mode 100644 index 0000000000..741bb530e8 --- /dev/null +++ b/vendor/github.com/Masterminds/goutils/stringutils.go @@ -0,0 +1,240 @@ +/* +Copyright 2014 Alexander Okoli + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package goutils + +import ( + "bytes" + "fmt" + "strings" + "unicode" +) + +// Typically returned by functions where a searched item cannot be found +const INDEX_NOT_FOUND = -1 + +/* +Abbreviate abbreviates a string using ellipses. This will turn the string "Now is the time for all good men" into "Now is the time for..." + +Specifically, the algorithm is as follows: + + - If str is less than maxWidth characters long, return it. + - Else abbreviate it to (str[0:maxWidth - 3] + "..."). + - If maxWidth is less than 4, return an illegal argument error. + - In no case will it return a string of length greater than maxWidth. + +Parameters: + str - the string to check + maxWidth - maximum length of result string, must be at least 4 + +Returns: + string - abbreviated string + error - if the width is too small +*/ +func Abbreviate(str string, maxWidth int) (string, error) { + return AbbreviateFull(str, 0, maxWidth) +} + +/* +AbbreviateFull abbreviates a string using ellipses. This will turn the string "Now is the time for all good men" into "...is the time for..." +This function works like Abbreviate(string, int), but allows you to specify a "left edge" offset. Note that this left edge is not +necessarily going to be the leftmost character in the result, or the first character following the ellipses, but it will appear +somewhere in the result. +In no case will it return a string of length greater than maxWidth. + +Parameters: + str - the string to check + offset - left edge of source string + maxWidth - maximum length of result string, must be at least 4 + +Returns: + string - abbreviated string + error - if the width is too small +*/ +func AbbreviateFull(str string, offset int, maxWidth int) (string, error) { + if str == "" { + return "", nil + } + if maxWidth < 4 { + err := fmt.Errorf("stringutils illegal argument: Minimum abbreviation width is 4") + return "", err + } + if len(str) <= maxWidth { + return str, nil + } + if offset > len(str) { + offset = len(str) + } + if len(str)-offset < (maxWidth - 3) { // 15 - 5 < 10 - 3 = 10 < 7 + offset = len(str) - (maxWidth - 3) + } + abrevMarker := "..." + if offset <= 4 { + return str[0:maxWidth-3] + abrevMarker, nil // str.substring(0, maxWidth - 3) + abrevMarker; + } + if maxWidth < 7 { + err := fmt.Errorf("stringutils illegal argument: Minimum abbreviation width with offset is 7") + return "", err + } + if (offset + maxWidth - 3) < len(str) { // 5 + (10-3) < 15 = 12 < 15 + abrevStr, _ := Abbreviate(str[offset:len(str)], (maxWidth - 3)) + return abrevMarker + abrevStr, nil // abrevMarker + abbreviate(str.substring(offset), maxWidth - 3); + } + return abrevMarker + str[(len(str)-(maxWidth-3)):len(str)], nil // abrevMarker + str.substring(str.length() - (maxWidth - 3)); +} + +/* +DeleteWhiteSpace deletes all whitespaces from a string as defined by unicode.IsSpace(rune). +It returns the string without whitespaces. + +Parameter: + str - the string to delete whitespace from, may be nil + +Returns: + the string without whitespaces +*/ +func DeleteWhiteSpace(str string) string { + if str == "" { + return str + } + sz := len(str) + var chs bytes.Buffer + count := 0 + for i := 0; i < sz; i++ { + ch := rune(str[i]) + if !unicode.IsSpace(ch) { + chs.WriteRune(ch) + count++ + } + } + if count == sz { + return str + } + return chs.String() +} + +/* +IndexOfDifference compares two strings, and returns the index at which the strings begin to differ. + +Parameters: + str1 - the first string + str2 - the second string + +Returns: + the index where str1 and str2 begin to differ; -1 if they are equal +*/ +func IndexOfDifference(str1 string, str2 string) int { + if str1 == str2 { + return INDEX_NOT_FOUND + } + if IsEmpty(str1) || IsEmpty(str2) { + return 0 + } + var i int + for i = 0; i < len(str1) && i < len(str2); i++ { + if rune(str1[i]) != rune(str2[i]) { + break + } + } + if i < len(str2) || i < len(str1) { + return i + } + return INDEX_NOT_FOUND +} + +/* +IsBlank checks if a string is whitespace or empty (""). Observe the following behavior: + + goutils.IsBlank("") = true + goutils.IsBlank(" ") = true + goutils.IsBlank("bob") = false + goutils.IsBlank(" bob ") = false + +Parameter: + str - the string to check + +Returns: + true - if the string is whitespace or empty ("") +*/ +func IsBlank(str string) bool { + strLen := len(str) + if str == "" || strLen == 0 { + return true + } + for i := 0; i < strLen; i++ { + if unicode.IsSpace(rune(str[i])) == false { + return false + } + } + return true +} + +/* +IndexOf returns the index of the first instance of sub in str, with the search beginning from the +index start point specified. -1 is returned if sub is not present in str. + +An empty string ("") will return -1 (INDEX_NOT_FOUND). A negative start position is treated as zero. +A start position greater than the string length returns -1. + +Parameters: + str - the string to check + sub - the substring to find + start - the start position; negative treated as zero + +Returns: + the first index where the sub string was found (always >= start) +*/ +func IndexOf(str string, sub string, start int) int { + + if start < 0 { + start = 0 + } + + if len(str) < start { + return INDEX_NOT_FOUND + } + + if IsEmpty(str) || IsEmpty(sub) { + return INDEX_NOT_FOUND + } + + partialIndex := strings.Index(str[start:len(str)], sub) + if partialIndex == -1 { + return INDEX_NOT_FOUND + } + return partialIndex + start +} + +// IsEmpty checks if a string is empty (""). Returns true if empty, and false otherwise. +func IsEmpty(str string) bool { + return len(str) == 0 +} + +// Returns either the passed in string, or if the string is empty, the value of defaultStr. +func DefaultString(str string, defaultStr string) string { + if IsEmpty(str) { + return defaultStr + } + return str +} + +// Returns either the passed in string, or if the string is whitespace, empty (""), the value of defaultStr. +func DefaultIfBlank(str string, defaultStr string) string { + if IsBlank(str) { + return defaultStr + } + return str +} diff --git a/vendor/github.com/Masterminds/goutils/wordutils.go b/vendor/github.com/Masterminds/goutils/wordutils.go new file mode 100644 index 0000000000..034cad8e21 --- /dev/null +++ b/vendor/github.com/Masterminds/goutils/wordutils.go @@ -0,0 +1,357 @@ +/* +Copyright 2014 Alexander Okoli + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +/* +Package goutils provides utility functions to manipulate strings in various ways. +The code snippets below show examples of how to use goutils. Some functions return +errors while others do not, so usage would vary as a result. + +Example: + + package main + + import ( + "fmt" + "github.com/aokoli/goutils" + ) + + func main() { + + // EXAMPLE 1: A goutils function which returns no errors + fmt.Println (goutils.Initials("John Doe Foo")) // Prints out "JDF" + + + + // EXAMPLE 2: A goutils function which returns an error + rand1, err1 := goutils.Random (-1, 0, 0, true, true) + + if err1 != nil { + fmt.Println(err1) // Prints out error message because -1 was entered as the first parameter in goutils.Random(...) + } else { + fmt.Println(rand1) + } + } +*/ +package goutils + +import ( + "bytes" + "strings" + "unicode" +) + +// VERSION indicates the current version of goutils +const VERSION = "1.0.0" + +/* +Wrap wraps a single line of text, identifying words by ' '. +New lines will be separated by '\n'. Very long words, such as URLs will not be wrapped. +Leading spaces on a new line are stripped. Trailing spaces are not stripped. + +Parameters: + str - the string to be word wrapped + wrapLength - the column (a column can fit only one character) to wrap the words at, less than 1 is treated as 1 + +Returns: + a line with newlines inserted +*/ +func Wrap(str string, wrapLength int) string { + return WrapCustom(str, wrapLength, "", false) +} + +/* +WrapCustom wraps a single line of text, identifying words by ' '. +Leading spaces on a new line are stripped. Trailing spaces are not stripped. + +Parameters: + str - the string to be word wrapped + wrapLength - the column number (a column can fit only one character) to wrap the words at, less than 1 is treated as 1 + newLineStr - the string to insert for a new line, "" uses '\n' + wrapLongWords - true if long words (such as URLs) should be wrapped + +Returns: + a line with newlines inserted +*/ +func WrapCustom(str string, wrapLength int, newLineStr string, wrapLongWords bool) string { + + if str == "" { + return "" + } + if newLineStr == "" { + newLineStr = "\n" // TODO Assumes "\n" is seperator. Explore SystemUtils.LINE_SEPARATOR from Apache Commons + } + if wrapLength < 1 { + wrapLength = 1 + } + + inputLineLength := len(str) + offset := 0 + + var wrappedLine bytes.Buffer + + for inputLineLength-offset > wrapLength { + + if rune(str[offset]) == ' ' { + offset++ + continue + } + + end := wrapLength + offset + 1 + spaceToWrapAt := strings.LastIndex(str[offset:end], " ") + offset + + if spaceToWrapAt >= offset { + // normal word (not longer than wrapLength) + wrappedLine.WriteString(str[offset:spaceToWrapAt]) + wrappedLine.WriteString(newLineStr) + offset = spaceToWrapAt + 1 + + } else { + // long word or URL + if wrapLongWords { + end := wrapLength + offset + // long words are wrapped one line at a time + wrappedLine.WriteString(str[offset:end]) + wrappedLine.WriteString(newLineStr) + offset += wrapLength + } else { + // long words aren't wrapped, just extended beyond limit + end := wrapLength + offset + index := strings.IndexRune(str[end:len(str)], ' ') + if index == -1 { + wrappedLine.WriteString(str[offset:len(str)]) + offset = inputLineLength + } else { + spaceToWrapAt = index + end + wrappedLine.WriteString(str[offset:spaceToWrapAt]) + wrappedLine.WriteString(newLineStr) + offset = spaceToWrapAt + 1 + } + } + } + } + + wrappedLine.WriteString(str[offset:len(str)]) + + return wrappedLine.String() + +} + +/* +Capitalize capitalizes all the delimiter separated words in a string. Only the first letter of each word is changed. +To convert the rest of each word to lowercase at the same time, use CapitalizeFully(str string, delimiters ...rune). +The delimiters represent a set of characters understood to separate words. The first string character +and the first non-delimiter character after a delimiter will be capitalized. A "" input string returns "". +Capitalization uses the Unicode title case, normally equivalent to upper case. + +Parameters: + str - the string to capitalize + delimiters - set of characters to determine capitalization, exclusion of this parameter means whitespace would be delimeter + +Returns: + capitalized string +*/ +func Capitalize(str string, delimiters ...rune) string { + + var delimLen int + + if delimiters == nil { + delimLen = -1 + } else { + delimLen = len(delimiters) + } + + if str == "" || delimLen == 0 { + return str + } + + buffer := []rune(str) + capitalizeNext := true + for i := 0; i < len(buffer); i++ { + ch := buffer[i] + if isDelimiter(ch, delimiters...) { + capitalizeNext = true + } else if capitalizeNext { + buffer[i] = unicode.ToTitle(ch) + capitalizeNext = false + } + } + return string(buffer) + +} + +/* +CapitalizeFully converts all the delimiter separated words in a string into capitalized words, that is each word is made up of a +titlecase character and then a series of lowercase characters. The delimiters represent a set of characters understood +to separate words. The first string character and the first non-delimiter character after a delimiter will be capitalized. +Capitalization uses the Unicode title case, normally equivalent to upper case. + +Parameters: + str - the string to capitalize fully + delimiters - set of characters to determine capitalization, exclusion of this parameter means whitespace would be delimeter + +Returns: + capitalized string +*/ +func CapitalizeFully(str string, delimiters ...rune) string { + + var delimLen int + + if delimiters == nil { + delimLen = -1 + } else { + delimLen = len(delimiters) + } + + if str == "" || delimLen == 0 { + return str + } + str = strings.ToLower(str) + return Capitalize(str, delimiters...) +} + +/* +Uncapitalize uncapitalizes all the whitespace separated words in a string. Only the first letter of each word is changed. +The delimiters represent a set of characters understood to separate words. The first string character and the first non-delimiter +character after a delimiter will be uncapitalized. Whitespace is defined by unicode.IsSpace(char). + +Parameters: + str - the string to uncapitalize fully + delimiters - set of characters to determine capitalization, exclusion of this parameter means whitespace would be delimeter + +Returns: + uncapitalized string +*/ +func Uncapitalize(str string, delimiters ...rune) string { + + var delimLen int + + if delimiters == nil { + delimLen = -1 + } else { + delimLen = len(delimiters) + } + + if str == "" || delimLen == 0 { + return str + } + + buffer := []rune(str) + uncapitalizeNext := true // TODO Always makes capitalize/un apply to first char. + for i := 0; i < len(buffer); i++ { + ch := buffer[i] + if isDelimiter(ch, delimiters...) { + uncapitalizeNext = true + } else if uncapitalizeNext { + buffer[i] = unicode.ToLower(ch) + uncapitalizeNext = false + } + } + return string(buffer) +} + +/* +SwapCase swaps the case of a string using a word based algorithm. + +Conversion algorithm: + + Upper case character converts to Lower case + Title case character converts to Lower case + Lower case character after Whitespace or at start converts to Title case + Other Lower case character converts to Upper case + Whitespace is defined by unicode.IsSpace(char). + +Parameters: + str - the string to swap case + +Returns: + the changed string +*/ +func SwapCase(str string) string { + if str == "" { + return str + } + buffer := []rune(str) + + whitespace := true + + for i := 0; i < len(buffer); i++ { + ch := buffer[i] + if unicode.IsUpper(ch) { + buffer[i] = unicode.ToLower(ch) + whitespace = false + } else if unicode.IsTitle(ch) { + buffer[i] = unicode.ToLower(ch) + whitespace = false + } else if unicode.IsLower(ch) { + if whitespace { + buffer[i] = unicode.ToTitle(ch) + whitespace = false + } else { + buffer[i] = unicode.ToUpper(ch) + } + } else { + whitespace = unicode.IsSpace(ch) + } + } + return string(buffer) +} + +/* +Initials extracts the initial letters from each word in the string. The first letter of the string and all first +letters after the defined delimiters are returned as a new string. Their case is not changed. If the delimiters +parameter is excluded, then Whitespace is used. Whitespace is defined by unicode.IsSpacea(char). An empty delimiter array returns an empty string. + +Parameters: + str - the string to get initials from + delimiters - set of characters to determine words, exclusion of this parameter means whitespace would be delimeter +Returns: + string of initial letters +*/ +func Initials(str string, delimiters ...rune) string { + if str == "" { + return str + } + if delimiters != nil && len(delimiters) == 0 { + return "" + } + strLen := len(str) + var buf bytes.Buffer + lastWasGap := true + for i := 0; i < strLen; i++ { + ch := rune(str[i]) + + if isDelimiter(ch, delimiters...) { + lastWasGap = true + } else if lastWasGap { + buf.WriteRune(ch) + lastWasGap = false + } + } + return buf.String() +} + +// private function (lower case func name) +func isDelimiter(ch rune, delimiters ...rune) bool { + if delimiters == nil { + return unicode.IsSpace(ch) + } + for _, delimiter := range delimiters { + if ch == delimiter { + return true + } + } + return false +} diff --git a/vendor/github.com/Masterminds/semver/v3/.gitignore b/vendor/github.com/Masterminds/semver/v3/.gitignore new file mode 100644 index 0000000000..6b061e6174 --- /dev/null +++ b/vendor/github.com/Masterminds/semver/v3/.gitignore @@ -0,0 +1 @@ +_fuzz/ \ No newline at end of file diff --git a/vendor/github.com/Masterminds/semver/v3/.golangci.yml b/vendor/github.com/Masterminds/semver/v3/.golangci.yml new file mode 100644 index 0000000000..fbc6332592 --- /dev/null +++ b/vendor/github.com/Masterminds/semver/v3/.golangci.yml @@ -0,0 +1,27 @@ +run: + deadline: 2m + +linters: + disable-all: true + enable: + - misspell + - govet + - staticcheck + - errcheck + - unparam + - ineffassign + - nakedret + - gocyclo + - dupl + - goimports + - revive + - gosec + - gosimple + - typecheck + - unused + +linters-settings: + gofmt: + simplify: true + dupl: + threshold: 600 diff --git a/vendor/github.com/Masterminds/semver/v3/CHANGELOG.md b/vendor/github.com/Masterminds/semver/v3/CHANGELOG.md new file mode 100644 index 0000000000..fabe5e43dc --- /dev/null +++ b/vendor/github.com/Masterminds/semver/v3/CHANGELOG.md @@ -0,0 +1,268 @@ +# Changelog + +## 3.4.0 (2025-06-27) + +### Added + +- #268: Added property to Constraints to include prereleases for Check and Validate + +### Changed + +- #263: Updated Go testing for 1.24, 1.23, and 1.22 +- #269: Updated the error message handling for message case and wrapping errors +- #266: Restore the ability to have leading 0's when parsing with NewVersion. + Opt-out of this by setting CoerceNewVersion to false. + +### Fixed + +- #257: Fixed the CodeQL link (thanks @dmitris) +- #262: Restored detailed errors when failed to parse with NewVersion. Opt-out + of this by setting DetailedNewVersionErrors to false for faster performance. +- #267: Handle pre-releases for an "and" group if one constraint includes them + +## 3.3.1 (2024-11-19) + +### Fixed + +- #253: Fix for allowing some version that were invalid + +## 3.3.0 (2024-08-27) + +### Added + +- #238: Add LessThanEqual and GreaterThanEqual functions (thanks @grosser) +- #213: nil version equality checking (thanks @KnutZuidema) + +### Changed + +- #241: Simplify StrictNewVersion parsing (thanks @grosser) +- Testing support up through Go 1.23 +- Minimum version set to 1.21 as this is what's tested now +- Fuzz testing now supports caching + +## 3.2.1 (2023-04-10) + +### Changed + +- #198: Improved testing around pre-release names +- #200: Improved code scanning with addition of CodeQL +- #201: Testing now includes Go 1.20. Go 1.17 has been dropped +- #202: Migrated Fuzz testing to Go built-in Fuzzing. CI runs daily +- #203: Docs updated for security details + +### Fixed + +- #199: Fixed issue with range transformations + +## 3.2.0 (2022-11-28) + +### Added + +- #190: Added text marshaling and unmarshaling +- #167: Added JSON marshalling for constraints (thanks @SimonTheLeg) +- #173: Implement encoding.TextMarshaler and encoding.TextUnmarshaler on Version (thanks @MarkRosemaker) +- #179: Added New() version constructor (thanks @kazhuravlev) + +### Changed + +- #182/#183: Updated CI testing setup + +### Fixed + +- #186: Fixing issue where validation of constraint section gave false positives +- #176: Fix constraints check with *-0 (thanks @mtt0) +- #181: Fixed Caret operator (^) gives unexpected results when the minor version in constraint is 0 (thanks @arshchimni) +- #161: Fixed godoc (thanks @afirth) + +## 3.1.1 (2020-11-23) + +### Fixed + +- #158: Fixed issue with generated regex operation order that could cause problem + +## 3.1.0 (2020-04-15) + +### Added + +- #131: Add support for serializing/deserializing SQL (thanks @ryancurrah) + +### Changed + +- #148: More accurate validation messages on constraints + +## 3.0.3 (2019-12-13) + +### Fixed + +- #141: Fixed issue with <= comparison + +## 3.0.2 (2019-11-14) + +### Fixed + +- #134: Fixed broken constraint checking with ^0.0 (thanks @krmichelos) + +## 3.0.1 (2019-09-13) + +### Fixed + +- #125: Fixes issue with module path for v3 + +## 3.0.0 (2019-09-12) + +This is a major release of the semver package which includes API changes. The Go +API is compatible with ^1. The Go API was not changed because many people are using +`go get` without Go modules for their applications and API breaking changes cause +errors which we have or would need to support. + +The changes in this release are the handling based on the data passed into the +functions. These are described in the added and changed sections below. + +### Added + +- StrictNewVersion function. This is similar to NewVersion but will return an + error if the version passed in is not a strict semantic version. For example, + 1.2.3 would pass but v1.2.3 or 1.2 would fail because they are not strictly + speaking semantic versions. This function is faster, performs fewer operations, + and uses fewer allocations than NewVersion. +- Fuzzing has been performed on NewVersion, StrictNewVersion, and NewConstraint. + The Makefile contains the operations used. For more information on you can start + on Wikipedia at https://en.wikipedia.org/wiki/Fuzzing +- Now using Go modules + +### Changed + +- NewVersion has proper prerelease and metadata validation with error messages + to signal an issue with either of them +- ^ now operates using a similar set of rules to npm/js and Rust/Cargo. If the + version is >=1 the ^ ranges works the same as v1. For major versions of 0 the + rules have changed. The minor version is treated as the stable version unless + a patch is specified and then it is equivalent to =. One difference from npm/js + is that prereleases there are only to a specific version (e.g. 1.2.3). + Prereleases here look over multiple versions and follow semantic version + ordering rules. This pattern now follows along with the expected and requested + handling of this packaged by numerous users. + +## 1.5.0 (2019-09-11) + +### Added + +- #103: Add basic fuzzing for `NewVersion()` (thanks @jesse-c) + +### Changed + +- #82: Clarify wildcard meaning in range constraints and update tests for it (thanks @greysteil) +- #83: Clarify caret operator range for pre-1.0.0 dependencies (thanks @greysteil) +- #72: Adding docs comment pointing to vert for a cli +- #71: Update the docs on pre-release comparator handling +- #89: Test with new go versions (thanks @thedevsaddam) +- #87: Added $ to ValidPrerelease for better validation (thanks @jeremycarroll) + +### Fixed + +- #78: Fix unchecked error in example code (thanks @ravron) +- #70: Fix the handling of pre-releases and the 0.0.0 release edge case +- #97: Fixed copyright file for proper display on GitHub +- #107: Fix handling prerelease when sorting alphanum and num +- #109: Fixed where Validate sometimes returns wrong message on error + +## 1.4.2 (2018-04-10) + +### Changed + +- #72: Updated the docs to point to vert for a console appliaction +- #71: Update the docs on pre-release comparator handling + +### Fixed + +- #70: Fix the handling of pre-releases and the 0.0.0 release edge case + +## 1.4.1 (2018-04-02) + +### Fixed + +- Fixed #64: Fix pre-release precedence issue (thanks @uudashr) + +## 1.4.0 (2017-10-04) + +### Changed + +- #61: Update NewVersion to parse ints with a 64bit int size (thanks @zknill) + +## 1.3.1 (2017-07-10) + +### Fixed + +- Fixed #57: number comparisons in prerelease sometimes inaccurate + +## 1.3.0 (2017-05-02) + +### Added + +- #45: Added json (un)marshaling support (thanks @mh-cbon) +- Stability marker. See https://masterminds.github.io/stability/ + +### Fixed + +- #51: Fix handling of single digit tilde constraint (thanks @dgodd) + +### Changed + +- #55: The godoc icon moved from png to svg + +## 1.2.3 (2017-04-03) + +### Fixed + +- #46: Fixed 0.x.x and 0.0.x in constraints being treated as * + +## Release 1.2.2 (2016-12-13) + +### Fixed + +- #34: Fixed issue where hyphen range was not working with pre-release parsing. + +## Release 1.2.1 (2016-11-28) + +### Fixed + +- #24: Fixed edge case issue where constraint "> 0" does not handle "0.0.1-alpha" + properly. + +## Release 1.2.0 (2016-11-04) + +### Added + +- #20: Added MustParse function for versions (thanks @adamreese) +- #15: Added increment methods on versions (thanks @mh-cbon) + +### Fixed + +- Issue #21: Per the SemVer spec (section 9) a pre-release is unstable and + might not satisfy the intended compatibility. The change here ignores pre-releases + on constraint checks (e.g., ~ or ^) when a pre-release is not part of the + constraint. For example, `^1.2.3` will ignore pre-releases while + `^1.2.3-alpha` will include them. + +## Release 1.1.1 (2016-06-30) + +### Changed + +- Issue #9: Speed up version comparison performance (thanks @sdboyer) +- Issue #8: Added benchmarks (thanks @sdboyer) +- Updated Go Report Card URL to new location +- Updated Readme to add code snippet formatting (thanks @mh-cbon) +- Updating tagging to v[SemVer] structure for compatibility with other tools. + +## Release 1.1.0 (2016-03-11) + +- Issue #2: Implemented validation to provide reasons a versions failed a + constraint. + +## Release 1.0.1 (2015-12-31) + +- Fixed #1: * constraint failing on valid versions. + +## Release 1.0.0 (2015-10-20) + +- Initial release diff --git a/vendor/github.com/Masterminds/semver/v3/LICENSE.txt b/vendor/github.com/Masterminds/semver/v3/LICENSE.txt new file mode 100644 index 0000000000..9ff7da9c48 --- /dev/null +++ b/vendor/github.com/Masterminds/semver/v3/LICENSE.txt @@ -0,0 +1,19 @@ +Copyright (C) 2014-2019, Matt Butcher and Matt Farina + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE. diff --git a/vendor/github.com/Masterminds/semver/v3/Makefile b/vendor/github.com/Masterminds/semver/v3/Makefile new file mode 100644 index 0000000000..9ca87a2c79 --- /dev/null +++ b/vendor/github.com/Masterminds/semver/v3/Makefile @@ -0,0 +1,31 @@ +GOPATH=$(shell go env GOPATH) +GOLANGCI_LINT=$(GOPATH)/bin/golangci-lint + +.PHONY: lint +lint: $(GOLANGCI_LINT) + @echo "==> Linting codebase" + @$(GOLANGCI_LINT) run + +.PHONY: test +test: + @echo "==> Running tests" + GO111MODULE=on go test -v + +.PHONY: test-cover +test-cover: + @echo "==> Running Tests with coverage" + GO111MODULE=on go test -cover . + +.PHONY: fuzz +fuzz: + @echo "==> Running Fuzz Tests" + go env GOCACHE + go test -fuzz=FuzzNewVersion -fuzztime=15s . + go test -fuzz=FuzzStrictNewVersion -fuzztime=15s . + go test -fuzz=FuzzNewConstraint -fuzztime=15s . + +$(GOLANGCI_LINT): + # Install golangci-lint. The configuration for it is in the .golangci.yml + # file in the root of the repository + echo ${GOPATH} + curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | sh -s -- -b $(GOPATH)/bin v1.56.2 diff --git a/vendor/github.com/Masterminds/semver/v3/README.md b/vendor/github.com/Masterminds/semver/v3/README.md new file mode 100644 index 0000000000..2f56c676a5 --- /dev/null +++ b/vendor/github.com/Masterminds/semver/v3/README.md @@ -0,0 +1,274 @@ +# SemVer + +The `semver` package provides the ability to work with [Semantic Versions](http://semver.org) in Go. Specifically it provides the ability to: + +* Parse semantic versions +* Sort semantic versions +* Check if a semantic version fits within a set of constraints +* Optionally work with a `v` prefix + +[![Stability: +Active](https://masterminds.github.io/stability/active.svg)](https://masterminds.github.io/stability/active.html) +[![](https://github.com/Masterminds/semver/workflows/Tests/badge.svg)](https://github.com/Masterminds/semver/actions) +[![GoDoc](https://img.shields.io/static/v1?label=godoc&message=reference&color=blue)](https://pkg.go.dev/github.com/Masterminds/semver/v3) +[![Go Report Card](https://goreportcard.com/badge/github.com/Masterminds/semver)](https://goreportcard.com/report/github.com/Masterminds/semver) + +## Package Versions + +Note, import `github.com/Masterminds/semver/v3` to use the latest version. + +There are three major versions fo the `semver` package. + +* 3.x.x is the stable and active version. This version is focused on constraint + compatibility for range handling in other tools from other languages. It has + a similar API to the v1 releases. The development of this version is on the master + branch. The documentation for this version is below. +* 2.x was developed primarily for [dep](https://github.com/golang/dep). There are + no tagged releases and the development was performed by [@sdboyer](https://github.com/sdboyer). + There are API breaking changes from v1. This version lives on the [2.x branch](https://github.com/Masterminds/semver/tree/2.x). +* 1.x.x is the original release. It is no longer maintained. You should use the + v3 release instead. You can read the documentation for the 1.x.x release + [here](https://github.com/Masterminds/semver/blob/release-1/README.md). + +## Parsing Semantic Versions + +There are two functions that can parse semantic versions. The `StrictNewVersion` +function only parses valid version 2 semantic versions as outlined in the +specification. The `NewVersion` function attempts to coerce a version into a +semantic version and parse it. For example, if there is a leading v or a version +listed without all 3 parts (e.g. `v1.2`) it will attempt to coerce it into a valid +semantic version (e.g., 1.2.0). In both cases a `Version` object is returned +that can be sorted, compared, and used in constraints. + +When parsing a version an error is returned if there is an issue parsing the +version. For example, + + v, err := semver.NewVersion("1.2.3-beta.1+build345") + +The version object has methods to get the parts of the version, compare it to +other versions, convert the version back into a string, and get the original +string. Getting the original string is useful if the semantic version was coerced +into a valid form. + +There are package level variables that affect how `NewVersion` handles parsing. + +- `CoerceNewVersion` is `true` by default. When set to `true` it coerces non-compliant + versions into SemVer. For example, allowing a leading 0 in a major, minor, or patch + part. This enables the use of CalVer in versions even when not compliant with SemVer. + When set to `false` less coercion work is done. +- `DetailedNewVersionErrors` provides more detailed errors. It only has an affect when + `CoerceNewVersion` is set to `false`. When `DetailedNewVersionErrors` is set to `true` + it can provide some more insight into why a version is invalid. Setting + `DetailedNewVersionErrors` to `false` is faster on performance but provides less + detailed error messages if a version fails to parse. + +## Sorting Semantic Versions + +A set of versions can be sorted using the `sort` package from the standard library. +For example, + +```go +raw := []string{"1.2.3", "1.0", "1.3", "2", "0.4.2",} +vs := make([]*semver.Version, len(raw)) +for i, r := range raw { + v, err := semver.NewVersion(r) + if err != nil { + t.Errorf("Error parsing version: %s", err) + } + + vs[i] = v +} + +sort.Sort(semver.Collection(vs)) +``` + +## Checking Version Constraints + +There are two methods for comparing versions. One uses comparison methods on +`Version` instances and the other uses `Constraints`. There are some important +differences to notes between these two methods of comparison. + +1. When two versions are compared using functions such as `Compare`, `LessThan`, + and others it will follow the specification and always include pre-releases + within the comparison. It will provide an answer that is valid with the + comparison section of the spec at https://semver.org/#spec-item-11 +2. When constraint checking is used for checks or validation it will follow a + different set of rules that are common for ranges with tools like npm/js + and Rust/Cargo. This includes considering pre-releases to be invalid if the + ranges does not include one. If you want to have it include pre-releases a + simple solution is to include `-0` in your range. +3. Constraint ranges can have some complex rules including the shorthand use of + ~ and ^. For more details on those see the options below. + +There are differences between the two methods or checking versions because the +comparison methods on `Version` follow the specification while comparison ranges +are not part of the specification. Different packages and tools have taken it +upon themselves to come up with range rules. This has resulted in differences. +For example, npm/js and Cargo/Rust follow similar patterns while PHP has a +different pattern for ^. The comparison features in this package follow the +npm/js and Cargo/Rust lead because applications using it have followed similar +patters with their versions. + +Checking a version against version constraints is one of the most featureful +parts of the package. + +```go +c, err := semver.NewConstraint(">= 1.2.3") +if err != nil { + // Handle constraint not being parsable. +} + +v, err := semver.NewVersion("1.3") +if err != nil { + // Handle version not being parsable. +} +// Check if the version meets the constraints. The variable a will be true. +a := c.Check(v) +``` + +### Basic Comparisons + +There are two elements to the comparisons. First, a comparison string is a list +of space or comma separated AND comparisons. These are then separated by || (OR) +comparisons. For example, `">= 1.2 < 3.0.0 || >= 4.2.3"` is looking for a +comparison that's greater than or equal to 1.2 and less than 3.0.0 or is +greater than or equal to 4.2.3. + +The basic comparisons are: + +* `=`: equal (aliased to no operator) +* `!=`: not equal +* `>`: greater than +* `<`: less than +* `>=`: greater than or equal to +* `<=`: less than or equal to + +### Working With Prerelease Versions + +Pre-releases, for those not familiar with them, are used for software releases +prior to stable or generally available releases. Examples of pre-releases include +development, alpha, beta, and release candidate releases. A pre-release may be +a version such as `1.2.3-beta.1` while the stable release would be `1.2.3`. In the +order of precedence, pre-releases come before their associated releases. In this +example `1.2.3-beta.1 < 1.2.3`. + +According to the Semantic Version specification, pre-releases may not be +API compliant with their release counterpart. It says, + +> A pre-release version indicates that the version is unstable and might not satisfy the intended compatibility requirements as denoted by its associated normal version. + +SemVer's comparisons using constraints without a pre-release comparator will skip +pre-release versions. For example, `>=1.2.3` will skip pre-releases when looking +at a list of releases while `>=1.2.3-0` will evaluate and find pre-releases. + +The reason for the `0` as a pre-release version in the example comparison is +because pre-releases can only contain ASCII alphanumerics and hyphens (along with +`.` separators), per the spec. Sorting happens in ASCII sort order, again per the +spec. The lowest character is a `0` in ASCII sort order +(see an [ASCII Table](http://www.asciitable.com/)) + +Understanding ASCII sort ordering is important because A-Z comes before a-z. That +means `>=1.2.3-BETA` will return `1.2.3-alpha`. What you might expect from case +sensitivity doesn't apply here. This is due to ASCII sort ordering which is what +the spec specifies. + +The `Constraints` instance returned from `semver.NewConstraint()` has a property +`IncludePrerelease` that, when set to true, will return prerelease versions when calls +to `Check()` and `Validate()` are made. + +### Hyphen Range Comparisons + +There are multiple methods to handle ranges and the first is hyphens ranges. +These look like: + +* `1.2 - 1.4.5` which is equivalent to `>= 1.2 <= 1.4.5` +* `2.3.4 - 4.5` which is equivalent to `>= 2.3.4 <= 4.5` + +Note that `1.2-1.4.5` without whitespace is parsed completely differently; it's +parsed as a single constraint `1.2.0` with _prerelease_ `1.4.5`. + +### Wildcards In Comparisons + +The `x`, `X`, and `*` characters can be used as a wildcard character. This works +for all comparison operators. When used on the `=` operator it falls +back to the patch level comparison (see tilde below). For example, + +* `1.2.x` is equivalent to `>= 1.2.0, < 1.3.0` +* `>= 1.2.x` is equivalent to `>= 1.2.0` +* `<= 2.x` is equivalent to `< 3` +* `*` is equivalent to `>= 0.0.0` + +### Tilde Range Comparisons (Patch) + +The tilde (`~`) comparison operator is for patch level ranges when a minor +version is specified and major level changes when the minor number is missing. +For example, + +* `~1.2.3` is equivalent to `>= 1.2.3, < 1.3.0` +* `~1` is equivalent to `>= 1, < 2` +* `~2.3` is equivalent to `>= 2.3, < 2.4` +* `~1.2.x` is equivalent to `>= 1.2.0, < 1.3.0` +* `~1.x` is equivalent to `>= 1, < 2` + +### Caret Range Comparisons (Major) + +The caret (`^`) comparison operator is for major level changes once a stable +(1.0.0) release has occurred. Prior to a 1.0.0 release the minor versions acts +as the API stability level. This is useful when comparisons of API versions as a +major change is API breaking. For example, + +* `^1.2.3` is equivalent to `>= 1.2.3, < 2.0.0` +* `^1.2.x` is equivalent to `>= 1.2.0, < 2.0.0` +* `^2.3` is equivalent to `>= 2.3, < 3` +* `^2.x` is equivalent to `>= 2.0.0, < 3` +* `^0.2.3` is equivalent to `>=0.2.3 <0.3.0` +* `^0.2` is equivalent to `>=0.2.0 <0.3.0` +* `^0.0.3` is equivalent to `>=0.0.3 <0.0.4` +* `^0.0` is equivalent to `>=0.0.0 <0.1.0` +* `^0` is equivalent to `>=0.0.0 <1.0.0` + +## Validation + +In addition to testing a version against a constraint, a version can be validated +against a constraint. When validation fails a slice of errors containing why a +version didn't meet the constraint is returned. For example, + +```go +c, err := semver.NewConstraint("<= 1.2.3, >= 1.4") +if err != nil { + // Handle constraint not being parseable. +} + +v, err := semver.NewVersion("1.3") +if err != nil { + // Handle version not being parseable. +} + +// Validate a version against a constraint. +a, msgs := c.Validate(v) +// a is false +for _, m := range msgs { + fmt.Println(m) + + // Loops over the errors which would read + // "1.3 is greater than 1.2.3" + // "1.3 is less than 1.4" +} +``` + +## Contribute + +If you find an issue or want to contribute please file an [issue](https://github.com/Masterminds/semver/issues) +or [create a pull request](https://github.com/Masterminds/semver/pulls). + +## Security + +Security is an important consideration for this project. The project currently +uses the following tools to help discover security issues: + +* [CodeQL](https://codeql.github.com) +* [gosec](https://github.com/securego/gosec) +* Daily Fuzz testing + +If you believe you have found a security vulnerability you can privately disclose +it through the [GitHub security page](https://github.com/Masterminds/semver/security). diff --git a/vendor/github.com/Masterminds/semver/v3/SECURITY.md b/vendor/github.com/Masterminds/semver/v3/SECURITY.md new file mode 100644 index 0000000000..a30a66b1f7 --- /dev/null +++ b/vendor/github.com/Masterminds/semver/v3/SECURITY.md @@ -0,0 +1,19 @@ +# Security Policy + +## Supported Versions + +The following versions of semver are currently supported: + +| Version | Supported | +| ------- | ------------------ | +| 3.x | :white_check_mark: | +| 2.x | :x: | +| 1.x | :x: | + +Fixes are only released for the latest minor version in the form of a patch release. + +## Reporting a Vulnerability + +You can privately disclose a vulnerability through GitHubs +[private vulnerability reporting](https://github.com/Masterminds/semver/security/advisories) +mechanism. diff --git a/vendor/github.com/Masterminds/semver/v3/collection.go b/vendor/github.com/Masterminds/semver/v3/collection.go new file mode 100644 index 0000000000..a78235895f --- /dev/null +++ b/vendor/github.com/Masterminds/semver/v3/collection.go @@ -0,0 +1,24 @@ +package semver + +// Collection is a collection of Version instances and implements the sort +// interface. See the sort package for more details. +// https://golang.org/pkg/sort/ +type Collection []*Version + +// Len returns the length of a collection. The number of Version instances +// on the slice. +func (c Collection) Len() int { + return len(c) +} + +// Less is needed for the sort interface to compare two Version objects on the +// slice. If checks if one is less than the other. +func (c Collection) Less(i, j int) bool { + return c[i].LessThan(c[j]) +} + +// Swap is needed for the sort interface to replace the Version objects +// at two different positions in the slice. +func (c Collection) Swap(i, j int) { + c[i], c[j] = c[j], c[i] +} diff --git a/vendor/github.com/Masterminds/semver/v3/constraints.go b/vendor/github.com/Masterminds/semver/v3/constraints.go new file mode 100644 index 0000000000..8b7a10f836 --- /dev/null +++ b/vendor/github.com/Masterminds/semver/v3/constraints.go @@ -0,0 +1,601 @@ +package semver + +import ( + "bytes" + "errors" + "fmt" + "regexp" + "strings" +) + +// Constraints is one or more constraint that a semantic version can be +// checked against. +type Constraints struct { + constraints [][]*constraint + containsPre []bool + + // IncludePrerelease specifies if pre-releases should be included in + // the results. Note, if a constraint range has a prerelease than + // prereleases will be included for that AND group even if this is + // set to false. + IncludePrerelease bool +} + +// NewConstraint returns a Constraints instance that a Version instance can +// be checked against. If there is a parse error it will be returned. +func NewConstraint(c string) (*Constraints, error) { + + // Rewrite - ranges into a comparison operation. + c = rewriteRange(c) + + ors := strings.Split(c, "||") + lenors := len(ors) + or := make([][]*constraint, lenors) + hasPre := make([]bool, lenors) + for k, v := range ors { + // Validate the segment + if !validConstraintRegex.MatchString(v) { + return nil, fmt.Errorf("improper constraint: %s", v) + } + + cs := findConstraintRegex.FindAllString(v, -1) + if cs == nil { + cs = append(cs, v) + } + result := make([]*constraint, len(cs)) + for i, s := range cs { + pc, err := parseConstraint(s) + if err != nil { + return nil, err + } + + // If one of the constraints has a prerelease record this. + // This information is used when checking all in an "and" + // group to ensure they all check for prereleases. + if pc.con.pre != "" { + hasPre[k] = true + } + + result[i] = pc + } + or[k] = result + } + + o := &Constraints{ + constraints: or, + containsPre: hasPre, + } + return o, nil +} + +// Check tests if a version satisfies the constraints. +func (cs Constraints) Check(v *Version) bool { + // TODO(mattfarina): For v4 of this library consolidate the Check and Validate + // functions as the underlying functions make that possible now. + // loop over the ORs and check the inner ANDs + for i, o := range cs.constraints { + joy := true + for _, c := range o { + if check, _ := c.check(v, (cs.IncludePrerelease || cs.containsPre[i])); !check { + joy = false + break + } + } + + if joy { + return true + } + } + + return false +} + +// Validate checks if a version satisfies a constraint. If not a slice of +// reasons for the failure are returned in addition to a bool. +func (cs Constraints) Validate(v *Version) (bool, []error) { + // loop over the ORs and check the inner ANDs + var e []error + + // Capture the prerelease message only once. When it happens the first time + // this var is marked + var prerelesase bool + for i, o := range cs.constraints { + joy := true + for _, c := range o { + // Before running the check handle the case there the version is + // a prerelease and the check is not searching for prereleases. + if !(cs.IncludePrerelease || cs.containsPre[i]) && v.pre != "" { + if !prerelesase { + em := fmt.Errorf("%s is a prerelease version and the constraint is only looking for release versions", v) + e = append(e, em) + prerelesase = true + } + joy = false + + } else { + + if _, err := c.check(v, (cs.IncludePrerelease || cs.containsPre[i])); err != nil { + e = append(e, err) + joy = false + } + } + } + + if joy { + return true, []error{} + } + } + + return false, e +} + +func (cs Constraints) String() string { + buf := make([]string, len(cs.constraints)) + var tmp bytes.Buffer + + for k, v := range cs.constraints { + tmp.Reset() + vlen := len(v) + for kk, c := range v { + tmp.WriteString(c.string()) + + // Space separate the AND conditions + if vlen > 1 && kk < vlen-1 { + tmp.WriteString(" ") + } + } + buf[k] = tmp.String() + } + + return strings.Join(buf, " || ") +} + +// UnmarshalText implements the encoding.TextUnmarshaler interface. +func (cs *Constraints) UnmarshalText(text []byte) error { + temp, err := NewConstraint(string(text)) + if err != nil { + return err + } + + *cs = *temp + + return nil +} + +// MarshalText implements the encoding.TextMarshaler interface. +func (cs Constraints) MarshalText() ([]byte, error) { + return []byte(cs.String()), nil +} + +var constraintOps map[string]cfunc +var constraintRegex *regexp.Regexp +var constraintRangeRegex *regexp.Regexp + +// Used to find individual constraints within a multi-constraint string +var findConstraintRegex *regexp.Regexp + +// Used to validate an segment of ANDs is valid +var validConstraintRegex *regexp.Regexp + +const cvRegex string = `v?([0-9|x|X|\*]+)(\.[0-9|x|X|\*]+)?(\.[0-9|x|X|\*]+)?` + + `(-([0-9A-Za-z\-]+(\.[0-9A-Za-z\-]+)*))?` + + `(\+([0-9A-Za-z\-]+(\.[0-9A-Za-z\-]+)*))?` + +func init() { + constraintOps = map[string]cfunc{ + "": constraintTildeOrEqual, + "=": constraintTildeOrEqual, + "!=": constraintNotEqual, + ">": constraintGreaterThan, + "<": constraintLessThan, + ">=": constraintGreaterThanEqual, + "=>": constraintGreaterThanEqual, + "<=": constraintLessThanEqual, + "=<": constraintLessThanEqual, + "~": constraintTilde, + "~>": constraintTilde, + "^": constraintCaret, + } + + ops := `=||!=|>|<|>=|=>|<=|=<|~|~>|\^` + + constraintRegex = regexp.MustCompile(fmt.Sprintf( + `^\s*(%s)\s*(%s)\s*$`, + ops, + cvRegex)) + + constraintRangeRegex = regexp.MustCompile(fmt.Sprintf( + `\s*(%s)\s+-\s+(%s)\s*`, + cvRegex, cvRegex)) + + findConstraintRegex = regexp.MustCompile(fmt.Sprintf( + `(%s)\s*(%s)`, + ops, + cvRegex)) + + // The first time a constraint shows up will look slightly different from + // future times it shows up due to a leading space or comma in a given + // string. + validConstraintRegex = regexp.MustCompile(fmt.Sprintf( + `^(\s*(%s)\s*(%s)\s*)((?:\s+|,\s*)(%s)\s*(%s)\s*)*$`, + ops, + cvRegex, + ops, + cvRegex)) +} + +// An individual constraint +type constraint struct { + // The version used in the constraint check. For example, if a constraint + // is '<= 2.0.0' the con a version instance representing 2.0.0. + con *Version + + // The original parsed version (e.g., 4.x from != 4.x) + orig string + + // The original operator for the constraint + origfunc string + + // When an x is used as part of the version (e.g., 1.x) + minorDirty bool + dirty bool + patchDirty bool +} + +// Check if a version meets the constraint +func (c *constraint) check(v *Version, includePre bool) (bool, error) { + return constraintOps[c.origfunc](v, c, includePre) +} + +// String prints an individual constraint into a string +func (c *constraint) string() string { + return c.origfunc + c.orig +} + +type cfunc func(v *Version, c *constraint, includePre bool) (bool, error) + +func parseConstraint(c string) (*constraint, error) { + if len(c) > 0 { + m := constraintRegex.FindStringSubmatch(c) + if m == nil { + return nil, fmt.Errorf("improper constraint: %s", c) + } + + cs := &constraint{ + orig: m[2], + origfunc: m[1], + } + + ver := m[2] + minorDirty := false + patchDirty := false + dirty := false + if isX(m[3]) || m[3] == "" { + ver = fmt.Sprintf("0.0.0%s", m[6]) + dirty = true + } else if isX(strings.TrimPrefix(m[4], ".")) || m[4] == "" { + minorDirty = true + dirty = true + ver = fmt.Sprintf("%s.0.0%s", m[3], m[6]) + } else if isX(strings.TrimPrefix(m[5], ".")) || m[5] == "" { + dirty = true + patchDirty = true + ver = fmt.Sprintf("%s%s.0%s", m[3], m[4], m[6]) + } + + con, err := NewVersion(ver) + if err != nil { + + // The constraintRegex should catch any regex parsing errors. So, + // we should never get here. + return nil, errors.New("constraint parser error") + } + + cs.con = con + cs.minorDirty = minorDirty + cs.patchDirty = patchDirty + cs.dirty = dirty + + return cs, nil + } + + // The rest is the special case where an empty string was passed in which + // is equivalent to * or >=0.0.0 + con, err := StrictNewVersion("0.0.0") + if err != nil { + + // The constraintRegex should catch any regex parsing errors. So, + // we should never get here. + return nil, errors.New("constraint parser error") + } + + cs := &constraint{ + con: con, + orig: c, + origfunc: "", + minorDirty: false, + patchDirty: false, + dirty: true, + } + return cs, nil +} + +// Constraint functions +func constraintNotEqual(v *Version, c *constraint, includePre bool) (bool, error) { + // The existence of prereleases is checked at the group level and passed in. + // Exit early if the version has a prerelease but those are to be ignored. + if v.Prerelease() != "" && !includePre { + return false, fmt.Errorf("%s is a prerelease version and the constraint is only looking for release versions", v) + } + + if c.dirty { + if c.con.Major() != v.Major() { + return true, nil + } + if c.con.Minor() != v.Minor() && !c.minorDirty { + return true, nil + } else if c.minorDirty { + return false, fmt.Errorf("%s is equal to %s", v, c.orig) + } else if c.con.Patch() != v.Patch() && !c.patchDirty { + return true, nil + } else if c.patchDirty { + // Need to handle prereleases if present + if v.Prerelease() != "" || c.con.Prerelease() != "" { + eq := comparePrerelease(v.Prerelease(), c.con.Prerelease()) != 0 + if eq { + return true, nil + } + return false, fmt.Errorf("%s is equal to %s", v, c.orig) + } + return false, fmt.Errorf("%s is equal to %s", v, c.orig) + } + } + + eq := v.Equal(c.con) + if eq { + return false, fmt.Errorf("%s is equal to %s", v, c.orig) + } + + return true, nil +} + +func constraintGreaterThan(v *Version, c *constraint, includePre bool) (bool, error) { + + // The existence of prereleases is checked at the group level and passed in. + // Exit early if the version has a prerelease but those are to be ignored. + if v.Prerelease() != "" && !includePre { + return false, fmt.Errorf("%s is a prerelease version and the constraint is only looking for release versions", v) + } + + var eq bool + + if !c.dirty { + eq = v.Compare(c.con) == 1 + if eq { + return true, nil + } + return false, fmt.Errorf("%s is less than or equal to %s", v, c.orig) + } + + if v.Major() > c.con.Major() { + return true, nil + } else if v.Major() < c.con.Major() { + return false, fmt.Errorf("%s is less than or equal to %s", v, c.orig) + } else if c.minorDirty { + // This is a range case such as >11. When the version is something like + // 11.1.0 is it not > 11. For that we would need 12 or higher + return false, fmt.Errorf("%s is less than or equal to %s", v, c.orig) + } else if c.patchDirty { + // This is for ranges such as >11.1. A version of 11.1.1 is not greater + // which one of 11.2.1 is greater + eq = v.Minor() > c.con.Minor() + if eq { + return true, nil + } + return false, fmt.Errorf("%s is less than or equal to %s", v, c.orig) + } + + // If we have gotten here we are not comparing pre-preleases and can use the + // Compare function to accomplish that. + eq = v.Compare(c.con) == 1 + if eq { + return true, nil + } + return false, fmt.Errorf("%s is less than or equal to %s", v, c.orig) +} + +func constraintLessThan(v *Version, c *constraint, includePre bool) (bool, error) { + // The existence of prereleases is checked at the group level and passed in. + // Exit early if the version has a prerelease but those are to be ignored. + if v.Prerelease() != "" && !includePre { + return false, fmt.Errorf("%s is a prerelease version and the constraint is only looking for release versions", v) + } + + eq := v.Compare(c.con) < 0 + if eq { + return true, nil + } + return false, fmt.Errorf("%s is greater than or equal to %s", v, c.orig) +} + +func constraintGreaterThanEqual(v *Version, c *constraint, includePre bool) (bool, error) { + + // The existence of prereleases is checked at the group level and passed in. + // Exit early if the version has a prerelease but those are to be ignored. + if v.Prerelease() != "" && !includePre { + return false, fmt.Errorf("%s is a prerelease version and the constraint is only looking for release versions", v) + } + + eq := v.Compare(c.con) >= 0 + if eq { + return true, nil + } + return false, fmt.Errorf("%s is less than %s", v, c.orig) +} + +func constraintLessThanEqual(v *Version, c *constraint, includePre bool) (bool, error) { + // The existence of prereleases is checked at the group level and passed in. + // Exit early if the version has a prerelease but those are to be ignored. + if v.Prerelease() != "" && !includePre { + return false, fmt.Errorf("%s is a prerelease version and the constraint is only looking for release versions", v) + } + + var eq bool + + if !c.dirty { + eq = v.Compare(c.con) <= 0 + if eq { + return true, nil + } + return false, fmt.Errorf("%s is greater than %s", v, c.orig) + } + + if v.Major() > c.con.Major() { + return false, fmt.Errorf("%s is greater than %s", v, c.orig) + } else if v.Major() == c.con.Major() && v.Minor() > c.con.Minor() && !c.minorDirty { + return false, fmt.Errorf("%s is greater than %s", v, c.orig) + } + + return true, nil +} + +// ~*, ~>* --> >= 0.0.0 (any) +// ~2, ~2.x, ~2.x.x, ~>2, ~>2.x ~>2.x.x --> >=2.0.0, <3.0.0 +// ~2.0, ~2.0.x, ~>2.0, ~>2.0.x --> >=2.0.0, <2.1.0 +// ~1.2, ~1.2.x, ~>1.2, ~>1.2.x --> >=1.2.0, <1.3.0 +// ~1.2.3, ~>1.2.3 --> >=1.2.3, <1.3.0 +// ~1.2.0, ~>1.2.0 --> >=1.2.0, <1.3.0 +func constraintTilde(v *Version, c *constraint, includePre bool) (bool, error) { + // The existence of prereleases is checked at the group level and passed in. + // Exit early if the version has a prerelease but those are to be ignored. + if v.Prerelease() != "" && !includePre { + return false, fmt.Errorf("%s is a prerelease version and the constraint is only looking for release versions", v) + } + + if v.LessThan(c.con) { + return false, fmt.Errorf("%s is less than %s", v, c.orig) + } + + // ~0.0.0 is a special case where all constraints are accepted. It's + // equivalent to >= 0.0.0. + if c.con.Major() == 0 && c.con.Minor() == 0 && c.con.Patch() == 0 && + !c.minorDirty && !c.patchDirty { + return true, nil + } + + if v.Major() != c.con.Major() { + return false, fmt.Errorf("%s does not have same major version as %s", v, c.orig) + } + + if v.Minor() != c.con.Minor() && !c.minorDirty { + return false, fmt.Errorf("%s does not have same major and minor version as %s", v, c.orig) + } + + return true, nil +} + +// When there is a .x (dirty) status it automatically opts in to ~. Otherwise +// it's a straight = +func constraintTildeOrEqual(v *Version, c *constraint, includePre bool) (bool, error) { + // The existence of prereleases is checked at the group level and passed in. + // Exit early if the version has a prerelease but those are to be ignored. + if v.Prerelease() != "" && !includePre { + return false, fmt.Errorf("%s is a prerelease version and the constraint is only looking for release versions", v) + } + + if c.dirty { + return constraintTilde(v, c, includePre) + } + + eq := v.Equal(c.con) + if eq { + return true, nil + } + + return false, fmt.Errorf("%s is not equal to %s", v, c.orig) +} + +// ^* --> (any) +// ^1.2.3 --> >=1.2.3 <2.0.0 +// ^1.2 --> >=1.2.0 <2.0.0 +// ^1 --> >=1.0.0 <2.0.0 +// ^0.2.3 --> >=0.2.3 <0.3.0 +// ^0.2 --> >=0.2.0 <0.3.0 +// ^0.0.3 --> >=0.0.3 <0.0.4 +// ^0.0 --> >=0.0.0 <0.1.0 +// ^0 --> >=0.0.0 <1.0.0 +func constraintCaret(v *Version, c *constraint, includePre bool) (bool, error) { + // The existence of prereleases is checked at the group level and passed in. + // Exit early if the version has a prerelease but those are to be ignored. + if v.Prerelease() != "" && !includePre { + return false, fmt.Errorf("%s is a prerelease version and the constraint is only looking for release versions", v) + } + + // This less than handles prereleases + if v.LessThan(c.con) { + return false, fmt.Errorf("%s is less than %s", v, c.orig) + } + + var eq bool + + // ^ when the major > 0 is >=x.y.z < x+1 + if c.con.Major() > 0 || c.minorDirty { + + // ^ has to be within a major range for > 0. Everything less than was + // filtered out with the LessThan call above. This filters out those + // that greater but not within the same major range. + eq = v.Major() == c.con.Major() + if eq { + return true, nil + } + return false, fmt.Errorf("%s does not have same major version as %s", v, c.orig) + } + + // ^ when the major is 0 and minor > 0 is >=0.y.z < 0.y+1 + if c.con.Major() == 0 && v.Major() > 0 { + return false, fmt.Errorf("%s does not have same major version as %s", v, c.orig) + } + // If the con Minor is > 0 it is not dirty + if c.con.Minor() > 0 || c.patchDirty { + eq = v.Minor() == c.con.Minor() + if eq { + return true, nil + } + return false, fmt.Errorf("%s does not have same minor version as %s. Expected minor versions to match when constraint major version is 0", v, c.orig) + } + // ^ when the minor is 0 and minor > 0 is =0.0.z + if c.con.Minor() == 0 && v.Minor() > 0 { + return false, fmt.Errorf("%s does not have same minor version as %s", v, c.orig) + } + + // At this point the major is 0 and the minor is 0 and not dirty. The patch + // is not dirty so we need to check if they are equal. If they are not equal + eq = c.con.Patch() == v.Patch() + if eq { + return true, nil + } + return false, fmt.Errorf("%s does not equal %s. Expect version and constraint to equal when major and minor versions are 0", v, c.orig) +} + +func isX(x string) bool { + switch x { + case "x", "*", "X": + return true + default: + return false + } +} + +func rewriteRange(i string) string { + m := constraintRangeRegex.FindAllStringSubmatch(i, -1) + if m == nil { + return i + } + o := i + for _, v := range m { + t := fmt.Sprintf(">= %s, <= %s ", v[1], v[11]) + o = strings.Replace(o, v[0], t, 1) + } + + return o +} diff --git a/vendor/github.com/Masterminds/semver/v3/doc.go b/vendor/github.com/Masterminds/semver/v3/doc.go new file mode 100644 index 0000000000..74f97caa57 --- /dev/null +++ b/vendor/github.com/Masterminds/semver/v3/doc.go @@ -0,0 +1,184 @@ +/* +Package semver provides the ability to work with Semantic Versions (http://semver.org) in Go. + +Specifically it provides the ability to: + + - Parse semantic versions + - Sort semantic versions + - Check if a semantic version fits within a set of constraints + - Optionally work with a `v` prefix + +# Parsing Semantic Versions + +There are two functions that can parse semantic versions. The `StrictNewVersion` +function only parses valid version 2 semantic versions as outlined in the +specification. The `NewVersion` function attempts to coerce a version into a +semantic version and parse it. For example, if there is a leading v or a version +listed without all 3 parts (e.g. 1.2) it will attempt to coerce it into a valid +semantic version (e.g., 1.2.0). In both cases a `Version` object is returned +that can be sorted, compared, and used in constraints. + +When parsing a version an optional error can be returned if there is an issue +parsing the version. For example, + + v, err := semver.NewVersion("1.2.3-beta.1+b345") + +The version object has methods to get the parts of the version, compare it to +other versions, convert the version back into a string, and get the original +string. For more details please see the documentation +at https://godoc.org/github.com/Masterminds/semver. + +# Sorting Semantic Versions + +A set of versions can be sorted using the `sort` package from the standard library. +For example, + + raw := []string{"1.2.3", "1.0", "1.3", "2", "0.4.2",} + vs := make([]*semver.Version, len(raw)) + for i, r := range raw { + v, err := semver.NewVersion(r) + if err != nil { + t.Errorf("Error parsing version: %s", err) + } + + vs[i] = v + } + + sort.Sort(semver.Collection(vs)) + +# Checking Version Constraints and Comparing Versions + +There are two methods for comparing versions. One uses comparison methods on +`Version` instances and the other is using Constraints. There are some important +differences to notes between these two methods of comparison. + + 1. When two versions are compared using functions such as `Compare`, `LessThan`, + and others it will follow the specification and always include prereleases + within the comparison. It will provide an answer valid with the comparison + spec section at https://semver.org/#spec-item-11 + 2. When constraint checking is used for checks or validation it will follow a + different set of rules that are common for ranges with tools like npm/js + and Rust/Cargo. This includes considering prereleases to be invalid if the + ranges does not include on. If you want to have it include pre-releases a + simple solution is to include `-0` in your range. + 3. Constraint ranges can have some complex rules including the shorthard use of + ~ and ^. For more details on those see the options below. + +There are differences between the two methods or checking versions because the +comparison methods on `Version` follow the specification while comparison ranges +are not part of the specification. Different packages and tools have taken it +upon themselves to come up with range rules. This has resulted in differences. +For example, npm/js and Cargo/Rust follow similar patterns which PHP has a +different pattern for ^. The comparison features in this package follow the +npm/js and Cargo/Rust lead because applications using it have followed similar +patters with their versions. + +Checking a version against version constraints is one of the most featureful +parts of the package. + + c, err := semver.NewConstraint(">= 1.2.3") + if err != nil { + // Handle constraint not being parsable. + } + + v, err := semver.NewVersion("1.3") + if err != nil { + // Handle version not being parsable. + } + // Check if the version meets the constraints. The a variable will be true. + a := c.Check(v) + +# Basic Comparisons + +There are two elements to the comparisons. First, a comparison string is a list +of comma or space separated AND comparisons. These are then separated by || (OR) +comparisons. For example, `">= 1.2 < 3.0.0 || >= 4.2.3"` is looking for a +comparison that's greater than or equal to 1.2 and less than 3.0.0 or is +greater than or equal to 4.2.3. This can also be written as +`">= 1.2, < 3.0.0 || >= 4.2.3"` + +The basic comparisons are: + + - `=`: equal (aliased to no operator) + - `!=`: not equal + - `>`: greater than + - `<`: less than + - `>=`: greater than or equal to + - `<=`: less than or equal to + +# Hyphen Range Comparisons + +There are multiple methods to handle ranges and the first is hyphens ranges. +These look like: + + - `1.2 - 1.4.5` which is equivalent to `>= 1.2, <= 1.4.5` + - `2.3.4 - 4.5` which is equivalent to `>= 2.3.4 <= 4.5` + +# Wildcards In Comparisons + +The `x`, `X`, and `*` characters can be used as a wildcard character. This works +for all comparison operators. When used on the `=` operator it falls +back to the tilde operation. For example, + + - `1.2.x` is equivalent to `>= 1.2.0 < 1.3.0` + - `>= 1.2.x` is equivalent to `>= 1.2.0` + - `<= 2.x` is equivalent to `<= 3` + - `*` is equivalent to `>= 0.0.0` + +Tilde Range Comparisons (Patch) + +The tilde (`~`) comparison operator is for patch level ranges when a minor +version is specified and major level changes when the minor number is missing. +For example, + + - `~1.2.3` is equivalent to `>= 1.2.3 < 1.3.0` + - `~1` is equivalent to `>= 1, < 2` + - `~2.3` is equivalent to `>= 2.3 < 2.4` + - `~1.2.x` is equivalent to `>= 1.2.0 < 1.3.0` + - `~1.x` is equivalent to `>= 1 < 2` + +Caret Range Comparisons (Major) + +The caret (`^`) comparison operator is for major level changes once a stable +(1.0.0) release has occurred. Prior to a 1.0.0 release the minor versions acts +as the API stability level. This is useful when comparisons of API versions as a +major change is API breaking. For example, + + - `^1.2.3` is equivalent to `>= 1.2.3, < 2.0.0` + - `^1.2.x` is equivalent to `>= 1.2.0, < 2.0.0` + - `^2.3` is equivalent to `>= 2.3, < 3` + - `^2.x` is equivalent to `>= 2.0.0, < 3` + - `^0.2.3` is equivalent to `>=0.2.3 <0.3.0` + - `^0.2` is equivalent to `>=0.2.0 <0.3.0` + - `^0.0.3` is equivalent to `>=0.0.3 <0.0.4` + - `^0.0` is equivalent to `>=0.0.0 <0.1.0` + - `^0` is equivalent to `>=0.0.0 <1.0.0` + +# Validation + +In addition to testing a version against a constraint, a version can be validated +against a constraint. When validation fails a slice of errors containing why a +version didn't meet the constraint is returned. For example, + + c, err := semver.NewConstraint("<= 1.2.3, >= 1.4") + if err != nil { + // Handle constraint not being parseable. + } + + v, _ := semver.NewVersion("1.3") + if err != nil { + // Handle version not being parseable. + } + + // Validate a version against a constraint. + a, msgs := c.Validate(v) + // a is false + for _, m := range msgs { + fmt.Println(m) + + // Loops over the errors which would read + // "1.3 is greater than 1.2.3" + // "1.3 is less than 1.4" + } +*/ +package semver diff --git a/vendor/github.com/Masterminds/semver/v3/version.go b/vendor/github.com/Masterminds/semver/v3/version.go new file mode 100644 index 0000000000..7a3ba73887 --- /dev/null +++ b/vendor/github.com/Masterminds/semver/v3/version.go @@ -0,0 +1,788 @@ +package semver + +import ( + "bytes" + "database/sql/driver" + "encoding/json" + "errors" + "fmt" + "regexp" + "strconv" + "strings" +) + +// The compiled version of the regex created at init() is cached here so it +// only needs to be created once. +var versionRegex *regexp.Regexp +var looseVersionRegex *regexp.Regexp + +// CoerceNewVersion sets if leading 0's are allowd in the version part. Leading 0's are +// not allowed in a valid semantic version. When set to true, NewVersion will coerce +// leading 0's into a valid version. +var CoerceNewVersion = true + +// DetailedNewVersionErrors specifies if detailed errors are returned from the NewVersion +// function. This is used when CoerceNewVersion is set to false. If set to false +// ErrInvalidSemVer is returned for an invalid version. This does not apply to +// StrictNewVersion. Setting this function to false returns errors more quickly. +var DetailedNewVersionErrors = true + +var ( + // ErrInvalidSemVer is returned a version is found to be invalid when + // being parsed. + ErrInvalidSemVer = errors.New("invalid semantic version") + + // ErrEmptyString is returned when an empty string is passed in for parsing. + ErrEmptyString = errors.New("version string empty") + + // ErrInvalidCharacters is returned when invalid characters are found as + // part of a version + ErrInvalidCharacters = errors.New("invalid characters in version") + + // ErrSegmentStartsZero is returned when a version segment starts with 0. + // This is invalid in SemVer. + ErrSegmentStartsZero = errors.New("version segment starts with 0") + + // ErrInvalidMetadata is returned when the metadata is an invalid format + ErrInvalidMetadata = errors.New("invalid metadata string") + + // ErrInvalidPrerelease is returned when the pre-release is an invalid format + ErrInvalidPrerelease = errors.New("invalid prerelease string") +) + +// semVerRegex is the regular expression used to parse a semantic version. +// This is not the official regex from the semver spec. It has been modified to allow for loose handling +// where versions like 2.1 are detected. +const semVerRegex string = `v?(0|[1-9]\d*)(?:\.(0|[1-9]\d*))?(?:\.(0|[1-9]\d*))?` + + `(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?` + + `(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?` + +// looseSemVerRegex is a regular expression that lets invalid semver expressions through +// with enough detail that certain errors can be checked for. +const looseSemVerRegex string = `v?([0-9]+)(\.[0-9]+)?(\.[0-9]+)?` + + `(-([0-9A-Za-z\-]+(\.[0-9A-Za-z\-]+)*))?` + + `(\+([0-9A-Za-z\-]+(\.[0-9A-Za-z\-]+)*))?` + +// Version represents a single semantic version. +type Version struct { + major, minor, patch uint64 + pre string + metadata string + original string +} + +func init() { + versionRegex = regexp.MustCompile("^" + semVerRegex + "$") + looseVersionRegex = regexp.MustCompile("^" + looseSemVerRegex + "$") +} + +const ( + num string = "0123456789" + allowed string = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ-" + num +) + +// StrictNewVersion parses a given version and returns an instance of Version or +// an error if unable to parse the version. Only parses valid semantic versions. +// Performs checking that can find errors within the version. +// If you want to coerce a version such as 1 or 1.2 and parse it as the 1.x +// releases of semver did, use the NewVersion() function. +func StrictNewVersion(v string) (*Version, error) { + // Parsing here does not use RegEx in order to increase performance and reduce + // allocations. + + if len(v) == 0 { + return nil, ErrEmptyString + } + + // Split the parts into [0]major, [1]minor, and [2]patch,prerelease,build + parts := strings.SplitN(v, ".", 3) + if len(parts) != 3 { + return nil, ErrInvalidSemVer + } + + sv := &Version{ + original: v, + } + + // Extract build metadata + if strings.Contains(parts[2], "+") { + extra := strings.SplitN(parts[2], "+", 2) + sv.metadata = extra[1] + parts[2] = extra[0] + if err := validateMetadata(sv.metadata); err != nil { + return nil, err + } + } + + // Extract build prerelease + if strings.Contains(parts[2], "-") { + extra := strings.SplitN(parts[2], "-", 2) + sv.pre = extra[1] + parts[2] = extra[0] + if err := validatePrerelease(sv.pre); err != nil { + return nil, err + } + } + + // Validate the number segments are valid. This includes only having positive + // numbers and no leading 0's. + for _, p := range parts { + if !containsOnly(p, num) { + return nil, ErrInvalidCharacters + } + + if len(p) > 1 && p[0] == '0' { + return nil, ErrSegmentStartsZero + } + } + + // Extract major, minor, and patch + var err error + sv.major, err = strconv.ParseUint(parts[0], 10, 64) + if err != nil { + return nil, err + } + + sv.minor, err = strconv.ParseUint(parts[1], 10, 64) + if err != nil { + return nil, err + } + + sv.patch, err = strconv.ParseUint(parts[2], 10, 64) + if err != nil { + return nil, err + } + + return sv, nil +} + +// NewVersion parses a given version and returns an instance of Version or +// an error if unable to parse the version. If the version is SemVer-ish it +// attempts to convert it to SemVer. If you want to validate it was a strict +// semantic version at parse time see StrictNewVersion(). +func NewVersion(v string) (*Version, error) { + if CoerceNewVersion { + return coerceNewVersion(v) + } + m := versionRegex.FindStringSubmatch(v) + if m == nil { + + // Disabling detailed errors is first so that it is in the fast path. + if !DetailedNewVersionErrors { + return nil, ErrInvalidSemVer + } + + // Check for specific errors with the semver string and return a more detailed + // error. + m = looseVersionRegex.FindStringSubmatch(v) + if m == nil { + return nil, ErrInvalidSemVer + } + err := validateVersion(m) + if err != nil { + return nil, err + } + return nil, ErrInvalidSemVer + } + + sv := &Version{ + metadata: m[5], + pre: m[4], + original: v, + } + + var err error + sv.major, err = strconv.ParseUint(m[1], 10, 64) + if err != nil { + return nil, fmt.Errorf("error parsing version segment: %w", err) + } + + if m[2] != "" { + sv.minor, err = strconv.ParseUint(m[2], 10, 64) + if err != nil { + return nil, fmt.Errorf("error parsing version segment: %w", err) + } + } else { + sv.minor = 0 + } + + if m[3] != "" { + sv.patch, err = strconv.ParseUint(m[3], 10, 64) + if err != nil { + return nil, fmt.Errorf("error parsing version segment: %w", err) + } + } else { + sv.patch = 0 + } + + // Perform some basic due diligence on the extra parts to ensure they are + // valid. + + if sv.pre != "" { + if err = validatePrerelease(sv.pre); err != nil { + return nil, err + } + } + + if sv.metadata != "" { + if err = validateMetadata(sv.metadata); err != nil { + return nil, err + } + } + + return sv, nil +} + +func coerceNewVersion(v string) (*Version, error) { + m := looseVersionRegex.FindStringSubmatch(v) + if m == nil { + return nil, ErrInvalidSemVer + } + + sv := &Version{ + metadata: m[8], + pre: m[5], + original: v, + } + + var err error + sv.major, err = strconv.ParseUint(m[1], 10, 64) + if err != nil { + return nil, fmt.Errorf("error parsing version segment: %w", err) + } + + if m[2] != "" { + sv.minor, err = strconv.ParseUint(strings.TrimPrefix(m[2], "."), 10, 64) + if err != nil { + return nil, fmt.Errorf("error parsing version segment: %w", err) + } + } else { + sv.minor = 0 + } + + if m[3] != "" { + sv.patch, err = strconv.ParseUint(strings.TrimPrefix(m[3], "."), 10, 64) + if err != nil { + return nil, fmt.Errorf("error parsing version segment: %w", err) + } + } else { + sv.patch = 0 + } + + // Perform some basic due diligence on the extra parts to ensure they are + // valid. + + if sv.pre != "" { + if err = validatePrerelease(sv.pre); err != nil { + return nil, err + } + } + + if sv.metadata != "" { + if err = validateMetadata(sv.metadata); err != nil { + return nil, err + } + } + + return sv, nil +} + +// New creates a new instance of Version with each of the parts passed in as +// arguments instead of parsing a version string. +func New(major, minor, patch uint64, pre, metadata string) *Version { + v := Version{ + major: major, + minor: minor, + patch: patch, + pre: pre, + metadata: metadata, + original: "", + } + + v.original = v.String() + + return &v +} + +// MustParse parses a given version and panics on error. +func MustParse(v string) *Version { + sv, err := NewVersion(v) + if err != nil { + panic(err) + } + return sv +} + +// String converts a Version object to a string. +// Note, if the original version contained a leading v this version will not. +// See the Original() method to retrieve the original value. Semantic Versions +// don't contain a leading v per the spec. Instead it's optional on +// implementation. +func (v Version) String() string { + var buf bytes.Buffer + + fmt.Fprintf(&buf, "%d.%d.%d", v.major, v.minor, v.patch) + if v.pre != "" { + fmt.Fprintf(&buf, "-%s", v.pre) + } + if v.metadata != "" { + fmt.Fprintf(&buf, "+%s", v.metadata) + } + + return buf.String() +} + +// Original returns the original value passed in to be parsed. +func (v *Version) Original() string { + return v.original +} + +// Major returns the major version. +func (v Version) Major() uint64 { + return v.major +} + +// Minor returns the minor version. +func (v Version) Minor() uint64 { + return v.minor +} + +// Patch returns the patch version. +func (v Version) Patch() uint64 { + return v.patch +} + +// Prerelease returns the pre-release version. +func (v Version) Prerelease() string { + return v.pre +} + +// Metadata returns the metadata on the version. +func (v Version) Metadata() string { + return v.metadata +} + +// originalVPrefix returns the original 'v' prefix if any. +func (v Version) originalVPrefix() string { + // Note, only lowercase v is supported as a prefix by the parser. + if v.original != "" && v.original[:1] == "v" { + return v.original[:1] + } + return "" +} + +// IncPatch produces the next patch version. +// If the current version does not have prerelease/metadata information, +// it unsets metadata and prerelease values, increments patch number. +// If the current version has any of prerelease or metadata information, +// it unsets both values and keeps current patch value +func (v Version) IncPatch() Version { + vNext := v + // according to http://semver.org/#spec-item-9 + // Pre-release versions have a lower precedence than the associated normal version. + // according to http://semver.org/#spec-item-10 + // Build metadata SHOULD be ignored when determining version precedence. + if v.pre != "" { + vNext.metadata = "" + vNext.pre = "" + } else { + vNext.metadata = "" + vNext.pre = "" + vNext.patch = v.patch + 1 + } + vNext.original = v.originalVPrefix() + "" + vNext.String() + return vNext +} + +// IncMinor produces the next minor version. +// Sets patch to 0. +// Increments minor number. +// Unsets metadata. +// Unsets prerelease status. +func (v Version) IncMinor() Version { + vNext := v + vNext.metadata = "" + vNext.pre = "" + vNext.patch = 0 + vNext.minor = v.minor + 1 + vNext.original = v.originalVPrefix() + "" + vNext.String() + return vNext +} + +// IncMajor produces the next major version. +// Sets patch to 0. +// Sets minor to 0. +// Increments major number. +// Unsets metadata. +// Unsets prerelease status. +func (v Version) IncMajor() Version { + vNext := v + vNext.metadata = "" + vNext.pre = "" + vNext.patch = 0 + vNext.minor = 0 + vNext.major = v.major + 1 + vNext.original = v.originalVPrefix() + "" + vNext.String() + return vNext +} + +// SetPrerelease defines the prerelease value. +// Value must not include the required 'hyphen' prefix. +func (v Version) SetPrerelease(prerelease string) (Version, error) { + vNext := v + if len(prerelease) > 0 { + if err := validatePrerelease(prerelease); err != nil { + return vNext, err + } + } + vNext.pre = prerelease + vNext.original = v.originalVPrefix() + "" + vNext.String() + return vNext, nil +} + +// SetMetadata defines metadata value. +// Value must not include the required 'plus' prefix. +func (v Version) SetMetadata(metadata string) (Version, error) { + vNext := v + if len(metadata) > 0 { + if err := validateMetadata(metadata); err != nil { + return vNext, err + } + } + vNext.metadata = metadata + vNext.original = v.originalVPrefix() + "" + vNext.String() + return vNext, nil +} + +// LessThan tests if one version is less than another one. +func (v *Version) LessThan(o *Version) bool { + return v.Compare(o) < 0 +} + +// LessThanEqual tests if one version is less or equal than another one. +func (v *Version) LessThanEqual(o *Version) bool { + return v.Compare(o) <= 0 +} + +// GreaterThan tests if one version is greater than another one. +func (v *Version) GreaterThan(o *Version) bool { + return v.Compare(o) > 0 +} + +// GreaterThanEqual tests if one version is greater or equal than another one. +func (v *Version) GreaterThanEqual(o *Version) bool { + return v.Compare(o) >= 0 +} + +// Equal tests if two versions are equal to each other. +// Note, versions can be equal with different metadata since metadata +// is not considered part of the comparable version. +func (v *Version) Equal(o *Version) bool { + if v == o { + return true + } + if v == nil || o == nil { + return false + } + return v.Compare(o) == 0 +} + +// Compare compares this version to another one. It returns -1, 0, or 1 if +// the version smaller, equal, or larger than the other version. +// +// Versions are compared by X.Y.Z. Build metadata is ignored. Prerelease is +// lower than the version without a prerelease. Compare always takes into account +// prereleases. If you want to work with ranges using typical range syntaxes that +// skip prereleases if the range is not looking for them use constraints. +func (v *Version) Compare(o *Version) int { + // Compare the major, minor, and patch version for differences. If a + // difference is found return the comparison. + if d := compareSegment(v.Major(), o.Major()); d != 0 { + return d + } + if d := compareSegment(v.Minor(), o.Minor()); d != 0 { + return d + } + if d := compareSegment(v.Patch(), o.Patch()); d != 0 { + return d + } + + // At this point the major, minor, and patch versions are the same. + ps := v.pre + po := o.Prerelease() + + if ps == "" && po == "" { + return 0 + } + if ps == "" { + return 1 + } + if po == "" { + return -1 + } + + return comparePrerelease(ps, po) +} + +// UnmarshalJSON implements JSON.Unmarshaler interface. +func (v *Version) UnmarshalJSON(b []byte) error { + var s string + if err := json.Unmarshal(b, &s); err != nil { + return err + } + temp, err := NewVersion(s) + if err != nil { + return err + } + v.major = temp.major + v.minor = temp.minor + v.patch = temp.patch + v.pre = temp.pre + v.metadata = temp.metadata + v.original = temp.original + return nil +} + +// MarshalJSON implements JSON.Marshaler interface. +func (v Version) MarshalJSON() ([]byte, error) { + return json.Marshal(v.String()) +} + +// UnmarshalText implements the encoding.TextUnmarshaler interface. +func (v *Version) UnmarshalText(text []byte) error { + temp, err := NewVersion(string(text)) + if err != nil { + return err + } + + *v = *temp + + return nil +} + +// MarshalText implements the encoding.TextMarshaler interface. +func (v Version) MarshalText() ([]byte, error) { + return []byte(v.String()), nil +} + +// Scan implements the SQL.Scanner interface. +func (v *Version) Scan(value interface{}) error { + var s string + s, _ = value.(string) + temp, err := NewVersion(s) + if err != nil { + return err + } + v.major = temp.major + v.minor = temp.minor + v.patch = temp.patch + v.pre = temp.pre + v.metadata = temp.metadata + v.original = temp.original + return nil +} + +// Value implements the Driver.Valuer interface. +func (v Version) Value() (driver.Value, error) { + return v.String(), nil +} + +func compareSegment(v, o uint64) int { + if v < o { + return -1 + } + if v > o { + return 1 + } + + return 0 +} + +func comparePrerelease(v, o string) int { + // split the prelease versions by their part. The separator, per the spec, + // is a . + sparts := strings.Split(v, ".") + oparts := strings.Split(o, ".") + + // Find the longer length of the parts to know how many loop iterations to + // go through. + slen := len(sparts) + olen := len(oparts) + + l := slen + if olen > slen { + l = olen + } + + // Iterate over each part of the prereleases to compare the differences. + for i := 0; i < l; i++ { + // Since the lentgh of the parts can be different we need to create + // a placeholder. This is to avoid out of bounds issues. + stemp := "" + if i < slen { + stemp = sparts[i] + } + + otemp := "" + if i < olen { + otemp = oparts[i] + } + + d := comparePrePart(stemp, otemp) + if d != 0 { + return d + } + } + + // Reaching here means two versions are of equal value but have different + // metadata (the part following a +). They are not identical in string form + // but the version comparison finds them to be equal. + return 0 +} + +func comparePrePart(s, o string) int { + // Fastpath if they are equal + if s == o { + return 0 + } + + // When s or o are empty we can use the other in an attempt to determine + // the response. + if s == "" { + if o != "" { + return -1 + } + return 1 + } + + if o == "" { + if s != "" { + return 1 + } + return -1 + } + + // When comparing strings "99" is greater than "103". To handle + // cases like this we need to detect numbers and compare them. According + // to the semver spec, numbers are always positive. If there is a - at the + // start like -99 this is to be evaluated as an alphanum. numbers always + // have precedence over alphanum. Parsing as Uints because negative numbers + // are ignored. + + oi, n1 := strconv.ParseUint(o, 10, 64) + si, n2 := strconv.ParseUint(s, 10, 64) + + // The case where both are strings compare the strings + if n1 != nil && n2 != nil { + if s > o { + return 1 + } + return -1 + } else if n1 != nil { + // o is a string and s is a number + return -1 + } else if n2 != nil { + // s is a string and o is a number + return 1 + } + // Both are numbers + if si > oi { + return 1 + } + return -1 +} + +// Like strings.ContainsAny but does an only instead of any. +func containsOnly(s string, comp string) bool { + return strings.IndexFunc(s, func(r rune) bool { + return !strings.ContainsRune(comp, r) + }) == -1 +} + +// From the spec, "Identifiers MUST comprise only +// ASCII alphanumerics and hyphen [0-9A-Za-z-]. Identifiers MUST NOT be empty. +// Numeric identifiers MUST NOT include leading zeroes.". These segments can +// be dot separated. +func validatePrerelease(p string) error { + eparts := strings.Split(p, ".") + for _, p := range eparts { + if p == "" { + return ErrInvalidPrerelease + } else if containsOnly(p, num) { + if len(p) > 1 && p[0] == '0' { + return ErrSegmentStartsZero + } + } else if !containsOnly(p, allowed) { + return ErrInvalidPrerelease + } + } + + return nil +} + +// From the spec, "Build metadata MAY be denoted by +// appending a plus sign and a series of dot separated identifiers immediately +// following the patch or pre-release version. Identifiers MUST comprise only +// ASCII alphanumerics and hyphen [0-9A-Za-z-]. Identifiers MUST NOT be empty." +func validateMetadata(m string) error { + eparts := strings.Split(m, ".") + for _, p := range eparts { + if p == "" { + return ErrInvalidMetadata + } else if !containsOnly(p, allowed) { + return ErrInvalidMetadata + } + } + return nil +} + +// validateVersion checks for common validation issues but may not catch all errors +func validateVersion(m []string) error { + var err error + var v string + if m[1] != "" { + if len(m[1]) > 1 && m[1][0] == '0' { + return ErrSegmentStartsZero + } + _, err = strconv.ParseUint(m[1], 10, 64) + if err != nil { + return fmt.Errorf("error parsing version segment: %w", err) + } + } + + if m[2] != "" { + v = strings.TrimPrefix(m[2], ".") + if len(v) > 1 && v[0] == '0' { + return ErrSegmentStartsZero + } + _, err = strconv.ParseUint(v, 10, 64) + if err != nil { + return fmt.Errorf("error parsing version segment: %w", err) + } + } + + if m[3] != "" { + v = strings.TrimPrefix(m[3], ".") + if len(v) > 1 && v[0] == '0' { + return ErrSegmentStartsZero + } + _, err = strconv.ParseUint(v, 10, 64) + if err != nil { + return fmt.Errorf("error parsing version segment: %w", err) + } + } + + if m[5] != "" { + if err = validatePrerelease(m[5]); err != nil { + return err + } + } + + if m[8] != "" { + if err = validateMetadata(m[8]); err != nil { + return err + } + } + + return nil +} diff --git a/vendor/github.com/Masterminds/sprig/v3/.gitignore b/vendor/github.com/Masterminds/sprig/v3/.gitignore new file mode 100644 index 0000000000..5e3002f88f --- /dev/null +++ b/vendor/github.com/Masterminds/sprig/v3/.gitignore @@ -0,0 +1,2 @@ +vendor/ +/.glide diff --git a/vendor/github.com/Masterminds/sprig/v3/CHANGELOG.md b/vendor/github.com/Masterminds/sprig/v3/CHANGELOG.md new file mode 100644 index 0000000000..b5ef766a7a --- /dev/null +++ b/vendor/github.com/Masterminds/sprig/v3/CHANGELOG.md @@ -0,0 +1,401 @@ +# Changelog + +## Release 3.3.0 (2024-08-29) + +### Added + +- #400: added sha512sum function (thanks @itzik-elayev) + +### Changed + +- #407: Removed duplicate documentation (functions were documentated in 2 places) +- #290: Corrected copy/paster oops in math documentation (thanks @zzhu41) +- #369: Corrected template reference in docs (thanks @chey) +- #375: Added link to URL documenation (thanks @carlpett) +- #406: Updated the mergo dependency which had a breaking change (which was accounted for) +- #376: Fixed documentation error (thanks @jheyduk) +- #404: Updated dependency tree +- #391: Fixed misspelling (thanks @chrishalbert) +- #405: Updated Go versions used in testing + +## Release 3.2.3 (2022-11-29) + +### Changed + +- Updated docs (thanks @book987 @aJetHorn @neelayu @pellizzetti @apricote @SaigyoujiYuyuko233 @AlekSi) +- #348: Updated huandu/xstrings which fixed a snake case bug (thanks @yxxhero) +- #353: Updated masterminds/semver which included bug fixes +- #354: Updated golang.org/x/crypto which included bug fixes + +## Release 3.2.2 (2021-02-04) + +This is a re-release of 3.2.1 to satisfy something with the Go module system. + +## Release 3.2.1 (2021-02-04) + +### Changed + +- Upgraded `Masterminds/goutils` to `v1.1.1`. see the [Security Advisory](https://github.com/Masterminds/goutils/security/advisories/GHSA-xg2h-wx96-xgxr) + +## Release 3.2.0 (2020-12-14) + +### Added + +- #211: Added randInt function (thanks @kochurovro) +- #223: Added fromJson and mustFromJson functions (thanks @mholt) +- #242: Added a bcrypt function (thanks @robbiet480) +- #253: Added randBytes function (thanks @MikaelSmith) +- #254: Added dig function for dicts (thanks @nyarly) +- #257: Added regexQuoteMeta for quoting regex metadata (thanks @rheaton) +- #261: Added filepath functions osBase, osDir, osExt, osClean, osIsAbs (thanks @zugl) +- #268: Added and and all functions for testing conditions (thanks @phuslu) +- #181: Added float64 arithmetic addf, add1f, subf, divf, mulf, maxf, and minf + (thanks @andrewmostello) +- #265: Added chunk function to split array into smaller arrays (thanks @karelbilek) +- #270: Extend certificate functions to handle non-RSA keys + add support for + ed25519 keys (thanks @misberner) + +### Changed + +- Removed testing and support for Go 1.12. ed25519 support requires Go 1.13 or newer +- Using semver 3.1.1 and mergo 0.3.11 + +### Fixed + +- #249: Fix htmlDateInZone example (thanks @spawnia) + +NOTE: The dependency github.com/imdario/mergo reverted the breaking change in +0.3.9 via 0.3.10 release. + +## Release 3.1.0 (2020-04-16) + +NOTE: The dependency github.com/imdario/mergo made a behavior change in 0.3.9 +that impacts sprig functionality. Do not use sprig with a version newer than 0.3.8. + +### Added + +- #225: Added support for generating htpasswd hash (thanks @rustycl0ck) +- #224: Added duration filter (thanks @frebib) +- #205: Added `seq` function (thanks @thadc23) + +### Changed + +- #203: Unlambda functions with correct signature (thanks @muesli) +- #236: Updated the license formatting for GitHub display purposes +- #238: Updated package dependency versions. Note, mergo not updated to 0.3.9 + as it causes a breaking change for sprig. That issue is tracked at + https://github.com/imdario/mergo/issues/139 + +### Fixed + +- #229: Fix `seq` example in docs (thanks @kalmant) + +## Release 3.0.2 (2019-12-13) + +### Fixed + +- #220: Updating to semver v3.0.3 to fix issue with <= ranges +- #218: fix typo elyptical->elliptic in ecdsa key description (thanks @laverya) + +## Release 3.0.1 (2019-12-08) + +### Fixed + +- #212: Updated semver fixing broken constraint checking with ^0.0 + +## Release 3.0.0 (2019-10-02) + +### Added + +- #187: Added durationRound function (thanks @yjp20) +- #189: Added numerous template functions that return errors rather than panic (thanks @nrvnrvn) +- #193: Added toRawJson support (thanks @Dean-Coakley) +- #197: Added get support to dicts (thanks @Dean-Coakley) + +### Changed + +- #186: Moving dependency management to Go modules +- #186: Updated semver to v3. This has changes in the way ^ is handled +- #194: Updated documentation on merging and how it copies. Added example using deepCopy +- #196: trunc now supports negative values (thanks @Dean-Coakley) + +## Release 2.22.0 (2019-10-02) + +### Added + +- #173: Added getHostByName function to resolve dns names to ips (thanks @fcgravalos) +- #195: Added deepCopy function for use with dicts + +### Changed + +- Updated merge and mergeOverwrite documentation to explain copying and how to + use deepCopy with it + +## Release 2.21.0 (2019-09-18) + +### Added + +- #122: Added encryptAES/decryptAES functions (thanks @n0madic) +- #128: Added toDecimal support (thanks @Dean-Coakley) +- #169: Added list contcat (thanks @astorath) +- #174: Added deepEqual function (thanks @bonifaido) +- #170: Added url parse and join functions (thanks @astorath) + +### Changed + +- #171: Updated glide config for Google UUID to v1 and to add ranges to semver and testify + +### Fixed + +- #172: Fix semver wildcard example (thanks @piepmatz) +- #175: Fix dateInZone doc example (thanks @s3than) + +## Release 2.20.0 (2019-06-18) + +### Added + +- #164: Adding function to get unix epoch for a time (@mattfarina) +- #166: Adding tests for date_in_zone (@mattfarina) + +### Changed + +- #144: Fix function comments based on best practices from Effective Go (@CodeLingoTeam) +- #150: Handles pointer type for time.Time in "htmlDate" (@mapreal19) +- #161, #157, #160, #153, #158, #156, #155, #159, #152 documentation updates (@badeadan) + +### Fixed + +## Release 2.19.0 (2019-03-02) + +IMPORTANT: This release reverts a change from 2.18.0 + +In the previous release (2.18), we prematurely merged a partial change to the crypto functions that led to creating two sets of crypto functions (I blame @technosophos -- since that's me). This release rolls back that change, and does what was originally intended: It alters the existing crypto functions to use secure random. + +We debated whether this classifies as a change worthy of major revision, but given the proximity to the last release, we have decided that treating 2.18 as a faulty release is the correct course of action. We apologize for any inconvenience. + +### Changed + +- Fix substr panic 35fb796 (Alexey igrychev) +- Remove extra period 1eb7729 (Matthew Lorimor) +- Make random string functions use crypto by default 6ceff26 (Matthew Lorimor) +- README edits/fixes/suggestions 08fe136 (Lauri Apple) + + +## Release 2.18.0 (2019-02-12) + +### Added + +- Added mergeOverwrite function +- cryptographic functions that use secure random (see fe1de12) + +### Changed + +- Improve documentation of regexMatch function, resolves #139 90b89ce (Jan Tagscherer) +- Handle has for nil list 9c10885 (Daniel Cohen) +- Document behaviour of mergeOverwrite fe0dbe9 (Lukas Rieder) +- doc: adds missing documentation. 4b871e6 (Fernandez Ludovic) +- Replace outdated goutils imports 01893d2 (Matthew Lorimor) +- Surface crypto secure random strings from goutils fe1de12 (Matthew Lorimor) +- Handle untyped nil values as paramters to string functions 2b2ec8f (Morten Torkildsen) + +### Fixed + +- Fix dict merge issue and provide mergeOverwrite .dst .src1 to overwrite from src -> dst 4c59c12 (Lukas Rieder) +- Fix substr var names and comments d581f80 (Dean Coakley) +- Fix substr documentation 2737203 (Dean Coakley) + +## Release 2.17.1 (2019-01-03) + +### Fixed + +The 2.17.0 release did not have a version pinned for xstrings, which caused compilation failures when xstrings < 1.2 was used. This adds the correct version string to glide.yaml. + +## Release 2.17.0 (2019-01-03) + +### Added + +- adds alder32sum function and test 6908fc2 (marshallford) +- Added kebabcase function ca331a1 (Ilyes512) + +### Changed + +- Update goutils to 1.1.0 4e1125d (Matt Butcher) + +### Fixed + +- Fix 'has' documentation e3f2a85 (dean-coakley) +- docs(dict): fix typo in pick example dc424f9 (Dustin Specker) +- fixes spelling errors... not sure how that happened 4cf188a (marshallford) + +## Release 2.16.0 (2018-08-13) + +### Added + +- add splitn function fccb0b0 (Helgi Þorbjörnsson) +- Add slice func df28ca7 (gongdo) +- Generate serial number a3bdffd (Cody Coons) +- Extract values of dict with values function df39312 (Lawrence Jones) + +### Changed + +- Modify panic message for list.slice ae38335 (gongdo) +- Minor improvement in code quality - Removed an unreachable piece of code at defaults.go#L26:6 - Resolve formatting issues. 5834241 (Abhishek Kashyap) +- Remove duplicated documentation 1d97af1 (Matthew Fisher) +- Test on go 1.11 49df809 (Helgi Þormar Þorbjörnsson) + +### Fixed + +- Fix file permissions c5f40b5 (gongdo) +- Fix example for buildCustomCert 7779e0d (Tin Lam) + +## Release 2.15.0 (2018-04-02) + +### Added + +- #68 and #69: Add json helpers to docs (thanks @arunvelsriram) +- #66: Add ternary function (thanks @binoculars) +- #67: Allow keys function to take multiple dicts (thanks @binoculars) +- #89: Added sha1sum to crypto function (thanks @benkeil) +- #81: Allow customizing Root CA that used by genSignedCert (thanks @chenzhiwei) +- #92: Add travis testing for go 1.10 +- #93: Adding appveyor config for windows testing + +### Changed + +- #90: Updating to more recent dependencies +- #73: replace satori/go.uuid with google/uuid (thanks @petterw) + +### Fixed + +- #76: Fixed documentation typos (thanks @Thiht) +- Fixed rounding issue on the `ago` function. Note, the removes support for Go 1.8 and older + +## Release 2.14.1 (2017-12-01) + +### Fixed + +- #60: Fix typo in function name documentation (thanks @neil-ca-moore) +- #61: Removing line with {{ due to blocking github pages genertion +- #64: Update the list functions to handle int, string, and other slices for compatibility + +## Release 2.14.0 (2017-10-06) + +This new version of Sprig adds a set of functions for generating and working with SSL certificates. + +- `genCA` generates an SSL Certificate Authority +- `genSelfSignedCert` generates an SSL self-signed certificate +- `genSignedCert` generates an SSL certificate and key based on a given CA + +## Release 2.13.0 (2017-09-18) + +This release adds new functions, including: + +- `regexMatch`, `regexFindAll`, `regexFind`, `regexReplaceAll`, `regexReplaceAllLiteral`, and `regexSplit` to work with regular expressions +- `floor`, `ceil`, and `round` math functions +- `toDate` converts a string to a date +- `nindent` is just like `indent` but also prepends a new line +- `ago` returns the time from `time.Now` + +### Added + +- #40: Added basic regex functionality (thanks @alanquillin) +- #41: Added ceil floor and round functions (thanks @alanquillin) +- #48: Added toDate function (thanks @andreynering) +- #50: Added nindent function (thanks @binoculars) +- #46: Added ago function (thanks @slayer) + +### Changed + +- #51: Updated godocs to include new string functions (thanks @curtisallen) +- #49: Added ability to merge multiple dicts (thanks @binoculars) + +## Release 2.12.0 (2017-05-17) + +- `snakecase`, `camelcase`, and `shuffle` are three new string functions +- `fail` allows you to bail out of a template render when conditions are not met + +## Release 2.11.0 (2017-05-02) + +- Added `toJson` and `toPrettyJson` +- Added `merge` +- Refactored documentation + +## Release 2.10.0 (2017-03-15) + +- Added `semver` and `semverCompare` for Semantic Versions +- `list` replaces `tuple` +- Fixed issue with `join` +- Added `first`, `last`, `initial`, `rest`, `prepend`, `append`, `toString`, `toStrings`, `sortAlpha`, `reverse`, `coalesce`, `pluck`, `pick`, `compact`, `keys`, `omit`, `uniq`, `has`, `without` + +## Release 2.9.0 (2017-02-23) + +- Added `splitList` to split a list +- Added crypto functions of `genPrivateKey` and `derivePassword` + +## Release 2.8.0 (2016-12-21) + +- Added access to several path functions (`base`, `dir`, `clean`, `ext`, and `abs`) +- Added functions for _mutating_ dictionaries (`set`, `unset`, `hasKey`) + +## Release 2.7.0 (2016-12-01) + +- Added `sha256sum` to generate a hash of an input +- Added functions to convert a numeric or string to `int`, `int64`, `float64` + +## Release 2.6.0 (2016-10-03) + +- Added a `uuidv4` template function for generating UUIDs inside of a template. + +## Release 2.5.0 (2016-08-19) + +- New `trimSuffix`, `trimPrefix`, `hasSuffix`, and `hasPrefix` functions +- New aliases have been added for a few functions that didn't follow the naming conventions (`trimAll` and `abbrevBoth`) +- `trimall` and `abbrevboth` (notice the case) are deprecated and will be removed in 3.0.0 + +## Release 2.4.0 (2016-08-16) + +- Adds two functions: `until` and `untilStep` + +## Release 2.3.0 (2016-06-21) + +- cat: Concatenate strings with whitespace separators. +- replace: Replace parts of a string: `replace " " "-" "Me First"` renders "Me-First" +- plural: Format plurals: `len "foo" | plural "one foo" "many foos"` renders "many foos" +- indent: Indent blocks of text in a way that is sensitive to "\n" characters. + +## Release 2.2.0 (2016-04-21) + +- Added a `genPrivateKey` function (Thanks @bacongobbler) + +## Release 2.1.0 (2016-03-30) + +- `default` now prints the default value when it does not receive a value down the pipeline. It is much safer now to do `{{.Foo | default "bar"}}`. +- Added accessors for "hermetic" functions. These return only functions that, when given the same input, produce the same output. + +## Release 2.0.0 (2016-03-29) + +Because we switched from `int` to `int64` as the return value for all integer math functions, the library's major version number has been incremented. + +- `min` complements `max` (formerly `biggest`) +- `empty` indicates that a value is the empty value for its type +- `tuple` creates a tuple inside of a template: `{{$t := tuple "a", "b" "c"}}` +- `dict` creates a dictionary inside of a template `{{$d := dict "key1" "val1" "key2" "val2"}}` +- Date formatters have been added for HTML dates (as used in `date` input fields) +- Integer math functions can convert from a number of types, including `string` (via `strconv.ParseInt`). + +## Release 1.2.0 (2016-02-01) + +- Added quote and squote +- Added b32enc and b32dec +- add now takes varargs +- biggest now takes varargs + +## Release 1.1.0 (2015-12-29) + +- Added #4: Added contains function. strings.Contains, but with the arguments + switched to simplify common pipelines. (thanks krancour) +- Added Travis-CI testing support + +## Release 1.0.0 (2015-12-23) + +- Initial release diff --git a/vendor/github.com/Masterminds/sprig/v3/LICENSE.txt b/vendor/github.com/Masterminds/sprig/v3/LICENSE.txt new file mode 100644 index 0000000000..f311b1eaaa --- /dev/null +++ b/vendor/github.com/Masterminds/sprig/v3/LICENSE.txt @@ -0,0 +1,19 @@ +Copyright (C) 2013-2020 Masterminds + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE. diff --git a/vendor/github.com/Masterminds/sprig/v3/Makefile b/vendor/github.com/Masterminds/sprig/v3/Makefile new file mode 100644 index 0000000000..78d409cde2 --- /dev/null +++ b/vendor/github.com/Masterminds/sprig/v3/Makefile @@ -0,0 +1,9 @@ +.PHONY: test +test: + @echo "==> Running tests" + GO111MODULE=on go test -v + +.PHONY: test-cover +test-cover: + @echo "==> Running Tests with coverage" + GO111MODULE=on go test -cover . diff --git a/vendor/github.com/Masterminds/sprig/v3/README.md b/vendor/github.com/Masterminds/sprig/v3/README.md new file mode 100644 index 0000000000..3e22c60e1a --- /dev/null +++ b/vendor/github.com/Masterminds/sprig/v3/README.md @@ -0,0 +1,100 @@ +# Sprig: Template functions for Go templates + +[![GoDoc](https://img.shields.io/static/v1?label=godoc&message=reference&color=blue)](https://pkg.go.dev/github.com/Masterminds/sprig/v3) +[![Go Report Card](https://goreportcard.com/badge/github.com/Masterminds/sprig)](https://goreportcard.com/report/github.com/Masterminds/sprig) +[![Stability: Sustained](https://masterminds.github.io/stability/sustained.svg)](https://masterminds.github.io/stability/sustained.html) +[![](https://github.com/Masterminds/sprig/workflows/Tests/badge.svg)](https://github.com/Masterminds/sprig/actions) + +The Go language comes with a [built-in template +language](http://golang.org/pkg/text/template/), but not +very many template functions. Sprig is a library that provides more than 100 commonly +used template functions. + +It is inspired by the template functions found in +[Twig](http://twig.sensiolabs.org/documentation) and in various +JavaScript libraries, such as [underscore.js](http://underscorejs.org/). + +## IMPORTANT NOTES + +Sprig leverages [mergo](https://github.com/imdario/mergo) to handle merges. In +its v0.3.9 release, there was a behavior change that impacts merging template +functions in sprig. It is currently recommended to use v0.3.10 or later of that package. +Using v0.3.9 will cause sprig tests to fail. + +## Package Versions + +There are two active major versions of the `sprig` package. + +* v3 is currently stable release series on the `master` branch. The Go API should + remain compatible with v2, the current stable version. Behavior change behind + some functions is the reason for the new major version. +* v2 is the previous stable release series. It has been more than three years since + the initial release of v2. You can read the documentation and see the code + on the [release-2](https://github.com/Masterminds/sprig/tree/release-2) branch. + Bug fixes to this major version will continue for some time. + +## Usage + +**Template developers**: Please use Sprig's [function documentation](http://masterminds.github.io/sprig/) for +detailed instructions and code snippets for the >100 template functions available. + +**Go developers**: If you'd like to include Sprig as a library in your program, +our API documentation is available [at GoDoc.org](http://godoc.org/github.com/Masterminds/sprig). + +For standard usage, read on. + +### Load the Sprig library + +To load the Sprig `FuncMap`: + +```go + +import ( + "github.com/Masterminds/sprig/v3" + "html/template" +) + +// This example illustrates that the FuncMap *must* be set before the +// templates themselves are loaded. +tpl := template.Must( + template.New("base").Funcs(sprig.FuncMap()).ParseGlob("*.html") +) + + +``` + +### Calling the functions inside of templates + +By convention, all functions are lowercase. This seems to follow the Go +idiom for template functions (as opposed to template methods, which are +TitleCase). For example, this: + +``` +{{ "hello!" | upper | repeat 5 }} +``` + +produces this: + +``` +HELLO!HELLO!HELLO!HELLO!HELLO! +``` + +## Principles Driving Our Function Selection + +We followed these principles to decide which functions to add and how to implement them: + +- Use template functions to build layout. The following + types of operations are within the domain of template functions: + - Formatting + - Layout + - Simple type conversions + - Utilities that assist in handling common formatting and layout needs (e.g. arithmetic) +- Template functions should not return errors unless there is no way to print + a sensible value. For example, converting a string to an integer should not + produce an error if conversion fails. Instead, it should display a default + value. +- Simple math is necessary for grid layouts, pagers, and so on. Complex math + (anything other than arithmetic) should be done outside of templates. +- Template functions only deal with the data passed into them. They never retrieve + data from a source. +- Finally, do not override core Go template functions. diff --git a/vendor/github.com/Masterminds/sprig/v3/crypto.go b/vendor/github.com/Masterminds/sprig/v3/crypto.go new file mode 100644 index 0000000000..75fe027e4d --- /dev/null +++ b/vendor/github.com/Masterminds/sprig/v3/crypto.go @@ -0,0 +1,659 @@ +package sprig + +import ( + "bytes" + "crypto" + "crypto/aes" + "crypto/cipher" + "crypto/dsa" + "crypto/ecdsa" + "crypto/ed25519" + "crypto/elliptic" + "crypto/hmac" + "crypto/rand" + "crypto/rsa" + "crypto/sha1" + "crypto/sha256" + "crypto/sha512" + "crypto/x509" + "crypto/x509/pkix" + "encoding/asn1" + "encoding/base64" + "encoding/binary" + "encoding/hex" + "encoding/pem" + "errors" + "fmt" + "hash/adler32" + "io" + "math/big" + "net" + "time" + + "strings" + + "github.com/google/uuid" + bcrypt_lib "golang.org/x/crypto/bcrypt" + "golang.org/x/crypto/scrypt" +) + +func sha512sum(input string) string { + hash := sha512.Sum512([]byte(input)) + return hex.EncodeToString(hash[:]) +} + +func sha256sum(input string) string { + hash := sha256.Sum256([]byte(input)) + return hex.EncodeToString(hash[:]) +} + +func sha1sum(input string) string { + hash := sha1.Sum([]byte(input)) + return hex.EncodeToString(hash[:]) +} + +func adler32sum(input string) string { + hash := adler32.Checksum([]byte(input)) + return fmt.Sprintf("%d", hash) +} + +func bcrypt(input string) string { + hash, err := bcrypt_lib.GenerateFromPassword([]byte(input), bcrypt_lib.DefaultCost) + if err != nil { + return fmt.Sprintf("failed to encrypt string with bcrypt: %s", err) + } + + return string(hash) +} + +func htpasswd(username string, password string) string { + if strings.Contains(username, ":") { + return fmt.Sprintf("invalid username: %s", username) + } + return fmt.Sprintf("%s:%s", username, bcrypt(password)) +} + +func randBytes(count int) (string, error) { + buf := make([]byte, count) + if _, err := rand.Read(buf); err != nil { + return "", err + } + return base64.StdEncoding.EncodeToString(buf), nil +} + +// uuidv4 provides a safe and secure UUID v4 implementation +func uuidv4() string { + return uuid.New().String() +} + +var masterPasswordSeed = "com.lyndir.masterpassword" + +var passwordTypeTemplates = map[string][][]byte{ + "maximum": {[]byte("anoxxxxxxxxxxxxxxxxx"), []byte("axxxxxxxxxxxxxxxxxno")}, + "long": {[]byte("CvcvnoCvcvCvcv"), []byte("CvcvCvcvnoCvcv"), []byte("CvcvCvcvCvcvno"), []byte("CvccnoCvcvCvcv"), []byte("CvccCvcvnoCvcv"), + []byte("CvccCvcvCvcvno"), []byte("CvcvnoCvccCvcv"), []byte("CvcvCvccnoCvcv"), []byte("CvcvCvccCvcvno"), []byte("CvcvnoCvcvCvcc"), + []byte("CvcvCvcvnoCvcc"), []byte("CvcvCvcvCvccno"), []byte("CvccnoCvccCvcv"), []byte("CvccCvccnoCvcv"), []byte("CvccCvccCvcvno"), + []byte("CvcvnoCvccCvcc"), []byte("CvcvCvccnoCvcc"), []byte("CvcvCvccCvccno"), []byte("CvccnoCvcvCvcc"), []byte("CvccCvcvnoCvcc"), + []byte("CvccCvcvCvccno")}, + "medium": {[]byte("CvcnoCvc"), []byte("CvcCvcno")}, + "short": {[]byte("Cvcn")}, + "basic": {[]byte("aaanaaan"), []byte("aannaaan"), []byte("aaannaaa")}, + "pin": {[]byte("nnnn")}, +} + +var templateCharacters = map[byte]string{ + 'V': "AEIOU", + 'C': "BCDFGHJKLMNPQRSTVWXYZ", + 'v': "aeiou", + 'c': "bcdfghjklmnpqrstvwxyz", + 'A': "AEIOUBCDFGHJKLMNPQRSTVWXYZ", + 'a': "AEIOUaeiouBCDFGHJKLMNPQRSTVWXYZbcdfghjklmnpqrstvwxyz", + 'n': "0123456789", + 'o': "@&%?,=[]_:-+*$#!'^~;()/.", + 'x': "AEIOUaeiouBCDFGHJKLMNPQRSTVWXYZbcdfghjklmnpqrstvwxyz0123456789!@#$%^&*()", +} + +func derivePassword(counter uint32, passwordType, password, user, site string) string { + var templates = passwordTypeTemplates[passwordType] + if templates == nil { + return fmt.Sprintf("cannot find password template %s", passwordType) + } + + var buffer bytes.Buffer + buffer.WriteString(masterPasswordSeed) + binary.Write(&buffer, binary.BigEndian, uint32(len(user))) + buffer.WriteString(user) + + salt := buffer.Bytes() + key, err := scrypt.Key([]byte(password), salt, 32768, 8, 2, 64) + if err != nil { + return fmt.Sprintf("failed to derive password: %s", err) + } + + buffer.Truncate(len(masterPasswordSeed)) + binary.Write(&buffer, binary.BigEndian, uint32(len(site))) + buffer.WriteString(site) + binary.Write(&buffer, binary.BigEndian, counter) + + var hmacv = hmac.New(sha256.New, key) + hmacv.Write(buffer.Bytes()) + var seed = hmacv.Sum(nil) + var temp = templates[int(seed[0])%len(templates)] + + buffer.Truncate(0) + for i, element := range temp { + passChars := templateCharacters[element] + passChar := passChars[int(seed[i+1])%len(passChars)] + buffer.WriteByte(passChar) + } + + return buffer.String() +} + +func generatePrivateKey(typ string) string { + var priv interface{} + var err error + switch typ { + case "", "rsa": + // good enough for government work + priv, err = rsa.GenerateKey(rand.Reader, 4096) + case "dsa": + key := new(dsa.PrivateKey) + // again, good enough for government work + if err = dsa.GenerateParameters(&key.Parameters, rand.Reader, dsa.L2048N256); err != nil { + return fmt.Sprintf("failed to generate dsa params: %s", err) + } + err = dsa.GenerateKey(key, rand.Reader) + priv = key + case "ecdsa": + // again, good enough for government work + priv, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + case "ed25519": + _, priv, err = ed25519.GenerateKey(rand.Reader) + default: + return "Unknown type " + typ + } + if err != nil { + return fmt.Sprintf("failed to generate private key: %s", err) + } + + return string(pem.EncodeToMemory(pemBlockForKey(priv))) +} + +// DSAKeyFormat stores the format for DSA keys. +// Used by pemBlockForKey +type DSAKeyFormat struct { + Version int + P, Q, G, Y, X *big.Int +} + +func pemBlockForKey(priv interface{}) *pem.Block { + switch k := priv.(type) { + case *rsa.PrivateKey: + return &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(k)} + case *dsa.PrivateKey: + val := DSAKeyFormat{ + P: k.P, Q: k.Q, G: k.G, + Y: k.Y, X: k.X, + } + bytes, _ := asn1.Marshal(val) + return &pem.Block{Type: "DSA PRIVATE KEY", Bytes: bytes} + case *ecdsa.PrivateKey: + b, _ := x509.MarshalECPrivateKey(k) + return &pem.Block{Type: "EC PRIVATE KEY", Bytes: b} + default: + // attempt PKCS#8 format for all other keys + b, err := x509.MarshalPKCS8PrivateKey(k) + if err != nil { + return nil + } + return &pem.Block{Type: "PRIVATE KEY", Bytes: b} + } +} + +func parsePrivateKeyPEM(pemBlock string) (crypto.PrivateKey, error) { + block, _ := pem.Decode([]byte(pemBlock)) + if block == nil { + return nil, errors.New("no PEM data in input") + } + + if block.Type == "PRIVATE KEY" { + priv, err := x509.ParsePKCS8PrivateKey(block.Bytes) + if err != nil { + return nil, fmt.Errorf("decoding PEM as PKCS#8: %s", err) + } + return priv, nil + } else if !strings.HasSuffix(block.Type, " PRIVATE KEY") { + return nil, fmt.Errorf("no private key data in PEM block of type %s", block.Type) + } + + switch block.Type[:len(block.Type)-12] { // strip " PRIVATE KEY" + case "RSA": + priv, err := x509.ParsePKCS1PrivateKey(block.Bytes) + if err != nil { + return nil, fmt.Errorf("parsing RSA private key from PEM: %s", err) + } + return priv, nil + case "EC": + priv, err := x509.ParseECPrivateKey(block.Bytes) + if err != nil { + return nil, fmt.Errorf("parsing EC private key from PEM: %s", err) + } + return priv, nil + case "DSA": + var k DSAKeyFormat + _, err := asn1.Unmarshal(block.Bytes, &k) + if err != nil { + return nil, fmt.Errorf("parsing DSA private key from PEM: %s", err) + } + priv := &dsa.PrivateKey{ + PublicKey: dsa.PublicKey{ + Parameters: dsa.Parameters{ + P: k.P, Q: k.Q, G: k.G, + }, + Y: k.Y, + }, + X: k.X, + } + return priv, nil + default: + return nil, fmt.Errorf("invalid private key type %s", block.Type) + } +} + +func getPublicKey(priv crypto.PrivateKey) (crypto.PublicKey, error) { + switch k := priv.(type) { + case interface{ Public() crypto.PublicKey }: + return k.Public(), nil + case *dsa.PrivateKey: + return &k.PublicKey, nil + default: + return nil, fmt.Errorf("unable to get public key for type %T", priv) + } +} + +type certificate struct { + Cert string + Key string +} + +func buildCustomCertificate(b64cert string, b64key string) (certificate, error) { + crt := certificate{} + + cert, err := base64.StdEncoding.DecodeString(b64cert) + if err != nil { + return crt, errors.New("unable to decode base64 certificate") + } + + key, err := base64.StdEncoding.DecodeString(b64key) + if err != nil { + return crt, errors.New("unable to decode base64 private key") + } + + decodedCert, _ := pem.Decode(cert) + if decodedCert == nil { + return crt, errors.New("unable to decode certificate") + } + _, err = x509.ParseCertificate(decodedCert.Bytes) + if err != nil { + return crt, fmt.Errorf( + "error parsing certificate: decodedCert.Bytes: %s", + err, + ) + } + + _, err = parsePrivateKeyPEM(string(key)) + if err != nil { + return crt, fmt.Errorf( + "error parsing private key: %s", + err, + ) + } + + crt.Cert = string(cert) + crt.Key = string(key) + + return crt, nil +} + +func generateCertificateAuthority( + cn string, + daysValid int, +) (certificate, error) { + priv, err := rsa.GenerateKey(rand.Reader, 2048) + if err != nil { + return certificate{}, fmt.Errorf("error generating rsa key: %s", err) + } + + return generateCertificateAuthorityWithKeyInternal(cn, daysValid, priv) +} + +func generateCertificateAuthorityWithPEMKey( + cn string, + daysValid int, + privPEM string, +) (certificate, error) { + priv, err := parsePrivateKeyPEM(privPEM) + if err != nil { + return certificate{}, fmt.Errorf("parsing private key: %s", err) + } + return generateCertificateAuthorityWithKeyInternal(cn, daysValid, priv) +} + +func generateCertificateAuthorityWithKeyInternal( + cn string, + daysValid int, + priv crypto.PrivateKey, +) (certificate, error) { + ca := certificate{} + + template, err := getBaseCertTemplate(cn, nil, nil, daysValid) + if err != nil { + return ca, err + } + // Override KeyUsage and IsCA + template.KeyUsage = x509.KeyUsageKeyEncipherment | + x509.KeyUsageDigitalSignature | + x509.KeyUsageCertSign + template.IsCA = true + + ca.Cert, ca.Key, err = getCertAndKey(template, priv, template, priv) + + return ca, err +} + +func generateSelfSignedCertificate( + cn string, + ips []interface{}, + alternateDNS []interface{}, + daysValid int, +) (certificate, error) { + priv, err := rsa.GenerateKey(rand.Reader, 2048) + if err != nil { + return certificate{}, fmt.Errorf("error generating rsa key: %s", err) + } + return generateSelfSignedCertificateWithKeyInternal(cn, ips, alternateDNS, daysValid, priv) +} + +func generateSelfSignedCertificateWithPEMKey( + cn string, + ips []interface{}, + alternateDNS []interface{}, + daysValid int, + privPEM string, +) (certificate, error) { + priv, err := parsePrivateKeyPEM(privPEM) + if err != nil { + return certificate{}, fmt.Errorf("parsing private key: %s", err) + } + return generateSelfSignedCertificateWithKeyInternal(cn, ips, alternateDNS, daysValid, priv) +} + +func generateSelfSignedCertificateWithKeyInternal( + cn string, + ips []interface{}, + alternateDNS []interface{}, + daysValid int, + priv crypto.PrivateKey, +) (certificate, error) { + cert := certificate{} + + template, err := getBaseCertTemplate(cn, ips, alternateDNS, daysValid) + if err != nil { + return cert, err + } + + cert.Cert, cert.Key, err = getCertAndKey(template, priv, template, priv) + + return cert, err +} + +func generateSignedCertificate( + cn string, + ips []interface{}, + alternateDNS []interface{}, + daysValid int, + ca certificate, +) (certificate, error) { + priv, err := rsa.GenerateKey(rand.Reader, 2048) + if err != nil { + return certificate{}, fmt.Errorf("error generating rsa key: %s", err) + } + return generateSignedCertificateWithKeyInternal(cn, ips, alternateDNS, daysValid, ca, priv) +} + +func generateSignedCertificateWithPEMKey( + cn string, + ips []interface{}, + alternateDNS []interface{}, + daysValid int, + ca certificate, + privPEM string, +) (certificate, error) { + priv, err := parsePrivateKeyPEM(privPEM) + if err != nil { + return certificate{}, fmt.Errorf("parsing private key: %s", err) + } + return generateSignedCertificateWithKeyInternal(cn, ips, alternateDNS, daysValid, ca, priv) +} + +func generateSignedCertificateWithKeyInternal( + cn string, + ips []interface{}, + alternateDNS []interface{}, + daysValid int, + ca certificate, + priv crypto.PrivateKey, +) (certificate, error) { + cert := certificate{} + + decodedSignerCert, _ := pem.Decode([]byte(ca.Cert)) + if decodedSignerCert == nil { + return cert, errors.New("unable to decode certificate") + } + signerCert, err := x509.ParseCertificate(decodedSignerCert.Bytes) + if err != nil { + return cert, fmt.Errorf( + "error parsing certificate: decodedSignerCert.Bytes: %s", + err, + ) + } + signerKey, err := parsePrivateKeyPEM(ca.Key) + if err != nil { + return cert, fmt.Errorf( + "error parsing private key: %s", + err, + ) + } + + template, err := getBaseCertTemplate(cn, ips, alternateDNS, daysValid) + if err != nil { + return cert, err + } + + cert.Cert, cert.Key, err = getCertAndKey( + template, + priv, + signerCert, + signerKey, + ) + + return cert, err +} + +func getCertAndKey( + template *x509.Certificate, + signeeKey crypto.PrivateKey, + parent *x509.Certificate, + signingKey crypto.PrivateKey, +) (string, string, error) { + signeePubKey, err := getPublicKey(signeeKey) + if err != nil { + return "", "", fmt.Errorf("error retrieving public key from signee key: %s", err) + } + derBytes, err := x509.CreateCertificate( + rand.Reader, + template, + parent, + signeePubKey, + signingKey, + ) + if err != nil { + return "", "", fmt.Errorf("error creating certificate: %s", err) + } + + certBuffer := bytes.Buffer{} + if err := pem.Encode( + &certBuffer, + &pem.Block{Type: "CERTIFICATE", Bytes: derBytes}, + ); err != nil { + return "", "", fmt.Errorf("error pem-encoding certificate: %s", err) + } + + keyBuffer := bytes.Buffer{} + if err := pem.Encode( + &keyBuffer, + pemBlockForKey(signeeKey), + ); err != nil { + return "", "", fmt.Errorf("error pem-encoding key: %s", err) + } + + return certBuffer.String(), keyBuffer.String(), nil +} + +func getBaseCertTemplate( + cn string, + ips []interface{}, + alternateDNS []interface{}, + daysValid int, +) (*x509.Certificate, error) { + ipAddresses, err := getNetIPs(ips) + if err != nil { + return nil, err + } + dnsNames, err := getAlternateDNSStrs(alternateDNS) + if err != nil { + return nil, err + } + serialNumberUpperBound := new(big.Int).Lsh(big.NewInt(1), 128) + serialNumber, err := rand.Int(rand.Reader, serialNumberUpperBound) + if err != nil { + return nil, err + } + return &x509.Certificate{ + SerialNumber: serialNumber, + Subject: pkix.Name{ + CommonName: cn, + }, + IPAddresses: ipAddresses, + DNSNames: dnsNames, + NotBefore: time.Now(), + NotAfter: time.Now().Add(time.Hour * 24 * time.Duration(daysValid)), + KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature, + ExtKeyUsage: []x509.ExtKeyUsage{ + x509.ExtKeyUsageServerAuth, + x509.ExtKeyUsageClientAuth, + }, + BasicConstraintsValid: true, + }, nil +} + +func getNetIPs(ips []interface{}) ([]net.IP, error) { + if ips == nil { + return []net.IP{}, nil + } + var ipStr string + var ok bool + var netIP net.IP + netIPs := make([]net.IP, len(ips)) + for i, ip := range ips { + ipStr, ok = ip.(string) + if !ok { + return nil, fmt.Errorf("error parsing ip: %v is not a string", ip) + } + netIP = net.ParseIP(ipStr) + if netIP == nil { + return nil, fmt.Errorf("error parsing ip: %s", ipStr) + } + netIPs[i] = netIP + } + return netIPs, nil +} + +func getAlternateDNSStrs(alternateDNS []interface{}) ([]string, error) { + if alternateDNS == nil { + return []string{}, nil + } + var dnsStr string + var ok bool + alternateDNSStrs := make([]string, len(alternateDNS)) + for i, dns := range alternateDNS { + dnsStr, ok = dns.(string) + if !ok { + return nil, fmt.Errorf( + "error processing alternate dns name: %v is not a string", + dns, + ) + } + alternateDNSStrs[i] = dnsStr + } + return alternateDNSStrs, nil +} + +func encryptAES(password string, plaintext string) (string, error) { + if plaintext == "" { + return "", nil + } + + key := make([]byte, 32) + copy(key, []byte(password)) + block, err := aes.NewCipher(key) + if err != nil { + return "", err + } + + content := []byte(plaintext) + blockSize := block.BlockSize() + padding := blockSize - len(content)%blockSize + padtext := bytes.Repeat([]byte{byte(padding)}, padding) + content = append(content, padtext...) + + ciphertext := make([]byte, aes.BlockSize+len(content)) + + iv := ciphertext[:aes.BlockSize] + if _, err := io.ReadFull(rand.Reader, iv); err != nil { + return "", err + } + + mode := cipher.NewCBCEncrypter(block, iv) + mode.CryptBlocks(ciphertext[aes.BlockSize:], content) + + return base64.StdEncoding.EncodeToString(ciphertext), nil +} + +func decryptAES(password string, crypt64 string) (string, error) { + if crypt64 == "" { + return "", nil + } + + key := make([]byte, 32) + copy(key, []byte(password)) + + crypt, err := base64.StdEncoding.DecodeString(crypt64) + if err != nil { + return "", err + } + + block, err := aes.NewCipher(key) + if err != nil { + return "", err + } + + iv := crypt[:aes.BlockSize] + crypt = crypt[aes.BlockSize:] + decrypted := make([]byte, len(crypt)) + mode := cipher.NewCBCDecrypter(block, iv) + mode.CryptBlocks(decrypted, crypt) + + return string(decrypted[:len(decrypted)-int(decrypted[len(decrypted)-1])]), nil +} diff --git a/vendor/github.com/Masterminds/sprig/v3/date.go b/vendor/github.com/Masterminds/sprig/v3/date.go new file mode 100644 index 0000000000..ed022ddaca --- /dev/null +++ b/vendor/github.com/Masterminds/sprig/v3/date.go @@ -0,0 +1,152 @@ +package sprig + +import ( + "strconv" + "time" +) + +// Given a format and a date, format the date string. +// +// Date can be a `time.Time` or an `int, int32, int64`. +// In the later case, it is treated as seconds since UNIX +// epoch. +func date(fmt string, date interface{}) string { + return dateInZone(fmt, date, "Local") +} + +func htmlDate(date interface{}) string { + return dateInZone("2006-01-02", date, "Local") +} + +func htmlDateInZone(date interface{}, zone string) string { + return dateInZone("2006-01-02", date, zone) +} + +func dateInZone(fmt string, date interface{}, zone string) string { + var t time.Time + switch date := date.(type) { + default: + t = time.Now() + case time.Time: + t = date + case *time.Time: + t = *date + case int64: + t = time.Unix(date, 0) + case int: + t = time.Unix(int64(date), 0) + case int32: + t = time.Unix(int64(date), 0) + } + + loc, err := time.LoadLocation(zone) + if err != nil { + loc, _ = time.LoadLocation("UTC") + } + + return t.In(loc).Format(fmt) +} + +func dateModify(fmt string, date time.Time) time.Time { + d, err := time.ParseDuration(fmt) + if err != nil { + return date + } + return date.Add(d) +} + +func mustDateModify(fmt string, date time.Time) (time.Time, error) { + d, err := time.ParseDuration(fmt) + if err != nil { + return time.Time{}, err + } + return date.Add(d), nil +} + +func dateAgo(date interface{}) string { + var t time.Time + + switch date := date.(type) { + default: + t = time.Now() + case time.Time: + t = date + case int64: + t = time.Unix(date, 0) + case int: + t = time.Unix(int64(date), 0) + } + // Drop resolution to seconds + duration := time.Since(t).Round(time.Second) + return duration.String() +} + +func duration(sec interface{}) string { + var n int64 + switch value := sec.(type) { + default: + n = 0 + case string: + n, _ = strconv.ParseInt(value, 10, 64) + case int64: + n = value + } + return (time.Duration(n) * time.Second).String() +} + +func durationRound(duration interface{}) string { + var d time.Duration + switch duration := duration.(type) { + default: + d = 0 + case string: + d, _ = time.ParseDuration(duration) + case int64: + d = time.Duration(duration) + case time.Time: + d = time.Since(duration) + } + + u := uint64(d) + neg := d < 0 + if neg { + u = -u + } + + var ( + year = uint64(time.Hour) * 24 * 365 + month = uint64(time.Hour) * 24 * 30 + day = uint64(time.Hour) * 24 + hour = uint64(time.Hour) + minute = uint64(time.Minute) + second = uint64(time.Second) + ) + switch { + case u > year: + return strconv.FormatUint(u/year, 10) + "y" + case u > month: + return strconv.FormatUint(u/month, 10) + "mo" + case u > day: + return strconv.FormatUint(u/day, 10) + "d" + case u > hour: + return strconv.FormatUint(u/hour, 10) + "h" + case u > minute: + return strconv.FormatUint(u/minute, 10) + "m" + case u > second: + return strconv.FormatUint(u/second, 10) + "s" + } + return "0s" +} + +func toDate(fmt, str string) time.Time { + t, _ := time.ParseInLocation(fmt, str, time.Local) + return t +} + +func mustToDate(fmt, str string) (time.Time, error) { + return time.ParseInLocation(fmt, str, time.Local) +} + +func unixEpoch(date time.Time) string { + return strconv.FormatInt(date.Unix(), 10) +} diff --git a/vendor/github.com/Masterminds/sprig/v3/defaults.go b/vendor/github.com/Masterminds/sprig/v3/defaults.go new file mode 100644 index 0000000000..b9f979666d --- /dev/null +++ b/vendor/github.com/Masterminds/sprig/v3/defaults.go @@ -0,0 +1,163 @@ +package sprig + +import ( + "bytes" + "encoding/json" + "math/rand" + "reflect" + "strings" + "time" +) + +func init() { + rand.Seed(time.Now().UnixNano()) +} + +// dfault checks whether `given` is set, and returns default if not set. +// +// This returns `d` if `given` appears not to be set, and `given` otherwise. +// +// For numeric types 0 is unset. +// For strings, maps, arrays, and slices, len() = 0 is considered unset. +// For bool, false is unset. +// Structs are never considered unset. +// +// For everything else, including pointers, a nil value is unset. +func dfault(d interface{}, given ...interface{}) interface{} { + + if empty(given) || empty(given[0]) { + return d + } + return given[0] +} + +// empty returns true if the given value has the zero value for its type. +func empty(given interface{}) bool { + g := reflect.ValueOf(given) + if !g.IsValid() { + return true + } + + // Basically adapted from text/template.isTrue + switch g.Kind() { + default: + return g.IsNil() + case reflect.Array, reflect.Slice, reflect.Map, reflect.String: + return g.Len() == 0 + case reflect.Bool: + return !g.Bool() + case reflect.Complex64, reflect.Complex128: + return g.Complex() == 0 + case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64: + return g.Int() == 0 + case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64, reflect.Uintptr: + return g.Uint() == 0 + case reflect.Float32, reflect.Float64: + return g.Float() == 0 + case reflect.Struct: + return false + } +} + +// coalesce returns the first non-empty value. +func coalesce(v ...interface{}) interface{} { + for _, val := range v { + if !empty(val) { + return val + } + } + return nil +} + +// all returns true if empty(x) is false for all values x in the list. +// If the list is empty, return true. +func all(v ...interface{}) bool { + for _, val := range v { + if empty(val) { + return false + } + } + return true +} + +// any returns true if empty(x) is false for any x in the list. +// If the list is empty, return false. +func any(v ...interface{}) bool { + for _, val := range v { + if !empty(val) { + return true + } + } + return false +} + +// fromJson decodes JSON into a structured value, ignoring errors. +func fromJson(v string) interface{} { + output, _ := mustFromJson(v) + return output +} + +// mustFromJson decodes JSON into a structured value, returning errors. +func mustFromJson(v string) (interface{}, error) { + var output interface{} + err := json.Unmarshal([]byte(v), &output) + return output, err +} + +// toJson encodes an item into a JSON string +func toJson(v interface{}) string { + output, _ := json.Marshal(v) + return string(output) +} + +func mustToJson(v interface{}) (string, error) { + output, err := json.Marshal(v) + if err != nil { + return "", err + } + return string(output), nil +} + +// toPrettyJson encodes an item into a pretty (indented) JSON string +func toPrettyJson(v interface{}) string { + output, _ := json.MarshalIndent(v, "", " ") + return string(output) +} + +func mustToPrettyJson(v interface{}) (string, error) { + output, err := json.MarshalIndent(v, "", " ") + if err != nil { + return "", err + } + return string(output), nil +} + +// toRawJson encodes an item into a JSON string with no escaping of HTML characters. +func toRawJson(v interface{}) string { + output, err := mustToRawJson(v) + if err != nil { + panic(err) + } + return string(output) +} + +// mustToRawJson encodes an item into a JSON string with no escaping of HTML characters. +func mustToRawJson(v interface{}) (string, error) { + buf := new(bytes.Buffer) + enc := json.NewEncoder(buf) + enc.SetEscapeHTML(false) + err := enc.Encode(&v) + if err != nil { + return "", err + } + return strings.TrimSuffix(buf.String(), "\n"), nil +} + +// ternary returns the first value if the last value is true, otherwise returns the second value. +func ternary(vt interface{}, vf interface{}, v bool) interface{} { + if v { + return vt + } + + return vf +} diff --git a/vendor/github.com/Masterminds/sprig/v3/dict.go b/vendor/github.com/Masterminds/sprig/v3/dict.go new file mode 100644 index 0000000000..4315b3542a --- /dev/null +++ b/vendor/github.com/Masterminds/sprig/v3/dict.go @@ -0,0 +1,174 @@ +package sprig + +import ( + "dario.cat/mergo" + "github.com/mitchellh/copystructure" +) + +func get(d map[string]interface{}, key string) interface{} { + if val, ok := d[key]; ok { + return val + } + return "" +} + +func set(d map[string]interface{}, key string, value interface{}) map[string]interface{} { + d[key] = value + return d +} + +func unset(d map[string]interface{}, key string) map[string]interface{} { + delete(d, key) + return d +} + +func hasKey(d map[string]interface{}, key string) bool { + _, ok := d[key] + return ok +} + +func pluck(key string, d ...map[string]interface{}) []interface{} { + res := []interface{}{} + for _, dict := range d { + if val, ok := dict[key]; ok { + res = append(res, val) + } + } + return res +} + +func keys(dicts ...map[string]interface{}) []string { + k := []string{} + for _, dict := range dicts { + for key := range dict { + k = append(k, key) + } + } + return k +} + +func pick(dict map[string]interface{}, keys ...string) map[string]interface{} { + res := map[string]interface{}{} + for _, k := range keys { + if v, ok := dict[k]; ok { + res[k] = v + } + } + return res +} + +func omit(dict map[string]interface{}, keys ...string) map[string]interface{} { + res := map[string]interface{}{} + + omit := make(map[string]bool, len(keys)) + for _, k := range keys { + omit[k] = true + } + + for k, v := range dict { + if _, ok := omit[k]; !ok { + res[k] = v + } + } + return res +} + +func dict(v ...interface{}) map[string]interface{} { + dict := map[string]interface{}{} + lenv := len(v) + for i := 0; i < lenv; i += 2 { + key := strval(v[i]) + if i+1 >= lenv { + dict[key] = "" + continue + } + dict[key] = v[i+1] + } + return dict +} + +func merge(dst map[string]interface{}, srcs ...map[string]interface{}) interface{} { + for _, src := range srcs { + if err := mergo.Merge(&dst, src); err != nil { + // Swallow errors inside of a template. + return "" + } + } + return dst +} + +func mustMerge(dst map[string]interface{}, srcs ...map[string]interface{}) (interface{}, error) { + for _, src := range srcs { + if err := mergo.Merge(&dst, src); err != nil { + return nil, err + } + } + return dst, nil +} + +func mergeOverwrite(dst map[string]interface{}, srcs ...map[string]interface{}) interface{} { + for _, src := range srcs { + if err := mergo.MergeWithOverwrite(&dst, src); err != nil { + // Swallow errors inside of a template. + return "" + } + } + return dst +} + +func mustMergeOverwrite(dst map[string]interface{}, srcs ...map[string]interface{}) (interface{}, error) { + for _, src := range srcs { + if err := mergo.MergeWithOverwrite(&dst, src); err != nil { + return nil, err + } + } + return dst, nil +} + +func values(dict map[string]interface{}) []interface{} { + values := []interface{}{} + for _, value := range dict { + values = append(values, value) + } + + return values +} + +func deepCopy(i interface{}) interface{} { + c, err := mustDeepCopy(i) + if err != nil { + panic("deepCopy error: " + err.Error()) + } + + return c +} + +func mustDeepCopy(i interface{}) (interface{}, error) { + return copystructure.Copy(i) +} + +func dig(ps ...interface{}) (interface{}, error) { + if len(ps) < 3 { + panic("dig needs at least three arguments") + } + dict := ps[len(ps)-1].(map[string]interface{}) + def := ps[len(ps)-2] + ks := make([]string, len(ps)-2) + for i := 0; i < len(ks); i++ { + ks[i] = ps[i].(string) + } + + return digFromDict(dict, def, ks) +} + +func digFromDict(dict map[string]interface{}, d interface{}, ks []string) (interface{}, error) { + k, ns := ks[0], ks[1:len(ks)] + step, has := dict[k] + if !has { + return d, nil + } + if len(ns) == 0 { + return step, nil + } + return digFromDict(step.(map[string]interface{}), d, ns) +} diff --git a/vendor/github.com/Masterminds/sprig/v3/doc.go b/vendor/github.com/Masterminds/sprig/v3/doc.go new file mode 100644 index 0000000000..91031d6d19 --- /dev/null +++ b/vendor/github.com/Masterminds/sprig/v3/doc.go @@ -0,0 +1,19 @@ +/* +Package sprig provides template functions for Go. + +This package contains a number of utility functions for working with data +inside of Go `html/template` and `text/template` files. + +To add these functions, use the `template.Funcs()` method: + + t := template.New("foo").Funcs(sprig.FuncMap()) + +Note that you should add the function map before you parse any template files. + + In several cases, Sprig reverses the order of arguments from the way they + appear in the standard library. This is to make it easier to pipe + arguments into functions. + +See http://masterminds.github.io/sprig/ for more detailed documentation on each of the available functions. +*/ +package sprig diff --git a/vendor/github.com/Masterminds/sprig/v3/functions.go b/vendor/github.com/Masterminds/sprig/v3/functions.go new file mode 100644 index 0000000000..cda47d26f2 --- /dev/null +++ b/vendor/github.com/Masterminds/sprig/v3/functions.go @@ -0,0 +1,385 @@ +package sprig + +import ( + "errors" + "html/template" + "math/rand" + "os" + "path" + "path/filepath" + "reflect" + "strconv" + "strings" + ttemplate "text/template" + "time" + + util "github.com/Masterminds/goutils" + "github.com/huandu/xstrings" + "github.com/shopspring/decimal" +) + +// FuncMap produces the function map. +// +// Use this to pass the functions into the template engine: +// +// tpl := template.New("foo").Funcs(sprig.FuncMap())) +func FuncMap() template.FuncMap { + return HtmlFuncMap() +} + +// HermeticTxtFuncMap returns a 'text/template'.FuncMap with only repeatable functions. +func HermeticTxtFuncMap() ttemplate.FuncMap { + r := TxtFuncMap() + for _, name := range nonhermeticFunctions { + delete(r, name) + } + return r +} + +// HermeticHtmlFuncMap returns an 'html/template'.Funcmap with only repeatable functions. +func HermeticHtmlFuncMap() template.FuncMap { + r := HtmlFuncMap() + for _, name := range nonhermeticFunctions { + delete(r, name) + } + return r +} + +// TxtFuncMap returns a 'text/template'.FuncMap +func TxtFuncMap() ttemplate.FuncMap { + return ttemplate.FuncMap(GenericFuncMap()) +} + +// HtmlFuncMap returns an 'html/template'.Funcmap +func HtmlFuncMap() template.FuncMap { + return template.FuncMap(GenericFuncMap()) +} + +// GenericFuncMap returns a copy of the basic function map as a map[string]interface{}. +func GenericFuncMap() map[string]interface{} { + gfm := make(map[string]interface{}, len(genericMap)) + for k, v := range genericMap { + gfm[k] = v + } + return gfm +} + +// These functions are not guaranteed to evaluate to the same result for given input, because they +// refer to the environment or global state. +var nonhermeticFunctions = []string{ + // Date functions + "date", + "date_in_zone", + "date_modify", + "now", + "htmlDate", + "htmlDateInZone", + "dateInZone", + "dateModify", + + // Strings + "randAlphaNum", + "randAlpha", + "randAscii", + "randNumeric", + "randBytes", + "uuidv4", + + // OS + "env", + "expandenv", + + // Network + "getHostByName", +} + +var genericMap = map[string]interface{}{ + "hello": func() string { return "Hello!" }, + + // Date functions + "ago": dateAgo, + "date": date, + "date_in_zone": dateInZone, + "date_modify": dateModify, + "dateInZone": dateInZone, + "dateModify": dateModify, + "duration": duration, + "durationRound": durationRound, + "htmlDate": htmlDate, + "htmlDateInZone": htmlDateInZone, + "must_date_modify": mustDateModify, + "mustDateModify": mustDateModify, + "mustToDate": mustToDate, + "now": time.Now, + "toDate": toDate, + "unixEpoch": unixEpoch, + + // Strings + "abbrev": abbrev, + "abbrevboth": abbrevboth, + "trunc": trunc, + "trim": strings.TrimSpace, + "upper": strings.ToUpper, + "lower": strings.ToLower, + "title": strings.Title, + "untitle": untitle, + "substr": substring, + // Switch order so that "foo" | repeat 5 + "repeat": func(count int, str string) string { return strings.Repeat(str, count) }, + // Deprecated: Use trimAll. + "trimall": func(a, b string) string { return strings.Trim(b, a) }, + // Switch order so that "$foo" | trimall "$" + "trimAll": func(a, b string) string { return strings.Trim(b, a) }, + "trimSuffix": func(a, b string) string { return strings.TrimSuffix(b, a) }, + "trimPrefix": func(a, b string) string { return strings.TrimPrefix(b, a) }, + "nospace": util.DeleteWhiteSpace, + "initials": initials, + "randAlphaNum": randAlphaNumeric, + "randAlpha": randAlpha, + "randAscii": randAscii, + "randNumeric": randNumeric, + "swapcase": util.SwapCase, + "shuffle": xstrings.Shuffle, + "snakecase": xstrings.ToSnakeCase, + // camelcase used to call xstrings.ToCamelCase, but that function had a breaking change in version + // 1.5 that moved it from upper camel case to lower camel case. This is a breaking change for sprig. + // A new xstrings.ToPascalCase function was added that provided upper camel case. + "camelcase": xstrings.ToPascalCase, + "kebabcase": xstrings.ToKebabCase, + "wrap": func(l int, s string) string { return util.Wrap(s, l) }, + "wrapWith": func(l int, sep, str string) string { return util.WrapCustom(str, l, sep, true) }, + // Switch order so that "foobar" | contains "foo" + "contains": func(substr string, str string) bool { return strings.Contains(str, substr) }, + "hasPrefix": func(substr string, str string) bool { return strings.HasPrefix(str, substr) }, + "hasSuffix": func(substr string, str string) bool { return strings.HasSuffix(str, substr) }, + "quote": quote, + "squote": squote, + "cat": cat, + "indent": indent, + "nindent": nindent, + "replace": replace, + "plural": plural, + "sha1sum": sha1sum, + "sha256sum": sha256sum, + "sha512sum": sha512sum, + "adler32sum": adler32sum, + "toString": strval, + + // Wrap Atoi to stop errors. + "atoi": func(a string) int { i, _ := strconv.Atoi(a); return i }, + "int64": toInt64, + "int": toInt, + "float64": toFloat64, + "seq": seq, + "toDecimal": toDecimal, + + //"gt": func(a, b int) bool {return a > b}, + //"gte": func(a, b int) bool {return a >= b}, + //"lt": func(a, b int) bool {return a < b}, + //"lte": func(a, b int) bool {return a <= b}, + + // split "/" foo/bar returns map[int]string{0: foo, 1: bar} + "split": split, + "splitList": func(sep, orig string) []string { return strings.Split(orig, sep) }, + // splitn "/" foo/bar/fuu returns map[int]string{0: foo, 1: bar/fuu} + "splitn": splitn, + "toStrings": strslice, + + "until": until, + "untilStep": untilStep, + + // VERY basic arithmetic. + "add1": func(i interface{}) int64 { return toInt64(i) + 1 }, + "add": func(i ...interface{}) int64 { + var a int64 = 0 + for _, b := range i { + a += toInt64(b) + } + return a + }, + "sub": func(a, b interface{}) int64 { return toInt64(a) - toInt64(b) }, + "div": func(a, b interface{}) int64 { return toInt64(a) / toInt64(b) }, + "mod": func(a, b interface{}) int64 { return toInt64(a) % toInt64(b) }, + "mul": func(a interface{}, v ...interface{}) int64 { + val := toInt64(a) + for _, b := range v { + val = val * toInt64(b) + } + return val + }, + "randInt": func(min, max int) int { return rand.Intn(max-min) + min }, + "add1f": func(i interface{}) float64 { + return execDecimalOp(i, []interface{}{1}, func(d1, d2 decimal.Decimal) decimal.Decimal { return d1.Add(d2) }) + }, + "addf": func(i ...interface{}) float64 { + a := interface{}(float64(0)) + return execDecimalOp(a, i, func(d1, d2 decimal.Decimal) decimal.Decimal { return d1.Add(d2) }) + }, + "subf": func(a interface{}, v ...interface{}) float64 { + return execDecimalOp(a, v, func(d1, d2 decimal.Decimal) decimal.Decimal { return d1.Sub(d2) }) + }, + "divf": func(a interface{}, v ...interface{}) float64 { + return execDecimalOp(a, v, func(d1, d2 decimal.Decimal) decimal.Decimal { return d1.Div(d2) }) + }, + "mulf": func(a interface{}, v ...interface{}) float64 { + return execDecimalOp(a, v, func(d1, d2 decimal.Decimal) decimal.Decimal { return d1.Mul(d2) }) + }, + "biggest": max, + "max": max, + "min": min, + "maxf": maxf, + "minf": minf, + "ceil": ceil, + "floor": floor, + "round": round, + + // string slices. Note that we reverse the order b/c that's better + // for template processing. + "join": join, + "sortAlpha": sortAlpha, + + // Defaults + "default": dfault, + "empty": empty, + "coalesce": coalesce, + "all": all, + "any": any, + "compact": compact, + "mustCompact": mustCompact, + "fromJson": fromJson, + "toJson": toJson, + "toPrettyJson": toPrettyJson, + "toRawJson": toRawJson, + "mustFromJson": mustFromJson, + "mustToJson": mustToJson, + "mustToPrettyJson": mustToPrettyJson, + "mustToRawJson": mustToRawJson, + "ternary": ternary, + "deepCopy": deepCopy, + "mustDeepCopy": mustDeepCopy, + + // Reflection + "typeOf": typeOf, + "typeIs": typeIs, + "typeIsLike": typeIsLike, + "kindOf": kindOf, + "kindIs": kindIs, + "deepEqual": reflect.DeepEqual, + + // OS: + "env": os.Getenv, + "expandenv": os.ExpandEnv, + + // Network: + "getHostByName": getHostByName, + + // Paths: + "base": path.Base, + "dir": path.Dir, + "clean": path.Clean, + "ext": path.Ext, + "isAbs": path.IsAbs, + + // Filepaths: + "osBase": filepath.Base, + "osClean": filepath.Clean, + "osDir": filepath.Dir, + "osExt": filepath.Ext, + "osIsAbs": filepath.IsAbs, + + // Encoding: + "b64enc": base64encode, + "b64dec": base64decode, + "b32enc": base32encode, + "b32dec": base32decode, + + // Data Structures: + "tuple": list, // FIXME: with the addition of append/prepend these are no longer immutable. + "list": list, + "dict": dict, + "get": get, + "set": set, + "unset": unset, + "hasKey": hasKey, + "pluck": pluck, + "keys": keys, + "pick": pick, + "omit": omit, + "merge": merge, + "mergeOverwrite": mergeOverwrite, + "mustMerge": mustMerge, + "mustMergeOverwrite": mustMergeOverwrite, + "values": values, + + "append": push, "push": push, + "mustAppend": mustPush, "mustPush": mustPush, + "prepend": prepend, + "mustPrepend": mustPrepend, + "first": first, + "mustFirst": mustFirst, + "rest": rest, + "mustRest": mustRest, + "last": last, + "mustLast": mustLast, + "initial": initial, + "mustInitial": mustInitial, + "reverse": reverse, + "mustReverse": mustReverse, + "uniq": uniq, + "mustUniq": mustUniq, + "without": without, + "mustWithout": mustWithout, + "has": has, + "mustHas": mustHas, + "slice": slice, + "mustSlice": mustSlice, + "concat": concat, + "dig": dig, + "chunk": chunk, + "mustChunk": mustChunk, + + // Crypto: + "bcrypt": bcrypt, + "htpasswd": htpasswd, + "genPrivateKey": generatePrivateKey, + "derivePassword": derivePassword, + "buildCustomCert": buildCustomCertificate, + "genCA": generateCertificateAuthority, + "genCAWithKey": generateCertificateAuthorityWithPEMKey, + "genSelfSignedCert": generateSelfSignedCertificate, + "genSelfSignedCertWithKey": generateSelfSignedCertificateWithPEMKey, + "genSignedCert": generateSignedCertificate, + "genSignedCertWithKey": generateSignedCertificateWithPEMKey, + "encryptAES": encryptAES, + "decryptAES": decryptAES, + "randBytes": randBytes, + + // UUIDs: + "uuidv4": uuidv4, + + // SemVer: + "semver": semver, + "semverCompare": semverCompare, + + // Flow Control: + "fail": func(msg string) (string, error) { return "", errors.New(msg) }, + + // Regex + "regexMatch": regexMatch, + "mustRegexMatch": mustRegexMatch, + "regexFindAll": regexFindAll, + "mustRegexFindAll": mustRegexFindAll, + "regexFind": regexFind, + "mustRegexFind": mustRegexFind, + "regexReplaceAll": regexReplaceAll, + "mustRegexReplaceAll": mustRegexReplaceAll, + "regexReplaceAllLiteral": regexReplaceAllLiteral, + "mustRegexReplaceAllLiteral": mustRegexReplaceAllLiteral, + "regexSplit": regexSplit, + "mustRegexSplit": mustRegexSplit, + "regexQuoteMeta": regexQuoteMeta, + + // URLs: + "urlParse": urlParse, + "urlJoin": urlJoin, +} diff --git a/vendor/github.com/Masterminds/sprig/v3/list.go b/vendor/github.com/Masterminds/sprig/v3/list.go new file mode 100644 index 0000000000..ca0fbb7893 --- /dev/null +++ b/vendor/github.com/Masterminds/sprig/v3/list.go @@ -0,0 +1,464 @@ +package sprig + +import ( + "fmt" + "math" + "reflect" + "sort" +) + +// Reflection is used in these functions so that slices and arrays of strings, +// ints, and other types not implementing []interface{} can be worked with. +// For example, this is useful if you need to work on the output of regexs. + +func list(v ...interface{}) []interface{} { + return v +} + +func push(list interface{}, v interface{}) []interface{} { + l, err := mustPush(list, v) + if err != nil { + panic(err) + } + + return l +} + +func mustPush(list interface{}, v interface{}) ([]interface{}, error) { + tp := reflect.TypeOf(list).Kind() + switch tp { + case reflect.Slice, reflect.Array: + l2 := reflect.ValueOf(list) + + l := l2.Len() + nl := make([]interface{}, l) + for i := 0; i < l; i++ { + nl[i] = l2.Index(i).Interface() + } + + return append(nl, v), nil + + default: + return nil, fmt.Errorf("Cannot push on type %s", tp) + } +} + +func prepend(list interface{}, v interface{}) []interface{} { + l, err := mustPrepend(list, v) + if err != nil { + panic(err) + } + + return l +} + +func mustPrepend(list interface{}, v interface{}) ([]interface{}, error) { + //return append([]interface{}{v}, list...) + + tp := reflect.TypeOf(list).Kind() + switch tp { + case reflect.Slice, reflect.Array: + l2 := reflect.ValueOf(list) + + l := l2.Len() + nl := make([]interface{}, l) + for i := 0; i < l; i++ { + nl[i] = l2.Index(i).Interface() + } + + return append([]interface{}{v}, nl...), nil + + default: + return nil, fmt.Errorf("Cannot prepend on type %s", tp) + } +} + +func chunk(size int, list interface{}) [][]interface{} { + l, err := mustChunk(size, list) + if err != nil { + panic(err) + } + + return l +} + +func mustChunk(size int, list interface{}) ([][]interface{}, error) { + tp := reflect.TypeOf(list).Kind() + switch tp { + case reflect.Slice, reflect.Array: + l2 := reflect.ValueOf(list) + + l := l2.Len() + + cs := int(math.Floor(float64(l-1)/float64(size)) + 1) + nl := make([][]interface{}, cs) + + for i := 0; i < cs; i++ { + clen := size + if i == cs-1 { + clen = int(math.Floor(math.Mod(float64(l), float64(size)))) + if clen == 0 { + clen = size + } + } + + nl[i] = make([]interface{}, clen) + + for j := 0; j < clen; j++ { + ix := i*size + j + nl[i][j] = l2.Index(ix).Interface() + } + } + + return nl, nil + + default: + return nil, fmt.Errorf("Cannot chunk type %s", tp) + } +} + +func last(list interface{}) interface{} { + l, err := mustLast(list) + if err != nil { + panic(err) + } + + return l +} + +func mustLast(list interface{}) (interface{}, error) { + tp := reflect.TypeOf(list).Kind() + switch tp { + case reflect.Slice, reflect.Array: + l2 := reflect.ValueOf(list) + + l := l2.Len() + if l == 0 { + return nil, nil + } + + return l2.Index(l - 1).Interface(), nil + default: + return nil, fmt.Errorf("Cannot find last on type %s", tp) + } +} + +func first(list interface{}) interface{} { + l, err := mustFirst(list) + if err != nil { + panic(err) + } + + return l +} + +func mustFirst(list interface{}) (interface{}, error) { + tp := reflect.TypeOf(list).Kind() + switch tp { + case reflect.Slice, reflect.Array: + l2 := reflect.ValueOf(list) + + l := l2.Len() + if l == 0 { + return nil, nil + } + + return l2.Index(0).Interface(), nil + default: + return nil, fmt.Errorf("Cannot find first on type %s", tp) + } +} + +func rest(list interface{}) []interface{} { + l, err := mustRest(list) + if err != nil { + panic(err) + } + + return l +} + +func mustRest(list interface{}) ([]interface{}, error) { + tp := reflect.TypeOf(list).Kind() + switch tp { + case reflect.Slice, reflect.Array: + l2 := reflect.ValueOf(list) + + l := l2.Len() + if l == 0 { + return nil, nil + } + + nl := make([]interface{}, l-1) + for i := 1; i < l; i++ { + nl[i-1] = l2.Index(i).Interface() + } + + return nl, nil + default: + return nil, fmt.Errorf("Cannot find rest on type %s", tp) + } +} + +func initial(list interface{}) []interface{} { + l, err := mustInitial(list) + if err != nil { + panic(err) + } + + return l +} + +func mustInitial(list interface{}) ([]interface{}, error) { + tp := reflect.TypeOf(list).Kind() + switch tp { + case reflect.Slice, reflect.Array: + l2 := reflect.ValueOf(list) + + l := l2.Len() + if l == 0 { + return nil, nil + } + + nl := make([]interface{}, l-1) + for i := 0; i < l-1; i++ { + nl[i] = l2.Index(i).Interface() + } + + return nl, nil + default: + return nil, fmt.Errorf("Cannot find initial on type %s", tp) + } +} + +func sortAlpha(list interface{}) []string { + k := reflect.Indirect(reflect.ValueOf(list)).Kind() + switch k { + case reflect.Slice, reflect.Array: + a := strslice(list) + s := sort.StringSlice(a) + s.Sort() + return s + } + return []string{strval(list)} +} + +func reverse(v interface{}) []interface{} { + l, err := mustReverse(v) + if err != nil { + panic(err) + } + + return l +} + +func mustReverse(v interface{}) ([]interface{}, error) { + tp := reflect.TypeOf(v).Kind() + switch tp { + case reflect.Slice, reflect.Array: + l2 := reflect.ValueOf(v) + + l := l2.Len() + // We do not sort in place because the incoming array should not be altered. + nl := make([]interface{}, l) + for i := 0; i < l; i++ { + nl[l-i-1] = l2.Index(i).Interface() + } + + return nl, nil + default: + return nil, fmt.Errorf("Cannot find reverse on type %s", tp) + } +} + +func compact(list interface{}) []interface{} { + l, err := mustCompact(list) + if err != nil { + panic(err) + } + + return l +} + +func mustCompact(list interface{}) ([]interface{}, error) { + tp := reflect.TypeOf(list).Kind() + switch tp { + case reflect.Slice, reflect.Array: + l2 := reflect.ValueOf(list) + + l := l2.Len() + nl := []interface{}{} + var item interface{} + for i := 0; i < l; i++ { + item = l2.Index(i).Interface() + if !empty(item) { + nl = append(nl, item) + } + } + + return nl, nil + default: + return nil, fmt.Errorf("Cannot compact on type %s", tp) + } +} + +func uniq(list interface{}) []interface{} { + l, err := mustUniq(list) + if err != nil { + panic(err) + } + + return l +} + +func mustUniq(list interface{}) ([]interface{}, error) { + tp := reflect.TypeOf(list).Kind() + switch tp { + case reflect.Slice, reflect.Array: + l2 := reflect.ValueOf(list) + + l := l2.Len() + dest := []interface{}{} + var item interface{} + for i := 0; i < l; i++ { + item = l2.Index(i).Interface() + if !inList(dest, item) { + dest = append(dest, item) + } + } + + return dest, nil + default: + return nil, fmt.Errorf("Cannot find uniq on type %s", tp) + } +} + +func inList(haystack []interface{}, needle interface{}) bool { + for _, h := range haystack { + if reflect.DeepEqual(needle, h) { + return true + } + } + return false +} + +func without(list interface{}, omit ...interface{}) []interface{} { + l, err := mustWithout(list, omit...) + if err != nil { + panic(err) + } + + return l +} + +func mustWithout(list interface{}, omit ...interface{}) ([]interface{}, error) { + tp := reflect.TypeOf(list).Kind() + switch tp { + case reflect.Slice, reflect.Array: + l2 := reflect.ValueOf(list) + + l := l2.Len() + res := []interface{}{} + var item interface{} + for i := 0; i < l; i++ { + item = l2.Index(i).Interface() + if !inList(omit, item) { + res = append(res, item) + } + } + + return res, nil + default: + return nil, fmt.Errorf("Cannot find without on type %s", tp) + } +} + +func has(needle interface{}, haystack interface{}) bool { + l, err := mustHas(needle, haystack) + if err != nil { + panic(err) + } + + return l +} + +func mustHas(needle interface{}, haystack interface{}) (bool, error) { + if haystack == nil { + return false, nil + } + tp := reflect.TypeOf(haystack).Kind() + switch tp { + case reflect.Slice, reflect.Array: + l2 := reflect.ValueOf(haystack) + var item interface{} + l := l2.Len() + for i := 0; i < l; i++ { + item = l2.Index(i).Interface() + if reflect.DeepEqual(needle, item) { + return true, nil + } + } + + return false, nil + default: + return false, fmt.Errorf("Cannot find has on type %s", tp) + } +} + +// $list := [1, 2, 3, 4, 5] +// slice $list -> list[0:5] = list[:] +// slice $list 0 3 -> list[0:3] = list[:3] +// slice $list 3 5 -> list[3:5] +// slice $list 3 -> list[3:5] = list[3:] +func slice(list interface{}, indices ...interface{}) interface{} { + l, err := mustSlice(list, indices...) + if err != nil { + panic(err) + } + + return l +} + +func mustSlice(list interface{}, indices ...interface{}) (interface{}, error) { + tp := reflect.TypeOf(list).Kind() + switch tp { + case reflect.Slice, reflect.Array: + l2 := reflect.ValueOf(list) + + l := l2.Len() + if l == 0 { + return nil, nil + } + + var start, end int + if len(indices) > 0 { + start = toInt(indices[0]) + } + if len(indices) < 2 { + end = l + } else { + end = toInt(indices[1]) + } + + return l2.Slice(start, end).Interface(), nil + default: + return nil, fmt.Errorf("list should be type of slice or array but %s", tp) + } +} + +func concat(lists ...interface{}) interface{} { + var res []interface{} + for _, list := range lists { + tp := reflect.TypeOf(list).Kind() + switch tp { + case reflect.Slice, reflect.Array: + l2 := reflect.ValueOf(list) + for i := 0; i < l2.Len(); i++ { + res = append(res, l2.Index(i).Interface()) + } + default: + panic(fmt.Sprintf("Cannot concat type %s as list", tp)) + } + } + return res +} diff --git a/vendor/github.com/Masterminds/sprig/v3/network.go b/vendor/github.com/Masterminds/sprig/v3/network.go new file mode 100644 index 0000000000..108d78a946 --- /dev/null +++ b/vendor/github.com/Masterminds/sprig/v3/network.go @@ -0,0 +1,12 @@ +package sprig + +import ( + "math/rand" + "net" +) + +func getHostByName(name string) string { + addrs, _ := net.LookupHost(name) + //TODO: add error handing when release v3 comes out + return addrs[rand.Intn(len(addrs))] +} diff --git a/vendor/github.com/Masterminds/sprig/v3/numeric.go b/vendor/github.com/Masterminds/sprig/v3/numeric.go new file mode 100644 index 0000000000..f68e4182ee --- /dev/null +++ b/vendor/github.com/Masterminds/sprig/v3/numeric.go @@ -0,0 +1,186 @@ +package sprig + +import ( + "fmt" + "math" + "strconv" + "strings" + + "github.com/spf13/cast" + "github.com/shopspring/decimal" +) + +// toFloat64 converts 64-bit floats +func toFloat64(v interface{}) float64 { + return cast.ToFloat64(v) +} + +func toInt(v interface{}) int { + return cast.ToInt(v) +} + +// toInt64 converts integer types to 64-bit integers +func toInt64(v interface{}) int64 { + return cast.ToInt64(v) +} + +func max(a interface{}, i ...interface{}) int64 { + aa := toInt64(a) + for _, b := range i { + bb := toInt64(b) + if bb > aa { + aa = bb + } + } + return aa +} + +func maxf(a interface{}, i ...interface{}) float64 { + aa := toFloat64(a) + for _, b := range i { + bb := toFloat64(b) + aa = math.Max(aa, bb) + } + return aa +} + +func min(a interface{}, i ...interface{}) int64 { + aa := toInt64(a) + for _, b := range i { + bb := toInt64(b) + if bb < aa { + aa = bb + } + } + return aa +} + +func minf(a interface{}, i ...interface{}) float64 { + aa := toFloat64(a) + for _, b := range i { + bb := toFloat64(b) + aa = math.Min(aa, bb) + } + return aa +} + +func until(count int) []int { + step := 1 + if count < 0 { + step = -1 + } + return untilStep(0, count, step) +} + +func untilStep(start, stop, step int) []int { + v := []int{} + + if stop < start { + if step >= 0 { + return v + } + for i := start; i > stop; i += step { + v = append(v, i) + } + return v + } + + if step <= 0 { + return v + } + for i := start; i < stop; i += step { + v = append(v, i) + } + return v +} + +func floor(a interface{}) float64 { + aa := toFloat64(a) + return math.Floor(aa) +} + +func ceil(a interface{}) float64 { + aa := toFloat64(a) + return math.Ceil(aa) +} + +func round(a interface{}, p int, rOpt ...float64) float64 { + roundOn := .5 + if len(rOpt) > 0 { + roundOn = rOpt[0] + } + val := toFloat64(a) + places := toFloat64(p) + + var round float64 + pow := math.Pow(10, places) + digit := pow * val + _, div := math.Modf(digit) + if div >= roundOn { + round = math.Ceil(digit) + } else { + round = math.Floor(digit) + } + return round / pow +} + +// converts unix octal to decimal +func toDecimal(v interface{}) int64 { + result, err := strconv.ParseInt(fmt.Sprint(v), 8, 64) + if err != nil { + return 0 + } + return result +} + +func seq(params ...int) string { + increment := 1 + switch len(params) { + case 0: + return "" + case 1: + start := 1 + end := params[0] + if end < start { + increment = -1 + } + return intArrayToString(untilStep(start, end+increment, increment), " ") + case 3: + start := params[0] + end := params[2] + step := params[1] + if end < start { + increment = -1 + if step > 0 { + return "" + } + } + return intArrayToString(untilStep(start, end+increment, step), " ") + case 2: + start := params[0] + end := params[1] + step := 1 + if end < start { + step = -1 + } + return intArrayToString(untilStep(start, end+step, step), " ") + default: + return "" + } +} + +func intArrayToString(slice []int, delimeter string) string { + return strings.Trim(strings.Join(strings.Fields(fmt.Sprint(slice)), delimeter), "[]") +} + +// performs a float and subsequent decimal.Decimal conversion on inputs, +// and iterates through a and b executing the mathmetical operation f +func execDecimalOp(a interface{}, b []interface{}, f func(d1, d2 decimal.Decimal) decimal.Decimal) float64 { + prt := decimal.NewFromFloat(toFloat64(a)) + for _, x := range b { + dx := decimal.NewFromFloat(toFloat64(x)) + prt = f(prt, dx) + } + rslt, _ := prt.Float64() + return rslt +} diff --git a/vendor/github.com/Masterminds/sprig/v3/reflect.go b/vendor/github.com/Masterminds/sprig/v3/reflect.go new file mode 100644 index 0000000000..8a65c132f0 --- /dev/null +++ b/vendor/github.com/Masterminds/sprig/v3/reflect.go @@ -0,0 +1,28 @@ +package sprig + +import ( + "fmt" + "reflect" +) + +// typeIs returns true if the src is the type named in target. +func typeIs(target string, src interface{}) bool { + return target == typeOf(src) +} + +func typeIsLike(target string, src interface{}) bool { + t := typeOf(src) + return target == t || "*"+target == t +} + +func typeOf(src interface{}) string { + return fmt.Sprintf("%T", src) +} + +func kindIs(target string, src interface{}) bool { + return target == kindOf(src) +} + +func kindOf(src interface{}) string { + return reflect.ValueOf(src).Kind().String() +} diff --git a/vendor/github.com/Masterminds/sprig/v3/regex.go b/vendor/github.com/Masterminds/sprig/v3/regex.go new file mode 100644 index 0000000000..fab5510189 --- /dev/null +++ b/vendor/github.com/Masterminds/sprig/v3/regex.go @@ -0,0 +1,83 @@ +package sprig + +import ( + "regexp" +) + +func regexMatch(regex string, s string) bool { + match, _ := regexp.MatchString(regex, s) + return match +} + +func mustRegexMatch(regex string, s string) (bool, error) { + return regexp.MatchString(regex, s) +} + +func regexFindAll(regex string, s string, n int) []string { + r := regexp.MustCompile(regex) + return r.FindAllString(s, n) +} + +func mustRegexFindAll(regex string, s string, n int) ([]string, error) { + r, err := regexp.Compile(regex) + if err != nil { + return []string{}, err + } + return r.FindAllString(s, n), nil +} + +func regexFind(regex string, s string) string { + r := regexp.MustCompile(regex) + return r.FindString(s) +} + +func mustRegexFind(regex string, s string) (string, error) { + r, err := regexp.Compile(regex) + if err != nil { + return "", err + } + return r.FindString(s), nil +} + +func regexReplaceAll(regex string, s string, repl string) string { + r := regexp.MustCompile(regex) + return r.ReplaceAllString(s, repl) +} + +func mustRegexReplaceAll(regex string, s string, repl string) (string, error) { + r, err := regexp.Compile(regex) + if err != nil { + return "", err + } + return r.ReplaceAllString(s, repl), nil +} + +func regexReplaceAllLiteral(regex string, s string, repl string) string { + r := regexp.MustCompile(regex) + return r.ReplaceAllLiteralString(s, repl) +} + +func mustRegexReplaceAllLiteral(regex string, s string, repl string) (string, error) { + r, err := regexp.Compile(regex) + if err != nil { + return "", err + } + return r.ReplaceAllLiteralString(s, repl), nil +} + +func regexSplit(regex string, s string, n int) []string { + r := regexp.MustCompile(regex) + return r.Split(s, n) +} + +func mustRegexSplit(regex string, s string, n int) ([]string, error) { + r, err := regexp.Compile(regex) + if err != nil { + return []string{}, err + } + return r.Split(s, n), nil +} + +func regexQuoteMeta(s string) string { + return regexp.QuoteMeta(s) +} diff --git a/vendor/github.com/Masterminds/sprig/v3/semver.go b/vendor/github.com/Masterminds/sprig/v3/semver.go new file mode 100644 index 0000000000..3fbe08aa63 --- /dev/null +++ b/vendor/github.com/Masterminds/sprig/v3/semver.go @@ -0,0 +1,23 @@ +package sprig + +import ( + sv2 "github.com/Masterminds/semver/v3" +) + +func semverCompare(constraint, version string) (bool, error) { + c, err := sv2.NewConstraint(constraint) + if err != nil { + return false, err + } + + v, err := sv2.NewVersion(version) + if err != nil { + return false, err + } + + return c.Check(v), nil +} + +func semver(version string) (*sv2.Version, error) { + return sv2.NewVersion(version) +} diff --git a/vendor/github.com/Masterminds/sprig/v3/strings.go b/vendor/github.com/Masterminds/sprig/v3/strings.go new file mode 100644 index 0000000000..e0ae628c84 --- /dev/null +++ b/vendor/github.com/Masterminds/sprig/v3/strings.go @@ -0,0 +1,236 @@ +package sprig + +import ( + "encoding/base32" + "encoding/base64" + "fmt" + "reflect" + "strconv" + "strings" + + util "github.com/Masterminds/goutils" +) + +func base64encode(v string) string { + return base64.StdEncoding.EncodeToString([]byte(v)) +} + +func base64decode(v string) string { + data, err := base64.StdEncoding.DecodeString(v) + if err != nil { + return err.Error() + } + return string(data) +} + +func base32encode(v string) string { + return base32.StdEncoding.EncodeToString([]byte(v)) +} + +func base32decode(v string) string { + data, err := base32.StdEncoding.DecodeString(v) + if err != nil { + return err.Error() + } + return string(data) +} + +func abbrev(width int, s string) string { + if width < 4 { + return s + } + r, _ := util.Abbreviate(s, width) + return r +} + +func abbrevboth(left, right int, s string) string { + if right < 4 || left > 0 && right < 7 { + return s + } + r, _ := util.AbbreviateFull(s, left, right) + return r +} +func initials(s string) string { + // Wrap this just to eliminate the var args, which templates don't do well. + return util.Initials(s) +} + +func randAlphaNumeric(count int) string { + // It is not possible, it appears, to actually generate an error here. + r, _ := util.CryptoRandomAlphaNumeric(count) + return r +} + +func randAlpha(count int) string { + r, _ := util.CryptoRandomAlphabetic(count) + return r +} + +func randAscii(count int) string { + r, _ := util.CryptoRandomAscii(count) + return r +} + +func randNumeric(count int) string { + r, _ := util.CryptoRandomNumeric(count) + return r +} + +func untitle(str string) string { + return util.Uncapitalize(str) +} + +func quote(str ...interface{}) string { + out := make([]string, 0, len(str)) + for _, s := range str { + if s != nil { + out = append(out, fmt.Sprintf("%q", strval(s))) + } + } + return strings.Join(out, " ") +} + +func squote(str ...interface{}) string { + out := make([]string, 0, len(str)) + for _, s := range str { + if s != nil { + out = append(out, fmt.Sprintf("'%v'", s)) + } + } + return strings.Join(out, " ") +} + +func cat(v ...interface{}) string { + v = removeNilElements(v) + r := strings.TrimSpace(strings.Repeat("%v ", len(v))) + return fmt.Sprintf(r, v...) +} + +func indent(spaces int, v string) string { + pad := strings.Repeat(" ", spaces) + return pad + strings.Replace(v, "\n", "\n"+pad, -1) +} + +func nindent(spaces int, v string) string { + return "\n" + indent(spaces, v) +} + +func replace(old, new, src string) string { + return strings.Replace(src, old, new, -1) +} + +func plural(one, many string, count int) string { + if count == 1 { + return one + } + return many +} + +func strslice(v interface{}) []string { + switch v := v.(type) { + case []string: + return v + case []interface{}: + b := make([]string, 0, len(v)) + for _, s := range v { + if s != nil { + b = append(b, strval(s)) + } + } + return b + default: + val := reflect.ValueOf(v) + switch val.Kind() { + case reflect.Array, reflect.Slice: + l := val.Len() + b := make([]string, 0, l) + for i := 0; i < l; i++ { + value := val.Index(i).Interface() + if value != nil { + b = append(b, strval(value)) + } + } + return b + default: + if v == nil { + return []string{} + } + + return []string{strval(v)} + } + } +} + +func removeNilElements(v []interface{}) []interface{} { + newSlice := make([]interface{}, 0, len(v)) + for _, i := range v { + if i != nil { + newSlice = append(newSlice, i) + } + } + return newSlice +} + +func strval(v interface{}) string { + switch v := v.(type) { + case string: + return v + case []byte: + return string(v) + case error: + return v.Error() + case fmt.Stringer: + return v.String() + default: + return fmt.Sprintf("%v", v) + } +} + +func trunc(c int, s string) string { + if c < 0 && len(s)+c > 0 { + return s[len(s)+c:] + } + if c >= 0 && len(s) > c { + return s[:c] + } + return s +} + +func join(sep string, v interface{}) string { + return strings.Join(strslice(v), sep) +} + +func split(sep, orig string) map[string]string { + parts := strings.Split(orig, sep) + res := make(map[string]string, len(parts)) + for i, v := range parts { + res["_"+strconv.Itoa(i)] = v + } + return res +} + +func splitn(sep string, n int, orig string) map[string]string { + parts := strings.SplitN(orig, sep, n) + res := make(map[string]string, len(parts)) + for i, v := range parts { + res["_"+strconv.Itoa(i)] = v + } + return res +} + +// substring creates a substring of the given string. +// +// If start is < 0, this calls string[:end]. +// +// If start is >= 0 and end < 0 or end bigger than s length, this calls string[start:] +// +// Otherwise, this calls string[start, end]. +func substring(start, end int, s string) string { + if start < 0 { + return s[:end] + } + if end < 0 || end > len(s) { + return s[start:] + } + return s[start:end] +} diff --git a/vendor/github.com/Masterminds/sprig/v3/url.go b/vendor/github.com/Masterminds/sprig/v3/url.go new file mode 100644 index 0000000000..b8e120e19b --- /dev/null +++ b/vendor/github.com/Masterminds/sprig/v3/url.go @@ -0,0 +1,66 @@ +package sprig + +import ( + "fmt" + "net/url" + "reflect" +) + +func dictGetOrEmpty(dict map[string]interface{}, key string) string { + value, ok := dict[key] + if !ok { + return "" + } + tp := reflect.TypeOf(value).Kind() + if tp != reflect.String { + panic(fmt.Sprintf("unable to parse %s key, must be of type string, but %s found", key, tp.String())) + } + return reflect.ValueOf(value).String() +} + +// parses given URL to return dict object +func urlParse(v string) map[string]interface{} { + dict := map[string]interface{}{} + parsedURL, err := url.Parse(v) + if err != nil { + panic(fmt.Sprintf("unable to parse url: %s", err)) + } + dict["scheme"] = parsedURL.Scheme + dict["host"] = parsedURL.Host + dict["hostname"] = parsedURL.Hostname() + dict["path"] = parsedURL.Path + dict["query"] = parsedURL.RawQuery + dict["opaque"] = parsedURL.Opaque + dict["fragment"] = parsedURL.Fragment + if parsedURL.User != nil { + dict["userinfo"] = parsedURL.User.String() + } else { + dict["userinfo"] = "" + } + + return dict +} + +// join given dict to URL string +func urlJoin(d map[string]interface{}) string { + resURL := url.URL{ + Scheme: dictGetOrEmpty(d, "scheme"), + Host: dictGetOrEmpty(d, "host"), + Path: dictGetOrEmpty(d, "path"), + RawQuery: dictGetOrEmpty(d, "query"), + Opaque: dictGetOrEmpty(d, "opaque"), + Fragment: dictGetOrEmpty(d, "fragment"), + } + userinfo := dictGetOrEmpty(d, "userinfo") + var user *url.Userinfo + if userinfo != "" { + tempURL, err := url.Parse(fmt.Sprintf("proto://%s@host", userinfo)) + if err != nil { + panic(fmt.Sprintf("unable to parse userinfo in dict: %s", err)) + } + user = tempURL.User + } + + resURL.User = user + return resURL.String() +} diff --git a/vendor/github.com/Masterminds/squirrel/.gitignore b/vendor/github.com/Masterminds/squirrel/.gitignore new file mode 100644 index 0000000000..4a0699f0b7 --- /dev/null +++ b/vendor/github.com/Masterminds/squirrel/.gitignore @@ -0,0 +1 @@ +squirrel.test \ No newline at end of file diff --git a/vendor/github.com/Masterminds/squirrel/.travis.yml b/vendor/github.com/Masterminds/squirrel/.travis.yml new file mode 100644 index 0000000000..7bb6da4878 --- /dev/null +++ b/vendor/github.com/Masterminds/squirrel/.travis.yml @@ -0,0 +1,30 @@ +language: go + +go: + - 1.11.x + - 1.12.x + - 1.13.x + +services: + - mysql + - postgresql + +# Setting sudo access to false will let Travis CI use containers rather than +# VMs to run the tests. For more details see: +# - http://docs.travis-ci.com/user/workers/container-based-infrastructure/ +# - http://docs.travis-ci.com/user/workers/standard-infrastructure/ +sudo: false + +before_script: + - mysql -e 'CREATE DATABASE squirrel;' + - psql -c 'CREATE DATABASE squirrel;' -U postgres + +script: + - go test + - cd integration + - go test -args -driver sqlite3 + - go test -args -driver mysql -dataSource travis@/squirrel + - go test -args -driver postgres -dataSource 'postgres://postgres@localhost/squirrel?sslmode=disable' + +notifications: + irc: "irc.freenode.net#masterminds" diff --git a/vendor/github.com/Masterminds/squirrel/LICENSE b/vendor/github.com/Masterminds/squirrel/LICENSE new file mode 100644 index 0000000000..b459007fd8 --- /dev/null +++ b/vendor/github.com/Masterminds/squirrel/LICENSE @@ -0,0 +1,23 @@ +MIT License + +Squirrel: The Masterminds +Copyright (c) 2014-2015, Lann Martin. Copyright (C) 2015-2016, Google. Copyright (C) 2015, Matt Farina and Matt Butcher. + + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. diff --git a/vendor/github.com/Masterminds/squirrel/README.md b/vendor/github.com/Masterminds/squirrel/README.md new file mode 100644 index 0000000000..1d37f282f1 --- /dev/null +++ b/vendor/github.com/Masterminds/squirrel/README.md @@ -0,0 +1,142 @@ +[![Stability: Maintenance](https://masterminds.github.io/stability/maintenance.svg)](https://masterminds.github.io/stability/maintenance.html) +### Squirrel is "complete". +Bug fixes will still be merged (slowly). Bug reports are welcome, but I will not necessarily respond to them. If another fork (or substantially similar project) actively improves on what Squirrel does, let me know and I may link to it here. + + +# Squirrel - fluent SQL generator for Go + +```go +import "github.com/Masterminds/squirrel" +``` + + +[![GoDoc](https://godoc.org/github.com/Masterminds/squirrel?status.png)](https://godoc.org/github.com/Masterminds/squirrel) +[![Build Status](https://api.travis-ci.org/Masterminds/squirrel.svg?branch=master)](https://travis-ci.org/Masterminds/squirrel) + +**Squirrel is not an ORM.** For an application of Squirrel, check out +[structable, a table-struct mapper](https://github.com/Masterminds/structable) + + +Squirrel helps you build SQL queries from composable parts: + +```go +import sq "github.com/Masterminds/squirrel" + +users := sq.Select("*").From("users").Join("emails USING (email_id)") + +active := users.Where(sq.Eq{"deleted_at": nil}) + +sql, args, err := active.ToSql() + +sql == "SELECT * FROM users JOIN emails USING (email_id) WHERE deleted_at IS NULL" +``` + +```go +sql, args, err := sq. + Insert("users").Columns("name", "age"). + Values("moe", 13).Values("larry", sq.Expr("? + 5", 12)). + ToSql() + +sql == "INSERT INTO users (name,age) VALUES (?,?),(?,? + 5)" +``` + +Squirrel can also execute queries directly: + +```go +stooges := users.Where(sq.Eq{"username": []string{"moe", "larry", "curly", "shemp"}}) +three_stooges := stooges.Limit(3) +rows, err := three_stooges.RunWith(db).Query() + +// Behaves like: +rows, err := db.Query("SELECT * FROM users WHERE username IN (?,?,?,?) LIMIT 3", + "moe", "larry", "curly", "shemp") +``` + +Squirrel makes conditional query building a breeze: + +```go +if len(q) > 0 { + users = users.Where("name LIKE ?", fmt.Sprint("%", q, "%")) +} +``` + +Squirrel wants to make your life easier: + +```go +// StmtCache caches Prepared Stmts for you +dbCache := sq.NewStmtCache(db) + +// StatementBuilder keeps your syntax neat +mydb := sq.StatementBuilder.RunWith(dbCache) +select_users := mydb.Select("*").From("users") +``` + +Squirrel loves PostgreSQL: + +```go +psql := sq.StatementBuilder.PlaceholderFormat(sq.Dollar) + +// You use question marks for placeholders... +sql, _, _ := psql.Select("*").From("elephants").Where("name IN (?,?)", "Dumbo", "Verna").ToSql() + +/// ...squirrel replaces them using PlaceholderFormat. +sql == "SELECT * FROM elephants WHERE name IN ($1,$2)" + + +/// You can retrieve id ... +query := sq.Insert("nodes"). + Columns("uuid", "type", "data"). + Values(node.Uuid, node.Type, node.Data). + Suffix("RETURNING \"id\""). + RunWith(m.db). + PlaceholderFormat(sq.Dollar) + +query.QueryRow().Scan(&node.id) +``` + +You can escape question marks by inserting two question marks: + +```sql +SELECT * FROM nodes WHERE meta->'format' ??| array[?,?] +``` + +will generate with the Dollar Placeholder: + +```sql +SELECT * FROM nodes WHERE meta->'format' ?| array[$1,$2] +``` + +## FAQ + +* **How can I build an IN query on composite keys / tuples, e.g. `WHERE (col1, col2) IN ((1,2),(3,4))`? ([#104](https://github.com/Masterminds/squirrel/issues/104))** + + Squirrel does not explicitly support tuples, but you can get the same effect with e.g.: + + ```go + sq.Or{ + sq.Eq{"col1": 1, "col2": 2}, + sq.Eq{"col1": 3, "col2": 4}} + ``` + + ```sql + WHERE (col1 = 1 AND col2 = 2) OR (col1 = 3 AND col2 = 4) + ``` + + (which should produce the same query plan as the tuple version) + +* **Why doesn't `Eq{"mynumber": []uint8{1,2,3}}` turn into an `IN` query? ([#114](https://github.com/Masterminds/squirrel/issues/114))** + + Values of type `[]byte` are handled specially by `database/sql`. In Go, [`byte` is just an alias of `uint8`](https://golang.org/pkg/builtin/#byte), so there is no way to distinguish `[]uint8` from `[]byte`. + +* **Some features are poorly documented!** + + This isn't a frequent complaints section! + +* **Some features are poorly documented?** + + Yes. The tests should be considered a part of the documentation; take a look at those for ideas on how to express more complex queries. + +## License + +Squirrel is released under the +[MIT License](http://www.opensource.org/licenses/MIT). diff --git a/vendor/github.com/Masterminds/squirrel/case.go b/vendor/github.com/Masterminds/squirrel/case.go new file mode 100644 index 0000000000..299e14b9d4 --- /dev/null +++ b/vendor/github.com/Masterminds/squirrel/case.go @@ -0,0 +1,128 @@ +package squirrel + +import ( + "bytes" + "errors" + + "github.com/lann/builder" +) + +func init() { + builder.Register(CaseBuilder{}, caseData{}) +} + +// sqlizerBuffer is a helper that allows to write many Sqlizers one by one +// without constant checks for errors that may come from Sqlizer +type sqlizerBuffer struct { + bytes.Buffer + args []interface{} + err error +} + +// WriteSql converts Sqlizer to SQL strings and writes it to buffer +func (b *sqlizerBuffer) WriteSql(item Sqlizer) { + if b.err != nil { + return + } + + var str string + var args []interface{} + str, args, b.err = nestedToSql(item) + + if b.err != nil { + return + } + + b.WriteString(str) + b.WriteByte(' ') + b.args = append(b.args, args...) +} + +func (b *sqlizerBuffer) ToSql() (string, []interface{}, error) { + return b.String(), b.args, b.err +} + +// whenPart is a helper structure to describe SQLs "WHEN ... THEN ..." expression +type whenPart struct { + when Sqlizer + then Sqlizer +} + +func newWhenPart(when interface{}, then interface{}) whenPart { + return whenPart{newPart(when), newPart(then)} +} + +// caseData holds all the data required to build a CASE SQL construct +type caseData struct { + What Sqlizer + WhenParts []whenPart + Else Sqlizer +} + +// ToSql implements Sqlizer +func (d *caseData) ToSql() (sqlStr string, args []interface{}, err error) { + if len(d.WhenParts) == 0 { + err = errors.New("case expression must contain at lease one WHEN clause") + + return + } + + sql := sqlizerBuffer{} + + sql.WriteString("CASE ") + if d.What != nil { + sql.WriteSql(d.What) + } + + for _, p := range d.WhenParts { + sql.WriteString("WHEN ") + sql.WriteSql(p.when) + sql.WriteString("THEN ") + sql.WriteSql(p.then) + } + + if d.Else != nil { + sql.WriteString("ELSE ") + sql.WriteSql(d.Else) + } + + sql.WriteString("END") + + return sql.ToSql() +} + +// CaseBuilder builds SQL CASE construct which could be used as parts of queries. +type CaseBuilder builder.Builder + +// ToSql builds the query into a SQL string and bound args. +func (b CaseBuilder) ToSql() (string, []interface{}, error) { + data := builder.GetStruct(b).(caseData) + return data.ToSql() +} + +// MustSql builds the query into a SQL string and bound args. +// It panics if there are any errors. +func (b CaseBuilder) MustSql() (string, []interface{}) { + sql, args, err := b.ToSql() + if err != nil { + panic(err) + } + return sql, args +} + +// what sets optional value for CASE construct "CASE [value] ..." +func (b CaseBuilder) what(expr interface{}) CaseBuilder { + return builder.Set(b, "What", newPart(expr)).(CaseBuilder) +} + +// When adds "WHEN ... THEN ..." part to CASE construct +func (b CaseBuilder) When(when interface{}, then interface{}) CaseBuilder { + // TODO: performance hint: replace slice of WhenPart with just slice of parts + // where even indices of the slice belong to "when"s and odd indices belong to "then"s + return builder.Append(b, "WhenParts", newWhenPart(when, then)).(CaseBuilder) +} + +// What sets optional "ELSE ..." part for CASE construct +func (b CaseBuilder) Else(expr interface{}) CaseBuilder { + return builder.Set(b, "Else", newPart(expr)).(CaseBuilder) +} diff --git a/vendor/github.com/Masterminds/squirrel/delete.go b/vendor/github.com/Masterminds/squirrel/delete.go new file mode 100644 index 0000000000..f3f31e63ef --- /dev/null +++ b/vendor/github.com/Masterminds/squirrel/delete.go @@ -0,0 +1,191 @@ +package squirrel + +import ( + "bytes" + "database/sql" + "fmt" + "strings" + + "github.com/lann/builder" +) + +type deleteData struct { + PlaceholderFormat PlaceholderFormat + RunWith BaseRunner + Prefixes []Sqlizer + From string + WhereParts []Sqlizer + OrderBys []string + Limit string + Offset string + Suffixes []Sqlizer +} + +func (d *deleteData) Exec() (sql.Result, error) { + if d.RunWith == nil { + return nil, RunnerNotSet + } + return ExecWith(d.RunWith, d) +} + +func (d *deleteData) ToSql() (sqlStr string, args []interface{}, err error) { + if len(d.From) == 0 { + err = fmt.Errorf("delete statements must specify a From table") + return + } + + sql := &bytes.Buffer{} + + if len(d.Prefixes) > 0 { + args, err = appendToSql(d.Prefixes, sql, " ", args) + if err != nil { + return + } + + sql.WriteString(" ") + } + + sql.WriteString("DELETE FROM ") + sql.WriteString(d.From) + + if len(d.WhereParts) > 0 { + sql.WriteString(" WHERE ") + args, err = appendToSql(d.WhereParts, sql, " AND ", args) + if err != nil { + return + } + } + + if len(d.OrderBys) > 0 { + sql.WriteString(" ORDER BY ") + sql.WriteString(strings.Join(d.OrderBys, ", ")) + } + + if len(d.Limit) > 0 { + sql.WriteString(" LIMIT ") + sql.WriteString(d.Limit) + } + + if len(d.Offset) > 0 { + sql.WriteString(" OFFSET ") + sql.WriteString(d.Offset) + } + + if len(d.Suffixes) > 0 { + sql.WriteString(" ") + args, err = appendToSql(d.Suffixes, sql, " ", args) + if err != nil { + return + } + } + + sqlStr, err = d.PlaceholderFormat.ReplacePlaceholders(sql.String()) + return +} + +// Builder + +// DeleteBuilder builds SQL DELETE statements. +type DeleteBuilder builder.Builder + +func init() { + builder.Register(DeleteBuilder{}, deleteData{}) +} + +// Format methods + +// PlaceholderFormat sets PlaceholderFormat (e.g. Question or Dollar) for the +// query. +func (b DeleteBuilder) PlaceholderFormat(f PlaceholderFormat) DeleteBuilder { + return builder.Set(b, "PlaceholderFormat", f).(DeleteBuilder) +} + +// Runner methods + +// RunWith sets a Runner (like database/sql.DB) to be used with e.g. Exec. +func (b DeleteBuilder) RunWith(runner BaseRunner) DeleteBuilder { + return setRunWith(b, runner).(DeleteBuilder) +} + +// Exec builds and Execs the query with the Runner set by RunWith. +func (b DeleteBuilder) Exec() (sql.Result, error) { + data := builder.GetStruct(b).(deleteData) + return data.Exec() +} + +// SQL methods + +// ToSql builds the query into a SQL string and bound args. +func (b DeleteBuilder) ToSql() (string, []interface{}, error) { + data := builder.GetStruct(b).(deleteData) + return data.ToSql() +} + +// MustSql builds the query into a SQL string and bound args. +// It panics if there are any errors. +func (b DeleteBuilder) MustSql() (string, []interface{}) { + sql, args, err := b.ToSql() + if err != nil { + panic(err) + } + return sql, args +} + +// Prefix adds an expression to the beginning of the query +func (b DeleteBuilder) Prefix(sql string, args ...interface{}) DeleteBuilder { + return b.PrefixExpr(Expr(sql, args...)) +} + +// PrefixExpr adds an expression to the very beginning of the query +func (b DeleteBuilder) PrefixExpr(expr Sqlizer) DeleteBuilder { + return builder.Append(b, "Prefixes", expr).(DeleteBuilder) +} + +// From sets the table to be deleted from. +func (b DeleteBuilder) From(from string) DeleteBuilder { + return builder.Set(b, "From", from).(DeleteBuilder) +} + +// Where adds WHERE expressions to the query. +// +// See SelectBuilder.Where for more information. +func (b DeleteBuilder) Where(pred interface{}, args ...interface{}) DeleteBuilder { + return builder.Append(b, "WhereParts", newWherePart(pred, args...)).(DeleteBuilder) +} + +// OrderBy adds ORDER BY expressions to the query. +func (b DeleteBuilder) OrderBy(orderBys ...string) DeleteBuilder { + return builder.Extend(b, "OrderBys", orderBys).(DeleteBuilder) +} + +// Limit sets a LIMIT clause on the query. +func (b DeleteBuilder) Limit(limit uint64) DeleteBuilder { + return builder.Set(b, "Limit", fmt.Sprintf("%d", limit)).(DeleteBuilder) +} + +// Offset sets a OFFSET clause on the query. +func (b DeleteBuilder) Offset(offset uint64) DeleteBuilder { + return builder.Set(b, "Offset", fmt.Sprintf("%d", offset)).(DeleteBuilder) +} + +// Suffix adds an expression to the end of the query +func (b DeleteBuilder) Suffix(sql string, args ...interface{}) DeleteBuilder { + return b.SuffixExpr(Expr(sql, args...)) +} + +// SuffixExpr adds an expression to the end of the query +func (b DeleteBuilder) SuffixExpr(expr Sqlizer) DeleteBuilder { + return builder.Append(b, "Suffixes", expr).(DeleteBuilder) +} + +func (b DeleteBuilder) Query() (*sql.Rows, error) { + data := builder.GetStruct(b).(deleteData) + return data.Query() +} + +func (d *deleteData) Query() (*sql.Rows, error) { + if d.RunWith == nil { + return nil, RunnerNotSet + } + return QueryWith(d.RunWith, d) +} diff --git a/vendor/github.com/Masterminds/squirrel/delete_ctx.go b/vendor/github.com/Masterminds/squirrel/delete_ctx.go new file mode 100644 index 0000000000..de83c55df3 --- /dev/null +++ b/vendor/github.com/Masterminds/squirrel/delete_ctx.go @@ -0,0 +1,69 @@ +// +build go1.8 + +package squirrel + +import ( + "context" + "database/sql" + + "github.com/lann/builder" +) + +func (d *deleteData) ExecContext(ctx context.Context) (sql.Result, error) { + if d.RunWith == nil { + return nil, RunnerNotSet + } + ctxRunner, ok := d.RunWith.(ExecerContext) + if !ok { + return nil, NoContextSupport + } + return ExecContextWith(ctx, ctxRunner, d) +} + +func (d *deleteData) QueryContext(ctx context.Context) (*sql.Rows, error) { + if d.RunWith == nil { + return nil, RunnerNotSet + } + ctxRunner, ok := d.RunWith.(QueryerContext) + if !ok { + return nil, NoContextSupport + } + return QueryContextWith(ctx, ctxRunner, d) +} + +func (d *deleteData) QueryRowContext(ctx context.Context) RowScanner { + if d.RunWith == nil { + return &Row{err: RunnerNotSet} + } + queryRower, ok := d.RunWith.(QueryRowerContext) + if !ok { + if _, ok := d.RunWith.(QueryerContext); !ok { + return &Row{err: RunnerNotQueryRunner} + } + return &Row{err: NoContextSupport} + } + return QueryRowContextWith(ctx, queryRower, d) +} + +// ExecContext builds and ExecContexts the query with the Runner set by RunWith. +func (b DeleteBuilder) ExecContext(ctx context.Context) (sql.Result, error) { + data := builder.GetStruct(b).(deleteData) + return data.ExecContext(ctx) +} + +// QueryContext builds and QueryContexts the query with the Runner set by RunWith. +func (b DeleteBuilder) QueryContext(ctx context.Context) (*sql.Rows, error) { + data := builder.GetStruct(b).(deleteData) + return data.QueryContext(ctx) +} + +// QueryRowContext builds and QueryRowContexts the query with the Runner set by RunWith. +func (b DeleteBuilder) QueryRowContext(ctx context.Context) RowScanner { + data := builder.GetStruct(b).(deleteData) + return data.QueryRowContext(ctx) +} + +// ScanContext is a shortcut for QueryRowContext().Scan. +func (b DeleteBuilder) ScanContext(ctx context.Context, dest ...interface{}) error { + return b.QueryRowContext(ctx).Scan(dest...) +} diff --git a/vendor/github.com/Masterminds/squirrel/expr.go b/vendor/github.com/Masterminds/squirrel/expr.go new file mode 100644 index 0000000000..eba1b4579e --- /dev/null +++ b/vendor/github.com/Masterminds/squirrel/expr.go @@ -0,0 +1,419 @@ +package squirrel + +import ( + "bytes" + "database/sql/driver" + "fmt" + "reflect" + "sort" + "strings" +) + +const ( + // Portable true/false literals. + sqlTrue = "(1=1)" + sqlFalse = "(1=0)" +) + +type expr struct { + sql string + args []interface{} +} + +// Expr builds an expression from a SQL fragment and arguments. +// +// Ex: +// Expr("FROM_UNIXTIME(?)", t) +func Expr(sql string, args ...interface{}) Sqlizer { + return expr{sql: sql, args: args} +} + +func (e expr) ToSql() (sql string, args []interface{}, err error) { + simple := true + for _, arg := range e.args { + if _, ok := arg.(Sqlizer); ok { + simple = false + } + } + if simple { + return e.sql, e.args, nil + } + + buf := &bytes.Buffer{} + ap := e.args + sp := e.sql + + var isql string + var iargs []interface{} + + for err == nil && len(ap) > 0 && len(sp) > 0 { + i := strings.Index(sp, "?") + if i < 0 { + // no more placeholders + break + } + if len(sp) > i+1 && sp[i+1:i+2] == "?" { + // escaped "??"; append it and step past + buf.WriteString(sp[:i+2]) + sp = sp[i+2:] + continue + } + + if as, ok := ap[0].(Sqlizer); ok { + // sqlizer argument; expand it and append the result + isql, iargs, err = as.ToSql() + buf.WriteString(sp[:i]) + buf.WriteString(isql) + args = append(args, iargs...) + } else { + // normal argument; append it and the placeholder + buf.WriteString(sp[:i+1]) + args = append(args, ap[0]) + } + + // step past the argument and placeholder + ap = ap[1:] + sp = sp[i+1:] + } + + // append the remaining sql and arguments + buf.WriteString(sp) + return buf.String(), append(args, ap...), err +} + +type concatExpr []interface{} + +func (ce concatExpr) ToSql() (sql string, args []interface{}, err error) { + for _, part := range ce { + switch p := part.(type) { + case string: + sql += p + case Sqlizer: + pSql, pArgs, err := p.ToSql() + if err != nil { + return "", nil, err + } + sql += pSql + args = append(args, pArgs...) + default: + return "", nil, fmt.Errorf("%#v is not a string or Sqlizer", part) + } + } + return +} + +// ConcatExpr builds an expression by concatenating strings and other expressions. +// +// Ex: +// name_expr := Expr("CONCAT(?, ' ', ?)", firstName, lastName) +// ConcatExpr("COALESCE(full_name,", name_expr, ")") +func ConcatExpr(parts ...interface{}) concatExpr { + return concatExpr(parts) +} + +// aliasExpr helps to alias part of SQL query generated with underlying "expr" +type aliasExpr struct { + expr Sqlizer + alias string +} + +// Alias allows to define alias for column in SelectBuilder. Useful when column is +// defined as complex expression like IF or CASE +// Ex: +// .Column(Alias(caseStmt, "case_column")) +func Alias(expr Sqlizer, alias string) aliasExpr { + return aliasExpr{expr, alias} +} + +func (e aliasExpr) ToSql() (sql string, args []interface{}, err error) { + sql, args, err = e.expr.ToSql() + if err == nil { + sql = fmt.Sprintf("(%s) AS %s", sql, e.alias) + } + return +} + +// Eq is syntactic sugar for use with Where/Having/Set methods. +type Eq map[string]interface{} + +func (eq Eq) toSQL(useNotOpr bool) (sql string, args []interface{}, err error) { + if len(eq) == 0 { + // Empty Sql{} evaluates to true. + sql = sqlTrue + return + } + + var ( + exprs []string + equalOpr = "=" + inOpr = "IN" + nullOpr = "IS" + inEmptyExpr = sqlFalse + ) + + if useNotOpr { + equalOpr = "<>" + inOpr = "NOT IN" + nullOpr = "IS NOT" + inEmptyExpr = sqlTrue + } + + sortedKeys := getSortedKeys(eq) + for _, key := range sortedKeys { + var expr string + val := eq[key] + + switch v := val.(type) { + case driver.Valuer: + if val, err = v.Value(); err != nil { + return + } + } + + r := reflect.ValueOf(val) + if r.Kind() == reflect.Ptr { + if r.IsNil() { + val = nil + } else { + val = r.Elem().Interface() + } + } + + if val == nil { + expr = fmt.Sprintf("%s %s NULL", key, nullOpr) + } else { + if isListType(val) { + valVal := reflect.ValueOf(val) + if valVal.Len() == 0 { + expr = inEmptyExpr + if args == nil { + args = []interface{}{} + } + } else { + for i := 0; i < valVal.Len(); i++ { + args = append(args, valVal.Index(i).Interface()) + } + expr = fmt.Sprintf("%s %s (%s)", key, inOpr, Placeholders(valVal.Len())) + } + } else { + expr = fmt.Sprintf("%s %s ?", key, equalOpr) + args = append(args, val) + } + } + exprs = append(exprs, expr) + } + sql = strings.Join(exprs, " AND ") + return +} + +func (eq Eq) ToSql() (sql string, args []interface{}, err error) { + return eq.toSQL(false) +} + +// NotEq is syntactic sugar for use with Where/Having/Set methods. +// Ex: +// .Where(NotEq{"id": 1}) == "id <> 1" +type NotEq Eq + +func (neq NotEq) ToSql() (sql string, args []interface{}, err error) { + return Eq(neq).toSQL(true) +} + +// Like is syntactic sugar for use with LIKE conditions. +// Ex: +// .Where(Like{"name": "%irrel"}) +type Like map[string]interface{} + +func (lk Like) toSql(opr string) (sql string, args []interface{}, err error) { + var exprs []string + for key, val := range lk { + expr := "" + + switch v := val.(type) { + case driver.Valuer: + if val, err = v.Value(); err != nil { + return + } + } + + if val == nil { + err = fmt.Errorf("cannot use null with like operators") + return + } else { + if isListType(val) { + err = fmt.Errorf("cannot use array or slice with like operators") + return + } else { + expr = fmt.Sprintf("%s %s ?", key, opr) + args = append(args, val) + } + } + exprs = append(exprs, expr) + } + sql = strings.Join(exprs, " AND ") + return +} + +func (lk Like) ToSql() (sql string, args []interface{}, err error) { + return lk.toSql("LIKE") +} + +// NotLike is syntactic sugar for use with LIKE conditions. +// Ex: +// .Where(NotLike{"name": "%irrel"}) +type NotLike Like + +func (nlk NotLike) ToSql() (sql string, args []interface{}, err error) { + return Like(nlk).toSql("NOT LIKE") +} + +// ILike is syntactic sugar for use with ILIKE conditions. +// Ex: +// .Where(ILike{"name": "sq%"}) +type ILike Like + +func (ilk ILike) ToSql() (sql string, args []interface{}, err error) { + return Like(ilk).toSql("ILIKE") +} + +// NotILike is syntactic sugar for use with ILIKE conditions. +// Ex: +// .Where(NotILike{"name": "sq%"}) +type NotILike Like + +func (nilk NotILike) ToSql() (sql string, args []interface{}, err error) { + return Like(nilk).toSql("NOT ILIKE") +} + +// Lt is syntactic sugar for use with Where/Having/Set methods. +// Ex: +// .Where(Lt{"id": 1}) +type Lt map[string]interface{} + +func (lt Lt) toSql(opposite, orEq bool) (sql string, args []interface{}, err error) { + var ( + exprs []string + opr = "<" + ) + + if opposite { + opr = ">" + } + + if orEq { + opr = fmt.Sprintf("%s%s", opr, "=") + } + + sortedKeys := getSortedKeys(lt) + for _, key := range sortedKeys { + var expr string + val := lt[key] + + switch v := val.(type) { + case driver.Valuer: + if val, err = v.Value(); err != nil { + return + } + } + + if val == nil { + err = fmt.Errorf("cannot use null with less than or greater than operators") + return + } + if isListType(val) { + err = fmt.Errorf("cannot use array or slice with less than or greater than operators") + return + } + expr = fmt.Sprintf("%s %s ?", key, opr) + args = append(args, val) + + exprs = append(exprs, expr) + } + sql = strings.Join(exprs, " AND ") + return +} + +func (lt Lt) ToSql() (sql string, args []interface{}, err error) { + return lt.toSql(false, false) +} + +// LtOrEq is syntactic sugar for use with Where/Having/Set methods. +// Ex: +// .Where(LtOrEq{"id": 1}) == "id <= 1" +type LtOrEq Lt + +func (ltOrEq LtOrEq) ToSql() (sql string, args []interface{}, err error) { + return Lt(ltOrEq).toSql(false, true) +} + +// Gt is syntactic sugar for use with Where/Having/Set methods. +// Ex: +// .Where(Gt{"id": 1}) == "id > 1" +type Gt Lt + +func (gt Gt) ToSql() (sql string, args []interface{}, err error) { + return Lt(gt).toSql(true, false) +} + +// GtOrEq is syntactic sugar for use with Where/Having/Set methods. +// Ex: +// .Where(GtOrEq{"id": 1}) == "id >= 1" +type GtOrEq Lt + +func (gtOrEq GtOrEq) ToSql() (sql string, args []interface{}, err error) { + return Lt(gtOrEq).toSql(true, true) +} + +type conj []Sqlizer + +func (c conj) join(sep, defaultExpr string) (sql string, args []interface{}, err error) { + if len(c) == 0 { + return defaultExpr, []interface{}{}, nil + } + var sqlParts []string + for _, sqlizer := range c { + partSQL, partArgs, err := nestedToSql(sqlizer) + if err != nil { + return "", nil, err + } + if partSQL != "" { + sqlParts = append(sqlParts, partSQL) + args = append(args, partArgs...) + } + } + if len(sqlParts) > 0 { + sql = fmt.Sprintf("(%s)", strings.Join(sqlParts, sep)) + } + return +} + +// And conjunction Sqlizers +type And conj + +func (a And) ToSql() (string, []interface{}, error) { + return conj(a).join(" AND ", sqlTrue) +} + +// Or conjunction Sqlizers +type Or conj + +func (o Or) ToSql() (string, []interface{}, error) { + return conj(o).join(" OR ", sqlFalse) +} + +func getSortedKeys(exp map[string]interface{}) []string { + sortedKeys := make([]string, 0, len(exp)) + for k := range exp { + sortedKeys = append(sortedKeys, k) + } + sort.Strings(sortedKeys) + return sortedKeys +} + +func isListType(val interface{}) bool { + if driver.IsValue(val) { + return false + } + valVal := reflect.ValueOf(val) + return valVal.Kind() == reflect.Array || valVal.Kind() == reflect.Slice +} diff --git a/vendor/github.com/Masterminds/squirrel/insert.go b/vendor/github.com/Masterminds/squirrel/insert.go new file mode 100644 index 0000000000..c23a57935b --- /dev/null +++ b/vendor/github.com/Masterminds/squirrel/insert.go @@ -0,0 +1,298 @@ +package squirrel + +import ( + "bytes" + "database/sql" + "errors" + "fmt" + "io" + "sort" + "strings" + + "github.com/lann/builder" +) + +type insertData struct { + PlaceholderFormat PlaceholderFormat + RunWith BaseRunner + Prefixes []Sqlizer + StatementKeyword string + Options []string + Into string + Columns []string + Values [][]interface{} + Suffixes []Sqlizer + Select *SelectBuilder +} + +func (d *insertData) Exec() (sql.Result, error) { + if d.RunWith == nil { + return nil, RunnerNotSet + } + return ExecWith(d.RunWith, d) +} + +func (d *insertData) Query() (*sql.Rows, error) { + if d.RunWith == nil { + return nil, RunnerNotSet + } + return QueryWith(d.RunWith, d) +} + +func (d *insertData) QueryRow() RowScanner { + if d.RunWith == nil { + return &Row{err: RunnerNotSet} + } + queryRower, ok := d.RunWith.(QueryRower) + if !ok { + return &Row{err: RunnerNotQueryRunner} + } + return QueryRowWith(queryRower, d) +} + +func (d *insertData) ToSql() (sqlStr string, args []interface{}, err error) { + if len(d.Into) == 0 { + err = errors.New("insert statements must specify a table") + return + } + if len(d.Values) == 0 && d.Select == nil { + err = errors.New("insert statements must have at least one set of values or select clause") + return + } + + sql := &bytes.Buffer{} + + if len(d.Prefixes) > 0 { + args, err = appendToSql(d.Prefixes, sql, " ", args) + if err != nil { + return + } + + sql.WriteString(" ") + } + + if d.StatementKeyword == "" { + sql.WriteString("INSERT ") + } else { + sql.WriteString(d.StatementKeyword) + sql.WriteString(" ") + } + + if len(d.Options) > 0 { + sql.WriteString(strings.Join(d.Options, " ")) + sql.WriteString(" ") + } + + sql.WriteString("INTO ") + sql.WriteString(d.Into) + sql.WriteString(" ") + + if len(d.Columns) > 0 { + sql.WriteString("(") + sql.WriteString(strings.Join(d.Columns, ",")) + sql.WriteString(") ") + } + + if d.Select != nil { + args, err = d.appendSelectToSQL(sql, args) + } else { + args, err = d.appendValuesToSQL(sql, args) + } + if err != nil { + return + } + + if len(d.Suffixes) > 0 { + sql.WriteString(" ") + args, err = appendToSql(d.Suffixes, sql, " ", args) + if err != nil { + return + } + } + + sqlStr, err = d.PlaceholderFormat.ReplacePlaceholders(sql.String()) + return +} + +func (d *insertData) appendValuesToSQL(w io.Writer, args []interface{}) ([]interface{}, error) { + if len(d.Values) == 0 { + return args, errors.New("values for insert statements are not set") + } + + io.WriteString(w, "VALUES ") + + valuesStrings := make([]string, len(d.Values)) + for r, row := range d.Values { + valueStrings := make([]string, len(row)) + for v, val := range row { + if vs, ok := val.(Sqlizer); ok { + vsql, vargs, err := vs.ToSql() + if err != nil { + return nil, err + } + valueStrings[v] = vsql + args = append(args, vargs...) + } else { + valueStrings[v] = "?" + args = append(args, val) + } + } + valuesStrings[r] = fmt.Sprintf("(%s)", strings.Join(valueStrings, ",")) + } + + io.WriteString(w, strings.Join(valuesStrings, ",")) + + return args, nil +} + +func (d *insertData) appendSelectToSQL(w io.Writer, args []interface{}) ([]interface{}, error) { + if d.Select == nil { + return args, errors.New("select clause for insert statements are not set") + } + + selectClause, sArgs, err := d.Select.ToSql() + if err != nil { + return args, err + } + + io.WriteString(w, selectClause) + args = append(args, sArgs...) + + return args, nil +} + +// Builder + +// InsertBuilder builds SQL INSERT statements. +type InsertBuilder builder.Builder + +func init() { + builder.Register(InsertBuilder{}, insertData{}) +} + +// Format methods + +// PlaceholderFormat sets PlaceholderFormat (e.g. Question or Dollar) for the +// query. +func (b InsertBuilder) PlaceholderFormat(f PlaceholderFormat) InsertBuilder { + return builder.Set(b, "PlaceholderFormat", f).(InsertBuilder) +} + +// Runner methods + +// RunWith sets a Runner (like database/sql.DB) to be used with e.g. Exec. +func (b InsertBuilder) RunWith(runner BaseRunner) InsertBuilder { + return setRunWith(b, runner).(InsertBuilder) +} + +// Exec builds and Execs the query with the Runner set by RunWith. +func (b InsertBuilder) Exec() (sql.Result, error) { + data := builder.GetStruct(b).(insertData) + return data.Exec() +} + +// Query builds and Querys the query with the Runner set by RunWith. +func (b InsertBuilder) Query() (*sql.Rows, error) { + data := builder.GetStruct(b).(insertData) + return data.Query() +} + +// QueryRow builds and QueryRows the query with the Runner set by RunWith. +func (b InsertBuilder) QueryRow() RowScanner { + data := builder.GetStruct(b).(insertData) + return data.QueryRow() +} + +// Scan is a shortcut for QueryRow().Scan. +func (b InsertBuilder) Scan(dest ...interface{}) error { + return b.QueryRow().Scan(dest...) +} + +// SQL methods + +// ToSql builds the query into a SQL string and bound args. +func (b InsertBuilder) ToSql() (string, []interface{}, error) { + data := builder.GetStruct(b).(insertData) + return data.ToSql() +} + +// MustSql builds the query into a SQL string and bound args. +// It panics if there are any errors. +func (b InsertBuilder) MustSql() (string, []interface{}) { + sql, args, err := b.ToSql() + if err != nil { + panic(err) + } + return sql, args +} + +// Prefix adds an expression to the beginning of the query +func (b InsertBuilder) Prefix(sql string, args ...interface{}) InsertBuilder { + return b.PrefixExpr(Expr(sql, args...)) +} + +// PrefixExpr adds an expression to the very beginning of the query +func (b InsertBuilder) PrefixExpr(expr Sqlizer) InsertBuilder { + return builder.Append(b, "Prefixes", expr).(InsertBuilder) +} + +// Options adds keyword options before the INTO clause of the query. +func (b InsertBuilder) Options(options ...string) InsertBuilder { + return builder.Extend(b, "Options", options).(InsertBuilder) +} + +// Into sets the INTO clause of the query. +func (b InsertBuilder) Into(from string) InsertBuilder { + return builder.Set(b, "Into", from).(InsertBuilder) +} + +// Columns adds insert columns to the query. +func (b InsertBuilder) Columns(columns ...string) InsertBuilder { + return builder.Extend(b, "Columns", columns).(InsertBuilder) +} + +// Values adds a single row's values to the query. +func (b InsertBuilder) Values(values ...interface{}) InsertBuilder { + return builder.Append(b, "Values", values).(InsertBuilder) +} + +// Suffix adds an expression to the end of the query +func (b InsertBuilder) Suffix(sql string, args ...interface{}) InsertBuilder { + return b.SuffixExpr(Expr(sql, args...)) +} + +// SuffixExpr adds an expression to the end of the query +func (b InsertBuilder) SuffixExpr(expr Sqlizer) InsertBuilder { + return builder.Append(b, "Suffixes", expr).(InsertBuilder) +} + +// SetMap set columns and values for insert builder from a map of column name and value +// note that it will reset all previous columns and values was set if any +func (b InsertBuilder) SetMap(clauses map[string]interface{}) InsertBuilder { + // Keep the columns in a consistent order by sorting the column key string. + cols := make([]string, 0, len(clauses)) + for col := range clauses { + cols = append(cols, col) + } + sort.Strings(cols) + + vals := make([]interface{}, 0, len(clauses)) + for _, col := range cols { + vals = append(vals, clauses[col]) + } + + b = builder.Set(b, "Columns", cols).(InsertBuilder) + b = builder.Set(b, "Values", [][]interface{}{vals}).(InsertBuilder) + + return b +} + +// Select set Select clause for insert query +// If Values and Select are used, then Select has higher priority +func (b InsertBuilder) Select(sb SelectBuilder) InsertBuilder { + return builder.Set(b, "Select", &sb).(InsertBuilder) +} + +func (b InsertBuilder) statementKeyword(keyword string) InsertBuilder { + return builder.Set(b, "StatementKeyword", keyword).(InsertBuilder) +} diff --git a/vendor/github.com/Masterminds/squirrel/insert_ctx.go b/vendor/github.com/Masterminds/squirrel/insert_ctx.go new file mode 100644 index 0000000000..4541c2fed3 --- /dev/null +++ b/vendor/github.com/Masterminds/squirrel/insert_ctx.go @@ -0,0 +1,69 @@ +// +build go1.8 + +package squirrel + +import ( + "context" + "database/sql" + + "github.com/lann/builder" +) + +func (d *insertData) ExecContext(ctx context.Context) (sql.Result, error) { + if d.RunWith == nil { + return nil, RunnerNotSet + } + ctxRunner, ok := d.RunWith.(ExecerContext) + if !ok { + return nil, NoContextSupport + } + return ExecContextWith(ctx, ctxRunner, d) +} + +func (d *insertData) QueryContext(ctx context.Context) (*sql.Rows, error) { + if d.RunWith == nil { + return nil, RunnerNotSet + } + ctxRunner, ok := d.RunWith.(QueryerContext) + if !ok { + return nil, NoContextSupport + } + return QueryContextWith(ctx, ctxRunner, d) +} + +func (d *insertData) QueryRowContext(ctx context.Context) RowScanner { + if d.RunWith == nil { + return &Row{err: RunnerNotSet} + } + queryRower, ok := d.RunWith.(QueryRowerContext) + if !ok { + if _, ok := d.RunWith.(QueryerContext); !ok { + return &Row{err: RunnerNotQueryRunner} + } + return &Row{err: NoContextSupport} + } + return QueryRowContextWith(ctx, queryRower, d) +} + +// ExecContext builds and ExecContexts the query with the Runner set by RunWith. +func (b InsertBuilder) ExecContext(ctx context.Context) (sql.Result, error) { + data := builder.GetStruct(b).(insertData) + return data.ExecContext(ctx) +} + +// QueryContext builds and QueryContexts the query with the Runner set by RunWith. +func (b InsertBuilder) QueryContext(ctx context.Context) (*sql.Rows, error) { + data := builder.GetStruct(b).(insertData) + return data.QueryContext(ctx) +} + +// QueryRowContext builds and QueryRowContexts the query with the Runner set by RunWith. +func (b InsertBuilder) QueryRowContext(ctx context.Context) RowScanner { + data := builder.GetStruct(b).(insertData) + return data.QueryRowContext(ctx) +} + +// ScanContext is a shortcut for QueryRowContext().Scan. +func (b InsertBuilder) ScanContext(ctx context.Context, dest ...interface{}) error { + return b.QueryRowContext(ctx).Scan(dest...) +} diff --git a/vendor/github.com/Masterminds/squirrel/part.go b/vendor/github.com/Masterminds/squirrel/part.go new file mode 100644 index 0000000000..c58f68f1a4 --- /dev/null +++ b/vendor/github.com/Masterminds/squirrel/part.go @@ -0,0 +1,63 @@ +package squirrel + +import ( + "fmt" + "io" +) + +type part struct { + pred interface{} + args []interface{} +} + +func newPart(pred interface{}, args ...interface{}) Sqlizer { + return &part{pred, args} +} + +func (p part) ToSql() (sql string, args []interface{}, err error) { + switch pred := p.pred.(type) { + case nil: + // no-op + case Sqlizer: + sql, args, err = nestedToSql(pred) + case string: + sql = pred + args = p.args + default: + err = fmt.Errorf("expected string or Sqlizer, not %T", pred) + } + return +} + +func nestedToSql(s Sqlizer) (string, []interface{}, error) { + if raw, ok := s.(rawSqlizer); ok { + return raw.toSqlRaw() + } else { + return s.ToSql() + } +} + +func appendToSql(parts []Sqlizer, w io.Writer, sep string, args []interface{}) ([]interface{}, error) { + for i, p := range parts { + partSql, partArgs, err := nestedToSql(p) + if err != nil { + return nil, err + } else if len(partSql) == 0 { + continue + } + + if i > 0 { + _, err := io.WriteString(w, sep) + if err != nil { + return nil, err + } + } + + _, err = io.WriteString(w, partSql) + if err != nil { + return nil, err + } + args = append(args, partArgs...) + } + return args, nil +} diff --git a/vendor/github.com/Masterminds/squirrel/placeholder.go b/vendor/github.com/Masterminds/squirrel/placeholder.go new file mode 100644 index 0000000000..8e97a6c62d --- /dev/null +++ b/vendor/github.com/Masterminds/squirrel/placeholder.go @@ -0,0 +1,114 @@ +package squirrel + +import ( + "bytes" + "fmt" + "strings" +) + +// PlaceholderFormat is the interface that wraps the ReplacePlaceholders method. +// +// ReplacePlaceholders takes a SQL statement and replaces each question mark +// placeholder with a (possibly different) SQL placeholder. +type PlaceholderFormat interface { + ReplacePlaceholders(sql string) (string, error) +} + +type placeholderDebugger interface { + debugPlaceholder() string +} + +var ( + // Question is a PlaceholderFormat instance that leaves placeholders as + // question marks. + Question = questionFormat{} + + // Dollar is a PlaceholderFormat instance that replaces placeholders with + // dollar-prefixed positional placeholders (e.g. $1, $2, $3). + Dollar = dollarFormat{} + + // Colon is a PlaceholderFormat instance that replaces placeholders with + // colon-prefixed positional placeholders (e.g. :1, :2, :3). + Colon = colonFormat{} + + // AtP is a PlaceholderFormat instance that replaces placeholders with + // "@p"-prefixed positional placeholders (e.g. @p1, @p2, @p3). + AtP = atpFormat{} +) + +type questionFormat struct{} + +func (questionFormat) ReplacePlaceholders(sql string) (string, error) { + return sql, nil +} + +func (questionFormat) debugPlaceholder() string { + return "?" +} + +type dollarFormat struct{} + +func (dollarFormat) ReplacePlaceholders(sql string) (string, error) { + return replacePositionalPlaceholders(sql, "$") +} + +func (dollarFormat) debugPlaceholder() string { + return "$" +} + +type colonFormat struct{} + +func (colonFormat) ReplacePlaceholders(sql string) (string, error) { + return replacePositionalPlaceholders(sql, ":") +} + +func (colonFormat) debugPlaceholder() string { + return ":" +} + +type atpFormat struct{} + +func (atpFormat) ReplacePlaceholders(sql string) (string, error) { + return replacePositionalPlaceholders(sql, "@p") +} + +func (atpFormat) debugPlaceholder() string { + return "@p" +} + +// Placeholders returns a string with count ? placeholders joined with commas. +func Placeholders(count int) string { + if count < 1 { + return "" + } + + return strings.Repeat(",?", count)[1:] +} + +func replacePositionalPlaceholders(sql, prefix string) (string, error) { + buf := &bytes.Buffer{} + i := 0 + for { + p := strings.Index(sql, "?") + if p == -1 { + break + } + + if len(sql[p:]) > 1 && sql[p:p+2] == "??" { // escape ?? => ? + buf.WriteString(sql[:p]) + buf.WriteString("?") + if len(sql[p:]) == 1 { + break + } + sql = sql[p+2:] + } else { + i++ + buf.WriteString(sql[:p]) + fmt.Fprintf(buf, "%s%d", prefix, i) + sql = sql[p+1:] + } + } + + buf.WriteString(sql) + return buf.String(), nil +} diff --git a/vendor/github.com/Masterminds/squirrel/row.go b/vendor/github.com/Masterminds/squirrel/row.go new file mode 100644 index 0000000000..74ffda92bd --- /dev/null +++ b/vendor/github.com/Masterminds/squirrel/row.go @@ -0,0 +1,22 @@ +package squirrel + +// RowScanner is the interface that wraps the Scan method. +// +// Scan behaves like database/sql.Row.Scan. +type RowScanner interface { + Scan(...interface{}) error +} + +// Row wraps database/sql.Row to let squirrel return new errors on Scan. +type Row struct { + RowScanner + err error +} + +// Scan returns Row.err or calls RowScanner.Scan. +func (r *Row) Scan(dest ...interface{}) error { + if r.err != nil { + return r.err + } + return r.RowScanner.Scan(dest...) +} diff --git a/vendor/github.com/Masterminds/squirrel/select.go b/vendor/github.com/Masterminds/squirrel/select.go new file mode 100644 index 0000000000..d55ce4c740 --- /dev/null +++ b/vendor/github.com/Masterminds/squirrel/select.go @@ -0,0 +1,403 @@ +package squirrel + +import ( + "bytes" + "database/sql" + "fmt" + "strings" + + "github.com/lann/builder" +) + +type selectData struct { + PlaceholderFormat PlaceholderFormat + RunWith BaseRunner + Prefixes []Sqlizer + Options []string + Columns []Sqlizer + From Sqlizer + Joins []Sqlizer + WhereParts []Sqlizer + GroupBys []string + HavingParts []Sqlizer + OrderByParts []Sqlizer + Limit string + Offset string + Suffixes []Sqlizer +} + +func (d *selectData) Exec() (sql.Result, error) { + if d.RunWith == nil { + return nil, RunnerNotSet + } + return ExecWith(d.RunWith, d) +} + +func (d *selectData) Query() (*sql.Rows, error) { + if d.RunWith == nil { + return nil, RunnerNotSet + } + return QueryWith(d.RunWith, d) +} + +func (d *selectData) QueryRow() RowScanner { + if d.RunWith == nil { + return &Row{err: RunnerNotSet} + } + queryRower, ok := d.RunWith.(QueryRower) + if !ok { + return &Row{err: RunnerNotQueryRunner} + } + return QueryRowWith(queryRower, d) +} + +func (d *selectData) ToSql() (sqlStr string, args []interface{}, err error) { + sqlStr, args, err = d.toSqlRaw() + if err != nil { + return + } + + sqlStr, err = d.PlaceholderFormat.ReplacePlaceholders(sqlStr) + return +} + +func (d *selectData) toSqlRaw() (sqlStr string, args []interface{}, err error) { + if len(d.Columns) == 0 { + err = fmt.Errorf("select statements must have at least one result column") + return + } + + sql := &bytes.Buffer{} + + if len(d.Prefixes) > 0 { + args, err = appendToSql(d.Prefixes, sql, " ", args) + if err != nil { + return + } + + sql.WriteString(" ") + } + + sql.WriteString("SELECT ") + + if len(d.Options) > 0 { + sql.WriteString(strings.Join(d.Options, " ")) + sql.WriteString(" ") + } + + if len(d.Columns) > 0 { + args, err = appendToSql(d.Columns, sql, ", ", args) + if err != nil { + return + } + } + + if d.From != nil { + sql.WriteString(" FROM ") + args, err = appendToSql([]Sqlizer{d.From}, sql, "", args) + if err != nil { + return + } + } + + if len(d.Joins) > 0 { + sql.WriteString(" ") + args, err = appendToSql(d.Joins, sql, " ", args) + if err != nil { + return + } + } + + if len(d.WhereParts) > 0 { + sql.WriteString(" WHERE ") + args, err = appendToSql(d.WhereParts, sql, " AND ", args) + if err != nil { + return + } + } + + if len(d.GroupBys) > 0 { + sql.WriteString(" GROUP BY ") + sql.WriteString(strings.Join(d.GroupBys, ", ")) + } + + if len(d.HavingParts) > 0 { + sql.WriteString(" HAVING ") + args, err = appendToSql(d.HavingParts, sql, " AND ", args) + if err != nil { + return + } + } + + if len(d.OrderByParts) > 0 { + sql.WriteString(" ORDER BY ") + args, err = appendToSql(d.OrderByParts, sql, ", ", args) + if err != nil { + return + } + } + + if len(d.Limit) > 0 { + sql.WriteString(" LIMIT ") + sql.WriteString(d.Limit) + } + + if len(d.Offset) > 0 { + sql.WriteString(" OFFSET ") + sql.WriteString(d.Offset) + } + + if len(d.Suffixes) > 0 { + sql.WriteString(" ") + + args, err = appendToSql(d.Suffixes, sql, " ", args) + if err != nil { + return + } + } + + sqlStr = sql.String() + return +} + +// Builder + +// SelectBuilder builds SQL SELECT statements. +type SelectBuilder builder.Builder + +func init() { + builder.Register(SelectBuilder{}, selectData{}) +} + +// Format methods + +// PlaceholderFormat sets PlaceholderFormat (e.g. Question or Dollar) for the +// query. +func (b SelectBuilder) PlaceholderFormat(f PlaceholderFormat) SelectBuilder { + return builder.Set(b, "PlaceholderFormat", f).(SelectBuilder) +} + +// Runner methods + +// RunWith sets a Runner (like database/sql.DB) to be used with e.g. Exec. +// For most cases runner will be a database connection. +// +// Internally we use this to mock out the database connection for testing. +func (b SelectBuilder) RunWith(runner BaseRunner) SelectBuilder { + return setRunWith(b, runner).(SelectBuilder) +} + +// Exec builds and Execs the query with the Runner set by RunWith. +func (b SelectBuilder) Exec() (sql.Result, error) { + data := builder.GetStruct(b).(selectData) + return data.Exec() +} + +// Query builds and Querys the query with the Runner set by RunWith. +func (b SelectBuilder) Query() (*sql.Rows, error) { + data := builder.GetStruct(b).(selectData) + return data.Query() +} + +// QueryRow builds and QueryRows the query with the Runner set by RunWith. +func (b SelectBuilder) QueryRow() RowScanner { + data := builder.GetStruct(b).(selectData) + return data.QueryRow() +} + +// Scan is a shortcut for QueryRow().Scan. +func (b SelectBuilder) Scan(dest ...interface{}) error { + return b.QueryRow().Scan(dest...) +} + +// SQL methods + +// ToSql builds the query into a SQL string and bound args. +func (b SelectBuilder) ToSql() (string, []interface{}, error) { + data := builder.GetStruct(b).(selectData) + return data.ToSql() +} + +func (b SelectBuilder) toSqlRaw() (string, []interface{}, error) { + data := builder.GetStruct(b).(selectData) + return data.toSqlRaw() +} + +// MustSql builds the query into a SQL string and bound args. +// It panics if there are any errors. +func (b SelectBuilder) MustSql() (string, []interface{}) { + sql, args, err := b.ToSql() + if err != nil { + panic(err) + } + return sql, args +} + +// Prefix adds an expression to the beginning of the query +func (b SelectBuilder) Prefix(sql string, args ...interface{}) SelectBuilder { + return b.PrefixExpr(Expr(sql, args...)) +} + +// PrefixExpr adds an expression to the very beginning of the query +func (b SelectBuilder) PrefixExpr(expr Sqlizer) SelectBuilder { + return builder.Append(b, "Prefixes", expr).(SelectBuilder) +} + +// Distinct adds a DISTINCT clause to the query. +func (b SelectBuilder) Distinct() SelectBuilder { + return b.Options("DISTINCT") +} + +// Options adds select option to the query +func (b SelectBuilder) Options(options ...string) SelectBuilder { + return builder.Extend(b, "Options", options).(SelectBuilder) +} + +// Columns adds result columns to the query. +func (b SelectBuilder) Columns(columns ...string) SelectBuilder { + parts := make([]interface{}, 0, len(columns)) + for _, str := range columns { + parts = append(parts, newPart(str)) + } + return builder.Extend(b, "Columns", parts).(SelectBuilder) +} + +// RemoveColumns remove all columns from query. +// Must add a new column with Column or Columns methods, otherwise +// return a error. +func (b SelectBuilder) RemoveColumns() SelectBuilder { + return builder.Delete(b, "Columns").(SelectBuilder) +} + +// Column adds a result column to the query. +// Unlike Columns, Column accepts args which will be bound to placeholders in +// the columns string, for example: +// Column("IF(col IN ("+squirrel.Placeholders(3)+"), 1, 0) as col", 1, 2, 3) +func (b SelectBuilder) Column(column interface{}, args ...interface{}) SelectBuilder { + return builder.Append(b, "Columns", newPart(column, args...)).(SelectBuilder) +} + +// From sets the FROM clause of the query. +func (b SelectBuilder) From(from string) SelectBuilder { + return builder.Set(b, "From", newPart(from)).(SelectBuilder) +} + +// FromSelect sets a subquery into the FROM clause of the query. +func (b SelectBuilder) FromSelect(from SelectBuilder, alias string) SelectBuilder { + // Prevent misnumbered parameters in nested selects (#183). + from = from.PlaceholderFormat(Question) + return builder.Set(b, "From", Alias(from, alias)).(SelectBuilder) +} + +// JoinClause adds a join clause to the query. +func (b SelectBuilder) JoinClause(pred interface{}, args ...interface{}) SelectBuilder { + return builder.Append(b, "Joins", newPart(pred, args...)).(SelectBuilder) +} + +// Join adds a JOIN clause to the query. +func (b SelectBuilder) Join(join string, rest ...interface{}) SelectBuilder { + return b.JoinClause("JOIN "+join, rest...) +} + +// LeftJoin adds a LEFT JOIN clause to the query. +func (b SelectBuilder) LeftJoin(join string, rest ...interface{}) SelectBuilder { + return b.JoinClause("LEFT JOIN "+join, rest...) +} + +// RightJoin adds a RIGHT JOIN clause to the query. +func (b SelectBuilder) RightJoin(join string, rest ...interface{}) SelectBuilder { + return b.JoinClause("RIGHT JOIN "+join, rest...) +} + +// InnerJoin adds a INNER JOIN clause to the query. +func (b SelectBuilder) InnerJoin(join string, rest ...interface{}) SelectBuilder { + return b.JoinClause("INNER JOIN "+join, rest...) +} + +// CrossJoin adds a CROSS JOIN clause to the query. +func (b SelectBuilder) CrossJoin(join string, rest ...interface{}) SelectBuilder { + return b.JoinClause("CROSS JOIN "+join, rest...) +} + +// Where adds an expression to the WHERE clause of the query. +// +// Expressions are ANDed together in the generated SQL. +// +// Where accepts several types for its pred argument: +// +// nil OR "" - ignored. +// +// string - SQL expression. +// If the expression has SQL placeholders then a set of arguments must be passed +// as well, one for each placeholder. +// +// map[string]interface{} OR Eq - map of SQL expressions to values. Each key is +// transformed into an expression like " = ?", with the corresponding value +// bound to the placeholder. If the value is nil, the expression will be " +// IS NULL". If the value is an array or slice, the expression will be " IN +// (?,?,...)", with one placeholder for each item in the value. These expressions +// are ANDed together. +// +// Where will panic if pred isn't any of the above types. +func (b SelectBuilder) Where(pred interface{}, args ...interface{}) SelectBuilder { + if pred == nil || pred == "" { + return b + } + return builder.Append(b, "WhereParts", newWherePart(pred, args...)).(SelectBuilder) +} + +// GroupBy adds GROUP BY expressions to the query. +func (b SelectBuilder) GroupBy(groupBys ...string) SelectBuilder { + return builder.Extend(b, "GroupBys", groupBys).(SelectBuilder) +} + +// Having adds an expression to the HAVING clause of the query. +// +// See Where. +func (b SelectBuilder) Having(pred interface{}, rest ...interface{}) SelectBuilder { + return builder.Append(b, "HavingParts", newWherePart(pred, rest...)).(SelectBuilder) +} + +// OrderByClause adds ORDER BY clause to the query. +func (b SelectBuilder) OrderByClause(pred interface{}, args ...interface{}) SelectBuilder { + return builder.Append(b, "OrderByParts", newPart(pred, args...)).(SelectBuilder) +} + +// OrderBy adds ORDER BY expressions to the query. +func (b SelectBuilder) OrderBy(orderBys ...string) SelectBuilder { + for _, orderBy := range orderBys { + b = b.OrderByClause(orderBy) + } + + return b +} + +// Limit sets a LIMIT clause on the query. +func (b SelectBuilder) Limit(limit uint64) SelectBuilder { + return builder.Set(b, "Limit", fmt.Sprintf("%d", limit)).(SelectBuilder) +} + +// Limit ALL allows to access all records with limit +func (b SelectBuilder) RemoveLimit() SelectBuilder { + return builder.Delete(b, "Limit").(SelectBuilder) +} + +// Offset sets a OFFSET clause on the query. +func (b SelectBuilder) Offset(offset uint64) SelectBuilder { + return builder.Set(b, "Offset", fmt.Sprintf("%d", offset)).(SelectBuilder) +} + +// RemoveOffset removes OFFSET clause. +func (b SelectBuilder) RemoveOffset() SelectBuilder { + return builder.Delete(b, "Offset").(SelectBuilder) +} + +// Suffix adds an expression to the end of the query +func (b SelectBuilder) Suffix(sql string, args ...interface{}) SelectBuilder { + return b.SuffixExpr(Expr(sql, args...)) +} + +// SuffixExpr adds an expression to the end of the query +func (b SelectBuilder) SuffixExpr(expr Sqlizer) SelectBuilder { + return builder.Append(b, "Suffixes", expr).(SelectBuilder) +} diff --git a/vendor/github.com/Masterminds/squirrel/select_ctx.go b/vendor/github.com/Masterminds/squirrel/select_ctx.go new file mode 100644 index 0000000000..4c42c13f47 --- /dev/null +++ b/vendor/github.com/Masterminds/squirrel/select_ctx.go @@ -0,0 +1,69 @@ +// +build go1.8 + +package squirrel + +import ( + "context" + "database/sql" + + "github.com/lann/builder" +) + +func (d *selectData) ExecContext(ctx context.Context) (sql.Result, error) { + if d.RunWith == nil { + return nil, RunnerNotSet + } + ctxRunner, ok := d.RunWith.(ExecerContext) + if !ok { + return nil, NoContextSupport + } + return ExecContextWith(ctx, ctxRunner, d) +} + +func (d *selectData) QueryContext(ctx context.Context) (*sql.Rows, error) { + if d.RunWith == nil { + return nil, RunnerNotSet + } + ctxRunner, ok := d.RunWith.(QueryerContext) + if !ok { + return nil, NoContextSupport + } + return QueryContextWith(ctx, ctxRunner, d) +} + +func (d *selectData) QueryRowContext(ctx context.Context) RowScanner { + if d.RunWith == nil { + return &Row{err: RunnerNotSet} + } + queryRower, ok := d.RunWith.(QueryRowerContext) + if !ok { + if _, ok := d.RunWith.(QueryerContext); !ok { + return &Row{err: RunnerNotQueryRunner} + } + return &Row{err: NoContextSupport} + } + return QueryRowContextWith(ctx, queryRower, d) +} + +// ExecContext builds and ExecContexts the query with the Runner set by RunWith. +func (b SelectBuilder) ExecContext(ctx context.Context) (sql.Result, error) { + data := builder.GetStruct(b).(selectData) + return data.ExecContext(ctx) +} + +// QueryContext builds and QueryContexts the query with the Runner set by RunWith. +func (b SelectBuilder) QueryContext(ctx context.Context) (*sql.Rows, error) { + data := builder.GetStruct(b).(selectData) + return data.QueryContext(ctx) +} + +// QueryRowContext builds and QueryRowContexts the query with the Runner set by RunWith. +func (b SelectBuilder) QueryRowContext(ctx context.Context) RowScanner { + data := builder.GetStruct(b).(selectData) + return data.QueryRowContext(ctx) +} + +// ScanContext is a shortcut for QueryRowContext().Scan. +func (b SelectBuilder) ScanContext(ctx context.Context, dest ...interface{}) error { + return b.QueryRowContext(ctx).Scan(dest...) +} diff --git a/vendor/github.com/Masterminds/squirrel/squirrel.go b/vendor/github.com/Masterminds/squirrel/squirrel.go new file mode 100644 index 0000000000..46d456eb62 --- /dev/null +++ b/vendor/github.com/Masterminds/squirrel/squirrel.go @@ -0,0 +1,183 @@ +// Package squirrel provides a fluent SQL generator. +// +// See https://github.com/Masterminds/squirrel for examples. +package squirrel + +import ( + "bytes" + "database/sql" + "fmt" + "strings" + + "github.com/lann/builder" +) + +// Sqlizer is the interface that wraps the ToSql method. +// +// ToSql returns a SQL representation of the Sqlizer, along with a slice of args +// as passed to e.g. database/sql.Exec. It can also return an error. +type Sqlizer interface { + ToSql() (string, []interface{}, error) +} + +// rawSqlizer is expected to do what Sqlizer does, but without finalizing placeholders. +// This is useful for nested queries. +type rawSqlizer interface { + toSqlRaw() (string, []interface{}, error) +} + +// Execer is the interface that wraps the Exec method. +// +// Exec executes the given query as implemented by database/sql.Exec. +type Execer interface { + Exec(query string, args ...interface{}) (sql.Result, error) +} + +// Queryer is the interface that wraps the Query method. +// +// Query executes the given query as implemented by database/sql.Query. +type Queryer interface { + Query(query string, args ...interface{}) (*sql.Rows, error) +} + +// QueryRower is the interface that wraps the QueryRow method. +// +// QueryRow executes the given query as implemented by database/sql.QueryRow. +type QueryRower interface { + QueryRow(query string, args ...interface{}) RowScanner +} + +// BaseRunner groups the Execer and Queryer interfaces. +type BaseRunner interface { + Execer + Queryer +} + +// Runner groups the Execer, Queryer, and QueryRower interfaces. +type Runner interface { + Execer + Queryer + QueryRower +} + +// WrapStdSql wraps a type implementing the standard SQL interface with methods that +// squirrel expects. +func WrapStdSql(stdSql StdSql) Runner { + return &stdsqlRunner{stdSql} +} + +// StdSql encompasses the standard methods of the *sql.DB type, and other types that +// wrap these methods. +type StdSql interface { + Query(string, ...interface{}) (*sql.Rows, error) + QueryRow(string, ...interface{}) *sql.Row + Exec(string, ...interface{}) (sql.Result, error) +} + +type stdsqlRunner struct { + StdSql +} + +func (r *stdsqlRunner) QueryRow(query string, args ...interface{}) RowScanner { + return r.StdSql.QueryRow(query, args...) +} + +func setRunWith(b interface{}, runner BaseRunner) interface{} { + switch r := runner.(type) { + case StdSqlCtx: + runner = WrapStdSqlCtx(r) + case StdSql: + runner = WrapStdSql(r) + } + return builder.Set(b, "RunWith", runner) +} + +// RunnerNotSet is returned by methods that need a Runner if it isn't set. +var RunnerNotSet = fmt.Errorf("cannot run; no Runner set (RunWith)") + +// RunnerNotQueryRunner is returned by QueryRow if the RunWith value doesn't implement QueryRower. +var RunnerNotQueryRunner = fmt.Errorf("cannot QueryRow; Runner is not a QueryRower") + +// ExecWith Execs the SQL returned by s with db. +func ExecWith(db Execer, s Sqlizer) (res sql.Result, err error) { + query, args, err := s.ToSql() + if err != nil { + return + } + return db.Exec(query, args...) +} + +// QueryWith Querys the SQL returned by s with db. +func QueryWith(db Queryer, s Sqlizer) (rows *sql.Rows, err error) { + query, args, err := s.ToSql() + if err != nil { + return + } + return db.Query(query, args...) +} + +// QueryRowWith QueryRows the SQL returned by s with db. +func QueryRowWith(db QueryRower, s Sqlizer) RowScanner { + query, args, err := s.ToSql() + return &Row{RowScanner: db.QueryRow(query, args...), err: err} +} + +// DebugSqlizer calls ToSql on s and shows the approximate SQL to be executed +// +// If ToSql returns an error, the result of this method will look like: +// "[ToSql error: %s]" or "[DebugSqlizer error: %s]" +// +// IMPORTANT: As its name suggests, this function should only be used for +// debugging. While the string result *might* be valid SQL, this function does +// not try very hard to ensure it. Additionally, executing the output of this +// function with any untrusted user input is certainly insecure. +func DebugSqlizer(s Sqlizer) string { + sql, args, err := s.ToSql() + if err != nil { + return fmt.Sprintf("[ToSql error: %s]", err) + } + + var placeholder string + downCast, ok := s.(placeholderDebugger) + if !ok { + placeholder = "?" + } else { + placeholder = downCast.debugPlaceholder() + } + // TODO: dedupe this with placeholder.go + buf := &bytes.Buffer{} + i := 0 + for { + p := strings.Index(sql, placeholder) + if p == -1 { + break + } + if len(sql[p:]) > 1 && sql[p:p+2] == "??" { // escape ?? => ? + buf.WriteString(sql[:p]) + buf.WriteString("?") + if len(sql[p:]) == 1 { + break + } + sql = sql[p+2:] + } else { + if i+1 > len(args) { + return fmt.Sprintf( + "[DebugSqlizer error: too many placeholders in %#v for %d args]", + sql, len(args)) + } + buf.WriteString(sql[:p]) + fmt.Fprintf(buf, "'%v'", args[i]) + // advance our sql string "cursor" beyond the arg we placed + sql = sql[p+1:] + i++ + } + } + if i < len(args) { + return fmt.Sprintf( + "[DebugSqlizer error: not enough placeholders in %#v for %d args]", + sql, len(args)) + } + // "append" any remaning sql that won't need interpolating + buf.WriteString(sql) + return buf.String() +} diff --git a/vendor/github.com/Masterminds/squirrel/squirrel_ctx.go b/vendor/github.com/Masterminds/squirrel/squirrel_ctx.go new file mode 100644 index 0000000000..c20148ad33 --- /dev/null +++ b/vendor/github.com/Masterminds/squirrel/squirrel_ctx.go @@ -0,0 +1,93 @@ +// +build go1.8 + +package squirrel + +import ( + "context" + "database/sql" + "errors" +) + +// NoContextSupport is returned if a db doesn't support Context. +var NoContextSupport = errors.New("DB does not support Context") + +// ExecerContext is the interface that wraps the ExecContext method. +// +// Exec executes the given query as implemented by database/sql.ExecContext. +type ExecerContext interface { + ExecContext(ctx context.Context, query string, args ...interface{}) (sql.Result, error) +} + +// QueryerContext is the interface that wraps the QueryContext method. +// +// QueryContext executes the given query as implemented by database/sql.QueryContext. +type QueryerContext interface { + QueryContext(ctx context.Context, query string, args ...interface{}) (*sql.Rows, error) +} + +// QueryRowerContext is the interface that wraps the QueryRowContext method. +// +// QueryRowContext executes the given query as implemented by database/sql.QueryRowContext. +type QueryRowerContext interface { + QueryRowContext(ctx context.Context, query string, args ...interface{}) RowScanner +} + +// RunnerContext groups the Runner interface, along with the Context versions of each of +// its methods +type RunnerContext interface { + Runner + QueryerContext + QueryRowerContext + ExecerContext +} + +// WrapStdSqlCtx wraps a type implementing the standard SQL interface plus the context +// versions of the methods with methods that squirrel expects. +func WrapStdSqlCtx(stdSqlCtx StdSqlCtx) RunnerContext { + return &stdsqlCtxRunner{stdSqlCtx} +} + +// StdSqlCtx encompasses the standard methods of the *sql.DB type, along with the Context +// versions of those methods, and other types that wrap these methods. +type StdSqlCtx interface { + StdSql + QueryContext(context.Context, string, ...interface{}) (*sql.Rows, error) + QueryRowContext(context.Context, string, ...interface{}) *sql.Row + ExecContext(context.Context, string, ...interface{}) (sql.Result, error) +} + +type stdsqlCtxRunner struct { + StdSqlCtx +} + +func (r *stdsqlCtxRunner) QueryRow(query string, args ...interface{}) RowScanner { + return r.StdSqlCtx.QueryRow(query, args...) +} + +func (r *stdsqlCtxRunner) QueryRowContext(ctx context.Context, query string, args ...interface{}) RowScanner { + return r.StdSqlCtx.QueryRowContext(ctx, query, args...) +} + +// ExecContextWith ExecContexts the SQL returned by s with db. +func ExecContextWith(ctx context.Context, db ExecerContext, s Sqlizer) (res sql.Result, err error) { + query, args, err := s.ToSql() + if err != nil { + return + } + return db.ExecContext(ctx, query, args...) +} + +// QueryContextWith QueryContexts the SQL returned by s with db. +func QueryContextWith(ctx context.Context, db QueryerContext, s Sqlizer) (rows *sql.Rows, err error) { + query, args, err := s.ToSql() + if err != nil { + return + } + return db.QueryContext(ctx, query, args...) +} + +// QueryRowContextWith QueryRowContexts the SQL returned by s with db. +func QueryRowContextWith(ctx context.Context, db QueryRowerContext, s Sqlizer) RowScanner { + query, args, err := s.ToSql() + return &Row{RowScanner: db.QueryRowContext(ctx, query, args...), err: err} +} diff --git a/vendor/github.com/Masterminds/squirrel/statement.go b/vendor/github.com/Masterminds/squirrel/statement.go new file mode 100644 index 0000000000..9420c67f8e --- /dev/null +++ b/vendor/github.com/Masterminds/squirrel/statement.go @@ -0,0 +1,104 @@ +package squirrel + +import "github.com/lann/builder" + +// StatementBuilderType is the type of StatementBuilder. +type StatementBuilderType builder.Builder + +// Select returns a SelectBuilder for this StatementBuilderType. +func (b StatementBuilderType) Select(columns ...string) SelectBuilder { + return SelectBuilder(b).Columns(columns...) +} + +// Insert returns a InsertBuilder for this StatementBuilderType. +func (b StatementBuilderType) Insert(into string) InsertBuilder { + return InsertBuilder(b).Into(into) +} + +// Replace returns a InsertBuilder for this StatementBuilderType with the +// statement keyword set to "REPLACE". +func (b StatementBuilderType) Replace(into string) InsertBuilder { + return InsertBuilder(b).statementKeyword("REPLACE").Into(into) +} + +// Update returns a UpdateBuilder for this StatementBuilderType. +func (b StatementBuilderType) Update(table string) UpdateBuilder { + return UpdateBuilder(b).Table(table) +} + +// Delete returns a DeleteBuilder for this StatementBuilderType. +func (b StatementBuilderType) Delete(from string) DeleteBuilder { + return DeleteBuilder(b).From(from) +} + +// PlaceholderFormat sets the PlaceholderFormat field for any child builders. +func (b StatementBuilderType) PlaceholderFormat(f PlaceholderFormat) StatementBuilderType { + return builder.Set(b, "PlaceholderFormat", f).(StatementBuilderType) +} + +// RunWith sets the RunWith field for any child builders. +func (b StatementBuilderType) RunWith(runner BaseRunner) StatementBuilderType { + return setRunWith(b, runner).(StatementBuilderType) +} + +// Where adds WHERE expressions to the query. +// +// See SelectBuilder.Where for more information. +func (b StatementBuilderType) Where(pred interface{}, args ...interface{}) StatementBuilderType { + return builder.Append(b, "WhereParts", newWherePart(pred, args...)).(StatementBuilderType) +} + +// StatementBuilder is a parent builder for other builders, e.g. SelectBuilder. +var StatementBuilder = StatementBuilderType(builder.EmptyBuilder).PlaceholderFormat(Question) + +// Select returns a new SelectBuilder, optionally setting some result columns. +// +// See SelectBuilder.Columns. +func Select(columns ...string) SelectBuilder { + return StatementBuilder.Select(columns...) +} + +// Insert returns a new InsertBuilder with the given table name. +// +// See InsertBuilder.Into. +func Insert(into string) InsertBuilder { + return StatementBuilder.Insert(into) +} + +// Replace returns a new InsertBuilder with the statement keyword set to +// "REPLACE" and with the given table name. +// +// See InsertBuilder.Into. +func Replace(into string) InsertBuilder { + return StatementBuilder.Replace(into) +} + +// Update returns a new UpdateBuilder with the given table name. +// +// See UpdateBuilder.Table. +func Update(table string) UpdateBuilder { + return StatementBuilder.Update(table) +} + +// Delete returns a new DeleteBuilder with the given table name. +// +// See DeleteBuilder.Table. +func Delete(from string) DeleteBuilder { + return StatementBuilder.Delete(from) +} + +// Case returns a new CaseBuilder +// "what" represents case value +func Case(what ...interface{}) CaseBuilder { + b := CaseBuilder(builder.EmptyBuilder) + + switch len(what) { + case 0: + case 1: + b = b.what(what[0]) + default: + b = b.what(newPart(what[0], what[1:]...)) + + } + return b +} diff --git a/vendor/github.com/Masterminds/squirrel/stmtcacher.go b/vendor/github.com/Masterminds/squirrel/stmtcacher.go new file mode 100644 index 0000000000..5bf267a136 --- /dev/null +++ b/vendor/github.com/Masterminds/squirrel/stmtcacher.go @@ -0,0 +1,121 @@ +package squirrel + +import ( + "database/sql" + "fmt" + "sync" +) + +// Prepareer is the interface that wraps the Prepare method. +// +// Prepare executes the given query as implemented by database/sql.Prepare. +type Preparer interface { + Prepare(query string) (*sql.Stmt, error) +} + +// DBProxy groups the Execer, Queryer, QueryRower, and Preparer interfaces. +type DBProxy interface { + Execer + Queryer + QueryRower + Preparer +} + +// NOTE: NewStmtCache is defined in stmtcacher_ctx.go (Go >= 1.8) or stmtcacher_noctx.go (Go < 1.8). + +// StmtCache wraps and delegates down to a Preparer type +// +// It also automatically prepares all statements sent to the underlying Preparer calls +// for Exec, Query and QueryRow and caches the returns *sql.Stmt using the provided +// query as the key. So that it can be automatically re-used. +type StmtCache struct { + prep Preparer + cache map[string]*sql.Stmt + mu sync.Mutex +} + +// Prepare delegates down to the underlying Preparer and caches the result +// using the provided query as a key +func (sc *StmtCache) Prepare(query string) (*sql.Stmt, error) { + sc.mu.Lock() + defer sc.mu.Unlock() + + stmt, ok := sc.cache[query] + if ok { + return stmt, nil + } + stmt, err := sc.prep.Prepare(query) + if err == nil { + sc.cache[query] = stmt + } + return stmt, err +} + +// Exec delegates down to the underlying Preparer using a prepared statement +func (sc *StmtCache) Exec(query string, args ...interface{}) (res sql.Result, err error) { + stmt, err := sc.Prepare(query) + if err != nil { + return + } + return stmt.Exec(args...) +} + +// Query delegates down to the underlying Preparer using a prepared statement +func (sc *StmtCache) Query(query string, args ...interface{}) (rows *sql.Rows, err error) { + stmt, err := sc.Prepare(query) + if err != nil { + return + } + return stmt.Query(args...) +} + +// QueryRow delegates down to the underlying Preparer using a prepared statement +func (sc *StmtCache) QueryRow(query string, args ...interface{}) RowScanner { + stmt, err := sc.Prepare(query) + if err != nil { + return &Row{err: err} + } + return stmt.QueryRow(args...) +} + +// Clear removes and closes all the currently cached prepared statements +func (sc *StmtCache) Clear() (err error) { + sc.mu.Lock() + defer sc.mu.Unlock() + + for key, stmt := range sc.cache { + delete(sc.cache, key) + + if stmt == nil { + continue + } + + if cerr := stmt.Close(); cerr != nil { + err = cerr + } + } + + if err != nil { + return fmt.Errorf("one or more Stmt.Close failed; last error: %v", err) + } + + return +} + +type DBProxyBeginner interface { + DBProxy + Begin() (*sql.Tx, error) +} + +type stmtCacheProxy struct { + DBProxy + db *sql.DB +} + +func NewStmtCacheProxy(db *sql.DB) DBProxyBeginner { + return &stmtCacheProxy{DBProxy: NewStmtCache(db), db: db} +} + +func (sp *stmtCacheProxy) Begin() (*sql.Tx, error) { + return sp.db.Begin() +} diff --git a/vendor/github.com/Masterminds/squirrel/stmtcacher_ctx.go b/vendor/github.com/Masterminds/squirrel/stmtcacher_ctx.go new file mode 100644 index 0000000000..53603cf4c9 --- /dev/null +++ b/vendor/github.com/Masterminds/squirrel/stmtcacher_ctx.go @@ -0,0 +1,86 @@ +// +build go1.8 + +package squirrel + +import ( + "context" + "database/sql" +) + +// PrepareerContext is the interface that wraps the Prepare and PrepareContext methods. +// +// Prepare executes the given query as implemented by database/sql.Prepare. +// PrepareContext executes the given query as implemented by database/sql.PrepareContext. +type PreparerContext interface { + Preparer + PrepareContext(ctx context.Context, query string) (*sql.Stmt, error) +} + +// DBProxyContext groups the Execer, Queryer, QueryRower and PreparerContext interfaces. +type DBProxyContext interface { + Execer + Queryer + QueryRower + PreparerContext +} + +// NewStmtCache returns a *StmtCache wrapping a PreparerContext that caches Prepared Stmts. +// +// Stmts are cached based on the string value of their queries. +func NewStmtCache(prep PreparerContext) *StmtCache { + return &StmtCache{prep: prep, cache: make(map[string]*sql.Stmt)} +} + +// NewStmtCacher is deprecated +// +// Use NewStmtCache instead +func NewStmtCacher(prep PreparerContext) DBProxyContext { + return NewStmtCache(prep) +} + +// PrepareContext delegates down to the underlying PreparerContext and caches the result +// using the provided query as a key +func (sc *StmtCache) PrepareContext(ctx context.Context, query string) (*sql.Stmt, error) { + ctxPrep, ok := sc.prep.(PreparerContext) + if !ok { + return nil, NoContextSupport + } + sc.mu.Lock() + defer sc.mu.Unlock() + stmt, ok := sc.cache[query] + if ok { + return stmt, nil + } + stmt, err := ctxPrep.PrepareContext(ctx, query) + if err == nil { + sc.cache[query] = stmt + } + return stmt, err +} + +// ExecContext delegates down to the underlying PreparerContext using a prepared statement +func (sc *StmtCache) ExecContext(ctx context.Context, query string, args ...interface{}) (res sql.Result, err error) { + stmt, err := sc.PrepareContext(ctx, query) + if err != nil { + return + } + return stmt.ExecContext(ctx, args...) +} + +// QueryContext delegates down to the underlying PreparerContext using a prepared statement +func (sc *StmtCache) QueryContext(ctx context.Context, query string, args ...interface{}) (rows *sql.Rows, err error) { + stmt, err := sc.PrepareContext(ctx, query) + if err != nil { + return + } + return stmt.QueryContext(ctx, args...) +} + +// QueryRowContext delegates down to the underlying PreparerContext using a prepared statement +func (sc *StmtCache) QueryRowContext(ctx context.Context, query string, args ...interface{}) RowScanner { + stmt, err := sc.PrepareContext(ctx, query) + if err != nil { + return &Row{err: err} + } + return stmt.QueryRowContext(ctx, args...) +} diff --git a/vendor/github.com/Masterminds/squirrel/stmtcacher_noctx.go b/vendor/github.com/Masterminds/squirrel/stmtcacher_noctx.go new file mode 100644 index 0000000000..deac96777b --- /dev/null +++ b/vendor/github.com/Masterminds/squirrel/stmtcacher_noctx.go @@ -0,0 +1,21 @@ +// +build !go1.8 + +package squirrel + +import ( + "database/sql" +) + +// NewStmtCacher returns a DBProxy wrapping prep that caches Prepared Stmts. +// +// Stmts are cached based on the string value of their queries. +func NewStmtCache(prep Preparer) *StmtCache { + return &StmtCacher{prep: prep, cache: make(map[string]*sql.Stmt)} +} + +// NewStmtCacher is deprecated +// +// Use NewStmtCache instead +func NewStmtCacher(prep Preparer) DBProxy { + return NewStmtCache(prep) +} diff --git a/vendor/github.com/Masterminds/squirrel/update.go b/vendor/github.com/Masterminds/squirrel/update.go new file mode 100644 index 0000000000..eb2a9c4dd9 --- /dev/null +++ b/vendor/github.com/Masterminds/squirrel/update.go @@ -0,0 +1,288 @@ +package squirrel + +import ( + "bytes" + "database/sql" + "fmt" + "sort" + "strings" + + "github.com/lann/builder" +) + +type updateData struct { + PlaceholderFormat PlaceholderFormat + RunWith BaseRunner + Prefixes []Sqlizer + Table string + SetClauses []setClause + From Sqlizer + WhereParts []Sqlizer + OrderBys []string + Limit string + Offset string + Suffixes []Sqlizer +} + +type setClause struct { + column string + value interface{} +} + +func (d *updateData) Exec() (sql.Result, error) { + if d.RunWith == nil { + return nil, RunnerNotSet + } + return ExecWith(d.RunWith, d) +} + +func (d *updateData) Query() (*sql.Rows, error) { + if d.RunWith == nil { + return nil, RunnerNotSet + } + return QueryWith(d.RunWith, d) +} + +func (d *updateData) QueryRow() RowScanner { + if d.RunWith == nil { + return &Row{err: RunnerNotSet} + } + queryRower, ok := d.RunWith.(QueryRower) + if !ok { + return &Row{err: RunnerNotQueryRunner} + } + return QueryRowWith(queryRower, d) +} + +func (d *updateData) ToSql() (sqlStr string, args []interface{}, err error) { + if len(d.Table) == 0 { + err = fmt.Errorf("update statements must specify a table") + return + } + if len(d.SetClauses) == 0 { + err = fmt.Errorf("update statements must have at least one Set clause") + return + } + + sql := &bytes.Buffer{} + + if len(d.Prefixes) > 0 { + args, err = appendToSql(d.Prefixes, sql, " ", args) + if err != nil { + return + } + + sql.WriteString(" ") + } + + sql.WriteString("UPDATE ") + sql.WriteString(d.Table) + + sql.WriteString(" SET ") + setSqls := make([]string, len(d.SetClauses)) + for i, setClause := range d.SetClauses { + var valSql string + if vs, ok := setClause.value.(Sqlizer); ok { + vsql, vargs, err := vs.ToSql() + if err != nil { + return "", nil, err + } + if _, ok := vs.(SelectBuilder); ok { + valSql = fmt.Sprintf("(%s)", vsql) + } else { + valSql = vsql + } + args = append(args, vargs...) + } else { + valSql = "?" + args = append(args, setClause.value) + } + setSqls[i] = fmt.Sprintf("%s = %s", setClause.column, valSql) + } + sql.WriteString(strings.Join(setSqls, ", ")) + + if d.From != nil { + sql.WriteString(" FROM ") + args, err = appendToSql([]Sqlizer{d.From}, sql, "", args) + if err != nil { + return + } + } + + if len(d.WhereParts) > 0 { + sql.WriteString(" WHERE ") + args, err = appendToSql(d.WhereParts, sql, " AND ", args) + if err != nil { + return + } + } + + if len(d.OrderBys) > 0 { + sql.WriteString(" ORDER BY ") + sql.WriteString(strings.Join(d.OrderBys, ", ")) + } + + if len(d.Limit) > 0 { + sql.WriteString(" LIMIT ") + sql.WriteString(d.Limit) + } + + if len(d.Offset) > 0 { + sql.WriteString(" OFFSET ") + sql.WriteString(d.Offset) + } + + if len(d.Suffixes) > 0 { + sql.WriteString(" ") + args, err = appendToSql(d.Suffixes, sql, " ", args) + if err != nil { + return + } + } + + sqlStr, err = d.PlaceholderFormat.ReplacePlaceholders(sql.String()) + return +} + +// Builder + +// UpdateBuilder builds SQL UPDATE statements. +type UpdateBuilder builder.Builder + +func init() { + builder.Register(UpdateBuilder{}, updateData{}) +} + +// Format methods + +// PlaceholderFormat sets PlaceholderFormat (e.g. Question or Dollar) for the +// query. +func (b UpdateBuilder) PlaceholderFormat(f PlaceholderFormat) UpdateBuilder { + return builder.Set(b, "PlaceholderFormat", f).(UpdateBuilder) +} + +// Runner methods + +// RunWith sets a Runner (like database/sql.DB) to be used with e.g. Exec. +func (b UpdateBuilder) RunWith(runner BaseRunner) UpdateBuilder { + return setRunWith(b, runner).(UpdateBuilder) +} + +// Exec builds and Execs the query with the Runner set by RunWith. +func (b UpdateBuilder) Exec() (sql.Result, error) { + data := builder.GetStruct(b).(updateData) + return data.Exec() +} + +func (b UpdateBuilder) Query() (*sql.Rows, error) { + data := builder.GetStruct(b).(updateData) + return data.Query() +} + +func (b UpdateBuilder) QueryRow() RowScanner { + data := builder.GetStruct(b).(updateData) + return data.QueryRow() +} + +func (b UpdateBuilder) Scan(dest ...interface{}) error { + return b.QueryRow().Scan(dest...) +} + +// SQL methods + +// ToSql builds the query into a SQL string and bound args. +func (b UpdateBuilder) ToSql() (string, []interface{}, error) { + data := builder.GetStruct(b).(updateData) + return data.ToSql() +} + +// MustSql builds the query into a SQL string and bound args. +// It panics if there are any errors. +func (b UpdateBuilder) MustSql() (string, []interface{}) { + sql, args, err := b.ToSql() + if err != nil { + panic(err) + } + return sql, args +} + +// Prefix adds an expression to the beginning of the query +func (b UpdateBuilder) Prefix(sql string, args ...interface{}) UpdateBuilder { + return b.PrefixExpr(Expr(sql, args...)) +} + +// PrefixExpr adds an expression to the very beginning of the query +func (b UpdateBuilder) PrefixExpr(expr Sqlizer) UpdateBuilder { + return builder.Append(b, "Prefixes", expr).(UpdateBuilder) +} + +// Table sets the table to be updated. +func (b UpdateBuilder) Table(table string) UpdateBuilder { + return builder.Set(b, "Table", table).(UpdateBuilder) +} + +// Set adds SET clauses to the query. +func (b UpdateBuilder) Set(column string, value interface{}) UpdateBuilder { + return builder.Append(b, "SetClauses", setClause{column: column, value: value}).(UpdateBuilder) +} + +// SetMap is a convenience method which calls .Set for each key/value pair in clauses. +func (b UpdateBuilder) SetMap(clauses map[string]interface{}) UpdateBuilder { + keys := make([]string, len(clauses)) + i := 0 + for key := range clauses { + keys[i] = key + i++ + } + sort.Strings(keys) + for _, key := range keys { + val, _ := clauses[key] + b = b.Set(key, val) + } + return b +} + +// From adds FROM clause to the query +// FROM is valid construct in postgresql only. +func (b UpdateBuilder) From(from string) UpdateBuilder { + return builder.Set(b, "From", newPart(from)).(UpdateBuilder) +} + +// FromSelect sets a subquery into the FROM clause of the query. +func (b UpdateBuilder) FromSelect(from SelectBuilder, alias string) UpdateBuilder { + // Prevent misnumbered parameters in nested selects (#183). + from = from.PlaceholderFormat(Question) + return builder.Set(b, "From", Alias(from, alias)).(UpdateBuilder) +} + +// Where adds WHERE expressions to the query. +// +// See SelectBuilder.Where for more information. +func (b UpdateBuilder) Where(pred interface{}, args ...interface{}) UpdateBuilder { + return builder.Append(b, "WhereParts", newWherePart(pred, args...)).(UpdateBuilder) +} + +// OrderBy adds ORDER BY expressions to the query. +func (b UpdateBuilder) OrderBy(orderBys ...string) UpdateBuilder { + return builder.Extend(b, "OrderBys", orderBys).(UpdateBuilder) +} + +// Limit sets a LIMIT clause on the query. +func (b UpdateBuilder) Limit(limit uint64) UpdateBuilder { + return builder.Set(b, "Limit", fmt.Sprintf("%d", limit)).(UpdateBuilder) +} + +// Offset sets a OFFSET clause on the query. +func (b UpdateBuilder) Offset(offset uint64) UpdateBuilder { + return builder.Set(b, "Offset", fmt.Sprintf("%d", offset)).(UpdateBuilder) +} + +// Suffix adds an expression to the end of the query +func (b UpdateBuilder) Suffix(sql string, args ...interface{}) UpdateBuilder { + return b.SuffixExpr(Expr(sql, args...)) +} + +// SuffixExpr adds an expression to the end of the query +func (b UpdateBuilder) SuffixExpr(expr Sqlizer) UpdateBuilder { + return builder.Append(b, "Suffixes", expr).(UpdateBuilder) +} diff --git a/vendor/github.com/Masterminds/squirrel/update_ctx.go b/vendor/github.com/Masterminds/squirrel/update_ctx.go new file mode 100644 index 0000000000..ad479f96f4 --- /dev/null +++ b/vendor/github.com/Masterminds/squirrel/update_ctx.go @@ -0,0 +1,69 @@ +// +build go1.8 + +package squirrel + +import ( + "context" + "database/sql" + + "github.com/lann/builder" +) + +func (d *updateData) ExecContext(ctx context.Context) (sql.Result, error) { + if d.RunWith == nil { + return nil, RunnerNotSet + } + ctxRunner, ok := d.RunWith.(ExecerContext) + if !ok { + return nil, NoContextSupport + } + return ExecContextWith(ctx, ctxRunner, d) +} + +func (d *updateData) QueryContext(ctx context.Context) (*sql.Rows, error) { + if d.RunWith == nil { + return nil, RunnerNotSet + } + ctxRunner, ok := d.RunWith.(QueryerContext) + if !ok { + return nil, NoContextSupport + } + return QueryContextWith(ctx, ctxRunner, d) +} + +func (d *updateData) QueryRowContext(ctx context.Context) RowScanner { + if d.RunWith == nil { + return &Row{err: RunnerNotSet} + } + queryRower, ok := d.RunWith.(QueryRowerContext) + if !ok { + if _, ok := d.RunWith.(QueryerContext); !ok { + return &Row{err: RunnerNotQueryRunner} + } + return &Row{err: NoContextSupport} + } + return QueryRowContextWith(ctx, queryRower, d) +} + +// ExecContext builds and ExecContexts the query with the Runner set by RunWith. +func (b UpdateBuilder) ExecContext(ctx context.Context) (sql.Result, error) { + data := builder.GetStruct(b).(updateData) + return data.ExecContext(ctx) +} + +// QueryContext builds and QueryContexts the query with the Runner set by RunWith. +func (b UpdateBuilder) QueryContext(ctx context.Context) (*sql.Rows, error) { + data := builder.GetStruct(b).(updateData) + return data.QueryContext(ctx) +} + +// QueryRowContext builds and QueryRowContexts the query with the Runner set by RunWith. +func (b UpdateBuilder) QueryRowContext(ctx context.Context) RowScanner { + data := builder.GetStruct(b).(updateData) + return data.QueryRowContext(ctx) +} + +// ScanContext is a shortcut for QueryRowContext().Scan. +func (b UpdateBuilder) ScanContext(ctx context.Context, dest ...interface{}) error { + return b.QueryRowContext(ctx).Scan(dest...) +} diff --git a/vendor/github.com/Masterminds/squirrel/where.go b/vendor/github.com/Masterminds/squirrel/where.go new file mode 100644 index 0000000000..976b63ace4 --- /dev/null +++ b/vendor/github.com/Masterminds/squirrel/where.go @@ -0,0 +1,30 @@ +package squirrel + +import ( + "fmt" +) + +type wherePart part + +func newWherePart(pred interface{}, args ...interface{}) Sqlizer { + return &wherePart{pred: pred, args: args} +} + +func (p wherePart) ToSql() (sql string, args []interface{}, err error) { + switch pred := p.pred.(type) { + case nil: + // no-op + case rawSqlizer: + return pred.toSqlRaw() + case Sqlizer: + return pred.ToSql() + case map[string]interface{}: + return Eq(pred).ToSql() + case string: + sql = pred + args = p.args + default: + err = fmt.Errorf("expected string-keyed map or string, not %T", pred) + } + return +} diff --git a/vendor/github.com/chai2010/gettext-go/.travis.yml b/vendor/github.com/chai2010/gettext-go/.travis.yml new file mode 100644 index 0000000000..4eac3982bc --- /dev/null +++ b/vendor/github.com/chai2010/gettext-go/.travis.yml @@ -0,0 +1,5 @@ +language: go + +go: + - "1.14" + - tip diff --git a/vendor/github.com/chai2010/gettext-go/LICENSE b/vendor/github.com/chai2010/gettext-go/LICENSE new file mode 100644 index 0000000000..8f39408250 --- /dev/null +++ b/vendor/github.com/chai2010/gettext-go/LICENSE @@ -0,0 +1,27 @@ +Copyright 2013 ChaiShushan . All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are +met: + + * Redistributions of source code must retain the above copyright +notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above +copyright notice, this list of conditions and the following disclaimer +in the documentation and/or other materials provided with the +distribution. + * Neither the name of Google Inc. nor the names of its +contributors may be used to endorse or promote products derived from +this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. diff --git a/vendor/github.com/chai2010/gettext-go/README.md b/vendor/github.com/chai2010/gettext-go/README.md new file mode 100644 index 0000000000..d766fab4d7 --- /dev/null +++ b/vendor/github.com/chai2010/gettext-go/README.md @@ -0,0 +1,190 @@ +- *Go语言QQ群: 102319854, 1055927514* +- *凹语言(凹读音“Waâ€)(The Wa Programming Language): https://github.com/wa-lang/wa* + +---- + +# gettext-go: GNU gettext for Go ([Imported By Kubernetes](https://pkg.go.dev/github.com/chai2010/gettext-go@v0.1.0/gettext?tab=importedby)) + +- PkgDoc: [http://godoc.org/github.com/chai2010/gettext-go](http://godoc.org/github.com/chai2010/gettext-go) +- PkgDoc: [http://pkg.go.dev/github.com/chai2010/gettext-go](http://pkg.go.dev/github.com/chai2010/gettext-go) + +## Install + +1. `go get github.com/chai2010/gettext-go` +2. `go run hello.go` + +The godoc.org or go.dev has more information. + +## Examples + +```Go +package main + +import ( + "fmt" + + "github.com/chai2010/gettext-go" +) + +func main() { + gettext := gettext.New("hello", "./examples/locale").SetLanguage("zh_CN") + fmt.Println(gettext.Gettext("Hello, world!")) + + // Output: 你好, 世界! +} +``` + +```Go +package main + +import ( + "fmt" + + "github.com/chai2010/gettext-go" +) + +func main() { + gettext.SetLanguage("zh_CN") + gettext.BindLocale(gettext.New("hello", "locale")) + + // gettext.BindLocale("hello", "locale") // from locale dir + // gettext.BindLocale("hello", "locale.zip") // from locale zip file + // gettext.BindLocale("hello", "locale.zip", zipData) // from embedded zip data + + // translate source text + fmt.Println(gettext.Gettext("Hello, world!")) + // Output: 你好, 世界! + + // if no msgctxt in PO file (only msgid and msgstr), + // specify context as "" by + fmt.Println(gettext.PGettext("", "Hello, world!")) + // Output: 你好, 世界! + + // translate resource + fmt.Println(string(gettext.Getdata("poems.txt")))) + // Output: ... +} +``` + +Go file: [hello.go](https://github.com/chai2010/gettext-go/blob/master/examples/hello.go); PO file: [hello.po](https://github.com/chai2010/gettext-go/blob/master/examples/locale/default/LC_MESSAGES/hello.po); + +---- + +## API Changes (v0.1.0 vs v1.0.0) + +### Renamed package path + +| v0.1.0 (old) | v1.0.0 (new) | +| ----------------------------------------------- | --------------------------------------- | +| `github.com/chai2010/gettext-go/gettext` | `github.com/chai2010/gettext-go` | +| `github.com/chai2010/gettext-go/gettext/po` | `github.com/chai2010/gettext-go/po` | +| `github.com/chai2010/gettext-go/gettext/mo` | `github.com/chai2010/gettext-go/mo` | +| `github.com/chai2010/gettext-go/gettext/plural` | `github.com/chai2010/gettext-go/plural` | + +### Renamed functions + +| v0.1.0 (old) | v1.0.0 (new) | +| ---------------------------------- | --------------------------- | +| `gettext-go/gettext.*` | `gettext-go.*` | +| `gettext-go/gettext.DefaultLocal` | `gettext-go.DefaultLanguage`| +| `gettext-go/gettext.BindTextdomain`| `gettext-go.BindLocale` | +| `gettext-go/gettext.Textdomain` | `gettext-go.SetDomain` | +| `gettext-go/gettext.SetLocale` | `gettext-go.SetLanguage` | +| `gettext-go/gettext/po.Load` | `gettext-go/po.LoadFile` | +| `gettext-go/gettext/po.LoadData` | `gettext-go/po.Load` | +| `gettext-go/gettext/mo.Load` | `gettext-go/mo.LoadFile` | +| `gettext-go/gettext/mo.LoadData` | `gettext-go/mo.Load` | + +### Use empty string as the default context for `gettext.Gettext` + +```go +package main + +// v0.1.0 +// if the **context** missing, use `callerName(2)` as the context: + +// v1.0.0 +// if the **context** missing, use empty string as the context: + +func main() { + gettext.Gettext("hello") + // v0.1.0 => gettext.PGettext("main.main", "hello") + // v1.0.0 => gettext.PGettext("", "hello") + + gettext.DGettext("domain", "hello") + // v0.1.0 => gettext.DPGettext("domain", "main.main", "hello") + // v1.0.0 => gettext.DPGettext("domain", "", "hello") + + gettext.NGettext("domain", "hello", "hello2", n) + // v0.1.0 => gettext.PNGettext("domain", "main.main", "hello", "hello2", n) + // v1.0.0 => gettext.PNGettext("domain", "", "hello", "hello2", n) + + gettext.DNGettext("domain", "hello", "hello2", n) + // v0.1.0 => gettext.DPNGettext("domain", "main.main", "hello", "hello2", n) + // v1.0.0 => gettext.DPNGettext("domain", "", "hello", "hello2", n) +} +``` + +### `BindLocale` support `FileSystem` interface + +```go +// Use FileSystem: +// BindLocale(New("poedit", "name", OS("path/to/dir"))) // bind "poedit" domain +// BindLocale(New("poedit", "name", OS("path/to.zip"))) // bind "poedit" domain +``` + +## New API in v1.0.0 + +`Gettexter` interface: + +```go +type Gettexter interface { + FileSystem() FileSystem + + GetDomain() string + SetDomain(domain string) Gettexter + + GetLanguage() string + SetLanguage(lang string) Gettexter + + Gettext(msgid string) string + PGettext(msgctxt, msgid string) string + + NGettext(msgid, msgidPlural string, n int) string + PNGettext(msgctxt, msgid, msgidPlural string, n int) string + + DGettext(domain, msgid string) string + DPGettext(domain, msgctxt, msgid string) string + DNGettext(domain, msgid, msgidPlural string, n int) string + DPNGettext(domain, msgctxt, msgid, msgidPlural string, n int) string + + Getdata(name string) []byte + DGetdata(domain, name string) []byte +} + +func New(domain, path string, data ...interface{}) Gettexter +``` + +`FileSystem` interface: + +```go +type FileSystem interface { + LocaleList() []string + LoadMessagesFile(domain, lang, ext string) ([]byte, error) + LoadResourceFile(domain, lang, name string) ([]byte, error) + String() string +} + +func NewFS(name string, x interface{}) FileSystem +func OS(root string) FileSystem +func ZipFS(r *zip.Reader, name string) FileSystem +func NilFS(name string) FileSystem +``` + +---- + +## BUGS + +Please report bugs to . + +Thanks! diff --git a/vendor/github.com/chai2010/gettext-go/doc.go b/vendor/github.com/chai2010/gettext-go/doc.go new file mode 100644 index 0000000000..50dfea3305 --- /dev/null +++ b/vendor/github.com/chai2010/gettext-go/doc.go @@ -0,0 +1,67 @@ +// Copyright 2013 . All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +/* +Package gettext implements a basic GNU's gettext library. + +Example: + import ( + "github.com/chai2010/gettext-go" + ) + + func main() { + gettext.SetLanguage("zh_CN") + + // gettext.BindLocale(gettext.New("hello", "locale")) // from locale dir + // gettext.BindLocale(gettext.New("hello", "locale.zip")) // from locale zip file + // gettext.BindLocale(gettext.New("hello", "locale.zip", zipData)) // from embedded zip data + + gettext.BindLocale(gettext.New("hello", "locale")) + + // translate source text + fmt.Println(gettext.Gettext("Hello, world!")) + // Output: 你好, 世界! + + // translate resource + fmt.Println(string(gettext.Getdata("poems.txt"))) + // Output: ... + } + +Translate directory struct("./examples/locale.zip"): + + Root: "path" or "file.zip/zipBaseName" + +-default # locale: $(LC_MESSAGES) or $(LANG) or "default" + | +-LC_MESSAGES # just for `gettext.Gettext` + | | +-hello.mo # $(Root)/$(lang)/LC_MESSAGES/$(domain).mo + | | +-hello.po # $(Root)/$(lang)/LC_MESSAGES/$(domain).po + | | \-hello.json # $(Root)/$(lang)/LC_MESSAGES/$(domain).json + | | + | \-LC_RESOURCE # just for `gettext.Getdata` + | +-hello # domain map a dir in resource translate + | +-favicon.ico # $(Root)/$(lang)/LC_RESOURCE/$(domain)/$(filename) + | \-poems.txt + | + \-zh_CN # simple chinese translate + +-LC_MESSAGES + | +-hello.po # try "$(domain).po" first + | +-hello.mo # try "$(domain).mo" second + | \-hello.json # try "$(domain).json" third + | + \-LC_RESOURCE + +-hello + +-favicon.ico # $(lang)/$(domain)/favicon.ico + \-poems.txt # $(lang)/$(domain)/poems.txt + +See: + http://en.wikipedia.org/wiki/Gettext + http://www.gnu.org/software/gettext/manual/html_node + http://www.gnu.org/software/gettext/manual/html_node/Header-Entry.html + http://www.gnu.org/software/gettext/manual/html_node/PO-Files.html + http://www.gnu.org/software/gettext/manual/html_node/MO-Files.html + http://www.poedit.net/ + +Please report bugs to . +Thanks! +*/ +package gettext diff --git a/vendor/github.com/chai2010/gettext-go/fs.go b/vendor/github.com/chai2010/gettext-go/fs.go new file mode 100644 index 0000000000..4e66fae7c6 --- /dev/null +++ b/vendor/github.com/chai2010/gettext-go/fs.go @@ -0,0 +1,84 @@ +// Copyright 2013 ChaiShushan . All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package gettext + +import ( + "archive/zip" + "bytes" + "fmt" +) + +type FileSystem interface { + LocaleList() []string + LoadMessagesFile(domain, lang, ext string) ([]byte, error) + LoadResourceFile(domain, lang, name string) ([]byte, error) + String() string +} + +func NewFS(name string, x interface{}) FileSystem { + if x == nil { + if name != "" { + return OS(name) + } + return NilFS(name) + } + + switch x := x.(type) { + case []byte: + if len(x) == 0 { + return OS(name) + } + if r, err := zip.NewReader(bytes.NewReader(x), int64(len(x))); err == nil { + return ZipFS(r, name) + } + if fs, err := newJson(x, name); err == nil { + return fs + } + case string: + if len(x) == 0 { + return OS(name) + } + if r, err := zip.NewReader(bytes.NewReader([]byte(x)), int64(len(x))); err == nil { + return ZipFS(r, name) + } + if fs, err := newJson([]byte(x), name); err == nil { + return fs + } + case FileSystem: + return x + } + + return NilFS(name) +} + +func OS(root string) FileSystem { + return newOsFS(root) +} + +func ZipFS(r *zip.Reader, name string) FileSystem { + return newZipFS(r, name) +} + +func NilFS(name string) FileSystem { + return &nilFS{name} +} + +type nilFS struct { + name string +} + +func (p *nilFS) LocaleList() []string { + return nil +} + +func (p *nilFS) LoadMessagesFile(domain, lang, ext string) ([]byte, error) { + return nil, fmt.Errorf("not found") +} +func (p *nilFS) LoadResourceFile(domain, lang, name string) ([]byte, error) { + return nil, fmt.Errorf("not found") +} +func (p *nilFS) String() string { + return "gettext.nilfs(" + p.name + ")" +} diff --git a/vendor/github.com/chai2010/gettext-go/fs_json.go b/vendor/github.com/chai2010/gettext-go/fs_json.go new file mode 100644 index 0000000000..c7138c9954 --- /dev/null +++ b/vendor/github.com/chai2010/gettext-go/fs_json.go @@ -0,0 +1,66 @@ +// Copyright 2020 ChaiShushan . All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package gettext + +import ( + "encoding/json" + "fmt" + "sort" +) + +type jsonFS struct { + name string + x map[string]struct { + LC_MESSAGES map[string][]struct { + MsgContext string `json:"msgctxt"` // msgctxt context + MsgId string `json:"msgid"` // msgid untranslated-string + MsgIdPlural string `json:"msgid_plural"` // msgid_plural untranslated-string-plural + MsgStr []string `json:"msgstr"` // msgstr translated-string + } + LC_RESOURCE map[string]map[string]string + } +} + +func isJsonData() bool { + return false +} + +func newJson(jsonData []byte, name string) (*jsonFS, error) { + p := &jsonFS{name: name} + if err := json.Unmarshal(jsonData, &p.x); err != nil { + return nil, err + } + + return p, nil +} + +func (p *jsonFS) LocaleList() []string { + var ss []string + for lang := range p.x { + ss = append(ss, lang) + } + sort.Strings(ss) + return ss +} + +func (p *jsonFS) LoadMessagesFile(domain, lang, ext string) ([]byte, error) { + if v, ok := p.x[lang]; ok { + if v, ok := v.LC_MESSAGES[domain+ext]; ok { + return json.Marshal(v) + } + } + return nil, fmt.Errorf("not found") +} +func (p *jsonFS) LoadResourceFile(domain, lang, name string) ([]byte, error) { + if v, ok := p.x[lang]; ok { + if v, ok := v.LC_RESOURCE[domain]; ok { + return []byte(v[name]), nil + } + } + return nil, fmt.Errorf("not found") +} +func (p *jsonFS) String() string { + return "gettext.nilfs(" + p.name + ")" +} diff --git a/vendor/github.com/chai2010/gettext-go/fs_os.go b/vendor/github.com/chai2010/gettext-go/fs_os.go new file mode 100644 index 0000000000..80d4f51bac --- /dev/null +++ b/vendor/github.com/chai2010/gettext-go/fs_os.go @@ -0,0 +1,91 @@ +// Copyright 2013 ChaiShushan . All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package gettext + +import ( + "archive/zip" + "bytes" + "fmt" + "io/ioutil" + "os" + "sort" + "strings" +) + +type osFS struct { + root string +} + +func newOsFS(root string) FileSystem { + // locale zip file + if fi, err := os.Stat(root); err == nil && !fi.IsDir() { + if strings.HasSuffix(strings.ToLower(root), ".zip") { + if x, err := ioutil.ReadFile(root); err == nil { + if r, err := zip.NewReader(bytes.NewReader(x), int64(len(x))); err == nil { + return ZipFS(r, root) + } + } + } + if strings.HasSuffix(strings.ToLower(root), ".json") { + if x, err := ioutil.ReadFile(root); err == nil { + if fs, err := newJson(x, root); err == nil { + return fs + } + } + } + } + + // locale dir + return &osFS{root: root} +} + +func (p *osFS) LocaleList() []string { + list, err := ioutil.ReadDir(p.root) + if err != nil { + return nil + } + ssMap := make(map[string]bool) + for _, dir := range list { + if dir.IsDir() { + ssMap[dir.Name()] = true + } + } + var locales = make([]string, 0, len(ssMap)) + for s := range ssMap { + locales = append(locales, s) + } + sort.Strings(locales) + return locales +} + +func (p *osFS) LoadMessagesFile(domain, locale, ext string) ([]byte, error) { + trName := p.makeMessagesFileName(domain, locale, ext) + rcData, err := ioutil.ReadFile(trName) + if err != nil { + return nil, err + } + return rcData, nil +} + +func (p *osFS) LoadResourceFile(domain, locale, name string) ([]byte, error) { + rcName := p.makeResourceFileName(domain, locale, name) + rcData, err := ioutil.ReadFile(rcName) + if err != nil { + return nil, err + } + return rcData, nil +} + +func (p *osFS) String() string { + return "gettext.localfs(" + p.root + ")" +} + +func (p *osFS) makeMessagesFileName(domain, lang, ext string) string { + return fmt.Sprintf("%s/%s/LC_MESSAGES/%s%s", p.root, lang, domain, ext) +} + +func (p *osFS) makeResourceFileName(domain, lang, name string) string { + return fmt.Sprintf("%s/%s/LC_RESOURCE/%s/%s", p.root, lang, domain, name) +} diff --git a/vendor/github.com/chai2010/gettext-go/fs_zip.go b/vendor/github.com/chai2010/gettext-go/fs_zip.go new file mode 100644 index 0000000000..61eb8359da --- /dev/null +++ b/vendor/github.com/chai2010/gettext-go/fs_zip.go @@ -0,0 +1,142 @@ +// Copyright 2013 ChaiShushan . All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package gettext + +import ( + "archive/zip" + "fmt" + "io/ioutil" + "sort" + "strings" +) + +type zipFS struct { + root string + name string + r *zip.Reader +} + +func newZipFS(r *zip.Reader, name string) *zipFS { + fs := &zipFS{r: r, name: name} + fs.root = fs.zipRoot() + return fs +} + +func (p *zipFS) zipName() string { + name := p.name + if x := strings.LastIndexAny(name, `\/`); x != -1 { + name = name[x+1:] + } + name = strings.TrimSuffix(name, ".zip") + return name +} + +func (p *zipFS) zipRoot() string { + var somepath string + for _, f := range p.r.File { + if x := strings.Index(f.Name, "LC_MESSAGES"); x != -1 { + somepath = f.Name + } + if x := strings.Index(f.Name, "LC_RESOURCE"); x != -1 { + somepath = f.Name + } + } + if somepath == "" { + return p.zipName() + } + + ss := strings.Split(somepath, "/") + for i, s := range ss { + // $(root)/$(lang)/LC_MESSAGES + // $(root)/$(lang)/LC_RESOURCE + if (s == "LC_MESSAGES" || s == "LC_RESOURCE") && i >= 2 { + return strings.Join(ss[:i-1], "/") + } + } + + return p.zipName() +} + +func (p *zipFS) LocaleList() []string { + var locals []string + for s := range p.lsZip(p.r) { + locals = append(locals, s) + } + sort.Strings(locals) + return locals +} + +func (p *zipFS) LoadMessagesFile(domain, lang, ext string) ([]byte, error) { + trName := p.makeMessagesFileName(domain, lang, ext) + for _, f := range p.r.File { + if f.Name != trName { + continue + } + rc, err := f.Open() + if err != nil { + return nil, err + } + rcData, err := ioutil.ReadAll(rc) + rc.Close() + return rcData, err + } + return nil, fmt.Errorf("not found") +} + +func (p *zipFS) LoadResourceFile(domain, lang, name string) ([]byte, error) { + rcName := p.makeResourceFileName(domain, lang, name) + for _, f := range p.r.File { + if f.Name != rcName { + continue + } + rc, err := f.Open() + if err != nil { + return nil, err + } + rcData, err := ioutil.ReadAll(rc) + rc.Close() + return rcData, err + } + return nil, fmt.Errorf("not found") +} + +func (p *zipFS) String() string { + return "gettext.zipfs(" + p.name + ")" +} + +func (p *zipFS) makeMessagesFileName(domain, lang, ext string) string { + return fmt.Sprintf("%s/%s/LC_MESSAGES/%s%s", p.root, lang, domain, ext) +} + +func (p *zipFS) makeResourceFileName(domain, lang, name string) string { + return fmt.Sprintf("%s/%s/LC_RESOURCE/%s/%s", p.root, lang, domain, name) +} + +func (p *zipFS) lsZip(r *zip.Reader) map[string]bool { + ssMap := make(map[string]bool) + for _, f := range r.File { + if x := strings.Index(f.Name, "LC_MESSAGES"); x != -1 { + s := strings.TrimRight(f.Name[:x], `\/`) + if x = strings.LastIndexAny(s, `\/`); x != -1 { + s = s[x+1:] + } + if s != "" { + ssMap[s] = true + } + continue + } + if x := strings.Index(f.Name, "LC_RESOURCE"); x != -1 { + s := strings.TrimRight(f.Name[:x], `\/`) + if x = strings.LastIndexAny(s, `\/`); x != -1 { + s = s[x+1:] + } + if s != "" { + ssMap[s] = true + } + continue + } + } + return ssMap +} diff --git a/vendor/github.com/chai2010/gettext-go/gettext.go b/vendor/github.com/chai2010/gettext-go/gettext.go new file mode 100644 index 0000000000..7747188ab4 --- /dev/null +++ b/vendor/github.com/chai2010/gettext-go/gettext.go @@ -0,0 +1,219 @@ +// Copyright 2013 ChaiShushan . All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package gettext + +var ( + DefaultLanguage string = getDefaultLanguage() // use $(LC_MESSAGES) or $(LANG) or "default" +) + +type Gettexter interface { + FileSystem() FileSystem + + GetDomain() string + SetDomain(domain string) Gettexter + + GetLanguage() string + SetLanguage(lang string) Gettexter + + Gettext(msgid string) string + PGettext(msgctxt, msgid string) string + + NGettext(msgid, msgidPlural string, n int) string + PNGettext(msgctxt, msgid, msgidPlural string, n int) string + + DGettext(domain, msgid string) string + DPGettext(domain, msgctxt, msgid string) string + DNGettext(domain, msgid, msgidPlural string, n int) string + DPNGettext(domain, msgctxt, msgid, msgidPlural string, n int) string + + Getdata(name string) []byte + DGetdata(domain, name string) []byte +} + +// New create Interface use default language. +func New(domain, path string, data ...interface{}) Gettexter { + return newLocale(domain, path, data...) +} + +var defaultGettexter struct { + lang string + domain string + Gettexter +} + +func init() { + defaultGettexter.lang = getDefaultLanguage() + defaultGettexter.domain = "default" + defaultGettexter.Gettexter = newLocale("", "") +} + +// BindLocale sets and queries program's domains. +// +// Examples: +// BindLocale(New("poedit", "locale")) // bind "poedit" domain +// +// Use zip file: +// BindLocale(New("poedit", "locale.zip")) // bind "poedit" domain +// BindLocale(New("poedit", "locale.zip", zipData)) // bind "poedit" domain +// +// Use FileSystem: +// BindLocale(New("poedit", "name", OS("path/to/dir"))) // bind "poedit" domain +// BindLocale(New("poedit", "name", OS("path/to.zip"))) // bind "poedit" domain +// +func BindLocale(g Gettexter) { + if g != nil { + defaultGettexter.Gettexter = g + defaultGettexter.SetLanguage(defaultGettexter.lang) + } else { + defaultGettexter.Gettexter = newLocale("", "") + defaultGettexter.SetLanguage(defaultGettexter.lang) + } +} + +// SetLanguage sets and queries the program's current lang. +// +// If the lang is not empty string, set the new locale. +// +// If the lang is empty string, don't change anything. +// +// Returns is the current locale. +// +// Examples: +// SetLanguage("") // get locale: return DefaultLocale +// SetLanguage("zh_CN") // set locale: return zh_CN +// SetLanguage("") // get locale: return zh_CN +func SetLanguage(lang string) string { + defaultGettexter.SetLanguage(lang) + return defaultGettexter.GetLanguage() +} + +// SetDomain sets and retrieves the current message domain. +// +// If the domain is not empty string, set the new domains. +// +// If the domain is empty string, don't change anything. +// +// Returns is the all used domains. +// +// Examples: +// SetDomain("poedit") // set domain: poedit +// SetDomain("") // get domain: return poedit +func SetDomain(domain string) string { + defaultGettexter.SetDomain(domain) + return defaultGettexter.GetDomain() +} + +// Gettext attempt to translate a text string into the user's native language, +// by looking up the translation in a message catalog. +// +// It use the caller's function name as the msgctxt. +// +// Examples: +// func Foo() { +// msg := gettext.Gettext("Hello") // msgctxt is "" +// } +func Gettext(msgid string) string { + return defaultGettexter.Gettext(msgid) +} + +// Getdata attempt to translate a resource file into the user's native language, +// by looking up the translation in a message catalog. +// +// Examples: +// func Foo() { +// Textdomain("hello") +// BindLocale("hello", "locale.zip", nilOrZipData) +// poems := gettext.Getdata("poems.txt") +// } +func Getdata(name string) []byte { + return defaultGettexter.Getdata(name) +} + +// NGettext attempt to translate a text string into the user's native language, +// by looking up the appropriate plural form of the translation in a message +// catalog. +// +// It use the caller's function name as the msgctxt. +// +// Examples: +// func Foo() { +// msg := gettext.NGettext("%d people", "%d peoples", 2) +// } +func NGettext(msgid, msgidPlural string, n int) string { + return defaultGettexter.NGettext(msgid, msgidPlural, n) +} + +// PGettext attempt to translate a text string into the user's native language, +// by looking up the translation in a message catalog. +// +// Examples: +// func Foo() { +// msg := gettext.PGettext("gettext-go.example", "Hello") // msgctxt is "gettext-go.example" +// } +func PGettext(msgctxt, msgid string) string { + return defaultGettexter.PGettext(msgctxt, msgid) +} + +// PNGettext attempt to translate a text string into the user's native language, +// by looking up the appropriate plural form of the translation in a message +// catalog. +// +// Examples: +// func Foo() { +// msg := gettext.PNGettext("gettext-go.example", "%d people", "%d peoples", 2) +// } +func PNGettext(msgctxt, msgid, msgidPlural string, n int) string { + return defaultGettexter.PNGettext(msgctxt, msgid, msgidPlural, n) +} + +// DGettext like Gettext(), but looking up the message in the specified domain. +// +// Examples: +// func Foo() { +// msg := gettext.DGettext("poedit", "Hello") +// } +func DGettext(domain, msgid string) string { + return defaultGettexter.DGettext(domain, msgid) +} + +// DNGettext like NGettext(), but looking up the message in the specified domain. +// +// Examples: +// func Foo() { +// msg := gettext.PNGettext("poedit", "gettext-go.example", "%d people", "%d peoples", 2) +// } +func DNGettext(domain, msgid, msgidPlural string, n int) string { + return defaultGettexter.DNGettext(domain, msgid, msgidPlural, n) +} + +// DPGettext like PGettext(), but looking up the message in the specified domain. +// +// Examples: +// func Foo() { +// msg := gettext.DPGettext("poedit", "gettext-go.example", "Hello") +// } +func DPGettext(domain, msgctxt, msgid string) string { + return defaultGettexter.DPGettext(domain, msgctxt, msgid) +} + +// DPNGettext like PNGettext(), but looking up the message in the specified domain. +// +// Examples: +// func Foo() { +// msg := gettext.DPNGettext("poedit", "gettext-go.example", "%d people", "%d peoples", 2) +// } +func DPNGettext(domain, msgctxt, msgid, msgidPlural string, n int) string { + return defaultGettexter.DPNGettext(domain, msgctxt, msgid, msgidPlural, n) +} + +// DGetdata like Getdata(), but looking up the resource in the specified domain. +// +// Examples: +// func Foo() { +// msg := gettext.DGetdata("hello", "poems.txt") +// } +func DGetdata(domain, name string) []byte { + return defaultGettexter.DGetdata(domain, name) +} diff --git a/vendor/github.com/chai2010/gettext-go/locale.go b/vendor/github.com/chai2010/gettext-go/locale.go new file mode 100644 index 0000000000..e7a2d4b37b --- /dev/null +++ b/vendor/github.com/chai2010/gettext-go/locale.go @@ -0,0 +1,205 @@ +// Copyright 2020 ChaiShushan . All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package gettext + +import ( + "fmt" + "sync" +) + +type _Locale struct { + mutex sync.Mutex + fs FileSystem + lang string + domain string + trMap map[string]*translator + trCurrent *translator +} + +var _ Gettexter = (*_Locale)(nil) + +func newLocale(domain, path string, data ...interface{}) *_Locale { + if domain == "" { + domain = "default" + } + p := &_Locale{ + lang: DefaultLanguage, + domain: domain, + } + if len(data) > 0 { + p.fs = NewFS(path, data[0]) + } else { + p.fs = NewFS(path, nil) + } + + p.syncTrMap() + return p +} + +func (p *_Locale) makeTrMapKey(domain, _Locale string) string { + return domain + "_$$$_" + _Locale +} + +func (p *_Locale) FileSystem() FileSystem { + return p.fs +} + +func (p *_Locale) GetLanguage() string { + p.mutex.Lock() + defer p.mutex.Unlock() + + return p.lang +} +func (p *_Locale) SetLanguage(lang string) Gettexter { + p.mutex.Lock() + defer p.mutex.Unlock() + + if lang == "" { + lang = DefaultLanguage + } + if lang == p.lang { + return p + } + + p.lang = lang + p.syncTrMap() + return p +} + +func (p *_Locale) GetDomain() string { + p.mutex.Lock() + defer p.mutex.Unlock() + return p.domain +} + +func (p *_Locale) SetDomain(domain string) Gettexter { + p.mutex.Lock() + defer p.mutex.Unlock() + + if domain == "" || domain == p.domain { + return p + } + + p.domain = domain + p.syncTrMap() + return p +} + +func (p *_Locale) syncTrMap() { + p.trMap = make(map[string]*translator) + trMapKey := p.makeTrMapKey(p.domain, p.lang) + + if tr, ok := p.trMap[trMapKey]; ok { + p.trCurrent = tr + return + } + + // try load po file + if data, err := p.fs.LoadMessagesFile(p.domain, p.lang, ".po"); err == nil { + if tr, err := newPoTranslator(fmt.Sprintf("%s_%s.po", p.domain, p.lang), data); err == nil { + p.trMap[trMapKey] = tr + p.trCurrent = tr + return + } + } + + // try load mo file + if data, err := p.fs.LoadMessagesFile(p.domain, p.lang, ".mo"); err == nil { + if tr, err := newMoTranslator(fmt.Sprintf("%s_%s.mo", p.domain, p.lang), data); err == nil { + p.trMap[trMapKey] = tr + p.trCurrent = tr + return + } + } + + // try load json file + if data, err := p.fs.LoadMessagesFile(p.domain, p.lang, ".json"); err == nil { + if tr, err := newJsonTranslator(p.lang, fmt.Sprintf("%s_%s.json", p.domain, p.lang), data); err == nil { + p.trMap[trMapKey] = tr + p.trCurrent = tr + return + } + } + + // no po/mo file + p.trMap[trMapKey] = nilTranslator + p.trCurrent = nilTranslator + return +} + +func (p *_Locale) Gettext(msgid string) string { + p.mutex.Lock() + defer p.mutex.Unlock() + return p.trCurrent.PGettext("", msgid) +} + +func (p *_Locale) PGettext(msgctxt, msgid string) string { + p.mutex.Lock() + defer p.mutex.Unlock() + return p.trCurrent.PGettext(msgctxt, msgid) +} + +func (p *_Locale) NGettext(msgid, msgidPlural string, n int) string { + p.mutex.Lock() + defer p.mutex.Unlock() + return p.trCurrent.PNGettext("", msgid, msgidPlural, n) +} + +func (p *_Locale) PNGettext(msgctxt, msgid, msgidPlural string, n int) string { + p.mutex.Lock() + defer p.mutex.Unlock() + return p.trCurrent.PNGettext(msgctxt, msgid, msgidPlural, n) +} + +func (p *_Locale) DGettext(domain, msgid string) string { + p.mutex.Lock() + defer p.mutex.Unlock() + return p.gettext(domain, "", msgid, "", 0) +} + +func (p *_Locale) DNGettext(domain, msgid, msgidPlural string, n int) string { + p.mutex.Lock() + defer p.mutex.Unlock() + return p.gettext(domain, "", msgid, msgidPlural, n) +} + +func (p *_Locale) DPGettext(domain, msgctxt, msgid string) string { + p.mutex.Lock() + defer p.mutex.Unlock() + return p.gettext(domain, msgctxt, msgid, "", 0) +} + +func (p *_Locale) DPNGettext(domain, msgctxt, msgid, msgidPlural string, n int) string { + p.mutex.Lock() + defer p.mutex.Unlock() + return p.gettext(domain, msgctxt, msgid, msgidPlural, n) +} + +func (p *_Locale) Getdata(name string) []byte { + return p.getdata(p.domain, name) +} + +func (p *_Locale) DGetdata(domain, name string) []byte { + return p.getdata(domain, name) +} + +func (p *_Locale) gettext(domain, msgctxt, msgid, msgidPlural string, n int) string { + if f, ok := p.trMap[p.makeTrMapKey(domain, p.lang)]; ok { + return f.PNGettext(msgctxt, msgid, msgidPlural, n) + } + return msgid +} + +func (p *_Locale) getdata(domain, name string) []byte { + if data, err := p.fs.LoadResourceFile(domain, p.lang, name); err == nil { + return data + } + if p.lang != "default" { + if data, err := p.fs.LoadResourceFile(domain, "default", name); err == nil { + return data + } + } + return nil +} diff --git a/vendor/github.com/chai2010/gettext-go/mo/doc.go b/vendor/github.com/chai2010/gettext-go/mo/doc.go new file mode 100644 index 0000000000..5fefc18930 --- /dev/null +++ b/vendor/github.com/chai2010/gettext-go/mo/doc.go @@ -0,0 +1,74 @@ +// Copyright 2013 ChaiShushan . All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +/* +Package mo provides support for reading and writing GNU MO file. + +Examples: + import ( + "github.com/chai2010/gettext-go/mo" + ) + + func main() { + moFile, err := mo.LoadFile("test.mo") + if err != nil { + log.Fatal(err) + } + fmt.Printf("%v", moFile) + } + +GNU MO file struct: + + byte + +------------------------------------------+ + 0 | magic number = 0x950412de | + | | + 4 | file format revision = 0 | + | | + 8 | number of strings | == N + | | + 12 | offset of table with original strings | == O + | | + 16 | offset of table with translation strings | == T + | | + 20 | size of hashing table | == S + | | + 24 | offset of hashing table | == H + | | + . . + . (possibly more entries later) . + . . + | | + O | length & offset 0th string ----------------. + O + 8 | length & offset 1st string ------------------. + ... ... | | + O + ((N-1)*8)| length & offset (N-1)th string | | | + | | | | + T | length & offset 0th translation ---------------. + T + 8 | length & offset 1st translation -----------------. + ... ... | | | | + T + ((N-1)*8)| length & offset (N-1)th translation | | | | | + | | | | | | + H | start hash table | | | | | + ... ... | | | | + H + S * 4 | end hash table | | | | | + | | | | | | + | NUL terminated 0th string <----------------' | | | + | | | | | + | NUL terminated 1st string <------------------' | | + | | | | + ... ... | | + | | | | + | NUL terminated 0th translation <---------------' | + | | | + | NUL terminated 1st translation <-----------------' + | | + ... ... + | | + +------------------------------------------+ + +The GNU MO file specification is at +http://www.gnu.org/software/gettext/manual/html_node/MO-Files.html. +*/ +package mo diff --git a/vendor/github.com/chai2010/gettext-go/mo/encoder.go b/vendor/github.com/chai2010/gettext-go/mo/encoder.go new file mode 100644 index 0000000000..f953fd3cb8 --- /dev/null +++ b/vendor/github.com/chai2010/gettext-go/mo/encoder.go @@ -0,0 +1,105 @@ +// Copyright 2013 ChaiShushan . All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package mo + +import ( + "bytes" + "encoding/binary" + "sort" + "strings" +) + +type moHeader struct { + MagicNumber uint32 + MajorVersion uint16 + MinorVersion uint16 + MsgIdCount uint32 + MsgIdOffset uint32 + MsgStrOffset uint32 + HashSize uint32 + HashOffset uint32 +} + +type moStrPos struct { + Size uint32 // must keep fields order + Addr uint32 +} + +func encodeFile(f *File) []byte { + hdr := &moHeader{ + MagicNumber: MoMagicLittleEndian, + } + data := encodeData(hdr, f) + data = append(encodeHeader(hdr), data...) + return data +} + +// encode data and init moHeader +func encodeData(hdr *moHeader, f *File) []byte { + msgList := []Message{f.MimeHeader.toMessage()} + for _, v := range f.Messages { + if len(v.MsgId) == 0 { + continue + } + if len(v.MsgStr) == 0 && len(v.MsgStrPlural) == 0 { + continue + } + msgList = append(msgList, v) + } + sort.Slice(msgList, func(i, j int) bool { + return msgList[i].less(&msgList[j]) + }) + + var buf bytes.Buffer + var msgIdPosList = make([]moStrPos, len(msgList)) + var msgStrPosList = make([]moStrPos, len(msgList)) + for i, v := range msgList { + // write msgid + msgId := encodeMsgId(v) + msgIdPosList[i].Addr = uint32(buf.Len() + MoHeaderSize) + msgIdPosList[i].Size = uint32(len(msgId)) + buf.WriteString(msgId) + // write msgstr + msgStr := encodeMsgStr(v) + msgStrPosList[i].Addr = uint32(buf.Len() + MoHeaderSize) + msgStrPosList[i].Size = uint32(len(msgStr)) + buf.WriteString(msgStr) + } + + hdr.MsgIdOffset = uint32(buf.Len() + MoHeaderSize) + binary.Write(&buf, binary.LittleEndian, msgIdPosList) + hdr.MsgStrOffset = uint32(buf.Len() + MoHeaderSize) + binary.Write(&buf, binary.LittleEndian, msgStrPosList) + + hdr.MsgIdCount = uint32(len(msgList)) + return buf.Bytes() +} + +// must called after encodeData +func encodeHeader(hdr *moHeader) []byte { + var buf bytes.Buffer + binary.Write(&buf, binary.LittleEndian, hdr) + return buf.Bytes() +} + +func encodeMsgId(v Message) string { + if v.MsgContext != "" && v.MsgIdPlural != "" { + return v.MsgContext + EotSeparator + v.MsgId + NulSeparator + v.MsgIdPlural + } + if v.MsgContext != "" && v.MsgIdPlural == "" { + return v.MsgContext + EotSeparator + v.MsgId + } + if v.MsgContext == "" && v.MsgIdPlural != "" { + return v.MsgId + NulSeparator + v.MsgIdPlural + } + return v.MsgId +} + +func encodeMsgStr(v Message) string { + if v.MsgIdPlural != "" { + return strings.Join(v.MsgStrPlural, NulSeparator) + } + return v.MsgStr +} diff --git a/vendor/github.com/chai2010/gettext-go/mo/file.go b/vendor/github.com/chai2010/gettext-go/mo/file.go new file mode 100644 index 0000000000..6f7ed161c1 --- /dev/null +++ b/vendor/github.com/chai2010/gettext-go/mo/file.go @@ -0,0 +1,197 @@ +// Copyright 2013 ChaiShushan . All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package mo + +import ( + "bytes" + "encoding/binary" + "fmt" + "io/ioutil" + "strings" +) + +const ( + MoHeaderSize = 28 + MoMagicLittleEndian = 0x950412de + MoMagicBigEndian = 0xde120495 + + EotSeparator = "\x04" // msgctxt and msgid separator + NulSeparator = "\x00" // msgid and msgstr separator +) + +// File represents an MO File. +// +// See http://www.gnu.org/software/gettext/manual/html_node/MO-Files.html +type File struct { + MagicNumber uint32 + MajorVersion uint16 + MinorVersion uint16 + MsgIdCount uint32 + MsgIdOffset uint32 + MsgStrOffset uint32 + HashSize uint32 + HashOffset uint32 + MimeHeader Header + Messages []Message +} + +// Load loads mo file format data. +func Load(data []byte) (*File, error) { + return loadData(data) +} + +// Load loads a named mo file. +func LoadFile(path string) (*File, error) { + data, err := ioutil.ReadFile(path) + if err != nil { + return nil, err + } + return loadData(data) +} + +func loadData(data []byte) (*File, error) { + r := bytes.NewReader(data) + + var magicNumber uint32 + if err := binary.Read(r, binary.LittleEndian, &magicNumber); err != nil { + return nil, fmt.Errorf("gettext: %v", err) + } + var bo binary.ByteOrder + switch magicNumber { + case MoMagicLittleEndian: + bo = binary.LittleEndian + case MoMagicBigEndian: + bo = binary.BigEndian + default: + return nil, fmt.Errorf("gettext: %v", "invalid magic number") + } + + var header struct { + MajorVersion uint16 + MinorVersion uint16 + MsgIdCount uint32 + MsgIdOffset uint32 + MsgStrOffset uint32 + HashSize uint32 + HashOffset uint32 + } + if err := binary.Read(r, bo, &header); err != nil { + return nil, fmt.Errorf("gettext: %v", err) + } + if v := header.MajorVersion; v != 0 && v != 1 { + return nil, fmt.Errorf("gettext: %v", "invalid version number") + } + if v := header.MinorVersion; v != 0 && v != 1 { + return nil, fmt.Errorf("gettext: %v", "invalid version number") + } + + msgIdStart := make([]uint32, header.MsgIdCount) + msgIdLen := make([]uint32, header.MsgIdCount) + if _, err := r.Seek(int64(header.MsgIdOffset), 0); err != nil { + return nil, fmt.Errorf("gettext: %v", err) + } + for i := 0; i < int(header.MsgIdCount); i++ { + if err := binary.Read(r, bo, &msgIdLen[i]); err != nil { + return nil, fmt.Errorf("gettext: %v", err) + } + if err := binary.Read(r, bo, &msgIdStart[i]); err != nil { + return nil, fmt.Errorf("gettext: %v", err) + } + } + + msgStrStart := make([]int32, header.MsgIdCount) + msgStrLen := make([]int32, header.MsgIdCount) + if _, err := r.Seek(int64(header.MsgStrOffset), 0); err != nil { + return nil, fmt.Errorf("gettext: %v", err) + } + for i := 0; i < int(header.MsgIdCount); i++ { + if err := binary.Read(r, bo, &msgStrLen[i]); err != nil { + return nil, fmt.Errorf("gettext: %v", err) + } + if err := binary.Read(r, bo, &msgStrStart[i]); err != nil { + return nil, fmt.Errorf("gettext: %v", err) + } + } + + file := &File{ + MagicNumber: magicNumber, + MajorVersion: header.MajorVersion, + MinorVersion: header.MinorVersion, + MsgIdCount: header.MsgIdCount, + MsgIdOffset: header.MsgIdOffset, + MsgStrOffset: header.MsgStrOffset, + HashSize: header.HashSize, + HashOffset: header.HashOffset, + } + for i := 0; i < int(header.MsgIdCount); i++ { + if _, err := r.Seek(int64(msgIdStart[i]), 0); err != nil { + return nil, fmt.Errorf("gettext: %v", err) + } + msgIdData := make([]byte, msgIdLen[i]) + if _, err := r.Read(msgIdData); err != nil { + return nil, fmt.Errorf("gettext: %v", err) + } + + if _, err := r.Seek(int64(msgStrStart[i]), 0); err != nil { + return nil, fmt.Errorf("gettext: %v", err) + } + msgStrData := make([]byte, msgStrLen[i]) + if _, err := r.Read(msgStrData); err != nil { + return nil, fmt.Errorf("gettext: %v", err) + } + + if len(msgIdData) == 0 { + var msg = Message{ + MsgId: string(msgIdData), + MsgStr: string(msgStrData), + } + file.MimeHeader.fromMessage(&msg) + } else { + var msg = Message{ + MsgId: string(msgIdData), + MsgStr: string(msgStrData), + } + // Is this a context message? + if idx := strings.Index(msg.MsgId, EotSeparator); idx != -1 { + msg.MsgContext, msg.MsgId = msg.MsgId[:idx], msg.MsgId[idx+1:] + } + // Is this a plural message? + if idx := strings.Index(msg.MsgId, NulSeparator); idx != -1 { + msg.MsgId, msg.MsgIdPlural = msg.MsgId[:idx], msg.MsgId[idx+1:] + msg.MsgStrPlural = strings.Split(msg.MsgStr, NulSeparator) + msg.MsgStr = "" + } + file.Messages = append(file.Messages, msg) + } + } + + return file, nil +} + +// Save saves a mo file. +func (f *File) Save(name string) error { + return ioutil.WriteFile(name, f.Data(), 0666) +} + +// Save returns a mo file format data. +func (f *File) Data() []byte { + return encodeFile(f) +} + +// String returns the po format file string. +func (f *File) String() string { + var buf bytes.Buffer + fmt.Fprintf(&buf, "# version: %d.%d\n", f.MajorVersion, f.MinorVersion) + fmt.Fprintf(&buf, "%s\n", f.MimeHeader.String()) + fmt.Fprintf(&buf, "\n") + + for k, v := range f.Messages { + fmt.Fprintf(&buf, `msgid "%v"`+"\n", k) + fmt.Fprintf(&buf, `msgstr "%s"`+"\n", v.MsgStr) + fmt.Fprintf(&buf, "\n") + } + + return buf.String() +} diff --git a/vendor/github.com/chai2010/gettext-go/mo/header.go b/vendor/github.com/chai2010/gettext-go/mo/header.go new file mode 100644 index 0000000000..d8c7a5e3a3 --- /dev/null +++ b/vendor/github.com/chai2010/gettext-go/mo/header.go @@ -0,0 +1,109 @@ +// Copyright 2013 ChaiShushan . All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package mo + +import ( + "bytes" + "fmt" + "strings" +) + +// Header is the initial comments "SOME DESCRIPTIVE TITLE", "YEAR" +// and "FIRST AUTHOR , YEAR" ought to be replaced by sensible information. +// +// See http://www.gnu.org/software/gettext/manual/html_node/Header-Entry.html#Header-Entry +type Header struct { + ProjectIdVersion string // Project-Id-Version: PACKAGE VERSION + ReportMsgidBugsTo string // Report-Msgid-Bugs-To: FIRST AUTHOR + POTCreationDate string // POT-Creation-Date: YEAR-MO-DA HO:MI+ZONE + PORevisionDate string // PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE + LastTranslator string // Last-Translator: FIRST AUTHOR + LanguageTeam string // Language-Team: golang-china + Language string // Language: zh_CN + MimeVersion string // MIME-Version: 1.0 + ContentType string // Content-Type: text/plain; charset=UTF-8 + ContentTransferEncoding string // Content-Transfer-Encoding: 8bit + PluralForms string // Plural-Forms: nplurals=2; plural=n == 1 ? 0 : 1; + XGenerator string // X-Generator: Poedit 1.5.5 + UnknowFields map[string]string +} + +func (p *Header) fromMessage(msg *Message) { + if msg.MsgId != "" || msg.MsgStr == "" { + return + } + lines := strings.Split(msg.MsgStr, "\n") + for i := 0; i < len(lines); i++ { + idx := strings.Index(lines[i], ":") + if idx < 0 { + continue + } + key := strings.TrimSpace(lines[i][:idx]) + val := strings.TrimSpace(lines[i][idx+1:]) + switch strings.ToUpper(key) { + case strings.ToUpper("Project-Id-Version"): + p.ProjectIdVersion = val + case strings.ToUpper("Report-Msgid-Bugs-To"): + p.ReportMsgidBugsTo = val + case strings.ToUpper("POT-Creation-Date"): + p.POTCreationDate = val + case strings.ToUpper("PO-Revision-Date"): + p.PORevisionDate = val + case strings.ToUpper("Last-Translator"): + p.LastTranslator = val + case strings.ToUpper("Language-Team"): + p.LanguageTeam = val + case strings.ToUpper("Language"): + p.Language = val + case strings.ToUpper("MIME-Version"): + p.MimeVersion = val + case strings.ToUpper("Content-Type"): + p.ContentType = val + case strings.ToUpper("Content-Transfer-Encoding"): + p.ContentTransferEncoding = val + case strings.ToUpper("Plural-Forms"): + p.PluralForms = val + case strings.ToUpper("X-Generator"): + p.XGenerator = val + default: + if p.UnknowFields == nil { + p.UnknowFields = make(map[string]string) + } + p.UnknowFields[key] = val + } + } +} + +func (p *Header) toMessage() Message { + return Message{ + MsgStr: p.String(), + } +} + +// String returns the po format header string. +func (p Header) String() string { + var buf bytes.Buffer + fmt.Fprintf(&buf, `msgid ""`+"\n") + fmt.Fprintf(&buf, `msgstr ""`+"\n") + fmt.Fprintf(&buf, `"%s: %s\n"`+"\n", "Project-Id-Version", p.ProjectIdVersion) + fmt.Fprintf(&buf, `"%s: %s\n"`+"\n", "Report-Msgid-Bugs-To", p.ReportMsgidBugsTo) + fmt.Fprintf(&buf, `"%s: %s\n"`+"\n", "POT-Creation-Date", p.POTCreationDate) + fmt.Fprintf(&buf, `"%s: %s\n"`+"\n", "PO-Revision-Date", p.PORevisionDate) + fmt.Fprintf(&buf, `"%s: %s\n"`+"\n", "Last-Translator", p.LastTranslator) + fmt.Fprintf(&buf, `"%s: %s\n"`+"\n", "Language-Team", p.LanguageTeam) + fmt.Fprintf(&buf, `"%s: %s\n"`+"\n", "Language", p.Language) + if p.MimeVersion != "" { + fmt.Fprintf(&buf, `"%s: %s\n"`+"\n", "MIME-Version", p.MimeVersion) + } + fmt.Fprintf(&buf, `"%s: %s\n"`+"\n", "Content-Type", p.ContentType) + fmt.Fprintf(&buf, `"%s: %s\n"`+"\n", "Content-Transfer-Encoding", p.ContentTransferEncoding) + if p.XGenerator != "" { + fmt.Fprintf(&buf, `"%s: %s\n"`+"\n", "X-Generator", p.XGenerator) + } + for k, v := range p.UnknowFields { + fmt.Fprintf(&buf, `"%s: %s\n"`+"\n", k, v) + } + return buf.String() +} diff --git a/vendor/github.com/chai2010/gettext-go/mo/message.go b/vendor/github.com/chai2010/gettext-go/mo/message.go new file mode 100644 index 0000000000..b67bde0b70 --- /dev/null +++ b/vendor/github.com/chai2010/gettext-go/mo/message.go @@ -0,0 +1,52 @@ +// Copyright 2013 ChaiShushan . All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package mo + +import ( + "bytes" + "fmt" +) + +// A MO file is made up of many entries, +// each entry holding the relation between an original untranslated string +// and its corresponding translation. +// +// See http://www.gnu.org/software/gettext/manual/html_node/MO-Files.html +type Message struct { + MsgContext string // msgctxt context + MsgId string // msgid untranslated-string + MsgIdPlural string // msgid_plural untranslated-string-plural + MsgStr string // msgstr translated-string + MsgStrPlural []string // msgstr[0] translated-string-case-0 +} + +// String returns the po format entry string. +func (p Message) String() string { + var buf bytes.Buffer + fmt.Fprintf(&buf, "msgid %s", encodePoString(p.MsgId)) + if p.MsgIdPlural != "" { + fmt.Fprintf(&buf, "msgid_plural %s", encodePoString(p.MsgIdPlural)) + } + if p.MsgStr != "" { + fmt.Fprintf(&buf, "msgstr %s", encodePoString(p.MsgStr)) + } + for i := 0; i < len(p.MsgStrPlural); i++ { + fmt.Fprintf(&buf, "msgstr[%d] %s", i, encodePoString(p.MsgStrPlural[i])) + } + return buf.String() +} + +func (m_i *Message) less(m_j *Message) bool { + if a, b := m_i.MsgContext, m_j.MsgContext; a != b { + return a < b + } + if a, b := m_i.MsgId, m_j.MsgId; a != b { + return a < b + } + if a, b := m_i.MsgIdPlural, m_j.MsgIdPlural; a != b { + return a < b + } + return false +} diff --git a/vendor/github.com/chai2010/gettext-go/mo/util.go b/vendor/github.com/chai2010/gettext-go/mo/util.go new file mode 100644 index 0000000000..3804511053 --- /dev/null +++ b/vendor/github.com/chai2010/gettext-go/mo/util.go @@ -0,0 +1,110 @@ +// Copyright 2013 ChaiShushan . All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package mo + +import ( + "bytes" + "strings" +) + +func decodePoString(text string) string { + lines := strings.Split(text, "\n") + for i := 0; i < len(lines); i++ { + left := strings.Index(lines[i], `"`) + right := strings.LastIndex(lines[i], `"`) + if left < 0 || right < 0 || left == right { + lines[i] = "" + continue + } + line := lines[i][left+1 : right] + data := make([]byte, 0, len(line)) + for i := 0; i < len(line); i++ { + if line[i] != '\\' { + data = append(data, line[i]) + continue + } + if i+1 >= len(line) { + break + } + switch line[i+1] { + case 'n': // \\n -> \n + data = append(data, '\n') + i++ + case 't': // \\t -> \n + data = append(data, '\t') + i++ + case '\\': // \\\ -> ? + data = append(data, '\\') + i++ + } + } + lines[i] = string(data) + } + return strings.Join(lines, "") +} + +func encodePoString(text string) string { + var buf bytes.Buffer + lines := strings.Split(text, "\n") + for i := 0; i < len(lines); i++ { + if lines[i] == "" { + if i != len(lines)-1 { + buf.WriteString(`"\n"` + "\n") + } + continue + } + buf.WriteRune('"') + for _, r := range lines[i] { + switch r { + case '\\': + buf.WriteString(`\\`) + case '"': + buf.WriteString(`\"`) + case '\n': + buf.WriteString(`\n`) + case '\t': + buf.WriteString(`\t`) + default: + buf.WriteRune(r) + } + } + buf.WriteString(`\n"` + "\n") + } + return buf.String() +} + +func encodeCommentPoString(text string) string { + var buf bytes.Buffer + lines := strings.Split(text, "\n") + if len(lines) > 1 { + buf.WriteString(`""` + "\n") + } + for i := 0; i < len(lines); i++ { + if len(lines) > 0 { + buf.WriteString("#| ") + } + buf.WriteRune('"') + for _, r := range lines[i] { + switch r { + case '\\': + buf.WriteString(`\\`) + case '"': + buf.WriteString(`\"`) + case '\n': + buf.WriteString(`\n`) + case '\t': + buf.WriteString(`\t`) + default: + buf.WriteRune(r) + } + } + if i < len(lines)-1 { + buf.WriteString(`\n"` + "\n") + } else { + buf.WriteString(`"`) + } + } + return buf.String() +} diff --git a/vendor/github.com/chai2010/gettext-go/plural/doc.go b/vendor/github.com/chai2010/gettext-go/plural/doc.go new file mode 100644 index 0000000000..31cb8fae9f --- /dev/null +++ b/vendor/github.com/chai2010/gettext-go/plural/doc.go @@ -0,0 +1,36 @@ +// Copyright 2013 ChaiShushan . All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +/* +Package plural provides standard plural formulas. + +Examples: + import ( + "github.com/chai2010/gettext-go/plural" + ) + + func main() { + enFormula := plural.Formula("en_US") + xxFormula := plural.Formula("zh_CN") + + fmt.Printf("%s: %d\n", "en", enFormula(0)) + fmt.Printf("%s: %d\n", "en", enFormula(1)) + fmt.Printf("%s: %d\n", "en", enFormula(2)) + fmt.Printf("%s: %d\n", "??", xxFormula(0)) + fmt.Printf("%s: %d\n", "??", xxFormula(1)) + fmt.Printf("%s: %d\n", "??", xxFormula(2)) + fmt.Printf("%s: %d\n", "??", xxFormula(9)) + // Output: + // en: 0 + // en: 0 + // en: 1 + // ??: 0 + // ??: 0 + // ??: 1 + // ??: 8 + } + +See http://www.gnu.org/software/gettext/manual/html_node/Plural-forms.html +*/ +package plural diff --git a/vendor/github.com/chai2010/gettext-go/plural/formula.go b/vendor/github.com/chai2010/gettext-go/plural/formula.go new file mode 100644 index 0000000000..c92dc19ead --- /dev/null +++ b/vendor/github.com/chai2010/gettext-go/plural/formula.go @@ -0,0 +1,181 @@ +// Copyright 2013 ChaiShushan . All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package plural + +import ( + "strings" +) + +// Formula provides the language's standard plural formula. +func Formula(lang string) func(n int) int { + if idx := index(lang); idx != -1 { + return formulaTable[fmtForms(FormsTable[idx].Value)] + } + if idx := index("??"); idx != -1 { + return formulaTable[fmtForms(FormsTable[idx].Value)] + } + return func(n int) int { + return n + } +} + +func index(lang string) int { + for i := 0; i < len(FormsTable); i++ { + if strings.HasPrefix(lang, FormsTable[i].Lang) { + return i + } + } + return -1 +} + +func fmtForms(forms string) string { + forms = strings.TrimSpace(forms) + forms = strings.Replace(forms, " ", "", -1) + return forms +} + +var formulaTable = map[string]func(n int) int{ + fmtForms("nplurals=n; plural=n-1;"): func(n int) int { + if n > 0 { + return n - 1 + } + return 0 + }, + fmtForms("nplurals=1; plural=0;"): func(n int) int { + return 0 + }, + fmtForms("nplurals=2; plural=(n != 1);"): func(n int) int { + if n == 1 { + return 0 + } + return 1 + }, + fmtForms("nplurals=2; plural=(n > 1);"): func(n int) int { + if n <= 1 { + return 0 + } + return 1 + }, + fmtForms("nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n != 0 ? 1 : 2);"): func(n int) int { + if n%10 == 1 && n%100 != 11 { + return 0 + } + if n != 0 { + return 1 + } + return 2 + }, + fmtForms("nplurals=3; plural=n==1 ? 0 : n==2 ? 1 : 2;"): func(n int) int { + if n == 1 { + return 0 + } + if n == 2 { + return 1 + } + return 2 + }, + fmtForms("nplurals=3; plural=n==1 ? 0 : (n==0 || (n%100 > 0 && n%100 < 20)) ? 1 : 2;"): func(n int) int { + if n == 1 { + return 0 + } + if n == 0 || (n%100 > 0 && n%100 < 20) { + return 1 + } + return 2 + }, + fmtForms("nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && (n%100<10 || n%100>=20) ? 1 : 2);"): func(n int) int { + if n%10 == 1 && n%100 != 11 { + return 0 + } + if n%10 >= 2 && (n%100 < 10 || n%100 >= 20) { + return 1 + } + return 2 + }, + fmtForms("nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);"): func(n int) int { + if n%10 == 1 && n%100 != 11 { + return 0 + } + if n%10 >= 2 && n%10 <= 4 && (n%100 < 10 || n%100 >= 20) { + return 1 + } + return 2 + }, + fmtForms("nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);"): func(n int) int { + if n%10 == 1 && n%100 != 11 { + return 0 + } + if n%10 >= 2 && n%10 <= 4 && (n%100 < 10 || n%100 >= 20) { + return 1 + } + return 2 + }, + fmtForms("nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);"): func(n int) int { + if n%10 == 1 && n%100 != 11 { + return 0 + } + if n%10 >= 2 && n%10 <= 4 && (n%100 < 10 || n%100 >= 20) { + return 1 + } + return 2 + }, + fmtForms("nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);"): func(n int) int { + if n%10 == 1 && n%100 != 11 { + return 0 + } + if n%10 >= 2 && n%10 <= 4 && (n%100 < 10 || n%100 >= 20) { + return 1 + } + return 2 + }, + fmtForms("nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);"): func(n int) int { + if n%10 == 1 && n%100 != 11 { + return 0 + } + if n%10 >= 2 && n%10 <= 4 && (n%100 < 10 || n%100 >= 20) { + return 1 + } + return 2 + }, + fmtForms("nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;"): func(n int) int { + if n == 1 { + return 0 + } + if n >= 2 && n <= 4 { + return 1 + } + return 2 + }, + fmtForms("nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;"): func(n int) int { + if n == 1 { + return 0 + } + if n >= 2 && n <= 4 { + return 1 + } + return 2 + }, + fmtForms("nplurals=3; plural=(n==1 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);"): func(n int) int { + if n == 1 { + return 0 + } + if n%10 >= 2 && n%10 <= 4 && (n%100 < 10 || n%100 >= 20) { + return 1 + } + return 2 + }, + fmtForms("nplurals=4; plural=(n%100==1 ? 0 : n%100==2 ? 1 : n%100==3 || n%100==4 ? 2 : 3);"): func(n int) int { + if n%100 == 1 { + return 0 + } + if n%100 == 2 { + return 1 + } + if n%100 == 3 || n%100 == 4 { + return 2 + } + return 3 + }, +} diff --git a/vendor/github.com/chai2010/gettext-go/plural/table.go b/vendor/github.com/chai2010/gettext-go/plural/table.go new file mode 100644 index 0000000000..cdc50d2110 --- /dev/null +++ b/vendor/github.com/chai2010/gettext-go/plural/table.go @@ -0,0 +1,55 @@ +// Copyright 2013 ChaiShushan . All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package plural + +// FormsTable are standard hard-coded plural rules. +// The application developers and the translators need to understand them. +// +// See GNU's gettext library source code: gettext/gettext-tools/src/plural-table.c +var FormsTable = []struct { + Lang string + Language string + Value string +}{ + {"??", "Unknown", "nplurals=1; plural=0;"}, + {"ja", "Japanese", "nplurals=1; plural=0;"}, + {"vi", "Vietnamese", "nplurals=1; plural=0;"}, + {"ko", "Korean", "nplurals=1; plural=0;"}, + {"en", "English", "nplurals=2; plural=(n != 1);"}, + {"de", "German", "nplurals=2; plural=(n != 1);"}, + {"nl", "Dutch", "nplurals=2; plural=(n != 1);"}, + {"sv", "Swedish", "nplurals=2; plural=(n != 1);"}, + {"da", "Danish", "nplurals=2; plural=(n != 1);"}, + {"no", "Norwegian", "nplurals=2; plural=(n != 1);"}, + {"nb", "Norwegian Bokmal", "nplurals=2; plural=(n != 1);"}, + {"nn", "Norwegian Nynorsk", "nplurals=2; plural=(n != 1);"}, + {"fo", "Faroese", "nplurals=2; plural=(n != 1);"}, + {"es", "Spanish", "nplurals=2; plural=(n != 1);"}, + {"pt", "Portuguese", "nplurals=2; plural=(n != 1);"}, + {"it", "Italian", "nplurals=2; plural=(n != 1);"}, + {"bg", "Bulgarian", "nplurals=2; plural=(n != 1);"}, + {"el", "Greek", "nplurals=2; plural=(n != 1);"}, + {"fi", "Finnish", "nplurals=2; plural=(n != 1);"}, + {"et", "Estonian", "nplurals=2; plural=(n != 1);"}, + {"he", "Hebrew", "nplurals=2; plural=(n != 1);"}, + {"eo", "Esperanto", "nplurals=2; plural=(n != 1);"}, + {"hu", "Hungarian", "nplurals=2; plural=(n != 1);"}, + {"tr", "Turkish", "nplurals=2; plural=(n != 1);"}, + {"pt_BR", "Brazilian", "nplurals=2; plural=(n > 1);"}, + {"fr", "French", "nplurals=2; plural=(n > 1);"}, + {"lv", "Latvian", "nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n != 0 ? 1 : 2);"}, + {"ga", "Irish", "nplurals=3; plural=n==1 ? 0 : n==2 ? 1 : 2;"}, + {"ro", "Romanian", "nplurals=3; plural=n==1 ? 0 : (n==0 || (n%100 > 0 && n%100 < 20)) ? 1 : 2;"}, + {"lt", "Lithuanian", "nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && (n%100<10 || n%100>=20) ? 1 : 2);"}, + {"ru", "Russian", "nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);"}, + {"uk", "Ukrainian", "nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);"}, + {"be", "Belarusian", "nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);"}, + {"sr", "Serbian", "nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);"}, + {"hr", "Croatian", "nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);"}, + {"cs", "Czech", "nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;"}, + {"sk", "Slovak", "nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;"}, + {"pl", "Polish", "nplurals=3; plural=(n==1 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);"}, + {"sl", "Slovenian", "nplurals=4; plural=(n%100==1 ? 0 : n%100==2 ? 1 : n%100==3 || n%100==4 ? 2 : 3);"}, +} diff --git a/vendor/github.com/chai2010/gettext-go/po/comment.go b/vendor/github.com/chai2010/gettext-go/po/comment.go new file mode 100644 index 0000000000..d4abe7c106 --- /dev/null +++ b/vendor/github.com/chai2010/gettext-go/po/comment.go @@ -0,0 +1,270 @@ +// Copyright 2013 ChaiShushan . All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package po + +import ( + "bytes" + "fmt" + "io" + "strconv" + "strings" +) + +// Comment represents every message's comments. +type Comment struct { + StartLine int // comment start line + TranslatorComment string // # translator-comments // TrimSpace + ExtractedComment string // #. extracted-comments + ReferenceFile []string // #: src/msgcmp.c:338 src/po-lex.c:699 + ReferenceLine []int // #: src/msgcmp.c:338 src/po-lex.c:699 + Flags []string // #, fuzzy,c-format,range:0..10 + PrevMsgContext string // #| msgctxt previous-context + PrevMsgId string // #| msgid previous-untranslated-string +} + +func (p *Comment) less(q *Comment) bool { + if p.StartLine != 0 || q.StartLine != 0 { + return p.StartLine < q.StartLine + } + if a, b := len(p.ReferenceFile), len(q.ReferenceFile); a != b { + return a < b + } + for i := 0; i < len(p.ReferenceFile); i++ { + if a, b := p.ReferenceFile[i], q.ReferenceFile[i]; a != b { + return a < b + } + if a, b := p.ReferenceLine[i], q.ReferenceLine[i]; a != b { + return a < b + } + } + return false +} + +func (p *Comment) readPoComment(r *lineReader) (err error) { + *p = Comment{} + if err = r.skipBlankLine(); err != nil { + return err + } + defer func(oldPos int) { + newPos := r.currentPos() + if newPos != oldPos && err == io.EOF { + err = nil + } + }(r.currentPos()) + + p.StartLine = r.currentPos() + 1 + for { + var s string + if s, _, err = r.currentLine(); err != nil { + return + } + if len(s) == 0 || s[0] != '#' { + return + } + + if err = p.readTranslatorComment(r); err != nil { + return + } + if err = p.readExtractedComment(r); err != nil { + return + } + if err = p.readReferenceComment(r); err != nil { + return + } + if err = p.readFlagsComment(r); err != nil { + return + } + if err = p.readPrevMsgContext(r); err != nil { + return + } + if err = p.readPrevMsgId(r); err != nil { + return + } + } +} + +func (p *Comment) readTranslatorComment(r *lineReader) (err error) { + const prefix = "# " // .,:| + for { + var s string + if s, _, err = r.readLine(); err != nil { + return err + } + if len(s) < 1 || s[0] != '#' { + r.unreadLine() + return nil + } + if len(s) >= 2 { + switch s[1] { + case '.', ',', ':', '|': + r.unreadLine() + return nil + } + } + if p.TranslatorComment != "" { + p.TranslatorComment += "\n" + } + p.TranslatorComment += strings.TrimSpace(s[1:]) + } +} + +func (p *Comment) readExtractedComment(r *lineReader) (err error) { + const prefix = "#." + for { + var s string + if s, _, err = r.readLine(); err != nil { + return err + } + if len(s) < len(prefix) || s[:len(prefix)] != prefix { + r.unreadLine() + return nil + } + if p.ExtractedComment != "" { + p.ExtractedComment += "\n" + } + p.ExtractedComment += strings.TrimSpace(s[len(prefix):]) + } +} + +func (p *Comment) readReferenceComment(r *lineReader) (err error) { + const prefix = "#:" + for { + var s string + if s, _, err = r.readLine(); err != nil { + return err + } + if len(s) < len(prefix) || s[:len(prefix)] != prefix { + r.unreadLine() + return nil + } + ss := strings.Split(strings.TrimSpace(s[len(prefix):]), " ") + for i := 0; i < len(ss); i++ { + idx := strings.Index(ss[i], ":") + if idx <= 0 { + continue + } + name := strings.TrimSpace(ss[i][:idx]) + line, _ := strconv.Atoi(strings.TrimSpace(ss[i][idx+1:])) + p.ReferenceFile = append(p.ReferenceFile, name) + p.ReferenceLine = append(p.ReferenceLine, line) + } + } +} + +func (p *Comment) readFlagsComment(r *lineReader) (err error) { + const prefix = "#," + for { + var s string + if s, _, err = r.readLine(); err != nil { + return err + } + if len(s) < len(prefix) || s[:len(prefix)] != prefix { + r.unreadLine() + return nil + } + ss := strings.Split(strings.TrimSpace(s[len(prefix):]), ",") + for i := 0; i < len(ss); i++ { + p.Flags = append(p.Flags, strings.TrimSpace(ss[i])) + } + } +} + +func (p *Comment) readPrevMsgContext(r *lineReader) (err error) { + var s string + if s, _, err = r.currentLine(); err != nil { + return + } + if !rePrevMsgContextComments.MatchString(s) { + return + } + p.PrevMsgContext, err = p.readString(r) + return +} + +func (p *Comment) readPrevMsgId(r *lineReader) (err error) { + var s string + if s, _, err = r.currentLine(); err != nil { + return + } + if !rePrevMsgIdComments.MatchString(s) { + return + } + p.PrevMsgId, err = p.readString(r) + return +} + +func (p *Comment) readString(r *lineReader) (msg string, err error) { + var s string + if s, _, err = r.readLine(); err != nil { + return + } + msg += decodePoString(s) + for { + if s, _, err = r.readLine(); err != nil { + return + } + if !reStringLineComments.MatchString(s) { + r.unreadLine() + break + } + msg += decodePoString(s) + } + return +} + +// GetFuzzy gets the fuzzy flag. +func (p *Comment) GetFuzzy() bool { + for _, s := range p.Flags { + if s == "fuzzy" { + return true + } + } + return false +} + +// SetFuzzy sets the fuzzy flag. +func (p *Comment) SetFuzzy(fuzzy bool) { + // +} + +// String returns the po format comment string. +func (p Comment) String() string { + var buf bytes.Buffer + if p.TranslatorComment != "" { + ss := strings.Split(p.TranslatorComment, "\n") + for i := 0; i < len(ss); i++ { + fmt.Fprintf(&buf, "# %s\n", ss[i]) + } + } + if p.ExtractedComment != "" { + ss := strings.Split(p.ExtractedComment, "\n") + for i := 0; i < len(ss); i++ { + fmt.Fprintf(&buf, "#. %s\n", ss[i]) + } + } + if a, b := len(p.ReferenceFile), len(p.ReferenceLine); a != 0 && a == b { + fmt.Fprintf(&buf, "#:") + for i := 0; i < len(p.ReferenceFile); i++ { + fmt.Fprintf(&buf, " %s:%d", p.ReferenceFile[i], p.ReferenceLine[i]) + } + fmt.Fprintf(&buf, "\n") + } + if len(p.Flags) != 0 { + fmt.Fprintf(&buf, "#, %s", p.Flags[0]) + for i := 1; i < len(p.Flags); i++ { + fmt.Fprintf(&buf, ", %s", p.Flags[i]) + } + fmt.Fprintf(&buf, "\n") + } + if p.PrevMsgContext != "" { + s := encodeCommentPoString(p.PrevMsgContext) + fmt.Fprintf(&buf, "#| msgctxt %s\n", s) + } + if p.PrevMsgId != "" { + s := encodeCommentPoString(p.PrevMsgId) + fmt.Fprintf(&buf, "#| msgid %s\n", s) + } + return buf.String() +} diff --git a/vendor/github.com/chai2010/gettext-go/po/doc.go b/vendor/github.com/chai2010/gettext-go/po/doc.go new file mode 100644 index 0000000000..6cfa2a24be --- /dev/null +++ b/vendor/github.com/chai2010/gettext-go/po/doc.go @@ -0,0 +1,24 @@ +// Copyright 2013 ChaiShushan . All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +/* +Package po provides support for reading and writing GNU PO file. + +Examples: + import ( + "github.com/chai2010/gettext-go/po" + ) + + func main() { + poFile, err := po.LoadFile("test.po") + if err != nil { + log.Fatal(err) + } + fmt.Printf("%v", poFile) + } + +The GNU PO file specification is at +http://www.gnu.org/software/gettext/manual/html_node/PO-Files.html. +*/ +package po diff --git a/vendor/github.com/chai2010/gettext-go/po/file.go b/vendor/github.com/chai2010/gettext-go/po/file.go new file mode 100644 index 0000000000..4a122eeb8b --- /dev/null +++ b/vendor/github.com/chai2010/gettext-go/po/file.go @@ -0,0 +1,81 @@ +// Copyright 2013 ChaiShushan . All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package po + +import ( + "bytes" + "fmt" + "io" + "io/ioutil" + "sort" +) + +// File represents an PO File. +// +// See http://www.gnu.org/software/gettext/manual/html_node/PO-Files.html +type File struct { + MimeHeader Header + Messages []Message +} + +// Load loads po file format data. +func Load(data []byte) (*File, error) { + return loadData(data) +} + +// LoadFile loads a named po file. +func LoadFile(path string) (*File, error) { + data, err := ioutil.ReadFile(path) + if err != nil { + return nil, err + } + return loadData(data) +} + +func loadData(data []byte) (*File, error) { + r := newLineReader(string(data)) + var file File + for { + var msg Message + if err := msg.readPoEntry(r); err != nil { + if err == io.EOF { + return &file, nil + } + return nil, err + } + if msg.MsgId == "" { + file.MimeHeader.parseHeader(&msg) + continue + } + file.Messages = append(file.Messages, msg) + } +} + +// Save saves a po file. +func (f *File) Save(name string) error { + return ioutil.WriteFile(name, []byte(f.String()), 0666) +} + +// Save returns a po file format data. +func (f *File) Data() []byte { + // sort the massge as ReferenceFile/ReferenceLine field + var messages []Message + messages = append(messages, f.Messages...) + sort.Slice(messages, func(i, j int) bool { + return messages[i].less(&messages[j]) + }) + + var buf bytes.Buffer + fmt.Fprintf(&buf, "%s\n", f.MimeHeader.String()) + for i := 0; i < len(messages); i++ { + fmt.Fprintf(&buf, "%s\n", messages[i].String()) + } + return buf.Bytes() +} + +// String returns the po format file string. +func (f *File) String() string { + return string(f.Data()) +} diff --git a/vendor/github.com/chai2010/gettext-go/po/header.go b/vendor/github.com/chai2010/gettext-go/po/header.go new file mode 100644 index 0000000000..a9b5b6671b --- /dev/null +++ b/vendor/github.com/chai2010/gettext-go/po/header.go @@ -0,0 +1,106 @@ +// Copyright 2013 ChaiShushan . All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package po + +import ( + "bytes" + "fmt" + "strings" +) + +// Header is the initial comments "SOME DESCRIPTIVE TITLE", "YEAR" +// and "FIRST AUTHOR , YEAR" ought to be replaced by sensible information. +// +// See http://www.gnu.org/software/gettext/manual/html_node/Header-Entry.html#Header-Entry +type Header struct { + Comment // Header Comments + ProjectIdVersion string // Project-Id-Version: PACKAGE VERSION + ReportMsgidBugsTo string // Report-Msgid-Bugs-To: FIRST AUTHOR + POTCreationDate string // POT-Creation-Date: YEAR-MO-DA HO:MI+ZONE + PORevisionDate string // PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE + LastTranslator string // Last-Translator: FIRST AUTHOR + LanguageTeam string // Language-Team: golang-china + Language string // Language: zh_CN + MimeVersion string // MIME-Version: 1.0 + ContentType string // Content-Type: text/plain; charset=UTF-8 + ContentTransferEncoding string // Content-Transfer-Encoding: 8bit + PluralForms string // Plural-Forms: nplurals=2; plural=n == 1 ? 0 : 1; + XGenerator string // X-Generator: Poedit 1.5.5 + UnknowFields map[string]string +} + +func (p *Header) parseHeader(msg *Message) { + if msg.MsgId != "" || msg.MsgStr == "" { + return + } + lines := strings.Split(msg.MsgStr, "\n") + for i := 0; i < len(lines); i++ { + idx := strings.Index(lines[i], ":") + if idx < 0 { + continue + } + key := strings.TrimSpace(lines[i][:idx]) + val := strings.TrimSpace(lines[i][idx+1:]) + switch strings.ToUpper(key) { + case strings.ToUpper("Project-Id-Version"): + p.ProjectIdVersion = val + case strings.ToUpper("Report-Msgid-Bugs-To"): + p.ReportMsgidBugsTo = val + case strings.ToUpper("POT-Creation-Date"): + p.POTCreationDate = val + case strings.ToUpper("PO-Revision-Date"): + p.PORevisionDate = val + case strings.ToUpper("Last-Translator"): + p.LastTranslator = val + case strings.ToUpper("Language-Team"): + p.LanguageTeam = val + case strings.ToUpper("Language"): + p.Language = val + case strings.ToUpper("MIME-Version"): + p.MimeVersion = val + case strings.ToUpper("Content-Type"): + p.ContentType = val + case strings.ToUpper("Content-Transfer-Encoding"): + p.ContentTransferEncoding = val + case strings.ToUpper("Plural-Forms"): + p.PluralForms = val + case strings.ToUpper("X-Generator"): + p.XGenerator = val + default: + if p.UnknowFields == nil { + p.UnknowFields = make(map[string]string) + } + p.UnknowFields[key] = val + } + } + p.Comment = msg.Comment +} + +// String returns the po format header string. +func (p Header) String() string { + var buf bytes.Buffer + fmt.Fprintf(&buf, "%s", p.Comment.String()) + fmt.Fprintf(&buf, `msgid ""`+"\n") + fmt.Fprintf(&buf, `msgstr ""`+"\n") + fmt.Fprintf(&buf, `"%s: %s\n"`+"\n", "Project-Id-Version", p.ProjectIdVersion) + fmt.Fprintf(&buf, `"%s: %s\n"`+"\n", "Report-Msgid-Bugs-To", p.ReportMsgidBugsTo) + fmt.Fprintf(&buf, `"%s: %s\n"`+"\n", "POT-Creation-Date", p.POTCreationDate) + fmt.Fprintf(&buf, `"%s: %s\n"`+"\n", "PO-Revision-Date", p.PORevisionDate) + fmt.Fprintf(&buf, `"%s: %s\n"`+"\n", "Last-Translator", p.LastTranslator) + fmt.Fprintf(&buf, `"%s: %s\n"`+"\n", "Language-Team", p.LanguageTeam) + fmt.Fprintf(&buf, `"%s: %s\n"`+"\n", "Language", p.Language) + if p.MimeVersion != "" { + fmt.Fprintf(&buf, `"%s: %s\n"`+"\n", "MIME-Version", p.MimeVersion) + } + fmt.Fprintf(&buf, `"%s: %s\n"`+"\n", "Content-Type", p.ContentType) + fmt.Fprintf(&buf, `"%s: %s\n"`+"\n", "Content-Transfer-Encoding", p.ContentTransferEncoding) + if p.XGenerator != "" { + fmt.Fprintf(&buf, `"%s: %s\n"`+"\n", "X-Generator", p.XGenerator) + } + for k, v := range p.UnknowFields { + fmt.Fprintf(&buf, `"%s: %s\n"`+"\n", k, v) + } + return buf.String() +} diff --git a/vendor/github.com/chai2010/gettext-go/po/line_reader.go b/vendor/github.com/chai2010/gettext-go/po/line_reader.go new file mode 100644 index 0000000000..8597273a2b --- /dev/null +++ b/vendor/github.com/chai2010/gettext-go/po/line_reader.go @@ -0,0 +1,62 @@ +// Copyright 2013 ChaiShushan . All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package po + +import ( + "io" + "strings" +) + +type lineReader struct { + lines []string + pos int +} + +func newLineReader(data string) *lineReader { + data = strings.Replace(data, "\r", "", -1) + lines := strings.Split(data, "\n") + return &lineReader{lines: lines} +} + +func (r *lineReader) skipBlankLine() error { + for ; r.pos < len(r.lines); r.pos++ { + if strings.TrimSpace(r.lines[r.pos]) != "" { + break + } + } + if r.pos >= len(r.lines) { + return io.EOF + } + return nil +} + +func (r *lineReader) currentPos() int { + return r.pos +} + +func (r *lineReader) currentLine() (s string, pos int, err error) { + if r.pos >= len(r.lines) { + err = io.EOF + return + } + s, pos = r.lines[r.pos], r.pos + return +} + +func (r *lineReader) readLine() (s string, pos int, err error) { + if r.pos >= len(r.lines) { + err = io.EOF + return + } + s, pos = r.lines[r.pos], r.pos + r.pos++ + return +} + +func (r *lineReader) unreadLine() { + if r.pos >= 0 { + r.pos-- + } +} diff --git a/vendor/github.com/chai2010/gettext-go/po/message.go b/vendor/github.com/chai2010/gettext-go/po/message.go new file mode 100644 index 0000000000..39936dcc7b --- /dev/null +++ b/vendor/github.com/chai2010/gettext-go/po/message.go @@ -0,0 +1,193 @@ +// Copyright 2013 ChaiShushan . All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package po + +import ( + "bytes" + "fmt" + "io" + "strconv" + "strings" +) + +// A PO file is made up of many entries, +// each entry holding the relation between an original untranslated string +// and its corresponding translation. +// +// See http://www.gnu.org/software/gettext/manual/html_node/PO-Files.html +type Message struct { + Comment // Coments + MsgContext string // msgctxt context + MsgId string // msgid untranslated-string + MsgIdPlural string // msgid_plural untranslated-string-plural + MsgStr string // msgstr translated-string + MsgStrPlural []string // msgstr[0] translated-string-case-0 +} + +func (p *Message) less(q *Message) bool { + if p.Comment.less(&q.Comment) { + return true + } + if a, b := p.MsgContext, q.MsgContext; a != b { + return a < b + } + if a, b := p.MsgId, q.MsgId; a != b { + return a < b + } + if a, b := p.MsgIdPlural, q.MsgIdPlural; a != b { + return a < b + } + return false +} + +func (p *Message) readPoEntry(r *lineReader) (err error) { + *p = Message{} + if err = r.skipBlankLine(); err != nil { + return + } + defer func(oldPos int) { + newPos := r.currentPos() + if newPos != oldPos && err == io.EOF { + err = nil + } + }(r.currentPos()) + + if err = p.Comment.readPoComment(r); err != nil { + return + } + for { + var s string + if s, _, err = r.currentLine(); err != nil { + return + } + + if p.isInvalidLine(s) { + err = fmt.Errorf("gettext: line %d, %v", r.currentPos(), "invalid line") + return + } + if reComment.MatchString(s) || reBlankLine.MatchString(s) { + return + } + + if err = p.readMsgContext(r); err != nil { + return + } + if err = p.readMsgId(r); err != nil { + return + } + if err = p.readMsgIdPlural(r); err != nil { + return + } + if err = p.readMsgStrOrPlural(r); err != nil { + return + } + } +} + +func (p *Message) readMsgContext(r *lineReader) (err error) { + var s string + if s, _, err = r.currentLine(); err != nil { + return + } + if !reMsgContext.MatchString(s) { + return + } + p.MsgContext, err = p.readString(r) + return +} + +func (p *Message) readMsgId(r *lineReader) (err error) { + var s string + if s, _, err = r.currentLine(); err != nil { + return + } + if !reMsgId.MatchString(s) { + return + } + p.MsgId, err = p.readString(r) + return +} + +func (p *Message) readMsgIdPlural(r *lineReader) (err error) { + var s string + if s, _, err = r.currentLine(); err != nil { + return + } + if !reMsgIdPlural.MatchString(s) { + return + } + p.MsgIdPlural, err = p.readString(r) + return nil +} + +func (p *Message) readMsgStrOrPlural(r *lineReader) (err error) { + var s string + if s, _, err = r.currentLine(); err != nil { + return + } + if !reMsgStr.MatchString(s) && !reMsgStrPlural.MatchString(s) { + return + } + if reMsgStrPlural.MatchString(s) { + left, right := strings.Index(s, `[`), strings.LastIndex(s, `]`) + idx, _ := strconv.Atoi(s[left+1 : right]) + s, err = p.readString(r) + if n := len(p.MsgStrPlural); (idx + 1) > n { + p.MsgStrPlural = append(p.MsgStrPlural, make([]string, (idx+1)-n)...) + } + p.MsgStrPlural[idx] = s + } else { + p.MsgStr, err = p.readString(r) + } + return nil +} + +func (p *Message) readString(r *lineReader) (msg string, err error) { + var s string + if s, _, err = r.readLine(); err != nil { + return + } + msg += decodePoString(s) + for { + if s, _, err = r.readLine(); err != nil { + return + } + if !reStringLine.MatchString(s) { + r.unreadLine() + break + } + msg += decodePoString(s) + } + return +} + +// String returns the po format entry string. +func (p Message) String() string { + var buf bytes.Buffer + fmt.Fprintf(&buf, "%s", p.Comment.String()) + if p.MsgContext != "" { + fmt.Fprintf(&buf, "msgctxt %s", encodePoString(p.MsgContext)) + } + fmt.Fprintf(&buf, "msgid %s", encodePoString(p.MsgId)) + if p.MsgIdPlural != "" { + fmt.Fprintf(&buf, "msgid_plural %s", encodePoString(p.MsgIdPlural)) + } + if len(p.MsgStrPlural) == 0 { + if p.MsgStr != "" { + fmt.Fprintf(&buf, "msgstr %s", encodePoString(p.MsgStr)) + } else { + fmt.Fprintf(&buf, "msgstr %s", `""`+"\n") + } + } else { + for i := 0; i < len(p.MsgStrPlural); i++ { + if p.MsgStrPlural[i] != "" { + fmt.Fprintf(&buf, "msgstr[%d] %s", i, encodePoString(p.MsgStrPlural[i])) + } else { + fmt.Fprintf(&buf, "msgstr[%d] %s", i, `""`+"\n") + } + } + } + return buf.String() +} diff --git a/vendor/github.com/chai2010/gettext-go/po/re.go b/vendor/github.com/chai2010/gettext-go/po/re.go new file mode 100644 index 0000000000..67c240a57b --- /dev/null +++ b/vendor/github.com/chai2010/gettext-go/po/re.go @@ -0,0 +1,58 @@ +// Copyright 2013 ChaiShushan . All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package po + +import ( + "regexp" +) + +var ( + reComment = regexp.MustCompile(`^#`) // # + reExtractedComments = regexp.MustCompile(`^#\.`) // #. + reReferenceComments = regexp.MustCompile(`^#:`) // #: + reFlagsComments = regexp.MustCompile(`^#,`) // #, fuzzy,c-format + rePrevMsgContextComments = regexp.MustCompile(`^#\|\s+msgctxt`) // #| msgctxt + rePrevMsgIdComments = regexp.MustCompile(`^#\|\s+msgid`) // #| msgid + reStringLineComments = regexp.MustCompile(`^#\|\s+".*"\s*$`) // #| "message" + + reMsgContext = regexp.MustCompile(`^msgctxt\s+".*"\s*$`) // msgctxt + reMsgId = regexp.MustCompile(`^msgid\s+".*"\s*$`) // msgid + reMsgIdPlural = regexp.MustCompile(`^msgid_plural\s+".*"\s*$`) // msgid_plural + reMsgStr = regexp.MustCompile(`^msgstr\s*".*"\s*$`) // msgstr + reMsgStrPlural = regexp.MustCompile(`^msgstr\s*(\[\d+\])\s*".*"\s*$`) // msgstr[0] + reStringLine = regexp.MustCompile(`^\s*".*"\s*$`) // "message" + reBlankLine = regexp.MustCompile(`^\s*$`) // +) + +func (p *Message) isInvalidLine(s string) bool { + if reComment.MatchString(s) { + return false + } + if reBlankLine.MatchString(s) { + return false + } + + if reMsgContext.MatchString(s) { + return false + } + if reMsgId.MatchString(s) { + return false + } + if reMsgIdPlural.MatchString(s) { + return false + } + if reMsgStr.MatchString(s) { + return false + } + if reMsgStrPlural.MatchString(s) { + return false + } + + if reStringLine.MatchString(s) { + return false + } + + return true +} diff --git a/vendor/github.com/chai2010/gettext-go/po/util.go b/vendor/github.com/chai2010/gettext-go/po/util.go new file mode 100644 index 0000000000..1a0928b111 --- /dev/null +++ b/vendor/github.com/chai2010/gettext-go/po/util.go @@ -0,0 +1,121 @@ +// Copyright 2013 ChaiShushan . All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package po + +import ( + "bytes" + "strings" +) + +func decodePoString(text string) string { + lines := strings.Split(text, "\n") + for i := 0; i < len(lines); i++ { + left := strings.Index(lines[i], `"`) + right := strings.LastIndex(lines[i], `"`) + if left < 0 || right < 0 || left == right { + lines[i] = "" + continue + } + line := lines[i][left+1 : right] + data := make([]byte, 0, len(line)) + for i := 0; i < len(line); i++ { + if line[i] != '\\' { + data = append(data, line[i]) + continue + } + if i+1 >= len(line) { + break + } + switch line[i+1] { + case 'r': // \\r -> \r + data = append(data, '\r') + i++ + case 'n': // \\n -> \n + data = append(data, '\n') + i++ + case 't': // \\t -> \n + data = append(data, '\t') + i++ + case '\\': // \\\ -> ? + data = append(data, '\\') + i++ + } + } + lines[i] = string(data) + } + return strings.Join(lines, "") +} + +func encodePoString(text string) string { + var buf bytes.Buffer + lines := strings.Split(text, "\n") + for i := 0; i < len(lines); i++ { + if lines[i] == "" { + if i != len(lines)-1 { + buf.WriteString(`"\n"` + "\n") + } + continue + } + buf.WriteRune('"') + for _, r := range lines[i] { + switch r { + case '\\': + buf.WriteString(`\\`) + case '"': + buf.WriteString(`\"`) + case '\r': + buf.WriteString(`\r`) + case '\n': + buf.WriteString(`\n`) + case '\t': + buf.WriteString(`\t`) + default: + buf.WriteRune(r) + } + } + if i < len(lines)-1 { + buf.WriteString(`\n"` + "\n") + } else { + buf.WriteString(`"` + "\n") + } + } + return buf.String() +} + +func encodeCommentPoString(text string) string { + var buf bytes.Buffer + lines := strings.Split(text, "\n") + if len(lines) > 1 { + buf.WriteString(`""` + "\n") + } + for i := 0; i < len(lines); i++ { + if len(lines) > 0 { + buf.WriteString("#| ") + } + buf.WriteRune('"') + for _, r := range lines[i] { + switch r { + case '\\': + buf.WriteString(`\\`) + case '"': + buf.WriteString(`\"`) + case '\r': + buf.WriteString(`\r`) + case '\n': + buf.WriteString(`\n`) + case '\t': + buf.WriteString(`\t`) + default: + buf.WriteRune(r) + } + } + if i < len(lines)-1 { + buf.WriteString(`\n"` + "\n") + } else { + buf.WriteString(`"`) + } + } + return buf.String() +} diff --git a/vendor/github.com/chai2010/gettext-go/tr.go b/vendor/github.com/chai2010/gettext-go/tr.go new file mode 100644 index 0000000000..5b9d08f426 --- /dev/null +++ b/vendor/github.com/chai2010/gettext-go/tr.go @@ -0,0 +1,175 @@ +// Copyright 2013 ChaiShushan . All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package gettext + +import ( + "encoding/json" + + "github.com/chai2010/gettext-go/mo" + "github.com/chai2010/gettext-go/plural" + "github.com/chai2010/gettext-go/po" +) + +var nilTranslator = &translator{ + MessageMap: make(map[string]mo.Message), + PluralFormula: plural.Formula("??"), +} + +type translator struct { + MessageMap map[string]mo.Message + PluralFormula func(n int) int +} + +func newMoTranslator(name string, data []byte) (*translator, error) { + var ( + f *mo.File + err error + ) + if len(data) != 0 { + f, err = mo.Load(data) + } else { + f, err = mo.LoadFile(name) + } + if err != nil { + return nil, err + } + var tr = &translator{ + MessageMap: make(map[string]mo.Message), + } + for _, v := range f.Messages { + tr.MessageMap[tr.makeMapKey(v.MsgContext, v.MsgId)] = v + } + if lang := f.MimeHeader.Language; lang != "" { + tr.PluralFormula = plural.Formula(lang) + } else { + tr.PluralFormula = plural.Formula("??") + } + return tr, nil +} + +func newPoTranslator(name string, data []byte) (*translator, error) { + var ( + f *po.File + err error + ) + if len(data) != 0 { + f, err = po.Load(data) + } else { + f, err = po.LoadFile(name) + } + if err != nil { + return nil, err + } + var tr = &translator{ + MessageMap: make(map[string]mo.Message), + } + for _, v := range f.Messages { + tr.MessageMap[tr.makeMapKey(v.MsgContext, v.MsgId)] = mo.Message{ + MsgContext: v.MsgContext, + MsgId: v.MsgId, + MsgIdPlural: v.MsgIdPlural, + MsgStr: v.MsgStr, + MsgStrPlural: v.MsgStrPlural, + } + } + if lang := f.MimeHeader.Language; lang != "" { + tr.PluralFormula = plural.Formula(lang) + } else { + tr.PluralFormula = plural.Formula("??") + } + return tr, nil +} + +func newJsonTranslator(lang, name string, jsonData []byte) (*translator, error) { + var msgList []struct { + MsgContext string `json:"msgctxt"` // msgctxt context + MsgId string `json:"msgid"` // msgid untranslated-string + MsgIdPlural string `json:"msgid_plural"` // msgid_plural untranslated-string-plural + MsgStr []string `json:"msgstr"` // msgstr translated-string + } + if err := json.Unmarshal(jsonData, &msgList); err != nil { + return nil, err + } + + var tr = &translator{ + MessageMap: make(map[string]mo.Message), + PluralFormula: plural.Formula(lang), + } + + for _, v := range msgList { + var v_MsgStr string + var v_MsgStrPlural = v.MsgStr + + if len(v.MsgStr) != 0 { + v_MsgStr = v.MsgStr[0] + } + + tr.MessageMap[tr.makeMapKey(v.MsgContext, v.MsgId)] = mo.Message{ + MsgContext: v.MsgContext, + MsgId: v.MsgId, + MsgIdPlural: v.MsgIdPlural, + MsgStr: v_MsgStr, + MsgStrPlural: v_MsgStrPlural, + } + } + return tr, nil +} + +func (p *translator) PGettext(msgctxt, msgid string) string { + return p.findMsgStr(msgctxt, msgid) +} + +func (p *translator) PNGettext(msgctxt, msgid, msgidPlural string, n int) string { + n = p.PluralFormula(n) + if ss := p.findMsgStrPlural(msgctxt, msgid, msgidPlural); len(ss) != 0 { + if n >= len(ss) { + n = len(ss) - 1 + } + if ss[n] != "" { + return ss[n] + } + } + if msgidPlural != "" && n > 0 { + return msgidPlural + } + return msgid +} + +func (p *translator) findMsgStr(msgctxt, msgid string) string { + key := p.makeMapKey(msgctxt, msgid) + if v, ok := p.MessageMap[key]; ok { + if v.MsgStr != "" { + return v.MsgStr + } + } + return msgid +} + +func (p *translator) findMsgStrPlural(msgctxt, msgid, msgidPlural string) []string { + key := p.makeMapKey(msgctxt, msgid) + if v, ok := p.MessageMap[key]; ok { + if len(v.MsgIdPlural) != 0 { + if len(v.MsgStrPlural) != 0 { + return v.MsgStrPlural + } else { + return nil + } + } else { + if len(v.MsgStr) != 0 { + return []string{v.MsgStr} + } else { + return nil + } + } + } + return nil +} + +func (p *translator) makeMapKey(msgctxt, msgid string) string { + if msgctxt != "" { + return msgctxt + mo.EotSeparator + msgid + } + return msgid +} diff --git a/vendor/github.com/chai2010/gettext-go/util.go b/vendor/github.com/chai2010/gettext-go/util.go new file mode 100644 index 0000000000..b8269a605c --- /dev/null +++ b/vendor/github.com/chai2010/gettext-go/util.go @@ -0,0 +1,34 @@ +// Copyright 2013 ChaiShushan . All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package gettext + +import ( + "os" + "strings" +) + +func getDefaultLanguage() string { + if v := os.Getenv("LC_MESSAGES"); v != "" { + return simplifiedLanguage(v) + } + if v := os.Getenv("LANG"); v != "" { + return simplifiedLanguage(v) + } + return "default" +} + +func simplifiedLanguage(lang string) string { + // en_US/en_US.UTF-8/zh_CN/zh_TW/el_GR@euro/... + if idx := strings.Index(lang, ":"); idx != -1 { + lang = lang[:idx] + } + if idx := strings.Index(lang, "@"); idx != -1 { + lang = lang[:idx] + } + if idx := strings.Index(lang, "."); idx != -1 { + lang = lang[:idx] + } + return strings.TrimSpace(lang) +} diff --git a/vendor/github.com/containerd/containerd/LICENSE b/vendor/github.com/containerd/containerd/LICENSE new file mode 100644 index 0000000000..584149b6ee --- /dev/null +++ b/vendor/github.com/containerd/containerd/LICENSE @@ -0,0 +1,191 @@ + + Apache License + Version 2.0, January 2004 + https://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + Copyright The containerd Authors + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + https://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/vendor/github.com/containerd/containerd/NOTICE b/vendor/github.com/containerd/containerd/NOTICE new file mode 100644 index 0000000000..8915f02773 --- /dev/null +++ b/vendor/github.com/containerd/containerd/NOTICE @@ -0,0 +1,16 @@ +Docker +Copyright 2012-2015 Docker, Inc. + +This product includes software developed at Docker, Inc. (https://www.docker.com). + +The following is courtesy of our legal counsel: + + +Use and transfer of Docker may be subject to certain restrictions by the +United States and other governments. +It is your responsibility to ensure that your use and/or transfer does not +violate applicable laws. + +For more information, please see https://www.bis.doc.gov + +See also https://www.apache.org/dev/crypto.html and/or seek legal counsel. diff --git a/vendor/github.com/containerd/containerd/archive/compression/compression.go b/vendor/github.com/containerd/containerd/archive/compression/compression.go new file mode 100644 index 0000000000..23ddfab1a6 --- /dev/null +++ b/vendor/github.com/containerd/containerd/archive/compression/compression.go @@ -0,0 +1,323 @@ +/* + Copyright The containerd Authors. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +package compression + +import ( + "bufio" + "bytes" + "compress/gzip" + "context" + "encoding/binary" + "fmt" + "io" + "os" + "os/exec" + "strconv" + "sync" + + "github.com/containerd/log" + "github.com/klauspost/compress/zstd" +) + +type ( + // Compression is the state represents if compressed or not. + Compression int +) + +const ( + // Uncompressed represents the uncompressed. + Uncompressed Compression = iota + // Gzip is gzip compression algorithm. + Gzip + // Zstd is zstd compression algorithm. + Zstd +) + +const disablePigzEnv = "CONTAINERD_DISABLE_PIGZ" + +var ( + initPigz sync.Once + unpigzPath string +) + +var ( + bufioReader32KPool = &sync.Pool{ + New: func() interface{} { return bufio.NewReaderSize(nil, 32*1024) }, + } +) + +// DecompressReadCloser include the stream after decompress and the compress method detected. +type DecompressReadCloser interface { + io.ReadCloser + // GetCompression returns the compress method which is used before decompressing + GetCompression() Compression +} + +type readCloserWrapper struct { + io.Reader + compression Compression + closer func() error +} + +func (r *readCloserWrapper) Close() error { + if r.closer != nil { + return r.closer() + } + return nil +} + +func (r *readCloserWrapper) GetCompression() Compression { + return r.compression +} + +type writeCloserWrapper struct { + io.Writer + closer func() error +} + +func (w *writeCloserWrapper) Close() error { + if w.closer != nil { + w.closer() + } + return nil +} + +type bufferedReader struct { + buf *bufio.Reader +} + +func newBufferedReader(r io.Reader) *bufferedReader { + buf := bufioReader32KPool.Get().(*bufio.Reader) + buf.Reset(r) + return &bufferedReader{buf} +} + +func (r *bufferedReader) Read(p []byte) (n int, err error) { + if r.buf == nil { + return 0, io.EOF + } + n, err = r.buf.Read(p) + if err == io.EOF { + r.buf.Reset(nil) + bufioReader32KPool.Put(r.buf) + r.buf = nil + } + return +} + +func (r *bufferedReader) Peek(n int) ([]byte, error) { + if r.buf == nil { + return nil, io.EOF + } + return r.buf.Peek(n) +} + +const ( + zstdMagicSkippableStart = 0x184D2A50 + zstdMagicSkippableMask = 0xFFFFFFF0 +) + +var ( + gzipMagic = []byte{0x1F, 0x8B, 0x08} + zstdMagic = []byte{0x28, 0xb5, 0x2f, 0xfd} +) + +type matcher = func([]byte) bool + +func magicNumberMatcher(m []byte) matcher { + return func(source []byte) bool { + return bytes.HasPrefix(source, m) + } +} + +// zstdMatcher detects zstd compression algorithm. +// There are two frame formats defined by Zstandard: Zstandard frames and Skippable frames. +// See https://tools.ietf.org/id/draft-kucherawy-dispatch-zstd-00.html#rfc.section.2 for more details. +func zstdMatcher() matcher { + return func(source []byte) bool { + if bytes.HasPrefix(source, zstdMagic) { + // Zstandard frame + return true + } + // skippable frame + if len(source) < 8 { + return false + } + // magic number from 0x184D2A50 to 0x184D2A5F. + if binary.LittleEndian.Uint32(source[:4])&zstdMagicSkippableMask == zstdMagicSkippableStart { + return true + } + return false + } +} + +// DetectCompression detects the compression algorithm of the source. +func DetectCompression(source []byte) Compression { + for compression, fn := range map[Compression]matcher{ + Gzip: magicNumberMatcher(gzipMagic), + Zstd: zstdMatcher(), + } { + if fn(source) { + return compression + } + } + return Uncompressed +} + +// DecompressStream decompresses the archive and returns a ReaderCloser with the decompressed archive. +func DecompressStream(archive io.Reader) (DecompressReadCloser, error) { + buf := newBufferedReader(archive) + bs, err := buf.Peek(10) + if err != nil && err != io.EOF { + // Note: we'll ignore any io.EOF error because there are some odd + // cases where the layer.tar file will be empty (zero bytes) and + // that results in an io.EOF from the Peek() call. So, in those + // cases we'll just treat it as a non-compressed stream and + // that means just create an empty layer. + // See Issue docker/docker#18170 + return nil, err + } + + switch compression := DetectCompression(bs); compression { + case Uncompressed: + return &readCloserWrapper{ + Reader: buf, + compression: compression, + }, nil + case Gzip: + ctx, cancel := context.WithCancel(context.Background()) + gzReader, err := gzipDecompress(ctx, buf) + if err != nil { + cancel() + return nil, err + } + + return &readCloserWrapper{ + Reader: gzReader, + compression: compression, + closer: func() error { + cancel() + return gzReader.Close() + }, + }, nil + case Zstd: + zstdReader, err := zstd.NewReader(buf) + if err != nil { + return nil, err + } + return &readCloserWrapper{ + Reader: zstdReader, + compression: compression, + closer: func() error { + zstdReader.Close() + return nil + }, + }, nil + + default: + return nil, fmt.Errorf("unsupported compression format %s", (&compression).Extension()) + } +} + +// CompressStream compresses the dest with specified compression algorithm. +func CompressStream(dest io.Writer, compression Compression) (io.WriteCloser, error) { + switch compression { + case Uncompressed: + return &writeCloserWrapper{dest, nil}, nil + case Gzip: + return gzip.NewWriter(dest), nil + case Zstd: + return zstd.NewWriter(dest) + default: + return nil, fmt.Errorf("unsupported compression format %s", (&compression).Extension()) + } +} + +// Extension returns the extension of a file that uses the specified compression algorithm. +func (compression *Compression) Extension() string { + switch *compression { + case Gzip: + return "gz" + case Zstd: + return "zst" + } + return "" +} + +func gzipDecompress(ctx context.Context, buf io.Reader) (io.ReadCloser, error) { + initPigz.Do(func() { + if unpigzPath = detectPigz(); unpigzPath != "" { + log.L.Debug("using pigz for decompression") + } + }) + + if unpigzPath == "" { + return gzip.NewReader(buf) + } + + return cmdStream(exec.CommandContext(ctx, unpigzPath, "-d", "-c"), buf) +} + +func cmdStream(cmd *exec.Cmd, in io.Reader) (io.ReadCloser, error) { + reader, writer := io.Pipe() + + cmd.Stdin = in + cmd.Stdout = writer + + var errBuf bytes.Buffer + cmd.Stderr = &errBuf + + if err := cmd.Start(); err != nil { + return nil, err + } + + go func() { + if err := cmd.Wait(); err != nil { + writer.CloseWithError(fmt.Errorf("%s: %s", err, errBuf.String())) + } else { + writer.Close() + } + }() + + return reader, nil +} + +func detectPigz() string { + path, err := exec.LookPath("unpigz") + if err != nil { + log.L.WithError(err).Debug("unpigz not found, falling back to go gzip") + return "" + } + + // Check if pigz disabled via CONTAINERD_DISABLE_PIGZ env variable + value := os.Getenv(disablePigzEnv) + if value == "" { + return path + } + + disable, err := strconv.ParseBool(value) + if err != nil { + log.L.WithError(err).Warnf("could not parse %s: %s", disablePigzEnv, value) + return path + } + + if disable { + return "" + } + + return path +} diff --git a/vendor/github.com/containerd/containerd/archive/compression/compression_fuzzer.go b/vendor/github.com/containerd/containerd/archive/compression/compression_fuzzer.go new file mode 100644 index 0000000000..3516494ac0 --- /dev/null +++ b/vendor/github.com/containerd/containerd/archive/compression/compression_fuzzer.go @@ -0,0 +1,28 @@ +//go:build gofuzz + +/* + Copyright The containerd Authors. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +package compression + +import ( + "bytes" +) + +func FuzzDecompressStream(data []byte) int { + _, _ = DecompressStream(bytes.NewReader(data)) + return 1 +} diff --git a/vendor/github.com/containerd/containerd/content/adaptor.go b/vendor/github.com/containerd/containerd/content/adaptor.go new file mode 100644 index 0000000000..88bad2610e --- /dev/null +++ b/vendor/github.com/containerd/containerd/content/adaptor.go @@ -0,0 +1,52 @@ +/* + Copyright The containerd Authors. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +package content + +import ( + "strings" + + "github.com/containerd/containerd/filters" +) + +// AdaptInfo returns `filters.Adaptor` that handles `content.Info`. +func AdaptInfo(info Info) filters.Adaptor { + return filters.AdapterFunc(func(fieldpath []string) (string, bool) { + if len(fieldpath) == 0 { + return "", false + } + + switch fieldpath[0] { + case "digest": + return info.Digest.String(), true + case "size": + // TODO: support size based filtering + case "labels": + return checkMap(fieldpath[1:], info.Labels) + } + + return "", false + }) +} + +func checkMap(fieldpath []string, m map[string]string) (string, bool) { + if len(m) == 0 { + return "", false + } + + value, ok := m[strings.Join(fieldpath, ".")] + return value, ok +} diff --git a/vendor/github.com/containerd/containerd/content/content.go b/vendor/github.com/containerd/containerd/content/content.go new file mode 100644 index 0000000000..2dc7bf8b52 --- /dev/null +++ b/vendor/github.com/containerd/containerd/content/content.go @@ -0,0 +1,207 @@ +/* + Copyright The containerd Authors. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +package content + +import ( + "context" + "io" + "time" + + "github.com/opencontainers/go-digest" + ocispec "github.com/opencontainers/image-spec/specs-go/v1" +) + +// Store combines the methods of content-oriented interfaces into a set that +// are commonly provided by complete implementations. +// +// Overall content lifecycle: +// - Ingester is used to initiate a write operation (aka ingestion) +// - IngestManager is used to manage (e.g. list, abort) active ingestions +// - Once an ingestion is complete (see Writer.Commit), Provider is used to +// query a single piece of content by its digest +// - Manager is used to manage (e.g. list, delete) previously committed content +// +// Note that until ingestion is complete, its content is not visible through +// Provider or Manager. Once ingestion is complete, it is no longer exposed +// through IngestManager. +type Store interface { + Manager + Provider + IngestManager + Ingester +} + +// ReaderAt extends the standard io.ReaderAt interface with reporting of Size and io.Closer +type ReaderAt interface { + io.ReaderAt + io.Closer + Size() int64 +} + +// Provider provides a reader interface for specific content +type Provider interface { + // ReaderAt only requires desc.Digest to be set. + // Other fields in the descriptor may be used internally for resolving + // the location of the actual data. + ReaderAt(ctx context.Context, desc ocispec.Descriptor) (ReaderAt, error) +} + +// Ingester writes content +type Ingester interface { + // Writer initiates a writing operation (aka ingestion). A single ingestion + // is uniquely identified by its ref, provided using a WithRef option. + // Writer can be called multiple times with the same ref to access the same + // ingestion. + // Once all the data is written, use Writer.Commit to complete the ingestion. + Writer(ctx context.Context, opts ...WriterOpt) (Writer, error) +} + +// IngestManager provides methods for managing ingestions. An ingestion is a +// not-yet-complete writing operation initiated using Ingester and identified +// by a ref string. +type IngestManager interface { + // Status returns the status of the provided ref. + Status(ctx context.Context, ref string) (Status, error) + + // ListStatuses returns the status of any active ingestions whose ref match + // the provided regular expression. If empty, all active ingestions will be + // returned. + ListStatuses(ctx context.Context, filters ...string) ([]Status, error) + + // Abort completely cancels the ingest operation targeted by ref. + Abort(ctx context.Context, ref string) error +} + +// Info holds content specific information +type Info struct { + Digest digest.Digest + Size int64 + CreatedAt time.Time + UpdatedAt time.Time + Labels map[string]string +} + +// Status of a content operation (i.e. an ingestion) +type Status struct { + Ref string + Offset int64 + Total int64 + Expected digest.Digest + StartedAt time.Time + UpdatedAt time.Time +} + +// WalkFunc defines the callback for a blob walk. +type WalkFunc func(Info) error + +// InfoReaderProvider provides both info and reader for the specific content. +type InfoReaderProvider interface { + InfoProvider + Provider +} + +// InfoProvider provides info for content inspection. +type InfoProvider interface { + // Info will return metadata about content available in the content store. + // + // If the content is not present, ErrNotFound will be returned. + Info(ctx context.Context, dgst digest.Digest) (Info, error) +} + +// Manager provides methods for inspecting, listing and removing content. +type Manager interface { + InfoProvider + + // Update updates mutable information related to content. + // If one or more fieldpaths are provided, only those + // fields will be updated. + // Mutable fields: + // labels.* + Update(ctx context.Context, info Info, fieldpaths ...string) (Info, error) + + // Walk will call fn for each item in the content store which + // match the provided filters. If no filters are given all + // items will be walked. + Walk(ctx context.Context, fn WalkFunc, filters ...string) error + + // Delete removes the content from the store. + Delete(ctx context.Context, dgst digest.Digest) error +} + +// Writer handles writing of content into a content store +type Writer interface { + // Close closes the writer, if the writer has not been + // committed this allows resuming or aborting. + // Calling Close on a closed writer will not error. + io.WriteCloser + + // Digest may return empty digest or panics until committed. + Digest() digest.Digest + + // Commit commits the blob (but no roll-back is guaranteed on an error). + // size and expected can be zero-value when unknown. + // Commit always closes the writer, even on error. + // ErrAlreadyExists aborts the writer. + Commit(ctx context.Context, size int64, expected digest.Digest, opts ...Opt) error + + // Status returns the current state of write + Status() (Status, error) + + // Truncate updates the size of the target blob + Truncate(size int64) error +} + +// Opt is used to alter the mutable properties of content +type Opt func(*Info) error + +// WithLabels allows labels to be set on content +func WithLabels(labels map[string]string) Opt { + return func(info *Info) error { + info.Labels = labels + return nil + } +} + +// WriterOpts is internally used by WriterOpt. +type WriterOpts struct { + Ref string + Desc ocispec.Descriptor +} + +// WriterOpt is used for passing options to Ingester.Writer. +type WriterOpt func(*WriterOpts) error + +// WithDescriptor specifies an OCI descriptor. +// Writer may optionally use the descriptor internally for resolving +// the location of the actual data. +// Write does not require any field of desc to be set. +// If the data size is unknown, desc.Size should be set to 0. +// Some implementations may also accept negative values as "unknown". +func WithDescriptor(desc ocispec.Descriptor) WriterOpt { + return func(opts *WriterOpts) error { + opts.Desc = desc + return nil + } +} + +// WithRef specifies a ref string. +func WithRef(ref string) WriterOpt { + return func(opts *WriterOpts) error { + opts.Ref = ref + return nil + } +} diff --git a/vendor/github.com/containerd/containerd/content/helpers.go b/vendor/github.com/containerd/containerd/content/helpers.go new file mode 100644 index 0000000000..93bcdde106 --- /dev/null +++ b/vendor/github.com/containerd/containerd/content/helpers.go @@ -0,0 +1,340 @@ +/* + Copyright The containerd Authors. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +package content + +import ( + "context" + "errors" + "fmt" + "io" + "sync" + "time" + + "github.com/containerd/log" + "github.com/opencontainers/go-digest" + ocispec "github.com/opencontainers/image-spec/specs-go/v1" + + "github.com/containerd/containerd/errdefs" + "github.com/containerd/containerd/pkg/randutil" +) + +var ErrReset = errors.New("writer has been reset") + +var bufPool = sync.Pool{ + New: func() interface{} { + buffer := make([]byte, 1<<20) + return &buffer + }, +} + +type reader interface { + Reader() io.Reader +} + +// NewReader returns a io.Reader from a ReaderAt +func NewReader(ra ReaderAt) io.Reader { + if rd, ok := ra.(reader); ok { + return rd.Reader() + } + return io.NewSectionReader(ra, 0, ra.Size()) +} + +// ReadBlob retrieves the entire contents of the blob from the provider. +// +// Avoid using this for large blobs, such as layers. +func ReadBlob(ctx context.Context, provider Provider, desc ocispec.Descriptor) ([]byte, error) { + if int64(len(desc.Data)) == desc.Size && digest.FromBytes(desc.Data) == desc.Digest { + return desc.Data, nil + } + + ra, err := provider.ReaderAt(ctx, desc) + if err != nil { + return nil, err + } + defer ra.Close() + + p := make([]byte, ra.Size()) + + n, err := ra.ReadAt(p, 0) + if err == io.EOF { + if int64(n) != ra.Size() { + err = io.ErrUnexpectedEOF + } else { + err = nil + } + } + return p, err +} + +// WriteBlob writes data with the expected digest into the content store. If +// expected already exists, the method returns immediately and the reader will +// not be consumed. +// +// This is useful when the digest and size are known beforehand. +// +// Copy is buffered, so no need to wrap reader in buffered io. +func WriteBlob(ctx context.Context, cs Ingester, ref string, r io.Reader, desc ocispec.Descriptor, opts ...Opt) error { + cw, err := OpenWriter(ctx, cs, WithRef(ref), WithDescriptor(desc)) + if err != nil { + if !errdefs.IsAlreadyExists(err) { + return fmt.Errorf("failed to open writer: %w", err) + } + + return nil // already present + } + defer cw.Close() + + return Copy(ctx, cw, r, desc.Size, desc.Digest, opts...) +} + +// OpenWriter opens a new writer for the given reference, retrying if the writer +// is locked until the reference is available or returns an error. +func OpenWriter(ctx context.Context, cs Ingester, opts ...WriterOpt) (Writer, error) { + var ( + cw Writer + err error + retry = 16 + ) + for { + cw, err = cs.Writer(ctx, opts...) + if err != nil { + if !errdefs.IsUnavailable(err) { + return nil, err + } + + // TODO: Check status to determine if the writer is active, + // continue waiting while active, otherwise return lock + // error or abort. Requires asserting for an ingest manager + + select { + case <-time.After(time.Millisecond * time.Duration(randutil.Intn(retry))): + if retry < 2048 { + retry = retry << 1 + } + continue + case <-ctx.Done(): + // Propagate lock error + return nil, err + } + + } + break + } + + return cw, err +} + +// Copy copies data with the expected digest from the reader into the +// provided content store writer. This copy commits the writer. +// +// This is useful when the digest and size are known beforehand. When +// the size or digest is unknown, these values may be empty. +// +// Copy is buffered, so no need to wrap reader in buffered io. +func Copy(ctx context.Context, cw Writer, or io.Reader, size int64, expected digest.Digest, opts ...Opt) error { + ws, err := cw.Status() + if err != nil { + return fmt.Errorf("failed to get status: %w", err) + } + r := or + if ws.Offset > 0 { + r, err = seekReader(or, ws.Offset, size) + if err != nil { + return fmt.Errorf("unable to resume write to %v: %w", ws.Ref, err) + } + } + + for i := 0; ; i++ { + if i >= 1 { + log.G(ctx).WithField("digest", expected).Debugf("retrying copy due to reset") + } + copied, err := copyWithBuffer(cw, r) + if errors.Is(err, ErrReset) { + ws, err := cw.Status() + if err != nil { + return fmt.Errorf("failed to get status: %w", err) + } + r, err = seekReader(or, ws.Offset, size) + if err != nil { + return fmt.Errorf("unable to resume write to %v: %w", ws.Ref, err) + } + continue + } + if err != nil { + return fmt.Errorf("failed to copy: %w", err) + } + if size != 0 && copied < size-ws.Offset { + // Short writes would return its own error, this indicates a read failure + return fmt.Errorf("failed to read expected number of bytes: %w", io.ErrUnexpectedEOF) + } + if err := cw.Commit(ctx, size, expected, opts...); err != nil { + if errors.Is(err, ErrReset) { + ws, err := cw.Status() + if err != nil { + return fmt.Errorf("failed to get status: %w", err) + } + r, err = seekReader(or, ws.Offset, size) + if err != nil { + return fmt.Errorf("unable to resume write to %v: %w", ws.Ref, err) + } + continue + } + if !errdefs.IsAlreadyExists(err) { + return fmt.Errorf("failed commit on ref %q: %w", ws.Ref, err) + } + } + return nil + } +} + +// CopyReaderAt copies to a writer from a given reader at for the given +// number of bytes. This copy does not commit the writer. +func CopyReaderAt(cw Writer, ra ReaderAt, n int64) error { + ws, err := cw.Status() + if err != nil { + return err + } + + copied, err := copyWithBuffer(cw, io.NewSectionReader(ra, ws.Offset, n)) + if err != nil { + return fmt.Errorf("failed to copy: %w", err) + } + if copied < n { + // Short writes would return its own error, this indicates a read failure + return fmt.Errorf("failed to read expected number of bytes: %w", io.ErrUnexpectedEOF) + } + return nil +} + +// CopyReader copies to a writer from a given reader, returning +// the number of bytes copied. +// Note: if the writer has a non-zero offset, the total number +// of bytes read may be greater than those copied if the reader +// is not an io.Seeker. +// This copy does not commit the writer. +func CopyReader(cw Writer, r io.Reader) (int64, error) { + ws, err := cw.Status() + if err != nil { + return 0, fmt.Errorf("failed to get status: %w", err) + } + + if ws.Offset > 0 { + r, err = seekReader(r, ws.Offset, 0) + if err != nil { + return 0, fmt.Errorf("unable to resume write to %v: %w", ws.Ref, err) + } + } + + return copyWithBuffer(cw, r) +} + +// seekReader attempts to seek the reader to the given offset, either by +// resolving `io.Seeker`, by detecting `io.ReaderAt`, or discarding +// up to the given offset. +func seekReader(r io.Reader, offset, size int64) (io.Reader, error) { + // attempt to resolve r as a seeker and setup the offset. + seeker, ok := r.(io.Seeker) + if ok { + nn, err := seeker.Seek(offset, io.SeekStart) + if nn != offset { + if err == nil { + err = fmt.Errorf("unexpected seek location without seek error") + } + return nil, fmt.Errorf("failed to seek to offset %v: %w", offset, err) + } + + if err != nil { + return nil, err + } + + return r, nil + } + + // ok, let's try io.ReaderAt! + readerAt, ok := r.(io.ReaderAt) + if ok && size > offset { + sr := io.NewSectionReader(readerAt, offset, size) + return sr, nil + } + + // well then, let's just discard up to the offset + n, err := copyWithBuffer(io.Discard, io.LimitReader(r, offset)) + if err != nil { + return nil, fmt.Errorf("failed to discard to offset: %w", err) + } + if n != offset { + return nil, errors.New("unable to discard to offset") + } + + return r, nil +} + +// copyWithBuffer is very similar to io.CopyBuffer https://golang.org/pkg/io/#CopyBuffer +// but instead of using Read to read from the src, we use ReadAtLeast to make sure we have +// a full buffer before we do a write operation to dst to reduce overheads associated +// with the write operations of small buffers. +func copyWithBuffer(dst io.Writer, src io.Reader) (written int64, err error) { + // If the reader has a WriteTo method, use it to do the copy. + // Avoids an allocation and a copy. + if wt, ok := src.(io.WriterTo); ok { + return wt.WriteTo(dst) + } + // Similarly, if the writer has a ReadFrom method, use it to do the copy. + if rt, ok := dst.(io.ReaderFrom); ok { + return rt.ReadFrom(src) + } + bufRef := bufPool.Get().(*[]byte) + defer bufPool.Put(bufRef) + buf := *bufRef + for { + nr, er := io.ReadAtLeast(src, buf, len(buf)) + if nr > 0 { + nw, ew := dst.Write(buf[0:nr]) + if nw > 0 { + written += int64(nw) + } + if ew != nil { + err = ew + break + } + if nr != nw { + err = io.ErrShortWrite + break + } + } + if er != nil { + // If an EOF happens after reading fewer than the requested bytes, + // ReadAtLeast returns ErrUnexpectedEOF. + if er != io.EOF && er != io.ErrUnexpectedEOF { + err = er + } + break + } + } + return +} + +// Exists returns whether an attempt to access the content would not error out +// with an ErrNotFound error. It will return an encountered error if it was +// different than ErrNotFound. +func Exists(ctx context.Context, provider InfoProvider, desc ocispec.Descriptor) (bool, error) { + _, err := provider.Info(ctx, desc.Digest) + if errdefs.IsNotFound(err) { + return false, nil + } + return err == nil, err +} diff --git a/vendor/github.com/containerd/containerd/errdefs/errors.go b/vendor/github.com/containerd/containerd/errdefs/errors.go new file mode 100644 index 0000000000..de22cadd41 --- /dev/null +++ b/vendor/github.com/containerd/containerd/errdefs/errors.go @@ -0,0 +1,72 @@ +/* + Copyright The containerd Authors. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +// Package errdefs defines the common errors used throughout containerd +// packages. +// +// Use with fmt.Errorf to add context to an error. +// +// To detect an error class, use the IsXXX functions to tell whether an error +// is of a certain type. +package errdefs + +import ( + "github.com/containerd/errdefs" +) + +// Definitions of common error types used throughout containerd. All containerd +// errors returned by most packages will map into one of these errors classes. +// Packages should return errors of these types when they want to instruct a +// client to take a particular action. +// +// These errors map closely to grpc errors. +var ( + ErrUnknown = errdefs.ErrUnknown + ErrInvalidArgument = errdefs.ErrInvalidArgument + ErrNotFound = errdefs.ErrNotFound + ErrAlreadyExists = errdefs.ErrAlreadyExists + ErrPermissionDenied = errdefs.ErrPermissionDenied + ErrResourceExhausted = errdefs.ErrResourceExhausted + ErrFailedPrecondition = errdefs.ErrFailedPrecondition + ErrConflict = errdefs.ErrConflict + ErrNotModified = errdefs.ErrNotModified + ErrAborted = errdefs.ErrAborted + ErrOutOfRange = errdefs.ErrOutOfRange + ErrNotImplemented = errdefs.ErrNotImplemented + ErrInternal = errdefs.ErrInternal + ErrUnavailable = errdefs.ErrUnavailable + ErrDataLoss = errdefs.ErrDataLoss + ErrUnauthenticated = errdefs.ErrUnauthenticated + + IsCanceled = errdefs.IsCanceled + IsUnknown = errdefs.IsUnknown + IsInvalidArgument = errdefs.IsInvalidArgument + IsDeadlineExceeded = errdefs.IsDeadlineExceeded + IsNotFound = errdefs.IsNotFound + IsAlreadyExists = errdefs.IsAlreadyExists + IsPermissionDenied = errdefs.IsPermissionDenied + IsResourceExhausted = errdefs.IsResourceExhausted + IsFailedPrecondition = errdefs.IsFailedPrecondition + IsConflict = errdefs.IsConflict + IsNotModified = errdefs.IsNotModified + IsAborted = errdefs.IsAborted + IsOutOfRange = errdefs.IsOutOfRange + IsNotImplemented = errdefs.IsNotImplemented + IsInternal = errdefs.IsInternal + IsUnavailable = errdefs.IsUnavailable + IsDataLoss = errdefs.IsDataLoss + IsUnauthorized = errdefs.IsUnauthorized +) diff --git a/vendor/github.com/containerd/containerd/errdefs/grpc.go b/vendor/github.com/containerd/containerd/errdefs/grpc.go new file mode 100644 index 0000000000..11091b1db0 --- /dev/null +++ b/vendor/github.com/containerd/containerd/errdefs/grpc.go @@ -0,0 +1,147 @@ +/* + Copyright The containerd Authors. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +package errdefs + +import ( + "context" + "fmt" + "strings" + + "google.golang.org/grpc/codes" + "google.golang.org/grpc/status" +) + +// ToGRPC will attempt to map the backend containerd error into a grpc error, +// using the original error message as a description. +// +// Further information may be extracted from certain errors depending on their +// type. +// +// If the error is unmapped, the original error will be returned to be handled +// by the regular grpc error handling stack. +func ToGRPC(err error) error { + if err == nil { + return nil + } + + if isGRPCError(err) { + // error has already been mapped to grpc + return err + } + + switch { + case IsInvalidArgument(err): + return status.Error(codes.InvalidArgument, err.Error()) + case IsNotFound(err): + return status.Error(codes.NotFound, err.Error()) + case IsAlreadyExists(err): + return status.Error(codes.AlreadyExists, err.Error()) + case IsFailedPrecondition(err): + return status.Error(codes.FailedPrecondition, err.Error()) + case IsUnavailable(err): + return status.Error(codes.Unavailable, err.Error()) + case IsNotImplemented(err): + return status.Error(codes.Unimplemented, err.Error()) + case IsCanceled(err): + return status.Error(codes.Canceled, err.Error()) + case IsDeadlineExceeded(err): + return status.Error(codes.DeadlineExceeded, err.Error()) + } + + return err +} + +// ToGRPCf maps the error to grpc error codes, assembling the formatting string +// and combining it with the target error string. +// +// This is equivalent to errdefs.ToGRPC(fmt.Errorf("%s: %w", fmt.Sprintf(format, args...), err)) +func ToGRPCf(err error, format string, args ...interface{}) error { + return ToGRPC(fmt.Errorf("%s: %w", fmt.Sprintf(format, args...), err)) +} + +// FromGRPC returns the underlying error from a grpc service based on the grpc error code +func FromGRPC(err error) error { + if err == nil { + return nil + } + + var cls error // divide these into error classes, becomes the cause + + switch code(err) { + case codes.InvalidArgument: + cls = ErrInvalidArgument + case codes.AlreadyExists: + cls = ErrAlreadyExists + case codes.NotFound: + cls = ErrNotFound + case codes.Unavailable: + cls = ErrUnavailable + case codes.FailedPrecondition: + cls = ErrFailedPrecondition + case codes.Unimplemented: + cls = ErrNotImplemented + case codes.Canceled: + cls = context.Canceled + case codes.DeadlineExceeded: + cls = context.DeadlineExceeded + default: + cls = ErrUnknown + } + + msg := rebaseMessage(cls, err) + if msg != "" { + err = fmt.Errorf("%s: %w", msg, cls) + } else { + err = cls + } + + return err +} + +// rebaseMessage removes the repeats for an error at the end of an error +// string. This will happen when taking an error over grpc then remapping it. +// +// Effectively, we just remove the string of cls from the end of err if it +// appears there. +func rebaseMessage(cls error, err error) string { + desc := errDesc(err) + clss := cls.Error() + if desc == clss { + return "" + } + + return strings.TrimSuffix(desc, ": "+clss) +} + +func isGRPCError(err error) bool { + _, ok := status.FromError(err) + return ok +} + +func code(err error) codes.Code { + if s, ok := status.FromError(err); ok { + return s.Code() + } + return codes.Unknown +} + +func errDesc(err error) string { + if s, ok := status.FromError(err); ok { + return s.Message() + } + return err.Error() +} diff --git a/vendor/github.com/containerd/containerd/filters/adaptor.go b/vendor/github.com/containerd/containerd/filters/adaptor.go new file mode 100644 index 0000000000..5a9c559c1e --- /dev/null +++ b/vendor/github.com/containerd/containerd/filters/adaptor.go @@ -0,0 +1,33 @@ +/* + Copyright The containerd Authors. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +package filters + +// Adaptor specifies the mapping of fieldpaths to a type. For the given field +// path, the value and whether it is present should be returned. The mapping of +// the fieldpath to a field is deferred to the adaptor implementation, but +// should generally follow protobuf field path/mask semantics. +type Adaptor interface { + Field(fieldpath []string) (value string, present bool) +} + +// AdapterFunc allows implementation specific matching of fieldpaths +type AdapterFunc func(fieldpath []string) (string, bool) + +// Field returns the field name and true if it exists +func (fn AdapterFunc) Field(fieldpath []string) (string, bool) { + return fn(fieldpath) +} diff --git a/vendor/github.com/containerd/containerd/filters/filter.go b/vendor/github.com/containerd/containerd/filters/filter.go new file mode 100644 index 0000000000..dcc569a4b7 --- /dev/null +++ b/vendor/github.com/containerd/containerd/filters/filter.go @@ -0,0 +1,178 @@ +/* + Copyright The containerd Authors. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +// Package filters defines a syntax and parser that can be used for the +// filtration of items across the containerd API. The core is built on the +// concept of protobuf field paths, with quoting. Several operators allow the +// user to flexibly select items based on field presence, equality, inequality +// and regular expressions. Flexible adaptors support working with any type. +// +// The syntax is fairly familiar, if you've used container ecosystem +// projects. At the core, we base it on the concept of protobuf field +// paths, augmenting with the ability to quote portions of the field path +// to match arbitrary labels. These "selectors" come in the following +// syntax: +// +// ``` +// [] +// ``` +// +// A basic example is as follows: +// +// ``` +// name==foo +// ``` +// +// This would match all objects that have a field `name` with the value +// `foo`. If we only want to test if the field is present, we can omit the +// operator. This is most useful for matching labels in containerd. The +// following will match objects that have the field "labels" and have the +// label "foo" defined: +// +// ``` +// labels.foo +// ``` +// +// We also allow for quoting of parts of the field path to allow matching +// of arbitrary items: +// +// ``` +// labels."very complex label"==something +// ``` +// +// We also define `!=` and `~=` as operators. The `!=` will match all +// objects that don't match the value for a field and `~=` will compile the +// target value as a regular expression and match the field value against that. +// +// Selectors can be combined using a comma, such that the resulting +// selector will require all selectors are matched for the object to match. +// The following example will match objects that are named `foo` and have +// the label `bar`: +// +// ``` +// name==foo,labels.bar +// ``` +package filters + +import ( + "regexp" + + "github.com/containerd/log" +) + +// Filter matches specific resources based the provided filter +type Filter interface { + Match(adaptor Adaptor) bool +} + +// FilterFunc is a function that handles matching with an adaptor +type FilterFunc func(Adaptor) bool + +// Match matches the FilterFunc returning true if the object matches the filter +func (fn FilterFunc) Match(adaptor Adaptor) bool { + return fn(adaptor) +} + +// Always is a filter that always returns true for any type of object +var Always FilterFunc = func(adaptor Adaptor) bool { + return true +} + +// Any allows multiple filters to be matched against the object +type Any []Filter + +// Match returns true if any of the provided filters are true +func (m Any) Match(adaptor Adaptor) bool { + for _, m := range m { + if m.Match(adaptor) { + return true + } + } + + return false +} + +// All allows multiple filters to be matched against the object +type All []Filter + +// Match only returns true if all filters match the object +func (m All) Match(adaptor Adaptor) bool { + for _, m := range m { + if !m.Match(adaptor) { + return false + } + } + + return true +} + +type operator int + +const ( + operatorPresent = iota + operatorEqual + operatorNotEqual + operatorMatches +) + +func (op operator) String() string { + switch op { + case operatorPresent: + return "?" + case operatorEqual: + return "==" + case operatorNotEqual: + return "!=" + case operatorMatches: + return "~=" + } + + return "unknown" +} + +type selector struct { + fieldpath []string + operator operator + value string + re *regexp.Regexp +} + +func (m selector) Match(adaptor Adaptor) bool { + value, present := adaptor.Field(m.fieldpath) + + switch m.operator { + case operatorPresent: + return present + case operatorEqual: + return present && value == m.value + case operatorNotEqual: + return value != m.value + case operatorMatches: + if m.re == nil { + r, err := regexp.Compile(m.value) + if err != nil { + log.L.Errorf("error compiling regexp %q", m.value) + return false + } + + m.re = r + } + + return m.re.MatchString(value) + default: + return false + } +} diff --git a/vendor/github.com/containerd/containerd/filters/parser.go b/vendor/github.com/containerd/containerd/filters/parser.go new file mode 100644 index 0000000000..790597aaf2 --- /dev/null +++ b/vendor/github.com/containerd/containerd/filters/parser.go @@ -0,0 +1,294 @@ +/* + Copyright The containerd Authors. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +package filters + +import ( + "fmt" + "io" + + "github.com/containerd/containerd/errdefs" +) + +/* +Parse the strings into a filter that may be used with an adaptor. + +The filter is made up of zero or more selectors. + +The format is a comma separated list of expressions, in the form of +``, known as selectors. All selectors must match the +target object for the filter to be true. + +We define the operators "==" for equality, "!=" for not equal and "~=" for a +regular expression. If the operator and value are not present, the matcher will +test for the presence of a value, as defined by the target object. + +The formal grammar is as follows: + +selectors := selector ("," selector)* +selector := fieldpath (operator value) +fieldpath := field ('.' field)* +field := quoted | [A-Za-z] [A-Za-z0-9_]+ +operator := "==" | "!=" | "~=" +value := quoted | [^\s,]+ +quoted := +*/ +func Parse(s string) (Filter, error) { + // special case empty to match all + if s == "" { + return Always, nil + } + + p := parser{input: s} + return p.parse() +} + +// ParseAll parses each filter in ss and returns a filter that will return true +// if any filter matches the expression. +// +// If no filters are provided, the filter will match anything. +func ParseAll(ss ...string) (Filter, error) { + if len(ss) == 0 { + return Always, nil + } + + var fs []Filter + for _, s := range ss { + f, err := Parse(s) + if err != nil { + return nil, fmt.Errorf("%s: %w", err.Error(), errdefs.ErrInvalidArgument) + } + + fs = append(fs, f) + } + + return Any(fs), nil +} + +type parser struct { + input string + scanner scanner +} + +func (p *parser) parse() (Filter, error) { + p.scanner.init(p.input) + + ss, err := p.selectors() + if err != nil { + return nil, fmt.Errorf("filters: %w", err) + } + + return ss, nil +} + +func (p *parser) selectors() (Filter, error) { + s, err := p.selector() + if err != nil { + return nil, err + } + + ss := All{s} + +loop: + for { + tok := p.scanner.peek() + switch tok { + case ',': + pos, tok, _ := p.scanner.scan() + if tok != tokenSeparator { + return nil, p.mkerr(pos, "expected a separator") + } + + s, err := p.selector() + if err != nil { + return nil, err + } + + ss = append(ss, s) + case tokenEOF: + break loop + default: + return nil, p.mkerrf(p.scanner.ppos, "unexpected input: %v", string(tok)) + } + } + + return ss, nil +} + +func (p *parser) selector() (selector, error) { + fieldpath, err := p.fieldpath() + if err != nil { + return selector{}, err + } + + switch p.scanner.peek() { + case ',', tokenSeparator, tokenEOF: + return selector{ + fieldpath: fieldpath, + operator: operatorPresent, + }, nil + } + + op, err := p.operator() + if err != nil { + return selector{}, err + } + + var allowAltQuotes bool + if op == operatorMatches { + allowAltQuotes = true + } + + value, err := p.value(allowAltQuotes) + if err != nil { + if err == io.EOF { + return selector{}, io.ErrUnexpectedEOF + } + return selector{}, err + } + + return selector{ + fieldpath: fieldpath, + value: value, + operator: op, + }, nil +} + +func (p *parser) fieldpath() ([]string, error) { + f, err := p.field() + if err != nil { + return nil, err + } + + fs := []string{f} +loop: + for { + tok := p.scanner.peek() // lookahead to consume field separator + + switch tok { + case '.': + pos, tok, _ := p.scanner.scan() // consume separator + if tok != tokenSeparator { + return nil, p.mkerr(pos, "expected a field separator (`.`)") + } + + f, err := p.field() + if err != nil { + return nil, err + } + + fs = append(fs, f) + default: + // let the layer above handle the other bad cases. + break loop + } + } + + return fs, nil +} + +func (p *parser) field() (string, error) { + pos, tok, s := p.scanner.scan() + switch tok { + case tokenField: + return s, nil + case tokenQuoted: + return p.unquote(pos, s, false) + case tokenIllegal: + return "", p.mkerr(pos, p.scanner.err) + } + + return "", p.mkerr(pos, "expected field or quoted") +} + +func (p *parser) operator() (operator, error) { + pos, tok, s := p.scanner.scan() + switch tok { + case tokenOperator: + switch s { + case "==": + return operatorEqual, nil + case "!=": + return operatorNotEqual, nil + case "~=": + return operatorMatches, nil + default: + return 0, p.mkerrf(pos, "unsupported operator %q", s) + } + case tokenIllegal: + return 0, p.mkerr(pos, p.scanner.err) + } + + return 0, p.mkerr(pos, `expected an operator ("=="|"!="|"~=")`) +} + +func (p *parser) value(allowAltQuotes bool) (string, error) { + pos, tok, s := p.scanner.scan() + + switch tok { + case tokenValue, tokenField: + return s, nil + case tokenQuoted: + return p.unquote(pos, s, allowAltQuotes) + case tokenIllegal: + return "", p.mkerr(pos, p.scanner.err) + } + + return "", p.mkerr(pos, "expected value or quoted") +} + +func (p *parser) unquote(pos int, s string, allowAlts bool) (string, error) { + if !allowAlts && s[0] != '\'' && s[0] != '"' { + return "", p.mkerr(pos, "invalid quote encountered") + } + + uq, err := unquote(s) + if err != nil { + return "", p.mkerrf(pos, "unquoting failed: %v", err) + } + + return uq, nil +} + +type parseError struct { + input string + pos int + msg string +} + +func (pe parseError) Error() string { + if pe.pos < len(pe.input) { + before := pe.input[:pe.pos] + location := pe.input[pe.pos : pe.pos+1] // need to handle end + after := pe.input[pe.pos+1:] + + return fmt.Sprintf("[%s >|%s|< %s]: %v", before, location, after, pe.msg) + } + + return fmt.Sprintf("[%s]: %v", pe.input, pe.msg) +} + +func (p *parser) mkerrf(pos int, format string, args ...interface{}) error { + return p.mkerr(pos, fmt.Sprintf(format, args...)) +} + +func (p *parser) mkerr(pos int, msg string) error { + return fmt.Errorf("parse error: %w", parseError{ + input: p.input, + pos: pos, + msg: msg, + }) +} diff --git a/vendor/github.com/containerd/containerd/filters/quote.go b/vendor/github.com/containerd/containerd/filters/quote.go new file mode 100644 index 0000000000..5c800ef846 --- /dev/null +++ b/vendor/github.com/containerd/containerd/filters/quote.go @@ -0,0 +1,252 @@ +/* + Copyright The containerd Authors. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +package filters + +import ( + "errors" + "unicode/utf8" +) + +// NOTE(stevvooe): Most of this code in this file is copied from the stdlib +// strconv package and modified to be able to handle quoting with `/` and `|` +// as delimiters. The copyright is held by the Go authors. + +var errQuoteSyntax = errors.New("quote syntax error") + +// UnquoteChar decodes the first character or byte in the escaped string +// or character literal represented by the string s. +// It returns four values: +// +// 1. value, the decoded Unicode code point or byte value; +// 2. multibyte, a boolean indicating whether the decoded character requires a multibyte UTF-8 representation; +// 3. tail, the remainder of the string after the character; and +// 4. an error that will be nil if the character is syntactically valid. +// +// The second argument, quote, specifies the type of literal being parsed +// and therefore which escaped quote character is permitted. +// If set to a single quote, it permits the sequence \' and disallows unescaped '. +// If set to a double quote, it permits \" and disallows unescaped ". +// If set to zero, it does not permit either escape and allows both quote characters to appear unescaped. +// +// This is from Go strconv package, modified to support `|` and `/` as double +// quotes for use with regular expressions. +func unquoteChar(s string, quote byte) (value rune, multibyte bool, tail string, err error) { + // easy cases + switch c := s[0]; { + case c == quote && (quote == '\'' || quote == '"' || quote == '/' || quote == '|'): + err = errQuoteSyntax + return + case c >= utf8.RuneSelf: + r, size := utf8.DecodeRuneInString(s) + return r, true, s[size:], nil + case c != '\\': + return rune(s[0]), false, s[1:], nil + } + + // hard case: c is backslash + if len(s) <= 1 { + err = errQuoteSyntax + return + } + c := s[1] + s = s[2:] + + switch c { + case 'a': + value = '\a' + case 'b': + value = '\b' + case 'f': + value = '\f' + case 'n': + value = '\n' + case 'r': + value = '\r' + case 't': + value = '\t' + case 'v': + value = '\v' + case 'x', 'u', 'U': + n := 0 + switch c { + case 'x': + n = 2 + case 'u': + n = 4 + case 'U': + n = 8 + } + var v rune + if len(s) < n { + err = errQuoteSyntax + return + } + for j := 0; j < n; j++ { + x, ok := unhex(s[j]) + if !ok { + err = errQuoteSyntax + return + } + v = v<<4 | x + } + s = s[n:] + if c == 'x' { + // single-byte string, possibly not UTF-8 + value = v + break + } + if v > utf8.MaxRune { + err = errQuoteSyntax + return + } + value = v + multibyte = true + case '0', '1', '2', '3', '4', '5', '6', '7': + v := rune(c) - '0' + if len(s) < 2 { + err = errQuoteSyntax + return + } + for j := 0; j < 2; j++ { // one digit already; two more + x := rune(s[j]) - '0' + if x < 0 || x > 7 { + err = errQuoteSyntax + return + } + v = (v << 3) | x + } + s = s[2:] + if v > 255 { + err = errQuoteSyntax + return + } + value = v + case '\\': + value = '\\' + case '\'', '"', '|', '/': + if c != quote { + err = errQuoteSyntax + return + } + value = rune(c) + default: + err = errQuoteSyntax + return + } + tail = s + return +} + +// unquote interprets s as a single-quoted, double-quoted, +// or backquoted Go string literal, returning the string value +// that s quotes. (If s is single-quoted, it would be a Go +// character literal; Unquote returns the corresponding +// one-character string.) +// +// This is modified from the standard library to support `|` and `/` as quote +// characters for use with regular expressions. +func unquote(s string) (string, error) { + n := len(s) + if n < 2 { + return "", errQuoteSyntax + } + quote := s[0] + if quote != s[n-1] { + return "", errQuoteSyntax + } + s = s[1 : n-1] + + if quote == '`' { + if contains(s, '`') { + return "", errQuoteSyntax + } + if contains(s, '\r') { + // -1 because we know there is at least one \r to remove. + buf := make([]byte, 0, len(s)-1) + for i := 0; i < len(s); i++ { + if s[i] != '\r' { + buf = append(buf, s[i]) + } + } + return string(buf), nil + } + return s, nil + } + if quote != '"' && quote != '\'' && quote != '|' && quote != '/' { + return "", errQuoteSyntax + } + if contains(s, '\n') { + return "", errQuoteSyntax + } + + // Is it trivial? Avoid allocation. + if !contains(s, '\\') && !contains(s, quote) { + switch quote { + case '"', '/', '|': // pipe and slash are treated like double quote + return s, nil + case '\'': + r, size := utf8.DecodeRuneInString(s) + if size == len(s) && (r != utf8.RuneError || size != 1) { + return s, nil + } + } + } + + var runeTmp [utf8.UTFMax]byte + buf := make([]byte, 0, 3*len(s)/2) // Try to avoid more allocations. + for len(s) > 0 { + c, multibyte, ss, err := unquoteChar(s, quote) + if err != nil { + return "", err + } + s = ss + if c < utf8.RuneSelf || !multibyte { + buf = append(buf, byte(c)) + } else { + n := utf8.EncodeRune(runeTmp[:], c) + buf = append(buf, runeTmp[:n]...) + } + if quote == '\'' && len(s) != 0 { + // single-quoted must be single character + return "", errQuoteSyntax + } + } + return string(buf), nil +} + +// contains reports whether the string contains the byte c. +func contains(s string, c byte) bool { + for i := 0; i < len(s); i++ { + if s[i] == c { + return true + } + } + return false +} + +func unhex(b byte) (v rune, ok bool) { + c := rune(b) + switch { + case '0' <= c && c <= '9': + return c - '0', true + case 'a' <= c && c <= 'f': + return c - 'a' + 10, true + case 'A' <= c && c <= 'F': + return c - 'A' + 10, true + } + return +} diff --git a/vendor/github.com/containerd/containerd/filters/scanner.go b/vendor/github.com/containerd/containerd/filters/scanner.go new file mode 100644 index 0000000000..6a485467b8 --- /dev/null +++ b/vendor/github.com/containerd/containerd/filters/scanner.go @@ -0,0 +1,297 @@ +/* + Copyright The containerd Authors. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +package filters + +import ( + "unicode" + "unicode/utf8" +) + +const ( + tokenEOF = -(iota + 1) + tokenQuoted + tokenValue + tokenField + tokenSeparator + tokenOperator + tokenIllegal +) + +type token rune + +func (t token) String() string { + switch t { + case tokenEOF: + return "EOF" + case tokenQuoted: + return "Quoted" + case tokenValue: + return "Value" + case tokenField: + return "Field" + case tokenSeparator: + return "Separator" + case tokenOperator: + return "Operator" + case tokenIllegal: + return "Illegal" + } + + return string(t) +} + +func (t token) GoString() string { + return "token" + t.String() +} + +type scanner struct { + input string + pos int + ppos int // bounds the current rune in the string + value bool + err string +} + +func (s *scanner) init(input string) { + s.input = input + s.pos = 0 + s.ppos = 0 +} + +func (s *scanner) next() rune { + if s.pos >= len(s.input) { + return tokenEOF + } + s.pos = s.ppos + + r, w := utf8.DecodeRuneInString(s.input[s.ppos:]) + s.ppos += w + if r == utf8.RuneError { + if w > 0 { + s.error("rune error") + return tokenIllegal + } + return tokenEOF + } + + if r == 0 { + s.error("unexpected null") + return tokenIllegal + } + + return r +} + +func (s *scanner) peek() rune { + pos := s.pos + ppos := s.ppos + ch := s.next() + s.pos = pos + s.ppos = ppos + return ch +} + +func (s *scanner) scan() (nextp int, tk token, text string) { + var ( + ch = s.next() + pos = s.pos + ) + +chomp: + switch { + case ch == tokenEOF: + case ch == tokenIllegal: + case isQuoteRune(ch): + if !s.scanQuoted(ch) { + return pos, tokenIllegal, s.input[pos:s.ppos] + } + return pos, tokenQuoted, s.input[pos:s.ppos] + case isSeparatorRune(ch): + s.value = false + return pos, tokenSeparator, s.input[pos:s.ppos] + case isOperatorRune(ch): + s.scanOperator() + s.value = true + return pos, tokenOperator, s.input[pos:s.ppos] + case unicode.IsSpace(ch): + // chomp + ch = s.next() + pos = s.pos + goto chomp + case s.value: + s.scanValue() + s.value = false + return pos, tokenValue, s.input[pos:s.ppos] + case isFieldRune(ch): + s.scanField() + return pos, tokenField, s.input[pos:s.ppos] + } + + return s.pos, token(ch), "" +} + +func (s *scanner) scanField() { + for { + ch := s.peek() + if !isFieldRune(ch) { + break + } + s.next() + } +} + +func (s *scanner) scanOperator() { + for { + ch := s.peek() + switch ch { + case '=', '!', '~': + s.next() + default: + return + } + } +} + +func (s *scanner) scanValue() { + for { + ch := s.peek() + if !isValueRune(ch) { + break + } + s.next() + } +} + +func (s *scanner) scanQuoted(quote rune) bool { + var illegal bool + ch := s.next() // read character after quote + for ch != quote { + if ch == '\n' || ch < 0 { + s.error("quoted literal not terminated") + return false + } + if ch == '\\' { + var legal bool + ch, legal = s.scanEscape(quote) + if !legal { + illegal = true + } + } else { + ch = s.next() + } + } + return !illegal +} + +func (s *scanner) scanEscape(quote rune) (ch rune, legal bool) { + ch = s.next() // read character after '/' + switch ch { + case 'a', 'b', 'f', 'n', 'r', 't', 'v', '\\', quote: + // nothing to do + ch = s.next() + legal = true + case '0', '1', '2', '3', '4', '5', '6', '7': + ch, legal = s.scanDigits(ch, 8, 3) + case 'x': + ch, legal = s.scanDigits(s.next(), 16, 2) + case 'u': + ch, legal = s.scanDigits(s.next(), 16, 4) + case 'U': + ch, legal = s.scanDigits(s.next(), 16, 8) + default: + s.error("illegal escape sequence") + } + return +} + +func (s *scanner) scanDigits(ch rune, base, n int) (rune, bool) { + for n > 0 && digitVal(ch) < base { + ch = s.next() + n-- + } + if n > 0 { + s.error("illegal numeric escape sequence") + return ch, false + } + return ch, true +} + +func (s *scanner) error(msg string) { + if s.err == "" { + s.err = msg + } +} + +func digitVal(ch rune) int { + switch { + case '0' <= ch && ch <= '9': + return int(ch - '0') + case 'a' <= ch && ch <= 'f': + return int(ch - 'a' + 10) + case 'A' <= ch && ch <= 'F': + return int(ch - 'A' + 10) + } + return 16 // larger than any legal digit val +} + +func isFieldRune(r rune) bool { + return (r == '_' || isAlphaRune(r) || isDigitRune(r)) +} + +func isAlphaRune(r rune) bool { + return r >= 'A' && r <= 'Z' || r >= 'a' && r <= 'z' +} + +func isDigitRune(r rune) bool { + return r >= '0' && r <= '9' +} + +func isOperatorRune(r rune) bool { + switch r { + case '=', '!', '~': + return true + } + + return false +} + +func isQuoteRune(r rune) bool { + switch r { + case '/', '|', '"': // maybe add single quoting? + return true + } + + return false +} + +func isSeparatorRune(r rune) bool { + switch r { + case ',', '.': + return true + } + + return false +} + +func isValueRune(r rune) bool { + return r != ',' && !unicode.IsSpace(r) && + (unicode.IsLetter(r) || + unicode.IsDigit(r) || + unicode.IsNumber(r) || + unicode.IsGraphic(r) || + unicode.IsPunct(r)) +} diff --git a/vendor/github.com/containerd/containerd/images/annotations.go b/vendor/github.com/containerd/containerd/images/annotations.go new file mode 100644 index 0000000000..47d92104cd --- /dev/null +++ b/vendor/github.com/containerd/containerd/images/annotations.go @@ -0,0 +1,23 @@ +/* + Copyright The containerd Authors. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +package images + +const ( + // AnnotationImageName is an annotation on a Descriptor in an index.json + // containing the `Name` value as used by an `Image` struct + AnnotationImageName = "io.containerd.image.name" +) diff --git a/vendor/github.com/containerd/containerd/images/diffid.go b/vendor/github.com/containerd/containerd/images/diffid.go new file mode 100644 index 0000000000..85577eedee --- /dev/null +++ b/vendor/github.com/containerd/containerd/images/diffid.go @@ -0,0 +1,81 @@ +/* + Copyright The containerd Authors. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +package images + +import ( + "context" + "io" + + "github.com/containerd/containerd/archive/compression" + "github.com/containerd/containerd/content" + "github.com/containerd/containerd/labels" + "github.com/opencontainers/go-digest" + ocispec "github.com/opencontainers/image-spec/specs-go/v1" + "github.com/sirupsen/logrus" +) + +// GetDiffID gets the diff ID of the layer blob descriptor. +func GetDiffID(ctx context.Context, cs content.Store, desc ocispec.Descriptor) (digest.Digest, error) { + switch desc.MediaType { + case + // If the layer is already uncompressed, we can just return its digest + MediaTypeDockerSchema2Layer, + ocispec.MediaTypeImageLayer, + MediaTypeDockerSchema2LayerForeign, + ocispec.MediaTypeImageLayerNonDistributable: //nolint:staticcheck // deprecated + return desc.Digest, nil + } + info, err := cs.Info(ctx, desc.Digest) + if err != nil { + return "", err + } + v, ok := info.Labels[labels.LabelUncompressed] + if ok { + // Fast path: if the image is already unpacked, we can use the label value + return digest.Parse(v) + } + // if the image is not unpacked, we may not have the label + ra, err := cs.ReaderAt(ctx, desc) + if err != nil { + return "", err + } + defer ra.Close() + r := content.NewReader(ra) + uR, err := compression.DecompressStream(r) + if err != nil { + return "", err + } + defer uR.Close() + digester := digest.Canonical.Digester() + hashW := digester.Hash() + if _, err := io.Copy(hashW, uR); err != nil { + return "", err + } + if err := ra.Close(); err != nil { + return "", err + } + digest := digester.Digest() + // memorize the computed value + if info.Labels == nil { + info.Labels = make(map[string]string) + } + info.Labels[labels.LabelUncompressed] = digest.String() + if _, err := cs.Update(ctx, info, "labels"); err != nil { + logrus.WithError(err).Warnf("failed to set %s label for %s", labels.LabelUncompressed, desc.Digest) + } + return digest, nil +} diff --git a/vendor/github.com/containerd/containerd/images/handlers.go b/vendor/github.com/containerd/containerd/images/handlers.go new file mode 100644 index 0000000000..a685092e2c --- /dev/null +++ b/vendor/github.com/containerd/containerd/images/handlers.go @@ -0,0 +1,323 @@ +/* + Copyright The containerd Authors. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +package images + +import ( + "context" + "errors" + "fmt" + "sort" + + "github.com/containerd/platforms" + ocispec "github.com/opencontainers/image-spec/specs-go/v1" + "golang.org/x/sync/errgroup" + "golang.org/x/sync/semaphore" + + "github.com/containerd/containerd/content" + "github.com/containerd/containerd/errdefs" +) + +var ( + // ErrSkipDesc is used to skip processing of a descriptor and + // its descendants. + ErrSkipDesc = errors.New("skip descriptor") + + // ErrStopHandler is used to signify that the descriptor + // has been handled and should not be handled further. + // This applies only to a single descriptor in a handler + // chain and does not apply to descendant descriptors. + ErrStopHandler = errors.New("stop handler") + + // ErrEmptyWalk is used when the WalkNotEmpty handlers return no + // children (e.g.: they were filtered out). + ErrEmptyWalk = errors.New("image might be filtered out") +) + +// Handler handles image manifests +type Handler interface { + Handle(ctx context.Context, desc ocispec.Descriptor) (subdescs []ocispec.Descriptor, err error) +} + +// HandlerFunc function implementing the Handler interface +type HandlerFunc func(ctx context.Context, desc ocispec.Descriptor) (subdescs []ocispec.Descriptor, err error) + +// Handle image manifests +func (fn HandlerFunc) Handle(ctx context.Context, desc ocispec.Descriptor) (subdescs []ocispec.Descriptor, err error) { + return fn(ctx, desc) +} + +// Handlers returns a handler that will run the handlers in sequence. +// +// A handler may return `ErrStopHandler` to stop calling additional handlers +func Handlers(handlers ...Handler) HandlerFunc { + return func(ctx context.Context, desc ocispec.Descriptor) (subdescs []ocispec.Descriptor, err error) { + var children []ocispec.Descriptor + for _, handler := range handlers { + ch, err := handler.Handle(ctx, desc) + if err != nil { + if errors.Is(err, ErrStopHandler) { + break + } + return nil, err + } + + children = append(children, ch...) + } + + return children, nil + } +} + +// Walk the resources of an image and call the handler for each. If the handler +// decodes the sub-resources for each image, +// +// This differs from dispatch in that each sibling resource is considered +// synchronously. +func Walk(ctx context.Context, handler Handler, descs ...ocispec.Descriptor) error { + for _, desc := range descs { + + children, err := handler.Handle(ctx, desc) + if err != nil { + if errors.Is(err, ErrSkipDesc) { + continue // don't traverse the children. + } + return err + } + + if len(children) > 0 { + if err := Walk(ctx, handler, children...); err != nil { + return err + } + } + } + return nil +} + +// WalkNotEmpty works the same way Walk does, with the exception that it ensures that +// some children are still found by Walking the descriptors (for example, not all of +// them have been filtered out by one of the handlers). If there are no children, +// then an ErrEmptyWalk error is returned. +func WalkNotEmpty(ctx context.Context, handler Handler, descs ...ocispec.Descriptor) error { + isEmpty := true + var notEmptyHandler HandlerFunc = func(ctx context.Context, desc ocispec.Descriptor) ([]ocispec.Descriptor, error) { + children, err := handler.Handle(ctx, desc) + if err != nil { + return children, err + } + + if len(children) > 0 { + isEmpty = false + } + + return children, nil + } + + err := Walk(ctx, notEmptyHandler, descs...) + if err != nil { + return err + } + + if isEmpty { + return ErrEmptyWalk + } + + return nil +} + +// Dispatch runs the provided handler for content specified by the descriptors. +// If the handler decode subresources, they will be visited, as well. +// +// Handlers for siblings are run in parallel on the provided descriptors. A +// handler may return `ErrSkipDesc` to signal to the dispatcher to not traverse +// any children. +// +// A concurrency limiter can be passed in to limit the number of concurrent +// handlers running. When limiter is nil, there is no limit. +// +// Typically, this function will be used with `FetchHandler`, often composed +// with other handlers. +// +// If any handler returns an error, the dispatch session will be canceled. +func Dispatch(ctx context.Context, handler Handler, limiter *semaphore.Weighted, descs ...ocispec.Descriptor) error { + eg, ctx2 := errgroup.WithContext(ctx) + for _, desc := range descs { + desc := desc + + if limiter != nil { + if err := limiter.Acquire(ctx, 1); err != nil { + return err + } + } + + eg.Go(func() error { + desc := desc + + children, err := handler.Handle(ctx2, desc) + if limiter != nil { + limiter.Release(1) + } + if err != nil { + if errors.Is(err, ErrSkipDesc) { + return nil // don't traverse the children. + } + return err + } + + if len(children) > 0 { + return Dispatch(ctx2, handler, limiter, children...) + } + + return nil + }) + } + + return eg.Wait() +} + +// ChildrenHandler decodes well-known manifest types and returns their children. +// +// This is useful for supporting recursive fetch and other use cases where you +// want to do a full walk of resources. +// +// One can also replace this with another implementation to allow descending of +// arbitrary types. +func ChildrenHandler(provider content.Provider) HandlerFunc { + return func(ctx context.Context, desc ocispec.Descriptor) ([]ocispec.Descriptor, error) { + return Children(ctx, provider, desc) + } +} + +// SetChildrenLabels is a handler wrapper which sets labels for the content on +// the children returned by the handler and passes through the children. +// Must follow a handler that returns the children to be labeled. +func SetChildrenLabels(manager content.Manager, f HandlerFunc) HandlerFunc { + return SetChildrenMappedLabels(manager, f, nil) +} + +// SetChildrenMappedLabels is a handler wrapper which sets labels for the content on +// the children returned by the handler and passes through the children. +// Must follow a handler that returns the children to be labeled. +// The label map allows the caller to control the labels per child descriptor. +// For returned labels, the index of the child will be appended to the end +// except for the first index when the returned label does not end with '.'. +func SetChildrenMappedLabels(manager content.Manager, f HandlerFunc, labelMap func(ocispec.Descriptor) []string) HandlerFunc { + if labelMap == nil { + labelMap = ChildGCLabels + } + return func(ctx context.Context, desc ocispec.Descriptor) ([]ocispec.Descriptor, error) { + children, err := f(ctx, desc) + if err != nil { + return children, err + } + + if len(children) > 0 { + var ( + info = content.Info{ + Digest: desc.Digest, + Labels: map[string]string{}, + } + fields = []string{} + keys = map[string]uint{} + ) + for _, ch := range children { + labelKeys := labelMap(ch) + for _, key := range labelKeys { + idx := keys[key] + keys[key] = idx + 1 + if idx > 0 || key[len(key)-1] == '.' { + key = fmt.Sprintf("%s%d", key, idx) + } + + info.Labels[key] = ch.Digest.String() + fields = append(fields, "labels."+key) + } + } + + _, err := manager.Update(ctx, info, fields...) + if err != nil { + return nil, err + } + } + + return children, err + } +} + +// FilterPlatforms is a handler wrapper which limits the descriptors returned +// based on matching the specified platform matcher. +func FilterPlatforms(f HandlerFunc, m platforms.Matcher) HandlerFunc { + return func(ctx context.Context, desc ocispec.Descriptor) ([]ocispec.Descriptor, error) { + children, err := f(ctx, desc) + if err != nil { + return children, err + } + + var descs []ocispec.Descriptor + + if m == nil { + descs = children + } else { + for _, d := range children { + if d.Platform == nil || m.Match(*d.Platform) { + descs = append(descs, d) + } + } + } + + return descs, nil + } +} + +// LimitManifests is a handler wrapper which filters the manifest descriptors +// returned using the provided platform. +// The results will be ordered according to the comparison operator and +// use the ordering in the manifests for equal matches. +// A limit of 0 or less is considered no limit. +// A not found error is returned if no manifest is matched. +func LimitManifests(f HandlerFunc, m platforms.MatchComparer, n int) HandlerFunc { + return func(ctx context.Context, desc ocispec.Descriptor) ([]ocispec.Descriptor, error) { + children, err := f(ctx, desc) + if err != nil { + return children, err + } + + switch desc.MediaType { + case ocispec.MediaTypeImageIndex, MediaTypeDockerSchema2ManifestList: + sort.SliceStable(children, func(i, j int) bool { + if children[i].Platform == nil { + return false + } + if children[j].Platform == nil { + return true + } + return m.Less(*children[i].Platform, *children[j].Platform) + }) + + if n > 0 { + if len(children) == 0 { + return children, fmt.Errorf("no match for platform in manifest: %w", errdefs.ErrNotFound) + } + if len(children) > n { + children = children[:n] + } + } + default: + // only limit manifests from an index + } + return children, nil + } +} diff --git a/vendor/github.com/containerd/containerd/images/image.go b/vendor/github.com/containerd/containerd/images/image.go new file mode 100644 index 0000000000..8bebae19b3 --- /dev/null +++ b/vendor/github.com/containerd/containerd/images/image.go @@ -0,0 +1,444 @@ +/* + Copyright The containerd Authors. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +package images + +import ( + "context" + "encoding/json" + "fmt" + "sort" + "time" + + "github.com/containerd/log" + "github.com/containerd/platforms" + digest "github.com/opencontainers/go-digest" + ocispec "github.com/opencontainers/image-spec/specs-go/v1" + + "github.com/containerd/containerd/content" + "github.com/containerd/containerd/errdefs" +) + +// Image provides the model for how containerd views container images. +type Image struct { + // Name of the image. + // + // To be pulled, it must be a reference compatible with resolvers. + // + // This field is required. + Name string + + // Labels provide runtime decoration for the image record. + // + // There is no default behavior for how these labels are propagated. They + // only decorate the static metadata object. + // + // This field is optional. + Labels map[string]string + + // Target describes the root content for this image. Typically, this is + // a manifest, index or manifest list. + Target ocispec.Descriptor + + CreatedAt, UpdatedAt time.Time +} + +// DeleteOptions provide options on image delete +type DeleteOptions struct { + Synchronous bool +} + +// DeleteOpt allows configuring a delete operation +type DeleteOpt func(context.Context, *DeleteOptions) error + +// SynchronousDelete is used to indicate that an image deletion and removal of +// the image resources should occur synchronously before returning a result. +func SynchronousDelete() DeleteOpt { + return func(ctx context.Context, o *DeleteOptions) error { + o.Synchronous = true + return nil + } +} + +// Store and interact with images +type Store interface { + Get(ctx context.Context, name string) (Image, error) + List(ctx context.Context, filters ...string) ([]Image, error) + Create(ctx context.Context, image Image) (Image, error) + + // Update will replace the data in the store with the provided image. If + // one or more fieldpaths are provided, only those fields will be updated. + Update(ctx context.Context, image Image, fieldpaths ...string) (Image, error) + + Delete(ctx context.Context, name string, opts ...DeleteOpt) error +} + +// TODO(stevvooe): Many of these functions make strong platform assumptions, +// which are untrue in a lot of cases. More refactoring must be done here to +// make this work in all cases. + +// Config resolves the image configuration descriptor. +// +// The caller can then use the descriptor to resolve and process the +// configuration of the image. +func (image *Image) Config(ctx context.Context, provider content.Provider, platform platforms.MatchComparer) (ocispec.Descriptor, error) { + return Config(ctx, provider, image.Target, platform) +} + +// RootFS returns the unpacked diffids that make up and images rootfs. +// +// These are used to verify that a set of layers unpacked to the expected +// values. +func (image *Image) RootFS(ctx context.Context, provider content.Provider, platform platforms.MatchComparer) ([]digest.Digest, error) { + desc, err := image.Config(ctx, provider, platform) + if err != nil { + return nil, err + } + return RootFS(ctx, provider, desc) +} + +// Size returns the total size of an image's packed resources. +func (image *Image) Size(ctx context.Context, provider content.Provider, platform platforms.MatchComparer) (int64, error) { + var size int64 + return size, Walk(ctx, Handlers(HandlerFunc(func(ctx context.Context, desc ocispec.Descriptor) ([]ocispec.Descriptor, error) { + if desc.Size < 0 { + return nil, fmt.Errorf("invalid size %v in %v (%v)", desc.Size, desc.Digest, desc.MediaType) + } + size += desc.Size + return nil, nil + }), LimitManifests(FilterPlatforms(ChildrenHandler(provider), platform), platform, 1)), image.Target) +} + +type platformManifest struct { + p *ocispec.Platform + m *ocispec.Manifest +} + +// Manifest resolves a manifest from the image for the given platform. +// +// When a manifest descriptor inside of a manifest index does not have +// a platform defined, the platform from the image config is considered. +// +// If the descriptor points to a non-index manifest, then the manifest is +// unmarshalled and returned without considering the platform inside of the +// config. +// +// TODO(stevvooe): This violates the current platform agnostic approach to this +// package by returning a specific manifest type. We'll need to refactor this +// to return a manifest descriptor or decide that we want to bring the API in +// this direction because this abstraction is not needed. +func Manifest(ctx context.Context, provider content.Provider, image ocispec.Descriptor, platform platforms.MatchComparer) (ocispec.Manifest, error) { + var ( + limit = 1 + m []platformManifest + wasIndex bool + ) + + if err := Walk(ctx, HandlerFunc(func(ctx context.Context, desc ocispec.Descriptor) ([]ocispec.Descriptor, error) { + switch desc.MediaType { + case MediaTypeDockerSchema2Manifest, ocispec.MediaTypeImageManifest: + p, err := content.ReadBlob(ctx, provider, desc) + if err != nil { + return nil, err + } + + if err := validateMediaType(p, desc.MediaType); err != nil { + return nil, fmt.Errorf("manifest: invalid desc %s: %w", desc.Digest, err) + } + + var manifest ocispec.Manifest + if err := json.Unmarshal(p, &manifest); err != nil { + return nil, err + } + + if desc.Digest != image.Digest && platform != nil { + if desc.Platform != nil && !platform.Match(*desc.Platform) { + return nil, nil + } + + if desc.Platform == nil { + p, err := content.ReadBlob(ctx, provider, manifest.Config) + if err != nil { + return nil, err + } + + var image ocispec.Image + if err := json.Unmarshal(p, &image); err != nil { + return nil, err + } + + if !platform.Match(platforms.Normalize(ocispec.Platform{OS: image.OS, Architecture: image.Architecture})) { + return nil, nil + } + + } + } + + m = append(m, platformManifest{ + p: desc.Platform, + m: &manifest, + }) + + return nil, nil + case MediaTypeDockerSchema2ManifestList, ocispec.MediaTypeImageIndex: + p, err := content.ReadBlob(ctx, provider, desc) + if err != nil { + return nil, err + } + + if err := validateMediaType(p, desc.MediaType); err != nil { + return nil, fmt.Errorf("manifest: invalid desc %s: %w", desc.Digest, err) + } + + var idx ocispec.Index + if err := json.Unmarshal(p, &idx); err != nil { + return nil, err + } + + if platform == nil { + return idx.Manifests, nil + } + + var descs []ocispec.Descriptor + for _, d := range idx.Manifests { + if d.Platform == nil || platform.Match(*d.Platform) { + descs = append(descs, d) + } + } + + sort.SliceStable(descs, func(i, j int) bool { + if descs[i].Platform == nil { + return false + } + if descs[j].Platform == nil { + return true + } + return platform.Less(*descs[i].Platform, *descs[j].Platform) + }) + + wasIndex = true + + if len(descs) > limit { + return descs[:limit], nil + } + return descs, nil + } + return nil, fmt.Errorf("unexpected media type %v for %v: %w", desc.MediaType, desc.Digest, errdefs.ErrNotFound) + }), image); err != nil { + return ocispec.Manifest{}, err + } + + if len(m) == 0 { + err := fmt.Errorf("manifest %v: %w", image.Digest, errdefs.ErrNotFound) + if wasIndex { + err = fmt.Errorf("no match for platform in manifest %v: %w", image.Digest, errdefs.ErrNotFound) + } + return ocispec.Manifest{}, err + } + return *m[0].m, nil +} + +// Config resolves the image configuration descriptor using a content provided +// to resolve child resources on the image. +// +// The caller can then use the descriptor to resolve and process the +// configuration of the image. +func Config(ctx context.Context, provider content.Provider, image ocispec.Descriptor, platform platforms.MatchComparer) (ocispec.Descriptor, error) { + manifest, err := Manifest(ctx, provider, image, platform) + if err != nil { + return ocispec.Descriptor{}, err + } + return manifest.Config, err +} + +// Platforms returns one or more platforms supported by the image. +func Platforms(ctx context.Context, provider content.Provider, image ocispec.Descriptor) ([]ocispec.Platform, error) { + var platformSpecs []ocispec.Platform + return platformSpecs, Walk(ctx, Handlers(HandlerFunc(func(ctx context.Context, desc ocispec.Descriptor) ([]ocispec.Descriptor, error) { + if desc.Platform != nil { + if desc.Platform.OS == "unknown" || desc.Platform.Architecture == "unknown" { + return nil, ErrSkipDesc + } + platformSpecs = append(platformSpecs, *desc.Platform) + return nil, ErrSkipDesc + } + + switch desc.MediaType { + case MediaTypeDockerSchema2Config, ocispec.MediaTypeImageConfig: + p, err := content.ReadBlob(ctx, provider, desc) + if err != nil { + return nil, err + } + + var image ocispec.Image + if err := json.Unmarshal(p, &image); err != nil { + return nil, err + } + + platformSpecs = append(platformSpecs, + platforms.Normalize(ocispec.Platform{OS: image.OS, Architecture: image.Architecture})) + } + return nil, nil + }), ChildrenHandler(provider)), image) +} + +// Check returns nil if the all components of an image are available in the +// provider for the specified platform. +// +// If available is true, the caller can assume that required represents the +// complete set of content required for the image. +// +// missing will have the components that are part of required but not available +// in the provider. +// +// If there is a problem resolving content, an error will be returned. +func Check(ctx context.Context, provider content.Provider, image ocispec.Descriptor, platform platforms.MatchComparer) (available bool, required, present, missing []ocispec.Descriptor, err error) { + mfst, err := Manifest(ctx, provider, image, platform) + if err != nil { + if errdefs.IsNotFound(err) { + return false, []ocispec.Descriptor{image}, nil, []ocispec.Descriptor{image}, nil + } + + return false, nil, nil, nil, fmt.Errorf("failed to check image %v: %w", image.Digest, err) + } + + // TODO(stevvooe): It is possible that referenced components could have + // children, but this is rare. For now, we ignore this and only verify + // that manifest components are present. + required = append([]ocispec.Descriptor{mfst.Config}, mfst.Layers...) + + for _, desc := range required { + ra, err := provider.ReaderAt(ctx, desc) + if err != nil { + if errdefs.IsNotFound(err) { + missing = append(missing, desc) + continue + } else { + return false, nil, nil, nil, fmt.Errorf("failed to check image %v: %w", desc.Digest, err) + } + } + ra.Close() + present = append(present, desc) + + } + + return true, required, present, missing, nil +} + +// Children returns the immediate children of content described by the descriptor. +func Children(ctx context.Context, provider content.Provider, desc ocispec.Descriptor) ([]ocispec.Descriptor, error) { + var descs []ocispec.Descriptor + switch desc.MediaType { + case MediaTypeDockerSchema2Manifest, ocispec.MediaTypeImageManifest: + p, err := content.ReadBlob(ctx, provider, desc) + if err != nil { + return nil, err + } + + if err := validateMediaType(p, desc.MediaType); err != nil { + return nil, fmt.Errorf("children: invalid desc %s: %w", desc.Digest, err) + } + + // TODO(stevvooe): We just assume oci manifest, for now. There may be + // subtle differences from the docker version. + var manifest ocispec.Manifest + if err := json.Unmarshal(p, &manifest); err != nil { + return nil, err + } + + descs = append(descs, manifest.Config) + descs = append(descs, manifest.Layers...) + case MediaTypeDockerSchema2ManifestList, ocispec.MediaTypeImageIndex: + p, err := content.ReadBlob(ctx, provider, desc) + if err != nil { + return nil, err + } + + if err := validateMediaType(p, desc.MediaType); err != nil { + return nil, fmt.Errorf("children: invalid desc %s: %w", desc.Digest, err) + } + + var index ocispec.Index + if err := json.Unmarshal(p, &index); err != nil { + return nil, err + } + + descs = append(descs, index.Manifests...) + default: + if IsLayerType(desc.MediaType) || IsKnownConfig(desc.MediaType) || IsAttestationType(desc.MediaType) { + // childless data types. + return nil, nil + } + log.G(ctx).Debugf("encountered unknown type %v; children may not be fetched", desc.MediaType) + } + + return descs, nil +} + +// unknownDocument represents a manifest, manifest list, or index that has not +// yet been validated. +type unknownDocument struct { + MediaType string `json:"mediaType,omitempty"` + Config json.RawMessage `json:"config,omitempty"` + Layers json.RawMessage `json:"layers,omitempty"` + Manifests json.RawMessage `json:"manifests,omitempty"` + FSLayers json.RawMessage `json:"fsLayers,omitempty"` // schema 1 +} + +// validateMediaType returns an error if the byte slice is invalid JSON or if +// the media type identifies the blob as one format but it contains elements of +// another format. +func validateMediaType(b []byte, mt string) error { + var doc unknownDocument + if err := json.Unmarshal(b, &doc); err != nil { + return err + } + if len(doc.FSLayers) != 0 { + return fmt.Errorf("media-type: schema 1 not supported") + } + switch mt { + case MediaTypeDockerSchema2Manifest, ocispec.MediaTypeImageManifest: + if len(doc.Manifests) != 0 || + doc.MediaType == MediaTypeDockerSchema2ManifestList || + doc.MediaType == ocispec.MediaTypeImageIndex { + return fmt.Errorf("media-type: expected manifest but found index (%s)", mt) + } + case MediaTypeDockerSchema2ManifestList, ocispec.MediaTypeImageIndex: + if len(doc.Config) != 0 || len(doc.Layers) != 0 || + doc.MediaType == MediaTypeDockerSchema2Manifest || + doc.MediaType == ocispec.MediaTypeImageManifest { + return fmt.Errorf("media-type: expected index but found manifest (%s)", mt) + } + } + return nil +} + +// RootFS returns the unpacked diffids that make up and images rootfs. +// +// These are used to verify that a set of layers unpacked to the expected +// values. +func RootFS(ctx context.Context, provider content.Provider, configDesc ocispec.Descriptor) ([]digest.Digest, error) { + p, err := content.ReadBlob(ctx, provider, configDesc) + if err != nil { + return nil, err + } + + var config ocispec.Image + if err := json.Unmarshal(p, &config); err != nil { + return nil, err + } + return config.RootFS.DiffIDs, nil +} diff --git a/vendor/github.com/containerd/containerd/images/importexport.go b/vendor/github.com/containerd/containerd/images/importexport.go new file mode 100644 index 0000000000..843adcadc7 --- /dev/null +++ b/vendor/github.com/containerd/containerd/images/importexport.go @@ -0,0 +1,37 @@ +/* + Copyright The containerd Authors. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +package images + +import ( + "context" + "io" + + "github.com/containerd/containerd/content" + ocispec "github.com/opencontainers/image-spec/specs-go/v1" +) + +// Importer is the interface for image importer. +type Importer interface { + // Import imports an image from a tar stream. + Import(ctx context.Context, store content.Store, reader io.Reader) (ocispec.Descriptor, error) +} + +// Exporter is the interface for image exporter. +type Exporter interface { + // Export exports an image to a tar stream. + Export(ctx context.Context, store content.Provider, desc ocispec.Descriptor, writer io.Writer) error +} diff --git a/vendor/github.com/containerd/containerd/images/labels.go b/vendor/github.com/containerd/containerd/images/labels.go new file mode 100644 index 0000000000..06dfed572d --- /dev/null +++ b/vendor/github.com/containerd/containerd/images/labels.go @@ -0,0 +1,21 @@ +/* + Copyright The containerd Authors. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +package images + +const ( + ConvertedDockerSchema1LabelKey = "io.containerd.image/converted-docker-schema1" +) diff --git a/vendor/github.com/containerd/containerd/images/mediatypes.go b/vendor/github.com/containerd/containerd/images/mediatypes.go new file mode 100644 index 0000000000..49d2a5b1c5 --- /dev/null +++ b/vendor/github.com/containerd/containerd/images/mediatypes.go @@ -0,0 +1,228 @@ +/* + Copyright The containerd Authors. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +package images + +import ( + "context" + "fmt" + "sort" + "strings" + + "github.com/containerd/containerd/errdefs" + ocispec "github.com/opencontainers/image-spec/specs-go/v1" +) + +// mediatype definitions for image components handled in containerd. +// +// oci components are generally referenced directly, although we may centralize +// here for clarity. +const ( + MediaTypeDockerSchema2Layer = "application/vnd.docker.image.rootfs.diff.tar" + MediaTypeDockerSchema2LayerForeign = "application/vnd.docker.image.rootfs.foreign.diff.tar" + MediaTypeDockerSchema2LayerGzip = "application/vnd.docker.image.rootfs.diff.tar.gzip" + MediaTypeDockerSchema2LayerForeignGzip = "application/vnd.docker.image.rootfs.foreign.diff.tar.gzip" + MediaTypeDockerSchema2Config = "application/vnd.docker.container.image.v1+json" + MediaTypeDockerSchema2Manifest = "application/vnd.docker.distribution.manifest.v2+json" + MediaTypeDockerSchema2ManifestList = "application/vnd.docker.distribution.manifest.list.v2+json" + + // Checkpoint/Restore Media Types + + MediaTypeContainerd1Checkpoint = "application/vnd.containerd.container.criu.checkpoint.criu.tar" + MediaTypeContainerd1CheckpointPreDump = "application/vnd.containerd.container.criu.checkpoint.predump.tar" + MediaTypeContainerd1Resource = "application/vnd.containerd.container.resource.tar" + MediaTypeContainerd1RW = "application/vnd.containerd.container.rw.tar" + MediaTypeContainerd1CheckpointConfig = "application/vnd.containerd.container.checkpoint.config.v1+proto" + MediaTypeContainerd1CheckpointOptions = "application/vnd.containerd.container.checkpoint.options.v1+proto" + MediaTypeContainerd1CheckpointRuntimeName = "application/vnd.containerd.container.checkpoint.runtime.name" + MediaTypeContainerd1CheckpointRuntimeOptions = "application/vnd.containerd.container.checkpoint.runtime.options+proto" + + // MediaTypeDockerSchema1Manifest is the legacy Docker schema1 manifest + MediaTypeDockerSchema1Manifest = "application/vnd.docker.distribution.manifest.v1+prettyjws" + + // Encrypted media types + + MediaTypeImageLayerEncrypted = ocispec.MediaTypeImageLayer + "+encrypted" + MediaTypeImageLayerGzipEncrypted = ocispec.MediaTypeImageLayerGzip + "+encrypted" + + // In-toto attestation + MediaTypeInToto = "application/vnd.in-toto+json" +) + +// DiffCompression returns the compression as defined by the layer diff media +// type. For Docker media types without compression, "unknown" is returned to +// indicate that the media type may be compressed. If the media type is not +// recognized as a layer diff, then it returns errdefs.ErrNotImplemented +func DiffCompression(ctx context.Context, mediaType string) (string, error) { + base, ext := parseMediaTypes(mediaType) + switch base { + case MediaTypeDockerSchema2Layer, MediaTypeDockerSchema2LayerForeign: + if len(ext) > 0 { + // Type is wrapped + return "", nil + } + // These media types may have been compressed but failed to + // use the correct media type. The decompression function + // should detect and handle this case. + return "unknown", nil + case MediaTypeDockerSchema2LayerGzip, MediaTypeDockerSchema2LayerForeignGzip: + if len(ext) > 0 { + // Type is wrapped + return "", nil + } + return "gzip", nil + case ocispec.MediaTypeImageLayer, ocispec.MediaTypeImageLayerNonDistributable: //nolint:staticcheck // Non-distributable layers are deprecated + if len(ext) > 0 { + switch ext[len(ext)-1] { + case "gzip": + return "gzip", nil + case "zstd": + return "zstd", nil + } + } + return "", nil + default: + return "", fmt.Errorf("unrecognised mediatype %s: %w", mediaType, errdefs.ErrNotImplemented) + } +} + +// parseMediaTypes splits the media type into the base type and +// an array of sorted extensions +func parseMediaTypes(mt string) (mediaType string, suffixes []string) { + if mt == "" { + return "", []string{} + } + mediaType, ext, ok := strings.Cut(mt, "+") + if !ok { + return mediaType, []string{} + } + + // Splitting the extensions following the mediatype "(+)gzip+encrypted". + // We expect this to be a limited list, so add an arbitrary limit (50). + // + // Note that DiffCompression is only using the last element, so perhaps we + // should split on the last "+" only. + suffixes = strings.SplitN(ext, "+", 50) + sort.Strings(suffixes) + return mediaType, suffixes +} + +// IsNonDistributable returns true if the media type is non-distributable. +func IsNonDistributable(mt string) bool { + return strings.HasPrefix(mt, "application/vnd.oci.image.layer.nondistributable.") || + strings.HasPrefix(mt, "application/vnd.docker.image.rootfs.foreign.") +} + +// IsLayerType returns true if the media type is a layer +func IsLayerType(mt string) bool { + if strings.HasPrefix(mt, "application/vnd.oci.image.layer.") { + return true + } + + // Parse Docker media types, strip off any + suffixes first + switch base, _ := parseMediaTypes(mt); base { + case MediaTypeDockerSchema2Layer, MediaTypeDockerSchema2LayerGzip, + MediaTypeDockerSchema2LayerForeign, MediaTypeDockerSchema2LayerForeignGzip: + return true + } + return false +} + +// IsDockerType returns true if the media type has "application/vnd.docker." prefix +func IsDockerType(mt string) bool { + return strings.HasPrefix(mt, "application/vnd.docker.") +} + +// IsManifestType returns true if the media type is an OCI-compatible manifest. +// No support for schema1 manifest. +func IsManifestType(mt string) bool { + switch mt { + case MediaTypeDockerSchema2Manifest, ocispec.MediaTypeImageManifest: + return true + default: + return false + } +} + +// IsIndexType returns true if the media type is an OCI-compatible index. +func IsIndexType(mt string) bool { + switch mt { + case ocispec.MediaTypeImageIndex, MediaTypeDockerSchema2ManifestList: + return true + default: + return false + } +} + +// IsConfigType returns true if the media type is an OCI-compatible image config. +// No support for containerd checkpoint configs. +func IsConfigType(mt string) bool { + switch mt { + case MediaTypeDockerSchema2Config, ocispec.MediaTypeImageConfig: + return true + default: + return false + } +} + +// IsKnownConfig returns true if the media type is a known config type, +// including containerd checkpoint configs +func IsKnownConfig(mt string) bool { + switch mt { + case MediaTypeDockerSchema2Config, ocispec.MediaTypeImageConfig, + MediaTypeContainerd1Checkpoint, MediaTypeContainerd1CheckpointConfig: + return true + } + return false +} + +// IsAttestationType returns true if the media type is an attestation type +func IsAttestationType(mt string) bool { + switch mt { + case MediaTypeInToto: + return true + default: + return false + } +} + +// ChildGCLabels returns the label for a given descriptor to reference it +func ChildGCLabels(desc ocispec.Descriptor) []string { + mt := desc.MediaType + if IsKnownConfig(mt) { + return []string{"containerd.io/gc.ref.content.config"} + } + + switch mt { + case MediaTypeDockerSchema2Manifest, ocispec.MediaTypeImageManifest: + return []string{"containerd.io/gc.ref.content.m."} + } + + if IsLayerType(mt) { + return []string{"containerd.io/gc.ref.content.l."} + } + + return []string{"containerd.io/gc.ref.content."} +} + +// ChildGCLabelsFilterLayers returns the labels for a given descriptor to +// reference it, skipping layer media types +func ChildGCLabelsFilterLayers(desc ocispec.Descriptor) []string { + if IsLayerType(desc.MediaType) { + return nil + } + return ChildGCLabels(desc) +} diff --git a/vendor/github.com/containerd/containerd/labels/labels.go b/vendor/github.com/containerd/containerd/labels/labels.go new file mode 100644 index 0000000000..0f9bab5c5d --- /dev/null +++ b/vendor/github.com/containerd/containerd/labels/labels.go @@ -0,0 +1,29 @@ +/* + Copyright The containerd Authors. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +package labels + +// LabelUncompressed is added to compressed layer contents. +// The value is digest of the uncompressed content. +const LabelUncompressed = "containerd.io/uncompressed" + +// LabelSharedNamespace is added to a namespace to allow that namespaces +// contents to be shared. +const LabelSharedNamespace = "containerd.io/namespace.shareable" + +// LabelDistributionSource is added to content to indicate its origin. +// e.g., "containerd.io/distribution.source.docker.io=library/redis" +const LabelDistributionSource = "containerd.io/distribution.source" diff --git a/vendor/github.com/containerd/containerd/labels/validate.go b/vendor/github.com/containerd/containerd/labels/validate.go new file mode 100644 index 0000000000..f83b5dde29 --- /dev/null +++ b/vendor/github.com/containerd/containerd/labels/validate.go @@ -0,0 +1,41 @@ +/* + Copyright The containerd Authors. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +package labels + +import ( + "fmt" + + "github.com/containerd/containerd/errdefs" +) + +const ( + maxSize = 4096 + // maximum length of key portion of error message if len of key + len of value > maxSize + keyMaxLen = 64 +) + +// Validate a label's key and value are under 4096 bytes +func Validate(k, v string) error { + total := len(k) + len(v) + if total > maxSize { + if len(k) > keyMaxLen { + k = k[:keyMaxLen] + } + return fmt.Errorf("label key and value length (%d bytes) greater than maximum size (%d bytes), key: %s: %w", total, maxSize, k, errdefs.ErrInvalidArgument) + } + return nil +} diff --git a/vendor/github.com/containerd/containerd/pkg/randutil/randutil.go b/vendor/github.com/containerd/containerd/pkg/randutil/randutil.go new file mode 100644 index 0000000000..f4b657d7dd --- /dev/null +++ b/vendor/github.com/containerd/containerd/pkg/randutil/randutil.go @@ -0,0 +1,48 @@ +/* + Copyright The containerd Authors. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +// Package randutil provides utilities for [cyrpto/rand]. +package randutil + +import ( + "crypto/rand" + "math" + "math/big" +) + +// Int63n is similar to [math/rand.Int63n] but uses [crypto/rand.Reader] under the hood. +func Int63n(n int64) int64 { + b, err := rand.Int(rand.Reader, big.NewInt(n)) + if err != nil { + panic(err) + } + return b.Int64() +} + +// Int63 is similar to [math/rand.Int63] but uses [crypto/rand.Reader] under the hood. +func Int63() int64 { + return Int63n(math.MaxInt64) +} + +// Intn is similar to [math/rand.Intn] but uses [crypto/rand.Reader] under the hood. +func Intn(n int) int { + return int(Int63n(int64(n))) +} + +// Int is similar to [math/rand.Int] but uses [crypto/rand.Reader] under the hood. +func Int() int { + return int(Int63()) +} diff --git a/vendor/github.com/containerd/containerd/remotes/handlers.go b/vendor/github.com/containerd/containerd/remotes/handlers.go new file mode 100644 index 0000000000..14af02769c --- /dev/null +++ b/vendor/github.com/containerd/containerd/remotes/handlers.go @@ -0,0 +1,416 @@ +/* + Copyright The containerd Authors. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +package remotes + +import ( + "bytes" + "context" + "errors" + "fmt" + "io" + "strings" + "sync" + + "github.com/containerd/log" + "github.com/containerd/platforms" + ocispec "github.com/opencontainers/image-spec/specs-go/v1" + "golang.org/x/sync/semaphore" + + "github.com/containerd/containerd/content" + "github.com/containerd/containerd/errdefs" + "github.com/containerd/containerd/images" + "github.com/containerd/containerd/labels" +) + +type refKeyPrefix struct{} + +// WithMediaTypeKeyPrefix adds a custom key prefix for a media type which is used when storing +// data in the content store from the FetchHandler. +// +// Used in `MakeRefKey` to determine what the key prefix should be. +func WithMediaTypeKeyPrefix(ctx context.Context, mediaType, prefix string) context.Context { + var values map[string]string + if v := ctx.Value(refKeyPrefix{}); v != nil { + values = v.(map[string]string) + } else { + values = make(map[string]string) + } + + values[mediaType] = prefix + return context.WithValue(ctx, refKeyPrefix{}, values) +} + +// MakeRefKey returns a unique reference for the descriptor. This reference can be +// used to lookup ongoing processes related to the descriptor. This function +// may look to the context to namespace the reference appropriately. +func MakeRefKey(ctx context.Context, desc ocispec.Descriptor) string { + key := desc.Digest.String() + if desc.Annotations != nil { + if name, ok := desc.Annotations[ocispec.AnnotationRefName]; ok { + key = fmt.Sprintf("%s@%s", name, desc.Digest.String()) + } + } + + if v := ctx.Value(refKeyPrefix{}); v != nil { + values := v.(map[string]string) + if prefix := values[desc.MediaType]; prefix != "" { + return prefix + "-" + key + } + } + + switch mt := desc.MediaType; { + case mt == images.MediaTypeDockerSchema2Manifest || mt == ocispec.MediaTypeImageManifest: + return "manifest-" + key + case mt == images.MediaTypeDockerSchema2ManifestList || mt == ocispec.MediaTypeImageIndex: + return "index-" + key + case images.IsLayerType(mt): + return "layer-" + key + case images.IsKnownConfig(mt): + return "config-" + key + case images.IsAttestationType(desc.MediaType): + return "attestation-" + key + default: + log.G(ctx).Warnf("reference for unknown type: %s", mt) + return "unknown-" + key + } +} + +// FetchHandler returns a handler that will fetch all content into the ingester +// discovered in a call to Dispatch. Use with ChildrenHandler to do a full +// recursive fetch. +func FetchHandler(ingester content.Ingester, fetcher Fetcher) images.HandlerFunc { + return func(ctx context.Context, desc ocispec.Descriptor) (subdescs []ocispec.Descriptor, err error) { + ctx = log.WithLogger(ctx, log.G(ctx).WithFields(log.Fields{ + "digest": desc.Digest, + "mediatype": desc.MediaType, + "size": desc.Size, + })) + + switch desc.MediaType { + case images.MediaTypeDockerSchema1Manifest: + return nil, fmt.Errorf("%v not supported", desc.MediaType) + default: + err := Fetch(ctx, ingester, fetcher, desc) + if errdefs.IsAlreadyExists(err) { + return nil, nil + } + return nil, err + } + } +} + +// Fetch fetches the given digest into the provided ingester +func Fetch(ctx context.Context, ingester content.Ingester, fetcher Fetcher, desc ocispec.Descriptor) error { + log.G(ctx).Debug("fetch") + + cw, err := content.OpenWriter(ctx, ingester, content.WithRef(MakeRefKey(ctx, desc)), content.WithDescriptor(desc)) + if err != nil { + return err + } + defer cw.Close() + + ws, err := cw.Status() + if err != nil { + return err + } + + if desc.Size == 0 { + // most likely a poorly configured registry/web front end which responded with no + // Content-Length header; unable (not to mention useless) to commit a 0-length entry + // into the content store. Error out here otherwise the error sent back is confusing + return fmt.Errorf("unable to fetch descriptor (%s) which reports content size of zero: %w", desc.Digest, errdefs.ErrInvalidArgument) + } + if ws.Offset == desc.Size { + // If writer is already complete, commit and return + err := cw.Commit(ctx, desc.Size, desc.Digest) + if err != nil && !errdefs.IsAlreadyExists(err) { + return fmt.Errorf("failed commit on ref %q: %w", ws.Ref, err) + } + return err + } + + if desc.Size == int64(len(desc.Data)) { + return content.Copy(ctx, cw, bytes.NewReader(desc.Data), desc.Size, desc.Digest) + } + + rc, err := fetcher.Fetch(ctx, desc) + if err != nil { + return err + } + defer rc.Close() + + return content.Copy(ctx, cw, rc, desc.Size, desc.Digest) +} + +// PushHandler returns a handler that will push all content from the provider +// using a writer from the pusher. +func PushHandler(pusher Pusher, provider content.Provider) images.HandlerFunc { + return func(ctx context.Context, desc ocispec.Descriptor) ([]ocispec.Descriptor, error) { + ctx = log.WithLogger(ctx, log.G(ctx).WithFields(log.Fields{ + "digest": desc.Digest, + "mediatype": desc.MediaType, + "size": desc.Size, + })) + + err := push(ctx, provider, pusher, desc) + return nil, err + } +} + +func push(ctx context.Context, provider content.Provider, pusher Pusher, desc ocispec.Descriptor) error { + log.G(ctx).Debug("push") + + var ( + cw content.Writer + err error + ) + if cs, ok := pusher.(content.Ingester); ok { + cw, err = content.OpenWriter(ctx, cs, content.WithRef(MakeRefKey(ctx, desc)), content.WithDescriptor(desc)) + } else { + cw, err = pusher.Push(ctx, desc) + } + if err != nil { + if !errdefs.IsAlreadyExists(err) { + return err + } + + return nil + } + defer cw.Close() + + ra, err := provider.ReaderAt(ctx, desc) + if err != nil { + return err + } + defer ra.Close() + + rd := io.NewSectionReader(ra, 0, desc.Size) + return content.Copy(ctx, cw, rd, desc.Size, desc.Digest) +} + +// PushContent pushes content specified by the descriptor from the provider. +// +// Base handlers can be provided which will be called before any push specific +// handlers. +// +// If the passed in content.Provider is also a content.InfoProvider (such as +// content.Manager) then this will also annotate the distribution sources using +// labels prefixed with "containerd.io/distribution.source". +func PushContent(ctx context.Context, pusher Pusher, desc ocispec.Descriptor, store content.Provider, limiter *semaphore.Weighted, platform platforms.MatchComparer, wrapper func(h images.Handler) images.Handler) error { + + var m sync.Mutex + manifests := []ocispec.Descriptor{} + indexStack := []ocispec.Descriptor{} + + filterHandler := images.HandlerFunc(func(ctx context.Context, desc ocispec.Descriptor) ([]ocispec.Descriptor, error) { + switch desc.MediaType { + case images.MediaTypeDockerSchema2Manifest, ocispec.MediaTypeImageManifest: + m.Lock() + manifests = append(manifests, desc) + m.Unlock() + return nil, images.ErrStopHandler + case images.MediaTypeDockerSchema2ManifestList, ocispec.MediaTypeImageIndex: + m.Lock() + indexStack = append(indexStack, desc) + m.Unlock() + return nil, images.ErrStopHandler + default: + return nil, nil + } + }) + + pushHandler := PushHandler(pusher, store) + + platformFilterhandler := images.FilterPlatforms(images.ChildrenHandler(store), platform) + + var handler images.Handler + if m, ok := store.(content.InfoProvider); ok { + annotateHandler := annotateDistributionSourceHandler(platformFilterhandler, m) + handler = images.Handlers(annotateHandler, filterHandler, pushHandler) + } else { + handler = images.Handlers(platformFilterhandler, filterHandler, pushHandler) + } + + if wrapper != nil { + handler = wrapper(handler) + } + + if err := images.Dispatch(ctx, handler, limiter, desc); err != nil { + return err + } + + if err := images.Dispatch(ctx, pushHandler, limiter, manifests...); err != nil { + return err + } + + // Iterate in reverse order as seen, parent always uploaded after child + for i := len(indexStack) - 1; i >= 0; i-- { + err := images.Dispatch(ctx, pushHandler, limiter, indexStack[i]) + if err != nil { + // TODO(estesp): until we have a more complete method for index push, we need to report + // missing dependencies in an index/manifest list by sensing the "400 Bad Request" + // as a marker for this problem + if errors.Unwrap(err) != nil && strings.Contains(errors.Unwrap(err).Error(), "400 Bad Request") { + return fmt.Errorf("manifest list/index references to blobs and/or manifests are missing in your target registry: %w", err) + } + return err + } + } + + return nil +} + +// SkipNonDistributableBlobs returns a handler that skips blobs that have a media type that is "non-distributeable". +// An example of this kind of content would be a Windows base layer, which is not supposed to be redistributed. +// +// This is based on the media type of the content: +// - application/vnd.oci.image.layer.nondistributable +// - application/vnd.docker.image.rootfs.foreign +func SkipNonDistributableBlobs(f images.HandlerFunc) images.HandlerFunc { + return func(ctx context.Context, desc ocispec.Descriptor) ([]ocispec.Descriptor, error) { + if images.IsNonDistributable(desc.MediaType) { + log.G(ctx).WithField("digest", desc.Digest).WithField("mediatype", desc.MediaType).Debug("Skipping non-distributable blob") + return nil, images.ErrSkipDesc + } + + if images.IsLayerType(desc.MediaType) { + return nil, nil + } + + children, err := f(ctx, desc) + if err != nil { + return nil, err + } + if len(children) == 0 { + return nil, nil + } + + out := make([]ocispec.Descriptor, 0, len(children)) + for _, child := range children { + if !images.IsNonDistributable(child.MediaType) { + out = append(out, child) + } else { + log.G(ctx).WithField("digest", child.Digest).WithField("mediatype", child.MediaType).Debug("Skipping non-distributable blob") + } + } + return out, nil + } +} + +// FilterManifestByPlatformHandler allows Handler to handle non-target +// platform's manifest and configuration data. +func FilterManifestByPlatformHandler(f images.HandlerFunc, m platforms.Matcher) images.HandlerFunc { + return func(ctx context.Context, desc ocispec.Descriptor) ([]ocispec.Descriptor, error) { + children, err := f(ctx, desc) + if err != nil { + return nil, err + } + + // no platform information + if desc.Platform == nil || m == nil { + return children, nil + } + + var descs []ocispec.Descriptor + switch desc.MediaType { + case images.MediaTypeDockerSchema2Manifest, ocispec.MediaTypeImageManifest: + if m.Match(*desc.Platform) { + descs = children + } else { + for _, child := range children { + if child.MediaType == images.MediaTypeDockerSchema2Config || + child.MediaType == ocispec.MediaTypeImageConfig { + + descs = append(descs, child) + } + } + } + default: + descs = children + } + return descs, nil + } +} + +// annotateDistributionSourceHandler add distribution source label into +// annotation of config or blob descriptor. +func annotateDistributionSourceHandler(f images.HandlerFunc, provider content.InfoProvider) images.HandlerFunc { + return func(ctx context.Context, desc ocispec.Descriptor) ([]ocispec.Descriptor, error) { + children, err := f(ctx, desc) + if err != nil { + return nil, err + } + + // Distribution source is only used for config or blob but may be inherited from + // a manifest or manifest list + switch desc.MediaType { + case images.MediaTypeDockerSchema2Manifest, ocispec.MediaTypeImageManifest, + images.MediaTypeDockerSchema2ManifestList, ocispec.MediaTypeImageIndex: + default: + return children, nil + } + + parentSourceAnnotations := desc.Annotations + var parentLabels map[string]string + if pi, err := provider.Info(ctx, desc.Digest); err != nil { + if !errdefs.IsNotFound(err) { + return nil, err + } + } else { + parentLabels = pi.Labels + } + + for i := range children { + child := children[i] + + info, err := provider.Info(ctx, child.Digest) + if err != nil { + if !errdefs.IsNotFound(err) { + return nil, err + } + } + copyDistributionSourceLabels(info.Labels, &child) + + // Annotate with parent labels for cross repo mount or fetch. + // Parent sources may apply to all children since most registries + // enforce that children exist before the manifests. + copyDistributionSourceLabels(parentSourceAnnotations, &child) + copyDistributionSourceLabels(parentLabels, &child) + + children[i] = child + } + return children, nil + } +} + +func copyDistributionSourceLabels(from map[string]string, to *ocispec.Descriptor) { + for k, v := range from { + if !strings.HasPrefix(k, labels.LabelDistributionSource+".") { + continue + } + + if to.Annotations == nil { + to.Annotations = make(map[string]string) + } else { + // Only propagate the parent label if the child doesn't already have it. + if _, has := to.Annotations[k]; has { + continue + } + } + to.Annotations[k] = v + } +} diff --git a/vendor/github.com/containerd/containerd/remotes/resolver.go b/vendor/github.com/containerd/containerd/remotes/resolver.go new file mode 100644 index 0000000000..f200c84bc7 --- /dev/null +++ b/vendor/github.com/containerd/containerd/remotes/resolver.go @@ -0,0 +1,94 @@ +/* + Copyright The containerd Authors. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +package remotes + +import ( + "context" + "io" + + "github.com/containerd/containerd/content" + "github.com/opencontainers/go-digest" + ocispec "github.com/opencontainers/image-spec/specs-go/v1" +) + +// Resolver provides remotes based on a locator. +type Resolver interface { + // Resolve attempts to resolve the reference into a name and descriptor. + // + // The argument `ref` should be a scheme-less URI representing the remote. + // Structurally, it has a host and path. The "host" can be used to directly + // reference a specific host or be matched against a specific handler. + // + // The returned name should be used to identify the referenced entity. + // Depending on the remote namespace, this may be immutable or mutable. + // While the name may differ from ref, it should itself be a valid ref. + // + // If the resolution fails, an error will be returned. + Resolve(ctx context.Context, ref string) (name string, desc ocispec.Descriptor, err error) + + // Fetcher returns a new fetcher for the provided reference. + // All content fetched from the returned fetcher will be + // from the namespace referred to by ref. + Fetcher(ctx context.Context, ref string) (Fetcher, error) + + // Pusher returns a new pusher for the provided reference + // The returned Pusher should satisfy content.Ingester and concurrent attempts + // to push the same blob using the Ingester API should result in ErrUnavailable. + Pusher(ctx context.Context, ref string) (Pusher, error) +} + +// Fetcher fetches content. +// A fetcher implementation may implement the FetcherByDigest interface too. +type Fetcher interface { + // Fetch the resource identified by the descriptor. + Fetch(ctx context.Context, desc ocispec.Descriptor) (io.ReadCloser, error) +} + +// FetcherByDigest fetches content by the digest. +type FetcherByDigest interface { + // FetchByDigest fetches the resource identified by the digest. + // + // FetcherByDigest usually returns an incomplete descriptor. + // Typically, the media type is always set to "application/octet-stream", + // and the annotations are unset. + FetchByDigest(ctx context.Context, dgst digest.Digest) (io.ReadCloser, ocispec.Descriptor, error) +} + +// Pusher pushes content +type Pusher interface { + // Push returns a content writer for the given resource identified + // by the descriptor. + Push(ctx context.Context, d ocispec.Descriptor) (content.Writer, error) +} + +// FetcherFunc allows package users to implement a Fetcher with just a +// function. +type FetcherFunc func(ctx context.Context, desc ocispec.Descriptor) (io.ReadCloser, error) + +// Fetch content +func (fn FetcherFunc) Fetch(ctx context.Context, desc ocispec.Descriptor) (io.ReadCloser, error) { + return fn(ctx, desc) +} + +// PusherFunc allows package users to implement a Pusher with just a +// function. +type PusherFunc func(ctx context.Context, desc ocispec.Descriptor) (content.Writer, error) + +// Push content +func (fn PusherFunc) Push(ctx context.Context, desc ocispec.Descriptor) (content.Writer, error) { + return fn(ctx, desc) +} diff --git a/vendor/github.com/containerd/errdefs/LICENSE b/vendor/github.com/containerd/errdefs/LICENSE new file mode 100644 index 0000000000..584149b6ee --- /dev/null +++ b/vendor/github.com/containerd/errdefs/LICENSE @@ -0,0 +1,191 @@ + + Apache License + Version 2.0, January 2004 + https://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + Copyright The containerd Authors + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + https://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/vendor/github.com/containerd/errdefs/README.md b/vendor/github.com/containerd/errdefs/README.md new file mode 100644 index 0000000000..bd418c63f9 --- /dev/null +++ b/vendor/github.com/containerd/errdefs/README.md @@ -0,0 +1,13 @@ +# errdefs + +A Go package for defining and checking common containerd errors. + +## Project details + +**errdefs** is a containerd sub-project, licensed under the [Apache 2.0 license](./LICENSE). +As a containerd sub-project, you will find the: + * [Project governance](https://github.com/containerd/project/blob/main/GOVERNANCE.md), + * [Maintainers](https://github.com/containerd/project/blob/main/MAINTAINERS), + * and [Contributing guidelines](https://github.com/containerd/project/blob/main/CONTRIBUTING.md) + +information in our [`containerd/project`](https://github.com/containerd/project) repository. diff --git a/vendor/github.com/containerd/errdefs/errors.go b/vendor/github.com/containerd/errdefs/errors.go new file mode 100644 index 0000000000..f654d19649 --- /dev/null +++ b/vendor/github.com/containerd/errdefs/errors.go @@ -0,0 +1,443 @@ +/* + Copyright The containerd Authors. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +// Package errdefs defines the common errors used throughout containerd +// packages. +// +// Use with fmt.Errorf to add context to an error. +// +// To detect an error class, use the IsXXX functions to tell whether an error +// is of a certain type. +package errdefs + +import ( + "context" + "errors" +) + +// Definitions of common error types used throughout containerd. All containerd +// errors returned by most packages will map into one of these errors classes. +// Packages should return errors of these types when they want to instruct a +// client to take a particular action. +// +// These errors map closely to grpc errors. +var ( + ErrUnknown = errUnknown{} + ErrInvalidArgument = errInvalidArgument{} + ErrNotFound = errNotFound{} + ErrAlreadyExists = errAlreadyExists{} + ErrPermissionDenied = errPermissionDenied{} + ErrResourceExhausted = errResourceExhausted{} + ErrFailedPrecondition = errFailedPrecondition{} + ErrConflict = errConflict{} + ErrNotModified = errNotModified{} + ErrAborted = errAborted{} + ErrOutOfRange = errOutOfRange{} + ErrNotImplemented = errNotImplemented{} + ErrInternal = errInternal{} + ErrUnavailable = errUnavailable{} + ErrDataLoss = errDataLoss{} + ErrUnauthenticated = errUnauthorized{} +) + +// cancelled maps to Moby's "ErrCancelled" +type cancelled interface { + Cancelled() +} + +// IsCanceled returns true if the error is due to `context.Canceled`. +func IsCanceled(err error) bool { + return errors.Is(err, context.Canceled) || isInterface[cancelled](err) +} + +type errUnknown struct{} + +func (errUnknown) Error() string { return "unknown" } + +func (errUnknown) Unknown() {} + +func (e errUnknown) WithMessage(msg string) error { + return customMessage{e, msg} +} + +// unknown maps to Moby's "ErrUnknown" +type unknown interface { + Unknown() +} + +// IsUnknown returns true if the error is due to an unknown error, +// unhandled condition or unexpected response. +func IsUnknown(err error) bool { + return errors.Is(err, errUnknown{}) || isInterface[unknown](err) +} + +type errInvalidArgument struct{} + +func (errInvalidArgument) Error() string { return "invalid argument" } + +func (errInvalidArgument) InvalidParameter() {} + +func (e errInvalidArgument) WithMessage(msg string) error { + return customMessage{e, msg} +} + +// invalidParameter maps to Moby's "ErrInvalidParameter" +type invalidParameter interface { + InvalidParameter() +} + +// IsInvalidArgument returns true if the error is due to an invalid argument +func IsInvalidArgument(err error) bool { + return errors.Is(err, ErrInvalidArgument) || isInterface[invalidParameter](err) +} + +// deadlineExceed maps to Moby's "ErrDeadline" +type deadlineExceeded interface { + DeadlineExceeded() +} + +// IsDeadlineExceeded returns true if the error is due to +// `context.DeadlineExceeded`. +func IsDeadlineExceeded(err error) bool { + return errors.Is(err, context.DeadlineExceeded) || isInterface[deadlineExceeded](err) +} + +type errNotFound struct{} + +func (errNotFound) Error() string { return "not found" } + +func (errNotFound) NotFound() {} + +func (e errNotFound) WithMessage(msg string) error { + return customMessage{e, msg} +} + +// notFound maps to Moby's "ErrNotFound" +type notFound interface { + NotFound() +} + +// IsNotFound returns true if the error is due to a missing object +func IsNotFound(err error) bool { + return errors.Is(err, ErrNotFound) || isInterface[notFound](err) +} + +type errAlreadyExists struct{} + +func (errAlreadyExists) Error() string { return "already exists" } + +func (errAlreadyExists) AlreadyExists() {} + +func (e errAlreadyExists) WithMessage(msg string) error { + return customMessage{e, msg} +} + +type alreadyExists interface { + AlreadyExists() +} + +// IsAlreadyExists returns true if the error is due to an already existing +// metadata item +func IsAlreadyExists(err error) bool { + return errors.Is(err, ErrAlreadyExists) || isInterface[alreadyExists](err) +} + +type errPermissionDenied struct{} + +func (errPermissionDenied) Error() string { return "permission denied" } + +func (errPermissionDenied) Forbidden() {} + +func (e errPermissionDenied) WithMessage(msg string) error { + return customMessage{e, msg} +} + +// forbidden maps to Moby's "ErrForbidden" +type forbidden interface { + Forbidden() +} + +// IsPermissionDenied returns true if the error is due to permission denied +// or forbidden (403) response +func IsPermissionDenied(err error) bool { + return errors.Is(err, ErrPermissionDenied) || isInterface[forbidden](err) +} + +type errResourceExhausted struct{} + +func (errResourceExhausted) Error() string { return "resource exhausted" } + +func (errResourceExhausted) ResourceExhausted() {} + +func (e errResourceExhausted) WithMessage(msg string) error { + return customMessage{e, msg} +} + +type resourceExhausted interface { + ResourceExhausted() +} + +// IsResourceExhausted returns true if the error is due to +// a lack of resources or too many attempts. +func IsResourceExhausted(err error) bool { + return errors.Is(err, errResourceExhausted{}) || isInterface[resourceExhausted](err) +} + +type errFailedPrecondition struct{} + +func (e errFailedPrecondition) Error() string { return "failed precondition" } + +func (errFailedPrecondition) FailedPrecondition() {} + +func (e errFailedPrecondition) WithMessage(msg string) error { + return customMessage{e, msg} +} + +type failedPrecondition interface { + FailedPrecondition() +} + +// IsFailedPrecondition returns true if an operation could not proceed due to +// the lack of a particular condition +func IsFailedPrecondition(err error) bool { + return errors.Is(err, errFailedPrecondition{}) || isInterface[failedPrecondition](err) +} + +type errConflict struct{} + +func (errConflict) Error() string { return "conflict" } + +func (errConflict) Conflict() {} + +func (e errConflict) WithMessage(msg string) error { + return customMessage{e, msg} +} + +// conflict maps to Moby's "ErrConflict" +type conflict interface { + Conflict() +} + +// IsConflict returns true if an operation could not proceed due to +// a conflict. +func IsConflict(err error) bool { + return errors.Is(err, errConflict{}) || isInterface[conflict](err) +} + +type errNotModified struct{} + +func (errNotModified) Error() string { return "not modified" } + +func (errNotModified) NotModified() {} + +func (e errNotModified) WithMessage(msg string) error { + return customMessage{e, msg} +} + +// notModified maps to Moby's "ErrNotModified" +type notModified interface { + NotModified() +} + +// IsNotModified returns true if an operation could not proceed due +// to an object not modified from a previous state. +func IsNotModified(err error) bool { + return errors.Is(err, errNotModified{}) || isInterface[notModified](err) +} + +type errAborted struct{} + +func (errAborted) Error() string { return "aborted" } + +func (errAborted) Aborted() {} + +func (e errAborted) WithMessage(msg string) error { + return customMessage{e, msg} +} + +type aborted interface { + Aborted() +} + +// IsAborted returns true if an operation was aborted. +func IsAborted(err error) bool { + return errors.Is(err, errAborted{}) || isInterface[aborted](err) +} + +type errOutOfRange struct{} + +func (errOutOfRange) Error() string { return "out of range" } + +func (errOutOfRange) OutOfRange() {} + +func (e errOutOfRange) WithMessage(msg string) error { + return customMessage{e, msg} +} + +type outOfRange interface { + OutOfRange() +} + +// IsOutOfRange returns true if an operation could not proceed due +// to data being out of the expected range. +func IsOutOfRange(err error) bool { + return errors.Is(err, errOutOfRange{}) || isInterface[outOfRange](err) +} + +type errNotImplemented struct{} + +func (errNotImplemented) Error() string { return "not implemented" } + +func (errNotImplemented) NotImplemented() {} + +func (e errNotImplemented) WithMessage(msg string) error { + return customMessage{e, msg} +} + +// notImplemented maps to Moby's "ErrNotImplemented" +type notImplemented interface { + NotImplemented() +} + +// IsNotImplemented returns true if the error is due to not being implemented +func IsNotImplemented(err error) bool { + return errors.Is(err, errNotImplemented{}) || isInterface[notImplemented](err) +} + +type errInternal struct{} + +func (errInternal) Error() string { return "internal" } + +func (errInternal) System() {} + +func (e errInternal) WithMessage(msg string) error { + return customMessage{e, msg} +} + +// system maps to Moby's "ErrSystem" +type system interface { + System() +} + +// IsInternal returns true if the error returns to an internal or system error +func IsInternal(err error) bool { + return errors.Is(err, errInternal{}) || isInterface[system](err) +} + +type errUnavailable struct{} + +func (errUnavailable) Error() string { return "unavailable" } + +func (errUnavailable) Unavailable() {} + +func (e errUnavailable) WithMessage(msg string) error { + return customMessage{e, msg} +} + +// unavailable maps to Moby's "ErrUnavailable" +type unavailable interface { + Unavailable() +} + +// IsUnavailable returns true if the error is due to a resource being unavailable +func IsUnavailable(err error) bool { + return errors.Is(err, errUnavailable{}) || isInterface[unavailable](err) +} + +type errDataLoss struct{} + +func (errDataLoss) Error() string { return "data loss" } + +func (errDataLoss) DataLoss() {} + +func (e errDataLoss) WithMessage(msg string) error { + return customMessage{e, msg} +} + +// dataLoss maps to Moby's "ErrDataLoss" +type dataLoss interface { + DataLoss() +} + +// IsDataLoss returns true if data during an operation was lost or corrupted +func IsDataLoss(err error) bool { + return errors.Is(err, errDataLoss{}) || isInterface[dataLoss](err) +} + +type errUnauthorized struct{} + +func (errUnauthorized) Error() string { return "unauthorized" } + +func (errUnauthorized) Unauthorized() {} + +func (e errUnauthorized) WithMessage(msg string) error { + return customMessage{e, msg} +} + +// unauthorized maps to Moby's "ErrUnauthorized" +type unauthorized interface { + Unauthorized() +} + +// IsUnauthorized returns true if the error indicates that the user was +// unauthenticated or unauthorized. +func IsUnauthorized(err error) bool { + return errors.Is(err, errUnauthorized{}) || isInterface[unauthorized](err) +} + +func isInterface[T any](err error) bool { + for { + switch x := err.(type) { + case T: + return true + case customMessage: + err = x.err + case interface{ Unwrap() error }: + err = x.Unwrap() + if err == nil { + return false + } + case interface{ Unwrap() []error }: + for _, err := range x.Unwrap() { + if isInterface[T](err) { + return true + } + } + return false + default: + return false + } + } +} + +// customMessage is used to provide a defined error with a custom message. +// The message is not wrapped but can be compared by the `Is(error) bool` interface. +type customMessage struct { + err error + msg string +} + +func (c customMessage) Is(err error) bool { + return c.err == err +} + +func (c customMessage) As(target any) bool { + return errors.As(c.err, target) +} + +func (c customMessage) Error() string { + return c.msg +} diff --git a/vendor/github.com/containerd/errdefs/resolve.go b/vendor/github.com/containerd/errdefs/resolve.go new file mode 100644 index 0000000000..c02d4a73f4 --- /dev/null +++ b/vendor/github.com/containerd/errdefs/resolve.go @@ -0,0 +1,147 @@ +/* + Copyright The containerd Authors. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +package errdefs + +import "context" + +// Resolve returns the first error found in the error chain which matches an +// error defined in this package or context error. A raw, unwrapped error is +// returned or ErrUnknown if no matching error is found. +// +// This is useful for determining a response code based on the outermost wrapped +// error rather than the original cause. For example, a not found error deep +// in the code may be wrapped as an invalid argument. When determining status +// code from Is* functions, the depth or ordering of the error is not +// considered. +// +// The search order is depth first, a wrapped error returned from any part of +// the chain from `Unwrap() error` will be returned before any joined errors +// as returned by `Unwrap() []error`. +func Resolve(err error) error { + if err == nil { + return nil + } + err = firstError(err) + if err == nil { + err = ErrUnknown + } + return err +} + +func firstError(err error) error { + for { + switch err { + case ErrUnknown, + ErrInvalidArgument, + ErrNotFound, + ErrAlreadyExists, + ErrPermissionDenied, + ErrResourceExhausted, + ErrFailedPrecondition, + ErrConflict, + ErrNotModified, + ErrAborted, + ErrOutOfRange, + ErrNotImplemented, + ErrInternal, + ErrUnavailable, + ErrDataLoss, + ErrUnauthenticated, + context.DeadlineExceeded, + context.Canceled: + return err + } + switch e := err.(type) { + case customMessage: + err = e.err + case unknown: + return ErrUnknown + case invalidParameter: + return ErrInvalidArgument + case notFound: + return ErrNotFound + case alreadyExists: + return ErrAlreadyExists + case forbidden: + return ErrPermissionDenied + case resourceExhausted: + return ErrResourceExhausted + case failedPrecondition: + return ErrFailedPrecondition + case conflict: + return ErrConflict + case notModified: + return ErrNotModified + case aborted: + return ErrAborted + case errOutOfRange: + return ErrOutOfRange + case notImplemented: + return ErrNotImplemented + case system: + return ErrInternal + case unavailable: + return ErrUnavailable + case dataLoss: + return ErrDataLoss + case unauthorized: + return ErrUnauthenticated + case deadlineExceeded: + return context.DeadlineExceeded + case cancelled: + return context.Canceled + case interface{ Unwrap() error }: + err = e.Unwrap() + if err == nil { + return nil + } + case interface{ Unwrap() []error }: + for _, ue := range e.Unwrap() { + if fe := firstError(ue); fe != nil { + return fe + } + } + return nil + case interface{ Is(error) bool }: + for _, target := range []error{ErrUnknown, + ErrInvalidArgument, + ErrNotFound, + ErrAlreadyExists, + ErrPermissionDenied, + ErrResourceExhausted, + ErrFailedPrecondition, + ErrConflict, + ErrNotModified, + ErrAborted, + ErrOutOfRange, + ErrNotImplemented, + ErrInternal, + ErrUnavailable, + ErrDataLoss, + ErrUnauthenticated, + context.DeadlineExceeded, + context.Canceled} { + if e.Is(target) { + return target + } + } + return nil + default: + return nil + } + } +} diff --git a/vendor/github.com/containerd/log/.golangci.yml b/vendor/github.com/containerd/log/.golangci.yml new file mode 100644 index 0000000000..a695775df4 --- /dev/null +++ b/vendor/github.com/containerd/log/.golangci.yml @@ -0,0 +1,30 @@ +linters: + enable: + - exportloopref # Checks for pointers to enclosing loop variables + - gofmt + - goimports + - gosec + - ineffassign + - misspell + - nolintlint + - revive + - staticcheck + - tenv # Detects using os.Setenv instead of t.Setenv since Go 1.17 + - unconvert + - unused + - vet + - dupword # Checks for duplicate words in the source code + disable: + - errcheck + +run: + timeout: 5m + skip-dirs: + - api + - cluster + - design + - docs + - docs/man + - releases + - reports + - test # e2e scripts diff --git a/vendor/github.com/containerd/log/LICENSE b/vendor/github.com/containerd/log/LICENSE new file mode 100644 index 0000000000..584149b6ee --- /dev/null +++ b/vendor/github.com/containerd/log/LICENSE @@ -0,0 +1,191 @@ + + Apache License + Version 2.0, January 2004 + https://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + Copyright The containerd Authors + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + https://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/vendor/github.com/containerd/log/README.md b/vendor/github.com/containerd/log/README.md new file mode 100644 index 0000000000..00e0849880 --- /dev/null +++ b/vendor/github.com/containerd/log/README.md @@ -0,0 +1,17 @@ +# log + +A Go package providing a common logging interface across containerd repositories and a way for clients to use and configure logging in containerd packages. + +This package is not intended to be used as a standalone logging package outside of the containerd ecosystem and is intended as an interface wrapper around a logging implementation. +In the future this package may be replaced with a common go logging interface. + +## Project details + +**log** is a containerd sub-project, licensed under the [Apache 2.0 license](./LICENSE). +As a containerd sub-project, you will find the: + * [Project governance](https://github.com/containerd/project/blob/main/GOVERNANCE.md), + * [Maintainers](https://github.com/containerd/project/blob/main/MAINTAINERS), + * and [Contributing guidelines](https://github.com/containerd/project/blob/main/CONTRIBUTING.md) + +information in our [`containerd/project`](https://github.com/containerd/project) repository. + diff --git a/vendor/github.com/containerd/log/context.go b/vendor/github.com/containerd/log/context.go new file mode 100644 index 0000000000..20153066f3 --- /dev/null +++ b/vendor/github.com/containerd/log/context.go @@ -0,0 +1,182 @@ +/* + Copyright The containerd Authors. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +// Package log provides types and functions related to logging, passing +// loggers through a context, and attaching context to the logger. +// +// # Transitional types +// +// This package contains various types that are aliases for types in [logrus]. +// These aliases are intended for transitioning away from hard-coding logrus +// as logging implementation. Consumers of this package are encouraged to use +// the type-aliases from this package instead of directly using their logrus +// equivalent. +// +// The intent is to replace these aliases with locally defined types and +// interfaces once all consumers are no longer directly importing logrus +// types. +// +// IMPORTANT: due to the transitional purpose of this package, it is not +// guaranteed for the full logrus API to be provided in the future. As +// outlined, these aliases are provided as a step to transition away from +// a specific implementation which, as a result, exposes the full logrus API. +// While no decisions have been made on the ultimate design and interface +// provided by this package, we do not expect carrying "less common" features. +package log + +import ( + "context" + "fmt" + + "github.com/sirupsen/logrus" +) + +// G is a shorthand for [GetLogger]. +// +// We may want to define this locally to a package to get package tagged log +// messages. +var G = GetLogger + +// L is an alias for the standard logger. +var L = &Entry{ + Logger: logrus.StandardLogger(), + // Default is three fields plus a little extra room. + Data: make(Fields, 6), +} + +type loggerKey struct{} + +// Fields type to pass to "WithFields". +type Fields = map[string]any + +// Entry is a logging entry. It contains all the fields passed with +// [Entry.WithFields]. It's finally logged when Trace, Debug, Info, Warn, +// Error, Fatal or Panic is called on it. These objects can be reused and +// passed around as much as you wish to avoid field duplication. +// +// Entry is a transitional type, and currently an alias for [logrus.Entry]. +type Entry = logrus.Entry + +// RFC3339NanoFixed is [time.RFC3339Nano] with nanoseconds padded using +// zeros to ensure the formatted time is always the same number of +// characters. +const RFC3339NanoFixed = "2006-01-02T15:04:05.000000000Z07:00" + +// Level is a logging level. +type Level = logrus.Level + +// Supported log levels. +const ( + // TraceLevel level. Designates finer-grained informational events + // than [DebugLevel]. + TraceLevel Level = logrus.TraceLevel + + // DebugLevel level. Usually only enabled when debugging. Very verbose + // logging. + DebugLevel Level = logrus.DebugLevel + + // InfoLevel level. General operational entries about what's going on + // inside the application. + InfoLevel Level = logrus.InfoLevel + + // WarnLevel level. Non-critical entries that deserve eyes. + WarnLevel Level = logrus.WarnLevel + + // ErrorLevel level. Logs errors that should definitely be noted. + // Commonly used for hooks to send errors to an error tracking service. + ErrorLevel Level = logrus.ErrorLevel + + // FatalLevel level. Logs and then calls "logger.Exit(1)". It exits + // even if the logging level is set to Panic. + FatalLevel Level = logrus.FatalLevel + + // PanicLevel level. This is the highest level of severity. Logs and + // then calls panic with the message passed to Debug, Info, ... + PanicLevel Level = logrus.PanicLevel +) + +// SetLevel sets log level globally. It returns an error if the given +// level is not supported. +// +// level can be one of: +// +// - "trace" ([TraceLevel]) +// - "debug" ([DebugLevel]) +// - "info" ([InfoLevel]) +// - "warn" ([WarnLevel]) +// - "error" ([ErrorLevel]) +// - "fatal" ([FatalLevel]) +// - "panic" ([PanicLevel]) +func SetLevel(level string) error { + lvl, err := logrus.ParseLevel(level) + if err != nil { + return err + } + + L.Logger.SetLevel(lvl) + return nil +} + +// GetLevel returns the current log level. +func GetLevel() Level { + return L.Logger.GetLevel() +} + +// OutputFormat specifies a log output format. +type OutputFormat string + +// Supported log output formats. +const ( + // TextFormat represents the text logging format. + TextFormat OutputFormat = "text" + + // JSONFormat represents the JSON logging format. + JSONFormat OutputFormat = "json" +) + +// SetFormat sets the log output format ([TextFormat] or [JSONFormat]). +func SetFormat(format OutputFormat) error { + switch format { + case TextFormat: + L.Logger.SetFormatter(&logrus.TextFormatter{ + TimestampFormat: RFC3339NanoFixed, + FullTimestamp: true, + }) + return nil + case JSONFormat: + L.Logger.SetFormatter(&logrus.JSONFormatter{ + TimestampFormat: RFC3339NanoFixed, + }) + return nil + default: + return fmt.Errorf("unknown log format: %s", format) + } +} + +// WithLogger returns a new context with the provided logger. Use in +// combination with logger.WithField(s) for great effect. +func WithLogger(ctx context.Context, logger *Entry) context.Context { + return context.WithValue(ctx, loggerKey{}, logger.WithContext(ctx)) +} + +// GetLogger retrieves the current logger from the context. If no logger is +// available, the default logger is returned. +func GetLogger(ctx context.Context) *Entry { + if logger := ctx.Value(loggerKey{}); logger != nil { + return logger.(*Entry) + } + return L.WithContext(ctx) +} diff --git a/vendor/github.com/containerd/platforms/.gitattributes b/vendor/github.com/containerd/platforms/.gitattributes new file mode 100644 index 0000000000..a0717e4b3b --- /dev/null +++ b/vendor/github.com/containerd/platforms/.gitattributes @@ -0,0 +1 @@ +*.go text eol=lf \ No newline at end of file diff --git a/vendor/github.com/containerd/platforms/.golangci.yml b/vendor/github.com/containerd/platforms/.golangci.yml new file mode 100644 index 0000000000..a695775df4 --- /dev/null +++ b/vendor/github.com/containerd/platforms/.golangci.yml @@ -0,0 +1,30 @@ +linters: + enable: + - exportloopref # Checks for pointers to enclosing loop variables + - gofmt + - goimports + - gosec + - ineffassign + - misspell + - nolintlint + - revive + - staticcheck + - tenv # Detects using os.Setenv instead of t.Setenv since Go 1.17 + - unconvert + - unused + - vet + - dupword # Checks for duplicate words in the source code + disable: + - errcheck + +run: + timeout: 5m + skip-dirs: + - api + - cluster + - design + - docs + - docs/man + - releases + - reports + - test # e2e scripts diff --git a/vendor/github.com/containerd/platforms/LICENSE b/vendor/github.com/containerd/platforms/LICENSE new file mode 100644 index 0000000000..584149b6ee --- /dev/null +++ b/vendor/github.com/containerd/platforms/LICENSE @@ -0,0 +1,191 @@ + + Apache License + Version 2.0, January 2004 + https://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + Copyright The containerd Authors + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + https://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/vendor/github.com/containerd/platforms/README.md b/vendor/github.com/containerd/platforms/README.md new file mode 100644 index 0000000000..2059de771c --- /dev/null +++ b/vendor/github.com/containerd/platforms/README.md @@ -0,0 +1,32 @@ +# platforms + +A Go package for formatting, normalizing and matching container platforms. + +This package is based on the Open Containers Image Spec definition of a [platform](https://github.com/opencontainers/image-spec/blob/main/specs-go/v1/descriptor.go#L52). + +## Platform Specifier + +While the OCI platform specifications provide a tool for components to +specify structured information, user input typically doesn't need the full +context and much can be inferred. To solve this problem, this package introduces +"specifiers". A specifier has the format +`||/[/]`. The user can provide either the +operating system or the architecture or both. + +An example of a common specifier is `linux/amd64`. If the host has a default +runtime that matches this, the user can simply provide the component that +matters. For example, if an image provides `amd64` and `arm64` support, the +operating system, `linux` can be inferred, so they only have to provide +`arm64` or `amd64`. Similar behavior is implemented for operating systems, +where the architecture may be known but a runtime may support images from +different operating systems. + +## Project details + +**platforms** is a containerd sub-project, licensed under the [Apache 2.0 license](./LICENSE). +As a containerd sub-project, you will find the: + * [Project governance](https://github.com/containerd/project/blob/main/GOVERNANCE.md), + * [Maintainers](https://github.com/containerd/project/blob/main/MAINTAINERS), + * and [Contributing guidelines](https://github.com/containerd/project/blob/main/CONTRIBUTING.md) + +information in our [`containerd/project`](https://github.com/containerd/project) repository. \ No newline at end of file diff --git a/vendor/github.com/containerd/platforms/compare.go b/vendor/github.com/containerd/platforms/compare.go new file mode 100644 index 0000000000..3913ef6637 --- /dev/null +++ b/vendor/github.com/containerd/platforms/compare.go @@ -0,0 +1,203 @@ +/* + Copyright The containerd Authors. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +package platforms + +import ( + "strconv" + "strings" + + specs "github.com/opencontainers/image-spec/specs-go/v1" +) + +// MatchComparer is able to match and compare platforms to +// filter and sort platforms. +type MatchComparer interface { + Matcher + + Less(specs.Platform, specs.Platform) bool +} + +// platformVector returns an (ordered) vector of appropriate specs.Platform +// objects to try matching for the given platform object (see platforms.Only). +func platformVector(platform specs.Platform) []specs.Platform { + vector := []specs.Platform{platform} + + switch platform.Architecture { + case "amd64": + if amd64Version, err := strconv.Atoi(strings.TrimPrefix(platform.Variant, "v")); err == nil && amd64Version > 1 { + for amd64Version--; amd64Version >= 1; amd64Version-- { + vector = append(vector, specs.Platform{ + Architecture: platform.Architecture, + OS: platform.OS, + OSVersion: platform.OSVersion, + OSFeatures: platform.OSFeatures, + Variant: "v" + strconv.Itoa(amd64Version), + }) + } + } + vector = append(vector, specs.Platform{ + Architecture: "386", + OS: platform.OS, + OSVersion: platform.OSVersion, + OSFeatures: platform.OSFeatures, + }) + case "arm": + if armVersion, err := strconv.Atoi(strings.TrimPrefix(platform.Variant, "v")); err == nil && armVersion > 5 { + for armVersion--; armVersion >= 5; armVersion-- { + vector = append(vector, specs.Platform{ + Architecture: platform.Architecture, + OS: platform.OS, + OSVersion: platform.OSVersion, + OSFeatures: platform.OSFeatures, + Variant: "v" + strconv.Itoa(armVersion), + }) + } + } + case "arm64": + variant := platform.Variant + if variant == "" { + variant = "v8" + } + vector = append(vector, platformVector(specs.Platform{ + Architecture: "arm", + OS: platform.OS, + OSVersion: platform.OSVersion, + OSFeatures: platform.OSFeatures, + Variant: variant, + })...) + } + + return vector +} + +// Only returns a match comparer for a single platform +// using default resolution logic for the platform. +// +// For arm/v8, will also match arm/v7, arm/v6 and arm/v5 +// For arm/v7, will also match arm/v6 and arm/v5 +// For arm/v6, will also match arm/v5 +// For amd64, will also match 386 +func Only(platform specs.Platform) MatchComparer { + return Ordered(platformVector(Normalize(platform))...) +} + +// OnlyStrict returns a match comparer for a single platform. +// +// Unlike Only, OnlyStrict does not match sub platforms. +// So, "arm/vN" will not match "arm/vM" where M < N, +// and "amd64" will not also match "386". +// +// OnlyStrict matches non-canonical forms. +// So, "arm64" matches "arm/64/v8". +func OnlyStrict(platform specs.Platform) MatchComparer { + return Ordered(Normalize(platform)) +} + +// Ordered returns a platform MatchComparer which matches any of the platforms +// but orders them in order they are provided. +func Ordered(platforms ...specs.Platform) MatchComparer { + matchers := make([]Matcher, len(platforms)) + for i := range platforms { + matchers[i] = NewMatcher(platforms[i]) + } + return orderedPlatformComparer{ + matchers: matchers, + } +} + +// Any returns a platform MatchComparer which matches any of the platforms +// with no preference for ordering. +func Any(platforms ...specs.Platform) MatchComparer { + matchers := make([]Matcher, len(platforms)) + for i := range platforms { + matchers[i] = NewMatcher(platforms[i]) + } + return anyPlatformComparer{ + matchers: matchers, + } +} + +// All is a platform MatchComparer which matches all platforms +// with preference for ordering. +var All MatchComparer = allPlatformComparer{} + +type orderedPlatformComparer struct { + matchers []Matcher +} + +func (c orderedPlatformComparer) Match(platform specs.Platform) bool { + for _, m := range c.matchers { + if m.Match(platform) { + return true + } + } + return false +} + +func (c orderedPlatformComparer) Less(p1 specs.Platform, p2 specs.Platform) bool { + for _, m := range c.matchers { + p1m := m.Match(p1) + p2m := m.Match(p2) + if p1m && !p2m { + return true + } + if p1m || p2m { + return false + } + } + return false +} + +type anyPlatformComparer struct { + matchers []Matcher +} + +func (c anyPlatformComparer) Match(platform specs.Platform) bool { + for _, m := range c.matchers { + if m.Match(platform) { + return true + } + } + return false +} + +func (c anyPlatformComparer) Less(p1, p2 specs.Platform) bool { + var p1m, p2m bool + for _, m := range c.matchers { + if !p1m && m.Match(p1) { + p1m = true + } + if !p2m && m.Match(p2) { + p2m = true + } + if p1m && p2m { + return false + } + } + // If one matches, and the other does, sort match first + return p1m && !p2m +} + +type allPlatformComparer struct{} + +func (allPlatformComparer) Match(specs.Platform) bool { + return true +} + +func (allPlatformComparer) Less(specs.Platform, specs.Platform) bool { + return false +} diff --git a/vendor/github.com/containerd/platforms/cpuinfo.go b/vendor/github.com/containerd/platforms/cpuinfo.go new file mode 100644 index 0000000000..91f50e8c88 --- /dev/null +++ b/vendor/github.com/containerd/platforms/cpuinfo.go @@ -0,0 +1,43 @@ +/* + Copyright The containerd Authors. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +package platforms + +import ( + "runtime" + "sync" + + "github.com/containerd/log" +) + +// Present the ARM instruction set architecture, eg: v7, v8 +// Don't use this value directly; call cpuVariant() instead. +var cpuVariantValue string + +var cpuVariantOnce sync.Once + +func cpuVariant() string { + cpuVariantOnce.Do(func() { + if isArmArch(runtime.GOARCH) { + var err error + cpuVariantValue, err = getCPUVariant() + if err != nil { + log.L.Errorf("Error getCPUVariant for OS %s: %v", runtime.GOOS, err) + } + } + }) + return cpuVariantValue +} diff --git a/vendor/github.com/containerd/platforms/cpuinfo_linux.go b/vendor/github.com/containerd/platforms/cpuinfo_linux.go new file mode 100644 index 0000000000..98c7001f93 --- /dev/null +++ b/vendor/github.com/containerd/platforms/cpuinfo_linux.go @@ -0,0 +1,160 @@ +/* + Copyright The containerd Authors. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +package platforms + +import ( + "bufio" + "bytes" + "errors" + "fmt" + "os" + "runtime" + "strings" + + "golang.org/x/sys/unix" +) + +// getMachineArch retrieves the machine architecture through system call +func getMachineArch() (string, error) { + var uname unix.Utsname + err := unix.Uname(&uname) + if err != nil { + return "", err + } + + arch := string(uname.Machine[:bytes.IndexByte(uname.Machine[:], 0)]) + + return arch, nil +} + +// For Linux, the kernel has already detected the ABI, ISA and Features. +// So we don't need to access the ARM registers to detect platform information +// by ourselves. We can just parse these information from /proc/cpuinfo +func getCPUInfo(pattern string) (info string, err error) { + + cpuinfo, err := os.Open("/proc/cpuinfo") + if err != nil { + return "", err + } + defer cpuinfo.Close() + + // Start to Parse the Cpuinfo line by line. For SMP SoC, we parse + // the first core is enough. + scanner := bufio.NewScanner(cpuinfo) + for scanner.Scan() { + newline := scanner.Text() + list := strings.Split(newline, ":") + + if len(list) > 1 && strings.EqualFold(strings.TrimSpace(list[0]), pattern) { + return strings.TrimSpace(list[1]), nil + } + } + + // Check whether the scanner encountered errors + err = scanner.Err() + if err != nil { + return "", err + } + + return "", fmt.Errorf("getCPUInfo for pattern %s: %w", pattern, errNotFound) +} + +// getCPUVariantFromArch get CPU variant from arch through a system call +func getCPUVariantFromArch(arch string) (string, error) { + + var variant string + + arch = strings.ToLower(arch) + + if arch == "aarch64" { + variant = "8" + } else if arch[0:4] == "armv" && len(arch) >= 5 { + // Valid arch format is in form of armvXx + switch arch[3:5] { + case "v8": + variant = "8" + case "v7": + variant = "7" + case "v6": + variant = "6" + case "v5": + variant = "5" + case "v4": + variant = "4" + case "v3": + variant = "3" + default: + variant = "unknown" + } + } else { + return "", fmt.Errorf("getCPUVariantFromArch invalid arch: %s, %w", arch, errInvalidArgument) + } + return variant, nil +} + +// getCPUVariant returns cpu variant for ARM +// We first try reading "Cpu architecture" field from /proc/cpuinfo +// If we can't find it, then fall back using a system call +// This is to cover running ARM in emulated environment on x86 host as this field in /proc/cpuinfo +// was not present. +func getCPUVariant() (string, error) { + variant, err := getCPUInfo("Cpu architecture") + if err != nil { + if errors.Is(err, errNotFound) { + // Let's try getting CPU variant from machine architecture + arch, err := getMachineArch() + if err != nil { + return "", fmt.Errorf("failure getting machine architecture: %v", err) + } + + variant, err = getCPUVariantFromArch(arch) + if err != nil { + return "", fmt.Errorf("failure getting CPU variant from machine architecture: %v", err) + } + } else { + return "", fmt.Errorf("failure getting CPU variant: %v", err) + } + } + + // handle edge case for Raspberry Pi ARMv6 devices (which due to a kernel quirk, report "CPU architecture: 7") + // https://www.raspberrypi.org/forums/viewtopic.php?t=12614 + if runtime.GOARCH == "arm" && variant == "7" { + model, err := getCPUInfo("model name") + if err == nil && strings.HasPrefix(strings.ToLower(model), "armv6-compatible") { + variant = "6" + } + } + + switch strings.ToLower(variant) { + case "8", "aarch64": + variant = "v8" + case "7", "7m", "?(12)", "?(13)", "?(14)", "?(15)", "?(16)", "?(17)": + variant = "v7" + case "6", "6tej": + variant = "v6" + case "5", "5t", "5te", "5tej": + variant = "v5" + case "4", "4t": + variant = "v4" + case "3": + variant = "v3" + default: + variant = "unknown" + } + + return variant, nil +} diff --git a/vendor/github.com/containerd/platforms/cpuinfo_other.go b/vendor/github.com/containerd/platforms/cpuinfo_other.go new file mode 100644 index 0000000000..97a1fe8a3e --- /dev/null +++ b/vendor/github.com/containerd/platforms/cpuinfo_other.go @@ -0,0 +1,55 @@ +//go:build !linux + +/* + Copyright The containerd Authors. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +package platforms + +import ( + "fmt" + "runtime" +) + +func getCPUVariant() (string, error) { + + var variant string + + if runtime.GOOS == "windows" || runtime.GOOS == "darwin" { + // Windows/Darwin only supports v7 for ARM32 and v8 for ARM64 and so we can use + // runtime.GOARCH to determine the variants + switch runtime.GOARCH { + case "arm64": + variant = "v8" + case "arm": + variant = "v7" + default: + variant = "unknown" + } + } else if runtime.GOOS == "freebsd" { + // FreeBSD supports ARMv6 and ARMv7 as well as ARMv4 and ARMv5 (though deprecated) + // detecting those variants is currently unimplemented + switch runtime.GOARCH { + case "arm64": + variant = "v8" + default: + variant = "unknown" + } + } else { + return "", fmt.Errorf("getCPUVariant for OS %s: %v", runtime.GOOS, errNotImplemented) + } + + return variant, nil +} diff --git a/vendor/github.com/containerd/platforms/database.go b/vendor/github.com/containerd/platforms/database.go new file mode 100644 index 0000000000..2e26fd3b4f --- /dev/null +++ b/vendor/github.com/containerd/platforms/database.go @@ -0,0 +1,109 @@ +/* + Copyright The containerd Authors. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +package platforms + +import ( + "runtime" + "strings" +) + +// These function are generated from https://golang.org/src/go/build/syslist.go. +// +// We use switch statements because they are slightly faster than map lookups +// and use a little less memory. + +// isKnownOS returns true if we know about the operating system. +// +// The OS value should be normalized before calling this function. +func isKnownOS(os string) bool { + switch os { + case "aix", "android", "darwin", "dragonfly", "freebsd", "hurd", "illumos", "ios", "js", "linux", "nacl", "netbsd", "openbsd", "plan9", "solaris", "windows", "zos": + return true + } + return false +} + +// isArmArch returns true if the architecture is ARM. +// +// The arch value should be normalized before being passed to this function. +func isArmArch(arch string) bool { + switch arch { + case "arm", "arm64": + return true + } + return false +} + +// isKnownArch returns true if we know about the architecture. +// +// The arch value should be normalized before being passed to this function. +func isKnownArch(arch string) bool { + switch arch { + case "386", "amd64", "amd64p32", "arm", "armbe", "arm64", "arm64be", "ppc64", "ppc64le", "loong64", "mips", "mipsle", "mips64", "mips64le", "mips64p32", "mips64p32le", "ppc", "riscv", "riscv64", "s390", "s390x", "sparc", "sparc64", "wasm": + return true + } + return false +} + +func normalizeOS(os string) string { + if os == "" { + return runtime.GOOS + } + os = strings.ToLower(os) + + switch os { + case "macos": + os = "darwin" + } + return os +} + +// normalizeArch normalizes the architecture. +func normalizeArch(arch, variant string) (string, string) { + arch, variant = strings.ToLower(arch), strings.ToLower(variant) + switch arch { + case "i386": + arch = "386" + variant = "" + case "x86_64", "x86-64", "amd64": + arch = "amd64" + if variant == "v1" { + variant = "" + } + case "aarch64", "arm64": + arch = "arm64" + switch variant { + case "8", "v8": + variant = "" + } + case "armhf": + arch = "arm" + variant = "v7" + case "armel": + arch = "arm" + variant = "v6" + case "arm": + switch variant { + case "", "7": + variant = "v7" + case "5", "6", "8": + variant = "v" + variant + } + } + + return arch, variant +} diff --git a/vendor/github.com/containerd/platforms/defaults.go b/vendor/github.com/containerd/platforms/defaults.go new file mode 100644 index 0000000000..9d898d60e6 --- /dev/null +++ b/vendor/github.com/containerd/platforms/defaults.go @@ -0,0 +1,29 @@ +/* + Copyright The containerd Authors. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +package platforms + +// DefaultString returns the default string specifier for the platform, +// with [PR#6](https://github.com/containerd/platforms/pull/6) the result +// may now also include the OSVersion from the provided platform specification. +func DefaultString() string { + return FormatAll(DefaultSpec()) +} + +// DefaultStrict returns strict form of Default. +func DefaultStrict() MatchComparer { + return OnlyStrict(DefaultSpec()) +} diff --git a/vendor/github.com/containerd/platforms/defaults_darwin.go b/vendor/github.com/containerd/platforms/defaults_darwin.go new file mode 100644 index 0000000000..72355ca85f --- /dev/null +++ b/vendor/github.com/containerd/platforms/defaults_darwin.go @@ -0,0 +1,44 @@ +//go:build darwin + +/* + Copyright The containerd Authors. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +package platforms + +import ( + "runtime" + + specs "github.com/opencontainers/image-spec/specs-go/v1" +) + +// DefaultSpec returns the current platform's default platform specification. +func DefaultSpec() specs.Platform { + return specs.Platform{ + OS: runtime.GOOS, + Architecture: runtime.GOARCH, + // The Variant field will be empty if arch != ARM. + Variant: cpuVariant(), + } +} + +// Default returns the default matcher for the platform. +func Default() MatchComparer { + return Ordered(DefaultSpec(), specs.Platform{ + // darwin runtime also supports Linux binary via runu/LKL + OS: "linux", + Architecture: runtime.GOARCH, + }) +} diff --git a/vendor/github.com/containerd/platforms/defaults_freebsd.go b/vendor/github.com/containerd/platforms/defaults_freebsd.go new file mode 100644 index 0000000000..d3fe89e076 --- /dev/null +++ b/vendor/github.com/containerd/platforms/defaults_freebsd.go @@ -0,0 +1,43 @@ +/* + Copyright The containerd Authors. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +package platforms + +import ( + "runtime" + + specs "github.com/opencontainers/image-spec/specs-go/v1" +) + +// DefaultSpec returns the current platform's default platform specification. +func DefaultSpec() specs.Platform { + return specs.Platform{ + OS: runtime.GOOS, + Architecture: runtime.GOARCH, + // The Variant field will be empty if arch != ARM. + Variant: cpuVariant(), + } +} + +// Default returns the default matcher for the platform. +func Default() MatchComparer { + return Ordered(DefaultSpec(), specs.Platform{ + OS: "linux", + Architecture: runtime.GOARCH, + // The Variant field will be empty if arch != ARM. + Variant: cpuVariant(), + }) +} diff --git a/vendor/github.com/containerd/platforms/defaults_unix.go b/vendor/github.com/containerd/platforms/defaults_unix.go new file mode 100644 index 0000000000..44acc47eb3 --- /dev/null +++ b/vendor/github.com/containerd/platforms/defaults_unix.go @@ -0,0 +1,40 @@ +//go:build !windows && !darwin && !freebsd + +/* + Copyright The containerd Authors. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +package platforms + +import ( + "runtime" + + specs "github.com/opencontainers/image-spec/specs-go/v1" +) + +// DefaultSpec returns the current platform's default platform specification. +func DefaultSpec() specs.Platform { + return specs.Platform{ + OS: runtime.GOOS, + Architecture: runtime.GOARCH, + // The Variant field will be empty if arch != ARM. + Variant: cpuVariant(), + } +} + +// Default returns the default matcher for the platform. +func Default() MatchComparer { + return Only(DefaultSpec()) +} diff --git a/vendor/github.com/containerd/platforms/defaults_windows.go b/vendor/github.com/containerd/platforms/defaults_windows.go new file mode 100644 index 0000000000..427ed72eb6 --- /dev/null +++ b/vendor/github.com/containerd/platforms/defaults_windows.go @@ -0,0 +1,118 @@ +/* + Copyright The containerd Authors. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +package platforms + +import ( + "fmt" + "runtime" + "strconv" + "strings" + + specs "github.com/opencontainers/image-spec/specs-go/v1" + "golang.org/x/sys/windows" +) + +// DefaultSpec returns the current platform's default platform specification. +func DefaultSpec() specs.Platform { + major, minor, build := windows.RtlGetNtVersionNumbers() + return specs.Platform{ + OS: runtime.GOOS, + Architecture: runtime.GOARCH, + OSVersion: fmt.Sprintf("%d.%d.%d", major, minor, build), + // The Variant field will be empty if arch != ARM. + Variant: cpuVariant(), + } +} + +type windowsmatcher struct { + specs.Platform + osVersionPrefix string + defaultMatcher Matcher +} + +// Match matches platform with the same windows major, minor +// and build version. +func (m windowsmatcher) Match(p specs.Platform) bool { + match := m.defaultMatcher.Match(p) + + if match && m.OS == "windows" { + // HPC containers do not have OS version filled + if m.OSVersion == "" || p.OSVersion == "" { + return true + } + + hostOsVersion := getOSVersion(m.osVersionPrefix) + ctrOsVersion := getOSVersion(p.OSVersion) + return checkHostAndContainerCompat(hostOsVersion, ctrOsVersion) + } + + return match +} + +func getOSVersion(osVersionPrefix string) osVersion { + parts := strings.Split(osVersionPrefix, ".") + if len(parts) < 3 { + return osVersion{} + } + + majorVersion, _ := strconv.Atoi(parts[0]) + minorVersion, _ := strconv.Atoi(parts[1]) + buildNumber, _ := strconv.Atoi(parts[2]) + + return osVersion{ + MajorVersion: uint8(majorVersion), + MinorVersion: uint8(minorVersion), + Build: uint16(buildNumber), + } +} + +// Less sorts matched platforms in front of other platforms. +// For matched platforms, it puts platforms with larger revision +// number in front. +func (m windowsmatcher) Less(p1, p2 specs.Platform) bool { + m1, m2 := m.Match(p1), m.Match(p2) + if m1 && m2 { + r1, r2 := revision(p1.OSVersion), revision(p2.OSVersion) + return r1 > r2 + } + return m1 && !m2 +} + +func revision(v string) int { + parts := strings.Split(v, ".") + if len(parts) < 4 { + return 0 + } + r, err := strconv.Atoi(parts[3]) + if err != nil { + return 0 + } + return r +} + +func prefix(v string) string { + parts := strings.Split(v, ".") + if len(parts) < 4 { + return v + } + return strings.Join(parts[0:3], ".") +} + +// Default returns the current platform's default platform specification. +func Default() MatchComparer { + return Only(DefaultSpec()) +} diff --git a/vendor/github.com/containerd/platforms/errors.go b/vendor/github.com/containerd/platforms/errors.go new file mode 100644 index 0000000000..5ad721e779 --- /dev/null +++ b/vendor/github.com/containerd/platforms/errors.go @@ -0,0 +1,30 @@ +/* + Copyright The containerd Authors. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +package platforms + +import "errors" + +// These errors mirror the errors defined in [github.com/containerd/containerd/errdefs], +// however, they are not exported as they are not expected to be used as sentinel +// errors by consumers of this package. +// +//nolint:unused // not all errors are used on all platforms. +var ( + errNotFound = errors.New("not found") + errInvalidArgument = errors.New("invalid argument") + errNotImplemented = errors.New("not implemented") +) diff --git a/vendor/github.com/containerd/platforms/platform_compat_windows.go b/vendor/github.com/containerd/platforms/platform_compat_windows.go new file mode 100644 index 0000000000..89e66f0c09 --- /dev/null +++ b/vendor/github.com/containerd/platforms/platform_compat_windows.go @@ -0,0 +1,78 @@ +/* + Copyright The containerd Authors. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +package platforms + +// osVersion is a wrapper for Windows version information +// https://msdn.microsoft.com/en-us/library/windows/desktop/ms724439(v=vs.85).aspx +type osVersion struct { + Version uint32 + MajorVersion uint8 + MinorVersion uint8 + Build uint16 +} + +// Windows Client and Server build numbers. +// +// See: +// https://learn.microsoft.com/en-us/windows/release-health/release-information +// https://learn.microsoft.com/en-us/windows/release-health/windows-server-release-info +// https://learn.microsoft.com/en-us/windows/release-health/windows11-release-information +const ( + // rs5 (version 1809, codename "Redstone 5") corresponds to Windows Server + // 2019 (ltsc2019), and Windows 10 (October 2018 Update). + rs5 = 17763 + + // v21H2Server corresponds to Windows Server 2022 (ltsc2022). + v21H2Server = 20348 + + // v22H2Win11 corresponds to Windows 11 (2022 Update). + v22H2Win11 = 22621 +) + +// List of stable ABI compliant ltsc releases +// Note: List must be sorted in ascending order +var compatLTSCReleases = []uint16{ + v21H2Server, +} + +// CheckHostAndContainerCompat checks if given host and container +// OS versions are compatible. +// It includes support for stable ABI compliant versions as well. +// Every release after WS 2022 will support the previous ltsc +// container image. Stable ABI is in preview mode for windows 11 client. +// Refer: https://learn.microsoft.com/en-us/virtualization/windowscontainers/deploy-containers/version-compatibility?tabs=windows-server-2022%2Cwindows-10#windows-server-host-os-compatibility +func checkHostAndContainerCompat(host, ctr osVersion) bool { + // check major minor versions of host and guest + if host.MajorVersion != ctr.MajorVersion || + host.MinorVersion != ctr.MinorVersion { + return false + } + + // If host is < WS 2022, exact version match is required + if host.Build < v21H2Server { + return host.Build == ctr.Build + } + + var supportedLtscRelease uint16 + for i := len(compatLTSCReleases) - 1; i >= 0; i-- { + if host.Build >= compatLTSCReleases[i] { + supportedLtscRelease = compatLTSCReleases[i] + break + } + } + return ctr.Build >= supportedLtscRelease && ctr.Build <= host.Build +} diff --git a/vendor/github.com/containerd/platforms/platforms.go b/vendor/github.com/containerd/platforms/platforms.go new file mode 100644 index 0000000000..1bbbdb91db --- /dev/null +++ b/vendor/github.com/containerd/platforms/platforms.go @@ -0,0 +1,308 @@ +/* + Copyright The containerd Authors. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +// Package platforms provides a toolkit for normalizing, matching and +// specifying container platforms. +// +// Centered around OCI platform specifications, we define a string-based +// specifier syntax that can be used for user input. With a specifier, users +// only need to specify the parts of the platform that are relevant to their +// context, providing an operating system or architecture or both. +// +// How do I use this package? +// +// The vast majority of use cases should simply use the match function with +// user input. The first step is to parse a specifier into a matcher: +// +// m, err := Parse("linux") +// if err != nil { ... } +// +// Once you have a matcher, use it to match against the platform declared by a +// component, typically from an image or runtime. Since extracting an images +// platform is a little more involved, we'll use an example against the +// platform default: +// +// if ok := m.Match(Default()); !ok { /* doesn't match */ } +// +// This can be composed in loops for resolving runtimes or used as a filter for +// fetch and select images. +// +// More details of the specifier syntax and platform spec follow. +// +// # Declaring Platform Support +// +// Components that have strict platform requirements should use the OCI +// platform specification to declare their support. Typically, this will be +// images and runtimes that should make these declaring which platform they +// support specifically. This looks roughly as follows: +// +// type Platform struct { +// Architecture string +// OS string +// Variant string +// } +// +// Most images and runtimes should at least set Architecture and OS, according +// to their GOARCH and GOOS values, respectively (follow the OCI image +// specification when in doubt). ARM should set variant under certain +// discussions, which are outlined below. +// +// # Platform Specifiers +// +// While the OCI platform specifications provide a tool for components to +// specify structured information, user input typically doesn't need the full +// context and much can be inferred. To solve this problem, we introduced +// "specifiers". A specifier has the format +// `||/[/]`. The user can provide either the +// operating system or the architecture or both. +// +// An example of a common specifier is `linux/amd64`. If the host has a default +// of runtime that matches this, the user can simply provide the component that +// matters. For example, if a image provides amd64 and arm64 support, the +// operating system, `linux` can be inferred, so they only have to provide +// `arm64` or `amd64`. Similar behavior is implemented for operating systems, +// where the architecture may be known but a runtime may support images from +// different operating systems. +// +// # Normalization +// +// Because not all users are familiar with the way the Go runtime represents +// platforms, several normalizations have been provided to make this package +// easier to user. +// +// The following are performed for architectures: +// +// Value Normalized +// aarch64 arm64 +// armhf arm +// armel arm/v6 +// i386 386 +// x86_64 amd64 +// x86-64 amd64 +// +// We also normalize the operating system `macos` to `darwin`. +// +// # ARM Support +// +// To qualify ARM architecture, the Variant field is used to qualify the arm +// version. The most common arm version, v7, is represented without the variant +// unless it is explicitly provided. This is treated as equivalent to armhf. A +// previous architecture, armel, will be normalized to arm/v6. +// +// Similarly, the most common arm64 version v8, and most common amd64 version v1 +// are represented without the variant. +// +// While these normalizations are provided, their support on arm platforms has +// not yet been fully implemented and tested. +package platforms + +import ( + "fmt" + "path" + "regexp" + "runtime" + "strconv" + "strings" + + specs "github.com/opencontainers/image-spec/specs-go/v1" +) + +var ( + specifierRe = regexp.MustCompile(`^[A-Za-z0-9_-]+$`) + osAndVersionRe = regexp.MustCompile(`^([A-Za-z0-9_-]+)(?:\(([A-Za-z0-9_.-]*)\))?$`) +) + +const osAndVersionFormat = "%s(%s)" + +// Platform is a type alias for convenience, so there is no need to import image-spec package everywhere. +type Platform = specs.Platform + +// Matcher matches platforms specifications, provided by an image or runtime. +type Matcher interface { + Match(platform specs.Platform) bool +} + +// NewMatcher returns a simple matcher based on the provided platform +// specification. The returned matcher only looks for equality based on os, +// architecture and variant. +// +// One may implement their own matcher if this doesn't provide the required +// functionality. +// +// Applications should opt to use `Match` over directly parsing specifiers. +func NewMatcher(platform specs.Platform) Matcher { + return newDefaultMatcher(platform) +} + +type matcher struct { + specs.Platform +} + +func (m *matcher) Match(platform specs.Platform) bool { + normalized := Normalize(platform) + return m.OS == normalized.OS && + m.Architecture == normalized.Architecture && + m.Variant == normalized.Variant +} + +func (m *matcher) String() string { + return FormatAll(m.Platform) +} + +// ParseAll parses a list of platform specifiers into a list of platform. +func ParseAll(specifiers []string) ([]specs.Platform, error) { + platforms := make([]specs.Platform, len(specifiers)) + for i, s := range specifiers { + p, err := Parse(s) + if err != nil { + return nil, fmt.Errorf("invalid platform %s: %w", s, err) + } + platforms[i] = p + } + return platforms, nil +} + +// Parse parses the platform specifier syntax into a platform declaration. +// +// Platform specifiers are in the format `[()]||[()]/[/]`. +// The minimum required information for a platform specifier is the operating +// system or architecture. The OSVersion can be part of the OS like `windows(10.0.17763)` +// When an OSVersion is specified, then specs.Platform.OSVersion is populated with that value, +// and an empty string otherwise. +// If there is only a single string (no slashes), the +// value will be matched against the known set of operating systems, then fall +// back to the known set of architectures. The missing component will be +// inferred based on the local environment. +func Parse(specifier string) (specs.Platform, error) { + if strings.Contains(specifier, "*") { + // TODO(stevvooe): need to work out exact wildcard handling + return specs.Platform{}, fmt.Errorf("%q: wildcards not yet supported: %w", specifier, errInvalidArgument) + } + + // Limit to 4 elements to prevent unbounded split + parts := strings.SplitN(specifier, "/", 4) + + var p specs.Platform + for i, part := range parts { + if i == 0 { + // First element is [()] + osVer := osAndVersionRe.FindStringSubmatch(part) + if osVer == nil { + return specs.Platform{}, fmt.Errorf("%q is an invalid OS component of %q: OSAndVersion specifier component must match %q: %w", part, specifier, osAndVersionRe.String(), errInvalidArgument) + } + + p.OS = normalizeOS(osVer[1]) + p.OSVersion = osVer[2] + } else { + if !specifierRe.MatchString(part) { + return specs.Platform{}, fmt.Errorf("%q is an invalid component of %q: platform specifier component must match %q: %w", part, specifier, specifierRe.String(), errInvalidArgument) + } + } + } + + switch len(parts) { + case 1: + // in this case, we will test that the value might be an OS (with or + // without the optional OSVersion specified) and look it up. + // If it is not known, we'll treat it as an architecture. Since + // we have very little information about the platform here, we are + // going to be a little more strict if we don't know about the argument + // value. + if isKnownOS(p.OS) { + // picks a default architecture + p.Architecture = runtime.GOARCH + if p.Architecture == "arm" && cpuVariant() != "v7" { + p.Variant = cpuVariant() + } + + return p, nil + } + + p.Architecture, p.Variant = normalizeArch(parts[0], "") + if p.Architecture == "arm" && p.Variant == "v7" { + p.Variant = "" + } + if isKnownArch(p.Architecture) { + p.OS = runtime.GOOS + return p, nil + } + + return specs.Platform{}, fmt.Errorf("%q: unknown operating system or architecture: %w", specifier, errInvalidArgument) + case 2: + // In this case, we treat as a regular OS[(OSVersion)]/arch pair. We don't care + // about whether or not we know of the platform. + p.Architecture, p.Variant = normalizeArch(parts[1], "") + if p.Architecture == "arm" && p.Variant == "v7" { + p.Variant = "" + } + + return p, nil + case 3: + // we have a fully specified variant, this is rare + p.Architecture, p.Variant = normalizeArch(parts[1], parts[2]) + if p.Architecture == "arm64" && p.Variant == "" { + p.Variant = "v8" + } + + return p, nil + } + + return specs.Platform{}, fmt.Errorf("%q: cannot parse platform specifier: %w", specifier, errInvalidArgument) +} + +// MustParse is like Parses but panics if the specifier cannot be parsed. +// Simplifies initialization of global variables. +func MustParse(specifier string) specs.Platform { + p, err := Parse(specifier) + if err != nil { + panic("platform: Parse(" + strconv.Quote(specifier) + "): " + err.Error()) + } + return p +} + +// Format returns a string specifier from the provided platform specification. +func Format(platform specs.Platform) string { + if platform.OS == "" { + return "unknown" + } + + return path.Join(platform.OS, platform.Architecture, platform.Variant) +} + +// FormatAll returns a string specifier that also includes the OSVersion from the +// provided platform specification. +func FormatAll(platform specs.Platform) string { + if platform.OS == "" { + return "unknown" + } + + if platform.OSVersion != "" { + OSAndVersion := fmt.Sprintf(osAndVersionFormat, platform.OS, platform.OSVersion) + return path.Join(OSAndVersion, platform.Architecture, platform.Variant) + } + return path.Join(platform.OS, platform.Architecture, platform.Variant) +} + +// Normalize validates and translate the platform to the canonical value. +// +// For example, if "Aarch64" is encountered, we change it to "arm64" or if +// "x86_64" is encountered, it becomes "amd64". +func Normalize(platform specs.Platform) specs.Platform { + platform.OS = normalizeOS(platform.OS) + platform.Architecture, platform.Variant = normalizeArch(platform.Architecture, platform.Variant) + + return platform +} diff --git a/vendor/github.com/containerd/platforms/platforms_other.go b/vendor/github.com/containerd/platforms/platforms_other.go new file mode 100644 index 0000000000..03f4dcd998 --- /dev/null +++ b/vendor/github.com/containerd/platforms/platforms_other.go @@ -0,0 +1,30 @@ +//go:build !windows + +/* + Copyright The containerd Authors. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +package platforms + +import ( + specs "github.com/opencontainers/image-spec/specs-go/v1" +) + +// NewMatcher returns the default Matcher for containerd +func newDefaultMatcher(platform specs.Platform) Matcher { + return &matcher{ + Platform: Normalize(platform), + } +} diff --git a/vendor/github.com/containerd/platforms/platforms_windows.go b/vendor/github.com/containerd/platforms/platforms_windows.go new file mode 100644 index 0000000000..950e2a2ddb --- /dev/null +++ b/vendor/github.com/containerd/platforms/platforms_windows.go @@ -0,0 +1,34 @@ +/* + Copyright The containerd Authors. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +package platforms + +import ( + specs "github.com/opencontainers/image-spec/specs-go/v1" +) + +// NewMatcher returns a Windows matcher that will match on osVersionPrefix if +// the platform is Windows otherwise use the default matcher +func newDefaultMatcher(platform specs.Platform) Matcher { + prefix := prefix(platform.OSVersion) + return windowsmatcher{ + Platform: platform, + osVersionPrefix: prefix, + defaultMatcher: &matcher{ + Platform: Normalize(platform), + }, + } +} diff --git a/vendor/github.com/cyphar/filepath-securejoin/CHANGELOG.md b/vendor/github.com/cyphar/filepath-securejoin/CHANGELOG.md new file mode 100644 index 0000000000..ca0e3c62c7 --- /dev/null +++ b/vendor/github.com/cyphar/filepath-securejoin/CHANGELOG.md @@ -0,0 +1,256 @@ +# Changelog # +All notable changes to this project will be documented in this file. + +The format is based on [Keep a Changelog](http://keepachangelog.com/) +and this project adheres to [Semantic Versioning](http://semver.org/). + +## [Unreleased] ## + +## [0.4.1] - 2025-01-28 ## + +### Fixed ### +- The restrictions added for `root` paths passed to `SecureJoin` in 0.4.0 was + found to be too strict and caused some regressions when folks tried to + update, so this restriction has been relaxed to only return an error if the + path contains a `..` component. We still recommend users use `filepath.Clean` + (and even `filepath.EvalSymlinks`) on the `root` path they are using, but at + least you will no longer be punished for "trivial" unclean paths. + +## [0.4.0] - 2025-01-13 ## + +### Breaking #### +- `SecureJoin(VFS)` will now return an error if the provided `root` is not a + `filepath.Clean`'d path. + + While it is ultimately the responsibility of the caller to ensure the root is + a safe path to use, passing a path like `/symlink/..` as a root would result + in the `SecureJoin`'d path being placed in `/` even though `/symlink/..` + might be a different directory, and so we should more strongly discourage + such usage. + + All major users of `securejoin.SecureJoin` already ensure that the paths they + provide are safe (and this is ultimately a question of user error), but + removing this foot-gun is probably a good idea. Of course, this is + necessarily a breaking API change (though we expect no real users to be + affected by it). + + Thanks to [Erik Sjölund](https://github.com/eriksjolund), who initially + reported this issue as a possible security issue. + +- `MkdirAll` and `MkdirHandle` now take an `os.FileMode`-style mode argument + instead of a raw `unix.S_*`-style mode argument, which may cause compile-time + type errors depending on how you use `filepath-securejoin`. For most users, + there will be no change in behaviour aside from the type change (as the + bottom `0o777` bits are the same in both formats, and most users are probably + only using those bits). + + However, if you were using `unix.S_ISVTX` to set the sticky bit with + `MkdirAll(Handle)` you will need to switch to `os.ModeSticky` otherwise you + will get a runtime error with this update. In addition, the error message you + will get from passing `unix.S_ISUID` and `unix.S_ISGID` will be different as + they are treated as invalid bits now (note that previously passing said bits + was also an error). + +## [0.3.6] - 2024-12-17 ## + +### Compatibility ### +- The minimum Go version requirement for `filepath-securejoin` is now Go 1.18 + (we use generics internally). + + For reference, `filepath-securejoin@v0.3.0` somewhat-arbitrarily bumped the + Go version requirement to 1.21. + + While we did make some use of Go 1.21 stdlib features (and in principle Go + versions <= 1.21 are no longer even supported by upstream anymore), some + downstreams have complained that the version bump has meant that they have to + do workarounds when backporting fixes that use the new `filepath-securejoin` + API onto old branches. This is not an ideal situation, but since using this + library is probably better for most downstreams than a hand-rolled + workaround, we now have compatibility shims that allow us to build on older + Go versions. +- Lower minimum version requirement for `golang.org/x/sys` to `v0.18.0` (we + need the wrappers for `fsconfig(2)`), which should also make backporting + patches to older branches easier. + +## [0.3.5] - 2024-12-06 ## + +### Fixed ### +- `MkdirAll` will now no longer return an `EEXIST` error if two racing + processes are creating the same directory. We will still verify that the path + is a directory, but this will avoid spurious errors when multiple threads or + programs are trying to `MkdirAll` the same path. opencontainers/runc#4543 + +## [0.3.4] - 2024-10-09 ## + +### Fixed ### +- Previously, some testing mocks we had resulted in us doing `import "testing"` + in non-`_test.go` code, which made some downstreams like Kubernetes unhappy. + This has been fixed. (#32) + +## [0.3.3] - 2024-09-30 ## + +### Fixed ### +- The mode and owner verification logic in `MkdirAll` has been removed. This + was originally intended to protect against some theoretical attacks but upon + further consideration these protections don't actually buy us anything and + they were causing spurious errors with more complicated filesystem setups. +- The "is the created directory empty" logic in `MkdirAll` has also been + removed. This was not causing us issues yet, but some pseudofilesystems (such + as `cgroup`) create non-empty directories and so this logic would've been + wrong for such cases. + +## [0.3.2] - 2024-09-13 ## + +### Changed ### +- Passing the `S_ISUID` or `S_ISGID` modes to `MkdirAllInRoot` will now return + an explicit error saying that those bits are ignored by `mkdirat(2)`. In the + past a different error was returned, but since the silent ignoring behaviour + is codified in the man pages a more explicit error seems apt. While silently + ignoring these bits would be the most compatible option, it could lead to + users thinking their code sets these bits when it doesn't. Programs that need + to deal with compatibility can mask the bits themselves. (#23, #25) + +### Fixed ### +- If a directory has `S_ISGID` set, then all child directories will have + `S_ISGID` set when created and a different gid will be used for any inode + created under the directory. Previously, the "expected owner and mode" + validation in `securejoin.MkdirAll` did not correctly handle this. We now + correctly handle this case. (#24, #25) + +## [0.3.1] - 2024-07-23 ## + +### Changed ### +- By allowing `Open(at)InRoot` to opt-out of the extra work done by `MkdirAll` + to do the necessary "partial lookups", `Open(at)InRoot` now does less work + for both implementations (resulting in a many-fold decrease in the number of + operations for `openat2`, and a modest improvement for non-`openat2`) and is + far more guaranteed to match the correct `openat2(RESOLVE_IN_ROOT)` + behaviour. +- We now use `readlinkat(fd, "")` where possible. For `Open(at)InRoot` this + effectively just means that we no longer risk getting spurious errors during + rename races. However, for our hardened procfs handler, this in theory should + prevent mount attacks from tricking us when doing magic-link readlinks (even + when using the unsafe host `/proc` handle). Unfortunately `Reopen` is still + potentially vulnerable to those kinds of somewhat-esoteric attacks. + + Technically this [will only work on post-2.6.39 kernels][linux-readlinkat-emptypath] + but it seems incredibly unlikely anyone is using `filepath-securejoin` on a + pre-2011 kernel. + +### Fixed ### +- Several improvements were made to the errors returned by `Open(at)InRoot` and + `MkdirAll` when dealing with invalid paths under the emulated (ie. + non-`openat2`) implementation. Previously, some paths would return the wrong + error (`ENOENT` when the last component was a non-directory), and other paths + would be returned as though they were acceptable (trailing-slash components + after a non-directory would be ignored by `Open(at)InRoot`). + + These changes were done to match `openat2`'s behaviour and purely is a + consistency fix (most users are going to be using `openat2` anyway). + +[linux-readlinkat-emptypath]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=65cfc6722361570bfe255698d9cd4dccaf47570d + +## [0.3.0] - 2024-07-11 ## + +### Added ### +- A new set of `*os.File`-based APIs have been added. These are adapted from + [libpathrs][] and we strongly suggest using them if possible (as they provide + far more protection against attacks than `SecureJoin`): + + - `Open(at)InRoot` resolves a path inside a rootfs and returns an `*os.File` + handle to the path. Note that the handle returned is an `O_PATH` handle, + which cannot be used for reading or writing (as well as some other + operations -- [see open(2) for more details][open.2]) + + - `Reopen` takes an `O_PATH` file handle and safely re-opens it to upgrade + it to a regular handle. This can also be used with non-`O_PATH` handles, + but `O_PATH` is the most obvious application. + + - `MkdirAll` is an implementation of `os.MkdirAll` that is safe to use to + create a directory tree within a rootfs. + + As these are new APIs, they may change in the future. However, they should be + safe to start migrating to as we have extensive tests ensuring they behave + correctly and are safe against various races and other attacks. + +[libpathrs]: https://github.com/openSUSE/libpathrs +[open.2]: https://www.man7.org/linux/man-pages/man2/open.2.html + +## [0.2.5] - 2024-05-03 ## + +### Changed ### +- Some minor changes were made to how lexical components (like `..` and `.`) + are handled during path generation in `SecureJoin`. There is no behaviour + change as a result of this fix (the resulting paths are the same). + +### Fixed ### +- The error returned when we hit a symlink loop now references the correct + path. (#10) + +## [0.2.4] - 2023-09-06 ## + +### Security ### +- This release fixes a potential security issue in filepath-securejoin when + used on Windows ([GHSA-6xv5-86q9-7xr8][], which could be used to generate + paths outside of the provided rootfs in certain cases), as well as improving + the overall behaviour of filepath-securejoin when dealing with Windows paths + that contain volume names. Thanks to Paulo Gomes for discovering and fixing + these issues. + +### Fixed ### +- Switch to GitHub Actions for CI so we can test on Windows as well as Linux + and MacOS. + +[GHSA-6xv5-86q9-7xr8]: https://github.com/advisories/GHSA-6xv5-86q9-7xr8 + +## [0.2.3] - 2021-06-04 ## + +### Changed ### +- Switch to Go 1.13-style `%w` error wrapping, letting us drop the dependency + on `github.com/pkg/errors`. + +## [0.2.2] - 2018-09-05 ## + +### Changed ### +- Use `syscall.ELOOP` as the base error for symlink loops, rather than our own + (internal) error. This allows callers to more easily use `errors.Is` to check + for this case. + +## [0.2.1] - 2018-09-05 ## + +### Fixed ### +- Use our own `IsNotExist` implementation, which lets us handle `ENOTDIR` + properly within `SecureJoin`. + +## [0.2.0] - 2017-07-19 ## + +We now have 100% test coverage! + +### Added ### +- Add a `SecureJoinVFS` API that can be used for mocking (as we do in our new + tests) or for implementing custom handling of lookup operations (such as for + rootless containers, where work is necessary to access directories with weird + modes because we don't have `CAP_DAC_READ_SEARCH` or `CAP_DAC_OVERRIDE`). + +## 0.1.0 - 2017-07-19 + +This is our first release of `github.com/cyphar/filepath-securejoin`, +containing a full implementation with a coverage of 93.5% (the only missing +cases are the error cases, which are hard to mocktest at the moment). + +[Unreleased]: https://github.com/cyphar/filepath-securejoin/compare/v0.4.1...HEAD +[0.4.1]: https://github.com/cyphar/filepath-securejoin/compare/v0.4.0...v0.4.1 +[0.4.0]: https://github.com/cyphar/filepath-securejoin/compare/v0.3.6...v0.4.0 +[0.3.6]: https://github.com/cyphar/filepath-securejoin/compare/v0.3.5...v0.3.6 +[0.3.5]: https://github.com/cyphar/filepath-securejoin/compare/v0.3.4...v0.3.5 +[0.3.4]: https://github.com/cyphar/filepath-securejoin/compare/v0.3.3...v0.3.4 +[0.3.3]: https://github.com/cyphar/filepath-securejoin/compare/v0.3.2...v0.3.3 +[0.3.2]: https://github.com/cyphar/filepath-securejoin/compare/v0.3.1...v0.3.2 +[0.3.1]: https://github.com/cyphar/filepath-securejoin/compare/v0.3.0...v0.3.1 +[0.3.0]: https://github.com/cyphar/filepath-securejoin/compare/v0.2.5...v0.3.0 +[0.2.5]: https://github.com/cyphar/filepath-securejoin/compare/v0.2.4...v0.2.5 +[0.2.4]: https://github.com/cyphar/filepath-securejoin/compare/v0.2.3...v0.2.4 +[0.2.3]: https://github.com/cyphar/filepath-securejoin/compare/v0.2.2...v0.2.3 +[0.2.2]: https://github.com/cyphar/filepath-securejoin/compare/v0.2.1...v0.2.2 +[0.2.1]: https://github.com/cyphar/filepath-securejoin/compare/v0.2.0...v0.2.1 +[0.2.0]: https://github.com/cyphar/filepath-securejoin/compare/v0.1.0...v0.2.0 diff --git a/vendor/github.com/cyphar/filepath-securejoin/LICENSE b/vendor/github.com/cyphar/filepath-securejoin/LICENSE new file mode 100644 index 0000000000..cb1ab88da0 --- /dev/null +++ b/vendor/github.com/cyphar/filepath-securejoin/LICENSE @@ -0,0 +1,28 @@ +Copyright (C) 2014-2015 Docker Inc & Go Authors. All rights reserved. +Copyright (C) 2017-2024 SUSE LLC. All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are +met: + + * Redistributions of source code must retain the above copyright +notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above +copyright notice, this list of conditions and the following disclaimer +in the documentation and/or other materials provided with the +distribution. + * Neither the name of Google Inc. nor the names of its +contributors may be used to endorse or promote products derived from +this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. diff --git a/vendor/github.com/cyphar/filepath-securejoin/README.md b/vendor/github.com/cyphar/filepath-securejoin/README.md new file mode 100644 index 0000000000..eaeb53fcd0 --- /dev/null +++ b/vendor/github.com/cyphar/filepath-securejoin/README.md @@ -0,0 +1,169 @@ +## `filepath-securejoin` ## + +[![Go Documentation](https://pkg.go.dev/badge/github.com/cyphar/filepath-securejoin.svg)](https://pkg.go.dev/github.com/cyphar/filepath-securejoin) +[![Build Status](https://github.com/cyphar/filepath-securejoin/actions/workflows/ci.yml/badge.svg)](https://github.com/cyphar/filepath-securejoin/actions/workflows/ci.yml) + +### Old API ### + +This library was originally just an implementation of `SecureJoin` which was +[intended to be included in the Go standard library][go#20126] as a safer +`filepath.Join` that would restrict the path lookup to be inside a root +directory. + +The implementation was based on code that existed in several container +runtimes. Unfortunately, this API is **fundamentally unsafe** against attackers +that can modify path components after `SecureJoin` returns and before the +caller uses the path, allowing for some fairly trivial TOCTOU attacks. + +`SecureJoin` (and `SecureJoinVFS`) are still provided by this library to +support legacy users, but new users are strongly suggested to avoid using +`SecureJoin` and instead use the [new api](#new-api) or switch to +[libpathrs][libpathrs]. + +With the above limitations in mind, this library guarantees the following: + +* If no error is set, the resulting string **must** be a child path of + `root` and will not contain any symlink path components (they will all be + expanded). + +* When expanding symlinks, all symlink path components **must** be resolved + relative to the provided root. In particular, this can be considered a + userspace implementation of how `chroot(2)` operates on file paths. Note that + these symlinks will **not** be expanded lexically (`filepath.Clean` is not + called on the input before processing). + +* Non-existent path components are unaffected by `SecureJoin` (similar to + `filepath.EvalSymlinks`'s semantics). + +* The returned path will always be `filepath.Clean`ed and thus not contain any + `..` components. + +A (trivial) implementation of this function on GNU/Linux systems could be done +with the following (note that this requires root privileges and is far more +opaque than the implementation in this library, and also requires that +`readlink` is inside the `root` path and is trustworthy): + +```go +package securejoin + +import ( + "os/exec" + "path/filepath" +) + +func SecureJoin(root, unsafePath string) (string, error) { + unsafePath = string(filepath.Separator) + unsafePath + cmd := exec.Command("chroot", root, + "readlink", "--canonicalize-missing", "--no-newline", unsafePath) + output, err := cmd.CombinedOutput() + if err != nil { + return "", err + } + expanded := string(output) + return filepath.Join(root, expanded), nil +} +``` + +[libpathrs]: https://github.com/openSUSE/libpathrs +[go#20126]: https://github.com/golang/go/issues/20126 + +### New API ### + +While we recommend users switch to [libpathrs][libpathrs] as soon as it has a +stable release, some methods implemented by libpathrs have been ported to this +library to ease the transition. These APIs are only supported on Linux. + +These APIs are implemented such that `filepath-securejoin` will +opportunistically use certain newer kernel APIs that make these operations far +more secure. In particular: + +* All of the lookup operations will use [`openat2`][openat2.2] on new enough + kernels (Linux 5.6 or later) to restrict lookups through magic-links and + bind-mounts (for certain operations) and to make use of `RESOLVE_IN_ROOT` to + efficiently resolve symlinks within a rootfs. + +* The APIs provide hardening against a malicious `/proc` mount to either detect + or avoid being tricked by a `/proc` that is not legitimate. This is done + using [`openat2`][openat2.2] for all users, and privileged users will also be + further protected by using [`fsopen`][fsopen.2] and [`open_tree`][open_tree.2] + (Linux 5.2 or later). + +[openat2.2]: https://www.man7.org/linux/man-pages/man2/openat2.2.html +[fsopen.2]: https://github.com/brauner/man-pages-md/blob/main/fsopen.md +[open_tree.2]: https://github.com/brauner/man-pages-md/blob/main/open_tree.md + +#### `OpenInRoot` #### + +```go +func OpenInRoot(root, unsafePath string) (*os.File, error) +func OpenatInRoot(root *os.File, unsafePath string) (*os.File, error) +func Reopen(handle *os.File, flags int) (*os.File, error) +``` + +`OpenInRoot` is a much safer version of + +```go +path, err := securejoin.SecureJoin(root, unsafePath) +file, err := os.OpenFile(path, unix.O_PATH|unix.O_CLOEXEC) +``` + +that protects against various race attacks that could lead to serious security +issues, depending on the application. Note that the returned `*os.File` is an +`O_PATH` file descriptor, which is quite restricted. Callers will probably need +to use `Reopen` to get a more usable handle (this split is done to provide +useful features like PTY spawning and to avoid users accidentally opening bad +inodes that could cause a DoS). + +Callers need to be careful in how they use the returned `*os.File`. Usually it +is only safe to operate on the handle directly, and it is very easy to create a +security issue. [libpathrs][libpathrs] provides far more helpers to make using +these handles safer -- there is currently no plan to port them to +`filepath-securejoin`. + +`OpenatInRoot` is like `OpenInRoot` except that the root is provided using an +`*os.File`. This allows you to ensure that multiple `OpenatInRoot` (or +`MkdirAllHandle`) calls are operating on the same rootfs. + +> **NOTE**: Unlike `SecureJoin`, `OpenInRoot` will error out as soon as it hits +> a dangling symlink or non-existent path. This is in contrast to `SecureJoin` +> which treated non-existent components as though they were real directories, +> and would allow for partial resolution of dangling symlinks. These behaviours +> are at odds with how Linux treats non-existent paths and dangling symlinks, +> and so these are no longer allowed. + +#### `MkdirAll` #### + +```go +func MkdirAll(root, unsafePath string, mode int) error +func MkdirAllHandle(root *os.File, unsafePath string, mode int) (*os.File, error) +``` + +`MkdirAll` is a much safer version of + +```go +path, err := securejoin.SecureJoin(root, unsafePath) +err = os.MkdirAll(path, mode) +``` + +that protects against the same kinds of races that `OpenInRoot` protects +against. + +`MkdirAllHandle` is like `MkdirAll` except that the root is provided using an +`*os.File` (the reason for this is the same as with `OpenatInRoot`) and an +`*os.File` of the final created directory is returned (this directory is +guaranteed to be effectively identical to the directory created by +`MkdirAllHandle`, which is not possible to ensure by just using `OpenatInRoot` +after `MkdirAll`). + +> **NOTE**: Unlike `SecureJoin`, `MkdirAll` will error out as soon as it hits +> a dangling symlink or non-existent path. This is in contrast to `SecureJoin` +> which treated non-existent components as though they were real directories, +> and would allow for partial resolution of dangling symlinks. These behaviours +> are at odds with how Linux treats non-existent paths and dangling symlinks, +> and so these are no longer allowed. This means that `MkdirAll` will not +> create non-existent directories referenced by a dangling symlink. + +### License ### + +The license of this project is the same as Go, which is a BSD 3-clause license +available in the `LICENSE` file. diff --git a/vendor/github.com/cyphar/filepath-securejoin/VERSION b/vendor/github.com/cyphar/filepath-securejoin/VERSION new file mode 100644 index 0000000000..267577d47e --- /dev/null +++ b/vendor/github.com/cyphar/filepath-securejoin/VERSION @@ -0,0 +1 @@ +0.4.1 diff --git a/vendor/github.com/cyphar/filepath-securejoin/doc.go b/vendor/github.com/cyphar/filepath-securejoin/doc.go new file mode 100644 index 0000000000..1ec7d065ef --- /dev/null +++ b/vendor/github.com/cyphar/filepath-securejoin/doc.go @@ -0,0 +1,39 @@ +// Copyright (C) 2014-2015 Docker Inc & Go Authors. All rights reserved. +// Copyright (C) 2017-2024 SUSE LLC. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +// Package securejoin implements a set of helpers to make it easier to write Go +// code that is safe against symlink-related escape attacks. The primary idea +// is to let you resolve a path within a rootfs directory as if the rootfs was +// a chroot. +// +// securejoin has two APIs, a "legacy" API and a "modern" API. +// +// The legacy API is [SecureJoin] and [SecureJoinVFS]. These methods are +// **not** safe against race conditions where an attacker changes the +// filesystem after (or during) the [SecureJoin] operation. +// +// The new API is made up of [OpenInRoot] and [MkdirAll] (and derived +// functions). These are safe against racing attackers and have several other +// protections that are not provided by the legacy API. There are many more +// operations that most programs expect to be able to do safely, but we do not +// provide explicit support for them because we want to encourage users to +// switch to [libpathrs](https://github.com/openSUSE/libpathrs) which is a +// cross-language next-generation library that is entirely designed around +// operating on paths safely. +// +// securejoin has been used by several container runtimes (Docker, runc, +// Kubernetes, etc) for quite a few years as a de-facto standard for operating +// on container filesystem paths "safely". However, most users still use the +// legacy API which is unsafe against various attacks (there is a fairly long +// history of CVEs in dependent as a result). Users should switch to the modern +// API as soon as possible (or even better, switch to libpathrs). +// +// This project was initially intended to be included in the Go standard +// library, but [it was rejected](https://go.dev/issue/20126). There is now a +// [new Go proposal](https://go.dev/issue/67002) for a safe path resolution API +// that shares some of the goals of filepath-securejoin. However, that design +// is intended to work like `openat2(RESOLVE_BENEATH)` which does not fit the +// usecase of container runtimes and most system tools. +package securejoin diff --git a/vendor/github.com/cyphar/filepath-securejoin/gocompat_errors_go120.go b/vendor/github.com/cyphar/filepath-securejoin/gocompat_errors_go120.go new file mode 100644 index 0000000000..42452bbf9b --- /dev/null +++ b/vendor/github.com/cyphar/filepath-securejoin/gocompat_errors_go120.go @@ -0,0 +1,18 @@ +//go:build linux && go1.20 + +// Copyright (C) 2024 SUSE LLC. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package securejoin + +import ( + "fmt" +) + +// wrapBaseError is a helper that is equivalent to fmt.Errorf("%w: %w"), except +// that on pre-1.20 Go versions only errors.Is() works properly (errors.Unwrap) +// is only guaranteed to give you baseErr. +func wrapBaseError(baseErr, extraErr error) error { + return fmt.Errorf("%w: %w", extraErr, baseErr) +} diff --git a/vendor/github.com/cyphar/filepath-securejoin/gocompat_errors_unsupported.go b/vendor/github.com/cyphar/filepath-securejoin/gocompat_errors_unsupported.go new file mode 100644 index 0000000000..e7adca3fd1 --- /dev/null +++ b/vendor/github.com/cyphar/filepath-securejoin/gocompat_errors_unsupported.go @@ -0,0 +1,38 @@ +//go:build linux && !go1.20 + +// Copyright (C) 2024 SUSE LLC. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package securejoin + +import ( + "fmt" +) + +type wrappedError struct { + inner error + isError error +} + +func (err wrappedError) Is(target error) bool { + return err.isError == target +} + +func (err wrappedError) Unwrap() error { + return err.inner +} + +func (err wrappedError) Error() string { + return fmt.Sprintf("%v: %v", err.isError, err.inner) +} + +// wrapBaseError is a helper that is equivalent to fmt.Errorf("%w: %w"), except +// that on pre-1.20 Go versions only errors.Is() works properly (errors.Unwrap) +// is only guaranteed to give you baseErr. +func wrapBaseError(baseErr, extraErr error) error { + return wrappedError{ + inner: baseErr, + isError: extraErr, + } +} diff --git a/vendor/github.com/cyphar/filepath-securejoin/gocompat_generics_go121.go b/vendor/github.com/cyphar/filepath-securejoin/gocompat_generics_go121.go new file mode 100644 index 0000000000..ddd6fa9a41 --- /dev/null +++ b/vendor/github.com/cyphar/filepath-securejoin/gocompat_generics_go121.go @@ -0,0 +1,32 @@ +//go:build linux && go1.21 + +// Copyright (C) 2024 SUSE LLC. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package securejoin + +import ( + "slices" + "sync" +) + +func slices_DeleteFunc[S ~[]E, E any](slice S, delFn func(E) bool) S { + return slices.DeleteFunc(slice, delFn) +} + +func slices_Contains[S ~[]E, E comparable](slice S, val E) bool { + return slices.Contains(slice, val) +} + +func slices_Clone[S ~[]E, E any](slice S) S { + return slices.Clone(slice) +} + +func sync_OnceValue[T any](f func() T) func() T { + return sync.OnceValue(f) +} + +func sync_OnceValues[T1, T2 any](f func() (T1, T2)) func() (T1, T2) { + return sync.OnceValues(f) +} diff --git a/vendor/github.com/cyphar/filepath-securejoin/gocompat_generics_unsupported.go b/vendor/github.com/cyphar/filepath-securejoin/gocompat_generics_unsupported.go new file mode 100644 index 0000000000..f1e6fe7e71 --- /dev/null +++ b/vendor/github.com/cyphar/filepath-securejoin/gocompat_generics_unsupported.go @@ -0,0 +1,124 @@ +//go:build linux && !go1.21 + +// Copyright (C) 2024 SUSE LLC. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package securejoin + +import ( + "sync" +) + +// These are very minimal implementations of functions that appear in Go 1.21's +// stdlib, included so that we can build on older Go versions. Most are +// borrowed directly from the stdlib, and a few are modified to be "obviously +// correct" without needing to copy too many other helpers. + +// clearSlice is equivalent to the builtin clear from Go 1.21. +// Copied from the Go 1.24 stdlib implementation. +func clearSlice[S ~[]E, E any](slice S) { + var zero E + for i := range slice { + slice[i] = zero + } +} + +// Copied from the Go 1.24 stdlib implementation. +func slices_IndexFunc[S ~[]E, E any](s S, f func(E) bool) int { + for i := range s { + if f(s[i]) { + return i + } + } + return -1 +} + +// Copied from the Go 1.24 stdlib implementation. +func slices_DeleteFunc[S ~[]E, E any](s S, del func(E) bool) S { + i := slices_IndexFunc(s, del) + if i == -1 { + return s + } + // Don't start copying elements until we find one to delete. + for j := i + 1; j < len(s); j++ { + if v := s[j]; !del(v) { + s[i] = v + i++ + } + } + clearSlice(s[i:]) // zero/nil out the obsolete elements, for GC + return s[:i] +} + +// Similar to the stdlib slices.Contains, except that we don't have +// slices.Index so we need to use slices.IndexFunc for this non-Func helper. +func slices_Contains[S ~[]E, E comparable](s S, v E) bool { + return slices_IndexFunc(s, func(e E) bool { return e == v }) >= 0 +} + +// Copied from the Go 1.24 stdlib implementation. +func slices_Clone[S ~[]E, E any](s S) S { + // Preserve nil in case it matters. + if s == nil { + return nil + } + return append(S([]E{}), s...) +} + +// Copied from the Go 1.24 stdlib implementation. +func sync_OnceValue[T any](f func() T) func() T { + var ( + once sync.Once + valid bool + p any + result T + ) + g := func() { + defer func() { + p = recover() + if !valid { + panic(p) + } + }() + result = f() + f = nil + valid = true + } + return func() T { + once.Do(g) + if !valid { + panic(p) + } + return result + } +} + +// Copied from the Go 1.24 stdlib implementation. +func sync_OnceValues[T1, T2 any](f func() (T1, T2)) func() (T1, T2) { + var ( + once sync.Once + valid bool + p any + r1 T1 + r2 T2 + ) + g := func() { + defer func() { + p = recover() + if !valid { + panic(p) + } + }() + r1, r2 = f() + f = nil + valid = true + } + return func() (T1, T2) { + once.Do(g) + if !valid { + panic(p) + } + return r1, r2 + } +} diff --git a/vendor/github.com/cyphar/filepath-securejoin/join.go b/vendor/github.com/cyphar/filepath-securejoin/join.go new file mode 100644 index 0000000000..e6634d4778 --- /dev/null +++ b/vendor/github.com/cyphar/filepath-securejoin/join.go @@ -0,0 +1,166 @@ +// Copyright (C) 2014-2015 Docker Inc & Go Authors. All rights reserved. +// Copyright (C) 2017-2025 SUSE LLC. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package securejoin + +import ( + "errors" + "os" + "path/filepath" + "strings" + "syscall" +) + +const maxSymlinkLimit = 255 + +// IsNotExist tells you if err is an error that implies that either the path +// accessed does not exist (or path components don't exist). This is +// effectively a more broad version of [os.IsNotExist]. +func IsNotExist(err error) bool { + // Check that it's not actually an ENOTDIR, which in some cases is a more + // convoluted case of ENOENT (usually involving weird paths). + return errors.Is(err, os.ErrNotExist) || errors.Is(err, syscall.ENOTDIR) || errors.Is(err, syscall.ENOENT) +} + +// errUnsafeRoot is returned if the user provides SecureJoinVFS with a path +// that contains ".." components. +var errUnsafeRoot = errors.New("root path provided to SecureJoin contains '..' components") + +// stripVolume just gets rid of the Windows volume included in a path. Based on +// some godbolt tests, the Go compiler is smart enough to make this a no-op on +// Linux. +func stripVolume(path string) string { + return path[len(filepath.VolumeName(path)):] +} + +// hasDotDot checks if the path contains ".." components in a platform-agnostic +// way. +func hasDotDot(path string) bool { + // If we are on Windows, strip any volume letters. It turns out that + // C:..\foo may (or may not) be a valid pathname and we need to handle that + // leading "..". + path = stripVolume(path) + // Look for "/../" in the path, but we need to handle leading and trailing + // ".."s by adding separators. Doing this with filepath.Separator is ugly + // so just convert to Unix-style "/" first. + path = filepath.ToSlash(path) + return strings.Contains("/"+path+"/", "/../") +} + +// SecureJoinVFS joins the two given path components (similar to [filepath.Join]) except +// that the returned path is guaranteed to be scoped inside the provided root +// path (when evaluated). Any symbolic links in the path are evaluated with the +// given root treated as the root of the filesystem, similar to a chroot. The +// filesystem state is evaluated through the given [VFS] interface (if nil, the +// standard [os].* family of functions are used). +// +// Note that the guarantees provided by this function only apply if the path +// components in the returned string are not modified (in other words are not +// replaced with symlinks on the filesystem) after this function has returned. +// Such a symlink race is necessarily out-of-scope of SecureJoinVFS. +// +// NOTE: Due to the above limitation, Linux users are strongly encouraged to +// use [OpenInRoot] instead, which does safely protect against these kinds of +// attacks. There is no way to solve this problem with SecureJoinVFS because +// the API is fundamentally wrong (you cannot return a "safe" path string and +// guarantee it won't be modified afterwards). +// +// Volume names in unsafePath are always discarded, regardless if they are +// provided via direct input or when evaluating symlinks. Therefore: +// +// "C:\Temp" + "D:\path\to\file.txt" results in "C:\Temp\path\to\file.txt" +// +// If the provided root is not [filepath.Clean] then an error will be returned, +// as such root paths are bordering on somewhat unsafe and using such paths is +// not best practice. We also strongly suggest that any root path is first +// fully resolved using [filepath.EvalSymlinks] or otherwise constructed to +// avoid containing symlink components. Of course, the root also *must not* be +// attacker-controlled. +func SecureJoinVFS(root, unsafePath string, vfs VFS) (string, error) { + // The root path must not contain ".." components, otherwise when we join + // the subpath we will end up with a weird path. We could work around this + // in other ways but users shouldn't be giving us non-lexical root paths in + // the first place. + if hasDotDot(root) { + return "", errUnsafeRoot + } + + // Use the os.* VFS implementation if none was specified. + if vfs == nil { + vfs = osVFS{} + } + + unsafePath = filepath.FromSlash(unsafePath) + var ( + currentPath string + remainingPath = unsafePath + linksWalked int + ) + for remainingPath != "" { + // On Windows, if we managed to end up at a path referencing a volume, + // drop the volume to make sure we don't end up with broken paths or + // escaping the root volume. + remainingPath = stripVolume(remainingPath) + + // Get the next path component. + var part string + if i := strings.IndexRune(remainingPath, filepath.Separator); i == -1 { + part, remainingPath = remainingPath, "" + } else { + part, remainingPath = remainingPath[:i], remainingPath[i+1:] + } + + // Apply the component lexically to the path we are building. + // currentPath does not contain any symlinks, and we are lexically + // dealing with a single component, so it's okay to do a filepath.Clean + // here. + nextPath := filepath.Join(string(filepath.Separator), currentPath, part) + if nextPath == string(filepath.Separator) { + currentPath = "" + continue + } + fullPath := root + string(filepath.Separator) + nextPath + + // Figure out whether the path is a symlink. + fi, err := vfs.Lstat(fullPath) + if err != nil && !IsNotExist(err) { + return "", err + } + // Treat non-existent path components the same as non-symlinks (we + // can't do any better here). + if IsNotExist(err) || fi.Mode()&os.ModeSymlink == 0 { + currentPath = nextPath + continue + } + + // It's a symlink, so get its contents and expand it by prepending it + // to the yet-unparsed path. + linksWalked++ + if linksWalked > maxSymlinkLimit { + return "", &os.PathError{Op: "SecureJoin", Path: root + string(filepath.Separator) + unsafePath, Err: syscall.ELOOP} + } + + dest, err := vfs.Readlink(fullPath) + if err != nil { + return "", err + } + remainingPath = dest + string(filepath.Separator) + remainingPath + // Absolute symlinks reset any work we've already done. + if filepath.IsAbs(dest) { + currentPath = "" + } + } + + // There should be no lexical components like ".." left in the path here, + // but for safety clean up the path before joining it to the root. + finalPath := filepath.Join(string(filepath.Separator), currentPath) + return filepath.Join(root, finalPath), nil +} + +// SecureJoin is a wrapper around [SecureJoinVFS] that just uses the [os].* library +// of functions as the [VFS]. If in doubt, use this function over [SecureJoinVFS]. +func SecureJoin(root, unsafePath string) (string, error) { + return SecureJoinVFS(root, unsafePath, nil) +} diff --git a/vendor/github.com/cyphar/filepath-securejoin/lookup_linux.go b/vendor/github.com/cyphar/filepath-securejoin/lookup_linux.go new file mode 100644 index 0000000000..be81e498d7 --- /dev/null +++ b/vendor/github.com/cyphar/filepath-securejoin/lookup_linux.go @@ -0,0 +1,388 @@ +//go:build linux + +// Copyright (C) 2024 SUSE LLC. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package securejoin + +import ( + "errors" + "fmt" + "os" + "path" + "path/filepath" + "strings" + + "golang.org/x/sys/unix" +) + +type symlinkStackEntry struct { + // (dir, remainingPath) is what we would've returned if the link didn't + // exist. This matches what openat2(RESOLVE_IN_ROOT) would return in + // this case. + dir *os.File + remainingPath string + // linkUnwalked is the remaining path components from the original + // Readlink which we have yet to walk. When this slice is empty, we + // drop the link from the stack. + linkUnwalked []string +} + +func (se symlinkStackEntry) String() string { + return fmt.Sprintf("<%s>/%s [->%s]", se.dir.Name(), se.remainingPath, strings.Join(se.linkUnwalked, "/")) +} + +func (se symlinkStackEntry) Close() { + _ = se.dir.Close() +} + +type symlinkStack []*symlinkStackEntry + +func (s *symlinkStack) IsEmpty() bool { + return s == nil || len(*s) == 0 +} + +func (s *symlinkStack) Close() { + if s != nil { + for _, link := range *s { + link.Close() + } + // TODO: Switch to clear once we switch to Go 1.21. + *s = nil + } +} + +var ( + errEmptyStack = errors.New("[internal] stack is empty") + errBrokenSymlinkStack = errors.New("[internal error] broken symlink stack") +) + +func (s *symlinkStack) popPart(part string) error { + if s == nil || s.IsEmpty() { + // If there is nothing in the symlink stack, then the part was from the + // real path provided by the user, and this is a no-op. + return errEmptyStack + } + if part == "." { + // "." components are no-ops -- we drop them when doing SwapLink. + return nil + } + + tailEntry := (*s)[len(*s)-1] + + // Double-check that we are popping the component we expect. + if len(tailEntry.linkUnwalked) == 0 { + return fmt.Errorf("%w: trying to pop component %q of empty stack entry %s", errBrokenSymlinkStack, part, tailEntry) + } + headPart := tailEntry.linkUnwalked[0] + if headPart != part { + return fmt.Errorf("%w: trying to pop component %q but the last stack entry is %s (%q)", errBrokenSymlinkStack, part, tailEntry, headPart) + } + + // Drop the component, but keep the entry around in case we are dealing + // with a "tail-chained" symlink. + tailEntry.linkUnwalked = tailEntry.linkUnwalked[1:] + return nil +} + +func (s *symlinkStack) PopPart(part string) error { + if err := s.popPart(part); err != nil { + if errors.Is(err, errEmptyStack) { + // Skip empty stacks. + err = nil + } + return err + } + + // Clean up any of the trailing stack entries that are empty. + for lastGood := len(*s) - 1; lastGood >= 0; lastGood-- { + entry := (*s)[lastGood] + if len(entry.linkUnwalked) > 0 { + break + } + entry.Close() + (*s) = (*s)[:lastGood] + } + return nil +} + +func (s *symlinkStack) push(dir *os.File, remainingPath, linkTarget string) error { + if s == nil { + return nil + } + // Split the link target and clean up any "" parts. + linkTargetParts := slices_DeleteFunc( + strings.Split(linkTarget, "/"), + func(part string) bool { return part == "" || part == "." }) + + // Copy the directory so the caller doesn't close our copy. + dirCopy, err := dupFile(dir) + if err != nil { + return err + } + + // Add to the stack. + *s = append(*s, &symlinkStackEntry{ + dir: dirCopy, + remainingPath: remainingPath, + linkUnwalked: linkTargetParts, + }) + return nil +} + +func (s *symlinkStack) SwapLink(linkPart string, dir *os.File, remainingPath, linkTarget string) error { + // If we are currently inside a symlink resolution, remove the symlink + // component from the last symlink entry, but don't remove the entry even + // if it's empty. If we are a "tail-chained" symlink (a trailing symlink we + // hit during a symlink resolution) we need to keep the old symlink until + // we finish the resolution. + if err := s.popPart(linkPart); err != nil { + if !errors.Is(err, errEmptyStack) { + return err + } + // Push the component regardless of whether the stack was empty. + } + return s.push(dir, remainingPath, linkTarget) +} + +func (s *symlinkStack) PopTopSymlink() (*os.File, string, bool) { + if s == nil || s.IsEmpty() { + return nil, "", false + } + tailEntry := (*s)[0] + *s = (*s)[1:] + return tailEntry.dir, tailEntry.remainingPath, true +} + +// partialLookupInRoot tries to lookup as much of the request path as possible +// within the provided root (a-la RESOLVE_IN_ROOT) and opens the final existing +// component of the requested path, returning a file handle to the final +// existing component and a string containing the remaining path components. +func partialLookupInRoot(root *os.File, unsafePath string) (*os.File, string, error) { + return lookupInRoot(root, unsafePath, true) +} + +func completeLookupInRoot(root *os.File, unsafePath string) (*os.File, error) { + handle, remainingPath, err := lookupInRoot(root, unsafePath, false) + if remainingPath != "" && err == nil { + // should never happen + err = fmt.Errorf("[bug] non-empty remaining path when doing a non-partial lookup: %q", remainingPath) + } + // lookupInRoot(partial=false) will always close the handle if an error is + // returned, so no need to double-check here. + return handle, err +} + +func lookupInRoot(root *os.File, unsafePath string, partial bool) (Handle *os.File, _ string, _ error) { + unsafePath = filepath.ToSlash(unsafePath) // noop + + // This is very similar to SecureJoin, except that we operate on the + // components using file descriptors. We then return the last component we + // managed open, along with the remaining path components not opened. + + // Try to use openat2 if possible. + if hasOpenat2() { + return lookupOpenat2(root, unsafePath, partial) + } + + // Get the "actual" root path from /proc/self/fd. This is necessary if the + // root is some magic-link like /proc/$pid/root, in which case we want to + // make sure when we do checkProcSelfFdPath that we are using the correct + // root path. + logicalRootPath, err := procSelfFdReadlink(root) + if err != nil { + return nil, "", fmt.Errorf("get real root path: %w", err) + } + + currentDir, err := dupFile(root) + if err != nil { + return nil, "", fmt.Errorf("clone root fd: %w", err) + } + defer func() { + // If a handle is not returned, close the internal handle. + if Handle == nil { + _ = currentDir.Close() + } + }() + + // symlinkStack is used to emulate how openat2(RESOLVE_IN_ROOT) treats + // dangling symlinks. If we hit a non-existent path while resolving a + // symlink, we need to return the (dir, remainingPath) that we had when we + // hit the symlink (treating the symlink as though it were a regular file). + // The set of (dir, remainingPath) sets is stored within the symlinkStack + // and we add and remove parts when we hit symlink and non-symlink + // components respectively. We need a stack because of recursive symlinks + // (symlinks that contain symlink components in their target). + // + // Note that the stack is ONLY used for book-keeping. All of the actual + // path walking logic is still based on currentPath/remainingPath and + // currentDir (as in SecureJoin). + var symStack *symlinkStack + if partial { + symStack = new(symlinkStack) + defer symStack.Close() + } + + var ( + linksWalked int + currentPath string + remainingPath = unsafePath + ) + for remainingPath != "" { + // Save the current remaining path so if the part is not real we can + // return the path including the component. + oldRemainingPath := remainingPath + + // Get the next path component. + var part string + if i := strings.IndexByte(remainingPath, '/'); i == -1 { + part, remainingPath = remainingPath, "" + } else { + part, remainingPath = remainingPath[:i], remainingPath[i+1:] + } + // If we hit an empty component, we need to treat it as though it is + // "." so that trailing "/" and "//" components on a non-directory + // correctly return the right error code. + if part == "" { + part = "." + } + + // Apply the component lexically to the path we are building. + // currentPath does not contain any symlinks, and we are lexically + // dealing with a single component, so it's okay to do a filepath.Clean + // here. + nextPath := path.Join("/", currentPath, part) + // If we logically hit the root, just clone the root rather than + // opening the part and doing all of the other checks. + if nextPath == "/" { + if err := symStack.PopPart(part); err != nil { + return nil, "", fmt.Errorf("walking into root with part %q failed: %w", part, err) + } + // Jump to root. + rootClone, err := dupFile(root) + if err != nil { + return nil, "", fmt.Errorf("clone root fd: %w", err) + } + _ = currentDir.Close() + currentDir = rootClone + currentPath = nextPath + continue + } + + // Try to open the next component. + nextDir, err := openatFile(currentDir, part, unix.O_PATH|unix.O_NOFOLLOW|unix.O_CLOEXEC, 0) + switch { + case err == nil: + st, err := nextDir.Stat() + if err != nil { + _ = nextDir.Close() + return nil, "", fmt.Errorf("stat component %q: %w", part, err) + } + + switch st.Mode() & os.ModeType { + case os.ModeSymlink: + // readlinkat implies AT_EMPTY_PATH since Linux 2.6.39. See + // Linux commit 65cfc6722361 ("readlinkat(), fchownat() and + // fstatat() with empty relative pathnames"). + linkDest, err := readlinkatFile(nextDir, "") + // We don't need the handle anymore. + _ = nextDir.Close() + if err != nil { + return nil, "", err + } + + linksWalked++ + if linksWalked > maxSymlinkLimit { + return nil, "", &os.PathError{Op: "securejoin.lookupInRoot", Path: logicalRootPath + "/" + unsafePath, Err: unix.ELOOP} + } + + // Swap out the symlink's component for the link entry itself. + if err := symStack.SwapLink(part, currentDir, oldRemainingPath, linkDest); err != nil { + return nil, "", fmt.Errorf("walking into symlink %q failed: push symlink: %w", part, err) + } + + // Update our logical remaining path. + remainingPath = linkDest + "/" + remainingPath + // Absolute symlinks reset any work we've already done. + if path.IsAbs(linkDest) { + // Jump to root. + rootClone, err := dupFile(root) + if err != nil { + return nil, "", fmt.Errorf("clone root fd: %w", err) + } + _ = currentDir.Close() + currentDir = rootClone + currentPath = "/" + } + + default: + // If we are dealing with a directory, simply walk into it. + _ = currentDir.Close() + currentDir = nextDir + currentPath = nextPath + + // The part was real, so drop it from the symlink stack. + if err := symStack.PopPart(part); err != nil { + return nil, "", fmt.Errorf("walking into directory %q failed: %w", part, err) + } + + // If we are operating on a .., make sure we haven't escaped. + // We only have to check for ".." here because walking down + // into a regular component component cannot cause you to + // escape. This mirrors the logic in RESOLVE_IN_ROOT, except we + // have to check every ".." rather than only checking after a + // rename or mount on the system. + if part == ".." { + // Make sure the root hasn't moved. + if err := checkProcSelfFdPath(logicalRootPath, root); err != nil { + return nil, "", fmt.Errorf("root path moved during lookup: %w", err) + } + // Make sure the path is what we expect. + fullPath := logicalRootPath + nextPath + if err := checkProcSelfFdPath(fullPath, currentDir); err != nil { + return nil, "", fmt.Errorf("walking into %q had unexpected result: %w", part, err) + } + } + } + + default: + if !partial { + return nil, "", err + } + // If there are any remaining components in the symlink stack, we + // are still within a symlink resolution and thus we hit a dangling + // symlink. So pretend that the first symlink in the stack we hit + // was an ENOENT (to match openat2). + if oldDir, remainingPath, ok := symStack.PopTopSymlink(); ok { + _ = currentDir.Close() + return oldDir, remainingPath, err + } + // We have hit a final component that doesn't exist, so we have our + // partial open result. Note that we have to use the OLD remaining + // path, since the lookup failed. + return currentDir, oldRemainingPath, err + } + } + + // If the unsafePath had a trailing slash, we need to make sure we try to + // do a relative "." open so that we will correctly return an error when + // the final component is a non-directory (to match openat2). In the + // context of openat2, a trailing slash and a trailing "/." are completely + // equivalent. + if strings.HasSuffix(unsafePath, "/") { + nextDir, err := openatFile(currentDir, ".", unix.O_PATH|unix.O_NOFOLLOW|unix.O_CLOEXEC, 0) + if err != nil { + if !partial { + _ = currentDir.Close() + currentDir = nil + } + return currentDir, "", err + } + _ = currentDir.Close() + currentDir = nextDir + } + + // All of the components existed! + return currentDir, "", nil +} diff --git a/vendor/github.com/cyphar/filepath-securejoin/mkdir_linux.go b/vendor/github.com/cyphar/filepath-securejoin/mkdir_linux.go new file mode 100644 index 0000000000..a17ae3b038 --- /dev/null +++ b/vendor/github.com/cyphar/filepath-securejoin/mkdir_linux.go @@ -0,0 +1,236 @@ +//go:build linux + +// Copyright (C) 2024 SUSE LLC. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package securejoin + +import ( + "errors" + "fmt" + "os" + "path/filepath" + "strings" + + "golang.org/x/sys/unix" +) + +var ( + errInvalidMode = errors.New("invalid permission mode") + errPossibleAttack = errors.New("possible attack detected") +) + +// modePermExt is like os.ModePerm except that it also includes the set[ug]id +// and sticky bits. +const modePermExt = os.ModePerm | os.ModeSetuid | os.ModeSetgid | os.ModeSticky + +//nolint:cyclop // this function needs to handle a lot of cases +func toUnixMode(mode os.FileMode) (uint32, error) { + sysMode := uint32(mode.Perm()) + if mode&os.ModeSetuid != 0 { + sysMode |= unix.S_ISUID + } + if mode&os.ModeSetgid != 0 { + sysMode |= unix.S_ISGID + } + if mode&os.ModeSticky != 0 { + sysMode |= unix.S_ISVTX + } + // We don't allow file type bits. + if mode&os.ModeType != 0 { + return 0, fmt.Errorf("%w %+.3o (%s): type bits not permitted", errInvalidMode, mode, mode) + } + // We don't allow other unknown modes. + if mode&^modePermExt != 0 || sysMode&unix.S_IFMT != 0 { + return 0, fmt.Errorf("%w %+.3o (%s): unknown mode bits", errInvalidMode, mode, mode) + } + return sysMode, nil +} + +// MkdirAllHandle is equivalent to [MkdirAll], except that it is safer to use +// in two respects: +// +// - The caller provides the root directory as an *[os.File] (preferably O_PATH) +// handle. This means that the caller can be sure which root directory is +// being used. Note that this can be emulated by using /proc/self/fd/... as +// the root path with [os.MkdirAll]. +// +// - Once all of the directories have been created, an *[os.File] O_PATH handle +// to the directory at unsafePath is returned to the caller. This is done in +// an effectively-race-free way (an attacker would only be able to swap the +// final directory component), which is not possible to emulate with +// [MkdirAll]. +// +// In addition, the returned handle is obtained far more efficiently than doing +// a brand new lookup of unsafePath (such as with [SecureJoin] or openat2) after +// doing [MkdirAll]. If you intend to open the directory after creating it, you +// should use MkdirAllHandle. +func MkdirAllHandle(root *os.File, unsafePath string, mode os.FileMode) (_ *os.File, Err error) { + unixMode, err := toUnixMode(mode) + if err != nil { + return nil, err + } + // On Linux, mkdirat(2) (and os.Mkdir) silently ignore the suid and sgid + // bits. We could also silently ignore them but since we have very few + // users it seems more prudent to return an error so users notice that + // these bits will not be set. + if unixMode&^0o1777 != 0 { + return nil, fmt.Errorf("%w for mkdir %+.3o: suid and sgid are ignored by mkdir", errInvalidMode, mode) + } + + // Try to open as much of the path as possible. + currentDir, remainingPath, err := partialLookupInRoot(root, unsafePath) + defer func() { + if Err != nil { + _ = currentDir.Close() + } + }() + if err != nil && !errors.Is(err, unix.ENOENT) { + return nil, fmt.Errorf("find existing subpath of %q: %w", unsafePath, err) + } + + // If there is an attacker deleting directories as we walk into them, + // detect this proactively. Note this is guaranteed to detect if the + // attacker deleted any part of the tree up to currentDir. + // + // Once we walk into a dead directory, partialLookupInRoot would not be + // able to walk further down the tree (directories must be empty before + // they are deleted), and if the attacker has removed the entire tree we + // can be sure that anything that was originally inside a dead directory + // must also be deleted and thus is a dead directory in its own right. + // + // This is mostly a quality-of-life check, because mkdir will simply fail + // later if the attacker deletes the tree after this check. + if err := isDeadInode(currentDir); err != nil { + return nil, fmt.Errorf("finding existing subpath of %q: %w", unsafePath, err) + } + + // Re-open the path to match the O_DIRECTORY reopen loop later (so that we + // always return a non-O_PATH handle). We also check that we actually got a + // directory. + if reopenDir, err := Reopen(currentDir, unix.O_DIRECTORY|unix.O_CLOEXEC); errors.Is(err, unix.ENOTDIR) { + return nil, fmt.Errorf("cannot create subdirectories in %q: %w", currentDir.Name(), unix.ENOTDIR) + } else if err != nil { + return nil, fmt.Errorf("re-opening handle to %q: %w", currentDir.Name(), err) + } else { + _ = currentDir.Close() + currentDir = reopenDir + } + + remainingParts := strings.Split(remainingPath, string(filepath.Separator)) + if slices_Contains(remainingParts, "..") { + // The path contained ".." components after the end of the "real" + // components. We could try to safely resolve ".." here but that would + // add a bunch of extra logic for something that it's not clear even + // needs to be supported. So just return an error. + // + // If we do filepath.Clean(remainingPath) then we end up with the + // problem that ".." can erase a trailing dangling symlink and produce + // a path that doesn't quite match what the user asked for. + return nil, fmt.Errorf("%w: yet-to-be-created path %q contains '..' components", unix.ENOENT, remainingPath) + } + + // Create the remaining components. + for _, part := range remainingParts { + switch part { + case "", ".": + // Skip over no-op paths. + continue + } + + // NOTE: mkdir(2) will not follow trailing symlinks, so we can safely + // create the final component without worrying about symlink-exchange + // attacks. + // + // If we get -EEXIST, it's possible that another program created the + // directory at the same time as us. In that case, just continue on as + // if we created it (if the created inode is not a directory, the + // following open call will fail). + if err := unix.Mkdirat(int(currentDir.Fd()), part, unixMode); err != nil && !errors.Is(err, unix.EEXIST) { + err = &os.PathError{Op: "mkdirat", Path: currentDir.Name() + "/" + part, Err: err} + // Make the error a bit nicer if the directory is dead. + if deadErr := isDeadInode(currentDir); deadErr != nil { + // TODO: Once we bump the minimum Go version to 1.20, we can use + // multiple %w verbs for this wrapping. For now we need to use a + // compatibility shim for older Go versions. + //err = fmt.Errorf("%w (%w)", err, deadErr) + err = wrapBaseError(err, deadErr) + } + return nil, err + } + + // Get a handle to the next component. O_DIRECTORY means we don't need + // to use O_PATH. + var nextDir *os.File + if hasOpenat2() { + nextDir, err = openat2File(currentDir, part, &unix.OpenHow{ + Flags: unix.O_NOFOLLOW | unix.O_DIRECTORY | unix.O_CLOEXEC, + Resolve: unix.RESOLVE_BENEATH | unix.RESOLVE_NO_SYMLINKS | unix.RESOLVE_NO_XDEV, + }) + } else { + nextDir, err = openatFile(currentDir, part, unix.O_NOFOLLOW|unix.O_DIRECTORY|unix.O_CLOEXEC, 0) + } + if err != nil { + return nil, err + } + _ = currentDir.Close() + currentDir = nextDir + + // It's possible that the directory we just opened was swapped by an + // attacker. Unfortunately there isn't much we can do to protect + // against this, and MkdirAll's behaviour is that we will reuse + // existing directories anyway so the need to protect against this is + // incredibly limited (and arguably doesn't even deserve mention here). + // + // Ideally we might want to check that the owner and mode match what we + // would've created -- unfortunately, it is non-trivial to verify that + // the owner and mode of the created directory match. While plain Unix + // DAC rules seem simple enough to emulate, there are a bunch of other + // factors that can change the mode or owner of created directories + // (default POSIX ACLs, mount options like uid=1,gid=2,umask=0 on + // filesystems like vfat, etc etc). We used to try to verify this but + // it just lead to a series of spurious errors. + // + // We could also check that the directory is non-empty, but + // unfortunately some pseduofilesystems (like cgroupfs) create + // non-empty directories, which would result in different spurious + // errors. + } + return currentDir, nil +} + +// MkdirAll is a race-safe alternative to the [os.MkdirAll] function, +// where the new directory is guaranteed to be within the root directory (if an +// attacker can move directories from inside the root to outside the root, the +// created directory tree might be outside of the root but the key constraint +// is that at no point will we walk outside of the directory tree we are +// creating). +// +// Effectively, MkdirAll(root, unsafePath, mode) is equivalent to +// +// path, _ := securejoin.SecureJoin(root, unsafePath) +// err := os.MkdirAll(path, mode) +// +// But is much safer. The above implementation is unsafe because if an attacker +// can modify the filesystem tree between [SecureJoin] and [os.MkdirAll], it is +// possible for MkdirAll to resolve unsafe symlink components and create +// directories outside of the root. +// +// If you plan to open the directory after you have created it or want to use +// an open directory handle as the root, you should use [MkdirAllHandle] instead. +// This function is a wrapper around [MkdirAllHandle]. +func MkdirAll(root, unsafePath string, mode os.FileMode) error { + rootDir, err := os.OpenFile(root, unix.O_PATH|unix.O_DIRECTORY|unix.O_CLOEXEC, 0) + if err != nil { + return err + } + defer rootDir.Close() + + f, err := MkdirAllHandle(rootDir, unsafePath, mode) + if err != nil { + return err + } + _ = f.Close() + return nil +} diff --git a/vendor/github.com/cyphar/filepath-securejoin/open_linux.go b/vendor/github.com/cyphar/filepath-securejoin/open_linux.go new file mode 100644 index 0000000000..230be73f0e --- /dev/null +++ b/vendor/github.com/cyphar/filepath-securejoin/open_linux.go @@ -0,0 +1,103 @@ +//go:build linux + +// Copyright (C) 2024 SUSE LLC. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package securejoin + +import ( + "fmt" + "os" + "strconv" + + "golang.org/x/sys/unix" +) + +// OpenatInRoot is equivalent to [OpenInRoot], except that the root is provided +// using an *[os.File] handle, to ensure that the correct root directory is used. +func OpenatInRoot(root *os.File, unsafePath string) (*os.File, error) { + handle, err := completeLookupInRoot(root, unsafePath) + if err != nil { + return nil, &os.PathError{Op: "securejoin.OpenInRoot", Path: unsafePath, Err: err} + } + return handle, nil +} + +// OpenInRoot safely opens the provided unsafePath within the root. +// Effectively, OpenInRoot(root, unsafePath) is equivalent to +// +// path, _ := securejoin.SecureJoin(root, unsafePath) +// handle, err := os.OpenFile(path, unix.O_PATH|unix.O_CLOEXEC) +// +// But is much safer. The above implementation is unsafe because if an attacker +// can modify the filesystem tree between [SecureJoin] and [os.OpenFile], it is +// possible for the returned file to be outside of the root. +// +// Note that the returned handle is an O_PATH handle, meaning that only a very +// limited set of operations will work on the handle. This is done to avoid +// accidentally opening an untrusted file that could cause issues (such as a +// disconnected TTY that could cause a DoS, or some other issue). In order to +// use the returned handle, you can "upgrade" it to a proper handle using +// [Reopen]. +func OpenInRoot(root, unsafePath string) (*os.File, error) { + rootDir, err := os.OpenFile(root, unix.O_PATH|unix.O_DIRECTORY|unix.O_CLOEXEC, 0) + if err != nil { + return nil, err + } + defer rootDir.Close() + return OpenatInRoot(rootDir, unsafePath) +} + +// Reopen takes an *[os.File] handle and re-opens it through /proc/self/fd. +// Reopen(file, flags) is effectively equivalent to +// +// fdPath := fmt.Sprintf("/proc/self/fd/%d", file.Fd()) +// os.OpenFile(fdPath, flags|unix.O_CLOEXEC) +// +// But with some extra hardenings to ensure that we are not tricked by a +// maliciously-configured /proc mount. While this attack scenario is not +// common, in container runtimes it is possible for higher-level runtimes to be +// tricked into configuring an unsafe /proc that can be used to attack file +// operations. See [CVE-2019-19921] for more details. +// +// [CVE-2019-19921]: https://github.com/advisories/GHSA-fh74-hm69-rqjw +func Reopen(handle *os.File, flags int) (*os.File, error) { + procRoot, err := getProcRoot() + if err != nil { + return nil, err + } + + // We can't operate on /proc/thread-self/fd/$n directly when doing a + // re-open, so we need to open /proc/thread-self/fd and then open a single + // final component. + procFdDir, closer, err := procThreadSelf(procRoot, "fd/") + if err != nil { + return nil, fmt.Errorf("get safe /proc/thread-self/fd handle: %w", err) + } + defer procFdDir.Close() + defer closer() + + // Try to detect if there is a mount on top of the magic-link we are about + // to open. If we are using unsafeHostProcRoot(), this could change after + // we check it (and there's nothing we can do about that) but for + // privateProcRoot() this should be guaranteed to be safe (at least since + // Linux 5.12[1], when anonymous mount namespaces were completely isolated + // from external mounts including mount propagation events). + // + // [1]: Linux commit ee2e3f50629f ("mount: fix mounting of detached mounts + // onto targets that reside on shared mounts"). + fdStr := strconv.Itoa(int(handle.Fd())) + if err := checkSymlinkOvermount(procRoot, procFdDir, fdStr); err != nil { + return nil, fmt.Errorf("check safety of /proc/thread-self/fd/%s magiclink: %w", fdStr, err) + } + + flags |= unix.O_CLOEXEC + // Rather than just wrapping openatFile, open-code it so we can copy + // handle.Name(). + reopenFd, err := unix.Openat(int(procFdDir.Fd()), fdStr, flags, 0) + if err != nil { + return nil, fmt.Errorf("reopen fd %d: %w", handle.Fd(), err) + } + return os.NewFile(uintptr(reopenFd), handle.Name()), nil +} diff --git a/vendor/github.com/cyphar/filepath-securejoin/openat2_linux.go b/vendor/github.com/cyphar/filepath-securejoin/openat2_linux.go new file mode 100644 index 0000000000..f7a13e69ce --- /dev/null +++ b/vendor/github.com/cyphar/filepath-securejoin/openat2_linux.go @@ -0,0 +1,127 @@ +//go:build linux + +// Copyright (C) 2024 SUSE LLC. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package securejoin + +import ( + "errors" + "fmt" + "os" + "path/filepath" + "strings" + + "golang.org/x/sys/unix" +) + +var hasOpenat2 = sync_OnceValue(func() bool { + fd, err := unix.Openat2(unix.AT_FDCWD, ".", &unix.OpenHow{ + Flags: unix.O_PATH | unix.O_CLOEXEC, + Resolve: unix.RESOLVE_NO_SYMLINKS | unix.RESOLVE_IN_ROOT, + }) + if err != nil { + return false + } + _ = unix.Close(fd) + return true +}) + +func scopedLookupShouldRetry(how *unix.OpenHow, err error) bool { + // RESOLVE_IN_ROOT (and RESOLVE_BENEATH) can return -EAGAIN if we resolve + // ".." while a mount or rename occurs anywhere on the system. This could + // happen spuriously, or as the result of an attacker trying to mess with + // us during lookup. + // + // In addition, scoped lookups have a "safety check" at the end of + // complete_walk which will return -EXDEV if the final path is not in the + // root. + return how.Resolve&(unix.RESOLVE_IN_ROOT|unix.RESOLVE_BENEATH) != 0 && + (errors.Is(err, unix.EAGAIN) || errors.Is(err, unix.EXDEV)) +} + +const scopedLookupMaxRetries = 10 + +func openat2File(dir *os.File, path string, how *unix.OpenHow) (*os.File, error) { + fullPath := dir.Name() + "/" + path + // Make sure we always set O_CLOEXEC. + how.Flags |= unix.O_CLOEXEC + var tries int + for tries < scopedLookupMaxRetries { + fd, err := unix.Openat2(int(dir.Fd()), path, how) + if err != nil { + if scopedLookupShouldRetry(how, err) { + // We retry a couple of times to avoid the spurious errors, and + // if we are being attacked then returning -EAGAIN is the best + // we can do. + tries++ + continue + } + return nil, &os.PathError{Op: "openat2", Path: fullPath, Err: err} + } + // If we are using RESOLVE_IN_ROOT, the name we generated may be wrong. + // NOTE: The procRoot code MUST NOT use RESOLVE_IN_ROOT, otherwise + // you'll get infinite recursion here. + if how.Resolve&unix.RESOLVE_IN_ROOT == unix.RESOLVE_IN_ROOT { + if actualPath, err := rawProcSelfFdReadlink(fd); err == nil { + fullPath = actualPath + } + } + return os.NewFile(uintptr(fd), fullPath), nil + } + return nil, &os.PathError{Op: "openat2", Path: fullPath, Err: errPossibleAttack} +} + +func lookupOpenat2(root *os.File, unsafePath string, partial bool) (*os.File, string, error) { + if !partial { + file, err := openat2File(root, unsafePath, &unix.OpenHow{ + Flags: unix.O_PATH | unix.O_CLOEXEC, + Resolve: unix.RESOLVE_IN_ROOT | unix.RESOLVE_NO_MAGICLINKS, + }) + return file, "", err + } + return partialLookupOpenat2(root, unsafePath) +} + +// partialLookupOpenat2 is an alternative implementation of +// partialLookupInRoot, using openat2(RESOLVE_IN_ROOT) to more safely get a +// handle to the deepest existing child of the requested path within the root. +func partialLookupOpenat2(root *os.File, unsafePath string) (*os.File, string, error) { + // TODO: Implement this as a git-bisect-like binary search. + + unsafePath = filepath.ToSlash(unsafePath) // noop + endIdx := len(unsafePath) + var lastError error + for endIdx > 0 { + subpath := unsafePath[:endIdx] + + handle, err := openat2File(root, subpath, &unix.OpenHow{ + Flags: unix.O_PATH | unix.O_CLOEXEC, + Resolve: unix.RESOLVE_IN_ROOT | unix.RESOLVE_NO_MAGICLINKS, + }) + if err == nil { + // Jump over the slash if we have a non-"" remainingPath. + if endIdx < len(unsafePath) { + endIdx += 1 + } + // We found a subpath! + return handle, unsafePath[endIdx:], lastError + } + if errors.Is(err, unix.ENOENT) || errors.Is(err, unix.ENOTDIR) { + // That path doesn't exist, let's try the next directory up. + endIdx = strings.LastIndexByte(subpath, '/') + lastError = err + continue + } + return nil, "", fmt.Errorf("open subpath: %w", err) + } + // If we couldn't open anything, the whole subpath is missing. Return a + // copy of the root fd so that the caller doesn't close this one by + // accident. + rootClone, err := dupFile(root) + if err != nil { + return nil, "", err + } + return rootClone, unsafePath, lastError +} diff --git a/vendor/github.com/cyphar/filepath-securejoin/openat_linux.go b/vendor/github.com/cyphar/filepath-securejoin/openat_linux.go new file mode 100644 index 0000000000..949fb5f2d8 --- /dev/null +++ b/vendor/github.com/cyphar/filepath-securejoin/openat_linux.go @@ -0,0 +1,59 @@ +//go:build linux + +// Copyright (C) 2024 SUSE LLC. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package securejoin + +import ( + "os" + "path/filepath" + + "golang.org/x/sys/unix" +) + +func dupFile(f *os.File) (*os.File, error) { + fd, err := unix.FcntlInt(f.Fd(), unix.F_DUPFD_CLOEXEC, 0) + if err != nil { + return nil, os.NewSyscallError("fcntl(F_DUPFD_CLOEXEC)", err) + } + return os.NewFile(uintptr(fd), f.Name()), nil +} + +func openatFile(dir *os.File, path string, flags int, mode int) (*os.File, error) { + // Make sure we always set O_CLOEXEC. + flags |= unix.O_CLOEXEC + fd, err := unix.Openat(int(dir.Fd()), path, flags, uint32(mode)) + if err != nil { + return nil, &os.PathError{Op: "openat", Path: dir.Name() + "/" + path, Err: err} + } + // All of the paths we use with openatFile(2) are guaranteed to be + // lexically safe, so we can use path.Join here. + fullPath := filepath.Join(dir.Name(), path) + return os.NewFile(uintptr(fd), fullPath), nil +} + +func fstatatFile(dir *os.File, path string, flags int) (unix.Stat_t, error) { + var stat unix.Stat_t + if err := unix.Fstatat(int(dir.Fd()), path, &stat, flags); err != nil { + return stat, &os.PathError{Op: "fstatat", Path: dir.Name() + "/" + path, Err: err} + } + return stat, nil +} + +func readlinkatFile(dir *os.File, path string) (string, error) { + size := 4096 + for { + linkBuf := make([]byte, size) + n, err := unix.Readlinkat(int(dir.Fd()), path, linkBuf) + if err != nil { + return "", &os.PathError{Op: "readlinkat", Path: dir.Name() + "/" + path, Err: err} + } + if n != size { + return string(linkBuf[:n]), nil + } + // Possible truncation, resize the buffer. + size *= 2 + } +} diff --git a/vendor/github.com/cyphar/filepath-securejoin/procfs_linux.go b/vendor/github.com/cyphar/filepath-securejoin/procfs_linux.go new file mode 100644 index 0000000000..809a579cbd --- /dev/null +++ b/vendor/github.com/cyphar/filepath-securejoin/procfs_linux.go @@ -0,0 +1,452 @@ +//go:build linux + +// Copyright (C) 2024 SUSE LLC. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package securejoin + +import ( + "errors" + "fmt" + "os" + "runtime" + "strconv" + + "golang.org/x/sys/unix" +) + +func fstat(f *os.File) (unix.Stat_t, error) { + var stat unix.Stat_t + if err := unix.Fstat(int(f.Fd()), &stat); err != nil { + return stat, &os.PathError{Op: "fstat", Path: f.Name(), Err: err} + } + return stat, nil +} + +func fstatfs(f *os.File) (unix.Statfs_t, error) { + var statfs unix.Statfs_t + if err := unix.Fstatfs(int(f.Fd()), &statfs); err != nil { + return statfs, &os.PathError{Op: "fstatfs", Path: f.Name(), Err: err} + } + return statfs, nil +} + +// The kernel guarantees that the root inode of a procfs mount has an +// f_type of PROC_SUPER_MAGIC and st_ino of PROC_ROOT_INO. +const ( + procSuperMagic = 0x9fa0 // PROC_SUPER_MAGIC + procRootIno = 1 // PROC_ROOT_INO +) + +func verifyProcRoot(procRoot *os.File) error { + if statfs, err := fstatfs(procRoot); err != nil { + return err + } else if statfs.Type != procSuperMagic { + return fmt.Errorf("%w: incorrect procfs root filesystem type 0x%x", errUnsafeProcfs, statfs.Type) + } + if stat, err := fstat(procRoot); err != nil { + return err + } else if stat.Ino != procRootIno { + return fmt.Errorf("%w: incorrect procfs root inode number %d", errUnsafeProcfs, stat.Ino) + } + return nil +} + +var hasNewMountApi = sync_OnceValue(func() bool { + // All of the pieces of the new mount API we use (fsopen, fsconfig, + // fsmount, open_tree) were added together in Linux 5.1[1,2], so we can + // just check for one of the syscalls and the others should also be + // available. + // + // Just try to use open_tree(2) to open a file without OPEN_TREE_CLONE. + // This is equivalent to openat(2), but tells us if open_tree is + // available (and thus all of the other basic new mount API syscalls). + // open_tree(2) is most light-weight syscall to test here. + // + // [1]: merge commit 400913252d09 + // [2]: + fd, err := unix.OpenTree(-int(unix.EBADF), "/", unix.OPEN_TREE_CLOEXEC) + if err != nil { + return false + } + _ = unix.Close(fd) + return true +}) + +func fsopen(fsName string, flags int) (*os.File, error) { + // Make sure we always set O_CLOEXEC. + flags |= unix.FSOPEN_CLOEXEC + fd, err := unix.Fsopen(fsName, flags) + if err != nil { + return nil, os.NewSyscallError("fsopen "+fsName, err) + } + return os.NewFile(uintptr(fd), "fscontext:"+fsName), nil +} + +func fsmount(ctx *os.File, flags, mountAttrs int) (*os.File, error) { + // Make sure we always set O_CLOEXEC. + flags |= unix.FSMOUNT_CLOEXEC + fd, err := unix.Fsmount(int(ctx.Fd()), flags, mountAttrs) + if err != nil { + return nil, os.NewSyscallError("fsmount "+ctx.Name(), err) + } + return os.NewFile(uintptr(fd), "fsmount:"+ctx.Name()), nil +} + +func newPrivateProcMount() (*os.File, error) { + procfsCtx, err := fsopen("proc", unix.FSOPEN_CLOEXEC) + if err != nil { + return nil, err + } + defer procfsCtx.Close() + + // Try to configure hidepid=ptraceable,subset=pid if possible, but ignore errors. + _ = unix.FsconfigSetString(int(procfsCtx.Fd()), "hidepid", "ptraceable") + _ = unix.FsconfigSetString(int(procfsCtx.Fd()), "subset", "pid") + + // Get an actual handle. + if err := unix.FsconfigCreate(int(procfsCtx.Fd())); err != nil { + return nil, os.NewSyscallError("fsconfig create procfs", err) + } + return fsmount(procfsCtx, unix.FSMOUNT_CLOEXEC, unix.MS_RDONLY|unix.MS_NODEV|unix.MS_NOEXEC|unix.MS_NOSUID) +} + +func openTree(dir *os.File, path string, flags uint) (*os.File, error) { + dirFd := -int(unix.EBADF) + dirName := "." + if dir != nil { + dirFd = int(dir.Fd()) + dirName = dir.Name() + } + // Make sure we always set O_CLOEXEC. + flags |= unix.OPEN_TREE_CLOEXEC + fd, err := unix.OpenTree(dirFd, path, flags) + if err != nil { + return nil, &os.PathError{Op: "open_tree", Path: path, Err: err} + } + return os.NewFile(uintptr(fd), dirName+"/"+path), nil +} + +func clonePrivateProcMount() (_ *os.File, Err error) { + // Try to make a clone without using AT_RECURSIVE if we can. If this works, + // we can be sure there are no over-mounts and so if the root is valid then + // we're golden. Otherwise, we have to deal with over-mounts. + procfsHandle, err := openTree(nil, "/proc", unix.OPEN_TREE_CLONE) + if err != nil || hookForcePrivateProcRootOpenTreeAtRecursive(procfsHandle) { + procfsHandle, err = openTree(nil, "/proc", unix.OPEN_TREE_CLONE|unix.AT_RECURSIVE) + } + if err != nil { + return nil, fmt.Errorf("creating a detached procfs clone: %w", err) + } + defer func() { + if Err != nil { + _ = procfsHandle.Close() + } + }() + if err := verifyProcRoot(procfsHandle); err != nil { + return nil, err + } + return procfsHandle, nil +} + +func privateProcRoot() (*os.File, error) { + if !hasNewMountApi() || hookForceGetProcRootUnsafe() { + return nil, fmt.Errorf("new mount api: %w", unix.ENOTSUP) + } + // Try to create a new procfs mount from scratch if we can. This ensures we + // can get a procfs mount even if /proc is fake (for whatever reason). + procRoot, err := newPrivateProcMount() + if err != nil || hookForcePrivateProcRootOpenTree(procRoot) { + // Try to clone /proc then... + procRoot, err = clonePrivateProcMount() + } + return procRoot, err +} + +func unsafeHostProcRoot() (_ *os.File, Err error) { + procRoot, err := os.OpenFile("/proc", unix.O_PATH|unix.O_NOFOLLOW|unix.O_DIRECTORY|unix.O_CLOEXEC, 0) + if err != nil { + return nil, err + } + defer func() { + if Err != nil { + _ = procRoot.Close() + } + }() + if err := verifyProcRoot(procRoot); err != nil { + return nil, err + } + return procRoot, nil +} + +func doGetProcRoot() (*os.File, error) { + procRoot, err := privateProcRoot() + if err != nil { + // Fall back to using a /proc handle if making a private mount failed. + // If we have openat2, at least we can avoid some kinds of over-mount + // attacks, but without openat2 there's not much we can do. + procRoot, err = unsafeHostProcRoot() + } + return procRoot, err +} + +var getProcRoot = sync_OnceValues(func() (*os.File, error) { + return doGetProcRoot() +}) + +var hasProcThreadSelf = sync_OnceValue(func() bool { + return unix.Access("/proc/thread-self/", unix.F_OK) == nil +}) + +var errUnsafeProcfs = errors.New("unsafe procfs detected") + +type procThreadSelfCloser func() + +// procThreadSelf returns a handle to /proc/thread-self/ (or an +// equivalent handle on older kernels where /proc/thread-self doesn't exist). +// Once finished with the handle, you must call the returned closer function +// (runtime.UnlockOSThread). You must not pass the returned *os.File to other +// Go threads or use the handle after calling the closer. +// +// This is similar to ProcThreadSelf from runc, but with extra hardening +// applied and using *os.File. +func procThreadSelf(procRoot *os.File, subpath string) (_ *os.File, _ procThreadSelfCloser, Err error) { + // We need to lock our thread until the caller is done with the handle + // because between getting the handle and using it we could get interrupted + // by the Go runtime and hit the case where the underlying thread is + // swapped out and the original thread is killed, resulting in + // pull-your-hair-out-hard-to-debug issues in the caller. + runtime.LockOSThread() + defer func() { + if Err != nil { + runtime.UnlockOSThread() + } + }() + + // Figure out what prefix we want to use. + threadSelf := "thread-self/" + if !hasProcThreadSelf() || hookForceProcSelfTask() { + /// Pre-3.17 kernels don't have /proc/thread-self, so do it manually. + threadSelf = "self/task/" + strconv.Itoa(unix.Gettid()) + "/" + if _, err := fstatatFile(procRoot, threadSelf, unix.AT_SYMLINK_NOFOLLOW); err != nil || hookForceProcSelf() { + // In this case, we running in a pid namespace that doesn't match + // the /proc mount we have. This can happen inside runc. + // + // Unfortunately, there is no nice way to get the correct TID to + // use here because of the age of the kernel, so we have to just + // use /proc/self and hope that it works. + threadSelf = "self/" + } + } + + // Grab the handle. + var ( + handle *os.File + err error + ) + if hasOpenat2() { + // We prefer being able to use RESOLVE_NO_XDEV if we can, to be + // absolutely sure we are operating on a clean /proc handle that + // doesn't have any cheeky overmounts that could trick us (including + // symlink mounts on top of /proc/thread-self). RESOLVE_BENEATH isn't + // strictly needed, but just use it since we have it. + // + // NOTE: /proc/self is technically a magic-link (the contents of the + // symlink are generated dynamically), but it doesn't use + // nd_jump_link() so RESOLVE_NO_MAGICLINKS allows it. + // + // NOTE: We MUST NOT use RESOLVE_IN_ROOT here, as openat2File uses + // procSelfFdReadlink to clean up the returned f.Name() if we use + // RESOLVE_IN_ROOT (which would lead to an infinite recursion). + handle, err = openat2File(procRoot, threadSelf+subpath, &unix.OpenHow{ + Flags: unix.O_PATH | unix.O_NOFOLLOW | unix.O_CLOEXEC, + Resolve: unix.RESOLVE_BENEATH | unix.RESOLVE_NO_XDEV | unix.RESOLVE_NO_MAGICLINKS, + }) + if err != nil { + // TODO: Once we bump the minimum Go version to 1.20, we can use + // multiple %w verbs for this wrapping. For now we need to use a + // compatibility shim for older Go versions. + //err = fmt.Errorf("%w: %w", errUnsafeProcfs, err) + return nil, nil, wrapBaseError(err, errUnsafeProcfs) + } + } else { + handle, err = openatFile(procRoot, threadSelf+subpath, unix.O_PATH|unix.O_NOFOLLOW|unix.O_CLOEXEC, 0) + if err != nil { + // TODO: Once we bump the minimum Go version to 1.20, we can use + // multiple %w verbs for this wrapping. For now we need to use a + // compatibility shim for older Go versions. + //err = fmt.Errorf("%w: %w", errUnsafeProcfs, err) + return nil, nil, wrapBaseError(err, errUnsafeProcfs) + } + defer func() { + if Err != nil { + _ = handle.Close() + } + }() + // We can't detect bind-mounts of different parts of procfs on top of + // /proc (a-la RESOLVE_NO_XDEV), but we can at least be sure that we + // aren't on the wrong filesystem here. + if statfs, err := fstatfs(handle); err != nil { + return nil, nil, err + } else if statfs.Type != procSuperMagic { + return nil, nil, fmt.Errorf("%w: incorrect /proc/self/fd filesystem type 0x%x", errUnsafeProcfs, statfs.Type) + } + } + return handle, runtime.UnlockOSThread, nil +} + +// STATX_MNT_ID_UNIQUE is provided in golang.org/x/sys@v0.20.0, but in order to +// avoid bumping the requirement for a single constant we can just define it +// ourselves. +const STATX_MNT_ID_UNIQUE = 0x4000 + +var hasStatxMountId = sync_OnceValue(func() bool { + var ( + stx unix.Statx_t + // We don't care which mount ID we get. The kernel will give us the + // unique one if it is supported. + wantStxMask uint32 = STATX_MNT_ID_UNIQUE | unix.STATX_MNT_ID + ) + err := unix.Statx(-int(unix.EBADF), "/", 0, int(wantStxMask), &stx) + return err == nil && stx.Mask&wantStxMask != 0 +}) + +func getMountId(dir *os.File, path string) (uint64, error) { + // If we don't have statx(STATX_MNT_ID*) support, we can't do anything. + if !hasStatxMountId() { + return 0, nil + } + + var ( + stx unix.Statx_t + // We don't care which mount ID we get. The kernel will give us the + // unique one if it is supported. + wantStxMask uint32 = STATX_MNT_ID_UNIQUE | unix.STATX_MNT_ID + ) + + err := unix.Statx(int(dir.Fd()), path, unix.AT_EMPTY_PATH|unix.AT_SYMLINK_NOFOLLOW, int(wantStxMask), &stx) + if stx.Mask&wantStxMask == 0 { + // It's not a kernel limitation, for some reason we couldn't get a + // mount ID. Assume it's some kind of attack. + err = fmt.Errorf("%w: could not get mount id", errUnsafeProcfs) + } + if err != nil { + return 0, &os.PathError{Op: "statx(STATX_MNT_ID_...)", Path: dir.Name() + "/" + path, Err: err} + } + return stx.Mnt_id, nil +} + +func checkSymlinkOvermount(procRoot *os.File, dir *os.File, path string) error { + // Get the mntId of our procfs handle. + expectedMountId, err := getMountId(procRoot, "") + if err != nil { + return err + } + // Get the mntId of the target magic-link. + gotMountId, err := getMountId(dir, path) + if err != nil { + return err + } + // As long as the directory mount is alive, even with wrapping mount IDs, + // we would expect to see a different mount ID here. (Of course, if we're + // using unsafeHostProcRoot() then an attaker could change this after we + // did this check.) + if expectedMountId != gotMountId { + return fmt.Errorf("%w: symlink %s/%s has an overmount obscuring the real link (mount ids do not match %d != %d)", errUnsafeProcfs, dir.Name(), path, expectedMountId, gotMountId) + } + return nil +} + +func doRawProcSelfFdReadlink(procRoot *os.File, fd int) (string, error) { + fdPath := fmt.Sprintf("fd/%d", fd) + procFdLink, closer, err := procThreadSelf(procRoot, fdPath) + if err != nil { + return "", fmt.Errorf("get safe /proc/thread-self/%s handle: %w", fdPath, err) + } + defer procFdLink.Close() + defer closer() + + // Try to detect if there is a mount on top of the magic-link. Since we use the handle directly + // provide to the closure. If the closure uses the handle directly, this + // should be safe in general (a mount on top of the path afterwards would + // not affect the handle itself) and will definitely be safe if we are + // using privateProcRoot() (at least since Linux 5.12[1], when anonymous + // mount namespaces were completely isolated from external mounts including + // mount propagation events). + // + // [1]: Linux commit ee2e3f50629f ("mount: fix mounting of detached mounts + // onto targets that reside on shared mounts"). + if err := checkSymlinkOvermount(procRoot, procFdLink, ""); err != nil { + return "", fmt.Errorf("check safety of /proc/thread-self/fd/%d magiclink: %w", fd, err) + } + + // readlinkat implies AT_EMPTY_PATH since Linux 2.6.39. See Linux commit + // 65cfc6722361 ("readlinkat(), fchownat() and fstatat() with empty + // relative pathnames"). + return readlinkatFile(procFdLink, "") +} + +func rawProcSelfFdReadlink(fd int) (string, error) { + procRoot, err := getProcRoot() + if err != nil { + return "", err + } + return doRawProcSelfFdReadlink(procRoot, fd) +} + +func procSelfFdReadlink(f *os.File) (string, error) { + return rawProcSelfFdReadlink(int(f.Fd())) +} + +var ( + errPossibleBreakout = errors.New("possible breakout detected") + errInvalidDirectory = errors.New("wandered into deleted directory") + errDeletedInode = errors.New("cannot verify path of deleted inode") +) + +func isDeadInode(file *os.File) error { + // If the nlink of a file drops to 0, there is an attacker deleting + // directories during our walk, which could result in weird /proc values. + // It's better to error out in this case. + stat, err := fstat(file) + if err != nil { + return fmt.Errorf("check for dead inode: %w", err) + } + if stat.Nlink == 0 { + err := errDeletedInode + if stat.Mode&unix.S_IFMT == unix.S_IFDIR { + err = errInvalidDirectory + } + return fmt.Errorf("%w %q", err, file.Name()) + } + return nil +} + +func checkProcSelfFdPath(path string, file *os.File) error { + if err := isDeadInode(file); err != nil { + return err + } + actualPath, err := procSelfFdReadlink(file) + if err != nil { + return fmt.Errorf("get path of handle: %w", err) + } + if actualPath != path { + return fmt.Errorf("%w: handle path %q doesn't match expected path %q", errPossibleBreakout, actualPath, path) + } + return nil +} + +// Test hooks used in the procfs tests to verify that the fallback logic works. +// See testing_mocks_linux_test.go and procfs_linux_test.go for more details. +var ( + hookForcePrivateProcRootOpenTree = hookDummyFile + hookForcePrivateProcRootOpenTreeAtRecursive = hookDummyFile + hookForceGetProcRootUnsafe = hookDummy + + hookForceProcSelfTask = hookDummy + hookForceProcSelf = hookDummy +) + +func hookDummy() bool { return false } +func hookDummyFile(_ *os.File) bool { return false } diff --git a/vendor/github.com/cyphar/filepath-securejoin/vfs.go b/vendor/github.com/cyphar/filepath-securejoin/vfs.go new file mode 100644 index 0000000000..36373f8c51 --- /dev/null +++ b/vendor/github.com/cyphar/filepath-securejoin/vfs.go @@ -0,0 +1,35 @@ +// Copyright (C) 2017-2024 SUSE LLC. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package securejoin + +import "os" + +// In future this should be moved into a separate package, because now there +// are several projects (umoci and go-mtree) that are using this sort of +// interface. + +// VFS is the minimal interface necessary to use [SecureJoinVFS]. A nil VFS is +// equivalent to using the standard [os].* family of functions. This is mainly +// used for the purposes of mock testing, but also can be used to otherwise use +// [SecureJoinVFS] with VFS-like system. +type VFS interface { + // Lstat returns an [os.FileInfo] describing the named file. If the + // file is a symbolic link, the returned [os.FileInfo] describes the + // symbolic link. Lstat makes no attempt to follow the link. + // The semantics are identical to [os.Lstat]. + Lstat(name string) (os.FileInfo, error) + + // Readlink returns the destination of the named symbolic link. + // The semantics are identical to [os.Readlink]. + Readlink(name string) (string, error) +} + +// osVFS is the "nil" VFS, in that it just passes everything through to the os +// module. +type osVFS struct{} + +func (o osVFS) Lstat(name string) (os.FileInfo, error) { return os.Lstat(name) } + +func (o osVFS) Readlink(name string) (string, error) { return os.Readlink(name) } diff --git a/vendor/github.com/emicklei/go-restful/v3/.travis.yml b/vendor/github.com/emicklei/go-restful/v3/.travis.yml deleted file mode 100644 index 3a0bf5ff1b..0000000000 --- a/vendor/github.com/emicklei/go-restful/v3/.travis.yml +++ /dev/null @@ -1,13 +0,0 @@ -language: go - -go: - - 1.x - -before_install: - - go test -v - -script: - - go test -race -coverprofile=coverage.txt -covermode=atomic - -after_success: - - bash <(curl -s https://codecov.io/bash) \ No newline at end of file diff --git a/vendor/github.com/emicklei/go-restful/v3/CHANGES.md b/vendor/github.com/emicklei/go-restful/v3/CHANGES.md index 6f24dfff56..4fcd920abe 100644 --- a/vendor/github.com/emicklei/go-restful/v3/CHANGES.md +++ b/vendor/github.com/emicklei/go-restful/v3/CHANGES.md @@ -1,5 +1,9 @@ # Change history of go-restful +## [v3.13.0] - 2025-08-14 + +- optimize performance of path matching in CurlyRouter ( thanks @wenhuang, Wen Huang) + ## [v3.12.2] - 2025-02-21 - allow empty payloads in post,put,patch, issue #580 ( thanks @liggitt, Jordan Liggitt) diff --git a/vendor/github.com/emicklei/go-restful/v3/README.md b/vendor/github.com/emicklei/go-restful/v3/README.md index 3fb40d1980..50a79ab692 100644 --- a/vendor/github.com/emicklei/go-restful/v3/README.md +++ b/vendor/github.com/emicklei/go-restful/v3/README.md @@ -84,6 +84,7 @@ func (u UserResource) findUser(request *restful.Request, response *restful.Respo - Configurable (trace) logging - Customizable gzip/deflate readers and writers using CompressorProvider registration - Inject your own http.Handler using the `HttpMiddlewareHandlerToFilter` function +- Added `SetPathTokenCacheEnabled` and `SetCustomVerbCacheEnabled` to disable regexp caching (default=true) ## How to customize There are several hooks to customize the behavior of the go-restful package. diff --git a/vendor/github.com/emicklei/go-restful/v3/curly.go b/vendor/github.com/emicklei/go-restful/v3/curly.go index 6fd2bcd5a1..eec43bfd06 100644 --- a/vendor/github.com/emicklei/go-restful/v3/curly.go +++ b/vendor/github.com/emicklei/go-restful/v3/curly.go @@ -9,11 +9,35 @@ import ( "regexp" "sort" "strings" + "sync" ) // CurlyRouter expects Routes with paths that contain zero or more parameters in curly brackets. type CurlyRouter struct{} +var ( + regexCache sync.Map // Cache for compiled regex patterns + pathTokenCacheEnabled = true // Enable/disable path token regex caching +) + +// SetPathTokenCacheEnabled enables or disables path token regex caching for CurlyRouter. +// When disabled, regex patterns will be compiled on every request. +// When enabled (default), compiled regex patterns are cached for better performance. +func SetPathTokenCacheEnabled(enabled bool) { + pathTokenCacheEnabled = enabled +} + +// getCachedRegexp retrieves a compiled regex from the cache if found and valid. +// Returns the regex and true if found and valid, nil and false otherwise. +func getCachedRegexp(cache *sync.Map, pattern string) (*regexp.Regexp, bool) { + if cached, found := cache.Load(pattern); found { + if regex, ok := cached.(*regexp.Regexp); ok { + return regex, true + } + } + return nil, false +} + // SelectRoute is part of the Router interface and returns the best match // for the WebService and its Route for the given Request. func (c CurlyRouter) SelectRoute( @@ -113,8 +137,28 @@ func (c CurlyRouter) regularMatchesPathToken(routeToken string, colon int, reque } return true, true } - matched, err := regexp.MatchString(regPart, requestToken) - return (matched && err == nil), false + + // Check cache first (if enabled) + if pathTokenCacheEnabled { + if regex, found := getCachedRegexp(®exCache, regPart); found { + matched := regex.MatchString(requestToken) + return matched, false + } + } + + // Compile the regex + regex, err := regexp.Compile(regPart) + if err != nil { + return false, false + } + + // Cache the regex (if enabled) + if pathTokenCacheEnabled { + regexCache.Store(regPart, regex) + } + + matched := regex.MatchString(requestToken) + return matched, false } var jsr311Router = RouterJSR311{} @@ -168,7 +212,7 @@ func (c CurlyRouter) computeWebserviceScore(requestTokens []string, routeTokens if matchesToken { score++ // extra score for regex match } - } + } } else { // not a parameter if eachRequestToken != eachRouteToken { diff --git a/vendor/github.com/emicklei/go-restful/v3/custom_verb.go b/vendor/github.com/emicklei/go-restful/v3/custom_verb.go index bfc17efde8..0b98eeb091 100644 --- a/vendor/github.com/emicklei/go-restful/v3/custom_verb.go +++ b/vendor/github.com/emicklei/go-restful/v3/custom_verb.go @@ -1,14 +1,28 @@ package restful +// Copyright 2025 Ernest Micklei. All rights reserved. +// Use of this source code is governed by a license +// that can be found in the LICENSE file. + import ( "fmt" "regexp" + "sync" ) var ( - customVerbReg = regexp.MustCompile(":([A-Za-z]+)$") + customVerbReg = regexp.MustCompile(":([A-Za-z]+)$") + customVerbCache sync.Map // Cache for compiled custom verb regexes + customVerbCacheEnabled = true // Enable/disable custom verb regex caching ) +// SetCustomVerbCacheEnabled enables or disables custom verb regex caching. +// When disabled, custom verb regex patterns will be compiled on every request. +// When enabled (default), compiled custom verb regex patterns are cached for better performance. +func SetCustomVerbCacheEnabled(enabled bool) { + customVerbCacheEnabled = enabled +} + func hasCustomVerb(routeToken string) bool { return customVerbReg.MatchString(routeToken) } @@ -20,7 +34,23 @@ func isMatchCustomVerb(routeToken string, pathToken string) bool { } customVerb := rs[1] - specificVerbReg := regexp.MustCompile(fmt.Sprintf(":%s$", customVerb)) + regexPattern := fmt.Sprintf(":%s$", customVerb) + + // Check cache first (if enabled) + if customVerbCacheEnabled { + if specificVerbReg, found := getCachedRegexp(&customVerbCache, regexPattern); found { + return specificVerbReg.MatchString(pathToken) + } + } + + // Compile the regex + specificVerbReg := regexp.MustCompile(regexPattern) + + // Cache the regex (if enabled) + if customVerbCacheEnabled { + customVerbCache.Store(regexPattern, specificVerbReg) + } + return specificVerbReg.MatchString(pathToken) } diff --git a/vendor/github.com/emicklei/go-restful/v3/doc.go b/vendor/github.com/emicklei/go-restful/v3/doc.go index 69b13057d0..80809225b8 100644 --- a/vendor/github.com/emicklei/go-restful/v3/doc.go +++ b/vendor/github.com/emicklei/go-restful/v3/doc.go @@ -1,7 +1,7 @@ /* Package restful , a lean package for creating REST-style WebServices without magic. -WebServices and Routes +### WebServices and Routes A WebService has a collection of Route objects that dispatch incoming Http Requests to a function calls. Typically, a WebService has a root path (e.g. /users) and defines common MIME types for its routes. @@ -30,14 +30,14 @@ The (*Request, *Response) arguments provide functions for reading information fr See the example https://github.com/emicklei/go-restful/blob/v3/examples/user-resource/restful-user-resource.go with a full implementation. -Regular expression matching Routes +### Regular expression matching Routes A Route parameter can be specified using the format "uri/{var[:regexp]}" or the special version "uri/{var:*}" for matching the tail of the path. For example, /persons/{name:[A-Z][A-Z]} can be used to restrict values for the parameter "name" to only contain capital alphabetic characters. Regular expressions must use the standard Go syntax as described in the regexp package. (https://code.google.com/p/re2/wiki/Syntax) This feature requires the use of a CurlyRouter. -Containers +### Containers A Container holds a collection of WebServices, Filters and a http.ServeMux for multiplexing http requests. Using the statements "restful.Add(...) and restful.Filter(...)" will register WebServices and Filters to the Default Container. @@ -47,7 +47,7 @@ You can create your own Container and create a new http.Server for that particul container := restful.NewContainer() server := &http.Server{Addr: ":8081", Handler: container} -Filters +### Filters A filter dynamically intercepts requests and responses to transform or use the information contained in the requests or responses. You can use filters to perform generic logging, measurement, authentication, redirect, set response headers etc. @@ -60,22 +60,21 @@ Use the following statement to pass the request,response pair to the next filter chain.ProcessFilter(req, resp) -Container Filters +### Container Filters These are processed before any registered WebService. // install a (global) filter for the default container (processed before any webservice) restful.Filter(globalLogging) -WebService Filters +### WebService Filters These are processed before any Route of a WebService. // install a webservice filter (processed before any route) ws.Filter(webserviceLogging).Filter(measureTime) - -Route Filters +### Route Filters These are processed before calling the function associated with the Route. @@ -84,7 +83,7 @@ These are processed before calling the function associated with the Route. See the example https://github.com/emicklei/go-restful/blob/v3/examples/filters/restful-filters.go with full implementations. -Response Encoding +### Response Encoding Two encodings are supported: gzip and deflate. To enable this for all responses: @@ -95,20 +94,20 @@ Alternatively, you can create a Filter that performs the encoding and install it See the example https://github.com/emicklei/go-restful/blob/v3/examples/encoding/restful-encoding-filter.go -OPTIONS support +### OPTIONS support By installing a pre-defined container filter, your Webservice(s) can respond to the OPTIONS Http request. Filter(OPTIONSFilter()) -CORS +### CORS By installing the filter of a CrossOriginResourceSharing (CORS), your WebService(s) can handle CORS requests. cors := CrossOriginResourceSharing{ExposeHeaders: []string{"X-My-Header"}, CookiesAllowed: false, Container: DefaultContainer} Filter(cors.Filter) -Error Handling +### Error Handling Unexpected things happen. If a request cannot be processed because of a failure, your service needs to tell via the response what happened and why. For this reason HTTP status codes exist and it is important to use the correct code in every exceptional situation. @@ -137,11 +136,11 @@ The request does not have or has an unknown Accept Header set for this operation The request does not have or has an unknown Content-Type Header set for this operation. -ServiceError +### ServiceError In addition to setting the correct (error) Http status code, you can choose to write a ServiceError message on the response. -Performance options +### Performance options This package has several options that affect the performance of your service. It is important to understand them and how you can change it. @@ -156,30 +155,27 @@ Default value is true If content encoding is enabled then the default strategy for getting new gzip/zlib writers and readers is to use a sync.Pool. Because writers are expensive structures, performance is even more improved when using a preloaded cache. You can also inject your own implementation. -Trouble shooting +### Trouble shooting This package has the means to produce detail logging of the complete Http request matching process and filter invocation. Enabling this feature requires you to set an implementation of restful.StdLogger (e.g. log.Logger) instance such as: restful.TraceLogger(log.New(os.Stdout, "[restful] ", log.LstdFlags|log.Lshortfile)) -Logging +### Logging The restful.SetLogger() method allows you to override the logger used by the package. By default restful uses the standard library `log` package and logs to stdout. Different logging packages are supported as long as they conform to `StdLogger` interface defined in the `log` sub-package, writing an adapter for your preferred package is simple. -Resources +### Resources -[project]: https://github.com/emicklei/go-restful +(c) 2012-2025, http://ernestmicklei.com. MIT License +[project]: https://github.com/emicklei/go-restful [examples]: https://github.com/emicklei/go-restful/blob/master/examples - -[design]: http://ernestmicklei.com/2012/11/11/go-restful-api-design/ - +[design]: http://ernestmicklei.com/2012/11/11/go-restful-api-design/ [showcases]: https://github.com/emicklei/mora, https://github.com/emicklei/landskape - -(c) 2012-2015, http://ernestmicklei.com. MIT License */ package restful diff --git a/vendor/github.com/evanphx/json-patch/.gitignore b/vendor/github.com/evanphx/json-patch/.gitignore new file mode 100644 index 0000000000..b7ed7f956d --- /dev/null +++ b/vendor/github.com/evanphx/json-patch/.gitignore @@ -0,0 +1,6 @@ +# editor and IDE paraphernalia +.idea +.vscode + +# macOS paraphernalia +.DS_Store diff --git a/vendor/github.com/evanphx/json-patch/LICENSE b/vendor/github.com/evanphx/json-patch/LICENSE new file mode 100644 index 0000000000..df76d7d771 --- /dev/null +++ b/vendor/github.com/evanphx/json-patch/LICENSE @@ -0,0 +1,25 @@ +Copyright (c) 2014, Evan Phoenix +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + +* Redistributions of source code must retain the above copyright notice, this + list of conditions and the following disclaimer. +* Redistributions in binary form must reproduce the above copyright notice, + this list of conditions and the following disclaimer in the documentation + and/or other materials provided with the distribution. +* Neither the name of the Evan Phoenix nor the names of its contributors + may be used to endorse or promote products derived from this software + without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" +AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE +FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, +OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. diff --git a/vendor/github.com/evanphx/json-patch/README.md b/vendor/github.com/evanphx/json-patch/README.md new file mode 100644 index 0000000000..86fefd5bf7 --- /dev/null +++ b/vendor/github.com/evanphx/json-patch/README.md @@ -0,0 +1,315 @@ +# JSON-Patch +`jsonpatch` is a library which provides functionality for both applying +[RFC6902 JSON patches](http://tools.ietf.org/html/rfc6902) against documents, as +well as for calculating & applying [RFC7396 JSON merge patches](https://tools.ietf.org/html/rfc7396). + +[![GoDoc](https://godoc.org/github.com/evanphx/json-patch?status.svg)](http://godoc.org/github.com/evanphx/json-patch) +[![Build Status](https://github.com/evanphx/json-patch/actions/workflows/go.yml/badge.svg)](https://github.com/evanphx/json-patch/actions/workflows/go.yml) +[![Report Card](https://goreportcard.com/badge/github.com/evanphx/json-patch)](https://goreportcard.com/report/github.com/evanphx/json-patch) + +# Get It! + +**Latest and greatest**: +```bash +go get -u github.com/evanphx/json-patch/v5 +``` + +If you need version 4, use `go get -u gopkg.in/evanphx/json-patch.v4` + +(previous versions below `v3` are unavailable) + +# Use It! +* [Create and apply a merge patch](#create-and-apply-a-merge-patch) +* [Create and apply a JSON Patch](#create-and-apply-a-json-patch) +* [Comparing JSON documents](#comparing-json-documents) +* [Combine merge patches](#combine-merge-patches) + + +# Configuration + +* There is a global configuration variable `jsonpatch.SupportNegativeIndices`. + This defaults to `true` and enables the non-standard practice of allowing + negative indices to mean indices starting at the end of an array. This + functionality can be disabled by setting `jsonpatch.SupportNegativeIndices = + false`. + +* There is a global configuration variable `jsonpatch.AccumulatedCopySizeLimit`, + which limits the total size increase in bytes caused by "copy" operations in a + patch. It defaults to 0, which means there is no limit. + +These global variables control the behavior of `jsonpatch.Apply`. + +An alternative to `jsonpatch.Apply` is `jsonpatch.ApplyWithOptions` whose behavior +is controlled by an `options` parameter of type `*jsonpatch.ApplyOptions`. + +Structure `jsonpatch.ApplyOptions` includes the configuration options above +and adds two new options: `AllowMissingPathOnRemove` and `EnsurePathExistsOnAdd`. + +When `AllowMissingPathOnRemove` is set to `true`, `jsonpatch.ApplyWithOptions` will ignore +`remove` operations whose `path` points to a non-existent location in the JSON document. +`AllowMissingPathOnRemove` defaults to `false` which will lead to `jsonpatch.ApplyWithOptions` +returning an error when hitting a missing `path` on `remove`. + +When `EnsurePathExistsOnAdd` is set to `true`, `jsonpatch.ApplyWithOptions` will make sure +that `add` operations produce all the `path` elements that are missing from the target object. + +Use `jsonpatch.NewApplyOptions` to create an instance of `jsonpatch.ApplyOptions` +whose values are populated from the global configuration variables. + +## Create and apply a merge patch +Given both an original JSON document and a modified JSON document, you can create +a [Merge Patch](https://tools.ietf.org/html/rfc7396) document. + +It can describe the changes needed to convert from the original to the +modified JSON document. + +Once you have a merge patch, you can apply it to other JSON documents using the +`jsonpatch.MergePatch(document, patch)` function. + +```go +package main + +import ( + "fmt" + + jsonpatch "github.com/evanphx/json-patch" +) + +func main() { + // Let's create a merge patch from these two documents... + original := []byte(`{"name": "John", "age": 24, "height": 3.21}`) + target := []byte(`{"name": "Jane", "age": 24}`) + + patch, err := jsonpatch.CreateMergePatch(original, target) + if err != nil { + panic(err) + } + + // Now lets apply the patch against a different JSON document... + + alternative := []byte(`{"name": "Tina", "age": 28, "height": 3.75}`) + modifiedAlternative, err := jsonpatch.MergePatch(alternative, patch) + + fmt.Printf("patch document: %s\n", patch) + fmt.Printf("updated alternative doc: %s\n", modifiedAlternative) +} +``` + +When ran, you get the following output: + +```bash +$ go run main.go +patch document: {"height":null,"name":"Jane"} +updated alternative doc: {"age":28,"name":"Jane"} +``` + +## Create and apply a JSON Patch +You can create patch objects using `DecodePatch([]byte)`, which can then +be applied against JSON documents. + +The following is an example of creating a patch from two operations, and +applying it against a JSON document. + +```go +package main + +import ( + "fmt" + + jsonpatch "github.com/evanphx/json-patch" +) + +func main() { + original := []byte(`{"name": "John", "age": 24, "height": 3.21}`) + patchJSON := []byte(`[ + {"op": "replace", "path": "/name", "value": "Jane"}, + {"op": "remove", "path": "/height"} + ]`) + + patch, err := jsonpatch.DecodePatch(patchJSON) + if err != nil { + panic(err) + } + + modified, err := patch.Apply(original) + if err != nil { + panic(err) + } + + fmt.Printf("Original document: %s\n", original) + fmt.Printf("Modified document: %s\n", modified) +} +``` + +When ran, you get the following output: + +```bash +$ go run main.go +Original document: {"name": "John", "age": 24, "height": 3.21} +Modified document: {"age":24,"name":"Jane"} +``` + +## Comparing JSON documents +Due to potential whitespace and ordering differences, one cannot simply compare +JSON strings or byte-arrays directly. + +As such, you can instead use `jsonpatch.Equal(document1, document2)` to +determine if two JSON documents are _structurally_ equal. This ignores +whitespace differences, and key-value ordering. + +```go +package main + +import ( + "fmt" + + jsonpatch "github.com/evanphx/json-patch" +) + +func main() { + original := []byte(`{"name": "John", "age": 24, "height": 3.21}`) + similar := []byte(` + { + "age": 24, + "height": 3.21, + "name": "John" + } + `) + different := []byte(`{"name": "Jane", "age": 20, "height": 3.37}`) + + if jsonpatch.Equal(original, similar) { + fmt.Println(`"original" is structurally equal to "similar"`) + } + + if !jsonpatch.Equal(original, different) { + fmt.Println(`"original" is _not_ structurally equal to "different"`) + } +} +``` + +When ran, you get the following output: +```bash +$ go run main.go +"original" is structurally equal to "similar" +"original" is _not_ structurally equal to "different" +``` + +## Combine merge patches +Given two JSON merge patch documents, it is possible to combine them into a +single merge patch which can describe both set of changes. + +The resulting merge patch can be used such that applying it results in a +document structurally similar as merging each merge patch to the document +in succession. + +```go +package main + +import ( + "fmt" + + jsonpatch "github.com/evanphx/json-patch" +) + +func main() { + original := []byte(`{"name": "John", "age": 24, "height": 3.21}`) + + nameAndHeight := []byte(`{"height":null,"name":"Jane"}`) + ageAndEyes := []byte(`{"age":4.23,"eyes":"blue"}`) + + // Let's combine these merge patch documents... + combinedPatch, err := jsonpatch.MergeMergePatches(nameAndHeight, ageAndEyes) + if err != nil { + panic(err) + } + + // Apply each patch individual against the original document + withoutCombinedPatch, err := jsonpatch.MergePatch(original, nameAndHeight) + if err != nil { + panic(err) + } + + withoutCombinedPatch, err = jsonpatch.MergePatch(withoutCombinedPatch, ageAndEyes) + if err != nil { + panic(err) + } + + // Apply the combined patch against the original document + + withCombinedPatch, err := jsonpatch.MergePatch(original, combinedPatch) + if err != nil { + panic(err) + } + + // Do both result in the same thing? They should! + if jsonpatch.Equal(withCombinedPatch, withoutCombinedPatch) { + fmt.Println("Both JSON documents are structurally the same!") + } + + fmt.Printf("combined merge patch: %s", combinedPatch) +} +``` + +When ran, you get the following output: +```bash +$ go run main.go +Both JSON documents are structurally the same! +combined merge patch: {"age":4.23,"eyes":"blue","height":null,"name":"Jane"} +``` + +# CLI for comparing JSON documents +You can install the commandline program `json-patch`. + +This program can take multiple JSON patch documents as arguments, +and fed a JSON document from `stdin`. It will apply the patch(es) against +the document and output the modified doc. + +**patch.1.json** +```json +[ + {"op": "replace", "path": "/name", "value": "Jane"}, + {"op": "remove", "path": "/height"} +] +``` + +**patch.2.json** +```json +[ + {"op": "add", "path": "/address", "value": "123 Main St"}, + {"op": "replace", "path": "/age", "value": "21"} +] +``` + +**document.json** +```json +{ + "name": "John", + "age": 24, + "height": 3.21 +} +``` + +You can then run: + +```bash +$ go install github.com/evanphx/json-patch/cmd/json-patch +$ cat document.json | json-patch -p patch.1.json -p patch.2.json +{"address":"123 Main St","age":"21","name":"Jane"} +``` + +# Help It! +Contributions are welcomed! Leave [an issue](https://github.com/evanphx/json-patch/issues) +or [create a PR](https://github.com/evanphx/json-patch/compare). + + +Before creating a pull request, we'd ask that you make sure tests are passing +and that you have added new tests when applicable. + +Contributors can run tests using: + +```bash +go test -cover ./... +``` + +Builds for pull requests are tested automatically +using [GitHub Actions](https://github.com/evanphx/json-patch/actions/workflows/go.yml). diff --git a/vendor/github.com/evanphx/json-patch/errors.go b/vendor/github.com/evanphx/json-patch/errors.go new file mode 100644 index 0000000000..75304b4437 --- /dev/null +++ b/vendor/github.com/evanphx/json-patch/errors.go @@ -0,0 +1,38 @@ +package jsonpatch + +import "fmt" + +// AccumulatedCopySizeError is an error type returned when the accumulated size +// increase caused by copy operations in a patch operation has exceeded the +// limit. +type AccumulatedCopySizeError struct { + limit int64 + accumulated int64 +} + +// NewAccumulatedCopySizeError returns an AccumulatedCopySizeError. +func NewAccumulatedCopySizeError(l, a int64) *AccumulatedCopySizeError { + return &AccumulatedCopySizeError{limit: l, accumulated: a} +} + +// Error implements the error interface. +func (a *AccumulatedCopySizeError) Error() string { + return fmt.Sprintf("Unable to complete the copy, the accumulated size increase of copy is %d, exceeding the limit %d", a.accumulated, a.limit) +} + +// ArraySizeError is an error type returned when the array size has exceeded +// the limit. +type ArraySizeError struct { + limit int + size int +} + +// NewArraySizeError returns an ArraySizeError. +func NewArraySizeError(l, s int) *ArraySizeError { + return &ArraySizeError{limit: l, size: s} +} + +// Error implements the error interface. +func (a *ArraySizeError) Error() string { + return fmt.Sprintf("Unable to create array of size %d, limit is %d", a.size, a.limit) +} diff --git a/vendor/github.com/evanphx/json-patch/merge.go b/vendor/github.com/evanphx/json-patch/merge.go new file mode 100644 index 0000000000..ad88d40181 --- /dev/null +++ b/vendor/github.com/evanphx/json-patch/merge.go @@ -0,0 +1,389 @@ +package jsonpatch + +import ( + "bytes" + "encoding/json" + "fmt" + "reflect" +) + +func merge(cur, patch *lazyNode, mergeMerge bool) *lazyNode { + curDoc, err := cur.intoDoc() + + if err != nil { + pruneNulls(patch) + return patch + } + + patchDoc, err := patch.intoDoc() + + if err != nil { + return patch + } + + mergeDocs(curDoc, patchDoc, mergeMerge) + + return cur +} + +func mergeDocs(doc, patch *partialDoc, mergeMerge bool) { + for k, v := range *patch { + if v == nil { + if mergeMerge { + (*doc)[k] = nil + } else { + delete(*doc, k) + } + } else { + cur, ok := (*doc)[k] + + if !ok || cur == nil { + if !mergeMerge { + pruneNulls(v) + } + + (*doc)[k] = v + } else { + (*doc)[k] = merge(cur, v, mergeMerge) + } + } + } +} + +func pruneNulls(n *lazyNode) { + sub, err := n.intoDoc() + + if err == nil { + pruneDocNulls(sub) + } else { + ary, err := n.intoAry() + + if err == nil { + pruneAryNulls(ary) + } + } +} + +func pruneDocNulls(doc *partialDoc) *partialDoc { + for k, v := range *doc { + if v == nil { + delete(*doc, k) + } else { + pruneNulls(v) + } + } + + return doc +} + +func pruneAryNulls(ary *partialArray) *partialArray { + newAry := []*lazyNode{} + + for _, v := range *ary { + if v != nil { + pruneNulls(v) + } + newAry = append(newAry, v) + } + + *ary = newAry + + return ary +} + +var ErrBadJSONDoc = fmt.Errorf("Invalid JSON Document") +var ErrBadJSONPatch = fmt.Errorf("Invalid JSON Patch") +var errBadMergeTypes = fmt.Errorf("Mismatched JSON Documents") + +// MergeMergePatches merges two merge patches together, such that +// applying this resulting merged merge patch to a document yields the same +// as merging each merge patch to the document in succession. +func MergeMergePatches(patch1Data, patch2Data []byte) ([]byte, error) { + return doMergePatch(patch1Data, patch2Data, true) +} + +// MergePatch merges the patchData into the docData. +func MergePatch(docData, patchData []byte) ([]byte, error) { + return doMergePatch(docData, patchData, false) +} + +func doMergePatch(docData, patchData []byte, mergeMerge bool) ([]byte, error) { + doc := &partialDoc{} + + docErr := json.Unmarshal(docData, doc) + + patch := &partialDoc{} + + patchErr := json.Unmarshal(patchData, patch) + + if _, ok := docErr.(*json.SyntaxError); ok { + return nil, ErrBadJSONDoc + } + + if _, ok := patchErr.(*json.SyntaxError); ok { + return nil, ErrBadJSONPatch + } + + if docErr == nil && *doc == nil { + return nil, ErrBadJSONDoc + } + + if patchErr == nil && *patch == nil { + return nil, ErrBadJSONPatch + } + + if docErr != nil || patchErr != nil { + // Not an error, just not a doc, so we turn straight into the patch + if patchErr == nil { + if mergeMerge { + doc = patch + } else { + doc = pruneDocNulls(patch) + } + } else { + patchAry := &partialArray{} + patchErr = json.Unmarshal(patchData, patchAry) + + if patchErr != nil { + return nil, ErrBadJSONPatch + } + + pruneAryNulls(patchAry) + + out, patchErr := json.Marshal(patchAry) + + if patchErr != nil { + return nil, ErrBadJSONPatch + } + + return out, nil + } + } else { + mergeDocs(doc, patch, mergeMerge) + } + + return json.Marshal(doc) +} + +// resemblesJSONArray indicates whether the byte-slice "appears" to be +// a JSON array or not. +// False-positives are possible, as this function does not check the internal +// structure of the array. It only checks that the outer syntax is present and +// correct. +func resemblesJSONArray(input []byte) bool { + input = bytes.TrimSpace(input) + + hasPrefix := bytes.HasPrefix(input, []byte("[")) + hasSuffix := bytes.HasSuffix(input, []byte("]")) + + return hasPrefix && hasSuffix +} + +// CreateMergePatch will return a merge patch document capable of converting +// the original document(s) to the modified document(s). +// The parameters can be bytes of either two JSON Documents, or two arrays of +// JSON documents. +// The merge patch returned follows the specification defined at http://tools.ietf.org/html/draft-ietf-appsawg-json-merge-patch-07 +func CreateMergePatch(originalJSON, modifiedJSON []byte) ([]byte, error) { + originalResemblesArray := resemblesJSONArray(originalJSON) + modifiedResemblesArray := resemblesJSONArray(modifiedJSON) + + // Do both byte-slices seem like JSON arrays? + if originalResemblesArray && modifiedResemblesArray { + return createArrayMergePatch(originalJSON, modifiedJSON) + } + + // Are both byte-slices are not arrays? Then they are likely JSON objects... + if !originalResemblesArray && !modifiedResemblesArray { + return createObjectMergePatch(originalJSON, modifiedJSON) + } + + // None of the above? Then return an error because of mismatched types. + return nil, errBadMergeTypes +} + +// createObjectMergePatch will return a merge-patch document capable of +// converting the original document to the modified document. +func createObjectMergePatch(originalJSON, modifiedJSON []byte) ([]byte, error) { + originalDoc := map[string]interface{}{} + modifiedDoc := map[string]interface{}{} + + err := json.Unmarshal(originalJSON, &originalDoc) + if err != nil { + return nil, ErrBadJSONDoc + } + + err = json.Unmarshal(modifiedJSON, &modifiedDoc) + if err != nil { + return nil, ErrBadJSONDoc + } + + dest, err := getDiff(originalDoc, modifiedDoc) + if err != nil { + return nil, err + } + + return json.Marshal(dest) +} + +// createArrayMergePatch will return an array of merge-patch documents capable +// of converting the original document to the modified document for each +// pair of JSON documents provided in the arrays. +// Arrays of mismatched sizes will result in an error. +func createArrayMergePatch(originalJSON, modifiedJSON []byte) ([]byte, error) { + originalDocs := []json.RawMessage{} + modifiedDocs := []json.RawMessage{} + + err := json.Unmarshal(originalJSON, &originalDocs) + if err != nil { + return nil, ErrBadJSONDoc + } + + err = json.Unmarshal(modifiedJSON, &modifiedDocs) + if err != nil { + return nil, ErrBadJSONDoc + } + + total := len(originalDocs) + if len(modifiedDocs) != total { + return nil, ErrBadJSONDoc + } + + result := []json.RawMessage{} + for i := 0; i < len(originalDocs); i++ { + original := originalDocs[i] + modified := modifiedDocs[i] + + patch, err := createObjectMergePatch(original, modified) + if err != nil { + return nil, err + } + + result = append(result, json.RawMessage(patch)) + } + + return json.Marshal(result) +} + +// Returns true if the array matches (must be json types). +// As is idiomatic for go, an empty array is not the same as a nil array. +func matchesArray(a, b []interface{}) bool { + if len(a) != len(b) { + return false + } + if (a == nil && b != nil) || (a != nil && b == nil) { + return false + } + for i := range a { + if !matchesValue(a[i], b[i]) { + return false + } + } + return true +} + +// Returns true if the values matches (must be json types) +// The types of the values must match, otherwise it will always return false +// If two map[string]interface{} are given, all elements must match. +func matchesValue(av, bv interface{}) bool { + if reflect.TypeOf(av) != reflect.TypeOf(bv) { + return false + } + switch at := av.(type) { + case string: + bt := bv.(string) + if bt == at { + return true + } + case float64: + bt := bv.(float64) + if bt == at { + return true + } + case bool: + bt := bv.(bool) + if bt == at { + return true + } + case nil: + // Both nil, fine. + return true + case map[string]interface{}: + bt := bv.(map[string]interface{}) + if len(bt) != len(at) { + return false + } + for key := range bt { + av, aOK := at[key] + bv, bOK := bt[key] + if aOK != bOK { + return false + } + if !matchesValue(av, bv) { + return false + } + } + return true + case []interface{}: + bt := bv.([]interface{}) + return matchesArray(at, bt) + } + return false +} + +// getDiff returns the (recursive) difference between a and b as a map[string]interface{}. +func getDiff(a, b map[string]interface{}) (map[string]interface{}, error) { + into := map[string]interface{}{} + for key, bv := range b { + av, ok := a[key] + // value was added + if !ok { + into[key] = bv + continue + } + // If types have changed, replace completely + if reflect.TypeOf(av) != reflect.TypeOf(bv) { + into[key] = bv + continue + } + // Types are the same, compare values + switch at := av.(type) { + case map[string]interface{}: + bt := bv.(map[string]interface{}) + dst := make(map[string]interface{}, len(bt)) + dst, err := getDiff(at, bt) + if err != nil { + return nil, err + } + if len(dst) > 0 { + into[key] = dst + } + case string, float64, bool: + if !matchesValue(av, bv) { + into[key] = bv + } + case []interface{}: + bt := bv.([]interface{}) + if !matchesArray(at, bt) { + into[key] = bv + } + case nil: + switch bv.(type) { + case nil: + // Both nil, fine. + default: + into[key] = bv + } + default: + panic(fmt.Sprintf("Unknown type:%T in key %s", av, key)) + } + } + // Now add all deleted values as nil + for key := range a { + _, found := b[key] + if !found { + into[key] = nil + } + } + return into, nil +} diff --git a/vendor/github.com/evanphx/json-patch/patch.go b/vendor/github.com/evanphx/json-patch/patch.go new file mode 100644 index 0000000000..95136681ba --- /dev/null +++ b/vendor/github.com/evanphx/json-patch/patch.go @@ -0,0 +1,850 @@ +package jsonpatch + +import ( + "bytes" + "encoding/json" + "errors" + "fmt" + "strconv" + "strings" +) + +const ( + eRaw = iota + eDoc + eAry +) + +var ( + // SupportNegativeIndices decides whether to support non-standard practice of + // allowing negative indices to mean indices starting at the end of an array. + // Default to true. + SupportNegativeIndices bool = true + // AccumulatedCopySizeLimit limits the total size increase in bytes caused by + // "copy" operations in a patch. + AccumulatedCopySizeLimit int64 = 0 +) + +var ( + ErrTestFailed = errors.New("test failed") + ErrMissing = errors.New("missing value") + ErrUnknownType = errors.New("unknown object type") + ErrInvalid = errors.New("invalid state detected") + ErrInvalidIndex = errors.New("invalid index referenced") +) + +type lazyNode struct { + raw *json.RawMessage + doc partialDoc + ary partialArray + which int +} + +// Operation is a single JSON-Patch step, such as a single 'add' operation. +type Operation map[string]*json.RawMessage + +// Patch is an ordered collection of Operations. +type Patch []Operation + +type partialDoc map[string]*lazyNode +type partialArray []*lazyNode + +type container interface { + get(key string) (*lazyNode, error) + set(key string, val *lazyNode) error + add(key string, val *lazyNode) error + remove(key string) error +} + +func newLazyNode(raw *json.RawMessage) *lazyNode { + return &lazyNode{raw: raw, doc: nil, ary: nil, which: eRaw} +} + +func (n *lazyNode) MarshalJSON() ([]byte, error) { + switch n.which { + case eRaw: + return json.Marshal(n.raw) + case eDoc: + return json.Marshal(n.doc) + case eAry: + return json.Marshal(n.ary) + default: + return nil, ErrUnknownType + } +} + +func (n *lazyNode) UnmarshalJSON(data []byte) error { + dest := make(json.RawMessage, len(data)) + copy(dest, data) + n.raw = &dest + n.which = eRaw + return nil +} + +func deepCopy(src *lazyNode) (*lazyNode, int, error) { + if src == nil { + return nil, 0, nil + } + a, err := src.MarshalJSON() + if err != nil { + return nil, 0, err + } + sz := len(a) + ra := make(json.RawMessage, sz) + copy(ra, a) + return newLazyNode(&ra), sz, nil +} + +func (n *lazyNode) intoDoc() (*partialDoc, error) { + if n.which == eDoc { + return &n.doc, nil + } + + if n.raw == nil { + return nil, ErrInvalid + } + + err := json.Unmarshal(*n.raw, &n.doc) + + if err != nil { + return nil, err + } + + n.which = eDoc + return &n.doc, nil +} + +func (n *lazyNode) intoAry() (*partialArray, error) { + if n.which == eAry { + return &n.ary, nil + } + + if n.raw == nil { + return nil, ErrInvalid + } + + err := json.Unmarshal(*n.raw, &n.ary) + + if err != nil { + return nil, err + } + + n.which = eAry + return &n.ary, nil +} + +func (n *lazyNode) compact() []byte { + buf := &bytes.Buffer{} + + if n.raw == nil { + return nil + } + + err := json.Compact(buf, *n.raw) + + if err != nil { + return *n.raw + } + + return buf.Bytes() +} + +func (n *lazyNode) tryDoc() bool { + if n.raw == nil { + return false + } + + err := json.Unmarshal(*n.raw, &n.doc) + + if err != nil { + return false + } + + n.which = eDoc + return true +} + +func (n *lazyNode) tryAry() bool { + if n.raw == nil { + return false + } + + err := json.Unmarshal(*n.raw, &n.ary) + + if err != nil { + return false + } + + n.which = eAry + return true +} + +func (n *lazyNode) equal(o *lazyNode) bool { + if n.which == eRaw { + if !n.tryDoc() && !n.tryAry() { + if o.which != eRaw { + return false + } + + return bytes.Equal(n.compact(), o.compact()) + } + } + + if n.which == eDoc { + if o.which == eRaw { + if !o.tryDoc() { + return false + } + } + + if o.which != eDoc { + return false + } + + if len(n.doc) != len(o.doc) { + return false + } + + for k, v := range n.doc { + ov, ok := o.doc[k] + + if !ok { + return false + } + + if (v == nil) != (ov == nil) { + return false + } + + if v == nil && ov == nil { + continue + } + + if !v.equal(ov) { + return false + } + } + + return true + } + + if o.which != eAry && !o.tryAry() { + return false + } + + if len(n.ary) != len(o.ary) { + return false + } + + for idx, val := range n.ary { + if !val.equal(o.ary[idx]) { + return false + } + } + + return true +} + +// Kind reads the "op" field of the Operation. +func (o Operation) Kind() string { + if obj, ok := o["op"]; ok && obj != nil { + var op string + + err := json.Unmarshal(*obj, &op) + + if err != nil { + return "unknown" + } + + return op + } + + return "unknown" +} + +// Path reads the "path" field of the Operation. +func (o Operation) Path() (string, error) { + if obj, ok := o["path"]; ok && obj != nil { + var op string + + err := json.Unmarshal(*obj, &op) + + if err != nil { + return "unknown", err + } + + return op, nil + } + + return "unknown", fmt.Errorf("operation missing path field: %w", ErrMissing) +} + +// From reads the "from" field of the Operation. +func (o Operation) From() (string, error) { + if obj, ok := o["from"]; ok && obj != nil { + var op string + + err := json.Unmarshal(*obj, &op) + + if err != nil { + return "unknown", err + } + + return op, nil + } + + return "unknown", fmt.Errorf("operation, missing from field: %w", ErrMissing) +} + +func (o Operation) value() *lazyNode { + if obj, ok := o["value"]; ok { + return newLazyNode(obj) + } + + return nil +} + +// ValueInterface decodes the operation value into an interface. +func (o Operation) ValueInterface() (interface{}, error) { + if obj, ok := o["value"]; ok && obj != nil { + var v interface{} + + err := json.Unmarshal(*obj, &v) + + if err != nil { + return nil, err + } + + return v, nil + } + + return nil, fmt.Errorf("operation, missing value field: %w", ErrMissing) +} + +func isArray(buf []byte) bool { +Loop: + for _, c := range buf { + switch c { + case ' ': + case '\n': + case '\t': + continue + case '[': + return true + default: + break Loop + } + } + + return false +} + +func findObject(pd *container, path string) (container, string) { + doc := *pd + + split := strings.Split(path, "/") + + if len(split) < 2 { + return nil, "" + } + + parts := split[1 : len(split)-1] + + key := split[len(split)-1] + + var err error + + for _, part := range parts { + + next, ok := doc.get(decodePatchKey(part)) + + if next == nil || ok != nil || next.raw == nil { + return nil, "" + } + + if isArray(*next.raw) { + doc, err = next.intoAry() + + if err != nil { + return nil, "" + } + } else { + doc, err = next.intoDoc() + + if err != nil { + return nil, "" + } + } + } + + return doc, decodePatchKey(key) +} + +func (d *partialDoc) set(key string, val *lazyNode) error { + (*d)[key] = val + return nil +} + +func (d *partialDoc) add(key string, val *lazyNode) error { + (*d)[key] = val + return nil +} + +func (d *partialDoc) get(key string) (*lazyNode, error) { + return (*d)[key], nil +} + +func (d *partialDoc) remove(key string) error { + _, ok := (*d)[key] + if !ok { + return fmt.Errorf("Unable to remove nonexistent key: %s: %w", key, ErrMissing) + } + + delete(*d, key) + return nil +} + +// set should only be used to implement the "replace" operation, so "key" must +// be an already existing index in "d". +func (d *partialArray) set(key string, val *lazyNode) error { + idx, err := strconv.Atoi(key) + if err != nil { + return err + } + + if idx < 0 { + if !SupportNegativeIndices { + return fmt.Errorf("Unable to access invalid index: %d: %w", idx, ErrInvalidIndex) + } + if idx < -len(*d) { + return fmt.Errorf("Unable to access invalid index: %d: %w", idx, ErrInvalidIndex) + } + idx += len(*d) + } + + (*d)[idx] = val + return nil +} + +func (d *partialArray) add(key string, val *lazyNode) error { + if key == "-" { + *d = append(*d, val) + return nil + } + + idx, err := strconv.Atoi(key) + if err != nil { + return fmt.Errorf("value was not a proper array index: '%s': %w", key, err) + } + + sz := len(*d) + 1 + + ary := make([]*lazyNode, sz) + + cur := *d + + if idx >= len(ary) { + return fmt.Errorf("Unable to access invalid index: %d: %w", idx, ErrInvalidIndex) + } + + if idx < 0 { + if !SupportNegativeIndices { + return fmt.Errorf("Unable to access invalid index: %d: %w", idx, ErrInvalidIndex) + } + if idx < -len(ary) { + return fmt.Errorf("Unable to access invalid index: %d: %w", idx, ErrInvalidIndex) + } + idx += len(ary) + } + + copy(ary[0:idx], cur[0:idx]) + ary[idx] = val + copy(ary[idx+1:], cur[idx:]) + + *d = ary + return nil +} + +func (d *partialArray) get(key string) (*lazyNode, error) { + idx, err := strconv.Atoi(key) + + if err != nil { + return nil, err + } + + if idx < 0 { + if !SupportNegativeIndices { + return nil, fmt.Errorf("Unable to access invalid index: %d: %w", idx, ErrInvalidIndex) + } + if idx < -len(*d) { + return nil, fmt.Errorf("Unable to access invalid index: %d: %w", idx, ErrInvalidIndex) + } + idx += len(*d) + } + + if idx >= len(*d) { + return nil, fmt.Errorf("Unable to access invalid index: %d: %w", idx, ErrInvalidIndex) + } + + return (*d)[idx], nil +} + +func (d *partialArray) remove(key string) error { + idx, err := strconv.Atoi(key) + if err != nil { + return err + } + + cur := *d + + if idx >= len(cur) { + return fmt.Errorf("Unable to access invalid index: %d: %w", idx, ErrInvalidIndex) + } + + if idx < 0 { + if !SupportNegativeIndices { + return fmt.Errorf("Unable to access invalid index: %d: %w", idx, ErrInvalidIndex) + } + if idx < -len(cur) { + return fmt.Errorf("Unable to access invalid index: %d: %w", idx, ErrInvalidIndex) + } + idx += len(cur) + } + + ary := make([]*lazyNode, len(cur)-1) + + copy(ary[0:idx], cur[0:idx]) + copy(ary[idx:], cur[idx+1:]) + + *d = ary + return nil + +} + +func (p Patch) add(doc *container, op Operation) error { + path, err := op.Path() + if err != nil { + return fmt.Errorf("add operation failed to decode path: %w", ErrMissing) + } + + con, key := findObject(doc, path) + + if con == nil { + return fmt.Errorf("add operation does not apply: doc is missing path: \"%s\": %w", path, ErrMissing) + } + + err = con.add(key, op.value()) + if err != nil { + return fmt.Errorf("error in add for path: '%s': %w", path, err) + } + + return nil +} + +func (p Patch) remove(doc *container, op Operation) error { + path, err := op.Path() + if err != nil { + return fmt.Errorf("remove operation failed to decode path: %w", ErrMissing) + } + + con, key := findObject(doc, path) + + if con == nil { + return fmt.Errorf("remove operation does not apply: doc is missing path: \"%s\": %w", path, ErrMissing) + } + + err = con.remove(key) + if err != nil { + return fmt.Errorf("error in remove for path: '%s': %w", path, err) + } + + return nil +} + +func (p Patch) replace(doc *container, op Operation) error { + path, err := op.Path() + if err != nil { + return fmt.Errorf("replace operation failed to decode path: %w", err) + } + + if path == "" { + val := op.value() + + if val.which == eRaw { + if !val.tryDoc() { + if !val.tryAry() { + return fmt.Errorf("replace operation value must be object or array: %w", err) + } + } + } + + switch val.which { + case eAry: + *doc = &val.ary + case eDoc: + *doc = &val.doc + case eRaw: + return fmt.Errorf("replace operation hit impossible case: %w", err) + } + + return nil + } + + con, key := findObject(doc, path) + + if con == nil { + return fmt.Errorf("replace operation does not apply: doc is missing path: %s: %w", path, ErrMissing) + } + + _, ok := con.get(key) + if ok != nil { + return fmt.Errorf("replace operation does not apply: doc is missing key: %s: %w", path, ErrMissing) + } + + err = con.set(key, op.value()) + if err != nil { + return fmt.Errorf("error in remove for path: '%s': %w", path, err) + } + + return nil +} + +func (p Patch) move(doc *container, op Operation) error { + from, err := op.From() + if err != nil { + return fmt.Errorf("move operation failed to decode from: %w", err) + } + + con, key := findObject(doc, from) + + if con == nil { + return fmt.Errorf("move operation does not apply: doc is missing from path: %s: %w", from, ErrMissing) + } + + val, err := con.get(key) + if err != nil { + return fmt.Errorf("error in move for path: '%s': %w", key, err) + } + + err = con.remove(key) + if err != nil { + return fmt.Errorf("error in move for path: '%s': %w", key, err) + } + + path, err := op.Path() + if err != nil { + return fmt.Errorf("move operation failed to decode path: %w", err) + } + + con, key = findObject(doc, path) + + if con == nil { + return fmt.Errorf("move operation does not apply: doc is missing destination path: %s: %w", path, ErrMissing) + } + + err = con.add(key, val) + if err != nil { + return fmt.Errorf("error in move for path: '%s': %w", path, err) + } + + return nil +} + +func (p Patch) test(doc *container, op Operation) error { + path, err := op.Path() + if err != nil { + return fmt.Errorf("test operation failed to decode path: %w", err) + } + + if path == "" { + var self lazyNode + + switch sv := (*doc).(type) { + case *partialDoc: + self.doc = *sv + self.which = eDoc + case *partialArray: + self.ary = *sv + self.which = eAry + } + + if self.equal(op.value()) { + return nil + } + + return fmt.Errorf("testing value %s failed: %w", path, ErrTestFailed) + } + + con, key := findObject(doc, path) + + if con == nil { + return fmt.Errorf("test operation does not apply: is missing path: %s: %w", path, ErrMissing) + } + + val, err := con.get(key) + if err != nil { + return fmt.Errorf("error in test for path: '%s': %w", path, err) + } + + if val == nil { + if op.value() == nil || op.value().raw == nil { + return nil + } + return fmt.Errorf("testing value %s failed: %w", path, ErrTestFailed) + } else if op.value() == nil { + return fmt.Errorf("testing value %s failed: %w", path, ErrTestFailed) + } + + if val.equal(op.value()) { + return nil + } + + return fmt.Errorf("testing value %s failed: %w", path, ErrTestFailed) +} + +func (p Patch) copy(doc *container, op Operation, accumulatedCopySize *int64) error { + from, err := op.From() + if err != nil { + return fmt.Errorf("copy operation failed to decode from: %w", err) + } + + con, key := findObject(doc, from) + + if con == nil { + return fmt.Errorf("copy operation does not apply: doc is missing from path: %s: %w", from, ErrMissing) + } + + val, err := con.get(key) + if err != nil { + return fmt.Errorf("error in copy for from: '%s': %w", from, err) + } + + path, err := op.Path() + if err != nil { + return fmt.Errorf("copy operation failed to decode path: %w", ErrMissing) + } + + con, key = findObject(doc, path) + + if con == nil { + return fmt.Errorf("copy operation does not apply: doc is missing destination path: %s: %w", path, ErrMissing) + } + + valCopy, sz, err := deepCopy(val) + if err != nil { + return fmt.Errorf("error while performing deep copy: %w", err) + } + + (*accumulatedCopySize) += int64(sz) + if AccumulatedCopySizeLimit > 0 && *accumulatedCopySize > AccumulatedCopySizeLimit { + return NewAccumulatedCopySizeError(AccumulatedCopySizeLimit, *accumulatedCopySize) + } + + err = con.add(key, valCopy) + if err != nil { + return fmt.Errorf("error while adding value during copy: %w", err) + } + + return nil +} + +// Equal indicates if 2 JSON documents have the same structural equality. +func Equal(a, b []byte) bool { + ra := make(json.RawMessage, len(a)) + copy(ra, a) + la := newLazyNode(&ra) + + rb := make(json.RawMessage, len(b)) + copy(rb, b) + lb := newLazyNode(&rb) + + return la.equal(lb) +} + +// DecodePatch decodes the passed JSON document as an RFC 6902 patch. +func DecodePatch(buf []byte) (Patch, error) { + var p Patch + + err := json.Unmarshal(buf, &p) + + if err != nil { + return nil, err + } + + return p, nil +} + +// Apply mutates a JSON document according to the patch, and returns the new +// document. +func (p Patch) Apply(doc []byte) ([]byte, error) { + return p.ApplyIndent(doc, "") +} + +// ApplyIndent mutates a JSON document according to the patch, and returns the new +// document indented. +func (p Patch) ApplyIndent(doc []byte, indent string) ([]byte, error) { + if len(doc) == 0 { + return doc, nil + } + + var pd container + if doc[0] == '[' { + pd = &partialArray{} + } else { + pd = &partialDoc{} + } + + err := json.Unmarshal(doc, pd) + + if err != nil { + return nil, err + } + + err = nil + + var accumulatedCopySize int64 + + for _, op := range p { + switch op.Kind() { + case "add": + err = p.add(&pd, op) + case "remove": + err = p.remove(&pd, op) + case "replace": + err = p.replace(&pd, op) + case "move": + err = p.move(&pd, op) + case "test": + err = p.test(&pd, op) + case "copy": + err = p.copy(&pd, op, &accumulatedCopySize) + default: + err = fmt.Errorf("Unexpected kind: %s", op.Kind()) + } + + if err != nil { + return nil, err + } + } + + if indent != "" { + return json.MarshalIndent(pd, "", indent) + } + + return json.Marshal(pd) +} + +// From http://tools.ietf.org/html/rfc6901#section-4 : +// +// Evaluation of each reference token begins by decoding any escaped +// character sequence. This is performed by first transforming any +// occurrence of the sequence '~1' to '/', and then transforming any +// occurrence of the sequence '~0' to '~'. + +var ( + rfc6901Decoder = strings.NewReplacer("~1", "/", "~0", "~") +) + +func decodePatchKey(k string) string { + return rfc6901Decoder.Replace(k) +} diff --git a/vendor/github.com/exponent-io/jsonpath/.gitignore b/vendor/github.com/exponent-io/jsonpath/.gitignore new file mode 100644 index 0000000000..daf913b1b3 --- /dev/null +++ b/vendor/github.com/exponent-io/jsonpath/.gitignore @@ -0,0 +1,24 @@ +# Compiled Object files, Static and Dynamic libs (Shared Objects) +*.o +*.a +*.so + +# Folders +_obj +_test + +# Architecture specific extensions/prefixes +*.[568vq] +[568vq].out + +*.cgo1.go +*.cgo2.c +_cgo_defun.c +_cgo_gotypes.go +_cgo_export.* + +_testmain.go + +*.exe +*.test +*.prof diff --git a/vendor/github.com/exponent-io/jsonpath/.travis.yml b/vendor/github.com/exponent-io/jsonpath/.travis.yml new file mode 100644 index 0000000000..53bb8b3f95 --- /dev/null +++ b/vendor/github.com/exponent-io/jsonpath/.travis.yml @@ -0,0 +1,7 @@ +language: go +arch: + - amd64 + - ppc64le +go: + - 1.15 + - tip diff --git a/vendor/github.com/exponent-io/jsonpath/LICENSE b/vendor/github.com/exponent-io/jsonpath/LICENSE new file mode 100644 index 0000000000..5419772507 --- /dev/null +++ b/vendor/github.com/exponent-io/jsonpath/LICENSE @@ -0,0 +1,21 @@ +The MIT License (MIT) + +Copyright (c) 2015 Exponent Labs LLC + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. diff --git a/vendor/github.com/exponent-io/jsonpath/README.md b/vendor/github.com/exponent-io/jsonpath/README.md new file mode 100644 index 0000000000..382fb3138c --- /dev/null +++ b/vendor/github.com/exponent-io/jsonpath/README.md @@ -0,0 +1,66 @@ +[![GoDoc](https://godoc.org/github.com/exponent-io/jsonpath?status.svg)](https://godoc.org/github.com/exponent-io/jsonpath) +[![Build Status](https://travis-ci.org/exponent-io/jsonpath.svg?branch=master)](https://travis-ci.org/exponent-io/jsonpath) + +# jsonpath + +This package extends the [json.Decoder](https://golang.org/pkg/encoding/json/#Decoder) to support navigating a stream of JSON tokens. You should be able to use this extended Decoder places where a json.Decoder would have been used. + +This Decoder has the following enhancements... + * The [Scan](https://godoc.org/github.com/exponent-io/jsonpath/#Decoder.Scan) method supports scanning a JSON stream while extracting particular values along the way using [PathActions](https://godoc.org/github.com/exponent-io/jsonpath#PathActions). + * The [SeekTo](https://godoc.org/github.com/exponent-io/jsonpath#Decoder.SeekTo) method supports seeking forward in a JSON token stream to a particular path. + * The [Path](https://godoc.org/github.com/exponent-io/jsonpath#Decoder.Path) method returns the path of the most recently parsed token. + * The [Token](https://godoc.org/github.com/exponent-io/jsonpath#Decoder.Token) method has been modified to distinguish between strings that are object keys and strings that are values. Object key strings are returned as the [KeyString](https://godoc.org/github.com/exponent-io/jsonpath#KeyString) type rather than a native string. + +## Installation + + go get -u github.com/exponent-io/jsonpath + +## Example Usage + +#### SeekTo + +```go +import "github.com/exponent-io/jsonpath" + +var j = []byte(`[ + {"Space": "YCbCr", "Point": {"Y": 255, "Cb": 0, "Cr": -10}}, + {"Space": "RGB", "Point": {"R": 98, "G": 218, "B": 255}} +]`) + +w := json.NewDecoder(bytes.NewReader(j)) +var v interface{} + +w.SeekTo(1, "Point", "G") +w.Decode(&v) // v is 218 +``` + +#### Scan with PathActions + +```go +var j = []byte(`{"colors":[ + {"Space": "YCbCr", "Point": {"Y": 255, "Cb": 0, "Cr": -10, "A": 58}}, + {"Space": "RGB", "Point": {"R": 98, "G": 218, "B": 255, "A": 231}} +]}`) + +var actions PathActions + +// Extract the value at Point.A +actions.Add(func(d *Decoder) error { + var alpha int + err := d.Decode(&alpha) + fmt.Printf("Alpha: %v\n", alpha) + return err +}, "Point", "A") + +w := NewDecoder(bytes.NewReader(j)) +w.SeekTo("colors", 0) + +var ok = true +var err error +for ok { + ok, err = w.Scan(&actions) + if err != nil && err != io.EOF { + panic(err) + } +} +``` diff --git a/vendor/github.com/exponent-io/jsonpath/decoder.go b/vendor/github.com/exponent-io/jsonpath/decoder.go new file mode 100644 index 0000000000..5e3a06548a --- /dev/null +++ b/vendor/github.com/exponent-io/jsonpath/decoder.go @@ -0,0 +1,209 @@ +package jsonpath + +import ( + "encoding/json" + "io" +) + +// KeyString is returned from Decoder.Token to represent each key in a JSON object value. +type KeyString string + +// Decoder extends the Go runtime's encoding/json.Decoder to support navigating in a stream of JSON tokens. +type Decoder struct { + json.Decoder + + path JsonPath + context jsonContext +} + +// NewDecoder creates a new instance of the extended JSON Decoder. +func NewDecoder(r io.Reader) *Decoder { + return &Decoder{Decoder: *json.NewDecoder(r)} +} + +// SeekTo causes the Decoder to move forward to a given path in the JSON structure. +// +// The path argument must consist of strings or integers. Each string specifies an JSON object key, and +// each integer specifies an index into a JSON array. +// +// Consider the JSON structure +// +// { "a": [0,"s",12e4,{"b":0,"v":35} ] } +// +// SeekTo("a",3,"v") will move to the value referenced by the "a" key in the current object, +// followed by a move to the 4th value (index 3) in the array, followed by a move to the value at key "v". +// In this example, a subsequent call to the decoder's Decode() would unmarshal the value 35. +// +// SeekTo returns a boolean value indicating whether a match was found. +// +// Decoder is intended to be used with a stream of tokens. As a result it navigates forward only. +func (d *Decoder) SeekTo(path ...interface{}) (bool, error) { + + if len(path) > 0 { + last := len(path) - 1 + if i, ok := path[last].(int); ok { + path[last] = i - 1 + } + } + + for { + if len(path) == len(d.path) && d.path.Equal(path) { + return true, nil + } + _, err := d.Token() + if err == io.EOF { + return false, nil + } else if err != nil { + return false, err + } + } +} + +// Decode reads the next JSON-encoded value from its input and stores it in the value pointed to by v. This is +// equivalent to encoding/json.Decode(). +func (d *Decoder) Decode(v interface{}) error { + switch d.context { + case objValue: + d.context = objKey + break + case arrValue: + d.path.incTop() + break + } + return d.Decoder.Decode(v) +} + +// Path returns a slice of string and/or int values representing the path from the root of the JSON object to the +// position of the most-recently parsed token. +func (d *Decoder) Path() JsonPath { + p := make(JsonPath, len(d.path)) + copy(p, d.path) + return p +} + +// Token is equivalent to the Token() method on json.Decoder. The primary difference is that it distinguishes +// between strings that are keys and and strings that are values. String tokens that are object keys are returned as a +// KeyString rather than as a native string. +func (d *Decoder) Token() (json.Token, error) { + t, err := d.Decoder.Token() + if err != nil { + return t, err + } + + if t == nil { + switch d.context { + case objValue: + d.context = objKey + break + case arrValue: + d.path.incTop() + break + } + return t, err + } + + switch t := t.(type) { + case json.Delim: + switch t { + case json.Delim('{'): + if d.context == arrValue { + d.path.incTop() + } + d.path.push("") + d.context = objKey + break + case json.Delim('}'): + d.path.pop() + d.context = d.path.inferContext() + break + case json.Delim('['): + if d.context == arrValue { + d.path.incTop() + } + d.path.push(-1) + d.context = arrValue + break + case json.Delim(']'): + d.path.pop() + d.context = d.path.inferContext() + break + } + case float64, json.Number, bool: + switch d.context { + case objValue: + d.context = objKey + break + case arrValue: + d.path.incTop() + break + } + break + case string: + switch d.context { + case objKey: + d.path.nameTop(t) + d.context = objValue + return KeyString(t), err + case objValue: + d.context = objKey + case arrValue: + d.path.incTop() + } + break + } + + return t, err +} + +// Scan moves forward over the JSON stream consuming all the tokens at the current level (current object, current array) +// invoking each matching PathAction along the way. +// +// Scan returns true if there are more contiguous values to scan (for example in an array). +func (d *Decoder) Scan(ext *PathActions) (bool, error) { + + rootPath := d.Path() + + // If this is an array path, increment the root path in our local copy. + if rootPath.inferContext() == arrValue { + rootPath.incTop() + } + + for { + // advance the token position + _, err := d.Token() + if err != nil { + return false, err + } + + match: + var relPath JsonPath + + // capture the new JSON path + path := d.Path() + + if len(path) > len(rootPath) { + // capture the path relative to where the scan started + relPath = path[len(rootPath):] + } else { + // if the path is not longer than the root, then we are done with this scan + // return boolean flag indicating if there are more items to scan at the same level + return d.Decoder.More(), nil + } + + // match the relative path against the path actions + if node := ext.node.match(relPath); node != nil { + if node.action != nil { + // we have a match so execute the action + err = node.action(d) + if err != nil { + return d.Decoder.More(), err + } + // The action may have advanced the decoder. If we are in an array, advancing it further would + // skip tokens. So, if we are scanning an array, jump to the top without advancing the token. + if d.path.inferContext() == arrValue && d.Decoder.More() { + goto match + } + } + } + } +} diff --git a/vendor/github.com/exponent-io/jsonpath/path.go b/vendor/github.com/exponent-io/jsonpath/path.go new file mode 100644 index 0000000000..d7db2ad336 --- /dev/null +++ b/vendor/github.com/exponent-io/jsonpath/path.go @@ -0,0 +1,67 @@ +// Extends the Go runtime's json.Decoder enabling navigation of a stream of json tokens. +package jsonpath + +import "fmt" + +type jsonContext int + +const ( + none jsonContext = iota + objKey + objValue + arrValue +) + +// AnyIndex can be used in a pattern to match any array index. +const AnyIndex = -2 + +// JsonPath is a slice of strings and/or integers. Each string specifies an JSON object key, and +// each integer specifies an index into a JSON array. +type JsonPath []interface{} + +func (p *JsonPath) push(n interface{}) { *p = append(*p, n) } +func (p *JsonPath) pop() { *p = (*p)[:len(*p)-1] } + +// increment the index at the top of the stack (must be an array index) +func (p *JsonPath) incTop() { (*p)[len(*p)-1] = (*p)[len(*p)-1].(int) + 1 } + +// name the key at the top of the stack (must be an object key) +func (p *JsonPath) nameTop(n string) { (*p)[len(*p)-1] = n } + +// infer the context from the item at the top of the stack +func (p *JsonPath) inferContext() jsonContext { + if len(*p) == 0 { + return none + } + t := (*p)[len(*p)-1] + switch t.(type) { + case string: + return objKey + case int: + return arrValue + default: + panic(fmt.Sprintf("Invalid stack type %T", t)) + } +} + +// Equal tests for equality between two JsonPath types. +func (p *JsonPath) Equal(o JsonPath) bool { + if len(*p) != len(o) { + return false + } + for i, v := range *p { + if v != o[i] { + return false + } + } + return true +} + +func (p *JsonPath) HasPrefix(o JsonPath) bool { + for i, v := range o { + if v != (*p)[i] { + return false + } + } + return true +} diff --git a/vendor/github.com/exponent-io/jsonpath/pathaction.go b/vendor/github.com/exponent-io/jsonpath/pathaction.go new file mode 100644 index 0000000000..497ed686ca --- /dev/null +++ b/vendor/github.com/exponent-io/jsonpath/pathaction.go @@ -0,0 +1,61 @@ +package jsonpath + +// pathNode is used to construct a trie of paths to be matched +type pathNode struct { + matchOn interface{} // string, or integer + childNodes []pathNode + action DecodeAction +} + +// match climbs the trie to find a node that matches the given JSON path. +func (n *pathNode) match(path JsonPath) *pathNode { + var node *pathNode = n + for _, ps := range path { + found := false + for i, n := range node.childNodes { + if n.matchOn == ps { + node = &node.childNodes[i] + found = true + break + } else if _, ok := ps.(int); ok && n.matchOn == AnyIndex { + node = &node.childNodes[i] + found = true + break + } + } + if !found { + return nil + } + } + return node +} + +// PathActions represents a collection of DecodeAction functions that should be called at certain path positions +// when scanning the JSON stream. PathActions can be created once and used many times in one or more JSON streams. +type PathActions struct { + node pathNode +} + +// DecodeAction handlers are called by the Decoder when scanning objects. See PathActions.Add for more detail. +type DecodeAction func(d *Decoder) error + +// Add specifies an action to call on the Decoder when the specified path is encountered. +func (je *PathActions) Add(action DecodeAction, path ...interface{}) { + + var node *pathNode = &je.node + for _, ps := range path { + found := false + for i, n := range node.childNodes { + if n.matchOn == ps { + node = &node.childNodes[i] + found = true + break + } + } + if !found { + node.childNodes = append(node.childNodes, pathNode{matchOn: ps}) + node = &node.childNodes[len(node.childNodes)-1] + } + } + node.action = action +} diff --git a/vendor/github.com/go-errors/errors/.travis.yml b/vendor/github.com/go-errors/errors/.travis.yml new file mode 100644 index 0000000000..1dc296026a --- /dev/null +++ b/vendor/github.com/go-errors/errors/.travis.yml @@ -0,0 +1,7 @@ +language: go + +go: + - "1.8.x" + - "1.11.x" + - "1.16.x" + - "1.21.x" diff --git a/vendor/github.com/go-errors/errors/LICENSE.MIT b/vendor/github.com/go-errors/errors/LICENSE.MIT new file mode 100644 index 0000000000..c9a5b2eeb7 --- /dev/null +++ b/vendor/github.com/go-errors/errors/LICENSE.MIT @@ -0,0 +1,7 @@ +Copyright (c) 2015 Conrad Irwin + +Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. diff --git a/vendor/github.com/go-errors/errors/README.md b/vendor/github.com/go-errors/errors/README.md new file mode 100644 index 0000000000..558bc883ef --- /dev/null +++ b/vendor/github.com/go-errors/errors/README.md @@ -0,0 +1,84 @@ +go-errors/errors +================ + +[![Build Status](https://travis-ci.org/go-errors/errors.svg?branch=master)](https://travis-ci.org/go-errors/errors) + +Package errors adds stacktrace support to errors in go. + +This is particularly useful when you want to understand the state of execution +when an error was returned unexpectedly. + +It provides the type \*Error which implements the standard golang error +interface, so you can use this library interchangeably with code that is +expecting a normal error return. + +Usage +----- + +Full documentation is available on +[godoc](https://godoc.org/github.com/go-errors/errors), but here's a simple +example: + +```go +package crashy + +import "github.com/go-errors/errors" + +var Crashed = errors.Errorf("oh dear") + +func Crash() error { + return errors.New(Crashed) +} +``` + +This can be called as follows: + +```go +package main + +import ( + "crashy" + "fmt" + "github.com/go-errors/errors" +) + +func main() { + err := crashy.Crash() + if err != nil { + if errors.Is(err, crashy.Crashed) { + fmt.Println(err.(*errors.Error).ErrorStack()) + } else { + panic(err) + } + } +} +``` + +Meta-fu +------- + +This package was original written to allow reporting to +[Bugsnag](https://bugsnag.com/) from +[bugsnag-go](https://github.com/bugsnag/bugsnag-go), but after I found similar +packages by Facebook and Dropbox, it was moved to one canonical location so +everyone can benefit. + +This package is licensed under the MIT license, see LICENSE.MIT for details. + + +## Changelog +* v1.1.0 updated to use go1.13's standard-library errors.Is method instead of == in errors.Is +* v1.2.0 added `errors.As` from the standard library. +* v1.3.0 *BREAKING* updated error methods to return `error` instead of `*Error`. +> Code that needs access to the underlying `*Error` can use the new errors.AsError(e) +> ``` +> // before +> errors.New(err).ErrorStack() +> // after +>. errors.AsError(errors.Wrap(err)).ErrorStack() +> ``` +* v1.4.0 *BREAKING* v1.4.0 reverted all changes from v1.3.0 and is identical to v1.2.0 +* v1.4.1 no code change, but now without an unnecessary cover.out file. +* v1.4.2 performance improvement to ErrorStack() to avoid unnecessary work https://github.com/go-errors/errors/pull/40 +* v1.5.0 add errors.Join() and errors.Unwrap() copying the stdlib https://github.com/go-errors/errors/pull/40 +* v1.5.1 fix build on go1.13..go1.19 (broken by adding Join and Unwrap with wrong build constraints) diff --git a/vendor/github.com/go-errors/errors/error.go b/vendor/github.com/go-errors/errors/error.go new file mode 100644 index 0000000000..ccbc2e4272 --- /dev/null +++ b/vendor/github.com/go-errors/errors/error.go @@ -0,0 +1,209 @@ +// Package errors provides errors that have stack-traces. +// +// This is particularly useful when you want to understand the +// state of execution when an error was returned unexpectedly. +// +// It provides the type *Error which implements the standard +// golang error interface, so you can use this library interchangably +// with code that is expecting a normal error return. +// +// For example: +// +// package crashy +// +// import "github.com/go-errors/errors" +// +// var Crashed = errors.Errorf("oh dear") +// +// func Crash() error { +// return errors.New(Crashed) +// } +// +// This can be called as follows: +// +// package main +// +// import ( +// "crashy" +// "fmt" +// "github.com/go-errors/errors" +// ) +// +// func main() { +// err := crashy.Crash() +// if err != nil { +// if errors.Is(err, crashy.Crashed) { +// fmt.Println(err.(*errors.Error).ErrorStack()) +// } else { +// panic(err) +// } +// } +// } +// +// This package was original written to allow reporting to Bugsnag, +// but after I found similar packages by Facebook and Dropbox, it +// was moved to one canonical location so everyone can benefit. +package errors + +import ( + "bytes" + "fmt" + "reflect" + "runtime" +) + +// The maximum number of stackframes on any error. +var MaxStackDepth = 50 + +// Error is an error with an attached stacktrace. It can be used +// wherever the builtin error interface is expected. +type Error struct { + Err error + stack []uintptr + frames []StackFrame + prefix string +} + +// New makes an Error from the given value. If that value is already an +// error then it will be used directly, if not, it will be passed to +// fmt.Errorf("%v"). The stacktrace will point to the line of code that +// called New. +func New(e interface{}) *Error { + var err error + + switch e := e.(type) { + case error: + err = e + default: + err = fmt.Errorf("%v", e) + } + + stack := make([]uintptr, MaxStackDepth) + length := runtime.Callers(2, stack[:]) + return &Error{ + Err: err, + stack: stack[:length], + } +} + +// Wrap makes an Error from the given value. If that value is already an +// error then it will be used directly, if not, it will be passed to +// fmt.Errorf("%v"). The skip parameter indicates how far up the stack +// to start the stacktrace. 0 is from the current call, 1 from its caller, etc. +func Wrap(e interface{}, skip int) *Error { + if e == nil { + return nil + } + + var err error + + switch e := e.(type) { + case *Error: + return e + case error: + err = e + default: + err = fmt.Errorf("%v", e) + } + + stack := make([]uintptr, MaxStackDepth) + length := runtime.Callers(2+skip, stack[:]) + return &Error{ + Err: err, + stack: stack[:length], + } +} + +// WrapPrefix makes an Error from the given value. If that value is already an +// error then it will be used directly, if not, it will be passed to +// fmt.Errorf("%v"). The prefix parameter is used to add a prefix to the +// error message when calling Error(). The skip parameter indicates how far +// up the stack to start the stacktrace. 0 is from the current call, +// 1 from its caller, etc. +func WrapPrefix(e interface{}, prefix string, skip int) *Error { + if e == nil { + return nil + } + + err := Wrap(e, 1+skip) + + if err.prefix != "" { + prefix = fmt.Sprintf("%s: %s", prefix, err.prefix) + } + + return &Error{ + Err: err.Err, + stack: err.stack, + prefix: prefix, + } + +} + +// Errorf creates a new error with the given message. You can use it +// as a drop-in replacement for fmt.Errorf() to provide descriptive +// errors in return values. +func Errorf(format string, a ...interface{}) *Error { + return Wrap(fmt.Errorf(format, a...), 1) +} + +// Error returns the underlying error's message. +func (err *Error) Error() string { + + msg := err.Err.Error() + if err.prefix != "" { + msg = fmt.Sprintf("%s: %s", err.prefix, msg) + } + + return msg +} + +// Stack returns the callstack formatted the same way that go does +// in runtime/debug.Stack() +func (err *Error) Stack() []byte { + buf := bytes.Buffer{} + + for _, frame := range err.StackFrames() { + buf.WriteString(frame.String()) + } + + return buf.Bytes() +} + +// Callers satisfies the bugsnag ErrorWithCallerS() interface +// so that the stack can be read out. +func (err *Error) Callers() []uintptr { + return err.stack +} + +// ErrorStack returns a string that contains both the +// error message and the callstack. +func (err *Error) ErrorStack() string { + return err.TypeName() + " " + err.Error() + "\n" + string(err.Stack()) +} + +// StackFrames returns an array of frames containing information about the +// stack. +func (err *Error) StackFrames() []StackFrame { + if err.frames == nil { + err.frames = make([]StackFrame, len(err.stack)) + + for i, pc := range err.stack { + err.frames[i] = NewStackFrame(pc) + } + } + + return err.frames +} + +// TypeName returns the type this error. e.g. *errors.stringError. +func (err *Error) TypeName() string { + if _, ok := err.Err.(uncaughtPanic); ok { + return "panic" + } + return reflect.TypeOf(err.Err).String() +} + +// Return the wrapped error (implements api for As function). +func (err *Error) Unwrap() error { + return err.Err +} diff --git a/vendor/github.com/go-errors/errors/error_1_13.go b/vendor/github.com/go-errors/errors/error_1_13.go new file mode 100644 index 0000000000..34ab3e00eb --- /dev/null +++ b/vendor/github.com/go-errors/errors/error_1_13.go @@ -0,0 +1,35 @@ +//go:build go1.13 +// +build go1.13 + +package errors + +import ( + baseErrors "errors" +) + +// As finds the first error in err's tree that matches target, and if one is found, sets +// target to that error value and returns true. Otherwise, it returns false. +// +// For more information see stdlib errors.As. +func As(err error, target interface{}) bool { + return baseErrors.As(err, target) +} + +// Is detects whether the error is equal to a given error. Errors +// are considered equal by this function if they are matched by errors.Is +// or if their contained errors are matched through errors.Is. +func Is(e error, original error) bool { + if baseErrors.Is(e, original) { + return true + } + + if e, ok := e.(*Error); ok { + return Is(e.Err, original) + } + + if original, ok := original.(*Error); ok { + return Is(e, original.Err) + } + + return false +} diff --git a/vendor/github.com/go-errors/errors/error_backward.go b/vendor/github.com/go-errors/errors/error_backward.go new file mode 100644 index 0000000000..ff14c4bfa2 --- /dev/null +++ b/vendor/github.com/go-errors/errors/error_backward.go @@ -0,0 +1,125 @@ +//go:build !go1.13 +// +build !go1.13 + +package errors + +import ( + "reflect" +) + +type unwrapper interface { + Unwrap() error +} + +// As assigns error or any wrapped error to the value target points +// to. If there is no value of the target type of target As returns +// false. +func As(err error, target interface{}) bool { + targetType := reflect.TypeOf(target) + + for { + errType := reflect.TypeOf(err) + + if errType == nil { + return false + } + + if reflect.PtrTo(errType) == targetType { + reflect.ValueOf(target).Elem().Set(reflect.ValueOf(err)) + return true + } + + wrapped, ok := err.(unwrapper) + if ok { + err = wrapped.Unwrap() + } else { + return false + } + } +} + +// Is detects whether the error is equal to a given error. Errors +// are considered equal by this function if they are the same object, +// or if they both contain the same error inside an errors.Error. +func Is(e error, original error) bool { + if e == original { + return true + } + + if e, ok := e.(*Error); ok { + return Is(e.Err, original) + } + + if original, ok := original.(*Error); ok { + return Is(e, original.Err) + } + + return false +} + +// Disclaimer: functions Join and Unwrap are copied from the stdlib errors +// package v1.21.0. + +// Join returns an error that wraps the given errors. +// Any nil error values are discarded. +// Join returns nil if every value in errs is nil. +// The error formats as the concatenation of the strings obtained +// by calling the Error method of each element of errs, with a newline +// between each string. +// +// A non-nil error returned by Join implements the Unwrap() []error method. +func Join(errs ...error) error { + n := 0 + for _, err := range errs { + if err != nil { + n++ + } + } + if n == 0 { + return nil + } + e := &joinError{ + errs: make([]error, 0, n), + } + for _, err := range errs { + if err != nil { + e.errs = append(e.errs, err) + } + } + return e +} + +type joinError struct { + errs []error +} + +func (e *joinError) Error() string { + var b []byte + for i, err := range e.errs { + if i > 0 { + b = append(b, '\n') + } + b = append(b, err.Error()...) + } + return string(b) +} + +func (e *joinError) Unwrap() []error { + return e.errs +} + +// Unwrap returns the result of calling the Unwrap method on err, if err's +// type contains an Unwrap method returning error. +// Otherwise, Unwrap returns nil. +// +// Unwrap only calls a method of the form "Unwrap() error". +// In particular Unwrap does not unwrap errors returned by [Join]. +func Unwrap(err error) error { + u, ok := err.(interface { + Unwrap() error + }) + if !ok { + return nil + } + return u.Unwrap() +} diff --git a/vendor/github.com/go-errors/errors/join_unwrap_1_20.go b/vendor/github.com/go-errors/errors/join_unwrap_1_20.go new file mode 100644 index 0000000000..44df35ece9 --- /dev/null +++ b/vendor/github.com/go-errors/errors/join_unwrap_1_20.go @@ -0,0 +1,32 @@ +//go:build go1.20 +// +build go1.20 + +package errors + +import baseErrors "errors" + +// Join returns an error that wraps the given errors. +// Any nil error values are discarded. +// Join returns nil if every value in errs is nil. +// The error formats as the concatenation of the strings obtained +// by calling the Error method of each element of errs, with a newline +// between each string. +// +// A non-nil error returned by Join implements the Unwrap() []error method. +// +// For more information see stdlib errors.Join. +func Join(errs ...error) error { + return baseErrors.Join(errs...) +} + +// Unwrap returns the result of calling the Unwrap method on err, if err's +// type contains an Unwrap method returning error. +// Otherwise, Unwrap returns nil. +// +// Unwrap only calls a method of the form "Unwrap() error". +// In particular Unwrap does not unwrap errors returned by [Join]. +// +// For more information see stdlib errors.Unwrap. +func Unwrap(err error) error { + return baseErrors.Unwrap(err) +} diff --git a/vendor/github.com/go-errors/errors/join_unwrap_backward.go b/vendor/github.com/go-errors/errors/join_unwrap_backward.go new file mode 100644 index 0000000000..50c766976c --- /dev/null +++ b/vendor/github.com/go-errors/errors/join_unwrap_backward.go @@ -0,0 +1,71 @@ +//go:build !go1.20 +// +build !go1.20 + +package errors + +// Disclaimer: functions Join and Unwrap are copied from the stdlib errors +// package v1.21.0. + +// Join returns an error that wraps the given errors. +// Any nil error values are discarded. +// Join returns nil if every value in errs is nil. +// The error formats as the concatenation of the strings obtained +// by calling the Error method of each element of errs, with a newline +// between each string. +// +// A non-nil error returned by Join implements the Unwrap() []error method. +func Join(errs ...error) error { + n := 0 + for _, err := range errs { + if err != nil { + n++ + } + } + if n == 0 { + return nil + } + e := &joinError{ + errs: make([]error, 0, n), + } + for _, err := range errs { + if err != nil { + e.errs = append(e.errs, err) + } + } + return e +} + +type joinError struct { + errs []error +} + +func (e *joinError) Error() string { + var b []byte + for i, err := range e.errs { + if i > 0 { + b = append(b, '\n') + } + b = append(b, err.Error()...) + } + return string(b) +} + +func (e *joinError) Unwrap() []error { + return e.errs +} + +// Unwrap returns the result of calling the Unwrap method on err, if err's +// type contains an Unwrap method returning error. +// Otherwise, Unwrap returns nil. +// +// Unwrap only calls a method of the form "Unwrap() error". +// In particular Unwrap does not unwrap errors returned by [Join]. +func Unwrap(err error) error { + u, ok := err.(interface { + Unwrap() error + }) + if !ok { + return nil + } + return u.Unwrap() +} diff --git a/vendor/github.com/go-errors/errors/parse_panic.go b/vendor/github.com/go-errors/errors/parse_panic.go new file mode 100644 index 0000000000..cc37052d78 --- /dev/null +++ b/vendor/github.com/go-errors/errors/parse_panic.go @@ -0,0 +1,127 @@ +package errors + +import ( + "strconv" + "strings" +) + +type uncaughtPanic struct{ message string } + +func (p uncaughtPanic) Error() string { + return p.message +} + +// ParsePanic allows you to get an error object from the output of a go program +// that panicked. This is particularly useful with https://github.com/mitchellh/panicwrap. +func ParsePanic(text string) (*Error, error) { + lines := strings.Split(text, "\n") + + state := "start" + + var message string + var stack []StackFrame + + for i := 0; i < len(lines); i++ { + line := lines[i] + + if state == "start" { + if strings.HasPrefix(line, "panic: ") { + message = strings.TrimPrefix(line, "panic: ") + state = "seek" + } else { + return nil, Errorf("bugsnag.panicParser: Invalid line (no prefix): %s", line) + } + + } else if state == "seek" { + if strings.HasPrefix(line, "goroutine ") && strings.HasSuffix(line, "[running]:") { + state = "parsing" + } + + } else if state == "parsing" { + if line == "" { + state = "done" + break + } + createdBy := false + if strings.HasPrefix(line, "created by ") { + line = strings.TrimPrefix(line, "created by ") + createdBy = true + } + + i++ + + if i >= len(lines) { + return nil, Errorf("bugsnag.panicParser: Invalid line (unpaired): %s", line) + } + + frame, err := parsePanicFrame(line, lines[i], createdBy) + if err != nil { + return nil, err + } + + stack = append(stack, *frame) + if createdBy { + state = "done" + break + } + } + } + + if state == "done" || state == "parsing" { + return &Error{Err: uncaughtPanic{message}, frames: stack}, nil + } + return nil, Errorf("could not parse panic: %v", text) +} + +// The lines we're passing look like this: +// +// main.(*foo).destruct(0xc208067e98) +// /0/go/src/github.com/bugsnag/bugsnag-go/pan/main.go:22 +0x151 +func parsePanicFrame(name string, line string, createdBy bool) (*StackFrame, error) { + idx := strings.LastIndex(name, "(") + if idx == -1 && !createdBy { + return nil, Errorf("bugsnag.panicParser: Invalid line (no call): %s", name) + } + if idx != -1 { + name = name[:idx] + } + pkg := "" + + if lastslash := strings.LastIndex(name, "/"); lastslash >= 0 { + pkg += name[:lastslash] + "/" + name = name[lastslash+1:] + } + if period := strings.Index(name, "."); period >= 0 { + pkg += name[:period] + name = name[period+1:] + } + + name = strings.Replace(name, "·", ".", -1) + + if !strings.HasPrefix(line, "\t") { + return nil, Errorf("bugsnag.panicParser: Invalid line (no tab): %s", line) + } + + idx = strings.LastIndex(line, ":") + if idx == -1 { + return nil, Errorf("bugsnag.panicParser: Invalid line (no line number): %s", line) + } + file := line[1:idx] + + number := line[idx+1:] + if idx = strings.Index(number, " +"); idx > -1 { + number = number[:idx] + } + + lno, err := strconv.ParseInt(number, 10, 32) + if err != nil { + return nil, Errorf("bugsnag.panicParser: Invalid line (bad line number): %s", line) + } + + return &StackFrame{ + File: file, + LineNumber: int(lno), + Package: pkg, + Name: name, + }, nil +} diff --git a/vendor/github.com/go-errors/errors/stackframe.go b/vendor/github.com/go-errors/errors/stackframe.go new file mode 100644 index 0000000000..ef4a8b3f3b --- /dev/null +++ b/vendor/github.com/go-errors/errors/stackframe.go @@ -0,0 +1,122 @@ +package errors + +import ( + "bufio" + "bytes" + "fmt" + "os" + "runtime" + "strings" +) + +// A StackFrame contains all necessary information about to generate a line +// in a callstack. +type StackFrame struct { + // The path to the file containing this ProgramCounter + File string + // The LineNumber in that file + LineNumber int + // The Name of the function that contains this ProgramCounter + Name string + // The Package that contains this function + Package string + // The underlying ProgramCounter + ProgramCounter uintptr +} + +// NewStackFrame popoulates a stack frame object from the program counter. +func NewStackFrame(pc uintptr) (frame StackFrame) { + + frame = StackFrame{ProgramCounter: pc} + if frame.Func() == nil { + return + } + frame.Package, frame.Name = packageAndName(frame.Func()) + + // pc -1 because the program counters we use are usually return addresses, + // and we want to show the line that corresponds to the function call + frame.File, frame.LineNumber = frame.Func().FileLine(pc - 1) + return + +} + +// Func returns the function that contained this frame. +func (frame *StackFrame) Func() *runtime.Func { + if frame.ProgramCounter == 0 { + return nil + } + return runtime.FuncForPC(frame.ProgramCounter) +} + +// String returns the stackframe formatted in the same way as go does +// in runtime/debug.Stack() +func (frame *StackFrame) String() string { + str := fmt.Sprintf("%s:%d (0x%x)\n", frame.File, frame.LineNumber, frame.ProgramCounter) + + source, err := frame.sourceLine() + if err != nil { + return str + } + + return str + fmt.Sprintf("\t%s: %s\n", frame.Name, source) +} + +// SourceLine gets the line of code (from File and Line) of the original source if possible. +func (frame *StackFrame) SourceLine() (string, error) { + source, err := frame.sourceLine() + if err != nil { + return source, New(err) + } + return source, err +} + +func (frame *StackFrame) sourceLine() (string, error) { + if frame.LineNumber <= 0 { + return "???", nil + } + + file, err := os.Open(frame.File) + if err != nil { + return "", err + } + defer file.Close() + + scanner := bufio.NewScanner(file) + currentLine := 1 + for scanner.Scan() { + if currentLine == frame.LineNumber { + return string(bytes.Trim(scanner.Bytes(), " \t")), nil + } + currentLine++ + } + if err := scanner.Err(); err != nil { + return "", err + } + + return "???", nil +} + +func packageAndName(fn *runtime.Func) (string, string) { + name := fn.Name() + pkg := "" + + // The name includes the path name to the package, which is unnecessary + // since the file name is already included. Plus, it has center dots. + // That is, we see + // runtime/debug.*T·ptrmethod + // and want + // *T.ptrmethod + // Since the package path might contains dots (e.g. code.google.com/...), + // we first remove the path prefix if there is one. + if lastslash := strings.LastIndex(name, "/"); lastslash >= 0 { + pkg += name[:lastslash] + "/" + name = name[lastslash+1:] + } + if period := strings.Index(name, "."); period >= 0 { + pkg += name[:period] + name = name[period+1:] + } + + name = strings.Replace(name, "·", ".", -1) + return pkg, name +} diff --git a/vendor/github.com/go-gorp/gorp/v3/.gitignore b/vendor/github.com/go-gorp/gorp/v3/.gitignore new file mode 100644 index 0000000000..a96e5fec57 --- /dev/null +++ b/vendor/github.com/go-gorp/gorp/v3/.gitignore @@ -0,0 +1,11 @@ +_test +*.test +_testmain.go +_obj +*~ +*.6 +6.out +gorptest.bin +tmp +.idea +coverage.out diff --git a/vendor/github.com/go-gorp/gorp/v3/.travis.yml b/vendor/github.com/go-gorp/gorp/v3/.travis.yml new file mode 100644 index 0000000000..958d260ace --- /dev/null +++ b/vendor/github.com/go-gorp/gorp/v3/.travis.yml @@ -0,0 +1,36 @@ +language: go +go: +- "1.15.x" +- "1.16.x" +- tip + +matrix: + allow_failures: + - go: tip + +services: +- mysql +- postgresql +- sqlite3 + +env: + global: + - secure: RriLxF6+2yMl67hdVv8ImXlu0h62mhcpqjaOgYNU+IEbUQ7hx96CKY6gkpYubW3BgApvF5RH6j3+HKvh2kGp0XhDOYOQCODfBSaSipZ5Aa5RKjsEYLtuVIobvJ80awR9hUeql69+WXs0/s72WThG0qTbOUY4pqHWfteeY235hWM= + +install: + - go get -t -d + - go get -t -d -tags integration + +before_script: +- mysql -e "CREATE DATABASE gorptest;" +- mysql -u root -e "GRANT ALL ON gorptest.* TO gorptest@localhost IDENTIFIED BY 'gorptest'" +- psql -c "CREATE DATABASE gorptest;" -U postgres +- psql -c "CREATE USER "gorptest" WITH SUPERUSER PASSWORD 'gorptest';" -U postgres +- go get github.com/lib/pq +- go get github.com/mattn/go-sqlite3 +- go get github.com/ziutek/mymysql/godrv +- go get github.com/go-sql-driver/mysql +- go get golang.org/x/tools/cmd/cover +- go get github.com/mattn/goveralls + +script: ./test_all.sh diff --git a/vendor/github.com/go-gorp/gorp/v3/CONTRIBUTING.md b/vendor/github.com/go-gorp/gorp/v3/CONTRIBUTING.md new file mode 100644 index 0000000000..7bc145fd7c --- /dev/null +++ b/vendor/github.com/go-gorp/gorp/v3/CONTRIBUTING.md @@ -0,0 +1,34 @@ +# Contributions are very welcome! + +## First: Create an Issue + +Even if your fix is simple, we'd like to have an issue to relate to +the PR. Discussion about the architecture and value can go on the +issue, leaving PR comments exclusively for coding style. + +## Second: Make Your PR + +- Fork the `master` branch +- Make your change +- Make a PR against the `master` branch + +You don't need to wait for comments on the issue before making your +PR. If you do wait for comments, you'll have a better chance of +getting your PR accepted the first time around, but it's not +necessary. + +## Third: Be Patient + +- If your change breaks backward compatibility, this becomes + especially true. + +We all have lives and jobs, and many of us are no longer on projects +that make use of `gorp`. We will get back to you, but it might take a +while. + +## Fourth: Consider Becoming a Maintainer + +We really do need help. We will likely ask you for help after a good +PR, but if we don't, please create an issue requesting maintainership. +Considering how few of us are currently active, we are unlikely to +refuse good help. diff --git a/vendor/github.com/go-gorp/gorp/v3/LICENSE b/vendor/github.com/go-gorp/gorp/v3/LICENSE new file mode 100644 index 0000000000..b661111d0a --- /dev/null +++ b/vendor/github.com/go-gorp/gorp/v3/LICENSE @@ -0,0 +1,22 @@ +(The MIT License) + +Copyright (c) 2012 James Cooper + +Permission is hereby granted, free of charge, to any person obtaining +a copy of this software and associated documentation files (the +'Software'), to deal in the Software without restriction, including +without limitation the rights to use, copy, modify, merge, publish, +distribute, sublicense, and/or sell copies of the Software, and to +permit persons to whom the Software is furnished to do so, subject to +the following conditions: + +The above copyright notice and this permission notice shall be +included in all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND, +EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. +IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY +CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, +TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE +SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. diff --git a/vendor/github.com/go-gorp/gorp/v3/README.md b/vendor/github.com/go-gorp/gorp/v3/README.md new file mode 100644 index 0000000000..983fe4343b --- /dev/null +++ b/vendor/github.com/go-gorp/gorp/v3/README.md @@ -0,0 +1,809 @@ +# Go Relational Persistence + +[![build status](https://github.com/go-gorp/gorp/actions/workflows/go.yml/badge.svg)](https://github.com/go-gorp/gorp/actions) +[![issues](https://img.shields.io/github/issues/go-gorp/gorp.svg)](https://github.com/go-gorp/gorp/issues) +[![Go Reference](https://pkg.go.dev/badge/github.com/go-gorp/gorp/v3.svg)](https://pkg.go.dev/github.com/go-gorp/gorp/v3) + +### Update 2016-11-13: Future versions + +As many of the maintainers have become busy with other projects, +progress toward the ever-elusive v2 has slowed to the point that we're +only occasionally making progress outside of merging pull requests. +In the interest of continuing to release, I'd like to lean toward a +more maintainable path forward. + +For the moment, I am releasing a v2 tag with the current feature set +from master, as some of those features have been actively used and +relied on by more than one project. Our next goal is to continue +cleaning up the code base with non-breaking changes as much as +possible, but if/when a breaking change is needed, we'll just release +new versions. This allows us to continue development at whatever pace +we're capable of, without delaying the release of features or refusing +PRs. + +## Introduction + +I hesitate to call gorp an ORM. Go doesn't really have objects, at +least not in the classic Smalltalk/Java sense. There goes the "O". +gorp doesn't know anything about the relationships between your +structs (at least not yet). So the "R" is questionable too (but I use +it in the name because, well, it seemed more clever). + +The "M" is alive and well. Given some Go structs and a database, gorp +should remove a fair amount of boilerplate busy-work from your code. + +I hope that gorp saves you time, minimizes the drudgery of getting +data in and out of your database, and helps your code focus on +algorithms, not infrastructure. + +* Bind struct fields to table columns via API or tag +* Support for embedded structs +* Support for transactions +* Forward engineer db schema from structs (great for unit tests) +* Pre/post insert/update/delete hooks +* Automatically generate insert/update/delete statements for a struct +* Automatic binding of auto increment PKs back to struct after insert +* Delete by primary key(s) +* Select by primary key(s) +* Optional trace sql logging +* Bind arbitrary SQL queries to a struct +* Bind slice to SELECT query results without type assertions +* Use positional or named bind parameters in custom SELECT queries +* Optional optimistic locking using a version column (for + update/deletes) + +## Installation + +Use `go get` or your favorite vendoring tool, using whichever import +path you'd like. + +## Versioning + +We use semantic version tags. Feel free to import through `gopkg.in` +(e.g. `gopkg.in/gorp.v2`) to get the latest tag for a major version, +or check out the tag using your favorite vendoring tool. + +Development is not very active right now, but we have plans to +restructure `gorp` as we continue to move toward a more extensible +system. Whenever a breaking change is needed, the major version will +be bumped. + +The `master` branch is where all development is done, and breaking +changes may happen from time to time. That said, if you want to live +on the bleeding edge and are comfortable updating your code when we +make a breaking change, you may use `github.com/go-gorp/gorp` as your +import path. + +Check the version tags to see what's available. We'll make a good +faith effort to add badges for new versions, but we make no +guarantees. + +## Supported Go versions + +This package is guaranteed to be compatible with the latest 2 major +versions of Go. + +Any earlier versions are only supported on a best effort basis and can +be dropped any time. Go has a great compatibility promise. Upgrading +your program to a newer version of Go should never really be a +problem. + +## Migration guide + +#### Pre-v2 to v2 +Automatic mapping of the version column used in optimistic locking has +been removed as it could cause problems if the type was not int. The +version column must now explicitly be set with +`tablemap.SetVersionCol()`. + +## Help/Support + +Use our [`gitter` channel](https://gitter.im/go-gorp/gorp). We used +to use IRC, but with most of us being pulled in many directions, we +often need the email notifications from `gitter` to yell at us to sign +in. + +## Quickstart + +```go +package main + +import ( + "database/sql" + "gopkg.in/gorp.v1" + _ "github.com/mattn/go-sqlite3" + "log" + "time" +) + +func main() { + // initialize the DbMap + dbmap := initDb() + defer dbmap.Db.Close() + + // delete any existing rows + err := dbmap.TruncateTables() + checkErr(err, "TruncateTables failed") + + // create two posts + p1 := newPost("Go 1.1 released!", "Lorem ipsum lorem ipsum") + p2 := newPost("Go 1.2 released!", "Lorem ipsum lorem ipsum") + + // insert rows - auto increment PKs will be set properly after the insert + err = dbmap.Insert(&p1, &p2) + checkErr(err, "Insert failed") + + // use convenience SelectInt + count, err := dbmap.SelectInt("select count(*) from posts") + checkErr(err, "select count(*) failed") + log.Println("Rows after inserting:", count) + + // update a row + p2.Title = "Go 1.2 is better than ever" + count, err = dbmap.Update(&p2) + checkErr(err, "Update failed") + log.Println("Rows updated:", count) + + // fetch one row - note use of "post_id" instead of "Id" since column is aliased + // + // Postgres users should use $1 instead of ? placeholders + // See 'Known Issues' below + // + err = dbmap.SelectOne(&p2, "select * from posts where post_id=?", p2.Id) + checkErr(err, "SelectOne failed") + log.Println("p2 row:", p2) + + // fetch all rows + var posts []Post + _, err = dbmap.Select(&posts, "select * from posts order by post_id") + checkErr(err, "Select failed") + log.Println("All rows:") + for x, p := range posts { + log.Printf(" %d: %v\n", x, p) + } + + // delete row by PK + count, err = dbmap.Delete(&p1) + checkErr(err, "Delete failed") + log.Println("Rows deleted:", count) + + // delete row manually via Exec + _, err = dbmap.Exec("delete from posts where post_id=?", p2.Id) + checkErr(err, "Exec failed") + + // confirm count is zero + count, err = dbmap.SelectInt("select count(*) from posts") + checkErr(err, "select count(*) failed") + log.Println("Row count - should be zero:", count) + + log.Println("Done!") +} + +type Post struct { + // db tag lets you specify the column name if it differs from the struct field + Id int64 `db:"post_id"` + Created int64 + Title string `db:",size:50"` // Column size set to 50 + Body string `db:"article_body,size:1024"` // Set both column name and size +} + +func newPost(title, body string) Post { + return Post{ + Created: time.Now().UnixNano(), + Title: title, + Body: body, + } +} + +func initDb() *gorp.DbMap { + // connect to db using standard Go database/sql API + // use whatever database/sql driver you wish + db, err := sql.Open("sqlite3", "/tmp/post_db.bin") + checkErr(err, "sql.Open failed") + + // construct a gorp DbMap + dbmap := &gorp.DbMap{Db: db, Dialect: gorp.SqliteDialect{}} + + // add a table, setting the table name to 'posts' and + // specifying that the Id property is an auto incrementing PK + dbmap.AddTableWithName(Post{}, "posts").SetKeys(true, "Id") + + // create the table. in a production system you'd generally + // use a migration tool, or create the tables via scripts + err = dbmap.CreateTablesIfNotExists() + checkErr(err, "Create tables failed") + + return dbmap +} + +func checkErr(err error, msg string) { + if err != nil { + log.Fatalln(msg, err) + } +} +``` + +## Examples + +### Mapping structs to tables + +First define some types: + +```go +type Invoice struct { + Id int64 + Created int64 + Updated int64 + Memo string + PersonId int64 +} + +type Person struct { + Id int64 + Created int64 + Updated int64 + FName string + LName string +} + +// Example of using tags to alias fields to column names +// The 'db' value is the column name +// +// A hyphen will cause gorp to skip this field, similar to the +// Go json package. +// +// This is equivalent to using the ColMap methods: +// +// table := dbmap.AddTableWithName(Product{}, "product") +// table.ColMap("Id").Rename("product_id") +// table.ColMap("Price").Rename("unit_price") +// table.ColMap("IgnoreMe").SetTransient(true) +// +// You can optionally declare the field to be a primary key and/or autoincrement +// +type Product struct { + Id int64 `db:"product_id, primarykey, autoincrement"` + Price int64 `db:"unit_price"` + IgnoreMe string `db:"-"` +} +``` + +Then create a mapper, typically you'd do this one time at app startup: + +```go +// connect to db using standard Go database/sql API +// use whatever database/sql driver you wish +db, err := sql.Open("mymysql", "tcp:localhost:3306*mydb/myuser/mypassword") + +// construct a gorp DbMap +dbmap := &gorp.DbMap{Db: db, Dialect: gorp.MySQLDialect{"InnoDB", "UTF8"}} + +// register the structs you wish to use with gorp +// you can also use the shorter dbmap.AddTable() if you +// don't want to override the table name +// +// SetKeys(true) means we have a auto increment primary key, which +// will get automatically bound to your struct post-insert +// +t1 := dbmap.AddTableWithName(Invoice{}, "invoice_test").SetKeys(true, "Id") +t2 := dbmap.AddTableWithName(Person{}, "person_test").SetKeys(true, "Id") +t3 := dbmap.AddTableWithName(Product{}, "product_test").SetKeys(true, "Id") +``` + +### Struct Embedding + +gorp supports embedding structs. For example: + +```go +type Names struct { + FirstName string + LastName string +} + +type WithEmbeddedStruct struct { + Id int64 + Names +} + +es := &WithEmbeddedStruct{-1, Names{FirstName: "Alice", LastName: "Smith"}} +err := dbmap.Insert(es) +``` + +See the `TestWithEmbeddedStruct` function in `gorp_test.go` for a full example. + +### Create/Drop Tables ### + +Automatically create / drop registered tables. This is useful for unit tests +but is entirely optional. You can of course use gorp with tables created manually, +or with a separate migration tool (like [sql-migrate](https://github.com/rubenv/sql-migrate), [goose](https://bitbucket.org/liamstask/goose) or [migrate](https://github.com/mattes/migrate)). + +```go +// create all registered tables +dbmap.CreateTables() + +// same as above, but uses "if not exists" clause to skip tables that are +// already defined +dbmap.CreateTablesIfNotExists() + +// drop +dbmap.DropTables() +``` + +### SQL Logging + +Optionally you can pass in a logger to trace all SQL statements. +I recommend enabling this initially while you're getting the feel for what +gorp is doing on your behalf. + +Gorp defines a `GorpLogger` interface that Go's built in `log.Logger` satisfies. +However, you can write your own `GorpLogger` implementation, or use a package such +as `glog` if you want more control over how statements are logged. + +```go +// Will log all SQL statements + args as they are run +// The first arg is a string prefix to prepend to all log messages +dbmap.TraceOn("[gorp]", log.New(os.Stdout, "myapp:", log.Lmicroseconds)) + +// Turn off tracing +dbmap.TraceOff() +``` + +### Insert + +```go +// Must declare as pointers so optional callback hooks +// can operate on your data, not copies +inv1 := &Invoice{0, 100, 200, "first order", 0} +inv2 := &Invoice{0, 100, 200, "second order", 0} + +// Insert your rows +err := dbmap.Insert(inv1, inv2) + +// Because we called SetKeys(true) on Invoice, the Id field +// will be populated after the Insert() automatically +fmt.Printf("inv1.Id=%d inv2.Id=%d\n", inv1.Id, inv2.Id) +``` + +### Update + +Continuing the above example, use the `Update` method to modify an Invoice: + +```go +// count is the # of rows updated, which should be 1 in this example +count, err := dbmap.Update(inv1) +``` + +### Delete + +If you have primary key(s) defined for a struct, you can use the `Delete` +method to remove rows: + +```go +count, err := dbmap.Delete(inv1) +``` + +### Select by Key + +Use the `Get` method to fetch a single row by primary key. It returns +nil if no row is found. + +```go +// fetch Invoice with Id=99 +obj, err := dbmap.Get(Invoice{}, 99) +inv := obj.(*Invoice) +``` + +### Ad Hoc SQL + +#### SELECT + +`Select()` and `SelectOne()` provide a simple way to bind arbitrary queries to a slice +or a single struct. + +```go +// Select a slice - first return value is not needed when a slice pointer is passed to Select() +var posts []Post +_, err := dbmap.Select(&posts, "select * from post order by id") + +// You can also use primitive types +var ids []string +_, err := dbmap.Select(&ids, "select id from post") + +// Select a single row. +// Returns an error if no row found, or if more than one row is found +var post Post +err := dbmap.SelectOne(&post, "select * from post where id=?", id) +``` + +Want to do joins? Just write the SQL and the struct. gorp will bind them: + +```go +// Define a type for your join +// It *must* contain all the columns in your SELECT statement +// +// The names here should match the aliased column names you specify +// in your SQL - no additional binding work required. simple. +// +type InvoicePersonView struct { + InvoiceId int64 + PersonId int64 + Memo string + FName string +} + +// Create some rows +p1 := &Person{0, 0, 0, "bob", "smith"} +err = dbmap.Insert(p1) +checkErr(err, "Insert failed") + +// notice how we can wire up p1.Id to the invoice easily +inv1 := &Invoice{0, 0, 0, "xmas order", p1.Id} +err = dbmap.Insert(inv1) +checkErr(err, "Insert failed") + +// Run your query +query := "select i.Id InvoiceId, p.Id PersonId, i.Memo, p.FName " + + "from invoice_test i, person_test p " + + "where i.PersonId = p.Id" + +// pass a slice to Select() +var list []InvoicePersonView +_, err := dbmap.Select(&list, query) + +// this should test true +expected := InvoicePersonView{inv1.Id, p1.Id, inv1.Memo, p1.FName} +if reflect.DeepEqual(list[0], expected) { + fmt.Println("Woot! My join worked!") +} +``` + +#### SELECT string or int64 + +gorp provides a few convenience methods for selecting a single string or int64. + +```go +// select single int64 from db (use $1 instead of ? for postgresql) +i64, err := dbmap.SelectInt("select count(*) from foo where blah=?", blahVal) + +// select single string from db: +s, err := dbmap.SelectStr("select name from foo where blah=?", blahVal) + +``` + +#### Named bind parameters + +You may use a map or struct to bind parameters by name. This is currently +only supported in SELECT queries. + +```go +_, err := dbm.Select(&dest, "select * from Foo where name = :name and age = :age", map[string]interface{}{ + "name": "Rob", + "age": 31, +}) +``` + +#### UPDATE / DELETE + +You can execute raw SQL if you wish. Particularly good for batch operations. + +```go +res, err := dbmap.Exec("delete from invoice_test where PersonId=?", 10) +``` + +### Transactions + +You can batch operations into a transaction: + +```go +func InsertInv(dbmap *DbMap, inv *Invoice, per *Person) error { + // Start a new transaction + trans, err := dbmap.Begin() + if err != nil { + return err + } + + err = trans.Insert(per) + checkErr(err, "Insert failed") + + inv.PersonId = per.Id + err = trans.Insert(inv) + checkErr(err, "Insert failed") + + // if the commit is successful, a nil error is returned + return trans.Commit() +} +``` + +### Hooks + +Use hooks to update data before/after saving to the db. Good for timestamps: + +```go +// implement the PreInsert and PreUpdate hooks +func (i *Invoice) PreInsert(s gorp.SqlExecutor) error { + i.Created = time.Now().UnixNano() + i.Updated = i.Created + return nil +} + +func (i *Invoice) PreUpdate(s gorp.SqlExecutor) error { + i.Updated = time.Now().UnixNano() + return nil +} + +// You can use the SqlExecutor to cascade additional SQL +// Take care to avoid cycles. gorp won't prevent them. +// +// Here's an example of a cascading delete +// +func (p *Person) PreDelete(s gorp.SqlExecutor) error { + query := "delete from invoice_test where PersonId=?" + + _, err := s.Exec(query, p.Id) + + if err != nil { + return err + } + return nil +} +``` + +Full list of hooks that you can implement: + + PostGet + PreInsert + PostInsert + PreUpdate + PostUpdate + PreDelete + PostDelete + + All have the same signature. for example: + + func (p *MyStruct) PostUpdate(s gorp.SqlExecutor) error + +### Optimistic Locking + +#### Note that this behaviour has changed in v2. See [Migration Guide](#migration-guide). + +gorp provides a simple optimistic locking feature, similar to Java's +JPA, that will raise an error if you try to update/delete a row whose +`version` column has a value different than the one in memory. This +provides a safe way to do "select then update" style operations +without explicit read and write locks. + +```go +// Version is an auto-incremented number, managed by gorp +// If this property is present on your struct, update +// operations will be constrained +// +// For example, say we defined Person as: + +type Person struct { + Id int64 + Created int64 + Updated int64 + FName string + LName string + + // automatically used as the Version col + // use table.SetVersionCol("columnName") to map a different + // struct field as the version field + Version int64 +} + +p1 := &Person{0, 0, 0, "Bob", "Smith", 0} +err = dbmap.Insert(p1) // Version is now 1 +checkErr(err, "Insert failed") + +obj, err := dbmap.Get(Person{}, p1.Id) +p2 := obj.(*Person) +p2.LName = "Edwards" +_,err = dbmap.Update(p2) // Version is now 2 +checkErr(err, "Update failed") + +p1.LName = "Howard" + +// Raises error because p1.Version == 1, which is out of date +count, err := dbmap.Update(p1) +_, ok := err.(gorp.OptimisticLockError) +if ok { + // should reach this statement + + // in a real app you might reload the row and retry, or + // you might propegate this to the user, depending on the desired + // semantics + fmt.Printf("Tried to update row with stale data: %v\n", err) +} else { + // some other db error occurred - log or return up the stack + fmt.Printf("Unknown db err: %v\n", err) +} +``` +### Adding INDEX(es) on column(s) beyond the primary key ### + +Indexes are frequently critical for performance. Here is how to add +them to your tables. + +NB: SqlServer and Oracle need testing and possible adjustment to the +CreateIndexSuffix() and DropIndexSuffix() methods to make AddIndex() +work for them. + +In the example below we put an index both on the Id field, and on the +AcctId field. + +``` +type Account struct { + Id int64 + AcctId string // e.g. this might be a long uuid for portability +} + +// indexType (the 2nd param to AddIndex call) is "Btree" or "Hash" for MySQL. +// demonstrate adding a second index on AcctId, and constrain that field to have unique values. +dbm.AddTable(iptab.Account{}).SetKeys(true, "Id").AddIndex("AcctIdIndex", "Btree", []string{"AcctId"}).SetUnique(true) + +err = dbm.CreateTablesIfNotExists() +checkErr(err, "CreateTablesIfNotExists failed") + +err = dbm.CreateIndex() +checkErr(err, "CreateIndex failed") + +``` +Check the effect of the CreateIndex() call in mysql: +``` +$ mysql + +MariaDB [test]> show create table Account; ++---------+--------------------------+ +| Account | CREATE TABLE `Account` ( + `Id` bigint(20) NOT NULL AUTO_INCREMENT, + `AcctId` varchar(255) DEFAULT NULL, + PRIMARY KEY (`Id`), + UNIQUE KEY `AcctIdIndex` (`AcctId`) USING BTREE <<<--- yes! index added. +) ENGINE=InnoDB DEFAULT CHARSET=utf8 ++---------+--------------------------+ + +``` + + +## Database Drivers + +gorp uses the Go 1 `database/sql` package. A full list of compliant +drivers is available here: + +http://code.google.com/p/go-wiki/wiki/SQLDrivers + +Sadly, SQL databases differ on various issues. gorp provides a Dialect +interface that should be implemented per database vendor. Dialects +are provided for: + +* MySQL +* PostgreSQL +* sqlite3 + +Each of these three databases pass the test suite. See `gorp_test.go` +for example DSNs for these three databases. + +Support is also provided for: + +* Oracle (contributed by @klaidliadon) +* SQL Server (contributed by @qrawl) - use driver: + github.com/denisenkom/go-mssqldb + +Note that these databases are not covered by CI and I (@coopernurse) +have no good way to test them locally. So please try them and send +patches as needed, but expect a bit more unpredicability. + +## Sqlite3 Extensions + +In order to use sqlite3 extensions you need to first register a custom driver: + +```go +import ( + "database/sql" + + // use whatever database/sql driver you wish + sqlite "github.com/mattn/go-sqlite3" +) + +func customDriver() (*sql.DB, error) { + + // create custom driver with extensions defined + sql.Register("sqlite3-custom", &sqlite.SQLiteDriver{ + Extensions: []string{ + "mod_spatialite", + }, + }) + + // now you can then connect using the 'sqlite3-custom' driver instead of 'sqlite3' + return sql.Open("sqlite3-custom", "/tmp/post_db.bin") +} +``` + +## Known Issues + +### SQL placeholder portability + +Different databases use different strings to indicate variable +placeholders in prepared SQL statements. Unlike some database +abstraction layers (such as JDBC), Go's `database/sql` does not +standardize this. + +SQL generated by gorp in the `Insert`, `Update`, `Delete`, and `Get` +methods delegates to a Dialect implementation for each database, and +will generate portable SQL. + +Raw SQL strings passed to `Exec`, `Select`, `SelectOne`, `SelectInt`, +etc will not be parsed. Consequently you may have portability issues +if you write a query like this: + +```go +// works on MySQL and Sqlite3, but not with Postgresql err := +dbmap.SelectOne(&val, "select * from foo where id = ?", 30) +``` + +In `Select` and `SelectOne` you can use named parameters to work +around this. The following is portable: + +```go +err := dbmap.SelectOne(&val, "select * from foo where id = :id", +map[string]interface{} { "id": 30}) +``` + +Additionally, when using Postgres as your database, you should utilize +`$1` instead of `?` placeholders as utilizing `?` placeholders when +querying Postgres will result in `pq: operator does not exist` +errors. Alternatively, use `dbMap.Dialect.BindVar(varIdx)` to get the +proper variable binding for your dialect. + +### time.Time and time zones + +gorp will pass `time.Time` fields through to the `database/sql` +driver, but note that the behavior of this type varies across database +drivers. + +MySQL users should be especially cautious. See: +https://github.com/ziutek/mymysql/pull/77 + +To avoid any potential issues with timezone/DST, consider: + +- Using an integer field for time data and storing UNIX time. +- Using a custom time type that implements some SQL types: + - [`"database/sql".Scanner`](https://golang.org/pkg/database/sql/#Scanner) + - [`"database/sql/driver".Valuer`](https://golang.org/pkg/database/sql/driver/#Valuer) + +## Running the tests + +The included tests may be run against MySQL, Postgresql, or sqlite3. +You must set two environment variables so the test code knows which +driver to use, and how to connect to your database. + +```sh +# MySQL example: +export GORP_TEST_DSN=gomysql_test/gomysql_test/abc123 +export GORP_TEST_DIALECT=mysql + +# run the tests +go test + +# run the tests and benchmarks +go test -bench="Bench" -benchtime 10 +``` + +Valid `GORP_TEST_DIALECT` values are: "mysql"(for mymysql), +"gomysql"(for go-sql-driver), "postgres", "sqlite" See the +`test_all.sh` script for examples of all 3 databases. This is the +script I run locally to test the library. + +## Performance + +gorp uses reflection to construct SQL queries and bind parameters. +See the BenchmarkNativeCrud vs BenchmarkGorpCrud in gorp_test.go for a +simple perf test. On my MacBook Pro gorp is about 2-3% slower than +hand written SQL. + + +## Contributors + +* matthias-margush - column aliasing via tags +* Rob Figueiredo - @robfig +* Quinn Slack - @sqs diff --git a/vendor/github.com/go-gorp/gorp/v3/column.go b/vendor/github.com/go-gorp/gorp/v3/column.go new file mode 100644 index 0000000000..383e9efb65 --- /dev/null +++ b/vendor/github.com/go-gorp/gorp/v3/column.go @@ -0,0 +1,76 @@ +// Copyright 2012 James Cooper. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package gorp + +import "reflect" + +// ColumnMap represents a mapping between a Go struct field and a single +// column in a table. +// Unique and MaxSize only inform the +// CreateTables() function and are not used by Insert/Update/Delete/Get. +type ColumnMap struct { + // Column name in db table + ColumnName string + + // If true, this column is skipped in generated SQL statements + Transient bool + + // If true, " unique" is added to create table statements. + // Not used elsewhere + Unique bool + + // Query used for getting generated id after insert + GeneratedIdQuery string + + // Passed to Dialect.ToSqlType() to assist in informing the + // correct column type to map to in CreateTables() + MaxSize int + + DefaultValue string + + fieldName string + gotype reflect.Type + isPK bool + isAutoIncr bool + isNotNull bool +} + +// Rename allows you to specify the column name in the table +// +// Example: table.ColMap("Updated").Rename("date_updated") +// +func (c *ColumnMap) Rename(colname string) *ColumnMap { + c.ColumnName = colname + return c +} + +// SetTransient allows you to mark the column as transient. If true +// this column will be skipped when SQL statements are generated +func (c *ColumnMap) SetTransient(b bool) *ColumnMap { + c.Transient = b + return c +} + +// SetUnique adds "unique" to the create table statements for this +// column, if b is true. +func (c *ColumnMap) SetUnique(b bool) *ColumnMap { + c.Unique = b + return c +} + +// SetNotNull adds "not null" to the create table statements for this +// column, if nn is true. +func (c *ColumnMap) SetNotNull(nn bool) *ColumnMap { + c.isNotNull = nn + return c +} + +// SetMaxSize specifies the max length of values of this column. This is +// passed to the dialect.ToSqlType() function, which can use the value +// to alter the generated type for "create table" statements +func (c *ColumnMap) SetMaxSize(size int) *ColumnMap { + c.MaxSize = size + return c +} diff --git a/vendor/github.com/go-gorp/gorp/v3/db.go b/vendor/github.com/go-gorp/gorp/v3/db.go new file mode 100644 index 0000000000..d78062e5b1 --- /dev/null +++ b/vendor/github.com/go-gorp/gorp/v3/db.go @@ -0,0 +1,985 @@ +// Copyright 2012 James Cooper. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package gorp + +import ( + "bytes" + "context" + "database/sql" + "database/sql/driver" + "errors" + "fmt" + "log" + "reflect" + "strconv" + "strings" + "time" +) + +// DbMap is the root gorp mapping object. Create one of these for each +// database schema you wish to map. Each DbMap contains a list of +// mapped tables. +// +// Example: +// +// dialect := gorp.MySQLDialect{"InnoDB", "UTF8"} +// dbmap := &gorp.DbMap{Db: db, Dialect: dialect} +// +type DbMap struct { + ctx context.Context + + // Db handle to use with this map + Db *sql.DB + + // Dialect implementation to use with this map + Dialect Dialect + + TypeConverter TypeConverter + + // ExpandSlices when enabled will convert slice arguments in mappers into flat + // values. It will modify the query, adding more placeholders, and the mapper, + // adding each item of the slice as a new unique entry in the mapper. For + // example, given the scenario bellow: + // + // dbmap.Select(&output, "SELECT 1 FROM example WHERE id IN (:IDs)", map[string]interface{}{ + // "IDs": []int64{1, 2, 3}, + // }) + // + // The executed query would be: + // + // SELECT 1 FROM example WHERE id IN (:IDs0,:IDs1,:IDs2) + // + // With the mapper: + // + // map[string]interface{}{ + // "IDs": []int64{1, 2, 3}, + // "IDs0": int64(1), + // "IDs1": int64(2), + // "IDs2": int64(3), + // } + // + // It is also flexible for custom slice types. The value just need to + // implement stringer or numberer interfaces. + // + // type CustomValue string + // + // const ( + // CustomValueHey CustomValue = "hey" + // CustomValueOh CustomValue = "oh" + // ) + // + // type CustomValues []CustomValue + // + // func (c CustomValues) ToStringSlice() []string { + // values := make([]string, len(c)) + // for i := range c { + // values[i] = string(c[i]) + // } + // return values + // } + // + // func query() { + // // ... + // result, err := dbmap.Select(&output, "SELECT 1 FROM example WHERE value IN (:Values)", map[string]interface{}{ + // "Values": CustomValues([]CustomValue{CustomValueHey}), + // }) + // // ... + // } + ExpandSliceArgs bool + + tables []*TableMap + tablesDynamic map[string]*TableMap // tables that use same go-struct and different db table names + logger GorpLogger + logPrefix string +} + +func (m *DbMap) dynamicTableAdd(tableName string, tbl *TableMap) { + if m.tablesDynamic == nil { + m.tablesDynamic = make(map[string]*TableMap) + } + m.tablesDynamic[tableName] = tbl +} + +func (m *DbMap) dynamicTableFind(tableName string) (*TableMap, bool) { + if m.tablesDynamic == nil { + return nil, false + } + tbl, found := m.tablesDynamic[tableName] + return tbl, found +} + +func (m *DbMap) dynamicTableMap() map[string]*TableMap { + if m.tablesDynamic == nil { + m.tablesDynamic = make(map[string]*TableMap) + } + return m.tablesDynamic +} + +func (m *DbMap) WithContext(ctx context.Context) SqlExecutor { + copy := &DbMap{} + *copy = *m + copy.ctx = ctx + return copy +} + +func (m *DbMap) CreateIndex() error { + var err error + dialect := reflect.TypeOf(m.Dialect) + for _, table := range m.tables { + for _, index := range table.indexes { + err = m.createIndexImpl(dialect, table, index) + if err != nil { + break + } + } + } + + for _, table := range m.dynamicTableMap() { + for _, index := range table.indexes { + err = m.createIndexImpl(dialect, table, index) + if err != nil { + break + } + } + } + + return err +} + +func (m *DbMap) createIndexImpl(dialect reflect.Type, + table *TableMap, + index *IndexMap) error { + s := bytes.Buffer{} + s.WriteString("create") + if index.Unique { + s.WriteString(" unique") + } + s.WriteString(" index") + s.WriteString(fmt.Sprintf(" %s on %s", index.IndexName, table.TableName)) + if dname := dialect.Name(); dname == "PostgresDialect" && index.IndexType != "" { + s.WriteString(fmt.Sprintf(" %s %s", m.Dialect.CreateIndexSuffix(), index.IndexType)) + } + s.WriteString(" (") + for x, col := range index.columns { + if x > 0 { + s.WriteString(", ") + } + s.WriteString(m.Dialect.QuoteField(col)) + } + s.WriteString(")") + + if dname := dialect.Name(); dname == "MySQLDialect" && index.IndexType != "" { + s.WriteString(fmt.Sprintf(" %s %s", m.Dialect.CreateIndexSuffix(), index.IndexType)) + } + s.WriteString(";") + _, err := m.Exec(s.String()) + return err +} + +func (t *TableMap) DropIndex(name string) error { + + var err error + dialect := reflect.TypeOf(t.dbmap.Dialect) + for _, idx := range t.indexes { + if idx.IndexName == name { + s := bytes.Buffer{} + s.WriteString(fmt.Sprintf("DROP INDEX %s", idx.IndexName)) + + if dname := dialect.Name(); dname == "MySQLDialect" { + s.WriteString(fmt.Sprintf(" %s %s", t.dbmap.Dialect.DropIndexSuffix(), t.TableName)) + } + s.WriteString(";") + _, e := t.dbmap.Exec(s.String()) + if e != nil { + err = e + } + break + } + } + t.ResetSql() + return err +} + +// AddTable registers the given interface type with gorp. The table name +// will be given the name of the TypeOf(i). You must call this function, +// or AddTableWithName, for any struct type you wish to persist with +// the given DbMap. +// +// This operation is idempotent. If i's type is already mapped, the +// existing *TableMap is returned +func (m *DbMap) AddTable(i interface{}) *TableMap { + return m.AddTableWithName(i, "") +} + +// AddTableWithName has the same behavior as AddTable, but sets +// table.TableName to name. +func (m *DbMap) AddTableWithName(i interface{}, name string) *TableMap { + return m.AddTableWithNameAndSchema(i, "", name) +} + +// AddTableWithNameAndSchema has the same behavior as AddTable, but sets +// table.TableName to name. +func (m *DbMap) AddTableWithNameAndSchema(i interface{}, schema string, name string) *TableMap { + t := reflect.TypeOf(i) + if name == "" { + name = t.Name() + } + + // check if we have a table for this type already + // if so, update the name and return the existing pointer + for i := range m.tables { + table := m.tables[i] + if table.gotype == t { + table.TableName = name + return table + } + } + + tmap := &TableMap{gotype: t, TableName: name, SchemaName: schema, dbmap: m} + var primaryKey []*ColumnMap + tmap.Columns, primaryKey = m.readStructColumns(t) + m.tables = append(m.tables, tmap) + if len(primaryKey) > 0 { + tmap.keys = append(tmap.keys, primaryKey...) + } + + return tmap +} + +// AddTableDynamic registers the given interface type with gorp. +// The table name will be dynamically determined at runtime by +// using the GetTableName method on DynamicTable interface +func (m *DbMap) AddTableDynamic(inp DynamicTable, schema string) *TableMap { + + val := reflect.ValueOf(inp) + elm := val.Elem() + t := elm.Type() + name := inp.TableName() + if name == "" { + panic("Missing table name in DynamicTable instance") + } + + // Check if there is another dynamic table with the same name + if _, found := m.dynamicTableFind(name); found { + panic(fmt.Sprintf("A table with the same name %v already exists", name)) + } + + tmap := &TableMap{gotype: t, TableName: name, SchemaName: schema, dbmap: m} + var primaryKey []*ColumnMap + tmap.Columns, primaryKey = m.readStructColumns(t) + if len(primaryKey) > 0 { + tmap.keys = append(tmap.keys, primaryKey...) + } + + m.dynamicTableAdd(name, tmap) + + return tmap +} + +func (m *DbMap) readStructColumns(t reflect.Type) (cols []*ColumnMap, primaryKey []*ColumnMap) { + primaryKey = make([]*ColumnMap, 0) + n := t.NumField() + for i := 0; i < n; i++ { + f := t.Field(i) + if f.Anonymous && f.Type.Kind() == reflect.Struct { + // Recursively add nested fields in embedded structs. + subcols, subpk := m.readStructColumns(f.Type) + // Don't append nested fields that have the same field + // name as an already-mapped field. + for _, subcol := range subcols { + shouldAppend := true + for _, col := range cols { + if !subcol.Transient && subcol.fieldName == col.fieldName { + shouldAppend = false + break + } + } + if shouldAppend { + cols = append(cols, subcol) + } + } + if subpk != nil { + primaryKey = append(primaryKey, subpk...) + } + } else { + // Tag = Name { ',' Option } + // Option = OptionKey [ ':' OptionValue ] + cArguments := strings.Split(f.Tag.Get("db"), ",") + columnName := cArguments[0] + var maxSize int + var defaultValue string + var isAuto bool + var isPK bool + var isNotNull bool + for _, argString := range cArguments[1:] { + argString = strings.TrimSpace(argString) + arg := strings.SplitN(argString, ":", 2) + + // check mandatory/unexpected option values + switch arg[0] { + case "size", "default": + // options requiring value + if len(arg) == 1 { + panic(fmt.Sprintf("missing option value for option %v on field %v", arg[0], f.Name)) + } + default: + // options where value is invalid (currently all other options) + if len(arg) == 2 { + panic(fmt.Sprintf("unexpected option value for option %v on field %v", arg[0], f.Name)) + } + } + + switch arg[0] { + case "size": + maxSize, _ = strconv.Atoi(arg[1]) + case "default": + defaultValue = arg[1] + case "primarykey": + isPK = true + case "autoincrement": + isAuto = true + case "notnull": + isNotNull = true + default: + panic(fmt.Sprintf("Unrecognized tag option for field %v: %v", f.Name, arg)) + } + } + if columnName == "" { + columnName = f.Name + } + + gotype := f.Type + valueType := gotype + if valueType.Kind() == reflect.Ptr { + valueType = valueType.Elem() + } + value := reflect.New(valueType).Interface() + if m.TypeConverter != nil { + // Make a new pointer to a value of type gotype and + // pass it to the TypeConverter's FromDb method to see + // if a different type should be used for the column + // type during table creation. + scanner, useHolder := m.TypeConverter.FromDb(value) + if useHolder { + value = scanner.Holder + gotype = reflect.TypeOf(value) + } + } + if typer, ok := value.(SqlTyper); ok { + gotype = reflect.TypeOf(typer.SqlType()) + } else if typer, ok := value.(legacySqlTyper); ok { + log.Printf("Deprecation Warning: update your SqlType methods to return a driver.Value") + gotype = reflect.TypeOf(typer.SqlType()) + } else if valuer, ok := value.(driver.Valuer); ok { + // Only check for driver.Valuer if SqlTyper wasn't + // found. + v, err := valuer.Value() + if err == nil && v != nil { + gotype = reflect.TypeOf(v) + } + } + cm := &ColumnMap{ + ColumnName: columnName, + DefaultValue: defaultValue, + Transient: columnName == "-", + fieldName: f.Name, + gotype: gotype, + isPK: isPK, + isAutoIncr: isAuto, + isNotNull: isNotNull, + MaxSize: maxSize, + } + if isPK { + primaryKey = append(primaryKey, cm) + } + // Check for nested fields of the same field name and + // override them. + shouldAppend := true + for index, col := range cols { + if !col.Transient && col.fieldName == cm.fieldName { + cols[index] = cm + shouldAppend = false + break + } + } + if shouldAppend { + cols = append(cols, cm) + } + } + + } + return +} + +// CreateTables iterates through TableMaps registered to this DbMap and +// executes "create table" statements against the database for each. +// +// This is particularly useful in unit tests where you want to create +// and destroy the schema automatically. +func (m *DbMap) CreateTables() error { + return m.createTables(false) +} + +// CreateTablesIfNotExists is similar to CreateTables, but starts +// each statement with "create table if not exists" so that existing +// tables do not raise errors +func (m *DbMap) CreateTablesIfNotExists() error { + return m.createTables(true) +} + +func (m *DbMap) createTables(ifNotExists bool) error { + var err error + for i := range m.tables { + table := m.tables[i] + sql := table.SqlForCreate(ifNotExists) + _, err = m.Exec(sql) + if err != nil { + return err + } + } + + for _, tbl := range m.dynamicTableMap() { + sql := tbl.SqlForCreate(ifNotExists) + _, err = m.Exec(sql) + if err != nil { + return err + } + } + + return err +} + +// DropTable drops an individual table. +// Returns an error when the table does not exist. +func (m *DbMap) DropTable(table interface{}) error { + t := reflect.TypeOf(table) + + tableName := "" + if dyn, ok := table.(DynamicTable); ok { + tableName = dyn.TableName() + } + + return m.dropTable(t, tableName, false) +} + +// DropTableIfExists drops an individual table when the table exists. +func (m *DbMap) DropTableIfExists(table interface{}) error { + t := reflect.TypeOf(table) + + tableName := "" + if dyn, ok := table.(DynamicTable); ok { + tableName = dyn.TableName() + } + + return m.dropTable(t, tableName, true) +} + +// DropTables iterates through TableMaps registered to this DbMap and +// executes "drop table" statements against the database for each. +func (m *DbMap) DropTables() error { + return m.dropTables(false) +} + +// DropTablesIfExists is the same as DropTables, but uses the "if exists" clause to +// avoid errors for tables that do not exist. +func (m *DbMap) DropTablesIfExists() error { + return m.dropTables(true) +} + +// Goes through all the registered tables, dropping them one by one. +// If an error is encountered, then it is returned and the rest of +// the tables are not dropped. +func (m *DbMap) dropTables(addIfExists bool) (err error) { + for _, table := range m.tables { + err = m.dropTableImpl(table, addIfExists) + if err != nil { + return err + } + } + + for _, table := range m.dynamicTableMap() { + err = m.dropTableImpl(table, addIfExists) + if err != nil { + return err + } + } + + return err +} + +// Implementation of dropping a single table. +func (m *DbMap) dropTable(t reflect.Type, name string, addIfExists bool) error { + table := tableOrNil(m, t, name) + if table == nil { + return fmt.Errorf("table %s was not registered", table.TableName) + } + + return m.dropTableImpl(table, addIfExists) +} + +func (m *DbMap) dropTableImpl(table *TableMap, ifExists bool) (err error) { + tableDrop := "drop table" + if ifExists { + tableDrop = m.Dialect.IfTableExists(tableDrop, table.SchemaName, table.TableName) + } + _, err = m.Exec(fmt.Sprintf("%s %s;", tableDrop, m.Dialect.QuotedTableForQuery(table.SchemaName, table.TableName))) + return err +} + +// TruncateTables iterates through TableMaps registered to this DbMap and +// executes "truncate table" statements against the database for each, or in the case of +// sqlite, a "delete from" with no "where" clause, which uses the truncate optimization +// (http://www.sqlite.org/lang_delete.html) +func (m *DbMap) TruncateTables() error { + var err error + for i := range m.tables { + table := m.tables[i] + _, e := m.Exec(fmt.Sprintf("%s %s;", m.Dialect.TruncateClause(), m.Dialect.QuotedTableForQuery(table.SchemaName, table.TableName))) + if e != nil { + err = e + } + } + + for _, table := range m.dynamicTableMap() { + _, e := m.Exec(fmt.Sprintf("%s %s;", m.Dialect.TruncateClause(), m.Dialect.QuotedTableForQuery(table.SchemaName, table.TableName))) + if e != nil { + err = e + } + } + + return err +} + +// Insert runs a SQL INSERT statement for each element in list. List +// items must be pointers. +// +// Any interface whose TableMap has an auto-increment primary key will +// have its last insert id bound to the PK field on the struct. +// +// The hook functions PreInsert() and/or PostInsert() will be executed +// before/after the INSERT statement if the interface defines them. +// +// Panics if any interface in the list has not been registered with AddTable +func (m *DbMap) Insert(list ...interface{}) error { + return insert(m, m, list...) +} + +// Update runs a SQL UPDATE statement for each element in list. List +// items must be pointers. +// +// The hook functions PreUpdate() and/or PostUpdate() will be executed +// before/after the UPDATE statement if the interface defines them. +// +// Returns the number of rows updated. +// +// Returns an error if SetKeys has not been called on the TableMap +// Panics if any interface in the list has not been registered with AddTable +func (m *DbMap) Update(list ...interface{}) (int64, error) { + return update(m, m, nil, list...) +} + +// UpdateColumns runs a SQL UPDATE statement for each element in list. List +// items must be pointers. +// +// Only the columns accepted by filter are included in the UPDATE. +// +// The hook functions PreUpdate() and/or PostUpdate() will be executed +// before/after the UPDATE statement if the interface defines them. +// +// Returns the number of rows updated. +// +// Returns an error if SetKeys has not been called on the TableMap +// Panics if any interface in the list has not been registered with AddTable +func (m *DbMap) UpdateColumns(filter ColumnFilter, list ...interface{}) (int64, error) { + return update(m, m, filter, list...) +} + +// Delete runs a SQL DELETE statement for each element in list. List +// items must be pointers. +// +// The hook functions PreDelete() and/or PostDelete() will be executed +// before/after the DELETE statement if the interface defines them. +// +// Returns the number of rows deleted. +// +// Returns an error if SetKeys has not been called on the TableMap +// Panics if any interface in the list has not been registered with AddTable +func (m *DbMap) Delete(list ...interface{}) (int64, error) { + return delete(m, m, list...) +} + +// Get runs a SQL SELECT to fetch a single row from the table based on the +// primary key(s) +// +// i should be an empty value for the struct to load. keys should be +// the primary key value(s) for the row to load. If multiple keys +// exist on the table, the order should match the column order +// specified in SetKeys() when the table mapping was defined. +// +// The hook function PostGet() will be executed after the SELECT +// statement if the interface defines them. +// +// Returns a pointer to a struct that matches or nil if no row is found. +// +// Returns an error if SetKeys has not been called on the TableMap +// Panics if any interface in the list has not been registered with AddTable +func (m *DbMap) Get(i interface{}, keys ...interface{}) (interface{}, error) { + return get(m, m, i, keys...) +} + +// Select runs an arbitrary SQL query, binding the columns in the result +// to fields on the struct specified by i. args represent the bind +// parameters for the SQL statement. +// +// Column names on the SELECT statement should be aliased to the field names +// on the struct i. Returns an error if one or more columns in the result +// do not match. It is OK if fields on i are not part of the SQL +// statement. +// +// The hook function PostGet() will be executed after the SELECT +// statement if the interface defines them. +// +// Values are returned in one of two ways: +// 1. If i is a struct or a pointer to a struct, returns a slice of pointers to +// matching rows of type i. +// 2. If i is a pointer to a slice, the results will be appended to that slice +// and nil returned. +// +// i does NOT need to be registered with AddTable() +func (m *DbMap) Select(i interface{}, query string, args ...interface{}) ([]interface{}, error) { + if m.ExpandSliceArgs { + expandSliceArgs(&query, args...) + } + + return hookedselect(m, m, i, query, args...) +} + +// Exec runs an arbitrary SQL statement. args represent the bind parameters. +// This is equivalent to running: Exec() using database/sql +func (m *DbMap) Exec(query string, args ...interface{}) (sql.Result, error) { + if m.ExpandSliceArgs { + expandSliceArgs(&query, args...) + } + + if m.logger != nil { + now := time.Now() + defer m.trace(now, query, args...) + } + return maybeExpandNamedQueryAndExec(m, query, args...) +} + +// SelectInt is a convenience wrapper around the gorp.SelectInt function +func (m *DbMap) SelectInt(query string, args ...interface{}) (int64, error) { + if m.ExpandSliceArgs { + expandSliceArgs(&query, args...) + } + + return SelectInt(m, query, args...) +} + +// SelectNullInt is a convenience wrapper around the gorp.SelectNullInt function +func (m *DbMap) SelectNullInt(query string, args ...interface{}) (sql.NullInt64, error) { + if m.ExpandSliceArgs { + expandSliceArgs(&query, args...) + } + + return SelectNullInt(m, query, args...) +} + +// SelectFloat is a convenience wrapper around the gorp.SelectFloat function +func (m *DbMap) SelectFloat(query string, args ...interface{}) (float64, error) { + if m.ExpandSliceArgs { + expandSliceArgs(&query, args...) + } + + return SelectFloat(m, query, args...) +} + +// SelectNullFloat is a convenience wrapper around the gorp.SelectNullFloat function +func (m *DbMap) SelectNullFloat(query string, args ...interface{}) (sql.NullFloat64, error) { + if m.ExpandSliceArgs { + expandSliceArgs(&query, args...) + } + + return SelectNullFloat(m, query, args...) +} + +// SelectStr is a convenience wrapper around the gorp.SelectStr function +func (m *DbMap) SelectStr(query string, args ...interface{}) (string, error) { + if m.ExpandSliceArgs { + expandSliceArgs(&query, args...) + } + + return SelectStr(m, query, args...) +} + +// SelectNullStr is a convenience wrapper around the gorp.SelectNullStr function +func (m *DbMap) SelectNullStr(query string, args ...interface{}) (sql.NullString, error) { + if m.ExpandSliceArgs { + expandSliceArgs(&query, args...) + } + + return SelectNullStr(m, query, args...) +} + +// SelectOne is a convenience wrapper around the gorp.SelectOne function +func (m *DbMap) SelectOne(holder interface{}, query string, args ...interface{}) error { + if m.ExpandSliceArgs { + expandSliceArgs(&query, args...) + } + + return SelectOne(m, m, holder, query, args...) +} + +// Begin starts a gorp Transaction +func (m *DbMap) Begin() (*Transaction, error) { + if m.logger != nil { + now := time.Now() + defer m.trace(now, "begin;") + } + tx, err := begin(m) + if err != nil { + return nil, err + } + return &Transaction{ + dbmap: m, + tx: tx, + closed: false, + }, nil +} + +// TableFor returns the *TableMap corresponding to the given Go Type +// If no table is mapped to that type an error is returned. +// If checkPK is true and the mapped table has no registered PKs, an error is returned. +func (m *DbMap) TableFor(t reflect.Type, checkPK bool) (*TableMap, error) { + table := tableOrNil(m, t, "") + if table == nil { + return nil, fmt.Errorf("no table found for type: %v", t.Name()) + } + + if checkPK && len(table.keys) < 1 { + e := fmt.Sprintf("gorp: no keys defined for table: %s", + table.TableName) + return nil, errors.New(e) + } + + return table, nil +} + +// DynamicTableFor returns the *TableMap for the dynamic table corresponding +// to the input tablename +// If no table is mapped to that tablename an error is returned. +// If checkPK is true and the mapped table has no registered PKs, an error is returned. +func (m *DbMap) DynamicTableFor(tableName string, checkPK bool) (*TableMap, error) { + table, found := m.dynamicTableFind(tableName) + if !found { + return nil, fmt.Errorf("gorp: no table found for name: %v", tableName) + } + + if checkPK && len(table.keys) < 1 { + e := fmt.Sprintf("gorp: no keys defined for table: %s", + table.TableName) + return nil, errors.New(e) + } + + return table, nil +} + +// Prepare creates a prepared statement for later queries or executions. +// Multiple queries or executions may be run concurrently from the returned statement. +// This is equivalent to running: Prepare() using database/sql +func (m *DbMap) Prepare(query string) (*sql.Stmt, error) { + if m.logger != nil { + now := time.Now() + defer m.trace(now, query, nil) + } + return prepare(m, query) +} + +func tableOrNil(m *DbMap, t reflect.Type, name string) *TableMap { + if name != "" { + // Search by table name (dynamic tables) + if table, found := m.dynamicTableFind(name); found { + return table + } + return nil + } + + for i := range m.tables { + table := m.tables[i] + if table.gotype == t { + return table + } + } + return nil +} + +func (m *DbMap) tableForPointer(ptr interface{}, checkPK bool) (*TableMap, reflect.Value, error) { + ptrv := reflect.ValueOf(ptr) + if ptrv.Kind() != reflect.Ptr { + e := fmt.Sprintf("gorp: passed non-pointer: %v (kind=%v)", ptr, + ptrv.Kind()) + return nil, reflect.Value{}, errors.New(e) + } + elem := ptrv.Elem() + ifc := elem.Interface() + var t *TableMap + var err error + tableName := "" + if dyn, isDyn := ptr.(DynamicTable); isDyn { + tableName = dyn.TableName() + t, err = m.DynamicTableFor(tableName, checkPK) + } else { + etype := reflect.TypeOf(ifc) + t, err = m.TableFor(etype, checkPK) + } + + if err != nil { + return nil, reflect.Value{}, err + } + + return t, elem, nil +} + +func (m *DbMap) QueryRow(query string, args ...interface{}) *sql.Row { + if m.ExpandSliceArgs { + expandSliceArgs(&query, args...) + } + + if m.logger != nil { + now := time.Now() + defer m.trace(now, query, args...) + } + return queryRow(m, query, args...) +} + +func (m *DbMap) Query(q string, args ...interface{}) (*sql.Rows, error) { + if m.ExpandSliceArgs { + expandSliceArgs(&q, args...) + } + + if m.logger != nil { + now := time.Now() + defer m.trace(now, q, args...) + } + return query(m, q, args...) +} + +func (m *DbMap) trace(started time.Time, query string, args ...interface{}) { + if m.ExpandSliceArgs { + expandSliceArgs(&query, args...) + } + + if m.logger != nil { + var margs = argsString(args...) + m.logger.Printf("%s%s [%s] (%v)", m.logPrefix, query, margs, (time.Now().Sub(started))) + } +} + +type stringer interface { + ToStringSlice() []string +} + +type numberer interface { + ToInt64Slice() []int64 +} + +func expandSliceArgs(query *string, args ...interface{}) { + for _, arg := range args { + mapper, ok := arg.(map[string]interface{}) + if !ok { + continue + } + + for key, value := range mapper { + var replacements []string + + // add flexibility for any custom type to be convert to one of the + // acceptable formats. + if v, ok := value.(stringer); ok { + value = v.ToStringSlice() + } + if v, ok := value.(numberer); ok { + value = v.ToInt64Slice() + } + + switch v := value.(type) { + case []string: + for id, replace := range v { + mapper[fmt.Sprintf("%s%d", key, id)] = replace + replacements = append(replacements, fmt.Sprintf(":%s%d", key, id)) + } + case []uint: + for id, replace := range v { + mapper[fmt.Sprintf("%s%d", key, id)] = replace + replacements = append(replacements, fmt.Sprintf(":%s%d", key, id)) + } + case []uint8: + for id, replace := range v { + mapper[fmt.Sprintf("%s%d", key, id)] = replace + replacements = append(replacements, fmt.Sprintf(":%s%d", key, id)) + } + case []uint16: + for id, replace := range v { + mapper[fmt.Sprintf("%s%d", key, id)] = replace + replacements = append(replacements, fmt.Sprintf(":%s%d", key, id)) + } + case []uint32: + for id, replace := range v { + mapper[fmt.Sprintf("%s%d", key, id)] = replace + replacements = append(replacements, fmt.Sprintf(":%s%d", key, id)) + } + case []uint64: + for id, replace := range v { + mapper[fmt.Sprintf("%s%d", key, id)] = replace + replacements = append(replacements, fmt.Sprintf(":%s%d", key, id)) + } + case []int: + for id, replace := range v { + mapper[fmt.Sprintf("%s%d", key, id)] = replace + replacements = append(replacements, fmt.Sprintf(":%s%d", key, id)) + } + case []int8: + for id, replace := range v { + mapper[fmt.Sprintf("%s%d", key, id)] = replace + replacements = append(replacements, fmt.Sprintf(":%s%d", key, id)) + } + case []int16: + for id, replace := range v { + mapper[fmt.Sprintf("%s%d", key, id)] = replace + replacements = append(replacements, fmt.Sprintf(":%s%d", key, id)) + } + case []int32: + for id, replace := range v { + mapper[fmt.Sprintf("%s%d", key, id)] = replace + replacements = append(replacements, fmt.Sprintf(":%s%d", key, id)) + } + case []int64: + for id, replace := range v { + mapper[fmt.Sprintf("%s%d", key, id)] = replace + replacements = append(replacements, fmt.Sprintf(":%s%d", key, id)) + } + case []float32: + for id, replace := range v { + mapper[fmt.Sprintf("%s%d", key, id)] = replace + replacements = append(replacements, fmt.Sprintf(":%s%d", key, id)) + } + case []float64: + for id, replace := range v { + mapper[fmt.Sprintf("%s%d", key, id)] = replace + replacements = append(replacements, fmt.Sprintf(":%s%d", key, id)) + } + default: + continue + } + + if len(replacements) == 0 { + continue + } + + *query = strings.Replace(*query, fmt.Sprintf(":%s", key), strings.Join(replacements, ","), -1) + } + } +} diff --git a/vendor/github.com/go-gorp/gorp/v3/dialect.go b/vendor/github.com/go-gorp/gorp/v3/dialect.go new file mode 100644 index 0000000000..fdea2b203c --- /dev/null +++ b/vendor/github.com/go-gorp/gorp/v3/dialect.go @@ -0,0 +1,105 @@ +// Copyright 2012 James Cooper. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package gorp + +import ( + "reflect" +) + +// The Dialect interface encapsulates behaviors that differ across +// SQL databases. At present the Dialect is only used by CreateTables() +// but this could change in the future +type Dialect interface { + // adds a suffix to any query, usually ";" + QuerySuffix() string + + // ToSqlType returns the SQL column type to use when creating a + // table of the given Go Type. maxsize can be used to switch based on + // size. For example, in MySQL []byte could map to BLOB, MEDIUMBLOB, + // or LONGBLOB depending on the maxsize + ToSqlType(val reflect.Type, maxsize int, isAutoIncr bool) string + + // string to append to primary key column definitions + AutoIncrStr() string + + // string to bind autoincrement columns to. Empty string will + // remove reference to those columns in the INSERT statement. + AutoIncrBindValue() string + + AutoIncrInsertSuffix(col *ColumnMap) string + + // string to append to "create table" statement for vendor specific + // table attributes + CreateTableSuffix() string + + // string to append to "create index" statement + CreateIndexSuffix() string + + // string to append to "drop index" statement + DropIndexSuffix() string + + // string to truncate tables + TruncateClause() string + + // bind variable string to use when forming SQL statements + // in many dbs it is "?", but Postgres appears to use $1 + // + // i is a zero based index of the bind variable in this statement + // + BindVar(i int) string + + // Handles quoting of a field name to ensure that it doesn't raise any + // SQL parsing exceptions by using a reserved word as a field name. + QuoteField(field string) string + + // Handles building up of a schema.database string that is compatible with + // the given dialect + // + // schema - The schema that lives in + // table - The table name + QuotedTableForQuery(schema string, table string) string + + // Existence clause for table creation / deletion + IfSchemaNotExists(command, schema string) string + IfTableExists(command, schema, table string) string + IfTableNotExists(command, schema, table string) string +} + +// IntegerAutoIncrInserter is implemented by dialects that can perform +// inserts with automatically incremented integer primary keys. If +// the dialect can handle automatic assignment of more than just +// integers, see TargetedAutoIncrInserter. +type IntegerAutoIncrInserter interface { + InsertAutoIncr(exec SqlExecutor, insertSql string, params ...interface{}) (int64, error) +} + +// TargetedAutoIncrInserter is implemented by dialects that can +// perform automatic assignment of any primary key type (i.e. strings +// for uuids, integers for serials, etc). +type TargetedAutoIncrInserter interface { + // InsertAutoIncrToTarget runs an insert operation and assigns the + // automatically generated primary key directly to the passed in + // target. The target should be a pointer to the primary key + // field of the value being inserted. + InsertAutoIncrToTarget(exec SqlExecutor, insertSql string, target interface{}, params ...interface{}) error +} + +// TargetQueryInserter is implemented by dialects that can perform +// assignment of integer primary key type by executing a query +// like "select sequence.currval from dual". +type TargetQueryInserter interface { + // TargetQueryInserter runs an insert operation and assigns the + // automatically generated primary key retrived by the query + // extracted from the GeneratedIdQuery field of the id column. + InsertQueryToTarget(exec SqlExecutor, insertSql, idSql string, target interface{}, params ...interface{}) error +} + +func standardInsertAutoIncr(exec SqlExecutor, insertSql string, params ...interface{}) (int64, error) { + res, err := exec.Exec(insertSql, params...) + if err != nil { + return 0, err + } + return res.LastInsertId() +} diff --git a/vendor/github.com/go-gorp/gorp/v3/dialect_mysql.go b/vendor/github.com/go-gorp/gorp/v3/dialect_mysql.go new file mode 100644 index 0000000000..d068ebe85e --- /dev/null +++ b/vendor/github.com/go-gorp/gorp/v3/dialect_mysql.go @@ -0,0 +1,169 @@ +// Copyright 2012 James Cooper. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package gorp + +import ( + "fmt" + "reflect" + "strings" + "time" +) + +// Implementation of Dialect for MySQL databases. +type MySQLDialect struct { + + // Engine is the storage engine to use "InnoDB" vs "MyISAM" for example + Engine string + + // Encoding is the character encoding to use for created tables + Encoding string +} + +func (d MySQLDialect) QuerySuffix() string { return ";" } + +func (d MySQLDialect) ToSqlType(val reflect.Type, maxsize int, isAutoIncr bool) string { + switch val.Kind() { + case reflect.Ptr: + return d.ToSqlType(val.Elem(), maxsize, isAutoIncr) + case reflect.Bool: + return "boolean" + case reflect.Int8: + return "tinyint" + case reflect.Uint8: + return "tinyint unsigned" + case reflect.Int16: + return "smallint" + case reflect.Uint16: + return "smallint unsigned" + case reflect.Int, reflect.Int32: + return "int" + case reflect.Uint, reflect.Uint32: + return "int unsigned" + case reflect.Int64: + return "bigint" + case reflect.Uint64: + return "bigint unsigned" + case reflect.Float64, reflect.Float32: + return "double" + case reflect.Slice: + if val.Elem().Kind() == reflect.Uint8 { + return "mediumblob" + } + } + + switch val.Name() { + case "NullInt64": + return "bigint" + case "NullFloat64": + return "double" + case "NullBool": + return "tinyint" + case "Time": + return "datetime" + } + + if maxsize < 1 { + maxsize = 255 + } + + /* == About varchar(N) == + * N is number of characters. + * A varchar column can store up to 65535 bytes. + * Remember that 1 character is 3 bytes in utf-8 charset. + * Also remember that each row can store up to 65535 bytes, + * and you have some overheads, so it's not possible for a + * varchar column to have 65535/3 characters really. + * So it would be better to use 'text' type in stead of + * large varchar type. + */ + if maxsize < 256 { + return fmt.Sprintf("varchar(%d)", maxsize) + } else { + return "text" + } +} + +// Returns auto_increment +func (d MySQLDialect) AutoIncrStr() string { + return "auto_increment" +} + +func (d MySQLDialect) AutoIncrBindValue() string { + return "null" +} + +func (d MySQLDialect) AutoIncrInsertSuffix(col *ColumnMap) string { + return "" +} + +// Returns engine=%s charset=%s based on values stored on struct +func (d MySQLDialect) CreateTableSuffix() string { + if d.Engine == "" || d.Encoding == "" { + msg := "gorp - undefined" + + if d.Engine == "" { + msg += " MySQLDialect.Engine" + } + if d.Engine == "" && d.Encoding == "" { + msg += "," + } + if d.Encoding == "" { + msg += " MySQLDialect.Encoding" + } + msg += ". Check that your MySQLDialect was correctly initialized when declared." + panic(msg) + } + + return fmt.Sprintf(" engine=%s charset=%s", d.Engine, d.Encoding) +} + +func (d MySQLDialect) CreateIndexSuffix() string { + return "using" +} + +func (d MySQLDialect) DropIndexSuffix() string { + return "on" +} + +func (d MySQLDialect) TruncateClause() string { + return "truncate" +} + +func (d MySQLDialect) SleepClause(s time.Duration) string { + return fmt.Sprintf("sleep(%f)", s.Seconds()) +} + +// Returns "?" +func (d MySQLDialect) BindVar(i int) string { + return "?" +} + +func (d MySQLDialect) InsertAutoIncr(exec SqlExecutor, insertSql string, params ...interface{}) (int64, error) { + return standardInsertAutoIncr(exec, insertSql, params...) +} + +func (d MySQLDialect) QuoteField(f string) string { + return "`" + f + "`" +} + +func (d MySQLDialect) QuotedTableForQuery(schema string, table string) string { + if strings.TrimSpace(schema) == "" { + return d.QuoteField(table) + } + + return schema + "." + d.QuoteField(table) +} + +func (d MySQLDialect) IfSchemaNotExists(command, schema string) string { + return fmt.Sprintf("%s if not exists", command) +} + +func (d MySQLDialect) IfTableExists(command, schema, table string) string { + return fmt.Sprintf("%s if exists", command) +} + +func (d MySQLDialect) IfTableNotExists(command, schema, table string) string { + return fmt.Sprintf("%s if not exists", command) +} diff --git a/vendor/github.com/go-gorp/gorp/v3/dialect_oracle.go b/vendor/github.com/go-gorp/gorp/v3/dialect_oracle.go new file mode 100644 index 0000000000..01a99b8a19 --- /dev/null +++ b/vendor/github.com/go-gorp/gorp/v3/dialect_oracle.go @@ -0,0 +1,139 @@ +// Copyright 2012 James Cooper. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package gorp + +import ( + "fmt" + "reflect" + "strings" +) + +// Implementation of Dialect for Oracle databases. +type OracleDialect struct{} + +func (d OracleDialect) QuerySuffix() string { return "" } + +func (d OracleDialect) CreateIndexSuffix() string { return "" } + +func (d OracleDialect) DropIndexSuffix() string { return "" } + +func (d OracleDialect) ToSqlType(val reflect.Type, maxsize int, isAutoIncr bool) string { + switch val.Kind() { + case reflect.Ptr: + return d.ToSqlType(val.Elem(), maxsize, isAutoIncr) + case reflect.Bool: + return "boolean" + case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32: + if isAutoIncr { + return "serial" + } + return "integer" + case reflect.Int64, reflect.Uint64: + if isAutoIncr { + return "bigserial" + } + return "bigint" + case reflect.Float64: + return "double precision" + case reflect.Float32: + return "real" + case reflect.Slice: + if val.Elem().Kind() == reflect.Uint8 { + return "bytea" + } + } + + switch val.Name() { + case "NullInt64": + return "bigint" + case "NullFloat64": + return "double precision" + case "NullBool": + return "boolean" + case "NullTime", "Time": + return "timestamp with time zone" + } + + if maxsize > 0 { + return fmt.Sprintf("varchar(%d)", maxsize) + } else { + return "text" + } + +} + +// Returns empty string +func (d OracleDialect) AutoIncrStr() string { + return "" +} + +func (d OracleDialect) AutoIncrBindValue() string { + return "NULL" +} + +func (d OracleDialect) AutoIncrInsertSuffix(col *ColumnMap) string { + return "" +} + +// Returns suffix +func (d OracleDialect) CreateTableSuffix() string { + return "" +} + +func (d OracleDialect) TruncateClause() string { + return "truncate" +} + +// Returns "$(i+1)" +func (d OracleDialect) BindVar(i int) string { + return fmt.Sprintf(":%d", i+1) +} + +// After executing the insert uses the ColMap IdQuery to get the generated id +func (d OracleDialect) InsertQueryToTarget(exec SqlExecutor, insertSql, idSql string, target interface{}, params ...interface{}) error { + _, err := exec.Exec(insertSql, params...) + if err != nil { + return err + } + id, err := exec.SelectInt(idSql) + if err != nil { + return err + } + switch target.(type) { + case *int64: + *(target.(*int64)) = id + case *int32: + *(target.(*int32)) = int32(id) + case int: + *(target.(*int)) = int(id) + default: + return fmt.Errorf("Id field can be int, int32 or int64") + } + return nil +} + +func (d OracleDialect) QuoteField(f string) string { + return `"` + strings.ToUpper(f) + `"` +} + +func (d OracleDialect) QuotedTableForQuery(schema string, table string) string { + if strings.TrimSpace(schema) == "" { + return d.QuoteField(table) + } + + return schema + "." + d.QuoteField(table) +} + +func (d OracleDialect) IfSchemaNotExists(command, schema string) string { + return fmt.Sprintf("%s if not exists", command) +} + +func (d OracleDialect) IfTableExists(command, schema, table string) string { + return fmt.Sprintf("%s if exists", command) +} + +func (d OracleDialect) IfTableNotExists(command, schema, table string) string { + return fmt.Sprintf("%s if not exists", command) +} diff --git a/vendor/github.com/go-gorp/gorp/v3/dialect_postgres.go b/vendor/github.com/go-gorp/gorp/v3/dialect_postgres.go new file mode 100644 index 0000000000..7a9c50bf8a --- /dev/null +++ b/vendor/github.com/go-gorp/gorp/v3/dialect_postgres.go @@ -0,0 +1,149 @@ +// Copyright 2012 James Cooper. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package gorp + +import ( + "fmt" + "reflect" + "strings" + "time" +) + +type PostgresDialect struct { + suffix string + LowercaseFields bool +} + +func (d PostgresDialect) QuerySuffix() string { return ";" } + +func (d PostgresDialect) ToSqlType(val reflect.Type, maxsize int, isAutoIncr bool) string { + switch val.Kind() { + case reflect.Ptr: + return d.ToSqlType(val.Elem(), maxsize, isAutoIncr) + case reflect.Bool: + return "boolean" + case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32: + if isAutoIncr { + return "serial" + } + return "integer" + case reflect.Int64, reflect.Uint64: + if isAutoIncr { + return "bigserial" + } + return "bigint" + case reflect.Float64: + return "double precision" + case reflect.Float32: + return "real" + case reflect.Slice: + if val.Elem().Kind() == reflect.Uint8 { + return "bytea" + } + } + + switch val.Name() { + case "NullInt64": + return "bigint" + case "NullFloat64": + return "double precision" + case "NullBool": + return "boolean" + case "Time", "NullTime": + return "timestamp with time zone" + } + + if maxsize > 0 { + return fmt.Sprintf("varchar(%d)", maxsize) + } else { + return "text" + } + +} + +// Returns empty string +func (d PostgresDialect) AutoIncrStr() string { + return "" +} + +func (d PostgresDialect) AutoIncrBindValue() string { + return "default" +} + +func (d PostgresDialect) AutoIncrInsertSuffix(col *ColumnMap) string { + return " returning " + d.QuoteField(col.ColumnName) +} + +// Returns suffix +func (d PostgresDialect) CreateTableSuffix() string { + return d.suffix +} + +func (d PostgresDialect) CreateIndexSuffix() string { + return "using" +} + +func (d PostgresDialect) DropIndexSuffix() string { + return "" +} + +func (d PostgresDialect) TruncateClause() string { + return "truncate" +} + +func (d PostgresDialect) SleepClause(s time.Duration) string { + return fmt.Sprintf("pg_sleep(%f)", s.Seconds()) +} + +// Returns "$(i+1)" +func (d PostgresDialect) BindVar(i int) string { + return fmt.Sprintf("$%d", i+1) +} + +func (d PostgresDialect) InsertAutoIncrToTarget(exec SqlExecutor, insertSql string, target interface{}, params ...interface{}) error { + rows, err := exec.Query(insertSql, params...) + if err != nil { + return err + } + defer rows.Close() + + if !rows.Next() { + return fmt.Errorf("No serial value returned for insert: %s Encountered error: %s", insertSql, rows.Err()) + } + if err := rows.Scan(target); err != nil { + return err + } + if rows.Next() { + return fmt.Errorf("more than two serial value returned for insert: %s", insertSql) + } + return rows.Err() +} + +func (d PostgresDialect) QuoteField(f string) string { + if d.LowercaseFields { + return `"` + strings.ToLower(f) + `"` + } + return `"` + f + `"` +} + +func (d PostgresDialect) QuotedTableForQuery(schema string, table string) string { + if strings.TrimSpace(schema) == "" { + return d.QuoteField(table) + } + + return schema + "." + d.QuoteField(table) +} + +func (d PostgresDialect) IfSchemaNotExists(command, schema string) string { + return fmt.Sprintf("%s if not exists", command) +} + +func (d PostgresDialect) IfTableExists(command, schema, table string) string { + return fmt.Sprintf("%s if exists", command) +} + +func (d PostgresDialect) IfTableNotExists(command, schema, table string) string { + return fmt.Sprintf("%s if not exists", command) +} diff --git a/vendor/github.com/go-gorp/gorp/v3/dialect_snowflake.go b/vendor/github.com/go-gorp/gorp/v3/dialect_snowflake.go new file mode 100644 index 0000000000..2e2cb89523 --- /dev/null +++ b/vendor/github.com/go-gorp/gorp/v3/dialect_snowflake.go @@ -0,0 +1,152 @@ +// Copyright 2012 James Cooper. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package gorp + +import ( + "fmt" + "reflect" + "strings" +) + +type SnowflakeDialect struct { + suffix string + LowercaseFields bool +} + +func (d SnowflakeDialect) QuerySuffix() string { return ";" } + +func (d SnowflakeDialect) ToSqlType(val reflect.Type, maxsize int, isAutoIncr bool) string { + switch val.Kind() { + case reflect.Ptr: + return d.ToSqlType(val.Elem(), maxsize, isAutoIncr) + case reflect.Bool: + return "boolean" + case reflect.Int, + reflect.Int8, + reflect.Int16, + reflect.Int32, + reflect.Uint, + reflect.Uint8, + reflect.Uint16, + reflect.Uint32: + + if isAutoIncr { + return "serial" + } + return "integer" + case reflect.Int64, reflect.Uint64: + if isAutoIncr { + return "bigserial" + } + return "bigint" + case reflect.Float64: + return "double precision" + case reflect.Float32: + return "real" + case reflect.Slice: + if val.Elem().Kind() == reflect.Uint8 { + return "binary" + } + } + + switch val.Name() { + case "NullInt64": + return "bigint" + case "NullFloat64": + return "double precision" + case "NullBool": + return "boolean" + case "Time", "NullTime": + return "timestamp with time zone" + } + + if maxsize > 0 { + return fmt.Sprintf("varchar(%d)", maxsize) + } else { + return "text" + } + +} + +// Returns empty string +func (d SnowflakeDialect) AutoIncrStr() string { + return "" +} + +func (d SnowflakeDialect) AutoIncrBindValue() string { + return "default" +} + +func (d SnowflakeDialect) AutoIncrInsertSuffix(col *ColumnMap) string { + return "" +} + +// Returns suffix +func (d SnowflakeDialect) CreateTableSuffix() string { + return d.suffix +} + +func (d SnowflakeDialect) CreateIndexSuffix() string { + return "" +} + +func (d SnowflakeDialect) DropIndexSuffix() string { + return "" +} + +func (d SnowflakeDialect) TruncateClause() string { + return "truncate" +} + +// Returns "$(i+1)" +func (d SnowflakeDialect) BindVar(i int) string { + return "?" +} + +func (d SnowflakeDialect) InsertAutoIncrToTarget(exec SqlExecutor, insertSql string, target interface{}, params ...interface{}) error { + rows, err := exec.Query(insertSql, params...) + if err != nil { + return err + } + defer rows.Close() + + if !rows.Next() { + return fmt.Errorf("No serial value returned for insert: %s Encountered error: %s", insertSql, rows.Err()) + } + if err := rows.Scan(target); err != nil { + return err + } + if rows.Next() { + return fmt.Errorf("more than two serial value returned for insert: %s", insertSql) + } + return rows.Err() +} + +func (d SnowflakeDialect) QuoteField(f string) string { + if d.LowercaseFields { + return `"` + strings.ToLower(f) + `"` + } + return `"` + f + `"` +} + +func (d SnowflakeDialect) QuotedTableForQuery(schema string, table string) string { + if strings.TrimSpace(schema) == "" { + return d.QuoteField(table) + } + + return schema + "." + d.QuoteField(table) +} + +func (d SnowflakeDialect) IfSchemaNotExists(command, schema string) string { + return fmt.Sprintf("%s if not exists", command) +} + +func (d SnowflakeDialect) IfTableExists(command, schema, table string) string { + return fmt.Sprintf("%s if exists", command) +} + +func (d SnowflakeDialect) IfTableNotExists(command, schema, table string) string { + return fmt.Sprintf("%s if not exists", command) +} diff --git a/vendor/github.com/go-gorp/gorp/v3/dialect_sqlite.go b/vendor/github.com/go-gorp/gorp/v3/dialect_sqlite.go new file mode 100644 index 0000000000..2296275b95 --- /dev/null +++ b/vendor/github.com/go-gorp/gorp/v3/dialect_sqlite.go @@ -0,0 +1,112 @@ +// Copyright 2012 James Cooper. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package gorp + +import ( + "fmt" + "reflect" +) + +type SqliteDialect struct { + suffix string +} + +func (d SqliteDialect) QuerySuffix() string { return ";" } + +func (d SqliteDialect) ToSqlType(val reflect.Type, maxsize int, isAutoIncr bool) string { + switch val.Kind() { + case reflect.Ptr: + return d.ToSqlType(val.Elem(), maxsize, isAutoIncr) + case reflect.Bool: + return "integer" + case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64, reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64: + return "integer" + case reflect.Float64, reflect.Float32: + return "real" + case reflect.Slice: + if val.Elem().Kind() == reflect.Uint8 { + return "blob" + } + } + + switch val.Name() { + case "NullInt64": + return "integer" + case "NullFloat64": + return "real" + case "NullBool": + return "integer" + case "Time": + return "datetime" + } + + if maxsize < 1 { + maxsize = 255 + } + return fmt.Sprintf("varchar(%d)", maxsize) +} + +// Returns autoincrement +func (d SqliteDialect) AutoIncrStr() string { + return "autoincrement" +} + +func (d SqliteDialect) AutoIncrBindValue() string { + return "null" +} + +func (d SqliteDialect) AutoIncrInsertSuffix(col *ColumnMap) string { + return "" +} + +// Returns suffix +func (d SqliteDialect) CreateTableSuffix() string { + return d.suffix +} + +func (d SqliteDialect) CreateIndexSuffix() string { + return "" +} + +func (d SqliteDialect) DropIndexSuffix() string { + return "" +} + +// With sqlite, there technically isn't a TRUNCATE statement, +// but a DELETE FROM uses a truncate optimization: +// http://www.sqlite.org/lang_delete.html +func (d SqliteDialect) TruncateClause() string { + return "delete from" +} + +// Returns "?" +func (d SqliteDialect) BindVar(i int) string { + return "?" +} + +func (d SqliteDialect) InsertAutoIncr(exec SqlExecutor, insertSql string, params ...interface{}) (int64, error) { + return standardInsertAutoIncr(exec, insertSql, params...) +} + +func (d SqliteDialect) QuoteField(f string) string { + return `"` + f + `"` +} + +// sqlite does not have schemas like PostgreSQL does, so just escape it like normal +func (d SqliteDialect) QuotedTableForQuery(schema string, table string) string { + return d.QuoteField(table) +} + +func (d SqliteDialect) IfSchemaNotExists(command, schema string) string { + return fmt.Sprintf("%s if not exists", command) +} + +func (d SqliteDialect) IfTableExists(command, schema, table string) string { + return fmt.Sprintf("%s if exists", command) +} + +func (d SqliteDialect) IfTableNotExists(command, schema, table string) string { + return fmt.Sprintf("%s if not exists", command) +} diff --git a/vendor/github.com/go-gorp/gorp/v3/dialect_sqlserver.go b/vendor/github.com/go-gorp/gorp/v3/dialect_sqlserver.go new file mode 100644 index 0000000000..ec06aed66f --- /dev/null +++ b/vendor/github.com/go-gorp/gorp/v3/dialect_sqlserver.go @@ -0,0 +1,145 @@ +// Copyright 2012 James Cooper. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package gorp + +import ( + "fmt" + "reflect" + "strings" +) + +// Implementation of Dialect for Microsoft SQL Server databases. +// Use gorp.SqlServerDialect{"2005"} for legacy datatypes. +// Tested with driver: github.com/denisenkom/go-mssqldb + +type SqlServerDialect struct { + + // If set to "2005" legacy datatypes will be used + Version string +} + +func (d SqlServerDialect) ToSqlType(val reflect.Type, maxsize int, isAutoIncr bool) string { + switch val.Kind() { + case reflect.Ptr: + return d.ToSqlType(val.Elem(), maxsize, isAutoIncr) + case reflect.Bool: + return "bit" + case reflect.Int8: + return "tinyint" + case reflect.Uint8: + return "smallint" + case reflect.Int16: + return "smallint" + case reflect.Uint16: + return "int" + case reflect.Int, reflect.Int32: + return "int" + case reflect.Uint, reflect.Uint32: + return "bigint" + case reflect.Int64: + return "bigint" + case reflect.Uint64: + return "numeric(20,0)" + case reflect.Float32: + return "float(24)" + case reflect.Float64: + return "float(53)" + case reflect.Slice: + if val.Elem().Kind() == reflect.Uint8 { + return "varbinary" + } + } + + switch val.Name() { + case "NullInt64": + return "bigint" + case "NullFloat64": + return "float(53)" + case "NullBool": + return "bit" + case "NullTime", "Time": + if d.Version == "2005" { + return "datetime" + } + return "datetime2" + } + + if maxsize < 1 { + if d.Version == "2005" { + maxsize = 255 + } else { + return fmt.Sprintf("nvarchar(max)") + } + } + return fmt.Sprintf("nvarchar(%d)", maxsize) +} + +// Returns auto_increment +func (d SqlServerDialect) AutoIncrStr() string { + return "identity(0,1)" +} + +// Empty string removes autoincrement columns from the INSERT statements. +func (d SqlServerDialect) AutoIncrBindValue() string { + return "" +} + +func (d SqlServerDialect) AutoIncrInsertSuffix(col *ColumnMap) string { + return "" +} + +func (d SqlServerDialect) CreateTableSuffix() string { return ";" } + +func (d SqlServerDialect) TruncateClause() string { + return "truncate table" +} + +// Returns "?" +func (d SqlServerDialect) BindVar(i int) string { + return "?" +} + +func (d SqlServerDialect) InsertAutoIncr(exec SqlExecutor, insertSql string, params ...interface{}) (int64, error) { + return standardInsertAutoIncr(exec, insertSql, params...) +} + +func (d SqlServerDialect) QuoteField(f string) string { + return "[" + strings.Replace(f, "]", "]]", -1) + "]" +} + +func (d SqlServerDialect) QuotedTableForQuery(schema string, table string) string { + if strings.TrimSpace(schema) == "" { + return d.QuoteField(table) + } + return d.QuoteField(schema) + "." + d.QuoteField(table) +} + +func (d SqlServerDialect) QuerySuffix() string { return ";" } + +func (d SqlServerDialect) IfSchemaNotExists(command, schema string) string { + s := fmt.Sprintf("if schema_id(N'%s') is null %s", schema, command) + return s +} + +func (d SqlServerDialect) IfTableExists(command, schema, table string) string { + var schema_clause string + if strings.TrimSpace(schema) != "" { + schema_clause = fmt.Sprintf("%s.", d.QuoteField(schema)) + } + s := fmt.Sprintf("if object_id('%s%s') is not null %s", schema_clause, d.QuoteField(table), command) + return s +} + +func (d SqlServerDialect) IfTableNotExists(command, schema, table string) string { + var schema_clause string + if strings.TrimSpace(schema) != "" { + schema_clause = fmt.Sprintf("%s.", schema) + } + s := fmt.Sprintf("if object_id('%s%s') is null %s", schema_clause, table, command) + return s +} + +func (d SqlServerDialect) CreateIndexSuffix() string { return "" } +func (d SqlServerDialect) DropIndexSuffix() string { return "" } diff --git a/vendor/github.com/go-gorp/gorp/v3/doc.go b/vendor/github.com/go-gorp/gorp/v3/doc.go new file mode 100644 index 0000000000..593f1c3c12 --- /dev/null +++ b/vendor/github.com/go-gorp/gorp/v3/doc.go @@ -0,0 +1,11 @@ +// Copyright 2012 James Cooper. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +// Package gorp provides a simple way to marshal Go structs to and from +// SQL databases. It uses the database/sql package, and should work with any +// compliant database/sql driver. +// +// Source code and project home: +// https://github.com/go-gorp/gorp +package gorp diff --git a/vendor/github.com/go-gorp/gorp/v3/errors.go b/vendor/github.com/go-gorp/gorp/v3/errors.go new file mode 100644 index 0000000000..752ad1bca4 --- /dev/null +++ b/vendor/github.com/go-gorp/gorp/v3/errors.go @@ -0,0 +1,31 @@ +// Copyright 2012 James Cooper. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package gorp + +import ( + "fmt" +) + +// A non-fatal error, when a select query returns columns that do not exist +// as fields in the struct it is being mapped to +// TODO: discuss wether this needs an error. encoding/json silently ignores missing fields +type NoFieldInTypeError struct { + TypeName string + MissingColNames []string +} + +func (err *NoFieldInTypeError) Error() string { + return fmt.Sprintf("gorp: no fields %+v in type %s", err.MissingColNames, err.TypeName) +} + +// returns true if the error is non-fatal (ie, we shouldn't immediately return) +func NonFatalError(err error) bool { + switch err.(type) { + case *NoFieldInTypeError: + return true + default: + return false + } +} diff --git a/vendor/github.com/go-gorp/gorp/v3/gorp.go b/vendor/github.com/go-gorp/gorp/v3/gorp.go new file mode 100644 index 0000000000..fc6545676d --- /dev/null +++ b/vendor/github.com/go-gorp/gorp/v3/gorp.go @@ -0,0 +1,672 @@ +// Copyright 2012 James Cooper. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package gorp + +import ( + "context" + "database/sql" + "database/sql/driver" + "fmt" + "reflect" + "regexp" + "strings" + "time" +) + +// OracleString (empty string is null) +// TODO: move to dialect/oracle?, rename to String? +type OracleString struct { + sql.NullString +} + +// Scan implements the Scanner interface. +func (os *OracleString) Scan(value interface{}) error { + if value == nil { + os.String, os.Valid = "", false + return nil + } + os.Valid = true + return os.NullString.Scan(value) +} + +// Value implements the driver Valuer interface. +func (os OracleString) Value() (driver.Value, error) { + if !os.Valid || os.String == "" { + return nil, nil + } + return os.String, nil +} + +// SqlTyper is a type that returns its database type. Most of the +// time, the type can just use "database/sql/driver".Valuer; but when +// it returns nil for its empty value, it needs to implement SqlTyper +// to have its column type detected properly during table creation. +type SqlTyper interface { + SqlType() driver.Value +} + +// legacySqlTyper prevents breaking clients who depended on the previous +// SqlTyper interface +type legacySqlTyper interface { + SqlType() driver.Valuer +} + +// for fields that exists in DB table, but not exists in struct +type dummyField struct{} + +// Scan implements the Scanner interface. +func (nt *dummyField) Scan(value interface{}) error { + return nil +} + +var zeroVal reflect.Value +var versFieldConst = "[gorp_ver_field]" + +// The TypeConverter interface provides a way to map a value of one +// type to another type when persisting to, or loading from, a database. +// +// Example use cases: Implement type converter to convert bool types to "y"/"n" strings, +// or serialize a struct member as a JSON blob. +type TypeConverter interface { + // ToDb converts val to another type. Called before INSERT/UPDATE operations + ToDb(val interface{}) (interface{}, error) + + // FromDb returns a CustomScanner appropriate for this type. This will be used + // to hold values returned from SELECT queries. + // + // In particular the CustomScanner returned should implement a Binder + // function appropriate for the Go type you wish to convert the db value to + // + // If bool==false, then no custom scanner will be used for this field. + FromDb(target interface{}) (CustomScanner, bool) +} + +// SqlExecutor exposes gorp operations that can be run from Pre/Post +// hooks. This hides whether the current operation that triggered the +// hook is in a transaction. +// +// See the DbMap function docs for each of the functions below for more +// information. +type SqlExecutor interface { + WithContext(ctx context.Context) SqlExecutor + Get(i interface{}, keys ...interface{}) (interface{}, error) + Insert(list ...interface{}) error + Update(list ...interface{}) (int64, error) + Delete(list ...interface{}) (int64, error) + Exec(query string, args ...interface{}) (sql.Result, error) + Select(i interface{}, query string, args ...interface{}) ([]interface{}, error) + SelectInt(query string, args ...interface{}) (int64, error) + SelectNullInt(query string, args ...interface{}) (sql.NullInt64, error) + SelectFloat(query string, args ...interface{}) (float64, error) + SelectNullFloat(query string, args ...interface{}) (sql.NullFloat64, error) + SelectStr(query string, args ...interface{}) (string, error) + SelectNullStr(query string, args ...interface{}) (sql.NullString, error) + SelectOne(holder interface{}, query string, args ...interface{}) error + Query(query string, args ...interface{}) (*sql.Rows, error) + QueryRow(query string, args ...interface{}) *sql.Row +} + +// DynamicTable allows the users of gorp to dynamically +// use different database table names during runtime +// while sharing the same golang struct for in-memory data +type DynamicTable interface { + TableName() string + SetTableName(string) +} + +// Compile-time check that DbMap and Transaction implement the SqlExecutor +// interface. +var _, _ SqlExecutor = &DbMap{}, &Transaction{} + +func argValue(a interface{}) interface{} { + v, ok := a.(driver.Valuer) + if !ok { + return a + } + vV := reflect.ValueOf(v) + if vV.Kind() == reflect.Ptr && vV.IsNil() { + return nil + } + ret, err := v.Value() + if err != nil { + return a + } + return ret +} + +func argsString(args ...interface{}) string { + var margs string + for i, a := range args { + v := argValue(a) + switch v.(type) { + case string: + v = fmt.Sprintf("%q", v) + default: + v = fmt.Sprintf("%v", v) + } + margs += fmt.Sprintf("%d:%s", i+1, v) + if i+1 < len(args) { + margs += " " + } + } + return margs +} + +// Calls the Exec function on the executor, but attempts to expand any eligible named +// query arguments first. +func maybeExpandNamedQueryAndExec(e SqlExecutor, query string, args ...interface{}) (sql.Result, error) { + dbMap := extractDbMap(e) + + if len(args) == 1 { + query, args = maybeExpandNamedQuery(dbMap, query, args) + } + + return exec(e, query, args...) +} + +func extractDbMap(e SqlExecutor) *DbMap { + switch m := e.(type) { + case *DbMap: + return m + case *Transaction: + return m.dbmap + } + return nil +} + +// executor exposes the sql.DB and sql.Tx functions so that it can be used +// on internal functions that need to be agnostic to the underlying object. +type executor interface { + Exec(query string, args ...interface{}) (sql.Result, error) + Prepare(query string) (*sql.Stmt, error) + QueryRow(query string, args ...interface{}) *sql.Row + Query(query string, args ...interface{}) (*sql.Rows, error) + ExecContext(ctx context.Context, query string, args ...interface{}) (sql.Result, error) + PrepareContext(ctx context.Context, query string) (*sql.Stmt, error) + QueryRowContext(ctx context.Context, query string, args ...interface{}) *sql.Row + QueryContext(ctx context.Context, query string, args ...interface{}) (*sql.Rows, error) +} + +func extractExecutorAndContext(e SqlExecutor) (executor, context.Context) { + switch m := e.(type) { + case *DbMap: + return m.Db, m.ctx + case *Transaction: + return m.tx, m.ctx + } + return nil, nil +} + +// maybeExpandNamedQuery checks the given arg to see if it's eligible to be used +// as input to a named query. If so, it rewrites the query to use +// dialect-dependent bindvars and instantiates the corresponding slice of +// parameters by extracting data from the map / struct. +// If not, returns the input values unchanged. +func maybeExpandNamedQuery(m *DbMap, query string, args []interface{}) (string, []interface{}) { + var ( + arg = args[0] + argval = reflect.ValueOf(arg) + ) + if argval.Kind() == reflect.Ptr { + argval = argval.Elem() + } + + if argval.Kind() == reflect.Map && argval.Type().Key().Kind() == reflect.String { + return expandNamedQuery(m, query, func(key string) reflect.Value { + return argval.MapIndex(reflect.ValueOf(key)) + }) + } + if argval.Kind() != reflect.Struct { + return query, args + } + if _, ok := arg.(time.Time); ok { + // time.Time is driver.Value + return query, args + } + if _, ok := arg.(driver.Valuer); ok { + // driver.Valuer will be converted to driver.Value. + return query, args + } + + return expandNamedQuery(m, query, argval.FieldByName) +} + +var keyRegexp = regexp.MustCompile(`:[[:word:]]+`) + +// expandNamedQuery accepts a query with placeholders of the form ":key", and a +// single arg of Kind Struct or Map[string]. It returns the query with the +// dialect's placeholders, and a slice of args ready for positional insertion +// into the query. +func expandNamedQuery(m *DbMap, query string, keyGetter func(key string) reflect.Value) (string, []interface{}) { + var ( + n int + args []interface{} + ) + return keyRegexp.ReplaceAllStringFunc(query, func(key string) string { + val := keyGetter(key[1:]) + if !val.IsValid() { + return key + } + args = append(args, val.Interface()) + newVar := m.Dialect.BindVar(n) + n++ + return newVar + }), args +} + +func columnToFieldIndex(m *DbMap, t reflect.Type, name string, cols []string) ([][]int, error) { + colToFieldIndex := make([][]int, len(cols)) + + // check if type t is a mapped table - if so we'll + // check the table for column aliasing below + tableMapped := false + table := tableOrNil(m, t, name) + if table != nil { + tableMapped = true + } + + // Loop over column names and find field in i to bind to + // based on column name. all returned columns must match + // a field in the i struct + missingColNames := []string{} + for x := range cols { + colName := strings.ToLower(cols[x]) + field, found := t.FieldByNameFunc(func(fieldName string) bool { + field, _ := t.FieldByName(fieldName) + cArguments := strings.Split(field.Tag.Get("db"), ",") + fieldName = cArguments[0] + + if fieldName == "-" { + return false + } else if fieldName == "" { + fieldName = field.Name + } + if tableMapped { + colMap := colMapOrNil(table, fieldName) + if colMap != nil { + fieldName = colMap.ColumnName + } + } + return colName == strings.ToLower(fieldName) + }) + if found { + colToFieldIndex[x] = field.Index + } + if colToFieldIndex[x] == nil { + missingColNames = append(missingColNames, colName) + } + } + if len(missingColNames) > 0 { + return colToFieldIndex, &NoFieldInTypeError{ + TypeName: t.Name(), + MissingColNames: missingColNames, + } + } + return colToFieldIndex, nil +} + +func fieldByName(val reflect.Value, fieldName string) *reflect.Value { + // try to find field by exact match + f := val.FieldByName(fieldName) + + if f != zeroVal { + return &f + } + + // try to find by case insensitive match - only the Postgres driver + // seems to require this - in the case where columns are aliased in the sql + fieldNameL := strings.ToLower(fieldName) + fieldCount := val.NumField() + t := val.Type() + for i := 0; i < fieldCount; i++ { + sf := t.Field(i) + if strings.ToLower(sf.Name) == fieldNameL { + f := val.Field(i) + return &f + } + } + + return nil +} + +// toSliceType returns the element type of the given object, if the object is a +// "*[]*Element" or "*[]Element". If not, returns nil. +// err is returned if the user was trying to pass a pointer-to-slice but failed. +func toSliceType(i interface{}) (reflect.Type, error) { + t := reflect.TypeOf(i) + if t.Kind() != reflect.Ptr { + // If it's a slice, return a more helpful error message + if t.Kind() == reflect.Slice { + return nil, fmt.Errorf("gorp: cannot SELECT into a non-pointer slice: %v", t) + } + return nil, nil + } + if t = t.Elem(); t.Kind() != reflect.Slice { + return nil, nil + } + return t.Elem(), nil +} + +func toType(i interface{}) (reflect.Type, error) { + t := reflect.TypeOf(i) + + // If a Pointer to a type, follow + for t.Kind() == reflect.Ptr { + t = t.Elem() + } + + if t.Kind() != reflect.Struct { + return nil, fmt.Errorf("gorp: cannot SELECT into this type: %v", reflect.TypeOf(i)) + } + return t, nil +} + +type foundTable struct { + table *TableMap + dynName *string +} + +func tableFor(m *DbMap, t reflect.Type, i interface{}) (*foundTable, error) { + if dyn, isDynamic := i.(DynamicTable); isDynamic { + tableName := dyn.TableName() + table, err := m.DynamicTableFor(tableName, true) + if err != nil { + return nil, err + } + return &foundTable{ + table: table, + dynName: &tableName, + }, nil + } + table, err := m.TableFor(t, true) + if err != nil { + return nil, err + } + return &foundTable{table: table}, nil +} + +func get(m *DbMap, exec SqlExecutor, i interface{}, + keys ...interface{}) (interface{}, error) { + + t, err := toType(i) + if err != nil { + return nil, err + } + + foundTable, err := tableFor(m, t, i) + if err != nil { + return nil, err + } + table := foundTable.table + + plan := table.bindGet() + + v := reflect.New(t) + if foundTable.dynName != nil { + retDyn := v.Interface().(DynamicTable) + retDyn.SetTableName(*foundTable.dynName) + } + + dest := make([]interface{}, len(plan.argFields)) + + conv := m.TypeConverter + custScan := make([]CustomScanner, 0) + + for x, fieldName := range plan.argFields { + f := v.Elem().FieldByName(fieldName) + target := f.Addr().Interface() + if conv != nil { + scanner, ok := conv.FromDb(target) + if ok { + target = scanner.Holder + custScan = append(custScan, scanner) + } + } + dest[x] = target + } + + row := exec.QueryRow(plan.query, keys...) + err = row.Scan(dest...) + if err != nil { + if err == sql.ErrNoRows { + err = nil + } + return nil, err + } + + for _, c := range custScan { + err = c.Bind() + if err != nil { + return nil, err + } + } + + if v, ok := v.Interface().(HasPostGet); ok { + err := v.PostGet(exec) + if err != nil { + return nil, err + } + } + + return v.Interface(), nil +} + +func delete(m *DbMap, exec SqlExecutor, list ...interface{}) (int64, error) { + count := int64(0) + for _, ptr := range list { + table, elem, err := m.tableForPointer(ptr, true) + if err != nil { + return -1, err + } + + eval := elem.Addr().Interface() + if v, ok := eval.(HasPreDelete); ok { + err = v.PreDelete(exec) + if err != nil { + return -1, err + } + } + + bi, err := table.bindDelete(elem) + if err != nil { + return -1, err + } + + res, err := exec.Exec(bi.query, bi.args...) + if err != nil { + return -1, err + } + rows, err := res.RowsAffected() + if err != nil { + return -1, err + } + + if rows == 0 && bi.existingVersion > 0 { + return lockError(m, exec, table.TableName, + bi.existingVersion, elem, bi.keys...) + } + + count += rows + + if v, ok := eval.(HasPostDelete); ok { + err := v.PostDelete(exec) + if err != nil { + return -1, err + } + } + } + + return count, nil +} + +func update(m *DbMap, exec SqlExecutor, colFilter ColumnFilter, list ...interface{}) (int64, error) { + count := int64(0) + for _, ptr := range list { + table, elem, err := m.tableForPointer(ptr, true) + if err != nil { + return -1, err + } + + eval := elem.Addr().Interface() + if v, ok := eval.(HasPreUpdate); ok { + err = v.PreUpdate(exec) + if err != nil { + return -1, err + } + } + + bi, err := table.bindUpdate(elem, colFilter) + if err != nil { + return -1, err + } + + res, err := exec.Exec(bi.query, bi.args...) + if err != nil { + return -1, err + } + + rows, err := res.RowsAffected() + if err != nil { + return -1, err + } + + if rows == 0 && bi.existingVersion > 0 { + return lockError(m, exec, table.TableName, + bi.existingVersion, elem, bi.keys...) + } + + if bi.versField != "" { + elem.FieldByName(bi.versField).SetInt(bi.existingVersion + 1) + } + + count += rows + + if v, ok := eval.(HasPostUpdate); ok { + err = v.PostUpdate(exec) + if err != nil { + return -1, err + } + } + } + return count, nil +} + +func insert(m *DbMap, exec SqlExecutor, list ...interface{}) error { + for _, ptr := range list { + table, elem, err := m.tableForPointer(ptr, false) + if err != nil { + return err + } + + eval := elem.Addr().Interface() + if v, ok := eval.(HasPreInsert); ok { + err := v.PreInsert(exec) + if err != nil { + return err + } + } + + bi, err := table.bindInsert(elem) + if err != nil { + return err + } + + if bi.autoIncrIdx > -1 { + f := elem.FieldByName(bi.autoIncrFieldName) + switch inserter := m.Dialect.(type) { + case IntegerAutoIncrInserter: + id, err := inserter.InsertAutoIncr(exec, bi.query, bi.args...) + if err != nil { + return err + } + k := f.Kind() + if (k == reflect.Int) || (k == reflect.Int16) || (k == reflect.Int32) || (k == reflect.Int64) { + f.SetInt(id) + } else if (k == reflect.Uint) || (k == reflect.Uint16) || (k == reflect.Uint32) || (k == reflect.Uint64) { + f.SetUint(uint64(id)) + } else { + return fmt.Errorf("gorp: cannot set autoincrement value on non-Int field. SQL=%s autoIncrIdx=%d autoIncrFieldName=%s", bi.query, bi.autoIncrIdx, bi.autoIncrFieldName) + } + case TargetedAutoIncrInserter: + err := inserter.InsertAutoIncrToTarget(exec, bi.query, f.Addr().Interface(), bi.args...) + if err != nil { + return err + } + case TargetQueryInserter: + var idQuery = table.ColMap(bi.autoIncrFieldName).GeneratedIdQuery + if idQuery == "" { + return fmt.Errorf("gorp: cannot set %s value if its ColumnMap.GeneratedIdQuery is empty", bi.autoIncrFieldName) + } + err := inserter.InsertQueryToTarget(exec, bi.query, idQuery, f.Addr().Interface(), bi.args...) + if err != nil { + return err + } + default: + return fmt.Errorf("gorp: cannot use autoincrement fields on dialects that do not implement an autoincrementing interface") + } + } else { + _, err := exec.Exec(bi.query, bi.args...) + if err != nil { + return err + } + } + + if v, ok := eval.(HasPostInsert); ok { + err := v.PostInsert(exec) + if err != nil { + return err + } + } + } + return nil +} + +func exec(e SqlExecutor, query string, args ...interface{}) (sql.Result, error) { + executor, ctx := extractExecutorAndContext(e) + + if ctx != nil { + return executor.ExecContext(ctx, query, args...) + } + + return executor.Exec(query, args...) +} + +func prepare(e SqlExecutor, query string) (*sql.Stmt, error) { + executor, ctx := extractExecutorAndContext(e) + + if ctx != nil { + return executor.PrepareContext(ctx, query) + } + + return executor.Prepare(query) +} + +func queryRow(e SqlExecutor, query string, args ...interface{}) *sql.Row { + executor, ctx := extractExecutorAndContext(e) + + if ctx != nil { + return executor.QueryRowContext(ctx, query, args...) + } + + return executor.QueryRow(query, args...) +} + +func query(e SqlExecutor, query string, args ...interface{}) (*sql.Rows, error) { + executor, ctx := extractExecutorAndContext(e) + + if ctx != nil { + return executor.QueryContext(ctx, query, args...) + } + + return executor.Query(query, args...) +} + +func begin(m *DbMap) (*sql.Tx, error) { + if m.ctx != nil { + return m.Db.BeginTx(m.ctx, nil) + } + + return m.Db.Begin() +} diff --git a/vendor/github.com/go-gorp/gorp/v3/hooks.go b/vendor/github.com/go-gorp/gorp/v3/hooks.go new file mode 100644 index 0000000000..1e80bca7ee --- /dev/null +++ b/vendor/github.com/go-gorp/gorp/v3/hooks.go @@ -0,0 +1,42 @@ +// Copyright 2012 James Cooper. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package gorp + +//++ TODO v2-phase3: HasPostGet => PostGetter, HasPostDelete => PostDeleter, etc. + +// HasPostGet provides PostGet() which will be executed after the GET statement. +type HasPostGet interface { + PostGet(SqlExecutor) error +} + +// HasPostDelete provides PostDelete() which will be executed after the DELETE statement +type HasPostDelete interface { + PostDelete(SqlExecutor) error +} + +// HasPostUpdate provides PostUpdate() which will be executed after the UPDATE statement +type HasPostUpdate interface { + PostUpdate(SqlExecutor) error +} + +// HasPostInsert provides PostInsert() which will be executed after the INSERT statement +type HasPostInsert interface { + PostInsert(SqlExecutor) error +} + +// HasPreDelete provides PreDelete() which will be executed before the DELETE statement. +type HasPreDelete interface { + PreDelete(SqlExecutor) error +} + +// HasPreUpdate provides PreUpdate() which will be executed before UPDATE statement. +type HasPreUpdate interface { + PreUpdate(SqlExecutor) error +} + +// HasPreInsert provides PreInsert() which will be executed before INSERT statement. +type HasPreInsert interface { + PreInsert(SqlExecutor) error +} diff --git a/vendor/github.com/go-gorp/gorp/v3/index.go b/vendor/github.com/go-gorp/gorp/v3/index.go new file mode 100644 index 0000000000..df1cf55205 --- /dev/null +++ b/vendor/github.com/go-gorp/gorp/v3/index.go @@ -0,0 +1,49 @@ +// Copyright 2012 James Cooper. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package gorp + +// IndexMap represents a mapping between a Go struct field and a single +// index in a table. +// Unique and MaxSize only inform the +// CreateTables() function and are not used by Insert/Update/Delete/Get. +type IndexMap struct { + // Index name in db table + IndexName string + + // If true, " unique" is added to create index statements. + // Not used elsewhere + Unique bool + + // Index type supported by Dialect + // Postgres: B-tree, Hash, GiST and GIN. + // Mysql: Btree, Hash. + // Sqlite: nil. + IndexType string + + // Columns name for single and multiple indexes + columns []string +} + +// Rename allows you to specify the index name in the table +// +// Example: table.IndMap("customer_test_idx").Rename("customer_idx") +// +func (idx *IndexMap) Rename(indname string) *IndexMap { + idx.IndexName = indname + return idx +} + +// SetUnique adds "unique" to the create index statements for this +// index, if b is true. +func (idx *IndexMap) SetUnique(b bool) *IndexMap { + idx.Unique = b + return idx +} + +// SetIndexType specifies the index type supported by chousen SQL Dialect +func (idx *IndexMap) SetIndexType(indtype string) *IndexMap { + idx.IndexType = indtype + return idx +} diff --git a/vendor/github.com/go-gorp/gorp/v3/lockerror.go b/vendor/github.com/go-gorp/gorp/v3/lockerror.go new file mode 100644 index 0000000000..7e81891e2b --- /dev/null +++ b/vendor/github.com/go-gorp/gorp/v3/lockerror.go @@ -0,0 +1,56 @@ +// Copyright 2012 James Cooper. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package gorp + +import ( + "fmt" + "reflect" +) + +// OptimisticLockError is returned by Update() or Delete() if the +// struct being modified has a Version field and the value is not equal to +// the current value in the database +type OptimisticLockError struct { + // Table name where the lock error occurred + TableName string + + // Primary key values of the row being updated/deleted + Keys []interface{} + + // true if a row was found with those keys, indicating the + // LocalVersion is stale. false if no value was found with those + // keys, suggesting the row has been deleted since loaded, or + // was never inserted to begin with + RowExists bool + + // Version value on the struct passed to Update/Delete. This value is + // out of sync with the database. + LocalVersion int64 +} + +// Error returns a description of the cause of the lock error +func (e OptimisticLockError) Error() string { + if e.RowExists { + return fmt.Sprintf("gorp: OptimisticLockError table=%s keys=%v out of date version=%d", e.TableName, e.Keys, e.LocalVersion) + } + + return fmt.Sprintf("gorp: OptimisticLockError no row found for table=%s keys=%v", e.TableName, e.Keys) +} + +func lockError(m *DbMap, exec SqlExecutor, tableName string, + existingVer int64, elem reflect.Value, + keys ...interface{}) (int64, error) { + + existing, err := get(m, exec, elem.Interface(), keys...) + if err != nil { + return -1, err + } + + ole := OptimisticLockError{tableName, keys, true, existingVer} + if existing == nil { + ole.RowExists = false + } + return -1, ole +} diff --git a/vendor/github.com/go-gorp/gorp/v3/logging.go b/vendor/github.com/go-gorp/gorp/v3/logging.go new file mode 100644 index 0000000000..e8cba3db2c --- /dev/null +++ b/vendor/github.com/go-gorp/gorp/v3/logging.go @@ -0,0 +1,42 @@ +// Copyright 2012 James Cooper. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package gorp + +import "fmt" + +// GorpLogger is a deprecated alias of Logger. +type GorpLogger = Logger + +// Logger is the type that gorp uses to log SQL statements. +// See DbMap.TraceOn. +type Logger interface { + Printf(format string, v ...interface{}) +} + +// TraceOn turns on SQL statement logging for this DbMap. After this is +// called, all SQL statements will be sent to the logger. If prefix is +// a non-empty string, it will be written to the front of all logged +// strings, which can aid in filtering log lines. +// +// Use TraceOn if you want to spy on the SQL statements that gorp +// generates. +// +// Note that the base log.Logger type satisfies Logger, but adapters can +// easily be written for other logging packages (e.g., the golang-sanctioned +// glog framework). +func (m *DbMap) TraceOn(prefix string, logger Logger) { + m.logger = logger + if prefix == "" { + m.logPrefix = prefix + } else { + m.logPrefix = fmt.Sprintf("%s ", prefix) + } +} + +// TraceOff turns off tracing. It is idempotent. +func (m *DbMap) TraceOff() { + m.logger = nil + m.logPrefix = "" +} diff --git a/vendor/github.com/go-gorp/gorp/v3/nulltypes.go b/vendor/github.com/go-gorp/gorp/v3/nulltypes.go new file mode 100644 index 0000000000..87b21f83fa --- /dev/null +++ b/vendor/github.com/go-gorp/gorp/v3/nulltypes.go @@ -0,0 +1,65 @@ +// Copyright 2012 James Cooper. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package gorp + +import ( + "database/sql/driver" + "log" + "time" +) + +// A nullable Time value +type NullTime struct { + Time time.Time + Valid bool // Valid is true if Time is not NULL +} + +// Scan implements the Scanner interface. +func (nt *NullTime) Scan(value interface{}) error { + log.Printf("Time scan value is: %#v", value) + switch t := value.(type) { + case time.Time: + nt.Time, nt.Valid = t, true + case []byte: + v := strToTime(string(t)) + if v != nil { + nt.Valid = true + nt.Time = *v + } + case string: + v := strToTime(t) + if v != nil { + nt.Valid = true + nt.Time = *v + } + } + return nil +} + +func strToTime(v string) *time.Time { + for _, dtfmt := range []string{ + "2006-01-02 15:04:05.999999999", + "2006-01-02T15:04:05.999999999", + "2006-01-02 15:04:05", + "2006-01-02T15:04:05", + "2006-01-02 15:04", + "2006-01-02T15:04", + "2006-01-02", + "2006-01-02 15:04:05-07:00", + } { + if t, err := time.Parse(dtfmt, v); err == nil { + return &t + } + } + return nil +} + +// Value implements the driver Valuer interface. +func (nt NullTime) Value() (driver.Value, error) { + if !nt.Valid { + return nil, nil + } + return nt.Time, nil +} diff --git a/vendor/github.com/go-gorp/gorp/v3/select.go b/vendor/github.com/go-gorp/gorp/v3/select.go new file mode 100644 index 0000000000..2d2d596186 --- /dev/null +++ b/vendor/github.com/go-gorp/gorp/v3/select.go @@ -0,0 +1,359 @@ +// Copyright 2012 James Cooper. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package gorp + +import ( + "database/sql" + "fmt" + "reflect" +) + +// SelectInt executes the given query, which should be a SELECT statement for a single +// integer column, and returns the value of the first row returned. If no rows are +// found, zero is returned. +func SelectInt(e SqlExecutor, query string, args ...interface{}) (int64, error) { + var h int64 + err := selectVal(e, &h, query, args...) + if err != nil && err != sql.ErrNoRows { + return 0, err + } + return h, nil +} + +// SelectNullInt executes the given query, which should be a SELECT statement for a single +// integer column, and returns the value of the first row returned. If no rows are +// found, the empty sql.NullInt64 value is returned. +func SelectNullInt(e SqlExecutor, query string, args ...interface{}) (sql.NullInt64, error) { + var h sql.NullInt64 + err := selectVal(e, &h, query, args...) + if err != nil && err != sql.ErrNoRows { + return h, err + } + return h, nil +} + +// SelectFloat executes the given query, which should be a SELECT statement for a single +// float column, and returns the value of the first row returned. If no rows are +// found, zero is returned. +func SelectFloat(e SqlExecutor, query string, args ...interface{}) (float64, error) { + var h float64 + err := selectVal(e, &h, query, args...) + if err != nil && err != sql.ErrNoRows { + return 0, err + } + return h, nil +} + +// SelectNullFloat executes the given query, which should be a SELECT statement for a single +// float column, and returns the value of the first row returned. If no rows are +// found, the empty sql.NullInt64 value is returned. +func SelectNullFloat(e SqlExecutor, query string, args ...interface{}) (sql.NullFloat64, error) { + var h sql.NullFloat64 + err := selectVal(e, &h, query, args...) + if err != nil && err != sql.ErrNoRows { + return h, err + } + return h, nil +} + +// SelectStr executes the given query, which should be a SELECT statement for a single +// char/varchar column, and returns the value of the first row returned. If no rows are +// found, an empty string is returned. +func SelectStr(e SqlExecutor, query string, args ...interface{}) (string, error) { + var h string + err := selectVal(e, &h, query, args...) + if err != nil && err != sql.ErrNoRows { + return "", err + } + return h, nil +} + +// SelectNullStr executes the given query, which should be a SELECT +// statement for a single char/varchar column, and returns the value +// of the first row returned. If no rows are found, the empty +// sql.NullString is returned. +func SelectNullStr(e SqlExecutor, query string, args ...interface{}) (sql.NullString, error) { + var h sql.NullString + err := selectVal(e, &h, query, args...) + if err != nil && err != sql.ErrNoRows { + return h, err + } + return h, nil +} + +// SelectOne executes the given query (which should be a SELECT statement) +// and binds the result to holder, which must be a pointer. +// +// If no row is found, an error (sql.ErrNoRows specifically) will be returned +// +// If more than one row is found, an error will be returned. +// +func SelectOne(m *DbMap, e SqlExecutor, holder interface{}, query string, args ...interface{}) error { + t := reflect.TypeOf(holder) + if t.Kind() == reflect.Ptr { + t = t.Elem() + } else { + return fmt.Errorf("gorp: SelectOne holder must be a pointer, but got: %t", holder) + } + + // Handle pointer to pointer + isptr := false + if t.Kind() == reflect.Ptr { + isptr = true + t = t.Elem() + } + + if t.Kind() == reflect.Struct { + var nonFatalErr error + + list, err := hookedselect(m, e, holder, query, args...) + if err != nil { + if !NonFatalError(err) { // FIXME: double negative, rename NonFatalError to FatalError + return err + } + nonFatalErr = err + } + + dest := reflect.ValueOf(holder) + if isptr { + dest = dest.Elem() + } + + if list != nil && len(list) > 0 { // FIXME: invert if/else + // check for multiple rows + if len(list) > 1 { + return fmt.Errorf("gorp: multiple rows returned for: %s - %v", query, args) + } + + // Initialize if nil + if dest.IsNil() { + dest.Set(reflect.New(t)) + } + + // only one row found + src := reflect.ValueOf(list[0]) + dest.Elem().Set(src.Elem()) + } else { + // No rows found, return a proper error. + return sql.ErrNoRows + } + + return nonFatalErr + } + + return selectVal(e, holder, query, args...) +} + +func selectVal(e SqlExecutor, holder interface{}, query string, args ...interface{}) error { + if len(args) == 1 { + switch m := e.(type) { + case *DbMap: + query, args = maybeExpandNamedQuery(m, query, args) + case *Transaction: + query, args = maybeExpandNamedQuery(m.dbmap, query, args) + } + } + rows, err := e.Query(query, args...) + if err != nil { + return err + } + defer rows.Close() + + if !rows.Next() { + if err := rows.Err(); err != nil { + return err + } + return sql.ErrNoRows + } + + return rows.Scan(holder) +} + +func hookedselect(m *DbMap, exec SqlExecutor, i interface{}, query string, + args ...interface{}) ([]interface{}, error) { + + var nonFatalErr error + + list, err := rawselect(m, exec, i, query, args...) + if err != nil { + if !NonFatalError(err) { + return nil, err + } + nonFatalErr = err + } + + // Determine where the results are: written to i, or returned in list + if t, _ := toSliceType(i); t == nil { + for _, v := range list { + if v, ok := v.(HasPostGet); ok { + err := v.PostGet(exec) + if err != nil { + return nil, err + } + } + } + } else { + resultsValue := reflect.Indirect(reflect.ValueOf(i)) + for i := 0; i < resultsValue.Len(); i++ { + if v, ok := resultsValue.Index(i).Interface().(HasPostGet); ok { + err := v.PostGet(exec) + if err != nil { + return nil, err + } + } + } + } + return list, nonFatalErr +} + +func rawselect(m *DbMap, exec SqlExecutor, i interface{}, query string, + args ...interface{}) ([]interface{}, error) { + var ( + appendToSlice = false // Write results to i directly? + intoStruct = true // Selecting into a struct? + pointerElements = true // Are the slice elements pointers (vs values)? + ) + + var nonFatalErr error + + tableName := "" + var dynObj DynamicTable + isDynamic := false + if dynObj, isDynamic = i.(DynamicTable); isDynamic { + tableName = dynObj.TableName() + } + + // get type for i, verifying it's a supported destination + t, err := toType(i) + if err != nil { + var err2 error + if t, err2 = toSliceType(i); t == nil { + if err2 != nil { + return nil, err2 + } + return nil, err + } + pointerElements = t.Kind() == reflect.Ptr + if pointerElements { + t = t.Elem() + } + appendToSlice = true + intoStruct = t.Kind() == reflect.Struct + } + + // If the caller supplied a single struct/map argument, assume a "named + // parameter" query. Extract the named arguments from the struct/map, create + // the flat arg slice, and rewrite the query to use the dialect's placeholder. + if len(args) == 1 { + query, args = maybeExpandNamedQuery(m, query, args) + } + + // Run the query + rows, err := exec.Query(query, args...) + if err != nil { + return nil, err + } + defer rows.Close() + + // Fetch the column names as returned from db + cols, err := rows.Columns() + if err != nil { + return nil, err + } + + if !intoStruct && len(cols) > 1 { + return nil, fmt.Errorf("gorp: select into non-struct slice requires 1 column, got %d", len(cols)) + } + + var colToFieldIndex [][]int + if intoStruct { + colToFieldIndex, err = columnToFieldIndex(m, t, tableName, cols) + if err != nil { + if !NonFatalError(err) { + return nil, err + } + nonFatalErr = err + } + } + + conv := m.TypeConverter + + // Add results to one of these two slices. + var ( + list = make([]interface{}, 0) + sliceValue = reflect.Indirect(reflect.ValueOf(i)) + ) + + for { + if !rows.Next() { + // if error occured return rawselect + if rows.Err() != nil { + return nil, rows.Err() + } + // time to exit from outer "for" loop + break + } + v := reflect.New(t) + + if isDynamic { + v.Interface().(DynamicTable).SetTableName(tableName) + } + + dest := make([]interface{}, len(cols)) + + custScan := make([]CustomScanner, 0) + + for x := range cols { + f := v.Elem() + if intoStruct { + index := colToFieldIndex[x] + if index == nil { + // this field is not present in the struct, so create a dummy + // value for rows.Scan to scan into + var dummy dummyField + dest[x] = &dummy + continue + } + f = f.FieldByIndex(index) + } + target := f.Addr().Interface() + if conv != nil { + scanner, ok := conv.FromDb(target) + if ok { + target = scanner.Holder + custScan = append(custScan, scanner) + } + } + dest[x] = target + } + + err = rows.Scan(dest...) + if err != nil { + return nil, err + } + + for _, c := range custScan { + err = c.Bind() + if err != nil { + return nil, err + } + } + + if appendToSlice { + if !pointerElements { + v = v.Elem() + } + sliceValue.Set(reflect.Append(sliceValue, v)) + } else { + list = append(list, v.Interface()) + } + } + + if appendToSlice && sliceValue.IsNil() { + sliceValue.Set(reflect.MakeSlice(sliceValue.Type(), 0, 0)) + } + + return list, nonFatalErr +} diff --git a/vendor/github.com/go-gorp/gorp/v3/table.go b/vendor/github.com/go-gorp/gorp/v3/table.go new file mode 100644 index 0000000000..5931b2d9eb --- /dev/null +++ b/vendor/github.com/go-gorp/gorp/v3/table.go @@ -0,0 +1,258 @@ +// Copyright 2012 James Cooper. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package gorp + +import ( + "bytes" + "fmt" + "reflect" + "strings" +) + +// TableMap represents a mapping between a Go struct and a database table +// Use dbmap.AddTable() or dbmap.AddTableWithName() to create these +type TableMap struct { + // Name of database table. + TableName string + SchemaName string + gotype reflect.Type + Columns []*ColumnMap + keys []*ColumnMap + indexes []*IndexMap + uniqueTogether [][]string + version *ColumnMap + insertPlan bindPlan + updatePlan bindPlan + deletePlan bindPlan + getPlan bindPlan + dbmap *DbMap +} + +// ResetSql removes cached insert/update/select/delete SQL strings +// associated with this TableMap. Call this if you've modified +// any column names or the table name itself. +func (t *TableMap) ResetSql() { + t.insertPlan = bindPlan{} + t.updatePlan = bindPlan{} + t.deletePlan = bindPlan{} + t.getPlan = bindPlan{} +} + +// SetKeys lets you specify the fields on a struct that map to primary +// key columns on the table. If isAutoIncr is set, result.LastInsertId() +// will be used after INSERT to bind the generated id to the Go struct. +// +// Automatically calls ResetSql() to ensure SQL statements are regenerated. +// +// Panics if isAutoIncr is true, and fieldNames length != 1 +// +func (t *TableMap) SetKeys(isAutoIncr bool, fieldNames ...string) *TableMap { + if isAutoIncr && len(fieldNames) != 1 { + panic(fmt.Sprintf( + "gorp: SetKeys: fieldNames length must be 1 if key is auto-increment. (Saw %v fieldNames)", + len(fieldNames))) + } + t.keys = make([]*ColumnMap, 0) + for _, name := range fieldNames { + colmap := t.ColMap(name) + colmap.isPK = true + colmap.isAutoIncr = isAutoIncr + t.keys = append(t.keys, colmap) + } + t.ResetSql() + + return t +} + +// SetUniqueTogether lets you specify uniqueness constraints across multiple +// columns on the table. Each call adds an additional constraint for the +// specified columns. +// +// Automatically calls ResetSql() to ensure SQL statements are regenerated. +// +// Panics if fieldNames length < 2. +// +func (t *TableMap) SetUniqueTogether(fieldNames ...string) *TableMap { + if len(fieldNames) < 2 { + panic(fmt.Sprintf( + "gorp: SetUniqueTogether: must provide at least two fieldNames to set uniqueness constraint.")) + } + + columns := make([]string, 0, len(fieldNames)) + for _, name := range fieldNames { + columns = append(columns, name) + } + + for _, existingColumns := range t.uniqueTogether { + if equal(existingColumns, columns) { + return t + } + } + t.uniqueTogether = append(t.uniqueTogether, columns) + t.ResetSql() + + return t +} + +// ColMap returns the ColumnMap pointer matching the given struct field +// name. It panics if the struct does not contain a field matching this +// name. +func (t *TableMap) ColMap(field string) *ColumnMap { + col := colMapOrNil(t, field) + if col == nil { + e := fmt.Sprintf("No ColumnMap in table %s type %s with field %s", + t.TableName, t.gotype.Name(), field) + + panic(e) + } + return col +} + +func colMapOrNil(t *TableMap, field string) *ColumnMap { + for _, col := range t.Columns { + if col.fieldName == field || col.ColumnName == field { + return col + } + } + return nil +} + +// IdxMap returns the IndexMap pointer matching the given index name. +func (t *TableMap) IdxMap(field string) *IndexMap { + for _, idx := range t.indexes { + if idx.IndexName == field { + return idx + } + } + return nil +} + +// AddIndex registers the index with gorp for specified table with given parameters. +// This operation is idempotent. If index is already mapped, the +// existing *IndexMap is returned +// Function will panic if one of the given for index columns does not exists +// +// Automatically calls ResetSql() to ensure SQL statements are regenerated. +// +func (t *TableMap) AddIndex(name string, idxtype string, columns []string) *IndexMap { + // check if we have a index with this name already + for _, idx := range t.indexes { + if idx.IndexName == name { + return idx + } + } + for _, icol := range columns { + if res := t.ColMap(icol); res == nil { + e := fmt.Sprintf("No ColumnName in table %s to create index on", t.TableName) + panic(e) + } + } + + idx := &IndexMap{IndexName: name, Unique: false, IndexType: idxtype, columns: columns} + t.indexes = append(t.indexes, idx) + t.ResetSql() + return idx +} + +// SetVersionCol sets the column to use as the Version field. By default +// the "Version" field is used. Returns the column found, or panics +// if the struct does not contain a field matching this name. +// +// Automatically calls ResetSql() to ensure SQL statements are regenerated. +func (t *TableMap) SetVersionCol(field string) *ColumnMap { + c := t.ColMap(field) + t.version = c + t.ResetSql() + return c +} + +// SqlForCreateTable gets a sequence of SQL commands that will create +// the specified table and any associated schema +func (t *TableMap) SqlForCreate(ifNotExists bool) string { + s := bytes.Buffer{} + dialect := t.dbmap.Dialect + + if strings.TrimSpace(t.SchemaName) != "" { + schemaCreate := "create schema" + if ifNotExists { + s.WriteString(dialect.IfSchemaNotExists(schemaCreate, t.SchemaName)) + } else { + s.WriteString(schemaCreate) + } + s.WriteString(fmt.Sprintf(" %s;", t.SchemaName)) + } + + tableCreate := "create table" + if ifNotExists { + s.WriteString(dialect.IfTableNotExists(tableCreate, t.SchemaName, t.TableName)) + } else { + s.WriteString(tableCreate) + } + s.WriteString(fmt.Sprintf(" %s (", dialect.QuotedTableForQuery(t.SchemaName, t.TableName))) + + x := 0 + for _, col := range t.Columns { + if !col.Transient { + if x > 0 { + s.WriteString(", ") + } + stype := dialect.ToSqlType(col.gotype, col.MaxSize, col.isAutoIncr) + s.WriteString(fmt.Sprintf("%s %s", dialect.QuoteField(col.ColumnName), stype)) + + if col.isPK || col.isNotNull { + s.WriteString(" not null") + } + if col.isPK && len(t.keys) == 1 { + s.WriteString(" primary key") + } + if col.Unique { + s.WriteString(" unique") + } + if col.isAutoIncr { + s.WriteString(fmt.Sprintf(" %s", dialect.AutoIncrStr())) + } + + x++ + } + } + if len(t.keys) > 1 { + s.WriteString(", primary key (") + for x := range t.keys { + if x > 0 { + s.WriteString(", ") + } + s.WriteString(dialect.QuoteField(t.keys[x].ColumnName)) + } + s.WriteString(")") + } + if len(t.uniqueTogether) > 0 { + for _, columns := range t.uniqueTogether { + s.WriteString(", unique (") + for i, column := range columns { + if i > 0 { + s.WriteString(", ") + } + s.WriteString(dialect.QuoteField(column)) + } + s.WriteString(")") + } + } + s.WriteString(") ") + s.WriteString(dialect.CreateTableSuffix()) + s.WriteString(dialect.QuerySuffix()) + return s.String() +} + +func equal(a, b []string) bool { + if len(a) != len(b) { + return false + } + for i := range a { + if a[i] != b[i] { + return false + } + } + return true +} diff --git a/vendor/github.com/go-gorp/gorp/v3/table_bindings.go b/vendor/github.com/go-gorp/gorp/v3/table_bindings.go new file mode 100644 index 0000000000..43c0b3dd48 --- /dev/null +++ b/vendor/github.com/go-gorp/gorp/v3/table_bindings.go @@ -0,0 +1,305 @@ +// Copyright 2012 James Cooper. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package gorp + +import ( + "bytes" + "fmt" + "reflect" + "sync" +) + +// CustomScanner binds a database column value to a Go type +type CustomScanner struct { + // After a row is scanned, Holder will contain the value from the database column. + // Initialize the CustomScanner with the concrete Go type you wish the database + // driver to scan the raw column into. + Holder interface{} + // Target typically holds a pointer to the target struct field to bind the Holder + // value to. + Target interface{} + // Binder is a custom function that converts the holder value to the target type + // and sets target accordingly. This function should return error if a problem + // occurs converting the holder to the target. + Binder func(holder interface{}, target interface{}) error +} + +// Used to filter columns when selectively updating +type ColumnFilter func(*ColumnMap) bool + +func acceptAllFilter(col *ColumnMap) bool { + return true +} + +// Bind is called automatically by gorp after Scan() +func (me CustomScanner) Bind() error { + return me.Binder(me.Holder, me.Target) +} + +type bindPlan struct { + query string + argFields []string + keyFields []string + versField string + autoIncrIdx int + autoIncrFieldName string + once sync.Once +} + +func (plan *bindPlan) createBindInstance(elem reflect.Value, conv TypeConverter) (bindInstance, error) { + bi := bindInstance{query: plan.query, autoIncrIdx: plan.autoIncrIdx, autoIncrFieldName: plan.autoIncrFieldName, versField: plan.versField} + if plan.versField != "" { + bi.existingVersion = elem.FieldByName(plan.versField).Int() + } + + var err error + + for i := 0; i < len(plan.argFields); i++ { + k := plan.argFields[i] + if k == versFieldConst { + newVer := bi.existingVersion + 1 + bi.args = append(bi.args, newVer) + if bi.existingVersion == 0 { + elem.FieldByName(plan.versField).SetInt(int64(newVer)) + } + } else { + val := elem.FieldByName(k).Interface() + if conv != nil { + val, err = conv.ToDb(val) + if err != nil { + return bindInstance{}, err + } + } + bi.args = append(bi.args, val) + } + } + + for i := 0; i < len(plan.keyFields); i++ { + k := plan.keyFields[i] + val := elem.FieldByName(k).Interface() + if conv != nil { + val, err = conv.ToDb(val) + if err != nil { + return bindInstance{}, err + } + } + bi.keys = append(bi.keys, val) + } + + return bi, nil +} + +type bindInstance struct { + query string + args []interface{} + keys []interface{} + existingVersion int64 + versField string + autoIncrIdx int + autoIncrFieldName string +} + +func (t *TableMap) bindInsert(elem reflect.Value) (bindInstance, error) { + plan := &t.insertPlan + plan.once.Do(func() { + plan.autoIncrIdx = -1 + + s := bytes.Buffer{} + s2 := bytes.Buffer{} + s.WriteString(fmt.Sprintf("insert into %s (", t.dbmap.Dialect.QuotedTableForQuery(t.SchemaName, t.TableName))) + + x := 0 + first := true + for y := range t.Columns { + col := t.Columns[y] + if !(col.isAutoIncr && t.dbmap.Dialect.AutoIncrBindValue() == "") { + if !col.Transient { + if !first { + s.WriteString(",") + s2.WriteString(",") + } + s.WriteString(t.dbmap.Dialect.QuoteField(col.ColumnName)) + + if col.isAutoIncr { + s2.WriteString(t.dbmap.Dialect.AutoIncrBindValue()) + plan.autoIncrIdx = y + plan.autoIncrFieldName = col.fieldName + } else { + if col.DefaultValue == "" { + s2.WriteString(t.dbmap.Dialect.BindVar(x)) + if col == t.version { + plan.versField = col.fieldName + plan.argFields = append(plan.argFields, versFieldConst) + } else { + plan.argFields = append(plan.argFields, col.fieldName) + } + x++ + } else { + s2.WriteString(col.DefaultValue) + } + } + first = false + } + } else { + plan.autoIncrIdx = y + plan.autoIncrFieldName = col.fieldName + } + } + s.WriteString(") values (") + s.WriteString(s2.String()) + s.WriteString(")") + if plan.autoIncrIdx > -1 { + s.WriteString(t.dbmap.Dialect.AutoIncrInsertSuffix(t.Columns[plan.autoIncrIdx])) + } + s.WriteString(t.dbmap.Dialect.QuerySuffix()) + + plan.query = s.String() + }) + + return plan.createBindInstance(elem, t.dbmap.TypeConverter) +} + +func (t *TableMap) bindUpdate(elem reflect.Value, colFilter ColumnFilter) (bindInstance, error) { + if colFilter == nil { + colFilter = acceptAllFilter + } + + plan := &t.updatePlan + plan.once.Do(func() { + s := bytes.Buffer{} + s.WriteString(fmt.Sprintf("update %s set ", t.dbmap.Dialect.QuotedTableForQuery(t.SchemaName, t.TableName))) + x := 0 + + for y := range t.Columns { + col := t.Columns[y] + if !col.isAutoIncr && !col.Transient && colFilter(col) { + if x > 0 { + s.WriteString(", ") + } + s.WriteString(t.dbmap.Dialect.QuoteField(col.ColumnName)) + s.WriteString("=") + s.WriteString(t.dbmap.Dialect.BindVar(x)) + + if col == t.version { + plan.versField = col.fieldName + plan.argFields = append(plan.argFields, versFieldConst) + } else { + plan.argFields = append(plan.argFields, col.fieldName) + } + x++ + } + } + + s.WriteString(" where ") + for y := range t.keys { + col := t.keys[y] + if y > 0 { + s.WriteString(" and ") + } + s.WriteString(t.dbmap.Dialect.QuoteField(col.ColumnName)) + s.WriteString("=") + s.WriteString(t.dbmap.Dialect.BindVar(x)) + + plan.argFields = append(plan.argFields, col.fieldName) + plan.keyFields = append(plan.keyFields, col.fieldName) + x++ + } + if plan.versField != "" { + s.WriteString(" and ") + s.WriteString(t.dbmap.Dialect.QuoteField(t.version.ColumnName)) + s.WriteString("=") + s.WriteString(t.dbmap.Dialect.BindVar(x)) + plan.argFields = append(plan.argFields, plan.versField) + } + s.WriteString(t.dbmap.Dialect.QuerySuffix()) + + plan.query = s.String() + }) + + return plan.createBindInstance(elem, t.dbmap.TypeConverter) +} + +func (t *TableMap) bindDelete(elem reflect.Value) (bindInstance, error) { + plan := &t.deletePlan + plan.once.Do(func() { + s := bytes.Buffer{} + s.WriteString(fmt.Sprintf("delete from %s", t.dbmap.Dialect.QuotedTableForQuery(t.SchemaName, t.TableName))) + + for y := range t.Columns { + col := t.Columns[y] + if !col.Transient { + if col == t.version { + plan.versField = col.fieldName + } + } + } + + s.WriteString(" where ") + for x := range t.keys { + k := t.keys[x] + if x > 0 { + s.WriteString(" and ") + } + s.WriteString(t.dbmap.Dialect.QuoteField(k.ColumnName)) + s.WriteString("=") + s.WriteString(t.dbmap.Dialect.BindVar(x)) + + plan.keyFields = append(plan.keyFields, k.fieldName) + plan.argFields = append(plan.argFields, k.fieldName) + } + if plan.versField != "" { + s.WriteString(" and ") + s.WriteString(t.dbmap.Dialect.QuoteField(t.version.ColumnName)) + s.WriteString("=") + s.WriteString(t.dbmap.Dialect.BindVar(len(plan.argFields))) + + plan.argFields = append(plan.argFields, plan.versField) + } + s.WriteString(t.dbmap.Dialect.QuerySuffix()) + + plan.query = s.String() + }) + + return plan.createBindInstance(elem, t.dbmap.TypeConverter) +} + +func (t *TableMap) bindGet() *bindPlan { + plan := &t.getPlan + plan.once.Do(func() { + s := bytes.Buffer{} + s.WriteString("select ") + + x := 0 + for _, col := range t.Columns { + if !col.Transient { + if x > 0 { + s.WriteString(",") + } + s.WriteString(t.dbmap.Dialect.QuoteField(col.ColumnName)) + plan.argFields = append(plan.argFields, col.fieldName) + x++ + } + } + s.WriteString(" from ") + s.WriteString(t.dbmap.Dialect.QuotedTableForQuery(t.SchemaName, t.TableName)) + s.WriteString(" where ") + for x := range t.keys { + col := t.keys[x] + if x > 0 { + s.WriteString(" and ") + } + s.WriteString(t.dbmap.Dialect.QuoteField(col.ColumnName)) + s.WriteString("=") + s.WriteString(t.dbmap.Dialect.BindVar(x)) + + plan.keyFields = append(plan.keyFields, col.fieldName) + } + s.WriteString(t.dbmap.Dialect.QuerySuffix()) + + plan.query = s.String() + }) + + return plan +} diff --git a/vendor/github.com/go-gorp/gorp/v3/test_all.sh b/vendor/github.com/go-gorp/gorp/v3/test_all.sh new file mode 100644 index 0000000000..91007d6454 --- /dev/null +++ b/vendor/github.com/go-gorp/gorp/v3/test_all.sh @@ -0,0 +1,23 @@ +#!/bin/bash -ex + +# on macs, you may need to: +# export GOBUILDFLAG=-ldflags -linkmode=external + +echo "Running unit tests" +go test -race + +echo "Testing against postgres" +export GORP_TEST_DSN="host=postgres user=gorptest password=gorptest dbname=gorptest sslmode=disable" +export GORP_TEST_DIALECT=postgres +go test -tags integration $GOBUILDFLAG $@ . + +echo "Testing against sqlite" +export GORP_TEST_DSN=/tmp/gorptest.bin +export GORP_TEST_DIALECT=sqlite +go test -tags integration $GOBUILDFLAG $@ . +rm -f /tmp/gorptest.bin + +echo "Testing against mysql" +export GORP_TEST_DSN="gorptest:gorptest@tcp(mysql)/gorptest" +export GORP_TEST_DIALECT=mysql +go test -tags integration $GOBUILDFLAG $@ . diff --git a/vendor/github.com/go-gorp/gorp/v3/transaction.go b/vendor/github.com/go-gorp/gorp/v3/transaction.go new file mode 100644 index 0000000000..d505d94c91 --- /dev/null +++ b/vendor/github.com/go-gorp/gorp/v3/transaction.go @@ -0,0 +1,239 @@ +// Copyright 2012 James Cooper. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package gorp + +import ( + "context" + "database/sql" + "time" +) + +// Transaction represents a database transaction. +// Insert/Update/Delete/Get/Exec operations will be run in the context +// of that transaction. Transactions should be terminated with +// a call to Commit() or Rollback() +type Transaction struct { + ctx context.Context + dbmap *DbMap + tx *sql.Tx + closed bool +} + +func (t *Transaction) WithContext(ctx context.Context) SqlExecutor { + copy := &Transaction{} + *copy = *t + copy.ctx = ctx + return copy +} + +// Insert has the same behavior as DbMap.Insert(), but runs in a transaction. +func (t *Transaction) Insert(list ...interface{}) error { + return insert(t.dbmap, t, list...) +} + +// Update had the same behavior as DbMap.Update(), but runs in a transaction. +func (t *Transaction) Update(list ...interface{}) (int64, error) { + return update(t.dbmap, t, nil, list...) +} + +// UpdateColumns had the same behavior as DbMap.UpdateColumns(), but runs in a transaction. +func (t *Transaction) UpdateColumns(filter ColumnFilter, list ...interface{}) (int64, error) { + return update(t.dbmap, t, filter, list...) +} + +// Delete has the same behavior as DbMap.Delete(), but runs in a transaction. +func (t *Transaction) Delete(list ...interface{}) (int64, error) { + return delete(t.dbmap, t, list...) +} + +// Get has the same behavior as DbMap.Get(), but runs in a transaction. +func (t *Transaction) Get(i interface{}, keys ...interface{}) (interface{}, error) { + return get(t.dbmap, t, i, keys...) +} + +// Select has the same behavior as DbMap.Select(), but runs in a transaction. +func (t *Transaction) Select(i interface{}, query string, args ...interface{}) ([]interface{}, error) { + if t.dbmap.ExpandSliceArgs { + expandSliceArgs(&query, args...) + } + + return hookedselect(t.dbmap, t, i, query, args...) +} + +// Exec has the same behavior as DbMap.Exec(), but runs in a transaction. +func (t *Transaction) Exec(query string, args ...interface{}) (sql.Result, error) { + if t.dbmap.ExpandSliceArgs { + expandSliceArgs(&query, args...) + } + + if t.dbmap.logger != nil { + now := time.Now() + defer t.dbmap.trace(now, query, args...) + } + return maybeExpandNamedQueryAndExec(t, query, args...) +} + +// SelectInt is a convenience wrapper around the gorp.SelectInt function. +func (t *Transaction) SelectInt(query string, args ...interface{}) (int64, error) { + if t.dbmap.ExpandSliceArgs { + expandSliceArgs(&query, args...) + } + + return SelectInt(t, query, args...) +} + +// SelectNullInt is a convenience wrapper around the gorp.SelectNullInt function. +func (t *Transaction) SelectNullInt(query string, args ...interface{}) (sql.NullInt64, error) { + if t.dbmap.ExpandSliceArgs { + expandSliceArgs(&query, args...) + } + + return SelectNullInt(t, query, args...) +} + +// SelectFloat is a convenience wrapper around the gorp.SelectFloat function. +func (t *Transaction) SelectFloat(query string, args ...interface{}) (float64, error) { + if t.dbmap.ExpandSliceArgs { + expandSliceArgs(&query, args...) + } + + return SelectFloat(t, query, args...) +} + +// SelectNullFloat is a convenience wrapper around the gorp.SelectNullFloat function. +func (t *Transaction) SelectNullFloat(query string, args ...interface{}) (sql.NullFloat64, error) { + if t.dbmap.ExpandSliceArgs { + expandSliceArgs(&query, args...) + } + + return SelectNullFloat(t, query, args...) +} + +// SelectStr is a convenience wrapper around the gorp.SelectStr function. +func (t *Transaction) SelectStr(query string, args ...interface{}) (string, error) { + if t.dbmap.ExpandSliceArgs { + expandSliceArgs(&query, args...) + } + + return SelectStr(t, query, args...) +} + +// SelectNullStr is a convenience wrapper around the gorp.SelectNullStr function. +func (t *Transaction) SelectNullStr(query string, args ...interface{}) (sql.NullString, error) { + if t.dbmap.ExpandSliceArgs { + expandSliceArgs(&query, args...) + } + + return SelectNullStr(t, query, args...) +} + +// SelectOne is a convenience wrapper around the gorp.SelectOne function. +func (t *Transaction) SelectOne(holder interface{}, query string, args ...interface{}) error { + if t.dbmap.ExpandSliceArgs { + expandSliceArgs(&query, args...) + } + + return SelectOne(t.dbmap, t, holder, query, args...) +} + +// Commit commits the underlying database transaction. +func (t *Transaction) Commit() error { + if !t.closed { + t.closed = true + if t.dbmap.logger != nil { + now := time.Now() + defer t.dbmap.trace(now, "commit;") + } + return t.tx.Commit() + } + + return sql.ErrTxDone +} + +// Rollback rolls back the underlying database transaction. +func (t *Transaction) Rollback() error { + if !t.closed { + t.closed = true + if t.dbmap.logger != nil { + now := time.Now() + defer t.dbmap.trace(now, "rollback;") + } + return t.tx.Rollback() + } + + return sql.ErrTxDone +} + +// Savepoint creates a savepoint with the given name. The name is interpolated +// directly into the SQL SAVEPOINT statement, so you must sanitize it if it is +// derived from user input. +func (t *Transaction) Savepoint(name string) error { + query := "savepoint " + t.dbmap.Dialect.QuoteField(name) + if t.dbmap.logger != nil { + now := time.Now() + defer t.dbmap.trace(now, query, nil) + } + _, err := exec(t, query) + return err +} + +// RollbackToSavepoint rolls back to the savepoint with the given name. The +// name is interpolated directly into the SQL SAVEPOINT statement, so you must +// sanitize it if it is derived from user input. +func (t *Transaction) RollbackToSavepoint(savepoint string) error { + query := "rollback to savepoint " + t.dbmap.Dialect.QuoteField(savepoint) + if t.dbmap.logger != nil { + now := time.Now() + defer t.dbmap.trace(now, query, nil) + } + _, err := exec(t, query) + return err +} + +// ReleaseSavepint releases the savepoint with the given name. The name is +// interpolated directly into the SQL SAVEPOINT statement, so you must sanitize +// it if it is derived from user input. +func (t *Transaction) ReleaseSavepoint(savepoint string) error { + query := "release savepoint " + t.dbmap.Dialect.QuoteField(savepoint) + if t.dbmap.logger != nil { + now := time.Now() + defer t.dbmap.trace(now, query, nil) + } + _, err := exec(t, query) + return err +} + +// Prepare has the same behavior as DbMap.Prepare(), but runs in a transaction. +func (t *Transaction) Prepare(query string) (*sql.Stmt, error) { + if t.dbmap.logger != nil { + now := time.Now() + defer t.dbmap.trace(now, query, nil) + } + return prepare(t, query) +} + +func (t *Transaction) QueryRow(query string, args ...interface{}) *sql.Row { + if t.dbmap.ExpandSliceArgs { + expandSliceArgs(&query, args...) + } + + if t.dbmap.logger != nil { + now := time.Now() + defer t.dbmap.trace(now, query, args...) + } + return queryRow(t, query, args...) +} + +func (t *Transaction) Query(q string, args ...interface{}) (*sql.Rows, error) { + if t.dbmap.ExpandSliceArgs { + expandSliceArgs(&q, args...) + } + + if t.dbmap.logger != nil { + now := time.Now() + defer t.dbmap.trace(now, q, args...) + } + return query(t, q, args...) +} diff --git a/vendor/github.com/go-openapi/jsonpointer/.golangci.yml b/vendor/github.com/go-openapi/jsonpointer/.golangci.yml index d2fafb8a2b..500630621f 100644 --- a/vendor/github.com/go-openapi/jsonpointer/.golangci.yml +++ b/vendor/github.com/go-openapi/jsonpointer/.golangci.yml @@ -1,56 +1,62 @@ -linters-settings: - gocyclo: - min-complexity: 45 - dupl: - threshold: 200 - goconst: - min-len: 2 - min-occurrences: 3 - +version: "2" linters: - enable-all: true + default: all disable: - - recvcheck - - unparam - - lll - - gochecknoinits - - gochecknoglobals + - cyclop + - depguard + - errchkjson + - errorlint + - exhaustruct + - forcetypeassert - funlen - - godox + - gochecknoglobals + - gochecknoinits - gocognit - - whitespace - - wsl - - wrapcheck - - testpackage - - nlreturn - - errorlint - - nestif - godot - - gofumpt + - godox + - gosmopolitan + - inamedparam + - ireturn + - lll + - musttag + - nestif + - nlreturn + - nonamedreturns - paralleltest - - tparallel + - testpackage - thelper - - exhaustruct + - tparallel + - unparam - varnamelen - - gci - - depguard - - errchkjson - - inamedparam - - nonamedreturns - - musttag - - ireturn - - forcetypeassert - - cyclop - # deprecated linters - #- deadcode - #- interfacer - #- scopelint - #- varcheck - #- structcheck - #- golint - #- nosnakecase - #- maligned - #- goerr113 - #- ifshort - #- gomnd - #- exhaustivestruct + - whitespace + - wrapcheck + - wsl + settings: + dupl: + threshold: 200 + goconst: + min-len: 2 + min-occurrences: 3 + gocyclo: + min-complexity: 45 + exclusions: + generated: lax + presets: + - comments + - common-false-positives + - legacy + - std-error-handling + paths: + - third_party$ + - builtin$ + - examples$ +formatters: + enable: + - gofmt + - goimports + exclusions: + generated: lax + paths: + - third_party$ + - builtin$ + - examples$ diff --git a/vendor/github.com/go-openapi/jsonpointer/pointer.go b/vendor/github.com/go-openapi/jsonpointer/pointer.go index a08cd68ac0..6136210572 100644 --- a/vendor/github.com/go-openapi/jsonpointer/pointer.go +++ b/vendor/github.com/go-openapi/jsonpointer/pointer.go @@ -179,6 +179,11 @@ func getSingleImpl(node any, decodedToken string, nameProvider *swag.NameProvide func setSingleImpl(node, data any, decodedToken string, nameProvider *swag.NameProvider) error { rValue := reflect.Indirect(reflect.ValueOf(node)) + // Check for nil to prevent panic when calling rValue.Type() + if isNil(node) { + return fmt.Errorf("cannot set field %q on nil value: %w", decodedToken, ErrPointer) + } + if ns, ok := node.(JSONSetable); ok { // pointer impl return ns.JSONSet(decodedToken, data) } @@ -285,6 +290,11 @@ func (p *Pointer) set(node, data any, nameProvider *swag.NameProvider) error { return setSingleImpl(node, data, decodedToken, nameProvider) } + // Check for nil during traversal + if isNil(node) { + return fmt.Errorf("cannot traverse through nil value at %q: %w", decodedToken, ErrPointer) + } + rValue := reflect.Indirect(reflect.ValueOf(node)) kind := rValue.Kind() diff --git a/vendor/github.com/gobwas/glob/.gitignore b/vendor/github.com/gobwas/glob/.gitignore new file mode 100644 index 0000000000..b4ae623be5 --- /dev/null +++ b/vendor/github.com/gobwas/glob/.gitignore @@ -0,0 +1,8 @@ +glob.iml +.idea +*.cpu +*.mem +*.test +*.dot +*.png +*.svg diff --git a/vendor/github.com/gobwas/glob/.travis.yml b/vendor/github.com/gobwas/glob/.travis.yml new file mode 100644 index 0000000000..e8a276826c --- /dev/null +++ b/vendor/github.com/gobwas/glob/.travis.yml @@ -0,0 +1,9 @@ +sudo: false + +language: go + +go: + - 1.5.3 + +script: + - go test -v ./... diff --git a/vendor/github.com/gobwas/glob/LICENSE b/vendor/github.com/gobwas/glob/LICENSE new file mode 100644 index 0000000000..9d4735cad9 --- /dev/null +++ b/vendor/github.com/gobwas/glob/LICENSE @@ -0,0 +1,21 @@ +The MIT License (MIT) + +Copyright (c) 2016 Sergey Kamardin + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. \ No newline at end of file diff --git a/vendor/github.com/gobwas/glob/bench.sh b/vendor/github.com/gobwas/glob/bench.sh new file mode 100644 index 0000000000..804cf22e64 --- /dev/null +++ b/vendor/github.com/gobwas/glob/bench.sh @@ -0,0 +1,26 @@ +#! /bin/bash + +bench() { + filename="/tmp/$1-$2.bench" + if test -e "${filename}"; + then + echo "Already exists ${filename}" + else + backup=`git rev-parse --abbrev-ref HEAD` + git checkout $1 + echo -n "Creating ${filename}... " + go test ./... -run=NONE -bench=$2 > "${filename}" -benchmem + echo "OK" + git checkout ${backup} + sleep 5 + fi +} + + +to=$1 +current=`git rev-parse --abbrev-ref HEAD` + +bench ${to} $2 +bench ${current} $2 + +benchcmp $3 "/tmp/${to}-$2.bench" "/tmp/${current}-$2.bench" diff --git a/vendor/github.com/gobwas/glob/compiler/compiler.go b/vendor/github.com/gobwas/glob/compiler/compiler.go new file mode 100644 index 0000000000..02e7de80a0 --- /dev/null +++ b/vendor/github.com/gobwas/glob/compiler/compiler.go @@ -0,0 +1,525 @@ +package compiler + +// TODO use constructor with all matchers, and to their structs private +// TODO glue multiple Text nodes (like after QuoteMeta) + +import ( + "fmt" + "reflect" + + "github.com/gobwas/glob/match" + "github.com/gobwas/glob/syntax/ast" + "github.com/gobwas/glob/util/runes" +) + +func optimizeMatcher(matcher match.Matcher) match.Matcher { + switch m := matcher.(type) { + + case match.Any: + if len(m.Separators) == 0 { + return match.NewSuper() + } + + case match.AnyOf: + if len(m.Matchers) == 1 { + return m.Matchers[0] + } + + return m + + case match.List: + if m.Not == false && len(m.List) == 1 { + return match.NewText(string(m.List)) + } + + return m + + case match.BTree: + m.Left = optimizeMatcher(m.Left) + m.Right = optimizeMatcher(m.Right) + + r, ok := m.Value.(match.Text) + if !ok { + return m + } + + var ( + leftNil = m.Left == nil + rightNil = m.Right == nil + ) + if leftNil && rightNil { + return match.NewText(r.Str) + } + + _, leftSuper := m.Left.(match.Super) + lp, leftPrefix := m.Left.(match.Prefix) + la, leftAny := m.Left.(match.Any) + + _, rightSuper := m.Right.(match.Super) + rs, rightSuffix := m.Right.(match.Suffix) + ra, rightAny := m.Right.(match.Any) + + switch { + case leftSuper && rightSuper: + return match.NewContains(r.Str, false) + + case leftSuper && rightNil: + return match.NewSuffix(r.Str) + + case rightSuper && leftNil: + return match.NewPrefix(r.Str) + + case leftNil && rightSuffix: + return match.NewPrefixSuffix(r.Str, rs.Suffix) + + case rightNil && leftPrefix: + return match.NewPrefixSuffix(lp.Prefix, r.Str) + + case rightNil && leftAny: + return match.NewSuffixAny(r.Str, la.Separators) + + case leftNil && rightAny: + return match.NewPrefixAny(r.Str, ra.Separators) + } + + return m + } + + return matcher +} + +func compileMatchers(matchers []match.Matcher) (match.Matcher, error) { + if len(matchers) == 0 { + return nil, fmt.Errorf("compile error: need at least one matcher") + } + if len(matchers) == 1 { + return matchers[0], nil + } + if m := glueMatchers(matchers); m != nil { + return m, nil + } + + idx := -1 + maxLen := -1 + var val match.Matcher + for i, matcher := range matchers { + if l := matcher.Len(); l != -1 && l >= maxLen { + maxLen = l + idx = i + val = matcher + } + } + + if val == nil { // not found matcher with static length + r, err := compileMatchers(matchers[1:]) + if err != nil { + return nil, err + } + return match.NewBTree(matchers[0], nil, r), nil + } + + left := matchers[:idx] + var right []match.Matcher + if len(matchers) > idx+1 { + right = matchers[idx+1:] + } + + var l, r match.Matcher + var err error + if len(left) > 0 { + l, err = compileMatchers(left) + if err != nil { + return nil, err + } + } + + if len(right) > 0 { + r, err = compileMatchers(right) + if err != nil { + return nil, err + } + } + + return match.NewBTree(val, l, r), nil +} + +func glueMatchers(matchers []match.Matcher) match.Matcher { + if m := glueMatchersAsEvery(matchers); m != nil { + return m + } + if m := glueMatchersAsRow(matchers); m != nil { + return m + } + return nil +} + +func glueMatchersAsRow(matchers []match.Matcher) match.Matcher { + if len(matchers) <= 1 { + return nil + } + + var ( + c []match.Matcher + l int + ) + for _, matcher := range matchers { + if ml := matcher.Len(); ml == -1 { + return nil + } else { + c = append(c, matcher) + l += ml + } + } + return match.NewRow(l, c...) +} + +func glueMatchersAsEvery(matchers []match.Matcher) match.Matcher { + if len(matchers) <= 1 { + return nil + } + + var ( + hasAny bool + hasSuper bool + hasSingle bool + min int + separator []rune + ) + + for i, matcher := range matchers { + var sep []rune + + switch m := matcher.(type) { + case match.Super: + sep = []rune{} + hasSuper = true + + case match.Any: + sep = m.Separators + hasAny = true + + case match.Single: + sep = m.Separators + hasSingle = true + min++ + + case match.List: + if !m.Not { + return nil + } + sep = m.List + hasSingle = true + min++ + + default: + return nil + } + + // initialize + if i == 0 { + separator = sep + } + + if runes.Equal(sep, separator) { + continue + } + + return nil + } + + if hasSuper && !hasAny && !hasSingle { + return match.NewSuper() + } + + if hasAny && !hasSuper && !hasSingle { + return match.NewAny(separator) + } + + if (hasAny || hasSuper) && min > 0 && len(separator) == 0 { + return match.NewMin(min) + } + + every := match.NewEveryOf() + + if min > 0 { + every.Add(match.NewMin(min)) + + if !hasAny && !hasSuper { + every.Add(match.NewMax(min)) + } + } + + if len(separator) > 0 { + every.Add(match.NewContains(string(separator), true)) + } + + return every +} + +func minimizeMatchers(matchers []match.Matcher) []match.Matcher { + var done match.Matcher + var left, right, count int + + for l := 0; l < len(matchers); l++ { + for r := len(matchers); r > l; r-- { + if glued := glueMatchers(matchers[l:r]); glued != nil { + var swap bool + + if done == nil { + swap = true + } else { + cl, gl := done.Len(), glued.Len() + swap = cl > -1 && gl > -1 && gl > cl + swap = swap || count < r-l + } + + if swap { + done = glued + left = l + right = r + count = r - l + } + } + } + } + + if done == nil { + return matchers + } + + next := append(append([]match.Matcher{}, matchers[:left]...), done) + if right < len(matchers) { + next = append(next, matchers[right:]...) + } + + if len(next) == len(matchers) { + return next + } + + return minimizeMatchers(next) +} + +// minimizeAnyOf tries to apply some heuristics to minimize number of nodes in given tree +func minimizeTree(tree *ast.Node) *ast.Node { + switch tree.Kind { + case ast.KindAnyOf: + return minimizeTreeAnyOf(tree) + default: + return nil + } +} + +// minimizeAnyOf tries to find common children of given node of AnyOf pattern +// it searches for common children from left and from right +// if any common children are found – then it returns new optimized ast tree +// else it returns nil +func minimizeTreeAnyOf(tree *ast.Node) *ast.Node { + if !areOfSameKind(tree.Children, ast.KindPattern) { + return nil + } + + commonLeft, commonRight := commonChildren(tree.Children) + commonLeftCount, commonRightCount := len(commonLeft), len(commonRight) + if commonLeftCount == 0 && commonRightCount == 0 { // there are no common parts + return nil + } + + var result []*ast.Node + if commonLeftCount > 0 { + result = append(result, ast.NewNode(ast.KindPattern, nil, commonLeft...)) + } + + var anyOf []*ast.Node + for _, child := range tree.Children { + reuse := child.Children[commonLeftCount : len(child.Children)-commonRightCount] + var node *ast.Node + if len(reuse) == 0 { + // this pattern is completely reduced by commonLeft and commonRight patterns + // so it become nothing + node = ast.NewNode(ast.KindNothing, nil) + } else { + node = ast.NewNode(ast.KindPattern, nil, reuse...) + } + anyOf = appendIfUnique(anyOf, node) + } + switch { + case len(anyOf) == 1 && anyOf[0].Kind != ast.KindNothing: + result = append(result, anyOf[0]) + case len(anyOf) > 1: + result = append(result, ast.NewNode(ast.KindAnyOf, nil, anyOf...)) + } + + if commonRightCount > 0 { + result = append(result, ast.NewNode(ast.KindPattern, nil, commonRight...)) + } + + return ast.NewNode(ast.KindPattern, nil, result...) +} + +func commonChildren(nodes []*ast.Node) (commonLeft, commonRight []*ast.Node) { + if len(nodes) <= 1 { + return + } + + // find node that has least number of children + idx := leastChildren(nodes) + if idx == -1 { + return + } + tree := nodes[idx] + treeLength := len(tree.Children) + + // allocate max able size for rightCommon slice + // to get ability insert elements in reverse order (from end to start) + // without sorting + commonRight = make([]*ast.Node, treeLength) + lastRight := treeLength // will use this to get results as commonRight[lastRight:] + + var ( + breakLeft bool + breakRight bool + commonTotal int + ) + for i, j := 0, treeLength-1; commonTotal < treeLength && j >= 0 && !(breakLeft && breakRight); i, j = i+1, j-1 { + treeLeft := tree.Children[i] + treeRight := tree.Children[j] + + for k := 0; k < len(nodes) && !(breakLeft && breakRight); k++ { + // skip least children node + if k == idx { + continue + } + + restLeft := nodes[k].Children[i] + restRight := nodes[k].Children[j+len(nodes[k].Children)-treeLength] + + breakLeft = breakLeft || !treeLeft.Equal(restLeft) + + // disable searching for right common parts, if left part is already overlapping + breakRight = breakRight || (!breakLeft && j <= i) + breakRight = breakRight || !treeRight.Equal(restRight) + } + + if !breakLeft { + commonTotal++ + commonLeft = append(commonLeft, treeLeft) + } + if !breakRight { + commonTotal++ + lastRight = j + commonRight[j] = treeRight + } + } + + commonRight = commonRight[lastRight:] + + return +} + +func appendIfUnique(target []*ast.Node, val *ast.Node) []*ast.Node { + for _, n := range target { + if reflect.DeepEqual(n, val) { + return target + } + } + return append(target, val) +} + +func areOfSameKind(nodes []*ast.Node, kind ast.Kind) bool { + for _, n := range nodes { + if n.Kind != kind { + return false + } + } + return true +} + +func leastChildren(nodes []*ast.Node) int { + min := -1 + idx := -1 + for i, n := range nodes { + if idx == -1 || (len(n.Children) < min) { + min = len(n.Children) + idx = i + } + } + return idx +} + +func compileTreeChildren(tree *ast.Node, sep []rune) ([]match.Matcher, error) { + var matchers []match.Matcher + for _, desc := range tree.Children { + m, err := compile(desc, sep) + if err != nil { + return nil, err + } + matchers = append(matchers, optimizeMatcher(m)) + } + return matchers, nil +} + +func compile(tree *ast.Node, sep []rune) (m match.Matcher, err error) { + switch tree.Kind { + case ast.KindAnyOf: + // todo this could be faster on pattern_alternatives_combine_lite (see glob_test.go) + if n := minimizeTree(tree); n != nil { + return compile(n, sep) + } + matchers, err := compileTreeChildren(tree, sep) + if err != nil { + return nil, err + } + return match.NewAnyOf(matchers...), nil + + case ast.KindPattern: + if len(tree.Children) == 0 { + return match.NewNothing(), nil + } + matchers, err := compileTreeChildren(tree, sep) + if err != nil { + return nil, err + } + m, err = compileMatchers(minimizeMatchers(matchers)) + if err != nil { + return nil, err + } + + case ast.KindAny: + m = match.NewAny(sep) + + case ast.KindSuper: + m = match.NewSuper() + + case ast.KindSingle: + m = match.NewSingle(sep) + + case ast.KindNothing: + m = match.NewNothing() + + case ast.KindList: + l := tree.Value.(ast.List) + m = match.NewList([]rune(l.Chars), l.Not) + + case ast.KindRange: + r := tree.Value.(ast.Range) + m = match.NewRange(r.Lo, r.Hi, r.Not) + + case ast.KindText: + t := tree.Value.(ast.Text) + m = match.NewText(t.Text) + + default: + return nil, fmt.Errorf("could not compile tree: unknown node type") + } + + return optimizeMatcher(m), nil +} + +func Compile(tree *ast.Node, sep []rune) (match.Matcher, error) { + m, err := compile(tree, sep) + if err != nil { + return nil, err + } + + return m, nil +} diff --git a/vendor/github.com/gobwas/glob/glob.go b/vendor/github.com/gobwas/glob/glob.go new file mode 100644 index 0000000000..2afde343af --- /dev/null +++ b/vendor/github.com/gobwas/glob/glob.go @@ -0,0 +1,80 @@ +package glob + +import ( + "github.com/gobwas/glob/compiler" + "github.com/gobwas/glob/syntax" +) + +// Glob represents compiled glob pattern. +type Glob interface { + Match(string) bool +} + +// Compile creates Glob for given pattern and strings (if any present after pattern) as separators. +// The pattern syntax is: +// +// pattern: +// { term } +// +// term: +// `*` matches any sequence of non-separator characters +// `**` matches any sequence of characters +// `?` matches any single non-separator character +// `[` [ `!` ] { character-range } `]` +// character class (must be non-empty) +// `{` pattern-list `}` +// pattern alternatives +// c matches character c (c != `*`, `**`, `?`, `\`, `[`, `{`, `}`) +// `\` c matches character c +// +// character-range: +// c matches character c (c != `\\`, `-`, `]`) +// `\` c matches character c +// lo `-` hi matches character c for lo <= c <= hi +// +// pattern-list: +// pattern { `,` pattern } +// comma-separated (without spaces) patterns +// +func Compile(pattern string, separators ...rune) (Glob, error) { + ast, err := syntax.Parse(pattern) + if err != nil { + return nil, err + } + + matcher, err := compiler.Compile(ast, separators) + if err != nil { + return nil, err + } + + return matcher, nil +} + +// MustCompile is the same as Compile, except that if Compile returns error, this will panic +func MustCompile(pattern string, separators ...rune) Glob { + g, err := Compile(pattern, separators...) + if err != nil { + panic(err) + } + + return g +} + +// QuoteMeta returns a string that quotes all glob pattern meta characters +// inside the argument text; For example, QuoteMeta(`{foo*}`) returns `\[foo\*\]`. +func QuoteMeta(s string) string { + b := make([]byte, 2*len(s)) + + // a byte loop is correct because all meta characters are ASCII + j := 0 + for i := 0; i < len(s); i++ { + if syntax.Special(s[i]) { + b[j] = '\\' + j++ + } + b[j] = s[i] + j++ + } + + return string(b[0:j]) +} diff --git a/vendor/github.com/gobwas/glob/match/any.go b/vendor/github.com/gobwas/glob/match/any.go new file mode 100644 index 0000000000..514a9a5c45 --- /dev/null +++ b/vendor/github.com/gobwas/glob/match/any.go @@ -0,0 +1,45 @@ +package match + +import ( + "fmt" + "github.com/gobwas/glob/util/strings" +) + +type Any struct { + Separators []rune +} + +func NewAny(s []rune) Any { + return Any{s} +} + +func (self Any) Match(s string) bool { + return strings.IndexAnyRunes(s, self.Separators) == -1 +} + +func (self Any) Index(s string) (int, []int) { + found := strings.IndexAnyRunes(s, self.Separators) + switch found { + case -1: + case 0: + return 0, segments0 + default: + s = s[:found] + } + + segments := acquireSegments(len(s)) + for i := range s { + segments = append(segments, i) + } + segments = append(segments, len(s)) + + return 0, segments +} + +func (self Any) Len() int { + return lenNo +} + +func (self Any) String() string { + return fmt.Sprintf("", string(self.Separators)) +} diff --git a/vendor/github.com/gobwas/glob/match/any_of.go b/vendor/github.com/gobwas/glob/match/any_of.go new file mode 100644 index 0000000000..8e65356cdc --- /dev/null +++ b/vendor/github.com/gobwas/glob/match/any_of.go @@ -0,0 +1,82 @@ +package match + +import "fmt" + +type AnyOf struct { + Matchers Matchers +} + +func NewAnyOf(m ...Matcher) AnyOf { + return AnyOf{Matchers(m)} +} + +func (self *AnyOf) Add(m Matcher) error { + self.Matchers = append(self.Matchers, m) + return nil +} + +func (self AnyOf) Match(s string) bool { + for _, m := range self.Matchers { + if m.Match(s) { + return true + } + } + + return false +} + +func (self AnyOf) Index(s string) (int, []int) { + index := -1 + + segments := acquireSegments(len(s)) + for _, m := range self.Matchers { + idx, seg := m.Index(s) + if idx == -1 { + continue + } + + if index == -1 || idx < index { + index = idx + segments = append(segments[:0], seg...) + continue + } + + if idx > index { + continue + } + + // here idx == index + segments = appendMerge(segments, seg) + } + + if index == -1 { + releaseSegments(segments) + return -1, nil + } + + return index, segments +} + +func (self AnyOf) Len() (l int) { + l = -1 + for _, m := range self.Matchers { + ml := m.Len() + switch { + case l == -1: + l = ml + continue + + case ml == -1: + return -1 + + case l != ml: + return -1 + } + } + + return +} + +func (self AnyOf) String() string { + return fmt.Sprintf("", self.Matchers) +} diff --git a/vendor/github.com/gobwas/glob/match/btree.go b/vendor/github.com/gobwas/glob/match/btree.go new file mode 100644 index 0000000000..a8130e93ea --- /dev/null +++ b/vendor/github.com/gobwas/glob/match/btree.go @@ -0,0 +1,146 @@ +package match + +import ( + "fmt" + "unicode/utf8" +) + +type BTree struct { + Value Matcher + Left Matcher + Right Matcher + ValueLengthRunes int + LeftLengthRunes int + RightLengthRunes int + LengthRunes int +} + +func NewBTree(Value, Left, Right Matcher) (tree BTree) { + tree.Value = Value + tree.Left = Left + tree.Right = Right + + lenOk := true + if tree.ValueLengthRunes = Value.Len(); tree.ValueLengthRunes == -1 { + lenOk = false + } + + if Left != nil { + if tree.LeftLengthRunes = Left.Len(); tree.LeftLengthRunes == -1 { + lenOk = false + } + } + + if Right != nil { + if tree.RightLengthRunes = Right.Len(); tree.RightLengthRunes == -1 { + lenOk = false + } + } + + if lenOk { + tree.LengthRunes = tree.LeftLengthRunes + tree.ValueLengthRunes + tree.RightLengthRunes + } else { + tree.LengthRunes = -1 + } + + return tree +} + +func (self BTree) Len() int { + return self.LengthRunes +} + +// todo? +func (self BTree) Index(s string) (int, []int) { + return -1, nil +} + +func (self BTree) Match(s string) bool { + inputLen := len(s) + + // self.Length, self.RLen and self.LLen are values meaning the length of runes for each part + // here we manipulating byte length for better optimizations + // but these checks still works, cause minLen of 1-rune string is 1 byte. + if self.LengthRunes != -1 && self.LengthRunes > inputLen { + return false + } + + // try to cut unnecessary parts + // by knowledge of length of right and left part + var offset, limit int + if self.LeftLengthRunes >= 0 { + offset = self.LeftLengthRunes + } + if self.RightLengthRunes >= 0 { + limit = inputLen - self.RightLengthRunes + } else { + limit = inputLen + } + + for offset < limit { + // search for matching part in substring + index, segments := self.Value.Index(s[offset:limit]) + if index == -1 { + releaseSegments(segments) + return false + } + + l := s[:offset+index] + var left bool + if self.Left != nil { + left = self.Left.Match(l) + } else { + left = l == "" + } + + if left { + for i := len(segments) - 1; i >= 0; i-- { + length := segments[i] + + var right bool + var r string + // if there is no string for the right branch + if inputLen <= offset+index+length { + r = "" + } else { + r = s[offset+index+length:] + } + + if self.Right != nil { + right = self.Right.Match(r) + } else { + right = r == "" + } + + if right { + releaseSegments(segments) + return true + } + } + } + + _, step := utf8.DecodeRuneInString(s[offset+index:]) + offset += index + step + + releaseSegments(segments) + } + + return false +} + +func (self BTree) String() string { + const n string = "" + var l, r string + if self.Left == nil { + l = n + } else { + l = self.Left.String() + } + if self.Right == nil { + r = n + } else { + r = self.Right.String() + } + + return fmt.Sprintf("%s]>", l, self.Value, r) +} diff --git a/vendor/github.com/gobwas/glob/match/contains.go b/vendor/github.com/gobwas/glob/match/contains.go new file mode 100644 index 0000000000..0998e95b0e --- /dev/null +++ b/vendor/github.com/gobwas/glob/match/contains.go @@ -0,0 +1,58 @@ +package match + +import ( + "fmt" + "strings" +) + +type Contains struct { + Needle string + Not bool +} + +func NewContains(needle string, not bool) Contains { + return Contains{needle, not} +} + +func (self Contains) Match(s string) bool { + return strings.Contains(s, self.Needle) != self.Not +} + +func (self Contains) Index(s string) (int, []int) { + var offset int + + idx := strings.Index(s, self.Needle) + + if !self.Not { + if idx == -1 { + return -1, nil + } + + offset = idx + len(self.Needle) + if len(s) <= offset { + return 0, []int{offset} + } + s = s[offset:] + } else if idx != -1 { + s = s[:idx] + } + + segments := acquireSegments(len(s) + 1) + for i := range s { + segments = append(segments, offset+i) + } + + return 0, append(segments, offset+len(s)) +} + +func (self Contains) Len() int { + return lenNo +} + +func (self Contains) String() string { + var not string + if self.Not { + not = "!" + } + return fmt.Sprintf("", not, self.Needle) +} diff --git a/vendor/github.com/gobwas/glob/match/every_of.go b/vendor/github.com/gobwas/glob/match/every_of.go new file mode 100644 index 0000000000..7c968ee368 --- /dev/null +++ b/vendor/github.com/gobwas/glob/match/every_of.go @@ -0,0 +1,99 @@ +package match + +import ( + "fmt" +) + +type EveryOf struct { + Matchers Matchers +} + +func NewEveryOf(m ...Matcher) EveryOf { + return EveryOf{Matchers(m)} +} + +func (self *EveryOf) Add(m Matcher) error { + self.Matchers = append(self.Matchers, m) + return nil +} + +func (self EveryOf) Len() (l int) { + for _, m := range self.Matchers { + if ml := m.Len(); l > 0 { + l += ml + } else { + return -1 + } + } + + return +} + +func (self EveryOf) Index(s string) (int, []int) { + var index int + var offset int + + // make `in` with cap as len(s), + // cause it is the maximum size of output segments values + next := acquireSegments(len(s)) + current := acquireSegments(len(s)) + + sub := s + for i, m := range self.Matchers { + idx, seg := m.Index(sub) + if idx == -1 { + releaseSegments(next) + releaseSegments(current) + return -1, nil + } + + if i == 0 { + // we use copy here instead of `current = seg` + // cause seg is a slice from reusable buffer `in` + // and it could be overwritten in next iteration + current = append(current, seg...) + } else { + // clear the next + next = next[:0] + + delta := index - (idx + offset) + for _, ex := range current { + for _, n := range seg { + if ex+delta == n { + next = append(next, n) + } + } + } + + if len(next) == 0 { + releaseSegments(next) + releaseSegments(current) + return -1, nil + } + + current = append(current[:0], next...) + } + + index = idx + offset + sub = s[index:] + offset += idx + } + + releaseSegments(next) + + return index, current +} + +func (self EveryOf) Match(s string) bool { + for _, m := range self.Matchers { + if !m.Match(s) { + return false + } + } + + return true +} + +func (self EveryOf) String() string { + return fmt.Sprintf("", self.Matchers) +} diff --git a/vendor/github.com/gobwas/glob/match/list.go b/vendor/github.com/gobwas/glob/match/list.go new file mode 100644 index 0000000000..7fd763ecd8 --- /dev/null +++ b/vendor/github.com/gobwas/glob/match/list.go @@ -0,0 +1,49 @@ +package match + +import ( + "fmt" + "github.com/gobwas/glob/util/runes" + "unicode/utf8" +) + +type List struct { + List []rune + Not bool +} + +func NewList(list []rune, not bool) List { + return List{list, not} +} + +func (self List) Match(s string) bool { + r, w := utf8.DecodeRuneInString(s) + if len(s) > w { + return false + } + + inList := runes.IndexRune(self.List, r) != -1 + return inList == !self.Not +} + +func (self List) Len() int { + return lenOne +} + +func (self List) Index(s string) (int, []int) { + for i, r := range s { + if self.Not == (runes.IndexRune(self.List, r) == -1) { + return i, segmentsByRuneLength[utf8.RuneLen(r)] + } + } + + return -1, nil +} + +func (self List) String() string { + var not string + if self.Not { + not = "!" + } + + return fmt.Sprintf("", not, string(self.List)) +} diff --git a/vendor/github.com/gobwas/glob/match/match.go b/vendor/github.com/gobwas/glob/match/match.go new file mode 100644 index 0000000000..f80e007fb8 --- /dev/null +++ b/vendor/github.com/gobwas/glob/match/match.go @@ -0,0 +1,81 @@ +package match + +// todo common table of rune's length + +import ( + "fmt" + "strings" +) + +const lenOne = 1 +const lenZero = 0 +const lenNo = -1 + +type Matcher interface { + Match(string) bool + Index(string) (int, []int) + Len() int + String() string +} + +type Matchers []Matcher + +func (m Matchers) String() string { + var s []string + for _, matcher := range m { + s = append(s, fmt.Sprint(matcher)) + } + + return fmt.Sprintf("%s", strings.Join(s, ",")) +} + +// appendMerge merges and sorts given already SORTED and UNIQUE segments. +func appendMerge(target, sub []int) []int { + lt, ls := len(target), len(sub) + out := make([]int, 0, lt+ls) + + for x, y := 0, 0; x < lt || y < ls; { + if x >= lt { + out = append(out, sub[y:]...) + break + } + + if y >= ls { + out = append(out, target[x:]...) + break + } + + xValue := target[x] + yValue := sub[y] + + switch { + + case xValue == yValue: + out = append(out, xValue) + x++ + y++ + + case xValue < yValue: + out = append(out, xValue) + x++ + + case yValue < xValue: + out = append(out, yValue) + y++ + + } + } + + target = append(target[:0], out...) + + return target +} + +func reverseSegments(input []int) { + l := len(input) + m := l / 2 + + for i := 0; i < m; i++ { + input[i], input[l-i-1] = input[l-i-1], input[i] + } +} diff --git a/vendor/github.com/gobwas/glob/match/max.go b/vendor/github.com/gobwas/glob/match/max.go new file mode 100644 index 0000000000..d72f69efff --- /dev/null +++ b/vendor/github.com/gobwas/glob/match/max.go @@ -0,0 +1,49 @@ +package match + +import ( + "fmt" + "unicode/utf8" +) + +type Max struct { + Limit int +} + +func NewMax(l int) Max { + return Max{l} +} + +func (self Max) Match(s string) bool { + var l int + for range s { + l += 1 + if l > self.Limit { + return false + } + } + + return true +} + +func (self Max) Index(s string) (int, []int) { + segments := acquireSegments(self.Limit + 1) + segments = append(segments, 0) + var count int + for i, r := range s { + count++ + if count > self.Limit { + break + } + segments = append(segments, i+utf8.RuneLen(r)) + } + + return 0, segments +} + +func (self Max) Len() int { + return lenNo +} + +func (self Max) String() string { + return fmt.Sprintf("", self.Limit) +} diff --git a/vendor/github.com/gobwas/glob/match/min.go b/vendor/github.com/gobwas/glob/match/min.go new file mode 100644 index 0000000000..db57ac8eb4 --- /dev/null +++ b/vendor/github.com/gobwas/glob/match/min.go @@ -0,0 +1,57 @@ +package match + +import ( + "fmt" + "unicode/utf8" +) + +type Min struct { + Limit int +} + +func NewMin(l int) Min { + return Min{l} +} + +func (self Min) Match(s string) bool { + var l int + for range s { + l += 1 + if l >= self.Limit { + return true + } + } + + return false +} + +func (self Min) Index(s string) (int, []int) { + var count int + + c := len(s) - self.Limit + 1 + if c <= 0 { + return -1, nil + } + + segments := acquireSegments(c) + for i, r := range s { + count++ + if count >= self.Limit { + segments = append(segments, i+utf8.RuneLen(r)) + } + } + + if len(segments) == 0 { + return -1, nil + } + + return 0, segments +} + +func (self Min) Len() int { + return lenNo +} + +func (self Min) String() string { + return fmt.Sprintf("", self.Limit) +} diff --git a/vendor/github.com/gobwas/glob/match/nothing.go b/vendor/github.com/gobwas/glob/match/nothing.go new file mode 100644 index 0000000000..0d4ecd36b8 --- /dev/null +++ b/vendor/github.com/gobwas/glob/match/nothing.go @@ -0,0 +1,27 @@ +package match + +import ( + "fmt" +) + +type Nothing struct{} + +func NewNothing() Nothing { + return Nothing{} +} + +func (self Nothing) Match(s string) bool { + return len(s) == 0 +} + +func (self Nothing) Index(s string) (int, []int) { + return 0, segments0 +} + +func (self Nothing) Len() int { + return lenZero +} + +func (self Nothing) String() string { + return fmt.Sprintf("") +} diff --git a/vendor/github.com/gobwas/glob/match/prefix.go b/vendor/github.com/gobwas/glob/match/prefix.go new file mode 100644 index 0000000000..a7347250e8 --- /dev/null +++ b/vendor/github.com/gobwas/glob/match/prefix.go @@ -0,0 +1,50 @@ +package match + +import ( + "fmt" + "strings" + "unicode/utf8" +) + +type Prefix struct { + Prefix string +} + +func NewPrefix(p string) Prefix { + return Prefix{p} +} + +func (self Prefix) Index(s string) (int, []int) { + idx := strings.Index(s, self.Prefix) + if idx == -1 { + return -1, nil + } + + length := len(self.Prefix) + var sub string + if len(s) > idx+length { + sub = s[idx+length:] + } else { + sub = "" + } + + segments := acquireSegments(len(sub) + 1) + segments = append(segments, length) + for i, r := range sub { + segments = append(segments, length+i+utf8.RuneLen(r)) + } + + return idx, segments +} + +func (self Prefix) Len() int { + return lenNo +} + +func (self Prefix) Match(s string) bool { + return strings.HasPrefix(s, self.Prefix) +} + +func (self Prefix) String() string { + return fmt.Sprintf("", self.Prefix) +} diff --git a/vendor/github.com/gobwas/glob/match/prefix_any.go b/vendor/github.com/gobwas/glob/match/prefix_any.go new file mode 100644 index 0000000000..8ee58fe1b3 --- /dev/null +++ b/vendor/github.com/gobwas/glob/match/prefix_any.go @@ -0,0 +1,55 @@ +package match + +import ( + "fmt" + "strings" + "unicode/utf8" + + sutil "github.com/gobwas/glob/util/strings" +) + +type PrefixAny struct { + Prefix string + Separators []rune +} + +func NewPrefixAny(s string, sep []rune) PrefixAny { + return PrefixAny{s, sep} +} + +func (self PrefixAny) Index(s string) (int, []int) { + idx := strings.Index(s, self.Prefix) + if idx == -1 { + return -1, nil + } + + n := len(self.Prefix) + sub := s[idx+n:] + i := sutil.IndexAnyRunes(sub, self.Separators) + if i > -1 { + sub = sub[:i] + } + + seg := acquireSegments(len(sub) + 1) + seg = append(seg, n) + for i, r := range sub { + seg = append(seg, n+i+utf8.RuneLen(r)) + } + + return idx, seg +} + +func (self PrefixAny) Len() int { + return lenNo +} + +func (self PrefixAny) Match(s string) bool { + if !strings.HasPrefix(s, self.Prefix) { + return false + } + return sutil.IndexAnyRunes(s[len(self.Prefix):], self.Separators) == -1 +} + +func (self PrefixAny) String() string { + return fmt.Sprintf("", self.Prefix, string(self.Separators)) +} diff --git a/vendor/github.com/gobwas/glob/match/prefix_suffix.go b/vendor/github.com/gobwas/glob/match/prefix_suffix.go new file mode 100644 index 0000000000..8208085a19 --- /dev/null +++ b/vendor/github.com/gobwas/glob/match/prefix_suffix.go @@ -0,0 +1,62 @@ +package match + +import ( + "fmt" + "strings" +) + +type PrefixSuffix struct { + Prefix, Suffix string +} + +func NewPrefixSuffix(p, s string) PrefixSuffix { + return PrefixSuffix{p, s} +} + +func (self PrefixSuffix) Index(s string) (int, []int) { + prefixIdx := strings.Index(s, self.Prefix) + if prefixIdx == -1 { + return -1, nil + } + + suffixLen := len(self.Suffix) + if suffixLen <= 0 { + return prefixIdx, []int{len(s) - prefixIdx} + } + + if (len(s) - prefixIdx) <= 0 { + return -1, nil + } + + segments := acquireSegments(len(s) - prefixIdx) + for sub := s[prefixIdx:]; ; { + suffixIdx := strings.LastIndex(sub, self.Suffix) + if suffixIdx == -1 { + break + } + + segments = append(segments, suffixIdx+suffixLen) + sub = sub[:suffixIdx] + } + + if len(segments) == 0 { + releaseSegments(segments) + return -1, nil + } + + reverseSegments(segments) + + return prefixIdx, segments +} + +func (self PrefixSuffix) Len() int { + return lenNo +} + +func (self PrefixSuffix) Match(s string) bool { + return strings.HasPrefix(s, self.Prefix) && strings.HasSuffix(s, self.Suffix) +} + +func (self PrefixSuffix) String() string { + return fmt.Sprintf("", self.Prefix, self.Suffix) +} diff --git a/vendor/github.com/gobwas/glob/match/range.go b/vendor/github.com/gobwas/glob/match/range.go new file mode 100644 index 0000000000..ce30245a40 --- /dev/null +++ b/vendor/github.com/gobwas/glob/match/range.go @@ -0,0 +1,48 @@ +package match + +import ( + "fmt" + "unicode/utf8" +) + +type Range struct { + Lo, Hi rune + Not bool +} + +func NewRange(lo, hi rune, not bool) Range { + return Range{lo, hi, not} +} + +func (self Range) Len() int { + return lenOne +} + +func (self Range) Match(s string) bool { + r, w := utf8.DecodeRuneInString(s) + if len(s) > w { + return false + } + + inRange := r >= self.Lo && r <= self.Hi + + return inRange == !self.Not +} + +func (self Range) Index(s string) (int, []int) { + for i, r := range s { + if self.Not != (r >= self.Lo && r <= self.Hi) { + return i, segmentsByRuneLength[utf8.RuneLen(r)] + } + } + + return -1, nil +} + +func (self Range) String() string { + var not string + if self.Not { + not = "!" + } + return fmt.Sprintf("", not, string(self.Lo), string(self.Hi)) +} diff --git a/vendor/github.com/gobwas/glob/match/row.go b/vendor/github.com/gobwas/glob/match/row.go new file mode 100644 index 0000000000..4379042e42 --- /dev/null +++ b/vendor/github.com/gobwas/glob/match/row.go @@ -0,0 +1,77 @@ +package match + +import ( + "fmt" +) + +type Row struct { + Matchers Matchers + RunesLength int + Segments []int +} + +func NewRow(len int, m ...Matcher) Row { + return Row{ + Matchers: Matchers(m), + RunesLength: len, + Segments: []int{len}, + } +} + +func (self Row) matchAll(s string) bool { + var idx int + for _, m := range self.Matchers { + length := m.Len() + + var next, i int + for next = range s[idx:] { + i++ + if i == length { + break + } + } + + if i < length || !m.Match(s[idx:idx+next+1]) { + return false + } + + idx += next + 1 + } + + return true +} + +func (self Row) lenOk(s string) bool { + var i int + for range s { + i++ + if i > self.RunesLength { + return false + } + } + return self.RunesLength == i +} + +func (self Row) Match(s string) bool { + return self.lenOk(s) && self.matchAll(s) +} + +func (self Row) Len() (l int) { + return self.RunesLength +} + +func (self Row) Index(s string) (int, []int) { + for i := range s { + if len(s[i:]) < self.RunesLength { + break + } + if self.matchAll(s[i:]) { + return i, self.Segments + } + } + return -1, nil +} + +func (self Row) String() string { + return fmt.Sprintf("", self.RunesLength, self.Matchers) +} diff --git a/vendor/github.com/gobwas/glob/match/segments.go b/vendor/github.com/gobwas/glob/match/segments.go new file mode 100644 index 0000000000..9ea6f30943 --- /dev/null +++ b/vendor/github.com/gobwas/glob/match/segments.go @@ -0,0 +1,91 @@ +package match + +import ( + "sync" +) + +type SomePool interface { + Get() []int + Put([]int) +} + +var segmentsPools [1024]sync.Pool + +func toPowerOfTwo(v int) int { + v-- + v |= v >> 1 + v |= v >> 2 + v |= v >> 4 + v |= v >> 8 + v |= v >> 16 + v++ + + return v +} + +const ( + cacheFrom = 16 + cacheToAndHigher = 1024 + cacheFromIndex = 15 + cacheToAndHigherIndex = 1023 +) + +var ( + segments0 = []int{0} + segments1 = []int{1} + segments2 = []int{2} + segments3 = []int{3} + segments4 = []int{4} +) + +var segmentsByRuneLength [5][]int = [5][]int{ + 0: segments0, + 1: segments1, + 2: segments2, + 3: segments3, + 4: segments4, +} + +func init() { + for i := cacheToAndHigher; i >= cacheFrom; i >>= 1 { + func(i int) { + segmentsPools[i-1] = sync.Pool{New: func() interface{} { + return make([]int, 0, i) + }} + }(i) + } +} + +func getTableIndex(c int) int { + p := toPowerOfTwo(c) + switch { + case p >= cacheToAndHigher: + return cacheToAndHigherIndex + case p <= cacheFrom: + return cacheFromIndex + default: + return p - 1 + } +} + +func acquireSegments(c int) []int { + // make []int with less capacity than cacheFrom + // is faster than acquiring it from pool + if c < cacheFrom { + return make([]int, 0, c) + } + + return segmentsPools[getTableIndex(c)].Get().([]int)[:0] +} + +func releaseSegments(s []int) { + c := cap(s) + + // make []int with less capacity than cacheFrom + // is faster than acquiring it from pool + if c < cacheFrom { + return + } + + segmentsPools[getTableIndex(c)].Put(s) +} diff --git a/vendor/github.com/gobwas/glob/match/single.go b/vendor/github.com/gobwas/glob/match/single.go new file mode 100644 index 0000000000..ee6e3954c1 --- /dev/null +++ b/vendor/github.com/gobwas/glob/match/single.go @@ -0,0 +1,43 @@ +package match + +import ( + "fmt" + "github.com/gobwas/glob/util/runes" + "unicode/utf8" +) + +// single represents ? +type Single struct { + Separators []rune +} + +func NewSingle(s []rune) Single { + return Single{s} +} + +func (self Single) Match(s string) bool { + r, w := utf8.DecodeRuneInString(s) + if len(s) > w { + return false + } + + return runes.IndexRune(self.Separators, r) == -1 +} + +func (self Single) Len() int { + return lenOne +} + +func (self Single) Index(s string) (int, []int) { + for i, r := range s { + if runes.IndexRune(self.Separators, r) == -1 { + return i, segmentsByRuneLength[utf8.RuneLen(r)] + } + } + + return -1, nil +} + +func (self Single) String() string { + return fmt.Sprintf("", string(self.Separators)) +} diff --git a/vendor/github.com/gobwas/glob/match/suffix.go b/vendor/github.com/gobwas/glob/match/suffix.go new file mode 100644 index 0000000000..85bea8c68e --- /dev/null +++ b/vendor/github.com/gobwas/glob/match/suffix.go @@ -0,0 +1,35 @@ +package match + +import ( + "fmt" + "strings" +) + +type Suffix struct { + Suffix string +} + +func NewSuffix(s string) Suffix { + return Suffix{s} +} + +func (self Suffix) Len() int { + return lenNo +} + +func (self Suffix) Match(s string) bool { + return strings.HasSuffix(s, self.Suffix) +} + +func (self Suffix) Index(s string) (int, []int) { + idx := strings.Index(s, self.Suffix) + if idx == -1 { + return -1, nil + } + + return 0, []int{idx + len(self.Suffix)} +} + +func (self Suffix) String() string { + return fmt.Sprintf("", self.Suffix) +} diff --git a/vendor/github.com/gobwas/glob/match/suffix_any.go b/vendor/github.com/gobwas/glob/match/suffix_any.go new file mode 100644 index 0000000000..c5106f8196 --- /dev/null +++ b/vendor/github.com/gobwas/glob/match/suffix_any.go @@ -0,0 +1,43 @@ +package match + +import ( + "fmt" + "strings" + + sutil "github.com/gobwas/glob/util/strings" +) + +type SuffixAny struct { + Suffix string + Separators []rune +} + +func NewSuffixAny(s string, sep []rune) SuffixAny { + return SuffixAny{s, sep} +} + +func (self SuffixAny) Index(s string) (int, []int) { + idx := strings.Index(s, self.Suffix) + if idx == -1 { + return -1, nil + } + + i := sutil.LastIndexAnyRunes(s[:idx], self.Separators) + 1 + + return i, []int{idx + len(self.Suffix) - i} +} + +func (self SuffixAny) Len() int { + return lenNo +} + +func (self SuffixAny) Match(s string) bool { + if !strings.HasSuffix(s, self.Suffix) { + return false + } + return sutil.IndexAnyRunes(s[:len(s)-len(self.Suffix)], self.Separators) == -1 +} + +func (self SuffixAny) String() string { + return fmt.Sprintf("", string(self.Separators), self.Suffix) +} diff --git a/vendor/github.com/gobwas/glob/match/super.go b/vendor/github.com/gobwas/glob/match/super.go new file mode 100644 index 0000000000..3875950bb8 --- /dev/null +++ b/vendor/github.com/gobwas/glob/match/super.go @@ -0,0 +1,33 @@ +package match + +import ( + "fmt" +) + +type Super struct{} + +func NewSuper() Super { + return Super{} +} + +func (self Super) Match(s string) bool { + return true +} + +func (self Super) Len() int { + return lenNo +} + +func (self Super) Index(s string) (int, []int) { + segments := acquireSegments(len(s) + 1) + for i := range s { + segments = append(segments, i) + } + segments = append(segments, len(s)) + + return 0, segments +} + +func (self Super) String() string { + return fmt.Sprintf("") +} diff --git a/vendor/github.com/gobwas/glob/match/text.go b/vendor/github.com/gobwas/glob/match/text.go new file mode 100644 index 0000000000..0a17616d3c --- /dev/null +++ b/vendor/github.com/gobwas/glob/match/text.go @@ -0,0 +1,45 @@ +package match + +import ( + "fmt" + "strings" + "unicode/utf8" +) + +// raw represents raw string to match +type Text struct { + Str string + RunesLength int + BytesLength int + Segments []int +} + +func NewText(s string) Text { + return Text{ + Str: s, + RunesLength: utf8.RuneCountInString(s), + BytesLength: len(s), + Segments: []int{len(s)}, + } +} + +func (self Text) Match(s string) bool { + return self.Str == s +} + +func (self Text) Len() int { + return self.RunesLength +} + +func (self Text) Index(s string) (int, []int) { + index := strings.Index(s, self.Str) + if index == -1 { + return -1, nil + } + + return index, self.Segments +} + +func (self Text) String() string { + return fmt.Sprintf("", self.Str) +} diff --git a/vendor/github.com/gobwas/glob/readme.md b/vendor/github.com/gobwas/glob/readme.md new file mode 100644 index 0000000000..f58144e733 --- /dev/null +++ b/vendor/github.com/gobwas/glob/readme.md @@ -0,0 +1,148 @@ +# glob.[go](https://golang.org) + +[![GoDoc][godoc-image]][godoc-url] [![Build Status][travis-image]][travis-url] + +> Go Globbing Library. + +## Install + +```shell + go get github.com/gobwas/glob +``` + +## Example + +```go + +package main + +import "github.com/gobwas/glob" + +func main() { + var g glob.Glob + + // create simple glob + g = glob.MustCompile("*.github.com") + g.Match("api.github.com") // true + + // quote meta characters and then create simple glob + g = glob.MustCompile(glob.QuoteMeta("*.github.com")) + g.Match("*.github.com") // true + + // create new glob with set of delimiters as ["."] + g = glob.MustCompile("api.*.com", '.') + g.Match("api.github.com") // true + g.Match("api.gi.hub.com") // false + + // create new glob with set of delimiters as ["."] + // but now with super wildcard + g = glob.MustCompile("api.**.com", '.') + g.Match("api.github.com") // true + g.Match("api.gi.hub.com") // true + + // create glob with single symbol wildcard + g = glob.MustCompile("?at") + g.Match("cat") // true + g.Match("fat") // true + g.Match("at") // false + + // create glob with single symbol wildcard and delimiters ['f'] + g = glob.MustCompile("?at", 'f') + g.Match("cat") // true + g.Match("fat") // false + g.Match("at") // false + + // create glob with character-list matchers + g = glob.MustCompile("[abc]at") + g.Match("cat") // true + g.Match("bat") // true + g.Match("fat") // false + g.Match("at") // false + + // create glob with character-list matchers + g = glob.MustCompile("[!abc]at") + g.Match("cat") // false + g.Match("bat") // false + g.Match("fat") // true + g.Match("at") // false + + // create glob with character-range matchers + g = glob.MustCompile("[a-c]at") + g.Match("cat") // true + g.Match("bat") // true + g.Match("fat") // false + g.Match("at") // false + + // create glob with character-range matchers + g = glob.MustCompile("[!a-c]at") + g.Match("cat") // false + g.Match("bat") // false + g.Match("fat") // true + g.Match("at") // false + + // create glob with pattern-alternatives list + g = glob.MustCompile("{cat,bat,[fr]at}") + g.Match("cat") // true + g.Match("bat") // true + g.Match("fat") // true + g.Match("rat") // true + g.Match("at") // false + g.Match("zat") // false +} + +``` + +## Performance + +This library is created for compile-once patterns. This means, that compilation could take time, but +strings matching is done faster, than in case when always parsing template. + +If you will not use compiled `glob.Glob` object, and do `g := glob.MustCompile(pattern); g.Match(...)` every time, then your code will be much more slower. + +Run `go test -bench=.` from source root to see the benchmarks: + +Pattern | Fixture | Match | Speed (ns/op) +--------|---------|-------|-------------- +`[a-z][!a-x]*cat*[h][!b]*eyes*` | `my cat has very bright eyes` | `true` | 432 +`[a-z][!a-x]*cat*[h][!b]*eyes*` | `my dog has very bright eyes` | `false` | 199 +`https://*.google.*` | `https://account.google.com` | `true` | 96 +`https://*.google.*` | `https://google.com` | `false` | 66 +`{https://*.google.*,*yandex.*,*yahoo.*,*mail.ru}` | `http://yahoo.com` | `true` | 163 +`{https://*.google.*,*yandex.*,*yahoo.*,*mail.ru}` | `http://google.com` | `false` | 197 +`{https://*gobwas.com,http://exclude.gobwas.com}` | `https://safe.gobwas.com` | `true` | 22 +`{https://*gobwas.com,http://exclude.gobwas.com}` | `http://safe.gobwas.com` | `false` | 24 +`abc*` | `abcdef` | `true` | 8.15 +`abc*` | `af` | `false` | 5.68 +`*def` | `abcdef` | `true` | 8.84 +`*def` | `af` | `false` | 5.74 +`ab*ef` | `abcdef` | `true` | 15.2 +`ab*ef` | `af` | `false` | 10.4 + +The same things with `regexp` package: + +Pattern | Fixture | Match | Speed (ns/op) +--------|---------|-------|-------------- +`^[a-z][^a-x].*cat.*[h][^b].*eyes.*$` | `my cat has very bright eyes` | `true` | 2553 +`^[a-z][^a-x].*cat.*[h][^b].*eyes.*$` | `my dog has very bright eyes` | `false` | 1383 +`^https:\/\/.*\.google\..*$` | `https://account.google.com` | `true` | 1205 +`^https:\/\/.*\.google\..*$` | `https://google.com` | `false` | 767 +`^(https:\/\/.*\.google\..*|.*yandex\..*|.*yahoo\..*|.*mail\.ru)$` | `http://yahoo.com` | `true` | 1435 +`^(https:\/\/.*\.google\..*|.*yandex\..*|.*yahoo\..*|.*mail\.ru)$` | `http://google.com` | `false` | 1674 +`^(https:\/\/.*gobwas\.com|http://exclude.gobwas.com)$` | `https://safe.gobwas.com` | `true` | 1039 +`^(https:\/\/.*gobwas\.com|http://exclude.gobwas.com)$` | `http://safe.gobwas.com` | `false` | 272 +`^abc.*$` | `abcdef` | `true` | 237 +`^abc.*$` | `af` | `false` | 100 +`^.*def$` | `abcdef` | `true` | 464 +`^.*def$` | `af` | `false` | 265 +`^ab.*ef$` | `abcdef` | `true` | 375 +`^ab.*ef$` | `af` | `false` | 145 + +[godoc-image]: https://godoc.org/github.com/gobwas/glob?status.svg +[godoc-url]: https://godoc.org/github.com/gobwas/glob +[travis-image]: https://travis-ci.org/gobwas/glob.svg?branch=master +[travis-url]: https://travis-ci.org/gobwas/glob + +## Syntax + +Syntax is inspired by [standard wildcards](http://tldp.org/LDP/GNU-Linux-Tools-Summary/html/x11655.htm), +except that `**` is aka super-asterisk, that do not sensitive for separators. \ No newline at end of file diff --git a/vendor/github.com/gobwas/glob/syntax/ast/ast.go b/vendor/github.com/gobwas/glob/syntax/ast/ast.go new file mode 100644 index 0000000000..3220a694a9 --- /dev/null +++ b/vendor/github.com/gobwas/glob/syntax/ast/ast.go @@ -0,0 +1,122 @@ +package ast + +import ( + "bytes" + "fmt" +) + +type Node struct { + Parent *Node + Children []*Node + Value interface{} + Kind Kind +} + +func NewNode(k Kind, v interface{}, ch ...*Node) *Node { + n := &Node{ + Kind: k, + Value: v, + } + for _, c := range ch { + Insert(n, c) + } + return n +} + +func (a *Node) Equal(b *Node) bool { + if a.Kind != b.Kind { + return false + } + if a.Value != b.Value { + return false + } + if len(a.Children) != len(b.Children) { + return false + } + for i, c := range a.Children { + if !c.Equal(b.Children[i]) { + return false + } + } + return true +} + +func (a *Node) String() string { + var buf bytes.Buffer + buf.WriteString(a.Kind.String()) + if a.Value != nil { + buf.WriteString(" =") + buf.WriteString(fmt.Sprintf("%v", a.Value)) + } + if len(a.Children) > 0 { + buf.WriteString(" [") + for i, c := range a.Children { + if i > 0 { + buf.WriteString(", ") + } + buf.WriteString(c.String()) + } + buf.WriteString("]") + } + return buf.String() +} + +func Insert(parent *Node, children ...*Node) { + parent.Children = append(parent.Children, children...) + for _, ch := range children { + ch.Parent = parent + } +} + +type List struct { + Not bool + Chars string +} + +type Range struct { + Not bool + Lo, Hi rune +} + +type Text struct { + Text string +} + +type Kind int + +const ( + KindNothing Kind = iota + KindPattern + KindList + KindRange + KindText + KindAny + KindSuper + KindSingle + KindAnyOf +) + +func (k Kind) String() string { + switch k { + case KindNothing: + return "Nothing" + case KindPattern: + return "Pattern" + case KindList: + return "List" + case KindRange: + return "Range" + case KindText: + return "Text" + case KindAny: + return "Any" + case KindSuper: + return "Super" + case KindSingle: + return "Single" + case KindAnyOf: + return "AnyOf" + default: + return "" + } +} diff --git a/vendor/github.com/gobwas/glob/syntax/ast/parser.go b/vendor/github.com/gobwas/glob/syntax/ast/parser.go new file mode 100644 index 0000000000..429b409430 --- /dev/null +++ b/vendor/github.com/gobwas/glob/syntax/ast/parser.go @@ -0,0 +1,157 @@ +package ast + +import ( + "errors" + "fmt" + "github.com/gobwas/glob/syntax/lexer" + "unicode/utf8" +) + +type Lexer interface { + Next() lexer.Token +} + +type parseFn func(*Node, Lexer) (parseFn, *Node, error) + +func Parse(lexer Lexer) (*Node, error) { + var parser parseFn + + root := NewNode(KindPattern, nil) + + var ( + tree *Node + err error + ) + for parser, tree = parserMain, root; parser != nil; { + parser, tree, err = parser(tree, lexer) + if err != nil { + return nil, err + } + } + + return root, nil +} + +func parserMain(tree *Node, lex Lexer) (parseFn, *Node, error) { + for { + token := lex.Next() + switch token.Type { + case lexer.EOF: + return nil, tree, nil + + case lexer.Error: + return nil, tree, errors.New(token.Raw) + + case lexer.Text: + Insert(tree, NewNode(KindText, Text{token.Raw})) + return parserMain, tree, nil + + case lexer.Any: + Insert(tree, NewNode(KindAny, nil)) + return parserMain, tree, nil + + case lexer.Super: + Insert(tree, NewNode(KindSuper, nil)) + return parserMain, tree, nil + + case lexer.Single: + Insert(tree, NewNode(KindSingle, nil)) + return parserMain, tree, nil + + case lexer.RangeOpen: + return parserRange, tree, nil + + case lexer.TermsOpen: + a := NewNode(KindAnyOf, nil) + Insert(tree, a) + + p := NewNode(KindPattern, nil) + Insert(a, p) + + return parserMain, p, nil + + case lexer.Separator: + p := NewNode(KindPattern, nil) + Insert(tree.Parent, p) + + return parserMain, p, nil + + case lexer.TermsClose: + return parserMain, tree.Parent.Parent, nil + + default: + return nil, tree, fmt.Errorf("unexpected token: %s", token) + } + } + return nil, tree, fmt.Errorf("unknown error") +} + +func parserRange(tree *Node, lex Lexer) (parseFn, *Node, error) { + var ( + not bool + lo rune + hi rune + chars string + ) + for { + token := lex.Next() + switch token.Type { + case lexer.EOF: + return nil, tree, errors.New("unexpected end") + + case lexer.Error: + return nil, tree, errors.New(token.Raw) + + case lexer.Not: + not = true + + case lexer.RangeLo: + r, w := utf8.DecodeRuneInString(token.Raw) + if len(token.Raw) > w { + return nil, tree, fmt.Errorf("unexpected length of lo character") + } + lo = r + + case lexer.RangeBetween: + // + + case lexer.RangeHi: + r, w := utf8.DecodeRuneInString(token.Raw) + if len(token.Raw) > w { + return nil, tree, fmt.Errorf("unexpected length of lo character") + } + + hi = r + + if hi < lo { + return nil, tree, fmt.Errorf("hi character '%s' should be greater than lo '%s'", string(hi), string(lo)) + } + + case lexer.Text: + chars = token.Raw + + case lexer.RangeClose: + isRange := lo != 0 && hi != 0 + isChars := chars != "" + + if isChars == isRange { + return nil, tree, fmt.Errorf("could not parse range") + } + + if isRange { + Insert(tree, NewNode(KindRange, Range{ + Lo: lo, + Hi: hi, + Not: not, + })) + } else { + Insert(tree, NewNode(KindList, List{ + Chars: chars, + Not: not, + })) + } + + return parserMain, tree, nil + } + } +} diff --git a/vendor/github.com/gobwas/glob/syntax/lexer/lexer.go b/vendor/github.com/gobwas/glob/syntax/lexer/lexer.go new file mode 100644 index 0000000000..a1c8d1962a --- /dev/null +++ b/vendor/github.com/gobwas/glob/syntax/lexer/lexer.go @@ -0,0 +1,273 @@ +package lexer + +import ( + "bytes" + "fmt" + "github.com/gobwas/glob/util/runes" + "unicode/utf8" +) + +const ( + char_any = '*' + char_comma = ',' + char_single = '?' + char_escape = '\\' + char_range_open = '[' + char_range_close = ']' + char_terms_open = '{' + char_terms_close = '}' + char_range_not = '!' + char_range_between = '-' +) + +var specials = []byte{ + char_any, + char_single, + char_escape, + char_range_open, + char_range_close, + char_terms_open, + char_terms_close, +} + +func Special(c byte) bool { + return bytes.IndexByte(specials, c) != -1 +} + +type tokens []Token + +func (i *tokens) shift() (ret Token) { + ret = (*i)[0] + copy(*i, (*i)[1:]) + *i = (*i)[:len(*i)-1] + return +} + +func (i *tokens) push(v Token) { + *i = append(*i, v) +} + +func (i *tokens) empty() bool { + return len(*i) == 0 +} + +var eof rune = 0 + +type lexer struct { + data string + pos int + err error + + tokens tokens + termsLevel int + + lastRune rune + lastRuneSize int + hasRune bool +} + +func NewLexer(source string) *lexer { + l := &lexer{ + data: source, + tokens: tokens(make([]Token, 0, 4)), + } + return l +} + +func (l *lexer) Next() Token { + if l.err != nil { + return Token{Error, l.err.Error()} + } + if !l.tokens.empty() { + return l.tokens.shift() + } + + l.fetchItem() + return l.Next() +} + +func (l *lexer) peek() (r rune, w int) { + if l.pos == len(l.data) { + return eof, 0 + } + + r, w = utf8.DecodeRuneInString(l.data[l.pos:]) + if r == utf8.RuneError { + l.errorf("could not read rune") + r = eof + w = 0 + } + + return +} + +func (l *lexer) read() rune { + if l.hasRune { + l.hasRune = false + l.seek(l.lastRuneSize) + return l.lastRune + } + + r, s := l.peek() + l.seek(s) + + l.lastRune = r + l.lastRuneSize = s + + return r +} + +func (l *lexer) seek(w int) { + l.pos += w +} + +func (l *lexer) unread() { + if l.hasRune { + l.errorf("could not unread rune") + return + } + l.seek(-l.lastRuneSize) + l.hasRune = true +} + +func (l *lexer) errorf(f string, v ...interface{}) { + l.err = fmt.Errorf(f, v...) +} + +func (l *lexer) inTerms() bool { + return l.termsLevel > 0 +} + +func (l *lexer) termsEnter() { + l.termsLevel++ +} + +func (l *lexer) termsLeave() { + l.termsLevel-- +} + +var inTextBreakers = []rune{char_single, char_any, char_range_open, char_terms_open} +var inTermsBreakers = append(inTextBreakers, char_terms_close, char_comma) + +func (l *lexer) fetchItem() { + r := l.read() + switch { + case r == eof: + l.tokens.push(Token{EOF, ""}) + + case r == char_terms_open: + l.termsEnter() + l.tokens.push(Token{TermsOpen, string(r)}) + + case r == char_comma && l.inTerms(): + l.tokens.push(Token{Separator, string(r)}) + + case r == char_terms_close && l.inTerms(): + l.tokens.push(Token{TermsClose, string(r)}) + l.termsLeave() + + case r == char_range_open: + l.tokens.push(Token{RangeOpen, string(r)}) + l.fetchRange() + + case r == char_single: + l.tokens.push(Token{Single, string(r)}) + + case r == char_any: + if l.read() == char_any { + l.tokens.push(Token{Super, string(r) + string(r)}) + } else { + l.unread() + l.tokens.push(Token{Any, string(r)}) + } + + default: + l.unread() + + var breakers []rune + if l.inTerms() { + breakers = inTermsBreakers + } else { + breakers = inTextBreakers + } + l.fetchText(breakers) + } +} + +func (l *lexer) fetchRange() { + var wantHi bool + var wantClose bool + var seenNot bool + for { + r := l.read() + if r == eof { + l.errorf("unexpected end of input") + return + } + + if wantClose { + if r != char_range_close { + l.errorf("expected close range character") + } else { + l.tokens.push(Token{RangeClose, string(r)}) + } + return + } + + if wantHi { + l.tokens.push(Token{RangeHi, string(r)}) + wantClose = true + continue + } + + if !seenNot && r == char_range_not { + l.tokens.push(Token{Not, string(r)}) + seenNot = true + continue + } + + if n, w := l.peek(); n == char_range_between { + l.seek(w) + l.tokens.push(Token{RangeLo, string(r)}) + l.tokens.push(Token{RangeBetween, string(n)}) + wantHi = true + continue + } + + l.unread() // unread first peek and fetch as text + l.fetchText([]rune{char_range_close}) + wantClose = true + } +} + +func (l *lexer) fetchText(breakers []rune) { + var data []rune + var escaped bool + +reading: + for { + r := l.read() + if r == eof { + break + } + + if !escaped { + if r == char_escape { + escaped = true + continue + } + + if runes.IndexRune(breakers, r) != -1 { + l.unread() + break reading + } + } + + escaped = false + data = append(data, r) + } + + if len(data) > 0 { + l.tokens.push(Token{Text, string(data)}) + } +} diff --git a/vendor/github.com/gobwas/glob/syntax/lexer/token.go b/vendor/github.com/gobwas/glob/syntax/lexer/token.go new file mode 100644 index 0000000000..2797c4e83a --- /dev/null +++ b/vendor/github.com/gobwas/glob/syntax/lexer/token.go @@ -0,0 +1,88 @@ +package lexer + +import "fmt" + +type TokenType int + +const ( + EOF TokenType = iota + Error + Text + Char + Any + Super + Single + Not + Separator + RangeOpen + RangeClose + RangeLo + RangeHi + RangeBetween + TermsOpen + TermsClose +) + +func (tt TokenType) String() string { + switch tt { + case EOF: + return "eof" + + case Error: + return "error" + + case Text: + return "text" + + case Char: + return "char" + + case Any: + return "any" + + case Super: + return "super" + + case Single: + return "single" + + case Not: + return "not" + + case Separator: + return "separator" + + case RangeOpen: + return "range_open" + + case RangeClose: + return "range_close" + + case RangeLo: + return "range_lo" + + case RangeHi: + return "range_hi" + + case RangeBetween: + return "range_between" + + case TermsOpen: + return "terms_open" + + case TermsClose: + return "terms_close" + + default: + return "undef" + } +} + +type Token struct { + Type TokenType + Raw string +} + +func (t Token) String() string { + return fmt.Sprintf("%v<%q>", t.Type, t.Raw) +} diff --git a/vendor/github.com/gobwas/glob/syntax/syntax.go b/vendor/github.com/gobwas/glob/syntax/syntax.go new file mode 100644 index 0000000000..1d168b1482 --- /dev/null +++ b/vendor/github.com/gobwas/glob/syntax/syntax.go @@ -0,0 +1,14 @@ +package syntax + +import ( + "github.com/gobwas/glob/syntax/ast" + "github.com/gobwas/glob/syntax/lexer" +) + +func Parse(s string) (*ast.Node, error) { + return ast.Parse(lexer.NewLexer(s)) +} + +func Special(b byte) bool { + return lexer.Special(b) +} diff --git a/vendor/github.com/gobwas/glob/util/runes/runes.go b/vendor/github.com/gobwas/glob/util/runes/runes.go new file mode 100644 index 0000000000..a723556410 --- /dev/null +++ b/vendor/github.com/gobwas/glob/util/runes/runes.go @@ -0,0 +1,154 @@ +package runes + +func Index(s, needle []rune) int { + ls, ln := len(s), len(needle) + + switch { + case ln == 0: + return 0 + case ln == 1: + return IndexRune(s, needle[0]) + case ln == ls: + if Equal(s, needle) { + return 0 + } + return -1 + case ln > ls: + return -1 + } + +head: + for i := 0; i < ls && ls-i >= ln; i++ { + for y := 0; y < ln; y++ { + if s[i+y] != needle[y] { + continue head + } + } + + return i + } + + return -1 +} + +func LastIndex(s, needle []rune) int { + ls, ln := len(s), len(needle) + + switch { + case ln == 0: + if ls == 0 { + return 0 + } + return ls + case ln == 1: + return IndexLastRune(s, needle[0]) + case ln == ls: + if Equal(s, needle) { + return 0 + } + return -1 + case ln > ls: + return -1 + } + +head: + for i := ls - 1; i >= 0 && i >= ln; i-- { + for y := ln - 1; y >= 0; y-- { + if s[i-(ln-y-1)] != needle[y] { + continue head + } + } + + return i - ln + 1 + } + + return -1 +} + +// IndexAny returns the index of the first instance of any Unicode code point +// from chars in s, or -1 if no Unicode code point from chars is present in s. +func IndexAny(s, chars []rune) int { + if len(chars) > 0 { + for i, c := range s { + for _, m := range chars { + if c == m { + return i + } + } + } + } + return -1 +} + +func Contains(s, needle []rune) bool { + return Index(s, needle) >= 0 +} + +func Max(s []rune) (max rune) { + for _, r := range s { + if r > max { + max = r + } + } + + return +} + +func Min(s []rune) rune { + min := rune(-1) + for _, r := range s { + if min == -1 { + min = r + continue + } + + if r < min { + min = r + } + } + + return min +} + +func IndexRune(s []rune, r rune) int { + for i, c := range s { + if c == r { + return i + } + } + return -1 +} + +func IndexLastRune(s []rune, r rune) int { + for i := len(s) - 1; i >= 0; i-- { + if s[i] == r { + return i + } + } + + return -1 +} + +func Equal(a, b []rune) bool { + if len(a) == len(b) { + for i := 0; i < len(a); i++ { + if a[i] != b[i] { + return false + } + } + + return true + } + + return false +} + +// HasPrefix tests whether the string s begins with prefix. +func HasPrefix(s, prefix []rune) bool { + return len(s) >= len(prefix) && Equal(s[0:len(prefix)], prefix) +} + +// HasSuffix tests whether the string s ends with suffix. +func HasSuffix(s, suffix []rune) bool { + return len(s) >= len(suffix) && Equal(s[len(s)-len(suffix):], suffix) +} diff --git a/vendor/github.com/gobwas/glob/util/strings/strings.go b/vendor/github.com/gobwas/glob/util/strings/strings.go new file mode 100644 index 0000000000..e8ee1920b1 --- /dev/null +++ b/vendor/github.com/gobwas/glob/util/strings/strings.go @@ -0,0 +1,39 @@ +package strings + +import ( + "strings" + "unicode/utf8" +) + +func IndexAnyRunes(s string, rs []rune) int { + for _, r := range rs { + if i := strings.IndexRune(s, r); i != -1 { + return i + } + } + + return -1 +} + +func LastIndexAnyRunes(s string, rs []rune) int { + for _, r := range rs { + i := -1 + if 0 <= r && r < utf8.RuneSelf { + i = strings.LastIndexByte(s, byte(r)) + } else { + sub := s + for len(sub) > 0 { + j := strings.IndexRune(s, r) + if j == -1 { + break + } + i = j + sub = sub[i+1:] + } + } + if i != -1 { + return i + } + } + return -1 +} diff --git a/vendor/github.com/google/shlex/COPYING b/vendor/github.com/google/shlex/COPYING new file mode 100644 index 0000000000..d645695673 --- /dev/null +++ b/vendor/github.com/google/shlex/COPYING @@ -0,0 +1,202 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/vendor/github.com/google/shlex/README b/vendor/github.com/google/shlex/README new file mode 100644 index 0000000000..c86bcc066f --- /dev/null +++ b/vendor/github.com/google/shlex/README @@ -0,0 +1,2 @@ +go-shlex is a simple lexer for go that supports shell-style quoting, +commenting, and escaping. diff --git a/vendor/github.com/google/shlex/shlex.go b/vendor/github.com/google/shlex/shlex.go new file mode 100644 index 0000000000..d98308bce3 --- /dev/null +++ b/vendor/github.com/google/shlex/shlex.go @@ -0,0 +1,416 @@ +/* +Copyright 2012 Google Inc. All Rights Reserved. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +/* +Package shlex implements a simple lexer which splits input in to tokens using +shell-style rules for quoting and commenting. + +The basic use case uses the default ASCII lexer to split a string into sub-strings: + + shlex.Split("one \"two three\" four") -> []string{"one", "two three", "four"} + +To process a stream of strings: + + l := NewLexer(os.Stdin) + for ; token, err := l.Next(); err != nil { + // process token + } + +To access the raw token stream (which includes tokens for comments): + + t := NewTokenizer(os.Stdin) + for ; token, err := t.Next(); err != nil { + // process token + } + +*/ +package shlex + +import ( + "bufio" + "fmt" + "io" + "strings" +) + +// TokenType is a top-level token classification: A word, space, comment, unknown. +type TokenType int + +// runeTokenClass is the type of a UTF-8 character classification: A quote, space, escape. +type runeTokenClass int + +// the internal state used by the lexer state machine +type lexerState int + +// Token is a (type, value) pair representing a lexographical token. +type Token struct { + tokenType TokenType + value string +} + +// Equal reports whether tokens a, and b, are equal. +// Two tokens are equal if both their types and values are equal. A nil token can +// never be equal to another token. +func (a *Token) Equal(b *Token) bool { + if a == nil || b == nil { + return false + } + if a.tokenType != b.tokenType { + return false + } + return a.value == b.value +} + +// Named classes of UTF-8 runes +const ( + spaceRunes = " \t\r\n" + escapingQuoteRunes = `"` + nonEscapingQuoteRunes = "'" + escapeRunes = `\` + commentRunes = "#" +) + +// Classes of rune token +const ( + unknownRuneClass runeTokenClass = iota + spaceRuneClass + escapingQuoteRuneClass + nonEscapingQuoteRuneClass + escapeRuneClass + commentRuneClass + eofRuneClass +) + +// Classes of lexographic token +const ( + UnknownToken TokenType = iota + WordToken + SpaceToken + CommentToken +) + +// Lexer state machine states +const ( + startState lexerState = iota // no runes have been seen + inWordState // processing regular runes in a word + escapingState // we have just consumed an escape rune; the next rune is literal + escapingQuotedState // we have just consumed an escape rune within a quoted string + quotingEscapingState // we are within a quoted string that supports escaping ("...") + quotingState // we are within a string that does not support escaping ('...') + commentState // we are within a comment (everything following an unquoted or unescaped # +) + +// tokenClassifier is used for classifying rune characters. +type tokenClassifier map[rune]runeTokenClass + +func (typeMap tokenClassifier) addRuneClass(runes string, tokenType runeTokenClass) { + for _, runeChar := range runes { + typeMap[runeChar] = tokenType + } +} + +// newDefaultClassifier creates a new classifier for ASCII characters. +func newDefaultClassifier() tokenClassifier { + t := tokenClassifier{} + t.addRuneClass(spaceRunes, spaceRuneClass) + t.addRuneClass(escapingQuoteRunes, escapingQuoteRuneClass) + t.addRuneClass(nonEscapingQuoteRunes, nonEscapingQuoteRuneClass) + t.addRuneClass(escapeRunes, escapeRuneClass) + t.addRuneClass(commentRunes, commentRuneClass) + return t +} + +// ClassifyRune classifiees a rune +func (t tokenClassifier) ClassifyRune(runeVal rune) runeTokenClass { + return t[runeVal] +} + +// Lexer turns an input stream into a sequence of tokens. Whitespace and comments are skipped. +type Lexer Tokenizer + +// NewLexer creates a new lexer from an input stream. +func NewLexer(r io.Reader) *Lexer { + + return (*Lexer)(NewTokenizer(r)) +} + +// Next returns the next word, or an error. If there are no more words, +// the error will be io.EOF. +func (l *Lexer) Next() (string, error) { + for { + token, err := (*Tokenizer)(l).Next() + if err != nil { + return "", err + } + switch token.tokenType { + case WordToken: + return token.value, nil + case CommentToken: + // skip comments + default: + return "", fmt.Errorf("Unknown token type: %v", token.tokenType) + } + } +} + +// Tokenizer turns an input stream into a sequence of typed tokens +type Tokenizer struct { + input bufio.Reader + classifier tokenClassifier +} + +// NewTokenizer creates a new tokenizer from an input stream. +func NewTokenizer(r io.Reader) *Tokenizer { + input := bufio.NewReader(r) + classifier := newDefaultClassifier() + return &Tokenizer{ + input: *input, + classifier: classifier} +} + +// scanStream scans the stream for the next token using the internal state machine. +// It will panic if it encounters a rune which it does not know how to handle. +func (t *Tokenizer) scanStream() (*Token, error) { + state := startState + var tokenType TokenType + var value []rune + var nextRune rune + var nextRuneType runeTokenClass + var err error + + for { + nextRune, _, err = t.input.ReadRune() + nextRuneType = t.classifier.ClassifyRune(nextRune) + + if err == io.EOF { + nextRuneType = eofRuneClass + err = nil + } else if err != nil { + return nil, err + } + + switch state { + case startState: // no runes read yet + { + switch nextRuneType { + case eofRuneClass: + { + return nil, io.EOF + } + case spaceRuneClass: + { + } + case escapingQuoteRuneClass: + { + tokenType = WordToken + state = quotingEscapingState + } + case nonEscapingQuoteRuneClass: + { + tokenType = WordToken + state = quotingState + } + case escapeRuneClass: + { + tokenType = WordToken + state = escapingState + } + case commentRuneClass: + { + tokenType = CommentToken + state = commentState + } + default: + { + tokenType = WordToken + value = append(value, nextRune) + state = inWordState + } + } + } + case inWordState: // in a regular word + { + switch nextRuneType { + case eofRuneClass: + { + token := &Token{ + tokenType: tokenType, + value: string(value)} + return token, err + } + case spaceRuneClass: + { + token := &Token{ + tokenType: tokenType, + value: string(value)} + return token, err + } + case escapingQuoteRuneClass: + { + state = quotingEscapingState + } + case nonEscapingQuoteRuneClass: + { + state = quotingState + } + case escapeRuneClass: + { + state = escapingState + } + default: + { + value = append(value, nextRune) + } + } + } + case escapingState: // the rune after an escape character + { + switch nextRuneType { + case eofRuneClass: + { + err = fmt.Errorf("EOF found after escape character") + token := &Token{ + tokenType: tokenType, + value: string(value)} + return token, err + } + default: + { + state = inWordState + value = append(value, nextRune) + } + } + } + case escapingQuotedState: // the next rune after an escape character, in double quotes + { + switch nextRuneType { + case eofRuneClass: + { + err = fmt.Errorf("EOF found after escape character") + token := &Token{ + tokenType: tokenType, + value: string(value)} + return token, err + } + default: + { + state = quotingEscapingState + value = append(value, nextRune) + } + } + } + case quotingEscapingState: // in escaping double quotes + { + switch nextRuneType { + case eofRuneClass: + { + err = fmt.Errorf("EOF found when expecting closing quote") + token := &Token{ + tokenType: tokenType, + value: string(value)} + return token, err + } + case escapingQuoteRuneClass: + { + state = inWordState + } + case escapeRuneClass: + { + state = escapingQuotedState + } + default: + { + value = append(value, nextRune) + } + } + } + case quotingState: // in non-escaping single quotes + { + switch nextRuneType { + case eofRuneClass: + { + err = fmt.Errorf("EOF found when expecting closing quote") + token := &Token{ + tokenType: tokenType, + value: string(value)} + return token, err + } + case nonEscapingQuoteRuneClass: + { + state = inWordState + } + default: + { + value = append(value, nextRune) + } + } + } + case commentState: // in a comment + { + switch nextRuneType { + case eofRuneClass: + { + token := &Token{ + tokenType: tokenType, + value: string(value)} + return token, err + } + case spaceRuneClass: + { + if nextRune == '\n' { + state = startState + token := &Token{ + tokenType: tokenType, + value: string(value)} + return token, err + } else { + value = append(value, nextRune) + } + } + default: + { + value = append(value, nextRune) + } + } + } + default: + { + return nil, fmt.Errorf("Unexpected state: %v", state) + } + } + } +} + +// Next returns the next token in the stream. +func (t *Tokenizer) Next() (*Token, error) { + return t.scanStream() +} + +// Split partitions a string into a slice of strings. +func Split(s string) ([]string, error) { + l := NewLexer(strings.NewReader(s)) + subStrings := make([]string, 0) + for { + word, err := l.Next() + if err != nil { + if err == io.EOF { + return subStrings, nil + } + return subStrings, err + } + subStrings = append(subStrings, word) + } +} diff --git a/vendor/github.com/gosuri/uitable/.travis.yml b/vendor/github.com/gosuri/uitable/.travis.yml new file mode 100644 index 0000000000..26fc3b438b --- /dev/null +++ b/vendor/github.com/gosuri/uitable/.travis.yml @@ -0,0 +1,6 @@ +language: go +sudo: false +install: + - go get ./... +go: + - tip diff --git a/vendor/github.com/gosuri/uitable/LICENSE b/vendor/github.com/gosuri/uitable/LICENSE new file mode 100644 index 0000000000..e436d90439 --- /dev/null +++ b/vendor/github.com/gosuri/uitable/LICENSE @@ -0,0 +1,10 @@ +MIT License +=========== + +Copyright (c) 2015, Greg Osuri + +Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. diff --git a/vendor/github.com/gosuri/uitable/Makefile b/vendor/github.com/gosuri/uitable/Makefile new file mode 100644 index 0000000000..60246a8a93 --- /dev/null +++ b/vendor/github.com/gosuri/uitable/Makefile @@ -0,0 +1,4 @@ +test: + @go test ./... + +.PHONY: test diff --git a/vendor/github.com/gosuri/uitable/README.md b/vendor/github.com/gosuri/uitable/README.md new file mode 100644 index 0000000000..683b538d13 --- /dev/null +++ b/vendor/github.com/gosuri/uitable/README.md @@ -0,0 +1,67 @@ +# uitable [![GoDoc](https://godoc.org/github.com/gosuri/uitable?status.svg)](https://godoc.org/github.com/gosuri/uitable) [![Build Status](https://travis-ci.org/gosuri/uitable.svg?branch=master)](https://travis-ci.org/gosuri/uitable) + +uitable is a go library for representing data as tables for terminal applications. It provides primitives for sizing and wrapping columns to improve readability. + +## Example Usage + +Full source code for the example is available at [example/main.go](example/main.go) + +```go +table := uitable.New() +table.MaxColWidth = 50 + +table.AddRow("NAME", "BIRTHDAY", "BIO") +for _, hacker := range hackers { + table.AddRow(hacker.Name, hacker.Birthday, hacker.Bio) +} +fmt.Println(table) +``` + +Will render the data as: + +```sh +NAME BIRTHDAY BIO +Ada Lovelace December 10, 1815 Ada was a British mathematician and writer, chi... +Alan Turing June 23, 1912 Alan was a British pioneering computer scientis... +``` + +For wrapping in two columns: + +```go +table = uitable.New() +table.MaxColWidth = 80 +table.Wrap = true // wrap columns + +for _, hacker := range hackers { + table.AddRow("Name:", hacker.Name) + table.AddRow("Birthday:", hacker.Birthday) + table.AddRow("Bio:", hacker.Bio) + table.AddRow("") // blank +} +fmt.Println(table) +``` + +Will render the data as: + +``` +Name: Ada Lovelace +Birthday: December 10, 1815 +Bio: Ada was a British mathematician and writer, chiefly known for her work on + Charles Babbage's early mechanical general-purpose computer, the Analytical + Engine + +Name: Alan Turing +Birthday: June 23, 1912 +Bio: Alan was a British pioneering computer scientist, mathematician, logician, + cryptanalyst and theoretical biologist +``` + +## Installation + +``` +$ go get -v github.com/gosuri/uitable +``` + + +[![Bitdeli Badge](https://d2weczhvl823v0.cloudfront.net/gosuri/uitable/trend.png)](https://bitdeli.com/free "Bitdeli Badge") + diff --git a/vendor/github.com/gosuri/uitable/table.go b/vendor/github.com/gosuri/uitable/table.go new file mode 100644 index 0000000000..b764e51502 --- /dev/null +++ b/vendor/github.com/gosuri/uitable/table.go @@ -0,0 +1,205 @@ +// Package uitable provides a decorator for formating data as a table +package uitable + +import ( + "fmt" + "strings" + "sync" + + "github.com/fatih/color" + "github.com/gosuri/uitable/util/strutil" + "github.com/gosuri/uitable/util/wordwrap" +) + +// Separator is the default column seperator +var Separator = "\t" + +// Table represents a decorator that renders the data in formatted in a table +type Table struct { + // Rows is the collection of rows in the table + Rows []*Row + + // MaxColWidth is the maximum allowed width for cells in the table + MaxColWidth uint + + // Wrap when set to true wraps the contents of the columns when the length exceeds the MaxColWidth + Wrap bool + + // Separator is the seperator for columns in the table. Default is "\t" + Separator string + + mtx *sync.RWMutex + rightAlign map[int]bool +} + +// New returns a new Table with default values +func New() *Table { + return &Table{ + Separator: Separator, + mtx: new(sync.RWMutex), + rightAlign: map[int]bool{}, + } +} + +// AddRow adds a new row to the table +func (t *Table) AddRow(data ...interface{}) *Table { + t.mtx.Lock() + defer t.mtx.Unlock() + r := NewRow(data...) + t.Rows = append(t.Rows, r) + return t +} + +// Bytes returns the []byte value of table +func (t *Table) Bytes() []byte { + return []byte(t.String()) +} + +func (t *Table) RightAlign(col int) { + t.mtx.Lock() + t.rightAlign[col] = true + t.mtx.Unlock() +} + +// String returns the string value of table +func (t *Table) String() string { + t.mtx.RLock() + defer t.mtx.RUnlock() + + if len(t.Rows) == 0 { + return "" + } + + // determine the width for each column (cell in a row) + var colwidths []uint + for _, row := range t.Rows { + for i, cell := range row.Cells { + // resize colwidth array + if i+1 > len(colwidths) { + colwidths = append(colwidths, 0) + } + cellwidth := cell.LineWidth() + if t.MaxColWidth != 0 && cellwidth > t.MaxColWidth { + cellwidth = t.MaxColWidth + } + + if cellwidth > colwidths[i] { + colwidths[i] = cellwidth + } + } + } + + var lines []string + for _, row := range t.Rows { + row.Separator = t.Separator + for i, cell := range row.Cells { + cell.Width = colwidths[i] + cell.Wrap = t.Wrap + cell.RightAlign = t.rightAlign[i] + } + lines = append(lines, row.String()) + } + return strutil.Join(lines, "\n") +} + +// Row represents a row in a table +type Row struct { + // Cells is the group of cell for the row + Cells []*Cell + + // Separator for tabular columns + Separator string +} + +// NewRow returns a new Row and adds the data to the row +func NewRow(data ...interface{}) *Row { + r := &Row{Cells: make([]*Cell, len(data))} + for i, d := range data { + r.Cells[i] = &Cell{Data: d} + } + return r +} + +// String returns the string representation of the row +func (r *Row) String() string { + // get the max number of lines for each cell + var lc int // line count + for _, cell := range r.Cells { + if clc := len(strings.Split(cell.String(), "\n")); clc > lc { + lc = clc + } + } + + // allocate a two-dimentional array of cells for each line and add size them + cells := make([][]*Cell, lc) + for x := 0; x < lc; x++ { + cells[x] = make([]*Cell, len(r.Cells)) + for y := 0; y < len(r.Cells); y++ { + cells[x][y] = &Cell{Width: r.Cells[y].Width} + } + } + + // insert each line in a cell as new cell in the cells array + for y, cell := range r.Cells { + lines := strings.Split(cell.String(), "\n") + for x, line := range lines { + cells[x][y].Data = line + } + } + + // format each line + lines := make([]string, lc) + for x := range lines { + line := make([]string, len(cells[x])) + for y := range cells[x] { + line[y] = cells[x][y].String() + } + lines[x] = strutil.Join(line, r.Separator) + } + return strings.Join(lines, "\n") +} + +// Cell represents a column in a row +type Cell struct { + // Width is the width of the cell + Width uint + + // Wrap when true wraps the contents of the cell when the lenght exceeds the width + Wrap bool + + // RightAlign when true aligns contents to the right + RightAlign bool + + // Data is the cell data + Data interface{} +} + +// LineWidth returns the max width of all the lines in a cell +func (c *Cell) LineWidth() uint { + width := 0 + for _, s := range strings.Split(c.String(), "\n") { + w := strutil.StringWidth(s) + if w > width { + width = w + } + } + return uint(width) +} + +// String returns the string formated representation of the cell +func (c *Cell) String() string { + if c.Data == nil { + return strutil.PadLeft(" ", int(c.Width), ' ') + } + col := color.New(color.FgBlack) + col.DisableColor() + s := fmt.Sprintf("%v", col.Sprint(c.Data)) + if c.Width > 0 { + if c.Wrap && uint(len(s)) > c.Width { + return wordwrap.WrapString(s, c.Width) + } else { + return strutil.Resize(s, c.Width, c.RightAlign) + } + } + return s +} diff --git a/vendor/github.com/gosuri/uitable/util/strutil/strutil.go b/vendor/github.com/gosuri/uitable/util/strutil/strutil.go new file mode 100644 index 0000000000..53f30a8fd3 --- /dev/null +++ b/vendor/github.com/gosuri/uitable/util/strutil/strutil.go @@ -0,0 +1,101 @@ +// Package strutil provides various utilities for manipulating strings +package strutil + +import ( + "bytes" + "regexp" + + "github.com/mattn/go-runewidth" +) + +const ansi = "[\u001B\u009B][[\\]()#;?]*(?:(?:(?:[a-zA-Z\\d]*(?:;[a-zA-Z\\d]*)*)?\u0007)|(?:(?:\\d{1,4}(?:;\\d{0,4})*)?[\\dA-PRZcf-ntqry=><~]))" + +var re = regexp.MustCompile(ansi) + +// PadRight returns a new string of a specified length in which the end of the current string is padded with spaces or with a specified Unicode character. +func PadRight(str string, length int, pad byte) string { + slen := StringWidth(str) + if slen >= length { + return str + } + buf := bytes.NewBufferString(str) + for i := 0; i < length-slen; i++ { + buf.WriteByte(pad) + } + return buf.String() +} + +// PadLeft returns a new string of a specified length in which the beginning of the current string is padded with spaces or with a specified Unicode character. +func PadLeft(str string, length int, pad byte) string { + slen := StringWidth(str) + if slen >= length { + return str + } + var buf bytes.Buffer + for i := 0; i < length-slen; i++ { + buf.WriteByte(pad) + } + buf.WriteString(str) + return buf.String() +} + +// Resize resizes the string with the given length. It ellipses with '...' when the string's length exceeds +// the desired length or pads spaces to the right of the string when length is smaller than desired +func Resize(s string, length uint, rightAlign bool) string { + slen := StringWidth(s) + n := int(length) + if slen == n { + return s + } + // Pads only when length of the string smaller than len needed + if rightAlign { + s = PadLeft(s, n, ' ') + } else { + s = PadRight(s, n, ' ') + } + if slen > n { + rs := []rune(s) + var buf bytes.Buffer + w := 0 + for _, r := range rs { + buf.WriteRune(r) + rw := RuneWidth(r) + if w+rw >= n-3 { + break + } + w += rw + } + buf.WriteString("...") + s = buf.String() + } + return s +} + +// Join joins the list of the string with the delim provided. +// Returns an empty string for empty list +func Join(list []string, delim string) string { + if len(list) == 0 { + return "" + } + var buf bytes.Buffer + for i := 0; i < len(list)-1; i++ { + buf.WriteString(list[i] + delim) + } + buf.WriteString(list[len(list)-1]) + return buf.String() +} + +// Strip strips the string of all colors +func Strip(s string) string { + return re.ReplaceAllString(s, "") +} + +// StringWidth returns the actual width of the string without colors +func StringWidth(s string) int { + return runewidth.StringWidth(Strip(s)) +} + +// RuneWidth returns the actual width of the rune +func RuneWidth(s rune) int { + return runewidth.RuneWidth(s) +} diff --git a/vendor/github.com/gosuri/uitable/util/wordwrap/LICENSE.md b/vendor/github.com/gosuri/uitable/util/wordwrap/LICENSE.md new file mode 100644 index 0000000000..2298515904 --- /dev/null +++ b/vendor/github.com/gosuri/uitable/util/wordwrap/LICENSE.md @@ -0,0 +1,21 @@ +The MIT License (MIT) + +Copyright (c) 2014 Mitchell Hashimoto + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE. diff --git a/vendor/github.com/gosuri/uitable/util/wordwrap/README.md b/vendor/github.com/gosuri/uitable/util/wordwrap/README.md new file mode 100644 index 0000000000..60ae311700 --- /dev/null +++ b/vendor/github.com/gosuri/uitable/util/wordwrap/README.md @@ -0,0 +1,39 @@ +# go-wordwrap + +`go-wordwrap` (Golang package: `wordwrap`) is a package for Go that +automatically wraps words into multiple lines. The primary use case for this +is in formatting CLI output, but of course word wrapping is a generally useful +thing to do. + +## Installation and Usage + +Install using `go get github.com/mitchellh/go-wordwrap`. + +Full documentation is available at +http://godoc.org/github.com/mitchellh/go-wordwrap + +Below is an example of its usage ignoring errors: + +```go +wrapped := wordwrap.WrapString("foo bar baz", 3) +fmt.Println(wrapped) +``` + +Would output: + +``` +foo +bar +baz +``` + +## Word Wrap Algorithm + +This library doesn't use any clever algorithm for word wrapping. The wrapping +is actually very naive: whenever there is whitespace or an explicit linebreak. +The goal of this library is for word wrapping CLI output, so the input is +typically pretty well controlled human language. Because of this, the naive +approach typically works just fine. + +In the future, we'd like to make the algorithm more advanced. We would do +so without breaking the API. diff --git a/vendor/github.com/gosuri/uitable/util/wordwrap/wordwrap.go b/vendor/github.com/gosuri/uitable/util/wordwrap/wordwrap.go new file mode 100644 index 0000000000..b2c63b8795 --- /dev/null +++ b/vendor/github.com/gosuri/uitable/util/wordwrap/wordwrap.go @@ -0,0 +1,85 @@ +// Package wordwrap provides methods for wrapping the contents of a string +package wordwrap + +import ( + "bytes" + "unicode" + + "github.com/gosuri/uitable/util/strutil" +) + +// WrapString wraps the given string within lim width in characters. +// +// Wrapping is currently naive and only happens at white-space. A future +// version of the library will implement smarter wrapping. This means that +// pathological cases can dramatically reach past the limit, such as a very +// long word. +func WrapString(s string, lim uint) string { + // Initialize a buffer with a slightly larger size to account for breaks + init := make([]byte, 0, len(s)) + buf := bytes.NewBuffer(init) + + var current uint + var wordBuf, spaceBuf bytes.Buffer + var wordWidth, spaceWidth int + + for _, char := range s { + if char == '\n' { + if wordBuf.Len() == 0 { + if current+uint(spaceWidth) > lim { + current = 0 + } else { + current += uint(spaceWidth) + spaceBuf.WriteTo(buf) + spaceWidth += strutil.StringWidth(buf.String()) + } + spaceBuf.Reset() + spaceWidth = 0 + } else { + current += uint(spaceWidth + wordWidth) + spaceBuf.WriteTo(buf) + spaceBuf.Reset() + wordBuf.WriteTo(buf) + wordBuf.Reset() + spaceWidth = 0 + wordWidth = 0 + } + buf.WriteRune(char) + current = 0 + } else if unicode.IsSpace(char) { + if spaceBuf.Len() == 0 || wordBuf.Len() > 0 { + current += uint(spaceWidth + wordWidth) + spaceBuf.WriteTo(buf) + spaceBuf.Reset() + wordBuf.WriteTo(buf) + wordBuf.Reset() + spaceWidth = 0 + wordWidth = 0 + } + + spaceBuf.WriteRune(char) + spaceWidth += strutil.RuneWidth(char) + } else { + wordBuf.WriteRune(char) + wordWidth += strutil.RuneWidth(char) + + if current+uint(spaceWidth+wordWidth) > lim && uint(wordWidth) < lim { + buf.WriteRune('\n') + current = 0 + spaceBuf.Reset() + spaceWidth = 0 + } + } + } + + if wordBuf.Len() == 0 { + if current+uint(spaceWidth) <= lim { + spaceBuf.WriteTo(buf) + } + } else { + spaceBuf.WriteTo(buf) + wordBuf.WriteTo(buf) + } + + return buf.String() +} diff --git a/vendor/github.com/gregjones/httpcache/.travis.yml b/vendor/github.com/gregjones/httpcache/.travis.yml new file mode 100644 index 0000000000..597bc9996f --- /dev/null +++ b/vendor/github.com/gregjones/httpcache/.travis.yml @@ -0,0 +1,18 @@ +sudo: false +language: go +matrix: + allow_failures: + - go: master + fast_finish: true + include: + - go: 1.10.x + - go: 1.11.x + env: GOFMT=1 + - go: master +install: + - # Do nothing. This is needed to prevent default install action "go get -t -v ./..." from happening here (we want it to happen inside script step). +script: + - go get -t -v ./... + - if test -n "${GOFMT}"; then gofmt -w -s . && git diff --exit-code; fi + - go tool vet . + - go test -v -race ./... diff --git a/vendor/github.com/gregjones/httpcache/LICENSE.txt b/vendor/github.com/gregjones/httpcache/LICENSE.txt new file mode 100644 index 0000000000..81316beb0c --- /dev/null +++ b/vendor/github.com/gregjones/httpcache/LICENSE.txt @@ -0,0 +1,7 @@ +Copyright © 2012 Greg Jones (greg.jones@gmail.com) + +Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Softwareâ€), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED “AS ISâ€, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. \ No newline at end of file diff --git a/vendor/github.com/gregjones/httpcache/README.md b/vendor/github.com/gregjones/httpcache/README.md new file mode 100644 index 0000000000..51e7d23d09 --- /dev/null +++ b/vendor/github.com/gregjones/httpcache/README.md @@ -0,0 +1,29 @@ +httpcache +========= + +[![Build Status](https://travis-ci.org/gregjones/httpcache.svg?branch=master)](https://travis-ci.org/gregjones/httpcache) [![GoDoc](https://godoc.org/github.com/gregjones/httpcache?status.svg)](https://godoc.org/github.com/gregjones/httpcache) + +Package httpcache provides a http.RoundTripper implementation that works as a mostly [RFC 7234](https://tools.ietf.org/html/rfc7234) compliant cache for http responses. + +It is only suitable for use as a 'private' cache (i.e. for a web-browser or an API-client and not for a shared proxy). + +This project isn't actively maintained; it works for what I, and seemingly others, want to do with it, and I consider it "done". That said, if you find any issues, please open a Pull Request and I will try to review it. Any changes now that change the public API won't be considered. + +Cache Backends +-------------- + +- The built-in 'memory' cache stores responses in an in-memory map. +- [`github.com/gregjones/httpcache/diskcache`](https://github.com/gregjones/httpcache/tree/master/diskcache) provides a filesystem-backed cache using the [diskv](https://github.com/peterbourgon/diskv) library. +- [`github.com/gregjones/httpcache/memcache`](https://github.com/gregjones/httpcache/tree/master/memcache) provides memcache implementations, for both App Engine and 'normal' memcache servers. +- [`sourcegraph.com/sourcegraph/s3cache`](https://sourcegraph.com/github.com/sourcegraph/s3cache) uses Amazon S3 for storage. +- [`github.com/gregjones/httpcache/leveldbcache`](https://github.com/gregjones/httpcache/tree/master/leveldbcache) provides a filesystem-backed cache using [leveldb](https://github.com/syndtr/goleveldb/leveldb). +- [`github.com/die-net/lrucache`](https://github.com/die-net/lrucache) provides an in-memory cache that will evict least-recently used entries. +- [`github.com/die-net/lrucache/twotier`](https://github.com/die-net/lrucache/tree/master/twotier) allows caches to be combined, for example to use lrucache above with a persistent disk-cache. +- [`github.com/birkelund/boltdbcache`](https://github.com/birkelund/boltdbcache) provides a BoltDB implementation (based on the [bbolt](https://github.com/coreos/bbolt) fork). + +If you implement any other backend and wish it to be linked here, please send a PR editing this file. + +License +------- + +- [MIT License](LICENSE.txt) diff --git a/vendor/github.com/gregjones/httpcache/httpcache.go b/vendor/github.com/gregjones/httpcache/httpcache.go new file mode 100644 index 0000000000..b41a63d1ff --- /dev/null +++ b/vendor/github.com/gregjones/httpcache/httpcache.go @@ -0,0 +1,551 @@ +// Package httpcache provides a http.RoundTripper implementation that works as a +// mostly RFC-compliant cache for http responses. +// +// It is only suitable for use as a 'private' cache (i.e. for a web-browser or an API-client +// and not for a shared proxy). +// +package httpcache + +import ( + "bufio" + "bytes" + "errors" + "io" + "io/ioutil" + "net/http" + "net/http/httputil" + "strings" + "sync" + "time" +) + +const ( + stale = iota + fresh + transparent + // XFromCache is the header added to responses that are returned from the cache + XFromCache = "X-From-Cache" +) + +// A Cache interface is used by the Transport to store and retrieve responses. +type Cache interface { + // Get returns the []byte representation of a cached response and a bool + // set to true if the value isn't empty + Get(key string) (responseBytes []byte, ok bool) + // Set stores the []byte representation of a response against a key + Set(key string, responseBytes []byte) + // Delete removes the value associated with the key + Delete(key string) +} + +// cacheKey returns the cache key for req. +func cacheKey(req *http.Request) string { + if req.Method == http.MethodGet { + return req.URL.String() + } else { + return req.Method + " " + req.URL.String() + } +} + +// CachedResponse returns the cached http.Response for req if present, and nil +// otherwise. +func CachedResponse(c Cache, req *http.Request) (resp *http.Response, err error) { + cachedVal, ok := c.Get(cacheKey(req)) + if !ok { + return + } + + b := bytes.NewBuffer(cachedVal) + return http.ReadResponse(bufio.NewReader(b), req) +} + +// MemoryCache is an implemtation of Cache that stores responses in an in-memory map. +type MemoryCache struct { + mu sync.RWMutex + items map[string][]byte +} + +// Get returns the []byte representation of the response and true if present, false if not +func (c *MemoryCache) Get(key string) (resp []byte, ok bool) { + c.mu.RLock() + resp, ok = c.items[key] + c.mu.RUnlock() + return resp, ok +} + +// Set saves response resp to the cache with key +func (c *MemoryCache) Set(key string, resp []byte) { + c.mu.Lock() + c.items[key] = resp + c.mu.Unlock() +} + +// Delete removes key from the cache +func (c *MemoryCache) Delete(key string) { + c.mu.Lock() + delete(c.items, key) + c.mu.Unlock() +} + +// NewMemoryCache returns a new Cache that will store items in an in-memory map +func NewMemoryCache() *MemoryCache { + c := &MemoryCache{items: map[string][]byte{}} + return c +} + +// Transport is an implementation of http.RoundTripper that will return values from a cache +// where possible (avoiding a network request) and will additionally add validators (etag/if-modified-since) +// to repeated requests allowing servers to return 304 / Not Modified +type Transport struct { + // The RoundTripper interface actually used to make requests + // If nil, http.DefaultTransport is used + Transport http.RoundTripper + Cache Cache + // If true, responses returned from the cache will be given an extra header, X-From-Cache + MarkCachedResponses bool +} + +// NewTransport returns a new Transport with the +// provided Cache implementation and MarkCachedResponses set to true +func NewTransport(c Cache) *Transport { + return &Transport{Cache: c, MarkCachedResponses: true} +} + +// Client returns an *http.Client that caches responses. +func (t *Transport) Client() *http.Client { + return &http.Client{Transport: t} +} + +// varyMatches will return false unless all of the cached values for the headers listed in Vary +// match the new request +func varyMatches(cachedResp *http.Response, req *http.Request) bool { + for _, header := range headerAllCommaSepValues(cachedResp.Header, "vary") { + header = http.CanonicalHeaderKey(header) + if header != "" && req.Header.Get(header) != cachedResp.Header.Get("X-Varied-"+header) { + return false + } + } + return true +} + +// RoundTrip takes a Request and returns a Response +// +// If there is a fresh Response already in cache, then it will be returned without connecting to +// the server. +// +// If there is a stale Response, then any validators it contains will be set on the new request +// to give the server a chance to respond with NotModified. If this happens, then the cached Response +// will be returned. +func (t *Transport) RoundTrip(req *http.Request) (resp *http.Response, err error) { + cacheKey := cacheKey(req) + cacheable := (req.Method == "GET" || req.Method == "HEAD") && req.Header.Get("range") == "" + var cachedResp *http.Response + if cacheable { + cachedResp, err = CachedResponse(t.Cache, req) + } else { + // Need to invalidate an existing value + t.Cache.Delete(cacheKey) + } + + transport := t.Transport + if transport == nil { + transport = http.DefaultTransport + } + + if cacheable && cachedResp != nil && err == nil { + if t.MarkCachedResponses { + cachedResp.Header.Set(XFromCache, "1") + } + + if varyMatches(cachedResp, req) { + // Can only use cached value if the new request doesn't Vary significantly + freshness := getFreshness(cachedResp.Header, req.Header) + if freshness == fresh { + return cachedResp, nil + } + + if freshness == stale { + var req2 *http.Request + // Add validators if caller hasn't already done so + etag := cachedResp.Header.Get("etag") + if etag != "" && req.Header.Get("etag") == "" { + req2 = cloneRequest(req) + req2.Header.Set("if-none-match", etag) + } + lastModified := cachedResp.Header.Get("last-modified") + if lastModified != "" && req.Header.Get("last-modified") == "" { + if req2 == nil { + req2 = cloneRequest(req) + } + req2.Header.Set("if-modified-since", lastModified) + } + if req2 != nil { + req = req2 + } + } + } + + resp, err = transport.RoundTrip(req) + if err == nil && req.Method == "GET" && resp.StatusCode == http.StatusNotModified { + // Replace the 304 response with the one from cache, but update with some new headers + endToEndHeaders := getEndToEndHeaders(resp.Header) + for _, header := range endToEndHeaders { + cachedResp.Header[header] = resp.Header[header] + } + resp = cachedResp + } else if (err != nil || (cachedResp != nil && resp.StatusCode >= 500)) && + req.Method == "GET" && canStaleOnError(cachedResp.Header, req.Header) { + // In case of transport failure and stale-if-error activated, returns cached content + // when available + return cachedResp, nil + } else { + if err != nil || resp.StatusCode != http.StatusOK { + t.Cache.Delete(cacheKey) + } + if err != nil { + return nil, err + } + } + } else { + reqCacheControl := parseCacheControl(req.Header) + if _, ok := reqCacheControl["only-if-cached"]; ok { + resp = newGatewayTimeoutResponse(req) + } else { + resp, err = transport.RoundTrip(req) + if err != nil { + return nil, err + } + } + } + + if cacheable && canStore(parseCacheControl(req.Header), parseCacheControl(resp.Header)) { + for _, varyKey := range headerAllCommaSepValues(resp.Header, "vary") { + varyKey = http.CanonicalHeaderKey(varyKey) + fakeHeader := "X-Varied-" + varyKey + reqValue := req.Header.Get(varyKey) + if reqValue != "" { + resp.Header.Set(fakeHeader, reqValue) + } + } + switch req.Method { + case "GET": + // Delay caching until EOF is reached. + resp.Body = &cachingReadCloser{ + R: resp.Body, + OnEOF: func(r io.Reader) { + resp := *resp + resp.Body = ioutil.NopCloser(r) + respBytes, err := httputil.DumpResponse(&resp, true) + if err == nil { + t.Cache.Set(cacheKey, respBytes) + } + }, + } + default: + respBytes, err := httputil.DumpResponse(resp, true) + if err == nil { + t.Cache.Set(cacheKey, respBytes) + } + } + } else { + t.Cache.Delete(cacheKey) + } + return resp, nil +} + +// ErrNoDateHeader indicates that the HTTP headers contained no Date header. +var ErrNoDateHeader = errors.New("no Date header") + +// Date parses and returns the value of the Date header. +func Date(respHeaders http.Header) (date time.Time, err error) { + dateHeader := respHeaders.Get("date") + if dateHeader == "" { + err = ErrNoDateHeader + return + } + + return time.Parse(time.RFC1123, dateHeader) +} + +type realClock struct{} + +func (c *realClock) since(d time.Time) time.Duration { + return time.Since(d) +} + +type timer interface { + since(d time.Time) time.Duration +} + +var clock timer = &realClock{} + +// getFreshness will return one of fresh/stale/transparent based on the cache-control +// values of the request and the response +// +// fresh indicates the response can be returned +// stale indicates that the response needs validating before it is returned +// transparent indicates the response should not be used to fulfil the request +// +// Because this is only a private cache, 'public' and 'private' in cache-control aren't +// signficant. Similarly, smax-age isn't used. +func getFreshness(respHeaders, reqHeaders http.Header) (freshness int) { + respCacheControl := parseCacheControl(respHeaders) + reqCacheControl := parseCacheControl(reqHeaders) + if _, ok := reqCacheControl["no-cache"]; ok { + return transparent + } + if _, ok := respCacheControl["no-cache"]; ok { + return stale + } + if _, ok := reqCacheControl["only-if-cached"]; ok { + return fresh + } + + date, err := Date(respHeaders) + if err != nil { + return stale + } + currentAge := clock.since(date) + + var lifetime time.Duration + var zeroDuration time.Duration + + // If a response includes both an Expires header and a max-age directive, + // the max-age directive overrides the Expires header, even if the Expires header is more restrictive. + if maxAge, ok := respCacheControl["max-age"]; ok { + lifetime, err = time.ParseDuration(maxAge + "s") + if err != nil { + lifetime = zeroDuration + } + } else { + expiresHeader := respHeaders.Get("Expires") + if expiresHeader != "" { + expires, err := time.Parse(time.RFC1123, expiresHeader) + if err != nil { + lifetime = zeroDuration + } else { + lifetime = expires.Sub(date) + } + } + } + + if maxAge, ok := reqCacheControl["max-age"]; ok { + // the client is willing to accept a response whose age is no greater than the specified time in seconds + lifetime, err = time.ParseDuration(maxAge + "s") + if err != nil { + lifetime = zeroDuration + } + } + if minfresh, ok := reqCacheControl["min-fresh"]; ok { + // the client wants a response that will still be fresh for at least the specified number of seconds. + minfreshDuration, err := time.ParseDuration(minfresh + "s") + if err == nil { + currentAge = time.Duration(currentAge + minfreshDuration) + } + } + + if maxstale, ok := reqCacheControl["max-stale"]; ok { + // Indicates that the client is willing to accept a response that has exceeded its expiration time. + // If max-stale is assigned a value, then the client is willing to accept a response that has exceeded + // its expiration time by no more than the specified number of seconds. + // If no value is assigned to max-stale, then the client is willing to accept a stale response of any age. + // + // Responses served only because of a max-stale value are supposed to have a Warning header added to them, + // but that seems like a hassle, and is it actually useful? If so, then there needs to be a different + // return-value available here. + if maxstale == "" { + return fresh + } + maxstaleDuration, err := time.ParseDuration(maxstale + "s") + if err == nil { + currentAge = time.Duration(currentAge - maxstaleDuration) + } + } + + if lifetime > currentAge { + return fresh + } + + return stale +} + +// Returns true if either the request or the response includes the stale-if-error +// cache control extension: https://tools.ietf.org/html/rfc5861 +func canStaleOnError(respHeaders, reqHeaders http.Header) bool { + respCacheControl := parseCacheControl(respHeaders) + reqCacheControl := parseCacheControl(reqHeaders) + + var err error + lifetime := time.Duration(-1) + + if staleMaxAge, ok := respCacheControl["stale-if-error"]; ok { + if staleMaxAge != "" { + lifetime, err = time.ParseDuration(staleMaxAge + "s") + if err != nil { + return false + } + } else { + return true + } + } + if staleMaxAge, ok := reqCacheControl["stale-if-error"]; ok { + if staleMaxAge != "" { + lifetime, err = time.ParseDuration(staleMaxAge + "s") + if err != nil { + return false + } + } else { + return true + } + } + + if lifetime >= 0 { + date, err := Date(respHeaders) + if err != nil { + return false + } + currentAge := clock.since(date) + if lifetime > currentAge { + return true + } + } + + return false +} + +func getEndToEndHeaders(respHeaders http.Header) []string { + // These headers are always hop-by-hop + hopByHopHeaders := map[string]struct{}{ + "Connection": {}, + "Keep-Alive": {}, + "Proxy-Authenticate": {}, + "Proxy-Authorization": {}, + "Te": {}, + "Trailers": {}, + "Transfer-Encoding": {}, + "Upgrade": {}, + } + + for _, extra := range strings.Split(respHeaders.Get("connection"), ",") { + // any header listed in connection, if present, is also considered hop-by-hop + if strings.Trim(extra, " ") != "" { + hopByHopHeaders[http.CanonicalHeaderKey(extra)] = struct{}{} + } + } + endToEndHeaders := []string{} + for respHeader := range respHeaders { + if _, ok := hopByHopHeaders[respHeader]; !ok { + endToEndHeaders = append(endToEndHeaders, respHeader) + } + } + return endToEndHeaders +} + +func canStore(reqCacheControl, respCacheControl cacheControl) (canStore bool) { + if _, ok := respCacheControl["no-store"]; ok { + return false + } + if _, ok := reqCacheControl["no-store"]; ok { + return false + } + return true +} + +func newGatewayTimeoutResponse(req *http.Request) *http.Response { + var braw bytes.Buffer + braw.WriteString("HTTP/1.1 504 Gateway Timeout\r\n\r\n") + resp, err := http.ReadResponse(bufio.NewReader(&braw), req) + if err != nil { + panic(err) + } + return resp +} + +// cloneRequest returns a clone of the provided *http.Request. +// The clone is a shallow copy of the struct and its Header map. +// (This function copyright goauth2 authors: https://code.google.com/p/goauth2) +func cloneRequest(r *http.Request) *http.Request { + // shallow copy of the struct + r2 := new(http.Request) + *r2 = *r + // deep copy of the Header + r2.Header = make(http.Header) + for k, s := range r.Header { + r2.Header[k] = s + } + return r2 +} + +type cacheControl map[string]string + +func parseCacheControl(headers http.Header) cacheControl { + cc := cacheControl{} + ccHeader := headers.Get("Cache-Control") + for _, part := range strings.Split(ccHeader, ",") { + part = strings.Trim(part, " ") + if part == "" { + continue + } + if strings.ContainsRune(part, '=') { + keyval := strings.Split(part, "=") + cc[strings.Trim(keyval[0], " ")] = strings.Trim(keyval[1], ",") + } else { + cc[part] = "" + } + } + return cc +} + +// headerAllCommaSepValues returns all comma-separated values (each +// with whitespace trimmed) for header name in headers. According to +// Section 4.2 of the HTTP/1.1 spec +// (http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2), +// values from multiple occurrences of a header should be concatenated, if +// the header's value is a comma-separated list. +func headerAllCommaSepValues(headers http.Header, name string) []string { + var vals []string + for _, val := range headers[http.CanonicalHeaderKey(name)] { + fields := strings.Split(val, ",") + for i, f := range fields { + fields[i] = strings.TrimSpace(f) + } + vals = append(vals, fields...) + } + return vals +} + +// cachingReadCloser is a wrapper around ReadCloser R that calls OnEOF +// handler with a full copy of the content read from R when EOF is +// reached. +type cachingReadCloser struct { + // Underlying ReadCloser. + R io.ReadCloser + // OnEOF is called with a copy of the content of R when EOF is reached. + OnEOF func(io.Reader) + + buf bytes.Buffer // buf stores a copy of the content of R. +} + +// Read reads the next len(p) bytes from R or until R is drained. The +// return value n is the number of bytes read. If R has no data to +// return, err is io.EOF and OnEOF is called with a full copy of what +// has been read so far. +func (r *cachingReadCloser) Read(p []byte) (n int, err error) { + n, err = r.R.Read(p) + r.buf.Write(p[:n]) + if err == io.EOF { + r.OnEOF(bytes.NewReader(r.buf.Bytes())) + } + return n, err +} + +func (r *cachingReadCloser) Close() error { + return r.R.Close() +} + +// NewMemoryCacheTransport returns a new Transport using the in-memory cache implementation +func NewMemoryCacheTransport() *Transport { + c := NewMemoryCache() + t := NewTransport(c) + return t +} diff --git a/vendor/github.com/hashicorp/errwrap/LICENSE b/vendor/github.com/hashicorp/errwrap/LICENSE new file mode 100644 index 0000000000..c33dcc7c92 --- /dev/null +++ b/vendor/github.com/hashicorp/errwrap/LICENSE @@ -0,0 +1,354 @@ +Mozilla Public License, version 2.0 + +1. Definitions + +1.1. “Contributor†+ + means each individual or legal entity that creates, contributes to the + creation of, or owns Covered Software. + +1.2. “Contributor Version†+ + means the combination of the Contributions of others (if any) used by a + Contributor and that particular Contributor’s Contribution. + +1.3. “Contribution†+ + means Covered Software of a particular Contributor. + +1.4. “Covered Software†+ + means Source Code Form to which the initial Contributor has attached the + notice in Exhibit A, the Executable Form of such Source Code Form, and + Modifications of such Source Code Form, in each case including portions + thereof. + +1.5. “Incompatible With Secondary Licenses†+ means + + a. that the initial Contributor has attached the notice described in + Exhibit B to the Covered Software; or + + b. that the Covered Software was made available under the terms of version + 1.1 or earlier of the License, but not also under the terms of a + Secondary License. + +1.6. “Executable Form†+ + means any form of the work other than Source Code Form. + +1.7. “Larger Work†+ + means a work that combines Covered Software with other material, in a separate + file or files, that is not Covered Software. + +1.8. “License†+ + means this document. + +1.9. “Licensable†+ + means having the right to grant, to the maximum extent possible, whether at the + time of the initial grant or subsequently, any and all of the rights conveyed by + this License. + +1.10. “Modifications†+ + means any of the following: + + a. any file in Source Code Form that results from an addition to, deletion + from, or modification of the contents of Covered Software; or + + b. any new file in Source Code Form that contains any Covered Software. + +1.11. “Patent Claims†of a Contributor + + means any patent claim(s), including without limitation, method, process, + and apparatus claims, in any patent Licensable by such Contributor that + would be infringed, but for the grant of the License, by the making, + using, selling, offering for sale, having made, import, or transfer of + either its Contributions or its Contributor Version. + +1.12. “Secondary License†+ + means either the GNU General Public License, Version 2.0, the GNU Lesser + General Public License, Version 2.1, the GNU Affero General Public + License, Version 3.0, or any later versions of those licenses. + +1.13. “Source Code Form†+ + means the form of the work preferred for making modifications. + +1.14. “You†(or “Yourâ€) + + means an individual or a legal entity exercising rights under this + License. For legal entities, “You†includes any entity that controls, is + controlled by, or is under common control with You. For purposes of this + definition, “control†means (a) the power, direct or indirect, to cause + the direction or management of such entity, whether by contract or + otherwise, or (b) ownership of more than fifty percent (50%) of the + outstanding shares or beneficial ownership of such entity. + + +2. License Grants and Conditions + +2.1. Grants + + Each Contributor hereby grants You a world-wide, royalty-free, + non-exclusive license: + + a. under intellectual property rights (other than patent or trademark) + Licensable by such Contributor to use, reproduce, make available, + modify, display, perform, distribute, and otherwise exploit its + Contributions, either on an unmodified basis, with Modifications, or as + part of a Larger Work; and + + b. under Patent Claims of such Contributor to make, use, sell, offer for + sale, have made, import, and otherwise transfer either its Contributions + or its Contributor Version. + +2.2. Effective Date + + The licenses granted in Section 2.1 with respect to any Contribution become + effective for each Contribution on the date the Contributor first distributes + such Contribution. + +2.3. Limitations on Grant Scope + + The licenses granted in this Section 2 are the only rights granted under this + License. No additional rights or licenses will be implied from the distribution + or licensing of Covered Software under this License. Notwithstanding Section + 2.1(b) above, no patent license is granted by a Contributor: + + a. for any code that a Contributor has removed from Covered Software; or + + b. for infringements caused by: (i) Your and any other third party’s + modifications of Covered Software, or (ii) the combination of its + Contributions with other software (except as part of its Contributor + Version); or + + c. under Patent Claims infringed by Covered Software in the absence of its + Contributions. + + This License does not grant any rights in the trademarks, service marks, or + logos of any Contributor (except as may be necessary to comply with the + notice requirements in Section 3.4). + +2.4. Subsequent Licenses + + No Contributor makes additional grants as a result of Your choice to + distribute the Covered Software under a subsequent version of this License + (see Section 10.2) or under the terms of a Secondary License (if permitted + under the terms of Section 3.3). + +2.5. Representation + + Each Contributor represents that the Contributor believes its Contributions + are its original creation(s) or it has sufficient rights to grant the + rights to its Contributions conveyed by this License. + +2.6. Fair Use + + This License is not intended to limit any rights You have under applicable + copyright doctrines of fair use, fair dealing, or other equivalents. + +2.7. Conditions + + Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted in + Section 2.1. + + +3. Responsibilities + +3.1. Distribution of Source Form + + All distribution of Covered Software in Source Code Form, including any + Modifications that You create or to which You contribute, must be under the + terms of this License. You must inform recipients that the Source Code Form + of the Covered Software is governed by the terms of this License, and how + they can obtain a copy of this License. You may not attempt to alter or + restrict the recipients’ rights in the Source Code Form. + +3.2. Distribution of Executable Form + + If You distribute Covered Software in Executable Form then: + + a. such Covered Software must also be made available in Source Code Form, + as described in Section 3.1, and You must inform recipients of the + Executable Form how they can obtain a copy of such Source Code Form by + reasonable means in a timely manner, at a charge no more than the cost + of distribution to the recipient; and + + b. You may distribute such Executable Form under the terms of this License, + or sublicense it under different terms, provided that the license for + the Executable Form does not attempt to limit or alter the recipients’ + rights in the Source Code Form under this License. + +3.3. Distribution of a Larger Work + + You may create and distribute a Larger Work under terms of Your choice, + provided that You also comply with the requirements of this License for the + Covered Software. If the Larger Work is a combination of Covered Software + with a work governed by one or more Secondary Licenses, and the Covered + Software is not Incompatible With Secondary Licenses, this License permits + You to additionally distribute such Covered Software under the terms of + such Secondary License(s), so that the recipient of the Larger Work may, at + their option, further distribute the Covered Software under the terms of + either this License or such Secondary License(s). + +3.4. Notices + + You may not remove or alter the substance of any license notices (including + copyright notices, patent notices, disclaimers of warranty, or limitations + of liability) contained within the Source Code Form of the Covered + Software, except that You may alter any license notices to the extent + required to remedy known factual inaccuracies. + +3.5. Application of Additional Terms + + You may choose to offer, and to charge a fee for, warranty, support, + indemnity or liability obligations to one or more recipients of Covered + Software. However, You may do so only on Your own behalf, and not on behalf + of any Contributor. You must make it absolutely clear that any such + warranty, support, indemnity, or liability obligation is offered by You + alone, and You hereby agree to indemnify every Contributor for any + liability incurred by such Contributor as a result of warranty, support, + indemnity or liability terms You offer. You may include additional + disclaimers of warranty and limitations of liability specific to any + jurisdiction. + +4. Inability to Comply Due to Statute or Regulation + + If it is impossible for You to comply with any of the terms of this License + with respect to some or all of the Covered Software due to statute, judicial + order, or regulation then You must: (a) comply with the terms of this License + to the maximum extent possible; and (b) describe the limitations and the code + they affect. Such description must be placed in a text file included with all + distributions of the Covered Software under this License. Except to the + extent prohibited by statute or regulation, such description must be + sufficiently detailed for a recipient of ordinary skill to be able to + understand it. + +5. Termination + +5.1. The rights granted under this License will terminate automatically if You + fail to comply with any of its terms. However, if You become compliant, + then the rights granted under this License from a particular Contributor + are reinstated (a) provisionally, unless and until such Contributor + explicitly and finally terminates Your grants, and (b) on an ongoing basis, + if such Contributor fails to notify You of the non-compliance by some + reasonable means prior to 60 days after You have come back into compliance. + Moreover, Your grants from a particular Contributor are reinstated on an + ongoing basis if such Contributor notifies You of the non-compliance by + some reasonable means, this is the first time You have received notice of + non-compliance with this License from such Contributor, and You become + compliant prior to 30 days after Your receipt of the notice. + +5.2. If You initiate litigation against any entity by asserting a patent + infringement claim (excluding declaratory judgment actions, counter-claims, + and cross-claims) alleging that a Contributor Version directly or + indirectly infringes any patent, then the rights granted to You by any and + all Contributors for the Covered Software under Section 2.1 of this License + shall terminate. + +5.3. In the event of termination under Sections 5.1 or 5.2 above, all end user + license agreements (excluding distributors and resellers) which have been + validly granted by You or Your distributors under this License prior to + termination shall survive termination. + +6. Disclaimer of Warranty + + Covered Software is provided under this License on an “as is†basis, without + warranty of any kind, either expressed, implied, or statutory, including, + without limitation, warranties that the Covered Software is free of defects, + merchantable, fit for a particular purpose or non-infringing. The entire + risk as to the quality and performance of the Covered Software is with You. + Should any Covered Software prove defective in any respect, You (not any + Contributor) assume the cost of any necessary servicing, repair, or + correction. This disclaimer of warranty constitutes an essential part of this + License. No use of any Covered Software is authorized under this License + except under this disclaimer. + +7. Limitation of Liability + + Under no circumstances and under no legal theory, whether tort (including + negligence), contract, or otherwise, shall any Contributor, or anyone who + distributes Covered Software as permitted above, be liable to You for any + direct, indirect, special, incidental, or consequential damages of any + character including, without limitation, damages for lost profits, loss of + goodwill, work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses, even if such party shall have been + informed of the possibility of such damages. This limitation of liability + shall not apply to liability for death or personal injury resulting from such + party’s negligence to the extent applicable law prohibits such limitation. + Some jurisdictions do not allow the exclusion or limitation of incidental or + consequential damages, so this exclusion and limitation may not apply to You. + +8. Litigation + + Any litigation relating to this License may be brought only in the courts of + a jurisdiction where the defendant maintains its principal place of business + and such litigation shall be governed by laws of that jurisdiction, without + reference to its conflict-of-law provisions. Nothing in this Section shall + prevent a party’s ability to bring cross-claims or counter-claims. + +9. Miscellaneous + + This License represents the complete agreement concerning the subject matter + hereof. If any provision of this License is held to be unenforceable, such + provision shall be reformed only to the extent necessary to make it + enforceable. Any law or regulation which provides that the language of a + contract shall be construed against the drafter shall not be used to construe + this License against a Contributor. + + +10. Versions of the License + +10.1. New Versions + + Mozilla Foundation is the license steward. Except as provided in Section + 10.3, no one other than the license steward has the right to modify or + publish new versions of this License. Each version will be given a + distinguishing version number. + +10.2. Effect of New Versions + + You may distribute the Covered Software under the terms of the version of + the License under which You originally received the Covered Software, or + under the terms of any subsequent version published by the license + steward. + +10.3. Modified Versions + + If you create software not governed by this License, and you want to + create a new license for such software, you may create and use a modified + version of this License if you rename the license and remove any + references to the name of the license steward (except to note that such + modified license differs from this License). + +10.4. Distributing Source Code Form that is Incompatible With Secondary Licenses + If You choose to distribute Source Code Form that is Incompatible With + Secondary Licenses under the terms of this version of the License, the + notice described in Exhibit B of this License must be attached. + +Exhibit A - Source Code Form License Notice + + This Source Code Form is subject to the + terms of the Mozilla Public License, v. + 2.0. If a copy of the MPL was not + distributed with this file, You can + obtain one at + http://mozilla.org/MPL/2.0/. + +If it is not possible or desirable to put the notice in a particular file, then +You may include the notice in a location (such as a LICENSE file in a relevant +directory) where a recipient would be likely to look for such a notice. + +You may add additional accurate notices of copyright ownership. + +Exhibit B - “Incompatible With Secondary Licenses†Notice + + This Source Code Form is “Incompatible + With Secondary Licensesâ€, as defined by + the Mozilla Public License, v. 2.0. + diff --git a/vendor/github.com/hashicorp/errwrap/README.md b/vendor/github.com/hashicorp/errwrap/README.md new file mode 100644 index 0000000000..444df08f8e --- /dev/null +++ b/vendor/github.com/hashicorp/errwrap/README.md @@ -0,0 +1,89 @@ +# errwrap + +`errwrap` is a package for Go that formalizes the pattern of wrapping errors +and checking if an error contains another error. + +There is a common pattern in Go of taking a returned `error` value and +then wrapping it (such as with `fmt.Errorf`) before returning it. The problem +with this pattern is that you completely lose the original `error` structure. + +Arguably the _correct_ approach is that you should make a custom structure +implementing the `error` interface, and have the original error as a field +on that structure, such [as this example](http://golang.org/pkg/os/#PathError). +This is a good approach, but you have to know the entire chain of possible +rewrapping that happens, when you might just care about one. + +`errwrap` formalizes this pattern (it doesn't matter what approach you use +above) by giving a single interface for wrapping errors, checking if a specific +error is wrapped, and extracting that error. + +## Installation and Docs + +Install using `go get github.com/hashicorp/errwrap`. + +Full documentation is available at +http://godoc.org/github.com/hashicorp/errwrap + +## Usage + +#### Basic Usage + +Below is a very basic example of its usage: + +```go +// A function that always returns an error, but wraps it, like a real +// function might. +func tryOpen() error { + _, err := os.Open("/i/dont/exist") + if err != nil { + return errwrap.Wrapf("Doesn't exist: {{err}}", err) + } + + return nil +} + +func main() { + err := tryOpen() + + // We can use the Contains helpers to check if an error contains + // another error. It is safe to do this with a nil error, or with + // an error that doesn't even use the errwrap package. + if errwrap.Contains(err, "does not exist") { + // Do something + } + if errwrap.ContainsType(err, new(os.PathError)) { + // Do something + } + + // Or we can use the associated `Get` functions to just extract + // a specific error. This would return nil if that specific error doesn't + // exist. + perr := errwrap.GetType(err, new(os.PathError)) +} +``` + +#### Custom Types + +If you're already making custom types that properly wrap errors, then +you can get all the functionality of `errwraps.Contains` and such by +implementing the `Wrapper` interface with just one function. Example: + +```go +type AppError { + Code ErrorCode + Err error +} + +func (e *AppError) WrappedErrors() []error { + return []error{e.Err} +} +``` + +Now this works: + +```go +err := &AppError{Err: fmt.Errorf("an error")} +if errwrap.ContainsType(err, fmt.Errorf("")) { + // This will work! +} +``` diff --git a/vendor/github.com/hashicorp/errwrap/errwrap.go b/vendor/github.com/hashicorp/errwrap/errwrap.go new file mode 100644 index 0000000000..44e368e569 --- /dev/null +++ b/vendor/github.com/hashicorp/errwrap/errwrap.go @@ -0,0 +1,178 @@ +// Package errwrap implements methods to formalize error wrapping in Go. +// +// All of the top-level functions that take an `error` are built to be able +// to take any error, not just wrapped errors. This allows you to use errwrap +// without having to type-check and type-cast everywhere. +package errwrap + +import ( + "errors" + "reflect" + "strings" +) + +// WalkFunc is the callback called for Walk. +type WalkFunc func(error) + +// Wrapper is an interface that can be implemented by custom types to +// have all the Contains, Get, etc. functions in errwrap work. +// +// When Walk reaches a Wrapper, it will call the callback for every +// wrapped error in addition to the wrapper itself. Since all the top-level +// functions in errwrap use Walk, this means that all those functions work +// with your custom type. +type Wrapper interface { + WrappedErrors() []error +} + +// Wrap defines that outer wraps inner, returning an error type that +// can be cleanly used with the other methods in this package, such as +// Contains, GetAll, etc. +// +// This function won't modify the error message at all (the outer message +// will be used). +func Wrap(outer, inner error) error { + return &wrappedError{ + Outer: outer, + Inner: inner, + } +} + +// Wrapf wraps an error with a formatting message. This is similar to using +// `fmt.Errorf` to wrap an error. If you're using `fmt.Errorf` to wrap +// errors, you should replace it with this. +// +// format is the format of the error message. The string '{{err}}' will +// be replaced with the original error message. +// +// Deprecated: Use fmt.Errorf() +func Wrapf(format string, err error) error { + outerMsg := "" + if err != nil { + outerMsg = err.Error() + } + + outer := errors.New(strings.Replace( + format, "{{err}}", outerMsg, -1)) + + return Wrap(outer, err) +} + +// Contains checks if the given error contains an error with the +// message msg. If err is not a wrapped error, this will always return +// false unless the error itself happens to match this msg. +func Contains(err error, msg string) bool { + return len(GetAll(err, msg)) > 0 +} + +// ContainsType checks if the given error contains an error with +// the same concrete type as v. If err is not a wrapped error, this will +// check the err itself. +func ContainsType(err error, v interface{}) bool { + return len(GetAllType(err, v)) > 0 +} + +// Get is the same as GetAll but returns the deepest matching error. +func Get(err error, msg string) error { + es := GetAll(err, msg) + if len(es) > 0 { + return es[len(es)-1] + } + + return nil +} + +// GetType is the same as GetAllType but returns the deepest matching error. +func GetType(err error, v interface{}) error { + es := GetAllType(err, v) + if len(es) > 0 { + return es[len(es)-1] + } + + return nil +} + +// GetAll gets all the errors that might be wrapped in err with the +// given message. The order of the errors is such that the outermost +// matching error (the most recent wrap) is index zero, and so on. +func GetAll(err error, msg string) []error { + var result []error + + Walk(err, func(err error) { + if err.Error() == msg { + result = append(result, err) + } + }) + + return result +} + +// GetAllType gets all the errors that are the same type as v. +// +// The order of the return value is the same as described in GetAll. +func GetAllType(err error, v interface{}) []error { + var result []error + + var search string + if v != nil { + search = reflect.TypeOf(v).String() + } + Walk(err, func(err error) { + var needle string + if err != nil { + needle = reflect.TypeOf(err).String() + } + + if needle == search { + result = append(result, err) + } + }) + + return result +} + +// Walk walks all the wrapped errors in err and calls the callback. If +// err isn't a wrapped error, this will be called once for err. If err +// is a wrapped error, the callback will be called for both the wrapper +// that implements error as well as the wrapped error itself. +func Walk(err error, cb WalkFunc) { + if err == nil { + return + } + + switch e := err.(type) { + case *wrappedError: + cb(e.Outer) + Walk(e.Inner, cb) + case Wrapper: + cb(err) + + for _, err := range e.WrappedErrors() { + Walk(err, cb) + } + case interface{ Unwrap() error }: + cb(err) + Walk(e.Unwrap(), cb) + default: + cb(err) + } +} + +// wrappedError is an implementation of error that has both the +// outer and inner errors. +type wrappedError struct { + Outer error + Inner error +} + +func (w *wrappedError) Error() string { + return w.Outer.Error() +} + +func (w *wrappedError) WrappedErrors() []error { + return []error{w.Outer, w.Inner} +} + +func (w *wrappedError) Unwrap() error { + return w.Inner +} diff --git a/vendor/github.com/hashicorp/go-multierror/LICENSE b/vendor/github.com/hashicorp/go-multierror/LICENSE new file mode 100644 index 0000000000..82b4de97c7 --- /dev/null +++ b/vendor/github.com/hashicorp/go-multierror/LICENSE @@ -0,0 +1,353 @@ +Mozilla Public License, version 2.0 + +1. Definitions + +1.1. “Contributor†+ + means each individual or legal entity that creates, contributes to the + creation of, or owns Covered Software. + +1.2. “Contributor Version†+ + means the combination of the Contributions of others (if any) used by a + Contributor and that particular Contributor’s Contribution. + +1.3. “Contribution†+ + means Covered Software of a particular Contributor. + +1.4. “Covered Software†+ + means Source Code Form to which the initial Contributor has attached the + notice in Exhibit A, the Executable Form of such Source Code Form, and + Modifications of such Source Code Form, in each case including portions + thereof. + +1.5. “Incompatible With Secondary Licenses†+ means + + a. that the initial Contributor has attached the notice described in + Exhibit B to the Covered Software; or + + b. that the Covered Software was made available under the terms of version + 1.1 or earlier of the License, but not also under the terms of a + Secondary License. + +1.6. “Executable Form†+ + means any form of the work other than Source Code Form. + +1.7. “Larger Work†+ + means a work that combines Covered Software with other material, in a separate + file or files, that is not Covered Software. + +1.8. “License†+ + means this document. + +1.9. “Licensable†+ + means having the right to grant, to the maximum extent possible, whether at the + time of the initial grant or subsequently, any and all of the rights conveyed by + this License. + +1.10. “Modifications†+ + means any of the following: + + a. any file in Source Code Form that results from an addition to, deletion + from, or modification of the contents of Covered Software; or + + b. any new file in Source Code Form that contains any Covered Software. + +1.11. “Patent Claims†of a Contributor + + means any patent claim(s), including without limitation, method, process, + and apparatus claims, in any patent Licensable by such Contributor that + would be infringed, but for the grant of the License, by the making, + using, selling, offering for sale, having made, import, or transfer of + either its Contributions or its Contributor Version. + +1.12. “Secondary License†+ + means either the GNU General Public License, Version 2.0, the GNU Lesser + General Public License, Version 2.1, the GNU Affero General Public + License, Version 3.0, or any later versions of those licenses. + +1.13. “Source Code Form†+ + means the form of the work preferred for making modifications. + +1.14. “You†(or “Yourâ€) + + means an individual or a legal entity exercising rights under this + License. For legal entities, “You†includes any entity that controls, is + controlled by, or is under common control with You. For purposes of this + definition, “control†means (a) the power, direct or indirect, to cause + the direction or management of such entity, whether by contract or + otherwise, or (b) ownership of more than fifty percent (50%) of the + outstanding shares or beneficial ownership of such entity. + + +2. License Grants and Conditions + +2.1. Grants + + Each Contributor hereby grants You a world-wide, royalty-free, + non-exclusive license: + + a. under intellectual property rights (other than patent or trademark) + Licensable by such Contributor to use, reproduce, make available, + modify, display, perform, distribute, and otherwise exploit its + Contributions, either on an unmodified basis, with Modifications, or as + part of a Larger Work; and + + b. under Patent Claims of such Contributor to make, use, sell, offer for + sale, have made, import, and otherwise transfer either its Contributions + or its Contributor Version. + +2.2. Effective Date + + The licenses granted in Section 2.1 with respect to any Contribution become + effective for each Contribution on the date the Contributor first distributes + such Contribution. + +2.3. Limitations on Grant Scope + + The licenses granted in this Section 2 are the only rights granted under this + License. No additional rights or licenses will be implied from the distribution + or licensing of Covered Software under this License. Notwithstanding Section + 2.1(b) above, no patent license is granted by a Contributor: + + a. for any code that a Contributor has removed from Covered Software; or + + b. for infringements caused by: (i) Your and any other third party’s + modifications of Covered Software, or (ii) the combination of its + Contributions with other software (except as part of its Contributor + Version); or + + c. under Patent Claims infringed by Covered Software in the absence of its + Contributions. + + This License does not grant any rights in the trademarks, service marks, or + logos of any Contributor (except as may be necessary to comply with the + notice requirements in Section 3.4). + +2.4. Subsequent Licenses + + No Contributor makes additional grants as a result of Your choice to + distribute the Covered Software under a subsequent version of this License + (see Section 10.2) or under the terms of a Secondary License (if permitted + under the terms of Section 3.3). + +2.5. Representation + + Each Contributor represents that the Contributor believes its Contributions + are its original creation(s) or it has sufficient rights to grant the + rights to its Contributions conveyed by this License. + +2.6. Fair Use + + This License is not intended to limit any rights You have under applicable + copyright doctrines of fair use, fair dealing, or other equivalents. + +2.7. Conditions + + Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted in + Section 2.1. + + +3. Responsibilities + +3.1. Distribution of Source Form + + All distribution of Covered Software in Source Code Form, including any + Modifications that You create or to which You contribute, must be under the + terms of this License. You must inform recipients that the Source Code Form + of the Covered Software is governed by the terms of this License, and how + they can obtain a copy of this License. You may not attempt to alter or + restrict the recipients’ rights in the Source Code Form. + +3.2. Distribution of Executable Form + + If You distribute Covered Software in Executable Form then: + + a. such Covered Software must also be made available in Source Code Form, + as described in Section 3.1, and You must inform recipients of the + Executable Form how they can obtain a copy of such Source Code Form by + reasonable means in a timely manner, at a charge no more than the cost + of distribution to the recipient; and + + b. You may distribute such Executable Form under the terms of this License, + or sublicense it under different terms, provided that the license for + the Executable Form does not attempt to limit or alter the recipients’ + rights in the Source Code Form under this License. + +3.3. Distribution of a Larger Work + + You may create and distribute a Larger Work under terms of Your choice, + provided that You also comply with the requirements of this License for the + Covered Software. If the Larger Work is a combination of Covered Software + with a work governed by one or more Secondary Licenses, and the Covered + Software is not Incompatible With Secondary Licenses, this License permits + You to additionally distribute such Covered Software under the terms of + such Secondary License(s), so that the recipient of the Larger Work may, at + their option, further distribute the Covered Software under the terms of + either this License or such Secondary License(s). + +3.4. Notices + + You may not remove or alter the substance of any license notices (including + copyright notices, patent notices, disclaimers of warranty, or limitations + of liability) contained within the Source Code Form of the Covered + Software, except that You may alter any license notices to the extent + required to remedy known factual inaccuracies. + +3.5. Application of Additional Terms + + You may choose to offer, and to charge a fee for, warranty, support, + indemnity or liability obligations to one or more recipients of Covered + Software. However, You may do so only on Your own behalf, and not on behalf + of any Contributor. You must make it absolutely clear that any such + warranty, support, indemnity, or liability obligation is offered by You + alone, and You hereby agree to indemnify every Contributor for any + liability incurred by such Contributor as a result of warranty, support, + indemnity or liability terms You offer. You may include additional + disclaimers of warranty and limitations of liability specific to any + jurisdiction. + +4. Inability to Comply Due to Statute or Regulation + + If it is impossible for You to comply with any of the terms of this License + with respect to some or all of the Covered Software due to statute, judicial + order, or regulation then You must: (a) comply with the terms of this License + to the maximum extent possible; and (b) describe the limitations and the code + they affect. Such description must be placed in a text file included with all + distributions of the Covered Software under this License. Except to the + extent prohibited by statute or regulation, such description must be + sufficiently detailed for a recipient of ordinary skill to be able to + understand it. + +5. Termination + +5.1. The rights granted under this License will terminate automatically if You + fail to comply with any of its terms. However, if You become compliant, + then the rights granted under this License from a particular Contributor + are reinstated (a) provisionally, unless and until such Contributor + explicitly and finally terminates Your grants, and (b) on an ongoing basis, + if such Contributor fails to notify You of the non-compliance by some + reasonable means prior to 60 days after You have come back into compliance. + Moreover, Your grants from a particular Contributor are reinstated on an + ongoing basis if such Contributor notifies You of the non-compliance by + some reasonable means, this is the first time You have received notice of + non-compliance with this License from such Contributor, and You become + compliant prior to 30 days after Your receipt of the notice. + +5.2. If You initiate litigation against any entity by asserting a patent + infringement claim (excluding declaratory judgment actions, counter-claims, + and cross-claims) alleging that a Contributor Version directly or + indirectly infringes any patent, then the rights granted to You by any and + all Contributors for the Covered Software under Section 2.1 of this License + shall terminate. + +5.3. In the event of termination under Sections 5.1 or 5.2 above, all end user + license agreements (excluding distributors and resellers) which have been + validly granted by You or Your distributors under this License prior to + termination shall survive termination. + +6. Disclaimer of Warranty + + Covered Software is provided under this License on an “as is†basis, without + warranty of any kind, either expressed, implied, or statutory, including, + without limitation, warranties that the Covered Software is free of defects, + merchantable, fit for a particular purpose or non-infringing. The entire + risk as to the quality and performance of the Covered Software is with You. + Should any Covered Software prove defective in any respect, You (not any + Contributor) assume the cost of any necessary servicing, repair, or + correction. This disclaimer of warranty constitutes an essential part of this + License. No use of any Covered Software is authorized under this License + except under this disclaimer. + +7. Limitation of Liability + + Under no circumstances and under no legal theory, whether tort (including + negligence), contract, or otherwise, shall any Contributor, or anyone who + distributes Covered Software as permitted above, be liable to You for any + direct, indirect, special, incidental, or consequential damages of any + character including, without limitation, damages for lost profits, loss of + goodwill, work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses, even if such party shall have been + informed of the possibility of such damages. This limitation of liability + shall not apply to liability for death or personal injury resulting from such + party’s negligence to the extent applicable law prohibits such limitation. + Some jurisdictions do not allow the exclusion or limitation of incidental or + consequential damages, so this exclusion and limitation may not apply to You. + +8. Litigation + + Any litigation relating to this License may be brought only in the courts of + a jurisdiction where the defendant maintains its principal place of business + and such litigation shall be governed by laws of that jurisdiction, without + reference to its conflict-of-law provisions. Nothing in this Section shall + prevent a party’s ability to bring cross-claims or counter-claims. + +9. Miscellaneous + + This License represents the complete agreement concerning the subject matter + hereof. If any provision of this License is held to be unenforceable, such + provision shall be reformed only to the extent necessary to make it + enforceable. Any law or regulation which provides that the language of a + contract shall be construed against the drafter shall not be used to construe + this License against a Contributor. + + +10. Versions of the License + +10.1. New Versions + + Mozilla Foundation is the license steward. Except as provided in Section + 10.3, no one other than the license steward has the right to modify or + publish new versions of this License. Each version will be given a + distinguishing version number. + +10.2. Effect of New Versions + + You may distribute the Covered Software under the terms of the version of + the License under which You originally received the Covered Software, or + under the terms of any subsequent version published by the license + steward. + +10.3. Modified Versions + + If you create software not governed by this License, and you want to + create a new license for such software, you may create and use a modified + version of this License if you rename the license and remove any + references to the name of the license steward (except to note that such + modified license differs from this License). + +10.4. Distributing Source Code Form that is Incompatible With Secondary Licenses + If You choose to distribute Source Code Form that is Incompatible With + Secondary Licenses under the terms of this version of the License, the + notice described in Exhibit B of this License must be attached. + +Exhibit A - Source Code Form License Notice + + This Source Code Form is subject to the + terms of the Mozilla Public License, v. + 2.0. If a copy of the MPL was not + distributed with this file, You can + obtain one at + http://mozilla.org/MPL/2.0/. + +If it is not possible or desirable to put the notice in a particular file, then +You may include the notice in a location (such as a LICENSE file in a relevant +directory) where a recipient would be likely to look for such a notice. + +You may add additional accurate notices of copyright ownership. + +Exhibit B - “Incompatible With Secondary Licenses†Notice + + This Source Code Form is “Incompatible + With Secondary Licensesâ€, as defined by + the Mozilla Public License, v. 2.0. diff --git a/vendor/github.com/hashicorp/go-multierror/Makefile b/vendor/github.com/hashicorp/go-multierror/Makefile new file mode 100644 index 0000000000..b97cd6ed02 --- /dev/null +++ b/vendor/github.com/hashicorp/go-multierror/Makefile @@ -0,0 +1,31 @@ +TEST?=./... + +default: test + +# test runs the test suite and vets the code. +test: generate + @echo "==> Running tests..." + @go list $(TEST) \ + | grep -v "/vendor/" \ + | xargs -n1 go test -timeout=60s -parallel=10 ${TESTARGS} + +# testrace runs the race checker +testrace: generate + @echo "==> Running tests (race)..." + @go list $(TEST) \ + | grep -v "/vendor/" \ + | xargs -n1 go test -timeout=60s -race ${TESTARGS} + +# updatedeps installs all the dependencies needed to run and build. +updatedeps: + @sh -c "'${CURDIR}/scripts/deps.sh' '${NAME}'" + +# generate runs `go generate` to build the dynamically generated source files. +generate: + @echo "==> Generating..." + @find . -type f -name '.DS_Store' -delete + @go list ./... \ + | grep -v "/vendor/" \ + | xargs -n1 go generate + +.PHONY: default test testrace updatedeps generate diff --git a/vendor/github.com/hashicorp/go-multierror/README.md b/vendor/github.com/hashicorp/go-multierror/README.md new file mode 100644 index 0000000000..71dd308ed8 --- /dev/null +++ b/vendor/github.com/hashicorp/go-multierror/README.md @@ -0,0 +1,150 @@ +# go-multierror + +[![CircleCI](https://img.shields.io/circleci/build/github/hashicorp/go-multierror/master)](https://circleci.com/gh/hashicorp/go-multierror) +[![Go Reference](https://pkg.go.dev/badge/github.com/hashicorp/go-multierror.svg)](https://pkg.go.dev/github.com/hashicorp/go-multierror) +![GitHub go.mod Go version](https://img.shields.io/github/go-mod/go-version/hashicorp/go-multierror) + +[circleci]: https://app.circleci.com/pipelines/github/hashicorp/go-multierror +[godocs]: https://pkg.go.dev/github.com/hashicorp/go-multierror + +`go-multierror` is a package for Go that provides a mechanism for +representing a list of `error` values as a single `error`. + +This allows a function in Go to return an `error` that might actually +be a list of errors. If the caller knows this, they can unwrap the +list and access the errors. If the caller doesn't know, the error +formats to a nice human-readable format. + +`go-multierror` is fully compatible with the Go standard library +[errors](https://golang.org/pkg/errors/) package, including the +functions `As`, `Is`, and `Unwrap`. This provides a standardized approach +for introspecting on error values. + +## Installation and Docs + +Install using `go get github.com/hashicorp/go-multierror`. + +Full documentation is available at +https://pkg.go.dev/github.com/hashicorp/go-multierror + +### Requires go version 1.13 or newer + +`go-multierror` requires go version 1.13 or newer. Go 1.13 introduced +[error wrapping](https://golang.org/doc/go1.13#error_wrapping), which +this library takes advantage of. + +If you need to use an earlier version of go, you can use the +[v1.0.0](https://github.com/hashicorp/go-multierror/tree/v1.0.0) +tag, which doesn't rely on features in go 1.13. + +If you see compile errors that look like the below, it's likely that +you're on an older version of go: + +``` +/go/src/github.com/hashicorp/go-multierror/multierror.go:112:9: undefined: errors.As +/go/src/github.com/hashicorp/go-multierror/multierror.go:117:9: undefined: errors.Is +``` + +## Usage + +go-multierror is easy to use and purposely built to be unobtrusive in +existing Go applications/libraries that may not be aware of it. + +**Building a list of errors** + +The `Append` function is used to create a list of errors. This function +behaves a lot like the Go built-in `append` function: it doesn't matter +if the first argument is nil, a `multierror.Error`, or any other `error`, +the function behaves as you would expect. + +```go +var result error + +if err := step1(); err != nil { + result = multierror.Append(result, err) +} +if err := step2(); err != nil { + result = multierror.Append(result, err) +} + +return result +``` + +**Customizing the formatting of the errors** + +By specifying a custom `ErrorFormat`, you can customize the format +of the `Error() string` function: + +```go +var result *multierror.Error + +// ... accumulate errors here, maybe using Append + +if result != nil { + result.ErrorFormat = func([]error) string { + return "errors!" + } +} +``` + +**Accessing the list of errors** + +`multierror.Error` implements `error` so if the caller doesn't know about +multierror, it will work just fine. But if you're aware a multierror might +be returned, you can use type switches to access the list of errors: + +```go +if err := something(); err != nil { + if merr, ok := err.(*multierror.Error); ok { + // Use merr.Errors + } +} +``` + +You can also use the standard [`errors.Unwrap`](https://golang.org/pkg/errors/#Unwrap) +function. This will continue to unwrap into subsequent errors until none exist. + +**Extracting an error** + +The standard library [`errors.As`](https://golang.org/pkg/errors/#As) +function can be used directly with a multierror to extract a specific error: + +```go +// Assume err is a multierror value +err := somefunc() + +// We want to know if "err" has a "RichErrorType" in it and extract it. +var errRich RichErrorType +if errors.As(err, &errRich) { + // It has it, and now errRich is populated. +} +``` + +**Checking for an exact error value** + +Some errors are returned as exact errors such as the [`ErrNotExist`](https://golang.org/pkg/os/#pkg-variables) +error in the `os` package. You can check if this error is present by using +the standard [`errors.Is`](https://golang.org/pkg/errors/#Is) function. + +```go +// Assume err is a multierror value +err := somefunc() +if errors.Is(err, os.ErrNotExist) { + // err contains os.ErrNotExist +} +``` + +**Returning a multierror only if there are errors** + +If you build a `multierror.Error`, you can use the `ErrorOrNil` function +to return an `error` implementation only if there are errors to return: + +```go +var result *multierror.Error + +// ... accumulate errors here + +// Return the `error` only if errors were added to the multierror, otherwise +// return nil since there are no errors. +return result.ErrorOrNil() +``` diff --git a/vendor/github.com/hashicorp/go-multierror/append.go b/vendor/github.com/hashicorp/go-multierror/append.go new file mode 100644 index 0000000000..3e2589bfde --- /dev/null +++ b/vendor/github.com/hashicorp/go-multierror/append.go @@ -0,0 +1,43 @@ +package multierror + +// Append is a helper function that will append more errors +// onto an Error in order to create a larger multi-error. +// +// If err is not a multierror.Error, then it will be turned into +// one. If any of the errs are multierr.Error, they will be flattened +// one level into err. +// Any nil errors within errs will be ignored. If err is nil, a new +// *Error will be returned. +func Append(err error, errs ...error) *Error { + switch err := err.(type) { + case *Error: + // Typed nils can reach here, so initialize if we are nil + if err == nil { + err = new(Error) + } + + // Go through each error and flatten + for _, e := range errs { + switch e := e.(type) { + case *Error: + if e != nil { + err.Errors = append(err.Errors, e.Errors...) + } + default: + if e != nil { + err.Errors = append(err.Errors, e) + } + } + } + + return err + default: + newErrs := make([]error, 0, len(errs)+1) + if err != nil { + newErrs = append(newErrs, err) + } + newErrs = append(newErrs, errs...) + + return Append(&Error{}, newErrs...) + } +} diff --git a/vendor/github.com/hashicorp/go-multierror/flatten.go b/vendor/github.com/hashicorp/go-multierror/flatten.go new file mode 100644 index 0000000000..aab8e9abec --- /dev/null +++ b/vendor/github.com/hashicorp/go-multierror/flatten.go @@ -0,0 +1,26 @@ +package multierror + +// Flatten flattens the given error, merging any *Errors together into +// a single *Error. +func Flatten(err error) error { + // If it isn't an *Error, just return the error as-is + if _, ok := err.(*Error); !ok { + return err + } + + // Otherwise, make the result and flatten away! + flatErr := new(Error) + flatten(err, flatErr) + return flatErr +} + +func flatten(err error, flatErr *Error) { + switch err := err.(type) { + case *Error: + for _, e := range err.Errors { + flatten(e, flatErr) + } + default: + flatErr.Errors = append(flatErr.Errors, err) + } +} diff --git a/vendor/github.com/hashicorp/go-multierror/format.go b/vendor/github.com/hashicorp/go-multierror/format.go new file mode 100644 index 0000000000..47f13c49a6 --- /dev/null +++ b/vendor/github.com/hashicorp/go-multierror/format.go @@ -0,0 +1,27 @@ +package multierror + +import ( + "fmt" + "strings" +) + +// ErrorFormatFunc is a function callback that is called by Error to +// turn the list of errors into a string. +type ErrorFormatFunc func([]error) string + +// ListFormatFunc is a basic formatter that outputs the number of errors +// that occurred along with a bullet point list of the errors. +func ListFormatFunc(es []error) string { + if len(es) == 1 { + return fmt.Sprintf("1 error occurred:\n\t* %s\n\n", es[0]) + } + + points := make([]string, len(es)) + for i, err := range es { + points[i] = fmt.Sprintf("* %s", err) + } + + return fmt.Sprintf( + "%d errors occurred:\n\t%s\n\n", + len(es), strings.Join(points, "\n\t")) +} diff --git a/vendor/github.com/hashicorp/go-multierror/group.go b/vendor/github.com/hashicorp/go-multierror/group.go new file mode 100644 index 0000000000..9c29efb7f8 --- /dev/null +++ b/vendor/github.com/hashicorp/go-multierror/group.go @@ -0,0 +1,38 @@ +package multierror + +import "sync" + +// Group is a collection of goroutines which return errors that need to be +// coalesced. +type Group struct { + mutex sync.Mutex + err *Error + wg sync.WaitGroup +} + +// Go calls the given function in a new goroutine. +// +// If the function returns an error it is added to the group multierror which +// is returned by Wait. +func (g *Group) Go(f func() error) { + g.wg.Add(1) + + go func() { + defer g.wg.Done() + + if err := f(); err != nil { + g.mutex.Lock() + g.err = Append(g.err, err) + g.mutex.Unlock() + } + }() +} + +// Wait blocks until all function calls from the Go method have returned, then +// returns the multierror. +func (g *Group) Wait() *Error { + g.wg.Wait() + g.mutex.Lock() + defer g.mutex.Unlock() + return g.err +} diff --git a/vendor/github.com/hashicorp/go-multierror/multierror.go b/vendor/github.com/hashicorp/go-multierror/multierror.go new file mode 100644 index 0000000000..f545743264 --- /dev/null +++ b/vendor/github.com/hashicorp/go-multierror/multierror.go @@ -0,0 +1,121 @@ +package multierror + +import ( + "errors" + "fmt" +) + +// Error is an error type to track multiple errors. This is used to +// accumulate errors in cases and return them as a single "error". +type Error struct { + Errors []error + ErrorFormat ErrorFormatFunc +} + +func (e *Error) Error() string { + fn := e.ErrorFormat + if fn == nil { + fn = ListFormatFunc + } + + return fn(e.Errors) +} + +// ErrorOrNil returns an error interface if this Error represents +// a list of errors, or returns nil if the list of errors is empty. This +// function is useful at the end of accumulation to make sure that the value +// returned represents the existence of errors. +func (e *Error) ErrorOrNil() error { + if e == nil { + return nil + } + if len(e.Errors) == 0 { + return nil + } + + return e +} + +func (e *Error) GoString() string { + return fmt.Sprintf("*%#v", *e) +} + +// WrappedErrors returns the list of errors that this Error is wrapping. It is +// an implementation of the errwrap.Wrapper interface so that multierror.Error +// can be used with that library. +// +// This method is not safe to be called concurrently. Unlike accessing the +// Errors field directly, this function also checks if the multierror is nil to +// prevent a null-pointer panic. It satisfies the errwrap.Wrapper interface. +func (e *Error) WrappedErrors() []error { + if e == nil { + return nil + } + return e.Errors +} + +// Unwrap returns an error from Error (or nil if there are no errors). +// This error returned will further support Unwrap to get the next error, +// etc. The order will match the order of Errors in the multierror.Error +// at the time of calling. +// +// The resulting error supports errors.As/Is/Unwrap so you can continue +// to use the stdlib errors package to introspect further. +// +// This will perform a shallow copy of the errors slice. Any errors appended +// to this error after calling Unwrap will not be available until a new +// Unwrap is called on the multierror.Error. +func (e *Error) Unwrap() error { + // If we have no errors then we do nothing + if e == nil || len(e.Errors) == 0 { + return nil + } + + // If we have exactly one error, we can just return that directly. + if len(e.Errors) == 1 { + return e.Errors[0] + } + + // Shallow copy the slice + errs := make([]error, len(e.Errors)) + copy(errs, e.Errors) + return chain(errs) +} + +// chain implements the interfaces necessary for errors.Is/As/Unwrap to +// work in a deterministic way with multierror. A chain tracks a list of +// errors while accounting for the current represented error. This lets +// Is/As be meaningful. +// +// Unwrap returns the next error. In the cleanest form, Unwrap would return +// the wrapped error here but we can't do that if we want to properly +// get access to all the errors. Instead, users are recommended to use +// Is/As to get the correct error type out. +// +// Precondition: []error is non-empty (len > 0) +type chain []error + +// Error implements the error interface +func (e chain) Error() string { + return e[0].Error() +} + +// Unwrap implements errors.Unwrap by returning the next error in the +// chain or nil if there are no more errors. +func (e chain) Unwrap() error { + if len(e) == 1 { + return nil + } + + return e[1:] +} + +// As implements errors.As by attempting to map to the current value. +func (e chain) As(target interface{}) bool { + return errors.As(e[0], target) +} + +// Is implements errors.Is by comparing the current value directly. +func (e chain) Is(target error) bool { + return errors.Is(e[0], target) +} diff --git a/vendor/github.com/hashicorp/go-multierror/prefix.go b/vendor/github.com/hashicorp/go-multierror/prefix.go new file mode 100644 index 0000000000..5c477abe44 --- /dev/null +++ b/vendor/github.com/hashicorp/go-multierror/prefix.go @@ -0,0 +1,37 @@ +package multierror + +import ( + "fmt" + + "github.com/hashicorp/errwrap" +) + +// Prefix is a helper function that will prefix some text +// to the given error. If the error is a multierror.Error, then +// it will be prefixed to each wrapped error. +// +// This is useful to use when appending multiple multierrors +// together in order to give better scoping. +func Prefix(err error, prefix string) error { + if err == nil { + return nil + } + + format := fmt.Sprintf("%s {{err}}", prefix) + switch err := err.(type) { + case *Error: + // Typed nils can reach here, so initialize if we are nil + if err == nil { + err = new(Error) + } + + // Wrap each of the errors + for i, e := range err.Errors { + err.Errors[i] = errwrap.Wrapf(format, e) + } + + return err + default: + return errwrap.Wrapf(format, err) + } +} diff --git a/vendor/github.com/hashicorp/go-multierror/sort.go b/vendor/github.com/hashicorp/go-multierror/sort.go new file mode 100644 index 0000000000..fecb14e81c --- /dev/null +++ b/vendor/github.com/hashicorp/go-multierror/sort.go @@ -0,0 +1,16 @@ +package multierror + +// Len implements sort.Interface function for length +func (err Error) Len() int { + return len(err.Errors) +} + +// Swap implements sort.Interface function for swapping elements +func (err Error) Swap(i, j int) { + err.Errors[i], err.Errors[j] = err.Errors[j], err.Errors[i] +} + +// Less implements sort.Interface function for determining order +func (err Error) Less(i, j int) bool { + return err.Errors[i].Error() < err.Errors[j].Error() +} diff --git a/vendor/github.com/huandu/xstrings/.gitignore b/vendor/github.com/huandu/xstrings/.gitignore new file mode 100644 index 0000000000..daf913b1b3 --- /dev/null +++ b/vendor/github.com/huandu/xstrings/.gitignore @@ -0,0 +1,24 @@ +# Compiled Object files, Static and Dynamic libs (Shared Objects) +*.o +*.a +*.so + +# Folders +_obj +_test + +# Architecture specific extensions/prefixes +*.[568vq] +[568vq].out + +*.cgo1.go +*.cgo2.c +_cgo_defun.c +_cgo_gotypes.go +_cgo_export.* + +_testmain.go + +*.exe +*.test +*.prof diff --git a/vendor/github.com/huandu/xstrings/CONTRIBUTING.md b/vendor/github.com/huandu/xstrings/CONTRIBUTING.md new file mode 100644 index 0000000000..d7b4b8d584 --- /dev/null +++ b/vendor/github.com/huandu/xstrings/CONTRIBUTING.md @@ -0,0 +1,23 @@ +# Contributing # + +Thanks for your contribution in advance. No matter what you will contribute to this project, pull request or bug report or feature discussion, it's always highly appreciated. + +## New API or feature ## + +I want to speak more about how to add new functions to this package. + +Package `xstring` is a collection of useful string functions which should be implemented in Go. It's a bit subject to say which function should be included and which should not. I set up following rules in order to make it clear and as objective as possible. + +* Rule 1: Only string algorithm, which takes string as input, can be included. +* Rule 2: If a function has been implemented in package `string`, it must not be included. +* Rule 3: If a function is not language neutral, it must not be included. +* Rule 4: If a function is a part of standard library in other languages, it can be included. +* Rule 5: If a function is quite useful in some famous framework or library, it can be included. + +New function must be discussed in project issues before submitting any code. If a pull request with new functions is sent without any ref issue, it will be rejected. + +## Pull request ## + +Pull request is always welcome. Just make sure you have run `go fmt` and all test cases passed before submit. + +If the pull request is to add a new API or feature, don't forget to update README.md and add new API in function list. diff --git a/vendor/github.com/huandu/xstrings/LICENSE b/vendor/github.com/huandu/xstrings/LICENSE new file mode 100644 index 0000000000..2701772593 --- /dev/null +++ b/vendor/github.com/huandu/xstrings/LICENSE @@ -0,0 +1,22 @@ +The MIT License (MIT) + +Copyright (c) 2015 Huan Du + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. + diff --git a/vendor/github.com/huandu/xstrings/README.md b/vendor/github.com/huandu/xstrings/README.md new file mode 100644 index 0000000000..e809c79abc --- /dev/null +++ b/vendor/github.com/huandu/xstrings/README.md @@ -0,0 +1,118 @@ +# xstrings + +[![Build Status](https://github.com/huandu/xstrings/workflows/Go/badge.svg)](https://github.com/huandu/xstrings/actions) +[![Go Doc](https://godoc.org/github.com/huandu/xstrings?status.svg)](https://pkg.go.dev/github.com/huandu/xstrings) +[![Go Report](https://goreportcard.com/badge/github.com/huandu/xstrings)](https://goreportcard.com/report/github.com/huandu/xstrings) +[![Coverage Status](https://coveralls.io/repos/github/huandu/xstrings/badge.svg?branch=master)](https://coveralls.io/github/huandu/xstrings?branch=master) + +Go package [xstrings](https://godoc.org/github.com/huandu/xstrings) is a collection of string functions, which are widely used in other languages but absent in Go package [strings](http://golang.org/pkg/strings). + +All functions are well tested and carefully tuned for performance. + +## Propose a new function + +Please review [contributing guideline](CONTRIBUTING.md) and [create new issue](https://github.com/huandu/xstrings/issues) to state why it should be included. + +## Install + +Use `go get` to install this library. + + go get github.com/huandu/xstrings + +## API document + +See [GoDoc](https://godoc.org/github.com/huandu/xstrings) for full document. + +## Function list + +Go functions have a unique naming style. One, who has experience in other language but new in Go, may have difficulties to find out right string function to use. + +Here is a list of functions in [strings](http://golang.org/pkg/strings) and [xstrings](https://godoc.org/github.com/huandu/xstrings) with enough extra information about how to map these functions to their friends in other languages. Hope this list could be helpful for fresh gophers. + +### Package `xstrings` functions + +_Keep this table sorted by Function in ascending order._ + +| Function | Friends | # | +| --------------------------------------------------------------------------------- | ------------------------------------------------------------------------------- | --------------------------------------------------- | +| [Center](https://godoc.org/github.com/huandu/xstrings#Center) | `str.center` in Python; `String#center` in Ruby | [#30](https://github.com/huandu/xstrings/issues/30) | +| [Count](https://godoc.org/github.com/huandu/xstrings#Count) | `String#count` in Ruby | [#16](https://github.com/huandu/xstrings/issues/16) | +| [Delete](https://godoc.org/github.com/huandu/xstrings#Delete) | `String#delete` in Ruby | [#17](https://github.com/huandu/xstrings/issues/17) | +| [ExpandTabs](https://godoc.org/github.com/huandu/xstrings#ExpandTabs) | `str.expandtabs` in Python | [#27](https://github.com/huandu/xstrings/issues/27) | +| [FirstRuneToLower](https://godoc.org/github.com/huandu/xstrings#FirstRuneToLower) | `lcfirst` in PHP or Perl | [#15](https://github.com/huandu/xstrings/issues/15) | +| [FirstRuneToUpper](https://godoc.org/github.com/huandu/xstrings#FirstRuneToUpper) | `String#capitalize` in Ruby; `ucfirst` in PHP or Perl | [#15](https://github.com/huandu/xstrings/issues/15) | +| [Insert](https://godoc.org/github.com/huandu/xstrings#Insert) | `String#insert` in Ruby | [#18](https://github.com/huandu/xstrings/issues/18) | +| [LastPartition](https://godoc.org/github.com/huandu/xstrings#LastPartition) | `str.rpartition` in Python; `String#rpartition` in Ruby | [#19](https://github.com/huandu/xstrings/issues/19) | +| [LeftJustify](https://godoc.org/github.com/huandu/xstrings#LeftJustify) | `str.ljust` in Python; `String#ljust` in Ruby | [#28](https://github.com/huandu/xstrings/issues/28) | +| [Len](https://godoc.org/github.com/huandu/xstrings#Len) | `mb_strlen` in PHP | [#23](https://github.com/huandu/xstrings/issues/23) | +| [Partition](https://godoc.org/github.com/huandu/xstrings#Partition) | `str.partition` in Python; `String#partition` in Ruby | [#10](https://github.com/huandu/xstrings/issues/10) | +| [Reverse](https://godoc.org/github.com/huandu/xstrings#Reverse) | `String#reverse` in Ruby; `strrev` in PHP; `reverse` in Perl | [#7](https://github.com/huandu/xstrings/issues/7) | +| [RightJustify](https://godoc.org/github.com/huandu/xstrings#RightJustify) | `str.rjust` in Python; `String#rjust` in Ruby | [#29](https://github.com/huandu/xstrings/issues/29) | +| [RuneWidth](https://godoc.org/github.com/huandu/xstrings#RuneWidth) | - | [#27](https://github.com/huandu/xstrings/issues/27) | +| [Scrub](https://godoc.org/github.com/huandu/xstrings#Scrub) | `String#scrub` in Ruby | [#20](https://github.com/huandu/xstrings/issues/20) | +| [Shuffle](https://godoc.org/github.com/huandu/xstrings#Shuffle) | `str_shuffle` in PHP | [#13](https://github.com/huandu/xstrings/issues/13) | +| [ShuffleSource](https://godoc.org/github.com/huandu/xstrings#ShuffleSource) | `str_shuffle` in PHP | [#13](https://github.com/huandu/xstrings/issues/13) | +| [Slice](https://godoc.org/github.com/huandu/xstrings#Slice) | `mb_substr` in PHP | [#9](https://github.com/huandu/xstrings/issues/9) | +| [Squeeze](https://godoc.org/github.com/huandu/xstrings#Squeeze) | `String#squeeze` in Ruby | [#11](https://github.com/huandu/xstrings/issues/11) | +| [Successor](https://godoc.org/github.com/huandu/xstrings#Successor) | `String#succ` or `String#next` in Ruby | [#22](https://github.com/huandu/xstrings/issues/22) | +| [SwapCase](https://godoc.org/github.com/huandu/xstrings#SwapCase) | `str.swapcase` in Python; `String#swapcase` in Ruby | [#12](https://github.com/huandu/xstrings/issues/12) | +| [ToCamelCase](https://godoc.org/github.com/huandu/xstrings#ToCamelCase) | `String#camelize` in RoR | [#1](https://github.com/huandu/xstrings/issues/1) | +| [ToKebab](https://godoc.org/github.com/huandu/xstrings#ToKebabCase) | - | [#41](https://github.com/huandu/xstrings/issues/41) | +| [ToPascalCase](https://godoc.org/github.com/huandu/xstrings#ToPascalCase) | - | [#1](https://github.com/huandu/xstrings/issues/1) | +| [ToSnakeCase](https://godoc.org/github.com/huandu/xstrings#ToSnakeCase) | `String#underscore` in RoR | [#1](https://github.com/huandu/xstrings/issues/1) | +| [Translate](https://godoc.org/github.com/huandu/xstrings#Translate) | `str.translate` in Python; `String#tr` in Ruby; `strtr` in PHP; `tr///` in Perl | [#21](https://github.com/huandu/xstrings/issues/21) | +| [Width](https://godoc.org/github.com/huandu/xstrings#Width) | `mb_strwidth` in PHP | [#26](https://github.com/huandu/xstrings/issues/26) | +| [WordCount](https://godoc.org/github.com/huandu/xstrings#WordCount) | `str_word_count` in PHP | [#14](https://github.com/huandu/xstrings/issues/14) | +| [WordSplit](https://godoc.org/github.com/huandu/xstrings#WordSplit) | - | [#14](https://github.com/huandu/xstrings/issues/14) | + +### Package `strings` functions + +_Keep this table sorted by Function in ascending order._ + +| Function | Friends | +| --------------------------------------------------------------- | ----------------------------------------------------------------------------------- | +| [Contains](http://golang.org/pkg/strings/#Contains) | `String#include?` in Ruby | +| [ContainsAny](http://golang.org/pkg/strings/#ContainsAny) | - | +| [ContainsRune](http://golang.org/pkg/strings/#ContainsRune) | - | +| [Count](http://golang.org/pkg/strings/#Count) | `str.count` in Python; `substr_count` in PHP | +| [EqualFold](http://golang.org/pkg/strings/#EqualFold) | `stricmp` in PHP; `String#casecmp` in Ruby | +| [Fields](http://golang.org/pkg/strings/#Fields) | `str.split` in Python; `split` in Perl; `String#split` in Ruby | +| [FieldsFunc](http://golang.org/pkg/strings/#FieldsFunc) | - | +| [HasPrefix](http://golang.org/pkg/strings/#HasPrefix) | `str.startswith` in Python; `String#start_with?` in Ruby | +| [HasSuffix](http://golang.org/pkg/strings/#HasSuffix) | `str.endswith` in Python; `String#end_with?` in Ruby | +| [Index](http://golang.org/pkg/strings/#Index) | `str.index` in Python; `String#index` in Ruby; `strpos` in PHP; `index` in Perl | +| [IndexAny](http://golang.org/pkg/strings/#IndexAny) | - | +| [IndexByte](http://golang.org/pkg/strings/#IndexByte) | - | +| [IndexFunc](http://golang.org/pkg/strings/#IndexFunc) | - | +| [IndexRune](http://golang.org/pkg/strings/#IndexRune) | - | +| [Join](http://golang.org/pkg/strings/#Join) | `str.join` in Python; `Array#join` in Ruby; `implode` in PHP; `join` in Perl | +| [LastIndex](http://golang.org/pkg/strings/#LastIndex) | `str.rindex` in Python; `String#rindex`; `strrpos` in PHP; `rindex` in Perl | +| [LastIndexAny](http://golang.org/pkg/strings/#LastIndexAny) | - | +| [LastIndexFunc](http://golang.org/pkg/strings/#LastIndexFunc) | - | +| [Map](http://golang.org/pkg/strings/#Map) | `String#each_codepoint` in Ruby | +| [Repeat](http://golang.org/pkg/strings/#Repeat) | operator `*` in Python and Ruby; `str_repeat` in PHP | +| [Replace](http://golang.org/pkg/strings/#Replace) | `str.replace` in Python; `String#sub` in Ruby; `str_replace` in PHP | +| [Split](http://golang.org/pkg/strings/#Split) | `str.split` in Python; `String#split` in Ruby; `explode` in PHP; `split` in Perl | +| [SplitAfter](http://golang.org/pkg/strings/#SplitAfter) | - | +| [SplitAfterN](http://golang.org/pkg/strings/#SplitAfterN) | - | +| [SplitN](http://golang.org/pkg/strings/#SplitN) | `str.split` in Python; `String#split` in Ruby; `explode` in PHP; `split` in Perl | +| [Title](http://golang.org/pkg/strings/#Title) | `str.title` in Python | +| [ToLower](http://golang.org/pkg/strings/#ToLower) | `str.lower` in Python; `String#downcase` in Ruby; `strtolower` in PHP; `lc` in Perl | +| [ToLowerSpecial](http://golang.org/pkg/strings/#ToLowerSpecial) | - | +| [ToTitle](http://golang.org/pkg/strings/#ToTitle) | - | +| [ToTitleSpecial](http://golang.org/pkg/strings/#ToTitleSpecial) | - | +| [ToUpper](http://golang.org/pkg/strings/#ToUpper) | `str.upper` in Python; `String#upcase` in Ruby; `strtoupper` in PHP; `uc` in Perl | +| [ToUpperSpecial](http://golang.org/pkg/strings/#ToUpperSpecial) | - | +| [Trim](http://golang.org/pkg/strings/#Trim) | `str.strip` in Python; `String#strip` in Ruby; `trim` in PHP | +| [TrimFunc](http://golang.org/pkg/strings/#TrimFunc) | - | +| [TrimLeft](http://golang.org/pkg/strings/#TrimLeft) | `str.lstrip` in Python; `String#lstrip` in Ruby; `ltrim` in PHP | +| [TrimLeftFunc](http://golang.org/pkg/strings/#TrimLeftFunc) | - | +| [TrimPrefix](http://golang.org/pkg/strings/#TrimPrefix) | - | +| [TrimRight](http://golang.org/pkg/strings/#TrimRight) | `str.rstrip` in Python; `String#rstrip` in Ruby; `rtrim` in PHP | +| [TrimRightFunc](http://golang.org/pkg/strings/#TrimRightFunc) | - | +| [TrimSpace](http://golang.org/pkg/strings/#TrimSpace) | `str.strip` in Python; `String#strip` in Ruby; `trim` in PHP | +| [TrimSuffix](http://golang.org/pkg/strings/#TrimSuffix) | `String#chomp` in Ruby; `chomp` in Perl | + +## License + +This library is licensed under MIT license. See LICENSE for details. diff --git a/vendor/github.com/huandu/xstrings/common.go b/vendor/github.com/huandu/xstrings/common.go new file mode 100644 index 0000000000..f427cc84e2 --- /dev/null +++ b/vendor/github.com/huandu/xstrings/common.go @@ -0,0 +1,21 @@ +// Copyright 2015 Huan Du. All rights reserved. +// Licensed under the MIT license that can be found in the LICENSE file. + +package xstrings + +const bufferMaxInitGrowSize = 2048 + +// Lazy initialize a buffer. +func allocBuffer(orig, cur string) *stringBuilder { + output := &stringBuilder{} + maxSize := len(orig) * 4 + + // Avoid to reserve too much memory at once. + if maxSize > bufferMaxInitGrowSize { + maxSize = bufferMaxInitGrowSize + } + + output.Grow(maxSize) + output.WriteString(orig[:len(orig)-len(cur)]) + return output +} diff --git a/vendor/github.com/huandu/xstrings/convert.go b/vendor/github.com/huandu/xstrings/convert.go new file mode 100644 index 0000000000..5d8cfee470 --- /dev/null +++ b/vendor/github.com/huandu/xstrings/convert.go @@ -0,0 +1,633 @@ +// Copyright 2015 Huan Du. All rights reserved. +// Licensed under the MIT license that can be found in the LICENSE file. + +package xstrings + +import ( + "math/rand" + "unicode" + "unicode/utf8" +) + +// ToCamelCase is to convert words separated by space, underscore and hyphen to camel case. +// +// Some samples. +// +// "some_words" => "someWords" +// "http_server" => "httpServer" +// "no_https" => "noHttps" +// "_complex__case_" => "_complex_Case_" +// "some words" => "someWords" +// "GOLANG_IS_GREAT" => "golangIsGreat" +func ToCamelCase(str string) string { + return toCamelCase(str, false) +} + +// ToPascalCase is to convert words separated by space, underscore and hyphen to pascal case. +// +// Some samples. +// +// "some_words" => "SomeWords" +// "http_server" => "HttpServer" +// "no_https" => "NoHttps" +// "_complex__case_" => "_Complex_Case_" +// "some words" => "SomeWords" +// "GOLANG_IS_GREAT" => "GolangIsGreat" +func ToPascalCase(str string) string { + return toCamelCase(str, true) +} + +func toCamelCase(str string, isBig bool) string { + if len(str) == 0 { + return "" + } + + buf := &stringBuilder{} + var isFirstRuneUpper bool + var r0, r1 rune + var size int + + // leading connector will appear in output. + for len(str) > 0 { + r0, size = utf8.DecodeRuneInString(str) + str = str[size:] + + if !isConnector(r0) { + isFirstRuneUpper = unicode.IsUpper(r0) + + if isBig { + r0 = unicode.ToUpper(r0) + } else { + r0 = unicode.ToLower(r0) + } + + break + } + + buf.WriteRune(r0) + } + + if len(str) == 0 { + // A special case for a string contains only 1 rune. + if size != 0 { + buf.WriteRune(r0) + } + + return buf.String() + } + + for len(str) > 0 { + r1 = r0 + r0, size = utf8.DecodeRuneInString(str) + str = str[size:] + + if isConnector(r0) && isConnector(r1) { + buf.WriteRune(r1) + continue + } + + if isConnector(r1) { + isFirstRuneUpper = unicode.IsUpper(r0) + r0 = unicode.ToUpper(r0) + } else { + if isFirstRuneUpper { + if unicode.IsUpper(r0) { + r0 = unicode.ToLower(r0) + } else { + isFirstRuneUpper = false + } + } + + buf.WriteRune(r1) + } + } + + if isFirstRuneUpper && !isBig { + r0 = unicode.ToLower(r0) + } + + buf.WriteRune(r0) + return buf.String() +} + +// ToSnakeCase can convert all upper case characters in a string to +// snake case format. +// +// Some samples. +// +// "FirstName" => "first_name" +// "HTTPServer" => "http_server" +// "NoHTTPS" => "no_https" +// "GO_PATH" => "go_path" +// "GO PATH" => "go_path" // space is converted to underscore. +// "GO-PATH" => "go_path" // hyphen is converted to underscore. +// "http2xx" => "http_2xx" // insert an underscore before a number and after an alphabet. +// "HTTP20xOK" => "http_20x_ok" +// "Duration2m3s" => "duration_2m3s" +// "Bld4Floor3rd" => "bld4_floor_3rd" +func ToSnakeCase(str string) string { + return camelCaseToLowerCase(str, '_') +} + +// ToKebabCase can convert all upper case characters in a string to +// kebab case format. +// +// Some samples. +// +// "FirstName" => "first-name" +// "HTTPServer" => "http-server" +// "NoHTTPS" => "no-https" +// "GO_PATH" => "go-path" +// "GO PATH" => "go-path" // space is converted to '-'. +// "GO-PATH" => "go-path" // hyphen is converted to '-'. +// "http2xx" => "http-2xx" // insert an underscore before a number and after an alphabet. +// "HTTP20xOK" => "http-20x-ok" +// "Duration2m3s" => "duration-2m3s" +// "Bld4Floor3rd" => "bld4-floor-3rd" +func ToKebabCase(str string) string { + return camelCaseToLowerCase(str, '-') +} + +func camelCaseToLowerCase(str string, connector rune) string { + if len(str) == 0 { + return "" + } + + buf := &stringBuilder{} + wt, word, remaining := nextWord(str) + + for len(remaining) > 0 { + if wt != connectorWord { + toLower(buf, wt, word, connector) + } + + prev := wt + last := word + wt, word, remaining = nextWord(remaining) + + switch prev { + case numberWord: + for wt == alphabetWord || wt == numberWord { + toLower(buf, wt, word, connector) + wt, word, remaining = nextWord(remaining) + } + + if wt != invalidWord && wt != punctWord && wt != connectorWord { + buf.WriteRune(connector) + } + + case connectorWord: + toLower(buf, prev, last, connector) + + case punctWord: + // nothing. + + default: + if wt != numberWord { + if wt != connectorWord && wt != punctWord { + buf.WriteRune(connector) + } + + break + } + + if len(remaining) == 0 { + break + } + + last := word + wt, word, remaining = nextWord(remaining) + + // consider number as a part of previous word. + // e.g. "Bld4Floor" => "bld4_floor" + if wt != alphabetWord { + toLower(buf, numberWord, last, connector) + + if wt != connectorWord && wt != punctWord { + buf.WriteRune(connector) + } + + break + } + + // if there are some lower case letters following a number, + // add connector before the number. + // e.g. "HTTP2xx" => "http_2xx" + buf.WriteRune(connector) + toLower(buf, numberWord, last, connector) + + for wt == alphabetWord || wt == numberWord { + toLower(buf, wt, word, connector) + wt, word, remaining = nextWord(remaining) + } + + if wt != invalidWord && wt != connectorWord && wt != punctWord { + buf.WriteRune(connector) + } + } + } + + toLower(buf, wt, word, connector) + return buf.String() +} + +func isConnector(r rune) bool { + return r == '-' || r == '_' || unicode.IsSpace(r) +} + +type wordType int + +const ( + invalidWord wordType = iota + numberWord + upperCaseWord + alphabetWord + connectorWord + punctWord + otherWord +) + +func nextWord(str string) (wt wordType, word, remaining string) { + if len(str) == 0 { + return + } + + var offset int + remaining = str + r, size := nextValidRune(remaining, utf8.RuneError) + offset += size + + if r == utf8.RuneError { + wt = invalidWord + word = str[:offset] + remaining = str[offset:] + return + } + + switch { + case isConnector(r): + wt = connectorWord + remaining = remaining[size:] + + for len(remaining) > 0 { + r, size = nextValidRune(remaining, r) + + if !isConnector(r) { + break + } + + offset += size + remaining = remaining[size:] + } + + case unicode.IsPunct(r): + wt = punctWord + remaining = remaining[size:] + + for len(remaining) > 0 { + r, size = nextValidRune(remaining, r) + + if !unicode.IsPunct(r) { + break + } + + offset += size + remaining = remaining[size:] + } + + case unicode.IsUpper(r): + wt = upperCaseWord + remaining = remaining[size:] + + if len(remaining) == 0 { + break + } + + r, size = nextValidRune(remaining, r) + + switch { + case unicode.IsUpper(r): + prevSize := size + offset += size + remaining = remaining[size:] + + for len(remaining) > 0 { + r, size = nextValidRune(remaining, r) + + if !unicode.IsUpper(r) { + break + } + + prevSize = size + offset += size + remaining = remaining[size:] + } + + // it's a bit complex when dealing with a case like "HTTPStatus". + // it's expected to be splitted into "HTTP" and "Status". + // Therefore "S" should be in remaining instead of word. + if len(remaining) > 0 && isAlphabet(r) { + offset -= prevSize + remaining = str[offset:] + } + + case isAlphabet(r): + offset += size + remaining = remaining[size:] + + for len(remaining) > 0 { + r, size = nextValidRune(remaining, r) + + if !isAlphabet(r) || unicode.IsUpper(r) { + break + } + + offset += size + remaining = remaining[size:] + } + } + + case isAlphabet(r): + wt = alphabetWord + remaining = remaining[size:] + + for len(remaining) > 0 { + r, size = nextValidRune(remaining, r) + + if !isAlphabet(r) || unicode.IsUpper(r) { + break + } + + offset += size + remaining = remaining[size:] + } + + case unicode.IsNumber(r): + wt = numberWord + remaining = remaining[size:] + + for len(remaining) > 0 { + r, size = nextValidRune(remaining, r) + + if !unicode.IsNumber(r) { + break + } + + offset += size + remaining = remaining[size:] + } + + default: + wt = otherWord + remaining = remaining[size:] + + for len(remaining) > 0 { + r, size = nextValidRune(remaining, r) + + if size == 0 || isConnector(r) || isAlphabet(r) || unicode.IsNumber(r) || unicode.IsPunct(r) { + break + } + + offset += size + remaining = remaining[size:] + } + } + + word = str[:offset] + return +} + +func nextValidRune(str string, prev rune) (r rune, size int) { + var sz int + + for len(str) > 0 { + r, sz = utf8.DecodeRuneInString(str) + size += sz + + if r != utf8.RuneError { + return + } + + str = str[sz:] + } + + r = prev + return +} + +func toLower(buf *stringBuilder, wt wordType, str string, connector rune) { + buf.Grow(buf.Len() + len(str)) + + if wt != upperCaseWord && wt != connectorWord { + buf.WriteString(str) + return + } + + for len(str) > 0 { + r, size := utf8.DecodeRuneInString(str) + str = str[size:] + + if isConnector(r) { + buf.WriteRune(connector) + } else if unicode.IsUpper(r) { + buf.WriteRune(unicode.ToLower(r)) + } else { + buf.WriteRune(r) + } + } +} + +// SwapCase will swap characters case from upper to lower or lower to upper. +func SwapCase(str string) string { + var r rune + var size int + + buf := &stringBuilder{} + + for len(str) > 0 { + r, size = utf8.DecodeRuneInString(str) + + switch { + case unicode.IsUpper(r): + buf.WriteRune(unicode.ToLower(r)) + + case unicode.IsLower(r): + buf.WriteRune(unicode.ToUpper(r)) + + default: + buf.WriteRune(r) + } + + str = str[size:] + } + + return buf.String() +} + +// FirstRuneToUpper converts first rune to upper case if necessary. +func FirstRuneToUpper(str string) string { + if str == "" { + return str + } + + r, size := utf8.DecodeRuneInString(str) + + if !unicode.IsLower(r) { + return str + } + + buf := &stringBuilder{} + buf.WriteRune(unicode.ToUpper(r)) + buf.WriteString(str[size:]) + return buf.String() +} + +// FirstRuneToLower converts first rune to lower case if necessary. +func FirstRuneToLower(str string) string { + if str == "" { + return str + } + + r, size := utf8.DecodeRuneInString(str) + + if !unicode.IsUpper(r) { + return str + } + + buf := &stringBuilder{} + buf.WriteRune(unicode.ToLower(r)) + buf.WriteString(str[size:]) + return buf.String() +} + +// Shuffle randomizes runes in a string and returns the result. +// It uses default random source in `math/rand`. +func Shuffle(str string) string { + if str == "" { + return str + } + + runes := []rune(str) + index := 0 + + for i := len(runes) - 1; i > 0; i-- { + index = rand.Intn(i + 1) + + if i != index { + runes[i], runes[index] = runes[index], runes[i] + } + } + + return string(runes) +} + +// ShuffleSource randomizes runes in a string with given random source. +func ShuffleSource(str string, src rand.Source) string { + if str == "" { + return str + } + + runes := []rune(str) + index := 0 + r := rand.New(src) + + for i := len(runes) - 1; i > 0; i-- { + index = r.Intn(i + 1) + + if i != index { + runes[i], runes[index] = runes[index], runes[i] + } + } + + return string(runes) +} + +// Successor returns the successor to string. +// +// If there is one alphanumeric rune is found in string, increase the rune by 1. +// If increment generates a "carry", the rune to the left of it is incremented. +// This process repeats until there is no carry, adding an additional rune if necessary. +// +// If there is no alphanumeric rune, the rightmost rune will be increased by 1 +// regardless whether the result is a valid rune or not. +// +// Only following characters are alphanumeric. +// - a - z +// - A - Z +// - 0 - 9 +// +// Samples (borrowed from ruby's String#succ document): +// +// "abcd" => "abce" +// "THX1138" => "THX1139" +// "<>" => "<>" +// "1999zzz" => "2000aaa" +// "ZZZ9999" => "AAAA0000" +// "***" => "**+" +func Successor(str string) string { + if str == "" { + return str + } + + var r rune + var i int + carry := ' ' + runes := []rune(str) + l := len(runes) + lastAlphanumeric := l + + for i = l - 1; i >= 0; i-- { + r = runes[i] + + if ('a' <= r && r <= 'y') || + ('A' <= r && r <= 'Y') || + ('0' <= r && r <= '8') { + runes[i]++ + carry = ' ' + lastAlphanumeric = i + break + } + + switch r { + case 'z': + runes[i] = 'a' + carry = 'a' + lastAlphanumeric = i + + case 'Z': + runes[i] = 'A' + carry = 'A' + lastAlphanumeric = i + + case '9': + runes[i] = '0' + carry = '0' + lastAlphanumeric = i + } + } + + // Needs to add one character for carry. + if i < 0 && carry != ' ' { + buf := &stringBuilder{} + buf.Grow(l + 4) // Reserve enough space for write. + + if lastAlphanumeric != 0 { + buf.WriteString(str[:lastAlphanumeric]) + } + + buf.WriteRune(carry) + + for _, r = range runes[lastAlphanumeric:] { + buf.WriteRune(r) + } + + return buf.String() + } + + // No alphanumeric character. Simply increase last rune's value. + if lastAlphanumeric == l { + runes[l-1]++ + } + + return string(runes) +} diff --git a/vendor/github.com/huandu/xstrings/count.go b/vendor/github.com/huandu/xstrings/count.go new file mode 100644 index 0000000000..f96e38703a --- /dev/null +++ b/vendor/github.com/huandu/xstrings/count.go @@ -0,0 +1,120 @@ +// Copyright 2015 Huan Du. All rights reserved. +// Licensed under the MIT license that can be found in the LICENSE file. + +package xstrings + +import ( + "unicode" + "unicode/utf8" +) + +// Len returns str's utf8 rune length. +func Len(str string) int { + return utf8.RuneCountInString(str) +} + +// WordCount returns number of words in a string. +// +// Word is defined as a locale dependent string containing alphabetic characters, +// which may also contain but not start with `'` and `-` characters. +func WordCount(str string) int { + var r rune + var size, n int + + inWord := false + + for len(str) > 0 { + r, size = utf8.DecodeRuneInString(str) + + switch { + case isAlphabet(r): + if !inWord { + inWord = true + n++ + } + + case inWord && (r == '\'' || r == '-'): + // Still in word. + + default: + inWord = false + } + + str = str[size:] + } + + return n +} + +const minCJKCharacter = '\u3400' + +// Checks r is a letter but not CJK character. +func isAlphabet(r rune) bool { + if !unicode.IsLetter(r) { + return false + } + + switch { + // Quick check for non-CJK character. + case r < minCJKCharacter: + return true + + // Common CJK characters. + case r >= '\u4E00' && r <= '\u9FCC': + return false + + // Rare CJK characters. + case r >= '\u3400' && r <= '\u4D85': + return false + + // Rare and historic CJK characters. + case r >= '\U00020000' && r <= '\U0002B81D': + return false + } + + return true +} + +// Width returns string width in monotype font. +// Multi-byte characters are usually twice the width of single byte characters. +// +// Algorithm comes from `mb_strwidth` in PHP. +// http://php.net/manual/en/function.mb-strwidth.php +func Width(str string) int { + var r rune + var size, n int + + for len(str) > 0 { + r, size = utf8.DecodeRuneInString(str) + n += RuneWidth(r) + str = str[size:] + } + + return n +} + +// RuneWidth returns character width in monotype font. +// Multi-byte characters are usually twice the width of single byte characters. +// +// Algorithm comes from `mb_strwidth` in PHP. +// http://php.net/manual/en/function.mb-strwidth.php +func RuneWidth(r rune) int { + switch { + case r == utf8.RuneError || r < '\x20': + return 0 + + case '\x20' <= r && r < '\u2000': + return 1 + + case '\u2000' <= r && r < '\uFF61': + return 2 + + case '\uFF61' <= r && r < '\uFFA0': + return 1 + + case '\uFFA0' <= r: + return 2 + } + + return 0 +} diff --git a/vendor/github.com/huandu/xstrings/doc.go b/vendor/github.com/huandu/xstrings/doc.go new file mode 100644 index 0000000000..1a6ef069f6 --- /dev/null +++ b/vendor/github.com/huandu/xstrings/doc.go @@ -0,0 +1,8 @@ +// Copyright 2015 Huan Du. All rights reserved. +// Licensed under the MIT license that can be found in the LICENSE file. + +// Package xstrings is to provide string algorithms which are useful but not included in `strings` package. +// See project home page for details. https://github.com/huandu/xstrings +// +// Package xstrings assumes all strings are encoded in utf8. +package xstrings diff --git a/vendor/github.com/huandu/xstrings/format.go b/vendor/github.com/huandu/xstrings/format.go new file mode 100644 index 0000000000..b32219bbd5 --- /dev/null +++ b/vendor/github.com/huandu/xstrings/format.go @@ -0,0 +1,173 @@ +// Copyright 2015 Huan Du. All rights reserved. +// Licensed under the MIT license that can be found in the LICENSE file. + +package xstrings + +import ( + "unicode/utf8" +) + +// ExpandTabs can expand tabs ('\t') rune in str to one or more spaces dpending on +// current column and tabSize. +// The column number is reset to zero after each newline ('\n') occurring in the str. +// +// ExpandTabs uses RuneWidth to decide rune's width. +// For example, CJK characters will be treated as two characters. +// +// If tabSize <= 0, ExpandTabs panics with error. +// +// Samples: +// +// ExpandTabs("a\tbc\tdef\tghij\tk", 4) => "a bc def ghij k" +// ExpandTabs("abcdefg\thij\nk\tl", 4) => "abcdefg hij\nk l" +// ExpandTabs("z中\tæ–‡\tw", 4) => "z中 æ–‡ w" +func ExpandTabs(str string, tabSize int) string { + if tabSize <= 0 { + panic("tab size must be positive") + } + + var r rune + var i, size, column, expand int + var output *stringBuilder + + orig := str + + for len(str) > 0 { + r, size = utf8.DecodeRuneInString(str) + + if r == '\t' { + expand = tabSize - column%tabSize + + if output == nil { + output = allocBuffer(orig, str) + } + + for i = 0; i < expand; i++ { + output.WriteRune(' ') + } + + column += expand + } else { + if r == '\n' { + column = 0 + } else { + column += RuneWidth(r) + } + + if output != nil { + output.WriteRune(r) + } + } + + str = str[size:] + } + + if output == nil { + return orig + } + + return output.String() +} + +// LeftJustify returns a string with pad string at right side if str's rune length is smaller than length. +// If str's rune length is larger than length, str itself will be returned. +// +// If pad is an empty string, str will be returned. +// +// Samples: +// +// LeftJustify("hello", 4, " ") => "hello" +// LeftJustify("hello", 10, " ") => "hello " +// LeftJustify("hello", 10, "123") => "hello12312" +func LeftJustify(str string, length int, pad string) string { + l := Len(str) + + if l >= length || pad == "" { + return str + } + + remains := length - l + padLen := Len(pad) + + output := &stringBuilder{} + output.Grow(len(str) + (remains/padLen+1)*len(pad)) + output.WriteString(str) + writePadString(output, pad, padLen, remains) + return output.String() +} + +// RightJustify returns a string with pad string at left side if str's rune length is smaller than length. +// If str's rune length is larger than length, str itself will be returned. +// +// If pad is an empty string, str will be returned. +// +// Samples: +// +// RightJustify("hello", 4, " ") => "hello" +// RightJustify("hello", 10, " ") => " hello" +// RightJustify("hello", 10, "123") => "12312hello" +func RightJustify(str string, length int, pad string) string { + l := Len(str) + + if l >= length || pad == "" { + return str + } + + remains := length - l + padLen := Len(pad) + + output := &stringBuilder{} + output.Grow(len(str) + (remains/padLen+1)*len(pad)) + writePadString(output, pad, padLen, remains) + output.WriteString(str) + return output.String() +} + +// Center returns a string with pad string at both side if str's rune length is smaller than length. +// If str's rune length is larger than length, str itself will be returned. +// +// If pad is an empty string, str will be returned. +// +// Samples: +// +// Center("hello", 4, " ") => "hello" +// Center("hello", 10, " ") => " hello " +// Center("hello", 10, "123") => "12hello123" +func Center(str string, length int, pad string) string { + l := Len(str) + + if l >= length || pad == "" { + return str + } + + remains := length - l + padLen := Len(pad) + + output := &stringBuilder{} + output.Grow(len(str) + (remains/padLen+1)*len(pad)) + writePadString(output, pad, padLen, remains/2) + output.WriteString(str) + writePadString(output, pad, padLen, (remains+1)/2) + return output.String() +} + +func writePadString(output *stringBuilder, pad string, padLen, remains int) { + var r rune + var size int + + repeats := remains / padLen + + for i := 0; i < repeats; i++ { + output.WriteString(pad) + } + + remains = remains % padLen + + if remains != 0 { + for i := 0; i < remains; i++ { + r, size = utf8.DecodeRuneInString(pad) + output.WriteRune(r) + pad = pad[size:] + } + } +} diff --git a/vendor/github.com/huandu/xstrings/manipulate.go b/vendor/github.com/huandu/xstrings/manipulate.go new file mode 100644 index 0000000000..ab42fe0fec --- /dev/null +++ b/vendor/github.com/huandu/xstrings/manipulate.go @@ -0,0 +1,220 @@ +// Copyright 2015 Huan Du. All rights reserved. +// Licensed under the MIT license that can be found in the LICENSE file. + +package xstrings + +import ( + "strings" + "unicode/utf8" +) + +// Reverse a utf8 encoded string. +func Reverse(str string) string { + var size int + + tail := len(str) + buf := make([]byte, tail) + s := buf + + for len(str) > 0 { + _, size = utf8.DecodeRuneInString(str) + tail -= size + s = append(s[:tail], []byte(str[:size])...) + str = str[size:] + } + + return string(buf) +} + +// Slice a string by rune. +// +// Start must satisfy 0 <= start <= rune length. +// +// End can be positive, zero or negative. +// If end >= 0, start and end must satisfy start <= end <= rune length. +// If end < 0, it means slice to the end of string. +// +// Otherwise, Slice will panic as out of range. +func Slice(str string, start, end int) string { + var size, startPos, endPos int + + origin := str + + if start < 0 || end > len(str) || (end >= 0 && start > end) { + panic("out of range") + } + + if end >= 0 { + end -= start + } + + for start > 0 && len(str) > 0 { + _, size = utf8.DecodeRuneInString(str) + start-- + startPos += size + str = str[size:] + } + + if end < 0 { + return origin[startPos:] + } + + endPos = startPos + + for end > 0 && len(str) > 0 { + _, size = utf8.DecodeRuneInString(str) + end-- + endPos += size + str = str[size:] + } + + if len(str) == 0 && (start > 0 || end > 0) { + panic("out of range") + } + + return origin[startPos:endPos] +} + +// Partition splits a string by sep into three parts. +// The return value is a slice of strings with head, match and tail. +// +// If str contains sep, for example "hello" and "l", Partition returns +// +// "he", "l", "lo" +// +// If str doesn't contain sep, for example "hello" and "x", Partition returns +// +// "hello", "", "" +func Partition(str, sep string) (head, match, tail string) { + index := strings.Index(str, sep) + + if index == -1 { + head = str + return + } + + head = str[:index] + match = str[index : index+len(sep)] + tail = str[index+len(sep):] + return +} + +// LastPartition splits a string by last instance of sep into three parts. +// The return value is a slice of strings with head, match and tail. +// +// If str contains sep, for example "hello" and "l", LastPartition returns +// +// "hel", "l", "o" +// +// If str doesn't contain sep, for example "hello" and "x", LastPartition returns +// +// "", "", "hello" +func LastPartition(str, sep string) (head, match, tail string) { + index := strings.LastIndex(str, sep) + + if index == -1 { + tail = str + return + } + + head = str[:index] + match = str[index : index+len(sep)] + tail = str[index+len(sep):] + return +} + +// Insert src into dst at given rune index. +// Index is counted by runes instead of bytes. +// +// If index is out of range of dst, panic with out of range. +func Insert(dst, src string, index int) string { + return Slice(dst, 0, index) + src + Slice(dst, index, -1) +} + +// Scrub scrubs invalid utf8 bytes with repl string. +// Adjacent invalid bytes are replaced only once. +func Scrub(str, repl string) string { + var buf *stringBuilder + var r rune + var size, pos int + var hasError bool + + origin := str + + for len(str) > 0 { + r, size = utf8.DecodeRuneInString(str) + + if r == utf8.RuneError { + if !hasError { + if buf == nil { + buf = &stringBuilder{} + } + + buf.WriteString(origin[:pos]) + hasError = true + } + } else if hasError { + hasError = false + buf.WriteString(repl) + + origin = origin[pos:] + pos = 0 + } + + pos += size + str = str[size:] + } + + if buf != nil { + buf.WriteString(origin) + return buf.String() + } + + // No invalid byte. + return origin +} + +// WordSplit splits a string into words. Returns a slice of words. +// If there is no word in a string, return nil. +// +// Word is defined as a locale dependent string containing alphabetic characters, +// which may also contain but not start with `'` and `-` characters. +func WordSplit(str string) []string { + var word string + var words []string + var r rune + var size, pos int + + inWord := false + + for len(str) > 0 { + r, size = utf8.DecodeRuneInString(str) + + switch { + case isAlphabet(r): + if !inWord { + inWord = true + word = str + pos = 0 + } + + case inWord && (r == '\'' || r == '-'): + // Still in word. + + default: + if inWord { + inWord = false + words = append(words, word[:pos]) + } + } + + pos += size + str = str[size:] + } + + if inWord { + words = append(words, word[:pos]) + } + + return words +} diff --git a/vendor/github.com/huandu/xstrings/stringbuilder.go b/vendor/github.com/huandu/xstrings/stringbuilder.go new file mode 100644 index 0000000000..06812fea07 --- /dev/null +++ b/vendor/github.com/huandu/xstrings/stringbuilder.go @@ -0,0 +1,8 @@ +//go:build go1.10 +// +build go1.10 + +package xstrings + +import "strings" + +type stringBuilder = strings.Builder diff --git a/vendor/github.com/huandu/xstrings/stringbuilder_go110.go b/vendor/github.com/huandu/xstrings/stringbuilder_go110.go new file mode 100644 index 0000000000..ccaa5aedd3 --- /dev/null +++ b/vendor/github.com/huandu/xstrings/stringbuilder_go110.go @@ -0,0 +1,10 @@ +//go:build !go1.10 +// +build !go1.10 + +package xstrings + +import "bytes" + +type stringBuilder struct { + bytes.Buffer +} diff --git a/vendor/github.com/huandu/xstrings/translate.go b/vendor/github.com/huandu/xstrings/translate.go new file mode 100644 index 0000000000..1fac6a00be --- /dev/null +++ b/vendor/github.com/huandu/xstrings/translate.go @@ -0,0 +1,552 @@ +// Copyright 2015 Huan Du. All rights reserved. +// Licensed under the MIT license that can be found in the LICENSE file. + +package xstrings + +import ( + "unicode" + "unicode/utf8" +) + +type runeRangeMap struct { + FromLo rune // Lower bound of range map. + FromHi rune // An inclusive higher bound of range map. + ToLo rune + ToHi rune +} + +type runeDict struct { + Dict [unicode.MaxASCII + 1]rune +} + +type runeMap map[rune]rune + +// Translator can translate string with pre-compiled from and to patterns. +// If a from/to pattern pair needs to be used more than once, it's recommended +// to create a Translator and reuse it. +type Translator struct { + quickDict *runeDict // A quick dictionary to look up rune by index. Only available for latin runes. + runeMap runeMap // Rune map for translation. + ranges []*runeRangeMap // Ranges of runes. + mappedRune rune // If mappedRune >= 0, all matched runes are translated to the mappedRune. + reverted bool // If to pattern is empty, all matched characters will be deleted. + hasPattern bool +} + +// NewTranslator creates new Translator through a from/to pattern pair. +func NewTranslator(from, to string) *Translator { + tr := &Translator{} + + if from == "" { + return tr + } + + reverted := from[0] == '^' + deletion := len(to) == 0 + + if reverted { + from = from[1:] + } + + var fromStart, fromEnd, fromRangeStep rune + var toStart, toEnd, toRangeStep rune + var fromRangeSize, toRangeSize rune + var singleRunes []rune + + // Update the to rune range. + updateRange := func() { + // No more rune to read in the to rune pattern. + if toEnd == utf8.RuneError { + return + } + + if toRangeStep == 0 { + to, toStart, toEnd, toRangeStep = nextRuneRange(to, toEnd) + return + } + + // Current range is not empty. Consume 1 rune from start. + if toStart != toEnd { + toStart += toRangeStep + return + } + + // No more rune. Repeat the last rune. + if to == "" { + toEnd = utf8.RuneError + return + } + + // Both start and end are used. Read two more runes from the to pattern. + to, toStart, toEnd, toRangeStep = nextRuneRange(to, utf8.RuneError) + } + + if deletion { + toStart = utf8.RuneError + toEnd = utf8.RuneError + } else { + // If from pattern is reverted, only the last rune in the to pattern will be used. + if reverted { + var size int + + for len(to) > 0 { + toStart, size = utf8.DecodeRuneInString(to) + to = to[size:] + } + + toEnd = utf8.RuneError + } else { + to, toStart, toEnd, toRangeStep = nextRuneRange(to, utf8.RuneError) + } + } + + fromEnd = utf8.RuneError + + for len(from) > 0 { + from, fromStart, fromEnd, fromRangeStep = nextRuneRange(from, fromEnd) + + // fromStart is a single character. Just map it with a rune in the to pattern. + if fromRangeStep == 0 { + singleRunes = tr.addRune(fromStart, toStart, singleRunes) + updateRange() + continue + } + + for toEnd != utf8.RuneError && fromStart != fromEnd { + // If mapped rune is a single character instead of a range, simply shift first + // rune in the range. + if toRangeStep == 0 { + singleRunes = tr.addRune(fromStart, toStart, singleRunes) + updateRange() + fromStart += fromRangeStep + continue + } + + fromRangeSize = (fromEnd - fromStart) * fromRangeStep + toRangeSize = (toEnd - toStart) * toRangeStep + + // Not enough runes in the to pattern. Need to read more. + if fromRangeSize > toRangeSize { + fromStart, toStart = tr.addRuneRange(fromStart, fromStart+toRangeSize*fromRangeStep, toStart, toEnd, singleRunes) + fromStart += fromRangeStep + updateRange() + + // Edge case: If fromRangeSize == toRangeSize + 1, the last fromStart value needs be considered + // as a single rune. + if fromStart == fromEnd { + singleRunes = tr.addRune(fromStart, toStart, singleRunes) + updateRange() + } + + continue + } + + fromStart, toStart = tr.addRuneRange(fromStart, fromEnd, toStart, toStart+fromRangeSize*toRangeStep, singleRunes) + updateRange() + break + } + + if fromStart == fromEnd { + fromEnd = utf8.RuneError + continue + } + + _, toStart = tr.addRuneRange(fromStart, fromEnd, toStart, toStart, singleRunes) + fromEnd = utf8.RuneError + } + + if fromEnd != utf8.RuneError { + tr.addRune(fromEnd, toStart, singleRunes) + } + + tr.reverted = reverted + tr.mappedRune = -1 + tr.hasPattern = true + + // Translate RuneError only if in deletion or reverted mode. + if deletion || reverted { + tr.mappedRune = toStart + } + + return tr +} + +func (tr *Translator) addRune(from, to rune, singleRunes []rune) []rune { + if from <= unicode.MaxASCII { + if tr.quickDict == nil { + tr.quickDict = &runeDict{} + } + + tr.quickDict.Dict[from] = to + } else { + if tr.runeMap == nil { + tr.runeMap = make(runeMap) + } + + tr.runeMap[from] = to + } + + singleRunes = append(singleRunes, from) + return singleRunes +} + +func (tr *Translator) addRuneRange(fromLo, fromHi, toLo, toHi rune, singleRunes []rune) (rune, rune) { + var r rune + var rrm *runeRangeMap + + if fromLo < fromHi { + rrm = &runeRangeMap{ + FromLo: fromLo, + FromHi: fromHi, + ToLo: toLo, + ToHi: toHi, + } + } else { + rrm = &runeRangeMap{ + FromLo: fromHi, + FromHi: fromLo, + ToLo: toHi, + ToHi: toLo, + } + } + + // If there is any single rune conflicts with this rune range, clear single rune record. + for _, r = range singleRunes { + if rrm.FromLo <= r && r <= rrm.FromHi { + if r <= unicode.MaxASCII { + tr.quickDict.Dict[r] = 0 + } else { + delete(tr.runeMap, r) + } + } + } + + tr.ranges = append(tr.ranges, rrm) + return fromHi, toHi +} + +func nextRuneRange(str string, last rune) (remaining string, start, end rune, rangeStep rune) { + var r rune + var size int + + remaining = str + escaping := false + isRange := false + + for len(remaining) > 0 { + r, size = utf8.DecodeRuneInString(remaining) + remaining = remaining[size:] + + // Parse special characters. + if !escaping { + if r == '\\' { + escaping = true + continue + } + + if r == '-' { + // Ignore slash at beginning of string. + if last == utf8.RuneError { + continue + } + + start = last + isRange = true + continue + } + } + + escaping = false + + if last != utf8.RuneError { + // This is a range which start and end are the same. + // Considier it as a normal character. + if isRange && last == r { + isRange = false + continue + } + + start = last + end = r + + if isRange { + if start < end { + rangeStep = 1 + } else { + rangeStep = -1 + } + } + + return + } + + last = r + } + + start = last + end = utf8.RuneError + return +} + +// Translate str with a from/to pattern pair. +// +// See comment in Translate function for usage and samples. +func (tr *Translator) Translate(str string) string { + if !tr.hasPattern || str == "" { + return str + } + + var r rune + var size int + var needTr bool + + orig := str + + var output *stringBuilder + + for len(str) > 0 { + r, size = utf8.DecodeRuneInString(str) + r, needTr = tr.TranslateRune(r) + + if needTr && output == nil { + output = allocBuffer(orig, str) + } + + if r != utf8.RuneError && output != nil { + output.WriteRune(r) + } + + str = str[size:] + } + + // No character is translated. + if output == nil { + return orig + } + + return output.String() +} + +// TranslateRune return translated rune and true if r matches the from pattern. +// If r doesn't match the pattern, original r is returned and translated is false. +func (tr *Translator) TranslateRune(r rune) (result rune, translated bool) { + switch { + case tr.quickDict != nil: + if r <= unicode.MaxASCII { + result = tr.quickDict.Dict[r] + + if result != 0 { + translated = true + + if tr.mappedRune >= 0 { + result = tr.mappedRune + } + + break + } + } + + fallthrough + + case tr.runeMap != nil: + var ok bool + + if result, ok = tr.runeMap[r]; ok { + translated = true + + if tr.mappedRune >= 0 { + result = tr.mappedRune + } + + break + } + + fallthrough + + default: + var rrm *runeRangeMap + ranges := tr.ranges + + for i := len(ranges) - 1; i >= 0; i-- { + rrm = ranges[i] + + if rrm.FromLo <= r && r <= rrm.FromHi { + translated = true + + if tr.mappedRune >= 0 { + result = tr.mappedRune + break + } + + if rrm.ToLo < rrm.ToHi { + result = rrm.ToLo + r - rrm.FromLo + } else if rrm.ToLo > rrm.ToHi { + // ToHi can be smaller than ToLo if range is from higher to lower. + result = rrm.ToLo - r + rrm.FromLo + } else { + result = rrm.ToLo + } + + break + } + } + } + + if tr.reverted { + if !translated { + result = tr.mappedRune + } + + translated = !translated + } + + if !translated { + result = r + } + + return +} + +// HasPattern returns true if Translator has one pattern at least. +func (tr *Translator) HasPattern() bool { + return tr.hasPattern +} + +// Translate str with the characters defined in from replaced by characters defined in to. +// +// From and to are patterns representing a set of characters. Pattern is defined as following. +// +// Special characters: +// +// 1. '-' means a range of runes, e.g. +// "a-z" means all characters from 'a' to 'z' inclusive; +// "z-a" means all characters from 'z' to 'a' inclusive. +// 2. '^' as first character means a set of all runes excepted listed, e.g. +// "^a-z" means all characters except 'a' to 'z' inclusive. +// 3. '\' escapes special characters. +// +// Normal character represents itself, e.g. "abc" is a set including 'a', 'b' and 'c'. +// +// Translate will try to find a 1:1 mapping from from to to. +// If to is smaller than from, last rune in to will be used to map "out of range" characters in from. +// +// Note that '^' only works in the from pattern. It will be considered as a normal character in the to pattern. +// +// If the to pattern is an empty string, Translate works exactly the same as Delete. +// +// Samples: +// +// Translate("hello", "aeiou", "12345") => "h2ll4" +// Translate("hello", "a-z", "A-Z") => "HELLO" +// Translate("hello", "z-a", "a-z") => "svool" +// Translate("hello", "aeiou", "*") => "h*ll*" +// Translate("hello", "^l", "*") => "**ll*" +// Translate("hello ^ world", `\^lo`, "*") => "he*** * w*r*d" +func Translate(str, from, to string) string { + tr := NewTranslator(from, to) + return tr.Translate(str) +} + +// Delete runes in str matching the pattern. +// Pattern is defined in Translate function. +// +// Samples: +// +// Delete("hello", "aeiou") => "hll" +// Delete("hello", "a-k") => "llo" +// Delete("hello", "^a-k") => "he" +func Delete(str, pattern string) string { + tr := NewTranslator(pattern, "") + return tr.Translate(str) +} + +// Count how many runes in str match the pattern. +// Pattern is defined in Translate function. +// +// Samples: +// +// Count("hello", "aeiou") => 3 +// Count("hello", "a-k") => 3 +// Count("hello", "^a-k") => 2 +func Count(str, pattern string) int { + if pattern == "" || str == "" { + return 0 + } + + var r rune + var size int + var matched bool + + tr := NewTranslator(pattern, "") + cnt := 0 + + for len(str) > 0 { + r, size = utf8.DecodeRuneInString(str) + str = str[size:] + + if _, matched = tr.TranslateRune(r); matched { + cnt++ + } + } + + return cnt +} + +// Squeeze deletes adjacent repeated runes in str. +// If pattern is not empty, only runes matching the pattern will be squeezed. +// +// Samples: +// +// Squeeze("hello", "") => "helo" +// Squeeze("hello", "m-z") => "hello" +// Squeeze("hello world", " ") => "hello world" +func Squeeze(str, pattern string) string { + var last, r rune + var size int + var skipSqueeze, matched bool + var tr *Translator + var output *stringBuilder + + orig := str + last = -1 + + if len(pattern) > 0 { + tr = NewTranslator(pattern, "") + } + + for len(str) > 0 { + r, size = utf8.DecodeRuneInString(str) + + // Need to squeeze the str. + if last == r && !skipSqueeze { + if tr != nil { + if _, matched = tr.TranslateRune(r); !matched { + skipSqueeze = true + } + } + + if output == nil { + output = allocBuffer(orig, str) + } + + if skipSqueeze { + output.WriteRune(r) + } + } else { + if output != nil { + output.WriteRune(r) + } + + last = r + skipSqueeze = false + } + + str = str[size:] + } + + if output == nil { + return orig + } + + return output.String() +} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/api/v1/istio_types.go b/vendor/github.com/istio-ecosystem/sail-operator/api/v1/istio_types.go index 9dca59d898..29730d0ed0 100644 --- a/vendor/github.com/istio-ecosystem/sail-operator/api/v1/istio_types.go +++ b/vendor/github.com/istio-ecosystem/sail-operator/api/v1/istio_types.go @@ -37,10 +37,10 @@ const ( type IstioSpec struct { // +sail:version // Defines the version of Istio to install. - // Must be one of: v1.25-latest, v1.25.2, v1.25.1, v1.24-latest, v1.24.5, v1.24.4, v1.24.3, v1.24.2, v1.24.1, v1.24.0, v1.23-latest, v1.23.6, v1.23.5, v1.23.4, v1.23.3, v1.23.2, v1.22-latest, v1.22.8, v1.22.7, v1.22.6, v1.22.5, v1.21.6, master, v1.27-alpha.f23c2f66. - // +operator-sdk:csv:customresourcedefinitions:type=spec,order=1,displayName="Istio Version",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:v1.25-latest", "urn:alm:descriptor:com.tectonic.ui:select:v1.25.2", "urn:alm:descriptor:com.tectonic.ui:select:v1.25.1", "urn:alm:descriptor:com.tectonic.ui:select:v1.24-latest", "urn:alm:descriptor:com.tectonic.ui:select:v1.24.5", "urn:alm:descriptor:com.tectonic.ui:select:v1.24.4", "urn:alm:descriptor:com.tectonic.ui:select:v1.24.3", "urn:alm:descriptor:com.tectonic.ui:select:v1.24.2", "urn:alm:descriptor:com.tectonic.ui:select:v1.24.1", "urn:alm:descriptor:com.tectonic.ui:select:v1.24.0", "urn:alm:descriptor:com.tectonic.ui:select:v1.23-latest", "urn:alm:descriptor:com.tectonic.ui:select:v1.23.6", "urn:alm:descriptor:com.tectonic.ui:select:v1.23.5", "urn:alm:descriptor:com.tectonic.ui:select:v1.23.4", "urn:alm:descriptor:com.tectonic.ui:select:v1.23.3", "urn:alm:descriptor:com.tectonic.ui:select:v1.23.2", "urn:alm:descriptor:com.tectonic.ui:select:v1.22-latest", "urn:alm:descriptor:com.tectonic.ui:select:v1.22.8", "urn:alm:descriptor:com.tectonic.ui:select:v1.22.7", "urn:alm:descriptor:com.tectonic.ui:select:v1.22.6", "urn:alm:descriptor:com.tectonic.ui:select:v1.22.5", "urn:alm:descriptor:com.tectonic.ui:select:v1.21.6", "urn:alm:descriptor:com.tectonic.ui:select:master", "urn:alm:descriptor:com.tectonic.ui:select:v1.27-alpha.f23c2f66"} - // +kubebuilder:validation:Enum=v1.25-latest;v1.25.2;v1.25.1;v1.24-latest;v1.24.5;v1.24.4;v1.24.3;v1.24.2;v1.24.1;v1.24.0;v1.23-latest;v1.23.6;v1.23.5;v1.23.4;v1.23.3;v1.23.2;v1.22-latest;v1.22.8;v1.22.7;v1.22.6;v1.22.5;v1.21.6;master;v1.27-alpha.f23c2f66 - // +kubebuilder:default=v1.25.2 + // Must be one of: v1.28-latest, v1.28.5, v1.28.4, v1.27-latest, v1.27.8, v1.27.5, v1.27.3, v1.26-latest, v1.26.8, v1.26.6, v1.26.4, v1.26.3, v1.26.2. + // +operator-sdk:csv:customresourcedefinitions:type=spec,order=1,displayName="Istio Version",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:v1.28-latest", "urn:alm:descriptor:com.tectonic.ui:select:v1.28.5", "urn:alm:descriptor:com.tectonic.ui:select:v1.28.4", "urn:alm:descriptor:com.tectonic.ui:select:v1.27-latest", "urn:alm:descriptor:com.tectonic.ui:select:v1.27.8", "urn:alm:descriptor:com.tectonic.ui:select:v1.27.5", "urn:alm:descriptor:com.tectonic.ui:select:v1.27.3", "urn:alm:descriptor:com.tectonic.ui:select:v1.26-latest", "urn:alm:descriptor:com.tectonic.ui:select:v1.26.8", "urn:alm:descriptor:com.tectonic.ui:select:v1.26.6", "urn:alm:descriptor:com.tectonic.ui:select:v1.26.4", "urn:alm:descriptor:com.tectonic.ui:select:v1.26.3", "urn:alm:descriptor:com.tectonic.ui:select:v1.26.2"} + // +kubebuilder:validation:Enum=v1.28-latest;v1.28.5;v1.28.4;v1.27-latest;v1.27.8;v1.27.5;v1.27.3;v1.26-latest;v1.26.8;v1.26.6;v1.26.4;v1.26.3;v1.26.2 + // +kubebuilder:default=v1.28.5 Version string `json:"version"` // Defines the update strategy to use when the version in the Istio CR is updated. @@ -51,10 +51,9 @@ type IstioSpec struct { // +sail:profile // The built-in installation configuration profile to use. // The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'. - // Must be one of: ambient, default, demo, empty, external, openshift-ambient, openshift, preview, remote, stable. - // +++PROFILES-DROPDOWN-HIDDEN-UNTIL-WE-FULLY-IMPLEMENT-THEM+++operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Profile",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:ambient", "urn:alm:descriptor:com.tectonic.ui:select:default", "urn:alm:descriptor:com.tectonic.ui:select:demo", "urn:alm:descriptor:com.tectonic.ui:select:empty", "urn:alm:descriptor:com.tectonic.ui:select:external", "urn:alm:descriptor:com.tectonic.ui:select:minimal", "urn:alm:descriptor:com.tectonic.ui:select:preview", "urn:alm:descriptor:com.tectonic.ui:select:remote"} - // +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors={"urn:alm:descriptor:com.tectonic.ui:hidden"} - // +kubebuilder:validation:Enum=ambient;default;demo;empty;external;openshift-ambient;openshift;preview;remote;stable + // Must be one of: ambient, default, demo, empty, openshift, openshift-ambient, preview, remote, stable. + // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Profile",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:ambient", "urn:alm:descriptor:com.tectonic.ui:select:default", "urn:alm:descriptor:com.tectonic.ui:select:demo", "urn:alm:descriptor:com.tectonic.ui:select:empty", "urn:alm:descriptor:com.tectonic.ui:select:openshift", "urn:alm:descriptor:com.tectonic.ui:select:openshift-ambient", "urn:alm:descriptor:com.tectonic.ui:select:preview", "urn:alm:descriptor:com.tectonic.ui:select:remote", "urn:alm:descriptor:com.tectonic.ui:select:stable"} + // +kubebuilder:validation:Enum=ambient;default;demo;empty;external;openshift;openshift-ambient;preview;remote;stable Profile string `json:"profile,omitempty"` // Namespace to which the Istio components should be installed. Note that this field is immutable. @@ -262,7 +261,7 @@ const ( // +kubebuilder:resource:scope=Cluster,categories=istio-io // +kubebuilder:subresource:status // +kubebuilder:printcolumn:name="Namespace",type="string",JSONPath=".spec.namespace",description="The namespace for the control plane components." -// +kubebuilder:printcolumn:name="Profile",type="string",JSONPath=".spec.values.profile",description="The selected profile (collection of value presets)." +// +kubebuilder:printcolumn:name="Profile",type="string",JSONPath=".spec.profile",description="The selected profile (collection of value presets)." // +kubebuilder:printcolumn:name="Revisions",type="string",JSONPath=".status.revisions.total",description="Total number of IstioRevision objects currently associated with this object." // +kubebuilder:printcolumn:name="Ready",type="string",JSONPath=".status.revisions.ready",description="Number of revisions that are ready." // +kubebuilder:printcolumn:name="In use",type="string",JSONPath=".status.revisions.inUse",description="Number of revisions that are currently being used by workloads." @@ -283,7 +282,7 @@ type Istio struct { // +optional metav1.ObjectMeta `json:"metadata"` - // +kubebuilder:default={version: "v1.25.2", namespace: "istio-system", updateStrategy: {type:"InPlace"}} + // +kubebuilder:default={version: "v1.28.5", namespace: "istio-system", updateStrategy: {type:"InPlace"}} // +optional Spec IstioSpec `json:"spec"` diff --git a/vendor/github.com/istio-ecosystem/sail-operator/api/v1/istiocni_types.go b/vendor/github.com/istio-ecosystem/sail-operator/api/v1/istiocni_types.go index 3f743c5974..fa5b83ec9c 100644 --- a/vendor/github.com/istio-ecosystem/sail-operator/api/v1/istiocni_types.go +++ b/vendor/github.com/istio-ecosystem/sail-operator/api/v1/istiocni_types.go @@ -28,19 +28,18 @@ const ( type IstioCNISpec struct { // +sail:version // Defines the version of Istio to install. - // Must be one of: v1.25-latest, v1.25.2, v1.25.1, v1.24-latest, v1.24.5, v1.24.4, v1.24.3, v1.24.2, v1.24.1, v1.24.0, v1.23-latest, v1.23.6, v1.23.5, v1.23.4, v1.23.3, v1.23.2, v1.22-latest, v1.22.8, v1.22.7, v1.22.6, v1.22.5, v1.21.6, master, v1.27-alpha.f23c2f66. - // +operator-sdk:csv:customresourcedefinitions:type=spec,order=1,displayName="Istio Version",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:v1.25-latest", "urn:alm:descriptor:com.tectonic.ui:select:v1.25.2", "urn:alm:descriptor:com.tectonic.ui:select:v1.25.1", "urn:alm:descriptor:com.tectonic.ui:select:v1.24-latest", "urn:alm:descriptor:com.tectonic.ui:select:v1.24.5", "urn:alm:descriptor:com.tectonic.ui:select:v1.24.4", "urn:alm:descriptor:com.tectonic.ui:select:v1.24.3", "urn:alm:descriptor:com.tectonic.ui:select:v1.24.2", "urn:alm:descriptor:com.tectonic.ui:select:v1.24.1", "urn:alm:descriptor:com.tectonic.ui:select:v1.24.0", "urn:alm:descriptor:com.tectonic.ui:select:v1.23-latest", "urn:alm:descriptor:com.tectonic.ui:select:v1.23.6", "urn:alm:descriptor:com.tectonic.ui:select:v1.23.5", "urn:alm:descriptor:com.tectonic.ui:select:v1.23.4", "urn:alm:descriptor:com.tectonic.ui:select:v1.23.3", "urn:alm:descriptor:com.tectonic.ui:select:v1.23.2", "urn:alm:descriptor:com.tectonic.ui:select:v1.22-latest", "urn:alm:descriptor:com.tectonic.ui:select:v1.22.8", "urn:alm:descriptor:com.tectonic.ui:select:v1.22.7", "urn:alm:descriptor:com.tectonic.ui:select:v1.22.6", "urn:alm:descriptor:com.tectonic.ui:select:v1.22.5", "urn:alm:descriptor:com.tectonic.ui:select:v1.21.6", "urn:alm:descriptor:com.tectonic.ui:select:master", "urn:alm:descriptor:com.tectonic.ui:select:v1.27-alpha.f23c2f66"} - // +kubebuilder:validation:Enum=v1.25-latest;v1.25.2;v1.25.1;v1.24-latest;v1.24.5;v1.24.4;v1.24.3;v1.24.2;v1.24.1;v1.24.0;v1.23-latest;v1.23.6;v1.23.5;v1.23.4;v1.23.3;v1.23.2;v1.22-latest;v1.22.8;v1.22.7;v1.22.6;v1.22.5;v1.21.6;master;v1.27-alpha.f23c2f66 - // +kubebuilder:default=v1.25.2 + // Must be one of: v1.28-latest, v1.28.5, v1.28.4, v1.27-latest, v1.27.8, v1.27.5, v1.27.3, v1.26-latest, v1.26.8, v1.26.6, v1.26.4, v1.26.3, v1.26.2. + // +operator-sdk:csv:customresourcedefinitions:type=spec,order=1,displayName="Istio Version",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:v1.28-latest", "urn:alm:descriptor:com.tectonic.ui:select:v1.28.5", "urn:alm:descriptor:com.tectonic.ui:select:v1.28.4", "urn:alm:descriptor:com.tectonic.ui:select:v1.27-latest", "urn:alm:descriptor:com.tectonic.ui:select:v1.27.8", "urn:alm:descriptor:com.tectonic.ui:select:v1.27.5", "urn:alm:descriptor:com.tectonic.ui:select:v1.27.3", "urn:alm:descriptor:com.tectonic.ui:select:v1.26-latest", "urn:alm:descriptor:com.tectonic.ui:select:v1.26.8", "urn:alm:descriptor:com.tectonic.ui:select:v1.26.6", "urn:alm:descriptor:com.tectonic.ui:select:v1.26.4", "urn:alm:descriptor:com.tectonic.ui:select:v1.26.3", "urn:alm:descriptor:com.tectonic.ui:select:v1.26.2"} + // +kubebuilder:validation:Enum=v1.28-latest;v1.28.5;v1.28.4;v1.27-latest;v1.27.8;v1.27.5;v1.27.3;v1.26-latest;v1.26.8;v1.26.6;v1.26.4;v1.26.3;v1.26.2 + // +kubebuilder:default=v1.28.5 Version string `json:"version"` // +sail:profile // The built-in installation configuration profile to use. // The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'. - // Must be one of: ambient, default, demo, empty, external, openshift-ambient, openshift, preview, remote, stable. - // +++PROFILES-DROPDOWN-HIDDEN-UNTIL-WE-FULLY-IMPLEMENT-THEM+++operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Profile",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:ambient", "urn:alm:descriptor:com.tectonic.ui:select:default", "urn:alm:descriptor:com.tectonic.ui:select:demo", "urn:alm:descriptor:com.tectonic.ui:select:empty", "urn:alm:descriptor:com.tectonic.ui:select:external", "urn:alm:descriptor:com.tectonic.ui:select:minimal", "urn:alm:descriptor:com.tectonic.ui:select:preview", "urn:alm:descriptor:com.tectonic.ui:select:remote"} - // +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors={"urn:alm:descriptor:com.tectonic.ui:hidden"} - // +kubebuilder:validation:Enum=ambient;default;demo;empty;external;openshift-ambient;openshift;preview;remote;stable + // Must be one of: ambient, default, demo, empty, openshift, openshift-ambient, preview, remote, stable. + // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Profile",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:ambient", "urn:alm:descriptor:com.tectonic.ui:select:default", "urn:alm:descriptor:com.tectonic.ui:select:demo", "urn:alm:descriptor:com.tectonic.ui:select:empty", "urn:alm:descriptor:com.tectonic.ui:select:openshift", "urn:alm:descriptor:com.tectonic.ui:select:openshift-ambient", "urn:alm:descriptor:com.tectonic.ui:select:preview", "urn:alm:descriptor:com.tectonic.ui:select:remote", "urn:alm:descriptor:com.tectonic.ui:select:stable"} + // +kubebuilder:validation:Enum=ambient;default;demo;empty;external;openshift;openshift-ambient;preview;remote;stable Profile string `json:"profile,omitempty"` // Namespace to which the Istio CNI component should be installed. Note that this field is immutable. @@ -169,7 +168,7 @@ const ( // +kubebuilder:resource:scope=Cluster,categories=istio-io // +kubebuilder:subresource:status // +kubebuilder:printcolumn:name="Namespace",type="string",JSONPath=".spec.namespace",description="The namespace of the istio-cni-node DaemonSet." -// +kubebuilder:printcolumn:name="Profile",type="string",JSONPath=".spec.values.profile",description="The selected profile (collection of value presets)." +// +kubebuilder:printcolumn:name="Profile",type="string",JSONPath=".spec.profile",description="The selected profile (collection of value presets)." // +kubebuilder:printcolumn:name="Ready",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].status",description="Whether the Istio CNI installation is ready to handle requests." // +kubebuilder:printcolumn:name="Status",type="string",JSONPath=".status.state",description="The current state of this object." // +kubebuilder:printcolumn:name="Version",type="string",JSONPath=".spec.version",description="The version of the Istio CNI installation." @@ -182,7 +181,7 @@ type IstioCNI struct { // +optional metav1.ObjectMeta `json:"metadata"` - // +kubebuilder:default={version: "v1.25.2", namespace: "istio-cni"} + // +kubebuilder:default={version: "v1.28.5", namespace: "istio-cni"} // +optional Spec IstioCNISpec `json:"spec"` diff --git a/vendor/github.com/istio-ecosystem/sail-operator/api/v1/istiorevision_types.go b/vendor/github.com/istio-ecosystem/sail-operator/api/v1/istiorevision_types.go index 6bd39cea8b..a5e6435315 100644 --- a/vendor/github.com/istio-ecosystem/sail-operator/api/v1/istiorevision_types.go +++ b/vendor/github.com/istio-ecosystem/sail-operator/api/v1/istiorevision_types.go @@ -30,9 +30,9 @@ const ( type IstioRevisionSpec struct { // +sail:version // Defines the version of Istio to install. - // Must be one of: v1.25.2, v1.25.1, v1.24.5, v1.24.4, v1.24.3, v1.24.2, v1.24.1, v1.24.0, v1.23.6, v1.23.5, v1.23.4, v1.23.3, v1.23.2, v1.22.8, v1.22.7, v1.22.6, v1.22.5, v1.21.6, v1.27-alpha.f23c2f66. - // +operator-sdk:csv:customresourcedefinitions:type=spec,order=1,displayName="Istio Version",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:v1.25.2", "urn:alm:descriptor:com.tectonic.ui:select:v1.25.1", "urn:alm:descriptor:com.tectonic.ui:select:v1.24.5", "urn:alm:descriptor:com.tectonic.ui:select:v1.24.4", "urn:alm:descriptor:com.tectonic.ui:select:v1.24.3", "urn:alm:descriptor:com.tectonic.ui:select:v1.24.2", "urn:alm:descriptor:com.tectonic.ui:select:v1.24.1", "urn:alm:descriptor:com.tectonic.ui:select:v1.24.0", "urn:alm:descriptor:com.tectonic.ui:select:v1.23.6", "urn:alm:descriptor:com.tectonic.ui:select:v1.23.5", "urn:alm:descriptor:com.tectonic.ui:select:v1.23.4", "urn:alm:descriptor:com.tectonic.ui:select:v1.23.3", "urn:alm:descriptor:com.tectonic.ui:select:v1.23.2", "urn:alm:descriptor:com.tectonic.ui:select:v1.22.8", "urn:alm:descriptor:com.tectonic.ui:select:v1.22.7", "urn:alm:descriptor:com.tectonic.ui:select:v1.22.6", "urn:alm:descriptor:com.tectonic.ui:select:v1.22.5", "urn:alm:descriptor:com.tectonic.ui:select:v1.21.6", "urn:alm:descriptor:com.tectonic.ui:select:v1.27-alpha.f23c2f66"} - // +kubebuilder:validation:Enum=v1.25.2;v1.25.1;v1.24.5;v1.24.4;v1.24.3;v1.24.2;v1.24.1;v1.24.0;v1.23.6;v1.23.5;v1.23.4;v1.23.3;v1.23.2;v1.22.8;v1.22.7;v1.22.6;v1.22.5;v1.21.6;v1.27-alpha.f23c2f66 + // Must be one of: v1.28.5, v1.28.4, v1.27.8, v1.27.5, v1.27.3, v1.26.8, v1.26.6, v1.26.4, v1.26.3, v1.26.2. + // +operator-sdk:csv:customresourcedefinitions:type=spec,order=1,displayName="Istio Version",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:v1.28.5", "urn:alm:descriptor:com.tectonic.ui:select:v1.28.4", "urn:alm:descriptor:com.tectonic.ui:select:v1.27.8", "urn:alm:descriptor:com.tectonic.ui:select:v1.27.5", "urn:alm:descriptor:com.tectonic.ui:select:v1.27.3", "urn:alm:descriptor:com.tectonic.ui:select:v1.26.8", "urn:alm:descriptor:com.tectonic.ui:select:v1.26.6", "urn:alm:descriptor:com.tectonic.ui:select:v1.26.4", "urn:alm:descriptor:com.tectonic.ui:select:v1.26.3", "urn:alm:descriptor:com.tectonic.ui:select:v1.26.2"} + // +kubebuilder:validation:Enum=v1.28.5;v1.28.4;v1.27.8;v1.27.5;v1.27.3;v1.26.8;v1.26.6;v1.26.4;v1.26.3;v1.26.2 Version string `json:"version"` // Namespace to which the Istio components should be installed. @@ -148,6 +148,9 @@ const ( // IstioRevisionReasonIstiodNotReady indicates that the control plane is fully reconciled, but istiod is not ready. IstioRevisionReasonIstiodNotReady IstioRevisionConditionReason = "IstiodNotReady" + // IstioRevisionTagNameAlreadyExists indicates that a IstioRevisionTag with the same name as the IstioRevision already exists. + IstioRevisionReasonNameAlreadyExists IstioRevisionConditionReason = "NameAlreadyExists" + // IstioRevisionReasonRemoteIstiodNotReady indicates that the remote istiod is not ready. IstioRevisionReasonRemoteIstiodNotReady IstioRevisionConditionReason = "RemoteIstiodNotReady" @@ -182,6 +185,12 @@ const ( // IstioRevisionReasonIstioCNINotHealthy indicates that the IstioCNI resource is not healthy. IstioRevisionReasonIstioCNINotHealthy IstioRevisionConditionReason = "IstioCNINotHealthy" + // IstioRevisionReasonZTunnelNotFound indicates that the ZTunnel resource is not found. + IstioRevisionReasonZTunnelNotFound IstioRevisionConditionReason = "ZTunnelNotFound" + + // IstioRevisionReasonZTunnelNotHealthy indicates that the ZTunnel resource is not healthy. + IstioRevisionReasonZTunnelNotHealthy IstioRevisionConditionReason = "ZTunnelNotHealthy" + // IstioRevisionDependencyCheckFailed indicates that the status of the dependencies could not be ascertained. IstioRevisionDependencyCheckFailed IstioRevisionConditionReason = "DependencyCheckFailed" ) @@ -206,7 +215,7 @@ const ( // Users shouldn't create IstioRevision objects directly. Instead, they should // create an Istio object and allow the operator to create the underlying // IstioRevision object(s). -// +kubebuilder:validation:XValidation:rule="self.metadata.name == 'default' ? (!has(self.spec.values.revision) || size(self.spec.values.revision) == 0) : self.spec.values.revision == self.metadata.name",message="spec.values.revision must match metadata.name" +// +kubebuilder:validation:XValidation:rule="self.metadata.name == 'default' ? (!has(self.spec.values.revision) || size(self.spec.values.revision) == 0) : self.spec.values.revision == self.metadata.name",message="spec.values.revision must match metadata.name or be empty when the name is 'default'" type IstioRevision struct { metav1.TypeMeta `json:",inline"` // +optional diff --git a/vendor/github.com/istio-ecosystem/sail-operator/api/v1/istiorevisiontags_types.go b/vendor/github.com/istio-ecosystem/sail-operator/api/v1/istiorevisiontags_types.go index 1558fdd3fc..4ae3330475 100644 --- a/vendor/github.com/istio-ecosystem/sail-operator/api/v1/istiorevisiontags_types.go +++ b/vendor/github.com/istio-ecosystem/sail-operator/api/v1/istiorevisiontags_types.go @@ -145,7 +145,7 @@ const ( // successfully reconciled the resources defined through the CR. IstioRevisionTagConditionReconciled IstioRevisionTagConditionType = "Reconciled" - // IstioRevisionTagNameAlreadyExists indicates that the a revision with the same name as the IstioRevisionTag already exists. + // IstioRevisionTagNameAlreadyExists indicates that an IstioRevision with the same name as the IstioRevisionTag already exists. IstioRevisionTagReasonNameAlreadyExists IstioRevisionTagConditionReason = "NameAlreadyExists" // IstioRevisionTagReasonReferenceNotFound indicates that the resource referenced by the tag's TargetRef was not found diff --git a/vendor/github.com/istio-ecosystem/sail-operator/api/v1/values_types.gen.go b/vendor/github.com/istio-ecosystem/sail-operator/api/v1/values_types.gen.go index aa2875a561..3eee3f425f 100644 --- a/vendor/github.com/istio-ecosystem/sail-operator/api/v1/values_types.gen.go +++ b/vendor/github.com/istio-ecosystem/sail-operator/api/v1/values_types.gen.go @@ -24,6 +24,16 @@ import ( intstr "k8s.io/apimachinery/pkg/util/intstr" ) +// +kubebuilder:validation:Enum=undefined;all;cluster;namespace +type ResourceScope string + +const ( + ResourceScopeUndefined ResourceScope = "undefined" + ResourceScopeAll ResourceScope = "all" + ResourceScopeCluster ResourceScope = "cluster" + ResourceScopeNamespace ResourceScope = "namespace" +) + // Mode for the ingress controller. // +kubebuilder:validation:Enum=UNSPECIFIED;DEFAULT;STRICT;OFF type IngressControllerMode string @@ -106,10 +116,22 @@ type CNIConfig struct { ExcludeNamespaces []string `json:"excludeNamespaces,omitempty"` // K8s affinity to set on the istio-cni Pods. Can be used to exclude istio-cni from being scheduled on specified nodes. Affinity *k8sv1.Affinity `json:"affinity,omitempty"` + // Environment variables passed to the CNI container. + // + // Examples: + // env: + // + // ENV_VAR_1: value1 + // ENV_VAR_2: value2 + Env map[string]string `json:"env,omitempty"` + // Additional labels to apply to the istio-cni DaemonSet. + DaemonSetLabels map[string]string `json:"daemonSetLabels,omitempty"` // Additional annotations to apply to the istio-cni Pods. // // Deprecated: Marked as deprecated in pkg/apis/values_types.proto. PodAnnotations map[string]string `json:"podAnnotations,omitempty"` + // Additional labels to apply to the istio-cni Pods. + PodLabels map[string]string `json:"podLabels,omitempty"` // PodSecurityPolicy cluster role. No longer used anywhere. PspClusterRole *string `json:"psp_cluster_role,omitempty"` @@ -120,7 +142,7 @@ type CNIConfig struct { // Configure the plugin as a chained CNI plugin. When true, the configuration is added to the CNI chain; when false, // the configuration is added as a standalone file in the CNI configuration directory. Chained *bool `json:"chained,omitempty"` - // The resource quotas configration for the CNI DaemonSet. + // The resource quotas configuration for the CNI DaemonSet. ResourceQuotas *ResourceQuotas `json:"resource_quotas,omitempty"` // The k8s resource requests and limits for the istio-cni Pods. Resources *k8sv1.ResourceRequirements `json:"resources,omitempty"` @@ -145,6 +167,9 @@ type CNIConfig struct { // of pods at the start of the update. // +kubebuilder:validation:XIntOrString RollingMaxUnavailable *intstr.IntOrString `json:"rollingMaxUnavailable,omitempty"` + // Specifies if an Istio owned CNI config should be created. + IstioOwnedCNIConfig *bool `json:"istioOwnedCNIConfig,omitempty"` + IstioOwnedCNIConfigFileName *string `json:"istioOwnedCNIConfigFileName,omitempty"` } type CNIUsageConfig struct { @@ -423,7 +448,14 @@ type GlobalConfig struct { // Specifies how waypoints are configured within Istio. Waypoint *WaypointConfig `json:"waypoint,omitempty"` // Select a custom name for istiod's CA Root Cert ConfigMap. - TrustBundleName *string `json:"trustBundleName,omitempty"` // The next available key is 74 + TrustBundleName *string `json:"trustBundleName,omitempty"` + // Specifies whether native nftables rules should be used instead of iptables rules for traffic redirection. + NativeNftables *bool `json:"nativeNftables,omitempty"` + // Settings related to Kubernetes NetworkPolicy. + NetworkPolicy *NetworkPolicyConfig `json:"networkPolicy,omitempty"` + // Specifies resource scope for discovery selectors. + // This is useful when installing Istio on a cluster where some resources need to be owned by a cluster administrator and some can be owned by the mesh administrator. + ResourceScope ResourceScope `json:"resourceScope,omitempty"` // The next available key is 77 } @@ -617,7 +649,7 @@ type PilotConfig struct { // Configuration for the istio-discovery chart when istiod is running in a remote cluster (e.g. "remote control plane"). IstiodRemote *IstiodRemoteConfig `json:"istiodRemote,omitempty"` // Configuration for the istio-discovery chart - EnvVarFrom []k8sv1.EnvFromSource `json:"envVarFrom,omitempty"` + EnvVarFrom []k8sv1.EnvVar `json:"envVarFrom,omitempty"` } type PilotTaintControllerConfig struct { @@ -912,6 +944,9 @@ type IstiodRemoteConfig struct { InjectionCABundle *string `json:"injectionCABundle,omitempty"` // Indicates if this cluster/install should consume a "remote" istiod instance, Enabled *bool `json:"enabled,omitempty"` + // If `true`, indicates that this cluster/install should consume a "local istiod" installation, + // local istiod inject sidecars + EnabledLocalInjectorIstiod *bool `json:"enabledLocalInjectorIstiod,omitempty"` } type Values struct { @@ -955,6 +990,8 @@ type Values struct { // +kubebuilder:validation:Schemaless Experimental json.RawMessage `json:"experimental,omitempty"` // Configuration for Gateway Classes + // +kubebuilder:pruning:PreserveUnknownFields + // +kubebuilder:validation:Schemaless GatewayClasses json.RawMessage `json:"gatewayClasses,omitempty"` } @@ -988,6 +1025,12 @@ type WaypointConfig struct { Toleration []*k8sv1.Toleration `json:"toleration,omitempty"` } +// Configuration for NetworkPolicy +type NetworkPolicyConfig struct { + // Controls whether default NetworkPolicy resources will be created. + Enabled *bool `json:"enabled,omitempty"` +} + const filePkgApisValuesTypesProtoRawDesc = "" + "\n" + "\x1bpkg/apis/values_types.proto\x12\x17istio.operator.v1alpha1\x1a\x19google/protobuf/any.proto\x1a\x1egoogle/protobuf/duration.proto\x1a\x1cgoogle/protobuf/struct.proto\x1a\x1egoogle/protobuf/wrappers.proto\x1a\"k8s.io/api/core/v1/generated.proto\x1a4k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto\"h\n" + @@ -996,7 +1039,7 @@ const filePkgApisValuesTypesProtoRawDesc = "" + "\x05amd64\x18\x01 \x01(\rR\x05amd64\x12\x18\n" + "\appc64le\x18\x02 \x01(\rR\appc64le\x12\x14\n" + "\x05s390x\x18\x03 \x01(\rR\x05s390x\x12\x14\n" + - "\x05arm64\x18\x04 \x01(\rR\x05arm64\"\xeb\t\n" + + "\x05arm64\x18\x04 \x01(\rR\x05arm64\"\xa0\f\n" + "\tCNIConfig\x124\n" + "\aenabled\x18\x01 \x01(\v2\x1a.google.protobuf.BoolValueR\aenabled\x12\x10\n" + "\x03hub\x18\x02 \x01(\tR\x03hub\x12(\n" + @@ -1013,9 +1056,12 @@ const filePkgApisValuesTypesProtoRawDesc = "" + "\x0fcniConfFileName\x18\b \x01(\tR\x0fcniConfFileName\x12 \n" + "\vcniNetnsDir\x18\x1f \x01(\tR\vcniNetnsDir\x12,\n" + "\x11excludeNamespaces\x18\t \x03(\tR\x11excludeNamespaces\x128\n" + - "\baffinity\x18\x14 \x01(\v2\x1c.k8s.io.api.core.v1.AffinityR\baffinity\x12C\n" + + "\baffinity\x18\x14 \x01(\v2\x1c.k8s.io.api.core.v1.AffinityR\baffinity\x12)\n" + + "\x03env\x18 \x01(\v2\x17.google.protobuf.StructR\x03env\x12A\n" + + "\x0fdaemonSetLabels\x18! \x01(\v2\x17.google.protobuf.StructR\x0fdaemonSetLabels\x12C\n" + "\x0epodAnnotations\x18\n" + - " \x01(\v2\x17.google.protobuf.StructB\x02\x18\x01R\x0epodAnnotations\x12(\n" + + " \x01(\v2\x17.google.protobuf.StructB\x02\x18\x01R\x0epodAnnotations\x125\n" + + "\tpodLabels\x18\" \x01(\v2\x17.google.protobuf.StructR\tpodLabels\x12(\n" + "\x10psp_cluster_role\x18\v \x01(\tR\x0epspClusterRole\x12\x1e\n" + "\blogLevel\x18\f \x01(\tB\x02\x18\x01R\blogLevel\x12F\n" + "\alogging\x18\x19 \x01(\v2,.istio.operator.v1alpha1.GlobalLoggingConfigR\alogging\x12@\n" + @@ -1029,7 +1075,9 @@ const filePkgApisValuesTypesProtoRawDesc = "" + "\x0eseccompProfile\x18\x13 \x01(\v2\".k8s.io.api.core.v1.SeccompProfileR\x0eseccompProfile\x12C\n" + "\aambient\x18\x15 \x01(\v2).istio.operator.v1alpha1.CNIAmbientConfigR\aambient\x12\x1a\n" + "\bprovider\x18\x16 \x01(\tR\bprovider\x12Z\n" + - "\x15rollingMaxUnavailable\x18\x17 \x01(\v2$.istio.operator.v1alpha1.IntOrStringR\x15rollingMaxUnavailable\"\x9c\x01\n" + + "\x15rollingMaxUnavailable\x18\x17 \x01(\v2$.istio.operator.v1alpha1.IntOrStringR\x15rollingMaxUnavailable\x12L\n" + + "\x13istioOwnedCNIConfig\x18# \x01(\v2\x1a.google.protobuf.BoolValueR\x13istioOwnedCNIConfig\x12@\n" + + "\x1bistioOwnedCNIConfigFileName\x18$ \x01(\tR\x1bistioOwnedCNIConfigFileName\"\x9c\x01\n" + "\x0eCNIUsageConfig\x124\n" + "\aenabled\x18\x01 \x01(\v2\x1a.google.protobuf.BoolValueR\aenabled\x128\n" + "\achained\x18\x02 \x01(\v2\x1a.google.protobuf.BoolValueB\x02\x18\x01R\achained\x12\x1a\n" + @@ -1121,7 +1169,7 @@ const filePkgApisValuesTypesProtoRawDesc = "" + "\x14istio_ingressgateway\x18\x04 \x01(\v2-.istio.operator.v1alpha1.IngressGatewayConfigR\x14istio-ingressgateway\x12@\n" + "\x0fsecurityContext\x18\n" + " \x01(\v2\x16.google.protobuf.ValueR\x0fsecurityContext\x12>\n" + - "\x0eseccompProfile\x18\f \x01(\v2\x16.google.protobuf.ValueR\x0eseccompProfile\"\xc7\x12\n" + + "\x0eseccompProfile\x18\f \x01(\v2\x16.google.protobuf.ValueR\x0eseccompProfile\"\xad\x14\n" + "\fGlobalConfig\x12;\n" + "\x04arch\x18\x01 \x01(\v2#.istio.operator.v1alpha1.ArchConfigB\x02\x18\x01R\x04arch\x12 \n" + "\vcertSigners\x18D \x03(\tR\vcertSigners\x12F\n" + @@ -1169,7 +1217,10 @@ const filePkgApisValuesTypesProtoRawDesc = "" + "ipFamilies\x12&\n" + "\x0eipFamilyPolicy\x18G \x01(\tR\x0eipFamilyPolicy\x12C\n" + "\bwaypoint\x18H \x01(\v2'.istio.operator.v1alpha1.WaypointConfigR\bwaypoint\x12(\n" + - "\x0ftrustBundleName\x18I \x01(\tR\x0ftrustBundleName\"-\n" + + "\x0ftrustBundleName\x18I \x01(\tR\x0ftrustBundleName\x12B\n" + + "\x0enativeNftables\x18J \x01(\v2\x1a.google.protobuf.BoolValueR\x0enativeNftables\x12R\n" + + "\rnetworkPolicy\x18K \x01(\v2,.istio.operator.v1alpha1.NetworkPolicyConfigR\rnetworkPolicy\x12L\n" + + "\rresourceScope\x18L \x01(\x0e2&.istio.operator.v1alpha1.ResourceScopeR\rresourceScope\"-\n" + "\tSTSConfig\x12 \n" + "\vservicePort\x18\x01 \x01(\rR\vservicePort\"R\n" + "\fIstiodConfig\x12B\n" + @@ -1383,12 +1434,13 @@ const filePkgApisValuesTypesProtoRawDesc = "" + "\rvalidationURL\x18\x02 \x01(\tR\rvalidationURL\x12P\n" + "\x15enableIstioConfigCRDs\x18\x03 \x01(\v2\x1a.google.protobuf.BoolValueR\x15enableIstioConfigCRDs\x12D\n" + "\x0fvalidateGateway\x18\x04 \x01(\v2\x1a.google.protobuf.BoolValueR\x0fvalidateGateway\x12.\n" + - "\x12validationCABundle\x18\x05 \x01(\tR\x12validationCABundle\"\xc2\x01\n" + + "\x12validationCABundle\x18\x05 \x01(\tR\x12validationCABundle\"\x9e\x02\n" + "\x12IstiodRemoteConfig\x12\"\n" + "\finjectionURL\x18\x01 \x01(\tR\finjectionURL\x12$\n" + "\rinjectionPath\x18\x02 \x01(\tR\rinjectionPath\x12,\n" + "\x11injectionCABundle\x18\x03 \x01(\tR\x11injectionCABundle\x124\n" + - "\aenabled\x18\x05 \x01(\v2\x1a.google.protobuf.BoolValueR\aenabled\"\xd7\b\n" + + "\aenabled\x18\x05 \x01(\v2\x1a.google.protobuf.BoolValueR\aenabled\x12Z\n" + + "\x1aenabledLocalInjectorIstiod\x18\x06 \x01(\v2\x1a.google.protobuf.BoolValueR\x1aenabledLocalInjectorIstiod\"\xd7\b\n" + "\x06Values\x124\n" + "\x03cni\x18\x02 \x01(\v2\".istio.operator.v1alpha1.CNIConfigR\x03cni\x12C\n" + "\bgateways\x18\x05 \x01(\v2'.istio.operator.v1alpha1.GatewaysConfigR\bgateways\x12=\n" + @@ -1425,7 +1477,14 @@ const filePkgApisValuesTypesProtoRawDesc = "" + "\fnodeSelector\x18\x04 \x01(\v2 .k8s.io.api.core.v1.NodeSelectorR\fnodeSelector\x12>\n" + "\n" + "toleration\x18\x05 \x03(\v2\x1e.k8s.io.api.core.v1.TolerationR\n" + - "toleration*J\n" + + "toleration\"K\n" + + "\x13NetworkPolicyConfig\x124\n" + + "\aenabled\x18\x01 \x01(\v2\x1a.google.protobuf.BoolValueR\aenabled*C\n" + + "\rResourceScope\x12\r\n" + + "\tundefined\x10\x00\x12\a\n" + + "\x03all\x10\x01\x12\v\n" + + "\acluster\x10\x02\x12\r\n" + + "\tnamespace\x10\x03*J\n" + "\x15ingressControllerMode\x12\x0f\n" + "\vUNSPECIFIED\x10\x00\x12\v\n" + "\aDEFAULT\x10\x01\x12\n" + @@ -1474,6 +1533,9 @@ type CNIGlobalConfig struct { // Default k8s resources settings for all Istio co // An empty value means it is a vanilla Kubernetes distribution, therefore no special // treatment will be considered. Platform *string `json:"platform,omitempty"` + + // Specifies whether native nftables rules should be used instead of iptables rules for traffic redirection. + NativeNftables *bool `json:"nativeNftables,omitempty"` } // Resource describes the source of configuration @@ -1569,6 +1631,30 @@ const ( MeshConfigInboundTrafficPolicyModeLocalhost MeshConfigInboundTrafficPolicyMode = "LOCALHOST" ) +// The scope of the matching service. Used to determine if the service is available locally +// (cluster local) or globally (mesh-wide). +// +kubebuilder:validation:Enum=LOCAL;GLOBAL +type MeshConfigServiceScopeConfigsScope string + +const ( + MeshConfigServiceScopeConfigsScopeLocal MeshConfigServiceScopeConfigsScope = "LOCAL" + MeshConfigServiceScopeConfigsScopeGlobal MeshConfigServiceScopeConfigsScope = "GLOBAL" +) + +// Available trace context options for handling different trace header formats. +// +kubebuilder:validation:Enum=USE_B3;USE_B3_WITH_W3C_PROPAGATION +type MeshConfigExtensionProviderZipkinTracingProviderTraceContextOption string + +const ( + // Use B3 headers only (default behavior). + MeshConfigExtensionProviderZipkinTracingProviderTraceContextOptionUseB3 MeshConfigExtensionProviderZipkinTracingProviderTraceContextOption = "USE_B3" + // Enable B3 and W3C dual header support: + // - For downstream: Extract from B3 headers first, fallback to W3C traceparent if B3 is unavailable. + // - For upstream: Inject both B3 and W3C traceparent headers. + // When this option is NOT set, only B3 headers are used for both extraction and injection. + MeshConfigExtensionProviderZipkinTracingProviderTraceContextOptionUseB3WithW3cPropagation MeshConfigExtensionProviderZipkinTracingProviderTraceContextOption = "USE_B3_WITH_W3C_PROPAGATION" +) + // TraceContext selects the context propagation headers used for // distributed tracing. // +kubebuilder:validation:Enum=UNSPECIFIED;W3C_TRACE_CONTEXT;GRPC_BIN;CLOUD_TRACE_CONTEXT;B3 @@ -1857,6 +1943,8 @@ type MeshConfig struct { // +hidefromdoc // Settings to be applied to select services. ServiceSettings []*MeshConfigServiceSettings `json:"serviceSettings,omitempty"` + // Scope to be applied to select services. + ServiceScopeConfigs []*MeshConfigServiceScopeConfigs `json:"serviceScopeConfigs,omitempty"` // If enabled, Istio agent will merge metrics exposed by the application with metrics from Envoy // and Istio agent. The sidecar injection will replace `prometheus.io` annotations present on the pod // and redirect them towards Istio agent, which will then merge metrics of from the application with Istio metrics. @@ -2068,6 +2156,14 @@ type MeshConfigCertificateData struct { // - "bar.baz.svc.cluster.local" // // ``` +// +// When in ambient mode, if ServiceSettings are defined they will be considered in addition to the +// ServiceScopeConfigs. If a service is defined by ServiceSetting to be cluster local and matches a +// global service scope selector, the service will be considered cluster local. If a service is +// considered global by ServiceSettings and does not match a global service scope selector +// the serive will be considered local. Local scope takes precedence over global scope. Since +// ServiceScopeConfigs is local by default, all services are considered local unless it is considered +// global by ServiceSettings AND ServiceScopeConfigs. type MeshConfigServiceSettings struct { // The settings to apply to the selected services. Settings *MeshConfigServiceSettingsSettings `json:"settings,omitempty"` @@ -2078,6 +2174,43 @@ type MeshConfigServiceSettings struct { Hosts []string `json:"hosts,omitempty"` } +// Configuration for ambient mode multicluster service scope. This setting allows mesh administrators +// to define the criteria by which the cluster's control plane determines which services in other +// clusters in the mesh are treated as global (accessible across multiple clusters) versus local +// (restricted to a single cluster). The configuration can be applied to services based on namespace +// and/or other matching criteria. This is particularly useful in multicluster service mesh deployments +// to control service visibility and access across clusters. This API is not intended to enforce +// security policies. Resources like DestinationRules should be used to enforce authorization policies. +// If a service matches a global service scope selector, the service's endpoints will be globally +// exposed. If a service is locally scoped, its endpoints will only be exposed to local cluster +// services. +// +// For example, the following configures the scope of all services with the "istio.io/global" label +// in matching namespaces to be available globally: +// +// ```yaml +// serviceScopeConfigs: +// - namespacesSelector: +// matchExpressions: +// - key: istio.io/global +// operator: In +// values: [true] +// servicesSelector: +// matchExpressions: +// - key: istio.io/global +// operator: Exists +// scope: GLOBAL +// +// ``` +type MeshConfigServiceScopeConfigs struct { + // Match expression for namespaces. + NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty"` + // Match expression for serivces. + ServicesSelector *metav1.LabelSelector `json:"servicesSelector,omitempty"` + // Specifics the available scope for matching services. + Scope MeshConfigServiceScopeConfigsScope `json:"scope,omitempty"` +} + type MeshConfigCA struct { // REQUIRED. Address of the CA server implementing the Istio CA gRPC API. // Can be IP address or a fully qualified DNS name with port @@ -2100,7 +2233,7 @@ type MeshConfigCA struct { IstiodSide *bool `json:"istiodSide,omitempty"` } -// +kubebuilder:validation:XValidation:message="At most one of [envoyExtAuthzHttp envoyExtAuthzGrpc zipkin lightstep datadog stackdriver opencensus skywalking opentelemetry prometheus envoyFileAccessLog envoyHttpAls envoyTcpAls envoyOtelAls] should be set",rule="(has(self.envoyExtAuthzHttp)?1:0) + (has(self.envoyExtAuthzGrpc)?1:0) + (has(self.zipkin)?1:0) + (has(self.lightstep)?1:0) + (has(self.datadog)?1:0) + (has(self.stackdriver)?1:0) + (has(self.opencensus)?1:0) + (has(self.skywalking)?1:0) + (has(self.opentelemetry)?1:0) + (has(self.prometheus)?1:0) + (has(self.envoyFileAccessLog)?1:0) + (has(self.envoyHttpAls)?1:0) + (has(self.envoyTcpAls)?1:0) + (has(self.envoyOtelAls)?1:0) <= 1" +// +kubebuilder:validation:XValidation:message="At most one of [envoyExtAuthzHttp envoyExtAuthzGrpc zipkin lightstep datadog stackdriver opencensus skywalking opentelemetry prometheus envoyFileAccessLog envoyHttpAls envoyTcpAls envoyOtelAls sds] should be set",rule="(has(self.envoyExtAuthzHttp)?1:0) + (has(self.envoyExtAuthzGrpc)?1:0) + (has(self.zipkin)?1:0) + (has(self.lightstep)?1:0) + (has(self.datadog)?1:0) + (has(self.stackdriver)?1:0) + (has(self.opencensus)?1:0) + (has(self.skywalking)?1:0) + (has(self.opentelemetry)?1:0) + (has(self.prometheus)?1:0) + (has(self.envoyFileAccessLog)?1:0) + (has(self.envoyHttpAls)?1:0) + (has(self.envoyTcpAls)?1:0) + (has(self.envoyOtelAls)?1:0) + (has(self.sds)?1:0) <= 1" type MeshConfigExtensionProvider struct { // REQUIRED. A unique name identifying the extension provider. // +kubebuilder:validation:Required @@ -2156,6 +2289,12 @@ type MeshConfigExtensionProvider struct { // Configures an Envoy Open Telemetry Access Logging Service provider. EnvoyOtelAls *MeshConfigExtensionProviderEnvoyOpenTelemetryLogProvider `json:"envoyOtelAls,omitempty"` + + // Configures an Extension Provider for SDS. This can be used to + // configure an external SDS service to supply secrets for certain Gateways for example. + // This is useful for scenarios where the secrets are stored in an external secret store like Vault. + // The secret should be configured with sds://provider-name format. + Sds *MeshConfigExtensionProviderSDSProvider `json:"sds,omitempty"` } // Holds the name references to the providers that will be used by default @@ -2391,6 +2530,10 @@ type MeshConfigExtensionProviderZipkinTracingProvider struct { // Optional. Specifies the endpoint of Zipkin API. // The default value is "/api/v2/spans". Path *string `json:"path,omitempty"` + // Optional. Determines which trace context format to use for trace header extraction and propagation. + // This controls both downstream request header extraction and upstream request header injection. + // The default value is USE_B3 to maintain backward compatibility. + TraceContextOption MeshConfigExtensionProviderZipkinTracingProviderTraceContextOption `json:"traceContextOption,omitempty"` } // Defines configuration for a Lightstep tracer. @@ -2767,6 +2910,24 @@ type MeshConfigExtensionProviderOpenTelemetryTracingProvider struct { DynatraceSampler *MeshConfigExtensionProviderOpenTelemetryTracingProviderDynatraceSampler `json:"dynatraceSampler,omitempty"` } +// Defines configuration for an Gateway SDS provider. +type MeshConfigExtensionProviderSDSProvider struct { + // REQUIRED. Specifies the name of the provider. This should be used to configure the Gateway SDS. + // +kubebuilder:validation:Required + Name *string `json:"name"` + // REQUIRED. Specifies the service that implements the SDS service. + // The format is `[/]`. The specification of `` is required only when it is insufficient + // to unambiguously resolve a service in the service registry. The `` is a fully qualified host name of a + // service defined by the Kubernetes service or ServiceEntry. + // + // Example: "gateway-sds.foo.svc.cluster.local" or "bar/gateway-sds.example.com". + // +kubebuilder:validation:Required + Service *string `json:"service"` + // REQUIRED. Specifies the port of the service. + // +kubebuilder:validation:Required + Port *uint32 `json:"port"` +} + // Defines configuration for an HTTP service that can be used by an Extension Provider. // that does communication via HTTP. type MeshConfigExtensionProviderHttpService struct { @@ -2943,7 +3104,7 @@ type MeshConfigExtensionProviderResourceDetectorsDynatraceResourceDetector struc const fileMeshV1alpha1ConfigProtoRawDesc = "" + "\n" + - "\x1amesh/v1alpha1/config.proto\x12\x13istio.mesh.v1alpha1\x1a\x1egoogle/protobuf/duration.proto\x1a\x1cgoogle/protobuf/struct.proto\x1a\x1egoogle/protobuf/wrappers.proto\x1a\x19mesh/v1alpha1/proxy.proto\x1a*networking/v1alpha3/destination_rule.proto\x1a)networking/v1alpha3/virtual_service.proto\"\xebh\n" + + "\x1amesh/v1alpha1/config.proto\x12\x13istio.mesh.v1alpha1\x1a\x1egoogle/protobuf/duration.proto\x1a\x1cgoogle/protobuf/struct.proto\x1a\x1egoogle/protobuf/wrappers.proto\x1a\x19mesh/v1alpha1/proxy.proto\x1a*networking/v1alpha3/destination_rule.proto\x1a)networking/v1alpha3/virtual_service.proto\"\xf7n\n" + "\n" + "MeshConfig\x12*\n" + "\x11proxy_listen_port\x18\x04 \x01(\x05R\x0fproxyListenPort\x129\n" + @@ -2980,7 +3141,8 @@ const fileMeshV1alpha1ConfigProtoRawDesc = "" + "\x19inbound_cluster_stat_name\x18, \x01(\tR\x16inboundClusterStatName\x12;\n" + "\x1aoutbound_cluster_stat_name\x18- \x01(\tR\x17outboundClusterStatName\x12H\n" + "\fcertificates\x18/ \x03(\v2 .istio.mesh.v1alpha1.CertificateB\x02\x18\x01R\fcertificates\x12Z\n" + - "\x10service_settings\x182 \x03(\v2/.istio.mesh.v1alpha1.MeshConfig.ServiceSettingsR\x0fserviceSettings\x12R\n" + + "\x10service_settings\x182 \x03(\v2/.istio.mesh.v1alpha1.MeshConfig.ServiceSettingsR\x0fserviceSettings\x12g\n" + + "\x15service_scope_configs\x18C \x03(\v23.istio.mesh.v1alpha1.MeshConfig.ServiceScopeConfigsR\x13serviceScopeConfigs\x12R\n" + "\x17enable_prometheus_merge\x183 \x01(\v2\x1a.google.protobuf.BoolValueR\x15enablePrometheusMerge\x12_\n" + "\x1cverify_certificate_at_client\x186 \x01(\v2\x1a.google.protobuf.BoolValueB\x02\x18\x01R\x19verifyCertificateAtClient\x122\n" + "\x02ca\x187 \x01(\v2\".istio.mesh.v1alpha1.MeshConfig.CAR\x02ca\x12b\n" + @@ -3011,13 +3173,21 @@ const fileMeshV1alpha1ConfigProtoRawDesc = "" + "\bsettings\x18\x01 \x01(\v28.istio.mesh.v1alpha1.MeshConfig.ServiceSettings.SettingsR\bsettings\x12\x14\n" + "\x05hosts\x18\x02 \x03(\tR\x05hosts\x1a/\n" + "\bSettings\x12#\n" + - "\rcluster_local\x18\x01 \x01(\bR\fclusterLocal\x1a\xd4\x01\n" + + "\rcluster_local\x18\x01 \x01(\bR\fclusterLocal\x1a\xaa\x02\n" + + "\x13ServiceScopeConfigs\x12Q\n" + + "\x12namespace_selector\x18\x01 \x01(\v2\".istio.mesh.v1alpha1.LabelSelectorR\x11namespaceSelector\x12O\n" + + "\x11services_selector\x18\x02 \x01(\v2\".istio.mesh.v1alpha1.LabelSelectorR\x10servicesSelector\x12O\n" + + "\x05scope\x18\x03 \x01(\x0e29.istio.mesh.v1alpha1.MeshConfig.ServiceScopeConfigs.ScopeR\x05scope\"\x1e\n" + + "\x05Scope\x12\t\n" + + "\x05LOCAL\x10\x00\x12\n" + + "\n" + + "\x06GLOBAL\x10\x01\x1a\xd4\x01\n" + "\x02CA\x12\x18\n" + "\aaddress\x18\x01 \x01(\tR\aaddress\x12O\n" + "\ftls_settings\x18\x02 \x01(\v2,.istio.networking.v1alpha3.ClientTLSSettingsR\vtlsSettings\x12B\n" + "\x0frequest_timeout\x18\x03 \x01(\v2\x19.google.protobuf.DurationR\x0erequestTimeout\x12\x1f\n" + "\vistiod_side\x18\x04 \x01(\bR\n" + - "istiodSide\x1a\xcc=\n" + + "istiodSide\x1a\xc2@\n" + "\x11ExtensionProvider\x12\x12\n" + "\x04name\x18\x01 \x01(\tR\x04name\x12\x8b\x01\n" + "\x14envoy_ext_authz_http\x18\x02 \x01(\v2X.istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationHttpProviderH\x00R\x11envoyExtAuthzHttp\x12\x8b\x01\n" + @@ -3040,7 +3210,8 @@ const fileMeshV1alpha1ConfigProtoRawDesc = "" + "\x15envoy_file_access_log\x18\v \x01(\v2L.istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyFileAccessLogProviderH\x00R\x12envoyFileAccessLog\x12t\n" + "\x0eenvoy_http_als\x18\f \x01(\v2L.istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyHttpGrpcV3LogProviderH\x00R\fenvoyHttpAls\x12q\n" + "\renvoy_tcp_als\x18\r \x01(\v2K.istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyTcpGrpcV3LogProviderH\x00R\venvoyTcpAls\x12w\n" + - "\x0eenvoy_otel_als\x18\x0e \x01(\v2O.istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyOpenTelemetryLogProviderH\x00R\fenvoyOtelAls\x1a\xab\x01\n" + + "\x0eenvoy_otel_als\x18\x0e \x01(\v2O.istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyOpenTelemetryLogProviderH\x00R\fenvoyOtelAls\x12Q\n" + + "\x03sds\x18\x10 \x01(\v2=.istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.SDSProviderH\x00R\x03sds\x1a\xab\x01\n" + "%EnvoyExternalAuthorizationRequestBody\x12*\n" + "\x11max_request_bytes\x18\x01 \x01(\rR\x0fmaxRequestBytes\x122\n" + "\x15allow_partial_message\x18\x02 \x01(\bR\x13allowPartialMessage\x12\"\n" + @@ -3072,13 +3243,18 @@ const fileMeshV1alpha1ConfigProtoRawDesc = "" + "\tfail_open\x18\x03 \x01(\bR\bfailOpen\x12*\n" + "\x11clear_route_cache\x18\a \x01(\bR\x0fclearRouteCache\x12&\n" + "\x0fstatus_on_error\x18\x04 \x01(\tR\rstatusOnError\x12\x99\x01\n" + - "\x1dinclude_request_body_in_check\x18\x06 \x01(\v2W.istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationRequestBodyR\x19includeRequestBodyInCheck\x1a\xb2\x01\n" + + "\x1dinclude_request_body_in_check\x18\x06 \x01(\v2W.istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationRequestBodyR\x19includeRequestBodyInCheck\x1a\x84\x03\n" + "\x15ZipkinTracingProvider\x12\x18\n" + "\aservice\x18\x01 \x01(\tR\aservice\x12\x12\n" + "\x04port\x18\x02 \x01(\rR\x04port\x12$\n" + "\x0emax_tag_length\x18\x03 \x01(\rR\fmaxTagLength\x121\n" + "\x15enable_64bit_trace_id\x18\x04 \x01(\bR\x12enable64bitTraceId\x12\x12\n" + - "\x04path\x18\x05 \x01(\tR\x04path\x1a\x91\x01\n" + + "\x04path\x18\x05 \x01(\tR\x04path\x12\x8c\x01\n" + + "\x14trace_context_option\x18\x06 \x01(\x0e2Z.istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.ZipkinTracingProvider.TraceContextOptionR\x12traceContextOption\"A\n" + + "\x12TraceContextOption\x12\n" + + "\n" + + "\x06USE_B3\x10\x00\x12\x1f\n" + + "\x1bUSE_B3_WITH_W3C_PROPAGATION\x10\x01\x1a\x91\x01\n" + "\x18LightstepTracingProvider\x12\x18\n" + "\aservice\x18\x01 \x01(\tR\aservice\x12\x12\n" + "\x04port\x18\x02 \x01(\rR\x04port\x12!\n" + @@ -3167,7 +3343,11 @@ const fileMeshV1alpha1ConfigProtoRawDesc = "" + "\x04port\x18\x02 \x01(\rR\x04port\x12Q\n" + "\x04http\x18\x03 \x01(\v2=.istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.HttpServiceR\x04httpB\n" + "\n" + - "\bsampling\x1a\xae\x01\n" + + "\bsampling\x1aO\n" + + "\vSDSProvider\x12\x12\n" + + "\x04name\x18\x01 \x01(\tR\x04name\x12\x18\n" + + "\aservice\x18\x02 \x01(\tR\aservice\x12\x12\n" + + "\x04port\x18\x03 \x01(\rR\x04port\x1a\xae\x01\n" + "\vHttpService\x12\x12\n" + "\x04path\x18\x01 \x01(\tR\x04path\x123\n" + "\atimeout\x18\x02 \x01(\v2\x19.google.protobuf.DurationR\atimeout\x12V\n" + @@ -3818,7 +3998,7 @@ type MeshConfigProxyConfig struct { // ```yaml // proxyHeaders: // - // perserveHttp1HeaderCase: true + // preserveHttp1HeaderCase: true // // ``` // @@ -4051,6 +4231,15 @@ type ProxyConfigProxyHeaders struct { // requests and automatically normalize headers to lowercase, ensuring compliance with HTTP/2 // standards. PreserveHttp1HeaderCase *bool `json:"preserveHttp1HeaderCase,omitempty"` + // Controls the `X-Forwarded-Host` header. If enabled, the `X-Forwarded-Host` header is appended + // with the original host when it is rewritten. + // This header is disabled by default. + XForwardedHost *ProxyConfigProxyHeadersXForwardedHost `json:"xForwardedHost,omitempty"` + // Controls the `X-Forwarded-Port` header. If enabled, the `X-Forwarded-Port` header is header with the port value + // client used to connect to Envoy. It will be ignored if the “x-forwarded-port“ header has been set by any + // trusted proxy in front of Envoy. + // This header is disabled by default. + XForwardedPort *ProxyConfigProxyHeadersXForwardedPort `json:"xForwardedPort,omitempty"` } type ProxyConfigProxyHeadersServer struct { @@ -4067,6 +4256,14 @@ type ProxyConfigProxyHeadersAttemptCount struct { Disabled *bool `json:"disabled,omitempty"` } +type ProxyConfigProxyHeadersXForwardedHost struct { + Enabled *bool `json:"enabled,omitempty"` +} + +type ProxyConfigProxyHeadersXForwardedPort struct { + Enabled *bool `json:"enabled,omitempty"` +} + type ProxyConfigProxyHeadersEnvoyDebugHeaders struct { Disabled *bool `json:"disabled,omitempty"` } @@ -4169,7 +4366,7 @@ const fileMeshV1alpha1ProxyProtoRawDesc = "" + "poll_delay\x18\x01 \x01(\v2\x19.google.protobuf.DurationR\tpollDelay\x126\n" + "\bfallback\x18\x02 \x01(\v2\x1a.google.protobuf.BoolValueR\bfallbackB\n" + "\n" + - "\bprovider\"\xc3#\n" + + "\bprovider\"\xa3&\n" + "\vProxyConfig\x12\x1f\n" + "\vconfig_path\x18\x01 \x01(\tR\n" + "configPath\x12\x1f\n" + @@ -4220,7 +4417,7 @@ const fileMeshV1alpha1ProxyProtoRawDesc = "" + "\x11ProxyStatsMatcher\x12-\n" + "\x12inclusion_prefixes\x18\x01 \x03(\tR\x11inclusionPrefixes\x12-\n" + "\x12inclusion_suffixes\x18\x02 \x03(\tR\x11inclusionSuffixes\x12+\n" + - "\x11inclusion_regexps\x18\x03 \x03(\tR\x10inclusionRegexps\x1a\xc5\f\n" + + "\x11inclusion_regexps\x18\x03 \x03(\tR\x10inclusionRegexps\x1a\xa5\x0f\n" + "\fProxyHeaders\x12a\n" + "\x15forwarded_client_cert\x18\x01 \x01(\x0e2-.istio.mesh.v1alpha1.ForwardClientCertDetailsR\x13forwardedClientCert\x12\x8f\x01\n" + "\x1fset_current_client_cert_details\x18\a \x01(\v2I.istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.SetCurrentClientCertDetailsR\x1bsetCurrentClientCertDetails\x12V\n" + @@ -4230,14 +4427,20 @@ const fileMeshV1alpha1ProxyProtoRawDesc = "" + "\rattempt_count\x18\x04 \x01(\v2:.istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.AttemptCountR\fattemptCount\x12o\n" + "\x13envoy_debug_headers\x18\x05 \x01(\v2?.istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.EnvoyDebugHeadersR\x11envoyDebugHeaders\x12\x81\x01\n" + "\x19metadata_exchange_headers\x18\x06 \x01(\v2E.istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.MetadataExchangeHeadersR\x17metadataExchangeHeaders\x12W\n" + - "\x1apreserve_http1_header_case\x18( \x01(\v2\x1a.google.protobuf.BoolValueR\x17preserveHttp1HeaderCase\x1aV\n" + + "\x1apreserve_http1_header_case\x18( \x01(\v2\x1a.google.protobuf.BoolValueR\x17preserveHttp1HeaderCase\x12f\n" + + "\x10x_forwarded_host\x18) \x01(\v2<.istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.XForwardedHostR\x0exForwardedHost\x12f\n" + + "\x10x_forwarded_port\x18* \x01(\v2<.istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.XForwardedPortR\x0exForwardedPort\x1aV\n" + "\x06Server\x126\n" + "\bdisabled\x18\x01 \x01(\v2\x1a.google.protobuf.BoolValueR\bdisabled\x12\x14\n" + "\x05value\x18\x02 \x01(\tR\x05value\x1aC\n" + "\tRequestId\x126\n" + "\bdisabled\x18\x01 \x01(\v2\x1a.google.protobuf.BoolValueR\bdisabled\x1aF\n" + "\fAttemptCount\x126\n" + - "\bdisabled\x18\x01 \x01(\v2\x1a.google.protobuf.BoolValueR\bdisabled\x1aK\n" + + "\bdisabled\x18\x01 \x01(\v2\x1a.google.protobuf.BoolValueR\bdisabled\x1aF\n" + + "\x0eXForwardedHost\x124\n" + + "\aenabled\x18\x01 \x01(\v2\x1a.google.protobuf.BoolValueR\aenabled\x1aF\n" + + "\x0eXForwardedPort\x124\n" + + "\aenabled\x18\x01 \x01(\v2\x1a.google.protobuf.BoolValueR\aenabled\x1aK\n" + "\x11EnvoyDebugHeaders\x126\n" + "\bdisabled\x18\x01 \x01(\v2\x1a.google.protobuf.BoolValueR\bdisabled\x1aq\n" + "\x17MetadataExchangeHeaders\x12V\n" + diff --git a/vendor/github.com/istio-ecosystem/sail-operator/api/v1/values_types_extra.go b/vendor/github.com/istio-ecosystem/sail-operator/api/v1/values_types_extra.go index 637f8db30e..b6f2a5f059 100644 --- a/vendor/github.com/istio-ecosystem/sail-operator/api/v1/values_types_extra.go +++ b/vendor/github.com/istio-ecosystem/sail-operator/api/v1/values_types_extra.go @@ -15,6 +15,7 @@ package v1 import ( + appsv1 "k8s.io/api/apps/v1" k8sv1 "k8s.io/api/core/v1" ) @@ -49,6 +50,10 @@ type ZTunnelConfig struct { // Image name to pull from. Image will be `Hub/Image:Tag-Variant`. // If Image contains a "/", it will replace the entire `image` in the pod. Image *string `json:"image,omitempty"` + // defines the network this cluster belong to. This name corresponds to the networks in the map of mesh networks. + Network *string `json:"network,omitempty"` + // K8s affinity to set on the ztunnel Pods. Can be used to exclude ztunnel from being scheduled on specified nodes. + Affinity *k8sv1.Affinity `json:"affinity,omitempty"` // resourceName, if set, will override the naming of resources. If not set, will default to the release name. // It is recommended to not set this; this is primarily for backwards compatibility. ResourceName *string `json:"resourceName,omitempty"` @@ -60,12 +65,20 @@ type ZTunnelConfig struct { VolumeMounts []k8sv1.VolumeMount `json:"volumeMounts,omitempty"` // Additional volumes to add to the ztunnel Pod. Volumes []k8sv1.Volume `json:"volumes,omitempty"` + // Tolerations for the ztunnel pod + Tolerations []k8sv1.Toleration `json:"tolerations,omitempty"` // Annotations added to each pod. The default annotations are required for scraping prometheus (in most environments). PodAnnotations map[string]string `json:"podAnnotations,omitempty"` // Additional labels to apply on the pod level. PodLabels map[string]string `json:"podLabels,omitempty"` // The k8s resource requests and limits for the ztunnel Pods. Resources *k8sv1.ResourceRequirements `json:"resources,omitempty"` + // The resource quotas configuration for ztunnel + ResourceQuotas *ResourceQuotas `json:"resourceQuotas,omitempty"` + // K8s node selector settings. + // + // See https://kubernetes.io/docs/user-guide/node-selection/ + NodeSelector map[string]string `json:"nodeSelector,omitempty"` // List of secret names to add to the service account as image pull secrets // to use for pulling any images in pods that reference this ServiceAccount. // Must be set for any cluster configured with private docker registry. @@ -82,9 +95,6 @@ type ZTunnelConfig struct { // The name of the cluster we are installing in. Note this is a user-defined name, which must be consistent // with Istiod configuration. MultiCluster *MultiClusterConfig `json:"multiCluster,omitempty"` - // meshConfig defines runtime configuration of components. - // For ztunnel, only defaultConfig is used, but this is nested under `meshConfig` for consistency with other components. - MeshConfig *MeshConfig `json:"meshConfig,omitempty"` // This value defines: // 1. how many seconds kube waits for ztunnel pod to gracefully exit before forcibly terminating it (this value) // 2. how many seconds ztunnel waits to drain its own connections (this value - 1 sec) @@ -105,6 +115,10 @@ type ZTunnelConfig struct { LogLevel *string `json:"logLevel,omitempty"` // Specifies whether istio components should output logs in json format by adding --log_as_json argument to each container. LogAsJSON *bool `json:"logAsJson,omitempty"` + // Set seLinux options for the ztunnel pod + SeLinuxOptions *k8sv1.SELinuxOptions `json:"seLinuxOptions,omitempty"` + // Defines the update strategy to use when the version in the Ztunnel CR is updated. + UpdateStrategy *appsv1.DaemonSetUpdateStrategy `json:"updateStrategy,omitempty"` } // ZTunnelGlobalConfig is a subset of the Global Configuration used in the Istio ztunnel chart. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/api/v1/ztunnel_types.go b/vendor/github.com/istio-ecosystem/sail-operator/api/v1/ztunnel_types.go new file mode 100644 index 0000000000..278c000e97 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/api/v1/ztunnel_types.go @@ -0,0 +1,194 @@ +// Copyright Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package v1 + +import ( + "time" + + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +const ( + ZTunnelKind = "ZTunnel" +) + +// ZTunnelSpec defines the desired state of ZTunnel +type ZTunnelSpec struct { + // +sail:version + // Defines the version of Istio to install. + // Must be one of: v1.28-latest, v1.28.5, v1.28.4, v1.27-latest, v1.27.8, v1.27.5, v1.27.3, v1.26-latest, v1.26.8, v1.26.6, v1.26.4, v1.26.3, v1.26.2. + // +operator-sdk:csv:customresourcedefinitions:type=spec,order=1,displayName="Istio Version",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:fieldGroup:General", "urn:alm:descriptor:com.tectonic.ui:select:v1.28-latest", "urn:alm:descriptor:com.tectonic.ui:select:v1.28.5", "urn:alm:descriptor:com.tectonic.ui:select:v1.28.4", "urn:alm:descriptor:com.tectonic.ui:select:v1.27-latest", "urn:alm:descriptor:com.tectonic.ui:select:v1.27.8", "urn:alm:descriptor:com.tectonic.ui:select:v1.27.5", "urn:alm:descriptor:com.tectonic.ui:select:v1.27.3", "urn:alm:descriptor:com.tectonic.ui:select:v1.26-latest", "urn:alm:descriptor:com.tectonic.ui:select:v1.26.8", "urn:alm:descriptor:com.tectonic.ui:select:v1.26.6", "urn:alm:descriptor:com.tectonic.ui:select:v1.26.4", "urn:alm:descriptor:com.tectonic.ui:select:v1.26.3", "urn:alm:descriptor:com.tectonic.ui:select:v1.26.2"} + // +kubebuilder:validation:Enum=v1.28-latest;v1.28.5;v1.28.4;v1.27-latest;v1.27.8;v1.27.5;v1.27.3;v1.26-latest;v1.26.8;v1.26.6;v1.26.4;v1.26.3;v1.26.2 + // +kubebuilder:default=v1.28.5 + Version string `json:"version"` + + // Namespace to which the Istio ztunnel component should be installed. + // +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors={"urn:alm:descriptor:io.kubernetes:Namespace"} + // +kubebuilder:default=ztunnel + Namespace string `json:"namespace"` + + // Defines the values to be passed to the Helm charts when installing Istio ztunnel. + // +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Helm Values" + Values *ZTunnelValues `json:"values,omitempty"` +} + +// ZTunnelStatus defines the observed state of ZTunnel +type ZTunnelStatus struct { + // ObservedGeneration is the most recent generation observed for this + // ZTunnel object. It corresponds to the object's generation, which is + // updated on mutation by the API Server. The information in the status + // pertains to this particular generation of the object. + ObservedGeneration int64 `json:"observedGeneration,omitempty"` + + // Represents the latest available observations of the object's current state. + Conditions []ZTunnelCondition `json:"conditions,omitempty"` + + // Reports the current state of the object. + State ZTunnelConditionReason `json:"state,omitempty"` +} + +// GetCondition returns the condition of the specified type +func (s *ZTunnelStatus) GetCondition(conditionType ZTunnelConditionType) ZTunnelCondition { + if s != nil { + for i := range s.Conditions { + if s.Conditions[i].Type == conditionType { + return s.Conditions[i] + } + } + } + return ZTunnelCondition{Type: conditionType, Status: metav1.ConditionUnknown} +} + +// SetCondition sets a specific condition in the list of conditions +func (s *ZTunnelStatus) SetCondition(condition ZTunnelCondition) { + var now time.Time + if testTime == nil { + now = time.Now() + } else { + now = *testTime + } + + // The lastTransitionTime only gets serialized out to the second. This can + // break update skipping, as the time in the resource returned from the client + // may not match the time in our cached status during a reconcile. We truncate + // here to save any problems down the line. + lastTransitionTime := metav1.NewTime(now.Truncate(time.Second)) + + for i, prevCondition := range s.Conditions { + if prevCondition.Type == condition.Type { + if prevCondition.Status != condition.Status { + condition.LastTransitionTime = lastTransitionTime + } else { + condition.LastTransitionTime = prevCondition.LastTransitionTime + } + s.Conditions[i] = condition + return + } + } + + // If the condition does not exist, initialize the lastTransitionTime + condition.LastTransitionTime = lastTransitionTime + s.Conditions = append(s.Conditions, condition) +} + +// ZTunnelCondition represents a specific observation of the ZTunnel object's state. +type ZTunnelCondition struct { + // The type of this condition. + Type ZTunnelConditionType `json:"type,omitempty"` + + // The status of this condition. Can be True, False or Unknown. + Status metav1.ConditionStatus `json:"status,omitempty"` + + // Unique, single-word, CamelCase reason for the condition's last transition. + Reason ZTunnelConditionReason `json:"reason,omitempty"` + + // Human-readable message indicating details about the last transition. + Message string `json:"message,omitempty"` + + // Last time the condition transitioned from one status to another. + // +optional + LastTransitionTime metav1.Time `json:"lastTransitionTime,omitzero"` +} + +// ZTunnelConditionType represents the type of the condition. Condition stages are: +// Installed, Reconciled, Ready +type ZTunnelConditionType string + +// ZTunnelConditionReason represents a short message indicating how the condition came +// to be in its present state. +type ZTunnelConditionReason string + +const ( + // ZTunnelConditionReconciled signifies whether the controller has + // successfully reconciled the resources defined through the CR. + ZTunnelConditionReconciled ZTunnelConditionType = "Reconciled" + + // ZTunnelReasonReconcileError indicates that the reconciliation of the resource has failed, but will be retried. + ZTunnelReasonReconcileError ZTunnelConditionReason = "ReconcileError" +) + +const ( + // ZTunnelConditionReady signifies whether the ztunnel DaemonSet is ready. + ZTunnelConditionReady ZTunnelConditionType = "Ready" + + // ZTunnelDaemonSetNotReady indicates that the ztunnel DaemonSet is not ready. + ZTunnelDaemonSetNotReady ZTunnelConditionReason = "DaemonSetNotReady" + + // ZTunnelReasonReadinessCheckFailed indicates that the DaemonSet readiness status could not be ascertained. + ZTunnelReasonReadinessCheckFailed ZTunnelConditionReason = "ReadinessCheckFailed" +) + +const ( + // ZTunnelReasonHealthy indicates that the control plane is fully reconciled and that all components are ready. + ZTunnelReasonHealthy ZTunnelConditionReason = "Healthy" +) + +// +kubebuilder:object:root=true +// +kubebuilder:resource:scope=Cluster,categories=istio-io +// +kubebuilder:subresource:status +// +kubebuilder:storageversion +// +kubebuilder:printcolumn:name="Namespace",type="string",JSONPath=".spec.namespace",description="The namespace for the ztunnel component." +// +kubebuilder:printcolumn:name="Ready",type="string",JSONPath=".status.conditions[?(@.type==\"Ready\")].status",description="Whether the Istio ztunnel installation is ready to handle requests." +// +kubebuilder:printcolumn:name="Status",type="string",JSONPath=".status.state",description="The current state of this object." +// +kubebuilder:printcolumn:name="Version",type="string",JSONPath=".spec.version",description="The version of the Istio ztunnel installation." +// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp",description="The age of the object" +// +kubebuilder:validation:XValidation:rule="self.metadata.name == 'default'",message="metadata.name must be 'default'" + +// ZTunnel represents a deployment of the Istio ztunnel component. +type ZTunnel struct { + metav1.TypeMeta `json:",inline"` + // +optional + metav1.ObjectMeta `json:"metadata"` + + // +kubebuilder:default={version: "v1.28.5", namespace: "ztunnel"} + // +optional + Spec ZTunnelSpec `json:"spec"` + + // +optional + Status ZTunnelStatus `json:"status"` +} + +// +kubebuilder:object:root=true + +// ZTunnelList contains a list of ZTunnel +type ZTunnelList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata"` + Items []ZTunnel `json:"items"` +} + +func init() { + SchemeBuilder.Register(&ZTunnel{}, &ZTunnelList{}) +} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/api/v1/zz_generated.deepcopy.go b/vendor/github.com/istio-ecosystem/sail-operator/api/v1/zz_generated.deepcopy.go index baac7292dc..fd18a2eb1f 100644 --- a/vendor/github.com/istio-ecosystem/sail-operator/api/v1/zz_generated.deepcopy.go +++ b/vendor/github.com/istio-ecosystem/sail-operator/api/v1/zz_generated.deepcopy.go @@ -20,6 +20,7 @@ package v1 import ( "encoding/json" + appsv1 "k8s.io/api/apps/v1" "k8s.io/api/autoscaling/v2" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -190,6 +191,20 @@ func (in *CNIConfig) DeepCopyInto(out *CNIConfig) { *out = new(corev1.Affinity) (*in).DeepCopyInto(*out) } + if in.Env != nil { + in, out := &in.Env, &out.Env + *out = make(map[string]string, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } + if in.DaemonSetLabels != nil { + in, out := &in.DaemonSetLabels, &out.DaemonSetLabels + *out = make(map[string]string, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } if in.PodAnnotations != nil { in, out := &in.PodAnnotations, &out.PodAnnotations *out = make(map[string]string, len(*in)) @@ -197,6 +212,13 @@ func (in *CNIConfig) DeepCopyInto(out *CNIConfig) { (*out)[key] = val } } + if in.PodLabels != nil { + in, out := &in.PodLabels, &out.PodLabels + *out = make(map[string]string, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } if in.PspClusterRole != nil { in, out := &in.PspClusterRole, &out.PspClusterRole *out = new(string) @@ -252,6 +274,16 @@ func (in *CNIConfig) DeepCopyInto(out *CNIConfig) { *out = new(intstr.IntOrString) **out = **in } + if in.IstioOwnedCNIConfig != nil { + in, out := &in.IstioOwnedCNIConfig, &out.IstioOwnedCNIConfig + *out = new(bool) + **out = **in + } + if in.IstioOwnedCNIConfigFileName != nil { + in, out := &in.IstioOwnedCNIConfigFileName, &out.IstioOwnedCNIConfigFileName + *out = new(string) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CNIConfig. @@ -312,6 +344,11 @@ func (in *CNIGlobalConfig) DeepCopyInto(out *CNIGlobalConfig) { *out = new(string) **out = **in } + if in.NativeNftables != nil { + in, out := &in.NativeNftables, &out.NativeNftables + *out = new(bool) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CNIGlobalConfig. @@ -848,6 +885,16 @@ func (in *GlobalConfig) DeepCopyInto(out *GlobalConfig) { *out = new(string) **out = **in } + if in.NativeNftables != nil { + in, out := &in.NativeNftables, &out.NativeNftables + *out = new(bool) + **out = **in + } + if in.NetworkPolicy != nil { + in, out := &in.NetworkPolicy, &out.NetworkPolicy + *out = new(NetworkPolicyConfig) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GlobalConfig. @@ -1473,6 +1520,11 @@ func (in *IstiodRemoteConfig) DeepCopyInto(out *IstiodRemoteConfig) { *out = new(bool) **out = **in } + if in.EnabledLocalInjectorIstiod != nil { + in, out := &in.EnabledLocalInjectorIstiod, &out.EnabledLocalInjectorIstiod + *out = new(bool) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IstiodRemoteConfig. @@ -1771,6 +1823,17 @@ func (in *MeshConfig) DeepCopyInto(out *MeshConfig) { } } } + if in.ServiceScopeConfigs != nil { + in, out := &in.ServiceScopeConfigs, &out.ServiceScopeConfigs + *out = make([]*MeshConfigServiceScopeConfigs, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(MeshConfigServiceScopeConfigs) + (*in).DeepCopyInto(*out) + } + } + } if in.EnablePrometheusMerge != nil { in, out := &in.EnablePrometheusMerge, &out.EnablePrometheusMerge *out = new(bool) @@ -2023,6 +2086,11 @@ func (in *MeshConfigExtensionProvider) DeepCopyInto(out *MeshConfigExtensionProv *out = new(MeshConfigExtensionProviderEnvoyOpenTelemetryLogProvider) (*in).DeepCopyInto(*out) } + if in.Sds != nil { + in, out := &in.Sds, &out.Sds + *out = new(MeshConfigExtensionProviderSDSProvider) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MeshConfigExtensionProvider. @@ -2788,6 +2856,36 @@ func (in *MeshConfigExtensionProviderResourceDetectorsEnvironmentResourceDetecto return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *MeshConfigExtensionProviderSDSProvider) DeepCopyInto(out *MeshConfigExtensionProviderSDSProvider) { + *out = *in + if in.Name != nil { + in, out := &in.Name, &out.Name + *out = new(string) + **out = **in + } + if in.Service != nil { + in, out := &in.Service, &out.Service + *out = new(string) + **out = **in + } + if in.Port != nil { + in, out := &in.Port, &out.Port + *out = new(uint32) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MeshConfigExtensionProviderSDSProvider. +func (in *MeshConfigExtensionProviderSDSProvider) DeepCopy() *MeshConfigExtensionProviderSDSProvider { + if in == nil { + return nil + } + out := new(MeshConfigExtensionProviderSDSProvider) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *MeshConfigExtensionProviderSkyWalkingTracingProvider) DeepCopyInto(out *MeshConfigExtensionProviderSkyWalkingTracingProvider) { *out = *in @@ -3154,6 +3252,31 @@ func (in *MeshConfigProxyPathNormalization) DeepCopy() *MeshConfigProxyPathNorma return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *MeshConfigServiceScopeConfigs) DeepCopyInto(out *MeshConfigServiceScopeConfigs) { + *out = *in + if in.NamespaceSelector != nil { + in, out := &in.NamespaceSelector, &out.NamespaceSelector + *out = new(metav1.LabelSelector) + (*in).DeepCopyInto(*out) + } + if in.ServicesSelector != nil { + in, out := &in.ServicesSelector, &out.ServicesSelector + *out = new(metav1.LabelSelector) + (*in).DeepCopyInto(*out) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MeshConfigServiceScopeConfigs. +func (in *MeshConfigServiceScopeConfigs) DeepCopy() *MeshConfigServiceScopeConfigs { + if in == nil { + return nil + } + out := new(MeshConfigServiceScopeConfigs) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *MeshConfigServiceSettings) DeepCopyInto(out *MeshConfigServiceSettings) { *out = *in @@ -3387,6 +3510,26 @@ func (in *NetworkNetworkEndpoints) DeepCopy() *NetworkNetworkEndpoints { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *NetworkPolicyConfig) DeepCopyInto(out *NetworkPolicyConfig) { + *out = *in + if in.Enabled != nil { + in, out := &in.Enabled, &out.Enabled + *out = new(bool) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkPolicyConfig. +func (in *NetworkPolicyConfig) DeepCopy() *NetworkPolicyConfig { + if in == nil { + return nil + } + out := new(NetworkPolicyConfig) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *OutboundTrafficPolicyConfig) DeepCopyInto(out *OutboundTrafficPolicyConfig) { *out = *in @@ -3624,7 +3767,7 @@ func (in *PilotConfig) DeepCopyInto(out *PilotConfig) { } if in.EnvVarFrom != nil { in, out := &in.EnvVarFrom, &out.EnvVarFrom - *out = make([]corev1.EnvFromSource, len(*in)) + *out = make([]corev1.EnvVar, len(*in)) for i := range *in { (*in)[i].DeepCopyInto(&(*out)[i]) } @@ -4019,6 +4162,16 @@ func (in *ProxyConfigProxyHeaders) DeepCopyInto(out *ProxyConfigProxyHeaders) { *out = new(bool) **out = **in } + if in.XForwardedHost != nil { + in, out := &in.XForwardedHost, &out.XForwardedHost + *out = new(ProxyConfigProxyHeadersXForwardedHost) + (*in).DeepCopyInto(*out) + } + if in.XForwardedPort != nil { + in, out := &in.XForwardedPort, &out.XForwardedPort + *out = new(ProxyConfigProxyHeadersXForwardedPort) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProxyConfigProxyHeaders. @@ -4171,6 +4324,46 @@ func (in *ProxyConfigProxyHeadersSetCurrentClientCertDetails) DeepCopy() *ProxyC return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ProxyConfigProxyHeadersXForwardedHost) DeepCopyInto(out *ProxyConfigProxyHeadersXForwardedHost) { + *out = *in + if in.Enabled != nil { + in, out := &in.Enabled, &out.Enabled + *out = new(bool) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProxyConfigProxyHeadersXForwardedHost. +func (in *ProxyConfigProxyHeadersXForwardedHost) DeepCopy() *ProxyConfigProxyHeadersXForwardedHost { + if in == nil { + return nil + } + out := new(ProxyConfigProxyHeadersXForwardedHost) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ProxyConfigProxyHeadersXForwardedPort) DeepCopyInto(out *ProxyConfigProxyHeadersXForwardedPort) { + *out = *in + if in.Enabled != nil { + in, out := &in.Enabled, &out.Enabled + *out = new(bool) + **out = **in + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProxyConfigProxyHeadersXForwardedPort. +func (in *ProxyConfigProxyHeadersXForwardedPort) DeepCopy() *ProxyConfigProxyHeadersXForwardedPort { + if in == nil { + return nil + } + out := new(ProxyConfigProxyHeadersXForwardedPort) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ProxyConfigProxyStatsMatcher) DeepCopyInto(out *ProxyConfigProxyStatsMatcher) { *out = *in @@ -5289,6 +5482,49 @@ func (in *WorkloadSelector) DeepCopy() *WorkloadSelector { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ZTunnel) DeepCopyInto(out *ZTunnel) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ZTunnel. +func (in *ZTunnel) DeepCopy() *ZTunnel { + if in == nil { + return nil + } + out := new(ZTunnel) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *ZTunnel) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ZTunnelCondition) DeepCopyInto(out *ZTunnelCondition) { + *out = *in + in.LastTransitionTime.DeepCopyInto(&out.LastTransitionTime) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ZTunnelCondition. +func (in *ZTunnelCondition) DeepCopy() *ZTunnelCondition { + if in == nil { + return nil + } + out := new(ZTunnelCondition) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ZTunnelConfig) DeepCopyInto(out *ZTunnelConfig) { *out = *in @@ -5312,6 +5548,16 @@ func (in *ZTunnelConfig) DeepCopyInto(out *ZTunnelConfig) { *out = new(string) **out = **in } + if in.Network != nil { + in, out := &in.Network, &out.Network + *out = new(string) + **out = **in + } + if in.Affinity != nil { + in, out := &in.Affinity, &out.Affinity + *out = new(corev1.Affinity) + (*in).DeepCopyInto(*out) + } if in.ResourceName != nil { in, out := &in.ResourceName, &out.ResourceName *out = new(string) @@ -5345,6 +5591,13 @@ func (in *ZTunnelConfig) DeepCopyInto(out *ZTunnelConfig) { (*in)[i].DeepCopyInto(&(*out)[i]) } } + if in.Tolerations != nil { + in, out := &in.Tolerations, &out.Tolerations + *out = make([]corev1.Toleration, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } if in.PodAnnotations != nil { in, out := &in.PodAnnotations, &out.PodAnnotations *out = make(map[string]string, len(*in)) @@ -5364,6 +5617,18 @@ func (in *ZTunnelConfig) DeepCopyInto(out *ZTunnelConfig) { *out = new(corev1.ResourceRequirements) (*in).DeepCopyInto(*out) } + if in.ResourceQuotas != nil { + in, out := &in.ResourceQuotas, &out.ResourceQuotas + *out = new(ResourceQuotas) + (*in).DeepCopyInto(*out) + } + if in.NodeSelector != nil { + in, out := &in.NodeSelector, &out.NodeSelector + *out = make(map[string]string, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } if in.ImagePullSecrets != nil { in, out := &in.ImagePullSecrets, &out.ImagePullSecrets *out = make([]string, len(*in)) @@ -5386,11 +5651,6 @@ func (in *ZTunnelConfig) DeepCopyInto(out *ZTunnelConfig) { *out = new(MultiClusterConfig) (*in).DeepCopyInto(*out) } - if in.MeshConfig != nil { - in, out := &in.MeshConfig, &out.MeshConfig - *out = new(MeshConfig) - (*in).DeepCopyInto(*out) - } if in.TerminationGracePeriodSeconds != nil { in, out := &in.TerminationGracePeriodSeconds, &out.TerminationGracePeriodSeconds *out = new(int64) @@ -5426,6 +5686,16 @@ func (in *ZTunnelConfig) DeepCopyInto(out *ZTunnelConfig) { *out = new(bool) **out = **in } + if in.SeLinuxOptions != nil { + in, out := &in.SeLinuxOptions, &out.SeLinuxOptions + *out = new(corev1.SELinuxOptions) + **out = **in + } + if in.UpdateStrategy != nil { + in, out := &in.UpdateStrategy, &out.UpdateStrategy + *out = new(appsv1.DaemonSetUpdateStrategy) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ZTunnelConfig. @@ -5498,6 +5768,80 @@ func (in *ZTunnelGlobalConfig) DeepCopy() *ZTunnelGlobalConfig { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ZTunnelList) DeepCopyInto(out *ZTunnelList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]ZTunnel, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ZTunnelList. +func (in *ZTunnelList) DeepCopy() *ZTunnelList { + if in == nil { + return nil + } + out := new(ZTunnelList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *ZTunnelList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ZTunnelSpec) DeepCopyInto(out *ZTunnelSpec) { + *out = *in + if in.Values != nil { + in, out := &in.Values, &out.Values + *out = new(ZTunnelValues) + (*in).DeepCopyInto(*out) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ZTunnelSpec. +func (in *ZTunnelSpec) DeepCopy() *ZTunnelSpec { + if in == nil { + return nil + } + out := new(ZTunnelSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ZTunnelStatus) DeepCopyInto(out *ZTunnelStatus) { + *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]ZTunnelCondition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ZTunnelStatus. +func (in *ZTunnelStatus) DeepCopy() *ZTunnelStatus { + if in == nil { + return nil + } + out := new(ZTunnelStatus) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ZTunnelValues) DeepCopyInto(out *ZTunnelValues) { *out = *in diff --git a/vendor/github.com/istio-ecosystem/sail-operator/bundle/README.md b/vendor/github.com/istio-ecosystem/sail-operator/bundle/README.md new file mode 100644 index 0000000000..36863319f5 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/bundle/README.md @@ -0,0 +1,211 @@ +# About the Sail Operator + +The Sail Operator is able to install and manage the lifecycle of the Istio +control plane in an OpenShift cluster. + + +## Prerequisites + +You have deployed a cluster on OpenShift Container Platform 4.13 or later. + +You are logged in to the OpenShift Container Platform web console as a user with +the `cluster-admin` role. + +You have access to the OpenShift CLI (oc). + + +## Installing the Sail Operator + +1. Navigate to the OperatorHub. + +1. Click **Operator** -> **Operator Hub**. + +1. Search for "sail". + +1. Locate the Sail Operator, and click to select it. + +1. When the prompt that discusses the community operator appears, click **Continue**. + +1. Verify the Sail Operator is version 0.1, and click **Install**. + +1. Use the default installation settings presented, and click **Install** to continue. + +1. Click **Operators** -> **Installed Operators** to verify that the Sail Operator +is installed. `Succeeded` should appear in the **Status** column. + + +## Deploying Istio + +To deploy Istio, you must create two resources: `Istio` and `IstioCNI`. The +`Istio` resource deploys and configures the Istio Control Plane, whereas the +`IstioCNI` resource deploys and configures the Istio CNI plugin. You should +create these resources in separate projects. + + +### Creating the istio-system and istio-cni Projects + +1. In the OpenShift Container Platform web console, click **Home** -> **Projects**. + +1. Click **Create Project**. + +1. At the prompt, you must enter a name for the project in the **Name** field. +For example, `istio-system`. The Operator deploys Istio to the project you +specify. The other fields provide supplementary information and are optional. + +1. Click **Create**. + +Repeat the process to create a project named `istio-cni`. + + +### Creating the Istio resource + +1. In the OpenShift Container Platform web console, click **Operators** -> **Installed Operators**. +1. Select the `istio-system` project from the **Namespace** drop-down menu. +1. Click the Sail Operator. +1. Click **Istio**. +1. Click **Create Istio**. +1. Click **Create**. This action deploys the Istio control plane. +1. When `State: Healthy` appears in the `Status` column, Istio is successfully deployed. + + +### Creating the IstioCNI resource + +1. In the OpenShift Container Platform web console, click **Operators** -> **Installed Operators**. +1. Click the Sail Operator. +1. Click **IstioCNI**. +1. Click **Create IstioCNI**. +1. Ensure that the name is `default`. +1. Select the `istio-cni` project from the **Namespace** drop-down menu. +1. Click **Create**. This action deploys the Istio CNI plugin. +1. When `State: Healthy` appears in the `Status` column, the Istio CNI plugin is successfully deployed. + + +### Selecting the Istio and IstioCNI versions + +The `version` field of the `Istio` and `IstioCNI` resource defines which version +of each component should be deployed. This can be set using the `Istio Version` +drop down menu when creating a new `Istio` with the OpenShift Container Platform +web console. For a list of available versions, see the [versions.yaml](../pkg/istioversion/versions.yaml) file +or use the command: + +```sh +kubectl explain istio.spec.version +``` + +### Customizing Istio configuration + +The `spec.values` field of the `Istio` and `IstioCNI` resource can be used to +customize Istio and Istio CNI plugin configuration using Istio's `Helm` +configuration values. When you create this resource using the OpenShift +Container Platform web console, it is pre-populated with configuration settings +to enable Istio to run on OpenShift. + +To view or modify the `Istio` resource from the OpenShift Container Platform web console: + +1. Click **Operators** -> **Installed Operators**. +1. Click **Istio** in the **Provided APIs** column. +1. Click `Istio` instance, "istio-sample" by default, in the **Name** column. +1. Click **YAML** to view the `Istio` configuration and make modifications. + +An example configuration: + +``` +apiVersion: sailoperator.io/v1 +kind: Istio +metadata: + name: example +spec: + version: v1.20.0 + values: + global: + mtls: + enabled: true + trustDomainAliases: + - example.net + meshConfig: + trustDomain: example.com + trustDomainAliases: + - example.net +``` + +For a list of available configuration for the `spec.values` field, run the +following command: + +```sh +kubectl explain istio.spec.values +``` + +For the `IstioCNI` resource, replace `istio` with `istiocni` in the command above. + +Alternatively, refer to [Istio's artifacthub chart documentation](https://artifacthub.io/packages/search?org=istio&sort=relevance&page=1) for: + +- [Base parameters](https://artifacthub.io/packages/helm/istio-official/base?modal=values) +- [Istiod parameters](https://artifacthub.io/packages/helm/istio-official/istiod?modal=values) +- [Gateway parameters](https://artifacthub.io/packages/helm/istio-official/gateway?modal=values) +- [CNI parameters](https://artifacthub.io/packages/helm/istio-official/cni?modal=values) +- [ZTunnel parameters](https://artifacthub.io/packages/helm/istio-official/ztunnel?modal=values) + + +## Installing the istioctl tool + +The `istioctl` tool is a configuration command line utility that allows service +operators to debug and diagnose Istio service mesh deployments. + +For installation steps, refer to the following [link](../docs/common/install-istioctl-tool.md). + +## Installing the Bookinfo Application + +You can use the `bookinfo` example application to explore service mesh features. +Using the `bookinfo` application, you can easily confirm that requests from a +web browser pass through the mesh and reach the application. + +For installation steps, refer to the following [link](../docs/common/install-bookinfo-app.md). + + +## Creating and Configuring Gateways + +The Sail Operator does not deploy Ingress or Egress Gateways. Gateways are not +part of the control plane. As a security best-practice, Ingress and Egress +Gateways should be deployed in a different namespace than the namespace that +contains the control plane. + +You can deploy gateways using either the Gateway API or Gateway Injection methods. + +For installation steps, refer to the following [link](../docs/common/create-and-configure-gateways.md). + + +## Istio Addons Integrations + +Istio can be integrated with other software to provide additional functionality +(More information can be found in: https://istio.io/latest/docs/ops/integrations/). +The following addons are for demonstration or development purposes only and +should not be used in production environments: + +For installation steps, refer to the following [link](../docs/common/istio-addons-integrations.md). + + +## Undeploying Istio and the Sail Operator + +### Deleting Istio +1. In the OpenShift Container Platform web console, click **Operators** -> **Installed Operators**. +1. Click **Istio** in the **Provided APIs** column. +1. Click the Options menu, and select **Delete Istio**. +1. At the prompt to confirm the action, click **Delete**. + +### Deleting IstioCNI +1. In the OpenShift Container Platform web console, click **Operators** -> **Installed Operators**. +1. Click **IstioCNI** in the **Provided APIs** column. +1. Click the Options menu, and select **Delete IstioCNI**. +1. At the prompt to confirm the action, click **Delete**. + +### Deleting the Sail Operator +1. In the OpenShift Container Platform web console, click **Operators** -> **Installed Operators**. +1. Locate the Sail Operator. Click the Options menu, and select **Uninstall Operator**. +1. At the prompt to confirm the action, click **Uninstall**. + +### Deleting the Projects +1. In the OpenShift Container Platform web console, click **Home** -> **Projects**. +1. Locate the name of the project and click the Options menu. +1. Click **Delete Project**. +1. At the prompt to confirm the action, enter the name of the project. +1. Click **Delete**. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/bundle/bundle.go b/vendor/github.com/istio-ecosystem/sail-operator/bundle/bundle.go new file mode 100644 index 0000000000..76e9080615 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/bundle/bundle.go @@ -0,0 +1,20 @@ +// Copyright Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package bundle + +import _ "embed" + +//go:embed manifests/servicemeshoperator3.clusterserviceversion.yaml +var CSV []byte diff --git a/vendor/github.com/istio-ecosystem/sail-operator/bundle/manifests/servicemeshoperator3.clusterserviceversion.yaml b/vendor/github.com/istio-ecosystem/sail-operator/bundle/manifests/servicemeshoperator3.clusterserviceversion.yaml new file mode 100644 index 0000000000..7748119e0c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/bundle/manifests/servicemeshoperator3.clusterserviceversion.yaml @@ -0,0 +1,891 @@ +apiVersion: operators.coreos.com/v1alpha1 +kind: ClusterServiceVersion +metadata: + annotations: + alm-examples: |- + [ + { + "apiVersion": "sailoperator.io/v1", + "kind": "Istio", + "metadata": { + "name": "default" + }, + "spec": { + "namespace": "istio-system", + "updateStrategy": { + "inactiveRevisionDeletionGracePeriodSeconds": 30, + "type": "InPlace" + }, + "version": "v1.28.5" + } + }, + { + "apiVersion": "sailoperator.io/v1", + "kind": "IstioCNI", + "metadata": { + "name": "default" + }, + "spec": { + "namespace": "istio-cni", + "version": "v1.28.5" + } + }, + { + "apiVersion": "sailoperator.io/v1", + "kind": "ZTunnel", + "metadata": { + "name": "default" + }, + "spec": { + "namespace": "ztunnel", + "version": "v1.27.3" + } + } + ] + capabilities: Seamless Upgrades + categories: OpenShift Optional, Integration & Delivery, Networking, Security + containerImage: ${OSSM_OPERATOR_3_3} + createdAt: "2026-03-27T14:02:42Z" + description: The OpenShift Service Mesh Operator enables you to install, configure, and manage an instance of Red Hat OpenShift Service Mesh. OpenShift Service Mesh is based on the open source Istio project. + features.operators.openshift.io/cnf: "false" + features.operators.openshift.io/cni: "true" + features.operators.openshift.io/csi: "false" + features.operators.openshift.io/disconnected: "true" + features.operators.openshift.io/fips-compliant: "true" + features.operators.openshift.io/proxy-aware: "false" + features.operators.openshift.io/tls-profiles: "false" + features.operators.openshift.io/token-auth-aws: "false" + features.operators.openshift.io/token-auth-azure: "false" + features.operators.openshift.io/token-auth-gcp: "false" + operators.openshift.io/valid-subscription: '["OpenShift Container Platform", "OpenShift Platform Plus"]' + operators.operatorframework.io/builder: operator-sdk-v1.41.1 + operators.operatorframework.io/internal-objects: '["wasmplugins.extensions.istio.io","destinationrules.networking.istio.io","envoyfilters.networking.istio.io","gateways.networking.istio.io","proxyconfigs.networking.istio.io","serviceentries.networking.istio.io","sidecars.networking.istio.io","virtualservices.networking.istio.io","workloadentries.networking.istio.io","workloadgroups.networking.istio.io","authorizationpolicies.security.istio.io","peerauthentications.security.istio.io","requestauthentications.security.istio.io","telemetries.telemetry.istio.io"]' + operators.operatorframework.io/project_layout: go.kubebuilder.io/v4 + repository: https://github.com/istio-ecosystem/sail-operator + support: Red Hat, Inc. + labels: + operatorframework.io/arch.amd64: supported + operatorframework.io/arch.arm64: supported + operatorframework.io/arch.ppc64le: supported + operatorframework.io/arch.s390x: supported + name: servicemeshoperator3.v3.3.1 + namespace: placeholder +spec: + apiservicedefinitions: {} + customresourcedefinitions: + owned: + - kind: WasmPlugin + name: wasmplugins.extensions.istio.io + version: v1alpha1 + - kind: DestinationRule + name: destinationrules.networking.istio.io + version: v1 + - kind: DestinationRule + name: destinationrules.networking.istio.io + version: v1alpha3 + - kind: DestinationRule + name: destinationrules.networking.istio.io + version: v1beta1 + - kind: EnvoyFilter + name: envoyfilters.networking.istio.io + version: v1alpha3 + - kind: Gateway + name: gateways.networking.istio.io + version: v1 + - kind: Gateway + name: gateways.networking.istio.io + version: v1alpha3 + - kind: Gateway + name: gateways.networking.istio.io + version: v1beta1 + - kind: ProxyConfig + name: proxyconfigs.networking.istio.io + version: v1beta1 + - kind: ServiceEntry + name: serviceentries.networking.istio.io + version: v1 + - kind: ServiceEntry + name: serviceentries.networking.istio.io + version: v1alpha3 + - kind: ServiceEntry + name: serviceentries.networking.istio.io + version: v1beta1 + - kind: Sidecar + name: sidecars.networking.istio.io + version: v1 + - kind: Sidecar + name: sidecars.networking.istio.io + version: v1alpha3 + - kind: Sidecar + name: sidecars.networking.istio.io + version: v1beta1 + - kind: VirtualService + name: virtualservices.networking.istio.io + version: v1 + - kind: VirtualService + name: virtualservices.networking.istio.io + version: v1alpha3 + - kind: VirtualService + name: virtualservices.networking.istio.io + version: v1beta1 + - kind: WorkloadEntry + name: workloadentries.networking.istio.io + version: v1 + - kind: WorkloadEntry + name: workloadentries.networking.istio.io + version: v1alpha3 + - kind: WorkloadEntry + name: workloadentries.networking.istio.io + version: v1beta1 + - kind: WorkloadGroup + name: workloadgroups.networking.istio.io + version: v1 + - kind: WorkloadGroup + name: workloadgroups.networking.istio.io + version: v1alpha3 + - kind: WorkloadGroup + name: workloadgroups.networking.istio.io + version: v1beta1 + - kind: ZTunnel + name: ztunnels.sailoperator.io + version: v1alpha1 + - kind: AuthorizationPolicy + name: authorizationpolicies.security.istio.io + version: v1 + - kind: AuthorizationPolicy + name: authorizationpolicies.security.istio.io + version: v1beta1 + - kind: PeerAuthentication + name: peerauthentications.security.istio.io + version: v1 + - kind: PeerAuthentication + name: peerauthentications.security.istio.io + version: v1beta1 + - kind: RequestAuthentication + name: requestauthentications.security.istio.io + version: v1 + - kind: RequestAuthentication + name: requestauthentications.security.istio.io + version: v1beta1 + - kind: Telemetry + name: telemetries.telemetry.istio.io + version: v1 + - kind: Telemetry + name: telemetries.telemetry.istio.io + version: v1alpha1 + - description: IstioCNI represents a deployment of the Istio CNI component. + displayName: Istio CNI + kind: IstioCNI + name: istiocnis.sailoperator.io + specDescriptors: + - description: |- + Defines the version of Istio to install. + Must be one of: v1.28-latest, v1.28.5, v1.28.4, v1.27-latest, v1.27.8, v1.27.5, v1.27.3, v1.26-latest, v1.26.8, v1.26.6, v1.26.4, v1.26.3, v1.26.2. + displayName: Istio Version + path: version + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:fieldGroup:General + - urn:alm:descriptor:com.tectonic.ui:select:v1.28-latest + - urn:alm:descriptor:com.tectonic.ui:select:v1.28.5 + - urn:alm:descriptor:com.tectonic.ui:select:v1.28.4 + - urn:alm:descriptor:com.tectonic.ui:select:v1.27-latest + - urn:alm:descriptor:com.tectonic.ui:select:v1.27.8 + - urn:alm:descriptor:com.tectonic.ui:select:v1.27.5 + - urn:alm:descriptor:com.tectonic.ui:select:v1.27.3 + - urn:alm:descriptor:com.tectonic.ui:select:v1.26-latest + - urn:alm:descriptor:com.tectonic.ui:select:v1.26.8 + - urn:alm:descriptor:com.tectonic.ui:select:v1.26.6 + - urn:alm:descriptor:com.tectonic.ui:select:v1.26.4 + - urn:alm:descriptor:com.tectonic.ui:select:v1.26.3 + - urn:alm:descriptor:com.tectonic.ui:select:v1.26.2 + - description: Namespace to which the Istio CNI component should be installed. Note that this field is immutable. + displayName: Namespace + path: namespace + x-descriptors: + - urn:alm:descriptor:io.kubernetes:Namespace + - description: |- + The built-in installation configuration profile to use. + The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'. + Must be one of: ambient, default, demo, empty, openshift, openshift-ambient, preview, remote, stable. + displayName: Profile + path: profile + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:fieldGroup:General + - urn:alm:descriptor:com.tectonic.ui:select:ambient + - urn:alm:descriptor:com.tectonic.ui:select:default + - urn:alm:descriptor:com.tectonic.ui:select:demo + - urn:alm:descriptor:com.tectonic.ui:select:empty + - urn:alm:descriptor:com.tectonic.ui:select:openshift + - urn:alm:descriptor:com.tectonic.ui:select:openshift-ambient + - urn:alm:descriptor:com.tectonic.ui:select:preview + - urn:alm:descriptor:com.tectonic.ui:select:remote + - urn:alm:descriptor:com.tectonic.ui:select:stable + - description: Defines the values to be passed to the Helm charts when installing Istio CNI. + displayName: Helm Values + path: values + version: v1 + - description: |- + IstioRevision represents a single revision of an Istio Service Mesh deployment. + Users shouldn't create IstioRevision objects directly. Instead, they should + create an Istio object and allow the operator to create the underlying + IstioRevision object(s). + displayName: Istio Revision + kind: IstioRevision + name: istiorevisions.sailoperator.io + specDescriptors: + - description: |- + Defines the version of Istio to install. + Must be one of: v1.28.5, v1.28.4, v1.27.8, v1.27.5, v1.27.3, v1.26.8, v1.26.6, v1.26.4, v1.26.3, v1.26.2. + displayName: Istio Version + path: version + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:fieldGroup:General + - urn:alm:descriptor:com.tectonic.ui:select:v1.28.5 + - urn:alm:descriptor:com.tectonic.ui:select:v1.28.4 + - urn:alm:descriptor:com.tectonic.ui:select:v1.27.8 + - urn:alm:descriptor:com.tectonic.ui:select:v1.27.5 + - urn:alm:descriptor:com.tectonic.ui:select:v1.27.3 + - urn:alm:descriptor:com.tectonic.ui:select:v1.26.8 + - urn:alm:descriptor:com.tectonic.ui:select:v1.26.6 + - urn:alm:descriptor:com.tectonic.ui:select:v1.26.4 + - urn:alm:descriptor:com.tectonic.ui:select:v1.26.3 + - urn:alm:descriptor:com.tectonic.ui:select:v1.26.2 + - description: Namespace to which the Istio components should be installed. + displayName: Namespace + path: namespace + x-descriptors: + - urn:alm:descriptor:io.kubernetes:Namespace + - description: Defines the values to be passed to the Helm charts when installing Istio. + displayName: Helm Values + path: values + version: v1 + - description: IstioRevisionTag references an Istio or IstioRevision object and serves as an alias for sidecar injection. It can be used to manage stable revision tags without having to use istioctl or helm directly. See https://istio.io/latest/docs/setup/upgrade/canary/#stable-revision-labels for more information on the concept. + displayName: Istio Revision Tag + kind: IstioRevisionTag + name: istiorevisiontags.sailoperator.io + version: v1 + - description: |- + Istio represents an Istio Service Mesh deployment consisting of one or more + control plane instances (represented by one or more IstioRevision objects). + To deploy an Istio Service Mesh, a user creates an Istio object with the + desired Istio version and configuration. The operator then creates + an IstioRevision object, which in turn creates the underlying Deployment + objects for istiod and other control plane components, similar to how a + Deployment object in Kubernetes creates ReplicaSets that create the Pods. + displayName: Istio + kind: Istio + name: istios.sailoperator.io + specDescriptors: + - description: "Type of strategy to use. Can be \"InPlace\" or \"RevisionBased\". When the \"InPlace\" strategy\nis used, the existing Istio control plane is updated in-place. The workloads therefore\ndon't need to be moved from one control plane instance to another. When the \"RevisionBased\"\nstrategy is used, a new Istio control plane instance is created for every change to the\nIstio.spec.version field. The old control plane remains in place until all workloads have\nbeen moved to the new control plane instance.\n\nThe \"InPlace\" strategy is the default.\tTODO: change default to \"RevisionBased\"" + displayName: Type + path: updateStrategy.type + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:select:InPlace + - urn:alm:descriptor:com.tectonic.ui:select:RevisionBased + - description: |- + Defines the version of Istio to install. + Must be one of: v1.28-latest, v1.28.5, v1.28.4, v1.27-latest, v1.27.8, v1.27.5, v1.27.3, v1.26-latest, v1.26.8, v1.26.6, v1.26.4, v1.26.3, v1.26.2. + displayName: Istio Version + path: version + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:fieldGroup:General + - urn:alm:descriptor:com.tectonic.ui:select:v1.28-latest + - urn:alm:descriptor:com.tectonic.ui:select:v1.28.5 + - urn:alm:descriptor:com.tectonic.ui:select:v1.28.4 + - urn:alm:descriptor:com.tectonic.ui:select:v1.27-latest + - urn:alm:descriptor:com.tectonic.ui:select:v1.27.8 + - urn:alm:descriptor:com.tectonic.ui:select:v1.27.5 + - urn:alm:descriptor:com.tectonic.ui:select:v1.27.3 + - urn:alm:descriptor:com.tectonic.ui:select:v1.26-latest + - urn:alm:descriptor:com.tectonic.ui:select:v1.26.8 + - urn:alm:descriptor:com.tectonic.ui:select:v1.26.6 + - urn:alm:descriptor:com.tectonic.ui:select:v1.26.4 + - urn:alm:descriptor:com.tectonic.ui:select:v1.26.3 + - urn:alm:descriptor:com.tectonic.ui:select:v1.26.2 + - description: |- + Defines how many seconds the operator should wait before removing a non-active revision after all + the workloads have stopped using it. You may want to set this value on the order of minutes. + The minimum is 0 and the default value is 30. + displayName: Inactive Revision Deletion Grace Period (seconds) + path: updateStrategy.inactiveRevisionDeletionGracePeriodSeconds + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:number + - description: |- + Defines whether the workloads should be moved from one control plane instance to another + automatically. If updateWorkloads is true, the operator moves the workloads from the old + control plane instance to the new one after the new control plane is ready. + If updateWorkloads is false, the user must move the workloads manually by updating the + istio.io/rev labels on the namespace and/or the pods. + Defaults to false. + displayName: Update Workloads Automatically + path: updateStrategy.updateWorkloads + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:booleanSwitch + - description: Namespace to which the Istio components should be installed. Note that this field is immutable. + displayName: Namespace + path: namespace + x-descriptors: + - urn:alm:descriptor:io.kubernetes:Namespace + - description: |- + The built-in installation configuration profile to use. + The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'. + Must be one of: ambient, default, demo, empty, openshift, openshift-ambient, preview, remote, stable. + displayName: Profile + path: profile + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:fieldGroup:General + - urn:alm:descriptor:com.tectonic.ui:select:ambient + - urn:alm:descriptor:com.tectonic.ui:select:default + - urn:alm:descriptor:com.tectonic.ui:select:demo + - urn:alm:descriptor:com.tectonic.ui:select:empty + - urn:alm:descriptor:com.tectonic.ui:select:openshift + - urn:alm:descriptor:com.tectonic.ui:select:openshift-ambient + - urn:alm:descriptor:com.tectonic.ui:select:preview + - urn:alm:descriptor:com.tectonic.ui:select:remote + - urn:alm:descriptor:com.tectonic.ui:select:stable + - description: Defines the update strategy to use when the version in the Istio CR is updated. + displayName: Update Strategy + path: updateStrategy + - description: Defines the values to be passed to the Helm charts when installing Istio. + displayName: Helm Values + path: values + version: v1 + - description: ZTunnel represents a deployment of the Istio ztunnel component. + displayName: ZTunnel + kind: ZTunnel + name: ztunnels.sailoperator.io + specDescriptors: + - description: |- + Defines the version of Istio to install. + Must be one of: v1.28-latest, v1.28.5, v1.28.4, v1.27-latest, v1.27.8, v1.27.5, v1.27.3, v1.26-latest, v1.26.8, v1.26.6, v1.26.4, v1.26.3, v1.26.2. + displayName: Istio Version + path: version + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:fieldGroup:General + - urn:alm:descriptor:com.tectonic.ui:select:v1.28-latest + - urn:alm:descriptor:com.tectonic.ui:select:v1.28.5 + - urn:alm:descriptor:com.tectonic.ui:select:v1.28.4 + - urn:alm:descriptor:com.tectonic.ui:select:v1.27-latest + - urn:alm:descriptor:com.tectonic.ui:select:v1.27.8 + - urn:alm:descriptor:com.tectonic.ui:select:v1.27.5 + - urn:alm:descriptor:com.tectonic.ui:select:v1.27.3 + - urn:alm:descriptor:com.tectonic.ui:select:v1.26-latest + - urn:alm:descriptor:com.tectonic.ui:select:v1.26.8 + - urn:alm:descriptor:com.tectonic.ui:select:v1.26.6 + - urn:alm:descriptor:com.tectonic.ui:select:v1.26.4 + - urn:alm:descriptor:com.tectonic.ui:select:v1.26.3 + - urn:alm:descriptor:com.tectonic.ui:select:v1.26.2 + - description: Namespace to which the Istio ztunnel component should be installed. + displayName: Namespace + path: namespace + x-descriptors: + - urn:alm:descriptor:io.kubernetes:Namespace + - description: Defines the values to be passed to the Helm charts when installing Istio ztunnel. + displayName: Helm Values + path: values + version: v1 + description: |- + Red Hat OpenShift Service Mesh is a platform that provides behavioral insight and operational control over a service mesh, providing a uniform way to connect, secure, and monitor microservice applications. + + ### Overview + + Red Hat OpenShift Service Mesh, based on the open source [Istio](https://istio.io/) project, adds a transparent layer on existing + distributed applications without requiring any changes to the service code. You add Red Hat OpenShift Service Mesh + support to services by deploying a special sidecar proxy throughout your environment that intercepts all network + communication between microservices. You configure and manage the service mesh using the control plane features. + + Red Hat OpenShift Service Mesh provides an easy way to create a network of deployed services that provides discovery, + load balancing, service-to-service authentication, failure recovery, metrics, and monitoring. A service mesh also + provides more complex operational functionality, including A/B testing, canary releases, rate limiting, access + control, and end-to-end authentication. + + ### Core Capabilities + + Red Hat OpenShift Service Mesh supports uniform application of a number of key capabilities across a network of services: + + + **Traffic Management** - Control the flow of traffic and API calls between services, make calls more reliable, + and make the network more robust in the face of adverse conditions. + + + **Service Identity and Security** - Provide services in the mesh with a verifiable identity and provide the + ability to protect service traffic as it flows over networks of varying degrees of trustworthiness. + + + **Policy Enforcement** - Apply organizational policy to the interaction between services, ensure access policies + are enforced and resources are fairly distributed among consumers. Policy changes are made by configuring the + mesh, not by changing application code. + + + **Telemetry** - Gain understanding of the dependencies between services and the nature and flow of traffic between + them, providing the ability to quickly identify issues. + + ### More Information + + * [Documentation](https://docs.redhat.com/en/documentation/red_hat_openshift_service_mesh/latest/html/about/ossm-about-openshift-service-mesh) + * [Bugs](https://issues.redhat.com/projects/OSSM) + displayName: Red Hat OpenShift Service Mesh 3 + icon: + - base64data: iVBORw0KGgoAAAANSUhEUgAAAXwAAAF8CAYAAADM5wDKAAAACXBIWXMAAG66AABuugHW3rEXAAAgAElEQVR4nO3dW2xj130u8I+b3FskRYmUFXs8qRtxkAJBARekgaIIkGlJvxQF+jA0+uDjAAekgD40Jw3MeSh6SYHRAO1Jgz6Ig9SnfQgg8hwgPnnoGfqhQNsXU6fOQRAUMAc1UARIICp1Mx57JJISxfvlPFBU5LEu3GuvfeX3AwwjE+2L7c1Pi///2mv5JpMJiIjI+xS7b4CIiKzBwCciWhAMfCKiBcHAJyJaEAx8IqIFwcAnIloQDHwiogXBwCciWhABu2+APiNt9w0QSVQ7/YscgIFvknq9fnsymfz6eDxOTSaTtdFo9KXJZBIEgH6/H7P7/ojspmlaAwB8Pl/X7/f/2Ofz1RVF2fX5fP+6trb2nt3350U+Lq1g3OHhYX48HqfG4/GvDYfDzw8Gg5Dd90TkdqqqdgKBwM8VRfk3RVF2n3vuuYLd9+R2DHydGo3Gxng8/oPhcPg7w+HwSwx3Iuuc/hL4cSAQ+EdFUf4uFovt231PbsLAn0O9Xn99OBx+bTAY/AYDnsg5VFXtqKr6o0Ag8Ldra2vft/t+nI6Bf4l6vf76YDD4k36///JoNGKvg8jh/H7/UNO0D1RV/SuG/8UY+OfU6/Xbw+HwL3q93lcY8kTu5ff7h0tLSz8IBAJ/zgbwLzDwARwcHHy33+//HmfPEHmPpmkNTdP+fn19/fftvhe7LWzgNxqNjcFgUOJonmgxzEb9qqpmF7XZu3CBX6/Xbw8Gg+/0er3EeDz22X0/RGQtRVEmS0tLj1RV/cailXsWJvBPg77Y6XS+aPe9EJEzhEKhn6qqmluU4Pd84M9KN+12O2X3vRCRM4XD4d1FKPV4OvCfPn36sNPp3GHphoiuoyjKJBQKvfO5z33uNbvvxSyeDPzDw8N8u93+a6c2YxVFgaZpF/5/S0tLFt8NkXl6vd6Ff97v9zEejy2+m/n4/f5hOBz+Iy8u5eCpwG80GhvdbveHvV7vRbvvRdM0BAIBqKoKTdPOQl5RuCI10cx4PD4L/36/j8FggOFwiH6/b/etYWlp6aNgMPhlL5V5PBP4dpZvAoEAgsHgWbgHg0Grb4HIc7rd7tkvgW63i+FwaPk9eK3M4/rAbzQaG51Op2r1S1PhcBhLS0sIh8MIBBxZOSLylOFwiHa7jV6vh3a7bem1NU1rhEKhpNtH+64O/MPDw2+dnJz8sRWjekVREA6HEQqFEA6Hzb4cEV2j3W6j0+mg3W5b0g9QFGWyvLz87eeee+5PTb+YSVwZ+I1GY6Pf75c7nU7S7GvNQj4SiZh9KSIS1Gq1zsLfbKFQqKppWsaNo33XBX69Xr/d6XT+2cxlihVFwcrKCiKRCMs1RC4yHA7RarVwfHxs6qhfVdVOKBT6bbe9sOWqwDe7hBMIBBCNRjmaJ/KAVquFZrNpWrPXjSUe1wT+06dPH56cnGTMOHcwGMTKygpr80Qe1G63cXx8jG63a8r5l5eXy26ZxeOKwP/4449/YsYaOIFAAOvr65xGSbQAut0uDg4OTBnxh0Khn77wwgu/Iv3Ekjk68M2acqkoCtbW1li6IVpArVYL9Xpdeo3fDVM3HRv4jUZjo91u/7vs5mw0GsXq6irfeCVaYOPxGEdHR2g2m1LPq6pqJxwO/6pTQ9+RgW/GTJxgMIi1tbVL17AhosXT7/dRr9el1vedHPqOC/x6vf56q9V6W9ZMHEVRzkb1REQXmY32ZZV5FEWZRCKRN5y2mbqjAl922Guahueff55z6YnoWsPhEJ988om0hducGPqOCfxGo7FxfHy8Jyvso9EoYjHuSU5E+jQaDWm1fUVRJisrK7ecUt5xRODLbNAqioLnn3+eUy2JSFi328Unn3wipcTjpJq+7YEvM+w1TcONGzc4A4eIDBuPx3jy5ImUEo9TQt/2ZOx0OlUZYR+JRHDz5k2GPRFJoSgKbt68KeV9ncFgEOp0OlUJt2WIren48ccf/0TGS1XRaBTr6+sybomI6FPW19cRjUYNn6ff78c+/vjjn0i4JWG2Bf7pDlWGl0tYX19nc5aITBWLxaQMKjudzhefPn36UMItCbEl8E9XvTS0EJqiKFhfX+fyCERkiUgkgvX1dcNl45OTk8zh4eG3JN2WLpY3bev1+u1Wq/V/jUy/VBQFN27c4FuzRGS5fr+PJ0+eGJrBczpH/7esXk/f0sCXMSOHYU9EdpMR+nbM3LG0pNPv98sMeyJyOxlTwAeDQajf75cl3ta1LAv8w8PDbxndg5aLnxGRU2iahrW1NUPn6HQ6SSvr+ZaUdGQsm8AGLRE5UavVwsHBgfDxVi6/YMkIv9PpVI2EPfeZJSKnikQihubpj8djn1UvZZke+E+fPn1o5OWqSCTCefZE5GixWMzQoLTf78esmJ9vaknHaClH0zTcvHlT9m0REZni8ePHwmvvWFHaMXWE3+12fyga9rMZOUREbmFk5s54PPZ1u90fSr6lTzEt8A8PD/O9Xu9F0eOff/55LoRGRK4yW55dVK/Xe/Hw8DAv8ZY+xbSSzocffjgYjUZCW01x8xIicjMjm6j4/f7hSy+9pEq+JQAmjfCfPn36UDTsNU1j2BORq8ViMeF3hkajUcCsBq70Eb6RRu1s/WnuQUtEbjccDvH48WOh5RfMauBKH+EPBoOSaKM2Go0y7InIEwKBgPD8/PF47BsMBiXJtyQ38Ov1+u12u50SOTYYDGJ1dVXm7RAR2Wp1dVV4f+12u52q1+u3Zd6P1MAfDAZF0WONrklBRORERrLNSKZeRFrg1+v126I7WEWjUS6KRkSepGmacGmn0+l8UeYoX1rgDwaD7wjdgKKwlENEnra6uir8XpFotl5ESuA3Go2NXq+XEDl2bW2NL1gRkacpiiJc2un1eolGo7Eh5T5knER0Zk4gEOAqmES0ECKRiNAsRJkzdqQEfq/X+4rIcTJ2gScicgvRzBPN2GcZDvyDg4PvirxVGwwGhacrERG5kWjujUajwMHBwXeNXt9w4Pf7/d8TOW5lZcXopYmIXEc0+0Sz9jxDgV+v12+LbG4SCAQQDoeNXJqIyJXC4bBQLb/f78eMTtE0FPjD4fAvRI4zsh0YEZHbiWagaObOGAp8kUaCoiicmUNECy0SiQhNRzfavBUO/Hq9/rpIs5a1eyIisSwcjUaBer3+uug1hQN/MBj8ichxHN0TEYlnoWj2AgYCv9/vv6z3GNFmBRGR14hOXhHJ3rNrihwkWs4JhUIilyOSolKpXPjn6XTa0vsgmgmFQmi327qOmZV11tbWvq/3ekKBPxwOv6b3GDZryWq1Wg3lchnFYhGPHj268mcTiQRyuRwymQzi8bg1N0gLLxKJoF6v694V6zSDdQe+0BaHP//5z9uDwUDXcD0SiXApBbJEo9FAPp9HqSS2/Eg2m0WhUODeymSJg4MDtFotXceoqtr5/Oc/r7sepLuG32g0NvSGPcByDlmjWCwiHo8Lhz0AlEolxONxFItFeTdGdAmRbBwMBiGRFTR1B/54PP4DvccA4Ju1ZLpcLofNzU00m03D52o2m9jc3EQulzN+Y0RXEM1GkSzWHfjD4fB39B7DsCez5XI5Q6P6y5RKJYY+mU4kI0WyWCTwv6T3mKWlJb2HEM3NrLCfYeiT2UQyUiSLdQe+SP2eI3wyS7FYNDXsZ0qlEmv6ZBqRjBTJYl2Bf3h4mNd7gUAgwJetyBSz2ThWyefzaDQall2PFodoTurNZF2BPxqNMvpuB9zkhEyTz+elNGjn1Ww2Lf0FQ4tFJCvH43FKz8/rCvzJZPKSvtsBVFXVewjRtWq1miWlnGeVSiXUajXLr0veJ5KV4/H41/T8vK7AHw6Hn9d3O4CmaXoPIbpWuVxeyGuTd4lkpd5M1hX4Ik0ClnTIDHY2UNm8JTOIZKXeTJ57aYV6vX776OjoX/ScXNM03Lx5U88hRHPx+XxCx6VSqbPF0iqVCnZ3d4XOI7IkCdF1Hj9+jH6/r+uY1dXV31xbW3tvnp+duy08mUx+XdddAJydQ6a4bNXL69y7dw9bW1uf+rOtrS3cv39f6B64yibJFggEdAf+aTbPFfhzl3T0doMBNmzJOVKp1GfCHpgGfiql+9EmMoVg43buB3juwJ9MJmt6b4QNW3KKq0bjHKmTU4hkpp5snjvwR6OR/td4BTbpJSJaVCKZqSeb9YzwdbeQOcInp7iq7i/aEyCSTXCEP3c2mzoE5wifnGJ3d/fSGr7oTB0i2czOzLmnZe7v7+uah6YoCn75l39Z6KaIrsNpmeRV//Ef/6F7y8ONjY25PhCmzZtkOYfMlEgkrt2n9iK7u7uGR/SJRMLQ8URX0TQN3W7XlHOz5kKuZOf69Fwbn9yKgU+ulMnoXrjVE9cmMoKBT64Uj8eRzWYtv242m0U8Hrf8ukQymNa0DQaDuHHjhtBNEc2j0WggHo9btiZ+NBpFrVZDLBaz5Hq0mJ48eaK7hj9v03auEf7+/n5c19XBKZlkvlgshkKhYNn1CoUCw55cba5U3tjYqOk9MdfRISvkcjlk33jD9Otks1k2a8kSZmYnh+Hkev/jhRdgZuT/1698hWvgk2XMrI4w8MnVxrUaeg8e4C3AlNB/A8B3PvwQE25eTh7AwCdX65xbLuEtAH8DYFXCeVdPz/UWgPH+ProW9gqIzMLAJ9caViroP7OR+VcBPIKx0f4bp+f46rk/6xUKHOWT6zHwybXa+fyFfx7FdGReBfCXAF6e41wvn/5s9fTY6DP//6TZvPR6RG7BPQjJlTpbWxhds5bOFwB87fQv4PI94G7Pec1+qYSlXA4BbphCLsXAJ9cZ12roCdTU5w32q5zkcojWahLORGQ9lnTIdVqZDCYWvV37rPH+/qcaxURuwsAnV5mnlGO27v37GFWrtt4DkQgGPrnGsFJB9/59u28DwOm3DM7aIZdh4JMrTBoNtBy0LPF4f5+zdsh1GPjkCsfptG11+8v0SyX0ueQCuQgDnxzvJJezvW5/mXY+z3o+uQYDnxytnc9/5m1aJ5k0mzjJ5VjPJ1dg4JNj9YtF9B48sPs2rjV69MhR/QWiyzDwyZH6xSJONjcNnUO9c0fS3VxvuLuLE66XTw7HwCfHkRH2gVQKQYFZNMrGhvA1+6USX8oiR2Pgk6P0CgXDYe+LRhEpl4WODRcK8EWfXTptft379zlzhxyLgU+OcZLLoX33ruHzRMpl+AT3nvXFYsK/LGZONjcZ+uRIDHyy3aTRwHE6LWU2Tnh72/BqloF0GsF79wydg6FPTsTAJ1uNqlUcJZMY7u4aPpeWzWJJ0tuvoa0tBFIpQ+dg6JPTMPDJNr1CAUevvILx/r7hcwVSKSxLDtdIuWyoiQtMQ59LMJBTcD18B6hUKhf+edqjG22MazWc5HJSRvUA4E8kDNfdLzKr5xtd1qH34AEmjca0ISzYW3CTRXue3YSBb4NarYZyuYxisYhH1ywZkEgkkMvlkMlkEI/HrblBE/UKBXS2tqSti+NPJLBSqZgWpP5kEsvFIlqvvWboPP1SCaNqdfqtwQP/Hc9b5OfZbXyTyWSuH9zf35/vB09Fo1HEFmA0o0ej0UA+n0dJsDmZzWZRKBRc+e91WKlM152RuCbOdWE/rFRw/Oqrus658u67FzZ9ZbwbAPxiyqgXtklc5OfZTI1GA02dA6KNjQ3fPD/HGr5FisUi4vG48IcDAEqlEuLxOIouagSOazUcp9M4fvVVS8NeNi2Xg5bNGj7PpNnE8auvur6uv6jPs9sx8C2Qy+Wwubmp+7f2RZrNJjY3N5Fz+Gv8w0oFJ7kcmrduSavVz1gd9jPLxaKU0Aemdf2jZNKVK20u4vPsFQx8k+VyOUOjoMuUSiVHfkj6xeLZiN6MVS7tCvsZmaE/evQIR6+8Mu1puGS1zUV7nr2GgW8isz4cM075kIxrNbTzeTTjcZxsbkof0c9o2SxWq1XbZ7rIDH1guhzDUTKJgQkzjWRalOfZyxj4JikWi6Z+OGZKpZItNdBRtYrO1haOkkk0b91C78EDKfPpLxPe3pY+z94I2aE/3t9H67XXcJxOY3jJtEY7ef15XhScpWOCRqOBeDwupcY5j2g0ilqtZuq/73GthmGlgkGlgmGlYmq4n2dkVovMWTqXOcnlTCldBVKp6du+DpjN48Xn2ck4S8dl8vm8ZR8OYNr4ykuc9TGqVjEol9HZ2sJxOo1GLIbmrVvTpQJKJcvCPpBKYbVadUToXWa5WER4e1v6eYe7uzh+9VUcJZPoF4u21vjd/jzTL3CEL1mtVsOtW7dsufa/v/kmNs79O1cvCcrBMyWDWQlhVK06ZqPw4L17CBlcW96KEf6MrHn6l/FFo1AzGQTzefiTSdOu8yw7n+e9vb2FfDnLzBE+37SVrGxj4+3/PHiAr53739379227F1H+RALLxaKloSaDlsvBn0waXobhMpNmE/1SCf1SCcrGBtRMBmo6DdXkrRXtfJ7L5TJH+pKxpCOZnQ2nt227snG+aBTBe/ewWq26Luxn/MkkorUa/ImEqdcZ7++j9+ABWq+9hrrPh+N0Gp2tLQwrFemlHzufZzZv5eMIX7Lr1hK5TCqVOltcqlKpYFdgauMHQle2n5bNIrS15Yk1ZnyxGFarVbTzecs2YB/u7mK4u3v2jU7Z2IASj8OfTMIXi32qtHdduWpUrZ790hhVq7Y+z6LXpssx8CW6bJXA69y7dw9bz9Srt7a2cF+gJPMegNtCd2E9J81EkS1cKEDLZNDKZCzvi4z39zHe3z97H0K0tPee4PVlPs+VSoWrbErEko7NUqnUZz4cwPQDkjK4AYdTBVIprLz7LlYqFU+G/UwgnUa0VoN6547dt2KZRXye3YSBb7OrRi9eG9mod+4sRNCfN1tTP/LwoeHNVNxgkZ5nN2Lgk6l80SiW3nwT0b09zywLLELNZLBarRreK5fICAa+za6q+4v2BJxAvXMHyzs7iJ3u9OSFhqxRvlgMoa0tRPf2pC7L4CRefZ69goFvs93d3UtrniIzG+x0FvL1OiLlMjQuhHUhJR7HcrE4fcnLY3VtLz3PXsQ3bSXz+eZ64e0zZExjA4BDoaPE+BMJBNJpS14AEmHlm7ZGDCsV9IpFU9bkMeo5weNkPc/z5pOXmPmmLQNfsmQyadv84ZcB/F+Tzu2LRuFPJhFIpxE4/bvdyxRfxy2BPzOu1dAtFKZr5zhkiYvfgn3vdyQSCVRduEGMUVxawUVyuRzu3r1ry7XfMHj87IUdYDqlUInF4E8mz17gIXMp8TjChQLCp6HfKxZN21tgXm8A+KZN1+ba+PJxhC+ZnYtNVQF84Zqf8UWjCG1tnS1f4OUwd9sI/yLjWg2Dchn9ctmW8P8ZALsWuuDiafPj8sg2icfjyNowA+MNXB/2wHQRrvbdu+gVi1Dicc+GvVco8TiW8nmsVCqI1etY3tmBls1aNqf/CzD+zVFENptdyLA3G0f4JrB6w4hVAI8ARHUe54tGsZTPI5jPezL4vTDCv8q4VsOoWsWwWsWwUjFteesmgASAI+lnvhg3QOEI31VisRgKhYJl1/vv0B/2wHS0371/H814HH2uTOg6SjwONZNBaGtr+g2g0cDaZIKVd99F5OFDBO/dQ/DePfiiIk/HL0QxfcasUigUFjbszcbAN0kul7OktPMGgK8aPMek2cTJ5iaa8bgj91MlfQKn02TVdFrajJ+vwprSTjabZbPWRAx8ExWLRVND/w0Ab0k833h/H8evvorjdBqjBZwO5xWjahXH6TSOX31V6naUb8Hc0M9ms1wD32QMfJOZFfqyw/684e4ujl55BSe5HMa1mklXIdnGtRpOcjkcvfKKaTN6zAp9hr01GPgWKBaL2NnZQdRgLRWYNmj/BuaF/Xn9UglHySQ6W1u2bqJNV5s0GuhsbU03PLfgbd23MH0GVyWcKxqNYmdnh2FvEQa+RXK5HGq1mqHR/huYzsYxWrPXg41dZ+sXi2jG4+jev2/p27lfxfRZNDLaz2azqNVqrNlbiIFvoVgshmKxiL29PWxvbyMxx96nLwP4S0xfqnoLYrNxZGBj11mGlQqa8ThONjdtW4YhiukzWcX0GX15jmMSiQS2t7ext7eHYrHI2TgW4zx8B7hs2djbgO555FYJpFIIFwqO3nDci/PwR6f75dq95MJllnd28P8ueWGKG6DMh2vpeNxVHwQtm3XkKoqzxq6XNiB3snGths7WliXPgi8aFfrWEEiloOVySMu/JZKEJR2HC21tCb84o965Y/p662zsmsvKhuxsr2FRYQtfNiQxDHyHm62lImJYqSBSLmPl3XdNXXuFjV1zWNWQVTY2zvYaHlQqQtfSsllHl/doioHvAsF8XmiUP2k20S8WEUinEa3VsLyzY/g1++uux8aucVY1ZH3RKJZ3dhCt1c76Fj2BUfpsBVZyPga+C/hiMeFRfvfcB1jL5RCt1aSsr3IVvrErxqw3ZJ/li0YRvHcP0VrtU9tQii7DsJTPs4fjEgx8lxAd5Y/39zEol8/+92wj7dVq1fSNtPnG7nyseEN2RstmsVqtTntDz8yi6wqO7oOCgxGyHgPfJYyM8nsX1NVnG2mvvv8+G7s2sbohu/r++1g+3QfhWaNqFSOBrTm1XM6TS2t7FQPfRURH+YN33rl0hO1PJrFSqbCxazE7GrJXNVUvGhTMg6N7d2Hgu4iRUf75ss5F2Ni1hp0N2auI/BLWslnW7l2Gge8yS4Lrjsw7gmNj1xx2N2SvMiiXxZq1XAPHdRj4LqPE40LN1tGjR3M3TtnYlccpDdmr9K/59ncRfyLh6CUo6GIMfBfSMhmh464r6zyLjV1xTmrIXkfvcwFwdO9WDHwXUjMZoQaraGOOjV19nNaQvcpQ9M1aBr4rMfBdShUY5esp61yEjd2rObUhexWRco565w6nYroUA9+lRL9SywhQNnY/zckN2euIPA+iJUWyHwPfpfzJpFB5ZSBpxMzGrjsasleZNBpCL1uJfLskZ2Dgu5jIB092iWQRG7tuasheReRZ8CcSLOe4GAPfxUS+Wo/3900ZJS9KY9dNDdnriHzb4+je3Rj4LhZIp4Vq6GY2Qr3a2HVjQ/Y6In0RlXPvXY2B73IioTC0oAHqlcaumxuy1xHpO/BlK3dj4LucyIjLqhkvbm7sur0hex2RZ8CfSJhwJ2QlBr7LidR3zQ6wZ7mpseuVhux1RH4pcnTvfgG7b4CMEf0Qjms1y0Nm1tgdVirTkbhJJZJZY1dE67XXJN/NZykbG1g+3XrSLiJlPT9XxnQ9jvA9QOSrtp3z2a1q7DqNlQ3Z6wiVdLhJuesx8D1A5IPohDdXrWrs2s2Ohux1RMpdDHz3Y+B7gEhpZuyQFSmtbOzawY6G7DxEfuE76f5JDAPfAwICIy8nLVEAWNvYtYKdDdl56H2XgDN0vIGB7wEiIy+nBf6MVW/smsWKN2TtwNG9NzDwPcCJI0ij3NbYdVJD9jpuWnKa5GLge4BI4LtlVymnN3ad2JA1g5e+rSwyBv6CElkW1y5Obew6tSFrBq//8y0KBj65hlMau05vyBJdhoHvEV6Y2TIvuxq7Xm3I0uJg4BMRLQgGPrmOVUsWP8ste+wSXYaBT65h5ZLFV3HqHrtmcsusLroaA98jvDzitHLJYj2csseuFbz8fC0SBr5H6H1V3i1vsVq1h6wou/fYJdKDgb+gnD6d0Ko9ZGWxeo9dI0RmGHn9G8yiYOB7gJc+jHY1ZGVxQ2NX5CUqN72oR5dj4HuAF5a6dUpDVhYvNna9NLBYVAz8BeWUF4ec2pCVxamNXZEX9Zz6jYXmx8D3gIHDa8aXcXpDVhavNHYZ+O7HwPcAkZKBaucG2i5ryMripMauyBLOI4+UphYZA98DRALfjlk6VjVkZ0sWRx4+1H1s5OFD05didkJj1y/w358jfPdj4HuASJPTysC3siFrdMliK5ditrOxK/Lf3wvN9EXHwHc5kVGXVStrWtmQlb1ksZVLMdvR2BXdlcvuUhQZw8B3OZEPoBWje6sasmYvWWzVUsx2NHZFNiZ36wQBmmLgu5zIBzBg4pRMqxqyVu8ha9Ueu1Y2dkV+QXKE724MfJcT+QCaEZBWN2Tt2kPWqj12rWjsiszUGu7uOup9AtKHge9io2pV9yjaF41KLX24qSEri1cau6K/+AflstT7IOsw8F2sL/DBkzW6d3NDVha3N3aVeFyoL8E6vnsx8F1MZKQl44UrrzRkZXFzY1dkADAol1nWcSkGvkuNazWhFQzVTEb4ml5tyMrixsauJvA8TJpNlnVcioHvUt1CQfcxysaGUElkURqysripsSv6C1WknEj2Y+C7lFA5R+dobhEbsrK4pbHri8Wg3rmj+5qDd97xzLLPi4SB70KDcllopL0056iZDVl53NDYFSnrAEDPxSt/LioGvguJfNCUjY25Gp9syJrDyY1d0b5OT6CsSPZi4LvMuFbD4J13dB933YeaDVlrOLGx64vFhMpOk2bT1ev7LyIGvst0traEjgvm8xf+ORuy9nBaY1e0rCP6PJI9GPguMmk0hJq1gVTqM/VxNmTt56TGrprJCJWaxvv7HOW7CAPfRbqFglC55Xyzlg1Z53FKY1f0mxdH+e7BwHeJSaMh1CTzRaNnH2Q2ZJ3N7sbuZWW/63CU7x4MfJdo5/Nio/t8ng1Zl7GrsSvavAU4yncLBr4LjGs14fLLoFxmQ9al7GjsijZvOcp3Bwa+C5wYCFGR9Xb0YEPWXFY3dluvvSZ8fDuf56JqDhew+wYIqFwyTzqdTmNQLjty8+hAKoVwocAavUVmjd1gPo92Pu/IZ2LSbKKztYUfXfItIc0yn+0Y+Dao1Wool8soFot4dM0I/GVNwxsAfhfAFyy5u6spGxtYLhZZo7fJrLE7rFSmUyxNLNXN62cA/gHA2wA+ePAAePDg0p9NJBLI5XLIZDKIc+aW5VjSsVCj0UAul8OtW7dw9+7da8MeAD7o91txrSIAABXwSURBVPFNAEkAXwdgXsv1amzIOotVjd2rNDF9JpMAvgnggzmOefToEe7evYtbt24hl8uhwRKQpRj4FikWi4jH4ygZmPv+NoAEgO9Ju6vrsSHrbFY1dp/1PUyfxbcNnKNUKiEej6PIZq9lGPgWyOVy2NzcRFPClMgjAH+I6cjKbGzIuoOVjV1g+uz9IabPolHNZhObm5vIcTBhCQa+yXK5nKFR/WXehnmhzzdk3cmKN3a/DmOj+suUSiWGvgUY+CYyK+xnZIc+35D1BrPe2DUr7GcY+uZj4JukWCyaGvYzb0NOTV/Z2ICWy2FwOgNEdMs8cg6Zjd3vwdywnymVSqzpm8g3mUzm+sH9/f35fvBUNBpFbEHrvo1GA/F4XErNfh6rAB4BMKNlN9s4xZ9MIpBMIpBOu6aeP6xUcPzqq7qOWXn3XdfPQpqtfz+qVjE+nQUzKJeFX8JrYtqglVGzn0c0GkWtVlvo/NCbHRsbG755fo7z8E2Qz+ctC3tg+kH8MwBvmXDu8f4+xvv7n9p0xZ9IIJBOQ02nXfULwGtG1SpG1SqGp38fVaumrJX0Z7Au7IFpIzefz3OkbwKO8CWr1Wq4deuWLdeuwp6Xs9Q7d6BlMlAzGUeFv9dG+KNqFf1y+azkZuZCeDM/w3SevR329vYW8uUsM0f4rOFLVhbYoESWf7DpuoN33sHJ5iYaa2toZTJcREuSSaOBfrGIk1wOjVgMR6+8gu79+xju7loS9oB9zxRg72fJqxj4ktn5NdSKptp1zsI/FkM7n79wdyW6Wr9YRCuTQWNtDSebm+iXSpYF/LPsfKZY0pGPNXzJ5lku4SKpVOpscalKpYJdgcWx5nm13SqTZhO9Bw/Qe/AAWjaL0NYW5/RfYVStolsoYFAu2xbuFxF9pmQ8z6KfJbocA1+iy1a9vM69e/ew9cwGEltbW7h//77uc70H4LbQXZinXyqhXyohkErxZa5n9ItF9IpFR65++Z7gcTKf50qlwlU2JWJJx2apVOozHw5g+gFJmby/qdWGu7to3rp16Ubai2S23eTJ5qYjw17UIj3PbsTAt9lVoxevjmyu2kjb684HvROWNpZtEZ9nN2Hgky1mG2kfJZNnLwp52fl9hb0Y9OQODHybXVX3F+0JuMlsP9WTXM6To/1xrYbjdNr0fYWdYtGfZ6dj4Ntsd3f30pqnyMwGt5qVebw02u9sbU3/mRbovyOfZ2fjm7aS+XxzvfD2GTKmsQFAb2fnbBaMP5m89s3XSaNxtlDabO2VUbWKca1m+gbolwneu4fQBaGhl11v2o6qVZzkcrb9+7uMLxrVvQrqquBzKOt5njefvMTMN20Z+JIlk0nb5g8nEglUJa9yOXuNf7aKplVzxAOpFCLlsqGlGuwI/F6hMG1G2zSXPpBKQYnHocTjCJz+wjfyz+O159kNuHiai+RyOdy9e9e2a8sWOF0gbSmfB/CL9VyMrL44j+HuLprxuGvW5p80GjjJ5T61yJzZfNHopxaxM+Pfk9ee50XHGr5kmUzG09f2J5Nn2+lF9/aw9OabUjfZOG/SbOI4nXb82jyjahVHyaQlYe9PJBDe3sbq++8j1mggUi5jKZ837Zei15/nRcPAlywejyNrwb6iz8pms5avLKjE4wgXCojWaog8fGjKtnqTZhMnm5voFQrSzy3DoFzGcTpt6gycWchH9/awWq2aGvDPWqTneRGwhm8CqzdAcdKGEbM1Yfom7PalZbNY1jHaN7uG3y8WcbK5qev88/JFo1AzGQQtDPfLLPLzbAcuj+wysVgMBQtHpIVCwTEfDn8yieViEdG9Pekj/n6phBOH1HXb+bwpYe+LRhG8d2+6NWGxaHvYA4v9PHsNA98kuVzOkq/C2WzWkc0t5bThuvLuu/AnEtLO64TQP8nl0HvwQOo5zwd9aGvLURvJAHyevYKBb6JisWjqhySbzTp+zfBAOo3VahXh7W3DG2nP2Bn6J7mc9HKVk4P+PD7P7sfAN5lZHxK3fTiW8nmsVqvSyjx2hL7ssA+kUoju7Tk+6M/j8+xuDHwLFItF7OzsICphhBuNRrGzs+PKD8eszBPe3pZyvn6phPbp+wFmkxn2vmgUkYcPsVKpuHJvAD7P7sXAt0gul0OtVjM0Ospms6jVaq6vcS7l81h9/30p8/d7Dx6YPk+/XyxKC3v1zh1EazWoLp9jzufZnRj4ForFYigWi9jb28P29jYSczQzE4kEtre3sbe3h2Kx6JnZC/5kUlqJ52RzEwOTNryWOfUyvL1teLkIJ+Hz7D6ch+8Aly0buygbRsgol/ii0c8sw2B0Hv6oWsVxOm14XZyL7s3LFv15Nopr6Xjcon8QlotFqOm0oZH0pNlEK5PBarUqZQQ9aTTQymQMh70/kcBKpeKZUf08Fv15djKWdMgRtFwOyzs7hs4x3t9HS1JtvJXJGF4uIZBKLVzYk7Mx8MkxZIT+cHcXHYNr6Xe2tgxvWqJlswx7chwGPjmKjNDv3r8vvHPWqFpF9/59Q9fXu+YPkVUY+OQ4MkJfdI/ctsG13xn25GQMfHIko6E/3t+37KWsmUAqxbAnR2Pgk2NpuRyW3nxT+Hgz16h/lj+RQMSkdwGIZGHgk6OFCwVoNmzAocdsnj0btOR0DHxyvHChIHWJZdkY9uQWDHxyPF8sNl2SQNLyyjKFt7cX5g1acj8GPrmCEo87riGq3rmDJYsbw0RGMPDJNdRMxlATVyZfNOq4X0BE12Hgk6s4pZ7vpVUvaXEw8Ml17B5Za9ns2YqaRG7CwCfX8SeTCN67Z8u1fdEowoWCLdcmMoqBT64U2tqypbQTLhRYyiHX4nr45FrhQkHXBifvXfLnt+c83p9IQON2fORiDHxyrUA6DS2bvXS3rJ8B+AcAbwP44JpzvQzgDQC/C+ALl/wMSznkdizpkKuFC4XPvJDVBPB1AEkA38T1YY/Tn/nm6TFfPz3HeYFUio1acj0GPrmaLxZD6NyGJ98DkMB0VC/q7dNzfO/cn3F0T17AwCfXW8rnoWxs4OsA/hDAkYRzHp2e6+uYTsPk8gnkBQx88oRvvPSSoVH9Zd4G8N8++siEMxNZj4FPrpfL5fC/fvAD087/P//pn5Dj7BzyANMCfzAYmHVqojPFYhGlS2bpyFQqlVDk2jlkgV6vp/uYer0+1+xi32QymeuE+/v78/3gqWAwiBs3bug5hEiXRqOBeDyOZvPZOTXmiEajqNVqiPHFKzLRkydP0O12dR2zsbHhm+fnWNIh18rn85aFPQA0m03kuRwyuRgDn1ypVqtZUsp5VqlUQq1Ws/y6RDIw8MmVyjZuGG7ntYmMYOCTK9nZQGXzltzKtLV0+v2+WacmwqNHj4SOS6VSSJ8ukVCpVLC7u2vZtYnmYWZ2zh34mqY1+v3+3NMTxuOx2B0RXaNSqQgdd+/ePWydW4YBALa2tnD//n2he0hzbR0ygd7s1DStMe/PmlrSYeiTU6RSqc+EPTAN/FQqZf0NEV3A7MycO/B9Pp++iaFgWYec46rROEfq5BQimaknm+cOfL/f/2O9N8IRPhHR/EQyU0826xnh1/XeCEf45BRX1f1FewJEsgmO8OfO5rkDX1EU3dMZuJ4OOcXu7u6lNXyRmTpEZhDJTD3ZPPdaOvV6/fbR0dG/6LkRTdNw8+ZNPYcQzcXnm2vpkM+QMS0TAOb93BDp8fjxY92j/NXV1d9cW1u7bMvmT5k78AH9C6gBwMbGht5DiK6VTCZtmw+fSCRQrVZtuTZ52/7+vu5j5l04DdA5LVNV1Y7em9G76hvRPOxcn55r45MZRLJSbybrCvxAIPBzfbfDxi2ZI5PJLOS1ybtEslJvJusKfEVR/k3f7bBxS+aIx+PIZrOWXzebzSIej1t+XfI+wYatrkzWG/i6O1ws6ZBZCoUCotGoZdeLRqMoFAqWXY8Wi0hW6s1kXYH/3HPP6X7ah8MhhsOh3sOIrhWLxSwN4EKhwN2uyBSiOak3k3WvpSPSuG2323oPIZpLLpezpLSTzWbZrCXTiGSkSBbrDvxAIKB7iQWRTXmJ5lUsFk0N/Ww2yzXwyVQiGSmSxSKB/496j+EIn8xmVugz7MkKIhkpksW6A19RlL/TewzA0CfzFYtF7OzsSGnkRqNR7OzsMOzJdKLZKJLFugM/Fovti9SOOh3dhxDplsvlUKvVDI32s9ksarUaa/ZkCZFsVFW1E4vFdL+WK7QBiqqqP9J7DEf4ZJVYLIZisYi9vT1sb28jkUhce0wikcD29jb29vZQLBY5G4csI9iw1Z3BgM61dGbq9frrR0dH/1vvcevr64hEIrqvRyTDZcsgcwMUskur1cLBwYHu41ZXV//L2tra9/UeJxT4APDhhx8ORqORrk3Qw+Ewnn/+eaHrERF5zSeffKJ7hO/3+4cvvfSSKnI94T1tNU37QO8x7XabL2EREWH6spVIOUcke2eEA19V1b8SOa7VaolekojIM0SzUDR7AQOBv7a29n2/3697uH58fCx6SSIizxDJQr/fPxSp3c8IBz4ALC0t/UDvMePxmKN8IlporVZLaMNykcw9z1DgBwKBPxc5rtlsGrksEZGriWagaObOGAr8tbW19zRNa+g9TrRZQUTkdqKTVzRNa8y7d+1lDAX+6U38vchxrOUT0SISzT7RrD1PeB7+eSJz8gHgxo0bCAaDhq9PROQG3W4XT5480X2ckbn35xke4QPijQSRN8yIiNxKNPOMNmtnpAS+qqpZRVF0f1UYDoecsUNEC6HVagnV7hVFmaiqKmXtbymBH4vF9peWlh6JHFuv14WmJxERucV4PEa9Xhc6dmlp6ZHIypgXkRL4AKCq6jdEjhuPxzg6OpJ1G0REjnN0dCQ8sBXN1otIC/y1tbX3QqHQT0WObTab6Pf7sm6FiMgx+v2+8Lz7UCj0U6NTMc+TFvgAoKpqTvRY0a87REROZiTbjGTqRaQG/tra2nvhcHhX5Nhut8vSDhF5ytHREbrdrtCx4XB4V+boHpAc+ID4jB1gWtrh8slE5AXD4VC4lCNzZs6nziv7hLFYbD8UCr0jcux4PMYnn3wi+5aIiCz3ySefCDdqQ6HQO7Jm5pwn5U3bi4i+fQsA0WiUe4oSkWs1Gg3h0b2st2ovIn2EPxMOh/9I9Nhmsylc9yIislO32zW0IrCR7LyOaSN8APjoo48e93q9F0WOVRQFv/RLvwRFMe13EhGRVOPxGP/5n/8pXMpZWlr66MUXX7wp+bbOmJqmwWDwy6IN3PF4LLTIEBGRXZ48eSIc9oqiTILB4Jcl39Knr2HmyY00cIHpCwtcYI2I3ODg4MDQC6RmNWrPM7WkM/P48eN6v98X7sKyiUtETmakSQtMNze5efPmmsRbupAlBfJQKJQULe0A0yYuV9UkIidqtVqGwl5RlEkoFEpKvKXLr2XFRWKx2P7y8vK3jZzj4OCAoU9EjtJqtQyXnZeXl79tdilnxpKSzszHH3/8fqfTEf5NpigKbty4AU3TZN4WEZFu/X7fUJMWAEKhUPWFF154ReJtXcnSOY+apmVUVe2IHj+bucOVNYnITjLCXlXVjqZpGYm3dS1LA/901s5vG6nnM/SJyE4ywv60bv/bVpVyzq5r5cWA6YqaRuv5s9BnTZ+IrNRqtQyHPTCt28teCXMeltbwz3v69OnDk5MTw19n1tfXEYlEZNwSEdGlZDRoAWB5ebn8uc997jUJt6SbbYEPAB9//PFPOp3OF42eh/P0ichMRufZz4RCoZ++8MILvyLhloTYGviA8ZeyZiKRCNbX12XcEhERgF9sPi6jfGzVy1VXsX1lslAolDQyc2em1Wrh8ePHhmtrRESA3F6hqqodq16uuortI3wAaDQaG+12+98Hg0HI6LkURcHzzz+PYDAo49aIaAF1u11DG5icp6pqJxwO/6rVM3Iu4ojAB6ahf3x8vDcej30yzse6PhGJkFWvB6bTL1dWVm45IewBB5R0ZmKx2H4kEnnDyBz985rNJh4/fsw9coloLsPhEI8fP5Ya9pFI5A2nhD3goBH+TL1ef73Var0ta6SvKAqi0ShWV1dlnI6IPOjo6AjNZlNaD3AW9mtra9+XckJJHBf4gNya/kwwGMTa2hrX4SGiM/1+H/V6XeqWqk6q2T/LkYEPmBP6AM5G+9w6kWhxjcfjs1G9TE4Oe8DBgQ9MQ7/T6VRlzNM/T1EUrK2t8Q1dogXUarVQr9elT+HWNK0RCoWSTg17wOGBPyPrjdxnBQIBrK+vcwon0QLodrs4ODgwZSKH3W/QzssVgQ/IW3vnIsFgECsrKwiHw2acnohs1G63cXx8LLVOf56da+Po5ZrAB4DDw8NvnZyc/LGsGTzPCgQCiEajLPUQecBs60GzpmYrijJZXl7+9nPPPfenplzABK4KfACo1+u3O53OP8tu5p6nKApWVlYQiUQQCATMugwRSTYcDtFqtXB8fGzqMiunSyX8th1LHBvhusAHps3cfr9fNrJd4rzC4TBCoRBH/UQO1mq10Ol00G63Tb9WKBSqapqWcXJz9jKuDPwZs0s85ymKchb+rPUT2a/dbp+FvBWLJrqxhPMsVwc+YN7UzeuEw2EsLS0hHA6z7ENkgeFwiHa7jV6vZ8lI/jw3TLmch+sDf+bp06cPO53OHStG+88KBAIIBoNQVRWapnGaJ5EE3W4X/X4fg8EA3W7XlnWxTveefccts3Cu45nAB6aj/W63+8Ner/ei3feiaRoCgcDZLwFFUc7+TkRT4/EY/X7/7O+DwQDD4RD9ft/uW8PS0tJHwWDwy24f1Z/nqcCfOTw8zLfb7b8ejUaOrbVc9i1gaWnJ4jshMk+v17vwz2ch70R+v38YDof/6LnnnivYfS+yeTLwZ+ws8xCRu3itfHMRTwc+MC3zDAaDUrvdTtl9L0TkTOFweFdV1ayXyjcX8Xzgz9Tr9duDwaBoxpo8ROROoVDop6qq5tz2ApWohQn8mdPg/06v10uw1EO0eBRFmSwtLT1SVfUbixL0MwsX+DOzUk+v1/uKk5u7RCSH3+8fLi0t/WARSjeXWdjAP+/g4OC7/X7/96x+eYuIzKdpWkPTtL9fX1//fbvvxW4M/HPq9frt4XD4Fxz1E7nbbDQfCAT+fNHKNldh4F+iXq+/PhgM/qTf77/M8CdyPr/fP9Q07QNVVf/KaZuHOwUDfw71ev314XD4tcFg8BtmLstMRPqoqtpRVfVHgUDgbxny12Pg69RoNDbG4/EfDIfD3xkOh1/iLwAi66iq2gkEAj8OBAL/qCjK3y1q81UUA1+Cw8PD/Hg8To3H418bDoef5y8BIuNOw/3niqL8m6Iou15c6sBqDHyT1Ov125PJ5NfH43FqMpmsjUajL00mkyAAcDYQ0XT2DAD4fL6u3+//sc/nqyuKsuvz+f6VjVZzMPCdJX76F5FXVAE07L4JmmLgExEtCC7OTkS0IBj4REQLgoFPRLQgGPhERAuCgU9EtCAY+EREC4KBT0S0IBj4REQL4v8DBHp/8P5DHNMAAAAASUVORK5CYII= + mediatype: image/png + install: + spec: + clusterPermissions: + - rules: + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create + - apiGroups: + - "" + resources: + - '*' + verbs: + - '*' + - apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + - validatingadmissionpolicies + - validatingadmissionpolicybindings + - validatingwebhookconfigurations + verbs: + - '*' + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - list + - watch + - apiGroups: + - apps + resources: + - daemonsets + - deployments + verbs: + - '*' + - apiGroups: + - autoscaling + resources: + - horizontalpodautoscalers + verbs: + - '*' + - apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - k8s.cni.cncf.io + resources: + - network-attachment-definitions + verbs: + - '*' + - apiGroups: + - networking.istio.io + resources: + - envoyfilters + verbs: + - '*' + - apiGroups: + - networking.k8s.io + resources: + - networkpolicies + verbs: + - '*' + - apiGroups: + - sailoperator.io + resources: + - istiorevisions + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - sailoperator.io + resources: + - istiorevisions/finalizers + verbs: + - update + - apiGroups: + - sailoperator.io + resources: + - istiorevisions/status + verbs: + - get + - patch + - update + - apiGroups: + - sailoperator.io + resources: + - istiorevisiontags + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - sailoperator.io + resources: + - istiorevisiontags/finalizers + verbs: + - update + - apiGroups: + - sailoperator.io + resources: + - istiorevisiontags/status + verbs: + - get + - patch + - update + - apiGroups: + - sailoperator.io + resources: + - istiocnis + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - sailoperator.io + resources: + - istiocnis/finalizers + verbs: + - update + - apiGroups: + - sailoperator.io + resources: + - istiocnis/status + verbs: + - get + - patch + - update + - apiGroups: + - sailoperator.io + resources: + - istios + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - sailoperator.io + resources: + - istios/finalizers + verbs: + - update + - apiGroups: + - sailoperator.io + resources: + - istios/status + verbs: + - get + - patch + - update + - apiGroups: + - sailoperator.io + resources: + - remoteistios + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - sailoperator.io + resources: + - remoteistios/finalizers + verbs: + - update + - apiGroups: + - sailoperator.io + resources: + - remoteistios/status + verbs: + - get + - patch + - update + - apiGroups: + - policy + resources: + - poddisruptionbudgets + verbs: + - '*' + - apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterrolebindings + - clusterroles + - rolebindings + - roles + - serviceaccount + verbs: + - '*' + - apiGroups: + - security.openshift.io + resourceNames: + - privileged + resources: + - securitycontextconstraints + verbs: + - use + - apiGroups: + - sailoperator.io + resources: + - ztunnels + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - sailoperator.io + resources: + - ztunnels/finalizers + verbs: + - update + - apiGroups: + - sailoperator.io + resources: + - ztunnels/status + verbs: + - get + - patch + - update + serviceAccountName: servicemesh-operator3 + deployments: + - label: + app.kubernetes.io/component: sail-operator + app.kubernetes.io/created-by: servicemeshoperator3 + app.kubernetes.io/instance: servicemesh-operator3 + app.kubernetes.io/managed-by: helm + app.kubernetes.io/name: deployment + app.kubernetes.io/part-of: servicemeshoperator3 + control-plane: servicemesh-operator3 + name: servicemesh-operator3 + spec: + replicas: 1 + revisionHistoryLimit: 10 + selector: + matchLabels: + app.kubernetes.io/created-by: servicemeshoperator3 + app.kubernetes.io/part-of: servicemeshoperator3 + control-plane: servicemesh-operator3 + strategy: {} + template: + metadata: + annotations: + images.v1_26_2.cni: registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:14c5a52faf20267baa43d9a72ee6416f56fbc41dd640adc2aba3c4043802a0e9 + images.v1_26_2.istiod: registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:028e10651db0d1ddb769a27c9483c6d41be6ac597f253afd9d599f395d9c82d8 + images.v1_26_2.must-gather: registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:366266f10e658c4cea86bddf6ee847e1908ea4dd780cb5f7fb0e466bac8995f1 + images.v1_26_2.proxy: registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:d518f3d1539f45e1253c5c9fa22062802804601d4998cd50344e476a3cc388fe + images.v1_26_2.ztunnel: registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:ecc6a22a471f4f4b836648f3a72ea7f57a4ea960ebcbc7dbe3fe729500902d0b + images.v1_26_3.cni: registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:2ea112ab90b8540f11e9949d77c3e7e3b3ef57ac3bf23f6cf1e883a88430e1f9 + images.v1_26_3.istiod: registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:33feac0c9c888b375e207e86b3f9a1a289126ca46b64632a7f693e2191cfbbfd + images.v1_26_3.must-gather: registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:2ca96716812d339775d3dfd396c863834dd3810720e98bfcf87bc67c5fbd29b5 + images.v1_26_3.proxy: registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:26747627ae22bbdffcf9de58077454fc0c890cda83659d7834b15dea2b5aaaf2 + images.v1_26_3.ztunnel: registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:f7ab868455b5e887e2d89b7078678531290365f9166cae99ce56119f31fa2ba4 + images.v1_26_4.cni: registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:9536c5850961488b3e01e29140d9ace0cbaa1f4bd1c1860cb49d10bf0514a5bf + images.v1_26_4.istiod: registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:02b82941a92c537233c4f60d9223da2e637b045189b8700dd7030bd9c1c352d5 + images.v1_26_4.must-gather: registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:cadc30c15a54d89de1992624a3641c7d5951dd292b668d026ab9d5e2f3878a77 + images.v1_26_4.proxy: registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:b45ecae5a9240b40403c4e39c6a81ab66c8c7e8de194dc3e21b1336ff3a0fa38 + images.v1_26_4.ztunnel: registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:950e9a2e8fef8740b4909957c2cced52d45abd66324fb056097f2d0782970573 + images.v1_26_6.cni: registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:be16b9a7e2693bf294c99d96ba4cf36e98629ebff2ce6f2ce946fd9ae1e9f2dc + images.v1_26_6.istiod: registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:91229b8d6e932178ddddf0b4878114b65c0451755919996239d1fe6285b644e8 + images.v1_26_6.must-gather: registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:8a21e30593e51f2fd2e51d9ab1d0ed2fc43eaa9b98173d7fb74f799d6b2f163d + images.v1_26_6.proxy: registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:47100186c27934adeda3002bb04cac28980ca8854eee7d6e4f4b3f85562e9a8e + images.v1_26_6.ztunnel: registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:f39e2c28ef36fce9f808f3946cc4e4126047e142ad84cb18c222cecceae29730 + images.v1_26_8.cni: registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:edb5aab128bc90ba62a9b1d268be82ea8771ff70b0305ad9d85d8f669a995044 + images.v1_26_8.istiod: registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:6f9ed59521fab78d5cf576d0519b5aa40ea46963a13772b0a6ecabafbb32778b + images.v1_26_8.must-gather: registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:3e3e4a5f1e644796c13728c6c7f7ca8daab3b9a08d8ffd2a7a8c8f424d47b0b8 + images.v1_26_8.proxy: registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:6558eba168f2cb50aa40394b9ff9e71882c9e4a4c93ca189ba8f71f324c12ab4 + images.v1_26_8.ztunnel: registry.redhat.io/openshift-service-mesh-tech-preview/istio-ztunnel-rhel9@sha256:af4076fd0bef20612081bd8b0dbf9434a33a879545bba823cdaeeeb01ad39056 + images.v1_27_3.cni: registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:ddadd677161ad8c1077dd156821d6b4e32742ccbb210e9c14696fa66a58c0867 + images.v1_27_3.istiod: registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:0850242436e88f7d82f0f2126de064c7e0f09844f31d8ff0f53dc8d3908075d9 + images.v1_27_3.must-gather: registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:742bc084c26769ff57cb3aa47b7a35c2b94684c3f67a9388da07a0490a942e5c + images.v1_27_3.proxy: registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:7d15cebf9b62f3f235c0eab5158ac8ff2fda86a1d193490dc94c301402c99da8 + images.v1_27_3.ztunnel: registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:b2b3216a05f6136ed9ddb71d72d493030c6d6b431682dddffa692c760b6c9ba1 + images.v1_27_5.cni: registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:2929b7df3da8228a728945542647ec5450c0585a2ed5cbdb84f8e3d81ab41806 + images.v1_27_5.istiod: registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:2e515a40de141bd4e516bfcf4fd0cbb8d236ac02799a7a35d77ae44f53916bc9 + images.v1_27_5.must-gather: registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:d1baba8cb454b62d804dc427d4ccfea928348631c384d1ab3d170e1e2a9d1178 + images.v1_27_5.proxy: registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:650da1e2ad1cb93e6a0231dba7ca1f27f4cccac84e5925135281adc629a0caea + images.v1_27_5.ztunnel: registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:0ae2919cd446e0e1f0a21d0850e7809ba8f44c06d484c023b3bee2787ca4bdd0 + images.v1_27_8.cni: registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:f072a10513086f330af8bbd4e70d6922167417cfb15674d4e9834565071f2c20 + images.v1_27_8.istiod: registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:2a25d47b4bb3bf346563a0ccea986c0ab0466709ca4cb9d2666ba6a02a8a5f31 + images.v1_27_8.must-gather: registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:6eaedfbf16cfc73196e693b97d33e399acf438bce5fd7ec3c91f3f084c87edf0 + images.v1_27_8.proxy: registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:2b5f5aa5ee9974269d8e3666b1bfc58da10c172bf3f1d6defd555fbd1ac9a6ec + images.v1_27_8.ztunnel: registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:4e085c9b6ca08f950798bf5153579e00e8e65226befe9c9043c19ae53f8a3a2d + images.v1_28_4.cni: registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:f8abbd0d6c7758cf2ccd49dba34921e3ac9b6e4cdbfed4e5fb38dc9a11d30a5d + images.v1_28_4.istiod: registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:978f840ceda7eb00c6f15740bcd60e241bee732cd215e9de464ce431b0156ffa + images.v1_28_4.must-gather: registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:d57d23fc8ec4053a3d819ffb87532d6aec6b5874fdf22e22afdd7f0f0712df52 + images.v1_28_4.proxy: registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:ba78d718627a0662f61ec633fdd2867ba5c24be6bdbc6df672d46456fb399dba + images.v1_28_4.ztunnel: registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:2d5a3154e7b6b8d7eadb851a86cc5b7ee556b923843e73ae56197e875c564b03 + images.v1_28_5.cni: registry.redhat.io/openshift-service-mesh/istio-cni-rhel9@sha256:6167fbd27225658213894efcad7eaa172415873ef89c2239e5dd1d18ee15e362 + images.v1_28_5.istiod: registry.redhat.io/openshift-service-mesh/istio-pilot-rhel9@sha256:4813bf7ae960860d28b5ab7b493ce10f1879e3276b1b64732299a9750737bcfd + images.v1_28_5.must-gather: registry.redhat.io/openshift-service-mesh/istio-must-gather-rhel9@sha256:eb58878893732fb5324ccbd07f2c34f85d977ad7067827dc114c14ed2d50dc57 + images.v1_28_5.proxy: registry.redhat.io/openshift-service-mesh/istio-proxyv2-rhel9@sha256:bc34f81266d8b0d2f5a8e71e966098d4edef70ac8dbb077a014a27fe1b71ec0a + images.v1_28_5.ztunnel: registry.redhat.io/openshift-service-mesh/istio-ztunnel-rhel9@sha256:93dddaa0db0510d8c3bbf3376ca49311dd28ac644aa5dfcb3f5888ace89840a4 + kubectl.kubernetes.io/default-container: sail-operator + labels: + app.kubernetes.io/created-by: servicemeshoperator3 + app.kubernetes.io/part-of: servicemeshoperator3 + control-plane: servicemesh-operator3 + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/arch + operator: In + values: + - amd64 + - arm64 + - ppc64le + - s390x + - key: kubernetes.io/os + operator: In + values: + - linux + containers: + - args: + - --health-probe-bind-address=:8081 + - --metrics-bind-address=:8443 + - --zap-log-level=info + command: + - /sail-operator + image: ${OSSM_OPERATOR_3_3} + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: sail-operator + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + limits: + cpu: 500m + memory: 1Gi + requests: + cpu: 10m + memory: 64Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + volumeMounts: + - mountPath: /etc/sail-operator + name: operator-config + readOnly: true + securityContext: + runAsNonRoot: true + serviceAccountName: servicemesh-operator3 + terminationGracePeriodSeconds: 10 + volumes: + - downwardAPI: + defaultMode: 420 + items: + - fieldRef: + fieldPath: metadata.annotations + path: config.properties + name: operator-config + permissions: + - rules: + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + serviceAccountName: servicemesh-operator3 + strategy: deployment + installModes: + - supported: false + type: OwnNamespace + - supported: false + type: SingleNamespace + - supported: false + type: MultiNamespace + - supported: true + type: AllNamespaces + keywords: + - istio + - servicemesh + - envoy + links: + - name: Istio Project + url: https://istio.io + maintainers: + - email: istio-feedback@redhat.com + name: OpenShift Service Mesh Team + maturity: alpha + provider: + name: Red Hat, Inc. + version: 3.3.1 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/crds.go b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/crds.go new file mode 100644 index 0000000000..4c8e382daa --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/crds.go @@ -0,0 +1,27 @@ +// Copyright Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Package crds provides embedded CRD YAML files for Istio and Sail resources. +package crds + +import "embed" + +// FS contains all CRD YAML files from the chart/crds directory. +// This allows programmatic access to CRDs for installation. +// +// CRD files follow the naming convention: {group}_{plural}.yaml +// Example: extensions.istio.io_wasmplugins.yaml +// +//go:embed *.yaml +var FS embed.FS diff --git a/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/extensions.istio.io_wasmplugins.yaml b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/extensions.istio.io_wasmplugins.yaml new file mode 100644 index 0000000000..61922e95af --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/extensions.istio.io_wasmplugins.yaml @@ -0,0 +1,361 @@ +# DO NOT EDIT - Generated by Cue OpenAPI generator based on Istio APIs. +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: wasmplugins.extensions.istio.io +spec: + group: extensions.istio.io + names: + categories: + - istio-io + - extensions-istio-io + kind: WasmPlugin + listKind: WasmPluginList + plural: wasmplugins + singular: wasmplugin + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Extend the functionality provided by the Istio proxy through + WebAssembly filters. See more details at: https://istio.io/docs/reference/config/proxy_extensions/wasm-plugin.html' + properties: + failStrategy: + description: |- + Specifies the failure behavior for the plugin due to fatal errors. + + Valid Options: FAIL_CLOSE, FAIL_OPEN, FAIL_RELOAD + enum: + - FAIL_CLOSE + - FAIL_OPEN + - FAIL_RELOAD + type: string + imagePullPolicy: + description: |- + The pull behaviour to be applied when fetching Wasm module by either OCI image or `http/https`. + + Valid Options: IfNotPresent, Always + enum: + - UNSPECIFIED_POLICY + - IfNotPresent + - Always + type: string + imagePullSecret: + description: Credentials to use for OCI image pulling. + maxLength: 253 + minLength: 1 + type: string + match: + description: Specifies the criteria to determine which traffic is + passed to WasmPlugin. + items: + properties: + mode: + description: |- + Criteria for selecting traffic by their direction. + + Valid Options: CLIENT, SERVER, CLIENT_AND_SERVER + enum: + - UNDEFINED + - CLIENT + - SERVER + - CLIENT_AND_SERVER + type: string + ports: + description: Criteria for selecting traffic by their destination + port. + items: + properties: + number: + maximum: 65535 + minimum: 1 + type: integer + required: + - number + type: object + type: array + x-kubernetes-list-map-keys: + - number + x-kubernetes-list-type: map + type: object + type: array + phase: + description: |- + Determines where in the filter chain this `WasmPlugin` is to be injected. + + Valid Options: AUTHN, AUTHZ, STATS + enum: + - UNSPECIFIED_PHASE + - AUTHN + - AUTHZ + - STATS + type: string + pluginConfig: + description: The configuration that will be passed on to the plugin. + type: object + x-kubernetes-preserve-unknown-fields: true + pluginName: + description: The plugin name to be used in the Envoy configuration + (used to be called `rootID`). + maxLength: 256 + minLength: 1 + type: string + priority: + description: Determines ordering of `WasmPlugins` in the same `phase`. + format: int32 + nullable: true + type: integer + selector: + description: Criteria used to select the specific set of pods/VMs + on which this plugin configuration should be applied. + properties: + matchLabels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard not allowed in label value match + rule: '!self.contains("*")' + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. + maxProperties: 4096 + type: object + x-kubernetes-validations: + - message: wildcard not allowed in label key match + rule: self.all(key, !key.contains("*")) + - message: key must not be empty + rule: self.all(key, key.size() != 0) + type: object + sha256: + description: SHA256 checksum that will be used to verify Wasm module + or OCI container. + pattern: (^$|^[a-f0-9]{64}$) + type: string + targetRef: + properties: + group: + description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name + type: object + targetRefs: + description: Optional. + items: + properties: + group: + description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name + type: object + maxItems: 16 + type: array + type: + description: |- + Specifies the type of Wasm Extension to be used. + + Valid Options: HTTP, NETWORK + enum: + - UNSPECIFIED_PLUGIN_TYPE + - HTTP + - NETWORK + type: string + url: + description: URL of a Wasm module or OCI container. + minLength: 1 + type: string + x-kubernetes-validations: + - message: url must have schema one of [http, https, file, oci] + rule: |- + isURL(self) ? (url(self).getScheme() in ["", "http", "https", "oci", "file"]) : (isURL("http://" + self) && + url("http://" + self).getScheme() in ["", "http", "https", "oci", "file"]) + verificationKey: + type: string + vmConfig: + description: Configuration for a Wasm VM. + properties: + env: + description: Specifies environment variables to be injected to + this VM. + items: + properties: + name: + description: Name of the environment variable. + maxLength: 256 + minLength: 1 + type: string + value: + description: Value for the environment variable. + maxLength: 2048 + type: string + valueFrom: + description: |- + Source for the environment variable's value. + + Valid Options: INLINE, HOST + enum: + - INLINE + - HOST + type: string + required: + - name + type: object + x-kubernetes-validations: + - message: value may only be set when valueFrom is INLINE + rule: '(has(self.valueFrom) ? self.valueFrom : "") != "HOST" + || !has(self.value)' + maxItems: 256 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + required: + - url + type: object + x-kubernetes-validations: + - message: only one of targetRefs or selector can be set + rule: '(has(self.selector) ? 1 : 0) + (has(self.targetRef) ? 1 : 0) + + (has(self.targetRefs) ? 1 : 0) <= 1' + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/networking.istio.io_destinationrules.yaml b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/networking.istio.io_destinationrules.yaml new file mode 100644 index 0000000000..eeeb5b0598 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/networking.istio.io_destinationrules.yaml @@ -0,0 +1,6028 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: destinationrules.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: DestinationRule + listKind: DestinationRuleList + plural: destinationrules + shortNames: + - dr + singular: destinationrule + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The name of a service from the service registry + jsonPath: .spec.host + name: Host + type: string + - description: CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. For more information, see [Kubernetes API Conventions](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata) + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting load balancing, outlier detection, + etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' + properties: + exportTo: + description: A list of namespaces to which this destination rule is + exported. + items: + type: string + type: array + host: + description: The name of a service from the service registry. + type: string + subsets: + description: One or more named sets that represent individual versions + of a service. + items: + properties: + labels: + additionalProperties: + type: string + description: Labels apply a filter over the endpoints of a service + in the service registry. + type: object + name: + description: Name of the subset. + type: string + trafficPolicy: + description: Traffic policies that apply to this subset. + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will + be queued while waiting for a ready connection + pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to + a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent streams + allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can + be outstanding to all hosts in a cluster at a + given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive probes + to send without response before deciding the + connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection + needs to be idle before keep-alive probes + start being sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + attributes: + description: Additional attributes for the cookie. + items: + properties: + name: + description: The name of the cookie attribute. + type: string + value: + description: The optional value of the + cookie attribute. + type: string + required: + - name + type: object + type: array + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend hosts. + properties: + minimumRingSize: + description: The minimum number of virtual nodes + to use for the hash ring. + minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: Enable locality load balancing. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the traffic + will fail over to when endpoints in the + 'from' region becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list + of labels used to sort endpoints to do priority + based load balancing. + items: + type: string + type: array + type: object + simple: + description: |2- + + + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmup: + description: Represents the warmup configuration of + Service. + properties: + aggression: + description: This parameter controls the speed of + traffic increase over the warmup duration. + format: double + minimum: 1 + nullable: true + type: number + duration: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + minimumPercent: + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + required: + - duration + type: object + warmupDurationSecs: + description: 'Deprecated: use `warmup` instead.' + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally originated + failures before ejection occurs. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxEjectionPercent: + description: Maximum % of hosts in the load balancing + pool for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled as long + as the associated load balancing pool has at least + `minHealthPercent` hosts in healthy mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that + will be queued while waiting for a ready + connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests + to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream + connection pool connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent + streams allowed for a peer on one HTTP/2 + connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per + connection to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that + can be outstanding to all hosts in a cluster + at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol + will be preserved while initiating connection + to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and + TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP + connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE + on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between + keep-alive probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive + probes to send without response before + deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection + needs to be idle before keep-alive probes + start being sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer + algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + attributes: + description: Additional attributes for + the cookie. + items: + properties: + name: + description: The name of the cookie + attribute. + type: string + value: + description: The optional value + of the cookie attribute. + type: string + required: + - name + type: object + type: array + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP + header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP + query parameter. + type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev + hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend + hosts. + properties: + minimumRingSize: + description: The minimum number of virtual + nodes to use for the hash ring. + minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' + separated, e.g. + type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities + to traffic distribution weights. + type: object + type: object + type: array + enabled: + description: Enable locality load balancing. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the + traffic will fail over to when endpoints + in the 'from' region becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered + list of labels used to sort endpoints to + do priority based load balancing. + items: + type: string + type: array + type: object + simple: + description: |2- + + + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmup: + description: Represents the warmup configuration + of Service. + properties: + aggression: + description: This parameter controls the speed + of traffic increase over the warmup duration. + format: double + minimum: 1 + nullable: true + type: number + duration: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + minimumPercent: + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + required: + - duration + type: object + warmupDurationSecs: + description: 'Deprecated: use `warmup` instead.' + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + consecutive5xxErrors: + description: Number of 5xx errors before a host + is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a + host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally + originated failures before ejection occurs. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep + analysis. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxEjectionPercent: + description: Maximum % of hosts in the load balancing + pool for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled + as long as the associated load balancing pool + has at least `minHealthPercent` hosts in healthy + mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish + local origin failures from external errors. + type: boolean + type: object + port: + description: Specifies the number of a port on the + destination service on which this policy is being + applied. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + tls: + description: TLS related settings for connections + to the upstream service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing + certificate authority certificates to use in + verifying a presented server certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use + in verifying a presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds + the TLS certs for the client including the CA + certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether + the proxy should skip verifying the CA signature + and SAN for the server certificate corresponding + to the host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server + during TLS handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify + the subject identity in the certificate. + items: + type: string + type: array + type: object + type: object + maxItems: 4096 + type: array + proxyProtocol: + description: The upstream PROXY protocol settings. + properties: + version: + description: |- + The PROXY protocol version to use. + + Valid Options: V1, V2 + enum: + - V1 + - V2 + type: string + type: object + retryBudget: + description: Specifies a limit on concurrent retries in + relation to the number of active requests. + properties: + minRetryConcurrency: + description: Specifies the minimum retry concurrency + allowed for the retry budget. + maximum: 4294967295 + minimum: 0 + type: integer + percent: + description: Specifies the limit on concurrent retries + as a percentage of the sum of active requests and + active pending requests. + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + type: object + tls: + description: TLS related settings for connections to the + upstream service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing + certificate authority certificates to use in verifying + a presented server certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use in verifying + a presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds the TLS + certs for the client including the CA certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether + the proxy should skip verifying the CA signature and + SAN for the server certificate corresponding to the + host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify the + subject identity in the certificate. + items: + type: string + type: array + type: object + tunnel: + description: Configuration of tunneling TCP over other transport + or application layers for the host configured in the DestinationRule. + properties: + protocol: + description: Specifies which protocol to use for tunneling + the downstream connection. + type: string + targetHost: + description: Specifies a host to which the downstream + connection is tunneled. + type: string + targetPort: + description: Specifies a port to which the downstream + connection is tunneled. + maximum: 4294967295 + minimum: 0 + type: integer + required: + - targetHost + - targetPort + type: object + type: object + required: + - name + type: object + type: array + trafficPolicy: + description: Traffic policies to apply (load balancing policy, connection + pool sizes, outlier detection). + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued + while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent streams + allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding + to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved + while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive probes to + send without response before deciding the connection + is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs + to be idle before keep-alive probes start being + sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + attributes: + description: Additional attributes for the cookie. + items: + properties: + name: + description: The name of the cookie attribute. + type: string + value: + description: The optional value of the cookie + attribute. + type: string + required: + - name + type: object + type: array + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + type: string + maglev: + description: The Maglev load balancer implements consistent + hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer implements + consistent hashing to backend hosts. + properties: + minimumRingSize: + description: The minimum number of virtual nodes to + use for the hash ring. + minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, failover + or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities to traffic + distribution weights. + type: object + type: object + type: array + enabled: + description: Enable locality load balancing. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, failover + or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the traffic will + fail over to when endpoints in the 'from' region + becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list of labels + used to sort endpoints to do priority based load balancing. + items: + type: string + type: array + type: object + simple: + description: |2- + + + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmup: + description: Represents the warmup configuration of Service. + properties: + aggression: + description: This parameter controls the speed of traffic + increase over the warmup duration. + format: double + minimum: 1 + nullable: true + type: number + duration: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + minimumPercent: + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + required: + - duration + type: object + warmupDurationSecs: + description: 'Deprecated: use `warmup` instead.' + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected + from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally originated + failures before ejection occurs. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxEjectionPercent: + description: Maximum % of hosts in the load balancing pool + for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled as long as + the associated load balancing pool has at least `minHealthPercent` + hosts in healthy mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local origin + failures from external errors. + type: boolean + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will + be queued while waiting for a ready connection + pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to + a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent streams + allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can + be outstanding to all hosts in a cluster at a + given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive probes + to send without response before deciding the + connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection + needs to be idle before keep-alive probes + start being sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + attributes: + description: Additional attributes for the cookie. + items: + properties: + name: + description: The name of the cookie attribute. + type: string + value: + description: The optional value of the + cookie attribute. + type: string + required: + - name + type: object + type: array + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend hosts. + properties: + minimumRingSize: + description: The minimum number of virtual nodes + to use for the hash ring. + minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: Enable locality load balancing. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the traffic + will fail over to when endpoints in the + 'from' region becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list + of labels used to sort endpoints to do priority + based load balancing. + items: + type: string + type: array + type: object + simple: + description: |2- + + + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmup: + description: Represents the warmup configuration of + Service. + properties: + aggression: + description: This parameter controls the speed of + traffic increase over the warmup duration. + format: double + minimum: 1 + nullable: true + type: number + duration: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + minimumPercent: + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + required: + - duration + type: object + warmupDurationSecs: + description: 'Deprecated: use `warmup` instead.' + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally originated + failures before ejection occurs. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxEjectionPercent: + description: Maximum % of hosts in the load balancing + pool for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled as long + as the associated load balancing pool has at least + `minHealthPercent` hosts in healthy mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean + type: object + port: + description: Specifies the number of a port on the destination + service on which this policy is being applied. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + tls: + description: TLS related settings for connections to the + upstream service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing + certificate authority certificates to use in verifying + a presented server certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use in verifying + a presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds the TLS + certs for the client including the CA certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether + the proxy should skip verifying the CA signature and + SAN for the server certificate corresponding to the + host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify the + subject identity in the certificate. + items: + type: string + type: array + type: object + type: object + maxItems: 4096 + type: array + proxyProtocol: + description: The upstream PROXY protocol settings. + properties: + version: + description: |- + The PROXY protocol version to use. + + Valid Options: V1, V2 + enum: + - V1 + - V2 + type: string + type: object + retryBudget: + description: Specifies a limit on concurrent retries in relation + to the number of active requests. + properties: + minRetryConcurrency: + description: Specifies the minimum retry concurrency allowed + for the retry budget. + maximum: 4294967295 + minimum: 0 + type: integer + percent: + description: Specifies the limit on concurrent retries as + a percentage of the sum of active requests and active pending + requests. + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + type: object + tls: + description: TLS related settings for connections to the upstream + service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing certificate + authority certificates to use in verifying a presented server + certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the + certificate revocation list (CRL) to use in verifying a + presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds the TLS certs + for the client including the CA certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether the proxy + should skip verifying the CA signature and SAN for the server + certificate corresponding to the host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during TLS + handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject + identity in the certificate. + items: + type: string + type: array + type: object + tunnel: + description: Configuration of tunneling TCP over other transport + or application layers for the host configured in the DestinationRule. + properties: + protocol: + description: Specifies which protocol to use for tunneling + the downstream connection. + type: string + targetHost: + description: Specifies a host to which the downstream connection + is tunneled. + type: string + targetPort: + description: Specifies a port to which the downstream connection + is tunneled. + maximum: 4294967295 + minimum: 0 + type: integer + required: + - targetHost + - targetPort + type: object + type: object + workloadSelector: + description: Criteria used to select the specific set of pods/VMs + on which this `DestinationRule` configuration should be applied. + properties: + matchLabels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard not allowed in label value match + rule: '!self.contains("*")' + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. + maxProperties: 4096 + type: object + x-kubernetes-validations: + - message: wildcard not allowed in label key match + rule: self.all(key, !key.contains("*")) + - message: key must not be empty + rule: self.all(key, key.size() != 0) + type: object + required: + - host + type: object + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: The name of a service from the service registry + jsonPath: .spec.host + name: Host + type: string + - description: CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. For more information, see [Kubernetes API Conventions](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata) + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting load balancing, outlier detection, + etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' + properties: + exportTo: + description: A list of namespaces to which this destination rule is + exported. + items: + type: string + type: array + host: + description: The name of a service from the service registry. + type: string + subsets: + description: One or more named sets that represent individual versions + of a service. + items: + properties: + labels: + additionalProperties: + type: string + description: Labels apply a filter over the endpoints of a service + in the service registry. + type: object + name: + description: Name of the subset. + type: string + trafficPolicy: + description: Traffic policies that apply to this subset. + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will + be queued while waiting for a ready connection + pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to + a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent streams + allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can + be outstanding to all hosts in a cluster at a + given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive probes + to send without response before deciding the + connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection + needs to be idle before keep-alive probes + start being sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + attributes: + description: Additional attributes for the cookie. + items: + properties: + name: + description: The name of the cookie attribute. + type: string + value: + description: The optional value of the + cookie attribute. + type: string + required: + - name + type: object + type: array + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend hosts. + properties: + minimumRingSize: + description: The minimum number of virtual nodes + to use for the hash ring. + minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: Enable locality load balancing. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the traffic + will fail over to when endpoints in the + 'from' region becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list + of labels used to sort endpoints to do priority + based load balancing. + items: + type: string + type: array + type: object + simple: + description: |2- + + + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmup: + description: Represents the warmup configuration of + Service. + properties: + aggression: + description: This parameter controls the speed of + traffic increase over the warmup duration. + format: double + minimum: 1 + nullable: true + type: number + duration: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + minimumPercent: + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + required: + - duration + type: object + warmupDurationSecs: + description: 'Deprecated: use `warmup` instead.' + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally originated + failures before ejection occurs. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxEjectionPercent: + description: Maximum % of hosts in the load balancing + pool for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled as long + as the associated load balancing pool has at least + `minHealthPercent` hosts in healthy mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that + will be queued while waiting for a ready + connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests + to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream + connection pool connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent + streams allowed for a peer on one HTTP/2 + connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per + connection to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that + can be outstanding to all hosts in a cluster + at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol + will be preserved while initiating connection + to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and + TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP + connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE + on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between + keep-alive probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive + probes to send without response before + deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection + needs to be idle before keep-alive probes + start being sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer + algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + attributes: + description: Additional attributes for + the cookie. + items: + properties: + name: + description: The name of the cookie + attribute. + type: string + value: + description: The optional value + of the cookie attribute. + type: string + required: + - name + type: object + type: array + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP + header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP + query parameter. + type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev + hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend + hosts. + properties: + minimumRingSize: + description: The minimum number of virtual + nodes to use for the hash ring. + minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' + separated, e.g. + type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities + to traffic distribution weights. + type: object + type: object + type: array + enabled: + description: Enable locality load balancing. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the + traffic will fail over to when endpoints + in the 'from' region becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered + list of labels used to sort endpoints to + do priority based load balancing. + items: + type: string + type: array + type: object + simple: + description: |2- + + + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmup: + description: Represents the warmup configuration + of Service. + properties: + aggression: + description: This parameter controls the speed + of traffic increase over the warmup duration. + format: double + minimum: 1 + nullable: true + type: number + duration: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + minimumPercent: + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + required: + - duration + type: object + warmupDurationSecs: + description: 'Deprecated: use `warmup` instead.' + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + consecutive5xxErrors: + description: Number of 5xx errors before a host + is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a + host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally + originated failures before ejection occurs. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep + analysis. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxEjectionPercent: + description: Maximum % of hosts in the load balancing + pool for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled + as long as the associated load balancing pool + has at least `minHealthPercent` hosts in healthy + mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish + local origin failures from external errors. + type: boolean + type: object + port: + description: Specifies the number of a port on the + destination service on which this policy is being + applied. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + tls: + description: TLS related settings for connections + to the upstream service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing + certificate authority certificates to use in + verifying a presented server certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use + in verifying a presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds + the TLS certs for the client including the CA + certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether + the proxy should skip verifying the CA signature + and SAN for the server certificate corresponding + to the host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server + during TLS handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify + the subject identity in the certificate. + items: + type: string + type: array + type: object + type: object + maxItems: 4096 + type: array + proxyProtocol: + description: The upstream PROXY protocol settings. + properties: + version: + description: |- + The PROXY protocol version to use. + + Valid Options: V1, V2 + enum: + - V1 + - V2 + type: string + type: object + retryBudget: + description: Specifies a limit on concurrent retries in + relation to the number of active requests. + properties: + minRetryConcurrency: + description: Specifies the minimum retry concurrency + allowed for the retry budget. + maximum: 4294967295 + minimum: 0 + type: integer + percent: + description: Specifies the limit on concurrent retries + as a percentage of the sum of active requests and + active pending requests. + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + type: object + tls: + description: TLS related settings for connections to the + upstream service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing + certificate authority certificates to use in verifying + a presented server certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use in verifying + a presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds the TLS + certs for the client including the CA certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether + the proxy should skip verifying the CA signature and + SAN for the server certificate corresponding to the + host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify the + subject identity in the certificate. + items: + type: string + type: array + type: object + tunnel: + description: Configuration of tunneling TCP over other transport + or application layers for the host configured in the DestinationRule. + properties: + protocol: + description: Specifies which protocol to use for tunneling + the downstream connection. + type: string + targetHost: + description: Specifies a host to which the downstream + connection is tunneled. + type: string + targetPort: + description: Specifies a port to which the downstream + connection is tunneled. + maximum: 4294967295 + minimum: 0 + type: integer + required: + - targetHost + - targetPort + type: object + type: object + required: + - name + type: object + type: array + trafficPolicy: + description: Traffic policies to apply (load balancing policy, connection + pool sizes, outlier detection). + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued + while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent streams + allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding + to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved + while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive probes to + send without response before deciding the connection + is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs + to be idle before keep-alive probes start being + sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + attributes: + description: Additional attributes for the cookie. + items: + properties: + name: + description: The name of the cookie attribute. + type: string + value: + description: The optional value of the cookie + attribute. + type: string + required: + - name + type: object + type: array + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + type: string + maglev: + description: The Maglev load balancer implements consistent + hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer implements + consistent hashing to backend hosts. + properties: + minimumRingSize: + description: The minimum number of virtual nodes to + use for the hash ring. + minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, failover + or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities to traffic + distribution weights. + type: object + type: object + type: array + enabled: + description: Enable locality load balancing. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, failover + or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the traffic will + fail over to when endpoints in the 'from' region + becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list of labels + used to sort endpoints to do priority based load balancing. + items: + type: string + type: array + type: object + simple: + description: |2- + + + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmup: + description: Represents the warmup configuration of Service. + properties: + aggression: + description: This parameter controls the speed of traffic + increase over the warmup duration. + format: double + minimum: 1 + nullable: true + type: number + duration: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + minimumPercent: + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + required: + - duration + type: object + warmupDurationSecs: + description: 'Deprecated: use `warmup` instead.' + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected + from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally originated + failures before ejection occurs. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxEjectionPercent: + description: Maximum % of hosts in the load balancing pool + for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled as long as + the associated load balancing pool has at least `minHealthPercent` + hosts in healthy mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local origin + failures from external errors. + type: boolean + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will + be queued while waiting for a ready connection + pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to + a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent streams + allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can + be outstanding to all hosts in a cluster at a + given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive probes + to send without response before deciding the + connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection + needs to be idle before keep-alive probes + start being sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + attributes: + description: Additional attributes for the cookie. + items: + properties: + name: + description: The name of the cookie attribute. + type: string + value: + description: The optional value of the + cookie attribute. + type: string + required: + - name + type: object + type: array + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend hosts. + properties: + minimumRingSize: + description: The minimum number of virtual nodes + to use for the hash ring. + minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: Enable locality load balancing. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the traffic + will fail over to when endpoints in the + 'from' region becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list + of labels used to sort endpoints to do priority + based load balancing. + items: + type: string + type: array + type: object + simple: + description: |2- + + + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmup: + description: Represents the warmup configuration of + Service. + properties: + aggression: + description: This parameter controls the speed of + traffic increase over the warmup duration. + format: double + minimum: 1 + nullable: true + type: number + duration: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + minimumPercent: + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + required: + - duration + type: object + warmupDurationSecs: + description: 'Deprecated: use `warmup` instead.' + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally originated + failures before ejection occurs. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxEjectionPercent: + description: Maximum % of hosts in the load balancing + pool for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled as long + as the associated load balancing pool has at least + `minHealthPercent` hosts in healthy mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean + type: object + port: + description: Specifies the number of a port on the destination + service on which this policy is being applied. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + tls: + description: TLS related settings for connections to the + upstream service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing + certificate authority certificates to use in verifying + a presented server certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use in verifying + a presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds the TLS + certs for the client including the CA certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether + the proxy should skip verifying the CA signature and + SAN for the server certificate corresponding to the + host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify the + subject identity in the certificate. + items: + type: string + type: array + type: object + type: object + maxItems: 4096 + type: array + proxyProtocol: + description: The upstream PROXY protocol settings. + properties: + version: + description: |- + The PROXY protocol version to use. + + Valid Options: V1, V2 + enum: + - V1 + - V2 + type: string + type: object + retryBudget: + description: Specifies a limit on concurrent retries in relation + to the number of active requests. + properties: + minRetryConcurrency: + description: Specifies the minimum retry concurrency allowed + for the retry budget. + maximum: 4294967295 + minimum: 0 + type: integer + percent: + description: Specifies the limit on concurrent retries as + a percentage of the sum of active requests and active pending + requests. + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + type: object + tls: + description: TLS related settings for connections to the upstream + service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing certificate + authority certificates to use in verifying a presented server + certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the + certificate revocation list (CRL) to use in verifying a + presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds the TLS certs + for the client including the CA certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether the proxy + should skip verifying the CA signature and SAN for the server + certificate corresponding to the host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during TLS + handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject + identity in the certificate. + items: + type: string + type: array + type: object + tunnel: + description: Configuration of tunneling TCP over other transport + or application layers for the host configured in the DestinationRule. + properties: + protocol: + description: Specifies which protocol to use for tunneling + the downstream connection. + type: string + targetHost: + description: Specifies a host to which the downstream connection + is tunneled. + type: string + targetPort: + description: Specifies a port to which the downstream connection + is tunneled. + maximum: 4294967295 + minimum: 0 + type: integer + required: + - targetHost + - targetPort + type: object + type: object + workloadSelector: + description: Criteria used to select the specific set of pods/VMs + on which this `DestinationRule` configuration should be applied. + properties: + matchLabels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard not allowed in label value match + rule: '!self.contains("*")' + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. + maxProperties: 4096 + type: object + x-kubernetes-validations: + - message: wildcard not allowed in label key match + rule: self.all(key, !key.contains("*")) + - message: key must not be empty + rule: self.all(key, key.size() != 0) + type: object + required: + - host + type: object + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: The name of a service from the service registry + jsonPath: .spec.host + name: Host + type: string + - description: CreationTimestamp is a timestamp representing the server time when + this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. For more information, see [Kubernetes API Conventions](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata) + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting load balancing, outlier detection, + etc. See more details at: https://istio.io/docs/reference/config/networking/destination-rule.html' + properties: + exportTo: + description: A list of namespaces to which this destination rule is + exported. + items: + type: string + type: array + host: + description: The name of a service from the service registry. + type: string + subsets: + description: One or more named sets that represent individual versions + of a service. + items: + properties: + labels: + additionalProperties: + type: string + description: Labels apply a filter over the endpoints of a service + in the service registry. + type: object + name: + description: Name of the subset. + type: string + trafficPolicy: + description: Traffic policies that apply to this subset. + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will + be queued while waiting for a ready connection + pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to + a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent streams + allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can + be outstanding to all hosts in a cluster at a + given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive probes + to send without response before deciding the + connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection + needs to be idle before keep-alive probes + start being sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + attributes: + description: Additional attributes for the cookie. + items: + properties: + name: + description: The name of the cookie attribute. + type: string + value: + description: The optional value of the + cookie attribute. + type: string + required: + - name + type: object + type: array + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend hosts. + properties: + minimumRingSize: + description: The minimum number of virtual nodes + to use for the hash ring. + minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: Enable locality load balancing. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the traffic + will fail over to when endpoints in the + 'from' region becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list + of labels used to sort endpoints to do priority + based load balancing. + items: + type: string + type: array + type: object + simple: + description: |2- + + + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmup: + description: Represents the warmup configuration of + Service. + properties: + aggression: + description: This parameter controls the speed of + traffic increase over the warmup duration. + format: double + minimum: 1 + nullable: true + type: number + duration: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + minimumPercent: + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + required: + - duration + type: object + warmupDurationSecs: + description: 'Deprecated: use `warmup` instead.' + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally originated + failures before ejection occurs. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxEjectionPercent: + description: Maximum % of hosts in the load balancing + pool for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled as long + as the associated load balancing pool has at least + `minHealthPercent` hosts in healthy mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that + will be queued while waiting for a ready + connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests + to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream + connection pool connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent + streams allowed for a peer on one HTTP/2 + connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per + connection to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that + can be outstanding to all hosts in a cluster + at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol + will be preserved while initiating connection + to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and + TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP + connections to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE + on the socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between + keep-alive probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive + probes to send without response before + deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection + needs to be idle before keep-alive probes + start being sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer + algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + attributes: + description: Additional attributes for + the cookie. + items: + properties: + name: + description: The name of the cookie + attribute. + type: string + value: + description: The optional value + of the cookie attribute. + type: string + required: + - name + type: object + type: array + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP + header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP + query parameter. + type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev + hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend + hosts. + properties: + minimumRingSize: + description: The minimum number of virtual + nodes to use for the hash ring. + minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' + separated, e.g. + type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities + to traffic distribution weights. + type: object + type: object + type: array + enabled: + description: Enable locality load balancing. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the + traffic will fail over to when endpoints + in the 'from' region becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered + list of labels used to sort endpoints to + do priority based load balancing. + items: + type: string + type: array + type: object + simple: + description: |2- + + + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmup: + description: Represents the warmup configuration + of Service. + properties: + aggression: + description: This parameter controls the speed + of traffic increase over the warmup duration. + format: double + minimum: 1 + nullable: true + type: number + duration: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + minimumPercent: + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + required: + - duration + type: object + warmupDurationSecs: + description: 'Deprecated: use `warmup` instead.' + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + consecutive5xxErrors: + description: Number of 5xx errors before a host + is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a + host is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally + originated failures before ejection occurs. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep + analysis. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxEjectionPercent: + description: Maximum % of hosts in the load balancing + pool for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled + as long as the associated load balancing pool + has at least `minHealthPercent` hosts in healthy + mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish + local origin failures from external errors. + type: boolean + type: object + port: + description: Specifies the number of a port on the + destination service on which this policy is being + applied. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + tls: + description: TLS related settings for connections + to the upstream service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing + certificate authority certificates to use in + verifying a presented server certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use + in verifying a presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds + the TLS certs for the client including the CA + certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether + the proxy should skip verifying the CA signature + and SAN for the server certificate corresponding + to the host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server + during TLS handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify + the subject identity in the certificate. + items: + type: string + type: array + type: object + type: object + maxItems: 4096 + type: array + proxyProtocol: + description: The upstream PROXY protocol settings. + properties: + version: + description: |- + The PROXY protocol version to use. + + Valid Options: V1, V2 + enum: + - V1 + - V2 + type: string + type: object + retryBudget: + description: Specifies a limit on concurrent retries in + relation to the number of active requests. + properties: + minRetryConcurrency: + description: Specifies the minimum retry concurrency + allowed for the retry budget. + maximum: 4294967295 + minimum: 0 + type: integer + percent: + description: Specifies the limit on concurrent retries + as a percentage of the sum of active requests and + active pending requests. + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + type: object + tls: + description: TLS related settings for connections to the + upstream service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing + certificate authority certificates to use in verifying + a presented server certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use in verifying + a presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds the TLS + certs for the client including the CA certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether + the proxy should skip verifying the CA signature and + SAN for the server certificate corresponding to the + host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify the + subject identity in the certificate. + items: + type: string + type: array + type: object + tunnel: + description: Configuration of tunneling TCP over other transport + or application layers for the host configured in the DestinationRule. + properties: + protocol: + description: Specifies which protocol to use for tunneling + the downstream connection. + type: string + targetHost: + description: Specifies a host to which the downstream + connection is tunneled. + type: string + targetPort: + description: Specifies a port to which the downstream + connection is tunneled. + maximum: 4294967295 + minimum: 0 + type: integer + required: + - targetHost + - targetPort + type: object + type: object + required: + - name + type: object + type: array + trafficPolicy: + description: Traffic policies to apply (load balancing policy, connection + pool sizes, outlier detection). + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued + while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent streams + allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding + to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved + while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive probes to + send without response before deciding the connection + is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs + to be idle before keep-alive probes start being + sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + attributes: + description: Additional attributes for the cookie. + items: + properties: + name: + description: The name of the cookie attribute. + type: string + value: + description: The optional value of the cookie + attribute. + type: string + required: + - name + type: object + type: array + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query parameter. + type: string + maglev: + description: The Maglev load balancer implements consistent + hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer implements + consistent hashing to backend hosts. + properties: + minimumRingSize: + description: The minimum number of virtual nodes to + use for the hash ring. + minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, failover + or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities to traffic + distribution weights. + type: object + type: object + type: array + enabled: + description: Enable locality load balancing. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, failover + or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the traffic will + fail over to when endpoints in the 'from' region + becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list of labels + used to sort endpoints to do priority based load balancing. + items: + type: string + type: array + type: object + simple: + description: |2- + + + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmup: + description: Represents the warmup configuration of Service. + properties: + aggression: + description: This parameter controls the speed of traffic + increase over the warmup duration. + format: double + minimum: 1 + nullable: true + type: number + duration: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + minimumPercent: + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + required: + - duration + type: object + warmupDurationSecs: + description: 'Deprecated: use `warmup` instead.' + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host is ejected + from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally originated + failures before ejection occurs. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxEjectionPercent: + description: Maximum % of hosts in the load balancing pool + for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled as long as + the associated load balancing pool has at least `minHealthPercent` + hosts in healthy mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local origin + failures from external errors. + type: boolean + type: object + portLevelSettings: + description: Traffic policies specific to individual ports. + items: + properties: + connectionPool: + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will + be queued while waiting for a ready connection + pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to + a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent streams + allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can + be outstanding to all hosts in a cluster at a + given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will + be preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the + socket to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive probes + to send without response before deciding the + connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection + needs to be idle before keep-alive probes + start being sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + loadBalancer: + description: Settings controlling the load balancer algorithms. + oneOf: + - not: + anyOf: + - required: + - simple + - required: + - consistentHash + - required: + - simple + - required: + - consistentHash + properties: + consistentHash: + allOf: + - oneOf: + - not: + anyOf: + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - required: + - httpHeaderName + - required: + - httpCookie + - required: + - useSourceIp + - required: + - httpQueryParameterName + - oneOf: + - not: + anyOf: + - required: + - ringHash + - required: + - maglev + - required: + - ringHash + - required: + - maglev + properties: + httpCookie: + description: Hash based on HTTP cookie. + properties: + attributes: + description: Additional attributes for the cookie. + items: + properties: + name: + description: The name of the cookie attribute. + type: string + value: + description: The optional value of the + cookie attribute. + type: string + required: + - name + type: object + type: array + name: + description: Name of the cookie. + type: string + path: + description: Path to set for the cookie. + type: string + ttl: + description: Lifetime of the cookie. + type: string + required: + - name + type: object + httpHeaderName: + description: Hash based on a specific HTTP header. + type: string + httpQueryParameterName: + description: Hash based on a specific HTTP query + parameter. + type: string + maglev: + description: The Maglev load balancer implements + consistent hashing to backend hosts. + properties: + tableSize: + description: The table size for Maglev hashing. + minimum: 0 + type: integer + type: object + minimumRingSize: + description: Deprecated. + minimum: 0 + type: integer + ringHash: + description: The ring/modulo hash load balancer + implements consistent hashing to backend hosts. + properties: + minimumRingSize: + description: The minimum number of virtual nodes + to use for the hash ring. + minimum: 0 + type: integer + type: object + useSourceIp: + description: Hash based on the source IP address. + type: boolean + type: object + localityLbSetting: + properties: + distribute: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating locality, '/' separated, + e.g. + type: string + to: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + description: Map of upstream localities to + traffic distribution weights. + type: object + type: object + type: array + enabled: + description: Enable locality load balancing. + nullable: true + type: boolean + failover: + description: 'Optional: only one of distribute, + failover or failoverPriority can be set.' + items: + properties: + from: + description: Originating region. + type: string + to: + description: Destination region the traffic + will fail over to when endpoints in the + 'from' region becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: failoverPriority is an ordered list + of labels used to sort endpoints to do priority + based load balancing. + items: + type: string + type: array + type: object + simple: + description: |2- + + + Valid Options: LEAST_CONN, RANDOM, PASSTHROUGH, ROUND_ROBIN, LEAST_REQUEST + enum: + - UNSPECIFIED + - LEAST_CONN + - RANDOM + - PASSTHROUGH + - ROUND_ROBIN + - LEAST_REQUEST + type: string + warmup: + description: Represents the warmup configuration of + Service. + properties: + aggression: + description: This parameter controls the speed of + traffic increase over the warmup duration. + format: double + minimum: 1 + nullable: true + type: number + duration: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + minimumPercent: + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + required: + - duration + type: object + warmupDurationSecs: + description: 'Deprecated: use `warmup` instead.' + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + outlierDetection: + properties: + baseEjectionTime: + description: Minimum ejection duration. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + consecutive5xxErrors: + description: Number of 5xx errors before a host is ejected + from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveErrors: + format: int32 + type: integer + consecutiveGatewayErrors: + description: Number of gateway errors before a host + is ejected from the connection pool. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + consecutiveLocalOriginFailures: + description: The number of consecutive locally originated + failures before ejection occurs. + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + interval: + description: Time interval between ejection sweep analysis. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxEjectionPercent: + description: Maximum % of hosts in the load balancing + pool for the upstream service that can be ejected. + format: int32 + type: integer + minHealthPercent: + description: Outlier detection will be enabled as long + as the associated load balancing pool has at least + `minHealthPercent` hosts in healthy mode. + format: int32 + type: integer + splitExternalLocalOriginErrors: + description: Determines whether to distinguish local + origin failures from external errors. + type: boolean + type: object + port: + description: Specifies the number of a port on the destination + service on which this policy is being applied. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + tls: + description: TLS related settings for connections to the + upstream service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing + certificate authority certificates to use in verifying + a presented server certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use in verifying + a presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds the TLS + certs for the client including the CA certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether + the proxy should skip verifying the CA signature and + SAN for the server certificate corresponding to the + host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during + TLS handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify the + subject identity in the certificate. + items: + type: string + type: array + type: object + type: object + maxItems: 4096 + type: array + proxyProtocol: + description: The upstream PROXY protocol settings. + properties: + version: + description: |- + The PROXY protocol version to use. + + Valid Options: V1, V2 + enum: + - V1 + - V2 + type: string + type: object + retryBudget: + description: Specifies a limit on concurrent retries in relation + to the number of active requests. + properties: + minRetryConcurrency: + description: Specifies the minimum retry concurrency allowed + for the retry budget. + maximum: 4294967295 + minimum: 0 + type: integer + percent: + description: Specifies the limit on concurrent retries as + a percentage of the sum of active requests and active pending + requests. + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + type: object + tls: + description: TLS related settings for connections to the upstream + service. + properties: + caCertificates: + description: 'OPTIONAL: The path to the file containing certificate + authority certificates to use in verifying a presented server + certificate.' + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing the + certificate revocation list (CRL) to use in verifying a + presented server certificate.' + type: string + clientCertificate: + description: REQUIRED if mode is `MUTUAL`. + type: string + credentialName: + description: The name of the secret that holds the TLS certs + for the client including the CA certificates. + type: string + insecureSkipVerify: + description: '`insecureSkipVerify` specifies whether the proxy + should skip verifying the CA signature and SAN for the server + certificate corresponding to the host.' + nullable: true + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured using TLS. + + Valid Options: DISABLE, SIMPLE, MUTUAL, ISTIO_MUTUAL + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `MUTUAL`. + type: string + sni: + description: SNI string to present to the server during TLS + handshake. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject + identity in the certificate. + items: + type: string + type: array + type: object + tunnel: + description: Configuration of tunneling TCP over other transport + or application layers for the host configured in the DestinationRule. + properties: + protocol: + description: Specifies which protocol to use for tunneling + the downstream connection. + type: string + targetHost: + description: Specifies a host to which the downstream connection + is tunneled. + type: string + targetPort: + description: Specifies a port to which the downstream connection + is tunneled. + maximum: 4294967295 + minimum: 0 + type: integer + required: + - targetHost + - targetPort + type: object + type: object + workloadSelector: + description: Criteria used to select the specific set of pods/VMs + on which this `DestinationRule` configuration should be applied. + properties: + matchLabels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard not allowed in label value match + rule: '!self.contains("*")' + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. + maxProperties: 4096 + type: object + x-kubernetes-validations: + - message: wildcard not allowed in label key match + rule: self.all(key, !key.contains("*")) + - message: key must not be empty + rule: self.all(key, key.size() != 0) + type: object + required: + - host + type: object + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/networking.istio.io_envoyfilters.yaml b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/networking.istio.io_envoyfilters.yaml new file mode 100644 index 0000000000..b976f41da6 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/networking.istio.io_envoyfilters.yaml @@ -0,0 +1,406 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: envoyfilters.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: EnvoyFilter + listKind: EnvoyFilterList + plural: envoyfilters + singular: envoyfilter + scope: Namespaced + versions: + - name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Customizing Envoy configuration generated by Istio. See + more details at: https://istio.io/docs/reference/config/networking/envoy-filter.html' + properties: + configPatches: + description: One or more patches with match conditions. + items: + properties: + applyTo: + description: |- + Specifies where in the Envoy configuration, the patch should be applied. + + Valid Options: LISTENER, FILTER_CHAIN, NETWORK_FILTER, HTTP_FILTER, ROUTE_CONFIGURATION, VIRTUAL_HOST, HTTP_ROUTE, CLUSTER, EXTENSION_CONFIG, BOOTSTRAP, LISTENER_FILTER + enum: + - INVALID + - LISTENER + - FILTER_CHAIN + - NETWORK_FILTER + - HTTP_FILTER + - ROUTE_CONFIGURATION + - VIRTUAL_HOST + - HTTP_ROUTE + - CLUSTER + - EXTENSION_CONFIG + - BOOTSTRAP + - LISTENER_FILTER + type: string + match: + description: Match on listener/route configuration/cluster. + oneOf: + - not: + anyOf: + - required: + - listener + - required: + - routeConfiguration + - required: + - cluster + - required: + - listener + - required: + - routeConfiguration + - required: + - cluster + properties: + cluster: + description: Match on envoy cluster attributes. + properties: + name: + description: The exact name of the cluster to match. + type: string + portNumber: + description: The service port for which this cluster + was generated. + maximum: 4294967295 + minimum: 0 + type: integer + service: + description: The fully qualified service name for this + cluster. + type: string + subset: + description: The subset associated with the service. + type: string + type: object + context: + description: |- + The specific config generation context to match on. + + Valid Options: ANY, SIDECAR_INBOUND, SIDECAR_OUTBOUND, GATEWAY + enum: + - ANY + - SIDECAR_INBOUND + - SIDECAR_OUTBOUND + - GATEWAY + type: string + listener: + description: Match on envoy listener attributes. + properties: + filterChain: + description: Match a specific filter chain in a listener. + properties: + applicationProtocols: + description: Applies only to sidecars. + type: string + destinationPort: + description: The destination_port value used by + a filter chain's match condition. + maximum: 4294967295 + minimum: 0 + type: integer + filter: + description: The name of a specific filter to apply + the patch to. + properties: + name: + description: The filter name to match on. + type: string + subFilter: + description: The next level filter within this + filter to match upon. + properties: + name: + description: The filter name to match on. + type: string + type: object + type: object + name: + description: The name assigned to the filter chain. + type: string + sni: + description: The SNI value used by a filter chain's + match condition. + type: string + transportProtocol: + description: Applies only to `SIDECAR_INBOUND` context. + type: string + type: object + listenerFilter: + description: Match a specific listener filter. + type: string + name: + description: Match a specific listener by its name. + type: string + portName: + type: string + portNumber: + description: The service port/gateway port to which + traffic is being sent/received. + maximum: 4294967295 + minimum: 0 + type: integer + type: object + proxy: + description: Match on properties associated with a proxy. + properties: + metadata: + additionalProperties: + type: string + description: Match on the node metadata supplied by + a proxy when connecting to istiod. + type: object + proxyVersion: + description: A regular expression in golang regex format + (RE2) that can be used to select proxies using a specific + version of istio proxy. + type: string + type: object + routeConfiguration: + description: Match on envoy HTTP route configuration attributes. + properties: + gateway: + description: The Istio gateway config's namespace/name + for which this route configuration was generated. + type: string + name: + description: Route configuration name to match on. + type: string + portName: + description: Applicable only for GATEWAY context. + type: string + portNumber: + description: The service port number or gateway server + port number for which this route configuration was + generated. + maximum: 4294967295 + minimum: 0 + type: integer + vhost: + description: Match a specific virtual host in a route + configuration and apply the patch to the virtual host. + properties: + domainName: + description: Match a domain name in a virtual host. + type: string + name: + description: The VirtualHosts objects generated + by Istio are named as host:port, where the host + typically corresponds to the VirtualService's + host field or the hostname of a service in the + registry. + type: string + route: + description: Match a specific route within the virtual + host. + properties: + action: + description: |- + Match a route with specific action type. + + Valid Options: ANY, ROUTE, REDIRECT, DIRECT_RESPONSE + enum: + - ANY + - ROUTE + - REDIRECT + - DIRECT_RESPONSE + type: string + name: + description: The Route objects generated by + default are named as default. + type: string + type: object + type: object + type: object + type: object + patch: + description: The patch to apply along with the operation. + properties: + filterClass: + description: |- + Determines the filter insertion order. + + Valid Options: AUTHN, AUTHZ, STATS + enum: + - UNSPECIFIED + - AUTHN + - AUTHZ + - STATS + type: string + operation: + description: |- + Determines how the patch should be applied. + + Valid Options: MERGE, ADD, REMOVE, INSERT_BEFORE, INSERT_AFTER, INSERT_FIRST, REPLACE + enum: + - INVALID + - MERGE + - ADD + - REMOVE + - INSERT_BEFORE + - INSERT_AFTER + - INSERT_FIRST + - REPLACE + type: string + value: + description: The JSON config of the object being patched. + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + priority: + description: Priority defines the order in which patch sets are applied + within a context. + format: int32 + type: integer + targetRefs: + description: Optional. + items: + properties: + group: + description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name + type: object + maxItems: 16 + type: array + workloadSelector: + description: Criteria used to select the specific set of pods/VMs + on which this patch configuration should be applied. + properties: + labels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: '!self.contains("*")' + description: One or more labels that indicate a specific set of + pods/VMs on which the configuration should be applied. + maxProperties: 256 + type: object + type: object + type: object + x-kubernetes-validations: + - message: only one of targetRefs or workloadSelector can be set + rule: '(has(self.workloadSelector) ? 1 : 0) + (has(self.targetRefs) + ? 1 : 0) <= 1' + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/networking.istio.io_gateways.yaml b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/networking.istio.io_gateways.yaml new file mode 100644 index 0000000000..5e064d2a9d --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/networking.istio.io_gateways.yaml @@ -0,0 +1,850 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: gateways.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: Gateway + listKind: GatewayList + plural: gateways + shortNames: + - gw + singular: gateway + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting edge load balancer. See more details + at: https://istio.io/docs/reference/config/networking/gateway.html' + properties: + selector: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of pods/VMs + on which this gateway configuration should be applied. + type: object + servers: + description: A list of server specifications. + items: + properties: + bind: + description: The ip or the Unix domain socket to which the listener + should be bound to. + type: string + defaultEndpoint: + type: string + hosts: + description: One or more hosts exposed by this gateway. + items: + type: string + type: array + name: + description: An optional name of the server, when set must be + unique across all servers. + type: string + port: + description: The Port on which the proxy should listen for incoming + connections. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + required: + - number + - protocol + - name + type: object + tls: + description: Set of TLS related options that govern the server's + behavior. + properties: + caCertCredentialName: + description: For mutual TLS, the name of the secret or the + configmap that holds CA certificates. + type: string + caCertificates: + description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use in verifying + a presented client side certificate.' + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified + cipher list.' + items: + type: string + type: array + credentialName: + description: For gateways running on Kubernetes, the name + of the secret that holds the TLS certs including the CA + certificates. + type: string + credentialNames: + description: Same as CredentialName but for multiple certificates. + items: + type: string + maxItems: 2 + minItems: 1 + type: array + httpsRedirect: + description: If set to true, the load balancer will send + a 301 redirect for all http connections, asking the clients + to use HTTPS. + type: boolean + maxProtocolVersion: + description: |- + Optional: Maximum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: |- + Optional: Minimum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + description: |- + Optional: Indicates whether connections to this port should be secured using TLS. + + Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + - OPTIONAL_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject + identity in the certificate presented by the client. + items: + type: string + type: array + tlsCertificates: + description: Only one of `server_certificate`, `private_key` + or `credential_name` or `credential_names` or `tls_certificates` + should be specified. + items: + properties: + caCertificates: + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + type: object + maxItems: 2 + minItems: 1 + type: array + verifyCertificateHash: + description: An optional list of hex-encoded SHA-256 hashes + of the authorized client certificates. + items: + type: string + type: array + verifyCertificateSpki: + description: An optional list of base64-encoded SHA-256 + hashes of the SPKIs of authorized client certificates. + items: + type: string + type: array + type: object + x-kubernetes-validations: + - message: only one of credentialNames or tlsCertificates can + be set + rule: '(has(self.tlsCertificates) ? 1 : 0) + (has(self.credentialNames) + ? 1 : 0) <= 1' + - message: only one of credentialName or credentialNames can + be set + rule: '(has(self.credentialName) ? 1 : 0) + (has(self.credentialNames) + ? 1 : 0) <= 1' + - message: only one of credentialName or tlsCertificates can + be set + rule: '(has(self.credentialNames) ? 1 : 0) + (has(self.tlsCertificates) + ? 1 : 0) <= 1' + required: + - port + - hosts + type: object + type: array + type: object + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting edge load balancer. See more details + at: https://istio.io/docs/reference/config/networking/gateway.html' + properties: + selector: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of pods/VMs + on which this gateway configuration should be applied. + type: object + servers: + description: A list of server specifications. + items: + properties: + bind: + description: The ip or the Unix domain socket to which the listener + should be bound to. + type: string + defaultEndpoint: + type: string + hosts: + description: One or more hosts exposed by this gateway. + items: + type: string + type: array + name: + description: An optional name of the server, when set must be + unique across all servers. + type: string + port: + description: The Port on which the proxy should listen for incoming + connections. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + required: + - number + - protocol + - name + type: object + tls: + description: Set of TLS related options that govern the server's + behavior. + properties: + caCertCredentialName: + description: For mutual TLS, the name of the secret or the + configmap that holds CA certificates. + type: string + caCertificates: + description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use in verifying + a presented client side certificate.' + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified + cipher list.' + items: + type: string + type: array + credentialName: + description: For gateways running on Kubernetes, the name + of the secret that holds the TLS certs including the CA + certificates. + type: string + credentialNames: + description: Same as CredentialName but for multiple certificates. + items: + type: string + maxItems: 2 + minItems: 1 + type: array + httpsRedirect: + description: If set to true, the load balancer will send + a 301 redirect for all http connections, asking the clients + to use HTTPS. + type: boolean + maxProtocolVersion: + description: |- + Optional: Maximum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: |- + Optional: Minimum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + description: |- + Optional: Indicates whether connections to this port should be secured using TLS. + + Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + - OPTIONAL_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject + identity in the certificate presented by the client. + items: + type: string + type: array + tlsCertificates: + description: Only one of `server_certificate`, `private_key` + or `credential_name` or `credential_names` or `tls_certificates` + should be specified. + items: + properties: + caCertificates: + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + type: object + maxItems: 2 + minItems: 1 + type: array + verifyCertificateHash: + description: An optional list of hex-encoded SHA-256 hashes + of the authorized client certificates. + items: + type: string + type: array + verifyCertificateSpki: + description: An optional list of base64-encoded SHA-256 + hashes of the SPKIs of authorized client certificates. + items: + type: string + type: array + type: object + x-kubernetes-validations: + - message: only one of credentialNames or tlsCertificates can + be set + rule: '(has(self.tlsCertificates) ? 1 : 0) + (has(self.credentialNames) + ? 1 : 0) <= 1' + - message: only one of credentialName or credentialNames can + be set + rule: '(has(self.credentialName) ? 1 : 0) + (has(self.credentialNames) + ? 1 : 0) <= 1' + - message: only one of credentialName or tlsCertificates can + be set + rule: '(has(self.credentialNames) ? 1 : 0) + (has(self.tlsCertificates) + ? 1 : 0) <= 1' + required: + - port + - hosts + type: object + type: array + type: object + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting edge load balancer. See more details + at: https://istio.io/docs/reference/config/networking/gateway.html' + properties: + selector: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of pods/VMs + on which this gateway configuration should be applied. + type: object + servers: + description: A list of server specifications. + items: + properties: + bind: + description: The ip or the Unix domain socket to which the listener + should be bound to. + type: string + defaultEndpoint: + type: string + hosts: + description: One or more hosts exposed by this gateway. + items: + type: string + type: array + name: + description: An optional name of the server, when set must be + unique across all servers. + type: string + port: + description: The Port on which the proxy should listen for incoming + connections. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + required: + - number + - protocol + - name + type: object + tls: + description: Set of TLS related options that govern the server's + behavior. + properties: + caCertCredentialName: + description: For mutual TLS, the name of the secret or the + configmap that holds CA certificates. + type: string + caCertificates: + description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use in verifying + a presented client side certificate.' + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified + cipher list.' + items: + type: string + type: array + credentialName: + description: For gateways running on Kubernetes, the name + of the secret that holds the TLS certs including the CA + certificates. + type: string + credentialNames: + description: Same as CredentialName but for multiple certificates. + items: + type: string + maxItems: 2 + minItems: 1 + type: array + httpsRedirect: + description: If set to true, the load balancer will send + a 301 redirect for all http connections, asking the clients + to use HTTPS. + type: boolean + maxProtocolVersion: + description: |- + Optional: Maximum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: |- + Optional: Minimum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + description: |- + Optional: Indicates whether connections to this port should be secured using TLS. + + Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + - OPTIONAL_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject + identity in the certificate presented by the client. + items: + type: string + type: array + tlsCertificates: + description: Only one of `server_certificate`, `private_key` + or `credential_name` or `credential_names` or `tls_certificates` + should be specified. + items: + properties: + caCertificates: + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + type: object + maxItems: 2 + minItems: 1 + type: array + verifyCertificateHash: + description: An optional list of hex-encoded SHA-256 hashes + of the authorized client certificates. + items: + type: string + type: array + verifyCertificateSpki: + description: An optional list of base64-encoded SHA-256 + hashes of the SPKIs of authorized client certificates. + items: + type: string + type: array + type: object + x-kubernetes-validations: + - message: only one of credentialNames or tlsCertificates can + be set + rule: '(has(self.tlsCertificates) ? 1 : 0) + (has(self.credentialNames) + ? 1 : 0) <= 1' + - message: only one of credentialName or credentialNames can + be set + rule: '(has(self.credentialName) ? 1 : 0) + (has(self.credentialNames) + ? 1 : 0) <= 1' + - message: only one of credentialName or tlsCertificates can + be set + rule: '(has(self.credentialNames) ? 1 : 0) + (has(self.tlsCertificates) + ? 1 : 0) <= 1' + required: + - port + - hosts + type: object + type: array + type: object + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/networking.istio.io_proxyconfigs.yaml b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/networking.istio.io_proxyconfigs.yaml new file mode 100644 index 0000000000..ff7c7d9ccd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/networking.istio.io_proxyconfigs.yaml @@ -0,0 +1,151 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: proxyconfigs.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: ProxyConfig + listKind: ProxyConfigList + plural: proxyconfigs + singular: proxyconfig + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Provides configuration for individual workloads. See more + details at: https://istio.io/docs/reference/config/networking/proxy-config.html' + properties: + concurrency: + description: The number of worker threads to run. + format: int32 + minimum: 0 + nullable: true + type: integer + environmentVariables: + additionalProperties: + maxLength: 2048 + type: string + description: Additional environment variables for the proxy. + type: object + image: + description: Specifies the details of the proxy image. + properties: + imageType: + description: The image type of the image. + type: string + type: object + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard not allowed in label value match + rule: '!self.contains("*")' + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. + maxProperties: 4096 + type: object + x-kubernetes-validations: + - message: wildcard not allowed in label key match + rule: self.all(key, !key.contains("*")) + - message: key must not be empty + rule: self.all(key, key.size() != 0) + type: object + type: object + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/networking.istio.io_serviceentries.yaml b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/networking.istio.io_serviceentries.yaml new file mode 100644 index 0000000000..fa28464a9b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/networking.istio.io_serviceentries.yaml @@ -0,0 +1,922 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: serviceentries.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: ServiceEntry + listKind: ServiceEntryList + plural: serviceentries + shortNames: + - se + singular: serviceentry + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The hosts associated with the ServiceEntry + jsonPath: .spec.hosts + name: Hosts + type: string + - description: Whether the service is external to the mesh or part of the mesh + (MESH_EXTERNAL or MESH_INTERNAL) + jsonPath: .spec.location + name: Location + type: string + - description: Service resolution mode for the hosts (NONE, STATIC, or DNS) + jsonPath: .spec.resolution + name: Resolution + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting service registry. See more details + at: https://istio.io/docs/reference/config/networking/service-entry.html' + properties: + addresses: + description: The virtual IP addresses associated with the service. + items: + maxLength: 64 + type: string + maxItems: 256 + type: array + endpoints: + description: One or more endpoints associated with the service. + items: + properties: + address: + description: Address associated with the network endpoint without + the port. + maxLength: 256 + type: string + x-kubernetes-validations: + - message: UDS must be an absolute path or abstract socket + rule: 'self.startsWith("unix://") ? (self.substring(7, 8) + == "/" || self.substring(7, 8) == "@") : true' + - message: UDS may not be a dir + rule: 'self.startsWith("unix://") ? !self.endsWith("/") : + true' + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + maxProperties: 256 + type: object + locality: + description: The locality associated with the endpoint. + maxLength: 2048 + type: string + network: + description: Network enables Istio to group endpoints resident + in the same L3 domain/network. + maxLength: 2048 + type: string + ports: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + description: Set of ports associated with the endpoint. + maxProperties: 128 + type: object + x-kubernetes-validations: + - message: port name must be valid + rule: self.all(key, size(key) < 63 && key.matches("^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$")) + serviceAccount: + description: The service account associated with the workload + if a sidecar is present in the workload. + maxLength: 253 + type: string + weight: + description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 + type: integer + type: object + x-kubernetes-validations: + - message: Address is required + rule: has(self.address) || has(self.network) + - message: UDS may not include ports + rule: '(has(self.address) ? self.address : "").startsWith("unix://") + ? !has(self.ports) : true' + maxItems: 4096 + type: array + exportTo: + description: A list of namespaces to which this service is exported. + items: + type: string + type: array + hosts: + description: The hosts associated with the ServiceEntry. + items: + type: string + x-kubernetes-validations: + - message: hostname cannot be wildcard + rule: self != "*" + maxItems: 256 + minItems: 1 + type: array + location: + description: |- + Specify whether the service should be considered external to the mesh or part of the mesh. + + Valid Options: MESH_EXTERNAL, MESH_INTERNAL + enum: + - MESH_EXTERNAL + - MESH_INTERNAL + type: string + ports: + description: The ports associated with the external service. + items: + properties: + name: + description: Label assigned to the port. + maxLength: 256 + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + protocol: + description: The protocol exposed on the port. + maxLength: 256 + type: string + targetPort: + description: The port number on the endpoint where the traffic + will be received. + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + required: + - number + - name + type: object + maxItems: 256 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: port number cannot be duplicated + rule: self.all(l1, self.exists_one(l2, l1.number == l2.number)) + resolution: + description: |- + Service resolution mode for the hosts. + + Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN, DYNAMIC_DNS + enum: + - NONE + - STATIC + - DNS + - DNS_ROUND_ROBIN + - DYNAMIC_DNS + type: string + subjectAltNames: + description: If specified, the proxy will verify that the server certificate's + subject alternate name matches one of the specified values. + items: + type: string + type: array + workloadSelector: + description: Applicable only for MESH_INTERNAL services. + properties: + labels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: '!self.contains("*")' + description: One or more labels that indicate a specific set of + pods/VMs on which the configuration should be applied. + maxProperties: 256 + type: object + type: object + required: + - hosts + type: object + x-kubernetes-validations: + - message: only one of WorkloadSelector or Endpoints can be set + rule: '(has(self.workloadSelector) ? 1 : 0) + (has(self.endpoints) ? + 1 : 0) <= 1' + - message: CIDR addresses are allowed only for NONE/STATIC resolution + types + rule: '!((has(self.addresses) ? self.addresses : []).exists(k, k.contains("/")) + && !((has(self.resolution) ? self.resolution : "NONE") in ["STATIC", + "NONE"]))' + - message: NONE mode cannot set endpoints + rule: '((has(self.resolution) ? self.resolution : "NONE") == "NONE") + ? !has(self.endpoints) : true' + - message: DNS_ROUND_ROBIN mode cannot have multiple endpoints + rule: '((has(self.resolution) ? self.resolution : "") == "DNS_ROUND_ROBIN") + ? ((has(self.endpoints) ? self.endpoints : []).size() <= 1) : true' + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: The hosts associated with the ServiceEntry + jsonPath: .spec.hosts + name: Hosts + type: string + - description: Whether the service is external to the mesh or part of the mesh + (MESH_EXTERNAL or MESH_INTERNAL) + jsonPath: .spec.location + name: Location + type: string + - description: Service resolution mode for the hosts (NONE, STATIC, or DNS) + jsonPath: .spec.resolution + name: Resolution + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting service registry. See more details + at: https://istio.io/docs/reference/config/networking/service-entry.html' + properties: + addresses: + description: The virtual IP addresses associated with the service. + items: + maxLength: 64 + type: string + maxItems: 256 + type: array + endpoints: + description: One or more endpoints associated with the service. + items: + properties: + address: + description: Address associated with the network endpoint without + the port. + maxLength: 256 + type: string + x-kubernetes-validations: + - message: UDS must be an absolute path or abstract socket + rule: 'self.startsWith("unix://") ? (self.substring(7, 8) + == "/" || self.substring(7, 8) == "@") : true' + - message: UDS may not be a dir + rule: 'self.startsWith("unix://") ? !self.endsWith("/") : + true' + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + maxProperties: 256 + type: object + locality: + description: The locality associated with the endpoint. + maxLength: 2048 + type: string + network: + description: Network enables Istio to group endpoints resident + in the same L3 domain/network. + maxLength: 2048 + type: string + ports: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + description: Set of ports associated with the endpoint. + maxProperties: 128 + type: object + x-kubernetes-validations: + - message: port name must be valid + rule: self.all(key, size(key) < 63 && key.matches("^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$")) + serviceAccount: + description: The service account associated with the workload + if a sidecar is present in the workload. + maxLength: 253 + type: string + weight: + description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 + type: integer + type: object + x-kubernetes-validations: + - message: Address is required + rule: has(self.address) || has(self.network) + - message: UDS may not include ports + rule: '(has(self.address) ? self.address : "").startsWith("unix://") + ? !has(self.ports) : true' + maxItems: 4096 + type: array + exportTo: + description: A list of namespaces to which this service is exported. + items: + type: string + type: array + hosts: + description: The hosts associated with the ServiceEntry. + items: + type: string + x-kubernetes-validations: + - message: hostname cannot be wildcard + rule: self != "*" + maxItems: 256 + minItems: 1 + type: array + location: + description: |- + Specify whether the service should be considered external to the mesh or part of the mesh. + + Valid Options: MESH_EXTERNAL, MESH_INTERNAL + enum: + - MESH_EXTERNAL + - MESH_INTERNAL + type: string + ports: + description: The ports associated with the external service. + items: + properties: + name: + description: Label assigned to the port. + maxLength: 256 + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + protocol: + description: The protocol exposed on the port. + maxLength: 256 + type: string + targetPort: + description: The port number on the endpoint where the traffic + will be received. + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + required: + - number + - name + type: object + maxItems: 256 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: port number cannot be duplicated + rule: self.all(l1, self.exists_one(l2, l1.number == l2.number)) + resolution: + description: |- + Service resolution mode for the hosts. + + Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN, DYNAMIC_DNS + enum: + - NONE + - STATIC + - DNS + - DNS_ROUND_ROBIN + - DYNAMIC_DNS + type: string + subjectAltNames: + description: If specified, the proxy will verify that the server certificate's + subject alternate name matches one of the specified values. + items: + type: string + type: array + workloadSelector: + description: Applicable only for MESH_INTERNAL services. + properties: + labels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: '!self.contains("*")' + description: One or more labels that indicate a specific set of + pods/VMs on which the configuration should be applied. + maxProperties: 256 + type: object + type: object + required: + - hosts + type: object + x-kubernetes-validations: + - message: only one of WorkloadSelector or Endpoints can be set + rule: '(has(self.workloadSelector) ? 1 : 0) + (has(self.endpoints) ? + 1 : 0) <= 1' + - message: CIDR addresses are allowed only for NONE/STATIC resolution + types + rule: '!((has(self.addresses) ? self.addresses : []).exists(k, k.contains("/")) + && !((has(self.resolution) ? self.resolution : "NONE") in ["STATIC", + "NONE"]))' + - message: NONE mode cannot set endpoints + rule: '((has(self.resolution) ? self.resolution : "NONE") == "NONE") + ? !has(self.endpoints) : true' + - message: DNS_ROUND_ROBIN mode cannot have multiple endpoints + rule: '((has(self.resolution) ? self.resolution : "") == "DNS_ROUND_ROBIN") + ? ((has(self.endpoints) ? self.endpoints : []).size() <= 1) : true' + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: The hosts associated with the ServiceEntry + jsonPath: .spec.hosts + name: Hosts + type: string + - description: Whether the service is external to the mesh or part of the mesh + (MESH_EXTERNAL or MESH_INTERNAL) + jsonPath: .spec.location + name: Location + type: string + - description: Service resolution mode for the hosts (NONE, STATIC, or DNS) + jsonPath: .spec.resolution + name: Resolution + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting service registry. See more details + at: https://istio.io/docs/reference/config/networking/service-entry.html' + properties: + addresses: + description: The virtual IP addresses associated with the service. + items: + maxLength: 64 + type: string + maxItems: 256 + type: array + endpoints: + description: One or more endpoints associated with the service. + items: + properties: + address: + description: Address associated with the network endpoint without + the port. + maxLength: 256 + type: string + x-kubernetes-validations: + - message: UDS must be an absolute path or abstract socket + rule: 'self.startsWith("unix://") ? (self.substring(7, 8) + == "/" || self.substring(7, 8) == "@") : true' + - message: UDS may not be a dir + rule: 'self.startsWith("unix://") ? !self.endsWith("/") : + true' + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + maxProperties: 256 + type: object + locality: + description: The locality associated with the endpoint. + maxLength: 2048 + type: string + network: + description: Network enables Istio to group endpoints resident + in the same L3 domain/network. + maxLength: 2048 + type: string + ports: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + description: Set of ports associated with the endpoint. + maxProperties: 128 + type: object + x-kubernetes-validations: + - message: port name must be valid + rule: self.all(key, size(key) < 63 && key.matches("^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$")) + serviceAccount: + description: The service account associated with the workload + if a sidecar is present in the workload. + maxLength: 253 + type: string + weight: + description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 + type: integer + type: object + x-kubernetes-validations: + - message: Address is required + rule: has(self.address) || has(self.network) + - message: UDS may not include ports + rule: '(has(self.address) ? self.address : "").startsWith("unix://") + ? !has(self.ports) : true' + maxItems: 4096 + type: array + exportTo: + description: A list of namespaces to which this service is exported. + items: + type: string + type: array + hosts: + description: The hosts associated with the ServiceEntry. + items: + type: string + x-kubernetes-validations: + - message: hostname cannot be wildcard + rule: self != "*" + maxItems: 256 + minItems: 1 + type: array + location: + description: |- + Specify whether the service should be considered external to the mesh or part of the mesh. + + Valid Options: MESH_EXTERNAL, MESH_INTERNAL + enum: + - MESH_EXTERNAL + - MESH_INTERNAL + type: string + ports: + description: The ports associated with the external service. + items: + properties: + name: + description: Label assigned to the port. + maxLength: 256 + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + protocol: + description: The protocol exposed on the port. + maxLength: 256 + type: string + targetPort: + description: The port number on the endpoint where the traffic + will be received. + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + required: + - number + - name + type: object + maxItems: 256 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: port number cannot be duplicated + rule: self.all(l1, self.exists_one(l2, l1.number == l2.number)) + resolution: + description: |- + Service resolution mode for the hosts. + + Valid Options: NONE, STATIC, DNS, DNS_ROUND_ROBIN, DYNAMIC_DNS + enum: + - NONE + - STATIC + - DNS + - DNS_ROUND_ROBIN + - DYNAMIC_DNS + type: string + subjectAltNames: + description: If specified, the proxy will verify that the server certificate's + subject alternate name matches one of the specified values. + items: + type: string + type: array + workloadSelector: + description: Applicable only for MESH_INTERNAL services. + properties: + labels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: '!self.contains("*")' + description: One or more labels that indicate a specific set of + pods/VMs on which the configuration should be applied. + maxProperties: 256 + type: object + type: object + required: + - hosts + type: object + x-kubernetes-validations: + - message: only one of WorkloadSelector or Endpoints can be set + rule: '(has(self.workloadSelector) ? 1 : 0) + (has(self.endpoints) ? + 1 : 0) <= 1' + - message: CIDR addresses are allowed only for NONE/STATIC resolution + types + rule: '!((has(self.addresses) ? self.addresses : []).exists(k, k.contains("/")) + && !((has(self.resolution) ? self.resolution : "NONE") in ["STATIC", + "NONE"]))' + - message: NONE mode cannot set endpoints + rule: '((has(self.resolution) ? self.resolution : "NONE") == "NONE") + ? !has(self.endpoints) : true' + - message: DNS_ROUND_ROBIN mode cannot have multiple endpoints + rule: '((has(self.resolution) ? self.resolution : "") == "DNS_ROUND_ROBIN") + ? ((has(self.endpoints) ? self.endpoints : []).size() <= 1) : true' + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/networking.istio.io_sidecars.yaml b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/networking.istio.io_sidecars.yaml new file mode 100644 index 0000000000..e531c557c4 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/networking.istio.io_sidecars.yaml @@ -0,0 +1,1757 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: sidecars.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: Sidecar + listKind: SidecarList + plural: sidecars + singular: sidecar + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting network reachability of a sidecar. + See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' + properties: + egress: + description: Egress specifies the configuration of the sidecar for + processing outbound traffic from the attached workload instance + to other services in the mesh. + items: + properties: + bind: + description: The IP(IPv4 or IPv6) or the Unix domain socket + to which the listener should be bound to. + type: string + captureMode: + description: |- + When the bind address is an IP, the captureMode option dictates how traffic to the listener is expected to be captured (or not). + + Valid Options: DEFAULT, IPTABLES, NONE + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + hosts: + description: One or more service hosts exposed by the listener + in `namespace/dnsName` format. + items: + type: string + type: array + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + required: + - hosts + type: object + type: array + inboundConnectionPool: + description: Settings controlling the volume of connections Envoy + will accept from the network. + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued + while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool + connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent streams allowed + for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection to + a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding + to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved + while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a + destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to + enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive probes to send + without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs to be + idle before keep-alive probes start being sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + ingress: + description: Ingress specifies the configuration of the sidecar for + processing inbound traffic to the attached workload instance. + items: + properties: + bind: + description: The IP(IPv4 or IPv6) to which the listener should + be bound. + type: string + captureMode: + description: |- + The captureMode option dictates how traffic to the listener is expected to be captured (or not). + + Valid Options: DEFAULT, IPTABLES, NONE + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + connectionPool: + description: Settings controlling the volume of connections + Envoy will accept from the network. + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be + queued while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a + destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent streams + allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding + to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be + preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive probes + to send without response before deciding the connection + is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs + to be idle before keep-alive probes start being + sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + defaultEndpoint: + description: The IP endpoint or Unix domain socket to which + traffic should be forwarded to. + type: string + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + tls: + description: Set of TLS related options that will enable TLS + termination on the sidecar for requests originating from outside + the mesh. + properties: + caCertCredentialName: + description: For mutual TLS, the name of the secret or the + configmap that holds CA certificates. + type: string + caCertificates: + description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use in verifying + a presented client side certificate.' + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified + cipher list.' + items: + type: string + type: array + credentialName: + description: For gateways running on Kubernetes, the name + of the secret that holds the TLS certs including the CA + certificates. + type: string + credentialNames: + description: Same as CredentialName but for multiple certificates. + items: + type: string + maxItems: 2 + minItems: 1 + type: array + httpsRedirect: + description: If set to true, the load balancer will send + a 301 redirect for all http connections, asking the clients + to use HTTPS. + type: boolean + maxProtocolVersion: + description: |- + Optional: Maximum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: |- + Optional: Minimum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + description: |- + Optional: Indicates whether connections to this port should be secured using TLS. + + Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + - OPTIONAL_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject + identity in the certificate presented by the client. + items: + type: string + type: array + tlsCertificates: + description: Only one of `server_certificate`, `private_key` + or `credential_name` or `credential_names` or `tls_certificates` + should be specified. + items: + properties: + caCertificates: + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + type: object + maxItems: 2 + minItems: 1 + type: array + verifyCertificateHash: + description: An optional list of hex-encoded SHA-256 hashes + of the authorized client certificates. + items: + type: string + type: array + verifyCertificateSpki: + description: An optional list of base64-encoded SHA-256 + hashes of the SPKIs of authorized client certificates. + items: + type: string + type: array + type: object + x-kubernetes-validations: + - message: only one of credentialNames or tlsCertificates can + be set + rule: '(has(self.tlsCertificates) ? 1 : 0) + (has(self.credentialNames) + ? 1 : 0) <= 1' + - message: only one of credentialName or credentialNames can + be set + rule: '(has(self.credentialName) ? 1 : 0) + (has(self.credentialNames) + ? 1 : 0) <= 1' + - message: only one of credentialName or tlsCertificates can + be set + rule: '(has(self.credentialNames) ? 1 : 0) + (has(self.tlsCertificates) + ? 1 : 0) <= 1' + required: + - port + type: object + type: array + outboundTrafficPolicy: + description: Set the default behavior of the sidecar for handling + outbound traffic from the application. + properties: + egressProxy: + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + mode: + description: |2- + + + Valid Options: REGISTRY_ONLY, ALLOW_ANY + enum: + - REGISTRY_ONLY + - ALLOW_ANY + type: string + type: object + workloadSelector: + description: Criteria used to select the specific set of pods/VMs + on which this `Sidecar` configuration should be applied. + properties: + labels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: '!self.contains("*")' + description: One or more labels that indicate a specific set of + pods/VMs on which the configuration should be applied. + maxProperties: 256 + type: object + type: object + type: object + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting network reachability of a sidecar. + See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' + properties: + egress: + description: Egress specifies the configuration of the sidecar for + processing outbound traffic from the attached workload instance + to other services in the mesh. + items: + properties: + bind: + description: The IP(IPv4 or IPv6) or the Unix domain socket + to which the listener should be bound to. + type: string + captureMode: + description: |- + When the bind address is an IP, the captureMode option dictates how traffic to the listener is expected to be captured (or not). + + Valid Options: DEFAULT, IPTABLES, NONE + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + hosts: + description: One or more service hosts exposed by the listener + in `namespace/dnsName` format. + items: + type: string + type: array + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + required: + - hosts + type: object + type: array + inboundConnectionPool: + description: Settings controlling the volume of connections Envoy + will accept from the network. + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued + while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool + connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent streams allowed + for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection to + a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding + to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved + while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a + destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to + enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive probes to send + without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs to be + idle before keep-alive probes start being sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + ingress: + description: Ingress specifies the configuration of the sidecar for + processing inbound traffic to the attached workload instance. + items: + properties: + bind: + description: The IP(IPv4 or IPv6) to which the listener should + be bound. + type: string + captureMode: + description: |- + The captureMode option dictates how traffic to the listener is expected to be captured (or not). + + Valid Options: DEFAULT, IPTABLES, NONE + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + connectionPool: + description: Settings controlling the volume of connections + Envoy will accept from the network. + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be + queued while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a + destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent streams + allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding + to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be + preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive probes + to send without response before deciding the connection + is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs + to be idle before keep-alive probes start being + sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + defaultEndpoint: + description: The IP endpoint or Unix domain socket to which + traffic should be forwarded to. + type: string + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + tls: + description: Set of TLS related options that will enable TLS + termination on the sidecar for requests originating from outside + the mesh. + properties: + caCertCredentialName: + description: For mutual TLS, the name of the secret or the + configmap that holds CA certificates. + type: string + caCertificates: + description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use in verifying + a presented client side certificate.' + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified + cipher list.' + items: + type: string + type: array + credentialName: + description: For gateways running on Kubernetes, the name + of the secret that holds the TLS certs including the CA + certificates. + type: string + credentialNames: + description: Same as CredentialName but for multiple certificates. + items: + type: string + maxItems: 2 + minItems: 1 + type: array + httpsRedirect: + description: If set to true, the load balancer will send + a 301 redirect for all http connections, asking the clients + to use HTTPS. + type: boolean + maxProtocolVersion: + description: |- + Optional: Maximum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: |- + Optional: Minimum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + description: |- + Optional: Indicates whether connections to this port should be secured using TLS. + + Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + - OPTIONAL_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject + identity in the certificate presented by the client. + items: + type: string + type: array + tlsCertificates: + description: Only one of `server_certificate`, `private_key` + or `credential_name` or `credential_names` or `tls_certificates` + should be specified. + items: + properties: + caCertificates: + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + type: object + maxItems: 2 + minItems: 1 + type: array + verifyCertificateHash: + description: An optional list of hex-encoded SHA-256 hashes + of the authorized client certificates. + items: + type: string + type: array + verifyCertificateSpki: + description: An optional list of base64-encoded SHA-256 + hashes of the SPKIs of authorized client certificates. + items: + type: string + type: array + type: object + x-kubernetes-validations: + - message: only one of credentialNames or tlsCertificates can + be set + rule: '(has(self.tlsCertificates) ? 1 : 0) + (has(self.credentialNames) + ? 1 : 0) <= 1' + - message: only one of credentialName or credentialNames can + be set + rule: '(has(self.credentialName) ? 1 : 0) + (has(self.credentialNames) + ? 1 : 0) <= 1' + - message: only one of credentialName or tlsCertificates can + be set + rule: '(has(self.credentialNames) ? 1 : 0) + (has(self.tlsCertificates) + ? 1 : 0) <= 1' + required: + - port + type: object + type: array + outboundTrafficPolicy: + description: Set the default behavior of the sidecar for handling + outbound traffic from the application. + properties: + egressProxy: + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + mode: + description: |2- + + + Valid Options: REGISTRY_ONLY, ALLOW_ANY + enum: + - REGISTRY_ONLY + - ALLOW_ANY + type: string + type: object + workloadSelector: + description: Criteria used to select the specific set of pods/VMs + on which this `Sidecar` configuration should be applied. + properties: + labels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: '!self.contains("*")' + description: One or more labels that indicate a specific set of + pods/VMs on which the configuration should be applied. + maxProperties: 256 + type: object + type: object + type: object + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting network reachability of a sidecar. + See more details at: https://istio.io/docs/reference/config/networking/sidecar.html' + properties: + egress: + description: Egress specifies the configuration of the sidecar for + processing outbound traffic from the attached workload instance + to other services in the mesh. + items: + properties: + bind: + description: The IP(IPv4 or IPv6) or the Unix domain socket + to which the listener should be bound to. + type: string + captureMode: + description: |- + When the bind address is an IP, the captureMode option dictates how traffic to the listener is expected to be captured (or not). + + Valid Options: DEFAULT, IPTABLES, NONE + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + hosts: + description: One or more service hosts exposed by the listener + in `namespace/dnsName` format. + items: + type: string + type: array + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + required: + - hosts + type: object + type: array + inboundConnectionPool: + description: Settings controlling the volume of connections Envoy + will accept from the network. + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be queued + while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection pool + connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent streams allowed + for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection to + a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding + to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be preserved + while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP connections to a + destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket to + enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive probes to send + without response before deciding the connection is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs to be + idle before keep-alive probes start being sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + ingress: + description: Ingress specifies the configuration of the sidecar for + processing inbound traffic to the attached workload instance. + items: + properties: + bind: + description: The IP(IPv4 or IPv6) to which the listener should + be bound. + type: string + captureMode: + description: |- + The captureMode option dictates how traffic to the listener is expected to be captured (or not). + + Valid Options: DEFAULT, IPTABLES, NONE + enum: + - DEFAULT + - IPTABLES + - NONE + type: string + connectionPool: + description: Settings controlling the volume of connections + Envoy will accept from the network. + properties: + http: + description: HTTP connection pool settings. + properties: + h2UpgradePolicy: + description: |- + Specify if http1.1 connection should be upgraded to http2 for the associated destination. + + Valid Options: DEFAULT, DO_NOT_UPGRADE, UPGRADE + enum: + - DEFAULT + - DO_NOT_UPGRADE + - UPGRADE + type: string + http1MaxPendingRequests: + description: Maximum number of requests that will be + queued while waiting for a ready connection pool connection. + format: int32 + type: integer + http2MaxRequests: + description: Maximum number of active requests to a + destination. + format: int32 + type: integer + idleTimeout: + description: The idle timeout for upstream connection + pool connections. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConcurrentStreams: + description: The maximum number of concurrent streams + allowed for a peer on one HTTP/2 connection. + format: int32 + type: integer + maxRequestsPerConnection: + description: Maximum number of requests per connection + to a backend. + format: int32 + type: integer + maxRetries: + description: Maximum number of retries that can be outstanding + to all hosts in a cluster at a given time. + format: int32 + type: integer + useClientProtocol: + description: If set to true, client protocol will be + preserved while initiating connection to backend. + type: boolean + type: object + tcp: + description: Settings common to both HTTP and TCP upstream + connections. + properties: + connectTimeout: + description: TCP connection timeout. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + idleTimeout: + description: The idle timeout for TCP connections. + type: string + maxConnectionDuration: + description: The maximum duration of a connection. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + maxConnections: + description: Maximum number of HTTP1 /TCP connections + to a destination host. + format: int32 + type: integer + tcpKeepalive: + description: If set then set SO_KEEPALIVE on the socket + to enable TCP Keepalives. + properties: + interval: + description: The time duration between keep-alive + probes. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + probes: + description: Maximum number of keepalive probes + to send without response before deciding the connection + is dead. + maximum: 4294967295 + minimum: 0 + type: integer + time: + description: The time duration a connection needs + to be idle before keep-alive probes start being + sent. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + type: object + type: object + type: object + defaultEndpoint: + description: The IP endpoint or Unix domain socket to which + traffic should be forwarded to. + type: string + port: + description: The port associated with the listener. + properties: + name: + description: Label assigned to the port. + type: string + number: + description: A valid non-negative integer port number. + maximum: 4294967295 + minimum: 0 + type: integer + protocol: + description: The protocol exposed on the port. + type: string + targetPort: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + tls: + description: Set of TLS related options that will enable TLS + termination on the sidecar for requests originating from outside + the mesh. + properties: + caCertCredentialName: + description: For mutual TLS, the name of the secret or the + configmap that holds CA certificates. + type: string + caCertificates: + description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. + type: string + caCrl: + description: 'OPTIONAL: The path to the file containing + the certificate revocation list (CRL) to use in verifying + a presented client side certificate.' + type: string + cipherSuites: + description: 'Optional: If specified, only support the specified + cipher list.' + items: + type: string + type: array + credentialName: + description: For gateways running on Kubernetes, the name + of the secret that holds the TLS certs including the CA + certificates. + type: string + credentialNames: + description: Same as CredentialName but for multiple certificates. + items: + type: string + maxItems: 2 + minItems: 1 + type: array + httpsRedirect: + description: If set to true, the load balancer will send + a 301 redirect for all http connections, asking the clients + to use HTTPS. + type: boolean + maxProtocolVersion: + description: |- + Optional: Maximum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + minProtocolVersion: + description: |- + Optional: Minimum TLS protocol version. + + Valid Options: TLS_AUTO, TLSV1_0, TLSV1_1, TLSV1_2, TLSV1_3 + enum: + - TLS_AUTO + - TLSV1_0 + - TLSV1_1 + - TLSV1_2 + - TLSV1_3 + type: string + mode: + description: |- + Optional: Indicates whether connections to this port should be secured using TLS. + + Valid Options: PASSTHROUGH, SIMPLE, MUTUAL, AUTO_PASSTHROUGH, ISTIO_MUTUAL, OPTIONAL_MUTUAL + enum: + - PASSTHROUGH + - SIMPLE + - MUTUAL + - AUTO_PASSTHROUGH + - ISTIO_MUTUAL + - OPTIONAL_MUTUAL + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + subjectAltNames: + description: A list of alternate names to verify the subject + identity in the certificate presented by the client. + items: + type: string + type: array + tlsCertificates: + description: Only one of `server_certificate`, `private_key` + or `credential_name` or `credential_names` or `tls_certificates` + should be specified. + items: + properties: + caCertificates: + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + type: object + maxItems: 2 + minItems: 1 + type: array + verifyCertificateHash: + description: An optional list of hex-encoded SHA-256 hashes + of the authorized client certificates. + items: + type: string + type: array + verifyCertificateSpki: + description: An optional list of base64-encoded SHA-256 + hashes of the SPKIs of authorized client certificates. + items: + type: string + type: array + type: object + x-kubernetes-validations: + - message: only one of credentialNames or tlsCertificates can + be set + rule: '(has(self.tlsCertificates) ? 1 : 0) + (has(self.credentialNames) + ? 1 : 0) <= 1' + - message: only one of credentialName or credentialNames can + be set + rule: '(has(self.credentialName) ? 1 : 0) + (has(self.credentialNames) + ? 1 : 0) <= 1' + - message: only one of credentialName or tlsCertificates can + be set + rule: '(has(self.credentialNames) ? 1 : 0) + (has(self.tlsCertificates) + ? 1 : 0) <= 1' + required: + - port + type: object + type: array + outboundTrafficPolicy: + description: Set the default behavior of the sidecar for handling + outbound traffic from the application. + properties: + egressProxy: + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + mode: + description: |2- + + + Valid Options: REGISTRY_ONLY, ALLOW_ANY + enum: + - REGISTRY_ONLY + - ALLOW_ANY + type: string + type: object + workloadSelector: + description: Criteria used to select the specific set of pods/VMs + on which this `Sidecar` configuration should be applied. + properties: + labels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: '!self.contains("*")' + description: One or more labels that indicate a specific set of + pods/VMs on which the configuration should be applied. + maxProperties: 256 + type: object + type: object + type: object + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/networking.istio.io_virtualservices.yaml b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/networking.istio.io_virtualservices.yaml new file mode 100644 index 0000000000..c8abbbd387 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/networking.istio.io_virtualservices.yaml @@ -0,0 +1,3181 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: virtualservices.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: VirtualService + listKind: VirtualServiceList + plural: virtualservices + shortNames: + - vs + singular: virtualservice + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The names of gateways and sidecars that should apply these routes + jsonPath: .spec.gateways + name: Gateways + type: string + - description: The destination hosts to which traffic is being sent + jsonPath: .spec.hosts + name: Hosts + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting label/content routing, sni routing, + etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' + properties: + exportTo: + description: A list of namespaces to which this virtual service is + exported. + items: + type: string + type: array + gateways: + description: The names of gateways and sidecars that should apply + these routes. + items: + type: string + type: array + hosts: + description: The destination hosts to which traffic is being sent. + items: + type: string + type: array + http: + description: An ordered list of route rules for HTTP traffic. + items: + properties: + corsPolicy: + description: Cross-Origin Resource Sharing policy (CORS). + properties: + allowCredentials: + description: Indicates whether the caller is allowed to + send the actual request (not the preflight) using credentials. + nullable: true + type: boolean + allowHeaders: + description: List of HTTP headers that can be used when + requesting the resource. + items: + type: string + type: array + allowMethods: + description: List of HTTP methods allowed to access the + resource. + items: + type: string + type: array + allowOrigin: + items: + type: string + type: array + allowOrigins: + description: String patterns that match allowed origins. + items: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + type: array + exposeHeaders: + description: A list of HTTP headers that the browsers are + allowed to access. + items: + type: string + type: array + maxAge: + description: Specifies how long the results of a preflight + request can be cached. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + unmatchedPreflights: + description: |- + Indicates whether preflight requests not matching the configured allowed origin shouldn't be forwarded to the upstream. + + Valid Options: FORWARD, IGNORE + enum: + - UNSPECIFIED + - FORWARD + - IGNORE + type: string + type: object + delegate: + description: Delegate is used to specify the particular VirtualService + which can be used to define delegate HTTPRoute. + properties: + name: + description: Name specifies the name of the delegate VirtualService. + type: string + namespace: + description: Namespace specifies the namespace where the + delegate VirtualService resides. + type: string + type: object + directResponse: + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. + properties: + body: + description: Specifies the content of the response body. + oneOf: + - not: + anyOf: + - required: + - string + - required: + - bytes + - required: + - string + - required: + - bytes + properties: + bytes: + description: response body as base64 encoded bytes. + format: binary + type: string + string: + type: string + type: object + status: + description: Specifies the HTTP response status to be returned. + maximum: 4294967295 + minimum: 0 + type: integer + required: + - status + type: object + fault: + description: Fault injection policy to apply on HTTP traffic + at the client side. + properties: + abort: + description: Abort Http request attempts and return error + codes back to downstream service, giving the impression + that the upstream service is faulty. + oneOf: + - not: + anyOf: + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + properties: + grpcStatus: + description: GRPC status code to use to abort the request. + type: string + http2Error: + type: string + httpStatus: + description: HTTP status code to use to abort the Http + request. + format: int32 + type: integer + percentage: + description: Percentage of requests to be aborted with + the error code provided. + properties: + value: + format: double + type: number + type: object + type: object + delay: + description: Delay requests before forwarding, emulating + various failures such as network issues, overloaded upstream + service, etc. + oneOf: + - not: + anyOf: + - required: + - fixedDelay + - required: + - exponentialDelay + - required: + - fixedDelay + - required: + - exponentialDelay + properties: + exponentialDelay: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + fixedDelay: + description: Add a fixed delay before forwarding the + request. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + percent: + description: Percentage of requests on which the delay + will be injected (0-100). + format: int32 + type: integer + percentage: + description: Percentage of requests on which the delay + will be injected. + properties: + value: + format: double + type: number + type: object + type: object + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + match: + description: Match conditions to be satisfied for the rule to + be activated. + items: + properties: + authority: + description: 'HTTP Authority values are case-sensitive + and formatted as follows: - `exact: "value"` for exact + string match - `prefix: "value"` for prefix-based match + - `regex: "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + headers: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + description: The header keys must be lowercase and use + hyphen as the separator, e.g. + type: object + ignoreUriCase: + description: Flag to specify whether the URI matching + should be case-insensitive. + type: boolean + method: + description: 'HTTP Method values are case-sensitive and + formatted as follows: - `exact: "value"` for exact string + match - `prefix: "value"` for prefix-based match - `regex: + "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + name: + description: The name assigned to a match. + type: string + port: + description: Specifies the ports on the host that is being + addressed. + maximum: 4294967295 + minimum: 0 + type: integer + queryParams: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + description: Query parameters for matching. + type: object + scheme: + description: 'URI Scheme values are case-sensitive and + formatted as follows: - `exact: "value"` for exact string + match - `prefix: "value"` for prefix-based match - `regex: + "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + sourceLabels: + additionalProperties: + type: string + description: One or more labels that constrain the applicability + of a rule to source (client) workloads with the given + labels. + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + statPrefix: + description: The human readable prefix to use when emitting + statistics for this route. + type: string + uri: + description: 'URI to match values are case-sensitive and + formatted as follows: - `exact: "value"` for exact string + match - `prefix: "value"` for prefix-based match - `regex: + "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + withoutHeaders: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + description: withoutHeader has the same syntax with the + header, but has opposite meaning. + type: object + type: object + type: array + mirror: + description: Mirror HTTP traffic to a another destination in + addition to forwarding the requests to the intended destination. + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + mirror_percent: + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + mirrorPercent: + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + mirrorPercentage: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + properties: + value: + format: double + type: number + type: object + mirrors: + description: Specifies the destinations to mirror HTTP traffic + in addition to the original destination. + items: + properties: + destination: + description: Destination specifies the target of the mirror + operation. + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + percentage: + description: Percentage of the traffic to be mirrored + by the `destination` field. + properties: + value: + format: double + type: number + type: object + required: + - destination + type: object + type: array + name: + description: The name assigned to the route for debugging purposes. + type: string + redirect: + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. + oneOf: + - not: + anyOf: + - required: + - port + - required: + - derivePort + - required: + - port + - required: + - derivePort + properties: + authority: + description: On a redirect, overwrite the Authority/Host + portion of the URL with this value. + type: string + derivePort: + description: |- + On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and 443 for HTTPS. + + Valid Options: FROM_PROTOCOL_DEFAULT, FROM_REQUEST_PORT + enum: + - FROM_PROTOCOL_DEFAULT + - FROM_REQUEST_PORT + type: string + port: + description: On a redirect, overwrite the port portion of + the URL with this value. + maximum: 4294967295 + minimum: 0 + type: integer + redirectCode: + description: On a redirect, Specifies the HTTP status code + to use in the redirect response. + maximum: 4294967295 + minimum: 0 + type: integer + scheme: + description: On a redirect, overwrite the scheme portion + of the URL with this value. + type: string + uri: + description: On a redirect, overwrite the Path portion of + the URL with this value. + type: string + type: object + retries: + description: Retry policy for HTTP requests. + properties: + attempts: + description: Number of retries to be allowed for a given + request. + format: int32 + type: integer + backoff: + description: Specifies the minimum duration between retry + attempts. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + perTryTimeout: + description: Timeout per attempt for a given request, including + the initial call and any retries. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + retryIgnorePreviousHosts: + description: Flag to specify whether the retries should + ignore previously tried hosts during retry. + nullable: true + type: boolean + retryOn: + description: Specifies the conditions under which retry + takes place. + type: string + retryRemoteLocalities: + description: Flag to specify whether the retries should + retry to other localities. + nullable: true + type: boolean + type: object + rewrite: + description: Rewrite HTTP URIs and Authority headers. + properties: + authority: + description: rewrite the Authority/Host header with this + value. + type: string + uri: + description: rewrite the path (or the prefix) portion of + the URI with this value. + type: string + uriRegexRewrite: + description: rewrite the path portion of the URI with the + specified regex. + properties: + match: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + rewrite: + description: The string that should replace into matching + portions of original URI. + type: string + type: object + type: object + route: + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. + items: + properties: + destination: + description: Destination uniquely identifies the instances + of a service to which the request/connection should + be forwarded to. + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + weight: + description: Weight specifies the relative proportion + of traffic to be forwarded to the destination. + format: int32 + type: integer + required: + - destination + type: object + type: array + timeout: + description: Timeout for HTTP requests, default is disabled. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: array + tcp: + description: An ordered list of route rules for opaque TCP traffic. + items: + properties: + match: + description: Match conditions to be satisfied for the rule to + be activated. + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + maximum: 4294967295 + minimum: 0 + type: integer + sourceLabels: + additionalProperties: + type: string + description: One or more labels that constrain the applicability + of a rule to workloads with the given labels. + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + sourceSubnet: + type: string + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. + items: + properties: + destination: + description: Destination uniquely identifies the instances + of a service to which the request/connection should + be forwarded to. + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + weight: + description: Weight specifies the relative proportion + of traffic to be forwarded to the destination. + format: int32 + type: integer + required: + - destination + type: object + type: array + type: object + type: array + tls: + description: An ordered list of route rule for non-terminated TLS + & HTTPS traffic. + items: + properties: + match: + description: Match conditions to be satisfied for the rule to + be activated. + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + maximum: 4294967295 + minimum: 0 + type: integer + sniHosts: + description: SNI (server name indicator) to match on. + items: + type: string + type: array + sourceLabels: + additionalProperties: + type: string + description: One or more labels that constrain the applicability + of a rule to workloads with the given labels. + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + required: + - sniHosts + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. + items: + properties: + destination: + description: Destination uniquely identifies the instances + of a service to which the request/connection should + be forwarded to. + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + weight: + description: Weight specifies the relative proportion + of traffic to be forwarded to the destination. + format: int32 + type: integer + required: + - destination + type: object + type: array + required: + - match + type: object + type: array + type: object + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: The names of gateways and sidecars that should apply these routes + jsonPath: .spec.gateways + name: Gateways + type: string + - description: The destination hosts to which traffic is being sent + jsonPath: .spec.hosts + name: Hosts + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting label/content routing, sni routing, + etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' + properties: + exportTo: + description: A list of namespaces to which this virtual service is + exported. + items: + type: string + type: array + gateways: + description: The names of gateways and sidecars that should apply + these routes. + items: + type: string + type: array + hosts: + description: The destination hosts to which traffic is being sent. + items: + type: string + type: array + http: + description: An ordered list of route rules for HTTP traffic. + items: + properties: + corsPolicy: + description: Cross-Origin Resource Sharing policy (CORS). + properties: + allowCredentials: + description: Indicates whether the caller is allowed to + send the actual request (not the preflight) using credentials. + nullable: true + type: boolean + allowHeaders: + description: List of HTTP headers that can be used when + requesting the resource. + items: + type: string + type: array + allowMethods: + description: List of HTTP methods allowed to access the + resource. + items: + type: string + type: array + allowOrigin: + items: + type: string + type: array + allowOrigins: + description: String patterns that match allowed origins. + items: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + type: array + exposeHeaders: + description: A list of HTTP headers that the browsers are + allowed to access. + items: + type: string + type: array + maxAge: + description: Specifies how long the results of a preflight + request can be cached. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + unmatchedPreflights: + description: |- + Indicates whether preflight requests not matching the configured allowed origin shouldn't be forwarded to the upstream. + + Valid Options: FORWARD, IGNORE + enum: + - UNSPECIFIED + - FORWARD + - IGNORE + type: string + type: object + delegate: + description: Delegate is used to specify the particular VirtualService + which can be used to define delegate HTTPRoute. + properties: + name: + description: Name specifies the name of the delegate VirtualService. + type: string + namespace: + description: Namespace specifies the namespace where the + delegate VirtualService resides. + type: string + type: object + directResponse: + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. + properties: + body: + description: Specifies the content of the response body. + oneOf: + - not: + anyOf: + - required: + - string + - required: + - bytes + - required: + - string + - required: + - bytes + properties: + bytes: + description: response body as base64 encoded bytes. + format: binary + type: string + string: + type: string + type: object + status: + description: Specifies the HTTP response status to be returned. + maximum: 4294967295 + minimum: 0 + type: integer + required: + - status + type: object + fault: + description: Fault injection policy to apply on HTTP traffic + at the client side. + properties: + abort: + description: Abort Http request attempts and return error + codes back to downstream service, giving the impression + that the upstream service is faulty. + oneOf: + - not: + anyOf: + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + properties: + grpcStatus: + description: GRPC status code to use to abort the request. + type: string + http2Error: + type: string + httpStatus: + description: HTTP status code to use to abort the Http + request. + format: int32 + type: integer + percentage: + description: Percentage of requests to be aborted with + the error code provided. + properties: + value: + format: double + type: number + type: object + type: object + delay: + description: Delay requests before forwarding, emulating + various failures such as network issues, overloaded upstream + service, etc. + oneOf: + - not: + anyOf: + - required: + - fixedDelay + - required: + - exponentialDelay + - required: + - fixedDelay + - required: + - exponentialDelay + properties: + exponentialDelay: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + fixedDelay: + description: Add a fixed delay before forwarding the + request. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + percent: + description: Percentage of requests on which the delay + will be injected (0-100). + format: int32 + type: integer + percentage: + description: Percentage of requests on which the delay + will be injected. + properties: + value: + format: double + type: number + type: object + type: object + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + match: + description: Match conditions to be satisfied for the rule to + be activated. + items: + properties: + authority: + description: 'HTTP Authority values are case-sensitive + and formatted as follows: - `exact: "value"` for exact + string match - `prefix: "value"` for prefix-based match + - `regex: "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + headers: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + description: The header keys must be lowercase and use + hyphen as the separator, e.g. + type: object + ignoreUriCase: + description: Flag to specify whether the URI matching + should be case-insensitive. + type: boolean + method: + description: 'HTTP Method values are case-sensitive and + formatted as follows: - `exact: "value"` for exact string + match - `prefix: "value"` for prefix-based match - `regex: + "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + name: + description: The name assigned to a match. + type: string + port: + description: Specifies the ports on the host that is being + addressed. + maximum: 4294967295 + minimum: 0 + type: integer + queryParams: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + description: Query parameters for matching. + type: object + scheme: + description: 'URI Scheme values are case-sensitive and + formatted as follows: - `exact: "value"` for exact string + match - `prefix: "value"` for prefix-based match - `regex: + "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + sourceLabels: + additionalProperties: + type: string + description: One or more labels that constrain the applicability + of a rule to source (client) workloads with the given + labels. + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + statPrefix: + description: The human readable prefix to use when emitting + statistics for this route. + type: string + uri: + description: 'URI to match values are case-sensitive and + formatted as follows: - `exact: "value"` for exact string + match - `prefix: "value"` for prefix-based match - `regex: + "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + withoutHeaders: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + description: withoutHeader has the same syntax with the + header, but has opposite meaning. + type: object + type: object + type: array + mirror: + description: Mirror HTTP traffic to a another destination in + addition to forwarding the requests to the intended destination. + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + mirror_percent: + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + mirrorPercent: + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + mirrorPercentage: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + properties: + value: + format: double + type: number + type: object + mirrors: + description: Specifies the destinations to mirror HTTP traffic + in addition to the original destination. + items: + properties: + destination: + description: Destination specifies the target of the mirror + operation. + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + percentage: + description: Percentage of the traffic to be mirrored + by the `destination` field. + properties: + value: + format: double + type: number + type: object + required: + - destination + type: object + type: array + name: + description: The name assigned to the route for debugging purposes. + type: string + redirect: + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. + oneOf: + - not: + anyOf: + - required: + - port + - required: + - derivePort + - required: + - port + - required: + - derivePort + properties: + authority: + description: On a redirect, overwrite the Authority/Host + portion of the URL with this value. + type: string + derivePort: + description: |- + On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and 443 for HTTPS. + + Valid Options: FROM_PROTOCOL_DEFAULT, FROM_REQUEST_PORT + enum: + - FROM_PROTOCOL_DEFAULT + - FROM_REQUEST_PORT + type: string + port: + description: On a redirect, overwrite the port portion of + the URL with this value. + maximum: 4294967295 + minimum: 0 + type: integer + redirectCode: + description: On a redirect, Specifies the HTTP status code + to use in the redirect response. + maximum: 4294967295 + minimum: 0 + type: integer + scheme: + description: On a redirect, overwrite the scheme portion + of the URL with this value. + type: string + uri: + description: On a redirect, overwrite the Path portion of + the URL with this value. + type: string + type: object + retries: + description: Retry policy for HTTP requests. + properties: + attempts: + description: Number of retries to be allowed for a given + request. + format: int32 + type: integer + backoff: + description: Specifies the minimum duration between retry + attempts. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + perTryTimeout: + description: Timeout per attempt for a given request, including + the initial call and any retries. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + retryIgnorePreviousHosts: + description: Flag to specify whether the retries should + ignore previously tried hosts during retry. + nullable: true + type: boolean + retryOn: + description: Specifies the conditions under which retry + takes place. + type: string + retryRemoteLocalities: + description: Flag to specify whether the retries should + retry to other localities. + nullable: true + type: boolean + type: object + rewrite: + description: Rewrite HTTP URIs and Authority headers. + properties: + authority: + description: rewrite the Authority/Host header with this + value. + type: string + uri: + description: rewrite the path (or the prefix) portion of + the URI with this value. + type: string + uriRegexRewrite: + description: rewrite the path portion of the URI with the + specified regex. + properties: + match: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + rewrite: + description: The string that should replace into matching + portions of original URI. + type: string + type: object + type: object + route: + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. + items: + properties: + destination: + description: Destination uniquely identifies the instances + of a service to which the request/connection should + be forwarded to. + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + weight: + description: Weight specifies the relative proportion + of traffic to be forwarded to the destination. + format: int32 + type: integer + required: + - destination + type: object + type: array + timeout: + description: Timeout for HTTP requests, default is disabled. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: array + tcp: + description: An ordered list of route rules for opaque TCP traffic. + items: + properties: + match: + description: Match conditions to be satisfied for the rule to + be activated. + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + maximum: 4294967295 + minimum: 0 + type: integer + sourceLabels: + additionalProperties: + type: string + description: One or more labels that constrain the applicability + of a rule to workloads with the given labels. + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + sourceSubnet: + type: string + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. + items: + properties: + destination: + description: Destination uniquely identifies the instances + of a service to which the request/connection should + be forwarded to. + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + weight: + description: Weight specifies the relative proportion + of traffic to be forwarded to the destination. + format: int32 + type: integer + required: + - destination + type: object + type: array + type: object + type: array + tls: + description: An ordered list of route rule for non-terminated TLS + & HTTPS traffic. + items: + properties: + match: + description: Match conditions to be satisfied for the rule to + be activated. + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + maximum: 4294967295 + minimum: 0 + type: integer + sniHosts: + description: SNI (server name indicator) to match on. + items: + type: string + type: array + sourceLabels: + additionalProperties: + type: string + description: One or more labels that constrain the applicability + of a rule to workloads with the given labels. + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + required: + - sniHosts + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. + items: + properties: + destination: + description: Destination uniquely identifies the instances + of a service to which the request/connection should + be forwarded to. + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + weight: + description: Weight specifies the relative proportion + of traffic to be forwarded to the destination. + format: int32 + type: integer + required: + - destination + type: object + type: array + required: + - match + type: object + type: array + type: object + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: The names of gateways and sidecars that should apply these routes + jsonPath: .spec.gateways + name: Gateways + type: string + - description: The destination hosts to which traffic is being sent + jsonPath: .spec.hosts + name: Hosts + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting label/content routing, sni routing, + etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' + properties: + exportTo: + description: A list of namespaces to which this virtual service is + exported. + items: + type: string + type: array + gateways: + description: The names of gateways and sidecars that should apply + these routes. + items: + type: string + type: array + hosts: + description: The destination hosts to which traffic is being sent. + items: + type: string + type: array + http: + description: An ordered list of route rules for HTTP traffic. + items: + properties: + corsPolicy: + description: Cross-Origin Resource Sharing policy (CORS). + properties: + allowCredentials: + description: Indicates whether the caller is allowed to + send the actual request (not the preflight) using credentials. + nullable: true + type: boolean + allowHeaders: + description: List of HTTP headers that can be used when + requesting the resource. + items: + type: string + type: array + allowMethods: + description: List of HTTP methods allowed to access the + resource. + items: + type: string + type: array + allowOrigin: + items: + type: string + type: array + allowOrigins: + description: String patterns that match allowed origins. + items: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + type: array + exposeHeaders: + description: A list of HTTP headers that the browsers are + allowed to access. + items: + type: string + type: array + maxAge: + description: Specifies how long the results of a preflight + request can be cached. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + unmatchedPreflights: + description: |- + Indicates whether preflight requests not matching the configured allowed origin shouldn't be forwarded to the upstream. + + Valid Options: FORWARD, IGNORE + enum: + - UNSPECIFIED + - FORWARD + - IGNORE + type: string + type: object + delegate: + description: Delegate is used to specify the particular VirtualService + which can be used to define delegate HTTPRoute. + properties: + name: + description: Name specifies the name of the delegate VirtualService. + type: string + namespace: + description: Namespace specifies the namespace where the + delegate VirtualService resides. + type: string + type: object + directResponse: + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. + properties: + body: + description: Specifies the content of the response body. + oneOf: + - not: + anyOf: + - required: + - string + - required: + - bytes + - required: + - string + - required: + - bytes + properties: + bytes: + description: response body as base64 encoded bytes. + format: binary + type: string + string: + type: string + type: object + status: + description: Specifies the HTTP response status to be returned. + maximum: 4294967295 + minimum: 0 + type: integer + required: + - status + type: object + fault: + description: Fault injection policy to apply on HTTP traffic + at the client side. + properties: + abort: + description: Abort Http request attempts and return error + codes back to downstream service, giving the impression + that the upstream service is faulty. + oneOf: + - not: + anyOf: + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + - required: + - httpStatus + - required: + - grpcStatus + - required: + - http2Error + properties: + grpcStatus: + description: GRPC status code to use to abort the request. + type: string + http2Error: + type: string + httpStatus: + description: HTTP status code to use to abort the Http + request. + format: int32 + type: integer + percentage: + description: Percentage of requests to be aborted with + the error code provided. + properties: + value: + format: double + type: number + type: object + type: object + delay: + description: Delay requests before forwarding, emulating + various failures such as network issues, overloaded upstream + service, etc. + oneOf: + - not: + anyOf: + - required: + - fixedDelay + - required: + - exponentialDelay + - required: + - fixedDelay + - required: + - exponentialDelay + properties: + exponentialDelay: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + fixedDelay: + description: Add a fixed delay before forwarding the + request. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + percent: + description: Percentage of requests on which the delay + will be injected (0-100). + format: int32 + type: integer + percentage: + description: Percentage of requests on which the delay + will be injected. + properties: + value: + format: double + type: number + type: object + type: object + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + match: + description: Match conditions to be satisfied for the rule to + be activated. + items: + properties: + authority: + description: 'HTTP Authority values are case-sensitive + and formatted as follows: - `exact: "value"` for exact + string match - `prefix: "value"` for prefix-based match + - `regex: "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + headers: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + description: The header keys must be lowercase and use + hyphen as the separator, e.g. + type: object + ignoreUriCase: + description: Flag to specify whether the URI matching + should be case-insensitive. + type: boolean + method: + description: 'HTTP Method values are case-sensitive and + formatted as follows: - `exact: "value"` for exact string + match - `prefix: "value"` for prefix-based match - `regex: + "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + name: + description: The name assigned to a match. + type: string + port: + description: Specifies the ports on the host that is being + addressed. + maximum: 4294967295 + minimum: 0 + type: integer + queryParams: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + description: Query parameters for matching. + type: object + scheme: + description: 'URI Scheme values are case-sensitive and + formatted as follows: - `exact: "value"` for exact string + match - `prefix: "value"` for prefix-based match - `regex: + "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + sourceLabels: + additionalProperties: + type: string + description: One or more labels that constrain the applicability + of a rule to source (client) workloads with the given + labels. + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + statPrefix: + description: The human readable prefix to use when emitting + statistics for this route. + type: string + uri: + description: 'URI to match values are case-sensitive and + formatted as follows: - `exact: "value"` for exact string + match - `prefix: "value"` for prefix-based match - `regex: + "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + withoutHeaders: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - exact + - required: + - prefix + - required: + - regex + - required: + - exact + - required: + - prefix + - required: + - regex + properties: + exact: + type: string + prefix: + type: string + regex: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + type: object + description: withoutHeader has the same syntax with the + header, but has opposite meaning. + type: object + type: object + type: array + mirror: + description: Mirror HTTP traffic to a another destination in + addition to forwarding the requests to the intended destination. + properties: + host: + description: The name of a service from the service registry. + type: string + port: + description: Specifies the port on the host that is being + addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + mirror_percent: + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + mirrorPercent: + maximum: 4294967295 + minimum: 0 + nullable: true + type: integer + mirrorPercentage: + description: Percentage of the traffic to be mirrored by the + `mirror` field. + properties: + value: + format: double + type: number + type: object + mirrors: + description: Specifies the destinations to mirror HTTP traffic + in addition to the original destination. + items: + properties: + destination: + description: Destination specifies the target of the mirror + operation. + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + percentage: + description: Percentage of the traffic to be mirrored + by the `destination` field. + properties: + value: + format: double + type: number + type: object + required: + - destination + type: object + type: array + name: + description: The name assigned to the route for debugging purposes. + type: string + redirect: + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. + oneOf: + - not: + anyOf: + - required: + - port + - required: + - derivePort + - required: + - port + - required: + - derivePort + properties: + authority: + description: On a redirect, overwrite the Authority/Host + portion of the URL with this value. + type: string + derivePort: + description: |- + On a redirect, dynamically set the port: * FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and 443 for HTTPS. + + Valid Options: FROM_PROTOCOL_DEFAULT, FROM_REQUEST_PORT + enum: + - FROM_PROTOCOL_DEFAULT + - FROM_REQUEST_PORT + type: string + port: + description: On a redirect, overwrite the port portion of + the URL with this value. + maximum: 4294967295 + minimum: 0 + type: integer + redirectCode: + description: On a redirect, Specifies the HTTP status code + to use in the redirect response. + maximum: 4294967295 + minimum: 0 + type: integer + scheme: + description: On a redirect, overwrite the scheme portion + of the URL with this value. + type: string + uri: + description: On a redirect, overwrite the Path portion of + the URL with this value. + type: string + type: object + retries: + description: Retry policy for HTTP requests. + properties: + attempts: + description: Number of retries to be allowed for a given + request. + format: int32 + type: integer + backoff: + description: Specifies the minimum duration between retry + attempts. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + perTryTimeout: + description: Timeout per attempt for a given request, including + the initial call and any retries. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + retryIgnorePreviousHosts: + description: Flag to specify whether the retries should + ignore previously tried hosts during retry. + nullable: true + type: boolean + retryOn: + description: Specifies the conditions under which retry + takes place. + type: string + retryRemoteLocalities: + description: Flag to specify whether the retries should + retry to other localities. + nullable: true + type: boolean + type: object + rewrite: + description: Rewrite HTTP URIs and Authority headers. + properties: + authority: + description: rewrite the Authority/Host header with this + value. + type: string + uri: + description: rewrite the path (or the prefix) portion of + the URI with this value. + type: string + uriRegexRewrite: + description: rewrite the path portion of the URI with the + specified regex. + properties: + match: + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' + type: string + rewrite: + description: The string that should replace into matching + portions of original URI. + type: string + type: object + type: object + route: + description: A HTTP rule can either return a direct_response, + redirect or forward (default) traffic. + items: + properties: + destination: + description: Destination uniquely identifies the instances + of a service to which the request/connection should + be forwarded to. + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + headers: + properties: + request: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + response: + properties: + add: + additionalProperties: + type: string + type: object + remove: + items: + type: string + type: array + set: + additionalProperties: + type: string + type: object + type: object + type: object + weight: + description: Weight specifies the relative proportion + of traffic to be forwarded to the destination. + format: int32 + type: integer + required: + - destination + type: object + type: array + timeout: + description: Timeout for HTTP requests, default is disabled. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: array + tcp: + description: An ordered list of route rules for opaque TCP traffic. + items: + properties: + match: + description: Match conditions to be satisfied for the rule to + be activated. + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + maximum: 4294967295 + minimum: 0 + type: integer + sourceLabels: + additionalProperties: + type: string + description: One or more labels that constrain the applicability + of a rule to workloads with the given labels. + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + sourceSubnet: + type: string + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. + items: + properties: + destination: + description: Destination uniquely identifies the instances + of a service to which the request/connection should + be forwarded to. + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + weight: + description: Weight specifies the relative proportion + of traffic to be forwarded to the destination. + format: int32 + type: integer + required: + - destination + type: object + type: array + type: object + type: array + tls: + description: An ordered list of route rule for non-terminated TLS + & HTTPS traffic. + items: + properties: + match: + description: Match conditions to be satisfied for the rule to + be activated. + items: + properties: + destinationSubnets: + description: IPv4 or IPv6 ip addresses of destination + with optional subnet. + items: + type: string + type: array + gateways: + description: Names of gateways where the rule should be + applied. + items: + type: string + type: array + port: + description: Specifies the port on the host that is being + addressed. + maximum: 4294967295 + minimum: 0 + type: integer + sniHosts: + description: SNI (server name indicator) to match on. + items: + type: string + type: array + sourceLabels: + additionalProperties: + type: string + description: One or more labels that constrain the applicability + of a rule to workloads with the given labels. + type: object + sourceNamespace: + description: Source namespace constraining the applicability + of a rule to workloads in that namespace. + type: string + required: + - sniHosts + type: object + type: array + route: + description: The destination to which the connection should + be forwarded to. + items: + properties: + destination: + description: Destination uniquely identifies the instances + of a service to which the request/connection should + be forwarded to. + properties: + host: + description: The name of a service from the service + registry. + type: string + port: + description: Specifies the port on the host that is + being addressed. + properties: + number: + maximum: 4294967295 + minimum: 0 + type: integer + type: object + subset: + description: The name of a subset within the service. + type: string + required: + - host + type: object + weight: + description: Weight specifies the relative proportion + of traffic to be forwarded to the destination. + format: int32 + type: integer + required: + - destination + type: object + type: array + required: + - match + type: object + type: array + type: object + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/networking.istio.io_workloadentries.yaml b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/networking.istio.io_workloadentries.yaml new file mode 100644 index 0000000000..4e254f3683 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/networking.istio.io_workloadentries.yaml @@ -0,0 +1,505 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: workloadentries.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: WorkloadEntry + listKind: WorkloadEntryList + plural: workloadentries + shortNames: + - we + singular: workloadentry + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: Address associated with the network endpoint. + jsonPath: .spec.address + name: Address + type: string + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting VMs onboarded into the mesh. See + more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' + properties: + address: + description: Address associated with the network endpoint without + the port. + maxLength: 256 + type: string + x-kubernetes-validations: + - message: UDS must be an absolute path or abstract socket + rule: 'self.startsWith("unix://") ? (self.substring(7, 8) == "/" + || self.substring(7, 8) == "@") : true' + - message: UDS may not be a dir + rule: 'self.startsWith("unix://") ? !self.endsWith("/") : true' + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + maxProperties: 256 + type: object + locality: + description: The locality associated with the endpoint. + maxLength: 2048 + type: string + network: + description: Network enables Istio to group endpoints resident in + the same L3 domain/network. + maxLength: 2048 + type: string + ports: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + description: Set of ports associated with the endpoint. + maxProperties: 128 + type: object + x-kubernetes-validations: + - message: port name must be valid + rule: self.all(key, size(key) < 63 && key.matches("^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$")) + serviceAccount: + description: The service account associated with the workload if a + sidecar is present in the workload. + maxLength: 253 + type: string + weight: + description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 + type: integer + type: object + x-kubernetes-validations: + - message: Address is required + rule: has(self.address) || has(self.network) + - message: UDS may not include ports + rule: '(has(self.address) ? self.address : "").startsWith("unix://") + ? !has(self.ports) : true' + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: Address associated with the network endpoint. + jsonPath: .spec.address + name: Address + type: string + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting VMs onboarded into the mesh. See + more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' + properties: + address: + description: Address associated with the network endpoint without + the port. + maxLength: 256 + type: string + x-kubernetes-validations: + - message: UDS must be an absolute path or abstract socket + rule: 'self.startsWith("unix://") ? (self.substring(7, 8) == "/" + || self.substring(7, 8) == "@") : true' + - message: UDS may not be a dir + rule: 'self.startsWith("unix://") ? !self.endsWith("/") : true' + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + maxProperties: 256 + type: object + locality: + description: The locality associated with the endpoint. + maxLength: 2048 + type: string + network: + description: Network enables Istio to group endpoints resident in + the same L3 domain/network. + maxLength: 2048 + type: string + ports: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + description: Set of ports associated with the endpoint. + maxProperties: 128 + type: object + x-kubernetes-validations: + - message: port name must be valid + rule: self.all(key, size(key) < 63 && key.matches("^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$")) + serviceAccount: + description: The service account associated with the workload if a + sidecar is present in the workload. + maxLength: 253 + type: string + weight: + description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 + type: integer + type: object + x-kubernetes-validations: + - message: Address is required + rule: has(self.address) || has(self.network) + - message: UDS may not include ports + rule: '(has(self.address) ? self.address : "").startsWith("unix://") + ? !has(self.ports) : true' + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: Address associated with the network endpoint. + jsonPath: .spec.address + name: Address + type: string + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration affecting VMs onboarded into the mesh. See + more details at: https://istio.io/docs/reference/config/networking/workload-entry.html' + properties: + address: + description: Address associated with the network endpoint without + the port. + maxLength: 256 + type: string + x-kubernetes-validations: + - message: UDS must be an absolute path or abstract socket + rule: 'self.startsWith("unix://") ? (self.substring(7, 8) == "/" + || self.substring(7, 8) == "@") : true' + - message: UDS may not be a dir + rule: 'self.startsWith("unix://") ? !self.endsWith("/") : true' + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + maxProperties: 256 + type: object + locality: + description: The locality associated with the endpoint. + maxLength: 2048 + type: string + network: + description: Network enables Istio to group endpoints resident in + the same L3 domain/network. + maxLength: 2048 + type: string + ports: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + description: Set of ports associated with the endpoint. + maxProperties: 128 + type: object + x-kubernetes-validations: + - message: port name must be valid + rule: self.all(key, size(key) < 63 && key.matches("^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$")) + serviceAccount: + description: The service account associated with the workload if a + sidecar is present in the workload. + maxLength: 253 + type: string + weight: + description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 + type: integer + type: object + x-kubernetes-validations: + - message: Address is required + rule: has(self.address) || has(self.network) + - message: UDS may not include ports + rule: '(has(self.address) ? self.address : "").startsWith("unix://") + ? !has(self.ports) : true' + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/networking.istio.io_workloadgroups.yaml b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/networking.istio.io_workloadgroups.yaml new file mode 100644 index 0000000000..c1e02618f9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/networking.istio.io_workloadgroups.yaml @@ -0,0 +1,949 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + release: istio + name: workloadgroups.networking.istio.io +spec: + group: networking.istio.io + names: + categories: + - istio-io + - networking-istio-io + kind: WorkloadGroup + listKind: WorkloadGroupList + plural: workloadgroups + shortNames: + - wg + singular: workloadgroup + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Describes a collection of workload instances. See more details + at: https://istio.io/docs/reference/config/networking/workload-group.html' + properties: + metadata: + description: Metadata that will be used for all corresponding `WorkloadEntries`. + properties: + annotations: + additionalProperties: + type: string + maxProperties: 256 + type: object + labels: + additionalProperties: + type: string + maxProperties: 256 + type: object + type: object + probe: + description: '`ReadinessProbe` describes the configuration the user + must provide for healthchecking on their workload.' + oneOf: + - not: + anyOf: + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + - required: + - grpc + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + - required: + - grpc + properties: + exec: + description: Health is determined by how the command that is executed + exited. + properties: + command: + description: Command to run. + items: + minLength: 1 + type: string + type: array + required: + - command + type: object + failureThreshold: + description: Minimum consecutive failures for the probe to be + considered failed after having succeeded. + format: int32 + minimum: 0 + type: integer + grpc: + description: GRPC call is made and response/error is used to determine + health. + properties: + port: + description: Port on which the endpoint lives. + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + service: + type: string + type: object + httpGet: + description: '`httpGet` is performed to a given endpoint and the + status/able to connect determines health.' + properties: + host: + description: Host name to connect to, defaults to the pod + IP. + type: string + httpHeaders: + description: Headers the proxy will pass on to make the request. + items: + properties: + name: + pattern: ^[-_A-Za-z0-9]+$ + type: string + value: + type: string + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + description: Port on which the endpoint lives. + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + scheme: + type: string + x-kubernetes-validations: + - message: scheme must be one of [HTTP, HTTPS] + rule: self in ["", "HTTP", "HTTPS"] + required: + - port + type: object + initialDelaySeconds: + description: Number of seconds after the container has started + before readiness probes are initiated. + format: int32 + minimum: 0 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. + format: int32 + minimum: 0 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe to be + considered successful after having failed. + format: int32 + minimum: 0 + type: integer + tcpSocket: + description: Health is determined by if the proxy is able to connect. + properties: + host: + type: string + port: + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + required: + - port + type: object + timeoutSeconds: + description: Number of seconds after which the probe times out. + format: int32 + minimum: 0 + type: integer + type: object + template: + description: Template to be used for the generation of `WorkloadEntry` + resources that belong to this `WorkloadGroup`. + properties: + address: + description: Address associated with the network endpoint without + the port. + maxLength: 256 + type: string + x-kubernetes-validations: + - message: UDS must be an absolute path or abstract socket + rule: 'self.startsWith("unix://") ? (self.substring(7, 8) == + "/" || self.substring(7, 8) == "@") : true' + - message: UDS may not be a dir + rule: 'self.startsWith("unix://") ? !self.endsWith("/") : true' + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + maxProperties: 256 + type: object + locality: + description: The locality associated with the endpoint. + maxLength: 2048 + type: string + network: + description: Network enables Istio to group endpoints resident + in the same L3 domain/network. + maxLength: 2048 + type: string + ports: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + description: Set of ports associated with the endpoint. + maxProperties: 128 + type: object + x-kubernetes-validations: + - message: port name must be valid + rule: self.all(key, size(key) < 63 && key.matches("^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$")) + serviceAccount: + description: The service account associated with the workload + if a sidecar is present in the workload. + maxLength: 253 + type: string + weight: + description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 + type: integer + type: object + x-kubernetes-validations: + - message: UDS may not include ports + rule: '(has(self.address) ? self.address : "").startsWith("unix://") + ? !has(self.ports) : true' + required: + - template + type: object + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Describes a collection of workload instances. See more details + at: https://istio.io/docs/reference/config/networking/workload-group.html' + properties: + metadata: + description: Metadata that will be used for all corresponding `WorkloadEntries`. + properties: + annotations: + additionalProperties: + type: string + maxProperties: 256 + type: object + labels: + additionalProperties: + type: string + maxProperties: 256 + type: object + type: object + probe: + description: '`ReadinessProbe` describes the configuration the user + must provide for healthchecking on their workload.' + oneOf: + - not: + anyOf: + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + - required: + - grpc + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + - required: + - grpc + properties: + exec: + description: Health is determined by how the command that is executed + exited. + properties: + command: + description: Command to run. + items: + minLength: 1 + type: string + type: array + required: + - command + type: object + failureThreshold: + description: Minimum consecutive failures for the probe to be + considered failed after having succeeded. + format: int32 + minimum: 0 + type: integer + grpc: + description: GRPC call is made and response/error is used to determine + health. + properties: + port: + description: Port on which the endpoint lives. + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + service: + type: string + type: object + httpGet: + description: '`httpGet` is performed to a given endpoint and the + status/able to connect determines health.' + properties: + host: + description: Host name to connect to, defaults to the pod + IP. + type: string + httpHeaders: + description: Headers the proxy will pass on to make the request. + items: + properties: + name: + pattern: ^[-_A-Za-z0-9]+$ + type: string + value: + type: string + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + description: Port on which the endpoint lives. + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + scheme: + type: string + x-kubernetes-validations: + - message: scheme must be one of [HTTP, HTTPS] + rule: self in ["", "HTTP", "HTTPS"] + required: + - port + type: object + initialDelaySeconds: + description: Number of seconds after the container has started + before readiness probes are initiated. + format: int32 + minimum: 0 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. + format: int32 + minimum: 0 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe to be + considered successful after having failed. + format: int32 + minimum: 0 + type: integer + tcpSocket: + description: Health is determined by if the proxy is able to connect. + properties: + host: + type: string + port: + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + required: + - port + type: object + timeoutSeconds: + description: Number of seconds after which the probe times out. + format: int32 + minimum: 0 + type: integer + type: object + template: + description: Template to be used for the generation of `WorkloadEntry` + resources that belong to this `WorkloadGroup`. + properties: + address: + description: Address associated with the network endpoint without + the port. + maxLength: 256 + type: string + x-kubernetes-validations: + - message: UDS must be an absolute path or abstract socket + rule: 'self.startsWith("unix://") ? (self.substring(7, 8) == + "/" || self.substring(7, 8) == "@") : true' + - message: UDS may not be a dir + rule: 'self.startsWith("unix://") ? !self.endsWith("/") : true' + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + maxProperties: 256 + type: object + locality: + description: The locality associated with the endpoint. + maxLength: 2048 + type: string + network: + description: Network enables Istio to group endpoints resident + in the same L3 domain/network. + maxLength: 2048 + type: string + ports: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + description: Set of ports associated with the endpoint. + maxProperties: 128 + type: object + x-kubernetes-validations: + - message: port name must be valid + rule: self.all(key, size(key) < 63 && key.matches("^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$")) + serviceAccount: + description: The service account associated with the workload + if a sidecar is present in the workload. + maxLength: 253 + type: string + weight: + description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 + type: integer + type: object + x-kubernetes-validations: + - message: UDS may not include ports + rule: '(has(self.address) ? self.address : "").startsWith("unix://") + ? !has(self.ports) : true' + required: + - template + type: object + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Describes a collection of workload instances. See more details + at: https://istio.io/docs/reference/config/networking/workload-group.html' + properties: + metadata: + description: Metadata that will be used for all corresponding `WorkloadEntries`. + properties: + annotations: + additionalProperties: + type: string + maxProperties: 256 + type: object + labels: + additionalProperties: + type: string + maxProperties: 256 + type: object + type: object + probe: + description: '`ReadinessProbe` describes the configuration the user + must provide for healthchecking on their workload.' + oneOf: + - not: + anyOf: + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + - required: + - grpc + - required: + - httpGet + - required: + - tcpSocket + - required: + - exec + - required: + - grpc + properties: + exec: + description: Health is determined by how the command that is executed + exited. + properties: + command: + description: Command to run. + items: + minLength: 1 + type: string + type: array + required: + - command + type: object + failureThreshold: + description: Minimum consecutive failures for the probe to be + considered failed after having succeeded. + format: int32 + minimum: 0 + type: integer + grpc: + description: GRPC call is made and response/error is used to determine + health. + properties: + port: + description: Port on which the endpoint lives. + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + service: + type: string + type: object + httpGet: + description: '`httpGet` is performed to a given endpoint and the + status/able to connect determines health.' + properties: + host: + description: Host name to connect to, defaults to the pod + IP. + type: string + httpHeaders: + description: Headers the proxy will pass on to make the request. + items: + properties: + name: + pattern: ^[-_A-Za-z0-9]+$ + type: string + value: + type: string + type: object + type: array + path: + description: Path to access on the HTTP server. + type: string + port: + description: Port on which the endpoint lives. + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + scheme: + type: string + x-kubernetes-validations: + - message: scheme must be one of [HTTP, HTTPS] + rule: self in ["", "HTTP", "HTTPS"] + required: + - port + type: object + initialDelaySeconds: + description: Number of seconds after the container has started + before readiness probes are initiated. + format: int32 + minimum: 0 + type: integer + periodSeconds: + description: How often (in seconds) to perform the probe. + format: int32 + minimum: 0 + type: integer + successThreshold: + description: Minimum consecutive successes for the probe to be + considered successful after having failed. + format: int32 + minimum: 0 + type: integer + tcpSocket: + description: Health is determined by if the proxy is able to connect. + properties: + host: + type: string + port: + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + required: + - port + type: object + timeoutSeconds: + description: Number of seconds after which the probe times out. + format: int32 + minimum: 0 + type: integer + type: object + template: + description: Template to be used for the generation of `WorkloadEntry` + resources that belong to this `WorkloadGroup`. + properties: + address: + description: Address associated with the network endpoint without + the port. + maxLength: 256 + type: string + x-kubernetes-validations: + - message: UDS must be an absolute path or abstract socket + rule: 'self.startsWith("unix://") ? (self.substring(7, 8) == + "/" || self.substring(7, 8) == "@") : true' + - message: UDS may not be a dir + rule: 'self.startsWith("unix://") ? !self.endsWith("/") : true' + labels: + additionalProperties: + type: string + description: One or more labels associated with the endpoint. + maxProperties: 256 + type: object + locality: + description: The locality associated with the endpoint. + maxLength: 2048 + type: string + network: + description: Network enables Istio to group endpoints resident + in the same L3 domain/network. + maxLength: 2048 + type: string + ports: + additionalProperties: + maximum: 4294967295 + minimum: 0 + type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 + description: Set of ports associated with the endpoint. + maxProperties: 128 + type: object + x-kubernetes-validations: + - message: port name must be valid + rule: self.all(key, size(key) < 63 && key.matches("^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$")) + serviceAccount: + description: The service account associated with the workload + if a sidecar is present in the workload. + maxLength: 253 + type: string + weight: + description: The load balancing weight associated with the endpoint. + maximum: 4294967295 + minimum: 0 + type: integer + type: object + x-kubernetes-validations: + - message: UDS may not include ports + rule: '(has(self.address) ? self.address : "").startsWith("unix://") + ? !has(self.ports) : true' + required: + - template + type: object + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/sailoperator.io_istiocnis.yaml b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/sailoperator.io_istiocnis.yaml new file mode 100644 index 0000000000..0d53b3feee --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/sailoperator.io_istiocnis.yaml @@ -0,0 +1,1540 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.19.0 + name: istiocnis.sailoperator.io +spec: + group: sailoperator.io + names: + categories: + - istio-io + kind: IstioCNI + listKind: IstioCNIList + plural: istiocnis + singular: istiocni + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The namespace of the istio-cni-node DaemonSet. + jsonPath: .spec.namespace + name: Namespace + type: string + - description: The selected profile (collection of value presets). + jsonPath: .spec.profile + name: Profile + type: string + - description: Whether the Istio CNI installation is ready to handle requests. + jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - description: The current state of this object. + jsonPath: .status.state + name: Status + type: string + - description: The version of the Istio CNI installation. + jsonPath: .spec.version + name: Version + type: string + - description: The age of the object + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: IstioCNI represents a deployment of the Istio CNI component. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + default: + namespace: istio-cni + version: v1.28.5 + description: IstioCNISpec defines the desired state of IstioCNI + properties: + namespace: + default: istio-cni + description: Namespace to which the Istio CNI component should be + installed. Note that this field is immutable. + type: string + x-kubernetes-validations: + - message: Value is immutable + rule: self == oldSelf + profile: + description: |- + The built-in installation configuration profile to use. + The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'. + Must be one of: ambient, default, demo, empty, openshift, openshift-ambient, preview, remote, stable. + enum: + - ambient + - default + - demo + - empty + - external + - openshift + - openshift-ambient + - preview + - remote + - stable + type: string + values: + description: Defines the values to be passed to the Helm charts when + installing Istio CNI. + properties: + cni: + description: Configuration for the Istio CNI plugin. + properties: + affinity: + description: K8s affinity to set on the istio-cni Pods. Can + be used to exclude istio-cni from being scheduled on specified + nodes. + properties: + nodeAffinity: + description: Describes node affinity scheduling rules + for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node matches the corresponding matchExpressions; the + node(s) with the highest sum are the most preferred. + items: + description: |- + An empty preferred scheduling term matches all objects with implicit weight 0 + (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). + properties: + preference: + description: A node selector term, associated + with the corresponding weight. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the + selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the + selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching + the corresponding nodeSelectorTerm, in the + range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector + terms. The terms are ORed. + items: + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the + selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the + selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: Describes pod affinity scheduling rules (e.g. + co-locate this pod in the same node, zone, etc. as some + other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. + items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling rules + (e.g. avoid putting this pod in the same node, zone, + etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the anti-affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, etc.), + compute a sum by iterating through the elements of this field and subtracting + "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the anti-affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the anti-affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. + items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: object + ambient: + description: Configuration for Istio Ambient. + properties: + configDir: + description: The directory path containing the configuration + files for Ambient. Defaults to /etc/ambient-config. + type: string + dnsCapture: + description: If enabled, and ambient is enabled, DNS redirection + will be enabled. + type: boolean + enabled: + description: Controls whether ambient redirection is enabled + type: boolean + ipv6: + description: 'UNSTABLE: If enabled, and ambient is enabled, + enables ipv6 support' + type: boolean + reconcileIptablesOnStartup: + description: If enabled, and ambient is enabled, iptables + reconciliation will be enabled. + type: boolean + type: object + chained: + description: |- + Configure the plugin as a chained CNI plugin. When true, the configuration is added to the CNI chain; when false, + the configuration is added as a standalone file in the CNI configuration directory. + type: boolean + cniBinDir: + description: The directory path within the cluster node's + filesystem where the CNI binaries are to be installed. Typically + /var/lib/cni/bin. + type: string + cniConfDir: + description: The directory path within the cluster node's + filesystem where the CNI configuration files are to be installed. + Typically /etc/cni/net.d. + type: string + cniConfFileName: + description: The name of the CNI plugin configuration file. + Defaults to istio-cni.conf. + type: string + cniNetnsDir: + description: |- + The directory path within the cluster node's filesystem where network namespaces are located. + Defaults to '/var/run/netns', in minikube/docker/others can be '/var/run/docker/netns'. + type: string + daemonSetLabels: + additionalProperties: + type: string + description: Additional labels to apply to the istio-cni DaemonSet. + type: object + env: + additionalProperties: + type: string + description: "Environment variables passed to the CNI container.\n\nExamples:\nenv:\n\n\tENV_VAR_1: + value1\n\tENV_VAR_2: value2" + type: object + excludeNamespaces: + description: List of namespaces that should be ignored by + the CNI plugin. + items: + type: string + type: array + hub: + description: Hub to pull the container image from. Image will + be `Hub/Image:Tag-Variant`. + type: string + image: + description: |- + Image name to pull from. Image will be `Hub/Image:Tag-Variant`. + If Image contains a "/", it will replace the entire `image` in the pod. + type: string + istioOwnedCNIConfig: + description: Specifies if an Istio owned CNI config should + be created. + type: boolean + istioOwnedCNIConfigFileName: + type: string + logging: + description: Same as `global.logging.level`, but will override + it if set + properties: + level: + description: |- + Comma-separated minimum per-scope logging level of messages to output, in the form of :,: + The control plane has different scopes depending on component, but can configure default log level across all components + If empty, default scope and level will be used as configured in code + type: string + type: object + podAnnotations: + additionalProperties: + type: string + description: |- + Additional annotations to apply to the istio-cni Pods. + + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. + type: object + podLabels: + additionalProperties: + type: string + description: Additional labels to apply to the istio-cni Pods. + type: object + privileged: + description: |- + No longer used for CNI. See: https://github.com/istio/istio/issues/49004 + + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. + type: boolean + provider: + description: |- + Specifies the CNI provider. Can be either "default" or "multus". When set to "multus", an additional + NetworkAttachmentDefinition resource is deployed to the cluster to allow the istio-cni plugin to be + invoked in a cluster using the Multus CNI plugin. + type: string + psp_cluster_role: + description: PodSecurityPolicy cluster role. No longer used + anywhere. + type: string + pullPolicy: + description: |- + Specifies the image pull policy. one of Always, Never, IfNotPresent. + Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated. + + More info: https://kubernetes.io/docs/concepts/containers/images#updating-images + enum: + - Always + - Never + - IfNotPresent + type: string + repair: + description: Configuration for the CNI Repair controller. + properties: + brokenPodLabelKey: + description: The label key to apply to a broken pod when + the controller is in labelPods mode. + type: string + brokenPodLabelValue: + description: The label value to apply to a broken pod + when the controller is in labelPods mode. + type: string + createEvents: + description: |- + No longer used. + + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. + type: string + deletePods: + description: |- + The Repair controller has 3 modes (labelPods, deletePods, and repairPods). Pick which one meets your use cases. Note only one may be used. + The mode defines the action the controller will take when a pod is detected as broken. + If deletePods is true, the controller will delete the broken pod. The pod will then be rescheduled, hopefully onto a node that is fully ready. + Note this gives the DaemonSet a relatively high privilege, as it can delete any Pod. + type: boolean + enabled: + description: Controls whether repair behavior is enabled. + type: boolean + hub: + description: Hub to pull the container image from. Image + will be `Hub/Image:Tag-Variant`. + type: string + image: + description: |- + Image name to pull from. Image will be `Hub/Image:Tag-Variant`. + If Image contains a "/", it will replace the entire `image` in the pod. + type: string + initContainerName: + description: The name of the init container to use for + the repairPods mode. + type: string + labelPods: + description: |- + The Repair controller has 3 modes (labelPods, deletePods, and repairPods). Pick which one meets your use cases. Note only one may be used. + The mode defines the action the controller will take when a pod is detected as broken. + If labelPods is true, the controller will label all broken pods with =. + This is only capable of identifying broken pods; the user is responsible for fixing them (generally, by deleting them). + Note this gives the DaemonSet a relatively high privilege, as modifying pod metadata/status can have wider impacts. + type: boolean + repairPods: + description: |- + The Repair controller has 3 modes (labelPods, deletePods, and repairPods). Pick which one meets your use cases. Note only one may be used. + The mode defines the action the controller will take when a pod is detected as broken. + If repairPods is true, the controller will dynamically repair any broken pod by setting up the pod networking configuration even after it has started. + Note the pod will be crashlooping, so this may take a few minutes to become fully functional based on when the retry occurs. + This requires no RBAC privilege, but will require the CNI agent to run as a privileged pod. + type: boolean + tag: + description: The container image tag to pull. Image will + be `Hub/Image:Tag-Variant`. + type: string + type: object + resource_quotas: + description: The resource quotas configuration for the CNI + DaemonSet. + properties: + enabled: + description: Controls whether to create resource quotas + or not for the CNI DaemonSet. + type: boolean + pods: + description: The hard limit on the number of pods in the + namespace where the CNI DaemonSet is deployed. + format: int64 + type: integer + type: object + resources: + description: The k8s resource requests and limits for the + istio-cni Pods. + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + This field depends on the + DynamicResourceAllocation feature gate. + + This field is immutable. It can only be set for containers. + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + rollingMaxUnavailable: + anyOf: + - type: integer + - type: string + description: |- + The number of pods that can be unavailable during a rolling update of the CNI DaemonSet (see + `updateStrategy.rollingUpdate.maxUnavailable` here: + https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec). + May be specified as a number of pods or as a percent of the total number + of pods at the start of the update. + x-kubernetes-int-or-string: true + seccompProfile: + description: |- + The Container seccompProfile + + See: https://kubernetes.io/docs/tutorials/security/seccomp/ + properties: + localhostProfile: + description: |- + localhostProfile indicates a profile defined in a file on the node should be used. + The profile must be preconfigured on the node to work. + Must be a descending path, relative to the kubelet's configured seccomp profile location. + Must be set if type is "Localhost". Must NOT be set for any other type. + type: string + type: + description: |- + type indicates which kind of seccomp profile will be applied. + Valid options are: + + Localhost - a profile defined in a file on the node should be used. + RuntimeDefault - the container runtime default profile should be used. + Unconfined - no profile should be applied. + type: string + required: + - type + type: object + tag: + description: The container image tag to pull. Image will be + `Hub/Image:Tag-Variant`. + type: string + variant: + description: The container image variant to pull. Options + are "debug" or "distroless". Unset will use the default + for the given version. + type: string + type: object + global: + description: Part of the global configuration applicable to the + Istio CNI component. + properties: + defaultResources: + description: |- + See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container + + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + This field depends on the + DynamicResourceAllocation feature gate. + + This field is immutable. It can only be set for containers. + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + hub: + description: Specifies the docker hub for Istio images. + type: string + imagePullPolicy: + description: |- + Specifies the image pull policy for the Istio images. one of Always, Never, IfNotPresent. + Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated. + + More info: https://kubernetes.io/docs/concepts/containers/images#updating-images + enum: + - Always + - Never + - IfNotPresent + type: string + imagePullSecrets: + description: |- + ImagePullSecrets for the control plane ServiceAccount, list of secrets in the same namespace + to use for pulling any images in pods that reference this ServiceAccount. + Must be set for any cluster configured with private docker registry. + items: + type: string + type: array + logAsJson: + description: Specifies whether istio components should output + logs in json format by adding --log_as_json argument to + each container. + type: boolean + logging: + description: Specifies the global logging level settings for + the Istio control plane components. + properties: + level: + description: |- + Comma-separated minimum per-scope logging level of messages to output, in the form of :,: + The control plane has different scopes depending on component, but can configure default log level across all components + If empty, default scope and level will be used as configured in code + type: string + type: object + nativeNftables: + description: Specifies whether native nftables rules should + be used instead of iptables rules for traffic redirection. + type: boolean + platform: + description: |- + Platform in which Istio is deployed. Possible values are: "openshift" and "gcp" + An empty value means it is a vanilla Kubernetes distribution, therefore no special + treatment will be considered. + type: string + tag: + description: Specifies the tag for the Istio docker images. + type: string + variant: + description: The variant of the Istio container images to + use. Options are "debug" or "distroless". Unset will use + the default for the given version. + type: string + type: object + type: object + version: + default: v1.28.5 + description: |- + Defines the version of Istio to install. + Must be one of: v1.28-latest, v1.28.5, v1.28.4, v1.27-latest, v1.27.8, v1.27.5, v1.27.3, v1.26-latest, v1.26.8, v1.26.6, v1.26.4, v1.26.3, v1.26.2. + enum: + - v1.28-latest + - v1.28.5 + - v1.28.4 + - v1.27-latest + - v1.27.8 + - v1.27.5 + - v1.27.3 + - v1.26-latest + - v1.26.8 + - v1.26.6 + - v1.26.4 + - v1.26.3 + - v1.26.2 + type: string + required: + - namespace + - version + type: object + status: + description: IstioCNIStatus defines the observed state of IstioCNI + properties: + conditions: + description: Represents the latest available observations of the object's + current state. + items: + description: IstioCNICondition represents a specific observation + of the IstioCNI object's state. + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + the last transition. + type: string + reason: + description: Unique, single-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: The status of this condition. Can be True, False + or Unknown. + type: string + type: + description: The type of this condition. + type: string + type: object + type: array + observedGeneration: + description: |- + ObservedGeneration is the most recent generation observed for this + IstioCNI object. It corresponds to the object's generation, which is + updated on mutation by the API Server. The information in the status + pertains to this particular generation of the object. + format: int64 + type: integer + state: + description: Reports the current state of the object. + type: string + type: object + type: object + x-kubernetes-validations: + - message: metadata.name must be 'default' + rule: self.metadata.name == 'default' + served: true + storage: true + subresources: + status: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/sailoperator.io_istiorevisions.yaml b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/sailoperator.io_istiorevisions.yaml new file mode 100644 index 0000000000..c3a682964f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/sailoperator.io_istiorevisions.yaml @@ -0,0 +1,10079 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.19.0 + name: istiorevisions.sailoperator.io +spec: + group: sailoperator.io + names: + categories: + - istio-io + kind: IstioRevision + listKind: IstioRevisionList + plural: istiorevisions + shortNames: + - istiorev + singular: istiorevision + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The namespace for the control plane components. + jsonPath: .spec.namespace + name: Namespace + type: string + - description: The selected profile (collection of value presets). + jsonPath: .spec.values.profile + name: Profile + type: string + - description: Whether the control plane installation is ready to handle requests. + jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - description: The current state of this object. + jsonPath: .status.state + name: Status + type: string + - description: Whether the revision is being used by workloads. + jsonPath: .status.conditions[?(@.type=="InUse")].status + name: In use + type: string + - description: The version of the control plane installation. + jsonPath: .spec.version + name: Version + type: string + - description: The age of the object + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + IstioRevision represents a single revision of an Istio Service Mesh deployment. + Users shouldn't create IstioRevision objects directly. Instead, they should + create an Istio object and allow the operator to create the underlying + IstioRevision object(s). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: IstioRevisionSpec defines the desired state of IstioRevision + properties: + namespace: + description: Namespace to which the Istio components should be installed. + type: string + x-kubernetes-validations: + - message: Value is immutable + rule: self == oldSelf + values: + description: Defines the values to be passed to the Helm charts when + installing Istio. + properties: + base: + description: Configuration for the base component. + properties: + excludedCRDs: + description: CRDs to exclude. Requires `enableCRDTemplates` + items: + type: string + type: array + validationCABundle: + description: validation webhook CA bundle + type: string + validationURL: + description: URL to use for validating webhook. + type: string + type: object + compatibilityVersion: + description: |- + Specifies the compatibility version to use. When this is set, the control plane will + be configured with the same defaults as the specified version. + type: string + defaultRevision: + description: |- + The name of the default revision in the cluster. + Deprecated: This field is ignored. The default revision is expected to be configurable elsewhere. + type: string + experimental: + description: Specifies experimental helm fields that could be + removed or changed in the future + x-kubernetes-preserve-unknown-fields: true + gatewayClasses: + description: Configuration for Gateway Classes + x-kubernetes-preserve-unknown-fields: true + global: + description: Global configuration for Istio components. + properties: + arch: + description: "Specifies pod scheduling arch(amd64, ppc64le, + s390x, arm64) and weight as follows:\n\n\t0 - Never scheduled\n\t1 + - Least preferred\n\t2 - No preference\n\t3 - Most preferred\n\nDeprecated: + replaced by the affinity k8s settings which allows architecture + nodeAffinity configuration of this behavior.\n\nDeprecated: + Marked as deprecated in pkg/apis/values_types.proto." + properties: + amd64: + description: Sets pod scheduling weight for amd64 arch + format: int32 + type: integer + arm64: + description: Sets pod scheduling weight for arm64 arch. + format: int32 + type: integer + ppc64le: + description: Sets pod scheduling weight for ppc64le arch. + format: int32 + type: integer + s390x: + description: Sets pod scheduling weight for s390x arch. + format: int32 + type: integer + type: object + caAddress: + description: The address of the CA for CSR. + type: string + caName: + description: |- + The name of the CA for workloads. + For example, when caName=GkeWorkloadCertificate, GKE workload certificates + will be used as the certificates for workloads. + The default value is "" and when caName="", the CA will be configured by other + mechanisms (e.g., environmental variable CA_PROVIDER). + type: string + certSigners: + description: List of certSigners to allow "approve" action + in the ClusterRole + items: + type: string + type: array + configCluster: + description: Controls whether a remote cluster is the config + cluster for an external istiod + type: boolean + configValidation: + description: Controls whether the server-side validation is + enabled. + type: boolean + defaultNodeSelector: + additionalProperties: + type: string + description: |- + Default k8s node selector for all the Istio control plane components + + See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. + type: object + defaultPodDisruptionBudget: + description: Specifies the default pod disruption budget configuration. + properties: + enabled: + description: Controls whether a PodDisruptionBudget with + a default minAvailable value of 1 is created for each + deployment. + type: boolean + type: object + defaultResources: + description: |- + Default k8s resources settings for all Istio control plane components. + + See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container + + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + This field depends on the + DynamicResourceAllocation feature gate. + + This field is immutable. It can only be set for containers. + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + defaultTolerations: + description: |- + Default node tolerations to be applied to all deployments so that all pods can be + scheduled to nodes with matching taints. Each component can overwrite + these default values by adding its tolerations block in the relevant section below + and setting the desired values. + Configure this field in case that all pods of Istio control plane are expected to + be scheduled to particular nodes with specified taints. + + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + externalIstiod: + description: Controls whether one external istiod is enabled. + type: boolean + hub: + description: Specifies the docker hub for Istio images. + type: string + imagePullPolicy: + description: |- + Specifies the image pull policy for the Istio images. one of Always, Never, IfNotPresent. + Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated. + + More info: https://kubernetes.io/docs/concepts/containers/images#updating-images + enum: + - Always + - Never + - IfNotPresent + type: string + imagePullSecrets: + description: |- + ImagePullSecrets for the control plane ServiceAccount, list of secrets in the same namespace + to use for pulling any images in pods that reference this ServiceAccount. + Must be set for any cluster configured with private docker registry. + items: + type: string + type: array + ipFamilies: + description: |- + Defines which IP family to use for single stack or the order of IP families for dual-stack. + Valid list items are "IPv4", "IPv6". + More info: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + items: + type: string + type: array + ipFamilyPolicy: + description: |- + Controls whether Services are configured to use IPv4, IPv6, or both. Valid options + are PreferDualStack, RequireDualStack, and SingleStack. + More info: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + type: string + istioNamespace: + description: Specifies the default namespace for the Istio + control plane components. + type: string + istiod: + description: Specifies the configution of istiod + properties: + enableAnalysis: + description: If enabled, istiod will perform config analysis + type: boolean + type: object + jwtPolicy: + description: |- + Configure the policy for validating JWT. + This is deprecated and has no effect. + + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. + type: string + logAsJson: + description: Specifies whether istio components should output + logs in json format by adding --log_as_json argument to + each container. + type: boolean + logging: + description: Specifies the global logging level settings for + the Istio control plane components. + properties: + level: + description: |- + Comma-separated minimum per-scope logging level of messages to output, in the form of :,: + The control plane has different scopes depending on component, but can configure default log level across all components + If empty, default scope and level will be used as configured in code + type: string + type: object + meshID: + description: |- + The Mesh Identifier. It should be unique within the scope where + meshes will interact with each other, but it is not required to be + globally/universally unique. For example, if any of the following are true, + then two meshes must have different Mesh IDs: + - Meshes will have their telemetry aggregated in one place + - Meshes will be federated together + - Policy will be written referencing one mesh from the other + + If an administrator expects that any of these conditions may become true in + the future, they should ensure their meshes have different Mesh IDs + assigned. + + Within a multicluster mesh, each cluster must be (manually or auto) + configured to have the same Mesh ID value. If an existing cluster 'joins' a + multicluster mesh, it will need to be migrated to the new mesh ID. Details + of migration TBD, and it may be a disruptive operation to change the Mesh + ID post-install. + + If the mesh admin does not specify a value, Istio will use the value of the + mesh's Trust Domain. The best practice is to select a proper Trust Domain + value. + type: string + meshNetworks: + additionalProperties: + description: |- + Network provides information about the endpoints in a routable L3 + network. A single routable L3 network can have one or more service + registries. Note that the network has no relation to the locality of the + endpoint. The endpoint locality will be obtained from the service + registry. + properties: + endpoints: + description: |- + The list of endpoints in the network (obtained through the + constituent service registries or from CIDR ranges). All endpoints in + the network are directly accessible to one another. + items: + description: "NetworkEndpoints describes how the network + associated with an endpoint\nshould be inferred. + An endpoint will be assigned to a network based + on\nthe following rules:\n\n1. Implicitly: If the + registry explicitly provides information about\nthe + network to which the endpoint belongs to. In some + cases, its\npossible to indicate the network associated + with the endpoint by\nadding the `ISTIO_META_NETWORK` + environment variable to the sidecar.\n\n2. Explicitly:\n\n\ta. + By matching the registry name with one of the \"fromRegistry\"\n\tin + the mesh config. A \"fromRegistry\" can only be + assigned to a\n\tsingle network.\n\n\tb. By matching + the IP against one of the CIDR ranges in a mesh\n\tconfig + network. The CIDR ranges must not overlap and be + assigned to\n\ta single network.\n\n(2) will override + (1) if both are present." + properties: + fromCidr: + description: |- + A CIDR range for the set of endpoints in this network. The CIDR + ranges for endpoints from different networks must not overlap. + type: string + fromRegistry: + description: |- + Add all endpoints from the specified registry into this network. + The names of the registries should correspond to the kubeconfig file name + inside the secret that was used to configure the registry (Kubernetes + multicluster) or supplied by MCP server. + type: string + type: object + x-kubernetes-validations: + - message: At most one of [fromCidr fromRegistry] + should be set + rule: (has(self.fromCidr)?1:0) + (has(self.fromRegistry)?1:0) + <= 1 + type: array + gateways: + description: Set of gateways associated with the network. + items: + description: |- + The gateway associated with this network. Traffic from remote networks + will arrive at the specified gateway:port. All incoming traffic must + use mTLS. + properties: + address: + description: IP address or externally resolvable + DNS address associated with the gateway. + type: string + locality: + description: The locality associated with an explicitly + specified gateway (i.e. ip) + type: string + port: + format: int32 + type: integer + registryServiceName: + description: |- + A fully qualified domain name of the gateway service. istiod will + lookup the service from the service registries in the network and + obtain the endpoint IPs of the gateway from the service + registry. Note that while the service name is a fully qualified + domain name, it need not be resolvable outside the orchestration + platform for the registry. e.g., this could be + istio-ingressgateway.istio-system.svc.cluster.local. + type: string + type: object + x-kubernetes-validations: + - message: At most one of [registryServiceName address] + should be set + rule: (has(self.registryServiceName)?1:0) + (has(self.address)?1:0) + <= 1 + type: array + type: object + description: "Configure the mesh networks to be used by the + Split Horizon EDS.\n\nThe following example defines two + networks with different endpoints association methods.\nFor + `network1` all endpoints that their IP belongs to the provided + CIDR range will be\nmapped to network1. The gateway for + this network example is specified by its public IP\naddress + and port.\nThe second network, `network2`, in this example + is defined differently with all endpoints\nretrieved through + the specified Multi-Cluster registry being mapped to network2. + The\ngateway is also defined differently with the name of + the gateway service on the remote\ncluster. The public IP + for the gateway will be determined from that remote service + (only\nLoadBalancer gateway service type is currently supported, + for a NodePort type gateway service,\nit still need to be + configured manually).\n\nmeshNetworks:\n\n\tnetwork1:\n\t + \ endpoints:\n\t - fromCidr: \"192.168.0.1/24\"\n\t gateways:\n\t + \ - address: 1.1.1.1\n\t port: 80\n\tnetwork2:\n\t endpoints:\n\t + \ - fromRegistry: reg1\n\t gateways:\n\t - registryServiceName: + istio-ingressgateway.istio-system.svc.cluster.local\n\t + \ port: 443" + type: object + mountMtlsCerts: + description: Controls whether the in-cluster MTLS key and + certs are loaded from the secret volume mounts. + type: boolean + multiCluster: + description: Specifies the Configuration for Istio mesh across + multiple clusters through Istio gateways. + properties: + clusterName: + description: |- + The name of the cluster this installation will run in. This is required for sidecar injection + to properly label proxies + type: string + enabled: + description: |- + Enables the connection between two kubernetes clusters via their respective ingressgateway services. + Use if the pods in each cluster cannot directly talk to one another. + type: boolean + globalDomainSuffix: + description: The suffix for global service names. + type: string + includeEnvoyFilter: + description: Enable envoy filter to translate `globalDomainSuffix` + to cluster local suffix for cross cluster communication. + type: boolean + type: object + nativeNftables: + description: Specifies whether native nftables rules should + be used instead of iptables rules for traffic redirection. + type: boolean + network: + description: |- + Network defines the network this cluster belong to. This name + corresponds to the networks in the map of mesh networks. + type: string + networkPolicy: + description: Settings related to Kubernetes NetworkPolicy. + properties: + enabled: + description: Controls whether default NetworkPolicy resources + will be created. + type: boolean + type: object + omitSidecarInjectorConfigMap: + description: |- + Controls whether the creation of the sidecar injector ConfigMap should be skipped. + Defaults to false. When set to true, the sidecar injector ConfigMap will not be created. + type: boolean + operatorManageWebhooks: + description: |- + Controls whether the WebhookConfiguration resource(s) should be created. The current behavior + of Istiod is to manage its own webhook configurations. + When this option is set to true, Istio Operator, instead of webhooks, manages the + webhook configurations. When this option is set as false, webhooks manage their + own webhook configurations. + type: boolean + pilotCertProvider: + description: |- + Configure the Pilot certificate provider. + Currently, four providers are supported: "kubernetes", "istiod", "custom" and "none". + type: string + platform: + description: |- + Platform in which Istio is deployed. Possible values are: "openshift" and "gcp" + An empty value means it is a vanilla Kubernetes distribution, therefore no special + treatment will be considered. + type: string + podDNSSearchNamespaces: + description: |- + Custom DNS config for the pod to resolve names of services in other + clusters. Use this to add additional search domains, and other settings. + see https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config + This does not apply to gateway pods as they typically need a different + set of DNS settings than the normal application pods (e.g. in multicluster scenarios). + items: + type: string + type: array + priorityClassName: + description: |- + Specifies the k8s priorityClassName for the istio control plane components. + + See https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. + type: string + proxy: + description: Specifies how proxies are configured within Istio. + properties: + autoInject: + description: Controls the 'policy' in the sidecar injector. + type: string + clusterDomain: + description: |- + Domain for the cluster, default: "cluster.local". + + K8s allows this to be customized, see https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/ + type: string + componentLogLevel: + description: |- + Per Component log level for proxy, applies to gateways and sidecars. + + If a component level is not set, then the global "logLevel" will be used. If left empty, "misc:error" is used. + type: string + enableCoreDump: + description: |- + Enables core dumps for newly injected sidecars. + + If set, newly injected sidecars will have core dumps enabled. + + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. + type: boolean + excludeIPRanges: + description: Lists the excluded IP ranges of Istio egress + traffic that the sidecar captures. + type: string + excludeInboundPorts: + description: Specifies the Istio ingress ports not to + capture. + type: string + excludeOutboundPorts: + description: A comma separated list of outbound ports + to be excluded from redirection to Envoy. + type: string + holdApplicationUntilProxyStarts: + description: |- + Controls if sidecar is injected at the front of the container list and blocks the start of the other containers until the proxy is ready + + Deprecated: replaced by ProxyConfig setting which allows per-pod configuration of this behavior. + + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. + type: boolean + image: + description: |- + Image name or path for the proxy, default: "proxyv2". + + If registry or tag are not specified, global.hub and global.tag are used. + + Examples: my-proxy (uses global.hub/tag), docker.io/myrepo/my-proxy:v1.0.0 + type: string + includeIPRanges: + description: |- + Lists the IP ranges of Istio egress traffic that the sidecar captures. + + Example: "172.30.0.0/16,172.20.0.0/16" + This would only capture egress traffic on those two IP Ranges, all other outbound traffic would # be allowed by the sidecar." + type: string + includeInboundPorts: + description: |- + A comma separated list of inbound ports for which traffic is to be redirected to Envoy. + The wildcard character '*' can be used to configure redirection for all ports. + type: string + includeOutboundPorts: + description: A comma separated list of outbound ports + for which traffic is to be redirected to Envoy, regardless + of the destination IP. + type: string + lifecycle: + description: |- + The k8s lifecycle hooks definition (pod.spec.containers.lifecycle) for the proxy container. + More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks + properties: + postStart: + description: |- + PostStart is called immediately after a container is created. If the handler fails, + the container is terminated and restarted according to its restart policy. + Other management of the container blocks until the hook completes. + More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks + properties: + exec: + description: Exec specifies a command to execute + in the container. + properties: + command: + description: |- + Command is the command line to execute inside the container, the working directory for the + command is root ('/') in the container's filesystem. The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use + a shell, you need to explicitly call out to that shell. + Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + httpGet: + description: HTTPGet specifies an HTTP GET request + to perform. + properties: + host: + description: |- + Host name to connect to, defaults to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the + request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom + header to be used in HTTP probes + properties: + name: + description: |- + The header field name. + This will be canonicalized upon output, so case-variant names will be understood as the same header. + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: |- + Name or number of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: |- + Scheme to use for connecting to the host. + Defaults to HTTP. + type: string + required: + - port + type: object + sleep: + description: Sleep represents a duration that + the container should sleep. + properties: + seconds: + description: Seconds is the number of seconds + to sleep. + format: int64 + type: integer + required: + - seconds + type: object + tcpSocket: + description: |- + Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept + for backward compatibility. There is no validation of this field and + lifecycle hooks will fail at runtime when it is specified. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: |- + Number or name of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + preStop: + description: |- + PreStop is called immediately before a container is terminated due to an + API request or management event such as liveness/startup probe failure, + preemption, resource contention, etc. The handler is not called if the + container crashes or exits. The Pod's termination grace period countdown begins before the + PreStop hook is executed. Regardless of the outcome of the handler, the + container will eventually terminate within the Pod's termination grace + period (unless delayed by finalizers). Other management of the container blocks until the hook completes + or until the termination grace period is reached. + More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks + properties: + exec: + description: Exec specifies a command to execute + in the container. + properties: + command: + description: |- + Command is the command line to execute inside the container, the working directory for the + command is root ('/') in the container's filesystem. The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use + a shell, you need to explicitly call out to that shell. + Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + httpGet: + description: HTTPGet specifies an HTTP GET request + to perform. + properties: + host: + description: |- + Host name to connect to, defaults to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the + request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom + header to be used in HTTP probes + properties: + name: + description: |- + The header field name. + This will be canonicalized upon output, so case-variant names will be understood as the same header. + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: |- + Name or number of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: |- + Scheme to use for connecting to the host. + Defaults to HTTP. + type: string + required: + - port + type: object + sleep: + description: Sleep represents a duration that + the container should sleep. + properties: + seconds: + description: Seconds is the number of seconds + to sleep. + format: int64 + type: integer + required: + - seconds + type: object + tcpSocket: + description: |- + Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept + for backward compatibility. There is no validation of this field and + lifecycle hooks will fail at runtime when it is specified. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: |- + Number or name of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + stopSignal: + description: |- + StopSignal defines which signal will be sent to a container when it is being stopped. + If not specified, the default is defined by the container runtime in use. + StopSignal can only be set for Pods with a non-empty .spec.os.name + type: string + type: object + logLevel: + description: 'Log level for proxy, applies to gateways + and sidecars. If left empty, "warning" is used. Expected + values are: trace\|debug\|info\|warning\|error\|critical\|off' + type: string + outlierLogPath: + description: |- + Path to the file to which the proxy will write outlier detection logs. + + Example: "/dev/stdout" + This would write the logs to standard output. + type: string + privileged: + description: |- + Enables privileged securityContext for the istio-proxy container. + + See https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + type: boolean + readinessFailureThreshold: + description: Sets the number of successive failed probes + before indicating readiness failure. + format: int32 + type: integer + readinessInitialDelaySeconds: + description: Sets the initial delay for readiness probes + in seconds. + format: int32 + type: integer + readinessPeriodSeconds: + description: Sets the interval between readiness probes + in seconds. + format: int32 + type: integer + resources: + description: |- + K8s resources settings. + + See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container + + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + This field depends on the + DynamicResourceAllocation feature gate. + + This field is immutable. It can only be set for containers. + items: + description: ResourceClaim references one entry + in PodSpec.ResourceClaims. + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + startupProbe: + description: Configures the startup probe for the istio-proxy + container. + properties: + enabled: + description: |- + Enables or disables a startup probe. + For optimal startup times, changing this should be tied to the readiness probe values. + + If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4. + This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval), + and doesn't spam the readiness endpoint too much + + If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30. + This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly. + type: boolean + failureThreshold: + description: Minimum consecutive failures for the + probe to be considered failed after having succeeded. + format: int32 + type: integer + type: object + statusPort: + description: Default port used for the Pilot agent's health + checks. + format: int32 + type: integer + tracer: + description: |- + Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver. + If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. + enum: + - zipkin + - lightstep + - datadog + - stackdriver + - openCensusAgent + - none + type: string + type: object + proxy_init: + description: Specifies the Configuration for proxy_init container + which sets the pods' networking to intercept the inbound/outbound + traffic. + properties: + image: + description: Specifies the image for the proxy_init container. + type: string + resources: + description: |- + K8s resources settings. + + See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container + + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + This field depends on the + DynamicResourceAllocation feature gate. + + This field is immutable. It can only be set for containers. + items: + description: ResourceClaim references one entry + in PodSpec.ResourceClaims. + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + type: object + remotePilotAddress: + description: Specifies the Istio control plane’s pilot Pod + IP address or remote cluster DNS resolvable hostname. + type: string + resourceScope: + description: |- + Specifies resource scope for discovery selectors. + This is useful when installing Istio on a cluster where some resources need to be owned by a cluster administrator and some can be owned by the mesh administrator. + enum: + - undefined + - all + - cluster + - namespace + type: string + revision: + description: Configures the revision this control plane is + a part of + type: string + sds: + description: Specifies the Configuration for the SecretDiscoveryService + instead of using K8S secrets to mount the certificates. + properties: + token: + description: 'Deprecated: Marked as deprecated in pkg/apis/values_types.proto.' + properties: + aud: + type: string + type: object + type: object + sts: + description: Specifies the configuration for Security Token + Service. + properties: + servicePort: + format: int32 + type: integer + type: object + tag: + description: Specifies the tag for the Istio docker images. + type: string + tracer: + description: Specifies the Configuration for each of the supported + tracers. + properties: + datadog: + description: Configuration for the datadog tracing service. + properties: + address: + description: Address in host:port format for reporting + trace data to the Datadog agent. + type: string + type: object + lightstep: + description: Configuration for the lightstep tracing service. + properties: + accessToken: + description: Sets the lightstep access token. + type: string + address: + description: Sets the lightstep satellite pool address + in host:port format for reporting trace data. + type: string + type: object + stackdriver: + description: Configuration for the stackdriver tracing + service. + properties: + debug: + description: enables trace output to stdout. + type: boolean + maxNumberOfAnnotations: + description: The global default max number of annotation + events per span. + format: int32 + type: integer + maxNumberOfAttributes: + description: The global default max number of attributes + per span. + format: int32 + type: integer + maxNumberOfMessageEvents: + description: The global default max number of message + events per span. + format: int32 + type: integer + type: object + zipkin: + description: Configuration for the zipkin tracing service. + properties: + address: + description: |- + Address of zipkin instance in host:port format for reporting trace data. + + Example: .:941 + type: string + type: object + type: object + trustBundleName: + description: Select a custom name for istiod's CA Root Cert + ConfigMap. + type: string + variant: + description: The variant of the Istio container images to + use. Options are "debug" or "distroless". Unset will use + the default for the given version. + type: string + waypoint: + description: Specifies how waypoints are configured within + Istio. + properties: + affinity: + description: |- + K8s affinity settings for waypoint pods. + + See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + properties: + nodeAffinity: + description: Describes node affinity scheduling rules + for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node matches the corresponding matchExpressions; the + node(s) with the highest sum are the most preferred. + items: + description: |- + An empty preferred scheduling term matches all objects with implicit weight 0 + (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). + properties: + preference: + description: A node selector term, associated + with the corresponding weight. + properties: + matchExpressions: + description: A list of node selector + requirements by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector + requirements by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching + the corresponding nodeSelectorTerm, in + the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector + terms. The terms are ORed. + items: + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector + requirements by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector + requirements by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: Describes pod affinity scheduling rules + (e.g. co-locate this pod in the same node, zone, + etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched + WeightedPodAffinityTerm fields are added per-node + to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. + items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling + rules (e.g. avoid putting this pod in the same node, + zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the anti-affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, etc.), + compute a sum by iterating through the elements of this field and subtracting + "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched + WeightedPodAffinityTerm fields are added per-node + to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the anti-affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the anti-affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. + items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: object + nodeSelector: + description: |- + K8s node labels settings. + + See https://kubernetes.io/docs/user-guide/node-selection/ + properties: + nodeSelectorTerms: + description: Required. A list of node selector terms. + The terms are ORed. + items: + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + resources: + description: |- + K8s resource settings. + + See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + This field depends on the + DynamicResourceAllocation feature gate. + + This field is immutable. It can only be set for containers. + items: + description: ResourceClaim references one entry + in PodSpec.ResourceClaims. + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + toleration: + description: |- + K8s tolerations settings. + + See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + topologySpreadConstraints: + description: |- + K8s topology spread constraints settings. + + See https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + items: + description: TopologySpreadConstraint specifies how + to spread matching pods among the given topology. + properties: + labelSelector: + description: |- + LabelSelector is used to find matching pods. + Pods that match this label selector are counted to determine the number of pods + in their corresponding topology domain. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select the pods over which + spreading will be calculated. The keys are used to lookup values from the + incoming pod labels, those key-value labels are ANDed with labelSelector + to select the group of existing pods over which spreading will be calculated + for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + MatchLabelKeys cannot be set when LabelSelector isn't set. + Keys that don't exist in the incoming pod labels will + be ignored. A null or empty list means only match against labelSelector. + + This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + description: |- + MaxSkew describes the degree to which pods may be unevenly distributed. + When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference + between the number of matching pods in the target topology and the global minimum. + The global minimum is the minimum number of matching pods in an eligible domain + or zero if the number of eligible domains is less than MinDomains. + For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 2/2/1: + In this case, the global minimum is 1. + | zone1 | zone2 | zone3 | + | P P | P P | P | + - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2; + scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2) + violate MaxSkew(1). + - if MaxSkew is 2, incoming pod can be scheduled onto any zone. + When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence + to topologies that satisfy it. + It's a required field. Default value is 1 and 0 is not allowed. + format: int32 + type: integer + minDomains: + description: |- + MinDomains indicates a minimum number of eligible domains. + When the number of eligible domains with matching topology keys is less than minDomains, + Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed. + And when the number of eligible domains with matching topology keys equals or greater than minDomains, + this value has no effect on scheduling. + As a result, when the number of eligible domains is less than minDomains, + scheduler won't schedule more than maxSkew Pods to those domains. + If value is nil, the constraint behaves as if MinDomains is equal to 1. + Valid values are integers greater than 0. + When value is not nil, WhenUnsatisfiable must be DoNotSchedule. + + For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same + labelSelector spread as 2/2/2: + | zone1 | zone2 | zone3 | + | P P | P P | P P | + The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0. + In this situation, new pod with the same labelSelector cannot be scheduled, + because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, + it will violate MaxSkew. + format: int32 + type: integer + nodeAffinityPolicy: + description: |- + NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector + when calculating pod topology spread skew. Options are: + - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. + - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations. + + If this value is nil, the behavior is equivalent to the Honor policy. + type: string + nodeTaintsPolicy: + description: |- + NodeTaintsPolicy indicates how we will treat node taints when calculating + pod topology spread skew. Options are: + - Honor: nodes without taints, along with tainted nodes for which the incoming pod + has a toleration, are included. + - Ignore: node taints are ignored. All nodes are included. + + If this value is nil, the behavior is equivalent to the Ignore policy. + type: string + topologyKey: + description: |- + TopologyKey is the key of node labels. Nodes that have a label with this key + and identical values are considered to be in the same topology. + We consider each as a "bucket", and try to put balanced number + of pods into each bucket. + We define a domain as a particular instance of a topology. + Also, we define an eligible domain as a domain whose nodes meet the requirements of + nodeAffinityPolicy and nodeTaintsPolicy. + e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology. + And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology. + It's a required field. + type: string + whenUnsatisfiable: + description: |- + WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy + the spread constraint. + - DoNotSchedule (default) tells the scheduler not to schedule it. + - ScheduleAnyway tells the scheduler to schedule the pod in any location, + but giving higher precedence to topologies that would help reduce the + skew. + A constraint is considered "Unsatisfiable" for an incoming pod + if and only if every possible node assignment for that pod would violate + "MaxSkew" on some topology. + For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 3/1/1: + | zone1 | zone2 | zone3 | + | P P P | P | P | + If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled + to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies + MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler + won't make it *more* imbalanced. + It's a required field. + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array + type: object + type: object + istiodRemote: + description: |- + Configuration for istiod-remote. + DEPRECATED - istiod-remote chart is removed and replaced with + `istio-discovery --set values.istiodRemote.enabled=true` + + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. + properties: + enabled: + description: Indicates if this cluster/install should consume + a "remote" istiod instance, + type: boolean + enabledLocalInjectorIstiod: + description: |- + If `true`, indicates that this cluster/install should consume a "local istiod" installation, + local istiod inject sidecars + type: boolean + injectionCABundle: + description: injector ca bundle + type: string + injectionPath: + description: Path to use for the sidecar injector webhook + service. + type: string + injectionURL: + description: URL to use for sidecar injector webhook. + type: string + type: object + meshConfig: + description: |- + Defines runtime configuration of components, including Istiod and istio-agent behavior. + See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options. + properties: + accessLogEncoding: + description: |- + Encoding for the proxy access log (`TEXT` or `JSON`). + Default value is `TEXT`. + enum: + - TEXT + - JSON + type: string + accessLogFile: + description: |- + File address for the proxy access log (e.g. /dev/stdout). + Empty value disables access logging. + type: string + accessLogFormat: + description: |- + Format for the proxy access log + Empty value results in proxy's default access log format + type: string + ca: + description: |- + If specified, Istiod will authorize and forward the CSRs from the workloads to the specified external CA + using the Istio CA gRPC API. + properties: + address: + description: |- + REQUIRED. Address of the CA server implementing the Istio CA gRPC API. + Can be IP address or a fully qualified DNS name with port + Eg: custom-ca.default.svc.cluster.local:8932, 192.168.23.2:9000 + type: string + istiodSide: + description: |- + Use istiodSide to specify CA Server integrate to Istiod side or Agent side + Default: true + type: boolean + requestTimeout: + description: |- + timeout for forward CSR requests from Istiod to External CA + Default: 10s + type: string + tlsSettings: + description: |- + Use the tlsSettings to specify the tls mode to use. + Regarding tlsSettings: + - DISABLE MODE is legitimate for the case Istiod is making the request via an Envoy sidecar. + DISABLE MODE can also be used for testing + - TLS MUTUAL MODE be on by default. If the CA certificates + (cert bundle to verify the CA server's certificate) is omitted, Istiod will + use the system root certs to verify the CA server's certificate. + properties: + caCertificates: + description: |- + OPTIONAL: The path to the file containing certificate authority + certificates to use in verifying a presented server certificate. If + omitted, the proxy will verify the server's certificate using + the OS CA certificates. + Should be empty if mode is `ISTIO_MUTUAL`. + type: string + caCrl: + description: |- + OPTIONAL: The path to the file containing the certificate revocation list (CRL) + to use in verifying a presented server certificate. `CRL` is a list of certificates + that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. + If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. + If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set, + `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential. + type: string + clientCertificate: + description: |- + REQUIRED if mode is `MUTUAL`. The path to the file holding the + client-side TLS certificate to use. + Should be empty if mode is `ISTIO_MUTUAL`. + type: string + credentialName: + description: |- + The name of the secret that holds the TLS certs for the + client including the CA certificates. This secret must exist in + the namespace of the proxy using the certificates. + An Opaque secret should contain the following keys and values: + `key: `, `cert: `, `cacert: `, + `crl: ` + Here CACertificate is used to verify the server certificate. + For mutual TLS, `cacert: ` can be provided in the + same secret or a separate secret named `-cacert`. + A TLS secret for client certificates with an additional + `ca.crt` key for CA certificates and `ca.crl` key for + certificate revocation list(CRL) is also supported. + Only one of client certificates and CA certificate + or credentialName can be specified. + + **NOTE:** This field is applicable at sidecars only if + `DestinationRule` has a `workloadSelector` specified. + Otherwise the field will be applicable only at gateways, and + sidecars will continue to use the certificate paths. + type: string + insecureSkipVerify: + description: |- + `insecureSkipVerify` specifies whether the proxy should skip verifying the + CA signature and SAN for the server certificate corresponding to the host. + The default value of this field is false. + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured + using TLS. The value of this field determines how TLS is enforced. + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: |- + REQUIRED if mode is `MUTUAL`. The path to the file holding the + client's private key. + Should be empty if mode is `ISTIO_MUTUAL`. + type: string + sni: + description: |- + SNI string to present to the server during TLS handshake. + If unspecified, SNI will be automatically set based on downstream HTTP + host/authority header for SIMPLE and MUTUAL TLS modes. + type: string + subjectAltNames: + description: |- + A list of alternate names to verify the subject identity in the + certificate. If specified, the proxy will verify that the server + certificate's subject alt name matches one of the specified values. + If specified, this list overrides the value of `subjectAltNames` + from the `ServiceEntry`. If unspecified, automatic validation of upstream + presented certificate for new upstream connections will be done based on the + downstream HTTP host/authority header. + items: + type: string + type: array + type: object + required: + - address + type: object + caCertificates: + description: |- + The extra root certificates for workload-to-workload communication. + The plugin certificates (the 'cacerts' secret) or self-signed certificates (the 'istio-ca-secret' secret) + are automatically added by Istiod. + The CA certificate that signs the workload certificates is automatically added by Istio Agent. + items: + properties: + certSigners: + description: |- + when Istiod is acting as RA(registration authority) + If set, they are used for these signers. Otherwise, this trustAnchor is used for all signers. + items: + type: string + type: array + pem: + description: The PEM data of the certificate. + type: string + spiffeBundleUrl: + description: |- + The SPIFFE bundle endpoint URL that complies to: + https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#the-spiffe-trust-domain-and-bundle + The endpoint should support authentication based on Web PKI: + https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#521-web-pki + The certificate is retrieved from the endpoint. + type: string + trustDomains: + description: |- + Optional. Specify the list of trust domains to which this trustAnchor data belongs. + If set, they are used for these trust domains. Otherwise, this trustAnchor is used for default trust domain + and its aliases. + Note that we can have multiple trustAnchor data for a same trustDomain. + In that case, trustAnchors with a same trust domain will be merged and used together to verify peer certificates. + If neither certSigners nor trustDomains is set, this trustAnchor is used for all trust domains and all signers. + If only trustDomains is set, this trustAnchor is used for these trustDomains and all signers. + If only certSigners is set, this trustAnchor is used for these certSigners and all trust domains. + If both certSigners and trustDomains is set, this trustAnchor is only used for these signers and trust domains. + items: + type: string + type: array + type: object + x-kubernetes-validations: + - message: At most one of [pem spiffeBundleUrl] should be + set + rule: (has(self.pem)?1:0) + (has(self.spiffeBundleUrl)?1:0) + <= 1 + type: array + certificates: + description: |- + Configure the provision of certificates. + + Note: Deprecated, please refer to Cert-Manager or other cert provisioning solutions to sign DNS certificates. + + Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto. + items: + description: "Certificate configures the provision of a + certificate and its key.\nExample 1: key and cert stored + in a secret\n```\n{ secretName: galley-cert\n\n\t secretNamespace: + istio-system\n\t dnsNames:\n\t - galley.istio-system.svc\n\t + \ - galley.mydomain.com\n\t}\n\n```\nExample 2: key + and cert stored in a directory\n```\n{ dnsNames:\n - + pilot.istio-system\n - pilot.istio-system.svc\n - pilot.mydomain.com\n + \ }\n\n```" + properties: + dnsNames: + description: |- + The DNS names for the certificate. A certificate may contain + multiple DNS names. + items: + type: string + type: array + secretName: + description: |- + Name of the secret the certificate and its key will be stored into. + If it is empty, it will not be stored into a secret. + Instead, the certificate and its key will be stored into a hard-coded directory. + type: string + type: object + type: array + configSources: + description: |- + ConfigSource describes a source of configuration data for networking + rules, and other Istio configuration artifacts. Multiple data sources + can be configured for a single control plane. + items: + description: |- + ConfigSource describes information about a configuration store inside a + mesh. A single control plane instance can interact with one or more data + sources. + properties: + address: + description: |- + Address of the server implementing the Istio Mesh Configuration + protocol (MCP). Can be IP address or a fully qualified DNS name. + Use xds:// to specify a grpc-based xds backend, k8s:// to specify a k8s controller or + fs:/// to specify a file-based backend with absolute path to the directory. + type: string + subscribedResources: + description: Describes the source of configuration, + if nothing is specified default is MCP + items: + description: Resource describes the source of configuration + enum: + - SERVICE_REGISTRY + type: string + type: array + tlsSettings: + description: |- + Use the tlsSettings to specify the tls mode to use. If the MCP server + uses Istio mutual TLS and shares the root CA with istiod, specify the TLS + mode as `ISTIO_MUTUAL`. + properties: + caCertificates: + description: |- + OPTIONAL: The path to the file containing certificate authority + certificates to use in verifying a presented server certificate. If + omitted, the proxy will verify the server's certificate using + the OS CA certificates. + Should be empty if mode is `ISTIO_MUTUAL`. + type: string + caCrl: + description: |- + OPTIONAL: The path to the file containing the certificate revocation list (CRL) + to use in verifying a presented server certificate. `CRL` is a list of certificates + that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. + If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. + If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set, + `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential. + type: string + clientCertificate: + description: |- + REQUIRED if mode is `MUTUAL`. The path to the file holding the + client-side TLS certificate to use. + Should be empty if mode is `ISTIO_MUTUAL`. + type: string + credentialName: + description: |- + The name of the secret that holds the TLS certs for the + client including the CA certificates. This secret must exist in + the namespace of the proxy using the certificates. + An Opaque secret should contain the following keys and values: + `key: `, `cert: `, `cacert: `, + `crl: ` + Here CACertificate is used to verify the server certificate. + For mutual TLS, `cacert: ` can be provided in the + same secret or a separate secret named `-cacert`. + A TLS secret for client certificates with an additional + `ca.crt` key for CA certificates and `ca.crl` key for + certificate revocation list(CRL) is also supported. + Only one of client certificates and CA certificate + or credentialName can be specified. + + **NOTE:** This field is applicable at sidecars only if + `DestinationRule` has a `workloadSelector` specified. + Otherwise the field will be applicable only at gateways, and + sidecars will continue to use the certificate paths. + type: string + insecureSkipVerify: + description: |- + `insecureSkipVerify` specifies whether the proxy should skip verifying the + CA signature and SAN for the server certificate corresponding to the host. + The default value of this field is false. + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured + using TLS. The value of this field determines how TLS is enforced. + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: |- + REQUIRED if mode is `MUTUAL`. The path to the file holding the + client's private key. + Should be empty if mode is `ISTIO_MUTUAL`. + type: string + sni: + description: |- + SNI string to present to the server during TLS handshake. + If unspecified, SNI will be automatically set based on downstream HTTP + host/authority header for SIMPLE and MUTUAL TLS modes. + type: string + subjectAltNames: + description: |- + A list of alternate names to verify the subject identity in the + certificate. If specified, the proxy will verify that the server + certificate's subject alt name matches one of the specified values. + If specified, this list overrides the value of `subjectAltNames` + from the `ServiceEntry`. If unspecified, automatic validation of upstream + presented certificate for new upstream connections will be done based on the + downstream HTTP host/authority header. + items: + type: string + type: array + type: object + type: object + type: array + connectTimeout: + description: |- + Connection timeout used by Envoy. (MUST be >=1ms) + Default timeout is 10s. + type: string + defaultConfig: + description: |- + Default proxy config used by gateway and sidecars. + In case of Kubernetes, the proxy config is applied once during the injection process, + and remain constant for the duration of the pod. The rest of the mesh config can be changed + at runtime and config gets distributed dynamically. + On Kubernetes, this can be overridden on individual pods with the `proxy.istio.io/config` annotation. + properties: + availabilityZone: + description: 'Deprecated: Marked as deprecated in mesh/v1alpha1/proxy.proto.' + type: string + binaryPath: + description: Path to the proxy binary + type: string + caCertificatesPem: + description: |- + The PEM data of the extra root certificates for workload-to-workload communication. + This includes the certificates defined in MeshConfig and any other certificates that Istiod uses as CA. + The plugin certificates (the 'cacerts' secret), self-signed certificates (the 'istio-ca-secret' secret) + are added automatically by Istiod. + items: + type: string + type: array + concurrency: + description: |- + The number of worker threads to run. + If unset, which is recommended, this will be automatically determined based on CPU requests/limits. + If set to 0, all cores on the machine will be used, ignoring CPU requests or limits. This can lead to major performance + issues if CPU limits are also set. + format: int32 + type: integer + configPath: + description: |- + Path to the generated configuration file directory. + Proxy agent generates the actual configuration and stores it in this directory. + type: string + controlPlaneAuthPolicy: + description: |- + AuthenticationPolicy defines how the proxy is authenticated when it connects to the control plane. + Default is set to `MUTUAL_TLS`. + enum: + - NONE + - MUTUAL_TLS + - INHERIT + type: string + customConfigFile: + description: |- + File path of custom proxy configuration, currently used by proxies + in front of istiod. + type: string + discoveryAddress: + description: |- + Address of the discovery service exposing xDS with mTLS connection. + The inject configuration may override this value. + type: string + discoveryRefreshDelay: + description: 'Deprecated: Marked as deprecated in mesh/v1alpha1/proxy.proto.' + type: string + drainDuration: + description: |- + restart. MUST be >=1s (e.g., _1s/1m/1h_) + Default drain duration is `45s`. + type: string + envoyAccessLogService: + description: |- + Address of the service to which access logs from Envoys should be + sent. (e.g. `accesslog-service:15000`). See [Access Log + Service](https://www.envoyproxy.io/docs/envoy/latest/api-v2/config/accesslog/v2/als.proto) + for details about Envoy's gRPC Access Log Service API. + properties: + address: + description: |- + Address of a remove service used for various purposes (access log + receiver, metrics receiver, etc.). Can be IP address or a fully + qualified DNS name. + type: string + tcpKeepalive: + description: If set then set `SO_KEEPALIVE` on the + socket to enable TCP Keepalives. + properties: + interval: + description: |- + The time duration between keep-alive probes. + Default is to use the OS level configuration + (unless overridden, Linux defaults to 75s.) + type: string + probes: + description: |- + Maximum number of keepalive probes to send without response before + deciding the connection is dead. Default is to use the OS level configuration + (unless overridden, Linux defaults to 9.) + format: int32 + type: integer + time: + description: |- + The time duration a connection needs to be idle before keep-alive + probes start being sent. Default is to use the OS level configuration + (unless overridden, Linux defaults to 7200s (ie 2 hours.) + type: string + type: object + tlsSettings: + description: |- + Use the `tlsSettings` to specify the tls mode to use. If the remote service + uses Istio mutual TLS and shares the root CA with istiod, specify the TLS + mode as `ISTIO_MUTUAL`. + properties: + caCertificates: + description: |- + OPTIONAL: The path to the file containing certificate authority + certificates to use in verifying a presented server certificate. If + omitted, the proxy will verify the server's certificate using + the OS CA certificates. + Should be empty if mode is `ISTIO_MUTUAL`. + type: string + caCrl: + description: |- + OPTIONAL: The path to the file containing the certificate revocation list (CRL) + to use in verifying a presented server certificate. `CRL` is a list of certificates + that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. + If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. + If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set, + `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential. + type: string + clientCertificate: + description: |- + REQUIRED if mode is `MUTUAL`. The path to the file holding the + client-side TLS certificate to use. + Should be empty if mode is `ISTIO_MUTUAL`. + type: string + credentialName: + description: |- + The name of the secret that holds the TLS certs for the + client including the CA certificates. This secret must exist in + the namespace of the proxy using the certificates. + An Opaque secret should contain the following keys and values: + `key: `, `cert: `, `cacert: `, + `crl: ` + Here CACertificate is used to verify the server certificate. + For mutual TLS, `cacert: ` can be provided in the + same secret or a separate secret named `-cacert`. + A TLS secret for client certificates with an additional + `ca.crt` key for CA certificates and `ca.crl` key for + certificate revocation list(CRL) is also supported. + Only one of client certificates and CA certificate + or credentialName can be specified. + + **NOTE:** This field is applicable at sidecars only if + `DestinationRule` has a `workloadSelector` specified. + Otherwise the field will be applicable only at gateways, and + sidecars will continue to use the certificate paths. + type: string + insecureSkipVerify: + description: |- + `insecureSkipVerify` specifies whether the proxy should skip verifying the + CA signature and SAN for the server certificate corresponding to the host. + The default value of this field is false. + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured + using TLS. The value of this field determines how TLS is enforced. + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: |- + REQUIRED if mode is `MUTUAL`. The path to the file holding the + client's private key. + Should be empty if mode is `ISTIO_MUTUAL`. + type: string + sni: + description: |- + SNI string to present to the server during TLS handshake. + If unspecified, SNI will be automatically set based on downstream HTTP + host/authority header for SIMPLE and MUTUAL TLS modes. + type: string + subjectAltNames: + description: |- + A list of alternate names to verify the subject identity in the + certificate. If specified, the proxy will verify that the server + certificate's subject alt name matches one of the specified values. + If specified, this list overrides the value of `subjectAltNames` + from the `ServiceEntry`. If unspecified, automatic validation of upstream + presented certificate for new upstream connections will be done based on the + downstream HTTP host/authority header. + items: + type: string + type: array + type: object + type: object + envoyMetricsService: + description: |- + Address of the Envoy Metrics Service implementation (e.g. `metrics-service:15000`). + See [Metric Service](https://www.envoyproxy.io/docs/envoy/latest/api-v2/config/metrics/v2/metrics_service.proto) + for details about Envoy's Metrics Service API. + properties: + address: + description: |- + Address of a remove service used for various purposes (access log + receiver, metrics receiver, etc.). Can be IP address or a fully + qualified DNS name. + type: string + tcpKeepalive: + description: If set then set `SO_KEEPALIVE` on the + socket to enable TCP Keepalives. + properties: + interval: + description: |- + The time duration between keep-alive probes. + Default is to use the OS level configuration + (unless overridden, Linux defaults to 75s.) + type: string + probes: + description: |- + Maximum number of keepalive probes to send without response before + deciding the connection is dead. Default is to use the OS level configuration + (unless overridden, Linux defaults to 9.) + format: int32 + type: integer + time: + description: |- + The time duration a connection needs to be idle before keep-alive + probes start being sent. Default is to use the OS level configuration + (unless overridden, Linux defaults to 7200s (ie 2 hours.) + type: string + type: object + tlsSettings: + description: |- + Use the `tlsSettings` to specify the tls mode to use. If the remote service + uses Istio mutual TLS and shares the root CA with istiod, specify the TLS + mode as `ISTIO_MUTUAL`. + properties: + caCertificates: + description: |- + OPTIONAL: The path to the file containing certificate authority + certificates to use in verifying a presented server certificate. If + omitted, the proxy will verify the server's certificate using + the OS CA certificates. + Should be empty if mode is `ISTIO_MUTUAL`. + type: string + caCrl: + description: |- + OPTIONAL: The path to the file containing the certificate revocation list (CRL) + to use in verifying a presented server certificate. `CRL` is a list of certificates + that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. + If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. + If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set, + `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential. + type: string + clientCertificate: + description: |- + REQUIRED if mode is `MUTUAL`. The path to the file holding the + client-side TLS certificate to use. + Should be empty if mode is `ISTIO_MUTUAL`. + type: string + credentialName: + description: |- + The name of the secret that holds the TLS certs for the + client including the CA certificates. This secret must exist in + the namespace of the proxy using the certificates. + An Opaque secret should contain the following keys and values: + `key: `, `cert: `, `cacert: `, + `crl: ` + Here CACertificate is used to verify the server certificate. + For mutual TLS, `cacert: ` can be provided in the + same secret or a separate secret named `-cacert`. + A TLS secret for client certificates with an additional + `ca.crt` key for CA certificates and `ca.crl` key for + certificate revocation list(CRL) is also supported. + Only one of client certificates and CA certificate + or credentialName can be specified. + + **NOTE:** This field is applicable at sidecars only if + `DestinationRule` has a `workloadSelector` specified. + Otherwise the field will be applicable only at gateways, and + sidecars will continue to use the certificate paths. + type: string + insecureSkipVerify: + description: |- + `insecureSkipVerify` specifies whether the proxy should skip verifying the + CA signature and SAN for the server certificate corresponding to the host. + The default value of this field is false. + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured + using TLS. The value of this field determines how TLS is enforced. + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: |- + REQUIRED if mode is `MUTUAL`. The path to the file holding the + client's private key. + Should be empty if mode is `ISTIO_MUTUAL`. + type: string + sni: + description: |- + SNI string to present to the server during TLS handshake. + If unspecified, SNI will be automatically set based on downstream HTTP + host/authority header for SIMPLE and MUTUAL TLS modes. + type: string + subjectAltNames: + description: |- + A list of alternate names to verify the subject identity in the + certificate. If specified, the proxy will verify that the server + certificate's subject alt name matches one of the specified values. + If specified, this list overrides the value of `subjectAltNames` + from the `ServiceEntry`. If unspecified, automatic validation of upstream + presented certificate for new upstream connections will be done based on the + downstream HTTP host/authority header. + items: + type: string + type: array + type: object + type: object + envoyMetricsServiceAddress: + description: 'Deprecated: Marked as deprecated in mesh/v1alpha1/proxy.proto.' + type: string + extraStatTags: + description: |- + An additional list of tags to extract from the in-proxy Istio telemetry. These extra tags can be + added by configuring the telemetry extension. Each additional tag needs to be present in this list. + Extra tags emitted by the telemetry extensions must be listed here so that they can be processed + and exposed as Prometheus metrics. + Deprecated: `istio.stats` is a native filter now, this field is no longer needed. + items: + type: string + type: array + gatewayTopology: + description: |- + Topology encapsulates the configuration which describes where the proxy is + located i.e. behind a (or N) trusted proxy (proxies) or directly exposed + to the internet. This configuration only effects gateways and is applied + to all the gateways in the cluster unless overridden via annotations of the + gateway workloads. + properties: + forwardClientCertDetails: + description: |- + Configures how the gateway proxy handles x-forwarded-client-cert (XFCC) + header in the incoming request. + enum: + - UNDEFINED + - SANITIZE + - FORWARD_ONLY + - APPEND_FORWARD + - SANITIZE_SET + - ALWAYS_FORWARD_ONLY + type: string + numTrustedProxies: + description: |- + Number of trusted proxies deployed in front of the Istio gateway proxy. + When this option is set to value N greater than zero, the trusted client + address is assumed to be the Nth address from the right end of the + X-Forwarded-For (XFF) header from the incoming request. If the + X-Forwarded-For (XFF) header is missing or has fewer than N addresses, the + gateway proxy falls back to using the immediate downstream connection's + source address as the trusted client address. + Note that the gateway proxy will append the downstream connection's source + address to the X-Forwarded-For (XFF) address and set the + X-Envoy-External-Address header to the trusted client address before + forwarding it to the upstream services in the cluster. + The default value of numTrustedProxies is 0. + See [Envoy XFF](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#config-http-conn-man-headers-x-forwarded-for) + header handling for more details. + format: int32 + type: integer + proxyProtocol: + description: |- + Enables [PROXY protocol](http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt) for + downstream connections on a gateway. + type: object + type: object + holdApplicationUntilProxyStarts: + description: |- + Boolean flag for enabling/disabling the holdApplicationUntilProxyStarts behavior. + This feature adds hooks to delay application startup until the pod proxy + is ready to accept traffic, mitigating some startup race conditions. + Default value is 'false'. + type: boolean + image: + description: Specifies the details of the proxy image. + properties: + imageType: + description: |- + The image type of the image. + Istio publishes default, debug, and distroless images. + Other values are allowed if those image types (example: centos) are published to the specified hub. + supported values: default, debug, distroless. + type: string + type: object + interceptionMode: + description: The mode used to redirect inbound traffic + to Envoy. + enum: + - REDIRECT + - TPROXY + - NONE + type: string + meshId: + description: |- + The unique identifier for the [service mesh](https://istio.io/docs/reference/glossary/#service-mesh) + All control planes running in the same service mesh should specify the same mesh ID. + Mesh ID is used to label telemetry reports for cases where telemetry from multiple meshes is mixed together. + type: string + privateKeyProvider: + description: Specifies the details of the Private Key + Provider configuration for gateway and sidecar proxies. + properties: + cryptomb: + description: Use CryptoMb private key provider + properties: + fallback: + description: |- + If the private key provider isn’t available (eg. the required hardware capability doesn’t existed) + Envoy will fallback to the BoringSSL default implementation when the fallback is true. + The default value is false. + type: boolean + pollDelay: + description: |- + How long to wait until the per-thread processing queue should be processed. If the processing queue + gets full (eight sign or decrypt requests are received) it is processed immediately. + However, if the queue is not filled before the delay has expired, the requests already in the queue + are processed, even if the queue is not full. + In effect, this value controls the balance between latency and throughput. + The duration needs to be set to a value greater than or equal to 1 millisecond. + type: string + type: object + qat: + description: Use QAT private key provider + properties: + fallback: + description: |- + If the private key provider isn’t available (eg. the required hardware capability doesn’t existed) + Envoy will fallback to the BoringSSL default implementation when the fallback is true. + The default value is false. + type: boolean + pollDelay: + description: |- + How long to wait before polling the hardware accelerator after a request has been submitted there. + Having a small value leads to quicker answers from the hardware but causes more polling loop spins, + leading to potentially larger CPU usage. + The duration needs to be set to a value greater than or equal to 1 millisecond. + type: string + type: object + type: object + x-kubernetes-validations: + - message: At most one of [cryptomb qat] should be set + rule: (has(self.cryptomb)?1:0) + (has(self.qat)?1:0) + <= 1 + proxyAdminPort: + description: |- + Port on which Envoy should listen for administrative commands. + Default port is `15000`. + format: int32 + type: integer + proxyBootstrapTemplatePath: + description: Path to the proxy bootstrap template file + type: string + proxyHeaders: + description: "Define the set of headers to add/modify + for HTTP request/responses.\n\nTo enable an optional + header, simply set the field. If no specific configuration + is required, an empty object (`{}`) will enable it.\nNote: + currently all headers are enabled by default.\n\nBelow + shows an example of customizing the `server` header + and disabling the `X-Envoy-Attempt-Count` header:\n\n```yaml\nproxyHeaders:\n\n\tserver:\n\t + \ value: \"my-custom-server\"\n\t# Explicitly enable + Request IDs.\n\t# As this is the default, this has no + effect.\n\trequestId: {}\n\tattemptCount:\n\t disabled: + true\n\n```\n\n# Below shows an example of preserving + the header case for HTTP 1.x requests\n\n```yaml\nproxyHeaders:\n\n\tpreserveHttp1HeaderCase: + true\n\n```\n\nSome headers are enabled by default, + and require explicitly disabling. See below for an example + of disabling all default-enabled headers:\n\n```yaml\nproxyHeaders:\n\n\tforwardedClientCert: + SANITIZE\n\tserver:\n\t disabled: true\n\trequestId:\n\t + \ disabled: true\n\tattemptCount:\n\t disabled: true\n\tenvoyDebugHeaders:\n\t + \ disabled: true\n\tmetadataExchangeHeaders:\n\t mode: + IN_MESH\n\n```" + properties: + attemptCount: + description: |- + Controls the `X-Envoy-Attempt-Count` header. + If enabled, this header will be added on outbound request headers (including gateways) that have retries configured. + If disabled, this header will not be set. If it is already present, it will be preserved. + This header is enabled by default if not configured. + properties: + disabled: + type: boolean + type: object + envoyDebugHeaders: + description: |- + Controls various `X-Envoy-*` headers, such as `X-Envoy-Overloaded` and `X-Envoy-Upstream-Service-Time`. If enabled, + these headers will be included. + If disabled, these headers will not be set. If they are already present, they will be preserved. + See the [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/router/v3/router.proto#envoy-v3-api-field-extensions-filters-http-router-v3-router-suppress-envoy-headers) for more details. + These headers are enabled by default if not configured. + properties: + disabled: + type: boolean + type: object + forwardedClientCert: + description: |- + Controls the `X-Forwarded-Client-Cert` header for inbound sidecar requests. To set this on gateways, use the `Topology` setting. + To disable the header, configure either `SANITIZE` (to always remove the header, if present) or `FORWARD_ONLY` (to leave the header as-is). + By default, `APPEND_FORWARD` will be used. + enum: + - UNDEFINED + - SANITIZE + - FORWARD_ONLY + - APPEND_FORWARD + - SANITIZE_SET + - ALWAYS_FORWARD_ONLY + type: string + metadataExchangeHeaders: + description: |- + Controls Istio metadata exchange headers `X-Envoy-Peer-Metadata` and `X-Envoy-Peer-Metadata-Id`. + By default, the behavior is unspecified. + If IN_MESH, these headers will not be appended to outbound requests from sidecars to services not in-mesh. + properties: + mode: + enum: + - UNDEFINED + - IN_MESH + type: string + type: object + preserveHttp1HeaderCase: + description: |- + When true, the original case of HTTP/1.x headers will be preserved + as they pass through the proxy, rather than normalizing them to lowercase. + This field is particularly useful for applications that require case-sensitive + headers for interoperability with downstream systems or APIs that expect specific + casing. + The preserve_http1_header_case option only applies to HTTP/1.x traffic, as HTTP/2 requires all headers + to be lowercase per the protocol specification. Envoy will ignore this field for HTTP/2 + requests and automatically normalize headers to lowercase, ensuring compliance with HTTP/2 + standards. + type: boolean + requestId: + description: |- + Controls the `X-Request-Id` header. If enabled, a request ID is generated for each request if one is not already set. + This applies to all types of traffic (inbound, outbound, and gateways). + If disabled, no request ID will be generate for the request. If it is already present, it will be preserved. + Warning: request IDs are a critical component to mesh tracing and logging, so disabling this is not recommended. + This header is enabled by default if not configured. + properties: + disabled: + type: boolean + type: object + server: + description: |- + Controls the `server` header. If enabled, the `Server: istio-envoy` header is set in response headers for inbound traffic (including gateways). + If disabled, the `Server` header is not modified. If it is already present, it will be preserved. + properties: + disabled: + type: boolean + value: + description: If set, and the server header is + enabled, this value will be set as the server + header. By default, `istio-envoy` will be used. + type: string + type: object + setCurrentClientCertDetails: + description: |- + This field is valid only when forward_client_cert_details is APPEND_FORWARD or SANITIZE_SET + and the client connection is mTLS. It specifies the fields in + the client certificate to be forwarded. Note that `Hash` is always set, and + `By` is always set when the client certificate presents the URI type Subject Alternative Name value. + properties: + cert: + description: |- + Whether to forward the entire client cert in URL encoded PEM format. This will appear in the + XFCC header comma separated from other values with the value Cert="PEM". + Defaults to false. + type: boolean + chain: + description: |- + Whether to forward the entire client cert chain (including the leaf cert) in URL encoded PEM + format. This will appear in the XFCC header comma separated from other values with the value + Chain="PEM". + Defaults to false. + type: boolean + dns: + description: |- + Whether to forward the DNS type Subject Alternative Names of the client cert. + Defaults to true. + type: boolean + subject: + description: Whether to forward the subject of + the client cert. Defaults to true. + type: boolean + uri: + description: |- + Whether to forward the URI type Subject Alternative Name of the client cert. Defaults to + true. + type: boolean + type: object + xForwardedHost: + description: |- + Controls the `X-Forwarded-Host` header. If enabled, the `X-Forwarded-Host` header is appended + with the original host when it is rewritten. + This header is disabled by default. + properties: + enabled: + type: boolean + type: object + xForwardedPort: + description: |- + Controls the `X-Forwarded-Port` header. If enabled, the `X-Forwarded-Port` header is header with the port value + client used to connect to Envoy. It will be ignored if the “x-forwarded-port“ header has been set by any + trusted proxy in front of Envoy. + This header is disabled by default. + properties: + enabled: + type: boolean + type: object + type: object + proxyMetadata: + additionalProperties: + type: string + description: |- + Additional environment variables for the proxy. + Names starting with `ISTIO_META_` will be included in the generated bootstrap and sent to the XDS server. + type: object + proxyStatsMatcher: + description: "Proxy stats matcher defines configuration + for reporting custom Envoy stats.\nTo reduce memory + and CPU overhead from Envoy stats system, Istio proxies + by\ndefault create and expose only a subset of Envoy + stats. This option is to\ncontrol creation of additional + Envoy stats with prefix, suffix, and regex\nexpressions + match on the name of the stats. This replaces the stats\ninclusion + annotations\n(`sidecar.istio.io/statsInclusionPrefixes`,\n`sidecar.istio.io/statsInclusionRegexps`, + and\n`sidecar.istio.io/statsInclusionSuffixes`). For + example, to enable stats\nfor circuit breakers, request + retries, upstream connections, and request timeouts,\nyou + can specify stats matcher as follows:\n```yaml\nproxyStatsMatcher:\n\n\tinclusionRegexps:\n\t + \ - .*outlier_detection.*\n\t - .*upstream_rq_retry.*\n\t + \ - .*upstream_cx_.*\n\tinclusionSuffixes:\n\t - upstream_rq_timeout\n\n```\nNote + including more Envoy stats might increase number of + time series\ncollected by prometheus significantly. + Care needs to be taken on Prometheus\nresource provision + and configuration to reduce cardinality." + properties: + inclusionPrefixes: + description: Proxy stats name prefix matcher for inclusion. + items: + type: string + type: array + inclusionRegexps: + description: Proxy stats name regexps matcher for + inclusion. + items: + type: string + type: array + inclusionSuffixes: + description: Proxy stats name suffix matcher for inclusion. + items: + type: string + type: array + type: object + readinessProbe: + description: |- + VM Health Checking readiness probe. This health check config exactly mirrors the + kubernetes readiness probe configuration both in schema and logic. + Only one health check method of 3 can be set at a time. + properties: + exec: + description: Exec specifies a command to execute in + the container. + properties: + command: + description: |- + Command is the command line to execute inside the container, the working directory for the + command is root ('/') in the container's filesystem. The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use + a shell, you need to explicitly call out to that shell. + Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + failureThreshold: + description: |- + Minimum consecutive failures for the probe to be considered failed after having succeeded. + Defaults to 3. Minimum value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies a GRPC HealthCheckRequest. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + default: "" + description: |- + Service is the name of the service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + + If this is not specified, the default behavior is defined by gRPC. + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies an HTTP GET request + to perform. + properties: + host: + description: |- + Host name to connect to, defaults to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. + HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom header + to be used in HTTP probes + properties: + name: + description: |- + The header field name. + This will be canonicalized upon output, so case-variant names will be understood as the same header. + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: |- + Name or number of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: |- + Scheme to use for connecting to the host. + Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: |- + Number of seconds after the container has started before liveness probes are initiated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + format: int32 + type: integer + periodSeconds: + description: |- + How often (in seconds) to perform the probe. + Default to 10 seconds. Minimum value is 1. + format: int32 + type: integer + successThreshold: + description: |- + Minimum consecutive successes for the probe to be considered successful after having failed. + Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies a connection to a + TCP port. + properties: + host: + description: 'Optional: Host name to connect to, + defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: |- + Number or name of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: |- + Optional duration in seconds the pod needs to terminate gracefully upon probe failure. + The grace period is the duration in seconds after the processes running in the pod are sent + a termination signal and the time when the processes are forcibly halted with a kill signal. + Set this value longer than the expected cleanup time for your process. + If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this + value overrides the value provided by the pod spec. + Value must be non-negative integer. The value zero indicates stop immediately via + the kill signal (no opportunity to shut down). + This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. + Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. + format: int64 + type: integer + timeoutSeconds: + description: |- + Number of seconds after which the probe times out. + Defaults to 1 second. Minimum value is 1. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + format: int32 + type: integer + type: object + runtimeValues: + additionalProperties: + type: string + description: |- + Envoy [runtime configuration](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/operations/runtime) to set during bootstrapping. + This enables setting experimental, unsafe, unsupported, and deprecated features that should be used with extreme caution. + type: object + sds: + description: |- + Secret Discovery Service(SDS) configuration to be used by the proxy. + + Deprecated: Marked as deprecated in mesh/v1alpha1/proxy.proto. + properties: + enabled: + description: True if SDS is enabled. + type: boolean + k8sSaJwtPath: + description: Path of k8s service account JWT path. + type: string + type: object + serviceCluster: + description: |- + Service cluster defines the name for the `service_cluster` that is + shared by all Envoy instances. This setting corresponds to + `--service-cluster` flag in Envoy. In a typical Envoy deployment, the + `service-cluster` flag is used to identify the caller, for + source-based routing scenarios. + + Since Istio does not assign a local `service/service` version to each + Envoy instance, the name is same for all of them. However, the + source/caller's identity (e.g., IP address) is encoded in the + `--service-node` flag when launching Envoy. When the RDS service + receives API calls from Envoy, it uses the value of the `service-node` + flag to compute routes that are relative to the service instances + located at that IP address. + type: string + statNameLength: + description: |- + Maximum length of name field in Envoy's metrics. The length of the name field + is determined by the length of a name field in a service and the set of labels that + comprise a particular version of the service. The default value is set to 189 characters. + Envoy's internal metrics take up 67 characters, for a total of 256 character name per metric. + Increase the value of this field if you find that the metrics from Envoys are truncated. + format: int32 + type: integer + statsdUdpAddress: + description: IP Address and Port of a statsd UDP listener + (e.g. `10.75.241.127:9125`). + type: string + statusPort: + description: |- + Port on which the agent should listen for administrative commands such as readiness probe. + Default is set to port `15020`. + format: int32 + type: integer + terminationDrainDuration: + description: |- + The amount of time allowed for connections to complete on proxy shutdown. + On receiving `SIGTERM` or `SIGINT`, `istio-agent` tells the active Envoy to start gracefully draining, + discouraging any new connections and allowing existing connections to complete. It then + sleeps for the `terminationDrainDuration` and then kills any remaining active Envoy processes. + If not set, a default of `5s` will be applied. + type: string + tracing: + description: Tracing configuration to be used by the proxy. + properties: + customTags: + additionalProperties: + description: |- + Configure custom tags that will be added to any active span. + Tags can be generated via literals, environment variables or an incoming request header. + properties: + environment: + description: |- + The custom tag's value should be populated from an environmental + variable + properties: + defaultValue: + description: |- + When the environment variable is not found, + the tag's value will be populated with this default value if specified, + otherwise the tag will not be populated. + type: string + name: + description: Name of the environment variable + used to populate the tag's value + type: string + type: object + header: + description: |- + The custom tag's value is populated by an http header from + an incoming request. + properties: + defaultValue: + description: |- + Default value to be used for the tag when the named HTTP header does not exist. + The tag will be skipped if no default value is provided. + type: string + name: + description: HTTP header name used to obtain + the value from to populate the tag value. + type: string + type: object + literal: + description: The custom tag's value is the specified + literal. + properties: + value: + description: Static literal value used to + populate the tag value. + type: string + type: object + type: object + x-kubernetes-validations: + - message: At most one of [literal environment header] + should be set + rule: (has(self.literal)?1:0) + (has(self.environment)?1:0) + + (has(self.header)?1:0) <= 1 + description: "and gateways).\nThe key represents the + name of the tag.\nEx:\n```yaml\ncustom_tags:\n\n\tnew_tag_name:\n\t + \ header:\n\t name: custom-http-header-name\n\t + \ default_value: defaulted-value-from-custom-header\n\n```" + type: object + datadog: + description: Use a Datadog tracer. + properties: + address: + description: Address of the Datadog Agent. + type: string + type: object + enableIstioTags: + description: |- + Determines whether or not trace spans generated by Envoy will include Istio specific tags. + By default Istio specific tags are included in the trace spans. + type: boolean + lightstep: + description: |- + Use a Lightstep tracer. + NOTE: For Istio 1.15+, this configuration option will result + in using OpenTelemetry-based Lightstep integration. + properties: + accessToken: + description: The Lightstep access token. + type: string + address: + description: Address of the Lightstep Satellite + pool. + type: string + type: object + maxPathTagLength: + description: |- + Configures the maximum length of the request path to extract and include in the + HttpUrl tag. Used to truncate length request paths to meet the needs of tracing + backend. If not set, then a length of 256 will be used. + format: int32 + type: integer + openCensusAgent: + description: Use an OpenCensus tracer exporting to + an OpenCensus agent. + properties: + address: + description: |- + gRPC address for the OpenCensus agent (e.g. dns://authority/host:port or + unix:path). See [gRPC naming + docs](https://github.com/grpc/grpc/blob/master/doc/naming.md) for + details. + type: string + context: + description: |- + Specifies the set of context propagation headers used for distributed + tracing. Default is `["W3C_TRACE_CONTEXT"]`. If multiple values are specified, + the proxy will attempt to read each header for each request and will + write all headers. + items: + description: |- + TraceContext selects the context propagation headers used for + distributed tracing. + enum: + - UNSPECIFIED + - W3C_TRACE_CONTEXT + - GRPC_BIN + - CLOUD_TRACE_CONTEXT + - B3 + type: string + type: array + type: object + sampling: + description: |- + The percentage of requests (0.0 - 100.0) that will be randomly selected for trace generation, + if not requested by the client or not forced. Default is 1.0. + type: number + stackdriver: + description: Use a Stackdriver tracer. + properties: + debug: + description: debug enables trace output to stdout. + type: boolean + maxNumberOfAnnotations: + description: |- + The global default max number of annotation events per span. + default is 200. + format: int64 + type: integer + maxNumberOfAttributes: + description: |- + The global default max number of attributes per span. + default is 200. + format: int64 + type: integer + maxNumberOfMessageEvents: + description: |- + The global default max number of message events per span. + default is 200. + format: int64 + type: integer + type: object + tlsSettings: + description: |- + Use the tlsSettings to specify the tls mode to use. If the remote tracing service + uses Istio mutual TLS and shares the root CA with istiod, specify the TLS + mode as `ISTIO_MUTUAL`. + properties: + caCertificates: + description: |- + OPTIONAL: The path to the file containing certificate authority + certificates to use in verifying a presented server certificate. If + omitted, the proxy will verify the server's certificate using + the OS CA certificates. + Should be empty if mode is `ISTIO_MUTUAL`. + type: string + caCrl: + description: |- + OPTIONAL: The path to the file containing the certificate revocation list (CRL) + to use in verifying a presented server certificate. `CRL` is a list of certificates + that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. + If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. + If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set, + `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential. + type: string + clientCertificate: + description: |- + REQUIRED if mode is `MUTUAL`. The path to the file holding the + client-side TLS certificate to use. + Should be empty if mode is `ISTIO_MUTUAL`. + type: string + credentialName: + description: |- + The name of the secret that holds the TLS certs for the + client including the CA certificates. This secret must exist in + the namespace of the proxy using the certificates. + An Opaque secret should contain the following keys and values: + `key: `, `cert: `, `cacert: `, + `crl: ` + Here CACertificate is used to verify the server certificate. + For mutual TLS, `cacert: ` can be provided in the + same secret or a separate secret named `-cacert`. + A TLS secret for client certificates with an additional + `ca.crt` key for CA certificates and `ca.crl` key for + certificate revocation list(CRL) is also supported. + Only one of client certificates and CA certificate + or credentialName can be specified. + + **NOTE:** This field is applicable at sidecars only if + `DestinationRule` has a `workloadSelector` specified. + Otherwise the field will be applicable only at gateways, and + sidecars will continue to use the certificate paths. + type: string + insecureSkipVerify: + description: |- + `insecureSkipVerify` specifies whether the proxy should skip verifying the + CA signature and SAN for the server certificate corresponding to the host. + The default value of this field is false. + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured + using TLS. The value of this field determines how TLS is enforced. + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: |- + REQUIRED if mode is `MUTUAL`. The path to the file holding the + client's private key. + Should be empty if mode is `ISTIO_MUTUAL`. + type: string + sni: + description: |- + SNI string to present to the server during TLS handshake. + If unspecified, SNI will be automatically set based on downstream HTTP + host/authority header for SIMPLE and MUTUAL TLS modes. + type: string + subjectAltNames: + description: |- + A list of alternate names to verify the subject identity in the + certificate. If specified, the proxy will verify that the server + certificate's subject alt name matches one of the specified values. + If specified, this list overrides the value of `subjectAltNames` + from the `ServiceEntry`. If unspecified, automatic validation of upstream + presented certificate for new upstream connections will be done based on the + downstream HTTP host/authority header. + items: + type: string + type: array + type: object + zipkin: + description: Use a Zipkin tracer. + properties: + address: + description: Address of the Zipkin service (e.g. + _zipkin:9411_). + type: string + type: object + type: object + x-kubernetes-validations: + - message: At most one of [zipkin lightstep datadog stackdriver + openCensusAgent] should be set + rule: (has(self.zipkin)?1:0) + (has(self.lightstep)?1:0) + + (has(self.datadog)?1:0) + (has(self.stackdriver)?1:0) + + (has(self.openCensusAgent)?1:0) <= 1 + tracingServiceName: + description: |- + Used by Envoy proxies to assign the values for the service names in trace + spans. + enum: + - APP_LABEL_AND_NAMESPACE + - CANONICAL_NAME_ONLY + - CANONICAL_NAME_AND_NAMESPACE + type: string + zipkinAddress: + description: |- + Address of the Zipkin service (e.g. _zipkin:9411_). + DEPRECATED: Use [tracing][istio.mesh.v1alpha1.ProxyConfig.tracing] instead. + + Deprecated: Marked as deprecated in mesh/v1alpha1/proxy.proto. + type: string + type: object + x-kubernetes-validations: + - message: At most one of [serviceCluster tracingServiceName] + should be set + rule: (has(self.serviceCluster)?1:0) + (has(self.tracingServiceName)?1:0) + <= 1 + defaultDestinationRuleExportTo: + description: |- + The default value for the `DestinationRule.exportTo` field. Has the same + syntax as `defaultServiceExportTo`. + + If not set the system will use "*" as the default value which implies that + destination rules are exported to all namespaces + items: + type: string + type: array + defaultHttpRetryPolicy: + description: "Configure the default HTTP retry policy.\nThe + default number of retry attempts is set at 2 for these errors:\n\n\t\"connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes\".\n\nSetting + the number of attempts to 0 disables retry policy globally.\nThis + setting can be overridden on a per-host basis using the + Virtual Service\nAPI.\nAll settings in the retry policy + except `perTryTimeout` can currently be\nconfigured globally + via this field." + properties: + attempts: + description: |- + Number of retries to be allowed for a given request. The interval + between retries will be determined automatically (25ms+). When request + `timeout` of the [HTTP route](https://istio.io/docs/reference/config/networking/virtual-service/#HTTPRoute) + or `per_try_timeout` is configured, the actual number of retries attempted also depends on + the specified request `timeout` and `per_try_timeout` values. MUST be >= 0. If `0`, retries will be disabled. + The maximum possible number of requests made will be 1 + `attempts`. + format: int32 + type: integer + backoff: + description: |- + Specifies the minimum duration between retry attempts. + If unset, default minimum duration of 25ms is used as base interval for exponetial backoff. + This has an impact on the total number of retries that will be attempted based on the `attempts` field + and route timeout. For example, with attempts is set to 3, backoff to 2s and timeout to 3s, the request will + be retried only once. + type: string + perTryTimeout: + description: |- + Timeout per attempt for a given request, including the initial call and any retries. Format: 1h/1m/1s/1ms. MUST be >=1ms. + Default is same value as request + `timeout` of the [HTTP route](https://istio.io/docs/reference/config/networking/virtual-service/#HTTPRoute), + which means no timeout. + type: string + retryIgnorePreviousHosts: + description: |- + Flag to specify whether the retries should ignore previously tried hosts during retry. + Defaults to true. + type: boolean + retryOn: + description: |- + Specifies the conditions under which retry takes place. + One or more policies can be specified using a ‘,’ delimited list. + See the [retry policies](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-on) + and [gRPC retry policies](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-grpc-on) for more details. + + In addition to the policies specified above, a list of HTTP status codes can be passed, such as `retryOn: "503,reset"`. + Note these status codes refer to the actual responses received from the destination. + For example, if a connection is reset, Istio will translate this to 503 for it's response. + However, the destination did not return a 503 error, so this would not match `"503"` (it would, however, match `"reset"`). + + If not specified, this defaults to `connect-failure,refused-stream,unavailable,cancelled`. + type: string + retryRemoteLocalities: + description: |- + Flag to specify whether the retries should retry to other localities. + See the [retry plugin configuration](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/http/http_connection_management#retry-plugin-configuration) for more details. + type: boolean + type: object + defaultProviders: + description: Specifies extension providers to use by default + in Istio configuration resources. + properties: + accessLogging: + description: Name of the default provider(s) for access + logging. + items: + type: string + type: array + metrics: + description: Name of the default provider(s) for metrics. + items: + type: string + type: array + tracing: + description: Name of the default provider(s) for tracing. + items: + type: string + type: array + type: object + defaultServiceExportTo: + description: |- + The default value for the ServiceEntry.exportTo field and services + imported through container registry integrations, e.g. this applies to + Kubernetes Service resources. The value is a list of namespace names and + reserved namespace aliases. The allowed namespace aliases are: + ``` + * - All Namespaces + . - Current Namespace + ~ - No Namespace + ``` + If not set the system will use "*" as the default value which implies that + services are exported to all namespaces. + + `All namespaces` is a reasonable default for implementations that don't + need to restrict access or visibility of services across namespace + boundaries. If that requirement is present it is generally good practice to + make the default `Current namespace` so that services are only visible + within their own namespaces by default. Operators can then expand the + visibility of services to other namespaces as needed. Use of `No Namespace` + is expected to be rare but can have utility for deployments where + dependency management needs to be precise even within the scope of a single + namespace. + + For further discussion see the reference documentation for `ServiceEntry`, + `Sidecar`, and `Gateway`. + items: + type: string + type: array + defaultVirtualServiceExportTo: + description: |- + The default value for the VirtualService.exportTo field. Has the same + syntax as `defaultServiceExportTo`. + + If not set the system will use "*" as the default value which implies that + virtual services are exported to all namespaces + items: + type: string + type: array + disableEnvoyListenerLog: + description: |- + This flag disables Envoy Listener logs. + See [Listener Access Log](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-access-log) + Istio Enables Envoy's listener access logs on "NoRoute" response flag. + Default value is `false`. + type: boolean + discoverySelectors: + description: |- + A list of Kubernetes selectors that specify the set of namespaces that Istio considers when + computing configuration updates for sidecars. This can be used to reduce Istio's computational load + by limiting the number of entities (including services, pods, and endpoints) that are watched and processed. + If omitted, Istio will use the default behavior of processing all namespaces in the cluster. + Elements in the list are disjunctive (OR semantics), i.e. a namespace will be included if it matches any selector. + The following example selects any namespace that matches either below: + 1. The namespace has both of these labels: `env: prod` and `region: us-east1` + 2. The namespace has label `app` equal to `cassandra` or `spark`. + ```yaml + discoverySelectors: + - matchLabels: + env: prod + region: us-east1 + - matchExpressions: + - key: app + operator: In + values: + - cassandra + - spark + + ``` + Refer to the [Kubernetes selector docs](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) + for additional detail on selector semantics. + items: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: array + dnsRefreshRate: + description: |- + Configures DNS refresh rate for Envoy clusters of type `STRICT_DNS` + Default refresh rate is `60s`. + type: string + enableAutoMtls: + description: |- + This flag is used to enable mutual `TLS` automatically for service to service communication + within the mesh, default true. + If set to true, and a given service does not have a corresponding `DestinationRule` configured, + or its `DestinationRule` does not have ClientTLSSettings specified, Istio configures client side + TLS configuration appropriately. More specifically, + If the upstream authentication policy is in `STRICT` mode, use Istio provisioned certificate + for mutual `TLS` to connect to upstream. + If upstream service is in plain text mode, use plain text. + If the upstream authentication policy is in PERMISSIVE mode, Istio configures clients to use + mutual `TLS` when server sides are capable of accepting mutual `TLS` traffic. + If service `DestinationRule` exists and has `ClientTLSSettings` specified, that is always used instead. + type: boolean + enableEnvoyAccessLogService: + description: |- + This flag enables Envoy's gRPC Access Log Service. + See [Access Log Service](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/grpc/v3/als.proto) + for details about Envoy's gRPC Access Log Service API. + Default value is `false`. + type: boolean + enablePrometheusMerge: + description: |- + If enabled, Istio agent will merge metrics exposed by the application with metrics from Envoy + and Istio agent. The sidecar injection will replace `prometheus.io` annotations present on the pod + and redirect them towards Istio agent, which will then merge metrics of from the application with Istio metrics. + This relies on the annotations `prometheus.io/scrape`, `prometheus.io/port`, and + `prometheus.io/path` annotations. + If you are running a separately managed Envoy with an Istio sidecar, this may cause issues, as the metrics will collide. + In this case, it is recommended to disable aggregation on that deployment with the + `prometheus.istio.io/merge-metrics: "false"` annotation. + If not specified, this will be enabled by default. + type: boolean + enableTracing: + description: |- + Flag to control generation of trace spans and request IDs. + Requires a trace span collector defined in the proxy configuration. + type: boolean + extensionProviders: + description: |- + Defines a list of extension providers that extend Istio's functionality. For example, the AuthorizationPolicy + can be used with an extension provider to delegate the authorization decision to a custom authorization system. + items: + properties: + datadog: + description: Configures a Datadog tracing provider. + properties: + maxTagLength: + description: |- + Optional. Controls the overall path length allowed in a reported span. + NOTE: currently only controls max length of the path tag. + format: int32 + type: integer + port: + description: REQUIRED. Specifies the port of the + service. + format: int32 + type: integer + service: + description: |- + REQUIRED. Specifies the service for the Datadog agent. + The format is `[/]`. The specification of `` is required only when it is insufficient + to unambiguously resolve a service in the service registry. The `` is a fully qualified host name of a + service defined by the Kubernetes service or ServiceEntry. + + Example: "datadog.default.svc.cluster.local" or "bar/datadog.example.com". + type: string + required: + - port + - service + type: object + envoyExtAuthzGrpc: + description: Configures an external authorizer that + implements the Envoy ext_authz filter authorization + check service using the gRPC API. + properties: + clearRouteCache: + description: |- + If true, clears route cache in order to allow the external authorization service to correctly affect routing decisions. + If true, recalculate routes with the new ExtAuthZ added/removed headers. + Default is false + type: boolean + failOpen: + description: |- + If true, the HTTP request or TCP connection will be allowed even if the communication with the authorization service has failed, + or if the authorization service has returned a HTTP 5xx error. + Default is false. For HTTP request, it will be rejected with 403 (HTTP Forbidden). For TCP connection, it will be closed immediately. + type: boolean + includeRequestBodyInCheck: + description: If set, the client request body will + be included in the authorization request sent + to the authorization service. + properties: + allowPartialMessage: + description: |- + When this field is true, ext-authz filter will buffer the message until maxRequestBytes is reached. + The authorization request will be dispatched and no 413 HTTP error will be returned by the filter. + A "x-envoy-auth-partial-body: false|true" metadata header will be added to the authorization request message + indicating if the body data is partial. + type: boolean + maxRequestBytes: + description: |- + Sets the maximum size of a message body that the ext-authz filter will hold in memory. + If maxRequestBytes is reached, and allowPartialMessage is false, Envoy will return a 413 (Payload Too Large). + Otherwise the request will be sent to the provider with a partial message. + Note that this setting will have precedence over the failOpen field, the 413 will be returned even when the + failOpen is set to true. + format: int32 + type: integer + packAsBytes: + description: |- + If true, the body sent to the external authorization service in the gRPC authorization request is set with raw bytes + in the [raw_body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153). + Otherwise, it will be filled with UTF-8 string in the [body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147). + This field only works with the envoyExtAuthzGrpc provider and has no effect for the envoyExtAuthzHttp provider. + type: boolean + type: object + port: + description: REQUIRED. Specifies the port of the + service. + format: int32 + type: integer + service: + description: |- + REQUIRED. Specifies the service that implements the Envoy ext_authz gRPC authorization service. + The format is `[/]`. The specification of `` is required only when it is insufficient + to unambiguously resolve a service in the service registry. The `` is a fully qualified host name of a + service defined by the Kubernetes service or ServiceEntry. + + Example: "my-ext-authz.foo.svc.cluster.local" or "bar/my-ext-authz.example.com". + type: string + statusOnError: + description: |- + Sets the HTTP status that is returned to the client when there is a network error to the authorization service. + The default status is "403" (HTTP Forbidden). + type: string + timeout: + description: |- + The maximum duration that the proxy will wait for a response from the provider, this is the timeout for a specific request (default timeout: 600s). + When this timeout condition is met, the proxy marks the communication to the authorization service as failure. + In this situation, the response sent back to the client will depend on the configured `failOpen` field. + type: string + required: + - port + - service + type: object + envoyExtAuthzHttp: + description: Configures an external authorizer that + implements the Envoy ext_authz filter authorization + check service using the HTTP API. + properties: + clearRouteCache: + description: |- + If true, clears route cache in order to allow the external authorization service to correctly affect routing decisions. + If true, recalculate routes with the new ExtAuthZ added/removed headers. + Default is false + type: boolean + failOpen: + description: |- + If true, the user request will be allowed even if the communication with the authorization service has failed, + or if the authorization service has returned a HTTP 5xx error. + Default is false and the request will be rejected with "Forbidden" response. + type: boolean + headersToDownstreamOnAllow: + description: |- + List of headers from the authorization service that should be forwarded to downstream when the authorization + check result is allowed (HTTP code 200). + If not specified, the original response will not be modified and forwarded to downstream as-is. + Note, any existing headers will be overridden. + + Exact, prefix and suffix matches are supported (similar to the + [authorization policy rule syntax](https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule) + except the presence match): + - Exact match: "abc" will match on value "abc". + - Prefix match: "abc*" will match on value "abc" and "abcd". + - Suffix match: "*abc" will match on value "abc" and "xabc". + items: + type: string + type: array + headersToDownstreamOnDeny: + description: |- + List of headers from the authorization service that should be forwarded to downstream when the authorization + check result is not allowed (HTTP code other than 200). + If not specified, all the authorization response headers, except *Authority (Host)* will be in the response to + the downstream. + When a header is included in this list, *Path*, *Status*, *Content-Length*, *WWWAuthenticate* and *Location* are + automatically added. + Note, the body from the authorization service is always included in the response to downstream. + + Exact, prefix and suffix matches are supported (similar to the + [authorization policy rule syntax](https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule) + except the presence match): + - Exact match: "abc" will match on value "abc". + - Prefix match: "abc*" will match on value "abc" and "abcd". + - Suffix match: "*abc" will match on value "abc" and "xabc". + items: + type: string + type: array + headersToUpstreamOnAllow: + description: |- + List of headers from the authorization service that should be added or overridden in the original request and + forwarded to the upstream when the authorization check result is allowed (HTTP code 200). + If not specified, the original request will not be modified and forwarded to backend as-is. + Note, any existing headers will be overridden. + + Exact, prefix and suffix matches are supported (similar to the + [authorization policy rule syntax](https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule) + except the presence match): + - Exact match: "abc" will match on value "abc". + - Prefix match: "abc*" will match on value "abc" and "abcd". + - Suffix match: "*abc" will match on value "abc" and "xabc". + items: + type: string + type: array + includeAdditionalHeadersInCheck: + additionalProperties: + type: string + description: |- + Set of additional fixed headers that should be included in the authorization request sent to the authorization service. + Key is the header name and value is the header value. + Note that client request of the same key or headers specified in includeRequestHeadersInCheck will be overridden. + type: object + includeHeadersInCheck: + description: |- + DEPRECATED. Use includeRequestHeadersInCheck instead. + + Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto. + items: + type: string + type: array + includeRequestBodyInCheck: + description: If set, the client request body will + be included in the authorization request sent + to the authorization service. + properties: + allowPartialMessage: + description: |- + When this field is true, ext-authz filter will buffer the message until maxRequestBytes is reached. + The authorization request will be dispatched and no 413 HTTP error will be returned by the filter. + A "x-envoy-auth-partial-body: false|true" metadata header will be added to the authorization request message + indicating if the body data is partial. + type: boolean + maxRequestBytes: + description: |- + Sets the maximum size of a message body that the ext-authz filter will hold in memory. + If maxRequestBytes is reached, and allowPartialMessage is false, Envoy will return a 413 (Payload Too Large). + Otherwise the request will be sent to the provider with a partial message. + Note that this setting will have precedence over the failOpen field, the 413 will be returned even when the + failOpen is set to true. + format: int32 + type: integer + packAsBytes: + description: |- + If true, the body sent to the external authorization service in the gRPC authorization request is set with raw bytes + in the [raw_body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153). + Otherwise, it will be filled with UTF-8 string in the [body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147). + This field only works with the envoyExtAuthzGrpc provider and has no effect for the envoyExtAuthzHttp provider. + type: boolean + type: object + includeRequestHeadersInCheck: + description: |- + List of client request headers that should be included in the authorization request sent to the authorization service. + Note that in addition to the headers specified here following headers are included by default: + 1. *Host*, *Method*, *Path* and *Content-Length* are automatically sent. + 2. *Content-Length* will be set to 0 and the request will not have a message body. However, the authorization + request can include the buffered client request body (controlled by includeRequestBodyInCheck setting), + consequently the value of Content-Length of the authorization request reflects the size of its payload size. + + Exact, prefix and suffix matches are supported (similar to the + [authorization policy rule syntax](https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule) + except the presence match): + - Exact match: "abc" will match on value "abc". + - Prefix match: "abc*" will match on value "abc" and "abcd". + - Suffix match: "*abc" will match on value "abc" and "xabc". + items: + type: string + type: array + pathPrefix: + description: |- + Sets a prefix to the value of authorization request header *Path*. + For example, setting this to "/check" for an original user request at path "/admin" will cause the + authorization check request to be sent to the authorization service at the path "/check/admin" instead of "/admin". + type: string + port: + description: REQUIRED. Specifies the port of the + service. + format: int32 + type: integer + service: + description: |- + REQUIRED. Specifies the service that implements the Envoy ext_authz HTTP authorization service. + The format is `[/]`. The specification of `` is required only when it is insufficient + to unambiguously resolve a service in the service registry. The `` is a fully qualified host name of a + service defined by the Kubernetes service or ServiceEntry. + + Example: "my-ext-authz.foo.svc.cluster.local" or "bar/my-ext-authz.example.com". + type: string + statusOnError: + description: |- + Sets the HTTP status that is returned to the client when there is a network error to the authorization service. + The default status is "403" (HTTP Forbidden). + type: string + timeout: + description: |- + The maximum duration that the proxy will wait for a response from the provider (default timeout: 600s). + When this timeout condition is met, the proxy marks the communication to the authorization service as failure. + In this situation, the response sent back to the client will depend on the configured `failOpen` field. + type: string + required: + - port + - service + type: object + envoyFileAccessLog: + description: Configures an Envoy File Access Log provider. + properties: + logFormat: + description: Optional. Allows overriding of the + default access log format. + properties: + labels: + additionalProperties: + type: string + description: "JSON structured format for the + envoy access logs. Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators)\ncan + be used as values for fields within the Struct. + Values are rendered\nas strings, numbers, + or boolean values, as appropriate\n(see: [format + dictionaries](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-dictionaries)). + Nested JSON is\nsupported for some command + operators (e.g. `FILTER_STATE` or `DYNAMIC_METADATA`).\nUse + `labels: {}` for default envoy JSON log format.\n\nExample:\n```\nlabels:\n\n\tstatus: + \"%RESPONSE_CODE%\"\n\tmessage: \"%LOCAL_REPLY_BODY%\"\n\n```" + type: object + text: + description: |- + Textual format for the envoy access logs. Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators) may be + used in the format. The [format string documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-strings) + provides more information. + + NOTE: Istio will insert a newline ('\n') on all formats (if missing). + + Example: `text: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%"` + type: string + type: object + x-kubernetes-validations: + - message: At most one of [text labels] should be + set + rule: (has(self.text)?1:0) + (has(self.labels)?1:0) + <= 1 + omitEmptyValues: + description: |- + Optional. If set to true, when command operators are evaluated to null, + For text format, the output of the empty operator is changed from "-" to an empty string. + For json format, the keys with null values are omitted in the output structure. + type: boolean + path: + description: |- + Path to a local file to write the access log entries. + This may be used to write to streams, via `/dev/stderr` and `/dev/stdout` + If unspecified, defaults to `/dev/stdout`. + type: string + type: object + envoyHttpAls: + description: Configures an Envoy Access Logging Service + provider for HTTP traffic. + properties: + additionalRequestHeadersToLog: + description: Optional. Additional request headers + to log. + items: + type: string + type: array + additionalResponseHeadersToLog: + description: Optional. Additional response headers + to log. + items: + type: string + type: array + additionalResponseTrailersToLog: + description: Optional. Additional response trailers + to log. + items: + type: string + type: array + filterStateObjectsToLog: + description: Optional. Additional filter state objects + to log. + items: + type: string + type: array + logName: + description: |- + Optional. The friendly name of the access log. + Defaults: + - "http_envoy_accesslog" + - "listener_envoy_accesslog" + type: string + port: + description: REQUIRED. Specifies the port of the + service. + format: int32 + type: integer + service: + description: |- + REQUIRED. Specifies the service that implements the Envoy ALS gRPC authorization service. + The format is `[/]`. The specification of `` is required only when it is insufficient + to unambiguously resolve a service in the service registry. The `` is a fully qualified host name of a + service defined by the Kubernetes service or ServiceEntry. + + Example: "envoy-als.foo.svc.cluster.local" or "bar/envoy-als.example.com". + type: string + required: + - port + - service + type: object + envoyOtelAls: + description: Configures an Envoy Open Telemetry Access + Logging Service provider. + properties: + logFormat: + description: |- + Optional. Format for the proxy access log + Empty value results in proxy's default access log format, following Envoy access logging formatting. + properties: + labels: + additionalProperties: + type: string + description: "Optional. Additional attributes + that describe the specific event occurrence.\nStructured + format for the envoy access logs. Envoy [command + operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators)\ncan + be used as values for fields within the Struct. + Values are rendered\nas strings, numbers, + or boolean values, as appropriate\n(see: [format + dictionaries](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-dictionaries)). + Nested JSON is\nsupported for some command + operators (e.g. FILTER_STATE or DYNAMIC_METADATA).\nAlias + to `attributes` field in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto)\n\nExample:\n```\nlabels:\n\n\tstatus: + \"%RESPONSE_CODE%\"\n\tmessage: \"%LOCAL_REPLY_BODY%\"\n\n```" + type: object + text: + description: |- + Textual format for the envoy access logs. Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators) may be + used in the format. The [format string documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-strings) + provides more information. + Alias to `body` field in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto) + Example: `text: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%"` + type: string + type: object + logName: + description: |- + Optional. The friendly name of the access log. + Defaults: + - "otel_envoy_accesslog" + type: string + port: + description: REQUIRED. Specifies the port of the + service. + format: int32 + type: integer + service: + description: |- + REQUIRED. Specifies the service that implements the Envoy ALS gRPC authorization service. + The format is `[/]`. The specification of `` is required only when it is insufficient + to unambiguously resolve a service in the service registry. The `` is a fully qualified host name of a + service defined by the Kubernetes service or ServiceEntry. + + Example: "envoy-als.foo.svc.cluster.local" or "bar/envoy-als.example.com". + type: string + required: + - port + - service + type: object + envoyTcpAls: + description: Configures an Envoy Access Logging Service + provider for TCP traffic. + properties: + filterStateObjectsToLog: + description: Optional. Additional filter state objects + to log. + items: + type: string + type: array + logName: + description: |- + Optional. The friendly name of the access log. + Defaults: + - "tcp_envoy_accesslog" + - "listener_envoy_accesslog" + type: string + port: + description: REQUIRED. Specifies the port of the + service. + format: int32 + type: integer + service: + description: |- + REQUIRED. Specifies the service that implements the Envoy ALS gRPC authorization service. + The format is `[/]`. The specification of `` is required only when it is insufficient + to unambiguously resolve a service in the service registry. The `` is a fully qualified host name of a + service defined by the Kubernetes service or ServiceEntry. + + Example: "envoy-als.foo.svc.cluster.local" or "bar/envoy-als.example.com". + type: string + required: + - port + - service + type: object + lightstep: + description: |- + Configures a Lightstep tracing provider. + Deprecated: For Istio 1.15+, please use an OpenTelemetryTracingProvider instead, more details can be found at https://github.com/istio/istio/issues/40027 + + Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto. + properties: + accessToken: + description: The Lightstep access token. + type: string + maxTagLength: + description: |- + Optional. Controls the overall path length allowed in a reported span. + NOTE: currently only controls max length of the path tag. + format: int32 + type: integer + port: + description: REQUIRED. Specifies the port of the + service. + format: int32 + type: integer + service: + description: |- + REQUIRED. Specifies the service for the Lightstep collector. + The format is `[/]`. The specification of `` is required only when it is insufficient + to unambiguously resolve a service in the service registry. The `` is a fully qualified host name of a + service defined by the Kubernetes service or ServiceEntry. + + Example: "lightstep.default.svc.cluster.local" or "bar/lightstep.example.com". + type: string + required: + - port + - service + type: object + name: + description: REQUIRED. A unique name identifying the + extension provider. + type: string + opencensus: + description: |- + Configures an OpenCensusAgent tracing provider. + Deprecated: OpenCensus is deprecated, more details can be found at https://opentelemetry.io/blog/2023/sunsetting-opencensus/ + + Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto. + properties: + context: + description: |- + Specifies the set of context propagation headers used for distributed + tracing. Default is `["W3C_TRACE_CONTEXT"]`. If multiple values are specified, + the proxy will attempt to read each header for each request and will + write all headers. + items: + description: |- + TraceContext selects the context propagation headers used for + distributed tracing. + enum: + - UNSPECIFIED + - W3C_TRACE_CONTEXT + - GRPC_BIN + - CLOUD_TRACE_CONTEXT + - B3 + type: string + type: array + maxTagLength: + description: |- + Optional. Controls the overall path length allowed in a reported span. + NOTE: currently only controls max length of the path tag. + format: int32 + type: integer + port: + description: REQUIRED. Specifies the port of the + service. + format: int32 + type: integer + service: + description: |- + REQUIRED. Specifies the service for the OpenCensusAgent. + The format is `[/]`. The specification of `` is required only when it is insufficient + to unambiguously resolve a service in the service registry. The `` is a fully qualified host name of a + service defined by the Kubernetes service or ServiceEntry. + + Example: "ocagent.default.svc.cluster.local" or "bar/ocagent.example.com". + type: string + required: + - port + - service + type: object + opentelemetry: + description: Configures an OpenTelemetry tracing provider. + properties: + dynatraceSampler: + description: |- + The Dynatrace adaptive traffic management (ATM) sampler. + + Example configuration: + + ```yaml + - name: otel-tracing + opentelemetry: + port: 443 + service: "{your-environment-id}.live.dynatrace.com" + http: + path: "/api/v2/otlp/v1/traces" + timeout: 10s + headers: + - name: "Authorization" + value: "Api-Token dt0c01." + resourceDetectors: + dynatrace: {} + dynatraceSampler: + tenant: "{your-environment-id}" + clusterId: 1234 + properties: + clusterId: + description: |- + REQUIRED. The identifier of the cluster in the Dynatrace platform. + The cluster here is Dynatrace-specific concept and not related to the cluster concept in Istio/Envoy. + + The value can be obtained from the Istio deployment page in Dynatrace. + format: int32 + type: integer + httpService: + description: |- + Optional. Dynatrace HTTP API to obtain sampling configuration. + + When not provided, the Dynatrace Sampler will re-use the configuration from the OpenTelemetryTracingProvider HTTP Exporter + (`service`, `port` and `http`), including the access token. + properties: + http: + description: REQUIRED. Specifies sampling + configuration URI. + properties: + headers: + description: |- + Optional. Allows specifying custom HTTP headers that will be added + to each HTTP request sent. + items: + properties: + envName: + description: |- + The HTTP header value from the environment variable. + + Warning: + - The environment variable must be set in the istiod pod spec. + - This is not a end-to-end secure. + type: string + name: + description: REQUIRED. The HTTP + header name. + type: string + value: + description: The HTTP header value. + type: string + required: + - name + type: object + x-kubernetes-validations: + - message: At most one of [value envName] + should be set + rule: (has(self.value)?1:0) + (has(self.envName)?1:0) + <= 1 + type: array + path: + description: REQUIRED. Specifies the + path on the service. + type: string + timeout: + description: |- + Optional. Specifies the timeout for the HTTP request. + If not specified, the default is 3s. + type: string + required: + - path + type: object + port: + description: REQUIRED. Specifies the port + of the service. + format: int32 + type: integer + service: + description: |- + REQUIRED. Specifies the Dynatrace environment to obtain the sampling configuration. + The format is ``, where `` is the fully qualified Dynatrace environment + host name defined in the ServiceEntry. + + Example: "{your-environment-id}.live.dynatrace.com". + type: string + required: + - http + - port + - service + type: object + rootSpansPerMinute: + description: |- + Optional. Number of sampled spans per minute to be used + when the adaptive value cannot be obtained from the Dynatrace API. + + A default value of `1000` is used when: + + - `rootSpansPerMinute` is unset + - `rootSpansPerMinute` is set to 0 + format: int32 + type: integer + tenant: + description: |- + REQUIRED. The Dynatrace customer's tenant identifier. + + The value can be obtained from the Istio deployment page in Dynatrace. + type: string + required: + - clusterId + - tenant + type: object + grpc: + description: "Optional. Specifies the configuration + for exporting OTLP traces via GRPC.\nWhen empty, + traces will check whether HTTP is set.\nIf not, + traces will use default GRPC configurations.\n\nThe + following example shows how to configure the OpenTelemetry + ExtensionProvider to export via GRPC:\n\n1. Add/change + the OpenTelemetry extension provider in `MeshConfig`\n```yaml\n + \ - name: opentelemetry\n opentelemetry:\n + \ port: 8090\n service: tracing.example.com\n + \ grpc:\n timeout: 10s\n initialMetadata:\n + \ - name: \"Authentication\"\n value: \"token-xxxxx\"\n\n```\n\n2. + Deploy a `ServiceEntry` for the observability + back-end\n```yaml\napiVersion: networking.istio.io/v1alpha3\nkind: + ServiceEntry\nmetadata:\n\n\tname: tracing-grpc\n\nspec:\n\n\thosts:\n\t- + tracing.example.com\n\tports:\n\t- number: 8090\n\t + \ name: grpc-port\n\t protocol: GRPC\n\tresolution: + DNS\n\tlocation: MESH_EXTERNAL\n\n```" + properties: + initialMetadata: + description: |- + Optional. Additional metadata to include in streams initiated to the GrpcService. This can be used for + scenarios in which additional ad hoc authorization headers (e.g. "x-foo-bar: baz-key") are to + be injected. + items: + properties: + envName: + description: |- + The HTTP header value from the environment variable. + + Warning: + - The environment variable must be set in the istiod pod spec. + - This is not a end-to-end secure. + type: string + name: + description: REQUIRED. The HTTP header + name. + type: string + value: + description: The HTTP header value. + type: string + required: + - name + type: object + x-kubernetes-validations: + - message: At most one of [value envName] + should be set + rule: (has(self.value)?1:0) + (has(self.envName)?1:0) + <= 1 + type: array + timeout: + description: Optional. Specifies the timeout + for the GRPC request. + type: string + type: object + http: + description: "Optional. Specifies the configuration + for exporting OTLP traces via HTTP.\nWhen empty, + traces will be exported via gRPC.\n\nThe following + example shows how to configure the OpenTelemetry + ExtensionProvider to export via HTTP:\n\n1. Add/change + the OpenTelemetry extension provider in `MeshConfig`\n```yaml\n + \ - name: otel-tracing\n opentelemetry:\n port: + 443\n service: my.olly-backend.com\n http:\n + \ path: \"/api/otlp/traces\"\n timeout: 10s\n + \ headers:\n - name: \"my-custom-header\"\n + \ value: \"some value\"\n\n```\n\n2. Deploy + a `ServiceEntry` for the observability back-end\n```yaml\napiVersion: + networking.istio.io/v1alpha3\nkind: ServiceEntry\nmetadata:\n\n\tname: + my-olly-backend\n\nspec:\n\n\thosts:\n\t- my.olly-backend.com\n\tports:\n\t- + number: 443\n\t name: https-port\n\t protocol: + HTTPS\n\tresolution: DNS\n\tlocation: MESH_EXTERNAL\n\n---\napiVersion: + networking.istio.io/v1alpha3\nkind: DestinationRule\nmetadata:\n\n\tname: + my-olly-backend\n\nspec:\n\n\thost: my.olly-backend.com\n\ttrafficPolicy:\n\t + \ portLevelSettings:\n\t - port:\n\t number: + 443\n\t tls:\n\t mode: SIMPLE\n\n```" + properties: + headers: + description: |- + Optional. Allows specifying custom HTTP headers that will be added + to each HTTP request sent. + items: + properties: + envName: + description: |- + The HTTP header value from the environment variable. + + Warning: + - The environment variable must be set in the istiod pod spec. + - This is not a end-to-end secure. + type: string + name: + description: REQUIRED. The HTTP header + name. + type: string + value: + description: The HTTP header value. + type: string + required: + - name + type: object + x-kubernetes-validations: + - message: At most one of [value envName] + should be set + rule: (has(self.value)?1:0) + (has(self.envName)?1:0) + <= 1 + type: array + path: + description: REQUIRED. Specifies the path on + the service. + type: string + timeout: + description: |- + Optional. Specifies the timeout for the HTTP request. + If not specified, the default is 3s. + type: string + required: + - path + type: object + maxTagLength: + description: |- + Optional. Controls the overall path length allowed in a reported span. + NOTE: currently only controls max length of the path tag. + format: int32 + type: integer + port: + description: REQUIRED. Specifies the port of the + service. + format: int32 + type: integer + resourceDetectors: + description: |- + Optional. Specifies [Resource Detectors](https://opentelemetry.io/docs/specs/otel/resource/sdk/) + to be used by the OpenTelemetry Tracer. When multiple resources are provided, they are merged + according to the OpenTelemetry [Resource specification](https://opentelemetry.io/docs/specs/otel/resource/sdk/#merge). + + The following example shows how to configure the Environment Resource Detector, that will + read the attributes from the environment variable `OTEL_RESOURCE_ATTRIBUTES`: + + ```yaml + - name: otel-tracing + opentelemetry: + port: 443 + service: my.olly-backend.com + resourceDetectors: + environment: {} + + ``` + properties: + dynatrace: + description: |- + Dynatrace Resource Detector. + The resource detector reads from the Dynatrace enrichment files + and adds host/process related attributes to the OpenTelemetry resource. + + See: [Enrich ingested data with Dynatrace-specific dimensions](https://docs.dynatrace.com/docs/shortlink/enrichment-files) + type: object + environment: + description: |- + OpenTelemetry Environment Resource Detector. + The resource detector reads attributes from the environment variable `OTEL_RESOURCE_ATTRIBUTES` + and adds them to the OpenTelemetry resource. + + See: [Resource specification](https://opentelemetry.io/docs/specs/otel/resource/sdk/#specifying-resource-information-via-an-environment-variable) + type: object + type: object + service: + description: |- + REQUIRED. Specifies the OpenTelemetry endpoint that will receive OTLP traces. + The format is `[/]`. The specification of `` is required only when it is insufficient + to unambiguously resolve a service in the service registry. The `` is a fully qualified host name of a + service defined by the Kubernetes service or ServiceEntry. + + Example: "otlp.default.svc.cluster.local" or "bar/otlp.example.com". + type: string + required: + - port + - service + type: object + x-kubernetes-validations: + - message: At most one of [dynatraceSampler] should + be set + rule: (has(self.dynatraceSampler)?1:0) <= 1 + prometheus: + description: Configures a Prometheus metrics provider. + type: object + sds: + description: |- + Configures an Extension Provider for SDS. This can be used to + configure an external SDS service to supply secrets for certain Gateways for example. + This is useful for scenarios where the secrets are stored in an external secret store like Vault. + The secret should be configured with sds://provider-name format. + properties: + name: + description: REQUIRED. Specifies the name of the + provider. This should be used to configure the + Gateway SDS. + type: string + port: + description: REQUIRED. Specifies the port of the + service. + format: int32 + type: integer + service: + description: |- + REQUIRED. Specifies the service that implements the SDS service. + The format is `[/]`. The specification of `` is required only when it is insufficient + to unambiguously resolve a service in the service registry. The `` is a fully qualified host name of a + service defined by the Kubernetes service or ServiceEntry. + + Example: "gateway-sds.foo.svc.cluster.local" or "bar/gateway-sds.example.com". + type: string + required: + - name + - port + - service + type: object + skywalking: + description: Configures a Apache SkyWalking provider. + properties: + accessToken: + description: Optional. The SkyWalking OAP access + token. + type: string + port: + description: REQUIRED. Specifies the port of the + service. + format: int32 + type: integer + service: + description: |- + REQUIRED. Specifies the service for the SkyWalking receiver. + The format is `[/]`. The specification of `` is required only when it is insufficient + to unambiguously resolve a service in the service registry. The `` is a fully qualified host name of a + service defined by the Kubernetes service or ServiceEntry. + + Example: "skywalking.default.svc.cluster.local" or "bar/skywalking.example.com". + type: string + required: + - port + - service + type: object + stackdriver: + description: Configures a Stackdriver provider. + properties: + debug: + description: |- + debug enables trace output to stdout. + + Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto. + type: boolean + logging: + description: Optional. Controls Stackdriver logging + behavior. + properties: + labels: + additionalProperties: + type: string + description: "Collection of tag names and tag + expressions to include in the log\nentry. + Conflicts are resolved by the tag name by + overriding previously\nsupplied values.\n\nExample:\n\n\tlabels:\n\t + \ path: request.url_path\n\t foo: request.headers['x-foo']" + type: object + type: object + maxNumberOfAnnotations: + description: |- + The global default max number of annotation events per span. + default is 200. + + Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto. + format: int64 + type: integer + maxNumberOfAttributes: + description: |- + The global default max number of attributes per span. + default is 200. + + Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto. + format: int64 + type: integer + maxNumberOfMessageEvents: + description: |- + The global default max number of message events per span. + default is 200. + + Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto. + format: int64 + type: integer + maxTagLength: + description: |- + Optional. Controls the overall path length allowed in a reported span. + NOTE: currently only controls max length of the path tag. + format: int32 + type: integer + type: object + zipkin: + description: Configures a tracing provider that uses + the Zipkin API. + properties: + enable64bitTraceId: + description: |- + Optional. A 128 bit trace id will be used in Istio. + If true, will result in a 64 bit trace id being used. + type: boolean + maxTagLength: + description: |- + Optional. Controls the overall path length allowed in a reported span. + NOTE: currently only controls max length of the path tag. + format: int32 + type: integer + path: + description: |- + Optional. Specifies the endpoint of Zipkin API. + The default value is "/api/v2/spans". + type: string + port: + description: REQUIRED. Specifies the port of the + service. + format: int32 + type: integer + service: + description: |- + REQUIRED. Specifies the service that the Zipkin API. + The format is `[/]`. The specification of `` is required only when it is insufficient + to unambiguously resolve a service in the service registry. The `` is a fully qualified host name of a + service defined by the Kubernetes service or ServiceEntry. + + Example: "zipkin.default.svc.cluster.local" or "bar/zipkin.example.com". + type: string + traceContextOption: + description: |- + Optional. Determines which trace context format to use for trace header extraction and propagation. + This controls both downstream request header extraction and upstream request header injection. + The default value is USE_B3 to maintain backward compatibility. + enum: + - USE_B3 + - USE_B3_WITH_W3C_PROPAGATION + type: string + required: + - port + - service + type: object + required: + - name + type: object + x-kubernetes-validations: + - message: At most one of [envoyExtAuthzHttp envoyExtAuthzGrpc + zipkin lightstep datadog stackdriver opencensus skywalking + opentelemetry prometheus envoyFileAccessLog envoyHttpAls + envoyTcpAls envoyOtelAls sds] should be set + rule: (has(self.envoyExtAuthzHttp)?1:0) + (has(self.envoyExtAuthzGrpc)?1:0) + + (has(self.zipkin)?1:0) + (has(self.lightstep)?1:0) + + (has(self.datadog)?1:0) + (has(self.stackdriver)?1:0) + + (has(self.opencensus)?1:0) + (has(self.skywalking)?1:0) + + (has(self.opentelemetry)?1:0) + (has(self.prometheus)?1:0) + + (has(self.envoyFileAccessLog)?1:0) + (has(self.envoyHttpAls)?1:0) + + (has(self.envoyTcpAls)?1:0) + (has(self.envoyOtelAls)?1:0) + + (has(self.sds)?1:0) <= 1 + maxItems: 1000 + type: array + h2UpgradePolicy: + description: |- + Specify if http1.1 connections should be upgraded to http2 by default. + if sidecar is installed on all pods in the mesh, then this should be set to `UPGRADE`. + If one or more services or namespaces do not have sidecar(s), then this should be set to `DO_NOT_UPGRADE`. + It can be enabled by destination using the `destinationRule.trafficPolicy.connectionPool.http.h2UpgradePolicy` override. + enum: + - DO_NOT_UPGRADE + - UPGRADE + type: string + inboundClusterStatName: + description: |- + Name to be used while emitting statistics for inbound clusters. The same pattern is used while computing stat prefix for + network filters like TCP and Redis. + By default, Istio emits statistics with the pattern `inbound|||`. + For example `inbound|7443|grpc-reviews|reviews.prod.svc.cluster.local`. This can be used to override that pattern. + + A Pattern can be composed of various pre-defined variables. The following variables are supported. + + - `%SERVICE%` - Will be substituted with short hostname of the service. + - `%SERVICE_NAME%` - Will be substituted with name of the service. + - `%SERVICE_FQDN%` - Will be substituted with FQDN of the service. + - `%SERVICE_PORT%` - Will be substituted with port of the service. + - `%TARGET_PORT%` - Will be substituted with the target port of the service. + - `%SERVICE_PORT_NAME%` - Will be substituted with port name of the service. + + Following are some examples of supported patterns for reviews: + + - `%SERVICE_FQDN%_%SERVICE_PORT%` will use reviews.prod.svc.cluster.local_7443 as the stats name. + - `%SERVICE%` will use reviews.prod as the stats name. + type: string + inboundTrafficPolicy: + description: |- + Set the default behavior of the sidecar for handling inbound + traffic to the application. If your application listens on + localhost, you will need to set this to `LOCALHOST`. + properties: + mode: + enum: + - PASSTHROUGH + - LOCALHOST + type: string + type: object + ingressClass: + description: |- + Class of ingress resources to be processed by Istio ingress + controller. This corresponds to the value of + `kubernetes.io/ingress.class` annotation. + type: string + ingressControllerMode: + description: |- + Defines whether to use Istio ingress controller for annotated or all ingress resources. + Default mode is `STRICT`. + enum: + - UNSPECIFIED + - "OFF" + - DEFAULT + - STRICT + type: string + ingressSelector: + description: |- + Defines which gateway deployment to use as the Ingress controller. This field corresponds to + the Gateway.selector field, and will be set as `istio: INGRESS_SELECTOR`. + By default, `ingressgateway` is used, which will select the default IngressGateway as it has the + `istio: ingressgateway` labels. + It is recommended that this is the same value as ingressService. + type: string + ingressService: + description: |- + Name of the Kubernetes service used for the istio ingress controller. + If no ingress controller is specified, the default value `istio-ingressgateway` is used. + type: string + localityLbSetting: + description: |- + Locality based load balancing distribution or failover settings. + If unspecified, locality based load balancing will be enabled by default. + However, this requires outlierDetection to actually take effect for a particular + service, see https://istio.io/latest/docs/tasks/traffic-management/locality-load-balancing/failover/ + properties: + distribute: + description: |- + Optional: only one of distribute, failover or failoverPriority can be set. + Explicitly specify loadbalancing weight across different zones and geographical locations. + Refer to [Locality weighted load balancing](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/locality_weight) + If empty, the locality weight is set according to the endpoints number within it. + items: + description: |- + Describes how traffic originating in the 'from' zone or sub-zone is + distributed over a set of 'to' zones. Syntax for specifying a zone is + {region}/{zone}/{sub-zone} and terminal wildcards are allowed on any + segment of the specification. Examples: + + `*` - matches all localities + + `us-west/*` - all zones and sub-zones within the us-west region + + `us-west/zone-1/*` - all sub-zones within us-west/zone-1 + properties: + from: + description: Originating locality, '/' separated, + e.g. 'region/zone/sub_zone'. + type: string + to: + additionalProperties: + format: int32 + type: integer + description: |- + Map of upstream localities to traffic distribution weights. The sum of + all weights should be 100. Any locality not present will + receive no traffic. + type: object + type: object + type: array + enabled: + description: |- + Enable locality load balancing. This is DestinationRule-level and will override mesh-wide settings in entirety. + e.g. true means that turn on locality load balancing for this DestinationRule no matter what mesh-wide settings is. + type: boolean + failover: + description: |- + Optional: only one of distribute, failover or failoverPriority can be set. + Explicitly specify the region traffic will land on when endpoints in local region becomes unhealthy. + Should be used together with OutlierDetection to detect unhealthy endpoints. + Note: if no OutlierDetection specified, this will not take effect. + items: + description: |- + Specify the traffic failover policy across regions. Since zone and sub-zone + failover is supported by default this only needs to be specified for + regions when the operator needs to constrain traffic failover so that + the default behavior of failing over to any endpoint globally does not + apply. This is useful when failing over traffic across regions would not + improve service health or may need to be restricted for other reasons + like regulatory controls. + properties: + from: + description: Originating region. + type: string + to: + description: |- + Destination region the traffic will fail over to when endpoints in + the 'from' region becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: |- + failoverPriority is an ordered list of labels used to sort endpoints to do priority based load balancing. + This is to support traffic failover across different groups of endpoints. + Two kinds of labels can be specified: + + - Specify only label keys `[key1, key2, key3]`, istio would compare the label values of client with endpoints. + Suppose there are total N label keys `[key1, key2, key3, ...keyN]` specified: + + 1. Endpoints matching all N labels with the client proxy have priority P(0) i.e. the highest priority. + 2. Endpoints matching the first N-1 labels with the client proxy have priority P(1) i.e. second highest priority. + 3. By extension of this logic, endpoints matching only the first label with the client proxy has priority P(N-1) i.e. second lowest priority. + 4. All the other endpoints have priority P(N) i.e. lowest priority. + + - Specify labels with key and value `[key1=value1, key2=value2, key3=value3]`, istio would compare the labels with endpoints. + Suppose there are total N labels `[key1=value1, key2=value2, key3=value3, ...keyN=valueN]` specified: + + 1. Endpoints matching all N labels have priority P(0) i.e. the highest priority. + 2. Endpoints matching the first N-1 labels have priority P(1) i.e. second highest priority. + 3. By extension of this logic, endpoints matching only the first label has priority P(N-1) i.e. second lowest priority. + 4. All the other endpoints have priority P(N) i.e. lowest priority. + + Note: For a label to be considered for match, the previous labels must match, i.e. nth label would be considered matched only if first n-1 labels match. + + It can be any label specified on both client and server workloads. + The following labels which have special semantic meaning are also supported: + + - `topology.istio.io/network` is used to match the network metadata of an endpoint, which can be specified by pod/namespace label `topology.istio.io/network`, sidecar env `ISTIO_META_NETWORK` or MeshNetworks. + - `topology.istio.io/cluster` is used to match the clusterID of an endpoint, which can be specified by pod label `topology.istio.io/cluster` or pod env `ISTIO_META_CLUSTER_ID`. + - `topology.kubernetes.io/region` is used to match the region metadata of an endpoint, which maps to Kubernetes node label `topology.kubernetes.io/region` or the deprecated label `failure-domain.beta.kubernetes.io/region`. + - `topology.kubernetes.io/zone` is used to match the zone metadata of an endpoint, which maps to Kubernetes node label `topology.kubernetes.io/zone` or the deprecated label `failure-domain.beta.kubernetes.io/zone`. + - `topology.istio.io/subzone` is used to match the subzone metadata of an endpoint, which maps to Istio node label `topology.istio.io/subzone`. + - `kubernetes.io/hostname` is used to match the current node of an endpoint, which maps to Kubernetes node label `kubernetes.io/hostname`. + + The below topology config indicates the following priority levels: + + ```yaml + failoverPriority: + - "topology.istio.io/network" + - "topology.kubernetes.io/region" + - "topology.kubernetes.io/zone" + - "topology.istio.io/subzone" + ``` + + 1. endpoints match same [network, region, zone, subzone] label with the client proxy have the highest priority. + 2. endpoints have same [network, region, zone] label but different [subzone] label with the client proxy have the second highest priority. + 3. endpoints have same [network, region] label but different [zone] label with the client proxy have the third highest priority. + 4. endpoints have same [network] but different [region] labels with the client proxy have the fourth highest priority. + 5. all the other endpoints have the same lowest priority. + + Suppose a service associated endpoints reside in multi clusters, the below example represents: + 1. endpoints in `clusterA` and has `version=v1` label have P(0) priority. + 2. endpoints not in `clusterA` but has `version=v1` label have P(1) priority. + 2. all the other endpoints have P(2) priority. + + ```yaml + failoverPriority: + - "version=v1" + - "topology.istio.io/cluster=clusterA" + ``` + + Optional: only one of distribute, failover or failoverPriority can be set. + And it should be used together with `OutlierDetection` to detect unhealthy endpoints, otherwise has no effect. + items: + type: string + type: array + type: object + meshMTLS: + description: "The below configuration parameters can be used + to specify TLSConfig for mesh traffic.\nFor example, a user + could enable min TLS version for ISTIO_MUTUAL traffic and + specify a curve for non ISTIO_MUTUAL traffic like below:\n```yaml\nmeshConfig:\n\n\tmeshMTLS:\n\t + \ minProtocolVersion: TLSV1_3\n\ttlsDefaults:\n\t Note: + applicable only for non ISTIO_MUTUAL scenarios\n\t ecdhCurves:\n\t + \ - P-256\n\t - P-512\n\n```\nConfiguration of mTLS + for traffic between workloads with ISTIO_MUTUAL TLS traffic.\n\nNote: + Mesh mTLS does not respect ECDH curves." + properties: + cipherSuites: + description: |- + Optional: If specified, the TLS connection will only support the specified cipher list when negotiating TLS 1.0-1.2. + If not specified, the following cipher suites will be used: + ``` + ECDHE-ECDSA-AES256-GCM-SHA384 + ECDHE-RSA-AES256-GCM-SHA384 + ECDHE-ECDSA-AES128-GCM-SHA256 + ECDHE-RSA-AES128-GCM-SHA256 + AES256-GCM-SHA384 + AES128-GCM-SHA256 + ``` + items: + type: string + type: array + ecdhCurves: + description: |- + Optional: If specified, the TLS connection will only support the specified ECDH curves for the DH key exchange. + If not specified, the default curves enforced by Envoy will be used. For details about the default curves, refer to + [Ecdh Curves](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto). + items: + type: string + type: array + minProtocolVersion: + description: |- + Optional: the minimum TLS protocol version. The default minimum + TLS version will be TLS 1.2. As servers may not be Envoy and be + set to TLS 1.2 (e.g., workloads using mTLS without sidecars), the + minimum TLS version for clients may also be TLS 1.2. + In the current Istio implementation, the maximum TLS protocol version + is TLS 1.3. + enum: + - TLS_AUTO + - TLSV1_2 + - TLSV1_3 + type: string + type: object + outboundClusterStatName: + description: |- + Name to be used while emitting statistics for outbound clusters. The same pattern is used while computing stat prefix for + network filters like TCP and Redis. + By default, Istio emits statistics with the pattern `outbound|||`. + For example `outbound|8080|v2|reviews.prod.svc.cluster.local`. This can be used to override that pattern. + + A Pattern can be composed of various pre-defined variables. The following variables are supported. + + - `%SERVICE%` - Will be substituted with short hostname of the service. + - `%SERVICE_NAME%` - Will be substituted with name of the service. + - `%SERVICE_FQDN%` - Will be substituted with FQDN of the service. + - `%SERVICE_PORT%` - Will be substituted with port of the service. + - `%SERVICE_PORT_NAME%` - Will be substituted with port name of the service. + - `%SUBSET_NAME%` - Will be substituted with subset. + + Following are some examples of supported patterns for reviews: + + - `%SERVICE_FQDN%_%SERVICE_PORT%` will use `reviews.prod.svc.cluster.local_7443` as the stats name. + - `%SERVICE%` will use reviews.prod as the stats name. + type: string + outboundTrafficPolicy: + description: |- + Set the default behavior of the sidecar for handling outbound + traffic from the application. + + Can be overridden at a Sidecar level by setting the `OutboundTrafficPolicy` in the + [Sidecar API](https://istio.io/docs/reference/config/networking/sidecar/#OutboundTrafficPolicy). + + Default mode is `ALLOW_ANY`, which means outbound traffic to unknown destinations will be allowed. + properties: + mode: + enum: + - REGISTRY_ONLY + - ALLOW_ANY + type: string + type: object + pathNormalization: + description: |- + ProxyPathNormalization configures how URL paths in incoming and outgoing HTTP requests are + normalized by the sidecars and gateways. + The normalized paths will be used in all aspects through the requests' lifetime on the + sidecars and gateways, which includes routing decisions in outbound direction (client proxy), + authorization policy match and enforcement in inbound direction (server proxy), and the URL + path proxied to the upstream service. + If not set, the NormalizationType.DEFAULT configuration will be used. + properties: + normalization: + enum: + - DEFAULT + - NONE + - BASE + - MERGE_SLASHES + - DECODE_AND_MERGE_SLASHES + type: string + type: object + protocolDetectionTimeout: + description: |- + Automatic protocol detection uses a set of heuristics to + determine whether the connection is using TLS or not (on the + server side), as well as the application protocol being used + (e.g., http vs tcp). These heuristics rely on the client sending + the first bits of data. For server first protocols like MySQL, + MongoDB, etc. Envoy will timeout on the protocol detection after + the specified period, defaulting to non mTLS plain TCP + traffic. Set this field to tweak the period that Envoy will wait + for the client to send the first bits of data. (MUST be >=1ms or + 0s to disable). Default detection timeout is 0s (no timeout). + + Setting a timeout is not recommended nor safe. Even high timeouts (>5s) will be hit + occasionally, and when they occur the result is typically broken traffic that may not + recover on its own. Exceptionally high values might solve this, but injecting 60s delays + onto new connections is generally not tenable anyways. + type: string + proxyHttpPort: + description: Port on which Envoy should listen for HTTP PROXY + requests if set. + format: int32 + type: integer + proxyInboundListenPort: + description: |- + Port on which Envoy should listen for all inbound traffic to the pod/vm will be captured to. + Default port is 15006. + format: int32 + type: integer + proxyListenPort: + description: |- + Port on which Envoy should listen for all outbound traffic to other services. + Default port is 15001. + format: int32 + type: integer + rootNamespace: + description: |- + The namespace to treat as the administrative root namespace for + Istio configuration. When processing a leaf namespace Istio will search for + declarations in that namespace first and if none are found it will + search in the root namespace. Any matching declaration found in the root + namespace is processed as if it were declared in the leaf namespace. + + The precise semantics of this processing are documented on each resource + type. + type: string + serviceScopeConfigs: + description: Scope to be applied to select services. + items: + description: |- + Configuration for ambient mode multicluster service scope. This setting allows mesh administrators + to define the criteria by which the cluster's control plane determines which services in other + clusters in the mesh are treated as global (accessible across multiple clusters) versus local + (restricted to a single cluster). The configuration can be applied to services based on namespace + and/or other matching criteria. This is particularly useful in multicluster service mesh deployments + to control service visibility and access across clusters. This API is not intended to enforce + security policies. Resources like DestinationRules should be used to enforce authorization policies. + If a service matches a global service scope selector, the service's endpoints will be globally + exposed. If a service is locally scoped, its endpoints will only be exposed to local cluster + services. + + For example, the following configures the scope of all services with the "istio.io/global" label + in matching namespaces to be available globally: + + ```yaml + serviceScopeConfigs: + - namespacesSelector: + matchExpressions: + - key: istio.io/global + operator: In + values: [true] + servicesSelector: + matchExpressions: + - key: istio.io/global + operator: Exists + scope: GLOBAL + + ``` + properties: + namespaceSelector: + description: Match expression for namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + scope: + description: Specifics the available scope for matching + services. + enum: + - LOCAL + - GLOBAL + type: string + servicesSelector: + description: Match expression for serivces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: array + serviceSettings: + description: Settings to be applied to select services. + items: + description: |- + Settings to be applied to select services. + + For example, the following configures all services in namespace "foo" as well as the + "bar" service in namespace "baz" to be considered cluster-local: + + ```yaml + serviceSettings: + - settings: + clusterLocal: true + hosts: + - "*.foo.svc.cluster.local" + - "bar.baz.svc.cluster.local" + + ``` + + When in ambient mode, if ServiceSettings are defined they will be considered in addition to the + ServiceScopeConfigs. If a service is defined by ServiceSetting to be cluster local and matches a + global service scope selector, the service will be considered cluster local. If a service is + considered global by ServiceSettings and does not match a global service scope selector + the serive will be considered local. Local scope takes precedence over global scope. Since + ServiceScopeConfigs is local by default, all services are considered local unless it is considered + global by ServiceSettings AND ServiceScopeConfigs. + properties: + hosts: + description: |- + The services to which the Settings should be applied. Services are selected using the hostname + matching rules used by DestinationRule. + + For example: foo.bar.svc.cluster.local, *.baz.svc.cluster.local + items: + type: string + type: array + settings: + description: The settings to apply to the selected services. + properties: + clusterLocal: + description: |- + If true, specifies that the client and service endpoints must reside in the same cluster. + By default, in multi-cluster deployments, the Istio control plane assumes all service + endpoints to be reachable from any client in any of the clusters which are part of the + mesh. This configuration option limits the set of service endpoints visible to a client + to be cluster scoped. + + There are some common scenarios when this can be useful: + + - A service (or group of services) is inherently local to the cluster and has local storage + for that cluster. For example, the kube-system namespace (e.g. the Kube API Server). + - A mesh administrator wants to slowly migrate services to Istio. They might start by first + having services cluster-local and then slowly transition them to mesh-wide. They could do + this service-by-service (e.g. mysvc.myns.svc.cluster.local) or as a group + (e.g. *.myns.svc.cluster.local). + + By default Istio will consider kubernetes.default.svc (i.e. the API Server) as well as all + services in the kube-system namespace to be cluster-local, unless explicitly overridden here. + type: boolean + type: object + type: object + type: array + tcpKeepalive: + description: If set then set `SO_KEEPALIVE` on the socket + to enable TCP Keepalives. + properties: + interval: + description: |- + The time duration between keep-alive probes. + Default is to use the OS level configuration + (unless overridden, Linux defaults to 75s.) + type: string + probes: + description: |- + Maximum number of keepalive probes to send without response before + deciding the connection is dead. Default is to use the OS level configuration + (unless overridden, Linux defaults to 9.) + format: int32 + type: integer + time: + description: |- + The time duration a connection needs to be idle before keep-alive + probes start being sent. Default is to use the OS level configuration + (unless overridden, Linux defaults to 7200s (ie 2 hours.) + type: string + type: object + tlsDefaults: + description: |- + Configuration of TLS for all traffic except for ISTIO_MUTUAL mode. + Currently, this supports configuration of ecdhCurves and cipherSuites only. + For ISTIO_MUTUAL TLS settings, use meshMTLS configuration. + properties: + cipherSuites: + description: |- + Optional: If specified, the TLS connection will only support the specified cipher list when negotiating TLS 1.0-1.2. + If not specified, the following cipher suites will be used: + ``` + ECDHE-ECDSA-AES256-GCM-SHA384 + ECDHE-RSA-AES256-GCM-SHA384 + ECDHE-ECDSA-AES128-GCM-SHA256 + ECDHE-RSA-AES128-GCM-SHA256 + AES256-GCM-SHA384 + AES128-GCM-SHA256 + ``` + items: + type: string + type: array + ecdhCurves: + description: |- + Optional: If specified, the TLS connection will only support the specified ECDH curves for the DH key exchange. + If not specified, the default curves enforced by Envoy will be used. For details about the default curves, refer to + [Ecdh Curves](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto). + items: + type: string + type: array + minProtocolVersion: + description: |- + Optional: the minimum TLS protocol version. The default minimum + TLS version will be TLS 1.2. As servers may not be Envoy and be + set to TLS 1.2 (e.g., workloads using mTLS without sidecars), the + minimum TLS version for clients may also be TLS 1.2. + In the current Istio implementation, the maximum TLS protocol version + is TLS 1.3. + enum: + - TLS_AUTO + - TLSV1_2 + - TLSV1_3 + type: string + type: object + trustDomain: + description: |- + The trust domain corresponds to the trust root of a system. + Refer to [SPIFFE-ID](https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain) + type: string + trustDomainAliases: + description: |- + The trust domain aliases represent the aliases of `trustDomain`. + For example, if we have + ```yaml + trustDomain: td1 + trustDomainAliases: ["td2", "td3"] + ``` + Any service with the identity `td1/ns/foo/sa/a-service-account`, `td2/ns/foo/sa/a-service-account`, + or `td3/ns/foo/sa/a-service-account` will be treated the same in the Istio mesh. + items: + type: string + type: array + verifyCertificateAtClient: + description: |- + `VerifyCertificateAtClient` sets the mesh global default for peer certificate validation + at the client-side proxy when `SIMPLE` TLS or `MUTUAL` TLS (non `ISTIO_MUTUAL`) origination + modes are used. This setting can be overridden at the host level via DestinationRule API. + By default, `VerifyCertificateAtClient` is `true`. + + `CaCertificates`: If set, proxy verifies CA signature based on given CaCertificates. If unset, + and VerifyCertificateAtClient is true, proxy uses default System CA bundle. If unset and + `VerifyCertificateAtClient` is false, proxy will not verify the CA. + + `SubjectAltNames`: If set, proxy verifies subject alt names are present in the SAN. If unset, + and `VerifyCertificateAtClient` is true, proxy uses host in destination rule to verify the SANs. + If unset, and `VerifyCertificateAtClient` is false, proxy does not verify SANs. + + For SAN, client-side proxy will exact match host in `DestinationRule` as well as one level + wildcard if the specified host in DestinationRule doesn't contain a wildcard. + For example, if the host in `DestinationRule` is `x.y.com`, client-side proxy will + match either `x.y.com` or `*.y.com` for the SAN in the presented server certificate. + For wildcard host name in DestinationRule, client-side proxy will do a suffix match. For example, + if host is `*.x.y.com`, client-side proxy will verify the presented server certificate SAN matches + `.x.y.com` suffix. + + Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto. + type: boolean + type: object + pilot: + description: Configuration for the Pilot component. + properties: + affinity: + description: K8s affinity to set on the Pilot Pods. + properties: + nodeAffinity: + description: Describes node affinity scheduling rules + for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node matches the corresponding matchExpressions; the + node(s) with the highest sum are the most preferred. + items: + description: |- + An empty preferred scheduling term matches all objects with implicit weight 0 + (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). + properties: + preference: + description: A node selector term, associated + with the corresponding weight. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the + selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the + selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching + the corresponding nodeSelectorTerm, in the + range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector + terms. The terms are ORed. + items: + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the + selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the + selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: Describes pod affinity scheduling rules (e.g. + co-locate this pod in the same node, zone, etc. as some + other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. + items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling rules + (e.g. avoid putting this pod in the same node, zone, + etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the anti-affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, etc.), + compute a sum by iterating through the elements of this field and subtracting + "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the anti-affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the anti-affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. + items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: object + autoscaleBehavior: + description: See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#configurable-scaling-behavior + properties: + scaleDown: + description: |- + scaleDown is scaling policy for scaling Down. + If not set, the default value is to allow to scale down to minReplicas pods, with a + 300 second stabilization window (i.e., the highest recommendation for + the last 300sec is used). + properties: + policies: + description: |- + policies is a list of potential scaling polices which can be used during scaling. + If not set, use the default values: + - For scale up: allow doubling the number of pods, or an absolute change of 4 pods in a 15s window. + - For scale down: allow all pods to be removed in a 15s window. + items: + description: HPAScalingPolicy is a single policy + which must hold true for a specified past interval. + properties: + periodSeconds: + description: |- + periodSeconds specifies the window of time for which the policy should hold true. + PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min). + format: int32 + type: integer + type: + description: type is used to specify the scaling + policy. + type: string + value: + description: |- + value contains the amount of change which is permitted by the policy. + It must be greater than zero + format: int32 + type: integer + required: + - periodSeconds + - type + - value + type: object + type: array + x-kubernetes-list-type: atomic + selectPolicy: + description: |- + selectPolicy is used to specify which policy should be used. + If not set, the default value Max is used. + type: string + stabilizationWindowSeconds: + description: |- + stabilizationWindowSeconds is the number of seconds for which past recommendations should be + considered while scaling up or scaling down. + StabilizationWindowSeconds must be greater than or equal to zero and less than or equal to 3600 (one hour). + If not set, use the default values: + - For scale up: 0 (i.e. no stabilization is done). + - For scale down: 300 (i.e. the stabilization window is 300 seconds long). + format: int32 + type: integer + tolerance: + anyOf: + - type: integer + - type: string + description: |- + tolerance is the tolerance on the ratio between the current and desired + metric value under which no updates are made to the desired number of + replicas (e.g. 0.01 for 1%). Must be greater than or equal to zero. If not + set, the default cluster-wide tolerance is applied (by default 10%). + + For example, if autoscaling is configured with a memory consumption target of 100Mi, + and scale-down and scale-up tolerances of 5% and 1% respectively, scaling will be + triggered when the actual consumption falls below 95Mi or exceeds 101Mi. + + This is an alpha field and requires enabling the HPAConfigurableTolerance + feature gate. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + scaleUp: + description: |- + scaleUp is scaling policy for scaling Up. + If not set, the default value is the higher of: + * increase no more than 4 pods per 60 seconds + * double the number of pods per 60 seconds + No stabilization is used. + properties: + policies: + description: |- + policies is a list of potential scaling polices which can be used during scaling. + If not set, use the default values: + - For scale up: allow doubling the number of pods, or an absolute change of 4 pods in a 15s window. + - For scale down: allow all pods to be removed in a 15s window. + items: + description: HPAScalingPolicy is a single policy + which must hold true for a specified past interval. + properties: + periodSeconds: + description: |- + periodSeconds specifies the window of time for which the policy should hold true. + PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min). + format: int32 + type: integer + type: + description: type is used to specify the scaling + policy. + type: string + value: + description: |- + value contains the amount of change which is permitted by the policy. + It must be greater than zero + format: int32 + type: integer + required: + - periodSeconds + - type + - value + type: object + type: array + x-kubernetes-list-type: atomic + selectPolicy: + description: |- + selectPolicy is used to specify which policy should be used. + If not set, the default value Max is used. + type: string + stabilizationWindowSeconds: + description: |- + stabilizationWindowSeconds is the number of seconds for which past recommendations should be + considered while scaling up or scaling down. + StabilizationWindowSeconds must be greater than or equal to zero and less than or equal to 3600 (one hour). + If not set, use the default values: + - For scale up: 0 (i.e. no stabilization is done). + - For scale down: 300 (i.e. the stabilization window is 300 seconds long). + format: int32 + type: integer + tolerance: + anyOf: + - type: integer + - type: string + description: |- + tolerance is the tolerance on the ratio between the current and desired + metric value under which no updates are made to the desired number of + replicas (e.g. 0.01 for 1%). Must be greater than or equal to zero. If not + set, the default cluster-wide tolerance is applied (by default 10%). + + For example, if autoscaling is configured with a memory consumption target of 100Mi, + and scale-down and scale-up tolerances of 5% and 1% respectively, scaling will be + triggered when the actual consumption falls below 95Mi or exceeds 101Mi. + + This is an alpha field and requires enabling the HPAConfigurableTolerance + feature gate. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + autoscaleEnabled: + description: Controls whether a HorizontalPodAutoscaler is + installed for Pilot. + type: boolean + autoscaleMax: + description: Maximum number of replicas in the HorizontalPodAutoscaler + for Pilot. + format: int32 + type: integer + autoscaleMin: + description: Minimum number of replicas in the HorizontalPodAutoscaler + for Pilot. + format: int32 + type: integer + cni: + description: Configures whether to use an existing CNI installation + for workloads + properties: + enabled: + description: Controls whether CNI should be used. + type: boolean + provider: + description: |- + Specifies the CNI provider. Can be either "default" or "multus". When set to "multus", an annotation + `k8s.v1.cni.cncf.io/networks` is set on injected pods to point to a NetworkAttachmentDefinition + type: string + type: object + configMap: + description: |- + Configuration settings passed to Pilot as a ConfigMap. + + This controls whether the mesh config map, generated from values.yaml is generated. + If false, pilot wil use default values or user-supplied values, in that order of preference. + type: boolean + cpu: + description: |- + Target CPU utilization used in HorizontalPodAutoscaler. + + See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ + + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. + properties: + targetAverageUtilization: + description: |- + K8s utilization setting for HorizontalPodAutoscaler target. + + See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ + format: int32 + type: integer + type: object + deploymentLabels: + additionalProperties: + type: string + description: |- + Labels that are added to Pilot deployment. + + See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + type: object + enabled: + description: Controls whether Pilot is enabled. + type: boolean + env: + additionalProperties: + type: string + description: "Environment variables passed to the Pilot container.\n\nExamples:\nenv:\n\n\tENV_VAR_1: + value1\n\tENV_VAR_2: value2" + type: object + envVarFrom: + description: Configuration for the istio-discovery chart + items: + description: EnvVar represents an environment variable present + in a Container. + properties: + name: + description: |- + Name of the environment variable. + May consist of any printable ASCII characters except '='. + type: string + value: + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". + type: string + valueFrom: + description: Source for the environment variable's value. + Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. + properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in + the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + fileKeyRef: + description: |- + FileKeyRef selects a key of the env file. + Requires the EnvFiles feature gate to be enabled. + properties: + key: + description: |- + The key within the env file. An invalid key will prevent the pod from starting. + The keys defined within a source may consist of any printable ASCII characters except '='. + During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters. + type: string + optional: + default: false + description: |- + Specify whether the file or its key must be defined. If the file or key + does not exist, then the env var is not published. + If optional is set to true and the specified key does not exist, + the environment variable will not be set in the Pod's containers. + + If optional is set to false and the specified key does not exist, + an error will be returned during Pod creation. + type: boolean + path: + description: |- + The path within the volume from which to select the file. + Must be relative and may not contain the '..' path or start with '..'. + type: string + volumeName: + description: The name of the volume mount containing + the env file. + type: string + required: + - key + - path + - volumeName + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. + properties: + containerName: + description: 'Container name: required for volumes, + optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of + the exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in the pod's + namespace + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + extraContainerArgs: + description: Additional container arguments for the Pilot + container. + items: + type: string + type: array + hub: + description: Hub to pull the container image from. Image will + be `Hub/Image:Tag-Variant`. + type: string + image: + description: |- + Image name used for Pilot. + + This can be set either to image name if hub is also set, or can be set to the full hub:name string. + + Examples: custom-pilot, docker.io/someuser:custom-pilot + type: string + ipFamilies: + description: |- + Defines which IP family to use for single stack or the order of IP families for dual-stack. + Valid list items are "IPv4", "IPv6". + More info: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + items: + type: string + type: array + ipFamilyPolicy: + description: |- + Controls whether Services are configured to use IPv4, IPv6, or both. Valid options + are PreferDualStack, RequireDualStack, and SingleStack. + More info: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + type: string + istiodRemote: + description: Configuration for the istio-discovery chart when + istiod is running in a remote cluster (e.g. "remote control + plane"). + properties: + enabled: + description: Indicates if this cluster/install should + consume a "remote" istiod instance, + type: boolean + enabledLocalInjectorIstiod: + description: |- + If `true`, indicates that this cluster/install should consume a "local istiod" installation, + local istiod inject sidecars + type: boolean + injectionCABundle: + description: injector ca bundle + type: string + injectionPath: + description: Path to use for the sidecar injector webhook + service. + type: string + injectionURL: + description: URL to use for sidecar injector webhook. + type: string + type: object + jwksResolverExtraRootCA: + description: |- + Specifies an extra root certificate in PEM format. This certificate will be trusted + by pilot when resolving JWKS URIs. + type: string + keepaliveMaxServerConnectionAge: + description: |- + Maximum duration that a sidecar can be connected to a pilot. + + This setting balances out load across pilot instances, but adds some resource overhead. + + Examples: 300s, 30m, 1h + type: string + memory: + description: |- + Target memory utilization used in HorizontalPodAutoscaler. + + See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ + + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. + properties: + targetAverageUtilization: + description: |- + K8s utilization setting for HorizontalPodAutoscaler target. + + See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ + format: int32 + type: integer + type: object + nodeSelector: + additionalProperties: + type: string + description: |- + K8s node selector. + + See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. + type: object + podAnnotations: + additionalProperties: + type: string + description: |- + K8s annotations for pods. + + See: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. + type: object + podLabels: + additionalProperties: + type: string + description: |- + Labels that are added to Pilot pods. + + See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + type: object + replicaCount: + description: |- + Number of replicas in the Pilot Deployment. + + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. + format: int32 + type: integer + resources: + description: |- + K8s resources settings. + + See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container + + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + This field depends on the + DynamicResourceAllocation feature gate. + + This field is immutable. It can only be set for containers. + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + rollingMaxSurge: + anyOf: + - type: integer + - type: string + description: |- + K8s rolling update strategy + + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. + x-kubernetes-int-or-string: true + rollingMaxUnavailable: + anyOf: + - type: integer + - type: string + description: |- + The number of pods that can be unavailable during a rolling update (see + `strategy.rollingUpdate.maxUnavailable` here: + https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/deployment-v1/#DeploymentSpec). + May be specified as a number of pods or as a percent of the total number + of pods at the start of the update. + + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. + x-kubernetes-int-or-string: true + seccompProfile: + description: |- + The seccompProfile for the Pilot container. + + See: https://kubernetes.io/docs/tutorials/security/seccomp/ + properties: + localhostProfile: + description: |- + localhostProfile indicates a profile defined in a file on the node should be used. + The profile must be preconfigured on the node to work. + Must be a descending path, relative to the kubelet's configured seccomp profile location. + Must be set if type is "Localhost". Must NOT be set for any other type. + type: string + type: + description: |- + type indicates which kind of seccomp profile will be applied. + Valid options are: + + Localhost - a profile defined in a file on the node should be used. + RuntimeDefault - the container runtime default profile should be used. + Unconfined - no profile should be applied. + type: string + required: + - type + type: object + serviceAccountAnnotations: + additionalProperties: + type: string + description: K8s annotations for the service account + type: object + serviceAnnotations: + additionalProperties: + type: string + description: |- + K8s annotations for the Service. + + See: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + type: object + tag: + description: The container image tag to pull. Image will be + `Hub/Image:Tag-Variant`. + type: string + taint: + properties: + enabled: + description: |- + Enable the untaint controller for new nodes. This aims to solve a race for CNI installation on + new nodes. For this to work, the newly added nodes need to have the istio CNI taint as they are + added to the cluster. This is usually done by configuring the cluster infra provider. + type: boolean + namespace: + description: The namespace of the CNI daemonset, incase + it's not the same as istiod. + type: string + type: object + tolerations: + description: |- + The node tolerations to be applied to the Pilot deployment so that it can be + scheduled to particular nodes with matching taints. + More info: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling + + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + topologySpreadConstraints: + description: The k8s topologySpreadConstraints for the Pilot + pods. + items: + description: TopologySpreadConstraint specifies how to spread + matching pods among the given topology. + properties: + labelSelector: + description: |- + LabelSelector is used to find matching pods. + Pods that match this label selector are counted to determine the number of pods + in their corresponding topology domain. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select the pods over which + spreading will be calculated. The keys are used to lookup values from the + incoming pod labels, those key-value labels are ANDed with labelSelector + to select the group of existing pods over which spreading will be calculated + for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + MatchLabelKeys cannot be set when LabelSelector isn't set. + Keys that don't exist in the incoming pod labels will + be ignored. A null or empty list means only match against labelSelector. + + This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + description: |- + MaxSkew describes the degree to which pods may be unevenly distributed. + When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference + between the number of matching pods in the target topology and the global minimum. + The global minimum is the minimum number of matching pods in an eligible domain + or zero if the number of eligible domains is less than MinDomains. + For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 2/2/1: + In this case, the global minimum is 1. + | zone1 | zone2 | zone3 | + | P P | P P | P | + - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2; + scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2) + violate MaxSkew(1). + - if MaxSkew is 2, incoming pod can be scheduled onto any zone. + When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence + to topologies that satisfy it. + It's a required field. Default value is 1 and 0 is not allowed. + format: int32 + type: integer + minDomains: + description: |- + MinDomains indicates a minimum number of eligible domains. + When the number of eligible domains with matching topology keys is less than minDomains, + Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed. + And when the number of eligible domains with matching topology keys equals or greater than minDomains, + this value has no effect on scheduling. + As a result, when the number of eligible domains is less than minDomains, + scheduler won't schedule more than maxSkew Pods to those domains. + If value is nil, the constraint behaves as if MinDomains is equal to 1. + Valid values are integers greater than 0. + When value is not nil, WhenUnsatisfiable must be DoNotSchedule. + + For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same + labelSelector spread as 2/2/2: + | zone1 | zone2 | zone3 | + | P P | P P | P P | + The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0. + In this situation, new pod with the same labelSelector cannot be scheduled, + because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, + it will violate MaxSkew. + format: int32 + type: integer + nodeAffinityPolicy: + description: |- + NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector + when calculating pod topology spread skew. Options are: + - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. + - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations. + + If this value is nil, the behavior is equivalent to the Honor policy. + type: string + nodeTaintsPolicy: + description: |- + NodeTaintsPolicy indicates how we will treat node taints when calculating + pod topology spread skew. Options are: + - Honor: nodes without taints, along with tainted nodes for which the incoming pod + has a toleration, are included. + - Ignore: node taints are ignored. All nodes are included. + + If this value is nil, the behavior is equivalent to the Ignore policy. + type: string + topologyKey: + description: |- + TopologyKey is the key of node labels. Nodes that have a label with this key + and identical values are considered to be in the same topology. + We consider each as a "bucket", and try to put balanced number + of pods into each bucket. + We define a domain as a particular instance of a topology. + Also, we define an eligible domain as a domain whose nodes meet the requirements of + nodeAffinityPolicy and nodeTaintsPolicy. + e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology. + And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology. + It's a required field. + type: string + whenUnsatisfiable: + description: |- + WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy + the spread constraint. + - DoNotSchedule (default) tells the scheduler not to schedule it. + - ScheduleAnyway tells the scheduler to schedule the pod in any location, + but giving higher precedence to topologies that would help reduce the + skew. + A constraint is considered "Unsatisfiable" for an incoming pod + if and only if every possible node assignment for that pod would violate + "MaxSkew" on some topology. + For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 3/1/1: + | zone1 | zone2 | zone3 | + | P P P | P | P | + If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled + to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies + MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler + won't make it *more* imbalanced. + It's a required field. + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array + traceSampling: + description: |- + Trace sampling fraction. + + Used to set the fraction of time that traces are sampled. Higher values are more accurate but add CPU overhead. + + Allowed values: 0.0 to 1.0 + type: number + trustedZtunnelNamespace: + description: |- + If set, `istiod` will allow connections from trusted node proxy ztunnels + in the provided namespace. + type: string + variant: + description: The container image variant to pull. Options + are "debug" or "distroless". Unset will use the default + for the given version. + type: string + volumeMounts: + description: Additional volumeMounts to add to the Pilot container. + items: + description: VolumeMount describes a mounting of a Volume + within a container. + properties: + mountPath: + description: |- + Path within the container at which the volume should be mounted. Must + not contain ':'. + type: string + mountPropagation: + description: |- + mountPropagation determines how mounts are propagated from the host + to container and the other way around. + When not set, MountPropagationNone is used. + This field is beta in 1.10. + When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified + (which defaults to None). + type: string + name: + description: This must match the Name of a Volume. + type: string + readOnly: + description: |- + Mounted read-only if true, read-write otherwise (false or unspecified). + Defaults to false. + type: boolean + recursiveReadOnly: + description: |- + RecursiveReadOnly specifies whether read-only mounts should be handled + recursively. + + If ReadOnly is false, this field has no meaning and must be unspecified. + + If ReadOnly is true, and this field is set to Disabled, the mount is not made + recursively read-only. If this field is set to IfPossible, the mount is made + recursively read-only, if it is supported by the container runtime. If this + field is set to Enabled, the mount is made recursively read-only if it is + supported by the container runtime, otherwise the pod will not be started and + an error will be generated to indicate the reason. + + If this field is set to IfPossible or Enabled, MountPropagation must be set to + None (or be unspecified, which defaults to None). + + If this field is not specified, it is treated as an equivalent of Disabled. + type: string + subPath: + description: |- + Path within the volume from which the container's volume should be mounted. + Defaults to "" (volume's root). + type: string + subPathExpr: + description: |- + Expanded path within the volume from which the container's volume should be mounted. + Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. + Defaults to "" (volume's root). + SubPathExpr and SubPath are mutually exclusive. + type: string + required: + - mountPath + - name + type: object + type: array + volumes: + description: Additional volumes to add to the Pilot Pod. + items: + description: Volume represents a named volume in a pod that + may be accessed by any container in the pod. + properties: + awsElasticBlockStore: + description: |- + awsElasticBlockStore represents an AWS Disk resource that is attached to a + kubelet's host machine and then exposed to the pod. + Deprecated: AWSElasticBlockStore is deprecated. All operations for the in-tree + awsElasticBlockStore type are redirected to the ebs.csi.aws.com CSI driver. + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + properties: + fsType: + description: |- + fsType is the filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + type: string + partition: + description: |- + partition is the partition in the volume that you want to mount. + If omitted, the default is to mount by volume name. + Examples: For volume /dev/sda1, you specify the partition as "1". + Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). + format: int32 + type: integer + readOnly: + description: |- + readOnly value true will force the readOnly setting in VolumeMounts. + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + type: boolean + volumeID: + description: |- + volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume). + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + type: string + required: + - volumeID + type: object + azureDisk: + description: |- + azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod. + Deprecated: AzureDisk is deprecated. All operations for the in-tree azureDisk type + are redirected to the disk.csi.azure.com CSI driver. + properties: + cachingMode: + description: 'cachingMode is the Host Caching mode: + None, Read Only, Read Write.' + type: string + diskName: + description: diskName is the Name of the data disk + in the blob storage + type: string + diskURI: + description: diskURI is the URI of data disk in + the blob storage + type: string + fsType: + default: ext4 + description: |- + fsType is Filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + kind: + description: 'kind expected values are Shared: multiple + blob disks per storage account Dedicated: single + blob disk per storage account Managed: azure + managed data disk (only in managed availability + set). defaults to shared' + type: string + readOnly: + default: false + description: |- + readOnly Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + required: + - diskName + - diskURI + type: object + azureFile: + description: |- + azureFile represents an Azure File Service mount on the host and bind mount to the pod. + Deprecated: AzureFile is deprecated. All operations for the in-tree azureFile type + are redirected to the file.csi.azure.com CSI driver. + properties: + readOnly: + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + secretName: + description: secretName is the name of secret that + contains Azure Storage Account Name and Key + type: string + shareName: + description: shareName is the azure share Name + type: string + required: + - secretName + - shareName + type: object + cephfs: + description: |- + cephFS represents a Ceph FS mount on the host that shares a pod's lifetime. + Deprecated: CephFS is deprecated and the in-tree cephfs type is no longer supported. + properties: + monitors: + description: |- + monitors is Required: Monitors is a collection of Ceph monitors + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + items: + type: string + type: array + x-kubernetes-list-type: atomic + path: + description: 'path is Optional: Used as the mounted + root, rather than the full Ceph tree, default + is /' + type: string + readOnly: + description: |- + readOnly is Optional: Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + type: boolean + secretFile: + description: |- + secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + type: string + secretRef: + description: |- + secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty. + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + user: + description: |- + user is optional: User is the rados user name, default is admin + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + type: string + required: + - monitors + type: object + cinder: + description: |- + cinder represents a cinder volume attached and mounted on kubelets host machine. + Deprecated: Cinder is deprecated. All operations for the in-tree cinder type + are redirected to the cinder.csi.openstack.org CSI driver. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md + type: string + readOnly: + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md + type: boolean + secretRef: + description: |- + secretRef is optional: points to a secret object containing parameters used to connect + to OpenStack. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + volumeID: + description: |- + volumeID used to identify the volume in cinder. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md + type: string + required: + - volumeID + type: object + configMap: + description: configMap represents a configMap that should + populate this volume + properties: + defaultMode: + description: |- + defaultMode is optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + items: + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + ConfigMap will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the ConfigMap, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + items: + description: Maps a string key to a path within + a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: optional specify whether the ConfigMap + or its keys must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + csi: + description: csi (Container Storage Interface) represents + ephemeral storage that is handled by certain external + CSI drivers. + properties: + driver: + description: |- + driver is the name of the CSI driver that handles this volume. + Consult with your admin for the correct name as registered in the cluster. + type: string + fsType: + description: |- + fsType to mount. Ex. "ext4", "xfs", "ntfs". + If not provided, the empty value is passed to the associated CSI driver + which will determine the default filesystem to apply. + type: string + nodePublishSecretRef: + description: |- + nodePublishSecretRef is a reference to the secret object containing + sensitive information to pass to the CSI driver to complete the CSI + NodePublishVolume and NodeUnpublishVolume calls. + This field is optional, and may be empty if no secret is required. If the + secret object contains more than one secret, all secret references are passed. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + readOnly: + description: |- + readOnly specifies a read-only configuration for the volume. + Defaults to false (read/write). + type: boolean + volumeAttributes: + additionalProperties: + type: string + description: |- + volumeAttributes stores driver-specific properties that are passed to the CSI + driver. Consult your driver's documentation for supported values. + type: object + required: + - driver + type: object + downwardAPI: + description: downwardAPI represents downward API about + the pod that should populate this volume + properties: + defaultMode: + description: |- + Optional: mode bits to use on created files by default. Must be a + Optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + items: + description: Items is a list of downward API volume + file + items: + description: DownwardAPIVolumeFile represents + information to create the file containing the + pod field + properties: + fieldRef: + description: 'Required: Selects a field of + the pod: only annotations, labels, name, + namespace and uid are supported.' + properties: + apiVersion: + description: Version of the schema the + FieldPath is written in terms of, defaults + to "v1". + type: string + fieldPath: + description: Path of the field to select + in the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + description: |- + Optional: mode bits used to set permissions on this file, must be an octal value + between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: 'Required: Path is the relative + path name of the file to be created. Must + not be absolute or contain the ''..'' path. + Must be utf-8 encoded. The first item of + the relative path must not start with ''..''' + type: string + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. + properties: + containerName: + description: 'Container name: required + for volumes, optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format + of the exposed resources, defaults to + "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + x-kubernetes-list-type: atomic + type: object + emptyDir: + description: |- + emptyDir represents a temporary directory that shares a pod's lifetime. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + properties: + medium: + description: |- + medium represents what type of storage medium should back this directory. + The default is "" which means to use the node's default medium. + Must be an empty string (default) or Memory. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + type: string + sizeLimit: + anyOf: + - type: integer + - type: string + description: |- + sizeLimit is the total amount of local storage required for this EmptyDir volume. + The size limit is also applicable for memory medium. + The maximum usage on memory medium EmptyDir would be the minimum value between + the SizeLimit specified here and the sum of memory limits of all containers in a pod. + The default is nil which means that the limit is undefined. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + ephemeral: + description: |- + ephemeral represents a volume that is handled by a cluster storage driver. + The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts, + and deleted when the pod is removed. + + Use this if: + a) the volume is only needed while the pod runs, + b) features of normal volumes like restoring from snapshot or capacity + tracking are needed, + c) the storage driver is specified through a storage class, and + d) the storage driver supports dynamic volume provisioning through + a PersistentVolumeClaim (see EphemeralVolumeSource for more + information on the connection between this volume type + and PersistentVolumeClaim). + + Use PersistentVolumeClaim or one of the vendor-specific + APIs for volumes that persist for longer than the lifecycle + of an individual pod. + + Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to + be used that way - see the documentation of the driver for + more information. + + A pod can use both types of ephemeral volumes and + persistent volumes at the same time. + properties: + volumeClaimTemplate: + description: |- + Will be used to create a stand-alone PVC to provision the volume. + The pod in which this EphemeralVolumeSource is embedded will be the + owner of the PVC, i.e. the PVC will be deleted together with the + pod. The name of the PVC will be `-` where + `` is the name from the `PodSpec.Volumes` array + entry. Pod validation will reject the pod if the concatenated name + is not valid for a PVC (for example, too long). + + An existing PVC with that name that is not owned by the pod + will *not* be used for the pod to avoid using an unrelated + volume by mistake. Starting the pod is then blocked until + the unrelated PVC is removed. If such a pre-created PVC is + meant to be used by the pod, the PVC has to updated with an + owner reference to the pod once the pod exists. Normally + this should not be necessary, but it may be useful when + manually reconstructing a broken cluster. + + This field is read-only and no changes will be made by Kubernetes + to the PVC after it has been created. + + Required, must not be nil. + properties: + metadata: + description: |- + May contain labels and annotations that will be copied into the PVC + when creating it. No other fields are allowed and will be rejected during + validation. + type: object + spec: + description: |- + The specification for the PersistentVolumeClaim. The entire content is + copied unchanged into the PVC that gets created from this + template. The same fields as in a PersistentVolumeClaim + are also valid here. + properties: + accessModes: + description: |- + accessModes contains the desired access modes the volume should have. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 + items: + type: string + type: array + x-kubernetes-list-type: atomic + dataSource: + description: |- + dataSource field can be used to specify either: + * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) + * An existing PVC (PersistentVolumeClaim) + If the provisioner or an external controller can support the specified data source, + it will create a new volume based on the contents of the specified data source. + When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, + and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. + If the namespace is specified, then dataSourceRef will not be copied to dataSource. + properties: + apiGroup: + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. + type: string + kind: + description: Kind is the type of resource + being referenced + type: string + name: + description: Name is the name of resource + being referenced + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + description: |- + dataSourceRef specifies the object from which to populate the volume with data, if a non-empty + volume is desired. This may be any object from a non-empty API group (non + core object) or a PersistentVolumeClaim object. + When this field is specified, volume binding will only succeed if the type of + the specified object matches some installed volume populator or dynamic + provisioner. + This field will replace the functionality of the dataSource field and as such + if both fields are non-empty, they must have the same value. For backwards + compatibility, when namespace isn't specified in dataSourceRef, + both fields (dataSource and dataSourceRef) will be set to the same + value automatically if one of them is empty and the other is non-empty. + When namespace is specified in dataSourceRef, + dataSource isn't set to the same value and must be empty. + There are three important differences between dataSource and dataSourceRef: + * While dataSource only allows two specific types of objects, dataSourceRef + allows any non-core object, as well as PersistentVolumeClaim objects. + * While dataSource ignores disallowed values (dropping them), dataSourceRef + preserves all values, and generates an error if a disallowed value is + specified. + * While dataSource only allows local objects, dataSourceRef allows objects + in any namespaces. + (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. + (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. + properties: + apiGroup: + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. + type: string + kind: + description: Kind is the type of resource + being referenced + type: string + name: + description: Name is the name of resource + being referenced + type: string + namespace: + description: |- + Namespace is the namespace of resource being referenced + Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. + (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. + type: string + required: + - kind + - name + type: object + resources: + description: |- + resources represents the minimum resources the volume should have. + If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements + that are lower than previous value but must still be higher than capacity recorded in the + status field of the claim. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + selector: + description: selector is a label query over + volumes to consider for binding. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + description: |- + storageClassName is the name of the StorageClass required by the claim. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 + type: string + volumeAttributesClassName: + description: |- + volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. + If specified, the CSI driver will create or update the volume with the attributes defined + in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, + it can be changed after the claim is created. An empty string or nil value indicates that no + VolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state, + this field can be reset to its previous value (including nil) to cancel the modification. + If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be + set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource + exists. + More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ + type: string + volumeMode: + description: |- + volumeMode defines what type of volume is required by the claim. + Value of Filesystem is implied when not included in claim spec. + type: string + volumeName: + description: volumeName is the binding reference + to the PersistentVolume backing this claim. + type: string + type: object + required: + - spec + type: object + type: object + fc: + description: fc represents a Fibre Channel resource + that is attached to a kubelet's host machine and then + exposed to the pod. + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + lun: + description: 'lun is Optional: FC target lun number' + format: int32 + type: integer + readOnly: + description: |- + readOnly is Optional: Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + targetWWNs: + description: 'targetWWNs is Optional: FC target + worldwide names (WWNs)' + items: + type: string + type: array + x-kubernetes-list-type: atomic + wwids: + description: |- + wwids Optional: FC volume world wide identifiers (wwids) + Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously. + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + flexVolume: + description: |- + flexVolume represents a generic volume resource that is + provisioned/attached using an exec based plugin. + Deprecated: FlexVolume is deprecated. Consider using a CSIDriver instead. + properties: + driver: + description: driver is the name of the driver to + use for this volume. + type: string + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script. + type: string + options: + additionalProperties: + type: string + description: 'options is Optional: this field holds + extra command options if any.' + type: object + readOnly: + description: |- + readOnly is Optional: defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + secretRef: + description: |- + secretRef is Optional: secretRef is reference to the secret object containing + sensitive information to pass to the plugin scripts. This may be + empty if no secret object is specified. If the secret object + contains more than one secret, all secrets are passed to the plugin + scripts. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + required: + - driver + type: object + flocker: + description: |- + flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running. + Deprecated: Flocker is deprecated and the in-tree flocker type is no longer supported. + properties: + datasetName: + description: |- + datasetName is Name of the dataset stored as metadata -> name on the dataset for Flocker + should be considered as deprecated + type: string + datasetUUID: + description: datasetUUID is the UUID of the dataset. + This is unique identifier of a Flocker dataset + type: string + type: object + gcePersistentDisk: + description: |- + gcePersistentDisk represents a GCE Disk resource that is attached to a + kubelet's host machine and then exposed to the pod. + Deprecated: GCEPersistentDisk is deprecated. All operations for the in-tree + gcePersistentDisk type are redirected to the pd.csi.storage.gke.io CSI driver. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + properties: + fsType: + description: |- + fsType is filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + type: string + partition: + description: |- + partition is the partition in the volume that you want to mount. + If omitted, the default is to mount by volume name. + Examples: For volume /dev/sda1, you specify the partition as "1". + Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + format: int32 + type: integer + pdName: + description: |- + pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + type: string + readOnly: + description: |- + readOnly here will force the ReadOnly setting in VolumeMounts. + Defaults to false. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + type: boolean + required: + - pdName + type: object + gitRepo: + description: |- + gitRepo represents a git repository at a particular revision. + Deprecated: GitRepo is deprecated. To provision a container with a git repo, mount an + EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir + into the Pod's container. + properties: + directory: + description: |- + directory is the target directory name. + Must not contain or start with '..'. If '.' is supplied, the volume directory will be the + git repository. Otherwise, if specified, the volume will contain the git repository in + the subdirectory with the given name. + type: string + repository: + description: repository is the URL + type: string + revision: + description: revision is the commit hash for the + specified revision. + type: string + required: + - repository + type: object + glusterfs: + description: |- + glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. + Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported. + properties: + endpoints: + description: endpoints is the endpoint name that + details Glusterfs topology. + type: string + path: + description: |- + path is the Glusterfs volume path. + More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + type: string + readOnly: + description: |- + readOnly here will force the Glusterfs volume to be mounted with read-only permissions. + Defaults to false. + More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + type: boolean + required: + - endpoints + - path + type: object + hostPath: + description: |- + hostPath represents a pre-existing file or directory on the host + machine that is directly exposed to the container. This is generally + used for system agents or other privileged things that are allowed + to see the host machine. Most containers will NOT need this. + More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + properties: + path: + description: |- + path of the directory on the host. + If the path is a symlink, it will follow the link to the real path. + More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + type: string + type: + description: |- + type for HostPath Volume + Defaults to "" + More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + type: string + required: + - path + type: object + image: + description: |- + image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine. + The volume is resolved at pod startup depending on which PullPolicy value is provided: + + - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. + - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. + - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. + + The volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation. + A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message. + The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field. + The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images. + The volume will be mounted read-only (ro) and non-executable files (noexec). + Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath) before 1.33. + The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type. + properties: + pullPolicy: + description: |- + Policy for pulling OCI objects. Possible values are: + Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. + Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. + IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. + Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. + type: string + reference: + description: |- + Required: Image or artifact reference to be used. + Behaves in the same way as pod.spec.containers[*].image. + Pull secrets will be assembled in the same way as for the container image by looking up node credentials, SA image pull secrets, and pod spec image pull secrets. + More info: https://kubernetes.io/docs/concepts/containers/images + This field is optional to allow higher level config management to default or override + container images in workload controllers like Deployments and StatefulSets. + type: string + type: object + iscsi: + description: |- + iscsi represents an ISCSI Disk resource that is attached to a + kubelet's host machine and then exposed to the pod. + More info: https://kubernetes.io/docs/concepts/storage/volumes/#iscsi + properties: + chapAuthDiscovery: + description: chapAuthDiscovery defines whether support + iSCSI Discovery CHAP authentication + type: boolean + chapAuthSession: + description: chapAuthSession defines whether support + iSCSI Session CHAP authentication + type: boolean + fsType: + description: |- + fsType is the filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi + type: string + initiatorName: + description: |- + initiatorName is the custom iSCSI Initiator Name. + If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface + : will be created for the connection. + type: string + iqn: + description: iqn is the target iSCSI Qualified Name. + type: string + iscsiInterface: + default: default + description: |- + iscsiInterface is the interface Name that uses an iSCSI transport. + Defaults to 'default' (tcp). + type: string + lun: + description: lun represents iSCSI Target Lun number. + format: int32 + type: integer + portals: + description: |- + portals is the iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port + is other than default (typically TCP ports 860 and 3260). + items: + type: string + type: array + x-kubernetes-list-type: atomic + readOnly: + description: |- + readOnly here will force the ReadOnly setting in VolumeMounts. + Defaults to false. + type: boolean + secretRef: + description: secretRef is the CHAP Secret for iSCSI + target and initiator authentication + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + targetPortal: + description: |- + targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port + is other than default (typically TCP ports 860 and 3260). + type: string + required: + - iqn + - lun + - targetPortal + type: object + name: + description: |- + name of the volume. + Must be a DNS_LABEL and unique within the pod. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + nfs: + description: |- + nfs represents an NFS mount on the host that shares a pod's lifetime + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + properties: + path: + description: |- + path that is exported by the NFS server. + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + type: string + readOnly: + description: |- + readOnly here will force the NFS export to be mounted with read-only permissions. + Defaults to false. + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + type: boolean + server: + description: |- + server is the hostname or IP address of the NFS server. + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + type: string + required: + - path + - server + type: object + persistentVolumeClaim: + description: |- + persistentVolumeClaimVolumeSource represents a reference to a + PersistentVolumeClaim in the same namespace. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + properties: + claimName: + description: |- + claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + type: string + readOnly: + description: |- + readOnly Will force the ReadOnly setting in VolumeMounts. + Default false. + type: boolean + required: + - claimName + type: object + photonPersistentDisk: + description: |- + photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine. + Deprecated: PhotonPersistentDisk is deprecated and the in-tree photonPersistentDisk type is no longer supported. + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + pdID: + description: pdID is the ID that identifies Photon + Controller persistent disk + type: string + required: + - pdID + type: object + portworxVolume: + description: |- + portworxVolume represents a portworx volume attached and mounted on kubelets host machine. + Deprecated: PortworxVolume is deprecated. All operations for the in-tree portworxVolume type + are redirected to the pxd.portworx.com CSI driver when the CSIMigrationPortworx feature-gate + is on. + properties: + fsType: + description: |- + fSType represents the filesystem type to mount + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs". Implicitly inferred to be "ext4" if unspecified. + type: string + readOnly: + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + volumeID: + description: volumeID uniquely identifies a Portworx + volume + type: string + required: + - volumeID + type: object + projected: + description: projected items for all in one resources + secrets, configmaps, and downward API + properties: + defaultMode: + description: |- + defaultMode are the mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + sources: + description: |- + sources is the list of volume projections. Each entry in this list + handles one source. + items: + description: |- + Projection that may be projected along with other supported volume types. + Exactly one of these fields must be set. + properties: + clusterTrustBundle: + description: |- + ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field + of ClusterTrustBundle objects in an auto-updating file. + + Alpha, gated by the ClusterTrustBundleProjection feature gate. + + ClusterTrustBundle objects can either be selected by name, or by the + combination of signer name and a label selector. + + Kubelet performs aggressive normalization of the PEM contents written + into the pod filesystem. Esoteric PEM features such as inter-block + comments and block headers are stripped. Certificates are deduplicated. + The ordering of certificates within the file is arbitrary, and Kubelet + may change the order over time. + properties: + labelSelector: + description: |- + Select all ClusterTrustBundles that match this label selector. Only has + effect if signerName is set. Mutually-exclusive with name. If unset, + interpreted as "match nothing". If set but empty, interpreted as "match + everything". + properties: + matchExpressions: + description: matchExpressions is a + list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + name: + description: |- + Select a single ClusterTrustBundle by object name. Mutually-exclusive + with signerName and labelSelector. + type: string + optional: + description: |- + If true, don't block pod startup if the referenced ClusterTrustBundle(s) + aren't available. If using name, then the named ClusterTrustBundle is + allowed not to exist. If using signerName, then the combination of + signerName and labelSelector is allowed to match zero + ClusterTrustBundles. + type: boolean + path: + description: Relative path from the volume + root to write the bundle. + type: string + signerName: + description: |- + Select all ClusterTrustBundles that match this signer name. + Mutually-exclusive with name. The contents of all selected + ClusterTrustBundles will be unified and deduplicated. + type: string + required: + - path + type: object + configMap: + description: configMap information about the + configMap data to project + properties: + items: + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + ConfigMap will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the ConfigMap, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + items: + description: Maps a string key to a + path within a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: optional specify whether + the ConfigMap or its keys must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + downwardAPI: + description: downwardAPI information about + the downwardAPI data to project + properties: + items: + description: Items is a list of DownwardAPIVolume + file + items: + description: DownwardAPIVolumeFile represents + information to create the file containing + the pod field + properties: + fieldRef: + description: 'Required: Selects + a field of the pod: only annotations, + labels, name, namespace and uid + are supported.' + properties: + apiVersion: + description: Version of the + schema the FieldPath is written + in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field + to select in the specified + API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + description: |- + Optional: mode bits used to set permissions on this file, must be an octal value + between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: 'Required: Path is the + relative path name of the file + to be created. Must not be absolute + or contain the ''..'' path. Must + be utf-8 encoded. The first item + of the relative path must not + start with ''..''' + type: string + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. + properties: + containerName: + description: 'Container name: + required for volumes, optional + for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output + format of the exposed resources, + defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource + to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podCertificate: + description: |- + Projects an auto-rotating credential bundle (private key and certificate + chain) that the pod can use either as a TLS client or server. + + Kubelet generates a private key and uses it to send a + PodCertificateRequest to the named signer. Once the signer approves the + request and issues a certificate chain, Kubelet writes the key and + certificate chain to the pod filesystem. The pod does not start until + certificates have been issued for each podCertificate projected volume + source in its spec. + + Kubelet will begin trying to rotate the certificate at the time indicated + by the signer using the PodCertificateRequest.Status.BeginRefreshAt + timestamp. + + Kubelet can write a single file, indicated by the credentialBundlePath + field, or separate files, indicated by the keyPath and + certificateChainPath fields. + + The credential bundle is a single file in PEM format. The first PEM + entry is the private key (in PKCS#8 format), and the remaining PEM + entries are the certificate chain issued by the signer (typically, + signers will return their certificate chain in leaf-to-root order). + + Prefer using the credential bundle format, since your application code + can read it atomically. If you use keyPath and certificateChainPath, + your application must make two separate file reads. If these coincide + with a certificate rotation, it is possible that the private key and leaf + certificate you read may not correspond to each other. Your application + will need to check for this condition, and re-read until they are + consistent. + + The named signer controls chooses the format of the certificate it + issues; consult the signer implementation's documentation to learn how to + use the certificates it issues. + properties: + certificateChainPath: + description: |- + Write the certificate chain at this path in the projected volume. + + Most applications should use credentialBundlePath. When using keyPath + and certificateChainPath, your application needs to check that the key + and leaf certificate are consistent, because it is possible to read the + files mid-rotation. + type: string + credentialBundlePath: + description: |- + Write the credential bundle at this path in the projected volume. + + The credential bundle is a single file that contains multiple PEM blocks. + The first PEM block is a PRIVATE KEY block, containing a PKCS#8 private + key. + + The remaining blocks are CERTIFICATE blocks, containing the issued + certificate chain from the signer (leaf and any intermediates). + + Using credentialBundlePath lets your Pod's application code make a single + atomic read that retrieves a consistent key and certificate chain. If you + project them to separate files, your application code will need to + additionally check that the leaf certificate was issued to the key. + type: string + keyPath: + description: |- + Write the key at this path in the projected volume. + + Most applications should use credentialBundlePath. When using keyPath + and certificateChainPath, your application needs to check that the key + and leaf certificate are consistent, because it is possible to read the + files mid-rotation. + type: string + keyType: + description: |- + The type of keypair Kubelet will generate for the pod. + + Valid values are "RSA3072", "RSA4096", "ECDSAP256", "ECDSAP384", + "ECDSAP521", and "ED25519". + type: string + maxExpirationSeconds: + description: |- + maxExpirationSeconds is the maximum lifetime permitted for the + certificate. + + Kubelet copies this value verbatim into the PodCertificateRequests it + generates for this projection. + + If omitted, kube-apiserver will set it to 86400(24 hours). kube-apiserver + will reject values shorter than 3600 (1 hour). The maximum allowable + value is 7862400 (91 days). + + The signer implementation is then free to issue a certificate with any + lifetime *shorter* than MaxExpirationSeconds, but no shorter than 3600 + seconds (1 hour). This constraint is enforced by kube-apiserver. + `kubernetes.io` signers will never issue certificates with a lifetime + longer than 24 hours. + format: int32 + type: integer + signerName: + description: Kubelet's generated CSRs + will be addressed to this signer. + type: string + required: + - keyType + - signerName + type: object + secret: + description: secret information about the + secret data to project + properties: + items: + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + Secret will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the Secret, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + items: + description: Maps a string key to a + path within a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: optional field specify whether + the Secret or its key must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + serviceAccountToken: + description: serviceAccountToken is information + about the serviceAccountToken data to project + properties: + audience: + description: |- + audience is the intended audience of the token. A recipient of a token + must identify itself with an identifier specified in the audience of the + token, and otherwise should reject the token. The audience defaults to the + identifier of the apiserver. + type: string + expirationSeconds: + description: |- + expirationSeconds is the requested duration of validity of the service + account token. As the token approaches expiration, the kubelet volume + plugin will proactively rotate the service account token. The kubelet will + start trying to rotate the token if the token is older than 80 percent of + its time to live or if the token is older than 24 hours.Defaults to 1 hour + and must be at least 10 minutes. + format: int64 + type: integer + path: + description: |- + path is the path relative to the mount point of the file to project the + token into. + type: string + required: + - path + type: object + type: object + type: array + x-kubernetes-list-type: atomic + type: object + quobyte: + description: |- + quobyte represents a Quobyte mount on the host that shares a pod's lifetime. + Deprecated: Quobyte is deprecated and the in-tree quobyte type is no longer supported. + properties: + group: + description: |- + group to map volume access to + Default is no group + type: string + readOnly: + description: |- + readOnly here will force the Quobyte volume to be mounted with read-only permissions. + Defaults to false. + type: boolean + registry: + description: |- + registry represents a single or multiple Quobyte Registry services + specified as a string as host:port pair (multiple entries are separated with commas) + which acts as the central registry for volumes + type: string + tenant: + description: |- + tenant owning the given Quobyte volume in the Backend + Used with dynamically provisioned Quobyte volumes, value is set by the plugin + type: string + user: + description: |- + user to map volume access to + Defaults to serivceaccount user + type: string + volume: + description: volume is a string that references + an already created Quobyte volume by name. + type: string + required: + - registry + - volume + type: object + rbd: + description: |- + rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. + Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported. + properties: + fsType: + description: |- + fsType is the filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd + type: string + image: + description: |- + image is the rados image name. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + keyring: + default: /etc/ceph/keyring + description: |- + keyring is the path to key ring for RBDUser. + Default is /etc/ceph/keyring. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + monitors: + description: |- + monitors is a collection of Ceph monitors. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + items: + type: string + type: array + x-kubernetes-list-type: atomic + pool: + default: rbd + description: |- + pool is the rados pool name. + Default is rbd. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + readOnly: + description: |- + readOnly here will force the ReadOnly setting in VolumeMounts. + Defaults to false. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: boolean + secretRef: + description: |- + secretRef is name of the authentication secret for RBDUser. If provided + overrides keyring. + Default is nil. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + user: + default: admin + description: |- + user is the rados user name. + Default is admin. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + required: + - image + - monitors + type: object + scaleIO: + description: |- + scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes. + Deprecated: ScaleIO is deprecated and the in-tree scaleIO type is no longer supported. + properties: + fsType: + default: xfs + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". + Default is "xfs". + type: string + gateway: + description: gateway is the host address of the + ScaleIO API Gateway. + type: string + protectionDomain: + description: protectionDomain is the name of the + ScaleIO Protection Domain for the configured storage. + type: string + readOnly: + description: |- + readOnly Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + secretRef: + description: |- + secretRef references to the secret for ScaleIO user and other + sensitive information. If this is not provided, Login operation will fail. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + sslEnabled: + description: sslEnabled Flag enable/disable SSL + communication with Gateway, default false + type: boolean + storageMode: + default: ThinProvisioned + description: |- + storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. + Default is ThinProvisioned. + type: string + storagePool: + description: storagePool is the ScaleIO Storage + Pool associated with the protection domain. + type: string + system: + description: system is the name of the storage system + as configured in ScaleIO. + type: string + volumeName: + description: |- + volumeName is the name of a volume already created in the ScaleIO system + that is associated with this volume source. + type: string + required: + - gateway + - secretRef + - system + type: object + secret: + description: |- + secret represents a secret that should populate this volume. + More info: https://kubernetes.io/docs/concepts/storage/volumes#secret + properties: + defaultMode: + description: |- + defaultMode is Optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values + for mode bits. Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + items: + description: |- + items If unspecified, each key-value pair in the Data field of the referenced + Secret will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the Secret, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + items: + description: Maps a string key to a path within + a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + optional: + description: optional field specify whether the + Secret or its keys must be defined + type: boolean + secretName: + description: |- + secretName is the name of the secret in the pod's namespace to use. + More info: https://kubernetes.io/docs/concepts/storage/volumes#secret + type: string + type: object + storageos: + description: |- + storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes. + Deprecated: StorageOS is deprecated and the in-tree storageos type is no longer supported. + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + readOnly: + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + secretRef: + description: |- + secretRef specifies the secret to use for obtaining the StorageOS API + credentials. If not specified, default values will be attempted. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + volumeName: + description: |- + volumeName is the human-readable name of the StorageOS volume. Volume + names are only unique within a namespace. + type: string + volumeNamespace: + description: |- + volumeNamespace specifies the scope of the volume within StorageOS. If no + namespace is specified then the Pod's namespace will be used. This allows the + Kubernetes name scoping to be mirrored within StorageOS for tighter integration. + Set VolumeName to any name to override the default behaviour. + Set to "default" if you are not using namespaces within StorageOS. + Namespaces that do not pre-exist within StorageOS will be created. + type: string + type: object + vsphereVolume: + description: |- + vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine. + Deprecated: VsphereVolume is deprecated. All operations for the in-tree vsphereVolume type + are redirected to the csi.vsphere.vmware.com CSI driver. + properties: + fsType: + description: |- + fsType is filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + storagePolicyID: + description: storagePolicyID is the storage Policy + Based Management (SPBM) profile ID associated + with the StoragePolicyName. + type: string + storagePolicyName: + description: storagePolicyName is the storage Policy + Based Management (SPBM) profile name. + type: string + volumePath: + description: volumePath is the path that identifies + vSphere volume vmdk + type: string + required: + - volumePath + type: object + required: + - name + type: object + type: array + type: object + profile: + description: Specifies which installation configuration profile + to apply. + type: string + revision: + description: Identifies the revision this installation is associated + with. + type: string + sidecarInjectorWebhook: + description: Configuration for the sidecar injector webhook. + properties: + alwaysInjectSelector: + description: See NeverInjectSelector. + items: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: array + defaultTemplates: + description: 'defaultTemplates: ["sidecar", "hello"]' + items: + type: string + type: array + enableNamespacesByDefault: + description: Enables sidecar auto-injection in namespaces + by default. + type: boolean + injectedAnnotations: + additionalProperties: + type: string + description: |- + injectedAnnotations are additional annotations that will be added to the pod spec after injection + This is primarily to support PSP annotations. + type: object + injectionURL: + description: Configure the injection url for sidecar injector + webhook + type: string + neverInjectSelector: + description: |- + Instructs Istio to not inject the sidecar on those pods, based on labels that are present in those pods. + + Annotations in the pods have higher precedence than the label selectors. + Order of evaluation: Pod Annotations → NeverInjectSelector → AlwaysInjectSelector → Default Policy. + See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions + items: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: array + reinvocationPolicy: + description: 'Setting this to `IfNeeded` will result in the + sidecar injector being run again if additional mutations + occur. Default: Never' + type: string + rewriteAppHTTPProbe: + description: If true, webhook or istioctl injector will rewrite + PodSpec for liveness health check to redirect request to + sidecar. This makes liveness check work even when mTLS is + enabled. + type: boolean + templates: + additionalProperties: + type: string + description: "Templates defines a set of custom injection + templates that can be used. For example, defining:\n\ntemplates:\n\n\thello: + |\n\t metadata:\n\t labels:\n\t hello: world\n\nThen + starting a pod with the `inject.istio.io/templates: hello` + annotation, will result in the pod\nbeing injected with + the hello=world labels.\nThis is intended for advanced configuration + only; most users should use the built in template" + type: object + type: object + telemetry: + description: Controls whether telemetry is exported for Pilot. + properties: + enabled: + description: Controls whether telemetry is exported for Pilot. + type: boolean + v2: + description: Configuration for Telemetry v2. + properties: + enabled: + description: Controls whether pilot will configure telemetry + v2. + type: boolean + prometheus: + description: Telemetry v2 settings for prometheus. + properties: + enabled: + description: Controls whether stats envoyfilter would + be enabled or not. + type: boolean + type: object + stackdriver: + description: Telemetry v2 settings for stackdriver. + properties: + enabled: + type: boolean + type: object + type: object + type: object + type: object + version: + description: |- + Defines the version of Istio to install. + Must be one of: v1.28.5, v1.28.4, v1.27.8, v1.27.5, v1.27.3, v1.26.8, v1.26.6, v1.26.4, v1.26.3, v1.26.2. + enum: + - v1.28.5 + - v1.28.4 + - v1.27.8 + - v1.27.5 + - v1.27.3 + - v1.26.8 + - v1.26.6 + - v1.26.4 + - v1.26.3 + - v1.26.2 + type: string + required: + - namespace + - version + type: object + x-kubernetes-validations: + - message: spec.values.global.istioNamespace must match spec.namespace + rule: self.values.global.istioNamespace == self.__namespace__ + status: + description: IstioRevisionStatus defines the observed state of IstioRevision + properties: + conditions: + description: Represents the latest available observations of the object's + current state. + items: + description: IstioRevisionCondition represents a specific observation + of the IstioRevision object's state. + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + the last transition. + type: string + reason: + description: Unique, single-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: The status of this condition. Can be True, False + or Unknown. + type: string + type: + description: The type of this condition. + type: string + type: object + type: array + observedGeneration: + description: |- + ObservedGeneration is the most recent generation observed for this + IstioRevision object. It corresponds to the object's generation, which is + updated on mutation by the API Server. The information in the status + pertains to this particular generation of the object. + format: int64 + type: integer + state: + description: Reports the current state of the object. + type: string + type: object + type: object + x-kubernetes-validations: + - message: spec.values.revision must match metadata.name or be empty when + the name is 'default' + rule: 'self.metadata.name == ''default'' ? (!has(self.spec.values.revision) + || size(self.spec.values.revision) == 0) : self.spec.values.revision == + self.metadata.name' + served: true + storage: true + subresources: + status: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/sailoperator.io_istiorevisiontags.yaml b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/sailoperator.io_istiorevisiontags.yaml new file mode 100644 index 0000000000..4ef72dd74f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/sailoperator.io_istiorevisiontags.yaml @@ -0,0 +1,147 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.19.0 + name: istiorevisiontags.sailoperator.io +spec: + group: sailoperator.io + names: + categories: + - istio-io + kind: IstioRevisionTag + listKind: IstioRevisionTagList + plural: istiorevisiontags + shortNames: + - istiorevtag + singular: istiorevisiontag + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The current state of this object. + jsonPath: .status.state + name: Status + type: string + - description: Whether the tag is being used by workloads. + jsonPath: .status.conditions[?(@.type=="InUse")].status + name: In use + type: string + - description: The IstioRevision this object is referencing. + jsonPath: .status.istioRevision + name: Revision + type: string + - description: The age of the object + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: IstioRevisionTag references an Istio or IstioRevision object + and serves as an alias for sidecar injection. It can be used to manage stable + revision tags without having to use istioctl or helm directly. See https://istio.io/latest/docs/setup/upgrade/canary/#stable-revision-labels + for more information on the concept. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: IstioRevisionTagSpec defines the desired state of IstioRevisionTag + properties: + targetRef: + description: IstioRevisionTagTargetReference can reference either + Istio or IstioRevision objects in the cluster. In the case of referencing + an Istio object, the Sail Operator will automatically update the + reference to the Istio object's Active Revision. + properties: + kind: + description: Kind is the kind of the target resource. + maxLength: 253 + minLength: 1 + type: string + name: + description: Name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + required: + - kind + - name + type: object + required: + - targetRef + type: object + status: + description: IstioRevisionStatus defines the observed state of IstioRevision + properties: + conditions: + description: Represents the latest available observations of the object's + current state. + items: + description: IstioRevisionCondition represents a specific observation + of the IstioRevision object's state. + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + the last transition. + type: string + reason: + description: Unique, single-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: The status of this condition. Can be True, False + or Unknown. + type: string + type: + description: The type of this condition. + type: string + type: object + type: array + istioRevision: + description: IstioRevision stores the name of the referenced IstioRevision + type: string + istiodNamespace: + description: IstiodNamespace stores the namespace of the corresponding + Istiod instance + type: string + observedGeneration: + description: |- + ObservedGeneration is the most recent generation observed for this + IstioRevisionTag object. It corresponds to the object's generation, which is + updated on mutation by the API Server. The information in the status + pertains to this particular generation of the object. + format: int64 + type: integer + state: + description: Reports the current state of the object. + type: string + required: + - istioRevision + - istiodNamespace + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/sailoperator.io_istios.yaml b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/sailoperator.io_istios.yaml new file mode 100644 index 0000000000..d871547ebe --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/sailoperator.io_istios.yaml @@ -0,0 +1,10175 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.19.0 + name: istios.sailoperator.io +spec: + group: sailoperator.io + names: + categories: + - istio-io + kind: Istio + listKind: IstioList + plural: istios + singular: istio + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The namespace for the control plane components. + jsonPath: .spec.namespace + name: Namespace + type: string + - description: The selected profile (collection of value presets). + jsonPath: .spec.profile + name: Profile + type: string + - description: Total number of IstioRevision objects currently associated with + this object. + jsonPath: .status.revisions.total + name: Revisions + type: string + - description: Number of revisions that are ready. + jsonPath: .status.revisions.ready + name: Ready + type: string + - description: Number of revisions that are currently being used by workloads. + jsonPath: .status.revisions.inUse + name: In use + type: string + - description: The name of the currently active revision. + jsonPath: .status.activeRevisionName + name: Active Revision + type: string + - description: The current state of the active revision. + jsonPath: .status.state + name: Status + type: string + - description: The version of the control plane installation. + jsonPath: .spec.version + name: Version + type: string + - description: The age of the object + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + Istio represents an Istio Service Mesh deployment consisting of one or more + control plane instances (represented by one or more IstioRevision objects). + To deploy an Istio Service Mesh, a user creates an Istio object with the + desired Istio version and configuration. The operator then creates + an IstioRevision object, which in turn creates the underlying Deployment + objects for istiod and other control plane components, similar to how a + Deployment object in Kubernetes creates ReplicaSets that create the Pods. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + default: + namespace: istio-system + updateStrategy: + type: InPlace + version: v1.28.5 + description: IstioSpec defines the desired state of Istio + properties: + namespace: + default: istio-system + description: Namespace to which the Istio components should be installed. + Note that this field is immutable. + type: string + x-kubernetes-validations: + - message: Value is immutable + rule: self == oldSelf + profile: + description: |- + The built-in installation configuration profile to use. + The 'default' profile is always applied. On OpenShift, the 'openshift' profile is also applied on top of 'default'. + Must be one of: ambient, default, demo, empty, openshift, openshift-ambient, preview, remote, stable. + enum: + - ambient + - default + - demo + - empty + - external + - openshift + - openshift-ambient + - preview + - remote + - stable + type: string + updateStrategy: + default: + type: InPlace + description: Defines the update strategy to use when the version in + the Istio CR is updated. + properties: + inactiveRevisionDeletionGracePeriodSeconds: + description: |- + Defines how many seconds the operator should wait before removing a non-active revision after all + the workloads have stopped using it. You may want to set this value on the order of minutes. + The minimum is 0 and the default value is 30. + format: int64 + minimum: 0 + type: integer + type: + default: InPlace + description: "Type of strategy to use. Can be \"InPlace\" or \"RevisionBased\". + When the \"InPlace\" strategy\nis used, the existing Istio control + plane is updated in-place. The workloads therefore\ndon't need + to be moved from one control plane instance to another. When + the \"RevisionBased\"\nstrategy is used, a new Istio control + plane instance is created for every change to the\nIstio.spec.version + field. The old control plane remains in place until all workloads + have\nbeen moved to the new control plane instance.\n\nThe \"InPlace\" + strategy is the default.\tTODO: change default to \"RevisionBased\"" + enum: + - InPlace + - RevisionBased + type: string + updateWorkloads: + description: |- + Defines whether the workloads should be moved from one control plane instance to another + automatically. If updateWorkloads is true, the operator moves the workloads from the old + control plane instance to the new one after the new control plane is ready. + If updateWorkloads is false, the user must move the workloads manually by updating the + istio.io/rev labels on the namespace and/or the pods. + Defaults to false. + type: boolean + type: object + values: + description: Defines the values to be passed to the Helm charts when + installing Istio. + properties: + base: + description: Configuration for the base component. + properties: + excludedCRDs: + description: CRDs to exclude. Requires `enableCRDTemplates` + items: + type: string + type: array + validationCABundle: + description: validation webhook CA bundle + type: string + validationURL: + description: URL to use for validating webhook. + type: string + type: object + compatibilityVersion: + description: |- + Specifies the compatibility version to use. When this is set, the control plane will + be configured with the same defaults as the specified version. + type: string + defaultRevision: + description: |- + The name of the default revision in the cluster. + Deprecated: This field is ignored. The default revision is expected to be configurable elsewhere. + type: string + experimental: + description: Specifies experimental helm fields that could be + removed or changed in the future + x-kubernetes-preserve-unknown-fields: true + gatewayClasses: + description: Configuration for Gateway Classes + x-kubernetes-preserve-unknown-fields: true + global: + description: Global configuration for Istio components. + properties: + arch: + description: "Specifies pod scheduling arch(amd64, ppc64le, + s390x, arm64) and weight as follows:\n\n\t0 - Never scheduled\n\t1 + - Least preferred\n\t2 - No preference\n\t3 - Most preferred\n\nDeprecated: + replaced by the affinity k8s settings which allows architecture + nodeAffinity configuration of this behavior.\n\nDeprecated: + Marked as deprecated in pkg/apis/values_types.proto." + properties: + amd64: + description: Sets pod scheduling weight for amd64 arch + format: int32 + type: integer + arm64: + description: Sets pod scheduling weight for arm64 arch. + format: int32 + type: integer + ppc64le: + description: Sets pod scheduling weight for ppc64le arch. + format: int32 + type: integer + s390x: + description: Sets pod scheduling weight for s390x arch. + format: int32 + type: integer + type: object + caAddress: + description: The address of the CA for CSR. + type: string + caName: + description: |- + The name of the CA for workloads. + For example, when caName=GkeWorkloadCertificate, GKE workload certificates + will be used as the certificates for workloads. + The default value is "" and when caName="", the CA will be configured by other + mechanisms (e.g., environmental variable CA_PROVIDER). + type: string + certSigners: + description: List of certSigners to allow "approve" action + in the ClusterRole + items: + type: string + type: array + configCluster: + description: Controls whether a remote cluster is the config + cluster for an external istiod + type: boolean + configValidation: + description: Controls whether the server-side validation is + enabled. + type: boolean + defaultNodeSelector: + additionalProperties: + type: string + description: |- + Default k8s node selector for all the Istio control plane components + + See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. + type: object + defaultPodDisruptionBudget: + description: Specifies the default pod disruption budget configuration. + properties: + enabled: + description: Controls whether a PodDisruptionBudget with + a default minAvailable value of 1 is created for each + deployment. + type: boolean + type: object + defaultResources: + description: |- + Default k8s resources settings for all Istio control plane components. + + See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container + + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + This field depends on the + DynamicResourceAllocation feature gate. + + This field is immutable. It can only be set for containers. + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + defaultTolerations: + description: |- + Default node tolerations to be applied to all deployments so that all pods can be + scheduled to nodes with matching taints. Each component can overwrite + these default values by adding its tolerations block in the relevant section below + and setting the desired values. + Configure this field in case that all pods of Istio control plane are expected to + be scheduled to particular nodes with specified taints. + + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + externalIstiod: + description: Controls whether one external istiod is enabled. + type: boolean + hub: + description: Specifies the docker hub for Istio images. + type: string + imagePullPolicy: + description: |- + Specifies the image pull policy for the Istio images. one of Always, Never, IfNotPresent. + Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated. + + More info: https://kubernetes.io/docs/concepts/containers/images#updating-images + enum: + - Always + - Never + - IfNotPresent + type: string + imagePullSecrets: + description: |- + ImagePullSecrets for the control plane ServiceAccount, list of secrets in the same namespace + to use for pulling any images in pods that reference this ServiceAccount. + Must be set for any cluster configured with private docker registry. + items: + type: string + type: array + ipFamilies: + description: |- + Defines which IP family to use for single stack or the order of IP families for dual-stack. + Valid list items are "IPv4", "IPv6". + More info: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + items: + type: string + type: array + ipFamilyPolicy: + description: |- + Controls whether Services are configured to use IPv4, IPv6, or both. Valid options + are PreferDualStack, RequireDualStack, and SingleStack. + More info: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + type: string + istioNamespace: + description: Specifies the default namespace for the Istio + control plane components. + type: string + istiod: + description: Specifies the configution of istiod + properties: + enableAnalysis: + description: If enabled, istiod will perform config analysis + type: boolean + type: object + jwtPolicy: + description: |- + Configure the policy for validating JWT. + This is deprecated and has no effect. + + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. + type: string + logAsJson: + description: Specifies whether istio components should output + logs in json format by adding --log_as_json argument to + each container. + type: boolean + logging: + description: Specifies the global logging level settings for + the Istio control plane components. + properties: + level: + description: |- + Comma-separated minimum per-scope logging level of messages to output, in the form of :,: + The control plane has different scopes depending on component, but can configure default log level across all components + If empty, default scope and level will be used as configured in code + type: string + type: object + meshID: + description: |- + The Mesh Identifier. It should be unique within the scope where + meshes will interact with each other, but it is not required to be + globally/universally unique. For example, if any of the following are true, + then two meshes must have different Mesh IDs: + - Meshes will have their telemetry aggregated in one place + - Meshes will be federated together + - Policy will be written referencing one mesh from the other + + If an administrator expects that any of these conditions may become true in + the future, they should ensure their meshes have different Mesh IDs + assigned. + + Within a multicluster mesh, each cluster must be (manually or auto) + configured to have the same Mesh ID value. If an existing cluster 'joins' a + multicluster mesh, it will need to be migrated to the new mesh ID. Details + of migration TBD, and it may be a disruptive operation to change the Mesh + ID post-install. + + If the mesh admin does not specify a value, Istio will use the value of the + mesh's Trust Domain. The best practice is to select a proper Trust Domain + value. + type: string + meshNetworks: + additionalProperties: + description: |- + Network provides information about the endpoints in a routable L3 + network. A single routable L3 network can have one or more service + registries. Note that the network has no relation to the locality of the + endpoint. The endpoint locality will be obtained from the service + registry. + properties: + endpoints: + description: |- + The list of endpoints in the network (obtained through the + constituent service registries or from CIDR ranges). All endpoints in + the network are directly accessible to one another. + items: + description: "NetworkEndpoints describes how the network + associated with an endpoint\nshould be inferred. + An endpoint will be assigned to a network based + on\nthe following rules:\n\n1. Implicitly: If the + registry explicitly provides information about\nthe + network to which the endpoint belongs to. In some + cases, its\npossible to indicate the network associated + with the endpoint by\nadding the `ISTIO_META_NETWORK` + environment variable to the sidecar.\n\n2. Explicitly:\n\n\ta. + By matching the registry name with one of the \"fromRegistry\"\n\tin + the mesh config. A \"fromRegistry\" can only be + assigned to a\n\tsingle network.\n\n\tb. By matching + the IP against one of the CIDR ranges in a mesh\n\tconfig + network. The CIDR ranges must not overlap and be + assigned to\n\ta single network.\n\n(2) will override + (1) if both are present." + properties: + fromCidr: + description: |- + A CIDR range for the set of endpoints in this network. The CIDR + ranges for endpoints from different networks must not overlap. + type: string + fromRegistry: + description: |- + Add all endpoints from the specified registry into this network. + The names of the registries should correspond to the kubeconfig file name + inside the secret that was used to configure the registry (Kubernetes + multicluster) or supplied by MCP server. + type: string + type: object + x-kubernetes-validations: + - message: At most one of [fromCidr fromRegistry] + should be set + rule: (has(self.fromCidr)?1:0) + (has(self.fromRegistry)?1:0) + <= 1 + type: array + gateways: + description: Set of gateways associated with the network. + items: + description: |- + The gateway associated with this network. Traffic from remote networks + will arrive at the specified gateway:port. All incoming traffic must + use mTLS. + properties: + address: + description: IP address or externally resolvable + DNS address associated with the gateway. + type: string + locality: + description: The locality associated with an explicitly + specified gateway (i.e. ip) + type: string + port: + format: int32 + type: integer + registryServiceName: + description: |- + A fully qualified domain name of the gateway service. istiod will + lookup the service from the service registries in the network and + obtain the endpoint IPs of the gateway from the service + registry. Note that while the service name is a fully qualified + domain name, it need not be resolvable outside the orchestration + platform for the registry. e.g., this could be + istio-ingressgateway.istio-system.svc.cluster.local. + type: string + type: object + x-kubernetes-validations: + - message: At most one of [registryServiceName address] + should be set + rule: (has(self.registryServiceName)?1:0) + (has(self.address)?1:0) + <= 1 + type: array + type: object + description: "Configure the mesh networks to be used by the + Split Horizon EDS.\n\nThe following example defines two + networks with different endpoints association methods.\nFor + `network1` all endpoints that their IP belongs to the provided + CIDR range will be\nmapped to network1. The gateway for + this network example is specified by its public IP\naddress + and port.\nThe second network, `network2`, in this example + is defined differently with all endpoints\nretrieved through + the specified Multi-Cluster registry being mapped to network2. + The\ngateway is also defined differently with the name of + the gateway service on the remote\ncluster. The public IP + for the gateway will be determined from that remote service + (only\nLoadBalancer gateway service type is currently supported, + for a NodePort type gateway service,\nit still need to be + configured manually).\n\nmeshNetworks:\n\n\tnetwork1:\n\t + \ endpoints:\n\t - fromCidr: \"192.168.0.1/24\"\n\t gateways:\n\t + \ - address: 1.1.1.1\n\t port: 80\n\tnetwork2:\n\t endpoints:\n\t + \ - fromRegistry: reg1\n\t gateways:\n\t - registryServiceName: + istio-ingressgateway.istio-system.svc.cluster.local\n\t + \ port: 443" + type: object + mountMtlsCerts: + description: Controls whether the in-cluster MTLS key and + certs are loaded from the secret volume mounts. + type: boolean + multiCluster: + description: Specifies the Configuration for Istio mesh across + multiple clusters through Istio gateways. + properties: + clusterName: + description: |- + The name of the cluster this installation will run in. This is required for sidecar injection + to properly label proxies + type: string + enabled: + description: |- + Enables the connection between two kubernetes clusters via their respective ingressgateway services. + Use if the pods in each cluster cannot directly talk to one another. + type: boolean + globalDomainSuffix: + description: The suffix for global service names. + type: string + includeEnvoyFilter: + description: Enable envoy filter to translate `globalDomainSuffix` + to cluster local suffix for cross cluster communication. + type: boolean + type: object + nativeNftables: + description: Specifies whether native nftables rules should + be used instead of iptables rules for traffic redirection. + type: boolean + network: + description: |- + Network defines the network this cluster belong to. This name + corresponds to the networks in the map of mesh networks. + type: string + networkPolicy: + description: Settings related to Kubernetes NetworkPolicy. + properties: + enabled: + description: Controls whether default NetworkPolicy resources + will be created. + type: boolean + type: object + omitSidecarInjectorConfigMap: + description: |- + Controls whether the creation of the sidecar injector ConfigMap should be skipped. + Defaults to false. When set to true, the sidecar injector ConfigMap will not be created. + type: boolean + operatorManageWebhooks: + description: |- + Controls whether the WebhookConfiguration resource(s) should be created. The current behavior + of Istiod is to manage its own webhook configurations. + When this option is set to true, Istio Operator, instead of webhooks, manages the + webhook configurations. When this option is set as false, webhooks manage their + own webhook configurations. + type: boolean + pilotCertProvider: + description: |- + Configure the Pilot certificate provider. + Currently, four providers are supported: "kubernetes", "istiod", "custom" and "none". + type: string + platform: + description: |- + Platform in which Istio is deployed. Possible values are: "openshift" and "gcp" + An empty value means it is a vanilla Kubernetes distribution, therefore no special + treatment will be considered. + type: string + podDNSSearchNamespaces: + description: |- + Custom DNS config for the pod to resolve names of services in other + clusters. Use this to add additional search domains, and other settings. + see https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config + This does not apply to gateway pods as they typically need a different + set of DNS settings than the normal application pods (e.g. in multicluster scenarios). + items: + type: string + type: array + priorityClassName: + description: |- + Specifies the k8s priorityClassName for the istio control plane components. + + See https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. + type: string + proxy: + description: Specifies how proxies are configured within Istio. + properties: + autoInject: + description: Controls the 'policy' in the sidecar injector. + type: string + clusterDomain: + description: |- + Domain for the cluster, default: "cluster.local". + + K8s allows this to be customized, see https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/ + type: string + componentLogLevel: + description: |- + Per Component log level for proxy, applies to gateways and sidecars. + + If a component level is not set, then the global "logLevel" will be used. If left empty, "misc:error" is used. + type: string + enableCoreDump: + description: |- + Enables core dumps for newly injected sidecars. + + If set, newly injected sidecars will have core dumps enabled. + + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. + type: boolean + excludeIPRanges: + description: Lists the excluded IP ranges of Istio egress + traffic that the sidecar captures. + type: string + excludeInboundPorts: + description: Specifies the Istio ingress ports not to + capture. + type: string + excludeOutboundPorts: + description: A comma separated list of outbound ports + to be excluded from redirection to Envoy. + type: string + holdApplicationUntilProxyStarts: + description: |- + Controls if sidecar is injected at the front of the container list and blocks the start of the other containers until the proxy is ready + + Deprecated: replaced by ProxyConfig setting which allows per-pod configuration of this behavior. + + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. + type: boolean + image: + description: |- + Image name or path for the proxy, default: "proxyv2". + + If registry or tag are not specified, global.hub and global.tag are used. + + Examples: my-proxy (uses global.hub/tag), docker.io/myrepo/my-proxy:v1.0.0 + type: string + includeIPRanges: + description: |- + Lists the IP ranges of Istio egress traffic that the sidecar captures. + + Example: "172.30.0.0/16,172.20.0.0/16" + This would only capture egress traffic on those two IP Ranges, all other outbound traffic would # be allowed by the sidecar." + type: string + includeInboundPorts: + description: |- + A comma separated list of inbound ports for which traffic is to be redirected to Envoy. + The wildcard character '*' can be used to configure redirection for all ports. + type: string + includeOutboundPorts: + description: A comma separated list of outbound ports + for which traffic is to be redirected to Envoy, regardless + of the destination IP. + type: string + lifecycle: + description: |- + The k8s lifecycle hooks definition (pod.spec.containers.lifecycle) for the proxy container. + More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks + properties: + postStart: + description: |- + PostStart is called immediately after a container is created. If the handler fails, + the container is terminated and restarted according to its restart policy. + Other management of the container blocks until the hook completes. + More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks + properties: + exec: + description: Exec specifies a command to execute + in the container. + properties: + command: + description: |- + Command is the command line to execute inside the container, the working directory for the + command is root ('/') in the container's filesystem. The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use + a shell, you need to explicitly call out to that shell. + Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + httpGet: + description: HTTPGet specifies an HTTP GET request + to perform. + properties: + host: + description: |- + Host name to connect to, defaults to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the + request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom + header to be used in HTTP probes + properties: + name: + description: |- + The header field name. + This will be canonicalized upon output, so case-variant names will be understood as the same header. + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: |- + Name or number of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: |- + Scheme to use for connecting to the host. + Defaults to HTTP. + type: string + required: + - port + type: object + sleep: + description: Sleep represents a duration that + the container should sleep. + properties: + seconds: + description: Seconds is the number of seconds + to sleep. + format: int64 + type: integer + required: + - seconds + type: object + tcpSocket: + description: |- + Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept + for backward compatibility. There is no validation of this field and + lifecycle hooks will fail at runtime when it is specified. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: |- + Number or name of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + preStop: + description: |- + PreStop is called immediately before a container is terminated due to an + API request or management event such as liveness/startup probe failure, + preemption, resource contention, etc. The handler is not called if the + container crashes or exits. The Pod's termination grace period countdown begins before the + PreStop hook is executed. Regardless of the outcome of the handler, the + container will eventually terminate within the Pod's termination grace + period (unless delayed by finalizers). Other management of the container blocks until the hook completes + or until the termination grace period is reached. + More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks + properties: + exec: + description: Exec specifies a command to execute + in the container. + properties: + command: + description: |- + Command is the command line to execute inside the container, the working directory for the + command is root ('/') in the container's filesystem. The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use + a shell, you need to explicitly call out to that shell. + Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + httpGet: + description: HTTPGet specifies an HTTP GET request + to perform. + properties: + host: + description: |- + Host name to connect to, defaults to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the + request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom + header to be used in HTTP probes + properties: + name: + description: |- + The header field name. + This will be canonicalized upon output, so case-variant names will be understood as the same header. + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: |- + Name or number of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: |- + Scheme to use for connecting to the host. + Defaults to HTTP. + type: string + required: + - port + type: object + sleep: + description: Sleep represents a duration that + the container should sleep. + properties: + seconds: + description: Seconds is the number of seconds + to sleep. + format: int64 + type: integer + required: + - seconds + type: object + tcpSocket: + description: |- + Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept + for backward compatibility. There is no validation of this field and + lifecycle hooks will fail at runtime when it is specified. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: |- + Number or name of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + stopSignal: + description: |- + StopSignal defines which signal will be sent to a container when it is being stopped. + If not specified, the default is defined by the container runtime in use. + StopSignal can only be set for Pods with a non-empty .spec.os.name + type: string + type: object + logLevel: + description: 'Log level for proxy, applies to gateways + and sidecars. If left empty, "warning" is used. Expected + values are: trace\|debug\|info\|warning\|error\|critical\|off' + type: string + outlierLogPath: + description: |- + Path to the file to which the proxy will write outlier detection logs. + + Example: "/dev/stdout" + This would write the logs to standard output. + type: string + privileged: + description: |- + Enables privileged securityContext for the istio-proxy container. + + See https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + type: boolean + readinessFailureThreshold: + description: Sets the number of successive failed probes + before indicating readiness failure. + format: int32 + type: integer + readinessInitialDelaySeconds: + description: Sets the initial delay for readiness probes + in seconds. + format: int32 + type: integer + readinessPeriodSeconds: + description: Sets the interval between readiness probes + in seconds. + format: int32 + type: integer + resources: + description: |- + K8s resources settings. + + See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container + + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + This field depends on the + DynamicResourceAllocation feature gate. + + This field is immutable. It can only be set for containers. + items: + description: ResourceClaim references one entry + in PodSpec.ResourceClaims. + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + startupProbe: + description: Configures the startup probe for the istio-proxy + container. + properties: + enabled: + description: |- + Enables or disables a startup probe. + For optimal startup times, changing this should be tied to the readiness probe values. + + If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4. + This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval), + and doesn't spam the readiness endpoint too much + + If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30. + This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly. + type: boolean + failureThreshold: + description: Minimum consecutive failures for the + probe to be considered failed after having succeeded. + format: int32 + type: integer + type: object + statusPort: + description: Default port used for the Pilot agent's health + checks. + format: int32 + type: integer + tracer: + description: |- + Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver. + If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. + enum: + - zipkin + - lightstep + - datadog + - stackdriver + - openCensusAgent + - none + type: string + type: object + proxy_init: + description: Specifies the Configuration for proxy_init container + which sets the pods' networking to intercept the inbound/outbound + traffic. + properties: + image: + description: Specifies the image for the proxy_init container. + type: string + resources: + description: |- + K8s resources settings. + + See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container + + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + This field depends on the + DynamicResourceAllocation feature gate. + + This field is immutable. It can only be set for containers. + items: + description: ResourceClaim references one entry + in PodSpec.ResourceClaims. + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + type: object + remotePilotAddress: + description: Specifies the Istio control plane’s pilot Pod + IP address or remote cluster DNS resolvable hostname. + type: string + resourceScope: + description: |- + Specifies resource scope for discovery selectors. + This is useful when installing Istio on a cluster where some resources need to be owned by a cluster administrator and some can be owned by the mesh administrator. + enum: + - undefined + - all + - cluster + - namespace + type: string + revision: + description: Configures the revision this control plane is + a part of + type: string + sds: + description: Specifies the Configuration for the SecretDiscoveryService + instead of using K8S secrets to mount the certificates. + properties: + token: + description: 'Deprecated: Marked as deprecated in pkg/apis/values_types.proto.' + properties: + aud: + type: string + type: object + type: object + sts: + description: Specifies the configuration for Security Token + Service. + properties: + servicePort: + format: int32 + type: integer + type: object + tag: + description: Specifies the tag for the Istio docker images. + type: string + tracer: + description: Specifies the Configuration for each of the supported + tracers. + properties: + datadog: + description: Configuration for the datadog tracing service. + properties: + address: + description: Address in host:port format for reporting + trace data to the Datadog agent. + type: string + type: object + lightstep: + description: Configuration for the lightstep tracing service. + properties: + accessToken: + description: Sets the lightstep access token. + type: string + address: + description: Sets the lightstep satellite pool address + in host:port format for reporting trace data. + type: string + type: object + stackdriver: + description: Configuration for the stackdriver tracing + service. + properties: + debug: + description: enables trace output to stdout. + type: boolean + maxNumberOfAnnotations: + description: The global default max number of annotation + events per span. + format: int32 + type: integer + maxNumberOfAttributes: + description: The global default max number of attributes + per span. + format: int32 + type: integer + maxNumberOfMessageEvents: + description: The global default max number of message + events per span. + format: int32 + type: integer + type: object + zipkin: + description: Configuration for the zipkin tracing service. + properties: + address: + description: |- + Address of zipkin instance in host:port format for reporting trace data. + + Example: .:941 + type: string + type: object + type: object + trustBundleName: + description: Select a custom name for istiod's CA Root Cert + ConfigMap. + type: string + variant: + description: The variant of the Istio container images to + use. Options are "debug" or "distroless". Unset will use + the default for the given version. + type: string + waypoint: + description: Specifies how waypoints are configured within + Istio. + properties: + affinity: + description: |- + K8s affinity settings for waypoint pods. + + See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + properties: + nodeAffinity: + description: Describes node affinity scheduling rules + for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node matches the corresponding matchExpressions; the + node(s) with the highest sum are the most preferred. + items: + description: |- + An empty preferred scheduling term matches all objects with implicit weight 0 + (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). + properties: + preference: + description: A node selector term, associated + with the corresponding weight. + properties: + matchExpressions: + description: A list of node selector + requirements by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector + requirements by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching + the corresponding nodeSelectorTerm, in + the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector + terms. The terms are ORed. + items: + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector + requirements by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector + requirements by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: Describes pod affinity scheduling rules + (e.g. co-locate this pod in the same node, zone, + etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched + WeightedPodAffinityTerm fields are added per-node + to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. + items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling + rules (e.g. avoid putting this pod in the same node, + zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the anti-affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, etc.), + compute a sum by iterating through the elements of this field and subtracting + "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched + WeightedPodAffinityTerm fields are added per-node + to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is + a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the anti-affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the anti-affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. + items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: object + nodeSelector: + description: |- + K8s node labels settings. + + See https://kubernetes.io/docs/user-guide/node-selection/ + properties: + nodeSelectorTerms: + description: Required. A list of node selector terms. + The terms are ORed. + items: + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + resources: + description: |- + K8s resource settings. + + See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + This field depends on the + DynamicResourceAllocation feature gate. + + This field is immutable. It can only be set for containers. + items: + description: ResourceClaim references one entry + in PodSpec.ResourceClaims. + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + toleration: + description: |- + K8s tolerations settings. + + See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + topologySpreadConstraints: + description: |- + K8s topology spread constraints settings. + + See https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + items: + description: TopologySpreadConstraint specifies how + to spread matching pods among the given topology. + properties: + labelSelector: + description: |- + LabelSelector is used to find matching pods. + Pods that match this label selector are counted to determine the number of pods + in their corresponding topology domain. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select the pods over which + spreading will be calculated. The keys are used to lookup values from the + incoming pod labels, those key-value labels are ANDed with labelSelector + to select the group of existing pods over which spreading will be calculated + for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + MatchLabelKeys cannot be set when LabelSelector isn't set. + Keys that don't exist in the incoming pod labels will + be ignored. A null or empty list means only match against labelSelector. + + This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + description: |- + MaxSkew describes the degree to which pods may be unevenly distributed. + When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference + between the number of matching pods in the target topology and the global minimum. + The global minimum is the minimum number of matching pods in an eligible domain + or zero if the number of eligible domains is less than MinDomains. + For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 2/2/1: + In this case, the global minimum is 1. + | zone1 | zone2 | zone3 | + | P P | P P | P | + - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2; + scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2) + violate MaxSkew(1). + - if MaxSkew is 2, incoming pod can be scheduled onto any zone. + When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence + to topologies that satisfy it. + It's a required field. Default value is 1 and 0 is not allowed. + format: int32 + type: integer + minDomains: + description: |- + MinDomains indicates a minimum number of eligible domains. + When the number of eligible domains with matching topology keys is less than minDomains, + Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed. + And when the number of eligible domains with matching topology keys equals or greater than minDomains, + this value has no effect on scheduling. + As a result, when the number of eligible domains is less than minDomains, + scheduler won't schedule more than maxSkew Pods to those domains. + If value is nil, the constraint behaves as if MinDomains is equal to 1. + Valid values are integers greater than 0. + When value is not nil, WhenUnsatisfiable must be DoNotSchedule. + + For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same + labelSelector spread as 2/2/2: + | zone1 | zone2 | zone3 | + | P P | P P | P P | + The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0. + In this situation, new pod with the same labelSelector cannot be scheduled, + because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, + it will violate MaxSkew. + format: int32 + type: integer + nodeAffinityPolicy: + description: |- + NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector + when calculating pod topology spread skew. Options are: + - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. + - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations. + + If this value is nil, the behavior is equivalent to the Honor policy. + type: string + nodeTaintsPolicy: + description: |- + NodeTaintsPolicy indicates how we will treat node taints when calculating + pod topology spread skew. Options are: + - Honor: nodes without taints, along with tainted nodes for which the incoming pod + has a toleration, are included. + - Ignore: node taints are ignored. All nodes are included. + + If this value is nil, the behavior is equivalent to the Ignore policy. + type: string + topologyKey: + description: |- + TopologyKey is the key of node labels. Nodes that have a label with this key + and identical values are considered to be in the same topology. + We consider each as a "bucket", and try to put balanced number + of pods into each bucket. + We define a domain as a particular instance of a topology. + Also, we define an eligible domain as a domain whose nodes meet the requirements of + nodeAffinityPolicy and nodeTaintsPolicy. + e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology. + And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology. + It's a required field. + type: string + whenUnsatisfiable: + description: |- + WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy + the spread constraint. + - DoNotSchedule (default) tells the scheduler not to schedule it. + - ScheduleAnyway tells the scheduler to schedule the pod in any location, + but giving higher precedence to topologies that would help reduce the + skew. + A constraint is considered "Unsatisfiable" for an incoming pod + if and only if every possible node assignment for that pod would violate + "MaxSkew" on some topology. + For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 3/1/1: + | zone1 | zone2 | zone3 | + | P P P | P | P | + If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled + to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies + MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler + won't make it *more* imbalanced. + It's a required field. + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array + type: object + type: object + istiodRemote: + description: |- + Configuration for istiod-remote. + DEPRECATED - istiod-remote chart is removed and replaced with + `istio-discovery --set values.istiodRemote.enabled=true` + + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. + properties: + enabled: + description: Indicates if this cluster/install should consume + a "remote" istiod instance, + type: boolean + enabledLocalInjectorIstiod: + description: |- + If `true`, indicates that this cluster/install should consume a "local istiod" installation, + local istiod inject sidecars + type: boolean + injectionCABundle: + description: injector ca bundle + type: string + injectionPath: + description: Path to use for the sidecar injector webhook + service. + type: string + injectionURL: + description: URL to use for sidecar injector webhook. + type: string + type: object + meshConfig: + description: |- + Defines runtime configuration of components, including Istiod and istio-agent behavior. + See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options. + properties: + accessLogEncoding: + description: |- + Encoding for the proxy access log (`TEXT` or `JSON`). + Default value is `TEXT`. + enum: + - TEXT + - JSON + type: string + accessLogFile: + description: |- + File address for the proxy access log (e.g. /dev/stdout). + Empty value disables access logging. + type: string + accessLogFormat: + description: |- + Format for the proxy access log + Empty value results in proxy's default access log format + type: string + ca: + description: |- + If specified, Istiod will authorize and forward the CSRs from the workloads to the specified external CA + using the Istio CA gRPC API. + properties: + address: + description: |- + REQUIRED. Address of the CA server implementing the Istio CA gRPC API. + Can be IP address or a fully qualified DNS name with port + Eg: custom-ca.default.svc.cluster.local:8932, 192.168.23.2:9000 + type: string + istiodSide: + description: |- + Use istiodSide to specify CA Server integrate to Istiod side or Agent side + Default: true + type: boolean + requestTimeout: + description: |- + timeout for forward CSR requests from Istiod to External CA + Default: 10s + type: string + tlsSettings: + description: |- + Use the tlsSettings to specify the tls mode to use. + Regarding tlsSettings: + - DISABLE MODE is legitimate for the case Istiod is making the request via an Envoy sidecar. + DISABLE MODE can also be used for testing + - TLS MUTUAL MODE be on by default. If the CA certificates + (cert bundle to verify the CA server's certificate) is omitted, Istiod will + use the system root certs to verify the CA server's certificate. + properties: + caCertificates: + description: |- + OPTIONAL: The path to the file containing certificate authority + certificates to use in verifying a presented server certificate. If + omitted, the proxy will verify the server's certificate using + the OS CA certificates. + Should be empty if mode is `ISTIO_MUTUAL`. + type: string + caCrl: + description: |- + OPTIONAL: The path to the file containing the certificate revocation list (CRL) + to use in verifying a presented server certificate. `CRL` is a list of certificates + that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. + If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. + If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set, + `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential. + type: string + clientCertificate: + description: |- + REQUIRED if mode is `MUTUAL`. The path to the file holding the + client-side TLS certificate to use. + Should be empty if mode is `ISTIO_MUTUAL`. + type: string + credentialName: + description: |- + The name of the secret that holds the TLS certs for the + client including the CA certificates. This secret must exist in + the namespace of the proxy using the certificates. + An Opaque secret should contain the following keys and values: + `key: `, `cert: `, `cacert: `, + `crl: ` + Here CACertificate is used to verify the server certificate. + For mutual TLS, `cacert: ` can be provided in the + same secret or a separate secret named `-cacert`. + A TLS secret for client certificates with an additional + `ca.crt` key for CA certificates and `ca.crl` key for + certificate revocation list(CRL) is also supported. + Only one of client certificates and CA certificate + or credentialName can be specified. + + **NOTE:** This field is applicable at sidecars only if + `DestinationRule` has a `workloadSelector` specified. + Otherwise the field will be applicable only at gateways, and + sidecars will continue to use the certificate paths. + type: string + insecureSkipVerify: + description: |- + `insecureSkipVerify` specifies whether the proxy should skip verifying the + CA signature and SAN for the server certificate corresponding to the host. + The default value of this field is false. + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured + using TLS. The value of this field determines how TLS is enforced. + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: |- + REQUIRED if mode is `MUTUAL`. The path to the file holding the + client's private key. + Should be empty if mode is `ISTIO_MUTUAL`. + type: string + sni: + description: |- + SNI string to present to the server during TLS handshake. + If unspecified, SNI will be automatically set based on downstream HTTP + host/authority header for SIMPLE and MUTUAL TLS modes. + type: string + subjectAltNames: + description: |- + A list of alternate names to verify the subject identity in the + certificate. If specified, the proxy will verify that the server + certificate's subject alt name matches one of the specified values. + If specified, this list overrides the value of `subjectAltNames` + from the `ServiceEntry`. If unspecified, automatic validation of upstream + presented certificate for new upstream connections will be done based on the + downstream HTTP host/authority header. + items: + type: string + type: array + type: object + required: + - address + type: object + caCertificates: + description: |- + The extra root certificates for workload-to-workload communication. + The plugin certificates (the 'cacerts' secret) or self-signed certificates (the 'istio-ca-secret' secret) + are automatically added by Istiod. + The CA certificate that signs the workload certificates is automatically added by Istio Agent. + items: + properties: + certSigners: + description: |- + when Istiod is acting as RA(registration authority) + If set, they are used for these signers. Otherwise, this trustAnchor is used for all signers. + items: + type: string + type: array + pem: + description: The PEM data of the certificate. + type: string + spiffeBundleUrl: + description: |- + The SPIFFE bundle endpoint URL that complies to: + https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#the-spiffe-trust-domain-and-bundle + The endpoint should support authentication based on Web PKI: + https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#521-web-pki + The certificate is retrieved from the endpoint. + type: string + trustDomains: + description: |- + Optional. Specify the list of trust domains to which this trustAnchor data belongs. + If set, they are used for these trust domains. Otherwise, this trustAnchor is used for default trust domain + and its aliases. + Note that we can have multiple trustAnchor data for a same trustDomain. + In that case, trustAnchors with a same trust domain will be merged and used together to verify peer certificates. + If neither certSigners nor trustDomains is set, this trustAnchor is used for all trust domains and all signers. + If only trustDomains is set, this trustAnchor is used for these trustDomains and all signers. + If only certSigners is set, this trustAnchor is used for these certSigners and all trust domains. + If both certSigners and trustDomains is set, this trustAnchor is only used for these signers and trust domains. + items: + type: string + type: array + type: object + x-kubernetes-validations: + - message: At most one of [pem spiffeBundleUrl] should be + set + rule: (has(self.pem)?1:0) + (has(self.spiffeBundleUrl)?1:0) + <= 1 + type: array + certificates: + description: |- + Configure the provision of certificates. + + Note: Deprecated, please refer to Cert-Manager or other cert provisioning solutions to sign DNS certificates. + + Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto. + items: + description: "Certificate configures the provision of a + certificate and its key.\nExample 1: key and cert stored + in a secret\n```\n{ secretName: galley-cert\n\n\t secretNamespace: + istio-system\n\t dnsNames:\n\t - galley.istio-system.svc\n\t + \ - galley.mydomain.com\n\t}\n\n```\nExample 2: key + and cert stored in a directory\n```\n{ dnsNames:\n - + pilot.istio-system\n - pilot.istio-system.svc\n - pilot.mydomain.com\n + \ }\n\n```" + properties: + dnsNames: + description: |- + The DNS names for the certificate. A certificate may contain + multiple DNS names. + items: + type: string + type: array + secretName: + description: |- + Name of the secret the certificate and its key will be stored into. + If it is empty, it will not be stored into a secret. + Instead, the certificate and its key will be stored into a hard-coded directory. + type: string + type: object + type: array + configSources: + description: |- + ConfigSource describes a source of configuration data for networking + rules, and other Istio configuration artifacts. Multiple data sources + can be configured for a single control plane. + items: + description: |- + ConfigSource describes information about a configuration store inside a + mesh. A single control plane instance can interact with one or more data + sources. + properties: + address: + description: |- + Address of the server implementing the Istio Mesh Configuration + protocol (MCP). Can be IP address or a fully qualified DNS name. + Use xds:// to specify a grpc-based xds backend, k8s:// to specify a k8s controller or + fs:/// to specify a file-based backend with absolute path to the directory. + type: string + subscribedResources: + description: Describes the source of configuration, + if nothing is specified default is MCP + items: + description: Resource describes the source of configuration + enum: + - SERVICE_REGISTRY + type: string + type: array + tlsSettings: + description: |- + Use the tlsSettings to specify the tls mode to use. If the MCP server + uses Istio mutual TLS and shares the root CA with istiod, specify the TLS + mode as `ISTIO_MUTUAL`. + properties: + caCertificates: + description: |- + OPTIONAL: The path to the file containing certificate authority + certificates to use in verifying a presented server certificate. If + omitted, the proxy will verify the server's certificate using + the OS CA certificates. + Should be empty if mode is `ISTIO_MUTUAL`. + type: string + caCrl: + description: |- + OPTIONAL: The path to the file containing the certificate revocation list (CRL) + to use in verifying a presented server certificate. `CRL` is a list of certificates + that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. + If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. + If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set, + `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential. + type: string + clientCertificate: + description: |- + REQUIRED if mode is `MUTUAL`. The path to the file holding the + client-side TLS certificate to use. + Should be empty if mode is `ISTIO_MUTUAL`. + type: string + credentialName: + description: |- + The name of the secret that holds the TLS certs for the + client including the CA certificates. This secret must exist in + the namespace of the proxy using the certificates. + An Opaque secret should contain the following keys and values: + `key: `, `cert: `, `cacert: `, + `crl: ` + Here CACertificate is used to verify the server certificate. + For mutual TLS, `cacert: ` can be provided in the + same secret or a separate secret named `-cacert`. + A TLS secret for client certificates with an additional + `ca.crt` key for CA certificates and `ca.crl` key for + certificate revocation list(CRL) is also supported. + Only one of client certificates and CA certificate + or credentialName can be specified. + + **NOTE:** This field is applicable at sidecars only if + `DestinationRule` has a `workloadSelector` specified. + Otherwise the field will be applicable only at gateways, and + sidecars will continue to use the certificate paths. + type: string + insecureSkipVerify: + description: |- + `insecureSkipVerify` specifies whether the proxy should skip verifying the + CA signature and SAN for the server certificate corresponding to the host. + The default value of this field is false. + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured + using TLS. The value of this field determines how TLS is enforced. + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: |- + REQUIRED if mode is `MUTUAL`. The path to the file holding the + client's private key. + Should be empty if mode is `ISTIO_MUTUAL`. + type: string + sni: + description: |- + SNI string to present to the server during TLS handshake. + If unspecified, SNI will be automatically set based on downstream HTTP + host/authority header for SIMPLE and MUTUAL TLS modes. + type: string + subjectAltNames: + description: |- + A list of alternate names to verify the subject identity in the + certificate. If specified, the proxy will verify that the server + certificate's subject alt name matches one of the specified values. + If specified, this list overrides the value of `subjectAltNames` + from the `ServiceEntry`. If unspecified, automatic validation of upstream + presented certificate for new upstream connections will be done based on the + downstream HTTP host/authority header. + items: + type: string + type: array + type: object + type: object + type: array + connectTimeout: + description: |- + Connection timeout used by Envoy. (MUST be >=1ms) + Default timeout is 10s. + type: string + defaultConfig: + description: |- + Default proxy config used by gateway and sidecars. + In case of Kubernetes, the proxy config is applied once during the injection process, + and remain constant for the duration of the pod. The rest of the mesh config can be changed + at runtime and config gets distributed dynamically. + On Kubernetes, this can be overridden on individual pods with the `proxy.istio.io/config` annotation. + properties: + availabilityZone: + description: 'Deprecated: Marked as deprecated in mesh/v1alpha1/proxy.proto.' + type: string + binaryPath: + description: Path to the proxy binary + type: string + caCertificatesPem: + description: |- + The PEM data of the extra root certificates for workload-to-workload communication. + This includes the certificates defined in MeshConfig and any other certificates that Istiod uses as CA. + The plugin certificates (the 'cacerts' secret), self-signed certificates (the 'istio-ca-secret' secret) + are added automatically by Istiod. + items: + type: string + type: array + concurrency: + description: |- + The number of worker threads to run. + If unset, which is recommended, this will be automatically determined based on CPU requests/limits. + If set to 0, all cores on the machine will be used, ignoring CPU requests or limits. This can lead to major performance + issues if CPU limits are also set. + format: int32 + type: integer + configPath: + description: |- + Path to the generated configuration file directory. + Proxy agent generates the actual configuration and stores it in this directory. + type: string + controlPlaneAuthPolicy: + description: |- + AuthenticationPolicy defines how the proxy is authenticated when it connects to the control plane. + Default is set to `MUTUAL_TLS`. + enum: + - NONE + - MUTUAL_TLS + - INHERIT + type: string + customConfigFile: + description: |- + File path of custom proxy configuration, currently used by proxies + in front of istiod. + type: string + discoveryAddress: + description: |- + Address of the discovery service exposing xDS with mTLS connection. + The inject configuration may override this value. + type: string + discoveryRefreshDelay: + description: 'Deprecated: Marked as deprecated in mesh/v1alpha1/proxy.proto.' + type: string + drainDuration: + description: |- + restart. MUST be >=1s (e.g., _1s/1m/1h_) + Default drain duration is `45s`. + type: string + envoyAccessLogService: + description: |- + Address of the service to which access logs from Envoys should be + sent. (e.g. `accesslog-service:15000`). See [Access Log + Service](https://www.envoyproxy.io/docs/envoy/latest/api-v2/config/accesslog/v2/als.proto) + for details about Envoy's gRPC Access Log Service API. + properties: + address: + description: |- + Address of a remove service used for various purposes (access log + receiver, metrics receiver, etc.). Can be IP address or a fully + qualified DNS name. + type: string + tcpKeepalive: + description: If set then set `SO_KEEPALIVE` on the + socket to enable TCP Keepalives. + properties: + interval: + description: |- + The time duration between keep-alive probes. + Default is to use the OS level configuration + (unless overridden, Linux defaults to 75s.) + type: string + probes: + description: |- + Maximum number of keepalive probes to send without response before + deciding the connection is dead. Default is to use the OS level configuration + (unless overridden, Linux defaults to 9.) + format: int32 + type: integer + time: + description: |- + The time duration a connection needs to be idle before keep-alive + probes start being sent. Default is to use the OS level configuration + (unless overridden, Linux defaults to 7200s (ie 2 hours.) + type: string + type: object + tlsSettings: + description: |- + Use the `tlsSettings` to specify the tls mode to use. If the remote service + uses Istio mutual TLS and shares the root CA with istiod, specify the TLS + mode as `ISTIO_MUTUAL`. + properties: + caCertificates: + description: |- + OPTIONAL: The path to the file containing certificate authority + certificates to use in verifying a presented server certificate. If + omitted, the proxy will verify the server's certificate using + the OS CA certificates. + Should be empty if mode is `ISTIO_MUTUAL`. + type: string + caCrl: + description: |- + OPTIONAL: The path to the file containing the certificate revocation list (CRL) + to use in verifying a presented server certificate. `CRL` is a list of certificates + that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. + If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. + If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set, + `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential. + type: string + clientCertificate: + description: |- + REQUIRED if mode is `MUTUAL`. The path to the file holding the + client-side TLS certificate to use. + Should be empty if mode is `ISTIO_MUTUAL`. + type: string + credentialName: + description: |- + The name of the secret that holds the TLS certs for the + client including the CA certificates. This secret must exist in + the namespace of the proxy using the certificates. + An Opaque secret should contain the following keys and values: + `key: `, `cert: `, `cacert: `, + `crl: ` + Here CACertificate is used to verify the server certificate. + For mutual TLS, `cacert: ` can be provided in the + same secret or a separate secret named `-cacert`. + A TLS secret for client certificates with an additional + `ca.crt` key for CA certificates and `ca.crl` key for + certificate revocation list(CRL) is also supported. + Only one of client certificates and CA certificate + or credentialName can be specified. + + **NOTE:** This field is applicable at sidecars only if + `DestinationRule` has a `workloadSelector` specified. + Otherwise the field will be applicable only at gateways, and + sidecars will continue to use the certificate paths. + type: string + insecureSkipVerify: + description: |- + `insecureSkipVerify` specifies whether the proxy should skip verifying the + CA signature and SAN for the server certificate corresponding to the host. + The default value of this field is false. + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured + using TLS. The value of this field determines how TLS is enforced. + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: |- + REQUIRED if mode is `MUTUAL`. The path to the file holding the + client's private key. + Should be empty if mode is `ISTIO_MUTUAL`. + type: string + sni: + description: |- + SNI string to present to the server during TLS handshake. + If unspecified, SNI will be automatically set based on downstream HTTP + host/authority header for SIMPLE and MUTUAL TLS modes. + type: string + subjectAltNames: + description: |- + A list of alternate names to verify the subject identity in the + certificate. If specified, the proxy will verify that the server + certificate's subject alt name matches one of the specified values. + If specified, this list overrides the value of `subjectAltNames` + from the `ServiceEntry`. If unspecified, automatic validation of upstream + presented certificate for new upstream connections will be done based on the + downstream HTTP host/authority header. + items: + type: string + type: array + type: object + type: object + envoyMetricsService: + description: |- + Address of the Envoy Metrics Service implementation (e.g. `metrics-service:15000`). + See [Metric Service](https://www.envoyproxy.io/docs/envoy/latest/api-v2/config/metrics/v2/metrics_service.proto) + for details about Envoy's Metrics Service API. + properties: + address: + description: |- + Address of a remove service used for various purposes (access log + receiver, metrics receiver, etc.). Can be IP address or a fully + qualified DNS name. + type: string + tcpKeepalive: + description: If set then set `SO_KEEPALIVE` on the + socket to enable TCP Keepalives. + properties: + interval: + description: |- + The time duration between keep-alive probes. + Default is to use the OS level configuration + (unless overridden, Linux defaults to 75s.) + type: string + probes: + description: |- + Maximum number of keepalive probes to send without response before + deciding the connection is dead. Default is to use the OS level configuration + (unless overridden, Linux defaults to 9.) + format: int32 + type: integer + time: + description: |- + The time duration a connection needs to be idle before keep-alive + probes start being sent. Default is to use the OS level configuration + (unless overridden, Linux defaults to 7200s (ie 2 hours.) + type: string + type: object + tlsSettings: + description: |- + Use the `tlsSettings` to specify the tls mode to use. If the remote service + uses Istio mutual TLS and shares the root CA with istiod, specify the TLS + mode as `ISTIO_MUTUAL`. + properties: + caCertificates: + description: |- + OPTIONAL: The path to the file containing certificate authority + certificates to use in verifying a presented server certificate. If + omitted, the proxy will verify the server's certificate using + the OS CA certificates. + Should be empty if mode is `ISTIO_MUTUAL`. + type: string + caCrl: + description: |- + OPTIONAL: The path to the file containing the certificate revocation list (CRL) + to use in verifying a presented server certificate. `CRL` is a list of certificates + that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. + If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. + If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set, + `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential. + type: string + clientCertificate: + description: |- + REQUIRED if mode is `MUTUAL`. The path to the file holding the + client-side TLS certificate to use. + Should be empty if mode is `ISTIO_MUTUAL`. + type: string + credentialName: + description: |- + The name of the secret that holds the TLS certs for the + client including the CA certificates. This secret must exist in + the namespace of the proxy using the certificates. + An Opaque secret should contain the following keys and values: + `key: `, `cert: `, `cacert: `, + `crl: ` + Here CACertificate is used to verify the server certificate. + For mutual TLS, `cacert: ` can be provided in the + same secret or a separate secret named `-cacert`. + A TLS secret for client certificates with an additional + `ca.crt` key for CA certificates and `ca.crl` key for + certificate revocation list(CRL) is also supported. + Only one of client certificates and CA certificate + or credentialName can be specified. + + **NOTE:** This field is applicable at sidecars only if + `DestinationRule` has a `workloadSelector` specified. + Otherwise the field will be applicable only at gateways, and + sidecars will continue to use the certificate paths. + type: string + insecureSkipVerify: + description: |- + `insecureSkipVerify` specifies whether the proxy should skip verifying the + CA signature and SAN for the server certificate corresponding to the host. + The default value of this field is false. + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured + using TLS. The value of this field determines how TLS is enforced. + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: |- + REQUIRED if mode is `MUTUAL`. The path to the file holding the + client's private key. + Should be empty if mode is `ISTIO_MUTUAL`. + type: string + sni: + description: |- + SNI string to present to the server during TLS handshake. + If unspecified, SNI will be automatically set based on downstream HTTP + host/authority header for SIMPLE and MUTUAL TLS modes. + type: string + subjectAltNames: + description: |- + A list of alternate names to verify the subject identity in the + certificate. If specified, the proxy will verify that the server + certificate's subject alt name matches one of the specified values. + If specified, this list overrides the value of `subjectAltNames` + from the `ServiceEntry`. If unspecified, automatic validation of upstream + presented certificate for new upstream connections will be done based on the + downstream HTTP host/authority header. + items: + type: string + type: array + type: object + type: object + envoyMetricsServiceAddress: + description: 'Deprecated: Marked as deprecated in mesh/v1alpha1/proxy.proto.' + type: string + extraStatTags: + description: |- + An additional list of tags to extract from the in-proxy Istio telemetry. These extra tags can be + added by configuring the telemetry extension. Each additional tag needs to be present in this list. + Extra tags emitted by the telemetry extensions must be listed here so that they can be processed + and exposed as Prometheus metrics. + Deprecated: `istio.stats` is a native filter now, this field is no longer needed. + items: + type: string + type: array + gatewayTopology: + description: |- + Topology encapsulates the configuration which describes where the proxy is + located i.e. behind a (or N) trusted proxy (proxies) or directly exposed + to the internet. This configuration only effects gateways and is applied + to all the gateways in the cluster unless overridden via annotations of the + gateway workloads. + properties: + forwardClientCertDetails: + description: |- + Configures how the gateway proxy handles x-forwarded-client-cert (XFCC) + header in the incoming request. + enum: + - UNDEFINED + - SANITIZE + - FORWARD_ONLY + - APPEND_FORWARD + - SANITIZE_SET + - ALWAYS_FORWARD_ONLY + type: string + numTrustedProxies: + description: |- + Number of trusted proxies deployed in front of the Istio gateway proxy. + When this option is set to value N greater than zero, the trusted client + address is assumed to be the Nth address from the right end of the + X-Forwarded-For (XFF) header from the incoming request. If the + X-Forwarded-For (XFF) header is missing or has fewer than N addresses, the + gateway proxy falls back to using the immediate downstream connection's + source address as the trusted client address. + Note that the gateway proxy will append the downstream connection's source + address to the X-Forwarded-For (XFF) address and set the + X-Envoy-External-Address header to the trusted client address before + forwarding it to the upstream services in the cluster. + The default value of numTrustedProxies is 0. + See [Envoy XFF](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#config-http-conn-man-headers-x-forwarded-for) + header handling for more details. + format: int32 + type: integer + proxyProtocol: + description: |- + Enables [PROXY protocol](http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt) for + downstream connections on a gateway. + type: object + type: object + holdApplicationUntilProxyStarts: + description: |- + Boolean flag for enabling/disabling the holdApplicationUntilProxyStarts behavior. + This feature adds hooks to delay application startup until the pod proxy + is ready to accept traffic, mitigating some startup race conditions. + Default value is 'false'. + type: boolean + image: + description: Specifies the details of the proxy image. + properties: + imageType: + description: |- + The image type of the image. + Istio publishes default, debug, and distroless images. + Other values are allowed if those image types (example: centos) are published to the specified hub. + supported values: default, debug, distroless. + type: string + type: object + interceptionMode: + description: The mode used to redirect inbound traffic + to Envoy. + enum: + - REDIRECT + - TPROXY + - NONE + type: string + meshId: + description: |- + The unique identifier for the [service mesh](https://istio.io/docs/reference/glossary/#service-mesh) + All control planes running in the same service mesh should specify the same mesh ID. + Mesh ID is used to label telemetry reports for cases where telemetry from multiple meshes is mixed together. + type: string + privateKeyProvider: + description: Specifies the details of the Private Key + Provider configuration for gateway and sidecar proxies. + properties: + cryptomb: + description: Use CryptoMb private key provider + properties: + fallback: + description: |- + If the private key provider isn’t available (eg. the required hardware capability doesn’t existed) + Envoy will fallback to the BoringSSL default implementation when the fallback is true. + The default value is false. + type: boolean + pollDelay: + description: |- + How long to wait until the per-thread processing queue should be processed. If the processing queue + gets full (eight sign or decrypt requests are received) it is processed immediately. + However, if the queue is not filled before the delay has expired, the requests already in the queue + are processed, even if the queue is not full. + In effect, this value controls the balance between latency and throughput. + The duration needs to be set to a value greater than or equal to 1 millisecond. + type: string + type: object + qat: + description: Use QAT private key provider + properties: + fallback: + description: |- + If the private key provider isn’t available (eg. the required hardware capability doesn’t existed) + Envoy will fallback to the BoringSSL default implementation when the fallback is true. + The default value is false. + type: boolean + pollDelay: + description: |- + How long to wait before polling the hardware accelerator after a request has been submitted there. + Having a small value leads to quicker answers from the hardware but causes more polling loop spins, + leading to potentially larger CPU usage. + The duration needs to be set to a value greater than or equal to 1 millisecond. + type: string + type: object + type: object + x-kubernetes-validations: + - message: At most one of [cryptomb qat] should be set + rule: (has(self.cryptomb)?1:0) + (has(self.qat)?1:0) + <= 1 + proxyAdminPort: + description: |- + Port on which Envoy should listen for administrative commands. + Default port is `15000`. + format: int32 + type: integer + proxyBootstrapTemplatePath: + description: Path to the proxy bootstrap template file + type: string + proxyHeaders: + description: "Define the set of headers to add/modify + for HTTP request/responses.\n\nTo enable an optional + header, simply set the field. If no specific configuration + is required, an empty object (`{}`) will enable it.\nNote: + currently all headers are enabled by default.\n\nBelow + shows an example of customizing the `server` header + and disabling the `X-Envoy-Attempt-Count` header:\n\n```yaml\nproxyHeaders:\n\n\tserver:\n\t + \ value: \"my-custom-server\"\n\t# Explicitly enable + Request IDs.\n\t# As this is the default, this has no + effect.\n\trequestId: {}\n\tattemptCount:\n\t disabled: + true\n\n```\n\n# Below shows an example of preserving + the header case for HTTP 1.x requests\n\n```yaml\nproxyHeaders:\n\n\tpreserveHttp1HeaderCase: + true\n\n```\n\nSome headers are enabled by default, + and require explicitly disabling. See below for an example + of disabling all default-enabled headers:\n\n```yaml\nproxyHeaders:\n\n\tforwardedClientCert: + SANITIZE\n\tserver:\n\t disabled: true\n\trequestId:\n\t + \ disabled: true\n\tattemptCount:\n\t disabled: true\n\tenvoyDebugHeaders:\n\t + \ disabled: true\n\tmetadataExchangeHeaders:\n\t mode: + IN_MESH\n\n```" + properties: + attemptCount: + description: |- + Controls the `X-Envoy-Attempt-Count` header. + If enabled, this header will be added on outbound request headers (including gateways) that have retries configured. + If disabled, this header will not be set. If it is already present, it will be preserved. + This header is enabled by default if not configured. + properties: + disabled: + type: boolean + type: object + envoyDebugHeaders: + description: |- + Controls various `X-Envoy-*` headers, such as `X-Envoy-Overloaded` and `X-Envoy-Upstream-Service-Time`. If enabled, + these headers will be included. + If disabled, these headers will not be set. If they are already present, they will be preserved. + See the [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/router/v3/router.proto#envoy-v3-api-field-extensions-filters-http-router-v3-router-suppress-envoy-headers) for more details. + These headers are enabled by default if not configured. + properties: + disabled: + type: boolean + type: object + forwardedClientCert: + description: |- + Controls the `X-Forwarded-Client-Cert` header for inbound sidecar requests. To set this on gateways, use the `Topology` setting. + To disable the header, configure either `SANITIZE` (to always remove the header, if present) or `FORWARD_ONLY` (to leave the header as-is). + By default, `APPEND_FORWARD` will be used. + enum: + - UNDEFINED + - SANITIZE + - FORWARD_ONLY + - APPEND_FORWARD + - SANITIZE_SET + - ALWAYS_FORWARD_ONLY + type: string + metadataExchangeHeaders: + description: |- + Controls Istio metadata exchange headers `X-Envoy-Peer-Metadata` and `X-Envoy-Peer-Metadata-Id`. + By default, the behavior is unspecified. + If IN_MESH, these headers will not be appended to outbound requests from sidecars to services not in-mesh. + properties: + mode: + enum: + - UNDEFINED + - IN_MESH + type: string + type: object + preserveHttp1HeaderCase: + description: |- + When true, the original case of HTTP/1.x headers will be preserved + as they pass through the proxy, rather than normalizing them to lowercase. + This field is particularly useful for applications that require case-sensitive + headers for interoperability with downstream systems or APIs that expect specific + casing. + The preserve_http1_header_case option only applies to HTTP/1.x traffic, as HTTP/2 requires all headers + to be lowercase per the protocol specification. Envoy will ignore this field for HTTP/2 + requests and automatically normalize headers to lowercase, ensuring compliance with HTTP/2 + standards. + type: boolean + requestId: + description: |- + Controls the `X-Request-Id` header. If enabled, a request ID is generated for each request if one is not already set. + This applies to all types of traffic (inbound, outbound, and gateways). + If disabled, no request ID will be generate for the request. If it is already present, it will be preserved. + Warning: request IDs are a critical component to mesh tracing and logging, so disabling this is not recommended. + This header is enabled by default if not configured. + properties: + disabled: + type: boolean + type: object + server: + description: |- + Controls the `server` header. If enabled, the `Server: istio-envoy` header is set in response headers for inbound traffic (including gateways). + If disabled, the `Server` header is not modified. If it is already present, it will be preserved. + properties: + disabled: + type: boolean + value: + description: If set, and the server header is + enabled, this value will be set as the server + header. By default, `istio-envoy` will be used. + type: string + type: object + setCurrentClientCertDetails: + description: |- + This field is valid only when forward_client_cert_details is APPEND_FORWARD or SANITIZE_SET + and the client connection is mTLS. It specifies the fields in + the client certificate to be forwarded. Note that `Hash` is always set, and + `By` is always set when the client certificate presents the URI type Subject Alternative Name value. + properties: + cert: + description: |- + Whether to forward the entire client cert in URL encoded PEM format. This will appear in the + XFCC header comma separated from other values with the value Cert="PEM". + Defaults to false. + type: boolean + chain: + description: |- + Whether to forward the entire client cert chain (including the leaf cert) in URL encoded PEM + format. This will appear in the XFCC header comma separated from other values with the value + Chain="PEM". + Defaults to false. + type: boolean + dns: + description: |- + Whether to forward the DNS type Subject Alternative Names of the client cert. + Defaults to true. + type: boolean + subject: + description: Whether to forward the subject of + the client cert. Defaults to true. + type: boolean + uri: + description: |- + Whether to forward the URI type Subject Alternative Name of the client cert. Defaults to + true. + type: boolean + type: object + xForwardedHost: + description: |- + Controls the `X-Forwarded-Host` header. If enabled, the `X-Forwarded-Host` header is appended + with the original host when it is rewritten. + This header is disabled by default. + properties: + enabled: + type: boolean + type: object + xForwardedPort: + description: |- + Controls the `X-Forwarded-Port` header. If enabled, the `X-Forwarded-Port` header is header with the port value + client used to connect to Envoy. It will be ignored if the “x-forwarded-port“ header has been set by any + trusted proxy in front of Envoy. + This header is disabled by default. + properties: + enabled: + type: boolean + type: object + type: object + proxyMetadata: + additionalProperties: + type: string + description: |- + Additional environment variables for the proxy. + Names starting with `ISTIO_META_` will be included in the generated bootstrap and sent to the XDS server. + type: object + proxyStatsMatcher: + description: "Proxy stats matcher defines configuration + for reporting custom Envoy stats.\nTo reduce memory + and CPU overhead from Envoy stats system, Istio proxies + by\ndefault create and expose only a subset of Envoy + stats. This option is to\ncontrol creation of additional + Envoy stats with prefix, suffix, and regex\nexpressions + match on the name of the stats. This replaces the stats\ninclusion + annotations\n(`sidecar.istio.io/statsInclusionPrefixes`,\n`sidecar.istio.io/statsInclusionRegexps`, + and\n`sidecar.istio.io/statsInclusionSuffixes`). For + example, to enable stats\nfor circuit breakers, request + retries, upstream connections, and request timeouts,\nyou + can specify stats matcher as follows:\n```yaml\nproxyStatsMatcher:\n\n\tinclusionRegexps:\n\t + \ - .*outlier_detection.*\n\t - .*upstream_rq_retry.*\n\t + \ - .*upstream_cx_.*\n\tinclusionSuffixes:\n\t - upstream_rq_timeout\n\n```\nNote + including more Envoy stats might increase number of + time series\ncollected by prometheus significantly. + Care needs to be taken on Prometheus\nresource provision + and configuration to reduce cardinality." + properties: + inclusionPrefixes: + description: Proxy stats name prefix matcher for inclusion. + items: + type: string + type: array + inclusionRegexps: + description: Proxy stats name regexps matcher for + inclusion. + items: + type: string + type: array + inclusionSuffixes: + description: Proxy stats name suffix matcher for inclusion. + items: + type: string + type: array + type: object + readinessProbe: + description: |- + VM Health Checking readiness probe. This health check config exactly mirrors the + kubernetes readiness probe configuration both in schema and logic. + Only one health check method of 3 can be set at a time. + properties: + exec: + description: Exec specifies a command to execute in + the container. + properties: + command: + description: |- + Command is the command line to execute inside the container, the working directory for the + command is root ('/') in the container's filesystem. The command is simply exec'd, it is + not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use + a shell, you need to explicitly call out to that shell. + Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + failureThreshold: + description: |- + Minimum consecutive failures for the probe to be considered failed after having succeeded. + Defaults to 3. Minimum value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies a GRPC HealthCheckRequest. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + default: "" + description: |- + Service is the name of the service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + + If this is not specified, the default behavior is defined by gRPC. + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies an HTTP GET request + to perform. + properties: + host: + description: |- + Host name to connect to, defaults to the pod IP. You probably want to set + "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. + HTTP allows repeated headers. + items: + description: HTTPHeader describes a custom header + to be used in HTTP probes + properties: + name: + description: |- + The header field name. + This will be canonicalized upon output, so case-variant names will be understood as the same header. + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + x-kubernetes-list-type: atomic + path: + description: Path to access on the HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: |- + Name or number of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: |- + Scheme to use for connecting to the host. + Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: |- + Number of seconds after the container has started before liveness probes are initiated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + format: int32 + type: integer + periodSeconds: + description: |- + How often (in seconds) to perform the probe. + Default to 10 seconds. Minimum value is 1. + format: int32 + type: integer + successThreshold: + description: |- + Minimum consecutive successes for the probe to be considered successful after having failed. + Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies a connection to a + TCP port. + properties: + host: + description: 'Optional: Host name to connect to, + defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: |- + Number or name of the port to access on the container. + Number must be in the range 1 to 65535. + Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: |- + Optional duration in seconds the pod needs to terminate gracefully upon probe failure. + The grace period is the duration in seconds after the processes running in the pod are sent + a termination signal and the time when the processes are forcibly halted with a kill signal. + Set this value longer than the expected cleanup time for your process. + If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this + value overrides the value provided by the pod spec. + Value must be non-negative integer. The value zero indicates stop immediately via + the kill signal (no opportunity to shut down). + This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. + Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. + format: int64 + type: integer + timeoutSeconds: + description: |- + Number of seconds after which the probe times out. + Defaults to 1 second. Minimum value is 1. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes + format: int32 + type: integer + type: object + runtimeValues: + additionalProperties: + type: string + description: |- + Envoy [runtime configuration](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/operations/runtime) to set during bootstrapping. + This enables setting experimental, unsafe, unsupported, and deprecated features that should be used with extreme caution. + type: object + sds: + description: |- + Secret Discovery Service(SDS) configuration to be used by the proxy. + + Deprecated: Marked as deprecated in mesh/v1alpha1/proxy.proto. + properties: + enabled: + description: True if SDS is enabled. + type: boolean + k8sSaJwtPath: + description: Path of k8s service account JWT path. + type: string + type: object + serviceCluster: + description: |- + Service cluster defines the name for the `service_cluster` that is + shared by all Envoy instances. This setting corresponds to + `--service-cluster` flag in Envoy. In a typical Envoy deployment, the + `service-cluster` flag is used to identify the caller, for + source-based routing scenarios. + + Since Istio does not assign a local `service/service` version to each + Envoy instance, the name is same for all of them. However, the + source/caller's identity (e.g., IP address) is encoded in the + `--service-node` flag when launching Envoy. When the RDS service + receives API calls from Envoy, it uses the value of the `service-node` + flag to compute routes that are relative to the service instances + located at that IP address. + type: string + statNameLength: + description: |- + Maximum length of name field in Envoy's metrics. The length of the name field + is determined by the length of a name field in a service and the set of labels that + comprise a particular version of the service. The default value is set to 189 characters. + Envoy's internal metrics take up 67 characters, for a total of 256 character name per metric. + Increase the value of this field if you find that the metrics from Envoys are truncated. + format: int32 + type: integer + statsdUdpAddress: + description: IP Address and Port of a statsd UDP listener + (e.g. `10.75.241.127:9125`). + type: string + statusPort: + description: |- + Port on which the agent should listen for administrative commands such as readiness probe. + Default is set to port `15020`. + format: int32 + type: integer + terminationDrainDuration: + description: |- + The amount of time allowed for connections to complete on proxy shutdown. + On receiving `SIGTERM` or `SIGINT`, `istio-agent` tells the active Envoy to start gracefully draining, + discouraging any new connections and allowing existing connections to complete. It then + sleeps for the `terminationDrainDuration` and then kills any remaining active Envoy processes. + If not set, a default of `5s` will be applied. + type: string + tracing: + description: Tracing configuration to be used by the proxy. + properties: + customTags: + additionalProperties: + description: |- + Configure custom tags that will be added to any active span. + Tags can be generated via literals, environment variables or an incoming request header. + properties: + environment: + description: |- + The custom tag's value should be populated from an environmental + variable + properties: + defaultValue: + description: |- + When the environment variable is not found, + the tag's value will be populated with this default value if specified, + otherwise the tag will not be populated. + type: string + name: + description: Name of the environment variable + used to populate the tag's value + type: string + type: object + header: + description: |- + The custom tag's value is populated by an http header from + an incoming request. + properties: + defaultValue: + description: |- + Default value to be used for the tag when the named HTTP header does not exist. + The tag will be skipped if no default value is provided. + type: string + name: + description: HTTP header name used to obtain + the value from to populate the tag value. + type: string + type: object + literal: + description: The custom tag's value is the specified + literal. + properties: + value: + description: Static literal value used to + populate the tag value. + type: string + type: object + type: object + x-kubernetes-validations: + - message: At most one of [literal environment header] + should be set + rule: (has(self.literal)?1:0) + (has(self.environment)?1:0) + + (has(self.header)?1:0) <= 1 + description: "and gateways).\nThe key represents the + name of the tag.\nEx:\n```yaml\ncustom_tags:\n\n\tnew_tag_name:\n\t + \ header:\n\t name: custom-http-header-name\n\t + \ default_value: defaulted-value-from-custom-header\n\n```" + type: object + datadog: + description: Use a Datadog tracer. + properties: + address: + description: Address of the Datadog Agent. + type: string + type: object + enableIstioTags: + description: |- + Determines whether or not trace spans generated by Envoy will include Istio specific tags. + By default Istio specific tags are included in the trace spans. + type: boolean + lightstep: + description: |- + Use a Lightstep tracer. + NOTE: For Istio 1.15+, this configuration option will result + in using OpenTelemetry-based Lightstep integration. + properties: + accessToken: + description: The Lightstep access token. + type: string + address: + description: Address of the Lightstep Satellite + pool. + type: string + type: object + maxPathTagLength: + description: |- + Configures the maximum length of the request path to extract and include in the + HttpUrl tag. Used to truncate length request paths to meet the needs of tracing + backend. If not set, then a length of 256 will be used. + format: int32 + type: integer + openCensusAgent: + description: Use an OpenCensus tracer exporting to + an OpenCensus agent. + properties: + address: + description: |- + gRPC address for the OpenCensus agent (e.g. dns://authority/host:port or + unix:path). See [gRPC naming + docs](https://github.com/grpc/grpc/blob/master/doc/naming.md) for + details. + type: string + context: + description: |- + Specifies the set of context propagation headers used for distributed + tracing. Default is `["W3C_TRACE_CONTEXT"]`. If multiple values are specified, + the proxy will attempt to read each header for each request and will + write all headers. + items: + description: |- + TraceContext selects the context propagation headers used for + distributed tracing. + enum: + - UNSPECIFIED + - W3C_TRACE_CONTEXT + - GRPC_BIN + - CLOUD_TRACE_CONTEXT + - B3 + type: string + type: array + type: object + sampling: + description: |- + The percentage of requests (0.0 - 100.0) that will be randomly selected for trace generation, + if not requested by the client or not forced. Default is 1.0. + type: number + stackdriver: + description: Use a Stackdriver tracer. + properties: + debug: + description: debug enables trace output to stdout. + type: boolean + maxNumberOfAnnotations: + description: |- + The global default max number of annotation events per span. + default is 200. + format: int64 + type: integer + maxNumberOfAttributes: + description: |- + The global default max number of attributes per span. + default is 200. + format: int64 + type: integer + maxNumberOfMessageEvents: + description: |- + The global default max number of message events per span. + default is 200. + format: int64 + type: integer + type: object + tlsSettings: + description: |- + Use the tlsSettings to specify the tls mode to use. If the remote tracing service + uses Istio mutual TLS and shares the root CA with istiod, specify the TLS + mode as `ISTIO_MUTUAL`. + properties: + caCertificates: + description: |- + OPTIONAL: The path to the file containing certificate authority + certificates to use in verifying a presented server certificate. If + omitted, the proxy will verify the server's certificate using + the OS CA certificates. + Should be empty if mode is `ISTIO_MUTUAL`. + type: string + caCrl: + description: |- + OPTIONAL: The path to the file containing the certificate revocation list (CRL) + to use in verifying a presented server certificate. `CRL` is a list of certificates + that have been revoked by the CA (Certificate Authority) before their scheduled expiration date. + If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates. + If omitted, the proxy will not verify the certificate against the `crl`. Note that if `credentialName` is set, + `CRL` cannot be specified using `caCrl`, rather it has to be specified inside the credential. + type: string + clientCertificate: + description: |- + REQUIRED if mode is `MUTUAL`. The path to the file holding the + client-side TLS certificate to use. + Should be empty if mode is `ISTIO_MUTUAL`. + type: string + credentialName: + description: |- + The name of the secret that holds the TLS certs for the + client including the CA certificates. This secret must exist in + the namespace of the proxy using the certificates. + An Opaque secret should contain the following keys and values: + `key: `, `cert: `, `cacert: `, + `crl: ` + Here CACertificate is used to verify the server certificate. + For mutual TLS, `cacert: ` can be provided in the + same secret or a separate secret named `-cacert`. + A TLS secret for client certificates with an additional + `ca.crt` key for CA certificates and `ca.crl` key for + certificate revocation list(CRL) is also supported. + Only one of client certificates and CA certificate + or credentialName can be specified. + + **NOTE:** This field is applicable at sidecars only if + `DestinationRule` has a `workloadSelector` specified. + Otherwise the field will be applicable only at gateways, and + sidecars will continue to use the certificate paths. + type: string + insecureSkipVerify: + description: |- + `insecureSkipVerify` specifies whether the proxy should skip verifying the + CA signature and SAN for the server certificate corresponding to the host. + The default value of this field is false. + type: boolean + mode: + description: |- + Indicates whether connections to this port should be secured + using TLS. The value of this field determines how TLS is enforced. + enum: + - DISABLE + - SIMPLE + - MUTUAL + - ISTIO_MUTUAL + type: string + privateKey: + description: |- + REQUIRED if mode is `MUTUAL`. The path to the file holding the + client's private key. + Should be empty if mode is `ISTIO_MUTUAL`. + type: string + sni: + description: |- + SNI string to present to the server during TLS handshake. + If unspecified, SNI will be automatically set based on downstream HTTP + host/authority header for SIMPLE and MUTUAL TLS modes. + type: string + subjectAltNames: + description: |- + A list of alternate names to verify the subject identity in the + certificate. If specified, the proxy will verify that the server + certificate's subject alt name matches one of the specified values. + If specified, this list overrides the value of `subjectAltNames` + from the `ServiceEntry`. If unspecified, automatic validation of upstream + presented certificate for new upstream connections will be done based on the + downstream HTTP host/authority header. + items: + type: string + type: array + type: object + zipkin: + description: Use a Zipkin tracer. + properties: + address: + description: Address of the Zipkin service (e.g. + _zipkin:9411_). + type: string + type: object + type: object + x-kubernetes-validations: + - message: At most one of [zipkin lightstep datadog stackdriver + openCensusAgent] should be set + rule: (has(self.zipkin)?1:0) + (has(self.lightstep)?1:0) + + (has(self.datadog)?1:0) + (has(self.stackdriver)?1:0) + + (has(self.openCensusAgent)?1:0) <= 1 + tracingServiceName: + description: |- + Used by Envoy proxies to assign the values for the service names in trace + spans. + enum: + - APP_LABEL_AND_NAMESPACE + - CANONICAL_NAME_ONLY + - CANONICAL_NAME_AND_NAMESPACE + type: string + zipkinAddress: + description: |- + Address of the Zipkin service (e.g. _zipkin:9411_). + DEPRECATED: Use [tracing][istio.mesh.v1alpha1.ProxyConfig.tracing] instead. + + Deprecated: Marked as deprecated in mesh/v1alpha1/proxy.proto. + type: string + type: object + x-kubernetes-validations: + - message: At most one of [serviceCluster tracingServiceName] + should be set + rule: (has(self.serviceCluster)?1:0) + (has(self.tracingServiceName)?1:0) + <= 1 + defaultDestinationRuleExportTo: + description: |- + The default value for the `DestinationRule.exportTo` field. Has the same + syntax as `defaultServiceExportTo`. + + If not set the system will use "*" as the default value which implies that + destination rules are exported to all namespaces + items: + type: string + type: array + defaultHttpRetryPolicy: + description: "Configure the default HTTP retry policy.\nThe + default number of retry attempts is set at 2 for these errors:\n\n\t\"connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes\".\n\nSetting + the number of attempts to 0 disables retry policy globally.\nThis + setting can be overridden on a per-host basis using the + Virtual Service\nAPI.\nAll settings in the retry policy + except `perTryTimeout` can currently be\nconfigured globally + via this field." + properties: + attempts: + description: |- + Number of retries to be allowed for a given request. The interval + between retries will be determined automatically (25ms+). When request + `timeout` of the [HTTP route](https://istio.io/docs/reference/config/networking/virtual-service/#HTTPRoute) + or `per_try_timeout` is configured, the actual number of retries attempted also depends on + the specified request `timeout` and `per_try_timeout` values. MUST be >= 0. If `0`, retries will be disabled. + The maximum possible number of requests made will be 1 + `attempts`. + format: int32 + type: integer + backoff: + description: |- + Specifies the minimum duration between retry attempts. + If unset, default minimum duration of 25ms is used as base interval for exponetial backoff. + This has an impact on the total number of retries that will be attempted based on the `attempts` field + and route timeout. For example, with attempts is set to 3, backoff to 2s and timeout to 3s, the request will + be retried only once. + type: string + perTryTimeout: + description: |- + Timeout per attempt for a given request, including the initial call and any retries. Format: 1h/1m/1s/1ms. MUST be >=1ms. + Default is same value as request + `timeout` of the [HTTP route](https://istio.io/docs/reference/config/networking/virtual-service/#HTTPRoute), + which means no timeout. + type: string + retryIgnorePreviousHosts: + description: |- + Flag to specify whether the retries should ignore previously tried hosts during retry. + Defaults to true. + type: boolean + retryOn: + description: |- + Specifies the conditions under which retry takes place. + One or more policies can be specified using a ‘,’ delimited list. + See the [retry policies](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-on) + and [gRPC retry policies](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-grpc-on) for more details. + + In addition to the policies specified above, a list of HTTP status codes can be passed, such as `retryOn: "503,reset"`. + Note these status codes refer to the actual responses received from the destination. + For example, if a connection is reset, Istio will translate this to 503 for it's response. + However, the destination did not return a 503 error, so this would not match `"503"` (it would, however, match `"reset"`). + + If not specified, this defaults to `connect-failure,refused-stream,unavailable,cancelled`. + type: string + retryRemoteLocalities: + description: |- + Flag to specify whether the retries should retry to other localities. + See the [retry plugin configuration](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/http/http_connection_management#retry-plugin-configuration) for more details. + type: boolean + type: object + defaultProviders: + description: Specifies extension providers to use by default + in Istio configuration resources. + properties: + accessLogging: + description: Name of the default provider(s) for access + logging. + items: + type: string + type: array + metrics: + description: Name of the default provider(s) for metrics. + items: + type: string + type: array + tracing: + description: Name of the default provider(s) for tracing. + items: + type: string + type: array + type: object + defaultServiceExportTo: + description: |- + The default value for the ServiceEntry.exportTo field and services + imported through container registry integrations, e.g. this applies to + Kubernetes Service resources. The value is a list of namespace names and + reserved namespace aliases. The allowed namespace aliases are: + ``` + * - All Namespaces + . - Current Namespace + ~ - No Namespace + ``` + If not set the system will use "*" as the default value which implies that + services are exported to all namespaces. + + `All namespaces` is a reasonable default for implementations that don't + need to restrict access or visibility of services across namespace + boundaries. If that requirement is present it is generally good practice to + make the default `Current namespace` so that services are only visible + within their own namespaces by default. Operators can then expand the + visibility of services to other namespaces as needed. Use of `No Namespace` + is expected to be rare but can have utility for deployments where + dependency management needs to be precise even within the scope of a single + namespace. + + For further discussion see the reference documentation for `ServiceEntry`, + `Sidecar`, and `Gateway`. + items: + type: string + type: array + defaultVirtualServiceExportTo: + description: |- + The default value for the VirtualService.exportTo field. Has the same + syntax as `defaultServiceExportTo`. + + If not set the system will use "*" as the default value which implies that + virtual services are exported to all namespaces + items: + type: string + type: array + disableEnvoyListenerLog: + description: |- + This flag disables Envoy Listener logs. + See [Listener Access Log](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-access-log) + Istio Enables Envoy's listener access logs on "NoRoute" response flag. + Default value is `false`. + type: boolean + discoverySelectors: + description: |- + A list of Kubernetes selectors that specify the set of namespaces that Istio considers when + computing configuration updates for sidecars. This can be used to reduce Istio's computational load + by limiting the number of entities (including services, pods, and endpoints) that are watched and processed. + If omitted, Istio will use the default behavior of processing all namespaces in the cluster. + Elements in the list are disjunctive (OR semantics), i.e. a namespace will be included if it matches any selector. + The following example selects any namespace that matches either below: + 1. The namespace has both of these labels: `env: prod` and `region: us-east1` + 2. The namespace has label `app` equal to `cassandra` or `spark`. + ```yaml + discoverySelectors: + - matchLabels: + env: prod + region: us-east1 + - matchExpressions: + - key: app + operator: In + values: + - cassandra + - spark + + ``` + Refer to the [Kubernetes selector docs](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) + for additional detail on selector semantics. + items: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: array + dnsRefreshRate: + description: |- + Configures DNS refresh rate for Envoy clusters of type `STRICT_DNS` + Default refresh rate is `60s`. + type: string + enableAutoMtls: + description: |- + This flag is used to enable mutual `TLS` automatically for service to service communication + within the mesh, default true. + If set to true, and a given service does not have a corresponding `DestinationRule` configured, + or its `DestinationRule` does not have ClientTLSSettings specified, Istio configures client side + TLS configuration appropriately. More specifically, + If the upstream authentication policy is in `STRICT` mode, use Istio provisioned certificate + for mutual `TLS` to connect to upstream. + If upstream service is in plain text mode, use plain text. + If the upstream authentication policy is in PERMISSIVE mode, Istio configures clients to use + mutual `TLS` when server sides are capable of accepting mutual `TLS` traffic. + If service `DestinationRule` exists and has `ClientTLSSettings` specified, that is always used instead. + type: boolean + enableEnvoyAccessLogService: + description: |- + This flag enables Envoy's gRPC Access Log Service. + See [Access Log Service](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/grpc/v3/als.proto) + for details about Envoy's gRPC Access Log Service API. + Default value is `false`. + type: boolean + enablePrometheusMerge: + description: |- + If enabled, Istio agent will merge metrics exposed by the application with metrics from Envoy + and Istio agent. The sidecar injection will replace `prometheus.io` annotations present on the pod + and redirect them towards Istio agent, which will then merge metrics of from the application with Istio metrics. + This relies on the annotations `prometheus.io/scrape`, `prometheus.io/port`, and + `prometheus.io/path` annotations. + If you are running a separately managed Envoy with an Istio sidecar, this may cause issues, as the metrics will collide. + In this case, it is recommended to disable aggregation on that deployment with the + `prometheus.istio.io/merge-metrics: "false"` annotation. + If not specified, this will be enabled by default. + type: boolean + enableTracing: + description: |- + Flag to control generation of trace spans and request IDs. + Requires a trace span collector defined in the proxy configuration. + type: boolean + extensionProviders: + description: |- + Defines a list of extension providers that extend Istio's functionality. For example, the AuthorizationPolicy + can be used with an extension provider to delegate the authorization decision to a custom authorization system. + items: + properties: + datadog: + description: Configures a Datadog tracing provider. + properties: + maxTagLength: + description: |- + Optional. Controls the overall path length allowed in a reported span. + NOTE: currently only controls max length of the path tag. + format: int32 + type: integer + port: + description: REQUIRED. Specifies the port of the + service. + format: int32 + type: integer + service: + description: |- + REQUIRED. Specifies the service for the Datadog agent. + The format is `[/]`. The specification of `` is required only when it is insufficient + to unambiguously resolve a service in the service registry. The `` is a fully qualified host name of a + service defined by the Kubernetes service or ServiceEntry. + + Example: "datadog.default.svc.cluster.local" or "bar/datadog.example.com". + type: string + required: + - port + - service + type: object + envoyExtAuthzGrpc: + description: Configures an external authorizer that + implements the Envoy ext_authz filter authorization + check service using the gRPC API. + properties: + clearRouteCache: + description: |- + If true, clears route cache in order to allow the external authorization service to correctly affect routing decisions. + If true, recalculate routes with the new ExtAuthZ added/removed headers. + Default is false + type: boolean + failOpen: + description: |- + If true, the HTTP request or TCP connection will be allowed even if the communication with the authorization service has failed, + or if the authorization service has returned a HTTP 5xx error. + Default is false. For HTTP request, it will be rejected with 403 (HTTP Forbidden). For TCP connection, it will be closed immediately. + type: boolean + includeRequestBodyInCheck: + description: If set, the client request body will + be included in the authorization request sent + to the authorization service. + properties: + allowPartialMessage: + description: |- + When this field is true, ext-authz filter will buffer the message until maxRequestBytes is reached. + The authorization request will be dispatched and no 413 HTTP error will be returned by the filter. + A "x-envoy-auth-partial-body: false|true" metadata header will be added to the authorization request message + indicating if the body data is partial. + type: boolean + maxRequestBytes: + description: |- + Sets the maximum size of a message body that the ext-authz filter will hold in memory. + If maxRequestBytes is reached, and allowPartialMessage is false, Envoy will return a 413 (Payload Too Large). + Otherwise the request will be sent to the provider with a partial message. + Note that this setting will have precedence over the failOpen field, the 413 will be returned even when the + failOpen is set to true. + format: int32 + type: integer + packAsBytes: + description: |- + If true, the body sent to the external authorization service in the gRPC authorization request is set with raw bytes + in the [raw_body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153). + Otherwise, it will be filled with UTF-8 string in the [body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147). + This field only works with the envoyExtAuthzGrpc provider and has no effect for the envoyExtAuthzHttp provider. + type: boolean + type: object + port: + description: REQUIRED. Specifies the port of the + service. + format: int32 + type: integer + service: + description: |- + REQUIRED. Specifies the service that implements the Envoy ext_authz gRPC authorization service. + The format is `[/]`. The specification of `` is required only when it is insufficient + to unambiguously resolve a service in the service registry. The `` is a fully qualified host name of a + service defined by the Kubernetes service or ServiceEntry. + + Example: "my-ext-authz.foo.svc.cluster.local" or "bar/my-ext-authz.example.com". + type: string + statusOnError: + description: |- + Sets the HTTP status that is returned to the client when there is a network error to the authorization service. + The default status is "403" (HTTP Forbidden). + type: string + timeout: + description: |- + The maximum duration that the proxy will wait for a response from the provider, this is the timeout for a specific request (default timeout: 600s). + When this timeout condition is met, the proxy marks the communication to the authorization service as failure. + In this situation, the response sent back to the client will depend on the configured `failOpen` field. + type: string + required: + - port + - service + type: object + envoyExtAuthzHttp: + description: Configures an external authorizer that + implements the Envoy ext_authz filter authorization + check service using the HTTP API. + properties: + clearRouteCache: + description: |- + If true, clears route cache in order to allow the external authorization service to correctly affect routing decisions. + If true, recalculate routes with the new ExtAuthZ added/removed headers. + Default is false + type: boolean + failOpen: + description: |- + If true, the user request will be allowed even if the communication with the authorization service has failed, + or if the authorization service has returned a HTTP 5xx error. + Default is false and the request will be rejected with "Forbidden" response. + type: boolean + headersToDownstreamOnAllow: + description: |- + List of headers from the authorization service that should be forwarded to downstream when the authorization + check result is allowed (HTTP code 200). + If not specified, the original response will not be modified and forwarded to downstream as-is. + Note, any existing headers will be overridden. + + Exact, prefix and suffix matches are supported (similar to the + [authorization policy rule syntax](https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule) + except the presence match): + - Exact match: "abc" will match on value "abc". + - Prefix match: "abc*" will match on value "abc" and "abcd". + - Suffix match: "*abc" will match on value "abc" and "xabc". + items: + type: string + type: array + headersToDownstreamOnDeny: + description: |- + List of headers from the authorization service that should be forwarded to downstream when the authorization + check result is not allowed (HTTP code other than 200). + If not specified, all the authorization response headers, except *Authority (Host)* will be in the response to + the downstream. + When a header is included in this list, *Path*, *Status*, *Content-Length*, *WWWAuthenticate* and *Location* are + automatically added. + Note, the body from the authorization service is always included in the response to downstream. + + Exact, prefix and suffix matches are supported (similar to the + [authorization policy rule syntax](https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule) + except the presence match): + - Exact match: "abc" will match on value "abc". + - Prefix match: "abc*" will match on value "abc" and "abcd". + - Suffix match: "*abc" will match on value "abc" and "xabc". + items: + type: string + type: array + headersToUpstreamOnAllow: + description: |- + List of headers from the authorization service that should be added or overridden in the original request and + forwarded to the upstream when the authorization check result is allowed (HTTP code 200). + If not specified, the original request will not be modified and forwarded to backend as-is. + Note, any existing headers will be overridden. + + Exact, prefix and suffix matches are supported (similar to the + [authorization policy rule syntax](https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule) + except the presence match): + - Exact match: "abc" will match on value "abc". + - Prefix match: "abc*" will match on value "abc" and "abcd". + - Suffix match: "*abc" will match on value "abc" and "xabc". + items: + type: string + type: array + includeAdditionalHeadersInCheck: + additionalProperties: + type: string + description: |- + Set of additional fixed headers that should be included in the authorization request sent to the authorization service. + Key is the header name and value is the header value. + Note that client request of the same key or headers specified in includeRequestHeadersInCheck will be overridden. + type: object + includeHeadersInCheck: + description: |- + DEPRECATED. Use includeRequestHeadersInCheck instead. + + Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto. + items: + type: string + type: array + includeRequestBodyInCheck: + description: If set, the client request body will + be included in the authorization request sent + to the authorization service. + properties: + allowPartialMessage: + description: |- + When this field is true, ext-authz filter will buffer the message until maxRequestBytes is reached. + The authorization request will be dispatched and no 413 HTTP error will be returned by the filter. + A "x-envoy-auth-partial-body: false|true" metadata header will be added to the authorization request message + indicating if the body data is partial. + type: boolean + maxRequestBytes: + description: |- + Sets the maximum size of a message body that the ext-authz filter will hold in memory. + If maxRequestBytes is reached, and allowPartialMessage is false, Envoy will return a 413 (Payload Too Large). + Otherwise the request will be sent to the provider with a partial message. + Note that this setting will have precedence over the failOpen field, the 413 will be returned even when the + failOpen is set to true. + format: int32 + type: integer + packAsBytes: + description: |- + If true, the body sent to the external authorization service in the gRPC authorization request is set with raw bytes + in the [raw_body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153). + Otherwise, it will be filled with UTF-8 string in the [body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147). + This field only works with the envoyExtAuthzGrpc provider and has no effect for the envoyExtAuthzHttp provider. + type: boolean + type: object + includeRequestHeadersInCheck: + description: |- + List of client request headers that should be included in the authorization request sent to the authorization service. + Note that in addition to the headers specified here following headers are included by default: + 1. *Host*, *Method*, *Path* and *Content-Length* are automatically sent. + 2. *Content-Length* will be set to 0 and the request will not have a message body. However, the authorization + request can include the buffered client request body (controlled by includeRequestBodyInCheck setting), + consequently the value of Content-Length of the authorization request reflects the size of its payload size. + + Exact, prefix and suffix matches are supported (similar to the + [authorization policy rule syntax](https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule) + except the presence match): + - Exact match: "abc" will match on value "abc". + - Prefix match: "abc*" will match on value "abc" and "abcd". + - Suffix match: "*abc" will match on value "abc" and "xabc". + items: + type: string + type: array + pathPrefix: + description: |- + Sets a prefix to the value of authorization request header *Path*. + For example, setting this to "/check" for an original user request at path "/admin" will cause the + authorization check request to be sent to the authorization service at the path "/check/admin" instead of "/admin". + type: string + port: + description: REQUIRED. Specifies the port of the + service. + format: int32 + type: integer + service: + description: |- + REQUIRED. Specifies the service that implements the Envoy ext_authz HTTP authorization service. + The format is `[/]`. The specification of `` is required only when it is insufficient + to unambiguously resolve a service in the service registry. The `` is a fully qualified host name of a + service defined by the Kubernetes service or ServiceEntry. + + Example: "my-ext-authz.foo.svc.cluster.local" or "bar/my-ext-authz.example.com". + type: string + statusOnError: + description: |- + Sets the HTTP status that is returned to the client when there is a network error to the authorization service. + The default status is "403" (HTTP Forbidden). + type: string + timeout: + description: |- + The maximum duration that the proxy will wait for a response from the provider (default timeout: 600s). + When this timeout condition is met, the proxy marks the communication to the authorization service as failure. + In this situation, the response sent back to the client will depend on the configured `failOpen` field. + type: string + required: + - port + - service + type: object + envoyFileAccessLog: + description: Configures an Envoy File Access Log provider. + properties: + logFormat: + description: Optional. Allows overriding of the + default access log format. + properties: + labels: + additionalProperties: + type: string + description: "JSON structured format for the + envoy access logs. Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators)\ncan + be used as values for fields within the Struct. + Values are rendered\nas strings, numbers, + or boolean values, as appropriate\n(see: [format + dictionaries](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-dictionaries)). + Nested JSON is\nsupported for some command + operators (e.g. `FILTER_STATE` or `DYNAMIC_METADATA`).\nUse + `labels: {}` for default envoy JSON log format.\n\nExample:\n```\nlabels:\n\n\tstatus: + \"%RESPONSE_CODE%\"\n\tmessage: \"%LOCAL_REPLY_BODY%\"\n\n```" + type: object + text: + description: |- + Textual format for the envoy access logs. Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators) may be + used in the format. The [format string documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-strings) + provides more information. + + NOTE: Istio will insert a newline ('\n') on all formats (if missing). + + Example: `text: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%"` + type: string + type: object + x-kubernetes-validations: + - message: At most one of [text labels] should be + set + rule: (has(self.text)?1:0) + (has(self.labels)?1:0) + <= 1 + omitEmptyValues: + description: |- + Optional. If set to true, when command operators are evaluated to null, + For text format, the output of the empty operator is changed from "-" to an empty string. + For json format, the keys with null values are omitted in the output structure. + type: boolean + path: + description: |- + Path to a local file to write the access log entries. + This may be used to write to streams, via `/dev/stderr` and `/dev/stdout` + If unspecified, defaults to `/dev/stdout`. + type: string + type: object + envoyHttpAls: + description: Configures an Envoy Access Logging Service + provider for HTTP traffic. + properties: + additionalRequestHeadersToLog: + description: Optional. Additional request headers + to log. + items: + type: string + type: array + additionalResponseHeadersToLog: + description: Optional. Additional response headers + to log. + items: + type: string + type: array + additionalResponseTrailersToLog: + description: Optional. Additional response trailers + to log. + items: + type: string + type: array + filterStateObjectsToLog: + description: Optional. Additional filter state objects + to log. + items: + type: string + type: array + logName: + description: |- + Optional. The friendly name of the access log. + Defaults: + - "http_envoy_accesslog" + - "listener_envoy_accesslog" + type: string + port: + description: REQUIRED. Specifies the port of the + service. + format: int32 + type: integer + service: + description: |- + REQUIRED. Specifies the service that implements the Envoy ALS gRPC authorization service. + The format is `[/]`. The specification of `` is required only when it is insufficient + to unambiguously resolve a service in the service registry. The `` is a fully qualified host name of a + service defined by the Kubernetes service or ServiceEntry. + + Example: "envoy-als.foo.svc.cluster.local" or "bar/envoy-als.example.com". + type: string + required: + - port + - service + type: object + envoyOtelAls: + description: Configures an Envoy Open Telemetry Access + Logging Service provider. + properties: + logFormat: + description: |- + Optional. Format for the proxy access log + Empty value results in proxy's default access log format, following Envoy access logging formatting. + properties: + labels: + additionalProperties: + type: string + description: "Optional. Additional attributes + that describe the specific event occurrence.\nStructured + format for the envoy access logs. Envoy [command + operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators)\ncan + be used as values for fields within the Struct. + Values are rendered\nas strings, numbers, + or boolean values, as appropriate\n(see: [format + dictionaries](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-dictionaries)). + Nested JSON is\nsupported for some command + operators (e.g. FILTER_STATE or DYNAMIC_METADATA).\nAlias + to `attributes` field in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto)\n\nExample:\n```\nlabels:\n\n\tstatus: + \"%RESPONSE_CODE%\"\n\tmessage: \"%LOCAL_REPLY_BODY%\"\n\n```" + type: object + text: + description: |- + Textual format for the envoy access logs. Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators) may be + used in the format. The [format string documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-strings) + provides more information. + Alias to `body` field in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto) + Example: `text: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%"` + type: string + type: object + logName: + description: |- + Optional. The friendly name of the access log. + Defaults: + - "otel_envoy_accesslog" + type: string + port: + description: REQUIRED. Specifies the port of the + service. + format: int32 + type: integer + service: + description: |- + REQUIRED. Specifies the service that implements the Envoy ALS gRPC authorization service. + The format is `[/]`. The specification of `` is required only when it is insufficient + to unambiguously resolve a service in the service registry. The `` is a fully qualified host name of a + service defined by the Kubernetes service or ServiceEntry. + + Example: "envoy-als.foo.svc.cluster.local" or "bar/envoy-als.example.com". + type: string + required: + - port + - service + type: object + envoyTcpAls: + description: Configures an Envoy Access Logging Service + provider for TCP traffic. + properties: + filterStateObjectsToLog: + description: Optional. Additional filter state objects + to log. + items: + type: string + type: array + logName: + description: |- + Optional. The friendly name of the access log. + Defaults: + - "tcp_envoy_accesslog" + - "listener_envoy_accesslog" + type: string + port: + description: REQUIRED. Specifies the port of the + service. + format: int32 + type: integer + service: + description: |- + REQUIRED. Specifies the service that implements the Envoy ALS gRPC authorization service. + The format is `[/]`. The specification of `` is required only when it is insufficient + to unambiguously resolve a service in the service registry. The `` is a fully qualified host name of a + service defined by the Kubernetes service or ServiceEntry. + + Example: "envoy-als.foo.svc.cluster.local" or "bar/envoy-als.example.com". + type: string + required: + - port + - service + type: object + lightstep: + description: |- + Configures a Lightstep tracing provider. + Deprecated: For Istio 1.15+, please use an OpenTelemetryTracingProvider instead, more details can be found at https://github.com/istio/istio/issues/40027 + + Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto. + properties: + accessToken: + description: The Lightstep access token. + type: string + maxTagLength: + description: |- + Optional. Controls the overall path length allowed in a reported span. + NOTE: currently only controls max length of the path tag. + format: int32 + type: integer + port: + description: REQUIRED. Specifies the port of the + service. + format: int32 + type: integer + service: + description: |- + REQUIRED. Specifies the service for the Lightstep collector. + The format is `[/]`. The specification of `` is required only when it is insufficient + to unambiguously resolve a service in the service registry. The `` is a fully qualified host name of a + service defined by the Kubernetes service or ServiceEntry. + + Example: "lightstep.default.svc.cluster.local" or "bar/lightstep.example.com". + type: string + required: + - port + - service + type: object + name: + description: REQUIRED. A unique name identifying the + extension provider. + type: string + opencensus: + description: |- + Configures an OpenCensusAgent tracing provider. + Deprecated: OpenCensus is deprecated, more details can be found at https://opentelemetry.io/blog/2023/sunsetting-opencensus/ + + Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto. + properties: + context: + description: |- + Specifies the set of context propagation headers used for distributed + tracing. Default is `["W3C_TRACE_CONTEXT"]`. If multiple values are specified, + the proxy will attempt to read each header for each request and will + write all headers. + items: + description: |- + TraceContext selects the context propagation headers used for + distributed tracing. + enum: + - UNSPECIFIED + - W3C_TRACE_CONTEXT + - GRPC_BIN + - CLOUD_TRACE_CONTEXT + - B3 + type: string + type: array + maxTagLength: + description: |- + Optional. Controls the overall path length allowed in a reported span. + NOTE: currently only controls max length of the path tag. + format: int32 + type: integer + port: + description: REQUIRED. Specifies the port of the + service. + format: int32 + type: integer + service: + description: |- + REQUIRED. Specifies the service for the OpenCensusAgent. + The format is `[/]`. The specification of `` is required only when it is insufficient + to unambiguously resolve a service in the service registry. The `` is a fully qualified host name of a + service defined by the Kubernetes service or ServiceEntry. + + Example: "ocagent.default.svc.cluster.local" or "bar/ocagent.example.com". + type: string + required: + - port + - service + type: object + opentelemetry: + description: Configures an OpenTelemetry tracing provider. + properties: + dynatraceSampler: + description: |- + The Dynatrace adaptive traffic management (ATM) sampler. + + Example configuration: + + ```yaml + - name: otel-tracing + opentelemetry: + port: 443 + service: "{your-environment-id}.live.dynatrace.com" + http: + path: "/api/v2/otlp/v1/traces" + timeout: 10s + headers: + - name: "Authorization" + value: "Api-Token dt0c01." + resourceDetectors: + dynatrace: {} + dynatraceSampler: + tenant: "{your-environment-id}" + clusterId: 1234 + properties: + clusterId: + description: |- + REQUIRED. The identifier of the cluster in the Dynatrace platform. + The cluster here is Dynatrace-specific concept and not related to the cluster concept in Istio/Envoy. + + The value can be obtained from the Istio deployment page in Dynatrace. + format: int32 + type: integer + httpService: + description: |- + Optional. Dynatrace HTTP API to obtain sampling configuration. + + When not provided, the Dynatrace Sampler will re-use the configuration from the OpenTelemetryTracingProvider HTTP Exporter + (`service`, `port` and `http`), including the access token. + properties: + http: + description: REQUIRED. Specifies sampling + configuration URI. + properties: + headers: + description: |- + Optional. Allows specifying custom HTTP headers that will be added + to each HTTP request sent. + items: + properties: + envName: + description: |- + The HTTP header value from the environment variable. + + Warning: + - The environment variable must be set in the istiod pod spec. + - This is not a end-to-end secure. + type: string + name: + description: REQUIRED. The HTTP + header name. + type: string + value: + description: The HTTP header value. + type: string + required: + - name + type: object + x-kubernetes-validations: + - message: At most one of [value envName] + should be set + rule: (has(self.value)?1:0) + (has(self.envName)?1:0) + <= 1 + type: array + path: + description: REQUIRED. Specifies the + path on the service. + type: string + timeout: + description: |- + Optional. Specifies the timeout for the HTTP request. + If not specified, the default is 3s. + type: string + required: + - path + type: object + port: + description: REQUIRED. Specifies the port + of the service. + format: int32 + type: integer + service: + description: |- + REQUIRED. Specifies the Dynatrace environment to obtain the sampling configuration. + The format is ``, where `` is the fully qualified Dynatrace environment + host name defined in the ServiceEntry. + + Example: "{your-environment-id}.live.dynatrace.com". + type: string + required: + - http + - port + - service + type: object + rootSpansPerMinute: + description: |- + Optional. Number of sampled spans per minute to be used + when the adaptive value cannot be obtained from the Dynatrace API. + + A default value of `1000` is used when: + + - `rootSpansPerMinute` is unset + - `rootSpansPerMinute` is set to 0 + format: int32 + type: integer + tenant: + description: |- + REQUIRED. The Dynatrace customer's tenant identifier. + + The value can be obtained from the Istio deployment page in Dynatrace. + type: string + required: + - clusterId + - tenant + type: object + grpc: + description: "Optional. Specifies the configuration + for exporting OTLP traces via GRPC.\nWhen empty, + traces will check whether HTTP is set.\nIf not, + traces will use default GRPC configurations.\n\nThe + following example shows how to configure the OpenTelemetry + ExtensionProvider to export via GRPC:\n\n1. Add/change + the OpenTelemetry extension provider in `MeshConfig`\n```yaml\n + \ - name: opentelemetry\n opentelemetry:\n + \ port: 8090\n service: tracing.example.com\n + \ grpc:\n timeout: 10s\n initialMetadata:\n + \ - name: \"Authentication\"\n value: \"token-xxxxx\"\n\n```\n\n2. + Deploy a `ServiceEntry` for the observability + back-end\n```yaml\napiVersion: networking.istio.io/v1alpha3\nkind: + ServiceEntry\nmetadata:\n\n\tname: tracing-grpc\n\nspec:\n\n\thosts:\n\t- + tracing.example.com\n\tports:\n\t- number: 8090\n\t + \ name: grpc-port\n\t protocol: GRPC\n\tresolution: + DNS\n\tlocation: MESH_EXTERNAL\n\n```" + properties: + initialMetadata: + description: |- + Optional. Additional metadata to include in streams initiated to the GrpcService. This can be used for + scenarios in which additional ad hoc authorization headers (e.g. "x-foo-bar: baz-key") are to + be injected. + items: + properties: + envName: + description: |- + The HTTP header value from the environment variable. + + Warning: + - The environment variable must be set in the istiod pod spec. + - This is not a end-to-end secure. + type: string + name: + description: REQUIRED. The HTTP header + name. + type: string + value: + description: The HTTP header value. + type: string + required: + - name + type: object + x-kubernetes-validations: + - message: At most one of [value envName] + should be set + rule: (has(self.value)?1:0) + (has(self.envName)?1:0) + <= 1 + type: array + timeout: + description: Optional. Specifies the timeout + for the GRPC request. + type: string + type: object + http: + description: "Optional. Specifies the configuration + for exporting OTLP traces via HTTP.\nWhen empty, + traces will be exported via gRPC.\n\nThe following + example shows how to configure the OpenTelemetry + ExtensionProvider to export via HTTP:\n\n1. Add/change + the OpenTelemetry extension provider in `MeshConfig`\n```yaml\n + \ - name: otel-tracing\n opentelemetry:\n port: + 443\n service: my.olly-backend.com\n http:\n + \ path: \"/api/otlp/traces\"\n timeout: 10s\n + \ headers:\n - name: \"my-custom-header\"\n + \ value: \"some value\"\n\n```\n\n2. Deploy + a `ServiceEntry` for the observability back-end\n```yaml\napiVersion: + networking.istio.io/v1alpha3\nkind: ServiceEntry\nmetadata:\n\n\tname: + my-olly-backend\n\nspec:\n\n\thosts:\n\t- my.olly-backend.com\n\tports:\n\t- + number: 443\n\t name: https-port\n\t protocol: + HTTPS\n\tresolution: DNS\n\tlocation: MESH_EXTERNAL\n\n---\napiVersion: + networking.istio.io/v1alpha3\nkind: DestinationRule\nmetadata:\n\n\tname: + my-olly-backend\n\nspec:\n\n\thost: my.olly-backend.com\n\ttrafficPolicy:\n\t + \ portLevelSettings:\n\t - port:\n\t number: + 443\n\t tls:\n\t mode: SIMPLE\n\n```" + properties: + headers: + description: |- + Optional. Allows specifying custom HTTP headers that will be added + to each HTTP request sent. + items: + properties: + envName: + description: |- + The HTTP header value from the environment variable. + + Warning: + - The environment variable must be set in the istiod pod spec. + - This is not a end-to-end secure. + type: string + name: + description: REQUIRED. The HTTP header + name. + type: string + value: + description: The HTTP header value. + type: string + required: + - name + type: object + x-kubernetes-validations: + - message: At most one of [value envName] + should be set + rule: (has(self.value)?1:0) + (has(self.envName)?1:0) + <= 1 + type: array + path: + description: REQUIRED. Specifies the path on + the service. + type: string + timeout: + description: |- + Optional. Specifies the timeout for the HTTP request. + If not specified, the default is 3s. + type: string + required: + - path + type: object + maxTagLength: + description: |- + Optional. Controls the overall path length allowed in a reported span. + NOTE: currently only controls max length of the path tag. + format: int32 + type: integer + port: + description: REQUIRED. Specifies the port of the + service. + format: int32 + type: integer + resourceDetectors: + description: |- + Optional. Specifies [Resource Detectors](https://opentelemetry.io/docs/specs/otel/resource/sdk/) + to be used by the OpenTelemetry Tracer. When multiple resources are provided, they are merged + according to the OpenTelemetry [Resource specification](https://opentelemetry.io/docs/specs/otel/resource/sdk/#merge). + + The following example shows how to configure the Environment Resource Detector, that will + read the attributes from the environment variable `OTEL_RESOURCE_ATTRIBUTES`: + + ```yaml + - name: otel-tracing + opentelemetry: + port: 443 + service: my.olly-backend.com + resourceDetectors: + environment: {} + + ``` + properties: + dynatrace: + description: |- + Dynatrace Resource Detector. + The resource detector reads from the Dynatrace enrichment files + and adds host/process related attributes to the OpenTelemetry resource. + + See: [Enrich ingested data with Dynatrace-specific dimensions](https://docs.dynatrace.com/docs/shortlink/enrichment-files) + type: object + environment: + description: |- + OpenTelemetry Environment Resource Detector. + The resource detector reads attributes from the environment variable `OTEL_RESOURCE_ATTRIBUTES` + and adds them to the OpenTelemetry resource. + + See: [Resource specification](https://opentelemetry.io/docs/specs/otel/resource/sdk/#specifying-resource-information-via-an-environment-variable) + type: object + type: object + service: + description: |- + REQUIRED. Specifies the OpenTelemetry endpoint that will receive OTLP traces. + The format is `[/]`. The specification of `` is required only when it is insufficient + to unambiguously resolve a service in the service registry. The `` is a fully qualified host name of a + service defined by the Kubernetes service or ServiceEntry. + + Example: "otlp.default.svc.cluster.local" or "bar/otlp.example.com". + type: string + required: + - port + - service + type: object + x-kubernetes-validations: + - message: At most one of [dynatraceSampler] should + be set + rule: (has(self.dynatraceSampler)?1:0) <= 1 + prometheus: + description: Configures a Prometheus metrics provider. + type: object + sds: + description: |- + Configures an Extension Provider for SDS. This can be used to + configure an external SDS service to supply secrets for certain Gateways for example. + This is useful for scenarios where the secrets are stored in an external secret store like Vault. + The secret should be configured with sds://provider-name format. + properties: + name: + description: REQUIRED. Specifies the name of the + provider. This should be used to configure the + Gateway SDS. + type: string + port: + description: REQUIRED. Specifies the port of the + service. + format: int32 + type: integer + service: + description: |- + REQUIRED. Specifies the service that implements the SDS service. + The format is `[/]`. The specification of `` is required only when it is insufficient + to unambiguously resolve a service in the service registry. The `` is a fully qualified host name of a + service defined by the Kubernetes service or ServiceEntry. + + Example: "gateway-sds.foo.svc.cluster.local" or "bar/gateway-sds.example.com". + type: string + required: + - name + - port + - service + type: object + skywalking: + description: Configures a Apache SkyWalking provider. + properties: + accessToken: + description: Optional. The SkyWalking OAP access + token. + type: string + port: + description: REQUIRED. Specifies the port of the + service. + format: int32 + type: integer + service: + description: |- + REQUIRED. Specifies the service for the SkyWalking receiver. + The format is `[/]`. The specification of `` is required only when it is insufficient + to unambiguously resolve a service in the service registry. The `` is a fully qualified host name of a + service defined by the Kubernetes service or ServiceEntry. + + Example: "skywalking.default.svc.cluster.local" or "bar/skywalking.example.com". + type: string + required: + - port + - service + type: object + stackdriver: + description: Configures a Stackdriver provider. + properties: + debug: + description: |- + debug enables trace output to stdout. + + Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto. + type: boolean + logging: + description: Optional. Controls Stackdriver logging + behavior. + properties: + labels: + additionalProperties: + type: string + description: "Collection of tag names and tag + expressions to include in the log\nentry. + Conflicts are resolved by the tag name by + overriding previously\nsupplied values.\n\nExample:\n\n\tlabels:\n\t + \ path: request.url_path\n\t foo: request.headers['x-foo']" + type: object + type: object + maxNumberOfAnnotations: + description: |- + The global default max number of annotation events per span. + default is 200. + + Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto. + format: int64 + type: integer + maxNumberOfAttributes: + description: |- + The global default max number of attributes per span. + default is 200. + + Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto. + format: int64 + type: integer + maxNumberOfMessageEvents: + description: |- + The global default max number of message events per span. + default is 200. + + Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto. + format: int64 + type: integer + maxTagLength: + description: |- + Optional. Controls the overall path length allowed in a reported span. + NOTE: currently only controls max length of the path tag. + format: int32 + type: integer + type: object + zipkin: + description: Configures a tracing provider that uses + the Zipkin API. + properties: + enable64bitTraceId: + description: |- + Optional. A 128 bit trace id will be used in Istio. + If true, will result in a 64 bit trace id being used. + type: boolean + maxTagLength: + description: |- + Optional. Controls the overall path length allowed in a reported span. + NOTE: currently only controls max length of the path tag. + format: int32 + type: integer + path: + description: |- + Optional. Specifies the endpoint of Zipkin API. + The default value is "/api/v2/spans". + type: string + port: + description: REQUIRED. Specifies the port of the + service. + format: int32 + type: integer + service: + description: |- + REQUIRED. Specifies the service that the Zipkin API. + The format is `[/]`. The specification of `` is required only when it is insufficient + to unambiguously resolve a service in the service registry. The `` is a fully qualified host name of a + service defined by the Kubernetes service or ServiceEntry. + + Example: "zipkin.default.svc.cluster.local" or "bar/zipkin.example.com". + type: string + traceContextOption: + description: |- + Optional. Determines which trace context format to use for trace header extraction and propagation. + This controls both downstream request header extraction and upstream request header injection. + The default value is USE_B3 to maintain backward compatibility. + enum: + - USE_B3 + - USE_B3_WITH_W3C_PROPAGATION + type: string + required: + - port + - service + type: object + required: + - name + type: object + x-kubernetes-validations: + - message: At most one of [envoyExtAuthzHttp envoyExtAuthzGrpc + zipkin lightstep datadog stackdriver opencensus skywalking + opentelemetry prometheus envoyFileAccessLog envoyHttpAls + envoyTcpAls envoyOtelAls sds] should be set + rule: (has(self.envoyExtAuthzHttp)?1:0) + (has(self.envoyExtAuthzGrpc)?1:0) + + (has(self.zipkin)?1:0) + (has(self.lightstep)?1:0) + + (has(self.datadog)?1:0) + (has(self.stackdriver)?1:0) + + (has(self.opencensus)?1:0) + (has(self.skywalking)?1:0) + + (has(self.opentelemetry)?1:0) + (has(self.prometheus)?1:0) + + (has(self.envoyFileAccessLog)?1:0) + (has(self.envoyHttpAls)?1:0) + + (has(self.envoyTcpAls)?1:0) + (has(self.envoyOtelAls)?1:0) + + (has(self.sds)?1:0) <= 1 + maxItems: 1000 + type: array + h2UpgradePolicy: + description: |- + Specify if http1.1 connections should be upgraded to http2 by default. + if sidecar is installed on all pods in the mesh, then this should be set to `UPGRADE`. + If one or more services or namespaces do not have sidecar(s), then this should be set to `DO_NOT_UPGRADE`. + It can be enabled by destination using the `destinationRule.trafficPolicy.connectionPool.http.h2UpgradePolicy` override. + enum: + - DO_NOT_UPGRADE + - UPGRADE + type: string + inboundClusterStatName: + description: |- + Name to be used while emitting statistics for inbound clusters. The same pattern is used while computing stat prefix for + network filters like TCP and Redis. + By default, Istio emits statistics with the pattern `inbound|||`. + For example `inbound|7443|grpc-reviews|reviews.prod.svc.cluster.local`. This can be used to override that pattern. + + A Pattern can be composed of various pre-defined variables. The following variables are supported. + + - `%SERVICE%` - Will be substituted with short hostname of the service. + - `%SERVICE_NAME%` - Will be substituted with name of the service. + - `%SERVICE_FQDN%` - Will be substituted with FQDN of the service. + - `%SERVICE_PORT%` - Will be substituted with port of the service. + - `%TARGET_PORT%` - Will be substituted with the target port of the service. + - `%SERVICE_PORT_NAME%` - Will be substituted with port name of the service. + + Following are some examples of supported patterns for reviews: + + - `%SERVICE_FQDN%_%SERVICE_PORT%` will use reviews.prod.svc.cluster.local_7443 as the stats name. + - `%SERVICE%` will use reviews.prod as the stats name. + type: string + inboundTrafficPolicy: + description: |- + Set the default behavior of the sidecar for handling inbound + traffic to the application. If your application listens on + localhost, you will need to set this to `LOCALHOST`. + properties: + mode: + enum: + - PASSTHROUGH + - LOCALHOST + type: string + type: object + ingressClass: + description: |- + Class of ingress resources to be processed by Istio ingress + controller. This corresponds to the value of + `kubernetes.io/ingress.class` annotation. + type: string + ingressControllerMode: + description: |- + Defines whether to use Istio ingress controller for annotated or all ingress resources. + Default mode is `STRICT`. + enum: + - UNSPECIFIED + - "OFF" + - DEFAULT + - STRICT + type: string + ingressSelector: + description: |- + Defines which gateway deployment to use as the Ingress controller. This field corresponds to + the Gateway.selector field, and will be set as `istio: INGRESS_SELECTOR`. + By default, `ingressgateway` is used, which will select the default IngressGateway as it has the + `istio: ingressgateway` labels. + It is recommended that this is the same value as ingressService. + type: string + ingressService: + description: |- + Name of the Kubernetes service used for the istio ingress controller. + If no ingress controller is specified, the default value `istio-ingressgateway` is used. + type: string + localityLbSetting: + description: |- + Locality based load balancing distribution or failover settings. + If unspecified, locality based load balancing will be enabled by default. + However, this requires outlierDetection to actually take effect for a particular + service, see https://istio.io/latest/docs/tasks/traffic-management/locality-load-balancing/failover/ + properties: + distribute: + description: |- + Optional: only one of distribute, failover or failoverPriority can be set. + Explicitly specify loadbalancing weight across different zones and geographical locations. + Refer to [Locality weighted load balancing](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/locality_weight) + If empty, the locality weight is set according to the endpoints number within it. + items: + description: |- + Describes how traffic originating in the 'from' zone or sub-zone is + distributed over a set of 'to' zones. Syntax for specifying a zone is + {region}/{zone}/{sub-zone} and terminal wildcards are allowed on any + segment of the specification. Examples: + + `*` - matches all localities + + `us-west/*` - all zones and sub-zones within the us-west region + + `us-west/zone-1/*` - all sub-zones within us-west/zone-1 + properties: + from: + description: Originating locality, '/' separated, + e.g. 'region/zone/sub_zone'. + type: string + to: + additionalProperties: + format: int32 + type: integer + description: |- + Map of upstream localities to traffic distribution weights. The sum of + all weights should be 100. Any locality not present will + receive no traffic. + type: object + type: object + type: array + enabled: + description: |- + Enable locality load balancing. This is DestinationRule-level and will override mesh-wide settings in entirety. + e.g. true means that turn on locality load balancing for this DestinationRule no matter what mesh-wide settings is. + type: boolean + failover: + description: |- + Optional: only one of distribute, failover or failoverPriority can be set. + Explicitly specify the region traffic will land on when endpoints in local region becomes unhealthy. + Should be used together with OutlierDetection to detect unhealthy endpoints. + Note: if no OutlierDetection specified, this will not take effect. + items: + description: |- + Specify the traffic failover policy across regions. Since zone and sub-zone + failover is supported by default this only needs to be specified for + regions when the operator needs to constrain traffic failover so that + the default behavior of failing over to any endpoint globally does not + apply. This is useful when failing over traffic across regions would not + improve service health or may need to be restricted for other reasons + like regulatory controls. + properties: + from: + description: Originating region. + type: string + to: + description: |- + Destination region the traffic will fail over to when endpoints in + the 'from' region becomes unhealthy. + type: string + type: object + type: array + failoverPriority: + description: |- + failoverPriority is an ordered list of labels used to sort endpoints to do priority based load balancing. + This is to support traffic failover across different groups of endpoints. + Two kinds of labels can be specified: + + - Specify only label keys `[key1, key2, key3]`, istio would compare the label values of client with endpoints. + Suppose there are total N label keys `[key1, key2, key3, ...keyN]` specified: + + 1. Endpoints matching all N labels with the client proxy have priority P(0) i.e. the highest priority. + 2. Endpoints matching the first N-1 labels with the client proxy have priority P(1) i.e. second highest priority. + 3. By extension of this logic, endpoints matching only the first label with the client proxy has priority P(N-1) i.e. second lowest priority. + 4. All the other endpoints have priority P(N) i.e. lowest priority. + + - Specify labels with key and value `[key1=value1, key2=value2, key3=value3]`, istio would compare the labels with endpoints. + Suppose there are total N labels `[key1=value1, key2=value2, key3=value3, ...keyN=valueN]` specified: + + 1. Endpoints matching all N labels have priority P(0) i.e. the highest priority. + 2. Endpoints matching the first N-1 labels have priority P(1) i.e. second highest priority. + 3. By extension of this logic, endpoints matching only the first label has priority P(N-1) i.e. second lowest priority. + 4. All the other endpoints have priority P(N) i.e. lowest priority. + + Note: For a label to be considered for match, the previous labels must match, i.e. nth label would be considered matched only if first n-1 labels match. + + It can be any label specified on both client and server workloads. + The following labels which have special semantic meaning are also supported: + + - `topology.istio.io/network` is used to match the network metadata of an endpoint, which can be specified by pod/namespace label `topology.istio.io/network`, sidecar env `ISTIO_META_NETWORK` or MeshNetworks. + - `topology.istio.io/cluster` is used to match the clusterID of an endpoint, which can be specified by pod label `topology.istio.io/cluster` or pod env `ISTIO_META_CLUSTER_ID`. + - `topology.kubernetes.io/region` is used to match the region metadata of an endpoint, which maps to Kubernetes node label `topology.kubernetes.io/region` or the deprecated label `failure-domain.beta.kubernetes.io/region`. + - `topology.kubernetes.io/zone` is used to match the zone metadata of an endpoint, which maps to Kubernetes node label `topology.kubernetes.io/zone` or the deprecated label `failure-domain.beta.kubernetes.io/zone`. + - `topology.istio.io/subzone` is used to match the subzone metadata of an endpoint, which maps to Istio node label `topology.istio.io/subzone`. + - `kubernetes.io/hostname` is used to match the current node of an endpoint, which maps to Kubernetes node label `kubernetes.io/hostname`. + + The below topology config indicates the following priority levels: + + ```yaml + failoverPriority: + - "topology.istio.io/network" + - "topology.kubernetes.io/region" + - "topology.kubernetes.io/zone" + - "topology.istio.io/subzone" + ``` + + 1. endpoints match same [network, region, zone, subzone] label with the client proxy have the highest priority. + 2. endpoints have same [network, region, zone] label but different [subzone] label with the client proxy have the second highest priority. + 3. endpoints have same [network, region] label but different [zone] label with the client proxy have the third highest priority. + 4. endpoints have same [network] but different [region] labels with the client proxy have the fourth highest priority. + 5. all the other endpoints have the same lowest priority. + + Suppose a service associated endpoints reside in multi clusters, the below example represents: + 1. endpoints in `clusterA` and has `version=v1` label have P(0) priority. + 2. endpoints not in `clusterA` but has `version=v1` label have P(1) priority. + 2. all the other endpoints have P(2) priority. + + ```yaml + failoverPriority: + - "version=v1" + - "topology.istio.io/cluster=clusterA" + ``` + + Optional: only one of distribute, failover or failoverPriority can be set. + And it should be used together with `OutlierDetection` to detect unhealthy endpoints, otherwise has no effect. + items: + type: string + type: array + type: object + meshMTLS: + description: "The below configuration parameters can be used + to specify TLSConfig for mesh traffic.\nFor example, a user + could enable min TLS version for ISTIO_MUTUAL traffic and + specify a curve for non ISTIO_MUTUAL traffic like below:\n```yaml\nmeshConfig:\n\n\tmeshMTLS:\n\t + \ minProtocolVersion: TLSV1_3\n\ttlsDefaults:\n\t Note: + applicable only for non ISTIO_MUTUAL scenarios\n\t ecdhCurves:\n\t + \ - P-256\n\t - P-512\n\n```\nConfiguration of mTLS + for traffic between workloads with ISTIO_MUTUAL TLS traffic.\n\nNote: + Mesh mTLS does not respect ECDH curves." + properties: + cipherSuites: + description: |- + Optional: If specified, the TLS connection will only support the specified cipher list when negotiating TLS 1.0-1.2. + If not specified, the following cipher suites will be used: + ``` + ECDHE-ECDSA-AES256-GCM-SHA384 + ECDHE-RSA-AES256-GCM-SHA384 + ECDHE-ECDSA-AES128-GCM-SHA256 + ECDHE-RSA-AES128-GCM-SHA256 + AES256-GCM-SHA384 + AES128-GCM-SHA256 + ``` + items: + type: string + type: array + ecdhCurves: + description: |- + Optional: If specified, the TLS connection will only support the specified ECDH curves for the DH key exchange. + If not specified, the default curves enforced by Envoy will be used. For details about the default curves, refer to + [Ecdh Curves](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto). + items: + type: string + type: array + minProtocolVersion: + description: |- + Optional: the minimum TLS protocol version. The default minimum + TLS version will be TLS 1.2. As servers may not be Envoy and be + set to TLS 1.2 (e.g., workloads using mTLS without sidecars), the + minimum TLS version for clients may also be TLS 1.2. + In the current Istio implementation, the maximum TLS protocol version + is TLS 1.3. + enum: + - TLS_AUTO + - TLSV1_2 + - TLSV1_3 + type: string + type: object + outboundClusterStatName: + description: |- + Name to be used while emitting statistics for outbound clusters. The same pattern is used while computing stat prefix for + network filters like TCP and Redis. + By default, Istio emits statistics with the pattern `outbound|||`. + For example `outbound|8080|v2|reviews.prod.svc.cluster.local`. This can be used to override that pattern. + + A Pattern can be composed of various pre-defined variables. The following variables are supported. + + - `%SERVICE%` - Will be substituted with short hostname of the service. + - `%SERVICE_NAME%` - Will be substituted with name of the service. + - `%SERVICE_FQDN%` - Will be substituted with FQDN of the service. + - `%SERVICE_PORT%` - Will be substituted with port of the service. + - `%SERVICE_PORT_NAME%` - Will be substituted with port name of the service. + - `%SUBSET_NAME%` - Will be substituted with subset. + + Following are some examples of supported patterns for reviews: + + - `%SERVICE_FQDN%_%SERVICE_PORT%` will use `reviews.prod.svc.cluster.local_7443` as the stats name. + - `%SERVICE%` will use reviews.prod as the stats name. + type: string + outboundTrafficPolicy: + description: |- + Set the default behavior of the sidecar for handling outbound + traffic from the application. + + Can be overridden at a Sidecar level by setting the `OutboundTrafficPolicy` in the + [Sidecar API](https://istio.io/docs/reference/config/networking/sidecar/#OutboundTrafficPolicy). + + Default mode is `ALLOW_ANY`, which means outbound traffic to unknown destinations will be allowed. + properties: + mode: + enum: + - REGISTRY_ONLY + - ALLOW_ANY + type: string + type: object + pathNormalization: + description: |- + ProxyPathNormalization configures how URL paths in incoming and outgoing HTTP requests are + normalized by the sidecars and gateways. + The normalized paths will be used in all aspects through the requests' lifetime on the + sidecars and gateways, which includes routing decisions in outbound direction (client proxy), + authorization policy match and enforcement in inbound direction (server proxy), and the URL + path proxied to the upstream service. + If not set, the NormalizationType.DEFAULT configuration will be used. + properties: + normalization: + enum: + - DEFAULT + - NONE + - BASE + - MERGE_SLASHES + - DECODE_AND_MERGE_SLASHES + type: string + type: object + protocolDetectionTimeout: + description: |- + Automatic protocol detection uses a set of heuristics to + determine whether the connection is using TLS or not (on the + server side), as well as the application protocol being used + (e.g., http vs tcp). These heuristics rely on the client sending + the first bits of data. For server first protocols like MySQL, + MongoDB, etc. Envoy will timeout on the protocol detection after + the specified period, defaulting to non mTLS plain TCP + traffic. Set this field to tweak the period that Envoy will wait + for the client to send the first bits of data. (MUST be >=1ms or + 0s to disable). Default detection timeout is 0s (no timeout). + + Setting a timeout is not recommended nor safe. Even high timeouts (>5s) will be hit + occasionally, and when they occur the result is typically broken traffic that may not + recover on its own. Exceptionally high values might solve this, but injecting 60s delays + onto new connections is generally not tenable anyways. + type: string + proxyHttpPort: + description: Port on which Envoy should listen for HTTP PROXY + requests if set. + format: int32 + type: integer + proxyInboundListenPort: + description: |- + Port on which Envoy should listen for all inbound traffic to the pod/vm will be captured to. + Default port is 15006. + format: int32 + type: integer + proxyListenPort: + description: |- + Port on which Envoy should listen for all outbound traffic to other services. + Default port is 15001. + format: int32 + type: integer + rootNamespace: + description: |- + The namespace to treat as the administrative root namespace for + Istio configuration. When processing a leaf namespace Istio will search for + declarations in that namespace first and if none are found it will + search in the root namespace. Any matching declaration found in the root + namespace is processed as if it were declared in the leaf namespace. + + The precise semantics of this processing are documented on each resource + type. + type: string + serviceScopeConfigs: + description: Scope to be applied to select services. + items: + description: |- + Configuration for ambient mode multicluster service scope. This setting allows mesh administrators + to define the criteria by which the cluster's control plane determines which services in other + clusters in the mesh are treated as global (accessible across multiple clusters) versus local + (restricted to a single cluster). The configuration can be applied to services based on namespace + and/or other matching criteria. This is particularly useful in multicluster service mesh deployments + to control service visibility and access across clusters. This API is not intended to enforce + security policies. Resources like DestinationRules should be used to enforce authorization policies. + If a service matches a global service scope selector, the service's endpoints will be globally + exposed. If a service is locally scoped, its endpoints will only be exposed to local cluster + services. + + For example, the following configures the scope of all services with the "istio.io/global" label + in matching namespaces to be available globally: + + ```yaml + serviceScopeConfigs: + - namespacesSelector: + matchExpressions: + - key: istio.io/global + operator: In + values: [true] + servicesSelector: + matchExpressions: + - key: istio.io/global + operator: Exists + scope: GLOBAL + + ``` + properties: + namespaceSelector: + description: Match expression for namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + scope: + description: Specifics the available scope for matching + services. + enum: + - LOCAL + - GLOBAL + type: string + servicesSelector: + description: Match expression for serivces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: array + serviceSettings: + description: Settings to be applied to select services. + items: + description: |- + Settings to be applied to select services. + + For example, the following configures all services in namespace "foo" as well as the + "bar" service in namespace "baz" to be considered cluster-local: + + ```yaml + serviceSettings: + - settings: + clusterLocal: true + hosts: + - "*.foo.svc.cluster.local" + - "bar.baz.svc.cluster.local" + + ``` + + When in ambient mode, if ServiceSettings are defined they will be considered in addition to the + ServiceScopeConfigs. If a service is defined by ServiceSetting to be cluster local and matches a + global service scope selector, the service will be considered cluster local. If a service is + considered global by ServiceSettings and does not match a global service scope selector + the serive will be considered local. Local scope takes precedence over global scope. Since + ServiceScopeConfigs is local by default, all services are considered local unless it is considered + global by ServiceSettings AND ServiceScopeConfigs. + properties: + hosts: + description: |- + The services to which the Settings should be applied. Services are selected using the hostname + matching rules used by DestinationRule. + + For example: foo.bar.svc.cluster.local, *.baz.svc.cluster.local + items: + type: string + type: array + settings: + description: The settings to apply to the selected services. + properties: + clusterLocal: + description: |- + If true, specifies that the client and service endpoints must reside in the same cluster. + By default, in multi-cluster deployments, the Istio control plane assumes all service + endpoints to be reachable from any client in any of the clusters which are part of the + mesh. This configuration option limits the set of service endpoints visible to a client + to be cluster scoped. + + There are some common scenarios when this can be useful: + + - A service (or group of services) is inherently local to the cluster and has local storage + for that cluster. For example, the kube-system namespace (e.g. the Kube API Server). + - A mesh administrator wants to slowly migrate services to Istio. They might start by first + having services cluster-local and then slowly transition them to mesh-wide. They could do + this service-by-service (e.g. mysvc.myns.svc.cluster.local) or as a group + (e.g. *.myns.svc.cluster.local). + + By default Istio will consider kubernetes.default.svc (i.e. the API Server) as well as all + services in the kube-system namespace to be cluster-local, unless explicitly overridden here. + type: boolean + type: object + type: object + type: array + tcpKeepalive: + description: If set then set `SO_KEEPALIVE` on the socket + to enable TCP Keepalives. + properties: + interval: + description: |- + The time duration between keep-alive probes. + Default is to use the OS level configuration + (unless overridden, Linux defaults to 75s.) + type: string + probes: + description: |- + Maximum number of keepalive probes to send without response before + deciding the connection is dead. Default is to use the OS level configuration + (unless overridden, Linux defaults to 9.) + format: int32 + type: integer + time: + description: |- + The time duration a connection needs to be idle before keep-alive + probes start being sent. Default is to use the OS level configuration + (unless overridden, Linux defaults to 7200s (ie 2 hours.) + type: string + type: object + tlsDefaults: + description: |- + Configuration of TLS for all traffic except for ISTIO_MUTUAL mode. + Currently, this supports configuration of ecdhCurves and cipherSuites only. + For ISTIO_MUTUAL TLS settings, use meshMTLS configuration. + properties: + cipherSuites: + description: |- + Optional: If specified, the TLS connection will only support the specified cipher list when negotiating TLS 1.0-1.2. + If not specified, the following cipher suites will be used: + ``` + ECDHE-ECDSA-AES256-GCM-SHA384 + ECDHE-RSA-AES256-GCM-SHA384 + ECDHE-ECDSA-AES128-GCM-SHA256 + ECDHE-RSA-AES128-GCM-SHA256 + AES256-GCM-SHA384 + AES128-GCM-SHA256 + ``` + items: + type: string + type: array + ecdhCurves: + description: |- + Optional: If specified, the TLS connection will only support the specified ECDH curves for the DH key exchange. + If not specified, the default curves enforced by Envoy will be used. For details about the default curves, refer to + [Ecdh Curves](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto). + items: + type: string + type: array + minProtocolVersion: + description: |- + Optional: the minimum TLS protocol version. The default minimum + TLS version will be TLS 1.2. As servers may not be Envoy and be + set to TLS 1.2 (e.g., workloads using mTLS without sidecars), the + minimum TLS version for clients may also be TLS 1.2. + In the current Istio implementation, the maximum TLS protocol version + is TLS 1.3. + enum: + - TLS_AUTO + - TLSV1_2 + - TLSV1_3 + type: string + type: object + trustDomain: + description: |- + The trust domain corresponds to the trust root of a system. + Refer to [SPIFFE-ID](https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain) + type: string + trustDomainAliases: + description: |- + The trust domain aliases represent the aliases of `trustDomain`. + For example, if we have + ```yaml + trustDomain: td1 + trustDomainAliases: ["td2", "td3"] + ``` + Any service with the identity `td1/ns/foo/sa/a-service-account`, `td2/ns/foo/sa/a-service-account`, + or `td3/ns/foo/sa/a-service-account` will be treated the same in the Istio mesh. + items: + type: string + type: array + verifyCertificateAtClient: + description: |- + `VerifyCertificateAtClient` sets the mesh global default for peer certificate validation + at the client-side proxy when `SIMPLE` TLS or `MUTUAL` TLS (non `ISTIO_MUTUAL`) origination + modes are used. This setting can be overridden at the host level via DestinationRule API. + By default, `VerifyCertificateAtClient` is `true`. + + `CaCertificates`: If set, proxy verifies CA signature based on given CaCertificates. If unset, + and VerifyCertificateAtClient is true, proxy uses default System CA bundle. If unset and + `VerifyCertificateAtClient` is false, proxy will not verify the CA. + + `SubjectAltNames`: If set, proxy verifies subject alt names are present in the SAN. If unset, + and `VerifyCertificateAtClient` is true, proxy uses host in destination rule to verify the SANs. + If unset, and `VerifyCertificateAtClient` is false, proxy does not verify SANs. + + For SAN, client-side proxy will exact match host in `DestinationRule` as well as one level + wildcard if the specified host in DestinationRule doesn't contain a wildcard. + For example, if the host in `DestinationRule` is `x.y.com`, client-side proxy will + match either `x.y.com` or `*.y.com` for the SAN in the presented server certificate. + For wildcard host name in DestinationRule, client-side proxy will do a suffix match. For example, + if host is `*.x.y.com`, client-side proxy will verify the presented server certificate SAN matches + `.x.y.com` suffix. + + Deprecated: Marked as deprecated in mesh/v1alpha1/config.proto. + type: boolean + type: object + pilot: + description: Configuration for the Pilot component. + properties: + affinity: + description: K8s affinity to set on the Pilot Pods. + properties: + nodeAffinity: + description: Describes node affinity scheduling rules + for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node matches the corresponding matchExpressions; the + node(s) with the highest sum are the most preferred. + items: + description: |- + An empty preferred scheduling term matches all objects with implicit weight 0 + (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). + properties: + preference: + description: A node selector term, associated + with the corresponding weight. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the + selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the + selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching + the corresponding nodeSelectorTerm, in the + range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector + terms. The terms are ORed. + items: + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the + selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the + selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: Describes pod affinity scheduling rules (e.g. + co-locate this pod in the same node, zone, etc. as some + other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. + items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling rules + (e.g. avoid putting this pod in the same node, zone, + etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the anti-affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, etc.), + compute a sum by iterating through the elements of this field and subtracting + "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the anti-affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the anti-affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. + items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: object + autoscaleBehavior: + description: See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#configurable-scaling-behavior + properties: + scaleDown: + description: |- + scaleDown is scaling policy for scaling Down. + If not set, the default value is to allow to scale down to minReplicas pods, with a + 300 second stabilization window (i.e., the highest recommendation for + the last 300sec is used). + properties: + policies: + description: |- + policies is a list of potential scaling polices which can be used during scaling. + If not set, use the default values: + - For scale up: allow doubling the number of pods, or an absolute change of 4 pods in a 15s window. + - For scale down: allow all pods to be removed in a 15s window. + items: + description: HPAScalingPolicy is a single policy + which must hold true for a specified past interval. + properties: + periodSeconds: + description: |- + periodSeconds specifies the window of time for which the policy should hold true. + PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min). + format: int32 + type: integer + type: + description: type is used to specify the scaling + policy. + type: string + value: + description: |- + value contains the amount of change which is permitted by the policy. + It must be greater than zero + format: int32 + type: integer + required: + - periodSeconds + - type + - value + type: object + type: array + x-kubernetes-list-type: atomic + selectPolicy: + description: |- + selectPolicy is used to specify which policy should be used. + If not set, the default value Max is used. + type: string + stabilizationWindowSeconds: + description: |- + stabilizationWindowSeconds is the number of seconds for which past recommendations should be + considered while scaling up or scaling down. + StabilizationWindowSeconds must be greater than or equal to zero and less than or equal to 3600 (one hour). + If not set, use the default values: + - For scale up: 0 (i.e. no stabilization is done). + - For scale down: 300 (i.e. the stabilization window is 300 seconds long). + format: int32 + type: integer + tolerance: + anyOf: + - type: integer + - type: string + description: |- + tolerance is the tolerance on the ratio between the current and desired + metric value under which no updates are made to the desired number of + replicas (e.g. 0.01 for 1%). Must be greater than or equal to zero. If not + set, the default cluster-wide tolerance is applied (by default 10%). + + For example, if autoscaling is configured with a memory consumption target of 100Mi, + and scale-down and scale-up tolerances of 5% and 1% respectively, scaling will be + triggered when the actual consumption falls below 95Mi or exceeds 101Mi. + + This is an alpha field and requires enabling the HPAConfigurableTolerance + feature gate. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + scaleUp: + description: |- + scaleUp is scaling policy for scaling Up. + If not set, the default value is the higher of: + * increase no more than 4 pods per 60 seconds + * double the number of pods per 60 seconds + No stabilization is used. + properties: + policies: + description: |- + policies is a list of potential scaling polices which can be used during scaling. + If not set, use the default values: + - For scale up: allow doubling the number of pods, or an absolute change of 4 pods in a 15s window. + - For scale down: allow all pods to be removed in a 15s window. + items: + description: HPAScalingPolicy is a single policy + which must hold true for a specified past interval. + properties: + periodSeconds: + description: |- + periodSeconds specifies the window of time for which the policy should hold true. + PeriodSeconds must be greater than zero and less than or equal to 1800 (30 min). + format: int32 + type: integer + type: + description: type is used to specify the scaling + policy. + type: string + value: + description: |- + value contains the amount of change which is permitted by the policy. + It must be greater than zero + format: int32 + type: integer + required: + - periodSeconds + - type + - value + type: object + type: array + x-kubernetes-list-type: atomic + selectPolicy: + description: |- + selectPolicy is used to specify which policy should be used. + If not set, the default value Max is used. + type: string + stabilizationWindowSeconds: + description: |- + stabilizationWindowSeconds is the number of seconds for which past recommendations should be + considered while scaling up or scaling down. + StabilizationWindowSeconds must be greater than or equal to zero and less than or equal to 3600 (one hour). + If not set, use the default values: + - For scale up: 0 (i.e. no stabilization is done). + - For scale down: 300 (i.e. the stabilization window is 300 seconds long). + format: int32 + type: integer + tolerance: + anyOf: + - type: integer + - type: string + description: |- + tolerance is the tolerance on the ratio between the current and desired + metric value under which no updates are made to the desired number of + replicas (e.g. 0.01 for 1%). Must be greater than or equal to zero. If not + set, the default cluster-wide tolerance is applied (by default 10%). + + For example, if autoscaling is configured with a memory consumption target of 100Mi, + and scale-down and scale-up tolerances of 5% and 1% respectively, scaling will be + triggered when the actual consumption falls below 95Mi or exceeds 101Mi. + + This is an alpha field and requires enabling the HPAConfigurableTolerance + feature gate. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + autoscaleEnabled: + description: Controls whether a HorizontalPodAutoscaler is + installed for Pilot. + type: boolean + autoscaleMax: + description: Maximum number of replicas in the HorizontalPodAutoscaler + for Pilot. + format: int32 + type: integer + autoscaleMin: + description: Minimum number of replicas in the HorizontalPodAutoscaler + for Pilot. + format: int32 + type: integer + cni: + description: Configures whether to use an existing CNI installation + for workloads + properties: + enabled: + description: Controls whether CNI should be used. + type: boolean + provider: + description: |- + Specifies the CNI provider. Can be either "default" or "multus". When set to "multus", an annotation + `k8s.v1.cni.cncf.io/networks` is set on injected pods to point to a NetworkAttachmentDefinition + type: string + type: object + configMap: + description: |- + Configuration settings passed to Pilot as a ConfigMap. + + This controls whether the mesh config map, generated from values.yaml is generated. + If false, pilot wil use default values or user-supplied values, in that order of preference. + type: boolean + cpu: + description: |- + Target CPU utilization used in HorizontalPodAutoscaler. + + See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ + + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. + properties: + targetAverageUtilization: + description: |- + K8s utilization setting for HorizontalPodAutoscaler target. + + See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ + format: int32 + type: integer + type: object + deploymentLabels: + additionalProperties: + type: string + description: |- + Labels that are added to Pilot deployment. + + See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + type: object + enabled: + description: Controls whether Pilot is enabled. + type: boolean + env: + additionalProperties: + type: string + description: "Environment variables passed to the Pilot container.\n\nExamples:\nenv:\n\n\tENV_VAR_1: + value1\n\tENV_VAR_2: value2" + type: object + envVarFrom: + description: Configuration for the istio-discovery chart + items: + description: EnvVar represents an environment variable present + in a Container. + properties: + name: + description: |- + Name of the environment variable. + May consist of any printable ASCII characters except '='. + type: string + value: + description: |- + Variable references $(VAR_NAME) are expanded + using the previously defined environment variables in the container and + any service environment variables. If a variable cannot be resolved, + the reference in the input string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. + "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". + Escaped references will never be expanded, regardless of whether the variable + exists or not. + Defaults to "". + type: string + valueFrom: + description: Source for the environment variable's value. + Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the ConfigMap or + its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: |- + Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. + properties: + apiVersion: + description: Version of the schema the FieldPath + is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in + the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + fileKeyRef: + description: |- + FileKeyRef selects a key of the env file. + Requires the EnvFiles feature gate to be enabled. + properties: + key: + description: |- + The key within the env file. An invalid key will prevent the pod from starting. + The keys defined within a source may consist of any printable ASCII characters except '='. + During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters. + type: string + optional: + default: false + description: |- + Specify whether the file or its key must be defined. If the file or key + does not exist, then the env var is not published. + If optional is set to true and the specified key does not exist, + the environment variable will not be set in the Pod's containers. + + If optional is set to false and the specified key does not exist, + an error will be returned during Pod creation. + type: boolean + path: + description: |- + The path within the volume from which to select the file. + Must be relative and may not contain the '..' path or start with '..'. + type: string + volumeName: + description: The name of the volume mount containing + the env file. + type: string + required: + - key + - path + - volumeName + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. + properties: + containerName: + description: 'Container name: required for volumes, + optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format of + the exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in the pod's + namespace + properties: + key: + description: The key of the secret to select + from. Must be a valid secret key. + type: string + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: Specify whether the Secret or its + key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + extraContainerArgs: + description: Additional container arguments for the Pilot + container. + items: + type: string + type: array + hub: + description: Hub to pull the container image from. Image will + be `Hub/Image:Tag-Variant`. + type: string + image: + description: |- + Image name used for Pilot. + + This can be set either to image name if hub is also set, or can be set to the full hub:name string. + + Examples: custom-pilot, docker.io/someuser:custom-pilot + type: string + ipFamilies: + description: |- + Defines which IP family to use for single stack or the order of IP families for dual-stack. + Valid list items are "IPv4", "IPv6". + More info: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + items: + type: string + type: array + ipFamilyPolicy: + description: |- + Controls whether Services are configured to use IPv4, IPv6, or both. Valid options + are PreferDualStack, RequireDualStack, and SingleStack. + More info: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + type: string + istiodRemote: + description: Configuration for the istio-discovery chart when + istiod is running in a remote cluster (e.g. "remote control + plane"). + properties: + enabled: + description: Indicates if this cluster/install should + consume a "remote" istiod instance, + type: boolean + enabledLocalInjectorIstiod: + description: |- + If `true`, indicates that this cluster/install should consume a "local istiod" installation, + local istiod inject sidecars + type: boolean + injectionCABundle: + description: injector ca bundle + type: string + injectionPath: + description: Path to use for the sidecar injector webhook + service. + type: string + injectionURL: + description: URL to use for sidecar injector webhook. + type: string + type: object + jwksResolverExtraRootCA: + description: |- + Specifies an extra root certificate in PEM format. This certificate will be trusted + by pilot when resolving JWKS URIs. + type: string + keepaliveMaxServerConnectionAge: + description: |- + Maximum duration that a sidecar can be connected to a pilot. + + This setting balances out load across pilot instances, but adds some resource overhead. + + Examples: 300s, 30m, 1h + type: string + memory: + description: |- + Target memory utilization used in HorizontalPodAutoscaler. + + See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ + + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. + properties: + targetAverageUtilization: + description: |- + K8s utilization setting for HorizontalPodAutoscaler target. + + See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ + format: int32 + type: integer + type: object + nodeSelector: + additionalProperties: + type: string + description: |- + K8s node selector. + + See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. + type: object + podAnnotations: + additionalProperties: + type: string + description: |- + K8s annotations for pods. + + See: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. + type: object + podLabels: + additionalProperties: + type: string + description: |- + Labels that are added to Pilot pods. + + See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + type: object + replicaCount: + description: |- + Number of replicas in the Pilot Deployment. + + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. + format: int32 + type: integer + resources: + description: |- + K8s resources settings. + + See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container + + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + This field depends on the + DynamicResourceAllocation feature gate. + + This field is immutable. It can only be set for containers. + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + rollingMaxSurge: + anyOf: + - type: integer + - type: string + description: |- + K8s rolling update strategy + + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. + x-kubernetes-int-or-string: true + rollingMaxUnavailable: + anyOf: + - type: integer + - type: string + description: |- + The number of pods that can be unavailable during a rolling update (see + `strategy.rollingUpdate.maxUnavailable` here: + https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/deployment-v1/#DeploymentSpec). + May be specified as a number of pods or as a percent of the total number + of pods at the start of the update. + + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. + x-kubernetes-int-or-string: true + seccompProfile: + description: |- + The seccompProfile for the Pilot container. + + See: https://kubernetes.io/docs/tutorials/security/seccomp/ + properties: + localhostProfile: + description: |- + localhostProfile indicates a profile defined in a file on the node should be used. + The profile must be preconfigured on the node to work. + Must be a descending path, relative to the kubelet's configured seccomp profile location. + Must be set if type is "Localhost". Must NOT be set for any other type. + type: string + type: + description: |- + type indicates which kind of seccomp profile will be applied. + Valid options are: + + Localhost - a profile defined in a file on the node should be used. + RuntimeDefault - the container runtime default profile should be used. + Unconfined - no profile should be applied. + type: string + required: + - type + type: object + serviceAccountAnnotations: + additionalProperties: + type: string + description: K8s annotations for the service account + type: object + serviceAnnotations: + additionalProperties: + type: string + description: |- + K8s annotations for the Service. + + See: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + type: object + tag: + description: The container image tag to pull. Image will be + `Hub/Image:Tag-Variant`. + type: string + taint: + properties: + enabled: + description: |- + Enable the untaint controller for new nodes. This aims to solve a race for CNI installation on + new nodes. For this to work, the newly added nodes need to have the istio CNI taint as they are + added to the cluster. This is usually done by configuring the cluster infra provider. + type: boolean + namespace: + description: The namespace of the CNI daemonset, incase + it's not the same as istiod. + type: string + type: object + tolerations: + description: |- + The node tolerations to be applied to the Pilot deployment so that it can be + scheduled to particular nodes with matching taints. + More info: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling + + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + topologySpreadConstraints: + description: The k8s topologySpreadConstraints for the Pilot + pods. + items: + description: TopologySpreadConstraint specifies how to spread + matching pods among the given topology. + properties: + labelSelector: + description: |- + LabelSelector is used to find matching pods. + Pods that match this label selector are counted to determine the number of pods + in their corresponding topology domain. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select the pods over which + spreading will be calculated. The keys are used to lookup values from the + incoming pod labels, those key-value labels are ANDed with labelSelector + to select the group of existing pods over which spreading will be calculated + for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. + MatchLabelKeys cannot be set when LabelSelector isn't set. + Keys that don't exist in the incoming pod labels will + be ignored. A null or empty list means only match against labelSelector. + + This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default). + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + description: |- + MaxSkew describes the degree to which pods may be unevenly distributed. + When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference + between the number of matching pods in the target topology and the global minimum. + The global minimum is the minimum number of matching pods in an eligible domain + or zero if the number of eligible domains is less than MinDomains. + For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 2/2/1: + In this case, the global minimum is 1. + | zone1 | zone2 | zone3 | + | P P | P P | P | + - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2; + scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2) + violate MaxSkew(1). + - if MaxSkew is 2, incoming pod can be scheduled onto any zone. + When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence + to topologies that satisfy it. + It's a required field. Default value is 1 and 0 is not allowed. + format: int32 + type: integer + minDomains: + description: |- + MinDomains indicates a minimum number of eligible domains. + When the number of eligible domains with matching topology keys is less than minDomains, + Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed. + And when the number of eligible domains with matching topology keys equals or greater than minDomains, + this value has no effect on scheduling. + As a result, when the number of eligible domains is less than minDomains, + scheduler won't schedule more than maxSkew Pods to those domains. + If value is nil, the constraint behaves as if MinDomains is equal to 1. + Valid values are integers greater than 0. + When value is not nil, WhenUnsatisfiable must be DoNotSchedule. + + For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same + labelSelector spread as 2/2/2: + | zone1 | zone2 | zone3 | + | P P | P P | P P | + The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0. + In this situation, new pod with the same labelSelector cannot be scheduled, + because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, + it will violate MaxSkew. + format: int32 + type: integer + nodeAffinityPolicy: + description: |- + NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector + when calculating pod topology spread skew. Options are: + - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. + - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations. + + If this value is nil, the behavior is equivalent to the Honor policy. + type: string + nodeTaintsPolicy: + description: |- + NodeTaintsPolicy indicates how we will treat node taints when calculating + pod topology spread skew. Options are: + - Honor: nodes without taints, along with tainted nodes for which the incoming pod + has a toleration, are included. + - Ignore: node taints are ignored. All nodes are included. + + If this value is nil, the behavior is equivalent to the Ignore policy. + type: string + topologyKey: + description: |- + TopologyKey is the key of node labels. Nodes that have a label with this key + and identical values are considered to be in the same topology. + We consider each as a "bucket", and try to put balanced number + of pods into each bucket. + We define a domain as a particular instance of a topology. + Also, we define an eligible domain as a domain whose nodes meet the requirements of + nodeAffinityPolicy and nodeTaintsPolicy. + e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology. + And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology. + It's a required field. + type: string + whenUnsatisfiable: + description: |- + WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy + the spread constraint. + - DoNotSchedule (default) tells the scheduler not to schedule it. + - ScheduleAnyway tells the scheduler to schedule the pod in any location, + but giving higher precedence to topologies that would help reduce the + skew. + A constraint is considered "Unsatisfiable" for an incoming pod + if and only if every possible node assignment for that pod would violate + "MaxSkew" on some topology. + For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same + labelSelector spread as 3/1/1: + | zone1 | zone2 | zone3 | + | P P P | P | P | + If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled + to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies + MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler + won't make it *more* imbalanced. + It's a required field. + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array + traceSampling: + description: |- + Trace sampling fraction. + + Used to set the fraction of time that traces are sampled. Higher values are more accurate but add CPU overhead. + + Allowed values: 0.0 to 1.0 + type: number + trustedZtunnelNamespace: + description: |- + If set, `istiod` will allow connections from trusted node proxy ztunnels + in the provided namespace. + type: string + variant: + description: The container image variant to pull. Options + are "debug" or "distroless". Unset will use the default + for the given version. + type: string + volumeMounts: + description: Additional volumeMounts to add to the Pilot container. + items: + description: VolumeMount describes a mounting of a Volume + within a container. + properties: + mountPath: + description: |- + Path within the container at which the volume should be mounted. Must + not contain ':'. + type: string + mountPropagation: + description: |- + mountPropagation determines how mounts are propagated from the host + to container and the other way around. + When not set, MountPropagationNone is used. + This field is beta in 1.10. + When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified + (which defaults to None). + type: string + name: + description: This must match the Name of a Volume. + type: string + readOnly: + description: |- + Mounted read-only if true, read-write otherwise (false or unspecified). + Defaults to false. + type: boolean + recursiveReadOnly: + description: |- + RecursiveReadOnly specifies whether read-only mounts should be handled + recursively. + + If ReadOnly is false, this field has no meaning and must be unspecified. + + If ReadOnly is true, and this field is set to Disabled, the mount is not made + recursively read-only. If this field is set to IfPossible, the mount is made + recursively read-only, if it is supported by the container runtime. If this + field is set to Enabled, the mount is made recursively read-only if it is + supported by the container runtime, otherwise the pod will not be started and + an error will be generated to indicate the reason. + + If this field is set to IfPossible or Enabled, MountPropagation must be set to + None (or be unspecified, which defaults to None). + + If this field is not specified, it is treated as an equivalent of Disabled. + type: string + subPath: + description: |- + Path within the volume from which the container's volume should be mounted. + Defaults to "" (volume's root). + type: string + subPathExpr: + description: |- + Expanded path within the volume from which the container's volume should be mounted. + Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. + Defaults to "" (volume's root). + SubPathExpr and SubPath are mutually exclusive. + type: string + required: + - mountPath + - name + type: object + type: array + volumes: + description: Additional volumes to add to the Pilot Pod. + items: + description: Volume represents a named volume in a pod that + may be accessed by any container in the pod. + properties: + awsElasticBlockStore: + description: |- + awsElasticBlockStore represents an AWS Disk resource that is attached to a + kubelet's host machine and then exposed to the pod. + Deprecated: AWSElasticBlockStore is deprecated. All operations for the in-tree + awsElasticBlockStore type are redirected to the ebs.csi.aws.com CSI driver. + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + properties: + fsType: + description: |- + fsType is the filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + type: string + partition: + description: |- + partition is the partition in the volume that you want to mount. + If omitted, the default is to mount by volume name. + Examples: For volume /dev/sda1, you specify the partition as "1". + Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). + format: int32 + type: integer + readOnly: + description: |- + readOnly value true will force the readOnly setting in VolumeMounts. + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + type: boolean + volumeID: + description: |- + volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume). + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + type: string + required: + - volumeID + type: object + azureDisk: + description: |- + azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod. + Deprecated: AzureDisk is deprecated. All operations for the in-tree azureDisk type + are redirected to the disk.csi.azure.com CSI driver. + properties: + cachingMode: + description: 'cachingMode is the Host Caching mode: + None, Read Only, Read Write.' + type: string + diskName: + description: diskName is the Name of the data disk + in the blob storage + type: string + diskURI: + description: diskURI is the URI of data disk in + the blob storage + type: string + fsType: + default: ext4 + description: |- + fsType is Filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + kind: + description: 'kind expected values are Shared: multiple + blob disks per storage account Dedicated: single + blob disk per storage account Managed: azure + managed data disk (only in managed availability + set). defaults to shared' + type: string + readOnly: + default: false + description: |- + readOnly Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + required: + - diskName + - diskURI + type: object + azureFile: + description: |- + azureFile represents an Azure File Service mount on the host and bind mount to the pod. + Deprecated: AzureFile is deprecated. All operations for the in-tree azureFile type + are redirected to the file.csi.azure.com CSI driver. + properties: + readOnly: + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + secretName: + description: secretName is the name of secret that + contains Azure Storage Account Name and Key + type: string + shareName: + description: shareName is the azure share Name + type: string + required: + - secretName + - shareName + type: object + cephfs: + description: |- + cephFS represents a Ceph FS mount on the host that shares a pod's lifetime. + Deprecated: CephFS is deprecated and the in-tree cephfs type is no longer supported. + properties: + monitors: + description: |- + monitors is Required: Monitors is a collection of Ceph monitors + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + items: + type: string + type: array + x-kubernetes-list-type: atomic + path: + description: 'path is Optional: Used as the mounted + root, rather than the full Ceph tree, default + is /' + type: string + readOnly: + description: |- + readOnly is Optional: Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + type: boolean + secretFile: + description: |- + secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + type: string + secretRef: + description: |- + secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty. + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + user: + description: |- + user is optional: User is the rados user name, default is admin + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + type: string + required: + - monitors + type: object + cinder: + description: |- + cinder represents a cinder volume attached and mounted on kubelets host machine. + Deprecated: Cinder is deprecated. All operations for the in-tree cinder type + are redirected to the cinder.csi.openstack.org CSI driver. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md + type: string + readOnly: + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md + type: boolean + secretRef: + description: |- + secretRef is optional: points to a secret object containing parameters used to connect + to OpenStack. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + volumeID: + description: |- + volumeID used to identify the volume in cinder. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md + type: string + required: + - volumeID + type: object + configMap: + description: configMap represents a configMap that should + populate this volume + properties: + defaultMode: + description: |- + defaultMode is optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + items: + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + ConfigMap will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the ConfigMap, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + items: + description: Maps a string key to a path within + a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: optional specify whether the ConfigMap + or its keys must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + csi: + description: csi (Container Storage Interface) represents + ephemeral storage that is handled by certain external + CSI drivers. + properties: + driver: + description: |- + driver is the name of the CSI driver that handles this volume. + Consult with your admin for the correct name as registered in the cluster. + type: string + fsType: + description: |- + fsType to mount. Ex. "ext4", "xfs", "ntfs". + If not provided, the empty value is passed to the associated CSI driver + which will determine the default filesystem to apply. + type: string + nodePublishSecretRef: + description: |- + nodePublishSecretRef is a reference to the secret object containing + sensitive information to pass to the CSI driver to complete the CSI + NodePublishVolume and NodeUnpublishVolume calls. + This field is optional, and may be empty if no secret is required. If the + secret object contains more than one secret, all secret references are passed. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + readOnly: + description: |- + readOnly specifies a read-only configuration for the volume. + Defaults to false (read/write). + type: boolean + volumeAttributes: + additionalProperties: + type: string + description: |- + volumeAttributes stores driver-specific properties that are passed to the CSI + driver. Consult your driver's documentation for supported values. + type: object + required: + - driver + type: object + downwardAPI: + description: downwardAPI represents downward API about + the pod that should populate this volume + properties: + defaultMode: + description: |- + Optional: mode bits to use on created files by default. Must be a + Optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + items: + description: Items is a list of downward API volume + file + items: + description: DownwardAPIVolumeFile represents + information to create the file containing the + pod field + properties: + fieldRef: + description: 'Required: Selects a field of + the pod: only annotations, labels, name, + namespace and uid are supported.' + properties: + apiVersion: + description: Version of the schema the + FieldPath is written in terms of, defaults + to "v1". + type: string + fieldPath: + description: Path of the field to select + in the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + description: |- + Optional: mode bits used to set permissions on this file, must be an octal value + between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: 'Required: Path is the relative + path name of the file to be created. Must + not be absolute or contain the ''..'' path. + Must be utf-8 encoded. The first item of + the relative path must not start with ''..''' + type: string + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. + properties: + containerName: + description: 'Container name: required + for volumes, optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format + of the exposed resources, defaults to + "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + x-kubernetes-list-type: atomic + type: object + emptyDir: + description: |- + emptyDir represents a temporary directory that shares a pod's lifetime. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + properties: + medium: + description: |- + medium represents what type of storage medium should back this directory. + The default is "" which means to use the node's default medium. + Must be an empty string (default) or Memory. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + type: string + sizeLimit: + anyOf: + - type: integer + - type: string + description: |- + sizeLimit is the total amount of local storage required for this EmptyDir volume. + The size limit is also applicable for memory medium. + The maximum usage on memory medium EmptyDir would be the minimum value between + the SizeLimit specified here and the sum of memory limits of all containers in a pod. + The default is nil which means that the limit is undefined. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + ephemeral: + description: |- + ephemeral represents a volume that is handled by a cluster storage driver. + The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts, + and deleted when the pod is removed. + + Use this if: + a) the volume is only needed while the pod runs, + b) features of normal volumes like restoring from snapshot or capacity + tracking are needed, + c) the storage driver is specified through a storage class, and + d) the storage driver supports dynamic volume provisioning through + a PersistentVolumeClaim (see EphemeralVolumeSource for more + information on the connection between this volume type + and PersistentVolumeClaim). + + Use PersistentVolumeClaim or one of the vendor-specific + APIs for volumes that persist for longer than the lifecycle + of an individual pod. + + Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to + be used that way - see the documentation of the driver for + more information. + + A pod can use both types of ephemeral volumes and + persistent volumes at the same time. + properties: + volumeClaimTemplate: + description: |- + Will be used to create a stand-alone PVC to provision the volume. + The pod in which this EphemeralVolumeSource is embedded will be the + owner of the PVC, i.e. the PVC will be deleted together with the + pod. The name of the PVC will be `-` where + `` is the name from the `PodSpec.Volumes` array + entry. Pod validation will reject the pod if the concatenated name + is not valid for a PVC (for example, too long). + + An existing PVC with that name that is not owned by the pod + will *not* be used for the pod to avoid using an unrelated + volume by mistake. Starting the pod is then blocked until + the unrelated PVC is removed. If such a pre-created PVC is + meant to be used by the pod, the PVC has to updated with an + owner reference to the pod once the pod exists. Normally + this should not be necessary, but it may be useful when + manually reconstructing a broken cluster. + + This field is read-only and no changes will be made by Kubernetes + to the PVC after it has been created. + + Required, must not be nil. + properties: + metadata: + description: |- + May contain labels and annotations that will be copied into the PVC + when creating it. No other fields are allowed and will be rejected during + validation. + type: object + spec: + description: |- + The specification for the PersistentVolumeClaim. The entire content is + copied unchanged into the PVC that gets created from this + template. The same fields as in a PersistentVolumeClaim + are also valid here. + properties: + accessModes: + description: |- + accessModes contains the desired access modes the volume should have. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 + items: + type: string + type: array + x-kubernetes-list-type: atomic + dataSource: + description: |- + dataSource field can be used to specify either: + * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) + * An existing PVC (PersistentVolumeClaim) + If the provisioner or an external controller can support the specified data source, + it will create a new volume based on the contents of the specified data source. + When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, + and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. + If the namespace is specified, then dataSourceRef will not be copied to dataSource. + properties: + apiGroup: + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. + type: string + kind: + description: Kind is the type of resource + being referenced + type: string + name: + description: Name is the name of resource + being referenced + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + description: |- + dataSourceRef specifies the object from which to populate the volume with data, if a non-empty + volume is desired. This may be any object from a non-empty API group (non + core object) or a PersistentVolumeClaim object. + When this field is specified, volume binding will only succeed if the type of + the specified object matches some installed volume populator or dynamic + provisioner. + This field will replace the functionality of the dataSource field and as such + if both fields are non-empty, they must have the same value. For backwards + compatibility, when namespace isn't specified in dataSourceRef, + both fields (dataSource and dataSourceRef) will be set to the same + value automatically if one of them is empty and the other is non-empty. + When namespace is specified in dataSourceRef, + dataSource isn't set to the same value and must be empty. + There are three important differences between dataSource and dataSourceRef: + * While dataSource only allows two specific types of objects, dataSourceRef + allows any non-core object, as well as PersistentVolumeClaim objects. + * While dataSource ignores disallowed values (dropping them), dataSourceRef + preserves all values, and generates an error if a disallowed value is + specified. + * While dataSource only allows local objects, dataSourceRef allows objects + in any namespaces. + (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. + (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. + properties: + apiGroup: + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. + type: string + kind: + description: Kind is the type of resource + being referenced + type: string + name: + description: Name is the name of resource + being referenced + type: string + namespace: + description: |- + Namespace is the namespace of resource being referenced + Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. + (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. + type: string + required: + - kind + - name + type: object + resources: + description: |- + resources represents the minimum resources the volume should have. + If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements + that are lower than previous value but must still be higher than capacity recorded in the + status field of the claim. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + selector: + description: selector is a label query over + volumes to consider for binding. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + description: |- + storageClassName is the name of the StorageClass required by the claim. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 + type: string + volumeAttributesClassName: + description: |- + volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. + If specified, the CSI driver will create or update the volume with the attributes defined + in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, + it can be changed after the claim is created. An empty string or nil value indicates that no + VolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state, + this field can be reset to its previous value (including nil) to cancel the modification. + If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be + set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource + exists. + More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ + type: string + volumeMode: + description: |- + volumeMode defines what type of volume is required by the claim. + Value of Filesystem is implied when not included in claim spec. + type: string + volumeName: + description: volumeName is the binding reference + to the PersistentVolume backing this claim. + type: string + type: object + required: + - spec + type: object + type: object + fc: + description: fc represents a Fibre Channel resource + that is attached to a kubelet's host machine and then + exposed to the pod. + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + lun: + description: 'lun is Optional: FC target lun number' + format: int32 + type: integer + readOnly: + description: |- + readOnly is Optional: Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + targetWWNs: + description: 'targetWWNs is Optional: FC target + worldwide names (WWNs)' + items: + type: string + type: array + x-kubernetes-list-type: atomic + wwids: + description: |- + wwids Optional: FC volume world wide identifiers (wwids) + Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously. + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + flexVolume: + description: |- + flexVolume represents a generic volume resource that is + provisioned/attached using an exec based plugin. + Deprecated: FlexVolume is deprecated. Consider using a CSIDriver instead. + properties: + driver: + description: driver is the name of the driver to + use for this volume. + type: string + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script. + type: string + options: + additionalProperties: + type: string + description: 'options is Optional: this field holds + extra command options if any.' + type: object + readOnly: + description: |- + readOnly is Optional: defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + secretRef: + description: |- + secretRef is Optional: secretRef is reference to the secret object containing + sensitive information to pass to the plugin scripts. This may be + empty if no secret object is specified. If the secret object + contains more than one secret, all secrets are passed to the plugin + scripts. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + required: + - driver + type: object + flocker: + description: |- + flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running. + Deprecated: Flocker is deprecated and the in-tree flocker type is no longer supported. + properties: + datasetName: + description: |- + datasetName is Name of the dataset stored as metadata -> name on the dataset for Flocker + should be considered as deprecated + type: string + datasetUUID: + description: datasetUUID is the UUID of the dataset. + This is unique identifier of a Flocker dataset + type: string + type: object + gcePersistentDisk: + description: |- + gcePersistentDisk represents a GCE Disk resource that is attached to a + kubelet's host machine and then exposed to the pod. + Deprecated: GCEPersistentDisk is deprecated. All operations for the in-tree + gcePersistentDisk type are redirected to the pd.csi.storage.gke.io CSI driver. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + properties: + fsType: + description: |- + fsType is filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + type: string + partition: + description: |- + partition is the partition in the volume that you want to mount. + If omitted, the default is to mount by volume name. + Examples: For volume /dev/sda1, you specify the partition as "1". + Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + format: int32 + type: integer + pdName: + description: |- + pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + type: string + readOnly: + description: |- + readOnly here will force the ReadOnly setting in VolumeMounts. + Defaults to false. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + type: boolean + required: + - pdName + type: object + gitRepo: + description: |- + gitRepo represents a git repository at a particular revision. + Deprecated: GitRepo is deprecated. To provision a container with a git repo, mount an + EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir + into the Pod's container. + properties: + directory: + description: |- + directory is the target directory name. + Must not contain or start with '..'. If '.' is supplied, the volume directory will be the + git repository. Otherwise, if specified, the volume will contain the git repository in + the subdirectory with the given name. + type: string + repository: + description: repository is the URL + type: string + revision: + description: revision is the commit hash for the + specified revision. + type: string + required: + - repository + type: object + glusterfs: + description: |- + glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. + Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported. + properties: + endpoints: + description: endpoints is the endpoint name that + details Glusterfs topology. + type: string + path: + description: |- + path is the Glusterfs volume path. + More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + type: string + readOnly: + description: |- + readOnly here will force the Glusterfs volume to be mounted with read-only permissions. + Defaults to false. + More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + type: boolean + required: + - endpoints + - path + type: object + hostPath: + description: |- + hostPath represents a pre-existing file or directory on the host + machine that is directly exposed to the container. This is generally + used for system agents or other privileged things that are allowed + to see the host machine. Most containers will NOT need this. + More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + properties: + path: + description: |- + path of the directory on the host. + If the path is a symlink, it will follow the link to the real path. + More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + type: string + type: + description: |- + type for HostPath Volume + Defaults to "" + More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + type: string + required: + - path + type: object + image: + description: |- + image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine. + The volume is resolved at pod startup depending on which PullPolicy value is provided: + + - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. + - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. + - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. + + The volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation. + A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message. + The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field. + The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images. + The volume will be mounted read-only (ro) and non-executable files (noexec). + Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath) before 1.33. + The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type. + properties: + pullPolicy: + description: |- + Policy for pulling OCI objects. Possible values are: + Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. + Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. + IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. + Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. + type: string + reference: + description: |- + Required: Image or artifact reference to be used. + Behaves in the same way as pod.spec.containers[*].image. + Pull secrets will be assembled in the same way as for the container image by looking up node credentials, SA image pull secrets, and pod spec image pull secrets. + More info: https://kubernetes.io/docs/concepts/containers/images + This field is optional to allow higher level config management to default or override + container images in workload controllers like Deployments and StatefulSets. + type: string + type: object + iscsi: + description: |- + iscsi represents an ISCSI Disk resource that is attached to a + kubelet's host machine and then exposed to the pod. + More info: https://kubernetes.io/docs/concepts/storage/volumes/#iscsi + properties: + chapAuthDiscovery: + description: chapAuthDiscovery defines whether support + iSCSI Discovery CHAP authentication + type: boolean + chapAuthSession: + description: chapAuthSession defines whether support + iSCSI Session CHAP authentication + type: boolean + fsType: + description: |- + fsType is the filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi + type: string + initiatorName: + description: |- + initiatorName is the custom iSCSI Initiator Name. + If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface + : will be created for the connection. + type: string + iqn: + description: iqn is the target iSCSI Qualified Name. + type: string + iscsiInterface: + default: default + description: |- + iscsiInterface is the interface Name that uses an iSCSI transport. + Defaults to 'default' (tcp). + type: string + lun: + description: lun represents iSCSI Target Lun number. + format: int32 + type: integer + portals: + description: |- + portals is the iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port + is other than default (typically TCP ports 860 and 3260). + items: + type: string + type: array + x-kubernetes-list-type: atomic + readOnly: + description: |- + readOnly here will force the ReadOnly setting in VolumeMounts. + Defaults to false. + type: boolean + secretRef: + description: secretRef is the CHAP Secret for iSCSI + target and initiator authentication + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + targetPortal: + description: |- + targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port + is other than default (typically TCP ports 860 and 3260). + type: string + required: + - iqn + - lun + - targetPortal + type: object + name: + description: |- + name of the volume. + Must be a DNS_LABEL and unique within the pod. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + nfs: + description: |- + nfs represents an NFS mount on the host that shares a pod's lifetime + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + properties: + path: + description: |- + path that is exported by the NFS server. + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + type: string + readOnly: + description: |- + readOnly here will force the NFS export to be mounted with read-only permissions. + Defaults to false. + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + type: boolean + server: + description: |- + server is the hostname or IP address of the NFS server. + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + type: string + required: + - path + - server + type: object + persistentVolumeClaim: + description: |- + persistentVolumeClaimVolumeSource represents a reference to a + PersistentVolumeClaim in the same namespace. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + properties: + claimName: + description: |- + claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + type: string + readOnly: + description: |- + readOnly Will force the ReadOnly setting in VolumeMounts. + Default false. + type: boolean + required: + - claimName + type: object + photonPersistentDisk: + description: |- + photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine. + Deprecated: PhotonPersistentDisk is deprecated and the in-tree photonPersistentDisk type is no longer supported. + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + pdID: + description: pdID is the ID that identifies Photon + Controller persistent disk + type: string + required: + - pdID + type: object + portworxVolume: + description: |- + portworxVolume represents a portworx volume attached and mounted on kubelets host machine. + Deprecated: PortworxVolume is deprecated. All operations for the in-tree portworxVolume type + are redirected to the pxd.portworx.com CSI driver when the CSIMigrationPortworx feature-gate + is on. + properties: + fsType: + description: |- + fSType represents the filesystem type to mount + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs". Implicitly inferred to be "ext4" if unspecified. + type: string + readOnly: + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + volumeID: + description: volumeID uniquely identifies a Portworx + volume + type: string + required: + - volumeID + type: object + projected: + description: projected items for all in one resources + secrets, configmaps, and downward API + properties: + defaultMode: + description: |- + defaultMode are the mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + sources: + description: |- + sources is the list of volume projections. Each entry in this list + handles one source. + items: + description: |- + Projection that may be projected along with other supported volume types. + Exactly one of these fields must be set. + properties: + clusterTrustBundle: + description: |- + ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field + of ClusterTrustBundle objects in an auto-updating file. + + Alpha, gated by the ClusterTrustBundleProjection feature gate. + + ClusterTrustBundle objects can either be selected by name, or by the + combination of signer name and a label selector. + + Kubelet performs aggressive normalization of the PEM contents written + into the pod filesystem. Esoteric PEM features such as inter-block + comments and block headers are stripped. Certificates are deduplicated. + The ordering of certificates within the file is arbitrary, and Kubelet + may change the order over time. + properties: + labelSelector: + description: |- + Select all ClusterTrustBundles that match this label selector. Only has + effect if signerName is set. Mutually-exclusive with name. If unset, + interpreted as "match nothing". If set but empty, interpreted as "match + everything". + properties: + matchExpressions: + description: matchExpressions is a + list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + name: + description: |- + Select a single ClusterTrustBundle by object name. Mutually-exclusive + with signerName and labelSelector. + type: string + optional: + description: |- + If true, don't block pod startup if the referenced ClusterTrustBundle(s) + aren't available. If using name, then the named ClusterTrustBundle is + allowed not to exist. If using signerName, then the combination of + signerName and labelSelector is allowed to match zero + ClusterTrustBundles. + type: boolean + path: + description: Relative path from the volume + root to write the bundle. + type: string + signerName: + description: |- + Select all ClusterTrustBundles that match this signer name. + Mutually-exclusive with name. The contents of all selected + ClusterTrustBundles will be unified and deduplicated. + type: string + required: + - path + type: object + configMap: + description: configMap information about the + configMap data to project + properties: + items: + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + ConfigMap will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the ConfigMap, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + items: + description: Maps a string key to a + path within a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: optional specify whether + the ConfigMap or its keys must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + downwardAPI: + description: downwardAPI information about + the downwardAPI data to project + properties: + items: + description: Items is a list of DownwardAPIVolume + file + items: + description: DownwardAPIVolumeFile represents + information to create the file containing + the pod field + properties: + fieldRef: + description: 'Required: Selects + a field of the pod: only annotations, + labels, name, namespace and uid + are supported.' + properties: + apiVersion: + description: Version of the + schema the FieldPath is written + in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field + to select in the specified + API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + description: |- + Optional: mode bits used to set permissions on this file, must be an octal value + between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: 'Required: Path is the + relative path name of the file + to be created. Must not be absolute + or contain the ''..'' path. Must + be utf-8 encoded. The first item + of the relative path must not + start with ''..''' + type: string + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. + properties: + containerName: + description: 'Container name: + required for volumes, optional + for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output + format of the exposed resources, + defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource + to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podCertificate: + description: |- + Projects an auto-rotating credential bundle (private key and certificate + chain) that the pod can use either as a TLS client or server. + + Kubelet generates a private key and uses it to send a + PodCertificateRequest to the named signer. Once the signer approves the + request and issues a certificate chain, Kubelet writes the key and + certificate chain to the pod filesystem. The pod does not start until + certificates have been issued for each podCertificate projected volume + source in its spec. + + Kubelet will begin trying to rotate the certificate at the time indicated + by the signer using the PodCertificateRequest.Status.BeginRefreshAt + timestamp. + + Kubelet can write a single file, indicated by the credentialBundlePath + field, or separate files, indicated by the keyPath and + certificateChainPath fields. + + The credential bundle is a single file in PEM format. The first PEM + entry is the private key (in PKCS#8 format), and the remaining PEM + entries are the certificate chain issued by the signer (typically, + signers will return their certificate chain in leaf-to-root order). + + Prefer using the credential bundle format, since your application code + can read it atomically. If you use keyPath and certificateChainPath, + your application must make two separate file reads. If these coincide + with a certificate rotation, it is possible that the private key and leaf + certificate you read may not correspond to each other. Your application + will need to check for this condition, and re-read until they are + consistent. + + The named signer controls chooses the format of the certificate it + issues; consult the signer implementation's documentation to learn how to + use the certificates it issues. + properties: + certificateChainPath: + description: |- + Write the certificate chain at this path in the projected volume. + + Most applications should use credentialBundlePath. When using keyPath + and certificateChainPath, your application needs to check that the key + and leaf certificate are consistent, because it is possible to read the + files mid-rotation. + type: string + credentialBundlePath: + description: |- + Write the credential bundle at this path in the projected volume. + + The credential bundle is a single file that contains multiple PEM blocks. + The first PEM block is a PRIVATE KEY block, containing a PKCS#8 private + key. + + The remaining blocks are CERTIFICATE blocks, containing the issued + certificate chain from the signer (leaf and any intermediates). + + Using credentialBundlePath lets your Pod's application code make a single + atomic read that retrieves a consistent key and certificate chain. If you + project them to separate files, your application code will need to + additionally check that the leaf certificate was issued to the key. + type: string + keyPath: + description: |- + Write the key at this path in the projected volume. + + Most applications should use credentialBundlePath. When using keyPath + and certificateChainPath, your application needs to check that the key + and leaf certificate are consistent, because it is possible to read the + files mid-rotation. + type: string + keyType: + description: |- + The type of keypair Kubelet will generate for the pod. + + Valid values are "RSA3072", "RSA4096", "ECDSAP256", "ECDSAP384", + "ECDSAP521", and "ED25519". + type: string + maxExpirationSeconds: + description: |- + maxExpirationSeconds is the maximum lifetime permitted for the + certificate. + + Kubelet copies this value verbatim into the PodCertificateRequests it + generates for this projection. + + If omitted, kube-apiserver will set it to 86400(24 hours). kube-apiserver + will reject values shorter than 3600 (1 hour). The maximum allowable + value is 7862400 (91 days). + + The signer implementation is then free to issue a certificate with any + lifetime *shorter* than MaxExpirationSeconds, but no shorter than 3600 + seconds (1 hour). This constraint is enforced by kube-apiserver. + `kubernetes.io` signers will never issue certificates with a lifetime + longer than 24 hours. + format: int32 + type: integer + signerName: + description: Kubelet's generated CSRs + will be addressed to this signer. + type: string + required: + - keyType + - signerName + type: object + secret: + description: secret information about the + secret data to project + properties: + items: + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + Secret will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the Secret, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + items: + description: Maps a string key to a + path within a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: optional field specify whether + the Secret or its key must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + serviceAccountToken: + description: serviceAccountToken is information + about the serviceAccountToken data to project + properties: + audience: + description: |- + audience is the intended audience of the token. A recipient of a token + must identify itself with an identifier specified in the audience of the + token, and otherwise should reject the token. The audience defaults to the + identifier of the apiserver. + type: string + expirationSeconds: + description: |- + expirationSeconds is the requested duration of validity of the service + account token. As the token approaches expiration, the kubelet volume + plugin will proactively rotate the service account token. The kubelet will + start trying to rotate the token if the token is older than 80 percent of + its time to live or if the token is older than 24 hours.Defaults to 1 hour + and must be at least 10 minutes. + format: int64 + type: integer + path: + description: |- + path is the path relative to the mount point of the file to project the + token into. + type: string + required: + - path + type: object + type: object + type: array + x-kubernetes-list-type: atomic + type: object + quobyte: + description: |- + quobyte represents a Quobyte mount on the host that shares a pod's lifetime. + Deprecated: Quobyte is deprecated and the in-tree quobyte type is no longer supported. + properties: + group: + description: |- + group to map volume access to + Default is no group + type: string + readOnly: + description: |- + readOnly here will force the Quobyte volume to be mounted with read-only permissions. + Defaults to false. + type: boolean + registry: + description: |- + registry represents a single or multiple Quobyte Registry services + specified as a string as host:port pair (multiple entries are separated with commas) + which acts as the central registry for volumes + type: string + tenant: + description: |- + tenant owning the given Quobyte volume in the Backend + Used with dynamically provisioned Quobyte volumes, value is set by the plugin + type: string + user: + description: |- + user to map volume access to + Defaults to serivceaccount user + type: string + volume: + description: volume is a string that references + an already created Quobyte volume by name. + type: string + required: + - registry + - volume + type: object + rbd: + description: |- + rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. + Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported. + properties: + fsType: + description: |- + fsType is the filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd + type: string + image: + description: |- + image is the rados image name. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + keyring: + default: /etc/ceph/keyring + description: |- + keyring is the path to key ring for RBDUser. + Default is /etc/ceph/keyring. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + monitors: + description: |- + monitors is a collection of Ceph monitors. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + items: + type: string + type: array + x-kubernetes-list-type: atomic + pool: + default: rbd + description: |- + pool is the rados pool name. + Default is rbd. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + readOnly: + description: |- + readOnly here will force the ReadOnly setting in VolumeMounts. + Defaults to false. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: boolean + secretRef: + description: |- + secretRef is name of the authentication secret for RBDUser. If provided + overrides keyring. + Default is nil. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + user: + default: admin + description: |- + user is the rados user name. + Default is admin. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + required: + - image + - monitors + type: object + scaleIO: + description: |- + scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes. + Deprecated: ScaleIO is deprecated and the in-tree scaleIO type is no longer supported. + properties: + fsType: + default: xfs + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". + Default is "xfs". + type: string + gateway: + description: gateway is the host address of the + ScaleIO API Gateway. + type: string + protectionDomain: + description: protectionDomain is the name of the + ScaleIO Protection Domain for the configured storage. + type: string + readOnly: + description: |- + readOnly Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + secretRef: + description: |- + secretRef references to the secret for ScaleIO user and other + sensitive information. If this is not provided, Login operation will fail. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + sslEnabled: + description: sslEnabled Flag enable/disable SSL + communication with Gateway, default false + type: boolean + storageMode: + default: ThinProvisioned + description: |- + storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. + Default is ThinProvisioned. + type: string + storagePool: + description: storagePool is the ScaleIO Storage + Pool associated with the protection domain. + type: string + system: + description: system is the name of the storage system + as configured in ScaleIO. + type: string + volumeName: + description: |- + volumeName is the name of a volume already created in the ScaleIO system + that is associated with this volume source. + type: string + required: + - gateway + - secretRef + - system + type: object + secret: + description: |- + secret represents a secret that should populate this volume. + More info: https://kubernetes.io/docs/concepts/storage/volumes#secret + properties: + defaultMode: + description: |- + defaultMode is Optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values + for mode bits. Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + items: + description: |- + items If unspecified, each key-value pair in the Data field of the referenced + Secret will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the Secret, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + items: + description: Maps a string key to a path within + a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + optional: + description: optional field specify whether the + Secret or its keys must be defined + type: boolean + secretName: + description: |- + secretName is the name of the secret in the pod's namespace to use. + More info: https://kubernetes.io/docs/concepts/storage/volumes#secret + type: string + type: object + storageos: + description: |- + storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes. + Deprecated: StorageOS is deprecated and the in-tree storageos type is no longer supported. + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + readOnly: + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + secretRef: + description: |- + secretRef specifies the secret to use for obtaining the StorageOS API + credentials. If not specified, default values will be attempted. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + volumeName: + description: |- + volumeName is the human-readable name of the StorageOS volume. Volume + names are only unique within a namespace. + type: string + volumeNamespace: + description: |- + volumeNamespace specifies the scope of the volume within StorageOS. If no + namespace is specified then the Pod's namespace will be used. This allows the + Kubernetes name scoping to be mirrored within StorageOS for tighter integration. + Set VolumeName to any name to override the default behaviour. + Set to "default" if you are not using namespaces within StorageOS. + Namespaces that do not pre-exist within StorageOS will be created. + type: string + type: object + vsphereVolume: + description: |- + vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine. + Deprecated: VsphereVolume is deprecated. All operations for the in-tree vsphereVolume type + are redirected to the csi.vsphere.vmware.com CSI driver. + properties: + fsType: + description: |- + fsType is filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + storagePolicyID: + description: storagePolicyID is the storage Policy + Based Management (SPBM) profile ID associated + with the StoragePolicyName. + type: string + storagePolicyName: + description: storagePolicyName is the storage Policy + Based Management (SPBM) profile name. + type: string + volumePath: + description: volumePath is the path that identifies + vSphere volume vmdk + type: string + required: + - volumePath + type: object + required: + - name + type: object + type: array + type: object + profile: + description: Specifies which installation configuration profile + to apply. + type: string + revision: + description: Identifies the revision this installation is associated + with. + type: string + sidecarInjectorWebhook: + description: Configuration for the sidecar injector webhook. + properties: + alwaysInjectSelector: + description: See NeverInjectSelector. + items: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: array + defaultTemplates: + description: 'defaultTemplates: ["sidecar", "hello"]' + items: + type: string + type: array + enableNamespacesByDefault: + description: Enables sidecar auto-injection in namespaces + by default. + type: boolean + injectedAnnotations: + additionalProperties: + type: string + description: |- + injectedAnnotations are additional annotations that will be added to the pod spec after injection + This is primarily to support PSP annotations. + type: object + injectionURL: + description: Configure the injection url for sidecar injector + webhook + type: string + neverInjectSelector: + description: |- + Instructs Istio to not inject the sidecar on those pods, based on labels that are present in those pods. + + Annotations in the pods have higher precedence than the label selectors. + Order of evaluation: Pod Annotations → NeverInjectSelector → AlwaysInjectSelector → Default Policy. + See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions + items: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: array + reinvocationPolicy: + description: 'Setting this to `IfNeeded` will result in the + sidecar injector being run again if additional mutations + occur. Default: Never' + type: string + rewriteAppHTTPProbe: + description: If true, webhook or istioctl injector will rewrite + PodSpec for liveness health check to redirect request to + sidecar. This makes liveness check work even when mTLS is + enabled. + type: boolean + templates: + additionalProperties: + type: string + description: "Templates defines a set of custom injection + templates that can be used. For example, defining:\n\ntemplates:\n\n\thello: + |\n\t metadata:\n\t labels:\n\t hello: world\n\nThen + starting a pod with the `inject.istio.io/templates: hello` + annotation, will result in the pod\nbeing injected with + the hello=world labels.\nThis is intended for advanced configuration + only; most users should use the built in template" + type: object + type: object + telemetry: + description: Controls whether telemetry is exported for Pilot. + properties: + enabled: + description: Controls whether telemetry is exported for Pilot. + type: boolean + v2: + description: Configuration for Telemetry v2. + properties: + enabled: + description: Controls whether pilot will configure telemetry + v2. + type: boolean + prometheus: + description: Telemetry v2 settings for prometheus. + properties: + enabled: + description: Controls whether stats envoyfilter would + be enabled or not. + type: boolean + type: object + stackdriver: + description: Telemetry v2 settings for stackdriver. + properties: + enabled: + type: boolean + type: object + type: object + type: object + type: object + version: + default: v1.28.5 + description: |- + Defines the version of Istio to install. + Must be one of: v1.28-latest, v1.28.5, v1.28.4, v1.27-latest, v1.27.8, v1.27.5, v1.27.3, v1.26-latest, v1.26.8, v1.26.6, v1.26.4, v1.26.3, v1.26.2. + enum: + - v1.28-latest + - v1.28.5 + - v1.28.4 + - v1.27-latest + - v1.27.8 + - v1.27.5 + - v1.27.3 + - v1.26-latest + - v1.26.8 + - v1.26.6 + - v1.26.4 + - v1.26.3 + - v1.26.2 + type: string + required: + - namespace + - version + type: object + x-kubernetes-validations: + - message: spec.values.global.istioNamespace must match spec.namespace + rule: '!has(self.values) || !has(self.values.global) || !has(self.values.global.istioNamespace) + || self.values.global.istioNamespace == self.__namespace__' + status: + description: IstioStatus defines the observed state of Istio + properties: + activeRevisionName: + description: The name of the active revision. + type: string + conditions: + description: Represents the latest available observations of the object's + current state. + items: + description: IstioCondition represents a specific observation of + the IstioCondition object's state. + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + the last transition. + type: string + reason: + description: Unique, single-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: The status of this condition. Can be True, False + or Unknown. + type: string + type: + description: The type of this condition. + type: string + type: object + type: array + observedGeneration: + description: |- + ObservedGeneration is the most recent generation observed for this + Istio object. It corresponds to the object's generation, which is + updated on mutation by the API Server. The information in the status + pertains to this particular generation of the object. + format: int64 + type: integer + revisions: + description: Reports information about the underlying IstioRevisions. + properties: + inUse: + description: Number of IstioRevisions that are currently in use. + format: int32 + type: integer + ready: + description: Number of IstioRevisions that are Ready. + format: int32 + type: integer + total: + description: Total number of IstioRevisions currently associated + with this Istio. + format: int32 + type: integer + required: + - inUse + - ready + - total + type: object + state: + description: Reports the current state of the object. + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/sailoperator.io_ztunnels.yaml b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/sailoperator.io_ztunnels.yaml new file mode 100644 index 0000000000..f624c9a08a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/sailoperator.io_ztunnels.yaml @@ -0,0 +1,7008 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.19.0 + name: ztunnels.sailoperator.io +spec: + group: sailoperator.io + names: + categories: + - istio-io + kind: ZTunnel + listKind: ZTunnelList + plural: ztunnels + singular: ztunnel + scope: Cluster + versions: + - additionalPrinterColumns: + - description: The namespace for the ztunnel component. + jsonPath: .spec.namespace + name: Namespace + type: string + - description: Whether the Istio ztunnel installation is ready to handle requests. + jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - description: The current state of this object. + jsonPath: .status.state + name: Status + type: string + - description: The version of the Istio ztunnel installation. + jsonPath: .spec.version + name: Version + type: string + - description: The age of the object + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: ZTunnel represents a deployment of the Istio ztunnel component. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + default: + namespace: ztunnel + version: v1.28.5 + description: ZTunnelSpec defines the desired state of ZTunnel + properties: + namespace: + default: ztunnel + description: Namespace to which the Istio ztunnel component should + be installed. + type: string + values: + description: Defines the values to be passed to the Helm charts when + installing Istio ztunnel. + properties: + global: + description: Part of the global configuration applicable to the + Istio ztunnel component. + properties: + defaultResources: + description: |- + See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container + + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + This field depends on the + DynamicResourceAllocation feature gate. + + This field is immutable. It can only be set for containers. + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + hub: + description: Specifies the docker hub for Istio images. + type: string + imagePullPolicy: + description: |- + Specifies the image pull policy for the Istio images. one of Always, Never, IfNotPresent. + Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated. + + More info: https://kubernetes.io/docs/concepts/containers/images#updating-images + enum: + - Always + - Never + - IfNotPresent + type: string + imagePullSecrets: + description: |- + ImagePullSecrets for the control plane ServiceAccount, list of secrets in the same namespace + to use for pulling any images in pods that reference this ServiceAccount. + Must be set for any cluster configured with private docker registry. + items: + type: string + type: array + logAsJson: + description: Specifies whether istio components should output + logs in json format by adding --log_as_json argument to + each container. + type: boolean + logging: + description: Specifies the global logging level settings for + the Istio control plane components. + properties: + level: + description: |- + Comma-separated minimum per-scope logging level of messages to output, in the form of :,: + The control plane has different scopes depending on component, but can configure default log level across all components + If empty, default scope and level will be used as configured in code + type: string + type: object + platform: + description: |- + Platform in which Istio is deployed. Possible values are: "openshift" and "gcp" + An empty value means it is a vanilla Kubernetes distribution, therefore no special + treatment will be considered. + type: string + tag: + description: Specifies the tag for the Istio docker images. + type: string + variant: + description: The variant of the Istio container images to + use. Options are "debug" or "distroless". Unset will use + the default for the given version. + type: string + type: object + ztunnel: + description: Configuration for the Istio ztunnel plugin. + properties: + Annotations: + additionalProperties: + type: string + description: Annotations to apply to all top level resources + type: object + Labels: + additionalProperties: + type: string + description: Labels to apply to all top level resources + type: object + affinity: + description: K8s affinity to set on the ztunnel Pods. Can + be used to exclude ztunnel from being scheduled on specified + nodes. + properties: + nodeAffinity: + description: Describes node affinity scheduling rules + for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node matches the corresponding matchExpressions; the + node(s) with the highest sum are the most preferred. + items: + description: |- + An empty preferred scheduling term matches all objects with implicit weight 0 + (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). + properties: + preference: + description: A node selector term, associated + with the corresponding weight. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the + selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the + selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching + the corresponding nodeSelectorTerm, in the + range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector + terms. The terms are ORed. + items: + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the + selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the + selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: Describes pod affinity scheduling rules (e.g. + co-locate this pod in the same node, zone, etc. as some + other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. + items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling rules + (e.g. avoid putting this pod in the same node, zone, + etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the anti-affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, etc.), + compute a sum by iterating through the elements of this field and subtracting + "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the anti-affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the anti-affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. + items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: object + caAddress: + description: The address of the CA for CSR. + type: string + env: + additionalProperties: + type: string + description: 'A `key: value` mapping of environment variables + to add to the pod' + type: object + hub: + description: Hub to pull the container image from. Image will + be `Hub/Image:Tag-Variant`. + type: string + image: + description: |- + Image name to pull from. Image will be `Hub/Image:Tag-Variant`. + If Image contains a "/", it will replace the entire `image` in the pod. + type: string + imagePullPolicy: + description: |- + Specifies the image pull policy for the Istio images. one of Always, Never, IfNotPresent. + Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated. + + More info: https://kubernetes.io/docs/concepts/containers/images#updating-images + enum: + - Always + - Never + - IfNotPresent + type: string + imagePullSecrets: + description: |- + List of secret names to add to the service account as image pull secrets + to use for pulling any images in pods that reference this ServiceAccount. + Must be set for any cluster configured with private docker registry. + items: + type: string + type: array + istioNamespace: + description: Specifies the default namespace for the Istio + control plane components. + type: string + logAsJson: + description: Specifies whether istio components should output + logs in json format by adding --log_as_json argument to + each container. + type: boolean + logLevel: + default: info + description: 'Configuration log level of ztunnel binary, default + is info. Valid values are: trace, debug, info, warn, error.' + enum: + - trace + - debug + - info + - warn + - error + type: string + multiCluster: + description: |- + Settings for multicluster. + The name of the cluster we are installing in. Note this is a user-defined name, which must be consistent + with Istiod configuration. + properties: + clusterName: + description: |- + The name of the cluster this installation will run in. This is required for sidecar injection + to properly label proxies + type: string + enabled: + description: |- + Enables the connection between two kubernetes clusters via their respective ingressgateway services. + Use if the pods in each cluster cannot directly talk to one another. + type: boolean + globalDomainSuffix: + description: The suffix for global service names. + type: string + includeEnvoyFilter: + description: Enable envoy filter to translate `globalDomainSuffix` + to cluster local suffix for cross cluster communication. + type: boolean + type: object + network: + description: defines the network this cluster belong to. This + name corresponds to the networks in the map of mesh networks. + type: string + nodeSelector: + additionalProperties: + type: string + description: |- + K8s node selector settings. + + See https://kubernetes.io/docs/user-guide/node-selection/ + type: object + podAnnotations: + additionalProperties: + type: string + description: Annotations added to each pod. The default annotations + are required for scraping prometheus (in most environments). + type: object + podLabels: + additionalProperties: + type: string + description: Additional labels to apply on the pod level. + type: object + resourceName: + description: |- + resourceName, if set, will override the naming of resources. If not set, will default to the release name. + It is recommended to not set this; this is primarily for backwards compatibility. + type: string + resourceQuotas: + description: The resource quotas configuration for ztunnel + properties: + enabled: + description: Controls whether to create resource quotas + or not for the CNI DaemonSet. + type: boolean + pods: + description: The hard limit on the number of pods in the + namespace where the CNI DaemonSet is deployed. + format: int64 + type: integer + type: object + resources: + description: The k8s resource requests and limits for the + ztunnel Pods. + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + This field depends on the + DynamicResourceAllocation feature gate. + + This field is immutable. It can only be set for containers. + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + revision: + description: Configures the revision this control plane is + a part of + type: string + seLinuxOptions: + description: Set seLinux options for the ztunnel pod + properties: + level: + description: Level is SELinux level label that applies + to the container. + type: string + role: + description: Role is a SELinux role label that applies + to the container. + type: string + type: + description: Type is a SELinux type label that applies + to the container. + type: string + user: + description: User is a SELinux user label that applies + to the container. + type: string + type: object + tag: + description: The container image tag to pull. Image will be + `Hub/Image:Tag-Variant`. + type: string + terminationGracePeriodSeconds: + default: 30 + description: |- + This value defines: + 1. how many seconds kube waits for ztunnel pod to gracefully exit before forcibly terminating it (this value) + 2. how many seconds ztunnel waits to drain its own connections (this value - 1 sec) + format: int64 + minimum: 0 + type: integer + tolerations: + description: Tolerations for the ztunnel pod + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + updateStrategy: + description: Defines the update strategy to use when the version + in the Ztunnel CR is updated. + properties: + rollingUpdate: + description: Rolling update config params. Present only + if type = "RollingUpdate". + properties: + maxSurge: + anyOf: + - type: integer + - type: string + description: |- + The maximum number of nodes with an existing available DaemonSet pod that + can have an updated DaemonSet pod during during an update. + Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). + This can not be 0 if MaxUnavailable is 0. + Absolute number is calculated from percentage by rounding up to a minimum of 1. + Default value is 0. + Example: when this is set to 30%, at most 30% of the total number of nodes + that should be running the daemon pod (i.e. status.desiredNumberScheduled) + can have their a new pod created before the old pod is marked as deleted. + The update starts by launching new pods on 30% of nodes. Once an updated + pod is available (Ready for at least minReadySeconds) the old DaemonSet pod + on that node is marked deleted. If the old pod becomes unavailable for any + reason (Ready transitions to false, is evicted, or is drained) an updated + pod is immediately created on that node without considering surge limits. + Allowing surge implies the possibility that the resources consumed by the + daemonset on any given node can double if the readiness check fails, and + so resource intensive daemonsets should take into account that they may + cause evictions during disruption. + x-kubernetes-int-or-string: true + maxUnavailable: + anyOf: + - type: integer + - type: string + description: |- + The maximum number of DaemonSet pods that can be unavailable during the + update. Value can be an absolute number (ex: 5) or a percentage of total + number of DaemonSet pods at the start of the update (ex: 10%). Absolute + number is calculated from percentage by rounding up. + This cannot be 0 if MaxSurge is 0 + Default value is 1. + Example: when this is set to 30%, at most 30% of the total number of nodes + that should be running the daemon pod (i.e. status.desiredNumberScheduled) + can have their pods stopped for an update at any given time. The update + starts by stopping at most 30% of those DaemonSet pods and then brings + up new DaemonSet pods in their place. Once the new pods are available, + it then proceeds onto other DaemonSet pods, thus ensuring that at least + 70% of original number of DaemonSet pods are available at all times during + the update. + x-kubernetes-int-or-string: true + type: object + type: + description: Type of daemon set update. Can be "RollingUpdate" + or "OnDelete". Default is RollingUpdate. + type: string + type: object + variant: + description: The container image variant to pull. Options + are "debug" or "distroless". Unset will use the default + for the given version. + type: string + volumeMounts: + description: Additional volumeMounts to the ztunnel container + items: + description: VolumeMount describes a mounting of a Volume + within a container. + properties: + mountPath: + description: |- + Path within the container at which the volume should be mounted. Must + not contain ':'. + type: string + mountPropagation: + description: |- + mountPropagation determines how mounts are propagated from the host + to container and the other way around. + When not set, MountPropagationNone is used. + This field is beta in 1.10. + When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified + (which defaults to None). + type: string + name: + description: This must match the Name of a Volume. + type: string + readOnly: + description: |- + Mounted read-only if true, read-write otherwise (false or unspecified). + Defaults to false. + type: boolean + recursiveReadOnly: + description: |- + RecursiveReadOnly specifies whether read-only mounts should be handled + recursively. + + If ReadOnly is false, this field has no meaning and must be unspecified. + + If ReadOnly is true, and this field is set to Disabled, the mount is not made + recursively read-only. If this field is set to IfPossible, the mount is made + recursively read-only, if it is supported by the container runtime. If this + field is set to Enabled, the mount is made recursively read-only if it is + supported by the container runtime, otherwise the pod will not be started and + an error will be generated to indicate the reason. + + If this field is set to IfPossible or Enabled, MountPropagation must be set to + None (or be unspecified, which defaults to None). + + If this field is not specified, it is treated as an equivalent of Disabled. + type: string + subPath: + description: |- + Path within the volume from which the container's volume should be mounted. + Defaults to "" (volume's root). + type: string + subPathExpr: + description: |- + Expanded path within the volume from which the container's volume should be mounted. + Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. + Defaults to "" (volume's root). + SubPathExpr and SubPath are mutually exclusive. + type: string + required: + - mountPath + - name + type: object + type: array + volumes: + description: Additional volumes to add to the ztunnel Pod. + items: + description: Volume represents a named volume in a pod that + may be accessed by any container in the pod. + properties: + awsElasticBlockStore: + description: |- + awsElasticBlockStore represents an AWS Disk resource that is attached to a + kubelet's host machine and then exposed to the pod. + Deprecated: AWSElasticBlockStore is deprecated. All operations for the in-tree + awsElasticBlockStore type are redirected to the ebs.csi.aws.com CSI driver. + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + properties: + fsType: + description: |- + fsType is the filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + type: string + partition: + description: |- + partition is the partition in the volume that you want to mount. + If omitted, the default is to mount by volume name. + Examples: For volume /dev/sda1, you specify the partition as "1". + Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). + format: int32 + type: integer + readOnly: + description: |- + readOnly value true will force the readOnly setting in VolumeMounts. + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + type: boolean + volumeID: + description: |- + volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume). + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + type: string + required: + - volumeID + type: object + azureDisk: + description: |- + azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod. + Deprecated: AzureDisk is deprecated. All operations for the in-tree azureDisk type + are redirected to the disk.csi.azure.com CSI driver. + properties: + cachingMode: + description: 'cachingMode is the Host Caching mode: + None, Read Only, Read Write.' + type: string + diskName: + description: diskName is the Name of the data disk + in the blob storage + type: string + diskURI: + description: diskURI is the URI of data disk in + the blob storage + type: string + fsType: + default: ext4 + description: |- + fsType is Filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + kind: + description: 'kind expected values are Shared: multiple + blob disks per storage account Dedicated: single + blob disk per storage account Managed: azure + managed data disk (only in managed availability + set). defaults to shared' + type: string + readOnly: + default: false + description: |- + readOnly Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + required: + - diskName + - diskURI + type: object + azureFile: + description: |- + azureFile represents an Azure File Service mount on the host and bind mount to the pod. + Deprecated: AzureFile is deprecated. All operations for the in-tree azureFile type + are redirected to the file.csi.azure.com CSI driver. + properties: + readOnly: + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + secretName: + description: secretName is the name of secret that + contains Azure Storage Account Name and Key + type: string + shareName: + description: shareName is the azure share Name + type: string + required: + - secretName + - shareName + type: object + cephfs: + description: |- + cephFS represents a Ceph FS mount on the host that shares a pod's lifetime. + Deprecated: CephFS is deprecated and the in-tree cephfs type is no longer supported. + properties: + monitors: + description: |- + monitors is Required: Monitors is a collection of Ceph monitors + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + items: + type: string + type: array + x-kubernetes-list-type: atomic + path: + description: 'path is Optional: Used as the mounted + root, rather than the full Ceph tree, default + is /' + type: string + readOnly: + description: |- + readOnly is Optional: Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + type: boolean + secretFile: + description: |- + secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + type: string + secretRef: + description: |- + secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty. + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + user: + description: |- + user is optional: User is the rados user name, default is admin + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + type: string + required: + - monitors + type: object + cinder: + description: |- + cinder represents a cinder volume attached and mounted on kubelets host machine. + Deprecated: Cinder is deprecated. All operations for the in-tree cinder type + are redirected to the cinder.csi.openstack.org CSI driver. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md + type: string + readOnly: + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md + type: boolean + secretRef: + description: |- + secretRef is optional: points to a secret object containing parameters used to connect + to OpenStack. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + volumeID: + description: |- + volumeID used to identify the volume in cinder. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md + type: string + required: + - volumeID + type: object + configMap: + description: configMap represents a configMap that should + populate this volume + properties: + defaultMode: + description: |- + defaultMode is optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + items: + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + ConfigMap will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the ConfigMap, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + items: + description: Maps a string key to a path within + a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: optional specify whether the ConfigMap + or its keys must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + csi: + description: csi (Container Storage Interface) represents + ephemeral storage that is handled by certain external + CSI drivers. + properties: + driver: + description: |- + driver is the name of the CSI driver that handles this volume. + Consult with your admin for the correct name as registered in the cluster. + type: string + fsType: + description: |- + fsType to mount. Ex. "ext4", "xfs", "ntfs". + If not provided, the empty value is passed to the associated CSI driver + which will determine the default filesystem to apply. + type: string + nodePublishSecretRef: + description: |- + nodePublishSecretRef is a reference to the secret object containing + sensitive information to pass to the CSI driver to complete the CSI + NodePublishVolume and NodeUnpublishVolume calls. + This field is optional, and may be empty if no secret is required. If the + secret object contains more than one secret, all secret references are passed. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + readOnly: + description: |- + readOnly specifies a read-only configuration for the volume. + Defaults to false (read/write). + type: boolean + volumeAttributes: + additionalProperties: + type: string + description: |- + volumeAttributes stores driver-specific properties that are passed to the CSI + driver. Consult your driver's documentation for supported values. + type: object + required: + - driver + type: object + downwardAPI: + description: downwardAPI represents downward API about + the pod that should populate this volume + properties: + defaultMode: + description: |- + Optional: mode bits to use on created files by default. Must be a + Optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + items: + description: Items is a list of downward API volume + file + items: + description: DownwardAPIVolumeFile represents + information to create the file containing the + pod field + properties: + fieldRef: + description: 'Required: Selects a field of + the pod: only annotations, labels, name, + namespace and uid are supported.' + properties: + apiVersion: + description: Version of the schema the + FieldPath is written in terms of, defaults + to "v1". + type: string + fieldPath: + description: Path of the field to select + in the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + description: |- + Optional: mode bits used to set permissions on this file, must be an octal value + between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: 'Required: Path is the relative + path name of the file to be created. Must + not be absolute or contain the ''..'' path. + Must be utf-8 encoded. The first item of + the relative path must not start with ''..''' + type: string + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. + properties: + containerName: + description: 'Container name: required + for volumes, optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format + of the exposed resources, defaults to + "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + x-kubernetes-list-type: atomic + type: object + emptyDir: + description: |- + emptyDir represents a temporary directory that shares a pod's lifetime. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + properties: + medium: + description: |- + medium represents what type of storage medium should back this directory. + The default is "" which means to use the node's default medium. + Must be an empty string (default) or Memory. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + type: string + sizeLimit: + anyOf: + - type: integer + - type: string + description: |- + sizeLimit is the total amount of local storage required for this EmptyDir volume. + The size limit is also applicable for memory medium. + The maximum usage on memory medium EmptyDir would be the minimum value between + the SizeLimit specified here and the sum of memory limits of all containers in a pod. + The default is nil which means that the limit is undefined. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + ephemeral: + description: |- + ephemeral represents a volume that is handled by a cluster storage driver. + The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts, + and deleted when the pod is removed. + + Use this if: + a) the volume is only needed while the pod runs, + b) features of normal volumes like restoring from snapshot or capacity + tracking are needed, + c) the storage driver is specified through a storage class, and + d) the storage driver supports dynamic volume provisioning through + a PersistentVolumeClaim (see EphemeralVolumeSource for more + information on the connection between this volume type + and PersistentVolumeClaim). + + Use PersistentVolumeClaim or one of the vendor-specific + APIs for volumes that persist for longer than the lifecycle + of an individual pod. + + Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to + be used that way - see the documentation of the driver for + more information. + + A pod can use both types of ephemeral volumes and + persistent volumes at the same time. + properties: + volumeClaimTemplate: + description: |- + Will be used to create a stand-alone PVC to provision the volume. + The pod in which this EphemeralVolumeSource is embedded will be the + owner of the PVC, i.e. the PVC will be deleted together with the + pod. The name of the PVC will be `-` where + `` is the name from the `PodSpec.Volumes` array + entry. Pod validation will reject the pod if the concatenated name + is not valid for a PVC (for example, too long). + + An existing PVC with that name that is not owned by the pod + will *not* be used for the pod to avoid using an unrelated + volume by mistake. Starting the pod is then blocked until + the unrelated PVC is removed. If such a pre-created PVC is + meant to be used by the pod, the PVC has to updated with an + owner reference to the pod once the pod exists. Normally + this should not be necessary, but it may be useful when + manually reconstructing a broken cluster. + + This field is read-only and no changes will be made by Kubernetes + to the PVC after it has been created. + + Required, must not be nil. + properties: + metadata: + description: |- + May contain labels and annotations that will be copied into the PVC + when creating it. No other fields are allowed and will be rejected during + validation. + type: object + spec: + description: |- + The specification for the PersistentVolumeClaim. The entire content is + copied unchanged into the PVC that gets created from this + template. The same fields as in a PersistentVolumeClaim + are also valid here. + properties: + accessModes: + description: |- + accessModes contains the desired access modes the volume should have. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 + items: + type: string + type: array + x-kubernetes-list-type: atomic + dataSource: + description: |- + dataSource field can be used to specify either: + * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) + * An existing PVC (PersistentVolumeClaim) + If the provisioner or an external controller can support the specified data source, + it will create a new volume based on the contents of the specified data source. + When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, + and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. + If the namespace is specified, then dataSourceRef will not be copied to dataSource. + properties: + apiGroup: + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. + type: string + kind: + description: Kind is the type of resource + being referenced + type: string + name: + description: Name is the name of resource + being referenced + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + description: |- + dataSourceRef specifies the object from which to populate the volume with data, if a non-empty + volume is desired. This may be any object from a non-empty API group (non + core object) or a PersistentVolumeClaim object. + When this field is specified, volume binding will only succeed if the type of + the specified object matches some installed volume populator or dynamic + provisioner. + This field will replace the functionality of the dataSource field and as such + if both fields are non-empty, they must have the same value. For backwards + compatibility, when namespace isn't specified in dataSourceRef, + both fields (dataSource and dataSourceRef) will be set to the same + value automatically if one of them is empty and the other is non-empty. + When namespace is specified in dataSourceRef, + dataSource isn't set to the same value and must be empty. + There are three important differences between dataSource and dataSourceRef: + * While dataSource only allows two specific types of objects, dataSourceRef + allows any non-core object, as well as PersistentVolumeClaim objects. + * While dataSource ignores disallowed values (dropping them), dataSourceRef + preserves all values, and generates an error if a disallowed value is + specified. + * While dataSource only allows local objects, dataSourceRef allows objects + in any namespaces. + (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. + (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. + properties: + apiGroup: + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. + type: string + kind: + description: Kind is the type of resource + being referenced + type: string + name: + description: Name is the name of resource + being referenced + type: string + namespace: + description: |- + Namespace is the namespace of resource being referenced + Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. + (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. + type: string + required: + - kind + - name + type: object + resources: + description: |- + resources represents the minimum resources the volume should have. + If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements + that are lower than previous value but must still be higher than capacity recorded in the + status field of the claim. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + selector: + description: selector is a label query over + volumes to consider for binding. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + description: |- + storageClassName is the name of the StorageClass required by the claim. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 + type: string + volumeAttributesClassName: + description: |- + volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. + If specified, the CSI driver will create or update the volume with the attributes defined + in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, + it can be changed after the claim is created. An empty string or nil value indicates that no + VolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state, + this field can be reset to its previous value (including nil) to cancel the modification. + If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be + set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource + exists. + More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ + type: string + volumeMode: + description: |- + volumeMode defines what type of volume is required by the claim. + Value of Filesystem is implied when not included in claim spec. + type: string + volumeName: + description: volumeName is the binding reference + to the PersistentVolume backing this claim. + type: string + type: object + required: + - spec + type: object + type: object + fc: + description: fc represents a Fibre Channel resource + that is attached to a kubelet's host machine and then + exposed to the pod. + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + lun: + description: 'lun is Optional: FC target lun number' + format: int32 + type: integer + readOnly: + description: |- + readOnly is Optional: Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + targetWWNs: + description: 'targetWWNs is Optional: FC target + worldwide names (WWNs)' + items: + type: string + type: array + x-kubernetes-list-type: atomic + wwids: + description: |- + wwids Optional: FC volume world wide identifiers (wwids) + Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously. + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + flexVolume: + description: |- + flexVolume represents a generic volume resource that is + provisioned/attached using an exec based plugin. + Deprecated: FlexVolume is deprecated. Consider using a CSIDriver instead. + properties: + driver: + description: driver is the name of the driver to + use for this volume. + type: string + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script. + type: string + options: + additionalProperties: + type: string + description: 'options is Optional: this field holds + extra command options if any.' + type: object + readOnly: + description: |- + readOnly is Optional: defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + secretRef: + description: |- + secretRef is Optional: secretRef is reference to the secret object containing + sensitive information to pass to the plugin scripts. This may be + empty if no secret object is specified. If the secret object + contains more than one secret, all secrets are passed to the plugin + scripts. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + required: + - driver + type: object + flocker: + description: |- + flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running. + Deprecated: Flocker is deprecated and the in-tree flocker type is no longer supported. + properties: + datasetName: + description: |- + datasetName is Name of the dataset stored as metadata -> name on the dataset for Flocker + should be considered as deprecated + type: string + datasetUUID: + description: datasetUUID is the UUID of the dataset. + This is unique identifier of a Flocker dataset + type: string + type: object + gcePersistentDisk: + description: |- + gcePersistentDisk represents a GCE Disk resource that is attached to a + kubelet's host machine and then exposed to the pod. + Deprecated: GCEPersistentDisk is deprecated. All operations for the in-tree + gcePersistentDisk type are redirected to the pd.csi.storage.gke.io CSI driver. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + properties: + fsType: + description: |- + fsType is filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + type: string + partition: + description: |- + partition is the partition in the volume that you want to mount. + If omitted, the default is to mount by volume name. + Examples: For volume /dev/sda1, you specify the partition as "1". + Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + format: int32 + type: integer + pdName: + description: |- + pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + type: string + readOnly: + description: |- + readOnly here will force the ReadOnly setting in VolumeMounts. + Defaults to false. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + type: boolean + required: + - pdName + type: object + gitRepo: + description: |- + gitRepo represents a git repository at a particular revision. + Deprecated: GitRepo is deprecated. To provision a container with a git repo, mount an + EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir + into the Pod's container. + properties: + directory: + description: |- + directory is the target directory name. + Must not contain or start with '..'. If '.' is supplied, the volume directory will be the + git repository. Otherwise, if specified, the volume will contain the git repository in + the subdirectory with the given name. + type: string + repository: + description: repository is the URL + type: string + revision: + description: revision is the commit hash for the + specified revision. + type: string + required: + - repository + type: object + glusterfs: + description: |- + glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. + Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported. + properties: + endpoints: + description: endpoints is the endpoint name that + details Glusterfs topology. + type: string + path: + description: |- + path is the Glusterfs volume path. + More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + type: string + readOnly: + description: |- + readOnly here will force the Glusterfs volume to be mounted with read-only permissions. + Defaults to false. + More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + type: boolean + required: + - endpoints + - path + type: object + hostPath: + description: |- + hostPath represents a pre-existing file or directory on the host + machine that is directly exposed to the container. This is generally + used for system agents or other privileged things that are allowed + to see the host machine. Most containers will NOT need this. + More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + properties: + path: + description: |- + path of the directory on the host. + If the path is a symlink, it will follow the link to the real path. + More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + type: string + type: + description: |- + type for HostPath Volume + Defaults to "" + More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + type: string + required: + - path + type: object + image: + description: |- + image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine. + The volume is resolved at pod startup depending on which PullPolicy value is provided: + + - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. + - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. + - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. + + The volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation. + A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message. + The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field. + The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images. + The volume will be mounted read-only (ro) and non-executable files (noexec). + Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath) before 1.33. + The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type. + properties: + pullPolicy: + description: |- + Policy for pulling OCI objects. Possible values are: + Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. + Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. + IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. + Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. + type: string + reference: + description: |- + Required: Image or artifact reference to be used. + Behaves in the same way as pod.spec.containers[*].image. + Pull secrets will be assembled in the same way as for the container image by looking up node credentials, SA image pull secrets, and pod spec image pull secrets. + More info: https://kubernetes.io/docs/concepts/containers/images + This field is optional to allow higher level config management to default or override + container images in workload controllers like Deployments and StatefulSets. + type: string + type: object + iscsi: + description: |- + iscsi represents an ISCSI Disk resource that is attached to a + kubelet's host machine and then exposed to the pod. + More info: https://kubernetes.io/docs/concepts/storage/volumes/#iscsi + properties: + chapAuthDiscovery: + description: chapAuthDiscovery defines whether support + iSCSI Discovery CHAP authentication + type: boolean + chapAuthSession: + description: chapAuthSession defines whether support + iSCSI Session CHAP authentication + type: boolean + fsType: + description: |- + fsType is the filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi + type: string + initiatorName: + description: |- + initiatorName is the custom iSCSI Initiator Name. + If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface + : will be created for the connection. + type: string + iqn: + description: iqn is the target iSCSI Qualified Name. + type: string + iscsiInterface: + default: default + description: |- + iscsiInterface is the interface Name that uses an iSCSI transport. + Defaults to 'default' (tcp). + type: string + lun: + description: lun represents iSCSI Target Lun number. + format: int32 + type: integer + portals: + description: |- + portals is the iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port + is other than default (typically TCP ports 860 and 3260). + items: + type: string + type: array + x-kubernetes-list-type: atomic + readOnly: + description: |- + readOnly here will force the ReadOnly setting in VolumeMounts. + Defaults to false. + type: boolean + secretRef: + description: secretRef is the CHAP Secret for iSCSI + target and initiator authentication + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + targetPortal: + description: |- + targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port + is other than default (typically TCP ports 860 and 3260). + type: string + required: + - iqn + - lun + - targetPortal + type: object + name: + description: |- + name of the volume. + Must be a DNS_LABEL and unique within the pod. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + nfs: + description: |- + nfs represents an NFS mount on the host that shares a pod's lifetime + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + properties: + path: + description: |- + path that is exported by the NFS server. + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + type: string + readOnly: + description: |- + readOnly here will force the NFS export to be mounted with read-only permissions. + Defaults to false. + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + type: boolean + server: + description: |- + server is the hostname or IP address of the NFS server. + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + type: string + required: + - path + - server + type: object + persistentVolumeClaim: + description: |- + persistentVolumeClaimVolumeSource represents a reference to a + PersistentVolumeClaim in the same namespace. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + properties: + claimName: + description: |- + claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + type: string + readOnly: + description: |- + readOnly Will force the ReadOnly setting in VolumeMounts. + Default false. + type: boolean + required: + - claimName + type: object + photonPersistentDisk: + description: |- + photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine. + Deprecated: PhotonPersistentDisk is deprecated and the in-tree photonPersistentDisk type is no longer supported. + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + pdID: + description: pdID is the ID that identifies Photon + Controller persistent disk + type: string + required: + - pdID + type: object + portworxVolume: + description: |- + portworxVolume represents a portworx volume attached and mounted on kubelets host machine. + Deprecated: PortworxVolume is deprecated. All operations for the in-tree portworxVolume type + are redirected to the pxd.portworx.com CSI driver when the CSIMigrationPortworx feature-gate + is on. + properties: + fsType: + description: |- + fSType represents the filesystem type to mount + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs". Implicitly inferred to be "ext4" if unspecified. + type: string + readOnly: + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + volumeID: + description: volumeID uniquely identifies a Portworx + volume + type: string + required: + - volumeID + type: object + projected: + description: projected items for all in one resources + secrets, configmaps, and downward API + properties: + defaultMode: + description: |- + defaultMode are the mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + sources: + description: |- + sources is the list of volume projections. Each entry in this list + handles one source. + items: + description: |- + Projection that may be projected along with other supported volume types. + Exactly one of these fields must be set. + properties: + clusterTrustBundle: + description: |- + ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field + of ClusterTrustBundle objects in an auto-updating file. + + Alpha, gated by the ClusterTrustBundleProjection feature gate. + + ClusterTrustBundle objects can either be selected by name, or by the + combination of signer name and a label selector. + + Kubelet performs aggressive normalization of the PEM contents written + into the pod filesystem. Esoteric PEM features such as inter-block + comments and block headers are stripped. Certificates are deduplicated. + The ordering of certificates within the file is arbitrary, and Kubelet + may change the order over time. + properties: + labelSelector: + description: |- + Select all ClusterTrustBundles that match this label selector. Only has + effect if signerName is set. Mutually-exclusive with name. If unset, + interpreted as "match nothing". If set but empty, interpreted as "match + everything". + properties: + matchExpressions: + description: matchExpressions is a + list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + name: + description: |- + Select a single ClusterTrustBundle by object name. Mutually-exclusive + with signerName and labelSelector. + type: string + optional: + description: |- + If true, don't block pod startup if the referenced ClusterTrustBundle(s) + aren't available. If using name, then the named ClusterTrustBundle is + allowed not to exist. If using signerName, then the combination of + signerName and labelSelector is allowed to match zero + ClusterTrustBundles. + type: boolean + path: + description: Relative path from the volume + root to write the bundle. + type: string + signerName: + description: |- + Select all ClusterTrustBundles that match this signer name. + Mutually-exclusive with name. The contents of all selected + ClusterTrustBundles will be unified and deduplicated. + type: string + required: + - path + type: object + configMap: + description: configMap information about the + configMap data to project + properties: + items: + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + ConfigMap will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the ConfigMap, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + items: + description: Maps a string key to a + path within a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: optional specify whether + the ConfigMap or its keys must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + downwardAPI: + description: downwardAPI information about + the downwardAPI data to project + properties: + items: + description: Items is a list of DownwardAPIVolume + file + items: + description: DownwardAPIVolumeFile represents + information to create the file containing + the pod field + properties: + fieldRef: + description: 'Required: Selects + a field of the pod: only annotations, + labels, name, namespace and uid + are supported.' + properties: + apiVersion: + description: Version of the + schema the FieldPath is written + in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field + to select in the specified + API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + description: |- + Optional: mode bits used to set permissions on this file, must be an octal value + between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: 'Required: Path is the + relative path name of the file + to be created. Must not be absolute + or contain the ''..'' path. Must + be utf-8 encoded. The first item + of the relative path must not + start with ''..''' + type: string + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. + properties: + containerName: + description: 'Container name: + required for volumes, optional + for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output + format of the exposed resources, + defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource + to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podCertificate: + description: |- + Projects an auto-rotating credential bundle (private key and certificate + chain) that the pod can use either as a TLS client or server. + + Kubelet generates a private key and uses it to send a + PodCertificateRequest to the named signer. Once the signer approves the + request and issues a certificate chain, Kubelet writes the key and + certificate chain to the pod filesystem. The pod does not start until + certificates have been issued for each podCertificate projected volume + source in its spec. + + Kubelet will begin trying to rotate the certificate at the time indicated + by the signer using the PodCertificateRequest.Status.BeginRefreshAt + timestamp. + + Kubelet can write a single file, indicated by the credentialBundlePath + field, or separate files, indicated by the keyPath and + certificateChainPath fields. + + The credential bundle is a single file in PEM format. The first PEM + entry is the private key (in PKCS#8 format), and the remaining PEM + entries are the certificate chain issued by the signer (typically, + signers will return their certificate chain in leaf-to-root order). + + Prefer using the credential bundle format, since your application code + can read it atomically. If you use keyPath and certificateChainPath, + your application must make two separate file reads. If these coincide + with a certificate rotation, it is possible that the private key and leaf + certificate you read may not correspond to each other. Your application + will need to check for this condition, and re-read until they are + consistent. + + The named signer controls chooses the format of the certificate it + issues; consult the signer implementation's documentation to learn how to + use the certificates it issues. + properties: + certificateChainPath: + description: |- + Write the certificate chain at this path in the projected volume. + + Most applications should use credentialBundlePath. When using keyPath + and certificateChainPath, your application needs to check that the key + and leaf certificate are consistent, because it is possible to read the + files mid-rotation. + type: string + credentialBundlePath: + description: |- + Write the credential bundle at this path in the projected volume. + + The credential bundle is a single file that contains multiple PEM blocks. + The first PEM block is a PRIVATE KEY block, containing a PKCS#8 private + key. + + The remaining blocks are CERTIFICATE blocks, containing the issued + certificate chain from the signer (leaf and any intermediates). + + Using credentialBundlePath lets your Pod's application code make a single + atomic read that retrieves a consistent key and certificate chain. If you + project them to separate files, your application code will need to + additionally check that the leaf certificate was issued to the key. + type: string + keyPath: + description: |- + Write the key at this path in the projected volume. + + Most applications should use credentialBundlePath. When using keyPath + and certificateChainPath, your application needs to check that the key + and leaf certificate are consistent, because it is possible to read the + files mid-rotation. + type: string + keyType: + description: |- + The type of keypair Kubelet will generate for the pod. + + Valid values are "RSA3072", "RSA4096", "ECDSAP256", "ECDSAP384", + "ECDSAP521", and "ED25519". + type: string + maxExpirationSeconds: + description: |- + maxExpirationSeconds is the maximum lifetime permitted for the + certificate. + + Kubelet copies this value verbatim into the PodCertificateRequests it + generates for this projection. + + If omitted, kube-apiserver will set it to 86400(24 hours). kube-apiserver + will reject values shorter than 3600 (1 hour). The maximum allowable + value is 7862400 (91 days). + + The signer implementation is then free to issue a certificate with any + lifetime *shorter* than MaxExpirationSeconds, but no shorter than 3600 + seconds (1 hour). This constraint is enforced by kube-apiserver. + `kubernetes.io` signers will never issue certificates with a lifetime + longer than 24 hours. + format: int32 + type: integer + signerName: + description: Kubelet's generated CSRs + will be addressed to this signer. + type: string + required: + - keyType + - signerName + type: object + secret: + description: secret information about the + secret data to project + properties: + items: + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + Secret will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the Secret, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + items: + description: Maps a string key to a + path within a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: optional field specify whether + the Secret or its key must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + serviceAccountToken: + description: serviceAccountToken is information + about the serviceAccountToken data to project + properties: + audience: + description: |- + audience is the intended audience of the token. A recipient of a token + must identify itself with an identifier specified in the audience of the + token, and otherwise should reject the token. The audience defaults to the + identifier of the apiserver. + type: string + expirationSeconds: + description: |- + expirationSeconds is the requested duration of validity of the service + account token. As the token approaches expiration, the kubelet volume + plugin will proactively rotate the service account token. The kubelet will + start trying to rotate the token if the token is older than 80 percent of + its time to live or if the token is older than 24 hours.Defaults to 1 hour + and must be at least 10 minutes. + format: int64 + type: integer + path: + description: |- + path is the path relative to the mount point of the file to project the + token into. + type: string + required: + - path + type: object + type: object + type: array + x-kubernetes-list-type: atomic + type: object + quobyte: + description: |- + quobyte represents a Quobyte mount on the host that shares a pod's lifetime. + Deprecated: Quobyte is deprecated and the in-tree quobyte type is no longer supported. + properties: + group: + description: |- + group to map volume access to + Default is no group + type: string + readOnly: + description: |- + readOnly here will force the Quobyte volume to be mounted with read-only permissions. + Defaults to false. + type: boolean + registry: + description: |- + registry represents a single or multiple Quobyte Registry services + specified as a string as host:port pair (multiple entries are separated with commas) + which acts as the central registry for volumes + type: string + tenant: + description: |- + tenant owning the given Quobyte volume in the Backend + Used with dynamically provisioned Quobyte volumes, value is set by the plugin + type: string + user: + description: |- + user to map volume access to + Defaults to serivceaccount user + type: string + volume: + description: volume is a string that references + an already created Quobyte volume by name. + type: string + required: + - registry + - volume + type: object + rbd: + description: |- + rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. + Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported. + properties: + fsType: + description: |- + fsType is the filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd + type: string + image: + description: |- + image is the rados image name. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + keyring: + default: /etc/ceph/keyring + description: |- + keyring is the path to key ring for RBDUser. + Default is /etc/ceph/keyring. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + monitors: + description: |- + monitors is a collection of Ceph monitors. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + items: + type: string + type: array + x-kubernetes-list-type: atomic + pool: + default: rbd + description: |- + pool is the rados pool name. + Default is rbd. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + readOnly: + description: |- + readOnly here will force the ReadOnly setting in VolumeMounts. + Defaults to false. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: boolean + secretRef: + description: |- + secretRef is name of the authentication secret for RBDUser. If provided + overrides keyring. + Default is nil. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + user: + default: admin + description: |- + user is the rados user name. + Default is admin. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + required: + - image + - monitors + type: object + scaleIO: + description: |- + scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes. + Deprecated: ScaleIO is deprecated and the in-tree scaleIO type is no longer supported. + properties: + fsType: + default: xfs + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". + Default is "xfs". + type: string + gateway: + description: gateway is the host address of the + ScaleIO API Gateway. + type: string + protectionDomain: + description: protectionDomain is the name of the + ScaleIO Protection Domain for the configured storage. + type: string + readOnly: + description: |- + readOnly Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + secretRef: + description: |- + secretRef references to the secret for ScaleIO user and other + sensitive information. If this is not provided, Login operation will fail. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + sslEnabled: + description: sslEnabled Flag enable/disable SSL + communication with Gateway, default false + type: boolean + storageMode: + default: ThinProvisioned + description: |- + storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. + Default is ThinProvisioned. + type: string + storagePool: + description: storagePool is the ScaleIO Storage + Pool associated with the protection domain. + type: string + system: + description: system is the name of the storage system + as configured in ScaleIO. + type: string + volumeName: + description: |- + volumeName is the name of a volume already created in the ScaleIO system + that is associated with this volume source. + type: string + required: + - gateway + - secretRef + - system + type: object + secret: + description: |- + secret represents a secret that should populate this volume. + More info: https://kubernetes.io/docs/concepts/storage/volumes#secret + properties: + defaultMode: + description: |- + defaultMode is Optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values + for mode bits. Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + items: + description: |- + items If unspecified, each key-value pair in the Data field of the referenced + Secret will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the Secret, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + items: + description: Maps a string key to a path within + a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + optional: + description: optional field specify whether the + Secret or its keys must be defined + type: boolean + secretName: + description: |- + secretName is the name of the secret in the pod's namespace to use. + More info: https://kubernetes.io/docs/concepts/storage/volumes#secret + type: string + type: object + storageos: + description: |- + storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes. + Deprecated: StorageOS is deprecated and the in-tree storageos type is no longer supported. + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + readOnly: + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + secretRef: + description: |- + secretRef specifies the secret to use for obtaining the StorageOS API + credentials. If not specified, default values will be attempted. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + volumeName: + description: |- + volumeName is the human-readable name of the StorageOS volume. Volume + names are only unique within a namespace. + type: string + volumeNamespace: + description: |- + volumeNamespace specifies the scope of the volume within StorageOS. If no + namespace is specified then the Pod's namespace will be used. This allows the + Kubernetes name scoping to be mirrored within StorageOS for tighter integration. + Set VolumeName to any name to override the default behaviour. + Set to "default" if you are not using namespaces within StorageOS. + Namespaces that do not pre-exist within StorageOS will be created. + type: string + type: object + vsphereVolume: + description: |- + vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine. + Deprecated: VsphereVolume is deprecated. All operations for the in-tree vsphereVolume type + are redirected to the csi.vsphere.vmware.com CSI driver. + properties: + fsType: + description: |- + fsType is filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + storagePolicyID: + description: storagePolicyID is the storage Policy + Based Management (SPBM) profile ID associated + with the StoragePolicyName. + type: string + storagePolicyName: + description: storagePolicyName is the storage Policy + Based Management (SPBM) profile name. + type: string + volumePath: + description: volumePath is the path that identifies + vSphere volume vmdk + type: string + required: + - volumePath + type: object + required: + - name + type: object + type: array + xdsAddress: + description: The customized XDS address to retrieve configuration. + type: string + type: object + type: object + version: + default: v1.28.5 + description: |- + Defines the version of Istio to install. + Must be one of: v1.28-latest, v1.28.5, v1.28.4, v1.27-latest, v1.27.8, v1.27.5, v1.27.3, v1.26-latest, v1.26.8, v1.26.6, v1.26.4, v1.26.3, v1.26.2. + enum: + - v1.28-latest + - v1.28.5 + - v1.28.4 + - v1.27-latest + - v1.27.8 + - v1.27.5 + - v1.27.3 + - v1.26-latest + - v1.26.8 + - v1.26.6 + - v1.26.4 + - v1.26.3 + - v1.26.2 + type: string + required: + - namespace + - version + type: object + status: + description: ZTunnelStatus defines the observed state of ZTunnel + properties: + conditions: + description: Represents the latest available observations of the object's + current state. + items: + description: ZTunnelCondition represents a specific observation + of the ZTunnel object's state. + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + the last transition. + type: string + reason: + description: Unique, single-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: The status of this condition. Can be True, False + or Unknown. + type: string + type: + description: The type of this condition. + type: string + type: object + type: array + observedGeneration: + description: |- + ObservedGeneration is the most recent generation observed for this + ZTunnel object. It corresponds to the object's generation, which is + updated on mutation by the API Server. The information in the status + pertains to this particular generation of the object. + format: int64 + type: integer + state: + description: Reports the current state of the object. + type: string + type: object + type: object + x-kubernetes-validations: + - message: metadata.name must be 'default' + rule: self.metadata.name == 'default' + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: The namespace for the ztunnel component. + jsonPath: .spec.namespace + name: Namespace + type: string + - description: The selected profile (collection of value presets). + jsonPath: .spec.values.profile + name: Profile + type: string + - description: Whether the Istio ztunnel installation is ready to handle requests. + jsonPath: .status.conditions[?(@.type=="Ready")].status + name: Ready + type: string + - description: The current state of this object. + jsonPath: .status.state + name: Status + type: string + - description: The version of the Istio ztunnel installation. + jsonPath: .spec.version + name: Version + type: string + - description: The age of the object + jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + name: v1alpha1 + schema: + openAPIV3Schema: + description: ZTunnel represents a deployment of the Istio ztunnel component. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + default: + namespace: ztunnel + profile: ambient + version: v1.28.5 + description: ZTunnelSpec defines the desired state of ZTunnel + properties: + namespace: + default: ztunnel + description: Namespace to which the Istio ztunnel component should + be installed. + type: string + profile: + default: ambient + description: |- + The built-in installation configuration profile to use. + The 'default' profile is 'ambient' and it is always applied. + Must be one of: ambient, default, demo, empty, external, preview, remote, stable. + enum: + - ambient + - default + - demo + - empty + - external + - openshift-ambient + - openshift + - preview + - remote + - stable + type: string + values: + description: Defines the values to be passed to the Helm charts when + installing Istio ztunnel. + properties: + global: + description: Part of the global configuration applicable to the + Istio ztunnel component. + properties: + defaultResources: + description: |- + See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container + + Deprecated: Marked as deprecated in pkg/apis/values_types.proto. + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + This field depends on the + DynamicResourceAllocation feature gate. + + This field is immutable. It can only be set for containers. + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + hub: + description: Specifies the docker hub for Istio images. + type: string + imagePullPolicy: + description: |- + Specifies the image pull policy for the Istio images. one of Always, Never, IfNotPresent. + Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated. + + More info: https://kubernetes.io/docs/concepts/containers/images#updating-images + enum: + - Always + - Never + - IfNotPresent + type: string + imagePullSecrets: + description: |- + ImagePullSecrets for the control plane ServiceAccount, list of secrets in the same namespace + to use for pulling any images in pods that reference this ServiceAccount. + Must be set for any cluster configured with private docker registry. + items: + type: string + type: array + logAsJson: + description: Specifies whether istio components should output + logs in json format by adding --log_as_json argument to + each container. + type: boolean + logging: + description: Specifies the global logging level settings for + the Istio control plane components. + properties: + level: + description: |- + Comma-separated minimum per-scope logging level of messages to output, in the form of :,: + The control plane has different scopes depending on component, but can configure default log level across all components + If empty, default scope and level will be used as configured in code + type: string + type: object + platform: + description: |- + Platform in which Istio is deployed. Possible values are: "openshift" and "gcp" + An empty value means it is a vanilla Kubernetes distribution, therefore no special + treatment will be considered. + type: string + tag: + description: Specifies the tag for the Istio docker images. + type: string + variant: + description: The variant of the Istio container images to + use. Options are "debug" or "distroless". Unset will use + the default for the given version. + type: string + type: object + ztunnel: + description: Configuration for the Istio ztunnel plugin. + properties: + Annotations: + additionalProperties: + type: string + description: Annotations to apply to all top level resources + type: object + Labels: + additionalProperties: + type: string + description: Labels to apply to all top level resources + type: object + affinity: + description: K8s affinity to set on the ztunnel Pods. Can + be used to exclude ztunnel from being scheduled on specified + nodes. + properties: + nodeAffinity: + description: Describes node affinity scheduling rules + for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node matches the corresponding matchExpressions; the + node(s) with the highest sum are the most preferred. + items: + description: |- + An empty preferred scheduling term matches all objects with implicit weight 0 + (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). + properties: + preference: + description: A node selector term, associated + with the corresponding weight. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the + selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the + selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching + the corresponding nodeSelectorTerm, in the + range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector + terms. The terms are ORed. + items: + description: |- + A null or empty node selector term matches no objects. The requirements of + them are ANDed. + The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the + selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: |- + A node selector requirement is a selector that contains values, a key, and an operator + that relates the key and values. + properties: + key: + description: The label key that the + selector applies to. + type: string + operator: + description: |- + Represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: |- + An array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. If the operator is Gt or Lt, the values + array must have a single element, which will be interpreted as an integer. + This array is replaced during a strategic merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + type: object + x-kubernetes-map-type: atomic + type: array + x-kubernetes-list-type: atomic + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: Describes pod affinity scheduling rules (e.g. + co-locate this pod in the same node, zone, etc. as some + other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, etc.), + compute a sum by iterating through the elements of this field and adding + "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. + items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling rules + (e.g. avoid putting this pod in the same node, zone, + etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: |- + The scheduler will prefer to schedule pods to nodes that satisfy + the anti-affinity expressions specified by this field, but it may choose + a node that violates one or more of the expressions. The node that is + most preferred is the one with the greatest sum of weights, i.e. + for each node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, etc.), + compute a sum by iterating through the elements of this field and subtracting + "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, + associated with the corresponding weight. + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: |- + weight associated with matching the corresponding podAffinityTerm, + in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + x-kubernetes-list-type: atomic + requiredDuringSchedulingIgnoredDuringExecution: + description: |- + If the anti-affinity requirements specified by this field are not met at + scheduling time, the pod will not be scheduled onto the node. + If the anti-affinity requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod label update), the + system may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding to each + podAffinityTerm are intersected, i.e. all terms must be satisfied. + items: + description: |- + Defines a set of pods (namely those matching the labelSelector + relative to the given namespace(s)) that this pod should be + co-located (affinity) or not co-located (anti-affinity) with, + where co-located is defined as running on a node whose value of + the label with key matches that of any node on which + a pod of the set of pods is running + properties: + labelSelector: + description: |- + A label query over a set of resources, in this case pods. + If it's null, this PodAffinityTerm matches with no Pods. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: |- + MatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both matchLabelKeys and labelSelector. + Also, matchLabelKeys cannot be set when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: |- + MismatchLabelKeys is a set of pod label keys to select which pods will + be taken into consideration. The keys are used to lookup values from the + incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` + to select the group of existing pods which pods will be taken into consideration + for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming + pod labels will be ignored. The default value is empty. + The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. + Also, mismatchLabelKeys cannot be set when labelSelector isn't set. + items: + type: string + type: array + x-kubernetes-list-type: atomic + namespaceSelector: + description: |- + A label query over the set of namespaces that the term applies to. + The term is applied to the union of the namespaces selected by this field + and the ones listed in the namespaces field. + null selector and null or empty namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + namespaces specifies a static list of namespace names that the term applies to. + The term is applied to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. + null or empty namespaces list and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + x-kubernetes-list-type: atomic + topologyKey: + description: |- + This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where co-located is defined as running on a node + whose value of the label with key topologyKey matches that of any node on which any of the + selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: object + caAddress: + description: The address of the CA for CSR. + type: string + env: + additionalProperties: + type: string + description: 'A `key: value` mapping of environment variables + to add to the pod' + type: object + hub: + description: Hub to pull the container image from. Image will + be `Hub/Image:Tag-Variant`. + type: string + image: + description: |- + Image name to pull from. Image will be `Hub/Image:Tag-Variant`. + If Image contains a "/", it will replace the entire `image` in the pod. + type: string + imagePullPolicy: + description: |- + Specifies the image pull policy for the Istio images. one of Always, Never, IfNotPresent. + Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated. + + More info: https://kubernetes.io/docs/concepts/containers/images#updating-images + enum: + - Always + - Never + - IfNotPresent + type: string + imagePullSecrets: + description: |- + List of secret names to add to the service account as image pull secrets + to use for pulling any images in pods that reference this ServiceAccount. + Must be set for any cluster configured with private docker registry. + items: + type: string + type: array + istioNamespace: + description: Specifies the default namespace for the Istio + control plane components. + type: string + logAsJson: + description: Specifies whether istio components should output + logs in json format by adding --log_as_json argument to + each container. + type: boolean + logLevel: + default: info + description: 'Configuration log level of ztunnel binary, default + is info. Valid values are: trace, debug, info, warn, error.' + enum: + - trace + - debug + - info + - warn + - error + type: string + multiCluster: + description: |- + Settings for multicluster. + The name of the cluster we are installing in. Note this is a user-defined name, which must be consistent + with Istiod configuration. + properties: + clusterName: + description: |- + The name of the cluster this installation will run in. This is required for sidecar injection + to properly label proxies + type: string + enabled: + description: |- + Enables the connection between two kubernetes clusters via their respective ingressgateway services. + Use if the pods in each cluster cannot directly talk to one another. + type: boolean + globalDomainSuffix: + description: The suffix for global service names. + type: string + includeEnvoyFilter: + description: Enable envoy filter to translate `globalDomainSuffix` + to cluster local suffix for cross cluster communication. + type: boolean + type: object + network: + description: defines the network this cluster belong to. This + name corresponds to the networks in the map of mesh networks. + type: string + nodeSelector: + additionalProperties: + type: string + description: |- + K8s node selector settings. + + See https://kubernetes.io/docs/user-guide/node-selection/ + type: object + podAnnotations: + additionalProperties: + type: string + description: Annotations added to each pod. The default annotations + are required for scraping prometheus (in most environments). + type: object + podLabels: + additionalProperties: + type: string + description: Additional labels to apply on the pod level. + type: object + resourceName: + description: |- + resourceName, if set, will override the naming of resources. If not set, will default to the release name. + It is recommended to not set this; this is primarily for backwards compatibility. + type: string + resourceQuotas: + description: The resource quotas configuration for ztunnel + properties: + enabled: + description: Controls whether to create resource quotas + or not for the CNI DaemonSet. + type: boolean + pods: + description: The hard limit on the number of pods in the + namespace where the CNI DaemonSet is deployed. + format: int64 + type: integer + type: object + resources: + description: The k8s resource requests and limits for the + ztunnel Pods. + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + This field depends on the + DynamicResourceAllocation feature gate. + + This field is immutable. It can only be set for containers. + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + revision: + description: Configures the revision this control plane is + a part of + type: string + seLinuxOptions: + description: Set seLinux options for the ztunnel pod + properties: + level: + description: Level is SELinux level label that applies + to the container. + type: string + role: + description: Role is a SELinux role label that applies + to the container. + type: string + type: + description: Type is a SELinux type label that applies + to the container. + type: string + user: + description: User is a SELinux user label that applies + to the container. + type: string + type: object + tag: + description: The container image tag to pull. Image will be + `Hub/Image:Tag-Variant`. + type: string + terminationGracePeriodSeconds: + default: 30 + description: |- + This value defines: + 1. how many seconds kube waits for ztunnel pod to gracefully exit before forcibly terminating it (this value) + 2. how many seconds ztunnel waits to drain its own connections (this value - 1 sec) + format: int64 + minimum: 0 + type: integer + tolerations: + description: Tolerations for the ztunnel pod + items: + description: |- + The pod this Toleration is attached to tolerates any taint that matches + the triple using the matching operator . + properties: + effect: + description: |- + Effect indicates the taint effect to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: |- + Key is the taint key that the toleration applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; this combination means to match all values and all keys. + type: string + operator: + description: |- + Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod can + tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: |- + TolerationSeconds represents the period of time the toleration (which must be + of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, + it is not set, which means tolerate the taint forever (do not evict). Zero and + negative values will be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: |- + Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise just a regular string. + type: string + type: object + type: array + updateStrategy: + description: Defines the update strategy to use when the version + in the Ztunnel CR is updated. + properties: + rollingUpdate: + description: Rolling update config params. Present only + if type = "RollingUpdate". + properties: + maxSurge: + anyOf: + - type: integer + - type: string + description: |- + The maximum number of nodes with an existing available DaemonSet pod that + can have an updated DaemonSet pod during during an update. + Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). + This can not be 0 if MaxUnavailable is 0. + Absolute number is calculated from percentage by rounding up to a minimum of 1. + Default value is 0. + Example: when this is set to 30%, at most 30% of the total number of nodes + that should be running the daemon pod (i.e. status.desiredNumberScheduled) + can have their a new pod created before the old pod is marked as deleted. + The update starts by launching new pods on 30% of nodes. Once an updated + pod is available (Ready for at least minReadySeconds) the old DaemonSet pod + on that node is marked deleted. If the old pod becomes unavailable for any + reason (Ready transitions to false, is evicted, or is drained) an updated + pod is immediately created on that node without considering surge limits. + Allowing surge implies the possibility that the resources consumed by the + daemonset on any given node can double if the readiness check fails, and + so resource intensive daemonsets should take into account that they may + cause evictions during disruption. + x-kubernetes-int-or-string: true + maxUnavailable: + anyOf: + - type: integer + - type: string + description: |- + The maximum number of DaemonSet pods that can be unavailable during the + update. Value can be an absolute number (ex: 5) or a percentage of total + number of DaemonSet pods at the start of the update (ex: 10%). Absolute + number is calculated from percentage by rounding up. + This cannot be 0 if MaxSurge is 0 + Default value is 1. + Example: when this is set to 30%, at most 30% of the total number of nodes + that should be running the daemon pod (i.e. status.desiredNumberScheduled) + can have their pods stopped for an update at any given time. The update + starts by stopping at most 30% of those DaemonSet pods and then brings + up new DaemonSet pods in their place. Once the new pods are available, + it then proceeds onto other DaemonSet pods, thus ensuring that at least + 70% of original number of DaemonSet pods are available at all times during + the update. + x-kubernetes-int-or-string: true + type: object + type: + description: Type of daemon set update. Can be "RollingUpdate" + or "OnDelete". Default is RollingUpdate. + type: string + type: object + variant: + description: The container image variant to pull. Options + are "debug" or "distroless". Unset will use the default + for the given version. + type: string + volumeMounts: + description: Additional volumeMounts to the ztunnel container + items: + description: VolumeMount describes a mounting of a Volume + within a container. + properties: + mountPath: + description: |- + Path within the container at which the volume should be mounted. Must + not contain ':'. + type: string + mountPropagation: + description: |- + mountPropagation determines how mounts are propagated from the host + to container and the other way around. + When not set, MountPropagationNone is used. + This field is beta in 1.10. + When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified + (which defaults to None). + type: string + name: + description: This must match the Name of a Volume. + type: string + readOnly: + description: |- + Mounted read-only if true, read-write otherwise (false or unspecified). + Defaults to false. + type: boolean + recursiveReadOnly: + description: |- + RecursiveReadOnly specifies whether read-only mounts should be handled + recursively. + + If ReadOnly is false, this field has no meaning and must be unspecified. + + If ReadOnly is true, and this field is set to Disabled, the mount is not made + recursively read-only. If this field is set to IfPossible, the mount is made + recursively read-only, if it is supported by the container runtime. If this + field is set to Enabled, the mount is made recursively read-only if it is + supported by the container runtime, otherwise the pod will not be started and + an error will be generated to indicate the reason. + + If this field is set to IfPossible or Enabled, MountPropagation must be set to + None (or be unspecified, which defaults to None). + + If this field is not specified, it is treated as an equivalent of Disabled. + type: string + subPath: + description: |- + Path within the volume from which the container's volume should be mounted. + Defaults to "" (volume's root). + type: string + subPathExpr: + description: |- + Expanded path within the volume from which the container's volume should be mounted. + Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. + Defaults to "" (volume's root). + SubPathExpr and SubPath are mutually exclusive. + type: string + required: + - mountPath + - name + type: object + type: array + volumes: + description: Additional volumes to add to the ztunnel Pod. + items: + description: Volume represents a named volume in a pod that + may be accessed by any container in the pod. + properties: + awsElasticBlockStore: + description: |- + awsElasticBlockStore represents an AWS Disk resource that is attached to a + kubelet's host machine and then exposed to the pod. + Deprecated: AWSElasticBlockStore is deprecated. All operations for the in-tree + awsElasticBlockStore type are redirected to the ebs.csi.aws.com CSI driver. + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + properties: + fsType: + description: |- + fsType is the filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + type: string + partition: + description: |- + partition is the partition in the volume that you want to mount. + If omitted, the default is to mount by volume name. + Examples: For volume /dev/sda1, you specify the partition as "1". + Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). + format: int32 + type: integer + readOnly: + description: |- + readOnly value true will force the readOnly setting in VolumeMounts. + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + type: boolean + volumeID: + description: |- + volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume). + More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + type: string + required: + - volumeID + type: object + azureDisk: + description: |- + azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod. + Deprecated: AzureDisk is deprecated. All operations for the in-tree azureDisk type + are redirected to the disk.csi.azure.com CSI driver. + properties: + cachingMode: + description: 'cachingMode is the Host Caching mode: + None, Read Only, Read Write.' + type: string + diskName: + description: diskName is the Name of the data disk + in the blob storage + type: string + diskURI: + description: diskURI is the URI of data disk in + the blob storage + type: string + fsType: + default: ext4 + description: |- + fsType is Filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + kind: + description: 'kind expected values are Shared: multiple + blob disks per storage account Dedicated: single + blob disk per storage account Managed: azure + managed data disk (only in managed availability + set). defaults to shared' + type: string + readOnly: + default: false + description: |- + readOnly Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + required: + - diskName + - diskURI + type: object + azureFile: + description: |- + azureFile represents an Azure File Service mount on the host and bind mount to the pod. + Deprecated: AzureFile is deprecated. All operations for the in-tree azureFile type + are redirected to the file.csi.azure.com CSI driver. + properties: + readOnly: + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + secretName: + description: secretName is the name of secret that + contains Azure Storage Account Name and Key + type: string + shareName: + description: shareName is the azure share Name + type: string + required: + - secretName + - shareName + type: object + cephfs: + description: |- + cephFS represents a Ceph FS mount on the host that shares a pod's lifetime. + Deprecated: CephFS is deprecated and the in-tree cephfs type is no longer supported. + properties: + monitors: + description: |- + monitors is Required: Monitors is a collection of Ceph monitors + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + items: + type: string + type: array + x-kubernetes-list-type: atomic + path: + description: 'path is Optional: Used as the mounted + root, rather than the full Ceph tree, default + is /' + type: string + readOnly: + description: |- + readOnly is Optional: Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + type: boolean + secretFile: + description: |- + secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + type: string + secretRef: + description: |- + secretRef is Optional: SecretRef is reference to the authentication secret for User, default is empty. + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + user: + description: |- + user is optional: User is the rados user name, default is admin + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it + type: string + required: + - monitors + type: object + cinder: + description: |- + cinder represents a cinder volume attached and mounted on kubelets host machine. + Deprecated: Cinder is deprecated. All operations for the in-tree cinder type + are redirected to the cinder.csi.openstack.org CSI driver. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md + type: string + readOnly: + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md + type: boolean + secretRef: + description: |- + secretRef is optional: points to a secret object containing parameters used to connect + to OpenStack. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + volumeID: + description: |- + volumeID used to identify the volume in cinder. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md + type: string + required: + - volumeID + type: object + configMap: + description: configMap represents a configMap that should + populate this volume + properties: + defaultMode: + description: |- + defaultMode is optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + items: + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + ConfigMap will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the ConfigMap, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + items: + description: Maps a string key to a path within + a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: optional specify whether the ConfigMap + or its keys must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + csi: + description: csi (Container Storage Interface) represents + ephemeral storage that is handled by certain external + CSI drivers. + properties: + driver: + description: |- + driver is the name of the CSI driver that handles this volume. + Consult with your admin for the correct name as registered in the cluster. + type: string + fsType: + description: |- + fsType to mount. Ex. "ext4", "xfs", "ntfs". + If not provided, the empty value is passed to the associated CSI driver + which will determine the default filesystem to apply. + type: string + nodePublishSecretRef: + description: |- + nodePublishSecretRef is a reference to the secret object containing + sensitive information to pass to the CSI driver to complete the CSI + NodePublishVolume and NodeUnpublishVolume calls. + This field is optional, and may be empty if no secret is required. If the + secret object contains more than one secret, all secret references are passed. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + readOnly: + description: |- + readOnly specifies a read-only configuration for the volume. + Defaults to false (read/write). + type: boolean + volumeAttributes: + additionalProperties: + type: string + description: |- + volumeAttributes stores driver-specific properties that are passed to the CSI + driver. Consult your driver's documentation for supported values. + type: object + required: + - driver + type: object + downwardAPI: + description: downwardAPI represents downward API about + the pod that should populate this volume + properties: + defaultMode: + description: |- + Optional: mode bits to use on created files by default. Must be a + Optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + items: + description: Items is a list of downward API volume + file + items: + description: DownwardAPIVolumeFile represents + information to create the file containing the + pod field + properties: + fieldRef: + description: 'Required: Selects a field of + the pod: only annotations, labels, name, + namespace and uid are supported.' + properties: + apiVersion: + description: Version of the schema the + FieldPath is written in terms of, defaults + to "v1". + type: string + fieldPath: + description: Path of the field to select + in the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + description: |- + Optional: mode bits used to set permissions on this file, must be an octal value + between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: 'Required: Path is the relative + path name of the file to be created. Must + not be absolute or contain the ''..'' path. + Must be utf-8 encoded. The first item of + the relative path must not start with ''..''' + type: string + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. + properties: + containerName: + description: 'Container name: required + for volumes, optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output format + of the exposed resources, defaults to + "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + x-kubernetes-list-type: atomic + type: object + emptyDir: + description: |- + emptyDir represents a temporary directory that shares a pod's lifetime. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + properties: + medium: + description: |- + medium represents what type of storage medium should back this directory. + The default is "" which means to use the node's default medium. + Must be an empty string (default) or Memory. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + type: string + sizeLimit: + anyOf: + - type: integer + - type: string + description: |- + sizeLimit is the total amount of local storage required for this EmptyDir volume. + The size limit is also applicable for memory medium. + The maximum usage on memory medium EmptyDir would be the minimum value between + the SizeLimit specified here and the sum of memory limits of all containers in a pod. + The default is nil which means that the limit is undefined. + More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + ephemeral: + description: |- + ephemeral represents a volume that is handled by a cluster storage driver. + The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts, + and deleted when the pod is removed. + + Use this if: + a) the volume is only needed while the pod runs, + b) features of normal volumes like restoring from snapshot or capacity + tracking are needed, + c) the storage driver is specified through a storage class, and + d) the storage driver supports dynamic volume provisioning through + a PersistentVolumeClaim (see EphemeralVolumeSource for more + information on the connection between this volume type + and PersistentVolumeClaim). + + Use PersistentVolumeClaim or one of the vendor-specific + APIs for volumes that persist for longer than the lifecycle + of an individual pod. + + Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to + be used that way - see the documentation of the driver for + more information. + + A pod can use both types of ephemeral volumes and + persistent volumes at the same time. + properties: + volumeClaimTemplate: + description: |- + Will be used to create a stand-alone PVC to provision the volume. + The pod in which this EphemeralVolumeSource is embedded will be the + owner of the PVC, i.e. the PVC will be deleted together with the + pod. The name of the PVC will be `-` where + `` is the name from the `PodSpec.Volumes` array + entry. Pod validation will reject the pod if the concatenated name + is not valid for a PVC (for example, too long). + + An existing PVC with that name that is not owned by the pod + will *not* be used for the pod to avoid using an unrelated + volume by mistake. Starting the pod is then blocked until + the unrelated PVC is removed. If such a pre-created PVC is + meant to be used by the pod, the PVC has to updated with an + owner reference to the pod once the pod exists. Normally + this should not be necessary, but it may be useful when + manually reconstructing a broken cluster. + + This field is read-only and no changes will be made by Kubernetes + to the PVC after it has been created. + + Required, must not be nil. + properties: + metadata: + description: |- + May contain labels and annotations that will be copied into the PVC + when creating it. No other fields are allowed and will be rejected during + validation. + type: object + spec: + description: |- + The specification for the PersistentVolumeClaim. The entire content is + copied unchanged into the PVC that gets created from this + template. The same fields as in a PersistentVolumeClaim + are also valid here. + properties: + accessModes: + description: |- + accessModes contains the desired access modes the volume should have. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1 + items: + type: string + type: array + x-kubernetes-list-type: atomic + dataSource: + description: |- + dataSource field can be used to specify either: + * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) + * An existing PVC (PersistentVolumeClaim) + If the provisioner or an external controller can support the specified data source, + it will create a new volume based on the contents of the specified data source. + When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, + and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. + If the namespace is specified, then dataSourceRef will not be copied to dataSource. + properties: + apiGroup: + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. + type: string + kind: + description: Kind is the type of resource + being referenced + type: string + name: + description: Name is the name of resource + being referenced + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + description: |- + dataSourceRef specifies the object from which to populate the volume with data, if a non-empty + volume is desired. This may be any object from a non-empty API group (non + core object) or a PersistentVolumeClaim object. + When this field is specified, volume binding will only succeed if the type of + the specified object matches some installed volume populator or dynamic + provisioner. + This field will replace the functionality of the dataSource field and as such + if both fields are non-empty, they must have the same value. For backwards + compatibility, when namespace isn't specified in dataSourceRef, + both fields (dataSource and dataSourceRef) will be set to the same + value automatically if one of them is empty and the other is non-empty. + When namespace is specified in dataSourceRef, + dataSource isn't set to the same value and must be empty. + There are three important differences between dataSource and dataSourceRef: + * While dataSource only allows two specific types of objects, dataSourceRef + allows any non-core object, as well as PersistentVolumeClaim objects. + * While dataSource ignores disallowed values (dropping them), dataSourceRef + preserves all values, and generates an error if a disallowed value is + specified. + * While dataSource only allows local objects, dataSourceRef allows objects + in any namespaces. + (Beta) Using this field requires the AnyVolumeDataSource feature gate to be enabled. + (Alpha) Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled. + properties: + apiGroup: + description: |- + APIGroup is the group for the resource being referenced. + If APIGroup is not specified, the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. + type: string + kind: + description: Kind is the type of resource + being referenced + type: string + name: + description: Name is the name of resource + being referenced + type: string + namespace: + description: |- + Namespace is the namespace of resource being referenced + Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace's owner to accept the reference. See the ReferenceGrant documentation for details. + (Alpha) This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled. + type: string + required: + - kind + - name + type: object + resources: + description: |- + resources represents the minimum resources the volume should have. + If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements + that are lower than previous value but must still be higher than capacity recorded in the + status field of the claim. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + selector: + description: selector is a label query over + volumes to consider for binding. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + description: |- + storageClassName is the name of the StorageClass required by the claim. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1 + type: string + volumeAttributesClassName: + description: |- + volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim. + If specified, the CSI driver will create or update the volume with the attributes defined + in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, + it can be changed after the claim is created. An empty string or nil value indicates that no + VolumeAttributesClass will be applied to the claim. If the claim enters an Infeasible error state, + this field can be reset to its previous value (including nil) to cancel the modification. + If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be + set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource + exists. + More info: https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/ + type: string + volumeMode: + description: |- + volumeMode defines what type of volume is required by the claim. + Value of Filesystem is implied when not included in claim spec. + type: string + volumeName: + description: volumeName is the binding reference + to the PersistentVolume backing this claim. + type: string + type: object + required: + - spec + type: object + type: object + fc: + description: fc represents a Fibre Channel resource + that is attached to a kubelet's host machine and then + exposed to the pod. + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + lun: + description: 'lun is Optional: FC target lun number' + format: int32 + type: integer + readOnly: + description: |- + readOnly is Optional: Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + targetWWNs: + description: 'targetWWNs is Optional: FC target + worldwide names (WWNs)' + items: + type: string + type: array + x-kubernetes-list-type: atomic + wwids: + description: |- + wwids Optional: FC volume world wide identifiers (wwids) + Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously. + items: + type: string + type: array + x-kubernetes-list-type: atomic + type: object + flexVolume: + description: |- + flexVolume represents a generic volume resource that is + provisioned/attached using an exec based plugin. + Deprecated: FlexVolume is deprecated. Consider using a CSIDriver instead. + properties: + driver: + description: driver is the name of the driver to + use for this volume. + type: string + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script. + type: string + options: + additionalProperties: + type: string + description: 'options is Optional: this field holds + extra command options if any.' + type: object + readOnly: + description: |- + readOnly is Optional: defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + secretRef: + description: |- + secretRef is Optional: secretRef is reference to the secret object containing + sensitive information to pass to the plugin scripts. This may be + empty if no secret object is specified. If the secret object + contains more than one secret, all secrets are passed to the plugin + scripts. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + required: + - driver + type: object + flocker: + description: |- + flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running. + Deprecated: Flocker is deprecated and the in-tree flocker type is no longer supported. + properties: + datasetName: + description: |- + datasetName is Name of the dataset stored as metadata -> name on the dataset for Flocker + should be considered as deprecated + type: string + datasetUUID: + description: datasetUUID is the UUID of the dataset. + This is unique identifier of a Flocker dataset + type: string + type: object + gcePersistentDisk: + description: |- + gcePersistentDisk represents a GCE Disk resource that is attached to a + kubelet's host machine and then exposed to the pod. + Deprecated: GCEPersistentDisk is deprecated. All operations for the in-tree + gcePersistentDisk type are redirected to the pd.csi.storage.gke.io CSI driver. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + properties: + fsType: + description: |- + fsType is filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + type: string + partition: + description: |- + partition is the partition in the volume that you want to mount. + If omitted, the default is to mount by volume name. + Examples: For volume /dev/sda1, you specify the partition as "1". + Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + format: int32 + type: integer + pdName: + description: |- + pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + type: string + readOnly: + description: |- + readOnly here will force the ReadOnly setting in VolumeMounts. + Defaults to false. + More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + type: boolean + required: + - pdName + type: object + gitRepo: + description: |- + gitRepo represents a git repository at a particular revision. + Deprecated: GitRepo is deprecated. To provision a container with a git repo, mount an + EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir + into the Pod's container. + properties: + directory: + description: |- + directory is the target directory name. + Must not contain or start with '..'. If '.' is supplied, the volume directory will be the + git repository. Otherwise, if specified, the volume will contain the git repository in + the subdirectory with the given name. + type: string + repository: + description: repository is the URL + type: string + revision: + description: revision is the commit hash for the + specified revision. + type: string + required: + - repository + type: object + glusterfs: + description: |- + glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. + Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported. + properties: + endpoints: + description: endpoints is the endpoint name that + details Glusterfs topology. + type: string + path: + description: |- + path is the Glusterfs volume path. + More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + type: string + readOnly: + description: |- + readOnly here will force the Glusterfs volume to be mounted with read-only permissions. + Defaults to false. + More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod + type: boolean + required: + - endpoints + - path + type: object + hostPath: + description: |- + hostPath represents a pre-existing file or directory on the host + machine that is directly exposed to the container. This is generally + used for system agents or other privileged things that are allowed + to see the host machine. Most containers will NOT need this. + More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + properties: + path: + description: |- + path of the directory on the host. + If the path is a symlink, it will follow the link to the real path. + More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + type: string + type: + description: |- + type for HostPath Volume + Defaults to "" + More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath + type: string + required: + - path + type: object + image: + description: |- + image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine. + The volume is resolved at pod startup depending on which PullPolicy value is provided: + + - Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. + - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. + - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. + + The volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation. + A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message. + The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field. + The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images. + The volume will be mounted read-only (ro) and non-executable files (noexec). + Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath) before 1.33. + The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type. + properties: + pullPolicy: + description: |- + Policy for pulling OCI objects. Possible values are: + Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. + Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. + IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. + Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. + type: string + reference: + description: |- + Required: Image or artifact reference to be used. + Behaves in the same way as pod.spec.containers[*].image. + Pull secrets will be assembled in the same way as for the container image by looking up node credentials, SA image pull secrets, and pod spec image pull secrets. + More info: https://kubernetes.io/docs/concepts/containers/images + This field is optional to allow higher level config management to default or override + container images in workload controllers like Deployments and StatefulSets. + type: string + type: object + iscsi: + description: |- + iscsi represents an ISCSI Disk resource that is attached to a + kubelet's host machine and then exposed to the pod. + More info: https://kubernetes.io/docs/concepts/storage/volumes/#iscsi + properties: + chapAuthDiscovery: + description: chapAuthDiscovery defines whether support + iSCSI Discovery CHAP authentication + type: boolean + chapAuthSession: + description: chapAuthSession defines whether support + iSCSI Session CHAP authentication + type: boolean + fsType: + description: |- + fsType is the filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi + type: string + initiatorName: + description: |- + initiatorName is the custom iSCSI Initiator Name. + If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface + : will be created for the connection. + type: string + iqn: + description: iqn is the target iSCSI Qualified Name. + type: string + iscsiInterface: + default: default + description: |- + iscsiInterface is the interface Name that uses an iSCSI transport. + Defaults to 'default' (tcp). + type: string + lun: + description: lun represents iSCSI Target Lun number. + format: int32 + type: integer + portals: + description: |- + portals is the iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port + is other than default (typically TCP ports 860 and 3260). + items: + type: string + type: array + x-kubernetes-list-type: atomic + readOnly: + description: |- + readOnly here will force the ReadOnly setting in VolumeMounts. + Defaults to false. + type: boolean + secretRef: + description: secretRef is the CHAP Secret for iSCSI + target and initiator authentication + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + targetPortal: + description: |- + targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port + is other than default (typically TCP ports 860 and 3260). + type: string + required: + - iqn + - lun + - targetPortal + type: object + name: + description: |- + name of the volume. + Must be a DNS_LABEL and unique within the pod. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + nfs: + description: |- + nfs represents an NFS mount on the host that shares a pod's lifetime + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + properties: + path: + description: |- + path that is exported by the NFS server. + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + type: string + readOnly: + description: |- + readOnly here will force the NFS export to be mounted with read-only permissions. + Defaults to false. + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + type: boolean + server: + description: |- + server is the hostname or IP address of the NFS server. + More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs + type: string + required: + - path + - server + type: object + persistentVolumeClaim: + description: |- + persistentVolumeClaimVolumeSource represents a reference to a + PersistentVolumeClaim in the same namespace. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + properties: + claimName: + description: |- + claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. + More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims + type: string + readOnly: + description: |- + readOnly Will force the ReadOnly setting in VolumeMounts. + Default false. + type: boolean + required: + - claimName + type: object + photonPersistentDisk: + description: |- + photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine. + Deprecated: PhotonPersistentDisk is deprecated and the in-tree photonPersistentDisk type is no longer supported. + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + pdID: + description: pdID is the ID that identifies Photon + Controller persistent disk + type: string + required: + - pdID + type: object + portworxVolume: + description: |- + portworxVolume represents a portworx volume attached and mounted on kubelets host machine. + Deprecated: PortworxVolume is deprecated. All operations for the in-tree portworxVolume type + are redirected to the pxd.portworx.com CSI driver when the CSIMigrationPortworx feature-gate + is on. + properties: + fsType: + description: |- + fSType represents the filesystem type to mount + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs". Implicitly inferred to be "ext4" if unspecified. + type: string + readOnly: + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + volumeID: + description: volumeID uniquely identifies a Portworx + volume + type: string + required: + - volumeID + type: object + projected: + description: projected items for all in one resources + secrets, configmaps, and downward API + properties: + defaultMode: + description: |- + defaultMode are the mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + sources: + description: |- + sources is the list of volume projections. Each entry in this list + handles one source. + items: + description: |- + Projection that may be projected along with other supported volume types. + Exactly one of these fields must be set. + properties: + clusterTrustBundle: + description: |- + ClusterTrustBundle allows a pod to access the `.spec.trustBundle` field + of ClusterTrustBundle objects in an auto-updating file. + + Alpha, gated by the ClusterTrustBundleProjection feature gate. + + ClusterTrustBundle objects can either be selected by name, or by the + combination of signer name and a label selector. + + Kubelet performs aggressive normalization of the PEM contents written + into the pod filesystem. Esoteric PEM features such as inter-block + comments and block headers are stripped. Certificates are deduplicated. + The ordering of certificates within the file is arbitrary, and Kubelet + may change the order over time. + properties: + labelSelector: + description: |- + Select all ClusterTrustBundles that match this label selector. Only has + effect if signerName is set. Mutually-exclusive with name. If unset, + interpreted as "match nothing". If set but empty, interpreted as "match + everything". + properties: + matchExpressions: + description: matchExpressions is a + list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + name: + description: |- + Select a single ClusterTrustBundle by object name. Mutually-exclusive + with signerName and labelSelector. + type: string + optional: + description: |- + If true, don't block pod startup if the referenced ClusterTrustBundle(s) + aren't available. If using name, then the named ClusterTrustBundle is + allowed not to exist. If using signerName, then the combination of + signerName and labelSelector is allowed to match zero + ClusterTrustBundles. + type: boolean + path: + description: Relative path from the volume + root to write the bundle. + type: string + signerName: + description: |- + Select all ClusterTrustBundles that match this signer name. + Mutually-exclusive with name. The contents of all selected + ClusterTrustBundles will be unified and deduplicated. + type: string + required: + - path + type: object + configMap: + description: configMap information about the + configMap data to project + properties: + items: + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + ConfigMap will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the ConfigMap, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + items: + description: Maps a string key to a + path within a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: optional specify whether + the ConfigMap or its keys must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + downwardAPI: + description: downwardAPI information about + the downwardAPI data to project + properties: + items: + description: Items is a list of DownwardAPIVolume + file + items: + description: DownwardAPIVolumeFile represents + information to create the file containing + the pod field + properties: + fieldRef: + description: 'Required: Selects + a field of the pod: only annotations, + labels, name, namespace and uid + are supported.' + properties: + apiVersion: + description: Version of the + schema the FieldPath is written + in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field + to select in the specified + API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + description: |- + Optional: mode bits used to set permissions on this file, must be an octal value + between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: 'Required: Path is the + relative path name of the file + to be created. Must not be absolute + or contain the ''..'' path. Must + be utf-8 encoded. The first item + of the relative path must not + start with ''..''' + type: string + resourceFieldRef: + description: |- + Selects a resource of the container: only resources limits and requests + (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. + properties: + containerName: + description: 'Container name: + required for volumes, optional + for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output + format of the exposed resources, + defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource + to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + x-kubernetes-list-type: atomic + type: object + podCertificate: + description: |- + Projects an auto-rotating credential bundle (private key and certificate + chain) that the pod can use either as a TLS client or server. + + Kubelet generates a private key and uses it to send a + PodCertificateRequest to the named signer. Once the signer approves the + request and issues a certificate chain, Kubelet writes the key and + certificate chain to the pod filesystem. The pod does not start until + certificates have been issued for each podCertificate projected volume + source in its spec. + + Kubelet will begin trying to rotate the certificate at the time indicated + by the signer using the PodCertificateRequest.Status.BeginRefreshAt + timestamp. + + Kubelet can write a single file, indicated by the credentialBundlePath + field, or separate files, indicated by the keyPath and + certificateChainPath fields. + + The credential bundle is a single file in PEM format. The first PEM + entry is the private key (in PKCS#8 format), and the remaining PEM + entries are the certificate chain issued by the signer (typically, + signers will return their certificate chain in leaf-to-root order). + + Prefer using the credential bundle format, since your application code + can read it atomically. If you use keyPath and certificateChainPath, + your application must make two separate file reads. If these coincide + with a certificate rotation, it is possible that the private key and leaf + certificate you read may not correspond to each other. Your application + will need to check for this condition, and re-read until they are + consistent. + + The named signer controls chooses the format of the certificate it + issues; consult the signer implementation's documentation to learn how to + use the certificates it issues. + properties: + certificateChainPath: + description: |- + Write the certificate chain at this path in the projected volume. + + Most applications should use credentialBundlePath. When using keyPath + and certificateChainPath, your application needs to check that the key + and leaf certificate are consistent, because it is possible to read the + files mid-rotation. + type: string + credentialBundlePath: + description: |- + Write the credential bundle at this path in the projected volume. + + The credential bundle is a single file that contains multiple PEM blocks. + The first PEM block is a PRIVATE KEY block, containing a PKCS#8 private + key. + + The remaining blocks are CERTIFICATE blocks, containing the issued + certificate chain from the signer (leaf and any intermediates). + + Using credentialBundlePath lets your Pod's application code make a single + atomic read that retrieves a consistent key and certificate chain. If you + project them to separate files, your application code will need to + additionally check that the leaf certificate was issued to the key. + type: string + keyPath: + description: |- + Write the key at this path in the projected volume. + + Most applications should use credentialBundlePath. When using keyPath + and certificateChainPath, your application needs to check that the key + and leaf certificate are consistent, because it is possible to read the + files mid-rotation. + type: string + keyType: + description: |- + The type of keypair Kubelet will generate for the pod. + + Valid values are "RSA3072", "RSA4096", "ECDSAP256", "ECDSAP384", + "ECDSAP521", and "ED25519". + type: string + maxExpirationSeconds: + description: |- + maxExpirationSeconds is the maximum lifetime permitted for the + certificate. + + Kubelet copies this value verbatim into the PodCertificateRequests it + generates for this projection. + + If omitted, kube-apiserver will set it to 86400(24 hours). kube-apiserver + will reject values shorter than 3600 (1 hour). The maximum allowable + value is 7862400 (91 days). + + The signer implementation is then free to issue a certificate with any + lifetime *shorter* than MaxExpirationSeconds, but no shorter than 3600 + seconds (1 hour). This constraint is enforced by kube-apiserver. + `kubernetes.io` signers will never issue certificates with a lifetime + longer than 24 hours. + format: int32 + type: integer + signerName: + description: Kubelet's generated CSRs + will be addressed to this signer. + type: string + required: + - keyType + - signerName + type: object + secret: + description: secret information about the + secret data to project + properties: + items: + description: |- + items if unspecified, each key-value pair in the Data field of the referenced + Secret will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the Secret, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + items: + description: Maps a string key to a + path within a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + optional: + description: optional field specify whether + the Secret or its key must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + serviceAccountToken: + description: serviceAccountToken is information + about the serviceAccountToken data to project + properties: + audience: + description: |- + audience is the intended audience of the token. A recipient of a token + must identify itself with an identifier specified in the audience of the + token, and otherwise should reject the token. The audience defaults to the + identifier of the apiserver. + type: string + expirationSeconds: + description: |- + expirationSeconds is the requested duration of validity of the service + account token. As the token approaches expiration, the kubelet volume + plugin will proactively rotate the service account token. The kubelet will + start trying to rotate the token if the token is older than 80 percent of + its time to live or if the token is older than 24 hours.Defaults to 1 hour + and must be at least 10 minutes. + format: int64 + type: integer + path: + description: |- + path is the path relative to the mount point of the file to project the + token into. + type: string + required: + - path + type: object + type: object + type: array + x-kubernetes-list-type: atomic + type: object + quobyte: + description: |- + quobyte represents a Quobyte mount on the host that shares a pod's lifetime. + Deprecated: Quobyte is deprecated and the in-tree quobyte type is no longer supported. + properties: + group: + description: |- + group to map volume access to + Default is no group + type: string + readOnly: + description: |- + readOnly here will force the Quobyte volume to be mounted with read-only permissions. + Defaults to false. + type: boolean + registry: + description: |- + registry represents a single or multiple Quobyte Registry services + specified as a string as host:port pair (multiple entries are separated with commas) + which acts as the central registry for volumes + type: string + tenant: + description: |- + tenant owning the given Quobyte volume in the Backend + Used with dynamically provisioned Quobyte volumes, value is set by the plugin + type: string + user: + description: |- + user to map volume access to + Defaults to serivceaccount user + type: string + volume: + description: volume is a string that references + an already created Quobyte volume by name. + type: string + required: + - registry + - volume + type: object + rbd: + description: |- + rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. + Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported. + properties: + fsType: + description: |- + fsType is the filesystem type of the volume that you want to mount. + Tip: Ensure that the filesystem type is supported by the host operating system. + Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd + type: string + image: + description: |- + image is the rados image name. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + keyring: + default: /etc/ceph/keyring + description: |- + keyring is the path to key ring for RBDUser. + Default is /etc/ceph/keyring. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + monitors: + description: |- + monitors is a collection of Ceph monitors. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + items: + type: string + type: array + x-kubernetes-list-type: atomic + pool: + default: rbd + description: |- + pool is the rados pool name. + Default is rbd. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + readOnly: + description: |- + readOnly here will force the ReadOnly setting in VolumeMounts. + Defaults to false. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: boolean + secretRef: + description: |- + secretRef is name of the authentication secret for RBDUser. If provided + overrides keyring. + Default is nil. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + user: + default: admin + description: |- + user is the rados user name. + Default is admin. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + type: string + required: + - image + - monitors + type: object + scaleIO: + description: |- + scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes. + Deprecated: ScaleIO is deprecated and the in-tree scaleIO type is no longer supported. + properties: + fsType: + default: xfs + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". + Default is "xfs". + type: string + gateway: + description: gateway is the host address of the + ScaleIO API Gateway. + type: string + protectionDomain: + description: protectionDomain is the name of the + ScaleIO Protection Domain for the configured storage. + type: string + readOnly: + description: |- + readOnly Defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + secretRef: + description: |- + secretRef references to the secret for ScaleIO user and other + sensitive information. If this is not provided, Login operation will fail. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + sslEnabled: + description: sslEnabled Flag enable/disable SSL + communication with Gateway, default false + type: boolean + storageMode: + default: ThinProvisioned + description: |- + storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. + Default is ThinProvisioned. + type: string + storagePool: + description: storagePool is the ScaleIO Storage + Pool associated with the protection domain. + type: string + system: + description: system is the name of the storage system + as configured in ScaleIO. + type: string + volumeName: + description: |- + volumeName is the name of a volume already created in the ScaleIO system + that is associated with this volume source. + type: string + required: + - gateway + - secretRef + - system + type: object + secret: + description: |- + secret represents a secret that should populate this volume. + More info: https://kubernetes.io/docs/concepts/storage/volumes#secret + properties: + defaultMode: + description: |- + defaultMode is Optional: mode bits used to set permissions on created files by default. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values + for mode bits. Defaults to 0644. + Directories within the path are not affected by this setting. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + items: + description: |- + items If unspecified, each key-value pair in the Data field of the referenced + Secret will be projected into the volume as a file whose name is the + key and content is the value. If specified, the listed keys will be + projected into the specified paths, and unlisted keys will not be + present. If a key is specified which is not present in the Secret, + the volume setup will error unless it is marked optional. Paths must be + relative and may not contain the '..' path or start with '..'. + items: + description: Maps a string key to a path within + a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: |- + mode is Optional: mode bits used to set permissions on this file. + Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. + YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. + If not specified, the volume defaultMode will be used. + This might be in conflict with other options that affect the file + mode, like fsGroup, and the result can be other mode bits set. + format: int32 + type: integer + path: + description: |- + path is the relative path of the file to map the key to. + May not be an absolute path. + May not contain the path element '..'. + May not start with the string '..'. + type: string + required: + - key + - path + type: object + type: array + x-kubernetes-list-type: atomic + optional: + description: optional field specify whether the + Secret or its keys must be defined + type: boolean + secretName: + description: |- + secretName is the name of the secret in the pod's namespace to use. + More info: https://kubernetes.io/docs/concepts/storage/volumes#secret + type: string + type: object + storageos: + description: |- + storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes. + Deprecated: StorageOS is deprecated and the in-tree storageos type is no longer supported. + properties: + fsType: + description: |- + fsType is the filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + readOnly: + description: |- + readOnly defaults to false (read/write). ReadOnly here will force + the ReadOnly setting in VolumeMounts. + type: boolean + secretRef: + description: |- + secretRef specifies the secret to use for obtaining the StorageOS API + credentials. If not specified, default values will be attempted. + properties: + name: + default: "" + description: |- + Name of the referent. + This field is effectively required, but due to backwards compatibility is + allowed to be empty. Instances of this type with an empty value here are + almost certainly wrong. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + type: object + x-kubernetes-map-type: atomic + volumeName: + description: |- + volumeName is the human-readable name of the StorageOS volume. Volume + names are only unique within a namespace. + type: string + volumeNamespace: + description: |- + volumeNamespace specifies the scope of the volume within StorageOS. If no + namespace is specified then the Pod's namespace will be used. This allows the + Kubernetes name scoping to be mirrored within StorageOS for tighter integration. + Set VolumeName to any name to override the default behaviour. + Set to "default" if you are not using namespaces within StorageOS. + Namespaces that do not pre-exist within StorageOS will be created. + type: string + type: object + vsphereVolume: + description: |- + vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine. + Deprecated: VsphereVolume is deprecated. All operations for the in-tree vsphereVolume type + are redirected to the csi.vsphere.vmware.com CSI driver. + properties: + fsType: + description: |- + fsType is filesystem type to mount. + Must be a filesystem type supported by the host operating system. + Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. + type: string + storagePolicyID: + description: storagePolicyID is the storage Policy + Based Management (SPBM) profile ID associated + with the StoragePolicyName. + type: string + storagePolicyName: + description: storagePolicyName is the storage Policy + Based Management (SPBM) profile name. + type: string + volumePath: + description: volumePath is the path that identifies + vSphere volume vmdk + type: string + required: + - volumePath + type: object + required: + - name + type: object + type: array + xdsAddress: + description: The customized XDS address to retrieve configuration. + type: string + type: object + type: object + version: + default: v1.28.5 + description: |- + Defines the version of Istio to install. + Must be one of: v1.28-latest, v1.28.5, v1.28.4, v1.27-latest, v1.27.8, v1.27.5, v1.27.3, v1.26-latest, v1.26.8, v1.26.6, v1.26.4, v1.26.3, v1.26.2. + enum: + - v1.28-latest + - v1.28.5 + - v1.28.4 + - v1.27-latest + - v1.27.8 + - v1.27.5 + - v1.27.3 + - v1.26-latest + - v1.26.8 + - v1.26.6 + - v1.26.4 + - v1.26.3 + - v1.26.2 + type: string + required: + - namespace + - version + type: object + status: + description: ZTunnelStatus defines the observed state of ZTunnel + properties: + conditions: + description: Represents the latest available observations of the object's + current state. + items: + description: ZTunnelCondition represents a specific observation + of the ZTunnel object's state. + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + the last transition. + type: string + reason: + description: Unique, single-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: The status of this condition. Can be True, False + or Unknown. + type: string + type: + description: The type of this condition. + type: string + type: object + type: array + observedGeneration: + description: |- + ObservedGeneration is the most recent generation observed for this + ZTunnel object. It corresponds to the object's generation, which is + updated on mutation by the API Server. The information in the status + pertains to this particular generation of the object. + format: int64 + type: integer + state: + description: Reports the current state of the object. + type: string + type: object + type: object + x-kubernetes-validations: + - message: metadata.name must be 'default' + rule: self.metadata.name == 'default' + served: true + storage: false + subresources: + status: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/security.istio.io_authorizationpolicies.yaml b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/security.istio.io_authorizationpolicies.yaml new file mode 100644 index 0000000000..8fc3def5ee --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/security.istio.io_authorizationpolicies.yaml @@ -0,0 +1,766 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: security + release: istio + name: authorizationpolicies.security.istio.io +spec: + group: security.istio.io + names: + categories: + - istio-io + - security-istio-io + kind: AuthorizationPolicy + listKind: AuthorizationPolicyList + plural: authorizationpolicies + shortNames: + - ap + singular: authorizationpolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: The operation to take. + jsonPath: .spec.action + name: Action + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration for access control on workloads. See more + details at: https://istio.io/docs/reference/config/security/authorization-policy.html' + oneOf: + - not: + anyOf: + - required: + - provider + - required: + - provider + properties: + action: + description: |- + Optional. + + Valid Options: ALLOW, DENY, AUDIT, CUSTOM + enum: + - ALLOW + - DENY + - AUDIT + - CUSTOM + type: string + provider: + description: Specifies detailed configuration of the CUSTOM action. + properties: + name: + description: Specifies the name of the extension provider. + type: string + type: object + rules: + description: Optional. + items: + properties: + from: + description: Optional. + items: + properties: + source: + description: Source specifies the source of a request. + properties: + ipBlocks: + description: Optional. + items: + type: string + type: array + namespaces: + description: Optional. + items: + type: string + type: array + notIpBlocks: + description: Optional. + items: + type: string + type: array + notNamespaces: + description: Optional. + items: + type: string + type: array + notPrincipals: + description: Optional. + items: + type: string + type: array + notRemoteIpBlocks: + description: Optional. + items: + type: string + type: array + notRequestPrincipals: + description: Optional. + items: + type: string + type: array + notServiceAccounts: + description: Optional. + items: + maxLength: 320 + type: string + maxItems: 16 + type: array + principals: + description: Optional. + items: + type: string + type: array + remoteIpBlocks: + description: Optional. + items: + type: string + type: array + requestPrincipals: + description: Optional. + items: + type: string + type: array + serviceAccounts: + description: Optional. + items: + maxLength: 320 + type: string + maxItems: 16 + type: array + type: object + x-kubernetes-validations: + - message: Cannot set serviceAccounts with namespaces + or principals + rule: |- + (has(self.serviceAccounts) || has(self.notServiceAccounts)) ? (!has(self.principals) && + !has(self.notPrincipals) && !has(self.namespaces) && !has(self.notNamespaces)) : true + type: object + maxItems: 512 + type: array + to: + description: Optional. + items: + properties: + operation: + description: Operation specifies the operation of a request. + properties: + hosts: + description: Optional. + items: + type: string + type: array + methods: + description: Optional. + items: + type: string + type: array + notHosts: + description: Optional. + items: + type: string + type: array + notMethods: + description: Optional. + items: + type: string + type: array + notPaths: + description: Optional. + items: + type: string + type: array + notPorts: + description: Optional. + items: + type: string + type: array + paths: + description: Optional. + items: + type: string + type: array + ports: + description: Optional. + items: + type: string + type: array + type: object + type: object + type: array + when: + description: Optional. + items: + properties: + key: + description: The name of an Istio attribute. + type: string + notValues: + description: Optional. + items: + type: string + type: array + values: + description: Optional. + items: + type: string + type: array + required: + - key + type: object + type: array + type: object + maxItems: 512 + type: array + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard not allowed in label value match + rule: '!self.contains("*")' + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. + maxProperties: 4096 + type: object + x-kubernetes-validations: + - message: wildcard not allowed in label key match + rule: self.all(key, !key.contains("*")) + - message: key must not be empty + rule: self.all(key, key.size() != 0) + type: object + targetRef: + properties: + group: + description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name + type: object + targetRefs: + description: Optional. + items: + properties: + group: + description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name + type: object + maxItems: 16 + type: array + type: object + x-kubernetes-validations: + - message: only one of targetRefs or selector can be set + rule: '(has(self.selector) ? 1 : 0) + (has(self.targetRef) ? 1 : 0) + + (has(self.targetRefs) ? 1 : 0) <= 1' + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: The operation to take. + jsonPath: .spec.action + name: Action + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Configuration for access control on workloads. See more + details at: https://istio.io/docs/reference/config/security/authorization-policy.html' + oneOf: + - not: + anyOf: + - required: + - provider + - required: + - provider + properties: + action: + description: |- + Optional. + + Valid Options: ALLOW, DENY, AUDIT, CUSTOM + enum: + - ALLOW + - DENY + - AUDIT + - CUSTOM + type: string + provider: + description: Specifies detailed configuration of the CUSTOM action. + properties: + name: + description: Specifies the name of the extension provider. + type: string + type: object + rules: + description: Optional. + items: + properties: + from: + description: Optional. + items: + properties: + source: + description: Source specifies the source of a request. + properties: + ipBlocks: + description: Optional. + items: + type: string + type: array + namespaces: + description: Optional. + items: + type: string + type: array + notIpBlocks: + description: Optional. + items: + type: string + type: array + notNamespaces: + description: Optional. + items: + type: string + type: array + notPrincipals: + description: Optional. + items: + type: string + type: array + notRemoteIpBlocks: + description: Optional. + items: + type: string + type: array + notRequestPrincipals: + description: Optional. + items: + type: string + type: array + notServiceAccounts: + description: Optional. + items: + maxLength: 320 + type: string + maxItems: 16 + type: array + principals: + description: Optional. + items: + type: string + type: array + remoteIpBlocks: + description: Optional. + items: + type: string + type: array + requestPrincipals: + description: Optional. + items: + type: string + type: array + serviceAccounts: + description: Optional. + items: + maxLength: 320 + type: string + maxItems: 16 + type: array + type: object + x-kubernetes-validations: + - message: Cannot set serviceAccounts with namespaces + or principals + rule: |- + (has(self.serviceAccounts) || has(self.notServiceAccounts)) ? (!has(self.principals) && + !has(self.notPrincipals) && !has(self.namespaces) && !has(self.notNamespaces)) : true + type: object + maxItems: 512 + type: array + to: + description: Optional. + items: + properties: + operation: + description: Operation specifies the operation of a request. + properties: + hosts: + description: Optional. + items: + type: string + type: array + methods: + description: Optional. + items: + type: string + type: array + notHosts: + description: Optional. + items: + type: string + type: array + notMethods: + description: Optional. + items: + type: string + type: array + notPaths: + description: Optional. + items: + type: string + type: array + notPorts: + description: Optional. + items: + type: string + type: array + paths: + description: Optional. + items: + type: string + type: array + ports: + description: Optional. + items: + type: string + type: array + type: object + type: object + type: array + when: + description: Optional. + items: + properties: + key: + description: The name of an Istio attribute. + type: string + notValues: + description: Optional. + items: + type: string + type: array + values: + description: Optional. + items: + type: string + type: array + required: + - key + type: object + type: array + type: object + maxItems: 512 + type: array + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard not allowed in label value match + rule: '!self.contains("*")' + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. + maxProperties: 4096 + type: object + x-kubernetes-validations: + - message: wildcard not allowed in label key match + rule: self.all(key, !key.contains("*")) + - message: key must not be empty + rule: self.all(key, key.size() != 0) + type: object + targetRef: + properties: + group: + description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name + type: object + targetRefs: + description: Optional. + items: + properties: + group: + description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name + type: object + maxItems: 16 + type: array + type: object + x-kubernetes-validations: + - message: only one of targetRefs or selector can be set + rule: '(has(self.selector) ? 1 : 0) + (has(self.targetRef) ? 1 : 0) + + (has(self.targetRefs) ? 1 : 0) <= 1' + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/security.istio.io_peerauthentications.yaml b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/security.istio.io_peerauthentications.yaml new file mode 100644 index 0000000000..37b3073a07 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/security.istio.io_peerauthentications.yaml @@ -0,0 +1,352 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: security + release: istio + name: peerauthentications.security.istio.io +spec: + group: security.istio.io + names: + categories: + - istio-io + - security-istio-io + kind: PeerAuthentication + listKind: PeerAuthenticationList + plural: peerauthentications + shortNames: + - pa + singular: peerauthentication + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Defines the mTLS mode used for peer authentication. + jsonPath: .spec.mtls.mode + name: Mode + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Peer authentication configuration for workloads. See more + details at: https://istio.io/docs/reference/config/security/peer_authentication.html' + properties: + mtls: + description: Mutual TLS settings for workload. + properties: + mode: + description: |- + Defines the mTLS mode used for peer authentication. + + Valid Options: DISABLE, PERMISSIVE, STRICT + enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + portLevelMtls: + additionalProperties: + properties: + mode: + description: |- + Defines the mTLS mode used for peer authentication. + + Valid Options: DISABLE, PERMISSIVE, STRICT + enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + description: Port specific mutual TLS settings. + minProperties: 1 + type: object + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: self.all(key, 0 < int(key) && int(key) <= 65535) + selector: + description: The selector determines the workloads to apply the PeerAuthentication + on. + properties: + matchLabels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard not allowed in label value match + rule: '!self.contains("*")' + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. + maxProperties: 4096 + type: object + x-kubernetes-validations: + - message: wildcard not allowed in label key match + rule: self.all(key, !key.contains("*")) + - message: key must not be empty + rule: self.all(key, key.size() != 0) + type: object + type: object + x-kubernetes-validations: + - message: portLevelMtls requires selector + rule: 'has(self.portLevelMtls) ? (((has(self.selector) && has(self.selector.matchLabels)) + ? self.selector.matchLabels : {}).size() > 0) : true' + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - description: Defines the mTLS mode used for peer authentication. + jsonPath: .spec.mtls.mode + name: Mode + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Peer authentication configuration for workloads. See more + details at: https://istio.io/docs/reference/config/security/peer_authentication.html' + properties: + mtls: + description: Mutual TLS settings for workload. + properties: + mode: + description: |- + Defines the mTLS mode used for peer authentication. + + Valid Options: DISABLE, PERMISSIVE, STRICT + enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + portLevelMtls: + additionalProperties: + properties: + mode: + description: |- + Defines the mTLS mode used for peer authentication. + + Valid Options: DISABLE, PERMISSIVE, STRICT + enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + description: Port specific mutual TLS settings. + minProperties: 1 + type: object + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: self.all(key, 0 < int(key) && int(key) <= 65535) + selector: + description: The selector determines the workloads to apply the PeerAuthentication + on. + properties: + matchLabels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard not allowed in label value match + rule: '!self.contains("*")' + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. + maxProperties: 4096 + type: object + x-kubernetes-validations: + - message: wildcard not allowed in label key match + rule: self.all(key, !key.contains("*")) + - message: key must not be empty + rule: self.all(key, key.size() != 0) + type: object + type: object + x-kubernetes-validations: + - message: portLevelMtls requires selector + rule: 'has(self.portLevelMtls) ? (((has(self.selector) && has(self.selector.matchLabels)) + ? self.selector.matchLabels : {}).size() > 0) : true' + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/security.istio.io_requestauthentications.yaml b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/security.istio.io_requestauthentications.yaml new file mode 100644 index 0000000000..2c2be1c036 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/security.istio.io_requestauthentications.yaml @@ -0,0 +1,604 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: security + release: istio + name: requestauthentications.security.istio.io +spec: + group: security.istio.io + names: + categories: + - istio-io + - security-istio-io + kind: RequestAuthentication + listKind: RequestAuthenticationList + plural: requestauthentications + shortNames: + - ra + singular: requestauthentication + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Request authentication configuration for workloads. See + more details at: https://istio.io/docs/reference/config/security/request_authentication.html' + properties: + jwtRules: + description: Define the list of JWTs that can be validated at the + selected workloads' proxy. + items: + properties: + audiences: + description: The list of JWT [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3) + that are allowed to access. + items: + minLength: 1 + type: string + type: array + forwardOriginalToken: + description: If set to true, the original token will be kept + for the upstream request. + type: boolean + fromCookies: + description: List of cookie names from which JWT is expected. + items: + minLength: 1 + type: string + type: array + fromHeaders: + description: List of header locations from which JWT is expected. + items: + properties: + name: + description: The HTTP header name. + minLength: 1 + type: string + prefix: + description: The prefix that should be stripped before + decoding the token. + type: string + required: + - name + type: object + type: array + fromParams: + description: List of query parameters from which JWT is expected. + items: + minLength: 1 + type: string + type: array + issuer: + description: Identifies the issuer that issued the JWT. + minLength: 1 + type: string + jwks: + description: JSON Web Key Set of public keys to validate signature + of the JWT. + type: string + jwks_uri: + description: URL of the provider's public key set to validate + signature of the JWT. + maxLength: 2048 + minLength: 1 + type: string + x-kubernetes-validations: + - message: url must have scheme http:// or https:// + rule: url(self).getScheme() in ["http", "https"] + jwksUri: + description: URL of the provider's public key set to validate + signature of the JWT. + maxLength: 2048 + minLength: 1 + type: string + x-kubernetes-validations: + - message: url must have scheme http:// or https:// + rule: url(self).getScheme() in ["http", "https"] + outputClaimToHeaders: + description: This field specifies a list of operations to copy + the claim to HTTP headers on a successfully verified token. + items: + properties: + claim: + description: The name of the claim to be copied from. + minLength: 1 + type: string + header: + description: The name of the header to be created. + minLength: 1 + pattern: ^[-_A-Za-z0-9]+$ + type: string + required: + - header + - claim + type: object + type: array + outputPayloadToHeader: + description: This field specifies the header name to output + a successfully verified JWT payload to the backend. + type: string + spaceDelimitedClaims: + description: List of JWT claim names that should be treated + as space-delimited strings. + items: + minLength: 1 + type: string + maxItems: 64 + type: array + timeout: + description: The maximum amount of time that the resolver, determined + by the PILOT_JWT_ENABLE_REMOTE_JWKS environment variable, + will spend waiting for the JWKS to be fetched. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + x-kubernetes-validations: + - message: only one of jwks or jwksUri can be set + rule: '(has(self.jwksUri) ? 1 : 0) + (has(self.jwks_uri) ? 1 : + 0) + (has(self.jwks) ? 1 : 0) <= 1' + maxItems: 4096 + type: array + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard not allowed in label value match + rule: '!self.contains("*")' + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. + maxProperties: 4096 + type: object + x-kubernetes-validations: + - message: wildcard not allowed in label key match + rule: self.all(key, !key.contains("*")) + - message: key must not be empty + rule: self.all(key, key.size() != 0) + type: object + targetRef: + properties: + group: + description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name + type: object + targetRefs: + description: Optional. + items: + properties: + group: + description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name + type: object + maxItems: 16 + type: array + type: object + x-kubernetes-validations: + - message: only one of targetRefs or selector can be set + rule: '(has(self.selector) ? 1 : 0) + (has(self.targetRef) ? 1 : 0) + + (has(self.targetRefs) ? 1 : 0) <= 1' + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Request authentication configuration for workloads. See + more details at: https://istio.io/docs/reference/config/security/request_authentication.html' + properties: + jwtRules: + description: Define the list of JWTs that can be validated at the + selected workloads' proxy. + items: + properties: + audiences: + description: The list of JWT [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3) + that are allowed to access. + items: + minLength: 1 + type: string + type: array + forwardOriginalToken: + description: If set to true, the original token will be kept + for the upstream request. + type: boolean + fromCookies: + description: List of cookie names from which JWT is expected. + items: + minLength: 1 + type: string + type: array + fromHeaders: + description: List of header locations from which JWT is expected. + items: + properties: + name: + description: The HTTP header name. + minLength: 1 + type: string + prefix: + description: The prefix that should be stripped before + decoding the token. + type: string + required: + - name + type: object + type: array + fromParams: + description: List of query parameters from which JWT is expected. + items: + minLength: 1 + type: string + type: array + issuer: + description: Identifies the issuer that issued the JWT. + minLength: 1 + type: string + jwks: + description: JSON Web Key Set of public keys to validate signature + of the JWT. + type: string + jwks_uri: + description: URL of the provider's public key set to validate + signature of the JWT. + maxLength: 2048 + minLength: 1 + type: string + x-kubernetes-validations: + - message: url must have scheme http:// or https:// + rule: url(self).getScheme() in ["http", "https"] + jwksUri: + description: URL of the provider's public key set to validate + signature of the JWT. + maxLength: 2048 + minLength: 1 + type: string + x-kubernetes-validations: + - message: url must have scheme http:// or https:// + rule: url(self).getScheme() in ["http", "https"] + outputClaimToHeaders: + description: This field specifies a list of operations to copy + the claim to HTTP headers on a successfully verified token. + items: + properties: + claim: + description: The name of the claim to be copied from. + minLength: 1 + type: string + header: + description: The name of the header to be created. + minLength: 1 + pattern: ^[-_A-Za-z0-9]+$ + type: string + required: + - header + - claim + type: object + type: array + outputPayloadToHeader: + description: This field specifies the header name to output + a successfully verified JWT payload to the backend. + type: string + spaceDelimitedClaims: + description: List of JWT claim names that should be treated + as space-delimited strings. + items: + minLength: 1 + type: string + maxItems: 64 + type: array + timeout: + description: The maximum amount of time that the resolver, determined + by the PILOT_JWT_ENABLE_REMOTE_JWKS environment variable, + will spend waiting for the JWKS to be fetched. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + x-kubernetes-validations: + - message: only one of jwks or jwksUri can be set + rule: '(has(self.jwksUri) ? 1 : 0) + (has(self.jwks_uri) ? 1 : + 0) + (has(self.jwks) ? 1 : 0) <= 1' + maxItems: 4096 + type: array + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard not allowed in label value match + rule: '!self.contains("*")' + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. + maxProperties: 4096 + type: object + x-kubernetes-validations: + - message: wildcard not allowed in label key match + rule: self.all(key, !key.contains("*")) + - message: key must not be empty + rule: self.all(key, key.size() != 0) + type: object + targetRef: + properties: + group: + description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name + type: object + targetRefs: + description: Optional. + items: + properties: + group: + description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name + type: object + maxItems: 16 + type: array + type: object + x-kubernetes-validations: + - message: only one of targetRefs or selector can be set + rule: '(has(self.selector) ? 1 : 0) + (has(self.targetRef) ? 1 : 0) + + (has(self.targetRefs) ? 1 : 0) <= 1' + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/telemetry.istio.io_telemetries.yaml b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/telemetry.istio.io_telemetries.yaml new file mode 100644 index 0000000000..bacf4ecd54 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/chart/crds/telemetry.istio.io_telemetries.yaml @@ -0,0 +1,922 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + "helm.sh/resource-policy": keep + labels: + app: istio-pilot + chart: istio + heritage: Tiller + istio: telemetry + release: istio + name: telemetries.telemetry.istio.io +spec: + group: telemetry.istio.io + names: + categories: + - istio-io + - telemetry-istio-io + kind: Telemetry + listKind: TelemetryList + plural: telemetries + shortNames: + - telemetry + singular: telemetry + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Telemetry configuration for workloads. See more details + at: https://istio.io/docs/reference/config/telemetry.html' + properties: + accessLogging: + description: Optional. + items: + properties: + disabled: + description: Controls logging. + nullable: true + type: boolean + filter: + description: Optional. + properties: + expression: + description: CEL expression for selecting when requests/connections + should be logged. + type: string + type: object + match: + description: Allows tailoring of logging behavior to specific + conditions. + properties: + mode: + description: |- + This determines whether or not to apply the access logging configuration based on the direction of traffic relative to the proxied workload. + + Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER + enum: + - CLIENT_AND_SERVER + - CLIENT + - SERVER + type: string + type: object + providers: + description: Optional. + items: + properties: + name: + description: Required. + minLength: 1 + type: string + required: + - name + type: object + type: array + type: object + type: array + metrics: + description: Optional. + items: + properties: + overrides: + description: Optional. + items: + properties: + disabled: + description: Optional. + nullable: true + type: boolean + match: + description: Match allows providing the scope of the override. + oneOf: + - not: + anyOf: + - required: + - metric + - required: + - customMetric + - required: + - metric + - required: + - customMetric + properties: + customMetric: + description: Allows free-form specification of a metric. + minLength: 1 + type: string + metric: + description: |- + One of the well-known [Istio Standard Metrics](https://istio.io/latest/docs/reference/config/metrics/). + + Valid Options: ALL_METRICS, REQUEST_COUNT, REQUEST_DURATION, REQUEST_SIZE, RESPONSE_SIZE, TCP_OPENED_CONNECTIONS, TCP_CLOSED_CONNECTIONS, TCP_SENT_BYTES, TCP_RECEIVED_BYTES, GRPC_REQUEST_MESSAGES, GRPC_RESPONSE_MESSAGES + enum: + - ALL_METRICS + - REQUEST_COUNT + - REQUEST_DURATION + - REQUEST_SIZE + - RESPONSE_SIZE + - TCP_OPENED_CONNECTIONS + - TCP_CLOSED_CONNECTIONS + - TCP_SENT_BYTES + - TCP_RECEIVED_BYTES + - GRPC_REQUEST_MESSAGES + - GRPC_RESPONSE_MESSAGES + type: string + mode: + description: |- + Controls which mode of metrics generation is selected: `CLIENT`, `SERVER`, or `CLIENT_AND_SERVER`. + + Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER + enum: + - CLIENT_AND_SERVER + - CLIENT + - SERVER + type: string + type: object + tagOverrides: + additionalProperties: + properties: + operation: + description: |- + Operation controls whether or not to update/add a tag, or to remove it. + + Valid Options: UPSERT, REMOVE + enum: + - UPSERT + - REMOVE + type: string + value: + description: Value is only considered if the operation + is `UPSERT`. + type: string + type: object + x-kubernetes-validations: + - message: value must be set when operation is UPSERT + rule: '((has(self.operation) ? self.operation : "") + == "UPSERT") ? (self.value != "") : true' + - message: value must not be set when operation is REMOVE + rule: '((has(self.operation) ? self.operation : "") + == "REMOVE") ? !has(self.value) : true' + description: Optional. + type: object + type: object + type: array + providers: + description: Optional. + items: + properties: + name: + description: Required. + minLength: 1 + type: string + required: + - name + type: object + type: array + reportingInterval: + description: Optional. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: array + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard not allowed in label value match + rule: '!self.contains("*")' + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. + maxProperties: 4096 + type: object + x-kubernetes-validations: + - message: wildcard not allowed in label key match + rule: self.all(key, !key.contains("*")) + - message: key must not be empty + rule: self.all(key, key.size() != 0) + type: object + targetRef: + properties: + group: + description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name + type: object + targetRefs: + description: Optional. + items: + properties: + group: + description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name + type: object + maxItems: 16 + type: array + tracing: + description: Optional. + items: + properties: + customTags: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - literal + - required: + - environment + - required: + - header + - required: + - literal + - required: + - environment + - required: + - header + properties: + environment: + description: Environment adds the value of an environment + variable to each span. + properties: + defaultValue: + description: Optional. + type: string + name: + description: Name of the environment variable from + which to extract the tag value. + minLength: 1 + type: string + required: + - name + type: object + header: + description: RequestHeader adds the value of an header + from the request to each span. + properties: + defaultValue: + description: Optional. + type: string + name: + description: Name of the header from which to extract + the tag value. + minLength: 1 + type: string + required: + - name + type: object + literal: + description: Literal adds the same, hard-coded value to + each span. + properties: + value: + description: The tag value to use. + minLength: 1 + type: string + required: + - value + type: object + type: object + description: Optional. + type: object + disableSpanReporting: + description: Controls span reporting. + nullable: true + type: boolean + enableIstioTags: + description: Determines whether or not trace spans generated + by Envoy will include Istio specific tags. + nullable: true + type: boolean + match: + description: Allows tailoring of behavior to specific conditions. + properties: + mode: + description: |- + This determines whether or not to apply the tracing configuration based on the direction of traffic relative to the proxied workload. + + Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER + enum: + - CLIENT_AND_SERVER + - CLIENT + - SERVER + type: string + type: object + providers: + description: Optional. + items: + properties: + name: + description: Required. + minLength: 1 + type: string + required: + - name + type: object + type: array + randomSamplingPercentage: + description: Controls the rate at which traffic will be selected + for tracing if no prior sampling decision has been made. + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + useRequestIdForTraceSampling: + nullable: true + type: boolean + type: object + type: array + type: object + x-kubernetes-validations: + - message: only one of targetRefs or selector can be set + rule: '(has(self.selector) ? 1 : 0) + (has(self.targetRef) ? 1 : 0) + + (has(self.targetRefs) ? 1 : 0) <= 1' + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Telemetry configuration for workloads. See more details + at: https://istio.io/docs/reference/config/telemetry.html' + properties: + accessLogging: + description: Optional. + items: + properties: + disabled: + description: Controls logging. + nullable: true + type: boolean + filter: + description: Optional. + properties: + expression: + description: CEL expression for selecting when requests/connections + should be logged. + type: string + type: object + match: + description: Allows tailoring of logging behavior to specific + conditions. + properties: + mode: + description: |- + This determines whether or not to apply the access logging configuration based on the direction of traffic relative to the proxied workload. + + Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER + enum: + - CLIENT_AND_SERVER + - CLIENT + - SERVER + type: string + type: object + providers: + description: Optional. + items: + properties: + name: + description: Required. + minLength: 1 + type: string + required: + - name + type: object + type: array + type: object + type: array + metrics: + description: Optional. + items: + properties: + overrides: + description: Optional. + items: + properties: + disabled: + description: Optional. + nullable: true + type: boolean + match: + description: Match allows providing the scope of the override. + oneOf: + - not: + anyOf: + - required: + - metric + - required: + - customMetric + - required: + - metric + - required: + - customMetric + properties: + customMetric: + description: Allows free-form specification of a metric. + minLength: 1 + type: string + metric: + description: |- + One of the well-known [Istio Standard Metrics](https://istio.io/latest/docs/reference/config/metrics/). + + Valid Options: ALL_METRICS, REQUEST_COUNT, REQUEST_DURATION, REQUEST_SIZE, RESPONSE_SIZE, TCP_OPENED_CONNECTIONS, TCP_CLOSED_CONNECTIONS, TCP_SENT_BYTES, TCP_RECEIVED_BYTES, GRPC_REQUEST_MESSAGES, GRPC_RESPONSE_MESSAGES + enum: + - ALL_METRICS + - REQUEST_COUNT + - REQUEST_DURATION + - REQUEST_SIZE + - RESPONSE_SIZE + - TCP_OPENED_CONNECTIONS + - TCP_CLOSED_CONNECTIONS + - TCP_SENT_BYTES + - TCP_RECEIVED_BYTES + - GRPC_REQUEST_MESSAGES + - GRPC_RESPONSE_MESSAGES + type: string + mode: + description: |- + Controls which mode of metrics generation is selected: `CLIENT`, `SERVER`, or `CLIENT_AND_SERVER`. + + Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER + enum: + - CLIENT_AND_SERVER + - CLIENT + - SERVER + type: string + type: object + tagOverrides: + additionalProperties: + properties: + operation: + description: |- + Operation controls whether or not to update/add a tag, or to remove it. + + Valid Options: UPSERT, REMOVE + enum: + - UPSERT + - REMOVE + type: string + value: + description: Value is only considered if the operation + is `UPSERT`. + type: string + type: object + x-kubernetes-validations: + - message: value must be set when operation is UPSERT + rule: '((has(self.operation) ? self.operation : "") + == "UPSERT") ? (self.value != "") : true' + - message: value must not be set when operation is REMOVE + rule: '((has(self.operation) ? self.operation : "") + == "REMOVE") ? !has(self.value) : true' + description: Optional. + type: object + type: object + type: array + providers: + description: Optional. + items: + properties: + name: + description: Required. + minLength: 1 + type: string + required: + - name + type: object + type: array + reportingInterval: + description: Optional. + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + type: object + type: array + selector: + description: Optional. + properties: + matchLabels: + additionalProperties: + maxLength: 63 + type: string + x-kubernetes-validations: + - message: wildcard not allowed in label value match + rule: '!self.contains("*")' + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. + maxProperties: 4096 + type: object + x-kubernetes-validations: + - message: wildcard not allowed in label key match + rule: self.all(key, !key.contains("*")) + - message: key must not be empty + rule: self.all(key, key.size() != 0) + type: object + targetRef: + properties: + group: + description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name + type: object + targetRefs: + description: Optional. + items: + properties: + group: + description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: namespace is the namespace of the referent. + type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name + type: object + maxItems: 16 + type: array + tracing: + description: Optional. + items: + properties: + customTags: + additionalProperties: + oneOf: + - not: + anyOf: + - required: + - literal + - required: + - environment + - required: + - header + - required: + - literal + - required: + - environment + - required: + - header + properties: + environment: + description: Environment adds the value of an environment + variable to each span. + properties: + defaultValue: + description: Optional. + type: string + name: + description: Name of the environment variable from + which to extract the tag value. + minLength: 1 + type: string + required: + - name + type: object + header: + description: RequestHeader adds the value of an header + from the request to each span. + properties: + defaultValue: + description: Optional. + type: string + name: + description: Name of the header from which to extract + the tag value. + minLength: 1 + type: string + required: + - name + type: object + literal: + description: Literal adds the same, hard-coded value to + each span. + properties: + value: + description: The tag value to use. + minLength: 1 + type: string + required: + - value + type: object + type: object + description: Optional. + type: object + disableSpanReporting: + description: Controls span reporting. + nullable: true + type: boolean + enableIstioTags: + description: Determines whether or not trace spans generated + by Envoy will include Istio specific tags. + nullable: true + type: boolean + match: + description: Allows tailoring of behavior to specific conditions. + properties: + mode: + description: |- + This determines whether or not to apply the tracing configuration based on the direction of traffic relative to the proxied workload. + + Valid Options: CLIENT_AND_SERVER, CLIENT, SERVER + enum: + - CLIENT_AND_SERVER + - CLIENT + - SERVER + type: string + type: object + providers: + description: Optional. + items: + properties: + name: + description: Required. + minLength: 1 + type: string + required: + - name + type: object + type: array + randomSamplingPercentage: + description: Controls the rate at which traffic will be selected + for tracing if no prior sampling decision has been made. + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + useRequestIdForTraceSampling: + nullable: true + type: boolean + type: object + type: array + type: object + x-kubernetes-validations: + - message: only one of targetRefs or selector can be set + rule: '(has(self.selector) ? 1 : 0) + (has(self.targetRef) ? 1 : 0) + + (has(self.targetRefs) ? 1 : 0) <= 1' + status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Condition refers. + x-kubernetes-int-or-string: true + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/config/config.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/config/config.go new file mode 100644 index 0000000000..9c402b63c5 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/config/config.go @@ -0,0 +1,66 @@ +// Copyright Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package config + +import ( + "io/fs" + "strings" + + "github.com/magiconair/properties" +) + +var Config = OperatorConfig{} + +type OperatorConfig struct { + ImageDigests map[string]IstioImageConfig `properties:"images"` +} + +type IstioImageConfig struct { + IstiodImage string `properties:"istiod"` + ProxyImage string `properties:"proxy"` + CNIImage string `properties:"cni"` + ZTunnelImage string `properties:"ztunnel"` +} + +type ReconcilerConfig struct { + ResourceFS fs.FS + Platform Platform + DefaultProfile string + OperatorNamespace string + MaxConcurrentReconciles int +} + +func Read(configFile string) error { + p, err := properties.LoadFile(configFile, properties.UTF8) + if err != nil { + return err + } + // remove quotes + for _, key := range p.Keys() { + val, _ := p.Get(key) + _, _, _ = p.Set(key, strings.Trim(val, `"`)) + } + err = p.Decode(&Config) + if err != nil { + return err + } + // replace "_" in versions with "." (e.g. v1_20_0 => v1.20.0) + newImageDigests := make(map[string]IstioImageConfig, len(Config.ImageDigests)) + for k, v := range Config.ImageDigests { + newImageDigests[strings.Replace(k, "_", ".", -1)] = v + } + Config.ImageDigests = newImageDigests + return nil +} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/config/platform.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/config/platform.go new file mode 100644 index 0000000000..71bb233870 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/config/platform.go @@ -0,0 +1,58 @@ +// Copyright Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package config + +import ( + "fmt" + + "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/client-go/discovery" + "k8s.io/client-go/rest" +) + +type Platform string + +const ( + PlatformUndefined Platform = "" + PlatformOpenShift Platform = "openshift" + PlatformKubernetes Platform = "kubernetes" +) + +const ( + openshiftKind = "OpenShiftAPIServer" + openshiftResourceGroup = "operator.openshift.io" + openshiftResourceVersion = "v1" +) + +func DetectPlatform(cfg *rest.Config) (Platform, error) { + dc, err := discovery.NewDiscoveryClientForConfig(cfg) + if err != nil { + return "", fmt.Errorf("failed to create discoveryClient: %w", err) + } + + resources, err := dc.ServerResourcesForGroupVersion(openshiftResourceGroup + "/" + openshiftResourceVersion) + if errors.IsNotFound(err) { + return PlatformKubernetes, nil + } else if err != nil { + return "", err + } + + for _, apiResource := range resources.APIResources { + if apiResource.Kind == openshiftKind { + return PlatformOpenShift, nil + } + } + return PlatformKubernetes, nil +} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/constants/constants.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/constants/constants.go new file mode 100644 index 0000000000..821880d4f7 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/constants/constants.go @@ -0,0 +1,100 @@ +// Copyright Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package constants + +const ( + // MetadataNamespace is the namespace for service mesh metadata (labels, annotations) + MetadataNamespace = "sailoperator.io" + + // CreatedByKey is used in annotations to mark ServiceMeshMemberRolls created by the ServiceMeshMember controller + CreatedByKey = MetadataNamespace + "/created-by" + + // OwnerKey represents the mesh (namespace) to which the resource relates + OwnerKey = MetadataNamespace + "/owner" + + // OwnerNameKey represents the name of the SMCP to which the resource relates + OwnerNameKey = MetadataNamespace + "/owner-name" + + // MemberOfKey represents the mesh (namespace) to which the resource relates + MemberOfKey = MetadataNamespace + "/member-of" + + // IgnoreNamespaceKey indicates that sidecar injection should be disabled for the namespace + IgnoreNamespaceKey = MetadataNamespace + "/ignore-namespace" + + // GenerationKey represents the generation to which the resource was last reconciled + GenerationKey = MetadataNamespace + "/generation" + + // MeshGenerationKey represents the generation of the service mesh to which the resource was last reconciled. + // This uniquely identifies an installation, incorporating the operator version and the smcp resource generation. + MeshGenerationKey = MetadataNamespace + "/mesh-generation" + + // InternalKey is used to identify the resource as being internal to the mesh itself (i.e. should not be applied to members) + InternalKey = MetadataNamespace + "/internal" + + // FinalizerName is the finalizer name the controllers add to any resources that need to be finalized during deletion + FinalizerName = MetadataNamespace + "/sail-operator" + + // KubernetesAppNamespace is the common namespace for application information + KubernetesAppNamespace = "app.kubernetes.io" + KubernetesAppNameKey = KubernetesAppNamespace + "/name" + KubernetesAppInstanceKey = KubernetesAppNamespace + "/instance" + KubernetesAppVersionKey = KubernetesAppNamespace + "/version" + KubernetesAppComponentKey = KubernetesAppNamespace + "/component" + KubernetesAppPartOfKey = KubernetesAppNamespace + "/part-of" + KubernetesAppManagedByKey = KubernetesAppNamespace + "/managed-by" + + // KubernetesAppPartOfValue is the KubernetesAppPartOfKey label value the operator sets on all objects it creates + KubernetesAppPartOfValue = "istio" + + // ManagedByLabelKey is the key for the kubernetes resource label indicating the resource is managed by the Sail operator + ManagedByLabelKey = "managed-by" + + // ManagedByLabelValue is the ManagedByKey label value the operator sets on all objects it creates + ManagedByLabelValue = "sail-operator" + + // WebhookReadinessProbeStatusAnnotationKey is an annotation on the istio-sidecar-injection MutatingWebhookConfiguration that + // reports whether the remote control plane is ready or not + WebhookReadinessProbeStatusAnnotationKey = MetadataNamespace + "/readinessProbe.status" + + // WebhookReadinessProbeStatusReasonAnnotationKey is an annotation on the istio-sidecar-injection MutatingWebhookConfiguration that + // reports why the remote control plane is not ready + WebhookReadinessProbeStatusReasonAnnotationKey = MetadataNamespace + "/readinessProbe.reason" + + // WebhookReadinessProbePeriodSecondsAnnotationKey is an annotation on the istio-sidecar-injection MutatingWebhookConfiguration that + // specifies the period for the readiness probe + WebhookReadinessProbePeriodSecondsAnnotationKey = MetadataNamespace + "/readinessProbe.periodSeconds" + + // WebhookReadinessProbeTimeoutSecondsAnnotationKey is an annotation on the istio-sidecar-injection MutatingWebhookConfiguration that + // specifies the timeout for the readiness probe + WebhookReadinessProbeTimeoutSecondsAnnotationKey = MetadataNamespace + "/readinessProbe.timeoutSeconds" + + // IstioInjectionLabel is the label that is used to configure injection for the 'default' IstioRevision + IstioInjectionLabel = "istio-injection" + + // IstioInjectionEnabledValue is the value for IstioInjectionLabel + IstioInjectionEnabledValue = "enabled" + + // IstioRevLabel is the label that is used to configure injection for non-default IstioRevisions + IstioRevLabel = "istio.io/rev" + + // IstioSidecarInjectLabel is the label that is used to configure injection for specific workloads + IstioSidecarInjectLabel = "sidecar.istio.io/inject" + + // IstiodChartName is the name of the chart that installs istiod + IstiodChartName = "istiod" + + // BaseChartName is the name of the base chart + BaseChartName = "base" +) diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/env/env.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/env/env.go new file mode 100644 index 0000000000..2acf59c1af --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/env/env.go @@ -0,0 +1,37 @@ +// Copyright Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package env + +import ( + "os" + "strconv" +) + +func Get(key, defaultValue string) string { + value := os.Getenv(key) + if value == "" { + return defaultValue + } + return value +} + +func GetBool(key string, defaultValue bool) bool { + value := Get(key, strconv.FormatBool(defaultValue)) + boolValue, err := strconv.ParseBool(value) + if err != nil { + return defaultValue + } + return boolValue +} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/helm/chartmanager.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/helm/chartmanager.go new file mode 100644 index 0000000000..99d1a149db --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/helm/chartmanager.go @@ -0,0 +1,235 @@ +// Copyright Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package helm + +import ( + "context" + "errors" + "fmt" + "io/fs" + + "github.com/istio-ecosystem/sail-operator/pkg/constants" + "helm.sh/helm/v3/pkg/action" + "helm.sh/helm/v3/pkg/chart" + "helm.sh/helm/v3/pkg/release" + "helm.sh/helm/v3/pkg/storage/driver" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/cli-runtime/pkg/genericclioptions" + "k8s.io/client-go/rest" + logf "sigs.k8s.io/controller-runtime/pkg/log" +) + +type ChartManager struct { + restClientGetter genericclioptions.RESTClientGetter + driver string + managedByValue string +} + +// ChartManagerOption is a functional option for configuring a ChartManager. +type ChartManagerOption func(*ChartManager) + +// WithManagedByValue overrides the value of the "managed-by" label that is +// applied to every resource created by Helm install/upgrade. The default +// value is constants.ManagedByLabelValue ("sail-operator"). +func WithManagedByValue(v string) ChartManagerOption { + return func(cm *ChartManager) { + cm.managedByValue = v + } +} + +// NewChartManager creates a new Helm chart manager using cfg as the configuration +// that Helm will use to connect to the cluster when installing or uninstalling +// charts, and using the specified driver to store information about releases +// (one of: memory, secret, configmap, sql, or "" (same as "secret")). +func NewChartManager(cfg *rest.Config, driver string, opts ...ChartManagerOption) *ChartManager { + cm := &ChartManager{ + restClientGetter: NewRESTClientGetter(cfg), + driver: driver, + managedByValue: constants.ManagedByLabelValue, + } + for _, o := range opts { + o(cm) + } + return cm +} + +// newActionConfig Create a new Helm action config from in-cluster service account +func (h *ChartManager) newActionConfig(ctx context.Context, namespace string) (*action.Configuration, error) { + logAdapter := func(format string, v ...any) { + log := logf.FromContext(ctx) + logv2 := log.V(2) + if logv2.Enabled() { + logv2.Info(fmt.Sprintf(format, v...)) + } + } + + actionConfig := new(action.Configuration) + err := actionConfig.Init(h.restClientGetter, namespace, h.driver, logAdapter) + return actionConfig, err +} + +// UpgradeOrInstallChart upgrades a chart in cluster or installs it new if it does not already exist. +// It loads the chart from an fs.FS (e.g., embed.FS or os.DirFS). +func (h *ChartManager) UpgradeOrInstallChart( + ctx context.Context, resourceFS fs.FS, chartPath string, values Values, + namespace, releaseName string, ownerReference *metav1.OwnerReference, +) (*release.Release, error) { + loadedChart, err := LoadChart(resourceFS, chartPath) + if err != nil { + return nil, fmt.Errorf("failed to load chart from fs: %w", err) + } + + return h.upgradeOrInstallChart(ctx, loadedChart, values, namespace, releaseName, ownerReference) +} + +// upgradeOrInstallChart is the internal implementation that works with an already-loaded chart +func (h *ChartManager) upgradeOrInstallChart( + ctx context.Context, chart *chart.Chart, values Values, + namespace, releaseName string, ownerReference *metav1.OwnerReference, +) (*release.Release, error) { + log := logf.FromContext(ctx) + + cfg, err := h.newActionConfig(ctx, namespace) + if err != nil { + return nil, err + } + + rel, err := getRelease(cfg, releaseName) + if err != nil { + return rel, err + } + + releaseExists := rel != nil + + // A helm release can be stuck in pending state when: + // - operator exit/crashes during helm install/upgrade/uninstall + // - lost connection to apiserver + // - helm release timeouts (context timeouts, cancellation) + // - etc + // let's try to brutally unlock it and then remediate later by either rollback or uninstall + if releaseExists && rel.Info.Status.IsPending() { + log.V(2).Info("Unlocking helm release", "status", rel.Info.Status, "release", releaseName) + rel.SetStatus(release.StatusFailed, fmt.Sprintf("Release unlocked from %q state", rel.Info.Status)) + + if err := cfg.Releases.Update(rel); err != nil { + return nil, fmt.Errorf("failed to unlock helm release %s: %w", releaseName, err) + } + } + + switch { + case !releaseExists: + break + case rel.Info.Status == release.StatusDeployed: + break + case rel.Info.Status == release.StatusFailed && rel.Version > 1: + log.V(2).Info("Performing helm rollback", "release", releaseName) + if err := action.NewRollback(cfg).Run(releaseName); err != nil { + return nil, fmt.Errorf("failed to roll back helm release %s: %w", releaseName, err) + } + case rel.Info.Status == release.StatusUninstalling, + rel.Info.Status == release.StatusFailed && rel.Version <= 1: + log.V(2).Info("Performing helm uninstall", "release", releaseName, "status", rel.Info.Status) + if _, err := action.NewUninstall(cfg).Run(releaseName); err != nil { + return nil, fmt.Errorf("failed to uninstall failed helm release %s: %w", releaseName, err) + } + releaseExists = false + default: + return nil, fmt.Errorf("unexpected helm release status %s", rel.Info.Status) + } + + if releaseExists { + log.V(2).Info("Performing helm upgrade", "chartName", chart.Name()) + + updateAction := action.NewUpgrade(cfg) + updateAction.PostRenderer = NewHelmPostRenderer(ownerReference, "", true, h.managedByValue) + updateAction.MaxHistory = 1 + updateAction.SkipCRDs = true + updateAction.DisableOpenAPIValidation = true + + rel, err = updateAction.RunWithContext(ctx, releaseName, chart, values) + if err != nil { + return nil, fmt.Errorf("failed to update helm chart %s: %w", chart.Name(), err) + } + } else { + log.V(2).Info("Performing helm install", "chartName", chart.Name()) + + installAction := action.NewInstall(cfg) + installAction.PostRenderer = NewHelmPostRenderer(ownerReference, "", false, h.managedByValue) + installAction.Namespace = namespace + installAction.ReleaseName = releaseName + installAction.SkipCRDs = true + installAction.DisableOpenAPIValidation = true + + rel, err = installAction.RunWithContext(ctx, chart, values) + if err != nil { + return nil, fmt.Errorf("failed to install helm chart %s: %w", chart.Name(), err) + } + } + return rel, nil +} + +// UninstallChart removes a chart from the cluster +func (h *ChartManager) UninstallChart(ctx context.Context, releaseName, namespace string) (*release.UninstallReleaseResponse, error) { + cfg, err := h.newActionConfig(ctx, namespace) + if err != nil { + return nil, err + } + + if rel, err := getRelease(cfg, releaseName); err != nil { + return nil, err + } else if rel == nil { + // release does not exist; no need for uninstall + return &release.UninstallReleaseResponse{Info: "release not found"}, nil + } + + return action.NewUninstall(cfg).Run(releaseName) +} + +func getRelease(cfg *action.Configuration, releaseName string) (*release.Release, error) { + getAction := action.NewGet(cfg) + rel, err := getAction.Run(releaseName) + if err != nil && !errors.Is(err, driver.ErrReleaseNotFound) { + return nil, fmt.Errorf("failed to get helm release %s: %w", releaseName, err) + } + return rel, nil +} + +func (h *ChartManager) GetRelease(ctx context.Context, namespace, releaseName string) (*release.Release, error) { + cfg, err := h.newActionConfig(ctx, namespace) + if err != nil { + return nil, err + } + + return getRelease(cfg, releaseName) +} + +func (h *ChartManager) UpdateRelease(ctx context.Context, namespace string, rel *release.Release) error { + cfg, err := h.newActionConfig(ctx, namespace) + if err != nil { + return err + } + return cfg.Releases.Update(rel) +} + +func (h *ChartManager) ListReleases(ctx context.Context) ([]*release.Release, error) { + cfg, err := h.newActionConfig(ctx, "") + if err != nil { + return nil, err + } + + listAction := action.NewList(cfg) + listAction.AllNamespaces = true + return listAction.Run() +} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/helm/fsloader.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/helm/fsloader.go new file mode 100644 index 0000000000..b382e2cef4 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/helm/fsloader.go @@ -0,0 +1,113 @@ +// Copyright Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package helm + +import ( + "fmt" + "io/fs" + "strings" + + "helm.sh/helm/v3/pkg/chart" + chartLoader "helm.sh/helm/v3/pkg/chart/loader" + "helm.sh/helm/v3/pkg/chartutil" + "helm.sh/helm/v3/pkg/engine" +) + +// LoadChart loads a Helm chart from an fs.FS at the specified path. +// This allows loading charts from embed.FS, os.DirFS, or any other fs.FS implementation. +// +// The chartPath should be the path to the chart directory within the filesystem, +// e.g., "v1.28.2/charts/istiod". +func LoadChart(resourceFS fs.FS, chartPath string) (*chart.Chart, error) { + var files []*chartLoader.BufferedFile + + err := fs.WalkDir(resourceFS, chartPath, func(path string, d fs.DirEntry, err error) error { + if err != nil { + return err + } + + // Skip directories + if d.IsDir() { + return nil + } + + data, err := fs.ReadFile(resourceFS, path) + if err != nil { + return fmt.Errorf("failed to read file %s: %w", path, err) + } + + // Make path relative to chart root + // e.g., "v1.28.2/charts/istiod/Chart.yaml" -> "Chart.yaml" + relPath := strings.TrimPrefix(path, chartPath) + relPath = strings.TrimPrefix(relPath, "/") + + files = append(files, &chartLoader.BufferedFile{ + Name: relPath, + Data: data, + }) + return nil + }) + if err != nil { + return nil, fmt.Errorf("failed to walk chart directory %s: %w", chartPath, err) + } + + if len(files) == 0 { + return nil, fmt.Errorf("no files found in chart directory %s", chartPath) + } + + loadedChart, err := chartLoader.LoadFiles(files) + if err != nil { + return nil, fmt.Errorf("failed to load chart from files: %w", err) + } + + return loadedChart, nil +} + +// RenderChart renders a Helm chart's templates with the provided values. +// This does not require cluster access - it's a pure template rendering operation. +// Returns a map of template name to rendered content. +func RenderChart(resourceFS fs.FS, chartPath string, values Values, namespace, releaseName string) (map[string]string, error) { + loadedChart, err := LoadChart(resourceFS, chartPath) + if err != nil { + return nil, fmt.Errorf("failed to load chart: %w", err) + } + + return RenderLoadedChart(loadedChart, values, namespace, releaseName) +} + +// RenderLoadedChart renders an already-loaded chart's templates with the provided values. +// Returns a map of template name to rendered content. +func RenderLoadedChart(loadedChart *chart.Chart, values Values, namespace, releaseName string) (map[string]string, error) { + // Create release options for rendering + options := chartutil.ReleaseOptions{ + Name: releaseName, + Namespace: namespace, + IsInstall: true, + } + + // Merge values with chart defaults + chartValues, err := chartutil.ToRenderValues(loadedChart, values, options, nil) + if err != nil { + return nil, fmt.Errorf("failed to create render values: %w", err) + } + + // Render templates + rendered, err := engine.Render(loadedChart, chartValues) + if err != nil { + return nil, fmt.Errorf("failed to render chart templates: %w", err) + } + + return rendered, nil +} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/helm/postrenderer.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/helm/postrenderer.go new file mode 100644 index 0000000000..c74fe920ec --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/helm/postrenderer.go @@ -0,0 +1,182 @@ +// Copyright Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package helm + +import ( + "bytes" + "fmt" + "io" + "strings" + + "github.com/istio-ecosystem/sail-operator/pkg/constants" + "gopkg.in/yaml.v3" + "helm.sh/helm/v3/pkg/postrender" + admissionregistrationv1 "k8s.io/api/admissionregistration/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" + "k8s.io/apimachinery/pkg/runtime" +) + +const ( + AnnotationPrimaryResource = "operator-sdk/primary-resource" + AnnotationPrimaryResourceType = "operator-sdk/primary-resource-type" +) + +// NewHelmPostRenderer creates a Helm PostRenderer that adds the following to each rendered manifest: +// - adds the "managed-by" label with the given managedByValue +// - adds the specified OwnerReference +// It also removes the failurePolicy field from ValidatingWebhookConfigurations on updates, so +// the in-cluster setting stays as-is, to prevent clashing with the istiod validation controller. +func NewHelmPostRenderer(ownerReference *metav1.OwnerReference, ownerNamespace string, isUpdate bool, managedByValue string) postrender.PostRenderer { + return HelmPostRenderer{ + ownerReference: ownerReference, + ownerNamespace: ownerNamespace, + isUpdate: isUpdate, + managedByValue: managedByValue, + } +} + +type HelmPostRenderer struct { + ownerReference *metav1.OwnerReference + ownerNamespace string + isUpdate bool + managedByValue string +} + +var _ postrender.PostRenderer = HelmPostRenderer{} + +func (pr HelmPostRenderer) Run(renderedManifests *bytes.Buffer) (modifiedManifests *bytes.Buffer, err error) { + modifiedManifests = &bytes.Buffer{} + encoder := yaml.NewEncoder(modifiedManifests) + encoder.SetIndent(2) + decoder := yaml.NewDecoder(renderedManifests) + for { + manifest := map[string]any{} + + if err := decoder.Decode(&manifest); err != nil { + if err == io.EOF { + break + } + return nil, err + } + + if manifest == nil { + continue + } + + manifest, err = pr.addOwnerReference(manifest) + if err != nil { + return nil, err + } + + manifest, err = pr.addManagedByLabel(manifest) + if err != nil { + return nil, err + } + + // Strip ValidatingWebhookConfiguration webhooks[].failurePolicy field if we're upgrading, + // to avoid overwriting the value set in-cluster by the istiod validation controller. On + // initial install we still want to set the field per the Helm template. + if pr.isUpdate { + manifest, err = pr.removeValidatingWebhookFailurePolicy(manifest) + if err != nil { + return nil, fmt.Errorf("error removing ValidatingWebhookConfiguration failurePolicy: %v", err) + } + } + + if err := encoder.Encode(manifest); err != nil { + return nil, err + } + } + return modifiedManifests, nil +} + +func (pr HelmPostRenderer) removeValidatingWebhookFailurePolicy(manifest map[string]any) (map[string]any, error) { + apiVersion, _, _ := unstructured.NestedString(manifest, "apiVersion") + if apiVersion != admissionregistrationv1.SchemeGroupVersion.String() { + return manifest, nil + } + kind, _, _ := unstructured.NestedString(manifest, "kind") + if kind != "ValidatingWebhookConfiguration" { + return manifest, nil + } + + webhooksAny, found, err := unstructured.NestedFieldNoCopy(manifest, "webhooks") + if err != nil { + return nil, err + } + if !found { + return manifest, nil + } + + webhooks, ok := webhooksAny.([]interface{}) + if !ok { + return nil, fmt.Errorf("expected webhooks to be []interface{}, got %T", webhooksAny) + } + + for _, webhookAny := range webhooks { + webhook, ok := webhookAny.(map[string]any) + if !ok { + return nil, fmt.Errorf("expected webhook to be map[string]interface{}, got %T", webhookAny) + } + + delete(webhook, "failurePolicy") + } + + return manifest, nil +} + +func (pr HelmPostRenderer) addOwnerReference(manifest map[string]any) (map[string]any, error) { + if pr.ownerReference == nil { + return manifest, nil + } + + objNamespace, objHasNamespace, err := unstructured.NestedFieldNoCopy(manifest, "metadata", "namespace") + if err != nil { + return nil, err + } + if pr.ownerNamespace == "" || objHasNamespace && objNamespace == pr.ownerNamespace { + ownerReferences, _, err := unstructured.NestedSlice(manifest, "metadata", "ownerReferences") + if err != nil { + return nil, err + } + + ref, err := runtime.DefaultUnstructuredConverter.ToUnstructured(pr.ownerReference) + if err != nil { + return nil, err + } + ownerReferences = append(ownerReferences, ref) + + if err := unstructured.SetNestedSlice(manifest, ownerReferences, "metadata", "ownerReferences"); err != nil { + return nil, err + } + } else { + ownerAPIGroup, _, _ := strings.Cut(pr.ownerReference.APIVersion, "/") + ownerType := pr.ownerReference.Kind + "." + ownerAPIGroup + ownerKey := pr.ownerNamespace + "/" + pr.ownerReference.Name + if err := unstructured.SetNestedField(manifest, ownerType, "metadata", "annotations", AnnotationPrimaryResourceType); err != nil { + return nil, err + } + if err := unstructured.SetNestedField(manifest, ownerKey, "metadata", "annotations", AnnotationPrimaryResource); err != nil { + return nil, err + } + } + return manifest, nil +} + +func (pr HelmPostRenderer) addManagedByLabel(manifest map[string]any) (map[string]any, error) { + err := unstructured.SetNestedField(manifest, pr.managedByValue, "metadata", "labels", constants.ManagedByLabelKey) + return manifest, err +} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/helm/restclientgetter.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/helm/restclientgetter.go new file mode 100644 index 0000000000..0b9e906c6c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/helm/restclientgetter.go @@ -0,0 +1,78 @@ +// Copyright Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package helm + +import ( + "k8s.io/apimachinery/pkg/api/meta" + "k8s.io/cli-runtime/pkg/genericclioptions" + "k8s.io/client-go/discovery" + "k8s.io/client-go/discovery/cached/memory" + "k8s.io/client-go/rest" + "k8s.io/client-go/restmapper" + "k8s.io/client-go/tools/clientcmd" +) + +// restClientGetter is required by helm to instantiate ActionConfig +type restClientGetter struct { + config *rest.Config + discoveryClient discovery.CachedDiscoveryInterface + restMapper meta.RESTMapper +} + +func NewRESTClientGetter(config *rest.Config) genericclioptions.RESTClientGetter { + return &restClientGetter{ + config: config, + } +} + +func (c *restClientGetter) ToRESTConfig() (*rest.Config, error) { + return c.config, nil +} + +func (c *restClientGetter) ToDiscoveryClient() (discovery.CachedDiscoveryInterface, error) { + if c.discoveryClient == nil { + oldBurst := c.config.Burst + // use the default (high) burst for discovery + c.config.Burst = 0 + // write back the old burst value after it has been copied for discovery client creation + defer func() { c.config.Burst = oldBurst }() + + discoveryClient, _ := discovery.NewDiscoveryClientForConfig(c.config) + c.discoveryClient = memory.NewMemCacheClient(discoveryClient) + } + return c.discoveryClient, nil +} + +func (c *restClientGetter) ToRESTMapper() (meta.RESTMapper, error) { + if c.restMapper == nil { + // we know err is always nil + discoveryClient, _ := c.ToDiscoveryClient() + + mapper := restmapper.NewDeferredDiscoveryRESTMapper(discoveryClient) + c.restMapper = restmapper.NewShortcutExpander(mapper, discoveryClient, nil) + } + return c.restMapper, nil +} + +func (c *restClientGetter) ToRawKubeConfigLoader() clientcmd.ClientConfig { + loadingRules := clientcmd.NewDefaultClientConfigLoadingRules() + // use the standard defaults for this client command + // DEPRECATED: remove and replace with something more accurate + loadingRules.DefaultClientConfig = &clientcmd.DefaultClientConfig + + overrides := &clientcmd.ConfigOverrides{ClusterDefaults: clientcmd.ClusterDefaults} + + return clientcmd.NewNonInteractiveDeferredLoadingClientConfig(loadingRules, overrides) +} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/helm/values.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/helm/values.go new file mode 100644 index 0000000000..6467a33ab8 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/helm/values.go @@ -0,0 +1,92 @@ +// Copyright Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package helm + +import ( + "encoding/json" + "fmt" + "strings" + + "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" +) + +type Values map[string]any + +// GetBool returns the bool value of a nested field. +// Returns false if value is not found and an error if not a bool. +func (h *Values) GetBool(key string) (bool, bool, error) { + return unstructured.NestedBool(*h, toKeys(key)...) +} + +// GetString returns the string value of a nested field. +// Returns false if value is not found and an error if not a string. +func (h *Values) GetString(key string) (string, bool, error) { + return unstructured.NestedString(*h, toKeys(key)...) +} + +// Set sets the value of a nested field to a deep copy of the value provided. +// Returns an error if value cannot be set because one of the nesting levels is not a map[string]any. +func (h *Values) Set(key string, val any) error { + return unstructured.SetNestedField(*h, val, toKeys(key)...) +} + +// Set sets the value of a nested string slice to the value provided. +// Returns an error if value cannot be set because one of the nesting levels is not a map[string]any. +func (h *Values) SetStringSlice(key string, val []string) error { + return unstructured.SetNestedStringSlice(*h, val, toKeys(key)...) +} + +// SetIfAbsent sets the value of a nested field to a deep copy of the value +// provided if the field does not exist. +func (h *Values) SetIfAbsent(key string, val any) error { + if _, found, err := unstructured.NestedFieldNoCopy(*h, toKeys(key)...); err != nil { + return fmt.Errorf("failed to get value %s: %w", key, err) + } else if !found { + if err := h.Set(key, val); err != nil { + return fmt.Errorf("failed to set value %s: %w", key, err) + } + } + return nil +} + +func toKeys(key string) []string { + return strings.Split(key, ".") +} + +func FromValues(values any) Values { + var obj Values + data, err := json.Marshal(values) + if err != nil { + panic(err) + } + if err = json.Unmarshal(data, &obj); err != nil { + panic(err) + } + return obj +} + +func ToValues[V any](helmValues Values, values V) (V, error) { + data, err := json.Marshal(helmValues) + if err != nil { + return values, fmt.Errorf("failed to marshal Values struct: %w", err) + } + + decoder := json.NewDecoder(strings.NewReader(string(data))) + err = decoder.Decode(&values) + if err != nil { + return values, fmt.Errorf("failed to unmarshal into Values struct: %w:\n%v", err, string(data)) + } + return values, nil +} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/install/README.md b/vendor/github.com/istio-ecosystem/sail-operator/pkg/install/README.md new file mode 100644 index 0000000000..e8093920d2 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/install/README.md @@ -0,0 +1,109 @@ +# pkg/install + +Library for managing istiod installations without running the Sail Operator. +Designed for embedding in other operators (e.g. OpenShift Ingress) that need +to install and maintain Istio as an internal dependency. + +## Usage + +```go +lib, err := install.New(kubeConfig, resourceFS) +notifyCh := lib.Start(ctx) + +// In controller reconcile: +lib.Apply(install.Options{ + Namespace: "istio-system", + Values: install.GatewayAPIDefaults(), +}) + +// Read result after notification: +for range notifyCh { + status := lib.Status() + // update conditions from status +} + +// Teardown: +lib.Uninstall(ctx, "istio-system", "default") +``` + +## How it works + +The Library runs as an independent actor with a simple state model: + +1. **Apply** -- consumer sends desired state (version, namespace, values) +2. **Reconcile** -- Library installs/upgrades CRDs and istiod via Helm +3. **Drift detection** -- dynamic informers watch owned resources and CRDs, re-enqueuing reconciliation on changes +4. **Status** -- consumer reads the reconciliation result + +The reconciliation loop sits idle until the first `Apply()` call. After that, +it stays active with informers running until `Uninstall()` clears the desired +state and stops the loop. + +## Public API + +### Constructor + +- `New(kubeConfig, resourceFS)` -- creates a Library with Kubernetes clients, Helm chart manager, and CRD manager +- `FromDirectory(path)` -- creates an `fs.FS` from a filesystem path (alternative to embedded resources) + +### Library methods + +| Method | Description | +|---|---| +| `Start(ctx)` | Starts the reconciliation loop; returns a notification channel | +| `Apply(opts)` | Sets desired state; enqueues reconciliation if changed | +| `Enqueue()` | Forces re-reconciliation without changing desired state | +| `Status()` | Returns the latest reconciliation result | +| `Uninstall(ctx, ns, rev)` | Stops informers, waits for processing, then Helm-uninstalls | + +### Types + +- **Options** -- install options: `Namespace`, `Version`, `Revision`, `Values`, `ManageCRDs`, `IncludeAllCRDs`, `OverwriteOLMManagedCRD` +- **Status** -- reconciliation result: `CRDState`, `CRDMessage`, `CRDs`, `Installed`, `Version`, `Error` +- **CRDManagementState** -- aggregate CRD ownership: `ManagedByCIO`, `ManagedByOLM`, `UnknownManagement`, `MixedOwnership`, `NoneExist` +- **CRDInfo** -- per-CRD state: `Name`, `State`, `Found` +- **ImageNames** -- image names for each component: `Istiod`, `Proxy`, `CNI`, `ZTunnel` + +### Helper functions + +- `GatewayAPIDefaults()` -- pre-configured values for Gateway API mode on OpenShift +- `MergeValues(base, overlay)` -- deep-merge two Values structs (overlay wins) +- `DefaultVersion(resourceFS)` -- highest stable semver version from the resource FS +- `NormalizeVersion(version)` -- ensures a `v` prefix +- `ValidateVersion(resourceFS, version)` -- checks that a version directory exists +- `SetImageDefaults(resourceFS, registry, images)` -- populates image refs from version directories +- `LibraryRBACRules()` -- returns RBAC PolicyRules for a consumer's ClusterRole + +## CRD management + +The Library classifies existing CRDs by ownership labels before deciding what to do: + +| State | Meaning | Action | +|---|---|---| +| `NoneExist` | No target CRDs on cluster | Install with CIO labels | +| `ManagedByCIO` | All owned by Cluster Ingress Operator | Update as needed | +| `ManagedByOLM` | All owned by OLM (OSSM subscription) | Leave alone; Helm install proceeds | +| `UnknownManagement` | CRDs exist without recognized labels | Leave alone; set Status.Error | +| `MixedOwnership` | Inconsistent labels across CRDs | Leave alone; set Status.Error | + +The `OverwriteOLMManagedCRD` callback in Options lets the consumer decide +whether to take over OLM-managed CRDs (e.g. after an OSSM subscription is deleted). + +Which CRDs are targeted depends on `IncludeAllCRDs`: when false (default), only +CRDs matching `PILOT_INCLUDE_RESOURCES` / `PILOT_IGNORE_RESOURCES` are managed. + +## Files + +| File | Purpose | +|---|---| +| `library.go` | Public API, types (`Library`, `Status`, `Options`), constructor | +| `lifecycle.go` | Reconciliation loop, workqueue, `Start`/`Apply`/`Uninstall` | +| `installer.go` | Core install/uninstall logic, Helm values resolution, watch spec extraction | +| `crds.go` | CRD ownership classification, install, update | +| `crds_filter.go` | CRD selection based on `PILOT_INCLUDE_RESOURCES` / `PILOT_IGNORE_RESOURCES` | +| `values.go` | `GatewayAPIDefaults()`, `MergeValues()` | +| `predicates.go` | Event filtering for informers (ownership checks, status-only changes) | +| `informers.go` | Dynamic informer setup for drift detection | +| `version.go` | Version resolution and validation | +| `images.go` | Image configuration from resource FS | +| `rbac.go` | RBAC rules for library consumers | diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/install/USAGE.md b/vendor/github.com/istio-ecosystem/sail-operator/pkg/install/USAGE.md new file mode 100644 index 0000000000..2c825951ad --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/install/USAGE.md @@ -0,0 +1,313 @@ +# Install Library - CIO Usage Example + +This document shows how the Cluster Ingress Operator (CIO) would wire the install library into its main and GatewayClass controller. + +## Architecture + +``` +┌──────────────────────────────────────────────────────────────┠+│ main.go │ +│ │ +│ 1. Create install.Library │ +│ 2. Start it (returns notifyCh) │ +│ 3. Pass Library to GatewayClassReconciler │ +│ 4. Bridge notifyCh into a source.Func on the controller │ +│ 5. Start manager │ +└──────────────────────────────────────────────────────────────┘ + │ Apply(opts) ▲ notifyCh signal + ▼ │ +┌──────────────────────────────────────────────────────────────┠+│ install.Library (internal goroutines) │ +│ │ +│ - Classifies + installs/updates CRDs │ +│ - Installs istiod via Helm │ +│ - Watches Helm resources for drift │ +│ - Watches CRDs for ownership changes │ +│ - Sends signal on notifyCh after each reconciliation │ +└──────────────────────────────────────────────────────────────┘ + │ Status() ▲ drift / CRD event + ▼ │ +┌──────────────────────────────────────────────────────────────┠+│ GatewayClassReconciler.Reconcile() │ +│ │ +│ 1. Get GatewayClass │ +│ 2. Build values, call lib.Apply(opts) │ +│ 3. Read lib.Status() │ +│ 4. Map status → GatewayClass conditions │ +│ 5. Update GatewayClass status │ +└──────────────────────────────────────────────────────────────┘ +``` + +## main.go + +```go +package main + +import ( + "context" + "os" + + "github.com/istio-ecosystem/sail-operator/pkg/install" + "github.com/istio-ecosystem/sail-operator/resources" + "k8s.io/apimachinery/pkg/types" + "k8s.io/client-go/util/workqueue" + ctrl "sigs.k8s.io/controller-runtime" + "sigs.k8s.io/controller-runtime/pkg/reconcile" + "sigs.k8s.io/controller-runtime/pkg/source" + gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" +) + +func main() { + mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{}) + if err != nil { + os.Exit(1) + } + + // 1. Create the install library. + // resources.FS contains the embedded Helm charts, profiles, and CRDs. + lib, err := install.New(mgr.GetConfig(), resources.FS) + if err != nil { + os.Exit(1) + } + + // 2. Start the library. This returns a notification channel that fires + // every time the library finishes a reconciliation (install, drift + // repair, CRD ownership change). + // The library sits idle until the first Apply() call. + ctx := ctrl.SetupSignalHandler() + notifyCh := lib.Start(ctx) + + // 3. Create the GatewayClass controller with the library injected. + reconciler := &GatewayClassReconciler{ + Client: mgr.GetClient(), + Lib: lib, + } + + // 4. Bridge notifyCh into a controller-runtime source. + // notifyCh is <-chan struct{}, so we use source.Func to convert each + // signal into a reconcile.Request for our fixed GatewayClass name. + notifySource := source.Func(func(ctx context.Context, q workqueue.TypedRateLimitingInterface[reconcile.Request]) error { + go func() { + for { + select { + case <-ctx.Done(): + return + case _, ok := <-notifyCh: + if !ok { + return + } + q.Add(reconcile.Request{ + NamespacedName: types.NamespacedName{Name: gatewayClassName}, + }) + } + } + }() + return nil + }) + + err = ctrl.NewControllerManagedBy(mgr). + For(&gwapiv1.GatewayClass{}). + WatchesRawSource(notifySource). + Complete(reconciler) + if err != nil { + os.Exit(1) + } + + // 5. Start the manager. This blocks until ctx is cancelled. + if err := mgr.Start(ctx); err != nil { + os.Exit(1) + } +} +``` + +## GatewayClass Controller + +```go +package main + +import ( + "context" + "fmt" + + "github.com/istio-ecosystem/sail-operator/pkg/install" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + ctrl "sigs.k8s.io/controller-runtime" + "sigs.k8s.io/controller-runtime/pkg/client" + gwapiv1 "sigs.k8s.io/gateway-api/apis/v1" +) + +const ( + controllerName = "openshift.io/ingress-controller" + gatewayClassName = "openshift-default" +) + +// GatewayClassReconciler reconciles GatewayClass objects and drives +// the install library to manage istiod. +type GatewayClassReconciler struct { + client.Client + Lib *install.Library +} + +func (r *GatewayClassReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) { + log := ctrl.LoggerFrom(ctx) + + // 1. Get the GatewayClass. + gc := &gwapiv1.GatewayClass{} + if err := r.Get(ctx, req.NamespacedName, gc); err != nil { + return ctrl.Result{}, client.IgnoreNotFound(err) + } + + // Only handle our GatewayClass. + if string(gc.Spec.ControllerName) != controllerName { + return ctrl.Result{}, nil + } + + // 2. Build values and call Apply. + // Apply is idempotent — if nothing changed, it's a no-op. + values := install.GatewayAPIDefaults() + values.Pilot.Env["PILOT_GATEWAY_API_CONTROLLER_NAME"] = controllerName + values.Pilot.Env["PILOT_GATEWAY_API_DEFAULT_GATEWAYCLASS_NAME"] = gatewayClassName + + r.Lib.Apply(install.Options{ + Namespace: "openshift-ingress", + Values: values, + }) + + // 3. Read the latest status from the library. + status := r.Lib.Status() + + // 4. Map library status to GatewayClass conditions. + conditions := mapStatusToConditions(status, gc.Generation) + + // 5. Update GatewayClass status. + gc.Status.Conditions = conditions + if err := r.Status().Update(ctx, gc); err != nil { + return ctrl.Result{}, fmt.Errorf("failed to update GatewayClass status: %w", err) + } + + log.Info("reconciled", + "installed", status.Installed, + "version", status.Version, + "crdState", status.CRDState, + ) + return ctrl.Result{}, nil +} + +// mapStatusToConditions translates the library Status into GatewayClass conditions. +func mapStatusToConditions(status install.Status, generation int64) []metav1.Condition { + var conditions []metav1.Condition + + // Accepted condition: true if istiod is installed. + accepted := metav1.Condition{ + Type: string(gwapiv1.GatewayClassConditionStatusAccepted), + ObservedGeneration: generation, + LastTransitionTime: metav1.Now(), + } + if status.Installed { + accepted.Status = metav1.ConditionTrue + accepted.Reason = "Installed" + accepted.Message = fmt.Sprintf("istiod %s installed", status.Version) + } else if status.Error != nil { + accepted.Status = metav1.ConditionFalse + accepted.Reason = "InstallFailed" + accepted.Message = status.Error.Error() + } else { + accepted.Status = metav1.ConditionUnknown + accepted.Reason = "Pending" + accepted.Message = "waiting for first reconciliation" + } + conditions = append(conditions, accepted) + + // CRD condition: reflects CRD ownership state. + crd := metav1.Condition{ + Type: "CRDsReady", + ObservedGeneration: generation, + LastTransitionTime: metav1.Now(), + } + switch status.CRDState { + case install.CRDManagedByCIO: + crd.Status = metav1.ConditionTrue + crd.Reason = "ManagedByCIO" + crd.Message = status.CRDMessage + case install.CRDManagedByOLM: + crd.Status = metav1.ConditionTrue + crd.Reason = "ManagedByOLM" + crd.Message = status.CRDMessage + case install.CRDNoneExist: + crd.Status = metav1.ConditionUnknown + crd.Reason = "NoneExist" + crd.Message = "CRDs not yet installed" + case install.CRDMixedOwnership: + crd.Status = metav1.ConditionFalse + crd.Reason = "MixedOwnership" + crd.Message = status.CRDMessage + case install.CRDUnknownManagement: + crd.Status = metav1.ConditionFalse + crd.Reason = "UnknownManagement" + crd.Message = status.CRDMessage + } + conditions = append(conditions, crd) + + return conditions +} +``` + +## Sequence: What Happens When + +### Initial startup (no CRDs, no istiod) + +1. Manager starts, controller watches GatewayClass +2. GatewayClass is created by admin or platform +3. Controller reconciles: calls `lib.Apply(opts)` +4. Library wakes up, classifies CRDs (none exist) → installs CRDs with CIO labels +5. Library installs istiod via Helm +6. Library sends signal on `notifyCh` +7. Controller reconciles again: reads `lib.Status()` → sets Accepted=True, CRDsReady=True + +### OSSM installed later (CRD ownership conflict) + +1. Admin installs OSSM via OLM +2. OLM updates CRDs, adds `olm.managed=true` label +3. Library's CRD informer detects label change → re-reconciles +4. Library classifies CRDs → `MixedOwnership` (some CIO, some OLM) +5. Library skips CRD install/update, sets `Status.Error` +6. Library sends signal on `notifyCh` +7. Controller reconciles: reads status → sets CRDsReady=False, reason=MixedOwnership + +### Drift detected (someone deletes a ConfigMap) + +1. Someone deletes `istio` ConfigMap in the target namespace +2. Library's Helm resource informer detects the delete event +3. Library re-reconciles: Helm reinstalls the ConfigMap +4. Library sends signal on `notifyCh` +5. Controller reconciles: reads status → still Accepted=True (everything healthy) + +### No-op Apply (same values) + +1. Controller reconciles for some other reason (e.g. GatewayClass spec unchanged) +2. Calls `lib.Apply(opts)` with identical options +3. Library detects no change via `optionsEqual()` → does nothing +4. No `notifyCh` signal, no unnecessary Helm work + +### External state change (e.g. OLM Subscription deleted) + +1. OLM Subscription managing Istio CRDs is deleted +2. Controller detects the Subscription change (via its own watch) +3. Calls `lib.Enqueue()` to force CRD re-classification +4. Library re-reconciles with the previously applied options, re-classifying CRD ownership +5. Library sends signal on `notifyCh` +6. Controller reconciles: reads status → CRD state may have changed (e.g. takeover now possible) + +Use `Enqueue()` instead of `Apply()` when the Options haven't changed but external cluster state +(CRD ownership, Subscription lifecycle, etc.) has. `Apply()` with identical options is a no-op, +so it won't trigger re-evaluation. `Enqueue()` bypasses that check. + +## RBAC + +The library needs cluster-wide permissions. Aggregate them into your ClusterRole: + +```go +rules := append(myOperatorRules, install.LibraryRBACRules()...) +``` + +Or in YAML, merge the rules from `install.LibraryRBACRules()` into your operator's ClusterRole manifest. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/install/crds.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/install/crds.go new file mode 100644 index 0000000000..98d50e2d63 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/install/crds.go @@ -0,0 +1,413 @@ +// Copyright Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package install + +import ( + "context" + "fmt" + "io/fs" + "strings" + + v1 "github.com/istio-ecosystem/sail-operator/api/v1" + "github.com/istio-ecosystem/sail-operator/chart/crds" + apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" + apierrors "k8s.io/apimachinery/pkg/api/errors" + "sigs.k8s.io/controller-runtime/pkg/client" + "sigs.k8s.io/yaml" +) + +// OverwriteOLMManagedCRDFunc is called when a CRD is detected with OLM ownership +// labels. The CRD object is provided so the callback can inspect OLM +// annotations/labels to determine whether the owning subscription still exists. +// Return true to overwrite the CRD (take ownership), false to leave it alone. +type OverwriteOLMManagedCRDFunc func(ctx context.Context, crd *apiextensionsv1.CustomResourceDefinition) bool + +// CRD ownership labels and annotations. +const ( + // labelManagedByCIO indicates the CRD is managed by the Cluster Ingress Operator. + labelManagedByCIO = "ingress.operator.openshift.io/owned" + + // labelOLMManaged indicates the CRD is managed by OLM (OSSM subscription). + labelOLMManaged = "olm.managed" + + // annotationHelmKeep prevents Helm from deleting the CRD during uninstall. + annotationHelmKeep = "helm.sh/resource-policy" +) + +// CRDManagementState represents the aggregate ownership state of Istio CRDs on the cluster. +type CRDManagementState string + +const ( + // CRDManagedByCIO means all target CRDs are owned by the Cluster Ingress Operator. + // CRDs will be installed or updated. + CRDManagedByCIO CRDManagementState = "ManagedByCIO" + + // CRDManagedByOLM means all target CRDs are owned by an OSSM subscription via OLM. + // CRDs are left alone; Helm install still proceeds. + CRDManagedByOLM CRDManagementState = "ManagedByOLM" + + // CRDUnknownManagement means one or more CRDs exist but are not owned by CIO or OLM. + // CRDs are left alone; Helm install still proceeds; Status.Error is set. + CRDUnknownManagement CRDManagementState = "UnknownManagement" + + // CRDMixedOwnership means CRDs have inconsistent ownership (some CIO, some OLM, some unknown, or some missing). + // CRDs are left alone; Helm install still proceeds; Status.Error is set. + CRDMixedOwnership CRDManagementState = "MixedOwnership" + + // CRDNoneExist means no target CRDs exist on the cluster yet. + // CRDs will be installed with CIO ownership labels. + CRDNoneExist CRDManagementState = "NoneExist" +) + +// CRDInfo describes the state of a single CRD on the cluster. +type CRDInfo struct { + // Name is the CRD name, e.g. "wasmplugins.extensions.istio.io" + Name string + + // State is the ownership state of this specific CRD. + // Only meaningful when Found is true. + State CRDManagementState + + // Found indicates whether this CRD exists on the cluster. + Found bool +} + +// crdResult bundles the outcome of CRD reconciliation. +type crdResult struct { + // State is the aggregate ownership state of the target Istio CRDs. + State CRDManagementState + + // CRDs contains per-CRD detail (name, ownership, found on cluster). + CRDs []CRDInfo + + // Message is a human-readable description of the CRD state. + Message string + + // Error is non-nil if CRD management encountered a problem. + Error error +} + +// crdManager encapsulates all CRD classification, installation, and update logic. +// It provides a single entry point (Reconcile) and keeps a client dependency +// that can be swapped out in tests. +type crdManager struct { + cl client.Client +} + +// newCRDManager creates a crdManager with the given Kubernetes client. +func newCRDManager(cl client.Client) *crdManager { + return &crdManager{cl: cl} +} + +// classifyCRD checks a single CRD on the cluster and returns its ownership state. +// If overwriteOLM is non-nil and the CRD has OLM labels, it is called to decide +// whether to reclassify the CRD as CIO-managed (allowing adoption). +func (m *crdManager) classifyCRD(ctx context.Context, crdName string, overwriteOLM OverwriteOLMManagedCRDFunc) CRDInfo { + existing := &apiextensionsv1.CustomResourceDefinition{} + err := m.cl.Get(ctx, client.ObjectKey{Name: crdName}, existing) + if err != nil { + if apierrors.IsNotFound(err) { + return CRDInfo{Name: crdName, Found: false} + } + // Treat API errors as unknown management (we can't determine ownership) + return CRDInfo{Name: crdName, Found: true, State: CRDUnknownManagement} + } + + labels := existing.GetLabels() + + // Check CIO ownership + if _, ok := labels[labelManagedByCIO]; ok { + return CRDInfo{Name: crdName, Found: true, State: CRDManagedByCIO} + } + + // Check OLM ownership + if val, ok := labels[labelOLMManaged]; ok && val == "true" { + if overwriteOLM != nil && overwriteOLM(ctx, existing) { + return CRDInfo{Name: crdName, Found: true, State: CRDManagedByCIO} + } + return CRDInfo{Name: crdName, Found: true, State: CRDManagedByOLM} + } + + // No recognized ownership labels + return CRDInfo{Name: crdName, Found: true, State: CRDUnknownManagement} +} + +// classifyCRDs checks all target CRDs on the cluster and returns the aggregate state. +func (m *crdManager) classifyCRDs(ctx context.Context, targets []string, overwriteOLM OverwriteOLMManagedCRDFunc) (CRDManagementState, []CRDInfo) { + if len(targets) == 0 { + return CRDNoneExist, nil + } + + infos := make([]CRDInfo, len(targets)) + for i, target := range targets { + infos[i] = m.classifyCRD(ctx, target, overwriteOLM) + } + + return aggregateCRDState(infos), infos +} + +// aggregateCRDState derives the batch state from individual CRD states. +// +// Rules: +// - All not found → CRDNoneExist +// - All found are CIO or unknown (no OLM), with at least one CIO → CRDManagedByCIO +// (unknown = label drift, missing = deleted; both get fixed by updateCRDs) +// - All found OLM, all present → CRDManagedByOLM +// - Pure unknown (no CIO, no OLM) → CRDUnknownManagement +// - Any mix involving OLM → CRDMixedOwnership +func aggregateCRDState(infos []CRDInfo) CRDManagementState { + if len(infos) == 0 { + return CRDNoneExist + } + + var foundCount, cioCount, olmCount, unknownCount int + for _, info := range infos { + if !info.Found { + continue + } + foundCount++ + switch info.State { + case CRDManagedByCIO: + cioCount++ + case CRDManagedByOLM: + olmCount++ + default: + unknownCount++ + } + } + + total := len(infos) + + // None exist on cluster + if foundCount == 0 { + return CRDNoneExist + } + + // All found are CIO-owned (possibly with some missing or some that lost labels). + // No OLM involvement means we can safely reclaim unknowns and reinstall missing. + if cioCount > 0 && olmCount == 0 { + return CRDManagedByCIO + } + + // All found and all OLM — only if none are missing + if foundCount == total && olmCount == total { + return CRDManagedByOLM + } + + // Pure unknown — no CIO, no OLM labels on any found CRD + if unknownCount > 0 && cioCount == 0 && olmCount == 0 { + return CRDUnknownManagement + } + + // Anything else is mixed: CIO+OLM, OLM with missing, etc. + return CRDMixedOwnership +} + +// Reconcile classifies target CRDs and installs/updates them if we own them (or none exist). +// This is the single entry point for CRD management. +func (m *crdManager) Reconcile(ctx context.Context, values *v1.Values, includeAllCRDs bool, overwriteOLM OverwriteOLMManagedCRDFunc) crdResult { + targets, err := targetCRDsFromValues(values, includeAllCRDs) + if err != nil { + return crdResult{State: CRDNoneExist, Error: fmt.Errorf("failed to determine target CRDs: %w", err)} + } + if len(targets) == 0 { + return crdResult{State: CRDNoneExist, Message: "no target CRDs configured"} + } + + state, infos := m.classifyCRDs(ctx, targets, overwriteOLM) + + switch state { + case CRDNoneExist: + // Install all with CIO labels + if err := m.installCRDs(ctx, targets); err != nil { + return crdResult{State: state, CRDs: infos, Error: fmt.Errorf("failed to install CRDs: %w", err)} + } + // Update infos to reflect new state + for idx := range infos { + infos[idx].Found = true + infos[idx].State = CRDManagedByCIO + } + return crdResult{State: CRDManagedByCIO, CRDs: infos, Message: "CRDs installed by CIO"} + + case CRDManagedByCIO: + // Update existing, reinstall missing, re-label unknowns + missing := missingCRDNames(infos) + unlabeled := unlabeledCRDNames(infos) + if err := m.updateCRDs(ctx, targets); err != nil { + return crdResult{State: state, CRDs: infos, Error: fmt.Errorf("failed to update CRDs: %w", err)} + } + // Update infos for any previously-missing or unlabeled CRDs + for idx := range infos { + if !infos[idx].Found || infos[idx].State == CRDUnknownManagement { + infos[idx].Found = true + infos[idx].State = CRDManagedByCIO + } + } + msg := "CRDs updated by CIO" + if len(missing) > 0 { + msg = fmt.Sprintf("CRDs updated by CIO; reinstalled: %s", strings.Join(missing, ", ")) + } + if len(unlabeled) > 0 { + msg += fmt.Sprintf("; reclaimed: %s", strings.Join(unlabeled, ", ")) + } + return crdResult{State: CRDManagedByCIO, CRDs: infos, Message: msg} + + case CRDManagedByOLM: + return crdResult{State: CRDManagedByOLM, CRDs: infos, Message: "CRDs managed by OSSM subscription via OLM"} + + case CRDUnknownManagement: + missing := missingCRDNames(infos) + msg := "CRDs exist with unknown management" + if len(missing) > 0 { + msg += fmt.Sprintf("; missing from other owner: %s", strings.Join(missing, ", ")) + } + return crdResult{State: CRDUnknownManagement, CRDs: infos, Message: msg, Error: fmt.Errorf("Istio CRDs are managed by an unknown party")} + + case CRDMixedOwnership: + missing := missingCRDNames(infos) + msg := "CRDs have mixed ownership" + if len(missing) > 0 { + msg += fmt.Sprintf("; missing: %s", strings.Join(missing, ", ")) + } + return crdResult{State: CRDMixedOwnership, CRDs: infos, Message: msg, Error: fmt.Errorf("Istio CRDs have mixed ownership (CIO/OLM/other)")} + + default: + return crdResult{State: state, CRDs: infos} + } +} + +// WatchTargets computes the set of CRD names that should be watched for changes. +// Returns nil if the target set cannot be determined. +func (m *crdManager) WatchTargets(values *v1.Values, includeAllCRDs bool) map[string]struct{} { + var targets []string + var err error + + if includeAllCRDs { + targets, err = allIstioCRDs() + } else if values != nil && values.Pilot != nil && values.Pilot.Env != nil { + targets, err = targetCRDsFromValues(values, false) + } + + if err != nil || len(targets) == 0 { + return nil + } + + names := make(map[string]struct{}, len(targets)) + for _, name := range targets { + names[name] = struct{}{} + } + return names +} + +// missingCRDNames returns the names of CRDs that were not found on the cluster. +func missingCRDNames(infos []CRDInfo) []string { + var missing []string + for _, info := range infos { + if !info.Found { + missing = append(missing, info.Name) + } + } + return missing +} + +// unlabeledCRDNames returns names of CRDs that exist but have unknown management (no CIO/OLM labels). +func unlabeledCRDNames(infos []CRDInfo) []string { + var names []string + for _, info := range infos { + if info.Found && info.State == CRDUnknownManagement { + names = append(names, info.Name) + } + } + return names +} + +// installCRDs installs all target CRDs with CIO ownership labels and Helm keep annotation. +func (m *crdManager) installCRDs(ctx context.Context, targets []string) error { + for _, resource := range targets { + crd, err := loadCRD(resource) + if err != nil { + return err + } + applyCIOLabels(crd) + if err := m.cl.Create(ctx, crd); err != nil { + return fmt.Errorf("failed to create CRD %s: %w", crd.Name, err) + } + } + return nil +} + +// updateCRDs updates existing CIO-owned CRDs and creates any missing ones. +func (m *crdManager) updateCRDs(ctx context.Context, targets []string) error { + for _, resource := range targets { + crd, err := loadCRD(resource) + if err != nil { + return err + } + applyCIOLabels(crd) + + existing := &apiextensionsv1.CustomResourceDefinition{} + if err := m.cl.Get(ctx, client.ObjectKey{Name: crd.Name}, existing); err != nil { + if apierrors.IsNotFound(err) { + // CRD was deleted — reinstall it + if err := m.cl.Create(ctx, crd); err != nil { + return fmt.Errorf("failed to create CRD %s: %w", crd.Name, err) + } + continue + } + return fmt.Errorf("failed to get existing CRD %s: %w", crd.Name, err) + } + crd.ResourceVersion = existing.ResourceVersion + if err := m.cl.Update(ctx, crd); err != nil { + return fmt.Errorf("failed to update CRD %s: %w", crd.Name, err) + } + } + return nil +} + +// loadCRD reads and unmarshals a CRD from the embedded filesystem. +func loadCRD(resource string) (*apiextensionsv1.CustomResourceDefinition, error) { + filename := resourceToCRDFilename(resource) + if filename == "" { + return nil, fmt.Errorf("invalid resource name: %s", resource) + } + + data, err := fs.ReadFile(crds.FS, filename) + if err != nil { + return nil, fmt.Errorf("failed to read CRD file %s: %w", filename, err) + } + + crd := &apiextensionsv1.CustomResourceDefinition{} + if err := yaml.Unmarshal(data, crd); err != nil { + return nil, fmt.Errorf("failed to unmarshal CRD %s: %w", filename, err) + } + return crd, nil +} + +// applyCIOLabels sets the CIO ownership label and Helm keep annotation on a CRD. +func applyCIOLabels(crd *apiextensionsv1.CustomResourceDefinition) { + labels := crd.GetLabels() + if labels == nil { + labels = make(map[string]string) + } + labels[labelManagedByCIO] = "true" + crd.SetLabels(labels) + + annotations := crd.GetAnnotations() + if annotations == nil { + annotations = make(map[string]string) + } + annotations[annotationHelmKeep] = "keep" + crd.SetAnnotations(annotations) +} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/install/crds_filter.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/install/crds_filter.go new file mode 100644 index 0000000000..f02c9b3240 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/install/crds_filter.go @@ -0,0 +1,180 @@ +// Copyright Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package install + +import ( + "fmt" + "io/fs" + "path/filepath" + "strings" + + v1 "github.com/istio-ecosystem/sail-operator/api/v1" + "github.com/istio-ecosystem/sail-operator/chart/crds" +) + +// Environment variable names for Istio resource filtering. +// X_ prefix prevents Istio from processing until the feature is ready. +// When activating, remove the X_ prefix. +// See: https://github.com/istio/istio/commit/7e58d08397ee7b7119bf49abc9bd7b4f550f7839 +const ( + envPilotIgnoreResources = "X_PILOT_IGNORE_RESOURCES" + envPilotIncludeResources = "X_PILOT_INCLUDE_RESOURCES" +) + +// Resource filtering values for Gateway API mode. +// Ignore all istio.io resources except the 3 needed for gateway customization. +const ( + gatewayAPIIgnoreResources = "*.istio.io" + gatewayAPIIncludeResources = "wasmplugins.extensions.istio.io,envoyfilters.networking.istio.io,destinationrules.networking.istio.io" +) + +// resourceToCRDFilename converts a resource name to its CRD filename. +// The naming convention is: "{plural}.{group}" -> "{group}_{plural}.yaml" +// Example: "wasmplugins.extensions.istio.io" -> "extensions.istio.io_wasmplugins.yaml" +func resourceToCRDFilename(resource string) string { + parts := strings.SplitN(resource, ".", 2) + if len(parts) != 2 { + return "" + } + plural := parts[0] // e.g., "wasmplugins" + group := parts[1] // e.g., "extensions.istio.io" + return fmt.Sprintf("%s_%s.yaml", group, plural) +} + +// crdFilenameToResource converts a CRD filename back to a resource name. +// The naming convention is: "{group}_{plural}.yaml" -> "{plural}.{group}" +// Example: "extensions.istio.io_wasmplugins.yaml" -> "wasmplugins.extensions.istio.io" +func crdFilenameToResource(filename string) string { + // Strip .yaml suffix + name := strings.TrimSuffix(filename, ".yaml") + // Split on underscore: group_plural + parts := strings.SplitN(name, "_", 2) + if len(parts) != 2 { + return "" + } + group := parts[0] // e.g., "extensions.istio.io" + plural := parts[1] // e.g., "wasmplugins" + return fmt.Sprintf("%s.%s", plural, group) +} + +// matchesPattern checks if a resource matches a filter pattern. +// Patterns support glob-style wildcards: +// - "*.istio.io" matches "virtualservices.networking.istio.io" +// - "virtualservices.networking.istio.io" matches exactly +// +// The resource format is "{plural}.{group}" (e.g., "wasmplugins.extensions.istio.io") +func matchesPattern(resource, pattern string) bool { + // Handle glob patterns using filepath.Match + // Pattern "*.istio.io" should match "virtualservices.networking.istio.io" + matched, err := filepath.Match(pattern, resource) + if err != nil { + return false + } + return matched +} + +// matchesAnyPattern checks if a resource matches any pattern in a comma-separated list. +func matchesAnyPattern(resource, patterns string) bool { + if patterns == "" { + return false + } + for _, pattern := range strings.Split(patterns, ",") { + pattern = strings.TrimSpace(pattern) + if matchesPattern(resource, pattern) { + return true + } + } + return false +} + +// shouldManageResource determines if a resource should be managed based on +// IGNORE and INCLUDE filters. The logic follows Istio's resource filtering: +// - If resource matches INCLUDE, manage it (INCLUDE overrides IGNORE) +// - If resource matches IGNORE (and not INCLUDE), skip it +// - If resource matches neither, manage it (default allow) +func shouldManageResource(resource, ignorePatterns, includePatterns string) bool { + // INCLUDE takes precedence - if explicitly included, always manage + if matchesAnyPattern(resource, includePatterns) { + return true + } + // If ignored (and not included), skip + if matchesAnyPattern(resource, ignorePatterns) { + return false + } + // Default: manage if not matched by any filter + return true +} + +// allIstioCRDs returns all *.istio.io CRD resource names from the embedded CRD filesystem. +// Sail operator CRDs (sailoperator.io) are excluded since those belong to the Sail operator. +func allIstioCRDs() ([]string, error) { + entries, err := fs.ReadDir(crds.FS, ".") + if err != nil { + return nil, fmt.Errorf("failed to read CRD directory: %w", err) + } + + var resources []string + for _, entry := range entries { + if entry.IsDir() || !strings.HasSuffix(entry.Name(), ".yaml") { + continue + } + // Skip Sail operator CRDs + if strings.HasPrefix(entry.Name(), "sailoperator.io_") { + continue + } + resource := crdFilenameToResource(entry.Name()) + if resource != "" { + resources = append(resources, resource) + } + } + return resources, nil +} + +// targetCRDsFromValues determines the target CRD set based on values and options. +// If includeAllCRDs is true, returns all *.istio.io CRDs. +// Otherwise, returns CRDs derived from PILOT_INCLUDE_RESOURCES in values. +func targetCRDsFromValues(values *v1.Values, includeAllCRDs bool) ([]string, error) { + if includeAllCRDs { + return allIstioCRDs() + } + + if values == nil || values.Pilot == nil || values.Pilot.Env == nil { + return nil, nil + } + + ignorePatterns := values.Pilot.Env[envPilotIgnoreResources] + includePatterns := values.Pilot.Env[envPilotIncludeResources] + + // If no filters defined, nothing to do + if ignorePatterns == "" && includePatterns == "" { + return nil, nil + } + + var targets []string + if includePatterns != "" { + for _, resource := range strings.Split(includePatterns, ",") { + resource = strings.TrimSpace(resource) + if !shouldManageResource(resource, ignorePatterns, includePatterns) { + continue + } + // Skip resources that don't map to a valid CRD filename (e.g. wildcards) + if resourceToCRDFilename(resource) == "" { + continue + } + targets = append(targets, resource) + } + } + return targets, nil +} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/install/images.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/install/images.go new file mode 100644 index 0000000000..831a568bbe --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/install/images.go @@ -0,0 +1,167 @@ +// Copyright Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package install + +import ( + "fmt" + "io/fs" + "strings" + + "github.com/istio-ecosystem/sail-operator/pkg/config" + "gopkg.in/yaml.v3" +) + +// ImageNames defines the image name for each component (without registry or tag). +type ImageNames struct { + Istiod string + Proxy string + CNI string + ZTunnel string +} + +// SetImageDefaults populates config.Config.ImageDigests by scanning resourceFS +// for version directories and constructing image refs from the given registry +// and image names. +// +// This is a no-op if config.Config.ImageDigests is already populated (e.g. by +// config.Read() in the operator path). +// +// Example: +// +// install.SetImageDefaults(resourceFS, "registry.redhat.io/openshift-service-mesh", install.ImageNames{ +// Istiod: "istio-pilot-rhel9", +// Proxy: "istio-proxyv2-rhel9", +// CNI: "istio-cni-rhel9", +// ZTunnel: "istio-ztunnel-rhel9", +// }) +func SetImageDefaults(resourceFS fs.FS, registry string, images ImageNames) error { + if config.Config.ImageDigests != nil { + return nil + } + entries, err := fs.ReadDir(resourceFS, ".") + if err != nil { + return fmt.Errorf("failed to read resource directory: %w", err) + } + config.Config.ImageDigests = make(map[string]config.IstioImageConfig) + for _, e := range entries { + if !e.IsDir() { + continue + } + v := e.Name() + tag := strings.TrimPrefix(v, "v") + config.Config.ImageDigests[v] = config.IstioImageConfig{ + IstiodImage: registry + "/" + images.Istiod + ":" + tag, + ProxyImage: registry + "/" + images.Proxy + ":" + tag, + CNIImage: registry + "/" + images.CNI + ":" + tag, + ZTunnelImage: registry + "/" + images.ZTunnel + ":" + tag, + } + } + return nil +} + +// csvDeployment is the minimal structure needed to reach pod template annotations +// inside a ClusterServiceVersion YAML. +type csvDeployment struct { + Spec struct { + Install struct { + Spec struct { + Deployments []struct { + Spec struct { + Template struct { + Metadata struct { + Annotations map[string]string `yaml:"annotations"` + } `yaml:"metadata"` + } `yaml:"template"` + } `yaml:"spec"` + } `yaml:"deployments"` + } `yaml:"spec"` + } `yaml:"install"` + } `yaml:"spec"` +} + +// LoadImageDigestsFromCSV reads image references from ClusterServiceVersion +// YAML bytes and populates config.Config.ImageDigests. +// +// The CSV's pod template annotations are expected to contain keys of the form +// "images.." (e.g. "images.v1_27_0.istiod"). Underscores +// in the version segment are converted to dots (v1_27_0 -> v1.27.0), matching +// the convention used by config.Read(). +// +// This is a no-op if config.Config.ImageDigests is already populated. +func LoadImageDigestsFromCSV(csvData []byte) error { + if config.Config.ImageDigests != nil { + return nil + } + + var csv csvDeployment + if err := yaml.Unmarshal(csvData, &csv); err != nil { + return fmt.Errorf("failed to parse CSV YAML: %w", err) + } + + annotations := findImageAnnotations(csv) + if len(annotations) == 0 { + return fmt.Errorf("no image annotations found in CSV") + } + + config.Config.ImageDigests = buildImageDigests(annotations) + return nil +} + +// findImageAnnotations extracts annotations starting with "images." from the +// first deployment in the CSV. +func findImageAnnotations(csv csvDeployment) map[string]string { + deployments := csv.Spec.Install.Spec.Deployments + if len(deployments) == 0 { + return nil + } + all := deployments[0].Spec.Template.Metadata.Annotations + filtered := make(map[string]string, len(all)) + for k, v := range all { + if strings.HasPrefix(k, "images.") { + filtered[k] = v + } + } + return filtered +} + +// buildImageDigests converts flat annotation keys ("images.v1_27_0.istiod") +// into a map[version]IstioImageConfig, replacing underscores with dots in +// the version segment. +func buildImageDigests(annotations map[string]string) map[string]config.IstioImageConfig { + digests := make(map[string]config.IstioImageConfig) + for key, image := range annotations { + // key format: "images.." + parts := strings.SplitN(key, ".", 3) + if len(parts) != 3 { + continue + } + version := strings.ReplaceAll(parts[1], "_", ".") + component := parts[2] + + cfg := digests[version] + switch component { + case "istiod": + cfg.IstiodImage = image + case "proxy": + cfg.ProxyImage = image + case "cni": + cfg.CNIImage = image + case "ztunnel": + cfg.ZTunnelImage = image + } + digests[version] = cfg + } + return digests +} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/install/informers.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/install/informers.go new file mode 100644 index 0000000000..b516a34dcc --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/install/informers.go @@ -0,0 +1,241 @@ +// Copyright Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package install + +import ( + "time" + + "k8s.io/apimachinery/pkg/api/meta" + "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" + "k8s.io/apimachinery/pkg/runtime/schema" + "k8s.io/client-go/dynamic/dynamicinformer" + "k8s.io/client-go/tools/cache" + "k8s.io/utils/ptr" + ctrllog "sigs.k8s.io/controller-runtime/pkg/log" +) + +const ( + // defaultResyncPeriod is the default resync period for informers. + defaultResyncPeriod = 30 * time.Minute +) + +// setupInformers creates dynamic informers for Helm resources and CRDs +// based on the current desired options. +func (l *Library) setupInformers(stopCh <-chan struct{}) { + log := ctrllog.Log.WithName("install") + + l.mu.RLock() + opts := *l.desiredOpts + l.mu.RUnlock() + + // Helm resource watches (drift detection) + specs, err := l.inst.getWatchSpecs(opts) + if err != nil { + log.Error(err, "Failed to compute watch specs; Helm drift detection disabled") + specs = nil + } + + // CRD watches (ownership changes, creation, deletion) + if ptr.Deref(opts.ManageCRDs, true) { + crdSpec := l.buildCRDWatchSpec(opts) + if crdSpec != nil { + specs = append(specs, *crdSpec) + } + } + + if len(specs) == 0 { + log.Info("No watch specs; informers not started") + return + } + + log.Info("Setting up informers", "count", len(specs)) + + namespacedFactory := dynamicinformer.NewFilteredDynamicSharedInformerFactory( + l.dynamicCl, + defaultResyncPeriod, + opts.Namespace, + nil, + ) + clusterScopedFactory := dynamicinformer.NewDynamicSharedInformerFactory( + l.dynamicCl, + defaultResyncPeriod, + ) + + // Capture revision and managedByValue once for all event handlers — no lock needed per event. + revision := opts.Revision + managedByValue := l.managedByValue + enqueue := l.enqueue + + for _, spec := range specs { + var informer cache.SharedIndexInformer + gvr := gvkToGVR(spec.GVK) + + if spec.ClusterScoped { + informer = clusterScopedFactory.ForResource(gvr).Informer() + } else { + informer = namespacedFactory.ForResource(gvr).Informer() + } + + var handler cache.ResourceEventHandler + if spec.watchType == watchTypeCRD { + handler = makeCRDEventHandler(spec.TargetNames, enqueue) + } else { + handler = makeOwnedEventHandler(spec.GVK, spec.watchType, revision, managedByValue, enqueue) + } + + if _, err := informer.AddEventHandler(handler); err != nil { + log.Error(err, "Failed to add event handler", "gvk", spec.GVK) + continue + } + log.V(1).Info("Watching", "gvk", spec.GVK, "type", spec.watchType, "clusterScoped", spec.ClusterScoped) + } + + namespacedFactory.Start(stopCh) + clusterScopedFactory.Start(stopCh) + namespacedFactory.WaitForCacheSync(stopCh) + clusterScopedFactory.WaitForCacheSync(stopCh) + log.Info("Informers synced and watching for drift") +} + +// buildCRDWatchSpec computes a watchSpec for Istio CRDs based on the current options. +// Returns nil if the target CRD set cannot be determined. +func (l *Library) buildCRDWatchSpec(opts Options) *watchSpec { + targetNames := l.inst.crdManager.WatchTargets(opts.Values, ptr.Deref(opts.IncludeAllCRDs, false)) + if len(targetNames) == 0 { + return nil + } + + return &watchSpec{ + GVK: crdGVK, + watchType: watchTypeCRD, + ClusterScoped: true, + TargetNames: targetNames, + } +} + +// makeOwnedEventHandler handles events for Helm-managed and namespace resources. +// It takes explicit dependencies instead of closing over Library, enabling unit testing +// without concurrency machinery. +func makeOwnedEventHandler(gvk schema.GroupVersionKind, wt watchType, revision, managedByValue string, enqueue func()) cache.ResourceEventHandler { + log := ctrllog.Log.WithName("install").WithValues("gvk", gvk, "watchType", wt) + return cache.ResourceEventHandlerFuncs{ + // Add events fire during initial cache sync — ignore them. + AddFunc: func(obj interface{}) {}, + UpdateFunc: func(oldObj, newObj interface{}) { + oldU, ok := oldObj.(*unstructured.Unstructured) + if !ok { + return + } + newU, ok := newObj.(*unstructured.Unstructured) + if !ok { + return + } + + if !shouldReconcileOnUpdate(gvk, oldU, newU) { + log.V(2).Info("Skipping update (predicate)", "name", newU.GetName()) + return + } + + if wt == watchTypeOwned && !isOwnedResource(newU, revision, managedByValue) { + log.V(1).Info("Skipping update (not owned)", "name", newU.GetName(), "labels", newU.GetLabels()) + return + } + + log.Info("Drift detected (update)", "name", newU.GetName()) + enqueue() + }, + DeleteFunc: func(obj interface{}) { + if tombstone, ok := obj.(cache.DeletedFinalStateUnknown); ok { + obj = tombstone.Obj + } + + u, ok := obj.(*unstructured.Unstructured) + if !ok { + return + } + + if !shouldReconcileOnDelete(u) { + return + } + + if wt == watchTypeOwned && !isOwnedResource(u, revision, managedByValue) { + log.V(1).Info("Skipping delete (not owned)", "name", u.GetName()) + return + } + + log.Info("Drift detected (delete)", "name", u.GetName()) + enqueue() + }, + } +} + +// makeCRDEventHandler handles events for CRD resources. Unlike owned resources, +// CRD events trigger on create (new CRD appeared), delete (CRD removed), and +// label/annotation changes (ownership transfer). Events are filtered by name +// to only watch target Istio CRDs. +func makeCRDEventHandler(targets map[string]struct{}, enqueue func()) cache.ResourceEventHandler { + log := ctrllog.Log.WithName("install").WithValues("watchType", watchTypeCRD) + return cache.ResourceEventHandlerFuncs{ + AddFunc: func(obj interface{}) { + u, ok := obj.(*unstructured.Unstructured) + if !ok { + return + } + if !isTargetCRD(u, targets) { + return + } + log.Info("Drift detected (CRD added)", "name", u.GetName()) + enqueue() + }, + UpdateFunc: func(oldObj, newObj interface{}) { + oldU, ok := oldObj.(*unstructured.Unstructured) + if !ok { + return + } + newU, ok := newObj.(*unstructured.Unstructured) + if !ok { + return + } + if !isTargetCRD(newU, targets) { + return + } + if !shouldReconcileCRDOnUpdate(oldU, newU) { + return + } + log.Info("Drift detected (CRD updated)", "name", newU.GetName()) + enqueue() + }, + DeleteFunc: func(obj interface{}) { + if tombstone, ok := obj.(cache.DeletedFinalStateUnknown); ok { + obj = tombstone.Obj + } + u, ok := obj.(*unstructured.Unstructured) + if !ok { + return + } + if !isTargetCRD(u, targets) { + return + } + log.Info("Drift detected (CRD deleted)", "name", u.GetName()) + enqueue() + }, + } +} + +// gvkToGVR converts a GroupVersionKind to a GroupVersionResource. +func gvkToGVR(gvk schema.GroupVersionKind) schema.GroupVersionResource { + plural, _ := meta.UnsafeGuessKindToResource(gvk) + return plural +} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/install/installer.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/install/installer.go new file mode 100644 index 0000000000..00c2a497c5 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/install/installer.go @@ -0,0 +1,350 @@ +// Copyright Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package install + +import ( + "bufio" + "context" + "errors" + "fmt" + "io" + "io/fs" + "sort" + "strings" + + v1 "github.com/istio-ecosystem/sail-operator/api/v1" + "github.com/istio-ecosystem/sail-operator/pkg/config" + "github.com/istio-ecosystem/sail-operator/pkg/constants" + "github.com/istio-ecosystem/sail-operator/pkg/helm" + sharedreconcile "github.com/istio-ecosystem/sail-operator/pkg/reconcile" + "github.com/istio-ecosystem/sail-operator/pkg/revision" + corev1 "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/runtime/schema" + "k8s.io/apimachinery/pkg/util/yaml" + "k8s.io/utils/ptr" + "sigs.k8s.io/controller-runtime/pkg/client" +) + +// watchType indicates how events for a resource type should be handled. +type watchType int + +const ( + // watchTypeOwned indicates resources owned by the installation. + // Use owner reference filtering to only watch resources created by the installer. + watchTypeOwned watchType = iota + + // watchTypeNamespace indicates namespace resources should be watched. + // Used to detect when the target namespace is created/deleted. + watchTypeNamespace + + // watchTypeCRD indicates CRD resources that should be watched for ownership changes. + // Events are filtered by TargetNames and trigger on label/annotation changes, + // creation, or deletion — allowing the Library to re-classify CRD ownership. + watchTypeCRD +) + +// String returns the string representation of the watchType. +func (w watchType) String() string { + switch w { + case watchTypeOwned: + return "Owned" + case watchTypeNamespace: + return "Namespace" + case watchTypeCRD: + return "CRD" + default: + return fmt.Sprintf("Unknown(%d)", w) + } +} + +// watchSpec describes a resource type that should be watched for drift detection. +type watchSpec struct { + // GVK is the GroupVersionKind of the resource to watch. + GVK schema.GroupVersionKind + + // watchType indicates how events should be handled. + watchType watchType + + // ClusterScoped indicates if this is a cluster-scoped resource (vs namespaced). + // Cluster-scoped resources require a different informer factory setup. + ClusterScoped bool + + // TargetNames is an optional set of resource names to filter on. + // Only used with watchTypeCRD to limit events to specific CRDs. + // When nil or empty, all resources of this GVK are watched. + TargetNames map[string]struct{} +} + +// installer owns the worker dependencies and all install/watch logic. +// It is separated from Library so that reconcile, uninstall, and watch-spec +// computation can be tested and reasoned about without concurrency machinery. +type installer struct { + resourceFS fs.FS + chartManager *helm.ChartManager + cl client.Client + crdManager *crdManager +} + +// resolveValues resolves the version and computes Helm values from Options. +// This eliminates the duplication between reconcile and getWatchSpecs. +func (inst *installer) resolveValues(opts Options) (string, *v1.Values, error) { + opts.applyDefaults() + + // Default version from FS if not specified + if opts.Version == "" { + v, err := DefaultVersion(inst.resourceFS) + if err != nil { + return "", nil, fmt.Errorf("failed to determine default version: %w", err) + } + opts.Version = v + } + + // Validate version + if err := ValidateVersion(inst.resourceFS, opts.Version); err != nil { + return "", nil, fmt.Errorf("invalid version %q: %w", opts.Version, err) + } + + // Compute values + values, err := revision.ComputeValues( + opts.Values, + opts.Namespace, + opts.Version, + config.PlatformOpenShift, + defaultProfile, + "", + inst.resourceFS, + opts.Revision, + ) + if err != nil { + return "", nil, fmt.Errorf("failed to compute values: %w", err) + } + + return opts.Version, values, nil +} + +// reconcile does the actual work: CRDs + Helm. Takes opts as an argument +// so the caller reads opts under lock and passes them in — no lock access here. +func (inst *installer) reconcile(ctx context.Context, opts Options) Status { + // Deep-copy Values so nothing in this function can mutate the + // stored desiredOpts through shared pointers. + if opts.Values != nil { + opts.Values = opts.Values.DeepCopy() + } + + status := Status{} + + resolvedVersion, values, err := inst.resolveValues(opts) + if err != nil { + status.Error = err + return status + } + status.Version = resolvedVersion + + // Manage CRDs + if ptr.Deref(opts.ManageCRDs, true) { + result := inst.crdManager.Reconcile(ctx, values, ptr.Deref(opts.IncludeAllCRDs, false), opts.OverwriteOLMManagedCRD) + status.CRDState = result.State + status.CRDs = result.CRDs + status.CRDMessage = result.Message + if result.Error != nil { + status.Error = result.Error + } + } + + // Helm install + reconcilerCfg := sharedreconcile.Config{ + ResourceFS: inst.resourceFS, + Platform: config.PlatformOpenShift, + DefaultProfile: defaultProfile, + OperatorNamespace: opts.Namespace, + ChartManager: inst.chartManager, + } + + istiodReconciler := sharedreconcile.NewIstiodReconciler(reconcilerCfg, inst.cl) + + if err := istiodReconciler.Validate(ctx, resolvedVersion, opts.Namespace, values); err != nil { + status.Error = errors.Join(status.Error, fmt.Errorf("validation failed: %w", err)) + return status + } + + if err := istiodReconciler.Install(ctx, resolvedVersion, opts.Namespace, values, opts.Revision, nil); err != nil { + status.Error = errors.Join(status.Error, fmt.Errorf("installation failed: %w", err)) + return status + } + + status.Installed = true + return status +} + +// uninstall removes the istiod Helm release. +func (inst *installer) uninstall(ctx context.Context, namespace, revision string) error { + reconcilerCfg := sharedreconcile.Config{ + ResourceFS: inst.resourceFS, + Platform: config.PlatformOpenShift, + DefaultProfile: defaultProfile, + OperatorNamespace: namespace, + ChartManager: inst.chartManager, + } + + istiodReconciler := sharedreconcile.NewIstiodReconciler(reconcilerCfg, inst.cl) + if err := istiodReconciler.Uninstall(ctx, namespace, revision); err != nil { + return fmt.Errorf("uninstallation failed: %w", err) + } + return nil +} + +// getWatchSpecs renders the istiod Helm charts and extracts the GVKs +// of all resources that would be created. Used internally by the Library +// to set up informers for drift detection. +// +// The returned specs include: +// - All resource types from the base and istiod charts (watchTypeOwned) +// - Namespace (watchTypeNamespace) for namespace existence checks +func (inst *installer) getWatchSpecs(opts Options) ([]watchSpec, error) { + resolvedVersion, values, err := inst.resolveValues(opts) + if err != nil { + return nil, err + } + helmValues := helm.FromValues(values) + + // Collect GVKs from both charts + gvkSet := make(map[schema.GroupVersionKind]struct{}) + + // Render base chart (for default revision) + if opts.Revision == defaultRevision { + baseChartPath := sharedreconcile.GetChartPath(resolvedVersion, constants.BaseChartName) + rendered, err := helm.RenderChart(inst.resourceFS, baseChartPath, helmValues, opts.Namespace, "base") + if err != nil { + return nil, fmt.Errorf("failed to render base chart: %w", err) + } + if err := extractGVKsFromRendered(rendered, gvkSet); err != nil { + return nil, fmt.Errorf("failed to extract GVKs from base chart: %w", err) + } + } + + // Render istiod chart + istiodChartPath := sharedreconcile.GetChartPath(resolvedVersion, constants.IstiodChartName) + rendered, err := helm.RenderChart(inst.resourceFS, istiodChartPath, helmValues, opts.Namespace, "istiod") + if err != nil { + return nil, fmt.Errorf("failed to render istiod chart: %w", err) + } + if err := extractGVKsFromRendered(rendered, gvkSet); err != nil { + return nil, fmt.Errorf("failed to extract GVKs from istiod chart: %w", err) + } + + // Convert to specs + specs := make([]watchSpec, 0, len(gvkSet)+1) + for gvk := range gvkSet { + specs = append(specs, watchSpec{ + GVK: gvk, + watchType: watchTypeOwned, + ClusterScoped: isClusterScoped(gvk), + }) + } + + // Add Namespace watch + specs = append(specs, watchSpec{ + GVK: corev1.SchemeGroupVersion.WithKind("Namespace"), + watchType: watchTypeNamespace, + ClusterScoped: true, // Namespaces are cluster-scoped + }) + + // Sort for deterministic output + sort.Slice(specs, func(i, j int) bool { + if specs[i].GVK.Group != specs[j].GVK.Group { + return specs[i].GVK.Group < specs[j].GVK.Group + } + if specs[i].GVK.Version != specs[j].GVK.Version { + return specs[i].GVK.Version < specs[j].GVK.Version + } + return specs[i].GVK.Kind < specs[j].GVK.Kind + }) + + return specs, nil +} + +// extractGVKsFromRendered parses rendered Helm output and extracts GVKs. +func extractGVKsFromRendered(rendered map[string]string, gvkSet map[schema.GroupVersionKind]struct{}) error { + for name, content := range rendered { + // Skip empty files and notes + if content == "" || strings.HasSuffix(name, "NOTES.txt") { + continue + } + + // Parse multi-document YAML + decoder := yaml.NewYAMLOrJSONDecoder( + bufio.NewReader(strings.NewReader(content)), + 4096, + ) + + for { + var obj map[string]interface{} + if err := decoder.Decode(&obj); err != nil { + if err == io.EOF { + break + } + return fmt.Errorf("failed to decode YAML from %s: %w", name, err) + } + + // Skip empty documents + if obj == nil { + continue + } + + // Extract apiVersion and kind + apiVersion, ok := obj["apiVersion"].(string) + if !ok { + continue + } + kind, ok := obj["kind"].(string) + if !ok { + continue + } + + gvk := apiVersionKindToGVK(apiVersion, kind) + gvkSet[gvk] = struct{}{} + } + } + return nil +} + +// apiVersionKindToGVK converts apiVersion and kind strings to a GroupVersionKind. +func apiVersionKindToGVK(apiVersion, kind string) schema.GroupVersionKind { + gv, err := schema.ParseGroupVersion(apiVersion) + if err != nil { + // Fallback for malformed apiVersion + return schema.GroupVersionKind{ + Group: "", + Version: apiVersion, + Kind: kind, + } + } + return gv.WithKind(kind) +} + +// clusterScopedKinds is the set of known cluster-scoped kinds used in Istio charts. +var clusterScopedKinds = map[string]bool{ + "Namespace": true, + "ClusterRole": true, + "ClusterRoleBinding": true, + "CustomResourceDefinition": true, + "MutatingWebhookConfiguration": true, + "ValidatingWebhookConfiguration": true, +} + +// isClusterScoped returns true if the given GVK is a cluster-scoped resource. +func isClusterScoped(gvk schema.GroupVersionKind) bool { + return clusterScopedKinds[gvk.Kind] +} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/install/library.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/install/library.go new file mode 100644 index 0000000000..8230f9cb96 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/install/library.go @@ -0,0 +1,273 @@ +// Copyright Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Package install provides a library for managing istiod installations. +// It is designed for embedding in other operators (like OpenShift Ingress) +// that need to install and maintain Istio without running a separate operator. +// +// The Library runs as an independent actor: the consumer sends desired state +// via Apply(), and reads the result via Status(). A notification channel +// returned by Start() signals when the Library has reconciled. +// +// Usage: +// +// lib, _ := install.New(kubeConfig, resourceFS) +// notifyCh := lib.Start(ctx) +// +// // In controller reconcile: +// lib.Apply(install.Options{Values: values, Namespace: "openshift-ingress"}) +// status := lib.Status() +// // update GatewayClass conditions from status +// +// // In a goroutine or source.Channel watch: +// for range notifyCh { +// status := lib.Status() +// // ... +// } +package install + +import ( + "fmt" + "io/fs" + "os" + "sync" + + v1 "github.com/istio-ecosystem/sail-operator/api/v1" + "github.com/istio-ecosystem/sail-operator/bundle" + "github.com/istio-ecosystem/sail-operator/pkg/helm" + "k8s.io/client-go/dynamic" + "k8s.io/client-go/rest" + "k8s.io/client-go/util/workqueue" + "k8s.io/utils/ptr" + "sigs.k8s.io/controller-runtime/pkg/client" +) + +const ( + defaultNamespace = "istio-system" + defaultProfile = "openshift" + defaultHelmDriver = "secret" + defaultRevision = v1.DefaultRevision + defaultManagedByValue = "sail-library" +) + +// Status represents the result of a reconciliation, covering both +// CRD management and Helm installation. +type Status struct { + // CRDState is the aggregate ownership state of the target Istio CRDs. + CRDState CRDManagementState + + // CRDMessage is a human-readable description of the CRD state. + CRDMessage string + + // CRDs contains per-CRD detail (name, ownership, found on cluster). + CRDs []CRDInfo + + // Installed is true if the Helm install/upgrade completed successfully. + Installed bool + + // Version is the resolved Istio version (set even if Installed is false). + Version string + + // Error is non-nil if something went wrong during CRD management or Helm installation. + // CRD ownership problems (UnknownManagement, MixedOwnership) set this but do not + // prevent Helm installation from being attempted. + Error error +} + +// String returns a human-readable summary of the status. +func (s Status) String() string { + state := "not installed" + if s.Installed { + state = "installed" + } + + ver := s.Version + if ver == "" { + ver = "unknown" + } + + msg := fmt.Sprintf("%s version=%s crds=%s", state, ver, s.CRDState) + if s.CRDMessage != "" { + msg += fmt.Sprintf(" (%s)", s.CRDMessage) + } + if len(s.CRDs) > 0 { + msg += " [" + for i, crd := range s.CRDs { + if i > 0 { + msg += ", " + } + if crd.Found { + msg += fmt.Sprintf("%s:%s", crd.Name, crd.State) + } else { + msg += fmt.Sprintf("%s:missing", crd.Name) + } + } + msg += "]" + } + if s.Error != nil { + msg += fmt.Sprintf(" error=%v", s.Error) + } + return msg +} + +// Options for installing istiod. +type Options struct { + // Namespace is the target namespace for installation. + // Defaults to "istio-system" if not specified. + Namespace string + + // Version is the Istio version to install. + // Defaults to the latest supported version if not specified. + Version string + + // Revision is the Istio revision name. + // Defaults to "default" if not specified. + Revision string + + // Values are Helm value overrides. + // Use GatewayAPIDefaults() to get pre-configured values for Gateway API mode, + // then modify as needed before passing here. + Values *v1.Values + + // ManageCRDs controls whether the Library manages Istio CRDs. + // When true (default), CRDs are classified by ownership and installed/updated + // if we own them or none exist. + // Set to false to skip CRD management entirely. + ManageCRDs *bool + + // IncludeAllCRDs controls which CRDs are managed. + // When true, all *.istio.io CRDs from the embedded FS are managed. + // When false (default), only CRDs matching PILOT_INCLUDE_RESOURCES are managed. + IncludeAllCRDs *bool + + // OverwriteOLMManagedCRD is called when a CRD is detected with OLM ownership labels. + // If provided and returns true, the CRD is overwritten with CIO labels and adopted. + // If nil or returns false, OLM-labeled CRDs are left alone. + OverwriteOLMManagedCRD OverwriteOLMManagedCRDFunc +} + +// applyDefaults fills in default values for Options. +// Version is not defaulted here — it requires access to the resource FS, +// so it is resolved during reconciliation via DefaultVersion(). +func (o *Options) applyDefaults() { + o.Version = NormalizeVersion(o.Version) + if o.Namespace == "" { + o.Namespace = defaultNamespace + } + if o.Revision == "" { + o.Revision = defaultRevision + } + if o.ManageCRDs == nil { + o.ManageCRDs = ptr.To(true) + } + if o.IncludeAllCRDs == nil { + o.IncludeAllCRDs = ptr.To(false) + } +} + +// Library manages the lifecycle of an istiod installation. It runs as an +// independent actor: the consumer sends desired state via Apply() and reads +// the result via Status(). Start() returns a notification channel that +// signals when the Library has reconciled (drift repair, CRD change, or +// a new Apply). +type Library struct { + // Core install/uninstall logic (no concurrency concerns) + inst *installer + + // managedByValue is the value of the "managed-by" label set on all + // Helm-managed resources. Used both by the post-renderer (write) and + // by informer predicates (read) for ownership filtering. + managedByValue string + + // Infrastructure needed only by Library (informers, dynamic client) + kubeConfig *rest.Config + dynamicCl dynamic.Interface + + // Lifecycle serialization (Apply and Uninstall hold this) + lifecycleMu sync.Mutex + + // Desired state (set by Apply, read by worker) + mu sync.RWMutex + desiredOpts *Options // nil until first Apply(); nil again after Uninstall() + + // Informer lifecycle (per install cycle) + informerStop chan struct{} // closed to stop current informer cycle + processingDone chan struct{} // closed when processWorkQueue exits + + // Latest status (written by worker, read by Status()) + statusMu sync.RWMutex + status Status + + // Signal channel: Apply() sends on it to wake waitForDesiredState(). + // Buffered 1, non-blocking write — if the signal is already pending, + // the new one is dropped. + applySignal chan struct{} + + // Internal workqueue + workqueue workqueue.TypedRateLimitingInterface[string] +} + +// New creates a new Library. +// +// Parameters: +// - kubeConfig: Kubernetes client configuration (required) +// - resourceFS: Filesystem containing Helm charts and profiles (required). +// Use resources.FS for embedded resources or FromDirectory() for a filesystem path. +func New(kubeConfig *rest.Config, resourceFS fs.FS) (*Library, error) { + if kubeConfig == nil { + return nil, fmt.Errorf("kubeConfig is required") + } + if resourceFS == nil { + return nil, fmt.Errorf("resourceFS is required") + } + + cl, err := client.New(kubeConfig, client.Options{}) + if err != nil { + return nil, fmt.Errorf("failed to create client: %w", err) + } + + dynamicCl, err := dynamic.NewForConfig(kubeConfig) + if err != nil { + return nil, fmt.Errorf("failed to create dynamic client: %w", err) + } + + // Populate default image refs from the embedded CSV (no-op if already set by config.Read) + if err := LoadImageDigestsFromCSV(bundle.CSV); err != nil { + return nil, fmt.Errorf("failed to load image digests from CSV: %w", err) + } + + return &Library{ + inst: &installer{ + resourceFS: resourceFS, + chartManager: helm.NewChartManager(kubeConfig, defaultHelmDriver, helm.WithManagedByValue(defaultManagedByValue)), + cl: cl, + crdManager: newCRDManager(cl), + }, + managedByValue: defaultManagedByValue, + kubeConfig: kubeConfig, + dynamicCl: dynamicCl, + applySignal: make(chan struct{}, 1), + }, nil +} + +// FromDirectory creates an fs.FS from a filesystem directory path. +// This is a convenience function for consumers who want to load resources +// from the filesystem instead of using embedded resources. +// +// Example: +// +// lib, _ := install.New(kubeConfig, install.FromDirectory("/var/lib/sail-operator/resources")) +func FromDirectory(path string) fs.FS { + return os.DirFS(path) +} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/install/lifecycle.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/install/lifecycle.go new file mode 100644 index 0000000000..9990997705 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/install/lifecycle.go @@ -0,0 +1,323 @@ +// Copyright Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package install + +import ( + "context" + "reflect" + + "github.com/istio-ecosystem/sail-operator/pkg/helm" + "k8s.io/client-go/util/workqueue" + "k8s.io/utils/ptr" + ctrllog "sigs.k8s.io/controller-runtime/pkg/log" +) + +const ( + // reconcileKey is the single key used in the workqueue. + // Since we always reconcile the entire installation, we use a single key + // to coalesce multiple events into one reconciliation. + reconcileKey = "reconcile" +) + +// Start begins the Library's internal reconciliation loop. It returns a +// notification channel that receives a signal every time the Library +// finishes a reconciliation (whether triggered by Apply, drift detection, +// or CRD changes). +// +// The channel is owned by the Library and closed when ctx is cancelled. +// Buffer of 1 with non-blocking write: if the consumer hasn't drained +// the previous notification, the new one is dropped (latest-wins). +// +// Start is non-blocking — it launches goroutines internally and returns +// immediately. The Library sits idle until the first Apply() call. +func (l *Library) Start(ctx context.Context) <-chan struct{} { + notifyCh := make(chan struct{}, 1) + l.workqueue = workqueue.NewTypedRateLimitingQueue(workqueue.DefaultTypedControllerRateLimiter[string]()) + + // Start worker goroutine + go l.run(ctx, notifyCh) + + return notifyCh +} + +// Apply sets the desired installation state. If the options differ from +// the previously applied options, a reconciliation is enqueued. If they +// are the same, this is a no-op. +// +// Apply blocks if Uninstall is in progress (they share a lifecycle lock). +// The result of the reconciliation will be available via Status() after +// the notification channel signals. +func (l *Library) Apply(opts Options) { + l.lifecycleMu.Lock() + defer l.lifecycleMu.Unlock() + + opts.applyDefaults() + + l.mu.Lock() + defer l.mu.Unlock() + + if l.desiredOpts != nil && optionsEqual(*l.desiredOpts, opts) { + return // no change + } + + copied := opts + if copied.Values != nil { + copied.Values = copied.Values.DeepCopy() + } + l.desiredOpts = &copied + // Bypass the rate limiter so explicit user intent is never delayed + // by backoff from a previous failure. + if l.workqueue != nil { + l.workqueue.Add(reconcileKey) + } + + // Wake waitForDesiredState if it's blocking + select { + case l.applySignal <- struct{}{}: + default: + } +} + +// Enqueue forces a reconciliation without changing the desired options. +// Use this when cluster state that affects reconciliation has changed +// externally but the Options passed to Apply remain the same. For example, +// if an OLM Subscription managing Istio CRDs is deleted, the CRD ownership +// labels haven't changed yet, but the consumer knows a takeover is now +// possible. Calling Enqueue triggers the Library to re-classify CRDs and +// re-run the Helm install using the previously applied options. +// +// Enqueue is a no-op if Apply has not been called yet (no desired state). +// It is safe to call from any goroutine. +func (l *Library) Enqueue() { + l.enqueue() +} + +// Status returns the latest reconciliation result. This is safe to call +// from any goroutine. Returns a zero-value Status if no reconciliation +// has completed yet. +func (l *Library) Status() Status { + l.statusMu.RLock() + defer l.statusMu.RUnlock() + return l.status +} + +// Uninstall stops drift detection and removes the istiod installation. +// It first stops informers and waits for the processing loop to exit, +// then performs the Helm uninstall. This prevents the drift-repair loop +// from fighting the uninstall. +// +// Uninstall is a synchronous, blocking operation. It holds the lifecycle +// lock, so Apply() will block until Uninstall completes. +// +// The caller provides the namespace and revision to uninstall. Empty strings +// default to "istio-system" and "default" respectively. This allows Uninstall +// to work even after a crash, when no prior Apply() state exists in memory. +// +// If an active reconcile loop is running, it is stopped before the Helm +// uninstall proceeds. After Uninstall, calling Apply() will start a new +// install cycle. +func (l *Library) Uninstall(ctx context.Context, namespace, revision string) error { + l.lifecycleMu.Lock() + defer l.lifecycleMu.Unlock() + + log := ctrllog.Log.WithName("install") + + if namespace == "" { + namespace = defaultNamespace + } + if revision == "" { + revision = defaultRevision + } + + // Clear desired state and capture loop handles so we can stop + // the processing loop if one is active. + l.mu.Lock() + l.desiredOpts = nil + informerStop := l.informerStop + processingDone := l.processingDone + l.informerStop = nil + l.processingDone = nil + l.mu.Unlock() + + log.Info("Uninstalling", "namespace", namespace, "revision", revision) + + // Stop informers so they don't fire events during teardown + if informerStop != nil { + close(informerStop) + } + + // Enqueue a sentinel so processWorkQueue unblocks from Get() + // and checks the nil desiredOpts condition + l.enqueue() + + // Wait for the processing loop to exit + if processingDone != nil { + <-processingDone + } + + // Now safe to Helm uninstall — nothing is watching or reconciling + if err := l.inst.uninstall(ctx, namespace, revision); err != nil { + return err + } + l.setStatus(Status{}) + + log.Info("Uninstall complete", "namespace", namespace, "revision", revision) + return nil +} + +// run is the main loop. It alternates between idle (waiting for Apply) and +// active (informers running, processing workqueue). Uninstall() nils +// desiredOpts, which causes processWorkQueue to exit and the loop to +// return to idle. The loop exits only when ctx is cancelled. +func (l *Library) run(ctx context.Context, notifyCh chan<- struct{}) { + log := ctrllog.Log.WithName("install") + defer close(notifyCh) + defer l.workqueue.ShutDown() + + for { + // Idle: block until Apply() sets desiredOpts (or ctx cancelled) + if !l.waitForDesiredState(ctx) { + return // ctx cancelled + } + + // Active: set up informers for this install cycle. + // Capture both channels as locals while the lock is held so + // Uninstall can't nil the struct fields before we use them. + l.mu.Lock() + l.informerStop = make(chan struct{}) + l.processingDone = make(chan struct{}) + informerStop := l.informerStop + processingDone := l.processingDone + l.mu.Unlock() + + l.setupInformers(informerStop) + + log.Info("Processing workqueue") + l.processWorkQueue(ctx, notifyCh, processingDone) + log.Info("Workqueue processing stopped, returning to idle") + + // Loop back to idle, waiting for next Apply() + } +} + +// processWorkQueue processes work items until desiredOpts goes nil (Uninstall) +// or the workqueue shuts down (ctx cancelled). It closes done on exit so +// Uninstall() can wait for processing to stop before doing Helm cleanup. +// The done channel is passed by the caller (run) which captures it under +// the lock, so Uninstall niling the struct field doesn't affect us. +func (l *Library) processWorkQueue(ctx context.Context, notifyCh chan<- struct{}, done chan struct{}) { + log := ctrllog.Log.WithName("install") + defer func() { + if done != nil { + close(done) + } + }() + + for { + key, shutdown := l.workqueue.Get() + if shutdown { + return + } + + // Read desiredOpts once under a single lock to avoid a race + // where Uninstall() nils it between a nil-check and dereference. + l.mu.RLock() + optsPtr := l.desiredOpts + l.mu.RUnlock() + + if optsPtr == nil { + l.workqueue.Done(key) + return // back to idle + } + opts := *optsPtr + + log.Info("Reconciling") + status := l.inst.reconcile(ctx, opts) + l.setStatus(status) + log.Info("Reconcile complete", "installed", status.Installed, "error", status.Error) + + // Non-blocking notify + select { + case notifyCh <- struct{}{}: + default: + } + + // On success, reset the rate limiter so the next drift event is + // processed immediately. On failure, leave the backoff counter + // intact so informer-driven re-enqueues get exponential delay. + if status.Error == nil { + l.workqueue.Forget(key) + } + l.workqueue.Done(key) + } +} + +// waitForDesiredState blocks until Apply() has been called or ctx is cancelled. +func (l *Library) waitForDesiredState(ctx context.Context) bool { + // Fast path: check if opts are already set (e.g. Uninstall->Apply cycle) + l.mu.RLock() + hasOpts := l.desiredOpts != nil + l.mu.RUnlock() + if hasOpts { + return true + } + + for { + select { + case <-ctx.Done(): + return false + case <-l.applySignal: + l.mu.RLock() + hasOpts := l.desiredOpts != nil + l.mu.RUnlock() + if hasOpts { + return true + } + } + } +} + +// setStatus atomically updates the stored status. +func (l *Library) setStatus(s Status) { + l.statusMu.Lock() + defer l.statusMu.Unlock() + l.status = s +} + +// enqueue adds a rate-limited reconciliation request to the workqueue. +// The rate limiter provides exponential backoff when reconciliations fail, +// preventing tight loops from informer events during Helm rollbacks. +func (l *Library) enqueue() { + if l.workqueue != nil { + l.workqueue.AddRateLimited(reconcileKey) + } +} + +// optionsEqual compares two Options for equality. +// Used by Apply() to skip no-op updates. +func optionsEqual(a, b Options) bool { + if a.Namespace != b.Namespace || + a.Version != b.Version || + a.Revision != b.Revision || + ptr.Deref(a.ManageCRDs, true) != ptr.Deref(b.ManageCRDs, true) || + ptr.Deref(a.IncludeAllCRDs, false) != ptr.Deref(b.IncludeAllCRDs, false) { + return false + } + + // Compare Values via map conversion for deep equality + aMap := helm.FromValues(a.Values) + bMap := helm.FromValues(b.Values) + return reflect.DeepEqual(aMap, bMap) +} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/install/predicates.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/install/predicates.go new file mode 100644 index 0000000000..e1cb9462aa --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/install/predicates.go @@ -0,0 +1,272 @@ +// Copyright Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package install + +import ( + "reflect" + "regexp" + + "github.com/istio-ecosystem/sail-operator/pkg/constants" + "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" + "k8s.io/apimachinery/pkg/runtime/schema" +) + +// istiodValidatorRe matches istiod-managed ValidatingWebhookConfiguration names. +// Precompiled to avoid recompilation on every update event. +var istiodValidatorRe = regexp.MustCompile(`^(istiod-.*-validator|istio-validator.*)$`) + +// Predicate filtering logic adapted from controllers/istiorevision for use with dynamic informers. +// These functions determine whether a resource change should trigger reconciliation. + +const ( + // ignoreAnnotation is the annotation that, when set to "true", causes updates to be ignored. + ignoreAnnotation = "sailoperator.io/ignore" +) + +// GVKs that need special predicate handling +var ( + serviceGVK = schema.GroupVersionKind{Group: "", Version: "v1", Kind: "Service"} + serviceAccountGVK = schema.GroupVersionKind{Group: "", Version: "v1", Kind: "ServiceAccount"} + namespaceGVK = schema.GroupVersionKind{Group: "", Version: "v1", Kind: "Namespace"} + networkPolicyGVK = schema.GroupVersionKind{Group: "networking.k8s.io", Version: "v1", Kind: "NetworkPolicy"} + pdbGVK = schema.GroupVersionKind{Group: "policy", Version: "v1", Kind: "PodDisruptionBudget"} + hpaGVK = schema.GroupVersionKind{Group: "autoscaling", Version: "v2", Kind: "HorizontalPodAutoscaler"} + validatingWebhookConfigurationGVK = schema.GroupVersionKind{Group: "admissionregistration.k8s.io", Version: "v1", Kind: "ValidatingWebhookConfiguration"} + crdGVK = schema.GroupVersionKind{Group: "apiextensions.k8s.io", Version: "v1", Kind: "CustomResourceDefinition"} +) + +// shouldReconcileOnCreate determines if a create event should trigger reconciliation. +func shouldReconcileOnCreate(obj *unstructured.Unstructured) bool { + // Always reconcile on create + return true +} + +// shouldReconcileOnDelete determines if a delete event should trigger reconciliation. +func shouldReconcileOnDelete(obj *unstructured.Unstructured) bool { + // Always reconcile on delete to restore the resource + return true +} + +// shouldReconcileOnUpdate determines if an update event should trigger reconciliation. +// Implements the same logic as the operator's predicates. +func shouldReconcileOnUpdate(gvk schema.GroupVersionKind, oldObj, newObj *unstructured.Unstructured) bool { + // Check ignore annotation first - applies to all resources + if hasIgnoreAnnotation(newObj) { + return false + } + + // ServiceAccounts: ignore all updates to prevent removing pull secrets added by other controllers + if gvk == serviceAccountGVK { + return false + } + + // ValidatingWebhookConfiguration: special handling for istiod-managed webhooks + if gvk == validatingWebhookConfigurationGVK { + return shouldReconcileValidatingWebhook(oldObj, newObj) + } + + // Resources that need status-change filtering + if shouldFilterStatusChanges(gvk) { + return !isStatusOnlyChange(gvk, oldObj, newObj) + } + + // Default: reconcile on any change + return true +} + +// shouldFilterStatusChanges returns true for GVKs that should ignore status-only changes. +func shouldFilterStatusChanges(gvk schema.GroupVersionKind) bool { + switch gvk { + case serviceGVK, networkPolicyGVK, pdbGVK, hpaGVK, namespaceGVK: + return true + default: + return false + } +} + +// isStatusOnlyChange returns true if only the status changed (no spec/labels/annotations/etc). +// This prevents unnecessary reconciliation when only status fields are updated. +func isStatusOnlyChange(gvk schema.GroupVersionKind, oldObj, newObj *unstructured.Unstructured) bool { + // Check if spec was updated + if specWasUpdated(gvk, oldObj, newObj) { + return false + } + + // Check if labels changed + if !reflect.DeepEqual(oldObj.GetLabels(), newObj.GetLabels()) { + return false + } + + // Check if annotations changed + if !reflect.DeepEqual(oldObj.GetAnnotations(), newObj.GetAnnotations()) { + return false + } + + // Check if owner references changed + if !reflect.DeepEqual(oldObj.GetOwnerReferences(), newObj.GetOwnerReferences()) { + return false + } + + // Check if finalizers changed + if !reflect.DeepEqual(oldObj.GetFinalizers(), newObj.GetFinalizers()) { + return false + } + + // Only status changed + return true +} + +// specWasUpdated checks if the spec of a resource was updated. +func specWasUpdated(gvk schema.GroupVersionKind, oldObj, newObj *unstructured.Unstructured) bool { + // For HPAs, k8s doesn't set metadata.generation, so we check the spec directly + if gvk == hpaGVK { + oldSpec, _, _ := unstructured.NestedMap(oldObj.Object, "spec") + newSpec, _, _ := unstructured.NestedMap(newObj.Object, "spec") + return !reflect.DeepEqual(oldSpec, newSpec) + } + + // For other resources, comparing metadata.generation suffices + return oldObj.GetGeneration() != newObj.GetGeneration() +} + +// hasIgnoreAnnotation checks if the resource has the sailoperator.io/ignore annotation set to "true". +func hasIgnoreAnnotation(obj *unstructured.Unstructured) bool { + annotations := obj.GetAnnotations() + if annotations == nil { + return false + } + return annotations[ignoreAnnotation] == "true" +} + +// shouldReconcileValidatingWebhook handles special filtering for ValidatingWebhookConfiguration. +// Istiod updates the caBundle and failurePolicy fields in its validator webhook configs, +// and we must ignore these changes to prevent an endless update loop. +func shouldReconcileValidatingWebhook(oldObj, newObj *unstructured.Unstructured) bool { + name := newObj.GetName() + + // Check if this is an istiod-managed validator webhook + if !istiodValidatorRe.MatchString(name) { + // Not an istiod validator, reconcile normally + return true + } + + // For istiod validators, compare objects after clearing fields that istiod updates + oldCopy := clearIgnoredFields(oldObj.DeepCopy()) + newCopy := clearIgnoredFields(newObj.DeepCopy()) + + return !reflect.DeepEqual(oldCopy.Object, newCopy.Object) +} + +// clearIgnoredFields clears fields that should be ignored when comparing webhook configs. +func clearIgnoredFields(obj *unstructured.Unstructured) *unstructured.Unstructured { + // Clear metadata fields that change frequently + obj.SetResourceVersion("") + obj.SetGeneration(0) + obj.SetManagedFields(nil) + + switch obj.GetKind() { + case "ValidatingWebhookConfiguration": + webhooks, found, _ := unstructured.NestedSlice(obj.Object, "webhooks") + if found { + for i := range webhooks { + if webhook, ok := webhooks[i].(map[string]interface{}); ok { + delete(webhook, "failurePolicy") + if clientConfig, ok := webhook["clientConfig"].(map[string]interface{}); ok { + delete(clientConfig, "caBundle") + } + webhooks[i] = webhook + } + } + _ = unstructured.SetNestedSlice(obj.Object, webhooks, "webhooks") + } + case "MutatingWebhookConfiguration": + webhooks, found, _ := unstructured.NestedSlice(obj.Object, "webhooks") + if found { + for i := range webhooks { + if webhook, ok := webhooks[i].(map[string]interface{}); ok { + if clientConfig, ok := webhook["clientConfig"].(map[string]interface{}); ok { + delete(clientConfig, "caBundle") + } + webhooks[i] = webhook + } + } + _ = unstructured.SetNestedSlice(obj.Object, webhooks, "webhooks") + } + } + + return obj +} + +// isOwnedResource checks if the resource is owned by our installation +// by examining Istio labels against the expected revision and the +// managed-by label set by the post-renderer. +func isOwnedResource(obj *unstructured.Unstructured, revision, managedByValue string) bool { + labels := obj.GetLabels() + if labels == nil { + return false + } + + if rev, ok := labels["istio.io/rev"]; ok { + expectedRev := revision + if expectedRev == defaultRevision { + expectedRev = "default" + } + return rev == expectedRev + } + + if _, ok := labels["operator.istio.io/component"]; ok { + return true + } + + // Check the managed-by label set by HelmPostRenderer. + if managedBy, ok := labels[constants.ManagedByLabelKey]; ok { + return managedBy == managedByValue + } + + // Fallback: Helm sets app.kubernetes.io/managed-by to "Helm" on chart resources. + if managedBy, ok := labels["app.kubernetes.io/managed-by"]; ok { + return managedBy == "Helm" + } + + return false +} + +// isTargetCRD checks if an unstructured CRD object's name is in the target set. +func isTargetCRD(obj *unstructured.Unstructured, targets map[string]struct{}) bool { + if len(targets) == 0 { + return false + } + _, ok := targets[obj.GetName()] + return ok +} + +// shouldReconcileCRDOnUpdate determines if a CRD update should trigger reconciliation. +// We care about ownership label changes (CIO/OLM labels being added/removed) and +// annotation changes (helm.sh/resource-policy). Spec/status changes on the CRD itself +// are not relevant for ownership classification. +func shouldReconcileCRDOnUpdate(oldObj, newObj *unstructured.Unstructured) bool { + if !reflect.DeepEqual(oldObj.GetLabels(), newObj.GetLabels()) { + return true + } + if !reflect.DeepEqual(oldObj.GetAnnotations(), newObj.GetAnnotations()) { + return true + } + // Spec changes on CRDs mean the CRD schema was updated — re-reconcile + // to ensure our version is still current. + if oldObj.GetGeneration() != newObj.GetGeneration() { + return true + } + return false +} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/install/rbac.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/install/rbac.go new file mode 100644 index 0000000000..34a8325b05 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/install/rbac.go @@ -0,0 +1,113 @@ +// Copyright Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package install + +import rbacv1 "k8s.io/api/rbac/v1" + +// LibraryRBACRules returns the RBAC PolicyRules required when using the +// install library. Consumers should aggregate these into their own ClusterRole. +// +// These rules are derived from chart/templates/rbac/role.yaml with +// sailoperator.io CRs filtered out (those are for the operator, not the library). +// +// Example usage: +// +// rules := append(myOperatorRules, install.LibraryRBACRules()...) +// +// TODO: Consider generating this from role.yaml or adding a verification test +// to ensure these rules stay in sync with the Helm template. +func LibraryRBACRules() []rbacv1.PolicyRule { + return []rbacv1.PolicyRule{ + { + APIGroups: []string{""}, + Resources: []string{ + "configmaps", + "endpoints", + "events", + "namespaces", + "nodes", + "persistentvolumeclaims", + "pods", + "replicationcontrollers", + "resourcequotas", + "secrets", + "serviceaccounts", + "services", + }, + Verbs: []string{"create", "delete", "get", "list", "patch", "update", "watch"}, + }, + { + APIGroups: []string{"admissionregistration.k8s.io"}, + Resources: []string{ + "mutatingwebhookconfigurations", + "validatingadmissionpolicies", + "validatingadmissionpolicybindings", + "validatingwebhookconfigurations", + }, + Verbs: []string{"create", "delete", "get", "list", "patch", "update", "watch"}, + }, + { + APIGroups: []string{"apiextensions.k8s.io"}, + Resources: []string{"customresourcedefinitions"}, + Verbs: []string{"get", "list", "watch"}, + }, + { + APIGroups: []string{"apps"}, + Resources: []string{"daemonsets", "deployments"}, + Verbs: []string{"create", "delete", "get", "list", "patch", "update", "watch"}, + }, + { + APIGroups: []string{"autoscaling"}, + Resources: []string{"horizontalpodautoscalers"}, + Verbs: []string{"create", "delete", "get", "list", "patch", "update", "watch"}, + }, + { + APIGroups: []string{"discovery.k8s.io"}, + Resources: []string{"endpointslices"}, + Verbs: []string{"create", "delete", "get", "list", "patch", "update", "watch"}, + }, + { + APIGroups: []string{"k8s.cni.cncf.io"}, + Resources: []string{"network-attachment-definitions"}, + Verbs: []string{"create", "delete", "get", "list", "patch", "update", "watch"}, + }, + { + APIGroups: []string{"networking.istio.io"}, + Resources: []string{"envoyfilters"}, + Verbs: []string{"create", "delete", "get", "list", "patch", "update", "watch"}, + }, + { + APIGroups: []string{"networking.k8s.io"}, + Resources: []string{"networkpolicies"}, + Verbs: []string{"create", "delete", "get", "list", "patch", "update", "watch"}, + }, + { + APIGroups: []string{"policy"}, + Resources: []string{"poddisruptionbudgets"}, + Verbs: []string{"create", "delete", "get", "list", "patch", "update", "watch"}, + }, + { + APIGroups: []string{"rbac.authorization.k8s.io"}, + Resources: []string{"clusterrolebindings", "clusterroles", "rolebindings", "roles"}, + Verbs: []string{"create", "delete", "get", "list", "patch", "update", "watch", "bind", "escalate"}, + }, + { + APIGroups: []string{"security.openshift.io"}, + Resources: []string{"securitycontextconstraints"}, + ResourceNames: []string{"privileged"}, + Verbs: []string{"use"}, + }, + } +} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/install/values.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/install/values.go new file mode 100644 index 0000000000..303a6c4301 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/install/values.go @@ -0,0 +1,161 @@ +// Copyright Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package install + +import ( + "fmt" + + v1 "github.com/istio-ecosystem/sail-operator/api/v1" + "github.com/istio-ecosystem/sail-operator/pkg/helm" + "k8s.io/utils/ptr" +) + +// GatewayAPIDefaults returns pre-configured values for Gateway API mode on OpenShift. +// These values configure istiod to work as a Gateway API controller. +// +// Usage: +// +// values := install.GatewayAPIDefaults() +// values.Pilot.Env["PILOT_GATEWAY_API_CONTROLLER_NAME"] = "my-controller" +// values.Pilot.Env["PILOT_GATEWAY_API_DEFAULT_GATEWAYCLASS_NAME"] = "my-class" +// installer.Install(ctx, Options{Values: values}) +// +// Consumer must set: +// - pilot.env.PILOT_GATEWAY_API_CONTROLLER_NAME +// - pilot.env.PILOT_GATEWAY_API_DEFAULT_GATEWAYCLASS_NAME +// +// Consumer may optionally set: +// - global.trustBundleName (if using custom CA) +func GatewayAPIDefaults() *v1.Values { + return &v1.Values{ + Global: &v1.GlobalConfig{ + // Disable PodDisruptionBudget - managed externally + DefaultPodDisruptionBudget: &v1.DefaultPodDisruptionBudgetConfig{ + Enabled: ptr.To(false), + }, + // Use cluster-critical priority for control plane + PriorityClassName: ptr.To("system-cluster-critical"), + }, + Pilot: &v1.PilotConfig{ + // Disable CNI - not needed for Gateway API only mode + Cni: &v1.CNIUsageConfig{ + Enabled: ptr.To(false), + }, + Enabled: ptr.To(true), + Env: map[string]string{ + // Enable Gateway API support + "PILOT_ENABLE_GATEWAY_API": "true", + // Disable experimental/alpha Gateway API features + "PILOT_ENABLE_ALPHA_GATEWAY_API": "false", + // Enable status updates on Gateway API resources + "PILOT_ENABLE_GATEWAY_API_STATUS": "true", + // Enable automated deployment (creates Envoy proxy + service for gateways) + "PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER": "true", + // Disable gatewayclass controller (admin manages gatewayclass) + "PILOT_ENABLE_GATEWAY_API_GATEWAYCLASS_CONTROLLER": "false", + // Disable multi-network gateway discovery + "PILOT_MULTI_NETWORK_DISCOVER_GATEWAY_API": "false", + // Disable manual deployment (only automated deployment allowed) + "ENABLE_GATEWAY_API_MANUAL_DEPLOYMENT": "false", + // Only create CA bundle configmap in namespaces with gateways + "PILOT_ENABLE_GATEWAY_API_CA_CERT_ONLY": "true", + // Don't copy labels/annotations from gateways to generated resources + "PILOT_ENABLE_GATEWAY_API_COPY_LABELS_ANNOTATIONS": "false", + // Resource filtering for Gateway API mode (X_ prefix until Istio feature is ready) + // When active, istiod will only reconcile Gateway API + the 3 included Istio resources + envPilotIgnoreResources: gatewayAPIIgnoreResources, + envPilotIncludeResources: gatewayAPIIncludeResources, + }, + }, + SidecarInjectorWebhook: &v1.SidecarInjectorConfig{ + // Disable sidecar injection by default (Gateway API mode only) + EnableNamespacesByDefault: ptr.To(false), + }, + MeshConfig: &v1.MeshConfig{ + // Enable access logging + AccessLogFile: ptr.To("/dev/stdout"), + // Disable legacy ingress controller + IngressControllerMode: v1.MeshConfigIngressControllerModeOff, + // Configure proxy defaults + DefaultConfig: &v1.MeshConfigProxyConfig{ + ProxyHeaders: &v1.ProxyConfigProxyHeaders{ + // Don't set Server header + Server: &v1.ProxyConfigProxyHeadersServer{ + Disabled: ptr.To(true), + }, + // Don't set X-Envoy-* debug headers + EnvoyDebugHeaders: &v1.ProxyConfigProxyHeadersEnvoyDebugHeaders{ + Disabled: ptr.To(true), + }, + // Only exchange metadata headers for in-mesh traffic + MetadataExchangeHeaders: &v1.ProxyConfigProxyHeadersMetadataExchangeHeaders{ + Mode: v1.ProxyConfigProxyHeadersMetadataExchangeModeInMesh, + }, + }, + }, + }, + } +} + +// mergeOverwrite recursively merges overlay into base, with overlay taking precedence. +// NOTE: This is a copy of istiovalues.mergeOverwrite. Consider exporting the original +// to avoid duplication once the library API stabilizes. +func mergeOverwrite(base map[string]any, overrides map[string]any) map[string]any { + if base == nil { + base = make(map[string]any, 1) + } + for key, value := range overrides { + if _, exists := base[key]; !exists { + base[key] = value + continue + } + childOverrides, overrideValueIsMap := value.(map[string]any) + childBase, baseValueIsMap := base[key].(map[string]any) + if baseValueIsMap && overrideValueIsMap { + base[key] = mergeOverwrite(childBase, childOverrides) + } else { + base[key] = value + } + } + return base +} + +// MergeValues merges two Values structs, with overlay taking precedence. +// This is useful for combining GatewayAPIDefaults() with custom overrides. +// +// Maps are merged recursively (overlay keys override base keys). +// Lists are replaced entirely (overlay list replaces base list). +// +// Example: +// +// base := install.GatewayAPIDefaults() +// overrides := &v1.Values{Global: &v1.GlobalConfig{Hub: ptr.To("my-registry")}} +// merged := install.MergeValues(base, overrides) +func MergeValues(base, overlay *v1.Values) *v1.Values { + if base == nil { + return overlay + } + if overlay == nil { + return base + } + baseMap := helm.FromValues(base) + overlayMap := helm.FromValues(overlay) + merged := mergeOverwrite(baseMap, overlayMap) + result, err := helm.ToValues(merged, &v1.Values{}) + if err != nil { + panic(fmt.Sprintf("failed to convert merged values: %v", err)) + } + return result +} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/install/version.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/install/version.go new file mode 100644 index 0000000000..22d11a61c5 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/install/version.go @@ -0,0 +1,80 @@ +// Copyright Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package install + +import ( + "fmt" + "io/fs" + "strings" + + "github.com/Masterminds/semver/v3" +) + +// DefaultVersion scans resourceFS for version directories and returns the +// highest stable (non-prerelease) semver version found. +// Returns an error if no stable version is found. +func DefaultVersion(resourceFS fs.FS) (string, error) { + entries, err := fs.ReadDir(resourceFS, ".") + if err != nil { + return "", fmt.Errorf("failed to read resource directory: %w", err) + } + + var best *semver.Version + var bestName string + for _, e := range entries { + if !e.IsDir() { + continue + } + name := e.Name() + v, err := semver.NewVersion(strings.TrimPrefix(name, "v")) + if err != nil { + continue // skip non-semver directories + } + if v.Prerelease() != "" { + continue // skip alpha, beta, rc, etc. + } + if best == nil || v.GreaterThan(best) { + best = v + bestName = name + } + } + if best == nil { + return "", fmt.Errorf("no stable version found in resource filesystem") + } + return bestName, nil +} + +// NormalizeVersion ensures the version string has a "v" prefix. +// Returns the input unchanged if it is empty or already starts with "v". +func NormalizeVersion(version string) string { + if version != "" && !strings.HasPrefix(version, "v") { + return "v" + version + } + return version +} + +// ValidateVersion checks that a version directory exists in the resource filesystem. +// Unlike istioversion.Resolve, this does not support aliases — only concrete +// version directory names (e.g. "v1.28.3"). +func ValidateVersion(resourceFS fs.FS, version string) error { + info, err := fs.Stat(resourceFS, version) + if err != nil { + return fmt.Errorf("version %q not found in resource filesystem", version) + } + if !info.IsDir() { + return fmt.Errorf("version %q is not a directory", version) + } + return nil +} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/istiovalues/digests.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/istiovalues/digests.go new file mode 100644 index 0000000000..fffd86318a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/istiovalues/digests.go @@ -0,0 +1,70 @@ +// Copyright Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package istiovalues + +import ( + v1 "github.com/istio-ecosystem/sail-operator/api/v1" + "github.com/istio-ecosystem/sail-operator/pkg/config" +) + +// ApplyDigests applies image digests from configuration, if not already set by user +func ApplyDigests(version string, values *v1.Values, config config.OperatorConfig) *v1.Values { + imageDigests, digestsDefined := config.ImageDigests[version] + // if we don't have default image digests defined for this version, it's a no-op + if !digestsDefined { + return values + } + + // if a global hub or tag value is configured by the user, don't set image digests for any components + if values != nil && values.Global != nil && (values.Global.Hub != nil || values.Global.Tag != nil) { + return values + } + + if values == nil { + values = &v1.Values{} + } + + // set image digests for components unless they've been configured by the user + if values.Pilot == nil { + values.Pilot = &v1.PilotConfig{} + } + if values.Pilot.Image == nil && values.Pilot.Hub == nil && values.Pilot.Tag == nil { + values.Pilot.Image = &imageDigests.IstiodImage + } + + if values.Global == nil { + values.Global = &v1.GlobalConfig{} + } + + if values.Global.Proxy == nil { + values.Global.Proxy = &v1.ProxyConfig{} + } + if values.Global.Proxy.Image == nil { + values.Global.Proxy.Image = &imageDigests.ProxyImage + } + + if values.Global.ProxyInit == nil { + values.Global.ProxyInit = &v1.ProxyInitConfig{} + } + if values.Global.ProxyInit.Image == nil { + values.Global.ProxyInit.Image = &imageDigests.ProxyImage + } + + // TODO: add this once the API supports ambient + // if !hasUserDefinedImage("ztunnel", values) { + // values.ZTunnel.Image = imageDigests.ZTunnelImage + // } + return values +} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/istiovalues/fips.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/istiovalues/fips.go new file mode 100644 index 0000000000..161b7bf563 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/istiovalues/fips.go @@ -0,0 +1,65 @@ +// Copyright Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package istiovalues + +import ( + "fmt" + "os" + "strings" + + "github.com/istio-ecosystem/sail-operator/pkg/helm" +) + +var ( + FipsEnabled bool + FipsEnableFilePath = "/proc/sys/crypto/fips_enabled" +) + +// detectFipsMode checks if FIPS mode is enabled in the system. +func init() { + detectFipsMode(FipsEnableFilePath) +} + +func detectFipsMode(filepath string) { + contents, err := os.ReadFile(filepath) + if err != nil { + FipsEnabled = false + } else { + fipsEnabled := strings.TrimSuffix(string(contents), "\n") + if fipsEnabled == "1" { + FipsEnabled = true + } + } +} + +// ApplyFipsValues sets value pilot.env.COMPLIANCE_POLICY if FIPS mode is enabled in the system. +func ApplyFipsValues(values helm.Values) (helm.Values, error) { + if FipsEnabled { + if err := values.SetIfAbsent("pilot.env.COMPLIANCE_POLICY", "fips-140-2"); err != nil { + return nil, fmt.Errorf("failed to set pilot.env.COMPLIANCE_POLICY: %w", err) + } + } + return values, nil +} + +// ApplyZTunnelFipsValues sets value ztunnel.env.TLS12_ENABLED if FIPS mode is enabled in the system. +func ApplyZTunnelFipsValues(values helm.Values) (helm.Values, error) { + if FipsEnabled { + if err := values.SetIfAbsent("env.TLS12_ENABLED", "true"); err != nil { + return nil, fmt.Errorf("failed to set env.TLS12_ENABLED: %w", err) + } + } + return values, nil +} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/istiovalues/overrides.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/istiovalues/overrides.go new file mode 100644 index 0000000000..1485d50858 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/istiovalues/overrides.go @@ -0,0 +1,41 @@ +// Copyright Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package istiovalues + +import ( + v1 "github.com/istio-ecosystem/sail-operator/api/v1" + + "istio.io/istio/pkg/ptr" +) + +func ApplyOverrides(revisionName string, namespace string, values *v1.Values) { + // Set revision name to "" if revision name is "default". This is a temporary fix until we fix the injection + // mutatingwebhook manifest; the webhook performs injection on namespaces labeled with "istio-injection: enabled" + // only when revision is "", but not also for "default", which it should, since elsewhere in the same manifest, + // the "" revision is mapped to "default". + if revisionName == v1.DefaultRevision { + revisionName = "" + } + values.Revision = &revisionName + + if values.Global == nil { + values.Global = &v1.GlobalConfig{} + } + values.Global.IstioNamespace = &namespace + + // Force defaultRevision to be empty to prevent creation of the default validator webhook. + // This field is deprecated and should be ignored by the operator. + values.DefaultRevision = ptr.Of("") +} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/istiovalues/profiles.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/istiovalues/profiles.go new file mode 100644 index 0000000000..92dc11481b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/istiovalues/profiles.go @@ -0,0 +1,153 @@ +// Copyright Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package istiovalues + +import ( + "fmt" + "io/fs" + "path" + + "github.com/istio-ecosystem/sail-operator/pkg/config" + "github.com/istio-ecosystem/sail-operator/pkg/helm" + "github.com/istio-ecosystem/sail-operator/pkg/reconciler" + "gopkg.in/yaml.v3" + "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" + + "istio.io/istio/pkg/util/sets" +) + +// ApplyProfilesAndPlatform loads profiles from an fs.FS and applies them with platform settings. +// Works with embed.FS, os.DirFS, or any other fs.FS implementation. +func ApplyProfilesAndPlatform( + resourceFS fs.FS, version string, platform config.Platform, defaultProfile, userProfile string, userValues helm.Values, +) (helm.Values, error) { + profile := resolve(defaultProfile, userProfile) + profilesPath := path.Join(version, "profiles") + defaultValues, err := getValuesFromProfiles(resourceFS, profilesPath, profile) + if err != nil { + return nil, fmt.Errorf("failed to get values from profile %q: %w", profile, err) + } + values := helm.Values(mergeOverwrite(defaultValues, userValues)) + + if platform != config.PlatformKubernetes && platform != config.PlatformUndefined { + if err = values.SetIfAbsent("global.platform", string(platform)); err != nil { + return nil, fmt.Errorf("failed to set global.platform: %w", err) + } + } + return values, nil +} + +func ApplyUserValues(mergedValues, userValues helm.Values, +) (helm.Values, error) { + values := helm.Values(mergeOverwrite(mergedValues, userValues)) + return values, nil +} + +func resolve(defaultProfile, userProfile string) []string { + switch { + case userProfile != "" && userProfile != "default": + return []string{"default", userProfile} + case defaultProfile != "" && defaultProfile != "default": + return []string{"default", defaultProfile} + default: + return []string{"default"} + } +} + +func getValuesFromProfiles(resourceFS fs.FS, profilesDir string, profiles []string) (helm.Values, error) { + // start with an empty values map + values := helm.Values{} + + // apply profiles in order, overwriting values from previous profiles + alreadyApplied := sets.New[string]() + for _, profile := range profiles { + if profile == "" { + return nil, reconciler.NewValidationError("profile name cannot be empty") + } + if alreadyApplied.Contains(profile) { + continue + } + alreadyApplied.Insert(profile) + + file := path.Join(profilesDir, profile+".yaml") + // prevent path traversal attacks + if path.Dir(file) != profilesDir { + return nil, reconciler.NewValidationError(fmt.Sprintf("invalid profile name %s", profile)) + } + + profileValues, err := getProfileValues(resourceFS, file) + if err != nil { + return nil, err + } + values = mergeOverwrite(values, profileValues) + } + + return values, nil +} + +func getProfileValues(resourceFS fs.FS, file string) (helm.Values, error) { + fileContents, err := fs.ReadFile(resourceFS, file) + if err != nil { + return nil, fmt.Errorf("failed to read profile file %v: %w", file, err) + } + + return parseProfileYAML(fileContents, file) +} + +// parseProfileYAML parses the profile YAML content and extracts spec.values +func parseProfileYAML(fileContents []byte, filename string) (helm.Values, error) { + var profile map[string]any + err := yaml.Unmarshal(fileContents, &profile) + if err != nil { + return nil, fmt.Errorf("failed to unmarshal profile YAML %s: %w", filename, err) + } + + val, found, err := unstructured.NestedFieldNoCopy(profile, "spec", "values") + if !found || err != nil { + return nil, err + } + m, ok := val.(map[string]any) + if !ok { + return nil, fmt.Errorf("spec.values is not a map[string]any") + } + return m, nil +} + +func mergeOverwrite(base map[string]any, overrides map[string]any) map[string]any { + if base == nil { + base = make(map[string]any, 1) + } + + for key, value := range overrides { + // if the key doesn't already exist, add it + if _, exists := base[key]; !exists { + base[key] = value + continue + } + + // At this point, key exists in both base and overrides. + // If both are maps, recurse so that we override only specific values in the map. + // If only override value is a map, overwrite base value completely. + // If both are values, overwrite base. + childOverrides, overrideValueIsMap := value.(map[string]any) + childBase, baseValueIsMap := base[key].(map[string]any) + if baseValueIsMap && overrideValueIsMap { + base[key] = mergeOverwrite(childBase, childOverrides) + } else { + base[key] = value + } + } + return base +} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/istiovalues/vendor_defaults.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/istiovalues/vendor_defaults.go new file mode 100644 index 0000000000..b88f0bac77 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/istiovalues/vendor_defaults.go @@ -0,0 +1,123 @@ +// Copyright Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package istiovalues + +import ( + _ "embed" + "fmt" + "strings" + + v1 "github.com/istio-ecosystem/sail-operator/api/v1" + "github.com/istio-ecosystem/sail-operator/pkg/helm" + "gopkg.in/yaml.v3" + "k8s.io/apimachinery/pkg/runtime" +) + +var ( + //go:embed vendor_defaults.yaml + vendorDefaultsYAML []byte + vendorDefaults map[string]map[string]any +) + +func init() { + vendorDefaults = MustParseVendorDefaultsYAML(vendorDefaultsYAML) +} + +func SetVendorDefaults(defaults map[string]map[string]any) { + vendorDefaults = defaults +} + +func MustParseVendorDefaultsYAML(defaultsYAML []byte) map[string]map[string]any { + var parsedDefaults map[string]map[string]any + err := yaml.Unmarshal(defaultsYAML, &parsedDefaults) + if err != nil { + panic("failed to read vendor_defaults.yaml: " + err.Error()) + } + return parsedDefaults +} + +// OverrideVendorDefaults allows tests to override the vendor defaults +func OverrideVendorDefaults(defaults map[string]map[string]any) { + // Set the vendorDefaults to the provided defaults for testing purposes. + // This allows tests to override the defaults without modifying the original file. + vendorDefaults = defaults +} + +// ApplyIstioVendorDefaults applies vendor-specific default values to the provided +// Istio configuration (*v1.Values) for a given Istio version. +func ApplyIstioVendorDefaults(version string, values *v1.Values) (*v1.Values, error) { + // Convert the specific *v1.Values struct to a generic map[string]any + userHelmValues := helm.FromValues(values) + + mergedHelmValues, err := applyVendorDefaultsForResourceType(version, v1.IstioKind, userHelmValues) + if err != nil { + return nil, fmt.Errorf("failed to apply vendor defaults for istio: %w", err) + } + + finalValues, err := helm.ToValues(mergedHelmValues, &v1.Values{}) + if err != nil { + return nil, fmt.Errorf("failed to convert merged values back to *v1.Values: %w", err) + } + + return finalValues, nil +} + +// ApplyIstioCNIVendorDefaults applies vendor-specific default values to the provided +// Istio CNI configuration (*v1.CNIValues) for a given Istio version. +func ApplyIstioCNIVendorDefaults(version string, values *v1.CNIValues) (*v1.CNIValues, error) { + // Convert the specific *v1.CNIValues struct to a generic map[string]any + userHelmValues := helm.FromValues(values) + + mergedHelmValues, err := applyVendorDefaultsForResourceType(version, v1.IstioCNIKind, userHelmValues) + if err != nil { + return nil, fmt.Errorf("failed to apply vendor defaults for istiocni: %w", err) + } + + finalValues, err := helm.ToValues(mergedHelmValues, &v1.CNIValues{}) + if err != nil { + return nil, fmt.Errorf("failed to convert merged values back to *v1.CNIValues: %w", err) + } + + return finalValues, nil +} + +// applyVendorDefaultsForResourceType retrieves defaults for +// a given version and resourceType, current valid resources are: "istio" and "istiocni" +// It returns the merged map and an error if the defaults are not found or malformed. +// The userValuesMap is the 'base', and resource-specific defaults are 'overrides'. +func applyVendorDefaultsForResourceType(version, resourceType string, userValuesMap map[string]any) (map[string]any, error) { + if len(vendorDefaults) == 0 { + return userValuesMap, nil // No vendor defaults defined + } + + versionSpecificDefaults, versionExists := vendorDefaults[version] + if !versionExists { + return userValuesMap, nil // No vendor defaults defined for this version + } + + resourceSpecificDefaults, resourceExists := versionSpecificDefaults[strings.ToLower(resourceType)] + if !resourceExists { + return userValuesMap, nil // No vendor defaults defined for this resource type in this version + } + + // Check if the resource-specific defaults are a map[string]any + resourceSpecificDefaultsMap, ok := resourceSpecificDefaults.(map[string]any) + if !ok { + return nil, fmt.Errorf("vendor defaults for resource '%s' (version '%s') are not a map[string]any", resourceType, version) + } + + valsMap := runtime.DeepCopyJSON(resourceSpecificDefaultsMap) + return mergeOverwrite(valsMap, userValuesMap), nil +} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/istiovalues/vendor_defaults.yaml b/vendor/github.com/istio-ecosystem/sail-operator/pkg/istiovalues/vendor_defaults.yaml new file mode 100644 index 0000000000..d74da33d58 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/istiovalues/vendor_defaults.yaml @@ -0,0 +1,62 @@ +# This file can be overwritten in vendor distributions of sail-operator to set +# vendor-specific defaults. You can configure version-specific defaults for +# every field in `spec.values` for both Istio and IstioCNI resource, +# see the following example: +# +# v1.26.0: +# istio: +# pilot: +# env: +# test: "true" +# istiocni: +# cni: +# cniConfDir: custom/cni/conf/dir +# +# These defaults are type-checked at compile time. +# Note: After modifying this file, run `make test` to ensure that the +# generated defaults values from this files are valid. +v1.26.2: + istio: + pilot: + env: + ENABLE_GATEWAY_API_MANUAL_DEPLOYMENT: "false" +v1.26.3: + istio: + pilot: + env: + ENABLE_GATEWAY_API_MANUAL_DEPLOYMENT: "false" +v1.26.4: + istio: + pilot: + env: + ENABLE_GATEWAY_API_MANUAL_DEPLOYMENT: "false" +v1.26.6: + istio: + pilot: + env: + ENABLE_GATEWAY_API_MANUAL_DEPLOYMENT: "false" +v1.26.8: + istio: + pilot: + env: + ENABLE_GATEWAY_API_MANUAL_DEPLOYMENT: "false" +v1.27.0: + istio: + pilot: + env: + ENABLE_GATEWAY_API_MANUAL_DEPLOYMENT: "false" +v1.27.3: + istio: + pilot: + env: + ENABLE_GATEWAY_API_MANUAL_DEPLOYMENT: "false" +v1.27.5: + istio: + pilot: + env: + ENABLE_GATEWAY_API_MANUAL_DEPLOYMENT: "false" +v1.28.3: + istio: + pilot: + env: + ENABLE_GATEWAY_API_MANUAL_DEPLOYMENT: "false" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/istioversion/version.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/istioversion/version.go new file mode 100644 index 0000000000..1eefc0bbdf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/istioversion/version.go @@ -0,0 +1,178 @@ +// Copyright Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package istioversion + +import ( + "embed" + "fmt" + "maps" + "slices" + "sort" + + "github.com/Masterminds/semver/v3" + "github.com/istio-ecosystem/sail-operator/pkg/env" + "gopkg.in/yaml.v3" + + "istio.io/istio/pkg/log" +) + +var ( + //go:embed *.yaml + versionsFiles embed.FS + + // versionsFilename is set via ldflags when building the binary and via an environment variable when running tests + versionsFilename = "" +) + +// Versions represents the top-level structure of versions.yaml +type Versions struct { + Versions []VersionInfo `json:"versions"` +} + +// AliasInfo contains information about version aliases +type AliasInfo struct { + Name string `json:"name"` + Ref string `json:"ref"` +} + +// VersionInfo contains information about a specific Istio version +type VersionInfo struct { + Name string `json:"name"` + Ref string `json:"ref"` + Version *semver.Version `json:"version"` + Repo string `json:"repo"` + Branch string `json:"branch,omitempty"` + Commit string `json:"commit"` + Charts []string `json:"charts,omitempty"` + EOL bool `json:"eol"` +} + +var ( + // List contains all supported versions. Does not include aliases + List []VersionInfo + // Map contains version info mapped by version name. Includes mappings for aliases + Map map[string]VersionInfo + // Default is the default version + Default string + // Base is the previous supported version + Base string + // New is the latest version + New string + // aliasList is the alias for the version + aliasList []AliasInfo + // EOL is a list of version names that have gone out of support + EOL []string +) + +func Resolve(version string) (string, error) { + info, ok := Map[version] + if !ok { + return "", fmt.Errorf("version %q not found", version) + } + return info.Name, nil +} + +func init() { + // we can't use ldflags when running tests, use an env variable instead + // tmp workaround for https://github.com/golang/go/issues/64246 + if versionsFilename == "" { + versionsFilename = env.Get("VERSIONS_YAML_FILE", "versions.yaml") + } + log.Info("loading supported istio versions from " + versionsFilename) + // Read the embedded versions.yaml file + data, err := versionsFiles.ReadFile(versionsFilename) + if err != nil { + panic(fmt.Errorf("failed to read versions from '%s': %w", versionsFilename, err)) + } + + List, Default, Base, New, Map, aliasList, EOL = mustParseVersionsYaml(data) +} + +func mustParseVersionsYaml(yamlBytes []byte) ( + list []VersionInfo, + defaultVersion string, + baseVersion string, + newVersion string, + versionMap map[string]VersionInfo, + aliasList []AliasInfo, + eolVersions []string, +) { + versions := Versions{} + err := yaml.Unmarshal(yamlBytes, &versions) + if err != nil { + panic(fmt.Errorf("failed to parse versions data: %w", err)) + } + + versionMap = make(map[string]VersionInfo) + + for _, v := range versions.Versions { + if v.EOL { + eolVersions = append(eolVersions, v.Name) + continue + } + if v.Ref == "" { + list = append(list, v) + versionMap[v.Name] = v + } else { + if v.Version != nil || v.Repo != "" || v.Commit != "" || v.Branch != "" || len(v.Charts) > 0 { + panic(fmt.Errorf("version %q has aliasFor set but the other fields cannot be specified", v.Name)) + } + aliasList = append(aliasList, AliasInfo{ + Name: v.Name, + Ref: v.Ref, + }) + } + } + + // Process aliases after all versions are in the lookup map + for _, a := range aliasList { + v, ok := versionMap[a.Ref] + if !ok { + panic(fmt.Errorf("version %q not found", a.Ref)) + } + versionMap[a.Name] = v + } + + if len(list) > 0 { + newVersion = list[0].Name + defaultVersion = newVersion + if len(list) > 1 { + baseVersion = list[1].Name + } + } + + return list, defaultVersion, baseVersion, newVersion, versionMap, aliasList, eolVersions +} + +// GetLatestPatchVersions returns the latest patch versions for all the Major.Minor versions +func GetLatestPatchVersions() []VersionInfo { + latestPatchVersions := make(map[string]VersionInfo) + for _, version := range List { + majorMinorVersion := fmt.Sprintf("%d.%d", version.Version.Major(), version.Version.Minor()) + latestPatchVersion, ok := latestPatchVersions[majorMinorVersion] + if !ok || version.Version.GreaterThan(latestPatchVersion.Version) { + latestPatchVersions[majorMinorVersion] = version + } + } + + latestSlice := slices.Collect(maps.Values(latestPatchVersions)) + + // Sort the slice in descending order based on the version. + sort.Slice(latestSlice, func(i, j int) bool { + return latestSlice[i].Version.GreaterThan(latestSlice[j].Version) + }) + + return latestSlice +} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/istioversion/versions.ossm.yaml b/vendor/github.com/istio-ecosystem/sail-operator/pkg/istioversion/versions.ossm.yaml new file mode 100644 index 0000000000..25d59521ac --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/istioversion/versions.ossm.yaml @@ -0,0 +1,119 @@ +# This file defines all the Istio versions supported by this operator. + +# The list of versions to support. Each item specifies the name of the version, +# the Git repository and commit hash for retrieving the profiles, and +# a list of URLs for retrieving the charts. +# The first item in the list is the default version. +# +# IMPORTANT: in addition to the versions specified here, the versions of the +# istio.io/istio and istio.io/api dependencies defined in go.mod must also be +# updated to match the most recent version specified here. The versions in +# go.mod affect the generated API schema for the Sail CRDs (e.g. IstioRevision), +# as well as all the Istio CRDs (e.g. VirtualService). +versions: + - name: v1.28-latest + ref: v1.28.5 + - name: v1.28.5 + version: 1.28.5 + repo: https://github.com/istio/istio + commit: 1.28.5 + charts: + - https://github.com/openshift-service-mesh/istio-release/raw/200665bb953620d498329bbe46a886d97a36b060/1.28.5-redhat/helm/base-1.28.5.tgz + - https://github.com/openshift-service-mesh/istio-release/raw/200665bb953620d498329bbe46a886d97a36b060/1.28.5-redhat/helm/istiod-1.28.5.tgz + - https://github.com/openshift-service-mesh/istio-release/raw/200665bb953620d498329bbe46a886d97a36b060/1.28.5-redhat/helm/gateway-1.28.5.tgz + - https://github.com/openshift-service-mesh/istio-release/raw/200665bb953620d498329bbe46a886d97a36b060/1.28.5-redhat/helm/cni-1.28.5.tgz + - https://github.com/openshift-service-mesh/istio-release/raw/200665bb953620d498329bbe46a886d97a36b060/1.28.5-redhat/helm/ztunnel-1.28.5.tgz + - name: v1.28.4 + version: 1.28.4 + repo: https://github.com/istio/istio + commit: 1.28.4 + charts: + - https://github.com/openshift-service-mesh/istio-release/raw/3056318bdf28c90d92fb1734073028c0fdc4b4b7/1.28.4-redhat/helm/base-1.28.4.tgz + - https://github.com/openshift-service-mesh/istio-release/raw/3056318bdf28c90d92fb1734073028c0fdc4b4b7/1.28.4-redhat/helm/istiod-1.28.4.tgz + - https://github.com/openshift-service-mesh/istio-release/raw/3056318bdf28c90d92fb1734073028c0fdc4b4b7/1.28.4-redhat/helm/gateway-1.28.4.tgz + - https://github.com/openshift-service-mesh/istio-release/raw/3056318bdf28c90d92fb1734073028c0fdc4b4b7/1.28.4-redhat/helm/cni-1.28.4.tgz + - https://github.com/openshift-service-mesh/istio-release/raw/3056318bdf28c90d92fb1734073028c0fdc4b4b7/1.28.4-redhat/helm/ztunnel-1.28.4.tgz + - name: v1.27-latest + ref: v1.27.8 + - name: v1.27.8 + version: 1.27.8 + repo: https://github.com/istio/istio + commit: 1.27.8 + charts: + - https://github.com/openshift-service-mesh/istio-release/raw/200665bb953620d498329bbe46a886d97a36b060/1.27.8-redhat/helm/base-1.27.8.tgz + - https://github.com/openshift-service-mesh/istio-release/raw/200665bb953620d498329bbe46a886d97a36b060/1.27.8-redhat/helm/istiod-1.27.8.tgz + - https://github.com/openshift-service-mesh/istio-release/raw/200665bb953620d498329bbe46a886d97a36b060/1.27.8-redhat/helm/gateway-1.27.8.tgz + - https://github.com/openshift-service-mesh/istio-release/raw/200665bb953620d498329bbe46a886d97a36b060/1.27.8-redhat/helm/cni-1.27.8.tgz + - https://github.com/openshift-service-mesh/istio-release/raw/200665bb953620d498329bbe46a886d97a36b060/1.27.8-redhat/helm/ztunnel-1.27.8.tgz + - name: v1.27.5 + version: 1.27.5 + repo: https://github.com/istio/istio + commit: 1.27.5 + charts: + - https://github.com/openshift-service-mesh/istio-release/raw/7d7e1995d825ec45485083d7e40bacca438a2e78/1.27.5-redhat/helm/base-1.27.5.tgz + - https://github.com/openshift-service-mesh/istio-release/raw/7d7e1995d825ec45485083d7e40bacca438a2e78/1.27.5-redhat/helm/istiod-1.27.5.tgz + - https://github.com/openshift-service-mesh/istio-release/raw/7d7e1995d825ec45485083d7e40bacca438a2e78/1.27.5-redhat/helm/gateway-1.27.5.tgz + - https://github.com/openshift-service-mesh/istio-release/raw/7d7e1995d825ec45485083d7e40bacca438a2e78/1.27.5-redhat/helm/cni-1.27.5.tgz + - https://github.com/openshift-service-mesh/istio-release/raw/7d7e1995d825ec45485083d7e40bacca438a2e78/1.27.5-redhat/helm/ztunnel-1.27.5.tgz + - name: v1.27.3 + version: 1.27.3 + repo: https://github.com/istio/istio + commit: 1.27.3 + charts: + - https://github.com/openshift-service-mesh/istio-release/raw/3ff052018d78531e97946f46292b4367f2b40e70/1.27.3-redhat/helm/base-1.27.3.tgz + - https://github.com/openshift-service-mesh/istio-release/raw/3ff052018d78531e97946f46292b4367f2b40e70/1.27.3-redhat/helm/istiod-1.27.3.tgz + - https://github.com/openshift-service-mesh/istio-release/raw/3ff052018d78531e97946f46292b4367f2b40e70/1.27.3-redhat/helm/gateway-1.27.3.tgz + - https://github.com/openshift-service-mesh/istio-release/raw/3ff052018d78531e97946f46292b4367f2b40e70/1.27.3-redhat/helm/cni-1.27.3.tgz + - https://github.com/openshift-service-mesh/istio-release/raw/3ff052018d78531e97946f46292b4367f2b40e70/1.27.3-redhat/helm/ztunnel-1.27.3.tgz + - name: v1.26-latest + ref: v1.26.8 + - name: v1.26.8 + version: 1.26.8 + repo: https://github.com/istio/istio + commit: 1.26.8 + charts: + - https://github.com/openshift-service-mesh/istio-release/raw/7d7e1995d825ec45485083d7e40bacca438a2e78/1.26.8-redhat/helm/base-1.26.8.tgz + - https://github.com/openshift-service-mesh/istio-release/raw/7d7e1995d825ec45485083d7e40bacca438a2e78/1.26.8-redhat/helm/istiod-1.26.8.tgz + - https://github.com/openshift-service-mesh/istio-release/raw/7d7e1995d825ec45485083d7e40bacca438a2e78/1.26.8-redhat/helm/gateway-1.26.8.tgz + - https://github.com/openshift-service-mesh/istio-release/raw/7d7e1995d825ec45485083d7e40bacca438a2e78/1.26.8-redhat/helm/cni-1.26.8.tgz + - https://github.com/openshift-service-mesh/istio-release/raw/7d7e1995d825ec45485083d7e40bacca438a2e78/1.26.8-redhat/helm/ztunnel-1.26.8.tgz + - name: v1.26.6 + version: 1.26.6 + repo: https://github.com/istio/istio + commit: 1.26.6 + charts: + - https://github.com/openshift-service-mesh/istio-release/raw/74deba2dd9334a029a20637a14847f501386223e/1.26.6-redhat/helm/base-1.26.6.tgz + - https://github.com/openshift-service-mesh/istio-release/raw/74deba2dd9334a029a20637a14847f501386223e/1.26.6-redhat/helm/istiod-1.26.6.tgz + - https://github.com/openshift-service-mesh/istio-release/raw/74deba2dd9334a029a20637a14847f501386223e/1.26.6-redhat/helm/gateway-1.26.6.tgz + - https://github.com/openshift-service-mesh/istio-release/raw/74deba2dd9334a029a20637a14847f501386223e/1.26.6-redhat/helm/cni-1.26.6.tgz + - https://github.com/openshift-service-mesh/istio-release/raw/74deba2dd9334a029a20637a14847f501386223e/1.26.6-redhat/helm/ztunnel-1.26.6.tgz + - name: v1.26.4 + version: 1.26.4 + repo: https://github.com/istio/istio + commit: 1.26.4 + charts: + - https://github.com/openshift-service-mesh/istio-release/raw/fe4a8e608026d15a72c7d978d3f416ba52c4e86b/1.26.4-redhat/helm/base-1.26.4.tgz + - https://github.com/openshift-service-mesh/istio-release/raw/fe4a8e608026d15a72c7d978d3f416ba52c4e86b/1.26.4-redhat/helm/istiod-1.26.4.tgz + - https://github.com/openshift-service-mesh/istio-release/raw/fe4a8e608026d15a72c7d978d3f416ba52c4e86b/1.26.4-redhat/helm/gateway-1.26.4.tgz + - https://github.com/openshift-service-mesh/istio-release/raw/fe4a8e608026d15a72c7d978d3f416ba52c4e86b/1.26.4-redhat/helm/cni-1.26.4.tgz + - https://github.com/openshift-service-mesh/istio-release/raw/fe4a8e608026d15a72c7d978d3f416ba52c4e86b/1.26.4-redhat/helm/ztunnel-1.26.4.tgz + - name: v1.26.3 + version: 1.26.3 + repo: https://github.com/istio/istio + commit: 1.26.3 + charts: + - https://github.com/openshift-service-mesh/istio-release/raw/a91fd9b7182ebc89ca571b845078e5f37b03332d/1.26.3-redhat/helm/base-1.26.3.tgz + - https://github.com/openshift-service-mesh/istio-release/raw/a91fd9b7182ebc89ca571b845078e5f37b03332d/1.26.3-redhat/helm/istiod-1.26.3.tgz + - https://github.com/openshift-service-mesh/istio-release/raw/a91fd9b7182ebc89ca571b845078e5f37b03332d/1.26.3-redhat/helm/gateway-1.26.3.tgz + - https://github.com/openshift-service-mesh/istio-release/raw/a91fd9b7182ebc89ca571b845078e5f37b03332d/1.26.3-redhat/helm/cni-1.26.3.tgz + - https://github.com/openshift-service-mesh/istio-release/raw/a91fd9b7182ebc89ca571b845078e5f37b03332d/1.26.3-redhat/helm/ztunnel-1.26.3.tgz + - name: v1.26.2 + version: 1.26.2 + repo: https://github.com/istio/istio + commit: 1.26.2 + charts: + - https://github.com/openshift-service-mesh/istio-release/raw/f3168f90673079a5f4a56fd10bb1c6f6908163a7/1.26.2-redhat/helm/base-1.26.2.tgz + - https://github.com/openshift-service-mesh/istio-release/raw/f3168f90673079a5f4a56fd10bb1c6f6908163a7/1.26.2-redhat/helm/istiod-1.26.2.tgz + - https://github.com/openshift-service-mesh/istio-release/raw/f3168f90673079a5f4a56fd10bb1c6f6908163a7/1.26.2-redhat/helm/gateway-1.26.2.tgz + - https://github.com/openshift-service-mesh/istio-release/raw/f3168f90673079a5f4a56fd10bb1c6f6908163a7/1.26.2-redhat/helm/cni-1.26.2.tgz + - https://github.com/openshift-service-mesh/istio-release/raw/f3168f90673079a5f4a56fd10bb1c6f6908163a7/1.26.2-redhat/helm/ztunnel-1.26.2.tgz \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/istioversion/versions.yaml b/vendor/github.com/istio-ecosystem/sail-operator/pkg/istioversion/versions.yaml new file mode 100644 index 0000000000..1fb7220fb4 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/istioversion/versions.yaml @@ -0,0 +1,319 @@ +# This file defines all the Istio versions supported by this operator. + +# The list of versions to support. Each item specifies the name of the version, +# the Git repository and commit hash for retrieving the profiles, and +# a list of URLs for retrieving the charts. +# The first item in the list is the default version. +# +# IMPORTANT: in addition to the versions specified here, the versions of the +# istio.io/istio and istio.io/api dependencies defined in go.mod must also be +# updated to match the most recent version specified here. The versions in +# go.mod affect the generated API schema for the Sail CRDs (e.g. IstioRevision), +# as well as all the Istio CRDs (e.g. VirtualService). +# +# Versions marked as `eol: true` will not be installable, so no chart URLs are +# required. They will stay valid input values for the spec.version field though, +# to avoid breaking API guarantees. +versions: + - name: v1.28-latest + ref: v1.28.5 + - name: v1.28.5 + version: 1.28.5 + repo: https://github.com/istio/istio + commit: 1.28.5 + charts: + - https://istio-release.storage.googleapis.com/charts/base-1.28.5.tgz + - https://istio-release.storage.googleapis.com/charts/istiod-1.28.5.tgz + - https://istio-release.storage.googleapis.com/charts/gateway-1.28.5.tgz + - https://istio-release.storage.googleapis.com/charts/cni-1.28.5.tgz + - https://istio-release.storage.googleapis.com/charts/ztunnel-1.28.5.tgz + - name: v1.28.4 + version: 1.28.4 + repo: https://github.com/istio/istio + commit: 1.28.4 + charts: + - https://istio-release.storage.googleapis.com/charts/base-1.28.4.tgz + - https://istio-release.storage.googleapis.com/charts/istiod-1.28.4.tgz + - https://istio-release.storage.googleapis.com/charts/gateway-1.28.4.tgz + - https://istio-release.storage.googleapis.com/charts/cni-1.28.4.tgz + - https://istio-release.storage.googleapis.com/charts/ztunnel-1.28.4.tgz + - name: v1.28.3 + version: 1.28.3 + repo: https://github.com/istio/istio + commit: 1.28.3 + charts: + - https://istio-release.storage.googleapis.com/charts/base-1.28.3.tgz + - https://istio-release.storage.googleapis.com/charts/istiod-1.28.3.tgz + - https://istio-release.storage.googleapis.com/charts/gateway-1.28.3.tgz + - https://istio-release.storage.googleapis.com/charts/cni-1.28.3.tgz + - https://istio-release.storage.googleapis.com/charts/ztunnel-1.28.3.tgz + - name: v1.28.2 + version: 1.28.2 + repo: https://github.com/istio/istio + commit: 1.28.2 + charts: + - https://istio-release.storage.googleapis.com/charts/base-1.28.2.tgz + - https://istio-release.storage.googleapis.com/charts/istiod-1.28.2.tgz + - https://istio-release.storage.googleapis.com/charts/gateway-1.28.2.tgz + - https://istio-release.storage.googleapis.com/charts/cni-1.28.2.tgz + - https://istio-release.storage.googleapis.com/charts/ztunnel-1.28.2.tgz + - name: v1.28.1 + version: 1.28.1 + repo: https://github.com/istio/istio + commit: 1.28.1 + charts: + - https://istio-release.storage.googleapis.com/charts/base-1.28.1.tgz + - https://istio-release.storage.googleapis.com/charts/istiod-1.28.1.tgz + - https://istio-release.storage.googleapis.com/charts/gateway-1.28.1.tgz + - https://istio-release.storage.googleapis.com/charts/cni-1.28.1.tgz + - https://istio-release.storage.googleapis.com/charts/ztunnel-1.28.1.tgz + - name: v1.28.0 + version: 1.28.0 + repo: https://github.com/istio/istio + commit: 1.28.0 + charts: + - https://istio-release.storage.googleapis.com/charts/base-1.28.0.tgz + - https://istio-release.storage.googleapis.com/charts/istiod-1.28.0.tgz + - https://istio-release.storage.googleapis.com/charts/gateway-1.28.0.tgz + - https://istio-release.storage.googleapis.com/charts/cni-1.28.0.tgz + - https://istio-release.storage.googleapis.com/charts/ztunnel-1.28.0.tgz + - name: v1.27-latest + ref: v1.27.8 + - name: v1.27.8 + version: 1.27.8 + repo: https://github.com/istio/istio + commit: 1.27.8 + charts: + - https://istio-release.storage.googleapis.com/charts/base-1.27.8.tgz + - https://istio-release.storage.googleapis.com/charts/istiod-1.27.8.tgz + - https://istio-release.storage.googleapis.com/charts/gateway-1.27.8.tgz + - https://istio-release.storage.googleapis.com/charts/cni-1.27.8.tgz + - https://istio-release.storage.googleapis.com/charts/ztunnel-1.27.8.tgz + - name: v1.27.7 + version: 1.27.7 + repo: https://github.com/istio/istio + commit: 1.27.7 + charts: + - https://istio-release.storage.googleapis.com/charts/base-1.27.7.tgz + - https://istio-release.storage.googleapis.com/charts/istiod-1.27.7.tgz + - https://istio-release.storage.googleapis.com/charts/gateway-1.27.7.tgz + - https://istio-release.storage.googleapis.com/charts/cni-1.27.7.tgz + - https://istio-release.storage.googleapis.com/charts/ztunnel-1.27.7.tgz + - name: v1.27.6 + version: 1.27.6 + repo: https://github.com/istio/istio + commit: 1.27.6 + charts: + - https://istio-release.storage.googleapis.com/charts/base-1.27.6.tgz + - https://istio-release.storage.googleapis.com/charts/istiod-1.27.6.tgz + - https://istio-release.storage.googleapis.com/charts/gateway-1.27.6.tgz + - https://istio-release.storage.googleapis.com/charts/cni-1.27.6.tgz + - https://istio-release.storage.googleapis.com/charts/ztunnel-1.27.6.tgz + - name: v1.27.5 + version: 1.27.5 + repo: https://github.com/istio/istio + commit: 1.27.5 + charts: + - https://istio-release.storage.googleapis.com/charts/base-1.27.5.tgz + - https://istio-release.storage.googleapis.com/charts/istiod-1.27.5.tgz + - https://istio-release.storage.googleapis.com/charts/gateway-1.27.5.tgz + - https://istio-release.storage.googleapis.com/charts/cni-1.27.5.tgz + - https://istio-release.storage.googleapis.com/charts/ztunnel-1.27.5.tgz + - name: v1.27.4 + version: 1.27.4 + repo: https://github.com/istio/istio + commit: 1.27.4 + charts: + - https://istio-release.storage.googleapis.com/charts/base-1.27.4.tgz + - https://istio-release.storage.googleapis.com/charts/istiod-1.27.4.tgz + - https://istio-release.storage.googleapis.com/charts/gateway-1.27.4.tgz + - https://istio-release.storage.googleapis.com/charts/cni-1.27.4.tgz + - https://istio-release.storage.googleapis.com/charts/ztunnel-1.27.4.tgz + - name: v1.27.3 + version: 1.27.3 + repo: https://github.com/istio/istio + commit: 1.27.3 + charts: + - https://istio-release.storage.googleapis.com/charts/base-1.27.3.tgz + - https://istio-release.storage.googleapis.com/charts/istiod-1.27.3.tgz + - https://istio-release.storage.googleapis.com/charts/gateway-1.27.3.tgz + - https://istio-release.storage.googleapis.com/charts/cni-1.27.3.tgz + - https://istio-release.storage.googleapis.com/charts/ztunnel-1.27.3.tgz + - name: v1.27.2 + version: 1.27.2 + repo: https://github.com/istio/istio + commit: 1.27.2 + charts: + - https://istio-release.storage.googleapis.com/charts/base-1.27.2.tgz + - https://istio-release.storage.googleapis.com/charts/istiod-1.27.2.tgz + - https://istio-release.storage.googleapis.com/charts/gateway-1.27.2.tgz + - https://istio-release.storage.googleapis.com/charts/cni-1.27.2.tgz + - https://istio-release.storage.googleapis.com/charts/ztunnel-1.27.2.tgz + - name: v1.27.1 + version: 1.27.1 + repo: https://github.com/istio/istio + commit: 1.27.1 + charts: + - https://istio-release.storage.googleapis.com/charts/base-1.27.1.tgz + - https://istio-release.storage.googleapis.com/charts/istiod-1.27.1.tgz + - https://istio-release.storage.googleapis.com/charts/gateway-1.27.1.tgz + - https://istio-release.storage.googleapis.com/charts/cni-1.27.1.tgz + - https://istio-release.storage.googleapis.com/charts/ztunnel-1.27.1.tgz + - name: v1.27.0 + version: 1.27.0 + repo: https://github.com/istio/istio + commit: 1.27.0 + charts: + - https://istio-release.storage.googleapis.com/charts/base-1.27.0.tgz + - https://istio-release.storage.googleapis.com/charts/istiod-1.27.0.tgz + - https://istio-release.storage.googleapis.com/charts/gateway-1.27.0.tgz + - https://istio-release.storage.googleapis.com/charts/cni-1.27.0.tgz + - https://istio-release.storage.googleapis.com/charts/ztunnel-1.27.0.tgz + - name: v1.26-latest + ref: v1.26.8 + - name: v1.26.8 + version: 1.26.8 + repo: https://github.com/istio/istio + commit: 1.26.8 + charts: + - https://istio-release.storage.googleapis.com/charts/base-1.26.8.tgz + - https://istio-release.storage.googleapis.com/charts/istiod-1.26.8.tgz + - https://istio-release.storage.googleapis.com/charts/gateway-1.26.8.tgz + - https://istio-release.storage.googleapis.com/charts/cni-1.26.8.tgz + - https://istio-release.storage.googleapis.com/charts/ztunnel-1.26.8.tgz + - name: v1.26.7 + version: 1.26.7 + repo: https://github.com/istio/istio + commit: 1.26.7 + charts: + - https://istio-release.storage.googleapis.com/charts/base-1.26.7.tgz + - https://istio-release.storage.googleapis.com/charts/istiod-1.26.7.tgz + - https://istio-release.storage.googleapis.com/charts/gateway-1.26.7.tgz + - https://istio-release.storage.googleapis.com/charts/cni-1.26.7.tgz + - https://istio-release.storage.googleapis.com/charts/ztunnel-1.26.7.tgz + - name: v1.26.6 + version: 1.26.6 + repo: https://github.com/istio/istio + commit: 1.26.6 + charts: + - https://istio-release.storage.googleapis.com/charts/base-1.26.6.tgz + - https://istio-release.storage.googleapis.com/charts/istiod-1.26.6.tgz + - https://istio-release.storage.googleapis.com/charts/gateway-1.26.6.tgz + - https://istio-release.storage.googleapis.com/charts/cni-1.26.6.tgz + - https://istio-release.storage.googleapis.com/charts/ztunnel-1.26.6.tgz + - name: v1.26.5 + version: 1.26.5 + repo: https://github.com/istio/istio + commit: 1.26.5 + charts: + - https://istio-release.storage.googleapis.com/charts/base-1.26.5.tgz + - https://istio-release.storage.googleapis.com/charts/istiod-1.26.5.tgz + - https://istio-release.storage.googleapis.com/charts/gateway-1.26.5.tgz + - https://istio-release.storage.googleapis.com/charts/cni-1.26.5.tgz + - https://istio-release.storage.googleapis.com/charts/ztunnel-1.26.5.tgz + - name: v1.26.4 + version: 1.26.4 + repo: https://github.com/istio/istio + commit: 1.26.4 + charts: + - https://istio-release.storage.googleapis.com/charts/base-1.26.4.tgz + - https://istio-release.storage.googleapis.com/charts/istiod-1.26.4.tgz + - https://istio-release.storage.googleapis.com/charts/gateway-1.26.4.tgz + - https://istio-release.storage.googleapis.com/charts/cni-1.26.4.tgz + - https://istio-release.storage.googleapis.com/charts/ztunnel-1.26.4.tgz + - name: v1.26.3 + version: 1.26.3 + repo: https://github.com/istio/istio + commit: 1.26.3 + charts: + - https://istio-release.storage.googleapis.com/charts/base-1.26.3.tgz + - https://istio-release.storage.googleapis.com/charts/istiod-1.26.3.tgz + - https://istio-release.storage.googleapis.com/charts/gateway-1.26.3.tgz + - https://istio-release.storage.googleapis.com/charts/cni-1.26.3.tgz + - https://istio-release.storage.googleapis.com/charts/ztunnel-1.26.3.tgz + - name: v1.26.2 + version: 1.26.2 + repo: https://github.com/istio/istio + commit: 1.26.2 + charts: + - https://istio-release.storage.googleapis.com/charts/base-1.26.2.tgz + - https://istio-release.storage.googleapis.com/charts/istiod-1.26.2.tgz + - https://istio-release.storage.googleapis.com/charts/gateway-1.26.2.tgz + - https://istio-release.storage.googleapis.com/charts/cni-1.26.2.tgz + - https://istio-release.storage.googleapis.com/charts/ztunnel-1.26.2.tgz + - name: v1.26.1 + version: 1.26.1 + repo: https://github.com/istio/istio + commit: 1.26.1 + charts: + - https://istio-release.storage.googleapis.com/charts/base-1.26.1.tgz + - https://istio-release.storage.googleapis.com/charts/istiod-1.26.1.tgz + - https://istio-release.storage.googleapis.com/charts/gateway-1.26.1.tgz + - https://istio-release.storage.googleapis.com/charts/cni-1.26.1.tgz + - https://istio-release.storage.googleapis.com/charts/ztunnel-1.26.1.tgz + - name: v1.26.0 + version: 1.26.0 + repo: https://github.com/istio/istio + commit: 1.26.0 + charts: + - https://istio-release.storage.googleapis.com/charts/base-1.26.0.tgz + - https://istio-release.storage.googleapis.com/charts/istiod-1.26.0.tgz + - https://istio-release.storage.googleapis.com/charts/gateway-1.26.0.tgz + - https://istio-release.storage.googleapis.com/charts/cni-1.26.0.tgz + - https://istio-release.storage.googleapis.com/charts/ztunnel-1.26.0.tgz + - name: v1.25-latest + ref: v1.25.5 + eol: true + - name: v1.25.5 + eol: true + - name: v1.25.4 + eol: true + - name: v1.25.3 + eol: true + - name: v1.25.2 + eol: true + - name: v1.25.1 + eol: true + - name: v1.24-latest + ref: v1.24.6 + eol: true + - name: v1.24.6 + eol: true + - name: v1.24.5 + eol: true + - name: v1.24.4 + eol: true + - name: v1.24.3 + eol: true + - name: v1.24.2 + eol: true + - name: v1.24.1 + eol: true + - name: v1.24.0 + eol: true + - name: v1.23-latest + ref: v1.23.6 + eol: true + - name: v1.23.6 + eol: true + - name: v1.23.5 + eol: true + - name: v1.23.4 + eol: true + - name: v1.23.3 + eol: true + - name: v1.23.2 + eol: true + - name: v1.22-latest + ref: v1.22.8 + eol: true + - name: v1.22.8 + eol: true + - name: v1.22.7 + eol: true + - name: v1.22.6 + eol: true + - name: v1.22.5 + eol: true + - name: v1.21.6 + eol: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/kube/finalizers.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/kube/finalizers.go new file mode 100644 index 0000000000..79db46cf2d --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/kube/finalizers.go @@ -0,0 +1,79 @@ +// Copyright Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package kube + +import ( + "context" + "fmt" + "slices" + "time" + + "k8s.io/apimachinery/pkg/api/errors" + ctrl "sigs.k8s.io/controller-runtime" + "sigs.k8s.io/controller-runtime/pkg/client" + logf "sigs.k8s.io/controller-runtime/pkg/log" + + "istio.io/istio/pkg/util/sets" +) + +const conflictRequeueDelay = 2 * time.Second + +func HasFinalizer(obj client.Object, finalizer string) bool { + return slices.Contains(obj.GetFinalizers(), finalizer) +} + +func RemoveFinalizer(ctx context.Context, cl client.Client, obj client.Object, finalizer string) (ctrl.Result, error) { + log := logf.FromContext(ctx).WithValues("finalizer", finalizer) + + finalizers := sets.New(obj.GetFinalizers()...) + finalizers.Delete(finalizer) + obj.SetFinalizers(finalizers.UnsortedList()) + + err := cl.Update(ctx, obj) + if errors.IsNotFound(err) { + log.Info("Resource no longer exists; no need to remove finalizer") + return ctrl.Result{}, nil + } else if errors.IsConflict(err) { + log.Info("Conflict while removing finalizer; will retry") + return ctrl.Result{RequeueAfter: conflictRequeueDelay}, nil + } else if err != nil { + return ctrl.Result{}, fmt.Errorf("could not remove finalizer from %s/%s: %w", obj.GetNamespace(), obj.GetName(), err) + } + + log.Info("Removed finalizer") + return ctrl.Result{}, nil +} + +func AddFinalizer(ctx context.Context, cl client.Client, obj client.Object, finalizer string) (ctrl.Result, error) { + log := logf.FromContext(ctx).WithValues("finalizer", finalizer) + + finalizers := sets.New(obj.GetFinalizers()...) + finalizers.Insert(finalizer) + obj.SetFinalizers(finalizers.UnsortedList()) + + err := cl.Update(ctx, obj) + if errors.IsNotFound(err) { + log.Info("Resource no longer exists; no need to add finalizer") + return ctrl.Result{}, nil + } else if errors.IsConflict(err) { + log.Info("Conflict while adding finalizer; will retry") + return ctrl.Result{RequeueAfter: conflictRequeueDelay}, nil + } else if err != nil { + return ctrl.Result{}, fmt.Errorf("could not add finalizer to %s/%s: %w", obj.GetNamespace(), obj.GetName(), err) + } + + log.Info("Added finalizer") + return ctrl.Result{}, nil +} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/kube/key.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/kube/key.go new file mode 100644 index 0000000000..98e3f19469 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/kube/key.go @@ -0,0 +1,27 @@ +// Copyright Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package kube + +import "sigs.k8s.io/controller-runtime/pkg/client" + +// Key returns the client.ObjectKey for the given name and namespace. If no namespace is provided, it returns a key cluster scoped +func Key(name string, namespace ...string) client.ObjectKey { + if len(namespace) > 1 { + panic("you can only provide one namespace") + } else if len(namespace) == 1 { + return client.ObjectKey{Name: name, Namespace: namespace[0]} + } + return client.ObjectKey{Name: name} +} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/kube/status_patch.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/kube/status_patch.go new file mode 100644 index 0000000000..e6af587b7a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/kube/status_patch.go @@ -0,0 +1,52 @@ +// Copyright Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package kube + +import ( + "encoding/json" + + "gomodules.xyz/jsonpatch/v2" + "k8s.io/apimachinery/pkg/types" + "sigs.k8s.io/controller-runtime/pkg/client" +) + +type StatusPatch struct { + status any +} + +func NewStatusPatch(status any) *StatusPatch { + return &StatusPatch{ + status: status, + } +} + +func (p *StatusPatch) Type() types.PatchType { + return types.JSONPatchType +} + +func (p *StatusPatch) Data(obj client.Object) ([]byte, error) { + data := []jsonpatch.Operation{ + { + Operation: "replace", + Path: "/status", + Value: p.status, + }, + } + statusJSON, err := json.Marshal(data) + if err != nil { + return nil, err + } + return statusJSON, nil +} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/reconcile/cni.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/reconcile/cni.go new file mode 100644 index 0000000000..e86f519220 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/reconcile/cni.go @@ -0,0 +1,158 @@ +// Copyright Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package reconcile + +import ( + "context" + "fmt" + + v1 "github.com/istio-ecosystem/sail-operator/api/v1" + "github.com/istio-ecosystem/sail-operator/pkg/config" + "github.com/istio-ecosystem/sail-operator/pkg/helm" + "github.com/istio-ecosystem/sail-operator/pkg/istiovalues" + "github.com/istio-ecosystem/sail-operator/pkg/istioversion" + "github.com/istio-ecosystem/sail-operator/pkg/reconciler" + "github.com/istio-ecosystem/sail-operator/pkg/validation" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "sigs.k8s.io/controller-runtime/pkg/client" +) + +const ( + cniReleaseName = "istio-cni" + cniChartName = "cni" +) + +// CNIReconciler handles reconciliation of the istio-cni component. +type CNIReconciler struct { + cfg Config + client client.Client +} + +// NewCNIReconciler creates a new CNIReconciler. +func NewCNIReconciler(cfg Config, client client.Client) *CNIReconciler { + return &CNIReconciler{ + cfg: cfg, + client: client, + } +} + +// Validate performs general validation of the CNI specification. +// This includes basic field validation and Kubernetes API checks (namespace exists). +func (r *CNIReconciler) Validate(ctx context.Context, version, namespace string) error { + if version == "" { + return reconciler.NewValidationError("version not set") + } + if namespace == "" { + return reconciler.NewValidationError("namespace not set") + } + + // Validate target namespace exists + if err := validation.ValidateTargetNamespace(ctx, r.client, namespace); err != nil { + return err + } + + return nil +} + +// ComputeValues computes the final Helm values by applying digests, vendor defaults, and profiles. +func (r *CNIReconciler) ComputeValues(version string, userValues *v1.CNIValues, profile string) (helm.Values, error) { + resolvedVersion, err := istioversion.Resolve(version) + if err != nil { + return nil, fmt.Errorf("failed to resolve CNI version: %w", err) + } + + // Apply image digests from configuration, if not already set by user + userValues = ApplyCNIImageDigests(resolvedVersion, userValues, config.Config) + + // Apply vendor-specific default values + userValues, err = istiovalues.ApplyIstioCNIVendorDefaults(resolvedVersion, userValues) + if err != nil { + return nil, fmt.Errorf("failed to apply vendor defaults: %w", err) + } + + // Apply userValues on top of defaultValues from profiles + mergedHelmValues, err := istiovalues.ApplyProfilesAndPlatform( + r.cfg.ResourceFS, resolvedVersion, r.cfg.Platform, r.cfg.DefaultProfile, profile, helm.FromValues(userValues)) + if err != nil { + return nil, fmt.Errorf("failed to apply profile: %w", err) + } + + return mergedHelmValues, nil +} + +// Install installs or upgrades the istio-cni Helm chart. +func (r *CNIReconciler) Install(ctx context.Context, version, namespace string, values *v1.CNIValues, profile string, ownerRef *metav1.OwnerReference) error { + mergedHelmValues, err := r.ComputeValues(version, values, profile) + if err != nil { + return err + } + + resolvedVersion, err := istioversion.Resolve(version) + if err != nil { + return fmt.Errorf("failed to resolve CNI version: %w", err) + } + + chartPath := GetChartPath(resolvedVersion, cniChartName) + _, err = r.cfg.ChartManager.UpgradeOrInstallChart( + ctx, + r.cfg.ResourceFS, + chartPath, + mergedHelmValues, + namespace, + cniReleaseName, + ownerRef, + ) + if err != nil { + return fmt.Errorf("failed to install/update Helm chart %q: %w", cniChartName, err) + } + return nil +} + +// Uninstall removes the istio-cni Helm chart. +func (r *CNIReconciler) Uninstall(ctx context.Context, namespace string) error { + _, err := r.cfg.ChartManager.UninstallChart(ctx, cniReleaseName, namespace) + if err != nil { + return fmt.Errorf("failed to uninstall Helm chart %q: %w", cniChartName, err) + } + return nil +} + +// ApplyCNIImageDigests applies image digests to CNI values if not already set by user. +// This function is exported for use by the controller and library. +func ApplyCNIImageDigests(version string, values *v1.CNIValues, cfg config.OperatorConfig) *v1.CNIValues { + imageDigests, digestsDefined := cfg.ImageDigests[version] + // if we don't have default image digests defined for this version, it's a no-op + if !digestsDefined { + return values + } + + // if a global hub or tag value is configured by the user, don't set image digests + if values != nil && values.Global != nil && (values.Global.Hub != nil || values.Global.Tag != nil) { + return values + } + + if values == nil { + values = &v1.CNIValues{} + } + + // set image digest unless any part of the image has been configured by the user + if values.Cni == nil { + values.Cni = &v1.CNIConfig{} + } + if values.Cni.Image == nil && values.Cni.Hub == nil && values.Cni.Tag == nil { + values.Cni.Image = &imageDigests.CNIImage + } + return values +} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/reconcile/common.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/reconcile/common.go new file mode 100644 index 0000000000..047cc835a4 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/reconcile/common.go @@ -0,0 +1,51 @@ +// Copyright Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Package reconcile provides shared reconciliation logic for Istio components. +// It is used by both the operator controllers and the install library to ensure +// consistent behavior across different deployment modes. +package reconcile + +import ( + "io/fs" + "path" + + "github.com/istio-ecosystem/sail-operator/pkg/config" + "github.com/istio-ecosystem/sail-operator/pkg/helm" +) + +// Config holds configuration needed for component reconciliation. +// It contains all the dependencies required by reconcilers to validate, +// compute values, and install Helm charts. +type Config struct { + // ResourceFS is the filesystem containing Istio charts and profiles + ResourceFS fs.FS + + // Platform is the target Kubernetes platform (e.g., OpenShift, vanilla Kubernetes) + Platform config.Platform + + // DefaultProfile is the base profile applied before user-selected profiles + DefaultProfile string + + // OperatorNamespace is the namespace where the operator is running + OperatorNamespace string + + // ChartManager handles Helm chart installation and upgrades + ChartManager *helm.ChartManager +} + +// GetChartPath returns the path to a chart for a given version. +func GetChartPath(version, chartName string) string { + return path.Join(version, "charts", chartName) +} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/reconcile/istiod.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/reconcile/istiod.go new file mode 100644 index 0000000000..752b91f6ab --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/reconcile/istiod.go @@ -0,0 +1,138 @@ +// Copyright Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package reconcile + +import ( + "context" + "fmt" + + v1 "github.com/istio-ecosystem/sail-operator/api/v1" + "github.com/istio-ecosystem/sail-operator/pkg/constants" + "github.com/istio-ecosystem/sail-operator/pkg/helm" + "github.com/istio-ecosystem/sail-operator/pkg/reconciler" + "github.com/istio-ecosystem/sail-operator/pkg/validation" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "sigs.k8s.io/controller-runtime/pkg/client" +) + +// IstiodReconciler handles reconciliation of the istiod component. +type IstiodReconciler struct { + cfg Config + client client.Client +} + +// NewIstiodReconciler creates a new IstiodReconciler. +func NewIstiodReconciler(cfg Config, client client.Client) *IstiodReconciler { + return &IstiodReconciler{ + cfg: cfg, + client: client, + } +} + +// Validate performs general validation of the istiod specification. +// This includes basic field validation and Kubernetes API checks (namespace exists). +// CRD-specific validations (revision name consistency, IstioRevisionTag conflicts) +// should be performed by the controller before calling this method. +func (r *IstiodReconciler) Validate(ctx context.Context, version, namespace string, values *v1.Values) error { + if version == "" { + return reconciler.NewValidationError("version not set") + } + if namespace == "" { + return reconciler.NewValidationError("namespace not set") + } + if values == nil { + return reconciler.NewValidationError("values not set") + } + + // Validate target namespace exists + if err := validation.ValidateTargetNamespace(ctx, r.client, namespace); err != nil { + return err + } + + return nil +} + +// Install installs or upgrades the istiod Helm charts. +func (r *IstiodReconciler) Install( + ctx context.Context, + version, namespace string, + values *v1.Values, + revisionName string, + ownerRef *metav1.OwnerReference, +) error { + helmValues := helm.FromValues(values) + + // Install istiod chart + istiodChartPath := GetChartPath(version, constants.IstiodChartName) + istiodReleaseName := getReleaseName(revisionName, constants.IstiodChartName) + + _, err := r.cfg.ChartManager.UpgradeOrInstallChart( + ctx, + r.cfg.ResourceFS, + istiodChartPath, + helmValues, + namespace, + istiodReleaseName, + ownerRef, + ) + if err != nil { + return fmt.Errorf("failed to install/update Helm chart %q: %w", constants.IstiodChartName, err) + } + + // Install base chart for default revision + if revisionName == v1.DefaultRevision { + baseChartPath := GetChartPath(version, constants.BaseChartName) + baseReleaseName := getReleaseName(revisionName, constants.BaseChartName) + + _, err := r.cfg.ChartManager.UpgradeOrInstallChart( + ctx, + r.cfg.ResourceFS, + baseChartPath, + helmValues, + r.cfg.OperatorNamespace, + baseReleaseName, + ownerRef, + ) + if err != nil { + return fmt.Errorf("failed to install/update Helm chart %q: %w", constants.BaseChartName, err) + } + } + + return nil +} + +// Uninstall removes the istiod Helm charts. +func (r *IstiodReconciler) Uninstall(ctx context.Context, namespace, revisionName string) error { + // Uninstall istiod chart + istiodReleaseName := getReleaseName(revisionName, constants.IstiodChartName) + if _, err := r.cfg.ChartManager.UninstallChart(ctx, istiodReleaseName, namespace); err != nil { + return fmt.Errorf("failed to uninstall Helm chart %q: %w", constants.IstiodChartName, err) + } + + // Uninstall base chart for default revision + if revisionName == v1.DefaultRevision { + baseReleaseName := getReleaseName(revisionName, constants.BaseChartName) + if _, err := r.cfg.ChartManager.UninstallChart(ctx, baseReleaseName, r.cfg.OperatorNamespace); err != nil { + return fmt.Errorf("failed to uninstall Helm chart %q: %w", constants.BaseChartName, err) + } + } + + return nil +} + +// getReleaseName returns the Helm release name for a given revision and chart. +func getReleaseName(revisionName, chartName string) string { + return fmt.Sprintf("%s-%s", revisionName, chartName) +} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/reconcile/ztunnel.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/reconcile/ztunnel.go new file mode 100644 index 0000000000..7abe0ec852 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/reconcile/ztunnel.go @@ -0,0 +1,171 @@ +// Copyright Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package reconcile + +import ( + "context" + "fmt" + + v1 "github.com/istio-ecosystem/sail-operator/api/v1" + "github.com/istio-ecosystem/sail-operator/pkg/config" + "github.com/istio-ecosystem/sail-operator/pkg/helm" + "github.com/istio-ecosystem/sail-operator/pkg/istiovalues" + "github.com/istio-ecosystem/sail-operator/pkg/istioversion" + "github.com/istio-ecosystem/sail-operator/pkg/reconciler" + "github.com/istio-ecosystem/sail-operator/pkg/validation" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "sigs.k8s.io/controller-runtime/pkg/client" +) + +const ( + ztunnelReleaseName = "ztunnel" + ztunnelChartName = "ztunnel" + ztunnelProfile = "ambient" +) + +// ZTunnelReconciler handles reconciliation of the ztunnel component. +type ZTunnelReconciler struct { + cfg Config + client client.Client +} + +// NewZTunnelReconciler creates a new ZTunnelReconciler. +func NewZTunnelReconciler(cfg Config, client client.Client) *ZTunnelReconciler { + return &ZTunnelReconciler{ + cfg: cfg, + client: client, + } +} + +// Validate performs general validation of the ZTunnel specification. +// This includes basic field validation and Kubernetes API checks (namespace exists). +func (r *ZTunnelReconciler) Validate(ctx context.Context, version, namespace string) error { + if version == "" { + return reconciler.NewValidationError("version not set") + } + if namespace == "" { + return reconciler.NewValidationError("namespace not set") + } + + // Validate target namespace exists + if err := validation.ValidateTargetNamespace(ctx, r.client, namespace); err != nil { + return err + } + + return nil +} + +// ComputeValues computes the final Helm values by applying digests, profiles, and user overrides. +func (r *ZTunnelReconciler) ComputeValues(version string, userValues *v1.ZTunnelValues) (helm.Values, error) { + resolvedVersion, err := istioversion.Resolve(version) + if err != nil { + return nil, fmt.Errorf("failed to resolve ZTunnel version: %w", err) + } + + if userValues == nil { + userValues = &v1.ZTunnelValues{} + } + + // Apply image digests from configuration, if not already set by user + userValues = ApplyZTunnelImageDigests(resolvedVersion, userValues, config.Config) + + // Apply userValues on top of defaultValues from profiles + mergedHelmValues, err := istiovalues.ApplyProfilesAndPlatform( + r.cfg.ResourceFS, resolvedVersion, r.cfg.Platform, r.cfg.DefaultProfile, ztunnelProfile, helm.FromValues(userValues)) + if err != nil { + return nil, fmt.Errorf("failed to apply profile: %w", err) + } + + mergedHelmValues, err = istiovalues.ApplyZTunnelFipsValues(mergedHelmValues) + if err != nil { + return nil, fmt.Errorf("failed to apply FIPS values: %w", err) + } + + // Apply any user Overrides configured as part of values.ztunnel + // This step was not required for the IstioCNI resource because the Helm templates[*] automatically override values.cni + // [*]https://github.com/istio/istio/blob/0200fd0d4c3963a72f36987c2e8c2887df172abf/manifests/charts/istio-cni/templates/zzy_descope_legacy.yaml#L3 + // However, ztunnel charts do not have such a file, hence we are manually applying the mergeOperation here. + finalHelmValues, err := istiovalues.ApplyUserValues(helm.FromValues(mergedHelmValues), helm.FromValues(userValues.ZTunnel)) + if err != nil { + return nil, fmt.Errorf("failed to apply user overrides: %w", err) + } + + return finalHelmValues, nil +} + +// Install installs or upgrades the ztunnel Helm chart. +func (r *ZTunnelReconciler) Install(ctx context.Context, version, namespace string, values *v1.ZTunnelValues, ownerRef *metav1.OwnerReference) error { + finalHelmValues, err := r.ComputeValues(version, values) + if err != nil { + return err + } + + resolvedVersion, err := istioversion.Resolve(version) + if err != nil { + return fmt.Errorf("failed to resolve ZTunnel version: %w", err) + } + + chartPath := GetChartPath(resolvedVersion, ztunnelChartName) + _, err = r.cfg.ChartManager.UpgradeOrInstallChart( + ctx, + r.cfg.ResourceFS, + chartPath, + finalHelmValues, + namespace, + ztunnelReleaseName, + ownerRef, + ) + if err != nil { + return fmt.Errorf("failed to install/update Helm chart %q: %w", ztunnelChartName, err) + } + return nil +} + +// Uninstall removes the ztunnel Helm chart. +func (r *ZTunnelReconciler) Uninstall(ctx context.Context, namespace string) error { + _, err := r.cfg.ChartManager.UninstallChart(ctx, ztunnelReleaseName, namespace) + if err != nil { + return fmt.Errorf("failed to uninstall Helm chart %q: %w", ztunnelChartName, err) + } + return nil +} + +// ApplyZTunnelImageDigests applies image digests to ZTunnel values if not already set by user. +// This function is exported for use by the controller and library. +func ApplyZTunnelImageDigests(version string, values *v1.ZTunnelValues, cfg config.OperatorConfig) *v1.ZTunnelValues { + imageDigests, digestsDefined := cfg.ImageDigests[version] + // if we don't have default image digests defined for this version, it's a no-op + if !digestsDefined { + return values + } + + // if a global hub or tag value is configured by the user, don't set image digests + if values != nil && values.Global != nil && (values.Global.Hub != nil || values.Global.Tag != nil) { + return values + } + + if values == nil { + values = &v1.ZTunnelValues{} + } + + // set image digest unless any part of the image has been configured by the user + if values.ZTunnel == nil { + values.ZTunnel = &v1.ZTunnelConfig{} + } + if values.ZTunnel.Image == nil && values.ZTunnel.Hub == nil && values.ZTunnel.Tag == nil { + values.ZTunnel.Image = &imageDigests.ZTunnelImage + } + return values +} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/reconciler/errors.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/reconciler/errors.go new file mode 100644 index 0000000000..d295d5b191 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/reconciler/errors.go @@ -0,0 +1,79 @@ +// Copyright Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package reconciler + +import "errors" + +type ValidationError struct { + message string +} + +func (v ValidationError) Error() string { + return "validation error: " + v.message +} + +func NewValidationError(message string) error { + return &ValidationError{message: message} +} + +func IsValidationError(err error) bool { + e := &ValidationError{} + return errors.As(err, &e) +} + +// TransientError is an error returned by a Reconciler that will usually resolve itself when retrying, e.g. some resource not yet reconciled +type TransientError struct { + message string +} + +func (v TransientError) Error() string { + return "transient error: " + v.message +} + +func NewTransientError(message string) error { + return &TransientError{message: message} +} + +func IsTransientError(err error) bool { + e := &TransientError{} + return errors.As(err, &e) +} + +type NameAlreadyExistsError struct { + Message string + originalError error +} + +func (err NameAlreadyExistsError) Error() string { + return err.Message +} + +func (err NameAlreadyExistsError) Unwrap() error { + return err.originalError +} + +func NewNameAlreadyExistsError(message string, originalError error) NameAlreadyExistsError { + return NameAlreadyExistsError{ + Message: message, + originalError: originalError, + } +} + +func IsNameAlreadyExistsError(err error) bool { + if _, ok := err.(NameAlreadyExistsError); ok { + return true + } + return false +} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/reconciler/reconciler.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/reconciler/reconciler.go new file mode 100644 index 0000000000..b0b43002e4 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/reconciler/reconciler.go @@ -0,0 +1,118 @@ +// Copyright Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package reconciler + +import ( + "context" + "reflect" + "strings" + + "github.com/istio-ecosystem/sail-operator/pkg/kube" + "k8s.io/apimachinery/pkg/api/errors" + ctrl "sigs.k8s.io/controller-runtime" + "sigs.k8s.io/controller-runtime/pkg/client" + logf "sigs.k8s.io/controller-runtime/pkg/log" +) + +// ReconcileFunc is a function that reconciles an object. +type ReconcileFunc[T client.Object] func(ctx context.Context, obj T) (ctrl.Result, error) + +// FinalizeFunc is a function that finalizes an object. It does not remove the finalizer. +type FinalizeFunc[T client.Object] func(ctx context.Context, obj T) error + +// StandardReconciler encapsulates common reconciler behavior, allowing you to +// implement a reconciler simply by providing a ReconcileFunc and an optional +// FinalizeFunc. These functions are invoked at the appropriate time and are +// passed the object being reconciled. +type StandardReconciler[T client.Object] struct { + client client.Client + reconcile ReconcileFunc[T] + finalizer string + finalize FinalizeFunc[T] +} + +// NewStandardReconciler creates a new StandardReconciler for objects of the specified type. +func NewStandardReconciler[T client.Object](cl client.Client, reconcileFunc ReconcileFunc[T]) *StandardReconciler[T] { + return NewStandardReconcilerWithFinalizer[T](cl, reconcileFunc, nil, "") +} + +// NewStandardReconcilerWithFinalizer is similar to NewStandardReconciler, but also accepts a finalizer and a +// FinalizerFunc. +func NewStandardReconcilerWithFinalizer[T client.Object]( + cl client.Client, reconcileFunc ReconcileFunc[T], finalizeFunc FinalizeFunc[T], finalizer string, +) *StandardReconciler[T] { + return &StandardReconciler[T]{ + client: cl, + reconcile: reconcileFunc, + finalizer: finalizer, + finalize: finalizeFunc, + } +} + +// Reconcile reconciles the object. It first fetches the object from the client, then invokes the +// configured ReconcileFunc. If a finalizer is configured in the reconciler, and the object is new, +// this function adds the finalizer to the object. When the object is being deleted, this function +// invokes the configured FinalizerFunc and removes the finalizer afterward. +func (r *StandardReconciler[T]) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) { + log := logf.FromContext(ctx) + + obj := reflect.New(reflect.TypeOf(*new(T)).Elem()).Interface().(T) + if err := r.client.Get(ctx, req.NamespacedName, obj); err != nil { + if errors.IsNotFound(err) { + log.V(2).Info("Resource not found. Skipping reconciliation") + return ctrl.Result{}, nil + } + return ctrl.Result{}, err + } + + if !obj.GetDeletionTimestamp().IsZero() { + if r.finalizationEnabled() && kube.HasFinalizer(obj, r.finalizer) { + if err := r.finalize(ctx, obj); err != nil { + return ctrl.Result{}, err + } + return kube.RemoveFinalizer(ctx, r.client, obj, r.finalizer) + } + return ctrl.Result{}, nil + } + + if r.finalizationEnabled() && !kube.HasFinalizer(obj, r.finalizer) { + return kube.AddFinalizer(ctx, r.client, obj, r.finalizer) + } + + result, err := r.reconcile(ctx, obj) + switch { + case errors.IsForbidden(err) && strings.Contains(err.Error(), "RESTMapping"): + log.Info("APIServer seems to be not ready - RESTMapper of gc admission plugin is not up to date. Retrying...", "error", err) + return ctrl.Result{Requeue: true}, nil + case errors.IsConflict(err): + log.Info("Conflict detected. Retrying...") + return ctrl.Result{Requeue: true}, nil + case errors.IsNotFound(err): + log.Info("Resource not found. Retrying...", "error", err) + return ctrl.Result{Requeue: true}, nil + case IsTransientError(err): + log.Info("Reconciliation failed. Retrying...", "error", err) + return ctrl.Result{Requeue: true}, nil + case IsValidationError(err): + log.Info("Validation failed", "error", err) + return ctrl.Result{}, nil + default: + return result, err + } +} + +func (r *StandardReconciler[T]) finalizationEnabled() bool { + return r.finalizer != "" +} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/revision/dependency.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/revision/dependency.go new file mode 100644 index 0000000000..554faeabc7 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/revision/dependency.go @@ -0,0 +1,71 @@ +// Copyright Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package revision + +import ( + "io/fs" + + v1 "github.com/istio-ecosystem/sail-operator/api/v1" + "github.com/istio-ecosystem/sail-operator/pkg/config" +) + +type computeValuesFunc func(*v1.Values, string, string, config.Platform, string, string, fs.FS, string) (*v1.Values, error) + +var defaultComputeValues computeValuesFunc = ComputeValues + +// DependsOnIstioCNI returns true if CNI is enabled in the revision +func DependsOnIstioCNI(rev *v1.IstioRevision, cfg config.ReconcilerConfig) bool { + values, err := defaultComputeValues(rev.Spec.Values, rev.Spec.Namespace, rev.Spec.Version, + cfg.Platform, cfg.DefaultProfile, "", cfg.ResourceFS, rev.Name) + if err != nil || values == nil { + return false + } + global := values.Global + pilot := values.Pilot + + isOCPPlatform := global != nil && global.Platform != nil && *global.Platform == "openshift" + isCNIEnabled := pilot != nil && pilot.Cni != nil && pilot.Cni.Enabled != nil && *pilot.Cni.Enabled + isCNIExplicitlyDisabled := pilot != nil && pilot.Cni != nil && pilot.Cni.Enabled != nil && !*pilot.Cni.Enabled + + // For OpenShift: CNI is enabled by default unless explicitly disabled + // For non-OpenShift: CNI must be explicitly enabled + if isOCPPlatform { + return !isCNIExplicitlyDisabled + } + return isCNIEnabled +} + +// DependsOnZTunnel returns true if the revision is configured for ambient mode and requires ZTunnel +func DependsOnZTunnel(rev *v1.IstioRevision, cfg config.ReconcilerConfig) bool { + values, err := defaultComputeValues(rev.Spec.Values, rev.Spec.Namespace, rev.Spec.Version, + cfg.Platform, cfg.DefaultProfile, "", cfg.ResourceFS, rev.Name) + if err != nil || values == nil { + return false + } + + // Check if ambient mode is enabled via pilot.env.PILOT_ENABLE_AMBIENT + if values.Pilot != nil && values.Pilot.Env != nil { + if ambientEnabled, exists := values.Pilot.Env["PILOT_ENABLE_AMBIENT"]; exists && ambientEnabled == "true" { + return true + } + } + + // Also check if ambient profile is being used + if values.Profile != nil && *values.Profile == "ambient" { + return true + } + + return false +} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/revision/list.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/revision/list.go new file mode 100644 index 0000000000..50e5a693ea --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/revision/list.go @@ -0,0 +1,52 @@ +// Copyright Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package revision + +import ( + "context" + "fmt" + + v1 "github.com/istio-ecosystem/sail-operator/api/v1" + "k8s.io/apimachinery/pkg/types" + "sigs.k8s.io/controller-runtime/pkg/client" +) + +// ListOwned returns all IstioRevisions owned by the given owner. +func ListOwned(ctx context.Context, cl client.Client, ownerUID types.UID) ([]v1.IstioRevision, error) { + revList := v1.IstioRevisionList{} + if err := cl.List(ctx, &revList); err != nil { + return nil, fmt.Errorf("list failed: %w", err) + } + + var revisions []v1.IstioRevision + for _, rev := range revList.Items { + if isOwnedRevision(rev, ownerUID) { + revisions = append(revisions, rev) + } + } + return revisions, nil +} + +func isOwnedRevision(rev v1.IstioRevision, ownerUID types.UID) bool { + if ownerUID == "" { + panic("resource has no UID; did you forget to set it in your test?") + } + for _, owner := range rev.OwnerReferences { + if owner.UID == ownerUID { + return true + } + } + return false +} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/revision/prune.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/revision/prune.go new file mode 100644 index 0000000000..355e570d18 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/revision/prune.go @@ -0,0 +1,86 @@ +// Copyright Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package revision + +import ( + "context" + "fmt" + "time" + + v1 "github.com/istio-ecosystem/sail-operator/api/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/types" + ctrl "sigs.k8s.io/controller-runtime" + "sigs.k8s.io/controller-runtime/pkg/client" + logf "sigs.k8s.io/controller-runtime/pkg/log" +) + +// PruneInactive deletes IstioRevisions owned by the specified owner that are +// not in use and whose grace period has expired. +func PruneInactive(ctx context.Context, cl client.Client, ownerUID types.UID, activeRevisionName string, gracePeriod time.Duration) (ctrl.Result, error) { + log := logf.FromContext(ctx) + revisions, err := ListOwned(ctx, cl, ownerUID) + if err != nil { + return ctrl.Result{}, fmt.Errorf("failed to get revisions: %w", err) + } + + // the following code does two things: + // - prunes revisions whose grace period has expired + // - finds the time when the next revision is to be pruned + var nextPruneTimestamp *time.Time + for _, rev := range revisions { + if rev.Name == activeRevisionName { + log.V(2).Info("IstioRevision is the active revision", "IstioRevision", rev.Name) + continue + } + inUseCondition := rev.Status.GetCondition(v1.IstioRevisionConditionInUse) + + // Only prune revisions that are confirmed to be not in use (i.e., ConditionFalse). + // Skip revisions that are in use (ConditionTrue) or whose usage status is unknown (ConditionUnknown). + if inUseCondition.Status == metav1.ConditionTrue { + log.V(2).Info("IstioRevision is in use", "IstioRevision", rev.Name) + continue + } + if inUseCondition.Status != metav1.ConditionFalse { + log.V(2).Info("IstioRevision usage status is unknown, skipping pruning", "IstioRevision", rev.Name) + continue + } + + pruneTimestamp := inUseCondition.LastTransitionTime.Time.Add(gracePeriod) + expired := pruneTimestamp.Before(time.Now()) + if expired { + log.Info("Deleting expired IstioRevision", "IstioRevision", rev.Name) + err = cl.Delete(ctx, &rev) + if err != nil { + return ctrl.Result{}, fmt.Errorf("delete failed: %w", err) + } + } else { + log.V(2).Info("IstioRevision is not in use, but hasn't yet expired", "IstioRevision", rev.Name, "InUseLastTransitionTime", inUseCondition.LastTransitionTime) + if nextPruneTimestamp == nil || nextPruneTimestamp.After(pruneTimestamp) { + nextPruneTimestamp = &pruneTimestamp + } + } + } + if nextPruneTimestamp == nil { + log.V(2).Info("No IstioRevisions to prune") + return ctrl.Result{}, nil + } + + requeueAfter := time.Until(*nextPruneTimestamp) + log.Info("Requeueing resource for cleanup of expired IstioRevision", "RequeueAfter", requeueAfter) + // requeue so that we prune the next revision at the right time (if we didn't, we would prune it when + // something else triggers another reconciliation) + return ctrl.Result{RequeueAfter: requeueAfter}, nil +} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/revision/reconcile.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/revision/reconcile.go new file mode 100644 index 0000000000..ceb78dee82 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/revision/reconcile.go @@ -0,0 +1,81 @@ +// Copyright Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package revision + +import ( + "context" + "fmt" + + v1 "github.com/istio-ecosystem/sail-operator/api/v1" + apierrors "k8s.io/apimachinery/pkg/api/errors" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/types" + "sigs.k8s.io/controller-runtime/pkg/client" + logf "sigs.k8s.io/controller-runtime/pkg/log" +) + +func CreateOrUpdate( + ctx context.Context, cl client.Client, revName string, version string, namespace string, + values *v1.Values, ownerRef metav1.OwnerReference, +) error { + log := logf.FromContext(ctx) + log = log.WithValues("IstioRevision", revName) + + rev, found, err := getRevision(ctx, cl, revName) + if err != nil { + return fmt.Errorf("failed to get active IstioRevision: %w", err) + } + + if found { + // update + rev.Spec.Version = version + rev.Spec.Values = values + log.Info("Updating IstioRevision") + if err = cl.Update(ctx, &rev); err != nil { + return fmt.Errorf("failed to update IstioRevision %q: %w", rev.Name, err) + } + } else { + // create new + rev = v1.IstioRevision{ + ObjectMeta: metav1.ObjectMeta{ + Name: revName, + OwnerReferences: []metav1.OwnerReference{ownerRef}, + }, + Spec: v1.IstioRevisionSpec{ + Version: version, + Namespace: namespace, + Values: values, + }, + } + log.Info("Creating IstioRevision") + if err = cl.Create(ctx, &rev); err != nil { + return fmt.Errorf("failed to create IstioRevision %q: %w", rev.Name, err) + } + } + return nil +} + +func getRevision(ctx context.Context, cl client.Client, name string) (rev v1.IstioRevision, found bool, err error) { + key := types.NamespacedName{Name: name} + rev = v1.IstioRevision{} + err = cl.Get(ctx, key, &rev) + if err != nil { + if apierrors.IsNotFound(err) { + return rev, false, nil + } + return rev, false, fmt.Errorf("get failed: %w", err) + } + return rev, true, nil +} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/revision/references.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/revision/references.go new file mode 100644 index 0000000000..c84879d7c1 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/revision/references.go @@ -0,0 +1,48 @@ +// Copyright Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package revision + +import ( + v1 "github.com/istio-ecosystem/sail-operator/api/v1" + "github.com/istio-ecosystem/sail-operator/pkg/constants" +) + +func GetReferencedRevisionFromNamespace(labels map[string]string) string { + // istio-injection label takes precedence over istio.io/rev + if labels[constants.IstioInjectionLabel] == constants.IstioInjectionEnabledValue { + return v1.DefaultRevision + } + return labels[constants.IstioRevLabel] + // TODO: if .Values.sidecarInjectorWebhook.enableNamespacesByDefault is true, then all namespaces except system namespaces should use the "default" revision +} + +func GetReferencedRevisionFromPod(podLabels map[string]string) string { + // we only look at pod labels to identify injection intent + if podLabels[constants.IstioSidecarInjectLabel] != "false" { + if rev := podLabels[constants.IstioRevLabel]; rev != "" { + return rev + } + if podLabels[constants.IstioSidecarInjectLabel] == "true" { + return v1.DefaultRevision + } + } + + return "" +} + +func GetInjectedRevisionFromPod(podAnnotations map[string]string) string { + // if pod was already injected, the revision that did the injection is specified in the istio.io/rev annotation + return podAnnotations[constants.IstioRevLabel] +} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/revision/remote.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/revision/remote.go new file mode 100644 index 0000000000..b632af2879 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/revision/remote.go @@ -0,0 +1,25 @@ +// Copyright Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package revision + +import v1 "github.com/istio-ecosystem/sail-operator/api/v1" + +// IsUsingRemoteControlPlane returns true if the IstioRevision is configured to +// connect to a remote rather than deploy a local control plane. +func IsUsingRemoteControlPlane(rev *v1.IstioRevision) bool { + // TODO: we should use values.istiodRemote.enabled instead of the profile, but we can't get the final set of values because of new profiles implementation + values := rev.Spec.Values + return values != nil && values.Profile != nil && *values.Profile == "remote" +} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/revision/values.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/revision/values.go new file mode 100644 index 0000000000..805d13cee4 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/revision/values.go @@ -0,0 +1,68 @@ +// Copyright Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package revision + +import ( + "fmt" + "io/fs" + + v1 "github.com/istio-ecosystem/sail-operator/api/v1" + "github.com/istio-ecosystem/sail-operator/pkg/config" + "github.com/istio-ecosystem/sail-operator/pkg/helm" + "github.com/istio-ecosystem/sail-operator/pkg/istiovalues" +) + +// ComputeValues computes the Istio Helm values for an IstioRevision as follows: +// - applies image digests from the operator configuration +// - applies vendor-specific default values +// - applies the user-provided values on top of the default values from the default and user-selected profiles +// - applies overrides that are not configurable by the user +// +// The resourceFS parameter accepts any fs.FS implementation (embed.FS, os.DirFS, etc.). +func ComputeValues( + userValues *v1.Values, namespace string, version string, + platform config.Platform, defaultProfile, userProfile string, resourceFS fs.FS, + activeRevisionName string, +) (*v1.Values, error) { + // apply image digests from configuration, if not already set by user + userValues = istiovalues.ApplyDigests(version, userValues, config.Config) + + // apply vendor-specific default values + userValues, err := istiovalues.ApplyIstioVendorDefaults(version, userValues) + if err != nil { + return nil, fmt.Errorf("failed to apply vendor defaults: %w", err) + } + + // apply userValues on top of defaultValues from profiles + mergedHelmValues, err := istiovalues.ApplyProfilesAndPlatform(resourceFS, version, platform, defaultProfile, userProfile, helm.FromValues(userValues)) + if err != nil { + return nil, fmt.Errorf("failed to apply profile: %w", err) + } + + // apply FipsValues on top of mergedHelmValues from profile + mergedHelmValues, err = istiovalues.ApplyFipsValues(mergedHelmValues) + if err != nil { + return nil, fmt.Errorf("failed to apply FIPS values: %w", err) + } + + values, err := helm.ToValues(mergedHelmValues, &v1.Values{}) + if err != nil { + return nil, fmt.Errorf("conversion to Helm values failed: %w", err) + } + + // override values that are not configurable by the user + istiovalues.ApplyOverrides(activeRevisionName, namespace, values) + return values, nil +} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/pkg/validation/validation.go b/vendor/github.com/istio-ecosystem/sail-operator/pkg/validation/validation.go new file mode 100644 index 0000000000..6a365227fd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/pkg/validation/validation.go @@ -0,0 +1,53 @@ +// Copyright Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package validation + +import ( + "context" + "fmt" + "strings" + + "github.com/istio-ecosystem/sail-operator/pkg/reconciler" + corev1 "k8s.io/api/core/v1" + apierrors "k8s.io/apimachinery/pkg/api/errors" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/types" + "sigs.k8s.io/controller-runtime/pkg/client" +) + +// ValidateTargetNamespace checks if the target namespace exists and is not being deleted. +func ValidateTargetNamespace(ctx context.Context, cl client.Client, namespace string) error { + ns := &corev1.Namespace{} + if err := cl.Get(ctx, types.NamespacedName{Name: namespace}, ns); err != nil { + if apierrors.IsNotFound(err) { + return reconciler.NewValidationError(fmt.Sprintf("namespace %q doesn't exist", namespace)) + } + return fmt.Errorf("get failed: %w", err) + } + if ns.DeletionTimestamp != nil { + return reconciler.NewValidationError(fmt.Sprintf("namespace %q is being deleted", namespace)) + } + return nil +} + +// ResourceTakesPrecedence returns `true` if `object1` takes precedence over `object2`. This is used in +// cases where IstioRevision and IstioRevisionTag objects have the same name, to decide which will get +// reconciled. +// The decision is based on creation date, but if those are equal, a lexicographic comparison of the +// objects' UIDs is used as tie-breaker. +func ResourceTakesPrecedence(object1 *metav1.ObjectMeta, object2 *metav1.ObjectMeta) bool { + return object1.CreationTimestamp.Before(&object2.CreationTimestamp) || + (object1.CreationTimestamp.Equal(&object2.CreationTimestamp) && strings.Compare(string(object1.UID), string(object2.UID)) < 0) +} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/resources.go b/vendor/github.com/istio-ecosystem/sail-operator/resources/resources.go new file mode 100644 index 0000000000..081c6ea65d --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/resources.go @@ -0,0 +1,69 @@ +// Copyright Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Package resources provides embedded Istio Helm charts and profiles. +// +// This package embeds all version directories (v1.28.2, etc.) containing +// Helm charts and profiles. Importing this package will increase the binary +// size significantly (~10MB) as it includes all chart files. +// +// This package is intended for consumers who want to embed the charts +// directly in their binary. +// +// Usage: +// +// import "github.com/istio-ecosystem/sail-operator/resources" +// +// cfg := config.ReconcilerConfig{ +// ResourceFS: resources.FS, +// } +// +// The embedded paths are relative to this directory, e.g.: +// - v1.28.2/charts/istiod/Chart.yaml +// - v1.28.2/profiles/default.yaml +package resources + +import ( + "embed" + "io/fs" +) + +// FS contains the embedded resources directory with all Helm charts and profiles. +// Paths are relative to this directory (e.g., "v1.28.2/charts/istiod"). +// +//go:embed all:v* +var FS embed.FS + +// SubFS creates a sub-filesystem rooted at the specified directory. +// This is useful for stripping prefixes from embedded filesystems. +// +// Example: +// +// // If you have your own embed with a prefix: +// //go:embed my-resources +// var rawFS embed.FS +// fs := resources.SubFS(rawFS, "my-resources") +func SubFS(fsys fs.FS, dir string) (fs.FS, error) { + return fs.Sub(fsys, dir) +} + +// MustSubFS is like SubFS but panics on error. +// Use this when the directory is known to exist. +func MustSubFS(fsys fs.FS, dir string) fs.FS { + sub, err := fs.Sub(fsys, dir) + if err != nil { + panic("failed to create sub-filesystem for " + dir + ": " + err.Error()) + } + return sub +} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/base-1.26.2.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/base-1.26.2.tgz.etag new file mode 100644 index 0000000000..7e3caa2c8c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/base-1.26.2.tgz.etag @@ -0,0 +1 @@ +5731496f7ef557b2845a356becbf57d41c7bbd7bf6988c18782b852107031411 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/Chart.yaml new file mode 100644 index 0000000000..acc961e937 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/Chart.yaml @@ -0,0 +1,10 @@ +apiVersion: v2 +appVersion: 1.26.2 +description: Helm chart for deploying Istio cluster resources and CRDs +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio +name: base +sources: +- https://github.com/istio/istio +version: 1.26.2 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/README.md new file mode 100644 index 0000000000..ae8f6d5b0e --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/README.md @@ -0,0 +1,35 @@ +# Istio base Helm Chart + +This chart installs resources shared by all Istio revisions. This includes Istio CRDs. + +## Setup Repo Info + +```console +helm repo add istio https://istio-release.storage.googleapis.com/charts +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Installing the Chart + +To install the chart with the release name `istio-base`: + +```console +kubectl create namespace istio-system +helm install istio-base istio/base -n istio-system +``` + +### Profiles + +Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. +These can be set with `--set profile=`. +For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. + +For consistency, the same profiles are used across each chart, even if they do not impact a given chart. + +Explicitly set values have highest priority, then profile settings, then chart defaults. + +As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. +When configuring the chart, you should not include this. +That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-ambient.yaml new file mode 100644 index 0000000000..2805fe46bf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-ambient.yaml @@ -0,0 +1,17 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-compatibility-version-1.23.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-compatibility-version-1.23.yaml new file mode 100644 index 0000000000..dac910ff5b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-compatibility-version-1.23.yaml @@ -0,0 +1,25 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + ENABLE_INBOUND_RETRY_POLICY: "false" + EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" + +ambient: + # Not present in <1.24, defaults to `true` in 1.25+ + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 0000000000..b211c82666 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-compatibility-version-1.24.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + PILOT_ENABLE_IP_AUTOALLOCATE: "false" +ambient: + dnsCapture: false + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..eb8827cd50 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-demo.yaml new file mode 100644 index 0000000000..d6dc36dd0f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-demo.yaml @@ -0,0 +1,94 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The demo profile enables a variety of things to try out Istio in non-production environments. +# * Lower resource utilization. +# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. +# * More ports enabled on the ingress, which is used in some tasks. +meshConfig: + accessLogFile: /dev/stdout + extensionProviders: + - name: otel + envoyOtelAls: + service: opentelemetry-collector.observability.svc.cluster.local + port: 4317 + - name: skywalking + skywalking: + service: tracing.istio-system.svc.cluster.local + port: 11800 + - name: otel-tracing + opentelemetry: + port: 4317 + service: opentelemetry-collector.observability.svc.cluster.local + - name: jaeger + opentelemetry: + port: 4317 + service: jaeger-collector.istio-system.svc.cluster.local + +cni: + resources: + requests: + cpu: 10m + memory: 40Mi + +ztunnel: + resources: + requests: + cpu: 10m + memory: 40Mi + +global: + proxy: + resources: + requests: + cpu: 10m + memory: 40Mi + waypoint: + resources: + requests: + cpu: 10m + memory: 40Mi + +pilot: + autoscaleEnabled: false + traceSampling: 100 + resources: + requests: + cpu: 10m + memory: 100Mi + +gateways: + istio-egressgateway: + autoscaleEnabled: false + resources: + requests: + cpu: 10m + memory: 40Mi + istio-ingressgateway: + autoscaleEnabled: false + ports: + ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. + # Note that AWS ELB will by default perform health checks on the first port + # on this list. Setting this to the health check port will ensure that health + # checks always work. https://github.com/istio/istio/issues/12503 + - port: 15021 + targetPort: 15021 + name: status-port + - port: 80 + targetPort: 8080 + name: http2 + - port: 443 + targetPort: 8443 + name: https + - port: 31400 + targetPort: 31400 + name: tcp + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + resources: + requests: + cpu: 10m + memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-platform-gke.yaml new file mode 100644 index 0000000000..dfe8a7d741 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-platform-gke.yaml @@ -0,0 +1,10 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work + resourceQuotas: + enabled: true +resourceQuotas: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-platform-k3d.yaml new file mode 100644 index 0000000000..cd86d9ec58 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-platform-k3d.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-platform-k3s.yaml new file mode 100644 index 0000000000..07820106d9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-platform-k3s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-platform-microk8s.yaml new file mode 100644 index 0000000000..57d7f5e3cd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-platform-microk8s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/snap/microk8s/current/args/cni-network + cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-platform-minikube.yaml new file mode 100644 index 0000000000..fa9992e204 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-platform-minikube.yaml @@ -0,0 +1,6 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-platform-openshift.yaml new file mode 100644 index 0000000000..8ddc5e1654 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-platform-openshift.yaml @@ -0,0 +1,19 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The OpenShift profile provides a basic set of settings to run Istio on OpenShift +cni: + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + provider: "multus" +pilot: + cni: + enabled: true + provider: "multus" +seLinuxOptions: + type: spc_t +# Openshift requires privileged pods to run in kube-system +trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-preview.yaml new file mode 100644 index 0000000000..181d7bda2c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-preview.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +meshConfig: + defaultConfig: + proxyMetadata: + # Enable Istio agent to handle DNS requests for known hosts + # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf + ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-remote.yaml new file mode 100644 index 0000000000..d17b9a801a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-remote.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. +istiodRemote: + enabled: true +configMap: false +telemetry: + enabled: false +global: + # TODO BML maybe a different profile for a configcluster/revisit this + omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-stable.yaml new file mode 100644 index 0000000000..358282e69b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/files/profile-stable.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The stable profile deploys admission control to ensure that only stable resources and fields are used +# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE +experimental: + stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/templates/NOTES.txt new file mode 100644 index 0000000000..f12616f578 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/templates/NOTES.txt @@ -0,0 +1,5 @@ +Istio base successfully installed! + +To learn more about the release, try: + $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} + $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml new file mode 100644 index 0000000000..2616b09c9a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml @@ -0,0 +1,53 @@ +{{- if and .Values.experimental.stableValidationPolicy (not (eq .Values.defaultRevision "")) }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicy +metadata: + name: "stable-channel-default-policy.istio.io" + labels: + release: {{ .Release.Name }} + istio: istiod + istio.io/rev: {{ .Values.defaultRevision }} + app.kubernetes.io/name: "istiod" + {{ include "istio.labels" . | nindent 4 }} +spec: + failurePolicy: Fail + matchConstraints: + resourceRules: + - apiGroups: + - security.istio.io + - networking.istio.io + - telemetry.istio.io + - extensions.istio.io + apiVersions: ["*"] + operations: ["CREATE", "UPDATE"] + resources: ["*"] + variables: + - name: isEnvoyFilter + expression: "object.kind == 'EnvoyFilter'" + - name: isWasmPlugin + expression: "object.kind == 'WasmPlugin'" + - name: isProxyConfig + expression: "object.kind == 'ProxyConfig'" + - name: isTelemetry + expression: "object.kind == 'Telemetry'" + validations: + - expression: "!variables.isEnvoyFilter" + - expression: "!variables.isWasmPlugin" + - expression: "!variables.isProxyConfig" + - expression: | + !( + variables.isTelemetry && ( + (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) || + (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) || + (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter)) + ) + ) +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicyBinding +metadata: + name: "stable-channel-default-policy-binding.istio.io" +spec: + policyName: "stable-channel-default-policy.istio.io" + validationActions: [Deny] +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml new file mode 100644 index 0000000000..8cb76fd773 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml @@ -0,0 +1,56 @@ +{{- if not (eq .Values.defaultRevision "") }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: istiod-default-validator + labels: + app: istiod + release: {{ .Release.Name }} + istio: istiod + istio.io/rev: {{ .Values.defaultRevision | quote }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +webhooks: + - name: validation.istio.io + clientConfig: + {{- if .Values.base.validationURL }} + url: {{ .Values.base.validationURL }} + {{- else }} + service: + {{- if (eq .Values.defaultRevision "default") }} + name: istiod + {{- else }} + name: istiod-{{ .Values.defaultRevision }} + {{- end }} + namespace: {{ .Values.global.istioNamespace }} + path: "/validate" + {{- end }} + {{- if .Values.base.validationCABundle }} + caBundle: "{{ .Values.base.validationCABundle }}" + {{- end }} + rules: + - operations: + - CREATE + - UPDATE + apiGroups: + - security.istio.io + - networking.istio.io + - telemetry.istio.io + - extensions.istio.io + apiVersions: + - "*" + resources: + - "*" + + {{- if .Values.base.validationCABundle }} + # Disable webhook controller in Pilot to stop patching it + failurePolicy: Fail + {{- else }} + # Fail open until the validation webhook is ready. The webhook controller + # will update this to `Fail` and patch in the `caBundle` when the webhook + # endpoint is ready. + failurePolicy: Ignore + {{- end }} + sideEffects: None + admissionReviewVersions: ["v1"] +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/templates/reader-serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/templates/reader-serviceaccount.yaml new file mode 100644 index 0000000000..ba829a6bfe --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/templates/reader-serviceaccount.yaml @@ -0,0 +1,20 @@ +# This singleton service account aggregates reader permissions for the revisions in a given cluster +# ATM this is a singleton per cluster with Istio installed, and is not revisioned. It maybe should be, +# as otherwise compromising the token for this SA would give you access to *every* installed revision. +# Should be used for remote secret creation. +apiVersion: v1 +kind: ServiceAccount + {{- if .Values.global.imagePullSecrets }} +imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +metadata: + name: istio-reader-service-account + namespace: {{ .Values.global.istioNamespace }} + labels: + app: istio-reader + release: {{ .Release.Name }} + app.kubernetes.io/name: "istio-reader" + {{- include "istio.labels" . | nindent 4 }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/templates/zzz_profile.yaml new file mode 100644 index 0000000000..3d84956485 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/templates/zzz_profile.yaml @@ -0,0 +1,75 @@ +{{/* +WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. +The original version of this file is located at /manifests directory. +If you want to make a change in this file, edit the original one and run "make gen". + +Complex logic ahead... +We have three sets of values, in order of precedence (last wins): +1. The builtin values.yaml defaults +2. The profile the user selects +3. Users input (-f or --set) + +Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). + +However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). +We can then merge the profile onto the defaults, then the user settings onto that. +Finally, we can set all of that under .Values so the chart behaves without awareness. +*/}} +{{- if $.Values.defaults}} +{{ fail (cat + "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" + ($.Values.defaults | toYaml |nindent 4) +) }} +{{- end }} +{{- $defaults := $.Values._internal_defaults_do_not_set }} +{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} +{{- $profile := dict }} +{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} +{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} +{{- $profile = (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown profile" .) }} +{{- end }} +{{- end }} +{{- with .Values.compatibilityVersion }} +{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} +{{- end }} +{{- end }} +{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} +{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown platform" .) }} +{{- end }} +{{- end }} +{{- if $profile }} +{{- $a := mustMergeOverwrite $defaults $profile }} +{{- end }} +# Flatten globals, if defined on a per-chart basis +{{- if false }} +{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} +{{- end }} +{{- $x := set $.Values "_original" (deepCopy $.Values) }} +{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} + +{{/* +Labels that should be applied to ALL resources. +*/}} +{{- define "istio.labels" -}} +{{- if .Release.Service -}} +app.kubernetes.io/managed-by: {{ .Release.Service | quote }} +{{- end }} +{{- if .Release.Name }} +app.kubernetes.io/instance: {{ .Release.Name | quote }} +{{- end }} +app.kubernetes.io/part-of: "istio" +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +{{- if and .Chart.Name .Chart.Version }} +helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/values.yaml new file mode 100644 index 0000000000..d18296f00a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/base/values.yaml @@ -0,0 +1,37 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + global: + + # ImagePullSecrets for control plane ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + + # Used to locate istiod. + istioNamespace: istio-system + base: + # A list of CRDs to exclude. Requires `enableCRDTemplates` to be true. + # Example: `excludedCRDs: ["envoyfilters.networking.istio.io"]`. + # Note: when installing with `istioctl`, `enableIstioConfigCRDs=false` must also be set. + excludedCRDs: [] + # Helm (as of V3) does not support upgrading CRDs, because it is not universally + # safe for them to support this. + # Istio as a project enforces certain backwards-compat guarantees that allow us + # to safely upgrade CRDs in spite of this, so we default to self-managing CRDs + # as standard K8S resources in Helm, and disable Helm's CRD management. See also: + # https://helm.sh/docs/chart_best_practices/custom_resource_definitions/#method-2-separate-charts + enableCRDTemplates: true + + # Validation webhook configuration url + # For example: https://$remotePilotAddress:15017/validate + validationURL: "" + # Validation webhook caBundle value. Useful when running pilot with a well known cert + validationCABundle: "" + + # For istioctl usage to disable istio config crds in base + enableIstioConfigCRDs: true + + defaultRevision: "default" + experimental: + stableValidationPolicy: false diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/Chart.yaml new file mode 100644 index 0000000000..72c52fc49e --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +appVersion: 1.26.2 +description: Helm chart for istio-cni components +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio-cni +- istio +name: cni +sources: +- https://github.com/istio/istio +version: 1.26.2 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/README.md new file mode 100644 index 0000000000..a8b78d5bde --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/README.md @@ -0,0 +1,65 @@ +# Istio CNI Helm Chart + +This chart installs the Istio CNI Plugin. See the [CNI installation guide](https://istio.io/latest/docs/setup/additional-setup/cni/) +for more information. + +## Setup Repo Info + +```console +helm repo add istio https://istio-release.storage.googleapis.com/charts +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Installing the Chart + +To install the chart with the release name `istio-cni`: + +```console +helm install istio-cni istio/cni -n kube-system +``` + +Installation in `kube-system` is recommended to ensure the [`system-node-critical`](https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/) +`priorityClassName` can be used. You can install in other namespace only on K8S clusters that allow +'system-node-critical' outside of kube-system. + +## Configuration + +To view support configuration options and documentation, run: + +```console +helm show values istio/istio-cni +``` + +### Profiles + +Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. +These can be set with `--set profile=`. +For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. + +For consistency, the same profiles are used across each chart, even if they do not impact a given chart. + +Explicitly set values have highest priority, then profile settings, then chart defaults. + +As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. +When configuring the chart, you should not include this. +That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. + +### Ambient + +To enable ambient, you can use the ambient profile: `--set profile=ambient`. + +#### Calico + +For Calico, you must also modify the settings to allow source spoofing: + +- if deployed by operator, `kubectl patch felixconfigurations default --type='json' -p='[{"op": "add", "path": "/spec/workloadSourceSpoofing", "value": "Any"}]'` +- if deployed by manifest, add env `FELIX_WORKLOADSOURCESPOOFING` with value `Any` in `spec.template.spec.containers.env` for daemonset `calico-node`. (This will allow PODs with specified annotation to skip the rpf check. ) + +### GKE notes + +On GKE, 'kube-system' is required. + +If using `helm template`, `--set cni.cniBinDir=/home/kubernetes/bin` is required - with `helm install` +it is auto-detected. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-ambient.yaml new file mode 100644 index 0000000000..2805fe46bf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-ambient.yaml @@ -0,0 +1,17 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-compatibility-version-1.23.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-compatibility-version-1.23.yaml new file mode 100644 index 0000000000..dac910ff5b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-compatibility-version-1.23.yaml @@ -0,0 +1,25 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + ENABLE_INBOUND_RETRY_POLICY: "false" + EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" + +ambient: + # Not present in <1.24, defaults to `true` in 1.25+ + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 0000000000..b211c82666 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-compatibility-version-1.24.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + PILOT_ENABLE_IP_AUTOALLOCATE: "false" +ambient: + dnsCapture: false + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..eb8827cd50 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-demo.yaml new file mode 100644 index 0000000000..d6dc36dd0f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-demo.yaml @@ -0,0 +1,94 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The demo profile enables a variety of things to try out Istio in non-production environments. +# * Lower resource utilization. +# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. +# * More ports enabled on the ingress, which is used in some tasks. +meshConfig: + accessLogFile: /dev/stdout + extensionProviders: + - name: otel + envoyOtelAls: + service: opentelemetry-collector.observability.svc.cluster.local + port: 4317 + - name: skywalking + skywalking: + service: tracing.istio-system.svc.cluster.local + port: 11800 + - name: otel-tracing + opentelemetry: + port: 4317 + service: opentelemetry-collector.observability.svc.cluster.local + - name: jaeger + opentelemetry: + port: 4317 + service: jaeger-collector.istio-system.svc.cluster.local + +cni: + resources: + requests: + cpu: 10m + memory: 40Mi + +ztunnel: + resources: + requests: + cpu: 10m + memory: 40Mi + +global: + proxy: + resources: + requests: + cpu: 10m + memory: 40Mi + waypoint: + resources: + requests: + cpu: 10m + memory: 40Mi + +pilot: + autoscaleEnabled: false + traceSampling: 100 + resources: + requests: + cpu: 10m + memory: 100Mi + +gateways: + istio-egressgateway: + autoscaleEnabled: false + resources: + requests: + cpu: 10m + memory: 40Mi + istio-ingressgateway: + autoscaleEnabled: false + ports: + ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. + # Note that AWS ELB will by default perform health checks on the first port + # on this list. Setting this to the health check port will ensure that health + # checks always work. https://github.com/istio/istio/issues/12503 + - port: 15021 + targetPort: 15021 + name: status-port + - port: 80 + targetPort: 8080 + name: http2 + - port: 443 + targetPort: 8443 + name: https + - port: 31400 + targetPort: 31400 + name: tcp + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + resources: + requests: + cpu: 10m + memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-platform-gke.yaml new file mode 100644 index 0000000000..dfe8a7d741 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-platform-gke.yaml @@ -0,0 +1,10 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work + resourceQuotas: + enabled: true +resourceQuotas: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-platform-k3d.yaml new file mode 100644 index 0000000000..cd86d9ec58 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-platform-k3d.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-platform-k3s.yaml new file mode 100644 index 0000000000..07820106d9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-platform-k3s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-platform-microk8s.yaml new file mode 100644 index 0000000000..57d7f5e3cd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-platform-microk8s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/snap/microk8s/current/args/cni-network + cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-platform-minikube.yaml new file mode 100644 index 0000000000..fa9992e204 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-platform-minikube.yaml @@ -0,0 +1,6 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-platform-openshift.yaml new file mode 100644 index 0000000000..8ddc5e1654 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-platform-openshift.yaml @@ -0,0 +1,19 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The OpenShift profile provides a basic set of settings to run Istio on OpenShift +cni: + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + provider: "multus" +pilot: + cni: + enabled: true + provider: "multus" +seLinuxOptions: + type: spc_t +# Openshift requires privileged pods to run in kube-system +trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-preview.yaml new file mode 100644 index 0000000000..181d7bda2c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-preview.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +meshConfig: + defaultConfig: + proxyMetadata: + # Enable Istio agent to handle DNS requests for known hosts + # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf + ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-remote.yaml new file mode 100644 index 0000000000..d17b9a801a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-remote.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. +istiodRemote: + enabled: true +configMap: false +telemetry: + enabled: false +global: + # TODO BML maybe a different profile for a configcluster/revisit this + omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-stable.yaml new file mode 100644 index 0000000000..358282e69b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/files/profile-stable.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The stable profile deploys admission control to ensure that only stable resources and fields are used +# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE +experimental: + stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/templates/NOTES.txt new file mode 100644 index 0000000000..fb35525b99 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/templates/NOTES.txt @@ -0,0 +1,5 @@ +"{{ .Release.Name }}" successfully installed! + +To learn more about the release, try: + $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} + $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/templates/_helpers.tpl new file mode 100644 index 0000000000..73cc17b2f6 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/templates/_helpers.tpl @@ -0,0 +1,8 @@ +{{- define "name" -}} + istio-cni +{{- end }} + + +{{- define "istio-tag" -}} + {{ .Values.tag | default .Values.global.tag }}{{with (.Values.variant | default .Values.global.variant)}}-{{.}}{{end}} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/templates/clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/templates/clusterrole.yaml new file mode 100644 index 0000000000..1779e0bb1d --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/templates/clusterrole.yaml @@ -0,0 +1,81 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "name" . }} + labels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +rules: +- apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: ["privileged"] + verbs: ["use"] +- apiGroups: [""] + resources: ["pods","nodes","namespaces"] + verbs: ["get", "list", "watch"] +{{- if (eq ((coalesce .Values.platform .Values.global.platform) | default "") "openshift") }} +- apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: ["privileged"] + verbs: ["use"] +{{- end }} +--- +{{- if .Values.repair.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "name" . }}-repair-role + labels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] + - apiGroups: [""] + resources: ["pods"] + verbs: ["watch", "get", "list"] +{{- if .Values.repair.repairPods }} +{{- /* No privileges needed*/}} +{{- else if .Values.repair.deletePods }} + - apiGroups: [""] + resources: ["pods"] + verbs: ["delete"] +{{- else if .Values.repair.labelPods }} + - apiGroups: [""] + {{- /* pods/status is less privileged than the full pod, and either can label. So use the lower pods/status */}} + resources: ["pods/status"] + verbs: ["patch", "update"] +{{- end }} +{{- end }} +--- +{{- if .Values.ambient.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "name" . }}-ambient + labels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +rules: +- apiGroups: [""] + {{- /* pods/status is less privileged than the full pod, and either can label. So use the lower pods/status */}} + resources: ["pods/status"] + verbs: ["patch", "update"] +- apiGroups: ["apps"] + resources: ["daemonsets"] + resourceNames: ["{{ template "name" . }}-node"] + verbs: ["get"] +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/templates/clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..42fedab1fc --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/templates/clusterrolebinding.yaml @@ -0,0 +1,63 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "name" . }} + labels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "name" . }} +subjects: +- kind: ServiceAccount + name: {{ template "name" . }} + namespace: {{ .Release.Namespace }} +--- +{{- if .Values.repair.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "name" . }}-repair-rolebinding + labels: + k8s-app: {{ template "name" . }}-repair + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +subjects: +- kind: ServiceAccount + name: {{ template "name" . }} + namespace: {{ .Release.Namespace}} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "name" . }}-repair-role +{{- end }} +--- +{{- if .Values.ambient.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "name" . }}-ambient + labels: + k8s-app: {{ template "name" . }}-repair + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ template "name" . }} + namespace: {{ .Release.Namespace}} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "name" . }}-ambient +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/templates/configmap-cni.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/templates/configmap-cni.yaml new file mode 100644 index 0000000000..3deb2cb5ad --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/templates/configmap-cni.yaml @@ -0,0 +1,35 @@ +kind: ConfigMap +apiVersion: v1 +metadata: + name: {{ template "name" . }}-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +data: + CURRENT_AGENT_VERSION: {{ .Values.tag | default .Values.global.tag | quote }} + AMBIENT_ENABLED: {{ .Values.ambient.enabled | quote }} + AMBIENT_DNS_CAPTURE: {{ .Values.ambient.dnsCapture | quote }} + AMBIENT_IPV6: {{ .Values.ambient.ipv6 | quote }} + AMBIENT_RECONCILE_POD_RULES_ON_STARTUP: {{ .Values.ambient.reconcileIptablesOnStartup | quote }} + {{- if .Values.cniConfFileName }} # K8S < 1.24 doesn't like empty values + CNI_CONF_NAME: {{ .Values.cniConfFileName }} # Name of the CNI config file to create. Only override if you know the exact path your CNI requires.. + {{- end }} + CHAINED_CNI_PLUGIN: {{ .Values.chained | quote }} + EXCLUDE_NAMESPACES: "{{ range $idx, $ns := .Values.excludeNamespaces }}{{ if $idx }},{{ end }}{{ $ns }}{{ end }}" + REPAIR_ENABLED: {{ .Values.repair.enabled | quote }} + REPAIR_LABEL_PODS: {{ .Values.repair.labelPods | quote }} + REPAIR_DELETE_PODS: {{ .Values.repair.deletePods | quote }} + REPAIR_REPAIR_PODS: {{ .Values.repair.repairPods | quote }} + REPAIR_INIT_CONTAINER_NAME: {{ .Values.repair.initContainerName | quote }} + REPAIR_BROKEN_POD_LABEL_KEY: {{ .Values.repair.brokenPodLabelKey | quote }} + REPAIR_BROKEN_POD_LABEL_VALUE: {{ .Values.repair.brokenPodLabelValue | quote }} + {{- with .Values.env }} + {{- range $key, $val := . }} + {{ $key }}: "{{ $val }}" + {{- end }} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/templates/daemonset.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/templates/daemonset.yaml new file mode 100644 index 0000000000..cdccd36542 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/templates/daemonset.yaml @@ -0,0 +1,245 @@ +# This manifest installs the Istio install-cni container, as well +# as the Istio CNI plugin and config on +# each master and worker node in a Kubernetes cluster. +# +# $detectedBinDir exists to support a GKE-specific platform override, +# and is deprecated in favor of using the explicit `gke` platform profile. +{{- $detectedBinDir := (.Capabilities.KubeVersion.GitVersion | contains "-gke") | ternary + "/home/kubernetes/bin" + "/opt/cni/bin" +}} +{{- if .Values.cniBinDir }} +{{ $detectedBinDir = .Values.cniBinDir }} +{{- end }} +kind: DaemonSet +apiVersion: apps/v1 +metadata: + # Note that this is templated but evaluates to a fixed name + # which the CNI plugin may fall back onto in some failsafe scenarios. + # if this name is changed, CNI plugin logic that checks for this name + # format should also be updated. + name: {{ template "name" . }}-node + namespace: {{ .Release.Namespace }} + labels: + k8s-app: {{ template "name" . }}-node + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +spec: + selector: + matchLabels: + k8s-app: {{ template "name" . }}-node + {{- with .Values.updateStrategy }} + updateStrategy: + {{- toYaml . | nindent 4 }} + {{- end }} + template: + metadata: + labels: + k8s-app: {{ template "name" . }}-node + sidecar.istio.io/inject: "false" + istio.io/dataplane-mode: none + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 8 }} + annotations: + sidecar.istio.io/inject: "false" + # Add Prometheus Scrape annotations + prometheus.io/scrape: 'true' + prometheus.io/port: "15014" + prometheus.io/path: '/metrics' + # Add AppArmor annotation + # This is required to avoid conflicts with AppArmor profiles which block certain + # privileged pod capabilities. + # Required for Kubernetes 1.29 which does not support setting appArmorProfile in the + # securityContext which is otherwise preferred. + container.apparmor.security.beta.kubernetes.io/install-cni: unconfined + # Custom annotations + {{- if .Values.podAnnotations }} +{{ toYaml .Values.podAnnotations | indent 8 }} + {{- end }} + spec: +{{- if and .Values.ambient.enabled .Values.ambient.shareHostNetworkNamespace }} + hostNetwork: true + dnsPolicy: ClusterFirstWithHostNet +{{- end }} + nodeSelector: + kubernetes.io/os: linux + # Can be configured to allow for excluding istio-cni from being scheduled on specified nodes + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + tolerations: + # Make sure istio-cni-node gets scheduled on all nodes. + - effect: NoSchedule + operator: Exists + # Mark the pod as a critical add-on for rescheduling. + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists + priorityClassName: system-node-critical + serviceAccountName: {{ template "name" . }} + # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force + # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods. + terminationGracePeriodSeconds: 5 + containers: + # This container installs the Istio CNI binaries + # and CNI network config file on each node. + - name: install-cni +{{- if contains "/" .Values.image }} + image: "{{ .Values.image }}" +{{- else }} + image: "{{ .Values.hub | default .Values.global.hub }}/{{ .Values.image | default "install-cni" }}:{{ template "istio-tag" . }}" +{{- end }} +{{- if or .Values.pullPolicy .Values.global.imagePullPolicy }} + imagePullPolicy: {{ .Values.pullPolicy | default .Values.global.imagePullPolicy }} +{{- end }} + ports: + - containerPort: 15014 + name: metrics + protocol: TCP + readinessProbe: + httpGet: + path: /readyz + port: 8000 + securityContext: + privileged: false + runAsGroup: 0 + runAsUser: 0 + runAsNonRoot: false + # Both ambient and sidecar repair mode require elevated node privileges to function. + # But we don't need _everything_ in `privileged`, so explicitly set it to false and + # add capabilities based on feature. + capabilities: + drop: + - ALL + add: + # CAP_NET_ADMIN is required to allow ipset and route table access + - NET_ADMIN + # CAP_NET_RAW is required to allow iptables mutation of the `nat` table + - NET_RAW + # CAP_SYS_PTRACE is required for repair and ambient mode to describe + # the pod's network namespace. + - SYS_PTRACE + # CAP_SYS_ADMIN is required for both ambient and repair, in order to open + # network namespaces in `/proc` to obtain descriptors for entering pod network + # namespaces. There does not appear to be a more granular capability for this. + - SYS_ADMIN + # While we run as a 'root' (UID/GID 0), since we drop all capabilities we lose + # the typical ability to read/write to folders owned by others. + # This can cause problems if the hostPath mounts we use, which we require write access into, + # are owned by non-root. DAC_OVERRIDE bypasses these and gives us write access into any folder. + - DAC_OVERRIDE +{{- if .Values.seLinuxOptions }} +{{ with (merge .Values.seLinuxOptions (dict "type" "spc_t")) }} + seLinuxOptions: +{{ toYaml . | trim | indent 14 }} +{{- end }} +{{- end }} +{{- if .Values.seccompProfile }} + seccompProfile: +{{ toYaml .Values.seccompProfile | trim | indent 14 }} +{{- end }} + command: ["install-cni"] + args: + {{- if or .Values.logging.level .Values.global.logging.level }} + - --log_output_level={{ coalesce .Values.logging.level .Values.global.logging.level }} + {{- end}} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end}} + envFrom: + - configMapRef: + name: {{ template "name" . }}-config + env: + - name: REPAIR_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: REPAIR_RUN_AS_DAEMON + value: "true" + - name: REPAIR_SIDECAR_ANNOTATION + value: "sidecar.istio.io/status" + {{- if not (and .Values.ambient.enabled .Values.ambient.shareHostNetworkNamespace) }} + - name: ALLOW_SWITCH_TO_HOST_NS + value: "true" + {{- end }} + - name: NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + volumeMounts: + - mountPath: /host/opt/cni/bin + name: cni-bin-dir + {{- if or .Values.repair.repairPods .Values.ambient.enabled }} + - mountPath: /host/proc + name: cni-host-procfs + readOnly: true + {{- end }} + - mountPath: /host/etc/cni/net.d + name: cni-net-dir + - mountPath: /var/run/istio-cni + name: cni-socket-dir + {{- if .Values.ambient.enabled }} + - mountPath: /host/var/run/netns + mountPropagation: HostToContainer + name: cni-netns-dir + - mountPath: /var/run/ztunnel + name: cni-ztunnel-sock-dir + {{ end }} + resources: +{{- if .Values.resources }} +{{ toYaml .Values.resources | trim | indent 12 }} +{{- else }} +{{ toYaml .Values.global.defaultResources | trim | indent 12 }} +{{- end }} + volumes: + # Used to install CNI. + - name: cni-bin-dir + hostPath: + path: {{ $detectedBinDir }} + {{- if or .Values.repair.repairPods .Values.ambient.enabled }} + - name: cni-host-procfs + hostPath: + path: /proc + type: Directory + {{- end }} + {{- if .Values.ambient.enabled }} + - name: cni-ztunnel-sock-dir + hostPath: + path: /var/run/ztunnel + type: DirectoryOrCreate + {{- end }} + - name: cni-net-dir + hostPath: + path: {{ .Values.cniConfDir }} + # Used for UDS sockets for logging, ambient eventing + - name: cni-socket-dir + hostPath: + path: /var/run/istio-cni + - name: cni-netns-dir + hostPath: + path: {{ .Values.cniNetnsDir }} + type: DirectoryOrCreate # DirectoryOrCreate instead of Directory for the following reason - CNI may not bind mount this until a non-hostnetwork pod is scheduled on the node, + # and we don't want to block CNI agent pod creation on waiting for the first non-hostnetwork pod. + # Once the CNI does mount this, it will get populated and we're good. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/templates/network-attachment-definition.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/templates/network-attachment-definition.yaml new file mode 100644 index 0000000000..86a2eb7c0b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/templates/network-attachment-definition.yaml @@ -0,0 +1,11 @@ +{{- if eq .Values.provider "multus" }} +apiVersion: k8s.cni.cncf.io/v1 +kind: NetworkAttachmentDefinition +metadata: + name: {{ template "name" . }} + namespace: default + labels: + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/templates/networkpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/templates/networkpolicy.yaml new file mode 100644 index 0000000000..a30df776db --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/templates/networkpolicy.yaml @@ -0,0 +1,36 @@ +{{- if (.Values.global.networkPolicy).enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ template "name" . }}{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + k8s-app: {{ template "name" . }}-node + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + k8s-app: {{ template "name" . }}-node + policyTypes: + - Ingress + - Egress + ingress: + # Metrics endpoint for monitoring/prometheus + - from: [] + ports: + - protocol: TCP + port: 15014 + # Readiness probe endpoint + - from: [] + ports: + - protocol: TCP + port: 8000 + egress: + # Allow DNS resolution and access to Kubernetes API server. + # IP/Port of the API server is heavily dependant on k8s distribution, so we allow all egress for now. + - {} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/templates/resourcequota.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/templates/resourcequota.yaml new file mode 100644 index 0000000000..9a6d61ff91 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/templates/resourcequota.yaml @@ -0,0 +1,19 @@ +{{- if .Values.resourceQuotas.enabled }} +apiVersion: v1 +kind: ResourceQuota +metadata: + name: {{ template "name" . }}-resource-quota + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +spec: + hard: + pods: {{ .Values.resourceQuotas.pods | quote }} + scopeSelector: + matchExpressions: + - operator: In + scopeName: PriorityClass + values: + - system-node-critical +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/templates/serviceaccount.yaml new file mode 100644 index 0000000000..3193d7b74a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/templates/serviceaccount.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: ServiceAccount +{{- if .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range .Values.global.imagePullSecrets }} + - name: {{ . }} +{{- end }} +{{- end }} +metadata: + name: {{ template "name" . }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/templates/zzy_descope_legacy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/templates/zzy_descope_legacy.yaml new file mode 100644 index 0000000000..a9584ac29f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/templates/zzy_descope_legacy.yaml @@ -0,0 +1,3 @@ +{{/* Copy anything under `.cni` to `.`, to avoid the need to specify a redundant prefix. +Due to the file naming, this always happens after zzz_profile.yaml */}} +{{- $_ := mustMergeOverwrite $.Values (index $.Values "cni") }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/templates/zzz_profile.yaml new file mode 100644 index 0000000000..3d84956485 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/templates/zzz_profile.yaml @@ -0,0 +1,75 @@ +{{/* +WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. +The original version of this file is located at /manifests directory. +If you want to make a change in this file, edit the original one and run "make gen". + +Complex logic ahead... +We have three sets of values, in order of precedence (last wins): +1. The builtin values.yaml defaults +2. The profile the user selects +3. Users input (-f or --set) + +Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). + +However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). +We can then merge the profile onto the defaults, then the user settings onto that. +Finally, we can set all of that under .Values so the chart behaves without awareness. +*/}} +{{- if $.Values.defaults}} +{{ fail (cat + "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" + ($.Values.defaults | toYaml |nindent 4) +) }} +{{- end }} +{{- $defaults := $.Values._internal_defaults_do_not_set }} +{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} +{{- $profile := dict }} +{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} +{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} +{{- $profile = (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown profile" .) }} +{{- end }} +{{- end }} +{{- with .Values.compatibilityVersion }} +{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} +{{- end }} +{{- end }} +{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} +{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown platform" .) }} +{{- end }} +{{- end }} +{{- if $profile }} +{{- $a := mustMergeOverwrite $defaults $profile }} +{{- end }} +# Flatten globals, if defined on a per-chart basis +{{- if false }} +{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} +{{- end }} +{{- $x := set $.Values "_original" (deepCopy $.Values) }} +{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} + +{{/* +Labels that should be applied to ALL resources. +*/}} +{{- define "istio.labels" -}} +{{- if .Release.Service -}} +app.kubernetes.io/managed-by: {{ .Release.Service | quote }} +{{- end }} +{{- if .Release.Name }} +app.kubernetes.io/instance: {{ .Release.Name | quote }} +{{- end }} +app.kubernetes.io/part-of: "istio" +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +{{- if and .Chart.Name .Chart.Version }} +helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/values.yaml new file mode 100644 index 0000000000..258635040d --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/cni/values.yaml @@ -0,0 +1,156 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + hub: "" + tag: "" + variant: "" + image: install-cni + pullPolicy: "" + + # Same as `global.logging.level`, but will override it if set + logging: + level: "" + + # Configuration file to insert istio-cni plugin configuration + # by default this will be the first file found in the cni-conf-dir + # Example + # cniConfFileName: 10-calico.conflist + + # CNI-and-platform specific path defaults. + # These may need to be set to platform-specific values, consult + # overrides for your platform in `manifests/helm-profiles/platform-*.yaml` + cniBinDir: /opt/cni/bin + cniConfDir: /etc/cni/net.d + cniConfFileName: "" + cniNetnsDir: "/var/run/netns" + + excludeNamespaces: + - kube-system + + # Allows user to set custom affinity for the DaemonSet + affinity: {} + + # Custom annotations on pod level, if you need them + podAnnotations: {} + + # Deploy the config files as plugin chain (value "true") or as standalone files in the conf dir (value "false")? + # Some k8s flavors (e.g. OpenShift) do not support the chain approach, set to false if this is the case + chained: true + + # Custom configuration happens based on the CNI provider. + # Possible values: "default", "multus" + provider: "default" + + # Configure ambient settings + ambient: + # If enabled, ambient redirection will be enabled + enabled: false + # Set ambient config dir path: defaults to /etc/ambient-config + configDir: "" + # If enabled, and ambient is enabled, DNS redirection will be enabled + dnsCapture: true + # If enabled, and ambient is enabled, enables ipv6 support + ipv6: true + # If enabled, and ambient is enabled, the CNI agent will reconcile incompatible iptables rules and chains at startup. + # This will eventually be enabled by default + reconcileIptablesOnStartup: false + # If enabled, and ambient is enabled, the CNI agent will always share the network namespace of the host node it is running on + shareHostNetworkNamespace: false + + + repair: + enabled: true + hub: "" + tag: "" + + # Repair controller has 3 modes. Pick which one meets your use cases. Note only one may be used. + # This defines the action the controller will take when a pod is detected as broken. + + # labelPods will label all pods with =. + # This is only capable of identifying broken pods; the user is responsible for fixing them (generally, by deleting them). + # Note this gives the DaemonSet a relatively high privilege, as modifying pod metadata/status can have wider impacts. + labelPods: false + # deletePods will delete any broken pod. These will then be rescheduled, hopefully onto a node that is fully ready. + # Note this gives the DaemonSet a relatively high privilege, as it can delete any Pod. + deletePods: false + # repairPods will dynamically repair any broken pod by setting up the pod networking configuration even after it has started. + # Note the pod will be crashlooping, so this may take a few minutes to become fully functional based on when the retry occurs. + # This requires no RBAC privilege, but does require `securityContext.privileged/CAP_SYS_ADMIN`. + repairPods: true + + initContainerName: "istio-validation" + + brokenPodLabelKey: "cni.istio.io/uninitialized" + brokenPodLabelValue: "true" + + # Set to `type: RuntimeDefault` to use the default profile if available. + seccompProfile: {} + + # SELinux options to set in the istio-cni-node pods. You may need to set this to `type: spc_t` for some platforms. + seLinuxOptions: {} + + resources: + requests: + cpu: 100m + memory: 100Mi + + resourceQuotas: + enabled: false + pods: 5000 + + # K8s DaemonSet update strategy. + # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec). + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 + + # Revision is set as 'version' label and part of the resource names when installing multiple control planes. + revision: "" + + # For Helm compatibility. + ownerName: "" + + global: + # Default hub for Istio images. + # Releases are published to docker hub under 'istio' project. + # Dev builds from prow are on gcr.io + hub: gcr.io/istio-release + + # Default tag for Istio images. + tag: 1.26.2 + + # Variant of the image to use. + # Currently supported are: [debug, distroless] + variant: "" + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent. + imagePullPolicy: "" + + # change cni scope level to control logging out of istio-cni-node DaemonSet + logging: + level: info + + logAsJson: false + + # When enabled, default NetworkPolicy resources will be created + networkPolicy: + enabled: false + + # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) + # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + # - private-registry-key + + # Default resources allocated + defaultResources: + requests: + cpu: 100m + memory: 100Mi + + # A `key: value` mapping of environment variables to add to the pod + env: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/Chart.yaml new file mode 100644 index 0000000000..a9c5446a0b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/Chart.yaml @@ -0,0 +1,12 @@ +apiVersion: v2 +appVersion: 1.26.2 +description: Helm chart for deploying Istio gateways +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio +- gateways +name: gateway +sources: +- https://github.com/istio/istio +type: application +version: 1.26.2 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/README.md new file mode 100644 index 0000000000..5c064d165b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/README.md @@ -0,0 +1,170 @@ +# Istio Gateway Helm Chart + +This chart installs an Istio gateway deployment. + +## Setup Repo Info + +```console +helm repo add istio https://istio-release.storage.googleapis.com/charts +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Installing the Chart + +To install the chart with the release name `istio-ingressgateway`: + +```console +helm install istio-ingressgateway istio/gateway +``` + +## Uninstalling the Chart + +To uninstall/delete the `istio-ingressgateway` deployment: + +```console +helm delete istio-ingressgateway +``` + +## Configuration + +To view support configuration options and documentation, run: + +```console +helm show values istio/gateway +``` + +### Profiles + +Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. +These can be set with `--set profile=`. +For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. + +For consistency, the same profiles are used across each chart, even if they do not impact a given chart. + +Explicitly set values have highest priority, then profile settings, then chart defaults. + +As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. +When configuring the chart, you should not include this. +That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. + +### OpenShift + +When deploying the gateway in an OpenShift cluster, use the `openshift` profile to override the default values, for example: + +```console +helm install istio-ingressgateway istio/gateway --set profile=openshift +``` + +### `image: auto` Information + +The image used by the chart, `auto`, may be unintuitive. +This exists because the pod spec will be automatically populated at runtime, using the same mechanism as [Sidecar Injection](istio.io/latest/docs/setup/additional-setup/sidecar-injection). +This allows the same configurations and lifecycle to apply to gateways as sidecars. + +Note: this does mean that the namespace the gateway is deployed in must not have the `istio-injection=disabled` label. +See [Controlling the injection policy](https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#controlling-the-injection-policy) for more info. + +### Examples + +#### Egress Gateway + +Deploying a Gateway to be used as an [Egress Gateway](https://istio.io/latest/docs/tasks/traffic-management/egress/egress-gateway/): + +```yaml +service: + # Egress gateways do not need an external LoadBalancer IP + type: ClusterIP +``` + +#### Multi-network/VM Gateway + +Deploying a Gateway to be used as a [Multi-network Gateway](https://istio.io/latest/docs/setup/install/multicluster/) for network `network-1`: + +```yaml +networkGateway: network-1 +``` + +### Migrating from other installation methods + +Installations from other installation methods (such as istioctl, Istio Operator, other helm charts, etc) can be migrated to use the new Helm charts +following the guidance below. +If you are able to, a clean installation is simpler. However, this often requires an external IP migration which can be challenging. + +WARNING: when installing over an existing deployment, the two deployments will be merged together by Helm, which may lead to unexpected results. + +#### Legacy Gateway Helm charts + +Istio historically offered two different charts - `manifests/charts/gateways/istio-ingress` and `manifests/charts/gateways/istio-egress`. +These are replaced by this chart. +While not required, it is recommended all new users use this chart, and existing users migrate when possible. + +This chart has the following benefits and differences: +* Designed with Helm best practices in mind (standardized values options, values schema, values are not all nested under `gateways.istio-ingressgateway.*`, release name and namespace taken into account, etc). +* Utilizes Gateway injection, simplifying upgrades, allowing gateways to run in any namespace, and avoiding repeating config for sidecars and gateways. +* Published to official Istio Helm repository. +* Single chart for all gateways (Ingress, Egress, East West). + +#### General concerns + +For a smooth migration, the resource names and `Deployment.spec.selector` labels must match. + +If you install with `helm install istio-gateway istio/gateway`, resources will be named `istio-gateway` and the `selector` labels set to: + +```yaml +app: istio-gateway +istio: gateway # the release name with leading istio- prefix stripped +``` + +If your existing installation doesn't follow these names, you can override them. For example, if you have resources named `my-custom-gateway` with `selector` labels +`foo=bar,istio=ingressgateway`: + +```yaml +name: my-custom-gateway # Override the name to match existing resources +labels: + app: "" # Unset default app selector label + istio: ingressgateway # override default istio selector label + foo: bar # Add the existing custom selector label +``` + +#### Migrating an existing Helm release + +An existing helm release can be `helm upgrade`d to this chart by using the same release name. For example, if a previous +installation was done like: + +```console +helm install istio-ingress manifests/charts/gateways/istio-ingress -n istio-system +``` + +It could be upgraded with + +```console +helm upgrade istio-ingress manifests/charts/gateway -n istio-system --set name=istio-ingressgateway --set labels.app=istio-ingressgateway --set labels.istio=ingressgateway +``` + +Note the name and labels are overridden to match the names of the existing installation. + +Warning: the helm charts here default to using port 80 and 443, while the old charts used 8080 and 8443. +If you have AuthorizationPolicies that reference port these ports, you should update them during this process, +or customize the ports to match the old defaults. +See the [security advisory](https://istio.io/latest/news/security/istio-security-2021-002/) for more information. + +#### Other migrations + +If you see errors like `rendered manifests contain a resource that already exists` during installation, you may need to forcibly take ownership. + +The script below can handle this for you. Replace `RELEASE` and `NAMESPACE` with the name and namespace of the release: + +```console +KINDS=(service deployment) +RELEASE=istio-ingressgateway +NAMESPACE=istio-system +for KIND in "${KINDS[@]}"; do + kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-name=$RELEASE + kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-namespace=$NAMESPACE + kubectl --namespace $NAMESPACE --overwrite=true label $KIND $RELEASE app.kubernetes.io/managed-by=Helm +done +``` + +You may ignore errors about resources not being found. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-ambient.yaml new file mode 100644 index 0000000000..2805fe46bf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-ambient.yaml @@ -0,0 +1,17 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-compatibility-version-1.23.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-compatibility-version-1.23.yaml new file mode 100644 index 0000000000..dac910ff5b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-compatibility-version-1.23.yaml @@ -0,0 +1,25 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + ENABLE_INBOUND_RETRY_POLICY: "false" + EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" + +ambient: + # Not present in <1.24, defaults to `true` in 1.25+ + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 0000000000..b211c82666 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-compatibility-version-1.24.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + PILOT_ENABLE_IP_AUTOALLOCATE: "false" +ambient: + dnsCapture: false + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..eb8827cd50 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-demo.yaml new file mode 100644 index 0000000000..d6dc36dd0f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-demo.yaml @@ -0,0 +1,94 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The demo profile enables a variety of things to try out Istio in non-production environments. +# * Lower resource utilization. +# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. +# * More ports enabled on the ingress, which is used in some tasks. +meshConfig: + accessLogFile: /dev/stdout + extensionProviders: + - name: otel + envoyOtelAls: + service: opentelemetry-collector.observability.svc.cluster.local + port: 4317 + - name: skywalking + skywalking: + service: tracing.istio-system.svc.cluster.local + port: 11800 + - name: otel-tracing + opentelemetry: + port: 4317 + service: opentelemetry-collector.observability.svc.cluster.local + - name: jaeger + opentelemetry: + port: 4317 + service: jaeger-collector.istio-system.svc.cluster.local + +cni: + resources: + requests: + cpu: 10m + memory: 40Mi + +ztunnel: + resources: + requests: + cpu: 10m + memory: 40Mi + +global: + proxy: + resources: + requests: + cpu: 10m + memory: 40Mi + waypoint: + resources: + requests: + cpu: 10m + memory: 40Mi + +pilot: + autoscaleEnabled: false + traceSampling: 100 + resources: + requests: + cpu: 10m + memory: 100Mi + +gateways: + istio-egressgateway: + autoscaleEnabled: false + resources: + requests: + cpu: 10m + memory: 40Mi + istio-ingressgateway: + autoscaleEnabled: false + ports: + ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. + # Note that AWS ELB will by default perform health checks on the first port + # on this list. Setting this to the health check port will ensure that health + # checks always work. https://github.com/istio/istio/issues/12503 + - port: 15021 + targetPort: 15021 + name: status-port + - port: 80 + targetPort: 8080 + name: http2 + - port: 443 + targetPort: 8443 + name: https + - port: 31400 + targetPort: 31400 + name: tcp + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + resources: + requests: + cpu: 10m + memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-platform-gke.yaml new file mode 100644 index 0000000000..dfe8a7d741 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-platform-gke.yaml @@ -0,0 +1,10 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work + resourceQuotas: + enabled: true +resourceQuotas: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-platform-k3d.yaml new file mode 100644 index 0000000000..cd86d9ec58 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-platform-k3d.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-platform-k3s.yaml new file mode 100644 index 0000000000..07820106d9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-platform-k3s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-platform-microk8s.yaml new file mode 100644 index 0000000000..57d7f5e3cd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-platform-microk8s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/snap/microk8s/current/args/cni-network + cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-platform-minikube.yaml new file mode 100644 index 0000000000..fa9992e204 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-platform-minikube.yaml @@ -0,0 +1,6 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-platform-openshift.yaml new file mode 100644 index 0000000000..8ddc5e1654 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-platform-openshift.yaml @@ -0,0 +1,19 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The OpenShift profile provides a basic set of settings to run Istio on OpenShift +cni: + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + provider: "multus" +pilot: + cni: + enabled: true + provider: "multus" +seLinuxOptions: + type: spc_t +# Openshift requires privileged pods to run in kube-system +trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-preview.yaml new file mode 100644 index 0000000000..181d7bda2c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-preview.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +meshConfig: + defaultConfig: + proxyMetadata: + # Enable Istio agent to handle DNS requests for known hosts + # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf + ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-remote.yaml new file mode 100644 index 0000000000..d17b9a801a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-remote.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. +istiodRemote: + enabled: true +configMap: false +telemetry: + enabled: false +global: + # TODO BML maybe a different profile for a configcluster/revisit this + omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-stable.yaml new file mode 100644 index 0000000000..358282e69b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/files/profile-stable.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The stable profile deploys admission control to ensure that only stable resources and fields are used +# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE +experimental: + stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/templates/NOTES.txt new file mode 100644 index 0000000000..fd0142911a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/templates/NOTES.txt @@ -0,0 +1,9 @@ +"{{ include "gateway.name" . }}" successfully installed! + +To learn more about the release, try: + $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} + $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} + +Next steps: + * Deploy an HTTP Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/ingress-control/ + * Deploy an HTTPS Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/ diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/templates/_helpers.tpl new file mode 100644 index 0000000000..e5a0a9b3c2 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/templates/_helpers.tpl @@ -0,0 +1,40 @@ +{{- define "gateway.name" -}} +{{- if eq .Release.Name "RELEASE-NAME" -}} + {{- .Values.name | default "istio-ingressgateway" -}} +{{- else -}} + {{- .Values.name | default .Release.Name | default "istio-ingressgateway" -}} +{{- end -}} +{{- end }} + +{{- define "gateway.labels" -}} +{{ include "gateway.selectorLabels" . }} +{{- range $key, $val := .Values.labels }} +{{- if and (ne $key "app") (ne $key "istio") }} +{{ $key | quote }}: {{ $val | quote }} +{{- end }} +{{- end }} +{{- end }} + +{{- define "gateway.selectorLabels" -}} +app: {{ (.Values.labels.app | quote) | default (include "gateway.name" .) }} +istio: {{ (.Values.labels.istio | quote) | default (include "gateway.name" . | trimPrefix "istio-") }} +{{- end }} + +{{/* +Keep sidecar injection labels together +https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#controlling-the-injection-policy +*/}} +{{- define "gateway.sidecarInjectionLabels" -}} +sidecar.istio.io/inject: "true" +{{- with .Values.revision }} +istio.io/rev: {{ . | quote }} +{{- end }} +{{- end }} + +{{- define "gateway.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- .Values.serviceAccount.name | default (include "gateway.name" .) }} +{{- else }} +{{- .Values.serviceAccount.name | default "default" }} +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/templates/deployment.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/templates/deployment.yaml new file mode 100644 index 0000000000..d83ff3b493 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/templates/deployment.yaml @@ -0,0 +1,131 @@ +apiVersion: apps/v1 +kind: {{ .Values.kind | default "Deployment" }} +metadata: + name: {{ include "gateway.name" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} + {{- include "gateway.labels" . | nindent 4}} + annotations: + {{- .Values.annotations | toYaml | nindent 4 }} +spec: + {{- if not .Values.autoscaling.enabled }} + {{- if and (hasKey .Values "replicaCount") (ne .Values.replicaCount nil) }} + replicas: {{ .Values.replicaCount }} + {{- end }} + {{- end }} + {{- with .Values.strategy }} + strategy: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.minReadySeconds }} + minReadySeconds: {{ . }} + {{- end }} + selector: + matchLabels: + {{- include "gateway.selectorLabels" . | nindent 6 }} + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "gateway.sidecarInjectionLabels" . | nindent 8 }} + {{- include "gateway.selectorLabels" . | nindent 8 }} + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 8}} + {{- range $key, $val := .Values.labels }} + {{- if and (ne $key "app") (ne $key "istio") }} + {{ $key | quote }}: {{ $val | quote }} + {{- end }} + {{- end }} + {{- with .Values.networkGateway }} + topology.istio.io/network: "{{.}}" + {{- end }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "gateway.serviceAccountName" . }} + securityContext: + {{- if .Values.securityContext }} + {{- toYaml .Values.securityContext | nindent 8 }} + {{- else }} + # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326 + sysctls: + - name: net.ipv4.ip_unprivileged_port_start + value: "0" + {{- end }} + {{- with .Values.volumes }} + volumes: + {{ toYaml . | nindent 8 }} + {{- end }} + containers: + - name: istio-proxy + # "auto" will be populated at runtime by the mutating webhook. See https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#customizing-injection + image: auto + {{- with .Values.imagePullPolicy }} + imagePullPolicy: {{ . }} + {{- end }} + securityContext: + {{- if .Values.containerSecurityContext }} + {{- toYaml .Values.containerSecurityContext | nindent 12 }} + {{- else }} + capabilities: + drop: + - ALL + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + {{- if not (eq (.Values.platform | default "") "openshift") }} + runAsUser: 1337 + runAsGroup: 1337 + {{- end }} + runAsNonRoot: true + {{- end }} + env: + {{- with .Values.networkGateway }} + - name: ISTIO_META_REQUESTED_NETWORK_VIEW + value: "{{.}}" + {{- end }} + {{- range $key, $val := .Values.env }} + - name: {{ $key }} + value: {{ $val | quote }} + {{- end }} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + resources: + {{- toYaml .Values.resources | nindent 12 }} + {{- with .Values.volumeMounts }} + volumeMounts: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.readinessProbe }} + readinessProbe: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml . | nindent 8 }} + {{- end }} + terminationGracePeriodSeconds: {{ $.Values.terminationGracePeriodSeconds }} + {{- with .Values.priorityClassName }} + priorityClassName: {{ . }} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/templates/hpa.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/templates/hpa.yaml new file mode 100644 index 0000000000..64ecb6a4cd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/templates/hpa.yaml @@ -0,0 +1,40 @@ +{{- if and (.Values.autoscaling.enabled) (eq .Values.kind "Deployment") }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "gateway.name" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} + {{- include "gateway.labels" . | nindent 4 }} + annotations: + {{- .Values.annotations | toYaml | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: {{ .Values.kind | default "Deployment" }} + name: {{ include "gateway.name" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + metrics: + {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} + type: Utilization + {{- end }} + {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} + type: Utilization + {{- end }} + {{- if .Values.autoscaling.autoscaleBehavior }} + behavior: {{ toYaml .Values.autoscaling.autoscaleBehavior | nindent 4 }} + {{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/templates/poddisruptionbudget.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/templates/poddisruptionbudget.yaml new file mode 100644 index 0000000000..b0155cdf05 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/templates/poddisruptionbudget.yaml @@ -0,0 +1,18 @@ +{{- if .Values.podDisruptionBudget }} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "gateway.name" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} + {{- include "gateway.labels" . | nindent 4}} +spec: + selector: + matchLabels: + {{- include "gateway.selectorLabels" . | nindent 6 }} + {{- with .Values.podDisruptionBudget }} + {{- toYaml . | nindent 2 }} + {{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/templates/role.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/templates/role.yaml new file mode 100644 index 0000000000..3d16079632 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/templates/role.yaml @@ -0,0 +1,37 @@ +{{/*Set up roles for Istio Gateway. Not required for gateway-api*/}} +{{- if .Values.rbac.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "gateway.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} + {{- include "gateway.labels" . | nindent 4}} + annotations: + {{- .Values.annotations | toYaml | nindent 4 }} +rules: +- apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "watch", "list"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "gateway.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} + {{- include "gateway.labels" . | nindent 4}} + annotations: + {{- .Values.annotations | toYaml | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "gateway.serviceAccountName" . }} +subjects: +- kind: ServiceAccount + name: {{ include "gateway.serviceAccountName" . }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/templates/service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/templates/service.yaml new file mode 100644 index 0000000000..3e28418f7b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/templates/service.yaml @@ -0,0 +1,69 @@ +{{- if not (eq .Values.service.type "None") }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "gateway.name" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} + {{- include "gateway.labels" . | nindent 4 }} + {{- with .Values.networkGateway }} + topology.istio.io/network: "{{.}}" + {{- end }} + annotations: + {{- merge (deepCopy .Values.service.annotations) .Values.annotations | toYaml | nindent 4 }} +spec: +{{- with .Values.service.loadBalancerIP }} + loadBalancerIP: "{{ . }}" +{{- end }} +{{- if eq .Values.service.type "LoadBalancer" }} + {{- if hasKey .Values.service "allocateLoadBalancerNodePorts" }} + allocateLoadBalancerNodePorts: {{ .Values.service.allocateLoadBalancerNodePorts }} + {{- end }} + {{- if hasKey .Values.service "loadBalancerClass" }} + loadBalancerClass: {{ .Values.service.loadBalancerClass }} + {{- end }} +{{- end }} +{{- if .Values.service.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.service.ipFamilyPolicy }} +{{- end }} +{{- if .Values.service.ipFamilies }} + ipFamilies: +{{- range .Values.service.ipFamilies }} + - {{ . }} +{{- end }} +{{- end }} +{{- with .Values.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml . | indent 4 }} +{{- end }} +{{- with .Values.service.externalTrafficPolicy }} + externalTrafficPolicy: "{{ . }}" +{{- end }} + type: {{ .Values.service.type }} + ports: +{{- if .Values.networkGateway }} + - name: status-port + port: 15021 + targetPort: 15021 + - name: tls + port: 15443 + targetPort: 15443 + - name: tls-istiod + port: 15012 + targetPort: 15012 + - name: tls-webhook + port: 15017 + targetPort: 15017 +{{- else }} +{{ .Values.service.ports | toYaml | indent 4 }} +{{- end }} +{{- if .Values.service.externalIPs }} + externalIPs: {{- range .Values.service.externalIPs }} + - {{.}} + {{- end }} +{{- end }} + selector: + {{- include "gateway.selectorLabels" . | nindent 4 }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/templates/serviceaccount.yaml new file mode 100644 index 0000000000..c88afeadd3 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/templates/serviceaccount.yaml @@ -0,0 +1,15 @@ +{{- if .Values.serviceAccount.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "gateway.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} + {{- include "gateway.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/templates/zzz_profile.yaml new file mode 100644 index 0000000000..606c556697 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/templates/zzz_profile.yaml @@ -0,0 +1,75 @@ +{{/* +WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. +The original version of this file is located at /manifests directory. +If you want to make a change in this file, edit the original one and run "make gen". + +Complex logic ahead... +We have three sets of values, in order of precedence (last wins): +1. The builtin values.yaml defaults +2. The profile the user selects +3. Users input (-f or --set) + +Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). + +However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). +We can then merge the profile onto the defaults, then the user settings onto that. +Finally, we can set all of that under .Values so the chart behaves without awareness. +*/}} +{{- if $.Values.defaults}} +{{ fail (cat + "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" + ($.Values.defaults | toYaml |nindent 4) +) }} +{{- end }} +{{- $defaults := $.Values._internal_defaults_do_not_set }} +{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} +{{- $profile := dict }} +{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} +{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} +{{- $profile = (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown profile" .) }} +{{- end }} +{{- end }} +{{- with .Values.compatibilityVersion }} +{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} +{{- end }} +{{- end }} +{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} +{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown platform" .) }} +{{- end }} +{{- end }} +{{- if $profile }} +{{- $a := mustMergeOverwrite $defaults $profile }} +{{- end }} +# Flatten globals, if defined on a per-chart basis +{{- if true }} +{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} +{{- end }} +{{- $x := set $.Values "_original" (deepCopy $.Values) }} +{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} + +{{/* +Labels that should be applied to ALL resources. +*/}} +{{- define "istio.labels" -}} +{{- if .Release.Service -}} +app.kubernetes.io/managed-by: {{ .Release.Service | quote }} +{{- end }} +{{- if .Release.Name }} +app.kubernetes.io/instance: {{ .Release.Name | quote }} +{{- end }} +app.kubernetes.io/part-of: "istio" +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +{{- if and .Chart.Name .Chart.Version }} +helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/values.schema.json b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/values.schema.json new file mode 100644 index 0000000000..3fdaa2730f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/values.schema.json @@ -0,0 +1,330 @@ +{ + "$schema": "http://json-schema.org/schema#", + "$defs": { + "values": { + "type": "object", + "properties": { + "global": { + "type": "object" + }, + "affinity": { + "type": "object" + }, + "securityContext": { + "type": [ + "object", + "null" + ] + }, + "containerSecurityContext": { + "type": [ + "object", + "null" + ] + }, + "kind": { + "type": "string", + "enum": [ + "Deployment", + "DaemonSet" + ] + }, + "annotations": { + "additionalProperties": { + "type": [ + "string", + "integer" + ] + }, + "type": "object" + }, + "autoscaling": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "maxReplicas": { + "type": "integer" + }, + "minReplicas": { + "type": "integer" + }, + "targetCPUUtilizationPercentage": { + "type": "integer" + } + } + }, + "env": { + "type": "object" + }, + "strategy": { + "type": "object" + }, + "minReadySeconds": { + "type": [ + "null", + "integer" + ] + }, + "readinessProbe": { + "type": [ + "null", + "object" + ] + }, + "labels": { + "type": "object" + }, + "name": { + "type": "string" + }, + "nodeSelector": { + "type": "object" + }, + "podAnnotations": { + "type": "object", + "properties": { + "inject.istio.io/templates": { + "type": "string" + }, + "prometheus.io/path": { + "type": "string" + }, + "prometheus.io/port": { + "type": "string" + }, + "prometheus.io/scrape": { + "type": "string" + } + } + }, + "replicaCount": { + "type": [ + "integer", + "null" + ] + }, + "resources": { + "type": "object", + "properties": { + "limits": { + "type": "object", + "properties": { + "cpu": { + "type": [ + "string", + "null" + ] + }, + "memory": { + "type": [ + "string", + "null" + ] + } + } + }, + "requests": { + "type": "object", + "properties": { + "cpu": { + "type": [ + "string", + "null" + ] + }, + "memory": { + "type": [ + "string", + "null" + ] + } + } + } + } + }, + "revision": { + "type": "string" + }, + "compatibilityVersion": { + "type": "string" + }, + "runAsRoot": { + "type": "boolean" + }, + "unprivilegedPort": { + "type": [ + "string", + "boolean" + ], + "enum": [ + true, + false, + "auto" + ] + }, + "service": { + "type": "object", + "properties": { + "annotations": { + "type": "object" + }, + "externalTrafficPolicy": { + "type": "string" + }, + "loadBalancerIP": { + "type": "string" + }, + "loadBalancerSourceRanges": { + "type": "array" + }, + "ipFamilies": { + "items": { + "type": "string", + "enum": [ + "IPv4", + "IPv6" + ] + } + }, + "ipFamilyPolicy": { + "type": "string", + "enum": [ + "", + "SingleStack", + "PreferDualStack", + "RequireDualStack" + ] + }, + "ports": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "port": { + "type": "integer" + }, + "protocol": { + "type": "string" + }, + "targetPort": { + "type": "integer" + } + } + } + }, + "type": { + "type": "string" + } + } + }, + "serviceAccount": { + "type": "object", + "properties": { + "annotations": { + "type": "object" + }, + "name": { + "type": "string" + }, + "create": { + "type": "boolean" + } + } + }, + "rbac": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, + "tolerations": { + "type": "array" + }, + "topologySpreadConstraints": { + "type": "array" + }, + "networkGateway": { + "type": "string" + }, + "imagePullPolicy": { + "type": "string", + "enum": [ + "", + "Always", + "IfNotPresent", + "Never" + ] + }, + "imagePullSecrets": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + } + } + } + }, + "podDisruptionBudget": { + "type": "object", + "properties": { + "minAvailable": { + "type": [ + "integer", + "string" + ] + }, + "maxUnavailable": { + "type": [ + "integer", + "string" + ] + }, + "unhealthyPodEvictionPolicy": { + "type": "string", + "enum": [ + "", + "IfHealthyBudget", + "AlwaysAllow" + ] + } + } + }, + "terminationGracePeriodSeconds": { + "type": "number" + }, + "volumes": { + "type": "array", + "items": { + "type": "object" + } + }, + "volumeMounts": { + "type": "array", + "items": { + "type": "object" + } + }, + "priorityClassName": { + "type": "string" + }, + "_internal_defaults_do_not_set": { + "type": "object" + } + }, + "additionalProperties": false + } + }, + "defaults": { + "$ref": "#/$defs/values" + }, + "$ref": "#/$defs/values" +} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/values.yaml new file mode 100644 index 0000000000..4e65676ba1 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/gateway/values.yaml @@ -0,0 +1,170 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + # Name allows overriding the release name. Generally this should not be set + name: "" + # revision declares which revision this gateway is a part of + revision: "" + + # Controls the spec.replicas setting for the Gateway deployment if set. + # Otherwise defaults to Kubernetes Deployment default (1). + replicaCount: + + kind: Deployment + + rbac: + # If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed + # when using http://gateway-api.org/. + enabled: true + + serviceAccount: + # If set, a service account will be created. Otherwise, the default is used + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set, the release name is used + name: "" + + podAnnotations: + prometheus.io/port: "15020" + prometheus.io/scrape: "true" + prometheus.io/path: "/stats/prometheus" + inject.istio.io/templates: "gateway" + sidecar.istio.io/inject: "true" + + # Define the security context for the pod. + # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. + # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. + securityContext: {} + containerSecurityContext: {} + + service: + # Type of service. Set to "None" to disable the service entirely + type: LoadBalancer + ports: + - name: status-port + port: 15021 + protocol: TCP + targetPort: 15021 + - name: http2 + port: 80 + protocol: TCP + targetPort: 80 + - name: https + port: 443 + protocol: TCP + targetPort: 443 + annotations: {} + loadBalancerIP: "" + loadBalancerSourceRanges: [] + externalTrafficPolicy: "" + externalIPs: [] + ipFamilyPolicy: "" + ipFamilies: [] + ## Whether to automatically allocate NodePorts (only for LoadBalancers). + # allocateLoadBalancerNodePorts: false + ## Set LoadBalancer class (only for LoadBalancers). + # loadBalancerClass: "" + + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 1024Mi + + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 5 + targetCPUUtilizationPercentage: 80 + targetMemoryUtilizationPercentage: {} + autoscaleBehavior: {} + + # Pod environment variables + env: {} + + # Deployment Update strategy + strategy: {} + + # Sets the Deployment minReadySeconds value + minReadySeconds: + + # Optionally configure a custom readinessProbe. By default the control plane + # automatically injects the readinessProbe. If you wish to override that + # behavior, you may define your own readinessProbe here. + readinessProbe: {} + + # Labels to apply to all resources + labels: + # By default, don't enroll gateways into the ambient dataplane + "istio.io/dataplane-mode": none + + # Annotations to apply to all resources + annotations: {} + + nodeSelector: {} + + tolerations: [] + + topologySpreadConstraints: [] + + affinity: {} + + # If specified, the gateway will act as a network gateway for the given network. + networkGateway: "" + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent + imagePullPolicy: "" + + imagePullSecrets: [] + + # This value is used to configure a Kubernetes PodDisruptionBudget for the gateway. + # + # By default, the `podDisruptionBudget` is disabled (set to `{}`), + # which means that no PodDisruptionBudget resource will be created. + # + # To enable the PodDisruptionBudget, configure it by specifying the + # `minAvailable` or `maxUnavailable`. For example, to set the + # minimum number of available replicas to 1, you can update this value as follows: + # + # podDisruptionBudget: + # minAvailable: 1 + # + # Or, to allow a maximum of 1 unavailable replica, you can set: + # + # podDisruptionBudget: + # maxUnavailable: 1 + # + # You can also specify the `unhealthyPodEvictionPolicy` field, and the valid values are `IfHealthyBudget` and `AlwaysAllow`. + # For example, to set the `unhealthyPodEvictionPolicy` to `AlwaysAllow`, you can update this value as follows: + # + # podDisruptionBudget: + # minAvailable: 1 + # unhealthyPodEvictionPolicy: AlwaysAllow + # + # To disable the PodDisruptionBudget, you can leave it as an empty object `{}`: + # + # podDisruptionBudget: {} + # + podDisruptionBudget: {} + + # Sets the per-pod terminationGracePeriodSeconds setting. + terminationGracePeriodSeconds: 30 + + # A list of `Volumes` added into the Gateway Pods. See + # https://kubernetes.io/docs/concepts/storage/volumes/. + volumes: [] + + # A list of `VolumeMounts` added into the Gateway Pods. See + # https://kubernetes.io/docs/concepts/storage/volumes/. + volumeMounts: [] + + # Configure this to a higher priority class in order to make sure your Istio gateway pods + # will not be killed because of low priority class. + # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + # for more detail. + priorityClassName: "" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/Chart.yaml new file mode 100644 index 0000000000..68663298a4 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/Chart.yaml @@ -0,0 +1,12 @@ +apiVersion: v2 +appVersion: 1.26.2 +description: Helm chart for istio control plane +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio +- istiod +- istio-discovery +name: istiod +sources: +- https://github.com/istio/istio +version: 1.26.2 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/README.md new file mode 100644 index 0000000000..ddbfbc8fec --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/README.md @@ -0,0 +1,73 @@ +# Istiod Helm Chart + +This chart installs an Istiod deployment. + +## Setup Repo Info + +```console +helm repo add istio https://istio-release.storage.googleapis.com/charts +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Installing the Chart + +Before installing, ensure CRDs are installed in the cluster (from the `istio/base` chart). + +To install the chart with the release name `istiod`: + +```console +kubectl create namespace istio-system +helm install istiod istio/istiod --namespace istio-system +``` + +## Uninstalling the Chart + +To uninstall/delete the `istiod` deployment: + +```console +helm delete istiod --namespace istio-system +``` + +## Configuration + +To view support configuration options and documentation, run: + +```console +helm show values istio/istiod +``` + +### Profiles + +Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. +These can be set with `--set profile=`. +For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. + +For consistency, the same profiles are used across each chart, even if they do not impact a given chart. + +Explicitly set values have highest priority, then profile settings, then chart defaults. + +As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. +When configuring the chart, you should not include this. +That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. + +### Examples + +#### Configuring mesh configuration settings + +Any [Mesh Config](https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/) options can be configured like below: + +```yaml +meshConfig: + accessLogFile: /dev/stdout +``` + +#### Revisions + +Control plane revisions allow deploying multiple versions of the control plane in the same cluster. +This allows safe [canary upgrades](https://istio.io/latest/docs/setup/upgrade/canary/) + +```yaml +revision: my-revision-name +``` diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/gateway-injection-template.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/gateway-injection-template.yaml new file mode 100644 index 0000000000..07885fe316 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/gateway-injection-template.yaml @@ -0,0 +1,261 @@ +{{- $containers := list }} +{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} +metadata: + labels: + service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} + service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} + annotations: + istio.io/rev: {{ .Revision | default "default" | quote }} + {{- if ge (len $containers) 1 }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} + kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}" + {{- end }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}" + {{- end }} + {{- end }} +spec: + securityContext: + {{- if .Values.gateways.securityContext }} + {{- toYaml .Values.gateways.securityContext | nindent 4 }} + {{- else }} + sysctls: + - name: net.ipv4.ip_unprivileged_port_start + value: "0" + {{- end }} + containers: + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - router + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} + - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} + {{- end }} + securityContext: + runAsUser: {{ .ProxyUID | default "1337" }} + runAsGroup: {{ .ProxyGID | default "1337" }} + env: + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + {{- if .CompliancePolicy }} + - name: COMPLIANCE_POLICY + value: "{{ .CompliancePolicy }}" + {{- end }} + - name: ISTIO_META_APP_CONTAINERS + value: "{{ $containers | join "," }}" + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ .ProxyConfig.InterceptionMode.String }}" + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{- if .DeploymentMeta.Name }} + - name: ISTIO_META_WORKLOAD_NAME + value: "{{ .DeploymentMeta.Name }}" + {{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + readinessProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }} + timeoutSeconds: 3 + failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }} + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + - name: credential-socket + mountPath: /var/run/secrets/credential-uds + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + volumes: + - emptyDir: {} + name: workload-socket + - emptyDir: {} + name: credential-socket + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- else}} + - emptyDir: {} + name: workload-certs + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:root-cert + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - name: istio-certs + secret: + optional: true + {{ if eq .Spec.ServiceAccountName "" }} + secretName: istio.default + {{ else -}} + secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} + {{ end -}} + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/grpc-agent.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/grpc-agent.yaml new file mode 100644 index 0000000000..f28930bc59 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/grpc-agent.yaml @@ -0,0 +1,318 @@ +{{- define "resources" }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} + requests: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" + {{ end }} + {{- end }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + limits: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" + {{ end }} + {{- end }} + {{- else }} + {{- if .Values.global.proxy.resources }} + {{ toYaml .Values.global.proxy.resources | indent 6 }} + {{- end }} + {{- end }} +{{- end }} +{{- $containers := list }} +{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} +metadata: + labels: + {{/* security.istio.io/tlsMode: istio must be set by user, if gRPC is using mTLS initialization code. We can't set it automatically. */}} + service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} + service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} + annotations: { + istio.io/rev: {{ .Revision | default "default" | quote }}, + {{- if ge (len $containers) 1 }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} + kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", + {{- end }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", + {{- end }} + {{- end }} + sidecar.istio.io/rewriteAppHTTPProbers: "false", + } +spec: + containers: + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + ports: + - containerPort: 15020 + protocol: TCP + name: mesh-metrics + args: + - proxy + - sidecar + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} + - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + lifecycle: + postStart: + exec: + command: + - pilot-agent + - wait + - --url=http://localhost:15020/healthz/ready + env: + - name: ISTIO_META_GENERATOR + value: grpc + - name: OUTPUT_CERTS + value: /var/lib/istio/data + {{- if eq .InboundTrafficPolicyMode "localhost" }} + - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION + value: "true" + {{- end }} + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: ISTIO_META_APP_CONTAINERS + value: "{{ $containers | join "," }}" + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{- if .DeploymentMeta.Name }} + - name: ISTIO_META_WORKLOAD_NAME + value: "{{ .DeploymentMeta.Name }}" + {{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + # grpc uses xds:/// to resolve – no need to resolve VIP + - name: ISTIO_META_DNS_CAPTURE + value: "false" + - name: DISABLE_ENVOY + value: "true" + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} + readinessProbe: + httpGet: + path: /healthz/ready + port: 15020 + initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} + timeoutSeconds: 3 + failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} + resources: + {{ template "resources" . }} + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + # UDS channel between istioagent and gRPC client for XDS/SDS + - mountPath: /etc/istio/proxy + name: istio-xds + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} + {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 6 }} + {{ end }} + {{- end }} +{{- range $index, $container := .Spec.Containers }} +{{ if not (eq $container.Name "istio-proxy") }} + - name: {{ $container.Name }} + env: + - name: "GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT" + value: "true" + - name: "GRPC_XDS_BOOTSTRAP" + value: "/etc/istio/proxy/grpc-bootstrap.json" + volumeMounts: + - mountPath: /var/lib/istio/data + name: istio-data + # UDS channel between istioagent and gRPC client for XDS/SDS + - mountPath: /etc/istio/proxy + name: istio-xds + {{- if eq $.Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} +{{- end }} +{{- end }} + volumes: + - emptyDir: + name: workload-socket + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- else }} + - emptyDir: + name: workload-certs + {{- end }} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: custom-bootstrap-volume + configMap: + name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-xds + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:root-cert + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - name: istio-certs + secret: + optional: true + {{ if eq .Spec.ServiceAccountName "" }} + secretName: istio.default + {{ else -}} + secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} + {{ end -}} + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} + {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 4 }} + {{ end }} + {{ end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/grpc-simple.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/grpc-simple.yaml new file mode 100644 index 0000000000..9ba0c7a46a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/grpc-simple.yaml @@ -0,0 +1,65 @@ +metadata: + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "false" +spec: + initContainers: + - name: grpc-bootstrap-init + image: busybox:1.28 + volumeMounts: + - mountPath: /var/lib/grpc/data/ + name: grpc-io-proxyless-bootstrap + env: + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: ISTIO_NAMESPACE + value: | + {{ .Values.global.istioNamespace }} + command: + - sh + - "-c" + - |- + NODE_ID="sidecar~${INSTANCE_IP}~${POD_NAME}.${POD_NAMESPACE}~cluster.local" + SERVER_URI="dns:///istiod.${ISTIO_NAMESPACE}.svc:15010" + echo ' + { + "xds_servers": [ + { + "server_uri": "'${SERVER_URI}'", + "channel_creds": [{"type": "insecure"}], + "server_features" : ["xds_v3"] + } + ], + "node": { + "id": "'${NODE_ID}'", + "metadata": { + "GENERATOR": "grpc" + } + } + }' > /var/lib/grpc/data/bootstrap.json + containers: + {{- range $index, $container := .Spec.Containers }} + - name: {{ $container.Name }} + env: + - name: GRPC_XDS_BOOTSTRAP + value: /var/lib/grpc/data/bootstrap.json + - name: GRPC_GO_LOG_VERBOSITY_LEVEL + value: "99" + - name: GRPC_GO_LOG_SEVERITY_LEVEL + value: info + volumeMounts: + - mountPath: /var/lib/grpc/data/ + name: grpc-io-proxyless-bootstrap + {{- end }} + volumes: + - name: grpc-io-proxyless-bootstrap + emptyDir: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/injection-template.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/injection-template.yaml new file mode 100644 index 0000000000..0aa99a967f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/injection-template.yaml @@ -0,0 +1,532 @@ +{{- define "resources" }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} + requests: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" + {{ end }} + {{- end }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + limits: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" + {{ end }} + {{- end }} + {{- else }} + {{- if .Values.global.proxy.resources }} + {{ toYaml .Values.global.proxy.resources | indent 6 }} + {{- end }} + {{- end }} +{{- end }} +{{ $nativeSidecar := (or (and (not (isset .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar`)) (eq (env "ENABLE_NATIVE_SIDECARS" "false") "true")) (eq (index .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar`) "true")) }} +{{ $tproxy := (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) }} +{{- $containers := list }} +{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} +metadata: + labels: + security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }} + {{- if eq (index .ProxyConfig.ProxyMetadata "ISTIO_META_ENABLE_HBONE") "true" }} + networking.istio.io/tunnel: {{ index .ObjectMeta.Labels `networking.istio.io/tunnel` | default "http" | quote }} + {{- end }} + service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | trunc 63 | trimSuffix "-" | quote }} + service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} + annotations: { + istio.io/rev: {{ .Revision | default "default" | quote }}, + {{- if ge (len $containers) 1 }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} + kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", + {{- end }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", + {{- end }} + {{- end }} +{{- if .Values.pilot.cni.enabled }} + {{- if eq .Values.pilot.cni.provider "multus" }} + k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `default/istio-cni` }}', + {{- end }} + sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}", + {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }} + {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }} + traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}", + traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}", + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }} + traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}", + {{- end }} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} + traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}", + {{- end }} + {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }} + {{ with index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}istio.io/reroute-virtual-interfaces: "{{.}}",{{ end }} + {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}traffic.sidecar.istio.io/excludeInterfaces: "{{.}}",{{ end }} +{{- end }} + } +spec: + {{- $holdProxy := and + (or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts) + (not $nativeSidecar) }} + {{- $noInitContainer := and + (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE`) + (not $nativeSidecar) }} + {{ if $noInitContainer }} + initContainers: [] + {{ else -}} + initContainers: + {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} + {{ if .Values.pilot.cni.enabled -}} + - name: istio-validation + {{ else -}} + - name: istio-init + {{ end -}} + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + args: + - istio-iptables + - "-p" + - {{ .MeshConfig.ProxyListenPort | default "15001" | quote }} + - "-z" + - {{ .MeshConfig.ProxyInboundListenPort | default "15006" | quote }} + - "-u" + - {{ if $tproxy }} "1337" {{ else }} {{ .ProxyUID | default "1337" | quote }} {{ end }} + - "-m" + - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" + - "-i" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" + - "-x" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" + - "-b" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}" + - "-d" + {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }} + - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" + {{- else }} + - "15090,15021" + {{- end }} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}} + - "-q" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" + {{ end -}} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} + - "-o" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" + {{ end -}} + {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} + - "-k" + - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" + {{ end -}} + {{ if (isset .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces`) -}} + - "-k" + - "{{ index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}" + {{ end -}} + {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces`) -}} + - "-c" + - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}" + {{ end -}} + - "--log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}" + {{ if .Values.global.logAsJson -}} + - "--log_as_json" + {{ end -}} + {{ if .Values.pilot.cni.enabled -}} + - "--run-validation" + - "--skip-rule-apply" + {{ else if .Values.global.proxy_init.forceApplyIptables -}} + - "--force-apply" + {{ end -}} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + {{- if .ProxyConfig.ProxyMetadata }} + env: + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + resources: + {{ template "resources" . }} + securityContext: + allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} + privileged: {{ .Values.global.proxy.privileged }} + capabilities: + {{- if not .Values.pilot.cni.enabled }} + add: + - NET_ADMIN + - NET_RAW + {{- end }} + drop: + - ALL + {{- if not .Values.pilot.cni.enabled }} + readOnlyRootFilesystem: false + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + {{- else }} + readOnlyRootFilesystem: true + runAsGroup: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyGID | default "1337" }} {{ end }} + runAsUser: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyUID | default "1337" }} {{ end }} + runAsNonRoot: true + {{- end }} + {{ end -}} + {{ end -}} + {{ if not $nativeSidecar }} + containers: + {{ end }} + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + {{ if $nativeSidecar }}restartPolicy: Always{{end}} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - sidecar + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} + - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.outlierLogPath }} + - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }} + {{- end}} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} + {{- else if $holdProxy }} + lifecycle: + postStart: + exec: + command: + - pilot-agent + - wait + {{- else if $nativeSidecar }} + {{- /* preStop is called when the pod starts shutdown. Initialize drain. We will get SIGTERM once applications are torn down. */}} + lifecycle: + preStop: + exec: + command: + - pilot-agent + - request + - --debug-port={{(annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort)}} + - POST + - drain + {{- end }} + env: + {{- if eq .InboundTrafficPolicyMode "localhost" }} + - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION + value: "true" + {{- end }} + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: ISTIO_META_APP_CONTAINERS + value: "{{ $containers | join "," }}" + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + {{- if .CompliancePolicy }} + - name: COMPLIANCE_POLICY + value: "{{ .CompliancePolicy }}" + {{- end }} + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{- with (index .ObjectMeta.Labels `service.istio.io/workload-name` | default .DeploymentMeta.Name) }} + - name: ISTIO_META_WORKLOAD_NAME + value: "{{ . }}" + {{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: ISTIO_BOOTSTRAP_OVERRIDE + value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" + {{- end }} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} + {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} + {{ if .Values.global.proxy.startupProbe.enabled }} + startupProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: 0 + periodSeconds: 1 + timeoutSeconds: 3 + failureThreshold: {{ .Values.global.proxy.startupProbe.failureThreshold }} + {{ end }} + readinessProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} + timeoutSeconds: 3 + failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} + {{ end -}} + securityContext: + {{- if eq (index .ProxyConfig.ProxyMetadata "IPTABLES_TRACE_LOGGING") "true" }} + allowPrivilegeEscalation: true + capabilities: + add: + - NET_ADMIN + drop: + - ALL + privileged: true + readOnlyRootFilesystem: true + runAsGroup: {{ .ProxyGID | default "1337" }} + runAsNonRoot: false + runAsUser: 0 + {{- else }} + allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} + capabilities: + {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} + add: + {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}} + - NET_ADMIN + {{- end }} + {{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}} + - NET_BIND_SERVICE + {{- end }} + {{- end }} + drop: + - ALL + privileged: {{ .Values.global.proxy.privileged }} + readOnlyRootFilesystem: true + {{ if or ($tproxy) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} + runAsNonRoot: false + runAsUser: 0 + runAsGroup: 1337 + {{- else -}} + runAsNonRoot: true + runAsUser: {{ .ProxyUID | default "1337" }} + runAsGroup: {{ .ProxyGID | default "1337" }} + {{- end }} + {{- end }} + resources: + {{ template "resources" . }} + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + - name: credential-socket + mountPath: /var/run/secrets/credential-uds + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - mountPath: /etc/istio/custom-bootstrap + name: custom-bootstrap-volume + {{- end }} + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} + - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }} + name: lightstep-certs + readOnly: true + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} + {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 6 }} + {{ end }} + {{- end }} + volumes: + - emptyDir: + name: workload-socket + - emptyDir: + name: credential-socket + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- else }} + - emptyDir: + name: workload-certs + {{- end }} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: custom-bootstrap-volume + configMap: + name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:root-cert + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - name: istio-certs + secret: + optional: true + {{ if eq .Spec.ServiceAccountName "" }} + secretName: istio.default + {{ else -}} + secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} + {{ end -}} + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} + {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 4 }} + {{ end }} + {{ end }} + {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} + - name: lightstep-certs + secret: + optional: true + secretName: lightstep.cacert + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/kube-gateway.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/kube-gateway.yaml new file mode 100644 index 0000000000..a6116b1ab0 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/kube-gateway.yaml @@ -0,0 +1,401 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{.ServiceAccount | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + {{- if ge .KubeVersion 128 }} + # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" + {{- end }} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.istio.io/managed" "istio.io-gateway-controller" + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: "{{.UID}}" +spec: + selector: + matchLabels: + "{{.GatewayNameLabel}}": {{.Name}} + template: + metadata: + annotations: + {{- toJsonMap + (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") + (strdict "istio.io/rev" (.Revision | default "default")) + (strdict + "prometheus.io/path" "/stats/prometheus" + "prometheus.io/port" "15020" + "prometheus.io/scrape" "true" + ) | nindent 8 }} + labels: + {{- toJsonMap + (strdict + "sidecar.istio.io/inject" "false" + "service.istio.io/canonical-name" .DeploymentName + "service.istio.io/canonical-revision" "latest" + ) + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.istio.io/managed" "istio.io-gateway-controller" + ) | nindent 8 }} + spec: + securityContext: + {{- if .Values.gateways.securityContext }} + {{- toYaml .Values.gateways.securityContext | nindent 8 }} + {{- else }} + sysctls: + - name: net.ipv4.ip_unprivileged_port_start + value: "0" + {{- if .Values.gateways.seccompProfile }} + seccompProfile: + {{- toYaml .Values.gateways.seccompProfile | nindent 10 }} + {{- end }} + {{- end }} + serviceAccountName: {{.ServiceAccount | quote}} + containers: + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + {{- if .Values.global.proxy.resources }} + resources: + {{- toYaml .Values.global.proxy.resources | nindent 10 }} + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + securityContext: + capabilities: + drop: + - ALL + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsUser: {{ .ProxyUID | default "1337" }} + runAsGroup: {{ .ProxyGID | default "1337" }} + runAsNonRoot: true + ports: + - containerPort: 15020 + name: metrics + protocol: TCP + - containerPort: 15021 + name: status-port + protocol: TCP + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - router + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} + - --proxyComponentLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} + - --log_output_level + - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{- toYaml .Values.global.proxy.lifecycle | nindent 10 }} + {{- end }} + env: + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: "[]" + - name: ISTIO_META_APP_CONTAINERS + value: "" + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName .ClusterID }}" + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ .ProxyConfig.InterceptionMode.String }}" + {{- with (valueOrDefault (index .InfrastructureLabels "topology.istio.io/network") .Values.global.network) }} + - name: ISTIO_META_NETWORK + value: {{.|quote}} + {{- end }} + - name: ISTIO_META_WORKLOAD_NAME + value: {{.DeploymentName|quote}} + - name: ISTIO_META_OWNER + value: "kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}}" + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- with (index .InfrastructureLabels "topology.istio.io/network") }} + - name: ISTIO_META_REQUESTED_NETWORK_VIEW + value: {{.|quote}} + {{- end }} + startupProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 1 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + failureThreshold: 4 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 0 + periodSeconds: 15 + successThreshold: 1 + timeoutSeconds: 1 + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + - name: credential-socket + mountPath: /var/run/secrets/credential-uds + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + - name: istio-podinfo + mountPath: /etc/istio/pod + volumes: + - emptyDir: {} + name: workload-socket + - emptyDir: {} + name: credential-socket + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- else}} + - emptyDir: {} + name: workload-certs + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + {{- if eq ((.Values.pilot).env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:root-cert + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +--- +apiVersion: v1 +kind: Service +metadata: + annotations: + {{ toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: {{.UID}} +spec: + ipFamilyPolicy: PreferDualStack + ports: + {{- range $key, $val := .Ports }} + - name: {{ $val.Name | quote }} + port: {{ $val.Port }} + protocol: TCP + appProtocol: {{ $val.AppProtocol }} + {{- end }} + selector: + "{{.GatewayNameLabel}}": {{.Name}} + {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} + loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} + {{- end }} + type: {{ .ServiceType | quote }} +--- +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: "{{.UID}}" +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{.DeploymentName | quote}} + maxReplicas: 1 +--- +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: "{{.UID}}" +spec: + selector: + matchLabels: + gateway.networking.k8s.io/gateway-name: {{.Name|quote}} + diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-ambient.yaml new file mode 100644 index 0000000000..2805fe46bf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-ambient.yaml @@ -0,0 +1,17 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-compatibility-version-1.23.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-compatibility-version-1.23.yaml new file mode 100644 index 0000000000..dac910ff5b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-compatibility-version-1.23.yaml @@ -0,0 +1,25 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + ENABLE_INBOUND_RETRY_POLICY: "false" + EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" + +ambient: + # Not present in <1.24, defaults to `true` in 1.25+ + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 0000000000..b211c82666 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-compatibility-version-1.24.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + PILOT_ENABLE_IP_AUTOALLOCATE: "false" +ambient: + dnsCapture: false + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..eb8827cd50 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-demo.yaml new file mode 100644 index 0000000000..d6dc36dd0f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-demo.yaml @@ -0,0 +1,94 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The demo profile enables a variety of things to try out Istio in non-production environments. +# * Lower resource utilization. +# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. +# * More ports enabled on the ingress, which is used in some tasks. +meshConfig: + accessLogFile: /dev/stdout + extensionProviders: + - name: otel + envoyOtelAls: + service: opentelemetry-collector.observability.svc.cluster.local + port: 4317 + - name: skywalking + skywalking: + service: tracing.istio-system.svc.cluster.local + port: 11800 + - name: otel-tracing + opentelemetry: + port: 4317 + service: opentelemetry-collector.observability.svc.cluster.local + - name: jaeger + opentelemetry: + port: 4317 + service: jaeger-collector.istio-system.svc.cluster.local + +cni: + resources: + requests: + cpu: 10m + memory: 40Mi + +ztunnel: + resources: + requests: + cpu: 10m + memory: 40Mi + +global: + proxy: + resources: + requests: + cpu: 10m + memory: 40Mi + waypoint: + resources: + requests: + cpu: 10m + memory: 40Mi + +pilot: + autoscaleEnabled: false + traceSampling: 100 + resources: + requests: + cpu: 10m + memory: 100Mi + +gateways: + istio-egressgateway: + autoscaleEnabled: false + resources: + requests: + cpu: 10m + memory: 40Mi + istio-ingressgateway: + autoscaleEnabled: false + ports: + ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. + # Note that AWS ELB will by default perform health checks on the first port + # on this list. Setting this to the health check port will ensure that health + # checks always work. https://github.com/istio/istio/issues/12503 + - port: 15021 + targetPort: 15021 + name: status-port + - port: 80 + targetPort: 8080 + name: http2 + - port: 443 + targetPort: 8443 + name: https + - port: 31400 + targetPort: 31400 + name: tcp + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + resources: + requests: + cpu: 10m + memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-platform-gke.yaml new file mode 100644 index 0000000000..dfe8a7d741 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-platform-gke.yaml @@ -0,0 +1,10 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work + resourceQuotas: + enabled: true +resourceQuotas: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-platform-k3d.yaml new file mode 100644 index 0000000000..cd86d9ec58 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-platform-k3d.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-platform-k3s.yaml new file mode 100644 index 0000000000..07820106d9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-platform-k3s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-platform-microk8s.yaml new file mode 100644 index 0000000000..57d7f5e3cd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-platform-microk8s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/snap/microk8s/current/args/cni-network + cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-platform-minikube.yaml new file mode 100644 index 0000000000..fa9992e204 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-platform-minikube.yaml @@ -0,0 +1,6 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-platform-openshift.yaml new file mode 100644 index 0000000000..8ddc5e1654 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-platform-openshift.yaml @@ -0,0 +1,19 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The OpenShift profile provides a basic set of settings to run Istio on OpenShift +cni: + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + provider: "multus" +pilot: + cni: + enabled: true + provider: "multus" +seLinuxOptions: + type: spc_t +# Openshift requires privileged pods to run in kube-system +trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-preview.yaml new file mode 100644 index 0000000000..181d7bda2c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-preview.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +meshConfig: + defaultConfig: + proxyMetadata: + # Enable Istio agent to handle DNS requests for known hosts + # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf + ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-remote.yaml new file mode 100644 index 0000000000..d17b9a801a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-remote.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. +istiodRemote: + enabled: true +configMap: false +telemetry: + enabled: false +global: + # TODO BML maybe a different profile for a configcluster/revisit this + omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-stable.yaml new file mode 100644 index 0000000000..358282e69b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/profile-stable.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The stable profile deploys admission control to ensure that only stable resources and fields are used +# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE +experimental: + stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/waypoint.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/waypoint.yaml new file mode 100644 index 0000000000..6a08a662ec --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/files/waypoint.yaml @@ -0,0 +1,396 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{.ServiceAccount | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + {{- if ge .KubeVersion 128 }} + # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" + {{- end }} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.istio.io/managed" "istio.io-mesh-controller" + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" +spec: + selector: + matchLabels: + "{{.GatewayNameLabel}}": "{{.Name}}" + template: + metadata: + annotations: + {{- toJsonMap + (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") + (strdict "istio.io/rev" (.Revision | default "default")) + (strdict + "prometheus.io/path" "/stats/prometheus" + "prometheus.io/port" "15020" + "prometheus.io/scrape" "true" + ) | nindent 8 }} + labels: + {{- toJsonMap + (strdict + "sidecar.istio.io/inject" "false" + "istio.io/dataplane-mode" "none" + "service.istio.io/canonical-name" .DeploymentName + "service.istio.io/canonical-revision" "latest" + ) + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.istio.io/managed" "istio.io-mesh-controller" + ) | nindent 8}} + spec: + {{- if .Values.global.waypoint.affinity }} + affinity: + {{- toYaml .Values.global.waypoint.affinity | nindent 8 }} + {{- end }} + {{- if .Values.global.waypoint.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml .Values.global.waypoint.topologySpreadConstraints | nindent 8 }} + {{- end }} + {{- if .Values.global.waypoint.nodeSelector }} + nodeSelector: + {{- toYaml .Values.global.waypoint.nodeSelector | nindent 8 }} + {{- end }} + {{- if .Values.global.waypoint.tolerations }} + tolerations: + {{- toYaml .Values.global.waypoint.tolerations | nindent 8 }} + {{- end }} + terminationGracePeriodSeconds: 2 + serviceAccountName: {{.ServiceAccount | quote}} + containers: + - name: istio-proxy + ports: + - containerPort: 15020 + name: metrics + protocol: TCP + - containerPort: 15021 + name: status-port + protocol: TCP + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + args: + - proxy + - waypoint + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --serviceCluster + - {{.ServiceAccount}}.$(POD_NAMESPACE) + - --proxyLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} + - --proxyComponentLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} + - --log_output_level + - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.outlierLogPath }} + - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }} + {{- end}} + env: + - name: ISTIO_META_SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + {{- if .ProxyConfig.ProxyMetadata }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + {{- $network := valueOrDefault (index .InfrastructureLabels `topology.istio.io/network`) .Values.global.network }} + {{- if $network }} + - name: ISTIO_META_NETWORK + value: "{{ $network }}" + {{- end }} + - name: ISTIO_META_INTERCEPTION_MODE + value: REDIRECT + - name: ISTIO_META_WORKLOAD_NAME + value: {{.DeploymentName}} + - name: ISTIO_META_OWNER + value: kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- if .Values.global.waypoint.resources }} + resources: + {{- toYaml .Values.global.waypoint.resources | nindent 10 }} + {{- end }} + startupProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 1 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + failureThreshold: 4 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 0 + periodSeconds: 15 + successThreshold: 1 + timeoutSeconds: 1 + securityContext: + privileged: false + {{- if not (eq .Values.global.platform "openshift") }} + runAsGroup: 1337 + runAsUser: 1337 + {{- end }} + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL +{{- if .Values.gateways.seccompProfile }} + seccompProfile: +{{- toYaml .Values.gateways.seccompProfile | nindent 12 }} +{{- end }} + volumeMounts: + - mountPath: /var/run/secrets/workload-spiffe-uds + name: workload-socket + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + - mountPath: /var/lib/istio/data + name: istio-data + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + - mountPath: /etc/istio/pod + name: istio-podinfo + volumes: + - emptyDir: {} + name: workload-socket + - emptyDir: + medium: Memory + name: istio-envoy + - emptyDir: + medium: Memory + name: go-proxy-envoy + - emptyDir: {} + name: istio-data + - emptyDir: {} + name: go-proxy-data + - downwardAPI: + items: + - fieldRef: + fieldPath: metadata.labels + path: labels + - fieldRef: + fieldPath: metadata.annotations + path: annotations + name: istio-podinfo + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: istio-ca + expirationSeconds: 43200 + path: istio-token + - name: istiod-ca-cert + {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:root-cert + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +--- +apiVersion: v1 +kind: Service +metadata: + annotations: + {{ toJsonMap + (strdict "networking.istio.io/traffic-distribution" "PreferClose") + (omit .InfrastructureAnnotations + "kubectl.kubernetes.io/last-applied-configuration" + "gateway.istio.io/name-override" + "gateway.istio.io/service-account" + "gateway.istio.io/controller-version" + ) | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" +spec: + ipFamilyPolicy: PreferDualStack + ports: + {{- range $key, $val := .Ports }} + - name: {{ $val.Name | quote }} + port: {{ $val.Port }} + protocol: TCP + appProtocol: {{ $val.AppProtocol }} + {{- end }} + selector: + "{{.GatewayNameLabel}}": "{{.Name}}" + {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} + loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} + {{- end }} + type: {{ .ServiceType | quote }} +--- +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: "{{.UID}}" +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{.DeploymentName | quote}} + maxReplicas: 1 +--- +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: "{{.UID}}" +spec: + selector: + matchLabels: + gateway.networking.k8s.io/gateway-name: {{.Name|quote}} + diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/NOTES.txt new file mode 100644 index 0000000000..0d07ea7f4c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/NOTES.txt @@ -0,0 +1,82 @@ +"istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}" successfully installed! + +To learn more about the release, try: + $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} + $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} + +Next steps: +{{- $profile := default "" .Values.profile }} +{{- if (eq $profile "ambient") }} + * Get started with ambient: https://istio.io/latest/docs/ops/ambient/getting-started/ + * Review ambient's architecture: https://istio.io/latest/docs/ops/ambient/architecture/ +{{- else }} + * Deploy a Gateway: https://istio.io/latest/docs/setup/additional-setup/gateway/ + * Try out our tasks to get started on common configurations: + * https://istio.io/latest/docs/tasks/traffic-management + * https://istio.io/latest/docs/tasks/security/ + * https://istio.io/latest/docs/tasks/policy-enforcement/ +{{- end }} + * Review the list of actively supported releases, CVE publications and our hardening guide: + * https://istio.io/latest/docs/releases/supported-releases/ + * https://istio.io/latest/news/security/ + * https://istio.io/latest/docs/ops/best-practices/security/ + +For further documentation see https://istio.io website + +{{- + $deps := dict + "global.outboundTrafficPolicy" "meshConfig.outboundTrafficPolicy" + "global.certificates" "meshConfig.certificates" + "global.localityLbSetting" "meshConfig.localityLbSetting" + "global.policyCheckFailOpen" "meshConfig.policyCheckFailOpen" + "global.enableTracing" "meshConfig.enableTracing" + "global.proxy.accessLogFormat" "meshConfig.accessLogFormat" + "global.proxy.accessLogFile" "meshConfig.accessLogFile" + "global.proxy.concurrency" "meshConfig.defaultConfig.concurrency" + "global.proxy.envoyAccessLogService" "meshConfig.defaultConfig.envoyAccessLogService" + "global.proxy.envoyAccessLogService.enabled" "meshConfig.enableEnvoyAccessLogService" + "global.proxy.envoyMetricsService" "meshConfig.defaultConfig.envoyMetricsService" + "global.proxy.protocolDetectionTimeout" "meshConfig.protocolDetectionTimeout" + "global.proxy.holdApplicationUntilProxyStarts" "meshConfig.defaultConfig.holdApplicationUntilProxyStarts" + "pilot.ingress" "meshConfig.ingressService, meshConfig.ingressControllerMode, and meshConfig.ingressClass" + "global.mtls.enabled" "the PeerAuthentication resource" + "global.mtls.auto" "meshConfig.enableAutoMtls" + "global.tracer.lightstep.address" "meshConfig.defaultConfig.tracing.lightstep.address" + "global.tracer.lightstep.accessToken" "meshConfig.defaultConfig.tracing.lightstep.accessToken" + "global.tracer.zipkin.address" "meshConfig.defaultConfig.tracing.zipkin.address" + "global.tracer.datadog.address" "meshConfig.defaultConfig.tracing.datadog.address" + "global.meshExpansion.enabled" "Gateway and other Istio networking resources, such as in samples/multicluster/" + "istiocoredns.enabled" "the in-proxy DNS capturing (ISTIO_META_DNS_CAPTURE)" +}} +{{- range $dep, $replace := $deps }} +{{- /* Complex logic to turn the string above into a null-safe traversal like ((.Values.global).certificates */}} +{{- $res := tpl (print "{{" (repeat (split "." $dep | len) "(") ".Values." (replace "." ")." $dep) ")}}") $}} +{{- if not (eq $res "")}} +WARNING: {{$dep|quote}} is deprecated; use {{$replace|quote}} instead. +{{- end }} +{{- end }} +{{- + $failDeps := dict + "telemetry.v2.prometheus.configOverride" + "telemetry.v2.stackdriver.configOverride" + "telemetry.v2.stackdriver.disableOutbound" + "telemetry.v2.stackdriver.outboundAccessLogging" + "global.tracer.stackdriver.debug" "meshConfig.defaultConfig.tracing.stackdriver.debug" + "global.tracer.stackdriver.maxNumberOfAttributes" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAttributes" + "global.tracer.stackdriver.maxNumberOfAnnotations" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAnnotations" + "global.tracer.stackdriver.maxNumberOfMessageEvents" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfMessageEvents" + "meshConfig.defaultConfig.tracing.stackdriver.debug" "Istio supported tracers" + "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAttributes" "Istio supported tracers" + "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAnnotations" "Istio supported tracers" + "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfMessageEvents" "Istio supported tracers" +}} +{{- range $dep, $replace := $failDeps }} +{{- /* Complex logic to turn the string above into a null-safe traversal like ((.Values.global).certificates */}} +{{- $res := tpl (print "{{" (repeat (split "." $dep | len) "(") ".Values." (replace "." ")." $dep) ")}}") $}} +{{- if not (eq $res "")}} +{{fail (print $dep " is removed")}} +{{- end }} +{{- end }} +{{- if eq $.Values.global.pilotCertProvider "kubernetes" }} +{{- fail "pilotCertProvider=kubernetes is not supported" }} +{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/_helpers.tpl new file mode 100644 index 0000000000..042c92538d --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/_helpers.tpl @@ -0,0 +1,23 @@ +{{/* Default Prometheus is enabled if its enabled and there are no config overrides set */}} +{{ define "default-prometheus" }} +{{- and + (not .Values.meshConfig.defaultProviders) + .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.prometheus.enabled +}} +{{- end }} + +{{/* SD has metrics and logging split. Default metrics are enabled if SD is enabled */}} +{{ define "default-sd-metrics" }} +{{- and + (not .Values.meshConfig.defaultProviders) + .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled +}} +{{- end }} + +{{/* SD has metrics and logging split. */}} +{{ define "default-sd-logs" }} +{{- and + (not .Values.meshConfig.defaultProviders) + .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled +}} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/autoscale.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/autoscale.yaml new file mode 100644 index 0000000000..09cd6258ce --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/autoscale.yaml @@ -0,0 +1,43 @@ +# Not created if istiod is running remotely +{{- if not .Values.istiodRemote.enabled }} +{{- if and .Values.autoscaleEnabled .Values.autoscaleMin .Values.autoscaleMax }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +spec: + maxReplicas: {{ .Values.autoscaleMax }} + minReplicas: {{ .Values.autoscaleMin }} + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + metrics: + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.cpu.targetAverageUtilization }} + {{- if .Values.memory.targetAverageUtilization }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.memory.targetAverageUtilization }} + {{- end }} + {{- if .Values.autoscaleBehavior }} + behavior: {{ toYaml .Values.autoscaleBehavior | nindent 4 }} + {{- end }} +--- +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/clusterrole.yaml new file mode 100644 index 0000000000..691e03cf96 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/clusterrole.yaml @@ -0,0 +1,212 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} +{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +rules: + # sidecar injection controller + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update", "patch"] + + # configuration validation webhook controller + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update"] + + # istio configuration + # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382) + # please proceed with caution + - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] + verbs: ["get", "watch", "list"] + resources: ["*"] +{{- if .Values.global.istiod.enableAnalysis }} + - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] + verbs: ["update", "patch"] + resources: + - authorizationpolicies/status + - destinationrules/status + - envoyfilters/status + - gateways/status + - peerauthentications/status + - proxyconfigs/status + - requestauthentications/status + - serviceentries/status + - sidecars/status + - telemetries/status + - virtualservices/status + - wasmplugins/status + - workloadentries/status + - workloadgroups/status +{{- end }} + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "workloadentries" ] + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "workloadentries/status", "serviceentries/status" ] + - apiGroups: ["security.istio.io"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "authorizationpolicies/status" ] + - apiGroups: [""] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "services/status" ] + + # auto-detect installed CRD definitions + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch"] + + # discovery and routing + - apiGroups: [""] + resources: ["pods", "nodes", "services", "namespaces", "endpoints"] + verbs: ["get", "list", "watch"] + - apiGroups: ["discovery.k8s.io"] + resources: ["endpointslices"] + verbs: ["get", "list", "watch"] + +{{- if .Values.taint.enabled }} + - apiGroups: [""] + resources: ["nodes"] + verbs: ["patch"] +{{- end }} + + # ingress controller +{{- if .Values.global.istiod.enableAnalysis }} + - apiGroups: ["extensions", "networking.k8s.io"] + resources: ["ingresses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["extensions", "networking.k8s.io"] + resources: ["ingresses/status"] + verbs: ["*"] +{{- end}} + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses", "ingressclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses/status"] + verbs: ["*"] + + # required for CA's namespace controller + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["create", "get", "list", "watch", "update"] + + # Istiod and bootstrap. +{{- $omitCertProvidersForClusterRole := list "istiod" "custom" "none"}} +{{- if or .Values.env.EXTERNAL_CA (not (has .Values.global.pilotCertProvider $omitCertProvidersForClusterRole)) }} + - apiGroups: ["certificates.k8s.io"] + resources: + - "certificatesigningrequests" + - "certificatesigningrequests/approval" + - "certificatesigningrequests/status" + verbs: ["update", "create", "get", "delete", "watch"] + - apiGroups: ["certificates.k8s.io"] + resources: + - "signers" + resourceNames: +{{- range .Values.global.certSigners }} + - {{ . | quote }} +{{- end }} + verbs: ["approve"] +{{- end}} +{{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + - apiGroups: ["certificates.k8s.io"] + resources: ["clustertrustbundles"] + verbs: ["update", "create", "delete"] + - apiGroups: ["certificates.k8s.io"] + resources: ["signers"] + resourceNames: ["istio.io/istiod-ca"] + verbs: ["attest"] +{{- end }} + + # Used by Istiod to verify the JWT tokens + - apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] + + # Used by Istiod to verify gateway SDS + - apiGroups: ["authorization.k8s.io"] + resources: ["subjectaccessreviews"] + verbs: ["create"] + + # Use for Kubernetes Service APIs + - apiGroups: ["gateway.networking.k8s.io", "gateway.networking.x-k8s.io"] + resources: ["*"] + verbs: ["get", "watch", "list"] + - apiGroups: ["gateway.networking.x-k8s.io"] + resources: + - xbackendtrafficpolicies/status + verbs: ["update", "patch"] + - apiGroups: ["gateway.networking.k8s.io"] + resources: + - backendtlspolicies/status + - gatewayclasses/status + - gateways/status + - grpcroutes/status + - httproutes/status + - referencegrants/status + - tcproutes/status + - tlsroutes/status + - udproutes/status + verbs: ["update", "patch"] + - apiGroups: ["gateway.networking.k8s.io"] + resources: ["gatewayclasses"] + verbs: ["create", "update", "patch", "delete"] + - apiGroups: ["inference.networking.x-k8s.io"] + resources: ["inferencepools"] + verbs: ["get", "watch", "list"] + - apiGroups: ["inference.networking.x-k8s.io"] + resources: ["inferencepools/status"] + verbs: ["update", "patch"] + + # Needed for multicluster secret reading, possibly ingress certs in the future + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "watch", "list"] + + # Used for MCS serviceexport management + - apiGroups: ["{{ $mcsAPIGroup }}"] + resources: ["serviceexports"] + verbs: [ "get", "watch", "list", "create", "delete"] + + # Used for MCS serviceimport management + - apiGroups: ["{{ $mcsAPIGroup }}"] + resources: ["serviceimports"] + verbs: ["get", "watch", "list"] +--- +{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +rules: + - apiGroups: ["apps"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "deployments" ] + - apiGroups: ["autoscaling"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "horizontalpodautoscalers" ] + - apiGroups: ["policy"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "poddisruptionbudgets" ] + - apiGroups: [""] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "services" ] + - apiGroups: [""] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "serviceaccounts"] +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..10781b4079 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/clusterrolebinding.yaml @@ -0,0 +1,40 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} +subjects: + - kind: ServiceAccount + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} +--- +{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} +subjects: +- kind: ServiceAccount + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/configmap-jwks.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/configmap-jwks.yaml new file mode 100644 index 0000000000..3505d28229 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/configmap-jwks.yaml @@ -0,0 +1,18 @@ +# Not created if istiod is running remotely +{{- if not .Values.istiodRemote.enabled }} +{{- if .Values.jwksResolverExtraRootCA }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +data: + extra.pem: {{ .Values.jwksResolverExtraRootCA | quote }} +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/configmap-values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/configmap-values.yaml new file mode 100644 index 0000000000..75e6e0bcc6 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/configmap-values.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: values{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + annotations: + kubernetes.io/description: This ConfigMap contains the Helm values used during chart rendering. This ConfigMap is rendered for debugging purposes and external tooling; modifying these values has no effect. + labels: + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +data: + original-values: |- +{{ .Values._original | toPrettyJson | indent 4 }} +{{- $_ := unset $.Values "_original" }} + merged-values: |- +{{ .Values | toPrettyJson | indent 4 }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/configmap.yaml new file mode 100644 index 0000000000..3098d300fd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/configmap.yaml @@ -0,0 +1,106 @@ +{{- define "mesh" }} + # The trust domain corresponds to the trust root of a system. + # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain + trustDomain: "cluster.local" + + # The namespace to treat as the administrative root namespace for Istio configuration. + # When processing a leaf namespace Istio will search for declarations in that namespace first + # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace + # is processed as if it were declared in the leaf namespace. + rootNamespace: {{ .Values.meshConfig.rootNamespace | default .Values.global.istioNamespace }} + + {{ $prom := include "default-prometheus" . | eq "true" }} + {{ $sdMetrics := include "default-sd-metrics" . | eq "true" }} + {{ $sdLogs := include "default-sd-logs" . | eq "true" }} + {{- if or $prom $sdMetrics $sdLogs }} + defaultProviders: + {{- if or $prom $sdMetrics }} + metrics: + {{ if $prom }}- prometheus{{ end }} + {{ if and $sdMetrics $sdLogs }}- stackdriver{{ end }} + {{- end }} + {{- if and $sdMetrics $sdLogs }} + accessLogging: + - stackdriver + {{- end }} + {{- end }} + + defaultConfig: + {{- if .Values.global.meshID }} + meshId: "{{ .Values.global.meshID }}" + {{- end }} + {{- with (.Values.global.proxy.variant | default .Values.global.variant) }} + image: + imageType: {{. | quote}} + {{- end }} + {{- if not (eq .Values.global.proxy.tracer "none") }} + tracing: + {{- if eq .Values.global.proxy.tracer "lightstep" }} + lightstep: + # Address of the LightStep Satellite pool + address: {{ .Values.global.tracer.lightstep.address }} + # Access Token used to communicate with the Satellite pool + accessToken: {{ .Values.global.tracer.lightstep.accessToken }} + {{- else if eq .Values.global.proxy.tracer "zipkin" }} + zipkin: + # Address of the Zipkin collector + address: {{ ((.Values.global.tracer).zipkin).address | default (print "zipkin." .Values.global.istioNamespace ":9411") }} + {{- else if eq .Values.global.proxy.tracer "datadog" }} + datadog: + # Address of the Datadog Agent + address: {{ ((.Values.global.tracer).datadog).address | default "$(HOST_IP):8126" }} + {{- else if eq .Values.global.proxy.tracer "stackdriver" }} + stackdriver: + # enables trace output to stdout. + debug: {{ (($.Values.global.tracer).stackdriver).debug | default "false" }} + # The global default max number of attributes per span. + maxNumberOfAttributes: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAttributes | default "200" }} + # The global default max number of annotation events per span. + maxNumberOfAnnotations: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAnnotations | default "200" }} + # The global default max number of message events per span. + maxNumberOfMessageEvents: {{ (($.Values.global.tracer).stackdriver).maxNumberOfMessageEvents | default "200" }} + {{- end }} + {{- end }} + {{- if .Values.global.remotePilotAddress }} + discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012 + {{- else }} + discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012 + {{- end }} +{{- end }} + +{{/* We take the mesh config above, defined with individual values.yaml, and merge with .Values.meshConfig */}} +{{/* The intent here is that meshConfig.foo becomes the API, rather than re-inventing the API in values.yaml */}} +{{- $originalMesh := include "mesh" . | fromYaml }} +{{- $mesh := mergeOverwrite $originalMesh .Values.meshConfig }} + +{{- if .Values.configMap }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +data: + + # Configuration file for the mesh networks to be used by the Split Horizon EDS. + meshNetworks: |- + {{- if .Values.global.meshNetworks }} + networks: +{{ toYaml .Values.global.meshNetworks | trim | indent 6 }} + {{- else }} + networks: {} + {{- end }} + + mesh: |- +{{- if .Values.meshConfig }} +{{ $mesh | toYaml | indent 4 }} +{{- else }} +{{- include "mesh" . }} +{{- end }} +--- +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/deployment.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/deployment.yaml new file mode 100644 index 0000000000..cf82b21e96 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/deployment.yaml @@ -0,0 +1,308 @@ +# Not created if istiod is running remotely +{{- if not .Values.istiodRemote.enabled }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + istio: pilot + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +{{- range $key, $val := .Values.deploymentLabels }} + {{ $key }}: "{{ $val }}" +{{- end }} +spec: +{{- if not .Values.autoscaleEnabled }} +{{- if .Values.replicaCount }} + replicas: {{ .Values.replicaCount }} +{{- end }} +{{- end }} + strategy: + rollingUpdate: + maxSurge: {{ .Values.rollingMaxSurge }} + maxUnavailable: {{ .Values.rollingMaxUnavailable }} + selector: + matchLabels: + {{- if ne .Values.revision "" }} + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + {{- else }} + istio: pilot + {{- end }} + template: + metadata: + labels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + sidecar.istio.io/inject: "false" + operator.istio.io/component: "Pilot" + {{- if ne .Values.revision "" }} + istio: istiod + {{- else }} + istio: pilot + {{- end }} + {{- range $key, $val := .Values.podLabels }} + {{ $key }}: "{{ $val }}" + {{- end }} + istio.io/dataplane-mode: none + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 8 }} + annotations: + prometheus.io/port: "15014" + prometheus.io/scrape: "true" + sidecar.istio.io/inject: "false" + {{- if .Values.podAnnotations }} +{{ toYaml .Values.podAnnotations | indent 8 }} + {{- end }} + spec: +{{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 8 }} +{{- end }} +{{- with .Values.affinity }} + affinity: +{{- toYaml . | nindent 8 }} +{{- end }} + tolerations: + - key: cni.istio.io/not-ready + operator: "Exists" +{{- with .Values.tolerations }} +{{- toYaml . | nindent 8 }} +{{- end }} +{{- with .Values.topologySpreadConstraints }} + topologySpreadConstraints: +{{- toYaml . | nindent 8 }} +{{- end }} + serviceAccountName: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} +{{- if .Values.global.priorityClassName }} + priorityClassName: "{{ .Values.global.priorityClassName }}" +{{- end }} +{{- with .Values.initContainers }} + initContainers: + {{- tpl (toYaml .) $ | nindent 8 }} +{{- end }} + containers: + - name: discovery +{{- if contains "/" .Values.image }} + image: "{{ .Values.image }}" +{{- else }} + image: "{{ .Values.hub | default .Values.global.hub }}/{{ .Values.image | default "pilot" }}:{{ .Values.tag | default .Values.global.tag }}{{with (.Values.variant | default .Values.global.variant)}}-{{.}}{{end}}" +{{- end }} +{{- if .Values.global.imagePullPolicy }} + imagePullPolicy: {{ .Values.global.imagePullPolicy }} +{{- end }} + args: + - "discovery" + - --monitoringAddr=:15014 +{{- if .Values.global.logging.level }} + - --log_output_level={{ .Values.global.logging.level }} +{{- end}} +{{- if .Values.global.logAsJson }} + - --log_as_json +{{- end }} + - --domain + - {{ .Values.global.proxy.clusterDomain }} +{{- if .Values.taint.namespace }} + - --cniNamespace={{ .Values.taint.namespace }} +{{- end }} + - --keepaliveMaxServerConnectionAge + - "{{ .Values.keepaliveMaxServerConnectionAge }}" +{{- if .Values.extraContainerArgs }} + {{- with .Values.extraContainerArgs }} + {{- toYaml . | nindent 10 }} + {{- end }} +{{- end }} + ports: + - containerPort: 8080 + protocol: TCP + name: http-debug + - containerPort: 15010 + protocol: TCP + name: grpc-xds + - containerPort: 15012 + protocol: TCP + name: tls-xds + - containerPort: 15017 + protocol: TCP + name: https-webhooks + - containerPort: 15014 + protocol: TCP + name: http-monitoring + readinessProbe: + httpGet: + path: /ready + port: 8080 + initialDelaySeconds: 1 + periodSeconds: 3 + timeoutSeconds: 5 + env: + - name: REVISION + value: "{{ .Values.revision | default `default` }}" + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.serviceAccountName + - name: KUBECONFIG + value: /var/run/secrets/remote/config + # If you explicitly told us where ztunnel lives, use that. + # Otherwise, assume it lives in our namespace + # Also, check for an explicit ENV override (legacy approach) and prefer that + # if present + {{ $ztTrustedNS := or .Values.trustedZtunnelNamespace .Release.Namespace }} + {{ $ztTrustedName := or .Values.trustedZtunnelName "ztunnel" }} + {{- if not .Values.env.CA_TRUSTED_NODE_ACCOUNTS }} + - name: CA_TRUSTED_NODE_ACCOUNTS + value: "{{ $ztTrustedNS }}/{{ $ztTrustedName }}" + {{- end }} + {{- if .Values.env }} + {{- range $key, $val := .Values.env }} + - name: {{ $key }} + value: "{{ $val }}" + {{- end }} + {{- end }} + {{- with .Values.envVarFrom }} + {{- toYaml . | nindent 10 }} + {{- end }} +{{- if .Values.traceSampling }} + - name: PILOT_TRACE_SAMPLING + value: "{{ .Values.traceSampling }}" +{{- end }} +# If externalIstiod is set via Values.Global, then enable the pilot env variable. However, if it's set via Values.pilot.env, then +# don't set it here to avoid duplication. +# TODO (nshankar13): Move from Helm chart to code: https://github.com/istio/istio/issues/52449 +{{- if and .Values.global.externalIstiod (not (and .Values.env .Values.env.EXTERNAL_ISTIOD)) }} + - name: EXTERNAL_ISTIOD + value: "{{ .Values.global.externalIstiod }}" +{{- end }} +{{- if .Values.global.trustBundleName }} + - name: PILOT_CA_CERT_CONFIGMAP + value: "{{ .Values.global.trustBundleName }}" +{{- end }} + - name: PILOT_ENABLE_ANALYSIS + value: "{{ .Values.global.istiod.enableAnalysis }}" + - name: CLUSTER_ID + value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}" + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + divisor: "1" + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + divisor: "1" + - name: PLATFORM + value: "{{ coalesce .Values.global.platform .Values.platform }}" + resources: +{{- if .Values.resources }} +{{ toYaml .Values.resources | trim | indent 12 }} +{{- else }} +{{ toYaml .Values.global.defaultResources | trim | indent 12 }} +{{- end }} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL +{{- if .Values.seccompProfile }} + seccompProfile: +{{ toYaml .Values.seccompProfile | trim | indent 14 }} +{{- end }} + volumeMounts: + - name: istio-token + mountPath: /var/run/secrets/tokens + readOnly: true + - name: local-certs + mountPath: /var/run/secrets/istio-dns + - name: cacerts + mountPath: /etc/cacerts + readOnly: true + - name: istio-kubeconfig + mountPath: /var/run/secrets/remote + readOnly: true + {{- if .Values.jwksResolverExtraRootCA }} + - name: extracacerts + mountPath: /cacerts + {{- end }} + - name: istio-csr-dns-cert + mountPath: /var/run/secrets/istiod/tls + readOnly: true + - name: istio-csr-ca-configmap + mountPath: /var/run/secrets/istiod/ca + readOnly: true + {{- with .Values.volumeMounts }} + {{- toYaml . | nindent 10 }} + {{- end }} + volumes: + # Technically not needed on this pod - but it helps debugging/testing SDS + # Should be removed after everything works. + - emptyDir: + medium: Memory + name: local-certs + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: {{ .Values.global.sds.token.aud }} + expirationSeconds: 43200 + path: istio-token + # Optional: user-generated root + - name: cacerts + secret: + secretName: cacerts + optional: true + - name: istio-kubeconfig + secret: + secretName: istio-kubeconfig + optional: true + # Optional: istio-csr dns pilot certs + - name: istio-csr-dns-cert + secret: + secretName: istiod-tls + optional: true + - name: istio-csr-ca-configmap + {{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:root-cert + path: root-cert.pem + optional: true + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + defaultMode: 420 + optional: true + {{- end }} + {{- if .Values.jwksResolverExtraRootCA }} + - name: extracacerts + configMap: + name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- end }} + {{- with .Values.volumes }} + {{- toYaml . | nindent 6}} + {{- end }} + +--- +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/gateway-class-configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/gateway-class-configmap.yaml new file mode 100644 index 0000000000..6b23d716a4 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/gateway-class-configmap.yaml @@ -0,0 +1,20 @@ +{{ range $key, $value := .Values.gatewayClasses }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-{{ $.Values.revision | default "default" }}-gatewayclass-{{$key}} + namespace: {{ $.Release.Namespace }} + labels: + istio.io/rev: {{ $.Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + release: {{ $.Release.Name }} + app.kubernetes.io/name: "istiod" + gateway.istio.io/defaults-for-class: {{$key|quote}} + {{- include "istio.labels" $ | nindent 4 }} +data: +{{ range $kind, $overlay := $value }} + {{$kind}}: | +{{$overlay|toYaml|trim|indent 4}} +{{ end }} +--- +{{ end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/istiod-injector-configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/istiod-injector-configmap.yaml new file mode 100644 index 0000000000..171aff8861 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/istiod-injector-configmap.yaml @@ -0,0 +1,81 @@ +{{- if not .Values.global.omitSidecarInjectorConfigMap }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +data: +{{/* Scope the values to just top level fields used in the template, to reduce the size. */}} + values: |- +{{ $vals := pick .Values "global" "sidecarInjectorWebhook" "revision" -}} +{{ $pilotVals := pick .Values "cni" "env" -}} +{{ $vals = set $vals "pilot" $pilotVals -}} +{{ $gatewayVals := pick .Values.gateways "securityContext" "seccompProfile" -}} +{{ $vals = set $vals "gateways" $gatewayVals -}} +{{ $vals | toPrettyJson | indent 4 }} + + # To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching + # and istiod webhook functionality. + # + # New fields should not use Values - it is a 'primary' config object, users should be able + # to fine tune it or use it with kube-inject. + config: |- + # defaultTemplates defines the default template to use for pods that do not explicitly specify a template + {{- if .Values.sidecarInjectorWebhook.defaultTemplates }} + defaultTemplates: +{{- range .Values.sidecarInjectorWebhook.defaultTemplates}} + - {{ . }} +{{- end }} + {{- else }} + defaultTemplates: [sidecar] + {{- end }} + policy: {{ .Values.global.proxy.autoInject }} + alwaysInjectSelector: +{{ toYaml .Values.sidecarInjectorWebhook.alwaysInjectSelector | trim | indent 6 }} + neverInjectSelector: +{{ toYaml .Values.sidecarInjectorWebhook.neverInjectSelector | trim | indent 6 }} + injectedAnnotations: + {{- range $key, $val := .Values.sidecarInjectorWebhook.injectedAnnotations }} + "{{ $key }}": {{ $val | quote }} + {{- end }} + {{- /* If someone ends up with this new template, but an older Istiod image, they will attempt to render this template + which will fail with "Pod injection failed: template: inject:1: function "Istio_1_9_Required_Template_And_Version_Mismatched" not defined". + This should make it obvious that their installation is broken. + */}} + template: {{ `{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}` | quote }} + templates: +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "sidecar") }} + sidecar: | +{{ .Files.Get "files/injection-template.yaml" | trim | indent 8 }} +{{- end }} +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "gateway") }} + gateway: | +{{ .Files.Get "files/gateway-injection-template.yaml" | trim | indent 8 }} +{{- end }} +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-simple") }} + grpc-simple: | +{{ .Files.Get "files/grpc-simple.yaml" | trim | indent 8 }} +{{- end }} +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-agent") }} + grpc-agent: | +{{ .Files.Get "files/grpc-agent.yaml" | trim | indent 8 }} +{{- end }} +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "waypoint") }} + waypoint: | +{{ .Files.Get "files/waypoint.yaml" | trim | indent 8 }} +{{- end }} +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "kube-gateway") }} + kube-gateway: | +{{ .Files.Get "files/kube-gateway.yaml" | trim | indent 8 }} +{{- end }} +{{- with .Values.sidecarInjectorWebhook.templates }} +{{ toYaml . | trim | indent 6 }} +{{- end }} + +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/mutatingwebhook.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/mutatingwebhook.yaml new file mode 100644 index 0000000000..22160f70a0 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/mutatingwebhook.yaml @@ -0,0 +1,164 @@ +# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that. +{{- /* Core defines the common configuration used by all webhook segments */}} +{{/* Copy just what we need to avoid expensive deepCopy */}} +{{- $whv := dict + "revision" .Values.revision + "injectionPath" .Values.istiodRemote.injectionPath + "injectionURL" .Values.istiodRemote.injectionURL + "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy + "caBundle" .Values.istiodRemote.injectionCABundle + "namespace" .Release.Namespace }} +{{- define "core" }} +{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign +a unique prefix to each. */}} +- name: {{.Prefix}}sidecar-injector.istio.io + clientConfig: + {{- if .injectionURL }} + url: "{{ .injectionURL }}" + {{- else }} + service: + name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} + namespace: {{ .namespace }} + path: "{{ .injectionPath }}" + port: 443 + {{- end }} + {{- if .caBundle }} + caBundle: "{{ .caBundle }}" + {{- end }} + sideEffects: None + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + reinvocationPolicy: "{{ .reinvocationPolicy }}" + admissionReviewVersions: ["v1"] +{{- end }} +{{- /* Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) */}} +{{- if not .Values.global.operatorManageWebhooks }} +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: +{{- if eq .Release.Namespace "istio-system"}} + name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} +{{- else }} + name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} +{{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app: sidecar-injector + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +{{- if $.Values.sidecarInjectorWebhookAnnotations }} + annotations: +{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }} +{{- end }} +webhooks: +{{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}} + +{{- /* Case 1: namespace selector matches, and object doesn't disable */}} +{{- /* Note: if both revision and legacy selector, we give precedence to the legacy one */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + {{- if (eq .Values.revision "") }} + - "default" + {{- else }} + - "{{ .Values.revision }}" + {{- end }} + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + +{{- /* Case 2: No namespace selector, but object selects our revision (and doesn't disable) */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: DoesNotExist + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + - key: istio.io/rev + operator: In + values: + {{- if (eq .Values.revision "") }} + - "default" + {{- else }} + - "{{ .Values.revision }}" + {{- end }} + + +{{- /* Webhooks for default revision */}} +{{- if (eq .Values.revision "") }} + +{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: In + values: + - enabled + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + +{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: In + values: + - "true" + - key: istio.io/rev + operator: DoesNotExist + +{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }} +{{- /* Special case 3: no labels at all */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + - key: "kubernetes.io/metadata.name" + operator: "NotIn" + values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist +{{- end }} + +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/networkpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/networkpolicy.yaml new file mode 100644 index 0000000000..bcc1594d97 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/networkpolicy.yaml @@ -0,0 +1,45 @@ +{{- if (.Values.global.networkPolicy).enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + istio: pilot + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + policyTypes: + - Ingress + - Egress + ingress: + # Webhook from kube-apiserver + - from: [] + ports: + - protocol: TCP + port: 15017 + # xDS from potentially anywhere + - from: [] + ports: + - protocol: TCP + port: 15010 + - protocol: TCP + port: 15011 + - protocol: TCP + port: 15012 + - protocol: TCP + port: 8080 + - protocol: TCP + port: 15014 + # Allow all egress (needed because features like JWKS require connections to user-defined endpoints) + egress: + - {} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/poddisruptionbudget.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/poddisruptionbudget.yaml new file mode 100644 index 0000000000..1eacf16e69 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/poddisruptionbudget.yaml @@ -0,0 +1,29 @@ +# Not created if istiod is running remotely +{{- if not .Values.istiodRemote.enabled }} +{{- if .Values.global.defaultPodDisruptionBudget.enabled }} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + release: {{ .Release.Name }} + istio: pilot + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +spec: + minAvailable: 1 + selector: + matchLabels: + app: istiod + {{- if ne .Values.revision "" }} + istio.io/rev: {{ .Values.revision | quote }} + {{- else }} + istio: pilot + {{- end }} +--- +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/reader-clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/reader-clusterrole.yaml new file mode 100644 index 0000000000..4707c7e9f0 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/reader-clusterrole.yaml @@ -0,0 +1,64 @@ +{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istio-reader + release: {{ .Release.Name }} + app.kubernetes.io/name: "istio-reader" + {{- include "istio.labels" . | nindent 4 }} +rules: + - apiGroups: + - "config.istio.io" + - "security.istio.io" + - "networking.istio.io" + - "authentication.istio.io" + - "rbac.istio.io" + - "telemetry.istio.io" + - "extensions.istio.io" + resources: ["*"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + # TODO(keithmattix): See if we can conditionally give permission to read secrets and configmaps iff externalIstiod + # is enabled. Best I can tell, these two resources are only needed for configuring proxy TLS (i.e. CA certs). + resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets", "configmaps"] + verbs: ["get", "list", "watch"] + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list" ] + resources: [ "workloadentries" ] + - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] + resources: ["gateways"] + verbs: ["get", "watch", "list"] + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch"] + - apiGroups: ["discovery.k8s.io"] + resources: ["endpointslices"] + verbs: ["get", "list", "watch"] + - apiGroups: ["{{ $mcsAPIGroup }}"] + resources: ["serviceexports"] + verbs: ["get", "list", "watch", "create", "delete"] + - apiGroups: ["{{ $mcsAPIGroup }}"] + resources: ["serviceimports"] + verbs: ["get", "list", "watch"] + - apiGroups: ["apps"] + resources: ["replicasets"] + verbs: ["get", "list", "watch"] + - apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] + - apiGroups: ["authorization.k8s.io"] + resources: ["subjectaccessreviews"] + verbs: ["create"] +{{- if .Values.istiodRemote.enabled }} + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["create", "get", "list", "watch", "update"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update"] +{{- end}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/reader-clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/reader-clusterrolebinding.yaml new file mode 100644 index 0000000000..aea9f01f7a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/reader-clusterrolebinding.yaml @@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istio-reader + release: {{ .Release.Name }} + app.kubernetes.io/name: "istio-reader" + {{- include "istio.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} +subjects: + - kind: ServiceAccount + name: istio-reader-service-account + namespace: {{ .Values.global.istioNamespace }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/remote-istiod-endpoints.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/remote-istiod-endpoints.yaml new file mode 100644 index 0000000000..a6de571da5 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/remote-istiod-endpoints.yaml @@ -0,0 +1,25 @@ +# This file is only used for remote `istiod` installs. +{{- if .Values.istiodRemote.enabled }} +# if the remotePilotAddress is an IP addr +{{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }} +apiVersion: v1 +kind: Endpoints +metadata: + name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +subsets: +- addresses: + - ip: {{ .Values.global.remotePilotAddress }} + ports: + - port: 15012 + name: tcp-istiod + protocol: TCP + - port: 15017 + name: tcp-webhook + protocol: TCP +--- +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/remote-istiod-service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/remote-istiod-service.yaml new file mode 100644 index 0000000000..d3f872f74b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/remote-istiod-service.yaml @@ -0,0 +1,35 @@ +# This file is only used for remote `istiod` installs. +{{- if .Values.global.remotePilotAddress }} +apiVersion: v1 +kind: Service +metadata: + name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: "istiod" + {{ include "istio.labels" . | nindent 4 }} +spec: + ports: + - port: 15012 + name: tcp-istiod + protocol: TCP + - port: 443 + targetPort: 15017 + name: tcp-webhook + protocol: TCP + {{- if and .Values.global.remotePilotAddress (not (regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress)) }} + # if the remotePilotAddress is not an IP addr, we use ExternalName + type: ExternalName + externalName: {{ .Values.global.remotePilotAddress }} + {{- end }} +{{- if .Values.global.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.global.ipFamilyPolicy }} +{{- end }} +{{- if .Values.global.ipFamilies }} + ipFamilies: +{{- range .Values.global.ipFamilies }} + - {{ . }} +{{- end }} +{{- end }} +--- +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/revision-tags.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/revision-tags.yaml new file mode 100644 index 0000000000..e45b5e1d49 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/revision-tags.yaml @@ -0,0 +1,148 @@ +# Adapted from istio-discovery/templates/mutatingwebhook.yaml +# Removed paths for legacy and default selectors since a revision tag +# is inherently created from a specific revision +# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that. +{{- $whv := dict + "revision" .Values.revision + "injectionPath" .Values.istiodRemote.injectionPath + "injectionURL" .Values.istiodRemote.injectionURL + "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy + "namespace" .Release.Namespace }} +{{- define "core" }} +{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign +a unique prefix to each. */}} +- name: {{.Prefix}}sidecar-injector.istio.io + clientConfig: + {{- if .injectionURL }} + url: "{{ .injectionURL }}" + {{- else }} + service: + name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} + namespace: {{ .namespace }} + path: "{{ .injectionPath }}" + port: 443 + {{- end }} + sideEffects: None + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + reinvocationPolicy: "{{ .reinvocationPolicy }}" + admissionReviewVersions: ["v1"] +{{- end }} +{{- range $tagName := $.Values.revisionTags }} +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: +{{- if eq $.Release.Namespace "istio-system"}} + name: istio-revision-tag-{{ $tagName }} +{{- else }} + name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }} +{{- end }} + labels: + istio.io/tag: {{ $tagName }} + istio.io/rev: {{ $.Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app: sidecar-injector + release: {{ $.Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" $ | nindent 4 }} +{{- if $.Values.sidecarInjectorWebhookAnnotations }} + annotations: +{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }} +{{- end }} +webhooks: +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + - "{{ $tagName }}" + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: DoesNotExist + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + - key: istio.io/rev + operator: In + values: + - "{{ $tagName }}" + +{{- /* When the tag is "default" we want to create webhooks for the default revision */}} +{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}} +{{- if (eq $tagName "default") }} + +{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: In + values: + - enabled + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + +{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: In + values: + - "true" + - key: istio.io/rev + operator: DoesNotExist + +{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }} +{{- /* Special case 3: no labels at all */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + - key: "kubernetes.io/metadata.name" + operator: "NotIn" + values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist +{{- end }} + +{{- end }} +--- +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/role.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/role.yaml new file mode 100644 index 0000000000..10d89e8d1b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/role.yaml @@ -0,0 +1,35 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +rules: +# permissions to verify the webhook is ready and rejecting +# invalid config. We use --server-dry-run so no config is persisted. +- apiGroups: ["networking.istio.io"] + verbs: ["create"] + resources: ["gateways"] + +# For storing CA secret +- apiGroups: [""] + resources: ["secrets"] + # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config + verbs: ["create", "get", "watch", "list", "update", "delete"] + +# For status controller, so it can delete the distribution report configmap +- apiGroups: [""] + resources: ["configmaps"] + verbs: ["delete"] + +# For gateway deployment controller +- apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "update", "patch", "create"] +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/rolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/rolebinding.yaml new file mode 100644 index 0000000000..a42f4ec442 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/rolebinding.yaml @@ -0,0 +1,21 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} +subjects: + - kind: ServiceAccount + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/service.yaml new file mode 100644 index 0000000000..30d5b89128 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/service.yaml @@ -0,0 +1,54 @@ +# Not created if istiod is running remotely +{{- if not .Values.istiodRemote.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + {{- if .Values.serviceAnnotations }} + annotations: +{{ toYaml .Values.serviceAnnotations | indent 4 }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app: istiod + istio: pilot + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +spec: + ports: + - port: 15010 + name: grpc-xds # plaintext + protocol: TCP + - port: 15012 + name: https-dns # mTLS with k8s-signed cert + protocol: TCP + - port: 443 + name: https-webhook # validation and injection + targetPort: 15017 + protocol: TCP + - port: 15014 + name: http-monitoring # prometheus stats + protocol: TCP + selector: + app: istiod + {{- if ne .Values.revision "" }} + istio.io/rev: {{ .Values.revision | quote }} + {{- else }} + # Label used by the 'default' service. For versioned deployments we match with app and version. + # This avoids default deployment picking the canary + istio: pilot + {{- end }} + {{- if .Values.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.ipFamilyPolicy }} + {{- end }} + {{- if .Values.ipFamilies }} + ipFamilies: + {{- range .Values.ipFamilies }} + - {{ . }} + {{- end }} + {{- end }} +--- +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/serviceaccount.yaml new file mode 100644 index 0000000000..a673a4d078 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/serviceaccount.yaml @@ -0,0 +1,24 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} +apiVersion: v1 +kind: ServiceAccount + {{- if .Values.global.imagePullSecrets }} +imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} + {{- if .Values.serviceAccountAnnotations }} + annotations: +{{- toYaml .Values.serviceAccountAnnotations | nindent 4 }} + {{- end }} +{{- end }} +--- diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/validatingadmissionpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/validatingadmissionpolicy.yaml new file mode 100644 index 0000000000..d36eef68eb --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/validatingadmissionpolicy.yaml @@ -0,0 +1,63 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} +{{- if .Values.experimental.stableValidationPolicy }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicy +metadata: + name: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" + labels: + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +spec: + failurePolicy: Fail + matchConstraints: + resourceRules: + - apiGroups: + - security.istio.io + - networking.istio.io + - telemetry.istio.io + - extensions.istio.io + apiVersions: ["*"] + operations: ["CREATE", "UPDATE"] + resources: ["*"] + objectSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + {{- if (eq .Values.revision "") }} + - "default" + {{- else }} + - "{{ .Values.revision }}" + {{- end }} + variables: + - name: isEnvoyFilter + expression: "object.kind == 'EnvoyFilter'" + - name: isWasmPlugin + expression: "object.kind == 'WasmPlugin'" + - name: isProxyConfig + expression: "object.kind == 'ProxyConfig'" + - name: isTelemetry + expression: "object.kind == 'Telemetry'" + validations: + - expression: "!variables.isEnvoyFilter" + - expression: "!variables.isWasmPlugin" + - expression: "!variables.isProxyConfig" + - expression: | + !( + variables.isTelemetry && ( + (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) || + (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) || + (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter)) + ) + ) +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicyBinding +metadata: + name: "stable-channel-policy-binding{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" +spec: + policyName: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" + validationActions: [Deny] +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/validatingwebhookconfiguration.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/validatingwebhookconfiguration.yaml new file mode 100644 index 0000000000..fb28836a0f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/validatingwebhookconfiguration.yaml @@ -0,0 +1,68 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} +{{- if .Values.global.configValidation }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: istio-validator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} + istio: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +webhooks: + # Webhook handling per-revision validation. Mostly here so we can determine whether webhooks + # are rejecting invalid configs on a per-revision basis. + - name: rev.validation.istio.io + clientConfig: + # Should change from base but cannot for API compat + {{- if .Values.base.validationURL }} + url: {{ .Values.base.validationURL }} + {{- else }} + service: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} + path: "/validate" + {{- end }} + {{- if .Values.base.validationCABundle }} + caBundle: "{{ .Values.base.validationCABundle }}" + {{- end }} + rules: + - operations: + - CREATE + - UPDATE + apiGroups: + - security.istio.io + - networking.istio.io + - telemetry.istio.io + - extensions.istio.io + apiVersions: + - "*" + resources: + - "*" + {{- if .Values.base.validationCABundle }} + # Disable webhook controller in Pilot to stop patching it + failurePolicy: Fail + {{- else }} + # Fail open until the validation webhook is ready. The webhook controller + # will update this to `Fail` and patch in the `caBundle` when the webhook + # endpoint is ready. + failurePolicy: Ignore + {{- end }} + sideEffects: None + admissionReviewVersions: ["v1"] + objectSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + {{- if (eq .Values.revision "") }} + - "default" + {{- else }} + - "{{ .Values.revision }}" + {{- end }} +--- +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/zzy_descope_legacy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/zzy_descope_legacy.yaml new file mode 100644 index 0000000000..ae8fced298 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/zzy_descope_legacy.yaml @@ -0,0 +1,3 @@ +{{/* Copy anything under `.pilot` to `.`, to avoid the need to specify a redundant prefix. +Due to the file naming, this always happens after zzz_profile.yaml */}} +{{- $_ := mustMergeOverwrite $.Values (index $.Values "pilot") }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/zzz_profile.yaml new file mode 100644 index 0000000000..3d84956485 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/templates/zzz_profile.yaml @@ -0,0 +1,75 @@ +{{/* +WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. +The original version of this file is located at /manifests directory. +If you want to make a change in this file, edit the original one and run "make gen". + +Complex logic ahead... +We have three sets of values, in order of precedence (last wins): +1. The builtin values.yaml defaults +2. The profile the user selects +3. Users input (-f or --set) + +Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). + +However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). +We can then merge the profile onto the defaults, then the user settings onto that. +Finally, we can set all of that under .Values so the chart behaves without awareness. +*/}} +{{- if $.Values.defaults}} +{{ fail (cat + "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" + ($.Values.defaults | toYaml |nindent 4) +) }} +{{- end }} +{{- $defaults := $.Values._internal_defaults_do_not_set }} +{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} +{{- $profile := dict }} +{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} +{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} +{{- $profile = (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown profile" .) }} +{{- end }} +{{- end }} +{{- with .Values.compatibilityVersion }} +{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} +{{- end }} +{{- end }} +{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} +{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown platform" .) }} +{{- end }} +{{- end }} +{{- if $profile }} +{{- $a := mustMergeOverwrite $defaults $profile }} +{{- end }} +# Flatten globals, if defined on a per-chart basis +{{- if false }} +{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} +{{- end }} +{{- $x := set $.Values "_original" (deepCopy $.Values) }} +{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} + +{{/* +Labels that should be applied to ALL resources. +*/}} +{{- define "istio.labels" -}} +{{- if .Release.Service -}} +app.kubernetes.io/managed-by: {{ .Release.Service | quote }} +{{- end }} +{{- if .Release.Name }} +app.kubernetes.io/instance: {{ .Release.Name | quote }} +{{- end }} +app.kubernetes.io/part-of: "istio" +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +{{- if and .Chart.Name .Chart.Version }} +helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/values.yaml new file mode 100644 index 0000000000..c9bba2c06c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/istiod/values.yaml @@ -0,0 +1,557 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + autoscaleEnabled: true + autoscaleMin: 1 + autoscaleMax: 5 + autoscaleBehavior: {} + replicaCount: 1 + rollingMaxSurge: 100% + rollingMaxUnavailable: 25% + + hub: "" + tag: "" + variant: "" + + # Can be a full hub/image:tag + image: pilot + traceSampling: 1.0 + + # Resources for a small pilot install + resources: + requests: + cpu: 500m + memory: 2048Mi + + # Set to `type: RuntimeDefault` to use the default profile if available. + seccompProfile: {} + + # Whether to use an existing CNI installation + cni: + enabled: false + provider: default + + # Additional container arguments + extraContainerArgs: [] + + env: {} + + envVarFrom: [] + + # Settings related to the untaint controller + # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready + # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes + taint: + # Controls whether or not the untaint controller is active + enabled: false + # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod + namespace: "" + + affinity: {} + + tolerations: [] + + cpu: + targetAverageUtilization: 80 + memory: {} + # targetAverageUtilization: 80 + + # Additional volumeMounts to the istiod container + volumeMounts: [] + + # Additional volumes to the istiod pod + volumes: [] + + # Inject initContainers into the istiod pod + initContainers: [] + + nodeSelector: {} + podAnnotations: {} + serviceAnnotations: {} + serviceAccountAnnotations: {} + sidecarInjectorWebhookAnnotations: {} + + topologySpreadConstraints: [] + + # You can use jwksResolverExtraRootCA to provide a root certificate + # in PEM format. This will then be trusted by pilot when resolving + # JWKS URIs. + jwksResolverExtraRootCA: "" + + # The following is used to limit how long a sidecar can be connected + # to a pilot. It balances out load across pilot instances at the cost of + # increasing system churn. + keepaliveMaxServerConnectionAge: 30m + + # Additional labels to apply to the deployment. + deploymentLabels: {} + + ## Mesh config settings + + # Install the mesh config map, generated from values.yaml. + # If false, pilot wil use default values (by default) or user-supplied values. + configMap: true + + # Additional labels to apply on the pod level for monitoring and logging configuration. + podLabels: {} + + # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + ipFamilyPolicy: "" + ipFamilies: [] + + # Ambient mode only. + # Set this if you install ztunnel to a different namespace from `istiod`. + # If set, `istiod` will allow connections from trusted node proxy ztunnels + # in the provided namespace. + # If unset, `istiod` will assume the trusted node proxy ztunnel resides + # in the same namespace as itself. + trustedZtunnelNamespace: "" + # Set this if you install ztunnel with a name different from the default. + trustedZtunnelName: "" + + sidecarInjectorWebhook: + # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or + # always skip the injection on pods that match that label selector, regardless of the global policy. + # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions + neverInjectSelector: [] + alwaysInjectSelector: [] + + # injectedAnnotations are additional annotations that will be added to the pod spec after injection + # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations: + # + # annotations: + # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default + # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default + # + # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before + # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify: + # injectedAnnotations: + # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default + # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default + injectedAnnotations: {} + + # This enables injection of sidecar in all namespaces, + # with the exception of namespaces with "istio-injection:disabled" annotation + # Only one environment should have this enabled. + enableNamespacesByDefault: false + + # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run + # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten. + # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur. + reinvocationPolicy: Never + + rewriteAppHTTPProbe: true + + # Templates defines a set of custom injection templates that can be used. For example, defining: + # + # templates: + # hello: | + # metadata: + # labels: + # hello: world + # + # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod + # being injected with the hello=world labels. + # This is intended for advanced configuration only; most users should use the built in template + templates: {} + + # Default templates specifies a set of default templates that are used in sidecar injection. + # By default, a template `sidecar` is always provided, which contains the template of default sidecar. + # To inject other additional templates, define it using the `templates` option, and add it to + # the default templates list. + # For example: + # + # templates: + # hello: | + # metadata: + # labels: + # hello: world + # + # defaultTemplates: ["sidecar", "hello"] + defaultTemplates: [] + istiodRemote: + # If `true`, indicates that this cluster/install should consume a "remote istiod" installation, + # and istiod itself will NOT be installed in this cluster - only the support resources necessary + # to utilize a remote instance. + enabled: false + # Sidecar injector mutating webhook configuration clientConfig.url value. + # For example: https://$remotePilotAddress:15017/inject + # The host should not refer to a service running in the cluster; use a service reference by specifying + # the clientConfig.service field instead. + injectionURL: "" + + # Sidecar injector mutating webhook configuration path value for the clientConfig.service field. + # Override to pass env variables, for example: /inject/cluster/remote/net/network2 + injectionPath: "/inject" + + injectionCABundle: "" + telemetry: + enabled: true + v2: + # For Null VM case now. + # This also enables metadata exchange. + enabled: true + # Indicate if prometheus stats filter is enabled or not + prometheus: + enabled: true + # stackdriver filter settings. + stackdriver: + enabled: false + # Revision is set as 'version' label and part of the resource names when installing multiple control planes. + revision: "" + + # Revision tags are aliases to Istio control plane revisions + revisionTags: [] + + # For Helm compatibility. + ownerName: "" + + # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior + # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options + meshConfig: + enablePrometheusMerge: true + + experimental: + stableValidationPolicy: false + + global: + # Used to locate istiod. + istioNamespace: istio-system + # List of cert-signers to allow "approve" action in the istio cluster role + # + # certSigners: + # - clusterissuers.cert-manager.io/istio-ca + certSigners: [] + # enable pod disruption budget for the control plane, which is used to + # ensure Istio control plane components are gradually upgraded or recovered. + defaultPodDisruptionBudget: + enabled: true + # The values aren't mutable due to a current PodDisruptionBudget limitation + # minAvailable: 1 + + # A minimal set of requested resources to applied to all deployments so that + # Horizontal Pod Autoscaler will be able to function (if set). + # Each component can overwrite these default values by adding its own resources + # block in the relevant section below and setting the desired resources values. + defaultResources: + requests: + cpu: 10m + # memory: 128Mi + # limits: + # cpu: 100m + # memory: 128Mi + + # Default hub for Istio images. + # Releases are published to docker hub under 'istio' project. + # Dev builds from prow are on gcr.io + hub: gcr.io/istio-release + # Default tag for Istio images. + tag: 1.26.2 + # Variant of the image to use. + # Currently supported are: [debug, distroless] + variant: "" + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent. + imagePullPolicy: "" + + # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) + # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + # - private-registry-key + + # Enabled by default in master for maximising testing. + istiod: + enableAnalysis: false + + # To output all istio components logs in json format by adding --log_as_json argument to each container argument + logAsJson: false + + # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: + # The control plane has different scopes depending on component, but can configure default log level across all components + # If empty, default scope and level will be used as configured in code + logging: + level: "default:info" + + # When enabled, default NetworkPolicy resources will be created + networkPolicy: + enabled: false + + omitSidecarInjectorConfigMap: false + + # Configure whether Operator manages webhook configurations. The current behavior + # of Istiod is to manage its own webhook configurations. + # When this option is set as true, Istio Operator, instead of webhooks, manages the + # webhook configurations. When this option is set as false, webhooks manage their + # own webhook configurations. + operatorManageWebhooks: false + + # Custom DNS config for the pod to resolve names of services in other + # clusters. Use this to add additional search domains, and other settings. + # see + # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config + # This does not apply to gateway pods as they typically need a different + # set of DNS settings than the normal application pods (e.g., in + # multicluster scenarios). + # NOTE: If using templates, follow the pattern in the commented example below. + #podDNSSearchNamespaces: + #- global + #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global" + + # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and + # system-node-critical, it is better to configure this in order to make sure your Istio pods + # will not be killed because of low priority class. + # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + # for more detail. + priorityClassName: "" + + proxy: + image: proxyv2 + + # This controls the 'policy' in the sidecar injector. + autoInject: enabled + + # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value + # cluster domain. Default value is "cluster.local". + clusterDomain: "cluster.local" + + # Per Component log level for proxy, applies to gateways and sidecars. If a component level is + # not set, then the global "logLevel" will be used. + componentLogLevel: "misc:error" + + # istio ingress capture allowlist + # examples: + # Redirect only selected ports: --includeInboundPorts="80,8080" + excludeInboundPorts: "" + includeInboundPorts: "*" + + # istio egress capture allowlist + # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly + # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" + # would only capture egress traffic on those two IP Ranges, all other outbound traffic would + # be allowed by the sidecar + includeIPRanges: "*" + excludeIPRanges: "" + includeOutboundPorts: "" + excludeOutboundPorts: "" + + # Log level for proxy, applies to gateways and sidecars. + # Expected values are: trace|debug|info|warning|error|critical|off + logLevel: warning + + # Specify the path to the outlier event log. + # Example: /dev/stdout + outlierLogPath: "" + + #If set to true, istio-proxy container will have privileged securityContext + privileged: false + + # The number of successive failed probes before indicating readiness failure. + readinessFailureThreshold: 4 + + # The initial delay for readiness probes in seconds. + readinessInitialDelaySeconds: 0 + + # The period between readiness probes. + readinessPeriodSeconds: 15 + + # Enables or disables a startup probe. + # For optimal startup times, changing this should be tied to the readiness probe values. + # + # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4. + # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval), + # and doesn't spam the readiness endpoint too much + # + # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30. + # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly. + startupProbe: + enabled: true + failureThreshold: 600 # 10 minutes + + # Resources for the sidecar. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 1024Mi + + # Default port for Pilot agent health checks. A value of 0 will disable health checking. + statusPort: 15020 + + # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none. + # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. + tracer: "none" + + proxy_init: + # Base name for the proxy_init container, used to configure iptables. + image: proxyv2 + # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures. + # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases. + forceApplyIptables: false + + # configure remote pilot and istiod service and endpoint + remotePilotAddress: "" + + ############################################################################################## + # The following values are found in other charts. To effectively modify these values, make # + # make sure they are consistent across your Istio helm charts # + ############################################################################################## + + # The customized CA address to retrieve certificates for the pods in the cluster. + # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. + # If not set explicitly, default to the Istio discovery address. + caAddress: "" + + # Enable control of remote clusters. + externalIstiod: false + + # Configure a remote cluster as the config cluster for an external istiod. + configCluster: false + + # configValidation enables the validation webhook for Istio configuration. + configValidation: true + + # Mesh ID means Mesh Identifier. It should be unique within the scope where + # meshes will interact with each other, but it is not required to be + # globally/universally unique. For example, if any of the following are true, + # then two meshes must have different Mesh IDs: + # - Meshes will have their telemetry aggregated in one place + # - Meshes will be federated together + # - Policy will be written referencing one mesh from the other + # + # If an administrator expects that any of these conditions may become true in + # the future, they should ensure their meshes have different Mesh IDs + # assigned. + # + # Within a multicluster mesh, each cluster must be (manually or auto) + # configured to have the same Mesh ID value. If an existing cluster 'joins' a + # multicluster mesh, it will need to be migrated to the new mesh ID. Details + # of migration TBD, and it may be a disruptive operation to change the Mesh + # ID post-install. + # + # If the mesh admin does not specify a value, Istio will use the value of the + # mesh's Trust Domain. The best practice is to select a proper Trust Domain + # value. + meshID: "" + + # Configure the mesh networks to be used by the Split Horizon EDS. + # + # The following example defines two networks with different endpoints association methods. + # For `network1` all endpoints that their IP belongs to the provided CIDR range will be + # mapped to network1. The gateway for this network example is specified by its public IP + # address and port. + # The second network, `network2`, in this example is defined differently with all endpoints + # retrieved through the specified Multi-Cluster registry being mapped to network2. The + # gateway is also defined differently with the name of the gateway service on the remote + # cluster. The public IP for the gateway will be determined from that remote service (only + # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, + # it still need to be configured manually). + # + # meshNetworks: + # network1: + # endpoints: + # - fromCidr: "192.168.0.1/24" + # gateways: + # - address: 1.1.1.1 + # port: 80 + # network2: + # endpoints: + # - fromRegistry: reg1 + # gateways: + # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local + # port: 443 + # + meshNetworks: {} + + # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. + mountMtlsCerts: false + + multiCluster: + # Set to true to connect two kubernetes clusters via their respective + # ingressgateway services when pods in each cluster cannot directly + # talk to one another. All clusters should be using Istio mTLS and must + # have a shared root CA for this model to work. + enabled: false + # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection + # to properly label proxies + clusterName: "" + + # Network defines the network this cluster belong to. This name + # corresponds to the networks in the map of mesh networks. + network: "" + + # Configure the certificate provider for control plane communication. + # Currently, two providers are supported: "kubernetes" and "istiod". + # As some platforms may not have kubernetes signing APIs, + # Istiod is the default + pilotCertProvider: istiod + + sds: + # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. + # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the + # JWT is intended for the CA. + token: + aud: istio-ca + + sts: + # The service port used by Security Token Service (STS) server to handle token exchange requests. + # Setting this port to a non-zero value enables STS server. + servicePort: 0 + + # The name of the CA for workload certificates. + # For example, when caName=GkeWorkloadCertificate, GKE workload certificates + # will be used as the certificates for workloads. + # The default value is "" and when caName="", the CA will be configured by other + # mechanisms (e.g., environmental variable CA_PROVIDER). + caName: "" + + waypoint: + # Resources for the waypoint proxy. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: "2" + memory: 1Gi + + # If specified, affinity defines the scheduling constraints of waypoint pods. + affinity: {} + + # Topology Spread Constraints for the waypoint proxy. + topologySpreadConstraints: [] + + # Node labels for the waypoint proxy. + nodeSelector: {} + + # Tolerations for the waypoint proxy. + tolerations: [] + + base: + # For istioctl usage to disable istio config crds in base + enableIstioConfigCRDs: true + + # Gateway Settings + gateways: + # Define the security context for the pod. + # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. + # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. + securityContext: {} + + # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it + seccompProfile: {} + + # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass. + # For example: + # gatewayClasses: + # istio: + # service: + # spec: + # type: ClusterIP + # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field. + gatewayClasses: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/Chart.yaml new file mode 100644 index 0000000000..18f8737994 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/Chart.yaml @@ -0,0 +1,8 @@ +apiVersion: v2 +appVersion: 1.26.2 +description: Helm chart for istio revision tags +name: revisiontags +sources: +- https://github.com/istio-ecosystem/sail-operator +version: 0.1.0 + diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-ambient.yaml new file mode 100644 index 0000000000..2805fe46bf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-ambient.yaml @@ -0,0 +1,17 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-compatibility-version-1.23.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-compatibility-version-1.23.yaml new file mode 100644 index 0000000000..dac910ff5b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-compatibility-version-1.23.yaml @@ -0,0 +1,25 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + ENABLE_INBOUND_RETRY_POLICY: "false" + EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" + +ambient: + # Not present in <1.24, defaults to `true` in 1.25+ + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 0000000000..b211c82666 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-compatibility-version-1.24.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + PILOT_ENABLE_IP_AUTOALLOCATE: "false" +ambient: + dnsCapture: false + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..eb8827cd50 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-demo.yaml new file mode 100644 index 0000000000..d6dc36dd0f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-demo.yaml @@ -0,0 +1,94 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The demo profile enables a variety of things to try out Istio in non-production environments. +# * Lower resource utilization. +# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. +# * More ports enabled on the ingress, which is used in some tasks. +meshConfig: + accessLogFile: /dev/stdout + extensionProviders: + - name: otel + envoyOtelAls: + service: opentelemetry-collector.observability.svc.cluster.local + port: 4317 + - name: skywalking + skywalking: + service: tracing.istio-system.svc.cluster.local + port: 11800 + - name: otel-tracing + opentelemetry: + port: 4317 + service: opentelemetry-collector.observability.svc.cluster.local + - name: jaeger + opentelemetry: + port: 4317 + service: jaeger-collector.istio-system.svc.cluster.local + +cni: + resources: + requests: + cpu: 10m + memory: 40Mi + +ztunnel: + resources: + requests: + cpu: 10m + memory: 40Mi + +global: + proxy: + resources: + requests: + cpu: 10m + memory: 40Mi + waypoint: + resources: + requests: + cpu: 10m + memory: 40Mi + +pilot: + autoscaleEnabled: false + traceSampling: 100 + resources: + requests: + cpu: 10m + memory: 100Mi + +gateways: + istio-egressgateway: + autoscaleEnabled: false + resources: + requests: + cpu: 10m + memory: 40Mi + istio-ingressgateway: + autoscaleEnabled: false + ports: + ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. + # Note that AWS ELB will by default perform health checks on the first port + # on this list. Setting this to the health check port will ensure that health + # checks always work. https://github.com/istio/istio/issues/12503 + - port: 15021 + targetPort: 15021 + name: status-port + - port: 80 + targetPort: 8080 + name: http2 + - port: 443 + targetPort: 8443 + name: https + - port: 31400 + targetPort: 31400 + name: tcp + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + resources: + requests: + cpu: 10m + memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-platform-gke.yaml new file mode 100644 index 0000000000..dfe8a7d741 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-platform-gke.yaml @@ -0,0 +1,10 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work + resourceQuotas: + enabled: true +resourceQuotas: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-platform-k3d.yaml new file mode 100644 index 0000000000..cd86d9ec58 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-platform-k3d.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-platform-k3s.yaml new file mode 100644 index 0000000000..07820106d9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-platform-k3s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-platform-microk8s.yaml new file mode 100644 index 0000000000..57d7f5e3cd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-platform-microk8s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/snap/microk8s/current/args/cni-network + cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-platform-minikube.yaml new file mode 100644 index 0000000000..fa9992e204 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-platform-minikube.yaml @@ -0,0 +1,6 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-platform-openshift.yaml new file mode 100644 index 0000000000..8ddc5e1654 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-platform-openshift.yaml @@ -0,0 +1,19 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The OpenShift profile provides a basic set of settings to run Istio on OpenShift +cni: + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + provider: "multus" +pilot: + cni: + enabled: true + provider: "multus" +seLinuxOptions: + type: spc_t +# Openshift requires privileged pods to run in kube-system +trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-preview.yaml new file mode 100644 index 0000000000..181d7bda2c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-preview.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +meshConfig: + defaultConfig: + proxyMetadata: + # Enable Istio agent to handle DNS requests for known hosts + # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf + ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-remote.yaml new file mode 100644 index 0000000000..d17b9a801a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-remote.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. +istiodRemote: + enabled: true +configMap: false +telemetry: + enabled: false +global: + # TODO BML maybe a different profile for a configcluster/revisit this + omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-stable.yaml new file mode 100644 index 0000000000..358282e69b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/files/profile-stable.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The stable profile deploys admission control to ensure that only stable resources and fields are used +# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE +experimental: + stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/templates/revision-tags.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/templates/revision-tags.yaml new file mode 100644 index 0000000000..e45b5e1d49 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/templates/revision-tags.yaml @@ -0,0 +1,148 @@ +# Adapted from istio-discovery/templates/mutatingwebhook.yaml +# Removed paths for legacy and default selectors since a revision tag +# is inherently created from a specific revision +# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that. +{{- $whv := dict + "revision" .Values.revision + "injectionPath" .Values.istiodRemote.injectionPath + "injectionURL" .Values.istiodRemote.injectionURL + "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy + "namespace" .Release.Namespace }} +{{- define "core" }} +{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign +a unique prefix to each. */}} +- name: {{.Prefix}}sidecar-injector.istio.io + clientConfig: + {{- if .injectionURL }} + url: "{{ .injectionURL }}" + {{- else }} + service: + name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} + namespace: {{ .namespace }} + path: "{{ .injectionPath }}" + port: 443 + {{- end }} + sideEffects: None + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + reinvocationPolicy: "{{ .reinvocationPolicy }}" + admissionReviewVersions: ["v1"] +{{- end }} +{{- range $tagName := $.Values.revisionTags }} +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: +{{- if eq $.Release.Namespace "istio-system"}} + name: istio-revision-tag-{{ $tagName }} +{{- else }} + name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }} +{{- end }} + labels: + istio.io/tag: {{ $tagName }} + istio.io/rev: {{ $.Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app: sidecar-injector + release: {{ $.Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" $ | nindent 4 }} +{{- if $.Values.sidecarInjectorWebhookAnnotations }} + annotations: +{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }} +{{- end }} +webhooks: +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + - "{{ $tagName }}" + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: DoesNotExist + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + - key: istio.io/rev + operator: In + values: + - "{{ $tagName }}" + +{{- /* When the tag is "default" we want to create webhooks for the default revision */}} +{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}} +{{- if (eq $tagName "default") }} + +{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: In + values: + - enabled + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + +{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: In + values: + - "true" + - key: istio.io/rev + operator: DoesNotExist + +{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }} +{{- /* Special case 3: no labels at all */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + - key: "kubernetes.io/metadata.name" + operator: "NotIn" + values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist +{{- end }} + +{{- end }} +--- +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/templates/zzz_profile.yaml new file mode 100644 index 0000000000..3d84956485 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/templates/zzz_profile.yaml @@ -0,0 +1,75 @@ +{{/* +WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. +The original version of this file is located at /manifests directory. +If you want to make a change in this file, edit the original one and run "make gen". + +Complex logic ahead... +We have three sets of values, in order of precedence (last wins): +1. The builtin values.yaml defaults +2. The profile the user selects +3. Users input (-f or --set) + +Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). + +However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). +We can then merge the profile onto the defaults, then the user settings onto that. +Finally, we can set all of that under .Values so the chart behaves without awareness. +*/}} +{{- if $.Values.defaults}} +{{ fail (cat + "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" + ($.Values.defaults | toYaml |nindent 4) +) }} +{{- end }} +{{- $defaults := $.Values._internal_defaults_do_not_set }} +{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} +{{- $profile := dict }} +{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} +{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} +{{- $profile = (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown profile" .) }} +{{- end }} +{{- end }} +{{- with .Values.compatibilityVersion }} +{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} +{{- end }} +{{- end }} +{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} +{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown platform" .) }} +{{- end }} +{{- end }} +{{- if $profile }} +{{- $a := mustMergeOverwrite $defaults $profile }} +{{- end }} +# Flatten globals, if defined on a per-chart basis +{{- if false }} +{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} +{{- end }} +{{- $x := set $.Values "_original" (deepCopy $.Values) }} +{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} + +{{/* +Labels that should be applied to ALL resources. +*/}} +{{- define "istio.labels" -}} +{{- if .Release.Service -}} +app.kubernetes.io/managed-by: {{ .Release.Service | quote }} +{{- end }} +{{- if .Release.Name }} +app.kubernetes.io/instance: {{ .Release.Name | quote }} +{{- end }} +app.kubernetes.io/part-of: "istio" +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +{{- if and .Chart.Name .Chart.Version }} +helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/values.yaml new file mode 100644 index 0000000000..c9bba2c06c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/revisiontags/values.yaml @@ -0,0 +1,557 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + autoscaleEnabled: true + autoscaleMin: 1 + autoscaleMax: 5 + autoscaleBehavior: {} + replicaCount: 1 + rollingMaxSurge: 100% + rollingMaxUnavailable: 25% + + hub: "" + tag: "" + variant: "" + + # Can be a full hub/image:tag + image: pilot + traceSampling: 1.0 + + # Resources for a small pilot install + resources: + requests: + cpu: 500m + memory: 2048Mi + + # Set to `type: RuntimeDefault` to use the default profile if available. + seccompProfile: {} + + # Whether to use an existing CNI installation + cni: + enabled: false + provider: default + + # Additional container arguments + extraContainerArgs: [] + + env: {} + + envVarFrom: [] + + # Settings related to the untaint controller + # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready + # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes + taint: + # Controls whether or not the untaint controller is active + enabled: false + # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod + namespace: "" + + affinity: {} + + tolerations: [] + + cpu: + targetAverageUtilization: 80 + memory: {} + # targetAverageUtilization: 80 + + # Additional volumeMounts to the istiod container + volumeMounts: [] + + # Additional volumes to the istiod pod + volumes: [] + + # Inject initContainers into the istiod pod + initContainers: [] + + nodeSelector: {} + podAnnotations: {} + serviceAnnotations: {} + serviceAccountAnnotations: {} + sidecarInjectorWebhookAnnotations: {} + + topologySpreadConstraints: [] + + # You can use jwksResolverExtraRootCA to provide a root certificate + # in PEM format. This will then be trusted by pilot when resolving + # JWKS URIs. + jwksResolverExtraRootCA: "" + + # The following is used to limit how long a sidecar can be connected + # to a pilot. It balances out load across pilot instances at the cost of + # increasing system churn. + keepaliveMaxServerConnectionAge: 30m + + # Additional labels to apply to the deployment. + deploymentLabels: {} + + ## Mesh config settings + + # Install the mesh config map, generated from values.yaml. + # If false, pilot wil use default values (by default) or user-supplied values. + configMap: true + + # Additional labels to apply on the pod level for monitoring and logging configuration. + podLabels: {} + + # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + ipFamilyPolicy: "" + ipFamilies: [] + + # Ambient mode only. + # Set this if you install ztunnel to a different namespace from `istiod`. + # If set, `istiod` will allow connections from trusted node proxy ztunnels + # in the provided namespace. + # If unset, `istiod` will assume the trusted node proxy ztunnel resides + # in the same namespace as itself. + trustedZtunnelNamespace: "" + # Set this if you install ztunnel with a name different from the default. + trustedZtunnelName: "" + + sidecarInjectorWebhook: + # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or + # always skip the injection on pods that match that label selector, regardless of the global policy. + # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions + neverInjectSelector: [] + alwaysInjectSelector: [] + + # injectedAnnotations are additional annotations that will be added to the pod spec after injection + # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations: + # + # annotations: + # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default + # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default + # + # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before + # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify: + # injectedAnnotations: + # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default + # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default + injectedAnnotations: {} + + # This enables injection of sidecar in all namespaces, + # with the exception of namespaces with "istio-injection:disabled" annotation + # Only one environment should have this enabled. + enableNamespacesByDefault: false + + # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run + # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten. + # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur. + reinvocationPolicy: Never + + rewriteAppHTTPProbe: true + + # Templates defines a set of custom injection templates that can be used. For example, defining: + # + # templates: + # hello: | + # metadata: + # labels: + # hello: world + # + # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod + # being injected with the hello=world labels. + # This is intended for advanced configuration only; most users should use the built in template + templates: {} + + # Default templates specifies a set of default templates that are used in sidecar injection. + # By default, a template `sidecar` is always provided, which contains the template of default sidecar. + # To inject other additional templates, define it using the `templates` option, and add it to + # the default templates list. + # For example: + # + # templates: + # hello: | + # metadata: + # labels: + # hello: world + # + # defaultTemplates: ["sidecar", "hello"] + defaultTemplates: [] + istiodRemote: + # If `true`, indicates that this cluster/install should consume a "remote istiod" installation, + # and istiod itself will NOT be installed in this cluster - only the support resources necessary + # to utilize a remote instance. + enabled: false + # Sidecar injector mutating webhook configuration clientConfig.url value. + # For example: https://$remotePilotAddress:15017/inject + # The host should not refer to a service running in the cluster; use a service reference by specifying + # the clientConfig.service field instead. + injectionURL: "" + + # Sidecar injector mutating webhook configuration path value for the clientConfig.service field. + # Override to pass env variables, for example: /inject/cluster/remote/net/network2 + injectionPath: "/inject" + + injectionCABundle: "" + telemetry: + enabled: true + v2: + # For Null VM case now. + # This also enables metadata exchange. + enabled: true + # Indicate if prometheus stats filter is enabled or not + prometheus: + enabled: true + # stackdriver filter settings. + stackdriver: + enabled: false + # Revision is set as 'version' label and part of the resource names when installing multiple control planes. + revision: "" + + # Revision tags are aliases to Istio control plane revisions + revisionTags: [] + + # For Helm compatibility. + ownerName: "" + + # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior + # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options + meshConfig: + enablePrometheusMerge: true + + experimental: + stableValidationPolicy: false + + global: + # Used to locate istiod. + istioNamespace: istio-system + # List of cert-signers to allow "approve" action in the istio cluster role + # + # certSigners: + # - clusterissuers.cert-manager.io/istio-ca + certSigners: [] + # enable pod disruption budget for the control plane, which is used to + # ensure Istio control plane components are gradually upgraded or recovered. + defaultPodDisruptionBudget: + enabled: true + # The values aren't mutable due to a current PodDisruptionBudget limitation + # minAvailable: 1 + + # A minimal set of requested resources to applied to all deployments so that + # Horizontal Pod Autoscaler will be able to function (if set). + # Each component can overwrite these default values by adding its own resources + # block in the relevant section below and setting the desired resources values. + defaultResources: + requests: + cpu: 10m + # memory: 128Mi + # limits: + # cpu: 100m + # memory: 128Mi + + # Default hub for Istio images. + # Releases are published to docker hub under 'istio' project. + # Dev builds from prow are on gcr.io + hub: gcr.io/istio-release + # Default tag for Istio images. + tag: 1.26.2 + # Variant of the image to use. + # Currently supported are: [debug, distroless] + variant: "" + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent. + imagePullPolicy: "" + + # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) + # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + # - private-registry-key + + # Enabled by default in master for maximising testing. + istiod: + enableAnalysis: false + + # To output all istio components logs in json format by adding --log_as_json argument to each container argument + logAsJson: false + + # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: + # The control plane has different scopes depending on component, but can configure default log level across all components + # If empty, default scope and level will be used as configured in code + logging: + level: "default:info" + + # When enabled, default NetworkPolicy resources will be created + networkPolicy: + enabled: false + + omitSidecarInjectorConfigMap: false + + # Configure whether Operator manages webhook configurations. The current behavior + # of Istiod is to manage its own webhook configurations. + # When this option is set as true, Istio Operator, instead of webhooks, manages the + # webhook configurations. When this option is set as false, webhooks manage their + # own webhook configurations. + operatorManageWebhooks: false + + # Custom DNS config for the pod to resolve names of services in other + # clusters. Use this to add additional search domains, and other settings. + # see + # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config + # This does not apply to gateway pods as they typically need a different + # set of DNS settings than the normal application pods (e.g., in + # multicluster scenarios). + # NOTE: If using templates, follow the pattern in the commented example below. + #podDNSSearchNamespaces: + #- global + #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global" + + # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and + # system-node-critical, it is better to configure this in order to make sure your Istio pods + # will not be killed because of low priority class. + # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + # for more detail. + priorityClassName: "" + + proxy: + image: proxyv2 + + # This controls the 'policy' in the sidecar injector. + autoInject: enabled + + # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value + # cluster domain. Default value is "cluster.local". + clusterDomain: "cluster.local" + + # Per Component log level for proxy, applies to gateways and sidecars. If a component level is + # not set, then the global "logLevel" will be used. + componentLogLevel: "misc:error" + + # istio ingress capture allowlist + # examples: + # Redirect only selected ports: --includeInboundPorts="80,8080" + excludeInboundPorts: "" + includeInboundPorts: "*" + + # istio egress capture allowlist + # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly + # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" + # would only capture egress traffic on those two IP Ranges, all other outbound traffic would + # be allowed by the sidecar + includeIPRanges: "*" + excludeIPRanges: "" + includeOutboundPorts: "" + excludeOutboundPorts: "" + + # Log level for proxy, applies to gateways and sidecars. + # Expected values are: trace|debug|info|warning|error|critical|off + logLevel: warning + + # Specify the path to the outlier event log. + # Example: /dev/stdout + outlierLogPath: "" + + #If set to true, istio-proxy container will have privileged securityContext + privileged: false + + # The number of successive failed probes before indicating readiness failure. + readinessFailureThreshold: 4 + + # The initial delay for readiness probes in seconds. + readinessInitialDelaySeconds: 0 + + # The period between readiness probes. + readinessPeriodSeconds: 15 + + # Enables or disables a startup probe. + # For optimal startup times, changing this should be tied to the readiness probe values. + # + # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4. + # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval), + # and doesn't spam the readiness endpoint too much + # + # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30. + # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly. + startupProbe: + enabled: true + failureThreshold: 600 # 10 minutes + + # Resources for the sidecar. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 1024Mi + + # Default port for Pilot agent health checks. A value of 0 will disable health checking. + statusPort: 15020 + + # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none. + # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. + tracer: "none" + + proxy_init: + # Base name for the proxy_init container, used to configure iptables. + image: proxyv2 + # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures. + # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases. + forceApplyIptables: false + + # configure remote pilot and istiod service and endpoint + remotePilotAddress: "" + + ############################################################################################## + # The following values are found in other charts. To effectively modify these values, make # + # make sure they are consistent across your Istio helm charts # + ############################################################################################## + + # The customized CA address to retrieve certificates for the pods in the cluster. + # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. + # If not set explicitly, default to the Istio discovery address. + caAddress: "" + + # Enable control of remote clusters. + externalIstiod: false + + # Configure a remote cluster as the config cluster for an external istiod. + configCluster: false + + # configValidation enables the validation webhook for Istio configuration. + configValidation: true + + # Mesh ID means Mesh Identifier. It should be unique within the scope where + # meshes will interact with each other, but it is not required to be + # globally/universally unique. For example, if any of the following are true, + # then two meshes must have different Mesh IDs: + # - Meshes will have their telemetry aggregated in one place + # - Meshes will be federated together + # - Policy will be written referencing one mesh from the other + # + # If an administrator expects that any of these conditions may become true in + # the future, they should ensure their meshes have different Mesh IDs + # assigned. + # + # Within a multicluster mesh, each cluster must be (manually or auto) + # configured to have the same Mesh ID value. If an existing cluster 'joins' a + # multicluster mesh, it will need to be migrated to the new mesh ID. Details + # of migration TBD, and it may be a disruptive operation to change the Mesh + # ID post-install. + # + # If the mesh admin does not specify a value, Istio will use the value of the + # mesh's Trust Domain. The best practice is to select a proper Trust Domain + # value. + meshID: "" + + # Configure the mesh networks to be used by the Split Horizon EDS. + # + # The following example defines two networks with different endpoints association methods. + # For `network1` all endpoints that their IP belongs to the provided CIDR range will be + # mapped to network1. The gateway for this network example is specified by its public IP + # address and port. + # The second network, `network2`, in this example is defined differently with all endpoints + # retrieved through the specified Multi-Cluster registry being mapped to network2. The + # gateway is also defined differently with the name of the gateway service on the remote + # cluster. The public IP for the gateway will be determined from that remote service (only + # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, + # it still need to be configured manually). + # + # meshNetworks: + # network1: + # endpoints: + # - fromCidr: "192.168.0.1/24" + # gateways: + # - address: 1.1.1.1 + # port: 80 + # network2: + # endpoints: + # - fromRegistry: reg1 + # gateways: + # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local + # port: 443 + # + meshNetworks: {} + + # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. + mountMtlsCerts: false + + multiCluster: + # Set to true to connect two kubernetes clusters via their respective + # ingressgateway services when pods in each cluster cannot directly + # talk to one another. All clusters should be using Istio mTLS and must + # have a shared root CA for this model to work. + enabled: false + # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection + # to properly label proxies + clusterName: "" + + # Network defines the network this cluster belong to. This name + # corresponds to the networks in the map of mesh networks. + network: "" + + # Configure the certificate provider for control plane communication. + # Currently, two providers are supported: "kubernetes" and "istiod". + # As some platforms may not have kubernetes signing APIs, + # Istiod is the default + pilotCertProvider: istiod + + sds: + # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. + # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the + # JWT is intended for the CA. + token: + aud: istio-ca + + sts: + # The service port used by Security Token Service (STS) server to handle token exchange requests. + # Setting this port to a non-zero value enables STS server. + servicePort: 0 + + # The name of the CA for workload certificates. + # For example, when caName=GkeWorkloadCertificate, GKE workload certificates + # will be used as the certificates for workloads. + # The default value is "" and when caName="", the CA will be configured by other + # mechanisms (e.g., environmental variable CA_PROVIDER). + caName: "" + + waypoint: + # Resources for the waypoint proxy. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: "2" + memory: 1Gi + + # If specified, affinity defines the scheduling constraints of waypoint pods. + affinity: {} + + # Topology Spread Constraints for the waypoint proxy. + topologySpreadConstraints: [] + + # Node labels for the waypoint proxy. + nodeSelector: {} + + # Tolerations for the waypoint proxy. + tolerations: [] + + base: + # For istioctl usage to disable istio config crds in base + enableIstioConfigCRDs: true + + # Gateway Settings + gateways: + # Define the security context for the pod. + # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. + # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. + securityContext: {} + + # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it + seccompProfile: {} + + # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass. + # For example: + # gatewayClasses: + # istio: + # service: + # spec: + # type: ClusterIP + # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field. + gatewayClasses: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/Chart.yaml new file mode 100644 index 0000000000..c29b478ebb --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +appVersion: 1.26.2 +description: Helm chart for istio ztunnel components +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio-ztunnel +- istio +name: ztunnel +sources: +- https://github.com/istio/istio +version: 1.26.2 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/README.md new file mode 100644 index 0000000000..ffe0b94fe8 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/README.md @@ -0,0 +1,50 @@ +# Istio Ztunnel Helm Chart + +This chart installs an Istio ztunnel. + +## Setup Repo Info + +```console +helm repo add istio https://istio-release.storage.googleapis.com/charts +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Installing the Chart + +To install the chart: + +```console +helm install ztunnel istio/ztunnel +``` + +## Uninstalling the Chart + +To uninstall/delete the chart: + +```console +helm delete ztunnel +``` + +## Configuration + +To view support configuration options and documentation, run: + +```console +helm show values istio/ztunnel +``` + +### Profiles + +Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. +These can be set with `--set profile=`. +For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. + +For consistency, the same profiles are used across each chart, even if they do not impact a given chart. + +Explicitly set values have highest priority, then profile settings, then chart defaults. + +As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. +When configuring the chart, you should not include this. +That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-ambient.yaml new file mode 100644 index 0000000000..2805fe46bf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-ambient.yaml @@ -0,0 +1,17 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-compatibility-version-1.23.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-compatibility-version-1.23.yaml new file mode 100644 index 0000000000..dac910ff5b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-compatibility-version-1.23.yaml @@ -0,0 +1,25 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + ENABLE_INBOUND_RETRY_POLICY: "false" + EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" + +ambient: + # Not present in <1.24, defaults to `true` in 1.25+ + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 0000000000..b211c82666 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-compatibility-version-1.24.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + PILOT_ENABLE_IP_AUTOALLOCATE: "false" +ambient: + dnsCapture: false + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..eb8827cd50 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-demo.yaml new file mode 100644 index 0000000000..d6dc36dd0f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-demo.yaml @@ -0,0 +1,94 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The demo profile enables a variety of things to try out Istio in non-production environments. +# * Lower resource utilization. +# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. +# * More ports enabled on the ingress, which is used in some tasks. +meshConfig: + accessLogFile: /dev/stdout + extensionProviders: + - name: otel + envoyOtelAls: + service: opentelemetry-collector.observability.svc.cluster.local + port: 4317 + - name: skywalking + skywalking: + service: tracing.istio-system.svc.cluster.local + port: 11800 + - name: otel-tracing + opentelemetry: + port: 4317 + service: opentelemetry-collector.observability.svc.cluster.local + - name: jaeger + opentelemetry: + port: 4317 + service: jaeger-collector.istio-system.svc.cluster.local + +cni: + resources: + requests: + cpu: 10m + memory: 40Mi + +ztunnel: + resources: + requests: + cpu: 10m + memory: 40Mi + +global: + proxy: + resources: + requests: + cpu: 10m + memory: 40Mi + waypoint: + resources: + requests: + cpu: 10m + memory: 40Mi + +pilot: + autoscaleEnabled: false + traceSampling: 100 + resources: + requests: + cpu: 10m + memory: 100Mi + +gateways: + istio-egressgateway: + autoscaleEnabled: false + resources: + requests: + cpu: 10m + memory: 40Mi + istio-ingressgateway: + autoscaleEnabled: false + ports: + ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. + # Note that AWS ELB will by default perform health checks on the first port + # on this list. Setting this to the health check port will ensure that health + # checks always work. https://github.com/istio/istio/issues/12503 + - port: 15021 + targetPort: 15021 + name: status-port + - port: 80 + targetPort: 8080 + name: http2 + - port: 443 + targetPort: 8443 + name: https + - port: 31400 + targetPort: 31400 + name: tcp + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + resources: + requests: + cpu: 10m + memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-platform-gke.yaml new file mode 100644 index 0000000000..dfe8a7d741 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-platform-gke.yaml @@ -0,0 +1,10 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work + resourceQuotas: + enabled: true +resourceQuotas: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-platform-k3d.yaml new file mode 100644 index 0000000000..cd86d9ec58 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-platform-k3d.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-platform-k3s.yaml new file mode 100644 index 0000000000..07820106d9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-platform-k3s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-platform-microk8s.yaml new file mode 100644 index 0000000000..57d7f5e3cd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-platform-microk8s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/snap/microk8s/current/args/cni-network + cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-platform-minikube.yaml new file mode 100644 index 0000000000..fa9992e204 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-platform-minikube.yaml @@ -0,0 +1,6 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-platform-openshift.yaml new file mode 100644 index 0000000000..8ddc5e1654 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-platform-openshift.yaml @@ -0,0 +1,19 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The OpenShift profile provides a basic set of settings to run Istio on OpenShift +cni: + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + provider: "multus" +pilot: + cni: + enabled: true + provider: "multus" +seLinuxOptions: + type: spc_t +# Openshift requires privileged pods to run in kube-system +trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-preview.yaml new file mode 100644 index 0000000000..181d7bda2c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-preview.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +meshConfig: + defaultConfig: + proxyMetadata: + # Enable Istio agent to handle DNS requests for known hosts + # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf + ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-remote.yaml new file mode 100644 index 0000000000..d17b9a801a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-remote.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. +istiodRemote: + enabled: true +configMap: false +telemetry: + enabled: false +global: + # TODO BML maybe a different profile for a configcluster/revisit this + omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-stable.yaml new file mode 100644 index 0000000000..358282e69b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/files/profile-stable.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The stable profile deploys admission control to ensure that only stable resources and fields are used +# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE +experimental: + stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/templates/NOTES.txt new file mode 100644 index 0000000000..244f59db06 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/templates/NOTES.txt @@ -0,0 +1,5 @@ +ztunnel successfully installed! + +To learn more about the release, try: + $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} + $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/templates/_helpers.tpl new file mode 100644 index 0000000000..46a7a0b79d --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/templates/_helpers.tpl @@ -0,0 +1 @@ +{{ define "ztunnel.release-name" }}{{ .Values.resourceName| default "ztunnel" }}{{ end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/templates/daemonset.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/templates/daemonset.yaml new file mode 100644 index 0000000000..0822394d76 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/templates/daemonset.yaml @@ -0,0 +1,205 @@ +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ include "ztunnel.release-name" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: ztunnel + {{- include "istio.labels" . | nindent 4}} + {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }} + annotations: +{{- if .Values.revision }} + {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }} + {{- toYaml $annos | nindent 4}} +{{- else }} + {{- .Values.annotations | toYaml | nindent 4 }} +{{- end }} +spec: + {{- with .Values.updateStrategy }} + updateStrategy: + {{- toYaml . | nindent 4 }} + {{- end }} + selector: + matchLabels: + app: ztunnel + template: + metadata: + labels: + sidecar.istio.io/inject: "false" + istio.io/dataplane-mode: none + app: ztunnel + app.kubernetes.io/name: ztunnel + {{- include "istio.labels" . | nindent 8}} +{{ with .Values.podLabels -}}{{ toYaml . | indent 8 }}{{ end }} + annotations: + sidecar.istio.io/inject: "false" +{{- if .Values.revision }} + istio.io/rev: {{ .Values.revision }} +{{- end }} +{{ with .Values.podAnnotations -}}{{ toYaml . | indent 8 }}{{ end }} + spec: + nodeSelector: + kubernetes.io/os: linux +{{- if .Values.nodeSelector }} +{{ toYaml .Values.nodeSelector | indent 8 }} +{{- end }} +{{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | trim | indent 8 }} +{{- end }} + serviceAccountName: {{ include "ztunnel.release-name" . }} + tolerations: + - effect: NoSchedule + operator: Exists + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists + containers: + - name: istio-proxy +{{- if contains "/" .Values.image }} + image: "{{ .Values.image }}" +{{- else }} + image: "{{ .Values.hub }}/{{ .Values.image | default "ztunnel" }}:{{ .Values.tag }}{{with (.Values.variant )}}-{{.}}{{end}}" +{{- end }} + ports: + - containerPort: 15020 + name: ztunnel-stats + protocol: TCP + resources: +{{- if .Values.resources }} +{{ toYaml .Values.resources | trim | indent 10 }} +{{- end }} +{{- with .Values.imagePullPolicy }} + imagePullPolicy: {{ . }} +{{- end }} + securityContext: + # K8S docs are clear that CAP_SYS_ADMIN *or* privileged: true + # both force this to `true`: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + # But there is a K8S validation bug that doesn't propery catch this: https://github.com/kubernetes/kubernetes/issues/119568 + allowPrivilegeEscalation: true + privileged: false + capabilities: + drop: + - ALL + add: # See https://man7.org/linux/man-pages/man7/capabilities.7.html + - NET_ADMIN # Required for TPROXY and setsockopt + - SYS_ADMIN # Required for `setns` - doing things in other netns + - NET_RAW # Required for RAW/PACKET sockets, TPROXY + readOnlyRootFilesystem: true + runAsGroup: 1337 + runAsNonRoot: false + runAsUser: 0 +{{- if .Values.seLinuxOptions }} + seLinuxOptions: +{{ toYaml .Values.seLinuxOptions | trim | indent 12 }} +{{- end }} + readinessProbe: + httpGet: + port: 15021 + path: /healthz/ready + args: + - proxy + - ztunnel + env: + - name: CA_ADDRESS + {{- if .Values.caAddress }} + value: {{ .Values.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012 + {{- end }} + - name: XDS_ADDRESS + {{- if .Values.xdsAddress }} + value: {{ .Values.xdsAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012 + {{- end }} + {{- if .Values.logAsJson }} + - name: LOG_FORMAT + value: json + {{- end}} + - name: RUST_LOG + value: {{ .Values.logLevel | quote }} + - name: RUST_BACKTRACE + value: "1" + - name: ISTIO_META_CLUSTER_ID + value: {{ .Values.multiCluster.clusterName | default "Kubernetes" }} + - name: INPOD_ENABLED + value: "true" + - name: TERMINATION_GRACE_PERIOD_SECONDS + value: "{{ .Values.terminationGracePeriodSeconds }}" + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + {{- if .Values.meshConfig.defaultConfig.proxyMetadata }} + {{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata}} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + {{- with .Values.env }} + {{- range $key, $val := . }} + - name: {{ $key }} + value: "{{ $val }}" + {{- end }} + {{- end }} + volumeMounts: + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + - mountPath: /var/run/secrets/tokens + name: istio-token + - mountPath: /var/run/ztunnel + name: cni-ztunnel-sock-dir + - mountPath: /tmp + name: tmp + {{- with .Values.volumeMounts }} + {{- toYaml . | nindent 8 }} + {{- end }} + priorityClassName: system-node-critical + terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} + volumes: + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: istio-ca + - name: istiod-ca-cert + {{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:root-cert + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + - name: cni-ztunnel-sock-dir + hostPath: + path: /var/run/ztunnel + type: DirectoryOrCreate # ideally this would be a socket, but istio-cni may not have started yet. + # pprof needs a writable /tmp, and we don't have that thanks to `readOnlyRootFilesystem: true`, so mount one + - name: tmp + emptyDir: {} + {{- with .Values.volumes }} + {{- toYaml . | nindent 6}} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/templates/rbac.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/templates/rbac.yaml new file mode 100644 index 0000000000..0a8138c9a3 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/templates/rbac.yaml @@ -0,0 +1,72 @@ +apiVersion: v1 +kind: ServiceAccount + {{- with .Values.imagePullSecrets }} +imagePullSecrets: + {{- range . }} + - name: {{ . }} + {{- end }} + {{- end }} +metadata: + name: {{ include "ztunnel.release-name" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: ztunnel + {{- include "istio.labels" . | nindent 4}} + {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }} + annotations: +{{- if .Values.revision }} + {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }} + {{- toYaml $annos | nindent 4}} +{{- else }} + {{- .Values.annotations | toYaml | nindent 4 }} +{{- end }} +--- +{{- if (eq (.Values.platform | default "") "openshift") }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "ztunnel.release-name" . }} + labels: + app: ztunnel + release: {{ include "ztunnel.release-name" . }} + app.kubernetes.io/name: ztunnel + {{- include "istio.labels" . | nindent 4}} + annotations: +{{- if .Values.revision }} + {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }} + {{- toYaml $annos | nindent 4}} +{{- else }} + {{- .Values.annotations | toYaml | nindent 4 }} +{{- end }} +rules: +- apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: ["privileged"] + verbs: ["use"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "ztunnel.release-name" . }} + labels: + app: ztunnel + release: {{ include "ztunnel.release-name" . }} + app.kubernetes.io/name: ztunnel + {{- include "istio.labels" . | nindent 4}} + annotations: +{{- if .Values.revision }} + {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }} + {{- toYaml $annos | nindent 4}} +{{- else }} + {{- .Values.annotations | toYaml | nindent 4 }} +{{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "ztunnel.release-name" . }} +subjects: +- kind: ServiceAccount + name: {{ include "ztunnel.release-name" . }} + namespace: {{ .Release.Namespace }} +{{- end }} +--- diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/templates/resourcequota.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/templates/resourcequota.yaml new file mode 100644 index 0000000000..a1c0e5496d --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/templates/resourcequota.yaml @@ -0,0 +1,20 @@ +{{- if .Values.resourceQuotas.enabled }} +apiVersion: v1 +kind: ResourceQuota +metadata: + name: {{ include "ztunnel.release-name" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: ztunnel + {{- include "istio.labels" . | nindent 4}} + {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }} +spec: + hard: + pods: {{ .Values.resourceQuotas.pods | quote }} + scopeSelector: + matchExpressions: + - operator: In + scopeName: PriorityClass + values: + - system-node-critical +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/templates/zzz_profile.yaml new file mode 100644 index 0000000000..606c556697 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/templates/zzz_profile.yaml @@ -0,0 +1,75 @@ +{{/* +WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. +The original version of this file is located at /manifests directory. +If you want to make a change in this file, edit the original one and run "make gen". + +Complex logic ahead... +We have three sets of values, in order of precedence (last wins): +1. The builtin values.yaml defaults +2. The profile the user selects +3. Users input (-f or --set) + +Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). + +However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). +We can then merge the profile onto the defaults, then the user settings onto that. +Finally, we can set all of that under .Values so the chart behaves without awareness. +*/}} +{{- if $.Values.defaults}} +{{ fail (cat + "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" + ($.Values.defaults | toYaml |nindent 4) +) }} +{{- end }} +{{- $defaults := $.Values._internal_defaults_do_not_set }} +{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} +{{- $profile := dict }} +{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} +{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} +{{- $profile = (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown profile" .) }} +{{- end }} +{{- end }} +{{- with .Values.compatibilityVersion }} +{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} +{{- end }} +{{- end }} +{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} +{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown platform" .) }} +{{- end }} +{{- end }} +{{- if $profile }} +{{- $a := mustMergeOverwrite $defaults $profile }} +{{- end }} +# Flatten globals, if defined on a per-chart basis +{{- if true }} +{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} +{{- end }} +{{- $x := set $.Values "_original" (deepCopy $.Values) }} +{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} + +{{/* +Labels that should be applied to ALL resources. +*/}} +{{- define "istio.labels" -}} +{{- if .Release.Service -}} +app.kubernetes.io/managed-by: {{ .Release.Service | quote }} +{{- end }} +{{- if .Release.Name }} +app.kubernetes.io/instance: {{ .Release.Name | quote }} +{{- end }} +app.kubernetes.io/part-of: "istio" +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +{{- if and .Chart.Name .Chart.Version }} +helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/values.yaml new file mode 100644 index 0000000000..083ef99a4d --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/charts/ztunnel/values.yaml @@ -0,0 +1,114 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + # Hub to pull from. Image will be `Hub/Image:Tag-Variant` + hub: gcr.io/istio-release + # Tag to pull from. Image will be `Hub/Image:Tag-Variant` + tag: 1.26.2 + # Variant to pull. Options are "debug" or "distroless". Unset will use the default for the given version. + variant: "" + + # Image name to pull from. Image will be `Hub/Image:Tag-Variant` + # If Image contains a "/", it will replace the entire `image` in the pod. + image: ztunnel + + # resourceName, if set, will override the naming of resources. If not set, will default to 'ztunnel'. + # If you set this, you MUST also set `trustedZtunnelName` in the `istiod` chart. + resourceName: "" + + # Labels to apply to all top level resources + labels: {} + # Annotations to apply to all top level resources + annotations: {} + + # Additional volumeMounts to the ztunnel container + volumeMounts: [] + + # Additional volumes to the ztunnel pod + volumes: [] + + # Annotations added to each pod. The default annotations are required for scraping prometheus (in most environments). + podAnnotations: + prometheus.io/port: "15020" + prometheus.io/scrape: "true" + + # Additional labels to apply on the pod level + podLabels: {} + + # Pod resource configuration + resources: + requests: + cpu: 200m + # Ztunnel memory scales with the size of the cluster and traffic load + # While there are many factors, this is enough for ~200k pod cluster or 100k concurrently open connections. + memory: 512Mi + + resourceQuotas: + enabled: false + pods: 5000 + + # List of secret names to add to the service account as image pull secrets + imagePullSecrets: [] + + # A `key: value` mapping of environment variables to add to the pod + env: {} + + # Override for the pod imagePullPolicy + imagePullPolicy: "" + + # Settings for multicluster + multiCluster: + # The name of the cluster we are installing in. Note this is a user-defined name, which must be consistent + # with Istiod configuration. + clusterName: "" + + # meshConfig defines runtime configuration of components. + # For ztunnel, only defaultConfig is used, but this is nested under `meshConfig` for consistency with other + # components. + # TODO: https://github.com/istio/istio/issues/43248 + meshConfig: + defaultConfig: + proxyMetadata: {} + + # This value defines: + # 1. how many seconds kube waits for ztunnel pod to gracefully exit before forcibly terminating it (this value) + # 2. how many seconds ztunnel waits to drain its own connections (this value - 1 sec) + # Default K8S value is 30 seconds + terminationGracePeriodSeconds: 30 + + # Revision is set as 'version' label and part of the resource names when installing multiple control planes. + # Used to locate the XDS and CA, if caAddress or xdsAddress are not set explicitly. + revision: "" + + # The customized CA address to retrieve certificates for the pods in the cluster. + # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. + caAddress: "" + + # The customized XDS address to retrieve configuration. + # This should include the port - 15012 for Istiod. TLS will be used with the certificates in "istiod-ca-cert" secret. + # By default, it is istiod.istio-system.svc:15012 if revision is not set, or istiod-..svc:15012 + xdsAddress: "" + + # Used to locate the XDS and CA, if caAddress or xdsAddress are not set. + istioNamespace: istio-system + + # Configuration log level of ztunnel binary, default is info. + # Valid values are: trace, debug, info, warn, error + logLevel: info + + # To output all logs in json format + logAsJson: false + + # Set to `type: RuntimeDefault` to use the default profile if available. + seLinuxOptions: {} + # TODO Ambient inpod - for OpenShift, set to the following to get writable sockets in hostmounts to work, eventually consider CSI driver instead + #seLinuxOptions: + # type: spc_t + + # K8s DaemonSet update strategy. + # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec). + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/cni-1.26.2.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/cni-1.26.2.tgz.etag new file mode 100644 index 0000000000..fe61700d5a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/cni-1.26.2.tgz.etag @@ -0,0 +1 @@ +4e833867b853de59dbc0b18c7499219b87e1552f97c5b3c691219b7686103f46 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/commit b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/commit new file mode 100644 index 0000000000..c7c3f3333e --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/commit @@ -0,0 +1 @@ +1.26.2 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/gateway-1.26.2.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/gateway-1.26.2.tgz.etag new file mode 100644 index 0000000000..e64046cc02 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/gateway-1.26.2.tgz.etag @@ -0,0 +1 @@ +5bfe27456ff3cc185112be32b7a99a6ea9b98e91843e22face47e170cc954bc1 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/istiod-1.26.2.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/istiod-1.26.2.tgz.etag new file mode 100644 index 0000000000..f83aaeb1c7 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/istiod-1.26.2.tgz.etag @@ -0,0 +1 @@ +ddac28c3771fcd097e99b8a03730cc206ab99f715078ead99d5c5cc528d6e290 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/profiles/ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/profiles/ambient.yaml new file mode 100644 index 0000000000..71ea784a80 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/profiles/ambient.yaml @@ -0,0 +1,5 @@ +apiVersion: sailoperator.io/v1 +kind: Istio +spec: + values: + profile: ambient diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/profiles/default.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/profiles/default.yaml new file mode 100644 index 0000000000..8f1ef19676 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/profiles/default.yaml @@ -0,0 +1,12 @@ +apiVersion: sailoperator.io/v1 +kind: Istio +spec: + # Most default values come from the helm chart's values.yaml + # Below are the things that differ + values: + defaultRevision: "" + global: + istioNamespace: istio-system + configValidation: true + ztunnel: + resourceName: ztunnel diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/profiles/demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/profiles/demo.yaml new file mode 100644 index 0000000000..53c4b41633 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/profiles/demo.yaml @@ -0,0 +1,5 @@ +apiVersion: sailoperator.io/v1 +kind: Istio +spec: + values: + profile: demo diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/profiles/empty.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/profiles/empty.yaml new file mode 100644 index 0000000000..4477cb1fe1 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/profiles/empty.yaml @@ -0,0 +1,5 @@ +# The empty profile has everything disabled +# This is useful as a base for custom user configuration +apiVersion: sailoperator.io/v1 +kind: Istio +spec: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/profiles/openshift-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/profiles/openshift-ambient.yaml new file mode 100644 index 0000000000..76edf00cd8 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/profiles/openshift-ambient.yaml @@ -0,0 +1,7 @@ +apiVersion: sailoperator.io/v1 +kind: Istio +spec: + values: + profile: ambient + global: + platform: openshift diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/profiles/openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/profiles/openshift.yaml new file mode 100644 index 0000000000..41492660fe --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/profiles/openshift.yaml @@ -0,0 +1,6 @@ +apiVersion: sailoperator.io/v1 +kind: Istio +spec: + values: + global: + platform: openshift diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/profiles/preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/profiles/preview.yaml new file mode 100644 index 0000000000..59d545c840 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/profiles/preview.yaml @@ -0,0 +1,8 @@ +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +apiVersion: sailoperator.io/v1 +kind: Istio +spec: + values: + profile: preview diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/profiles/remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/profiles/remote.yaml new file mode 100644 index 0000000000..54c65c8ba9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/profiles/remote.yaml @@ -0,0 +1,7 @@ +# The remote profile is used to configure a mesh cluster without a locally deployed control plane. +# Only the injector mutating webhook configuration is installed. +apiVersion: sailoperator.io/v1 +kind: Istio +spec: + values: + profile: remote diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/profiles/stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/profiles/stable.yaml new file mode 100644 index 0000000000..285feba244 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/profiles/stable.yaml @@ -0,0 +1,5 @@ +apiVersion: sailoperator.io/v1 +kind: Istio +spec: + values: + profile: stable diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/ztunnel-1.26.2.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/ztunnel-1.26.2.tgz.etag new file mode 100644 index 0000000000..341d4a2cc2 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.2/ztunnel-1.26.2.tgz.etag @@ -0,0 +1 @@ +b7ddc493f337a56e54450e11c8904c27acec2f551d3fa821daad195f8cb38342 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/base-1.26.3.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/base-1.26.3.tgz.etag new file mode 100644 index 0000000000..5facdc47f9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/base-1.26.3.tgz.etag @@ -0,0 +1 @@ +a5c745b2352b4e645c2b498e84f9aa1a76e0f12cdfa15907a509a41160408544 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/Chart.yaml new file mode 100644 index 0000000000..40c0089217 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/Chart.yaml @@ -0,0 +1,10 @@ +apiVersion: v2 +appVersion: 1.26.3 +description: Helm chart for deploying Istio cluster resources and CRDs +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio +name: base +sources: +- https://github.com/istio/istio +version: 1.26.3 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/README.md new file mode 100644 index 0000000000..ae8f6d5b0e --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/README.md @@ -0,0 +1,35 @@ +# Istio base Helm Chart + +This chart installs resources shared by all Istio revisions. This includes Istio CRDs. + +## Setup Repo Info + +```console +helm repo add istio https://istio-release.storage.googleapis.com/charts +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Installing the Chart + +To install the chart with the release name `istio-base`: + +```console +kubectl create namespace istio-system +helm install istio-base istio/base -n istio-system +``` + +### Profiles + +Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. +These can be set with `--set profile=`. +For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. + +For consistency, the same profiles are used across each chart, even if they do not impact a given chart. + +Explicitly set values have highest priority, then profile settings, then chart defaults. + +As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. +When configuring the chart, you should not include this. +That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-ambient.yaml new file mode 100644 index 0000000000..2805fe46bf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-ambient.yaml @@ -0,0 +1,17 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-compatibility-version-1.23.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-compatibility-version-1.23.yaml new file mode 100644 index 0000000000..dac910ff5b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-compatibility-version-1.23.yaml @@ -0,0 +1,25 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + ENABLE_INBOUND_RETRY_POLICY: "false" + EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" + +ambient: + # Not present in <1.24, defaults to `true` in 1.25+ + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 0000000000..b211c82666 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-compatibility-version-1.24.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + PILOT_ENABLE_IP_AUTOALLOCATE: "false" +ambient: + dnsCapture: false + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..eb8827cd50 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-demo.yaml new file mode 100644 index 0000000000..d6dc36dd0f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-demo.yaml @@ -0,0 +1,94 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The demo profile enables a variety of things to try out Istio in non-production environments. +# * Lower resource utilization. +# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. +# * More ports enabled on the ingress, which is used in some tasks. +meshConfig: + accessLogFile: /dev/stdout + extensionProviders: + - name: otel + envoyOtelAls: + service: opentelemetry-collector.observability.svc.cluster.local + port: 4317 + - name: skywalking + skywalking: + service: tracing.istio-system.svc.cluster.local + port: 11800 + - name: otel-tracing + opentelemetry: + port: 4317 + service: opentelemetry-collector.observability.svc.cluster.local + - name: jaeger + opentelemetry: + port: 4317 + service: jaeger-collector.istio-system.svc.cluster.local + +cni: + resources: + requests: + cpu: 10m + memory: 40Mi + +ztunnel: + resources: + requests: + cpu: 10m + memory: 40Mi + +global: + proxy: + resources: + requests: + cpu: 10m + memory: 40Mi + waypoint: + resources: + requests: + cpu: 10m + memory: 40Mi + +pilot: + autoscaleEnabled: false + traceSampling: 100 + resources: + requests: + cpu: 10m + memory: 100Mi + +gateways: + istio-egressgateway: + autoscaleEnabled: false + resources: + requests: + cpu: 10m + memory: 40Mi + istio-ingressgateway: + autoscaleEnabled: false + ports: + ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. + # Note that AWS ELB will by default perform health checks on the first port + # on this list. Setting this to the health check port will ensure that health + # checks always work. https://github.com/istio/istio/issues/12503 + - port: 15021 + targetPort: 15021 + name: status-port + - port: 80 + targetPort: 8080 + name: http2 + - port: 443 + targetPort: 8443 + name: https + - port: 31400 + targetPort: 31400 + name: tcp + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + resources: + requests: + cpu: 10m + memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-platform-gke.yaml new file mode 100644 index 0000000000..dfe8a7d741 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-platform-gke.yaml @@ -0,0 +1,10 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work + resourceQuotas: + enabled: true +resourceQuotas: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-platform-k3d.yaml new file mode 100644 index 0000000000..cd86d9ec58 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-platform-k3d.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-platform-k3s.yaml new file mode 100644 index 0000000000..07820106d9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-platform-k3s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-platform-microk8s.yaml new file mode 100644 index 0000000000..57d7f5e3cd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-platform-microk8s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/snap/microk8s/current/args/cni-network + cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-platform-minikube.yaml new file mode 100644 index 0000000000..fa9992e204 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-platform-minikube.yaml @@ -0,0 +1,6 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-platform-openshift.yaml new file mode 100644 index 0000000000..8ddc5e1654 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-platform-openshift.yaml @@ -0,0 +1,19 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The OpenShift profile provides a basic set of settings to run Istio on OpenShift +cni: + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + provider: "multus" +pilot: + cni: + enabled: true + provider: "multus" +seLinuxOptions: + type: spc_t +# Openshift requires privileged pods to run in kube-system +trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-preview.yaml new file mode 100644 index 0000000000..181d7bda2c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-preview.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +meshConfig: + defaultConfig: + proxyMetadata: + # Enable Istio agent to handle DNS requests for known hosts + # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf + ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-remote.yaml new file mode 100644 index 0000000000..d17b9a801a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-remote.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. +istiodRemote: + enabled: true +configMap: false +telemetry: + enabled: false +global: + # TODO BML maybe a different profile for a configcluster/revisit this + omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-stable.yaml new file mode 100644 index 0000000000..358282e69b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/files/profile-stable.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The stable profile deploys admission control to ensure that only stable resources and fields are used +# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE +experimental: + stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/templates/NOTES.txt new file mode 100644 index 0000000000..f12616f578 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/templates/NOTES.txt @@ -0,0 +1,5 @@ +Istio base successfully installed! + +To learn more about the release, try: + $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} + $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml new file mode 100644 index 0000000000..2616b09c9a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml @@ -0,0 +1,53 @@ +{{- if and .Values.experimental.stableValidationPolicy (not (eq .Values.defaultRevision "")) }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicy +metadata: + name: "stable-channel-default-policy.istio.io" + labels: + release: {{ .Release.Name }} + istio: istiod + istio.io/rev: {{ .Values.defaultRevision }} + app.kubernetes.io/name: "istiod" + {{ include "istio.labels" . | nindent 4 }} +spec: + failurePolicy: Fail + matchConstraints: + resourceRules: + - apiGroups: + - security.istio.io + - networking.istio.io + - telemetry.istio.io + - extensions.istio.io + apiVersions: ["*"] + operations: ["CREATE", "UPDATE"] + resources: ["*"] + variables: + - name: isEnvoyFilter + expression: "object.kind == 'EnvoyFilter'" + - name: isWasmPlugin + expression: "object.kind == 'WasmPlugin'" + - name: isProxyConfig + expression: "object.kind == 'ProxyConfig'" + - name: isTelemetry + expression: "object.kind == 'Telemetry'" + validations: + - expression: "!variables.isEnvoyFilter" + - expression: "!variables.isWasmPlugin" + - expression: "!variables.isProxyConfig" + - expression: | + !( + variables.isTelemetry && ( + (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) || + (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) || + (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter)) + ) + ) +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicyBinding +metadata: + name: "stable-channel-default-policy-binding.istio.io" +spec: + policyName: "stable-channel-default-policy.istio.io" + validationActions: [Deny] +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml new file mode 100644 index 0000000000..8cb76fd773 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml @@ -0,0 +1,56 @@ +{{- if not (eq .Values.defaultRevision "") }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: istiod-default-validator + labels: + app: istiod + release: {{ .Release.Name }} + istio: istiod + istio.io/rev: {{ .Values.defaultRevision | quote }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +webhooks: + - name: validation.istio.io + clientConfig: + {{- if .Values.base.validationURL }} + url: {{ .Values.base.validationURL }} + {{- else }} + service: + {{- if (eq .Values.defaultRevision "default") }} + name: istiod + {{- else }} + name: istiod-{{ .Values.defaultRevision }} + {{- end }} + namespace: {{ .Values.global.istioNamespace }} + path: "/validate" + {{- end }} + {{- if .Values.base.validationCABundle }} + caBundle: "{{ .Values.base.validationCABundle }}" + {{- end }} + rules: + - operations: + - CREATE + - UPDATE + apiGroups: + - security.istio.io + - networking.istio.io + - telemetry.istio.io + - extensions.istio.io + apiVersions: + - "*" + resources: + - "*" + + {{- if .Values.base.validationCABundle }} + # Disable webhook controller in Pilot to stop patching it + failurePolicy: Fail + {{- else }} + # Fail open until the validation webhook is ready. The webhook controller + # will update this to `Fail` and patch in the `caBundle` when the webhook + # endpoint is ready. + failurePolicy: Ignore + {{- end }} + sideEffects: None + admissionReviewVersions: ["v1"] +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/templates/reader-serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/templates/reader-serviceaccount.yaml new file mode 100644 index 0000000000..ba829a6bfe --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/templates/reader-serviceaccount.yaml @@ -0,0 +1,20 @@ +# This singleton service account aggregates reader permissions for the revisions in a given cluster +# ATM this is a singleton per cluster with Istio installed, and is not revisioned. It maybe should be, +# as otherwise compromising the token for this SA would give you access to *every* installed revision. +# Should be used for remote secret creation. +apiVersion: v1 +kind: ServiceAccount + {{- if .Values.global.imagePullSecrets }} +imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +metadata: + name: istio-reader-service-account + namespace: {{ .Values.global.istioNamespace }} + labels: + app: istio-reader + release: {{ .Release.Name }} + app.kubernetes.io/name: "istio-reader" + {{- include "istio.labels" . | nindent 4 }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/templates/zzz_profile.yaml new file mode 100644 index 0000000000..3d84956485 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/templates/zzz_profile.yaml @@ -0,0 +1,75 @@ +{{/* +WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. +The original version of this file is located at /manifests directory. +If you want to make a change in this file, edit the original one and run "make gen". + +Complex logic ahead... +We have three sets of values, in order of precedence (last wins): +1. The builtin values.yaml defaults +2. The profile the user selects +3. Users input (-f or --set) + +Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). + +However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). +We can then merge the profile onto the defaults, then the user settings onto that. +Finally, we can set all of that under .Values so the chart behaves without awareness. +*/}} +{{- if $.Values.defaults}} +{{ fail (cat + "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" + ($.Values.defaults | toYaml |nindent 4) +) }} +{{- end }} +{{- $defaults := $.Values._internal_defaults_do_not_set }} +{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} +{{- $profile := dict }} +{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} +{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} +{{- $profile = (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown profile" .) }} +{{- end }} +{{- end }} +{{- with .Values.compatibilityVersion }} +{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} +{{- end }} +{{- end }} +{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} +{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown platform" .) }} +{{- end }} +{{- end }} +{{- if $profile }} +{{- $a := mustMergeOverwrite $defaults $profile }} +{{- end }} +# Flatten globals, if defined on a per-chart basis +{{- if false }} +{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} +{{- end }} +{{- $x := set $.Values "_original" (deepCopy $.Values) }} +{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} + +{{/* +Labels that should be applied to ALL resources. +*/}} +{{- define "istio.labels" -}} +{{- if .Release.Service -}} +app.kubernetes.io/managed-by: {{ .Release.Service | quote }} +{{- end }} +{{- if .Release.Name }} +app.kubernetes.io/instance: {{ .Release.Name | quote }} +{{- end }} +app.kubernetes.io/part-of: "istio" +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +{{- if and .Chart.Name .Chart.Version }} +helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/values.yaml new file mode 100644 index 0000000000..d18296f00a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/base/values.yaml @@ -0,0 +1,37 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + global: + + # ImagePullSecrets for control plane ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + + # Used to locate istiod. + istioNamespace: istio-system + base: + # A list of CRDs to exclude. Requires `enableCRDTemplates` to be true. + # Example: `excludedCRDs: ["envoyfilters.networking.istio.io"]`. + # Note: when installing with `istioctl`, `enableIstioConfigCRDs=false` must also be set. + excludedCRDs: [] + # Helm (as of V3) does not support upgrading CRDs, because it is not universally + # safe for them to support this. + # Istio as a project enforces certain backwards-compat guarantees that allow us + # to safely upgrade CRDs in spite of this, so we default to self-managing CRDs + # as standard K8S resources in Helm, and disable Helm's CRD management. See also: + # https://helm.sh/docs/chart_best_practices/custom_resource_definitions/#method-2-separate-charts + enableCRDTemplates: true + + # Validation webhook configuration url + # For example: https://$remotePilotAddress:15017/validate + validationURL: "" + # Validation webhook caBundle value. Useful when running pilot with a well known cert + validationCABundle: "" + + # For istioctl usage to disable istio config crds in base + enableIstioConfigCRDs: true + + defaultRevision: "default" + experimental: + stableValidationPolicy: false diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/Chart.yaml new file mode 100644 index 0000000000..8e4c5f64c7 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +appVersion: 1.26.3 +description: Helm chart for istio-cni components +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio-cni +- istio +name: cni +sources: +- https://github.com/istio/istio +version: 1.26.3 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/README.md new file mode 100644 index 0000000000..a8b78d5bde --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/README.md @@ -0,0 +1,65 @@ +# Istio CNI Helm Chart + +This chart installs the Istio CNI Plugin. See the [CNI installation guide](https://istio.io/latest/docs/setup/additional-setup/cni/) +for more information. + +## Setup Repo Info + +```console +helm repo add istio https://istio-release.storage.googleapis.com/charts +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Installing the Chart + +To install the chart with the release name `istio-cni`: + +```console +helm install istio-cni istio/cni -n kube-system +``` + +Installation in `kube-system` is recommended to ensure the [`system-node-critical`](https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/) +`priorityClassName` can be used. You can install in other namespace only on K8S clusters that allow +'system-node-critical' outside of kube-system. + +## Configuration + +To view support configuration options and documentation, run: + +```console +helm show values istio/istio-cni +``` + +### Profiles + +Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. +These can be set with `--set profile=`. +For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. + +For consistency, the same profiles are used across each chart, even if they do not impact a given chart. + +Explicitly set values have highest priority, then profile settings, then chart defaults. + +As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. +When configuring the chart, you should not include this. +That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. + +### Ambient + +To enable ambient, you can use the ambient profile: `--set profile=ambient`. + +#### Calico + +For Calico, you must also modify the settings to allow source spoofing: + +- if deployed by operator, `kubectl patch felixconfigurations default --type='json' -p='[{"op": "add", "path": "/spec/workloadSourceSpoofing", "value": "Any"}]'` +- if deployed by manifest, add env `FELIX_WORKLOADSOURCESPOOFING` with value `Any` in `spec.template.spec.containers.env` for daemonset `calico-node`. (This will allow PODs with specified annotation to skip the rpf check. ) + +### GKE notes + +On GKE, 'kube-system' is required. + +If using `helm template`, `--set cni.cniBinDir=/home/kubernetes/bin` is required - with `helm install` +it is auto-detected. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-ambient.yaml new file mode 100644 index 0000000000..2805fe46bf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-ambient.yaml @@ -0,0 +1,17 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-compatibility-version-1.23.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-compatibility-version-1.23.yaml new file mode 100644 index 0000000000..dac910ff5b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-compatibility-version-1.23.yaml @@ -0,0 +1,25 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + ENABLE_INBOUND_RETRY_POLICY: "false" + EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" + +ambient: + # Not present in <1.24, defaults to `true` in 1.25+ + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 0000000000..b211c82666 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-compatibility-version-1.24.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + PILOT_ENABLE_IP_AUTOALLOCATE: "false" +ambient: + dnsCapture: false + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..eb8827cd50 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-demo.yaml new file mode 100644 index 0000000000..d6dc36dd0f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-demo.yaml @@ -0,0 +1,94 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The demo profile enables a variety of things to try out Istio in non-production environments. +# * Lower resource utilization. +# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. +# * More ports enabled on the ingress, which is used in some tasks. +meshConfig: + accessLogFile: /dev/stdout + extensionProviders: + - name: otel + envoyOtelAls: + service: opentelemetry-collector.observability.svc.cluster.local + port: 4317 + - name: skywalking + skywalking: + service: tracing.istio-system.svc.cluster.local + port: 11800 + - name: otel-tracing + opentelemetry: + port: 4317 + service: opentelemetry-collector.observability.svc.cluster.local + - name: jaeger + opentelemetry: + port: 4317 + service: jaeger-collector.istio-system.svc.cluster.local + +cni: + resources: + requests: + cpu: 10m + memory: 40Mi + +ztunnel: + resources: + requests: + cpu: 10m + memory: 40Mi + +global: + proxy: + resources: + requests: + cpu: 10m + memory: 40Mi + waypoint: + resources: + requests: + cpu: 10m + memory: 40Mi + +pilot: + autoscaleEnabled: false + traceSampling: 100 + resources: + requests: + cpu: 10m + memory: 100Mi + +gateways: + istio-egressgateway: + autoscaleEnabled: false + resources: + requests: + cpu: 10m + memory: 40Mi + istio-ingressgateway: + autoscaleEnabled: false + ports: + ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. + # Note that AWS ELB will by default perform health checks on the first port + # on this list. Setting this to the health check port will ensure that health + # checks always work. https://github.com/istio/istio/issues/12503 + - port: 15021 + targetPort: 15021 + name: status-port + - port: 80 + targetPort: 8080 + name: http2 + - port: 443 + targetPort: 8443 + name: https + - port: 31400 + targetPort: 31400 + name: tcp + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + resources: + requests: + cpu: 10m + memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-platform-gke.yaml new file mode 100644 index 0000000000..dfe8a7d741 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-platform-gke.yaml @@ -0,0 +1,10 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work + resourceQuotas: + enabled: true +resourceQuotas: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-platform-k3d.yaml new file mode 100644 index 0000000000..cd86d9ec58 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-platform-k3d.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-platform-k3s.yaml new file mode 100644 index 0000000000..07820106d9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-platform-k3s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-platform-microk8s.yaml new file mode 100644 index 0000000000..57d7f5e3cd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-platform-microk8s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/snap/microk8s/current/args/cni-network + cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-platform-minikube.yaml new file mode 100644 index 0000000000..fa9992e204 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-platform-minikube.yaml @@ -0,0 +1,6 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-platform-openshift.yaml new file mode 100644 index 0000000000..8ddc5e1654 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-platform-openshift.yaml @@ -0,0 +1,19 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The OpenShift profile provides a basic set of settings to run Istio on OpenShift +cni: + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + provider: "multus" +pilot: + cni: + enabled: true + provider: "multus" +seLinuxOptions: + type: spc_t +# Openshift requires privileged pods to run in kube-system +trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-preview.yaml new file mode 100644 index 0000000000..181d7bda2c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-preview.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +meshConfig: + defaultConfig: + proxyMetadata: + # Enable Istio agent to handle DNS requests for known hosts + # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf + ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-remote.yaml new file mode 100644 index 0000000000..d17b9a801a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-remote.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. +istiodRemote: + enabled: true +configMap: false +telemetry: + enabled: false +global: + # TODO BML maybe a different profile for a configcluster/revisit this + omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-stable.yaml new file mode 100644 index 0000000000..358282e69b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/files/profile-stable.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The stable profile deploys admission control to ensure that only stable resources and fields are used +# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE +experimental: + stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/templates/NOTES.txt new file mode 100644 index 0000000000..fb35525b99 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/templates/NOTES.txt @@ -0,0 +1,5 @@ +"{{ .Release.Name }}" successfully installed! + +To learn more about the release, try: + $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} + $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/templates/_helpers.tpl new file mode 100644 index 0000000000..73cc17b2f6 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/templates/_helpers.tpl @@ -0,0 +1,8 @@ +{{- define "name" -}} + istio-cni +{{- end }} + + +{{- define "istio-tag" -}} + {{ .Values.tag | default .Values.global.tag }}{{with (.Values.variant | default .Values.global.variant)}}-{{.}}{{end}} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/templates/clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/templates/clusterrole.yaml new file mode 100644 index 0000000000..1779e0bb1d --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/templates/clusterrole.yaml @@ -0,0 +1,81 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "name" . }} + labels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +rules: +- apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: ["privileged"] + verbs: ["use"] +- apiGroups: [""] + resources: ["pods","nodes","namespaces"] + verbs: ["get", "list", "watch"] +{{- if (eq ((coalesce .Values.platform .Values.global.platform) | default "") "openshift") }} +- apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: ["privileged"] + verbs: ["use"] +{{- end }} +--- +{{- if .Values.repair.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "name" . }}-repair-role + labels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] + - apiGroups: [""] + resources: ["pods"] + verbs: ["watch", "get", "list"] +{{- if .Values.repair.repairPods }} +{{- /* No privileges needed*/}} +{{- else if .Values.repair.deletePods }} + - apiGroups: [""] + resources: ["pods"] + verbs: ["delete"] +{{- else if .Values.repair.labelPods }} + - apiGroups: [""] + {{- /* pods/status is less privileged than the full pod, and either can label. So use the lower pods/status */}} + resources: ["pods/status"] + verbs: ["patch", "update"] +{{- end }} +{{- end }} +--- +{{- if .Values.ambient.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "name" . }}-ambient + labels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +rules: +- apiGroups: [""] + {{- /* pods/status is less privileged than the full pod, and either can label. So use the lower pods/status */}} + resources: ["pods/status"] + verbs: ["patch", "update"] +- apiGroups: ["apps"] + resources: ["daemonsets"] + resourceNames: ["{{ template "name" . }}-node"] + verbs: ["get"] +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/templates/clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..42fedab1fc --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/templates/clusterrolebinding.yaml @@ -0,0 +1,63 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "name" . }} + labels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "name" . }} +subjects: +- kind: ServiceAccount + name: {{ template "name" . }} + namespace: {{ .Release.Namespace }} +--- +{{- if .Values.repair.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "name" . }}-repair-rolebinding + labels: + k8s-app: {{ template "name" . }}-repair + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +subjects: +- kind: ServiceAccount + name: {{ template "name" . }} + namespace: {{ .Release.Namespace}} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "name" . }}-repair-role +{{- end }} +--- +{{- if .Values.ambient.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "name" . }}-ambient + labels: + k8s-app: {{ template "name" . }}-repair + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ template "name" . }} + namespace: {{ .Release.Namespace}} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "name" . }}-ambient +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/templates/configmap-cni.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/templates/configmap-cni.yaml new file mode 100644 index 0000000000..3deb2cb5ad --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/templates/configmap-cni.yaml @@ -0,0 +1,35 @@ +kind: ConfigMap +apiVersion: v1 +metadata: + name: {{ template "name" . }}-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +data: + CURRENT_AGENT_VERSION: {{ .Values.tag | default .Values.global.tag | quote }} + AMBIENT_ENABLED: {{ .Values.ambient.enabled | quote }} + AMBIENT_DNS_CAPTURE: {{ .Values.ambient.dnsCapture | quote }} + AMBIENT_IPV6: {{ .Values.ambient.ipv6 | quote }} + AMBIENT_RECONCILE_POD_RULES_ON_STARTUP: {{ .Values.ambient.reconcileIptablesOnStartup | quote }} + {{- if .Values.cniConfFileName }} # K8S < 1.24 doesn't like empty values + CNI_CONF_NAME: {{ .Values.cniConfFileName }} # Name of the CNI config file to create. Only override if you know the exact path your CNI requires.. + {{- end }} + CHAINED_CNI_PLUGIN: {{ .Values.chained | quote }} + EXCLUDE_NAMESPACES: "{{ range $idx, $ns := .Values.excludeNamespaces }}{{ if $idx }},{{ end }}{{ $ns }}{{ end }}" + REPAIR_ENABLED: {{ .Values.repair.enabled | quote }} + REPAIR_LABEL_PODS: {{ .Values.repair.labelPods | quote }} + REPAIR_DELETE_PODS: {{ .Values.repair.deletePods | quote }} + REPAIR_REPAIR_PODS: {{ .Values.repair.repairPods | quote }} + REPAIR_INIT_CONTAINER_NAME: {{ .Values.repair.initContainerName | quote }} + REPAIR_BROKEN_POD_LABEL_KEY: {{ .Values.repair.brokenPodLabelKey | quote }} + REPAIR_BROKEN_POD_LABEL_VALUE: {{ .Values.repair.brokenPodLabelValue | quote }} + {{- with .Values.env }} + {{- range $key, $val := . }} + {{ $key }}: "{{ $val }}" + {{- end }} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/templates/daemonset.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/templates/daemonset.yaml new file mode 100644 index 0000000000..cdccd36542 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/templates/daemonset.yaml @@ -0,0 +1,245 @@ +# This manifest installs the Istio install-cni container, as well +# as the Istio CNI plugin and config on +# each master and worker node in a Kubernetes cluster. +# +# $detectedBinDir exists to support a GKE-specific platform override, +# and is deprecated in favor of using the explicit `gke` platform profile. +{{- $detectedBinDir := (.Capabilities.KubeVersion.GitVersion | contains "-gke") | ternary + "/home/kubernetes/bin" + "/opt/cni/bin" +}} +{{- if .Values.cniBinDir }} +{{ $detectedBinDir = .Values.cniBinDir }} +{{- end }} +kind: DaemonSet +apiVersion: apps/v1 +metadata: + # Note that this is templated but evaluates to a fixed name + # which the CNI plugin may fall back onto in some failsafe scenarios. + # if this name is changed, CNI plugin logic that checks for this name + # format should also be updated. + name: {{ template "name" . }}-node + namespace: {{ .Release.Namespace }} + labels: + k8s-app: {{ template "name" . }}-node + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +spec: + selector: + matchLabels: + k8s-app: {{ template "name" . }}-node + {{- with .Values.updateStrategy }} + updateStrategy: + {{- toYaml . | nindent 4 }} + {{- end }} + template: + metadata: + labels: + k8s-app: {{ template "name" . }}-node + sidecar.istio.io/inject: "false" + istio.io/dataplane-mode: none + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 8 }} + annotations: + sidecar.istio.io/inject: "false" + # Add Prometheus Scrape annotations + prometheus.io/scrape: 'true' + prometheus.io/port: "15014" + prometheus.io/path: '/metrics' + # Add AppArmor annotation + # This is required to avoid conflicts with AppArmor profiles which block certain + # privileged pod capabilities. + # Required for Kubernetes 1.29 which does not support setting appArmorProfile in the + # securityContext which is otherwise preferred. + container.apparmor.security.beta.kubernetes.io/install-cni: unconfined + # Custom annotations + {{- if .Values.podAnnotations }} +{{ toYaml .Values.podAnnotations | indent 8 }} + {{- end }} + spec: +{{- if and .Values.ambient.enabled .Values.ambient.shareHostNetworkNamespace }} + hostNetwork: true + dnsPolicy: ClusterFirstWithHostNet +{{- end }} + nodeSelector: + kubernetes.io/os: linux + # Can be configured to allow for excluding istio-cni from being scheduled on specified nodes + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + tolerations: + # Make sure istio-cni-node gets scheduled on all nodes. + - effect: NoSchedule + operator: Exists + # Mark the pod as a critical add-on for rescheduling. + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists + priorityClassName: system-node-critical + serviceAccountName: {{ template "name" . }} + # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force + # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods. + terminationGracePeriodSeconds: 5 + containers: + # This container installs the Istio CNI binaries + # and CNI network config file on each node. + - name: install-cni +{{- if contains "/" .Values.image }} + image: "{{ .Values.image }}" +{{- else }} + image: "{{ .Values.hub | default .Values.global.hub }}/{{ .Values.image | default "install-cni" }}:{{ template "istio-tag" . }}" +{{- end }} +{{- if or .Values.pullPolicy .Values.global.imagePullPolicy }} + imagePullPolicy: {{ .Values.pullPolicy | default .Values.global.imagePullPolicy }} +{{- end }} + ports: + - containerPort: 15014 + name: metrics + protocol: TCP + readinessProbe: + httpGet: + path: /readyz + port: 8000 + securityContext: + privileged: false + runAsGroup: 0 + runAsUser: 0 + runAsNonRoot: false + # Both ambient and sidecar repair mode require elevated node privileges to function. + # But we don't need _everything_ in `privileged`, so explicitly set it to false and + # add capabilities based on feature. + capabilities: + drop: + - ALL + add: + # CAP_NET_ADMIN is required to allow ipset and route table access + - NET_ADMIN + # CAP_NET_RAW is required to allow iptables mutation of the `nat` table + - NET_RAW + # CAP_SYS_PTRACE is required for repair and ambient mode to describe + # the pod's network namespace. + - SYS_PTRACE + # CAP_SYS_ADMIN is required for both ambient and repair, in order to open + # network namespaces in `/proc` to obtain descriptors for entering pod network + # namespaces. There does not appear to be a more granular capability for this. + - SYS_ADMIN + # While we run as a 'root' (UID/GID 0), since we drop all capabilities we lose + # the typical ability to read/write to folders owned by others. + # This can cause problems if the hostPath mounts we use, which we require write access into, + # are owned by non-root. DAC_OVERRIDE bypasses these and gives us write access into any folder. + - DAC_OVERRIDE +{{- if .Values.seLinuxOptions }} +{{ with (merge .Values.seLinuxOptions (dict "type" "spc_t")) }} + seLinuxOptions: +{{ toYaml . | trim | indent 14 }} +{{- end }} +{{- end }} +{{- if .Values.seccompProfile }} + seccompProfile: +{{ toYaml .Values.seccompProfile | trim | indent 14 }} +{{- end }} + command: ["install-cni"] + args: + {{- if or .Values.logging.level .Values.global.logging.level }} + - --log_output_level={{ coalesce .Values.logging.level .Values.global.logging.level }} + {{- end}} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end}} + envFrom: + - configMapRef: + name: {{ template "name" . }}-config + env: + - name: REPAIR_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: REPAIR_RUN_AS_DAEMON + value: "true" + - name: REPAIR_SIDECAR_ANNOTATION + value: "sidecar.istio.io/status" + {{- if not (and .Values.ambient.enabled .Values.ambient.shareHostNetworkNamespace) }} + - name: ALLOW_SWITCH_TO_HOST_NS + value: "true" + {{- end }} + - name: NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + volumeMounts: + - mountPath: /host/opt/cni/bin + name: cni-bin-dir + {{- if or .Values.repair.repairPods .Values.ambient.enabled }} + - mountPath: /host/proc + name: cni-host-procfs + readOnly: true + {{- end }} + - mountPath: /host/etc/cni/net.d + name: cni-net-dir + - mountPath: /var/run/istio-cni + name: cni-socket-dir + {{- if .Values.ambient.enabled }} + - mountPath: /host/var/run/netns + mountPropagation: HostToContainer + name: cni-netns-dir + - mountPath: /var/run/ztunnel + name: cni-ztunnel-sock-dir + {{ end }} + resources: +{{- if .Values.resources }} +{{ toYaml .Values.resources | trim | indent 12 }} +{{- else }} +{{ toYaml .Values.global.defaultResources | trim | indent 12 }} +{{- end }} + volumes: + # Used to install CNI. + - name: cni-bin-dir + hostPath: + path: {{ $detectedBinDir }} + {{- if or .Values.repair.repairPods .Values.ambient.enabled }} + - name: cni-host-procfs + hostPath: + path: /proc + type: Directory + {{- end }} + {{- if .Values.ambient.enabled }} + - name: cni-ztunnel-sock-dir + hostPath: + path: /var/run/ztunnel + type: DirectoryOrCreate + {{- end }} + - name: cni-net-dir + hostPath: + path: {{ .Values.cniConfDir }} + # Used for UDS sockets for logging, ambient eventing + - name: cni-socket-dir + hostPath: + path: /var/run/istio-cni + - name: cni-netns-dir + hostPath: + path: {{ .Values.cniNetnsDir }} + type: DirectoryOrCreate # DirectoryOrCreate instead of Directory for the following reason - CNI may not bind mount this until a non-hostnetwork pod is scheduled on the node, + # and we don't want to block CNI agent pod creation on waiting for the first non-hostnetwork pod. + # Once the CNI does mount this, it will get populated and we're good. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/templates/network-attachment-definition.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/templates/network-attachment-definition.yaml new file mode 100644 index 0000000000..86a2eb7c0b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/templates/network-attachment-definition.yaml @@ -0,0 +1,11 @@ +{{- if eq .Values.provider "multus" }} +apiVersion: k8s.cni.cncf.io/v1 +kind: NetworkAttachmentDefinition +metadata: + name: {{ template "name" . }} + namespace: default + labels: + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/templates/networkpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/templates/networkpolicy.yaml new file mode 100644 index 0000000000..a30df776db --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/templates/networkpolicy.yaml @@ -0,0 +1,36 @@ +{{- if (.Values.global.networkPolicy).enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ template "name" . }}{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + k8s-app: {{ template "name" . }}-node + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + k8s-app: {{ template "name" . }}-node + policyTypes: + - Ingress + - Egress + ingress: + # Metrics endpoint for monitoring/prometheus + - from: [] + ports: + - protocol: TCP + port: 15014 + # Readiness probe endpoint + - from: [] + ports: + - protocol: TCP + port: 8000 + egress: + # Allow DNS resolution and access to Kubernetes API server. + # IP/Port of the API server is heavily dependant on k8s distribution, so we allow all egress for now. + - {} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/templates/resourcequota.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/templates/resourcequota.yaml new file mode 100644 index 0000000000..9a6d61ff91 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/templates/resourcequota.yaml @@ -0,0 +1,19 @@ +{{- if .Values.resourceQuotas.enabled }} +apiVersion: v1 +kind: ResourceQuota +metadata: + name: {{ template "name" . }}-resource-quota + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +spec: + hard: + pods: {{ .Values.resourceQuotas.pods | quote }} + scopeSelector: + matchExpressions: + - operator: In + scopeName: PriorityClass + values: + - system-node-critical +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/templates/serviceaccount.yaml new file mode 100644 index 0000000000..3193d7b74a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/templates/serviceaccount.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: ServiceAccount +{{- if .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range .Values.global.imagePullSecrets }} + - name: {{ . }} +{{- end }} +{{- end }} +metadata: + name: {{ template "name" . }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/templates/zzy_descope_legacy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/templates/zzy_descope_legacy.yaml new file mode 100644 index 0000000000..a9584ac29f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/templates/zzy_descope_legacy.yaml @@ -0,0 +1,3 @@ +{{/* Copy anything under `.cni` to `.`, to avoid the need to specify a redundant prefix. +Due to the file naming, this always happens after zzz_profile.yaml */}} +{{- $_ := mustMergeOverwrite $.Values (index $.Values "cni") }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/templates/zzz_profile.yaml new file mode 100644 index 0000000000..3d84956485 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/templates/zzz_profile.yaml @@ -0,0 +1,75 @@ +{{/* +WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. +The original version of this file is located at /manifests directory. +If you want to make a change in this file, edit the original one and run "make gen". + +Complex logic ahead... +We have three sets of values, in order of precedence (last wins): +1. The builtin values.yaml defaults +2. The profile the user selects +3. Users input (-f or --set) + +Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). + +However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). +We can then merge the profile onto the defaults, then the user settings onto that. +Finally, we can set all of that under .Values so the chart behaves without awareness. +*/}} +{{- if $.Values.defaults}} +{{ fail (cat + "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" + ($.Values.defaults | toYaml |nindent 4) +) }} +{{- end }} +{{- $defaults := $.Values._internal_defaults_do_not_set }} +{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} +{{- $profile := dict }} +{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} +{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} +{{- $profile = (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown profile" .) }} +{{- end }} +{{- end }} +{{- with .Values.compatibilityVersion }} +{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} +{{- end }} +{{- end }} +{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} +{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown platform" .) }} +{{- end }} +{{- end }} +{{- if $profile }} +{{- $a := mustMergeOverwrite $defaults $profile }} +{{- end }} +# Flatten globals, if defined on a per-chart basis +{{- if false }} +{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} +{{- end }} +{{- $x := set $.Values "_original" (deepCopy $.Values) }} +{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} + +{{/* +Labels that should be applied to ALL resources. +*/}} +{{- define "istio.labels" -}} +{{- if .Release.Service -}} +app.kubernetes.io/managed-by: {{ .Release.Service | quote }} +{{- end }} +{{- if .Release.Name }} +app.kubernetes.io/instance: {{ .Release.Name | quote }} +{{- end }} +app.kubernetes.io/part-of: "istio" +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +{{- if and .Chart.Name .Chart.Version }} +helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/values.yaml new file mode 100644 index 0000000000..e7a4d48627 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/cni/values.yaml @@ -0,0 +1,156 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + hub: "" + tag: "" + variant: "" + image: install-cni + pullPolicy: "" + + # Same as `global.logging.level`, but will override it if set + logging: + level: "" + + # Configuration file to insert istio-cni plugin configuration + # by default this will be the first file found in the cni-conf-dir + # Example + # cniConfFileName: 10-calico.conflist + + # CNI-and-platform specific path defaults. + # These may need to be set to platform-specific values, consult + # overrides for your platform in `manifests/helm-profiles/platform-*.yaml` + cniBinDir: /opt/cni/bin + cniConfDir: /etc/cni/net.d + cniConfFileName: "" + cniNetnsDir: "/var/run/netns" + + excludeNamespaces: + - kube-system + + # Allows user to set custom affinity for the DaemonSet + affinity: {} + + # Custom annotations on pod level, if you need them + podAnnotations: {} + + # Deploy the config files as plugin chain (value "true") or as standalone files in the conf dir (value "false")? + # Some k8s flavors (e.g. OpenShift) do not support the chain approach, set to false if this is the case + chained: true + + # Custom configuration happens based on the CNI provider. + # Possible values: "default", "multus" + provider: "default" + + # Configure ambient settings + ambient: + # If enabled, ambient redirection will be enabled + enabled: false + # Set ambient config dir path: defaults to /etc/ambient-config + configDir: "" + # If enabled, and ambient is enabled, DNS redirection will be enabled + dnsCapture: true + # If enabled, and ambient is enabled, enables ipv6 support + ipv6: true + # If enabled, and ambient is enabled, the CNI agent will reconcile incompatible iptables rules and chains at startup. + # This will eventually be enabled by default + reconcileIptablesOnStartup: false + # If enabled, and ambient is enabled, the CNI agent will always share the network namespace of the host node it is running on + shareHostNetworkNamespace: false + + + repair: + enabled: true + hub: "" + tag: "" + + # Repair controller has 3 modes. Pick which one meets your use cases. Note only one may be used. + # This defines the action the controller will take when a pod is detected as broken. + + # labelPods will label all pods with =. + # This is only capable of identifying broken pods; the user is responsible for fixing them (generally, by deleting them). + # Note this gives the DaemonSet a relatively high privilege, as modifying pod metadata/status can have wider impacts. + labelPods: false + # deletePods will delete any broken pod. These will then be rescheduled, hopefully onto a node that is fully ready. + # Note this gives the DaemonSet a relatively high privilege, as it can delete any Pod. + deletePods: false + # repairPods will dynamically repair any broken pod by setting up the pod networking configuration even after it has started. + # Note the pod will be crashlooping, so this may take a few minutes to become fully functional based on when the retry occurs. + # This requires no RBAC privilege, but does require `securityContext.privileged/CAP_SYS_ADMIN`. + repairPods: true + + initContainerName: "istio-validation" + + brokenPodLabelKey: "cni.istio.io/uninitialized" + brokenPodLabelValue: "true" + + # Set to `type: RuntimeDefault` to use the default profile if available. + seccompProfile: {} + + # SELinux options to set in the istio-cni-node pods. You may need to set this to `type: spc_t` for some platforms. + seLinuxOptions: {} + + resources: + requests: + cpu: 100m + memory: 100Mi + + resourceQuotas: + enabled: false + pods: 5000 + + # K8s DaemonSet update strategy. + # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec). + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 + + # Revision is set as 'version' label and part of the resource names when installing multiple control planes. + revision: "" + + # For Helm compatibility. + ownerName: "" + + global: + # Default hub for Istio images. + # Releases are published to docker hub under 'istio' project. + # Dev builds from prow are on gcr.io + hub: gcr.io/istio-release + + # Default tag for Istio images. + tag: 1.26.3 + + # Variant of the image to use. + # Currently supported are: [debug, distroless] + variant: "" + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent. + imagePullPolicy: "" + + # change cni scope level to control logging out of istio-cni-node DaemonSet + logging: + level: info + + logAsJson: false + + # When enabled, default NetworkPolicy resources will be created + networkPolicy: + enabled: false + + # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) + # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + # - private-registry-key + + # Default resources allocated + defaultResources: + requests: + cpu: 100m + memory: 100Mi + + # A `key: value` mapping of environment variables to add to the pod + env: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/Chart.yaml new file mode 100644 index 0000000000..688bcd659d --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/Chart.yaml @@ -0,0 +1,12 @@ +apiVersion: v2 +appVersion: 1.26.3 +description: Helm chart for deploying Istio gateways +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio +- gateways +name: gateway +sources: +- https://github.com/istio/istio +type: application +version: 1.26.3 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/README.md new file mode 100644 index 0000000000..5c064d165b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/README.md @@ -0,0 +1,170 @@ +# Istio Gateway Helm Chart + +This chart installs an Istio gateway deployment. + +## Setup Repo Info + +```console +helm repo add istio https://istio-release.storage.googleapis.com/charts +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Installing the Chart + +To install the chart with the release name `istio-ingressgateway`: + +```console +helm install istio-ingressgateway istio/gateway +``` + +## Uninstalling the Chart + +To uninstall/delete the `istio-ingressgateway` deployment: + +```console +helm delete istio-ingressgateway +``` + +## Configuration + +To view support configuration options and documentation, run: + +```console +helm show values istio/gateway +``` + +### Profiles + +Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. +These can be set with `--set profile=`. +For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. + +For consistency, the same profiles are used across each chart, even if they do not impact a given chart. + +Explicitly set values have highest priority, then profile settings, then chart defaults. + +As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. +When configuring the chart, you should not include this. +That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. + +### OpenShift + +When deploying the gateway in an OpenShift cluster, use the `openshift` profile to override the default values, for example: + +```console +helm install istio-ingressgateway istio/gateway --set profile=openshift +``` + +### `image: auto` Information + +The image used by the chart, `auto`, may be unintuitive. +This exists because the pod spec will be automatically populated at runtime, using the same mechanism as [Sidecar Injection](istio.io/latest/docs/setup/additional-setup/sidecar-injection). +This allows the same configurations and lifecycle to apply to gateways as sidecars. + +Note: this does mean that the namespace the gateway is deployed in must not have the `istio-injection=disabled` label. +See [Controlling the injection policy](https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#controlling-the-injection-policy) for more info. + +### Examples + +#### Egress Gateway + +Deploying a Gateway to be used as an [Egress Gateway](https://istio.io/latest/docs/tasks/traffic-management/egress/egress-gateway/): + +```yaml +service: + # Egress gateways do not need an external LoadBalancer IP + type: ClusterIP +``` + +#### Multi-network/VM Gateway + +Deploying a Gateway to be used as a [Multi-network Gateway](https://istio.io/latest/docs/setup/install/multicluster/) for network `network-1`: + +```yaml +networkGateway: network-1 +``` + +### Migrating from other installation methods + +Installations from other installation methods (such as istioctl, Istio Operator, other helm charts, etc) can be migrated to use the new Helm charts +following the guidance below. +If you are able to, a clean installation is simpler. However, this often requires an external IP migration which can be challenging. + +WARNING: when installing over an existing deployment, the two deployments will be merged together by Helm, which may lead to unexpected results. + +#### Legacy Gateway Helm charts + +Istio historically offered two different charts - `manifests/charts/gateways/istio-ingress` and `manifests/charts/gateways/istio-egress`. +These are replaced by this chart. +While not required, it is recommended all new users use this chart, and existing users migrate when possible. + +This chart has the following benefits and differences: +* Designed with Helm best practices in mind (standardized values options, values schema, values are not all nested under `gateways.istio-ingressgateway.*`, release name and namespace taken into account, etc). +* Utilizes Gateway injection, simplifying upgrades, allowing gateways to run in any namespace, and avoiding repeating config for sidecars and gateways. +* Published to official Istio Helm repository. +* Single chart for all gateways (Ingress, Egress, East West). + +#### General concerns + +For a smooth migration, the resource names and `Deployment.spec.selector` labels must match. + +If you install with `helm install istio-gateway istio/gateway`, resources will be named `istio-gateway` and the `selector` labels set to: + +```yaml +app: istio-gateway +istio: gateway # the release name with leading istio- prefix stripped +``` + +If your existing installation doesn't follow these names, you can override them. For example, if you have resources named `my-custom-gateway` with `selector` labels +`foo=bar,istio=ingressgateway`: + +```yaml +name: my-custom-gateway # Override the name to match existing resources +labels: + app: "" # Unset default app selector label + istio: ingressgateway # override default istio selector label + foo: bar # Add the existing custom selector label +``` + +#### Migrating an existing Helm release + +An existing helm release can be `helm upgrade`d to this chart by using the same release name. For example, if a previous +installation was done like: + +```console +helm install istio-ingress manifests/charts/gateways/istio-ingress -n istio-system +``` + +It could be upgraded with + +```console +helm upgrade istio-ingress manifests/charts/gateway -n istio-system --set name=istio-ingressgateway --set labels.app=istio-ingressgateway --set labels.istio=ingressgateway +``` + +Note the name and labels are overridden to match the names of the existing installation. + +Warning: the helm charts here default to using port 80 and 443, while the old charts used 8080 and 8443. +If you have AuthorizationPolicies that reference port these ports, you should update them during this process, +or customize the ports to match the old defaults. +See the [security advisory](https://istio.io/latest/news/security/istio-security-2021-002/) for more information. + +#### Other migrations + +If you see errors like `rendered manifests contain a resource that already exists` during installation, you may need to forcibly take ownership. + +The script below can handle this for you. Replace `RELEASE` and `NAMESPACE` with the name and namespace of the release: + +```console +KINDS=(service deployment) +RELEASE=istio-ingressgateway +NAMESPACE=istio-system +for KIND in "${KINDS[@]}"; do + kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-name=$RELEASE + kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-namespace=$NAMESPACE + kubectl --namespace $NAMESPACE --overwrite=true label $KIND $RELEASE app.kubernetes.io/managed-by=Helm +done +``` + +You may ignore errors about resources not being found. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/files/profile-ambient.yaml new file mode 100644 index 0000000000..2805fe46bf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/files/profile-ambient.yaml @@ -0,0 +1,17 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/files/profile-compatibility-version-1.23.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/files/profile-compatibility-version-1.23.yaml new file mode 100644 index 0000000000..dac910ff5b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/files/profile-compatibility-version-1.23.yaml @@ -0,0 +1,25 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + ENABLE_INBOUND_RETRY_POLICY: "false" + EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" + +ambient: + # Not present in <1.24, defaults to `true` in 1.25+ + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 0000000000..b211c82666 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/files/profile-compatibility-version-1.24.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + PILOT_ENABLE_IP_AUTOALLOCATE: "false" +ambient: + dnsCapture: false + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..eb8827cd50 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/files/profile-demo.yaml new file mode 100644 index 0000000000..d6dc36dd0f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/files/profile-demo.yaml @@ -0,0 +1,94 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The demo profile enables a variety of things to try out Istio in non-production environments. +# * Lower resource utilization. +# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. +# * More ports enabled on the ingress, which is used in some tasks. +meshConfig: + accessLogFile: /dev/stdout + extensionProviders: + - name: otel + envoyOtelAls: + service: opentelemetry-collector.observability.svc.cluster.local + port: 4317 + - name: skywalking + skywalking: + service: tracing.istio-system.svc.cluster.local + port: 11800 + - name: otel-tracing + opentelemetry: + port: 4317 + service: opentelemetry-collector.observability.svc.cluster.local + - name: jaeger + opentelemetry: + port: 4317 + service: jaeger-collector.istio-system.svc.cluster.local + +cni: + resources: + requests: + cpu: 10m + memory: 40Mi + +ztunnel: + resources: + requests: + cpu: 10m + memory: 40Mi + +global: + proxy: + resources: + requests: + cpu: 10m + memory: 40Mi + waypoint: + resources: + requests: + cpu: 10m + memory: 40Mi + +pilot: + autoscaleEnabled: false + traceSampling: 100 + resources: + requests: + cpu: 10m + memory: 100Mi + +gateways: + istio-egressgateway: + autoscaleEnabled: false + resources: + requests: + cpu: 10m + memory: 40Mi + istio-ingressgateway: + autoscaleEnabled: false + ports: + ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. + # Note that AWS ELB will by default perform health checks on the first port + # on this list. Setting this to the health check port will ensure that health + # checks always work. https://github.com/istio/istio/issues/12503 + - port: 15021 + targetPort: 15021 + name: status-port + - port: 80 + targetPort: 8080 + name: http2 + - port: 443 + targetPort: 8443 + name: https + - port: 31400 + targetPort: 31400 + name: tcp + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + resources: + requests: + cpu: 10m + memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/files/profile-platform-gke.yaml new file mode 100644 index 0000000000..dfe8a7d741 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/files/profile-platform-gke.yaml @@ -0,0 +1,10 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work + resourceQuotas: + enabled: true +resourceQuotas: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/files/profile-platform-k3d.yaml new file mode 100644 index 0000000000..cd86d9ec58 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/files/profile-platform-k3d.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/files/profile-platform-k3s.yaml new file mode 100644 index 0000000000..07820106d9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/files/profile-platform-k3s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/files/profile-platform-microk8s.yaml new file mode 100644 index 0000000000..57d7f5e3cd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/files/profile-platform-microk8s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/snap/microk8s/current/args/cni-network + cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/files/profile-platform-minikube.yaml new file mode 100644 index 0000000000..fa9992e204 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/files/profile-platform-minikube.yaml @@ -0,0 +1,6 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/files/profile-platform-openshift.yaml new file mode 100644 index 0000000000..8ddc5e1654 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/files/profile-platform-openshift.yaml @@ -0,0 +1,19 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The OpenShift profile provides a basic set of settings to run Istio on OpenShift +cni: + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + provider: "multus" +pilot: + cni: + enabled: true + provider: "multus" +seLinuxOptions: + type: spc_t +# Openshift requires privileged pods to run in kube-system +trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/files/profile-preview.yaml new file mode 100644 index 0000000000..181d7bda2c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/files/profile-preview.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +meshConfig: + defaultConfig: + proxyMetadata: + # Enable Istio agent to handle DNS requests for known hosts + # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf + ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/files/profile-remote.yaml new file mode 100644 index 0000000000..d17b9a801a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/files/profile-remote.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. +istiodRemote: + enabled: true +configMap: false +telemetry: + enabled: false +global: + # TODO BML maybe a different profile for a configcluster/revisit this + omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/files/profile-stable.yaml new file mode 100644 index 0000000000..358282e69b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/files/profile-stable.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The stable profile deploys admission control to ensure that only stable resources and fields are used +# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE +experimental: + stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/templates/NOTES.txt new file mode 100644 index 0000000000..fd0142911a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/templates/NOTES.txt @@ -0,0 +1,9 @@ +"{{ include "gateway.name" . }}" successfully installed! + +To learn more about the release, try: + $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} + $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} + +Next steps: + * Deploy an HTTP Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/ingress-control/ + * Deploy an HTTPS Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/ diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/templates/_helpers.tpl new file mode 100644 index 0000000000..e5a0a9b3c2 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/templates/_helpers.tpl @@ -0,0 +1,40 @@ +{{- define "gateway.name" -}} +{{- if eq .Release.Name "RELEASE-NAME" -}} + {{- .Values.name | default "istio-ingressgateway" -}} +{{- else -}} + {{- .Values.name | default .Release.Name | default "istio-ingressgateway" -}} +{{- end -}} +{{- end }} + +{{- define "gateway.labels" -}} +{{ include "gateway.selectorLabels" . }} +{{- range $key, $val := .Values.labels }} +{{- if and (ne $key "app") (ne $key "istio") }} +{{ $key | quote }}: {{ $val | quote }} +{{- end }} +{{- end }} +{{- end }} + +{{- define "gateway.selectorLabels" -}} +app: {{ (.Values.labels.app | quote) | default (include "gateway.name" .) }} +istio: {{ (.Values.labels.istio | quote) | default (include "gateway.name" . | trimPrefix "istio-") }} +{{- end }} + +{{/* +Keep sidecar injection labels together +https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#controlling-the-injection-policy +*/}} +{{- define "gateway.sidecarInjectionLabels" -}} +sidecar.istio.io/inject: "true" +{{- with .Values.revision }} +istio.io/rev: {{ . | quote }} +{{- end }} +{{- end }} + +{{- define "gateway.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- .Values.serviceAccount.name | default (include "gateway.name" .) }} +{{- else }} +{{- .Values.serviceAccount.name | default "default" }} +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/templates/deployment.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/templates/deployment.yaml new file mode 100644 index 0000000000..d83ff3b493 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/templates/deployment.yaml @@ -0,0 +1,131 @@ +apiVersion: apps/v1 +kind: {{ .Values.kind | default "Deployment" }} +metadata: + name: {{ include "gateway.name" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} + {{- include "gateway.labels" . | nindent 4}} + annotations: + {{- .Values.annotations | toYaml | nindent 4 }} +spec: + {{- if not .Values.autoscaling.enabled }} + {{- if and (hasKey .Values "replicaCount") (ne .Values.replicaCount nil) }} + replicas: {{ .Values.replicaCount }} + {{- end }} + {{- end }} + {{- with .Values.strategy }} + strategy: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.minReadySeconds }} + minReadySeconds: {{ . }} + {{- end }} + selector: + matchLabels: + {{- include "gateway.selectorLabels" . | nindent 6 }} + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "gateway.sidecarInjectionLabels" . | nindent 8 }} + {{- include "gateway.selectorLabels" . | nindent 8 }} + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 8}} + {{- range $key, $val := .Values.labels }} + {{- if and (ne $key "app") (ne $key "istio") }} + {{ $key | quote }}: {{ $val | quote }} + {{- end }} + {{- end }} + {{- with .Values.networkGateway }} + topology.istio.io/network: "{{.}}" + {{- end }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "gateway.serviceAccountName" . }} + securityContext: + {{- if .Values.securityContext }} + {{- toYaml .Values.securityContext | nindent 8 }} + {{- else }} + # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326 + sysctls: + - name: net.ipv4.ip_unprivileged_port_start + value: "0" + {{- end }} + {{- with .Values.volumes }} + volumes: + {{ toYaml . | nindent 8 }} + {{- end }} + containers: + - name: istio-proxy + # "auto" will be populated at runtime by the mutating webhook. See https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#customizing-injection + image: auto + {{- with .Values.imagePullPolicy }} + imagePullPolicy: {{ . }} + {{- end }} + securityContext: + {{- if .Values.containerSecurityContext }} + {{- toYaml .Values.containerSecurityContext | nindent 12 }} + {{- else }} + capabilities: + drop: + - ALL + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + {{- if not (eq (.Values.platform | default "") "openshift") }} + runAsUser: 1337 + runAsGroup: 1337 + {{- end }} + runAsNonRoot: true + {{- end }} + env: + {{- with .Values.networkGateway }} + - name: ISTIO_META_REQUESTED_NETWORK_VIEW + value: "{{.}}" + {{- end }} + {{- range $key, $val := .Values.env }} + - name: {{ $key }} + value: {{ $val | quote }} + {{- end }} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + resources: + {{- toYaml .Values.resources | nindent 12 }} + {{- with .Values.volumeMounts }} + volumeMounts: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.readinessProbe }} + readinessProbe: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml . | nindent 8 }} + {{- end }} + terminationGracePeriodSeconds: {{ $.Values.terminationGracePeriodSeconds }} + {{- with .Values.priorityClassName }} + priorityClassName: {{ . }} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/templates/hpa.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/templates/hpa.yaml new file mode 100644 index 0000000000..64ecb6a4cd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/templates/hpa.yaml @@ -0,0 +1,40 @@ +{{- if and (.Values.autoscaling.enabled) (eq .Values.kind "Deployment") }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "gateway.name" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} + {{- include "gateway.labels" . | nindent 4 }} + annotations: + {{- .Values.annotations | toYaml | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: {{ .Values.kind | default "Deployment" }} + name: {{ include "gateway.name" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + metrics: + {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} + type: Utilization + {{- end }} + {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} + type: Utilization + {{- end }} + {{- if .Values.autoscaling.autoscaleBehavior }} + behavior: {{ toYaml .Values.autoscaling.autoscaleBehavior | nindent 4 }} + {{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/templates/poddisruptionbudget.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/templates/poddisruptionbudget.yaml new file mode 100644 index 0000000000..91869a0ead --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/templates/poddisruptionbudget.yaml @@ -0,0 +1,21 @@ +{{- if .Values.podDisruptionBudget }} +# a workaround for https://github.com/kubernetes/kubernetes/issues/93476 +{{- if or (and .Values.autoscaling.enabled (gt (int .Values.autoscaling.minReplicas) 1)) (and (not .Values.autoscaling.enabled) (gt (int .Values.replicaCount) 1)) }} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "gateway.name" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} + {{- include "gateway.labels" . | nindent 4}} +spec: + selector: + matchLabels: + {{- include "gateway.selectorLabels" . | nindent 6 }} + {{- with .Values.podDisruptionBudget }} + {{- toYaml . | nindent 2 }} + {{- end }} +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/templates/role.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/templates/role.yaml new file mode 100644 index 0000000000..3d16079632 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/templates/role.yaml @@ -0,0 +1,37 @@ +{{/*Set up roles for Istio Gateway. Not required for gateway-api*/}} +{{- if .Values.rbac.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "gateway.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} + {{- include "gateway.labels" . | nindent 4}} + annotations: + {{- .Values.annotations | toYaml | nindent 4 }} +rules: +- apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "watch", "list"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "gateway.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} + {{- include "gateway.labels" . | nindent 4}} + annotations: + {{- .Values.annotations | toYaml | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "gateway.serviceAccountName" . }} +subjects: +- kind: ServiceAccount + name: {{ include "gateway.serviceAccountName" . }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/templates/service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/templates/service.yaml new file mode 100644 index 0000000000..3e28418f7b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/templates/service.yaml @@ -0,0 +1,69 @@ +{{- if not (eq .Values.service.type "None") }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "gateway.name" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} + {{- include "gateway.labels" . | nindent 4 }} + {{- with .Values.networkGateway }} + topology.istio.io/network: "{{.}}" + {{- end }} + annotations: + {{- merge (deepCopy .Values.service.annotations) .Values.annotations | toYaml | nindent 4 }} +spec: +{{- with .Values.service.loadBalancerIP }} + loadBalancerIP: "{{ . }}" +{{- end }} +{{- if eq .Values.service.type "LoadBalancer" }} + {{- if hasKey .Values.service "allocateLoadBalancerNodePorts" }} + allocateLoadBalancerNodePorts: {{ .Values.service.allocateLoadBalancerNodePorts }} + {{- end }} + {{- if hasKey .Values.service "loadBalancerClass" }} + loadBalancerClass: {{ .Values.service.loadBalancerClass }} + {{- end }} +{{- end }} +{{- if .Values.service.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.service.ipFamilyPolicy }} +{{- end }} +{{- if .Values.service.ipFamilies }} + ipFamilies: +{{- range .Values.service.ipFamilies }} + - {{ . }} +{{- end }} +{{- end }} +{{- with .Values.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml . | indent 4 }} +{{- end }} +{{- with .Values.service.externalTrafficPolicy }} + externalTrafficPolicy: "{{ . }}" +{{- end }} + type: {{ .Values.service.type }} + ports: +{{- if .Values.networkGateway }} + - name: status-port + port: 15021 + targetPort: 15021 + - name: tls + port: 15443 + targetPort: 15443 + - name: tls-istiod + port: 15012 + targetPort: 15012 + - name: tls-webhook + port: 15017 + targetPort: 15017 +{{- else }} +{{ .Values.service.ports | toYaml | indent 4 }} +{{- end }} +{{- if .Values.service.externalIPs }} + externalIPs: {{- range .Values.service.externalIPs }} + - {{.}} + {{- end }} +{{- end }} + selector: + {{- include "gateway.selectorLabels" . | nindent 4 }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/templates/serviceaccount.yaml new file mode 100644 index 0000000000..c88afeadd3 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/templates/serviceaccount.yaml @@ -0,0 +1,15 @@ +{{- if .Values.serviceAccount.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "gateway.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} + {{- include "gateway.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/templates/zzz_profile.yaml new file mode 100644 index 0000000000..606c556697 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/templates/zzz_profile.yaml @@ -0,0 +1,75 @@ +{{/* +WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. +The original version of this file is located at /manifests directory. +If you want to make a change in this file, edit the original one and run "make gen". + +Complex logic ahead... +We have three sets of values, in order of precedence (last wins): +1. The builtin values.yaml defaults +2. The profile the user selects +3. Users input (-f or --set) + +Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). + +However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). +We can then merge the profile onto the defaults, then the user settings onto that. +Finally, we can set all of that under .Values so the chart behaves without awareness. +*/}} +{{- if $.Values.defaults}} +{{ fail (cat + "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" + ($.Values.defaults | toYaml |nindent 4) +) }} +{{- end }} +{{- $defaults := $.Values._internal_defaults_do_not_set }} +{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} +{{- $profile := dict }} +{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} +{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} +{{- $profile = (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown profile" .) }} +{{- end }} +{{- end }} +{{- with .Values.compatibilityVersion }} +{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} +{{- end }} +{{- end }} +{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} +{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown platform" .) }} +{{- end }} +{{- end }} +{{- if $profile }} +{{- $a := mustMergeOverwrite $defaults $profile }} +{{- end }} +# Flatten globals, if defined on a per-chart basis +{{- if true }} +{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} +{{- end }} +{{- $x := set $.Values "_original" (deepCopy $.Values) }} +{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} + +{{/* +Labels that should be applied to ALL resources. +*/}} +{{- define "istio.labels" -}} +{{- if .Release.Service -}} +app.kubernetes.io/managed-by: {{ .Release.Service | quote }} +{{- end }} +{{- if .Release.Name }} +app.kubernetes.io/instance: {{ .Release.Name | quote }} +{{- end }} +app.kubernetes.io/part-of: "istio" +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +{{- if and .Chart.Name .Chart.Version }} +helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/values.schema.json b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/values.schema.json new file mode 100644 index 0000000000..3fdaa2730f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/values.schema.json @@ -0,0 +1,330 @@ +{ + "$schema": "http://json-schema.org/schema#", + "$defs": { + "values": { + "type": "object", + "properties": { + "global": { + "type": "object" + }, + "affinity": { + "type": "object" + }, + "securityContext": { + "type": [ + "object", + "null" + ] + }, + "containerSecurityContext": { + "type": [ + "object", + "null" + ] + }, + "kind": { + "type": "string", + "enum": [ + "Deployment", + "DaemonSet" + ] + }, + "annotations": { + "additionalProperties": { + "type": [ + "string", + "integer" + ] + }, + "type": "object" + }, + "autoscaling": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "maxReplicas": { + "type": "integer" + }, + "minReplicas": { + "type": "integer" + }, + "targetCPUUtilizationPercentage": { + "type": "integer" + } + } + }, + "env": { + "type": "object" + }, + "strategy": { + "type": "object" + }, + "minReadySeconds": { + "type": [ + "null", + "integer" + ] + }, + "readinessProbe": { + "type": [ + "null", + "object" + ] + }, + "labels": { + "type": "object" + }, + "name": { + "type": "string" + }, + "nodeSelector": { + "type": "object" + }, + "podAnnotations": { + "type": "object", + "properties": { + "inject.istio.io/templates": { + "type": "string" + }, + "prometheus.io/path": { + "type": "string" + }, + "prometheus.io/port": { + "type": "string" + }, + "prometheus.io/scrape": { + "type": "string" + } + } + }, + "replicaCount": { + "type": [ + "integer", + "null" + ] + }, + "resources": { + "type": "object", + "properties": { + "limits": { + "type": "object", + "properties": { + "cpu": { + "type": [ + "string", + "null" + ] + }, + "memory": { + "type": [ + "string", + "null" + ] + } + } + }, + "requests": { + "type": "object", + "properties": { + "cpu": { + "type": [ + "string", + "null" + ] + }, + "memory": { + "type": [ + "string", + "null" + ] + } + } + } + } + }, + "revision": { + "type": "string" + }, + "compatibilityVersion": { + "type": "string" + }, + "runAsRoot": { + "type": "boolean" + }, + "unprivilegedPort": { + "type": [ + "string", + "boolean" + ], + "enum": [ + true, + false, + "auto" + ] + }, + "service": { + "type": "object", + "properties": { + "annotations": { + "type": "object" + }, + "externalTrafficPolicy": { + "type": "string" + }, + "loadBalancerIP": { + "type": "string" + }, + "loadBalancerSourceRanges": { + "type": "array" + }, + "ipFamilies": { + "items": { + "type": "string", + "enum": [ + "IPv4", + "IPv6" + ] + } + }, + "ipFamilyPolicy": { + "type": "string", + "enum": [ + "", + "SingleStack", + "PreferDualStack", + "RequireDualStack" + ] + }, + "ports": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "port": { + "type": "integer" + }, + "protocol": { + "type": "string" + }, + "targetPort": { + "type": "integer" + } + } + } + }, + "type": { + "type": "string" + } + } + }, + "serviceAccount": { + "type": "object", + "properties": { + "annotations": { + "type": "object" + }, + "name": { + "type": "string" + }, + "create": { + "type": "boolean" + } + } + }, + "rbac": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, + "tolerations": { + "type": "array" + }, + "topologySpreadConstraints": { + "type": "array" + }, + "networkGateway": { + "type": "string" + }, + "imagePullPolicy": { + "type": "string", + "enum": [ + "", + "Always", + "IfNotPresent", + "Never" + ] + }, + "imagePullSecrets": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + } + } + } + }, + "podDisruptionBudget": { + "type": "object", + "properties": { + "minAvailable": { + "type": [ + "integer", + "string" + ] + }, + "maxUnavailable": { + "type": [ + "integer", + "string" + ] + }, + "unhealthyPodEvictionPolicy": { + "type": "string", + "enum": [ + "", + "IfHealthyBudget", + "AlwaysAllow" + ] + } + } + }, + "terminationGracePeriodSeconds": { + "type": "number" + }, + "volumes": { + "type": "array", + "items": { + "type": "object" + } + }, + "volumeMounts": { + "type": "array", + "items": { + "type": "object" + } + }, + "priorityClassName": { + "type": "string" + }, + "_internal_defaults_do_not_set": { + "type": "object" + } + }, + "additionalProperties": false + } + }, + "defaults": { + "$ref": "#/$defs/values" + }, + "$ref": "#/$defs/values" +} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/values.yaml new file mode 100644 index 0000000000..5d4fd3b754 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/gateway/values.yaml @@ -0,0 +1,173 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + # Name allows overriding the release name. Generally this should not be set + name: "" + # revision declares which revision this gateway is a part of + revision: "" + + # Controls the spec.replicas setting for the Gateway deployment if set. + # Otherwise defaults to Kubernetes Deployment default (1). + replicaCount: + + kind: Deployment + + rbac: + # If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed + # when using http://gateway-api.org/. + enabled: true + + serviceAccount: + # If set, a service account will be created. Otherwise, the default is used + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set, the release name is used + name: "" + + podAnnotations: + prometheus.io/port: "15020" + prometheus.io/scrape: "true" + prometheus.io/path: "/stats/prometheus" + inject.istio.io/templates: "gateway" + sidecar.istio.io/inject: "true" + + # Define the security context for the pod. + # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. + # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. + securityContext: {} + containerSecurityContext: {} + + service: + # Type of service. Set to "None" to disable the service entirely + type: LoadBalancer + ports: + - name: status-port + port: 15021 + protocol: TCP + targetPort: 15021 + - name: http2 + port: 80 + protocol: TCP + targetPort: 80 + - name: https + port: 443 + protocol: TCP + targetPort: 443 + annotations: {} + loadBalancerIP: "" + loadBalancerSourceRanges: [] + externalTrafficPolicy: "" + externalIPs: [] + ipFamilyPolicy: "" + ipFamilies: [] + ## Whether to automatically allocate NodePorts (only for LoadBalancers). + # allocateLoadBalancerNodePorts: false + ## Set LoadBalancer class (only for LoadBalancers). + # loadBalancerClass: "" + + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 1024Mi + + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 5 + targetCPUUtilizationPercentage: 80 + targetMemoryUtilizationPercentage: {} + autoscaleBehavior: {} + + # Pod environment variables + env: {} + + # Deployment Update strategy + strategy: {} + + # Sets the Deployment minReadySeconds value + minReadySeconds: + + # Optionally configure a custom readinessProbe. By default the control plane + # automatically injects the readinessProbe. If you wish to override that + # behavior, you may define your own readinessProbe here. + readinessProbe: {} + + # Labels to apply to all resources + labels: + # By default, don't enroll gateways into the ambient dataplane + "istio.io/dataplane-mode": none + + # Annotations to apply to all resources + annotations: {} + + nodeSelector: {} + + tolerations: [] + + topologySpreadConstraints: [] + + affinity: {} + + # If specified, the gateway will act as a network gateway for the given network. + networkGateway: "" + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent + imagePullPolicy: "" + + imagePullSecrets: [] + + # This value is used to configure a Kubernetes PodDisruptionBudget for the gateway. + # + # By default, the `podDisruptionBudget` is disabled (set to `{}`), + # which means that no PodDisruptionBudget resource will be created. + # + # The PodDisruptionBudget can be only enabled if autoscaling is enabled + # with minReplicas > 1 or if autoscaling is disabled but replicaCount > 1. + # + # To enable the PodDisruptionBudget, configure it by specifying the + # `minAvailable` or `maxUnavailable`. For example, to set the + # minimum number of available replicas to 1, you can update this value as follows: + # + # podDisruptionBudget: + # minAvailable: 1 + # + # Or, to allow a maximum of 1 unavailable replica, you can set: + # + # podDisruptionBudget: + # maxUnavailable: 1 + # + # You can also specify the `unhealthyPodEvictionPolicy` field, and the valid values are `IfHealthyBudget` and `AlwaysAllow`. + # For example, to set the `unhealthyPodEvictionPolicy` to `AlwaysAllow`, you can update this value as follows: + # + # podDisruptionBudget: + # minAvailable: 1 + # unhealthyPodEvictionPolicy: AlwaysAllow + # + # To disable the PodDisruptionBudget, you can leave it as an empty object `{}`: + # + # podDisruptionBudget: {} + # + podDisruptionBudget: {} + + # Sets the per-pod terminationGracePeriodSeconds setting. + terminationGracePeriodSeconds: 30 + + # A list of `Volumes` added into the Gateway Pods. See + # https://kubernetes.io/docs/concepts/storage/volumes/. + volumes: [] + + # A list of `VolumeMounts` added into the Gateway Pods. See + # https://kubernetes.io/docs/concepts/storage/volumes/. + volumeMounts: [] + + # Configure this to a higher priority class in order to make sure your Istio gateway pods + # will not be killed because of low priority class. + # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + # for more detail. + priorityClassName: "" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/Chart.yaml new file mode 100644 index 0000000000..2e6749b0d8 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/Chart.yaml @@ -0,0 +1,12 @@ +apiVersion: v2 +appVersion: 1.26.3 +description: Helm chart for istio control plane +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio +- istiod +- istio-discovery +name: istiod +sources: +- https://github.com/istio/istio +version: 1.26.3 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/README.md new file mode 100644 index 0000000000..ddbfbc8fec --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/README.md @@ -0,0 +1,73 @@ +# Istiod Helm Chart + +This chart installs an Istiod deployment. + +## Setup Repo Info + +```console +helm repo add istio https://istio-release.storage.googleapis.com/charts +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Installing the Chart + +Before installing, ensure CRDs are installed in the cluster (from the `istio/base` chart). + +To install the chart with the release name `istiod`: + +```console +kubectl create namespace istio-system +helm install istiod istio/istiod --namespace istio-system +``` + +## Uninstalling the Chart + +To uninstall/delete the `istiod` deployment: + +```console +helm delete istiod --namespace istio-system +``` + +## Configuration + +To view support configuration options and documentation, run: + +```console +helm show values istio/istiod +``` + +### Profiles + +Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. +These can be set with `--set profile=`. +For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. + +For consistency, the same profiles are used across each chart, even if they do not impact a given chart. + +Explicitly set values have highest priority, then profile settings, then chart defaults. + +As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. +When configuring the chart, you should not include this. +That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. + +### Examples + +#### Configuring mesh configuration settings + +Any [Mesh Config](https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/) options can be configured like below: + +```yaml +meshConfig: + accessLogFile: /dev/stdout +``` + +#### Revisions + +Control plane revisions allow deploying multiple versions of the control plane in the same cluster. +This allows safe [canary upgrades](https://istio.io/latest/docs/setup/upgrade/canary/) + +```yaml +revision: my-revision-name +``` diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/gateway-injection-template.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/gateway-injection-template.yaml new file mode 100644 index 0000000000..224fe75f13 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/gateway-injection-template.yaml @@ -0,0 +1,261 @@ +{{- $containers := list }} +{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} +metadata: + labels: + service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} + service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} + annotations: + istio.io/rev: {{ .Revision | default "default" | quote }} + {{- if ge (len $containers) 1 }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} + kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}" + {{- end }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}" + {{- end }} + {{- end }} +spec: + securityContext: + {{- if .Values.gateways.securityContext }} + {{- toYaml .Values.gateways.securityContext | nindent 4 }} + {{- else }} + sysctls: + - name: net.ipv4.ip_unprivileged_port_start + value: "0" + {{- end }} + containers: + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - router + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} + - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} + {{- end }} + securityContext: + runAsUser: {{ .ProxyUID | default "1337" }} + runAsGroup: {{ .ProxyGID | default "1337" }} + env: + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + {{- if .CompliancePolicy }} + - name: COMPLIANCE_POLICY + value: "{{ .CompliancePolicy }}" + {{- end }} + - name: ISTIO_META_APP_CONTAINERS + value: "{{ $containers | join "," }}" + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ .ProxyConfig.InterceptionMode.String }}" + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{- if .DeploymentMeta.Name }} + - name: ISTIO_META_WORKLOAD_NAME + value: "{{ .DeploymentMeta.Name }}" + {{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + readinessProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }} + timeoutSeconds: 3 + failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }} + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + - name: credential-socket + mountPath: /var/run/secrets/credential-uds + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + volumes: + - emptyDir: {} + name: workload-socket + - emptyDir: {} + name: credential-socket + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- else}} + - emptyDir: {} + name: workload-certs + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - name: istio-certs + secret: + optional: true + {{ if eq .Spec.ServiceAccountName "" }} + secretName: istio.default + {{ else -}} + secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} + {{ end -}} + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/grpc-agent.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/grpc-agent.yaml new file mode 100644 index 0000000000..6e3102e4c8 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/grpc-agent.yaml @@ -0,0 +1,318 @@ +{{- define "resources" }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} + requests: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" + {{ end }} + {{- end }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + limits: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" + {{ end }} + {{- end }} + {{- else }} + {{- if .Values.global.proxy.resources }} + {{ toYaml .Values.global.proxy.resources | indent 6 }} + {{- end }} + {{- end }} +{{- end }} +{{- $containers := list }} +{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} +metadata: + labels: + {{/* security.istio.io/tlsMode: istio must be set by user, if gRPC is using mTLS initialization code. We can't set it automatically. */}} + service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} + service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} + annotations: { + istio.io/rev: {{ .Revision | default "default" | quote }}, + {{- if ge (len $containers) 1 }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} + kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", + {{- end }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", + {{- end }} + {{- end }} + sidecar.istio.io/rewriteAppHTTPProbers: "false", + } +spec: + containers: + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + ports: + - containerPort: 15020 + protocol: TCP + name: mesh-metrics + args: + - proxy + - sidecar + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} + - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + lifecycle: + postStart: + exec: + command: + - pilot-agent + - wait + - --url=http://localhost:15020/healthz/ready + env: + - name: ISTIO_META_GENERATOR + value: grpc + - name: OUTPUT_CERTS + value: /var/lib/istio/data + {{- if eq .InboundTrafficPolicyMode "localhost" }} + - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION + value: "true" + {{- end }} + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: ISTIO_META_APP_CONTAINERS + value: "{{ $containers | join "," }}" + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{- if .DeploymentMeta.Name }} + - name: ISTIO_META_WORKLOAD_NAME + value: "{{ .DeploymentMeta.Name }}" + {{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + # grpc uses xds:/// to resolve – no need to resolve VIP + - name: ISTIO_META_DNS_CAPTURE + value: "false" + - name: DISABLE_ENVOY + value: "true" + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} + readinessProbe: + httpGet: + path: /healthz/ready + port: 15020 + initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} + timeoutSeconds: 3 + failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} + resources: + {{ template "resources" . }} + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + # UDS channel between istioagent and gRPC client for XDS/SDS + - mountPath: /etc/istio/proxy + name: istio-xds + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} + {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 6 }} + {{ end }} + {{- end }} +{{- range $index, $container := .Spec.Containers }} +{{ if not (eq $container.Name "istio-proxy") }} + - name: {{ $container.Name }} + env: + - name: "GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT" + value: "true" + - name: "GRPC_XDS_BOOTSTRAP" + value: "/etc/istio/proxy/grpc-bootstrap.json" + volumeMounts: + - mountPath: /var/lib/istio/data + name: istio-data + # UDS channel between istioagent and gRPC client for XDS/SDS + - mountPath: /etc/istio/proxy + name: istio-xds + {{- if eq $.Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} +{{- end }} +{{- end }} + volumes: + - emptyDir: + name: workload-socket + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- else }} + - emptyDir: + name: workload-certs + {{- end }} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: custom-bootstrap-volume + configMap: + name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-xds + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - name: istio-certs + secret: + optional: true + {{ if eq .Spec.ServiceAccountName "" }} + secretName: istio.default + {{ else -}} + secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} + {{ end -}} + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} + {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 4 }} + {{ end }} + {{ end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/grpc-simple.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/grpc-simple.yaml new file mode 100644 index 0000000000..9ba0c7a46a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/grpc-simple.yaml @@ -0,0 +1,65 @@ +metadata: + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "false" +spec: + initContainers: + - name: grpc-bootstrap-init + image: busybox:1.28 + volumeMounts: + - mountPath: /var/lib/grpc/data/ + name: grpc-io-proxyless-bootstrap + env: + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: ISTIO_NAMESPACE + value: | + {{ .Values.global.istioNamespace }} + command: + - sh + - "-c" + - |- + NODE_ID="sidecar~${INSTANCE_IP}~${POD_NAME}.${POD_NAMESPACE}~cluster.local" + SERVER_URI="dns:///istiod.${ISTIO_NAMESPACE}.svc:15010" + echo ' + { + "xds_servers": [ + { + "server_uri": "'${SERVER_URI}'", + "channel_creds": [{"type": "insecure"}], + "server_features" : ["xds_v3"] + } + ], + "node": { + "id": "'${NODE_ID}'", + "metadata": { + "GENERATOR": "grpc" + } + } + }' > /var/lib/grpc/data/bootstrap.json + containers: + {{- range $index, $container := .Spec.Containers }} + - name: {{ $container.Name }} + env: + - name: GRPC_XDS_BOOTSTRAP + value: /var/lib/grpc/data/bootstrap.json + - name: GRPC_GO_LOG_VERBOSITY_LEVEL + value: "99" + - name: GRPC_GO_LOG_SEVERITY_LEVEL + value: info + volumeMounts: + - mountPath: /var/lib/grpc/data/ + name: grpc-io-proxyless-bootstrap + {{- end }} + volumes: + - name: grpc-io-proxyless-bootstrap + emptyDir: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/injection-template.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/injection-template.yaml new file mode 100644 index 0000000000..f881b9a0ef --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/injection-template.yaml @@ -0,0 +1,532 @@ +{{- define "resources" }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} + requests: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" + {{ end }} + {{- end }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + limits: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" + {{ end }} + {{- end }} + {{- else }} + {{- if .Values.global.proxy.resources }} + {{ toYaml .Values.global.proxy.resources | indent 6 }} + {{- end }} + {{- end }} +{{- end }} +{{ $nativeSidecar := (or (and (not (isset .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar`)) (eq (env "ENABLE_NATIVE_SIDECARS" "false") "true")) (eq (index .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar`) "true")) }} +{{ $tproxy := (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) }} +{{- $containers := list }} +{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} +metadata: + labels: + security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }} + {{- if eq (index .ProxyConfig.ProxyMetadata "ISTIO_META_ENABLE_HBONE") "true" }} + networking.istio.io/tunnel: {{ index .ObjectMeta.Labels `networking.istio.io/tunnel` | default "http" | quote }} + {{- end }} + service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | trunc 63 | trimSuffix "-" | quote }} + service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} + annotations: { + istio.io/rev: {{ .Revision | default "default" | quote }}, + {{- if ge (len $containers) 1 }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} + kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", + {{- end }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", + {{- end }} + {{- end }} +{{- if .Values.pilot.cni.enabled }} + {{- if eq .Values.pilot.cni.provider "multus" }} + k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `default/istio-cni` }}', + {{- end }} + sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}", + {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }} + {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }} + traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}", + traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}", + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }} + traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}", + {{- end }} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} + traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}", + {{- end }} + {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }} + {{ with index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}istio.io/reroute-virtual-interfaces: "{{.}}",{{ end }} + {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}traffic.sidecar.istio.io/excludeInterfaces: "{{.}}",{{ end }} +{{- end }} + } +spec: + {{- $holdProxy := and + (or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts) + (not $nativeSidecar) }} + {{- $noInitContainer := and + (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE`) + (not $nativeSidecar) }} + {{ if $noInitContainer }} + initContainers: [] + {{ else -}} + initContainers: + {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} + {{ if .Values.pilot.cni.enabled -}} + - name: istio-validation + {{ else -}} + - name: istio-init + {{ end -}} + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + args: + - istio-iptables + - "-p" + - {{ .MeshConfig.ProxyListenPort | default "15001" | quote }} + - "-z" + - {{ .MeshConfig.ProxyInboundListenPort | default "15006" | quote }} + - "-u" + - {{ if $tproxy }} "1337" {{ else }} {{ .ProxyUID | default "1337" | quote }} {{ end }} + - "-m" + - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" + - "-i" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" + - "-x" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" + - "-b" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}" + - "-d" + {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }} + - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" + {{- else }} + - "15090,15021" + {{- end }} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}} + - "-q" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" + {{ end -}} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} + - "-o" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" + {{ end -}} + {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} + - "-k" + - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" + {{ end -}} + {{ if (isset .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces`) -}} + - "-k" + - "{{ index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}" + {{ end -}} + {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces`) -}} + - "-c" + - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}" + {{ end -}} + - "--log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}" + {{ if .Values.global.logAsJson -}} + - "--log_as_json" + {{ end -}} + {{ if .Values.pilot.cni.enabled -}} + - "--run-validation" + - "--skip-rule-apply" + {{ else if .Values.global.proxy_init.forceApplyIptables -}} + - "--force-apply" + {{ end -}} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + {{- if .ProxyConfig.ProxyMetadata }} + env: + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + resources: + {{ template "resources" . }} + securityContext: + allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} + privileged: {{ .Values.global.proxy.privileged }} + capabilities: + {{- if not .Values.pilot.cni.enabled }} + add: + - NET_ADMIN + - NET_RAW + {{- end }} + drop: + - ALL + {{- if not .Values.pilot.cni.enabled }} + readOnlyRootFilesystem: false + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + {{- else }} + readOnlyRootFilesystem: true + runAsGroup: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyGID | default "1337" }} {{ end }} + runAsUser: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyUID | default "1337" }} {{ end }} + runAsNonRoot: true + {{- end }} + {{ end -}} + {{ end -}} + {{ if not $nativeSidecar }} + containers: + {{ end }} + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + {{ if $nativeSidecar }}restartPolicy: Always{{end}} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - sidecar + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} + - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.outlierLogPath }} + - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }} + {{- end}} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} + {{- else if $holdProxy }} + lifecycle: + postStart: + exec: + command: + - pilot-agent + - wait + {{- else if $nativeSidecar }} + {{- /* preStop is called when the pod starts shutdown. Initialize drain. We will get SIGTERM once applications are torn down. */}} + lifecycle: + preStop: + exec: + command: + - pilot-agent + - request + - --debug-port={{(annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort)}} + - POST + - drain + {{- end }} + env: + {{- if eq .InboundTrafficPolicyMode "localhost" }} + - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION + value: "true" + {{- end }} + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: ISTIO_META_APP_CONTAINERS + value: "{{ $containers | join "," }}" + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + {{- if .CompliancePolicy }} + - name: COMPLIANCE_POLICY + value: "{{ .CompliancePolicy }}" + {{- end }} + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{- with (index .ObjectMeta.Labels `service.istio.io/workload-name` | default .DeploymentMeta.Name) }} + - name: ISTIO_META_WORKLOAD_NAME + value: "{{ . }}" + {{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: ISTIO_BOOTSTRAP_OVERRIDE + value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" + {{- end }} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} + {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} + {{ if .Values.global.proxy.startupProbe.enabled }} + startupProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: 0 + periodSeconds: 1 + timeoutSeconds: 3 + failureThreshold: {{ .Values.global.proxy.startupProbe.failureThreshold }} + {{ end }} + readinessProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} + timeoutSeconds: 3 + failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} + {{ end -}} + securityContext: + {{- if eq (index .ProxyConfig.ProxyMetadata "IPTABLES_TRACE_LOGGING") "true" }} + allowPrivilegeEscalation: true + capabilities: + add: + - NET_ADMIN + drop: + - ALL + privileged: true + readOnlyRootFilesystem: true + runAsGroup: {{ .ProxyGID | default "1337" }} + runAsNonRoot: false + runAsUser: 0 + {{- else }} + allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} + capabilities: + {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} + add: + {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}} + - NET_ADMIN + {{- end }} + {{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}} + - NET_BIND_SERVICE + {{- end }} + {{- end }} + drop: + - ALL + privileged: {{ .Values.global.proxy.privileged }} + readOnlyRootFilesystem: true + {{ if or ($tproxy) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} + runAsNonRoot: false + runAsUser: 0 + runAsGroup: 1337 + {{- else -}} + runAsNonRoot: true + runAsUser: {{ .ProxyUID | default "1337" }} + runAsGroup: {{ .ProxyGID | default "1337" }} + {{- end }} + {{- end }} + resources: + {{ template "resources" . }} + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + - name: credential-socket + mountPath: /var/run/secrets/credential-uds + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - mountPath: /etc/istio/custom-bootstrap + name: custom-bootstrap-volume + {{- end }} + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} + - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }} + name: lightstep-certs + readOnly: true + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} + {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 6 }} + {{ end }} + {{- end }} + volumes: + - emptyDir: + name: workload-socket + - emptyDir: + name: credential-socket + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- else }} + - emptyDir: + name: workload-certs + {{- end }} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: custom-bootstrap-volume + configMap: + name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - name: istio-certs + secret: + optional: true + {{ if eq .Spec.ServiceAccountName "" }} + secretName: istio.default + {{ else -}} + secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} + {{ end -}} + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} + {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 4 }} + {{ end }} + {{ end }} + {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} + - name: lightstep-certs + secret: + optional: true + secretName: lightstep.cacert + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/kube-gateway.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/kube-gateway.yaml new file mode 100644 index 0000000000..a6116b1ab0 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/kube-gateway.yaml @@ -0,0 +1,401 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{.ServiceAccount | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + {{- if ge .KubeVersion 128 }} + # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" + {{- end }} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.istio.io/managed" "istio.io-gateway-controller" + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: "{{.UID}}" +spec: + selector: + matchLabels: + "{{.GatewayNameLabel}}": {{.Name}} + template: + metadata: + annotations: + {{- toJsonMap + (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") + (strdict "istio.io/rev" (.Revision | default "default")) + (strdict + "prometheus.io/path" "/stats/prometheus" + "prometheus.io/port" "15020" + "prometheus.io/scrape" "true" + ) | nindent 8 }} + labels: + {{- toJsonMap + (strdict + "sidecar.istio.io/inject" "false" + "service.istio.io/canonical-name" .DeploymentName + "service.istio.io/canonical-revision" "latest" + ) + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.istio.io/managed" "istio.io-gateway-controller" + ) | nindent 8 }} + spec: + securityContext: + {{- if .Values.gateways.securityContext }} + {{- toYaml .Values.gateways.securityContext | nindent 8 }} + {{- else }} + sysctls: + - name: net.ipv4.ip_unprivileged_port_start + value: "0" + {{- if .Values.gateways.seccompProfile }} + seccompProfile: + {{- toYaml .Values.gateways.seccompProfile | nindent 10 }} + {{- end }} + {{- end }} + serviceAccountName: {{.ServiceAccount | quote}} + containers: + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + {{- if .Values.global.proxy.resources }} + resources: + {{- toYaml .Values.global.proxy.resources | nindent 10 }} + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + securityContext: + capabilities: + drop: + - ALL + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsUser: {{ .ProxyUID | default "1337" }} + runAsGroup: {{ .ProxyGID | default "1337" }} + runAsNonRoot: true + ports: + - containerPort: 15020 + name: metrics + protocol: TCP + - containerPort: 15021 + name: status-port + protocol: TCP + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - router + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} + - --proxyComponentLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} + - --log_output_level + - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{- toYaml .Values.global.proxy.lifecycle | nindent 10 }} + {{- end }} + env: + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: "[]" + - name: ISTIO_META_APP_CONTAINERS + value: "" + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName .ClusterID }}" + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ .ProxyConfig.InterceptionMode.String }}" + {{- with (valueOrDefault (index .InfrastructureLabels "topology.istio.io/network") .Values.global.network) }} + - name: ISTIO_META_NETWORK + value: {{.|quote}} + {{- end }} + - name: ISTIO_META_WORKLOAD_NAME + value: {{.DeploymentName|quote}} + - name: ISTIO_META_OWNER + value: "kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}}" + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- with (index .InfrastructureLabels "topology.istio.io/network") }} + - name: ISTIO_META_REQUESTED_NETWORK_VIEW + value: {{.|quote}} + {{- end }} + startupProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 1 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + failureThreshold: 4 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 0 + periodSeconds: 15 + successThreshold: 1 + timeoutSeconds: 1 + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + - name: credential-socket + mountPath: /var/run/secrets/credential-uds + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + - name: istio-podinfo + mountPath: /etc/istio/pod + volumes: + - emptyDir: {} + name: workload-socket + - emptyDir: {} + name: credential-socket + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- else}} + - emptyDir: {} + name: workload-certs + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + {{- if eq ((.Values.pilot).env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:root-cert + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +--- +apiVersion: v1 +kind: Service +metadata: + annotations: + {{ toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: {{.UID}} +spec: + ipFamilyPolicy: PreferDualStack + ports: + {{- range $key, $val := .Ports }} + - name: {{ $val.Name | quote }} + port: {{ $val.Port }} + protocol: TCP + appProtocol: {{ $val.AppProtocol }} + {{- end }} + selector: + "{{.GatewayNameLabel}}": {{.Name}} + {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} + loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} + {{- end }} + type: {{ .ServiceType | quote }} +--- +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: "{{.UID}}" +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{.DeploymentName | quote}} + maxReplicas: 1 +--- +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: "{{.UID}}" +spec: + selector: + matchLabels: + gateway.networking.k8s.io/gateway-name: {{.Name|quote}} + diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/profile-ambient.yaml new file mode 100644 index 0000000000..2805fe46bf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/profile-ambient.yaml @@ -0,0 +1,17 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/profile-compatibility-version-1.23.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/profile-compatibility-version-1.23.yaml new file mode 100644 index 0000000000..dac910ff5b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/profile-compatibility-version-1.23.yaml @@ -0,0 +1,25 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + ENABLE_INBOUND_RETRY_POLICY: "false" + EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" + +ambient: + # Not present in <1.24, defaults to `true` in 1.25+ + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 0000000000..b211c82666 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/profile-compatibility-version-1.24.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + PILOT_ENABLE_IP_AUTOALLOCATE: "false" +ambient: + dnsCapture: false + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..eb8827cd50 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/profile-demo.yaml new file mode 100644 index 0000000000..d6dc36dd0f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/profile-demo.yaml @@ -0,0 +1,94 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The demo profile enables a variety of things to try out Istio in non-production environments. +# * Lower resource utilization. +# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. +# * More ports enabled on the ingress, which is used in some tasks. +meshConfig: + accessLogFile: /dev/stdout + extensionProviders: + - name: otel + envoyOtelAls: + service: opentelemetry-collector.observability.svc.cluster.local + port: 4317 + - name: skywalking + skywalking: + service: tracing.istio-system.svc.cluster.local + port: 11800 + - name: otel-tracing + opentelemetry: + port: 4317 + service: opentelemetry-collector.observability.svc.cluster.local + - name: jaeger + opentelemetry: + port: 4317 + service: jaeger-collector.istio-system.svc.cluster.local + +cni: + resources: + requests: + cpu: 10m + memory: 40Mi + +ztunnel: + resources: + requests: + cpu: 10m + memory: 40Mi + +global: + proxy: + resources: + requests: + cpu: 10m + memory: 40Mi + waypoint: + resources: + requests: + cpu: 10m + memory: 40Mi + +pilot: + autoscaleEnabled: false + traceSampling: 100 + resources: + requests: + cpu: 10m + memory: 100Mi + +gateways: + istio-egressgateway: + autoscaleEnabled: false + resources: + requests: + cpu: 10m + memory: 40Mi + istio-ingressgateway: + autoscaleEnabled: false + ports: + ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. + # Note that AWS ELB will by default perform health checks on the first port + # on this list. Setting this to the health check port will ensure that health + # checks always work. https://github.com/istio/istio/issues/12503 + - port: 15021 + targetPort: 15021 + name: status-port + - port: 80 + targetPort: 8080 + name: http2 + - port: 443 + targetPort: 8443 + name: https + - port: 31400 + targetPort: 31400 + name: tcp + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + resources: + requests: + cpu: 10m + memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/profile-platform-gke.yaml new file mode 100644 index 0000000000..dfe8a7d741 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/profile-platform-gke.yaml @@ -0,0 +1,10 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work + resourceQuotas: + enabled: true +resourceQuotas: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/profile-platform-k3d.yaml new file mode 100644 index 0000000000..cd86d9ec58 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/profile-platform-k3d.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/profile-platform-k3s.yaml new file mode 100644 index 0000000000..07820106d9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/profile-platform-k3s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/profile-platform-microk8s.yaml new file mode 100644 index 0000000000..57d7f5e3cd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/profile-platform-microk8s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/snap/microk8s/current/args/cni-network + cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/profile-platform-minikube.yaml new file mode 100644 index 0000000000..fa9992e204 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/profile-platform-minikube.yaml @@ -0,0 +1,6 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/profile-platform-openshift.yaml new file mode 100644 index 0000000000..8ddc5e1654 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/profile-platform-openshift.yaml @@ -0,0 +1,19 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The OpenShift profile provides a basic set of settings to run Istio on OpenShift +cni: + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + provider: "multus" +pilot: + cni: + enabled: true + provider: "multus" +seLinuxOptions: + type: spc_t +# Openshift requires privileged pods to run in kube-system +trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/profile-preview.yaml new file mode 100644 index 0000000000..181d7bda2c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/profile-preview.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +meshConfig: + defaultConfig: + proxyMetadata: + # Enable Istio agent to handle DNS requests for known hosts + # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf + ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/profile-remote.yaml new file mode 100644 index 0000000000..d17b9a801a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/profile-remote.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. +istiodRemote: + enabled: true +configMap: false +telemetry: + enabled: false +global: + # TODO BML maybe a different profile for a configcluster/revisit this + omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/profile-stable.yaml new file mode 100644 index 0000000000..358282e69b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/profile-stable.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The stable profile deploys admission control to ensure that only stable resources and fields are used +# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE +experimental: + stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/waypoint.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/waypoint.yaml new file mode 100644 index 0000000000..6a08a662ec --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/files/waypoint.yaml @@ -0,0 +1,396 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{.ServiceAccount | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + {{- if ge .KubeVersion 128 }} + # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" + {{- end }} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.istio.io/managed" "istio.io-mesh-controller" + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" +spec: + selector: + matchLabels: + "{{.GatewayNameLabel}}": "{{.Name}}" + template: + metadata: + annotations: + {{- toJsonMap + (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") + (strdict "istio.io/rev" (.Revision | default "default")) + (strdict + "prometheus.io/path" "/stats/prometheus" + "prometheus.io/port" "15020" + "prometheus.io/scrape" "true" + ) | nindent 8 }} + labels: + {{- toJsonMap + (strdict + "sidecar.istio.io/inject" "false" + "istio.io/dataplane-mode" "none" + "service.istio.io/canonical-name" .DeploymentName + "service.istio.io/canonical-revision" "latest" + ) + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.istio.io/managed" "istio.io-mesh-controller" + ) | nindent 8}} + spec: + {{- if .Values.global.waypoint.affinity }} + affinity: + {{- toYaml .Values.global.waypoint.affinity | nindent 8 }} + {{- end }} + {{- if .Values.global.waypoint.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml .Values.global.waypoint.topologySpreadConstraints | nindent 8 }} + {{- end }} + {{- if .Values.global.waypoint.nodeSelector }} + nodeSelector: + {{- toYaml .Values.global.waypoint.nodeSelector | nindent 8 }} + {{- end }} + {{- if .Values.global.waypoint.tolerations }} + tolerations: + {{- toYaml .Values.global.waypoint.tolerations | nindent 8 }} + {{- end }} + terminationGracePeriodSeconds: 2 + serviceAccountName: {{.ServiceAccount | quote}} + containers: + - name: istio-proxy + ports: + - containerPort: 15020 + name: metrics + protocol: TCP + - containerPort: 15021 + name: status-port + protocol: TCP + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + args: + - proxy + - waypoint + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --serviceCluster + - {{.ServiceAccount}}.$(POD_NAMESPACE) + - --proxyLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} + - --proxyComponentLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} + - --log_output_level + - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.outlierLogPath }} + - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }} + {{- end}} + env: + - name: ISTIO_META_SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + {{- if .ProxyConfig.ProxyMetadata }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + {{- $network := valueOrDefault (index .InfrastructureLabels `topology.istio.io/network`) .Values.global.network }} + {{- if $network }} + - name: ISTIO_META_NETWORK + value: "{{ $network }}" + {{- end }} + - name: ISTIO_META_INTERCEPTION_MODE + value: REDIRECT + - name: ISTIO_META_WORKLOAD_NAME + value: {{.DeploymentName}} + - name: ISTIO_META_OWNER + value: kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- if .Values.global.waypoint.resources }} + resources: + {{- toYaml .Values.global.waypoint.resources | nindent 10 }} + {{- end }} + startupProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 1 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + failureThreshold: 4 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 0 + periodSeconds: 15 + successThreshold: 1 + timeoutSeconds: 1 + securityContext: + privileged: false + {{- if not (eq .Values.global.platform "openshift") }} + runAsGroup: 1337 + runAsUser: 1337 + {{- end }} + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL +{{- if .Values.gateways.seccompProfile }} + seccompProfile: +{{- toYaml .Values.gateways.seccompProfile | nindent 12 }} +{{- end }} + volumeMounts: + - mountPath: /var/run/secrets/workload-spiffe-uds + name: workload-socket + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + - mountPath: /var/lib/istio/data + name: istio-data + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + - mountPath: /etc/istio/pod + name: istio-podinfo + volumes: + - emptyDir: {} + name: workload-socket + - emptyDir: + medium: Memory + name: istio-envoy + - emptyDir: + medium: Memory + name: go-proxy-envoy + - emptyDir: {} + name: istio-data + - emptyDir: {} + name: go-proxy-data + - downwardAPI: + items: + - fieldRef: + fieldPath: metadata.labels + path: labels + - fieldRef: + fieldPath: metadata.annotations + path: annotations + name: istio-podinfo + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: istio-ca + expirationSeconds: 43200 + path: istio-token + - name: istiod-ca-cert + {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:root-cert + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +--- +apiVersion: v1 +kind: Service +metadata: + annotations: + {{ toJsonMap + (strdict "networking.istio.io/traffic-distribution" "PreferClose") + (omit .InfrastructureAnnotations + "kubectl.kubernetes.io/last-applied-configuration" + "gateway.istio.io/name-override" + "gateway.istio.io/service-account" + "gateway.istio.io/controller-version" + ) | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" +spec: + ipFamilyPolicy: PreferDualStack + ports: + {{- range $key, $val := .Ports }} + - name: {{ $val.Name | quote }} + port: {{ $val.Port }} + protocol: TCP + appProtocol: {{ $val.AppProtocol }} + {{- end }} + selector: + "{{.GatewayNameLabel}}": "{{.Name}}" + {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} + loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} + {{- end }} + type: {{ .ServiceType | quote }} +--- +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: "{{.UID}}" +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{.DeploymentName | quote}} + maxReplicas: 1 +--- +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: "{{.UID}}" +spec: + selector: + matchLabels: + gateway.networking.k8s.io/gateway-name: {{.Name|quote}} + diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/NOTES.txt new file mode 100644 index 0000000000..0d07ea7f4c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/NOTES.txt @@ -0,0 +1,82 @@ +"istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}" successfully installed! + +To learn more about the release, try: + $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} + $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} + +Next steps: +{{- $profile := default "" .Values.profile }} +{{- if (eq $profile "ambient") }} + * Get started with ambient: https://istio.io/latest/docs/ops/ambient/getting-started/ + * Review ambient's architecture: https://istio.io/latest/docs/ops/ambient/architecture/ +{{- else }} + * Deploy a Gateway: https://istio.io/latest/docs/setup/additional-setup/gateway/ + * Try out our tasks to get started on common configurations: + * https://istio.io/latest/docs/tasks/traffic-management + * https://istio.io/latest/docs/tasks/security/ + * https://istio.io/latest/docs/tasks/policy-enforcement/ +{{- end }} + * Review the list of actively supported releases, CVE publications and our hardening guide: + * https://istio.io/latest/docs/releases/supported-releases/ + * https://istio.io/latest/news/security/ + * https://istio.io/latest/docs/ops/best-practices/security/ + +For further documentation see https://istio.io website + +{{- + $deps := dict + "global.outboundTrafficPolicy" "meshConfig.outboundTrafficPolicy" + "global.certificates" "meshConfig.certificates" + "global.localityLbSetting" "meshConfig.localityLbSetting" + "global.policyCheckFailOpen" "meshConfig.policyCheckFailOpen" + "global.enableTracing" "meshConfig.enableTracing" + "global.proxy.accessLogFormat" "meshConfig.accessLogFormat" + "global.proxy.accessLogFile" "meshConfig.accessLogFile" + "global.proxy.concurrency" "meshConfig.defaultConfig.concurrency" + "global.proxy.envoyAccessLogService" "meshConfig.defaultConfig.envoyAccessLogService" + "global.proxy.envoyAccessLogService.enabled" "meshConfig.enableEnvoyAccessLogService" + "global.proxy.envoyMetricsService" "meshConfig.defaultConfig.envoyMetricsService" + "global.proxy.protocolDetectionTimeout" "meshConfig.protocolDetectionTimeout" + "global.proxy.holdApplicationUntilProxyStarts" "meshConfig.defaultConfig.holdApplicationUntilProxyStarts" + "pilot.ingress" "meshConfig.ingressService, meshConfig.ingressControllerMode, and meshConfig.ingressClass" + "global.mtls.enabled" "the PeerAuthentication resource" + "global.mtls.auto" "meshConfig.enableAutoMtls" + "global.tracer.lightstep.address" "meshConfig.defaultConfig.tracing.lightstep.address" + "global.tracer.lightstep.accessToken" "meshConfig.defaultConfig.tracing.lightstep.accessToken" + "global.tracer.zipkin.address" "meshConfig.defaultConfig.tracing.zipkin.address" + "global.tracer.datadog.address" "meshConfig.defaultConfig.tracing.datadog.address" + "global.meshExpansion.enabled" "Gateway and other Istio networking resources, such as in samples/multicluster/" + "istiocoredns.enabled" "the in-proxy DNS capturing (ISTIO_META_DNS_CAPTURE)" +}} +{{- range $dep, $replace := $deps }} +{{- /* Complex logic to turn the string above into a null-safe traversal like ((.Values.global).certificates */}} +{{- $res := tpl (print "{{" (repeat (split "." $dep | len) "(") ".Values." (replace "." ")." $dep) ")}}") $}} +{{- if not (eq $res "")}} +WARNING: {{$dep|quote}} is deprecated; use {{$replace|quote}} instead. +{{- end }} +{{- end }} +{{- + $failDeps := dict + "telemetry.v2.prometheus.configOverride" + "telemetry.v2.stackdriver.configOverride" + "telemetry.v2.stackdriver.disableOutbound" + "telemetry.v2.stackdriver.outboundAccessLogging" + "global.tracer.stackdriver.debug" "meshConfig.defaultConfig.tracing.stackdriver.debug" + "global.tracer.stackdriver.maxNumberOfAttributes" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAttributes" + "global.tracer.stackdriver.maxNumberOfAnnotations" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAnnotations" + "global.tracer.stackdriver.maxNumberOfMessageEvents" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfMessageEvents" + "meshConfig.defaultConfig.tracing.stackdriver.debug" "Istio supported tracers" + "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAttributes" "Istio supported tracers" + "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAnnotations" "Istio supported tracers" + "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfMessageEvents" "Istio supported tracers" +}} +{{- range $dep, $replace := $failDeps }} +{{- /* Complex logic to turn the string above into a null-safe traversal like ((.Values.global).certificates */}} +{{- $res := tpl (print "{{" (repeat (split "." $dep | len) "(") ".Values." (replace "." ")." $dep) ")}}") $}} +{{- if not (eq $res "")}} +{{fail (print $dep " is removed")}} +{{- end }} +{{- end }} +{{- if eq $.Values.global.pilotCertProvider "kubernetes" }} +{{- fail "pilotCertProvider=kubernetes is not supported" }} +{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/_helpers.tpl new file mode 100644 index 0000000000..042c92538d --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/_helpers.tpl @@ -0,0 +1,23 @@ +{{/* Default Prometheus is enabled if its enabled and there are no config overrides set */}} +{{ define "default-prometheus" }} +{{- and + (not .Values.meshConfig.defaultProviders) + .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.prometheus.enabled +}} +{{- end }} + +{{/* SD has metrics and logging split. Default metrics are enabled if SD is enabled */}} +{{ define "default-sd-metrics" }} +{{- and + (not .Values.meshConfig.defaultProviders) + .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled +}} +{{- end }} + +{{/* SD has metrics and logging split. */}} +{{ define "default-sd-logs" }} +{{- and + (not .Values.meshConfig.defaultProviders) + .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled +}} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/autoscale.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/autoscale.yaml new file mode 100644 index 0000000000..09cd6258ce --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/autoscale.yaml @@ -0,0 +1,43 @@ +# Not created if istiod is running remotely +{{- if not .Values.istiodRemote.enabled }} +{{- if and .Values.autoscaleEnabled .Values.autoscaleMin .Values.autoscaleMax }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +spec: + maxReplicas: {{ .Values.autoscaleMax }} + minReplicas: {{ .Values.autoscaleMin }} + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + metrics: + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.cpu.targetAverageUtilization }} + {{- if .Values.memory.targetAverageUtilization }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.memory.targetAverageUtilization }} + {{- end }} + {{- if .Values.autoscaleBehavior }} + behavior: {{ toYaml .Values.autoscaleBehavior | nindent 4 }} + {{- end }} +--- +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/clusterrole.yaml new file mode 100644 index 0000000000..0fa8532a9a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/clusterrole.yaml @@ -0,0 +1,212 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} +{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +rules: + # sidecar injection controller + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update", "patch"] + + # configuration validation webhook controller + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update"] + + # istio configuration + # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382) + # please proceed with caution + - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] + verbs: ["get", "watch", "list"] + resources: ["*"] +{{- if .Values.global.istiod.enableAnalysis }} + - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] + verbs: ["update", "patch"] + resources: + - authorizationpolicies/status + - destinationrules/status + - envoyfilters/status + - gateways/status + - peerauthentications/status + - proxyconfigs/status + - requestauthentications/status + - serviceentries/status + - sidecars/status + - telemetries/status + - virtualservices/status + - wasmplugins/status + - workloadentries/status + - workloadgroups/status +{{- end }} + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "workloadentries" ] + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "workloadentries/status", "serviceentries/status" ] + - apiGroups: ["security.istio.io"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "authorizationpolicies/status" ] + - apiGroups: [""] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "services/status" ] + + # auto-detect installed CRD definitions + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch"] + + # discovery and routing + - apiGroups: [""] + resources: ["pods", "nodes", "services", "namespaces", "endpoints"] + verbs: ["get", "list", "watch"] + - apiGroups: ["discovery.k8s.io"] + resources: ["endpointslices"] + verbs: ["get", "list", "watch"] + +{{- if .Values.taint.enabled }} + - apiGroups: [""] + resources: ["nodes"] + verbs: ["patch"] +{{- end }} + + # ingress controller +{{- if .Values.global.istiod.enableAnalysis }} + - apiGroups: ["extensions", "networking.k8s.io"] + resources: ["ingresses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["extensions", "networking.k8s.io"] + resources: ["ingresses/status"] + verbs: ["*"] +{{- end}} + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses", "ingressclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses/status"] + verbs: ["*"] + + # required for CA's namespace controller + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["create", "get", "list", "watch", "update"] + + # Istiod and bootstrap. +{{- $omitCertProvidersForClusterRole := list "istiod" "custom" "none"}} +{{- if or .Values.env.EXTERNAL_CA (not (has .Values.global.pilotCertProvider $omitCertProvidersForClusterRole)) }} + - apiGroups: ["certificates.k8s.io"] + resources: + - "certificatesigningrequests" + - "certificatesigningrequests/approval" + - "certificatesigningrequests/status" + verbs: ["update", "create", "get", "delete", "watch"] + - apiGroups: ["certificates.k8s.io"] + resources: + - "signers" + resourceNames: +{{- range .Values.global.certSigners }} + - {{ . | quote }} +{{- end }} + verbs: ["approve"] +{{- end}} +{{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + - apiGroups: ["certificates.k8s.io"] + resources: ["clustertrustbundles"] + verbs: ["update", "create", "delete", "list", "watch", "get"] + - apiGroups: ["certificates.k8s.io"] + resources: ["signers"] + resourceNames: ["istio.io/istiod-ca"] + verbs: ["attest"] +{{- end }} + + # Used by Istiod to verify the JWT tokens + - apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] + + # Used by Istiod to verify gateway SDS + - apiGroups: ["authorization.k8s.io"] + resources: ["subjectaccessreviews"] + verbs: ["create"] + + # Use for Kubernetes Service APIs + - apiGroups: ["gateway.networking.k8s.io", "gateway.networking.x-k8s.io"] + resources: ["*"] + verbs: ["get", "watch", "list"] + - apiGroups: ["gateway.networking.x-k8s.io"] + resources: + - xbackendtrafficpolicies/status + verbs: ["update", "patch"] + - apiGroups: ["gateway.networking.k8s.io"] + resources: + - backendtlspolicies/status + - gatewayclasses/status + - gateways/status + - grpcroutes/status + - httproutes/status + - referencegrants/status + - tcproutes/status + - tlsroutes/status + - udproutes/status + verbs: ["update", "patch"] + - apiGroups: ["gateway.networking.k8s.io"] + resources: ["gatewayclasses"] + verbs: ["create", "update", "patch", "delete"] + - apiGroups: ["inference.networking.x-k8s.io"] + resources: ["inferencepools"] + verbs: ["get", "watch", "list"] + - apiGroups: ["inference.networking.x-k8s.io"] + resources: ["inferencepools/status"] + verbs: ["update", "patch"] + + # Needed for multicluster secret reading, possibly ingress certs in the future + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "watch", "list"] + + # Used for MCS serviceexport management + - apiGroups: ["{{ $mcsAPIGroup }}"] + resources: ["serviceexports"] + verbs: [ "get", "watch", "list", "create", "delete"] + + # Used for MCS serviceimport management + - apiGroups: ["{{ $mcsAPIGroup }}"] + resources: ["serviceimports"] + verbs: ["get", "watch", "list"] +--- +{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +rules: + - apiGroups: ["apps"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "deployments" ] + - apiGroups: ["autoscaling"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "horizontalpodautoscalers" ] + - apiGroups: ["policy"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "poddisruptionbudgets" ] + - apiGroups: [""] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "services" ] + - apiGroups: [""] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "serviceaccounts"] +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..10781b4079 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/clusterrolebinding.yaml @@ -0,0 +1,40 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} +subjects: + - kind: ServiceAccount + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} +--- +{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} +subjects: +- kind: ServiceAccount + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/configmap-jwks.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/configmap-jwks.yaml new file mode 100644 index 0000000000..3505d28229 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/configmap-jwks.yaml @@ -0,0 +1,18 @@ +# Not created if istiod is running remotely +{{- if not .Values.istiodRemote.enabled }} +{{- if .Values.jwksResolverExtraRootCA }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +data: + extra.pem: {{ .Values.jwksResolverExtraRootCA | quote }} +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/configmap-values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/configmap-values.yaml new file mode 100644 index 0000000000..75e6e0bcc6 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/configmap-values.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: values{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + annotations: + kubernetes.io/description: This ConfigMap contains the Helm values used during chart rendering. This ConfigMap is rendered for debugging purposes and external tooling; modifying these values has no effect. + labels: + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +data: + original-values: |- +{{ .Values._original | toPrettyJson | indent 4 }} +{{- $_ := unset $.Values "_original" }} + merged-values: |- +{{ .Values | toPrettyJson | indent 4 }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/configmap.yaml new file mode 100644 index 0000000000..3098d300fd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/configmap.yaml @@ -0,0 +1,106 @@ +{{- define "mesh" }} + # The trust domain corresponds to the trust root of a system. + # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain + trustDomain: "cluster.local" + + # The namespace to treat as the administrative root namespace for Istio configuration. + # When processing a leaf namespace Istio will search for declarations in that namespace first + # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace + # is processed as if it were declared in the leaf namespace. + rootNamespace: {{ .Values.meshConfig.rootNamespace | default .Values.global.istioNamespace }} + + {{ $prom := include "default-prometheus" . | eq "true" }} + {{ $sdMetrics := include "default-sd-metrics" . | eq "true" }} + {{ $sdLogs := include "default-sd-logs" . | eq "true" }} + {{- if or $prom $sdMetrics $sdLogs }} + defaultProviders: + {{- if or $prom $sdMetrics }} + metrics: + {{ if $prom }}- prometheus{{ end }} + {{ if and $sdMetrics $sdLogs }}- stackdriver{{ end }} + {{- end }} + {{- if and $sdMetrics $sdLogs }} + accessLogging: + - stackdriver + {{- end }} + {{- end }} + + defaultConfig: + {{- if .Values.global.meshID }} + meshId: "{{ .Values.global.meshID }}" + {{- end }} + {{- with (.Values.global.proxy.variant | default .Values.global.variant) }} + image: + imageType: {{. | quote}} + {{- end }} + {{- if not (eq .Values.global.proxy.tracer "none") }} + tracing: + {{- if eq .Values.global.proxy.tracer "lightstep" }} + lightstep: + # Address of the LightStep Satellite pool + address: {{ .Values.global.tracer.lightstep.address }} + # Access Token used to communicate with the Satellite pool + accessToken: {{ .Values.global.tracer.lightstep.accessToken }} + {{- else if eq .Values.global.proxy.tracer "zipkin" }} + zipkin: + # Address of the Zipkin collector + address: {{ ((.Values.global.tracer).zipkin).address | default (print "zipkin." .Values.global.istioNamespace ":9411") }} + {{- else if eq .Values.global.proxy.tracer "datadog" }} + datadog: + # Address of the Datadog Agent + address: {{ ((.Values.global.tracer).datadog).address | default "$(HOST_IP):8126" }} + {{- else if eq .Values.global.proxy.tracer "stackdriver" }} + stackdriver: + # enables trace output to stdout. + debug: {{ (($.Values.global.tracer).stackdriver).debug | default "false" }} + # The global default max number of attributes per span. + maxNumberOfAttributes: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAttributes | default "200" }} + # The global default max number of annotation events per span. + maxNumberOfAnnotations: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAnnotations | default "200" }} + # The global default max number of message events per span. + maxNumberOfMessageEvents: {{ (($.Values.global.tracer).stackdriver).maxNumberOfMessageEvents | default "200" }} + {{- end }} + {{- end }} + {{- if .Values.global.remotePilotAddress }} + discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012 + {{- else }} + discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012 + {{- end }} +{{- end }} + +{{/* We take the mesh config above, defined with individual values.yaml, and merge with .Values.meshConfig */}} +{{/* The intent here is that meshConfig.foo becomes the API, rather than re-inventing the API in values.yaml */}} +{{- $originalMesh := include "mesh" . | fromYaml }} +{{- $mesh := mergeOverwrite $originalMesh .Values.meshConfig }} + +{{- if .Values.configMap }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +data: + + # Configuration file for the mesh networks to be used by the Split Horizon EDS. + meshNetworks: |- + {{- if .Values.global.meshNetworks }} + networks: +{{ toYaml .Values.global.meshNetworks | trim | indent 6 }} + {{- else }} + networks: {} + {{- end }} + + mesh: |- +{{- if .Values.meshConfig }} +{{ $mesh | toYaml | indent 4 }} +{{- else }} +{{- include "mesh" . }} +{{- end }} +--- +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/deployment.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/deployment.yaml new file mode 100644 index 0000000000..cf82b21e96 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/deployment.yaml @@ -0,0 +1,308 @@ +# Not created if istiod is running remotely +{{- if not .Values.istiodRemote.enabled }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + istio: pilot + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +{{- range $key, $val := .Values.deploymentLabels }} + {{ $key }}: "{{ $val }}" +{{- end }} +spec: +{{- if not .Values.autoscaleEnabled }} +{{- if .Values.replicaCount }} + replicas: {{ .Values.replicaCount }} +{{- end }} +{{- end }} + strategy: + rollingUpdate: + maxSurge: {{ .Values.rollingMaxSurge }} + maxUnavailable: {{ .Values.rollingMaxUnavailable }} + selector: + matchLabels: + {{- if ne .Values.revision "" }} + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + {{- else }} + istio: pilot + {{- end }} + template: + metadata: + labels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + sidecar.istio.io/inject: "false" + operator.istio.io/component: "Pilot" + {{- if ne .Values.revision "" }} + istio: istiod + {{- else }} + istio: pilot + {{- end }} + {{- range $key, $val := .Values.podLabels }} + {{ $key }}: "{{ $val }}" + {{- end }} + istio.io/dataplane-mode: none + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 8 }} + annotations: + prometheus.io/port: "15014" + prometheus.io/scrape: "true" + sidecar.istio.io/inject: "false" + {{- if .Values.podAnnotations }} +{{ toYaml .Values.podAnnotations | indent 8 }} + {{- end }} + spec: +{{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 8 }} +{{- end }} +{{- with .Values.affinity }} + affinity: +{{- toYaml . | nindent 8 }} +{{- end }} + tolerations: + - key: cni.istio.io/not-ready + operator: "Exists" +{{- with .Values.tolerations }} +{{- toYaml . | nindent 8 }} +{{- end }} +{{- with .Values.topologySpreadConstraints }} + topologySpreadConstraints: +{{- toYaml . | nindent 8 }} +{{- end }} + serviceAccountName: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} +{{- if .Values.global.priorityClassName }} + priorityClassName: "{{ .Values.global.priorityClassName }}" +{{- end }} +{{- with .Values.initContainers }} + initContainers: + {{- tpl (toYaml .) $ | nindent 8 }} +{{- end }} + containers: + - name: discovery +{{- if contains "/" .Values.image }} + image: "{{ .Values.image }}" +{{- else }} + image: "{{ .Values.hub | default .Values.global.hub }}/{{ .Values.image | default "pilot" }}:{{ .Values.tag | default .Values.global.tag }}{{with (.Values.variant | default .Values.global.variant)}}-{{.}}{{end}}" +{{- end }} +{{- if .Values.global.imagePullPolicy }} + imagePullPolicy: {{ .Values.global.imagePullPolicy }} +{{- end }} + args: + - "discovery" + - --monitoringAddr=:15014 +{{- if .Values.global.logging.level }} + - --log_output_level={{ .Values.global.logging.level }} +{{- end}} +{{- if .Values.global.logAsJson }} + - --log_as_json +{{- end }} + - --domain + - {{ .Values.global.proxy.clusterDomain }} +{{- if .Values.taint.namespace }} + - --cniNamespace={{ .Values.taint.namespace }} +{{- end }} + - --keepaliveMaxServerConnectionAge + - "{{ .Values.keepaliveMaxServerConnectionAge }}" +{{- if .Values.extraContainerArgs }} + {{- with .Values.extraContainerArgs }} + {{- toYaml . | nindent 10 }} + {{- end }} +{{- end }} + ports: + - containerPort: 8080 + protocol: TCP + name: http-debug + - containerPort: 15010 + protocol: TCP + name: grpc-xds + - containerPort: 15012 + protocol: TCP + name: tls-xds + - containerPort: 15017 + protocol: TCP + name: https-webhooks + - containerPort: 15014 + protocol: TCP + name: http-monitoring + readinessProbe: + httpGet: + path: /ready + port: 8080 + initialDelaySeconds: 1 + periodSeconds: 3 + timeoutSeconds: 5 + env: + - name: REVISION + value: "{{ .Values.revision | default `default` }}" + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.serviceAccountName + - name: KUBECONFIG + value: /var/run/secrets/remote/config + # If you explicitly told us where ztunnel lives, use that. + # Otherwise, assume it lives in our namespace + # Also, check for an explicit ENV override (legacy approach) and prefer that + # if present + {{ $ztTrustedNS := or .Values.trustedZtunnelNamespace .Release.Namespace }} + {{ $ztTrustedName := or .Values.trustedZtunnelName "ztunnel" }} + {{- if not .Values.env.CA_TRUSTED_NODE_ACCOUNTS }} + - name: CA_TRUSTED_NODE_ACCOUNTS + value: "{{ $ztTrustedNS }}/{{ $ztTrustedName }}" + {{- end }} + {{- if .Values.env }} + {{- range $key, $val := .Values.env }} + - name: {{ $key }} + value: "{{ $val }}" + {{- end }} + {{- end }} + {{- with .Values.envVarFrom }} + {{- toYaml . | nindent 10 }} + {{- end }} +{{- if .Values.traceSampling }} + - name: PILOT_TRACE_SAMPLING + value: "{{ .Values.traceSampling }}" +{{- end }} +# If externalIstiod is set via Values.Global, then enable the pilot env variable. However, if it's set via Values.pilot.env, then +# don't set it here to avoid duplication. +# TODO (nshankar13): Move from Helm chart to code: https://github.com/istio/istio/issues/52449 +{{- if and .Values.global.externalIstiod (not (and .Values.env .Values.env.EXTERNAL_ISTIOD)) }} + - name: EXTERNAL_ISTIOD + value: "{{ .Values.global.externalIstiod }}" +{{- end }} +{{- if .Values.global.trustBundleName }} + - name: PILOT_CA_CERT_CONFIGMAP + value: "{{ .Values.global.trustBundleName }}" +{{- end }} + - name: PILOT_ENABLE_ANALYSIS + value: "{{ .Values.global.istiod.enableAnalysis }}" + - name: CLUSTER_ID + value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}" + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + divisor: "1" + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + divisor: "1" + - name: PLATFORM + value: "{{ coalesce .Values.global.platform .Values.platform }}" + resources: +{{- if .Values.resources }} +{{ toYaml .Values.resources | trim | indent 12 }} +{{- else }} +{{ toYaml .Values.global.defaultResources | trim | indent 12 }} +{{- end }} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL +{{- if .Values.seccompProfile }} + seccompProfile: +{{ toYaml .Values.seccompProfile | trim | indent 14 }} +{{- end }} + volumeMounts: + - name: istio-token + mountPath: /var/run/secrets/tokens + readOnly: true + - name: local-certs + mountPath: /var/run/secrets/istio-dns + - name: cacerts + mountPath: /etc/cacerts + readOnly: true + - name: istio-kubeconfig + mountPath: /var/run/secrets/remote + readOnly: true + {{- if .Values.jwksResolverExtraRootCA }} + - name: extracacerts + mountPath: /cacerts + {{- end }} + - name: istio-csr-dns-cert + mountPath: /var/run/secrets/istiod/tls + readOnly: true + - name: istio-csr-ca-configmap + mountPath: /var/run/secrets/istiod/ca + readOnly: true + {{- with .Values.volumeMounts }} + {{- toYaml . | nindent 10 }} + {{- end }} + volumes: + # Technically not needed on this pod - but it helps debugging/testing SDS + # Should be removed after everything works. + - emptyDir: + medium: Memory + name: local-certs + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: {{ .Values.global.sds.token.aud }} + expirationSeconds: 43200 + path: istio-token + # Optional: user-generated root + - name: cacerts + secret: + secretName: cacerts + optional: true + - name: istio-kubeconfig + secret: + secretName: istio-kubeconfig + optional: true + # Optional: istio-csr dns pilot certs + - name: istio-csr-dns-cert + secret: + secretName: istiod-tls + optional: true + - name: istio-csr-ca-configmap + {{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:root-cert + path: root-cert.pem + optional: true + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + defaultMode: 420 + optional: true + {{- end }} + {{- if .Values.jwksResolverExtraRootCA }} + - name: extracacerts + configMap: + name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- end }} + {{- with .Values.volumes }} + {{- toYaml . | nindent 6}} + {{- end }} + +--- +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/gateway-class-configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/gateway-class-configmap.yaml new file mode 100644 index 0000000000..6b23d716a4 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/gateway-class-configmap.yaml @@ -0,0 +1,20 @@ +{{ range $key, $value := .Values.gatewayClasses }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-{{ $.Values.revision | default "default" }}-gatewayclass-{{$key}} + namespace: {{ $.Release.Namespace }} + labels: + istio.io/rev: {{ $.Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + release: {{ $.Release.Name }} + app.kubernetes.io/name: "istiod" + gateway.istio.io/defaults-for-class: {{$key|quote}} + {{- include "istio.labels" $ | nindent 4 }} +data: +{{ range $kind, $overlay := $value }} + {{$kind}}: | +{{$overlay|toYaml|trim|indent 4}} +{{ end }} +--- +{{ end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/istiod-injector-configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/istiod-injector-configmap.yaml new file mode 100644 index 0000000000..171aff8861 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/istiod-injector-configmap.yaml @@ -0,0 +1,81 @@ +{{- if not .Values.global.omitSidecarInjectorConfigMap }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +data: +{{/* Scope the values to just top level fields used in the template, to reduce the size. */}} + values: |- +{{ $vals := pick .Values "global" "sidecarInjectorWebhook" "revision" -}} +{{ $pilotVals := pick .Values "cni" "env" -}} +{{ $vals = set $vals "pilot" $pilotVals -}} +{{ $gatewayVals := pick .Values.gateways "securityContext" "seccompProfile" -}} +{{ $vals = set $vals "gateways" $gatewayVals -}} +{{ $vals | toPrettyJson | indent 4 }} + + # To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching + # and istiod webhook functionality. + # + # New fields should not use Values - it is a 'primary' config object, users should be able + # to fine tune it or use it with kube-inject. + config: |- + # defaultTemplates defines the default template to use for pods that do not explicitly specify a template + {{- if .Values.sidecarInjectorWebhook.defaultTemplates }} + defaultTemplates: +{{- range .Values.sidecarInjectorWebhook.defaultTemplates}} + - {{ . }} +{{- end }} + {{- else }} + defaultTemplates: [sidecar] + {{- end }} + policy: {{ .Values.global.proxy.autoInject }} + alwaysInjectSelector: +{{ toYaml .Values.sidecarInjectorWebhook.alwaysInjectSelector | trim | indent 6 }} + neverInjectSelector: +{{ toYaml .Values.sidecarInjectorWebhook.neverInjectSelector | trim | indent 6 }} + injectedAnnotations: + {{- range $key, $val := .Values.sidecarInjectorWebhook.injectedAnnotations }} + "{{ $key }}": {{ $val | quote }} + {{- end }} + {{- /* If someone ends up with this new template, but an older Istiod image, they will attempt to render this template + which will fail with "Pod injection failed: template: inject:1: function "Istio_1_9_Required_Template_And_Version_Mismatched" not defined". + This should make it obvious that their installation is broken. + */}} + template: {{ `{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}` | quote }} + templates: +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "sidecar") }} + sidecar: | +{{ .Files.Get "files/injection-template.yaml" | trim | indent 8 }} +{{- end }} +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "gateway") }} + gateway: | +{{ .Files.Get "files/gateway-injection-template.yaml" | trim | indent 8 }} +{{- end }} +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-simple") }} + grpc-simple: | +{{ .Files.Get "files/grpc-simple.yaml" | trim | indent 8 }} +{{- end }} +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-agent") }} + grpc-agent: | +{{ .Files.Get "files/grpc-agent.yaml" | trim | indent 8 }} +{{- end }} +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "waypoint") }} + waypoint: | +{{ .Files.Get "files/waypoint.yaml" | trim | indent 8 }} +{{- end }} +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "kube-gateway") }} + kube-gateway: | +{{ .Files.Get "files/kube-gateway.yaml" | trim | indent 8 }} +{{- end }} +{{- with .Values.sidecarInjectorWebhook.templates }} +{{ toYaml . | trim | indent 6 }} +{{- end }} + +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/mutatingwebhook.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/mutatingwebhook.yaml new file mode 100644 index 0000000000..22160f70a0 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/mutatingwebhook.yaml @@ -0,0 +1,164 @@ +# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that. +{{- /* Core defines the common configuration used by all webhook segments */}} +{{/* Copy just what we need to avoid expensive deepCopy */}} +{{- $whv := dict + "revision" .Values.revision + "injectionPath" .Values.istiodRemote.injectionPath + "injectionURL" .Values.istiodRemote.injectionURL + "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy + "caBundle" .Values.istiodRemote.injectionCABundle + "namespace" .Release.Namespace }} +{{- define "core" }} +{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign +a unique prefix to each. */}} +- name: {{.Prefix}}sidecar-injector.istio.io + clientConfig: + {{- if .injectionURL }} + url: "{{ .injectionURL }}" + {{- else }} + service: + name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} + namespace: {{ .namespace }} + path: "{{ .injectionPath }}" + port: 443 + {{- end }} + {{- if .caBundle }} + caBundle: "{{ .caBundle }}" + {{- end }} + sideEffects: None + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + reinvocationPolicy: "{{ .reinvocationPolicy }}" + admissionReviewVersions: ["v1"] +{{- end }} +{{- /* Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) */}} +{{- if not .Values.global.operatorManageWebhooks }} +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: +{{- if eq .Release.Namespace "istio-system"}} + name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} +{{- else }} + name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} +{{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app: sidecar-injector + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +{{- if $.Values.sidecarInjectorWebhookAnnotations }} + annotations: +{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }} +{{- end }} +webhooks: +{{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}} + +{{- /* Case 1: namespace selector matches, and object doesn't disable */}} +{{- /* Note: if both revision and legacy selector, we give precedence to the legacy one */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + {{- if (eq .Values.revision "") }} + - "default" + {{- else }} + - "{{ .Values.revision }}" + {{- end }} + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + +{{- /* Case 2: No namespace selector, but object selects our revision (and doesn't disable) */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: DoesNotExist + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + - key: istio.io/rev + operator: In + values: + {{- if (eq .Values.revision "") }} + - "default" + {{- else }} + - "{{ .Values.revision }}" + {{- end }} + + +{{- /* Webhooks for default revision */}} +{{- if (eq .Values.revision "") }} + +{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: In + values: + - enabled + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + +{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: In + values: + - "true" + - key: istio.io/rev + operator: DoesNotExist + +{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }} +{{- /* Special case 3: no labels at all */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + - key: "kubernetes.io/metadata.name" + operator: "NotIn" + values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist +{{- end }} + +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/networkpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/networkpolicy.yaml new file mode 100644 index 0000000000..bcc1594d97 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/networkpolicy.yaml @@ -0,0 +1,45 @@ +{{- if (.Values.global.networkPolicy).enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + istio: pilot + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + policyTypes: + - Ingress + - Egress + ingress: + # Webhook from kube-apiserver + - from: [] + ports: + - protocol: TCP + port: 15017 + # xDS from potentially anywhere + - from: [] + ports: + - protocol: TCP + port: 15010 + - protocol: TCP + port: 15011 + - protocol: TCP + port: 15012 + - protocol: TCP + port: 8080 + - protocol: TCP + port: 15014 + # Allow all egress (needed because features like JWKS require connections to user-defined endpoints) + egress: + - {} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/poddisruptionbudget.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/poddisruptionbudget.yaml new file mode 100644 index 0000000000..5b8f812faa --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/poddisruptionbudget.yaml @@ -0,0 +1,39 @@ +# Not created if istiod is running remotely +{{- if not .Values.istiodRemote.enabled }} +{{- if .Values.global.defaultPodDisruptionBudget.enabled }} +# a workaround for https://github.com/kubernetes/kubernetes/issues/93476 +{{- if or (and .Values.autoscaleEnabled (gt (int .Values.autoscaleMin) 1)) (and (not .Values.autoscaleEnabled) (gt (int .Values.replicaCount) 1)) }} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + release: {{ .Release.Name }} + istio: pilot + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +spec: + {{- if and .Values.pdb.minAvailable (not (hasKey .Values.pdb "maxUnavailable")) }} + minAvailable: {{ .Values.pdb.minAvailable }} + {{- else if .Values.pdb.maxUnavailable }} + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + {{- end }} + {{- if .Values.pdb.unhealthyPodEvictionPolicy }} + unhealthyPodEvictionPolicy: {{ .Values.pdb.unhealthyPodEvictionPolicy }} + {{- end }} + selector: + matchLabels: + app: istiod + {{- if ne .Values.revision "" }} + istio.io/rev: {{ .Values.revision | quote }} + {{- else }} + istio: pilot + {{- end }} +--- +{{- end }} +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/reader-clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/reader-clusterrole.yaml new file mode 100644 index 0000000000..4707c7e9f0 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/reader-clusterrole.yaml @@ -0,0 +1,64 @@ +{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istio-reader + release: {{ .Release.Name }} + app.kubernetes.io/name: "istio-reader" + {{- include "istio.labels" . | nindent 4 }} +rules: + - apiGroups: + - "config.istio.io" + - "security.istio.io" + - "networking.istio.io" + - "authentication.istio.io" + - "rbac.istio.io" + - "telemetry.istio.io" + - "extensions.istio.io" + resources: ["*"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + # TODO(keithmattix): See if we can conditionally give permission to read secrets and configmaps iff externalIstiod + # is enabled. Best I can tell, these two resources are only needed for configuring proxy TLS (i.e. CA certs). + resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets", "configmaps"] + verbs: ["get", "list", "watch"] + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list" ] + resources: [ "workloadentries" ] + - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] + resources: ["gateways"] + verbs: ["get", "watch", "list"] + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch"] + - apiGroups: ["discovery.k8s.io"] + resources: ["endpointslices"] + verbs: ["get", "list", "watch"] + - apiGroups: ["{{ $mcsAPIGroup }}"] + resources: ["serviceexports"] + verbs: ["get", "list", "watch", "create", "delete"] + - apiGroups: ["{{ $mcsAPIGroup }}"] + resources: ["serviceimports"] + verbs: ["get", "list", "watch"] + - apiGroups: ["apps"] + resources: ["replicasets"] + verbs: ["get", "list", "watch"] + - apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] + - apiGroups: ["authorization.k8s.io"] + resources: ["subjectaccessreviews"] + verbs: ["create"] +{{- if .Values.istiodRemote.enabled }} + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["create", "get", "list", "watch", "update"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update"] +{{- end}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/reader-clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/reader-clusterrolebinding.yaml new file mode 100644 index 0000000000..aea9f01f7a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/reader-clusterrolebinding.yaml @@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istio-reader + release: {{ .Release.Name }} + app.kubernetes.io/name: "istio-reader" + {{- include "istio.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} +subjects: + - kind: ServiceAccount + name: istio-reader-service-account + namespace: {{ .Values.global.istioNamespace }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/remote-istiod-endpoints.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/remote-istiod-endpoints.yaml new file mode 100644 index 0000000000..a6de571da5 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/remote-istiod-endpoints.yaml @@ -0,0 +1,25 @@ +# This file is only used for remote `istiod` installs. +{{- if .Values.istiodRemote.enabled }} +# if the remotePilotAddress is an IP addr +{{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }} +apiVersion: v1 +kind: Endpoints +metadata: + name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +subsets: +- addresses: + - ip: {{ .Values.global.remotePilotAddress }} + ports: + - port: 15012 + name: tcp-istiod + protocol: TCP + - port: 15017 + name: tcp-webhook + protocol: TCP +--- +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/remote-istiod-service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/remote-istiod-service.yaml new file mode 100644 index 0000000000..d3f872f74b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/remote-istiod-service.yaml @@ -0,0 +1,35 @@ +# This file is only used for remote `istiod` installs. +{{- if .Values.global.remotePilotAddress }} +apiVersion: v1 +kind: Service +metadata: + name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: "istiod" + {{ include "istio.labels" . | nindent 4 }} +spec: + ports: + - port: 15012 + name: tcp-istiod + protocol: TCP + - port: 443 + targetPort: 15017 + name: tcp-webhook + protocol: TCP + {{- if and .Values.global.remotePilotAddress (not (regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress)) }} + # if the remotePilotAddress is not an IP addr, we use ExternalName + type: ExternalName + externalName: {{ .Values.global.remotePilotAddress }} + {{- end }} +{{- if .Values.global.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.global.ipFamilyPolicy }} +{{- end }} +{{- if .Values.global.ipFamilies }} + ipFamilies: +{{- range .Values.global.ipFamilies }} + - {{ . }} +{{- end }} +{{- end }} +--- +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/revision-tags.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/revision-tags.yaml new file mode 100644 index 0000000000..e45b5e1d49 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/revision-tags.yaml @@ -0,0 +1,148 @@ +# Adapted from istio-discovery/templates/mutatingwebhook.yaml +# Removed paths for legacy and default selectors since a revision tag +# is inherently created from a specific revision +# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that. +{{- $whv := dict + "revision" .Values.revision + "injectionPath" .Values.istiodRemote.injectionPath + "injectionURL" .Values.istiodRemote.injectionURL + "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy + "namespace" .Release.Namespace }} +{{- define "core" }} +{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign +a unique prefix to each. */}} +- name: {{.Prefix}}sidecar-injector.istio.io + clientConfig: + {{- if .injectionURL }} + url: "{{ .injectionURL }}" + {{- else }} + service: + name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} + namespace: {{ .namespace }} + path: "{{ .injectionPath }}" + port: 443 + {{- end }} + sideEffects: None + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + reinvocationPolicy: "{{ .reinvocationPolicy }}" + admissionReviewVersions: ["v1"] +{{- end }} +{{- range $tagName := $.Values.revisionTags }} +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: +{{- if eq $.Release.Namespace "istio-system"}} + name: istio-revision-tag-{{ $tagName }} +{{- else }} + name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }} +{{- end }} + labels: + istio.io/tag: {{ $tagName }} + istio.io/rev: {{ $.Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app: sidecar-injector + release: {{ $.Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" $ | nindent 4 }} +{{- if $.Values.sidecarInjectorWebhookAnnotations }} + annotations: +{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }} +{{- end }} +webhooks: +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + - "{{ $tagName }}" + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: DoesNotExist + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + - key: istio.io/rev + operator: In + values: + - "{{ $tagName }}" + +{{- /* When the tag is "default" we want to create webhooks for the default revision */}} +{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}} +{{- if (eq $tagName "default") }} + +{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: In + values: + - enabled + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + +{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: In + values: + - "true" + - key: istio.io/rev + operator: DoesNotExist + +{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }} +{{- /* Special case 3: no labels at all */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + - key: "kubernetes.io/metadata.name" + operator: "NotIn" + values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist +{{- end }} + +{{- end }} +--- +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/role.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/role.yaml new file mode 100644 index 0000000000..10d89e8d1b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/role.yaml @@ -0,0 +1,35 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +rules: +# permissions to verify the webhook is ready and rejecting +# invalid config. We use --server-dry-run so no config is persisted. +- apiGroups: ["networking.istio.io"] + verbs: ["create"] + resources: ["gateways"] + +# For storing CA secret +- apiGroups: [""] + resources: ["secrets"] + # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config + verbs: ["create", "get", "watch", "list", "update", "delete"] + +# For status controller, so it can delete the distribution report configmap +- apiGroups: [""] + resources: ["configmaps"] + verbs: ["delete"] + +# For gateway deployment controller +- apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "update", "patch", "create"] +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/rolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/rolebinding.yaml new file mode 100644 index 0000000000..a42f4ec442 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/rolebinding.yaml @@ -0,0 +1,21 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} +subjects: + - kind: ServiceAccount + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/service.yaml new file mode 100644 index 0000000000..30d5b89128 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/service.yaml @@ -0,0 +1,54 @@ +# Not created if istiod is running remotely +{{- if not .Values.istiodRemote.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + {{- if .Values.serviceAnnotations }} + annotations: +{{ toYaml .Values.serviceAnnotations | indent 4 }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app: istiod + istio: pilot + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +spec: + ports: + - port: 15010 + name: grpc-xds # plaintext + protocol: TCP + - port: 15012 + name: https-dns # mTLS with k8s-signed cert + protocol: TCP + - port: 443 + name: https-webhook # validation and injection + targetPort: 15017 + protocol: TCP + - port: 15014 + name: http-monitoring # prometheus stats + protocol: TCP + selector: + app: istiod + {{- if ne .Values.revision "" }} + istio.io/rev: {{ .Values.revision | quote }} + {{- else }} + # Label used by the 'default' service. For versioned deployments we match with app and version. + # This avoids default deployment picking the canary + istio: pilot + {{- end }} + {{- if .Values.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.ipFamilyPolicy }} + {{- end }} + {{- if .Values.ipFamilies }} + ipFamilies: + {{- range .Values.ipFamilies }} + - {{ . }} + {{- end }} + {{- end }} +--- +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/serviceaccount.yaml new file mode 100644 index 0000000000..a673a4d078 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/serviceaccount.yaml @@ -0,0 +1,24 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} +apiVersion: v1 +kind: ServiceAccount + {{- if .Values.global.imagePullSecrets }} +imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} + {{- if .Values.serviceAccountAnnotations }} + annotations: +{{- toYaml .Values.serviceAccountAnnotations | nindent 4 }} + {{- end }} +{{- end }} +--- diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/validatingadmissionpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/validatingadmissionpolicy.yaml new file mode 100644 index 0000000000..d36eef68eb --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/validatingadmissionpolicy.yaml @@ -0,0 +1,63 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} +{{- if .Values.experimental.stableValidationPolicy }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicy +metadata: + name: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" + labels: + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +spec: + failurePolicy: Fail + matchConstraints: + resourceRules: + - apiGroups: + - security.istio.io + - networking.istio.io + - telemetry.istio.io + - extensions.istio.io + apiVersions: ["*"] + operations: ["CREATE", "UPDATE"] + resources: ["*"] + objectSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + {{- if (eq .Values.revision "") }} + - "default" + {{- else }} + - "{{ .Values.revision }}" + {{- end }} + variables: + - name: isEnvoyFilter + expression: "object.kind == 'EnvoyFilter'" + - name: isWasmPlugin + expression: "object.kind == 'WasmPlugin'" + - name: isProxyConfig + expression: "object.kind == 'ProxyConfig'" + - name: isTelemetry + expression: "object.kind == 'Telemetry'" + validations: + - expression: "!variables.isEnvoyFilter" + - expression: "!variables.isWasmPlugin" + - expression: "!variables.isProxyConfig" + - expression: | + !( + variables.isTelemetry && ( + (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) || + (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) || + (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter)) + ) + ) +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicyBinding +metadata: + name: "stable-channel-policy-binding{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" +spec: + policyName: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" + validationActions: [Deny] +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/validatingwebhookconfiguration.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/validatingwebhookconfiguration.yaml new file mode 100644 index 0000000000..fb28836a0f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/validatingwebhookconfiguration.yaml @@ -0,0 +1,68 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} +{{- if .Values.global.configValidation }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: istio-validator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} + istio: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +webhooks: + # Webhook handling per-revision validation. Mostly here so we can determine whether webhooks + # are rejecting invalid configs on a per-revision basis. + - name: rev.validation.istio.io + clientConfig: + # Should change from base but cannot for API compat + {{- if .Values.base.validationURL }} + url: {{ .Values.base.validationURL }} + {{- else }} + service: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} + path: "/validate" + {{- end }} + {{- if .Values.base.validationCABundle }} + caBundle: "{{ .Values.base.validationCABundle }}" + {{- end }} + rules: + - operations: + - CREATE + - UPDATE + apiGroups: + - security.istio.io + - networking.istio.io + - telemetry.istio.io + - extensions.istio.io + apiVersions: + - "*" + resources: + - "*" + {{- if .Values.base.validationCABundle }} + # Disable webhook controller in Pilot to stop patching it + failurePolicy: Fail + {{- else }} + # Fail open until the validation webhook is ready. The webhook controller + # will update this to `Fail` and patch in the `caBundle` when the webhook + # endpoint is ready. + failurePolicy: Ignore + {{- end }} + sideEffects: None + admissionReviewVersions: ["v1"] + objectSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + {{- if (eq .Values.revision "") }} + - "default" + {{- else }} + - "{{ .Values.revision }}" + {{- end }} +--- +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/zzy_descope_legacy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/zzy_descope_legacy.yaml new file mode 100644 index 0000000000..ae8fced298 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/zzy_descope_legacy.yaml @@ -0,0 +1,3 @@ +{{/* Copy anything under `.pilot` to `.`, to avoid the need to specify a redundant prefix. +Due to the file naming, this always happens after zzz_profile.yaml */}} +{{- $_ := mustMergeOverwrite $.Values (index $.Values "pilot") }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/zzz_profile.yaml new file mode 100644 index 0000000000..3d84956485 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/templates/zzz_profile.yaml @@ -0,0 +1,75 @@ +{{/* +WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. +The original version of this file is located at /manifests directory. +If you want to make a change in this file, edit the original one and run "make gen". + +Complex logic ahead... +We have three sets of values, in order of precedence (last wins): +1. The builtin values.yaml defaults +2. The profile the user selects +3. Users input (-f or --set) + +Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). + +However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). +We can then merge the profile onto the defaults, then the user settings onto that. +Finally, we can set all of that under .Values so the chart behaves without awareness. +*/}} +{{- if $.Values.defaults}} +{{ fail (cat + "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" + ($.Values.defaults | toYaml |nindent 4) +) }} +{{- end }} +{{- $defaults := $.Values._internal_defaults_do_not_set }} +{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} +{{- $profile := dict }} +{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} +{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} +{{- $profile = (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown profile" .) }} +{{- end }} +{{- end }} +{{- with .Values.compatibilityVersion }} +{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} +{{- end }} +{{- end }} +{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} +{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown platform" .) }} +{{- end }} +{{- end }} +{{- if $profile }} +{{- $a := mustMergeOverwrite $defaults $profile }} +{{- end }} +# Flatten globals, if defined on a per-chart basis +{{- if false }} +{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} +{{- end }} +{{- $x := set $.Values "_original" (deepCopy $.Values) }} +{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} + +{{/* +Labels that should be applied to ALL resources. +*/}} +{{- define "istio.labels" -}} +{{- if .Release.Service -}} +app.kubernetes.io/managed-by: {{ .Release.Service | quote }} +{{- end }} +{{- if .Release.Name }} +app.kubernetes.io/instance: {{ .Release.Name | quote }} +{{- end }} +app.kubernetes.io/part-of: "istio" +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +{{- if and .Chart.Name .Chart.Version }} +helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/values.yaml new file mode 100644 index 0000000000..bb369026ce --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/istiod/values.yaml @@ -0,0 +1,567 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + autoscaleEnabled: true + autoscaleMin: 1 + autoscaleMax: 5 + autoscaleBehavior: {} + replicaCount: 1 + rollingMaxSurge: 100% + rollingMaxUnavailable: 25% + + hub: "" + tag: "" + variant: "" + + # Can be a full hub/image:tag + image: pilot + traceSampling: 1.0 + + # Resources for a small pilot install + resources: + requests: + cpu: 500m + memory: 2048Mi + + # Set to `type: RuntimeDefault` to use the default profile if available. + seccompProfile: {} + + # Whether to use an existing CNI installation + cni: + enabled: false + provider: default + + # Additional container arguments + extraContainerArgs: [] + + env: {} + + envVarFrom: [] + + # Settings related to the untaint controller + # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready + # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes + taint: + # Controls whether or not the untaint controller is active + enabled: false + # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod + namespace: "" + + affinity: {} + + tolerations: [] + + cpu: + targetAverageUtilization: 80 + memory: {} + # targetAverageUtilization: 80 + + # Additional volumeMounts to the istiod container + volumeMounts: [] + + # Additional volumes to the istiod pod + volumes: [] + + # Inject initContainers into the istiod pod + initContainers: [] + + nodeSelector: {} + podAnnotations: {} + serviceAnnotations: {} + serviceAccountAnnotations: {} + sidecarInjectorWebhookAnnotations: {} + + topologySpreadConstraints: [] + + # You can use jwksResolverExtraRootCA to provide a root certificate + # in PEM format. This will then be trusted by pilot when resolving + # JWKS URIs. + jwksResolverExtraRootCA: "" + + # The following is used to limit how long a sidecar can be connected + # to a pilot. It balances out load across pilot instances at the cost of + # increasing system churn. + keepaliveMaxServerConnectionAge: 30m + + # Additional labels to apply to the deployment. + deploymentLabels: {} + + ## Mesh config settings + + # Install the mesh config map, generated from values.yaml. + # If false, pilot wil use default values (by default) or user-supplied values. + configMap: true + + # Additional labels to apply on the pod level for monitoring and logging configuration. + podLabels: {} + + # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + ipFamilyPolicy: "" + ipFamilies: [] + + # Ambient mode only. + # Set this if you install ztunnel to a different namespace from `istiod`. + # If set, `istiod` will allow connections from trusted node proxy ztunnels + # in the provided namespace. + # If unset, `istiod` will assume the trusted node proxy ztunnel resides + # in the same namespace as itself. + trustedZtunnelNamespace: "" + # Set this if you install ztunnel with a name different from the default. + trustedZtunnelName: "" + + sidecarInjectorWebhook: + # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or + # always skip the injection on pods that match that label selector, regardless of the global policy. + # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions + neverInjectSelector: [] + alwaysInjectSelector: [] + + # injectedAnnotations are additional annotations that will be added to the pod spec after injection + # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations: + # + # annotations: + # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default + # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default + # + # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before + # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify: + # injectedAnnotations: + # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default + # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default + injectedAnnotations: {} + + # This enables injection of sidecar in all namespaces, + # with the exception of namespaces with "istio-injection:disabled" annotation + # Only one environment should have this enabled. + enableNamespacesByDefault: false + + # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run + # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten. + # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur. + reinvocationPolicy: Never + + rewriteAppHTTPProbe: true + + # Templates defines a set of custom injection templates that can be used. For example, defining: + # + # templates: + # hello: | + # metadata: + # labels: + # hello: world + # + # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod + # being injected with the hello=world labels. + # This is intended for advanced configuration only; most users should use the built in template + templates: {} + + # Default templates specifies a set of default templates that are used in sidecar injection. + # By default, a template `sidecar` is always provided, which contains the template of default sidecar. + # To inject other additional templates, define it using the `templates` option, and add it to + # the default templates list. + # For example: + # + # templates: + # hello: | + # metadata: + # labels: + # hello: world + # + # defaultTemplates: ["sidecar", "hello"] + defaultTemplates: [] + istiodRemote: + # If `true`, indicates that this cluster/install should consume a "remote istiod" installation, + # and istiod itself will NOT be installed in this cluster - only the support resources necessary + # to utilize a remote instance. + enabled: false + # Sidecar injector mutating webhook configuration clientConfig.url value. + # For example: https://$remotePilotAddress:15017/inject + # The host should not refer to a service running in the cluster; use a service reference by specifying + # the clientConfig.service field instead. + injectionURL: "" + + # Sidecar injector mutating webhook configuration path value for the clientConfig.service field. + # Override to pass env variables, for example: /inject/cluster/remote/net/network2 + injectionPath: "/inject" + + injectionCABundle: "" + telemetry: + enabled: true + v2: + # For Null VM case now. + # This also enables metadata exchange. + enabled: true + # Indicate if prometheus stats filter is enabled or not + prometheus: + enabled: true + # stackdriver filter settings. + stackdriver: + enabled: false + # Revision is set as 'version' label and part of the resource names when installing multiple control planes. + revision: "" + + # Revision tags are aliases to Istio control plane revisions + revisionTags: [] + + # For Helm compatibility. + ownerName: "" + + # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior + # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options + meshConfig: + enablePrometheusMerge: true + + experimental: + stableValidationPolicy: false + + global: + # Used to locate istiod. + istioNamespace: istio-system + # List of cert-signers to allow "approve" action in the istio cluster role + # + # certSigners: + # - clusterissuers.cert-manager.io/istio-ca + certSigners: [] + # enable pod disruption budget for the control plane, which is used to + # ensure Istio control plane components are gradually upgraded or recovered. + defaultPodDisruptionBudget: + enabled: true + # The values aren't mutable due to a current PodDisruptionBudget limitation + # minAvailable: 1 + + # A minimal set of requested resources to applied to all deployments so that + # Horizontal Pod Autoscaler will be able to function (if set). + # Each component can overwrite these default values by adding its own resources + # block in the relevant section below and setting the desired resources values. + defaultResources: + requests: + cpu: 10m + # memory: 128Mi + # limits: + # cpu: 100m + # memory: 128Mi + + # Default hub for Istio images. + # Releases are published to docker hub under 'istio' project. + # Dev builds from prow are on gcr.io + hub: gcr.io/istio-release + # Default tag for Istio images. + tag: 1.26.3 + # Variant of the image to use. + # Currently supported are: [debug, distroless] + variant: "" + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent. + imagePullPolicy: "" + + # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) + # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + # - private-registry-key + + # Enabled by default in master for maximising testing. + istiod: + enableAnalysis: false + + # To output all istio components logs in json format by adding --log_as_json argument to each container argument + logAsJson: false + + # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: + # The control plane has different scopes depending on component, but can configure default log level across all components + # If empty, default scope and level will be used as configured in code + logging: + level: "default:info" + + # When enabled, default NetworkPolicy resources will be created + networkPolicy: + enabled: false + + omitSidecarInjectorConfigMap: false + + # Configure whether Operator manages webhook configurations. The current behavior + # of Istiod is to manage its own webhook configurations. + # When this option is set as true, Istio Operator, instead of webhooks, manages the + # webhook configurations. When this option is set as false, webhooks manage their + # own webhook configurations. + operatorManageWebhooks: false + + # Custom DNS config for the pod to resolve names of services in other + # clusters. Use this to add additional search domains, and other settings. + # see + # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config + # This does not apply to gateway pods as they typically need a different + # set of DNS settings than the normal application pods (e.g., in + # multicluster scenarios). + # NOTE: If using templates, follow the pattern in the commented example below. + #podDNSSearchNamespaces: + #- global + #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global" + + # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and + # system-node-critical, it is better to configure this in order to make sure your Istio pods + # will not be killed because of low priority class. + # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + # for more detail. + priorityClassName: "" + + proxy: + image: proxyv2 + + # This controls the 'policy' in the sidecar injector. + autoInject: enabled + + # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value + # cluster domain. Default value is "cluster.local". + clusterDomain: "cluster.local" + + # Per Component log level for proxy, applies to gateways and sidecars. If a component level is + # not set, then the global "logLevel" will be used. + componentLogLevel: "misc:error" + + # istio ingress capture allowlist + # examples: + # Redirect only selected ports: --includeInboundPorts="80,8080" + excludeInboundPorts: "" + includeInboundPorts: "*" + + # istio egress capture allowlist + # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly + # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" + # would only capture egress traffic on those two IP Ranges, all other outbound traffic would + # be allowed by the sidecar + includeIPRanges: "*" + excludeIPRanges: "" + includeOutboundPorts: "" + excludeOutboundPorts: "" + + # Log level for proxy, applies to gateways and sidecars. + # Expected values are: trace|debug|info|warning|error|critical|off + logLevel: warning + + # Specify the path to the outlier event log. + # Example: /dev/stdout + outlierLogPath: "" + + #If set to true, istio-proxy container will have privileged securityContext + privileged: false + + # The number of successive failed probes before indicating readiness failure. + readinessFailureThreshold: 4 + + # The initial delay for readiness probes in seconds. + readinessInitialDelaySeconds: 0 + + # The period between readiness probes. + readinessPeriodSeconds: 15 + + # Enables or disables a startup probe. + # For optimal startup times, changing this should be tied to the readiness probe values. + # + # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4. + # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval), + # and doesn't spam the readiness endpoint too much + # + # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30. + # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly. + startupProbe: + enabled: true + failureThreshold: 600 # 10 minutes + + # Resources for the sidecar. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 1024Mi + + # Default port for Pilot agent health checks. A value of 0 will disable health checking. + statusPort: 15020 + + # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none. + # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. + tracer: "none" + + proxy_init: + # Base name for the proxy_init container, used to configure iptables. + image: proxyv2 + # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures. + # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases. + forceApplyIptables: false + + # configure remote pilot and istiod service and endpoint + remotePilotAddress: "" + + ############################################################################################## + # The following values are found in other charts. To effectively modify these values, make # + # make sure they are consistent across your Istio helm charts # + ############################################################################################## + + # The customized CA address to retrieve certificates for the pods in the cluster. + # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. + # If not set explicitly, default to the Istio discovery address. + caAddress: "" + + # Enable control of remote clusters. + externalIstiod: false + + # Configure a remote cluster as the config cluster for an external istiod. + configCluster: false + + # configValidation enables the validation webhook for Istio configuration. + configValidation: true + + # Mesh ID means Mesh Identifier. It should be unique within the scope where + # meshes will interact with each other, but it is not required to be + # globally/universally unique. For example, if any of the following are true, + # then two meshes must have different Mesh IDs: + # - Meshes will have their telemetry aggregated in one place + # - Meshes will be federated together + # - Policy will be written referencing one mesh from the other + # + # If an administrator expects that any of these conditions may become true in + # the future, they should ensure their meshes have different Mesh IDs + # assigned. + # + # Within a multicluster mesh, each cluster must be (manually or auto) + # configured to have the same Mesh ID value. If an existing cluster 'joins' a + # multicluster mesh, it will need to be migrated to the new mesh ID. Details + # of migration TBD, and it may be a disruptive operation to change the Mesh + # ID post-install. + # + # If the mesh admin does not specify a value, Istio will use the value of the + # mesh's Trust Domain. The best practice is to select a proper Trust Domain + # value. + meshID: "" + + # Configure the mesh networks to be used by the Split Horizon EDS. + # + # The following example defines two networks with different endpoints association methods. + # For `network1` all endpoints that their IP belongs to the provided CIDR range will be + # mapped to network1. The gateway for this network example is specified by its public IP + # address and port. + # The second network, `network2`, in this example is defined differently with all endpoints + # retrieved through the specified Multi-Cluster registry being mapped to network2. The + # gateway is also defined differently with the name of the gateway service on the remote + # cluster. The public IP for the gateway will be determined from that remote service (only + # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, + # it still need to be configured manually). + # + # meshNetworks: + # network1: + # endpoints: + # - fromCidr: "192.168.0.1/24" + # gateways: + # - address: 1.1.1.1 + # port: 80 + # network2: + # endpoints: + # - fromRegistry: reg1 + # gateways: + # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local + # port: 443 + # + meshNetworks: {} + + # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. + mountMtlsCerts: false + + multiCluster: + # Set to true to connect two kubernetes clusters via their respective + # ingressgateway services when pods in each cluster cannot directly + # talk to one another. All clusters should be using Istio mTLS and must + # have a shared root CA for this model to work. + enabled: false + # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection + # to properly label proxies + clusterName: "" + + # Network defines the network this cluster belong to. This name + # corresponds to the networks in the map of mesh networks. + network: "" + + # Configure the certificate provider for control plane communication. + # Currently, two providers are supported: "kubernetes" and "istiod". + # As some platforms may not have kubernetes signing APIs, + # Istiod is the default + pilotCertProvider: istiod + + sds: + # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. + # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the + # JWT is intended for the CA. + token: + aud: istio-ca + + sts: + # The service port used by Security Token Service (STS) server to handle token exchange requests. + # Setting this port to a non-zero value enables STS server. + servicePort: 0 + + # The name of the CA for workload certificates. + # For example, when caName=GkeWorkloadCertificate, GKE workload certificates + # will be used as the certificates for workloads. + # The default value is "" and when caName="", the CA will be configured by other + # mechanisms (e.g., environmental variable CA_PROVIDER). + caName: "" + + waypoint: + # Resources for the waypoint proxy. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: "2" + memory: 1Gi + + # If specified, affinity defines the scheduling constraints of waypoint pods. + affinity: {} + + # Topology Spread Constraints for the waypoint proxy. + topologySpreadConstraints: [] + + # Node labels for the waypoint proxy. + nodeSelector: {} + + # Tolerations for the waypoint proxy. + tolerations: [] + + base: + # For istioctl usage to disable istio config crds in base + enableIstioConfigCRDs: true + + # Gateway Settings + gateways: + # Define the security context for the pod. + # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. + # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. + securityContext: {} + + # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it + seccompProfile: {} + + # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass. + # For example: + # gatewayClasses: + # istio: + # service: + # spec: + # type: ClusterIP + # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field. + gatewayClasses: {} + + pdb: + # -- Minimum available pods set in PodDisruptionBudget. + # Define either 'minAvailable' or 'maxUnavailable', never both. + minAvailable: 1 + # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored. + # maxUnavailable: 1 + # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget. + # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/ + unhealthyPodEvictionPolicy: "" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/Chart.yaml new file mode 100644 index 0000000000..93f38eebee --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/Chart.yaml @@ -0,0 +1,8 @@ +apiVersion: v2 +appVersion: 1.26.3 +description: Helm chart for istio revision tags +name: revisiontags +sources: +- https://github.com/istio-ecosystem/sail-operator +version: 0.1.0 + diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/files/profile-ambient.yaml new file mode 100644 index 0000000000..2805fe46bf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/files/profile-ambient.yaml @@ -0,0 +1,17 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/files/profile-compatibility-version-1.23.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/files/profile-compatibility-version-1.23.yaml new file mode 100644 index 0000000000..dac910ff5b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/files/profile-compatibility-version-1.23.yaml @@ -0,0 +1,25 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + ENABLE_INBOUND_RETRY_POLICY: "false" + EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" + +ambient: + # Not present in <1.24, defaults to `true` in 1.25+ + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 0000000000..b211c82666 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/files/profile-compatibility-version-1.24.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + PILOT_ENABLE_IP_AUTOALLOCATE: "false" +ambient: + dnsCapture: false + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..eb8827cd50 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/files/profile-demo.yaml new file mode 100644 index 0000000000..d6dc36dd0f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/files/profile-demo.yaml @@ -0,0 +1,94 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The demo profile enables a variety of things to try out Istio in non-production environments. +# * Lower resource utilization. +# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. +# * More ports enabled on the ingress, which is used in some tasks. +meshConfig: + accessLogFile: /dev/stdout + extensionProviders: + - name: otel + envoyOtelAls: + service: opentelemetry-collector.observability.svc.cluster.local + port: 4317 + - name: skywalking + skywalking: + service: tracing.istio-system.svc.cluster.local + port: 11800 + - name: otel-tracing + opentelemetry: + port: 4317 + service: opentelemetry-collector.observability.svc.cluster.local + - name: jaeger + opentelemetry: + port: 4317 + service: jaeger-collector.istio-system.svc.cluster.local + +cni: + resources: + requests: + cpu: 10m + memory: 40Mi + +ztunnel: + resources: + requests: + cpu: 10m + memory: 40Mi + +global: + proxy: + resources: + requests: + cpu: 10m + memory: 40Mi + waypoint: + resources: + requests: + cpu: 10m + memory: 40Mi + +pilot: + autoscaleEnabled: false + traceSampling: 100 + resources: + requests: + cpu: 10m + memory: 100Mi + +gateways: + istio-egressgateway: + autoscaleEnabled: false + resources: + requests: + cpu: 10m + memory: 40Mi + istio-ingressgateway: + autoscaleEnabled: false + ports: + ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. + # Note that AWS ELB will by default perform health checks on the first port + # on this list. Setting this to the health check port will ensure that health + # checks always work. https://github.com/istio/istio/issues/12503 + - port: 15021 + targetPort: 15021 + name: status-port + - port: 80 + targetPort: 8080 + name: http2 + - port: 443 + targetPort: 8443 + name: https + - port: 31400 + targetPort: 31400 + name: tcp + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + resources: + requests: + cpu: 10m + memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/files/profile-platform-gke.yaml new file mode 100644 index 0000000000..dfe8a7d741 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/files/profile-platform-gke.yaml @@ -0,0 +1,10 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work + resourceQuotas: + enabled: true +resourceQuotas: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/files/profile-platform-k3d.yaml new file mode 100644 index 0000000000..cd86d9ec58 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/files/profile-platform-k3d.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/files/profile-platform-k3s.yaml new file mode 100644 index 0000000000..07820106d9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/files/profile-platform-k3s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/files/profile-platform-microk8s.yaml new file mode 100644 index 0000000000..57d7f5e3cd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/files/profile-platform-microk8s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/snap/microk8s/current/args/cni-network + cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/files/profile-platform-minikube.yaml new file mode 100644 index 0000000000..fa9992e204 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/files/profile-platform-minikube.yaml @@ -0,0 +1,6 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/files/profile-platform-openshift.yaml new file mode 100644 index 0000000000..8ddc5e1654 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/files/profile-platform-openshift.yaml @@ -0,0 +1,19 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The OpenShift profile provides a basic set of settings to run Istio on OpenShift +cni: + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + provider: "multus" +pilot: + cni: + enabled: true + provider: "multus" +seLinuxOptions: + type: spc_t +# Openshift requires privileged pods to run in kube-system +trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/files/profile-preview.yaml new file mode 100644 index 0000000000..181d7bda2c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/files/profile-preview.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +meshConfig: + defaultConfig: + proxyMetadata: + # Enable Istio agent to handle DNS requests for known hosts + # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf + ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/files/profile-remote.yaml new file mode 100644 index 0000000000..d17b9a801a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/files/profile-remote.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. +istiodRemote: + enabled: true +configMap: false +telemetry: + enabled: false +global: + # TODO BML maybe a different profile for a configcluster/revisit this + omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/files/profile-stable.yaml new file mode 100644 index 0000000000..358282e69b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/files/profile-stable.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The stable profile deploys admission control to ensure that only stable resources and fields are used +# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE +experimental: + stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/templates/revision-tags.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/templates/revision-tags.yaml new file mode 100644 index 0000000000..e45b5e1d49 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/templates/revision-tags.yaml @@ -0,0 +1,148 @@ +# Adapted from istio-discovery/templates/mutatingwebhook.yaml +# Removed paths for legacy and default selectors since a revision tag +# is inherently created from a specific revision +# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that. +{{- $whv := dict + "revision" .Values.revision + "injectionPath" .Values.istiodRemote.injectionPath + "injectionURL" .Values.istiodRemote.injectionURL + "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy + "namespace" .Release.Namespace }} +{{- define "core" }} +{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign +a unique prefix to each. */}} +- name: {{.Prefix}}sidecar-injector.istio.io + clientConfig: + {{- if .injectionURL }} + url: "{{ .injectionURL }}" + {{- else }} + service: + name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} + namespace: {{ .namespace }} + path: "{{ .injectionPath }}" + port: 443 + {{- end }} + sideEffects: None + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + reinvocationPolicy: "{{ .reinvocationPolicy }}" + admissionReviewVersions: ["v1"] +{{- end }} +{{- range $tagName := $.Values.revisionTags }} +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: +{{- if eq $.Release.Namespace "istio-system"}} + name: istio-revision-tag-{{ $tagName }} +{{- else }} + name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }} +{{- end }} + labels: + istio.io/tag: {{ $tagName }} + istio.io/rev: {{ $.Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app: sidecar-injector + release: {{ $.Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" $ | nindent 4 }} +{{- if $.Values.sidecarInjectorWebhookAnnotations }} + annotations: +{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }} +{{- end }} +webhooks: +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + - "{{ $tagName }}" + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: DoesNotExist + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + - key: istio.io/rev + operator: In + values: + - "{{ $tagName }}" + +{{- /* When the tag is "default" we want to create webhooks for the default revision */}} +{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}} +{{- if (eq $tagName "default") }} + +{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: In + values: + - enabled + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + +{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: In + values: + - "true" + - key: istio.io/rev + operator: DoesNotExist + +{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }} +{{- /* Special case 3: no labels at all */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + - key: "kubernetes.io/metadata.name" + operator: "NotIn" + values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist +{{- end }} + +{{- end }} +--- +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/templates/zzz_profile.yaml new file mode 100644 index 0000000000..3d84956485 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/templates/zzz_profile.yaml @@ -0,0 +1,75 @@ +{{/* +WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. +The original version of this file is located at /manifests directory. +If you want to make a change in this file, edit the original one and run "make gen". + +Complex logic ahead... +We have three sets of values, in order of precedence (last wins): +1. The builtin values.yaml defaults +2. The profile the user selects +3. Users input (-f or --set) + +Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). + +However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). +We can then merge the profile onto the defaults, then the user settings onto that. +Finally, we can set all of that under .Values so the chart behaves without awareness. +*/}} +{{- if $.Values.defaults}} +{{ fail (cat + "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" + ($.Values.defaults | toYaml |nindent 4) +) }} +{{- end }} +{{- $defaults := $.Values._internal_defaults_do_not_set }} +{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} +{{- $profile := dict }} +{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} +{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} +{{- $profile = (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown profile" .) }} +{{- end }} +{{- end }} +{{- with .Values.compatibilityVersion }} +{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} +{{- end }} +{{- end }} +{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} +{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown platform" .) }} +{{- end }} +{{- end }} +{{- if $profile }} +{{- $a := mustMergeOverwrite $defaults $profile }} +{{- end }} +# Flatten globals, if defined on a per-chart basis +{{- if false }} +{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} +{{- end }} +{{- $x := set $.Values "_original" (deepCopy $.Values) }} +{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} + +{{/* +Labels that should be applied to ALL resources. +*/}} +{{- define "istio.labels" -}} +{{- if .Release.Service -}} +app.kubernetes.io/managed-by: {{ .Release.Service | quote }} +{{- end }} +{{- if .Release.Name }} +app.kubernetes.io/instance: {{ .Release.Name | quote }} +{{- end }} +app.kubernetes.io/part-of: "istio" +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +{{- if and .Chart.Name .Chart.Version }} +helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/values.yaml new file mode 100644 index 0000000000..bb369026ce --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/revisiontags/values.yaml @@ -0,0 +1,567 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + autoscaleEnabled: true + autoscaleMin: 1 + autoscaleMax: 5 + autoscaleBehavior: {} + replicaCount: 1 + rollingMaxSurge: 100% + rollingMaxUnavailable: 25% + + hub: "" + tag: "" + variant: "" + + # Can be a full hub/image:tag + image: pilot + traceSampling: 1.0 + + # Resources for a small pilot install + resources: + requests: + cpu: 500m + memory: 2048Mi + + # Set to `type: RuntimeDefault` to use the default profile if available. + seccompProfile: {} + + # Whether to use an existing CNI installation + cni: + enabled: false + provider: default + + # Additional container arguments + extraContainerArgs: [] + + env: {} + + envVarFrom: [] + + # Settings related to the untaint controller + # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready + # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes + taint: + # Controls whether or not the untaint controller is active + enabled: false + # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod + namespace: "" + + affinity: {} + + tolerations: [] + + cpu: + targetAverageUtilization: 80 + memory: {} + # targetAverageUtilization: 80 + + # Additional volumeMounts to the istiod container + volumeMounts: [] + + # Additional volumes to the istiod pod + volumes: [] + + # Inject initContainers into the istiod pod + initContainers: [] + + nodeSelector: {} + podAnnotations: {} + serviceAnnotations: {} + serviceAccountAnnotations: {} + sidecarInjectorWebhookAnnotations: {} + + topologySpreadConstraints: [] + + # You can use jwksResolverExtraRootCA to provide a root certificate + # in PEM format. This will then be trusted by pilot when resolving + # JWKS URIs. + jwksResolverExtraRootCA: "" + + # The following is used to limit how long a sidecar can be connected + # to a pilot. It balances out load across pilot instances at the cost of + # increasing system churn. + keepaliveMaxServerConnectionAge: 30m + + # Additional labels to apply to the deployment. + deploymentLabels: {} + + ## Mesh config settings + + # Install the mesh config map, generated from values.yaml. + # If false, pilot wil use default values (by default) or user-supplied values. + configMap: true + + # Additional labels to apply on the pod level for monitoring and logging configuration. + podLabels: {} + + # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + ipFamilyPolicy: "" + ipFamilies: [] + + # Ambient mode only. + # Set this if you install ztunnel to a different namespace from `istiod`. + # If set, `istiod` will allow connections from trusted node proxy ztunnels + # in the provided namespace. + # If unset, `istiod` will assume the trusted node proxy ztunnel resides + # in the same namespace as itself. + trustedZtunnelNamespace: "" + # Set this if you install ztunnel with a name different from the default. + trustedZtunnelName: "" + + sidecarInjectorWebhook: + # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or + # always skip the injection on pods that match that label selector, regardless of the global policy. + # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions + neverInjectSelector: [] + alwaysInjectSelector: [] + + # injectedAnnotations are additional annotations that will be added to the pod spec after injection + # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations: + # + # annotations: + # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default + # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default + # + # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before + # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify: + # injectedAnnotations: + # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default + # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default + injectedAnnotations: {} + + # This enables injection of sidecar in all namespaces, + # with the exception of namespaces with "istio-injection:disabled" annotation + # Only one environment should have this enabled. + enableNamespacesByDefault: false + + # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run + # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten. + # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur. + reinvocationPolicy: Never + + rewriteAppHTTPProbe: true + + # Templates defines a set of custom injection templates that can be used. For example, defining: + # + # templates: + # hello: | + # metadata: + # labels: + # hello: world + # + # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod + # being injected with the hello=world labels. + # This is intended for advanced configuration only; most users should use the built in template + templates: {} + + # Default templates specifies a set of default templates that are used in sidecar injection. + # By default, a template `sidecar` is always provided, which contains the template of default sidecar. + # To inject other additional templates, define it using the `templates` option, and add it to + # the default templates list. + # For example: + # + # templates: + # hello: | + # metadata: + # labels: + # hello: world + # + # defaultTemplates: ["sidecar", "hello"] + defaultTemplates: [] + istiodRemote: + # If `true`, indicates that this cluster/install should consume a "remote istiod" installation, + # and istiod itself will NOT be installed in this cluster - only the support resources necessary + # to utilize a remote instance. + enabled: false + # Sidecar injector mutating webhook configuration clientConfig.url value. + # For example: https://$remotePilotAddress:15017/inject + # The host should not refer to a service running in the cluster; use a service reference by specifying + # the clientConfig.service field instead. + injectionURL: "" + + # Sidecar injector mutating webhook configuration path value for the clientConfig.service field. + # Override to pass env variables, for example: /inject/cluster/remote/net/network2 + injectionPath: "/inject" + + injectionCABundle: "" + telemetry: + enabled: true + v2: + # For Null VM case now. + # This also enables metadata exchange. + enabled: true + # Indicate if prometheus stats filter is enabled or not + prometheus: + enabled: true + # stackdriver filter settings. + stackdriver: + enabled: false + # Revision is set as 'version' label and part of the resource names when installing multiple control planes. + revision: "" + + # Revision tags are aliases to Istio control plane revisions + revisionTags: [] + + # For Helm compatibility. + ownerName: "" + + # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior + # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options + meshConfig: + enablePrometheusMerge: true + + experimental: + stableValidationPolicy: false + + global: + # Used to locate istiod. + istioNamespace: istio-system + # List of cert-signers to allow "approve" action in the istio cluster role + # + # certSigners: + # - clusterissuers.cert-manager.io/istio-ca + certSigners: [] + # enable pod disruption budget for the control plane, which is used to + # ensure Istio control plane components are gradually upgraded or recovered. + defaultPodDisruptionBudget: + enabled: true + # The values aren't mutable due to a current PodDisruptionBudget limitation + # minAvailable: 1 + + # A minimal set of requested resources to applied to all deployments so that + # Horizontal Pod Autoscaler will be able to function (if set). + # Each component can overwrite these default values by adding its own resources + # block in the relevant section below and setting the desired resources values. + defaultResources: + requests: + cpu: 10m + # memory: 128Mi + # limits: + # cpu: 100m + # memory: 128Mi + + # Default hub for Istio images. + # Releases are published to docker hub under 'istio' project. + # Dev builds from prow are on gcr.io + hub: gcr.io/istio-release + # Default tag for Istio images. + tag: 1.26.3 + # Variant of the image to use. + # Currently supported are: [debug, distroless] + variant: "" + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent. + imagePullPolicy: "" + + # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) + # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + # - private-registry-key + + # Enabled by default in master for maximising testing. + istiod: + enableAnalysis: false + + # To output all istio components logs in json format by adding --log_as_json argument to each container argument + logAsJson: false + + # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: + # The control plane has different scopes depending on component, but can configure default log level across all components + # If empty, default scope and level will be used as configured in code + logging: + level: "default:info" + + # When enabled, default NetworkPolicy resources will be created + networkPolicy: + enabled: false + + omitSidecarInjectorConfigMap: false + + # Configure whether Operator manages webhook configurations. The current behavior + # of Istiod is to manage its own webhook configurations. + # When this option is set as true, Istio Operator, instead of webhooks, manages the + # webhook configurations. When this option is set as false, webhooks manage their + # own webhook configurations. + operatorManageWebhooks: false + + # Custom DNS config for the pod to resolve names of services in other + # clusters. Use this to add additional search domains, and other settings. + # see + # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config + # This does not apply to gateway pods as they typically need a different + # set of DNS settings than the normal application pods (e.g., in + # multicluster scenarios). + # NOTE: If using templates, follow the pattern in the commented example below. + #podDNSSearchNamespaces: + #- global + #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global" + + # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and + # system-node-critical, it is better to configure this in order to make sure your Istio pods + # will not be killed because of low priority class. + # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + # for more detail. + priorityClassName: "" + + proxy: + image: proxyv2 + + # This controls the 'policy' in the sidecar injector. + autoInject: enabled + + # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value + # cluster domain. Default value is "cluster.local". + clusterDomain: "cluster.local" + + # Per Component log level for proxy, applies to gateways and sidecars. If a component level is + # not set, then the global "logLevel" will be used. + componentLogLevel: "misc:error" + + # istio ingress capture allowlist + # examples: + # Redirect only selected ports: --includeInboundPorts="80,8080" + excludeInboundPorts: "" + includeInboundPorts: "*" + + # istio egress capture allowlist + # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly + # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" + # would only capture egress traffic on those two IP Ranges, all other outbound traffic would + # be allowed by the sidecar + includeIPRanges: "*" + excludeIPRanges: "" + includeOutboundPorts: "" + excludeOutboundPorts: "" + + # Log level for proxy, applies to gateways and sidecars. + # Expected values are: trace|debug|info|warning|error|critical|off + logLevel: warning + + # Specify the path to the outlier event log. + # Example: /dev/stdout + outlierLogPath: "" + + #If set to true, istio-proxy container will have privileged securityContext + privileged: false + + # The number of successive failed probes before indicating readiness failure. + readinessFailureThreshold: 4 + + # The initial delay for readiness probes in seconds. + readinessInitialDelaySeconds: 0 + + # The period between readiness probes. + readinessPeriodSeconds: 15 + + # Enables or disables a startup probe. + # For optimal startup times, changing this should be tied to the readiness probe values. + # + # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4. + # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval), + # and doesn't spam the readiness endpoint too much + # + # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30. + # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly. + startupProbe: + enabled: true + failureThreshold: 600 # 10 minutes + + # Resources for the sidecar. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 1024Mi + + # Default port for Pilot agent health checks. A value of 0 will disable health checking. + statusPort: 15020 + + # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none. + # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. + tracer: "none" + + proxy_init: + # Base name for the proxy_init container, used to configure iptables. + image: proxyv2 + # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures. + # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases. + forceApplyIptables: false + + # configure remote pilot and istiod service and endpoint + remotePilotAddress: "" + + ############################################################################################## + # The following values are found in other charts. To effectively modify these values, make # + # make sure they are consistent across your Istio helm charts # + ############################################################################################## + + # The customized CA address to retrieve certificates for the pods in the cluster. + # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. + # If not set explicitly, default to the Istio discovery address. + caAddress: "" + + # Enable control of remote clusters. + externalIstiod: false + + # Configure a remote cluster as the config cluster for an external istiod. + configCluster: false + + # configValidation enables the validation webhook for Istio configuration. + configValidation: true + + # Mesh ID means Mesh Identifier. It should be unique within the scope where + # meshes will interact with each other, but it is not required to be + # globally/universally unique. For example, if any of the following are true, + # then two meshes must have different Mesh IDs: + # - Meshes will have their telemetry aggregated in one place + # - Meshes will be federated together + # - Policy will be written referencing one mesh from the other + # + # If an administrator expects that any of these conditions may become true in + # the future, they should ensure their meshes have different Mesh IDs + # assigned. + # + # Within a multicluster mesh, each cluster must be (manually or auto) + # configured to have the same Mesh ID value. If an existing cluster 'joins' a + # multicluster mesh, it will need to be migrated to the new mesh ID. Details + # of migration TBD, and it may be a disruptive operation to change the Mesh + # ID post-install. + # + # If the mesh admin does not specify a value, Istio will use the value of the + # mesh's Trust Domain. The best practice is to select a proper Trust Domain + # value. + meshID: "" + + # Configure the mesh networks to be used by the Split Horizon EDS. + # + # The following example defines two networks with different endpoints association methods. + # For `network1` all endpoints that their IP belongs to the provided CIDR range will be + # mapped to network1. The gateway for this network example is specified by its public IP + # address and port. + # The second network, `network2`, in this example is defined differently with all endpoints + # retrieved through the specified Multi-Cluster registry being mapped to network2. The + # gateway is also defined differently with the name of the gateway service on the remote + # cluster. The public IP for the gateway will be determined from that remote service (only + # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, + # it still need to be configured manually). + # + # meshNetworks: + # network1: + # endpoints: + # - fromCidr: "192.168.0.1/24" + # gateways: + # - address: 1.1.1.1 + # port: 80 + # network2: + # endpoints: + # - fromRegistry: reg1 + # gateways: + # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local + # port: 443 + # + meshNetworks: {} + + # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. + mountMtlsCerts: false + + multiCluster: + # Set to true to connect two kubernetes clusters via their respective + # ingressgateway services when pods in each cluster cannot directly + # talk to one another. All clusters should be using Istio mTLS and must + # have a shared root CA for this model to work. + enabled: false + # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection + # to properly label proxies + clusterName: "" + + # Network defines the network this cluster belong to. This name + # corresponds to the networks in the map of mesh networks. + network: "" + + # Configure the certificate provider for control plane communication. + # Currently, two providers are supported: "kubernetes" and "istiod". + # As some platforms may not have kubernetes signing APIs, + # Istiod is the default + pilotCertProvider: istiod + + sds: + # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. + # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the + # JWT is intended for the CA. + token: + aud: istio-ca + + sts: + # The service port used by Security Token Service (STS) server to handle token exchange requests. + # Setting this port to a non-zero value enables STS server. + servicePort: 0 + + # The name of the CA for workload certificates. + # For example, when caName=GkeWorkloadCertificate, GKE workload certificates + # will be used as the certificates for workloads. + # The default value is "" and when caName="", the CA will be configured by other + # mechanisms (e.g., environmental variable CA_PROVIDER). + caName: "" + + waypoint: + # Resources for the waypoint proxy. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: "2" + memory: 1Gi + + # If specified, affinity defines the scheduling constraints of waypoint pods. + affinity: {} + + # Topology Spread Constraints for the waypoint proxy. + topologySpreadConstraints: [] + + # Node labels for the waypoint proxy. + nodeSelector: {} + + # Tolerations for the waypoint proxy. + tolerations: [] + + base: + # For istioctl usage to disable istio config crds in base + enableIstioConfigCRDs: true + + # Gateway Settings + gateways: + # Define the security context for the pod. + # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. + # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. + securityContext: {} + + # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it + seccompProfile: {} + + # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass. + # For example: + # gatewayClasses: + # istio: + # service: + # spec: + # type: ClusterIP + # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field. + gatewayClasses: {} + + pdb: + # -- Minimum available pods set in PodDisruptionBudget. + # Define either 'minAvailable' or 'maxUnavailable', never both. + minAvailable: 1 + # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored. + # maxUnavailable: 1 + # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget. + # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/ + unhealthyPodEvictionPolicy: "" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/Chart.yaml new file mode 100644 index 0000000000..488c3f4aa6 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +appVersion: 1.26.3 +description: Helm chart for istio ztunnel components +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio-ztunnel +- istio +name: ztunnel +sources: +- https://github.com/istio/istio +version: 1.26.3 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/README.md new file mode 100644 index 0000000000..ffe0b94fe8 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/README.md @@ -0,0 +1,50 @@ +# Istio Ztunnel Helm Chart + +This chart installs an Istio ztunnel. + +## Setup Repo Info + +```console +helm repo add istio https://istio-release.storage.googleapis.com/charts +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Installing the Chart + +To install the chart: + +```console +helm install ztunnel istio/ztunnel +``` + +## Uninstalling the Chart + +To uninstall/delete the chart: + +```console +helm delete ztunnel +``` + +## Configuration + +To view support configuration options and documentation, run: + +```console +helm show values istio/ztunnel +``` + +### Profiles + +Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. +These can be set with `--set profile=`. +For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. + +For consistency, the same profiles are used across each chart, even if they do not impact a given chart. + +Explicitly set values have highest priority, then profile settings, then chart defaults. + +As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. +When configuring the chart, you should not include this. +That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/files/profile-ambient.yaml new file mode 100644 index 0000000000..2805fe46bf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/files/profile-ambient.yaml @@ -0,0 +1,17 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/files/profile-compatibility-version-1.23.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/files/profile-compatibility-version-1.23.yaml new file mode 100644 index 0000000000..dac910ff5b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/files/profile-compatibility-version-1.23.yaml @@ -0,0 +1,25 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + ENABLE_INBOUND_RETRY_POLICY: "false" + EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" + +ambient: + # Not present in <1.24, defaults to `true` in 1.25+ + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 0000000000..b211c82666 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/files/profile-compatibility-version-1.24.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + PILOT_ENABLE_IP_AUTOALLOCATE: "false" +ambient: + dnsCapture: false + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..eb8827cd50 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/files/profile-demo.yaml new file mode 100644 index 0000000000..d6dc36dd0f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/files/profile-demo.yaml @@ -0,0 +1,94 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The demo profile enables a variety of things to try out Istio in non-production environments. +# * Lower resource utilization. +# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. +# * More ports enabled on the ingress, which is used in some tasks. +meshConfig: + accessLogFile: /dev/stdout + extensionProviders: + - name: otel + envoyOtelAls: + service: opentelemetry-collector.observability.svc.cluster.local + port: 4317 + - name: skywalking + skywalking: + service: tracing.istio-system.svc.cluster.local + port: 11800 + - name: otel-tracing + opentelemetry: + port: 4317 + service: opentelemetry-collector.observability.svc.cluster.local + - name: jaeger + opentelemetry: + port: 4317 + service: jaeger-collector.istio-system.svc.cluster.local + +cni: + resources: + requests: + cpu: 10m + memory: 40Mi + +ztunnel: + resources: + requests: + cpu: 10m + memory: 40Mi + +global: + proxy: + resources: + requests: + cpu: 10m + memory: 40Mi + waypoint: + resources: + requests: + cpu: 10m + memory: 40Mi + +pilot: + autoscaleEnabled: false + traceSampling: 100 + resources: + requests: + cpu: 10m + memory: 100Mi + +gateways: + istio-egressgateway: + autoscaleEnabled: false + resources: + requests: + cpu: 10m + memory: 40Mi + istio-ingressgateway: + autoscaleEnabled: false + ports: + ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. + # Note that AWS ELB will by default perform health checks on the first port + # on this list. Setting this to the health check port will ensure that health + # checks always work. https://github.com/istio/istio/issues/12503 + - port: 15021 + targetPort: 15021 + name: status-port + - port: 80 + targetPort: 8080 + name: http2 + - port: 443 + targetPort: 8443 + name: https + - port: 31400 + targetPort: 31400 + name: tcp + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + resources: + requests: + cpu: 10m + memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/files/profile-platform-gke.yaml new file mode 100644 index 0000000000..dfe8a7d741 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/files/profile-platform-gke.yaml @@ -0,0 +1,10 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work + resourceQuotas: + enabled: true +resourceQuotas: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/files/profile-platform-k3d.yaml new file mode 100644 index 0000000000..cd86d9ec58 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/files/profile-platform-k3d.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/files/profile-platform-k3s.yaml new file mode 100644 index 0000000000..07820106d9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/files/profile-platform-k3s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/files/profile-platform-microk8s.yaml new file mode 100644 index 0000000000..57d7f5e3cd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/files/profile-platform-microk8s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/snap/microk8s/current/args/cni-network + cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/files/profile-platform-minikube.yaml new file mode 100644 index 0000000000..fa9992e204 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/files/profile-platform-minikube.yaml @@ -0,0 +1,6 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/files/profile-platform-openshift.yaml new file mode 100644 index 0000000000..8ddc5e1654 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/files/profile-platform-openshift.yaml @@ -0,0 +1,19 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The OpenShift profile provides a basic set of settings to run Istio on OpenShift +cni: + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + provider: "multus" +pilot: + cni: + enabled: true + provider: "multus" +seLinuxOptions: + type: spc_t +# Openshift requires privileged pods to run in kube-system +trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/files/profile-preview.yaml new file mode 100644 index 0000000000..181d7bda2c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/files/profile-preview.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +meshConfig: + defaultConfig: + proxyMetadata: + # Enable Istio agent to handle DNS requests for known hosts + # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf + ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/files/profile-remote.yaml new file mode 100644 index 0000000000..d17b9a801a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/files/profile-remote.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. +istiodRemote: + enabled: true +configMap: false +telemetry: + enabled: false +global: + # TODO BML maybe a different profile for a configcluster/revisit this + omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/files/profile-stable.yaml new file mode 100644 index 0000000000..358282e69b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/files/profile-stable.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The stable profile deploys admission control to ensure that only stable resources and fields are used +# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE +experimental: + stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/templates/NOTES.txt new file mode 100644 index 0000000000..244f59db06 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/templates/NOTES.txt @@ -0,0 +1,5 @@ +ztunnel successfully installed! + +To learn more about the release, try: + $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} + $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/templates/_helpers.tpl new file mode 100644 index 0000000000..46a7a0b79d --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/templates/_helpers.tpl @@ -0,0 +1 @@ +{{ define "ztunnel.release-name" }}{{ .Values.resourceName| default "ztunnel" }}{{ end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/templates/daemonset.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/templates/daemonset.yaml new file mode 100644 index 0000000000..0822394d76 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/templates/daemonset.yaml @@ -0,0 +1,205 @@ +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ include "ztunnel.release-name" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: ztunnel + {{- include "istio.labels" . | nindent 4}} + {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }} + annotations: +{{- if .Values.revision }} + {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }} + {{- toYaml $annos | nindent 4}} +{{- else }} + {{- .Values.annotations | toYaml | nindent 4 }} +{{- end }} +spec: + {{- with .Values.updateStrategy }} + updateStrategy: + {{- toYaml . | nindent 4 }} + {{- end }} + selector: + matchLabels: + app: ztunnel + template: + metadata: + labels: + sidecar.istio.io/inject: "false" + istio.io/dataplane-mode: none + app: ztunnel + app.kubernetes.io/name: ztunnel + {{- include "istio.labels" . | nindent 8}} +{{ with .Values.podLabels -}}{{ toYaml . | indent 8 }}{{ end }} + annotations: + sidecar.istio.io/inject: "false" +{{- if .Values.revision }} + istio.io/rev: {{ .Values.revision }} +{{- end }} +{{ with .Values.podAnnotations -}}{{ toYaml . | indent 8 }}{{ end }} + spec: + nodeSelector: + kubernetes.io/os: linux +{{- if .Values.nodeSelector }} +{{ toYaml .Values.nodeSelector | indent 8 }} +{{- end }} +{{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | trim | indent 8 }} +{{- end }} + serviceAccountName: {{ include "ztunnel.release-name" . }} + tolerations: + - effect: NoSchedule + operator: Exists + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists + containers: + - name: istio-proxy +{{- if contains "/" .Values.image }} + image: "{{ .Values.image }}" +{{- else }} + image: "{{ .Values.hub }}/{{ .Values.image | default "ztunnel" }}:{{ .Values.tag }}{{with (.Values.variant )}}-{{.}}{{end}}" +{{- end }} + ports: + - containerPort: 15020 + name: ztunnel-stats + protocol: TCP + resources: +{{- if .Values.resources }} +{{ toYaml .Values.resources | trim | indent 10 }} +{{- end }} +{{- with .Values.imagePullPolicy }} + imagePullPolicy: {{ . }} +{{- end }} + securityContext: + # K8S docs are clear that CAP_SYS_ADMIN *or* privileged: true + # both force this to `true`: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + # But there is a K8S validation bug that doesn't propery catch this: https://github.com/kubernetes/kubernetes/issues/119568 + allowPrivilegeEscalation: true + privileged: false + capabilities: + drop: + - ALL + add: # See https://man7.org/linux/man-pages/man7/capabilities.7.html + - NET_ADMIN # Required for TPROXY and setsockopt + - SYS_ADMIN # Required for `setns` - doing things in other netns + - NET_RAW # Required for RAW/PACKET sockets, TPROXY + readOnlyRootFilesystem: true + runAsGroup: 1337 + runAsNonRoot: false + runAsUser: 0 +{{- if .Values.seLinuxOptions }} + seLinuxOptions: +{{ toYaml .Values.seLinuxOptions | trim | indent 12 }} +{{- end }} + readinessProbe: + httpGet: + port: 15021 + path: /healthz/ready + args: + - proxy + - ztunnel + env: + - name: CA_ADDRESS + {{- if .Values.caAddress }} + value: {{ .Values.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012 + {{- end }} + - name: XDS_ADDRESS + {{- if .Values.xdsAddress }} + value: {{ .Values.xdsAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012 + {{- end }} + {{- if .Values.logAsJson }} + - name: LOG_FORMAT + value: json + {{- end}} + - name: RUST_LOG + value: {{ .Values.logLevel | quote }} + - name: RUST_BACKTRACE + value: "1" + - name: ISTIO_META_CLUSTER_ID + value: {{ .Values.multiCluster.clusterName | default "Kubernetes" }} + - name: INPOD_ENABLED + value: "true" + - name: TERMINATION_GRACE_PERIOD_SECONDS + value: "{{ .Values.terminationGracePeriodSeconds }}" + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + {{- if .Values.meshConfig.defaultConfig.proxyMetadata }} + {{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata}} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + {{- with .Values.env }} + {{- range $key, $val := . }} + - name: {{ $key }} + value: "{{ $val }}" + {{- end }} + {{- end }} + volumeMounts: + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + - mountPath: /var/run/secrets/tokens + name: istio-token + - mountPath: /var/run/ztunnel + name: cni-ztunnel-sock-dir + - mountPath: /tmp + name: tmp + {{- with .Values.volumeMounts }} + {{- toYaml . | nindent 8 }} + {{- end }} + priorityClassName: system-node-critical + terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} + volumes: + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: istio-ca + - name: istiod-ca-cert + {{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:root-cert + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + - name: cni-ztunnel-sock-dir + hostPath: + path: /var/run/ztunnel + type: DirectoryOrCreate # ideally this would be a socket, but istio-cni may not have started yet. + # pprof needs a writable /tmp, and we don't have that thanks to `readOnlyRootFilesystem: true`, so mount one + - name: tmp + emptyDir: {} + {{- with .Values.volumes }} + {{- toYaml . | nindent 6}} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/templates/rbac.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/templates/rbac.yaml new file mode 100644 index 0000000000..0a8138c9a3 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/templates/rbac.yaml @@ -0,0 +1,72 @@ +apiVersion: v1 +kind: ServiceAccount + {{- with .Values.imagePullSecrets }} +imagePullSecrets: + {{- range . }} + - name: {{ . }} + {{- end }} + {{- end }} +metadata: + name: {{ include "ztunnel.release-name" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: ztunnel + {{- include "istio.labels" . | nindent 4}} + {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }} + annotations: +{{- if .Values.revision }} + {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }} + {{- toYaml $annos | nindent 4}} +{{- else }} + {{- .Values.annotations | toYaml | nindent 4 }} +{{- end }} +--- +{{- if (eq (.Values.platform | default "") "openshift") }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "ztunnel.release-name" . }} + labels: + app: ztunnel + release: {{ include "ztunnel.release-name" . }} + app.kubernetes.io/name: ztunnel + {{- include "istio.labels" . | nindent 4}} + annotations: +{{- if .Values.revision }} + {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }} + {{- toYaml $annos | nindent 4}} +{{- else }} + {{- .Values.annotations | toYaml | nindent 4 }} +{{- end }} +rules: +- apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: ["privileged"] + verbs: ["use"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "ztunnel.release-name" . }} + labels: + app: ztunnel + release: {{ include "ztunnel.release-name" . }} + app.kubernetes.io/name: ztunnel + {{- include "istio.labels" . | nindent 4}} + annotations: +{{- if .Values.revision }} + {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }} + {{- toYaml $annos | nindent 4}} +{{- else }} + {{- .Values.annotations | toYaml | nindent 4 }} +{{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "ztunnel.release-name" . }} +subjects: +- kind: ServiceAccount + name: {{ include "ztunnel.release-name" . }} + namespace: {{ .Release.Namespace }} +{{- end }} +--- diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/templates/resourcequota.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/templates/resourcequota.yaml new file mode 100644 index 0000000000..a1c0e5496d --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/templates/resourcequota.yaml @@ -0,0 +1,20 @@ +{{- if .Values.resourceQuotas.enabled }} +apiVersion: v1 +kind: ResourceQuota +metadata: + name: {{ include "ztunnel.release-name" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: ztunnel + {{- include "istio.labels" . | nindent 4}} + {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }} +spec: + hard: + pods: {{ .Values.resourceQuotas.pods | quote }} + scopeSelector: + matchExpressions: + - operator: In + scopeName: PriorityClass + values: + - system-node-critical +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/templates/zzz_profile.yaml new file mode 100644 index 0000000000..606c556697 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/templates/zzz_profile.yaml @@ -0,0 +1,75 @@ +{{/* +WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. +The original version of this file is located at /manifests directory. +If you want to make a change in this file, edit the original one and run "make gen". + +Complex logic ahead... +We have three sets of values, in order of precedence (last wins): +1. The builtin values.yaml defaults +2. The profile the user selects +3. Users input (-f or --set) + +Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). + +However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). +We can then merge the profile onto the defaults, then the user settings onto that. +Finally, we can set all of that under .Values so the chart behaves without awareness. +*/}} +{{- if $.Values.defaults}} +{{ fail (cat + "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" + ($.Values.defaults | toYaml |nindent 4) +) }} +{{- end }} +{{- $defaults := $.Values._internal_defaults_do_not_set }} +{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} +{{- $profile := dict }} +{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} +{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} +{{- $profile = (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown profile" .) }} +{{- end }} +{{- end }} +{{- with .Values.compatibilityVersion }} +{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} +{{- end }} +{{- end }} +{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} +{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown platform" .) }} +{{- end }} +{{- end }} +{{- if $profile }} +{{- $a := mustMergeOverwrite $defaults $profile }} +{{- end }} +# Flatten globals, if defined on a per-chart basis +{{- if true }} +{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} +{{- end }} +{{- $x := set $.Values "_original" (deepCopy $.Values) }} +{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} + +{{/* +Labels that should be applied to ALL resources. +*/}} +{{- define "istio.labels" -}} +{{- if .Release.Service -}} +app.kubernetes.io/managed-by: {{ .Release.Service | quote }} +{{- end }} +{{- if .Release.Name }} +app.kubernetes.io/instance: {{ .Release.Name | quote }} +{{- end }} +app.kubernetes.io/part-of: "istio" +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +{{- if and .Chart.Name .Chart.Version }} +helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/values.yaml new file mode 100644 index 0000000000..18ab47fd44 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/charts/ztunnel/values.yaml @@ -0,0 +1,114 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + # Hub to pull from. Image will be `Hub/Image:Tag-Variant` + hub: gcr.io/istio-release + # Tag to pull from. Image will be `Hub/Image:Tag-Variant` + tag: 1.26.3 + # Variant to pull. Options are "debug" or "distroless". Unset will use the default for the given version. + variant: "" + + # Image name to pull from. Image will be `Hub/Image:Tag-Variant` + # If Image contains a "/", it will replace the entire `image` in the pod. + image: ztunnel + + # resourceName, if set, will override the naming of resources. If not set, will default to 'ztunnel'. + # If you set this, you MUST also set `trustedZtunnelName` in the `istiod` chart. + resourceName: "" + + # Labels to apply to all top level resources + labels: {} + # Annotations to apply to all top level resources + annotations: {} + + # Additional volumeMounts to the ztunnel container + volumeMounts: [] + + # Additional volumes to the ztunnel pod + volumes: [] + + # Annotations added to each pod. The default annotations are required for scraping prometheus (in most environments). + podAnnotations: + prometheus.io/port: "15020" + prometheus.io/scrape: "true" + + # Additional labels to apply on the pod level + podLabels: {} + + # Pod resource configuration + resources: + requests: + cpu: 200m + # Ztunnel memory scales with the size of the cluster and traffic load + # While there are many factors, this is enough for ~200k pod cluster or 100k concurrently open connections. + memory: 512Mi + + resourceQuotas: + enabled: false + pods: 5000 + + # List of secret names to add to the service account as image pull secrets + imagePullSecrets: [] + + # A `key: value` mapping of environment variables to add to the pod + env: {} + + # Override for the pod imagePullPolicy + imagePullPolicy: "" + + # Settings for multicluster + multiCluster: + # The name of the cluster we are installing in. Note this is a user-defined name, which must be consistent + # with Istiod configuration. + clusterName: "" + + # meshConfig defines runtime configuration of components. + # For ztunnel, only defaultConfig is used, but this is nested under `meshConfig` for consistency with other + # components. + # TODO: https://github.com/istio/istio/issues/43248 + meshConfig: + defaultConfig: + proxyMetadata: {} + + # This value defines: + # 1. how many seconds kube waits for ztunnel pod to gracefully exit before forcibly terminating it (this value) + # 2. how many seconds ztunnel waits to drain its own connections (this value - 1 sec) + # Default K8S value is 30 seconds + terminationGracePeriodSeconds: 30 + + # Revision is set as 'version' label and part of the resource names when installing multiple control planes. + # Used to locate the XDS and CA, if caAddress or xdsAddress are not set explicitly. + revision: "" + + # The customized CA address to retrieve certificates for the pods in the cluster. + # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. + caAddress: "" + + # The customized XDS address to retrieve configuration. + # This should include the port - 15012 for Istiod. TLS will be used with the certificates in "istiod-ca-cert" secret. + # By default, it is istiod.istio-system.svc:15012 if revision is not set, or istiod-..svc:15012 + xdsAddress: "" + + # Used to locate the XDS and CA, if caAddress or xdsAddress are not set. + istioNamespace: istio-system + + # Configuration log level of ztunnel binary, default is info. + # Valid values are: trace, debug, info, warn, error + logLevel: info + + # To output all logs in json format + logAsJson: false + + # Set to `type: RuntimeDefault` to use the default profile if available. + seLinuxOptions: {} + # TODO Ambient inpod - for OpenShift, set to the following to get writable sockets in hostmounts to work, eventually consider CSI driver instead + #seLinuxOptions: + # type: spc_t + + # K8s DaemonSet update strategy. + # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec). + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/cni-1.26.3.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/cni-1.26.3.tgz.etag new file mode 100644 index 0000000000..59d97a846a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/cni-1.26.3.tgz.etag @@ -0,0 +1 @@ +31b5c9c2ddc9d08b454146bee2b8782b000e4ccef24bfd224dc676050a91d974 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/commit b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/commit new file mode 100644 index 0000000000..f8f7381409 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/commit @@ -0,0 +1 @@ +1.26.3 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/gateway-1.26.3.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/gateway-1.26.3.tgz.etag new file mode 100644 index 0000000000..e0203739a1 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/gateway-1.26.3.tgz.etag @@ -0,0 +1 @@ +bb1164a9e0c196c577e75164a5c7d552151639af49fb67ec7340a12652fbe78d diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/istiod-1.26.3.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/istiod-1.26.3.tgz.etag new file mode 100644 index 0000000000..ff16643d19 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/istiod-1.26.3.tgz.etag @@ -0,0 +1 @@ +ec6577560ba5bf7ae1913296be11d912917788e11de0a5ad96a29777113830e9 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/profiles/ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/profiles/ambient.yaml new file mode 100644 index 0000000000..71ea784a80 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/profiles/ambient.yaml @@ -0,0 +1,5 @@ +apiVersion: sailoperator.io/v1 +kind: Istio +spec: + values: + profile: ambient diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/profiles/default.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/profiles/default.yaml new file mode 100644 index 0000000000..8f1ef19676 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/profiles/default.yaml @@ -0,0 +1,12 @@ +apiVersion: sailoperator.io/v1 +kind: Istio +spec: + # Most default values come from the helm chart's values.yaml + # Below are the things that differ + values: + defaultRevision: "" + global: + istioNamespace: istio-system + configValidation: true + ztunnel: + resourceName: ztunnel diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/profiles/demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/profiles/demo.yaml new file mode 100644 index 0000000000..53c4b41633 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/profiles/demo.yaml @@ -0,0 +1,5 @@ +apiVersion: sailoperator.io/v1 +kind: Istio +spec: + values: + profile: demo diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/profiles/empty.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/profiles/empty.yaml new file mode 100644 index 0000000000..4477cb1fe1 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/profiles/empty.yaml @@ -0,0 +1,5 @@ +# The empty profile has everything disabled +# This is useful as a base for custom user configuration +apiVersion: sailoperator.io/v1 +kind: Istio +spec: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/profiles/openshift-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/profiles/openshift-ambient.yaml new file mode 100644 index 0000000000..76edf00cd8 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/profiles/openshift-ambient.yaml @@ -0,0 +1,7 @@ +apiVersion: sailoperator.io/v1 +kind: Istio +spec: + values: + profile: ambient + global: + platform: openshift diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/profiles/openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/profiles/openshift.yaml new file mode 100644 index 0000000000..41492660fe --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/profiles/openshift.yaml @@ -0,0 +1,6 @@ +apiVersion: sailoperator.io/v1 +kind: Istio +spec: + values: + global: + platform: openshift diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/profiles/preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/profiles/preview.yaml new file mode 100644 index 0000000000..59d545c840 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/profiles/preview.yaml @@ -0,0 +1,8 @@ +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +apiVersion: sailoperator.io/v1 +kind: Istio +spec: + values: + profile: preview diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/profiles/remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/profiles/remote.yaml new file mode 100644 index 0000000000..54c65c8ba9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/profiles/remote.yaml @@ -0,0 +1,7 @@ +# The remote profile is used to configure a mesh cluster without a locally deployed control plane. +# Only the injector mutating webhook configuration is installed. +apiVersion: sailoperator.io/v1 +kind: Istio +spec: + values: + profile: remote diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/profiles/stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/profiles/stable.yaml new file mode 100644 index 0000000000..285feba244 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/profiles/stable.yaml @@ -0,0 +1,5 @@ +apiVersion: sailoperator.io/v1 +kind: Istio +spec: + values: + profile: stable diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/ztunnel-1.26.3.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/ztunnel-1.26.3.tgz.etag new file mode 100644 index 0000000000..39cab5f1d2 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.3/ztunnel-1.26.3.tgz.etag @@ -0,0 +1 @@ +49fa0b626799f0011c6210ce63153b5e96b7de01a18109778c0965103582c6c5 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/base-1.26.4.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/base-1.26.4.tgz.etag new file mode 100644 index 0000000000..bd66b58f5c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/base-1.26.4.tgz.etag @@ -0,0 +1 @@ +1339635defaa4b20e76c1491e1bf6d9ab0426613c7aafb177077e735d89f9304 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/Chart.yaml new file mode 100644 index 0000000000..a816e88a05 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/Chart.yaml @@ -0,0 +1,10 @@ +apiVersion: v2 +appVersion: 1.26.4 +description: Helm chart for deploying Istio cluster resources and CRDs +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio +name: base +sources: +- https://github.com/istio/istio +version: 1.26.4 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/README.md new file mode 100644 index 0000000000..ae8f6d5b0e --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/README.md @@ -0,0 +1,35 @@ +# Istio base Helm Chart + +This chart installs resources shared by all Istio revisions. This includes Istio CRDs. + +## Setup Repo Info + +```console +helm repo add istio https://istio-release.storage.googleapis.com/charts +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Installing the Chart + +To install the chart with the release name `istio-base`: + +```console +kubectl create namespace istio-system +helm install istio-base istio/base -n istio-system +``` + +### Profiles + +Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. +These can be set with `--set profile=`. +For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. + +For consistency, the same profiles are used across each chart, even if they do not impact a given chart. + +Explicitly set values have highest priority, then profile settings, then chart defaults. + +As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. +When configuring the chart, you should not include this. +That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/files/profile-ambient.yaml new file mode 100644 index 0000000000..2805fe46bf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/files/profile-ambient.yaml @@ -0,0 +1,17 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/files/profile-compatibility-version-1.23.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/files/profile-compatibility-version-1.23.yaml new file mode 100644 index 0000000000..dac910ff5b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/files/profile-compatibility-version-1.23.yaml @@ -0,0 +1,25 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + ENABLE_INBOUND_RETRY_POLICY: "false" + EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" + +ambient: + # Not present in <1.24, defaults to `true` in 1.25+ + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 0000000000..b211c82666 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/files/profile-compatibility-version-1.24.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + PILOT_ENABLE_IP_AUTOALLOCATE: "false" +ambient: + dnsCapture: false + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..eb8827cd50 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/files/profile-demo.yaml new file mode 100644 index 0000000000..d6dc36dd0f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/files/profile-demo.yaml @@ -0,0 +1,94 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The demo profile enables a variety of things to try out Istio in non-production environments. +# * Lower resource utilization. +# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. +# * More ports enabled on the ingress, which is used in some tasks. +meshConfig: + accessLogFile: /dev/stdout + extensionProviders: + - name: otel + envoyOtelAls: + service: opentelemetry-collector.observability.svc.cluster.local + port: 4317 + - name: skywalking + skywalking: + service: tracing.istio-system.svc.cluster.local + port: 11800 + - name: otel-tracing + opentelemetry: + port: 4317 + service: opentelemetry-collector.observability.svc.cluster.local + - name: jaeger + opentelemetry: + port: 4317 + service: jaeger-collector.istio-system.svc.cluster.local + +cni: + resources: + requests: + cpu: 10m + memory: 40Mi + +ztunnel: + resources: + requests: + cpu: 10m + memory: 40Mi + +global: + proxy: + resources: + requests: + cpu: 10m + memory: 40Mi + waypoint: + resources: + requests: + cpu: 10m + memory: 40Mi + +pilot: + autoscaleEnabled: false + traceSampling: 100 + resources: + requests: + cpu: 10m + memory: 100Mi + +gateways: + istio-egressgateway: + autoscaleEnabled: false + resources: + requests: + cpu: 10m + memory: 40Mi + istio-ingressgateway: + autoscaleEnabled: false + ports: + ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. + # Note that AWS ELB will by default perform health checks on the first port + # on this list. Setting this to the health check port will ensure that health + # checks always work. https://github.com/istio/istio/issues/12503 + - port: 15021 + targetPort: 15021 + name: status-port + - port: 80 + targetPort: 8080 + name: http2 + - port: 443 + targetPort: 8443 + name: https + - port: 31400 + targetPort: 31400 + name: tcp + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + resources: + requests: + cpu: 10m + memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/files/profile-platform-gke.yaml new file mode 100644 index 0000000000..dfe8a7d741 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/files/profile-platform-gke.yaml @@ -0,0 +1,10 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work + resourceQuotas: + enabled: true +resourceQuotas: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/files/profile-platform-k3d.yaml new file mode 100644 index 0000000000..cd86d9ec58 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/files/profile-platform-k3d.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/files/profile-platform-k3s.yaml new file mode 100644 index 0000000000..07820106d9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/files/profile-platform-k3s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/files/profile-platform-microk8s.yaml new file mode 100644 index 0000000000..57d7f5e3cd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/files/profile-platform-microk8s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/snap/microk8s/current/args/cni-network + cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/files/profile-platform-minikube.yaml new file mode 100644 index 0000000000..fa9992e204 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/files/profile-platform-minikube.yaml @@ -0,0 +1,6 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/files/profile-platform-openshift.yaml new file mode 100644 index 0000000000..8ddc5e1654 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/files/profile-platform-openshift.yaml @@ -0,0 +1,19 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The OpenShift profile provides a basic set of settings to run Istio on OpenShift +cni: + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + provider: "multus" +pilot: + cni: + enabled: true + provider: "multus" +seLinuxOptions: + type: spc_t +# Openshift requires privileged pods to run in kube-system +trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/files/profile-preview.yaml new file mode 100644 index 0000000000..181d7bda2c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/files/profile-preview.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +meshConfig: + defaultConfig: + proxyMetadata: + # Enable Istio agent to handle DNS requests for known hosts + # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf + ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/files/profile-remote.yaml new file mode 100644 index 0000000000..d17b9a801a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/files/profile-remote.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. +istiodRemote: + enabled: true +configMap: false +telemetry: + enabled: false +global: + # TODO BML maybe a different profile for a configcluster/revisit this + omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/files/profile-stable.yaml new file mode 100644 index 0000000000..358282e69b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/files/profile-stable.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The stable profile deploys admission control to ensure that only stable resources and fields are used +# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE +experimental: + stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/templates/NOTES.txt new file mode 100644 index 0000000000..f12616f578 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/templates/NOTES.txt @@ -0,0 +1,5 @@ +Istio base successfully installed! + +To learn more about the release, try: + $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} + $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml new file mode 100644 index 0000000000..2616b09c9a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml @@ -0,0 +1,53 @@ +{{- if and .Values.experimental.stableValidationPolicy (not (eq .Values.defaultRevision "")) }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicy +metadata: + name: "stable-channel-default-policy.istio.io" + labels: + release: {{ .Release.Name }} + istio: istiod + istio.io/rev: {{ .Values.defaultRevision }} + app.kubernetes.io/name: "istiod" + {{ include "istio.labels" . | nindent 4 }} +spec: + failurePolicy: Fail + matchConstraints: + resourceRules: + - apiGroups: + - security.istio.io + - networking.istio.io + - telemetry.istio.io + - extensions.istio.io + apiVersions: ["*"] + operations: ["CREATE", "UPDATE"] + resources: ["*"] + variables: + - name: isEnvoyFilter + expression: "object.kind == 'EnvoyFilter'" + - name: isWasmPlugin + expression: "object.kind == 'WasmPlugin'" + - name: isProxyConfig + expression: "object.kind == 'ProxyConfig'" + - name: isTelemetry + expression: "object.kind == 'Telemetry'" + validations: + - expression: "!variables.isEnvoyFilter" + - expression: "!variables.isWasmPlugin" + - expression: "!variables.isProxyConfig" + - expression: | + !( + variables.isTelemetry && ( + (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) || + (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) || + (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter)) + ) + ) +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicyBinding +metadata: + name: "stable-channel-default-policy-binding.istio.io" +spec: + policyName: "stable-channel-default-policy.istio.io" + validationActions: [Deny] +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml new file mode 100644 index 0000000000..8cb76fd773 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml @@ -0,0 +1,56 @@ +{{- if not (eq .Values.defaultRevision "") }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: istiod-default-validator + labels: + app: istiod + release: {{ .Release.Name }} + istio: istiod + istio.io/rev: {{ .Values.defaultRevision | quote }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +webhooks: + - name: validation.istio.io + clientConfig: + {{- if .Values.base.validationURL }} + url: {{ .Values.base.validationURL }} + {{- else }} + service: + {{- if (eq .Values.defaultRevision "default") }} + name: istiod + {{- else }} + name: istiod-{{ .Values.defaultRevision }} + {{- end }} + namespace: {{ .Values.global.istioNamespace }} + path: "/validate" + {{- end }} + {{- if .Values.base.validationCABundle }} + caBundle: "{{ .Values.base.validationCABundle }}" + {{- end }} + rules: + - operations: + - CREATE + - UPDATE + apiGroups: + - security.istio.io + - networking.istio.io + - telemetry.istio.io + - extensions.istio.io + apiVersions: + - "*" + resources: + - "*" + + {{- if .Values.base.validationCABundle }} + # Disable webhook controller in Pilot to stop patching it + failurePolicy: Fail + {{- else }} + # Fail open until the validation webhook is ready. The webhook controller + # will update this to `Fail` and patch in the `caBundle` when the webhook + # endpoint is ready. + failurePolicy: Ignore + {{- end }} + sideEffects: None + admissionReviewVersions: ["v1"] +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/templates/reader-serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/templates/reader-serviceaccount.yaml new file mode 100644 index 0000000000..ba829a6bfe --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/templates/reader-serviceaccount.yaml @@ -0,0 +1,20 @@ +# This singleton service account aggregates reader permissions for the revisions in a given cluster +# ATM this is a singleton per cluster with Istio installed, and is not revisioned. It maybe should be, +# as otherwise compromising the token for this SA would give you access to *every* installed revision. +# Should be used for remote secret creation. +apiVersion: v1 +kind: ServiceAccount + {{- if .Values.global.imagePullSecrets }} +imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +metadata: + name: istio-reader-service-account + namespace: {{ .Values.global.istioNamespace }} + labels: + app: istio-reader + release: {{ .Release.Name }} + app.kubernetes.io/name: "istio-reader" + {{- include "istio.labels" . | nindent 4 }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/templates/zzz_profile.yaml new file mode 100644 index 0000000000..3d84956485 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/templates/zzz_profile.yaml @@ -0,0 +1,75 @@ +{{/* +WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. +The original version of this file is located at /manifests directory. +If you want to make a change in this file, edit the original one and run "make gen". + +Complex logic ahead... +We have three sets of values, in order of precedence (last wins): +1. The builtin values.yaml defaults +2. The profile the user selects +3. Users input (-f or --set) + +Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). + +However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). +We can then merge the profile onto the defaults, then the user settings onto that. +Finally, we can set all of that under .Values so the chart behaves without awareness. +*/}} +{{- if $.Values.defaults}} +{{ fail (cat + "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" + ($.Values.defaults | toYaml |nindent 4) +) }} +{{- end }} +{{- $defaults := $.Values._internal_defaults_do_not_set }} +{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} +{{- $profile := dict }} +{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} +{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} +{{- $profile = (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown profile" .) }} +{{- end }} +{{- end }} +{{- with .Values.compatibilityVersion }} +{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} +{{- end }} +{{- end }} +{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} +{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown platform" .) }} +{{- end }} +{{- end }} +{{- if $profile }} +{{- $a := mustMergeOverwrite $defaults $profile }} +{{- end }} +# Flatten globals, if defined on a per-chart basis +{{- if false }} +{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} +{{- end }} +{{- $x := set $.Values "_original" (deepCopy $.Values) }} +{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} + +{{/* +Labels that should be applied to ALL resources. +*/}} +{{- define "istio.labels" -}} +{{- if .Release.Service -}} +app.kubernetes.io/managed-by: {{ .Release.Service | quote }} +{{- end }} +{{- if .Release.Name }} +app.kubernetes.io/instance: {{ .Release.Name | quote }} +{{- end }} +app.kubernetes.io/part-of: "istio" +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +{{- if and .Chart.Name .Chart.Version }} +helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/values.yaml new file mode 100644 index 0000000000..d18296f00a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/base/values.yaml @@ -0,0 +1,37 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + global: + + # ImagePullSecrets for control plane ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + + # Used to locate istiod. + istioNamespace: istio-system + base: + # A list of CRDs to exclude. Requires `enableCRDTemplates` to be true. + # Example: `excludedCRDs: ["envoyfilters.networking.istio.io"]`. + # Note: when installing with `istioctl`, `enableIstioConfigCRDs=false` must also be set. + excludedCRDs: [] + # Helm (as of V3) does not support upgrading CRDs, because it is not universally + # safe for them to support this. + # Istio as a project enforces certain backwards-compat guarantees that allow us + # to safely upgrade CRDs in spite of this, so we default to self-managing CRDs + # as standard K8S resources in Helm, and disable Helm's CRD management. See also: + # https://helm.sh/docs/chart_best_practices/custom_resource_definitions/#method-2-separate-charts + enableCRDTemplates: true + + # Validation webhook configuration url + # For example: https://$remotePilotAddress:15017/validate + validationURL: "" + # Validation webhook caBundle value. Useful when running pilot with a well known cert + validationCABundle: "" + + # For istioctl usage to disable istio config crds in base + enableIstioConfigCRDs: true + + defaultRevision: "default" + experimental: + stableValidationPolicy: false diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/Chart.yaml new file mode 100644 index 0000000000..97d726e84d --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +appVersion: 1.26.4 +description: Helm chart for istio-cni components +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio-cni +- istio +name: cni +sources: +- https://github.com/istio/istio +version: 1.26.4 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/README.md new file mode 100644 index 0000000000..a8b78d5bde --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/README.md @@ -0,0 +1,65 @@ +# Istio CNI Helm Chart + +This chart installs the Istio CNI Plugin. See the [CNI installation guide](https://istio.io/latest/docs/setup/additional-setup/cni/) +for more information. + +## Setup Repo Info + +```console +helm repo add istio https://istio-release.storage.googleapis.com/charts +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Installing the Chart + +To install the chart with the release name `istio-cni`: + +```console +helm install istio-cni istio/cni -n kube-system +``` + +Installation in `kube-system` is recommended to ensure the [`system-node-critical`](https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/) +`priorityClassName` can be used. You can install in other namespace only on K8S clusters that allow +'system-node-critical' outside of kube-system. + +## Configuration + +To view support configuration options and documentation, run: + +```console +helm show values istio/istio-cni +``` + +### Profiles + +Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. +These can be set with `--set profile=`. +For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. + +For consistency, the same profiles are used across each chart, even if they do not impact a given chart. + +Explicitly set values have highest priority, then profile settings, then chart defaults. + +As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. +When configuring the chart, you should not include this. +That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. + +### Ambient + +To enable ambient, you can use the ambient profile: `--set profile=ambient`. + +#### Calico + +For Calico, you must also modify the settings to allow source spoofing: + +- if deployed by operator, `kubectl patch felixconfigurations default --type='json' -p='[{"op": "add", "path": "/spec/workloadSourceSpoofing", "value": "Any"}]'` +- if deployed by manifest, add env `FELIX_WORKLOADSOURCESPOOFING` with value `Any` in `spec.template.spec.containers.env` for daemonset `calico-node`. (This will allow PODs with specified annotation to skip the rpf check. ) + +### GKE notes + +On GKE, 'kube-system' is required. + +If using `helm template`, `--set cni.cniBinDir=/home/kubernetes/bin` is required - with `helm install` +it is auto-detected. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/files/profile-ambient.yaml new file mode 100644 index 0000000000..2805fe46bf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/files/profile-ambient.yaml @@ -0,0 +1,17 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/files/profile-compatibility-version-1.23.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/files/profile-compatibility-version-1.23.yaml new file mode 100644 index 0000000000..dac910ff5b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/files/profile-compatibility-version-1.23.yaml @@ -0,0 +1,25 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + ENABLE_INBOUND_RETRY_POLICY: "false" + EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" + +ambient: + # Not present in <1.24, defaults to `true` in 1.25+ + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 0000000000..b211c82666 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/files/profile-compatibility-version-1.24.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + PILOT_ENABLE_IP_AUTOALLOCATE: "false" +ambient: + dnsCapture: false + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..eb8827cd50 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/files/profile-demo.yaml new file mode 100644 index 0000000000..d6dc36dd0f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/files/profile-demo.yaml @@ -0,0 +1,94 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The demo profile enables a variety of things to try out Istio in non-production environments. +# * Lower resource utilization. +# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. +# * More ports enabled on the ingress, which is used in some tasks. +meshConfig: + accessLogFile: /dev/stdout + extensionProviders: + - name: otel + envoyOtelAls: + service: opentelemetry-collector.observability.svc.cluster.local + port: 4317 + - name: skywalking + skywalking: + service: tracing.istio-system.svc.cluster.local + port: 11800 + - name: otel-tracing + opentelemetry: + port: 4317 + service: opentelemetry-collector.observability.svc.cluster.local + - name: jaeger + opentelemetry: + port: 4317 + service: jaeger-collector.istio-system.svc.cluster.local + +cni: + resources: + requests: + cpu: 10m + memory: 40Mi + +ztunnel: + resources: + requests: + cpu: 10m + memory: 40Mi + +global: + proxy: + resources: + requests: + cpu: 10m + memory: 40Mi + waypoint: + resources: + requests: + cpu: 10m + memory: 40Mi + +pilot: + autoscaleEnabled: false + traceSampling: 100 + resources: + requests: + cpu: 10m + memory: 100Mi + +gateways: + istio-egressgateway: + autoscaleEnabled: false + resources: + requests: + cpu: 10m + memory: 40Mi + istio-ingressgateway: + autoscaleEnabled: false + ports: + ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. + # Note that AWS ELB will by default perform health checks on the first port + # on this list. Setting this to the health check port will ensure that health + # checks always work. https://github.com/istio/istio/issues/12503 + - port: 15021 + targetPort: 15021 + name: status-port + - port: 80 + targetPort: 8080 + name: http2 + - port: 443 + targetPort: 8443 + name: https + - port: 31400 + targetPort: 31400 + name: tcp + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + resources: + requests: + cpu: 10m + memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/files/profile-platform-gke.yaml new file mode 100644 index 0000000000..dfe8a7d741 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/files/profile-platform-gke.yaml @@ -0,0 +1,10 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work + resourceQuotas: + enabled: true +resourceQuotas: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/files/profile-platform-k3d.yaml new file mode 100644 index 0000000000..cd86d9ec58 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/files/profile-platform-k3d.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/files/profile-platform-k3s.yaml new file mode 100644 index 0000000000..07820106d9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/files/profile-platform-k3s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/files/profile-platform-microk8s.yaml new file mode 100644 index 0000000000..57d7f5e3cd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/files/profile-platform-microk8s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/snap/microk8s/current/args/cni-network + cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/files/profile-platform-minikube.yaml new file mode 100644 index 0000000000..fa9992e204 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/files/profile-platform-minikube.yaml @@ -0,0 +1,6 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/files/profile-platform-openshift.yaml new file mode 100644 index 0000000000..8ddc5e1654 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/files/profile-platform-openshift.yaml @@ -0,0 +1,19 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The OpenShift profile provides a basic set of settings to run Istio on OpenShift +cni: + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + provider: "multus" +pilot: + cni: + enabled: true + provider: "multus" +seLinuxOptions: + type: spc_t +# Openshift requires privileged pods to run in kube-system +trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/files/profile-preview.yaml new file mode 100644 index 0000000000..181d7bda2c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/files/profile-preview.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +meshConfig: + defaultConfig: + proxyMetadata: + # Enable Istio agent to handle DNS requests for known hosts + # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf + ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/files/profile-remote.yaml new file mode 100644 index 0000000000..d17b9a801a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/files/profile-remote.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. +istiodRemote: + enabled: true +configMap: false +telemetry: + enabled: false +global: + # TODO BML maybe a different profile for a configcluster/revisit this + omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/files/profile-stable.yaml new file mode 100644 index 0000000000..358282e69b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/files/profile-stable.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The stable profile deploys admission control to ensure that only stable resources and fields are used +# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE +experimental: + stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/templates/NOTES.txt new file mode 100644 index 0000000000..fb35525b99 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/templates/NOTES.txt @@ -0,0 +1,5 @@ +"{{ .Release.Name }}" successfully installed! + +To learn more about the release, try: + $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} + $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/templates/_helpers.tpl new file mode 100644 index 0000000000..73cc17b2f6 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/templates/_helpers.tpl @@ -0,0 +1,8 @@ +{{- define "name" -}} + istio-cni +{{- end }} + + +{{- define "istio-tag" -}} + {{ .Values.tag | default .Values.global.tag }}{{with (.Values.variant | default .Values.global.variant)}}-{{.}}{{end}} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/templates/clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/templates/clusterrole.yaml new file mode 100644 index 0000000000..1779e0bb1d --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/templates/clusterrole.yaml @@ -0,0 +1,81 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "name" . }} + labels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +rules: +- apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: ["privileged"] + verbs: ["use"] +- apiGroups: [""] + resources: ["pods","nodes","namespaces"] + verbs: ["get", "list", "watch"] +{{- if (eq ((coalesce .Values.platform .Values.global.platform) | default "") "openshift") }} +- apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: ["privileged"] + verbs: ["use"] +{{- end }} +--- +{{- if .Values.repair.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "name" . }}-repair-role + labels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] + - apiGroups: [""] + resources: ["pods"] + verbs: ["watch", "get", "list"] +{{- if .Values.repair.repairPods }} +{{- /* No privileges needed*/}} +{{- else if .Values.repair.deletePods }} + - apiGroups: [""] + resources: ["pods"] + verbs: ["delete"] +{{- else if .Values.repair.labelPods }} + - apiGroups: [""] + {{- /* pods/status is less privileged than the full pod, and either can label. So use the lower pods/status */}} + resources: ["pods/status"] + verbs: ["patch", "update"] +{{- end }} +{{- end }} +--- +{{- if .Values.ambient.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "name" . }}-ambient + labels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +rules: +- apiGroups: [""] + {{- /* pods/status is less privileged than the full pod, and either can label. So use the lower pods/status */}} + resources: ["pods/status"] + verbs: ["patch", "update"] +- apiGroups: ["apps"] + resources: ["daemonsets"] + resourceNames: ["{{ template "name" . }}-node"] + verbs: ["get"] +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/templates/clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..42fedab1fc --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/templates/clusterrolebinding.yaml @@ -0,0 +1,63 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "name" . }} + labels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "name" . }} +subjects: +- kind: ServiceAccount + name: {{ template "name" . }} + namespace: {{ .Release.Namespace }} +--- +{{- if .Values.repair.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "name" . }}-repair-rolebinding + labels: + k8s-app: {{ template "name" . }}-repair + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +subjects: +- kind: ServiceAccount + name: {{ template "name" . }} + namespace: {{ .Release.Namespace}} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "name" . }}-repair-role +{{- end }} +--- +{{- if .Values.ambient.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "name" . }}-ambient + labels: + k8s-app: {{ template "name" . }}-repair + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ template "name" . }} + namespace: {{ .Release.Namespace}} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "name" . }}-ambient +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/templates/configmap-cni.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/templates/configmap-cni.yaml new file mode 100644 index 0000000000..3deb2cb5ad --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/templates/configmap-cni.yaml @@ -0,0 +1,35 @@ +kind: ConfigMap +apiVersion: v1 +metadata: + name: {{ template "name" . }}-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +data: + CURRENT_AGENT_VERSION: {{ .Values.tag | default .Values.global.tag | quote }} + AMBIENT_ENABLED: {{ .Values.ambient.enabled | quote }} + AMBIENT_DNS_CAPTURE: {{ .Values.ambient.dnsCapture | quote }} + AMBIENT_IPV6: {{ .Values.ambient.ipv6 | quote }} + AMBIENT_RECONCILE_POD_RULES_ON_STARTUP: {{ .Values.ambient.reconcileIptablesOnStartup | quote }} + {{- if .Values.cniConfFileName }} # K8S < 1.24 doesn't like empty values + CNI_CONF_NAME: {{ .Values.cniConfFileName }} # Name of the CNI config file to create. Only override if you know the exact path your CNI requires.. + {{- end }} + CHAINED_CNI_PLUGIN: {{ .Values.chained | quote }} + EXCLUDE_NAMESPACES: "{{ range $idx, $ns := .Values.excludeNamespaces }}{{ if $idx }},{{ end }}{{ $ns }}{{ end }}" + REPAIR_ENABLED: {{ .Values.repair.enabled | quote }} + REPAIR_LABEL_PODS: {{ .Values.repair.labelPods | quote }} + REPAIR_DELETE_PODS: {{ .Values.repair.deletePods | quote }} + REPAIR_REPAIR_PODS: {{ .Values.repair.repairPods | quote }} + REPAIR_INIT_CONTAINER_NAME: {{ .Values.repair.initContainerName | quote }} + REPAIR_BROKEN_POD_LABEL_KEY: {{ .Values.repair.brokenPodLabelKey | quote }} + REPAIR_BROKEN_POD_LABEL_VALUE: {{ .Values.repair.brokenPodLabelValue | quote }} + {{- with .Values.env }} + {{- range $key, $val := . }} + {{ $key }}: "{{ $val }}" + {{- end }} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/templates/daemonset.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/templates/daemonset.yaml new file mode 100644 index 0000000000..cdccd36542 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/templates/daemonset.yaml @@ -0,0 +1,245 @@ +# This manifest installs the Istio install-cni container, as well +# as the Istio CNI plugin and config on +# each master and worker node in a Kubernetes cluster. +# +# $detectedBinDir exists to support a GKE-specific platform override, +# and is deprecated in favor of using the explicit `gke` platform profile. +{{- $detectedBinDir := (.Capabilities.KubeVersion.GitVersion | contains "-gke") | ternary + "/home/kubernetes/bin" + "/opt/cni/bin" +}} +{{- if .Values.cniBinDir }} +{{ $detectedBinDir = .Values.cniBinDir }} +{{- end }} +kind: DaemonSet +apiVersion: apps/v1 +metadata: + # Note that this is templated but evaluates to a fixed name + # which the CNI plugin may fall back onto in some failsafe scenarios. + # if this name is changed, CNI plugin logic that checks for this name + # format should also be updated. + name: {{ template "name" . }}-node + namespace: {{ .Release.Namespace }} + labels: + k8s-app: {{ template "name" . }}-node + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +spec: + selector: + matchLabels: + k8s-app: {{ template "name" . }}-node + {{- with .Values.updateStrategy }} + updateStrategy: + {{- toYaml . | nindent 4 }} + {{- end }} + template: + metadata: + labels: + k8s-app: {{ template "name" . }}-node + sidecar.istio.io/inject: "false" + istio.io/dataplane-mode: none + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 8 }} + annotations: + sidecar.istio.io/inject: "false" + # Add Prometheus Scrape annotations + prometheus.io/scrape: 'true' + prometheus.io/port: "15014" + prometheus.io/path: '/metrics' + # Add AppArmor annotation + # This is required to avoid conflicts with AppArmor profiles which block certain + # privileged pod capabilities. + # Required for Kubernetes 1.29 which does not support setting appArmorProfile in the + # securityContext which is otherwise preferred. + container.apparmor.security.beta.kubernetes.io/install-cni: unconfined + # Custom annotations + {{- if .Values.podAnnotations }} +{{ toYaml .Values.podAnnotations | indent 8 }} + {{- end }} + spec: +{{- if and .Values.ambient.enabled .Values.ambient.shareHostNetworkNamespace }} + hostNetwork: true + dnsPolicy: ClusterFirstWithHostNet +{{- end }} + nodeSelector: + kubernetes.io/os: linux + # Can be configured to allow for excluding istio-cni from being scheduled on specified nodes + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + tolerations: + # Make sure istio-cni-node gets scheduled on all nodes. + - effect: NoSchedule + operator: Exists + # Mark the pod as a critical add-on for rescheduling. + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists + priorityClassName: system-node-critical + serviceAccountName: {{ template "name" . }} + # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force + # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods. + terminationGracePeriodSeconds: 5 + containers: + # This container installs the Istio CNI binaries + # and CNI network config file on each node. + - name: install-cni +{{- if contains "/" .Values.image }} + image: "{{ .Values.image }}" +{{- else }} + image: "{{ .Values.hub | default .Values.global.hub }}/{{ .Values.image | default "install-cni" }}:{{ template "istio-tag" . }}" +{{- end }} +{{- if or .Values.pullPolicy .Values.global.imagePullPolicy }} + imagePullPolicy: {{ .Values.pullPolicy | default .Values.global.imagePullPolicy }} +{{- end }} + ports: + - containerPort: 15014 + name: metrics + protocol: TCP + readinessProbe: + httpGet: + path: /readyz + port: 8000 + securityContext: + privileged: false + runAsGroup: 0 + runAsUser: 0 + runAsNonRoot: false + # Both ambient and sidecar repair mode require elevated node privileges to function. + # But we don't need _everything_ in `privileged`, so explicitly set it to false and + # add capabilities based on feature. + capabilities: + drop: + - ALL + add: + # CAP_NET_ADMIN is required to allow ipset and route table access + - NET_ADMIN + # CAP_NET_RAW is required to allow iptables mutation of the `nat` table + - NET_RAW + # CAP_SYS_PTRACE is required for repair and ambient mode to describe + # the pod's network namespace. + - SYS_PTRACE + # CAP_SYS_ADMIN is required for both ambient and repair, in order to open + # network namespaces in `/proc` to obtain descriptors for entering pod network + # namespaces. There does not appear to be a more granular capability for this. + - SYS_ADMIN + # While we run as a 'root' (UID/GID 0), since we drop all capabilities we lose + # the typical ability to read/write to folders owned by others. + # This can cause problems if the hostPath mounts we use, which we require write access into, + # are owned by non-root. DAC_OVERRIDE bypasses these and gives us write access into any folder. + - DAC_OVERRIDE +{{- if .Values.seLinuxOptions }} +{{ with (merge .Values.seLinuxOptions (dict "type" "spc_t")) }} + seLinuxOptions: +{{ toYaml . | trim | indent 14 }} +{{- end }} +{{- end }} +{{- if .Values.seccompProfile }} + seccompProfile: +{{ toYaml .Values.seccompProfile | trim | indent 14 }} +{{- end }} + command: ["install-cni"] + args: + {{- if or .Values.logging.level .Values.global.logging.level }} + - --log_output_level={{ coalesce .Values.logging.level .Values.global.logging.level }} + {{- end}} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end}} + envFrom: + - configMapRef: + name: {{ template "name" . }}-config + env: + - name: REPAIR_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: REPAIR_RUN_AS_DAEMON + value: "true" + - name: REPAIR_SIDECAR_ANNOTATION + value: "sidecar.istio.io/status" + {{- if not (and .Values.ambient.enabled .Values.ambient.shareHostNetworkNamespace) }} + - name: ALLOW_SWITCH_TO_HOST_NS + value: "true" + {{- end }} + - name: NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + volumeMounts: + - mountPath: /host/opt/cni/bin + name: cni-bin-dir + {{- if or .Values.repair.repairPods .Values.ambient.enabled }} + - mountPath: /host/proc + name: cni-host-procfs + readOnly: true + {{- end }} + - mountPath: /host/etc/cni/net.d + name: cni-net-dir + - mountPath: /var/run/istio-cni + name: cni-socket-dir + {{- if .Values.ambient.enabled }} + - mountPath: /host/var/run/netns + mountPropagation: HostToContainer + name: cni-netns-dir + - mountPath: /var/run/ztunnel + name: cni-ztunnel-sock-dir + {{ end }} + resources: +{{- if .Values.resources }} +{{ toYaml .Values.resources | trim | indent 12 }} +{{- else }} +{{ toYaml .Values.global.defaultResources | trim | indent 12 }} +{{- end }} + volumes: + # Used to install CNI. + - name: cni-bin-dir + hostPath: + path: {{ $detectedBinDir }} + {{- if or .Values.repair.repairPods .Values.ambient.enabled }} + - name: cni-host-procfs + hostPath: + path: /proc + type: Directory + {{- end }} + {{- if .Values.ambient.enabled }} + - name: cni-ztunnel-sock-dir + hostPath: + path: /var/run/ztunnel + type: DirectoryOrCreate + {{- end }} + - name: cni-net-dir + hostPath: + path: {{ .Values.cniConfDir }} + # Used for UDS sockets for logging, ambient eventing + - name: cni-socket-dir + hostPath: + path: /var/run/istio-cni + - name: cni-netns-dir + hostPath: + path: {{ .Values.cniNetnsDir }} + type: DirectoryOrCreate # DirectoryOrCreate instead of Directory for the following reason - CNI may not bind mount this until a non-hostnetwork pod is scheduled on the node, + # and we don't want to block CNI agent pod creation on waiting for the first non-hostnetwork pod. + # Once the CNI does mount this, it will get populated and we're good. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/templates/network-attachment-definition.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/templates/network-attachment-definition.yaml new file mode 100644 index 0000000000..86a2eb7c0b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/templates/network-attachment-definition.yaml @@ -0,0 +1,11 @@ +{{- if eq .Values.provider "multus" }} +apiVersion: k8s.cni.cncf.io/v1 +kind: NetworkAttachmentDefinition +metadata: + name: {{ template "name" . }} + namespace: default + labels: + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/templates/networkpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/templates/networkpolicy.yaml new file mode 100644 index 0000000000..a30df776db --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/templates/networkpolicy.yaml @@ -0,0 +1,36 @@ +{{- if (.Values.global.networkPolicy).enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ template "name" . }}{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + k8s-app: {{ template "name" . }}-node + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + k8s-app: {{ template "name" . }}-node + policyTypes: + - Ingress + - Egress + ingress: + # Metrics endpoint for monitoring/prometheus + - from: [] + ports: + - protocol: TCP + port: 15014 + # Readiness probe endpoint + - from: [] + ports: + - protocol: TCP + port: 8000 + egress: + # Allow DNS resolution and access to Kubernetes API server. + # IP/Port of the API server is heavily dependant on k8s distribution, so we allow all egress for now. + - {} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/templates/resourcequota.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/templates/resourcequota.yaml new file mode 100644 index 0000000000..9a6d61ff91 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/templates/resourcequota.yaml @@ -0,0 +1,19 @@ +{{- if .Values.resourceQuotas.enabled }} +apiVersion: v1 +kind: ResourceQuota +metadata: + name: {{ template "name" . }}-resource-quota + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +spec: + hard: + pods: {{ .Values.resourceQuotas.pods | quote }} + scopeSelector: + matchExpressions: + - operator: In + scopeName: PriorityClass + values: + - system-node-critical +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/templates/serviceaccount.yaml new file mode 100644 index 0000000000..3193d7b74a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/templates/serviceaccount.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: ServiceAccount +{{- if .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range .Values.global.imagePullSecrets }} + - name: {{ . }} +{{- end }} +{{- end }} +metadata: + name: {{ template "name" . }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/templates/zzy_descope_legacy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/templates/zzy_descope_legacy.yaml new file mode 100644 index 0000000000..a9584ac29f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/templates/zzy_descope_legacy.yaml @@ -0,0 +1,3 @@ +{{/* Copy anything under `.cni` to `.`, to avoid the need to specify a redundant prefix. +Due to the file naming, this always happens after zzz_profile.yaml */}} +{{- $_ := mustMergeOverwrite $.Values (index $.Values "cni") }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/templates/zzz_profile.yaml new file mode 100644 index 0000000000..3d84956485 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/templates/zzz_profile.yaml @@ -0,0 +1,75 @@ +{{/* +WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. +The original version of this file is located at /manifests directory. +If you want to make a change in this file, edit the original one and run "make gen". + +Complex logic ahead... +We have three sets of values, in order of precedence (last wins): +1. The builtin values.yaml defaults +2. The profile the user selects +3. Users input (-f or --set) + +Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). + +However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). +We can then merge the profile onto the defaults, then the user settings onto that. +Finally, we can set all of that under .Values so the chart behaves without awareness. +*/}} +{{- if $.Values.defaults}} +{{ fail (cat + "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" + ($.Values.defaults | toYaml |nindent 4) +) }} +{{- end }} +{{- $defaults := $.Values._internal_defaults_do_not_set }} +{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} +{{- $profile := dict }} +{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} +{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} +{{- $profile = (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown profile" .) }} +{{- end }} +{{- end }} +{{- with .Values.compatibilityVersion }} +{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} +{{- end }} +{{- end }} +{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} +{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown platform" .) }} +{{- end }} +{{- end }} +{{- if $profile }} +{{- $a := mustMergeOverwrite $defaults $profile }} +{{- end }} +# Flatten globals, if defined on a per-chart basis +{{- if false }} +{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} +{{- end }} +{{- $x := set $.Values "_original" (deepCopy $.Values) }} +{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} + +{{/* +Labels that should be applied to ALL resources. +*/}} +{{- define "istio.labels" -}} +{{- if .Release.Service -}} +app.kubernetes.io/managed-by: {{ .Release.Service | quote }} +{{- end }} +{{- if .Release.Name }} +app.kubernetes.io/instance: {{ .Release.Name | quote }} +{{- end }} +app.kubernetes.io/part-of: "istio" +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +{{- if and .Chart.Name .Chart.Version }} +helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/values.yaml new file mode 100644 index 0000000000..c7f3c4a06f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/cni/values.yaml @@ -0,0 +1,156 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + hub: "" + tag: "" + variant: "" + image: install-cni + pullPolicy: "" + + # Same as `global.logging.level`, but will override it if set + logging: + level: "" + + # Configuration file to insert istio-cni plugin configuration + # by default this will be the first file found in the cni-conf-dir + # Example + # cniConfFileName: 10-calico.conflist + + # CNI-and-platform specific path defaults. + # These may need to be set to platform-specific values, consult + # overrides for your platform in `manifests/helm-profiles/platform-*.yaml` + cniBinDir: /opt/cni/bin + cniConfDir: /etc/cni/net.d + cniConfFileName: "" + cniNetnsDir: "/var/run/netns" + + excludeNamespaces: + - kube-system + + # Allows user to set custom affinity for the DaemonSet + affinity: {} + + # Custom annotations on pod level, if you need them + podAnnotations: {} + + # Deploy the config files as plugin chain (value "true") or as standalone files in the conf dir (value "false")? + # Some k8s flavors (e.g. OpenShift) do not support the chain approach, set to false if this is the case + chained: true + + # Custom configuration happens based on the CNI provider. + # Possible values: "default", "multus" + provider: "default" + + # Configure ambient settings + ambient: + # If enabled, ambient redirection will be enabled + enabled: false + # Set ambient config dir path: defaults to /etc/ambient-config + configDir: "" + # If enabled, and ambient is enabled, DNS redirection will be enabled + dnsCapture: true + # If enabled, and ambient is enabled, enables ipv6 support + ipv6: true + # If enabled, and ambient is enabled, the CNI agent will reconcile incompatible iptables rules and chains at startup. + # This will eventually be enabled by default + reconcileIptablesOnStartup: false + # If enabled, and ambient is enabled, the CNI agent will always share the network namespace of the host node it is running on + shareHostNetworkNamespace: false + + + repair: + enabled: true + hub: "" + tag: "" + + # Repair controller has 3 modes. Pick which one meets your use cases. Note only one may be used. + # This defines the action the controller will take when a pod is detected as broken. + + # labelPods will label all pods with =. + # This is only capable of identifying broken pods; the user is responsible for fixing them (generally, by deleting them). + # Note this gives the DaemonSet a relatively high privilege, as modifying pod metadata/status can have wider impacts. + labelPods: false + # deletePods will delete any broken pod. These will then be rescheduled, hopefully onto a node that is fully ready. + # Note this gives the DaemonSet a relatively high privilege, as it can delete any Pod. + deletePods: false + # repairPods will dynamically repair any broken pod by setting up the pod networking configuration even after it has started. + # Note the pod will be crashlooping, so this may take a few minutes to become fully functional based on when the retry occurs. + # This requires no RBAC privilege, but does require `securityContext.privileged/CAP_SYS_ADMIN`. + repairPods: true + + initContainerName: "istio-validation" + + brokenPodLabelKey: "cni.istio.io/uninitialized" + brokenPodLabelValue: "true" + + # Set to `type: RuntimeDefault` to use the default profile if available. + seccompProfile: {} + + # SELinux options to set in the istio-cni-node pods. You may need to set this to `type: spc_t` for some platforms. + seLinuxOptions: {} + + resources: + requests: + cpu: 100m + memory: 100Mi + + resourceQuotas: + enabled: false + pods: 5000 + + # K8s DaemonSet update strategy. + # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec). + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 + + # Revision is set as 'version' label and part of the resource names when installing multiple control planes. + revision: "" + + # For Helm compatibility. + ownerName: "" + + global: + # Default hub for Istio images. + # Releases are published to docker hub under 'istio' project. + # Dev builds from prow are on gcr.io + hub: gcr.io/istio-release + + # Default tag for Istio images. + tag: 1.26.4 + + # Variant of the image to use. + # Currently supported are: [debug, distroless] + variant: "" + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent. + imagePullPolicy: "" + + # change cni scope level to control logging out of istio-cni-node DaemonSet + logging: + level: info + + logAsJson: false + + # When enabled, default NetworkPolicy resources will be created + networkPolicy: + enabled: false + + # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) + # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + # - private-registry-key + + # Default resources allocated + defaultResources: + requests: + cpu: 100m + memory: 100Mi + + # A `key: value` mapping of environment variables to add to the pod + env: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/Chart.yaml new file mode 100644 index 0000000000..847bd28fd8 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/Chart.yaml @@ -0,0 +1,12 @@ +apiVersion: v2 +appVersion: 1.26.4 +description: Helm chart for deploying Istio gateways +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio +- gateways +name: gateway +sources: +- https://github.com/istio/istio +type: application +version: 1.26.4 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/README.md new file mode 100644 index 0000000000..5c064d165b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/README.md @@ -0,0 +1,170 @@ +# Istio Gateway Helm Chart + +This chart installs an Istio gateway deployment. + +## Setup Repo Info + +```console +helm repo add istio https://istio-release.storage.googleapis.com/charts +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Installing the Chart + +To install the chart with the release name `istio-ingressgateway`: + +```console +helm install istio-ingressgateway istio/gateway +``` + +## Uninstalling the Chart + +To uninstall/delete the `istio-ingressgateway` deployment: + +```console +helm delete istio-ingressgateway +``` + +## Configuration + +To view support configuration options and documentation, run: + +```console +helm show values istio/gateway +``` + +### Profiles + +Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. +These can be set with `--set profile=`. +For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. + +For consistency, the same profiles are used across each chart, even if they do not impact a given chart. + +Explicitly set values have highest priority, then profile settings, then chart defaults. + +As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. +When configuring the chart, you should not include this. +That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. + +### OpenShift + +When deploying the gateway in an OpenShift cluster, use the `openshift` profile to override the default values, for example: + +```console +helm install istio-ingressgateway istio/gateway --set profile=openshift +``` + +### `image: auto` Information + +The image used by the chart, `auto`, may be unintuitive. +This exists because the pod spec will be automatically populated at runtime, using the same mechanism as [Sidecar Injection](istio.io/latest/docs/setup/additional-setup/sidecar-injection). +This allows the same configurations and lifecycle to apply to gateways as sidecars. + +Note: this does mean that the namespace the gateway is deployed in must not have the `istio-injection=disabled` label. +See [Controlling the injection policy](https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#controlling-the-injection-policy) for more info. + +### Examples + +#### Egress Gateway + +Deploying a Gateway to be used as an [Egress Gateway](https://istio.io/latest/docs/tasks/traffic-management/egress/egress-gateway/): + +```yaml +service: + # Egress gateways do not need an external LoadBalancer IP + type: ClusterIP +``` + +#### Multi-network/VM Gateway + +Deploying a Gateway to be used as a [Multi-network Gateway](https://istio.io/latest/docs/setup/install/multicluster/) for network `network-1`: + +```yaml +networkGateway: network-1 +``` + +### Migrating from other installation methods + +Installations from other installation methods (such as istioctl, Istio Operator, other helm charts, etc) can be migrated to use the new Helm charts +following the guidance below. +If you are able to, a clean installation is simpler. However, this often requires an external IP migration which can be challenging. + +WARNING: when installing over an existing deployment, the two deployments will be merged together by Helm, which may lead to unexpected results. + +#### Legacy Gateway Helm charts + +Istio historically offered two different charts - `manifests/charts/gateways/istio-ingress` and `manifests/charts/gateways/istio-egress`. +These are replaced by this chart. +While not required, it is recommended all new users use this chart, and existing users migrate when possible. + +This chart has the following benefits and differences: +* Designed with Helm best practices in mind (standardized values options, values schema, values are not all nested under `gateways.istio-ingressgateway.*`, release name and namespace taken into account, etc). +* Utilizes Gateway injection, simplifying upgrades, allowing gateways to run in any namespace, and avoiding repeating config for sidecars and gateways. +* Published to official Istio Helm repository. +* Single chart for all gateways (Ingress, Egress, East West). + +#### General concerns + +For a smooth migration, the resource names and `Deployment.spec.selector` labels must match. + +If you install with `helm install istio-gateway istio/gateway`, resources will be named `istio-gateway` and the `selector` labels set to: + +```yaml +app: istio-gateway +istio: gateway # the release name with leading istio- prefix stripped +``` + +If your existing installation doesn't follow these names, you can override them. For example, if you have resources named `my-custom-gateway` with `selector` labels +`foo=bar,istio=ingressgateway`: + +```yaml +name: my-custom-gateway # Override the name to match existing resources +labels: + app: "" # Unset default app selector label + istio: ingressgateway # override default istio selector label + foo: bar # Add the existing custom selector label +``` + +#### Migrating an existing Helm release + +An existing helm release can be `helm upgrade`d to this chart by using the same release name. For example, if a previous +installation was done like: + +```console +helm install istio-ingress manifests/charts/gateways/istio-ingress -n istio-system +``` + +It could be upgraded with + +```console +helm upgrade istio-ingress manifests/charts/gateway -n istio-system --set name=istio-ingressgateway --set labels.app=istio-ingressgateway --set labels.istio=ingressgateway +``` + +Note the name and labels are overridden to match the names of the existing installation. + +Warning: the helm charts here default to using port 80 and 443, while the old charts used 8080 and 8443. +If you have AuthorizationPolicies that reference port these ports, you should update them during this process, +or customize the ports to match the old defaults. +See the [security advisory](https://istio.io/latest/news/security/istio-security-2021-002/) for more information. + +#### Other migrations + +If you see errors like `rendered manifests contain a resource that already exists` during installation, you may need to forcibly take ownership. + +The script below can handle this for you. Replace `RELEASE` and `NAMESPACE` with the name and namespace of the release: + +```console +KINDS=(service deployment) +RELEASE=istio-ingressgateway +NAMESPACE=istio-system +for KIND in "${KINDS[@]}"; do + kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-name=$RELEASE + kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-namespace=$NAMESPACE + kubectl --namespace $NAMESPACE --overwrite=true label $KIND $RELEASE app.kubernetes.io/managed-by=Helm +done +``` + +You may ignore errors about resources not being found. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/files/profile-ambient.yaml new file mode 100644 index 0000000000..2805fe46bf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/files/profile-ambient.yaml @@ -0,0 +1,17 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/files/profile-compatibility-version-1.23.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/files/profile-compatibility-version-1.23.yaml new file mode 100644 index 0000000000..dac910ff5b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/files/profile-compatibility-version-1.23.yaml @@ -0,0 +1,25 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + ENABLE_INBOUND_RETRY_POLICY: "false" + EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" + +ambient: + # Not present in <1.24, defaults to `true` in 1.25+ + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 0000000000..b211c82666 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/files/profile-compatibility-version-1.24.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + PILOT_ENABLE_IP_AUTOALLOCATE: "false" +ambient: + dnsCapture: false + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..eb8827cd50 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/files/profile-demo.yaml new file mode 100644 index 0000000000..d6dc36dd0f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/files/profile-demo.yaml @@ -0,0 +1,94 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The demo profile enables a variety of things to try out Istio in non-production environments. +# * Lower resource utilization. +# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. +# * More ports enabled on the ingress, which is used in some tasks. +meshConfig: + accessLogFile: /dev/stdout + extensionProviders: + - name: otel + envoyOtelAls: + service: opentelemetry-collector.observability.svc.cluster.local + port: 4317 + - name: skywalking + skywalking: + service: tracing.istio-system.svc.cluster.local + port: 11800 + - name: otel-tracing + opentelemetry: + port: 4317 + service: opentelemetry-collector.observability.svc.cluster.local + - name: jaeger + opentelemetry: + port: 4317 + service: jaeger-collector.istio-system.svc.cluster.local + +cni: + resources: + requests: + cpu: 10m + memory: 40Mi + +ztunnel: + resources: + requests: + cpu: 10m + memory: 40Mi + +global: + proxy: + resources: + requests: + cpu: 10m + memory: 40Mi + waypoint: + resources: + requests: + cpu: 10m + memory: 40Mi + +pilot: + autoscaleEnabled: false + traceSampling: 100 + resources: + requests: + cpu: 10m + memory: 100Mi + +gateways: + istio-egressgateway: + autoscaleEnabled: false + resources: + requests: + cpu: 10m + memory: 40Mi + istio-ingressgateway: + autoscaleEnabled: false + ports: + ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. + # Note that AWS ELB will by default perform health checks on the first port + # on this list. Setting this to the health check port will ensure that health + # checks always work. https://github.com/istio/istio/issues/12503 + - port: 15021 + targetPort: 15021 + name: status-port + - port: 80 + targetPort: 8080 + name: http2 + - port: 443 + targetPort: 8443 + name: https + - port: 31400 + targetPort: 31400 + name: tcp + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + resources: + requests: + cpu: 10m + memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/files/profile-platform-gke.yaml new file mode 100644 index 0000000000..dfe8a7d741 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/files/profile-platform-gke.yaml @@ -0,0 +1,10 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work + resourceQuotas: + enabled: true +resourceQuotas: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/files/profile-platform-k3d.yaml new file mode 100644 index 0000000000..cd86d9ec58 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/files/profile-platform-k3d.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/files/profile-platform-k3s.yaml new file mode 100644 index 0000000000..07820106d9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/files/profile-platform-k3s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/files/profile-platform-microk8s.yaml new file mode 100644 index 0000000000..57d7f5e3cd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/files/profile-platform-microk8s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/snap/microk8s/current/args/cni-network + cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/files/profile-platform-minikube.yaml new file mode 100644 index 0000000000..fa9992e204 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/files/profile-platform-minikube.yaml @@ -0,0 +1,6 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/files/profile-platform-openshift.yaml new file mode 100644 index 0000000000..8ddc5e1654 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/files/profile-platform-openshift.yaml @@ -0,0 +1,19 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The OpenShift profile provides a basic set of settings to run Istio on OpenShift +cni: + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + provider: "multus" +pilot: + cni: + enabled: true + provider: "multus" +seLinuxOptions: + type: spc_t +# Openshift requires privileged pods to run in kube-system +trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/files/profile-preview.yaml new file mode 100644 index 0000000000..181d7bda2c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/files/profile-preview.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +meshConfig: + defaultConfig: + proxyMetadata: + # Enable Istio agent to handle DNS requests for known hosts + # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf + ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/files/profile-remote.yaml new file mode 100644 index 0000000000..d17b9a801a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/files/profile-remote.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. +istiodRemote: + enabled: true +configMap: false +telemetry: + enabled: false +global: + # TODO BML maybe a different profile for a configcluster/revisit this + omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/files/profile-stable.yaml new file mode 100644 index 0000000000..358282e69b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/files/profile-stable.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The stable profile deploys admission control to ensure that only stable resources and fields are used +# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE +experimental: + stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/templates/NOTES.txt new file mode 100644 index 0000000000..fd0142911a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/templates/NOTES.txt @@ -0,0 +1,9 @@ +"{{ include "gateway.name" . }}" successfully installed! + +To learn more about the release, try: + $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} + $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} + +Next steps: + * Deploy an HTTP Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/ingress-control/ + * Deploy an HTTPS Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/ diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/templates/_helpers.tpl new file mode 100644 index 0000000000..e5a0a9b3c2 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/templates/_helpers.tpl @@ -0,0 +1,40 @@ +{{- define "gateway.name" -}} +{{- if eq .Release.Name "RELEASE-NAME" -}} + {{- .Values.name | default "istio-ingressgateway" -}} +{{- else -}} + {{- .Values.name | default .Release.Name | default "istio-ingressgateway" -}} +{{- end -}} +{{- end }} + +{{- define "gateway.labels" -}} +{{ include "gateway.selectorLabels" . }} +{{- range $key, $val := .Values.labels }} +{{- if and (ne $key "app") (ne $key "istio") }} +{{ $key | quote }}: {{ $val | quote }} +{{- end }} +{{- end }} +{{- end }} + +{{- define "gateway.selectorLabels" -}} +app: {{ (.Values.labels.app | quote) | default (include "gateway.name" .) }} +istio: {{ (.Values.labels.istio | quote) | default (include "gateway.name" . | trimPrefix "istio-") }} +{{- end }} + +{{/* +Keep sidecar injection labels together +https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#controlling-the-injection-policy +*/}} +{{- define "gateway.sidecarInjectionLabels" -}} +sidecar.istio.io/inject: "true" +{{- with .Values.revision }} +istio.io/rev: {{ . | quote }} +{{- end }} +{{- end }} + +{{- define "gateway.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- .Values.serviceAccount.name | default (include "gateway.name" .) }} +{{- else }} +{{- .Values.serviceAccount.name | default "default" }} +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/templates/deployment.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/templates/deployment.yaml new file mode 100644 index 0000000000..d83ff3b493 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/templates/deployment.yaml @@ -0,0 +1,131 @@ +apiVersion: apps/v1 +kind: {{ .Values.kind | default "Deployment" }} +metadata: + name: {{ include "gateway.name" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} + {{- include "gateway.labels" . | nindent 4}} + annotations: + {{- .Values.annotations | toYaml | nindent 4 }} +spec: + {{- if not .Values.autoscaling.enabled }} + {{- if and (hasKey .Values "replicaCount") (ne .Values.replicaCount nil) }} + replicas: {{ .Values.replicaCount }} + {{- end }} + {{- end }} + {{- with .Values.strategy }} + strategy: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.minReadySeconds }} + minReadySeconds: {{ . }} + {{- end }} + selector: + matchLabels: + {{- include "gateway.selectorLabels" . | nindent 6 }} + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "gateway.sidecarInjectionLabels" . | nindent 8 }} + {{- include "gateway.selectorLabels" . | nindent 8 }} + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 8}} + {{- range $key, $val := .Values.labels }} + {{- if and (ne $key "app") (ne $key "istio") }} + {{ $key | quote }}: {{ $val | quote }} + {{- end }} + {{- end }} + {{- with .Values.networkGateway }} + topology.istio.io/network: "{{.}}" + {{- end }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "gateway.serviceAccountName" . }} + securityContext: + {{- if .Values.securityContext }} + {{- toYaml .Values.securityContext | nindent 8 }} + {{- else }} + # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326 + sysctls: + - name: net.ipv4.ip_unprivileged_port_start + value: "0" + {{- end }} + {{- with .Values.volumes }} + volumes: + {{ toYaml . | nindent 8 }} + {{- end }} + containers: + - name: istio-proxy + # "auto" will be populated at runtime by the mutating webhook. See https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#customizing-injection + image: auto + {{- with .Values.imagePullPolicy }} + imagePullPolicy: {{ . }} + {{- end }} + securityContext: + {{- if .Values.containerSecurityContext }} + {{- toYaml .Values.containerSecurityContext | nindent 12 }} + {{- else }} + capabilities: + drop: + - ALL + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + {{- if not (eq (.Values.platform | default "") "openshift") }} + runAsUser: 1337 + runAsGroup: 1337 + {{- end }} + runAsNonRoot: true + {{- end }} + env: + {{- with .Values.networkGateway }} + - name: ISTIO_META_REQUESTED_NETWORK_VIEW + value: "{{.}}" + {{- end }} + {{- range $key, $val := .Values.env }} + - name: {{ $key }} + value: {{ $val | quote }} + {{- end }} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + resources: + {{- toYaml .Values.resources | nindent 12 }} + {{- with .Values.volumeMounts }} + volumeMounts: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.readinessProbe }} + readinessProbe: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml . | nindent 8 }} + {{- end }} + terminationGracePeriodSeconds: {{ $.Values.terminationGracePeriodSeconds }} + {{- with .Values.priorityClassName }} + priorityClassName: {{ . }} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/templates/hpa.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/templates/hpa.yaml new file mode 100644 index 0000000000..64ecb6a4cd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/templates/hpa.yaml @@ -0,0 +1,40 @@ +{{- if and (.Values.autoscaling.enabled) (eq .Values.kind "Deployment") }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "gateway.name" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} + {{- include "gateway.labels" . | nindent 4 }} + annotations: + {{- .Values.annotations | toYaml | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: {{ .Values.kind | default "Deployment" }} + name: {{ include "gateway.name" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + metrics: + {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} + type: Utilization + {{- end }} + {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} + type: Utilization + {{- end }} + {{- if .Values.autoscaling.autoscaleBehavior }} + behavior: {{ toYaml .Values.autoscaling.autoscaleBehavior | nindent 4 }} + {{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/templates/poddisruptionbudget.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/templates/poddisruptionbudget.yaml new file mode 100644 index 0000000000..91869a0ead --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/templates/poddisruptionbudget.yaml @@ -0,0 +1,21 @@ +{{- if .Values.podDisruptionBudget }} +# a workaround for https://github.com/kubernetes/kubernetes/issues/93476 +{{- if or (and .Values.autoscaling.enabled (gt (int .Values.autoscaling.minReplicas) 1)) (and (not .Values.autoscaling.enabled) (gt (int .Values.replicaCount) 1)) }} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "gateway.name" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} + {{- include "gateway.labels" . | nindent 4}} +spec: + selector: + matchLabels: + {{- include "gateway.selectorLabels" . | nindent 6 }} + {{- with .Values.podDisruptionBudget }} + {{- toYaml . | nindent 2 }} + {{- end }} +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/templates/role.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/templates/role.yaml new file mode 100644 index 0000000000..3d16079632 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/templates/role.yaml @@ -0,0 +1,37 @@ +{{/*Set up roles for Istio Gateway. Not required for gateway-api*/}} +{{- if .Values.rbac.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "gateway.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} + {{- include "gateway.labels" . | nindent 4}} + annotations: + {{- .Values.annotations | toYaml | nindent 4 }} +rules: +- apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "watch", "list"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "gateway.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} + {{- include "gateway.labels" . | nindent 4}} + annotations: + {{- .Values.annotations | toYaml | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "gateway.serviceAccountName" . }} +subjects: +- kind: ServiceAccount + name: {{ include "gateway.serviceAccountName" . }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/templates/service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/templates/service.yaml new file mode 100644 index 0000000000..3e28418f7b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/templates/service.yaml @@ -0,0 +1,69 @@ +{{- if not (eq .Values.service.type "None") }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "gateway.name" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} + {{- include "gateway.labels" . | nindent 4 }} + {{- with .Values.networkGateway }} + topology.istio.io/network: "{{.}}" + {{- end }} + annotations: + {{- merge (deepCopy .Values.service.annotations) .Values.annotations | toYaml | nindent 4 }} +spec: +{{- with .Values.service.loadBalancerIP }} + loadBalancerIP: "{{ . }}" +{{- end }} +{{- if eq .Values.service.type "LoadBalancer" }} + {{- if hasKey .Values.service "allocateLoadBalancerNodePorts" }} + allocateLoadBalancerNodePorts: {{ .Values.service.allocateLoadBalancerNodePorts }} + {{- end }} + {{- if hasKey .Values.service "loadBalancerClass" }} + loadBalancerClass: {{ .Values.service.loadBalancerClass }} + {{- end }} +{{- end }} +{{- if .Values.service.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.service.ipFamilyPolicy }} +{{- end }} +{{- if .Values.service.ipFamilies }} + ipFamilies: +{{- range .Values.service.ipFamilies }} + - {{ . }} +{{- end }} +{{- end }} +{{- with .Values.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml . | indent 4 }} +{{- end }} +{{- with .Values.service.externalTrafficPolicy }} + externalTrafficPolicy: "{{ . }}" +{{- end }} + type: {{ .Values.service.type }} + ports: +{{- if .Values.networkGateway }} + - name: status-port + port: 15021 + targetPort: 15021 + - name: tls + port: 15443 + targetPort: 15443 + - name: tls-istiod + port: 15012 + targetPort: 15012 + - name: tls-webhook + port: 15017 + targetPort: 15017 +{{- else }} +{{ .Values.service.ports | toYaml | indent 4 }} +{{- end }} +{{- if .Values.service.externalIPs }} + externalIPs: {{- range .Values.service.externalIPs }} + - {{.}} + {{- end }} +{{- end }} + selector: + {{- include "gateway.selectorLabels" . | nindent 4 }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/templates/serviceaccount.yaml new file mode 100644 index 0000000000..c88afeadd3 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/templates/serviceaccount.yaml @@ -0,0 +1,15 @@ +{{- if .Values.serviceAccount.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "gateway.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} + {{- include "gateway.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/templates/zzz_profile.yaml new file mode 100644 index 0000000000..606c556697 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/templates/zzz_profile.yaml @@ -0,0 +1,75 @@ +{{/* +WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. +The original version of this file is located at /manifests directory. +If you want to make a change in this file, edit the original one and run "make gen". + +Complex logic ahead... +We have three sets of values, in order of precedence (last wins): +1. The builtin values.yaml defaults +2. The profile the user selects +3. Users input (-f or --set) + +Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). + +However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). +We can then merge the profile onto the defaults, then the user settings onto that. +Finally, we can set all of that under .Values so the chart behaves without awareness. +*/}} +{{- if $.Values.defaults}} +{{ fail (cat + "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" + ($.Values.defaults | toYaml |nindent 4) +) }} +{{- end }} +{{- $defaults := $.Values._internal_defaults_do_not_set }} +{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} +{{- $profile := dict }} +{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} +{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} +{{- $profile = (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown profile" .) }} +{{- end }} +{{- end }} +{{- with .Values.compatibilityVersion }} +{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} +{{- end }} +{{- end }} +{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} +{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown platform" .) }} +{{- end }} +{{- end }} +{{- if $profile }} +{{- $a := mustMergeOverwrite $defaults $profile }} +{{- end }} +# Flatten globals, if defined on a per-chart basis +{{- if true }} +{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} +{{- end }} +{{- $x := set $.Values "_original" (deepCopy $.Values) }} +{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} + +{{/* +Labels that should be applied to ALL resources. +*/}} +{{- define "istio.labels" -}} +{{- if .Release.Service -}} +app.kubernetes.io/managed-by: {{ .Release.Service | quote }} +{{- end }} +{{- if .Release.Name }} +app.kubernetes.io/instance: {{ .Release.Name | quote }} +{{- end }} +app.kubernetes.io/part-of: "istio" +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +{{- if and .Chart.Name .Chart.Version }} +helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/values.schema.json b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/values.schema.json new file mode 100644 index 0000000000..d81fcffaa5 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/values.schema.json @@ -0,0 +1,368 @@ +{ + "$schema": "http://json-schema.org/schema#", + "$defs": { + "values": { + "type": "object", + "additionalProperties": false, + "properties": { + "_internal_defaults_do_not_set": { + "type": "object" + }, + "global": { + "type": "object" + }, + "affinity": { + "type": "object" + }, + "securityContext": { + "type": [ + "object", + "null" + ] + }, + "containerSecurityContext": { + "type": [ + "object", + "null" + ] + }, + "kind": { + "type": "string", + "enum": [ + "Deployment", + "DaemonSet" + ] + }, + "annotations": { + "additionalProperties": { + "type": [ + "string", + "integer" + ] + }, + "type": "object" + }, + "autoscaling": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "maxReplicas": { + "type": "integer" + }, + "minReplicas": { + "type": "integer" + }, + "targetCPUUtilizationPercentage": { + "type": "integer" + } + } + }, + "env": { + "type": "object" + }, + "envVarFrom": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "valueFrom": { + "type": "object" + } + } + } + }, + "strategy": { + "type": "object" + }, + "minReadySeconds": { + "type": [ + "null", + "integer" + ] + }, + "readinessProbe": { + "type": [ + "null", + "object" + ] + }, + "labels": { + "type": "object" + }, + "name": { + "type": "string" + }, + "nodeSelector": { + "type": "object" + }, + "podAnnotations": { + "type": "object", + "properties": { + "inject.istio.io/templates": { + "type": "string" + }, + "prometheus.io/path": { + "type": "string" + }, + "prometheus.io/port": { + "type": "string" + }, + "prometheus.io/scrape": { + "type": "string" + } + } + }, + "replicaCount": { + "type": [ + "integer", + "null" + ] + }, + "resources": { + "type": "object", + "properties": { + "limits": { + "type": "object", + "properties": { + "cpu": { + "type": [ + "string", + "null" + ] + }, + "memory": { + "type": [ + "string", + "null" + ] + } + } + }, + "requests": { + "type": "object", + "properties": { + "cpu": { + "type": [ + "string", + "null" + ] + }, + "memory": { + "type": [ + "string", + "null" + ] + } + } + } + } + }, + "revision": { + "type": "string" + }, + "defaultRevision": { + "type": "string" + }, + "compatibilityVersion": { + "type": "string" + }, + "profile": { + "type": "string" + }, + "platform": { + "type": "string" + }, + "pilot": { + "type": "object" + }, + "runAsRoot": { + "type": "boolean" + }, + "unprivilegedPort": { + "type": [ + "string", + "boolean" + ], + "enum": [ + true, + false, + "auto" + ] + }, + "service": { + "type": "object", + "properties": { + "annotations": { + "type": "object" + }, + "externalTrafficPolicy": { + "type": "string" + }, + "loadBalancerIP": { + "type": "string" + }, + "loadBalancerSourceRanges": { + "type": "array" + }, + "ipFamilies": { + "items": { + "type": "string", + "enum": [ + "IPv4", + "IPv6" + ] + } + }, + "ipFamilyPolicy": { + "type": "string", + "enum": [ + "", + "SingleStack", + "PreferDualStack", + "RequireDualStack" + ] + }, + "ports": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "port": { + "type": "integer" + }, + "protocol": { + "type": "string" + }, + "targetPort": { + "type": "integer" + } + } + } + }, + "type": { + "type": "string" + } + } + }, + "serviceAccount": { + "type": "object", + "properties": { + "annotations": { + "type": "object" + }, + "name": { + "type": "string" + }, + "create": { + "type": "boolean" + } + } + }, + "rbac": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, + "tolerations": { + "type": "array" + }, + "topologySpreadConstraints": { + "type": "array" + }, + "networkGateway": { + "type": "string" + }, + "imagePullPolicy": { + "type": "string", + "enum": [ + "", + "Always", + "IfNotPresent", + "Never" + ] + }, + "imagePullSecrets": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + } + } + } + }, + "podDisruptionBudget": { + "type": "object", + "properties": { + "minAvailable": { + "type": [ + "integer", + "string" + ] + }, + "maxUnavailable": { + "type": [ + "integer", + "string" + ] + }, + "unhealthyPodEvictionPolicy": { + "type": "string", + "enum": [ + "", + "IfHealthyBudget", + "AlwaysAllow" + ] + } + } + }, + "terminationGracePeriodSeconds": { + "type": "number" + }, + "volumes": { + "type": "array", + "items": { + "type": "object" + } + }, + "volumeMounts": { + "type": "array", + "items": { + "type": "object" + } + }, + "initContainers": { + "type": "array", + "items": { + "type": "object" + } + }, + "additionalContainers": { + "type": "array", + "items": { + "type": "object" + } + }, + "priorityClassName": { + "type": "string" + } + } + } + }, + "defaults": { + "$ref": "#/$defs/values" + }, + "$ref": "#/$defs/values" +} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/values.yaml new file mode 100644 index 0000000000..5d4fd3b754 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/gateway/values.yaml @@ -0,0 +1,173 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + # Name allows overriding the release name. Generally this should not be set + name: "" + # revision declares which revision this gateway is a part of + revision: "" + + # Controls the spec.replicas setting for the Gateway deployment if set. + # Otherwise defaults to Kubernetes Deployment default (1). + replicaCount: + + kind: Deployment + + rbac: + # If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed + # when using http://gateway-api.org/. + enabled: true + + serviceAccount: + # If set, a service account will be created. Otherwise, the default is used + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set, the release name is used + name: "" + + podAnnotations: + prometheus.io/port: "15020" + prometheus.io/scrape: "true" + prometheus.io/path: "/stats/prometheus" + inject.istio.io/templates: "gateway" + sidecar.istio.io/inject: "true" + + # Define the security context for the pod. + # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. + # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. + securityContext: {} + containerSecurityContext: {} + + service: + # Type of service. Set to "None" to disable the service entirely + type: LoadBalancer + ports: + - name: status-port + port: 15021 + protocol: TCP + targetPort: 15021 + - name: http2 + port: 80 + protocol: TCP + targetPort: 80 + - name: https + port: 443 + protocol: TCP + targetPort: 443 + annotations: {} + loadBalancerIP: "" + loadBalancerSourceRanges: [] + externalTrafficPolicy: "" + externalIPs: [] + ipFamilyPolicy: "" + ipFamilies: [] + ## Whether to automatically allocate NodePorts (only for LoadBalancers). + # allocateLoadBalancerNodePorts: false + ## Set LoadBalancer class (only for LoadBalancers). + # loadBalancerClass: "" + + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 1024Mi + + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 5 + targetCPUUtilizationPercentage: 80 + targetMemoryUtilizationPercentage: {} + autoscaleBehavior: {} + + # Pod environment variables + env: {} + + # Deployment Update strategy + strategy: {} + + # Sets the Deployment minReadySeconds value + minReadySeconds: + + # Optionally configure a custom readinessProbe. By default the control plane + # automatically injects the readinessProbe. If you wish to override that + # behavior, you may define your own readinessProbe here. + readinessProbe: {} + + # Labels to apply to all resources + labels: + # By default, don't enroll gateways into the ambient dataplane + "istio.io/dataplane-mode": none + + # Annotations to apply to all resources + annotations: {} + + nodeSelector: {} + + tolerations: [] + + topologySpreadConstraints: [] + + affinity: {} + + # If specified, the gateway will act as a network gateway for the given network. + networkGateway: "" + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent + imagePullPolicy: "" + + imagePullSecrets: [] + + # This value is used to configure a Kubernetes PodDisruptionBudget for the gateway. + # + # By default, the `podDisruptionBudget` is disabled (set to `{}`), + # which means that no PodDisruptionBudget resource will be created. + # + # The PodDisruptionBudget can be only enabled if autoscaling is enabled + # with minReplicas > 1 or if autoscaling is disabled but replicaCount > 1. + # + # To enable the PodDisruptionBudget, configure it by specifying the + # `minAvailable` or `maxUnavailable`. For example, to set the + # minimum number of available replicas to 1, you can update this value as follows: + # + # podDisruptionBudget: + # minAvailable: 1 + # + # Or, to allow a maximum of 1 unavailable replica, you can set: + # + # podDisruptionBudget: + # maxUnavailable: 1 + # + # You can also specify the `unhealthyPodEvictionPolicy` field, and the valid values are `IfHealthyBudget` and `AlwaysAllow`. + # For example, to set the `unhealthyPodEvictionPolicy` to `AlwaysAllow`, you can update this value as follows: + # + # podDisruptionBudget: + # minAvailable: 1 + # unhealthyPodEvictionPolicy: AlwaysAllow + # + # To disable the PodDisruptionBudget, you can leave it as an empty object `{}`: + # + # podDisruptionBudget: {} + # + podDisruptionBudget: {} + + # Sets the per-pod terminationGracePeriodSeconds setting. + terminationGracePeriodSeconds: 30 + + # A list of `Volumes` added into the Gateway Pods. See + # https://kubernetes.io/docs/concepts/storage/volumes/. + volumes: [] + + # A list of `VolumeMounts` added into the Gateway Pods. See + # https://kubernetes.io/docs/concepts/storage/volumes/. + volumeMounts: [] + + # Configure this to a higher priority class in order to make sure your Istio gateway pods + # will not be killed because of low priority class. + # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + # for more detail. + priorityClassName: "" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/Chart.yaml new file mode 100644 index 0000000000..93d19507e4 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/Chart.yaml @@ -0,0 +1,12 @@ +apiVersion: v2 +appVersion: 1.26.4 +description: Helm chart for istio control plane +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio +- istiod +- istio-discovery +name: istiod +sources: +- https://github.com/istio/istio +version: 1.26.4 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/README.md new file mode 100644 index 0000000000..ddbfbc8fec --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/README.md @@ -0,0 +1,73 @@ +# Istiod Helm Chart + +This chart installs an Istiod deployment. + +## Setup Repo Info + +```console +helm repo add istio https://istio-release.storage.googleapis.com/charts +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Installing the Chart + +Before installing, ensure CRDs are installed in the cluster (from the `istio/base` chart). + +To install the chart with the release name `istiod`: + +```console +kubectl create namespace istio-system +helm install istiod istio/istiod --namespace istio-system +``` + +## Uninstalling the Chart + +To uninstall/delete the `istiod` deployment: + +```console +helm delete istiod --namespace istio-system +``` + +## Configuration + +To view support configuration options and documentation, run: + +```console +helm show values istio/istiod +``` + +### Profiles + +Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. +These can be set with `--set profile=`. +For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. + +For consistency, the same profiles are used across each chart, even if they do not impact a given chart. + +Explicitly set values have highest priority, then profile settings, then chart defaults. + +As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. +When configuring the chart, you should not include this. +That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. + +### Examples + +#### Configuring mesh configuration settings + +Any [Mesh Config](https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/) options can be configured like below: + +```yaml +meshConfig: + accessLogFile: /dev/stdout +``` + +#### Revisions + +Control plane revisions allow deploying multiple versions of the control plane in the same cluster. +This allows safe [canary upgrades](https://istio.io/latest/docs/setup/upgrade/canary/) + +```yaml +revision: my-revision-name +``` diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/gateway-injection-template.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/gateway-injection-template.yaml new file mode 100644 index 0000000000..224fe75f13 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/gateway-injection-template.yaml @@ -0,0 +1,261 @@ +{{- $containers := list }} +{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} +metadata: + labels: + service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} + service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} + annotations: + istio.io/rev: {{ .Revision | default "default" | quote }} + {{- if ge (len $containers) 1 }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} + kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}" + {{- end }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}" + {{- end }} + {{- end }} +spec: + securityContext: + {{- if .Values.gateways.securityContext }} + {{- toYaml .Values.gateways.securityContext | nindent 4 }} + {{- else }} + sysctls: + - name: net.ipv4.ip_unprivileged_port_start + value: "0" + {{- end }} + containers: + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - router + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} + - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} + {{- end }} + securityContext: + runAsUser: {{ .ProxyUID | default "1337" }} + runAsGroup: {{ .ProxyGID | default "1337" }} + env: + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + {{- if .CompliancePolicy }} + - name: COMPLIANCE_POLICY + value: "{{ .CompliancePolicy }}" + {{- end }} + - name: ISTIO_META_APP_CONTAINERS + value: "{{ $containers | join "," }}" + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ .ProxyConfig.InterceptionMode.String }}" + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{- if .DeploymentMeta.Name }} + - name: ISTIO_META_WORKLOAD_NAME + value: "{{ .DeploymentMeta.Name }}" + {{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + readinessProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }} + timeoutSeconds: 3 + failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }} + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + - name: credential-socket + mountPath: /var/run/secrets/credential-uds + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + volumes: + - emptyDir: {} + name: workload-socket + - emptyDir: {} + name: credential-socket + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- else}} + - emptyDir: {} + name: workload-certs + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - name: istio-certs + secret: + optional: true + {{ if eq .Spec.ServiceAccountName "" }} + secretName: istio.default + {{ else -}} + secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} + {{ end -}} + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/grpc-agent.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/grpc-agent.yaml new file mode 100644 index 0000000000..6e3102e4c8 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/grpc-agent.yaml @@ -0,0 +1,318 @@ +{{- define "resources" }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} + requests: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" + {{ end }} + {{- end }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + limits: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" + {{ end }} + {{- end }} + {{- else }} + {{- if .Values.global.proxy.resources }} + {{ toYaml .Values.global.proxy.resources | indent 6 }} + {{- end }} + {{- end }} +{{- end }} +{{- $containers := list }} +{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} +metadata: + labels: + {{/* security.istio.io/tlsMode: istio must be set by user, if gRPC is using mTLS initialization code. We can't set it automatically. */}} + service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} + service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} + annotations: { + istio.io/rev: {{ .Revision | default "default" | quote }}, + {{- if ge (len $containers) 1 }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} + kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", + {{- end }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", + {{- end }} + {{- end }} + sidecar.istio.io/rewriteAppHTTPProbers: "false", + } +spec: + containers: + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + ports: + - containerPort: 15020 + protocol: TCP + name: mesh-metrics + args: + - proxy + - sidecar + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} + - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + lifecycle: + postStart: + exec: + command: + - pilot-agent + - wait + - --url=http://localhost:15020/healthz/ready + env: + - name: ISTIO_META_GENERATOR + value: grpc + - name: OUTPUT_CERTS + value: /var/lib/istio/data + {{- if eq .InboundTrafficPolicyMode "localhost" }} + - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION + value: "true" + {{- end }} + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: ISTIO_META_APP_CONTAINERS + value: "{{ $containers | join "," }}" + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{- if .DeploymentMeta.Name }} + - name: ISTIO_META_WORKLOAD_NAME + value: "{{ .DeploymentMeta.Name }}" + {{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + # grpc uses xds:/// to resolve – no need to resolve VIP + - name: ISTIO_META_DNS_CAPTURE + value: "false" + - name: DISABLE_ENVOY + value: "true" + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} + readinessProbe: + httpGet: + path: /healthz/ready + port: 15020 + initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} + timeoutSeconds: 3 + failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} + resources: + {{ template "resources" . }} + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + # UDS channel between istioagent and gRPC client for XDS/SDS + - mountPath: /etc/istio/proxy + name: istio-xds + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} + {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 6 }} + {{ end }} + {{- end }} +{{- range $index, $container := .Spec.Containers }} +{{ if not (eq $container.Name "istio-proxy") }} + - name: {{ $container.Name }} + env: + - name: "GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT" + value: "true" + - name: "GRPC_XDS_BOOTSTRAP" + value: "/etc/istio/proxy/grpc-bootstrap.json" + volumeMounts: + - mountPath: /var/lib/istio/data + name: istio-data + # UDS channel between istioagent and gRPC client for XDS/SDS + - mountPath: /etc/istio/proxy + name: istio-xds + {{- if eq $.Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} +{{- end }} +{{- end }} + volumes: + - emptyDir: + name: workload-socket + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- else }} + - emptyDir: + name: workload-certs + {{- end }} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: custom-bootstrap-volume + configMap: + name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-xds + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - name: istio-certs + secret: + optional: true + {{ if eq .Spec.ServiceAccountName "" }} + secretName: istio.default + {{ else -}} + secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} + {{ end -}} + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} + {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 4 }} + {{ end }} + {{ end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/grpc-simple.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/grpc-simple.yaml new file mode 100644 index 0000000000..9ba0c7a46a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/grpc-simple.yaml @@ -0,0 +1,65 @@ +metadata: + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "false" +spec: + initContainers: + - name: grpc-bootstrap-init + image: busybox:1.28 + volumeMounts: + - mountPath: /var/lib/grpc/data/ + name: grpc-io-proxyless-bootstrap + env: + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: ISTIO_NAMESPACE + value: | + {{ .Values.global.istioNamespace }} + command: + - sh + - "-c" + - |- + NODE_ID="sidecar~${INSTANCE_IP}~${POD_NAME}.${POD_NAMESPACE}~cluster.local" + SERVER_URI="dns:///istiod.${ISTIO_NAMESPACE}.svc:15010" + echo ' + { + "xds_servers": [ + { + "server_uri": "'${SERVER_URI}'", + "channel_creds": [{"type": "insecure"}], + "server_features" : ["xds_v3"] + } + ], + "node": { + "id": "'${NODE_ID}'", + "metadata": { + "GENERATOR": "grpc" + } + } + }' > /var/lib/grpc/data/bootstrap.json + containers: + {{- range $index, $container := .Spec.Containers }} + - name: {{ $container.Name }} + env: + - name: GRPC_XDS_BOOTSTRAP + value: /var/lib/grpc/data/bootstrap.json + - name: GRPC_GO_LOG_VERBOSITY_LEVEL + value: "99" + - name: GRPC_GO_LOG_SEVERITY_LEVEL + value: info + volumeMounts: + - mountPath: /var/lib/grpc/data/ + name: grpc-io-proxyless-bootstrap + {{- end }} + volumes: + - name: grpc-io-proxyless-bootstrap + emptyDir: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/injection-template.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/injection-template.yaml new file mode 100644 index 0000000000..f881b9a0ef --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/injection-template.yaml @@ -0,0 +1,532 @@ +{{- define "resources" }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} + requests: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" + {{ end }} + {{- end }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + limits: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" + {{ end }} + {{- end }} + {{- else }} + {{- if .Values.global.proxy.resources }} + {{ toYaml .Values.global.proxy.resources | indent 6 }} + {{- end }} + {{- end }} +{{- end }} +{{ $nativeSidecar := (or (and (not (isset .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar`)) (eq (env "ENABLE_NATIVE_SIDECARS" "false") "true")) (eq (index .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar`) "true")) }} +{{ $tproxy := (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) }} +{{- $containers := list }} +{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} +metadata: + labels: + security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }} + {{- if eq (index .ProxyConfig.ProxyMetadata "ISTIO_META_ENABLE_HBONE") "true" }} + networking.istio.io/tunnel: {{ index .ObjectMeta.Labels `networking.istio.io/tunnel` | default "http" | quote }} + {{- end }} + service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | trunc 63 | trimSuffix "-" | quote }} + service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} + annotations: { + istio.io/rev: {{ .Revision | default "default" | quote }}, + {{- if ge (len $containers) 1 }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} + kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", + {{- end }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", + {{- end }} + {{- end }} +{{- if .Values.pilot.cni.enabled }} + {{- if eq .Values.pilot.cni.provider "multus" }} + k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `default/istio-cni` }}', + {{- end }} + sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}", + {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }} + {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }} + traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}", + traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}", + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }} + traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}", + {{- end }} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} + traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}", + {{- end }} + {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }} + {{ with index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}istio.io/reroute-virtual-interfaces: "{{.}}",{{ end }} + {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}traffic.sidecar.istio.io/excludeInterfaces: "{{.}}",{{ end }} +{{- end }} + } +spec: + {{- $holdProxy := and + (or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts) + (not $nativeSidecar) }} + {{- $noInitContainer := and + (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE`) + (not $nativeSidecar) }} + {{ if $noInitContainer }} + initContainers: [] + {{ else -}} + initContainers: + {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} + {{ if .Values.pilot.cni.enabled -}} + - name: istio-validation + {{ else -}} + - name: istio-init + {{ end -}} + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + args: + - istio-iptables + - "-p" + - {{ .MeshConfig.ProxyListenPort | default "15001" | quote }} + - "-z" + - {{ .MeshConfig.ProxyInboundListenPort | default "15006" | quote }} + - "-u" + - {{ if $tproxy }} "1337" {{ else }} {{ .ProxyUID | default "1337" | quote }} {{ end }} + - "-m" + - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" + - "-i" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" + - "-x" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" + - "-b" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}" + - "-d" + {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }} + - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" + {{- else }} + - "15090,15021" + {{- end }} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}} + - "-q" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" + {{ end -}} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} + - "-o" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" + {{ end -}} + {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} + - "-k" + - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" + {{ end -}} + {{ if (isset .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces`) -}} + - "-k" + - "{{ index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}" + {{ end -}} + {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces`) -}} + - "-c" + - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}" + {{ end -}} + - "--log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}" + {{ if .Values.global.logAsJson -}} + - "--log_as_json" + {{ end -}} + {{ if .Values.pilot.cni.enabled -}} + - "--run-validation" + - "--skip-rule-apply" + {{ else if .Values.global.proxy_init.forceApplyIptables -}} + - "--force-apply" + {{ end -}} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + {{- if .ProxyConfig.ProxyMetadata }} + env: + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + resources: + {{ template "resources" . }} + securityContext: + allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} + privileged: {{ .Values.global.proxy.privileged }} + capabilities: + {{- if not .Values.pilot.cni.enabled }} + add: + - NET_ADMIN + - NET_RAW + {{- end }} + drop: + - ALL + {{- if not .Values.pilot.cni.enabled }} + readOnlyRootFilesystem: false + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + {{- else }} + readOnlyRootFilesystem: true + runAsGroup: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyGID | default "1337" }} {{ end }} + runAsUser: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyUID | default "1337" }} {{ end }} + runAsNonRoot: true + {{- end }} + {{ end -}} + {{ end -}} + {{ if not $nativeSidecar }} + containers: + {{ end }} + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + {{ if $nativeSidecar }}restartPolicy: Always{{end}} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - sidecar + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} + - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.outlierLogPath }} + - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }} + {{- end}} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} + {{- else if $holdProxy }} + lifecycle: + postStart: + exec: + command: + - pilot-agent + - wait + {{- else if $nativeSidecar }} + {{- /* preStop is called when the pod starts shutdown. Initialize drain. We will get SIGTERM once applications are torn down. */}} + lifecycle: + preStop: + exec: + command: + - pilot-agent + - request + - --debug-port={{(annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort)}} + - POST + - drain + {{- end }} + env: + {{- if eq .InboundTrafficPolicyMode "localhost" }} + - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION + value: "true" + {{- end }} + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: ISTIO_META_APP_CONTAINERS + value: "{{ $containers | join "," }}" + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + {{- if .CompliancePolicy }} + - name: COMPLIANCE_POLICY + value: "{{ .CompliancePolicy }}" + {{- end }} + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{- with (index .ObjectMeta.Labels `service.istio.io/workload-name` | default .DeploymentMeta.Name) }} + - name: ISTIO_META_WORKLOAD_NAME + value: "{{ . }}" + {{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: ISTIO_BOOTSTRAP_OVERRIDE + value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" + {{- end }} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} + {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} + {{ if .Values.global.proxy.startupProbe.enabled }} + startupProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: 0 + periodSeconds: 1 + timeoutSeconds: 3 + failureThreshold: {{ .Values.global.proxy.startupProbe.failureThreshold }} + {{ end }} + readinessProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} + timeoutSeconds: 3 + failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} + {{ end -}} + securityContext: + {{- if eq (index .ProxyConfig.ProxyMetadata "IPTABLES_TRACE_LOGGING") "true" }} + allowPrivilegeEscalation: true + capabilities: + add: + - NET_ADMIN + drop: + - ALL + privileged: true + readOnlyRootFilesystem: true + runAsGroup: {{ .ProxyGID | default "1337" }} + runAsNonRoot: false + runAsUser: 0 + {{- else }} + allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} + capabilities: + {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} + add: + {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}} + - NET_ADMIN + {{- end }} + {{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}} + - NET_BIND_SERVICE + {{- end }} + {{- end }} + drop: + - ALL + privileged: {{ .Values.global.proxy.privileged }} + readOnlyRootFilesystem: true + {{ if or ($tproxy) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} + runAsNonRoot: false + runAsUser: 0 + runAsGroup: 1337 + {{- else -}} + runAsNonRoot: true + runAsUser: {{ .ProxyUID | default "1337" }} + runAsGroup: {{ .ProxyGID | default "1337" }} + {{- end }} + {{- end }} + resources: + {{ template "resources" . }} + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + - name: credential-socket + mountPath: /var/run/secrets/credential-uds + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - mountPath: /etc/istio/custom-bootstrap + name: custom-bootstrap-volume + {{- end }} + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} + - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }} + name: lightstep-certs + readOnly: true + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} + {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 6 }} + {{ end }} + {{- end }} + volumes: + - emptyDir: + name: workload-socket + - emptyDir: + name: credential-socket + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- else }} + - emptyDir: + name: workload-certs + {{- end }} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: custom-bootstrap-volume + configMap: + name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - name: istio-certs + secret: + optional: true + {{ if eq .Spec.ServiceAccountName "" }} + secretName: istio.default + {{ else -}} + secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} + {{ end -}} + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} + {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 4 }} + {{ end }} + {{ end }} + {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} + - name: lightstep-certs + secret: + optional: true + secretName: lightstep.cacert + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/kube-gateway.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/kube-gateway.yaml new file mode 100644 index 0000000000..a6116b1ab0 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/kube-gateway.yaml @@ -0,0 +1,401 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{.ServiceAccount | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + {{- if ge .KubeVersion 128 }} + # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" + {{- end }} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.istio.io/managed" "istio.io-gateway-controller" + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: "{{.UID}}" +spec: + selector: + matchLabels: + "{{.GatewayNameLabel}}": {{.Name}} + template: + metadata: + annotations: + {{- toJsonMap + (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") + (strdict "istio.io/rev" (.Revision | default "default")) + (strdict + "prometheus.io/path" "/stats/prometheus" + "prometheus.io/port" "15020" + "prometheus.io/scrape" "true" + ) | nindent 8 }} + labels: + {{- toJsonMap + (strdict + "sidecar.istio.io/inject" "false" + "service.istio.io/canonical-name" .DeploymentName + "service.istio.io/canonical-revision" "latest" + ) + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.istio.io/managed" "istio.io-gateway-controller" + ) | nindent 8 }} + spec: + securityContext: + {{- if .Values.gateways.securityContext }} + {{- toYaml .Values.gateways.securityContext | nindent 8 }} + {{- else }} + sysctls: + - name: net.ipv4.ip_unprivileged_port_start + value: "0" + {{- if .Values.gateways.seccompProfile }} + seccompProfile: + {{- toYaml .Values.gateways.seccompProfile | nindent 10 }} + {{- end }} + {{- end }} + serviceAccountName: {{.ServiceAccount | quote}} + containers: + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + {{- if .Values.global.proxy.resources }} + resources: + {{- toYaml .Values.global.proxy.resources | nindent 10 }} + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + securityContext: + capabilities: + drop: + - ALL + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsUser: {{ .ProxyUID | default "1337" }} + runAsGroup: {{ .ProxyGID | default "1337" }} + runAsNonRoot: true + ports: + - containerPort: 15020 + name: metrics + protocol: TCP + - containerPort: 15021 + name: status-port + protocol: TCP + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - router + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} + - --proxyComponentLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} + - --log_output_level + - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{- toYaml .Values.global.proxy.lifecycle | nindent 10 }} + {{- end }} + env: + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: "[]" + - name: ISTIO_META_APP_CONTAINERS + value: "" + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName .ClusterID }}" + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ .ProxyConfig.InterceptionMode.String }}" + {{- with (valueOrDefault (index .InfrastructureLabels "topology.istio.io/network") .Values.global.network) }} + - name: ISTIO_META_NETWORK + value: {{.|quote}} + {{- end }} + - name: ISTIO_META_WORKLOAD_NAME + value: {{.DeploymentName|quote}} + - name: ISTIO_META_OWNER + value: "kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}}" + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- with (index .InfrastructureLabels "topology.istio.io/network") }} + - name: ISTIO_META_REQUESTED_NETWORK_VIEW + value: {{.|quote}} + {{- end }} + startupProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 1 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + failureThreshold: 4 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 0 + periodSeconds: 15 + successThreshold: 1 + timeoutSeconds: 1 + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + - name: credential-socket + mountPath: /var/run/secrets/credential-uds + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + - name: istio-podinfo + mountPath: /etc/istio/pod + volumes: + - emptyDir: {} + name: workload-socket + - emptyDir: {} + name: credential-socket + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- else}} + - emptyDir: {} + name: workload-certs + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + {{- if eq ((.Values.pilot).env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:root-cert + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +--- +apiVersion: v1 +kind: Service +metadata: + annotations: + {{ toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: {{.UID}} +spec: + ipFamilyPolicy: PreferDualStack + ports: + {{- range $key, $val := .Ports }} + - name: {{ $val.Name | quote }} + port: {{ $val.Port }} + protocol: TCP + appProtocol: {{ $val.AppProtocol }} + {{- end }} + selector: + "{{.GatewayNameLabel}}": {{.Name}} + {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} + loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} + {{- end }} + type: {{ .ServiceType | quote }} +--- +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: "{{.UID}}" +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{.DeploymentName | quote}} + maxReplicas: 1 +--- +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: "{{.UID}}" +spec: + selector: + matchLabels: + gateway.networking.k8s.io/gateway-name: {{.Name|quote}} + diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/profile-ambient.yaml new file mode 100644 index 0000000000..2805fe46bf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/profile-ambient.yaml @@ -0,0 +1,17 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/profile-compatibility-version-1.23.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/profile-compatibility-version-1.23.yaml new file mode 100644 index 0000000000..dac910ff5b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/profile-compatibility-version-1.23.yaml @@ -0,0 +1,25 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + ENABLE_INBOUND_RETRY_POLICY: "false" + EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" + +ambient: + # Not present in <1.24, defaults to `true` in 1.25+ + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 0000000000..b211c82666 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/profile-compatibility-version-1.24.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + PILOT_ENABLE_IP_AUTOALLOCATE: "false" +ambient: + dnsCapture: false + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..eb8827cd50 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/profile-demo.yaml new file mode 100644 index 0000000000..d6dc36dd0f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/profile-demo.yaml @@ -0,0 +1,94 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The demo profile enables a variety of things to try out Istio in non-production environments. +# * Lower resource utilization. +# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. +# * More ports enabled on the ingress, which is used in some tasks. +meshConfig: + accessLogFile: /dev/stdout + extensionProviders: + - name: otel + envoyOtelAls: + service: opentelemetry-collector.observability.svc.cluster.local + port: 4317 + - name: skywalking + skywalking: + service: tracing.istio-system.svc.cluster.local + port: 11800 + - name: otel-tracing + opentelemetry: + port: 4317 + service: opentelemetry-collector.observability.svc.cluster.local + - name: jaeger + opentelemetry: + port: 4317 + service: jaeger-collector.istio-system.svc.cluster.local + +cni: + resources: + requests: + cpu: 10m + memory: 40Mi + +ztunnel: + resources: + requests: + cpu: 10m + memory: 40Mi + +global: + proxy: + resources: + requests: + cpu: 10m + memory: 40Mi + waypoint: + resources: + requests: + cpu: 10m + memory: 40Mi + +pilot: + autoscaleEnabled: false + traceSampling: 100 + resources: + requests: + cpu: 10m + memory: 100Mi + +gateways: + istio-egressgateway: + autoscaleEnabled: false + resources: + requests: + cpu: 10m + memory: 40Mi + istio-ingressgateway: + autoscaleEnabled: false + ports: + ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. + # Note that AWS ELB will by default perform health checks on the first port + # on this list. Setting this to the health check port will ensure that health + # checks always work. https://github.com/istio/istio/issues/12503 + - port: 15021 + targetPort: 15021 + name: status-port + - port: 80 + targetPort: 8080 + name: http2 + - port: 443 + targetPort: 8443 + name: https + - port: 31400 + targetPort: 31400 + name: tcp + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + resources: + requests: + cpu: 10m + memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/profile-platform-gke.yaml new file mode 100644 index 0000000000..dfe8a7d741 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/profile-platform-gke.yaml @@ -0,0 +1,10 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work + resourceQuotas: + enabled: true +resourceQuotas: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/profile-platform-k3d.yaml new file mode 100644 index 0000000000..cd86d9ec58 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/profile-platform-k3d.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/profile-platform-k3s.yaml new file mode 100644 index 0000000000..07820106d9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/profile-platform-k3s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/profile-platform-microk8s.yaml new file mode 100644 index 0000000000..57d7f5e3cd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/profile-platform-microk8s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/snap/microk8s/current/args/cni-network + cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/profile-platform-minikube.yaml new file mode 100644 index 0000000000..fa9992e204 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/profile-platform-minikube.yaml @@ -0,0 +1,6 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/profile-platform-openshift.yaml new file mode 100644 index 0000000000..8ddc5e1654 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/profile-platform-openshift.yaml @@ -0,0 +1,19 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The OpenShift profile provides a basic set of settings to run Istio on OpenShift +cni: + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + provider: "multus" +pilot: + cni: + enabled: true + provider: "multus" +seLinuxOptions: + type: spc_t +# Openshift requires privileged pods to run in kube-system +trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/profile-preview.yaml new file mode 100644 index 0000000000..181d7bda2c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/profile-preview.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +meshConfig: + defaultConfig: + proxyMetadata: + # Enable Istio agent to handle DNS requests for known hosts + # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf + ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/profile-remote.yaml new file mode 100644 index 0000000000..d17b9a801a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/profile-remote.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. +istiodRemote: + enabled: true +configMap: false +telemetry: + enabled: false +global: + # TODO BML maybe a different profile for a configcluster/revisit this + omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/profile-stable.yaml new file mode 100644 index 0000000000..358282e69b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/profile-stable.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The stable profile deploys admission control to ensure that only stable resources and fields are used +# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE +experimental: + stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/waypoint.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/waypoint.yaml new file mode 100644 index 0000000000..6a08a662ec --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/files/waypoint.yaml @@ -0,0 +1,396 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{.ServiceAccount | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + {{- if ge .KubeVersion 128 }} + # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" + {{- end }} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.istio.io/managed" "istio.io-mesh-controller" + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" +spec: + selector: + matchLabels: + "{{.GatewayNameLabel}}": "{{.Name}}" + template: + metadata: + annotations: + {{- toJsonMap + (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") + (strdict "istio.io/rev" (.Revision | default "default")) + (strdict + "prometheus.io/path" "/stats/prometheus" + "prometheus.io/port" "15020" + "prometheus.io/scrape" "true" + ) | nindent 8 }} + labels: + {{- toJsonMap + (strdict + "sidecar.istio.io/inject" "false" + "istio.io/dataplane-mode" "none" + "service.istio.io/canonical-name" .DeploymentName + "service.istio.io/canonical-revision" "latest" + ) + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.istio.io/managed" "istio.io-mesh-controller" + ) | nindent 8}} + spec: + {{- if .Values.global.waypoint.affinity }} + affinity: + {{- toYaml .Values.global.waypoint.affinity | nindent 8 }} + {{- end }} + {{- if .Values.global.waypoint.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml .Values.global.waypoint.topologySpreadConstraints | nindent 8 }} + {{- end }} + {{- if .Values.global.waypoint.nodeSelector }} + nodeSelector: + {{- toYaml .Values.global.waypoint.nodeSelector | nindent 8 }} + {{- end }} + {{- if .Values.global.waypoint.tolerations }} + tolerations: + {{- toYaml .Values.global.waypoint.tolerations | nindent 8 }} + {{- end }} + terminationGracePeriodSeconds: 2 + serviceAccountName: {{.ServiceAccount | quote}} + containers: + - name: istio-proxy + ports: + - containerPort: 15020 + name: metrics + protocol: TCP + - containerPort: 15021 + name: status-port + protocol: TCP + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + args: + - proxy + - waypoint + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --serviceCluster + - {{.ServiceAccount}}.$(POD_NAMESPACE) + - --proxyLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} + - --proxyComponentLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} + - --log_output_level + - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.outlierLogPath }} + - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }} + {{- end}} + env: + - name: ISTIO_META_SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + {{- if .ProxyConfig.ProxyMetadata }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + {{- $network := valueOrDefault (index .InfrastructureLabels `topology.istio.io/network`) .Values.global.network }} + {{- if $network }} + - name: ISTIO_META_NETWORK + value: "{{ $network }}" + {{- end }} + - name: ISTIO_META_INTERCEPTION_MODE + value: REDIRECT + - name: ISTIO_META_WORKLOAD_NAME + value: {{.DeploymentName}} + - name: ISTIO_META_OWNER + value: kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- if .Values.global.waypoint.resources }} + resources: + {{- toYaml .Values.global.waypoint.resources | nindent 10 }} + {{- end }} + startupProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 1 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + failureThreshold: 4 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 0 + periodSeconds: 15 + successThreshold: 1 + timeoutSeconds: 1 + securityContext: + privileged: false + {{- if not (eq .Values.global.platform "openshift") }} + runAsGroup: 1337 + runAsUser: 1337 + {{- end }} + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL +{{- if .Values.gateways.seccompProfile }} + seccompProfile: +{{- toYaml .Values.gateways.seccompProfile | nindent 12 }} +{{- end }} + volumeMounts: + - mountPath: /var/run/secrets/workload-spiffe-uds + name: workload-socket + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + - mountPath: /var/lib/istio/data + name: istio-data + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + - mountPath: /etc/istio/pod + name: istio-podinfo + volumes: + - emptyDir: {} + name: workload-socket + - emptyDir: + medium: Memory + name: istio-envoy + - emptyDir: + medium: Memory + name: go-proxy-envoy + - emptyDir: {} + name: istio-data + - emptyDir: {} + name: go-proxy-data + - downwardAPI: + items: + - fieldRef: + fieldPath: metadata.labels + path: labels + - fieldRef: + fieldPath: metadata.annotations + path: annotations + name: istio-podinfo + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: istio-ca + expirationSeconds: 43200 + path: istio-token + - name: istiod-ca-cert + {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:root-cert + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +--- +apiVersion: v1 +kind: Service +metadata: + annotations: + {{ toJsonMap + (strdict "networking.istio.io/traffic-distribution" "PreferClose") + (omit .InfrastructureAnnotations + "kubectl.kubernetes.io/last-applied-configuration" + "gateway.istio.io/name-override" + "gateway.istio.io/service-account" + "gateway.istio.io/controller-version" + ) | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" +spec: + ipFamilyPolicy: PreferDualStack + ports: + {{- range $key, $val := .Ports }} + - name: {{ $val.Name | quote }} + port: {{ $val.Port }} + protocol: TCP + appProtocol: {{ $val.AppProtocol }} + {{- end }} + selector: + "{{.GatewayNameLabel}}": "{{.Name}}" + {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} + loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} + {{- end }} + type: {{ .ServiceType | quote }} +--- +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: "{{.UID}}" +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{.DeploymentName | quote}} + maxReplicas: 1 +--- +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: "{{.UID}}" +spec: + selector: + matchLabels: + gateway.networking.k8s.io/gateway-name: {{.Name|quote}} + diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/NOTES.txt new file mode 100644 index 0000000000..0d07ea7f4c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/NOTES.txt @@ -0,0 +1,82 @@ +"istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}" successfully installed! + +To learn more about the release, try: + $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} + $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} + +Next steps: +{{- $profile := default "" .Values.profile }} +{{- if (eq $profile "ambient") }} + * Get started with ambient: https://istio.io/latest/docs/ops/ambient/getting-started/ + * Review ambient's architecture: https://istio.io/latest/docs/ops/ambient/architecture/ +{{- else }} + * Deploy a Gateway: https://istio.io/latest/docs/setup/additional-setup/gateway/ + * Try out our tasks to get started on common configurations: + * https://istio.io/latest/docs/tasks/traffic-management + * https://istio.io/latest/docs/tasks/security/ + * https://istio.io/latest/docs/tasks/policy-enforcement/ +{{- end }} + * Review the list of actively supported releases, CVE publications and our hardening guide: + * https://istio.io/latest/docs/releases/supported-releases/ + * https://istio.io/latest/news/security/ + * https://istio.io/latest/docs/ops/best-practices/security/ + +For further documentation see https://istio.io website + +{{- + $deps := dict + "global.outboundTrafficPolicy" "meshConfig.outboundTrafficPolicy" + "global.certificates" "meshConfig.certificates" + "global.localityLbSetting" "meshConfig.localityLbSetting" + "global.policyCheckFailOpen" "meshConfig.policyCheckFailOpen" + "global.enableTracing" "meshConfig.enableTracing" + "global.proxy.accessLogFormat" "meshConfig.accessLogFormat" + "global.proxy.accessLogFile" "meshConfig.accessLogFile" + "global.proxy.concurrency" "meshConfig.defaultConfig.concurrency" + "global.proxy.envoyAccessLogService" "meshConfig.defaultConfig.envoyAccessLogService" + "global.proxy.envoyAccessLogService.enabled" "meshConfig.enableEnvoyAccessLogService" + "global.proxy.envoyMetricsService" "meshConfig.defaultConfig.envoyMetricsService" + "global.proxy.protocolDetectionTimeout" "meshConfig.protocolDetectionTimeout" + "global.proxy.holdApplicationUntilProxyStarts" "meshConfig.defaultConfig.holdApplicationUntilProxyStarts" + "pilot.ingress" "meshConfig.ingressService, meshConfig.ingressControllerMode, and meshConfig.ingressClass" + "global.mtls.enabled" "the PeerAuthentication resource" + "global.mtls.auto" "meshConfig.enableAutoMtls" + "global.tracer.lightstep.address" "meshConfig.defaultConfig.tracing.lightstep.address" + "global.tracer.lightstep.accessToken" "meshConfig.defaultConfig.tracing.lightstep.accessToken" + "global.tracer.zipkin.address" "meshConfig.defaultConfig.tracing.zipkin.address" + "global.tracer.datadog.address" "meshConfig.defaultConfig.tracing.datadog.address" + "global.meshExpansion.enabled" "Gateway and other Istio networking resources, such as in samples/multicluster/" + "istiocoredns.enabled" "the in-proxy DNS capturing (ISTIO_META_DNS_CAPTURE)" +}} +{{- range $dep, $replace := $deps }} +{{- /* Complex logic to turn the string above into a null-safe traversal like ((.Values.global).certificates */}} +{{- $res := tpl (print "{{" (repeat (split "." $dep | len) "(") ".Values." (replace "." ")." $dep) ")}}") $}} +{{- if not (eq $res "")}} +WARNING: {{$dep|quote}} is deprecated; use {{$replace|quote}} instead. +{{- end }} +{{- end }} +{{- + $failDeps := dict + "telemetry.v2.prometheus.configOverride" + "telemetry.v2.stackdriver.configOverride" + "telemetry.v2.stackdriver.disableOutbound" + "telemetry.v2.stackdriver.outboundAccessLogging" + "global.tracer.stackdriver.debug" "meshConfig.defaultConfig.tracing.stackdriver.debug" + "global.tracer.stackdriver.maxNumberOfAttributes" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAttributes" + "global.tracer.stackdriver.maxNumberOfAnnotations" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAnnotations" + "global.tracer.stackdriver.maxNumberOfMessageEvents" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfMessageEvents" + "meshConfig.defaultConfig.tracing.stackdriver.debug" "Istio supported tracers" + "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAttributes" "Istio supported tracers" + "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAnnotations" "Istio supported tracers" + "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfMessageEvents" "Istio supported tracers" +}} +{{- range $dep, $replace := $failDeps }} +{{- /* Complex logic to turn the string above into a null-safe traversal like ((.Values.global).certificates */}} +{{- $res := tpl (print "{{" (repeat (split "." $dep | len) "(") ".Values." (replace "." ")." $dep) ")}}") $}} +{{- if not (eq $res "")}} +{{fail (print $dep " is removed")}} +{{- end }} +{{- end }} +{{- if eq $.Values.global.pilotCertProvider "kubernetes" }} +{{- fail "pilotCertProvider=kubernetes is not supported" }} +{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/_helpers.tpl new file mode 100644 index 0000000000..042c92538d --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/_helpers.tpl @@ -0,0 +1,23 @@ +{{/* Default Prometheus is enabled if its enabled and there are no config overrides set */}} +{{ define "default-prometheus" }} +{{- and + (not .Values.meshConfig.defaultProviders) + .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.prometheus.enabled +}} +{{- end }} + +{{/* SD has metrics and logging split. Default metrics are enabled if SD is enabled */}} +{{ define "default-sd-metrics" }} +{{- and + (not .Values.meshConfig.defaultProviders) + .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled +}} +{{- end }} + +{{/* SD has metrics and logging split. */}} +{{ define "default-sd-logs" }} +{{- and + (not .Values.meshConfig.defaultProviders) + .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled +}} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/autoscale.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/autoscale.yaml new file mode 100644 index 0000000000..09cd6258ce --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/autoscale.yaml @@ -0,0 +1,43 @@ +# Not created if istiod is running remotely +{{- if not .Values.istiodRemote.enabled }} +{{- if and .Values.autoscaleEnabled .Values.autoscaleMin .Values.autoscaleMax }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +spec: + maxReplicas: {{ .Values.autoscaleMax }} + minReplicas: {{ .Values.autoscaleMin }} + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + metrics: + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.cpu.targetAverageUtilization }} + {{- if .Values.memory.targetAverageUtilization }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.memory.targetAverageUtilization }} + {{- end }} + {{- if .Values.autoscaleBehavior }} + behavior: {{ toYaml .Values.autoscaleBehavior | nindent 4 }} + {{- end }} +--- +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/clusterrole.yaml new file mode 100644 index 0000000000..0fa8532a9a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/clusterrole.yaml @@ -0,0 +1,212 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} +{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +rules: + # sidecar injection controller + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update", "patch"] + + # configuration validation webhook controller + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update"] + + # istio configuration + # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382) + # please proceed with caution + - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] + verbs: ["get", "watch", "list"] + resources: ["*"] +{{- if .Values.global.istiod.enableAnalysis }} + - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] + verbs: ["update", "patch"] + resources: + - authorizationpolicies/status + - destinationrules/status + - envoyfilters/status + - gateways/status + - peerauthentications/status + - proxyconfigs/status + - requestauthentications/status + - serviceentries/status + - sidecars/status + - telemetries/status + - virtualservices/status + - wasmplugins/status + - workloadentries/status + - workloadgroups/status +{{- end }} + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "workloadentries" ] + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "workloadentries/status", "serviceentries/status" ] + - apiGroups: ["security.istio.io"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "authorizationpolicies/status" ] + - apiGroups: [""] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "services/status" ] + + # auto-detect installed CRD definitions + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch"] + + # discovery and routing + - apiGroups: [""] + resources: ["pods", "nodes", "services", "namespaces", "endpoints"] + verbs: ["get", "list", "watch"] + - apiGroups: ["discovery.k8s.io"] + resources: ["endpointslices"] + verbs: ["get", "list", "watch"] + +{{- if .Values.taint.enabled }} + - apiGroups: [""] + resources: ["nodes"] + verbs: ["patch"] +{{- end }} + + # ingress controller +{{- if .Values.global.istiod.enableAnalysis }} + - apiGroups: ["extensions", "networking.k8s.io"] + resources: ["ingresses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["extensions", "networking.k8s.io"] + resources: ["ingresses/status"] + verbs: ["*"] +{{- end}} + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses", "ingressclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses/status"] + verbs: ["*"] + + # required for CA's namespace controller + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["create", "get", "list", "watch", "update"] + + # Istiod and bootstrap. +{{- $omitCertProvidersForClusterRole := list "istiod" "custom" "none"}} +{{- if or .Values.env.EXTERNAL_CA (not (has .Values.global.pilotCertProvider $omitCertProvidersForClusterRole)) }} + - apiGroups: ["certificates.k8s.io"] + resources: + - "certificatesigningrequests" + - "certificatesigningrequests/approval" + - "certificatesigningrequests/status" + verbs: ["update", "create", "get", "delete", "watch"] + - apiGroups: ["certificates.k8s.io"] + resources: + - "signers" + resourceNames: +{{- range .Values.global.certSigners }} + - {{ . | quote }} +{{- end }} + verbs: ["approve"] +{{- end}} +{{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + - apiGroups: ["certificates.k8s.io"] + resources: ["clustertrustbundles"] + verbs: ["update", "create", "delete", "list", "watch", "get"] + - apiGroups: ["certificates.k8s.io"] + resources: ["signers"] + resourceNames: ["istio.io/istiod-ca"] + verbs: ["attest"] +{{- end }} + + # Used by Istiod to verify the JWT tokens + - apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] + + # Used by Istiod to verify gateway SDS + - apiGroups: ["authorization.k8s.io"] + resources: ["subjectaccessreviews"] + verbs: ["create"] + + # Use for Kubernetes Service APIs + - apiGroups: ["gateway.networking.k8s.io", "gateway.networking.x-k8s.io"] + resources: ["*"] + verbs: ["get", "watch", "list"] + - apiGroups: ["gateway.networking.x-k8s.io"] + resources: + - xbackendtrafficpolicies/status + verbs: ["update", "patch"] + - apiGroups: ["gateway.networking.k8s.io"] + resources: + - backendtlspolicies/status + - gatewayclasses/status + - gateways/status + - grpcroutes/status + - httproutes/status + - referencegrants/status + - tcproutes/status + - tlsroutes/status + - udproutes/status + verbs: ["update", "patch"] + - apiGroups: ["gateway.networking.k8s.io"] + resources: ["gatewayclasses"] + verbs: ["create", "update", "patch", "delete"] + - apiGroups: ["inference.networking.x-k8s.io"] + resources: ["inferencepools"] + verbs: ["get", "watch", "list"] + - apiGroups: ["inference.networking.x-k8s.io"] + resources: ["inferencepools/status"] + verbs: ["update", "patch"] + + # Needed for multicluster secret reading, possibly ingress certs in the future + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "watch", "list"] + + # Used for MCS serviceexport management + - apiGroups: ["{{ $mcsAPIGroup }}"] + resources: ["serviceexports"] + verbs: [ "get", "watch", "list", "create", "delete"] + + # Used for MCS serviceimport management + - apiGroups: ["{{ $mcsAPIGroup }}"] + resources: ["serviceimports"] + verbs: ["get", "watch", "list"] +--- +{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +rules: + - apiGroups: ["apps"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "deployments" ] + - apiGroups: ["autoscaling"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "horizontalpodautoscalers" ] + - apiGroups: ["policy"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "poddisruptionbudgets" ] + - apiGroups: [""] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "services" ] + - apiGroups: [""] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "serviceaccounts"] +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..10781b4079 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/clusterrolebinding.yaml @@ -0,0 +1,40 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} +subjects: + - kind: ServiceAccount + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} +--- +{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} +subjects: +- kind: ServiceAccount + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/configmap-jwks.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/configmap-jwks.yaml new file mode 100644 index 0000000000..3505d28229 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/configmap-jwks.yaml @@ -0,0 +1,18 @@ +# Not created if istiod is running remotely +{{- if not .Values.istiodRemote.enabled }} +{{- if .Values.jwksResolverExtraRootCA }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +data: + extra.pem: {{ .Values.jwksResolverExtraRootCA | quote }} +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/configmap-values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/configmap-values.yaml new file mode 100644 index 0000000000..75e6e0bcc6 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/configmap-values.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: values{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + annotations: + kubernetes.io/description: This ConfigMap contains the Helm values used during chart rendering. This ConfigMap is rendered for debugging purposes and external tooling; modifying these values has no effect. + labels: + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +data: + original-values: |- +{{ .Values._original | toPrettyJson | indent 4 }} +{{- $_ := unset $.Values "_original" }} + merged-values: |- +{{ .Values | toPrettyJson | indent 4 }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/configmap.yaml new file mode 100644 index 0000000000..3098d300fd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/configmap.yaml @@ -0,0 +1,106 @@ +{{- define "mesh" }} + # The trust domain corresponds to the trust root of a system. + # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain + trustDomain: "cluster.local" + + # The namespace to treat as the administrative root namespace for Istio configuration. + # When processing a leaf namespace Istio will search for declarations in that namespace first + # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace + # is processed as if it were declared in the leaf namespace. + rootNamespace: {{ .Values.meshConfig.rootNamespace | default .Values.global.istioNamespace }} + + {{ $prom := include "default-prometheus" . | eq "true" }} + {{ $sdMetrics := include "default-sd-metrics" . | eq "true" }} + {{ $sdLogs := include "default-sd-logs" . | eq "true" }} + {{- if or $prom $sdMetrics $sdLogs }} + defaultProviders: + {{- if or $prom $sdMetrics }} + metrics: + {{ if $prom }}- prometheus{{ end }} + {{ if and $sdMetrics $sdLogs }}- stackdriver{{ end }} + {{- end }} + {{- if and $sdMetrics $sdLogs }} + accessLogging: + - stackdriver + {{- end }} + {{- end }} + + defaultConfig: + {{- if .Values.global.meshID }} + meshId: "{{ .Values.global.meshID }}" + {{- end }} + {{- with (.Values.global.proxy.variant | default .Values.global.variant) }} + image: + imageType: {{. | quote}} + {{- end }} + {{- if not (eq .Values.global.proxy.tracer "none") }} + tracing: + {{- if eq .Values.global.proxy.tracer "lightstep" }} + lightstep: + # Address of the LightStep Satellite pool + address: {{ .Values.global.tracer.lightstep.address }} + # Access Token used to communicate with the Satellite pool + accessToken: {{ .Values.global.tracer.lightstep.accessToken }} + {{- else if eq .Values.global.proxy.tracer "zipkin" }} + zipkin: + # Address of the Zipkin collector + address: {{ ((.Values.global.tracer).zipkin).address | default (print "zipkin." .Values.global.istioNamespace ":9411") }} + {{- else if eq .Values.global.proxy.tracer "datadog" }} + datadog: + # Address of the Datadog Agent + address: {{ ((.Values.global.tracer).datadog).address | default "$(HOST_IP):8126" }} + {{- else if eq .Values.global.proxy.tracer "stackdriver" }} + stackdriver: + # enables trace output to stdout. + debug: {{ (($.Values.global.tracer).stackdriver).debug | default "false" }} + # The global default max number of attributes per span. + maxNumberOfAttributes: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAttributes | default "200" }} + # The global default max number of annotation events per span. + maxNumberOfAnnotations: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAnnotations | default "200" }} + # The global default max number of message events per span. + maxNumberOfMessageEvents: {{ (($.Values.global.tracer).stackdriver).maxNumberOfMessageEvents | default "200" }} + {{- end }} + {{- end }} + {{- if .Values.global.remotePilotAddress }} + discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012 + {{- else }} + discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012 + {{- end }} +{{- end }} + +{{/* We take the mesh config above, defined with individual values.yaml, and merge with .Values.meshConfig */}} +{{/* The intent here is that meshConfig.foo becomes the API, rather than re-inventing the API in values.yaml */}} +{{- $originalMesh := include "mesh" . | fromYaml }} +{{- $mesh := mergeOverwrite $originalMesh .Values.meshConfig }} + +{{- if .Values.configMap }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +data: + + # Configuration file for the mesh networks to be used by the Split Horizon EDS. + meshNetworks: |- + {{- if .Values.global.meshNetworks }} + networks: +{{ toYaml .Values.global.meshNetworks | trim | indent 6 }} + {{- else }} + networks: {} + {{- end }} + + mesh: |- +{{- if .Values.meshConfig }} +{{ $mesh | toYaml | indent 4 }} +{{- else }} +{{- include "mesh" . }} +{{- end }} +--- +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/deployment.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/deployment.yaml new file mode 100644 index 0000000000..cf82b21e96 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/deployment.yaml @@ -0,0 +1,308 @@ +# Not created if istiod is running remotely +{{- if not .Values.istiodRemote.enabled }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + istio: pilot + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +{{- range $key, $val := .Values.deploymentLabels }} + {{ $key }}: "{{ $val }}" +{{- end }} +spec: +{{- if not .Values.autoscaleEnabled }} +{{- if .Values.replicaCount }} + replicas: {{ .Values.replicaCount }} +{{- end }} +{{- end }} + strategy: + rollingUpdate: + maxSurge: {{ .Values.rollingMaxSurge }} + maxUnavailable: {{ .Values.rollingMaxUnavailable }} + selector: + matchLabels: + {{- if ne .Values.revision "" }} + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + {{- else }} + istio: pilot + {{- end }} + template: + metadata: + labels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + sidecar.istio.io/inject: "false" + operator.istio.io/component: "Pilot" + {{- if ne .Values.revision "" }} + istio: istiod + {{- else }} + istio: pilot + {{- end }} + {{- range $key, $val := .Values.podLabels }} + {{ $key }}: "{{ $val }}" + {{- end }} + istio.io/dataplane-mode: none + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 8 }} + annotations: + prometheus.io/port: "15014" + prometheus.io/scrape: "true" + sidecar.istio.io/inject: "false" + {{- if .Values.podAnnotations }} +{{ toYaml .Values.podAnnotations | indent 8 }} + {{- end }} + spec: +{{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 8 }} +{{- end }} +{{- with .Values.affinity }} + affinity: +{{- toYaml . | nindent 8 }} +{{- end }} + tolerations: + - key: cni.istio.io/not-ready + operator: "Exists" +{{- with .Values.tolerations }} +{{- toYaml . | nindent 8 }} +{{- end }} +{{- with .Values.topologySpreadConstraints }} + topologySpreadConstraints: +{{- toYaml . | nindent 8 }} +{{- end }} + serviceAccountName: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} +{{- if .Values.global.priorityClassName }} + priorityClassName: "{{ .Values.global.priorityClassName }}" +{{- end }} +{{- with .Values.initContainers }} + initContainers: + {{- tpl (toYaml .) $ | nindent 8 }} +{{- end }} + containers: + - name: discovery +{{- if contains "/" .Values.image }} + image: "{{ .Values.image }}" +{{- else }} + image: "{{ .Values.hub | default .Values.global.hub }}/{{ .Values.image | default "pilot" }}:{{ .Values.tag | default .Values.global.tag }}{{with (.Values.variant | default .Values.global.variant)}}-{{.}}{{end}}" +{{- end }} +{{- if .Values.global.imagePullPolicy }} + imagePullPolicy: {{ .Values.global.imagePullPolicy }} +{{- end }} + args: + - "discovery" + - --monitoringAddr=:15014 +{{- if .Values.global.logging.level }} + - --log_output_level={{ .Values.global.logging.level }} +{{- end}} +{{- if .Values.global.logAsJson }} + - --log_as_json +{{- end }} + - --domain + - {{ .Values.global.proxy.clusterDomain }} +{{- if .Values.taint.namespace }} + - --cniNamespace={{ .Values.taint.namespace }} +{{- end }} + - --keepaliveMaxServerConnectionAge + - "{{ .Values.keepaliveMaxServerConnectionAge }}" +{{- if .Values.extraContainerArgs }} + {{- with .Values.extraContainerArgs }} + {{- toYaml . | nindent 10 }} + {{- end }} +{{- end }} + ports: + - containerPort: 8080 + protocol: TCP + name: http-debug + - containerPort: 15010 + protocol: TCP + name: grpc-xds + - containerPort: 15012 + protocol: TCP + name: tls-xds + - containerPort: 15017 + protocol: TCP + name: https-webhooks + - containerPort: 15014 + protocol: TCP + name: http-monitoring + readinessProbe: + httpGet: + path: /ready + port: 8080 + initialDelaySeconds: 1 + periodSeconds: 3 + timeoutSeconds: 5 + env: + - name: REVISION + value: "{{ .Values.revision | default `default` }}" + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.serviceAccountName + - name: KUBECONFIG + value: /var/run/secrets/remote/config + # If you explicitly told us where ztunnel lives, use that. + # Otherwise, assume it lives in our namespace + # Also, check for an explicit ENV override (legacy approach) and prefer that + # if present + {{ $ztTrustedNS := or .Values.trustedZtunnelNamespace .Release.Namespace }} + {{ $ztTrustedName := or .Values.trustedZtunnelName "ztunnel" }} + {{- if not .Values.env.CA_TRUSTED_NODE_ACCOUNTS }} + - name: CA_TRUSTED_NODE_ACCOUNTS + value: "{{ $ztTrustedNS }}/{{ $ztTrustedName }}" + {{- end }} + {{- if .Values.env }} + {{- range $key, $val := .Values.env }} + - name: {{ $key }} + value: "{{ $val }}" + {{- end }} + {{- end }} + {{- with .Values.envVarFrom }} + {{- toYaml . | nindent 10 }} + {{- end }} +{{- if .Values.traceSampling }} + - name: PILOT_TRACE_SAMPLING + value: "{{ .Values.traceSampling }}" +{{- end }} +# If externalIstiod is set via Values.Global, then enable the pilot env variable. However, if it's set via Values.pilot.env, then +# don't set it here to avoid duplication. +# TODO (nshankar13): Move from Helm chart to code: https://github.com/istio/istio/issues/52449 +{{- if and .Values.global.externalIstiod (not (and .Values.env .Values.env.EXTERNAL_ISTIOD)) }} + - name: EXTERNAL_ISTIOD + value: "{{ .Values.global.externalIstiod }}" +{{- end }} +{{- if .Values.global.trustBundleName }} + - name: PILOT_CA_CERT_CONFIGMAP + value: "{{ .Values.global.trustBundleName }}" +{{- end }} + - name: PILOT_ENABLE_ANALYSIS + value: "{{ .Values.global.istiod.enableAnalysis }}" + - name: CLUSTER_ID + value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}" + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + divisor: "1" + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + divisor: "1" + - name: PLATFORM + value: "{{ coalesce .Values.global.platform .Values.platform }}" + resources: +{{- if .Values.resources }} +{{ toYaml .Values.resources | trim | indent 12 }} +{{- else }} +{{ toYaml .Values.global.defaultResources | trim | indent 12 }} +{{- end }} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL +{{- if .Values.seccompProfile }} + seccompProfile: +{{ toYaml .Values.seccompProfile | trim | indent 14 }} +{{- end }} + volumeMounts: + - name: istio-token + mountPath: /var/run/secrets/tokens + readOnly: true + - name: local-certs + mountPath: /var/run/secrets/istio-dns + - name: cacerts + mountPath: /etc/cacerts + readOnly: true + - name: istio-kubeconfig + mountPath: /var/run/secrets/remote + readOnly: true + {{- if .Values.jwksResolverExtraRootCA }} + - name: extracacerts + mountPath: /cacerts + {{- end }} + - name: istio-csr-dns-cert + mountPath: /var/run/secrets/istiod/tls + readOnly: true + - name: istio-csr-ca-configmap + mountPath: /var/run/secrets/istiod/ca + readOnly: true + {{- with .Values.volumeMounts }} + {{- toYaml . | nindent 10 }} + {{- end }} + volumes: + # Technically not needed on this pod - but it helps debugging/testing SDS + # Should be removed after everything works. + - emptyDir: + medium: Memory + name: local-certs + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: {{ .Values.global.sds.token.aud }} + expirationSeconds: 43200 + path: istio-token + # Optional: user-generated root + - name: cacerts + secret: + secretName: cacerts + optional: true + - name: istio-kubeconfig + secret: + secretName: istio-kubeconfig + optional: true + # Optional: istio-csr dns pilot certs + - name: istio-csr-dns-cert + secret: + secretName: istiod-tls + optional: true + - name: istio-csr-ca-configmap + {{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:root-cert + path: root-cert.pem + optional: true + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + defaultMode: 420 + optional: true + {{- end }} + {{- if .Values.jwksResolverExtraRootCA }} + - name: extracacerts + configMap: + name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- end }} + {{- with .Values.volumes }} + {{- toYaml . | nindent 6}} + {{- end }} + +--- +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/gateway-class-configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/gateway-class-configmap.yaml new file mode 100644 index 0000000000..6b23d716a4 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/gateway-class-configmap.yaml @@ -0,0 +1,20 @@ +{{ range $key, $value := .Values.gatewayClasses }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-{{ $.Values.revision | default "default" }}-gatewayclass-{{$key}} + namespace: {{ $.Release.Namespace }} + labels: + istio.io/rev: {{ $.Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + release: {{ $.Release.Name }} + app.kubernetes.io/name: "istiod" + gateway.istio.io/defaults-for-class: {{$key|quote}} + {{- include "istio.labels" $ | nindent 4 }} +data: +{{ range $kind, $overlay := $value }} + {{$kind}}: | +{{$overlay|toYaml|trim|indent 4}} +{{ end }} +--- +{{ end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/istiod-injector-configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/istiod-injector-configmap.yaml new file mode 100644 index 0000000000..171aff8861 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/istiod-injector-configmap.yaml @@ -0,0 +1,81 @@ +{{- if not .Values.global.omitSidecarInjectorConfigMap }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +data: +{{/* Scope the values to just top level fields used in the template, to reduce the size. */}} + values: |- +{{ $vals := pick .Values "global" "sidecarInjectorWebhook" "revision" -}} +{{ $pilotVals := pick .Values "cni" "env" -}} +{{ $vals = set $vals "pilot" $pilotVals -}} +{{ $gatewayVals := pick .Values.gateways "securityContext" "seccompProfile" -}} +{{ $vals = set $vals "gateways" $gatewayVals -}} +{{ $vals | toPrettyJson | indent 4 }} + + # To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching + # and istiod webhook functionality. + # + # New fields should not use Values - it is a 'primary' config object, users should be able + # to fine tune it or use it with kube-inject. + config: |- + # defaultTemplates defines the default template to use for pods that do not explicitly specify a template + {{- if .Values.sidecarInjectorWebhook.defaultTemplates }} + defaultTemplates: +{{- range .Values.sidecarInjectorWebhook.defaultTemplates}} + - {{ . }} +{{- end }} + {{- else }} + defaultTemplates: [sidecar] + {{- end }} + policy: {{ .Values.global.proxy.autoInject }} + alwaysInjectSelector: +{{ toYaml .Values.sidecarInjectorWebhook.alwaysInjectSelector | trim | indent 6 }} + neverInjectSelector: +{{ toYaml .Values.sidecarInjectorWebhook.neverInjectSelector | trim | indent 6 }} + injectedAnnotations: + {{- range $key, $val := .Values.sidecarInjectorWebhook.injectedAnnotations }} + "{{ $key }}": {{ $val | quote }} + {{- end }} + {{- /* If someone ends up with this new template, but an older Istiod image, they will attempt to render this template + which will fail with "Pod injection failed: template: inject:1: function "Istio_1_9_Required_Template_And_Version_Mismatched" not defined". + This should make it obvious that their installation is broken. + */}} + template: {{ `{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}` | quote }} + templates: +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "sidecar") }} + sidecar: | +{{ .Files.Get "files/injection-template.yaml" | trim | indent 8 }} +{{- end }} +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "gateway") }} + gateway: | +{{ .Files.Get "files/gateway-injection-template.yaml" | trim | indent 8 }} +{{- end }} +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-simple") }} + grpc-simple: | +{{ .Files.Get "files/grpc-simple.yaml" | trim | indent 8 }} +{{- end }} +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-agent") }} + grpc-agent: | +{{ .Files.Get "files/grpc-agent.yaml" | trim | indent 8 }} +{{- end }} +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "waypoint") }} + waypoint: | +{{ .Files.Get "files/waypoint.yaml" | trim | indent 8 }} +{{- end }} +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "kube-gateway") }} + kube-gateway: | +{{ .Files.Get "files/kube-gateway.yaml" | trim | indent 8 }} +{{- end }} +{{- with .Values.sidecarInjectorWebhook.templates }} +{{ toYaml . | trim | indent 6 }} +{{- end }} + +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/mutatingwebhook.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/mutatingwebhook.yaml new file mode 100644 index 0000000000..22160f70a0 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/mutatingwebhook.yaml @@ -0,0 +1,164 @@ +# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that. +{{- /* Core defines the common configuration used by all webhook segments */}} +{{/* Copy just what we need to avoid expensive deepCopy */}} +{{- $whv := dict + "revision" .Values.revision + "injectionPath" .Values.istiodRemote.injectionPath + "injectionURL" .Values.istiodRemote.injectionURL + "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy + "caBundle" .Values.istiodRemote.injectionCABundle + "namespace" .Release.Namespace }} +{{- define "core" }} +{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign +a unique prefix to each. */}} +- name: {{.Prefix}}sidecar-injector.istio.io + clientConfig: + {{- if .injectionURL }} + url: "{{ .injectionURL }}" + {{- else }} + service: + name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} + namespace: {{ .namespace }} + path: "{{ .injectionPath }}" + port: 443 + {{- end }} + {{- if .caBundle }} + caBundle: "{{ .caBundle }}" + {{- end }} + sideEffects: None + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + reinvocationPolicy: "{{ .reinvocationPolicy }}" + admissionReviewVersions: ["v1"] +{{- end }} +{{- /* Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) */}} +{{- if not .Values.global.operatorManageWebhooks }} +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: +{{- if eq .Release.Namespace "istio-system"}} + name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} +{{- else }} + name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} +{{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app: sidecar-injector + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +{{- if $.Values.sidecarInjectorWebhookAnnotations }} + annotations: +{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }} +{{- end }} +webhooks: +{{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}} + +{{- /* Case 1: namespace selector matches, and object doesn't disable */}} +{{- /* Note: if both revision and legacy selector, we give precedence to the legacy one */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + {{- if (eq .Values.revision "") }} + - "default" + {{- else }} + - "{{ .Values.revision }}" + {{- end }} + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + +{{- /* Case 2: No namespace selector, but object selects our revision (and doesn't disable) */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: DoesNotExist + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + - key: istio.io/rev + operator: In + values: + {{- if (eq .Values.revision "") }} + - "default" + {{- else }} + - "{{ .Values.revision }}" + {{- end }} + + +{{- /* Webhooks for default revision */}} +{{- if (eq .Values.revision "") }} + +{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: In + values: + - enabled + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + +{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: In + values: + - "true" + - key: istio.io/rev + operator: DoesNotExist + +{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }} +{{- /* Special case 3: no labels at all */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + - key: "kubernetes.io/metadata.name" + operator: "NotIn" + values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist +{{- end }} + +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/networkpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/networkpolicy.yaml new file mode 100644 index 0000000000..bcc1594d97 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/networkpolicy.yaml @@ -0,0 +1,45 @@ +{{- if (.Values.global.networkPolicy).enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + istio: pilot + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + policyTypes: + - Ingress + - Egress + ingress: + # Webhook from kube-apiserver + - from: [] + ports: + - protocol: TCP + port: 15017 + # xDS from potentially anywhere + - from: [] + ports: + - protocol: TCP + port: 15010 + - protocol: TCP + port: 15011 + - protocol: TCP + port: 15012 + - protocol: TCP + port: 8080 + - protocol: TCP + port: 15014 + # Allow all egress (needed because features like JWKS require connections to user-defined endpoints) + egress: + - {} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/poddisruptionbudget.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/poddisruptionbudget.yaml new file mode 100644 index 0000000000..5b8f812faa --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/poddisruptionbudget.yaml @@ -0,0 +1,39 @@ +# Not created if istiod is running remotely +{{- if not .Values.istiodRemote.enabled }} +{{- if .Values.global.defaultPodDisruptionBudget.enabled }} +# a workaround for https://github.com/kubernetes/kubernetes/issues/93476 +{{- if or (and .Values.autoscaleEnabled (gt (int .Values.autoscaleMin) 1)) (and (not .Values.autoscaleEnabled) (gt (int .Values.replicaCount) 1)) }} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + release: {{ .Release.Name }} + istio: pilot + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +spec: + {{- if and .Values.pdb.minAvailable (not (hasKey .Values.pdb "maxUnavailable")) }} + minAvailable: {{ .Values.pdb.minAvailable }} + {{- else if .Values.pdb.maxUnavailable }} + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + {{- end }} + {{- if .Values.pdb.unhealthyPodEvictionPolicy }} + unhealthyPodEvictionPolicy: {{ .Values.pdb.unhealthyPodEvictionPolicy }} + {{- end }} + selector: + matchLabels: + app: istiod + {{- if ne .Values.revision "" }} + istio.io/rev: {{ .Values.revision | quote }} + {{- else }} + istio: pilot + {{- end }} +--- +{{- end }} +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/reader-clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/reader-clusterrole.yaml new file mode 100644 index 0000000000..4707c7e9f0 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/reader-clusterrole.yaml @@ -0,0 +1,64 @@ +{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istio-reader + release: {{ .Release.Name }} + app.kubernetes.io/name: "istio-reader" + {{- include "istio.labels" . | nindent 4 }} +rules: + - apiGroups: + - "config.istio.io" + - "security.istio.io" + - "networking.istio.io" + - "authentication.istio.io" + - "rbac.istio.io" + - "telemetry.istio.io" + - "extensions.istio.io" + resources: ["*"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + # TODO(keithmattix): See if we can conditionally give permission to read secrets and configmaps iff externalIstiod + # is enabled. Best I can tell, these two resources are only needed for configuring proxy TLS (i.e. CA certs). + resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets", "configmaps"] + verbs: ["get", "list", "watch"] + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list" ] + resources: [ "workloadentries" ] + - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] + resources: ["gateways"] + verbs: ["get", "watch", "list"] + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch"] + - apiGroups: ["discovery.k8s.io"] + resources: ["endpointslices"] + verbs: ["get", "list", "watch"] + - apiGroups: ["{{ $mcsAPIGroup }}"] + resources: ["serviceexports"] + verbs: ["get", "list", "watch", "create", "delete"] + - apiGroups: ["{{ $mcsAPIGroup }}"] + resources: ["serviceimports"] + verbs: ["get", "list", "watch"] + - apiGroups: ["apps"] + resources: ["replicasets"] + verbs: ["get", "list", "watch"] + - apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] + - apiGroups: ["authorization.k8s.io"] + resources: ["subjectaccessreviews"] + verbs: ["create"] +{{- if .Values.istiodRemote.enabled }} + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["create", "get", "list", "watch", "update"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update"] +{{- end}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/reader-clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/reader-clusterrolebinding.yaml new file mode 100644 index 0000000000..aea9f01f7a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/reader-clusterrolebinding.yaml @@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istio-reader + release: {{ .Release.Name }} + app.kubernetes.io/name: "istio-reader" + {{- include "istio.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} +subjects: + - kind: ServiceAccount + name: istio-reader-service-account + namespace: {{ .Values.global.istioNamespace }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/remote-istiod-endpoints.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/remote-istiod-endpoints.yaml new file mode 100644 index 0000000000..a6de571da5 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/remote-istiod-endpoints.yaml @@ -0,0 +1,25 @@ +# This file is only used for remote `istiod` installs. +{{- if .Values.istiodRemote.enabled }} +# if the remotePilotAddress is an IP addr +{{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }} +apiVersion: v1 +kind: Endpoints +metadata: + name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +subsets: +- addresses: + - ip: {{ .Values.global.remotePilotAddress }} + ports: + - port: 15012 + name: tcp-istiod + protocol: TCP + - port: 15017 + name: tcp-webhook + protocol: TCP +--- +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/remote-istiod-service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/remote-istiod-service.yaml new file mode 100644 index 0000000000..d3f872f74b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/remote-istiod-service.yaml @@ -0,0 +1,35 @@ +# This file is only used for remote `istiod` installs. +{{- if .Values.global.remotePilotAddress }} +apiVersion: v1 +kind: Service +metadata: + name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: "istiod" + {{ include "istio.labels" . | nindent 4 }} +spec: + ports: + - port: 15012 + name: tcp-istiod + protocol: TCP + - port: 443 + targetPort: 15017 + name: tcp-webhook + protocol: TCP + {{- if and .Values.global.remotePilotAddress (not (regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress)) }} + # if the remotePilotAddress is not an IP addr, we use ExternalName + type: ExternalName + externalName: {{ .Values.global.remotePilotAddress }} + {{- end }} +{{- if .Values.global.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.global.ipFamilyPolicy }} +{{- end }} +{{- if .Values.global.ipFamilies }} + ipFamilies: +{{- range .Values.global.ipFamilies }} + - {{ . }} +{{- end }} +{{- end }} +--- +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/revision-tags.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/revision-tags.yaml new file mode 100644 index 0000000000..e45b5e1d49 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/revision-tags.yaml @@ -0,0 +1,148 @@ +# Adapted from istio-discovery/templates/mutatingwebhook.yaml +# Removed paths for legacy and default selectors since a revision tag +# is inherently created from a specific revision +# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that. +{{- $whv := dict + "revision" .Values.revision + "injectionPath" .Values.istiodRemote.injectionPath + "injectionURL" .Values.istiodRemote.injectionURL + "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy + "namespace" .Release.Namespace }} +{{- define "core" }} +{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign +a unique prefix to each. */}} +- name: {{.Prefix}}sidecar-injector.istio.io + clientConfig: + {{- if .injectionURL }} + url: "{{ .injectionURL }}" + {{- else }} + service: + name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} + namespace: {{ .namespace }} + path: "{{ .injectionPath }}" + port: 443 + {{- end }} + sideEffects: None + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + reinvocationPolicy: "{{ .reinvocationPolicy }}" + admissionReviewVersions: ["v1"] +{{- end }} +{{- range $tagName := $.Values.revisionTags }} +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: +{{- if eq $.Release.Namespace "istio-system"}} + name: istio-revision-tag-{{ $tagName }} +{{- else }} + name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }} +{{- end }} + labels: + istio.io/tag: {{ $tagName }} + istio.io/rev: {{ $.Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app: sidecar-injector + release: {{ $.Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" $ | nindent 4 }} +{{- if $.Values.sidecarInjectorWebhookAnnotations }} + annotations: +{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }} +{{- end }} +webhooks: +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + - "{{ $tagName }}" + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: DoesNotExist + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + - key: istio.io/rev + operator: In + values: + - "{{ $tagName }}" + +{{- /* When the tag is "default" we want to create webhooks for the default revision */}} +{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}} +{{- if (eq $tagName "default") }} + +{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: In + values: + - enabled + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + +{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: In + values: + - "true" + - key: istio.io/rev + operator: DoesNotExist + +{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }} +{{- /* Special case 3: no labels at all */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + - key: "kubernetes.io/metadata.name" + operator: "NotIn" + values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist +{{- end }} + +{{- end }} +--- +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/role.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/role.yaml new file mode 100644 index 0000000000..10d89e8d1b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/role.yaml @@ -0,0 +1,35 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +rules: +# permissions to verify the webhook is ready and rejecting +# invalid config. We use --server-dry-run so no config is persisted. +- apiGroups: ["networking.istio.io"] + verbs: ["create"] + resources: ["gateways"] + +# For storing CA secret +- apiGroups: [""] + resources: ["secrets"] + # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config + verbs: ["create", "get", "watch", "list", "update", "delete"] + +# For status controller, so it can delete the distribution report configmap +- apiGroups: [""] + resources: ["configmaps"] + verbs: ["delete"] + +# For gateway deployment controller +- apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "update", "patch", "create"] +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/rolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/rolebinding.yaml new file mode 100644 index 0000000000..a42f4ec442 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/rolebinding.yaml @@ -0,0 +1,21 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} +subjects: + - kind: ServiceAccount + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/service.yaml new file mode 100644 index 0000000000..30d5b89128 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/service.yaml @@ -0,0 +1,54 @@ +# Not created if istiod is running remotely +{{- if not .Values.istiodRemote.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + {{- if .Values.serviceAnnotations }} + annotations: +{{ toYaml .Values.serviceAnnotations | indent 4 }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app: istiod + istio: pilot + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +spec: + ports: + - port: 15010 + name: grpc-xds # plaintext + protocol: TCP + - port: 15012 + name: https-dns # mTLS with k8s-signed cert + protocol: TCP + - port: 443 + name: https-webhook # validation and injection + targetPort: 15017 + protocol: TCP + - port: 15014 + name: http-monitoring # prometheus stats + protocol: TCP + selector: + app: istiod + {{- if ne .Values.revision "" }} + istio.io/rev: {{ .Values.revision | quote }} + {{- else }} + # Label used by the 'default' service. For versioned deployments we match with app and version. + # This avoids default deployment picking the canary + istio: pilot + {{- end }} + {{- if .Values.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.ipFamilyPolicy }} + {{- end }} + {{- if .Values.ipFamilies }} + ipFamilies: + {{- range .Values.ipFamilies }} + - {{ . }} + {{- end }} + {{- end }} +--- +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/serviceaccount.yaml new file mode 100644 index 0000000000..a673a4d078 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/serviceaccount.yaml @@ -0,0 +1,24 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} +apiVersion: v1 +kind: ServiceAccount + {{- if .Values.global.imagePullSecrets }} +imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} + {{- if .Values.serviceAccountAnnotations }} + annotations: +{{- toYaml .Values.serviceAccountAnnotations | nindent 4 }} + {{- end }} +{{- end }} +--- diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/validatingadmissionpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/validatingadmissionpolicy.yaml new file mode 100644 index 0000000000..d36eef68eb --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/validatingadmissionpolicy.yaml @@ -0,0 +1,63 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} +{{- if .Values.experimental.stableValidationPolicy }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicy +metadata: + name: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" + labels: + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +spec: + failurePolicy: Fail + matchConstraints: + resourceRules: + - apiGroups: + - security.istio.io + - networking.istio.io + - telemetry.istio.io + - extensions.istio.io + apiVersions: ["*"] + operations: ["CREATE", "UPDATE"] + resources: ["*"] + objectSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + {{- if (eq .Values.revision "") }} + - "default" + {{- else }} + - "{{ .Values.revision }}" + {{- end }} + variables: + - name: isEnvoyFilter + expression: "object.kind == 'EnvoyFilter'" + - name: isWasmPlugin + expression: "object.kind == 'WasmPlugin'" + - name: isProxyConfig + expression: "object.kind == 'ProxyConfig'" + - name: isTelemetry + expression: "object.kind == 'Telemetry'" + validations: + - expression: "!variables.isEnvoyFilter" + - expression: "!variables.isWasmPlugin" + - expression: "!variables.isProxyConfig" + - expression: | + !( + variables.isTelemetry && ( + (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) || + (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) || + (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter)) + ) + ) +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicyBinding +metadata: + name: "stable-channel-policy-binding{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" +spec: + policyName: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" + validationActions: [Deny] +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/validatingwebhookconfiguration.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/validatingwebhookconfiguration.yaml new file mode 100644 index 0000000000..fb28836a0f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/validatingwebhookconfiguration.yaml @@ -0,0 +1,68 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} +{{- if .Values.global.configValidation }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: istio-validator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} + istio: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +webhooks: + # Webhook handling per-revision validation. Mostly here so we can determine whether webhooks + # are rejecting invalid configs on a per-revision basis. + - name: rev.validation.istio.io + clientConfig: + # Should change from base but cannot for API compat + {{- if .Values.base.validationURL }} + url: {{ .Values.base.validationURL }} + {{- else }} + service: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} + path: "/validate" + {{- end }} + {{- if .Values.base.validationCABundle }} + caBundle: "{{ .Values.base.validationCABundle }}" + {{- end }} + rules: + - operations: + - CREATE + - UPDATE + apiGroups: + - security.istio.io + - networking.istio.io + - telemetry.istio.io + - extensions.istio.io + apiVersions: + - "*" + resources: + - "*" + {{- if .Values.base.validationCABundle }} + # Disable webhook controller in Pilot to stop patching it + failurePolicy: Fail + {{- else }} + # Fail open until the validation webhook is ready. The webhook controller + # will update this to `Fail` and patch in the `caBundle` when the webhook + # endpoint is ready. + failurePolicy: Ignore + {{- end }} + sideEffects: None + admissionReviewVersions: ["v1"] + objectSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + {{- if (eq .Values.revision "") }} + - "default" + {{- else }} + - "{{ .Values.revision }}" + {{- end }} +--- +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/zzy_descope_legacy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/zzy_descope_legacy.yaml new file mode 100644 index 0000000000..ae8fced298 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/zzy_descope_legacy.yaml @@ -0,0 +1,3 @@ +{{/* Copy anything under `.pilot` to `.`, to avoid the need to specify a redundant prefix. +Due to the file naming, this always happens after zzz_profile.yaml */}} +{{- $_ := mustMergeOverwrite $.Values (index $.Values "pilot") }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/zzz_profile.yaml new file mode 100644 index 0000000000..3d84956485 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/templates/zzz_profile.yaml @@ -0,0 +1,75 @@ +{{/* +WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. +The original version of this file is located at /manifests directory. +If you want to make a change in this file, edit the original one and run "make gen". + +Complex logic ahead... +We have three sets of values, in order of precedence (last wins): +1. The builtin values.yaml defaults +2. The profile the user selects +3. Users input (-f or --set) + +Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). + +However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). +We can then merge the profile onto the defaults, then the user settings onto that. +Finally, we can set all of that under .Values so the chart behaves without awareness. +*/}} +{{- if $.Values.defaults}} +{{ fail (cat + "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" + ($.Values.defaults | toYaml |nindent 4) +) }} +{{- end }} +{{- $defaults := $.Values._internal_defaults_do_not_set }} +{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} +{{- $profile := dict }} +{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} +{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} +{{- $profile = (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown profile" .) }} +{{- end }} +{{- end }} +{{- with .Values.compatibilityVersion }} +{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} +{{- end }} +{{- end }} +{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} +{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown platform" .) }} +{{- end }} +{{- end }} +{{- if $profile }} +{{- $a := mustMergeOverwrite $defaults $profile }} +{{- end }} +# Flatten globals, if defined on a per-chart basis +{{- if false }} +{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} +{{- end }} +{{- $x := set $.Values "_original" (deepCopy $.Values) }} +{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} + +{{/* +Labels that should be applied to ALL resources. +*/}} +{{- define "istio.labels" -}} +{{- if .Release.Service -}} +app.kubernetes.io/managed-by: {{ .Release.Service | quote }} +{{- end }} +{{- if .Release.Name }} +app.kubernetes.io/instance: {{ .Release.Name | quote }} +{{- end }} +app.kubernetes.io/part-of: "istio" +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +{{- if and .Chart.Name .Chart.Version }} +helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/values.yaml new file mode 100644 index 0000000000..7e2d3b7e37 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/istiod/values.yaml @@ -0,0 +1,567 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + autoscaleEnabled: true + autoscaleMin: 1 + autoscaleMax: 5 + autoscaleBehavior: {} + replicaCount: 1 + rollingMaxSurge: 100% + rollingMaxUnavailable: 25% + + hub: "" + tag: "" + variant: "" + + # Can be a full hub/image:tag + image: pilot + traceSampling: 1.0 + + # Resources for a small pilot install + resources: + requests: + cpu: 500m + memory: 2048Mi + + # Set to `type: RuntimeDefault` to use the default profile if available. + seccompProfile: {} + + # Whether to use an existing CNI installation + cni: + enabled: false + provider: default + + # Additional container arguments + extraContainerArgs: [] + + env: {} + + envVarFrom: [] + + # Settings related to the untaint controller + # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready + # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes + taint: + # Controls whether or not the untaint controller is active + enabled: false + # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod + namespace: "" + + affinity: {} + + tolerations: [] + + cpu: + targetAverageUtilization: 80 + memory: {} + # targetAverageUtilization: 80 + + # Additional volumeMounts to the istiod container + volumeMounts: [] + + # Additional volumes to the istiod pod + volumes: [] + + # Inject initContainers into the istiod pod + initContainers: [] + + nodeSelector: {} + podAnnotations: {} + serviceAnnotations: {} + serviceAccountAnnotations: {} + sidecarInjectorWebhookAnnotations: {} + + topologySpreadConstraints: [] + + # You can use jwksResolverExtraRootCA to provide a root certificate + # in PEM format. This will then be trusted by pilot when resolving + # JWKS URIs. + jwksResolverExtraRootCA: "" + + # The following is used to limit how long a sidecar can be connected + # to a pilot. It balances out load across pilot instances at the cost of + # increasing system churn. + keepaliveMaxServerConnectionAge: 30m + + # Additional labels to apply to the deployment. + deploymentLabels: {} + + ## Mesh config settings + + # Install the mesh config map, generated from values.yaml. + # If false, pilot wil use default values (by default) or user-supplied values. + configMap: true + + # Additional labels to apply on the pod level for monitoring and logging configuration. + podLabels: {} + + # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + ipFamilyPolicy: "" + ipFamilies: [] + + # Ambient mode only. + # Set this if you install ztunnel to a different namespace from `istiod`. + # If set, `istiod` will allow connections from trusted node proxy ztunnels + # in the provided namespace. + # If unset, `istiod` will assume the trusted node proxy ztunnel resides + # in the same namespace as itself. + trustedZtunnelNamespace: "" + # Set this if you install ztunnel with a name different from the default. + trustedZtunnelName: "" + + sidecarInjectorWebhook: + # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or + # always skip the injection on pods that match that label selector, regardless of the global policy. + # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions + neverInjectSelector: [] + alwaysInjectSelector: [] + + # injectedAnnotations are additional annotations that will be added to the pod spec after injection + # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations: + # + # annotations: + # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default + # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default + # + # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before + # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify: + # injectedAnnotations: + # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default + # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default + injectedAnnotations: {} + + # This enables injection of sidecar in all namespaces, + # with the exception of namespaces with "istio-injection:disabled" annotation + # Only one environment should have this enabled. + enableNamespacesByDefault: false + + # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run + # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten. + # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur. + reinvocationPolicy: Never + + rewriteAppHTTPProbe: true + + # Templates defines a set of custom injection templates that can be used. For example, defining: + # + # templates: + # hello: | + # metadata: + # labels: + # hello: world + # + # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod + # being injected with the hello=world labels. + # This is intended for advanced configuration only; most users should use the built in template + templates: {} + + # Default templates specifies a set of default templates that are used in sidecar injection. + # By default, a template `sidecar` is always provided, which contains the template of default sidecar. + # To inject other additional templates, define it using the `templates` option, and add it to + # the default templates list. + # For example: + # + # templates: + # hello: | + # metadata: + # labels: + # hello: world + # + # defaultTemplates: ["sidecar", "hello"] + defaultTemplates: [] + istiodRemote: + # If `true`, indicates that this cluster/install should consume a "remote istiod" installation, + # and istiod itself will NOT be installed in this cluster - only the support resources necessary + # to utilize a remote instance. + enabled: false + # Sidecar injector mutating webhook configuration clientConfig.url value. + # For example: https://$remotePilotAddress:15017/inject + # The host should not refer to a service running in the cluster; use a service reference by specifying + # the clientConfig.service field instead. + injectionURL: "" + + # Sidecar injector mutating webhook configuration path value for the clientConfig.service field. + # Override to pass env variables, for example: /inject/cluster/remote/net/network2 + injectionPath: "/inject" + + injectionCABundle: "" + telemetry: + enabled: true + v2: + # For Null VM case now. + # This also enables metadata exchange. + enabled: true + # Indicate if prometheus stats filter is enabled or not + prometheus: + enabled: true + # stackdriver filter settings. + stackdriver: + enabled: false + # Revision is set as 'version' label and part of the resource names when installing multiple control planes. + revision: "" + + # Revision tags are aliases to Istio control plane revisions + revisionTags: [] + + # For Helm compatibility. + ownerName: "" + + # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior + # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options + meshConfig: + enablePrometheusMerge: true + + experimental: + stableValidationPolicy: false + + global: + # Used to locate istiod. + istioNamespace: istio-system + # List of cert-signers to allow "approve" action in the istio cluster role + # + # certSigners: + # - clusterissuers.cert-manager.io/istio-ca + certSigners: [] + # enable pod disruption budget for the control plane, which is used to + # ensure Istio control plane components are gradually upgraded or recovered. + defaultPodDisruptionBudget: + enabled: true + # The values aren't mutable due to a current PodDisruptionBudget limitation + # minAvailable: 1 + + # A minimal set of requested resources to applied to all deployments so that + # Horizontal Pod Autoscaler will be able to function (if set). + # Each component can overwrite these default values by adding its own resources + # block in the relevant section below and setting the desired resources values. + defaultResources: + requests: + cpu: 10m + # memory: 128Mi + # limits: + # cpu: 100m + # memory: 128Mi + + # Default hub for Istio images. + # Releases are published to docker hub under 'istio' project. + # Dev builds from prow are on gcr.io + hub: gcr.io/istio-release + # Default tag for Istio images. + tag: 1.26.4 + # Variant of the image to use. + # Currently supported are: [debug, distroless] + variant: "" + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent. + imagePullPolicy: "" + + # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) + # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + # - private-registry-key + + # Enabled by default in master for maximising testing. + istiod: + enableAnalysis: false + + # To output all istio components logs in json format by adding --log_as_json argument to each container argument + logAsJson: false + + # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: + # The control plane has different scopes depending on component, but can configure default log level across all components + # If empty, default scope and level will be used as configured in code + logging: + level: "default:info" + + # When enabled, default NetworkPolicy resources will be created + networkPolicy: + enabled: false + + omitSidecarInjectorConfigMap: false + + # Configure whether Operator manages webhook configurations. The current behavior + # of Istiod is to manage its own webhook configurations. + # When this option is set as true, Istio Operator, instead of webhooks, manages the + # webhook configurations. When this option is set as false, webhooks manage their + # own webhook configurations. + operatorManageWebhooks: false + + # Custom DNS config for the pod to resolve names of services in other + # clusters. Use this to add additional search domains, and other settings. + # see + # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config + # This does not apply to gateway pods as they typically need a different + # set of DNS settings than the normal application pods (e.g., in + # multicluster scenarios). + # NOTE: If using templates, follow the pattern in the commented example below. + #podDNSSearchNamespaces: + #- global + #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global" + + # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and + # system-node-critical, it is better to configure this in order to make sure your Istio pods + # will not be killed because of low priority class. + # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + # for more detail. + priorityClassName: "" + + proxy: + image: proxyv2 + + # This controls the 'policy' in the sidecar injector. + autoInject: enabled + + # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value + # cluster domain. Default value is "cluster.local". + clusterDomain: "cluster.local" + + # Per Component log level for proxy, applies to gateways and sidecars. If a component level is + # not set, then the global "logLevel" will be used. + componentLogLevel: "misc:error" + + # istio ingress capture allowlist + # examples: + # Redirect only selected ports: --includeInboundPorts="80,8080" + excludeInboundPorts: "" + includeInboundPorts: "*" + + # istio egress capture allowlist + # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly + # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" + # would only capture egress traffic on those two IP Ranges, all other outbound traffic would + # be allowed by the sidecar + includeIPRanges: "*" + excludeIPRanges: "" + includeOutboundPorts: "" + excludeOutboundPorts: "" + + # Log level for proxy, applies to gateways and sidecars. + # Expected values are: trace|debug|info|warning|error|critical|off + logLevel: warning + + # Specify the path to the outlier event log. + # Example: /dev/stdout + outlierLogPath: "" + + #If set to true, istio-proxy container will have privileged securityContext + privileged: false + + # The number of successive failed probes before indicating readiness failure. + readinessFailureThreshold: 4 + + # The initial delay for readiness probes in seconds. + readinessInitialDelaySeconds: 0 + + # The period between readiness probes. + readinessPeriodSeconds: 15 + + # Enables or disables a startup probe. + # For optimal startup times, changing this should be tied to the readiness probe values. + # + # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4. + # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval), + # and doesn't spam the readiness endpoint too much + # + # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30. + # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly. + startupProbe: + enabled: true + failureThreshold: 600 # 10 minutes + + # Resources for the sidecar. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 1024Mi + + # Default port for Pilot agent health checks. A value of 0 will disable health checking. + statusPort: 15020 + + # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none. + # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. + tracer: "none" + + proxy_init: + # Base name for the proxy_init container, used to configure iptables. + image: proxyv2 + # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures. + # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases. + forceApplyIptables: false + + # configure remote pilot and istiod service and endpoint + remotePilotAddress: "" + + ############################################################################################## + # The following values are found in other charts. To effectively modify these values, make # + # make sure they are consistent across your Istio helm charts # + ############################################################################################## + + # The customized CA address to retrieve certificates for the pods in the cluster. + # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. + # If not set explicitly, default to the Istio discovery address. + caAddress: "" + + # Enable control of remote clusters. + externalIstiod: false + + # Configure a remote cluster as the config cluster for an external istiod. + configCluster: false + + # configValidation enables the validation webhook for Istio configuration. + configValidation: true + + # Mesh ID means Mesh Identifier. It should be unique within the scope where + # meshes will interact with each other, but it is not required to be + # globally/universally unique. For example, if any of the following are true, + # then two meshes must have different Mesh IDs: + # - Meshes will have their telemetry aggregated in one place + # - Meshes will be federated together + # - Policy will be written referencing one mesh from the other + # + # If an administrator expects that any of these conditions may become true in + # the future, they should ensure their meshes have different Mesh IDs + # assigned. + # + # Within a multicluster mesh, each cluster must be (manually or auto) + # configured to have the same Mesh ID value. If an existing cluster 'joins' a + # multicluster mesh, it will need to be migrated to the new mesh ID. Details + # of migration TBD, and it may be a disruptive operation to change the Mesh + # ID post-install. + # + # If the mesh admin does not specify a value, Istio will use the value of the + # mesh's Trust Domain. The best practice is to select a proper Trust Domain + # value. + meshID: "" + + # Configure the mesh networks to be used by the Split Horizon EDS. + # + # The following example defines two networks with different endpoints association methods. + # For `network1` all endpoints that their IP belongs to the provided CIDR range will be + # mapped to network1. The gateway for this network example is specified by its public IP + # address and port. + # The second network, `network2`, in this example is defined differently with all endpoints + # retrieved through the specified Multi-Cluster registry being mapped to network2. The + # gateway is also defined differently with the name of the gateway service on the remote + # cluster. The public IP for the gateway will be determined from that remote service (only + # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, + # it still need to be configured manually). + # + # meshNetworks: + # network1: + # endpoints: + # - fromCidr: "192.168.0.1/24" + # gateways: + # - address: 1.1.1.1 + # port: 80 + # network2: + # endpoints: + # - fromRegistry: reg1 + # gateways: + # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local + # port: 443 + # + meshNetworks: {} + + # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. + mountMtlsCerts: false + + multiCluster: + # Set to true to connect two kubernetes clusters via their respective + # ingressgateway services when pods in each cluster cannot directly + # talk to one another. All clusters should be using Istio mTLS and must + # have a shared root CA for this model to work. + enabled: false + # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection + # to properly label proxies + clusterName: "" + + # Network defines the network this cluster belong to. This name + # corresponds to the networks in the map of mesh networks. + network: "" + + # Configure the certificate provider for control plane communication. + # Currently, two providers are supported: "kubernetes" and "istiod". + # As some platforms may not have kubernetes signing APIs, + # Istiod is the default + pilotCertProvider: istiod + + sds: + # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. + # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the + # JWT is intended for the CA. + token: + aud: istio-ca + + sts: + # The service port used by Security Token Service (STS) server to handle token exchange requests. + # Setting this port to a non-zero value enables STS server. + servicePort: 0 + + # The name of the CA for workload certificates. + # For example, when caName=GkeWorkloadCertificate, GKE workload certificates + # will be used as the certificates for workloads. + # The default value is "" and when caName="", the CA will be configured by other + # mechanisms (e.g., environmental variable CA_PROVIDER). + caName: "" + + waypoint: + # Resources for the waypoint proxy. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: "2" + memory: 1Gi + + # If specified, affinity defines the scheduling constraints of waypoint pods. + affinity: {} + + # Topology Spread Constraints for the waypoint proxy. + topologySpreadConstraints: [] + + # Node labels for the waypoint proxy. + nodeSelector: {} + + # Tolerations for the waypoint proxy. + tolerations: [] + + base: + # For istioctl usage to disable istio config crds in base + enableIstioConfigCRDs: true + + # Gateway Settings + gateways: + # Define the security context for the pod. + # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. + # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. + securityContext: {} + + # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it + seccompProfile: {} + + # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass. + # For example: + # gatewayClasses: + # istio: + # service: + # spec: + # type: ClusterIP + # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field. + gatewayClasses: {} + + pdb: + # -- Minimum available pods set in PodDisruptionBudget. + # Define either 'minAvailable' or 'maxUnavailable', never both. + minAvailable: 1 + # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored. + # maxUnavailable: 1 + # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget. + # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/ + unhealthyPodEvictionPolicy: "" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/Chart.yaml new file mode 100644 index 0000000000..1b770dc9fb --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/Chart.yaml @@ -0,0 +1,8 @@ +apiVersion: v2 +appVersion: 1.26.4 +description: Helm chart for istio revision tags +name: revisiontags +sources: +- https://github.com/istio-ecosystem/sail-operator +version: 0.1.0 + diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/files/profile-ambient.yaml new file mode 100644 index 0000000000..2805fe46bf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/files/profile-ambient.yaml @@ -0,0 +1,17 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/files/profile-compatibility-version-1.23.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/files/profile-compatibility-version-1.23.yaml new file mode 100644 index 0000000000..dac910ff5b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/files/profile-compatibility-version-1.23.yaml @@ -0,0 +1,25 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + ENABLE_INBOUND_RETRY_POLICY: "false" + EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" + +ambient: + # Not present in <1.24, defaults to `true` in 1.25+ + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 0000000000..b211c82666 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/files/profile-compatibility-version-1.24.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + PILOT_ENABLE_IP_AUTOALLOCATE: "false" +ambient: + dnsCapture: false + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..eb8827cd50 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/files/profile-demo.yaml new file mode 100644 index 0000000000..d6dc36dd0f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/files/profile-demo.yaml @@ -0,0 +1,94 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The demo profile enables a variety of things to try out Istio in non-production environments. +# * Lower resource utilization. +# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. +# * More ports enabled on the ingress, which is used in some tasks. +meshConfig: + accessLogFile: /dev/stdout + extensionProviders: + - name: otel + envoyOtelAls: + service: opentelemetry-collector.observability.svc.cluster.local + port: 4317 + - name: skywalking + skywalking: + service: tracing.istio-system.svc.cluster.local + port: 11800 + - name: otel-tracing + opentelemetry: + port: 4317 + service: opentelemetry-collector.observability.svc.cluster.local + - name: jaeger + opentelemetry: + port: 4317 + service: jaeger-collector.istio-system.svc.cluster.local + +cni: + resources: + requests: + cpu: 10m + memory: 40Mi + +ztunnel: + resources: + requests: + cpu: 10m + memory: 40Mi + +global: + proxy: + resources: + requests: + cpu: 10m + memory: 40Mi + waypoint: + resources: + requests: + cpu: 10m + memory: 40Mi + +pilot: + autoscaleEnabled: false + traceSampling: 100 + resources: + requests: + cpu: 10m + memory: 100Mi + +gateways: + istio-egressgateway: + autoscaleEnabled: false + resources: + requests: + cpu: 10m + memory: 40Mi + istio-ingressgateway: + autoscaleEnabled: false + ports: + ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. + # Note that AWS ELB will by default perform health checks on the first port + # on this list. Setting this to the health check port will ensure that health + # checks always work. https://github.com/istio/istio/issues/12503 + - port: 15021 + targetPort: 15021 + name: status-port + - port: 80 + targetPort: 8080 + name: http2 + - port: 443 + targetPort: 8443 + name: https + - port: 31400 + targetPort: 31400 + name: tcp + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + resources: + requests: + cpu: 10m + memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/files/profile-platform-gke.yaml new file mode 100644 index 0000000000..dfe8a7d741 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/files/profile-platform-gke.yaml @@ -0,0 +1,10 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work + resourceQuotas: + enabled: true +resourceQuotas: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/files/profile-platform-k3d.yaml new file mode 100644 index 0000000000..cd86d9ec58 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/files/profile-platform-k3d.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/files/profile-platform-k3s.yaml new file mode 100644 index 0000000000..07820106d9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/files/profile-platform-k3s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/files/profile-platform-microk8s.yaml new file mode 100644 index 0000000000..57d7f5e3cd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/files/profile-platform-microk8s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/snap/microk8s/current/args/cni-network + cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/files/profile-platform-minikube.yaml new file mode 100644 index 0000000000..fa9992e204 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/files/profile-platform-minikube.yaml @@ -0,0 +1,6 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/files/profile-platform-openshift.yaml new file mode 100644 index 0000000000..8ddc5e1654 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/files/profile-platform-openshift.yaml @@ -0,0 +1,19 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The OpenShift profile provides a basic set of settings to run Istio on OpenShift +cni: + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + provider: "multus" +pilot: + cni: + enabled: true + provider: "multus" +seLinuxOptions: + type: spc_t +# Openshift requires privileged pods to run in kube-system +trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/files/profile-preview.yaml new file mode 100644 index 0000000000..181d7bda2c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/files/profile-preview.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +meshConfig: + defaultConfig: + proxyMetadata: + # Enable Istio agent to handle DNS requests for known hosts + # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf + ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/files/profile-remote.yaml new file mode 100644 index 0000000000..d17b9a801a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/files/profile-remote.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. +istiodRemote: + enabled: true +configMap: false +telemetry: + enabled: false +global: + # TODO BML maybe a different profile for a configcluster/revisit this + omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/files/profile-stable.yaml new file mode 100644 index 0000000000..358282e69b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/files/profile-stable.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The stable profile deploys admission control to ensure that only stable resources and fields are used +# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE +experimental: + stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/templates/revision-tags.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/templates/revision-tags.yaml new file mode 100644 index 0000000000..e45b5e1d49 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/templates/revision-tags.yaml @@ -0,0 +1,148 @@ +# Adapted from istio-discovery/templates/mutatingwebhook.yaml +# Removed paths for legacy and default selectors since a revision tag +# is inherently created from a specific revision +# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that. +{{- $whv := dict + "revision" .Values.revision + "injectionPath" .Values.istiodRemote.injectionPath + "injectionURL" .Values.istiodRemote.injectionURL + "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy + "namespace" .Release.Namespace }} +{{- define "core" }} +{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign +a unique prefix to each. */}} +- name: {{.Prefix}}sidecar-injector.istio.io + clientConfig: + {{- if .injectionURL }} + url: "{{ .injectionURL }}" + {{- else }} + service: + name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} + namespace: {{ .namespace }} + path: "{{ .injectionPath }}" + port: 443 + {{- end }} + sideEffects: None + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + reinvocationPolicy: "{{ .reinvocationPolicy }}" + admissionReviewVersions: ["v1"] +{{- end }} +{{- range $tagName := $.Values.revisionTags }} +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: +{{- if eq $.Release.Namespace "istio-system"}} + name: istio-revision-tag-{{ $tagName }} +{{- else }} + name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }} +{{- end }} + labels: + istio.io/tag: {{ $tagName }} + istio.io/rev: {{ $.Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app: sidecar-injector + release: {{ $.Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" $ | nindent 4 }} +{{- if $.Values.sidecarInjectorWebhookAnnotations }} + annotations: +{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }} +{{- end }} +webhooks: +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + - "{{ $tagName }}" + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: DoesNotExist + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + - key: istio.io/rev + operator: In + values: + - "{{ $tagName }}" + +{{- /* When the tag is "default" we want to create webhooks for the default revision */}} +{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}} +{{- if (eq $tagName "default") }} + +{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: In + values: + - enabled + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + +{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: In + values: + - "true" + - key: istio.io/rev + operator: DoesNotExist + +{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }} +{{- /* Special case 3: no labels at all */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + - key: "kubernetes.io/metadata.name" + operator: "NotIn" + values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist +{{- end }} + +{{- end }} +--- +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/templates/zzz_profile.yaml new file mode 100644 index 0000000000..3d84956485 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/templates/zzz_profile.yaml @@ -0,0 +1,75 @@ +{{/* +WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. +The original version of this file is located at /manifests directory. +If you want to make a change in this file, edit the original one and run "make gen". + +Complex logic ahead... +We have three sets of values, in order of precedence (last wins): +1. The builtin values.yaml defaults +2. The profile the user selects +3. Users input (-f or --set) + +Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). + +However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). +We can then merge the profile onto the defaults, then the user settings onto that. +Finally, we can set all of that under .Values so the chart behaves without awareness. +*/}} +{{- if $.Values.defaults}} +{{ fail (cat + "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" + ($.Values.defaults | toYaml |nindent 4) +) }} +{{- end }} +{{- $defaults := $.Values._internal_defaults_do_not_set }} +{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} +{{- $profile := dict }} +{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} +{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} +{{- $profile = (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown profile" .) }} +{{- end }} +{{- end }} +{{- with .Values.compatibilityVersion }} +{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} +{{- end }} +{{- end }} +{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} +{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown platform" .) }} +{{- end }} +{{- end }} +{{- if $profile }} +{{- $a := mustMergeOverwrite $defaults $profile }} +{{- end }} +# Flatten globals, if defined on a per-chart basis +{{- if false }} +{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} +{{- end }} +{{- $x := set $.Values "_original" (deepCopy $.Values) }} +{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} + +{{/* +Labels that should be applied to ALL resources. +*/}} +{{- define "istio.labels" -}} +{{- if .Release.Service -}} +app.kubernetes.io/managed-by: {{ .Release.Service | quote }} +{{- end }} +{{- if .Release.Name }} +app.kubernetes.io/instance: {{ .Release.Name | quote }} +{{- end }} +app.kubernetes.io/part-of: "istio" +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +{{- if and .Chart.Name .Chart.Version }} +helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/values.yaml new file mode 100644 index 0000000000..7e2d3b7e37 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/revisiontags/values.yaml @@ -0,0 +1,567 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + autoscaleEnabled: true + autoscaleMin: 1 + autoscaleMax: 5 + autoscaleBehavior: {} + replicaCount: 1 + rollingMaxSurge: 100% + rollingMaxUnavailable: 25% + + hub: "" + tag: "" + variant: "" + + # Can be a full hub/image:tag + image: pilot + traceSampling: 1.0 + + # Resources for a small pilot install + resources: + requests: + cpu: 500m + memory: 2048Mi + + # Set to `type: RuntimeDefault` to use the default profile if available. + seccompProfile: {} + + # Whether to use an existing CNI installation + cni: + enabled: false + provider: default + + # Additional container arguments + extraContainerArgs: [] + + env: {} + + envVarFrom: [] + + # Settings related to the untaint controller + # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready + # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes + taint: + # Controls whether or not the untaint controller is active + enabled: false + # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod + namespace: "" + + affinity: {} + + tolerations: [] + + cpu: + targetAverageUtilization: 80 + memory: {} + # targetAverageUtilization: 80 + + # Additional volumeMounts to the istiod container + volumeMounts: [] + + # Additional volumes to the istiod pod + volumes: [] + + # Inject initContainers into the istiod pod + initContainers: [] + + nodeSelector: {} + podAnnotations: {} + serviceAnnotations: {} + serviceAccountAnnotations: {} + sidecarInjectorWebhookAnnotations: {} + + topologySpreadConstraints: [] + + # You can use jwksResolverExtraRootCA to provide a root certificate + # in PEM format. This will then be trusted by pilot when resolving + # JWKS URIs. + jwksResolverExtraRootCA: "" + + # The following is used to limit how long a sidecar can be connected + # to a pilot. It balances out load across pilot instances at the cost of + # increasing system churn. + keepaliveMaxServerConnectionAge: 30m + + # Additional labels to apply to the deployment. + deploymentLabels: {} + + ## Mesh config settings + + # Install the mesh config map, generated from values.yaml. + # If false, pilot wil use default values (by default) or user-supplied values. + configMap: true + + # Additional labels to apply on the pod level for monitoring and logging configuration. + podLabels: {} + + # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + ipFamilyPolicy: "" + ipFamilies: [] + + # Ambient mode only. + # Set this if you install ztunnel to a different namespace from `istiod`. + # If set, `istiod` will allow connections from trusted node proxy ztunnels + # in the provided namespace. + # If unset, `istiod` will assume the trusted node proxy ztunnel resides + # in the same namespace as itself. + trustedZtunnelNamespace: "" + # Set this if you install ztunnel with a name different from the default. + trustedZtunnelName: "" + + sidecarInjectorWebhook: + # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or + # always skip the injection on pods that match that label selector, regardless of the global policy. + # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions + neverInjectSelector: [] + alwaysInjectSelector: [] + + # injectedAnnotations are additional annotations that will be added to the pod spec after injection + # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations: + # + # annotations: + # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default + # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default + # + # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before + # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify: + # injectedAnnotations: + # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default + # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default + injectedAnnotations: {} + + # This enables injection of sidecar in all namespaces, + # with the exception of namespaces with "istio-injection:disabled" annotation + # Only one environment should have this enabled. + enableNamespacesByDefault: false + + # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run + # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten. + # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur. + reinvocationPolicy: Never + + rewriteAppHTTPProbe: true + + # Templates defines a set of custom injection templates that can be used. For example, defining: + # + # templates: + # hello: | + # metadata: + # labels: + # hello: world + # + # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod + # being injected with the hello=world labels. + # This is intended for advanced configuration only; most users should use the built in template + templates: {} + + # Default templates specifies a set of default templates that are used in sidecar injection. + # By default, a template `sidecar` is always provided, which contains the template of default sidecar. + # To inject other additional templates, define it using the `templates` option, and add it to + # the default templates list. + # For example: + # + # templates: + # hello: | + # metadata: + # labels: + # hello: world + # + # defaultTemplates: ["sidecar", "hello"] + defaultTemplates: [] + istiodRemote: + # If `true`, indicates that this cluster/install should consume a "remote istiod" installation, + # and istiod itself will NOT be installed in this cluster - only the support resources necessary + # to utilize a remote instance. + enabled: false + # Sidecar injector mutating webhook configuration clientConfig.url value. + # For example: https://$remotePilotAddress:15017/inject + # The host should not refer to a service running in the cluster; use a service reference by specifying + # the clientConfig.service field instead. + injectionURL: "" + + # Sidecar injector mutating webhook configuration path value for the clientConfig.service field. + # Override to pass env variables, for example: /inject/cluster/remote/net/network2 + injectionPath: "/inject" + + injectionCABundle: "" + telemetry: + enabled: true + v2: + # For Null VM case now. + # This also enables metadata exchange. + enabled: true + # Indicate if prometheus stats filter is enabled or not + prometheus: + enabled: true + # stackdriver filter settings. + stackdriver: + enabled: false + # Revision is set as 'version' label and part of the resource names when installing multiple control planes. + revision: "" + + # Revision tags are aliases to Istio control plane revisions + revisionTags: [] + + # For Helm compatibility. + ownerName: "" + + # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior + # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options + meshConfig: + enablePrometheusMerge: true + + experimental: + stableValidationPolicy: false + + global: + # Used to locate istiod. + istioNamespace: istio-system + # List of cert-signers to allow "approve" action in the istio cluster role + # + # certSigners: + # - clusterissuers.cert-manager.io/istio-ca + certSigners: [] + # enable pod disruption budget for the control plane, which is used to + # ensure Istio control plane components are gradually upgraded or recovered. + defaultPodDisruptionBudget: + enabled: true + # The values aren't mutable due to a current PodDisruptionBudget limitation + # minAvailable: 1 + + # A minimal set of requested resources to applied to all deployments so that + # Horizontal Pod Autoscaler will be able to function (if set). + # Each component can overwrite these default values by adding its own resources + # block in the relevant section below and setting the desired resources values. + defaultResources: + requests: + cpu: 10m + # memory: 128Mi + # limits: + # cpu: 100m + # memory: 128Mi + + # Default hub for Istio images. + # Releases are published to docker hub under 'istio' project. + # Dev builds from prow are on gcr.io + hub: gcr.io/istio-release + # Default tag for Istio images. + tag: 1.26.4 + # Variant of the image to use. + # Currently supported are: [debug, distroless] + variant: "" + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent. + imagePullPolicy: "" + + # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) + # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + # - private-registry-key + + # Enabled by default in master for maximising testing. + istiod: + enableAnalysis: false + + # To output all istio components logs in json format by adding --log_as_json argument to each container argument + logAsJson: false + + # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: + # The control plane has different scopes depending on component, but can configure default log level across all components + # If empty, default scope and level will be used as configured in code + logging: + level: "default:info" + + # When enabled, default NetworkPolicy resources will be created + networkPolicy: + enabled: false + + omitSidecarInjectorConfigMap: false + + # Configure whether Operator manages webhook configurations. The current behavior + # of Istiod is to manage its own webhook configurations. + # When this option is set as true, Istio Operator, instead of webhooks, manages the + # webhook configurations. When this option is set as false, webhooks manage their + # own webhook configurations. + operatorManageWebhooks: false + + # Custom DNS config for the pod to resolve names of services in other + # clusters. Use this to add additional search domains, and other settings. + # see + # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config + # This does not apply to gateway pods as they typically need a different + # set of DNS settings than the normal application pods (e.g., in + # multicluster scenarios). + # NOTE: If using templates, follow the pattern in the commented example below. + #podDNSSearchNamespaces: + #- global + #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global" + + # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and + # system-node-critical, it is better to configure this in order to make sure your Istio pods + # will not be killed because of low priority class. + # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + # for more detail. + priorityClassName: "" + + proxy: + image: proxyv2 + + # This controls the 'policy' in the sidecar injector. + autoInject: enabled + + # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value + # cluster domain. Default value is "cluster.local". + clusterDomain: "cluster.local" + + # Per Component log level for proxy, applies to gateways and sidecars. If a component level is + # not set, then the global "logLevel" will be used. + componentLogLevel: "misc:error" + + # istio ingress capture allowlist + # examples: + # Redirect only selected ports: --includeInboundPorts="80,8080" + excludeInboundPorts: "" + includeInboundPorts: "*" + + # istio egress capture allowlist + # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly + # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" + # would only capture egress traffic on those two IP Ranges, all other outbound traffic would + # be allowed by the sidecar + includeIPRanges: "*" + excludeIPRanges: "" + includeOutboundPorts: "" + excludeOutboundPorts: "" + + # Log level for proxy, applies to gateways and sidecars. + # Expected values are: trace|debug|info|warning|error|critical|off + logLevel: warning + + # Specify the path to the outlier event log. + # Example: /dev/stdout + outlierLogPath: "" + + #If set to true, istio-proxy container will have privileged securityContext + privileged: false + + # The number of successive failed probes before indicating readiness failure. + readinessFailureThreshold: 4 + + # The initial delay for readiness probes in seconds. + readinessInitialDelaySeconds: 0 + + # The period between readiness probes. + readinessPeriodSeconds: 15 + + # Enables or disables a startup probe. + # For optimal startup times, changing this should be tied to the readiness probe values. + # + # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4. + # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval), + # and doesn't spam the readiness endpoint too much + # + # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30. + # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly. + startupProbe: + enabled: true + failureThreshold: 600 # 10 minutes + + # Resources for the sidecar. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 1024Mi + + # Default port for Pilot agent health checks. A value of 0 will disable health checking. + statusPort: 15020 + + # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none. + # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. + tracer: "none" + + proxy_init: + # Base name for the proxy_init container, used to configure iptables. + image: proxyv2 + # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures. + # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases. + forceApplyIptables: false + + # configure remote pilot and istiod service and endpoint + remotePilotAddress: "" + + ############################################################################################## + # The following values are found in other charts. To effectively modify these values, make # + # make sure they are consistent across your Istio helm charts # + ############################################################################################## + + # The customized CA address to retrieve certificates for the pods in the cluster. + # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. + # If not set explicitly, default to the Istio discovery address. + caAddress: "" + + # Enable control of remote clusters. + externalIstiod: false + + # Configure a remote cluster as the config cluster for an external istiod. + configCluster: false + + # configValidation enables the validation webhook for Istio configuration. + configValidation: true + + # Mesh ID means Mesh Identifier. It should be unique within the scope where + # meshes will interact with each other, but it is not required to be + # globally/universally unique. For example, if any of the following are true, + # then two meshes must have different Mesh IDs: + # - Meshes will have their telemetry aggregated in one place + # - Meshes will be federated together + # - Policy will be written referencing one mesh from the other + # + # If an administrator expects that any of these conditions may become true in + # the future, they should ensure their meshes have different Mesh IDs + # assigned. + # + # Within a multicluster mesh, each cluster must be (manually or auto) + # configured to have the same Mesh ID value. If an existing cluster 'joins' a + # multicluster mesh, it will need to be migrated to the new mesh ID. Details + # of migration TBD, and it may be a disruptive operation to change the Mesh + # ID post-install. + # + # If the mesh admin does not specify a value, Istio will use the value of the + # mesh's Trust Domain. The best practice is to select a proper Trust Domain + # value. + meshID: "" + + # Configure the mesh networks to be used by the Split Horizon EDS. + # + # The following example defines two networks with different endpoints association methods. + # For `network1` all endpoints that their IP belongs to the provided CIDR range will be + # mapped to network1. The gateway for this network example is specified by its public IP + # address and port. + # The second network, `network2`, in this example is defined differently with all endpoints + # retrieved through the specified Multi-Cluster registry being mapped to network2. The + # gateway is also defined differently with the name of the gateway service on the remote + # cluster. The public IP for the gateway will be determined from that remote service (only + # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, + # it still need to be configured manually). + # + # meshNetworks: + # network1: + # endpoints: + # - fromCidr: "192.168.0.1/24" + # gateways: + # - address: 1.1.1.1 + # port: 80 + # network2: + # endpoints: + # - fromRegistry: reg1 + # gateways: + # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local + # port: 443 + # + meshNetworks: {} + + # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. + mountMtlsCerts: false + + multiCluster: + # Set to true to connect two kubernetes clusters via their respective + # ingressgateway services when pods in each cluster cannot directly + # talk to one another. All clusters should be using Istio mTLS and must + # have a shared root CA for this model to work. + enabled: false + # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection + # to properly label proxies + clusterName: "" + + # Network defines the network this cluster belong to. This name + # corresponds to the networks in the map of mesh networks. + network: "" + + # Configure the certificate provider for control plane communication. + # Currently, two providers are supported: "kubernetes" and "istiod". + # As some platforms may not have kubernetes signing APIs, + # Istiod is the default + pilotCertProvider: istiod + + sds: + # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. + # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the + # JWT is intended for the CA. + token: + aud: istio-ca + + sts: + # The service port used by Security Token Service (STS) server to handle token exchange requests. + # Setting this port to a non-zero value enables STS server. + servicePort: 0 + + # The name of the CA for workload certificates. + # For example, when caName=GkeWorkloadCertificate, GKE workload certificates + # will be used as the certificates for workloads. + # The default value is "" and when caName="", the CA will be configured by other + # mechanisms (e.g., environmental variable CA_PROVIDER). + caName: "" + + waypoint: + # Resources for the waypoint proxy. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: "2" + memory: 1Gi + + # If specified, affinity defines the scheduling constraints of waypoint pods. + affinity: {} + + # Topology Spread Constraints for the waypoint proxy. + topologySpreadConstraints: [] + + # Node labels for the waypoint proxy. + nodeSelector: {} + + # Tolerations for the waypoint proxy. + tolerations: [] + + base: + # For istioctl usage to disable istio config crds in base + enableIstioConfigCRDs: true + + # Gateway Settings + gateways: + # Define the security context for the pod. + # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. + # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. + securityContext: {} + + # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it + seccompProfile: {} + + # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass. + # For example: + # gatewayClasses: + # istio: + # service: + # spec: + # type: ClusterIP + # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field. + gatewayClasses: {} + + pdb: + # -- Minimum available pods set in PodDisruptionBudget. + # Define either 'minAvailable' or 'maxUnavailable', never both. + minAvailable: 1 + # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored. + # maxUnavailable: 1 + # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget. + # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/ + unhealthyPodEvictionPolicy: "" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/Chart.yaml new file mode 100644 index 0000000000..b8f225ccff --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +appVersion: 1.26.4 +description: Helm chart for istio ztunnel components +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio-ztunnel +- istio +name: ztunnel +sources: +- https://github.com/istio/istio +version: 1.26.4 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/README.md new file mode 100644 index 0000000000..ffe0b94fe8 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/README.md @@ -0,0 +1,50 @@ +# Istio Ztunnel Helm Chart + +This chart installs an Istio ztunnel. + +## Setup Repo Info + +```console +helm repo add istio https://istio-release.storage.googleapis.com/charts +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Installing the Chart + +To install the chart: + +```console +helm install ztunnel istio/ztunnel +``` + +## Uninstalling the Chart + +To uninstall/delete the chart: + +```console +helm delete ztunnel +``` + +## Configuration + +To view support configuration options and documentation, run: + +```console +helm show values istio/ztunnel +``` + +### Profiles + +Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. +These can be set with `--set profile=`. +For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. + +For consistency, the same profiles are used across each chart, even if they do not impact a given chart. + +Explicitly set values have highest priority, then profile settings, then chart defaults. + +As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. +When configuring the chart, you should not include this. +That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/files/profile-ambient.yaml new file mode 100644 index 0000000000..2805fe46bf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/files/profile-ambient.yaml @@ -0,0 +1,17 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/files/profile-compatibility-version-1.23.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/files/profile-compatibility-version-1.23.yaml new file mode 100644 index 0000000000..dac910ff5b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/files/profile-compatibility-version-1.23.yaml @@ -0,0 +1,25 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + ENABLE_INBOUND_RETRY_POLICY: "false" + EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" + +ambient: + # Not present in <1.24, defaults to `true` in 1.25+ + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 0000000000..b211c82666 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/files/profile-compatibility-version-1.24.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + PILOT_ENABLE_IP_AUTOALLOCATE: "false" +ambient: + dnsCapture: false + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..eb8827cd50 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/files/profile-demo.yaml new file mode 100644 index 0000000000..d6dc36dd0f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/files/profile-demo.yaml @@ -0,0 +1,94 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The demo profile enables a variety of things to try out Istio in non-production environments. +# * Lower resource utilization. +# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. +# * More ports enabled on the ingress, which is used in some tasks. +meshConfig: + accessLogFile: /dev/stdout + extensionProviders: + - name: otel + envoyOtelAls: + service: opentelemetry-collector.observability.svc.cluster.local + port: 4317 + - name: skywalking + skywalking: + service: tracing.istio-system.svc.cluster.local + port: 11800 + - name: otel-tracing + opentelemetry: + port: 4317 + service: opentelemetry-collector.observability.svc.cluster.local + - name: jaeger + opentelemetry: + port: 4317 + service: jaeger-collector.istio-system.svc.cluster.local + +cni: + resources: + requests: + cpu: 10m + memory: 40Mi + +ztunnel: + resources: + requests: + cpu: 10m + memory: 40Mi + +global: + proxy: + resources: + requests: + cpu: 10m + memory: 40Mi + waypoint: + resources: + requests: + cpu: 10m + memory: 40Mi + +pilot: + autoscaleEnabled: false + traceSampling: 100 + resources: + requests: + cpu: 10m + memory: 100Mi + +gateways: + istio-egressgateway: + autoscaleEnabled: false + resources: + requests: + cpu: 10m + memory: 40Mi + istio-ingressgateway: + autoscaleEnabled: false + ports: + ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. + # Note that AWS ELB will by default perform health checks on the first port + # on this list. Setting this to the health check port will ensure that health + # checks always work. https://github.com/istio/istio/issues/12503 + - port: 15021 + targetPort: 15021 + name: status-port + - port: 80 + targetPort: 8080 + name: http2 + - port: 443 + targetPort: 8443 + name: https + - port: 31400 + targetPort: 31400 + name: tcp + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + resources: + requests: + cpu: 10m + memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/files/profile-platform-gke.yaml new file mode 100644 index 0000000000..dfe8a7d741 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/files/profile-platform-gke.yaml @@ -0,0 +1,10 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work + resourceQuotas: + enabled: true +resourceQuotas: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/files/profile-platform-k3d.yaml new file mode 100644 index 0000000000..cd86d9ec58 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/files/profile-platform-k3d.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/files/profile-platform-k3s.yaml new file mode 100644 index 0000000000..07820106d9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/files/profile-platform-k3s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/files/profile-platform-microk8s.yaml new file mode 100644 index 0000000000..57d7f5e3cd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/files/profile-platform-microk8s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/snap/microk8s/current/args/cni-network + cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/files/profile-platform-minikube.yaml new file mode 100644 index 0000000000..fa9992e204 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/files/profile-platform-minikube.yaml @@ -0,0 +1,6 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/files/profile-platform-openshift.yaml new file mode 100644 index 0000000000..8ddc5e1654 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/files/profile-platform-openshift.yaml @@ -0,0 +1,19 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The OpenShift profile provides a basic set of settings to run Istio on OpenShift +cni: + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + provider: "multus" +pilot: + cni: + enabled: true + provider: "multus" +seLinuxOptions: + type: spc_t +# Openshift requires privileged pods to run in kube-system +trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/files/profile-preview.yaml new file mode 100644 index 0000000000..181d7bda2c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/files/profile-preview.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +meshConfig: + defaultConfig: + proxyMetadata: + # Enable Istio agent to handle DNS requests for known hosts + # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf + ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/files/profile-remote.yaml new file mode 100644 index 0000000000..d17b9a801a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/files/profile-remote.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. +istiodRemote: + enabled: true +configMap: false +telemetry: + enabled: false +global: + # TODO BML maybe a different profile for a configcluster/revisit this + omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/files/profile-stable.yaml new file mode 100644 index 0000000000..358282e69b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/files/profile-stable.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The stable profile deploys admission control to ensure that only stable resources and fields are used +# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE +experimental: + stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/templates/NOTES.txt new file mode 100644 index 0000000000..244f59db06 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/templates/NOTES.txt @@ -0,0 +1,5 @@ +ztunnel successfully installed! + +To learn more about the release, try: + $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} + $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/templates/_helpers.tpl new file mode 100644 index 0000000000..46a7a0b79d --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/templates/_helpers.tpl @@ -0,0 +1 @@ +{{ define "ztunnel.release-name" }}{{ .Values.resourceName| default "ztunnel" }}{{ end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/templates/daemonset.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/templates/daemonset.yaml new file mode 100644 index 0000000000..0822394d76 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/templates/daemonset.yaml @@ -0,0 +1,205 @@ +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ include "ztunnel.release-name" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: ztunnel + {{- include "istio.labels" . | nindent 4}} + {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }} + annotations: +{{- if .Values.revision }} + {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }} + {{- toYaml $annos | nindent 4}} +{{- else }} + {{- .Values.annotations | toYaml | nindent 4 }} +{{- end }} +spec: + {{- with .Values.updateStrategy }} + updateStrategy: + {{- toYaml . | nindent 4 }} + {{- end }} + selector: + matchLabels: + app: ztunnel + template: + metadata: + labels: + sidecar.istio.io/inject: "false" + istio.io/dataplane-mode: none + app: ztunnel + app.kubernetes.io/name: ztunnel + {{- include "istio.labels" . | nindent 8}} +{{ with .Values.podLabels -}}{{ toYaml . | indent 8 }}{{ end }} + annotations: + sidecar.istio.io/inject: "false" +{{- if .Values.revision }} + istio.io/rev: {{ .Values.revision }} +{{- end }} +{{ with .Values.podAnnotations -}}{{ toYaml . | indent 8 }}{{ end }} + spec: + nodeSelector: + kubernetes.io/os: linux +{{- if .Values.nodeSelector }} +{{ toYaml .Values.nodeSelector | indent 8 }} +{{- end }} +{{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | trim | indent 8 }} +{{- end }} + serviceAccountName: {{ include "ztunnel.release-name" . }} + tolerations: + - effect: NoSchedule + operator: Exists + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists + containers: + - name: istio-proxy +{{- if contains "/" .Values.image }} + image: "{{ .Values.image }}" +{{- else }} + image: "{{ .Values.hub }}/{{ .Values.image | default "ztunnel" }}:{{ .Values.tag }}{{with (.Values.variant )}}-{{.}}{{end}}" +{{- end }} + ports: + - containerPort: 15020 + name: ztunnel-stats + protocol: TCP + resources: +{{- if .Values.resources }} +{{ toYaml .Values.resources | trim | indent 10 }} +{{- end }} +{{- with .Values.imagePullPolicy }} + imagePullPolicy: {{ . }} +{{- end }} + securityContext: + # K8S docs are clear that CAP_SYS_ADMIN *or* privileged: true + # both force this to `true`: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + # But there is a K8S validation bug that doesn't propery catch this: https://github.com/kubernetes/kubernetes/issues/119568 + allowPrivilegeEscalation: true + privileged: false + capabilities: + drop: + - ALL + add: # See https://man7.org/linux/man-pages/man7/capabilities.7.html + - NET_ADMIN # Required for TPROXY and setsockopt + - SYS_ADMIN # Required for `setns` - doing things in other netns + - NET_RAW # Required for RAW/PACKET sockets, TPROXY + readOnlyRootFilesystem: true + runAsGroup: 1337 + runAsNonRoot: false + runAsUser: 0 +{{- if .Values.seLinuxOptions }} + seLinuxOptions: +{{ toYaml .Values.seLinuxOptions | trim | indent 12 }} +{{- end }} + readinessProbe: + httpGet: + port: 15021 + path: /healthz/ready + args: + - proxy + - ztunnel + env: + - name: CA_ADDRESS + {{- if .Values.caAddress }} + value: {{ .Values.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012 + {{- end }} + - name: XDS_ADDRESS + {{- if .Values.xdsAddress }} + value: {{ .Values.xdsAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012 + {{- end }} + {{- if .Values.logAsJson }} + - name: LOG_FORMAT + value: json + {{- end}} + - name: RUST_LOG + value: {{ .Values.logLevel | quote }} + - name: RUST_BACKTRACE + value: "1" + - name: ISTIO_META_CLUSTER_ID + value: {{ .Values.multiCluster.clusterName | default "Kubernetes" }} + - name: INPOD_ENABLED + value: "true" + - name: TERMINATION_GRACE_PERIOD_SECONDS + value: "{{ .Values.terminationGracePeriodSeconds }}" + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + {{- if .Values.meshConfig.defaultConfig.proxyMetadata }} + {{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata}} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + {{- with .Values.env }} + {{- range $key, $val := . }} + - name: {{ $key }} + value: "{{ $val }}" + {{- end }} + {{- end }} + volumeMounts: + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + - mountPath: /var/run/secrets/tokens + name: istio-token + - mountPath: /var/run/ztunnel + name: cni-ztunnel-sock-dir + - mountPath: /tmp + name: tmp + {{- with .Values.volumeMounts }} + {{- toYaml . | nindent 8 }} + {{- end }} + priorityClassName: system-node-critical + terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} + volumes: + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: istio-ca + - name: istiod-ca-cert + {{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:root-cert + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + - name: cni-ztunnel-sock-dir + hostPath: + path: /var/run/ztunnel + type: DirectoryOrCreate # ideally this would be a socket, but istio-cni may not have started yet. + # pprof needs a writable /tmp, and we don't have that thanks to `readOnlyRootFilesystem: true`, so mount one + - name: tmp + emptyDir: {} + {{- with .Values.volumes }} + {{- toYaml . | nindent 6}} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/templates/rbac.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/templates/rbac.yaml new file mode 100644 index 0000000000..0a8138c9a3 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/templates/rbac.yaml @@ -0,0 +1,72 @@ +apiVersion: v1 +kind: ServiceAccount + {{- with .Values.imagePullSecrets }} +imagePullSecrets: + {{- range . }} + - name: {{ . }} + {{- end }} + {{- end }} +metadata: + name: {{ include "ztunnel.release-name" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: ztunnel + {{- include "istio.labels" . | nindent 4}} + {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }} + annotations: +{{- if .Values.revision }} + {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }} + {{- toYaml $annos | nindent 4}} +{{- else }} + {{- .Values.annotations | toYaml | nindent 4 }} +{{- end }} +--- +{{- if (eq (.Values.platform | default "") "openshift") }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "ztunnel.release-name" . }} + labels: + app: ztunnel + release: {{ include "ztunnel.release-name" . }} + app.kubernetes.io/name: ztunnel + {{- include "istio.labels" . | nindent 4}} + annotations: +{{- if .Values.revision }} + {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }} + {{- toYaml $annos | nindent 4}} +{{- else }} + {{- .Values.annotations | toYaml | nindent 4 }} +{{- end }} +rules: +- apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: ["privileged"] + verbs: ["use"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "ztunnel.release-name" . }} + labels: + app: ztunnel + release: {{ include "ztunnel.release-name" . }} + app.kubernetes.io/name: ztunnel + {{- include "istio.labels" . | nindent 4}} + annotations: +{{- if .Values.revision }} + {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }} + {{- toYaml $annos | nindent 4}} +{{- else }} + {{- .Values.annotations | toYaml | nindent 4 }} +{{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "ztunnel.release-name" . }} +subjects: +- kind: ServiceAccount + name: {{ include "ztunnel.release-name" . }} + namespace: {{ .Release.Namespace }} +{{- end }} +--- diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/templates/resourcequota.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/templates/resourcequota.yaml new file mode 100644 index 0000000000..a1c0e5496d --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/templates/resourcequota.yaml @@ -0,0 +1,20 @@ +{{- if .Values.resourceQuotas.enabled }} +apiVersion: v1 +kind: ResourceQuota +metadata: + name: {{ include "ztunnel.release-name" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: ztunnel + {{- include "istio.labels" . | nindent 4}} + {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }} +spec: + hard: + pods: {{ .Values.resourceQuotas.pods | quote }} + scopeSelector: + matchExpressions: + - operator: In + scopeName: PriorityClass + values: + - system-node-critical +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/templates/zzz_profile.yaml new file mode 100644 index 0000000000..606c556697 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/templates/zzz_profile.yaml @@ -0,0 +1,75 @@ +{{/* +WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. +The original version of this file is located at /manifests directory. +If you want to make a change in this file, edit the original one and run "make gen". + +Complex logic ahead... +We have three sets of values, in order of precedence (last wins): +1. The builtin values.yaml defaults +2. The profile the user selects +3. Users input (-f or --set) + +Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). + +However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). +We can then merge the profile onto the defaults, then the user settings onto that. +Finally, we can set all of that under .Values so the chart behaves without awareness. +*/}} +{{- if $.Values.defaults}} +{{ fail (cat + "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" + ($.Values.defaults | toYaml |nindent 4) +) }} +{{- end }} +{{- $defaults := $.Values._internal_defaults_do_not_set }} +{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} +{{- $profile := dict }} +{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} +{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} +{{- $profile = (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown profile" .) }} +{{- end }} +{{- end }} +{{- with .Values.compatibilityVersion }} +{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} +{{- end }} +{{- end }} +{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} +{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown platform" .) }} +{{- end }} +{{- end }} +{{- if $profile }} +{{- $a := mustMergeOverwrite $defaults $profile }} +{{- end }} +# Flatten globals, if defined on a per-chart basis +{{- if true }} +{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} +{{- end }} +{{- $x := set $.Values "_original" (deepCopy $.Values) }} +{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} + +{{/* +Labels that should be applied to ALL resources. +*/}} +{{- define "istio.labels" -}} +{{- if .Release.Service -}} +app.kubernetes.io/managed-by: {{ .Release.Service | quote }} +{{- end }} +{{- if .Release.Name }} +app.kubernetes.io/instance: {{ .Release.Name | quote }} +{{- end }} +app.kubernetes.io/part-of: "istio" +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +{{- if and .Chart.Name .Chart.Version }} +helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/values.yaml new file mode 100644 index 0000000000..5709d37452 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/charts/ztunnel/values.yaml @@ -0,0 +1,114 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + # Hub to pull from. Image will be `Hub/Image:Tag-Variant` + hub: gcr.io/istio-release + # Tag to pull from. Image will be `Hub/Image:Tag-Variant` + tag: 1.26.4 + # Variant to pull. Options are "debug" or "distroless". Unset will use the default for the given version. + variant: "" + + # Image name to pull from. Image will be `Hub/Image:Tag-Variant` + # If Image contains a "/", it will replace the entire `image` in the pod. + image: ztunnel + + # resourceName, if set, will override the naming of resources. If not set, will default to 'ztunnel'. + # If you set this, you MUST also set `trustedZtunnelName` in the `istiod` chart. + resourceName: "" + + # Labels to apply to all top level resources + labels: {} + # Annotations to apply to all top level resources + annotations: {} + + # Additional volumeMounts to the ztunnel container + volumeMounts: [] + + # Additional volumes to the ztunnel pod + volumes: [] + + # Annotations added to each pod. The default annotations are required for scraping prometheus (in most environments). + podAnnotations: + prometheus.io/port: "15020" + prometheus.io/scrape: "true" + + # Additional labels to apply on the pod level + podLabels: {} + + # Pod resource configuration + resources: + requests: + cpu: 200m + # Ztunnel memory scales with the size of the cluster and traffic load + # While there are many factors, this is enough for ~200k pod cluster or 100k concurrently open connections. + memory: 512Mi + + resourceQuotas: + enabled: false + pods: 5000 + + # List of secret names to add to the service account as image pull secrets + imagePullSecrets: [] + + # A `key: value` mapping of environment variables to add to the pod + env: {} + + # Override for the pod imagePullPolicy + imagePullPolicy: "" + + # Settings for multicluster + multiCluster: + # The name of the cluster we are installing in. Note this is a user-defined name, which must be consistent + # with Istiod configuration. + clusterName: "" + + # meshConfig defines runtime configuration of components. + # For ztunnel, only defaultConfig is used, but this is nested under `meshConfig` for consistency with other + # components. + # TODO: https://github.com/istio/istio/issues/43248 + meshConfig: + defaultConfig: + proxyMetadata: {} + + # This value defines: + # 1. how many seconds kube waits for ztunnel pod to gracefully exit before forcibly terminating it (this value) + # 2. how many seconds ztunnel waits to drain its own connections (this value - 1 sec) + # Default K8S value is 30 seconds + terminationGracePeriodSeconds: 30 + + # Revision is set as 'version' label and part of the resource names when installing multiple control planes. + # Used to locate the XDS and CA, if caAddress or xdsAddress are not set explicitly. + revision: "" + + # The customized CA address to retrieve certificates for the pods in the cluster. + # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. + caAddress: "" + + # The customized XDS address to retrieve configuration. + # This should include the port - 15012 for Istiod. TLS will be used with the certificates in "istiod-ca-cert" secret. + # By default, it is istiod.istio-system.svc:15012 if revision is not set, or istiod-..svc:15012 + xdsAddress: "" + + # Used to locate the XDS and CA, if caAddress or xdsAddress are not set. + istioNamespace: istio-system + + # Configuration log level of ztunnel binary, default is info. + # Valid values are: trace, debug, info, warn, error + logLevel: info + + # To output all logs in json format + logAsJson: false + + # Set to `type: RuntimeDefault` to use the default profile if available. + seLinuxOptions: {} + # TODO Ambient inpod - for OpenShift, set to the following to get writable sockets in hostmounts to work, eventually consider CSI driver instead + #seLinuxOptions: + # type: spc_t + + # K8s DaemonSet update strategy. + # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec). + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/cni-1.26.4.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/cni-1.26.4.tgz.etag new file mode 100644 index 0000000000..07bfbcc430 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/cni-1.26.4.tgz.etag @@ -0,0 +1 @@ +3569346826bcf9faf738eb5cfd1faa861a0af9bc54cc43f8740184f30d541e67 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/commit b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/commit new file mode 100644 index 0000000000..ea0928cedf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/commit @@ -0,0 +1 @@ +1.26.4 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/gateway-1.26.4.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/gateway-1.26.4.tgz.etag new file mode 100644 index 0000000000..8e3dc3d980 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/gateway-1.26.4.tgz.etag @@ -0,0 +1 @@ +54f8f96edb1e67e8c60ff43cb29631da484b57a74caab86d0851b349c61ab6bf diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/istiod-1.26.4.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/istiod-1.26.4.tgz.etag new file mode 100644 index 0000000000..749caffe88 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/istiod-1.26.4.tgz.etag @@ -0,0 +1 @@ +45fd920c61de59055368f9ecf6b12002c81d3924e28f3297e887f2e5048bddb3 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/profiles/ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/profiles/ambient.yaml new file mode 100644 index 0000000000..71ea784a80 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/profiles/ambient.yaml @@ -0,0 +1,5 @@ +apiVersion: sailoperator.io/v1 +kind: Istio +spec: + values: + profile: ambient diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/profiles/default.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/profiles/default.yaml new file mode 100644 index 0000000000..8f1ef19676 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/profiles/default.yaml @@ -0,0 +1,12 @@ +apiVersion: sailoperator.io/v1 +kind: Istio +spec: + # Most default values come from the helm chart's values.yaml + # Below are the things that differ + values: + defaultRevision: "" + global: + istioNamespace: istio-system + configValidation: true + ztunnel: + resourceName: ztunnel diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/profiles/demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/profiles/demo.yaml new file mode 100644 index 0000000000..53c4b41633 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/profiles/demo.yaml @@ -0,0 +1,5 @@ +apiVersion: sailoperator.io/v1 +kind: Istio +spec: + values: + profile: demo diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/profiles/empty.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/profiles/empty.yaml new file mode 100644 index 0000000000..4477cb1fe1 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/profiles/empty.yaml @@ -0,0 +1,5 @@ +# The empty profile has everything disabled +# This is useful as a base for custom user configuration +apiVersion: sailoperator.io/v1 +kind: Istio +spec: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/profiles/openshift-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/profiles/openshift-ambient.yaml new file mode 100644 index 0000000000..76edf00cd8 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/profiles/openshift-ambient.yaml @@ -0,0 +1,7 @@ +apiVersion: sailoperator.io/v1 +kind: Istio +spec: + values: + profile: ambient + global: + platform: openshift diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/profiles/openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/profiles/openshift.yaml new file mode 100644 index 0000000000..41492660fe --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/profiles/openshift.yaml @@ -0,0 +1,6 @@ +apiVersion: sailoperator.io/v1 +kind: Istio +spec: + values: + global: + platform: openshift diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/profiles/preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/profiles/preview.yaml new file mode 100644 index 0000000000..59d545c840 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/profiles/preview.yaml @@ -0,0 +1,8 @@ +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +apiVersion: sailoperator.io/v1 +kind: Istio +spec: + values: + profile: preview diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/profiles/remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/profiles/remote.yaml new file mode 100644 index 0000000000..54c65c8ba9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/profiles/remote.yaml @@ -0,0 +1,7 @@ +# The remote profile is used to configure a mesh cluster without a locally deployed control plane. +# Only the injector mutating webhook configuration is installed. +apiVersion: sailoperator.io/v1 +kind: Istio +spec: + values: + profile: remote diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/profiles/stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/profiles/stable.yaml new file mode 100644 index 0000000000..285feba244 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/profiles/stable.yaml @@ -0,0 +1,5 @@ +apiVersion: sailoperator.io/v1 +kind: Istio +spec: + values: + profile: stable diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/ztunnel-1.26.4.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/ztunnel-1.26.4.tgz.etag new file mode 100644 index 0000000000..a2c1b60fde --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.4/ztunnel-1.26.4.tgz.etag @@ -0,0 +1 @@ +91c6de1398ceb60a84a20f8e430c489980ce07760e777ab33b90968aa82d933b diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/base-1.26.6.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/base-1.26.6.tgz.etag new file mode 100644 index 0000000000..2b76ee1cf3 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/base-1.26.6.tgz.etag @@ -0,0 +1 @@ +3546ec2b47b04cdbef9940a2c26f6718dcd17a9901f3601147b22e1e88bd64a5 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/Chart.yaml new file mode 100644 index 0000000000..ea428a19ce --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/Chart.yaml @@ -0,0 +1,10 @@ +apiVersion: v2 +appVersion: 1.26.6 +description: Helm chart for deploying Istio cluster resources and CRDs +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio +name: base +sources: +- https://github.com/istio/istio +version: 1.26.6 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/README.md new file mode 100644 index 0000000000..ae8f6d5b0e --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/README.md @@ -0,0 +1,35 @@ +# Istio base Helm Chart + +This chart installs resources shared by all Istio revisions. This includes Istio CRDs. + +## Setup Repo Info + +```console +helm repo add istio https://istio-release.storage.googleapis.com/charts +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Installing the Chart + +To install the chart with the release name `istio-base`: + +```console +kubectl create namespace istio-system +helm install istio-base istio/base -n istio-system +``` + +### Profiles + +Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. +These can be set with `--set profile=`. +For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. + +For consistency, the same profiles are used across each chart, even if they do not impact a given chart. + +Explicitly set values have highest priority, then profile settings, then chart defaults. + +As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. +When configuring the chart, you should not include this. +That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/files/profile-ambient.yaml new file mode 100644 index 0000000000..2805fe46bf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/files/profile-ambient.yaml @@ -0,0 +1,17 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/files/profile-compatibility-version-1.23.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/files/profile-compatibility-version-1.23.yaml new file mode 100644 index 0000000000..dac910ff5b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/files/profile-compatibility-version-1.23.yaml @@ -0,0 +1,25 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + ENABLE_INBOUND_RETRY_POLICY: "false" + EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" + +ambient: + # Not present in <1.24, defaults to `true` in 1.25+ + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 0000000000..b211c82666 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/files/profile-compatibility-version-1.24.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + PILOT_ENABLE_IP_AUTOALLOCATE: "false" +ambient: + dnsCapture: false + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..eb8827cd50 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/files/profile-demo.yaml new file mode 100644 index 0000000000..d6dc36dd0f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/files/profile-demo.yaml @@ -0,0 +1,94 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The demo profile enables a variety of things to try out Istio in non-production environments. +# * Lower resource utilization. +# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. +# * More ports enabled on the ingress, which is used in some tasks. +meshConfig: + accessLogFile: /dev/stdout + extensionProviders: + - name: otel + envoyOtelAls: + service: opentelemetry-collector.observability.svc.cluster.local + port: 4317 + - name: skywalking + skywalking: + service: tracing.istio-system.svc.cluster.local + port: 11800 + - name: otel-tracing + opentelemetry: + port: 4317 + service: opentelemetry-collector.observability.svc.cluster.local + - name: jaeger + opentelemetry: + port: 4317 + service: jaeger-collector.istio-system.svc.cluster.local + +cni: + resources: + requests: + cpu: 10m + memory: 40Mi + +ztunnel: + resources: + requests: + cpu: 10m + memory: 40Mi + +global: + proxy: + resources: + requests: + cpu: 10m + memory: 40Mi + waypoint: + resources: + requests: + cpu: 10m + memory: 40Mi + +pilot: + autoscaleEnabled: false + traceSampling: 100 + resources: + requests: + cpu: 10m + memory: 100Mi + +gateways: + istio-egressgateway: + autoscaleEnabled: false + resources: + requests: + cpu: 10m + memory: 40Mi + istio-ingressgateway: + autoscaleEnabled: false + ports: + ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. + # Note that AWS ELB will by default perform health checks on the first port + # on this list. Setting this to the health check port will ensure that health + # checks always work. https://github.com/istio/istio/issues/12503 + - port: 15021 + targetPort: 15021 + name: status-port + - port: 80 + targetPort: 8080 + name: http2 + - port: 443 + targetPort: 8443 + name: https + - port: 31400 + targetPort: 31400 + name: tcp + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + resources: + requests: + cpu: 10m + memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/files/profile-platform-gke.yaml new file mode 100644 index 0000000000..dfe8a7d741 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/files/profile-platform-gke.yaml @@ -0,0 +1,10 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work + resourceQuotas: + enabled: true +resourceQuotas: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/files/profile-platform-k3d.yaml new file mode 100644 index 0000000000..cd86d9ec58 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/files/profile-platform-k3d.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/files/profile-platform-k3s.yaml new file mode 100644 index 0000000000..07820106d9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/files/profile-platform-k3s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/files/profile-platform-microk8s.yaml new file mode 100644 index 0000000000..57d7f5e3cd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/files/profile-platform-microk8s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/snap/microk8s/current/args/cni-network + cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/files/profile-platform-minikube.yaml new file mode 100644 index 0000000000..fa9992e204 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/files/profile-platform-minikube.yaml @@ -0,0 +1,6 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/files/profile-platform-openshift.yaml new file mode 100644 index 0000000000..8ddc5e1654 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/files/profile-platform-openshift.yaml @@ -0,0 +1,19 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The OpenShift profile provides a basic set of settings to run Istio on OpenShift +cni: + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + provider: "multus" +pilot: + cni: + enabled: true + provider: "multus" +seLinuxOptions: + type: spc_t +# Openshift requires privileged pods to run in kube-system +trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/files/profile-preview.yaml new file mode 100644 index 0000000000..181d7bda2c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/files/profile-preview.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +meshConfig: + defaultConfig: + proxyMetadata: + # Enable Istio agent to handle DNS requests for known hosts + # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf + ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/files/profile-remote.yaml new file mode 100644 index 0000000000..d17b9a801a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/files/profile-remote.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. +istiodRemote: + enabled: true +configMap: false +telemetry: + enabled: false +global: + # TODO BML maybe a different profile for a configcluster/revisit this + omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/files/profile-stable.yaml new file mode 100644 index 0000000000..358282e69b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/files/profile-stable.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The stable profile deploys admission control to ensure that only stable resources and fields are used +# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE +experimental: + stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/templates/NOTES.txt new file mode 100644 index 0000000000..f12616f578 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/templates/NOTES.txt @@ -0,0 +1,5 @@ +Istio base successfully installed! + +To learn more about the release, try: + $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} + $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml new file mode 100644 index 0000000000..2616b09c9a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml @@ -0,0 +1,53 @@ +{{- if and .Values.experimental.stableValidationPolicy (not (eq .Values.defaultRevision "")) }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicy +metadata: + name: "stable-channel-default-policy.istio.io" + labels: + release: {{ .Release.Name }} + istio: istiod + istio.io/rev: {{ .Values.defaultRevision }} + app.kubernetes.io/name: "istiod" + {{ include "istio.labels" . | nindent 4 }} +spec: + failurePolicy: Fail + matchConstraints: + resourceRules: + - apiGroups: + - security.istio.io + - networking.istio.io + - telemetry.istio.io + - extensions.istio.io + apiVersions: ["*"] + operations: ["CREATE", "UPDATE"] + resources: ["*"] + variables: + - name: isEnvoyFilter + expression: "object.kind == 'EnvoyFilter'" + - name: isWasmPlugin + expression: "object.kind == 'WasmPlugin'" + - name: isProxyConfig + expression: "object.kind == 'ProxyConfig'" + - name: isTelemetry + expression: "object.kind == 'Telemetry'" + validations: + - expression: "!variables.isEnvoyFilter" + - expression: "!variables.isWasmPlugin" + - expression: "!variables.isProxyConfig" + - expression: | + !( + variables.isTelemetry && ( + (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) || + (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) || + (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter)) + ) + ) +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicyBinding +metadata: + name: "stable-channel-default-policy-binding.istio.io" +spec: + policyName: "stable-channel-default-policy.istio.io" + validationActions: [Deny] +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml new file mode 100644 index 0000000000..8cb76fd773 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml @@ -0,0 +1,56 @@ +{{- if not (eq .Values.defaultRevision "") }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: istiod-default-validator + labels: + app: istiod + release: {{ .Release.Name }} + istio: istiod + istio.io/rev: {{ .Values.defaultRevision | quote }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +webhooks: + - name: validation.istio.io + clientConfig: + {{- if .Values.base.validationURL }} + url: {{ .Values.base.validationURL }} + {{- else }} + service: + {{- if (eq .Values.defaultRevision "default") }} + name: istiod + {{- else }} + name: istiod-{{ .Values.defaultRevision }} + {{- end }} + namespace: {{ .Values.global.istioNamespace }} + path: "/validate" + {{- end }} + {{- if .Values.base.validationCABundle }} + caBundle: "{{ .Values.base.validationCABundle }}" + {{- end }} + rules: + - operations: + - CREATE + - UPDATE + apiGroups: + - security.istio.io + - networking.istio.io + - telemetry.istio.io + - extensions.istio.io + apiVersions: + - "*" + resources: + - "*" + + {{- if .Values.base.validationCABundle }} + # Disable webhook controller in Pilot to stop patching it + failurePolicy: Fail + {{- else }} + # Fail open until the validation webhook is ready. The webhook controller + # will update this to `Fail` and patch in the `caBundle` when the webhook + # endpoint is ready. + failurePolicy: Ignore + {{- end }} + sideEffects: None + admissionReviewVersions: ["v1"] +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/templates/reader-serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/templates/reader-serviceaccount.yaml new file mode 100644 index 0000000000..ba829a6bfe --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/templates/reader-serviceaccount.yaml @@ -0,0 +1,20 @@ +# This singleton service account aggregates reader permissions for the revisions in a given cluster +# ATM this is a singleton per cluster with Istio installed, and is not revisioned. It maybe should be, +# as otherwise compromising the token for this SA would give you access to *every* installed revision. +# Should be used for remote secret creation. +apiVersion: v1 +kind: ServiceAccount + {{- if .Values.global.imagePullSecrets }} +imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +metadata: + name: istio-reader-service-account + namespace: {{ .Values.global.istioNamespace }} + labels: + app: istio-reader + release: {{ .Release.Name }} + app.kubernetes.io/name: "istio-reader" + {{- include "istio.labels" . | nindent 4 }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/templates/zzz_profile.yaml new file mode 100644 index 0000000000..3d84956485 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/templates/zzz_profile.yaml @@ -0,0 +1,75 @@ +{{/* +WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. +The original version of this file is located at /manifests directory. +If you want to make a change in this file, edit the original one and run "make gen". + +Complex logic ahead... +We have three sets of values, in order of precedence (last wins): +1. The builtin values.yaml defaults +2. The profile the user selects +3. Users input (-f or --set) + +Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). + +However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). +We can then merge the profile onto the defaults, then the user settings onto that. +Finally, we can set all of that under .Values so the chart behaves without awareness. +*/}} +{{- if $.Values.defaults}} +{{ fail (cat + "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" + ($.Values.defaults | toYaml |nindent 4) +) }} +{{- end }} +{{- $defaults := $.Values._internal_defaults_do_not_set }} +{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} +{{- $profile := dict }} +{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} +{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} +{{- $profile = (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown profile" .) }} +{{- end }} +{{- end }} +{{- with .Values.compatibilityVersion }} +{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} +{{- end }} +{{- end }} +{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} +{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown platform" .) }} +{{- end }} +{{- end }} +{{- if $profile }} +{{- $a := mustMergeOverwrite $defaults $profile }} +{{- end }} +# Flatten globals, if defined on a per-chart basis +{{- if false }} +{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} +{{- end }} +{{- $x := set $.Values "_original" (deepCopy $.Values) }} +{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} + +{{/* +Labels that should be applied to ALL resources. +*/}} +{{- define "istio.labels" -}} +{{- if .Release.Service -}} +app.kubernetes.io/managed-by: {{ .Release.Service | quote }} +{{- end }} +{{- if .Release.Name }} +app.kubernetes.io/instance: {{ .Release.Name | quote }} +{{- end }} +app.kubernetes.io/part-of: "istio" +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +{{- if and .Chart.Name .Chart.Version }} +helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/values.yaml new file mode 100644 index 0000000000..d18296f00a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/base/values.yaml @@ -0,0 +1,37 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + global: + + # ImagePullSecrets for control plane ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + + # Used to locate istiod. + istioNamespace: istio-system + base: + # A list of CRDs to exclude. Requires `enableCRDTemplates` to be true. + # Example: `excludedCRDs: ["envoyfilters.networking.istio.io"]`. + # Note: when installing with `istioctl`, `enableIstioConfigCRDs=false` must also be set. + excludedCRDs: [] + # Helm (as of V3) does not support upgrading CRDs, because it is not universally + # safe for them to support this. + # Istio as a project enforces certain backwards-compat guarantees that allow us + # to safely upgrade CRDs in spite of this, so we default to self-managing CRDs + # as standard K8S resources in Helm, and disable Helm's CRD management. See also: + # https://helm.sh/docs/chart_best_practices/custom_resource_definitions/#method-2-separate-charts + enableCRDTemplates: true + + # Validation webhook configuration url + # For example: https://$remotePilotAddress:15017/validate + validationURL: "" + # Validation webhook caBundle value. Useful when running pilot with a well known cert + validationCABundle: "" + + # For istioctl usage to disable istio config crds in base + enableIstioConfigCRDs: true + + defaultRevision: "default" + experimental: + stableValidationPolicy: false diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/Chart.yaml new file mode 100644 index 0000000000..3c84bd2d29 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +appVersion: 1.26.6 +description: Helm chart for istio-cni components +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio-cni +- istio +name: cni +sources: +- https://github.com/istio/istio +version: 1.26.6 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/README.md new file mode 100644 index 0000000000..a8b78d5bde --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/README.md @@ -0,0 +1,65 @@ +# Istio CNI Helm Chart + +This chart installs the Istio CNI Plugin. See the [CNI installation guide](https://istio.io/latest/docs/setup/additional-setup/cni/) +for more information. + +## Setup Repo Info + +```console +helm repo add istio https://istio-release.storage.googleapis.com/charts +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Installing the Chart + +To install the chart with the release name `istio-cni`: + +```console +helm install istio-cni istio/cni -n kube-system +``` + +Installation in `kube-system` is recommended to ensure the [`system-node-critical`](https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/) +`priorityClassName` can be used. You can install in other namespace only on K8S clusters that allow +'system-node-critical' outside of kube-system. + +## Configuration + +To view support configuration options and documentation, run: + +```console +helm show values istio/istio-cni +``` + +### Profiles + +Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. +These can be set with `--set profile=`. +For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. + +For consistency, the same profiles are used across each chart, even if they do not impact a given chart. + +Explicitly set values have highest priority, then profile settings, then chart defaults. + +As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. +When configuring the chart, you should not include this. +That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. + +### Ambient + +To enable ambient, you can use the ambient profile: `--set profile=ambient`. + +#### Calico + +For Calico, you must also modify the settings to allow source spoofing: + +- if deployed by operator, `kubectl patch felixconfigurations default --type='json' -p='[{"op": "add", "path": "/spec/workloadSourceSpoofing", "value": "Any"}]'` +- if deployed by manifest, add env `FELIX_WORKLOADSOURCESPOOFING` with value `Any` in `spec.template.spec.containers.env` for daemonset `calico-node`. (This will allow PODs with specified annotation to skip the rpf check. ) + +### GKE notes + +On GKE, 'kube-system' is required. + +If using `helm template`, `--set cni.cniBinDir=/home/kubernetes/bin` is required - with `helm install` +it is auto-detected. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/files/profile-ambient.yaml new file mode 100644 index 0000000000..2805fe46bf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/files/profile-ambient.yaml @@ -0,0 +1,17 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/files/profile-compatibility-version-1.23.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/files/profile-compatibility-version-1.23.yaml new file mode 100644 index 0000000000..dac910ff5b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/files/profile-compatibility-version-1.23.yaml @@ -0,0 +1,25 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + ENABLE_INBOUND_RETRY_POLICY: "false" + EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" + +ambient: + # Not present in <1.24, defaults to `true` in 1.25+ + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 0000000000..b211c82666 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/files/profile-compatibility-version-1.24.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + PILOT_ENABLE_IP_AUTOALLOCATE: "false" +ambient: + dnsCapture: false + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..eb8827cd50 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/files/profile-demo.yaml new file mode 100644 index 0000000000..d6dc36dd0f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/files/profile-demo.yaml @@ -0,0 +1,94 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The demo profile enables a variety of things to try out Istio in non-production environments. +# * Lower resource utilization. +# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. +# * More ports enabled on the ingress, which is used in some tasks. +meshConfig: + accessLogFile: /dev/stdout + extensionProviders: + - name: otel + envoyOtelAls: + service: opentelemetry-collector.observability.svc.cluster.local + port: 4317 + - name: skywalking + skywalking: + service: tracing.istio-system.svc.cluster.local + port: 11800 + - name: otel-tracing + opentelemetry: + port: 4317 + service: opentelemetry-collector.observability.svc.cluster.local + - name: jaeger + opentelemetry: + port: 4317 + service: jaeger-collector.istio-system.svc.cluster.local + +cni: + resources: + requests: + cpu: 10m + memory: 40Mi + +ztunnel: + resources: + requests: + cpu: 10m + memory: 40Mi + +global: + proxy: + resources: + requests: + cpu: 10m + memory: 40Mi + waypoint: + resources: + requests: + cpu: 10m + memory: 40Mi + +pilot: + autoscaleEnabled: false + traceSampling: 100 + resources: + requests: + cpu: 10m + memory: 100Mi + +gateways: + istio-egressgateway: + autoscaleEnabled: false + resources: + requests: + cpu: 10m + memory: 40Mi + istio-ingressgateway: + autoscaleEnabled: false + ports: + ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. + # Note that AWS ELB will by default perform health checks on the first port + # on this list. Setting this to the health check port will ensure that health + # checks always work. https://github.com/istio/istio/issues/12503 + - port: 15021 + targetPort: 15021 + name: status-port + - port: 80 + targetPort: 8080 + name: http2 + - port: 443 + targetPort: 8443 + name: https + - port: 31400 + targetPort: 31400 + name: tcp + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + resources: + requests: + cpu: 10m + memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/files/profile-platform-gke.yaml new file mode 100644 index 0000000000..dfe8a7d741 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/files/profile-platform-gke.yaml @@ -0,0 +1,10 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work + resourceQuotas: + enabled: true +resourceQuotas: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/files/profile-platform-k3d.yaml new file mode 100644 index 0000000000..cd86d9ec58 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/files/profile-platform-k3d.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/files/profile-platform-k3s.yaml new file mode 100644 index 0000000000..07820106d9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/files/profile-platform-k3s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/files/profile-platform-microk8s.yaml new file mode 100644 index 0000000000..57d7f5e3cd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/files/profile-platform-microk8s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/snap/microk8s/current/args/cni-network + cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/files/profile-platform-minikube.yaml new file mode 100644 index 0000000000..fa9992e204 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/files/profile-platform-minikube.yaml @@ -0,0 +1,6 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/files/profile-platform-openshift.yaml new file mode 100644 index 0000000000..8ddc5e1654 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/files/profile-platform-openshift.yaml @@ -0,0 +1,19 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The OpenShift profile provides a basic set of settings to run Istio on OpenShift +cni: + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + provider: "multus" +pilot: + cni: + enabled: true + provider: "multus" +seLinuxOptions: + type: spc_t +# Openshift requires privileged pods to run in kube-system +trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/files/profile-preview.yaml new file mode 100644 index 0000000000..181d7bda2c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/files/profile-preview.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +meshConfig: + defaultConfig: + proxyMetadata: + # Enable Istio agent to handle DNS requests for known hosts + # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf + ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/files/profile-remote.yaml new file mode 100644 index 0000000000..d17b9a801a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/files/profile-remote.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. +istiodRemote: + enabled: true +configMap: false +telemetry: + enabled: false +global: + # TODO BML maybe a different profile for a configcluster/revisit this + omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/files/profile-stable.yaml new file mode 100644 index 0000000000..358282e69b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/files/profile-stable.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The stable profile deploys admission control to ensure that only stable resources and fields are used +# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE +experimental: + stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/templates/NOTES.txt new file mode 100644 index 0000000000..fb35525b99 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/templates/NOTES.txt @@ -0,0 +1,5 @@ +"{{ .Release.Name }}" successfully installed! + +To learn more about the release, try: + $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} + $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/templates/_helpers.tpl new file mode 100644 index 0000000000..73cc17b2f6 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/templates/_helpers.tpl @@ -0,0 +1,8 @@ +{{- define "name" -}} + istio-cni +{{- end }} + + +{{- define "istio-tag" -}} + {{ .Values.tag | default .Values.global.tag }}{{with (.Values.variant | default .Values.global.variant)}}-{{.}}{{end}} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/templates/clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/templates/clusterrole.yaml new file mode 100644 index 0000000000..1779e0bb1d --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/templates/clusterrole.yaml @@ -0,0 +1,81 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "name" . }} + labels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +rules: +- apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: ["privileged"] + verbs: ["use"] +- apiGroups: [""] + resources: ["pods","nodes","namespaces"] + verbs: ["get", "list", "watch"] +{{- if (eq ((coalesce .Values.platform .Values.global.platform) | default "") "openshift") }} +- apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: ["privileged"] + verbs: ["use"] +{{- end }} +--- +{{- if .Values.repair.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "name" . }}-repair-role + labels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] + - apiGroups: [""] + resources: ["pods"] + verbs: ["watch", "get", "list"] +{{- if .Values.repair.repairPods }} +{{- /* No privileges needed*/}} +{{- else if .Values.repair.deletePods }} + - apiGroups: [""] + resources: ["pods"] + verbs: ["delete"] +{{- else if .Values.repair.labelPods }} + - apiGroups: [""] + {{- /* pods/status is less privileged than the full pod, and either can label. So use the lower pods/status */}} + resources: ["pods/status"] + verbs: ["patch", "update"] +{{- end }} +{{- end }} +--- +{{- if .Values.ambient.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "name" . }}-ambient + labels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +rules: +- apiGroups: [""] + {{- /* pods/status is less privileged than the full pod, and either can label. So use the lower pods/status */}} + resources: ["pods/status"] + verbs: ["patch", "update"] +- apiGroups: ["apps"] + resources: ["daemonsets"] + resourceNames: ["{{ template "name" . }}-node"] + verbs: ["get"] +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/templates/clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..42fedab1fc --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/templates/clusterrolebinding.yaml @@ -0,0 +1,63 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "name" . }} + labels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "name" . }} +subjects: +- kind: ServiceAccount + name: {{ template "name" . }} + namespace: {{ .Release.Namespace }} +--- +{{- if .Values.repair.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "name" . }}-repair-rolebinding + labels: + k8s-app: {{ template "name" . }}-repair + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +subjects: +- kind: ServiceAccount + name: {{ template "name" . }} + namespace: {{ .Release.Namespace}} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "name" . }}-repair-role +{{- end }} +--- +{{- if .Values.ambient.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "name" . }}-ambient + labels: + k8s-app: {{ template "name" . }}-repair + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ template "name" . }} + namespace: {{ .Release.Namespace}} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "name" . }}-ambient +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/templates/configmap-cni.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/templates/configmap-cni.yaml new file mode 100644 index 0000000000..3deb2cb5ad --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/templates/configmap-cni.yaml @@ -0,0 +1,35 @@ +kind: ConfigMap +apiVersion: v1 +metadata: + name: {{ template "name" . }}-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +data: + CURRENT_AGENT_VERSION: {{ .Values.tag | default .Values.global.tag | quote }} + AMBIENT_ENABLED: {{ .Values.ambient.enabled | quote }} + AMBIENT_DNS_CAPTURE: {{ .Values.ambient.dnsCapture | quote }} + AMBIENT_IPV6: {{ .Values.ambient.ipv6 | quote }} + AMBIENT_RECONCILE_POD_RULES_ON_STARTUP: {{ .Values.ambient.reconcileIptablesOnStartup | quote }} + {{- if .Values.cniConfFileName }} # K8S < 1.24 doesn't like empty values + CNI_CONF_NAME: {{ .Values.cniConfFileName }} # Name of the CNI config file to create. Only override if you know the exact path your CNI requires.. + {{- end }} + CHAINED_CNI_PLUGIN: {{ .Values.chained | quote }} + EXCLUDE_NAMESPACES: "{{ range $idx, $ns := .Values.excludeNamespaces }}{{ if $idx }},{{ end }}{{ $ns }}{{ end }}" + REPAIR_ENABLED: {{ .Values.repair.enabled | quote }} + REPAIR_LABEL_PODS: {{ .Values.repair.labelPods | quote }} + REPAIR_DELETE_PODS: {{ .Values.repair.deletePods | quote }} + REPAIR_REPAIR_PODS: {{ .Values.repair.repairPods | quote }} + REPAIR_INIT_CONTAINER_NAME: {{ .Values.repair.initContainerName | quote }} + REPAIR_BROKEN_POD_LABEL_KEY: {{ .Values.repair.brokenPodLabelKey | quote }} + REPAIR_BROKEN_POD_LABEL_VALUE: {{ .Values.repair.brokenPodLabelValue | quote }} + {{- with .Values.env }} + {{- range $key, $val := . }} + {{ $key }}: "{{ $val }}" + {{- end }} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/templates/daemonset.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/templates/daemonset.yaml new file mode 100644 index 0000000000..cdccd36542 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/templates/daemonset.yaml @@ -0,0 +1,245 @@ +# This manifest installs the Istio install-cni container, as well +# as the Istio CNI plugin and config on +# each master and worker node in a Kubernetes cluster. +# +# $detectedBinDir exists to support a GKE-specific platform override, +# and is deprecated in favor of using the explicit `gke` platform profile. +{{- $detectedBinDir := (.Capabilities.KubeVersion.GitVersion | contains "-gke") | ternary + "/home/kubernetes/bin" + "/opt/cni/bin" +}} +{{- if .Values.cniBinDir }} +{{ $detectedBinDir = .Values.cniBinDir }} +{{- end }} +kind: DaemonSet +apiVersion: apps/v1 +metadata: + # Note that this is templated but evaluates to a fixed name + # which the CNI plugin may fall back onto in some failsafe scenarios. + # if this name is changed, CNI plugin logic that checks for this name + # format should also be updated. + name: {{ template "name" . }}-node + namespace: {{ .Release.Namespace }} + labels: + k8s-app: {{ template "name" . }}-node + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +spec: + selector: + matchLabels: + k8s-app: {{ template "name" . }}-node + {{- with .Values.updateStrategy }} + updateStrategy: + {{- toYaml . | nindent 4 }} + {{- end }} + template: + metadata: + labels: + k8s-app: {{ template "name" . }}-node + sidecar.istio.io/inject: "false" + istio.io/dataplane-mode: none + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 8 }} + annotations: + sidecar.istio.io/inject: "false" + # Add Prometheus Scrape annotations + prometheus.io/scrape: 'true' + prometheus.io/port: "15014" + prometheus.io/path: '/metrics' + # Add AppArmor annotation + # This is required to avoid conflicts with AppArmor profiles which block certain + # privileged pod capabilities. + # Required for Kubernetes 1.29 which does not support setting appArmorProfile in the + # securityContext which is otherwise preferred. + container.apparmor.security.beta.kubernetes.io/install-cni: unconfined + # Custom annotations + {{- if .Values.podAnnotations }} +{{ toYaml .Values.podAnnotations | indent 8 }} + {{- end }} + spec: +{{- if and .Values.ambient.enabled .Values.ambient.shareHostNetworkNamespace }} + hostNetwork: true + dnsPolicy: ClusterFirstWithHostNet +{{- end }} + nodeSelector: + kubernetes.io/os: linux + # Can be configured to allow for excluding istio-cni from being scheduled on specified nodes + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + tolerations: + # Make sure istio-cni-node gets scheduled on all nodes. + - effect: NoSchedule + operator: Exists + # Mark the pod as a critical add-on for rescheduling. + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists + priorityClassName: system-node-critical + serviceAccountName: {{ template "name" . }} + # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force + # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods. + terminationGracePeriodSeconds: 5 + containers: + # This container installs the Istio CNI binaries + # and CNI network config file on each node. + - name: install-cni +{{- if contains "/" .Values.image }} + image: "{{ .Values.image }}" +{{- else }} + image: "{{ .Values.hub | default .Values.global.hub }}/{{ .Values.image | default "install-cni" }}:{{ template "istio-tag" . }}" +{{- end }} +{{- if or .Values.pullPolicy .Values.global.imagePullPolicy }} + imagePullPolicy: {{ .Values.pullPolicy | default .Values.global.imagePullPolicy }} +{{- end }} + ports: + - containerPort: 15014 + name: metrics + protocol: TCP + readinessProbe: + httpGet: + path: /readyz + port: 8000 + securityContext: + privileged: false + runAsGroup: 0 + runAsUser: 0 + runAsNonRoot: false + # Both ambient and sidecar repair mode require elevated node privileges to function. + # But we don't need _everything_ in `privileged`, so explicitly set it to false and + # add capabilities based on feature. + capabilities: + drop: + - ALL + add: + # CAP_NET_ADMIN is required to allow ipset and route table access + - NET_ADMIN + # CAP_NET_RAW is required to allow iptables mutation of the `nat` table + - NET_RAW + # CAP_SYS_PTRACE is required for repair and ambient mode to describe + # the pod's network namespace. + - SYS_PTRACE + # CAP_SYS_ADMIN is required for both ambient and repair, in order to open + # network namespaces in `/proc` to obtain descriptors for entering pod network + # namespaces. There does not appear to be a more granular capability for this. + - SYS_ADMIN + # While we run as a 'root' (UID/GID 0), since we drop all capabilities we lose + # the typical ability to read/write to folders owned by others. + # This can cause problems if the hostPath mounts we use, which we require write access into, + # are owned by non-root. DAC_OVERRIDE bypasses these and gives us write access into any folder. + - DAC_OVERRIDE +{{- if .Values.seLinuxOptions }} +{{ with (merge .Values.seLinuxOptions (dict "type" "spc_t")) }} + seLinuxOptions: +{{ toYaml . | trim | indent 14 }} +{{- end }} +{{- end }} +{{- if .Values.seccompProfile }} + seccompProfile: +{{ toYaml .Values.seccompProfile | trim | indent 14 }} +{{- end }} + command: ["install-cni"] + args: + {{- if or .Values.logging.level .Values.global.logging.level }} + - --log_output_level={{ coalesce .Values.logging.level .Values.global.logging.level }} + {{- end}} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end}} + envFrom: + - configMapRef: + name: {{ template "name" . }}-config + env: + - name: REPAIR_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: REPAIR_RUN_AS_DAEMON + value: "true" + - name: REPAIR_SIDECAR_ANNOTATION + value: "sidecar.istio.io/status" + {{- if not (and .Values.ambient.enabled .Values.ambient.shareHostNetworkNamespace) }} + - name: ALLOW_SWITCH_TO_HOST_NS + value: "true" + {{- end }} + - name: NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + volumeMounts: + - mountPath: /host/opt/cni/bin + name: cni-bin-dir + {{- if or .Values.repair.repairPods .Values.ambient.enabled }} + - mountPath: /host/proc + name: cni-host-procfs + readOnly: true + {{- end }} + - mountPath: /host/etc/cni/net.d + name: cni-net-dir + - mountPath: /var/run/istio-cni + name: cni-socket-dir + {{- if .Values.ambient.enabled }} + - mountPath: /host/var/run/netns + mountPropagation: HostToContainer + name: cni-netns-dir + - mountPath: /var/run/ztunnel + name: cni-ztunnel-sock-dir + {{ end }} + resources: +{{- if .Values.resources }} +{{ toYaml .Values.resources | trim | indent 12 }} +{{- else }} +{{ toYaml .Values.global.defaultResources | trim | indent 12 }} +{{- end }} + volumes: + # Used to install CNI. + - name: cni-bin-dir + hostPath: + path: {{ $detectedBinDir }} + {{- if or .Values.repair.repairPods .Values.ambient.enabled }} + - name: cni-host-procfs + hostPath: + path: /proc + type: Directory + {{- end }} + {{- if .Values.ambient.enabled }} + - name: cni-ztunnel-sock-dir + hostPath: + path: /var/run/ztunnel + type: DirectoryOrCreate + {{- end }} + - name: cni-net-dir + hostPath: + path: {{ .Values.cniConfDir }} + # Used for UDS sockets for logging, ambient eventing + - name: cni-socket-dir + hostPath: + path: /var/run/istio-cni + - name: cni-netns-dir + hostPath: + path: {{ .Values.cniNetnsDir }} + type: DirectoryOrCreate # DirectoryOrCreate instead of Directory for the following reason - CNI may not bind mount this until a non-hostnetwork pod is scheduled on the node, + # and we don't want to block CNI agent pod creation on waiting for the first non-hostnetwork pod. + # Once the CNI does mount this, it will get populated and we're good. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/templates/network-attachment-definition.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/templates/network-attachment-definition.yaml new file mode 100644 index 0000000000..86a2eb7c0b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/templates/network-attachment-definition.yaml @@ -0,0 +1,11 @@ +{{- if eq .Values.provider "multus" }} +apiVersion: k8s.cni.cncf.io/v1 +kind: NetworkAttachmentDefinition +metadata: + name: {{ template "name" . }} + namespace: default + labels: + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/templates/networkpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/templates/networkpolicy.yaml new file mode 100644 index 0000000000..a30df776db --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/templates/networkpolicy.yaml @@ -0,0 +1,36 @@ +{{- if (.Values.global.networkPolicy).enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ template "name" . }}{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + k8s-app: {{ template "name" . }}-node + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + k8s-app: {{ template "name" . }}-node + policyTypes: + - Ingress + - Egress + ingress: + # Metrics endpoint for monitoring/prometheus + - from: [] + ports: + - protocol: TCP + port: 15014 + # Readiness probe endpoint + - from: [] + ports: + - protocol: TCP + port: 8000 + egress: + # Allow DNS resolution and access to Kubernetes API server. + # IP/Port of the API server is heavily dependant on k8s distribution, so we allow all egress for now. + - {} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/templates/resourcequota.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/templates/resourcequota.yaml new file mode 100644 index 0000000000..9a6d61ff91 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/templates/resourcequota.yaml @@ -0,0 +1,19 @@ +{{- if .Values.resourceQuotas.enabled }} +apiVersion: v1 +kind: ResourceQuota +metadata: + name: {{ template "name" . }}-resource-quota + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +spec: + hard: + pods: {{ .Values.resourceQuotas.pods | quote }} + scopeSelector: + matchExpressions: + - operator: In + scopeName: PriorityClass + values: + - system-node-critical +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/templates/serviceaccount.yaml new file mode 100644 index 0000000000..3193d7b74a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/templates/serviceaccount.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: ServiceAccount +{{- if .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range .Values.global.imagePullSecrets }} + - name: {{ . }} +{{- end }} +{{- end }} +metadata: + name: {{ template "name" . }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/templates/zzy_descope_legacy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/templates/zzy_descope_legacy.yaml new file mode 100644 index 0000000000..a9584ac29f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/templates/zzy_descope_legacy.yaml @@ -0,0 +1,3 @@ +{{/* Copy anything under `.cni` to `.`, to avoid the need to specify a redundant prefix. +Due to the file naming, this always happens after zzz_profile.yaml */}} +{{- $_ := mustMergeOverwrite $.Values (index $.Values "cni") }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/templates/zzz_profile.yaml new file mode 100644 index 0000000000..3d84956485 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/templates/zzz_profile.yaml @@ -0,0 +1,75 @@ +{{/* +WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. +The original version of this file is located at /manifests directory. +If you want to make a change in this file, edit the original one and run "make gen". + +Complex logic ahead... +We have three sets of values, in order of precedence (last wins): +1. The builtin values.yaml defaults +2. The profile the user selects +3. Users input (-f or --set) + +Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). + +However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). +We can then merge the profile onto the defaults, then the user settings onto that. +Finally, we can set all of that under .Values so the chart behaves without awareness. +*/}} +{{- if $.Values.defaults}} +{{ fail (cat + "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" + ($.Values.defaults | toYaml |nindent 4) +) }} +{{- end }} +{{- $defaults := $.Values._internal_defaults_do_not_set }} +{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} +{{- $profile := dict }} +{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} +{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} +{{- $profile = (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown profile" .) }} +{{- end }} +{{- end }} +{{- with .Values.compatibilityVersion }} +{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} +{{- end }} +{{- end }} +{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} +{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown platform" .) }} +{{- end }} +{{- end }} +{{- if $profile }} +{{- $a := mustMergeOverwrite $defaults $profile }} +{{- end }} +# Flatten globals, if defined on a per-chart basis +{{- if false }} +{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} +{{- end }} +{{- $x := set $.Values "_original" (deepCopy $.Values) }} +{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} + +{{/* +Labels that should be applied to ALL resources. +*/}} +{{- define "istio.labels" -}} +{{- if .Release.Service -}} +app.kubernetes.io/managed-by: {{ .Release.Service | quote }} +{{- end }} +{{- if .Release.Name }} +app.kubernetes.io/instance: {{ .Release.Name | quote }} +{{- end }} +app.kubernetes.io/part-of: "istio" +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +{{- if and .Chart.Name .Chart.Version }} +helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/values.yaml new file mode 100644 index 0000000000..58b2d721fa --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/cni/values.yaml @@ -0,0 +1,156 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + hub: "" + tag: "" + variant: "" + image: install-cni + pullPolicy: "" + + # Same as `global.logging.level`, but will override it if set + logging: + level: "" + + # Configuration file to insert istio-cni plugin configuration + # by default this will be the first file found in the cni-conf-dir + # Example + # cniConfFileName: 10-calico.conflist + + # CNI-and-platform specific path defaults. + # These may need to be set to platform-specific values, consult + # overrides for your platform in `manifests/helm-profiles/platform-*.yaml` + cniBinDir: /opt/cni/bin + cniConfDir: /etc/cni/net.d + cniConfFileName: "" + cniNetnsDir: "/var/run/netns" + + excludeNamespaces: + - kube-system + + # Allows user to set custom affinity for the DaemonSet + affinity: {} + + # Custom annotations on pod level, if you need them + podAnnotations: {} + + # Deploy the config files as plugin chain (value "true") or as standalone files in the conf dir (value "false")? + # Some k8s flavors (e.g. OpenShift) do not support the chain approach, set to false if this is the case + chained: true + + # Custom configuration happens based on the CNI provider. + # Possible values: "default", "multus" + provider: "default" + + # Configure ambient settings + ambient: + # If enabled, ambient redirection will be enabled + enabled: false + # Set ambient config dir path: defaults to /etc/ambient-config + configDir: "" + # If enabled, and ambient is enabled, DNS redirection will be enabled + dnsCapture: true + # If enabled, and ambient is enabled, enables ipv6 support + ipv6: true + # If enabled, and ambient is enabled, the CNI agent will reconcile incompatible iptables rules and chains at startup. + # This will eventually be enabled by default + reconcileIptablesOnStartup: false + # If enabled, and ambient is enabled, the CNI agent will always share the network namespace of the host node it is running on + shareHostNetworkNamespace: false + + + repair: + enabled: true + hub: "" + tag: "" + + # Repair controller has 3 modes. Pick which one meets your use cases. Note only one may be used. + # This defines the action the controller will take when a pod is detected as broken. + + # labelPods will label all pods with =. + # This is only capable of identifying broken pods; the user is responsible for fixing them (generally, by deleting them). + # Note this gives the DaemonSet a relatively high privilege, as modifying pod metadata/status can have wider impacts. + labelPods: false + # deletePods will delete any broken pod. These will then be rescheduled, hopefully onto a node that is fully ready. + # Note this gives the DaemonSet a relatively high privilege, as it can delete any Pod. + deletePods: false + # repairPods will dynamically repair any broken pod by setting up the pod networking configuration even after it has started. + # Note the pod will be crashlooping, so this may take a few minutes to become fully functional based on when the retry occurs. + # This requires no RBAC privilege, but does require `securityContext.privileged/CAP_SYS_ADMIN`. + repairPods: true + + initContainerName: "istio-validation" + + brokenPodLabelKey: "cni.istio.io/uninitialized" + brokenPodLabelValue: "true" + + # Set to `type: RuntimeDefault` to use the default profile if available. + seccompProfile: {} + + # SELinux options to set in the istio-cni-node pods. You may need to set this to `type: spc_t` for some platforms. + seLinuxOptions: {} + + resources: + requests: + cpu: 100m + memory: 100Mi + + resourceQuotas: + enabled: false + pods: 5000 + + # K8s DaemonSet update strategy. + # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec). + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 + + # Revision is set as 'version' label and part of the resource names when installing multiple control planes. + revision: "" + + # For Helm compatibility. + ownerName: "" + + global: + # Default hub for Istio images. + # Releases are published to docker hub under 'istio' project. + # Dev builds from prow are on gcr.io + hub: gcr.io/istio-release + + # Default tag for Istio images. + tag: 1.26.6 + + # Variant of the image to use. + # Currently supported are: [debug, distroless] + variant: "" + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent. + imagePullPolicy: "" + + # change cni scope level to control logging out of istio-cni-node DaemonSet + logging: + level: info + + logAsJson: false + + # When enabled, default NetworkPolicy resources will be created + networkPolicy: + enabled: false + + # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) + # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + # - private-registry-key + + # Default resources allocated + defaultResources: + requests: + cpu: 100m + memory: 100Mi + + # A `key: value` mapping of environment variables to add to the pod + env: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/Chart.yaml new file mode 100644 index 0000000000..9ca41c9c66 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/Chart.yaml @@ -0,0 +1,12 @@ +apiVersion: v2 +appVersion: 1.26.6 +description: Helm chart for deploying Istio gateways +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio +- gateways +name: gateway +sources: +- https://github.com/istio/istio +type: application +version: 1.26.6 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/README.md new file mode 100644 index 0000000000..5c064d165b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/README.md @@ -0,0 +1,170 @@ +# Istio Gateway Helm Chart + +This chart installs an Istio gateway deployment. + +## Setup Repo Info + +```console +helm repo add istio https://istio-release.storage.googleapis.com/charts +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Installing the Chart + +To install the chart with the release name `istio-ingressgateway`: + +```console +helm install istio-ingressgateway istio/gateway +``` + +## Uninstalling the Chart + +To uninstall/delete the `istio-ingressgateway` deployment: + +```console +helm delete istio-ingressgateway +``` + +## Configuration + +To view support configuration options and documentation, run: + +```console +helm show values istio/gateway +``` + +### Profiles + +Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. +These can be set with `--set profile=`. +For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. + +For consistency, the same profiles are used across each chart, even if they do not impact a given chart. + +Explicitly set values have highest priority, then profile settings, then chart defaults. + +As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. +When configuring the chart, you should not include this. +That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. + +### OpenShift + +When deploying the gateway in an OpenShift cluster, use the `openshift` profile to override the default values, for example: + +```console +helm install istio-ingressgateway istio/gateway --set profile=openshift +``` + +### `image: auto` Information + +The image used by the chart, `auto`, may be unintuitive. +This exists because the pod spec will be automatically populated at runtime, using the same mechanism as [Sidecar Injection](istio.io/latest/docs/setup/additional-setup/sidecar-injection). +This allows the same configurations and lifecycle to apply to gateways as sidecars. + +Note: this does mean that the namespace the gateway is deployed in must not have the `istio-injection=disabled` label. +See [Controlling the injection policy](https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#controlling-the-injection-policy) for more info. + +### Examples + +#### Egress Gateway + +Deploying a Gateway to be used as an [Egress Gateway](https://istio.io/latest/docs/tasks/traffic-management/egress/egress-gateway/): + +```yaml +service: + # Egress gateways do not need an external LoadBalancer IP + type: ClusterIP +``` + +#### Multi-network/VM Gateway + +Deploying a Gateway to be used as a [Multi-network Gateway](https://istio.io/latest/docs/setup/install/multicluster/) for network `network-1`: + +```yaml +networkGateway: network-1 +``` + +### Migrating from other installation methods + +Installations from other installation methods (such as istioctl, Istio Operator, other helm charts, etc) can be migrated to use the new Helm charts +following the guidance below. +If you are able to, a clean installation is simpler. However, this often requires an external IP migration which can be challenging. + +WARNING: when installing over an existing deployment, the two deployments will be merged together by Helm, which may lead to unexpected results. + +#### Legacy Gateway Helm charts + +Istio historically offered two different charts - `manifests/charts/gateways/istio-ingress` and `manifests/charts/gateways/istio-egress`. +These are replaced by this chart. +While not required, it is recommended all new users use this chart, and existing users migrate when possible. + +This chart has the following benefits and differences: +* Designed with Helm best practices in mind (standardized values options, values schema, values are not all nested under `gateways.istio-ingressgateway.*`, release name and namespace taken into account, etc). +* Utilizes Gateway injection, simplifying upgrades, allowing gateways to run in any namespace, and avoiding repeating config for sidecars and gateways. +* Published to official Istio Helm repository. +* Single chart for all gateways (Ingress, Egress, East West). + +#### General concerns + +For a smooth migration, the resource names and `Deployment.spec.selector` labels must match. + +If you install with `helm install istio-gateway istio/gateway`, resources will be named `istio-gateway` and the `selector` labels set to: + +```yaml +app: istio-gateway +istio: gateway # the release name with leading istio- prefix stripped +``` + +If your existing installation doesn't follow these names, you can override them. For example, if you have resources named `my-custom-gateway` with `selector` labels +`foo=bar,istio=ingressgateway`: + +```yaml +name: my-custom-gateway # Override the name to match existing resources +labels: + app: "" # Unset default app selector label + istio: ingressgateway # override default istio selector label + foo: bar # Add the existing custom selector label +``` + +#### Migrating an existing Helm release + +An existing helm release can be `helm upgrade`d to this chart by using the same release name. For example, if a previous +installation was done like: + +```console +helm install istio-ingress manifests/charts/gateways/istio-ingress -n istio-system +``` + +It could be upgraded with + +```console +helm upgrade istio-ingress manifests/charts/gateway -n istio-system --set name=istio-ingressgateway --set labels.app=istio-ingressgateway --set labels.istio=ingressgateway +``` + +Note the name and labels are overridden to match the names of the existing installation. + +Warning: the helm charts here default to using port 80 and 443, while the old charts used 8080 and 8443. +If you have AuthorizationPolicies that reference port these ports, you should update them during this process, +or customize the ports to match the old defaults. +See the [security advisory](https://istio.io/latest/news/security/istio-security-2021-002/) for more information. + +#### Other migrations + +If you see errors like `rendered manifests contain a resource that already exists` during installation, you may need to forcibly take ownership. + +The script below can handle this for you. Replace `RELEASE` and `NAMESPACE` with the name and namespace of the release: + +```console +KINDS=(service deployment) +RELEASE=istio-ingressgateway +NAMESPACE=istio-system +for KIND in "${KINDS[@]}"; do + kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-name=$RELEASE + kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-namespace=$NAMESPACE + kubectl --namespace $NAMESPACE --overwrite=true label $KIND $RELEASE app.kubernetes.io/managed-by=Helm +done +``` + +You may ignore errors about resources not being found. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/files/profile-ambient.yaml new file mode 100644 index 0000000000..2805fe46bf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/files/profile-ambient.yaml @@ -0,0 +1,17 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/files/profile-compatibility-version-1.23.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/files/profile-compatibility-version-1.23.yaml new file mode 100644 index 0000000000..dac910ff5b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/files/profile-compatibility-version-1.23.yaml @@ -0,0 +1,25 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + ENABLE_INBOUND_RETRY_POLICY: "false" + EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" + +ambient: + # Not present in <1.24, defaults to `true` in 1.25+ + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 0000000000..b211c82666 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/files/profile-compatibility-version-1.24.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + PILOT_ENABLE_IP_AUTOALLOCATE: "false" +ambient: + dnsCapture: false + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..eb8827cd50 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/files/profile-demo.yaml new file mode 100644 index 0000000000..d6dc36dd0f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/files/profile-demo.yaml @@ -0,0 +1,94 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The demo profile enables a variety of things to try out Istio in non-production environments. +# * Lower resource utilization. +# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. +# * More ports enabled on the ingress, which is used in some tasks. +meshConfig: + accessLogFile: /dev/stdout + extensionProviders: + - name: otel + envoyOtelAls: + service: opentelemetry-collector.observability.svc.cluster.local + port: 4317 + - name: skywalking + skywalking: + service: tracing.istio-system.svc.cluster.local + port: 11800 + - name: otel-tracing + opentelemetry: + port: 4317 + service: opentelemetry-collector.observability.svc.cluster.local + - name: jaeger + opentelemetry: + port: 4317 + service: jaeger-collector.istio-system.svc.cluster.local + +cni: + resources: + requests: + cpu: 10m + memory: 40Mi + +ztunnel: + resources: + requests: + cpu: 10m + memory: 40Mi + +global: + proxy: + resources: + requests: + cpu: 10m + memory: 40Mi + waypoint: + resources: + requests: + cpu: 10m + memory: 40Mi + +pilot: + autoscaleEnabled: false + traceSampling: 100 + resources: + requests: + cpu: 10m + memory: 100Mi + +gateways: + istio-egressgateway: + autoscaleEnabled: false + resources: + requests: + cpu: 10m + memory: 40Mi + istio-ingressgateway: + autoscaleEnabled: false + ports: + ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. + # Note that AWS ELB will by default perform health checks on the first port + # on this list. Setting this to the health check port will ensure that health + # checks always work. https://github.com/istio/istio/issues/12503 + - port: 15021 + targetPort: 15021 + name: status-port + - port: 80 + targetPort: 8080 + name: http2 + - port: 443 + targetPort: 8443 + name: https + - port: 31400 + targetPort: 31400 + name: tcp + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + resources: + requests: + cpu: 10m + memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/files/profile-platform-gke.yaml new file mode 100644 index 0000000000..dfe8a7d741 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/files/profile-platform-gke.yaml @@ -0,0 +1,10 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work + resourceQuotas: + enabled: true +resourceQuotas: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/files/profile-platform-k3d.yaml new file mode 100644 index 0000000000..cd86d9ec58 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/files/profile-platform-k3d.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/files/profile-platform-k3s.yaml new file mode 100644 index 0000000000..07820106d9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/files/profile-platform-k3s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/files/profile-platform-microk8s.yaml new file mode 100644 index 0000000000..57d7f5e3cd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/files/profile-platform-microk8s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/snap/microk8s/current/args/cni-network + cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/files/profile-platform-minikube.yaml new file mode 100644 index 0000000000..fa9992e204 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/files/profile-platform-minikube.yaml @@ -0,0 +1,6 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/files/profile-platform-openshift.yaml new file mode 100644 index 0000000000..8ddc5e1654 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/files/profile-platform-openshift.yaml @@ -0,0 +1,19 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The OpenShift profile provides a basic set of settings to run Istio on OpenShift +cni: + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + provider: "multus" +pilot: + cni: + enabled: true + provider: "multus" +seLinuxOptions: + type: spc_t +# Openshift requires privileged pods to run in kube-system +trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/files/profile-preview.yaml new file mode 100644 index 0000000000..181d7bda2c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/files/profile-preview.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +meshConfig: + defaultConfig: + proxyMetadata: + # Enable Istio agent to handle DNS requests for known hosts + # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf + ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/files/profile-remote.yaml new file mode 100644 index 0000000000..d17b9a801a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/files/profile-remote.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. +istiodRemote: + enabled: true +configMap: false +telemetry: + enabled: false +global: + # TODO BML maybe a different profile for a configcluster/revisit this + omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/files/profile-stable.yaml new file mode 100644 index 0000000000..358282e69b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/files/profile-stable.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The stable profile deploys admission control to ensure that only stable resources and fields are used +# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE +experimental: + stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/templates/NOTES.txt new file mode 100644 index 0000000000..fd0142911a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/templates/NOTES.txt @@ -0,0 +1,9 @@ +"{{ include "gateway.name" . }}" successfully installed! + +To learn more about the release, try: + $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} + $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} + +Next steps: + * Deploy an HTTP Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/ingress-control/ + * Deploy an HTTPS Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/ diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/templates/_helpers.tpl new file mode 100644 index 0000000000..e5a0a9b3c2 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/templates/_helpers.tpl @@ -0,0 +1,40 @@ +{{- define "gateway.name" -}} +{{- if eq .Release.Name "RELEASE-NAME" -}} + {{- .Values.name | default "istio-ingressgateway" -}} +{{- else -}} + {{- .Values.name | default .Release.Name | default "istio-ingressgateway" -}} +{{- end -}} +{{- end }} + +{{- define "gateway.labels" -}} +{{ include "gateway.selectorLabels" . }} +{{- range $key, $val := .Values.labels }} +{{- if and (ne $key "app") (ne $key "istio") }} +{{ $key | quote }}: {{ $val | quote }} +{{- end }} +{{- end }} +{{- end }} + +{{- define "gateway.selectorLabels" -}} +app: {{ (.Values.labels.app | quote) | default (include "gateway.name" .) }} +istio: {{ (.Values.labels.istio | quote) | default (include "gateway.name" . | trimPrefix "istio-") }} +{{- end }} + +{{/* +Keep sidecar injection labels together +https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#controlling-the-injection-policy +*/}} +{{- define "gateway.sidecarInjectionLabels" -}} +sidecar.istio.io/inject: "true" +{{- with .Values.revision }} +istio.io/rev: {{ . | quote }} +{{- end }} +{{- end }} + +{{- define "gateway.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- .Values.serviceAccount.name | default (include "gateway.name" .) }} +{{- else }} +{{- .Values.serviceAccount.name | default "default" }} +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/templates/deployment.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/templates/deployment.yaml new file mode 100644 index 0000000000..d83ff3b493 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/templates/deployment.yaml @@ -0,0 +1,131 @@ +apiVersion: apps/v1 +kind: {{ .Values.kind | default "Deployment" }} +metadata: + name: {{ include "gateway.name" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} + {{- include "gateway.labels" . | nindent 4}} + annotations: + {{- .Values.annotations | toYaml | nindent 4 }} +spec: + {{- if not .Values.autoscaling.enabled }} + {{- if and (hasKey .Values "replicaCount") (ne .Values.replicaCount nil) }} + replicas: {{ .Values.replicaCount }} + {{- end }} + {{- end }} + {{- with .Values.strategy }} + strategy: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.minReadySeconds }} + minReadySeconds: {{ . }} + {{- end }} + selector: + matchLabels: + {{- include "gateway.selectorLabels" . | nindent 6 }} + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "gateway.sidecarInjectionLabels" . | nindent 8 }} + {{- include "gateway.selectorLabels" . | nindent 8 }} + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 8}} + {{- range $key, $val := .Values.labels }} + {{- if and (ne $key "app") (ne $key "istio") }} + {{ $key | quote }}: {{ $val | quote }} + {{- end }} + {{- end }} + {{- with .Values.networkGateway }} + topology.istio.io/network: "{{.}}" + {{- end }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "gateway.serviceAccountName" . }} + securityContext: + {{- if .Values.securityContext }} + {{- toYaml .Values.securityContext | nindent 8 }} + {{- else }} + # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326 + sysctls: + - name: net.ipv4.ip_unprivileged_port_start + value: "0" + {{- end }} + {{- with .Values.volumes }} + volumes: + {{ toYaml . | nindent 8 }} + {{- end }} + containers: + - name: istio-proxy + # "auto" will be populated at runtime by the mutating webhook. See https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#customizing-injection + image: auto + {{- with .Values.imagePullPolicy }} + imagePullPolicy: {{ . }} + {{- end }} + securityContext: + {{- if .Values.containerSecurityContext }} + {{- toYaml .Values.containerSecurityContext | nindent 12 }} + {{- else }} + capabilities: + drop: + - ALL + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + {{- if not (eq (.Values.platform | default "") "openshift") }} + runAsUser: 1337 + runAsGroup: 1337 + {{- end }} + runAsNonRoot: true + {{- end }} + env: + {{- with .Values.networkGateway }} + - name: ISTIO_META_REQUESTED_NETWORK_VIEW + value: "{{.}}" + {{- end }} + {{- range $key, $val := .Values.env }} + - name: {{ $key }} + value: {{ $val | quote }} + {{- end }} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + resources: + {{- toYaml .Values.resources | nindent 12 }} + {{- with .Values.volumeMounts }} + volumeMounts: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.readinessProbe }} + readinessProbe: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml . | nindent 8 }} + {{- end }} + terminationGracePeriodSeconds: {{ $.Values.terminationGracePeriodSeconds }} + {{- with .Values.priorityClassName }} + priorityClassName: {{ . }} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/templates/hpa.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/templates/hpa.yaml new file mode 100644 index 0000000000..64ecb6a4cd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/templates/hpa.yaml @@ -0,0 +1,40 @@ +{{- if and (.Values.autoscaling.enabled) (eq .Values.kind "Deployment") }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "gateway.name" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} + {{- include "gateway.labels" . | nindent 4 }} + annotations: + {{- .Values.annotations | toYaml | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: {{ .Values.kind | default "Deployment" }} + name: {{ include "gateway.name" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + metrics: + {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} + type: Utilization + {{- end }} + {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} + type: Utilization + {{- end }} + {{- if .Values.autoscaling.autoscaleBehavior }} + behavior: {{ toYaml .Values.autoscaling.autoscaleBehavior | nindent 4 }} + {{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/templates/poddisruptionbudget.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/templates/poddisruptionbudget.yaml new file mode 100644 index 0000000000..91869a0ead --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/templates/poddisruptionbudget.yaml @@ -0,0 +1,21 @@ +{{- if .Values.podDisruptionBudget }} +# a workaround for https://github.com/kubernetes/kubernetes/issues/93476 +{{- if or (and .Values.autoscaling.enabled (gt (int .Values.autoscaling.minReplicas) 1)) (and (not .Values.autoscaling.enabled) (gt (int .Values.replicaCount) 1)) }} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "gateway.name" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} + {{- include "gateway.labels" . | nindent 4}} +spec: + selector: + matchLabels: + {{- include "gateway.selectorLabels" . | nindent 6 }} + {{- with .Values.podDisruptionBudget }} + {{- toYaml . | nindent 2 }} + {{- end }} +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/templates/role.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/templates/role.yaml new file mode 100644 index 0000000000..3d16079632 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/templates/role.yaml @@ -0,0 +1,37 @@ +{{/*Set up roles for Istio Gateway. Not required for gateway-api*/}} +{{- if .Values.rbac.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "gateway.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} + {{- include "gateway.labels" . | nindent 4}} + annotations: + {{- .Values.annotations | toYaml | nindent 4 }} +rules: +- apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "watch", "list"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "gateway.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} + {{- include "gateway.labels" . | nindent 4}} + annotations: + {{- .Values.annotations | toYaml | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "gateway.serviceAccountName" . }} +subjects: +- kind: ServiceAccount + name: {{ include "gateway.serviceAccountName" . }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/templates/service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/templates/service.yaml new file mode 100644 index 0000000000..3e28418f7b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/templates/service.yaml @@ -0,0 +1,69 @@ +{{- if not (eq .Values.service.type "None") }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "gateway.name" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} + {{- include "gateway.labels" . | nindent 4 }} + {{- with .Values.networkGateway }} + topology.istio.io/network: "{{.}}" + {{- end }} + annotations: + {{- merge (deepCopy .Values.service.annotations) .Values.annotations | toYaml | nindent 4 }} +spec: +{{- with .Values.service.loadBalancerIP }} + loadBalancerIP: "{{ . }}" +{{- end }} +{{- if eq .Values.service.type "LoadBalancer" }} + {{- if hasKey .Values.service "allocateLoadBalancerNodePorts" }} + allocateLoadBalancerNodePorts: {{ .Values.service.allocateLoadBalancerNodePorts }} + {{- end }} + {{- if hasKey .Values.service "loadBalancerClass" }} + loadBalancerClass: {{ .Values.service.loadBalancerClass }} + {{- end }} +{{- end }} +{{- if .Values.service.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.service.ipFamilyPolicy }} +{{- end }} +{{- if .Values.service.ipFamilies }} + ipFamilies: +{{- range .Values.service.ipFamilies }} + - {{ . }} +{{- end }} +{{- end }} +{{- with .Values.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml . | indent 4 }} +{{- end }} +{{- with .Values.service.externalTrafficPolicy }} + externalTrafficPolicy: "{{ . }}" +{{- end }} + type: {{ .Values.service.type }} + ports: +{{- if .Values.networkGateway }} + - name: status-port + port: 15021 + targetPort: 15021 + - name: tls + port: 15443 + targetPort: 15443 + - name: tls-istiod + port: 15012 + targetPort: 15012 + - name: tls-webhook + port: 15017 + targetPort: 15017 +{{- else }} +{{ .Values.service.ports | toYaml | indent 4 }} +{{- end }} +{{- if .Values.service.externalIPs }} + externalIPs: {{- range .Values.service.externalIPs }} + - {{.}} + {{- end }} +{{- end }} + selector: + {{- include "gateway.selectorLabels" . | nindent 4 }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/templates/serviceaccount.yaml new file mode 100644 index 0000000000..c88afeadd3 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/templates/serviceaccount.yaml @@ -0,0 +1,15 @@ +{{- if .Values.serviceAccount.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "gateway.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} + {{- include "gateway.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/templates/zzz_profile.yaml new file mode 100644 index 0000000000..606c556697 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/templates/zzz_profile.yaml @@ -0,0 +1,75 @@ +{{/* +WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. +The original version of this file is located at /manifests directory. +If you want to make a change in this file, edit the original one and run "make gen". + +Complex logic ahead... +We have three sets of values, in order of precedence (last wins): +1. The builtin values.yaml defaults +2. The profile the user selects +3. Users input (-f or --set) + +Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). + +However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). +We can then merge the profile onto the defaults, then the user settings onto that. +Finally, we can set all of that under .Values so the chart behaves without awareness. +*/}} +{{- if $.Values.defaults}} +{{ fail (cat + "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" + ($.Values.defaults | toYaml |nindent 4) +) }} +{{- end }} +{{- $defaults := $.Values._internal_defaults_do_not_set }} +{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} +{{- $profile := dict }} +{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} +{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} +{{- $profile = (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown profile" .) }} +{{- end }} +{{- end }} +{{- with .Values.compatibilityVersion }} +{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} +{{- end }} +{{- end }} +{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} +{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown platform" .) }} +{{- end }} +{{- end }} +{{- if $profile }} +{{- $a := mustMergeOverwrite $defaults $profile }} +{{- end }} +# Flatten globals, if defined on a per-chart basis +{{- if true }} +{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} +{{- end }} +{{- $x := set $.Values "_original" (deepCopy $.Values) }} +{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} + +{{/* +Labels that should be applied to ALL resources. +*/}} +{{- define "istio.labels" -}} +{{- if .Release.Service -}} +app.kubernetes.io/managed-by: {{ .Release.Service | quote }} +{{- end }} +{{- if .Release.Name }} +app.kubernetes.io/instance: {{ .Release.Name | quote }} +{{- end }} +app.kubernetes.io/part-of: "istio" +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +{{- if and .Chart.Name .Chart.Version }} +helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/values.schema.json b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/values.schema.json new file mode 100644 index 0000000000..d81fcffaa5 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/values.schema.json @@ -0,0 +1,368 @@ +{ + "$schema": "http://json-schema.org/schema#", + "$defs": { + "values": { + "type": "object", + "additionalProperties": false, + "properties": { + "_internal_defaults_do_not_set": { + "type": "object" + }, + "global": { + "type": "object" + }, + "affinity": { + "type": "object" + }, + "securityContext": { + "type": [ + "object", + "null" + ] + }, + "containerSecurityContext": { + "type": [ + "object", + "null" + ] + }, + "kind": { + "type": "string", + "enum": [ + "Deployment", + "DaemonSet" + ] + }, + "annotations": { + "additionalProperties": { + "type": [ + "string", + "integer" + ] + }, + "type": "object" + }, + "autoscaling": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "maxReplicas": { + "type": "integer" + }, + "minReplicas": { + "type": "integer" + }, + "targetCPUUtilizationPercentage": { + "type": "integer" + } + } + }, + "env": { + "type": "object" + }, + "envVarFrom": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "valueFrom": { + "type": "object" + } + } + } + }, + "strategy": { + "type": "object" + }, + "minReadySeconds": { + "type": [ + "null", + "integer" + ] + }, + "readinessProbe": { + "type": [ + "null", + "object" + ] + }, + "labels": { + "type": "object" + }, + "name": { + "type": "string" + }, + "nodeSelector": { + "type": "object" + }, + "podAnnotations": { + "type": "object", + "properties": { + "inject.istio.io/templates": { + "type": "string" + }, + "prometheus.io/path": { + "type": "string" + }, + "prometheus.io/port": { + "type": "string" + }, + "prometheus.io/scrape": { + "type": "string" + } + } + }, + "replicaCount": { + "type": [ + "integer", + "null" + ] + }, + "resources": { + "type": "object", + "properties": { + "limits": { + "type": "object", + "properties": { + "cpu": { + "type": [ + "string", + "null" + ] + }, + "memory": { + "type": [ + "string", + "null" + ] + } + } + }, + "requests": { + "type": "object", + "properties": { + "cpu": { + "type": [ + "string", + "null" + ] + }, + "memory": { + "type": [ + "string", + "null" + ] + } + } + } + } + }, + "revision": { + "type": "string" + }, + "defaultRevision": { + "type": "string" + }, + "compatibilityVersion": { + "type": "string" + }, + "profile": { + "type": "string" + }, + "platform": { + "type": "string" + }, + "pilot": { + "type": "object" + }, + "runAsRoot": { + "type": "boolean" + }, + "unprivilegedPort": { + "type": [ + "string", + "boolean" + ], + "enum": [ + true, + false, + "auto" + ] + }, + "service": { + "type": "object", + "properties": { + "annotations": { + "type": "object" + }, + "externalTrafficPolicy": { + "type": "string" + }, + "loadBalancerIP": { + "type": "string" + }, + "loadBalancerSourceRanges": { + "type": "array" + }, + "ipFamilies": { + "items": { + "type": "string", + "enum": [ + "IPv4", + "IPv6" + ] + } + }, + "ipFamilyPolicy": { + "type": "string", + "enum": [ + "", + "SingleStack", + "PreferDualStack", + "RequireDualStack" + ] + }, + "ports": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "port": { + "type": "integer" + }, + "protocol": { + "type": "string" + }, + "targetPort": { + "type": "integer" + } + } + } + }, + "type": { + "type": "string" + } + } + }, + "serviceAccount": { + "type": "object", + "properties": { + "annotations": { + "type": "object" + }, + "name": { + "type": "string" + }, + "create": { + "type": "boolean" + } + } + }, + "rbac": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, + "tolerations": { + "type": "array" + }, + "topologySpreadConstraints": { + "type": "array" + }, + "networkGateway": { + "type": "string" + }, + "imagePullPolicy": { + "type": "string", + "enum": [ + "", + "Always", + "IfNotPresent", + "Never" + ] + }, + "imagePullSecrets": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + } + } + } + }, + "podDisruptionBudget": { + "type": "object", + "properties": { + "minAvailable": { + "type": [ + "integer", + "string" + ] + }, + "maxUnavailable": { + "type": [ + "integer", + "string" + ] + }, + "unhealthyPodEvictionPolicy": { + "type": "string", + "enum": [ + "", + "IfHealthyBudget", + "AlwaysAllow" + ] + } + } + }, + "terminationGracePeriodSeconds": { + "type": "number" + }, + "volumes": { + "type": "array", + "items": { + "type": "object" + } + }, + "volumeMounts": { + "type": "array", + "items": { + "type": "object" + } + }, + "initContainers": { + "type": "array", + "items": { + "type": "object" + } + }, + "additionalContainers": { + "type": "array", + "items": { + "type": "object" + } + }, + "priorityClassName": { + "type": "string" + } + } + } + }, + "defaults": { + "$ref": "#/$defs/values" + }, + "$ref": "#/$defs/values" +} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/values.yaml new file mode 100644 index 0000000000..5d4fd3b754 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/gateway/values.yaml @@ -0,0 +1,173 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + # Name allows overriding the release name. Generally this should not be set + name: "" + # revision declares which revision this gateway is a part of + revision: "" + + # Controls the spec.replicas setting for the Gateway deployment if set. + # Otherwise defaults to Kubernetes Deployment default (1). + replicaCount: + + kind: Deployment + + rbac: + # If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed + # when using http://gateway-api.org/. + enabled: true + + serviceAccount: + # If set, a service account will be created. Otherwise, the default is used + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set, the release name is used + name: "" + + podAnnotations: + prometheus.io/port: "15020" + prometheus.io/scrape: "true" + prometheus.io/path: "/stats/prometheus" + inject.istio.io/templates: "gateway" + sidecar.istio.io/inject: "true" + + # Define the security context for the pod. + # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. + # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. + securityContext: {} + containerSecurityContext: {} + + service: + # Type of service. Set to "None" to disable the service entirely + type: LoadBalancer + ports: + - name: status-port + port: 15021 + protocol: TCP + targetPort: 15021 + - name: http2 + port: 80 + protocol: TCP + targetPort: 80 + - name: https + port: 443 + protocol: TCP + targetPort: 443 + annotations: {} + loadBalancerIP: "" + loadBalancerSourceRanges: [] + externalTrafficPolicy: "" + externalIPs: [] + ipFamilyPolicy: "" + ipFamilies: [] + ## Whether to automatically allocate NodePorts (only for LoadBalancers). + # allocateLoadBalancerNodePorts: false + ## Set LoadBalancer class (only for LoadBalancers). + # loadBalancerClass: "" + + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 1024Mi + + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 5 + targetCPUUtilizationPercentage: 80 + targetMemoryUtilizationPercentage: {} + autoscaleBehavior: {} + + # Pod environment variables + env: {} + + # Deployment Update strategy + strategy: {} + + # Sets the Deployment minReadySeconds value + minReadySeconds: + + # Optionally configure a custom readinessProbe. By default the control plane + # automatically injects the readinessProbe. If you wish to override that + # behavior, you may define your own readinessProbe here. + readinessProbe: {} + + # Labels to apply to all resources + labels: + # By default, don't enroll gateways into the ambient dataplane + "istio.io/dataplane-mode": none + + # Annotations to apply to all resources + annotations: {} + + nodeSelector: {} + + tolerations: [] + + topologySpreadConstraints: [] + + affinity: {} + + # If specified, the gateway will act as a network gateway for the given network. + networkGateway: "" + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent + imagePullPolicy: "" + + imagePullSecrets: [] + + # This value is used to configure a Kubernetes PodDisruptionBudget for the gateway. + # + # By default, the `podDisruptionBudget` is disabled (set to `{}`), + # which means that no PodDisruptionBudget resource will be created. + # + # The PodDisruptionBudget can be only enabled if autoscaling is enabled + # with minReplicas > 1 or if autoscaling is disabled but replicaCount > 1. + # + # To enable the PodDisruptionBudget, configure it by specifying the + # `minAvailable` or `maxUnavailable`. For example, to set the + # minimum number of available replicas to 1, you can update this value as follows: + # + # podDisruptionBudget: + # minAvailable: 1 + # + # Or, to allow a maximum of 1 unavailable replica, you can set: + # + # podDisruptionBudget: + # maxUnavailable: 1 + # + # You can also specify the `unhealthyPodEvictionPolicy` field, and the valid values are `IfHealthyBudget` and `AlwaysAllow`. + # For example, to set the `unhealthyPodEvictionPolicy` to `AlwaysAllow`, you can update this value as follows: + # + # podDisruptionBudget: + # minAvailable: 1 + # unhealthyPodEvictionPolicy: AlwaysAllow + # + # To disable the PodDisruptionBudget, you can leave it as an empty object `{}`: + # + # podDisruptionBudget: {} + # + podDisruptionBudget: {} + + # Sets the per-pod terminationGracePeriodSeconds setting. + terminationGracePeriodSeconds: 30 + + # A list of `Volumes` added into the Gateway Pods. See + # https://kubernetes.io/docs/concepts/storage/volumes/. + volumes: [] + + # A list of `VolumeMounts` added into the Gateway Pods. See + # https://kubernetes.io/docs/concepts/storage/volumes/. + volumeMounts: [] + + # Configure this to a higher priority class in order to make sure your Istio gateway pods + # will not be killed because of low priority class. + # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + # for more detail. + priorityClassName: "" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/Chart.yaml new file mode 100644 index 0000000000..336c6e2e04 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/Chart.yaml @@ -0,0 +1,12 @@ +apiVersion: v2 +appVersion: 1.26.6 +description: Helm chart for istio control plane +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio +- istiod +- istio-discovery +name: istiod +sources: +- https://github.com/istio/istio +version: 1.26.6 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/README.md new file mode 100644 index 0000000000..ddbfbc8fec --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/README.md @@ -0,0 +1,73 @@ +# Istiod Helm Chart + +This chart installs an Istiod deployment. + +## Setup Repo Info + +```console +helm repo add istio https://istio-release.storage.googleapis.com/charts +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Installing the Chart + +Before installing, ensure CRDs are installed in the cluster (from the `istio/base` chart). + +To install the chart with the release name `istiod`: + +```console +kubectl create namespace istio-system +helm install istiod istio/istiod --namespace istio-system +``` + +## Uninstalling the Chart + +To uninstall/delete the `istiod` deployment: + +```console +helm delete istiod --namespace istio-system +``` + +## Configuration + +To view support configuration options and documentation, run: + +```console +helm show values istio/istiod +``` + +### Profiles + +Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. +These can be set with `--set profile=`. +For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. + +For consistency, the same profiles are used across each chart, even if they do not impact a given chart. + +Explicitly set values have highest priority, then profile settings, then chart defaults. + +As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. +When configuring the chart, you should not include this. +That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. + +### Examples + +#### Configuring mesh configuration settings + +Any [Mesh Config](https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/) options can be configured like below: + +```yaml +meshConfig: + accessLogFile: /dev/stdout +``` + +#### Revisions + +Control plane revisions allow deploying multiple versions of the control plane in the same cluster. +This allows safe [canary upgrades](https://istio.io/latest/docs/setup/upgrade/canary/) + +```yaml +revision: my-revision-name +``` diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/gateway-injection-template.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/gateway-injection-template.yaml new file mode 100644 index 0000000000..224fe75f13 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/gateway-injection-template.yaml @@ -0,0 +1,261 @@ +{{- $containers := list }} +{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} +metadata: + labels: + service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} + service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} + annotations: + istio.io/rev: {{ .Revision | default "default" | quote }} + {{- if ge (len $containers) 1 }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} + kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}" + {{- end }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}" + {{- end }} + {{- end }} +spec: + securityContext: + {{- if .Values.gateways.securityContext }} + {{- toYaml .Values.gateways.securityContext | nindent 4 }} + {{- else }} + sysctls: + - name: net.ipv4.ip_unprivileged_port_start + value: "0" + {{- end }} + containers: + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - router + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} + - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} + {{- end }} + securityContext: + runAsUser: {{ .ProxyUID | default "1337" }} + runAsGroup: {{ .ProxyGID | default "1337" }} + env: + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + {{- if .CompliancePolicy }} + - name: COMPLIANCE_POLICY + value: "{{ .CompliancePolicy }}" + {{- end }} + - name: ISTIO_META_APP_CONTAINERS + value: "{{ $containers | join "," }}" + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ .ProxyConfig.InterceptionMode.String }}" + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{- if .DeploymentMeta.Name }} + - name: ISTIO_META_WORKLOAD_NAME + value: "{{ .DeploymentMeta.Name }}" + {{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + readinessProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }} + timeoutSeconds: 3 + failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }} + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + - name: credential-socket + mountPath: /var/run/secrets/credential-uds + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + volumes: + - emptyDir: {} + name: workload-socket + - emptyDir: {} + name: credential-socket + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- else}} + - emptyDir: {} + name: workload-certs + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - name: istio-certs + secret: + optional: true + {{ if eq .Spec.ServiceAccountName "" }} + secretName: istio.default + {{ else -}} + secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} + {{ end -}} + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/grpc-agent.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/grpc-agent.yaml new file mode 100644 index 0000000000..6e3102e4c8 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/grpc-agent.yaml @@ -0,0 +1,318 @@ +{{- define "resources" }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} + requests: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" + {{ end }} + {{- end }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + limits: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" + {{ end }} + {{- end }} + {{- else }} + {{- if .Values.global.proxy.resources }} + {{ toYaml .Values.global.proxy.resources | indent 6 }} + {{- end }} + {{- end }} +{{- end }} +{{- $containers := list }} +{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} +metadata: + labels: + {{/* security.istio.io/tlsMode: istio must be set by user, if gRPC is using mTLS initialization code. We can't set it automatically. */}} + service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} + service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} + annotations: { + istio.io/rev: {{ .Revision | default "default" | quote }}, + {{- if ge (len $containers) 1 }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} + kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", + {{- end }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", + {{- end }} + {{- end }} + sidecar.istio.io/rewriteAppHTTPProbers: "false", + } +spec: + containers: + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + ports: + - containerPort: 15020 + protocol: TCP + name: mesh-metrics + args: + - proxy + - sidecar + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} + - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + lifecycle: + postStart: + exec: + command: + - pilot-agent + - wait + - --url=http://localhost:15020/healthz/ready + env: + - name: ISTIO_META_GENERATOR + value: grpc + - name: OUTPUT_CERTS + value: /var/lib/istio/data + {{- if eq .InboundTrafficPolicyMode "localhost" }} + - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION + value: "true" + {{- end }} + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: ISTIO_META_APP_CONTAINERS + value: "{{ $containers | join "," }}" + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{- if .DeploymentMeta.Name }} + - name: ISTIO_META_WORKLOAD_NAME + value: "{{ .DeploymentMeta.Name }}" + {{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + # grpc uses xds:/// to resolve – no need to resolve VIP + - name: ISTIO_META_DNS_CAPTURE + value: "false" + - name: DISABLE_ENVOY + value: "true" + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} + readinessProbe: + httpGet: + path: /healthz/ready + port: 15020 + initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} + timeoutSeconds: 3 + failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} + resources: + {{ template "resources" . }} + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + # UDS channel between istioagent and gRPC client for XDS/SDS + - mountPath: /etc/istio/proxy + name: istio-xds + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} + {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 6 }} + {{ end }} + {{- end }} +{{- range $index, $container := .Spec.Containers }} +{{ if not (eq $container.Name "istio-proxy") }} + - name: {{ $container.Name }} + env: + - name: "GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT" + value: "true" + - name: "GRPC_XDS_BOOTSTRAP" + value: "/etc/istio/proxy/grpc-bootstrap.json" + volumeMounts: + - mountPath: /var/lib/istio/data + name: istio-data + # UDS channel between istioagent and gRPC client for XDS/SDS + - mountPath: /etc/istio/proxy + name: istio-xds + {{- if eq $.Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} +{{- end }} +{{- end }} + volumes: + - emptyDir: + name: workload-socket + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- else }} + - emptyDir: + name: workload-certs + {{- end }} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: custom-bootstrap-volume + configMap: + name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-xds + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - name: istio-certs + secret: + optional: true + {{ if eq .Spec.ServiceAccountName "" }} + secretName: istio.default + {{ else -}} + secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} + {{ end -}} + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} + {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 4 }} + {{ end }} + {{ end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/grpc-simple.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/grpc-simple.yaml new file mode 100644 index 0000000000..9ba0c7a46a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/grpc-simple.yaml @@ -0,0 +1,65 @@ +metadata: + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "false" +spec: + initContainers: + - name: grpc-bootstrap-init + image: busybox:1.28 + volumeMounts: + - mountPath: /var/lib/grpc/data/ + name: grpc-io-proxyless-bootstrap + env: + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: ISTIO_NAMESPACE + value: | + {{ .Values.global.istioNamespace }} + command: + - sh + - "-c" + - |- + NODE_ID="sidecar~${INSTANCE_IP}~${POD_NAME}.${POD_NAMESPACE}~cluster.local" + SERVER_URI="dns:///istiod.${ISTIO_NAMESPACE}.svc:15010" + echo ' + { + "xds_servers": [ + { + "server_uri": "'${SERVER_URI}'", + "channel_creds": [{"type": "insecure"}], + "server_features" : ["xds_v3"] + } + ], + "node": { + "id": "'${NODE_ID}'", + "metadata": { + "GENERATOR": "grpc" + } + } + }' > /var/lib/grpc/data/bootstrap.json + containers: + {{- range $index, $container := .Spec.Containers }} + - name: {{ $container.Name }} + env: + - name: GRPC_XDS_BOOTSTRAP + value: /var/lib/grpc/data/bootstrap.json + - name: GRPC_GO_LOG_VERBOSITY_LEVEL + value: "99" + - name: GRPC_GO_LOG_SEVERITY_LEVEL + value: info + volumeMounts: + - mountPath: /var/lib/grpc/data/ + name: grpc-io-proxyless-bootstrap + {{- end }} + volumes: + - name: grpc-io-proxyless-bootstrap + emptyDir: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/injection-template.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/injection-template.yaml new file mode 100644 index 0000000000..e851a8371c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/injection-template.yaml @@ -0,0 +1,531 @@ +{{- define "resources" }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} + requests: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" + {{ end }} + {{- end }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + limits: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" + {{ end }} + {{- end }} + {{- else }} + {{- if .Values.global.proxy.resources }} + {{ toYaml .Values.global.proxy.resources | indent 6 }} + {{- end }} + {{- end }} +{{- end }} +{{ $nativeSidecar := (or (and (not (isset .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar`)) (eq (env "ENABLE_NATIVE_SIDECARS" "false") "true")) (eq (index .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar`) "true")) }} +{{ $tproxy := (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) }} +{{- $containers := list }} +{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} +metadata: + labels: + security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }} + {{- if eq (index .ProxyConfig.ProxyMetadata "ISTIO_META_ENABLE_HBONE") "true" }} + networking.istio.io/tunnel: {{ index .ObjectMeta.Labels `networking.istio.io/tunnel` | default "http" | quote }} + {{- end }} + service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | trunc 63 | trimSuffix "-" | quote }} + service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} + annotations: { + istio.io/rev: {{ .Revision | default "default" | quote }}, + {{- if ge (len $containers) 1 }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} + kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", + {{- end }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", + {{- end }} + {{- end }} +{{- if .Values.pilot.cni.enabled }} + {{- if eq .Values.pilot.cni.provider "multus" }} + k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `default/istio-cni` }}', + {{- end }} + sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}", + {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }} + {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }} + traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}", + traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}", + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }} + traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}", + {{- end }} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} + traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}", + {{- end }} + {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }} + {{ with index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}istio.io/reroute-virtual-interfaces: "{{.}}",{{ end }} + {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}traffic.sidecar.istio.io/excludeInterfaces: "{{.}}",{{ end }} +{{- end }} + } +spec: + {{- $holdProxy := and + (or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts) + (not $nativeSidecar) }} + {{- $noInitContainer := and + (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE`) + (not $nativeSidecar) }} + {{ if $noInitContainer }} + initContainers: [] + {{ else -}} + initContainers: + {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} + {{ if .Values.pilot.cni.enabled -}} + - name: istio-validation + {{ else -}} + - name: istio-init + {{ end -}} + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + args: + - istio-iptables + - "-p" + - {{ .MeshConfig.ProxyListenPort | default "15001" | quote }} + - "-z" + - {{ .MeshConfig.ProxyInboundListenPort | default "15006" | quote }} + - "-u" + - {{ if $tproxy }} "1337" {{ else }} {{ .ProxyUID | default "1337" | quote }} {{ end }} + - "-m" + - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" + - "-i" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" + - "-x" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" + - "-b" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}" + - "-d" + {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }} + - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" + {{- else }} + - "15090,15021" + {{- end }} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}} + - "-q" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" + {{ end -}} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} + - "-o" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" + {{ end -}} + {{ if (isset .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces`) -}} + - "-k" + - "{{ index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}" + {{ else if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} + - "-k" + - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" + {{ end -}} + {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces`) -}} + - "-c" + - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}" + {{ end -}} + - "--log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}" + {{ if .Values.global.logAsJson -}} + - "--log_as_json" + {{ end -}} + {{ if .Values.pilot.cni.enabled -}} + - "--run-validation" + - "--skip-rule-apply" + {{ else if .Values.global.proxy_init.forceApplyIptables -}} + - "--force-apply" + {{ end -}} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + {{- if .ProxyConfig.ProxyMetadata }} + env: + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + resources: + {{ template "resources" . }} + securityContext: + allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} + privileged: {{ .Values.global.proxy.privileged }} + capabilities: + {{- if not .Values.pilot.cni.enabled }} + add: + - NET_ADMIN + - NET_RAW + {{- end }} + drop: + - ALL + {{- if not .Values.pilot.cni.enabled }} + readOnlyRootFilesystem: false + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + {{- else }} + readOnlyRootFilesystem: true + runAsGroup: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyGID | default "1337" }} {{ end }} + runAsUser: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyUID | default "1337" }} {{ end }} + runAsNonRoot: true + {{- end }} + {{ end -}} + {{ end -}} + {{ if not $nativeSidecar }} + containers: + {{ end }} + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + {{ if $nativeSidecar }}restartPolicy: Always{{end}} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - sidecar + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} + - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.outlierLogPath }} + - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }} + {{- end}} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} + {{- else if $holdProxy }} + lifecycle: + postStart: + exec: + command: + - pilot-agent + - wait + {{- else if $nativeSidecar }} + {{- /* preStop is called when the pod starts shutdown. Initialize drain. We will get SIGTERM once applications are torn down. */}} + lifecycle: + preStop: + exec: + command: + - pilot-agent + - request + - --debug-port={{(annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort)}} + - POST + - drain + {{- end }} + env: + {{- if eq .InboundTrafficPolicyMode "localhost" }} + - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION + value: "true" + {{- end }} + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: ISTIO_META_APP_CONTAINERS + value: "{{ $containers | join "," }}" + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + {{- if .CompliancePolicy }} + - name: COMPLIANCE_POLICY + value: "{{ .CompliancePolicy }}" + {{- end }} + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{- with (index .ObjectMeta.Labels `service.istio.io/workload-name` | default .DeploymentMeta.Name) }} + - name: ISTIO_META_WORKLOAD_NAME + value: "{{ . }}" + {{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: ISTIO_BOOTSTRAP_OVERRIDE + value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" + {{- end }} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} + {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} + {{ if .Values.global.proxy.startupProbe.enabled }} + startupProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: 0 + periodSeconds: 1 + timeoutSeconds: 3 + failureThreshold: {{ .Values.global.proxy.startupProbe.failureThreshold }} + {{ end }} + readinessProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} + timeoutSeconds: 3 + failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} + {{ end -}} + securityContext: + {{- if eq (index .ProxyConfig.ProxyMetadata "IPTABLES_TRACE_LOGGING") "true" }} + allowPrivilegeEscalation: true + capabilities: + add: + - NET_ADMIN + drop: + - ALL + privileged: true + readOnlyRootFilesystem: true + runAsGroup: {{ .ProxyGID | default "1337" }} + runAsNonRoot: false + runAsUser: 0 + {{- else }} + allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} + capabilities: + {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} + add: + {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}} + - NET_ADMIN + {{- end }} + {{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}} + - NET_BIND_SERVICE + {{- end }} + {{- end }} + drop: + - ALL + privileged: {{ .Values.global.proxy.privileged }} + readOnlyRootFilesystem: true + {{ if or ($tproxy) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} + runAsNonRoot: false + runAsUser: 0 + runAsGroup: 1337 + {{- else -}} + runAsNonRoot: true + runAsUser: {{ .ProxyUID | default "1337" }} + runAsGroup: {{ .ProxyGID | default "1337" }} + {{- end }} + {{- end }} + resources: + {{ template "resources" . }} + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + - name: credential-socket + mountPath: /var/run/secrets/credential-uds + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - mountPath: /etc/istio/custom-bootstrap + name: custom-bootstrap-volume + {{- end }} + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} + - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }} + name: lightstep-certs + readOnly: true + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} + {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 6 }} + {{ end }} + {{- end }} + volumes: + - emptyDir: + name: workload-socket + - emptyDir: + name: credential-socket + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- else }} + - emptyDir: + name: workload-certs + {{- end }} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: custom-bootstrap-volume + configMap: + name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - name: istio-certs + secret: + optional: true + {{ if eq .Spec.ServiceAccountName "" }} + secretName: istio.default + {{ else -}} + secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} + {{ end -}} + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} + {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 4 }} + {{ end }} + {{ end }} + {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} + - name: lightstep-certs + secret: + optional: true + secretName: lightstep.cacert + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/kube-gateway.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/kube-gateway.yaml new file mode 100644 index 0000000000..a6116b1ab0 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/kube-gateway.yaml @@ -0,0 +1,401 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{.ServiceAccount | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + {{- if ge .KubeVersion 128 }} + # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" + {{- end }} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.istio.io/managed" "istio.io-gateway-controller" + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: "{{.UID}}" +spec: + selector: + matchLabels: + "{{.GatewayNameLabel}}": {{.Name}} + template: + metadata: + annotations: + {{- toJsonMap + (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") + (strdict "istio.io/rev" (.Revision | default "default")) + (strdict + "prometheus.io/path" "/stats/prometheus" + "prometheus.io/port" "15020" + "prometheus.io/scrape" "true" + ) | nindent 8 }} + labels: + {{- toJsonMap + (strdict + "sidecar.istio.io/inject" "false" + "service.istio.io/canonical-name" .DeploymentName + "service.istio.io/canonical-revision" "latest" + ) + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.istio.io/managed" "istio.io-gateway-controller" + ) | nindent 8 }} + spec: + securityContext: + {{- if .Values.gateways.securityContext }} + {{- toYaml .Values.gateways.securityContext | nindent 8 }} + {{- else }} + sysctls: + - name: net.ipv4.ip_unprivileged_port_start + value: "0" + {{- if .Values.gateways.seccompProfile }} + seccompProfile: + {{- toYaml .Values.gateways.seccompProfile | nindent 10 }} + {{- end }} + {{- end }} + serviceAccountName: {{.ServiceAccount | quote}} + containers: + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + {{- if .Values.global.proxy.resources }} + resources: + {{- toYaml .Values.global.proxy.resources | nindent 10 }} + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + securityContext: + capabilities: + drop: + - ALL + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsUser: {{ .ProxyUID | default "1337" }} + runAsGroup: {{ .ProxyGID | default "1337" }} + runAsNonRoot: true + ports: + - containerPort: 15020 + name: metrics + protocol: TCP + - containerPort: 15021 + name: status-port + protocol: TCP + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - router + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} + - --proxyComponentLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} + - --log_output_level + - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{- toYaml .Values.global.proxy.lifecycle | nindent 10 }} + {{- end }} + env: + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: "[]" + - name: ISTIO_META_APP_CONTAINERS + value: "" + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName .ClusterID }}" + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ .ProxyConfig.InterceptionMode.String }}" + {{- with (valueOrDefault (index .InfrastructureLabels "topology.istio.io/network") .Values.global.network) }} + - name: ISTIO_META_NETWORK + value: {{.|quote}} + {{- end }} + - name: ISTIO_META_WORKLOAD_NAME + value: {{.DeploymentName|quote}} + - name: ISTIO_META_OWNER + value: "kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}}" + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- with (index .InfrastructureLabels "topology.istio.io/network") }} + - name: ISTIO_META_REQUESTED_NETWORK_VIEW + value: {{.|quote}} + {{- end }} + startupProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 1 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + failureThreshold: 4 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 0 + periodSeconds: 15 + successThreshold: 1 + timeoutSeconds: 1 + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + - name: credential-socket + mountPath: /var/run/secrets/credential-uds + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + - name: istio-podinfo + mountPath: /etc/istio/pod + volumes: + - emptyDir: {} + name: workload-socket + - emptyDir: {} + name: credential-socket + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- else}} + - emptyDir: {} + name: workload-certs + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + {{- if eq ((.Values.pilot).env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:root-cert + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +--- +apiVersion: v1 +kind: Service +metadata: + annotations: + {{ toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: {{.UID}} +spec: + ipFamilyPolicy: PreferDualStack + ports: + {{- range $key, $val := .Ports }} + - name: {{ $val.Name | quote }} + port: {{ $val.Port }} + protocol: TCP + appProtocol: {{ $val.AppProtocol }} + {{- end }} + selector: + "{{.GatewayNameLabel}}": {{.Name}} + {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} + loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} + {{- end }} + type: {{ .ServiceType | quote }} +--- +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: "{{.UID}}" +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{.DeploymentName | quote}} + maxReplicas: 1 +--- +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: "{{.UID}}" +spec: + selector: + matchLabels: + gateway.networking.k8s.io/gateway-name: {{.Name|quote}} + diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/profile-ambient.yaml new file mode 100644 index 0000000000..2805fe46bf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/profile-ambient.yaml @@ -0,0 +1,17 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/profile-compatibility-version-1.23.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/profile-compatibility-version-1.23.yaml new file mode 100644 index 0000000000..dac910ff5b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/profile-compatibility-version-1.23.yaml @@ -0,0 +1,25 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + ENABLE_INBOUND_RETRY_POLICY: "false" + EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" + +ambient: + # Not present in <1.24, defaults to `true` in 1.25+ + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 0000000000..b211c82666 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/profile-compatibility-version-1.24.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + PILOT_ENABLE_IP_AUTOALLOCATE: "false" +ambient: + dnsCapture: false + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..eb8827cd50 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/profile-demo.yaml new file mode 100644 index 0000000000..d6dc36dd0f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/profile-demo.yaml @@ -0,0 +1,94 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The demo profile enables a variety of things to try out Istio in non-production environments. +# * Lower resource utilization. +# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. +# * More ports enabled on the ingress, which is used in some tasks. +meshConfig: + accessLogFile: /dev/stdout + extensionProviders: + - name: otel + envoyOtelAls: + service: opentelemetry-collector.observability.svc.cluster.local + port: 4317 + - name: skywalking + skywalking: + service: tracing.istio-system.svc.cluster.local + port: 11800 + - name: otel-tracing + opentelemetry: + port: 4317 + service: opentelemetry-collector.observability.svc.cluster.local + - name: jaeger + opentelemetry: + port: 4317 + service: jaeger-collector.istio-system.svc.cluster.local + +cni: + resources: + requests: + cpu: 10m + memory: 40Mi + +ztunnel: + resources: + requests: + cpu: 10m + memory: 40Mi + +global: + proxy: + resources: + requests: + cpu: 10m + memory: 40Mi + waypoint: + resources: + requests: + cpu: 10m + memory: 40Mi + +pilot: + autoscaleEnabled: false + traceSampling: 100 + resources: + requests: + cpu: 10m + memory: 100Mi + +gateways: + istio-egressgateway: + autoscaleEnabled: false + resources: + requests: + cpu: 10m + memory: 40Mi + istio-ingressgateway: + autoscaleEnabled: false + ports: + ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. + # Note that AWS ELB will by default perform health checks on the first port + # on this list. Setting this to the health check port will ensure that health + # checks always work. https://github.com/istio/istio/issues/12503 + - port: 15021 + targetPort: 15021 + name: status-port + - port: 80 + targetPort: 8080 + name: http2 + - port: 443 + targetPort: 8443 + name: https + - port: 31400 + targetPort: 31400 + name: tcp + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + resources: + requests: + cpu: 10m + memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/profile-platform-gke.yaml new file mode 100644 index 0000000000..dfe8a7d741 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/profile-platform-gke.yaml @@ -0,0 +1,10 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work + resourceQuotas: + enabled: true +resourceQuotas: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/profile-platform-k3d.yaml new file mode 100644 index 0000000000..cd86d9ec58 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/profile-platform-k3d.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/profile-platform-k3s.yaml new file mode 100644 index 0000000000..07820106d9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/profile-platform-k3s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/profile-platform-microk8s.yaml new file mode 100644 index 0000000000..57d7f5e3cd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/profile-platform-microk8s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/snap/microk8s/current/args/cni-network + cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/profile-platform-minikube.yaml new file mode 100644 index 0000000000..fa9992e204 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/profile-platform-minikube.yaml @@ -0,0 +1,6 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/profile-platform-openshift.yaml new file mode 100644 index 0000000000..8ddc5e1654 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/profile-platform-openshift.yaml @@ -0,0 +1,19 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The OpenShift profile provides a basic set of settings to run Istio on OpenShift +cni: + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + provider: "multus" +pilot: + cni: + enabled: true + provider: "multus" +seLinuxOptions: + type: spc_t +# Openshift requires privileged pods to run in kube-system +trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/profile-preview.yaml new file mode 100644 index 0000000000..181d7bda2c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/profile-preview.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +meshConfig: + defaultConfig: + proxyMetadata: + # Enable Istio agent to handle DNS requests for known hosts + # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf + ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/profile-remote.yaml new file mode 100644 index 0000000000..d17b9a801a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/profile-remote.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. +istiodRemote: + enabled: true +configMap: false +telemetry: + enabled: false +global: + # TODO BML maybe a different profile for a configcluster/revisit this + omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/profile-stable.yaml new file mode 100644 index 0000000000..358282e69b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/profile-stable.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The stable profile deploys admission control to ensure that only stable resources and fields are used +# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE +experimental: + stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/waypoint.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/waypoint.yaml new file mode 100644 index 0000000000..6a08a662ec --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/files/waypoint.yaml @@ -0,0 +1,396 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{.ServiceAccount | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + {{- if ge .KubeVersion 128 }} + # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" + {{- end }} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.istio.io/managed" "istio.io-mesh-controller" + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" +spec: + selector: + matchLabels: + "{{.GatewayNameLabel}}": "{{.Name}}" + template: + metadata: + annotations: + {{- toJsonMap + (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") + (strdict "istio.io/rev" (.Revision | default "default")) + (strdict + "prometheus.io/path" "/stats/prometheus" + "prometheus.io/port" "15020" + "prometheus.io/scrape" "true" + ) | nindent 8 }} + labels: + {{- toJsonMap + (strdict + "sidecar.istio.io/inject" "false" + "istio.io/dataplane-mode" "none" + "service.istio.io/canonical-name" .DeploymentName + "service.istio.io/canonical-revision" "latest" + ) + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.istio.io/managed" "istio.io-mesh-controller" + ) | nindent 8}} + spec: + {{- if .Values.global.waypoint.affinity }} + affinity: + {{- toYaml .Values.global.waypoint.affinity | nindent 8 }} + {{- end }} + {{- if .Values.global.waypoint.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml .Values.global.waypoint.topologySpreadConstraints | nindent 8 }} + {{- end }} + {{- if .Values.global.waypoint.nodeSelector }} + nodeSelector: + {{- toYaml .Values.global.waypoint.nodeSelector | nindent 8 }} + {{- end }} + {{- if .Values.global.waypoint.tolerations }} + tolerations: + {{- toYaml .Values.global.waypoint.tolerations | nindent 8 }} + {{- end }} + terminationGracePeriodSeconds: 2 + serviceAccountName: {{.ServiceAccount | quote}} + containers: + - name: istio-proxy + ports: + - containerPort: 15020 + name: metrics + protocol: TCP + - containerPort: 15021 + name: status-port + protocol: TCP + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + args: + - proxy + - waypoint + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --serviceCluster + - {{.ServiceAccount}}.$(POD_NAMESPACE) + - --proxyLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} + - --proxyComponentLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} + - --log_output_level + - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.outlierLogPath }} + - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }} + {{- end}} + env: + - name: ISTIO_META_SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + {{- if .ProxyConfig.ProxyMetadata }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + {{- $network := valueOrDefault (index .InfrastructureLabels `topology.istio.io/network`) .Values.global.network }} + {{- if $network }} + - name: ISTIO_META_NETWORK + value: "{{ $network }}" + {{- end }} + - name: ISTIO_META_INTERCEPTION_MODE + value: REDIRECT + - name: ISTIO_META_WORKLOAD_NAME + value: {{.DeploymentName}} + - name: ISTIO_META_OWNER + value: kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- if .Values.global.waypoint.resources }} + resources: + {{- toYaml .Values.global.waypoint.resources | nindent 10 }} + {{- end }} + startupProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 1 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + failureThreshold: 4 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 0 + periodSeconds: 15 + successThreshold: 1 + timeoutSeconds: 1 + securityContext: + privileged: false + {{- if not (eq .Values.global.platform "openshift") }} + runAsGroup: 1337 + runAsUser: 1337 + {{- end }} + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL +{{- if .Values.gateways.seccompProfile }} + seccompProfile: +{{- toYaml .Values.gateways.seccompProfile | nindent 12 }} +{{- end }} + volumeMounts: + - mountPath: /var/run/secrets/workload-spiffe-uds + name: workload-socket + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + - mountPath: /var/lib/istio/data + name: istio-data + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + - mountPath: /etc/istio/pod + name: istio-podinfo + volumes: + - emptyDir: {} + name: workload-socket + - emptyDir: + medium: Memory + name: istio-envoy + - emptyDir: + medium: Memory + name: go-proxy-envoy + - emptyDir: {} + name: istio-data + - emptyDir: {} + name: go-proxy-data + - downwardAPI: + items: + - fieldRef: + fieldPath: metadata.labels + path: labels + - fieldRef: + fieldPath: metadata.annotations + path: annotations + name: istio-podinfo + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: istio-ca + expirationSeconds: 43200 + path: istio-token + - name: istiod-ca-cert + {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:root-cert + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +--- +apiVersion: v1 +kind: Service +metadata: + annotations: + {{ toJsonMap + (strdict "networking.istio.io/traffic-distribution" "PreferClose") + (omit .InfrastructureAnnotations + "kubectl.kubernetes.io/last-applied-configuration" + "gateway.istio.io/name-override" + "gateway.istio.io/service-account" + "gateway.istio.io/controller-version" + ) | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" +spec: + ipFamilyPolicy: PreferDualStack + ports: + {{- range $key, $val := .Ports }} + - name: {{ $val.Name | quote }} + port: {{ $val.Port }} + protocol: TCP + appProtocol: {{ $val.AppProtocol }} + {{- end }} + selector: + "{{.GatewayNameLabel}}": "{{.Name}}" + {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} + loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} + {{- end }} + type: {{ .ServiceType | quote }} +--- +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: "{{.UID}}" +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{.DeploymentName | quote}} + maxReplicas: 1 +--- +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: "{{.UID}}" +spec: + selector: + matchLabels: + gateway.networking.k8s.io/gateway-name: {{.Name|quote}} + diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/NOTES.txt new file mode 100644 index 0000000000..0d07ea7f4c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/NOTES.txt @@ -0,0 +1,82 @@ +"istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}" successfully installed! + +To learn more about the release, try: + $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} + $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} + +Next steps: +{{- $profile := default "" .Values.profile }} +{{- if (eq $profile "ambient") }} + * Get started with ambient: https://istio.io/latest/docs/ops/ambient/getting-started/ + * Review ambient's architecture: https://istio.io/latest/docs/ops/ambient/architecture/ +{{- else }} + * Deploy a Gateway: https://istio.io/latest/docs/setup/additional-setup/gateway/ + * Try out our tasks to get started on common configurations: + * https://istio.io/latest/docs/tasks/traffic-management + * https://istio.io/latest/docs/tasks/security/ + * https://istio.io/latest/docs/tasks/policy-enforcement/ +{{- end }} + * Review the list of actively supported releases, CVE publications and our hardening guide: + * https://istio.io/latest/docs/releases/supported-releases/ + * https://istio.io/latest/news/security/ + * https://istio.io/latest/docs/ops/best-practices/security/ + +For further documentation see https://istio.io website + +{{- + $deps := dict + "global.outboundTrafficPolicy" "meshConfig.outboundTrafficPolicy" + "global.certificates" "meshConfig.certificates" + "global.localityLbSetting" "meshConfig.localityLbSetting" + "global.policyCheckFailOpen" "meshConfig.policyCheckFailOpen" + "global.enableTracing" "meshConfig.enableTracing" + "global.proxy.accessLogFormat" "meshConfig.accessLogFormat" + "global.proxy.accessLogFile" "meshConfig.accessLogFile" + "global.proxy.concurrency" "meshConfig.defaultConfig.concurrency" + "global.proxy.envoyAccessLogService" "meshConfig.defaultConfig.envoyAccessLogService" + "global.proxy.envoyAccessLogService.enabled" "meshConfig.enableEnvoyAccessLogService" + "global.proxy.envoyMetricsService" "meshConfig.defaultConfig.envoyMetricsService" + "global.proxy.protocolDetectionTimeout" "meshConfig.protocolDetectionTimeout" + "global.proxy.holdApplicationUntilProxyStarts" "meshConfig.defaultConfig.holdApplicationUntilProxyStarts" + "pilot.ingress" "meshConfig.ingressService, meshConfig.ingressControllerMode, and meshConfig.ingressClass" + "global.mtls.enabled" "the PeerAuthentication resource" + "global.mtls.auto" "meshConfig.enableAutoMtls" + "global.tracer.lightstep.address" "meshConfig.defaultConfig.tracing.lightstep.address" + "global.tracer.lightstep.accessToken" "meshConfig.defaultConfig.tracing.lightstep.accessToken" + "global.tracer.zipkin.address" "meshConfig.defaultConfig.tracing.zipkin.address" + "global.tracer.datadog.address" "meshConfig.defaultConfig.tracing.datadog.address" + "global.meshExpansion.enabled" "Gateway and other Istio networking resources, such as in samples/multicluster/" + "istiocoredns.enabled" "the in-proxy DNS capturing (ISTIO_META_DNS_CAPTURE)" +}} +{{- range $dep, $replace := $deps }} +{{- /* Complex logic to turn the string above into a null-safe traversal like ((.Values.global).certificates */}} +{{- $res := tpl (print "{{" (repeat (split "." $dep | len) "(") ".Values." (replace "." ")." $dep) ")}}") $}} +{{- if not (eq $res "")}} +WARNING: {{$dep|quote}} is deprecated; use {{$replace|quote}} instead. +{{- end }} +{{- end }} +{{- + $failDeps := dict + "telemetry.v2.prometheus.configOverride" + "telemetry.v2.stackdriver.configOverride" + "telemetry.v2.stackdriver.disableOutbound" + "telemetry.v2.stackdriver.outboundAccessLogging" + "global.tracer.stackdriver.debug" "meshConfig.defaultConfig.tracing.stackdriver.debug" + "global.tracer.stackdriver.maxNumberOfAttributes" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAttributes" + "global.tracer.stackdriver.maxNumberOfAnnotations" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAnnotations" + "global.tracer.stackdriver.maxNumberOfMessageEvents" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfMessageEvents" + "meshConfig.defaultConfig.tracing.stackdriver.debug" "Istio supported tracers" + "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAttributes" "Istio supported tracers" + "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAnnotations" "Istio supported tracers" + "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfMessageEvents" "Istio supported tracers" +}} +{{- range $dep, $replace := $failDeps }} +{{- /* Complex logic to turn the string above into a null-safe traversal like ((.Values.global).certificates */}} +{{- $res := tpl (print "{{" (repeat (split "." $dep | len) "(") ".Values." (replace "." ")." $dep) ")}}") $}} +{{- if not (eq $res "")}} +{{fail (print $dep " is removed")}} +{{- end }} +{{- end }} +{{- if eq $.Values.global.pilotCertProvider "kubernetes" }} +{{- fail "pilotCertProvider=kubernetes is not supported" }} +{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/_helpers.tpl new file mode 100644 index 0000000000..042c92538d --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/_helpers.tpl @@ -0,0 +1,23 @@ +{{/* Default Prometheus is enabled if its enabled and there are no config overrides set */}} +{{ define "default-prometheus" }} +{{- and + (not .Values.meshConfig.defaultProviders) + .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.prometheus.enabled +}} +{{- end }} + +{{/* SD has metrics and logging split. Default metrics are enabled if SD is enabled */}} +{{ define "default-sd-metrics" }} +{{- and + (not .Values.meshConfig.defaultProviders) + .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled +}} +{{- end }} + +{{/* SD has metrics and logging split. */}} +{{ define "default-sd-logs" }} +{{- and + (not .Values.meshConfig.defaultProviders) + .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled +}} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/autoscale.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/autoscale.yaml new file mode 100644 index 0000000000..09cd6258ce --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/autoscale.yaml @@ -0,0 +1,43 @@ +# Not created if istiod is running remotely +{{- if not .Values.istiodRemote.enabled }} +{{- if and .Values.autoscaleEnabled .Values.autoscaleMin .Values.autoscaleMax }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +spec: + maxReplicas: {{ .Values.autoscaleMax }} + minReplicas: {{ .Values.autoscaleMin }} + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + metrics: + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.cpu.targetAverageUtilization }} + {{- if .Values.memory.targetAverageUtilization }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.memory.targetAverageUtilization }} + {{- end }} + {{- if .Values.autoscaleBehavior }} + behavior: {{ toYaml .Values.autoscaleBehavior | nindent 4 }} + {{- end }} +--- +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/clusterrole.yaml new file mode 100644 index 0000000000..0fa8532a9a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/clusterrole.yaml @@ -0,0 +1,212 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} +{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +rules: + # sidecar injection controller + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update", "patch"] + + # configuration validation webhook controller + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update"] + + # istio configuration + # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382) + # please proceed with caution + - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] + verbs: ["get", "watch", "list"] + resources: ["*"] +{{- if .Values.global.istiod.enableAnalysis }} + - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] + verbs: ["update", "patch"] + resources: + - authorizationpolicies/status + - destinationrules/status + - envoyfilters/status + - gateways/status + - peerauthentications/status + - proxyconfigs/status + - requestauthentications/status + - serviceentries/status + - sidecars/status + - telemetries/status + - virtualservices/status + - wasmplugins/status + - workloadentries/status + - workloadgroups/status +{{- end }} + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "workloadentries" ] + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "workloadentries/status", "serviceentries/status" ] + - apiGroups: ["security.istio.io"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "authorizationpolicies/status" ] + - apiGroups: [""] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "services/status" ] + + # auto-detect installed CRD definitions + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch"] + + # discovery and routing + - apiGroups: [""] + resources: ["pods", "nodes", "services", "namespaces", "endpoints"] + verbs: ["get", "list", "watch"] + - apiGroups: ["discovery.k8s.io"] + resources: ["endpointslices"] + verbs: ["get", "list", "watch"] + +{{- if .Values.taint.enabled }} + - apiGroups: [""] + resources: ["nodes"] + verbs: ["patch"] +{{- end }} + + # ingress controller +{{- if .Values.global.istiod.enableAnalysis }} + - apiGroups: ["extensions", "networking.k8s.io"] + resources: ["ingresses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["extensions", "networking.k8s.io"] + resources: ["ingresses/status"] + verbs: ["*"] +{{- end}} + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses", "ingressclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses/status"] + verbs: ["*"] + + # required for CA's namespace controller + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["create", "get", "list", "watch", "update"] + + # Istiod and bootstrap. +{{- $omitCertProvidersForClusterRole := list "istiod" "custom" "none"}} +{{- if or .Values.env.EXTERNAL_CA (not (has .Values.global.pilotCertProvider $omitCertProvidersForClusterRole)) }} + - apiGroups: ["certificates.k8s.io"] + resources: + - "certificatesigningrequests" + - "certificatesigningrequests/approval" + - "certificatesigningrequests/status" + verbs: ["update", "create", "get", "delete", "watch"] + - apiGroups: ["certificates.k8s.io"] + resources: + - "signers" + resourceNames: +{{- range .Values.global.certSigners }} + - {{ . | quote }} +{{- end }} + verbs: ["approve"] +{{- end}} +{{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + - apiGroups: ["certificates.k8s.io"] + resources: ["clustertrustbundles"] + verbs: ["update", "create", "delete", "list", "watch", "get"] + - apiGroups: ["certificates.k8s.io"] + resources: ["signers"] + resourceNames: ["istio.io/istiod-ca"] + verbs: ["attest"] +{{- end }} + + # Used by Istiod to verify the JWT tokens + - apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] + + # Used by Istiod to verify gateway SDS + - apiGroups: ["authorization.k8s.io"] + resources: ["subjectaccessreviews"] + verbs: ["create"] + + # Use for Kubernetes Service APIs + - apiGroups: ["gateway.networking.k8s.io", "gateway.networking.x-k8s.io"] + resources: ["*"] + verbs: ["get", "watch", "list"] + - apiGroups: ["gateway.networking.x-k8s.io"] + resources: + - xbackendtrafficpolicies/status + verbs: ["update", "patch"] + - apiGroups: ["gateway.networking.k8s.io"] + resources: + - backendtlspolicies/status + - gatewayclasses/status + - gateways/status + - grpcroutes/status + - httproutes/status + - referencegrants/status + - tcproutes/status + - tlsroutes/status + - udproutes/status + verbs: ["update", "patch"] + - apiGroups: ["gateway.networking.k8s.io"] + resources: ["gatewayclasses"] + verbs: ["create", "update", "patch", "delete"] + - apiGroups: ["inference.networking.x-k8s.io"] + resources: ["inferencepools"] + verbs: ["get", "watch", "list"] + - apiGroups: ["inference.networking.x-k8s.io"] + resources: ["inferencepools/status"] + verbs: ["update", "patch"] + + # Needed for multicluster secret reading, possibly ingress certs in the future + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "watch", "list"] + + # Used for MCS serviceexport management + - apiGroups: ["{{ $mcsAPIGroup }}"] + resources: ["serviceexports"] + verbs: [ "get", "watch", "list", "create", "delete"] + + # Used for MCS serviceimport management + - apiGroups: ["{{ $mcsAPIGroup }}"] + resources: ["serviceimports"] + verbs: ["get", "watch", "list"] +--- +{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +rules: + - apiGroups: ["apps"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "deployments" ] + - apiGroups: ["autoscaling"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "horizontalpodautoscalers" ] + - apiGroups: ["policy"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "poddisruptionbudgets" ] + - apiGroups: [""] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "services" ] + - apiGroups: [""] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "serviceaccounts"] +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..10781b4079 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/clusterrolebinding.yaml @@ -0,0 +1,40 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} +subjects: + - kind: ServiceAccount + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} +--- +{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} +subjects: +- kind: ServiceAccount + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/configmap-jwks.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/configmap-jwks.yaml new file mode 100644 index 0000000000..3505d28229 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/configmap-jwks.yaml @@ -0,0 +1,18 @@ +# Not created if istiod is running remotely +{{- if not .Values.istiodRemote.enabled }} +{{- if .Values.jwksResolverExtraRootCA }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +data: + extra.pem: {{ .Values.jwksResolverExtraRootCA | quote }} +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/configmap-values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/configmap-values.yaml new file mode 100644 index 0000000000..75e6e0bcc6 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/configmap-values.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: values{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + annotations: + kubernetes.io/description: This ConfigMap contains the Helm values used during chart rendering. This ConfigMap is rendered for debugging purposes and external tooling; modifying these values has no effect. + labels: + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +data: + original-values: |- +{{ .Values._original | toPrettyJson | indent 4 }} +{{- $_ := unset $.Values "_original" }} + merged-values: |- +{{ .Values | toPrettyJson | indent 4 }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/configmap.yaml new file mode 100644 index 0000000000..3098d300fd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/configmap.yaml @@ -0,0 +1,106 @@ +{{- define "mesh" }} + # The trust domain corresponds to the trust root of a system. + # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain + trustDomain: "cluster.local" + + # The namespace to treat as the administrative root namespace for Istio configuration. + # When processing a leaf namespace Istio will search for declarations in that namespace first + # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace + # is processed as if it were declared in the leaf namespace. + rootNamespace: {{ .Values.meshConfig.rootNamespace | default .Values.global.istioNamespace }} + + {{ $prom := include "default-prometheus" . | eq "true" }} + {{ $sdMetrics := include "default-sd-metrics" . | eq "true" }} + {{ $sdLogs := include "default-sd-logs" . | eq "true" }} + {{- if or $prom $sdMetrics $sdLogs }} + defaultProviders: + {{- if or $prom $sdMetrics }} + metrics: + {{ if $prom }}- prometheus{{ end }} + {{ if and $sdMetrics $sdLogs }}- stackdriver{{ end }} + {{- end }} + {{- if and $sdMetrics $sdLogs }} + accessLogging: + - stackdriver + {{- end }} + {{- end }} + + defaultConfig: + {{- if .Values.global.meshID }} + meshId: "{{ .Values.global.meshID }}" + {{- end }} + {{- with (.Values.global.proxy.variant | default .Values.global.variant) }} + image: + imageType: {{. | quote}} + {{- end }} + {{- if not (eq .Values.global.proxy.tracer "none") }} + tracing: + {{- if eq .Values.global.proxy.tracer "lightstep" }} + lightstep: + # Address of the LightStep Satellite pool + address: {{ .Values.global.tracer.lightstep.address }} + # Access Token used to communicate with the Satellite pool + accessToken: {{ .Values.global.tracer.lightstep.accessToken }} + {{- else if eq .Values.global.proxy.tracer "zipkin" }} + zipkin: + # Address of the Zipkin collector + address: {{ ((.Values.global.tracer).zipkin).address | default (print "zipkin." .Values.global.istioNamespace ":9411") }} + {{- else if eq .Values.global.proxy.tracer "datadog" }} + datadog: + # Address of the Datadog Agent + address: {{ ((.Values.global.tracer).datadog).address | default "$(HOST_IP):8126" }} + {{- else if eq .Values.global.proxy.tracer "stackdriver" }} + stackdriver: + # enables trace output to stdout. + debug: {{ (($.Values.global.tracer).stackdriver).debug | default "false" }} + # The global default max number of attributes per span. + maxNumberOfAttributes: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAttributes | default "200" }} + # The global default max number of annotation events per span. + maxNumberOfAnnotations: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAnnotations | default "200" }} + # The global default max number of message events per span. + maxNumberOfMessageEvents: {{ (($.Values.global.tracer).stackdriver).maxNumberOfMessageEvents | default "200" }} + {{- end }} + {{- end }} + {{- if .Values.global.remotePilotAddress }} + discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012 + {{- else }} + discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012 + {{- end }} +{{- end }} + +{{/* We take the mesh config above, defined with individual values.yaml, and merge with .Values.meshConfig */}} +{{/* The intent here is that meshConfig.foo becomes the API, rather than re-inventing the API in values.yaml */}} +{{- $originalMesh := include "mesh" . | fromYaml }} +{{- $mesh := mergeOverwrite $originalMesh .Values.meshConfig }} + +{{- if .Values.configMap }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +data: + + # Configuration file for the mesh networks to be used by the Split Horizon EDS. + meshNetworks: |- + {{- if .Values.global.meshNetworks }} + networks: +{{ toYaml .Values.global.meshNetworks | trim | indent 6 }} + {{- else }} + networks: {} + {{- end }} + + mesh: |- +{{- if .Values.meshConfig }} +{{ $mesh | toYaml | indent 4 }} +{{- else }} +{{- include "mesh" . }} +{{- end }} +--- +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/deployment.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/deployment.yaml new file mode 100644 index 0000000000..cf82b21e96 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/deployment.yaml @@ -0,0 +1,308 @@ +# Not created if istiod is running remotely +{{- if not .Values.istiodRemote.enabled }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + istio: pilot + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +{{- range $key, $val := .Values.deploymentLabels }} + {{ $key }}: "{{ $val }}" +{{- end }} +spec: +{{- if not .Values.autoscaleEnabled }} +{{- if .Values.replicaCount }} + replicas: {{ .Values.replicaCount }} +{{- end }} +{{- end }} + strategy: + rollingUpdate: + maxSurge: {{ .Values.rollingMaxSurge }} + maxUnavailable: {{ .Values.rollingMaxUnavailable }} + selector: + matchLabels: + {{- if ne .Values.revision "" }} + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + {{- else }} + istio: pilot + {{- end }} + template: + metadata: + labels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + sidecar.istio.io/inject: "false" + operator.istio.io/component: "Pilot" + {{- if ne .Values.revision "" }} + istio: istiod + {{- else }} + istio: pilot + {{- end }} + {{- range $key, $val := .Values.podLabels }} + {{ $key }}: "{{ $val }}" + {{- end }} + istio.io/dataplane-mode: none + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 8 }} + annotations: + prometheus.io/port: "15014" + prometheus.io/scrape: "true" + sidecar.istio.io/inject: "false" + {{- if .Values.podAnnotations }} +{{ toYaml .Values.podAnnotations | indent 8 }} + {{- end }} + spec: +{{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 8 }} +{{- end }} +{{- with .Values.affinity }} + affinity: +{{- toYaml . | nindent 8 }} +{{- end }} + tolerations: + - key: cni.istio.io/not-ready + operator: "Exists" +{{- with .Values.tolerations }} +{{- toYaml . | nindent 8 }} +{{- end }} +{{- with .Values.topologySpreadConstraints }} + topologySpreadConstraints: +{{- toYaml . | nindent 8 }} +{{- end }} + serviceAccountName: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} +{{- if .Values.global.priorityClassName }} + priorityClassName: "{{ .Values.global.priorityClassName }}" +{{- end }} +{{- with .Values.initContainers }} + initContainers: + {{- tpl (toYaml .) $ | nindent 8 }} +{{- end }} + containers: + - name: discovery +{{- if contains "/" .Values.image }} + image: "{{ .Values.image }}" +{{- else }} + image: "{{ .Values.hub | default .Values.global.hub }}/{{ .Values.image | default "pilot" }}:{{ .Values.tag | default .Values.global.tag }}{{with (.Values.variant | default .Values.global.variant)}}-{{.}}{{end}}" +{{- end }} +{{- if .Values.global.imagePullPolicy }} + imagePullPolicy: {{ .Values.global.imagePullPolicy }} +{{- end }} + args: + - "discovery" + - --monitoringAddr=:15014 +{{- if .Values.global.logging.level }} + - --log_output_level={{ .Values.global.logging.level }} +{{- end}} +{{- if .Values.global.logAsJson }} + - --log_as_json +{{- end }} + - --domain + - {{ .Values.global.proxy.clusterDomain }} +{{- if .Values.taint.namespace }} + - --cniNamespace={{ .Values.taint.namespace }} +{{- end }} + - --keepaliveMaxServerConnectionAge + - "{{ .Values.keepaliveMaxServerConnectionAge }}" +{{- if .Values.extraContainerArgs }} + {{- with .Values.extraContainerArgs }} + {{- toYaml . | nindent 10 }} + {{- end }} +{{- end }} + ports: + - containerPort: 8080 + protocol: TCP + name: http-debug + - containerPort: 15010 + protocol: TCP + name: grpc-xds + - containerPort: 15012 + protocol: TCP + name: tls-xds + - containerPort: 15017 + protocol: TCP + name: https-webhooks + - containerPort: 15014 + protocol: TCP + name: http-monitoring + readinessProbe: + httpGet: + path: /ready + port: 8080 + initialDelaySeconds: 1 + periodSeconds: 3 + timeoutSeconds: 5 + env: + - name: REVISION + value: "{{ .Values.revision | default `default` }}" + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.serviceAccountName + - name: KUBECONFIG + value: /var/run/secrets/remote/config + # If you explicitly told us where ztunnel lives, use that. + # Otherwise, assume it lives in our namespace + # Also, check for an explicit ENV override (legacy approach) and prefer that + # if present + {{ $ztTrustedNS := or .Values.trustedZtunnelNamespace .Release.Namespace }} + {{ $ztTrustedName := or .Values.trustedZtunnelName "ztunnel" }} + {{- if not .Values.env.CA_TRUSTED_NODE_ACCOUNTS }} + - name: CA_TRUSTED_NODE_ACCOUNTS + value: "{{ $ztTrustedNS }}/{{ $ztTrustedName }}" + {{- end }} + {{- if .Values.env }} + {{- range $key, $val := .Values.env }} + - name: {{ $key }} + value: "{{ $val }}" + {{- end }} + {{- end }} + {{- with .Values.envVarFrom }} + {{- toYaml . | nindent 10 }} + {{- end }} +{{- if .Values.traceSampling }} + - name: PILOT_TRACE_SAMPLING + value: "{{ .Values.traceSampling }}" +{{- end }} +# If externalIstiod is set via Values.Global, then enable the pilot env variable. However, if it's set via Values.pilot.env, then +# don't set it here to avoid duplication. +# TODO (nshankar13): Move from Helm chart to code: https://github.com/istio/istio/issues/52449 +{{- if and .Values.global.externalIstiod (not (and .Values.env .Values.env.EXTERNAL_ISTIOD)) }} + - name: EXTERNAL_ISTIOD + value: "{{ .Values.global.externalIstiod }}" +{{- end }} +{{- if .Values.global.trustBundleName }} + - name: PILOT_CA_CERT_CONFIGMAP + value: "{{ .Values.global.trustBundleName }}" +{{- end }} + - name: PILOT_ENABLE_ANALYSIS + value: "{{ .Values.global.istiod.enableAnalysis }}" + - name: CLUSTER_ID + value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}" + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + divisor: "1" + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + divisor: "1" + - name: PLATFORM + value: "{{ coalesce .Values.global.platform .Values.platform }}" + resources: +{{- if .Values.resources }} +{{ toYaml .Values.resources | trim | indent 12 }} +{{- else }} +{{ toYaml .Values.global.defaultResources | trim | indent 12 }} +{{- end }} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL +{{- if .Values.seccompProfile }} + seccompProfile: +{{ toYaml .Values.seccompProfile | trim | indent 14 }} +{{- end }} + volumeMounts: + - name: istio-token + mountPath: /var/run/secrets/tokens + readOnly: true + - name: local-certs + mountPath: /var/run/secrets/istio-dns + - name: cacerts + mountPath: /etc/cacerts + readOnly: true + - name: istio-kubeconfig + mountPath: /var/run/secrets/remote + readOnly: true + {{- if .Values.jwksResolverExtraRootCA }} + - name: extracacerts + mountPath: /cacerts + {{- end }} + - name: istio-csr-dns-cert + mountPath: /var/run/secrets/istiod/tls + readOnly: true + - name: istio-csr-ca-configmap + mountPath: /var/run/secrets/istiod/ca + readOnly: true + {{- with .Values.volumeMounts }} + {{- toYaml . | nindent 10 }} + {{- end }} + volumes: + # Technically not needed on this pod - but it helps debugging/testing SDS + # Should be removed after everything works. + - emptyDir: + medium: Memory + name: local-certs + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: {{ .Values.global.sds.token.aud }} + expirationSeconds: 43200 + path: istio-token + # Optional: user-generated root + - name: cacerts + secret: + secretName: cacerts + optional: true + - name: istio-kubeconfig + secret: + secretName: istio-kubeconfig + optional: true + # Optional: istio-csr dns pilot certs + - name: istio-csr-dns-cert + secret: + secretName: istiod-tls + optional: true + - name: istio-csr-ca-configmap + {{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:root-cert + path: root-cert.pem + optional: true + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + defaultMode: 420 + optional: true + {{- end }} + {{- if .Values.jwksResolverExtraRootCA }} + - name: extracacerts + configMap: + name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- end }} + {{- with .Values.volumes }} + {{- toYaml . | nindent 6}} + {{- end }} + +--- +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/gateway-class-configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/gateway-class-configmap.yaml new file mode 100644 index 0000000000..6b23d716a4 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/gateway-class-configmap.yaml @@ -0,0 +1,20 @@ +{{ range $key, $value := .Values.gatewayClasses }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-{{ $.Values.revision | default "default" }}-gatewayclass-{{$key}} + namespace: {{ $.Release.Namespace }} + labels: + istio.io/rev: {{ $.Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + release: {{ $.Release.Name }} + app.kubernetes.io/name: "istiod" + gateway.istio.io/defaults-for-class: {{$key|quote}} + {{- include "istio.labels" $ | nindent 4 }} +data: +{{ range $kind, $overlay := $value }} + {{$kind}}: | +{{$overlay|toYaml|trim|indent 4}} +{{ end }} +--- +{{ end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/istiod-injector-configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/istiod-injector-configmap.yaml new file mode 100644 index 0000000000..171aff8861 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/istiod-injector-configmap.yaml @@ -0,0 +1,81 @@ +{{- if not .Values.global.omitSidecarInjectorConfigMap }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +data: +{{/* Scope the values to just top level fields used in the template, to reduce the size. */}} + values: |- +{{ $vals := pick .Values "global" "sidecarInjectorWebhook" "revision" -}} +{{ $pilotVals := pick .Values "cni" "env" -}} +{{ $vals = set $vals "pilot" $pilotVals -}} +{{ $gatewayVals := pick .Values.gateways "securityContext" "seccompProfile" -}} +{{ $vals = set $vals "gateways" $gatewayVals -}} +{{ $vals | toPrettyJson | indent 4 }} + + # To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching + # and istiod webhook functionality. + # + # New fields should not use Values - it is a 'primary' config object, users should be able + # to fine tune it or use it with kube-inject. + config: |- + # defaultTemplates defines the default template to use for pods that do not explicitly specify a template + {{- if .Values.sidecarInjectorWebhook.defaultTemplates }} + defaultTemplates: +{{- range .Values.sidecarInjectorWebhook.defaultTemplates}} + - {{ . }} +{{- end }} + {{- else }} + defaultTemplates: [sidecar] + {{- end }} + policy: {{ .Values.global.proxy.autoInject }} + alwaysInjectSelector: +{{ toYaml .Values.sidecarInjectorWebhook.alwaysInjectSelector | trim | indent 6 }} + neverInjectSelector: +{{ toYaml .Values.sidecarInjectorWebhook.neverInjectSelector | trim | indent 6 }} + injectedAnnotations: + {{- range $key, $val := .Values.sidecarInjectorWebhook.injectedAnnotations }} + "{{ $key }}": {{ $val | quote }} + {{- end }} + {{- /* If someone ends up with this new template, but an older Istiod image, they will attempt to render this template + which will fail with "Pod injection failed: template: inject:1: function "Istio_1_9_Required_Template_And_Version_Mismatched" not defined". + This should make it obvious that their installation is broken. + */}} + template: {{ `{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}` | quote }} + templates: +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "sidecar") }} + sidecar: | +{{ .Files.Get "files/injection-template.yaml" | trim | indent 8 }} +{{- end }} +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "gateway") }} + gateway: | +{{ .Files.Get "files/gateway-injection-template.yaml" | trim | indent 8 }} +{{- end }} +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-simple") }} + grpc-simple: | +{{ .Files.Get "files/grpc-simple.yaml" | trim | indent 8 }} +{{- end }} +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-agent") }} + grpc-agent: | +{{ .Files.Get "files/grpc-agent.yaml" | trim | indent 8 }} +{{- end }} +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "waypoint") }} + waypoint: | +{{ .Files.Get "files/waypoint.yaml" | trim | indent 8 }} +{{- end }} +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "kube-gateway") }} + kube-gateway: | +{{ .Files.Get "files/kube-gateway.yaml" | trim | indent 8 }} +{{- end }} +{{- with .Values.sidecarInjectorWebhook.templates }} +{{ toYaml . | trim | indent 6 }} +{{- end }} + +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/mutatingwebhook.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/mutatingwebhook.yaml new file mode 100644 index 0000000000..22160f70a0 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/mutatingwebhook.yaml @@ -0,0 +1,164 @@ +# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that. +{{- /* Core defines the common configuration used by all webhook segments */}} +{{/* Copy just what we need to avoid expensive deepCopy */}} +{{- $whv := dict + "revision" .Values.revision + "injectionPath" .Values.istiodRemote.injectionPath + "injectionURL" .Values.istiodRemote.injectionURL + "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy + "caBundle" .Values.istiodRemote.injectionCABundle + "namespace" .Release.Namespace }} +{{- define "core" }} +{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign +a unique prefix to each. */}} +- name: {{.Prefix}}sidecar-injector.istio.io + clientConfig: + {{- if .injectionURL }} + url: "{{ .injectionURL }}" + {{- else }} + service: + name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} + namespace: {{ .namespace }} + path: "{{ .injectionPath }}" + port: 443 + {{- end }} + {{- if .caBundle }} + caBundle: "{{ .caBundle }}" + {{- end }} + sideEffects: None + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + reinvocationPolicy: "{{ .reinvocationPolicy }}" + admissionReviewVersions: ["v1"] +{{- end }} +{{- /* Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) */}} +{{- if not .Values.global.operatorManageWebhooks }} +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: +{{- if eq .Release.Namespace "istio-system"}} + name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} +{{- else }} + name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} +{{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app: sidecar-injector + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +{{- if $.Values.sidecarInjectorWebhookAnnotations }} + annotations: +{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }} +{{- end }} +webhooks: +{{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}} + +{{- /* Case 1: namespace selector matches, and object doesn't disable */}} +{{- /* Note: if both revision and legacy selector, we give precedence to the legacy one */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + {{- if (eq .Values.revision "") }} + - "default" + {{- else }} + - "{{ .Values.revision }}" + {{- end }} + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + +{{- /* Case 2: No namespace selector, but object selects our revision (and doesn't disable) */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: DoesNotExist + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + - key: istio.io/rev + operator: In + values: + {{- if (eq .Values.revision "") }} + - "default" + {{- else }} + - "{{ .Values.revision }}" + {{- end }} + + +{{- /* Webhooks for default revision */}} +{{- if (eq .Values.revision "") }} + +{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: In + values: + - enabled + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + +{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: In + values: + - "true" + - key: istio.io/rev + operator: DoesNotExist + +{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }} +{{- /* Special case 3: no labels at all */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + - key: "kubernetes.io/metadata.name" + operator: "NotIn" + values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist +{{- end }} + +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/networkpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/networkpolicy.yaml new file mode 100644 index 0000000000..bcc1594d97 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/networkpolicy.yaml @@ -0,0 +1,45 @@ +{{- if (.Values.global.networkPolicy).enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + istio: pilot + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + policyTypes: + - Ingress + - Egress + ingress: + # Webhook from kube-apiserver + - from: [] + ports: + - protocol: TCP + port: 15017 + # xDS from potentially anywhere + - from: [] + ports: + - protocol: TCP + port: 15010 + - protocol: TCP + port: 15011 + - protocol: TCP + port: 15012 + - protocol: TCP + port: 8080 + - protocol: TCP + port: 15014 + # Allow all egress (needed because features like JWKS require connections to user-defined endpoints) + egress: + - {} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/poddisruptionbudget.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/poddisruptionbudget.yaml new file mode 100644 index 0000000000..5b8f812faa --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/poddisruptionbudget.yaml @@ -0,0 +1,39 @@ +# Not created if istiod is running remotely +{{- if not .Values.istiodRemote.enabled }} +{{- if .Values.global.defaultPodDisruptionBudget.enabled }} +# a workaround for https://github.com/kubernetes/kubernetes/issues/93476 +{{- if or (and .Values.autoscaleEnabled (gt (int .Values.autoscaleMin) 1)) (and (not .Values.autoscaleEnabled) (gt (int .Values.replicaCount) 1)) }} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + release: {{ .Release.Name }} + istio: pilot + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +spec: + {{- if and .Values.pdb.minAvailable (not (hasKey .Values.pdb "maxUnavailable")) }} + minAvailable: {{ .Values.pdb.minAvailable }} + {{- else if .Values.pdb.maxUnavailable }} + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + {{- end }} + {{- if .Values.pdb.unhealthyPodEvictionPolicy }} + unhealthyPodEvictionPolicy: {{ .Values.pdb.unhealthyPodEvictionPolicy }} + {{- end }} + selector: + matchLabels: + app: istiod + {{- if ne .Values.revision "" }} + istio.io/rev: {{ .Values.revision | quote }} + {{- else }} + istio: pilot + {{- end }} +--- +{{- end }} +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/reader-clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/reader-clusterrole.yaml new file mode 100644 index 0000000000..4707c7e9f0 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/reader-clusterrole.yaml @@ -0,0 +1,64 @@ +{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istio-reader + release: {{ .Release.Name }} + app.kubernetes.io/name: "istio-reader" + {{- include "istio.labels" . | nindent 4 }} +rules: + - apiGroups: + - "config.istio.io" + - "security.istio.io" + - "networking.istio.io" + - "authentication.istio.io" + - "rbac.istio.io" + - "telemetry.istio.io" + - "extensions.istio.io" + resources: ["*"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + # TODO(keithmattix): See if we can conditionally give permission to read secrets and configmaps iff externalIstiod + # is enabled. Best I can tell, these two resources are only needed for configuring proxy TLS (i.e. CA certs). + resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets", "configmaps"] + verbs: ["get", "list", "watch"] + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list" ] + resources: [ "workloadentries" ] + - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] + resources: ["gateways"] + verbs: ["get", "watch", "list"] + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch"] + - apiGroups: ["discovery.k8s.io"] + resources: ["endpointslices"] + verbs: ["get", "list", "watch"] + - apiGroups: ["{{ $mcsAPIGroup }}"] + resources: ["serviceexports"] + verbs: ["get", "list", "watch", "create", "delete"] + - apiGroups: ["{{ $mcsAPIGroup }}"] + resources: ["serviceimports"] + verbs: ["get", "list", "watch"] + - apiGroups: ["apps"] + resources: ["replicasets"] + verbs: ["get", "list", "watch"] + - apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] + - apiGroups: ["authorization.k8s.io"] + resources: ["subjectaccessreviews"] + verbs: ["create"] +{{- if .Values.istiodRemote.enabled }} + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["create", "get", "list", "watch", "update"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update"] +{{- end}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/reader-clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/reader-clusterrolebinding.yaml new file mode 100644 index 0000000000..aea9f01f7a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/reader-clusterrolebinding.yaml @@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istio-reader + release: {{ .Release.Name }} + app.kubernetes.io/name: "istio-reader" + {{- include "istio.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} +subjects: + - kind: ServiceAccount + name: istio-reader-service-account + namespace: {{ .Values.global.istioNamespace }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/remote-istiod-endpoints.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/remote-istiod-endpoints.yaml new file mode 100644 index 0000000000..a6de571da5 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/remote-istiod-endpoints.yaml @@ -0,0 +1,25 @@ +# This file is only used for remote `istiod` installs. +{{- if .Values.istiodRemote.enabled }} +# if the remotePilotAddress is an IP addr +{{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }} +apiVersion: v1 +kind: Endpoints +metadata: + name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +subsets: +- addresses: + - ip: {{ .Values.global.remotePilotAddress }} + ports: + - port: 15012 + name: tcp-istiod + protocol: TCP + - port: 15017 + name: tcp-webhook + protocol: TCP +--- +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/remote-istiod-service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/remote-istiod-service.yaml new file mode 100644 index 0000000000..d3f872f74b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/remote-istiod-service.yaml @@ -0,0 +1,35 @@ +# This file is only used for remote `istiod` installs. +{{- if .Values.global.remotePilotAddress }} +apiVersion: v1 +kind: Service +metadata: + name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: "istiod" + {{ include "istio.labels" . | nindent 4 }} +spec: + ports: + - port: 15012 + name: tcp-istiod + protocol: TCP + - port: 443 + targetPort: 15017 + name: tcp-webhook + protocol: TCP + {{- if and .Values.global.remotePilotAddress (not (regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress)) }} + # if the remotePilotAddress is not an IP addr, we use ExternalName + type: ExternalName + externalName: {{ .Values.global.remotePilotAddress }} + {{- end }} +{{- if .Values.global.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.global.ipFamilyPolicy }} +{{- end }} +{{- if .Values.global.ipFamilies }} + ipFamilies: +{{- range .Values.global.ipFamilies }} + - {{ . }} +{{- end }} +{{- end }} +--- +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/revision-tags.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/revision-tags.yaml new file mode 100644 index 0000000000..e45b5e1d49 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/revision-tags.yaml @@ -0,0 +1,148 @@ +# Adapted from istio-discovery/templates/mutatingwebhook.yaml +# Removed paths for legacy and default selectors since a revision tag +# is inherently created from a specific revision +# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that. +{{- $whv := dict + "revision" .Values.revision + "injectionPath" .Values.istiodRemote.injectionPath + "injectionURL" .Values.istiodRemote.injectionURL + "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy + "namespace" .Release.Namespace }} +{{- define "core" }} +{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign +a unique prefix to each. */}} +- name: {{.Prefix}}sidecar-injector.istio.io + clientConfig: + {{- if .injectionURL }} + url: "{{ .injectionURL }}" + {{- else }} + service: + name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} + namespace: {{ .namespace }} + path: "{{ .injectionPath }}" + port: 443 + {{- end }} + sideEffects: None + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + reinvocationPolicy: "{{ .reinvocationPolicy }}" + admissionReviewVersions: ["v1"] +{{- end }} +{{- range $tagName := $.Values.revisionTags }} +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: +{{- if eq $.Release.Namespace "istio-system"}} + name: istio-revision-tag-{{ $tagName }} +{{- else }} + name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }} +{{- end }} + labels: + istio.io/tag: {{ $tagName }} + istio.io/rev: {{ $.Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app: sidecar-injector + release: {{ $.Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" $ | nindent 4 }} +{{- if $.Values.sidecarInjectorWebhookAnnotations }} + annotations: +{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }} +{{- end }} +webhooks: +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + - "{{ $tagName }}" + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: DoesNotExist + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + - key: istio.io/rev + operator: In + values: + - "{{ $tagName }}" + +{{- /* When the tag is "default" we want to create webhooks for the default revision */}} +{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}} +{{- if (eq $tagName "default") }} + +{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: In + values: + - enabled + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + +{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: In + values: + - "true" + - key: istio.io/rev + operator: DoesNotExist + +{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }} +{{- /* Special case 3: no labels at all */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + - key: "kubernetes.io/metadata.name" + operator: "NotIn" + values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist +{{- end }} + +{{- end }} +--- +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/role.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/role.yaml new file mode 100644 index 0000000000..10d89e8d1b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/role.yaml @@ -0,0 +1,35 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +rules: +# permissions to verify the webhook is ready and rejecting +# invalid config. We use --server-dry-run so no config is persisted. +- apiGroups: ["networking.istio.io"] + verbs: ["create"] + resources: ["gateways"] + +# For storing CA secret +- apiGroups: [""] + resources: ["secrets"] + # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config + verbs: ["create", "get", "watch", "list", "update", "delete"] + +# For status controller, so it can delete the distribution report configmap +- apiGroups: [""] + resources: ["configmaps"] + verbs: ["delete"] + +# For gateway deployment controller +- apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "update", "patch", "create"] +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/rolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/rolebinding.yaml new file mode 100644 index 0000000000..a42f4ec442 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/rolebinding.yaml @@ -0,0 +1,21 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} +subjects: + - kind: ServiceAccount + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/service.yaml new file mode 100644 index 0000000000..30d5b89128 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/service.yaml @@ -0,0 +1,54 @@ +# Not created if istiod is running remotely +{{- if not .Values.istiodRemote.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + {{- if .Values.serviceAnnotations }} + annotations: +{{ toYaml .Values.serviceAnnotations | indent 4 }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app: istiod + istio: pilot + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +spec: + ports: + - port: 15010 + name: grpc-xds # plaintext + protocol: TCP + - port: 15012 + name: https-dns # mTLS with k8s-signed cert + protocol: TCP + - port: 443 + name: https-webhook # validation and injection + targetPort: 15017 + protocol: TCP + - port: 15014 + name: http-monitoring # prometheus stats + protocol: TCP + selector: + app: istiod + {{- if ne .Values.revision "" }} + istio.io/rev: {{ .Values.revision | quote }} + {{- else }} + # Label used by the 'default' service. For versioned deployments we match with app and version. + # This avoids default deployment picking the canary + istio: pilot + {{- end }} + {{- if .Values.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.ipFamilyPolicy }} + {{- end }} + {{- if .Values.ipFamilies }} + ipFamilies: + {{- range .Values.ipFamilies }} + - {{ . }} + {{- end }} + {{- end }} +--- +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/serviceaccount.yaml new file mode 100644 index 0000000000..a673a4d078 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/serviceaccount.yaml @@ -0,0 +1,24 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} +apiVersion: v1 +kind: ServiceAccount + {{- if .Values.global.imagePullSecrets }} +imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} + {{- if .Values.serviceAccountAnnotations }} + annotations: +{{- toYaml .Values.serviceAccountAnnotations | nindent 4 }} + {{- end }} +{{- end }} +--- diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/validatingadmissionpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/validatingadmissionpolicy.yaml new file mode 100644 index 0000000000..d36eef68eb --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/validatingadmissionpolicy.yaml @@ -0,0 +1,63 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} +{{- if .Values.experimental.stableValidationPolicy }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicy +metadata: + name: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" + labels: + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +spec: + failurePolicy: Fail + matchConstraints: + resourceRules: + - apiGroups: + - security.istio.io + - networking.istio.io + - telemetry.istio.io + - extensions.istio.io + apiVersions: ["*"] + operations: ["CREATE", "UPDATE"] + resources: ["*"] + objectSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + {{- if (eq .Values.revision "") }} + - "default" + {{- else }} + - "{{ .Values.revision }}" + {{- end }} + variables: + - name: isEnvoyFilter + expression: "object.kind == 'EnvoyFilter'" + - name: isWasmPlugin + expression: "object.kind == 'WasmPlugin'" + - name: isProxyConfig + expression: "object.kind == 'ProxyConfig'" + - name: isTelemetry + expression: "object.kind == 'Telemetry'" + validations: + - expression: "!variables.isEnvoyFilter" + - expression: "!variables.isWasmPlugin" + - expression: "!variables.isProxyConfig" + - expression: | + !( + variables.isTelemetry && ( + (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) || + (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) || + (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter)) + ) + ) +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicyBinding +metadata: + name: "stable-channel-policy-binding{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" +spec: + policyName: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" + validationActions: [Deny] +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/validatingwebhookconfiguration.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/validatingwebhookconfiguration.yaml new file mode 100644 index 0000000000..fb28836a0f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/validatingwebhookconfiguration.yaml @@ -0,0 +1,68 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} +{{- if .Values.global.configValidation }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: istio-validator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} + istio: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +webhooks: + # Webhook handling per-revision validation. Mostly here so we can determine whether webhooks + # are rejecting invalid configs on a per-revision basis. + - name: rev.validation.istio.io + clientConfig: + # Should change from base but cannot for API compat + {{- if .Values.base.validationURL }} + url: {{ .Values.base.validationURL }} + {{- else }} + service: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} + path: "/validate" + {{- end }} + {{- if .Values.base.validationCABundle }} + caBundle: "{{ .Values.base.validationCABundle }}" + {{- end }} + rules: + - operations: + - CREATE + - UPDATE + apiGroups: + - security.istio.io + - networking.istio.io + - telemetry.istio.io + - extensions.istio.io + apiVersions: + - "*" + resources: + - "*" + {{- if .Values.base.validationCABundle }} + # Disable webhook controller in Pilot to stop patching it + failurePolicy: Fail + {{- else }} + # Fail open until the validation webhook is ready. The webhook controller + # will update this to `Fail` and patch in the `caBundle` when the webhook + # endpoint is ready. + failurePolicy: Ignore + {{- end }} + sideEffects: None + admissionReviewVersions: ["v1"] + objectSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + {{- if (eq .Values.revision "") }} + - "default" + {{- else }} + - "{{ .Values.revision }}" + {{- end }} +--- +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/zzy_descope_legacy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/zzy_descope_legacy.yaml new file mode 100644 index 0000000000..ae8fced298 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/zzy_descope_legacy.yaml @@ -0,0 +1,3 @@ +{{/* Copy anything under `.pilot` to `.`, to avoid the need to specify a redundant prefix. +Due to the file naming, this always happens after zzz_profile.yaml */}} +{{- $_ := mustMergeOverwrite $.Values (index $.Values "pilot") }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/zzz_profile.yaml new file mode 100644 index 0000000000..3d84956485 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/templates/zzz_profile.yaml @@ -0,0 +1,75 @@ +{{/* +WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. +The original version of this file is located at /manifests directory. +If you want to make a change in this file, edit the original one and run "make gen". + +Complex logic ahead... +We have three sets of values, in order of precedence (last wins): +1. The builtin values.yaml defaults +2. The profile the user selects +3. Users input (-f or --set) + +Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). + +However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). +We can then merge the profile onto the defaults, then the user settings onto that. +Finally, we can set all of that under .Values so the chart behaves without awareness. +*/}} +{{- if $.Values.defaults}} +{{ fail (cat + "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" + ($.Values.defaults | toYaml |nindent 4) +) }} +{{- end }} +{{- $defaults := $.Values._internal_defaults_do_not_set }} +{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} +{{- $profile := dict }} +{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} +{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} +{{- $profile = (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown profile" .) }} +{{- end }} +{{- end }} +{{- with .Values.compatibilityVersion }} +{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} +{{- end }} +{{- end }} +{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} +{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown platform" .) }} +{{- end }} +{{- end }} +{{- if $profile }} +{{- $a := mustMergeOverwrite $defaults $profile }} +{{- end }} +# Flatten globals, if defined on a per-chart basis +{{- if false }} +{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} +{{- end }} +{{- $x := set $.Values "_original" (deepCopy $.Values) }} +{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} + +{{/* +Labels that should be applied to ALL resources. +*/}} +{{- define "istio.labels" -}} +{{- if .Release.Service -}} +app.kubernetes.io/managed-by: {{ .Release.Service | quote }} +{{- end }} +{{- if .Release.Name }} +app.kubernetes.io/instance: {{ .Release.Name | quote }} +{{- end }} +app.kubernetes.io/part-of: "istio" +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +{{- if and .Chart.Name .Chart.Version }} +helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/values.yaml new file mode 100644 index 0000000000..b0146dc644 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/istiod/values.yaml @@ -0,0 +1,567 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + autoscaleEnabled: true + autoscaleMin: 1 + autoscaleMax: 5 + autoscaleBehavior: {} + replicaCount: 1 + rollingMaxSurge: 100% + rollingMaxUnavailable: 25% + + hub: "" + tag: "" + variant: "" + + # Can be a full hub/image:tag + image: pilot + traceSampling: 1.0 + + # Resources for a small pilot install + resources: + requests: + cpu: 500m + memory: 2048Mi + + # Set to `type: RuntimeDefault` to use the default profile if available. + seccompProfile: {} + + # Whether to use an existing CNI installation + cni: + enabled: false + provider: default + + # Additional container arguments + extraContainerArgs: [] + + env: {} + + envVarFrom: [] + + # Settings related to the untaint controller + # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready + # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes + taint: + # Controls whether or not the untaint controller is active + enabled: false + # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod + namespace: "" + + affinity: {} + + tolerations: [] + + cpu: + targetAverageUtilization: 80 + memory: {} + # targetAverageUtilization: 80 + + # Additional volumeMounts to the istiod container + volumeMounts: [] + + # Additional volumes to the istiod pod + volumes: [] + + # Inject initContainers into the istiod pod + initContainers: [] + + nodeSelector: {} + podAnnotations: {} + serviceAnnotations: {} + serviceAccountAnnotations: {} + sidecarInjectorWebhookAnnotations: {} + + topologySpreadConstraints: [] + + # You can use jwksResolverExtraRootCA to provide a root certificate + # in PEM format. This will then be trusted by pilot when resolving + # JWKS URIs. + jwksResolverExtraRootCA: "" + + # The following is used to limit how long a sidecar can be connected + # to a pilot. It balances out load across pilot instances at the cost of + # increasing system churn. + keepaliveMaxServerConnectionAge: 30m + + # Additional labels to apply to the deployment. + deploymentLabels: {} + + ## Mesh config settings + + # Install the mesh config map, generated from values.yaml. + # If false, pilot wil use default values (by default) or user-supplied values. + configMap: true + + # Additional labels to apply on the pod level for monitoring and logging configuration. + podLabels: {} + + # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + ipFamilyPolicy: "" + ipFamilies: [] + + # Ambient mode only. + # Set this if you install ztunnel to a different namespace from `istiod`. + # If set, `istiod` will allow connections from trusted node proxy ztunnels + # in the provided namespace. + # If unset, `istiod` will assume the trusted node proxy ztunnel resides + # in the same namespace as itself. + trustedZtunnelNamespace: "" + # Set this if you install ztunnel with a name different from the default. + trustedZtunnelName: "" + + sidecarInjectorWebhook: + # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or + # always skip the injection on pods that match that label selector, regardless of the global policy. + # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions + neverInjectSelector: [] + alwaysInjectSelector: [] + + # injectedAnnotations are additional annotations that will be added to the pod spec after injection + # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations: + # + # annotations: + # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default + # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default + # + # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before + # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify: + # injectedAnnotations: + # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default + # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default + injectedAnnotations: {} + + # This enables injection of sidecar in all namespaces, + # with the exception of namespaces with "istio-injection:disabled" annotation + # Only one environment should have this enabled. + enableNamespacesByDefault: false + + # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run + # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten. + # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur. + reinvocationPolicy: Never + + rewriteAppHTTPProbe: true + + # Templates defines a set of custom injection templates that can be used. For example, defining: + # + # templates: + # hello: | + # metadata: + # labels: + # hello: world + # + # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod + # being injected with the hello=world labels. + # This is intended for advanced configuration only; most users should use the built in template + templates: {} + + # Default templates specifies a set of default templates that are used in sidecar injection. + # By default, a template `sidecar` is always provided, which contains the template of default sidecar. + # To inject other additional templates, define it using the `templates` option, and add it to + # the default templates list. + # For example: + # + # templates: + # hello: | + # metadata: + # labels: + # hello: world + # + # defaultTemplates: ["sidecar", "hello"] + defaultTemplates: [] + istiodRemote: + # If `true`, indicates that this cluster/install should consume a "remote istiod" installation, + # and istiod itself will NOT be installed in this cluster - only the support resources necessary + # to utilize a remote instance. + enabled: false + # Sidecar injector mutating webhook configuration clientConfig.url value. + # For example: https://$remotePilotAddress:15017/inject + # The host should not refer to a service running in the cluster; use a service reference by specifying + # the clientConfig.service field instead. + injectionURL: "" + + # Sidecar injector mutating webhook configuration path value for the clientConfig.service field. + # Override to pass env variables, for example: /inject/cluster/remote/net/network2 + injectionPath: "/inject" + + injectionCABundle: "" + telemetry: + enabled: true + v2: + # For Null VM case now. + # This also enables metadata exchange. + enabled: true + # Indicate if prometheus stats filter is enabled or not + prometheus: + enabled: true + # stackdriver filter settings. + stackdriver: + enabled: false + # Revision is set as 'version' label and part of the resource names when installing multiple control planes. + revision: "" + + # Revision tags are aliases to Istio control plane revisions + revisionTags: [] + + # For Helm compatibility. + ownerName: "" + + # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior + # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options + meshConfig: + enablePrometheusMerge: true + + experimental: + stableValidationPolicy: false + + global: + # Used to locate istiod. + istioNamespace: istio-system + # List of cert-signers to allow "approve" action in the istio cluster role + # + # certSigners: + # - clusterissuers.cert-manager.io/istio-ca + certSigners: [] + # enable pod disruption budget for the control plane, which is used to + # ensure Istio control plane components are gradually upgraded or recovered. + defaultPodDisruptionBudget: + enabled: true + # The values aren't mutable due to a current PodDisruptionBudget limitation + # minAvailable: 1 + + # A minimal set of requested resources to applied to all deployments so that + # Horizontal Pod Autoscaler will be able to function (if set). + # Each component can overwrite these default values by adding its own resources + # block in the relevant section below and setting the desired resources values. + defaultResources: + requests: + cpu: 10m + # memory: 128Mi + # limits: + # cpu: 100m + # memory: 128Mi + + # Default hub for Istio images. + # Releases are published to docker hub under 'istio' project. + # Dev builds from prow are on gcr.io + hub: gcr.io/istio-release + # Default tag for Istio images. + tag: 1.26.6 + # Variant of the image to use. + # Currently supported are: [debug, distroless] + variant: "" + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent. + imagePullPolicy: "" + + # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) + # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + # - private-registry-key + + # Enabled by default in master for maximising testing. + istiod: + enableAnalysis: false + + # To output all istio components logs in json format by adding --log_as_json argument to each container argument + logAsJson: false + + # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: + # The control plane has different scopes depending on component, but can configure default log level across all components + # If empty, default scope and level will be used as configured in code + logging: + level: "default:info" + + # When enabled, default NetworkPolicy resources will be created + networkPolicy: + enabled: false + + omitSidecarInjectorConfigMap: false + + # Configure whether Operator manages webhook configurations. The current behavior + # of Istiod is to manage its own webhook configurations. + # When this option is set as true, Istio Operator, instead of webhooks, manages the + # webhook configurations. When this option is set as false, webhooks manage their + # own webhook configurations. + operatorManageWebhooks: false + + # Custom DNS config for the pod to resolve names of services in other + # clusters. Use this to add additional search domains, and other settings. + # see + # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config + # This does not apply to gateway pods as they typically need a different + # set of DNS settings than the normal application pods (e.g., in + # multicluster scenarios). + # NOTE: If using templates, follow the pattern in the commented example below. + #podDNSSearchNamespaces: + #- global + #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global" + + # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and + # system-node-critical, it is better to configure this in order to make sure your Istio pods + # will not be killed because of low priority class. + # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + # for more detail. + priorityClassName: "" + + proxy: + image: proxyv2 + + # This controls the 'policy' in the sidecar injector. + autoInject: enabled + + # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value + # cluster domain. Default value is "cluster.local". + clusterDomain: "cluster.local" + + # Per Component log level for proxy, applies to gateways and sidecars. If a component level is + # not set, then the global "logLevel" will be used. + componentLogLevel: "misc:error" + + # istio ingress capture allowlist + # examples: + # Redirect only selected ports: --includeInboundPorts="80,8080" + excludeInboundPorts: "" + includeInboundPorts: "*" + + # istio egress capture allowlist + # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly + # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" + # would only capture egress traffic on those two IP Ranges, all other outbound traffic would + # be allowed by the sidecar + includeIPRanges: "*" + excludeIPRanges: "" + includeOutboundPorts: "" + excludeOutboundPorts: "" + + # Log level for proxy, applies to gateways and sidecars. + # Expected values are: trace|debug|info|warning|error|critical|off + logLevel: warning + + # Specify the path to the outlier event log. + # Example: /dev/stdout + outlierLogPath: "" + + #If set to true, istio-proxy container will have privileged securityContext + privileged: false + + # The number of successive failed probes before indicating readiness failure. + readinessFailureThreshold: 4 + + # The initial delay for readiness probes in seconds. + readinessInitialDelaySeconds: 0 + + # The period between readiness probes. + readinessPeriodSeconds: 15 + + # Enables or disables a startup probe. + # For optimal startup times, changing this should be tied to the readiness probe values. + # + # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4. + # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval), + # and doesn't spam the readiness endpoint too much + # + # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30. + # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly. + startupProbe: + enabled: true + failureThreshold: 600 # 10 minutes + + # Resources for the sidecar. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 1024Mi + + # Default port for Pilot agent health checks. A value of 0 will disable health checking. + statusPort: 15020 + + # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none. + # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. + tracer: "none" + + proxy_init: + # Base name for the proxy_init container, used to configure iptables. + image: proxyv2 + # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures. + # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases. + forceApplyIptables: false + + # configure remote pilot and istiod service and endpoint + remotePilotAddress: "" + + ############################################################################################## + # The following values are found in other charts. To effectively modify these values, make # + # make sure they are consistent across your Istio helm charts # + ############################################################################################## + + # The customized CA address to retrieve certificates for the pods in the cluster. + # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. + # If not set explicitly, default to the Istio discovery address. + caAddress: "" + + # Enable control of remote clusters. + externalIstiod: false + + # Configure a remote cluster as the config cluster for an external istiod. + configCluster: false + + # configValidation enables the validation webhook for Istio configuration. + configValidation: true + + # Mesh ID means Mesh Identifier. It should be unique within the scope where + # meshes will interact with each other, but it is not required to be + # globally/universally unique. For example, if any of the following are true, + # then two meshes must have different Mesh IDs: + # - Meshes will have their telemetry aggregated in one place + # - Meshes will be federated together + # - Policy will be written referencing one mesh from the other + # + # If an administrator expects that any of these conditions may become true in + # the future, they should ensure their meshes have different Mesh IDs + # assigned. + # + # Within a multicluster mesh, each cluster must be (manually or auto) + # configured to have the same Mesh ID value. If an existing cluster 'joins' a + # multicluster mesh, it will need to be migrated to the new mesh ID. Details + # of migration TBD, and it may be a disruptive operation to change the Mesh + # ID post-install. + # + # If the mesh admin does not specify a value, Istio will use the value of the + # mesh's Trust Domain. The best practice is to select a proper Trust Domain + # value. + meshID: "" + + # Configure the mesh networks to be used by the Split Horizon EDS. + # + # The following example defines two networks with different endpoints association methods. + # For `network1` all endpoints that their IP belongs to the provided CIDR range will be + # mapped to network1. The gateway for this network example is specified by its public IP + # address and port. + # The second network, `network2`, in this example is defined differently with all endpoints + # retrieved through the specified Multi-Cluster registry being mapped to network2. The + # gateway is also defined differently with the name of the gateway service on the remote + # cluster. The public IP for the gateway will be determined from that remote service (only + # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, + # it still need to be configured manually). + # + # meshNetworks: + # network1: + # endpoints: + # - fromCidr: "192.168.0.1/24" + # gateways: + # - address: 1.1.1.1 + # port: 80 + # network2: + # endpoints: + # - fromRegistry: reg1 + # gateways: + # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local + # port: 443 + # + meshNetworks: {} + + # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. + mountMtlsCerts: false + + multiCluster: + # Set to true to connect two kubernetes clusters via their respective + # ingressgateway services when pods in each cluster cannot directly + # talk to one another. All clusters should be using Istio mTLS and must + # have a shared root CA for this model to work. + enabled: false + # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection + # to properly label proxies + clusterName: "" + + # Network defines the network this cluster belong to. This name + # corresponds to the networks in the map of mesh networks. + network: "" + + # Configure the certificate provider for control plane communication. + # Currently, two providers are supported: "kubernetes" and "istiod". + # As some platforms may not have kubernetes signing APIs, + # Istiod is the default + pilotCertProvider: istiod + + sds: + # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. + # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the + # JWT is intended for the CA. + token: + aud: istio-ca + + sts: + # The service port used by Security Token Service (STS) server to handle token exchange requests. + # Setting this port to a non-zero value enables STS server. + servicePort: 0 + + # The name of the CA for workload certificates. + # For example, when caName=GkeWorkloadCertificate, GKE workload certificates + # will be used as the certificates for workloads. + # The default value is "" and when caName="", the CA will be configured by other + # mechanisms (e.g., environmental variable CA_PROVIDER). + caName: "" + + waypoint: + # Resources for the waypoint proxy. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: "2" + memory: 1Gi + + # If specified, affinity defines the scheduling constraints of waypoint pods. + affinity: {} + + # Topology Spread Constraints for the waypoint proxy. + topologySpreadConstraints: [] + + # Node labels for the waypoint proxy. + nodeSelector: {} + + # Tolerations for the waypoint proxy. + tolerations: [] + + base: + # For istioctl usage to disable istio config crds in base + enableIstioConfigCRDs: true + + # Gateway Settings + gateways: + # Define the security context for the pod. + # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. + # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. + securityContext: {} + + # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it + seccompProfile: {} + + # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass. + # For example: + # gatewayClasses: + # istio: + # service: + # spec: + # type: ClusterIP + # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field. + gatewayClasses: {} + + pdb: + # -- Minimum available pods set in PodDisruptionBudget. + # Define either 'minAvailable' or 'maxUnavailable', never both. + minAvailable: 1 + # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored. + # maxUnavailable: 1 + # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget. + # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/ + unhealthyPodEvictionPolicy: "" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/Chart.yaml new file mode 100644 index 0000000000..518159271e --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/Chart.yaml @@ -0,0 +1,8 @@ +apiVersion: v2 +appVersion: 1.26.6 +description: Helm chart for istio revision tags +name: revisiontags +sources: +- https://github.com/istio-ecosystem/sail-operator +version: 0.1.0 + diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/files/profile-ambient.yaml new file mode 100644 index 0000000000..2805fe46bf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/files/profile-ambient.yaml @@ -0,0 +1,17 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/files/profile-compatibility-version-1.23.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/files/profile-compatibility-version-1.23.yaml new file mode 100644 index 0000000000..dac910ff5b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/files/profile-compatibility-version-1.23.yaml @@ -0,0 +1,25 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + ENABLE_INBOUND_RETRY_POLICY: "false" + EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" + +ambient: + # Not present in <1.24, defaults to `true` in 1.25+ + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 0000000000..b211c82666 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/files/profile-compatibility-version-1.24.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + PILOT_ENABLE_IP_AUTOALLOCATE: "false" +ambient: + dnsCapture: false + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..eb8827cd50 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/files/profile-demo.yaml new file mode 100644 index 0000000000..d6dc36dd0f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/files/profile-demo.yaml @@ -0,0 +1,94 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The demo profile enables a variety of things to try out Istio in non-production environments. +# * Lower resource utilization. +# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. +# * More ports enabled on the ingress, which is used in some tasks. +meshConfig: + accessLogFile: /dev/stdout + extensionProviders: + - name: otel + envoyOtelAls: + service: opentelemetry-collector.observability.svc.cluster.local + port: 4317 + - name: skywalking + skywalking: + service: tracing.istio-system.svc.cluster.local + port: 11800 + - name: otel-tracing + opentelemetry: + port: 4317 + service: opentelemetry-collector.observability.svc.cluster.local + - name: jaeger + opentelemetry: + port: 4317 + service: jaeger-collector.istio-system.svc.cluster.local + +cni: + resources: + requests: + cpu: 10m + memory: 40Mi + +ztunnel: + resources: + requests: + cpu: 10m + memory: 40Mi + +global: + proxy: + resources: + requests: + cpu: 10m + memory: 40Mi + waypoint: + resources: + requests: + cpu: 10m + memory: 40Mi + +pilot: + autoscaleEnabled: false + traceSampling: 100 + resources: + requests: + cpu: 10m + memory: 100Mi + +gateways: + istio-egressgateway: + autoscaleEnabled: false + resources: + requests: + cpu: 10m + memory: 40Mi + istio-ingressgateway: + autoscaleEnabled: false + ports: + ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. + # Note that AWS ELB will by default perform health checks on the first port + # on this list. Setting this to the health check port will ensure that health + # checks always work. https://github.com/istio/istio/issues/12503 + - port: 15021 + targetPort: 15021 + name: status-port + - port: 80 + targetPort: 8080 + name: http2 + - port: 443 + targetPort: 8443 + name: https + - port: 31400 + targetPort: 31400 + name: tcp + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + resources: + requests: + cpu: 10m + memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/files/profile-platform-gke.yaml new file mode 100644 index 0000000000..dfe8a7d741 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/files/profile-platform-gke.yaml @@ -0,0 +1,10 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work + resourceQuotas: + enabled: true +resourceQuotas: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/files/profile-platform-k3d.yaml new file mode 100644 index 0000000000..cd86d9ec58 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/files/profile-platform-k3d.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/files/profile-platform-k3s.yaml new file mode 100644 index 0000000000..07820106d9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/files/profile-platform-k3s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/files/profile-platform-microk8s.yaml new file mode 100644 index 0000000000..57d7f5e3cd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/files/profile-platform-microk8s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/snap/microk8s/current/args/cni-network + cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/files/profile-platform-minikube.yaml new file mode 100644 index 0000000000..fa9992e204 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/files/profile-platform-minikube.yaml @@ -0,0 +1,6 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/files/profile-platform-openshift.yaml new file mode 100644 index 0000000000..8ddc5e1654 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/files/profile-platform-openshift.yaml @@ -0,0 +1,19 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The OpenShift profile provides a basic set of settings to run Istio on OpenShift +cni: + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + provider: "multus" +pilot: + cni: + enabled: true + provider: "multus" +seLinuxOptions: + type: spc_t +# Openshift requires privileged pods to run in kube-system +trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/files/profile-preview.yaml new file mode 100644 index 0000000000..181d7bda2c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/files/profile-preview.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +meshConfig: + defaultConfig: + proxyMetadata: + # Enable Istio agent to handle DNS requests for known hosts + # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf + ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/files/profile-remote.yaml new file mode 100644 index 0000000000..d17b9a801a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/files/profile-remote.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. +istiodRemote: + enabled: true +configMap: false +telemetry: + enabled: false +global: + # TODO BML maybe a different profile for a configcluster/revisit this + omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/files/profile-stable.yaml new file mode 100644 index 0000000000..358282e69b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/files/profile-stable.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The stable profile deploys admission control to ensure that only stable resources and fields are used +# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE +experimental: + stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/templates/revision-tags.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/templates/revision-tags.yaml new file mode 100644 index 0000000000..e45b5e1d49 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/templates/revision-tags.yaml @@ -0,0 +1,148 @@ +# Adapted from istio-discovery/templates/mutatingwebhook.yaml +# Removed paths for legacy and default selectors since a revision tag +# is inherently created from a specific revision +# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that. +{{- $whv := dict + "revision" .Values.revision + "injectionPath" .Values.istiodRemote.injectionPath + "injectionURL" .Values.istiodRemote.injectionURL + "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy + "namespace" .Release.Namespace }} +{{- define "core" }} +{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign +a unique prefix to each. */}} +- name: {{.Prefix}}sidecar-injector.istio.io + clientConfig: + {{- if .injectionURL }} + url: "{{ .injectionURL }}" + {{- else }} + service: + name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} + namespace: {{ .namespace }} + path: "{{ .injectionPath }}" + port: 443 + {{- end }} + sideEffects: None + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + reinvocationPolicy: "{{ .reinvocationPolicy }}" + admissionReviewVersions: ["v1"] +{{- end }} +{{- range $tagName := $.Values.revisionTags }} +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: +{{- if eq $.Release.Namespace "istio-system"}} + name: istio-revision-tag-{{ $tagName }} +{{- else }} + name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }} +{{- end }} + labels: + istio.io/tag: {{ $tagName }} + istio.io/rev: {{ $.Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app: sidecar-injector + release: {{ $.Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" $ | nindent 4 }} +{{- if $.Values.sidecarInjectorWebhookAnnotations }} + annotations: +{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }} +{{- end }} +webhooks: +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + - "{{ $tagName }}" + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: DoesNotExist + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + - key: istio.io/rev + operator: In + values: + - "{{ $tagName }}" + +{{- /* When the tag is "default" we want to create webhooks for the default revision */}} +{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}} +{{- if (eq $tagName "default") }} + +{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: In + values: + - enabled + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + +{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: In + values: + - "true" + - key: istio.io/rev + operator: DoesNotExist + +{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }} +{{- /* Special case 3: no labels at all */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + - key: "kubernetes.io/metadata.name" + operator: "NotIn" + values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist +{{- end }} + +{{- end }} +--- +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/templates/zzz_profile.yaml new file mode 100644 index 0000000000..3d84956485 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/templates/zzz_profile.yaml @@ -0,0 +1,75 @@ +{{/* +WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. +The original version of this file is located at /manifests directory. +If you want to make a change in this file, edit the original one and run "make gen". + +Complex logic ahead... +We have three sets of values, in order of precedence (last wins): +1. The builtin values.yaml defaults +2. The profile the user selects +3. Users input (-f or --set) + +Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). + +However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). +We can then merge the profile onto the defaults, then the user settings onto that. +Finally, we can set all of that under .Values so the chart behaves without awareness. +*/}} +{{- if $.Values.defaults}} +{{ fail (cat + "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" + ($.Values.defaults | toYaml |nindent 4) +) }} +{{- end }} +{{- $defaults := $.Values._internal_defaults_do_not_set }} +{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} +{{- $profile := dict }} +{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} +{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} +{{- $profile = (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown profile" .) }} +{{- end }} +{{- end }} +{{- with .Values.compatibilityVersion }} +{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} +{{- end }} +{{- end }} +{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} +{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown platform" .) }} +{{- end }} +{{- end }} +{{- if $profile }} +{{- $a := mustMergeOverwrite $defaults $profile }} +{{- end }} +# Flatten globals, if defined on a per-chart basis +{{- if false }} +{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} +{{- end }} +{{- $x := set $.Values "_original" (deepCopy $.Values) }} +{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} + +{{/* +Labels that should be applied to ALL resources. +*/}} +{{- define "istio.labels" -}} +{{- if .Release.Service -}} +app.kubernetes.io/managed-by: {{ .Release.Service | quote }} +{{- end }} +{{- if .Release.Name }} +app.kubernetes.io/instance: {{ .Release.Name | quote }} +{{- end }} +app.kubernetes.io/part-of: "istio" +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +{{- if and .Chart.Name .Chart.Version }} +helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/values.yaml new file mode 100644 index 0000000000..b0146dc644 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/revisiontags/values.yaml @@ -0,0 +1,567 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + autoscaleEnabled: true + autoscaleMin: 1 + autoscaleMax: 5 + autoscaleBehavior: {} + replicaCount: 1 + rollingMaxSurge: 100% + rollingMaxUnavailable: 25% + + hub: "" + tag: "" + variant: "" + + # Can be a full hub/image:tag + image: pilot + traceSampling: 1.0 + + # Resources for a small pilot install + resources: + requests: + cpu: 500m + memory: 2048Mi + + # Set to `type: RuntimeDefault` to use the default profile if available. + seccompProfile: {} + + # Whether to use an existing CNI installation + cni: + enabled: false + provider: default + + # Additional container arguments + extraContainerArgs: [] + + env: {} + + envVarFrom: [] + + # Settings related to the untaint controller + # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready + # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes + taint: + # Controls whether or not the untaint controller is active + enabled: false + # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod + namespace: "" + + affinity: {} + + tolerations: [] + + cpu: + targetAverageUtilization: 80 + memory: {} + # targetAverageUtilization: 80 + + # Additional volumeMounts to the istiod container + volumeMounts: [] + + # Additional volumes to the istiod pod + volumes: [] + + # Inject initContainers into the istiod pod + initContainers: [] + + nodeSelector: {} + podAnnotations: {} + serviceAnnotations: {} + serviceAccountAnnotations: {} + sidecarInjectorWebhookAnnotations: {} + + topologySpreadConstraints: [] + + # You can use jwksResolverExtraRootCA to provide a root certificate + # in PEM format. This will then be trusted by pilot when resolving + # JWKS URIs. + jwksResolverExtraRootCA: "" + + # The following is used to limit how long a sidecar can be connected + # to a pilot. It balances out load across pilot instances at the cost of + # increasing system churn. + keepaliveMaxServerConnectionAge: 30m + + # Additional labels to apply to the deployment. + deploymentLabels: {} + + ## Mesh config settings + + # Install the mesh config map, generated from values.yaml. + # If false, pilot wil use default values (by default) or user-supplied values. + configMap: true + + # Additional labels to apply on the pod level for monitoring and logging configuration. + podLabels: {} + + # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + ipFamilyPolicy: "" + ipFamilies: [] + + # Ambient mode only. + # Set this if you install ztunnel to a different namespace from `istiod`. + # If set, `istiod` will allow connections from trusted node proxy ztunnels + # in the provided namespace. + # If unset, `istiod` will assume the trusted node proxy ztunnel resides + # in the same namespace as itself. + trustedZtunnelNamespace: "" + # Set this if you install ztunnel with a name different from the default. + trustedZtunnelName: "" + + sidecarInjectorWebhook: + # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or + # always skip the injection on pods that match that label selector, regardless of the global policy. + # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions + neverInjectSelector: [] + alwaysInjectSelector: [] + + # injectedAnnotations are additional annotations that will be added to the pod spec after injection + # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations: + # + # annotations: + # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default + # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default + # + # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before + # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify: + # injectedAnnotations: + # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default + # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default + injectedAnnotations: {} + + # This enables injection of sidecar in all namespaces, + # with the exception of namespaces with "istio-injection:disabled" annotation + # Only one environment should have this enabled. + enableNamespacesByDefault: false + + # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run + # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten. + # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur. + reinvocationPolicy: Never + + rewriteAppHTTPProbe: true + + # Templates defines a set of custom injection templates that can be used. For example, defining: + # + # templates: + # hello: | + # metadata: + # labels: + # hello: world + # + # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod + # being injected with the hello=world labels. + # This is intended for advanced configuration only; most users should use the built in template + templates: {} + + # Default templates specifies a set of default templates that are used in sidecar injection. + # By default, a template `sidecar` is always provided, which contains the template of default sidecar. + # To inject other additional templates, define it using the `templates` option, and add it to + # the default templates list. + # For example: + # + # templates: + # hello: | + # metadata: + # labels: + # hello: world + # + # defaultTemplates: ["sidecar", "hello"] + defaultTemplates: [] + istiodRemote: + # If `true`, indicates that this cluster/install should consume a "remote istiod" installation, + # and istiod itself will NOT be installed in this cluster - only the support resources necessary + # to utilize a remote instance. + enabled: false + # Sidecar injector mutating webhook configuration clientConfig.url value. + # For example: https://$remotePilotAddress:15017/inject + # The host should not refer to a service running in the cluster; use a service reference by specifying + # the clientConfig.service field instead. + injectionURL: "" + + # Sidecar injector mutating webhook configuration path value for the clientConfig.service field. + # Override to pass env variables, for example: /inject/cluster/remote/net/network2 + injectionPath: "/inject" + + injectionCABundle: "" + telemetry: + enabled: true + v2: + # For Null VM case now. + # This also enables metadata exchange. + enabled: true + # Indicate if prometheus stats filter is enabled or not + prometheus: + enabled: true + # stackdriver filter settings. + stackdriver: + enabled: false + # Revision is set as 'version' label and part of the resource names when installing multiple control planes. + revision: "" + + # Revision tags are aliases to Istio control plane revisions + revisionTags: [] + + # For Helm compatibility. + ownerName: "" + + # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior + # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options + meshConfig: + enablePrometheusMerge: true + + experimental: + stableValidationPolicy: false + + global: + # Used to locate istiod. + istioNamespace: istio-system + # List of cert-signers to allow "approve" action in the istio cluster role + # + # certSigners: + # - clusterissuers.cert-manager.io/istio-ca + certSigners: [] + # enable pod disruption budget for the control plane, which is used to + # ensure Istio control plane components are gradually upgraded or recovered. + defaultPodDisruptionBudget: + enabled: true + # The values aren't mutable due to a current PodDisruptionBudget limitation + # minAvailable: 1 + + # A minimal set of requested resources to applied to all deployments so that + # Horizontal Pod Autoscaler will be able to function (if set). + # Each component can overwrite these default values by adding its own resources + # block in the relevant section below and setting the desired resources values. + defaultResources: + requests: + cpu: 10m + # memory: 128Mi + # limits: + # cpu: 100m + # memory: 128Mi + + # Default hub for Istio images. + # Releases are published to docker hub under 'istio' project. + # Dev builds from prow are on gcr.io + hub: gcr.io/istio-release + # Default tag for Istio images. + tag: 1.26.6 + # Variant of the image to use. + # Currently supported are: [debug, distroless] + variant: "" + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent. + imagePullPolicy: "" + + # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) + # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + # - private-registry-key + + # Enabled by default in master for maximising testing. + istiod: + enableAnalysis: false + + # To output all istio components logs in json format by adding --log_as_json argument to each container argument + logAsJson: false + + # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: + # The control plane has different scopes depending on component, but can configure default log level across all components + # If empty, default scope and level will be used as configured in code + logging: + level: "default:info" + + # When enabled, default NetworkPolicy resources will be created + networkPolicy: + enabled: false + + omitSidecarInjectorConfigMap: false + + # Configure whether Operator manages webhook configurations. The current behavior + # of Istiod is to manage its own webhook configurations. + # When this option is set as true, Istio Operator, instead of webhooks, manages the + # webhook configurations. When this option is set as false, webhooks manage their + # own webhook configurations. + operatorManageWebhooks: false + + # Custom DNS config for the pod to resolve names of services in other + # clusters. Use this to add additional search domains, and other settings. + # see + # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config + # This does not apply to gateway pods as they typically need a different + # set of DNS settings than the normal application pods (e.g., in + # multicluster scenarios). + # NOTE: If using templates, follow the pattern in the commented example below. + #podDNSSearchNamespaces: + #- global + #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global" + + # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and + # system-node-critical, it is better to configure this in order to make sure your Istio pods + # will not be killed because of low priority class. + # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + # for more detail. + priorityClassName: "" + + proxy: + image: proxyv2 + + # This controls the 'policy' in the sidecar injector. + autoInject: enabled + + # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value + # cluster domain. Default value is "cluster.local". + clusterDomain: "cluster.local" + + # Per Component log level for proxy, applies to gateways and sidecars. If a component level is + # not set, then the global "logLevel" will be used. + componentLogLevel: "misc:error" + + # istio ingress capture allowlist + # examples: + # Redirect only selected ports: --includeInboundPorts="80,8080" + excludeInboundPorts: "" + includeInboundPorts: "*" + + # istio egress capture allowlist + # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly + # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" + # would only capture egress traffic on those two IP Ranges, all other outbound traffic would + # be allowed by the sidecar + includeIPRanges: "*" + excludeIPRanges: "" + includeOutboundPorts: "" + excludeOutboundPorts: "" + + # Log level for proxy, applies to gateways and sidecars. + # Expected values are: trace|debug|info|warning|error|critical|off + logLevel: warning + + # Specify the path to the outlier event log. + # Example: /dev/stdout + outlierLogPath: "" + + #If set to true, istio-proxy container will have privileged securityContext + privileged: false + + # The number of successive failed probes before indicating readiness failure. + readinessFailureThreshold: 4 + + # The initial delay for readiness probes in seconds. + readinessInitialDelaySeconds: 0 + + # The period between readiness probes. + readinessPeriodSeconds: 15 + + # Enables or disables a startup probe. + # For optimal startup times, changing this should be tied to the readiness probe values. + # + # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4. + # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval), + # and doesn't spam the readiness endpoint too much + # + # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30. + # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly. + startupProbe: + enabled: true + failureThreshold: 600 # 10 minutes + + # Resources for the sidecar. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 1024Mi + + # Default port for Pilot agent health checks. A value of 0 will disable health checking. + statusPort: 15020 + + # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none. + # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. + tracer: "none" + + proxy_init: + # Base name for the proxy_init container, used to configure iptables. + image: proxyv2 + # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures. + # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases. + forceApplyIptables: false + + # configure remote pilot and istiod service and endpoint + remotePilotAddress: "" + + ############################################################################################## + # The following values are found in other charts. To effectively modify these values, make # + # make sure they are consistent across your Istio helm charts # + ############################################################################################## + + # The customized CA address to retrieve certificates for the pods in the cluster. + # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. + # If not set explicitly, default to the Istio discovery address. + caAddress: "" + + # Enable control of remote clusters. + externalIstiod: false + + # Configure a remote cluster as the config cluster for an external istiod. + configCluster: false + + # configValidation enables the validation webhook for Istio configuration. + configValidation: true + + # Mesh ID means Mesh Identifier. It should be unique within the scope where + # meshes will interact with each other, but it is not required to be + # globally/universally unique. For example, if any of the following are true, + # then two meshes must have different Mesh IDs: + # - Meshes will have their telemetry aggregated in one place + # - Meshes will be federated together + # - Policy will be written referencing one mesh from the other + # + # If an administrator expects that any of these conditions may become true in + # the future, they should ensure their meshes have different Mesh IDs + # assigned. + # + # Within a multicluster mesh, each cluster must be (manually or auto) + # configured to have the same Mesh ID value. If an existing cluster 'joins' a + # multicluster mesh, it will need to be migrated to the new mesh ID. Details + # of migration TBD, and it may be a disruptive operation to change the Mesh + # ID post-install. + # + # If the mesh admin does not specify a value, Istio will use the value of the + # mesh's Trust Domain. The best practice is to select a proper Trust Domain + # value. + meshID: "" + + # Configure the mesh networks to be used by the Split Horizon EDS. + # + # The following example defines two networks with different endpoints association methods. + # For `network1` all endpoints that their IP belongs to the provided CIDR range will be + # mapped to network1. The gateway for this network example is specified by its public IP + # address and port. + # The second network, `network2`, in this example is defined differently with all endpoints + # retrieved through the specified Multi-Cluster registry being mapped to network2. The + # gateway is also defined differently with the name of the gateway service on the remote + # cluster. The public IP for the gateway will be determined from that remote service (only + # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, + # it still need to be configured manually). + # + # meshNetworks: + # network1: + # endpoints: + # - fromCidr: "192.168.0.1/24" + # gateways: + # - address: 1.1.1.1 + # port: 80 + # network2: + # endpoints: + # - fromRegistry: reg1 + # gateways: + # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local + # port: 443 + # + meshNetworks: {} + + # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. + mountMtlsCerts: false + + multiCluster: + # Set to true to connect two kubernetes clusters via their respective + # ingressgateway services when pods in each cluster cannot directly + # talk to one another. All clusters should be using Istio mTLS and must + # have a shared root CA for this model to work. + enabled: false + # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection + # to properly label proxies + clusterName: "" + + # Network defines the network this cluster belong to. This name + # corresponds to the networks in the map of mesh networks. + network: "" + + # Configure the certificate provider for control plane communication. + # Currently, two providers are supported: "kubernetes" and "istiod". + # As some platforms may not have kubernetes signing APIs, + # Istiod is the default + pilotCertProvider: istiod + + sds: + # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. + # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the + # JWT is intended for the CA. + token: + aud: istio-ca + + sts: + # The service port used by Security Token Service (STS) server to handle token exchange requests. + # Setting this port to a non-zero value enables STS server. + servicePort: 0 + + # The name of the CA for workload certificates. + # For example, when caName=GkeWorkloadCertificate, GKE workload certificates + # will be used as the certificates for workloads. + # The default value is "" and when caName="", the CA will be configured by other + # mechanisms (e.g., environmental variable CA_PROVIDER). + caName: "" + + waypoint: + # Resources for the waypoint proxy. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: "2" + memory: 1Gi + + # If specified, affinity defines the scheduling constraints of waypoint pods. + affinity: {} + + # Topology Spread Constraints for the waypoint proxy. + topologySpreadConstraints: [] + + # Node labels for the waypoint proxy. + nodeSelector: {} + + # Tolerations for the waypoint proxy. + tolerations: [] + + base: + # For istioctl usage to disable istio config crds in base + enableIstioConfigCRDs: true + + # Gateway Settings + gateways: + # Define the security context for the pod. + # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. + # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. + securityContext: {} + + # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it + seccompProfile: {} + + # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass. + # For example: + # gatewayClasses: + # istio: + # service: + # spec: + # type: ClusterIP + # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field. + gatewayClasses: {} + + pdb: + # -- Minimum available pods set in PodDisruptionBudget. + # Define either 'minAvailable' or 'maxUnavailable', never both. + minAvailable: 1 + # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored. + # maxUnavailable: 1 + # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget. + # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/ + unhealthyPodEvictionPolicy: "" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/Chart.yaml new file mode 100644 index 0000000000..8fbec7309b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +appVersion: 1.26.6 +description: Helm chart for istio ztunnel components +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio-ztunnel +- istio +name: ztunnel +sources: +- https://github.com/istio/istio +version: 1.26.6 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/README.md new file mode 100644 index 0000000000..ffe0b94fe8 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/README.md @@ -0,0 +1,50 @@ +# Istio Ztunnel Helm Chart + +This chart installs an Istio ztunnel. + +## Setup Repo Info + +```console +helm repo add istio https://istio-release.storage.googleapis.com/charts +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Installing the Chart + +To install the chart: + +```console +helm install ztunnel istio/ztunnel +``` + +## Uninstalling the Chart + +To uninstall/delete the chart: + +```console +helm delete ztunnel +``` + +## Configuration + +To view support configuration options and documentation, run: + +```console +helm show values istio/ztunnel +``` + +### Profiles + +Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. +These can be set with `--set profile=`. +For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. + +For consistency, the same profiles are used across each chart, even if they do not impact a given chart. + +Explicitly set values have highest priority, then profile settings, then chart defaults. + +As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. +When configuring the chart, you should not include this. +That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/files/profile-ambient.yaml new file mode 100644 index 0000000000..2805fe46bf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/files/profile-ambient.yaml @@ -0,0 +1,17 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/files/profile-compatibility-version-1.23.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/files/profile-compatibility-version-1.23.yaml new file mode 100644 index 0000000000..dac910ff5b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/files/profile-compatibility-version-1.23.yaml @@ -0,0 +1,25 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + ENABLE_INBOUND_RETRY_POLICY: "false" + EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" + +ambient: + # Not present in <1.24, defaults to `true` in 1.25+ + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 0000000000..b211c82666 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/files/profile-compatibility-version-1.24.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + PILOT_ENABLE_IP_AUTOALLOCATE: "false" +ambient: + dnsCapture: false + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..eb8827cd50 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/files/profile-demo.yaml new file mode 100644 index 0000000000..d6dc36dd0f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/files/profile-demo.yaml @@ -0,0 +1,94 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The demo profile enables a variety of things to try out Istio in non-production environments. +# * Lower resource utilization. +# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. +# * More ports enabled on the ingress, which is used in some tasks. +meshConfig: + accessLogFile: /dev/stdout + extensionProviders: + - name: otel + envoyOtelAls: + service: opentelemetry-collector.observability.svc.cluster.local + port: 4317 + - name: skywalking + skywalking: + service: tracing.istio-system.svc.cluster.local + port: 11800 + - name: otel-tracing + opentelemetry: + port: 4317 + service: opentelemetry-collector.observability.svc.cluster.local + - name: jaeger + opentelemetry: + port: 4317 + service: jaeger-collector.istio-system.svc.cluster.local + +cni: + resources: + requests: + cpu: 10m + memory: 40Mi + +ztunnel: + resources: + requests: + cpu: 10m + memory: 40Mi + +global: + proxy: + resources: + requests: + cpu: 10m + memory: 40Mi + waypoint: + resources: + requests: + cpu: 10m + memory: 40Mi + +pilot: + autoscaleEnabled: false + traceSampling: 100 + resources: + requests: + cpu: 10m + memory: 100Mi + +gateways: + istio-egressgateway: + autoscaleEnabled: false + resources: + requests: + cpu: 10m + memory: 40Mi + istio-ingressgateway: + autoscaleEnabled: false + ports: + ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. + # Note that AWS ELB will by default perform health checks on the first port + # on this list. Setting this to the health check port will ensure that health + # checks always work. https://github.com/istio/istio/issues/12503 + - port: 15021 + targetPort: 15021 + name: status-port + - port: 80 + targetPort: 8080 + name: http2 + - port: 443 + targetPort: 8443 + name: https + - port: 31400 + targetPort: 31400 + name: tcp + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + resources: + requests: + cpu: 10m + memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/files/profile-platform-gke.yaml new file mode 100644 index 0000000000..dfe8a7d741 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/files/profile-platform-gke.yaml @@ -0,0 +1,10 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work + resourceQuotas: + enabled: true +resourceQuotas: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/files/profile-platform-k3d.yaml new file mode 100644 index 0000000000..cd86d9ec58 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/files/profile-platform-k3d.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/files/profile-platform-k3s.yaml new file mode 100644 index 0000000000..07820106d9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/files/profile-platform-k3s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/files/profile-platform-microk8s.yaml new file mode 100644 index 0000000000..57d7f5e3cd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/files/profile-platform-microk8s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/snap/microk8s/current/args/cni-network + cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/files/profile-platform-minikube.yaml new file mode 100644 index 0000000000..fa9992e204 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/files/profile-platform-minikube.yaml @@ -0,0 +1,6 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/files/profile-platform-openshift.yaml new file mode 100644 index 0000000000..8ddc5e1654 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/files/profile-platform-openshift.yaml @@ -0,0 +1,19 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The OpenShift profile provides a basic set of settings to run Istio on OpenShift +cni: + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + provider: "multus" +pilot: + cni: + enabled: true + provider: "multus" +seLinuxOptions: + type: spc_t +# Openshift requires privileged pods to run in kube-system +trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/files/profile-preview.yaml new file mode 100644 index 0000000000..181d7bda2c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/files/profile-preview.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +meshConfig: + defaultConfig: + proxyMetadata: + # Enable Istio agent to handle DNS requests for known hosts + # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf + ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/files/profile-remote.yaml new file mode 100644 index 0000000000..d17b9a801a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/files/profile-remote.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. +istiodRemote: + enabled: true +configMap: false +telemetry: + enabled: false +global: + # TODO BML maybe a different profile for a configcluster/revisit this + omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/files/profile-stable.yaml new file mode 100644 index 0000000000..358282e69b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/files/profile-stable.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The stable profile deploys admission control to ensure that only stable resources and fields are used +# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE +experimental: + stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/templates/NOTES.txt new file mode 100644 index 0000000000..244f59db06 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/templates/NOTES.txt @@ -0,0 +1,5 @@ +ztunnel successfully installed! + +To learn more about the release, try: + $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} + $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/templates/_helpers.tpl new file mode 100644 index 0000000000..46a7a0b79d --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/templates/_helpers.tpl @@ -0,0 +1 @@ +{{ define "ztunnel.release-name" }}{{ .Values.resourceName| default "ztunnel" }}{{ end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/templates/daemonset.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/templates/daemonset.yaml new file mode 100644 index 0000000000..0822394d76 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/templates/daemonset.yaml @@ -0,0 +1,205 @@ +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ include "ztunnel.release-name" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: ztunnel + {{- include "istio.labels" . | nindent 4}} + {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }} + annotations: +{{- if .Values.revision }} + {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }} + {{- toYaml $annos | nindent 4}} +{{- else }} + {{- .Values.annotations | toYaml | nindent 4 }} +{{- end }} +spec: + {{- with .Values.updateStrategy }} + updateStrategy: + {{- toYaml . | nindent 4 }} + {{- end }} + selector: + matchLabels: + app: ztunnel + template: + metadata: + labels: + sidecar.istio.io/inject: "false" + istio.io/dataplane-mode: none + app: ztunnel + app.kubernetes.io/name: ztunnel + {{- include "istio.labels" . | nindent 8}} +{{ with .Values.podLabels -}}{{ toYaml . | indent 8 }}{{ end }} + annotations: + sidecar.istio.io/inject: "false" +{{- if .Values.revision }} + istio.io/rev: {{ .Values.revision }} +{{- end }} +{{ with .Values.podAnnotations -}}{{ toYaml . | indent 8 }}{{ end }} + spec: + nodeSelector: + kubernetes.io/os: linux +{{- if .Values.nodeSelector }} +{{ toYaml .Values.nodeSelector | indent 8 }} +{{- end }} +{{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | trim | indent 8 }} +{{- end }} + serviceAccountName: {{ include "ztunnel.release-name" . }} + tolerations: + - effect: NoSchedule + operator: Exists + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists + containers: + - name: istio-proxy +{{- if contains "/" .Values.image }} + image: "{{ .Values.image }}" +{{- else }} + image: "{{ .Values.hub }}/{{ .Values.image | default "ztunnel" }}:{{ .Values.tag }}{{with (.Values.variant )}}-{{.}}{{end}}" +{{- end }} + ports: + - containerPort: 15020 + name: ztunnel-stats + protocol: TCP + resources: +{{- if .Values.resources }} +{{ toYaml .Values.resources | trim | indent 10 }} +{{- end }} +{{- with .Values.imagePullPolicy }} + imagePullPolicy: {{ . }} +{{- end }} + securityContext: + # K8S docs are clear that CAP_SYS_ADMIN *or* privileged: true + # both force this to `true`: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + # But there is a K8S validation bug that doesn't propery catch this: https://github.com/kubernetes/kubernetes/issues/119568 + allowPrivilegeEscalation: true + privileged: false + capabilities: + drop: + - ALL + add: # See https://man7.org/linux/man-pages/man7/capabilities.7.html + - NET_ADMIN # Required for TPROXY and setsockopt + - SYS_ADMIN # Required for `setns` - doing things in other netns + - NET_RAW # Required for RAW/PACKET sockets, TPROXY + readOnlyRootFilesystem: true + runAsGroup: 1337 + runAsNonRoot: false + runAsUser: 0 +{{- if .Values.seLinuxOptions }} + seLinuxOptions: +{{ toYaml .Values.seLinuxOptions | trim | indent 12 }} +{{- end }} + readinessProbe: + httpGet: + port: 15021 + path: /healthz/ready + args: + - proxy + - ztunnel + env: + - name: CA_ADDRESS + {{- if .Values.caAddress }} + value: {{ .Values.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012 + {{- end }} + - name: XDS_ADDRESS + {{- if .Values.xdsAddress }} + value: {{ .Values.xdsAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012 + {{- end }} + {{- if .Values.logAsJson }} + - name: LOG_FORMAT + value: json + {{- end}} + - name: RUST_LOG + value: {{ .Values.logLevel | quote }} + - name: RUST_BACKTRACE + value: "1" + - name: ISTIO_META_CLUSTER_ID + value: {{ .Values.multiCluster.clusterName | default "Kubernetes" }} + - name: INPOD_ENABLED + value: "true" + - name: TERMINATION_GRACE_PERIOD_SECONDS + value: "{{ .Values.terminationGracePeriodSeconds }}" + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + {{- if .Values.meshConfig.defaultConfig.proxyMetadata }} + {{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata}} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + {{- with .Values.env }} + {{- range $key, $val := . }} + - name: {{ $key }} + value: "{{ $val }}" + {{- end }} + {{- end }} + volumeMounts: + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + - mountPath: /var/run/secrets/tokens + name: istio-token + - mountPath: /var/run/ztunnel + name: cni-ztunnel-sock-dir + - mountPath: /tmp + name: tmp + {{- with .Values.volumeMounts }} + {{- toYaml . | nindent 8 }} + {{- end }} + priorityClassName: system-node-critical + terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} + volumes: + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: istio-ca + - name: istiod-ca-cert + {{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:root-cert + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + - name: cni-ztunnel-sock-dir + hostPath: + path: /var/run/ztunnel + type: DirectoryOrCreate # ideally this would be a socket, but istio-cni may not have started yet. + # pprof needs a writable /tmp, and we don't have that thanks to `readOnlyRootFilesystem: true`, so mount one + - name: tmp + emptyDir: {} + {{- with .Values.volumes }} + {{- toYaml . | nindent 6}} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/templates/rbac.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/templates/rbac.yaml new file mode 100644 index 0000000000..0a8138c9a3 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/templates/rbac.yaml @@ -0,0 +1,72 @@ +apiVersion: v1 +kind: ServiceAccount + {{- with .Values.imagePullSecrets }} +imagePullSecrets: + {{- range . }} + - name: {{ . }} + {{- end }} + {{- end }} +metadata: + name: {{ include "ztunnel.release-name" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: ztunnel + {{- include "istio.labels" . | nindent 4}} + {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }} + annotations: +{{- if .Values.revision }} + {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }} + {{- toYaml $annos | nindent 4}} +{{- else }} + {{- .Values.annotations | toYaml | nindent 4 }} +{{- end }} +--- +{{- if (eq (.Values.platform | default "") "openshift") }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "ztunnel.release-name" . }} + labels: + app: ztunnel + release: {{ include "ztunnel.release-name" . }} + app.kubernetes.io/name: ztunnel + {{- include "istio.labels" . | nindent 4}} + annotations: +{{- if .Values.revision }} + {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }} + {{- toYaml $annos | nindent 4}} +{{- else }} + {{- .Values.annotations | toYaml | nindent 4 }} +{{- end }} +rules: +- apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: ["privileged"] + verbs: ["use"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "ztunnel.release-name" . }} + labels: + app: ztunnel + release: {{ include "ztunnel.release-name" . }} + app.kubernetes.io/name: ztunnel + {{- include "istio.labels" . | nindent 4}} + annotations: +{{- if .Values.revision }} + {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }} + {{- toYaml $annos | nindent 4}} +{{- else }} + {{- .Values.annotations | toYaml | nindent 4 }} +{{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "ztunnel.release-name" . }} +subjects: +- kind: ServiceAccount + name: {{ include "ztunnel.release-name" . }} + namespace: {{ .Release.Namespace }} +{{- end }} +--- diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/templates/resourcequota.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/templates/resourcequota.yaml new file mode 100644 index 0000000000..a1c0e5496d --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/templates/resourcequota.yaml @@ -0,0 +1,20 @@ +{{- if .Values.resourceQuotas.enabled }} +apiVersion: v1 +kind: ResourceQuota +metadata: + name: {{ include "ztunnel.release-name" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: ztunnel + {{- include "istio.labels" . | nindent 4}} + {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }} +spec: + hard: + pods: {{ .Values.resourceQuotas.pods | quote }} + scopeSelector: + matchExpressions: + - operator: In + scopeName: PriorityClass + values: + - system-node-critical +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/templates/zzz_profile.yaml new file mode 100644 index 0000000000..606c556697 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/templates/zzz_profile.yaml @@ -0,0 +1,75 @@ +{{/* +WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. +The original version of this file is located at /manifests directory. +If you want to make a change in this file, edit the original one and run "make gen". + +Complex logic ahead... +We have three sets of values, in order of precedence (last wins): +1. The builtin values.yaml defaults +2. The profile the user selects +3. Users input (-f or --set) + +Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). + +However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). +We can then merge the profile onto the defaults, then the user settings onto that. +Finally, we can set all of that under .Values so the chart behaves without awareness. +*/}} +{{- if $.Values.defaults}} +{{ fail (cat + "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" + ($.Values.defaults | toYaml |nindent 4) +) }} +{{- end }} +{{- $defaults := $.Values._internal_defaults_do_not_set }} +{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} +{{- $profile := dict }} +{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} +{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} +{{- $profile = (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown profile" .) }} +{{- end }} +{{- end }} +{{- with .Values.compatibilityVersion }} +{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} +{{- end }} +{{- end }} +{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} +{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown platform" .) }} +{{- end }} +{{- end }} +{{- if $profile }} +{{- $a := mustMergeOverwrite $defaults $profile }} +{{- end }} +# Flatten globals, if defined on a per-chart basis +{{- if true }} +{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} +{{- end }} +{{- $x := set $.Values "_original" (deepCopy $.Values) }} +{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} + +{{/* +Labels that should be applied to ALL resources. +*/}} +{{- define "istio.labels" -}} +{{- if .Release.Service -}} +app.kubernetes.io/managed-by: {{ .Release.Service | quote }} +{{- end }} +{{- if .Release.Name }} +app.kubernetes.io/instance: {{ .Release.Name | quote }} +{{- end }} +app.kubernetes.io/part-of: "istio" +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +{{- if and .Chart.Name .Chart.Version }} +helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/values.yaml new file mode 100644 index 0000000000..24a28fd3a2 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/charts/ztunnel/values.yaml @@ -0,0 +1,114 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + # Hub to pull from. Image will be `Hub/Image:Tag-Variant` + hub: gcr.io/istio-release + # Tag to pull from. Image will be `Hub/Image:Tag-Variant` + tag: 1.26.6 + # Variant to pull. Options are "debug" or "distroless". Unset will use the default for the given version. + variant: "" + + # Image name to pull from. Image will be `Hub/Image:Tag-Variant` + # If Image contains a "/", it will replace the entire `image` in the pod. + image: ztunnel + + # resourceName, if set, will override the naming of resources. If not set, will default to 'ztunnel'. + # If you set this, you MUST also set `trustedZtunnelName` in the `istiod` chart. + resourceName: "" + + # Labels to apply to all top level resources + labels: {} + # Annotations to apply to all top level resources + annotations: {} + + # Additional volumeMounts to the ztunnel container + volumeMounts: [] + + # Additional volumes to the ztunnel pod + volumes: [] + + # Annotations added to each pod. The default annotations are required for scraping prometheus (in most environments). + podAnnotations: + prometheus.io/port: "15020" + prometheus.io/scrape: "true" + + # Additional labels to apply on the pod level + podLabels: {} + + # Pod resource configuration + resources: + requests: + cpu: 200m + # Ztunnel memory scales with the size of the cluster and traffic load + # While there are many factors, this is enough for ~200k pod cluster or 100k concurrently open connections. + memory: 512Mi + + resourceQuotas: + enabled: false + pods: 5000 + + # List of secret names to add to the service account as image pull secrets + imagePullSecrets: [] + + # A `key: value` mapping of environment variables to add to the pod + env: {} + + # Override for the pod imagePullPolicy + imagePullPolicy: "" + + # Settings for multicluster + multiCluster: + # The name of the cluster we are installing in. Note this is a user-defined name, which must be consistent + # with Istiod configuration. + clusterName: "" + + # meshConfig defines runtime configuration of components. + # For ztunnel, only defaultConfig is used, but this is nested under `meshConfig` for consistency with other + # components. + # TODO: https://github.com/istio/istio/issues/43248 + meshConfig: + defaultConfig: + proxyMetadata: {} + + # This value defines: + # 1. how many seconds kube waits for ztunnel pod to gracefully exit before forcibly terminating it (this value) + # 2. how many seconds ztunnel waits to drain its own connections (this value - 1 sec) + # Default K8S value is 30 seconds + terminationGracePeriodSeconds: 30 + + # Revision is set as 'version' label and part of the resource names when installing multiple control planes. + # Used to locate the XDS and CA, if caAddress or xdsAddress are not set explicitly. + revision: "" + + # The customized CA address to retrieve certificates for the pods in the cluster. + # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. + caAddress: "" + + # The customized XDS address to retrieve configuration. + # This should include the port - 15012 for Istiod. TLS will be used with the certificates in "istiod-ca-cert" secret. + # By default, it is istiod.istio-system.svc:15012 if revision is not set, or istiod-..svc:15012 + xdsAddress: "" + + # Used to locate the XDS and CA, if caAddress or xdsAddress are not set. + istioNamespace: istio-system + + # Configuration log level of ztunnel binary, default is info. + # Valid values are: trace, debug, info, warn, error + logLevel: info + + # To output all logs in json format + logAsJson: false + + # Set to `type: RuntimeDefault` to use the default profile if available. + seLinuxOptions: {} + # TODO Ambient inpod - for OpenShift, set to the following to get writable sockets in hostmounts to work, eventually consider CSI driver instead + #seLinuxOptions: + # type: spc_t + + # K8s DaemonSet update strategy. + # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec). + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/cni-1.26.6.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/cni-1.26.6.tgz.etag new file mode 100644 index 0000000000..27f35c7d31 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/cni-1.26.6.tgz.etag @@ -0,0 +1 @@ +ce63413a70957a27741720ccf62d52adc0244ca4541ae4183fb3ed2027011a37 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/commit b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/commit new file mode 100644 index 0000000000..f250c8f604 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/commit @@ -0,0 +1 @@ +1.26.6 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/gateway-1.26.6.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/gateway-1.26.6.tgz.etag new file mode 100644 index 0000000000..a1f30382e2 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/gateway-1.26.6.tgz.etag @@ -0,0 +1 @@ +8116afb6dd7d3e92a382c07e562f6298c7353ee8e0a477802a4e0c3c8d4e3ac3 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/istiod-1.26.6.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/istiod-1.26.6.tgz.etag new file mode 100644 index 0000000000..b5a6370e26 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/istiod-1.26.6.tgz.etag @@ -0,0 +1 @@ +5b4add82c3b36c6140b7f1f6e53193ec02d117fa6334c475ec6de5ddf82b2122 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/profiles/ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/profiles/ambient.yaml new file mode 100644 index 0000000000..71ea784a80 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/profiles/ambient.yaml @@ -0,0 +1,5 @@ +apiVersion: sailoperator.io/v1 +kind: Istio +spec: + values: + profile: ambient diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/profiles/default.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/profiles/default.yaml new file mode 100644 index 0000000000..8f1ef19676 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/profiles/default.yaml @@ -0,0 +1,12 @@ +apiVersion: sailoperator.io/v1 +kind: Istio +spec: + # Most default values come from the helm chart's values.yaml + # Below are the things that differ + values: + defaultRevision: "" + global: + istioNamespace: istio-system + configValidation: true + ztunnel: + resourceName: ztunnel diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/profiles/demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/profiles/demo.yaml new file mode 100644 index 0000000000..53c4b41633 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/profiles/demo.yaml @@ -0,0 +1,5 @@ +apiVersion: sailoperator.io/v1 +kind: Istio +spec: + values: + profile: demo diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/profiles/empty.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/profiles/empty.yaml new file mode 100644 index 0000000000..4477cb1fe1 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/profiles/empty.yaml @@ -0,0 +1,5 @@ +# The empty profile has everything disabled +# This is useful as a base for custom user configuration +apiVersion: sailoperator.io/v1 +kind: Istio +spec: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/profiles/openshift-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/profiles/openshift-ambient.yaml new file mode 100644 index 0000000000..76edf00cd8 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/profiles/openshift-ambient.yaml @@ -0,0 +1,7 @@ +apiVersion: sailoperator.io/v1 +kind: Istio +spec: + values: + profile: ambient + global: + platform: openshift diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/profiles/openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/profiles/openshift.yaml new file mode 100644 index 0000000000..41492660fe --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/profiles/openshift.yaml @@ -0,0 +1,6 @@ +apiVersion: sailoperator.io/v1 +kind: Istio +spec: + values: + global: + platform: openshift diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/profiles/preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/profiles/preview.yaml new file mode 100644 index 0000000000..59d545c840 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/profiles/preview.yaml @@ -0,0 +1,8 @@ +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +apiVersion: sailoperator.io/v1 +kind: Istio +spec: + values: + profile: preview diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/profiles/remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/profiles/remote.yaml new file mode 100644 index 0000000000..54c65c8ba9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/profiles/remote.yaml @@ -0,0 +1,7 @@ +# The remote profile is used to configure a mesh cluster without a locally deployed control plane. +# Only the injector mutating webhook configuration is installed. +apiVersion: sailoperator.io/v1 +kind: Istio +spec: + values: + profile: remote diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/profiles/stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/profiles/stable.yaml new file mode 100644 index 0000000000..285feba244 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/profiles/stable.yaml @@ -0,0 +1,5 @@ +apiVersion: sailoperator.io/v1 +kind: Istio +spec: + values: + profile: stable diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/ztunnel-1.26.6.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/ztunnel-1.26.6.tgz.etag new file mode 100644 index 0000000000..2c77ac2106 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.6/ztunnel-1.26.6.tgz.etag @@ -0,0 +1 @@ +d074fcda7eb6d9edec0bf2ba2293cbd7cd385d23769ce63ca63a47e3d8594954 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/base-1.26.8.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/base-1.26.8.tgz.etag new file mode 100644 index 0000000000..ff737b60b4 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/base-1.26.8.tgz.etag @@ -0,0 +1 @@ +baa40c2ad185ed9b25d18b1b7bf9b12db565b6866ad3df914fbef6691b60e09e diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/Chart.yaml new file mode 100644 index 0000000000..d631eda339 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/Chart.yaml @@ -0,0 +1,10 @@ +apiVersion: v2 +appVersion: 1.26.8 +description: Helm chart for deploying Istio cluster resources and CRDs +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio +name: base +sources: +- https://github.com/istio/istio +version: 1.26.8 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/README.md new file mode 100644 index 0000000000..ae8f6d5b0e --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/README.md @@ -0,0 +1,35 @@ +# Istio base Helm Chart + +This chart installs resources shared by all Istio revisions. This includes Istio CRDs. + +## Setup Repo Info + +```console +helm repo add istio https://istio-release.storage.googleapis.com/charts +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Installing the Chart + +To install the chart with the release name `istio-base`: + +```console +kubectl create namespace istio-system +helm install istio-base istio/base -n istio-system +``` + +### Profiles + +Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. +These can be set with `--set profile=`. +For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. + +For consistency, the same profiles are used across each chart, even if they do not impact a given chart. + +Explicitly set values have highest priority, then profile settings, then chart defaults. + +As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. +When configuring the chart, you should not include this. +That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/files/profile-ambient.yaml new file mode 100644 index 0000000000..2805fe46bf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/files/profile-ambient.yaml @@ -0,0 +1,17 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/files/profile-compatibility-version-1.23.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/files/profile-compatibility-version-1.23.yaml new file mode 100644 index 0000000000..dac910ff5b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/files/profile-compatibility-version-1.23.yaml @@ -0,0 +1,25 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + ENABLE_INBOUND_RETRY_POLICY: "false" + EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" + +ambient: + # Not present in <1.24, defaults to `true` in 1.25+ + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 0000000000..b211c82666 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/files/profile-compatibility-version-1.24.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + PILOT_ENABLE_IP_AUTOALLOCATE: "false" +ambient: + dnsCapture: false + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..eb8827cd50 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/files/profile-demo.yaml new file mode 100644 index 0000000000..d6dc36dd0f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/files/profile-demo.yaml @@ -0,0 +1,94 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The demo profile enables a variety of things to try out Istio in non-production environments. +# * Lower resource utilization. +# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. +# * More ports enabled on the ingress, which is used in some tasks. +meshConfig: + accessLogFile: /dev/stdout + extensionProviders: + - name: otel + envoyOtelAls: + service: opentelemetry-collector.observability.svc.cluster.local + port: 4317 + - name: skywalking + skywalking: + service: tracing.istio-system.svc.cluster.local + port: 11800 + - name: otel-tracing + opentelemetry: + port: 4317 + service: opentelemetry-collector.observability.svc.cluster.local + - name: jaeger + opentelemetry: + port: 4317 + service: jaeger-collector.istio-system.svc.cluster.local + +cni: + resources: + requests: + cpu: 10m + memory: 40Mi + +ztunnel: + resources: + requests: + cpu: 10m + memory: 40Mi + +global: + proxy: + resources: + requests: + cpu: 10m + memory: 40Mi + waypoint: + resources: + requests: + cpu: 10m + memory: 40Mi + +pilot: + autoscaleEnabled: false + traceSampling: 100 + resources: + requests: + cpu: 10m + memory: 100Mi + +gateways: + istio-egressgateway: + autoscaleEnabled: false + resources: + requests: + cpu: 10m + memory: 40Mi + istio-ingressgateway: + autoscaleEnabled: false + ports: + ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. + # Note that AWS ELB will by default perform health checks on the first port + # on this list. Setting this to the health check port will ensure that health + # checks always work. https://github.com/istio/istio/issues/12503 + - port: 15021 + targetPort: 15021 + name: status-port + - port: 80 + targetPort: 8080 + name: http2 + - port: 443 + targetPort: 8443 + name: https + - port: 31400 + targetPort: 31400 + name: tcp + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + resources: + requests: + cpu: 10m + memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/files/profile-platform-gke.yaml new file mode 100644 index 0000000000..dfe8a7d741 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/files/profile-platform-gke.yaml @@ -0,0 +1,10 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work + resourceQuotas: + enabled: true +resourceQuotas: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/files/profile-platform-k3d.yaml new file mode 100644 index 0000000000..cd86d9ec58 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/files/profile-platform-k3d.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/files/profile-platform-k3s.yaml new file mode 100644 index 0000000000..07820106d9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/files/profile-platform-k3s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/files/profile-platform-microk8s.yaml new file mode 100644 index 0000000000..57d7f5e3cd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/files/profile-platform-microk8s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/snap/microk8s/current/args/cni-network + cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/files/profile-platform-minikube.yaml new file mode 100644 index 0000000000..fa9992e204 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/files/profile-platform-minikube.yaml @@ -0,0 +1,6 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/files/profile-platform-openshift.yaml new file mode 100644 index 0000000000..8ddc5e1654 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/files/profile-platform-openshift.yaml @@ -0,0 +1,19 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The OpenShift profile provides a basic set of settings to run Istio on OpenShift +cni: + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + provider: "multus" +pilot: + cni: + enabled: true + provider: "multus" +seLinuxOptions: + type: spc_t +# Openshift requires privileged pods to run in kube-system +trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/files/profile-preview.yaml new file mode 100644 index 0000000000..181d7bda2c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/files/profile-preview.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +meshConfig: + defaultConfig: + proxyMetadata: + # Enable Istio agent to handle DNS requests for known hosts + # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf + ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/files/profile-remote.yaml new file mode 100644 index 0000000000..d17b9a801a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/files/profile-remote.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. +istiodRemote: + enabled: true +configMap: false +telemetry: + enabled: false +global: + # TODO BML maybe a different profile for a configcluster/revisit this + omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/files/profile-stable.yaml new file mode 100644 index 0000000000..358282e69b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/files/profile-stable.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The stable profile deploys admission control to ensure that only stable resources and fields are used +# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE +experimental: + stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/templates/NOTES.txt new file mode 100644 index 0000000000..f12616f578 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/templates/NOTES.txt @@ -0,0 +1,5 @@ +Istio base successfully installed! + +To learn more about the release, try: + $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} + $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml new file mode 100644 index 0000000000..2616b09c9a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml @@ -0,0 +1,53 @@ +{{- if and .Values.experimental.stableValidationPolicy (not (eq .Values.defaultRevision "")) }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicy +metadata: + name: "stable-channel-default-policy.istio.io" + labels: + release: {{ .Release.Name }} + istio: istiod + istio.io/rev: {{ .Values.defaultRevision }} + app.kubernetes.io/name: "istiod" + {{ include "istio.labels" . | nindent 4 }} +spec: + failurePolicy: Fail + matchConstraints: + resourceRules: + - apiGroups: + - security.istio.io + - networking.istio.io + - telemetry.istio.io + - extensions.istio.io + apiVersions: ["*"] + operations: ["CREATE", "UPDATE"] + resources: ["*"] + variables: + - name: isEnvoyFilter + expression: "object.kind == 'EnvoyFilter'" + - name: isWasmPlugin + expression: "object.kind == 'WasmPlugin'" + - name: isProxyConfig + expression: "object.kind == 'ProxyConfig'" + - name: isTelemetry + expression: "object.kind == 'Telemetry'" + validations: + - expression: "!variables.isEnvoyFilter" + - expression: "!variables.isWasmPlugin" + - expression: "!variables.isProxyConfig" + - expression: | + !( + variables.isTelemetry && ( + (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) || + (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) || + (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter)) + ) + ) +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicyBinding +metadata: + name: "stable-channel-default-policy-binding.istio.io" +spec: + policyName: "stable-channel-default-policy.istio.io" + validationActions: [Deny] +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml new file mode 100644 index 0000000000..8cb76fd773 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml @@ -0,0 +1,56 @@ +{{- if not (eq .Values.defaultRevision "") }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: istiod-default-validator + labels: + app: istiod + release: {{ .Release.Name }} + istio: istiod + istio.io/rev: {{ .Values.defaultRevision | quote }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +webhooks: + - name: validation.istio.io + clientConfig: + {{- if .Values.base.validationURL }} + url: {{ .Values.base.validationURL }} + {{- else }} + service: + {{- if (eq .Values.defaultRevision "default") }} + name: istiod + {{- else }} + name: istiod-{{ .Values.defaultRevision }} + {{- end }} + namespace: {{ .Values.global.istioNamespace }} + path: "/validate" + {{- end }} + {{- if .Values.base.validationCABundle }} + caBundle: "{{ .Values.base.validationCABundle }}" + {{- end }} + rules: + - operations: + - CREATE + - UPDATE + apiGroups: + - security.istio.io + - networking.istio.io + - telemetry.istio.io + - extensions.istio.io + apiVersions: + - "*" + resources: + - "*" + + {{- if .Values.base.validationCABundle }} + # Disable webhook controller in Pilot to stop patching it + failurePolicy: Fail + {{- else }} + # Fail open until the validation webhook is ready. The webhook controller + # will update this to `Fail` and patch in the `caBundle` when the webhook + # endpoint is ready. + failurePolicy: Ignore + {{- end }} + sideEffects: None + admissionReviewVersions: ["v1"] +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/templates/reader-serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/templates/reader-serviceaccount.yaml new file mode 100644 index 0000000000..ba829a6bfe --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/templates/reader-serviceaccount.yaml @@ -0,0 +1,20 @@ +# This singleton service account aggregates reader permissions for the revisions in a given cluster +# ATM this is a singleton per cluster with Istio installed, and is not revisioned. It maybe should be, +# as otherwise compromising the token for this SA would give you access to *every* installed revision. +# Should be used for remote secret creation. +apiVersion: v1 +kind: ServiceAccount + {{- if .Values.global.imagePullSecrets }} +imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +metadata: + name: istio-reader-service-account + namespace: {{ .Values.global.istioNamespace }} + labels: + app: istio-reader + release: {{ .Release.Name }} + app.kubernetes.io/name: "istio-reader" + {{- include "istio.labels" . | nindent 4 }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/templates/zzz_profile.yaml new file mode 100644 index 0000000000..3d84956485 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/templates/zzz_profile.yaml @@ -0,0 +1,75 @@ +{{/* +WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. +The original version of this file is located at /manifests directory. +If you want to make a change in this file, edit the original one and run "make gen". + +Complex logic ahead... +We have three sets of values, in order of precedence (last wins): +1. The builtin values.yaml defaults +2. The profile the user selects +3. Users input (-f or --set) + +Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). + +However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). +We can then merge the profile onto the defaults, then the user settings onto that. +Finally, we can set all of that under .Values so the chart behaves without awareness. +*/}} +{{- if $.Values.defaults}} +{{ fail (cat + "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" + ($.Values.defaults | toYaml |nindent 4) +) }} +{{- end }} +{{- $defaults := $.Values._internal_defaults_do_not_set }} +{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} +{{- $profile := dict }} +{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} +{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} +{{- $profile = (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown profile" .) }} +{{- end }} +{{- end }} +{{- with .Values.compatibilityVersion }} +{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} +{{- end }} +{{- end }} +{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} +{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown platform" .) }} +{{- end }} +{{- end }} +{{- if $profile }} +{{- $a := mustMergeOverwrite $defaults $profile }} +{{- end }} +# Flatten globals, if defined on a per-chart basis +{{- if false }} +{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} +{{- end }} +{{- $x := set $.Values "_original" (deepCopy $.Values) }} +{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} + +{{/* +Labels that should be applied to ALL resources. +*/}} +{{- define "istio.labels" -}} +{{- if .Release.Service -}} +app.kubernetes.io/managed-by: {{ .Release.Service | quote }} +{{- end }} +{{- if .Release.Name }} +app.kubernetes.io/instance: {{ .Release.Name | quote }} +{{- end }} +app.kubernetes.io/part-of: "istio" +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +{{- if and .Chart.Name .Chart.Version }} +helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/values.yaml new file mode 100644 index 0000000000..d18296f00a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/base/values.yaml @@ -0,0 +1,37 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + global: + + # ImagePullSecrets for control plane ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + + # Used to locate istiod. + istioNamespace: istio-system + base: + # A list of CRDs to exclude. Requires `enableCRDTemplates` to be true. + # Example: `excludedCRDs: ["envoyfilters.networking.istio.io"]`. + # Note: when installing with `istioctl`, `enableIstioConfigCRDs=false` must also be set. + excludedCRDs: [] + # Helm (as of V3) does not support upgrading CRDs, because it is not universally + # safe for them to support this. + # Istio as a project enforces certain backwards-compat guarantees that allow us + # to safely upgrade CRDs in spite of this, so we default to self-managing CRDs + # as standard K8S resources in Helm, and disable Helm's CRD management. See also: + # https://helm.sh/docs/chart_best_practices/custom_resource_definitions/#method-2-separate-charts + enableCRDTemplates: true + + # Validation webhook configuration url + # For example: https://$remotePilotAddress:15017/validate + validationURL: "" + # Validation webhook caBundle value. Useful when running pilot with a well known cert + validationCABundle: "" + + # For istioctl usage to disable istio config crds in base + enableIstioConfigCRDs: true + + defaultRevision: "default" + experimental: + stableValidationPolicy: false diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/Chart.yaml new file mode 100644 index 0000000000..17c864fcb3 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +appVersion: 1.26.8 +description: Helm chart for istio-cni components +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio-cni +- istio +name: cni +sources: +- https://github.com/istio/istio +version: 1.26.8 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/README.md new file mode 100644 index 0000000000..a8b78d5bde --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/README.md @@ -0,0 +1,65 @@ +# Istio CNI Helm Chart + +This chart installs the Istio CNI Plugin. See the [CNI installation guide](https://istio.io/latest/docs/setup/additional-setup/cni/) +for more information. + +## Setup Repo Info + +```console +helm repo add istio https://istio-release.storage.googleapis.com/charts +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Installing the Chart + +To install the chart with the release name `istio-cni`: + +```console +helm install istio-cni istio/cni -n kube-system +``` + +Installation in `kube-system` is recommended to ensure the [`system-node-critical`](https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/) +`priorityClassName` can be used. You can install in other namespace only on K8S clusters that allow +'system-node-critical' outside of kube-system. + +## Configuration + +To view support configuration options and documentation, run: + +```console +helm show values istio/istio-cni +``` + +### Profiles + +Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. +These can be set with `--set profile=`. +For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. + +For consistency, the same profiles are used across each chart, even if they do not impact a given chart. + +Explicitly set values have highest priority, then profile settings, then chart defaults. + +As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. +When configuring the chart, you should not include this. +That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. + +### Ambient + +To enable ambient, you can use the ambient profile: `--set profile=ambient`. + +#### Calico + +For Calico, you must also modify the settings to allow source spoofing: + +- if deployed by operator, `kubectl patch felixconfigurations default --type='json' -p='[{"op": "add", "path": "/spec/workloadSourceSpoofing", "value": "Any"}]'` +- if deployed by manifest, add env `FELIX_WORKLOADSOURCESPOOFING` with value `Any` in `spec.template.spec.containers.env` for daemonset `calico-node`. (This will allow PODs with specified annotation to skip the rpf check. ) + +### GKE notes + +On GKE, 'kube-system' is required. + +If using `helm template`, `--set cni.cniBinDir=/home/kubernetes/bin` is required - with `helm install` +it is auto-detected. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/files/profile-ambient.yaml new file mode 100644 index 0000000000..2805fe46bf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/files/profile-ambient.yaml @@ -0,0 +1,17 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/files/profile-compatibility-version-1.23.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/files/profile-compatibility-version-1.23.yaml new file mode 100644 index 0000000000..dac910ff5b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/files/profile-compatibility-version-1.23.yaml @@ -0,0 +1,25 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + ENABLE_INBOUND_RETRY_POLICY: "false" + EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" + +ambient: + # Not present in <1.24, defaults to `true` in 1.25+ + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 0000000000..b211c82666 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/files/profile-compatibility-version-1.24.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + PILOT_ENABLE_IP_AUTOALLOCATE: "false" +ambient: + dnsCapture: false + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..eb8827cd50 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/files/profile-demo.yaml new file mode 100644 index 0000000000..d6dc36dd0f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/files/profile-demo.yaml @@ -0,0 +1,94 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The demo profile enables a variety of things to try out Istio in non-production environments. +# * Lower resource utilization. +# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. +# * More ports enabled on the ingress, which is used in some tasks. +meshConfig: + accessLogFile: /dev/stdout + extensionProviders: + - name: otel + envoyOtelAls: + service: opentelemetry-collector.observability.svc.cluster.local + port: 4317 + - name: skywalking + skywalking: + service: tracing.istio-system.svc.cluster.local + port: 11800 + - name: otel-tracing + opentelemetry: + port: 4317 + service: opentelemetry-collector.observability.svc.cluster.local + - name: jaeger + opentelemetry: + port: 4317 + service: jaeger-collector.istio-system.svc.cluster.local + +cni: + resources: + requests: + cpu: 10m + memory: 40Mi + +ztunnel: + resources: + requests: + cpu: 10m + memory: 40Mi + +global: + proxy: + resources: + requests: + cpu: 10m + memory: 40Mi + waypoint: + resources: + requests: + cpu: 10m + memory: 40Mi + +pilot: + autoscaleEnabled: false + traceSampling: 100 + resources: + requests: + cpu: 10m + memory: 100Mi + +gateways: + istio-egressgateway: + autoscaleEnabled: false + resources: + requests: + cpu: 10m + memory: 40Mi + istio-ingressgateway: + autoscaleEnabled: false + ports: + ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. + # Note that AWS ELB will by default perform health checks on the first port + # on this list. Setting this to the health check port will ensure that health + # checks always work. https://github.com/istio/istio/issues/12503 + - port: 15021 + targetPort: 15021 + name: status-port + - port: 80 + targetPort: 8080 + name: http2 + - port: 443 + targetPort: 8443 + name: https + - port: 31400 + targetPort: 31400 + name: tcp + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + resources: + requests: + cpu: 10m + memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/files/profile-platform-gke.yaml new file mode 100644 index 0000000000..dfe8a7d741 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/files/profile-platform-gke.yaml @@ -0,0 +1,10 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work + resourceQuotas: + enabled: true +resourceQuotas: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/files/profile-platform-k3d.yaml new file mode 100644 index 0000000000..cd86d9ec58 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/files/profile-platform-k3d.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/files/profile-platform-k3s.yaml new file mode 100644 index 0000000000..07820106d9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/files/profile-platform-k3s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/files/profile-platform-microk8s.yaml new file mode 100644 index 0000000000..57d7f5e3cd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/files/profile-platform-microk8s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/snap/microk8s/current/args/cni-network + cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/files/profile-platform-minikube.yaml new file mode 100644 index 0000000000..fa9992e204 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/files/profile-platform-minikube.yaml @@ -0,0 +1,6 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/files/profile-platform-openshift.yaml new file mode 100644 index 0000000000..8ddc5e1654 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/files/profile-platform-openshift.yaml @@ -0,0 +1,19 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The OpenShift profile provides a basic set of settings to run Istio on OpenShift +cni: + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + provider: "multus" +pilot: + cni: + enabled: true + provider: "multus" +seLinuxOptions: + type: spc_t +# Openshift requires privileged pods to run in kube-system +trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/files/profile-preview.yaml new file mode 100644 index 0000000000..181d7bda2c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/files/profile-preview.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +meshConfig: + defaultConfig: + proxyMetadata: + # Enable Istio agent to handle DNS requests for known hosts + # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf + ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/files/profile-remote.yaml new file mode 100644 index 0000000000..d17b9a801a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/files/profile-remote.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. +istiodRemote: + enabled: true +configMap: false +telemetry: + enabled: false +global: + # TODO BML maybe a different profile for a configcluster/revisit this + omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/files/profile-stable.yaml new file mode 100644 index 0000000000..358282e69b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/files/profile-stable.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The stable profile deploys admission control to ensure that only stable resources and fields are used +# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE +experimental: + stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/templates/NOTES.txt new file mode 100644 index 0000000000..fb35525b99 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/templates/NOTES.txt @@ -0,0 +1,5 @@ +"{{ .Release.Name }}" successfully installed! + +To learn more about the release, try: + $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} + $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/templates/_helpers.tpl new file mode 100644 index 0000000000..73cc17b2f6 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/templates/_helpers.tpl @@ -0,0 +1,8 @@ +{{- define "name" -}} + istio-cni +{{- end }} + + +{{- define "istio-tag" -}} + {{ .Values.tag | default .Values.global.tag }}{{with (.Values.variant | default .Values.global.variant)}}-{{.}}{{end}} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/templates/clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/templates/clusterrole.yaml new file mode 100644 index 0000000000..1779e0bb1d --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/templates/clusterrole.yaml @@ -0,0 +1,81 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "name" . }} + labels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +rules: +- apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: ["privileged"] + verbs: ["use"] +- apiGroups: [""] + resources: ["pods","nodes","namespaces"] + verbs: ["get", "list", "watch"] +{{- if (eq ((coalesce .Values.platform .Values.global.platform) | default "") "openshift") }} +- apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: ["privileged"] + verbs: ["use"] +{{- end }} +--- +{{- if .Values.repair.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "name" . }}-repair-role + labels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] + - apiGroups: [""] + resources: ["pods"] + verbs: ["watch", "get", "list"] +{{- if .Values.repair.repairPods }} +{{- /* No privileges needed*/}} +{{- else if .Values.repair.deletePods }} + - apiGroups: [""] + resources: ["pods"] + verbs: ["delete"] +{{- else if .Values.repair.labelPods }} + - apiGroups: [""] + {{- /* pods/status is less privileged than the full pod, and either can label. So use the lower pods/status */}} + resources: ["pods/status"] + verbs: ["patch", "update"] +{{- end }} +{{- end }} +--- +{{- if .Values.ambient.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "name" . }}-ambient + labels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +rules: +- apiGroups: [""] + {{- /* pods/status is less privileged than the full pod, and either can label. So use the lower pods/status */}} + resources: ["pods/status"] + verbs: ["patch", "update"] +- apiGroups: ["apps"] + resources: ["daemonsets"] + resourceNames: ["{{ template "name" . }}-node"] + verbs: ["get"] +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/templates/clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..42fedab1fc --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/templates/clusterrolebinding.yaml @@ -0,0 +1,63 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "name" . }} + labels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "name" . }} +subjects: +- kind: ServiceAccount + name: {{ template "name" . }} + namespace: {{ .Release.Namespace }} +--- +{{- if .Values.repair.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "name" . }}-repair-rolebinding + labels: + k8s-app: {{ template "name" . }}-repair + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +subjects: +- kind: ServiceAccount + name: {{ template "name" . }} + namespace: {{ .Release.Namespace}} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "name" . }}-repair-role +{{- end }} +--- +{{- if .Values.ambient.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "name" . }}-ambient + labels: + k8s-app: {{ template "name" . }}-repair + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ template "name" . }} + namespace: {{ .Release.Namespace}} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "name" . }}-ambient +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/templates/configmap-cni.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/templates/configmap-cni.yaml new file mode 100644 index 0000000000..3deb2cb5ad --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/templates/configmap-cni.yaml @@ -0,0 +1,35 @@ +kind: ConfigMap +apiVersion: v1 +metadata: + name: {{ template "name" . }}-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +data: + CURRENT_AGENT_VERSION: {{ .Values.tag | default .Values.global.tag | quote }} + AMBIENT_ENABLED: {{ .Values.ambient.enabled | quote }} + AMBIENT_DNS_CAPTURE: {{ .Values.ambient.dnsCapture | quote }} + AMBIENT_IPV6: {{ .Values.ambient.ipv6 | quote }} + AMBIENT_RECONCILE_POD_RULES_ON_STARTUP: {{ .Values.ambient.reconcileIptablesOnStartup | quote }} + {{- if .Values.cniConfFileName }} # K8S < 1.24 doesn't like empty values + CNI_CONF_NAME: {{ .Values.cniConfFileName }} # Name of the CNI config file to create. Only override if you know the exact path your CNI requires.. + {{- end }} + CHAINED_CNI_PLUGIN: {{ .Values.chained | quote }} + EXCLUDE_NAMESPACES: "{{ range $idx, $ns := .Values.excludeNamespaces }}{{ if $idx }},{{ end }}{{ $ns }}{{ end }}" + REPAIR_ENABLED: {{ .Values.repair.enabled | quote }} + REPAIR_LABEL_PODS: {{ .Values.repair.labelPods | quote }} + REPAIR_DELETE_PODS: {{ .Values.repair.deletePods | quote }} + REPAIR_REPAIR_PODS: {{ .Values.repair.repairPods | quote }} + REPAIR_INIT_CONTAINER_NAME: {{ .Values.repair.initContainerName | quote }} + REPAIR_BROKEN_POD_LABEL_KEY: {{ .Values.repair.brokenPodLabelKey | quote }} + REPAIR_BROKEN_POD_LABEL_VALUE: {{ .Values.repair.brokenPodLabelValue | quote }} + {{- with .Values.env }} + {{- range $key, $val := . }} + {{ $key }}: "{{ $val }}" + {{- end }} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/templates/daemonset.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/templates/daemonset.yaml new file mode 100644 index 0000000000..cdccd36542 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/templates/daemonset.yaml @@ -0,0 +1,245 @@ +# This manifest installs the Istio install-cni container, as well +# as the Istio CNI plugin and config on +# each master and worker node in a Kubernetes cluster. +# +# $detectedBinDir exists to support a GKE-specific platform override, +# and is deprecated in favor of using the explicit `gke` platform profile. +{{- $detectedBinDir := (.Capabilities.KubeVersion.GitVersion | contains "-gke") | ternary + "/home/kubernetes/bin" + "/opt/cni/bin" +}} +{{- if .Values.cniBinDir }} +{{ $detectedBinDir = .Values.cniBinDir }} +{{- end }} +kind: DaemonSet +apiVersion: apps/v1 +metadata: + # Note that this is templated but evaluates to a fixed name + # which the CNI plugin may fall back onto in some failsafe scenarios. + # if this name is changed, CNI plugin logic that checks for this name + # format should also be updated. + name: {{ template "name" . }}-node + namespace: {{ .Release.Namespace }} + labels: + k8s-app: {{ template "name" . }}-node + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +spec: + selector: + matchLabels: + k8s-app: {{ template "name" . }}-node + {{- with .Values.updateStrategy }} + updateStrategy: + {{- toYaml . | nindent 4 }} + {{- end }} + template: + metadata: + labels: + k8s-app: {{ template "name" . }}-node + sidecar.istio.io/inject: "false" + istio.io/dataplane-mode: none + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 8 }} + annotations: + sidecar.istio.io/inject: "false" + # Add Prometheus Scrape annotations + prometheus.io/scrape: 'true' + prometheus.io/port: "15014" + prometheus.io/path: '/metrics' + # Add AppArmor annotation + # This is required to avoid conflicts with AppArmor profiles which block certain + # privileged pod capabilities. + # Required for Kubernetes 1.29 which does not support setting appArmorProfile in the + # securityContext which is otherwise preferred. + container.apparmor.security.beta.kubernetes.io/install-cni: unconfined + # Custom annotations + {{- if .Values.podAnnotations }} +{{ toYaml .Values.podAnnotations | indent 8 }} + {{- end }} + spec: +{{- if and .Values.ambient.enabled .Values.ambient.shareHostNetworkNamespace }} + hostNetwork: true + dnsPolicy: ClusterFirstWithHostNet +{{- end }} + nodeSelector: + kubernetes.io/os: linux + # Can be configured to allow for excluding istio-cni from being scheduled on specified nodes + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + tolerations: + # Make sure istio-cni-node gets scheduled on all nodes. + - effect: NoSchedule + operator: Exists + # Mark the pod as a critical add-on for rescheduling. + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists + priorityClassName: system-node-critical + serviceAccountName: {{ template "name" . }} + # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force + # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods. + terminationGracePeriodSeconds: 5 + containers: + # This container installs the Istio CNI binaries + # and CNI network config file on each node. + - name: install-cni +{{- if contains "/" .Values.image }} + image: "{{ .Values.image }}" +{{- else }} + image: "{{ .Values.hub | default .Values.global.hub }}/{{ .Values.image | default "install-cni" }}:{{ template "istio-tag" . }}" +{{- end }} +{{- if or .Values.pullPolicy .Values.global.imagePullPolicy }} + imagePullPolicy: {{ .Values.pullPolicy | default .Values.global.imagePullPolicy }} +{{- end }} + ports: + - containerPort: 15014 + name: metrics + protocol: TCP + readinessProbe: + httpGet: + path: /readyz + port: 8000 + securityContext: + privileged: false + runAsGroup: 0 + runAsUser: 0 + runAsNonRoot: false + # Both ambient and sidecar repair mode require elevated node privileges to function. + # But we don't need _everything_ in `privileged`, so explicitly set it to false and + # add capabilities based on feature. + capabilities: + drop: + - ALL + add: + # CAP_NET_ADMIN is required to allow ipset and route table access + - NET_ADMIN + # CAP_NET_RAW is required to allow iptables mutation of the `nat` table + - NET_RAW + # CAP_SYS_PTRACE is required for repair and ambient mode to describe + # the pod's network namespace. + - SYS_PTRACE + # CAP_SYS_ADMIN is required for both ambient and repair, in order to open + # network namespaces in `/proc` to obtain descriptors for entering pod network + # namespaces. There does not appear to be a more granular capability for this. + - SYS_ADMIN + # While we run as a 'root' (UID/GID 0), since we drop all capabilities we lose + # the typical ability to read/write to folders owned by others. + # This can cause problems if the hostPath mounts we use, which we require write access into, + # are owned by non-root. DAC_OVERRIDE bypasses these and gives us write access into any folder. + - DAC_OVERRIDE +{{- if .Values.seLinuxOptions }} +{{ with (merge .Values.seLinuxOptions (dict "type" "spc_t")) }} + seLinuxOptions: +{{ toYaml . | trim | indent 14 }} +{{- end }} +{{- end }} +{{- if .Values.seccompProfile }} + seccompProfile: +{{ toYaml .Values.seccompProfile | trim | indent 14 }} +{{- end }} + command: ["install-cni"] + args: + {{- if or .Values.logging.level .Values.global.logging.level }} + - --log_output_level={{ coalesce .Values.logging.level .Values.global.logging.level }} + {{- end}} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end}} + envFrom: + - configMapRef: + name: {{ template "name" . }}-config + env: + - name: REPAIR_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: REPAIR_RUN_AS_DAEMON + value: "true" + - name: REPAIR_SIDECAR_ANNOTATION + value: "sidecar.istio.io/status" + {{- if not (and .Values.ambient.enabled .Values.ambient.shareHostNetworkNamespace) }} + - name: ALLOW_SWITCH_TO_HOST_NS + value: "true" + {{- end }} + - name: NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + volumeMounts: + - mountPath: /host/opt/cni/bin + name: cni-bin-dir + {{- if or .Values.repair.repairPods .Values.ambient.enabled }} + - mountPath: /host/proc + name: cni-host-procfs + readOnly: true + {{- end }} + - mountPath: /host/etc/cni/net.d + name: cni-net-dir + - mountPath: /var/run/istio-cni + name: cni-socket-dir + {{- if .Values.ambient.enabled }} + - mountPath: /host/var/run/netns + mountPropagation: HostToContainer + name: cni-netns-dir + - mountPath: /var/run/ztunnel + name: cni-ztunnel-sock-dir + {{ end }} + resources: +{{- if .Values.resources }} +{{ toYaml .Values.resources | trim | indent 12 }} +{{- else }} +{{ toYaml .Values.global.defaultResources | trim | indent 12 }} +{{- end }} + volumes: + # Used to install CNI. + - name: cni-bin-dir + hostPath: + path: {{ $detectedBinDir }} + {{- if or .Values.repair.repairPods .Values.ambient.enabled }} + - name: cni-host-procfs + hostPath: + path: /proc + type: Directory + {{- end }} + {{- if .Values.ambient.enabled }} + - name: cni-ztunnel-sock-dir + hostPath: + path: /var/run/ztunnel + type: DirectoryOrCreate + {{- end }} + - name: cni-net-dir + hostPath: + path: {{ .Values.cniConfDir }} + # Used for UDS sockets for logging, ambient eventing + - name: cni-socket-dir + hostPath: + path: /var/run/istio-cni + - name: cni-netns-dir + hostPath: + path: {{ .Values.cniNetnsDir }} + type: DirectoryOrCreate # DirectoryOrCreate instead of Directory for the following reason - CNI may not bind mount this until a non-hostnetwork pod is scheduled on the node, + # and we don't want to block CNI agent pod creation on waiting for the first non-hostnetwork pod. + # Once the CNI does mount this, it will get populated and we're good. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/templates/network-attachment-definition.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/templates/network-attachment-definition.yaml new file mode 100644 index 0000000000..86a2eb7c0b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/templates/network-attachment-definition.yaml @@ -0,0 +1,11 @@ +{{- if eq .Values.provider "multus" }} +apiVersion: k8s.cni.cncf.io/v1 +kind: NetworkAttachmentDefinition +metadata: + name: {{ template "name" . }} + namespace: default + labels: + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/templates/networkpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/templates/networkpolicy.yaml new file mode 100644 index 0000000000..a30df776db --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/templates/networkpolicy.yaml @@ -0,0 +1,36 @@ +{{- if (.Values.global.networkPolicy).enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ template "name" . }}{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + k8s-app: {{ template "name" . }}-node + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + k8s-app: {{ template "name" . }}-node + policyTypes: + - Ingress + - Egress + ingress: + # Metrics endpoint for monitoring/prometheus + - from: [] + ports: + - protocol: TCP + port: 15014 + # Readiness probe endpoint + - from: [] + ports: + - protocol: TCP + port: 8000 + egress: + # Allow DNS resolution and access to Kubernetes API server. + # IP/Port of the API server is heavily dependant on k8s distribution, so we allow all egress for now. + - {} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/templates/resourcequota.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/templates/resourcequota.yaml new file mode 100644 index 0000000000..9a6d61ff91 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/templates/resourcequota.yaml @@ -0,0 +1,19 @@ +{{- if .Values.resourceQuotas.enabled }} +apiVersion: v1 +kind: ResourceQuota +metadata: + name: {{ template "name" . }}-resource-quota + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +spec: + hard: + pods: {{ .Values.resourceQuotas.pods | quote }} + scopeSelector: + matchExpressions: + - operator: In + scopeName: PriorityClass + values: + - system-node-critical +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/templates/serviceaccount.yaml new file mode 100644 index 0000000000..3193d7b74a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/templates/serviceaccount.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: ServiceAccount +{{- if .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range .Values.global.imagePullSecrets }} + - name: {{ . }} +{{- end }} +{{- end }} +metadata: + name: {{ template "name" . }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/templates/zzy_descope_legacy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/templates/zzy_descope_legacy.yaml new file mode 100644 index 0000000000..a9584ac29f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/templates/zzy_descope_legacy.yaml @@ -0,0 +1,3 @@ +{{/* Copy anything under `.cni` to `.`, to avoid the need to specify a redundant prefix. +Due to the file naming, this always happens after zzz_profile.yaml */}} +{{- $_ := mustMergeOverwrite $.Values (index $.Values "cni") }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/templates/zzz_profile.yaml new file mode 100644 index 0000000000..3d84956485 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/templates/zzz_profile.yaml @@ -0,0 +1,75 @@ +{{/* +WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. +The original version of this file is located at /manifests directory. +If you want to make a change in this file, edit the original one and run "make gen". + +Complex logic ahead... +We have three sets of values, in order of precedence (last wins): +1. The builtin values.yaml defaults +2. The profile the user selects +3. Users input (-f or --set) + +Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). + +However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). +We can then merge the profile onto the defaults, then the user settings onto that. +Finally, we can set all of that under .Values so the chart behaves without awareness. +*/}} +{{- if $.Values.defaults}} +{{ fail (cat + "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" + ($.Values.defaults | toYaml |nindent 4) +) }} +{{- end }} +{{- $defaults := $.Values._internal_defaults_do_not_set }} +{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} +{{- $profile := dict }} +{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} +{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} +{{- $profile = (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown profile" .) }} +{{- end }} +{{- end }} +{{- with .Values.compatibilityVersion }} +{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} +{{- end }} +{{- end }} +{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} +{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown platform" .) }} +{{- end }} +{{- end }} +{{- if $profile }} +{{- $a := mustMergeOverwrite $defaults $profile }} +{{- end }} +# Flatten globals, if defined on a per-chart basis +{{- if false }} +{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} +{{- end }} +{{- $x := set $.Values "_original" (deepCopy $.Values) }} +{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} + +{{/* +Labels that should be applied to ALL resources. +*/}} +{{- define "istio.labels" -}} +{{- if .Release.Service -}} +app.kubernetes.io/managed-by: {{ .Release.Service | quote }} +{{- end }} +{{- if .Release.Name }} +app.kubernetes.io/instance: {{ .Release.Name | quote }} +{{- end }} +app.kubernetes.io/part-of: "istio" +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +{{- if and .Chart.Name .Chart.Version }} +helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/values.yaml new file mode 100644 index 0000000000..b86115fc8c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/cni/values.yaml @@ -0,0 +1,156 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + hub: "" + tag: "" + variant: "" + image: install-cni + pullPolicy: "" + + # Same as `global.logging.level`, but will override it if set + logging: + level: "" + + # Configuration file to insert istio-cni plugin configuration + # by default this will be the first file found in the cni-conf-dir + # Example + # cniConfFileName: 10-calico.conflist + + # CNI-and-platform specific path defaults. + # These may need to be set to platform-specific values, consult + # overrides for your platform in `manifests/helm-profiles/platform-*.yaml` + cniBinDir: /opt/cni/bin + cniConfDir: /etc/cni/net.d + cniConfFileName: "" + cniNetnsDir: "/var/run/netns" + + excludeNamespaces: + - kube-system + + # Allows user to set custom affinity for the DaemonSet + affinity: {} + + # Custom annotations on pod level, if you need them + podAnnotations: {} + + # Deploy the config files as plugin chain (value "true") or as standalone files in the conf dir (value "false")? + # Some k8s flavors (e.g. OpenShift) do not support the chain approach, set to false if this is the case + chained: true + + # Custom configuration happens based on the CNI provider. + # Possible values: "default", "multus" + provider: "default" + + # Configure ambient settings + ambient: + # If enabled, ambient redirection will be enabled + enabled: false + # Set ambient config dir path: defaults to /etc/ambient-config + configDir: "" + # If enabled, and ambient is enabled, DNS redirection will be enabled + dnsCapture: true + # If enabled, and ambient is enabled, enables ipv6 support + ipv6: true + # If enabled, and ambient is enabled, the CNI agent will reconcile incompatible iptables rules and chains at startup. + # This will eventually be enabled by default + reconcileIptablesOnStartup: false + # If enabled, and ambient is enabled, the CNI agent will always share the network namespace of the host node it is running on + shareHostNetworkNamespace: false + + + repair: + enabled: true + hub: "" + tag: "" + + # Repair controller has 3 modes. Pick which one meets your use cases. Note only one may be used. + # This defines the action the controller will take when a pod is detected as broken. + + # labelPods will label all pods with =. + # This is only capable of identifying broken pods; the user is responsible for fixing them (generally, by deleting them). + # Note this gives the DaemonSet a relatively high privilege, as modifying pod metadata/status can have wider impacts. + labelPods: false + # deletePods will delete any broken pod. These will then be rescheduled, hopefully onto a node that is fully ready. + # Note this gives the DaemonSet a relatively high privilege, as it can delete any Pod. + deletePods: false + # repairPods will dynamically repair any broken pod by setting up the pod networking configuration even after it has started. + # Note the pod will be crashlooping, so this may take a few minutes to become fully functional based on when the retry occurs. + # This requires no RBAC privilege, but does require `securityContext.privileged/CAP_SYS_ADMIN`. + repairPods: true + + initContainerName: "istio-validation" + + brokenPodLabelKey: "cni.istio.io/uninitialized" + brokenPodLabelValue: "true" + + # Set to `type: RuntimeDefault` to use the default profile if available. + seccompProfile: {} + + # SELinux options to set in the istio-cni-node pods. You may need to set this to `type: spc_t` for some platforms. + seLinuxOptions: {} + + resources: + requests: + cpu: 100m + memory: 100Mi + + resourceQuotas: + enabled: false + pods: 5000 + + # K8s DaemonSet update strategy. + # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec). + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 + + # Revision is set as 'version' label and part of the resource names when installing multiple control planes. + revision: "" + + # For Helm compatibility. + ownerName: "" + + global: + # Default hub for Istio images. + # Releases are published to docker hub under 'istio' project. + # Dev builds from prow are on gcr.io + hub: gcr.io/istio-release + + # Default tag for Istio images. + tag: 1.26.8 + + # Variant of the image to use. + # Currently supported are: [debug, distroless] + variant: "" + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent. + imagePullPolicy: "" + + # change cni scope level to control logging out of istio-cni-node DaemonSet + logging: + level: info + + logAsJson: false + + # When enabled, default NetworkPolicy resources will be created + networkPolicy: + enabled: false + + # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) + # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + # - private-registry-key + + # Default resources allocated + defaultResources: + requests: + cpu: 100m + memory: 100Mi + + # A `key: value` mapping of environment variables to add to the pod + env: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/Chart.yaml new file mode 100644 index 0000000000..17896d25b9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/Chart.yaml @@ -0,0 +1,12 @@ +apiVersion: v2 +appVersion: 1.26.8 +description: Helm chart for deploying Istio gateways +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio +- gateways +name: gateway +sources: +- https://github.com/istio/istio +type: application +version: 1.26.8 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/README.md new file mode 100644 index 0000000000..5c064d165b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/README.md @@ -0,0 +1,170 @@ +# Istio Gateway Helm Chart + +This chart installs an Istio gateway deployment. + +## Setup Repo Info + +```console +helm repo add istio https://istio-release.storage.googleapis.com/charts +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Installing the Chart + +To install the chart with the release name `istio-ingressgateway`: + +```console +helm install istio-ingressgateway istio/gateway +``` + +## Uninstalling the Chart + +To uninstall/delete the `istio-ingressgateway` deployment: + +```console +helm delete istio-ingressgateway +``` + +## Configuration + +To view support configuration options and documentation, run: + +```console +helm show values istio/gateway +``` + +### Profiles + +Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. +These can be set with `--set profile=`. +For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. + +For consistency, the same profiles are used across each chart, even if they do not impact a given chart. + +Explicitly set values have highest priority, then profile settings, then chart defaults. + +As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. +When configuring the chart, you should not include this. +That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. + +### OpenShift + +When deploying the gateway in an OpenShift cluster, use the `openshift` profile to override the default values, for example: + +```console +helm install istio-ingressgateway istio/gateway --set profile=openshift +``` + +### `image: auto` Information + +The image used by the chart, `auto`, may be unintuitive. +This exists because the pod spec will be automatically populated at runtime, using the same mechanism as [Sidecar Injection](istio.io/latest/docs/setup/additional-setup/sidecar-injection). +This allows the same configurations and lifecycle to apply to gateways as sidecars. + +Note: this does mean that the namespace the gateway is deployed in must not have the `istio-injection=disabled` label. +See [Controlling the injection policy](https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#controlling-the-injection-policy) for more info. + +### Examples + +#### Egress Gateway + +Deploying a Gateway to be used as an [Egress Gateway](https://istio.io/latest/docs/tasks/traffic-management/egress/egress-gateway/): + +```yaml +service: + # Egress gateways do not need an external LoadBalancer IP + type: ClusterIP +``` + +#### Multi-network/VM Gateway + +Deploying a Gateway to be used as a [Multi-network Gateway](https://istio.io/latest/docs/setup/install/multicluster/) for network `network-1`: + +```yaml +networkGateway: network-1 +``` + +### Migrating from other installation methods + +Installations from other installation methods (such as istioctl, Istio Operator, other helm charts, etc) can be migrated to use the new Helm charts +following the guidance below. +If you are able to, a clean installation is simpler. However, this often requires an external IP migration which can be challenging. + +WARNING: when installing over an existing deployment, the two deployments will be merged together by Helm, which may lead to unexpected results. + +#### Legacy Gateway Helm charts + +Istio historically offered two different charts - `manifests/charts/gateways/istio-ingress` and `manifests/charts/gateways/istio-egress`. +These are replaced by this chart. +While not required, it is recommended all new users use this chart, and existing users migrate when possible. + +This chart has the following benefits and differences: +* Designed with Helm best practices in mind (standardized values options, values schema, values are not all nested under `gateways.istio-ingressgateway.*`, release name and namespace taken into account, etc). +* Utilizes Gateway injection, simplifying upgrades, allowing gateways to run in any namespace, and avoiding repeating config for sidecars and gateways. +* Published to official Istio Helm repository. +* Single chart for all gateways (Ingress, Egress, East West). + +#### General concerns + +For a smooth migration, the resource names and `Deployment.spec.selector` labels must match. + +If you install with `helm install istio-gateway istio/gateway`, resources will be named `istio-gateway` and the `selector` labels set to: + +```yaml +app: istio-gateway +istio: gateway # the release name with leading istio- prefix stripped +``` + +If your existing installation doesn't follow these names, you can override them. For example, if you have resources named `my-custom-gateway` with `selector` labels +`foo=bar,istio=ingressgateway`: + +```yaml +name: my-custom-gateway # Override the name to match existing resources +labels: + app: "" # Unset default app selector label + istio: ingressgateway # override default istio selector label + foo: bar # Add the existing custom selector label +``` + +#### Migrating an existing Helm release + +An existing helm release can be `helm upgrade`d to this chart by using the same release name. For example, if a previous +installation was done like: + +```console +helm install istio-ingress manifests/charts/gateways/istio-ingress -n istio-system +``` + +It could be upgraded with + +```console +helm upgrade istio-ingress manifests/charts/gateway -n istio-system --set name=istio-ingressgateway --set labels.app=istio-ingressgateway --set labels.istio=ingressgateway +``` + +Note the name and labels are overridden to match the names of the existing installation. + +Warning: the helm charts here default to using port 80 and 443, while the old charts used 8080 and 8443. +If you have AuthorizationPolicies that reference port these ports, you should update them during this process, +or customize the ports to match the old defaults. +See the [security advisory](https://istio.io/latest/news/security/istio-security-2021-002/) for more information. + +#### Other migrations + +If you see errors like `rendered manifests contain a resource that already exists` during installation, you may need to forcibly take ownership. + +The script below can handle this for you. Replace `RELEASE` and `NAMESPACE` with the name and namespace of the release: + +```console +KINDS=(service deployment) +RELEASE=istio-ingressgateway +NAMESPACE=istio-system +for KIND in "${KINDS[@]}"; do + kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-name=$RELEASE + kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-namespace=$NAMESPACE + kubectl --namespace $NAMESPACE --overwrite=true label $KIND $RELEASE app.kubernetes.io/managed-by=Helm +done +``` + +You may ignore errors about resources not being found. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/files/profile-ambient.yaml new file mode 100644 index 0000000000..2805fe46bf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/files/profile-ambient.yaml @@ -0,0 +1,17 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/files/profile-compatibility-version-1.23.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/files/profile-compatibility-version-1.23.yaml new file mode 100644 index 0000000000..dac910ff5b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/files/profile-compatibility-version-1.23.yaml @@ -0,0 +1,25 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + ENABLE_INBOUND_RETRY_POLICY: "false" + EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" + +ambient: + # Not present in <1.24, defaults to `true` in 1.25+ + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 0000000000..b211c82666 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/files/profile-compatibility-version-1.24.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + PILOT_ENABLE_IP_AUTOALLOCATE: "false" +ambient: + dnsCapture: false + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..eb8827cd50 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/files/profile-demo.yaml new file mode 100644 index 0000000000..d6dc36dd0f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/files/profile-demo.yaml @@ -0,0 +1,94 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The demo profile enables a variety of things to try out Istio in non-production environments. +# * Lower resource utilization. +# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. +# * More ports enabled on the ingress, which is used in some tasks. +meshConfig: + accessLogFile: /dev/stdout + extensionProviders: + - name: otel + envoyOtelAls: + service: opentelemetry-collector.observability.svc.cluster.local + port: 4317 + - name: skywalking + skywalking: + service: tracing.istio-system.svc.cluster.local + port: 11800 + - name: otel-tracing + opentelemetry: + port: 4317 + service: opentelemetry-collector.observability.svc.cluster.local + - name: jaeger + opentelemetry: + port: 4317 + service: jaeger-collector.istio-system.svc.cluster.local + +cni: + resources: + requests: + cpu: 10m + memory: 40Mi + +ztunnel: + resources: + requests: + cpu: 10m + memory: 40Mi + +global: + proxy: + resources: + requests: + cpu: 10m + memory: 40Mi + waypoint: + resources: + requests: + cpu: 10m + memory: 40Mi + +pilot: + autoscaleEnabled: false + traceSampling: 100 + resources: + requests: + cpu: 10m + memory: 100Mi + +gateways: + istio-egressgateway: + autoscaleEnabled: false + resources: + requests: + cpu: 10m + memory: 40Mi + istio-ingressgateway: + autoscaleEnabled: false + ports: + ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. + # Note that AWS ELB will by default perform health checks on the first port + # on this list. Setting this to the health check port will ensure that health + # checks always work. https://github.com/istio/istio/issues/12503 + - port: 15021 + targetPort: 15021 + name: status-port + - port: 80 + targetPort: 8080 + name: http2 + - port: 443 + targetPort: 8443 + name: https + - port: 31400 + targetPort: 31400 + name: tcp + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + resources: + requests: + cpu: 10m + memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/files/profile-platform-gke.yaml new file mode 100644 index 0000000000..dfe8a7d741 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/files/profile-platform-gke.yaml @@ -0,0 +1,10 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work + resourceQuotas: + enabled: true +resourceQuotas: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/files/profile-platform-k3d.yaml new file mode 100644 index 0000000000..cd86d9ec58 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/files/profile-platform-k3d.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/files/profile-platform-k3s.yaml new file mode 100644 index 0000000000..07820106d9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/files/profile-platform-k3s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/files/profile-platform-microk8s.yaml new file mode 100644 index 0000000000..57d7f5e3cd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/files/profile-platform-microk8s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/snap/microk8s/current/args/cni-network + cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/files/profile-platform-minikube.yaml new file mode 100644 index 0000000000..fa9992e204 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/files/profile-platform-minikube.yaml @@ -0,0 +1,6 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/files/profile-platform-openshift.yaml new file mode 100644 index 0000000000..8ddc5e1654 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/files/profile-platform-openshift.yaml @@ -0,0 +1,19 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The OpenShift profile provides a basic set of settings to run Istio on OpenShift +cni: + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + provider: "multus" +pilot: + cni: + enabled: true + provider: "multus" +seLinuxOptions: + type: spc_t +# Openshift requires privileged pods to run in kube-system +trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/files/profile-preview.yaml new file mode 100644 index 0000000000..181d7bda2c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/files/profile-preview.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +meshConfig: + defaultConfig: + proxyMetadata: + # Enable Istio agent to handle DNS requests for known hosts + # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf + ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/files/profile-remote.yaml new file mode 100644 index 0000000000..d17b9a801a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/files/profile-remote.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. +istiodRemote: + enabled: true +configMap: false +telemetry: + enabled: false +global: + # TODO BML maybe a different profile for a configcluster/revisit this + omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/files/profile-stable.yaml new file mode 100644 index 0000000000..358282e69b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/files/profile-stable.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The stable profile deploys admission control to ensure that only stable resources and fields are used +# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE +experimental: + stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/templates/NOTES.txt new file mode 100644 index 0000000000..fd0142911a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/templates/NOTES.txt @@ -0,0 +1,9 @@ +"{{ include "gateway.name" . }}" successfully installed! + +To learn more about the release, try: + $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} + $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} + +Next steps: + * Deploy an HTTP Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/ingress-control/ + * Deploy an HTTPS Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/ diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/templates/_helpers.tpl new file mode 100644 index 0000000000..e5a0a9b3c2 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/templates/_helpers.tpl @@ -0,0 +1,40 @@ +{{- define "gateway.name" -}} +{{- if eq .Release.Name "RELEASE-NAME" -}} + {{- .Values.name | default "istio-ingressgateway" -}} +{{- else -}} + {{- .Values.name | default .Release.Name | default "istio-ingressgateway" -}} +{{- end -}} +{{- end }} + +{{- define "gateway.labels" -}} +{{ include "gateway.selectorLabels" . }} +{{- range $key, $val := .Values.labels }} +{{- if and (ne $key "app") (ne $key "istio") }} +{{ $key | quote }}: {{ $val | quote }} +{{- end }} +{{- end }} +{{- end }} + +{{- define "gateway.selectorLabels" -}} +app: {{ (.Values.labels.app | quote) | default (include "gateway.name" .) }} +istio: {{ (.Values.labels.istio | quote) | default (include "gateway.name" . | trimPrefix "istio-") }} +{{- end }} + +{{/* +Keep sidecar injection labels together +https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#controlling-the-injection-policy +*/}} +{{- define "gateway.sidecarInjectionLabels" -}} +sidecar.istio.io/inject: "true" +{{- with .Values.revision }} +istio.io/rev: {{ . | quote }} +{{- end }} +{{- end }} + +{{- define "gateway.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- .Values.serviceAccount.name | default (include "gateway.name" .) }} +{{- else }} +{{- .Values.serviceAccount.name | default "default" }} +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/templates/deployment.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/templates/deployment.yaml new file mode 100644 index 0000000000..d83ff3b493 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/templates/deployment.yaml @@ -0,0 +1,131 @@ +apiVersion: apps/v1 +kind: {{ .Values.kind | default "Deployment" }} +metadata: + name: {{ include "gateway.name" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} + {{- include "gateway.labels" . | nindent 4}} + annotations: + {{- .Values.annotations | toYaml | nindent 4 }} +spec: + {{- if not .Values.autoscaling.enabled }} + {{- if and (hasKey .Values "replicaCount") (ne .Values.replicaCount nil) }} + replicas: {{ .Values.replicaCount }} + {{- end }} + {{- end }} + {{- with .Values.strategy }} + strategy: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.minReadySeconds }} + minReadySeconds: {{ . }} + {{- end }} + selector: + matchLabels: + {{- include "gateway.selectorLabels" . | nindent 6 }} + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "gateway.sidecarInjectionLabels" . | nindent 8 }} + {{- include "gateway.selectorLabels" . | nindent 8 }} + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 8}} + {{- range $key, $val := .Values.labels }} + {{- if and (ne $key "app") (ne $key "istio") }} + {{ $key | quote }}: {{ $val | quote }} + {{- end }} + {{- end }} + {{- with .Values.networkGateway }} + topology.istio.io/network: "{{.}}" + {{- end }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "gateway.serviceAccountName" . }} + securityContext: + {{- if .Values.securityContext }} + {{- toYaml .Values.securityContext | nindent 8 }} + {{- else }} + # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326 + sysctls: + - name: net.ipv4.ip_unprivileged_port_start + value: "0" + {{- end }} + {{- with .Values.volumes }} + volumes: + {{ toYaml . | nindent 8 }} + {{- end }} + containers: + - name: istio-proxy + # "auto" will be populated at runtime by the mutating webhook. See https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#customizing-injection + image: auto + {{- with .Values.imagePullPolicy }} + imagePullPolicy: {{ . }} + {{- end }} + securityContext: + {{- if .Values.containerSecurityContext }} + {{- toYaml .Values.containerSecurityContext | nindent 12 }} + {{- else }} + capabilities: + drop: + - ALL + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + {{- if not (eq (.Values.platform | default "") "openshift") }} + runAsUser: 1337 + runAsGroup: 1337 + {{- end }} + runAsNonRoot: true + {{- end }} + env: + {{- with .Values.networkGateway }} + - name: ISTIO_META_REQUESTED_NETWORK_VIEW + value: "{{.}}" + {{- end }} + {{- range $key, $val := .Values.env }} + - name: {{ $key }} + value: {{ $val | quote }} + {{- end }} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + resources: + {{- toYaml .Values.resources | nindent 12 }} + {{- with .Values.volumeMounts }} + volumeMounts: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.readinessProbe }} + readinessProbe: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml . | nindent 8 }} + {{- end }} + terminationGracePeriodSeconds: {{ $.Values.terminationGracePeriodSeconds }} + {{- with .Values.priorityClassName }} + priorityClassName: {{ . }} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/templates/hpa.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/templates/hpa.yaml new file mode 100644 index 0000000000..64ecb6a4cd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/templates/hpa.yaml @@ -0,0 +1,40 @@ +{{- if and (.Values.autoscaling.enabled) (eq .Values.kind "Deployment") }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "gateway.name" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} + {{- include "gateway.labels" . | nindent 4 }} + annotations: + {{- .Values.annotations | toYaml | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: {{ .Values.kind | default "Deployment" }} + name: {{ include "gateway.name" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + metrics: + {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} + type: Utilization + {{- end }} + {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} + type: Utilization + {{- end }} + {{- if .Values.autoscaling.autoscaleBehavior }} + behavior: {{ toYaml .Values.autoscaling.autoscaleBehavior | nindent 4 }} + {{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/templates/poddisruptionbudget.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/templates/poddisruptionbudget.yaml new file mode 100644 index 0000000000..91869a0ead --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/templates/poddisruptionbudget.yaml @@ -0,0 +1,21 @@ +{{- if .Values.podDisruptionBudget }} +# a workaround for https://github.com/kubernetes/kubernetes/issues/93476 +{{- if or (and .Values.autoscaling.enabled (gt (int .Values.autoscaling.minReplicas) 1)) (and (not .Values.autoscaling.enabled) (gt (int .Values.replicaCount) 1)) }} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "gateway.name" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} + {{- include "gateway.labels" . | nindent 4}} +spec: + selector: + matchLabels: + {{- include "gateway.selectorLabels" . | nindent 6 }} + {{- with .Values.podDisruptionBudget }} + {{- toYaml . | nindent 2 }} + {{- end }} +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/templates/role.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/templates/role.yaml new file mode 100644 index 0000000000..3d16079632 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/templates/role.yaml @@ -0,0 +1,37 @@ +{{/*Set up roles for Istio Gateway. Not required for gateway-api*/}} +{{- if .Values.rbac.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "gateway.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} + {{- include "gateway.labels" . | nindent 4}} + annotations: + {{- .Values.annotations | toYaml | nindent 4 }} +rules: +- apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "watch", "list"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "gateway.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} + {{- include "gateway.labels" . | nindent 4}} + annotations: + {{- .Values.annotations | toYaml | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "gateway.serviceAccountName" . }} +subjects: +- kind: ServiceAccount + name: {{ include "gateway.serviceAccountName" . }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/templates/service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/templates/service.yaml new file mode 100644 index 0000000000..3e28418f7b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/templates/service.yaml @@ -0,0 +1,69 @@ +{{- if not (eq .Values.service.type "None") }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "gateway.name" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} + {{- include "gateway.labels" . | nindent 4 }} + {{- with .Values.networkGateway }} + topology.istio.io/network: "{{.}}" + {{- end }} + annotations: + {{- merge (deepCopy .Values.service.annotations) .Values.annotations | toYaml | nindent 4 }} +spec: +{{- with .Values.service.loadBalancerIP }} + loadBalancerIP: "{{ . }}" +{{- end }} +{{- if eq .Values.service.type "LoadBalancer" }} + {{- if hasKey .Values.service "allocateLoadBalancerNodePorts" }} + allocateLoadBalancerNodePorts: {{ .Values.service.allocateLoadBalancerNodePorts }} + {{- end }} + {{- if hasKey .Values.service "loadBalancerClass" }} + loadBalancerClass: {{ .Values.service.loadBalancerClass }} + {{- end }} +{{- end }} +{{- if .Values.service.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.service.ipFamilyPolicy }} +{{- end }} +{{- if .Values.service.ipFamilies }} + ipFamilies: +{{- range .Values.service.ipFamilies }} + - {{ . }} +{{- end }} +{{- end }} +{{- with .Values.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml . | indent 4 }} +{{- end }} +{{- with .Values.service.externalTrafficPolicy }} + externalTrafficPolicy: "{{ . }}" +{{- end }} + type: {{ .Values.service.type }} + ports: +{{- if .Values.networkGateway }} + - name: status-port + port: 15021 + targetPort: 15021 + - name: tls + port: 15443 + targetPort: 15443 + - name: tls-istiod + port: 15012 + targetPort: 15012 + - name: tls-webhook + port: 15017 + targetPort: 15017 +{{- else }} +{{ .Values.service.ports | toYaml | indent 4 }} +{{- end }} +{{- if .Values.service.externalIPs }} + externalIPs: {{- range .Values.service.externalIPs }} + - {{.}} + {{- end }} +{{- end }} + selector: + {{- include "gateway.selectorLabels" . | nindent 4 }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/templates/serviceaccount.yaml new file mode 100644 index 0000000000..c88afeadd3 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/templates/serviceaccount.yaml @@ -0,0 +1,15 @@ +{{- if .Values.serviceAccount.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "gateway.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} + {{- include "gateway.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/templates/zzz_profile.yaml new file mode 100644 index 0000000000..606c556697 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/templates/zzz_profile.yaml @@ -0,0 +1,75 @@ +{{/* +WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. +The original version of this file is located at /manifests directory. +If you want to make a change in this file, edit the original one and run "make gen". + +Complex logic ahead... +We have three sets of values, in order of precedence (last wins): +1. The builtin values.yaml defaults +2. The profile the user selects +3. Users input (-f or --set) + +Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). + +However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). +We can then merge the profile onto the defaults, then the user settings onto that. +Finally, we can set all of that under .Values so the chart behaves without awareness. +*/}} +{{- if $.Values.defaults}} +{{ fail (cat + "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" + ($.Values.defaults | toYaml |nindent 4) +) }} +{{- end }} +{{- $defaults := $.Values._internal_defaults_do_not_set }} +{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} +{{- $profile := dict }} +{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} +{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} +{{- $profile = (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown profile" .) }} +{{- end }} +{{- end }} +{{- with .Values.compatibilityVersion }} +{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} +{{- end }} +{{- end }} +{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} +{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown platform" .) }} +{{- end }} +{{- end }} +{{- if $profile }} +{{- $a := mustMergeOverwrite $defaults $profile }} +{{- end }} +# Flatten globals, if defined on a per-chart basis +{{- if true }} +{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} +{{- end }} +{{- $x := set $.Values "_original" (deepCopy $.Values) }} +{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} + +{{/* +Labels that should be applied to ALL resources. +*/}} +{{- define "istio.labels" -}} +{{- if .Release.Service -}} +app.kubernetes.io/managed-by: {{ .Release.Service | quote }} +{{- end }} +{{- if .Release.Name }} +app.kubernetes.io/instance: {{ .Release.Name | quote }} +{{- end }} +app.kubernetes.io/part-of: "istio" +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +{{- if and .Chart.Name .Chart.Version }} +helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/values.schema.json b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/values.schema.json new file mode 100644 index 0000000000..d81fcffaa5 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/values.schema.json @@ -0,0 +1,368 @@ +{ + "$schema": "http://json-schema.org/schema#", + "$defs": { + "values": { + "type": "object", + "additionalProperties": false, + "properties": { + "_internal_defaults_do_not_set": { + "type": "object" + }, + "global": { + "type": "object" + }, + "affinity": { + "type": "object" + }, + "securityContext": { + "type": [ + "object", + "null" + ] + }, + "containerSecurityContext": { + "type": [ + "object", + "null" + ] + }, + "kind": { + "type": "string", + "enum": [ + "Deployment", + "DaemonSet" + ] + }, + "annotations": { + "additionalProperties": { + "type": [ + "string", + "integer" + ] + }, + "type": "object" + }, + "autoscaling": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "maxReplicas": { + "type": "integer" + }, + "minReplicas": { + "type": "integer" + }, + "targetCPUUtilizationPercentage": { + "type": "integer" + } + } + }, + "env": { + "type": "object" + }, + "envVarFrom": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "valueFrom": { + "type": "object" + } + } + } + }, + "strategy": { + "type": "object" + }, + "minReadySeconds": { + "type": [ + "null", + "integer" + ] + }, + "readinessProbe": { + "type": [ + "null", + "object" + ] + }, + "labels": { + "type": "object" + }, + "name": { + "type": "string" + }, + "nodeSelector": { + "type": "object" + }, + "podAnnotations": { + "type": "object", + "properties": { + "inject.istio.io/templates": { + "type": "string" + }, + "prometheus.io/path": { + "type": "string" + }, + "prometheus.io/port": { + "type": "string" + }, + "prometheus.io/scrape": { + "type": "string" + } + } + }, + "replicaCount": { + "type": [ + "integer", + "null" + ] + }, + "resources": { + "type": "object", + "properties": { + "limits": { + "type": "object", + "properties": { + "cpu": { + "type": [ + "string", + "null" + ] + }, + "memory": { + "type": [ + "string", + "null" + ] + } + } + }, + "requests": { + "type": "object", + "properties": { + "cpu": { + "type": [ + "string", + "null" + ] + }, + "memory": { + "type": [ + "string", + "null" + ] + } + } + } + } + }, + "revision": { + "type": "string" + }, + "defaultRevision": { + "type": "string" + }, + "compatibilityVersion": { + "type": "string" + }, + "profile": { + "type": "string" + }, + "platform": { + "type": "string" + }, + "pilot": { + "type": "object" + }, + "runAsRoot": { + "type": "boolean" + }, + "unprivilegedPort": { + "type": [ + "string", + "boolean" + ], + "enum": [ + true, + false, + "auto" + ] + }, + "service": { + "type": "object", + "properties": { + "annotations": { + "type": "object" + }, + "externalTrafficPolicy": { + "type": "string" + }, + "loadBalancerIP": { + "type": "string" + }, + "loadBalancerSourceRanges": { + "type": "array" + }, + "ipFamilies": { + "items": { + "type": "string", + "enum": [ + "IPv4", + "IPv6" + ] + } + }, + "ipFamilyPolicy": { + "type": "string", + "enum": [ + "", + "SingleStack", + "PreferDualStack", + "RequireDualStack" + ] + }, + "ports": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "port": { + "type": "integer" + }, + "protocol": { + "type": "string" + }, + "targetPort": { + "type": "integer" + } + } + } + }, + "type": { + "type": "string" + } + } + }, + "serviceAccount": { + "type": "object", + "properties": { + "annotations": { + "type": "object" + }, + "name": { + "type": "string" + }, + "create": { + "type": "boolean" + } + } + }, + "rbac": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, + "tolerations": { + "type": "array" + }, + "topologySpreadConstraints": { + "type": "array" + }, + "networkGateway": { + "type": "string" + }, + "imagePullPolicy": { + "type": "string", + "enum": [ + "", + "Always", + "IfNotPresent", + "Never" + ] + }, + "imagePullSecrets": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + } + } + } + }, + "podDisruptionBudget": { + "type": "object", + "properties": { + "minAvailable": { + "type": [ + "integer", + "string" + ] + }, + "maxUnavailable": { + "type": [ + "integer", + "string" + ] + }, + "unhealthyPodEvictionPolicy": { + "type": "string", + "enum": [ + "", + "IfHealthyBudget", + "AlwaysAllow" + ] + } + } + }, + "terminationGracePeriodSeconds": { + "type": "number" + }, + "volumes": { + "type": "array", + "items": { + "type": "object" + } + }, + "volumeMounts": { + "type": "array", + "items": { + "type": "object" + } + }, + "initContainers": { + "type": "array", + "items": { + "type": "object" + } + }, + "additionalContainers": { + "type": "array", + "items": { + "type": "object" + } + }, + "priorityClassName": { + "type": "string" + } + } + } + }, + "defaults": { + "$ref": "#/$defs/values" + }, + "$ref": "#/$defs/values" +} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/values.yaml new file mode 100644 index 0000000000..5d4fd3b754 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/gateway/values.yaml @@ -0,0 +1,173 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + # Name allows overriding the release name. Generally this should not be set + name: "" + # revision declares which revision this gateway is a part of + revision: "" + + # Controls the spec.replicas setting for the Gateway deployment if set. + # Otherwise defaults to Kubernetes Deployment default (1). + replicaCount: + + kind: Deployment + + rbac: + # If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed + # when using http://gateway-api.org/. + enabled: true + + serviceAccount: + # If set, a service account will be created. Otherwise, the default is used + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set, the release name is used + name: "" + + podAnnotations: + prometheus.io/port: "15020" + prometheus.io/scrape: "true" + prometheus.io/path: "/stats/prometheus" + inject.istio.io/templates: "gateway" + sidecar.istio.io/inject: "true" + + # Define the security context for the pod. + # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. + # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. + securityContext: {} + containerSecurityContext: {} + + service: + # Type of service. Set to "None" to disable the service entirely + type: LoadBalancer + ports: + - name: status-port + port: 15021 + protocol: TCP + targetPort: 15021 + - name: http2 + port: 80 + protocol: TCP + targetPort: 80 + - name: https + port: 443 + protocol: TCP + targetPort: 443 + annotations: {} + loadBalancerIP: "" + loadBalancerSourceRanges: [] + externalTrafficPolicy: "" + externalIPs: [] + ipFamilyPolicy: "" + ipFamilies: [] + ## Whether to automatically allocate NodePorts (only for LoadBalancers). + # allocateLoadBalancerNodePorts: false + ## Set LoadBalancer class (only for LoadBalancers). + # loadBalancerClass: "" + + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 1024Mi + + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 5 + targetCPUUtilizationPercentage: 80 + targetMemoryUtilizationPercentage: {} + autoscaleBehavior: {} + + # Pod environment variables + env: {} + + # Deployment Update strategy + strategy: {} + + # Sets the Deployment minReadySeconds value + minReadySeconds: + + # Optionally configure a custom readinessProbe. By default the control plane + # automatically injects the readinessProbe. If you wish to override that + # behavior, you may define your own readinessProbe here. + readinessProbe: {} + + # Labels to apply to all resources + labels: + # By default, don't enroll gateways into the ambient dataplane + "istio.io/dataplane-mode": none + + # Annotations to apply to all resources + annotations: {} + + nodeSelector: {} + + tolerations: [] + + topologySpreadConstraints: [] + + affinity: {} + + # If specified, the gateway will act as a network gateway for the given network. + networkGateway: "" + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent + imagePullPolicy: "" + + imagePullSecrets: [] + + # This value is used to configure a Kubernetes PodDisruptionBudget for the gateway. + # + # By default, the `podDisruptionBudget` is disabled (set to `{}`), + # which means that no PodDisruptionBudget resource will be created. + # + # The PodDisruptionBudget can be only enabled if autoscaling is enabled + # with minReplicas > 1 or if autoscaling is disabled but replicaCount > 1. + # + # To enable the PodDisruptionBudget, configure it by specifying the + # `minAvailable` or `maxUnavailable`. For example, to set the + # minimum number of available replicas to 1, you can update this value as follows: + # + # podDisruptionBudget: + # minAvailable: 1 + # + # Or, to allow a maximum of 1 unavailable replica, you can set: + # + # podDisruptionBudget: + # maxUnavailable: 1 + # + # You can also specify the `unhealthyPodEvictionPolicy` field, and the valid values are `IfHealthyBudget` and `AlwaysAllow`. + # For example, to set the `unhealthyPodEvictionPolicy` to `AlwaysAllow`, you can update this value as follows: + # + # podDisruptionBudget: + # minAvailable: 1 + # unhealthyPodEvictionPolicy: AlwaysAllow + # + # To disable the PodDisruptionBudget, you can leave it as an empty object `{}`: + # + # podDisruptionBudget: {} + # + podDisruptionBudget: {} + + # Sets the per-pod terminationGracePeriodSeconds setting. + terminationGracePeriodSeconds: 30 + + # A list of `Volumes` added into the Gateway Pods. See + # https://kubernetes.io/docs/concepts/storage/volumes/. + volumes: [] + + # A list of `VolumeMounts` added into the Gateway Pods. See + # https://kubernetes.io/docs/concepts/storage/volumes/. + volumeMounts: [] + + # Configure this to a higher priority class in order to make sure your Istio gateway pods + # will not be killed because of low priority class. + # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + # for more detail. + priorityClassName: "" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/Chart.yaml new file mode 100644 index 0000000000..a506b0eac9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/Chart.yaml @@ -0,0 +1,12 @@ +apiVersion: v2 +appVersion: 1.26.8 +description: Helm chart for istio control plane +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio +- istiod +- istio-discovery +name: istiod +sources: +- https://github.com/istio/istio +version: 1.26.8 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/README.md new file mode 100644 index 0000000000..ddbfbc8fec --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/README.md @@ -0,0 +1,73 @@ +# Istiod Helm Chart + +This chart installs an Istiod deployment. + +## Setup Repo Info + +```console +helm repo add istio https://istio-release.storage.googleapis.com/charts +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Installing the Chart + +Before installing, ensure CRDs are installed in the cluster (from the `istio/base` chart). + +To install the chart with the release name `istiod`: + +```console +kubectl create namespace istio-system +helm install istiod istio/istiod --namespace istio-system +``` + +## Uninstalling the Chart + +To uninstall/delete the `istiod` deployment: + +```console +helm delete istiod --namespace istio-system +``` + +## Configuration + +To view support configuration options and documentation, run: + +```console +helm show values istio/istiod +``` + +### Profiles + +Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. +These can be set with `--set profile=`. +For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. + +For consistency, the same profiles are used across each chart, even if they do not impact a given chart. + +Explicitly set values have highest priority, then profile settings, then chart defaults. + +As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. +When configuring the chart, you should not include this. +That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. + +### Examples + +#### Configuring mesh configuration settings + +Any [Mesh Config](https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/) options can be configured like below: + +```yaml +meshConfig: + accessLogFile: /dev/stdout +``` + +#### Revisions + +Control plane revisions allow deploying multiple versions of the control plane in the same cluster. +This allows safe [canary upgrades](https://istio.io/latest/docs/setup/upgrade/canary/) + +```yaml +revision: my-revision-name +``` diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/gateway-injection-template.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/gateway-injection-template.yaml new file mode 100644 index 0000000000..224fe75f13 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/gateway-injection-template.yaml @@ -0,0 +1,261 @@ +{{- $containers := list }} +{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} +metadata: + labels: + service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} + service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} + annotations: + istio.io/rev: {{ .Revision | default "default" | quote }} + {{- if ge (len $containers) 1 }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} + kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}" + {{- end }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}" + {{- end }} + {{- end }} +spec: + securityContext: + {{- if .Values.gateways.securityContext }} + {{- toYaml .Values.gateways.securityContext | nindent 4 }} + {{- else }} + sysctls: + - name: net.ipv4.ip_unprivileged_port_start + value: "0" + {{- end }} + containers: + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - router + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} + - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} + {{- end }} + securityContext: + runAsUser: {{ .ProxyUID | default "1337" }} + runAsGroup: {{ .ProxyGID | default "1337" }} + env: + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + {{- if .CompliancePolicy }} + - name: COMPLIANCE_POLICY + value: "{{ .CompliancePolicy }}" + {{- end }} + - name: ISTIO_META_APP_CONTAINERS + value: "{{ $containers | join "," }}" + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ .ProxyConfig.InterceptionMode.String }}" + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{- if .DeploymentMeta.Name }} + - name: ISTIO_META_WORKLOAD_NAME + value: "{{ .DeploymentMeta.Name }}" + {{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + readinessProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }} + timeoutSeconds: 3 + failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }} + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + - name: credential-socket + mountPath: /var/run/secrets/credential-uds + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + volumes: + - emptyDir: {} + name: workload-socket + - emptyDir: {} + name: credential-socket + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- else}} + - emptyDir: {} + name: workload-certs + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - name: istio-certs + secret: + optional: true + {{ if eq .Spec.ServiceAccountName "" }} + secretName: istio.default + {{ else -}} + secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} + {{ end -}} + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/grpc-agent.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/grpc-agent.yaml new file mode 100644 index 0000000000..6e3102e4c8 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/grpc-agent.yaml @@ -0,0 +1,318 @@ +{{- define "resources" }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} + requests: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" + {{ end }} + {{- end }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + limits: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" + {{ end }} + {{- end }} + {{- else }} + {{- if .Values.global.proxy.resources }} + {{ toYaml .Values.global.proxy.resources | indent 6 }} + {{- end }} + {{- end }} +{{- end }} +{{- $containers := list }} +{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} +metadata: + labels: + {{/* security.istio.io/tlsMode: istio must be set by user, if gRPC is using mTLS initialization code. We can't set it automatically. */}} + service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} + service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} + annotations: { + istio.io/rev: {{ .Revision | default "default" | quote }}, + {{- if ge (len $containers) 1 }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} + kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", + {{- end }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", + {{- end }} + {{- end }} + sidecar.istio.io/rewriteAppHTTPProbers: "false", + } +spec: + containers: + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + ports: + - containerPort: 15020 + protocol: TCP + name: mesh-metrics + args: + - proxy + - sidecar + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} + - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + lifecycle: + postStart: + exec: + command: + - pilot-agent + - wait + - --url=http://localhost:15020/healthz/ready + env: + - name: ISTIO_META_GENERATOR + value: grpc + - name: OUTPUT_CERTS + value: /var/lib/istio/data + {{- if eq .InboundTrafficPolicyMode "localhost" }} + - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION + value: "true" + {{- end }} + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: ISTIO_META_APP_CONTAINERS + value: "{{ $containers | join "," }}" + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{- if .DeploymentMeta.Name }} + - name: ISTIO_META_WORKLOAD_NAME + value: "{{ .DeploymentMeta.Name }}" + {{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + # grpc uses xds:/// to resolve – no need to resolve VIP + - name: ISTIO_META_DNS_CAPTURE + value: "false" + - name: DISABLE_ENVOY + value: "true" + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} + readinessProbe: + httpGet: + path: /healthz/ready + port: 15020 + initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} + timeoutSeconds: 3 + failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} + resources: + {{ template "resources" . }} + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + # UDS channel between istioagent and gRPC client for XDS/SDS + - mountPath: /etc/istio/proxy + name: istio-xds + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} + {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 6 }} + {{ end }} + {{- end }} +{{- range $index, $container := .Spec.Containers }} +{{ if not (eq $container.Name "istio-proxy") }} + - name: {{ $container.Name }} + env: + - name: "GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT" + value: "true" + - name: "GRPC_XDS_BOOTSTRAP" + value: "/etc/istio/proxy/grpc-bootstrap.json" + volumeMounts: + - mountPath: /var/lib/istio/data + name: istio-data + # UDS channel between istioagent and gRPC client for XDS/SDS + - mountPath: /etc/istio/proxy + name: istio-xds + {{- if eq $.Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} +{{- end }} +{{- end }} + volumes: + - emptyDir: + name: workload-socket + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- else }} + - emptyDir: + name: workload-certs + {{- end }} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: custom-bootstrap-volume + configMap: + name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-xds + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - name: istio-certs + secret: + optional: true + {{ if eq .Spec.ServiceAccountName "" }} + secretName: istio.default + {{ else -}} + secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} + {{ end -}} + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} + {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 4 }} + {{ end }} + {{ end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/grpc-simple.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/grpc-simple.yaml new file mode 100644 index 0000000000..9ba0c7a46a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/grpc-simple.yaml @@ -0,0 +1,65 @@ +metadata: + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "false" +spec: + initContainers: + - name: grpc-bootstrap-init + image: busybox:1.28 + volumeMounts: + - mountPath: /var/lib/grpc/data/ + name: grpc-io-proxyless-bootstrap + env: + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: ISTIO_NAMESPACE + value: | + {{ .Values.global.istioNamespace }} + command: + - sh + - "-c" + - |- + NODE_ID="sidecar~${INSTANCE_IP}~${POD_NAME}.${POD_NAMESPACE}~cluster.local" + SERVER_URI="dns:///istiod.${ISTIO_NAMESPACE}.svc:15010" + echo ' + { + "xds_servers": [ + { + "server_uri": "'${SERVER_URI}'", + "channel_creds": [{"type": "insecure"}], + "server_features" : ["xds_v3"] + } + ], + "node": { + "id": "'${NODE_ID}'", + "metadata": { + "GENERATOR": "grpc" + } + } + }' > /var/lib/grpc/data/bootstrap.json + containers: + {{- range $index, $container := .Spec.Containers }} + - name: {{ $container.Name }} + env: + - name: GRPC_XDS_BOOTSTRAP + value: /var/lib/grpc/data/bootstrap.json + - name: GRPC_GO_LOG_VERBOSITY_LEVEL + value: "99" + - name: GRPC_GO_LOG_SEVERITY_LEVEL + value: info + volumeMounts: + - mountPath: /var/lib/grpc/data/ + name: grpc-io-proxyless-bootstrap + {{- end }} + volumes: + - name: grpc-io-proxyless-bootstrap + emptyDir: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/injection-template.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/injection-template.yaml new file mode 100644 index 0000000000..e851a8371c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/injection-template.yaml @@ -0,0 +1,531 @@ +{{- define "resources" }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} + requests: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" + {{ end }} + {{- end }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + limits: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" + {{ end }} + {{- end }} + {{- else }} + {{- if .Values.global.proxy.resources }} + {{ toYaml .Values.global.proxy.resources | indent 6 }} + {{- end }} + {{- end }} +{{- end }} +{{ $nativeSidecar := (or (and (not (isset .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar`)) (eq (env "ENABLE_NATIVE_SIDECARS" "false") "true")) (eq (index .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar`) "true")) }} +{{ $tproxy := (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) }} +{{- $containers := list }} +{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} +metadata: + labels: + security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }} + {{- if eq (index .ProxyConfig.ProxyMetadata "ISTIO_META_ENABLE_HBONE") "true" }} + networking.istio.io/tunnel: {{ index .ObjectMeta.Labels `networking.istio.io/tunnel` | default "http" | quote }} + {{- end }} + service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | trunc 63 | trimSuffix "-" | quote }} + service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} + annotations: { + istio.io/rev: {{ .Revision | default "default" | quote }}, + {{- if ge (len $containers) 1 }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} + kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", + {{- end }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", + {{- end }} + {{- end }} +{{- if .Values.pilot.cni.enabled }} + {{- if eq .Values.pilot.cni.provider "multus" }} + k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `default/istio-cni` }}', + {{- end }} + sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}", + {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }} + {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }} + traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}", + traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}", + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }} + traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}", + {{- end }} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} + traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}", + {{- end }} + {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }} + {{ with index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}istio.io/reroute-virtual-interfaces: "{{.}}",{{ end }} + {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}traffic.sidecar.istio.io/excludeInterfaces: "{{.}}",{{ end }} +{{- end }} + } +spec: + {{- $holdProxy := and + (or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts) + (not $nativeSidecar) }} + {{- $noInitContainer := and + (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE`) + (not $nativeSidecar) }} + {{ if $noInitContainer }} + initContainers: [] + {{ else -}} + initContainers: + {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} + {{ if .Values.pilot.cni.enabled -}} + - name: istio-validation + {{ else -}} + - name: istio-init + {{ end -}} + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + args: + - istio-iptables + - "-p" + - {{ .MeshConfig.ProxyListenPort | default "15001" | quote }} + - "-z" + - {{ .MeshConfig.ProxyInboundListenPort | default "15006" | quote }} + - "-u" + - {{ if $tproxy }} "1337" {{ else }} {{ .ProxyUID | default "1337" | quote }} {{ end }} + - "-m" + - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" + - "-i" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" + - "-x" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" + - "-b" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}" + - "-d" + {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }} + - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" + {{- else }} + - "15090,15021" + {{- end }} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}} + - "-q" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" + {{ end -}} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} + - "-o" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" + {{ end -}} + {{ if (isset .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces`) -}} + - "-k" + - "{{ index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}" + {{ else if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} + - "-k" + - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" + {{ end -}} + {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces`) -}} + - "-c" + - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}" + {{ end -}} + - "--log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}" + {{ if .Values.global.logAsJson -}} + - "--log_as_json" + {{ end -}} + {{ if .Values.pilot.cni.enabled -}} + - "--run-validation" + - "--skip-rule-apply" + {{ else if .Values.global.proxy_init.forceApplyIptables -}} + - "--force-apply" + {{ end -}} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + {{- if .ProxyConfig.ProxyMetadata }} + env: + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + resources: + {{ template "resources" . }} + securityContext: + allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} + privileged: {{ .Values.global.proxy.privileged }} + capabilities: + {{- if not .Values.pilot.cni.enabled }} + add: + - NET_ADMIN + - NET_RAW + {{- end }} + drop: + - ALL + {{- if not .Values.pilot.cni.enabled }} + readOnlyRootFilesystem: false + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + {{- else }} + readOnlyRootFilesystem: true + runAsGroup: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyGID | default "1337" }} {{ end }} + runAsUser: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyUID | default "1337" }} {{ end }} + runAsNonRoot: true + {{- end }} + {{ end -}} + {{ end -}} + {{ if not $nativeSidecar }} + containers: + {{ end }} + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + {{ if $nativeSidecar }}restartPolicy: Always{{end}} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - sidecar + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} + - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.outlierLogPath }} + - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }} + {{- end}} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} + {{- else if $holdProxy }} + lifecycle: + postStart: + exec: + command: + - pilot-agent + - wait + {{- else if $nativeSidecar }} + {{- /* preStop is called when the pod starts shutdown. Initialize drain. We will get SIGTERM once applications are torn down. */}} + lifecycle: + preStop: + exec: + command: + - pilot-agent + - request + - --debug-port={{(annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort)}} + - POST + - drain + {{- end }} + env: + {{- if eq .InboundTrafficPolicyMode "localhost" }} + - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION + value: "true" + {{- end }} + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: ISTIO_META_APP_CONTAINERS + value: "{{ $containers | join "," }}" + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + {{- if .CompliancePolicy }} + - name: COMPLIANCE_POLICY + value: "{{ .CompliancePolicy }}" + {{- end }} + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{- with (index .ObjectMeta.Labels `service.istio.io/workload-name` | default .DeploymentMeta.Name) }} + - name: ISTIO_META_WORKLOAD_NAME + value: "{{ . }}" + {{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: ISTIO_BOOTSTRAP_OVERRIDE + value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" + {{- end }} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} + {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} + {{ if .Values.global.proxy.startupProbe.enabled }} + startupProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: 0 + periodSeconds: 1 + timeoutSeconds: 3 + failureThreshold: {{ .Values.global.proxy.startupProbe.failureThreshold }} + {{ end }} + readinessProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} + timeoutSeconds: 3 + failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} + {{ end -}} + securityContext: + {{- if eq (index .ProxyConfig.ProxyMetadata "IPTABLES_TRACE_LOGGING") "true" }} + allowPrivilegeEscalation: true + capabilities: + add: + - NET_ADMIN + drop: + - ALL + privileged: true + readOnlyRootFilesystem: true + runAsGroup: {{ .ProxyGID | default "1337" }} + runAsNonRoot: false + runAsUser: 0 + {{- else }} + allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} + capabilities: + {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} + add: + {{ if eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY` -}} + - NET_ADMIN + {{- end }} + {{ if eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true` -}} + - NET_BIND_SERVICE + {{- end }} + {{- end }} + drop: + - ALL + privileged: {{ .Values.global.proxy.privileged }} + readOnlyRootFilesystem: true + {{ if or ($tproxy) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} + runAsNonRoot: false + runAsUser: 0 + runAsGroup: 1337 + {{- else -}} + runAsNonRoot: true + runAsUser: {{ .ProxyUID | default "1337" }} + runAsGroup: {{ .ProxyGID | default "1337" }} + {{- end }} + {{- end }} + resources: + {{ template "resources" . }} + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + - name: credential-socket + mountPath: /var/run/secrets/credential-uds + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - mountPath: /etc/istio/custom-bootstrap + name: custom-bootstrap-volume + {{- end }} + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} + - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }} + name: lightstep-certs + readOnly: true + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} + {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 6 }} + {{ end }} + {{- end }} + volumes: + - emptyDir: + name: workload-socket + - emptyDir: + name: credential-socket + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- else }} + - emptyDir: + name: workload-certs + {{- end }} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: custom-bootstrap-volume + configMap: + name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - name: istio-certs + secret: + optional: true + {{ if eq .Spec.ServiceAccountName "" }} + secretName: istio.default + {{ else -}} + secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} + {{ end -}} + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} + {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 4 }} + {{ end }} + {{ end }} + {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} + - name: lightstep-certs + secret: + optional: true + secretName: lightstep.cacert + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/kube-gateway.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/kube-gateway.yaml new file mode 100644 index 0000000000..a6116b1ab0 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/kube-gateway.yaml @@ -0,0 +1,401 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{.ServiceAccount | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + {{- if ge .KubeVersion 128 }} + # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" + {{- end }} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.istio.io/managed" "istio.io-gateway-controller" + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: "{{.UID}}" +spec: + selector: + matchLabels: + "{{.GatewayNameLabel}}": {{.Name}} + template: + metadata: + annotations: + {{- toJsonMap + (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") + (strdict "istio.io/rev" (.Revision | default "default")) + (strdict + "prometheus.io/path" "/stats/prometheus" + "prometheus.io/port" "15020" + "prometheus.io/scrape" "true" + ) | nindent 8 }} + labels: + {{- toJsonMap + (strdict + "sidecar.istio.io/inject" "false" + "service.istio.io/canonical-name" .DeploymentName + "service.istio.io/canonical-revision" "latest" + ) + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.istio.io/managed" "istio.io-gateway-controller" + ) | nindent 8 }} + spec: + securityContext: + {{- if .Values.gateways.securityContext }} + {{- toYaml .Values.gateways.securityContext | nindent 8 }} + {{- else }} + sysctls: + - name: net.ipv4.ip_unprivileged_port_start + value: "0" + {{- if .Values.gateways.seccompProfile }} + seccompProfile: + {{- toYaml .Values.gateways.seccompProfile | nindent 10 }} + {{- end }} + {{- end }} + serviceAccountName: {{.ServiceAccount | quote}} + containers: + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + {{- if .Values.global.proxy.resources }} + resources: + {{- toYaml .Values.global.proxy.resources | nindent 10 }} + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + securityContext: + capabilities: + drop: + - ALL + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsUser: {{ .ProxyUID | default "1337" }} + runAsGroup: {{ .ProxyGID | default "1337" }} + runAsNonRoot: true + ports: + - containerPort: 15020 + name: metrics + protocol: TCP + - containerPort: 15021 + name: status-port + protocol: TCP + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - router + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} + - --proxyComponentLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} + - --log_output_level + - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{- toYaml .Values.global.proxy.lifecycle | nindent 10 }} + {{- end }} + env: + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: "[]" + - name: ISTIO_META_APP_CONTAINERS + value: "" + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName .ClusterID }}" + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ .ProxyConfig.InterceptionMode.String }}" + {{- with (valueOrDefault (index .InfrastructureLabels "topology.istio.io/network") .Values.global.network) }} + - name: ISTIO_META_NETWORK + value: {{.|quote}} + {{- end }} + - name: ISTIO_META_WORKLOAD_NAME + value: {{.DeploymentName|quote}} + - name: ISTIO_META_OWNER + value: "kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}}" + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- with (index .InfrastructureLabels "topology.istio.io/network") }} + - name: ISTIO_META_REQUESTED_NETWORK_VIEW + value: {{.|quote}} + {{- end }} + startupProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 1 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + failureThreshold: 4 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 0 + periodSeconds: 15 + successThreshold: 1 + timeoutSeconds: 1 + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + - name: credential-socket + mountPath: /var/run/secrets/credential-uds + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + - name: istio-podinfo + mountPath: /etc/istio/pod + volumes: + - emptyDir: {} + name: workload-socket + - emptyDir: {} + name: credential-socket + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- else}} + - emptyDir: {} + name: workload-certs + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + {{- if eq ((.Values.pilot).env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:root-cert + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +--- +apiVersion: v1 +kind: Service +metadata: + annotations: + {{ toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: {{.UID}} +spec: + ipFamilyPolicy: PreferDualStack + ports: + {{- range $key, $val := .Ports }} + - name: {{ $val.Name | quote }} + port: {{ $val.Port }} + protocol: TCP + appProtocol: {{ $val.AppProtocol }} + {{- end }} + selector: + "{{.GatewayNameLabel}}": {{.Name}} + {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} + loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} + {{- end }} + type: {{ .ServiceType | quote }} +--- +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: "{{.UID}}" +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{.DeploymentName | quote}} + maxReplicas: 1 +--- +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: "{{.UID}}" +spec: + selector: + matchLabels: + gateway.networking.k8s.io/gateway-name: {{.Name|quote}} + diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/profile-ambient.yaml new file mode 100644 index 0000000000..2805fe46bf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/profile-ambient.yaml @@ -0,0 +1,17 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/profile-compatibility-version-1.23.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/profile-compatibility-version-1.23.yaml new file mode 100644 index 0000000000..dac910ff5b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/profile-compatibility-version-1.23.yaml @@ -0,0 +1,25 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + ENABLE_INBOUND_RETRY_POLICY: "false" + EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" + +ambient: + # Not present in <1.24, defaults to `true` in 1.25+ + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 0000000000..b211c82666 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/profile-compatibility-version-1.24.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + PILOT_ENABLE_IP_AUTOALLOCATE: "false" +ambient: + dnsCapture: false + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..eb8827cd50 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/profile-demo.yaml new file mode 100644 index 0000000000..d6dc36dd0f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/profile-demo.yaml @@ -0,0 +1,94 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The demo profile enables a variety of things to try out Istio in non-production environments. +# * Lower resource utilization. +# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. +# * More ports enabled on the ingress, which is used in some tasks. +meshConfig: + accessLogFile: /dev/stdout + extensionProviders: + - name: otel + envoyOtelAls: + service: opentelemetry-collector.observability.svc.cluster.local + port: 4317 + - name: skywalking + skywalking: + service: tracing.istio-system.svc.cluster.local + port: 11800 + - name: otel-tracing + opentelemetry: + port: 4317 + service: opentelemetry-collector.observability.svc.cluster.local + - name: jaeger + opentelemetry: + port: 4317 + service: jaeger-collector.istio-system.svc.cluster.local + +cni: + resources: + requests: + cpu: 10m + memory: 40Mi + +ztunnel: + resources: + requests: + cpu: 10m + memory: 40Mi + +global: + proxy: + resources: + requests: + cpu: 10m + memory: 40Mi + waypoint: + resources: + requests: + cpu: 10m + memory: 40Mi + +pilot: + autoscaleEnabled: false + traceSampling: 100 + resources: + requests: + cpu: 10m + memory: 100Mi + +gateways: + istio-egressgateway: + autoscaleEnabled: false + resources: + requests: + cpu: 10m + memory: 40Mi + istio-ingressgateway: + autoscaleEnabled: false + ports: + ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. + # Note that AWS ELB will by default perform health checks on the first port + # on this list. Setting this to the health check port will ensure that health + # checks always work. https://github.com/istio/istio/issues/12503 + - port: 15021 + targetPort: 15021 + name: status-port + - port: 80 + targetPort: 8080 + name: http2 + - port: 443 + targetPort: 8443 + name: https + - port: 31400 + targetPort: 31400 + name: tcp + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + resources: + requests: + cpu: 10m + memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/profile-platform-gke.yaml new file mode 100644 index 0000000000..dfe8a7d741 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/profile-platform-gke.yaml @@ -0,0 +1,10 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work + resourceQuotas: + enabled: true +resourceQuotas: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/profile-platform-k3d.yaml new file mode 100644 index 0000000000..cd86d9ec58 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/profile-platform-k3d.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/profile-platform-k3s.yaml new file mode 100644 index 0000000000..07820106d9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/profile-platform-k3s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/profile-platform-microk8s.yaml new file mode 100644 index 0000000000..57d7f5e3cd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/profile-platform-microk8s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/snap/microk8s/current/args/cni-network + cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/profile-platform-minikube.yaml new file mode 100644 index 0000000000..fa9992e204 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/profile-platform-minikube.yaml @@ -0,0 +1,6 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/profile-platform-openshift.yaml new file mode 100644 index 0000000000..8ddc5e1654 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/profile-platform-openshift.yaml @@ -0,0 +1,19 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The OpenShift profile provides a basic set of settings to run Istio on OpenShift +cni: + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + provider: "multus" +pilot: + cni: + enabled: true + provider: "multus" +seLinuxOptions: + type: spc_t +# Openshift requires privileged pods to run in kube-system +trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/profile-preview.yaml new file mode 100644 index 0000000000..181d7bda2c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/profile-preview.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +meshConfig: + defaultConfig: + proxyMetadata: + # Enable Istio agent to handle DNS requests for known hosts + # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf + ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/profile-remote.yaml new file mode 100644 index 0000000000..d17b9a801a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/profile-remote.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. +istiodRemote: + enabled: true +configMap: false +telemetry: + enabled: false +global: + # TODO BML maybe a different profile for a configcluster/revisit this + omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/profile-stable.yaml new file mode 100644 index 0000000000..358282e69b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/profile-stable.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The stable profile deploys admission control to ensure that only stable resources and fields are used +# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE +experimental: + stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/waypoint.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/waypoint.yaml new file mode 100644 index 0000000000..6a08a662ec --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/files/waypoint.yaml @@ -0,0 +1,396 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{.ServiceAccount | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + {{- if ge .KubeVersion 128 }} + # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" + {{- end }} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.istio.io/managed" "istio.io-mesh-controller" + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" +spec: + selector: + matchLabels: + "{{.GatewayNameLabel}}": "{{.Name}}" + template: + metadata: + annotations: + {{- toJsonMap + (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") + (strdict "istio.io/rev" (.Revision | default "default")) + (strdict + "prometheus.io/path" "/stats/prometheus" + "prometheus.io/port" "15020" + "prometheus.io/scrape" "true" + ) | nindent 8 }} + labels: + {{- toJsonMap + (strdict + "sidecar.istio.io/inject" "false" + "istio.io/dataplane-mode" "none" + "service.istio.io/canonical-name" .DeploymentName + "service.istio.io/canonical-revision" "latest" + ) + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.istio.io/managed" "istio.io-mesh-controller" + ) | nindent 8}} + spec: + {{- if .Values.global.waypoint.affinity }} + affinity: + {{- toYaml .Values.global.waypoint.affinity | nindent 8 }} + {{- end }} + {{- if .Values.global.waypoint.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml .Values.global.waypoint.topologySpreadConstraints | nindent 8 }} + {{- end }} + {{- if .Values.global.waypoint.nodeSelector }} + nodeSelector: + {{- toYaml .Values.global.waypoint.nodeSelector | nindent 8 }} + {{- end }} + {{- if .Values.global.waypoint.tolerations }} + tolerations: + {{- toYaml .Values.global.waypoint.tolerations | nindent 8 }} + {{- end }} + terminationGracePeriodSeconds: 2 + serviceAccountName: {{.ServiceAccount | quote}} + containers: + - name: istio-proxy + ports: + - containerPort: 15020 + name: metrics + protocol: TCP + - containerPort: 15021 + name: status-port + protocol: TCP + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + args: + - proxy + - waypoint + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --serviceCluster + - {{.ServiceAccount}}.$(POD_NAMESPACE) + - --proxyLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} + - --proxyComponentLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} + - --log_output_level + - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.outlierLogPath }} + - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }} + {{- end}} + env: + - name: ISTIO_META_SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + {{- if .ProxyConfig.ProxyMetadata }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + {{- $network := valueOrDefault (index .InfrastructureLabels `topology.istio.io/network`) .Values.global.network }} + {{- if $network }} + - name: ISTIO_META_NETWORK + value: "{{ $network }}" + {{- end }} + - name: ISTIO_META_INTERCEPTION_MODE + value: REDIRECT + - name: ISTIO_META_WORKLOAD_NAME + value: {{.DeploymentName}} + - name: ISTIO_META_OWNER + value: kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- if .Values.global.waypoint.resources }} + resources: + {{- toYaml .Values.global.waypoint.resources | nindent 10 }} + {{- end }} + startupProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 1 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + failureThreshold: 4 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 0 + periodSeconds: 15 + successThreshold: 1 + timeoutSeconds: 1 + securityContext: + privileged: false + {{- if not (eq .Values.global.platform "openshift") }} + runAsGroup: 1337 + runAsUser: 1337 + {{- end }} + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL +{{- if .Values.gateways.seccompProfile }} + seccompProfile: +{{- toYaml .Values.gateways.seccompProfile | nindent 12 }} +{{- end }} + volumeMounts: + - mountPath: /var/run/secrets/workload-spiffe-uds + name: workload-socket + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + - mountPath: /var/lib/istio/data + name: istio-data + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + - mountPath: /etc/istio/pod + name: istio-podinfo + volumes: + - emptyDir: {} + name: workload-socket + - emptyDir: + medium: Memory + name: istio-envoy + - emptyDir: + medium: Memory + name: go-proxy-envoy + - emptyDir: {} + name: istio-data + - emptyDir: {} + name: go-proxy-data + - downwardAPI: + items: + - fieldRef: + fieldPath: metadata.labels + path: labels + - fieldRef: + fieldPath: metadata.annotations + path: annotations + name: istio-podinfo + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: istio-ca + expirationSeconds: 43200 + path: istio-token + - name: istiod-ca-cert + {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:root-cert + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +--- +apiVersion: v1 +kind: Service +metadata: + annotations: + {{ toJsonMap + (strdict "networking.istio.io/traffic-distribution" "PreferClose") + (omit .InfrastructureAnnotations + "kubectl.kubernetes.io/last-applied-configuration" + "gateway.istio.io/name-override" + "gateway.istio.io/service-account" + "gateway.istio.io/controller-version" + ) | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" +spec: + ipFamilyPolicy: PreferDualStack + ports: + {{- range $key, $val := .Ports }} + - name: {{ $val.Name | quote }} + port: {{ $val.Port }} + protocol: TCP + appProtocol: {{ $val.AppProtocol }} + {{- end }} + selector: + "{{.GatewayNameLabel}}": "{{.Name}}" + {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} + loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} + {{- end }} + type: {{ .ServiceType | quote }} +--- +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: "{{.UID}}" +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{.DeploymentName | quote}} + maxReplicas: 1 +--- +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: "{{.UID}}" +spec: + selector: + matchLabels: + gateway.networking.k8s.io/gateway-name: {{.Name|quote}} + diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/NOTES.txt new file mode 100644 index 0000000000..0d07ea7f4c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/NOTES.txt @@ -0,0 +1,82 @@ +"istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}" successfully installed! + +To learn more about the release, try: + $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} + $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} + +Next steps: +{{- $profile := default "" .Values.profile }} +{{- if (eq $profile "ambient") }} + * Get started with ambient: https://istio.io/latest/docs/ops/ambient/getting-started/ + * Review ambient's architecture: https://istio.io/latest/docs/ops/ambient/architecture/ +{{- else }} + * Deploy a Gateway: https://istio.io/latest/docs/setup/additional-setup/gateway/ + * Try out our tasks to get started on common configurations: + * https://istio.io/latest/docs/tasks/traffic-management + * https://istio.io/latest/docs/tasks/security/ + * https://istio.io/latest/docs/tasks/policy-enforcement/ +{{- end }} + * Review the list of actively supported releases, CVE publications and our hardening guide: + * https://istio.io/latest/docs/releases/supported-releases/ + * https://istio.io/latest/news/security/ + * https://istio.io/latest/docs/ops/best-practices/security/ + +For further documentation see https://istio.io website + +{{- + $deps := dict + "global.outboundTrafficPolicy" "meshConfig.outboundTrafficPolicy" + "global.certificates" "meshConfig.certificates" + "global.localityLbSetting" "meshConfig.localityLbSetting" + "global.policyCheckFailOpen" "meshConfig.policyCheckFailOpen" + "global.enableTracing" "meshConfig.enableTracing" + "global.proxy.accessLogFormat" "meshConfig.accessLogFormat" + "global.proxy.accessLogFile" "meshConfig.accessLogFile" + "global.proxy.concurrency" "meshConfig.defaultConfig.concurrency" + "global.proxy.envoyAccessLogService" "meshConfig.defaultConfig.envoyAccessLogService" + "global.proxy.envoyAccessLogService.enabled" "meshConfig.enableEnvoyAccessLogService" + "global.proxy.envoyMetricsService" "meshConfig.defaultConfig.envoyMetricsService" + "global.proxy.protocolDetectionTimeout" "meshConfig.protocolDetectionTimeout" + "global.proxy.holdApplicationUntilProxyStarts" "meshConfig.defaultConfig.holdApplicationUntilProxyStarts" + "pilot.ingress" "meshConfig.ingressService, meshConfig.ingressControllerMode, and meshConfig.ingressClass" + "global.mtls.enabled" "the PeerAuthentication resource" + "global.mtls.auto" "meshConfig.enableAutoMtls" + "global.tracer.lightstep.address" "meshConfig.defaultConfig.tracing.lightstep.address" + "global.tracer.lightstep.accessToken" "meshConfig.defaultConfig.tracing.lightstep.accessToken" + "global.tracer.zipkin.address" "meshConfig.defaultConfig.tracing.zipkin.address" + "global.tracer.datadog.address" "meshConfig.defaultConfig.tracing.datadog.address" + "global.meshExpansion.enabled" "Gateway and other Istio networking resources, such as in samples/multicluster/" + "istiocoredns.enabled" "the in-proxy DNS capturing (ISTIO_META_DNS_CAPTURE)" +}} +{{- range $dep, $replace := $deps }} +{{- /* Complex logic to turn the string above into a null-safe traversal like ((.Values.global).certificates */}} +{{- $res := tpl (print "{{" (repeat (split "." $dep | len) "(") ".Values." (replace "." ")." $dep) ")}}") $}} +{{- if not (eq $res "")}} +WARNING: {{$dep|quote}} is deprecated; use {{$replace|quote}} instead. +{{- end }} +{{- end }} +{{- + $failDeps := dict + "telemetry.v2.prometheus.configOverride" + "telemetry.v2.stackdriver.configOverride" + "telemetry.v2.stackdriver.disableOutbound" + "telemetry.v2.stackdriver.outboundAccessLogging" + "global.tracer.stackdriver.debug" "meshConfig.defaultConfig.tracing.stackdriver.debug" + "global.tracer.stackdriver.maxNumberOfAttributes" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAttributes" + "global.tracer.stackdriver.maxNumberOfAnnotations" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAnnotations" + "global.tracer.stackdriver.maxNumberOfMessageEvents" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfMessageEvents" + "meshConfig.defaultConfig.tracing.stackdriver.debug" "Istio supported tracers" + "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAttributes" "Istio supported tracers" + "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAnnotations" "Istio supported tracers" + "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfMessageEvents" "Istio supported tracers" +}} +{{- range $dep, $replace := $failDeps }} +{{- /* Complex logic to turn the string above into a null-safe traversal like ((.Values.global).certificates */}} +{{- $res := tpl (print "{{" (repeat (split "." $dep | len) "(") ".Values." (replace "." ")." $dep) ")}}") $}} +{{- if not (eq $res "")}} +{{fail (print $dep " is removed")}} +{{- end }} +{{- end }} +{{- if eq $.Values.global.pilotCertProvider "kubernetes" }} +{{- fail "pilotCertProvider=kubernetes is not supported" }} +{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/_helpers.tpl new file mode 100644 index 0000000000..042c92538d --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/_helpers.tpl @@ -0,0 +1,23 @@ +{{/* Default Prometheus is enabled if its enabled and there are no config overrides set */}} +{{ define "default-prometheus" }} +{{- and + (not .Values.meshConfig.defaultProviders) + .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.prometheus.enabled +}} +{{- end }} + +{{/* SD has metrics and logging split. Default metrics are enabled if SD is enabled */}} +{{ define "default-sd-metrics" }} +{{- and + (not .Values.meshConfig.defaultProviders) + .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled +}} +{{- end }} + +{{/* SD has metrics and logging split. */}} +{{ define "default-sd-logs" }} +{{- and + (not .Values.meshConfig.defaultProviders) + .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled +}} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/autoscale.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/autoscale.yaml new file mode 100644 index 0000000000..09cd6258ce --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/autoscale.yaml @@ -0,0 +1,43 @@ +# Not created if istiod is running remotely +{{- if not .Values.istiodRemote.enabled }} +{{- if and .Values.autoscaleEnabled .Values.autoscaleMin .Values.autoscaleMax }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +spec: + maxReplicas: {{ .Values.autoscaleMax }} + minReplicas: {{ .Values.autoscaleMin }} + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + metrics: + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.cpu.targetAverageUtilization }} + {{- if .Values.memory.targetAverageUtilization }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.memory.targetAverageUtilization }} + {{- end }} + {{- if .Values.autoscaleBehavior }} + behavior: {{ toYaml .Values.autoscaleBehavior | nindent 4 }} + {{- end }} +--- +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/clusterrole.yaml new file mode 100644 index 0000000000..0fa8532a9a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/clusterrole.yaml @@ -0,0 +1,212 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} +{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +rules: + # sidecar injection controller + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update", "patch"] + + # configuration validation webhook controller + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update"] + + # istio configuration + # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382) + # please proceed with caution + - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] + verbs: ["get", "watch", "list"] + resources: ["*"] +{{- if .Values.global.istiod.enableAnalysis }} + - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] + verbs: ["update", "patch"] + resources: + - authorizationpolicies/status + - destinationrules/status + - envoyfilters/status + - gateways/status + - peerauthentications/status + - proxyconfigs/status + - requestauthentications/status + - serviceentries/status + - sidecars/status + - telemetries/status + - virtualservices/status + - wasmplugins/status + - workloadentries/status + - workloadgroups/status +{{- end }} + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "workloadentries" ] + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "workloadentries/status", "serviceentries/status" ] + - apiGroups: ["security.istio.io"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "authorizationpolicies/status" ] + - apiGroups: [""] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "services/status" ] + + # auto-detect installed CRD definitions + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch"] + + # discovery and routing + - apiGroups: [""] + resources: ["pods", "nodes", "services", "namespaces", "endpoints"] + verbs: ["get", "list", "watch"] + - apiGroups: ["discovery.k8s.io"] + resources: ["endpointslices"] + verbs: ["get", "list", "watch"] + +{{- if .Values.taint.enabled }} + - apiGroups: [""] + resources: ["nodes"] + verbs: ["patch"] +{{- end }} + + # ingress controller +{{- if .Values.global.istiod.enableAnalysis }} + - apiGroups: ["extensions", "networking.k8s.io"] + resources: ["ingresses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["extensions", "networking.k8s.io"] + resources: ["ingresses/status"] + verbs: ["*"] +{{- end}} + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses", "ingressclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses/status"] + verbs: ["*"] + + # required for CA's namespace controller + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["create", "get", "list", "watch", "update"] + + # Istiod and bootstrap. +{{- $omitCertProvidersForClusterRole := list "istiod" "custom" "none"}} +{{- if or .Values.env.EXTERNAL_CA (not (has .Values.global.pilotCertProvider $omitCertProvidersForClusterRole)) }} + - apiGroups: ["certificates.k8s.io"] + resources: + - "certificatesigningrequests" + - "certificatesigningrequests/approval" + - "certificatesigningrequests/status" + verbs: ["update", "create", "get", "delete", "watch"] + - apiGroups: ["certificates.k8s.io"] + resources: + - "signers" + resourceNames: +{{- range .Values.global.certSigners }} + - {{ . | quote }} +{{- end }} + verbs: ["approve"] +{{- end}} +{{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + - apiGroups: ["certificates.k8s.io"] + resources: ["clustertrustbundles"] + verbs: ["update", "create", "delete", "list", "watch", "get"] + - apiGroups: ["certificates.k8s.io"] + resources: ["signers"] + resourceNames: ["istio.io/istiod-ca"] + verbs: ["attest"] +{{- end }} + + # Used by Istiod to verify the JWT tokens + - apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] + + # Used by Istiod to verify gateway SDS + - apiGroups: ["authorization.k8s.io"] + resources: ["subjectaccessreviews"] + verbs: ["create"] + + # Use for Kubernetes Service APIs + - apiGroups: ["gateway.networking.k8s.io", "gateway.networking.x-k8s.io"] + resources: ["*"] + verbs: ["get", "watch", "list"] + - apiGroups: ["gateway.networking.x-k8s.io"] + resources: + - xbackendtrafficpolicies/status + verbs: ["update", "patch"] + - apiGroups: ["gateway.networking.k8s.io"] + resources: + - backendtlspolicies/status + - gatewayclasses/status + - gateways/status + - grpcroutes/status + - httproutes/status + - referencegrants/status + - tcproutes/status + - tlsroutes/status + - udproutes/status + verbs: ["update", "patch"] + - apiGroups: ["gateway.networking.k8s.io"] + resources: ["gatewayclasses"] + verbs: ["create", "update", "patch", "delete"] + - apiGroups: ["inference.networking.x-k8s.io"] + resources: ["inferencepools"] + verbs: ["get", "watch", "list"] + - apiGroups: ["inference.networking.x-k8s.io"] + resources: ["inferencepools/status"] + verbs: ["update", "patch"] + + # Needed for multicluster secret reading, possibly ingress certs in the future + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "watch", "list"] + + # Used for MCS serviceexport management + - apiGroups: ["{{ $mcsAPIGroup }}"] + resources: ["serviceexports"] + verbs: [ "get", "watch", "list", "create", "delete"] + + # Used for MCS serviceimport management + - apiGroups: ["{{ $mcsAPIGroup }}"] + resources: ["serviceimports"] + verbs: ["get", "watch", "list"] +--- +{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +rules: + - apiGroups: ["apps"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "deployments" ] + - apiGroups: ["autoscaling"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "horizontalpodautoscalers" ] + - apiGroups: ["policy"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "poddisruptionbudgets" ] + - apiGroups: [""] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "services" ] + - apiGroups: [""] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "serviceaccounts"] +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..10781b4079 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/clusterrolebinding.yaml @@ -0,0 +1,40 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} +subjects: + - kind: ServiceAccount + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} +--- +{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} +subjects: +- kind: ServiceAccount + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/configmap-jwks.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/configmap-jwks.yaml new file mode 100644 index 0000000000..3505d28229 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/configmap-jwks.yaml @@ -0,0 +1,18 @@ +# Not created if istiod is running remotely +{{- if not .Values.istiodRemote.enabled }} +{{- if .Values.jwksResolverExtraRootCA }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +data: + extra.pem: {{ .Values.jwksResolverExtraRootCA | quote }} +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/configmap-values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/configmap-values.yaml new file mode 100644 index 0000000000..75e6e0bcc6 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/configmap-values.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: values{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + annotations: + kubernetes.io/description: This ConfigMap contains the Helm values used during chart rendering. This ConfigMap is rendered for debugging purposes and external tooling; modifying these values has no effect. + labels: + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +data: + original-values: |- +{{ .Values._original | toPrettyJson | indent 4 }} +{{- $_ := unset $.Values "_original" }} + merged-values: |- +{{ .Values | toPrettyJson | indent 4 }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/configmap.yaml new file mode 100644 index 0000000000..3098d300fd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/configmap.yaml @@ -0,0 +1,106 @@ +{{- define "mesh" }} + # The trust domain corresponds to the trust root of a system. + # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain + trustDomain: "cluster.local" + + # The namespace to treat as the administrative root namespace for Istio configuration. + # When processing a leaf namespace Istio will search for declarations in that namespace first + # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace + # is processed as if it were declared in the leaf namespace. + rootNamespace: {{ .Values.meshConfig.rootNamespace | default .Values.global.istioNamespace }} + + {{ $prom := include "default-prometheus" . | eq "true" }} + {{ $sdMetrics := include "default-sd-metrics" . | eq "true" }} + {{ $sdLogs := include "default-sd-logs" . | eq "true" }} + {{- if or $prom $sdMetrics $sdLogs }} + defaultProviders: + {{- if or $prom $sdMetrics }} + metrics: + {{ if $prom }}- prometheus{{ end }} + {{ if and $sdMetrics $sdLogs }}- stackdriver{{ end }} + {{- end }} + {{- if and $sdMetrics $sdLogs }} + accessLogging: + - stackdriver + {{- end }} + {{- end }} + + defaultConfig: + {{- if .Values.global.meshID }} + meshId: "{{ .Values.global.meshID }}" + {{- end }} + {{- with (.Values.global.proxy.variant | default .Values.global.variant) }} + image: + imageType: {{. | quote}} + {{- end }} + {{- if not (eq .Values.global.proxy.tracer "none") }} + tracing: + {{- if eq .Values.global.proxy.tracer "lightstep" }} + lightstep: + # Address of the LightStep Satellite pool + address: {{ .Values.global.tracer.lightstep.address }} + # Access Token used to communicate with the Satellite pool + accessToken: {{ .Values.global.tracer.lightstep.accessToken }} + {{- else if eq .Values.global.proxy.tracer "zipkin" }} + zipkin: + # Address of the Zipkin collector + address: {{ ((.Values.global.tracer).zipkin).address | default (print "zipkin." .Values.global.istioNamespace ":9411") }} + {{- else if eq .Values.global.proxy.tracer "datadog" }} + datadog: + # Address of the Datadog Agent + address: {{ ((.Values.global.tracer).datadog).address | default "$(HOST_IP):8126" }} + {{- else if eq .Values.global.proxy.tracer "stackdriver" }} + stackdriver: + # enables trace output to stdout. + debug: {{ (($.Values.global.tracer).stackdriver).debug | default "false" }} + # The global default max number of attributes per span. + maxNumberOfAttributes: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAttributes | default "200" }} + # The global default max number of annotation events per span. + maxNumberOfAnnotations: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAnnotations | default "200" }} + # The global default max number of message events per span. + maxNumberOfMessageEvents: {{ (($.Values.global.tracer).stackdriver).maxNumberOfMessageEvents | default "200" }} + {{- end }} + {{- end }} + {{- if .Values.global.remotePilotAddress }} + discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012 + {{- else }} + discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012 + {{- end }} +{{- end }} + +{{/* We take the mesh config above, defined with individual values.yaml, and merge with .Values.meshConfig */}} +{{/* The intent here is that meshConfig.foo becomes the API, rather than re-inventing the API in values.yaml */}} +{{- $originalMesh := include "mesh" . | fromYaml }} +{{- $mesh := mergeOverwrite $originalMesh .Values.meshConfig }} + +{{- if .Values.configMap }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +data: + + # Configuration file for the mesh networks to be used by the Split Horizon EDS. + meshNetworks: |- + {{- if .Values.global.meshNetworks }} + networks: +{{ toYaml .Values.global.meshNetworks | trim | indent 6 }} + {{- else }} + networks: {} + {{- end }} + + mesh: |- +{{- if .Values.meshConfig }} +{{ $mesh | toYaml | indent 4 }} +{{- else }} +{{- include "mesh" . }} +{{- end }} +--- +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/deployment.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/deployment.yaml new file mode 100644 index 0000000000..cf82b21e96 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/deployment.yaml @@ -0,0 +1,308 @@ +# Not created if istiod is running remotely +{{- if not .Values.istiodRemote.enabled }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + istio: pilot + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +{{- range $key, $val := .Values.deploymentLabels }} + {{ $key }}: "{{ $val }}" +{{- end }} +spec: +{{- if not .Values.autoscaleEnabled }} +{{- if .Values.replicaCount }} + replicas: {{ .Values.replicaCount }} +{{- end }} +{{- end }} + strategy: + rollingUpdate: + maxSurge: {{ .Values.rollingMaxSurge }} + maxUnavailable: {{ .Values.rollingMaxUnavailable }} + selector: + matchLabels: + {{- if ne .Values.revision "" }} + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + {{- else }} + istio: pilot + {{- end }} + template: + metadata: + labels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + sidecar.istio.io/inject: "false" + operator.istio.io/component: "Pilot" + {{- if ne .Values.revision "" }} + istio: istiod + {{- else }} + istio: pilot + {{- end }} + {{- range $key, $val := .Values.podLabels }} + {{ $key }}: "{{ $val }}" + {{- end }} + istio.io/dataplane-mode: none + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 8 }} + annotations: + prometheus.io/port: "15014" + prometheus.io/scrape: "true" + sidecar.istio.io/inject: "false" + {{- if .Values.podAnnotations }} +{{ toYaml .Values.podAnnotations | indent 8 }} + {{- end }} + spec: +{{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 8 }} +{{- end }} +{{- with .Values.affinity }} + affinity: +{{- toYaml . | nindent 8 }} +{{- end }} + tolerations: + - key: cni.istio.io/not-ready + operator: "Exists" +{{- with .Values.tolerations }} +{{- toYaml . | nindent 8 }} +{{- end }} +{{- with .Values.topologySpreadConstraints }} + topologySpreadConstraints: +{{- toYaml . | nindent 8 }} +{{- end }} + serviceAccountName: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} +{{- if .Values.global.priorityClassName }} + priorityClassName: "{{ .Values.global.priorityClassName }}" +{{- end }} +{{- with .Values.initContainers }} + initContainers: + {{- tpl (toYaml .) $ | nindent 8 }} +{{- end }} + containers: + - name: discovery +{{- if contains "/" .Values.image }} + image: "{{ .Values.image }}" +{{- else }} + image: "{{ .Values.hub | default .Values.global.hub }}/{{ .Values.image | default "pilot" }}:{{ .Values.tag | default .Values.global.tag }}{{with (.Values.variant | default .Values.global.variant)}}-{{.}}{{end}}" +{{- end }} +{{- if .Values.global.imagePullPolicy }} + imagePullPolicy: {{ .Values.global.imagePullPolicy }} +{{- end }} + args: + - "discovery" + - --monitoringAddr=:15014 +{{- if .Values.global.logging.level }} + - --log_output_level={{ .Values.global.logging.level }} +{{- end}} +{{- if .Values.global.logAsJson }} + - --log_as_json +{{- end }} + - --domain + - {{ .Values.global.proxy.clusterDomain }} +{{- if .Values.taint.namespace }} + - --cniNamespace={{ .Values.taint.namespace }} +{{- end }} + - --keepaliveMaxServerConnectionAge + - "{{ .Values.keepaliveMaxServerConnectionAge }}" +{{- if .Values.extraContainerArgs }} + {{- with .Values.extraContainerArgs }} + {{- toYaml . | nindent 10 }} + {{- end }} +{{- end }} + ports: + - containerPort: 8080 + protocol: TCP + name: http-debug + - containerPort: 15010 + protocol: TCP + name: grpc-xds + - containerPort: 15012 + protocol: TCP + name: tls-xds + - containerPort: 15017 + protocol: TCP + name: https-webhooks + - containerPort: 15014 + protocol: TCP + name: http-monitoring + readinessProbe: + httpGet: + path: /ready + port: 8080 + initialDelaySeconds: 1 + periodSeconds: 3 + timeoutSeconds: 5 + env: + - name: REVISION + value: "{{ .Values.revision | default `default` }}" + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.serviceAccountName + - name: KUBECONFIG + value: /var/run/secrets/remote/config + # If you explicitly told us where ztunnel lives, use that. + # Otherwise, assume it lives in our namespace + # Also, check for an explicit ENV override (legacy approach) and prefer that + # if present + {{ $ztTrustedNS := or .Values.trustedZtunnelNamespace .Release.Namespace }} + {{ $ztTrustedName := or .Values.trustedZtunnelName "ztunnel" }} + {{- if not .Values.env.CA_TRUSTED_NODE_ACCOUNTS }} + - name: CA_TRUSTED_NODE_ACCOUNTS + value: "{{ $ztTrustedNS }}/{{ $ztTrustedName }}" + {{- end }} + {{- if .Values.env }} + {{- range $key, $val := .Values.env }} + - name: {{ $key }} + value: "{{ $val }}" + {{- end }} + {{- end }} + {{- with .Values.envVarFrom }} + {{- toYaml . | nindent 10 }} + {{- end }} +{{- if .Values.traceSampling }} + - name: PILOT_TRACE_SAMPLING + value: "{{ .Values.traceSampling }}" +{{- end }} +# If externalIstiod is set via Values.Global, then enable the pilot env variable. However, if it's set via Values.pilot.env, then +# don't set it here to avoid duplication. +# TODO (nshankar13): Move from Helm chart to code: https://github.com/istio/istio/issues/52449 +{{- if and .Values.global.externalIstiod (not (and .Values.env .Values.env.EXTERNAL_ISTIOD)) }} + - name: EXTERNAL_ISTIOD + value: "{{ .Values.global.externalIstiod }}" +{{- end }} +{{- if .Values.global.trustBundleName }} + - name: PILOT_CA_CERT_CONFIGMAP + value: "{{ .Values.global.trustBundleName }}" +{{- end }} + - name: PILOT_ENABLE_ANALYSIS + value: "{{ .Values.global.istiod.enableAnalysis }}" + - name: CLUSTER_ID + value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}" + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + divisor: "1" + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + divisor: "1" + - name: PLATFORM + value: "{{ coalesce .Values.global.platform .Values.platform }}" + resources: +{{- if .Values.resources }} +{{ toYaml .Values.resources | trim | indent 12 }} +{{- else }} +{{ toYaml .Values.global.defaultResources | trim | indent 12 }} +{{- end }} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL +{{- if .Values.seccompProfile }} + seccompProfile: +{{ toYaml .Values.seccompProfile | trim | indent 14 }} +{{- end }} + volumeMounts: + - name: istio-token + mountPath: /var/run/secrets/tokens + readOnly: true + - name: local-certs + mountPath: /var/run/secrets/istio-dns + - name: cacerts + mountPath: /etc/cacerts + readOnly: true + - name: istio-kubeconfig + mountPath: /var/run/secrets/remote + readOnly: true + {{- if .Values.jwksResolverExtraRootCA }} + - name: extracacerts + mountPath: /cacerts + {{- end }} + - name: istio-csr-dns-cert + mountPath: /var/run/secrets/istiod/tls + readOnly: true + - name: istio-csr-ca-configmap + mountPath: /var/run/secrets/istiod/ca + readOnly: true + {{- with .Values.volumeMounts }} + {{- toYaml . | nindent 10 }} + {{- end }} + volumes: + # Technically not needed on this pod - but it helps debugging/testing SDS + # Should be removed after everything works. + - emptyDir: + medium: Memory + name: local-certs + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: {{ .Values.global.sds.token.aud }} + expirationSeconds: 43200 + path: istio-token + # Optional: user-generated root + - name: cacerts + secret: + secretName: cacerts + optional: true + - name: istio-kubeconfig + secret: + secretName: istio-kubeconfig + optional: true + # Optional: istio-csr dns pilot certs + - name: istio-csr-dns-cert + secret: + secretName: istiod-tls + optional: true + - name: istio-csr-ca-configmap + {{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:root-cert + path: root-cert.pem + optional: true + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + defaultMode: 420 + optional: true + {{- end }} + {{- if .Values.jwksResolverExtraRootCA }} + - name: extracacerts + configMap: + name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- end }} + {{- with .Values.volumes }} + {{- toYaml . | nindent 6}} + {{- end }} + +--- +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/gateway-class-configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/gateway-class-configmap.yaml new file mode 100644 index 0000000000..6b23d716a4 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/gateway-class-configmap.yaml @@ -0,0 +1,20 @@ +{{ range $key, $value := .Values.gatewayClasses }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-{{ $.Values.revision | default "default" }}-gatewayclass-{{$key}} + namespace: {{ $.Release.Namespace }} + labels: + istio.io/rev: {{ $.Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + release: {{ $.Release.Name }} + app.kubernetes.io/name: "istiod" + gateway.istio.io/defaults-for-class: {{$key|quote}} + {{- include "istio.labels" $ | nindent 4 }} +data: +{{ range $kind, $overlay := $value }} + {{$kind}}: | +{{$overlay|toYaml|trim|indent 4}} +{{ end }} +--- +{{ end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/istiod-injector-configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/istiod-injector-configmap.yaml new file mode 100644 index 0000000000..171aff8861 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/istiod-injector-configmap.yaml @@ -0,0 +1,81 @@ +{{- if not .Values.global.omitSidecarInjectorConfigMap }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +data: +{{/* Scope the values to just top level fields used in the template, to reduce the size. */}} + values: |- +{{ $vals := pick .Values "global" "sidecarInjectorWebhook" "revision" -}} +{{ $pilotVals := pick .Values "cni" "env" -}} +{{ $vals = set $vals "pilot" $pilotVals -}} +{{ $gatewayVals := pick .Values.gateways "securityContext" "seccompProfile" -}} +{{ $vals = set $vals "gateways" $gatewayVals -}} +{{ $vals | toPrettyJson | indent 4 }} + + # To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching + # and istiod webhook functionality. + # + # New fields should not use Values - it is a 'primary' config object, users should be able + # to fine tune it or use it with kube-inject. + config: |- + # defaultTemplates defines the default template to use for pods that do not explicitly specify a template + {{- if .Values.sidecarInjectorWebhook.defaultTemplates }} + defaultTemplates: +{{- range .Values.sidecarInjectorWebhook.defaultTemplates}} + - {{ . }} +{{- end }} + {{- else }} + defaultTemplates: [sidecar] + {{- end }} + policy: {{ .Values.global.proxy.autoInject }} + alwaysInjectSelector: +{{ toYaml .Values.sidecarInjectorWebhook.alwaysInjectSelector | trim | indent 6 }} + neverInjectSelector: +{{ toYaml .Values.sidecarInjectorWebhook.neverInjectSelector | trim | indent 6 }} + injectedAnnotations: + {{- range $key, $val := .Values.sidecarInjectorWebhook.injectedAnnotations }} + "{{ $key }}": {{ $val | quote }} + {{- end }} + {{- /* If someone ends up with this new template, but an older Istiod image, they will attempt to render this template + which will fail with "Pod injection failed: template: inject:1: function "Istio_1_9_Required_Template_And_Version_Mismatched" not defined". + This should make it obvious that their installation is broken. + */}} + template: {{ `{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}` | quote }} + templates: +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "sidecar") }} + sidecar: | +{{ .Files.Get "files/injection-template.yaml" | trim | indent 8 }} +{{- end }} +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "gateway") }} + gateway: | +{{ .Files.Get "files/gateway-injection-template.yaml" | trim | indent 8 }} +{{- end }} +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-simple") }} + grpc-simple: | +{{ .Files.Get "files/grpc-simple.yaml" | trim | indent 8 }} +{{- end }} +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-agent") }} + grpc-agent: | +{{ .Files.Get "files/grpc-agent.yaml" | trim | indent 8 }} +{{- end }} +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "waypoint") }} + waypoint: | +{{ .Files.Get "files/waypoint.yaml" | trim | indent 8 }} +{{- end }} +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "kube-gateway") }} + kube-gateway: | +{{ .Files.Get "files/kube-gateway.yaml" | trim | indent 8 }} +{{- end }} +{{- with .Values.sidecarInjectorWebhook.templates }} +{{ toYaml . | trim | indent 6 }} +{{- end }} + +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/mutatingwebhook.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/mutatingwebhook.yaml new file mode 100644 index 0000000000..22160f70a0 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/mutatingwebhook.yaml @@ -0,0 +1,164 @@ +# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that. +{{- /* Core defines the common configuration used by all webhook segments */}} +{{/* Copy just what we need to avoid expensive deepCopy */}} +{{- $whv := dict + "revision" .Values.revision + "injectionPath" .Values.istiodRemote.injectionPath + "injectionURL" .Values.istiodRemote.injectionURL + "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy + "caBundle" .Values.istiodRemote.injectionCABundle + "namespace" .Release.Namespace }} +{{- define "core" }} +{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign +a unique prefix to each. */}} +- name: {{.Prefix}}sidecar-injector.istio.io + clientConfig: + {{- if .injectionURL }} + url: "{{ .injectionURL }}" + {{- else }} + service: + name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} + namespace: {{ .namespace }} + path: "{{ .injectionPath }}" + port: 443 + {{- end }} + {{- if .caBundle }} + caBundle: "{{ .caBundle }}" + {{- end }} + sideEffects: None + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + reinvocationPolicy: "{{ .reinvocationPolicy }}" + admissionReviewVersions: ["v1"] +{{- end }} +{{- /* Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) */}} +{{- if not .Values.global.operatorManageWebhooks }} +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: +{{- if eq .Release.Namespace "istio-system"}} + name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} +{{- else }} + name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} +{{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app: sidecar-injector + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +{{- if $.Values.sidecarInjectorWebhookAnnotations }} + annotations: +{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }} +{{- end }} +webhooks: +{{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}} + +{{- /* Case 1: namespace selector matches, and object doesn't disable */}} +{{- /* Note: if both revision and legacy selector, we give precedence to the legacy one */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + {{- if (eq .Values.revision "") }} + - "default" + {{- else }} + - "{{ .Values.revision }}" + {{- end }} + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + +{{- /* Case 2: No namespace selector, but object selects our revision (and doesn't disable) */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: DoesNotExist + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + - key: istio.io/rev + operator: In + values: + {{- if (eq .Values.revision "") }} + - "default" + {{- else }} + - "{{ .Values.revision }}" + {{- end }} + + +{{- /* Webhooks for default revision */}} +{{- if (eq .Values.revision "") }} + +{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: In + values: + - enabled + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + +{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: In + values: + - "true" + - key: istio.io/rev + operator: DoesNotExist + +{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }} +{{- /* Special case 3: no labels at all */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + - key: "kubernetes.io/metadata.name" + operator: "NotIn" + values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist +{{- end }} + +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/networkpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/networkpolicy.yaml new file mode 100644 index 0000000000..bcc1594d97 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/networkpolicy.yaml @@ -0,0 +1,45 @@ +{{- if (.Values.global.networkPolicy).enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + istio: pilot + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + policyTypes: + - Ingress + - Egress + ingress: + # Webhook from kube-apiserver + - from: [] + ports: + - protocol: TCP + port: 15017 + # xDS from potentially anywhere + - from: [] + ports: + - protocol: TCP + port: 15010 + - protocol: TCP + port: 15011 + - protocol: TCP + port: 15012 + - protocol: TCP + port: 8080 + - protocol: TCP + port: 15014 + # Allow all egress (needed because features like JWKS require connections to user-defined endpoints) + egress: + - {} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/poddisruptionbudget.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/poddisruptionbudget.yaml new file mode 100644 index 0000000000..5b8f812faa --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/poddisruptionbudget.yaml @@ -0,0 +1,39 @@ +# Not created if istiod is running remotely +{{- if not .Values.istiodRemote.enabled }} +{{- if .Values.global.defaultPodDisruptionBudget.enabled }} +# a workaround for https://github.com/kubernetes/kubernetes/issues/93476 +{{- if or (and .Values.autoscaleEnabled (gt (int .Values.autoscaleMin) 1)) (and (not .Values.autoscaleEnabled) (gt (int .Values.replicaCount) 1)) }} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + release: {{ .Release.Name }} + istio: pilot + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +spec: + {{- if and .Values.pdb.minAvailable (not (hasKey .Values.pdb "maxUnavailable")) }} + minAvailable: {{ .Values.pdb.minAvailable }} + {{- else if .Values.pdb.maxUnavailable }} + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + {{- end }} + {{- if .Values.pdb.unhealthyPodEvictionPolicy }} + unhealthyPodEvictionPolicy: {{ .Values.pdb.unhealthyPodEvictionPolicy }} + {{- end }} + selector: + matchLabels: + app: istiod + {{- if ne .Values.revision "" }} + istio.io/rev: {{ .Values.revision | quote }} + {{- else }} + istio: pilot + {{- end }} +--- +{{- end }} +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/reader-clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/reader-clusterrole.yaml new file mode 100644 index 0000000000..4707c7e9f0 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/reader-clusterrole.yaml @@ -0,0 +1,64 @@ +{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istio-reader + release: {{ .Release.Name }} + app.kubernetes.io/name: "istio-reader" + {{- include "istio.labels" . | nindent 4 }} +rules: + - apiGroups: + - "config.istio.io" + - "security.istio.io" + - "networking.istio.io" + - "authentication.istio.io" + - "rbac.istio.io" + - "telemetry.istio.io" + - "extensions.istio.io" + resources: ["*"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + # TODO(keithmattix): See if we can conditionally give permission to read secrets and configmaps iff externalIstiod + # is enabled. Best I can tell, these two resources are only needed for configuring proxy TLS (i.e. CA certs). + resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets", "configmaps"] + verbs: ["get", "list", "watch"] + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list" ] + resources: [ "workloadentries" ] + - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] + resources: ["gateways"] + verbs: ["get", "watch", "list"] + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch"] + - apiGroups: ["discovery.k8s.io"] + resources: ["endpointslices"] + verbs: ["get", "list", "watch"] + - apiGroups: ["{{ $mcsAPIGroup }}"] + resources: ["serviceexports"] + verbs: ["get", "list", "watch", "create", "delete"] + - apiGroups: ["{{ $mcsAPIGroup }}"] + resources: ["serviceimports"] + verbs: ["get", "list", "watch"] + - apiGroups: ["apps"] + resources: ["replicasets"] + verbs: ["get", "list", "watch"] + - apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] + - apiGroups: ["authorization.k8s.io"] + resources: ["subjectaccessreviews"] + verbs: ["create"] +{{- if .Values.istiodRemote.enabled }} + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["create", "get", "list", "watch", "update"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update"] +{{- end}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/reader-clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/reader-clusterrolebinding.yaml new file mode 100644 index 0000000000..aea9f01f7a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/reader-clusterrolebinding.yaml @@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istio-reader + release: {{ .Release.Name }} + app.kubernetes.io/name: "istio-reader" + {{- include "istio.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} +subjects: + - kind: ServiceAccount + name: istio-reader-service-account + namespace: {{ .Values.global.istioNamespace }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/remote-istiod-endpoints.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/remote-istiod-endpoints.yaml new file mode 100644 index 0000000000..a6de571da5 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/remote-istiod-endpoints.yaml @@ -0,0 +1,25 @@ +# This file is only used for remote `istiod` installs. +{{- if .Values.istiodRemote.enabled }} +# if the remotePilotAddress is an IP addr +{{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }} +apiVersion: v1 +kind: Endpoints +metadata: + name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +subsets: +- addresses: + - ip: {{ .Values.global.remotePilotAddress }} + ports: + - port: 15012 + name: tcp-istiod + protocol: TCP + - port: 15017 + name: tcp-webhook + protocol: TCP +--- +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/remote-istiod-service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/remote-istiod-service.yaml new file mode 100644 index 0000000000..d3f872f74b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/remote-istiod-service.yaml @@ -0,0 +1,35 @@ +# This file is only used for remote `istiod` installs. +{{- if .Values.global.remotePilotAddress }} +apiVersion: v1 +kind: Service +metadata: + name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: "istiod" + {{ include "istio.labels" . | nindent 4 }} +spec: + ports: + - port: 15012 + name: tcp-istiod + protocol: TCP + - port: 443 + targetPort: 15017 + name: tcp-webhook + protocol: TCP + {{- if and .Values.global.remotePilotAddress (not (regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress)) }} + # if the remotePilotAddress is not an IP addr, we use ExternalName + type: ExternalName + externalName: {{ .Values.global.remotePilotAddress }} + {{- end }} +{{- if .Values.global.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.global.ipFamilyPolicy }} +{{- end }} +{{- if .Values.global.ipFamilies }} + ipFamilies: +{{- range .Values.global.ipFamilies }} + - {{ . }} +{{- end }} +{{- end }} +--- +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/revision-tags.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/revision-tags.yaml new file mode 100644 index 0000000000..e45b5e1d49 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/revision-tags.yaml @@ -0,0 +1,148 @@ +# Adapted from istio-discovery/templates/mutatingwebhook.yaml +# Removed paths for legacy and default selectors since a revision tag +# is inherently created from a specific revision +# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that. +{{- $whv := dict + "revision" .Values.revision + "injectionPath" .Values.istiodRemote.injectionPath + "injectionURL" .Values.istiodRemote.injectionURL + "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy + "namespace" .Release.Namespace }} +{{- define "core" }} +{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign +a unique prefix to each. */}} +- name: {{.Prefix}}sidecar-injector.istio.io + clientConfig: + {{- if .injectionURL }} + url: "{{ .injectionURL }}" + {{- else }} + service: + name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} + namespace: {{ .namespace }} + path: "{{ .injectionPath }}" + port: 443 + {{- end }} + sideEffects: None + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + reinvocationPolicy: "{{ .reinvocationPolicy }}" + admissionReviewVersions: ["v1"] +{{- end }} +{{- range $tagName := $.Values.revisionTags }} +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: +{{- if eq $.Release.Namespace "istio-system"}} + name: istio-revision-tag-{{ $tagName }} +{{- else }} + name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }} +{{- end }} + labels: + istio.io/tag: {{ $tagName }} + istio.io/rev: {{ $.Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app: sidecar-injector + release: {{ $.Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" $ | nindent 4 }} +{{- if $.Values.sidecarInjectorWebhookAnnotations }} + annotations: +{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }} +{{- end }} +webhooks: +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + - "{{ $tagName }}" + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: DoesNotExist + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + - key: istio.io/rev + operator: In + values: + - "{{ $tagName }}" + +{{- /* When the tag is "default" we want to create webhooks for the default revision */}} +{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}} +{{- if (eq $tagName "default") }} + +{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: In + values: + - enabled + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + +{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: In + values: + - "true" + - key: istio.io/rev + operator: DoesNotExist + +{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }} +{{- /* Special case 3: no labels at all */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + - key: "kubernetes.io/metadata.name" + operator: "NotIn" + values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist +{{- end }} + +{{- end }} +--- +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/role.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/role.yaml new file mode 100644 index 0000000000..10d89e8d1b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/role.yaml @@ -0,0 +1,35 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +rules: +# permissions to verify the webhook is ready and rejecting +# invalid config. We use --server-dry-run so no config is persisted. +- apiGroups: ["networking.istio.io"] + verbs: ["create"] + resources: ["gateways"] + +# For storing CA secret +- apiGroups: [""] + resources: ["secrets"] + # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config + verbs: ["create", "get", "watch", "list", "update", "delete"] + +# For status controller, so it can delete the distribution report configmap +- apiGroups: [""] + resources: ["configmaps"] + verbs: ["delete"] + +# For gateway deployment controller +- apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "update", "patch", "create"] +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/rolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/rolebinding.yaml new file mode 100644 index 0000000000..a42f4ec442 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/rolebinding.yaml @@ -0,0 +1,21 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} +subjects: + - kind: ServiceAccount + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/service.yaml new file mode 100644 index 0000000000..30d5b89128 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/service.yaml @@ -0,0 +1,54 @@ +# Not created if istiod is running remotely +{{- if not .Values.istiodRemote.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + {{- if .Values.serviceAnnotations }} + annotations: +{{ toYaml .Values.serviceAnnotations | indent 4 }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app: istiod + istio: pilot + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +spec: + ports: + - port: 15010 + name: grpc-xds # plaintext + protocol: TCP + - port: 15012 + name: https-dns # mTLS with k8s-signed cert + protocol: TCP + - port: 443 + name: https-webhook # validation and injection + targetPort: 15017 + protocol: TCP + - port: 15014 + name: http-monitoring # prometheus stats + protocol: TCP + selector: + app: istiod + {{- if ne .Values.revision "" }} + istio.io/rev: {{ .Values.revision | quote }} + {{- else }} + # Label used by the 'default' service. For versioned deployments we match with app and version. + # This avoids default deployment picking the canary + istio: pilot + {{- end }} + {{- if .Values.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.ipFamilyPolicy }} + {{- end }} + {{- if .Values.ipFamilies }} + ipFamilies: + {{- range .Values.ipFamilies }} + - {{ . }} + {{- end }} + {{- end }} +--- +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/serviceaccount.yaml new file mode 100644 index 0000000000..a673a4d078 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/serviceaccount.yaml @@ -0,0 +1,24 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} +apiVersion: v1 +kind: ServiceAccount + {{- if .Values.global.imagePullSecrets }} +imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} + {{- if .Values.serviceAccountAnnotations }} + annotations: +{{- toYaml .Values.serviceAccountAnnotations | nindent 4 }} + {{- end }} +{{- end }} +--- diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/validatingadmissionpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/validatingadmissionpolicy.yaml new file mode 100644 index 0000000000..d36eef68eb --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/validatingadmissionpolicy.yaml @@ -0,0 +1,63 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} +{{- if .Values.experimental.stableValidationPolicy }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicy +metadata: + name: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" + labels: + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +spec: + failurePolicy: Fail + matchConstraints: + resourceRules: + - apiGroups: + - security.istio.io + - networking.istio.io + - telemetry.istio.io + - extensions.istio.io + apiVersions: ["*"] + operations: ["CREATE", "UPDATE"] + resources: ["*"] + objectSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + {{- if (eq .Values.revision "") }} + - "default" + {{- else }} + - "{{ .Values.revision }}" + {{- end }} + variables: + - name: isEnvoyFilter + expression: "object.kind == 'EnvoyFilter'" + - name: isWasmPlugin + expression: "object.kind == 'WasmPlugin'" + - name: isProxyConfig + expression: "object.kind == 'ProxyConfig'" + - name: isTelemetry + expression: "object.kind == 'Telemetry'" + validations: + - expression: "!variables.isEnvoyFilter" + - expression: "!variables.isWasmPlugin" + - expression: "!variables.isProxyConfig" + - expression: | + !( + variables.isTelemetry && ( + (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) || + (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) || + (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter)) + ) + ) +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicyBinding +metadata: + name: "stable-channel-policy-binding{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" +spec: + policyName: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" + validationActions: [Deny] +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/validatingwebhookconfiguration.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/validatingwebhookconfiguration.yaml new file mode 100644 index 0000000000..fb28836a0f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/validatingwebhookconfiguration.yaml @@ -0,0 +1,68 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (and .Values.istiodRemote.enabled .Values.global.configCluster) (not .Values.istiodRemote.enabled) }} +{{- if .Values.global.configValidation }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: istio-validator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} + istio: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +webhooks: + # Webhook handling per-revision validation. Mostly here so we can determine whether webhooks + # are rejecting invalid configs on a per-revision basis. + - name: rev.validation.istio.io + clientConfig: + # Should change from base but cannot for API compat + {{- if .Values.base.validationURL }} + url: {{ .Values.base.validationURL }} + {{- else }} + service: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} + path: "/validate" + {{- end }} + {{- if .Values.base.validationCABundle }} + caBundle: "{{ .Values.base.validationCABundle }}" + {{- end }} + rules: + - operations: + - CREATE + - UPDATE + apiGroups: + - security.istio.io + - networking.istio.io + - telemetry.istio.io + - extensions.istio.io + apiVersions: + - "*" + resources: + - "*" + {{- if .Values.base.validationCABundle }} + # Disable webhook controller in Pilot to stop patching it + failurePolicy: Fail + {{- else }} + # Fail open until the validation webhook is ready. The webhook controller + # will update this to `Fail` and patch in the `caBundle` when the webhook + # endpoint is ready. + failurePolicy: Ignore + {{- end }} + sideEffects: None + admissionReviewVersions: ["v1"] + objectSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + {{- if (eq .Values.revision "") }} + - "default" + {{- else }} + - "{{ .Values.revision }}" + {{- end }} +--- +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/zzy_descope_legacy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/zzy_descope_legacy.yaml new file mode 100644 index 0000000000..ae8fced298 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/zzy_descope_legacy.yaml @@ -0,0 +1,3 @@ +{{/* Copy anything under `.pilot` to `.`, to avoid the need to specify a redundant prefix. +Due to the file naming, this always happens after zzz_profile.yaml */}} +{{- $_ := mustMergeOverwrite $.Values (index $.Values "pilot") }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/zzz_profile.yaml new file mode 100644 index 0000000000..3d84956485 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/templates/zzz_profile.yaml @@ -0,0 +1,75 @@ +{{/* +WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. +The original version of this file is located at /manifests directory. +If you want to make a change in this file, edit the original one and run "make gen". + +Complex logic ahead... +We have three sets of values, in order of precedence (last wins): +1. The builtin values.yaml defaults +2. The profile the user selects +3. Users input (-f or --set) + +Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). + +However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). +We can then merge the profile onto the defaults, then the user settings onto that. +Finally, we can set all of that under .Values so the chart behaves without awareness. +*/}} +{{- if $.Values.defaults}} +{{ fail (cat + "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" + ($.Values.defaults | toYaml |nindent 4) +) }} +{{- end }} +{{- $defaults := $.Values._internal_defaults_do_not_set }} +{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} +{{- $profile := dict }} +{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} +{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} +{{- $profile = (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown profile" .) }} +{{- end }} +{{- end }} +{{- with .Values.compatibilityVersion }} +{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} +{{- end }} +{{- end }} +{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} +{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown platform" .) }} +{{- end }} +{{- end }} +{{- if $profile }} +{{- $a := mustMergeOverwrite $defaults $profile }} +{{- end }} +# Flatten globals, if defined on a per-chart basis +{{- if false }} +{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} +{{- end }} +{{- $x := set $.Values "_original" (deepCopy $.Values) }} +{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} + +{{/* +Labels that should be applied to ALL resources. +*/}} +{{- define "istio.labels" -}} +{{- if .Release.Service -}} +app.kubernetes.io/managed-by: {{ .Release.Service | quote }} +{{- end }} +{{- if .Release.Name }} +app.kubernetes.io/instance: {{ .Release.Name | quote }} +{{- end }} +app.kubernetes.io/part-of: "istio" +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +{{- if and .Chart.Name .Chart.Version }} +helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/values.yaml new file mode 100644 index 0000000000..91b2c13102 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/istiod/values.yaml @@ -0,0 +1,567 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + autoscaleEnabled: true + autoscaleMin: 1 + autoscaleMax: 5 + autoscaleBehavior: {} + replicaCount: 1 + rollingMaxSurge: 100% + rollingMaxUnavailable: 25% + + hub: "" + tag: "" + variant: "" + + # Can be a full hub/image:tag + image: pilot + traceSampling: 1.0 + + # Resources for a small pilot install + resources: + requests: + cpu: 500m + memory: 2048Mi + + # Set to `type: RuntimeDefault` to use the default profile if available. + seccompProfile: {} + + # Whether to use an existing CNI installation + cni: + enabled: false + provider: default + + # Additional container arguments + extraContainerArgs: [] + + env: {} + + envVarFrom: [] + + # Settings related to the untaint controller + # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready + # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes + taint: + # Controls whether or not the untaint controller is active + enabled: false + # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod + namespace: "" + + affinity: {} + + tolerations: [] + + cpu: + targetAverageUtilization: 80 + memory: {} + # targetAverageUtilization: 80 + + # Additional volumeMounts to the istiod container + volumeMounts: [] + + # Additional volumes to the istiod pod + volumes: [] + + # Inject initContainers into the istiod pod + initContainers: [] + + nodeSelector: {} + podAnnotations: {} + serviceAnnotations: {} + serviceAccountAnnotations: {} + sidecarInjectorWebhookAnnotations: {} + + topologySpreadConstraints: [] + + # You can use jwksResolverExtraRootCA to provide a root certificate + # in PEM format. This will then be trusted by pilot when resolving + # JWKS URIs. + jwksResolverExtraRootCA: "" + + # The following is used to limit how long a sidecar can be connected + # to a pilot. It balances out load across pilot instances at the cost of + # increasing system churn. + keepaliveMaxServerConnectionAge: 30m + + # Additional labels to apply to the deployment. + deploymentLabels: {} + + ## Mesh config settings + + # Install the mesh config map, generated from values.yaml. + # If false, pilot wil use default values (by default) or user-supplied values. + configMap: true + + # Additional labels to apply on the pod level for monitoring and logging configuration. + podLabels: {} + + # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + ipFamilyPolicy: "" + ipFamilies: [] + + # Ambient mode only. + # Set this if you install ztunnel to a different namespace from `istiod`. + # If set, `istiod` will allow connections from trusted node proxy ztunnels + # in the provided namespace. + # If unset, `istiod` will assume the trusted node proxy ztunnel resides + # in the same namespace as itself. + trustedZtunnelNamespace: "" + # Set this if you install ztunnel with a name different from the default. + trustedZtunnelName: "" + + sidecarInjectorWebhook: + # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or + # always skip the injection on pods that match that label selector, regardless of the global policy. + # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions + neverInjectSelector: [] + alwaysInjectSelector: [] + + # injectedAnnotations are additional annotations that will be added to the pod spec after injection + # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations: + # + # annotations: + # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default + # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default + # + # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before + # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify: + # injectedAnnotations: + # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default + # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default + injectedAnnotations: {} + + # This enables injection of sidecar in all namespaces, + # with the exception of namespaces with "istio-injection:disabled" annotation + # Only one environment should have this enabled. + enableNamespacesByDefault: false + + # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run + # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten. + # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur. + reinvocationPolicy: Never + + rewriteAppHTTPProbe: true + + # Templates defines a set of custom injection templates that can be used. For example, defining: + # + # templates: + # hello: | + # metadata: + # labels: + # hello: world + # + # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod + # being injected with the hello=world labels. + # This is intended for advanced configuration only; most users should use the built in template + templates: {} + + # Default templates specifies a set of default templates that are used in sidecar injection. + # By default, a template `sidecar` is always provided, which contains the template of default sidecar. + # To inject other additional templates, define it using the `templates` option, and add it to + # the default templates list. + # For example: + # + # templates: + # hello: | + # metadata: + # labels: + # hello: world + # + # defaultTemplates: ["sidecar", "hello"] + defaultTemplates: [] + istiodRemote: + # If `true`, indicates that this cluster/install should consume a "remote istiod" installation, + # and istiod itself will NOT be installed in this cluster - only the support resources necessary + # to utilize a remote instance. + enabled: false + # Sidecar injector mutating webhook configuration clientConfig.url value. + # For example: https://$remotePilotAddress:15017/inject + # The host should not refer to a service running in the cluster; use a service reference by specifying + # the clientConfig.service field instead. + injectionURL: "" + + # Sidecar injector mutating webhook configuration path value for the clientConfig.service field. + # Override to pass env variables, for example: /inject/cluster/remote/net/network2 + injectionPath: "/inject" + + injectionCABundle: "" + telemetry: + enabled: true + v2: + # For Null VM case now. + # This also enables metadata exchange. + enabled: true + # Indicate if prometheus stats filter is enabled or not + prometheus: + enabled: true + # stackdriver filter settings. + stackdriver: + enabled: false + # Revision is set as 'version' label and part of the resource names when installing multiple control planes. + revision: "" + + # Revision tags are aliases to Istio control plane revisions + revisionTags: [] + + # For Helm compatibility. + ownerName: "" + + # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior + # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options + meshConfig: + enablePrometheusMerge: true + + experimental: + stableValidationPolicy: false + + global: + # Used to locate istiod. + istioNamespace: istio-system + # List of cert-signers to allow "approve" action in the istio cluster role + # + # certSigners: + # - clusterissuers.cert-manager.io/istio-ca + certSigners: [] + # enable pod disruption budget for the control plane, which is used to + # ensure Istio control plane components are gradually upgraded or recovered. + defaultPodDisruptionBudget: + enabled: true + # The values aren't mutable due to a current PodDisruptionBudget limitation + # minAvailable: 1 + + # A minimal set of requested resources to applied to all deployments so that + # Horizontal Pod Autoscaler will be able to function (if set). + # Each component can overwrite these default values by adding its own resources + # block in the relevant section below and setting the desired resources values. + defaultResources: + requests: + cpu: 10m + # memory: 128Mi + # limits: + # cpu: 100m + # memory: 128Mi + + # Default hub for Istio images. + # Releases are published to docker hub under 'istio' project. + # Dev builds from prow are on gcr.io + hub: gcr.io/istio-release + # Default tag for Istio images. + tag: 1.26.8 + # Variant of the image to use. + # Currently supported are: [debug, distroless] + variant: "" + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent. + imagePullPolicy: "" + + # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) + # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + # - private-registry-key + + # Enabled by default in master for maximising testing. + istiod: + enableAnalysis: false + + # To output all istio components logs in json format by adding --log_as_json argument to each container argument + logAsJson: false + + # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: + # The control plane has different scopes depending on component, but can configure default log level across all components + # If empty, default scope and level will be used as configured in code + logging: + level: "default:info" + + # When enabled, default NetworkPolicy resources will be created + networkPolicy: + enabled: false + + omitSidecarInjectorConfigMap: false + + # Configure whether Operator manages webhook configurations. The current behavior + # of Istiod is to manage its own webhook configurations. + # When this option is set as true, Istio Operator, instead of webhooks, manages the + # webhook configurations. When this option is set as false, webhooks manage their + # own webhook configurations. + operatorManageWebhooks: false + + # Custom DNS config for the pod to resolve names of services in other + # clusters. Use this to add additional search domains, and other settings. + # see + # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config + # This does not apply to gateway pods as they typically need a different + # set of DNS settings than the normal application pods (e.g., in + # multicluster scenarios). + # NOTE: If using templates, follow the pattern in the commented example below. + #podDNSSearchNamespaces: + #- global + #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global" + + # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and + # system-node-critical, it is better to configure this in order to make sure your Istio pods + # will not be killed because of low priority class. + # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + # for more detail. + priorityClassName: "" + + proxy: + image: proxyv2 + + # This controls the 'policy' in the sidecar injector. + autoInject: enabled + + # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value + # cluster domain. Default value is "cluster.local". + clusterDomain: "cluster.local" + + # Per Component log level for proxy, applies to gateways and sidecars. If a component level is + # not set, then the global "logLevel" will be used. + componentLogLevel: "misc:error" + + # istio ingress capture allowlist + # examples: + # Redirect only selected ports: --includeInboundPorts="80,8080" + excludeInboundPorts: "" + includeInboundPorts: "*" + + # istio egress capture allowlist + # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly + # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" + # would only capture egress traffic on those two IP Ranges, all other outbound traffic would + # be allowed by the sidecar + includeIPRanges: "*" + excludeIPRanges: "" + includeOutboundPorts: "" + excludeOutboundPorts: "" + + # Log level for proxy, applies to gateways and sidecars. + # Expected values are: trace|debug|info|warning|error|critical|off + logLevel: warning + + # Specify the path to the outlier event log. + # Example: /dev/stdout + outlierLogPath: "" + + #If set to true, istio-proxy container will have privileged securityContext + privileged: false + + # The number of successive failed probes before indicating readiness failure. + readinessFailureThreshold: 4 + + # The initial delay for readiness probes in seconds. + readinessInitialDelaySeconds: 0 + + # The period between readiness probes. + readinessPeriodSeconds: 15 + + # Enables or disables a startup probe. + # For optimal startup times, changing this should be tied to the readiness probe values. + # + # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4. + # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval), + # and doesn't spam the readiness endpoint too much + # + # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30. + # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly. + startupProbe: + enabled: true + failureThreshold: 600 # 10 minutes + + # Resources for the sidecar. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 1024Mi + + # Default port for Pilot agent health checks. A value of 0 will disable health checking. + statusPort: 15020 + + # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none. + # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. + tracer: "none" + + proxy_init: + # Base name for the proxy_init container, used to configure iptables. + image: proxyv2 + # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures. + # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases. + forceApplyIptables: false + + # configure remote pilot and istiod service and endpoint + remotePilotAddress: "" + + ############################################################################################## + # The following values are found in other charts. To effectively modify these values, make # + # make sure they are consistent across your Istio helm charts # + ############################################################################################## + + # The customized CA address to retrieve certificates for the pods in the cluster. + # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. + # If not set explicitly, default to the Istio discovery address. + caAddress: "" + + # Enable control of remote clusters. + externalIstiod: false + + # Configure a remote cluster as the config cluster for an external istiod. + configCluster: false + + # configValidation enables the validation webhook for Istio configuration. + configValidation: true + + # Mesh ID means Mesh Identifier. It should be unique within the scope where + # meshes will interact with each other, but it is not required to be + # globally/universally unique. For example, if any of the following are true, + # then two meshes must have different Mesh IDs: + # - Meshes will have their telemetry aggregated in one place + # - Meshes will be federated together + # - Policy will be written referencing one mesh from the other + # + # If an administrator expects that any of these conditions may become true in + # the future, they should ensure their meshes have different Mesh IDs + # assigned. + # + # Within a multicluster mesh, each cluster must be (manually or auto) + # configured to have the same Mesh ID value. If an existing cluster 'joins' a + # multicluster mesh, it will need to be migrated to the new mesh ID. Details + # of migration TBD, and it may be a disruptive operation to change the Mesh + # ID post-install. + # + # If the mesh admin does not specify a value, Istio will use the value of the + # mesh's Trust Domain. The best practice is to select a proper Trust Domain + # value. + meshID: "" + + # Configure the mesh networks to be used by the Split Horizon EDS. + # + # The following example defines two networks with different endpoints association methods. + # For `network1` all endpoints that their IP belongs to the provided CIDR range will be + # mapped to network1. The gateway for this network example is specified by its public IP + # address and port. + # The second network, `network2`, in this example is defined differently with all endpoints + # retrieved through the specified Multi-Cluster registry being mapped to network2. The + # gateway is also defined differently with the name of the gateway service on the remote + # cluster. The public IP for the gateway will be determined from that remote service (only + # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, + # it still need to be configured manually). + # + # meshNetworks: + # network1: + # endpoints: + # - fromCidr: "192.168.0.1/24" + # gateways: + # - address: 1.1.1.1 + # port: 80 + # network2: + # endpoints: + # - fromRegistry: reg1 + # gateways: + # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local + # port: 443 + # + meshNetworks: {} + + # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. + mountMtlsCerts: false + + multiCluster: + # Set to true to connect two kubernetes clusters via their respective + # ingressgateway services when pods in each cluster cannot directly + # talk to one another. All clusters should be using Istio mTLS and must + # have a shared root CA for this model to work. + enabled: false + # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection + # to properly label proxies + clusterName: "" + + # Network defines the network this cluster belong to. This name + # corresponds to the networks in the map of mesh networks. + network: "" + + # Configure the certificate provider for control plane communication. + # Currently, two providers are supported: "kubernetes" and "istiod". + # As some platforms may not have kubernetes signing APIs, + # Istiod is the default + pilotCertProvider: istiod + + sds: + # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. + # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the + # JWT is intended for the CA. + token: + aud: istio-ca + + sts: + # The service port used by Security Token Service (STS) server to handle token exchange requests. + # Setting this port to a non-zero value enables STS server. + servicePort: 0 + + # The name of the CA for workload certificates. + # For example, when caName=GkeWorkloadCertificate, GKE workload certificates + # will be used as the certificates for workloads. + # The default value is "" and when caName="", the CA will be configured by other + # mechanisms (e.g., environmental variable CA_PROVIDER). + caName: "" + + waypoint: + # Resources for the waypoint proxy. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: "2" + memory: 1Gi + + # If specified, affinity defines the scheduling constraints of waypoint pods. + affinity: {} + + # Topology Spread Constraints for the waypoint proxy. + topologySpreadConstraints: [] + + # Node labels for the waypoint proxy. + nodeSelector: {} + + # Tolerations for the waypoint proxy. + tolerations: [] + + base: + # For istioctl usage to disable istio config crds in base + enableIstioConfigCRDs: true + + # Gateway Settings + gateways: + # Define the security context for the pod. + # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. + # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. + securityContext: {} + + # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it + seccompProfile: {} + + # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass. + # For example: + # gatewayClasses: + # istio: + # service: + # spec: + # type: ClusterIP + # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field. + gatewayClasses: {} + + pdb: + # -- Minimum available pods set in PodDisruptionBudget. + # Define either 'minAvailable' or 'maxUnavailable', never both. + minAvailable: 1 + # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored. + # maxUnavailable: 1 + # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget. + # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/ + unhealthyPodEvictionPolicy: "" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/Chart.yaml new file mode 100644 index 0000000000..80dfc7df32 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/Chart.yaml @@ -0,0 +1,8 @@ +apiVersion: v2 +appVersion: 1.26.8 +description: Helm chart for istio revision tags +name: revisiontags +sources: +- https://github.com/istio-ecosystem/sail-operator +version: 0.1.0 + diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/files/profile-ambient.yaml new file mode 100644 index 0000000000..2805fe46bf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/files/profile-ambient.yaml @@ -0,0 +1,17 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/files/profile-compatibility-version-1.23.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/files/profile-compatibility-version-1.23.yaml new file mode 100644 index 0000000000..dac910ff5b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/files/profile-compatibility-version-1.23.yaml @@ -0,0 +1,25 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + ENABLE_INBOUND_RETRY_POLICY: "false" + EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" + +ambient: + # Not present in <1.24, defaults to `true` in 1.25+ + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 0000000000..b211c82666 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/files/profile-compatibility-version-1.24.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + PILOT_ENABLE_IP_AUTOALLOCATE: "false" +ambient: + dnsCapture: false + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..eb8827cd50 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/files/profile-demo.yaml new file mode 100644 index 0000000000..d6dc36dd0f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/files/profile-demo.yaml @@ -0,0 +1,94 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The demo profile enables a variety of things to try out Istio in non-production environments. +# * Lower resource utilization. +# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. +# * More ports enabled on the ingress, which is used in some tasks. +meshConfig: + accessLogFile: /dev/stdout + extensionProviders: + - name: otel + envoyOtelAls: + service: opentelemetry-collector.observability.svc.cluster.local + port: 4317 + - name: skywalking + skywalking: + service: tracing.istio-system.svc.cluster.local + port: 11800 + - name: otel-tracing + opentelemetry: + port: 4317 + service: opentelemetry-collector.observability.svc.cluster.local + - name: jaeger + opentelemetry: + port: 4317 + service: jaeger-collector.istio-system.svc.cluster.local + +cni: + resources: + requests: + cpu: 10m + memory: 40Mi + +ztunnel: + resources: + requests: + cpu: 10m + memory: 40Mi + +global: + proxy: + resources: + requests: + cpu: 10m + memory: 40Mi + waypoint: + resources: + requests: + cpu: 10m + memory: 40Mi + +pilot: + autoscaleEnabled: false + traceSampling: 100 + resources: + requests: + cpu: 10m + memory: 100Mi + +gateways: + istio-egressgateway: + autoscaleEnabled: false + resources: + requests: + cpu: 10m + memory: 40Mi + istio-ingressgateway: + autoscaleEnabled: false + ports: + ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. + # Note that AWS ELB will by default perform health checks on the first port + # on this list. Setting this to the health check port will ensure that health + # checks always work. https://github.com/istio/istio/issues/12503 + - port: 15021 + targetPort: 15021 + name: status-port + - port: 80 + targetPort: 8080 + name: http2 + - port: 443 + targetPort: 8443 + name: https + - port: 31400 + targetPort: 31400 + name: tcp + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + resources: + requests: + cpu: 10m + memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/files/profile-platform-gke.yaml new file mode 100644 index 0000000000..dfe8a7d741 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/files/profile-platform-gke.yaml @@ -0,0 +1,10 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work + resourceQuotas: + enabled: true +resourceQuotas: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/files/profile-platform-k3d.yaml new file mode 100644 index 0000000000..cd86d9ec58 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/files/profile-platform-k3d.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/files/profile-platform-k3s.yaml new file mode 100644 index 0000000000..07820106d9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/files/profile-platform-k3s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/files/profile-platform-microk8s.yaml new file mode 100644 index 0000000000..57d7f5e3cd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/files/profile-platform-microk8s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/snap/microk8s/current/args/cni-network + cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/files/profile-platform-minikube.yaml new file mode 100644 index 0000000000..fa9992e204 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/files/profile-platform-minikube.yaml @@ -0,0 +1,6 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/files/profile-platform-openshift.yaml new file mode 100644 index 0000000000..8ddc5e1654 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/files/profile-platform-openshift.yaml @@ -0,0 +1,19 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The OpenShift profile provides a basic set of settings to run Istio on OpenShift +cni: + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + provider: "multus" +pilot: + cni: + enabled: true + provider: "multus" +seLinuxOptions: + type: spc_t +# Openshift requires privileged pods to run in kube-system +trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/files/profile-preview.yaml new file mode 100644 index 0000000000..181d7bda2c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/files/profile-preview.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +meshConfig: + defaultConfig: + proxyMetadata: + # Enable Istio agent to handle DNS requests for known hosts + # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf + ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/files/profile-remote.yaml new file mode 100644 index 0000000000..d17b9a801a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/files/profile-remote.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. +istiodRemote: + enabled: true +configMap: false +telemetry: + enabled: false +global: + # TODO BML maybe a different profile for a configcluster/revisit this + omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/files/profile-stable.yaml new file mode 100644 index 0000000000..358282e69b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/files/profile-stable.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The stable profile deploys admission control to ensure that only stable resources and fields are used +# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE +experimental: + stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/templates/revision-tags.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/templates/revision-tags.yaml new file mode 100644 index 0000000000..e45b5e1d49 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/templates/revision-tags.yaml @@ -0,0 +1,148 @@ +# Adapted from istio-discovery/templates/mutatingwebhook.yaml +# Removed paths for legacy and default selectors since a revision tag +# is inherently created from a specific revision +# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that. +{{- $whv := dict + "revision" .Values.revision + "injectionPath" .Values.istiodRemote.injectionPath + "injectionURL" .Values.istiodRemote.injectionURL + "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy + "namespace" .Release.Namespace }} +{{- define "core" }} +{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign +a unique prefix to each. */}} +- name: {{.Prefix}}sidecar-injector.istio.io + clientConfig: + {{- if .injectionURL }} + url: "{{ .injectionURL }}" + {{- else }} + service: + name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} + namespace: {{ .namespace }} + path: "{{ .injectionPath }}" + port: 443 + {{- end }} + sideEffects: None + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + reinvocationPolicy: "{{ .reinvocationPolicy }}" + admissionReviewVersions: ["v1"] +{{- end }} +{{- range $tagName := $.Values.revisionTags }} +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: +{{- if eq $.Release.Namespace "istio-system"}} + name: istio-revision-tag-{{ $tagName }} +{{- else }} + name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }} +{{- end }} + labels: + istio.io/tag: {{ $tagName }} + istio.io/rev: {{ $.Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app: sidecar-injector + release: {{ $.Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" $ | nindent 4 }} +{{- if $.Values.sidecarInjectorWebhookAnnotations }} + annotations: +{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }} +{{- end }} +webhooks: +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + - "{{ $tagName }}" + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: DoesNotExist + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + - key: istio.io/rev + operator: In + values: + - "{{ $tagName }}" + +{{- /* When the tag is "default" we want to create webhooks for the default revision */}} +{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}} +{{- if (eq $tagName "default") }} + +{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: In + values: + - enabled + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + +{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: In + values: + - "true" + - key: istio.io/rev + operator: DoesNotExist + +{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }} +{{- /* Special case 3: no labels at all */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + - key: "kubernetes.io/metadata.name" + operator: "NotIn" + values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist +{{- end }} + +{{- end }} +--- +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/templates/zzz_profile.yaml new file mode 100644 index 0000000000..3d84956485 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/templates/zzz_profile.yaml @@ -0,0 +1,75 @@ +{{/* +WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. +The original version of this file is located at /manifests directory. +If you want to make a change in this file, edit the original one and run "make gen". + +Complex logic ahead... +We have three sets of values, in order of precedence (last wins): +1. The builtin values.yaml defaults +2. The profile the user selects +3. Users input (-f or --set) + +Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). + +However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). +We can then merge the profile onto the defaults, then the user settings onto that. +Finally, we can set all of that under .Values so the chart behaves without awareness. +*/}} +{{- if $.Values.defaults}} +{{ fail (cat + "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" + ($.Values.defaults | toYaml |nindent 4) +) }} +{{- end }} +{{- $defaults := $.Values._internal_defaults_do_not_set }} +{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} +{{- $profile := dict }} +{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} +{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} +{{- $profile = (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown profile" .) }} +{{- end }} +{{- end }} +{{- with .Values.compatibilityVersion }} +{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} +{{- end }} +{{- end }} +{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} +{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown platform" .) }} +{{- end }} +{{- end }} +{{- if $profile }} +{{- $a := mustMergeOverwrite $defaults $profile }} +{{- end }} +# Flatten globals, if defined on a per-chart basis +{{- if false }} +{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} +{{- end }} +{{- $x := set $.Values "_original" (deepCopy $.Values) }} +{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} + +{{/* +Labels that should be applied to ALL resources. +*/}} +{{- define "istio.labels" -}} +{{- if .Release.Service -}} +app.kubernetes.io/managed-by: {{ .Release.Service | quote }} +{{- end }} +{{- if .Release.Name }} +app.kubernetes.io/instance: {{ .Release.Name | quote }} +{{- end }} +app.kubernetes.io/part-of: "istio" +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +{{- if and .Chart.Name .Chart.Version }} +helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/values.yaml new file mode 100644 index 0000000000..91b2c13102 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/revisiontags/values.yaml @@ -0,0 +1,567 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + autoscaleEnabled: true + autoscaleMin: 1 + autoscaleMax: 5 + autoscaleBehavior: {} + replicaCount: 1 + rollingMaxSurge: 100% + rollingMaxUnavailable: 25% + + hub: "" + tag: "" + variant: "" + + # Can be a full hub/image:tag + image: pilot + traceSampling: 1.0 + + # Resources for a small pilot install + resources: + requests: + cpu: 500m + memory: 2048Mi + + # Set to `type: RuntimeDefault` to use the default profile if available. + seccompProfile: {} + + # Whether to use an existing CNI installation + cni: + enabled: false + provider: default + + # Additional container arguments + extraContainerArgs: [] + + env: {} + + envVarFrom: [] + + # Settings related to the untaint controller + # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready + # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes + taint: + # Controls whether or not the untaint controller is active + enabled: false + # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod + namespace: "" + + affinity: {} + + tolerations: [] + + cpu: + targetAverageUtilization: 80 + memory: {} + # targetAverageUtilization: 80 + + # Additional volumeMounts to the istiod container + volumeMounts: [] + + # Additional volumes to the istiod pod + volumes: [] + + # Inject initContainers into the istiod pod + initContainers: [] + + nodeSelector: {} + podAnnotations: {} + serviceAnnotations: {} + serviceAccountAnnotations: {} + sidecarInjectorWebhookAnnotations: {} + + topologySpreadConstraints: [] + + # You can use jwksResolverExtraRootCA to provide a root certificate + # in PEM format. This will then be trusted by pilot when resolving + # JWKS URIs. + jwksResolverExtraRootCA: "" + + # The following is used to limit how long a sidecar can be connected + # to a pilot. It balances out load across pilot instances at the cost of + # increasing system churn. + keepaliveMaxServerConnectionAge: 30m + + # Additional labels to apply to the deployment. + deploymentLabels: {} + + ## Mesh config settings + + # Install the mesh config map, generated from values.yaml. + # If false, pilot wil use default values (by default) or user-supplied values. + configMap: true + + # Additional labels to apply on the pod level for monitoring and logging configuration. + podLabels: {} + + # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + ipFamilyPolicy: "" + ipFamilies: [] + + # Ambient mode only. + # Set this if you install ztunnel to a different namespace from `istiod`. + # If set, `istiod` will allow connections from trusted node proxy ztunnels + # in the provided namespace. + # If unset, `istiod` will assume the trusted node proxy ztunnel resides + # in the same namespace as itself. + trustedZtunnelNamespace: "" + # Set this if you install ztunnel with a name different from the default. + trustedZtunnelName: "" + + sidecarInjectorWebhook: + # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or + # always skip the injection on pods that match that label selector, regardless of the global policy. + # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions + neverInjectSelector: [] + alwaysInjectSelector: [] + + # injectedAnnotations are additional annotations that will be added to the pod spec after injection + # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations: + # + # annotations: + # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default + # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default + # + # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before + # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify: + # injectedAnnotations: + # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default + # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default + injectedAnnotations: {} + + # This enables injection of sidecar in all namespaces, + # with the exception of namespaces with "istio-injection:disabled" annotation + # Only one environment should have this enabled. + enableNamespacesByDefault: false + + # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run + # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten. + # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur. + reinvocationPolicy: Never + + rewriteAppHTTPProbe: true + + # Templates defines a set of custom injection templates that can be used. For example, defining: + # + # templates: + # hello: | + # metadata: + # labels: + # hello: world + # + # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod + # being injected with the hello=world labels. + # This is intended for advanced configuration only; most users should use the built in template + templates: {} + + # Default templates specifies a set of default templates that are used in sidecar injection. + # By default, a template `sidecar` is always provided, which contains the template of default sidecar. + # To inject other additional templates, define it using the `templates` option, and add it to + # the default templates list. + # For example: + # + # templates: + # hello: | + # metadata: + # labels: + # hello: world + # + # defaultTemplates: ["sidecar", "hello"] + defaultTemplates: [] + istiodRemote: + # If `true`, indicates that this cluster/install should consume a "remote istiod" installation, + # and istiod itself will NOT be installed in this cluster - only the support resources necessary + # to utilize a remote instance. + enabled: false + # Sidecar injector mutating webhook configuration clientConfig.url value. + # For example: https://$remotePilotAddress:15017/inject + # The host should not refer to a service running in the cluster; use a service reference by specifying + # the clientConfig.service field instead. + injectionURL: "" + + # Sidecar injector mutating webhook configuration path value for the clientConfig.service field. + # Override to pass env variables, for example: /inject/cluster/remote/net/network2 + injectionPath: "/inject" + + injectionCABundle: "" + telemetry: + enabled: true + v2: + # For Null VM case now. + # This also enables metadata exchange. + enabled: true + # Indicate if prometheus stats filter is enabled or not + prometheus: + enabled: true + # stackdriver filter settings. + stackdriver: + enabled: false + # Revision is set as 'version' label and part of the resource names when installing multiple control planes. + revision: "" + + # Revision tags are aliases to Istio control plane revisions + revisionTags: [] + + # For Helm compatibility. + ownerName: "" + + # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior + # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options + meshConfig: + enablePrometheusMerge: true + + experimental: + stableValidationPolicy: false + + global: + # Used to locate istiod. + istioNamespace: istio-system + # List of cert-signers to allow "approve" action in the istio cluster role + # + # certSigners: + # - clusterissuers.cert-manager.io/istio-ca + certSigners: [] + # enable pod disruption budget for the control plane, which is used to + # ensure Istio control plane components are gradually upgraded or recovered. + defaultPodDisruptionBudget: + enabled: true + # The values aren't mutable due to a current PodDisruptionBudget limitation + # minAvailable: 1 + + # A minimal set of requested resources to applied to all deployments so that + # Horizontal Pod Autoscaler will be able to function (if set). + # Each component can overwrite these default values by adding its own resources + # block in the relevant section below and setting the desired resources values. + defaultResources: + requests: + cpu: 10m + # memory: 128Mi + # limits: + # cpu: 100m + # memory: 128Mi + + # Default hub for Istio images. + # Releases are published to docker hub under 'istio' project. + # Dev builds from prow are on gcr.io + hub: gcr.io/istio-release + # Default tag for Istio images. + tag: 1.26.8 + # Variant of the image to use. + # Currently supported are: [debug, distroless] + variant: "" + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent. + imagePullPolicy: "" + + # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) + # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + # - private-registry-key + + # Enabled by default in master for maximising testing. + istiod: + enableAnalysis: false + + # To output all istio components logs in json format by adding --log_as_json argument to each container argument + logAsJson: false + + # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: + # The control plane has different scopes depending on component, but can configure default log level across all components + # If empty, default scope and level will be used as configured in code + logging: + level: "default:info" + + # When enabled, default NetworkPolicy resources will be created + networkPolicy: + enabled: false + + omitSidecarInjectorConfigMap: false + + # Configure whether Operator manages webhook configurations. The current behavior + # of Istiod is to manage its own webhook configurations. + # When this option is set as true, Istio Operator, instead of webhooks, manages the + # webhook configurations. When this option is set as false, webhooks manage their + # own webhook configurations. + operatorManageWebhooks: false + + # Custom DNS config for the pod to resolve names of services in other + # clusters. Use this to add additional search domains, and other settings. + # see + # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config + # This does not apply to gateway pods as they typically need a different + # set of DNS settings than the normal application pods (e.g., in + # multicluster scenarios). + # NOTE: If using templates, follow the pattern in the commented example below. + #podDNSSearchNamespaces: + #- global + #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global" + + # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and + # system-node-critical, it is better to configure this in order to make sure your Istio pods + # will not be killed because of low priority class. + # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + # for more detail. + priorityClassName: "" + + proxy: + image: proxyv2 + + # This controls the 'policy' in the sidecar injector. + autoInject: enabled + + # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value + # cluster domain. Default value is "cluster.local". + clusterDomain: "cluster.local" + + # Per Component log level for proxy, applies to gateways and sidecars. If a component level is + # not set, then the global "logLevel" will be used. + componentLogLevel: "misc:error" + + # istio ingress capture allowlist + # examples: + # Redirect only selected ports: --includeInboundPorts="80,8080" + excludeInboundPorts: "" + includeInboundPorts: "*" + + # istio egress capture allowlist + # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly + # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" + # would only capture egress traffic on those two IP Ranges, all other outbound traffic would + # be allowed by the sidecar + includeIPRanges: "*" + excludeIPRanges: "" + includeOutboundPorts: "" + excludeOutboundPorts: "" + + # Log level for proxy, applies to gateways and sidecars. + # Expected values are: trace|debug|info|warning|error|critical|off + logLevel: warning + + # Specify the path to the outlier event log. + # Example: /dev/stdout + outlierLogPath: "" + + #If set to true, istio-proxy container will have privileged securityContext + privileged: false + + # The number of successive failed probes before indicating readiness failure. + readinessFailureThreshold: 4 + + # The initial delay for readiness probes in seconds. + readinessInitialDelaySeconds: 0 + + # The period between readiness probes. + readinessPeriodSeconds: 15 + + # Enables or disables a startup probe. + # For optimal startup times, changing this should be tied to the readiness probe values. + # + # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4. + # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval), + # and doesn't spam the readiness endpoint too much + # + # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30. + # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly. + startupProbe: + enabled: true + failureThreshold: 600 # 10 minutes + + # Resources for the sidecar. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 1024Mi + + # Default port for Pilot agent health checks. A value of 0 will disable health checking. + statusPort: 15020 + + # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none. + # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. + tracer: "none" + + proxy_init: + # Base name for the proxy_init container, used to configure iptables. + image: proxyv2 + # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures. + # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases. + forceApplyIptables: false + + # configure remote pilot and istiod service and endpoint + remotePilotAddress: "" + + ############################################################################################## + # The following values are found in other charts. To effectively modify these values, make # + # make sure they are consistent across your Istio helm charts # + ############################################################################################## + + # The customized CA address to retrieve certificates for the pods in the cluster. + # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. + # If not set explicitly, default to the Istio discovery address. + caAddress: "" + + # Enable control of remote clusters. + externalIstiod: false + + # Configure a remote cluster as the config cluster for an external istiod. + configCluster: false + + # configValidation enables the validation webhook for Istio configuration. + configValidation: true + + # Mesh ID means Mesh Identifier. It should be unique within the scope where + # meshes will interact with each other, but it is not required to be + # globally/universally unique. For example, if any of the following are true, + # then two meshes must have different Mesh IDs: + # - Meshes will have their telemetry aggregated in one place + # - Meshes will be federated together + # - Policy will be written referencing one mesh from the other + # + # If an administrator expects that any of these conditions may become true in + # the future, they should ensure their meshes have different Mesh IDs + # assigned. + # + # Within a multicluster mesh, each cluster must be (manually or auto) + # configured to have the same Mesh ID value. If an existing cluster 'joins' a + # multicluster mesh, it will need to be migrated to the new mesh ID. Details + # of migration TBD, and it may be a disruptive operation to change the Mesh + # ID post-install. + # + # If the mesh admin does not specify a value, Istio will use the value of the + # mesh's Trust Domain. The best practice is to select a proper Trust Domain + # value. + meshID: "" + + # Configure the mesh networks to be used by the Split Horizon EDS. + # + # The following example defines two networks with different endpoints association methods. + # For `network1` all endpoints that their IP belongs to the provided CIDR range will be + # mapped to network1. The gateway for this network example is specified by its public IP + # address and port. + # The second network, `network2`, in this example is defined differently with all endpoints + # retrieved through the specified Multi-Cluster registry being mapped to network2. The + # gateway is also defined differently with the name of the gateway service on the remote + # cluster. The public IP for the gateway will be determined from that remote service (only + # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, + # it still need to be configured manually). + # + # meshNetworks: + # network1: + # endpoints: + # - fromCidr: "192.168.0.1/24" + # gateways: + # - address: 1.1.1.1 + # port: 80 + # network2: + # endpoints: + # - fromRegistry: reg1 + # gateways: + # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local + # port: 443 + # + meshNetworks: {} + + # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. + mountMtlsCerts: false + + multiCluster: + # Set to true to connect two kubernetes clusters via their respective + # ingressgateway services when pods in each cluster cannot directly + # talk to one another. All clusters should be using Istio mTLS and must + # have a shared root CA for this model to work. + enabled: false + # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection + # to properly label proxies + clusterName: "" + + # Network defines the network this cluster belong to. This name + # corresponds to the networks in the map of mesh networks. + network: "" + + # Configure the certificate provider for control plane communication. + # Currently, two providers are supported: "kubernetes" and "istiod". + # As some platforms may not have kubernetes signing APIs, + # Istiod is the default + pilotCertProvider: istiod + + sds: + # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. + # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the + # JWT is intended for the CA. + token: + aud: istio-ca + + sts: + # The service port used by Security Token Service (STS) server to handle token exchange requests. + # Setting this port to a non-zero value enables STS server. + servicePort: 0 + + # The name of the CA for workload certificates. + # For example, when caName=GkeWorkloadCertificate, GKE workload certificates + # will be used as the certificates for workloads. + # The default value is "" and when caName="", the CA will be configured by other + # mechanisms (e.g., environmental variable CA_PROVIDER). + caName: "" + + waypoint: + # Resources for the waypoint proxy. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: "2" + memory: 1Gi + + # If specified, affinity defines the scheduling constraints of waypoint pods. + affinity: {} + + # Topology Spread Constraints for the waypoint proxy. + topologySpreadConstraints: [] + + # Node labels for the waypoint proxy. + nodeSelector: {} + + # Tolerations for the waypoint proxy. + tolerations: [] + + base: + # For istioctl usage to disable istio config crds in base + enableIstioConfigCRDs: true + + # Gateway Settings + gateways: + # Define the security context for the pod. + # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. + # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. + securityContext: {} + + # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it + seccompProfile: {} + + # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass. + # For example: + # gatewayClasses: + # istio: + # service: + # spec: + # type: ClusterIP + # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field. + gatewayClasses: {} + + pdb: + # -- Minimum available pods set in PodDisruptionBudget. + # Define either 'minAvailable' or 'maxUnavailable', never both. + minAvailable: 1 + # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored. + # maxUnavailable: 1 + # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget. + # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/ + unhealthyPodEvictionPolicy: "" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/Chart.yaml new file mode 100644 index 0000000000..8444a1f3ce --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +appVersion: 1.26.8 +description: Helm chart for istio ztunnel components +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio-ztunnel +- istio +name: ztunnel +sources: +- https://github.com/istio/istio +version: 1.26.8 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/README.md new file mode 100644 index 0000000000..ffe0b94fe8 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/README.md @@ -0,0 +1,50 @@ +# Istio Ztunnel Helm Chart + +This chart installs an Istio ztunnel. + +## Setup Repo Info + +```console +helm repo add istio https://istio-release.storage.googleapis.com/charts +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Installing the Chart + +To install the chart: + +```console +helm install ztunnel istio/ztunnel +``` + +## Uninstalling the Chart + +To uninstall/delete the chart: + +```console +helm delete ztunnel +``` + +## Configuration + +To view support configuration options and documentation, run: + +```console +helm show values istio/ztunnel +``` + +### Profiles + +Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. +These can be set with `--set profile=`. +For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. + +For consistency, the same profiles are used across each chart, even if they do not impact a given chart. + +Explicitly set values have highest priority, then profile settings, then chart defaults. + +As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. +When configuring the chart, you should not include this. +That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/files/profile-ambient.yaml new file mode 100644 index 0000000000..2805fe46bf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/files/profile-ambient.yaml @@ -0,0 +1,17 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/files/profile-compatibility-version-1.23.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/files/profile-compatibility-version-1.23.yaml new file mode 100644 index 0000000000..dac910ff5b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/files/profile-compatibility-version-1.23.yaml @@ -0,0 +1,25 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + ENABLE_INBOUND_RETRY_POLICY: "false" + EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRY: "false" + PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICES: "false" + ENABLE_ENHANCED_DESTINATIONRULE_MERGE: "false" + PILOT_UNIFIED_SIDECAR_SCOPE: "false" + +meshConfig: + defaultConfig: + proxyMetadata: + # 1.24 behaviour changes + ENABLE_DEFERRED_STATS_CREATION: "false" + BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS: "false" + +ambient: + # Not present in <1.24, defaults to `true` in 1.25+ + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 0000000000..b211c82666 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/files/profile-compatibility-version-1.24.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + PILOT_ENABLE_IP_AUTOALLOCATE: "false" +ambient: + dnsCapture: false + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..eb8827cd50 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/files/profile-demo.yaml new file mode 100644 index 0000000000..d6dc36dd0f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/files/profile-demo.yaml @@ -0,0 +1,94 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The demo profile enables a variety of things to try out Istio in non-production environments. +# * Lower resource utilization. +# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. +# * More ports enabled on the ingress, which is used in some tasks. +meshConfig: + accessLogFile: /dev/stdout + extensionProviders: + - name: otel + envoyOtelAls: + service: opentelemetry-collector.observability.svc.cluster.local + port: 4317 + - name: skywalking + skywalking: + service: tracing.istio-system.svc.cluster.local + port: 11800 + - name: otel-tracing + opentelemetry: + port: 4317 + service: opentelemetry-collector.observability.svc.cluster.local + - name: jaeger + opentelemetry: + port: 4317 + service: jaeger-collector.istio-system.svc.cluster.local + +cni: + resources: + requests: + cpu: 10m + memory: 40Mi + +ztunnel: + resources: + requests: + cpu: 10m + memory: 40Mi + +global: + proxy: + resources: + requests: + cpu: 10m + memory: 40Mi + waypoint: + resources: + requests: + cpu: 10m + memory: 40Mi + +pilot: + autoscaleEnabled: false + traceSampling: 100 + resources: + requests: + cpu: 10m + memory: 100Mi + +gateways: + istio-egressgateway: + autoscaleEnabled: false + resources: + requests: + cpu: 10m + memory: 40Mi + istio-ingressgateway: + autoscaleEnabled: false + ports: + ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. + # Note that AWS ELB will by default perform health checks on the first port + # on this list. Setting this to the health check port will ensure that health + # checks always work. https://github.com/istio/istio/issues/12503 + - port: 15021 + targetPort: 15021 + name: status-port + - port: 80 + targetPort: 8080 + name: http2 + - port: 443 + targetPort: 8443 + name: https + - port: 31400 + targetPort: 31400 + name: tcp + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + resources: + requests: + cpu: 10m + memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/files/profile-platform-gke.yaml new file mode 100644 index 0000000000..dfe8a7d741 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/files/profile-platform-gke.yaml @@ -0,0 +1,10 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work + resourceQuotas: + enabled: true +resourceQuotas: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/files/profile-platform-k3d.yaml new file mode 100644 index 0000000000..cd86d9ec58 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/files/profile-platform-k3d.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/files/profile-platform-k3s.yaml new file mode 100644 index 0000000000..07820106d9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/files/profile-platform-k3s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/files/profile-platform-microk8s.yaml new file mode 100644 index 0000000000..57d7f5e3cd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/files/profile-platform-microk8s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/snap/microk8s/current/args/cni-network + cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/files/profile-platform-minikube.yaml new file mode 100644 index 0000000000..fa9992e204 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/files/profile-platform-minikube.yaml @@ -0,0 +1,6 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/files/profile-platform-openshift.yaml new file mode 100644 index 0000000000..8ddc5e1654 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/files/profile-platform-openshift.yaml @@ -0,0 +1,19 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The OpenShift profile provides a basic set of settings to run Istio on OpenShift +cni: + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + provider: "multus" +pilot: + cni: + enabled: true + provider: "multus" +seLinuxOptions: + type: spc_t +# Openshift requires privileged pods to run in kube-system +trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/files/profile-preview.yaml new file mode 100644 index 0000000000..181d7bda2c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/files/profile-preview.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +meshConfig: + defaultConfig: + proxyMetadata: + # Enable Istio agent to handle DNS requests for known hosts + # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf + ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/files/profile-remote.yaml new file mode 100644 index 0000000000..d17b9a801a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/files/profile-remote.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. +istiodRemote: + enabled: true +configMap: false +telemetry: + enabled: false +global: + # TODO BML maybe a different profile for a configcluster/revisit this + omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/files/profile-stable.yaml new file mode 100644 index 0000000000..358282e69b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/files/profile-stable.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The stable profile deploys admission control to ensure that only stable resources and fields are used +# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE +experimental: + stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/templates/NOTES.txt new file mode 100644 index 0000000000..244f59db06 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/templates/NOTES.txt @@ -0,0 +1,5 @@ +ztunnel successfully installed! + +To learn more about the release, try: + $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} + $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/templates/_helpers.tpl new file mode 100644 index 0000000000..46a7a0b79d --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/templates/_helpers.tpl @@ -0,0 +1 @@ +{{ define "ztunnel.release-name" }}{{ .Values.resourceName| default "ztunnel" }}{{ end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/templates/daemonset.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/templates/daemonset.yaml new file mode 100644 index 0000000000..0822394d76 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/templates/daemonset.yaml @@ -0,0 +1,205 @@ +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ include "ztunnel.release-name" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: ztunnel + {{- include "istio.labels" . | nindent 4}} + {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }} + annotations: +{{- if .Values.revision }} + {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }} + {{- toYaml $annos | nindent 4}} +{{- else }} + {{- .Values.annotations | toYaml | nindent 4 }} +{{- end }} +spec: + {{- with .Values.updateStrategy }} + updateStrategy: + {{- toYaml . | nindent 4 }} + {{- end }} + selector: + matchLabels: + app: ztunnel + template: + metadata: + labels: + sidecar.istio.io/inject: "false" + istio.io/dataplane-mode: none + app: ztunnel + app.kubernetes.io/name: ztunnel + {{- include "istio.labels" . | nindent 8}} +{{ with .Values.podLabels -}}{{ toYaml . | indent 8 }}{{ end }} + annotations: + sidecar.istio.io/inject: "false" +{{- if .Values.revision }} + istio.io/rev: {{ .Values.revision }} +{{- end }} +{{ with .Values.podAnnotations -}}{{ toYaml . | indent 8 }}{{ end }} + spec: + nodeSelector: + kubernetes.io/os: linux +{{- if .Values.nodeSelector }} +{{ toYaml .Values.nodeSelector | indent 8 }} +{{- end }} +{{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | trim | indent 8 }} +{{- end }} + serviceAccountName: {{ include "ztunnel.release-name" . }} + tolerations: + - effect: NoSchedule + operator: Exists + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists + containers: + - name: istio-proxy +{{- if contains "/" .Values.image }} + image: "{{ .Values.image }}" +{{- else }} + image: "{{ .Values.hub }}/{{ .Values.image | default "ztunnel" }}:{{ .Values.tag }}{{with (.Values.variant )}}-{{.}}{{end}}" +{{- end }} + ports: + - containerPort: 15020 + name: ztunnel-stats + protocol: TCP + resources: +{{- if .Values.resources }} +{{ toYaml .Values.resources | trim | indent 10 }} +{{- end }} +{{- with .Values.imagePullPolicy }} + imagePullPolicy: {{ . }} +{{- end }} + securityContext: + # K8S docs are clear that CAP_SYS_ADMIN *or* privileged: true + # both force this to `true`: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + # But there is a K8S validation bug that doesn't propery catch this: https://github.com/kubernetes/kubernetes/issues/119568 + allowPrivilegeEscalation: true + privileged: false + capabilities: + drop: + - ALL + add: # See https://man7.org/linux/man-pages/man7/capabilities.7.html + - NET_ADMIN # Required for TPROXY and setsockopt + - SYS_ADMIN # Required for `setns` - doing things in other netns + - NET_RAW # Required for RAW/PACKET sockets, TPROXY + readOnlyRootFilesystem: true + runAsGroup: 1337 + runAsNonRoot: false + runAsUser: 0 +{{- if .Values.seLinuxOptions }} + seLinuxOptions: +{{ toYaml .Values.seLinuxOptions | trim | indent 12 }} +{{- end }} + readinessProbe: + httpGet: + port: 15021 + path: /healthz/ready + args: + - proxy + - ztunnel + env: + - name: CA_ADDRESS + {{- if .Values.caAddress }} + value: {{ .Values.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012 + {{- end }} + - name: XDS_ADDRESS + {{- if .Values.xdsAddress }} + value: {{ .Values.xdsAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012 + {{- end }} + {{- if .Values.logAsJson }} + - name: LOG_FORMAT + value: json + {{- end}} + - name: RUST_LOG + value: {{ .Values.logLevel | quote }} + - name: RUST_BACKTRACE + value: "1" + - name: ISTIO_META_CLUSTER_ID + value: {{ .Values.multiCluster.clusterName | default "Kubernetes" }} + - name: INPOD_ENABLED + value: "true" + - name: TERMINATION_GRACE_PERIOD_SECONDS + value: "{{ .Values.terminationGracePeriodSeconds }}" + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + {{- if .Values.meshConfig.defaultConfig.proxyMetadata }} + {{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata}} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + {{- with .Values.env }} + {{- range $key, $val := . }} + - name: {{ $key }} + value: "{{ $val }}" + {{- end }} + {{- end }} + volumeMounts: + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + - mountPath: /var/run/secrets/tokens + name: istio-token + - mountPath: /var/run/ztunnel + name: cni-ztunnel-sock-dir + - mountPath: /tmp + name: tmp + {{- with .Values.volumeMounts }} + {{- toYaml . | nindent 8 }} + {{- end }} + priorityClassName: system-node-critical + terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} + volumes: + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: istio-ca + - name: istiod-ca-cert + {{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:root-cert + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + - name: cni-ztunnel-sock-dir + hostPath: + path: /var/run/ztunnel + type: DirectoryOrCreate # ideally this would be a socket, but istio-cni may not have started yet. + # pprof needs a writable /tmp, and we don't have that thanks to `readOnlyRootFilesystem: true`, so mount one + - name: tmp + emptyDir: {} + {{- with .Values.volumes }} + {{- toYaml . | nindent 6}} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/templates/rbac.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/templates/rbac.yaml new file mode 100644 index 0000000000..0a8138c9a3 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/templates/rbac.yaml @@ -0,0 +1,72 @@ +apiVersion: v1 +kind: ServiceAccount + {{- with .Values.imagePullSecrets }} +imagePullSecrets: + {{- range . }} + - name: {{ . }} + {{- end }} + {{- end }} +metadata: + name: {{ include "ztunnel.release-name" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: ztunnel + {{- include "istio.labels" . | nindent 4}} + {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }} + annotations: +{{- if .Values.revision }} + {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }} + {{- toYaml $annos | nindent 4}} +{{- else }} + {{- .Values.annotations | toYaml | nindent 4 }} +{{- end }} +--- +{{- if (eq (.Values.platform | default "") "openshift") }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "ztunnel.release-name" . }} + labels: + app: ztunnel + release: {{ include "ztunnel.release-name" . }} + app.kubernetes.io/name: ztunnel + {{- include "istio.labels" . | nindent 4}} + annotations: +{{- if .Values.revision }} + {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }} + {{- toYaml $annos | nindent 4}} +{{- else }} + {{- .Values.annotations | toYaml | nindent 4 }} +{{- end }} +rules: +- apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: ["privileged"] + verbs: ["use"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "ztunnel.release-name" . }} + labels: + app: ztunnel + release: {{ include "ztunnel.release-name" . }} + app.kubernetes.io/name: ztunnel + {{- include "istio.labels" . | nindent 4}} + annotations: +{{- if .Values.revision }} + {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }} + {{- toYaml $annos | nindent 4}} +{{- else }} + {{- .Values.annotations | toYaml | nindent 4 }} +{{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "ztunnel.release-name" . }} +subjects: +- kind: ServiceAccount + name: {{ include "ztunnel.release-name" . }} + namespace: {{ .Release.Namespace }} +{{- end }} +--- diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/templates/resourcequota.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/templates/resourcequota.yaml new file mode 100644 index 0000000000..a1c0e5496d --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/templates/resourcequota.yaml @@ -0,0 +1,20 @@ +{{- if .Values.resourceQuotas.enabled }} +apiVersion: v1 +kind: ResourceQuota +metadata: + name: {{ include "ztunnel.release-name" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: ztunnel + {{- include "istio.labels" . | nindent 4}} + {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }} +spec: + hard: + pods: {{ .Values.resourceQuotas.pods | quote }} + scopeSelector: + matchExpressions: + - operator: In + scopeName: PriorityClass + values: + - system-node-critical +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/templates/zzz_profile.yaml new file mode 100644 index 0000000000..606c556697 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/templates/zzz_profile.yaml @@ -0,0 +1,75 @@ +{{/* +WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. +The original version of this file is located at /manifests directory. +If you want to make a change in this file, edit the original one and run "make gen". + +Complex logic ahead... +We have three sets of values, in order of precedence (last wins): +1. The builtin values.yaml defaults +2. The profile the user selects +3. Users input (-f or --set) + +Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). + +However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). +We can then merge the profile onto the defaults, then the user settings onto that. +Finally, we can set all of that under .Values so the chart behaves without awareness. +*/}} +{{- if $.Values.defaults}} +{{ fail (cat + "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" + ($.Values.defaults | toYaml |nindent 4) +) }} +{{- end }} +{{- $defaults := $.Values._internal_defaults_do_not_set }} +{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} +{{- $profile := dict }} +{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} +{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} +{{- $profile = (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown profile" .) }} +{{- end }} +{{- end }} +{{- with .Values.compatibilityVersion }} +{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} +{{- end }} +{{- end }} +{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} +{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown platform" .) }} +{{- end }} +{{- end }} +{{- if $profile }} +{{- $a := mustMergeOverwrite $defaults $profile }} +{{- end }} +# Flatten globals, if defined on a per-chart basis +{{- if true }} +{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} +{{- end }} +{{- $x := set $.Values "_original" (deepCopy $.Values) }} +{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} + +{{/* +Labels that should be applied to ALL resources. +*/}} +{{- define "istio.labels" -}} +{{- if .Release.Service -}} +app.kubernetes.io/managed-by: {{ .Release.Service | quote }} +{{- end }} +{{- if .Release.Name }} +app.kubernetes.io/instance: {{ .Release.Name | quote }} +{{- end }} +app.kubernetes.io/part-of: "istio" +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +{{- if and .Chart.Name .Chart.Version }} +helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/values.yaml new file mode 100644 index 0000000000..b7d48221b5 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/charts/ztunnel/values.yaml @@ -0,0 +1,114 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + # Hub to pull from. Image will be `Hub/Image:Tag-Variant` + hub: gcr.io/istio-release + # Tag to pull from. Image will be `Hub/Image:Tag-Variant` + tag: 1.26.8 + # Variant to pull. Options are "debug" or "distroless". Unset will use the default for the given version. + variant: "" + + # Image name to pull from. Image will be `Hub/Image:Tag-Variant` + # If Image contains a "/", it will replace the entire `image` in the pod. + image: ztunnel + + # resourceName, if set, will override the naming of resources. If not set, will default to 'ztunnel'. + # If you set this, you MUST also set `trustedZtunnelName` in the `istiod` chart. + resourceName: "" + + # Labels to apply to all top level resources + labels: {} + # Annotations to apply to all top level resources + annotations: {} + + # Additional volumeMounts to the ztunnel container + volumeMounts: [] + + # Additional volumes to the ztunnel pod + volumes: [] + + # Annotations added to each pod. The default annotations are required for scraping prometheus (in most environments). + podAnnotations: + prometheus.io/port: "15020" + prometheus.io/scrape: "true" + + # Additional labels to apply on the pod level + podLabels: {} + + # Pod resource configuration + resources: + requests: + cpu: 200m + # Ztunnel memory scales with the size of the cluster and traffic load + # While there are many factors, this is enough for ~200k pod cluster or 100k concurrently open connections. + memory: 512Mi + + resourceQuotas: + enabled: false + pods: 5000 + + # List of secret names to add to the service account as image pull secrets + imagePullSecrets: [] + + # A `key: value` mapping of environment variables to add to the pod + env: {} + + # Override for the pod imagePullPolicy + imagePullPolicy: "" + + # Settings for multicluster + multiCluster: + # The name of the cluster we are installing in. Note this is a user-defined name, which must be consistent + # with Istiod configuration. + clusterName: "" + + # meshConfig defines runtime configuration of components. + # For ztunnel, only defaultConfig is used, but this is nested under `meshConfig` for consistency with other + # components. + # TODO: https://github.com/istio/istio/issues/43248 + meshConfig: + defaultConfig: + proxyMetadata: {} + + # This value defines: + # 1. how many seconds kube waits for ztunnel pod to gracefully exit before forcibly terminating it (this value) + # 2. how many seconds ztunnel waits to drain its own connections (this value - 1 sec) + # Default K8S value is 30 seconds + terminationGracePeriodSeconds: 30 + + # Revision is set as 'version' label and part of the resource names when installing multiple control planes. + # Used to locate the XDS and CA, if caAddress or xdsAddress are not set explicitly. + revision: "" + + # The customized CA address to retrieve certificates for the pods in the cluster. + # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. + caAddress: "" + + # The customized XDS address to retrieve configuration. + # This should include the port - 15012 for Istiod. TLS will be used with the certificates in "istiod-ca-cert" secret. + # By default, it is istiod.istio-system.svc:15012 if revision is not set, or istiod-..svc:15012 + xdsAddress: "" + + # Used to locate the XDS and CA, if caAddress or xdsAddress are not set. + istioNamespace: istio-system + + # Configuration log level of ztunnel binary, default is info. + # Valid values are: trace, debug, info, warn, error + logLevel: info + + # To output all logs in json format + logAsJson: false + + # Set to `type: RuntimeDefault` to use the default profile if available. + seLinuxOptions: {} + # TODO Ambient inpod - for OpenShift, set to the following to get writable sockets in hostmounts to work, eventually consider CSI driver instead + #seLinuxOptions: + # type: spc_t + + # K8s DaemonSet update strategy. + # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec). + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/cni-1.26.8.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/cni-1.26.8.tgz.etag new file mode 100644 index 0000000000..bb9e38f7e6 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/cni-1.26.8.tgz.etag @@ -0,0 +1 @@ +8d0a2679d64e69377835630fc33625eacc303312abd720943fff890e8e4a7af4 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/commit b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/commit new file mode 100644 index 0000000000..25691b4f1d --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/commit @@ -0,0 +1 @@ +1.26.8 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/gateway-1.26.8.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/gateway-1.26.8.tgz.etag new file mode 100644 index 0000000000..434951920c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/gateway-1.26.8.tgz.etag @@ -0,0 +1 @@ +b74d9ab60d50d8b65c881b68bad16107773bfaec7ea554c35decd3808f0ebf59 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/istiod-1.26.8.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/istiod-1.26.8.tgz.etag new file mode 100644 index 0000000000..4f24c8b517 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/istiod-1.26.8.tgz.etag @@ -0,0 +1 @@ +fb8c24fe87200d4eac26e3f957044f6cc0d9c3a2279db6b6b1b293853d9d968a diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/profiles/ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/profiles/ambient.yaml new file mode 100644 index 0000000000..71ea784a80 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/profiles/ambient.yaml @@ -0,0 +1,5 @@ +apiVersion: sailoperator.io/v1 +kind: Istio +spec: + values: + profile: ambient diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/profiles/default.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/profiles/default.yaml new file mode 100644 index 0000000000..8f1ef19676 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/profiles/default.yaml @@ -0,0 +1,12 @@ +apiVersion: sailoperator.io/v1 +kind: Istio +spec: + # Most default values come from the helm chart's values.yaml + # Below are the things that differ + values: + defaultRevision: "" + global: + istioNamespace: istio-system + configValidation: true + ztunnel: + resourceName: ztunnel diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/profiles/demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/profiles/demo.yaml new file mode 100644 index 0000000000..53c4b41633 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/profiles/demo.yaml @@ -0,0 +1,5 @@ +apiVersion: sailoperator.io/v1 +kind: Istio +spec: + values: + profile: demo diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/profiles/empty.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/profiles/empty.yaml new file mode 100644 index 0000000000..4477cb1fe1 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/profiles/empty.yaml @@ -0,0 +1,5 @@ +# The empty profile has everything disabled +# This is useful as a base for custom user configuration +apiVersion: sailoperator.io/v1 +kind: Istio +spec: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/profiles/openshift-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/profiles/openshift-ambient.yaml new file mode 100644 index 0000000000..76edf00cd8 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/profiles/openshift-ambient.yaml @@ -0,0 +1,7 @@ +apiVersion: sailoperator.io/v1 +kind: Istio +spec: + values: + profile: ambient + global: + platform: openshift diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/profiles/openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/profiles/openshift.yaml new file mode 100644 index 0000000000..41492660fe --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/profiles/openshift.yaml @@ -0,0 +1,6 @@ +apiVersion: sailoperator.io/v1 +kind: Istio +spec: + values: + global: + platform: openshift diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/profiles/preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/profiles/preview.yaml new file mode 100644 index 0000000000..59d545c840 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/profiles/preview.yaml @@ -0,0 +1,8 @@ +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +apiVersion: sailoperator.io/v1 +kind: Istio +spec: + values: + profile: preview diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/profiles/remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/profiles/remote.yaml new file mode 100644 index 0000000000..54c65c8ba9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/profiles/remote.yaml @@ -0,0 +1,7 @@ +# The remote profile is used to configure a mesh cluster without a locally deployed control plane. +# Only the injector mutating webhook configuration is installed. +apiVersion: sailoperator.io/v1 +kind: Istio +spec: + values: + profile: remote diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/profiles/stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/profiles/stable.yaml new file mode 100644 index 0000000000..285feba244 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/profiles/stable.yaml @@ -0,0 +1,5 @@ +apiVersion: sailoperator.io/v1 +kind: Istio +spec: + values: + profile: stable diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/ztunnel-1.26.8.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/ztunnel-1.26.8.tgz.etag new file mode 100644 index 0000000000..ffd17d6f23 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.26.8/ztunnel-1.26.8.tgz.etag @@ -0,0 +1 @@ +5461f28e418f9506bd4392a8179cd3201493f4b9d443efa73eebf8b84d3fcf0d diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/base-1.27.3.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/base-1.27.3.tgz.etag new file mode 100644 index 0000000000..166c945b12 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/base-1.27.3.tgz.etag @@ -0,0 +1 @@ +d8ddfa21d5aa39a6066ef565f30bcd4d92c29c50cc14fcd29db41e69e45ef1fd diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/Chart.yaml new file mode 100644 index 0000000000..c5daa7c074 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/Chart.yaml @@ -0,0 +1,10 @@ +apiVersion: v2 +appVersion: 1.27.3 +description: Helm chart for deploying Istio cluster resources and CRDs +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio +name: base +sources: +- https://github.com/istio/istio +version: 1.27.3 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/README.md new file mode 100644 index 0000000000..ae8f6d5b0e --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/README.md @@ -0,0 +1,35 @@ +# Istio base Helm Chart + +This chart installs resources shared by all Istio revisions. This includes Istio CRDs. + +## Setup Repo Info + +```console +helm repo add istio https://istio-release.storage.googleapis.com/charts +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Installing the Chart + +To install the chart with the release name `istio-base`: + +```console +kubectl create namespace istio-system +helm install istio-base istio/base -n istio-system +``` + +### Profiles + +Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. +These can be set with `--set profile=`. +For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. + +For consistency, the same profiles are used across each chart, even if they do not impact a given chart. + +Explicitly set values have highest priority, then profile settings, then chart defaults. + +As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. +When configuring the chart, you should not include this. +That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-ambient.yaml new file mode 100644 index 0000000000..495fbcd434 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-ambient.yaml @@ -0,0 +1,24 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" + serviceScopeConfigs: + - servicesSelector: + matchExpressions: + - key: istio.io/global + operator: In + values: ["true"] + scope: GLOBAL +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 0000000000..4f3dbef7ea --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-compatibility-version-1.24.yaml @@ -0,0 +1,15 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + PILOT_ENABLE_IP_AUTOALLOCATE: "false" + # 1.27 behavioral changes + ENABLE_NATIVE_SIDECARS: "false" +ambient: + dnsCapture: false + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..b2f45948c2 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,11 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.27 behavioral changes + ENABLE_NATIVE_SIDECARS: "false" +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-compatibility-version-1.26.yaml new file mode 100644 index 0000000000..af10697326 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-compatibility-version-1.26.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.27 behavioral changes + ENABLE_NATIVE_SIDECARS: "false" \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-demo.yaml new file mode 100644 index 0000000000..d6dc36dd0f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-demo.yaml @@ -0,0 +1,94 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The demo profile enables a variety of things to try out Istio in non-production environments. +# * Lower resource utilization. +# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. +# * More ports enabled on the ingress, which is used in some tasks. +meshConfig: + accessLogFile: /dev/stdout + extensionProviders: + - name: otel + envoyOtelAls: + service: opentelemetry-collector.observability.svc.cluster.local + port: 4317 + - name: skywalking + skywalking: + service: tracing.istio-system.svc.cluster.local + port: 11800 + - name: otel-tracing + opentelemetry: + port: 4317 + service: opentelemetry-collector.observability.svc.cluster.local + - name: jaeger + opentelemetry: + port: 4317 + service: jaeger-collector.istio-system.svc.cluster.local + +cni: + resources: + requests: + cpu: 10m + memory: 40Mi + +ztunnel: + resources: + requests: + cpu: 10m + memory: 40Mi + +global: + proxy: + resources: + requests: + cpu: 10m + memory: 40Mi + waypoint: + resources: + requests: + cpu: 10m + memory: 40Mi + +pilot: + autoscaleEnabled: false + traceSampling: 100 + resources: + requests: + cpu: 10m + memory: 100Mi + +gateways: + istio-egressgateway: + autoscaleEnabled: false + resources: + requests: + cpu: 10m + memory: 40Mi + istio-ingressgateway: + autoscaleEnabled: false + ports: + ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. + # Note that AWS ELB will by default perform health checks on the first port + # on this list. Setting this to the health check port will ensure that health + # checks always work. https://github.com/istio/istio/issues/12503 + - port: 15021 + targetPort: 15021 + name: status-port + - port: 80 + targetPort: 8080 + name: http2 + - port: 443 + targetPort: 8443 + name: https + - port: 31400 + targetPort: 31400 + name: tcp + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + resources: + requests: + cpu: 10m + memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-platform-gke.yaml new file mode 100644 index 0000000000..dfe8a7d741 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-platform-gke.yaml @@ -0,0 +1,10 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work + resourceQuotas: + enabled: true +resourceQuotas: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-platform-k3d.yaml new file mode 100644 index 0000000000..cd86d9ec58 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-platform-k3d.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-platform-k3s.yaml new file mode 100644 index 0000000000..07820106d9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-platform-k3s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-platform-microk8s.yaml new file mode 100644 index 0000000000..57d7f5e3cd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-platform-microk8s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/snap/microk8s/current/args/cni-network + cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-platform-minikube.yaml new file mode 100644 index 0000000000..fa9992e204 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-platform-minikube.yaml @@ -0,0 +1,6 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-platform-openshift.yaml new file mode 100644 index 0000000000..8ddc5e1654 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-platform-openshift.yaml @@ -0,0 +1,19 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The OpenShift profile provides a basic set of settings to run Istio on OpenShift +cni: + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + provider: "multus" +pilot: + cni: + enabled: true + provider: "multus" +seLinuxOptions: + type: spc_t +# Openshift requires privileged pods to run in kube-system +trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-preview.yaml new file mode 100644 index 0000000000..181d7bda2c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-preview.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +meshConfig: + defaultConfig: + proxyMetadata: + # Enable Istio agent to handle DNS requests for known hosts + # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf + ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-remote.yaml new file mode 100644 index 0000000000..d17b9a801a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-remote.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. +istiodRemote: + enabled: true +configMap: false +telemetry: + enabled: false +global: + # TODO BML maybe a different profile for a configcluster/revisit this + omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-stable.yaml new file mode 100644 index 0000000000..358282e69b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/files/profile-stable.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The stable profile deploys admission control to ensure that only stable resources and fields are used +# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE +experimental: + stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/templates/NOTES.txt new file mode 100644 index 0000000000..f12616f578 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/templates/NOTES.txt @@ -0,0 +1,5 @@ +Istio base successfully installed! + +To learn more about the release, try: + $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} + $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml new file mode 100644 index 0000000000..2616b09c9a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml @@ -0,0 +1,53 @@ +{{- if and .Values.experimental.stableValidationPolicy (not (eq .Values.defaultRevision "")) }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicy +metadata: + name: "stable-channel-default-policy.istio.io" + labels: + release: {{ .Release.Name }} + istio: istiod + istio.io/rev: {{ .Values.defaultRevision }} + app.kubernetes.io/name: "istiod" + {{ include "istio.labels" . | nindent 4 }} +spec: + failurePolicy: Fail + matchConstraints: + resourceRules: + - apiGroups: + - security.istio.io + - networking.istio.io + - telemetry.istio.io + - extensions.istio.io + apiVersions: ["*"] + operations: ["CREATE", "UPDATE"] + resources: ["*"] + variables: + - name: isEnvoyFilter + expression: "object.kind == 'EnvoyFilter'" + - name: isWasmPlugin + expression: "object.kind == 'WasmPlugin'" + - name: isProxyConfig + expression: "object.kind == 'ProxyConfig'" + - name: isTelemetry + expression: "object.kind == 'Telemetry'" + validations: + - expression: "!variables.isEnvoyFilter" + - expression: "!variables.isWasmPlugin" + - expression: "!variables.isProxyConfig" + - expression: | + !( + variables.isTelemetry && ( + (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) || + (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) || + (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter)) + ) + ) +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicyBinding +metadata: + name: "stable-channel-default-policy-binding.istio.io" +spec: + policyName: "stable-channel-default-policy.istio.io" + validationActions: [Deny] +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml new file mode 100644 index 0000000000..8cb76fd773 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml @@ -0,0 +1,56 @@ +{{- if not (eq .Values.defaultRevision "") }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: istiod-default-validator + labels: + app: istiod + release: {{ .Release.Name }} + istio: istiod + istio.io/rev: {{ .Values.defaultRevision | quote }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +webhooks: + - name: validation.istio.io + clientConfig: + {{- if .Values.base.validationURL }} + url: {{ .Values.base.validationURL }} + {{- else }} + service: + {{- if (eq .Values.defaultRevision "default") }} + name: istiod + {{- else }} + name: istiod-{{ .Values.defaultRevision }} + {{- end }} + namespace: {{ .Values.global.istioNamespace }} + path: "/validate" + {{- end }} + {{- if .Values.base.validationCABundle }} + caBundle: "{{ .Values.base.validationCABundle }}" + {{- end }} + rules: + - operations: + - CREATE + - UPDATE + apiGroups: + - security.istio.io + - networking.istio.io + - telemetry.istio.io + - extensions.istio.io + apiVersions: + - "*" + resources: + - "*" + + {{- if .Values.base.validationCABundle }} + # Disable webhook controller in Pilot to stop patching it + failurePolicy: Fail + {{- else }} + # Fail open until the validation webhook is ready. The webhook controller + # will update this to `Fail` and patch in the `caBundle` when the webhook + # endpoint is ready. + failurePolicy: Ignore + {{- end }} + sideEffects: None + admissionReviewVersions: ["v1"] +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/templates/reader-serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/templates/reader-serviceaccount.yaml new file mode 100644 index 0000000000..ba829a6bfe --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/templates/reader-serviceaccount.yaml @@ -0,0 +1,20 @@ +# This singleton service account aggregates reader permissions for the revisions in a given cluster +# ATM this is a singleton per cluster with Istio installed, and is not revisioned. It maybe should be, +# as otherwise compromising the token for this SA would give you access to *every* installed revision. +# Should be used for remote secret creation. +apiVersion: v1 +kind: ServiceAccount + {{- if .Values.global.imagePullSecrets }} +imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +metadata: + name: istio-reader-service-account + namespace: {{ .Values.global.istioNamespace }} + labels: + app: istio-reader + release: {{ .Release.Name }} + app.kubernetes.io/name: "istio-reader" + {{- include "istio.labels" . | nindent 4 }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/templates/zzz_profile.yaml new file mode 100644 index 0000000000..3d84956485 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/templates/zzz_profile.yaml @@ -0,0 +1,75 @@ +{{/* +WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. +The original version of this file is located at /manifests directory. +If you want to make a change in this file, edit the original one and run "make gen". + +Complex logic ahead... +We have three sets of values, in order of precedence (last wins): +1. The builtin values.yaml defaults +2. The profile the user selects +3. Users input (-f or --set) + +Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). + +However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). +We can then merge the profile onto the defaults, then the user settings onto that. +Finally, we can set all of that under .Values so the chart behaves without awareness. +*/}} +{{- if $.Values.defaults}} +{{ fail (cat + "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" + ($.Values.defaults | toYaml |nindent 4) +) }} +{{- end }} +{{- $defaults := $.Values._internal_defaults_do_not_set }} +{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} +{{- $profile := dict }} +{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} +{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} +{{- $profile = (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown profile" .) }} +{{- end }} +{{- end }} +{{- with .Values.compatibilityVersion }} +{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} +{{- end }} +{{- end }} +{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} +{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown platform" .) }} +{{- end }} +{{- end }} +{{- if $profile }} +{{- $a := mustMergeOverwrite $defaults $profile }} +{{- end }} +# Flatten globals, if defined on a per-chart basis +{{- if false }} +{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} +{{- end }} +{{- $x := set $.Values "_original" (deepCopy $.Values) }} +{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} + +{{/* +Labels that should be applied to ALL resources. +*/}} +{{- define "istio.labels" -}} +{{- if .Release.Service -}} +app.kubernetes.io/managed-by: {{ .Release.Service | quote }} +{{- end }} +{{- if .Release.Name }} +app.kubernetes.io/instance: {{ .Release.Name | quote }} +{{- end }} +app.kubernetes.io/part-of: "istio" +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +{{- if and .Chart.Name .Chart.Version }} +helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/values.yaml new file mode 100644 index 0000000000..d18296f00a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/base/values.yaml @@ -0,0 +1,37 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + global: + + # ImagePullSecrets for control plane ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + + # Used to locate istiod. + istioNamespace: istio-system + base: + # A list of CRDs to exclude. Requires `enableCRDTemplates` to be true. + # Example: `excludedCRDs: ["envoyfilters.networking.istio.io"]`. + # Note: when installing with `istioctl`, `enableIstioConfigCRDs=false` must also be set. + excludedCRDs: [] + # Helm (as of V3) does not support upgrading CRDs, because it is not universally + # safe for them to support this. + # Istio as a project enforces certain backwards-compat guarantees that allow us + # to safely upgrade CRDs in spite of this, so we default to self-managing CRDs + # as standard K8S resources in Helm, and disable Helm's CRD management. See also: + # https://helm.sh/docs/chart_best_practices/custom_resource_definitions/#method-2-separate-charts + enableCRDTemplates: true + + # Validation webhook configuration url + # For example: https://$remotePilotAddress:15017/validate + validationURL: "" + # Validation webhook caBundle value. Useful when running pilot with a well known cert + validationCABundle: "" + + # For istioctl usage to disable istio config crds in base + enableIstioConfigCRDs: true + + defaultRevision: "default" + experimental: + stableValidationPolicy: false diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/Chart.yaml new file mode 100644 index 0000000000..73fcf4c7b4 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +appVersion: 1.27.3 +description: Helm chart for istio-cni components +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio-cni +- istio +name: cni +sources: +- https://github.com/istio/istio +version: 1.27.3 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/README.md new file mode 100644 index 0000000000..a8b78d5bde --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/README.md @@ -0,0 +1,65 @@ +# Istio CNI Helm Chart + +This chart installs the Istio CNI Plugin. See the [CNI installation guide](https://istio.io/latest/docs/setup/additional-setup/cni/) +for more information. + +## Setup Repo Info + +```console +helm repo add istio https://istio-release.storage.googleapis.com/charts +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Installing the Chart + +To install the chart with the release name `istio-cni`: + +```console +helm install istio-cni istio/cni -n kube-system +``` + +Installation in `kube-system` is recommended to ensure the [`system-node-critical`](https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/) +`priorityClassName` can be used. You can install in other namespace only on K8S clusters that allow +'system-node-critical' outside of kube-system. + +## Configuration + +To view support configuration options and documentation, run: + +```console +helm show values istio/istio-cni +``` + +### Profiles + +Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. +These can be set with `--set profile=`. +For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. + +For consistency, the same profiles are used across each chart, even if they do not impact a given chart. + +Explicitly set values have highest priority, then profile settings, then chart defaults. + +As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. +When configuring the chart, you should not include this. +That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. + +### Ambient + +To enable ambient, you can use the ambient profile: `--set profile=ambient`. + +#### Calico + +For Calico, you must also modify the settings to allow source spoofing: + +- if deployed by operator, `kubectl patch felixconfigurations default --type='json' -p='[{"op": "add", "path": "/spec/workloadSourceSpoofing", "value": "Any"}]'` +- if deployed by manifest, add env `FELIX_WORKLOADSOURCESPOOFING` with value `Any` in `spec.template.spec.containers.env` for daemonset `calico-node`. (This will allow PODs with specified annotation to skip the rpf check. ) + +### GKE notes + +On GKE, 'kube-system' is required. + +If using `helm template`, `--set cni.cniBinDir=/home/kubernetes/bin` is required - with `helm install` +it is auto-detected. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-ambient.yaml new file mode 100644 index 0000000000..495fbcd434 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-ambient.yaml @@ -0,0 +1,24 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" + serviceScopeConfigs: + - servicesSelector: + matchExpressions: + - key: istio.io/global + operator: In + values: ["true"] + scope: GLOBAL +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 0000000000..4f3dbef7ea --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-compatibility-version-1.24.yaml @@ -0,0 +1,15 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + PILOT_ENABLE_IP_AUTOALLOCATE: "false" + # 1.27 behavioral changes + ENABLE_NATIVE_SIDECARS: "false" +ambient: + dnsCapture: false + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..b2f45948c2 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,11 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.27 behavioral changes + ENABLE_NATIVE_SIDECARS: "false" +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-compatibility-version-1.26.yaml new file mode 100644 index 0000000000..af10697326 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-compatibility-version-1.26.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.27 behavioral changes + ENABLE_NATIVE_SIDECARS: "false" \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-demo.yaml new file mode 100644 index 0000000000..d6dc36dd0f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-demo.yaml @@ -0,0 +1,94 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The demo profile enables a variety of things to try out Istio in non-production environments. +# * Lower resource utilization. +# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. +# * More ports enabled on the ingress, which is used in some tasks. +meshConfig: + accessLogFile: /dev/stdout + extensionProviders: + - name: otel + envoyOtelAls: + service: opentelemetry-collector.observability.svc.cluster.local + port: 4317 + - name: skywalking + skywalking: + service: tracing.istio-system.svc.cluster.local + port: 11800 + - name: otel-tracing + opentelemetry: + port: 4317 + service: opentelemetry-collector.observability.svc.cluster.local + - name: jaeger + opentelemetry: + port: 4317 + service: jaeger-collector.istio-system.svc.cluster.local + +cni: + resources: + requests: + cpu: 10m + memory: 40Mi + +ztunnel: + resources: + requests: + cpu: 10m + memory: 40Mi + +global: + proxy: + resources: + requests: + cpu: 10m + memory: 40Mi + waypoint: + resources: + requests: + cpu: 10m + memory: 40Mi + +pilot: + autoscaleEnabled: false + traceSampling: 100 + resources: + requests: + cpu: 10m + memory: 100Mi + +gateways: + istio-egressgateway: + autoscaleEnabled: false + resources: + requests: + cpu: 10m + memory: 40Mi + istio-ingressgateway: + autoscaleEnabled: false + ports: + ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. + # Note that AWS ELB will by default perform health checks on the first port + # on this list. Setting this to the health check port will ensure that health + # checks always work. https://github.com/istio/istio/issues/12503 + - port: 15021 + targetPort: 15021 + name: status-port + - port: 80 + targetPort: 8080 + name: http2 + - port: 443 + targetPort: 8443 + name: https + - port: 31400 + targetPort: 31400 + name: tcp + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + resources: + requests: + cpu: 10m + memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-platform-gke.yaml new file mode 100644 index 0000000000..dfe8a7d741 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-platform-gke.yaml @@ -0,0 +1,10 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work + resourceQuotas: + enabled: true +resourceQuotas: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-platform-k3d.yaml new file mode 100644 index 0000000000..cd86d9ec58 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-platform-k3d.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-platform-k3s.yaml new file mode 100644 index 0000000000..07820106d9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-platform-k3s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-platform-microk8s.yaml new file mode 100644 index 0000000000..57d7f5e3cd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-platform-microk8s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/snap/microk8s/current/args/cni-network + cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-platform-minikube.yaml new file mode 100644 index 0000000000..fa9992e204 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-platform-minikube.yaml @@ -0,0 +1,6 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-platform-openshift.yaml new file mode 100644 index 0000000000..8ddc5e1654 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-platform-openshift.yaml @@ -0,0 +1,19 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The OpenShift profile provides a basic set of settings to run Istio on OpenShift +cni: + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + provider: "multus" +pilot: + cni: + enabled: true + provider: "multus" +seLinuxOptions: + type: spc_t +# Openshift requires privileged pods to run in kube-system +trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-preview.yaml new file mode 100644 index 0000000000..181d7bda2c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-preview.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +meshConfig: + defaultConfig: + proxyMetadata: + # Enable Istio agent to handle DNS requests for known hosts + # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf + ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-remote.yaml new file mode 100644 index 0000000000..d17b9a801a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-remote.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. +istiodRemote: + enabled: true +configMap: false +telemetry: + enabled: false +global: + # TODO BML maybe a different profile for a configcluster/revisit this + omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-stable.yaml new file mode 100644 index 0000000000..358282e69b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/files/profile-stable.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The stable profile deploys admission control to ensure that only stable resources and fields are used +# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE +experimental: + stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/templates/NOTES.txt new file mode 100644 index 0000000000..fb35525b99 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/templates/NOTES.txt @@ -0,0 +1,5 @@ +"{{ .Release.Name }}" successfully installed! + +To learn more about the release, try: + $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} + $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/templates/_helpers.tpl new file mode 100644 index 0000000000..73cc17b2f6 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/templates/_helpers.tpl @@ -0,0 +1,8 @@ +{{- define "name" -}} + istio-cni +{{- end }} + + +{{- define "istio-tag" -}} + {{ .Values.tag | default .Values.global.tag }}{{with (.Values.variant | default .Values.global.variant)}}-{{.}}{{end}} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/templates/clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/templates/clusterrole.yaml new file mode 100644 index 0000000000..1779e0bb1d --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/templates/clusterrole.yaml @@ -0,0 +1,81 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "name" . }} + labels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +rules: +- apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: ["privileged"] + verbs: ["use"] +- apiGroups: [""] + resources: ["pods","nodes","namespaces"] + verbs: ["get", "list", "watch"] +{{- if (eq ((coalesce .Values.platform .Values.global.platform) | default "") "openshift") }} +- apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: ["privileged"] + verbs: ["use"] +{{- end }} +--- +{{- if .Values.repair.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "name" . }}-repair-role + labels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] + - apiGroups: [""] + resources: ["pods"] + verbs: ["watch", "get", "list"] +{{- if .Values.repair.repairPods }} +{{- /* No privileges needed*/}} +{{- else if .Values.repair.deletePods }} + - apiGroups: [""] + resources: ["pods"] + verbs: ["delete"] +{{- else if .Values.repair.labelPods }} + - apiGroups: [""] + {{- /* pods/status is less privileged than the full pod, and either can label. So use the lower pods/status */}} + resources: ["pods/status"] + verbs: ["patch", "update"] +{{- end }} +{{- end }} +--- +{{- if .Values.ambient.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "name" . }}-ambient + labels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +rules: +- apiGroups: [""] + {{- /* pods/status is less privileged than the full pod, and either can label. So use the lower pods/status */}} + resources: ["pods/status"] + verbs: ["patch", "update"] +- apiGroups: ["apps"] + resources: ["daemonsets"] + resourceNames: ["{{ template "name" . }}-node"] + verbs: ["get"] +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/templates/clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..42fedab1fc --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/templates/clusterrolebinding.yaml @@ -0,0 +1,63 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "name" . }} + labels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "name" . }} +subjects: +- kind: ServiceAccount + name: {{ template "name" . }} + namespace: {{ .Release.Namespace }} +--- +{{- if .Values.repair.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "name" . }}-repair-rolebinding + labels: + k8s-app: {{ template "name" . }}-repair + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +subjects: +- kind: ServiceAccount + name: {{ template "name" . }} + namespace: {{ .Release.Namespace}} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "name" . }}-repair-role +{{- end }} +--- +{{- if .Values.ambient.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "name" . }}-ambient + labels: + k8s-app: {{ template "name" . }}-repair + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ template "name" . }} + namespace: {{ .Release.Namespace}} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "name" . }}-ambient +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/templates/configmap-cni.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/templates/configmap-cni.yaml new file mode 100644 index 0000000000..6f6ef329a2 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/templates/configmap-cni.yaml @@ -0,0 +1,41 @@ +kind: ConfigMap +apiVersion: v1 +metadata: + name: {{ template "name" . }}-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +data: + CURRENT_AGENT_VERSION: {{ .Values.tag | default .Values.global.tag | quote }} + AMBIENT_ENABLED: {{ .Values.ambient.enabled | quote }} + AMBIENT_ENABLEMENT_SELECTOR: {{ .Values.ambient.enablementSelectors | toYaml | quote }} + AMBIENT_DNS_CAPTURE: {{ .Values.ambient.dnsCapture | quote }} + AMBIENT_IPV6: {{ .Values.ambient.ipv6 | quote }} + AMBIENT_RECONCILE_POD_RULES_ON_STARTUP: {{ .Values.ambient.reconcileIptablesOnStartup | quote }} + {{- if .Values.cniConfFileName }} # K8S < 1.24 doesn't like empty values + CNI_CONF_NAME: {{ .Values.cniConfFileName }} # Name of the CNI config file to create. Only override if you know the exact path your CNI requires.. + {{- end }} + ISTIO_OWNED_CNI_CONFIG: {{ .Values.istioOwnedCNIConfig | quote }} + {{- if .Values.istioOwnedCNIConfig }} + ISTIO_OWNED_CNI_CONF_FILENAME: {{ .Values.istioOwnedCNIConfigFileName | quote }} + {{- end }} + CHAINED_CNI_PLUGIN: {{ .Values.chained | quote }} + EXCLUDE_NAMESPACES: "{{ range $idx, $ns := .Values.excludeNamespaces }}{{ if $idx }},{{ end }}{{ $ns }}{{ end }}" + REPAIR_ENABLED: {{ .Values.repair.enabled | quote }} + REPAIR_LABEL_PODS: {{ .Values.repair.labelPods | quote }} + REPAIR_DELETE_PODS: {{ .Values.repair.deletePods | quote }} + REPAIR_REPAIR_PODS: {{ .Values.repair.repairPods | quote }} + REPAIR_INIT_CONTAINER_NAME: {{ .Values.repair.initContainerName | quote }} + REPAIR_BROKEN_POD_LABEL_KEY: {{ .Values.repair.brokenPodLabelKey | quote }} + REPAIR_BROKEN_POD_LABEL_VALUE: {{ .Values.repair.brokenPodLabelValue | quote }} + NATIVE_NFTABLES: {{ .Values.global.nativeNftables | quote }} + {{- with .Values.env }} + {{- range $key, $val := . }} + {{ $key }}: "{{ $val }}" + {{- end }} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/templates/daemonset.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/templates/daemonset.yaml new file mode 100644 index 0000000000..896de3d038 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/templates/daemonset.yaml @@ -0,0 +1,248 @@ +# This manifest installs the Istio install-cni container, as well +# as the Istio CNI plugin and config on +# each master and worker node in a Kubernetes cluster. +# +# $detectedBinDir exists to support a GKE-specific platform override, +# and is deprecated in favor of using the explicit `gke` platform profile. +{{- $detectedBinDir := (.Capabilities.KubeVersion.GitVersion | contains "-gke") | ternary + "/home/kubernetes/bin" + "/opt/cni/bin" +}} +{{- if .Values.cniBinDir }} +{{ $detectedBinDir = .Values.cniBinDir }} +{{- end }} +kind: DaemonSet +apiVersion: apps/v1 +metadata: + # Note that this is templated but evaluates to a fixed name + # which the CNI plugin may fall back onto in some failsafe scenarios. + # if this name is changed, CNI plugin logic that checks for this name + # format should also be updated. + name: {{ template "name" . }}-node + namespace: {{ .Release.Namespace }} + labels: + k8s-app: {{ template "name" . }}-node + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +spec: + selector: + matchLabels: + k8s-app: {{ template "name" . }}-node + {{- with .Values.updateStrategy }} + updateStrategy: + {{- toYaml . | nindent 4 }} + {{- end }} + template: + metadata: + labels: + k8s-app: {{ template "name" . }}-node + sidecar.istio.io/inject: "false" + istio.io/dataplane-mode: none + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 8 }} + annotations: + sidecar.istio.io/inject: "false" + # Add Prometheus Scrape annotations + prometheus.io/scrape: 'true' + prometheus.io/port: "15014" + prometheus.io/path: '/metrics' + # Add AppArmor annotation + # This is required to avoid conflicts with AppArmor profiles which block certain + # privileged pod capabilities. + # Required for Kubernetes 1.29 which does not support setting appArmorProfile in the + # securityContext which is otherwise preferred. + container.apparmor.security.beta.kubernetes.io/install-cni: unconfined + # Custom annotations + {{- if .Values.podAnnotations }} +{{ toYaml .Values.podAnnotations | indent 8 }} + {{- end }} + spec: +{{- if and .Values.ambient.enabled .Values.ambient.shareHostNetworkNamespace }} + hostNetwork: true + dnsPolicy: ClusterFirstWithHostNet +{{- end }} + nodeSelector: + kubernetes.io/os: linux + # Can be configured to allow for excluding istio-cni from being scheduled on specified nodes + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + priorityClassName: system-node-critical + serviceAccountName: {{ template "name" . }} + # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force + # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods. + terminationGracePeriodSeconds: 5 + containers: + # This container installs the Istio CNI binaries + # and CNI network config file on each node. + - name: install-cni +{{- if contains "/" .Values.image }} + image: "{{ .Values.image }}" +{{- else }} + image: "{{ .Values.hub | default .Values.global.hub }}/{{ .Values.image | default "install-cni" }}:{{ template "istio-tag" . }}" +{{- end }} +{{- if or .Values.pullPolicy .Values.global.imagePullPolicy }} + imagePullPolicy: {{ .Values.pullPolicy | default .Values.global.imagePullPolicy }} +{{- end }} + ports: + - containerPort: 15014 + name: metrics + protocol: TCP + readinessProbe: + httpGet: + path: /readyz + port: 8000 + securityContext: + privileged: false + runAsGroup: 0 + runAsUser: 0 + runAsNonRoot: false + # Both ambient and sidecar repair mode require elevated node privileges to function. + # But we don't need _everything_ in `privileged`, so explicitly set it to false and + # add capabilities based on feature. + capabilities: + drop: + - ALL + add: + # CAP_NET_ADMIN is required to allow ipset and route table access + - NET_ADMIN + # CAP_NET_RAW is required to allow iptables mutation of the `nat` table + - NET_RAW + # CAP_SYS_PTRACE is required for repair and ambient mode to describe + # the pod's network namespace. + - SYS_PTRACE + # CAP_SYS_ADMIN is required for both ambient and repair, in order to open + # network namespaces in `/proc` to obtain descriptors for entering pod network + # namespaces. There does not appear to be a more granular capability for this. + - SYS_ADMIN + # While we run as a 'root' (UID/GID 0), since we drop all capabilities we lose + # the typical ability to read/write to folders owned by others. + # This can cause problems if the hostPath mounts we use, which we require write access into, + # are owned by non-root. DAC_OVERRIDE bypasses these and gives us write access into any folder. + - DAC_OVERRIDE +{{- if .Values.seLinuxOptions }} +{{ with (merge .Values.seLinuxOptions (dict "type" "spc_t")) }} + seLinuxOptions: +{{ toYaml . | trim | indent 14 }} +{{- end }} +{{- end }} +{{- if .Values.seccompProfile }} + seccompProfile: +{{ toYaml .Values.seccompProfile | trim | indent 14 }} +{{- end }} + command: ["install-cni"] + args: + {{- if or .Values.logging.level .Values.global.logging.level }} + - --log_output_level={{ coalesce .Values.logging.level .Values.global.logging.level }} + {{- end}} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end}} + envFrom: + - configMapRef: + name: {{ template "name" . }}-config + env: + - name: REPAIR_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: REPAIR_RUN_AS_DAEMON + value: "true" + - name: REPAIR_SIDECAR_ANNOTATION + value: "sidecar.istio.io/status" + {{- if not (and .Values.ambient.enabled .Values.ambient.shareHostNetworkNamespace) }} + - name: ALLOW_SWITCH_TO_HOST_NS + value: "true" + {{- end }} + - name: NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + divisor: '1' + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + divisor: '1' + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + {{- if .Values.env }} + {{- range $key, $val := .Values.env }} + - name: {{ $key }} + value: "{{ $val }}" + {{- end }} + {{- end }} + volumeMounts: + - mountPath: /host/opt/cni/bin + name: cni-bin-dir + {{- if or .Values.repair.repairPods .Values.ambient.enabled }} + - mountPath: /host/proc + name: cni-host-procfs + readOnly: true + {{- end }} + - mountPath: /host/etc/cni/net.d + name: cni-net-dir + - mountPath: /var/run/istio-cni + name: cni-socket-dir + {{- if .Values.ambient.enabled }} + - mountPath: /host/var/run/netns + mountPropagation: HostToContainer + name: cni-netns-dir + - mountPath: /var/run/ztunnel + name: cni-ztunnel-sock-dir + {{ end }} + resources: +{{- if .Values.resources }} +{{ toYaml .Values.resources | trim | indent 12 }} +{{- else }} +{{ toYaml .Values.global.defaultResources | trim | indent 12 }} +{{- end }} + volumes: + # Used to install CNI. + - name: cni-bin-dir + hostPath: + path: {{ $detectedBinDir }} + {{- if or .Values.repair.repairPods .Values.ambient.enabled }} + - name: cni-host-procfs + hostPath: + path: /proc + type: Directory + {{- end }} + {{- if .Values.ambient.enabled }} + - name: cni-ztunnel-sock-dir + hostPath: + path: /var/run/ztunnel + type: DirectoryOrCreate + {{- end }} + - name: cni-net-dir + hostPath: + path: {{ .Values.cniConfDir }} + # Used for UDS sockets for logging, ambient eventing + - name: cni-socket-dir + hostPath: + path: /var/run/istio-cni + - name: cni-netns-dir + hostPath: + path: {{ .Values.cniNetnsDir }} + type: DirectoryOrCreate # DirectoryOrCreate instead of Directory for the following reason - CNI may not bind mount this until a non-hostnetwork pod is scheduled on the node, + # and we don't want to block CNI agent pod creation on waiting for the first non-hostnetwork pod. + # Once the CNI does mount this, it will get populated and we're good. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/templates/network-attachment-definition.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/templates/network-attachment-definition.yaml new file mode 100644 index 0000000000..86a2eb7c0b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/templates/network-attachment-definition.yaml @@ -0,0 +1,11 @@ +{{- if eq .Values.provider "multus" }} +apiVersion: k8s.cni.cncf.io/v1 +kind: NetworkAttachmentDefinition +metadata: + name: {{ template "name" . }} + namespace: default + labels: + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/templates/networkpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/templates/networkpolicy.yaml new file mode 100644 index 0000000000..a30df776db --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/templates/networkpolicy.yaml @@ -0,0 +1,36 @@ +{{- if (.Values.global.networkPolicy).enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ template "name" . }}{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + k8s-app: {{ template "name" . }}-node + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + k8s-app: {{ template "name" . }}-node + policyTypes: + - Ingress + - Egress + ingress: + # Metrics endpoint for monitoring/prometheus + - from: [] + ports: + - protocol: TCP + port: 15014 + # Readiness probe endpoint + - from: [] + ports: + - protocol: TCP + port: 8000 + egress: + # Allow DNS resolution and access to Kubernetes API server. + # IP/Port of the API server is heavily dependant on k8s distribution, so we allow all egress for now. + - {} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/templates/resourcequota.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/templates/resourcequota.yaml new file mode 100644 index 0000000000..9a6d61ff91 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/templates/resourcequota.yaml @@ -0,0 +1,19 @@ +{{- if .Values.resourceQuotas.enabled }} +apiVersion: v1 +kind: ResourceQuota +metadata: + name: {{ template "name" . }}-resource-quota + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +spec: + hard: + pods: {{ .Values.resourceQuotas.pods | quote }} + scopeSelector: + matchExpressions: + - operator: In + scopeName: PriorityClass + values: + - system-node-critical +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/templates/serviceaccount.yaml new file mode 100644 index 0000000000..3193d7b74a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/templates/serviceaccount.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: ServiceAccount +{{- if .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range .Values.global.imagePullSecrets }} + - name: {{ . }} +{{- end }} +{{- end }} +metadata: + name: {{ template "name" . }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/templates/zzy_descope_legacy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/templates/zzy_descope_legacy.yaml new file mode 100644 index 0000000000..a9584ac29f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/templates/zzy_descope_legacy.yaml @@ -0,0 +1,3 @@ +{{/* Copy anything under `.cni` to `.`, to avoid the need to specify a redundant prefix. +Due to the file naming, this always happens after zzz_profile.yaml */}} +{{- $_ := mustMergeOverwrite $.Values (index $.Values "cni") }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/templates/zzz_profile.yaml new file mode 100644 index 0000000000..3d84956485 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/templates/zzz_profile.yaml @@ -0,0 +1,75 @@ +{{/* +WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. +The original version of this file is located at /manifests directory. +If you want to make a change in this file, edit the original one and run "make gen". + +Complex logic ahead... +We have three sets of values, in order of precedence (last wins): +1. The builtin values.yaml defaults +2. The profile the user selects +3. Users input (-f or --set) + +Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). + +However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). +We can then merge the profile onto the defaults, then the user settings onto that. +Finally, we can set all of that under .Values so the chart behaves without awareness. +*/}} +{{- if $.Values.defaults}} +{{ fail (cat + "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" + ($.Values.defaults | toYaml |nindent 4) +) }} +{{- end }} +{{- $defaults := $.Values._internal_defaults_do_not_set }} +{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} +{{- $profile := dict }} +{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} +{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} +{{- $profile = (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown profile" .) }} +{{- end }} +{{- end }} +{{- with .Values.compatibilityVersion }} +{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} +{{- end }} +{{- end }} +{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} +{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown platform" .) }} +{{- end }} +{{- end }} +{{- if $profile }} +{{- $a := mustMergeOverwrite $defaults $profile }} +{{- end }} +# Flatten globals, if defined on a per-chart basis +{{- if false }} +{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} +{{- end }} +{{- $x := set $.Values "_original" (deepCopy $.Values) }} +{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} + +{{/* +Labels that should be applied to ALL resources. +*/}} +{{- define "istio.labels" -}} +{{- if .Release.Service -}} +app.kubernetes.io/managed-by: {{ .Release.Service | quote }} +{{- end }} +{{- if .Release.Name }} +app.kubernetes.io/instance: {{ .Release.Name | quote }} +{{- end }} +app.kubernetes.io/part-of: "istio" +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +{{- if and .Chart.Name .Chart.Version }} +helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/values.yaml new file mode 100644 index 0000000000..703e4bf6a8 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/cni/values.yaml @@ -0,0 +1,182 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + hub: "" + tag: "" + variant: "" + image: install-cni + pullPolicy: "" + + # Same as `global.logging.level`, but will override it if set + logging: + level: "" + + # Configuration file to insert istio-cni plugin configuration + # by default this will be the first file found in the cni-conf-dir + # Example + # cniConfFileName: 10-calico.conflist + + # CNI-and-platform specific path defaults. + # These may need to be set to platform-specific values, consult + # overrides for your platform in `manifests/helm-profiles/platform-*.yaml` + cniBinDir: /opt/cni/bin + cniConfDir: /etc/cni/net.d + cniConfFileName: "" + cniNetnsDir: "/var/run/netns" + + # If Istio owned CNI config is enabled, defaults to 02-istio-cni.conflist + istioOwnedCNIConfigFileName: "" + istioOwnedCNIConfig: false + + excludeNamespaces: + - kube-system + + # Allows user to set custom affinity for the DaemonSet + affinity: {} + + # Custom annotations on pod level, if you need them + podAnnotations: {} + + # Deploy the config files as plugin chain (value "true") or as standalone files in the conf dir (value "false")? + # Some k8s flavors (e.g. OpenShift) do not support the chain approach, set to false if this is the case + chained: true + + # Custom configuration happens based on the CNI provider. + # Possible values: "default", "multus" + provider: "default" + + # Configure ambient settings + ambient: + # If enabled, ambient redirection will be enabled + enabled: false + # If ambient is enabled, this selector will be used to identify the ambient-enabled pods + enablementSelectors: + - podSelector: + matchLabels: {istio.io/dataplane-mode: ambient} + - podSelector: + matchExpressions: + - { key: istio.io/dataplane-mode, operator: NotIn, values: [none] } + namespaceSelector: + matchLabels: {istio.io/dataplane-mode: ambient} + # Set ambient config dir path: defaults to /etc/ambient-config + configDir: "" + # If enabled, and ambient is enabled, DNS redirection will be enabled + dnsCapture: true + # If enabled, and ambient is enabled, enables ipv6 support + ipv6: true + # If enabled, and ambient is enabled, the CNI agent will reconcile incompatible iptables rules and chains at startup. + # This will eventually be enabled by default + reconcileIptablesOnStartup: false + # If enabled, and ambient is enabled, the CNI agent will always share the network namespace of the host node it is running on + shareHostNetworkNamespace: false + + + repair: + enabled: true + hub: "" + tag: "" + + # Repair controller has 3 modes. Pick which one meets your use cases. Note only one may be used. + # This defines the action the controller will take when a pod is detected as broken. + + # labelPods will label all pods with =. + # This is only capable of identifying broken pods; the user is responsible for fixing them (generally, by deleting them). + # Note this gives the DaemonSet a relatively high privilege, as modifying pod metadata/status can have wider impacts. + labelPods: false + # deletePods will delete any broken pod. These will then be rescheduled, hopefully onto a node that is fully ready. + # Note this gives the DaemonSet a relatively high privilege, as it can delete any Pod. + deletePods: false + # repairPods will dynamically repair any broken pod by setting up the pod networking configuration even after it has started. + # Note the pod will be crashlooping, so this may take a few minutes to become fully functional based on when the retry occurs. + # This requires no RBAC privilege, but does require `securityContext.privileged/CAP_SYS_ADMIN`. + repairPods: true + + initContainerName: "istio-validation" + + brokenPodLabelKey: "cni.istio.io/uninitialized" + brokenPodLabelValue: "true" + + # Set to `type: RuntimeDefault` to use the default profile if available. + seccompProfile: {} + + # SELinux options to set in the istio-cni-node pods. You may need to set this to `type: spc_t` for some platforms. + seLinuxOptions: {} + + resources: + requests: + cpu: 100m + memory: 100Mi + + resourceQuotas: + enabled: false + pods: 5000 + + tolerations: + # Make sure istio-cni-node gets scheduled on all nodes. + - effect: NoSchedule + operator: Exists + # Mark the pod as a critical add-on for rescheduling. + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists + + # K8s DaemonSet update strategy. + # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec). + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 + + # Revision is set as 'version' label and part of the resource names when installing multiple control planes. + revision: "" + + # For Helm compatibility. + ownerName: "" + + global: + # Default hub for Istio images. + # Releases are published to docker hub under 'istio' project. + # Dev builds from prow are on gcr.io + hub: gcr.io/istio-release + + # Default tag for Istio images. + tag: 1.27.3 + + # Variant of the image to use. + # Currently supported are: [debug, distroless] + variant: "" + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent. + imagePullPolicy: "" + + # change cni scope level to control logging out of istio-cni-node DaemonSet + logging: + level: info + + logAsJson: false + + # When enabled, default NetworkPolicy resources will be created + networkPolicy: + enabled: false + + # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) + # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + # - private-registry-key + + # Default resources allocated + defaultResources: + requests: + cpu: 100m + memory: 100Mi + + # In order to use native nftable rules instead of iptable rules, set this flag to true. + nativeNftables: false + + # A `key: value` mapping of environment variables to add to the pod + env: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/Chart.yaml new file mode 100644 index 0000000000..b806d50178 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/Chart.yaml @@ -0,0 +1,12 @@ +apiVersion: v2 +appVersion: 1.27.3 +description: Helm chart for deploying Istio gateways +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio +- gateways +name: gateway +sources: +- https://github.com/istio/istio +type: application +version: 1.27.3 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/README.md new file mode 100644 index 0000000000..5c064d165b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/README.md @@ -0,0 +1,170 @@ +# Istio Gateway Helm Chart + +This chart installs an Istio gateway deployment. + +## Setup Repo Info + +```console +helm repo add istio https://istio-release.storage.googleapis.com/charts +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Installing the Chart + +To install the chart with the release name `istio-ingressgateway`: + +```console +helm install istio-ingressgateway istio/gateway +``` + +## Uninstalling the Chart + +To uninstall/delete the `istio-ingressgateway` deployment: + +```console +helm delete istio-ingressgateway +``` + +## Configuration + +To view support configuration options and documentation, run: + +```console +helm show values istio/gateway +``` + +### Profiles + +Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. +These can be set with `--set profile=`. +For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. + +For consistency, the same profiles are used across each chart, even if they do not impact a given chart. + +Explicitly set values have highest priority, then profile settings, then chart defaults. + +As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. +When configuring the chart, you should not include this. +That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. + +### OpenShift + +When deploying the gateway in an OpenShift cluster, use the `openshift` profile to override the default values, for example: + +```console +helm install istio-ingressgateway istio/gateway --set profile=openshift +``` + +### `image: auto` Information + +The image used by the chart, `auto`, may be unintuitive. +This exists because the pod spec will be automatically populated at runtime, using the same mechanism as [Sidecar Injection](istio.io/latest/docs/setup/additional-setup/sidecar-injection). +This allows the same configurations and lifecycle to apply to gateways as sidecars. + +Note: this does mean that the namespace the gateway is deployed in must not have the `istio-injection=disabled` label. +See [Controlling the injection policy](https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#controlling-the-injection-policy) for more info. + +### Examples + +#### Egress Gateway + +Deploying a Gateway to be used as an [Egress Gateway](https://istio.io/latest/docs/tasks/traffic-management/egress/egress-gateway/): + +```yaml +service: + # Egress gateways do not need an external LoadBalancer IP + type: ClusterIP +``` + +#### Multi-network/VM Gateway + +Deploying a Gateway to be used as a [Multi-network Gateway](https://istio.io/latest/docs/setup/install/multicluster/) for network `network-1`: + +```yaml +networkGateway: network-1 +``` + +### Migrating from other installation methods + +Installations from other installation methods (such as istioctl, Istio Operator, other helm charts, etc) can be migrated to use the new Helm charts +following the guidance below. +If you are able to, a clean installation is simpler. However, this often requires an external IP migration which can be challenging. + +WARNING: when installing over an existing deployment, the two deployments will be merged together by Helm, which may lead to unexpected results. + +#### Legacy Gateway Helm charts + +Istio historically offered two different charts - `manifests/charts/gateways/istio-ingress` and `manifests/charts/gateways/istio-egress`. +These are replaced by this chart. +While not required, it is recommended all new users use this chart, and existing users migrate when possible. + +This chart has the following benefits and differences: +* Designed with Helm best practices in mind (standardized values options, values schema, values are not all nested under `gateways.istio-ingressgateway.*`, release name and namespace taken into account, etc). +* Utilizes Gateway injection, simplifying upgrades, allowing gateways to run in any namespace, and avoiding repeating config for sidecars and gateways. +* Published to official Istio Helm repository. +* Single chart for all gateways (Ingress, Egress, East West). + +#### General concerns + +For a smooth migration, the resource names and `Deployment.spec.selector` labels must match. + +If you install with `helm install istio-gateway istio/gateway`, resources will be named `istio-gateway` and the `selector` labels set to: + +```yaml +app: istio-gateway +istio: gateway # the release name with leading istio- prefix stripped +``` + +If your existing installation doesn't follow these names, you can override them. For example, if you have resources named `my-custom-gateway` with `selector` labels +`foo=bar,istio=ingressgateway`: + +```yaml +name: my-custom-gateway # Override the name to match existing resources +labels: + app: "" # Unset default app selector label + istio: ingressgateway # override default istio selector label + foo: bar # Add the existing custom selector label +``` + +#### Migrating an existing Helm release + +An existing helm release can be `helm upgrade`d to this chart by using the same release name. For example, if a previous +installation was done like: + +```console +helm install istio-ingress manifests/charts/gateways/istio-ingress -n istio-system +``` + +It could be upgraded with + +```console +helm upgrade istio-ingress manifests/charts/gateway -n istio-system --set name=istio-ingressgateway --set labels.app=istio-ingressgateway --set labels.istio=ingressgateway +``` + +Note the name and labels are overridden to match the names of the existing installation. + +Warning: the helm charts here default to using port 80 and 443, while the old charts used 8080 and 8443. +If you have AuthorizationPolicies that reference port these ports, you should update them during this process, +or customize the ports to match the old defaults. +See the [security advisory](https://istio.io/latest/news/security/istio-security-2021-002/) for more information. + +#### Other migrations + +If you see errors like `rendered manifests contain a resource that already exists` during installation, you may need to forcibly take ownership. + +The script below can handle this for you. Replace `RELEASE` and `NAMESPACE` with the name and namespace of the release: + +```console +KINDS=(service deployment) +RELEASE=istio-ingressgateway +NAMESPACE=istio-system +for KIND in "${KINDS[@]}"; do + kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-name=$RELEASE + kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-namespace=$NAMESPACE + kubectl --namespace $NAMESPACE --overwrite=true label $KIND $RELEASE app.kubernetes.io/managed-by=Helm +done +``` + +You may ignore errors about resources not being found. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-ambient.yaml new file mode 100644 index 0000000000..495fbcd434 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-ambient.yaml @@ -0,0 +1,24 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" + serviceScopeConfigs: + - servicesSelector: + matchExpressions: + - key: istio.io/global + operator: In + values: ["true"] + scope: GLOBAL +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 0000000000..4f3dbef7ea --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-compatibility-version-1.24.yaml @@ -0,0 +1,15 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + PILOT_ENABLE_IP_AUTOALLOCATE: "false" + # 1.27 behavioral changes + ENABLE_NATIVE_SIDECARS: "false" +ambient: + dnsCapture: false + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..b2f45948c2 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,11 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.27 behavioral changes + ENABLE_NATIVE_SIDECARS: "false" +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-compatibility-version-1.26.yaml new file mode 100644 index 0000000000..af10697326 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-compatibility-version-1.26.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.27 behavioral changes + ENABLE_NATIVE_SIDECARS: "false" \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-demo.yaml new file mode 100644 index 0000000000..d6dc36dd0f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-demo.yaml @@ -0,0 +1,94 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The demo profile enables a variety of things to try out Istio in non-production environments. +# * Lower resource utilization. +# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. +# * More ports enabled on the ingress, which is used in some tasks. +meshConfig: + accessLogFile: /dev/stdout + extensionProviders: + - name: otel + envoyOtelAls: + service: opentelemetry-collector.observability.svc.cluster.local + port: 4317 + - name: skywalking + skywalking: + service: tracing.istio-system.svc.cluster.local + port: 11800 + - name: otel-tracing + opentelemetry: + port: 4317 + service: opentelemetry-collector.observability.svc.cluster.local + - name: jaeger + opentelemetry: + port: 4317 + service: jaeger-collector.istio-system.svc.cluster.local + +cni: + resources: + requests: + cpu: 10m + memory: 40Mi + +ztunnel: + resources: + requests: + cpu: 10m + memory: 40Mi + +global: + proxy: + resources: + requests: + cpu: 10m + memory: 40Mi + waypoint: + resources: + requests: + cpu: 10m + memory: 40Mi + +pilot: + autoscaleEnabled: false + traceSampling: 100 + resources: + requests: + cpu: 10m + memory: 100Mi + +gateways: + istio-egressgateway: + autoscaleEnabled: false + resources: + requests: + cpu: 10m + memory: 40Mi + istio-ingressgateway: + autoscaleEnabled: false + ports: + ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. + # Note that AWS ELB will by default perform health checks on the first port + # on this list. Setting this to the health check port will ensure that health + # checks always work. https://github.com/istio/istio/issues/12503 + - port: 15021 + targetPort: 15021 + name: status-port + - port: 80 + targetPort: 8080 + name: http2 + - port: 443 + targetPort: 8443 + name: https + - port: 31400 + targetPort: 31400 + name: tcp + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + resources: + requests: + cpu: 10m + memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-platform-gke.yaml new file mode 100644 index 0000000000..dfe8a7d741 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-platform-gke.yaml @@ -0,0 +1,10 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work + resourceQuotas: + enabled: true +resourceQuotas: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-platform-k3d.yaml new file mode 100644 index 0000000000..cd86d9ec58 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-platform-k3d.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-platform-k3s.yaml new file mode 100644 index 0000000000..07820106d9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-platform-k3s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-platform-microk8s.yaml new file mode 100644 index 0000000000..57d7f5e3cd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-platform-microk8s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/snap/microk8s/current/args/cni-network + cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-platform-minikube.yaml new file mode 100644 index 0000000000..fa9992e204 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-platform-minikube.yaml @@ -0,0 +1,6 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-platform-openshift.yaml new file mode 100644 index 0000000000..8ddc5e1654 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-platform-openshift.yaml @@ -0,0 +1,19 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The OpenShift profile provides a basic set of settings to run Istio on OpenShift +cni: + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + provider: "multus" +pilot: + cni: + enabled: true + provider: "multus" +seLinuxOptions: + type: spc_t +# Openshift requires privileged pods to run in kube-system +trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-preview.yaml new file mode 100644 index 0000000000..181d7bda2c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-preview.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +meshConfig: + defaultConfig: + proxyMetadata: + # Enable Istio agent to handle DNS requests for known hosts + # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf + ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-remote.yaml new file mode 100644 index 0000000000..d17b9a801a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-remote.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. +istiodRemote: + enabled: true +configMap: false +telemetry: + enabled: false +global: + # TODO BML maybe a different profile for a configcluster/revisit this + omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-stable.yaml new file mode 100644 index 0000000000..358282e69b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/files/profile-stable.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The stable profile deploys admission control to ensure that only stable resources and fields are used +# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE +experimental: + stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/templates/NOTES.txt new file mode 100644 index 0000000000..fd0142911a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/templates/NOTES.txt @@ -0,0 +1,9 @@ +"{{ include "gateway.name" . }}" successfully installed! + +To learn more about the release, try: + $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} + $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} + +Next steps: + * Deploy an HTTP Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/ingress-control/ + * Deploy an HTTPS Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/ diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/templates/_helpers.tpl new file mode 100644 index 0000000000..e5a0a9b3c2 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/templates/_helpers.tpl @@ -0,0 +1,40 @@ +{{- define "gateway.name" -}} +{{- if eq .Release.Name "RELEASE-NAME" -}} + {{- .Values.name | default "istio-ingressgateway" -}} +{{- else -}} + {{- .Values.name | default .Release.Name | default "istio-ingressgateway" -}} +{{- end -}} +{{- end }} + +{{- define "gateway.labels" -}} +{{ include "gateway.selectorLabels" . }} +{{- range $key, $val := .Values.labels }} +{{- if and (ne $key "app") (ne $key "istio") }} +{{ $key | quote }}: {{ $val | quote }} +{{- end }} +{{- end }} +{{- end }} + +{{- define "gateway.selectorLabels" -}} +app: {{ (.Values.labels.app | quote) | default (include "gateway.name" .) }} +istio: {{ (.Values.labels.istio | quote) | default (include "gateway.name" . | trimPrefix "istio-") }} +{{- end }} + +{{/* +Keep sidecar injection labels together +https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#controlling-the-injection-policy +*/}} +{{- define "gateway.sidecarInjectionLabels" -}} +sidecar.istio.io/inject: "true" +{{- with .Values.revision }} +istio.io/rev: {{ . | quote }} +{{- end }} +{{- end }} + +{{- define "gateway.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- .Values.serviceAccount.name | default (include "gateway.name" .) }} +{{- else }} +{{- .Values.serviceAccount.name | default "default" }} +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/templates/deployment.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/templates/deployment.yaml new file mode 100644 index 0000000000..1d8f93a472 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/templates/deployment.yaml @@ -0,0 +1,145 @@ +apiVersion: apps/v1 +kind: {{ .Values.kind | default "Deployment" }} +metadata: + name: {{ include "gateway.name" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} + {{- include "gateway.labels" . | nindent 4}} + annotations: + {{- .Values.annotations | toYaml | nindent 4 }} +spec: + {{- if not .Values.autoscaling.enabled }} + {{- if and (hasKey .Values "replicaCount") (ne .Values.replicaCount nil) }} + replicas: {{ .Values.replicaCount }} + {{- end }} + {{- end }} + {{- with .Values.strategy }} + strategy: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.minReadySeconds }} + minReadySeconds: {{ . }} + {{- end }} + selector: + matchLabels: + {{- include "gateway.selectorLabels" . | nindent 6 }} + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "gateway.sidecarInjectionLabels" . | nindent 8 }} + {{- include "gateway.selectorLabels" . | nindent 8 }} + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 8}} + {{- range $key, $val := .Values.labels }} + {{- if and (ne $key "app") (ne $key "istio") }} + {{ $key | quote }}: {{ $val | quote }} + {{- end }} + {{- end }} + {{- with .Values.networkGateway }} + topology.istio.io/network: "{{.}}" + {{- end }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "gateway.serviceAccountName" . }} + securityContext: + {{- if .Values.securityContext }} + {{- toYaml .Values.securityContext | nindent 8 }} + {{- else }} + # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326 + sysctls: + - name: net.ipv4.ip_unprivileged_port_start + value: "0" + {{- end }} + {{- with .Values.volumes }} + volumes: + {{ toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} + containers: + - name: istio-proxy + # "auto" will be populated at runtime by the mutating webhook. See https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#customizing-injection + image: auto + {{- with .Values.imagePullPolicy }} + imagePullPolicy: {{ . }} + {{- end }} + securityContext: + {{- if .Values.containerSecurityContext }} + {{- toYaml .Values.containerSecurityContext | nindent 12 }} + {{- else }} + capabilities: + drop: + - ALL + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + {{- if not (eq (.Values.platform | default "") "openshift") }} + runAsUser: 1337 + runAsGroup: 1337 + {{- end }} + runAsNonRoot: true + {{- end }} + env: + {{- with .Values.networkGateway }} + - name: ISTIO_META_REQUESTED_NETWORK_VIEW + value: "{{.}}" + {{- end }} + {{- range $key, $val := .Values.env }} + - name: {{ $key }} + value: {{ $val | quote }} + {{- end }} + {{- with .Values.envVarFrom }} + {{- toYaml . | nindent 10 }} + {{- end }} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + resources: + {{- toYaml .Values.resources | nindent 12 }} + {{- with .Values.volumeMounts }} + volumeMounts: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.readinessProbe }} + readinessProbe: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.lifecycle }} + lifecycle: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.additionalContainers }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml . | nindent 8 }} + {{- end }} + terminationGracePeriodSeconds: {{ $.Values.terminationGracePeriodSeconds }} + {{- with .Values.priorityClassName }} + priorityClassName: {{ . }} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/templates/hpa.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/templates/hpa.yaml new file mode 100644 index 0000000000..64ecb6a4cd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/templates/hpa.yaml @@ -0,0 +1,40 @@ +{{- if and (.Values.autoscaling.enabled) (eq .Values.kind "Deployment") }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "gateway.name" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} + {{- include "gateway.labels" . | nindent 4 }} + annotations: + {{- .Values.annotations | toYaml | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: {{ .Values.kind | default "Deployment" }} + name: {{ include "gateway.name" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + metrics: + {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} + type: Utilization + {{- end }} + {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} + type: Utilization + {{- end }} + {{- if .Values.autoscaling.autoscaleBehavior }} + behavior: {{ toYaml .Values.autoscaling.autoscaleBehavior | nindent 4 }} + {{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/templates/poddisruptionbudget.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/templates/poddisruptionbudget.yaml new file mode 100644 index 0000000000..91869a0ead --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/templates/poddisruptionbudget.yaml @@ -0,0 +1,21 @@ +{{- if .Values.podDisruptionBudget }} +# a workaround for https://github.com/kubernetes/kubernetes/issues/93476 +{{- if or (and .Values.autoscaling.enabled (gt (int .Values.autoscaling.minReplicas) 1)) (and (not .Values.autoscaling.enabled) (gt (int .Values.replicaCount) 1)) }} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "gateway.name" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} + {{- include "gateway.labels" . | nindent 4}} +spec: + selector: + matchLabels: + {{- include "gateway.selectorLabels" . | nindent 6 }} + {{- with .Values.podDisruptionBudget }} + {{- toYaml . | nindent 2 }} + {{- end }} +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/templates/role.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/templates/role.yaml new file mode 100644 index 0000000000..3d16079632 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/templates/role.yaml @@ -0,0 +1,37 @@ +{{/*Set up roles for Istio Gateway. Not required for gateway-api*/}} +{{- if .Values.rbac.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "gateway.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} + {{- include "gateway.labels" . | nindent 4}} + annotations: + {{- .Values.annotations | toYaml | nindent 4 }} +rules: +- apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "watch", "list"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "gateway.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} + {{- include "gateway.labels" . | nindent 4}} + annotations: + {{- .Values.annotations | toYaml | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "gateway.serviceAccountName" . }} +subjects: +- kind: ServiceAccount + name: {{ include "gateway.serviceAccountName" . }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/templates/service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/templates/service.yaml new file mode 100644 index 0000000000..3e28418f7b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/templates/service.yaml @@ -0,0 +1,69 @@ +{{- if not (eq .Values.service.type "None") }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "gateway.name" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} + {{- include "gateway.labels" . | nindent 4 }} + {{- with .Values.networkGateway }} + topology.istio.io/network: "{{.}}" + {{- end }} + annotations: + {{- merge (deepCopy .Values.service.annotations) .Values.annotations | toYaml | nindent 4 }} +spec: +{{- with .Values.service.loadBalancerIP }} + loadBalancerIP: "{{ . }}" +{{- end }} +{{- if eq .Values.service.type "LoadBalancer" }} + {{- if hasKey .Values.service "allocateLoadBalancerNodePorts" }} + allocateLoadBalancerNodePorts: {{ .Values.service.allocateLoadBalancerNodePorts }} + {{- end }} + {{- if hasKey .Values.service "loadBalancerClass" }} + loadBalancerClass: {{ .Values.service.loadBalancerClass }} + {{- end }} +{{- end }} +{{- if .Values.service.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.service.ipFamilyPolicy }} +{{- end }} +{{- if .Values.service.ipFamilies }} + ipFamilies: +{{- range .Values.service.ipFamilies }} + - {{ . }} +{{- end }} +{{- end }} +{{- with .Values.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml . | indent 4 }} +{{- end }} +{{- with .Values.service.externalTrafficPolicy }} + externalTrafficPolicy: "{{ . }}" +{{- end }} + type: {{ .Values.service.type }} + ports: +{{- if .Values.networkGateway }} + - name: status-port + port: 15021 + targetPort: 15021 + - name: tls + port: 15443 + targetPort: 15443 + - name: tls-istiod + port: 15012 + targetPort: 15012 + - name: tls-webhook + port: 15017 + targetPort: 15017 +{{- else }} +{{ .Values.service.ports | toYaml | indent 4 }} +{{- end }} +{{- if .Values.service.externalIPs }} + externalIPs: {{- range .Values.service.externalIPs }} + - {{.}} + {{- end }} +{{- end }} + selector: + {{- include "gateway.selectorLabels" . | nindent 4 }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/templates/serviceaccount.yaml new file mode 100644 index 0000000000..c88afeadd3 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/templates/serviceaccount.yaml @@ -0,0 +1,15 @@ +{{- if .Values.serviceAccount.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "gateway.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} + {{- include "gateway.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/templates/zzz_profile.yaml new file mode 100644 index 0000000000..606c556697 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/templates/zzz_profile.yaml @@ -0,0 +1,75 @@ +{{/* +WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. +The original version of this file is located at /manifests directory. +If you want to make a change in this file, edit the original one and run "make gen". + +Complex logic ahead... +We have three sets of values, in order of precedence (last wins): +1. The builtin values.yaml defaults +2. The profile the user selects +3. Users input (-f or --set) + +Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). + +However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). +We can then merge the profile onto the defaults, then the user settings onto that. +Finally, we can set all of that under .Values so the chart behaves without awareness. +*/}} +{{- if $.Values.defaults}} +{{ fail (cat + "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" + ($.Values.defaults | toYaml |nindent 4) +) }} +{{- end }} +{{- $defaults := $.Values._internal_defaults_do_not_set }} +{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} +{{- $profile := dict }} +{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} +{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} +{{- $profile = (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown profile" .) }} +{{- end }} +{{- end }} +{{- with .Values.compatibilityVersion }} +{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} +{{- end }} +{{- end }} +{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} +{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown platform" .) }} +{{- end }} +{{- end }} +{{- if $profile }} +{{- $a := mustMergeOverwrite $defaults $profile }} +{{- end }} +# Flatten globals, if defined on a per-chart basis +{{- if true }} +{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} +{{- end }} +{{- $x := set $.Values "_original" (deepCopy $.Values) }} +{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} + +{{/* +Labels that should be applied to ALL resources. +*/}} +{{- define "istio.labels" -}} +{{- if .Release.Service -}} +app.kubernetes.io/managed-by: {{ .Release.Service | quote }} +{{- end }} +{{- if .Release.Name }} +app.kubernetes.io/instance: {{ .Release.Name | quote }} +{{- end }} +app.kubernetes.io/part-of: "istio" +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +{{- if and .Chart.Name .Chart.Version }} +helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/values.schema.json b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/values.schema.json new file mode 100644 index 0000000000..bcbb30ccc8 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/values.schema.json @@ -0,0 +1,353 @@ +{ + "$schema": "http://json-schema.org/schema#", + "$defs": { + "values": { + "type": "object", + "additionalProperties": false, + "properties": { + "_internal_defaults_do_not_set": { + "type": "object" + }, + "global": { + "type": "object" + }, + "affinity": { + "type": "object" + }, + "securityContext": { + "type": [ + "object", + "null" + ] + }, + "containerSecurityContext": { + "type": [ + "object", + "null" + ] + }, + "kind": { + "type": "string", + "enum": [ + "Deployment", + "DaemonSet" + ] + }, + "annotations": { + "additionalProperties": { + "type": [ + "string", + "integer" + ] + }, + "type": "object" + }, + "autoscaling": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "maxReplicas": { + "type": "integer" + }, + "minReplicas": { + "type": "integer" + }, + "targetCPUUtilizationPercentage": { + "type": "integer" + } + } + }, + "env": { + "type": "object" + }, + "envVarFrom": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { "type": "string" }, + "valueFrom": { "type": "object" } + } + } + }, + "strategy": { + "type": "object" + }, + "minReadySeconds": { + "type": [ "null", "integer" ] + }, + "readinessProbe": { + "type": [ "null", "object" ] + }, + "labels": { + "type": "object" + }, + "name": { + "type": "string" + }, + "nodeSelector": { + "type": "object" + }, + "podAnnotations": { + "type": "object", + "properties": { + "inject.istio.io/templates": { + "type": "string" + }, + "prometheus.io/path": { + "type": "string" + }, + "prometheus.io/port": { + "type": "string" + }, + "prometheus.io/scrape": { + "type": "string" + } + } + }, + "replicaCount": { + "type": [ + "integer", + "null" + ] + }, + "resources": { + "type": "object", + "properties": { + "limits": { + "type": "object", + "properties": { + "cpu": { + "type": ["string", "null"] + }, + "memory": { + "type": ["string", "null"] + } + } + }, + "requests": { + "type": "object", + "properties": { + "cpu": { + "type": ["string", "null"] + }, + "memory": { + "type": ["string", "null"] + } + } + } + } + }, + "revision": { + "type": "string" + }, + "defaultRevision": { + "type": "string" + }, + "compatibilityVersion": { + "type": "string" + }, + "profile": { + "type": "string" + }, + "platform": { + "type": "string" + }, + "pilot": { + "type": "object" + }, + "runAsRoot": { + "type": "boolean" + }, + "unprivilegedPort": { + "type": [ + "string", + "boolean" + ], + "enum": [ + true, + false, + "auto" + ] + }, + "service": { + "type": "object", + "properties": { + "annotations": { + "type": "object" + }, + "externalTrafficPolicy": { + "type": "string" + }, + "loadBalancerIP": { + "type": "string" + }, + "loadBalancerSourceRanges": { + "type": "array" + }, + "ipFamilies": { + "items": { + "type": "string", + "enum": [ + "IPv4", + "IPv6" + ] + } + }, + "ipFamilyPolicy": { + "type": "string", + "enum": [ + "", + "SingleStack", + "PreferDualStack", + "RequireDualStack" + ] + }, + "ports": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "port": { + "type": "integer" + }, + "protocol": { + "type": "string" + }, + "targetPort": { + "type": "integer" + } + } + } + }, + "type": { + "type": "string" + } + } + }, + "serviceAccount": { + "type": "object", + "properties": { + "annotations": { + "type": "object" + }, + "name": { + "type": "string" + }, + "create": { + "type": "boolean" + } + } + }, + "rbac": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, + "tolerations": { + "type": "array" + }, + "topologySpreadConstraints": { + "type": "array" + }, + "networkGateway": { + "type": "string" + }, + "imagePullPolicy": { + "type": "string", + "enum": [ + "", + "Always", + "IfNotPresent", + "Never" + ] + }, + "imagePullSecrets": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + } + } + } + }, + "podDisruptionBudget": { + "type": "object", + "properties": { + "minAvailable": { + "type": [ + "integer", + "string" + ] + }, + "maxUnavailable": { + "type": [ + "integer", + "string" + ] + }, + "unhealthyPodEvictionPolicy": { + "type": "string", + "enum": [ + "", + "IfHealthyBudget", + "AlwaysAllow" + ] + } + } + }, + "terminationGracePeriodSeconds": { + "type": "number" + }, + "volumes": { + "type": "array", + "items": { + "type": "object" + } + }, + "volumeMounts": { + "type": "array", + "items": { + "type": "object" + } + }, + "initContainers": { + "type": "array", + "items": { "type": "object" } + }, + "additionalContainers": { + "type": "array", + "items": { "type": "object" } + }, + "priorityClassName": { + "type": "string" + }, + "lifecycle": { + "type": "object", + "properties": { + "postStart": { + "type": "object" + }, + "preStop": { + "type": "object" + } + } + } + } + } + }, + "defaults": { + "$ref": "#/$defs/values" + }, + "$ref": "#/$defs/values" +} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/values.yaml new file mode 100644 index 0000000000..454d2a4d2b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/gateway/values.yaml @@ -0,0 +1,195 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + # Name allows overriding the release name. Generally this should not be set + name: "" + # revision declares which revision this gateway is a part of + revision: "" + + # Controls the spec.replicas setting for the Gateway deployment if set. + # Otherwise defaults to Kubernetes Deployment default (1). + replicaCount: + + kind: Deployment + + rbac: + # If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed + # when using http://gateway-api.org/. + enabled: true + + serviceAccount: + # If set, a service account will be created. Otherwise, the default is used + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set, the release name is used + name: "" + + podAnnotations: + prometheus.io/port: "15020" + prometheus.io/scrape: "true" + prometheus.io/path: "/stats/prometheus" + inject.istio.io/templates: "gateway" + sidecar.istio.io/inject: "true" + + # Define the security context for the pod. + # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. + # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. + securityContext: {} + containerSecurityContext: {} + + service: + # Type of service. Set to "None" to disable the service entirely + type: LoadBalancer + ports: + - name: status-port + port: 15021 + protocol: TCP + targetPort: 15021 + - name: http2 + port: 80 + protocol: TCP + targetPort: 80 + - name: https + port: 443 + protocol: TCP + targetPort: 443 + annotations: {} + loadBalancerIP: "" + loadBalancerSourceRanges: [] + externalTrafficPolicy: "" + externalIPs: [] + ipFamilyPolicy: "" + ipFamilies: [] + ## Whether to automatically allocate NodePorts (only for LoadBalancers). + # allocateLoadBalancerNodePorts: false + ## Set LoadBalancer class (only for LoadBalancers). + # loadBalancerClass: "" + + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 1024Mi + + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 5 + targetCPUUtilizationPercentage: 80 + targetMemoryUtilizationPercentage: {} + autoscaleBehavior: {} + + # Pod environment variables + env: {} + + # Use envVarFrom to define full environment variable entries with complex sources, + # such as valueFrom.secretKeyRef, valueFrom.configMapKeyRef. Each item must include a `name` and `valueFrom`. + # + # Example: + # envVarFrom: + # - name: EXAMPLE_SECRET + # valueFrom: + # secretKeyRef: + # name: example-name + # key: example-key + envVarFrom: [] + + # Deployment Update strategy + strategy: {} + + # Sets the Deployment minReadySeconds value + minReadySeconds: + + # Optionally configure a custom readinessProbe. By default the control plane + # automatically injects the readinessProbe. If you wish to override that + # behavior, you may define your own readinessProbe here. + readinessProbe: {} + + # Labels to apply to all resources + labels: + # By default, don't enroll gateways into the ambient dataplane + "istio.io/dataplane-mode": none + + # Annotations to apply to all resources + annotations: {} + + nodeSelector: {} + + tolerations: [] + + topologySpreadConstraints: [] + + affinity: {} + + # If specified, the gateway will act as a network gateway for the given network. + networkGateway: "" + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent + imagePullPolicy: "" + + imagePullSecrets: [] + + # This value is used to configure a Kubernetes PodDisruptionBudget for the gateway. + # + # By default, the `podDisruptionBudget` is disabled (set to `{}`), + # which means that no PodDisruptionBudget resource will be created. + # + # The PodDisruptionBudget can be only enabled if autoscaling is enabled + # with minReplicas > 1 or if autoscaling is disabled but replicaCount > 1. + # + # To enable the PodDisruptionBudget, configure it by specifying the + # `minAvailable` or `maxUnavailable`. For example, to set the + # minimum number of available replicas to 1, you can update this value as follows: + # + # podDisruptionBudget: + # minAvailable: 1 + # + # Or, to allow a maximum of 1 unavailable replica, you can set: + # + # podDisruptionBudget: + # maxUnavailable: 1 + # + # You can also specify the `unhealthyPodEvictionPolicy` field, and the valid values are `IfHealthyBudget` and `AlwaysAllow`. + # For example, to set the `unhealthyPodEvictionPolicy` to `AlwaysAllow`, you can update this value as follows: + # + # podDisruptionBudget: + # minAvailable: 1 + # unhealthyPodEvictionPolicy: AlwaysAllow + # + # To disable the PodDisruptionBudget, you can leave it as an empty object `{}`: + # + # podDisruptionBudget: {} + # + podDisruptionBudget: {} + + # Sets the per-pod terminationGracePeriodSeconds setting. + terminationGracePeriodSeconds: 30 + + # A list of `Volumes` added into the Gateway Pods. See + # https://kubernetes.io/docs/concepts/storage/volumes/. + volumes: [] + + # A list of `VolumeMounts` added into the Gateway Pods. See + # https://kubernetes.io/docs/concepts/storage/volumes/. + volumeMounts: [] + + # Inject initContainers into the Gateway Pods. + initContainers: [] + + # Inject additional containers into the Gateway Pods. + additionalContainers: [] + + # Configure this to a higher priority class in order to make sure your Istio gateway pods + # will not be killed because of low priority class. + # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + # for more detail. + priorityClassName: "" + + # Configure the lifecycle hooks for the gateway. See + # https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/. + lifecycle: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/Chart.yaml new file mode 100644 index 0000000000..937648f120 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/Chart.yaml @@ -0,0 +1,12 @@ +apiVersion: v2 +appVersion: 1.27.3 +description: Helm chart for istio control plane +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio +- istiod +- istio-discovery +name: istiod +sources: +- https://github.com/istio/istio +version: 1.27.3 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/README.md new file mode 100644 index 0000000000..ddbfbc8fec --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/README.md @@ -0,0 +1,73 @@ +# Istiod Helm Chart + +This chart installs an Istiod deployment. + +## Setup Repo Info + +```console +helm repo add istio https://istio-release.storage.googleapis.com/charts +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Installing the Chart + +Before installing, ensure CRDs are installed in the cluster (from the `istio/base` chart). + +To install the chart with the release name `istiod`: + +```console +kubectl create namespace istio-system +helm install istiod istio/istiod --namespace istio-system +``` + +## Uninstalling the Chart + +To uninstall/delete the `istiod` deployment: + +```console +helm delete istiod --namespace istio-system +``` + +## Configuration + +To view support configuration options and documentation, run: + +```console +helm show values istio/istiod +``` + +### Profiles + +Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. +These can be set with `--set profile=`. +For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. + +For consistency, the same profiles are used across each chart, even if they do not impact a given chart. + +Explicitly set values have highest priority, then profile settings, then chart defaults. + +As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. +When configuring the chart, you should not include this. +That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. + +### Examples + +#### Configuring mesh configuration settings + +Any [Mesh Config](https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/) options can be configured like below: + +```yaml +meshConfig: + accessLogFile: /dev/stdout +``` + +#### Revisions + +Control plane revisions allow deploying multiple versions of the control plane in the same cluster. +This allows safe [canary upgrades](https://istio.io/latest/docs/setup/upgrade/canary/) + +```yaml +revision: my-revision-name +``` diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/gateway-injection-template.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/gateway-injection-template.yaml new file mode 100644 index 0000000000..bc15ee3c31 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/gateway-injection-template.yaml @@ -0,0 +1,274 @@ +{{- $containers := list }} +{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} +metadata: + labels: + service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} + service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} + annotations: + istio.io/rev: {{ .Revision | default "default" | quote }} + {{- if ge (len $containers) 1 }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} + kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}" + {{- end }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}" + {{- end }} + {{- end }} +spec: + securityContext: + {{- if .Values.gateways.securityContext }} + {{- toYaml .Values.gateways.securityContext | nindent 4 }} + {{- else }} + sysctls: + - name: net.ipv4.ip_unprivileged_port_start + value: "0" + {{- end }} + containers: + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - router + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} + - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} + {{- end }} + securityContext: + runAsUser: {{ .ProxyUID | default "1337" }} + runAsGroup: {{ .ProxyGID | default "1337" }} + env: + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + {{- if .CompliancePolicy }} + - name: COMPLIANCE_POLICY + value: "{{ .CompliancePolicy }}" + {{- end }} + - name: ISTIO_META_APP_CONTAINERS + value: "{{ $containers | join "," }}" + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ .ProxyConfig.InterceptionMode.String }}" + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{- if .DeploymentMeta.Name }} + - name: ISTIO_META_WORKLOAD_NAME + value: "{{ .DeploymentMeta.Name }}" + {{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: ISTIO_BOOTSTRAP_OVERRIDE + value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" + {{- end }} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + readinessProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }} + timeoutSeconds: 3 + failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }} + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + - name: credential-socket + mountPath: /var/run/secrets/credential-uds + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - mountPath: /etc/istio/custom-bootstrap + name: custom-bootstrap-volume + {{- end }} + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + volumes: + - emptyDir: + name: workload-socket + - emptyDir: {} + name: credential-socket + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- else}} + - emptyDir: {} + name: workload-certs + {{- end }} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: custom-bootstrap-volume + configMap: + name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - name: istio-certs + secret: + optional: true + {{ if eq .Spec.ServiceAccountName "" }} + secretName: istio.default + {{ else -}} + secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} + {{ end -}} + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/grpc-agent.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/grpc-agent.yaml new file mode 100644 index 0000000000..6e3102e4c8 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/grpc-agent.yaml @@ -0,0 +1,318 @@ +{{- define "resources" }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} + requests: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" + {{ end }} + {{- end }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + limits: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" + {{ end }} + {{- end }} + {{- else }} + {{- if .Values.global.proxy.resources }} + {{ toYaml .Values.global.proxy.resources | indent 6 }} + {{- end }} + {{- end }} +{{- end }} +{{- $containers := list }} +{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} +metadata: + labels: + {{/* security.istio.io/tlsMode: istio must be set by user, if gRPC is using mTLS initialization code. We can't set it automatically. */}} + service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} + service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} + annotations: { + istio.io/rev: {{ .Revision | default "default" | quote }}, + {{- if ge (len $containers) 1 }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} + kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", + {{- end }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", + {{- end }} + {{- end }} + sidecar.istio.io/rewriteAppHTTPProbers: "false", + } +spec: + containers: + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + ports: + - containerPort: 15020 + protocol: TCP + name: mesh-metrics + args: + - proxy + - sidecar + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} + - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + lifecycle: + postStart: + exec: + command: + - pilot-agent + - wait + - --url=http://localhost:15020/healthz/ready + env: + - name: ISTIO_META_GENERATOR + value: grpc + - name: OUTPUT_CERTS + value: /var/lib/istio/data + {{- if eq .InboundTrafficPolicyMode "localhost" }} + - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION + value: "true" + {{- end }} + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: ISTIO_META_APP_CONTAINERS + value: "{{ $containers | join "," }}" + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{- if .DeploymentMeta.Name }} + - name: ISTIO_META_WORKLOAD_NAME + value: "{{ .DeploymentMeta.Name }}" + {{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + # grpc uses xds:/// to resolve – no need to resolve VIP + - name: ISTIO_META_DNS_CAPTURE + value: "false" + - name: DISABLE_ENVOY + value: "true" + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} + readinessProbe: + httpGet: + path: /healthz/ready + port: 15020 + initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} + timeoutSeconds: 3 + failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} + resources: + {{ template "resources" . }} + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + # UDS channel between istioagent and gRPC client for XDS/SDS + - mountPath: /etc/istio/proxy + name: istio-xds + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} + {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 6 }} + {{ end }} + {{- end }} +{{- range $index, $container := .Spec.Containers }} +{{ if not (eq $container.Name "istio-proxy") }} + - name: {{ $container.Name }} + env: + - name: "GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT" + value: "true" + - name: "GRPC_XDS_BOOTSTRAP" + value: "/etc/istio/proxy/grpc-bootstrap.json" + volumeMounts: + - mountPath: /var/lib/istio/data + name: istio-data + # UDS channel between istioagent and gRPC client for XDS/SDS + - mountPath: /etc/istio/proxy + name: istio-xds + {{- if eq $.Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} +{{- end }} +{{- end }} + volumes: + - emptyDir: + name: workload-socket + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- else }} + - emptyDir: + name: workload-certs + {{- end }} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: custom-bootstrap-volume + configMap: + name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-xds + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - name: istio-certs + secret: + optional: true + {{ if eq .Spec.ServiceAccountName "" }} + secretName: istio.default + {{ else -}} + secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} + {{ end -}} + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} + {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 4 }} + {{ end }} + {{ end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/grpc-simple.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/grpc-simple.yaml new file mode 100644 index 0000000000..9ba0c7a46a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/grpc-simple.yaml @@ -0,0 +1,65 @@ +metadata: + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "false" +spec: + initContainers: + - name: grpc-bootstrap-init + image: busybox:1.28 + volumeMounts: + - mountPath: /var/lib/grpc/data/ + name: grpc-io-proxyless-bootstrap + env: + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: ISTIO_NAMESPACE + value: | + {{ .Values.global.istioNamespace }} + command: + - sh + - "-c" + - |- + NODE_ID="sidecar~${INSTANCE_IP}~${POD_NAME}.${POD_NAMESPACE}~cluster.local" + SERVER_URI="dns:///istiod.${ISTIO_NAMESPACE}.svc:15010" + echo ' + { + "xds_servers": [ + { + "server_uri": "'${SERVER_URI}'", + "channel_creds": [{"type": "insecure"}], + "server_features" : ["xds_v3"] + } + ], + "node": { + "id": "'${NODE_ID}'", + "metadata": { + "GENERATOR": "grpc" + } + } + }' > /var/lib/grpc/data/bootstrap.json + containers: + {{- range $index, $container := .Spec.Containers }} + - name: {{ $container.Name }} + env: + - name: GRPC_XDS_BOOTSTRAP + value: /var/lib/grpc/data/bootstrap.json + - name: GRPC_GO_LOG_VERBOSITY_LEVEL + value: "99" + - name: GRPC_GO_LOG_SEVERITY_LEVEL + value: info + volumeMounts: + - mountPath: /var/lib/grpc/data/ + name: grpc-io-proxyless-bootstrap + {{- end }} + volumes: + - name: grpc-io-proxyless-bootstrap + emptyDir: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/injection-template.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/injection-template.yaml new file mode 100644 index 0000000000..df04baf847 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/injection-template.yaml @@ -0,0 +1,541 @@ +{{- define "resources" }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} + requests: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" + {{ end }} + {{- end }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + limits: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" + {{ end }} + {{- end }} + {{- else }} + {{- if .Values.global.proxy.resources }} + {{ toYaml .Values.global.proxy.resources | indent 6 }} + {{- end }} + {{- end }} +{{- end }} +{{ $tproxy := (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) }} +{{ $capNetBindService := (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) }} +{{ $nativeSidecar := ne (index .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar` | default (printf "%t" .NativeSidecars)) "false" }} +{{- $containers := list }} +{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} +metadata: + labels: + security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }} + {{- if eq (index .ProxyConfig.ProxyMetadata "ISTIO_META_ENABLE_HBONE") "true" }} + networking.istio.io/tunnel: {{ index .ObjectMeta.Labels `networking.istio.io/tunnel` | default "http" | quote }} + {{- end }} + service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | trunc 63 | trimSuffix "-" | quote }} + service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} + annotations: { + istio.io/rev: {{ .Revision | default "default" | quote }}, + {{- if ge (len $containers) 1 }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} + kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", + {{- end }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", + {{- end }} + {{- end }} +{{- if .Values.pilot.cni.enabled }} + {{- if eq .Values.pilot.cni.provider "multus" }} + k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `default/istio-cni` }}', + {{- end }} + sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}", + {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }} + {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }} + traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}", + traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}", + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }} + traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}", + {{- end }} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} + traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}", + {{- end }} + {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }} + {{ with index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}istio.io/reroute-virtual-interfaces: "{{.}}",{{ end }} + {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}traffic.sidecar.istio.io/excludeInterfaces: "{{.}}",{{ end }} +{{- end }} + } +spec: + {{- $holdProxy := and + (or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts) + (not $nativeSidecar) }} + {{- $noInitContainer := and + (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE`) + (not $nativeSidecar) }} + {{ if $noInitContainer }} + initContainers: [] + {{ else -}} + initContainers: + {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} + {{ if .Values.pilot.cni.enabled -}} + - name: istio-validation + {{ else -}} + - name: istio-init + {{ end -}} + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + args: + - istio-iptables + - "-p" + - {{ .MeshConfig.ProxyListenPort | default "15001" | quote }} + - "-z" + - {{ .MeshConfig.ProxyInboundListenPort | default "15006" | quote }} + - "-u" + - {{ if $tproxy }} "1337" {{ else }} {{ .ProxyUID | default "1337" | quote }} {{ end }} + - "-m" + - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" + - "-i" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" + - "-x" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" + - "-b" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}" + - "-d" + {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }} + - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" + {{- else }} + - "15090,15021" + {{- end }} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}} + - "-q" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" + {{ end -}} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} + - "-o" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" + {{ end -}} + {{ if (isset .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces`) -}} + - "-k" + - "{{ index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}" + {{ else if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} + - "-k" + - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" + {{ end -}} + {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces`) -}} + - "-c" + - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}" + {{ end -}} + - "--log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}" + {{ if .Values.global.logAsJson -}} + - "--log_as_json" + {{ end -}} + {{ if .Values.pilot.cni.enabled -}} + - "--run-validation" + - "--skip-rule-apply" + {{ else if .Values.global.proxy_init.forceApplyIptables -}} + - "--force-apply" + {{ end -}} + {{ if .Values.global.nativeNftables -}} + - "--native-nftables" + {{ end -}} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + {{- if .ProxyConfig.ProxyMetadata }} + env: + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + resources: + {{ template "resources" . }} + securityContext: + allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} + privileged: {{ .Values.global.proxy.privileged }} + capabilities: + {{- if not .Values.pilot.cni.enabled }} + add: + - NET_ADMIN + - NET_RAW + {{- end }} + drop: + - ALL + {{- if not .Values.pilot.cni.enabled }} + readOnlyRootFilesystem: false + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + {{- else }} + readOnlyRootFilesystem: true + runAsGroup: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyGID | default "1337" }} {{ end }} + runAsUser: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyUID | default "1337" }} {{ end }} + runAsNonRoot: true + {{- end }} + {{ end -}} + {{ end -}} + {{ if not $nativeSidecar }} + containers: + {{ end }} + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + {{ if $nativeSidecar }}restartPolicy: Always{{end}} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - sidecar + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} + - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.outlierLogPath }} + - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }} + {{- end}} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} + {{- else if $holdProxy }} + lifecycle: + postStart: + exec: + command: + - pilot-agent + - wait + {{- else if $nativeSidecar }} + {{- /* preStop is called when the pod starts shutdown. Initialize drain. We will get SIGTERM once applications are torn down. */}} + lifecycle: + preStop: + exec: + command: + - pilot-agent + - request + - --debug-port={{(annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort)}} + - POST + - drain + {{- end }} + env: + {{- if eq .InboundTrafficPolicyMode "localhost" }} + - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION + value: "true" + {{- end }} + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: ISTIO_META_APP_CONTAINERS + value: "{{ $containers | join "," }}" + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + {{- if .CompliancePolicy }} + - name: COMPLIANCE_POLICY + value: "{{ .CompliancePolicy }}" + {{- end }} + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{- with (index .ObjectMeta.Labels `service.istio.io/workload-name` | default .DeploymentMeta.Name) }} + - name: ISTIO_META_WORKLOAD_NAME + value: "{{ . }}" + {{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: ISTIO_BOOTSTRAP_OVERRIDE + value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" + {{- end }} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} + {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} + {{ if .Values.global.proxy.startupProbe.enabled }} + startupProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: 0 + periodSeconds: 1 + timeoutSeconds: 3 + failureThreshold: {{ .Values.global.proxy.startupProbe.failureThreshold }} + {{ end }} + readinessProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} + timeoutSeconds: 3 + failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} + {{ end -}} + securityContext: + {{- if eq (index .ProxyConfig.ProxyMetadata "IPTABLES_TRACE_LOGGING") "true" }} + allowPrivilegeEscalation: true + capabilities: + add: + - NET_ADMIN + drop: + - ALL + privileged: true + readOnlyRootFilesystem: true + runAsGroup: {{ .ProxyGID | default "1337" }} + runAsNonRoot: false + runAsUser: 0 + {{- else }} + allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} + capabilities: + {{ if or $tproxy $capNetBindService -}} + add: + {{ if $tproxy -}} + - NET_ADMIN + {{- end }} + {{ if $capNetBindService -}} + - NET_BIND_SERVICE + {{- end }} + {{- end }} + drop: + - ALL + privileged: {{ .Values.global.proxy.privileged }} + readOnlyRootFilesystem: true + {{ if or $tproxy $capNetBindService -}} + runAsNonRoot: false + runAsUser: 0 + runAsGroup: 1337 + {{- else -}} + runAsNonRoot: true + runAsUser: {{ .ProxyUID | default "1337" }} + runAsGroup: {{ .ProxyGID | default "1337" }} + {{- end }} + {{- end }} + resources: + {{ template "resources" . }} + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + - name: credential-socket + mountPath: /var/run/secrets/credential-uds + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + - mountPath: /var/run/secrets/istio/crl + name: istio-ca-crl + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - mountPath: /etc/istio/custom-bootstrap + name: custom-bootstrap-volume + {{- end }} + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} + - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }} + name: lightstep-certs + readOnly: true + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} + {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 6 }} + {{ end }} + {{- end }} + volumes: + - emptyDir: + name: workload-socket + - emptyDir: + name: credential-socket + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- else }} + - emptyDir: + name: workload-certs + {{- end }} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: custom-bootstrap-volume + configMap: + name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + {{- end }} + - name: istio-ca-crl + configMap: + name: istio-ca-crl + optional: true + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - name: istio-certs + secret: + optional: true + {{ if eq .Spec.ServiceAccountName "" }} + secretName: istio.default + {{ else -}} + secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} + {{ end -}} + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} + {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 4 }} + {{ end }} + {{ end }} + {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} + - name: lightstep-certs + secret: + optional: true + secretName: lightstep.cacert + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/kube-gateway.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/kube-gateway.yaml new file mode 100644 index 0000000000..616fb42c71 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/kube-gateway.yaml @@ -0,0 +1,401 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{.ServiceAccount | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + {{- if ge .KubeVersion 128 }} + # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" + {{- end }} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.istio.io/managed" "istio.io-gateway-controller" + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: "{{.UID}}" +spec: + selector: + matchLabels: + "{{.GatewayNameLabel}}": {{.Name}} + template: + metadata: + annotations: + {{- toJsonMap + (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") + (strdict "istio.io/rev" (.Revision | default "default")) + (strdict + "prometheus.io/path" "/stats/prometheus" + "prometheus.io/port" "15020" + "prometheus.io/scrape" "true" + ) | nindent 8 }} + labels: + {{- toJsonMap + (strdict + "sidecar.istio.io/inject" "false" + "service.istio.io/canonical-name" .DeploymentName + "service.istio.io/canonical-revision" "latest" + ) + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.istio.io/managed" "istio.io-gateway-controller" + ) | nindent 8 }} + spec: + securityContext: + {{- if .Values.gateways.securityContext }} + {{- toYaml .Values.gateways.securityContext | nindent 8 }} + {{- else }} + sysctls: + - name: net.ipv4.ip_unprivileged_port_start + value: "0" + {{- if .Values.gateways.seccompProfile }} + seccompProfile: + {{- toYaml .Values.gateways.seccompProfile | nindent 10 }} + {{- end }} + {{- end }} + serviceAccountName: {{.ServiceAccount | quote}} + containers: + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + {{- if .Values.global.proxy.resources }} + resources: + {{- toYaml .Values.global.proxy.resources | nindent 10 }} + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + securityContext: + capabilities: + drop: + - ALL + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsUser: {{ .ProxyUID | default "1337" }} + runAsGroup: {{ .ProxyGID | default "1337" }} + runAsNonRoot: true + ports: + - containerPort: 15020 + name: metrics + protocol: TCP + - containerPort: 15021 + name: status-port + protocol: TCP + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - router + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} + - --proxyComponentLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} + - --log_output_level + - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{- toYaml .Values.global.proxy.lifecycle | nindent 10 }} + {{- end }} + env: + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: "[]" + - name: ISTIO_META_APP_CONTAINERS + value: "" + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName .ClusterID }}" + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ .ProxyConfig.InterceptionMode.String }}" + {{- with (valueOrDefault (index .InfrastructureLabels "topology.istio.io/network") .Values.global.network) }} + - name: ISTIO_META_NETWORK + value: {{.|quote}} + {{- end }} + - name: ISTIO_META_WORKLOAD_NAME + value: {{.DeploymentName|quote}} + - name: ISTIO_META_OWNER + value: "kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}}" + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- with (index .InfrastructureLabels "topology.istio.io/network") }} + - name: ISTIO_META_REQUESTED_NETWORK_VIEW + value: {{.|quote}} + {{- end }} + startupProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 1 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + failureThreshold: 4 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 0 + periodSeconds: 15 + successThreshold: 1 + timeoutSeconds: 1 + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + - name: credential-socket + mountPath: /var/run/secrets/credential-uds + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + - name: istio-podinfo + mountPath: /etc/istio/pod + volumes: + - emptyDir: {} + name: workload-socket + - emptyDir: {} + name: credential-socket + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- else}} + - emptyDir: {} + name: workload-certs + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + {{- if eq ((.Values.pilot).env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +--- +apiVersion: v1 +kind: Service +metadata: + annotations: + {{ toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: {{.UID}} +spec: + ipFamilyPolicy: PreferDualStack + ports: + {{- range $key, $val := .Ports }} + - name: {{ $val.Name | quote }} + port: {{ $val.Port }} + protocol: TCP + appProtocol: {{ $val.AppProtocol }} + {{- end }} + selector: + "{{.GatewayNameLabel}}": {{.Name}} + {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} + loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} + {{- end }} + type: {{ .ServiceType | quote }} +--- +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: "{{.UID}}" +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{.DeploymentName | quote}} + maxReplicas: 1 +--- +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: "{{.UID}}" +spec: + selector: + matchLabels: + gateway.networking.k8s.io/gateway-name: {{.Name|quote}} + diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-ambient.yaml new file mode 100644 index 0000000000..495fbcd434 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-ambient.yaml @@ -0,0 +1,24 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" + serviceScopeConfigs: + - servicesSelector: + matchExpressions: + - key: istio.io/global + operator: In + values: ["true"] + scope: GLOBAL +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 0000000000..4f3dbef7ea --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-compatibility-version-1.24.yaml @@ -0,0 +1,15 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + PILOT_ENABLE_IP_AUTOALLOCATE: "false" + # 1.27 behavioral changes + ENABLE_NATIVE_SIDECARS: "false" +ambient: + dnsCapture: false + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..b2f45948c2 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,11 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.27 behavioral changes + ENABLE_NATIVE_SIDECARS: "false" +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-compatibility-version-1.26.yaml new file mode 100644 index 0000000000..af10697326 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-compatibility-version-1.26.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.27 behavioral changes + ENABLE_NATIVE_SIDECARS: "false" \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-demo.yaml new file mode 100644 index 0000000000..d6dc36dd0f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-demo.yaml @@ -0,0 +1,94 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The demo profile enables a variety of things to try out Istio in non-production environments. +# * Lower resource utilization. +# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. +# * More ports enabled on the ingress, which is used in some tasks. +meshConfig: + accessLogFile: /dev/stdout + extensionProviders: + - name: otel + envoyOtelAls: + service: opentelemetry-collector.observability.svc.cluster.local + port: 4317 + - name: skywalking + skywalking: + service: tracing.istio-system.svc.cluster.local + port: 11800 + - name: otel-tracing + opentelemetry: + port: 4317 + service: opentelemetry-collector.observability.svc.cluster.local + - name: jaeger + opentelemetry: + port: 4317 + service: jaeger-collector.istio-system.svc.cluster.local + +cni: + resources: + requests: + cpu: 10m + memory: 40Mi + +ztunnel: + resources: + requests: + cpu: 10m + memory: 40Mi + +global: + proxy: + resources: + requests: + cpu: 10m + memory: 40Mi + waypoint: + resources: + requests: + cpu: 10m + memory: 40Mi + +pilot: + autoscaleEnabled: false + traceSampling: 100 + resources: + requests: + cpu: 10m + memory: 100Mi + +gateways: + istio-egressgateway: + autoscaleEnabled: false + resources: + requests: + cpu: 10m + memory: 40Mi + istio-ingressgateway: + autoscaleEnabled: false + ports: + ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. + # Note that AWS ELB will by default perform health checks on the first port + # on this list. Setting this to the health check port will ensure that health + # checks always work. https://github.com/istio/istio/issues/12503 + - port: 15021 + targetPort: 15021 + name: status-port + - port: 80 + targetPort: 8080 + name: http2 + - port: 443 + targetPort: 8443 + name: https + - port: 31400 + targetPort: 31400 + name: tcp + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + resources: + requests: + cpu: 10m + memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-platform-gke.yaml new file mode 100644 index 0000000000..dfe8a7d741 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-platform-gke.yaml @@ -0,0 +1,10 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work + resourceQuotas: + enabled: true +resourceQuotas: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-platform-k3d.yaml new file mode 100644 index 0000000000..cd86d9ec58 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-platform-k3d.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-platform-k3s.yaml new file mode 100644 index 0000000000..07820106d9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-platform-k3s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-platform-microk8s.yaml new file mode 100644 index 0000000000..57d7f5e3cd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-platform-microk8s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/snap/microk8s/current/args/cni-network + cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-platform-minikube.yaml new file mode 100644 index 0000000000..fa9992e204 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-platform-minikube.yaml @@ -0,0 +1,6 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-platform-openshift.yaml new file mode 100644 index 0000000000..8ddc5e1654 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-platform-openshift.yaml @@ -0,0 +1,19 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The OpenShift profile provides a basic set of settings to run Istio on OpenShift +cni: + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + provider: "multus" +pilot: + cni: + enabled: true + provider: "multus" +seLinuxOptions: + type: spc_t +# Openshift requires privileged pods to run in kube-system +trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-preview.yaml new file mode 100644 index 0000000000..181d7bda2c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-preview.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +meshConfig: + defaultConfig: + proxyMetadata: + # Enable Istio agent to handle DNS requests for known hosts + # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf + ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-remote.yaml new file mode 100644 index 0000000000..d17b9a801a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-remote.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. +istiodRemote: + enabled: true +configMap: false +telemetry: + enabled: false +global: + # TODO BML maybe a different profile for a configcluster/revisit this + omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-stable.yaml new file mode 100644 index 0000000000..358282e69b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/profile-stable.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The stable profile deploys admission control to ensure that only stable resources and fields are used +# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE +experimental: + stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/waypoint.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/waypoint.yaml new file mode 100644 index 0000000000..3e6a2f5dc1 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/files/waypoint.yaml @@ -0,0 +1,396 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{.ServiceAccount | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + {{- if ge .KubeVersion 128 }} + # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" + {{- end }} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.istio.io/managed" .ControllerLabel + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" +spec: + selector: + matchLabels: + "{{.GatewayNameLabel}}": "{{.Name}}" + template: + metadata: + annotations: + {{- toJsonMap + (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") + (strdict "istio.io/rev" (.Revision | default "default")) + (strdict + "prometheus.io/path" "/stats/prometheus" + "prometheus.io/port" "15020" + "prometheus.io/scrape" "true" + ) | nindent 8 }} + labels: + {{- toJsonMap + (strdict + "sidecar.istio.io/inject" "false" + "istio.io/dataplane-mode" "none" + "service.istio.io/canonical-name" .DeploymentName + "service.istio.io/canonical-revision" "latest" + ) + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.istio.io/managed" .ControllerLabel + ) | nindent 8}} + spec: + {{- if .Values.global.waypoint.affinity }} + affinity: + {{- toYaml .Values.global.waypoint.affinity | nindent 8 }} + {{- end }} + {{- if .Values.global.waypoint.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml .Values.global.waypoint.topologySpreadConstraints | nindent 8 }} + {{- end }} + {{- if .Values.global.waypoint.nodeSelector }} + nodeSelector: + {{- toYaml .Values.global.waypoint.nodeSelector | nindent 8 }} + {{- end }} + {{- if .Values.global.waypoint.tolerations }} + tolerations: + {{- toYaml .Values.global.waypoint.tolerations | nindent 8 }} + {{- end }} + terminationGracePeriodSeconds: 2 + serviceAccountName: {{.ServiceAccount | quote}} + containers: + - name: istio-proxy + ports: + - containerPort: 15020 + name: metrics + protocol: TCP + - containerPort: 15021 + name: status-port + protocol: TCP + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + args: + - proxy + - waypoint + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --serviceCluster + - {{.ServiceAccount}}.$(POD_NAMESPACE) + - --proxyLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} + - --proxyComponentLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} + - --log_output_level + - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.outlierLogPath }} + - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }} + {{- end}} + env: + - name: ISTIO_META_SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + {{- if .ProxyConfig.ProxyMetadata }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + {{- $network := valueOrDefault (index .InfrastructureLabels `topology.istio.io/network`) .Values.global.network }} + {{- if $network }} + - name: ISTIO_META_NETWORK + value: "{{ $network }}" + {{- end }} + - name: ISTIO_META_INTERCEPTION_MODE + value: REDIRECT + - name: ISTIO_META_WORKLOAD_NAME + value: {{.DeploymentName}} + - name: ISTIO_META_OWNER + value: kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- if .Values.global.waypoint.resources }} + resources: + {{- toYaml .Values.global.waypoint.resources | nindent 10 }} + {{- end }} + startupProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 1 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + failureThreshold: 4 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 0 + periodSeconds: 15 + successThreshold: 1 + timeoutSeconds: 1 + securityContext: + privileged: false + {{- if not (eq .Values.global.platform "openshift") }} + runAsGroup: 1337 + runAsUser: 1337 + {{- end }} + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL +{{- if .Values.gateways.seccompProfile }} + seccompProfile: +{{- toYaml .Values.gateways.seccompProfile | nindent 12 }} +{{- end }} + volumeMounts: + - mountPath: /var/run/secrets/workload-spiffe-uds + name: workload-socket + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + - mountPath: /var/lib/istio/data + name: istio-data + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + - mountPath: /etc/istio/pod + name: istio-podinfo + volumes: + - emptyDir: {} + name: workload-socket + - emptyDir: + medium: Memory + name: istio-envoy + - emptyDir: + medium: Memory + name: go-proxy-envoy + - emptyDir: {} + name: istio-data + - emptyDir: {} + name: go-proxy-data + - downwardAPI: + items: + - fieldRef: + fieldPath: metadata.labels + path: labels + - fieldRef: + fieldPath: metadata.annotations + path: annotations + name: istio-podinfo + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: istio-ca + expirationSeconds: 43200 + path: istio-token + - name: istiod-ca-cert + {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +--- +apiVersion: v1 +kind: Service +metadata: + annotations: + {{ toJsonMap + (strdict "networking.istio.io/traffic-distribution" "PreferClose") + (omit .InfrastructureAnnotations + "kubectl.kubernetes.io/last-applied-configuration" + "gateway.istio.io/name-override" + "gateway.istio.io/service-account" + "gateway.istio.io/controller-version" + ) | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" +spec: + ipFamilyPolicy: PreferDualStack + ports: + {{- range $key, $val := .Ports }} + - name: {{ $val.Name | quote }} + port: {{ $val.Port }} + protocol: TCP + appProtocol: {{ $val.AppProtocol }} + {{- end }} + selector: + "{{.GatewayNameLabel}}": "{{.Name}}" + {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} + loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} + {{- end }} + type: {{ .ServiceType | quote }} +--- +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: "{{.UID}}" +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{.DeploymentName | quote}} + maxReplicas: 1 +--- +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: "{{.UID}}" +spec: + selector: + matchLabels: + gateway.networking.k8s.io/gateway-name: {{.Name|quote}} + diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/NOTES.txt new file mode 100644 index 0000000000..0d07ea7f4c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/NOTES.txt @@ -0,0 +1,82 @@ +"istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}" successfully installed! + +To learn more about the release, try: + $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} + $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} + +Next steps: +{{- $profile := default "" .Values.profile }} +{{- if (eq $profile "ambient") }} + * Get started with ambient: https://istio.io/latest/docs/ops/ambient/getting-started/ + * Review ambient's architecture: https://istio.io/latest/docs/ops/ambient/architecture/ +{{- else }} + * Deploy a Gateway: https://istio.io/latest/docs/setup/additional-setup/gateway/ + * Try out our tasks to get started on common configurations: + * https://istio.io/latest/docs/tasks/traffic-management + * https://istio.io/latest/docs/tasks/security/ + * https://istio.io/latest/docs/tasks/policy-enforcement/ +{{- end }} + * Review the list of actively supported releases, CVE publications and our hardening guide: + * https://istio.io/latest/docs/releases/supported-releases/ + * https://istio.io/latest/news/security/ + * https://istio.io/latest/docs/ops/best-practices/security/ + +For further documentation see https://istio.io website + +{{- + $deps := dict + "global.outboundTrafficPolicy" "meshConfig.outboundTrafficPolicy" + "global.certificates" "meshConfig.certificates" + "global.localityLbSetting" "meshConfig.localityLbSetting" + "global.policyCheckFailOpen" "meshConfig.policyCheckFailOpen" + "global.enableTracing" "meshConfig.enableTracing" + "global.proxy.accessLogFormat" "meshConfig.accessLogFormat" + "global.proxy.accessLogFile" "meshConfig.accessLogFile" + "global.proxy.concurrency" "meshConfig.defaultConfig.concurrency" + "global.proxy.envoyAccessLogService" "meshConfig.defaultConfig.envoyAccessLogService" + "global.proxy.envoyAccessLogService.enabled" "meshConfig.enableEnvoyAccessLogService" + "global.proxy.envoyMetricsService" "meshConfig.defaultConfig.envoyMetricsService" + "global.proxy.protocolDetectionTimeout" "meshConfig.protocolDetectionTimeout" + "global.proxy.holdApplicationUntilProxyStarts" "meshConfig.defaultConfig.holdApplicationUntilProxyStarts" + "pilot.ingress" "meshConfig.ingressService, meshConfig.ingressControllerMode, and meshConfig.ingressClass" + "global.mtls.enabled" "the PeerAuthentication resource" + "global.mtls.auto" "meshConfig.enableAutoMtls" + "global.tracer.lightstep.address" "meshConfig.defaultConfig.tracing.lightstep.address" + "global.tracer.lightstep.accessToken" "meshConfig.defaultConfig.tracing.lightstep.accessToken" + "global.tracer.zipkin.address" "meshConfig.defaultConfig.tracing.zipkin.address" + "global.tracer.datadog.address" "meshConfig.defaultConfig.tracing.datadog.address" + "global.meshExpansion.enabled" "Gateway and other Istio networking resources, such as in samples/multicluster/" + "istiocoredns.enabled" "the in-proxy DNS capturing (ISTIO_META_DNS_CAPTURE)" +}} +{{- range $dep, $replace := $deps }} +{{- /* Complex logic to turn the string above into a null-safe traversal like ((.Values.global).certificates */}} +{{- $res := tpl (print "{{" (repeat (split "." $dep | len) "(") ".Values." (replace "." ")." $dep) ")}}") $}} +{{- if not (eq $res "")}} +WARNING: {{$dep|quote}} is deprecated; use {{$replace|quote}} instead. +{{- end }} +{{- end }} +{{- + $failDeps := dict + "telemetry.v2.prometheus.configOverride" + "telemetry.v2.stackdriver.configOverride" + "telemetry.v2.stackdriver.disableOutbound" + "telemetry.v2.stackdriver.outboundAccessLogging" + "global.tracer.stackdriver.debug" "meshConfig.defaultConfig.tracing.stackdriver.debug" + "global.tracer.stackdriver.maxNumberOfAttributes" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAttributes" + "global.tracer.stackdriver.maxNumberOfAnnotations" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAnnotations" + "global.tracer.stackdriver.maxNumberOfMessageEvents" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfMessageEvents" + "meshConfig.defaultConfig.tracing.stackdriver.debug" "Istio supported tracers" + "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAttributes" "Istio supported tracers" + "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAnnotations" "Istio supported tracers" + "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfMessageEvents" "Istio supported tracers" +}} +{{- range $dep, $replace := $failDeps }} +{{- /* Complex logic to turn the string above into a null-safe traversal like ((.Values.global).certificates */}} +{{- $res := tpl (print "{{" (repeat (split "." $dep | len) "(") ".Values." (replace "." ")." $dep) ")}}") $}} +{{- if not (eq $res "")}} +{{fail (print $dep " is removed")}} +{{- end }} +{{- end }} +{{- if eq $.Values.global.pilotCertProvider "kubernetes" }} +{{- fail "pilotCertProvider=kubernetes is not supported" }} +{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/_helpers.tpl new file mode 100644 index 0000000000..042c92538d --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/_helpers.tpl @@ -0,0 +1,23 @@ +{{/* Default Prometheus is enabled if its enabled and there are no config overrides set */}} +{{ define "default-prometheus" }} +{{- and + (not .Values.meshConfig.defaultProviders) + .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.prometheus.enabled +}} +{{- end }} + +{{/* SD has metrics and logging split. Default metrics are enabled if SD is enabled */}} +{{ define "default-sd-metrics" }} +{{- and + (not .Values.meshConfig.defaultProviders) + .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled +}} +{{- end }} + +{{/* SD has metrics and logging split. */}} +{{ define "default-sd-logs" }} +{{- and + (not .Values.meshConfig.defaultProviders) + .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled +}} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/autoscale.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/autoscale.yaml new file mode 100644 index 0000000000..9b952ba857 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/autoscale.yaml @@ -0,0 +1,43 @@ +# Not created if istiod is running remotely +{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} +{{- if and .Values.autoscaleEnabled .Values.autoscaleMin .Values.autoscaleMax }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +spec: + maxReplicas: {{ .Values.autoscaleMax }} + minReplicas: {{ .Values.autoscaleMin }} + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + metrics: + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.cpu.targetAverageUtilization }} + {{- if .Values.memory.targetAverageUtilization }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.memory.targetAverageUtilization }} + {{- end }} + {{- if .Values.autoscaleBehavior }} + behavior: {{ toYaml .Values.autoscaleBehavior | nindent 4 }} + {{- end }} +--- +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/clusterrole.yaml new file mode 100644 index 0000000000..40f39511ac --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/clusterrole.yaml @@ -0,0 +1,213 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} +{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +rules: + # sidecar injection controller + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update", "patch"] + + # configuration validation webhook controller + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update"] + + # istio configuration + # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382) + # please proceed with caution + - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] + verbs: ["get", "watch", "list"] + resources: ["*"] +{{- if .Values.global.istiod.enableAnalysis }} + - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] + verbs: ["update", "patch"] + resources: + - authorizationpolicies/status + - destinationrules/status + - envoyfilters/status + - gateways/status + - peerauthentications/status + - proxyconfigs/status + - requestauthentications/status + - serviceentries/status + - sidecars/status + - telemetries/status + - virtualservices/status + - wasmplugins/status + - workloadentries/status + - workloadgroups/status +{{- end }} + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "workloadentries" ] + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "workloadentries/status", "serviceentries/status" ] + - apiGroups: ["security.istio.io"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "authorizationpolicies/status" ] + - apiGroups: [""] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "services/status" ] + + # auto-detect installed CRD definitions + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch"] + + # discovery and routing + - apiGroups: [""] + resources: ["pods", "nodes", "services", "namespaces", "endpoints"] + verbs: ["get", "list", "watch"] + - apiGroups: ["discovery.k8s.io"] + resources: ["endpointslices"] + verbs: ["get", "list", "watch"] + +{{- if .Values.taint.enabled }} + - apiGroups: [""] + resources: ["nodes"] + verbs: ["patch"] +{{- end }} + + # ingress controller +{{- if .Values.global.istiod.enableAnalysis }} + - apiGroups: ["extensions", "networking.k8s.io"] + resources: ["ingresses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["extensions", "networking.k8s.io"] + resources: ["ingresses/status"] + verbs: ["*"] +{{- end}} + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses", "ingressclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses/status"] + verbs: ["*"] + + # required for CA's namespace controller + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["create", "get", "list", "watch", "update"] + + # Istiod and bootstrap. +{{- $omitCertProvidersForClusterRole := list "istiod" "custom" "none"}} +{{- if or .Values.env.EXTERNAL_CA (not (has .Values.global.pilotCertProvider $omitCertProvidersForClusterRole)) }} + - apiGroups: ["certificates.k8s.io"] + resources: + - "certificatesigningrequests" + - "certificatesigningrequests/approval" + - "certificatesigningrequests/status" + verbs: ["update", "create", "get", "delete", "watch"] + - apiGroups: ["certificates.k8s.io"] + resources: + - "signers" + resourceNames: +{{- range .Values.global.certSigners }} + - {{ . | quote }} +{{- end }} + verbs: ["approve"] +{{- end}} +{{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + - apiGroups: ["certificates.k8s.io"] + resources: ["clustertrustbundles"] + verbs: ["update", "create", "delete", "list", "watch", "get"] + - apiGroups: ["certificates.k8s.io"] + resources: ["signers"] + resourceNames: ["istio.io/istiod-ca"] + verbs: ["attest"] +{{- end }} + + # Used by Istiod to verify the JWT tokens + - apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] + + # Used by Istiod to verify gateway SDS + - apiGroups: ["authorization.k8s.io"] + resources: ["subjectaccessreviews"] + verbs: ["create"] + + # Use for Kubernetes Service APIs + - apiGroups: ["gateway.networking.k8s.io", "gateway.networking.x-k8s.io"] + resources: ["*"] + verbs: ["get", "watch", "list"] + - apiGroups: ["gateway.networking.x-k8s.io"] + resources: + - xbackendtrafficpolicies/status + - xlistenersets/status + verbs: ["update", "patch"] + - apiGroups: ["gateway.networking.k8s.io"] + resources: + - backendtlspolicies/status + - gatewayclasses/status + - gateways/status + - grpcroutes/status + - httproutes/status + - referencegrants/status + - tcproutes/status + - tlsroutes/status + - udproutes/status + verbs: ["update", "patch"] + - apiGroups: ["gateway.networking.k8s.io"] + resources: ["gatewayclasses"] + verbs: ["create", "update", "patch", "delete"] + - apiGroups: ["inference.networking.k8s.io"] + resources: ["inferencepools"] + verbs: ["get", "watch", "list"] + - apiGroups: ["inference.networking.k8s.io"] + resources: ["inferencepools/status"] + verbs: ["update", "patch"] + + # Needed for multicluster secret reading, possibly ingress certs in the future + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "watch", "list"] + + # Used for MCS serviceexport management + - apiGroups: ["{{ $mcsAPIGroup }}"] + resources: ["serviceexports"] + verbs: [ "get", "watch", "list", "create", "delete"] + + # Used for MCS serviceimport management + - apiGroups: ["{{ $mcsAPIGroup }}"] + resources: ["serviceimports"] + verbs: ["get", "watch", "list"] +--- +{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +rules: + - apiGroups: ["apps"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "deployments" ] + - apiGroups: ["autoscaling"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "horizontalpodautoscalers" ] + - apiGroups: ["policy"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "poddisruptionbudgets" ] + - apiGroups: [""] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "services" ] + - apiGroups: [""] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "serviceaccounts"] +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..1b8fa4d079 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/clusterrolebinding.yaml @@ -0,0 +1,40 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} +subjects: + - kind: ServiceAccount + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} +--- +{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} +subjects: +- kind: ServiceAccount + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/configmap-jwks.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/configmap-jwks.yaml new file mode 100644 index 0000000000..9d931c4065 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/configmap-jwks.yaml @@ -0,0 +1,18 @@ +# Not created if istiod is running remotely +{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} +{{- if .Values.jwksResolverExtraRootCA }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +data: + extra.pem: {{ .Values.jwksResolverExtraRootCA | quote }} +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/configmap-values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/configmap-values.yaml new file mode 100644 index 0000000000..75e6e0bcc6 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/configmap-values.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: values{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + annotations: + kubernetes.io/description: This ConfigMap contains the Helm values used during chart rendering. This ConfigMap is rendered for debugging purposes and external tooling; modifying these values has no effect. + labels: + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +data: + original-values: |- +{{ .Values._original | toPrettyJson | indent 4 }} +{{- $_ := unset $.Values "_original" }} + merged-values: |- +{{ .Values | toPrettyJson | indent 4 }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/configmap.yaml new file mode 100644 index 0000000000..a8446a6fc9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/configmap.yaml @@ -0,0 +1,111 @@ +{{- define "mesh" }} + # The trust domain corresponds to the trust root of a system. + # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain + trustDomain: "cluster.local" + + # The namespace to treat as the administrative root namespace for Istio configuration. + # When processing a leaf namespace Istio will search for declarations in that namespace first + # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace + # is processed as if it were declared in the leaf namespace. + rootNamespace: {{ .Values.meshConfig.rootNamespace | default .Values.global.istioNamespace }} + + {{ $prom := include "default-prometheus" . | eq "true" }} + {{ $sdMetrics := include "default-sd-metrics" . | eq "true" }} + {{ $sdLogs := include "default-sd-logs" . | eq "true" }} + {{- if or $prom $sdMetrics $sdLogs }} + defaultProviders: + {{- if or $prom $sdMetrics }} + metrics: + {{ if $prom }}- prometheus{{ end }} + {{ if and $sdMetrics $sdLogs }}- stackdriver{{ end }} + {{- end }} + {{- if and $sdMetrics $sdLogs }} + accessLogging: + - stackdriver + {{- end }} + {{- end }} + + defaultConfig: + {{- if .Values.global.meshID }} + meshId: "{{ .Values.global.meshID }}" + {{- end }} + {{- with (.Values.global.proxy.variant | default .Values.global.variant) }} + image: + imageType: {{. | quote}} + {{- end }} + {{- if not (eq .Values.global.proxy.tracer "none") }} + tracing: + {{- if eq .Values.global.proxy.tracer "lightstep" }} + lightstep: + # Address of the LightStep Satellite pool + address: {{ .Values.global.tracer.lightstep.address }} + # Access Token used to communicate with the Satellite pool + accessToken: {{ .Values.global.tracer.lightstep.accessToken }} + {{- else if eq .Values.global.proxy.tracer "zipkin" }} + zipkin: + # Address of the Zipkin collector + address: {{ ((.Values.global.tracer).zipkin).address | default (print "zipkin." .Values.global.istioNamespace ":9411") }} + {{- else if eq .Values.global.proxy.tracer "datadog" }} + datadog: + # Address of the Datadog Agent + address: {{ ((.Values.global.tracer).datadog).address | default "$(HOST_IP):8126" }} + {{- else if eq .Values.global.proxy.tracer "stackdriver" }} + stackdriver: + # enables trace output to stdout. + debug: {{ (($.Values.global.tracer).stackdriver).debug | default "false" }} + # The global default max number of attributes per span. + maxNumberOfAttributes: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAttributes | default "200" }} + # The global default max number of annotation events per span. + maxNumberOfAnnotations: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAnnotations | default "200" }} + # The global default max number of message events per span. + maxNumberOfMessageEvents: {{ (($.Values.global.tracer).stackdriver).maxNumberOfMessageEvents | default "200" }} + {{- end }} + {{- end }} + {{- if .Values.global.remotePilotAddress }} + {{- if and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod }} + # only primary `istiod` to xds and local `istiod` injection installs. + discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012 + {{- else }} + discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012 + {{- end }} + {{- else }} + discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012 + {{- end }} +{{- end }} + +{{/* We take the mesh config above, defined with individual values.yaml, and merge with .Values.meshConfig */}} +{{/* The intent here is that meshConfig.foo becomes the API, rather than re-inventing the API in values.yaml */}} +{{- $originalMesh := include "mesh" . | fromYaml }} +{{- $mesh := mergeOverwrite $originalMesh .Values.meshConfig }} + +{{- if .Values.configMap }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +data: + + # Configuration file for the mesh networks to be used by the Split Horizon EDS. + meshNetworks: |- + {{- if .Values.global.meshNetworks }} + networks: +{{ toYaml .Values.global.meshNetworks | trim | indent 6 }} + {{- else }} + networks: {} + {{- end }} + + mesh: |- +{{- if .Values.meshConfig }} +{{ $mesh | toYaml | indent 4 }} +{{- else }} +{{- include "mesh" . }} +{{- end }} +--- +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/deployment.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/deployment.yaml new file mode 100644 index 0000000000..1b769c6ec7 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/deployment.yaml @@ -0,0 +1,312 @@ +# Not created if istiod is running remotely +{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + istio: pilot + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +{{- range $key, $val := .Values.deploymentLabels }} + {{ $key }}: "{{ $val }}" +{{- end }} + {{- if .Values.deploymentAnnotations }} + annotations: +{{ toYaml .Values.deploymentAnnotations | indent 4 }} + {{- end }} +spec: +{{- if not .Values.autoscaleEnabled }} +{{- if .Values.replicaCount }} + replicas: {{ .Values.replicaCount }} +{{- end }} +{{- end }} + strategy: + rollingUpdate: + maxSurge: {{ .Values.rollingMaxSurge }} + maxUnavailable: {{ .Values.rollingMaxUnavailable }} + selector: + matchLabels: + {{- if ne .Values.revision "" }} + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + {{- else }} + istio: pilot + {{- end }} + template: + metadata: + labels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + sidecar.istio.io/inject: "false" + operator.istio.io/component: "Pilot" + {{- if ne .Values.revision "" }} + istio: istiod + {{- else }} + istio: pilot + {{- end }} + {{- range $key, $val := .Values.podLabels }} + {{ $key }}: "{{ $val }}" + {{- end }} + istio.io/dataplane-mode: none + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 8 }} + annotations: + prometheus.io/port: "15014" + prometheus.io/scrape: "true" + sidecar.istio.io/inject: "false" + {{- if .Values.podAnnotations }} +{{ toYaml .Values.podAnnotations | indent 8 }} + {{- end }} + spec: +{{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 8 }} +{{- end }} +{{- with .Values.affinity }} + affinity: +{{- toYaml . | nindent 8 }} +{{- end }} + tolerations: + - key: cni.istio.io/not-ready + operator: "Exists" +{{- with .Values.tolerations }} +{{- toYaml . | nindent 8 }} +{{- end }} +{{- with .Values.topologySpreadConstraints }} + topologySpreadConstraints: +{{- toYaml . | nindent 8 }} +{{- end }} + serviceAccountName: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} +{{- if .Values.global.priorityClassName }} + priorityClassName: "{{ .Values.global.priorityClassName }}" +{{- end }} +{{- with .Values.initContainers }} + initContainers: + {{- tpl (toYaml .) $ | nindent 8 }} +{{- end }} + containers: + - name: discovery +{{- if contains "/" .Values.image }} + image: "{{ .Values.image }}" +{{- else }} + image: "{{ .Values.hub | default .Values.global.hub }}/{{ .Values.image | default "pilot" }}:{{ .Values.tag | default .Values.global.tag }}{{with (.Values.variant | default .Values.global.variant)}}-{{.}}{{end}}" +{{- end }} +{{- if .Values.global.imagePullPolicy }} + imagePullPolicy: {{ .Values.global.imagePullPolicy }} +{{- end }} + args: + - "discovery" + - --monitoringAddr=:15014 +{{- if .Values.global.logging.level }} + - --log_output_level={{ .Values.global.logging.level }} +{{- end}} +{{- if .Values.global.logAsJson }} + - --log_as_json +{{- end }} + - --domain + - {{ .Values.global.proxy.clusterDomain }} +{{- if .Values.taint.namespace }} + - --cniNamespace={{ .Values.taint.namespace }} +{{- end }} + - --keepaliveMaxServerConnectionAge + - "{{ .Values.keepaliveMaxServerConnectionAge }}" +{{- if .Values.extraContainerArgs }} + {{- with .Values.extraContainerArgs }} + {{- toYaml . | nindent 10 }} + {{- end }} +{{- end }} + ports: + - containerPort: 8080 + protocol: TCP + name: http-debug + - containerPort: 15010 + protocol: TCP + name: grpc-xds + - containerPort: 15012 + protocol: TCP + name: tls-xds + - containerPort: 15017 + protocol: TCP + name: https-webhooks + - containerPort: 15014 + protocol: TCP + name: http-monitoring + readinessProbe: + httpGet: + path: /ready + port: 8080 + initialDelaySeconds: 1 + periodSeconds: 3 + timeoutSeconds: 5 + env: + - name: REVISION + value: "{{ .Values.revision | default `default` }}" + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.serviceAccountName + - name: KUBECONFIG + value: /var/run/secrets/remote/config + # If you explicitly told us where ztunnel lives, use that. + # Otherwise, assume it lives in our namespace + # Also, check for an explicit ENV override (legacy approach) and prefer that + # if present + {{ $ztTrustedNS := or .Values.trustedZtunnelNamespace .Release.Namespace }} + {{ $ztTrustedName := or .Values.trustedZtunnelName "ztunnel" }} + {{- if not .Values.env.CA_TRUSTED_NODE_ACCOUNTS }} + - name: CA_TRUSTED_NODE_ACCOUNTS + value: "{{ $ztTrustedNS }}/{{ $ztTrustedName }}" + {{- end }} + {{- if .Values.env }} + {{- range $key, $val := .Values.env }} + - name: {{ $key }} + value: "{{ $val }}" + {{- end }} + {{- end }} + {{- with .Values.envVarFrom }} + {{- toYaml . | nindent 10 }} + {{- end }} +{{- if .Values.traceSampling }} + - name: PILOT_TRACE_SAMPLING + value: "{{ .Values.traceSampling }}" +{{- end }} +# If externalIstiod is set via Values.Global, then enable the pilot env variable. However, if it's set via Values.pilot.env, then +# don't set it here to avoid duplication. +# TODO (nshankar13): Move from Helm chart to code: https://github.com/istio/istio/issues/52449 +{{- if and .Values.global.externalIstiod (not (and .Values.env .Values.env.EXTERNAL_ISTIOD)) }} + - name: EXTERNAL_ISTIOD + value: "{{ .Values.global.externalIstiod }}" +{{- end }} +{{- if .Values.global.trustBundleName }} + - name: PILOT_CA_CERT_CONFIGMAP + value: "{{ .Values.global.trustBundleName }}" +{{- end }} + - name: PILOT_ENABLE_ANALYSIS + value: "{{ .Values.global.istiod.enableAnalysis }}" + - name: CLUSTER_ID + value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}" + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + divisor: "1" + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + divisor: "1" + - name: PLATFORM + value: "{{ coalesce .Values.global.platform .Values.platform }}" + resources: +{{- if .Values.resources }} +{{ toYaml .Values.resources | trim | indent 12 }} +{{- else }} +{{ toYaml .Values.global.defaultResources | trim | indent 12 }} +{{- end }} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL +{{- if .Values.seccompProfile }} + seccompProfile: +{{ toYaml .Values.seccompProfile | trim | indent 14 }} +{{- end }} + volumeMounts: + - name: istio-token + mountPath: /var/run/secrets/tokens + readOnly: true + - name: local-certs + mountPath: /var/run/secrets/istio-dns + - name: cacerts + mountPath: /etc/cacerts + readOnly: true + - name: istio-kubeconfig + mountPath: /var/run/secrets/remote + readOnly: true + {{- if .Values.jwksResolverExtraRootCA }} + - name: extracacerts + mountPath: /cacerts + {{- end }} + - name: istio-csr-dns-cert + mountPath: /var/run/secrets/istiod/tls + readOnly: true + - name: istio-csr-ca-configmap + mountPath: /var/run/secrets/istiod/ca + readOnly: true + {{- with .Values.volumeMounts }} + {{- toYaml . | nindent 10 }} + {{- end }} + volumes: + # Technically not needed on this pod - but it helps debugging/testing SDS + # Should be removed after everything works. + - emptyDir: + medium: Memory + name: local-certs + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: {{ .Values.global.sds.token.aud }} + expirationSeconds: 43200 + path: istio-token + # Optional: user-generated root + - name: cacerts + secret: + secretName: cacerts + optional: true + - name: istio-kubeconfig + secret: + secretName: istio-kubeconfig + optional: true + # Optional: istio-csr dns pilot certs + - name: istio-csr-dns-cert + secret: + secretName: istiod-tls + optional: true + - name: istio-csr-ca-configmap + {{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} + path: root-cert.pem + optional: true + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + defaultMode: 420 + optional: true + {{- end }} + {{- if .Values.jwksResolverExtraRootCA }} + - name: extracacerts + configMap: + name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- end }} + {{- with .Values.volumes }} + {{- toYaml . | nindent 6}} + {{- end }} + +--- +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/gateway-class-configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/gateway-class-configmap.yaml new file mode 100644 index 0000000000..6b23d716a4 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/gateway-class-configmap.yaml @@ -0,0 +1,20 @@ +{{ range $key, $value := .Values.gatewayClasses }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-{{ $.Values.revision | default "default" }}-gatewayclass-{{$key}} + namespace: {{ $.Release.Namespace }} + labels: + istio.io/rev: {{ $.Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + release: {{ $.Release.Name }} + app.kubernetes.io/name: "istiod" + gateway.istio.io/defaults-for-class: {{$key|quote}} + {{- include "istio.labels" $ | nindent 4 }} +data: +{{ range $kind, $overlay := $value }} + {{$kind}}: | +{{$overlay|toYaml|trim|indent 4}} +{{ end }} +--- +{{ end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/istiod-injector-configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/istiod-injector-configmap.yaml new file mode 100644 index 0000000000..171aff8861 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/istiod-injector-configmap.yaml @@ -0,0 +1,81 @@ +{{- if not .Values.global.omitSidecarInjectorConfigMap }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +data: +{{/* Scope the values to just top level fields used in the template, to reduce the size. */}} + values: |- +{{ $vals := pick .Values "global" "sidecarInjectorWebhook" "revision" -}} +{{ $pilotVals := pick .Values "cni" "env" -}} +{{ $vals = set $vals "pilot" $pilotVals -}} +{{ $gatewayVals := pick .Values.gateways "securityContext" "seccompProfile" -}} +{{ $vals = set $vals "gateways" $gatewayVals -}} +{{ $vals | toPrettyJson | indent 4 }} + + # To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching + # and istiod webhook functionality. + # + # New fields should not use Values - it is a 'primary' config object, users should be able + # to fine tune it or use it with kube-inject. + config: |- + # defaultTemplates defines the default template to use for pods that do not explicitly specify a template + {{- if .Values.sidecarInjectorWebhook.defaultTemplates }} + defaultTemplates: +{{- range .Values.sidecarInjectorWebhook.defaultTemplates}} + - {{ . }} +{{- end }} + {{- else }} + defaultTemplates: [sidecar] + {{- end }} + policy: {{ .Values.global.proxy.autoInject }} + alwaysInjectSelector: +{{ toYaml .Values.sidecarInjectorWebhook.alwaysInjectSelector | trim | indent 6 }} + neverInjectSelector: +{{ toYaml .Values.sidecarInjectorWebhook.neverInjectSelector | trim | indent 6 }} + injectedAnnotations: + {{- range $key, $val := .Values.sidecarInjectorWebhook.injectedAnnotations }} + "{{ $key }}": {{ $val | quote }} + {{- end }} + {{- /* If someone ends up with this new template, but an older Istiod image, they will attempt to render this template + which will fail with "Pod injection failed: template: inject:1: function "Istio_1_9_Required_Template_And_Version_Mismatched" not defined". + This should make it obvious that their installation is broken. + */}} + template: {{ `{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}` | quote }} + templates: +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "sidecar") }} + sidecar: | +{{ .Files.Get "files/injection-template.yaml" | trim | indent 8 }} +{{- end }} +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "gateway") }} + gateway: | +{{ .Files.Get "files/gateway-injection-template.yaml" | trim | indent 8 }} +{{- end }} +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-simple") }} + grpc-simple: | +{{ .Files.Get "files/grpc-simple.yaml" | trim | indent 8 }} +{{- end }} +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-agent") }} + grpc-agent: | +{{ .Files.Get "files/grpc-agent.yaml" | trim | indent 8 }} +{{- end }} +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "waypoint") }} + waypoint: | +{{ .Files.Get "files/waypoint.yaml" | trim | indent 8 }} +{{- end }} +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "kube-gateway") }} + kube-gateway: | +{{ .Files.Get "files/kube-gateway.yaml" | trim | indent 8 }} +{{- end }} +{{- with .Values.sidecarInjectorWebhook.templates }} +{{ toYaml . | trim | indent 6 }} +{{- end }} + +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/mutatingwebhook.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/mutatingwebhook.yaml new file mode 100644 index 0000000000..ca017194e6 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/mutatingwebhook.yaml @@ -0,0 +1,164 @@ +# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that. +{{- /* Core defines the common configuration used by all webhook segments */}} +{{/* Copy just what we need to avoid expensive deepCopy */}} +{{- $whv := dict +"revision" .Values.revision + "injectionPath" .Values.istiodRemote.injectionPath + "injectionURL" .Values.istiodRemote.injectionURL + "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy + "caBundle" .Values.istiodRemote.injectionCABundle + "namespace" .Release.Namespace }} +{{- define "core" }} +{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign +a unique prefix to each. */}} +- name: {{.Prefix}}sidecar-injector.istio.io + clientConfig: + {{- if .injectionURL }} + url: "{{ .injectionURL }}" + {{- else }} + service: + name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} + namespace: {{ .namespace }} + path: "{{ .injectionPath }}" + port: 443 + {{- end }} + {{- if .caBundle }} + caBundle: "{{ .caBundle }}" + {{- end }} + sideEffects: None + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + reinvocationPolicy: "{{ .reinvocationPolicy }}" + admissionReviewVersions: ["v1"] +{{- end }} +{{- /* Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) */}} +{{- if not .Values.global.operatorManageWebhooks }} +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: +{{- if eq .Release.Namespace "istio-system"}} + name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} +{{- else }} + name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} +{{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app: sidecar-injector + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +{{- if $.Values.sidecarInjectorWebhookAnnotations }} + annotations: +{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }} +{{- end }} +webhooks: +{{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}} + +{{- /* Case 1: namespace selector matches, and object doesn't disable */}} +{{- /* Note: if both revision and legacy selector, we give precedence to the legacy one */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + {{- if (eq .Values.revision "") }} + - "default" + {{- else }} + - "{{ .Values.revision }}" + {{- end }} + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + +{{- /* Case 2: No namespace selector, but object selects our revision (and doesn't disable) */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: DoesNotExist + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + - key: istio.io/rev + operator: In + values: + {{- if (eq .Values.revision "") }} + - "default" + {{- else }} + - "{{ .Values.revision }}" + {{- end }} + + +{{- /* Webhooks for default revision */}} +{{- if (eq .Values.revision "") }} + +{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: In + values: + - enabled + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + +{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: In + values: + - "true" + - key: istio.io/rev + operator: DoesNotExist + +{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }} +{{- /* Special case 3: no labels at all */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + - key: "kubernetes.io/metadata.name" + operator: "NotIn" + values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist +{{- end }} + +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/networkpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/networkpolicy.yaml new file mode 100644 index 0000000000..bcc1594d97 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/networkpolicy.yaml @@ -0,0 +1,45 @@ +{{- if (.Values.global.networkPolicy).enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + istio: pilot + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + policyTypes: + - Ingress + - Egress + ingress: + # Webhook from kube-apiserver + - from: [] + ports: + - protocol: TCP + port: 15017 + # xDS from potentially anywhere + - from: [] + ports: + - protocol: TCP + port: 15010 + - protocol: TCP + port: 15011 + - protocol: TCP + port: 15012 + - protocol: TCP + port: 8080 + - protocol: TCP + port: 15014 + # Allow all egress (needed because features like JWKS require connections to user-defined endpoints) + egress: + - {} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/poddisruptionbudget.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/poddisruptionbudget.yaml new file mode 100644 index 0000000000..fcd6c7c2e4 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/poddisruptionbudget.yaml @@ -0,0 +1,39 @@ +# Not created if istiod is running remotely +{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} +{{- if .Values.global.defaultPodDisruptionBudget.enabled }} +# a workaround for https://github.com/kubernetes/kubernetes/issues/93476 +{{- if or (and .Values.autoscaleEnabled (gt (int .Values.autoscaleMin) 1)) (and (not .Values.autoscaleEnabled) (gt (int .Values.replicaCount) 1)) }} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + release: {{ .Release.Name }} + istio: pilot + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +spec: + {{- if and .Values.pdb.minAvailable (not (hasKey .Values.pdb "maxUnavailable")) }} + minAvailable: {{ .Values.pdb.minAvailable }} + {{- else if .Values.pdb.maxUnavailable }} + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + {{- end }} + {{- if .Values.pdb.unhealthyPodEvictionPolicy }} + unhealthyPodEvictionPolicy: {{ .Values.pdb.unhealthyPodEvictionPolicy }} + {{- end }} + selector: + matchLabels: + app: istiod + {{- if ne .Values.revision "" }} + istio.io/rev: {{ .Values.revision | quote }} + {{- else }} + istio: pilot + {{- end }} +--- +{{- end }} +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/reader-clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/reader-clusterrole.yaml new file mode 100644 index 0000000000..dbaa805035 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/reader-clusterrole.yaml @@ -0,0 +1,62 @@ +{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istio-reader + release: {{ .Release.Name }} + app.kubernetes.io/name: "istio-reader" + {{- include "istio.labels" . | nindent 4 }} +rules: + - apiGroups: + - "config.istio.io" + - "security.istio.io" + - "networking.istio.io" + - "authentication.istio.io" + - "rbac.istio.io" + - "telemetry.istio.io" + - "extensions.istio.io" + resources: ["*"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"] + verbs: ["get", "list", "watch"] + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list" ] + resources: [ "workloadentries" ] + - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] + resources: ["gateways"] + verbs: ["get", "watch", "list"] + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch"] + - apiGroups: ["discovery.k8s.io"] + resources: ["endpointslices"] + verbs: ["get", "list", "watch"] + - apiGroups: ["{{ $mcsAPIGroup }}"] + resources: ["serviceexports"] + verbs: ["get", "list", "watch", "create", "delete"] + - apiGroups: ["{{ $mcsAPIGroup }}"] + resources: ["serviceimports"] + verbs: ["get", "list", "watch"] + - apiGroups: ["apps"] + resources: ["replicasets"] + verbs: ["get", "list", "watch"] + - apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] + - apiGroups: ["authorization.k8s.io"] + resources: ["subjectaccessreviews"] + verbs: ["create"] +{{- if .Values.istiodRemote.enabled }} + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["create", "get", "list", "watch", "update"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update"] +{{- end}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/reader-clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/reader-clusterrolebinding.yaml new file mode 100644 index 0000000000..aea9f01f7a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/reader-clusterrolebinding.yaml @@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istio-reader + release: {{ .Release.Name }} + app.kubernetes.io/name: "istio-reader" + {{- include "istio.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} +subjects: + - kind: ServiceAccount + name: istio-reader-service-account + namespace: {{ .Values.global.istioNamespace }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/remote-istiod-endpoints.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/remote-istiod-endpoints.yaml new file mode 100644 index 0000000000..f13b8ce9a9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/remote-istiod-endpoints.yaml @@ -0,0 +1,30 @@ +{{- if and .Values.global.remotePilotAddress .Values.istiodRemote.enabled }} +# if the remotePilotAddress is an IP addr +{{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }} +apiVersion: v1 +kind: Endpoints +metadata: + {{- if .Values.istiodRemote.enabledLocalInjectorIstiod }} + # This file is only used for remote `istiod` installs. + # only primary `istiod` to xds and local `istiod` injection installs. + name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote + {{- else }} + name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }} + {{- end }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +subsets: +- addresses: + - ip: {{ .Values.global.remotePilotAddress }} + ports: + - port: 15012 + name: tcp-istiod + protocol: TCP + - port: 15017 + name: tcp-webhook + protocol: TCP +--- +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/remote-istiod-service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/remote-istiod-service.yaml new file mode 100644 index 0000000000..0a48b9918b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/remote-istiod-service.yaml @@ -0,0 +1,41 @@ +# This file is only used for remote +{{- if and .Values.global.remotePilotAddress .Values.istiodRemote.enabled }} +apiVersion: v1 +kind: Service +metadata: + {{- if .Values.istiodRemote.enabledLocalInjectorIstiod }} + # only primary `istiod` to xds and local `istiod` injection installs. + name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote + {{- else }} + name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }} + {{- end }} + namespace: {{ .Release.Namespace }} + labels: + istio.io/rev: {{ .Values.revision | default "default" | quote }} + app.kubernetes.io/name: "istiod" + {{ include "istio.labels" . | nindent 4 }} +spec: + ports: + - port: 15012 + name: tcp-istiod + protocol: TCP + - port: 443 + targetPort: 15017 + name: tcp-webhook + protocol: TCP + {{- if and .Values.global.remotePilotAddress (not (regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress)) }} + # if the remotePilotAddress is not an IP addr, we use ExternalName + type: ExternalName + externalName: {{ .Values.global.remotePilotAddress }} + {{- end }} +{{- if .Values.global.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.global.ipFamilyPolicy }} +{{- end }} +{{- if .Values.global.ipFamilies }} + ipFamilies: +{{- range .Values.global.ipFamilies }} + - {{ . }} +{{- end }} +{{- end }} +--- +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/revision-tags.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/revision-tags.yaml new file mode 100644 index 0000000000..06764a826e --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/revision-tags.yaml @@ -0,0 +1,149 @@ +# Adapted from istio-discovery/templates/mutatingwebhook.yaml +# Removed paths for legacy and default selectors since a revision tag +# is inherently created from a specific revision +# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that. +{{- $whv := dict +"revision" .Values.revision + "injectionPath" .Values.istiodRemote.injectionPath + "injectionURL" .Values.istiodRemote.injectionURL + "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy + "caBundle" .Values.istiodRemote.injectionCABundle + "namespace" .Release.Namespace }} +{{- define "core" }} +{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign +a unique prefix to each. */}} +- name: {{.Prefix}}sidecar-injector.istio.io + clientConfig: + {{- if .injectionURL }} + url: "{{ .injectionURL }}" + {{- else }} + service: + name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} + namespace: {{ .namespace }} + path: "{{ .injectionPath }}" + port: 443 + {{- end }} + sideEffects: None + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + reinvocationPolicy: "{{ .reinvocationPolicy }}" + admissionReviewVersions: ["v1"] +{{- end }} +{{- range $tagName := $.Values.revisionTags }} +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: +{{- if eq $.Release.Namespace "istio-system"}} + name: istio-revision-tag-{{ $tagName }} +{{- else }} + name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }} +{{- end }} + labels: + istio.io/tag: {{ $tagName }} + istio.io/rev: {{ $.Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app: sidecar-injector + release: {{ $.Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" $ | nindent 4 }} +{{- if $.Values.sidecarInjectorWebhookAnnotations }} + annotations: +{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }} +{{- end }} +webhooks: +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + - "{{ $tagName }}" + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: DoesNotExist + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + - key: istio.io/rev + operator: In + values: + - "{{ $tagName }}" + +{{- /* When the tag is "default" we want to create webhooks for the default revision */}} +{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}} +{{- if (eq $tagName "default") }} + +{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: In + values: + - enabled + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + +{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: In + values: + - "true" + - key: istio.io/rev + operator: DoesNotExist + +{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }} +{{- /* Special case 3: no labels at all */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + - key: "kubernetes.io/metadata.name" + operator: "NotIn" + values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist +{{- end }} + +{{- end }} +--- +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/role.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/role.yaml new file mode 100644 index 0000000000..bbcfbe4356 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/role.yaml @@ -0,0 +1,35 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +rules: +# permissions to verify the webhook is ready and rejecting +# invalid config. We use --server-dry-run so no config is persisted. +- apiGroups: ["networking.istio.io"] + verbs: ["create"] + resources: ["gateways"] + +# For storing CA secret +- apiGroups: [""] + resources: ["secrets"] + # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config + verbs: ["create", "get", "watch", "list", "update", "delete"] + +# For status controller, so it can delete the distribution report configmap +- apiGroups: [""] + resources: ["configmaps"] + verbs: ["delete"] + +# For gateway deployment controller +- apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "update", "patch", "create"] +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/rolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/rolebinding.yaml new file mode 100644 index 0000000000..0c66b38a7d --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/rolebinding.yaml @@ -0,0 +1,21 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} +subjects: + - kind: ServiceAccount + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/service.yaml new file mode 100644 index 0000000000..25bda4dfd2 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/service.yaml @@ -0,0 +1,57 @@ +# Not created if istiod is running remotely +{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} +apiVersion: v1 +kind: Service +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + {{- if .Values.serviceAnnotations }} + annotations: +{{ toYaml .Values.serviceAnnotations | indent 4 }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app: istiod + istio: pilot + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +spec: + ports: + - port: 15010 + name: grpc-xds # plaintext + protocol: TCP + - port: 15012 + name: https-dns # mTLS with k8s-signed cert + protocol: TCP + - port: 443 + name: https-webhook # validation and injection + targetPort: 15017 + protocol: TCP + - port: 15014 + name: http-monitoring # prometheus stats + protocol: TCP + selector: + app: istiod + {{- if ne .Values.revision "" }} + istio.io/rev: {{ .Values.revision | quote }} + {{- else }} + # Label used by the 'default' service. For versioned deployments we match with app and version. + # This avoids default deployment picking the canary + istio: pilot + {{- end }} + {{- if .Values.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.ipFamilyPolicy }} + {{- end }} + {{- if .Values.ipFamilies }} + ipFamilies: + {{- range .Values.ipFamilies }} + - {{ . }} + {{- end }} + {{- end }} + {{- if .Values.trafficDistribution }} + trafficDistribution: {{ .Values.trafficDistribution }} + {{- end }} +--- +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/serviceaccount.yaml new file mode 100644 index 0000000000..8b4a0c0faf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/serviceaccount.yaml @@ -0,0 +1,24 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} +apiVersion: v1 +kind: ServiceAccount + {{- if .Values.global.imagePullSecrets }} +imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} + {{- if .Values.serviceAccountAnnotations }} + annotations: +{{- toYaml .Values.serviceAccountAnnotations | nindent 4 }} + {{- end }} +{{- end }} +--- diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/validatingadmissionpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/validatingadmissionpolicy.yaml new file mode 100644 index 0000000000..8562a52d59 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/validatingadmissionpolicy.yaml @@ -0,0 +1,63 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} +{{- if .Values.experimental.stableValidationPolicy }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicy +metadata: + name: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" + labels: + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +spec: + failurePolicy: Fail + matchConstraints: + resourceRules: + - apiGroups: + - security.istio.io + - networking.istio.io + - telemetry.istio.io + - extensions.istio.io + apiVersions: ["*"] + operations: ["CREATE", "UPDATE"] + resources: ["*"] + objectSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + {{- if (eq .Values.revision "") }} + - "default" + {{- else }} + - "{{ .Values.revision }}" + {{- end }} + variables: + - name: isEnvoyFilter + expression: "object.kind == 'EnvoyFilter'" + - name: isWasmPlugin + expression: "object.kind == 'WasmPlugin'" + - name: isProxyConfig + expression: "object.kind == 'ProxyConfig'" + - name: isTelemetry + expression: "object.kind == 'Telemetry'" + validations: + - expression: "!variables.isEnvoyFilter" + - expression: "!variables.isWasmPlugin" + - expression: "!variables.isProxyConfig" + - expression: | + !( + variables.isTelemetry && ( + (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) || + (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) || + (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter)) + ) + ) +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicyBinding +metadata: + name: "stable-channel-policy-binding{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" +spec: + policyName: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" + validationActions: [Deny] +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/validatingwebhookconfiguration.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/validatingwebhookconfiguration.yaml new file mode 100644 index 0000000000..b49bf7fafd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/validatingwebhookconfiguration.yaml @@ -0,0 +1,68 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} +{{- if .Values.global.configValidation }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: istio-validator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} + istio: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +webhooks: + # Webhook handling per-revision validation. Mostly here so we can determine whether webhooks + # are rejecting invalid configs on a per-revision basis. + - name: rev.validation.istio.io + clientConfig: + # Should change from base but cannot for API compat + {{- if .Values.base.validationURL }} + url: {{ .Values.base.validationURL }} + {{- else }} + service: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} + path: "/validate" + {{- end }} + {{- if .Values.base.validationCABundle }} + caBundle: "{{ .Values.base.validationCABundle }}" + {{- end }} + rules: + - operations: + - CREATE + - UPDATE + apiGroups: + - security.istio.io + - networking.istio.io + - telemetry.istio.io + - extensions.istio.io + apiVersions: + - "*" + resources: + - "*" + {{- if .Values.base.validationCABundle }} + # Disable webhook controller in Pilot to stop patching it + failurePolicy: Fail + {{- else }} + # Fail open until the validation webhook is ready. The webhook controller + # will update this to `Fail` and patch in the `caBundle` when the webhook + # endpoint is ready. + failurePolicy: Ignore + {{- end }} + sideEffects: None + admissionReviewVersions: ["v1"] + objectSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + {{- if (eq .Values.revision "") }} + - "default" + {{- else }} + - "{{ .Values.revision }}" + {{- end }} +--- +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/zzy_descope_legacy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/zzy_descope_legacy.yaml new file mode 100644 index 0000000000..ae8fced298 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/zzy_descope_legacy.yaml @@ -0,0 +1,3 @@ +{{/* Copy anything under `.pilot` to `.`, to avoid the need to specify a redundant prefix. +Due to the file naming, this always happens after zzz_profile.yaml */}} +{{- $_ := mustMergeOverwrite $.Values (index $.Values "pilot") }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/zzz_profile.yaml new file mode 100644 index 0000000000..3d84956485 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/templates/zzz_profile.yaml @@ -0,0 +1,75 @@ +{{/* +WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. +The original version of this file is located at /manifests directory. +If you want to make a change in this file, edit the original one and run "make gen". + +Complex logic ahead... +We have three sets of values, in order of precedence (last wins): +1. The builtin values.yaml defaults +2. The profile the user selects +3. Users input (-f or --set) + +Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). + +However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). +We can then merge the profile onto the defaults, then the user settings onto that. +Finally, we can set all of that under .Values so the chart behaves without awareness. +*/}} +{{- if $.Values.defaults}} +{{ fail (cat + "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" + ($.Values.defaults | toYaml |nindent 4) +) }} +{{- end }} +{{- $defaults := $.Values._internal_defaults_do_not_set }} +{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} +{{- $profile := dict }} +{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} +{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} +{{- $profile = (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown profile" .) }} +{{- end }} +{{- end }} +{{- with .Values.compatibilityVersion }} +{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} +{{- end }} +{{- end }} +{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} +{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown platform" .) }} +{{- end }} +{{- end }} +{{- if $profile }} +{{- $a := mustMergeOverwrite $defaults $profile }} +{{- end }} +# Flatten globals, if defined on a per-chart basis +{{- if false }} +{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} +{{- end }} +{{- $x := set $.Values "_original" (deepCopy $.Values) }} +{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} + +{{/* +Labels that should be applied to ALL resources. +*/}} +{{- define "istio.labels" -}} +{{- if .Release.Service -}} +app.kubernetes.io/managed-by: {{ .Release.Service | quote }} +{{- end }} +{{- if .Release.Name }} +app.kubernetes.io/instance: {{ .Release.Name | quote }} +{{- end }} +app.kubernetes.io/part-of: "istio" +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +{{- if and .Chart.Name .Chart.Version }} +helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/values.yaml new file mode 100644 index 0000000000..c5879ead5c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/istiod/values.yaml @@ -0,0 +1,573 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + autoscaleEnabled: true + autoscaleMin: 1 + autoscaleMax: 5 + autoscaleBehavior: {} + replicaCount: 1 + rollingMaxSurge: 100% + rollingMaxUnavailable: 25% + + hub: "" + tag: "" + variant: "" + + # Can be a full hub/image:tag + image: pilot + traceSampling: 1.0 + + # Resources for a small pilot install + resources: + requests: + cpu: 500m + memory: 2048Mi + + # Set to `type: RuntimeDefault` to use the default profile if available. + seccompProfile: {} + + # Whether to use an existing CNI installation + cni: + enabled: false + provider: default + + # Additional container arguments + extraContainerArgs: [] + + env: {} + + envVarFrom: [] + + # Settings related to the untaint controller + # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready + # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes + taint: + # Controls whether or not the untaint controller is active + enabled: false + # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod + namespace: "" + + affinity: {} + + tolerations: [] + + cpu: + targetAverageUtilization: 80 + memory: {} + # targetAverageUtilization: 80 + + # Additional volumeMounts to the istiod container + volumeMounts: [] + + # Additional volumes to the istiod pod + volumes: [] + + # Inject initContainers into the istiod pod + initContainers: [] + + nodeSelector: {} + podAnnotations: {} + serviceAnnotations: {} + serviceAccountAnnotations: {} + sidecarInjectorWebhookAnnotations: {} + + topologySpreadConstraints: [] + + # You can use jwksResolverExtraRootCA to provide a root certificate + # in PEM format. This will then be trusted by pilot when resolving + # JWKS URIs. + jwksResolverExtraRootCA: "" + + # The following is used to limit how long a sidecar can be connected + # to a pilot. It balances out load across pilot instances at the cost of + # increasing system churn. + keepaliveMaxServerConnectionAge: 30m + + # Additional labels to apply to the deployment. + deploymentLabels: {} + + # Annotations to apply to the istiod deployment. + deploymentAnnotations: {} + + ## Mesh config settings + + # Install the mesh config map, generated from values.yaml. + # If false, pilot wil use default values (by default) or user-supplied values. + configMap: true + + # Additional labels to apply on the pod level for monitoring and logging configuration. + podLabels: {} + + # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + ipFamilyPolicy: "" + ipFamilies: [] + + # Ambient mode only. + # Set this if you install ztunnel to a different namespace from `istiod`. + # If set, `istiod` will allow connections from trusted node proxy ztunnels + # in the provided namespace. + # If unset, `istiod` will assume the trusted node proxy ztunnel resides + # in the same namespace as itself. + trustedZtunnelNamespace: "" + # Set this if you install ztunnel with a name different from the default. + trustedZtunnelName: "" + + sidecarInjectorWebhook: + # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or + # always skip the injection on pods that match that label selector, regardless of the global policy. + # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions + neverInjectSelector: [] + alwaysInjectSelector: [] + + # injectedAnnotations are additional annotations that will be added to the pod spec after injection + # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations: + # + # annotations: + # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default + # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default + # + # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before + # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify: + # injectedAnnotations: + # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default + # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default + injectedAnnotations: {} + + # This enables injection of sidecar in all namespaces, + # with the exception of namespaces with "istio-injection:disabled" annotation + # Only one environment should have this enabled. + enableNamespacesByDefault: false + + # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run + # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten. + # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur. + reinvocationPolicy: Never + + rewriteAppHTTPProbe: true + + # Templates defines a set of custom injection templates that can be used. For example, defining: + # + # templates: + # hello: | + # metadata: + # labels: + # hello: world + # + # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod + # being injected with the hello=world labels. + # This is intended for advanced configuration only; most users should use the built in template + templates: {} + + # Default templates specifies a set of default templates that are used in sidecar injection. + # By default, a template `sidecar` is always provided, which contains the template of default sidecar. + # To inject other additional templates, define it using the `templates` option, and add it to + # the default templates list. + # For example: + # + # templates: + # hello: | + # metadata: + # labels: + # hello: world + # + # defaultTemplates: ["sidecar", "hello"] + defaultTemplates: [] + istiodRemote: + # If `true`, indicates that this cluster/install should consume a "remote istiod" installation, + # and istiod itself will NOT be installed in this cluster - only the support resources necessary + # to utilize a remote instance. + enabled: false + + # If `true`, indicates that this cluster/install should consume a "local istiod" installation, + # local istiod inject sidecars + enabledLocalInjectorIstiod: false + + # Sidecar injector mutating webhook configuration clientConfig.url value. + # For example: https://$remotePilotAddress:15017/inject + # The host should not refer to a service running in the cluster; use a service reference by specifying + # the clientConfig.service field instead. + injectionURL: "" + + # Sidecar injector mutating webhook configuration path value for the clientConfig.service field. + # Override to pass env variables, for example: /inject/cluster/remote/net/network2 + injectionPath: "/inject" + + injectionCABundle: "" + telemetry: + enabled: true + v2: + # For Null VM case now. + # This also enables metadata exchange. + enabled: true + # Indicate if prometheus stats filter is enabled or not + prometheus: + enabled: true + # stackdriver filter settings. + stackdriver: + enabled: false + # Revision is set as 'version' label and part of the resource names when installing multiple control planes. + revision: "" + + # Revision tags are aliases to Istio control plane revisions + revisionTags: [] + + # For Helm compatibility. + ownerName: "" + + # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior + # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options + meshConfig: + enablePrometheusMerge: true + + experimental: + stableValidationPolicy: false + + global: + # Used to locate istiod. + istioNamespace: istio-system + # List of cert-signers to allow "approve" action in the istio cluster role + # + # certSigners: + # - clusterissuers.cert-manager.io/istio-ca + certSigners: [] + # enable pod disruption budget for the control plane, which is used to + # ensure Istio control plane components are gradually upgraded or recovered. + defaultPodDisruptionBudget: + enabled: true + # The values aren't mutable due to a current PodDisruptionBudget limitation + # minAvailable: 1 + + # A minimal set of requested resources to applied to all deployments so that + # Horizontal Pod Autoscaler will be able to function (if set). + # Each component can overwrite these default values by adding its own resources + # block in the relevant section below and setting the desired resources values. + defaultResources: + requests: + cpu: 10m + # memory: 128Mi + # limits: + # cpu: 100m + # memory: 128Mi + + # Default hub for Istio images. + # Releases are published to docker hub under 'istio' project. + # Dev builds from prow are on gcr.io + hub: gcr.io/istio-release + # Default tag for Istio images. + tag: 1.27.3 + # Variant of the image to use. + # Currently supported are: [debug, distroless] + variant: "" + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent. + imagePullPolicy: "" + + # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) + # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + # - private-registry-key + + # Enabled by default in master for maximising testing. + istiod: + enableAnalysis: false + + # To output all istio components logs in json format by adding --log_as_json argument to each container argument + logAsJson: false + + # In order to use native nftable rules instead of iptable rules, set this flag to true. + nativeNftables: false + + # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: + # The control plane has different scopes depending on component, but can configure default log level across all components + # If empty, default scope and level will be used as configured in code + logging: + level: "default:info" + + # When enabled, default NetworkPolicy resources will be created + networkPolicy: + enabled: false + + omitSidecarInjectorConfigMap: false + + # Configure whether Operator manages webhook configurations. The current behavior + # of Istiod is to manage its own webhook configurations. + # When this option is set as true, Istio Operator, instead of webhooks, manages the + # webhook configurations. When this option is set as false, webhooks manage their + # own webhook configurations. + operatorManageWebhooks: false + + # Custom DNS config for the pod to resolve names of services in other + # clusters. Use this to add additional search domains, and other settings. + # see + # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config + # This does not apply to gateway pods as they typically need a different + # set of DNS settings than the normal application pods (e.g., in + # multicluster scenarios). + # NOTE: If using templates, follow the pattern in the commented example below. + #podDNSSearchNamespaces: + #- global + #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global" + + # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and + # system-node-critical, it is better to configure this in order to make sure your Istio pods + # will not be killed because of low priority class. + # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + # for more detail. + priorityClassName: "" + + proxy: + image: proxyv2 + + # This controls the 'policy' in the sidecar injector. + autoInject: enabled + + # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value + # cluster domain. Default value is "cluster.local". + clusterDomain: "cluster.local" + + # Per Component log level for proxy, applies to gateways and sidecars. If a component level is + # not set, then the global "logLevel" will be used. + componentLogLevel: "misc:error" + + # istio ingress capture allowlist + # examples: + # Redirect only selected ports: --includeInboundPorts="80,8080" + excludeInboundPorts: "" + includeInboundPorts: "*" + + # istio egress capture allowlist + # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly + # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" + # would only capture egress traffic on those two IP Ranges, all other outbound traffic would + # be allowed by the sidecar + includeIPRanges: "*" + excludeIPRanges: "" + includeOutboundPorts: "" + excludeOutboundPorts: "" + + # Log level for proxy, applies to gateways and sidecars. + # Expected values are: trace|debug|info|warning|error|critical|off + logLevel: warning + + # Specify the path to the outlier event log. + # Example: /dev/stdout + outlierLogPath: "" + + #If set to true, istio-proxy container will have privileged securityContext + privileged: false + + # The number of successive failed probes before indicating readiness failure. + readinessFailureThreshold: 4 + + # The initial delay for readiness probes in seconds. + readinessInitialDelaySeconds: 0 + + # The period between readiness probes. + readinessPeriodSeconds: 15 + + # Enables or disables a startup probe. + # For optimal startup times, changing this should be tied to the readiness probe values. + # + # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4. + # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval), + # and doesn't spam the readiness endpoint too much + # + # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30. + # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly. + startupProbe: + enabled: true + failureThreshold: 600 # 10 minutes + + # Resources for the sidecar. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 1024Mi + + # Default port for Pilot agent health checks. A value of 0 will disable health checking. + statusPort: 15020 + + # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none. + # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. + tracer: "none" + + proxy_init: + # Base name for the proxy_init container, used to configure iptables. + image: proxyv2 + # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures. + # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases. + forceApplyIptables: false + + # configure remote pilot and istiod service and endpoint + remotePilotAddress: "" + + ############################################################################################## + # The following values are found in other charts. To effectively modify these values, make # + # make sure they are consistent across your Istio helm charts # + ############################################################################################## + + # The customized CA address to retrieve certificates for the pods in the cluster. + # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. + # If not set explicitly, default to the Istio discovery address. + caAddress: "" + + # Enable control of remote clusters. + externalIstiod: false + + # Configure a remote cluster as the config cluster for an external istiod. + configCluster: false + + # configValidation enables the validation webhook for Istio configuration. + configValidation: true + + # Mesh ID means Mesh Identifier. It should be unique within the scope where + # meshes will interact with each other, but it is not required to be + # globally/universally unique. For example, if any of the following are true, + # then two meshes must have different Mesh IDs: + # - Meshes will have their telemetry aggregated in one place + # - Meshes will be federated together + # - Policy will be written referencing one mesh from the other + # + # If an administrator expects that any of these conditions may become true in + # the future, they should ensure their meshes have different Mesh IDs + # assigned. + # + # Within a multicluster mesh, each cluster must be (manually or auto) + # configured to have the same Mesh ID value. If an existing cluster 'joins' a + # multicluster mesh, it will need to be migrated to the new mesh ID. Details + # of migration TBD, and it may be a disruptive operation to change the Mesh + # ID post-install. + # + # If the mesh admin does not specify a value, Istio will use the value of the + # mesh's Trust Domain. The best practice is to select a proper Trust Domain + # value. + meshID: "" + + # Configure the mesh networks to be used by the Split Horizon EDS. + # + # The following example defines two networks with different endpoints association methods. + # For `network1` all endpoints that their IP belongs to the provided CIDR range will be + # mapped to network1. The gateway for this network example is specified by its public IP + # address and port. + # The second network, `network2`, in this example is defined differently with all endpoints + # retrieved through the specified Multi-Cluster registry being mapped to network2. The + # gateway is also defined differently with the name of the gateway service on the remote + # cluster. The public IP for the gateway will be determined from that remote service (only + # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, + # it still need to be configured manually). + # + # meshNetworks: + # network1: + # endpoints: + # - fromCidr: "192.168.0.1/24" + # gateways: + # - address: 1.1.1.1 + # port: 80 + # network2: + # endpoints: + # - fromRegistry: reg1 + # gateways: + # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local + # port: 443 + # + meshNetworks: {} + + # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. + mountMtlsCerts: false + + multiCluster: + # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection + # to properly label proxies + clusterName: "" + + # Network defines the network this cluster belong to. This name + # corresponds to the networks in the map of mesh networks. + network: "" + + # Configure the certificate provider for control plane communication. + # Currently, two providers are supported: "kubernetes" and "istiod". + # As some platforms may not have kubernetes signing APIs, + # Istiod is the default + pilotCertProvider: istiod + + sds: + # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. + # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the + # JWT is intended for the CA. + token: + aud: istio-ca + + sts: + # The service port used by Security Token Service (STS) server to handle token exchange requests. + # Setting this port to a non-zero value enables STS server. + servicePort: 0 + + # The name of the CA for workload certificates. + # For example, when caName=GkeWorkloadCertificate, GKE workload certificates + # will be used as the certificates for workloads. + # The default value is "" and when caName="", the CA will be configured by other + # mechanisms (e.g., environmental variable CA_PROVIDER). + caName: "" + + waypoint: + # Resources for the waypoint proxy. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: "2" + memory: 1Gi + + # If specified, affinity defines the scheduling constraints of waypoint pods. + affinity: {} + + # Topology Spread Constraints for the waypoint proxy. + topologySpreadConstraints: [] + + # Node labels for the waypoint proxy. + nodeSelector: {} + + # Tolerations for the waypoint proxy. + tolerations: [] + + base: + # For istioctl usage to disable istio config crds in base + enableIstioConfigCRDs: true + + # Gateway Settings + gateways: + # Define the security context for the pod. + # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. + # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. + securityContext: {} + + # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it + seccompProfile: {} + + # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass. + # For example: + # gatewayClasses: + # istio: + # service: + # spec: + # type: ClusterIP + # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field. + gatewayClasses: {} + + pdb: + # -- Minimum available pods set in PodDisruptionBudget. + # Define either 'minAvailable' or 'maxUnavailable', never both. + minAvailable: 1 + # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored. + # maxUnavailable: 1 + # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget. + # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/ + unhealthyPodEvictionPolicy: "" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/Chart.yaml new file mode 100644 index 0000000000..23bf542f1c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/Chart.yaml @@ -0,0 +1,8 @@ +apiVersion: v2 +appVersion: 1.27.3 +description: Helm chart for istio revision tags +name: revisiontags +sources: +- https://github.com/istio-ecosystem/sail-operator +version: 0.1.0 + diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-ambient.yaml new file mode 100644 index 0000000000..495fbcd434 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-ambient.yaml @@ -0,0 +1,24 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" + serviceScopeConfigs: + - servicesSelector: + matchExpressions: + - key: istio.io/global + operator: In + values: ["true"] + scope: GLOBAL +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 0000000000..4f3dbef7ea --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-compatibility-version-1.24.yaml @@ -0,0 +1,15 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + PILOT_ENABLE_IP_AUTOALLOCATE: "false" + # 1.27 behavioral changes + ENABLE_NATIVE_SIDECARS: "false" +ambient: + dnsCapture: false + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..b2f45948c2 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,11 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.27 behavioral changes + ENABLE_NATIVE_SIDECARS: "false" +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-compatibility-version-1.26.yaml new file mode 100644 index 0000000000..af10697326 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-compatibility-version-1.26.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.27 behavioral changes + ENABLE_NATIVE_SIDECARS: "false" \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-demo.yaml new file mode 100644 index 0000000000..d6dc36dd0f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-demo.yaml @@ -0,0 +1,94 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The demo profile enables a variety of things to try out Istio in non-production environments. +# * Lower resource utilization. +# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. +# * More ports enabled on the ingress, which is used in some tasks. +meshConfig: + accessLogFile: /dev/stdout + extensionProviders: + - name: otel + envoyOtelAls: + service: opentelemetry-collector.observability.svc.cluster.local + port: 4317 + - name: skywalking + skywalking: + service: tracing.istio-system.svc.cluster.local + port: 11800 + - name: otel-tracing + opentelemetry: + port: 4317 + service: opentelemetry-collector.observability.svc.cluster.local + - name: jaeger + opentelemetry: + port: 4317 + service: jaeger-collector.istio-system.svc.cluster.local + +cni: + resources: + requests: + cpu: 10m + memory: 40Mi + +ztunnel: + resources: + requests: + cpu: 10m + memory: 40Mi + +global: + proxy: + resources: + requests: + cpu: 10m + memory: 40Mi + waypoint: + resources: + requests: + cpu: 10m + memory: 40Mi + +pilot: + autoscaleEnabled: false + traceSampling: 100 + resources: + requests: + cpu: 10m + memory: 100Mi + +gateways: + istio-egressgateway: + autoscaleEnabled: false + resources: + requests: + cpu: 10m + memory: 40Mi + istio-ingressgateway: + autoscaleEnabled: false + ports: + ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. + # Note that AWS ELB will by default perform health checks on the first port + # on this list. Setting this to the health check port will ensure that health + # checks always work. https://github.com/istio/istio/issues/12503 + - port: 15021 + targetPort: 15021 + name: status-port + - port: 80 + targetPort: 8080 + name: http2 + - port: 443 + targetPort: 8443 + name: https + - port: 31400 + targetPort: 31400 + name: tcp + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + resources: + requests: + cpu: 10m + memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-platform-gke.yaml new file mode 100644 index 0000000000..dfe8a7d741 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-platform-gke.yaml @@ -0,0 +1,10 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work + resourceQuotas: + enabled: true +resourceQuotas: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-platform-k3d.yaml new file mode 100644 index 0000000000..cd86d9ec58 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-platform-k3d.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-platform-k3s.yaml new file mode 100644 index 0000000000..07820106d9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-platform-k3s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-platform-microk8s.yaml new file mode 100644 index 0000000000..57d7f5e3cd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-platform-microk8s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/snap/microk8s/current/args/cni-network + cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-platform-minikube.yaml new file mode 100644 index 0000000000..fa9992e204 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-platform-minikube.yaml @@ -0,0 +1,6 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-platform-openshift.yaml new file mode 100644 index 0000000000..8ddc5e1654 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-platform-openshift.yaml @@ -0,0 +1,19 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The OpenShift profile provides a basic set of settings to run Istio on OpenShift +cni: + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + provider: "multus" +pilot: + cni: + enabled: true + provider: "multus" +seLinuxOptions: + type: spc_t +# Openshift requires privileged pods to run in kube-system +trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-preview.yaml new file mode 100644 index 0000000000..181d7bda2c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-preview.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +meshConfig: + defaultConfig: + proxyMetadata: + # Enable Istio agent to handle DNS requests for known hosts + # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf + ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-remote.yaml new file mode 100644 index 0000000000..d17b9a801a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-remote.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. +istiodRemote: + enabled: true +configMap: false +telemetry: + enabled: false +global: + # TODO BML maybe a different profile for a configcluster/revisit this + omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-stable.yaml new file mode 100644 index 0000000000..358282e69b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/files/profile-stable.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The stable profile deploys admission control to ensure that only stable resources and fields are used +# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE +experimental: + stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/templates/revision-tags.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/templates/revision-tags.yaml new file mode 100644 index 0000000000..06764a826e --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/templates/revision-tags.yaml @@ -0,0 +1,149 @@ +# Adapted from istio-discovery/templates/mutatingwebhook.yaml +# Removed paths for legacy and default selectors since a revision tag +# is inherently created from a specific revision +# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that. +{{- $whv := dict +"revision" .Values.revision + "injectionPath" .Values.istiodRemote.injectionPath + "injectionURL" .Values.istiodRemote.injectionURL + "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy + "caBundle" .Values.istiodRemote.injectionCABundle + "namespace" .Release.Namespace }} +{{- define "core" }} +{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign +a unique prefix to each. */}} +- name: {{.Prefix}}sidecar-injector.istio.io + clientConfig: + {{- if .injectionURL }} + url: "{{ .injectionURL }}" + {{- else }} + service: + name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} + namespace: {{ .namespace }} + path: "{{ .injectionPath }}" + port: 443 + {{- end }} + sideEffects: None + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + reinvocationPolicy: "{{ .reinvocationPolicy }}" + admissionReviewVersions: ["v1"] +{{- end }} +{{- range $tagName := $.Values.revisionTags }} +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: +{{- if eq $.Release.Namespace "istio-system"}} + name: istio-revision-tag-{{ $tagName }} +{{- else }} + name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }} +{{- end }} + labels: + istio.io/tag: {{ $tagName }} + istio.io/rev: {{ $.Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app: sidecar-injector + release: {{ $.Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" $ | nindent 4 }} +{{- if $.Values.sidecarInjectorWebhookAnnotations }} + annotations: +{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }} +{{- end }} +webhooks: +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + - "{{ $tagName }}" + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: DoesNotExist + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + - key: istio.io/rev + operator: In + values: + - "{{ $tagName }}" + +{{- /* When the tag is "default" we want to create webhooks for the default revision */}} +{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}} +{{- if (eq $tagName "default") }} + +{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: In + values: + - enabled + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + +{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: In + values: + - "true" + - key: istio.io/rev + operator: DoesNotExist + +{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }} +{{- /* Special case 3: no labels at all */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + - key: "kubernetes.io/metadata.name" + operator: "NotIn" + values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist +{{- end }} + +{{- end }} +--- +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/templates/zzz_profile.yaml new file mode 100644 index 0000000000..3d84956485 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/templates/zzz_profile.yaml @@ -0,0 +1,75 @@ +{{/* +WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. +The original version of this file is located at /manifests directory. +If you want to make a change in this file, edit the original one and run "make gen". + +Complex logic ahead... +We have three sets of values, in order of precedence (last wins): +1. The builtin values.yaml defaults +2. The profile the user selects +3. Users input (-f or --set) + +Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). + +However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). +We can then merge the profile onto the defaults, then the user settings onto that. +Finally, we can set all of that under .Values so the chart behaves without awareness. +*/}} +{{- if $.Values.defaults}} +{{ fail (cat + "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" + ($.Values.defaults | toYaml |nindent 4) +) }} +{{- end }} +{{- $defaults := $.Values._internal_defaults_do_not_set }} +{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} +{{- $profile := dict }} +{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} +{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} +{{- $profile = (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown profile" .) }} +{{- end }} +{{- end }} +{{- with .Values.compatibilityVersion }} +{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} +{{- end }} +{{- end }} +{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} +{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown platform" .) }} +{{- end }} +{{- end }} +{{- if $profile }} +{{- $a := mustMergeOverwrite $defaults $profile }} +{{- end }} +# Flatten globals, if defined on a per-chart basis +{{- if false }} +{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} +{{- end }} +{{- $x := set $.Values "_original" (deepCopy $.Values) }} +{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} + +{{/* +Labels that should be applied to ALL resources. +*/}} +{{- define "istio.labels" -}} +{{- if .Release.Service -}} +app.kubernetes.io/managed-by: {{ .Release.Service | quote }} +{{- end }} +{{- if .Release.Name }} +app.kubernetes.io/instance: {{ .Release.Name | quote }} +{{- end }} +app.kubernetes.io/part-of: "istio" +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +{{- if and .Chart.Name .Chart.Version }} +helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/values.yaml new file mode 100644 index 0000000000..c5879ead5c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/revisiontags/values.yaml @@ -0,0 +1,573 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + autoscaleEnabled: true + autoscaleMin: 1 + autoscaleMax: 5 + autoscaleBehavior: {} + replicaCount: 1 + rollingMaxSurge: 100% + rollingMaxUnavailable: 25% + + hub: "" + tag: "" + variant: "" + + # Can be a full hub/image:tag + image: pilot + traceSampling: 1.0 + + # Resources for a small pilot install + resources: + requests: + cpu: 500m + memory: 2048Mi + + # Set to `type: RuntimeDefault` to use the default profile if available. + seccompProfile: {} + + # Whether to use an existing CNI installation + cni: + enabled: false + provider: default + + # Additional container arguments + extraContainerArgs: [] + + env: {} + + envVarFrom: [] + + # Settings related to the untaint controller + # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready + # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes + taint: + # Controls whether or not the untaint controller is active + enabled: false + # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod + namespace: "" + + affinity: {} + + tolerations: [] + + cpu: + targetAverageUtilization: 80 + memory: {} + # targetAverageUtilization: 80 + + # Additional volumeMounts to the istiod container + volumeMounts: [] + + # Additional volumes to the istiod pod + volumes: [] + + # Inject initContainers into the istiod pod + initContainers: [] + + nodeSelector: {} + podAnnotations: {} + serviceAnnotations: {} + serviceAccountAnnotations: {} + sidecarInjectorWebhookAnnotations: {} + + topologySpreadConstraints: [] + + # You can use jwksResolverExtraRootCA to provide a root certificate + # in PEM format. This will then be trusted by pilot when resolving + # JWKS URIs. + jwksResolverExtraRootCA: "" + + # The following is used to limit how long a sidecar can be connected + # to a pilot. It balances out load across pilot instances at the cost of + # increasing system churn. + keepaliveMaxServerConnectionAge: 30m + + # Additional labels to apply to the deployment. + deploymentLabels: {} + + # Annotations to apply to the istiod deployment. + deploymentAnnotations: {} + + ## Mesh config settings + + # Install the mesh config map, generated from values.yaml. + # If false, pilot wil use default values (by default) or user-supplied values. + configMap: true + + # Additional labels to apply on the pod level for monitoring and logging configuration. + podLabels: {} + + # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + ipFamilyPolicy: "" + ipFamilies: [] + + # Ambient mode only. + # Set this if you install ztunnel to a different namespace from `istiod`. + # If set, `istiod` will allow connections from trusted node proxy ztunnels + # in the provided namespace. + # If unset, `istiod` will assume the trusted node proxy ztunnel resides + # in the same namespace as itself. + trustedZtunnelNamespace: "" + # Set this if you install ztunnel with a name different from the default. + trustedZtunnelName: "" + + sidecarInjectorWebhook: + # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or + # always skip the injection on pods that match that label selector, regardless of the global policy. + # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions + neverInjectSelector: [] + alwaysInjectSelector: [] + + # injectedAnnotations are additional annotations that will be added to the pod spec after injection + # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations: + # + # annotations: + # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default + # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default + # + # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before + # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify: + # injectedAnnotations: + # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default + # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default + injectedAnnotations: {} + + # This enables injection of sidecar in all namespaces, + # with the exception of namespaces with "istio-injection:disabled" annotation + # Only one environment should have this enabled. + enableNamespacesByDefault: false + + # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run + # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten. + # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur. + reinvocationPolicy: Never + + rewriteAppHTTPProbe: true + + # Templates defines a set of custom injection templates that can be used. For example, defining: + # + # templates: + # hello: | + # metadata: + # labels: + # hello: world + # + # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod + # being injected with the hello=world labels. + # This is intended for advanced configuration only; most users should use the built in template + templates: {} + + # Default templates specifies a set of default templates that are used in sidecar injection. + # By default, a template `sidecar` is always provided, which contains the template of default sidecar. + # To inject other additional templates, define it using the `templates` option, and add it to + # the default templates list. + # For example: + # + # templates: + # hello: | + # metadata: + # labels: + # hello: world + # + # defaultTemplates: ["sidecar", "hello"] + defaultTemplates: [] + istiodRemote: + # If `true`, indicates that this cluster/install should consume a "remote istiod" installation, + # and istiod itself will NOT be installed in this cluster - only the support resources necessary + # to utilize a remote instance. + enabled: false + + # If `true`, indicates that this cluster/install should consume a "local istiod" installation, + # local istiod inject sidecars + enabledLocalInjectorIstiod: false + + # Sidecar injector mutating webhook configuration clientConfig.url value. + # For example: https://$remotePilotAddress:15017/inject + # The host should not refer to a service running in the cluster; use a service reference by specifying + # the clientConfig.service field instead. + injectionURL: "" + + # Sidecar injector mutating webhook configuration path value for the clientConfig.service field. + # Override to pass env variables, for example: /inject/cluster/remote/net/network2 + injectionPath: "/inject" + + injectionCABundle: "" + telemetry: + enabled: true + v2: + # For Null VM case now. + # This also enables metadata exchange. + enabled: true + # Indicate if prometheus stats filter is enabled or not + prometheus: + enabled: true + # stackdriver filter settings. + stackdriver: + enabled: false + # Revision is set as 'version' label and part of the resource names when installing multiple control planes. + revision: "" + + # Revision tags are aliases to Istio control plane revisions + revisionTags: [] + + # For Helm compatibility. + ownerName: "" + + # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior + # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options + meshConfig: + enablePrometheusMerge: true + + experimental: + stableValidationPolicy: false + + global: + # Used to locate istiod. + istioNamespace: istio-system + # List of cert-signers to allow "approve" action in the istio cluster role + # + # certSigners: + # - clusterissuers.cert-manager.io/istio-ca + certSigners: [] + # enable pod disruption budget for the control plane, which is used to + # ensure Istio control plane components are gradually upgraded or recovered. + defaultPodDisruptionBudget: + enabled: true + # The values aren't mutable due to a current PodDisruptionBudget limitation + # minAvailable: 1 + + # A minimal set of requested resources to applied to all deployments so that + # Horizontal Pod Autoscaler will be able to function (if set). + # Each component can overwrite these default values by adding its own resources + # block in the relevant section below and setting the desired resources values. + defaultResources: + requests: + cpu: 10m + # memory: 128Mi + # limits: + # cpu: 100m + # memory: 128Mi + + # Default hub for Istio images. + # Releases are published to docker hub under 'istio' project. + # Dev builds from prow are on gcr.io + hub: gcr.io/istio-release + # Default tag for Istio images. + tag: 1.27.3 + # Variant of the image to use. + # Currently supported are: [debug, distroless] + variant: "" + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent. + imagePullPolicy: "" + + # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) + # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + # - private-registry-key + + # Enabled by default in master for maximising testing. + istiod: + enableAnalysis: false + + # To output all istio components logs in json format by adding --log_as_json argument to each container argument + logAsJson: false + + # In order to use native nftable rules instead of iptable rules, set this flag to true. + nativeNftables: false + + # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: + # The control plane has different scopes depending on component, but can configure default log level across all components + # If empty, default scope and level will be used as configured in code + logging: + level: "default:info" + + # When enabled, default NetworkPolicy resources will be created + networkPolicy: + enabled: false + + omitSidecarInjectorConfigMap: false + + # Configure whether Operator manages webhook configurations. The current behavior + # of Istiod is to manage its own webhook configurations. + # When this option is set as true, Istio Operator, instead of webhooks, manages the + # webhook configurations. When this option is set as false, webhooks manage their + # own webhook configurations. + operatorManageWebhooks: false + + # Custom DNS config for the pod to resolve names of services in other + # clusters. Use this to add additional search domains, and other settings. + # see + # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config + # This does not apply to gateway pods as they typically need a different + # set of DNS settings than the normal application pods (e.g., in + # multicluster scenarios). + # NOTE: If using templates, follow the pattern in the commented example below. + #podDNSSearchNamespaces: + #- global + #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global" + + # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and + # system-node-critical, it is better to configure this in order to make sure your Istio pods + # will not be killed because of low priority class. + # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + # for more detail. + priorityClassName: "" + + proxy: + image: proxyv2 + + # This controls the 'policy' in the sidecar injector. + autoInject: enabled + + # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value + # cluster domain. Default value is "cluster.local". + clusterDomain: "cluster.local" + + # Per Component log level for proxy, applies to gateways and sidecars. If a component level is + # not set, then the global "logLevel" will be used. + componentLogLevel: "misc:error" + + # istio ingress capture allowlist + # examples: + # Redirect only selected ports: --includeInboundPorts="80,8080" + excludeInboundPorts: "" + includeInboundPorts: "*" + + # istio egress capture allowlist + # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly + # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" + # would only capture egress traffic on those two IP Ranges, all other outbound traffic would + # be allowed by the sidecar + includeIPRanges: "*" + excludeIPRanges: "" + includeOutboundPorts: "" + excludeOutboundPorts: "" + + # Log level for proxy, applies to gateways and sidecars. + # Expected values are: trace|debug|info|warning|error|critical|off + logLevel: warning + + # Specify the path to the outlier event log. + # Example: /dev/stdout + outlierLogPath: "" + + #If set to true, istio-proxy container will have privileged securityContext + privileged: false + + # The number of successive failed probes before indicating readiness failure. + readinessFailureThreshold: 4 + + # The initial delay for readiness probes in seconds. + readinessInitialDelaySeconds: 0 + + # The period between readiness probes. + readinessPeriodSeconds: 15 + + # Enables or disables a startup probe. + # For optimal startup times, changing this should be tied to the readiness probe values. + # + # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4. + # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval), + # and doesn't spam the readiness endpoint too much + # + # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30. + # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly. + startupProbe: + enabled: true + failureThreshold: 600 # 10 minutes + + # Resources for the sidecar. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 1024Mi + + # Default port for Pilot agent health checks. A value of 0 will disable health checking. + statusPort: 15020 + + # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none. + # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. + tracer: "none" + + proxy_init: + # Base name for the proxy_init container, used to configure iptables. + image: proxyv2 + # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures. + # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases. + forceApplyIptables: false + + # configure remote pilot and istiod service and endpoint + remotePilotAddress: "" + + ############################################################################################## + # The following values are found in other charts. To effectively modify these values, make # + # make sure they are consistent across your Istio helm charts # + ############################################################################################## + + # The customized CA address to retrieve certificates for the pods in the cluster. + # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. + # If not set explicitly, default to the Istio discovery address. + caAddress: "" + + # Enable control of remote clusters. + externalIstiod: false + + # Configure a remote cluster as the config cluster for an external istiod. + configCluster: false + + # configValidation enables the validation webhook for Istio configuration. + configValidation: true + + # Mesh ID means Mesh Identifier. It should be unique within the scope where + # meshes will interact with each other, but it is not required to be + # globally/universally unique. For example, if any of the following are true, + # then two meshes must have different Mesh IDs: + # - Meshes will have their telemetry aggregated in one place + # - Meshes will be federated together + # - Policy will be written referencing one mesh from the other + # + # If an administrator expects that any of these conditions may become true in + # the future, they should ensure their meshes have different Mesh IDs + # assigned. + # + # Within a multicluster mesh, each cluster must be (manually or auto) + # configured to have the same Mesh ID value. If an existing cluster 'joins' a + # multicluster mesh, it will need to be migrated to the new mesh ID. Details + # of migration TBD, and it may be a disruptive operation to change the Mesh + # ID post-install. + # + # If the mesh admin does not specify a value, Istio will use the value of the + # mesh's Trust Domain. The best practice is to select a proper Trust Domain + # value. + meshID: "" + + # Configure the mesh networks to be used by the Split Horizon EDS. + # + # The following example defines two networks with different endpoints association methods. + # For `network1` all endpoints that their IP belongs to the provided CIDR range will be + # mapped to network1. The gateway for this network example is specified by its public IP + # address and port. + # The second network, `network2`, in this example is defined differently with all endpoints + # retrieved through the specified Multi-Cluster registry being mapped to network2. The + # gateway is also defined differently with the name of the gateway service on the remote + # cluster. The public IP for the gateway will be determined from that remote service (only + # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, + # it still need to be configured manually). + # + # meshNetworks: + # network1: + # endpoints: + # - fromCidr: "192.168.0.1/24" + # gateways: + # - address: 1.1.1.1 + # port: 80 + # network2: + # endpoints: + # - fromRegistry: reg1 + # gateways: + # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local + # port: 443 + # + meshNetworks: {} + + # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. + mountMtlsCerts: false + + multiCluster: + # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection + # to properly label proxies + clusterName: "" + + # Network defines the network this cluster belong to. This name + # corresponds to the networks in the map of mesh networks. + network: "" + + # Configure the certificate provider for control plane communication. + # Currently, two providers are supported: "kubernetes" and "istiod". + # As some platforms may not have kubernetes signing APIs, + # Istiod is the default + pilotCertProvider: istiod + + sds: + # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. + # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the + # JWT is intended for the CA. + token: + aud: istio-ca + + sts: + # The service port used by Security Token Service (STS) server to handle token exchange requests. + # Setting this port to a non-zero value enables STS server. + servicePort: 0 + + # The name of the CA for workload certificates. + # For example, when caName=GkeWorkloadCertificate, GKE workload certificates + # will be used as the certificates for workloads. + # The default value is "" and when caName="", the CA will be configured by other + # mechanisms (e.g., environmental variable CA_PROVIDER). + caName: "" + + waypoint: + # Resources for the waypoint proxy. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: "2" + memory: 1Gi + + # If specified, affinity defines the scheduling constraints of waypoint pods. + affinity: {} + + # Topology Spread Constraints for the waypoint proxy. + topologySpreadConstraints: [] + + # Node labels for the waypoint proxy. + nodeSelector: {} + + # Tolerations for the waypoint proxy. + tolerations: [] + + base: + # For istioctl usage to disable istio config crds in base + enableIstioConfigCRDs: true + + # Gateway Settings + gateways: + # Define the security context for the pod. + # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. + # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. + securityContext: {} + + # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it + seccompProfile: {} + + # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass. + # For example: + # gatewayClasses: + # istio: + # service: + # spec: + # type: ClusterIP + # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field. + gatewayClasses: {} + + pdb: + # -- Minimum available pods set in PodDisruptionBudget. + # Define either 'minAvailable' or 'maxUnavailable', never both. + minAvailable: 1 + # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored. + # maxUnavailable: 1 + # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget. + # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/ + unhealthyPodEvictionPolicy: "" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/Chart.yaml new file mode 100644 index 0000000000..24ef047b40 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +appVersion: 1.27.3 +description: Helm chart for istio ztunnel components +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio-ztunnel +- istio +name: ztunnel +sources: +- https://github.com/istio/istio +version: 1.27.3 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/README.md new file mode 100644 index 0000000000..ffe0b94fe8 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/README.md @@ -0,0 +1,50 @@ +# Istio Ztunnel Helm Chart + +This chart installs an Istio ztunnel. + +## Setup Repo Info + +```console +helm repo add istio https://istio-release.storage.googleapis.com/charts +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Installing the Chart + +To install the chart: + +```console +helm install ztunnel istio/ztunnel +``` + +## Uninstalling the Chart + +To uninstall/delete the chart: + +```console +helm delete ztunnel +``` + +## Configuration + +To view support configuration options and documentation, run: + +```console +helm show values istio/ztunnel +``` + +### Profiles + +Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. +These can be set with `--set profile=`. +For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. + +For consistency, the same profiles are used across each chart, even if they do not impact a given chart. + +Explicitly set values have highest priority, then profile settings, then chart defaults. + +As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. +When configuring the chart, you should not include this. +That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-ambient.yaml new file mode 100644 index 0000000000..495fbcd434 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-ambient.yaml @@ -0,0 +1,24 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" + serviceScopeConfigs: + - servicesSelector: + matchExpressions: + - key: istio.io/global + operator: In + values: ["true"] + scope: GLOBAL +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 0000000000..4f3dbef7ea --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-compatibility-version-1.24.yaml @@ -0,0 +1,15 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + PILOT_ENABLE_IP_AUTOALLOCATE: "false" + # 1.27 behavioral changes + ENABLE_NATIVE_SIDECARS: "false" +ambient: + dnsCapture: false + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..b2f45948c2 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,11 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.27 behavioral changes + ENABLE_NATIVE_SIDECARS: "false" +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-compatibility-version-1.26.yaml new file mode 100644 index 0000000000..af10697326 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-compatibility-version-1.26.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.27 behavioral changes + ENABLE_NATIVE_SIDECARS: "false" \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-demo.yaml new file mode 100644 index 0000000000..d6dc36dd0f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-demo.yaml @@ -0,0 +1,94 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The demo profile enables a variety of things to try out Istio in non-production environments. +# * Lower resource utilization. +# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. +# * More ports enabled on the ingress, which is used in some tasks. +meshConfig: + accessLogFile: /dev/stdout + extensionProviders: + - name: otel + envoyOtelAls: + service: opentelemetry-collector.observability.svc.cluster.local + port: 4317 + - name: skywalking + skywalking: + service: tracing.istio-system.svc.cluster.local + port: 11800 + - name: otel-tracing + opentelemetry: + port: 4317 + service: opentelemetry-collector.observability.svc.cluster.local + - name: jaeger + opentelemetry: + port: 4317 + service: jaeger-collector.istio-system.svc.cluster.local + +cni: + resources: + requests: + cpu: 10m + memory: 40Mi + +ztunnel: + resources: + requests: + cpu: 10m + memory: 40Mi + +global: + proxy: + resources: + requests: + cpu: 10m + memory: 40Mi + waypoint: + resources: + requests: + cpu: 10m + memory: 40Mi + +pilot: + autoscaleEnabled: false + traceSampling: 100 + resources: + requests: + cpu: 10m + memory: 100Mi + +gateways: + istio-egressgateway: + autoscaleEnabled: false + resources: + requests: + cpu: 10m + memory: 40Mi + istio-ingressgateway: + autoscaleEnabled: false + ports: + ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. + # Note that AWS ELB will by default perform health checks on the first port + # on this list. Setting this to the health check port will ensure that health + # checks always work. https://github.com/istio/istio/issues/12503 + - port: 15021 + targetPort: 15021 + name: status-port + - port: 80 + targetPort: 8080 + name: http2 + - port: 443 + targetPort: 8443 + name: https + - port: 31400 + targetPort: 31400 + name: tcp + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + resources: + requests: + cpu: 10m + memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-platform-gke.yaml new file mode 100644 index 0000000000..dfe8a7d741 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-platform-gke.yaml @@ -0,0 +1,10 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work + resourceQuotas: + enabled: true +resourceQuotas: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-platform-k3d.yaml new file mode 100644 index 0000000000..cd86d9ec58 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-platform-k3d.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-platform-k3s.yaml new file mode 100644 index 0000000000..07820106d9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-platform-k3s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-platform-microk8s.yaml new file mode 100644 index 0000000000..57d7f5e3cd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-platform-microk8s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/snap/microk8s/current/args/cni-network + cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-platform-minikube.yaml new file mode 100644 index 0000000000..fa9992e204 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-platform-minikube.yaml @@ -0,0 +1,6 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-platform-openshift.yaml new file mode 100644 index 0000000000..8ddc5e1654 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-platform-openshift.yaml @@ -0,0 +1,19 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The OpenShift profile provides a basic set of settings to run Istio on OpenShift +cni: + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + provider: "multus" +pilot: + cni: + enabled: true + provider: "multus" +seLinuxOptions: + type: spc_t +# Openshift requires privileged pods to run in kube-system +trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-preview.yaml new file mode 100644 index 0000000000..181d7bda2c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-preview.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +meshConfig: + defaultConfig: + proxyMetadata: + # Enable Istio agent to handle DNS requests for known hosts + # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf + ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-remote.yaml new file mode 100644 index 0000000000..d17b9a801a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-remote.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. +istiodRemote: + enabled: true +configMap: false +telemetry: + enabled: false +global: + # TODO BML maybe a different profile for a configcluster/revisit this + omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-stable.yaml new file mode 100644 index 0000000000..358282e69b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/files/profile-stable.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The stable profile deploys admission control to ensure that only stable resources and fields are used +# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE +experimental: + stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/templates/NOTES.txt new file mode 100644 index 0000000000..244f59db06 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/templates/NOTES.txt @@ -0,0 +1,5 @@ +ztunnel successfully installed! + +To learn more about the release, try: + $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} + $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/templates/_helpers.tpl new file mode 100644 index 0000000000..46a7a0b79d --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/templates/_helpers.tpl @@ -0,0 +1 @@ +{{ define "ztunnel.release-name" }}{{ .Values.resourceName| default "ztunnel" }}{{ end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/templates/daemonset.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/templates/daemonset.yaml new file mode 100644 index 0000000000..7de85a2d18 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/templates/daemonset.yaml @@ -0,0 +1,210 @@ +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ include "ztunnel.release-name" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: ztunnel + {{- include "istio.labels" . | nindent 4}} + {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }} + annotations: +{{- if .Values.revision }} + {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }} + {{- toYaml $annos | nindent 4}} +{{- else }} + {{- .Values.annotations | toYaml | nindent 4 }} +{{- end }} +spec: + {{- with .Values.updateStrategy }} + updateStrategy: + {{- toYaml . | nindent 4 }} + {{- end }} + selector: + matchLabels: + app: ztunnel + template: + metadata: + labels: + sidecar.istio.io/inject: "false" + istio.io/dataplane-mode: none + app: ztunnel + app.kubernetes.io/name: ztunnel + {{- include "istio.labels" . | nindent 8}} +{{ with .Values.podLabels -}}{{ toYaml . | indent 8 }}{{ end }} + annotations: + sidecar.istio.io/inject: "false" +{{- if .Values.revision }} + istio.io/rev: {{ .Values.revision }} +{{- end }} +{{ with .Values.podAnnotations -}}{{ toYaml . | indent 8 }}{{ end }} + spec: + nodeSelector: + kubernetes.io/os: linux +{{- if .Values.nodeSelector }} +{{ toYaml .Values.nodeSelector | indent 8 }} +{{- end }} +{{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | trim | indent 8 }} +{{- end }} + serviceAccountName: {{ include "ztunnel.release-name" . }} +{{- if .Values.tolerations }} + tolerations: +{{ toYaml .Values.tolerations | trim | indent 8 }} +{{- end }} + containers: + - name: istio-proxy +{{- if contains "/" .Values.image }} + image: "{{ .Values.image }}" +{{- else }} + image: "{{ .Values.hub }}/{{ .Values.image | default "ztunnel" }}:{{ .Values.tag }}{{with (.Values.variant )}}-{{.}}{{end}}" +{{- end }} + ports: + - containerPort: 15020 + name: ztunnel-stats + protocol: TCP + resources: +{{- if .Values.resources }} +{{ toYaml .Values.resources | trim | indent 10 }} +{{- end }} +{{- with .Values.imagePullPolicy }} + imagePullPolicy: {{ . }} +{{- end }} + securityContext: + # K8S docs are clear that CAP_SYS_ADMIN *or* privileged: true + # both force this to `true`: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + # But there is a K8S validation bug that doesn't propery catch this: https://github.com/kubernetes/kubernetes/issues/119568 + allowPrivilegeEscalation: true + privileged: false + capabilities: + drop: + - ALL + add: # See https://man7.org/linux/man-pages/man7/capabilities.7.html + - NET_ADMIN # Required for TPROXY and setsockopt + - SYS_ADMIN # Required for `setns` - doing things in other netns + - NET_RAW # Required for RAW/PACKET sockets, TPROXY + readOnlyRootFilesystem: true + runAsGroup: 1337 + runAsNonRoot: false + runAsUser: 0 +{{- if .Values.seLinuxOptions }} + seLinuxOptions: +{{ toYaml .Values.seLinuxOptions | trim | indent 12 }} +{{- end }} + readinessProbe: + httpGet: + port: 15021 + path: /healthz/ready + args: + - proxy + - ztunnel + env: + - name: CA_ADDRESS + {{- if .Values.caAddress }} + value: {{ .Values.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012 + {{- end }} + - name: XDS_ADDRESS + {{- if .Values.xdsAddress }} + value: {{ .Values.xdsAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012 + {{- end }} + {{- if .Values.logAsJson }} + - name: LOG_FORMAT + value: json + {{- end}} + {{- if .Values.network }} + - name: NETWORK + value: {{ .Values.network | quote }} + {{- end }} + - name: RUST_LOG + value: {{ .Values.logLevel | quote }} + - name: RUST_BACKTRACE + value: "1" + - name: ISTIO_META_CLUSTER_ID + value: {{ .Values.multiCluster.clusterName | default "Kubernetes" }} + - name: INPOD_ENABLED + value: "true" + - name: TERMINATION_GRACE_PERIOD_SECONDS + value: "{{ .Values.terminationGracePeriodSeconds }}" + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + {{- if .Values.meshConfig.defaultConfig.proxyMetadata }} + {{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata}} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + - name: ZTUNNEL_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + {{- with .Values.env }} + {{- range $key, $val := . }} + - name: {{ $key }} + value: "{{ $val }}" + {{- end }} + {{- end }} + volumeMounts: + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + - mountPath: /var/run/secrets/tokens + name: istio-token + - mountPath: /var/run/ztunnel + name: cni-ztunnel-sock-dir + - mountPath: /tmp + name: tmp + {{- with .Values.volumeMounts }} + {{- toYaml . | nindent 8 }} + {{- end }} + priorityClassName: system-node-critical + terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} + volumes: + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: istio-ca + - name: istiod-ca-cert + {{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:{{ .Values.trustBundleName | default "root-cert" }} + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + - name: cni-ztunnel-sock-dir + hostPath: + path: /var/run/ztunnel + type: DirectoryOrCreate # ideally this would be a socket, but istio-cni may not have started yet. + # pprof needs a writable /tmp, and we don't have that thanks to `readOnlyRootFilesystem: true`, so mount one + - name: tmp + emptyDir: {} + {{- with .Values.volumes }} + {{- toYaml . | nindent 6}} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/templates/networkpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/templates/networkpolicy.yaml new file mode 100644 index 0000000000..b397c64c82 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/templates/networkpolicy.yaml @@ -0,0 +1,62 @@ +{{- if (.Values.global.networkPolicy).enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ include "ztunnel.release-name" . }}{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: ztunnel + app.kubernetes.io/name: ztunnel + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Ztunnel" + release: {{ .Release.Name }} + {{- include "istio.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + app: ztunnel + policyTypes: + - Ingress + - Egress + ingress: + # Readiness probe + - from: [] + ports: + - protocol: TCP + port: 15021 + # Monitoring/prometheus + - from: [] + ports: + - protocol: TCP + port: 15020 # Metrics + # Admin interface + - from: [] + ports: + - protocol: TCP + port: 15000 # Admin interface + # HBONE traffic + - from: [] + ports: + - protocol: TCP + port: 15008 + # Outbound traffic endpoint + - from: [] + ports: + - protocol: TCP + port: 15001 + # Traffic endpoint for inbound plaintext + - from: [] + ports: + - protocol: TCP + port: 15006 + # DNS Captures + - from: [ ] + ports: + - protocol: TCP + port: 15053 + - protocol: UDP + port: 15053 + egress: + # Allow all egress + - {} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/templates/rbac.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/templates/rbac.yaml new file mode 100644 index 0000000000..0a8138c9a3 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/templates/rbac.yaml @@ -0,0 +1,72 @@ +apiVersion: v1 +kind: ServiceAccount + {{- with .Values.imagePullSecrets }} +imagePullSecrets: + {{- range . }} + - name: {{ . }} + {{- end }} + {{- end }} +metadata: + name: {{ include "ztunnel.release-name" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: ztunnel + {{- include "istio.labels" . | nindent 4}} + {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }} + annotations: +{{- if .Values.revision }} + {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }} + {{- toYaml $annos | nindent 4}} +{{- else }} + {{- .Values.annotations | toYaml | nindent 4 }} +{{- end }} +--- +{{- if (eq (.Values.platform | default "") "openshift") }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "ztunnel.release-name" . }} + labels: + app: ztunnel + release: {{ include "ztunnel.release-name" . }} + app.kubernetes.io/name: ztunnel + {{- include "istio.labels" . | nindent 4}} + annotations: +{{- if .Values.revision }} + {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }} + {{- toYaml $annos | nindent 4}} +{{- else }} + {{- .Values.annotations | toYaml | nindent 4 }} +{{- end }} +rules: +- apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: ["privileged"] + verbs: ["use"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "ztunnel.release-name" . }} + labels: + app: ztunnel + release: {{ include "ztunnel.release-name" . }} + app.kubernetes.io/name: ztunnel + {{- include "istio.labels" . | nindent 4}} + annotations: +{{- if .Values.revision }} + {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }} + {{- toYaml $annos | nindent 4}} +{{- else }} + {{- .Values.annotations | toYaml | nindent 4 }} +{{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "ztunnel.release-name" . }} +subjects: +- kind: ServiceAccount + name: {{ include "ztunnel.release-name" . }} + namespace: {{ .Release.Namespace }} +{{- end }} +--- diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/templates/resourcequota.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/templates/resourcequota.yaml new file mode 100644 index 0000000000..a1c0e5496d --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/templates/resourcequota.yaml @@ -0,0 +1,20 @@ +{{- if .Values.resourceQuotas.enabled }} +apiVersion: v1 +kind: ResourceQuota +metadata: + name: {{ include "ztunnel.release-name" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: ztunnel + {{- include "istio.labels" . | nindent 4}} + {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }} +spec: + hard: + pods: {{ .Values.resourceQuotas.pods | quote }} + scopeSelector: + matchExpressions: + - operator: In + scopeName: PriorityClass + values: + - system-node-critical +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/templates/zzz_profile.yaml new file mode 100644 index 0000000000..606c556697 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/templates/zzz_profile.yaml @@ -0,0 +1,75 @@ +{{/* +WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. +The original version of this file is located at /manifests directory. +If you want to make a change in this file, edit the original one and run "make gen". + +Complex logic ahead... +We have three sets of values, in order of precedence (last wins): +1. The builtin values.yaml defaults +2. The profile the user selects +3. Users input (-f or --set) + +Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). + +However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). +We can then merge the profile onto the defaults, then the user settings onto that. +Finally, we can set all of that under .Values so the chart behaves without awareness. +*/}} +{{- if $.Values.defaults}} +{{ fail (cat + "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" + ($.Values.defaults | toYaml |nindent 4) +) }} +{{- end }} +{{- $defaults := $.Values._internal_defaults_do_not_set }} +{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} +{{- $profile := dict }} +{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} +{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} +{{- $profile = (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown profile" .) }} +{{- end }} +{{- end }} +{{- with .Values.compatibilityVersion }} +{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} +{{- end }} +{{- end }} +{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} +{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown platform" .) }} +{{- end }} +{{- end }} +{{- if $profile }} +{{- $a := mustMergeOverwrite $defaults $profile }} +{{- end }} +# Flatten globals, if defined on a per-chart basis +{{- if true }} +{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} +{{- end }} +{{- $x := set $.Values "_original" (deepCopy $.Values) }} +{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} + +{{/* +Labels that should be applied to ALL resources. +*/}} +{{- define "istio.labels" -}} +{{- if .Release.Service -}} +app.kubernetes.io/managed-by: {{ .Release.Service | quote }} +{{- end }} +{{- if .Release.Name }} +app.kubernetes.io/instance: {{ .Release.Name | quote }} +{{- end }} +app.kubernetes.io/part-of: "istio" +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +{{- if and .Chart.Name .Chart.Version }} +helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/values.yaml new file mode 100644 index 0000000000..812abc7a8c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/charts/ztunnel/values.yaml @@ -0,0 +1,133 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + # Hub to pull from. Image will be `Hub/Image:Tag-Variant` + hub: gcr.io/istio-release + # Tag to pull from. Image will be `Hub/Image:Tag-Variant` + tag: 1.27.3 + # Variant to pull. Options are "debug" or "distroless". Unset will use the default for the given version. + variant: "" + + # Image name to pull from. Image will be `Hub/Image:Tag-Variant` + # If Image contains a "/", it will replace the entire `image` in the pod. + image: ztunnel + + # Same as `global.network`, but will override it if set. + # Network defines the network this cluster belong to. This name + # corresponds to the networks in the map of mesh networks. + network: "" + + global: + # When enabled, default NetworkPolicy resources will be created + networkPolicy: + enabled: false + + # resourceName, if set, will override the naming of resources. If not set, will default to 'ztunnel'. + # If you set this, you MUST also set `trustedZtunnelName` in the `istiod` chart. + resourceName: "" + + # Labels to apply to all top level resources + labels: {} + # Annotations to apply to all top level resources + annotations: {} + + # Additional volumeMounts to the ztunnel container + volumeMounts: [] + + # Additional volumes to the ztunnel pod + volumes: [] + + # Tolerations for the ztunnel pod + tolerations: + - effect: NoSchedule + operator: Exists + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists + + # Annotations added to each pod. The default annotations are required for scraping prometheus (in most environments). + podAnnotations: + prometheus.io/port: "15020" + prometheus.io/scrape: "true" + + # Additional labels to apply on the pod level + podLabels: {} + + # Pod resource configuration + resources: + requests: + cpu: 200m + # Ztunnel memory scales with the size of the cluster and traffic load + # While there are many factors, this is enough for ~200k pod cluster or 100k concurrently open connections. + memory: 512Mi + + resourceQuotas: + enabled: false + pods: 5000 + + # List of secret names to add to the service account as image pull secrets + imagePullSecrets: [] + + # A `key: value` mapping of environment variables to add to the pod + env: {} + + # Override for the pod imagePullPolicy + imagePullPolicy: "" + + # Settings for multicluster + multiCluster: + # The name of the cluster we are installing in. Note this is a user-defined name, which must be consistent + # with Istiod configuration. + clusterName: "" + + # meshConfig defines runtime configuration of components. + # For ztunnel, only defaultConfig is used, but this is nested under `meshConfig` for consistency with other + # components. + # TODO: https://github.com/istio/istio/issues/43248 + meshConfig: + defaultConfig: + proxyMetadata: {} + + # This value defines: + # 1. how many seconds kube waits for ztunnel pod to gracefully exit before forcibly terminating it (this value) + # 2. how many seconds ztunnel waits to drain its own connections (this value - 1 sec) + # Default K8S value is 30 seconds + terminationGracePeriodSeconds: 30 + + # Revision is set as 'version' label and part of the resource names when installing multiple control planes. + # Used to locate the XDS and CA, if caAddress or xdsAddress are not set explicitly. + revision: "" + + # The customized CA address to retrieve certificates for the pods in the cluster. + # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. + caAddress: "" + + # The customized XDS address to retrieve configuration. + # This should include the port - 15012 for Istiod. TLS will be used with the certificates in "istiod-ca-cert" secret. + # By default, it is istiod.istio-system.svc:15012 if revision is not set, or istiod-..svc:15012 + xdsAddress: "" + + # Used to locate the XDS and CA, if caAddress or xdsAddress are not set. + istioNamespace: istio-system + + # Configuration log level of ztunnel binary, default is info. + # Valid values are: trace, debug, info, warn, error + logLevel: info + + # To output all logs in json format + logAsJson: false + + # Set to `type: RuntimeDefault` to use the default profile if available. + seLinuxOptions: {} + # TODO Ambient inpod - for OpenShift, set to the following to get writable sockets in hostmounts to work, eventually consider CSI driver instead + #seLinuxOptions: + # type: spc_t + + # K8s DaemonSet update strategy. + # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec). + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/cni-1.27.3.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/cni-1.27.3.tgz.etag new file mode 100644 index 0000000000..759ea13723 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/cni-1.27.3.tgz.etag @@ -0,0 +1 @@ +4d8a7590020911500b8b8556c7281d25fd7216bedf19449c445c561bd7065677 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/commit b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/commit new file mode 100644 index 0000000000..3bae5204be --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/commit @@ -0,0 +1 @@ +1.27.3 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/gateway-1.27.3.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/gateway-1.27.3.tgz.etag new file mode 100644 index 0000000000..11459843c9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/gateway-1.27.3.tgz.etag @@ -0,0 +1 @@ +3d0d21fd794e155be848d053637e6c919e26096fe18206846a187cbbdb773995 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/istiod-1.27.3.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/istiod-1.27.3.tgz.etag new file mode 100644 index 0000000000..0178d390f1 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/istiod-1.27.3.tgz.etag @@ -0,0 +1 @@ +d596603bd0ec87f9ead32c7ac26389578ebd878150d97f73c2c6a697173c3856 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/profiles/ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/profiles/ambient.yaml new file mode 100644 index 0000000000..71ea784a80 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/profiles/ambient.yaml @@ -0,0 +1,5 @@ +apiVersion: sailoperator.io/v1 +kind: Istio +spec: + values: + profile: ambient diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/profiles/default.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/profiles/default.yaml new file mode 100644 index 0000000000..8f1ef19676 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/profiles/default.yaml @@ -0,0 +1,12 @@ +apiVersion: sailoperator.io/v1 +kind: Istio +spec: + # Most default values come from the helm chart's values.yaml + # Below are the things that differ + values: + defaultRevision: "" + global: + istioNamespace: istio-system + configValidation: true + ztunnel: + resourceName: ztunnel diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/profiles/demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/profiles/demo.yaml new file mode 100644 index 0000000000..53c4b41633 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/profiles/demo.yaml @@ -0,0 +1,5 @@ +apiVersion: sailoperator.io/v1 +kind: Istio +spec: + values: + profile: demo diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/profiles/empty.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/profiles/empty.yaml new file mode 100644 index 0000000000..4477cb1fe1 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/profiles/empty.yaml @@ -0,0 +1,5 @@ +# The empty profile has everything disabled +# This is useful as a base for custom user configuration +apiVersion: sailoperator.io/v1 +kind: Istio +spec: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/profiles/openshift-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/profiles/openshift-ambient.yaml new file mode 100644 index 0000000000..76edf00cd8 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/profiles/openshift-ambient.yaml @@ -0,0 +1,7 @@ +apiVersion: sailoperator.io/v1 +kind: Istio +spec: + values: + profile: ambient + global: + platform: openshift diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/profiles/openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/profiles/openshift.yaml new file mode 100644 index 0000000000..41492660fe --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/profiles/openshift.yaml @@ -0,0 +1,6 @@ +apiVersion: sailoperator.io/v1 +kind: Istio +spec: + values: + global: + platform: openshift diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/profiles/preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/profiles/preview.yaml new file mode 100644 index 0000000000..59d545c840 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/profiles/preview.yaml @@ -0,0 +1,8 @@ +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +apiVersion: sailoperator.io/v1 +kind: Istio +spec: + values: + profile: preview diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/profiles/remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/profiles/remote.yaml new file mode 100644 index 0000000000..54c65c8ba9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/profiles/remote.yaml @@ -0,0 +1,7 @@ +# The remote profile is used to configure a mesh cluster without a locally deployed control plane. +# Only the injector mutating webhook configuration is installed. +apiVersion: sailoperator.io/v1 +kind: Istio +spec: + values: + profile: remote diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/profiles/stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/profiles/stable.yaml new file mode 100644 index 0000000000..285feba244 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/profiles/stable.yaml @@ -0,0 +1,5 @@ +apiVersion: sailoperator.io/v1 +kind: Istio +spec: + values: + profile: stable diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/ztunnel-1.27.3.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/ztunnel-1.27.3.tgz.etag new file mode 100644 index 0000000000..7e5bde22b5 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.3/ztunnel-1.27.3.tgz.etag @@ -0,0 +1 @@ +f372f9abec7d6d6d12610b71701dd37e3cb4a16e58e892ec5ada6c2e52059359 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/base-1.27.5.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/base-1.27.5.tgz.etag new file mode 100644 index 0000000000..5c0b7b25d0 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/base-1.27.5.tgz.etag @@ -0,0 +1 @@ +c53922f1c9da614d87ef63613010eba7e34509719db3d1a4c81be59f00299e4e diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/Chart.yaml new file mode 100644 index 0000000000..bf04c86b30 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/Chart.yaml @@ -0,0 +1,10 @@ +apiVersion: v2 +appVersion: 1.27.5 +description: Helm chart for deploying Istio cluster resources and CRDs +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio +name: base +sources: +- https://github.com/istio/istio +version: 1.27.5 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/README.md new file mode 100644 index 0000000000..ae8f6d5b0e --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/README.md @@ -0,0 +1,35 @@ +# Istio base Helm Chart + +This chart installs resources shared by all Istio revisions. This includes Istio CRDs. + +## Setup Repo Info + +```console +helm repo add istio https://istio-release.storage.googleapis.com/charts +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Installing the Chart + +To install the chart with the release name `istio-base`: + +```console +kubectl create namespace istio-system +helm install istio-base istio/base -n istio-system +``` + +### Profiles + +Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. +These can be set with `--set profile=`. +For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. + +For consistency, the same profiles are used across each chart, even if they do not impact a given chart. + +Explicitly set values have highest priority, then profile settings, then chart defaults. + +As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. +When configuring the chart, you should not include this. +That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-ambient.yaml new file mode 100644 index 0000000000..495fbcd434 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-ambient.yaml @@ -0,0 +1,24 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" + serviceScopeConfigs: + - servicesSelector: + matchExpressions: + - key: istio.io/global + operator: In + values: ["true"] + scope: GLOBAL +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 0000000000..4f3dbef7ea --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-compatibility-version-1.24.yaml @@ -0,0 +1,15 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + PILOT_ENABLE_IP_AUTOALLOCATE: "false" + # 1.27 behavioral changes + ENABLE_NATIVE_SIDECARS: "false" +ambient: + dnsCapture: false + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..b2f45948c2 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,11 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.27 behavioral changes + ENABLE_NATIVE_SIDECARS: "false" +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-compatibility-version-1.26.yaml new file mode 100644 index 0000000000..af10697326 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-compatibility-version-1.26.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.27 behavioral changes + ENABLE_NATIVE_SIDECARS: "false" \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-demo.yaml new file mode 100644 index 0000000000..d6dc36dd0f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-demo.yaml @@ -0,0 +1,94 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The demo profile enables a variety of things to try out Istio in non-production environments. +# * Lower resource utilization. +# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. +# * More ports enabled on the ingress, which is used in some tasks. +meshConfig: + accessLogFile: /dev/stdout + extensionProviders: + - name: otel + envoyOtelAls: + service: opentelemetry-collector.observability.svc.cluster.local + port: 4317 + - name: skywalking + skywalking: + service: tracing.istio-system.svc.cluster.local + port: 11800 + - name: otel-tracing + opentelemetry: + port: 4317 + service: opentelemetry-collector.observability.svc.cluster.local + - name: jaeger + opentelemetry: + port: 4317 + service: jaeger-collector.istio-system.svc.cluster.local + +cni: + resources: + requests: + cpu: 10m + memory: 40Mi + +ztunnel: + resources: + requests: + cpu: 10m + memory: 40Mi + +global: + proxy: + resources: + requests: + cpu: 10m + memory: 40Mi + waypoint: + resources: + requests: + cpu: 10m + memory: 40Mi + +pilot: + autoscaleEnabled: false + traceSampling: 100 + resources: + requests: + cpu: 10m + memory: 100Mi + +gateways: + istio-egressgateway: + autoscaleEnabled: false + resources: + requests: + cpu: 10m + memory: 40Mi + istio-ingressgateway: + autoscaleEnabled: false + ports: + ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. + # Note that AWS ELB will by default perform health checks on the first port + # on this list. Setting this to the health check port will ensure that health + # checks always work. https://github.com/istio/istio/issues/12503 + - port: 15021 + targetPort: 15021 + name: status-port + - port: 80 + targetPort: 8080 + name: http2 + - port: 443 + targetPort: 8443 + name: https + - port: 31400 + targetPort: 31400 + name: tcp + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + resources: + requests: + cpu: 10m + memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-platform-gke.yaml new file mode 100644 index 0000000000..dfe8a7d741 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-platform-gke.yaml @@ -0,0 +1,10 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work + resourceQuotas: + enabled: true +resourceQuotas: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-platform-k3d.yaml new file mode 100644 index 0000000000..cd86d9ec58 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-platform-k3d.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-platform-k3s.yaml new file mode 100644 index 0000000000..07820106d9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-platform-k3s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-platform-microk8s.yaml new file mode 100644 index 0000000000..57d7f5e3cd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-platform-microk8s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/snap/microk8s/current/args/cni-network + cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-platform-minikube.yaml new file mode 100644 index 0000000000..fa9992e204 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-platform-minikube.yaml @@ -0,0 +1,6 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-platform-openshift.yaml new file mode 100644 index 0000000000..8ddc5e1654 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-platform-openshift.yaml @@ -0,0 +1,19 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The OpenShift profile provides a basic set of settings to run Istio on OpenShift +cni: + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + provider: "multus" +pilot: + cni: + enabled: true + provider: "multus" +seLinuxOptions: + type: spc_t +# Openshift requires privileged pods to run in kube-system +trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-preview.yaml new file mode 100644 index 0000000000..181d7bda2c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-preview.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +meshConfig: + defaultConfig: + proxyMetadata: + # Enable Istio agent to handle DNS requests for known hosts + # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf + ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-remote.yaml new file mode 100644 index 0000000000..d17b9a801a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-remote.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. +istiodRemote: + enabled: true +configMap: false +telemetry: + enabled: false +global: + # TODO BML maybe a different profile for a configcluster/revisit this + omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-stable.yaml new file mode 100644 index 0000000000..358282e69b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/files/profile-stable.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The stable profile deploys admission control to ensure that only stable resources and fields are used +# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE +experimental: + stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/templates/NOTES.txt new file mode 100644 index 0000000000..f12616f578 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/templates/NOTES.txt @@ -0,0 +1,5 @@ +Istio base successfully installed! + +To learn more about the release, try: + $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} + $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml new file mode 100644 index 0000000000..2616b09c9a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml @@ -0,0 +1,53 @@ +{{- if and .Values.experimental.stableValidationPolicy (not (eq .Values.defaultRevision "")) }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicy +metadata: + name: "stable-channel-default-policy.istio.io" + labels: + release: {{ .Release.Name }} + istio: istiod + istio.io/rev: {{ .Values.defaultRevision }} + app.kubernetes.io/name: "istiod" + {{ include "istio.labels" . | nindent 4 }} +spec: + failurePolicy: Fail + matchConstraints: + resourceRules: + - apiGroups: + - security.istio.io + - networking.istio.io + - telemetry.istio.io + - extensions.istio.io + apiVersions: ["*"] + operations: ["CREATE", "UPDATE"] + resources: ["*"] + variables: + - name: isEnvoyFilter + expression: "object.kind == 'EnvoyFilter'" + - name: isWasmPlugin + expression: "object.kind == 'WasmPlugin'" + - name: isProxyConfig + expression: "object.kind == 'ProxyConfig'" + - name: isTelemetry + expression: "object.kind == 'Telemetry'" + validations: + - expression: "!variables.isEnvoyFilter" + - expression: "!variables.isWasmPlugin" + - expression: "!variables.isProxyConfig" + - expression: | + !( + variables.isTelemetry && ( + (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) || + (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) || + (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter)) + ) + ) +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicyBinding +metadata: + name: "stable-channel-default-policy-binding.istio.io" +spec: + policyName: "stable-channel-default-policy.istio.io" + validationActions: [Deny] +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml new file mode 100644 index 0000000000..8cb76fd773 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml @@ -0,0 +1,56 @@ +{{- if not (eq .Values.defaultRevision "") }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: istiod-default-validator + labels: + app: istiod + release: {{ .Release.Name }} + istio: istiod + istio.io/rev: {{ .Values.defaultRevision | quote }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +webhooks: + - name: validation.istio.io + clientConfig: + {{- if .Values.base.validationURL }} + url: {{ .Values.base.validationURL }} + {{- else }} + service: + {{- if (eq .Values.defaultRevision "default") }} + name: istiod + {{- else }} + name: istiod-{{ .Values.defaultRevision }} + {{- end }} + namespace: {{ .Values.global.istioNamespace }} + path: "/validate" + {{- end }} + {{- if .Values.base.validationCABundle }} + caBundle: "{{ .Values.base.validationCABundle }}" + {{- end }} + rules: + - operations: + - CREATE + - UPDATE + apiGroups: + - security.istio.io + - networking.istio.io + - telemetry.istio.io + - extensions.istio.io + apiVersions: + - "*" + resources: + - "*" + + {{- if .Values.base.validationCABundle }} + # Disable webhook controller in Pilot to stop patching it + failurePolicy: Fail + {{- else }} + # Fail open until the validation webhook is ready. The webhook controller + # will update this to `Fail` and patch in the `caBundle` when the webhook + # endpoint is ready. + failurePolicy: Ignore + {{- end }} + sideEffects: None + admissionReviewVersions: ["v1"] +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/templates/reader-serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/templates/reader-serviceaccount.yaml new file mode 100644 index 0000000000..ba829a6bfe --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/templates/reader-serviceaccount.yaml @@ -0,0 +1,20 @@ +# This singleton service account aggregates reader permissions for the revisions in a given cluster +# ATM this is a singleton per cluster with Istio installed, and is not revisioned. It maybe should be, +# as otherwise compromising the token for this SA would give you access to *every* installed revision. +# Should be used for remote secret creation. +apiVersion: v1 +kind: ServiceAccount + {{- if .Values.global.imagePullSecrets }} +imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +metadata: + name: istio-reader-service-account + namespace: {{ .Values.global.istioNamespace }} + labels: + app: istio-reader + release: {{ .Release.Name }} + app.kubernetes.io/name: "istio-reader" + {{- include "istio.labels" . | nindent 4 }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/templates/zzz_profile.yaml new file mode 100644 index 0000000000..3d84956485 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/templates/zzz_profile.yaml @@ -0,0 +1,75 @@ +{{/* +WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. +The original version of this file is located at /manifests directory. +If you want to make a change in this file, edit the original one and run "make gen". + +Complex logic ahead... +We have three sets of values, in order of precedence (last wins): +1. The builtin values.yaml defaults +2. The profile the user selects +3. Users input (-f or --set) + +Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). + +However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). +We can then merge the profile onto the defaults, then the user settings onto that. +Finally, we can set all of that under .Values so the chart behaves without awareness. +*/}} +{{- if $.Values.defaults}} +{{ fail (cat + "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" + ($.Values.defaults | toYaml |nindent 4) +) }} +{{- end }} +{{- $defaults := $.Values._internal_defaults_do_not_set }} +{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} +{{- $profile := dict }} +{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} +{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} +{{- $profile = (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown profile" .) }} +{{- end }} +{{- end }} +{{- with .Values.compatibilityVersion }} +{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} +{{- end }} +{{- end }} +{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} +{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown platform" .) }} +{{- end }} +{{- end }} +{{- if $profile }} +{{- $a := mustMergeOverwrite $defaults $profile }} +{{- end }} +# Flatten globals, if defined on a per-chart basis +{{- if false }} +{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} +{{- end }} +{{- $x := set $.Values "_original" (deepCopy $.Values) }} +{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} + +{{/* +Labels that should be applied to ALL resources. +*/}} +{{- define "istio.labels" -}} +{{- if .Release.Service -}} +app.kubernetes.io/managed-by: {{ .Release.Service | quote }} +{{- end }} +{{- if .Release.Name }} +app.kubernetes.io/instance: {{ .Release.Name | quote }} +{{- end }} +app.kubernetes.io/part-of: "istio" +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +{{- if and .Chart.Name .Chart.Version }} +helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/values.yaml new file mode 100644 index 0000000000..d18296f00a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/base/values.yaml @@ -0,0 +1,37 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + global: + + # ImagePullSecrets for control plane ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + + # Used to locate istiod. + istioNamespace: istio-system + base: + # A list of CRDs to exclude. Requires `enableCRDTemplates` to be true. + # Example: `excludedCRDs: ["envoyfilters.networking.istio.io"]`. + # Note: when installing with `istioctl`, `enableIstioConfigCRDs=false` must also be set. + excludedCRDs: [] + # Helm (as of V3) does not support upgrading CRDs, because it is not universally + # safe for them to support this. + # Istio as a project enforces certain backwards-compat guarantees that allow us + # to safely upgrade CRDs in spite of this, so we default to self-managing CRDs + # as standard K8S resources in Helm, and disable Helm's CRD management. See also: + # https://helm.sh/docs/chart_best_practices/custom_resource_definitions/#method-2-separate-charts + enableCRDTemplates: true + + # Validation webhook configuration url + # For example: https://$remotePilotAddress:15017/validate + validationURL: "" + # Validation webhook caBundle value. Useful when running pilot with a well known cert + validationCABundle: "" + + # For istioctl usage to disable istio config crds in base + enableIstioConfigCRDs: true + + defaultRevision: "default" + experimental: + stableValidationPolicy: false diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/Chart.yaml new file mode 100644 index 0000000000..6f877a1eb3 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +appVersion: 1.27.5 +description: Helm chart for istio-cni components +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio-cni +- istio +name: cni +sources: +- https://github.com/istio/istio +version: 1.27.5 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/README.md new file mode 100644 index 0000000000..a8b78d5bde --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/README.md @@ -0,0 +1,65 @@ +# Istio CNI Helm Chart + +This chart installs the Istio CNI Plugin. See the [CNI installation guide](https://istio.io/latest/docs/setup/additional-setup/cni/) +for more information. + +## Setup Repo Info + +```console +helm repo add istio https://istio-release.storage.googleapis.com/charts +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Installing the Chart + +To install the chart with the release name `istio-cni`: + +```console +helm install istio-cni istio/cni -n kube-system +``` + +Installation in `kube-system` is recommended to ensure the [`system-node-critical`](https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/) +`priorityClassName` can be used. You can install in other namespace only on K8S clusters that allow +'system-node-critical' outside of kube-system. + +## Configuration + +To view support configuration options and documentation, run: + +```console +helm show values istio/istio-cni +``` + +### Profiles + +Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. +These can be set with `--set profile=`. +For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. + +For consistency, the same profiles are used across each chart, even if they do not impact a given chart. + +Explicitly set values have highest priority, then profile settings, then chart defaults. + +As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. +When configuring the chart, you should not include this. +That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. + +### Ambient + +To enable ambient, you can use the ambient profile: `--set profile=ambient`. + +#### Calico + +For Calico, you must also modify the settings to allow source spoofing: + +- if deployed by operator, `kubectl patch felixconfigurations default --type='json' -p='[{"op": "add", "path": "/spec/workloadSourceSpoofing", "value": "Any"}]'` +- if deployed by manifest, add env `FELIX_WORKLOADSOURCESPOOFING` with value `Any` in `spec.template.spec.containers.env` for daemonset `calico-node`. (This will allow PODs with specified annotation to skip the rpf check. ) + +### GKE notes + +On GKE, 'kube-system' is required. + +If using `helm template`, `--set cni.cniBinDir=/home/kubernetes/bin` is required - with `helm install` +it is auto-detected. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-ambient.yaml new file mode 100644 index 0000000000..495fbcd434 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-ambient.yaml @@ -0,0 +1,24 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" + serviceScopeConfigs: + - servicesSelector: + matchExpressions: + - key: istio.io/global + operator: In + values: ["true"] + scope: GLOBAL +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 0000000000..4f3dbef7ea --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-compatibility-version-1.24.yaml @@ -0,0 +1,15 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + PILOT_ENABLE_IP_AUTOALLOCATE: "false" + # 1.27 behavioral changes + ENABLE_NATIVE_SIDECARS: "false" +ambient: + dnsCapture: false + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..b2f45948c2 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,11 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.27 behavioral changes + ENABLE_NATIVE_SIDECARS: "false" +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-compatibility-version-1.26.yaml new file mode 100644 index 0000000000..af10697326 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-compatibility-version-1.26.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.27 behavioral changes + ENABLE_NATIVE_SIDECARS: "false" \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-demo.yaml new file mode 100644 index 0000000000..d6dc36dd0f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-demo.yaml @@ -0,0 +1,94 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The demo profile enables a variety of things to try out Istio in non-production environments. +# * Lower resource utilization. +# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. +# * More ports enabled on the ingress, which is used in some tasks. +meshConfig: + accessLogFile: /dev/stdout + extensionProviders: + - name: otel + envoyOtelAls: + service: opentelemetry-collector.observability.svc.cluster.local + port: 4317 + - name: skywalking + skywalking: + service: tracing.istio-system.svc.cluster.local + port: 11800 + - name: otel-tracing + opentelemetry: + port: 4317 + service: opentelemetry-collector.observability.svc.cluster.local + - name: jaeger + opentelemetry: + port: 4317 + service: jaeger-collector.istio-system.svc.cluster.local + +cni: + resources: + requests: + cpu: 10m + memory: 40Mi + +ztunnel: + resources: + requests: + cpu: 10m + memory: 40Mi + +global: + proxy: + resources: + requests: + cpu: 10m + memory: 40Mi + waypoint: + resources: + requests: + cpu: 10m + memory: 40Mi + +pilot: + autoscaleEnabled: false + traceSampling: 100 + resources: + requests: + cpu: 10m + memory: 100Mi + +gateways: + istio-egressgateway: + autoscaleEnabled: false + resources: + requests: + cpu: 10m + memory: 40Mi + istio-ingressgateway: + autoscaleEnabled: false + ports: + ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. + # Note that AWS ELB will by default perform health checks on the first port + # on this list. Setting this to the health check port will ensure that health + # checks always work. https://github.com/istio/istio/issues/12503 + - port: 15021 + targetPort: 15021 + name: status-port + - port: 80 + targetPort: 8080 + name: http2 + - port: 443 + targetPort: 8443 + name: https + - port: 31400 + targetPort: 31400 + name: tcp + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + resources: + requests: + cpu: 10m + memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-platform-gke.yaml new file mode 100644 index 0000000000..dfe8a7d741 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-platform-gke.yaml @@ -0,0 +1,10 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work + resourceQuotas: + enabled: true +resourceQuotas: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-platform-k3d.yaml new file mode 100644 index 0000000000..cd86d9ec58 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-platform-k3d.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-platform-k3s.yaml new file mode 100644 index 0000000000..07820106d9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-platform-k3s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-platform-microk8s.yaml new file mode 100644 index 0000000000..57d7f5e3cd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-platform-microk8s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/snap/microk8s/current/args/cni-network + cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-platform-minikube.yaml new file mode 100644 index 0000000000..fa9992e204 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-platform-minikube.yaml @@ -0,0 +1,6 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-platform-openshift.yaml new file mode 100644 index 0000000000..8ddc5e1654 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-platform-openshift.yaml @@ -0,0 +1,19 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The OpenShift profile provides a basic set of settings to run Istio on OpenShift +cni: + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + provider: "multus" +pilot: + cni: + enabled: true + provider: "multus" +seLinuxOptions: + type: spc_t +# Openshift requires privileged pods to run in kube-system +trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-preview.yaml new file mode 100644 index 0000000000..181d7bda2c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-preview.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +meshConfig: + defaultConfig: + proxyMetadata: + # Enable Istio agent to handle DNS requests for known hosts + # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf + ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-remote.yaml new file mode 100644 index 0000000000..d17b9a801a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-remote.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. +istiodRemote: + enabled: true +configMap: false +telemetry: + enabled: false +global: + # TODO BML maybe a different profile for a configcluster/revisit this + omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-stable.yaml new file mode 100644 index 0000000000..358282e69b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/files/profile-stable.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The stable profile deploys admission control to ensure that only stable resources and fields are used +# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE +experimental: + stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/templates/NOTES.txt new file mode 100644 index 0000000000..fb35525b99 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/templates/NOTES.txt @@ -0,0 +1,5 @@ +"{{ .Release.Name }}" successfully installed! + +To learn more about the release, try: + $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} + $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/templates/_helpers.tpl new file mode 100644 index 0000000000..73cc17b2f6 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/templates/_helpers.tpl @@ -0,0 +1,8 @@ +{{- define "name" -}} + istio-cni +{{- end }} + + +{{- define "istio-tag" -}} + {{ .Values.tag | default .Values.global.tag }}{{with (.Values.variant | default .Values.global.variant)}}-{{.}}{{end}} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/templates/clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/templates/clusterrole.yaml new file mode 100644 index 0000000000..1779e0bb1d --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/templates/clusterrole.yaml @@ -0,0 +1,81 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "name" . }} + labels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +rules: +- apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: ["privileged"] + verbs: ["use"] +- apiGroups: [""] + resources: ["pods","nodes","namespaces"] + verbs: ["get", "list", "watch"] +{{- if (eq ((coalesce .Values.platform .Values.global.platform) | default "") "openshift") }} +- apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: ["privileged"] + verbs: ["use"] +{{- end }} +--- +{{- if .Values.repair.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "name" . }}-repair-role + labels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] + - apiGroups: [""] + resources: ["pods"] + verbs: ["watch", "get", "list"] +{{- if .Values.repair.repairPods }} +{{- /* No privileges needed*/}} +{{- else if .Values.repair.deletePods }} + - apiGroups: [""] + resources: ["pods"] + verbs: ["delete"] +{{- else if .Values.repair.labelPods }} + - apiGroups: [""] + {{- /* pods/status is less privileged than the full pod, and either can label. So use the lower pods/status */}} + resources: ["pods/status"] + verbs: ["patch", "update"] +{{- end }} +{{- end }} +--- +{{- if .Values.ambient.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "name" . }}-ambient + labels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +rules: +- apiGroups: [""] + {{- /* pods/status is less privileged than the full pod, and either can label. So use the lower pods/status */}} + resources: ["pods/status"] + verbs: ["patch", "update"] +- apiGroups: ["apps"] + resources: ["daemonsets"] + resourceNames: ["{{ template "name" . }}-node"] + verbs: ["get"] +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/templates/clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..42fedab1fc --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/templates/clusterrolebinding.yaml @@ -0,0 +1,63 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "name" . }} + labels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "name" . }} +subjects: +- kind: ServiceAccount + name: {{ template "name" . }} + namespace: {{ .Release.Namespace }} +--- +{{- if .Values.repair.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "name" . }}-repair-rolebinding + labels: + k8s-app: {{ template "name" . }}-repair + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +subjects: +- kind: ServiceAccount + name: {{ template "name" . }} + namespace: {{ .Release.Namespace}} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "name" . }}-repair-role +{{- end }} +--- +{{- if .Values.ambient.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "name" . }}-ambient + labels: + k8s-app: {{ template "name" . }}-repair + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ template "name" . }} + namespace: {{ .Release.Namespace}} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "name" . }}-ambient +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/templates/configmap-cni.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/templates/configmap-cni.yaml new file mode 100644 index 0000000000..6f6ef329a2 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/templates/configmap-cni.yaml @@ -0,0 +1,41 @@ +kind: ConfigMap +apiVersion: v1 +metadata: + name: {{ template "name" . }}-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +data: + CURRENT_AGENT_VERSION: {{ .Values.tag | default .Values.global.tag | quote }} + AMBIENT_ENABLED: {{ .Values.ambient.enabled | quote }} + AMBIENT_ENABLEMENT_SELECTOR: {{ .Values.ambient.enablementSelectors | toYaml | quote }} + AMBIENT_DNS_CAPTURE: {{ .Values.ambient.dnsCapture | quote }} + AMBIENT_IPV6: {{ .Values.ambient.ipv6 | quote }} + AMBIENT_RECONCILE_POD_RULES_ON_STARTUP: {{ .Values.ambient.reconcileIptablesOnStartup | quote }} + {{- if .Values.cniConfFileName }} # K8S < 1.24 doesn't like empty values + CNI_CONF_NAME: {{ .Values.cniConfFileName }} # Name of the CNI config file to create. Only override if you know the exact path your CNI requires.. + {{- end }} + ISTIO_OWNED_CNI_CONFIG: {{ .Values.istioOwnedCNIConfig | quote }} + {{- if .Values.istioOwnedCNIConfig }} + ISTIO_OWNED_CNI_CONF_FILENAME: {{ .Values.istioOwnedCNIConfigFileName | quote }} + {{- end }} + CHAINED_CNI_PLUGIN: {{ .Values.chained | quote }} + EXCLUDE_NAMESPACES: "{{ range $idx, $ns := .Values.excludeNamespaces }}{{ if $idx }},{{ end }}{{ $ns }}{{ end }}" + REPAIR_ENABLED: {{ .Values.repair.enabled | quote }} + REPAIR_LABEL_PODS: {{ .Values.repair.labelPods | quote }} + REPAIR_DELETE_PODS: {{ .Values.repair.deletePods | quote }} + REPAIR_REPAIR_PODS: {{ .Values.repair.repairPods | quote }} + REPAIR_INIT_CONTAINER_NAME: {{ .Values.repair.initContainerName | quote }} + REPAIR_BROKEN_POD_LABEL_KEY: {{ .Values.repair.brokenPodLabelKey | quote }} + REPAIR_BROKEN_POD_LABEL_VALUE: {{ .Values.repair.brokenPodLabelValue | quote }} + NATIVE_NFTABLES: {{ .Values.global.nativeNftables | quote }} + {{- with .Values.env }} + {{- range $key, $val := . }} + {{ $key }}: "{{ $val }}" + {{- end }} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/templates/daemonset.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/templates/daemonset.yaml new file mode 100644 index 0000000000..896de3d038 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/templates/daemonset.yaml @@ -0,0 +1,248 @@ +# This manifest installs the Istio install-cni container, as well +# as the Istio CNI plugin and config on +# each master and worker node in a Kubernetes cluster. +# +# $detectedBinDir exists to support a GKE-specific platform override, +# and is deprecated in favor of using the explicit `gke` platform profile. +{{- $detectedBinDir := (.Capabilities.KubeVersion.GitVersion | contains "-gke") | ternary + "/home/kubernetes/bin" + "/opt/cni/bin" +}} +{{- if .Values.cniBinDir }} +{{ $detectedBinDir = .Values.cniBinDir }} +{{- end }} +kind: DaemonSet +apiVersion: apps/v1 +metadata: + # Note that this is templated but evaluates to a fixed name + # which the CNI plugin may fall back onto in some failsafe scenarios. + # if this name is changed, CNI plugin logic that checks for this name + # format should also be updated. + name: {{ template "name" . }}-node + namespace: {{ .Release.Namespace }} + labels: + k8s-app: {{ template "name" . }}-node + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +spec: + selector: + matchLabels: + k8s-app: {{ template "name" . }}-node + {{- with .Values.updateStrategy }} + updateStrategy: + {{- toYaml . | nindent 4 }} + {{- end }} + template: + metadata: + labels: + k8s-app: {{ template "name" . }}-node + sidecar.istio.io/inject: "false" + istio.io/dataplane-mode: none + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 8 }} + annotations: + sidecar.istio.io/inject: "false" + # Add Prometheus Scrape annotations + prometheus.io/scrape: 'true' + prometheus.io/port: "15014" + prometheus.io/path: '/metrics' + # Add AppArmor annotation + # This is required to avoid conflicts with AppArmor profiles which block certain + # privileged pod capabilities. + # Required for Kubernetes 1.29 which does not support setting appArmorProfile in the + # securityContext which is otherwise preferred. + container.apparmor.security.beta.kubernetes.io/install-cni: unconfined + # Custom annotations + {{- if .Values.podAnnotations }} +{{ toYaml .Values.podAnnotations | indent 8 }} + {{- end }} + spec: +{{- if and .Values.ambient.enabled .Values.ambient.shareHostNetworkNamespace }} + hostNetwork: true + dnsPolicy: ClusterFirstWithHostNet +{{- end }} + nodeSelector: + kubernetes.io/os: linux + # Can be configured to allow for excluding istio-cni from being scheduled on specified nodes + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + priorityClassName: system-node-critical + serviceAccountName: {{ template "name" . }} + # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force + # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods. + terminationGracePeriodSeconds: 5 + containers: + # This container installs the Istio CNI binaries + # and CNI network config file on each node. + - name: install-cni +{{- if contains "/" .Values.image }} + image: "{{ .Values.image }}" +{{- else }} + image: "{{ .Values.hub | default .Values.global.hub }}/{{ .Values.image | default "install-cni" }}:{{ template "istio-tag" . }}" +{{- end }} +{{- if or .Values.pullPolicy .Values.global.imagePullPolicy }} + imagePullPolicy: {{ .Values.pullPolicy | default .Values.global.imagePullPolicy }} +{{- end }} + ports: + - containerPort: 15014 + name: metrics + protocol: TCP + readinessProbe: + httpGet: + path: /readyz + port: 8000 + securityContext: + privileged: false + runAsGroup: 0 + runAsUser: 0 + runAsNonRoot: false + # Both ambient and sidecar repair mode require elevated node privileges to function. + # But we don't need _everything_ in `privileged`, so explicitly set it to false and + # add capabilities based on feature. + capabilities: + drop: + - ALL + add: + # CAP_NET_ADMIN is required to allow ipset and route table access + - NET_ADMIN + # CAP_NET_RAW is required to allow iptables mutation of the `nat` table + - NET_RAW + # CAP_SYS_PTRACE is required for repair and ambient mode to describe + # the pod's network namespace. + - SYS_PTRACE + # CAP_SYS_ADMIN is required for both ambient and repair, in order to open + # network namespaces in `/proc` to obtain descriptors for entering pod network + # namespaces. There does not appear to be a more granular capability for this. + - SYS_ADMIN + # While we run as a 'root' (UID/GID 0), since we drop all capabilities we lose + # the typical ability to read/write to folders owned by others. + # This can cause problems if the hostPath mounts we use, which we require write access into, + # are owned by non-root. DAC_OVERRIDE bypasses these and gives us write access into any folder. + - DAC_OVERRIDE +{{- if .Values.seLinuxOptions }} +{{ with (merge .Values.seLinuxOptions (dict "type" "spc_t")) }} + seLinuxOptions: +{{ toYaml . | trim | indent 14 }} +{{- end }} +{{- end }} +{{- if .Values.seccompProfile }} + seccompProfile: +{{ toYaml .Values.seccompProfile | trim | indent 14 }} +{{- end }} + command: ["install-cni"] + args: + {{- if or .Values.logging.level .Values.global.logging.level }} + - --log_output_level={{ coalesce .Values.logging.level .Values.global.logging.level }} + {{- end}} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end}} + envFrom: + - configMapRef: + name: {{ template "name" . }}-config + env: + - name: REPAIR_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: REPAIR_RUN_AS_DAEMON + value: "true" + - name: REPAIR_SIDECAR_ANNOTATION + value: "sidecar.istio.io/status" + {{- if not (and .Values.ambient.enabled .Values.ambient.shareHostNetworkNamespace) }} + - name: ALLOW_SWITCH_TO_HOST_NS + value: "true" + {{- end }} + - name: NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + divisor: '1' + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + divisor: '1' + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + {{- if .Values.env }} + {{- range $key, $val := .Values.env }} + - name: {{ $key }} + value: "{{ $val }}" + {{- end }} + {{- end }} + volumeMounts: + - mountPath: /host/opt/cni/bin + name: cni-bin-dir + {{- if or .Values.repair.repairPods .Values.ambient.enabled }} + - mountPath: /host/proc + name: cni-host-procfs + readOnly: true + {{- end }} + - mountPath: /host/etc/cni/net.d + name: cni-net-dir + - mountPath: /var/run/istio-cni + name: cni-socket-dir + {{- if .Values.ambient.enabled }} + - mountPath: /host/var/run/netns + mountPropagation: HostToContainer + name: cni-netns-dir + - mountPath: /var/run/ztunnel + name: cni-ztunnel-sock-dir + {{ end }} + resources: +{{- if .Values.resources }} +{{ toYaml .Values.resources | trim | indent 12 }} +{{- else }} +{{ toYaml .Values.global.defaultResources | trim | indent 12 }} +{{- end }} + volumes: + # Used to install CNI. + - name: cni-bin-dir + hostPath: + path: {{ $detectedBinDir }} + {{- if or .Values.repair.repairPods .Values.ambient.enabled }} + - name: cni-host-procfs + hostPath: + path: /proc + type: Directory + {{- end }} + {{- if .Values.ambient.enabled }} + - name: cni-ztunnel-sock-dir + hostPath: + path: /var/run/ztunnel + type: DirectoryOrCreate + {{- end }} + - name: cni-net-dir + hostPath: + path: {{ .Values.cniConfDir }} + # Used for UDS sockets for logging, ambient eventing + - name: cni-socket-dir + hostPath: + path: /var/run/istio-cni + - name: cni-netns-dir + hostPath: + path: {{ .Values.cniNetnsDir }} + type: DirectoryOrCreate # DirectoryOrCreate instead of Directory for the following reason - CNI may not bind mount this until a non-hostnetwork pod is scheduled on the node, + # and we don't want to block CNI agent pod creation on waiting for the first non-hostnetwork pod. + # Once the CNI does mount this, it will get populated and we're good. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/templates/network-attachment-definition.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/templates/network-attachment-definition.yaml new file mode 100644 index 0000000000..86a2eb7c0b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/templates/network-attachment-definition.yaml @@ -0,0 +1,11 @@ +{{- if eq .Values.provider "multus" }} +apiVersion: k8s.cni.cncf.io/v1 +kind: NetworkAttachmentDefinition +metadata: + name: {{ template "name" . }} + namespace: default + labels: + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/templates/networkpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/templates/networkpolicy.yaml new file mode 100644 index 0000000000..a30df776db --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/templates/networkpolicy.yaml @@ -0,0 +1,36 @@ +{{- if (.Values.global.networkPolicy).enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ template "name" . }}{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + k8s-app: {{ template "name" . }}-node + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + k8s-app: {{ template "name" . }}-node + policyTypes: + - Ingress + - Egress + ingress: + # Metrics endpoint for monitoring/prometheus + - from: [] + ports: + - protocol: TCP + port: 15014 + # Readiness probe endpoint + - from: [] + ports: + - protocol: TCP + port: 8000 + egress: + # Allow DNS resolution and access to Kubernetes API server. + # IP/Port of the API server is heavily dependant on k8s distribution, so we allow all egress for now. + - {} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/templates/resourcequota.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/templates/resourcequota.yaml new file mode 100644 index 0000000000..9a6d61ff91 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/templates/resourcequota.yaml @@ -0,0 +1,19 @@ +{{- if .Values.resourceQuotas.enabled }} +apiVersion: v1 +kind: ResourceQuota +metadata: + name: {{ template "name" . }}-resource-quota + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +spec: + hard: + pods: {{ .Values.resourceQuotas.pods | quote }} + scopeSelector: + matchExpressions: + - operator: In + scopeName: PriorityClass + values: + - system-node-critical +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/templates/serviceaccount.yaml new file mode 100644 index 0000000000..3193d7b74a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/templates/serviceaccount.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: ServiceAccount +{{- if .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range .Values.global.imagePullSecrets }} + - name: {{ . }} +{{- end }} +{{- end }} +metadata: + name: {{ template "name" . }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/templates/zzy_descope_legacy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/templates/zzy_descope_legacy.yaml new file mode 100644 index 0000000000..a9584ac29f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/templates/zzy_descope_legacy.yaml @@ -0,0 +1,3 @@ +{{/* Copy anything under `.cni` to `.`, to avoid the need to specify a redundant prefix. +Due to the file naming, this always happens after zzz_profile.yaml */}} +{{- $_ := mustMergeOverwrite $.Values (index $.Values "cni") }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/templates/zzz_profile.yaml new file mode 100644 index 0000000000..3d84956485 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/templates/zzz_profile.yaml @@ -0,0 +1,75 @@ +{{/* +WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. +The original version of this file is located at /manifests directory. +If you want to make a change in this file, edit the original one and run "make gen". + +Complex logic ahead... +We have three sets of values, in order of precedence (last wins): +1. The builtin values.yaml defaults +2. The profile the user selects +3. Users input (-f or --set) + +Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). + +However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). +We can then merge the profile onto the defaults, then the user settings onto that. +Finally, we can set all of that under .Values so the chart behaves without awareness. +*/}} +{{- if $.Values.defaults}} +{{ fail (cat + "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" + ($.Values.defaults | toYaml |nindent 4) +) }} +{{- end }} +{{- $defaults := $.Values._internal_defaults_do_not_set }} +{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} +{{- $profile := dict }} +{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} +{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} +{{- $profile = (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown profile" .) }} +{{- end }} +{{- end }} +{{- with .Values.compatibilityVersion }} +{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} +{{- end }} +{{- end }} +{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} +{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown platform" .) }} +{{- end }} +{{- end }} +{{- if $profile }} +{{- $a := mustMergeOverwrite $defaults $profile }} +{{- end }} +# Flatten globals, if defined on a per-chart basis +{{- if false }} +{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} +{{- end }} +{{- $x := set $.Values "_original" (deepCopy $.Values) }} +{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} + +{{/* +Labels that should be applied to ALL resources. +*/}} +{{- define "istio.labels" -}} +{{- if .Release.Service -}} +app.kubernetes.io/managed-by: {{ .Release.Service | quote }} +{{- end }} +{{- if .Release.Name }} +app.kubernetes.io/instance: {{ .Release.Name | quote }} +{{- end }} +app.kubernetes.io/part-of: "istio" +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +{{- if and .Chart.Name .Chart.Version }} +helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/values.yaml new file mode 100644 index 0000000000..b3beacd6ce --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/cni/values.yaml @@ -0,0 +1,182 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + hub: "" + tag: "" + variant: "" + image: install-cni + pullPolicy: "" + + # Same as `global.logging.level`, but will override it if set + logging: + level: "" + + # Configuration file to insert istio-cni plugin configuration + # by default this will be the first file found in the cni-conf-dir + # Example + # cniConfFileName: 10-calico.conflist + + # CNI-and-platform specific path defaults. + # These may need to be set to platform-specific values, consult + # overrides for your platform in `manifests/helm-profiles/platform-*.yaml` + cniBinDir: /opt/cni/bin + cniConfDir: /etc/cni/net.d + cniConfFileName: "" + cniNetnsDir: "/var/run/netns" + + # If Istio owned CNI config is enabled, defaults to 02-istio-cni.conflist + istioOwnedCNIConfigFileName: "" + istioOwnedCNIConfig: false + + excludeNamespaces: + - kube-system + + # Allows user to set custom affinity for the DaemonSet + affinity: {} + + # Custom annotations on pod level, if you need them + podAnnotations: {} + + # Deploy the config files as plugin chain (value "true") or as standalone files in the conf dir (value "false")? + # Some k8s flavors (e.g. OpenShift) do not support the chain approach, set to false if this is the case + chained: true + + # Custom configuration happens based on the CNI provider. + # Possible values: "default", "multus" + provider: "default" + + # Configure ambient settings + ambient: + # If enabled, ambient redirection will be enabled + enabled: false + # If ambient is enabled, this selector will be used to identify the ambient-enabled pods + enablementSelectors: + - podSelector: + matchLabels: {istio.io/dataplane-mode: ambient} + - podSelector: + matchExpressions: + - { key: istio.io/dataplane-mode, operator: NotIn, values: [none] } + namespaceSelector: + matchLabels: {istio.io/dataplane-mode: ambient} + # Set ambient config dir path: defaults to /etc/ambient-config + configDir: "" + # If enabled, and ambient is enabled, DNS redirection will be enabled + dnsCapture: true + # If enabled, and ambient is enabled, enables ipv6 support + ipv6: true + # If enabled, and ambient is enabled, the CNI agent will reconcile incompatible iptables rules and chains at startup. + # This will eventually be enabled by default + reconcileIptablesOnStartup: false + # If enabled, and ambient is enabled, the CNI agent will always share the network namespace of the host node it is running on + shareHostNetworkNamespace: false + + + repair: + enabled: true + hub: "" + tag: "" + + # Repair controller has 3 modes. Pick which one meets your use cases. Note only one may be used. + # This defines the action the controller will take when a pod is detected as broken. + + # labelPods will label all pods with =. + # This is only capable of identifying broken pods; the user is responsible for fixing them (generally, by deleting them). + # Note this gives the DaemonSet a relatively high privilege, as modifying pod metadata/status can have wider impacts. + labelPods: false + # deletePods will delete any broken pod. These will then be rescheduled, hopefully onto a node that is fully ready. + # Note this gives the DaemonSet a relatively high privilege, as it can delete any Pod. + deletePods: false + # repairPods will dynamically repair any broken pod by setting up the pod networking configuration even after it has started. + # Note the pod will be crashlooping, so this may take a few minutes to become fully functional based on when the retry occurs. + # This requires no RBAC privilege, but does require `securityContext.privileged/CAP_SYS_ADMIN`. + repairPods: true + + initContainerName: "istio-validation" + + brokenPodLabelKey: "cni.istio.io/uninitialized" + brokenPodLabelValue: "true" + + # Set to `type: RuntimeDefault` to use the default profile if available. + seccompProfile: {} + + # SELinux options to set in the istio-cni-node pods. You may need to set this to `type: spc_t` for some platforms. + seLinuxOptions: {} + + resources: + requests: + cpu: 100m + memory: 100Mi + + resourceQuotas: + enabled: false + pods: 5000 + + tolerations: + # Make sure istio-cni-node gets scheduled on all nodes. + - effect: NoSchedule + operator: Exists + # Mark the pod as a critical add-on for rescheduling. + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists + + # K8s DaemonSet update strategy. + # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec). + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 + + # Revision is set as 'version' label and part of the resource names when installing multiple control planes. + revision: "" + + # For Helm compatibility. + ownerName: "" + + global: + # Default hub for Istio images. + # Releases are published to docker hub under 'istio' project. + # Dev builds from prow are on gcr.io + hub: gcr.io/istio-release + + # Default tag for Istio images. + tag: 1.27.5 + + # Variant of the image to use. + # Currently supported are: [debug, distroless] + variant: "" + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent. + imagePullPolicy: "" + + # change cni scope level to control logging out of istio-cni-node DaemonSet + logging: + level: info + + logAsJson: false + + # When enabled, default NetworkPolicy resources will be created + networkPolicy: + enabled: false + + # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) + # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + # - private-registry-key + + # Default resources allocated + defaultResources: + requests: + cpu: 100m + memory: 100Mi + + # In order to use native nftable rules instead of iptable rules, set this flag to true. + nativeNftables: false + + # A `key: value` mapping of environment variables to add to the pod + env: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/Chart.yaml new file mode 100644 index 0000000000..7f68c00147 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/Chart.yaml @@ -0,0 +1,12 @@ +apiVersion: v2 +appVersion: 1.27.5 +description: Helm chart for deploying Istio gateways +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio +- gateways +name: gateway +sources: +- https://github.com/istio/istio +type: application +version: 1.27.5 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/README.md new file mode 100644 index 0000000000..5c064d165b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/README.md @@ -0,0 +1,170 @@ +# Istio Gateway Helm Chart + +This chart installs an Istio gateway deployment. + +## Setup Repo Info + +```console +helm repo add istio https://istio-release.storage.googleapis.com/charts +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Installing the Chart + +To install the chart with the release name `istio-ingressgateway`: + +```console +helm install istio-ingressgateway istio/gateway +``` + +## Uninstalling the Chart + +To uninstall/delete the `istio-ingressgateway` deployment: + +```console +helm delete istio-ingressgateway +``` + +## Configuration + +To view support configuration options and documentation, run: + +```console +helm show values istio/gateway +``` + +### Profiles + +Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. +These can be set with `--set profile=`. +For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. + +For consistency, the same profiles are used across each chart, even if they do not impact a given chart. + +Explicitly set values have highest priority, then profile settings, then chart defaults. + +As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. +When configuring the chart, you should not include this. +That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. + +### OpenShift + +When deploying the gateway in an OpenShift cluster, use the `openshift` profile to override the default values, for example: + +```console +helm install istio-ingressgateway istio/gateway --set profile=openshift +``` + +### `image: auto` Information + +The image used by the chart, `auto`, may be unintuitive. +This exists because the pod spec will be automatically populated at runtime, using the same mechanism as [Sidecar Injection](istio.io/latest/docs/setup/additional-setup/sidecar-injection). +This allows the same configurations and lifecycle to apply to gateways as sidecars. + +Note: this does mean that the namespace the gateway is deployed in must not have the `istio-injection=disabled` label. +See [Controlling the injection policy](https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#controlling-the-injection-policy) for more info. + +### Examples + +#### Egress Gateway + +Deploying a Gateway to be used as an [Egress Gateway](https://istio.io/latest/docs/tasks/traffic-management/egress/egress-gateway/): + +```yaml +service: + # Egress gateways do not need an external LoadBalancer IP + type: ClusterIP +``` + +#### Multi-network/VM Gateway + +Deploying a Gateway to be used as a [Multi-network Gateway](https://istio.io/latest/docs/setup/install/multicluster/) for network `network-1`: + +```yaml +networkGateway: network-1 +``` + +### Migrating from other installation methods + +Installations from other installation methods (such as istioctl, Istio Operator, other helm charts, etc) can be migrated to use the new Helm charts +following the guidance below. +If you are able to, a clean installation is simpler. However, this often requires an external IP migration which can be challenging. + +WARNING: when installing over an existing deployment, the two deployments will be merged together by Helm, which may lead to unexpected results. + +#### Legacy Gateway Helm charts + +Istio historically offered two different charts - `manifests/charts/gateways/istio-ingress` and `manifests/charts/gateways/istio-egress`. +These are replaced by this chart. +While not required, it is recommended all new users use this chart, and existing users migrate when possible. + +This chart has the following benefits and differences: +* Designed with Helm best practices in mind (standardized values options, values schema, values are not all nested under `gateways.istio-ingressgateway.*`, release name and namespace taken into account, etc). +* Utilizes Gateway injection, simplifying upgrades, allowing gateways to run in any namespace, and avoiding repeating config for sidecars and gateways. +* Published to official Istio Helm repository. +* Single chart for all gateways (Ingress, Egress, East West). + +#### General concerns + +For a smooth migration, the resource names and `Deployment.spec.selector` labels must match. + +If you install with `helm install istio-gateway istio/gateway`, resources will be named `istio-gateway` and the `selector` labels set to: + +```yaml +app: istio-gateway +istio: gateway # the release name with leading istio- prefix stripped +``` + +If your existing installation doesn't follow these names, you can override them. For example, if you have resources named `my-custom-gateway` with `selector` labels +`foo=bar,istio=ingressgateway`: + +```yaml +name: my-custom-gateway # Override the name to match existing resources +labels: + app: "" # Unset default app selector label + istio: ingressgateway # override default istio selector label + foo: bar # Add the existing custom selector label +``` + +#### Migrating an existing Helm release + +An existing helm release can be `helm upgrade`d to this chart by using the same release name. For example, if a previous +installation was done like: + +```console +helm install istio-ingress manifests/charts/gateways/istio-ingress -n istio-system +``` + +It could be upgraded with + +```console +helm upgrade istio-ingress manifests/charts/gateway -n istio-system --set name=istio-ingressgateway --set labels.app=istio-ingressgateway --set labels.istio=ingressgateway +``` + +Note the name and labels are overridden to match the names of the existing installation. + +Warning: the helm charts here default to using port 80 and 443, while the old charts used 8080 and 8443. +If you have AuthorizationPolicies that reference port these ports, you should update them during this process, +or customize the ports to match the old defaults. +See the [security advisory](https://istio.io/latest/news/security/istio-security-2021-002/) for more information. + +#### Other migrations + +If you see errors like `rendered manifests contain a resource that already exists` during installation, you may need to forcibly take ownership. + +The script below can handle this for you. Replace `RELEASE` and `NAMESPACE` with the name and namespace of the release: + +```console +KINDS=(service deployment) +RELEASE=istio-ingressgateway +NAMESPACE=istio-system +for KIND in "${KINDS[@]}"; do + kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-name=$RELEASE + kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-namespace=$NAMESPACE + kubectl --namespace $NAMESPACE --overwrite=true label $KIND $RELEASE app.kubernetes.io/managed-by=Helm +done +``` + +You may ignore errors about resources not being found. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-ambient.yaml new file mode 100644 index 0000000000..495fbcd434 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-ambient.yaml @@ -0,0 +1,24 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" + serviceScopeConfigs: + - servicesSelector: + matchExpressions: + - key: istio.io/global + operator: In + values: ["true"] + scope: GLOBAL +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 0000000000..4f3dbef7ea --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-compatibility-version-1.24.yaml @@ -0,0 +1,15 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + PILOT_ENABLE_IP_AUTOALLOCATE: "false" + # 1.27 behavioral changes + ENABLE_NATIVE_SIDECARS: "false" +ambient: + dnsCapture: false + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..b2f45948c2 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,11 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.27 behavioral changes + ENABLE_NATIVE_SIDECARS: "false" +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-compatibility-version-1.26.yaml new file mode 100644 index 0000000000..af10697326 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-compatibility-version-1.26.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.27 behavioral changes + ENABLE_NATIVE_SIDECARS: "false" \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-demo.yaml new file mode 100644 index 0000000000..d6dc36dd0f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-demo.yaml @@ -0,0 +1,94 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The demo profile enables a variety of things to try out Istio in non-production environments. +# * Lower resource utilization. +# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. +# * More ports enabled on the ingress, which is used in some tasks. +meshConfig: + accessLogFile: /dev/stdout + extensionProviders: + - name: otel + envoyOtelAls: + service: opentelemetry-collector.observability.svc.cluster.local + port: 4317 + - name: skywalking + skywalking: + service: tracing.istio-system.svc.cluster.local + port: 11800 + - name: otel-tracing + opentelemetry: + port: 4317 + service: opentelemetry-collector.observability.svc.cluster.local + - name: jaeger + opentelemetry: + port: 4317 + service: jaeger-collector.istio-system.svc.cluster.local + +cni: + resources: + requests: + cpu: 10m + memory: 40Mi + +ztunnel: + resources: + requests: + cpu: 10m + memory: 40Mi + +global: + proxy: + resources: + requests: + cpu: 10m + memory: 40Mi + waypoint: + resources: + requests: + cpu: 10m + memory: 40Mi + +pilot: + autoscaleEnabled: false + traceSampling: 100 + resources: + requests: + cpu: 10m + memory: 100Mi + +gateways: + istio-egressgateway: + autoscaleEnabled: false + resources: + requests: + cpu: 10m + memory: 40Mi + istio-ingressgateway: + autoscaleEnabled: false + ports: + ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. + # Note that AWS ELB will by default perform health checks on the first port + # on this list. Setting this to the health check port will ensure that health + # checks always work. https://github.com/istio/istio/issues/12503 + - port: 15021 + targetPort: 15021 + name: status-port + - port: 80 + targetPort: 8080 + name: http2 + - port: 443 + targetPort: 8443 + name: https + - port: 31400 + targetPort: 31400 + name: tcp + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + resources: + requests: + cpu: 10m + memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-platform-gke.yaml new file mode 100644 index 0000000000..dfe8a7d741 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-platform-gke.yaml @@ -0,0 +1,10 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work + resourceQuotas: + enabled: true +resourceQuotas: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-platform-k3d.yaml new file mode 100644 index 0000000000..cd86d9ec58 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-platform-k3d.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-platform-k3s.yaml new file mode 100644 index 0000000000..07820106d9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-platform-k3s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-platform-microk8s.yaml new file mode 100644 index 0000000000..57d7f5e3cd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-platform-microk8s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/snap/microk8s/current/args/cni-network + cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-platform-minikube.yaml new file mode 100644 index 0000000000..fa9992e204 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-platform-minikube.yaml @@ -0,0 +1,6 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-platform-openshift.yaml new file mode 100644 index 0000000000..8ddc5e1654 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-platform-openshift.yaml @@ -0,0 +1,19 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The OpenShift profile provides a basic set of settings to run Istio on OpenShift +cni: + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + provider: "multus" +pilot: + cni: + enabled: true + provider: "multus" +seLinuxOptions: + type: spc_t +# Openshift requires privileged pods to run in kube-system +trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-preview.yaml new file mode 100644 index 0000000000..181d7bda2c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-preview.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +meshConfig: + defaultConfig: + proxyMetadata: + # Enable Istio agent to handle DNS requests for known hosts + # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf + ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-remote.yaml new file mode 100644 index 0000000000..d17b9a801a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-remote.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. +istiodRemote: + enabled: true +configMap: false +telemetry: + enabled: false +global: + # TODO BML maybe a different profile for a configcluster/revisit this + omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-stable.yaml new file mode 100644 index 0000000000..358282e69b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/files/profile-stable.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The stable profile deploys admission control to ensure that only stable resources and fields are used +# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE +experimental: + stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/templates/NOTES.txt new file mode 100644 index 0000000000..fd0142911a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/templates/NOTES.txt @@ -0,0 +1,9 @@ +"{{ include "gateway.name" . }}" successfully installed! + +To learn more about the release, try: + $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} + $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} + +Next steps: + * Deploy an HTTP Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/ingress-control/ + * Deploy an HTTPS Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/ diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/templates/_helpers.tpl new file mode 100644 index 0000000000..e5a0a9b3c2 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/templates/_helpers.tpl @@ -0,0 +1,40 @@ +{{- define "gateway.name" -}} +{{- if eq .Release.Name "RELEASE-NAME" -}} + {{- .Values.name | default "istio-ingressgateway" -}} +{{- else -}} + {{- .Values.name | default .Release.Name | default "istio-ingressgateway" -}} +{{- end -}} +{{- end }} + +{{- define "gateway.labels" -}} +{{ include "gateway.selectorLabels" . }} +{{- range $key, $val := .Values.labels }} +{{- if and (ne $key "app") (ne $key "istio") }} +{{ $key | quote }}: {{ $val | quote }} +{{- end }} +{{- end }} +{{- end }} + +{{- define "gateway.selectorLabels" -}} +app: {{ (.Values.labels.app | quote) | default (include "gateway.name" .) }} +istio: {{ (.Values.labels.istio | quote) | default (include "gateway.name" . | trimPrefix "istio-") }} +{{- end }} + +{{/* +Keep sidecar injection labels together +https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#controlling-the-injection-policy +*/}} +{{- define "gateway.sidecarInjectionLabels" -}} +sidecar.istio.io/inject: "true" +{{- with .Values.revision }} +istio.io/rev: {{ . | quote }} +{{- end }} +{{- end }} + +{{- define "gateway.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- .Values.serviceAccount.name | default (include "gateway.name" .) }} +{{- else }} +{{- .Values.serviceAccount.name | default "default" }} +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/templates/deployment.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/templates/deployment.yaml new file mode 100644 index 0000000000..1d8f93a472 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/templates/deployment.yaml @@ -0,0 +1,145 @@ +apiVersion: apps/v1 +kind: {{ .Values.kind | default "Deployment" }} +metadata: + name: {{ include "gateway.name" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} + {{- include "gateway.labels" . | nindent 4}} + annotations: + {{- .Values.annotations | toYaml | nindent 4 }} +spec: + {{- if not .Values.autoscaling.enabled }} + {{- if and (hasKey .Values "replicaCount") (ne .Values.replicaCount nil) }} + replicas: {{ .Values.replicaCount }} + {{- end }} + {{- end }} + {{- with .Values.strategy }} + strategy: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.minReadySeconds }} + minReadySeconds: {{ . }} + {{- end }} + selector: + matchLabels: + {{- include "gateway.selectorLabels" . | nindent 6 }} + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "gateway.sidecarInjectionLabels" . | nindent 8 }} + {{- include "gateway.selectorLabels" . | nindent 8 }} + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 8}} + {{- range $key, $val := .Values.labels }} + {{- if and (ne $key "app") (ne $key "istio") }} + {{ $key | quote }}: {{ $val | quote }} + {{- end }} + {{- end }} + {{- with .Values.networkGateway }} + topology.istio.io/network: "{{.}}" + {{- end }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "gateway.serviceAccountName" . }} + securityContext: + {{- if .Values.securityContext }} + {{- toYaml .Values.securityContext | nindent 8 }} + {{- else }} + # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326 + sysctls: + - name: net.ipv4.ip_unprivileged_port_start + value: "0" + {{- end }} + {{- with .Values.volumes }} + volumes: + {{ toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} + containers: + - name: istio-proxy + # "auto" will be populated at runtime by the mutating webhook. See https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#customizing-injection + image: auto + {{- with .Values.imagePullPolicy }} + imagePullPolicy: {{ . }} + {{- end }} + securityContext: + {{- if .Values.containerSecurityContext }} + {{- toYaml .Values.containerSecurityContext | nindent 12 }} + {{- else }} + capabilities: + drop: + - ALL + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + {{- if not (eq (.Values.platform | default "") "openshift") }} + runAsUser: 1337 + runAsGroup: 1337 + {{- end }} + runAsNonRoot: true + {{- end }} + env: + {{- with .Values.networkGateway }} + - name: ISTIO_META_REQUESTED_NETWORK_VIEW + value: "{{.}}" + {{- end }} + {{- range $key, $val := .Values.env }} + - name: {{ $key }} + value: {{ $val | quote }} + {{- end }} + {{- with .Values.envVarFrom }} + {{- toYaml . | nindent 10 }} + {{- end }} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + resources: + {{- toYaml .Values.resources | nindent 12 }} + {{- with .Values.volumeMounts }} + volumeMounts: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.readinessProbe }} + readinessProbe: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.lifecycle }} + lifecycle: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.additionalContainers }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml . | nindent 8 }} + {{- end }} + terminationGracePeriodSeconds: {{ $.Values.terminationGracePeriodSeconds }} + {{- with .Values.priorityClassName }} + priorityClassName: {{ . }} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/templates/hpa.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/templates/hpa.yaml new file mode 100644 index 0000000000..64ecb6a4cd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/templates/hpa.yaml @@ -0,0 +1,40 @@ +{{- if and (.Values.autoscaling.enabled) (eq .Values.kind "Deployment") }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "gateway.name" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} + {{- include "gateway.labels" . | nindent 4 }} + annotations: + {{- .Values.annotations | toYaml | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: {{ .Values.kind | default "Deployment" }} + name: {{ include "gateway.name" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + metrics: + {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} + type: Utilization + {{- end }} + {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} + type: Utilization + {{- end }} + {{- if .Values.autoscaling.autoscaleBehavior }} + behavior: {{ toYaml .Values.autoscaling.autoscaleBehavior | nindent 4 }} + {{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/templates/poddisruptionbudget.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/templates/poddisruptionbudget.yaml new file mode 100644 index 0000000000..91869a0ead --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/templates/poddisruptionbudget.yaml @@ -0,0 +1,21 @@ +{{- if .Values.podDisruptionBudget }} +# a workaround for https://github.com/kubernetes/kubernetes/issues/93476 +{{- if or (and .Values.autoscaling.enabled (gt (int .Values.autoscaling.minReplicas) 1)) (and (not .Values.autoscaling.enabled) (gt (int .Values.replicaCount) 1)) }} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "gateway.name" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} + {{- include "gateway.labels" . | nindent 4}} +spec: + selector: + matchLabels: + {{- include "gateway.selectorLabels" . | nindent 6 }} + {{- with .Values.podDisruptionBudget }} + {{- toYaml . | nindent 2 }} + {{- end }} +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/templates/role.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/templates/role.yaml new file mode 100644 index 0000000000..3d16079632 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/templates/role.yaml @@ -0,0 +1,37 @@ +{{/*Set up roles for Istio Gateway. Not required for gateway-api*/}} +{{- if .Values.rbac.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "gateway.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} + {{- include "gateway.labels" . | nindent 4}} + annotations: + {{- .Values.annotations | toYaml | nindent 4 }} +rules: +- apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "watch", "list"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "gateway.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} + {{- include "gateway.labels" . | nindent 4}} + annotations: + {{- .Values.annotations | toYaml | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "gateway.serviceAccountName" . }} +subjects: +- kind: ServiceAccount + name: {{ include "gateway.serviceAccountName" . }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/templates/service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/templates/service.yaml new file mode 100644 index 0000000000..3e28418f7b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/templates/service.yaml @@ -0,0 +1,69 @@ +{{- if not (eq .Values.service.type "None") }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "gateway.name" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} + {{- include "gateway.labels" . | nindent 4 }} + {{- with .Values.networkGateway }} + topology.istio.io/network: "{{.}}" + {{- end }} + annotations: + {{- merge (deepCopy .Values.service.annotations) .Values.annotations | toYaml | nindent 4 }} +spec: +{{- with .Values.service.loadBalancerIP }} + loadBalancerIP: "{{ . }}" +{{- end }} +{{- if eq .Values.service.type "LoadBalancer" }} + {{- if hasKey .Values.service "allocateLoadBalancerNodePorts" }} + allocateLoadBalancerNodePorts: {{ .Values.service.allocateLoadBalancerNodePorts }} + {{- end }} + {{- if hasKey .Values.service "loadBalancerClass" }} + loadBalancerClass: {{ .Values.service.loadBalancerClass }} + {{- end }} +{{- end }} +{{- if .Values.service.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.service.ipFamilyPolicy }} +{{- end }} +{{- if .Values.service.ipFamilies }} + ipFamilies: +{{- range .Values.service.ipFamilies }} + - {{ . }} +{{- end }} +{{- end }} +{{- with .Values.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml . | indent 4 }} +{{- end }} +{{- with .Values.service.externalTrafficPolicy }} + externalTrafficPolicy: "{{ . }}" +{{- end }} + type: {{ .Values.service.type }} + ports: +{{- if .Values.networkGateway }} + - name: status-port + port: 15021 + targetPort: 15021 + - name: tls + port: 15443 + targetPort: 15443 + - name: tls-istiod + port: 15012 + targetPort: 15012 + - name: tls-webhook + port: 15017 + targetPort: 15017 +{{- else }} +{{ .Values.service.ports | toYaml | indent 4 }} +{{- end }} +{{- if .Values.service.externalIPs }} + externalIPs: {{- range .Values.service.externalIPs }} + - {{.}} + {{- end }} +{{- end }} + selector: + {{- include "gateway.selectorLabels" . | nindent 4 }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/templates/serviceaccount.yaml new file mode 100644 index 0000000000..c88afeadd3 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/templates/serviceaccount.yaml @@ -0,0 +1,15 @@ +{{- if .Values.serviceAccount.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "gateway.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} + {{- include "gateway.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/templates/zzz_profile.yaml new file mode 100644 index 0000000000..606c556697 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/templates/zzz_profile.yaml @@ -0,0 +1,75 @@ +{{/* +WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. +The original version of this file is located at /manifests directory. +If you want to make a change in this file, edit the original one and run "make gen". + +Complex logic ahead... +We have three sets of values, in order of precedence (last wins): +1. The builtin values.yaml defaults +2. The profile the user selects +3. Users input (-f or --set) + +Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). + +However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). +We can then merge the profile onto the defaults, then the user settings onto that. +Finally, we can set all of that under .Values so the chart behaves without awareness. +*/}} +{{- if $.Values.defaults}} +{{ fail (cat + "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" + ($.Values.defaults | toYaml |nindent 4) +) }} +{{- end }} +{{- $defaults := $.Values._internal_defaults_do_not_set }} +{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} +{{- $profile := dict }} +{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} +{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} +{{- $profile = (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown profile" .) }} +{{- end }} +{{- end }} +{{- with .Values.compatibilityVersion }} +{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} +{{- end }} +{{- end }} +{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} +{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown platform" .) }} +{{- end }} +{{- end }} +{{- if $profile }} +{{- $a := mustMergeOverwrite $defaults $profile }} +{{- end }} +# Flatten globals, if defined on a per-chart basis +{{- if true }} +{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} +{{- end }} +{{- $x := set $.Values "_original" (deepCopy $.Values) }} +{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} + +{{/* +Labels that should be applied to ALL resources. +*/}} +{{- define "istio.labels" -}} +{{- if .Release.Service -}} +app.kubernetes.io/managed-by: {{ .Release.Service | quote }} +{{- end }} +{{- if .Release.Name }} +app.kubernetes.io/instance: {{ .Release.Name | quote }} +{{- end }} +app.kubernetes.io/part-of: "istio" +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +{{- if and .Chart.Name .Chart.Version }} +helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/values.schema.json b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/values.schema.json new file mode 100644 index 0000000000..bcbb30ccc8 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/values.schema.json @@ -0,0 +1,353 @@ +{ + "$schema": "http://json-schema.org/schema#", + "$defs": { + "values": { + "type": "object", + "additionalProperties": false, + "properties": { + "_internal_defaults_do_not_set": { + "type": "object" + }, + "global": { + "type": "object" + }, + "affinity": { + "type": "object" + }, + "securityContext": { + "type": [ + "object", + "null" + ] + }, + "containerSecurityContext": { + "type": [ + "object", + "null" + ] + }, + "kind": { + "type": "string", + "enum": [ + "Deployment", + "DaemonSet" + ] + }, + "annotations": { + "additionalProperties": { + "type": [ + "string", + "integer" + ] + }, + "type": "object" + }, + "autoscaling": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "maxReplicas": { + "type": "integer" + }, + "minReplicas": { + "type": "integer" + }, + "targetCPUUtilizationPercentage": { + "type": "integer" + } + } + }, + "env": { + "type": "object" + }, + "envVarFrom": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { "type": "string" }, + "valueFrom": { "type": "object" } + } + } + }, + "strategy": { + "type": "object" + }, + "minReadySeconds": { + "type": [ "null", "integer" ] + }, + "readinessProbe": { + "type": [ "null", "object" ] + }, + "labels": { + "type": "object" + }, + "name": { + "type": "string" + }, + "nodeSelector": { + "type": "object" + }, + "podAnnotations": { + "type": "object", + "properties": { + "inject.istio.io/templates": { + "type": "string" + }, + "prometheus.io/path": { + "type": "string" + }, + "prometheus.io/port": { + "type": "string" + }, + "prometheus.io/scrape": { + "type": "string" + } + } + }, + "replicaCount": { + "type": [ + "integer", + "null" + ] + }, + "resources": { + "type": "object", + "properties": { + "limits": { + "type": "object", + "properties": { + "cpu": { + "type": ["string", "null"] + }, + "memory": { + "type": ["string", "null"] + } + } + }, + "requests": { + "type": "object", + "properties": { + "cpu": { + "type": ["string", "null"] + }, + "memory": { + "type": ["string", "null"] + } + } + } + } + }, + "revision": { + "type": "string" + }, + "defaultRevision": { + "type": "string" + }, + "compatibilityVersion": { + "type": "string" + }, + "profile": { + "type": "string" + }, + "platform": { + "type": "string" + }, + "pilot": { + "type": "object" + }, + "runAsRoot": { + "type": "boolean" + }, + "unprivilegedPort": { + "type": [ + "string", + "boolean" + ], + "enum": [ + true, + false, + "auto" + ] + }, + "service": { + "type": "object", + "properties": { + "annotations": { + "type": "object" + }, + "externalTrafficPolicy": { + "type": "string" + }, + "loadBalancerIP": { + "type": "string" + }, + "loadBalancerSourceRanges": { + "type": "array" + }, + "ipFamilies": { + "items": { + "type": "string", + "enum": [ + "IPv4", + "IPv6" + ] + } + }, + "ipFamilyPolicy": { + "type": "string", + "enum": [ + "", + "SingleStack", + "PreferDualStack", + "RequireDualStack" + ] + }, + "ports": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "port": { + "type": "integer" + }, + "protocol": { + "type": "string" + }, + "targetPort": { + "type": "integer" + } + } + } + }, + "type": { + "type": "string" + } + } + }, + "serviceAccount": { + "type": "object", + "properties": { + "annotations": { + "type": "object" + }, + "name": { + "type": "string" + }, + "create": { + "type": "boolean" + } + } + }, + "rbac": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, + "tolerations": { + "type": "array" + }, + "topologySpreadConstraints": { + "type": "array" + }, + "networkGateway": { + "type": "string" + }, + "imagePullPolicy": { + "type": "string", + "enum": [ + "", + "Always", + "IfNotPresent", + "Never" + ] + }, + "imagePullSecrets": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + } + } + } + }, + "podDisruptionBudget": { + "type": "object", + "properties": { + "minAvailable": { + "type": [ + "integer", + "string" + ] + }, + "maxUnavailable": { + "type": [ + "integer", + "string" + ] + }, + "unhealthyPodEvictionPolicy": { + "type": "string", + "enum": [ + "", + "IfHealthyBudget", + "AlwaysAllow" + ] + } + } + }, + "terminationGracePeriodSeconds": { + "type": "number" + }, + "volumes": { + "type": "array", + "items": { + "type": "object" + } + }, + "volumeMounts": { + "type": "array", + "items": { + "type": "object" + } + }, + "initContainers": { + "type": "array", + "items": { "type": "object" } + }, + "additionalContainers": { + "type": "array", + "items": { "type": "object" } + }, + "priorityClassName": { + "type": "string" + }, + "lifecycle": { + "type": "object", + "properties": { + "postStart": { + "type": "object" + }, + "preStop": { + "type": "object" + } + } + } + } + } + }, + "defaults": { + "$ref": "#/$defs/values" + }, + "$ref": "#/$defs/values" +} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/values.yaml new file mode 100644 index 0000000000..454d2a4d2b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/gateway/values.yaml @@ -0,0 +1,195 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + # Name allows overriding the release name. Generally this should not be set + name: "" + # revision declares which revision this gateway is a part of + revision: "" + + # Controls the spec.replicas setting for the Gateway deployment if set. + # Otherwise defaults to Kubernetes Deployment default (1). + replicaCount: + + kind: Deployment + + rbac: + # If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed + # when using http://gateway-api.org/. + enabled: true + + serviceAccount: + # If set, a service account will be created. Otherwise, the default is used + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set, the release name is used + name: "" + + podAnnotations: + prometheus.io/port: "15020" + prometheus.io/scrape: "true" + prometheus.io/path: "/stats/prometheus" + inject.istio.io/templates: "gateway" + sidecar.istio.io/inject: "true" + + # Define the security context for the pod. + # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. + # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. + securityContext: {} + containerSecurityContext: {} + + service: + # Type of service. Set to "None" to disable the service entirely + type: LoadBalancer + ports: + - name: status-port + port: 15021 + protocol: TCP + targetPort: 15021 + - name: http2 + port: 80 + protocol: TCP + targetPort: 80 + - name: https + port: 443 + protocol: TCP + targetPort: 443 + annotations: {} + loadBalancerIP: "" + loadBalancerSourceRanges: [] + externalTrafficPolicy: "" + externalIPs: [] + ipFamilyPolicy: "" + ipFamilies: [] + ## Whether to automatically allocate NodePorts (only for LoadBalancers). + # allocateLoadBalancerNodePorts: false + ## Set LoadBalancer class (only for LoadBalancers). + # loadBalancerClass: "" + + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 1024Mi + + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 5 + targetCPUUtilizationPercentage: 80 + targetMemoryUtilizationPercentage: {} + autoscaleBehavior: {} + + # Pod environment variables + env: {} + + # Use envVarFrom to define full environment variable entries with complex sources, + # such as valueFrom.secretKeyRef, valueFrom.configMapKeyRef. Each item must include a `name` and `valueFrom`. + # + # Example: + # envVarFrom: + # - name: EXAMPLE_SECRET + # valueFrom: + # secretKeyRef: + # name: example-name + # key: example-key + envVarFrom: [] + + # Deployment Update strategy + strategy: {} + + # Sets the Deployment minReadySeconds value + minReadySeconds: + + # Optionally configure a custom readinessProbe. By default the control plane + # automatically injects the readinessProbe. If you wish to override that + # behavior, you may define your own readinessProbe here. + readinessProbe: {} + + # Labels to apply to all resources + labels: + # By default, don't enroll gateways into the ambient dataplane + "istio.io/dataplane-mode": none + + # Annotations to apply to all resources + annotations: {} + + nodeSelector: {} + + tolerations: [] + + topologySpreadConstraints: [] + + affinity: {} + + # If specified, the gateway will act as a network gateway for the given network. + networkGateway: "" + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent + imagePullPolicy: "" + + imagePullSecrets: [] + + # This value is used to configure a Kubernetes PodDisruptionBudget for the gateway. + # + # By default, the `podDisruptionBudget` is disabled (set to `{}`), + # which means that no PodDisruptionBudget resource will be created. + # + # The PodDisruptionBudget can be only enabled if autoscaling is enabled + # with minReplicas > 1 or if autoscaling is disabled but replicaCount > 1. + # + # To enable the PodDisruptionBudget, configure it by specifying the + # `minAvailable` or `maxUnavailable`. For example, to set the + # minimum number of available replicas to 1, you can update this value as follows: + # + # podDisruptionBudget: + # minAvailable: 1 + # + # Or, to allow a maximum of 1 unavailable replica, you can set: + # + # podDisruptionBudget: + # maxUnavailable: 1 + # + # You can also specify the `unhealthyPodEvictionPolicy` field, and the valid values are `IfHealthyBudget` and `AlwaysAllow`. + # For example, to set the `unhealthyPodEvictionPolicy` to `AlwaysAllow`, you can update this value as follows: + # + # podDisruptionBudget: + # minAvailable: 1 + # unhealthyPodEvictionPolicy: AlwaysAllow + # + # To disable the PodDisruptionBudget, you can leave it as an empty object `{}`: + # + # podDisruptionBudget: {} + # + podDisruptionBudget: {} + + # Sets the per-pod terminationGracePeriodSeconds setting. + terminationGracePeriodSeconds: 30 + + # A list of `Volumes` added into the Gateway Pods. See + # https://kubernetes.io/docs/concepts/storage/volumes/. + volumes: [] + + # A list of `VolumeMounts` added into the Gateway Pods. See + # https://kubernetes.io/docs/concepts/storage/volumes/. + volumeMounts: [] + + # Inject initContainers into the Gateway Pods. + initContainers: [] + + # Inject additional containers into the Gateway Pods. + additionalContainers: [] + + # Configure this to a higher priority class in order to make sure your Istio gateway pods + # will not be killed because of low priority class. + # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + # for more detail. + priorityClassName: "" + + # Configure the lifecycle hooks for the gateway. See + # https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/. + lifecycle: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/Chart.yaml new file mode 100644 index 0000000000..aff443622d --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/Chart.yaml @@ -0,0 +1,12 @@ +apiVersion: v2 +appVersion: 1.27.5 +description: Helm chart for istio control plane +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio +- istiod +- istio-discovery +name: istiod +sources: +- https://github.com/istio/istio +version: 1.27.5 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/README.md new file mode 100644 index 0000000000..ddbfbc8fec --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/README.md @@ -0,0 +1,73 @@ +# Istiod Helm Chart + +This chart installs an Istiod deployment. + +## Setup Repo Info + +```console +helm repo add istio https://istio-release.storage.googleapis.com/charts +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Installing the Chart + +Before installing, ensure CRDs are installed in the cluster (from the `istio/base` chart). + +To install the chart with the release name `istiod`: + +```console +kubectl create namespace istio-system +helm install istiod istio/istiod --namespace istio-system +``` + +## Uninstalling the Chart + +To uninstall/delete the `istiod` deployment: + +```console +helm delete istiod --namespace istio-system +``` + +## Configuration + +To view support configuration options and documentation, run: + +```console +helm show values istio/istiod +``` + +### Profiles + +Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. +These can be set with `--set profile=`. +For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. + +For consistency, the same profiles are used across each chart, even if they do not impact a given chart. + +Explicitly set values have highest priority, then profile settings, then chart defaults. + +As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. +When configuring the chart, you should not include this. +That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. + +### Examples + +#### Configuring mesh configuration settings + +Any [Mesh Config](https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/) options can be configured like below: + +```yaml +meshConfig: + accessLogFile: /dev/stdout +``` + +#### Revisions + +Control plane revisions allow deploying multiple versions of the control plane in the same cluster. +This allows safe [canary upgrades](https://istio.io/latest/docs/setup/upgrade/canary/) + +```yaml +revision: my-revision-name +``` diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/gateway-injection-template.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/gateway-injection-template.yaml new file mode 100644 index 0000000000..bc15ee3c31 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/gateway-injection-template.yaml @@ -0,0 +1,274 @@ +{{- $containers := list }} +{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} +metadata: + labels: + service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} + service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} + annotations: + istio.io/rev: {{ .Revision | default "default" | quote }} + {{- if ge (len $containers) 1 }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} + kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}" + {{- end }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}" + {{- end }} + {{- end }} +spec: + securityContext: + {{- if .Values.gateways.securityContext }} + {{- toYaml .Values.gateways.securityContext | nindent 4 }} + {{- else }} + sysctls: + - name: net.ipv4.ip_unprivileged_port_start + value: "0" + {{- end }} + containers: + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - router + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} + - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} + {{- end }} + securityContext: + runAsUser: {{ .ProxyUID | default "1337" }} + runAsGroup: {{ .ProxyGID | default "1337" }} + env: + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + {{- if .CompliancePolicy }} + - name: COMPLIANCE_POLICY + value: "{{ .CompliancePolicy }}" + {{- end }} + - name: ISTIO_META_APP_CONTAINERS + value: "{{ $containers | join "," }}" + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ .ProxyConfig.InterceptionMode.String }}" + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{- if .DeploymentMeta.Name }} + - name: ISTIO_META_WORKLOAD_NAME + value: "{{ .DeploymentMeta.Name }}" + {{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: ISTIO_BOOTSTRAP_OVERRIDE + value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" + {{- end }} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + readinessProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }} + timeoutSeconds: 3 + failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }} + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + - name: credential-socket + mountPath: /var/run/secrets/credential-uds + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - mountPath: /etc/istio/custom-bootstrap + name: custom-bootstrap-volume + {{- end }} + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + volumes: + - emptyDir: + name: workload-socket + - emptyDir: {} + name: credential-socket + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- else}} + - emptyDir: {} + name: workload-certs + {{- end }} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: custom-bootstrap-volume + configMap: + name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - name: istio-certs + secret: + optional: true + {{ if eq .Spec.ServiceAccountName "" }} + secretName: istio.default + {{ else -}} + secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} + {{ end -}} + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/grpc-agent.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/grpc-agent.yaml new file mode 100644 index 0000000000..6e3102e4c8 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/grpc-agent.yaml @@ -0,0 +1,318 @@ +{{- define "resources" }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} + requests: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" + {{ end }} + {{- end }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + limits: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" + {{ end }} + {{- end }} + {{- else }} + {{- if .Values.global.proxy.resources }} + {{ toYaml .Values.global.proxy.resources | indent 6 }} + {{- end }} + {{- end }} +{{- end }} +{{- $containers := list }} +{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} +metadata: + labels: + {{/* security.istio.io/tlsMode: istio must be set by user, if gRPC is using mTLS initialization code. We can't set it automatically. */}} + service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} + service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} + annotations: { + istio.io/rev: {{ .Revision | default "default" | quote }}, + {{- if ge (len $containers) 1 }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} + kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", + {{- end }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", + {{- end }} + {{- end }} + sidecar.istio.io/rewriteAppHTTPProbers: "false", + } +spec: + containers: + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + ports: + - containerPort: 15020 + protocol: TCP + name: mesh-metrics + args: + - proxy + - sidecar + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} + - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + lifecycle: + postStart: + exec: + command: + - pilot-agent + - wait + - --url=http://localhost:15020/healthz/ready + env: + - name: ISTIO_META_GENERATOR + value: grpc + - name: OUTPUT_CERTS + value: /var/lib/istio/data + {{- if eq .InboundTrafficPolicyMode "localhost" }} + - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION + value: "true" + {{- end }} + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: ISTIO_META_APP_CONTAINERS + value: "{{ $containers | join "," }}" + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{- if .DeploymentMeta.Name }} + - name: ISTIO_META_WORKLOAD_NAME + value: "{{ .DeploymentMeta.Name }}" + {{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + # grpc uses xds:/// to resolve – no need to resolve VIP + - name: ISTIO_META_DNS_CAPTURE + value: "false" + - name: DISABLE_ENVOY + value: "true" + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} + readinessProbe: + httpGet: + path: /healthz/ready + port: 15020 + initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} + timeoutSeconds: 3 + failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} + resources: + {{ template "resources" . }} + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + # UDS channel between istioagent and gRPC client for XDS/SDS + - mountPath: /etc/istio/proxy + name: istio-xds + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} + {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 6 }} + {{ end }} + {{- end }} +{{- range $index, $container := .Spec.Containers }} +{{ if not (eq $container.Name "istio-proxy") }} + - name: {{ $container.Name }} + env: + - name: "GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT" + value: "true" + - name: "GRPC_XDS_BOOTSTRAP" + value: "/etc/istio/proxy/grpc-bootstrap.json" + volumeMounts: + - mountPath: /var/lib/istio/data + name: istio-data + # UDS channel between istioagent and gRPC client for XDS/SDS + - mountPath: /etc/istio/proxy + name: istio-xds + {{- if eq $.Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} +{{- end }} +{{- end }} + volumes: + - emptyDir: + name: workload-socket + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- else }} + - emptyDir: + name: workload-certs + {{- end }} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: custom-bootstrap-volume + configMap: + name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-xds + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - name: istio-certs + secret: + optional: true + {{ if eq .Spec.ServiceAccountName "" }} + secretName: istio.default + {{ else -}} + secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} + {{ end -}} + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} + {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 4 }} + {{ end }} + {{ end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/grpc-simple.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/grpc-simple.yaml new file mode 100644 index 0000000000..9ba0c7a46a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/grpc-simple.yaml @@ -0,0 +1,65 @@ +metadata: + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "false" +spec: + initContainers: + - name: grpc-bootstrap-init + image: busybox:1.28 + volumeMounts: + - mountPath: /var/lib/grpc/data/ + name: grpc-io-proxyless-bootstrap + env: + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: ISTIO_NAMESPACE + value: | + {{ .Values.global.istioNamespace }} + command: + - sh + - "-c" + - |- + NODE_ID="sidecar~${INSTANCE_IP}~${POD_NAME}.${POD_NAMESPACE}~cluster.local" + SERVER_URI="dns:///istiod.${ISTIO_NAMESPACE}.svc:15010" + echo ' + { + "xds_servers": [ + { + "server_uri": "'${SERVER_URI}'", + "channel_creds": [{"type": "insecure"}], + "server_features" : ["xds_v3"] + } + ], + "node": { + "id": "'${NODE_ID}'", + "metadata": { + "GENERATOR": "grpc" + } + } + }' > /var/lib/grpc/data/bootstrap.json + containers: + {{- range $index, $container := .Spec.Containers }} + - name: {{ $container.Name }} + env: + - name: GRPC_XDS_BOOTSTRAP + value: /var/lib/grpc/data/bootstrap.json + - name: GRPC_GO_LOG_VERBOSITY_LEVEL + value: "99" + - name: GRPC_GO_LOG_SEVERITY_LEVEL + value: info + volumeMounts: + - mountPath: /var/lib/grpc/data/ + name: grpc-io-proxyless-bootstrap + {{- end }} + volumes: + - name: grpc-io-proxyless-bootstrap + emptyDir: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/injection-template.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/injection-template.yaml new file mode 100644 index 0000000000..df04baf847 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/injection-template.yaml @@ -0,0 +1,541 @@ +{{- define "resources" }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} + requests: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` }}" + {{ end }} + {{- end }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + limits: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} + cpu: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` }}" + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} + memory: "{{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` }}" + {{ end }} + {{- end }} + {{- else }} + {{- if .Values.global.proxy.resources }} + {{ toYaml .Values.global.proxy.resources | indent 6 }} + {{- end }} + {{- end }} +{{- end }} +{{ $tproxy := (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) }} +{{ $capNetBindService := (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) }} +{{ $nativeSidecar := ne (index .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar` | default (printf "%t" .NativeSidecars)) "false" }} +{{- $containers := list }} +{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} +metadata: + labels: + security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }} + {{- if eq (index .ProxyConfig.ProxyMetadata "ISTIO_META_ENABLE_HBONE") "true" }} + networking.istio.io/tunnel: {{ index .ObjectMeta.Labels `networking.istio.io/tunnel` | default "http" | quote }} + {{- end }} + service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | trunc 63 | trimSuffix "-" | quote }} + service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} + annotations: { + istio.io/rev: {{ .Revision | default "default" | quote }}, + {{- if ge (len $containers) 1 }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} + kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", + {{- end }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", + {{- end }} + {{- end }} +{{- if .Values.pilot.cni.enabled }} + {{- if eq .Values.pilot.cni.provider "multus" }} + k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `default/istio-cni` }}', + {{- end }} + sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}", + {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }} + {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }} + traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}", + traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}", + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }} + traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}", + {{- end }} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} + traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}", + {{- end }} + {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }} + {{ with index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}istio.io/reroute-virtual-interfaces: "{{.}}",{{ end }} + {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}traffic.sidecar.istio.io/excludeInterfaces: "{{.}}",{{ end }} +{{- end }} + } +spec: + {{- $holdProxy := and + (or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts) + (not $nativeSidecar) }} + {{- $noInitContainer := and + (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE`) + (not $nativeSidecar) }} + {{ if $noInitContainer }} + initContainers: [] + {{ else -}} + initContainers: + {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} + {{ if .Values.pilot.cni.enabled -}} + - name: istio-validation + {{ else -}} + - name: istio-init + {{ end -}} + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + args: + - istio-iptables + - "-p" + - {{ .MeshConfig.ProxyListenPort | default "15001" | quote }} + - "-z" + - {{ .MeshConfig.ProxyInboundListenPort | default "15006" | quote }} + - "-u" + - {{ if $tproxy }} "1337" {{ else }} {{ .ProxyUID | default "1337" | quote }} {{ end }} + - "-m" + - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" + - "-i" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" + - "-x" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" + - "-b" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}" + - "-d" + {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }} + - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" + {{- else }} + - "15090,15021" + {{- end }} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}} + - "-q" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" + {{ end -}} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} + - "-o" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" + {{ end -}} + {{ if (isset .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces`) -}} + - "-k" + - "{{ index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}" + {{ else if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} + - "-k" + - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" + {{ end -}} + {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces`) -}} + - "-c" + - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}" + {{ end -}} + - "--log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}" + {{ if .Values.global.logAsJson -}} + - "--log_as_json" + {{ end -}} + {{ if .Values.pilot.cni.enabled -}} + - "--run-validation" + - "--skip-rule-apply" + {{ else if .Values.global.proxy_init.forceApplyIptables -}} + - "--force-apply" + {{ end -}} + {{ if .Values.global.nativeNftables -}} + - "--native-nftables" + {{ end -}} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + {{- if .ProxyConfig.ProxyMetadata }} + env: + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + resources: + {{ template "resources" . }} + securityContext: + allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} + privileged: {{ .Values.global.proxy.privileged }} + capabilities: + {{- if not .Values.pilot.cni.enabled }} + add: + - NET_ADMIN + - NET_RAW + {{- end }} + drop: + - ALL + {{- if not .Values.pilot.cni.enabled }} + readOnlyRootFilesystem: false + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + {{- else }} + readOnlyRootFilesystem: true + runAsGroup: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyGID | default "1337" }} {{ end }} + runAsUser: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyUID | default "1337" }} {{ end }} + runAsNonRoot: true + {{- end }} + {{ end -}} + {{ end -}} + {{ if not $nativeSidecar }} + containers: + {{ end }} + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + {{ if $nativeSidecar }}restartPolicy: Always{{end}} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - sidecar + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} + - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.outlierLogPath }} + - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }} + {{- end}} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} + {{- else if $holdProxy }} + lifecycle: + postStart: + exec: + command: + - pilot-agent + - wait + {{- else if $nativeSidecar }} + {{- /* preStop is called when the pod starts shutdown. Initialize drain. We will get SIGTERM once applications are torn down. */}} + lifecycle: + preStop: + exec: + command: + - pilot-agent + - request + - --debug-port={{(annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort)}} + - POST + - drain + {{- end }} + env: + {{- if eq .InboundTrafficPolicyMode "localhost" }} + - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION + value: "true" + {{- end }} + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: ISTIO_META_APP_CONTAINERS + value: "{{ $containers | join "," }}" + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + {{- if .CompliancePolicy }} + - name: COMPLIANCE_POLICY + value: "{{ .CompliancePolicy }}" + {{- end }} + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{- with (index .ObjectMeta.Labels `service.istio.io/workload-name` | default .DeploymentMeta.Name) }} + - name: ISTIO_META_WORKLOAD_NAME + value: "{{ . }}" + {{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: ISTIO_BOOTSTRAP_OVERRIDE + value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" + {{- end }} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} + {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} + {{ if .Values.global.proxy.startupProbe.enabled }} + startupProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: 0 + periodSeconds: 1 + timeoutSeconds: 3 + failureThreshold: {{ .Values.global.proxy.startupProbe.failureThreshold }} + {{ end }} + readinessProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} + timeoutSeconds: 3 + failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} + {{ end -}} + securityContext: + {{- if eq (index .ProxyConfig.ProxyMetadata "IPTABLES_TRACE_LOGGING") "true" }} + allowPrivilegeEscalation: true + capabilities: + add: + - NET_ADMIN + drop: + - ALL + privileged: true + readOnlyRootFilesystem: true + runAsGroup: {{ .ProxyGID | default "1337" }} + runAsNonRoot: false + runAsUser: 0 + {{- else }} + allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} + capabilities: + {{ if or $tproxy $capNetBindService -}} + add: + {{ if $tproxy -}} + - NET_ADMIN + {{- end }} + {{ if $capNetBindService -}} + - NET_BIND_SERVICE + {{- end }} + {{- end }} + drop: + - ALL + privileged: {{ .Values.global.proxy.privileged }} + readOnlyRootFilesystem: true + {{ if or $tproxy $capNetBindService -}} + runAsNonRoot: false + runAsUser: 0 + runAsGroup: 1337 + {{- else -}} + runAsNonRoot: true + runAsUser: {{ .ProxyUID | default "1337" }} + runAsGroup: {{ .ProxyGID | default "1337" }} + {{- end }} + {{- end }} + resources: + {{ template "resources" . }} + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + - name: credential-socket + mountPath: /var/run/secrets/credential-uds + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + - mountPath: /var/run/secrets/istio/crl + name: istio-ca-crl + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - mountPath: /etc/istio/custom-bootstrap + name: custom-bootstrap-volume + {{- end }} + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} + - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }} + name: lightstep-certs + readOnly: true + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} + {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 6 }} + {{ end }} + {{- end }} + volumes: + - emptyDir: + name: workload-socket + - emptyDir: + name: credential-socket + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- else }} + - emptyDir: + name: workload-certs + {{- end }} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: custom-bootstrap-volume + configMap: + name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + {{- end }} + - name: istio-ca-crl + configMap: + name: istio-ca-crl + optional: true + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - name: istio-certs + secret: + optional: true + {{ if eq .Spec.ServiceAccountName "" }} + secretName: istio.default + {{ else -}} + secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} + {{ end -}} + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} + {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 4 }} + {{ end }} + {{ end }} + {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} + - name: lightstep-certs + secret: + optional: true + secretName: lightstep.cacert + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/kube-gateway.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/kube-gateway.yaml new file mode 100644 index 0000000000..616fb42c71 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/kube-gateway.yaml @@ -0,0 +1,401 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{.ServiceAccount | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + {{- if ge .KubeVersion 128 }} + # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" + {{- end }} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.istio.io/managed" "istio.io-gateway-controller" + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: "{{.UID}}" +spec: + selector: + matchLabels: + "{{.GatewayNameLabel}}": {{.Name}} + template: + metadata: + annotations: + {{- toJsonMap + (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") + (strdict "istio.io/rev" (.Revision | default "default")) + (strdict + "prometheus.io/path" "/stats/prometheus" + "prometheus.io/port" "15020" + "prometheus.io/scrape" "true" + ) | nindent 8 }} + labels: + {{- toJsonMap + (strdict + "sidecar.istio.io/inject" "false" + "service.istio.io/canonical-name" .DeploymentName + "service.istio.io/canonical-revision" "latest" + ) + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.istio.io/managed" "istio.io-gateway-controller" + ) | nindent 8 }} + spec: + securityContext: + {{- if .Values.gateways.securityContext }} + {{- toYaml .Values.gateways.securityContext | nindent 8 }} + {{- else }} + sysctls: + - name: net.ipv4.ip_unprivileged_port_start + value: "0" + {{- if .Values.gateways.seccompProfile }} + seccompProfile: + {{- toYaml .Values.gateways.seccompProfile | nindent 10 }} + {{- end }} + {{- end }} + serviceAccountName: {{.ServiceAccount | quote}} + containers: + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + {{- if .Values.global.proxy.resources }} + resources: + {{- toYaml .Values.global.proxy.resources | nindent 10 }} + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + securityContext: + capabilities: + drop: + - ALL + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsUser: {{ .ProxyUID | default "1337" }} + runAsGroup: {{ .ProxyGID | default "1337" }} + runAsNonRoot: true + ports: + - containerPort: 15020 + name: metrics + protocol: TCP + - containerPort: 15021 + name: status-port + protocol: TCP + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - router + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} + - --proxyComponentLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} + - --log_output_level + - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{- toYaml .Values.global.proxy.lifecycle | nindent 10 }} + {{- end }} + env: + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: "[]" + - name: ISTIO_META_APP_CONTAINERS + value: "" + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName .ClusterID }}" + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ .ProxyConfig.InterceptionMode.String }}" + {{- with (valueOrDefault (index .InfrastructureLabels "topology.istio.io/network") .Values.global.network) }} + - name: ISTIO_META_NETWORK + value: {{.|quote}} + {{- end }} + - name: ISTIO_META_WORKLOAD_NAME + value: {{.DeploymentName|quote}} + - name: ISTIO_META_OWNER + value: "kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}}" + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- with (index .InfrastructureLabels "topology.istio.io/network") }} + - name: ISTIO_META_REQUESTED_NETWORK_VIEW + value: {{.|quote}} + {{- end }} + startupProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 1 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + failureThreshold: 4 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 0 + periodSeconds: 15 + successThreshold: 1 + timeoutSeconds: 1 + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + - name: credential-socket + mountPath: /var/run/secrets/credential-uds + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + - name: istio-podinfo + mountPath: /etc/istio/pod + volumes: + - emptyDir: {} + name: workload-socket + - emptyDir: {} + name: credential-socket + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- else}} + - emptyDir: {} + name: workload-certs + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + {{- if eq ((.Values.pilot).env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +--- +apiVersion: v1 +kind: Service +metadata: + annotations: + {{ toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: {{.UID}} +spec: + ipFamilyPolicy: PreferDualStack + ports: + {{- range $key, $val := .Ports }} + - name: {{ $val.Name | quote }} + port: {{ $val.Port }} + protocol: TCP + appProtocol: {{ $val.AppProtocol }} + {{- end }} + selector: + "{{.GatewayNameLabel}}": {{.Name}} + {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} + loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} + {{- end }} + type: {{ .ServiceType | quote }} +--- +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: "{{.UID}}" +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{.DeploymentName | quote}} + maxReplicas: 1 +--- +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: "{{.UID}}" +spec: + selector: + matchLabels: + gateway.networking.k8s.io/gateway-name: {{.Name|quote}} + diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-ambient.yaml new file mode 100644 index 0000000000..495fbcd434 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-ambient.yaml @@ -0,0 +1,24 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" + serviceScopeConfigs: + - servicesSelector: + matchExpressions: + - key: istio.io/global + operator: In + values: ["true"] + scope: GLOBAL +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 0000000000..4f3dbef7ea --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-compatibility-version-1.24.yaml @@ -0,0 +1,15 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + PILOT_ENABLE_IP_AUTOALLOCATE: "false" + # 1.27 behavioral changes + ENABLE_NATIVE_SIDECARS: "false" +ambient: + dnsCapture: false + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..b2f45948c2 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,11 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.27 behavioral changes + ENABLE_NATIVE_SIDECARS: "false" +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-compatibility-version-1.26.yaml new file mode 100644 index 0000000000..af10697326 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-compatibility-version-1.26.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.27 behavioral changes + ENABLE_NATIVE_SIDECARS: "false" \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-demo.yaml new file mode 100644 index 0000000000..d6dc36dd0f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-demo.yaml @@ -0,0 +1,94 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The demo profile enables a variety of things to try out Istio in non-production environments. +# * Lower resource utilization. +# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. +# * More ports enabled on the ingress, which is used in some tasks. +meshConfig: + accessLogFile: /dev/stdout + extensionProviders: + - name: otel + envoyOtelAls: + service: opentelemetry-collector.observability.svc.cluster.local + port: 4317 + - name: skywalking + skywalking: + service: tracing.istio-system.svc.cluster.local + port: 11800 + - name: otel-tracing + opentelemetry: + port: 4317 + service: opentelemetry-collector.observability.svc.cluster.local + - name: jaeger + opentelemetry: + port: 4317 + service: jaeger-collector.istio-system.svc.cluster.local + +cni: + resources: + requests: + cpu: 10m + memory: 40Mi + +ztunnel: + resources: + requests: + cpu: 10m + memory: 40Mi + +global: + proxy: + resources: + requests: + cpu: 10m + memory: 40Mi + waypoint: + resources: + requests: + cpu: 10m + memory: 40Mi + +pilot: + autoscaleEnabled: false + traceSampling: 100 + resources: + requests: + cpu: 10m + memory: 100Mi + +gateways: + istio-egressgateway: + autoscaleEnabled: false + resources: + requests: + cpu: 10m + memory: 40Mi + istio-ingressgateway: + autoscaleEnabled: false + ports: + ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. + # Note that AWS ELB will by default perform health checks on the first port + # on this list. Setting this to the health check port will ensure that health + # checks always work. https://github.com/istio/istio/issues/12503 + - port: 15021 + targetPort: 15021 + name: status-port + - port: 80 + targetPort: 8080 + name: http2 + - port: 443 + targetPort: 8443 + name: https + - port: 31400 + targetPort: 31400 + name: tcp + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + resources: + requests: + cpu: 10m + memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-platform-gke.yaml new file mode 100644 index 0000000000..dfe8a7d741 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-platform-gke.yaml @@ -0,0 +1,10 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work + resourceQuotas: + enabled: true +resourceQuotas: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-platform-k3d.yaml new file mode 100644 index 0000000000..cd86d9ec58 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-platform-k3d.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-platform-k3s.yaml new file mode 100644 index 0000000000..07820106d9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-platform-k3s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-platform-microk8s.yaml new file mode 100644 index 0000000000..57d7f5e3cd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-platform-microk8s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/snap/microk8s/current/args/cni-network + cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-platform-minikube.yaml new file mode 100644 index 0000000000..fa9992e204 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-platform-minikube.yaml @@ -0,0 +1,6 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-platform-openshift.yaml new file mode 100644 index 0000000000..8ddc5e1654 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-platform-openshift.yaml @@ -0,0 +1,19 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The OpenShift profile provides a basic set of settings to run Istio on OpenShift +cni: + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + provider: "multus" +pilot: + cni: + enabled: true + provider: "multus" +seLinuxOptions: + type: spc_t +# Openshift requires privileged pods to run in kube-system +trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-preview.yaml new file mode 100644 index 0000000000..181d7bda2c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-preview.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +meshConfig: + defaultConfig: + proxyMetadata: + # Enable Istio agent to handle DNS requests for known hosts + # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf + ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-remote.yaml new file mode 100644 index 0000000000..d17b9a801a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-remote.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. +istiodRemote: + enabled: true +configMap: false +telemetry: + enabled: false +global: + # TODO BML maybe a different profile for a configcluster/revisit this + omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-stable.yaml new file mode 100644 index 0000000000..358282e69b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/profile-stable.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The stable profile deploys admission control to ensure that only stable resources and fields are used +# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE +experimental: + stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/waypoint.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/waypoint.yaml new file mode 100644 index 0000000000..3e6a2f5dc1 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/files/waypoint.yaml @@ -0,0 +1,396 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{.ServiceAccount | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + {{- if ge .KubeVersion 128 }} + # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" + {{- end }} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.istio.io/managed" .ControllerLabel + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" +spec: + selector: + matchLabels: + "{{.GatewayNameLabel}}": "{{.Name}}" + template: + metadata: + annotations: + {{- toJsonMap + (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") + (strdict "istio.io/rev" (.Revision | default "default")) + (strdict + "prometheus.io/path" "/stats/prometheus" + "prometheus.io/port" "15020" + "prometheus.io/scrape" "true" + ) | nindent 8 }} + labels: + {{- toJsonMap + (strdict + "sidecar.istio.io/inject" "false" + "istio.io/dataplane-mode" "none" + "service.istio.io/canonical-name" .DeploymentName + "service.istio.io/canonical-revision" "latest" + ) + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.istio.io/managed" .ControllerLabel + ) | nindent 8}} + spec: + {{- if .Values.global.waypoint.affinity }} + affinity: + {{- toYaml .Values.global.waypoint.affinity | nindent 8 }} + {{- end }} + {{- if .Values.global.waypoint.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml .Values.global.waypoint.topologySpreadConstraints | nindent 8 }} + {{- end }} + {{- if .Values.global.waypoint.nodeSelector }} + nodeSelector: + {{- toYaml .Values.global.waypoint.nodeSelector | nindent 8 }} + {{- end }} + {{- if .Values.global.waypoint.tolerations }} + tolerations: + {{- toYaml .Values.global.waypoint.tolerations | nindent 8 }} + {{- end }} + terminationGracePeriodSeconds: 2 + serviceAccountName: {{.ServiceAccount | quote}} + containers: + - name: istio-proxy + ports: + - containerPort: 15020 + name: metrics + protocol: TCP + - containerPort: 15021 + name: status-port + protocol: TCP + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + args: + - proxy + - waypoint + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --serviceCluster + - {{.ServiceAccount}}.$(POD_NAMESPACE) + - --proxyLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} + - --proxyComponentLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} + - --log_output_level + - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.outlierLogPath }} + - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }} + {{- end}} + env: + - name: ISTIO_META_SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + {{- if .ProxyConfig.ProxyMetadata }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + {{- $network := valueOrDefault (index .InfrastructureLabels `topology.istio.io/network`) .Values.global.network }} + {{- if $network }} + - name: ISTIO_META_NETWORK + value: "{{ $network }}" + {{- end }} + - name: ISTIO_META_INTERCEPTION_MODE + value: REDIRECT + - name: ISTIO_META_WORKLOAD_NAME + value: {{.DeploymentName}} + - name: ISTIO_META_OWNER + value: kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- if .Values.global.waypoint.resources }} + resources: + {{- toYaml .Values.global.waypoint.resources | nindent 10 }} + {{- end }} + startupProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 1 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + failureThreshold: 4 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 0 + periodSeconds: 15 + successThreshold: 1 + timeoutSeconds: 1 + securityContext: + privileged: false + {{- if not (eq .Values.global.platform "openshift") }} + runAsGroup: 1337 + runAsUser: 1337 + {{- end }} + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL +{{- if .Values.gateways.seccompProfile }} + seccompProfile: +{{- toYaml .Values.gateways.seccompProfile | nindent 12 }} +{{- end }} + volumeMounts: + - mountPath: /var/run/secrets/workload-spiffe-uds + name: workload-socket + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + - mountPath: /var/lib/istio/data + name: istio-data + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + - mountPath: /etc/istio/pod + name: istio-podinfo + volumes: + - emptyDir: {} + name: workload-socket + - emptyDir: + medium: Memory + name: istio-envoy + - emptyDir: + medium: Memory + name: go-proxy-envoy + - emptyDir: {} + name: istio-data + - emptyDir: {} + name: go-proxy-data + - downwardAPI: + items: + - fieldRef: + fieldPath: metadata.labels + path: labels + - fieldRef: + fieldPath: metadata.annotations + path: annotations + name: istio-podinfo + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: istio-ca + expirationSeconds: 43200 + path: istio-token + - name: istiod-ca-cert + {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +--- +apiVersion: v1 +kind: Service +metadata: + annotations: + {{ toJsonMap + (strdict "networking.istio.io/traffic-distribution" "PreferClose") + (omit .InfrastructureAnnotations + "kubectl.kubernetes.io/last-applied-configuration" + "gateway.istio.io/name-override" + "gateway.istio.io/service-account" + "gateway.istio.io/controller-version" + ) | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" +spec: + ipFamilyPolicy: PreferDualStack + ports: + {{- range $key, $val := .Ports }} + - name: {{ $val.Name | quote }} + port: {{ $val.Port }} + protocol: TCP + appProtocol: {{ $val.AppProtocol }} + {{- end }} + selector: + "{{.GatewayNameLabel}}": "{{.Name}}" + {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} + loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} + {{- end }} + type: {{ .ServiceType | quote }} +--- +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: "{{.UID}}" +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{.DeploymentName | quote}} + maxReplicas: 1 +--- +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: "{{.UID}}" +spec: + selector: + matchLabels: + gateway.networking.k8s.io/gateway-name: {{.Name|quote}} + diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/NOTES.txt new file mode 100644 index 0000000000..0d07ea7f4c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/NOTES.txt @@ -0,0 +1,82 @@ +"istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}" successfully installed! + +To learn more about the release, try: + $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} + $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} + +Next steps: +{{- $profile := default "" .Values.profile }} +{{- if (eq $profile "ambient") }} + * Get started with ambient: https://istio.io/latest/docs/ops/ambient/getting-started/ + * Review ambient's architecture: https://istio.io/latest/docs/ops/ambient/architecture/ +{{- else }} + * Deploy a Gateway: https://istio.io/latest/docs/setup/additional-setup/gateway/ + * Try out our tasks to get started on common configurations: + * https://istio.io/latest/docs/tasks/traffic-management + * https://istio.io/latest/docs/tasks/security/ + * https://istio.io/latest/docs/tasks/policy-enforcement/ +{{- end }} + * Review the list of actively supported releases, CVE publications and our hardening guide: + * https://istio.io/latest/docs/releases/supported-releases/ + * https://istio.io/latest/news/security/ + * https://istio.io/latest/docs/ops/best-practices/security/ + +For further documentation see https://istio.io website + +{{- + $deps := dict + "global.outboundTrafficPolicy" "meshConfig.outboundTrafficPolicy" + "global.certificates" "meshConfig.certificates" + "global.localityLbSetting" "meshConfig.localityLbSetting" + "global.policyCheckFailOpen" "meshConfig.policyCheckFailOpen" + "global.enableTracing" "meshConfig.enableTracing" + "global.proxy.accessLogFormat" "meshConfig.accessLogFormat" + "global.proxy.accessLogFile" "meshConfig.accessLogFile" + "global.proxy.concurrency" "meshConfig.defaultConfig.concurrency" + "global.proxy.envoyAccessLogService" "meshConfig.defaultConfig.envoyAccessLogService" + "global.proxy.envoyAccessLogService.enabled" "meshConfig.enableEnvoyAccessLogService" + "global.proxy.envoyMetricsService" "meshConfig.defaultConfig.envoyMetricsService" + "global.proxy.protocolDetectionTimeout" "meshConfig.protocolDetectionTimeout" + "global.proxy.holdApplicationUntilProxyStarts" "meshConfig.defaultConfig.holdApplicationUntilProxyStarts" + "pilot.ingress" "meshConfig.ingressService, meshConfig.ingressControllerMode, and meshConfig.ingressClass" + "global.mtls.enabled" "the PeerAuthentication resource" + "global.mtls.auto" "meshConfig.enableAutoMtls" + "global.tracer.lightstep.address" "meshConfig.defaultConfig.tracing.lightstep.address" + "global.tracer.lightstep.accessToken" "meshConfig.defaultConfig.tracing.lightstep.accessToken" + "global.tracer.zipkin.address" "meshConfig.defaultConfig.tracing.zipkin.address" + "global.tracer.datadog.address" "meshConfig.defaultConfig.tracing.datadog.address" + "global.meshExpansion.enabled" "Gateway and other Istio networking resources, such as in samples/multicluster/" + "istiocoredns.enabled" "the in-proxy DNS capturing (ISTIO_META_DNS_CAPTURE)" +}} +{{- range $dep, $replace := $deps }} +{{- /* Complex logic to turn the string above into a null-safe traversal like ((.Values.global).certificates */}} +{{- $res := tpl (print "{{" (repeat (split "." $dep | len) "(") ".Values." (replace "." ")." $dep) ")}}") $}} +{{- if not (eq $res "")}} +WARNING: {{$dep|quote}} is deprecated; use {{$replace|quote}} instead. +{{- end }} +{{- end }} +{{- + $failDeps := dict + "telemetry.v2.prometheus.configOverride" + "telemetry.v2.stackdriver.configOverride" + "telemetry.v2.stackdriver.disableOutbound" + "telemetry.v2.stackdriver.outboundAccessLogging" + "global.tracer.stackdriver.debug" "meshConfig.defaultConfig.tracing.stackdriver.debug" + "global.tracer.stackdriver.maxNumberOfAttributes" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAttributes" + "global.tracer.stackdriver.maxNumberOfAnnotations" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAnnotations" + "global.tracer.stackdriver.maxNumberOfMessageEvents" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfMessageEvents" + "meshConfig.defaultConfig.tracing.stackdriver.debug" "Istio supported tracers" + "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAttributes" "Istio supported tracers" + "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAnnotations" "Istio supported tracers" + "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfMessageEvents" "Istio supported tracers" +}} +{{- range $dep, $replace := $failDeps }} +{{- /* Complex logic to turn the string above into a null-safe traversal like ((.Values.global).certificates */}} +{{- $res := tpl (print "{{" (repeat (split "." $dep | len) "(") ".Values." (replace "." ")." $dep) ")}}") $}} +{{- if not (eq $res "")}} +{{fail (print $dep " is removed")}} +{{- end }} +{{- end }} +{{- if eq $.Values.global.pilotCertProvider "kubernetes" }} +{{- fail "pilotCertProvider=kubernetes is not supported" }} +{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/_helpers.tpl new file mode 100644 index 0000000000..042c92538d --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/_helpers.tpl @@ -0,0 +1,23 @@ +{{/* Default Prometheus is enabled if its enabled and there are no config overrides set */}} +{{ define "default-prometheus" }} +{{- and + (not .Values.meshConfig.defaultProviders) + .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.prometheus.enabled +}} +{{- end }} + +{{/* SD has metrics and logging split. Default metrics are enabled if SD is enabled */}} +{{ define "default-sd-metrics" }} +{{- and + (not .Values.meshConfig.defaultProviders) + .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled +}} +{{- end }} + +{{/* SD has metrics and logging split. */}} +{{ define "default-sd-logs" }} +{{- and + (not .Values.meshConfig.defaultProviders) + .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled +}} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/autoscale.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/autoscale.yaml new file mode 100644 index 0000000000..9b952ba857 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/autoscale.yaml @@ -0,0 +1,43 @@ +# Not created if istiod is running remotely +{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} +{{- if and .Values.autoscaleEnabled .Values.autoscaleMin .Values.autoscaleMax }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +spec: + maxReplicas: {{ .Values.autoscaleMax }} + minReplicas: {{ .Values.autoscaleMin }} + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + metrics: + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.cpu.targetAverageUtilization }} + {{- if .Values.memory.targetAverageUtilization }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.memory.targetAverageUtilization }} + {{- end }} + {{- if .Values.autoscaleBehavior }} + behavior: {{ toYaml .Values.autoscaleBehavior | nindent 4 }} + {{- end }} +--- +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/clusterrole.yaml new file mode 100644 index 0000000000..40f39511ac --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/clusterrole.yaml @@ -0,0 +1,213 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} +{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +rules: + # sidecar injection controller + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update", "patch"] + + # configuration validation webhook controller + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update"] + + # istio configuration + # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382) + # please proceed with caution + - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] + verbs: ["get", "watch", "list"] + resources: ["*"] +{{- if .Values.global.istiod.enableAnalysis }} + - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] + verbs: ["update", "patch"] + resources: + - authorizationpolicies/status + - destinationrules/status + - envoyfilters/status + - gateways/status + - peerauthentications/status + - proxyconfigs/status + - requestauthentications/status + - serviceentries/status + - sidecars/status + - telemetries/status + - virtualservices/status + - wasmplugins/status + - workloadentries/status + - workloadgroups/status +{{- end }} + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "workloadentries" ] + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "workloadentries/status", "serviceentries/status" ] + - apiGroups: ["security.istio.io"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "authorizationpolicies/status" ] + - apiGroups: [""] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "services/status" ] + + # auto-detect installed CRD definitions + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch"] + + # discovery and routing + - apiGroups: [""] + resources: ["pods", "nodes", "services", "namespaces", "endpoints"] + verbs: ["get", "list", "watch"] + - apiGroups: ["discovery.k8s.io"] + resources: ["endpointslices"] + verbs: ["get", "list", "watch"] + +{{- if .Values.taint.enabled }} + - apiGroups: [""] + resources: ["nodes"] + verbs: ["patch"] +{{- end }} + + # ingress controller +{{- if .Values.global.istiod.enableAnalysis }} + - apiGroups: ["extensions", "networking.k8s.io"] + resources: ["ingresses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["extensions", "networking.k8s.io"] + resources: ["ingresses/status"] + verbs: ["*"] +{{- end}} + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses", "ingressclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses/status"] + verbs: ["*"] + + # required for CA's namespace controller + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["create", "get", "list", "watch", "update"] + + # Istiod and bootstrap. +{{- $omitCertProvidersForClusterRole := list "istiod" "custom" "none"}} +{{- if or .Values.env.EXTERNAL_CA (not (has .Values.global.pilotCertProvider $omitCertProvidersForClusterRole)) }} + - apiGroups: ["certificates.k8s.io"] + resources: + - "certificatesigningrequests" + - "certificatesigningrequests/approval" + - "certificatesigningrequests/status" + verbs: ["update", "create", "get", "delete", "watch"] + - apiGroups: ["certificates.k8s.io"] + resources: + - "signers" + resourceNames: +{{- range .Values.global.certSigners }} + - {{ . | quote }} +{{- end }} + verbs: ["approve"] +{{- end}} +{{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + - apiGroups: ["certificates.k8s.io"] + resources: ["clustertrustbundles"] + verbs: ["update", "create", "delete", "list", "watch", "get"] + - apiGroups: ["certificates.k8s.io"] + resources: ["signers"] + resourceNames: ["istio.io/istiod-ca"] + verbs: ["attest"] +{{- end }} + + # Used by Istiod to verify the JWT tokens + - apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] + + # Used by Istiod to verify gateway SDS + - apiGroups: ["authorization.k8s.io"] + resources: ["subjectaccessreviews"] + verbs: ["create"] + + # Use for Kubernetes Service APIs + - apiGroups: ["gateway.networking.k8s.io", "gateway.networking.x-k8s.io"] + resources: ["*"] + verbs: ["get", "watch", "list"] + - apiGroups: ["gateway.networking.x-k8s.io"] + resources: + - xbackendtrafficpolicies/status + - xlistenersets/status + verbs: ["update", "patch"] + - apiGroups: ["gateway.networking.k8s.io"] + resources: + - backendtlspolicies/status + - gatewayclasses/status + - gateways/status + - grpcroutes/status + - httproutes/status + - referencegrants/status + - tcproutes/status + - tlsroutes/status + - udproutes/status + verbs: ["update", "patch"] + - apiGroups: ["gateway.networking.k8s.io"] + resources: ["gatewayclasses"] + verbs: ["create", "update", "patch", "delete"] + - apiGroups: ["inference.networking.k8s.io"] + resources: ["inferencepools"] + verbs: ["get", "watch", "list"] + - apiGroups: ["inference.networking.k8s.io"] + resources: ["inferencepools/status"] + verbs: ["update", "patch"] + + # Needed for multicluster secret reading, possibly ingress certs in the future + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "watch", "list"] + + # Used for MCS serviceexport management + - apiGroups: ["{{ $mcsAPIGroup }}"] + resources: ["serviceexports"] + verbs: [ "get", "watch", "list", "create", "delete"] + + # Used for MCS serviceimport management + - apiGroups: ["{{ $mcsAPIGroup }}"] + resources: ["serviceimports"] + verbs: ["get", "watch", "list"] +--- +{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +rules: + - apiGroups: ["apps"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "deployments" ] + - apiGroups: ["autoscaling"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "horizontalpodautoscalers" ] + - apiGroups: ["policy"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "poddisruptionbudgets" ] + - apiGroups: [""] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "services" ] + - apiGroups: [""] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "serviceaccounts"] +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..1b8fa4d079 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/clusterrolebinding.yaml @@ -0,0 +1,40 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} +subjects: + - kind: ServiceAccount + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} +--- +{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} +subjects: +- kind: ServiceAccount + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/configmap-jwks.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/configmap-jwks.yaml new file mode 100644 index 0000000000..9d931c4065 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/configmap-jwks.yaml @@ -0,0 +1,18 @@ +# Not created if istiod is running remotely +{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} +{{- if .Values.jwksResolverExtraRootCA }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +data: + extra.pem: {{ .Values.jwksResolverExtraRootCA | quote }} +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/configmap-values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/configmap-values.yaml new file mode 100644 index 0000000000..75e6e0bcc6 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/configmap-values.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: values{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + annotations: + kubernetes.io/description: This ConfigMap contains the Helm values used during chart rendering. This ConfigMap is rendered for debugging purposes and external tooling; modifying these values has no effect. + labels: + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +data: + original-values: |- +{{ .Values._original | toPrettyJson | indent 4 }} +{{- $_ := unset $.Values "_original" }} + merged-values: |- +{{ .Values | toPrettyJson | indent 4 }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/configmap.yaml new file mode 100644 index 0000000000..a8446a6fc9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/configmap.yaml @@ -0,0 +1,111 @@ +{{- define "mesh" }} + # The trust domain corresponds to the trust root of a system. + # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain + trustDomain: "cluster.local" + + # The namespace to treat as the administrative root namespace for Istio configuration. + # When processing a leaf namespace Istio will search for declarations in that namespace first + # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace + # is processed as if it were declared in the leaf namespace. + rootNamespace: {{ .Values.meshConfig.rootNamespace | default .Values.global.istioNamespace }} + + {{ $prom := include "default-prometheus" . | eq "true" }} + {{ $sdMetrics := include "default-sd-metrics" . | eq "true" }} + {{ $sdLogs := include "default-sd-logs" . | eq "true" }} + {{- if or $prom $sdMetrics $sdLogs }} + defaultProviders: + {{- if or $prom $sdMetrics }} + metrics: + {{ if $prom }}- prometheus{{ end }} + {{ if and $sdMetrics $sdLogs }}- stackdriver{{ end }} + {{- end }} + {{- if and $sdMetrics $sdLogs }} + accessLogging: + - stackdriver + {{- end }} + {{- end }} + + defaultConfig: + {{- if .Values.global.meshID }} + meshId: "{{ .Values.global.meshID }}" + {{- end }} + {{- with (.Values.global.proxy.variant | default .Values.global.variant) }} + image: + imageType: {{. | quote}} + {{- end }} + {{- if not (eq .Values.global.proxy.tracer "none") }} + tracing: + {{- if eq .Values.global.proxy.tracer "lightstep" }} + lightstep: + # Address of the LightStep Satellite pool + address: {{ .Values.global.tracer.lightstep.address }} + # Access Token used to communicate with the Satellite pool + accessToken: {{ .Values.global.tracer.lightstep.accessToken }} + {{- else if eq .Values.global.proxy.tracer "zipkin" }} + zipkin: + # Address of the Zipkin collector + address: {{ ((.Values.global.tracer).zipkin).address | default (print "zipkin." .Values.global.istioNamespace ":9411") }} + {{- else if eq .Values.global.proxy.tracer "datadog" }} + datadog: + # Address of the Datadog Agent + address: {{ ((.Values.global.tracer).datadog).address | default "$(HOST_IP):8126" }} + {{- else if eq .Values.global.proxy.tracer "stackdriver" }} + stackdriver: + # enables trace output to stdout. + debug: {{ (($.Values.global.tracer).stackdriver).debug | default "false" }} + # The global default max number of attributes per span. + maxNumberOfAttributes: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAttributes | default "200" }} + # The global default max number of annotation events per span. + maxNumberOfAnnotations: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAnnotations | default "200" }} + # The global default max number of message events per span. + maxNumberOfMessageEvents: {{ (($.Values.global.tracer).stackdriver).maxNumberOfMessageEvents | default "200" }} + {{- end }} + {{- end }} + {{- if .Values.global.remotePilotAddress }} + {{- if and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod }} + # only primary `istiod` to xds and local `istiod` injection installs. + discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012 + {{- else }} + discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012 + {{- end }} + {{- else }} + discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012 + {{- end }} +{{- end }} + +{{/* We take the mesh config above, defined with individual values.yaml, and merge with .Values.meshConfig */}} +{{/* The intent here is that meshConfig.foo becomes the API, rather than re-inventing the API in values.yaml */}} +{{- $originalMesh := include "mesh" . | fromYaml }} +{{- $mesh := mergeOverwrite $originalMesh .Values.meshConfig }} + +{{- if .Values.configMap }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +data: + + # Configuration file for the mesh networks to be used by the Split Horizon EDS. + meshNetworks: |- + {{- if .Values.global.meshNetworks }} + networks: +{{ toYaml .Values.global.meshNetworks | trim | indent 6 }} + {{- else }} + networks: {} + {{- end }} + + mesh: |- +{{- if .Values.meshConfig }} +{{ $mesh | toYaml | indent 4 }} +{{- else }} +{{- include "mesh" . }} +{{- end }} +--- +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/deployment.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/deployment.yaml new file mode 100644 index 0000000000..1b769c6ec7 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/deployment.yaml @@ -0,0 +1,312 @@ +# Not created if istiod is running remotely +{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + istio: pilot + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +{{- range $key, $val := .Values.deploymentLabels }} + {{ $key }}: "{{ $val }}" +{{- end }} + {{- if .Values.deploymentAnnotations }} + annotations: +{{ toYaml .Values.deploymentAnnotations | indent 4 }} + {{- end }} +spec: +{{- if not .Values.autoscaleEnabled }} +{{- if .Values.replicaCount }} + replicas: {{ .Values.replicaCount }} +{{- end }} +{{- end }} + strategy: + rollingUpdate: + maxSurge: {{ .Values.rollingMaxSurge }} + maxUnavailable: {{ .Values.rollingMaxUnavailable }} + selector: + matchLabels: + {{- if ne .Values.revision "" }} + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + {{- else }} + istio: pilot + {{- end }} + template: + metadata: + labels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + sidecar.istio.io/inject: "false" + operator.istio.io/component: "Pilot" + {{- if ne .Values.revision "" }} + istio: istiod + {{- else }} + istio: pilot + {{- end }} + {{- range $key, $val := .Values.podLabels }} + {{ $key }}: "{{ $val }}" + {{- end }} + istio.io/dataplane-mode: none + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 8 }} + annotations: + prometheus.io/port: "15014" + prometheus.io/scrape: "true" + sidecar.istio.io/inject: "false" + {{- if .Values.podAnnotations }} +{{ toYaml .Values.podAnnotations | indent 8 }} + {{- end }} + spec: +{{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 8 }} +{{- end }} +{{- with .Values.affinity }} + affinity: +{{- toYaml . | nindent 8 }} +{{- end }} + tolerations: + - key: cni.istio.io/not-ready + operator: "Exists" +{{- with .Values.tolerations }} +{{- toYaml . | nindent 8 }} +{{- end }} +{{- with .Values.topologySpreadConstraints }} + topologySpreadConstraints: +{{- toYaml . | nindent 8 }} +{{- end }} + serviceAccountName: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} +{{- if .Values.global.priorityClassName }} + priorityClassName: "{{ .Values.global.priorityClassName }}" +{{- end }} +{{- with .Values.initContainers }} + initContainers: + {{- tpl (toYaml .) $ | nindent 8 }} +{{- end }} + containers: + - name: discovery +{{- if contains "/" .Values.image }} + image: "{{ .Values.image }}" +{{- else }} + image: "{{ .Values.hub | default .Values.global.hub }}/{{ .Values.image | default "pilot" }}:{{ .Values.tag | default .Values.global.tag }}{{with (.Values.variant | default .Values.global.variant)}}-{{.}}{{end}}" +{{- end }} +{{- if .Values.global.imagePullPolicy }} + imagePullPolicy: {{ .Values.global.imagePullPolicy }} +{{- end }} + args: + - "discovery" + - --monitoringAddr=:15014 +{{- if .Values.global.logging.level }} + - --log_output_level={{ .Values.global.logging.level }} +{{- end}} +{{- if .Values.global.logAsJson }} + - --log_as_json +{{- end }} + - --domain + - {{ .Values.global.proxy.clusterDomain }} +{{- if .Values.taint.namespace }} + - --cniNamespace={{ .Values.taint.namespace }} +{{- end }} + - --keepaliveMaxServerConnectionAge + - "{{ .Values.keepaliveMaxServerConnectionAge }}" +{{- if .Values.extraContainerArgs }} + {{- with .Values.extraContainerArgs }} + {{- toYaml . | nindent 10 }} + {{- end }} +{{- end }} + ports: + - containerPort: 8080 + protocol: TCP + name: http-debug + - containerPort: 15010 + protocol: TCP + name: grpc-xds + - containerPort: 15012 + protocol: TCP + name: tls-xds + - containerPort: 15017 + protocol: TCP + name: https-webhooks + - containerPort: 15014 + protocol: TCP + name: http-monitoring + readinessProbe: + httpGet: + path: /ready + port: 8080 + initialDelaySeconds: 1 + periodSeconds: 3 + timeoutSeconds: 5 + env: + - name: REVISION + value: "{{ .Values.revision | default `default` }}" + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.serviceAccountName + - name: KUBECONFIG + value: /var/run/secrets/remote/config + # If you explicitly told us where ztunnel lives, use that. + # Otherwise, assume it lives in our namespace + # Also, check for an explicit ENV override (legacy approach) and prefer that + # if present + {{ $ztTrustedNS := or .Values.trustedZtunnelNamespace .Release.Namespace }} + {{ $ztTrustedName := or .Values.trustedZtunnelName "ztunnel" }} + {{- if not .Values.env.CA_TRUSTED_NODE_ACCOUNTS }} + - name: CA_TRUSTED_NODE_ACCOUNTS + value: "{{ $ztTrustedNS }}/{{ $ztTrustedName }}" + {{- end }} + {{- if .Values.env }} + {{- range $key, $val := .Values.env }} + - name: {{ $key }} + value: "{{ $val }}" + {{- end }} + {{- end }} + {{- with .Values.envVarFrom }} + {{- toYaml . | nindent 10 }} + {{- end }} +{{- if .Values.traceSampling }} + - name: PILOT_TRACE_SAMPLING + value: "{{ .Values.traceSampling }}" +{{- end }} +# If externalIstiod is set via Values.Global, then enable the pilot env variable. However, if it's set via Values.pilot.env, then +# don't set it here to avoid duplication. +# TODO (nshankar13): Move from Helm chart to code: https://github.com/istio/istio/issues/52449 +{{- if and .Values.global.externalIstiod (not (and .Values.env .Values.env.EXTERNAL_ISTIOD)) }} + - name: EXTERNAL_ISTIOD + value: "{{ .Values.global.externalIstiod }}" +{{- end }} +{{- if .Values.global.trustBundleName }} + - name: PILOT_CA_CERT_CONFIGMAP + value: "{{ .Values.global.trustBundleName }}" +{{- end }} + - name: PILOT_ENABLE_ANALYSIS + value: "{{ .Values.global.istiod.enableAnalysis }}" + - name: CLUSTER_ID + value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}" + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + divisor: "1" + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + divisor: "1" + - name: PLATFORM + value: "{{ coalesce .Values.global.platform .Values.platform }}" + resources: +{{- if .Values.resources }} +{{ toYaml .Values.resources | trim | indent 12 }} +{{- else }} +{{ toYaml .Values.global.defaultResources | trim | indent 12 }} +{{- end }} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL +{{- if .Values.seccompProfile }} + seccompProfile: +{{ toYaml .Values.seccompProfile | trim | indent 14 }} +{{- end }} + volumeMounts: + - name: istio-token + mountPath: /var/run/secrets/tokens + readOnly: true + - name: local-certs + mountPath: /var/run/secrets/istio-dns + - name: cacerts + mountPath: /etc/cacerts + readOnly: true + - name: istio-kubeconfig + mountPath: /var/run/secrets/remote + readOnly: true + {{- if .Values.jwksResolverExtraRootCA }} + - name: extracacerts + mountPath: /cacerts + {{- end }} + - name: istio-csr-dns-cert + mountPath: /var/run/secrets/istiod/tls + readOnly: true + - name: istio-csr-ca-configmap + mountPath: /var/run/secrets/istiod/ca + readOnly: true + {{- with .Values.volumeMounts }} + {{- toYaml . | nindent 10 }} + {{- end }} + volumes: + # Technically not needed on this pod - but it helps debugging/testing SDS + # Should be removed after everything works. + - emptyDir: + medium: Memory + name: local-certs + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: {{ .Values.global.sds.token.aud }} + expirationSeconds: 43200 + path: istio-token + # Optional: user-generated root + - name: cacerts + secret: + secretName: cacerts + optional: true + - name: istio-kubeconfig + secret: + secretName: istio-kubeconfig + optional: true + # Optional: istio-csr dns pilot certs + - name: istio-csr-dns-cert + secret: + secretName: istiod-tls + optional: true + - name: istio-csr-ca-configmap + {{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} + path: root-cert.pem + optional: true + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + defaultMode: 420 + optional: true + {{- end }} + {{- if .Values.jwksResolverExtraRootCA }} + - name: extracacerts + configMap: + name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- end }} + {{- with .Values.volumes }} + {{- toYaml . | nindent 6}} + {{- end }} + +--- +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/gateway-class-configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/gateway-class-configmap.yaml new file mode 100644 index 0000000000..6b23d716a4 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/gateway-class-configmap.yaml @@ -0,0 +1,20 @@ +{{ range $key, $value := .Values.gatewayClasses }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-{{ $.Values.revision | default "default" }}-gatewayclass-{{$key}} + namespace: {{ $.Release.Namespace }} + labels: + istio.io/rev: {{ $.Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + release: {{ $.Release.Name }} + app.kubernetes.io/name: "istiod" + gateway.istio.io/defaults-for-class: {{$key|quote}} + {{- include "istio.labels" $ | nindent 4 }} +data: +{{ range $kind, $overlay := $value }} + {{$kind}}: | +{{$overlay|toYaml|trim|indent 4}} +{{ end }} +--- +{{ end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/istiod-injector-configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/istiod-injector-configmap.yaml new file mode 100644 index 0000000000..171aff8861 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/istiod-injector-configmap.yaml @@ -0,0 +1,81 @@ +{{- if not .Values.global.omitSidecarInjectorConfigMap }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +data: +{{/* Scope the values to just top level fields used in the template, to reduce the size. */}} + values: |- +{{ $vals := pick .Values "global" "sidecarInjectorWebhook" "revision" -}} +{{ $pilotVals := pick .Values "cni" "env" -}} +{{ $vals = set $vals "pilot" $pilotVals -}} +{{ $gatewayVals := pick .Values.gateways "securityContext" "seccompProfile" -}} +{{ $vals = set $vals "gateways" $gatewayVals -}} +{{ $vals | toPrettyJson | indent 4 }} + + # To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching + # and istiod webhook functionality. + # + # New fields should not use Values - it is a 'primary' config object, users should be able + # to fine tune it or use it with kube-inject. + config: |- + # defaultTemplates defines the default template to use for pods that do not explicitly specify a template + {{- if .Values.sidecarInjectorWebhook.defaultTemplates }} + defaultTemplates: +{{- range .Values.sidecarInjectorWebhook.defaultTemplates}} + - {{ . }} +{{- end }} + {{- else }} + defaultTemplates: [sidecar] + {{- end }} + policy: {{ .Values.global.proxy.autoInject }} + alwaysInjectSelector: +{{ toYaml .Values.sidecarInjectorWebhook.alwaysInjectSelector | trim | indent 6 }} + neverInjectSelector: +{{ toYaml .Values.sidecarInjectorWebhook.neverInjectSelector | trim | indent 6 }} + injectedAnnotations: + {{- range $key, $val := .Values.sidecarInjectorWebhook.injectedAnnotations }} + "{{ $key }}": {{ $val | quote }} + {{- end }} + {{- /* If someone ends up with this new template, but an older Istiod image, they will attempt to render this template + which will fail with "Pod injection failed: template: inject:1: function "Istio_1_9_Required_Template_And_Version_Mismatched" not defined". + This should make it obvious that their installation is broken. + */}} + template: {{ `{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}` | quote }} + templates: +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "sidecar") }} + sidecar: | +{{ .Files.Get "files/injection-template.yaml" | trim | indent 8 }} +{{- end }} +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "gateway") }} + gateway: | +{{ .Files.Get "files/gateway-injection-template.yaml" | trim | indent 8 }} +{{- end }} +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-simple") }} + grpc-simple: | +{{ .Files.Get "files/grpc-simple.yaml" | trim | indent 8 }} +{{- end }} +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-agent") }} + grpc-agent: | +{{ .Files.Get "files/grpc-agent.yaml" | trim | indent 8 }} +{{- end }} +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "waypoint") }} + waypoint: | +{{ .Files.Get "files/waypoint.yaml" | trim | indent 8 }} +{{- end }} +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "kube-gateway") }} + kube-gateway: | +{{ .Files.Get "files/kube-gateway.yaml" | trim | indent 8 }} +{{- end }} +{{- with .Values.sidecarInjectorWebhook.templates }} +{{ toYaml . | trim | indent 6 }} +{{- end }} + +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/mutatingwebhook.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/mutatingwebhook.yaml new file mode 100644 index 0000000000..ca017194e6 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/mutatingwebhook.yaml @@ -0,0 +1,164 @@ +# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that. +{{- /* Core defines the common configuration used by all webhook segments */}} +{{/* Copy just what we need to avoid expensive deepCopy */}} +{{- $whv := dict +"revision" .Values.revision + "injectionPath" .Values.istiodRemote.injectionPath + "injectionURL" .Values.istiodRemote.injectionURL + "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy + "caBundle" .Values.istiodRemote.injectionCABundle + "namespace" .Release.Namespace }} +{{- define "core" }} +{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign +a unique prefix to each. */}} +- name: {{.Prefix}}sidecar-injector.istio.io + clientConfig: + {{- if .injectionURL }} + url: "{{ .injectionURL }}" + {{- else }} + service: + name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} + namespace: {{ .namespace }} + path: "{{ .injectionPath }}" + port: 443 + {{- end }} + {{- if .caBundle }} + caBundle: "{{ .caBundle }}" + {{- end }} + sideEffects: None + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + reinvocationPolicy: "{{ .reinvocationPolicy }}" + admissionReviewVersions: ["v1"] +{{- end }} +{{- /* Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) */}} +{{- if not .Values.global.operatorManageWebhooks }} +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: +{{- if eq .Release.Namespace "istio-system"}} + name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} +{{- else }} + name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} +{{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app: sidecar-injector + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +{{- if $.Values.sidecarInjectorWebhookAnnotations }} + annotations: +{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }} +{{- end }} +webhooks: +{{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}} + +{{- /* Case 1: namespace selector matches, and object doesn't disable */}} +{{- /* Note: if both revision and legacy selector, we give precedence to the legacy one */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + {{- if (eq .Values.revision "") }} + - "default" + {{- else }} + - "{{ .Values.revision }}" + {{- end }} + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + +{{- /* Case 2: No namespace selector, but object selects our revision (and doesn't disable) */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: DoesNotExist + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + - key: istio.io/rev + operator: In + values: + {{- if (eq .Values.revision "") }} + - "default" + {{- else }} + - "{{ .Values.revision }}" + {{- end }} + + +{{- /* Webhooks for default revision */}} +{{- if (eq .Values.revision "") }} + +{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: In + values: + - enabled + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + +{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: In + values: + - "true" + - key: istio.io/rev + operator: DoesNotExist + +{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }} +{{- /* Special case 3: no labels at all */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + - key: "kubernetes.io/metadata.name" + operator: "NotIn" + values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist +{{- end }} + +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/networkpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/networkpolicy.yaml new file mode 100644 index 0000000000..bcc1594d97 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/networkpolicy.yaml @@ -0,0 +1,45 @@ +{{- if (.Values.global.networkPolicy).enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + istio: pilot + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + policyTypes: + - Ingress + - Egress + ingress: + # Webhook from kube-apiserver + - from: [] + ports: + - protocol: TCP + port: 15017 + # xDS from potentially anywhere + - from: [] + ports: + - protocol: TCP + port: 15010 + - protocol: TCP + port: 15011 + - protocol: TCP + port: 15012 + - protocol: TCP + port: 8080 + - protocol: TCP + port: 15014 + # Allow all egress (needed because features like JWKS require connections to user-defined endpoints) + egress: + - {} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/poddisruptionbudget.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/poddisruptionbudget.yaml new file mode 100644 index 0000000000..fcd6c7c2e4 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/poddisruptionbudget.yaml @@ -0,0 +1,39 @@ +# Not created if istiod is running remotely +{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} +{{- if .Values.global.defaultPodDisruptionBudget.enabled }} +# a workaround for https://github.com/kubernetes/kubernetes/issues/93476 +{{- if or (and .Values.autoscaleEnabled (gt (int .Values.autoscaleMin) 1)) (and (not .Values.autoscaleEnabled) (gt (int .Values.replicaCount) 1)) }} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + release: {{ .Release.Name }} + istio: pilot + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +spec: + {{- if and .Values.pdb.minAvailable (not (hasKey .Values.pdb "maxUnavailable")) }} + minAvailable: {{ .Values.pdb.minAvailable }} + {{- else if .Values.pdb.maxUnavailable }} + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + {{- end }} + {{- if .Values.pdb.unhealthyPodEvictionPolicy }} + unhealthyPodEvictionPolicy: {{ .Values.pdb.unhealthyPodEvictionPolicy }} + {{- end }} + selector: + matchLabels: + app: istiod + {{- if ne .Values.revision "" }} + istio.io/rev: {{ .Values.revision | quote }} + {{- else }} + istio: pilot + {{- end }} +--- +{{- end }} +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/reader-clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/reader-clusterrole.yaml new file mode 100644 index 0000000000..dbaa805035 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/reader-clusterrole.yaml @@ -0,0 +1,62 @@ +{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istio-reader + release: {{ .Release.Name }} + app.kubernetes.io/name: "istio-reader" + {{- include "istio.labels" . | nindent 4 }} +rules: + - apiGroups: + - "config.istio.io" + - "security.istio.io" + - "networking.istio.io" + - "authentication.istio.io" + - "rbac.istio.io" + - "telemetry.istio.io" + - "extensions.istio.io" + resources: ["*"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"] + verbs: ["get", "list", "watch"] + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list" ] + resources: [ "workloadentries" ] + - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] + resources: ["gateways"] + verbs: ["get", "watch", "list"] + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch"] + - apiGroups: ["discovery.k8s.io"] + resources: ["endpointslices"] + verbs: ["get", "list", "watch"] + - apiGroups: ["{{ $mcsAPIGroup }}"] + resources: ["serviceexports"] + verbs: ["get", "list", "watch", "create", "delete"] + - apiGroups: ["{{ $mcsAPIGroup }}"] + resources: ["serviceimports"] + verbs: ["get", "list", "watch"] + - apiGroups: ["apps"] + resources: ["replicasets"] + verbs: ["get", "list", "watch"] + - apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] + - apiGroups: ["authorization.k8s.io"] + resources: ["subjectaccessreviews"] + verbs: ["create"] +{{- if .Values.istiodRemote.enabled }} + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["create", "get", "list", "watch", "update"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update"] +{{- end}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/reader-clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/reader-clusterrolebinding.yaml new file mode 100644 index 0000000000..aea9f01f7a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/reader-clusterrolebinding.yaml @@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istio-reader + release: {{ .Release.Name }} + app.kubernetes.io/name: "istio-reader" + {{- include "istio.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} +subjects: + - kind: ServiceAccount + name: istio-reader-service-account + namespace: {{ .Values.global.istioNamespace }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/remote-istiod-endpoints.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/remote-istiod-endpoints.yaml new file mode 100644 index 0000000000..f13b8ce9a9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/remote-istiod-endpoints.yaml @@ -0,0 +1,30 @@ +{{- if and .Values.global.remotePilotAddress .Values.istiodRemote.enabled }} +# if the remotePilotAddress is an IP addr +{{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }} +apiVersion: v1 +kind: Endpoints +metadata: + {{- if .Values.istiodRemote.enabledLocalInjectorIstiod }} + # This file is only used for remote `istiod` installs. + # only primary `istiod` to xds and local `istiod` injection installs. + name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote + {{- else }} + name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }} + {{- end }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +subsets: +- addresses: + - ip: {{ .Values.global.remotePilotAddress }} + ports: + - port: 15012 + name: tcp-istiod + protocol: TCP + - port: 15017 + name: tcp-webhook + protocol: TCP +--- +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/remote-istiod-service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/remote-istiod-service.yaml new file mode 100644 index 0000000000..0a48b9918b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/remote-istiod-service.yaml @@ -0,0 +1,41 @@ +# This file is only used for remote +{{- if and .Values.global.remotePilotAddress .Values.istiodRemote.enabled }} +apiVersion: v1 +kind: Service +metadata: + {{- if .Values.istiodRemote.enabledLocalInjectorIstiod }} + # only primary `istiod` to xds and local `istiod` injection installs. + name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote + {{- else }} + name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }} + {{- end }} + namespace: {{ .Release.Namespace }} + labels: + istio.io/rev: {{ .Values.revision | default "default" | quote }} + app.kubernetes.io/name: "istiod" + {{ include "istio.labels" . | nindent 4 }} +spec: + ports: + - port: 15012 + name: tcp-istiod + protocol: TCP + - port: 443 + targetPort: 15017 + name: tcp-webhook + protocol: TCP + {{- if and .Values.global.remotePilotAddress (not (regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress)) }} + # if the remotePilotAddress is not an IP addr, we use ExternalName + type: ExternalName + externalName: {{ .Values.global.remotePilotAddress }} + {{- end }} +{{- if .Values.global.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.global.ipFamilyPolicy }} +{{- end }} +{{- if .Values.global.ipFamilies }} + ipFamilies: +{{- range .Values.global.ipFamilies }} + - {{ . }} +{{- end }} +{{- end }} +--- +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/revision-tags.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/revision-tags.yaml new file mode 100644 index 0000000000..06764a826e --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/revision-tags.yaml @@ -0,0 +1,149 @@ +# Adapted from istio-discovery/templates/mutatingwebhook.yaml +# Removed paths for legacy and default selectors since a revision tag +# is inherently created from a specific revision +# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that. +{{- $whv := dict +"revision" .Values.revision + "injectionPath" .Values.istiodRemote.injectionPath + "injectionURL" .Values.istiodRemote.injectionURL + "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy + "caBundle" .Values.istiodRemote.injectionCABundle + "namespace" .Release.Namespace }} +{{- define "core" }} +{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign +a unique prefix to each. */}} +- name: {{.Prefix}}sidecar-injector.istio.io + clientConfig: + {{- if .injectionURL }} + url: "{{ .injectionURL }}" + {{- else }} + service: + name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} + namespace: {{ .namespace }} + path: "{{ .injectionPath }}" + port: 443 + {{- end }} + sideEffects: None + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + reinvocationPolicy: "{{ .reinvocationPolicy }}" + admissionReviewVersions: ["v1"] +{{- end }} +{{- range $tagName := $.Values.revisionTags }} +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: +{{- if eq $.Release.Namespace "istio-system"}} + name: istio-revision-tag-{{ $tagName }} +{{- else }} + name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }} +{{- end }} + labels: + istio.io/tag: {{ $tagName }} + istio.io/rev: {{ $.Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app: sidecar-injector + release: {{ $.Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" $ | nindent 4 }} +{{- if $.Values.sidecarInjectorWebhookAnnotations }} + annotations: +{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }} +{{- end }} +webhooks: +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + - "{{ $tagName }}" + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: DoesNotExist + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + - key: istio.io/rev + operator: In + values: + - "{{ $tagName }}" + +{{- /* When the tag is "default" we want to create webhooks for the default revision */}} +{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}} +{{- if (eq $tagName "default") }} + +{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: In + values: + - enabled + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + +{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: In + values: + - "true" + - key: istio.io/rev + operator: DoesNotExist + +{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }} +{{- /* Special case 3: no labels at all */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + - key: "kubernetes.io/metadata.name" + operator: "NotIn" + values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist +{{- end }} + +{{- end }} +--- +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/role.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/role.yaml new file mode 100644 index 0000000000..bbcfbe4356 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/role.yaml @@ -0,0 +1,35 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +rules: +# permissions to verify the webhook is ready and rejecting +# invalid config. We use --server-dry-run so no config is persisted. +- apiGroups: ["networking.istio.io"] + verbs: ["create"] + resources: ["gateways"] + +# For storing CA secret +- apiGroups: [""] + resources: ["secrets"] + # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config + verbs: ["create", "get", "watch", "list", "update", "delete"] + +# For status controller, so it can delete the distribution report configmap +- apiGroups: [""] + resources: ["configmaps"] + verbs: ["delete"] + +# For gateway deployment controller +- apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "update", "patch", "create"] +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/rolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/rolebinding.yaml new file mode 100644 index 0000000000..0c66b38a7d --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/rolebinding.yaml @@ -0,0 +1,21 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} +subjects: + - kind: ServiceAccount + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/service.yaml new file mode 100644 index 0000000000..25bda4dfd2 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/service.yaml @@ -0,0 +1,57 @@ +# Not created if istiod is running remotely +{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} +apiVersion: v1 +kind: Service +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + {{- if .Values.serviceAnnotations }} + annotations: +{{ toYaml .Values.serviceAnnotations | indent 4 }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app: istiod + istio: pilot + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +spec: + ports: + - port: 15010 + name: grpc-xds # plaintext + protocol: TCP + - port: 15012 + name: https-dns # mTLS with k8s-signed cert + protocol: TCP + - port: 443 + name: https-webhook # validation and injection + targetPort: 15017 + protocol: TCP + - port: 15014 + name: http-monitoring # prometheus stats + protocol: TCP + selector: + app: istiod + {{- if ne .Values.revision "" }} + istio.io/rev: {{ .Values.revision | quote }} + {{- else }} + # Label used by the 'default' service. For versioned deployments we match with app and version. + # This avoids default deployment picking the canary + istio: pilot + {{- end }} + {{- if .Values.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.ipFamilyPolicy }} + {{- end }} + {{- if .Values.ipFamilies }} + ipFamilies: + {{- range .Values.ipFamilies }} + - {{ . }} + {{- end }} + {{- end }} + {{- if .Values.trafficDistribution }} + trafficDistribution: {{ .Values.trafficDistribution }} + {{- end }} +--- +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/serviceaccount.yaml new file mode 100644 index 0000000000..8b4a0c0faf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/serviceaccount.yaml @@ -0,0 +1,24 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} +apiVersion: v1 +kind: ServiceAccount + {{- if .Values.global.imagePullSecrets }} +imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} + {{- if .Values.serviceAccountAnnotations }} + annotations: +{{- toYaml .Values.serviceAccountAnnotations | nindent 4 }} + {{- end }} +{{- end }} +--- diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/validatingadmissionpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/validatingadmissionpolicy.yaml new file mode 100644 index 0000000000..8562a52d59 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/validatingadmissionpolicy.yaml @@ -0,0 +1,63 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} +{{- if .Values.experimental.stableValidationPolicy }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicy +metadata: + name: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" + labels: + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +spec: + failurePolicy: Fail + matchConstraints: + resourceRules: + - apiGroups: + - security.istio.io + - networking.istio.io + - telemetry.istio.io + - extensions.istio.io + apiVersions: ["*"] + operations: ["CREATE", "UPDATE"] + resources: ["*"] + objectSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + {{- if (eq .Values.revision "") }} + - "default" + {{- else }} + - "{{ .Values.revision }}" + {{- end }} + variables: + - name: isEnvoyFilter + expression: "object.kind == 'EnvoyFilter'" + - name: isWasmPlugin + expression: "object.kind == 'WasmPlugin'" + - name: isProxyConfig + expression: "object.kind == 'ProxyConfig'" + - name: isTelemetry + expression: "object.kind == 'Telemetry'" + validations: + - expression: "!variables.isEnvoyFilter" + - expression: "!variables.isWasmPlugin" + - expression: "!variables.isProxyConfig" + - expression: | + !( + variables.isTelemetry && ( + (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) || + (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) || + (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter)) + ) + ) +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicyBinding +metadata: + name: "stable-channel-policy-binding{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" +spec: + policyName: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" + validationActions: [Deny] +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/validatingwebhookconfiguration.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/validatingwebhookconfiguration.yaml new file mode 100644 index 0000000000..b49bf7fafd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/validatingwebhookconfiguration.yaml @@ -0,0 +1,68 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} +{{- if .Values.global.configValidation }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: istio-validator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} + istio: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +webhooks: + # Webhook handling per-revision validation. Mostly here so we can determine whether webhooks + # are rejecting invalid configs on a per-revision basis. + - name: rev.validation.istio.io + clientConfig: + # Should change from base but cannot for API compat + {{- if .Values.base.validationURL }} + url: {{ .Values.base.validationURL }} + {{- else }} + service: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} + path: "/validate" + {{- end }} + {{- if .Values.base.validationCABundle }} + caBundle: "{{ .Values.base.validationCABundle }}" + {{- end }} + rules: + - operations: + - CREATE + - UPDATE + apiGroups: + - security.istio.io + - networking.istio.io + - telemetry.istio.io + - extensions.istio.io + apiVersions: + - "*" + resources: + - "*" + {{- if .Values.base.validationCABundle }} + # Disable webhook controller in Pilot to stop patching it + failurePolicy: Fail + {{- else }} + # Fail open until the validation webhook is ready. The webhook controller + # will update this to `Fail` and patch in the `caBundle` when the webhook + # endpoint is ready. + failurePolicy: Ignore + {{- end }} + sideEffects: None + admissionReviewVersions: ["v1"] + objectSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + {{- if (eq .Values.revision "") }} + - "default" + {{- else }} + - "{{ .Values.revision }}" + {{- end }} +--- +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/zzy_descope_legacy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/zzy_descope_legacy.yaml new file mode 100644 index 0000000000..ae8fced298 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/zzy_descope_legacy.yaml @@ -0,0 +1,3 @@ +{{/* Copy anything under `.pilot` to `.`, to avoid the need to specify a redundant prefix. +Due to the file naming, this always happens after zzz_profile.yaml */}} +{{- $_ := mustMergeOverwrite $.Values (index $.Values "pilot") }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/zzz_profile.yaml new file mode 100644 index 0000000000..3d84956485 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/templates/zzz_profile.yaml @@ -0,0 +1,75 @@ +{{/* +WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. +The original version of this file is located at /manifests directory. +If you want to make a change in this file, edit the original one and run "make gen". + +Complex logic ahead... +We have three sets of values, in order of precedence (last wins): +1. The builtin values.yaml defaults +2. The profile the user selects +3. Users input (-f or --set) + +Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). + +However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). +We can then merge the profile onto the defaults, then the user settings onto that. +Finally, we can set all of that under .Values so the chart behaves without awareness. +*/}} +{{- if $.Values.defaults}} +{{ fail (cat + "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" + ($.Values.defaults | toYaml |nindent 4) +) }} +{{- end }} +{{- $defaults := $.Values._internal_defaults_do_not_set }} +{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} +{{- $profile := dict }} +{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} +{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} +{{- $profile = (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown profile" .) }} +{{- end }} +{{- end }} +{{- with .Values.compatibilityVersion }} +{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} +{{- end }} +{{- end }} +{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} +{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown platform" .) }} +{{- end }} +{{- end }} +{{- if $profile }} +{{- $a := mustMergeOverwrite $defaults $profile }} +{{- end }} +# Flatten globals, if defined on a per-chart basis +{{- if false }} +{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} +{{- end }} +{{- $x := set $.Values "_original" (deepCopy $.Values) }} +{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} + +{{/* +Labels that should be applied to ALL resources. +*/}} +{{- define "istio.labels" -}} +{{- if .Release.Service -}} +app.kubernetes.io/managed-by: {{ .Release.Service | quote }} +{{- end }} +{{- if .Release.Name }} +app.kubernetes.io/instance: {{ .Release.Name | quote }} +{{- end }} +app.kubernetes.io/part-of: "istio" +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +{{- if and .Chart.Name .Chart.Version }} +helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/values.yaml new file mode 100644 index 0000000000..6570ae1417 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/istiod/values.yaml @@ -0,0 +1,573 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + autoscaleEnabled: true + autoscaleMin: 1 + autoscaleMax: 5 + autoscaleBehavior: {} + replicaCount: 1 + rollingMaxSurge: 100% + rollingMaxUnavailable: 25% + + hub: "" + tag: "" + variant: "" + + # Can be a full hub/image:tag + image: pilot + traceSampling: 1.0 + + # Resources for a small pilot install + resources: + requests: + cpu: 500m + memory: 2048Mi + + # Set to `type: RuntimeDefault` to use the default profile if available. + seccompProfile: {} + + # Whether to use an existing CNI installation + cni: + enabled: false + provider: default + + # Additional container arguments + extraContainerArgs: [] + + env: {} + + envVarFrom: [] + + # Settings related to the untaint controller + # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready + # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes + taint: + # Controls whether or not the untaint controller is active + enabled: false + # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod + namespace: "" + + affinity: {} + + tolerations: [] + + cpu: + targetAverageUtilization: 80 + memory: {} + # targetAverageUtilization: 80 + + # Additional volumeMounts to the istiod container + volumeMounts: [] + + # Additional volumes to the istiod pod + volumes: [] + + # Inject initContainers into the istiod pod + initContainers: [] + + nodeSelector: {} + podAnnotations: {} + serviceAnnotations: {} + serviceAccountAnnotations: {} + sidecarInjectorWebhookAnnotations: {} + + topologySpreadConstraints: [] + + # You can use jwksResolverExtraRootCA to provide a root certificate + # in PEM format. This will then be trusted by pilot when resolving + # JWKS URIs. + jwksResolverExtraRootCA: "" + + # The following is used to limit how long a sidecar can be connected + # to a pilot. It balances out load across pilot instances at the cost of + # increasing system churn. + keepaliveMaxServerConnectionAge: 30m + + # Additional labels to apply to the deployment. + deploymentLabels: {} + + # Annotations to apply to the istiod deployment. + deploymentAnnotations: {} + + ## Mesh config settings + + # Install the mesh config map, generated from values.yaml. + # If false, pilot wil use default values (by default) or user-supplied values. + configMap: true + + # Additional labels to apply on the pod level for monitoring and logging configuration. + podLabels: {} + + # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + ipFamilyPolicy: "" + ipFamilies: [] + + # Ambient mode only. + # Set this if you install ztunnel to a different namespace from `istiod`. + # If set, `istiod` will allow connections from trusted node proxy ztunnels + # in the provided namespace. + # If unset, `istiod` will assume the trusted node proxy ztunnel resides + # in the same namespace as itself. + trustedZtunnelNamespace: "" + # Set this if you install ztunnel with a name different from the default. + trustedZtunnelName: "" + + sidecarInjectorWebhook: + # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or + # always skip the injection on pods that match that label selector, regardless of the global policy. + # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions + neverInjectSelector: [] + alwaysInjectSelector: [] + + # injectedAnnotations are additional annotations that will be added to the pod spec after injection + # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations: + # + # annotations: + # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default + # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default + # + # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before + # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify: + # injectedAnnotations: + # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default + # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default + injectedAnnotations: {} + + # This enables injection of sidecar in all namespaces, + # with the exception of namespaces with "istio-injection:disabled" annotation + # Only one environment should have this enabled. + enableNamespacesByDefault: false + + # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run + # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten. + # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur. + reinvocationPolicy: Never + + rewriteAppHTTPProbe: true + + # Templates defines a set of custom injection templates that can be used. For example, defining: + # + # templates: + # hello: | + # metadata: + # labels: + # hello: world + # + # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod + # being injected with the hello=world labels. + # This is intended for advanced configuration only; most users should use the built in template + templates: {} + + # Default templates specifies a set of default templates that are used in sidecar injection. + # By default, a template `sidecar` is always provided, which contains the template of default sidecar. + # To inject other additional templates, define it using the `templates` option, and add it to + # the default templates list. + # For example: + # + # templates: + # hello: | + # metadata: + # labels: + # hello: world + # + # defaultTemplates: ["sidecar", "hello"] + defaultTemplates: [] + istiodRemote: + # If `true`, indicates that this cluster/install should consume a "remote istiod" installation, + # and istiod itself will NOT be installed in this cluster - only the support resources necessary + # to utilize a remote instance. + enabled: false + + # If `true`, indicates that this cluster/install should consume a "local istiod" installation, + # local istiod inject sidecars + enabledLocalInjectorIstiod: false + + # Sidecar injector mutating webhook configuration clientConfig.url value. + # For example: https://$remotePilotAddress:15017/inject + # The host should not refer to a service running in the cluster; use a service reference by specifying + # the clientConfig.service field instead. + injectionURL: "" + + # Sidecar injector mutating webhook configuration path value for the clientConfig.service field. + # Override to pass env variables, for example: /inject/cluster/remote/net/network2 + injectionPath: "/inject" + + injectionCABundle: "" + telemetry: + enabled: true + v2: + # For Null VM case now. + # This also enables metadata exchange. + enabled: true + # Indicate if prometheus stats filter is enabled or not + prometheus: + enabled: true + # stackdriver filter settings. + stackdriver: + enabled: false + # Revision is set as 'version' label and part of the resource names when installing multiple control planes. + revision: "" + + # Revision tags are aliases to Istio control plane revisions + revisionTags: [] + + # For Helm compatibility. + ownerName: "" + + # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior + # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options + meshConfig: + enablePrometheusMerge: true + + experimental: + stableValidationPolicy: false + + global: + # Used to locate istiod. + istioNamespace: istio-system + # List of cert-signers to allow "approve" action in the istio cluster role + # + # certSigners: + # - clusterissuers.cert-manager.io/istio-ca + certSigners: [] + # enable pod disruption budget for the control plane, which is used to + # ensure Istio control plane components are gradually upgraded or recovered. + defaultPodDisruptionBudget: + enabled: true + # The values aren't mutable due to a current PodDisruptionBudget limitation + # minAvailable: 1 + + # A minimal set of requested resources to applied to all deployments so that + # Horizontal Pod Autoscaler will be able to function (if set). + # Each component can overwrite these default values by adding its own resources + # block in the relevant section below and setting the desired resources values. + defaultResources: + requests: + cpu: 10m + # memory: 128Mi + # limits: + # cpu: 100m + # memory: 128Mi + + # Default hub for Istio images. + # Releases are published to docker hub under 'istio' project. + # Dev builds from prow are on gcr.io + hub: gcr.io/istio-release + # Default tag for Istio images. + tag: 1.27.5 + # Variant of the image to use. + # Currently supported are: [debug, distroless] + variant: "" + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent. + imagePullPolicy: "" + + # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) + # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + # - private-registry-key + + # Enabled by default in master for maximising testing. + istiod: + enableAnalysis: false + + # To output all istio components logs in json format by adding --log_as_json argument to each container argument + logAsJson: false + + # In order to use native nftable rules instead of iptable rules, set this flag to true. + nativeNftables: false + + # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: + # The control plane has different scopes depending on component, but can configure default log level across all components + # If empty, default scope and level will be used as configured in code + logging: + level: "default:info" + + # When enabled, default NetworkPolicy resources will be created + networkPolicy: + enabled: false + + omitSidecarInjectorConfigMap: false + + # Configure whether Operator manages webhook configurations. The current behavior + # of Istiod is to manage its own webhook configurations. + # When this option is set as true, Istio Operator, instead of webhooks, manages the + # webhook configurations. When this option is set as false, webhooks manage their + # own webhook configurations. + operatorManageWebhooks: false + + # Custom DNS config for the pod to resolve names of services in other + # clusters. Use this to add additional search domains, and other settings. + # see + # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config + # This does not apply to gateway pods as they typically need a different + # set of DNS settings than the normal application pods (e.g., in + # multicluster scenarios). + # NOTE: If using templates, follow the pattern in the commented example below. + #podDNSSearchNamespaces: + #- global + #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global" + + # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and + # system-node-critical, it is better to configure this in order to make sure your Istio pods + # will not be killed because of low priority class. + # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + # for more detail. + priorityClassName: "" + + proxy: + image: proxyv2 + + # This controls the 'policy' in the sidecar injector. + autoInject: enabled + + # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value + # cluster domain. Default value is "cluster.local". + clusterDomain: "cluster.local" + + # Per Component log level for proxy, applies to gateways and sidecars. If a component level is + # not set, then the global "logLevel" will be used. + componentLogLevel: "misc:error" + + # istio ingress capture allowlist + # examples: + # Redirect only selected ports: --includeInboundPorts="80,8080" + excludeInboundPorts: "" + includeInboundPorts: "*" + + # istio egress capture allowlist + # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly + # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" + # would only capture egress traffic on those two IP Ranges, all other outbound traffic would + # be allowed by the sidecar + includeIPRanges: "*" + excludeIPRanges: "" + includeOutboundPorts: "" + excludeOutboundPorts: "" + + # Log level for proxy, applies to gateways and sidecars. + # Expected values are: trace|debug|info|warning|error|critical|off + logLevel: warning + + # Specify the path to the outlier event log. + # Example: /dev/stdout + outlierLogPath: "" + + #If set to true, istio-proxy container will have privileged securityContext + privileged: false + + # The number of successive failed probes before indicating readiness failure. + readinessFailureThreshold: 4 + + # The initial delay for readiness probes in seconds. + readinessInitialDelaySeconds: 0 + + # The period between readiness probes. + readinessPeriodSeconds: 15 + + # Enables or disables a startup probe. + # For optimal startup times, changing this should be tied to the readiness probe values. + # + # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4. + # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval), + # and doesn't spam the readiness endpoint too much + # + # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30. + # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly. + startupProbe: + enabled: true + failureThreshold: 600 # 10 minutes + + # Resources for the sidecar. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 1024Mi + + # Default port for Pilot agent health checks. A value of 0 will disable health checking. + statusPort: 15020 + + # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none. + # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. + tracer: "none" + + proxy_init: + # Base name for the proxy_init container, used to configure iptables. + image: proxyv2 + # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures. + # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases. + forceApplyIptables: false + + # configure remote pilot and istiod service and endpoint + remotePilotAddress: "" + + ############################################################################################## + # The following values are found in other charts. To effectively modify these values, make # + # make sure they are consistent across your Istio helm charts # + ############################################################################################## + + # The customized CA address to retrieve certificates for the pods in the cluster. + # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. + # If not set explicitly, default to the Istio discovery address. + caAddress: "" + + # Enable control of remote clusters. + externalIstiod: false + + # Configure a remote cluster as the config cluster for an external istiod. + configCluster: false + + # configValidation enables the validation webhook for Istio configuration. + configValidation: true + + # Mesh ID means Mesh Identifier. It should be unique within the scope where + # meshes will interact with each other, but it is not required to be + # globally/universally unique. For example, if any of the following are true, + # then two meshes must have different Mesh IDs: + # - Meshes will have their telemetry aggregated in one place + # - Meshes will be federated together + # - Policy will be written referencing one mesh from the other + # + # If an administrator expects that any of these conditions may become true in + # the future, they should ensure their meshes have different Mesh IDs + # assigned. + # + # Within a multicluster mesh, each cluster must be (manually or auto) + # configured to have the same Mesh ID value. If an existing cluster 'joins' a + # multicluster mesh, it will need to be migrated to the new mesh ID. Details + # of migration TBD, and it may be a disruptive operation to change the Mesh + # ID post-install. + # + # If the mesh admin does not specify a value, Istio will use the value of the + # mesh's Trust Domain. The best practice is to select a proper Trust Domain + # value. + meshID: "" + + # Configure the mesh networks to be used by the Split Horizon EDS. + # + # The following example defines two networks with different endpoints association methods. + # For `network1` all endpoints that their IP belongs to the provided CIDR range will be + # mapped to network1. The gateway for this network example is specified by its public IP + # address and port. + # The second network, `network2`, in this example is defined differently with all endpoints + # retrieved through the specified Multi-Cluster registry being mapped to network2. The + # gateway is also defined differently with the name of the gateway service on the remote + # cluster. The public IP for the gateway will be determined from that remote service (only + # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, + # it still need to be configured manually). + # + # meshNetworks: + # network1: + # endpoints: + # - fromCidr: "192.168.0.1/24" + # gateways: + # - address: 1.1.1.1 + # port: 80 + # network2: + # endpoints: + # - fromRegistry: reg1 + # gateways: + # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local + # port: 443 + # + meshNetworks: {} + + # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. + mountMtlsCerts: false + + multiCluster: + # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection + # to properly label proxies + clusterName: "" + + # Network defines the network this cluster belong to. This name + # corresponds to the networks in the map of mesh networks. + network: "" + + # Configure the certificate provider for control plane communication. + # Currently, two providers are supported: "kubernetes" and "istiod". + # As some platforms may not have kubernetes signing APIs, + # Istiod is the default + pilotCertProvider: istiod + + sds: + # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. + # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the + # JWT is intended for the CA. + token: + aud: istio-ca + + sts: + # The service port used by Security Token Service (STS) server to handle token exchange requests. + # Setting this port to a non-zero value enables STS server. + servicePort: 0 + + # The name of the CA for workload certificates. + # For example, when caName=GkeWorkloadCertificate, GKE workload certificates + # will be used as the certificates for workloads. + # The default value is "" and when caName="", the CA will be configured by other + # mechanisms (e.g., environmental variable CA_PROVIDER). + caName: "" + + waypoint: + # Resources for the waypoint proxy. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: "2" + memory: 1Gi + + # If specified, affinity defines the scheduling constraints of waypoint pods. + affinity: {} + + # Topology Spread Constraints for the waypoint proxy. + topologySpreadConstraints: [] + + # Node labels for the waypoint proxy. + nodeSelector: {} + + # Tolerations for the waypoint proxy. + tolerations: [] + + base: + # For istioctl usage to disable istio config crds in base + enableIstioConfigCRDs: true + + # Gateway Settings + gateways: + # Define the security context for the pod. + # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. + # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. + securityContext: {} + + # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it + seccompProfile: {} + + # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass. + # For example: + # gatewayClasses: + # istio: + # service: + # spec: + # type: ClusterIP + # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field. + gatewayClasses: {} + + pdb: + # -- Minimum available pods set in PodDisruptionBudget. + # Define either 'minAvailable' or 'maxUnavailable', never both. + minAvailable: 1 + # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored. + # maxUnavailable: 1 + # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget. + # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/ + unhealthyPodEvictionPolicy: "" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/Chart.yaml new file mode 100644 index 0000000000..536fce8f03 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/Chart.yaml @@ -0,0 +1,8 @@ +apiVersion: v2 +appVersion: 1.27.5 +description: Helm chart for istio revision tags +name: revisiontags +sources: +- https://github.com/istio-ecosystem/sail-operator +version: 0.1.0 + diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-ambient.yaml new file mode 100644 index 0000000000..495fbcd434 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-ambient.yaml @@ -0,0 +1,24 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" + serviceScopeConfigs: + - servicesSelector: + matchExpressions: + - key: istio.io/global + operator: In + values: ["true"] + scope: GLOBAL +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 0000000000..4f3dbef7ea --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-compatibility-version-1.24.yaml @@ -0,0 +1,15 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + PILOT_ENABLE_IP_AUTOALLOCATE: "false" + # 1.27 behavioral changes + ENABLE_NATIVE_SIDECARS: "false" +ambient: + dnsCapture: false + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..b2f45948c2 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,11 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.27 behavioral changes + ENABLE_NATIVE_SIDECARS: "false" +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-compatibility-version-1.26.yaml new file mode 100644 index 0000000000..af10697326 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-compatibility-version-1.26.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.27 behavioral changes + ENABLE_NATIVE_SIDECARS: "false" \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-demo.yaml new file mode 100644 index 0000000000..d6dc36dd0f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-demo.yaml @@ -0,0 +1,94 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The demo profile enables a variety of things to try out Istio in non-production environments. +# * Lower resource utilization. +# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. +# * More ports enabled on the ingress, which is used in some tasks. +meshConfig: + accessLogFile: /dev/stdout + extensionProviders: + - name: otel + envoyOtelAls: + service: opentelemetry-collector.observability.svc.cluster.local + port: 4317 + - name: skywalking + skywalking: + service: tracing.istio-system.svc.cluster.local + port: 11800 + - name: otel-tracing + opentelemetry: + port: 4317 + service: opentelemetry-collector.observability.svc.cluster.local + - name: jaeger + opentelemetry: + port: 4317 + service: jaeger-collector.istio-system.svc.cluster.local + +cni: + resources: + requests: + cpu: 10m + memory: 40Mi + +ztunnel: + resources: + requests: + cpu: 10m + memory: 40Mi + +global: + proxy: + resources: + requests: + cpu: 10m + memory: 40Mi + waypoint: + resources: + requests: + cpu: 10m + memory: 40Mi + +pilot: + autoscaleEnabled: false + traceSampling: 100 + resources: + requests: + cpu: 10m + memory: 100Mi + +gateways: + istio-egressgateway: + autoscaleEnabled: false + resources: + requests: + cpu: 10m + memory: 40Mi + istio-ingressgateway: + autoscaleEnabled: false + ports: + ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. + # Note that AWS ELB will by default perform health checks on the first port + # on this list. Setting this to the health check port will ensure that health + # checks always work. https://github.com/istio/istio/issues/12503 + - port: 15021 + targetPort: 15021 + name: status-port + - port: 80 + targetPort: 8080 + name: http2 + - port: 443 + targetPort: 8443 + name: https + - port: 31400 + targetPort: 31400 + name: tcp + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + resources: + requests: + cpu: 10m + memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-platform-gke.yaml new file mode 100644 index 0000000000..dfe8a7d741 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-platform-gke.yaml @@ -0,0 +1,10 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work + resourceQuotas: + enabled: true +resourceQuotas: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-platform-k3d.yaml new file mode 100644 index 0000000000..cd86d9ec58 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-platform-k3d.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-platform-k3s.yaml new file mode 100644 index 0000000000..07820106d9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-platform-k3s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-platform-microk8s.yaml new file mode 100644 index 0000000000..57d7f5e3cd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-platform-microk8s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/snap/microk8s/current/args/cni-network + cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-platform-minikube.yaml new file mode 100644 index 0000000000..fa9992e204 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-platform-minikube.yaml @@ -0,0 +1,6 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-platform-openshift.yaml new file mode 100644 index 0000000000..8ddc5e1654 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-platform-openshift.yaml @@ -0,0 +1,19 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The OpenShift profile provides a basic set of settings to run Istio on OpenShift +cni: + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + provider: "multus" +pilot: + cni: + enabled: true + provider: "multus" +seLinuxOptions: + type: spc_t +# Openshift requires privileged pods to run in kube-system +trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-preview.yaml new file mode 100644 index 0000000000..181d7bda2c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-preview.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +meshConfig: + defaultConfig: + proxyMetadata: + # Enable Istio agent to handle DNS requests for known hosts + # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf + ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-remote.yaml new file mode 100644 index 0000000000..d17b9a801a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-remote.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. +istiodRemote: + enabled: true +configMap: false +telemetry: + enabled: false +global: + # TODO BML maybe a different profile for a configcluster/revisit this + omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-stable.yaml new file mode 100644 index 0000000000..358282e69b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/files/profile-stable.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The stable profile deploys admission control to ensure that only stable resources and fields are used +# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE +experimental: + stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/templates/revision-tags.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/templates/revision-tags.yaml new file mode 100644 index 0000000000..06764a826e --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/templates/revision-tags.yaml @@ -0,0 +1,149 @@ +# Adapted from istio-discovery/templates/mutatingwebhook.yaml +# Removed paths for legacy and default selectors since a revision tag +# is inherently created from a specific revision +# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that. +{{- $whv := dict +"revision" .Values.revision + "injectionPath" .Values.istiodRemote.injectionPath + "injectionURL" .Values.istiodRemote.injectionURL + "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy + "caBundle" .Values.istiodRemote.injectionCABundle + "namespace" .Release.Namespace }} +{{- define "core" }} +{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign +a unique prefix to each. */}} +- name: {{.Prefix}}sidecar-injector.istio.io + clientConfig: + {{- if .injectionURL }} + url: "{{ .injectionURL }}" + {{- else }} + service: + name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} + namespace: {{ .namespace }} + path: "{{ .injectionPath }}" + port: 443 + {{- end }} + sideEffects: None + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + reinvocationPolicy: "{{ .reinvocationPolicy }}" + admissionReviewVersions: ["v1"] +{{- end }} +{{- range $tagName := $.Values.revisionTags }} +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: +{{- if eq $.Release.Namespace "istio-system"}} + name: istio-revision-tag-{{ $tagName }} +{{- else }} + name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }} +{{- end }} + labels: + istio.io/tag: {{ $tagName }} + istio.io/rev: {{ $.Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app: sidecar-injector + release: {{ $.Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" $ | nindent 4 }} +{{- if $.Values.sidecarInjectorWebhookAnnotations }} + annotations: +{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }} +{{- end }} +webhooks: +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + - "{{ $tagName }}" + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: DoesNotExist + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + - key: istio.io/rev + operator: In + values: + - "{{ $tagName }}" + +{{- /* When the tag is "default" we want to create webhooks for the default revision */}} +{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}} +{{- if (eq $tagName "default") }} + +{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: In + values: + - enabled + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + +{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: In + values: + - "true" + - key: istio.io/rev + operator: DoesNotExist + +{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }} +{{- /* Special case 3: no labels at all */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + - key: "kubernetes.io/metadata.name" + operator: "NotIn" + values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist +{{- end }} + +{{- end }} +--- +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/templates/zzz_profile.yaml new file mode 100644 index 0000000000..3d84956485 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/templates/zzz_profile.yaml @@ -0,0 +1,75 @@ +{{/* +WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. +The original version of this file is located at /manifests directory. +If you want to make a change in this file, edit the original one and run "make gen". + +Complex logic ahead... +We have three sets of values, in order of precedence (last wins): +1. The builtin values.yaml defaults +2. The profile the user selects +3. Users input (-f or --set) + +Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). + +However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). +We can then merge the profile onto the defaults, then the user settings onto that. +Finally, we can set all of that under .Values so the chart behaves without awareness. +*/}} +{{- if $.Values.defaults}} +{{ fail (cat + "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" + ($.Values.defaults | toYaml |nindent 4) +) }} +{{- end }} +{{- $defaults := $.Values._internal_defaults_do_not_set }} +{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} +{{- $profile := dict }} +{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} +{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} +{{- $profile = (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown profile" .) }} +{{- end }} +{{- end }} +{{- with .Values.compatibilityVersion }} +{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} +{{- end }} +{{- end }} +{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} +{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown platform" .) }} +{{- end }} +{{- end }} +{{- if $profile }} +{{- $a := mustMergeOverwrite $defaults $profile }} +{{- end }} +# Flatten globals, if defined on a per-chart basis +{{- if false }} +{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} +{{- end }} +{{- $x := set $.Values "_original" (deepCopy $.Values) }} +{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} + +{{/* +Labels that should be applied to ALL resources. +*/}} +{{- define "istio.labels" -}} +{{- if .Release.Service -}} +app.kubernetes.io/managed-by: {{ .Release.Service | quote }} +{{- end }} +{{- if .Release.Name }} +app.kubernetes.io/instance: {{ .Release.Name | quote }} +{{- end }} +app.kubernetes.io/part-of: "istio" +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +{{- if and .Chart.Name .Chart.Version }} +helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/values.yaml new file mode 100644 index 0000000000..6570ae1417 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/revisiontags/values.yaml @@ -0,0 +1,573 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + autoscaleEnabled: true + autoscaleMin: 1 + autoscaleMax: 5 + autoscaleBehavior: {} + replicaCount: 1 + rollingMaxSurge: 100% + rollingMaxUnavailable: 25% + + hub: "" + tag: "" + variant: "" + + # Can be a full hub/image:tag + image: pilot + traceSampling: 1.0 + + # Resources for a small pilot install + resources: + requests: + cpu: 500m + memory: 2048Mi + + # Set to `type: RuntimeDefault` to use the default profile if available. + seccompProfile: {} + + # Whether to use an existing CNI installation + cni: + enabled: false + provider: default + + # Additional container arguments + extraContainerArgs: [] + + env: {} + + envVarFrom: [] + + # Settings related to the untaint controller + # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready + # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes + taint: + # Controls whether or not the untaint controller is active + enabled: false + # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod + namespace: "" + + affinity: {} + + tolerations: [] + + cpu: + targetAverageUtilization: 80 + memory: {} + # targetAverageUtilization: 80 + + # Additional volumeMounts to the istiod container + volumeMounts: [] + + # Additional volumes to the istiod pod + volumes: [] + + # Inject initContainers into the istiod pod + initContainers: [] + + nodeSelector: {} + podAnnotations: {} + serviceAnnotations: {} + serviceAccountAnnotations: {} + sidecarInjectorWebhookAnnotations: {} + + topologySpreadConstraints: [] + + # You can use jwksResolverExtraRootCA to provide a root certificate + # in PEM format. This will then be trusted by pilot when resolving + # JWKS URIs. + jwksResolverExtraRootCA: "" + + # The following is used to limit how long a sidecar can be connected + # to a pilot. It balances out load across pilot instances at the cost of + # increasing system churn. + keepaliveMaxServerConnectionAge: 30m + + # Additional labels to apply to the deployment. + deploymentLabels: {} + + # Annotations to apply to the istiod deployment. + deploymentAnnotations: {} + + ## Mesh config settings + + # Install the mesh config map, generated from values.yaml. + # If false, pilot wil use default values (by default) or user-supplied values. + configMap: true + + # Additional labels to apply on the pod level for monitoring and logging configuration. + podLabels: {} + + # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + ipFamilyPolicy: "" + ipFamilies: [] + + # Ambient mode only. + # Set this if you install ztunnel to a different namespace from `istiod`. + # If set, `istiod` will allow connections from trusted node proxy ztunnels + # in the provided namespace. + # If unset, `istiod` will assume the trusted node proxy ztunnel resides + # in the same namespace as itself. + trustedZtunnelNamespace: "" + # Set this if you install ztunnel with a name different from the default. + trustedZtunnelName: "" + + sidecarInjectorWebhook: + # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or + # always skip the injection on pods that match that label selector, regardless of the global policy. + # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions + neverInjectSelector: [] + alwaysInjectSelector: [] + + # injectedAnnotations are additional annotations that will be added to the pod spec after injection + # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations: + # + # annotations: + # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default + # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default + # + # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before + # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify: + # injectedAnnotations: + # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default + # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default + injectedAnnotations: {} + + # This enables injection of sidecar in all namespaces, + # with the exception of namespaces with "istio-injection:disabled" annotation + # Only one environment should have this enabled. + enableNamespacesByDefault: false + + # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run + # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten. + # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur. + reinvocationPolicy: Never + + rewriteAppHTTPProbe: true + + # Templates defines a set of custom injection templates that can be used. For example, defining: + # + # templates: + # hello: | + # metadata: + # labels: + # hello: world + # + # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod + # being injected with the hello=world labels. + # This is intended for advanced configuration only; most users should use the built in template + templates: {} + + # Default templates specifies a set of default templates that are used in sidecar injection. + # By default, a template `sidecar` is always provided, which contains the template of default sidecar. + # To inject other additional templates, define it using the `templates` option, and add it to + # the default templates list. + # For example: + # + # templates: + # hello: | + # metadata: + # labels: + # hello: world + # + # defaultTemplates: ["sidecar", "hello"] + defaultTemplates: [] + istiodRemote: + # If `true`, indicates that this cluster/install should consume a "remote istiod" installation, + # and istiod itself will NOT be installed in this cluster - only the support resources necessary + # to utilize a remote instance. + enabled: false + + # If `true`, indicates that this cluster/install should consume a "local istiod" installation, + # local istiod inject sidecars + enabledLocalInjectorIstiod: false + + # Sidecar injector mutating webhook configuration clientConfig.url value. + # For example: https://$remotePilotAddress:15017/inject + # The host should not refer to a service running in the cluster; use a service reference by specifying + # the clientConfig.service field instead. + injectionURL: "" + + # Sidecar injector mutating webhook configuration path value for the clientConfig.service field. + # Override to pass env variables, for example: /inject/cluster/remote/net/network2 + injectionPath: "/inject" + + injectionCABundle: "" + telemetry: + enabled: true + v2: + # For Null VM case now. + # This also enables metadata exchange. + enabled: true + # Indicate if prometheus stats filter is enabled or not + prometheus: + enabled: true + # stackdriver filter settings. + stackdriver: + enabled: false + # Revision is set as 'version' label and part of the resource names when installing multiple control planes. + revision: "" + + # Revision tags are aliases to Istio control plane revisions + revisionTags: [] + + # For Helm compatibility. + ownerName: "" + + # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior + # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options + meshConfig: + enablePrometheusMerge: true + + experimental: + stableValidationPolicy: false + + global: + # Used to locate istiod. + istioNamespace: istio-system + # List of cert-signers to allow "approve" action in the istio cluster role + # + # certSigners: + # - clusterissuers.cert-manager.io/istio-ca + certSigners: [] + # enable pod disruption budget for the control plane, which is used to + # ensure Istio control plane components are gradually upgraded or recovered. + defaultPodDisruptionBudget: + enabled: true + # The values aren't mutable due to a current PodDisruptionBudget limitation + # minAvailable: 1 + + # A minimal set of requested resources to applied to all deployments so that + # Horizontal Pod Autoscaler will be able to function (if set). + # Each component can overwrite these default values by adding its own resources + # block in the relevant section below and setting the desired resources values. + defaultResources: + requests: + cpu: 10m + # memory: 128Mi + # limits: + # cpu: 100m + # memory: 128Mi + + # Default hub for Istio images. + # Releases are published to docker hub under 'istio' project. + # Dev builds from prow are on gcr.io + hub: gcr.io/istio-release + # Default tag for Istio images. + tag: 1.27.5 + # Variant of the image to use. + # Currently supported are: [debug, distroless] + variant: "" + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent. + imagePullPolicy: "" + + # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) + # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + # - private-registry-key + + # Enabled by default in master for maximising testing. + istiod: + enableAnalysis: false + + # To output all istio components logs in json format by adding --log_as_json argument to each container argument + logAsJson: false + + # In order to use native nftable rules instead of iptable rules, set this flag to true. + nativeNftables: false + + # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: + # The control plane has different scopes depending on component, but can configure default log level across all components + # If empty, default scope and level will be used as configured in code + logging: + level: "default:info" + + # When enabled, default NetworkPolicy resources will be created + networkPolicy: + enabled: false + + omitSidecarInjectorConfigMap: false + + # Configure whether Operator manages webhook configurations. The current behavior + # of Istiod is to manage its own webhook configurations. + # When this option is set as true, Istio Operator, instead of webhooks, manages the + # webhook configurations. When this option is set as false, webhooks manage their + # own webhook configurations. + operatorManageWebhooks: false + + # Custom DNS config for the pod to resolve names of services in other + # clusters. Use this to add additional search domains, and other settings. + # see + # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config + # This does not apply to gateway pods as they typically need a different + # set of DNS settings than the normal application pods (e.g., in + # multicluster scenarios). + # NOTE: If using templates, follow the pattern in the commented example below. + #podDNSSearchNamespaces: + #- global + #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global" + + # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and + # system-node-critical, it is better to configure this in order to make sure your Istio pods + # will not be killed because of low priority class. + # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + # for more detail. + priorityClassName: "" + + proxy: + image: proxyv2 + + # This controls the 'policy' in the sidecar injector. + autoInject: enabled + + # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value + # cluster domain. Default value is "cluster.local". + clusterDomain: "cluster.local" + + # Per Component log level for proxy, applies to gateways and sidecars. If a component level is + # not set, then the global "logLevel" will be used. + componentLogLevel: "misc:error" + + # istio ingress capture allowlist + # examples: + # Redirect only selected ports: --includeInboundPorts="80,8080" + excludeInboundPorts: "" + includeInboundPorts: "*" + + # istio egress capture allowlist + # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly + # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" + # would only capture egress traffic on those two IP Ranges, all other outbound traffic would + # be allowed by the sidecar + includeIPRanges: "*" + excludeIPRanges: "" + includeOutboundPorts: "" + excludeOutboundPorts: "" + + # Log level for proxy, applies to gateways and sidecars. + # Expected values are: trace|debug|info|warning|error|critical|off + logLevel: warning + + # Specify the path to the outlier event log. + # Example: /dev/stdout + outlierLogPath: "" + + #If set to true, istio-proxy container will have privileged securityContext + privileged: false + + # The number of successive failed probes before indicating readiness failure. + readinessFailureThreshold: 4 + + # The initial delay for readiness probes in seconds. + readinessInitialDelaySeconds: 0 + + # The period between readiness probes. + readinessPeriodSeconds: 15 + + # Enables or disables a startup probe. + # For optimal startup times, changing this should be tied to the readiness probe values. + # + # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4. + # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval), + # and doesn't spam the readiness endpoint too much + # + # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30. + # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly. + startupProbe: + enabled: true + failureThreshold: 600 # 10 minutes + + # Resources for the sidecar. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 1024Mi + + # Default port for Pilot agent health checks. A value of 0 will disable health checking. + statusPort: 15020 + + # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none. + # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. + tracer: "none" + + proxy_init: + # Base name for the proxy_init container, used to configure iptables. + image: proxyv2 + # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures. + # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases. + forceApplyIptables: false + + # configure remote pilot and istiod service and endpoint + remotePilotAddress: "" + + ############################################################################################## + # The following values are found in other charts. To effectively modify these values, make # + # make sure they are consistent across your Istio helm charts # + ############################################################################################## + + # The customized CA address to retrieve certificates for the pods in the cluster. + # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. + # If not set explicitly, default to the Istio discovery address. + caAddress: "" + + # Enable control of remote clusters. + externalIstiod: false + + # Configure a remote cluster as the config cluster for an external istiod. + configCluster: false + + # configValidation enables the validation webhook for Istio configuration. + configValidation: true + + # Mesh ID means Mesh Identifier. It should be unique within the scope where + # meshes will interact with each other, but it is not required to be + # globally/universally unique. For example, if any of the following are true, + # then two meshes must have different Mesh IDs: + # - Meshes will have their telemetry aggregated in one place + # - Meshes will be federated together + # - Policy will be written referencing one mesh from the other + # + # If an administrator expects that any of these conditions may become true in + # the future, they should ensure their meshes have different Mesh IDs + # assigned. + # + # Within a multicluster mesh, each cluster must be (manually or auto) + # configured to have the same Mesh ID value. If an existing cluster 'joins' a + # multicluster mesh, it will need to be migrated to the new mesh ID. Details + # of migration TBD, and it may be a disruptive operation to change the Mesh + # ID post-install. + # + # If the mesh admin does not specify a value, Istio will use the value of the + # mesh's Trust Domain. The best practice is to select a proper Trust Domain + # value. + meshID: "" + + # Configure the mesh networks to be used by the Split Horizon EDS. + # + # The following example defines two networks with different endpoints association methods. + # For `network1` all endpoints that their IP belongs to the provided CIDR range will be + # mapped to network1. The gateway for this network example is specified by its public IP + # address and port. + # The second network, `network2`, in this example is defined differently with all endpoints + # retrieved through the specified Multi-Cluster registry being mapped to network2. The + # gateway is also defined differently with the name of the gateway service on the remote + # cluster. The public IP for the gateway will be determined from that remote service (only + # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, + # it still need to be configured manually). + # + # meshNetworks: + # network1: + # endpoints: + # - fromCidr: "192.168.0.1/24" + # gateways: + # - address: 1.1.1.1 + # port: 80 + # network2: + # endpoints: + # - fromRegistry: reg1 + # gateways: + # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local + # port: 443 + # + meshNetworks: {} + + # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. + mountMtlsCerts: false + + multiCluster: + # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection + # to properly label proxies + clusterName: "" + + # Network defines the network this cluster belong to. This name + # corresponds to the networks in the map of mesh networks. + network: "" + + # Configure the certificate provider for control plane communication. + # Currently, two providers are supported: "kubernetes" and "istiod". + # As some platforms may not have kubernetes signing APIs, + # Istiod is the default + pilotCertProvider: istiod + + sds: + # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. + # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the + # JWT is intended for the CA. + token: + aud: istio-ca + + sts: + # The service port used by Security Token Service (STS) server to handle token exchange requests. + # Setting this port to a non-zero value enables STS server. + servicePort: 0 + + # The name of the CA for workload certificates. + # For example, when caName=GkeWorkloadCertificate, GKE workload certificates + # will be used as the certificates for workloads. + # The default value is "" and when caName="", the CA will be configured by other + # mechanisms (e.g., environmental variable CA_PROVIDER). + caName: "" + + waypoint: + # Resources for the waypoint proxy. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: "2" + memory: 1Gi + + # If specified, affinity defines the scheduling constraints of waypoint pods. + affinity: {} + + # Topology Spread Constraints for the waypoint proxy. + topologySpreadConstraints: [] + + # Node labels for the waypoint proxy. + nodeSelector: {} + + # Tolerations for the waypoint proxy. + tolerations: [] + + base: + # For istioctl usage to disable istio config crds in base + enableIstioConfigCRDs: true + + # Gateway Settings + gateways: + # Define the security context for the pod. + # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. + # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. + securityContext: {} + + # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it + seccompProfile: {} + + # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass. + # For example: + # gatewayClasses: + # istio: + # service: + # spec: + # type: ClusterIP + # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field. + gatewayClasses: {} + + pdb: + # -- Minimum available pods set in PodDisruptionBudget. + # Define either 'minAvailable' or 'maxUnavailable', never both. + minAvailable: 1 + # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored. + # maxUnavailable: 1 + # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget. + # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/ + unhealthyPodEvictionPolicy: "" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/Chart.yaml new file mode 100644 index 0000000000..e4b8972785 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +appVersion: 1.27.5 +description: Helm chart for istio ztunnel components +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio-ztunnel +- istio +name: ztunnel +sources: +- https://github.com/istio/istio +version: 1.27.5 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/README.md new file mode 100644 index 0000000000..ffe0b94fe8 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/README.md @@ -0,0 +1,50 @@ +# Istio Ztunnel Helm Chart + +This chart installs an Istio ztunnel. + +## Setup Repo Info + +```console +helm repo add istio https://istio-release.storage.googleapis.com/charts +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Installing the Chart + +To install the chart: + +```console +helm install ztunnel istio/ztunnel +``` + +## Uninstalling the Chart + +To uninstall/delete the chart: + +```console +helm delete ztunnel +``` + +## Configuration + +To view support configuration options and documentation, run: + +```console +helm show values istio/ztunnel +``` + +### Profiles + +Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. +These can be set with `--set profile=`. +For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. + +For consistency, the same profiles are used across each chart, even if they do not impact a given chart. + +Explicitly set values have highest priority, then profile settings, then chart defaults. + +As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. +When configuring the chart, you should not include this. +That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-ambient.yaml new file mode 100644 index 0000000000..495fbcd434 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-ambient.yaml @@ -0,0 +1,24 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" + serviceScopeConfigs: + - servicesSelector: + matchExpressions: + - key: istio.io/global + operator: In + values: ["true"] + scope: GLOBAL +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 0000000000..4f3dbef7ea --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-compatibility-version-1.24.yaml @@ -0,0 +1,15 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + PILOT_ENABLE_IP_AUTOALLOCATE: "false" + # 1.27 behavioral changes + ENABLE_NATIVE_SIDECARS: "false" +ambient: + dnsCapture: false + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..b2f45948c2 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,11 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.27 behavioral changes + ENABLE_NATIVE_SIDECARS: "false" +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-compatibility-version-1.26.yaml new file mode 100644 index 0000000000..af10697326 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-compatibility-version-1.26.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.27 behavioral changes + ENABLE_NATIVE_SIDECARS: "false" \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-demo.yaml new file mode 100644 index 0000000000..d6dc36dd0f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-demo.yaml @@ -0,0 +1,94 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The demo profile enables a variety of things to try out Istio in non-production environments. +# * Lower resource utilization. +# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. +# * More ports enabled on the ingress, which is used in some tasks. +meshConfig: + accessLogFile: /dev/stdout + extensionProviders: + - name: otel + envoyOtelAls: + service: opentelemetry-collector.observability.svc.cluster.local + port: 4317 + - name: skywalking + skywalking: + service: tracing.istio-system.svc.cluster.local + port: 11800 + - name: otel-tracing + opentelemetry: + port: 4317 + service: opentelemetry-collector.observability.svc.cluster.local + - name: jaeger + opentelemetry: + port: 4317 + service: jaeger-collector.istio-system.svc.cluster.local + +cni: + resources: + requests: + cpu: 10m + memory: 40Mi + +ztunnel: + resources: + requests: + cpu: 10m + memory: 40Mi + +global: + proxy: + resources: + requests: + cpu: 10m + memory: 40Mi + waypoint: + resources: + requests: + cpu: 10m + memory: 40Mi + +pilot: + autoscaleEnabled: false + traceSampling: 100 + resources: + requests: + cpu: 10m + memory: 100Mi + +gateways: + istio-egressgateway: + autoscaleEnabled: false + resources: + requests: + cpu: 10m + memory: 40Mi + istio-ingressgateway: + autoscaleEnabled: false + ports: + ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. + # Note that AWS ELB will by default perform health checks on the first port + # on this list. Setting this to the health check port will ensure that health + # checks always work. https://github.com/istio/istio/issues/12503 + - port: 15021 + targetPort: 15021 + name: status-port + - port: 80 + targetPort: 8080 + name: http2 + - port: 443 + targetPort: 8443 + name: https + - port: 31400 + targetPort: 31400 + name: tcp + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + resources: + requests: + cpu: 10m + memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-platform-gke.yaml new file mode 100644 index 0000000000..dfe8a7d741 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-platform-gke.yaml @@ -0,0 +1,10 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work + resourceQuotas: + enabled: true +resourceQuotas: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-platform-k3d.yaml new file mode 100644 index 0000000000..cd86d9ec58 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-platform-k3d.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-platform-k3s.yaml new file mode 100644 index 0000000000..07820106d9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-platform-k3s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-platform-microk8s.yaml new file mode 100644 index 0000000000..57d7f5e3cd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-platform-microk8s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/snap/microk8s/current/args/cni-network + cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-platform-minikube.yaml new file mode 100644 index 0000000000..fa9992e204 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-platform-minikube.yaml @@ -0,0 +1,6 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-platform-openshift.yaml new file mode 100644 index 0000000000..8ddc5e1654 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-platform-openshift.yaml @@ -0,0 +1,19 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The OpenShift profile provides a basic set of settings to run Istio on OpenShift +cni: + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + provider: "multus" +pilot: + cni: + enabled: true + provider: "multus" +seLinuxOptions: + type: spc_t +# Openshift requires privileged pods to run in kube-system +trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-preview.yaml new file mode 100644 index 0000000000..181d7bda2c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-preview.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +meshConfig: + defaultConfig: + proxyMetadata: + # Enable Istio agent to handle DNS requests for known hosts + # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf + ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-remote.yaml new file mode 100644 index 0000000000..d17b9a801a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-remote.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. +istiodRemote: + enabled: true +configMap: false +telemetry: + enabled: false +global: + # TODO BML maybe a different profile for a configcluster/revisit this + omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-stable.yaml new file mode 100644 index 0000000000..358282e69b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/files/profile-stable.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The stable profile deploys admission control to ensure that only stable resources and fields are used +# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE +experimental: + stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/templates/NOTES.txt new file mode 100644 index 0000000000..244f59db06 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/templates/NOTES.txt @@ -0,0 +1,5 @@ +ztunnel successfully installed! + +To learn more about the release, try: + $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} + $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/templates/_helpers.tpl new file mode 100644 index 0000000000..46a7a0b79d --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/templates/_helpers.tpl @@ -0,0 +1 @@ +{{ define "ztunnel.release-name" }}{{ .Values.resourceName| default "ztunnel" }}{{ end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/templates/daemonset.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/templates/daemonset.yaml new file mode 100644 index 0000000000..7de85a2d18 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/templates/daemonset.yaml @@ -0,0 +1,210 @@ +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ include "ztunnel.release-name" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: ztunnel + {{- include "istio.labels" . | nindent 4}} + {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }} + annotations: +{{- if .Values.revision }} + {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }} + {{- toYaml $annos | nindent 4}} +{{- else }} + {{- .Values.annotations | toYaml | nindent 4 }} +{{- end }} +spec: + {{- with .Values.updateStrategy }} + updateStrategy: + {{- toYaml . | nindent 4 }} + {{- end }} + selector: + matchLabels: + app: ztunnel + template: + metadata: + labels: + sidecar.istio.io/inject: "false" + istio.io/dataplane-mode: none + app: ztunnel + app.kubernetes.io/name: ztunnel + {{- include "istio.labels" . | nindent 8}} +{{ with .Values.podLabels -}}{{ toYaml . | indent 8 }}{{ end }} + annotations: + sidecar.istio.io/inject: "false" +{{- if .Values.revision }} + istio.io/rev: {{ .Values.revision }} +{{- end }} +{{ with .Values.podAnnotations -}}{{ toYaml . | indent 8 }}{{ end }} + spec: + nodeSelector: + kubernetes.io/os: linux +{{- if .Values.nodeSelector }} +{{ toYaml .Values.nodeSelector | indent 8 }} +{{- end }} +{{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | trim | indent 8 }} +{{- end }} + serviceAccountName: {{ include "ztunnel.release-name" . }} +{{- if .Values.tolerations }} + tolerations: +{{ toYaml .Values.tolerations | trim | indent 8 }} +{{- end }} + containers: + - name: istio-proxy +{{- if contains "/" .Values.image }} + image: "{{ .Values.image }}" +{{- else }} + image: "{{ .Values.hub }}/{{ .Values.image | default "ztunnel" }}:{{ .Values.tag }}{{with (.Values.variant )}}-{{.}}{{end}}" +{{- end }} + ports: + - containerPort: 15020 + name: ztunnel-stats + protocol: TCP + resources: +{{- if .Values.resources }} +{{ toYaml .Values.resources | trim | indent 10 }} +{{- end }} +{{- with .Values.imagePullPolicy }} + imagePullPolicy: {{ . }} +{{- end }} + securityContext: + # K8S docs are clear that CAP_SYS_ADMIN *or* privileged: true + # both force this to `true`: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + # But there is a K8S validation bug that doesn't propery catch this: https://github.com/kubernetes/kubernetes/issues/119568 + allowPrivilegeEscalation: true + privileged: false + capabilities: + drop: + - ALL + add: # See https://man7.org/linux/man-pages/man7/capabilities.7.html + - NET_ADMIN # Required for TPROXY and setsockopt + - SYS_ADMIN # Required for `setns` - doing things in other netns + - NET_RAW # Required for RAW/PACKET sockets, TPROXY + readOnlyRootFilesystem: true + runAsGroup: 1337 + runAsNonRoot: false + runAsUser: 0 +{{- if .Values.seLinuxOptions }} + seLinuxOptions: +{{ toYaml .Values.seLinuxOptions | trim | indent 12 }} +{{- end }} + readinessProbe: + httpGet: + port: 15021 + path: /healthz/ready + args: + - proxy + - ztunnel + env: + - name: CA_ADDRESS + {{- if .Values.caAddress }} + value: {{ .Values.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012 + {{- end }} + - name: XDS_ADDRESS + {{- if .Values.xdsAddress }} + value: {{ .Values.xdsAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012 + {{- end }} + {{- if .Values.logAsJson }} + - name: LOG_FORMAT + value: json + {{- end}} + {{- if .Values.network }} + - name: NETWORK + value: {{ .Values.network | quote }} + {{- end }} + - name: RUST_LOG + value: {{ .Values.logLevel | quote }} + - name: RUST_BACKTRACE + value: "1" + - name: ISTIO_META_CLUSTER_ID + value: {{ .Values.multiCluster.clusterName | default "Kubernetes" }} + - name: INPOD_ENABLED + value: "true" + - name: TERMINATION_GRACE_PERIOD_SECONDS + value: "{{ .Values.terminationGracePeriodSeconds }}" + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + {{- if .Values.meshConfig.defaultConfig.proxyMetadata }} + {{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata}} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + - name: ZTUNNEL_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + {{- with .Values.env }} + {{- range $key, $val := . }} + - name: {{ $key }} + value: "{{ $val }}" + {{- end }} + {{- end }} + volumeMounts: + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + - mountPath: /var/run/secrets/tokens + name: istio-token + - mountPath: /var/run/ztunnel + name: cni-ztunnel-sock-dir + - mountPath: /tmp + name: tmp + {{- with .Values.volumeMounts }} + {{- toYaml . | nindent 8 }} + {{- end }} + priorityClassName: system-node-critical + terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} + volumes: + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: istio-ca + - name: istiod-ca-cert + {{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:{{ .Values.trustBundleName | default "root-cert" }} + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + - name: cni-ztunnel-sock-dir + hostPath: + path: /var/run/ztunnel + type: DirectoryOrCreate # ideally this would be a socket, but istio-cni may not have started yet. + # pprof needs a writable /tmp, and we don't have that thanks to `readOnlyRootFilesystem: true`, so mount one + - name: tmp + emptyDir: {} + {{- with .Values.volumes }} + {{- toYaml . | nindent 6}} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/templates/networkpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/templates/networkpolicy.yaml new file mode 100644 index 0000000000..b397c64c82 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/templates/networkpolicy.yaml @@ -0,0 +1,62 @@ +{{- if (.Values.global.networkPolicy).enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ include "ztunnel.release-name" . }}{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: ztunnel + app.kubernetes.io/name: ztunnel + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Ztunnel" + release: {{ .Release.Name }} + {{- include "istio.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + app: ztunnel + policyTypes: + - Ingress + - Egress + ingress: + # Readiness probe + - from: [] + ports: + - protocol: TCP + port: 15021 + # Monitoring/prometheus + - from: [] + ports: + - protocol: TCP + port: 15020 # Metrics + # Admin interface + - from: [] + ports: + - protocol: TCP + port: 15000 # Admin interface + # HBONE traffic + - from: [] + ports: + - protocol: TCP + port: 15008 + # Outbound traffic endpoint + - from: [] + ports: + - protocol: TCP + port: 15001 + # Traffic endpoint for inbound plaintext + - from: [] + ports: + - protocol: TCP + port: 15006 + # DNS Captures + - from: [ ] + ports: + - protocol: TCP + port: 15053 + - protocol: UDP + port: 15053 + egress: + # Allow all egress + - {} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/templates/rbac.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/templates/rbac.yaml new file mode 100644 index 0000000000..0a8138c9a3 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/templates/rbac.yaml @@ -0,0 +1,72 @@ +apiVersion: v1 +kind: ServiceAccount + {{- with .Values.imagePullSecrets }} +imagePullSecrets: + {{- range . }} + - name: {{ . }} + {{- end }} + {{- end }} +metadata: + name: {{ include "ztunnel.release-name" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: ztunnel + {{- include "istio.labels" . | nindent 4}} + {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }} + annotations: +{{- if .Values.revision }} + {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }} + {{- toYaml $annos | nindent 4}} +{{- else }} + {{- .Values.annotations | toYaml | nindent 4 }} +{{- end }} +--- +{{- if (eq (.Values.platform | default "") "openshift") }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "ztunnel.release-name" . }} + labels: + app: ztunnel + release: {{ include "ztunnel.release-name" . }} + app.kubernetes.io/name: ztunnel + {{- include "istio.labels" . | nindent 4}} + annotations: +{{- if .Values.revision }} + {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }} + {{- toYaml $annos | nindent 4}} +{{- else }} + {{- .Values.annotations | toYaml | nindent 4 }} +{{- end }} +rules: +- apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: ["privileged"] + verbs: ["use"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "ztunnel.release-name" . }} + labels: + app: ztunnel + release: {{ include "ztunnel.release-name" . }} + app.kubernetes.io/name: ztunnel + {{- include "istio.labels" . | nindent 4}} + annotations: +{{- if .Values.revision }} + {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }} + {{- toYaml $annos | nindent 4}} +{{- else }} + {{- .Values.annotations | toYaml | nindent 4 }} +{{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "ztunnel.release-name" . }} +subjects: +- kind: ServiceAccount + name: {{ include "ztunnel.release-name" . }} + namespace: {{ .Release.Namespace }} +{{- end }} +--- diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/templates/resourcequota.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/templates/resourcequota.yaml new file mode 100644 index 0000000000..a1c0e5496d --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/templates/resourcequota.yaml @@ -0,0 +1,20 @@ +{{- if .Values.resourceQuotas.enabled }} +apiVersion: v1 +kind: ResourceQuota +metadata: + name: {{ include "ztunnel.release-name" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: ztunnel + {{- include "istio.labels" . | nindent 4}} + {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }} +spec: + hard: + pods: {{ .Values.resourceQuotas.pods | quote }} + scopeSelector: + matchExpressions: + - operator: In + scopeName: PriorityClass + values: + - system-node-critical +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/templates/zzz_profile.yaml new file mode 100644 index 0000000000..606c556697 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/templates/zzz_profile.yaml @@ -0,0 +1,75 @@ +{{/* +WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. +The original version of this file is located at /manifests directory. +If you want to make a change in this file, edit the original one and run "make gen". + +Complex logic ahead... +We have three sets of values, in order of precedence (last wins): +1. The builtin values.yaml defaults +2. The profile the user selects +3. Users input (-f or --set) + +Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). + +However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). +We can then merge the profile onto the defaults, then the user settings onto that. +Finally, we can set all of that under .Values so the chart behaves without awareness. +*/}} +{{- if $.Values.defaults}} +{{ fail (cat + "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" + ($.Values.defaults | toYaml |nindent 4) +) }} +{{- end }} +{{- $defaults := $.Values._internal_defaults_do_not_set }} +{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} +{{- $profile := dict }} +{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} +{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} +{{- $profile = (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown profile" .) }} +{{- end }} +{{- end }} +{{- with .Values.compatibilityVersion }} +{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} +{{- end }} +{{- end }} +{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} +{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown platform" .) }} +{{- end }} +{{- end }} +{{- if $profile }} +{{- $a := mustMergeOverwrite $defaults $profile }} +{{- end }} +# Flatten globals, if defined on a per-chart basis +{{- if true }} +{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} +{{- end }} +{{- $x := set $.Values "_original" (deepCopy $.Values) }} +{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} + +{{/* +Labels that should be applied to ALL resources. +*/}} +{{- define "istio.labels" -}} +{{- if .Release.Service -}} +app.kubernetes.io/managed-by: {{ .Release.Service | quote }} +{{- end }} +{{- if .Release.Name }} +app.kubernetes.io/instance: {{ .Release.Name | quote }} +{{- end }} +app.kubernetes.io/part-of: "istio" +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +{{- if and .Chart.Name .Chart.Version }} +helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/values.yaml new file mode 100644 index 0000000000..9fe9f0dc3a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/charts/ztunnel/values.yaml @@ -0,0 +1,133 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + # Hub to pull from. Image will be `Hub/Image:Tag-Variant` + hub: gcr.io/istio-release + # Tag to pull from. Image will be `Hub/Image:Tag-Variant` + tag: 1.27.5 + # Variant to pull. Options are "debug" or "distroless". Unset will use the default for the given version. + variant: "" + + # Image name to pull from. Image will be `Hub/Image:Tag-Variant` + # If Image contains a "/", it will replace the entire `image` in the pod. + image: ztunnel + + # Same as `global.network`, but will override it if set. + # Network defines the network this cluster belong to. This name + # corresponds to the networks in the map of mesh networks. + network: "" + + global: + # When enabled, default NetworkPolicy resources will be created + networkPolicy: + enabled: false + + # resourceName, if set, will override the naming of resources. If not set, will default to 'ztunnel'. + # If you set this, you MUST also set `trustedZtunnelName` in the `istiod` chart. + resourceName: "" + + # Labels to apply to all top level resources + labels: {} + # Annotations to apply to all top level resources + annotations: {} + + # Additional volumeMounts to the ztunnel container + volumeMounts: [] + + # Additional volumes to the ztunnel pod + volumes: [] + + # Tolerations for the ztunnel pod + tolerations: + - effect: NoSchedule + operator: Exists + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists + + # Annotations added to each pod. The default annotations are required for scraping prometheus (in most environments). + podAnnotations: + prometheus.io/port: "15020" + prometheus.io/scrape: "true" + + # Additional labels to apply on the pod level + podLabels: {} + + # Pod resource configuration + resources: + requests: + cpu: 200m + # Ztunnel memory scales with the size of the cluster and traffic load + # While there are many factors, this is enough for ~200k pod cluster or 100k concurrently open connections. + memory: 512Mi + + resourceQuotas: + enabled: false + pods: 5000 + + # List of secret names to add to the service account as image pull secrets + imagePullSecrets: [] + + # A `key: value` mapping of environment variables to add to the pod + env: {} + + # Override for the pod imagePullPolicy + imagePullPolicy: "" + + # Settings for multicluster + multiCluster: + # The name of the cluster we are installing in. Note this is a user-defined name, which must be consistent + # with Istiod configuration. + clusterName: "" + + # meshConfig defines runtime configuration of components. + # For ztunnel, only defaultConfig is used, but this is nested under `meshConfig` for consistency with other + # components. + # TODO: https://github.com/istio/istio/issues/43248 + meshConfig: + defaultConfig: + proxyMetadata: {} + + # This value defines: + # 1. how many seconds kube waits for ztunnel pod to gracefully exit before forcibly terminating it (this value) + # 2. how many seconds ztunnel waits to drain its own connections (this value - 1 sec) + # Default K8S value is 30 seconds + terminationGracePeriodSeconds: 30 + + # Revision is set as 'version' label and part of the resource names when installing multiple control planes. + # Used to locate the XDS and CA, if caAddress or xdsAddress are not set explicitly. + revision: "" + + # The customized CA address to retrieve certificates for the pods in the cluster. + # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. + caAddress: "" + + # The customized XDS address to retrieve configuration. + # This should include the port - 15012 for Istiod. TLS will be used with the certificates in "istiod-ca-cert" secret. + # By default, it is istiod.istio-system.svc:15012 if revision is not set, or istiod-..svc:15012 + xdsAddress: "" + + # Used to locate the XDS and CA, if caAddress or xdsAddress are not set. + istioNamespace: istio-system + + # Configuration log level of ztunnel binary, default is info. + # Valid values are: trace, debug, info, warn, error + logLevel: info + + # To output all logs in json format + logAsJson: false + + # Set to `type: RuntimeDefault` to use the default profile if available. + seLinuxOptions: {} + # TODO Ambient inpod - for OpenShift, set to the following to get writable sockets in hostmounts to work, eventually consider CSI driver instead + #seLinuxOptions: + # type: spc_t + + # K8s DaemonSet update strategy. + # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec). + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/cni-1.27.5.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/cni-1.27.5.tgz.etag new file mode 100644 index 0000000000..c7d66b65e8 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/cni-1.27.5.tgz.etag @@ -0,0 +1 @@ +023c4b4ba66f9fe8cc19b6d4791ff6d004fac662d78ff5cf89d6ec9bf551fbf5 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/commit b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/commit new file mode 100644 index 0000000000..bd9c63786b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/commit @@ -0,0 +1 @@ +1.27.5 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/gateway-1.27.5.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/gateway-1.27.5.tgz.etag new file mode 100644 index 0000000000..46126a8c65 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/gateway-1.27.5.tgz.etag @@ -0,0 +1 @@ +d338fa67a4fbde0eebbb7e50e4681c81ac0550cfd9ae7ce37d9ecbe310e3f1de diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/istiod-1.27.5.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/istiod-1.27.5.tgz.etag new file mode 100644 index 0000000000..600d7e101c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/istiod-1.27.5.tgz.etag @@ -0,0 +1 @@ +d11c9653fa7e9e204abff6dc52b2e965f86fb2caf8d2feaee01e848554c8c37c diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/profiles/ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/profiles/ambient.yaml new file mode 100644 index 0000000000..71ea784a80 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/profiles/ambient.yaml @@ -0,0 +1,5 @@ +apiVersion: sailoperator.io/v1 +kind: Istio +spec: + values: + profile: ambient diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/profiles/default.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/profiles/default.yaml new file mode 100644 index 0000000000..8f1ef19676 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/profiles/default.yaml @@ -0,0 +1,12 @@ +apiVersion: sailoperator.io/v1 +kind: Istio +spec: + # Most default values come from the helm chart's values.yaml + # Below are the things that differ + values: + defaultRevision: "" + global: + istioNamespace: istio-system + configValidation: true + ztunnel: + resourceName: ztunnel diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/profiles/demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/profiles/demo.yaml new file mode 100644 index 0000000000..53c4b41633 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/profiles/demo.yaml @@ -0,0 +1,5 @@ +apiVersion: sailoperator.io/v1 +kind: Istio +spec: + values: + profile: demo diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/profiles/empty.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/profiles/empty.yaml new file mode 100644 index 0000000000..4477cb1fe1 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/profiles/empty.yaml @@ -0,0 +1,5 @@ +# The empty profile has everything disabled +# This is useful as a base for custom user configuration +apiVersion: sailoperator.io/v1 +kind: Istio +spec: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/profiles/openshift-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/profiles/openshift-ambient.yaml new file mode 100644 index 0000000000..76edf00cd8 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/profiles/openshift-ambient.yaml @@ -0,0 +1,7 @@ +apiVersion: sailoperator.io/v1 +kind: Istio +spec: + values: + profile: ambient + global: + platform: openshift diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/profiles/openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/profiles/openshift.yaml new file mode 100644 index 0000000000..41492660fe --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/profiles/openshift.yaml @@ -0,0 +1,6 @@ +apiVersion: sailoperator.io/v1 +kind: Istio +spec: + values: + global: + platform: openshift diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/profiles/preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/profiles/preview.yaml new file mode 100644 index 0000000000..59d545c840 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/profiles/preview.yaml @@ -0,0 +1,8 @@ +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +apiVersion: sailoperator.io/v1 +kind: Istio +spec: + values: + profile: preview diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/profiles/remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/profiles/remote.yaml new file mode 100644 index 0000000000..54c65c8ba9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/profiles/remote.yaml @@ -0,0 +1,7 @@ +# The remote profile is used to configure a mesh cluster without a locally deployed control plane. +# Only the injector mutating webhook configuration is installed. +apiVersion: sailoperator.io/v1 +kind: Istio +spec: + values: + profile: remote diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/profiles/stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/profiles/stable.yaml new file mode 100644 index 0000000000..285feba244 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/profiles/stable.yaml @@ -0,0 +1,5 @@ +apiVersion: sailoperator.io/v1 +kind: Istio +spec: + values: + profile: stable diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/ztunnel-1.27.5.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/ztunnel-1.27.5.tgz.etag new file mode 100644 index 0000000000..8a828cf748 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.5/ztunnel-1.27.5.tgz.etag @@ -0,0 +1 @@ +480cc9a3a64d132bceeba46150ecd2d55c0fb17fbdfc6858d6f12d1cc81e73d1 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/base-1.27.8.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/base-1.27.8.tgz.etag new file mode 100644 index 0000000000..d5edee9229 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/base-1.27.8.tgz.etag @@ -0,0 +1 @@ +7a8b8f8bb2e96e57d710fd96d639773cf69abab2cc07971b0e9fb0bdd2045b91 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/Chart.yaml new file mode 100644 index 0000000000..3bcb77102d --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/Chart.yaml @@ -0,0 +1,10 @@ +apiVersion: v2 +appVersion: 1.27.8 +description: Helm chart for deploying Istio cluster resources and CRDs +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio +name: base +sources: +- https://github.com/istio/istio +version: 1.27.8 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/README.md new file mode 100644 index 0000000000..ae8f6d5b0e --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/README.md @@ -0,0 +1,35 @@ +# Istio base Helm Chart + +This chart installs resources shared by all Istio revisions. This includes Istio CRDs. + +## Setup Repo Info + +```console +helm repo add istio https://istio-release.storage.googleapis.com/charts +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Installing the Chart + +To install the chart with the release name `istio-base`: + +```console +kubectl create namespace istio-system +helm install istio-base istio/base -n istio-system +``` + +### Profiles + +Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. +These can be set with `--set profile=`. +For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. + +For consistency, the same profiles are used across each chart, even if they do not impact a given chart. + +Explicitly set values have highest priority, then profile settings, then chart defaults. + +As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. +When configuring the chart, you should not include this. +That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/files/profile-ambient.yaml new file mode 100644 index 0000000000..495fbcd434 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/files/profile-ambient.yaml @@ -0,0 +1,24 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" + serviceScopeConfigs: + - servicesSelector: + matchExpressions: + - key: istio.io/global + operator: In + values: ["true"] + scope: GLOBAL +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 0000000000..4f3dbef7ea --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/files/profile-compatibility-version-1.24.yaml @@ -0,0 +1,15 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + PILOT_ENABLE_IP_AUTOALLOCATE: "false" + # 1.27 behavioral changes + ENABLE_NATIVE_SIDECARS: "false" +ambient: + dnsCapture: false + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..b2f45948c2 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,11 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.27 behavioral changes + ENABLE_NATIVE_SIDECARS: "false" +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/files/profile-compatibility-version-1.26.yaml new file mode 100644 index 0000000000..af10697326 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/files/profile-compatibility-version-1.26.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.27 behavioral changes + ENABLE_NATIVE_SIDECARS: "false" \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/files/profile-demo.yaml new file mode 100644 index 0000000000..d6dc36dd0f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/files/profile-demo.yaml @@ -0,0 +1,94 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The demo profile enables a variety of things to try out Istio in non-production environments. +# * Lower resource utilization. +# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. +# * More ports enabled on the ingress, which is used in some tasks. +meshConfig: + accessLogFile: /dev/stdout + extensionProviders: + - name: otel + envoyOtelAls: + service: opentelemetry-collector.observability.svc.cluster.local + port: 4317 + - name: skywalking + skywalking: + service: tracing.istio-system.svc.cluster.local + port: 11800 + - name: otel-tracing + opentelemetry: + port: 4317 + service: opentelemetry-collector.observability.svc.cluster.local + - name: jaeger + opentelemetry: + port: 4317 + service: jaeger-collector.istio-system.svc.cluster.local + +cni: + resources: + requests: + cpu: 10m + memory: 40Mi + +ztunnel: + resources: + requests: + cpu: 10m + memory: 40Mi + +global: + proxy: + resources: + requests: + cpu: 10m + memory: 40Mi + waypoint: + resources: + requests: + cpu: 10m + memory: 40Mi + +pilot: + autoscaleEnabled: false + traceSampling: 100 + resources: + requests: + cpu: 10m + memory: 100Mi + +gateways: + istio-egressgateway: + autoscaleEnabled: false + resources: + requests: + cpu: 10m + memory: 40Mi + istio-ingressgateway: + autoscaleEnabled: false + ports: + ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. + # Note that AWS ELB will by default perform health checks on the first port + # on this list. Setting this to the health check port will ensure that health + # checks always work. https://github.com/istio/istio/issues/12503 + - port: 15021 + targetPort: 15021 + name: status-port + - port: 80 + targetPort: 8080 + name: http2 + - port: 443 + targetPort: 8443 + name: https + - port: 31400 + targetPort: 31400 + name: tcp + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + resources: + requests: + cpu: 10m + memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/files/profile-platform-gke.yaml new file mode 100644 index 0000000000..dfe8a7d741 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/files/profile-platform-gke.yaml @@ -0,0 +1,10 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work + resourceQuotas: + enabled: true +resourceQuotas: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/files/profile-platform-k3d.yaml new file mode 100644 index 0000000000..cd86d9ec58 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/files/profile-platform-k3d.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/files/profile-platform-k3s.yaml new file mode 100644 index 0000000000..07820106d9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/files/profile-platform-k3s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/files/profile-platform-microk8s.yaml new file mode 100644 index 0000000000..57d7f5e3cd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/files/profile-platform-microk8s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/snap/microk8s/current/args/cni-network + cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/files/profile-platform-minikube.yaml new file mode 100644 index 0000000000..fa9992e204 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/files/profile-platform-minikube.yaml @@ -0,0 +1,6 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/files/profile-platform-openshift.yaml new file mode 100644 index 0000000000..8ddc5e1654 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/files/profile-platform-openshift.yaml @@ -0,0 +1,19 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The OpenShift profile provides a basic set of settings to run Istio on OpenShift +cni: + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + provider: "multus" +pilot: + cni: + enabled: true + provider: "multus" +seLinuxOptions: + type: spc_t +# Openshift requires privileged pods to run in kube-system +trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/files/profile-preview.yaml new file mode 100644 index 0000000000..181d7bda2c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/files/profile-preview.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +meshConfig: + defaultConfig: + proxyMetadata: + # Enable Istio agent to handle DNS requests for known hosts + # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf + ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/files/profile-remote.yaml new file mode 100644 index 0000000000..d17b9a801a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/files/profile-remote.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. +istiodRemote: + enabled: true +configMap: false +telemetry: + enabled: false +global: + # TODO BML maybe a different profile for a configcluster/revisit this + omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/files/profile-stable.yaml new file mode 100644 index 0000000000..358282e69b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/files/profile-stable.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The stable profile deploys admission control to ensure that only stable resources and fields are used +# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE +experimental: + stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/templates/NOTES.txt new file mode 100644 index 0000000000..f12616f578 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/templates/NOTES.txt @@ -0,0 +1,5 @@ +Istio base successfully installed! + +To learn more about the release, try: + $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} + $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml new file mode 100644 index 0000000000..2616b09c9a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml @@ -0,0 +1,53 @@ +{{- if and .Values.experimental.stableValidationPolicy (not (eq .Values.defaultRevision "")) }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicy +metadata: + name: "stable-channel-default-policy.istio.io" + labels: + release: {{ .Release.Name }} + istio: istiod + istio.io/rev: {{ .Values.defaultRevision }} + app.kubernetes.io/name: "istiod" + {{ include "istio.labels" . | nindent 4 }} +spec: + failurePolicy: Fail + matchConstraints: + resourceRules: + - apiGroups: + - security.istio.io + - networking.istio.io + - telemetry.istio.io + - extensions.istio.io + apiVersions: ["*"] + operations: ["CREATE", "UPDATE"] + resources: ["*"] + variables: + - name: isEnvoyFilter + expression: "object.kind == 'EnvoyFilter'" + - name: isWasmPlugin + expression: "object.kind == 'WasmPlugin'" + - name: isProxyConfig + expression: "object.kind == 'ProxyConfig'" + - name: isTelemetry + expression: "object.kind == 'Telemetry'" + validations: + - expression: "!variables.isEnvoyFilter" + - expression: "!variables.isWasmPlugin" + - expression: "!variables.isProxyConfig" + - expression: | + !( + variables.isTelemetry && ( + (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) || + (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) || + (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter)) + ) + ) +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicyBinding +metadata: + name: "stable-channel-default-policy-binding.istio.io" +spec: + policyName: "stable-channel-default-policy.istio.io" + validationActions: [Deny] +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml new file mode 100644 index 0000000000..8cb76fd773 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml @@ -0,0 +1,56 @@ +{{- if not (eq .Values.defaultRevision "") }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: istiod-default-validator + labels: + app: istiod + release: {{ .Release.Name }} + istio: istiod + istio.io/rev: {{ .Values.defaultRevision | quote }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +webhooks: + - name: validation.istio.io + clientConfig: + {{- if .Values.base.validationURL }} + url: {{ .Values.base.validationURL }} + {{- else }} + service: + {{- if (eq .Values.defaultRevision "default") }} + name: istiod + {{- else }} + name: istiod-{{ .Values.defaultRevision }} + {{- end }} + namespace: {{ .Values.global.istioNamespace }} + path: "/validate" + {{- end }} + {{- if .Values.base.validationCABundle }} + caBundle: "{{ .Values.base.validationCABundle }}" + {{- end }} + rules: + - operations: + - CREATE + - UPDATE + apiGroups: + - security.istio.io + - networking.istio.io + - telemetry.istio.io + - extensions.istio.io + apiVersions: + - "*" + resources: + - "*" + + {{- if .Values.base.validationCABundle }} + # Disable webhook controller in Pilot to stop patching it + failurePolicy: Fail + {{- else }} + # Fail open until the validation webhook is ready. The webhook controller + # will update this to `Fail` and patch in the `caBundle` when the webhook + # endpoint is ready. + failurePolicy: Ignore + {{- end }} + sideEffects: None + admissionReviewVersions: ["v1"] +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/templates/reader-serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/templates/reader-serviceaccount.yaml new file mode 100644 index 0000000000..ba829a6bfe --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/templates/reader-serviceaccount.yaml @@ -0,0 +1,20 @@ +# This singleton service account aggregates reader permissions for the revisions in a given cluster +# ATM this is a singleton per cluster with Istio installed, and is not revisioned. It maybe should be, +# as otherwise compromising the token for this SA would give you access to *every* installed revision. +# Should be used for remote secret creation. +apiVersion: v1 +kind: ServiceAccount + {{- if .Values.global.imagePullSecrets }} +imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +metadata: + name: istio-reader-service-account + namespace: {{ .Values.global.istioNamespace }} + labels: + app: istio-reader + release: {{ .Release.Name }} + app.kubernetes.io/name: "istio-reader" + {{- include "istio.labels" . | nindent 4 }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/templates/zzz_profile.yaml new file mode 100644 index 0000000000..3d84956485 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/templates/zzz_profile.yaml @@ -0,0 +1,75 @@ +{{/* +WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. +The original version of this file is located at /manifests directory. +If you want to make a change in this file, edit the original one and run "make gen". + +Complex logic ahead... +We have three sets of values, in order of precedence (last wins): +1. The builtin values.yaml defaults +2. The profile the user selects +3. Users input (-f or --set) + +Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). + +However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). +We can then merge the profile onto the defaults, then the user settings onto that. +Finally, we can set all of that under .Values so the chart behaves without awareness. +*/}} +{{- if $.Values.defaults}} +{{ fail (cat + "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" + ($.Values.defaults | toYaml |nindent 4) +) }} +{{- end }} +{{- $defaults := $.Values._internal_defaults_do_not_set }} +{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} +{{- $profile := dict }} +{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} +{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} +{{- $profile = (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown profile" .) }} +{{- end }} +{{- end }} +{{- with .Values.compatibilityVersion }} +{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} +{{- end }} +{{- end }} +{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} +{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown platform" .) }} +{{- end }} +{{- end }} +{{- if $profile }} +{{- $a := mustMergeOverwrite $defaults $profile }} +{{- end }} +# Flatten globals, if defined on a per-chart basis +{{- if false }} +{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} +{{- end }} +{{- $x := set $.Values "_original" (deepCopy $.Values) }} +{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} + +{{/* +Labels that should be applied to ALL resources. +*/}} +{{- define "istio.labels" -}} +{{- if .Release.Service -}} +app.kubernetes.io/managed-by: {{ .Release.Service | quote }} +{{- end }} +{{- if .Release.Name }} +app.kubernetes.io/instance: {{ .Release.Name | quote }} +{{- end }} +app.kubernetes.io/part-of: "istio" +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +{{- if and .Chart.Name .Chart.Version }} +helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/values.yaml new file mode 100644 index 0000000000..d18296f00a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/base/values.yaml @@ -0,0 +1,37 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + global: + + # ImagePullSecrets for control plane ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + + # Used to locate istiod. + istioNamespace: istio-system + base: + # A list of CRDs to exclude. Requires `enableCRDTemplates` to be true. + # Example: `excludedCRDs: ["envoyfilters.networking.istio.io"]`. + # Note: when installing with `istioctl`, `enableIstioConfigCRDs=false` must also be set. + excludedCRDs: [] + # Helm (as of V3) does not support upgrading CRDs, because it is not universally + # safe for them to support this. + # Istio as a project enforces certain backwards-compat guarantees that allow us + # to safely upgrade CRDs in spite of this, so we default to self-managing CRDs + # as standard K8S resources in Helm, and disable Helm's CRD management. See also: + # https://helm.sh/docs/chart_best_practices/custom_resource_definitions/#method-2-separate-charts + enableCRDTemplates: true + + # Validation webhook configuration url + # For example: https://$remotePilotAddress:15017/validate + validationURL: "" + # Validation webhook caBundle value. Useful when running pilot with a well known cert + validationCABundle: "" + + # For istioctl usage to disable istio config crds in base + enableIstioConfigCRDs: true + + defaultRevision: "default" + experimental: + stableValidationPolicy: false diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/Chart.yaml new file mode 100644 index 0000000000..7e2183f232 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +appVersion: 1.27.8 +description: Helm chart for istio-cni components +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio-cni +- istio +name: cni +sources: +- https://github.com/istio/istio +version: 1.27.8 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/README.md new file mode 100644 index 0000000000..a8b78d5bde --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/README.md @@ -0,0 +1,65 @@ +# Istio CNI Helm Chart + +This chart installs the Istio CNI Plugin. See the [CNI installation guide](https://istio.io/latest/docs/setup/additional-setup/cni/) +for more information. + +## Setup Repo Info + +```console +helm repo add istio https://istio-release.storage.googleapis.com/charts +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Installing the Chart + +To install the chart with the release name `istio-cni`: + +```console +helm install istio-cni istio/cni -n kube-system +``` + +Installation in `kube-system` is recommended to ensure the [`system-node-critical`](https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/) +`priorityClassName` can be used. You can install in other namespace only on K8S clusters that allow +'system-node-critical' outside of kube-system. + +## Configuration + +To view support configuration options and documentation, run: + +```console +helm show values istio/istio-cni +``` + +### Profiles + +Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. +These can be set with `--set profile=`. +For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. + +For consistency, the same profiles are used across each chart, even if they do not impact a given chart. + +Explicitly set values have highest priority, then profile settings, then chart defaults. + +As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. +When configuring the chart, you should not include this. +That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. + +### Ambient + +To enable ambient, you can use the ambient profile: `--set profile=ambient`. + +#### Calico + +For Calico, you must also modify the settings to allow source spoofing: + +- if deployed by operator, `kubectl patch felixconfigurations default --type='json' -p='[{"op": "add", "path": "/spec/workloadSourceSpoofing", "value": "Any"}]'` +- if deployed by manifest, add env `FELIX_WORKLOADSOURCESPOOFING` with value `Any` in `spec.template.spec.containers.env` for daemonset `calico-node`. (This will allow PODs with specified annotation to skip the rpf check. ) + +### GKE notes + +On GKE, 'kube-system' is required. + +If using `helm template`, `--set cni.cniBinDir=/home/kubernetes/bin` is required - with `helm install` +it is auto-detected. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/files/profile-ambient.yaml new file mode 100644 index 0000000000..495fbcd434 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/files/profile-ambient.yaml @@ -0,0 +1,24 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" + serviceScopeConfigs: + - servicesSelector: + matchExpressions: + - key: istio.io/global + operator: In + values: ["true"] + scope: GLOBAL +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 0000000000..4f3dbef7ea --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/files/profile-compatibility-version-1.24.yaml @@ -0,0 +1,15 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + PILOT_ENABLE_IP_AUTOALLOCATE: "false" + # 1.27 behavioral changes + ENABLE_NATIVE_SIDECARS: "false" +ambient: + dnsCapture: false + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..b2f45948c2 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,11 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.27 behavioral changes + ENABLE_NATIVE_SIDECARS: "false" +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/files/profile-compatibility-version-1.26.yaml new file mode 100644 index 0000000000..af10697326 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/files/profile-compatibility-version-1.26.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.27 behavioral changes + ENABLE_NATIVE_SIDECARS: "false" \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/files/profile-demo.yaml new file mode 100644 index 0000000000..d6dc36dd0f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/files/profile-demo.yaml @@ -0,0 +1,94 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The demo profile enables a variety of things to try out Istio in non-production environments. +# * Lower resource utilization. +# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. +# * More ports enabled on the ingress, which is used in some tasks. +meshConfig: + accessLogFile: /dev/stdout + extensionProviders: + - name: otel + envoyOtelAls: + service: opentelemetry-collector.observability.svc.cluster.local + port: 4317 + - name: skywalking + skywalking: + service: tracing.istio-system.svc.cluster.local + port: 11800 + - name: otel-tracing + opentelemetry: + port: 4317 + service: opentelemetry-collector.observability.svc.cluster.local + - name: jaeger + opentelemetry: + port: 4317 + service: jaeger-collector.istio-system.svc.cluster.local + +cni: + resources: + requests: + cpu: 10m + memory: 40Mi + +ztunnel: + resources: + requests: + cpu: 10m + memory: 40Mi + +global: + proxy: + resources: + requests: + cpu: 10m + memory: 40Mi + waypoint: + resources: + requests: + cpu: 10m + memory: 40Mi + +pilot: + autoscaleEnabled: false + traceSampling: 100 + resources: + requests: + cpu: 10m + memory: 100Mi + +gateways: + istio-egressgateway: + autoscaleEnabled: false + resources: + requests: + cpu: 10m + memory: 40Mi + istio-ingressgateway: + autoscaleEnabled: false + ports: + ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. + # Note that AWS ELB will by default perform health checks on the first port + # on this list. Setting this to the health check port will ensure that health + # checks always work. https://github.com/istio/istio/issues/12503 + - port: 15021 + targetPort: 15021 + name: status-port + - port: 80 + targetPort: 8080 + name: http2 + - port: 443 + targetPort: 8443 + name: https + - port: 31400 + targetPort: 31400 + name: tcp + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + resources: + requests: + cpu: 10m + memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/files/profile-platform-gke.yaml new file mode 100644 index 0000000000..dfe8a7d741 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/files/profile-platform-gke.yaml @@ -0,0 +1,10 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work + resourceQuotas: + enabled: true +resourceQuotas: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/files/profile-platform-k3d.yaml new file mode 100644 index 0000000000..cd86d9ec58 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/files/profile-platform-k3d.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/files/profile-platform-k3s.yaml new file mode 100644 index 0000000000..07820106d9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/files/profile-platform-k3s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/files/profile-platform-microk8s.yaml new file mode 100644 index 0000000000..57d7f5e3cd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/files/profile-platform-microk8s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/snap/microk8s/current/args/cni-network + cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/files/profile-platform-minikube.yaml new file mode 100644 index 0000000000..fa9992e204 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/files/profile-platform-minikube.yaml @@ -0,0 +1,6 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/files/profile-platform-openshift.yaml new file mode 100644 index 0000000000..8ddc5e1654 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/files/profile-platform-openshift.yaml @@ -0,0 +1,19 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The OpenShift profile provides a basic set of settings to run Istio on OpenShift +cni: + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + provider: "multus" +pilot: + cni: + enabled: true + provider: "multus" +seLinuxOptions: + type: spc_t +# Openshift requires privileged pods to run in kube-system +trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/files/profile-preview.yaml new file mode 100644 index 0000000000..181d7bda2c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/files/profile-preview.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +meshConfig: + defaultConfig: + proxyMetadata: + # Enable Istio agent to handle DNS requests for known hosts + # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf + ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/files/profile-remote.yaml new file mode 100644 index 0000000000..d17b9a801a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/files/profile-remote.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. +istiodRemote: + enabled: true +configMap: false +telemetry: + enabled: false +global: + # TODO BML maybe a different profile for a configcluster/revisit this + omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/files/profile-stable.yaml new file mode 100644 index 0000000000..358282e69b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/files/profile-stable.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The stable profile deploys admission control to ensure that only stable resources and fields are used +# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE +experimental: + stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/templates/NOTES.txt new file mode 100644 index 0000000000..fb35525b99 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/templates/NOTES.txt @@ -0,0 +1,5 @@ +"{{ .Release.Name }}" successfully installed! + +To learn more about the release, try: + $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} + $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/templates/_helpers.tpl new file mode 100644 index 0000000000..73cc17b2f6 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/templates/_helpers.tpl @@ -0,0 +1,8 @@ +{{- define "name" -}} + istio-cni +{{- end }} + + +{{- define "istio-tag" -}} + {{ .Values.tag | default .Values.global.tag }}{{with (.Values.variant | default .Values.global.variant)}}-{{.}}{{end}} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/templates/clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/templates/clusterrole.yaml new file mode 100644 index 0000000000..1779e0bb1d --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/templates/clusterrole.yaml @@ -0,0 +1,81 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "name" . }} + labels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +rules: +- apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: ["privileged"] + verbs: ["use"] +- apiGroups: [""] + resources: ["pods","nodes","namespaces"] + verbs: ["get", "list", "watch"] +{{- if (eq ((coalesce .Values.platform .Values.global.platform) | default "") "openshift") }} +- apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: ["privileged"] + verbs: ["use"] +{{- end }} +--- +{{- if .Values.repair.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "name" . }}-repair-role + labels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] + - apiGroups: [""] + resources: ["pods"] + verbs: ["watch", "get", "list"] +{{- if .Values.repair.repairPods }} +{{- /* No privileges needed*/}} +{{- else if .Values.repair.deletePods }} + - apiGroups: [""] + resources: ["pods"] + verbs: ["delete"] +{{- else if .Values.repair.labelPods }} + - apiGroups: [""] + {{- /* pods/status is less privileged than the full pod, and either can label. So use the lower pods/status */}} + resources: ["pods/status"] + verbs: ["patch", "update"] +{{- end }} +{{- end }} +--- +{{- if .Values.ambient.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "name" . }}-ambient + labels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +rules: +- apiGroups: [""] + {{- /* pods/status is less privileged than the full pod, and either can label. So use the lower pods/status */}} + resources: ["pods/status"] + verbs: ["patch", "update"] +- apiGroups: ["apps"] + resources: ["daemonsets"] + resourceNames: ["{{ template "name" . }}-node"] + verbs: ["get"] +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/templates/clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..42fedab1fc --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/templates/clusterrolebinding.yaml @@ -0,0 +1,63 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "name" . }} + labels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "name" . }} +subjects: +- kind: ServiceAccount + name: {{ template "name" . }} + namespace: {{ .Release.Namespace }} +--- +{{- if .Values.repair.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "name" . }}-repair-rolebinding + labels: + k8s-app: {{ template "name" . }}-repair + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +subjects: +- kind: ServiceAccount + name: {{ template "name" . }} + namespace: {{ .Release.Namespace}} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "name" . }}-repair-role +{{- end }} +--- +{{- if .Values.ambient.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "name" . }}-ambient + labels: + k8s-app: {{ template "name" . }}-repair + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ template "name" . }} + namespace: {{ .Release.Namespace}} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "name" . }}-ambient +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/templates/configmap-cni.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/templates/configmap-cni.yaml new file mode 100644 index 0000000000..6f6ef329a2 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/templates/configmap-cni.yaml @@ -0,0 +1,41 @@ +kind: ConfigMap +apiVersion: v1 +metadata: + name: {{ template "name" . }}-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +data: + CURRENT_AGENT_VERSION: {{ .Values.tag | default .Values.global.tag | quote }} + AMBIENT_ENABLED: {{ .Values.ambient.enabled | quote }} + AMBIENT_ENABLEMENT_SELECTOR: {{ .Values.ambient.enablementSelectors | toYaml | quote }} + AMBIENT_DNS_CAPTURE: {{ .Values.ambient.dnsCapture | quote }} + AMBIENT_IPV6: {{ .Values.ambient.ipv6 | quote }} + AMBIENT_RECONCILE_POD_RULES_ON_STARTUP: {{ .Values.ambient.reconcileIptablesOnStartup | quote }} + {{- if .Values.cniConfFileName }} # K8S < 1.24 doesn't like empty values + CNI_CONF_NAME: {{ .Values.cniConfFileName }} # Name of the CNI config file to create. Only override if you know the exact path your CNI requires.. + {{- end }} + ISTIO_OWNED_CNI_CONFIG: {{ .Values.istioOwnedCNIConfig | quote }} + {{- if .Values.istioOwnedCNIConfig }} + ISTIO_OWNED_CNI_CONF_FILENAME: {{ .Values.istioOwnedCNIConfigFileName | quote }} + {{- end }} + CHAINED_CNI_PLUGIN: {{ .Values.chained | quote }} + EXCLUDE_NAMESPACES: "{{ range $idx, $ns := .Values.excludeNamespaces }}{{ if $idx }},{{ end }}{{ $ns }}{{ end }}" + REPAIR_ENABLED: {{ .Values.repair.enabled | quote }} + REPAIR_LABEL_PODS: {{ .Values.repair.labelPods | quote }} + REPAIR_DELETE_PODS: {{ .Values.repair.deletePods | quote }} + REPAIR_REPAIR_PODS: {{ .Values.repair.repairPods | quote }} + REPAIR_INIT_CONTAINER_NAME: {{ .Values.repair.initContainerName | quote }} + REPAIR_BROKEN_POD_LABEL_KEY: {{ .Values.repair.brokenPodLabelKey | quote }} + REPAIR_BROKEN_POD_LABEL_VALUE: {{ .Values.repair.brokenPodLabelValue | quote }} + NATIVE_NFTABLES: {{ .Values.global.nativeNftables | quote }} + {{- with .Values.env }} + {{- range $key, $val := . }} + {{ $key }}: "{{ $val }}" + {{- end }} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/templates/daemonset.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/templates/daemonset.yaml new file mode 100644 index 0000000000..896de3d038 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/templates/daemonset.yaml @@ -0,0 +1,248 @@ +# This manifest installs the Istio install-cni container, as well +# as the Istio CNI plugin and config on +# each master and worker node in a Kubernetes cluster. +# +# $detectedBinDir exists to support a GKE-specific platform override, +# and is deprecated in favor of using the explicit `gke` platform profile. +{{- $detectedBinDir := (.Capabilities.KubeVersion.GitVersion | contains "-gke") | ternary + "/home/kubernetes/bin" + "/opt/cni/bin" +}} +{{- if .Values.cniBinDir }} +{{ $detectedBinDir = .Values.cniBinDir }} +{{- end }} +kind: DaemonSet +apiVersion: apps/v1 +metadata: + # Note that this is templated but evaluates to a fixed name + # which the CNI plugin may fall back onto in some failsafe scenarios. + # if this name is changed, CNI plugin logic that checks for this name + # format should also be updated. + name: {{ template "name" . }}-node + namespace: {{ .Release.Namespace }} + labels: + k8s-app: {{ template "name" . }}-node + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +spec: + selector: + matchLabels: + k8s-app: {{ template "name" . }}-node + {{- with .Values.updateStrategy }} + updateStrategy: + {{- toYaml . | nindent 4 }} + {{- end }} + template: + metadata: + labels: + k8s-app: {{ template "name" . }}-node + sidecar.istio.io/inject: "false" + istio.io/dataplane-mode: none + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 8 }} + annotations: + sidecar.istio.io/inject: "false" + # Add Prometheus Scrape annotations + prometheus.io/scrape: 'true' + prometheus.io/port: "15014" + prometheus.io/path: '/metrics' + # Add AppArmor annotation + # This is required to avoid conflicts with AppArmor profiles which block certain + # privileged pod capabilities. + # Required for Kubernetes 1.29 which does not support setting appArmorProfile in the + # securityContext which is otherwise preferred. + container.apparmor.security.beta.kubernetes.io/install-cni: unconfined + # Custom annotations + {{- if .Values.podAnnotations }} +{{ toYaml .Values.podAnnotations | indent 8 }} + {{- end }} + spec: +{{- if and .Values.ambient.enabled .Values.ambient.shareHostNetworkNamespace }} + hostNetwork: true + dnsPolicy: ClusterFirstWithHostNet +{{- end }} + nodeSelector: + kubernetes.io/os: linux + # Can be configured to allow for excluding istio-cni from being scheduled on specified nodes + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + priorityClassName: system-node-critical + serviceAccountName: {{ template "name" . }} + # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force + # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods. + terminationGracePeriodSeconds: 5 + containers: + # This container installs the Istio CNI binaries + # and CNI network config file on each node. + - name: install-cni +{{- if contains "/" .Values.image }} + image: "{{ .Values.image }}" +{{- else }} + image: "{{ .Values.hub | default .Values.global.hub }}/{{ .Values.image | default "install-cni" }}:{{ template "istio-tag" . }}" +{{- end }} +{{- if or .Values.pullPolicy .Values.global.imagePullPolicy }} + imagePullPolicy: {{ .Values.pullPolicy | default .Values.global.imagePullPolicy }} +{{- end }} + ports: + - containerPort: 15014 + name: metrics + protocol: TCP + readinessProbe: + httpGet: + path: /readyz + port: 8000 + securityContext: + privileged: false + runAsGroup: 0 + runAsUser: 0 + runAsNonRoot: false + # Both ambient and sidecar repair mode require elevated node privileges to function. + # But we don't need _everything_ in `privileged`, so explicitly set it to false and + # add capabilities based on feature. + capabilities: + drop: + - ALL + add: + # CAP_NET_ADMIN is required to allow ipset and route table access + - NET_ADMIN + # CAP_NET_RAW is required to allow iptables mutation of the `nat` table + - NET_RAW + # CAP_SYS_PTRACE is required for repair and ambient mode to describe + # the pod's network namespace. + - SYS_PTRACE + # CAP_SYS_ADMIN is required for both ambient and repair, in order to open + # network namespaces in `/proc` to obtain descriptors for entering pod network + # namespaces. There does not appear to be a more granular capability for this. + - SYS_ADMIN + # While we run as a 'root' (UID/GID 0), since we drop all capabilities we lose + # the typical ability to read/write to folders owned by others. + # This can cause problems if the hostPath mounts we use, which we require write access into, + # are owned by non-root. DAC_OVERRIDE bypasses these and gives us write access into any folder. + - DAC_OVERRIDE +{{- if .Values.seLinuxOptions }} +{{ with (merge .Values.seLinuxOptions (dict "type" "spc_t")) }} + seLinuxOptions: +{{ toYaml . | trim | indent 14 }} +{{- end }} +{{- end }} +{{- if .Values.seccompProfile }} + seccompProfile: +{{ toYaml .Values.seccompProfile | trim | indent 14 }} +{{- end }} + command: ["install-cni"] + args: + {{- if or .Values.logging.level .Values.global.logging.level }} + - --log_output_level={{ coalesce .Values.logging.level .Values.global.logging.level }} + {{- end}} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end}} + envFrom: + - configMapRef: + name: {{ template "name" . }}-config + env: + - name: REPAIR_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: REPAIR_RUN_AS_DAEMON + value: "true" + - name: REPAIR_SIDECAR_ANNOTATION + value: "sidecar.istio.io/status" + {{- if not (and .Values.ambient.enabled .Values.ambient.shareHostNetworkNamespace) }} + - name: ALLOW_SWITCH_TO_HOST_NS + value: "true" + {{- end }} + - name: NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + divisor: '1' + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + divisor: '1' + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + {{- if .Values.env }} + {{- range $key, $val := .Values.env }} + - name: {{ $key }} + value: "{{ $val }}" + {{- end }} + {{- end }} + volumeMounts: + - mountPath: /host/opt/cni/bin + name: cni-bin-dir + {{- if or .Values.repair.repairPods .Values.ambient.enabled }} + - mountPath: /host/proc + name: cni-host-procfs + readOnly: true + {{- end }} + - mountPath: /host/etc/cni/net.d + name: cni-net-dir + - mountPath: /var/run/istio-cni + name: cni-socket-dir + {{- if .Values.ambient.enabled }} + - mountPath: /host/var/run/netns + mountPropagation: HostToContainer + name: cni-netns-dir + - mountPath: /var/run/ztunnel + name: cni-ztunnel-sock-dir + {{ end }} + resources: +{{- if .Values.resources }} +{{ toYaml .Values.resources | trim | indent 12 }} +{{- else }} +{{ toYaml .Values.global.defaultResources | trim | indent 12 }} +{{- end }} + volumes: + # Used to install CNI. + - name: cni-bin-dir + hostPath: + path: {{ $detectedBinDir }} + {{- if or .Values.repair.repairPods .Values.ambient.enabled }} + - name: cni-host-procfs + hostPath: + path: /proc + type: Directory + {{- end }} + {{- if .Values.ambient.enabled }} + - name: cni-ztunnel-sock-dir + hostPath: + path: /var/run/ztunnel + type: DirectoryOrCreate + {{- end }} + - name: cni-net-dir + hostPath: + path: {{ .Values.cniConfDir }} + # Used for UDS sockets for logging, ambient eventing + - name: cni-socket-dir + hostPath: + path: /var/run/istio-cni + - name: cni-netns-dir + hostPath: + path: {{ .Values.cniNetnsDir }} + type: DirectoryOrCreate # DirectoryOrCreate instead of Directory for the following reason - CNI may not bind mount this until a non-hostnetwork pod is scheduled on the node, + # and we don't want to block CNI agent pod creation on waiting for the first non-hostnetwork pod. + # Once the CNI does mount this, it will get populated and we're good. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/templates/network-attachment-definition.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/templates/network-attachment-definition.yaml new file mode 100644 index 0000000000..86a2eb7c0b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/templates/network-attachment-definition.yaml @@ -0,0 +1,11 @@ +{{- if eq .Values.provider "multus" }} +apiVersion: k8s.cni.cncf.io/v1 +kind: NetworkAttachmentDefinition +metadata: + name: {{ template "name" . }} + namespace: default + labels: + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/templates/networkpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/templates/networkpolicy.yaml new file mode 100644 index 0000000000..a30df776db --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/templates/networkpolicy.yaml @@ -0,0 +1,36 @@ +{{- if (.Values.global.networkPolicy).enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ template "name" . }}{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + k8s-app: {{ template "name" . }}-node + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + k8s-app: {{ template "name" . }}-node + policyTypes: + - Ingress + - Egress + ingress: + # Metrics endpoint for monitoring/prometheus + - from: [] + ports: + - protocol: TCP + port: 15014 + # Readiness probe endpoint + - from: [] + ports: + - protocol: TCP + port: 8000 + egress: + # Allow DNS resolution and access to Kubernetes API server. + # IP/Port of the API server is heavily dependant on k8s distribution, so we allow all egress for now. + - {} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/templates/resourcequota.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/templates/resourcequota.yaml new file mode 100644 index 0000000000..9a6d61ff91 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/templates/resourcequota.yaml @@ -0,0 +1,19 @@ +{{- if .Values.resourceQuotas.enabled }} +apiVersion: v1 +kind: ResourceQuota +metadata: + name: {{ template "name" . }}-resource-quota + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +spec: + hard: + pods: {{ .Values.resourceQuotas.pods | quote }} + scopeSelector: + matchExpressions: + - operator: In + scopeName: PriorityClass + values: + - system-node-critical +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/templates/serviceaccount.yaml new file mode 100644 index 0000000000..3193d7b74a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/templates/serviceaccount.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: ServiceAccount +{{- if .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range .Values.global.imagePullSecrets }} + - name: {{ . }} +{{- end }} +{{- end }} +metadata: + name: {{ template "name" . }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/templates/zzy_descope_legacy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/templates/zzy_descope_legacy.yaml new file mode 100644 index 0000000000..a9584ac29f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/templates/zzy_descope_legacy.yaml @@ -0,0 +1,3 @@ +{{/* Copy anything under `.cni` to `.`, to avoid the need to specify a redundant prefix. +Due to the file naming, this always happens after zzz_profile.yaml */}} +{{- $_ := mustMergeOverwrite $.Values (index $.Values "cni") }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/templates/zzz_profile.yaml new file mode 100644 index 0000000000..3d84956485 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/templates/zzz_profile.yaml @@ -0,0 +1,75 @@ +{{/* +WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. +The original version of this file is located at /manifests directory. +If you want to make a change in this file, edit the original one and run "make gen". + +Complex logic ahead... +We have three sets of values, in order of precedence (last wins): +1. The builtin values.yaml defaults +2. The profile the user selects +3. Users input (-f or --set) + +Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). + +However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). +We can then merge the profile onto the defaults, then the user settings onto that. +Finally, we can set all of that under .Values so the chart behaves without awareness. +*/}} +{{- if $.Values.defaults}} +{{ fail (cat + "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" + ($.Values.defaults | toYaml |nindent 4) +) }} +{{- end }} +{{- $defaults := $.Values._internal_defaults_do_not_set }} +{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} +{{- $profile := dict }} +{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} +{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} +{{- $profile = (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown profile" .) }} +{{- end }} +{{- end }} +{{- with .Values.compatibilityVersion }} +{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} +{{- end }} +{{- end }} +{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} +{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown platform" .) }} +{{- end }} +{{- end }} +{{- if $profile }} +{{- $a := mustMergeOverwrite $defaults $profile }} +{{- end }} +# Flatten globals, if defined on a per-chart basis +{{- if false }} +{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} +{{- end }} +{{- $x := set $.Values "_original" (deepCopy $.Values) }} +{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} + +{{/* +Labels that should be applied to ALL resources. +*/}} +{{- define "istio.labels" -}} +{{- if .Release.Service -}} +app.kubernetes.io/managed-by: {{ .Release.Service | quote }} +{{- end }} +{{- if .Release.Name }} +app.kubernetes.io/instance: {{ .Release.Name | quote }} +{{- end }} +app.kubernetes.io/part-of: "istio" +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +{{- if and .Chart.Name .Chart.Version }} +helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/values.yaml new file mode 100644 index 0000000000..e0c419abfc --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/cni/values.yaml @@ -0,0 +1,182 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + hub: "" + tag: "" + variant: "" + image: install-cni + pullPolicy: "" + + # Same as `global.logging.level`, but will override it if set + logging: + level: "" + + # Configuration file to insert istio-cni plugin configuration + # by default this will be the first file found in the cni-conf-dir + # Example + # cniConfFileName: 10-calico.conflist + + # CNI-and-platform specific path defaults. + # These may need to be set to platform-specific values, consult + # overrides for your platform in `manifests/helm-profiles/platform-*.yaml` + cniBinDir: /opt/cni/bin + cniConfDir: /etc/cni/net.d + cniConfFileName: "" + cniNetnsDir: "/var/run/netns" + + # If Istio owned CNI config is enabled, defaults to 02-istio-cni.conflist + istioOwnedCNIConfigFileName: "" + istioOwnedCNIConfig: false + + excludeNamespaces: + - kube-system + + # Allows user to set custom affinity for the DaemonSet + affinity: {} + + # Custom annotations on pod level, if you need them + podAnnotations: {} + + # Deploy the config files as plugin chain (value "true") or as standalone files in the conf dir (value "false")? + # Some k8s flavors (e.g. OpenShift) do not support the chain approach, set to false if this is the case + chained: true + + # Custom configuration happens based on the CNI provider. + # Possible values: "default", "multus" + provider: "default" + + # Configure ambient settings + ambient: + # If enabled, ambient redirection will be enabled + enabled: false + # If ambient is enabled, this selector will be used to identify the ambient-enabled pods + enablementSelectors: + - podSelector: + matchLabels: {istio.io/dataplane-mode: ambient} + - podSelector: + matchExpressions: + - { key: istio.io/dataplane-mode, operator: NotIn, values: [none] } + namespaceSelector: + matchLabels: {istio.io/dataplane-mode: ambient} + # Set ambient config dir path: defaults to /etc/ambient-config + configDir: "" + # If enabled, and ambient is enabled, DNS redirection will be enabled + dnsCapture: true + # If enabled, and ambient is enabled, enables ipv6 support + ipv6: true + # If enabled, and ambient is enabled, the CNI agent will reconcile incompatible iptables rules and chains at startup. + # This will eventually be enabled by default + reconcileIptablesOnStartup: false + # If enabled, and ambient is enabled, the CNI agent will always share the network namespace of the host node it is running on + shareHostNetworkNamespace: false + + + repair: + enabled: true + hub: "" + tag: "" + + # Repair controller has 3 modes. Pick which one meets your use cases. Note only one may be used. + # This defines the action the controller will take when a pod is detected as broken. + + # labelPods will label all pods with =. + # This is only capable of identifying broken pods; the user is responsible for fixing them (generally, by deleting them). + # Note this gives the DaemonSet a relatively high privilege, as modifying pod metadata/status can have wider impacts. + labelPods: false + # deletePods will delete any broken pod. These will then be rescheduled, hopefully onto a node that is fully ready. + # Note this gives the DaemonSet a relatively high privilege, as it can delete any Pod. + deletePods: false + # repairPods will dynamically repair any broken pod by setting up the pod networking configuration even after it has started. + # Note the pod will be crashlooping, so this may take a few minutes to become fully functional based on when the retry occurs. + # This requires no RBAC privilege, but does require `securityContext.privileged/CAP_SYS_ADMIN`. + repairPods: true + + initContainerName: "istio-validation" + + brokenPodLabelKey: "cni.istio.io/uninitialized" + brokenPodLabelValue: "true" + + # Set to `type: RuntimeDefault` to use the default profile if available. + seccompProfile: {} + + # SELinux options to set in the istio-cni-node pods. You may need to set this to `type: spc_t` for some platforms. + seLinuxOptions: {} + + resources: + requests: + cpu: 100m + memory: 100Mi + + resourceQuotas: + enabled: false + pods: 5000 + + tolerations: + # Make sure istio-cni-node gets scheduled on all nodes. + - effect: NoSchedule + operator: Exists + # Mark the pod as a critical add-on for rescheduling. + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists + + # K8s DaemonSet update strategy. + # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec). + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 + + # Revision is set as 'version' label and part of the resource names when installing multiple control planes. + revision: "" + + # For Helm compatibility. + ownerName: "" + + global: + # Default hub for Istio images. + # Releases are published to docker hub under 'istio' project. + # Dev builds from prow are on gcr.io + hub: gcr.io/istio-release + + # Default tag for Istio images. + tag: 1.27.8 + + # Variant of the image to use. + # Currently supported are: [debug, distroless] + variant: "" + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent. + imagePullPolicy: "" + + # change cni scope level to control logging out of istio-cni-node DaemonSet + logging: + level: info + + logAsJson: false + + # When enabled, default NetworkPolicy resources will be created + networkPolicy: + enabled: false + + # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) + # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + # - private-registry-key + + # Default resources allocated + defaultResources: + requests: + cpu: 100m + memory: 100Mi + + # In order to use native nftable rules instead of iptable rules, set this flag to true. + nativeNftables: false + + # A `key: value` mapping of environment variables to add to the pod + env: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/Chart.yaml new file mode 100644 index 0000000000..bec88e27b4 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/Chart.yaml @@ -0,0 +1,12 @@ +apiVersion: v2 +appVersion: 1.27.8 +description: Helm chart for deploying Istio gateways +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio +- gateways +name: gateway +sources: +- https://github.com/istio/istio +type: application +version: 1.27.8 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/README.md new file mode 100644 index 0000000000..5c064d165b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/README.md @@ -0,0 +1,170 @@ +# Istio Gateway Helm Chart + +This chart installs an Istio gateway deployment. + +## Setup Repo Info + +```console +helm repo add istio https://istio-release.storage.googleapis.com/charts +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Installing the Chart + +To install the chart with the release name `istio-ingressgateway`: + +```console +helm install istio-ingressgateway istio/gateway +``` + +## Uninstalling the Chart + +To uninstall/delete the `istio-ingressgateway` deployment: + +```console +helm delete istio-ingressgateway +``` + +## Configuration + +To view support configuration options and documentation, run: + +```console +helm show values istio/gateway +``` + +### Profiles + +Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. +These can be set with `--set profile=`. +For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. + +For consistency, the same profiles are used across each chart, even if they do not impact a given chart. + +Explicitly set values have highest priority, then profile settings, then chart defaults. + +As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. +When configuring the chart, you should not include this. +That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. + +### OpenShift + +When deploying the gateway in an OpenShift cluster, use the `openshift` profile to override the default values, for example: + +```console +helm install istio-ingressgateway istio/gateway --set profile=openshift +``` + +### `image: auto` Information + +The image used by the chart, `auto`, may be unintuitive. +This exists because the pod spec will be automatically populated at runtime, using the same mechanism as [Sidecar Injection](istio.io/latest/docs/setup/additional-setup/sidecar-injection). +This allows the same configurations and lifecycle to apply to gateways as sidecars. + +Note: this does mean that the namespace the gateway is deployed in must not have the `istio-injection=disabled` label. +See [Controlling the injection policy](https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#controlling-the-injection-policy) for more info. + +### Examples + +#### Egress Gateway + +Deploying a Gateway to be used as an [Egress Gateway](https://istio.io/latest/docs/tasks/traffic-management/egress/egress-gateway/): + +```yaml +service: + # Egress gateways do not need an external LoadBalancer IP + type: ClusterIP +``` + +#### Multi-network/VM Gateway + +Deploying a Gateway to be used as a [Multi-network Gateway](https://istio.io/latest/docs/setup/install/multicluster/) for network `network-1`: + +```yaml +networkGateway: network-1 +``` + +### Migrating from other installation methods + +Installations from other installation methods (such as istioctl, Istio Operator, other helm charts, etc) can be migrated to use the new Helm charts +following the guidance below. +If you are able to, a clean installation is simpler. However, this often requires an external IP migration which can be challenging. + +WARNING: when installing over an existing deployment, the two deployments will be merged together by Helm, which may lead to unexpected results. + +#### Legacy Gateway Helm charts + +Istio historically offered two different charts - `manifests/charts/gateways/istio-ingress` and `manifests/charts/gateways/istio-egress`. +These are replaced by this chart. +While not required, it is recommended all new users use this chart, and existing users migrate when possible. + +This chart has the following benefits and differences: +* Designed with Helm best practices in mind (standardized values options, values schema, values are not all nested under `gateways.istio-ingressgateway.*`, release name and namespace taken into account, etc). +* Utilizes Gateway injection, simplifying upgrades, allowing gateways to run in any namespace, and avoiding repeating config for sidecars and gateways. +* Published to official Istio Helm repository. +* Single chart for all gateways (Ingress, Egress, East West). + +#### General concerns + +For a smooth migration, the resource names and `Deployment.spec.selector` labels must match. + +If you install with `helm install istio-gateway istio/gateway`, resources will be named `istio-gateway` and the `selector` labels set to: + +```yaml +app: istio-gateway +istio: gateway # the release name with leading istio- prefix stripped +``` + +If your existing installation doesn't follow these names, you can override them. For example, if you have resources named `my-custom-gateway` with `selector` labels +`foo=bar,istio=ingressgateway`: + +```yaml +name: my-custom-gateway # Override the name to match existing resources +labels: + app: "" # Unset default app selector label + istio: ingressgateway # override default istio selector label + foo: bar # Add the existing custom selector label +``` + +#### Migrating an existing Helm release + +An existing helm release can be `helm upgrade`d to this chart by using the same release name. For example, if a previous +installation was done like: + +```console +helm install istio-ingress manifests/charts/gateways/istio-ingress -n istio-system +``` + +It could be upgraded with + +```console +helm upgrade istio-ingress manifests/charts/gateway -n istio-system --set name=istio-ingressgateway --set labels.app=istio-ingressgateway --set labels.istio=ingressgateway +``` + +Note the name and labels are overridden to match the names of the existing installation. + +Warning: the helm charts here default to using port 80 and 443, while the old charts used 8080 and 8443. +If you have AuthorizationPolicies that reference port these ports, you should update them during this process, +or customize the ports to match the old defaults. +See the [security advisory](https://istio.io/latest/news/security/istio-security-2021-002/) for more information. + +#### Other migrations + +If you see errors like `rendered manifests contain a resource that already exists` during installation, you may need to forcibly take ownership. + +The script below can handle this for you. Replace `RELEASE` and `NAMESPACE` with the name and namespace of the release: + +```console +KINDS=(service deployment) +RELEASE=istio-ingressgateway +NAMESPACE=istio-system +for KIND in "${KINDS[@]}"; do + kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-name=$RELEASE + kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-namespace=$NAMESPACE + kubectl --namespace $NAMESPACE --overwrite=true label $KIND $RELEASE app.kubernetes.io/managed-by=Helm +done +``` + +You may ignore errors about resources not being found. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/files/profile-ambient.yaml new file mode 100644 index 0000000000..495fbcd434 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/files/profile-ambient.yaml @@ -0,0 +1,24 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" + serviceScopeConfigs: + - servicesSelector: + matchExpressions: + - key: istio.io/global + operator: In + values: ["true"] + scope: GLOBAL +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 0000000000..4f3dbef7ea --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/files/profile-compatibility-version-1.24.yaml @@ -0,0 +1,15 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + PILOT_ENABLE_IP_AUTOALLOCATE: "false" + # 1.27 behavioral changes + ENABLE_NATIVE_SIDECARS: "false" +ambient: + dnsCapture: false + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..b2f45948c2 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,11 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.27 behavioral changes + ENABLE_NATIVE_SIDECARS: "false" +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/files/profile-compatibility-version-1.26.yaml new file mode 100644 index 0000000000..af10697326 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/files/profile-compatibility-version-1.26.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.27 behavioral changes + ENABLE_NATIVE_SIDECARS: "false" \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/files/profile-demo.yaml new file mode 100644 index 0000000000..d6dc36dd0f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/files/profile-demo.yaml @@ -0,0 +1,94 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The demo profile enables a variety of things to try out Istio in non-production environments. +# * Lower resource utilization. +# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. +# * More ports enabled on the ingress, which is used in some tasks. +meshConfig: + accessLogFile: /dev/stdout + extensionProviders: + - name: otel + envoyOtelAls: + service: opentelemetry-collector.observability.svc.cluster.local + port: 4317 + - name: skywalking + skywalking: + service: tracing.istio-system.svc.cluster.local + port: 11800 + - name: otel-tracing + opentelemetry: + port: 4317 + service: opentelemetry-collector.observability.svc.cluster.local + - name: jaeger + opentelemetry: + port: 4317 + service: jaeger-collector.istio-system.svc.cluster.local + +cni: + resources: + requests: + cpu: 10m + memory: 40Mi + +ztunnel: + resources: + requests: + cpu: 10m + memory: 40Mi + +global: + proxy: + resources: + requests: + cpu: 10m + memory: 40Mi + waypoint: + resources: + requests: + cpu: 10m + memory: 40Mi + +pilot: + autoscaleEnabled: false + traceSampling: 100 + resources: + requests: + cpu: 10m + memory: 100Mi + +gateways: + istio-egressgateway: + autoscaleEnabled: false + resources: + requests: + cpu: 10m + memory: 40Mi + istio-ingressgateway: + autoscaleEnabled: false + ports: + ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. + # Note that AWS ELB will by default perform health checks on the first port + # on this list. Setting this to the health check port will ensure that health + # checks always work. https://github.com/istio/istio/issues/12503 + - port: 15021 + targetPort: 15021 + name: status-port + - port: 80 + targetPort: 8080 + name: http2 + - port: 443 + targetPort: 8443 + name: https + - port: 31400 + targetPort: 31400 + name: tcp + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + resources: + requests: + cpu: 10m + memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/files/profile-platform-gke.yaml new file mode 100644 index 0000000000..dfe8a7d741 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/files/profile-platform-gke.yaml @@ -0,0 +1,10 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work + resourceQuotas: + enabled: true +resourceQuotas: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/files/profile-platform-k3d.yaml new file mode 100644 index 0000000000..cd86d9ec58 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/files/profile-platform-k3d.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/files/profile-platform-k3s.yaml new file mode 100644 index 0000000000..07820106d9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/files/profile-platform-k3s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/files/profile-platform-microk8s.yaml new file mode 100644 index 0000000000..57d7f5e3cd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/files/profile-platform-microk8s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/snap/microk8s/current/args/cni-network + cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/files/profile-platform-minikube.yaml new file mode 100644 index 0000000000..fa9992e204 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/files/profile-platform-minikube.yaml @@ -0,0 +1,6 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/files/profile-platform-openshift.yaml new file mode 100644 index 0000000000..8ddc5e1654 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/files/profile-platform-openshift.yaml @@ -0,0 +1,19 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The OpenShift profile provides a basic set of settings to run Istio on OpenShift +cni: + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + provider: "multus" +pilot: + cni: + enabled: true + provider: "multus" +seLinuxOptions: + type: spc_t +# Openshift requires privileged pods to run in kube-system +trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/files/profile-preview.yaml new file mode 100644 index 0000000000..181d7bda2c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/files/profile-preview.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +meshConfig: + defaultConfig: + proxyMetadata: + # Enable Istio agent to handle DNS requests for known hosts + # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf + ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/files/profile-remote.yaml new file mode 100644 index 0000000000..d17b9a801a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/files/profile-remote.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. +istiodRemote: + enabled: true +configMap: false +telemetry: + enabled: false +global: + # TODO BML maybe a different profile for a configcluster/revisit this + omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/files/profile-stable.yaml new file mode 100644 index 0000000000..358282e69b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/files/profile-stable.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The stable profile deploys admission control to ensure that only stable resources and fields are used +# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE +experimental: + stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/templates/NOTES.txt new file mode 100644 index 0000000000..fd0142911a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/templates/NOTES.txt @@ -0,0 +1,9 @@ +"{{ include "gateway.name" . }}" successfully installed! + +To learn more about the release, try: + $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} + $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} + +Next steps: + * Deploy an HTTP Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/ingress-control/ + * Deploy an HTTPS Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/ diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/templates/_helpers.tpl new file mode 100644 index 0000000000..e5a0a9b3c2 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/templates/_helpers.tpl @@ -0,0 +1,40 @@ +{{- define "gateway.name" -}} +{{- if eq .Release.Name "RELEASE-NAME" -}} + {{- .Values.name | default "istio-ingressgateway" -}} +{{- else -}} + {{- .Values.name | default .Release.Name | default "istio-ingressgateway" -}} +{{- end -}} +{{- end }} + +{{- define "gateway.labels" -}} +{{ include "gateway.selectorLabels" . }} +{{- range $key, $val := .Values.labels }} +{{- if and (ne $key "app") (ne $key "istio") }} +{{ $key | quote }}: {{ $val | quote }} +{{- end }} +{{- end }} +{{- end }} + +{{- define "gateway.selectorLabels" -}} +app: {{ (.Values.labels.app | quote) | default (include "gateway.name" .) }} +istio: {{ (.Values.labels.istio | quote) | default (include "gateway.name" . | trimPrefix "istio-") }} +{{- end }} + +{{/* +Keep sidecar injection labels together +https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#controlling-the-injection-policy +*/}} +{{- define "gateway.sidecarInjectionLabels" -}} +sidecar.istio.io/inject: "true" +{{- with .Values.revision }} +istio.io/rev: {{ . | quote }} +{{- end }} +{{- end }} + +{{- define "gateway.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- .Values.serviceAccount.name | default (include "gateway.name" .) }} +{{- else }} +{{- .Values.serviceAccount.name | default "default" }} +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/templates/deployment.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/templates/deployment.yaml new file mode 100644 index 0000000000..1d8f93a472 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/templates/deployment.yaml @@ -0,0 +1,145 @@ +apiVersion: apps/v1 +kind: {{ .Values.kind | default "Deployment" }} +metadata: + name: {{ include "gateway.name" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} + {{- include "gateway.labels" . | nindent 4}} + annotations: + {{- .Values.annotations | toYaml | nindent 4 }} +spec: + {{- if not .Values.autoscaling.enabled }} + {{- if and (hasKey .Values "replicaCount") (ne .Values.replicaCount nil) }} + replicas: {{ .Values.replicaCount }} + {{- end }} + {{- end }} + {{- with .Values.strategy }} + strategy: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.minReadySeconds }} + minReadySeconds: {{ . }} + {{- end }} + selector: + matchLabels: + {{- include "gateway.selectorLabels" . | nindent 6 }} + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "gateway.sidecarInjectionLabels" . | nindent 8 }} + {{- include "gateway.selectorLabels" . | nindent 8 }} + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 8}} + {{- range $key, $val := .Values.labels }} + {{- if and (ne $key "app") (ne $key "istio") }} + {{ $key | quote }}: {{ $val | quote }} + {{- end }} + {{- end }} + {{- with .Values.networkGateway }} + topology.istio.io/network: "{{.}}" + {{- end }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "gateway.serviceAccountName" . }} + securityContext: + {{- if .Values.securityContext }} + {{- toYaml .Values.securityContext | nindent 8 }} + {{- else }} + # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326 + sysctls: + - name: net.ipv4.ip_unprivileged_port_start + value: "0" + {{- end }} + {{- with .Values.volumes }} + volumes: + {{ toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} + containers: + - name: istio-proxy + # "auto" will be populated at runtime by the mutating webhook. See https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#customizing-injection + image: auto + {{- with .Values.imagePullPolicy }} + imagePullPolicy: {{ . }} + {{- end }} + securityContext: + {{- if .Values.containerSecurityContext }} + {{- toYaml .Values.containerSecurityContext | nindent 12 }} + {{- else }} + capabilities: + drop: + - ALL + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + {{- if not (eq (.Values.platform | default "") "openshift") }} + runAsUser: 1337 + runAsGroup: 1337 + {{- end }} + runAsNonRoot: true + {{- end }} + env: + {{- with .Values.networkGateway }} + - name: ISTIO_META_REQUESTED_NETWORK_VIEW + value: "{{.}}" + {{- end }} + {{- range $key, $val := .Values.env }} + - name: {{ $key }} + value: {{ $val | quote }} + {{- end }} + {{- with .Values.envVarFrom }} + {{- toYaml . | nindent 10 }} + {{- end }} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + resources: + {{- toYaml .Values.resources | nindent 12 }} + {{- with .Values.volumeMounts }} + volumeMounts: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.readinessProbe }} + readinessProbe: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.lifecycle }} + lifecycle: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.additionalContainers }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml . | nindent 8 }} + {{- end }} + terminationGracePeriodSeconds: {{ $.Values.terminationGracePeriodSeconds }} + {{- with .Values.priorityClassName }} + priorityClassName: {{ . }} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/templates/hpa.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/templates/hpa.yaml new file mode 100644 index 0000000000..64ecb6a4cd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/templates/hpa.yaml @@ -0,0 +1,40 @@ +{{- if and (.Values.autoscaling.enabled) (eq .Values.kind "Deployment") }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "gateway.name" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} + {{- include "gateway.labels" . | nindent 4 }} + annotations: + {{- .Values.annotations | toYaml | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: {{ .Values.kind | default "Deployment" }} + name: {{ include "gateway.name" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + metrics: + {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} + type: Utilization + {{- end }} + {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} + type: Utilization + {{- end }} + {{- if .Values.autoscaling.autoscaleBehavior }} + behavior: {{ toYaml .Values.autoscaling.autoscaleBehavior | nindent 4 }} + {{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/templates/poddisruptionbudget.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/templates/poddisruptionbudget.yaml new file mode 100644 index 0000000000..91869a0ead --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/templates/poddisruptionbudget.yaml @@ -0,0 +1,21 @@ +{{- if .Values.podDisruptionBudget }} +# a workaround for https://github.com/kubernetes/kubernetes/issues/93476 +{{- if or (and .Values.autoscaling.enabled (gt (int .Values.autoscaling.minReplicas) 1)) (and (not .Values.autoscaling.enabled) (gt (int .Values.replicaCount) 1)) }} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "gateway.name" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} + {{- include "gateway.labels" . | nindent 4}} +spec: + selector: + matchLabels: + {{- include "gateway.selectorLabels" . | nindent 6 }} + {{- with .Values.podDisruptionBudget }} + {{- toYaml . | nindent 2 }} + {{- end }} +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/templates/role.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/templates/role.yaml new file mode 100644 index 0000000000..3d16079632 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/templates/role.yaml @@ -0,0 +1,37 @@ +{{/*Set up roles for Istio Gateway. Not required for gateway-api*/}} +{{- if .Values.rbac.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "gateway.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} + {{- include "gateway.labels" . | nindent 4}} + annotations: + {{- .Values.annotations | toYaml | nindent 4 }} +rules: +- apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "watch", "list"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "gateway.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} + {{- include "gateway.labels" . | nindent 4}} + annotations: + {{- .Values.annotations | toYaml | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "gateway.serviceAccountName" . }} +subjects: +- kind: ServiceAccount + name: {{ include "gateway.serviceAccountName" . }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/templates/service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/templates/service.yaml new file mode 100644 index 0000000000..e8e2cdb588 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/templates/service.yaml @@ -0,0 +1,72 @@ +{{- if not (eq .Values.service.type "None") }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "gateway.name" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} + {{- include "gateway.labels" . | nindent 4 }} + {{- with .Values.networkGateway }} + topology.istio.io/network: "{{.}}" + {{- end }} + annotations: + {{- merge (deepCopy .Values.service.annotations) .Values.annotations | toYaml | nindent 4 }} +spec: +{{- with .Values.service.loadBalancerIP }} + loadBalancerIP: "{{ . }}" +{{- end }} +{{- if eq .Values.service.type "LoadBalancer" }} + {{- if hasKey .Values.service "allocateLoadBalancerNodePorts" }} + allocateLoadBalancerNodePorts: {{ .Values.service.allocateLoadBalancerNodePorts }} + {{- end }} + {{- if hasKey .Values.service "loadBalancerClass" }} + loadBalancerClass: {{ .Values.service.loadBalancerClass }} + {{- end }} +{{- end }} +{{- if .Values.service.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.service.ipFamilyPolicy }} +{{- end }} +{{- if .Values.service.ipFamilies }} + ipFamilies: +{{- range .Values.service.ipFamilies }} + - {{ . }} +{{- end }} +{{- end }} +{{- with .Values.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml . | indent 4 }} +{{- end }} +{{- with .Values.service.externalTrafficPolicy }} + externalTrafficPolicy: "{{ . }}" +{{- end }} + type: {{ .Values.service.type }} + ports: +{{- if .Values.networkGateway }} + - name: status-port + port: 15021 + targetPort: 15021 + - name: tls + port: 15443 + targetPort: 15443 + - name: tls-istiod + port: 15012 + targetPort: 15012 + - name: tls-webhook + port: 15017 + targetPort: 15017 +{{- else }} +{{ .Values.service.ports | toYaml | indent 4 }} +{{- end }} +{{- if .Values.service.externalIPs }} + externalIPs: {{- range .Values.service.externalIPs }} + - {{.}} + {{- end }} +{{- end }} + selector: + {{- include "gateway.selectorLabels" . | nindent 4 }} + {{- with .Values.service.selectorLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/templates/serviceaccount.yaml new file mode 100644 index 0000000000..c88afeadd3 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/templates/serviceaccount.yaml @@ -0,0 +1,15 @@ +{{- if .Values.serviceAccount.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "gateway.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} + {{- include "gateway.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/templates/zzz_profile.yaml new file mode 100644 index 0000000000..606c556697 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/templates/zzz_profile.yaml @@ -0,0 +1,75 @@ +{{/* +WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. +The original version of this file is located at /manifests directory. +If you want to make a change in this file, edit the original one and run "make gen". + +Complex logic ahead... +We have three sets of values, in order of precedence (last wins): +1. The builtin values.yaml defaults +2. The profile the user selects +3. Users input (-f or --set) + +Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). + +However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). +We can then merge the profile onto the defaults, then the user settings onto that. +Finally, we can set all of that under .Values so the chart behaves without awareness. +*/}} +{{- if $.Values.defaults}} +{{ fail (cat + "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" + ($.Values.defaults | toYaml |nindent 4) +) }} +{{- end }} +{{- $defaults := $.Values._internal_defaults_do_not_set }} +{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} +{{- $profile := dict }} +{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} +{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} +{{- $profile = (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown profile" .) }} +{{- end }} +{{- end }} +{{- with .Values.compatibilityVersion }} +{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} +{{- end }} +{{- end }} +{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} +{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown platform" .) }} +{{- end }} +{{- end }} +{{- if $profile }} +{{- $a := mustMergeOverwrite $defaults $profile }} +{{- end }} +# Flatten globals, if defined on a per-chart basis +{{- if true }} +{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} +{{- end }} +{{- $x := set $.Values "_original" (deepCopy $.Values) }} +{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} + +{{/* +Labels that should be applied to ALL resources. +*/}} +{{- define "istio.labels" -}} +{{- if .Release.Service -}} +app.kubernetes.io/managed-by: {{ .Release.Service | quote }} +{{- end }} +{{- if .Release.Name }} +app.kubernetes.io/instance: {{ .Release.Name | quote }} +{{- end }} +app.kubernetes.io/part-of: "istio" +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +{{- if and .Chart.Name .Chart.Version }} +helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/values.schema.json b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/values.schema.json new file mode 100644 index 0000000000..c28db45139 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/values.schema.json @@ -0,0 +1,359 @@ +{ + "$schema": "http://json-schema.org/schema#", + "$defs": { + "values": { + "type": "object", + "additionalProperties": false, + "properties": { + "_internal_defaults_do_not_set": { + "type": "object" + }, + "global": { + "type": "object" + }, + "affinity": { + "type": "object" + }, + "securityContext": { + "type": [ + "object", + "null" + ] + }, + "containerSecurityContext": { + "type": [ + "object", + "null" + ] + }, + "kind": { + "type": "string", + "enum": [ + "Deployment", + "DaemonSet" + ] + }, + "annotations": { + "additionalProperties": { + "type": [ + "string", + "integer" + ] + }, + "type": "object" + }, + "autoscaling": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "maxReplicas": { + "type": "integer" + }, + "minReplicas": { + "type": "integer" + }, + "targetCPUUtilizationPercentage": { + "type": "integer" + } + } + }, + "env": { + "type": "object" + }, + "envVarFrom": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { "type": "string" }, + "valueFrom": { "type": "object" } + } + } + }, + "strategy": { + "type": "object" + }, + "minReadySeconds": { + "type": [ "null", "integer" ] + }, + "readinessProbe": { + "type": [ "null", "object" ] + }, + "labels": { + "type": "object" + }, + "name": { + "type": "string" + }, + "nodeSelector": { + "type": "object" + }, + "podAnnotations": { + "type": "object", + "properties": { + "inject.istio.io/templates": { + "type": "string" + }, + "prometheus.io/path": { + "type": "string" + }, + "prometheus.io/port": { + "type": "string" + }, + "prometheus.io/scrape": { + "type": "string" + } + } + }, + "replicaCount": { + "type": [ + "integer", + "null" + ] + }, + "resources": { + "type": "object", + "properties": { + "limits": { + "type": "object", + "properties": { + "cpu": { + "type": ["string", "null"] + }, + "memory": { + "type": ["string", "null"] + } + } + }, + "requests": { + "type": "object", + "properties": { + "cpu": { + "type": ["string", "null"] + }, + "memory": { + "type": ["string", "null"] + } + } + } + } + }, + "revision": { + "type": "string" + }, + "defaultRevision": { + "type": "string" + }, + "compatibilityVersion": { + "type": "string" + }, + "profile": { + "type": "string" + }, + "platform": { + "type": "string" + }, + "pilot": { + "type": "object" + }, + "runAsRoot": { + "type": "boolean" + }, + "unprivilegedPort": { + "type": [ + "string", + "boolean" + ], + "enum": [ + true, + false, + "auto" + ] + }, + "service": { + "type": "object", + "properties": { + "annotations": { + "type": "object" + }, + "selectorLabels": { + "type": "object", + "additionalProperties": { + "type": "string" + } + }, + "externalTrafficPolicy": { + "type": "string" + }, + "loadBalancerIP": { + "type": "string" + }, + "loadBalancerSourceRanges": { + "type": "array" + }, + "ipFamilies": { + "items": { + "type": "string", + "enum": [ + "IPv4", + "IPv6" + ] + } + }, + "ipFamilyPolicy": { + "type": "string", + "enum": [ + "", + "SingleStack", + "PreferDualStack", + "RequireDualStack" + ] + }, + "ports": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "port": { + "type": "integer" + }, + "protocol": { + "type": "string" + }, + "targetPort": { + "type": "integer" + } + } + } + }, + "type": { + "type": "string" + } + } + }, + "serviceAccount": { + "type": "object", + "properties": { + "annotations": { + "type": "object" + }, + "name": { + "type": "string" + }, + "create": { + "type": "boolean" + } + } + }, + "rbac": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, + "tolerations": { + "type": "array" + }, + "topologySpreadConstraints": { + "type": "array" + }, + "networkGateway": { + "type": "string" + }, + "imagePullPolicy": { + "type": "string", + "enum": [ + "", + "Always", + "IfNotPresent", + "Never" + ] + }, + "imagePullSecrets": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + } + } + } + }, + "podDisruptionBudget": { + "type": "object", + "properties": { + "minAvailable": { + "type": [ + "integer", + "string" + ] + }, + "maxUnavailable": { + "type": [ + "integer", + "string" + ] + }, + "unhealthyPodEvictionPolicy": { + "type": "string", + "enum": [ + "", + "IfHealthyBudget", + "AlwaysAllow" + ] + } + } + }, + "terminationGracePeriodSeconds": { + "type": "number" + }, + "volumes": { + "type": "array", + "items": { + "type": "object" + } + }, + "volumeMounts": { + "type": "array", + "items": { + "type": "object" + } + }, + "initContainers": { + "type": "array", + "items": { "type": "object" } + }, + "additionalContainers": { + "type": "array", + "items": { "type": "object" } + }, + "priorityClassName": { + "type": "string" + }, + "lifecycle": { + "type": "object", + "properties": { + "postStart": { + "type": "object" + }, + "preStop": { + "type": "object" + } + } + } + } + } + }, + "defaults": { + "$ref": "#/$defs/values" + }, + "$ref": "#/$defs/values" +} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/values.yaml new file mode 100644 index 0000000000..8158afb8d0 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/gateway/values.yaml @@ -0,0 +1,197 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + # Name allows overriding the release name. Generally this should not be set + name: "" + # revision declares which revision this gateway is a part of + revision: "" + + # Controls the spec.replicas setting for the Gateway deployment if set. + # Otherwise defaults to Kubernetes Deployment default (1). + replicaCount: + + kind: Deployment + + rbac: + # If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed + # when using http://gateway-api.org/. + enabled: true + + serviceAccount: + # If set, a service account will be created. Otherwise, the default is used + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set, the release name is used + name: "" + + podAnnotations: + prometheus.io/port: "15020" + prometheus.io/scrape: "true" + prometheus.io/path: "/stats/prometheus" + inject.istio.io/templates: "gateway" + sidecar.istio.io/inject: "true" + + # Define the security context for the pod. + # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. + # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. + securityContext: {} + containerSecurityContext: {} + + service: + # Type of service. Set to "None" to disable the service entirely + type: LoadBalancer + # Additional labels to add to the service selector + selectorLabels: {} + ports: + - name: status-port + port: 15021 + protocol: TCP + targetPort: 15021 + - name: http2 + port: 80 + protocol: TCP + targetPort: 80 + - name: https + port: 443 + protocol: TCP + targetPort: 443 + annotations: {} + loadBalancerIP: "" + loadBalancerSourceRanges: [] + externalTrafficPolicy: "" + externalIPs: [] + ipFamilyPolicy: "" + ipFamilies: [] + ## Whether to automatically allocate NodePorts (only for LoadBalancers). + # allocateLoadBalancerNodePorts: false + ## Set LoadBalancer class (only for LoadBalancers). + # loadBalancerClass: "" + + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 1024Mi + + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 5 + targetCPUUtilizationPercentage: 80 + targetMemoryUtilizationPercentage: {} + autoscaleBehavior: {} + + # Pod environment variables + env: {} + + # Use envVarFrom to define full environment variable entries with complex sources, + # such as valueFrom.secretKeyRef, valueFrom.configMapKeyRef. Each item must include a `name` and `valueFrom`. + # + # Example: + # envVarFrom: + # - name: EXAMPLE_SECRET + # valueFrom: + # secretKeyRef: + # name: example-name + # key: example-key + envVarFrom: [] + + # Deployment Update strategy + strategy: {} + + # Sets the Deployment minReadySeconds value + minReadySeconds: + + # Optionally configure a custom readinessProbe. By default the control plane + # automatically injects the readinessProbe. If you wish to override that + # behavior, you may define your own readinessProbe here. + readinessProbe: {} + + # Labels to apply to all resources + labels: + # By default, don't enroll gateways into the ambient dataplane + "istio.io/dataplane-mode": none + + # Annotations to apply to all resources + annotations: {} + + nodeSelector: {} + + tolerations: [] + + topologySpreadConstraints: [] + + affinity: {} + + # If specified, the gateway will act as a network gateway for the given network. + networkGateway: "" + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent + imagePullPolicy: "" + + imagePullSecrets: [] + + # This value is used to configure a Kubernetes PodDisruptionBudget for the gateway. + # + # By default, the `podDisruptionBudget` is disabled (set to `{}`), + # which means that no PodDisruptionBudget resource will be created. + # + # The PodDisruptionBudget can be only enabled if autoscaling is enabled + # with minReplicas > 1 or if autoscaling is disabled but replicaCount > 1. + # + # To enable the PodDisruptionBudget, configure it by specifying the + # `minAvailable` or `maxUnavailable`. For example, to set the + # minimum number of available replicas to 1, you can update this value as follows: + # + # podDisruptionBudget: + # minAvailable: 1 + # + # Or, to allow a maximum of 1 unavailable replica, you can set: + # + # podDisruptionBudget: + # maxUnavailable: 1 + # + # You can also specify the `unhealthyPodEvictionPolicy` field, and the valid values are `IfHealthyBudget` and `AlwaysAllow`. + # For example, to set the `unhealthyPodEvictionPolicy` to `AlwaysAllow`, you can update this value as follows: + # + # podDisruptionBudget: + # minAvailable: 1 + # unhealthyPodEvictionPolicy: AlwaysAllow + # + # To disable the PodDisruptionBudget, you can leave it as an empty object `{}`: + # + # podDisruptionBudget: {} + # + podDisruptionBudget: {} + + # Sets the per-pod terminationGracePeriodSeconds setting. + terminationGracePeriodSeconds: 30 + + # A list of `Volumes` added into the Gateway Pods. See + # https://kubernetes.io/docs/concepts/storage/volumes/. + volumes: [] + + # A list of `VolumeMounts` added into the Gateway Pods. See + # https://kubernetes.io/docs/concepts/storage/volumes/. + volumeMounts: [] + + # Inject initContainers into the Gateway Pods. + initContainers: [] + + # Inject additional containers into the Gateway Pods. + additionalContainers: [] + + # Configure this to a higher priority class in order to make sure your Istio gateway pods + # will not be killed because of low priority class. + # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + # for more detail. + priorityClassName: "" + + # Configure the lifecycle hooks for the gateway. See + # https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/. + lifecycle: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/Chart.yaml new file mode 100644 index 0000000000..d69b178b83 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/Chart.yaml @@ -0,0 +1,12 @@ +apiVersion: v2 +appVersion: 1.27.8 +description: Helm chart for istio control plane +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio +- istiod +- istio-discovery +name: istiod +sources: +- https://github.com/istio/istio +version: 1.27.8 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/README.md new file mode 100644 index 0000000000..ddbfbc8fec --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/README.md @@ -0,0 +1,73 @@ +# Istiod Helm Chart + +This chart installs an Istiod deployment. + +## Setup Repo Info + +```console +helm repo add istio https://istio-release.storage.googleapis.com/charts +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Installing the Chart + +Before installing, ensure CRDs are installed in the cluster (from the `istio/base` chart). + +To install the chart with the release name `istiod`: + +```console +kubectl create namespace istio-system +helm install istiod istio/istiod --namespace istio-system +``` + +## Uninstalling the Chart + +To uninstall/delete the `istiod` deployment: + +```console +helm delete istiod --namespace istio-system +``` + +## Configuration + +To view support configuration options and documentation, run: + +```console +helm show values istio/istiod +``` + +### Profiles + +Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. +These can be set with `--set profile=`. +For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. + +For consistency, the same profiles are used across each chart, even if they do not impact a given chart. + +Explicitly set values have highest priority, then profile settings, then chart defaults. + +As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. +When configuring the chart, you should not include this. +That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. + +### Examples + +#### Configuring mesh configuration settings + +Any [Mesh Config](https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/) options can be configured like below: + +```yaml +meshConfig: + accessLogFile: /dev/stdout +``` + +#### Revisions + +Control plane revisions allow deploying multiple versions of the control plane in the same cluster. +This allows safe [canary upgrades](https://istio.io/latest/docs/setup/upgrade/canary/) + +```yaml +revision: my-revision-name +``` diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/gateway-injection-template.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/gateway-injection-template.yaml new file mode 100644 index 0000000000..bc15ee3c31 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/gateway-injection-template.yaml @@ -0,0 +1,274 @@ +{{- $containers := list }} +{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} +metadata: + labels: + service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} + service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} + annotations: + istio.io/rev: {{ .Revision | default "default" | quote }} + {{- if ge (len $containers) 1 }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} + kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}" + {{- end }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}" + {{- end }} + {{- end }} +spec: + securityContext: + {{- if .Values.gateways.securityContext }} + {{- toYaml .Values.gateways.securityContext | nindent 4 }} + {{- else }} + sysctls: + - name: net.ipv4.ip_unprivileged_port_start + value: "0" + {{- end }} + containers: + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - router + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} + - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} + {{- end }} + securityContext: + runAsUser: {{ .ProxyUID | default "1337" }} + runAsGroup: {{ .ProxyGID | default "1337" }} + env: + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + {{- if .CompliancePolicy }} + - name: COMPLIANCE_POLICY + value: "{{ .CompliancePolicy }}" + {{- end }} + - name: ISTIO_META_APP_CONTAINERS + value: "{{ $containers | join "," }}" + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ .ProxyConfig.InterceptionMode.String }}" + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{- if .DeploymentMeta.Name }} + - name: ISTIO_META_WORKLOAD_NAME + value: "{{ .DeploymentMeta.Name }}" + {{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: ISTIO_BOOTSTRAP_OVERRIDE + value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" + {{- end }} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + readinessProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }} + timeoutSeconds: 3 + failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }} + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + - name: credential-socket + mountPath: /var/run/secrets/credential-uds + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - mountPath: /etc/istio/custom-bootstrap + name: custom-bootstrap-volume + {{- end }} + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + volumes: + - emptyDir: + name: workload-socket + - emptyDir: {} + name: credential-socket + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- else}} + - emptyDir: {} + name: workload-certs + {{- end }} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: custom-bootstrap-volume + configMap: + name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - name: istio-certs + secret: + optional: true + {{ if eq .Spec.ServiceAccountName "" }} + secretName: istio.default + {{ else -}} + secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} + {{ end -}} + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/grpc-agent.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/grpc-agent.yaml new file mode 100644 index 0000000000..3b9240e36c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/grpc-agent.yaml @@ -0,0 +1,318 @@ +{{- define "resources" }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} + requests: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} + cpu: {{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` | quote }} + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} + memory: {{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` | quote }} + {{ end }} + {{- end }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + limits: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} + cpu: {{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` | quote }} + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} + memory: {{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` | quote }} + {{ end }} + {{- end }} + {{- else }} + {{- if .Values.global.proxy.resources }} + {{ toYaml .Values.global.proxy.resources | indent 6 }} + {{- end }} + {{- end }} +{{- end }} +{{- $containers := list }} +{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} +metadata: + labels: + {{/* security.istio.io/tlsMode: istio must be set by user, if gRPC is using mTLS initialization code. We can't set it automatically. */}} + service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} + service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} + annotations: { + istio.io/rev: {{ .Revision | default "default" | quote }}, + {{- if ge (len $containers) 1 }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} + kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", + {{- end }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", + {{- end }} + {{- end }} + sidecar.istio.io/rewriteAppHTTPProbers: "false", + } +spec: + containers: + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + ports: + - containerPort: 15020 + protocol: TCP + name: mesh-metrics + args: + - proxy + - sidecar + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} + - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + lifecycle: + postStart: + exec: + command: + - pilot-agent + - wait + - --url=http://localhost:15020/healthz/ready + env: + - name: ISTIO_META_GENERATOR + value: grpc + - name: OUTPUT_CERTS + value: /var/lib/istio/data + {{- if eq .InboundTrafficPolicyMode "localhost" }} + - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION + value: "true" + {{- end }} + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: ISTIO_META_APP_CONTAINERS + value: "{{ $containers | join "," }}" + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{- if .DeploymentMeta.Name }} + - name: ISTIO_META_WORKLOAD_NAME + value: "{{ .DeploymentMeta.Name }}" + {{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + # grpc uses xds:/// to resolve – no need to resolve VIP + - name: ISTIO_META_DNS_CAPTURE + value: "false" + - name: DISABLE_ENVOY + value: "true" + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} + readinessProbe: + httpGet: + path: /healthz/ready + port: 15020 + initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} + timeoutSeconds: 3 + failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} + resources: + {{ template "resources" . }} + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + # UDS channel between istioagent and gRPC client for XDS/SDS + - mountPath: /etc/istio/proxy + name: istio-xds + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} + {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 6 }} + {{ end }} + {{- end }} +{{- range $index, $container := .Spec.Containers }} +{{ if not (eq $container.Name "istio-proxy") }} + - name: {{ $container.Name }} + env: + - name: "GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT" + value: "true" + - name: "GRPC_XDS_BOOTSTRAP" + value: "/etc/istio/proxy/grpc-bootstrap.json" + volumeMounts: + - mountPath: /var/lib/istio/data + name: istio-data + # UDS channel between istioagent and gRPC client for XDS/SDS + - mountPath: /etc/istio/proxy + name: istio-xds + {{- if eq $.Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} +{{- end }} +{{- end }} + volumes: + - emptyDir: + name: workload-socket + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- else }} + - emptyDir: + name: workload-certs + {{- end }} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: custom-bootstrap-volume + configMap: + name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-xds + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - name: istio-certs + secret: + optional: true + {{ if eq .Spec.ServiceAccountName "" }} + secretName: istio.default + {{ else -}} + secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} + {{ end -}} + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} + {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 4 }} + {{ end }} + {{ end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/grpc-simple.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/grpc-simple.yaml new file mode 100644 index 0000000000..9ba0c7a46a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/grpc-simple.yaml @@ -0,0 +1,65 @@ +metadata: + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "false" +spec: + initContainers: + - name: grpc-bootstrap-init + image: busybox:1.28 + volumeMounts: + - mountPath: /var/lib/grpc/data/ + name: grpc-io-proxyless-bootstrap + env: + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: ISTIO_NAMESPACE + value: | + {{ .Values.global.istioNamespace }} + command: + - sh + - "-c" + - |- + NODE_ID="sidecar~${INSTANCE_IP}~${POD_NAME}.${POD_NAMESPACE}~cluster.local" + SERVER_URI="dns:///istiod.${ISTIO_NAMESPACE}.svc:15010" + echo ' + { + "xds_servers": [ + { + "server_uri": "'${SERVER_URI}'", + "channel_creds": [{"type": "insecure"}], + "server_features" : ["xds_v3"] + } + ], + "node": { + "id": "'${NODE_ID}'", + "metadata": { + "GENERATOR": "grpc" + } + } + }' > /var/lib/grpc/data/bootstrap.json + containers: + {{- range $index, $container := .Spec.Containers }} + - name: {{ $container.Name }} + env: + - name: GRPC_XDS_BOOTSTRAP + value: /var/lib/grpc/data/bootstrap.json + - name: GRPC_GO_LOG_VERBOSITY_LEVEL + value: "99" + - name: GRPC_GO_LOG_SEVERITY_LEVEL + value: info + volumeMounts: + - mountPath: /var/lib/grpc/data/ + name: grpc-io-proxyless-bootstrap + {{- end }} + volumes: + - name: grpc-io-proxyless-bootstrap + emptyDir: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/injection-template.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/injection-template.yaml new file mode 100644 index 0000000000..468e9ac4ac --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/injection-template.yaml @@ -0,0 +1,541 @@ +{{- define "resources" }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} + requests: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} + cpu: {{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` | quote }} + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} + memory: {{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` | quote }} + {{ end }} + {{- end }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + limits: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} + cpu: {{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` | quote }} + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} + memory: {{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` | quote }} + {{ end }} + {{- end }} + {{- else }} + {{- if .Values.global.proxy.resources }} + {{ toYaml .Values.global.proxy.resources | indent 6 }} + {{- end }} + {{- end }} +{{- end }} +{{ $tproxy := (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) }} +{{ $capNetBindService := (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) }} +{{ $nativeSidecar := ne (index .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar` | default (printf "%t" .NativeSidecars)) "false" }} +{{- $containers := list }} +{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} +metadata: + labels: + security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }} + {{- if eq (index .ProxyConfig.ProxyMetadata "ISTIO_META_ENABLE_HBONE") "true" }} + networking.istio.io/tunnel: {{ index .ObjectMeta.Labels `networking.istio.io/tunnel` | default "http" | quote }} + {{- end }} + service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | trunc 63 | trimSuffix "-" | quote }} + service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} + annotations: { + istio.io/rev: {{ .Revision | default "default" | quote }}, + {{- if ge (len $containers) 1 }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} + kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", + {{- end }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", + {{- end }} + {{- end }} +{{- if .Values.pilot.cni.enabled }} + {{- if eq .Values.pilot.cni.provider "multus" }} + k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `default/istio-cni` }}', + {{- end }} + sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}", + {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }} + {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }} + traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}", + traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}", + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }} + traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}", + {{- end }} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} + traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}", + {{- end }} + {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }} + {{ with index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}istio.io/reroute-virtual-interfaces: "{{.}}",{{ end }} + {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}traffic.sidecar.istio.io/excludeInterfaces: "{{.}}",{{ end }} +{{- end }} + } +spec: + {{- $holdProxy := and + (or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts) + (not $nativeSidecar) }} + {{- $noInitContainer := and + (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE`) + (not $nativeSidecar) }} + {{ if $noInitContainer }} + initContainers: [] + {{ else -}} + initContainers: + {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} + {{ if .Values.pilot.cni.enabled -}} + - name: istio-validation + {{ else -}} + - name: istio-init + {{ end -}} + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + args: + - istio-iptables + - "-p" + - {{ .MeshConfig.ProxyListenPort | default "15001" | quote }} + - "-z" + - {{ .MeshConfig.ProxyInboundListenPort | default "15006" | quote }} + - "-u" + - {{ if $tproxy }} "1337" {{ else }} {{ .ProxyUID | default "1337" | quote }} {{ end }} + - "-m" + - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" + - "-i" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" + - "-x" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" + - "-b" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}" + - "-d" + {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }} + - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" + {{- else }} + - "15090,15021" + {{- end }} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}} + - "-q" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" + {{ end -}} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} + - "-o" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" + {{ end -}} + {{ if (isset .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces`) -}} + - "-k" + - "{{ index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}" + {{ else if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} + - "-k" + - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" + {{ end -}} + {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces`) -}} + - "-c" + - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}" + {{ end -}} + - "--log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}" + {{ if .Values.global.logAsJson -}} + - "--log_as_json" + {{ end -}} + {{ if .Values.pilot.cni.enabled -}} + - "--run-validation" + - "--skip-rule-apply" + {{ else if .Values.global.proxy_init.forceApplyIptables -}} + - "--force-apply" + {{ end -}} + {{ if .Values.global.nativeNftables -}} + - "--native-nftables" + {{ end -}} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + {{- if .ProxyConfig.ProxyMetadata }} + env: + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + resources: + {{ template "resources" . }} + securityContext: + allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} + privileged: {{ .Values.global.proxy.privileged }} + capabilities: + {{- if not .Values.pilot.cni.enabled }} + add: + - NET_ADMIN + - NET_RAW + {{- end }} + drop: + - ALL + {{- if not .Values.pilot.cni.enabled }} + readOnlyRootFilesystem: false + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + {{- else }} + readOnlyRootFilesystem: true + runAsGroup: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyGID | default "1337" }} {{ end }} + runAsUser: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyUID | default "1337" }} {{ end }} + runAsNonRoot: true + {{- end }} + {{ end -}} + {{ end -}} + {{ if not $nativeSidecar }} + containers: + {{ end }} + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + {{ if $nativeSidecar }}restartPolicy: Always{{end}} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - sidecar + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} + - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.outlierLogPath }} + - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }} + {{- end}} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} + {{- else if $holdProxy }} + lifecycle: + postStart: + exec: + command: + - pilot-agent + - wait + {{- else if $nativeSidecar }} + {{- /* preStop is called when the pod starts shutdown. Initialize drain. We will get SIGTERM once applications are torn down. */}} + lifecycle: + preStop: + exec: + command: + - pilot-agent + - request + - --debug-port={{(annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort)}} + - POST + - drain + {{- end }} + env: + {{- if eq .InboundTrafficPolicyMode "localhost" }} + - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION + value: "true" + {{- end }} + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: ISTIO_META_APP_CONTAINERS + value: "{{ $containers | join "," }}" + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + {{- if .CompliancePolicy }} + - name: COMPLIANCE_POLICY + value: "{{ .CompliancePolicy }}" + {{- end }} + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{- with (index .ObjectMeta.Labels `service.istio.io/workload-name` | default .DeploymentMeta.Name) }} + - name: ISTIO_META_WORKLOAD_NAME + value: "{{ . }}" + {{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: ISTIO_BOOTSTRAP_OVERRIDE + value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" + {{- end }} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} + {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} + {{ if .Values.global.proxy.startupProbe.enabled }} + startupProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: 0 + periodSeconds: 1 + timeoutSeconds: 3 + failureThreshold: {{ .Values.global.proxy.startupProbe.failureThreshold }} + {{ end }} + readinessProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} + timeoutSeconds: 3 + failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} + {{ end -}} + securityContext: + {{- if eq (index .ProxyConfig.ProxyMetadata "IPTABLES_TRACE_LOGGING") "true" }} + allowPrivilegeEscalation: true + capabilities: + add: + - NET_ADMIN + drop: + - ALL + privileged: true + readOnlyRootFilesystem: true + runAsGroup: {{ .ProxyGID | default "1337" }} + runAsNonRoot: false + runAsUser: 0 + {{- else }} + allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} + capabilities: + {{ if or $tproxy $capNetBindService -}} + add: + {{ if $tproxy -}} + - NET_ADMIN + {{- end }} + {{ if $capNetBindService -}} + - NET_BIND_SERVICE + {{- end }} + {{- end }} + drop: + - ALL + privileged: {{ .Values.global.proxy.privileged }} + readOnlyRootFilesystem: true + {{ if or $tproxy $capNetBindService -}} + runAsNonRoot: false + runAsUser: 0 + runAsGroup: 1337 + {{- else -}} + runAsNonRoot: true + runAsUser: {{ .ProxyUID | default "1337" }} + runAsGroup: {{ .ProxyGID | default "1337" }} + {{- end }} + {{- end }} + resources: + {{ template "resources" . }} + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + - name: credential-socket + mountPath: /var/run/secrets/credential-uds + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + - mountPath: /var/run/secrets/istio/crl + name: istio-ca-crl + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - mountPath: /etc/istio/custom-bootstrap + name: custom-bootstrap-volume + {{- end }} + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} + - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }} + name: lightstep-certs + readOnly: true + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} + {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 6 }} + {{ end }} + {{- end }} + volumes: + - emptyDir: + name: workload-socket + - emptyDir: + name: credential-socket + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- else }} + - emptyDir: + name: workload-certs + {{- end }} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: custom-bootstrap-volume + configMap: + name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + {{- end }} + - name: istio-ca-crl + configMap: + name: istio-ca-crl + optional: true + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - name: istio-certs + secret: + optional: true + {{ if eq .Spec.ServiceAccountName "" }} + secretName: istio.default + {{ else -}} + secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} + {{ end -}} + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} + {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 4 }} + {{ end }} + {{ end }} + {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} + - name: lightstep-certs + secret: + optional: true + secretName: lightstep.cacert + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/kube-gateway.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/kube-gateway.yaml new file mode 100644 index 0000000000..616fb42c71 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/kube-gateway.yaml @@ -0,0 +1,401 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{.ServiceAccount | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + {{- if ge .KubeVersion 128 }} + # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" + {{- end }} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.istio.io/managed" "istio.io-gateway-controller" + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: "{{.UID}}" +spec: + selector: + matchLabels: + "{{.GatewayNameLabel}}": {{.Name}} + template: + metadata: + annotations: + {{- toJsonMap + (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") + (strdict "istio.io/rev" (.Revision | default "default")) + (strdict + "prometheus.io/path" "/stats/prometheus" + "prometheus.io/port" "15020" + "prometheus.io/scrape" "true" + ) | nindent 8 }} + labels: + {{- toJsonMap + (strdict + "sidecar.istio.io/inject" "false" + "service.istio.io/canonical-name" .DeploymentName + "service.istio.io/canonical-revision" "latest" + ) + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.istio.io/managed" "istio.io-gateway-controller" + ) | nindent 8 }} + spec: + securityContext: + {{- if .Values.gateways.securityContext }} + {{- toYaml .Values.gateways.securityContext | nindent 8 }} + {{- else }} + sysctls: + - name: net.ipv4.ip_unprivileged_port_start + value: "0" + {{- if .Values.gateways.seccompProfile }} + seccompProfile: + {{- toYaml .Values.gateways.seccompProfile | nindent 10 }} + {{- end }} + {{- end }} + serviceAccountName: {{.ServiceAccount | quote}} + containers: + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + {{- if .Values.global.proxy.resources }} + resources: + {{- toYaml .Values.global.proxy.resources | nindent 10 }} + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + securityContext: + capabilities: + drop: + - ALL + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsUser: {{ .ProxyUID | default "1337" }} + runAsGroup: {{ .ProxyGID | default "1337" }} + runAsNonRoot: true + ports: + - containerPort: 15020 + name: metrics + protocol: TCP + - containerPort: 15021 + name: status-port + protocol: TCP + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - router + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} + - --proxyComponentLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} + - --log_output_level + - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{- toYaml .Values.global.proxy.lifecycle | nindent 10 }} + {{- end }} + env: + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: "[]" + - name: ISTIO_META_APP_CONTAINERS + value: "" + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName .ClusterID }}" + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ .ProxyConfig.InterceptionMode.String }}" + {{- with (valueOrDefault (index .InfrastructureLabels "topology.istio.io/network") .Values.global.network) }} + - name: ISTIO_META_NETWORK + value: {{.|quote}} + {{- end }} + - name: ISTIO_META_WORKLOAD_NAME + value: {{.DeploymentName|quote}} + - name: ISTIO_META_OWNER + value: "kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}}" + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- with (index .InfrastructureLabels "topology.istio.io/network") }} + - name: ISTIO_META_REQUESTED_NETWORK_VIEW + value: {{.|quote}} + {{- end }} + startupProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 1 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + failureThreshold: 4 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 0 + periodSeconds: 15 + successThreshold: 1 + timeoutSeconds: 1 + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + - name: credential-socket + mountPath: /var/run/secrets/credential-uds + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + - name: istio-podinfo + mountPath: /etc/istio/pod + volumes: + - emptyDir: {} + name: workload-socket + - emptyDir: {} + name: credential-socket + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- else}} + - emptyDir: {} + name: workload-certs + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + {{- if eq ((.Values.pilot).env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +--- +apiVersion: v1 +kind: Service +metadata: + annotations: + {{ toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: {{.UID}} +spec: + ipFamilyPolicy: PreferDualStack + ports: + {{- range $key, $val := .Ports }} + - name: {{ $val.Name | quote }} + port: {{ $val.Port }} + protocol: TCP + appProtocol: {{ $val.AppProtocol }} + {{- end }} + selector: + "{{.GatewayNameLabel}}": {{.Name}} + {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} + loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} + {{- end }} + type: {{ .ServiceType | quote }} +--- +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: "{{.UID}}" +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{.DeploymentName | quote}} + maxReplicas: 1 +--- +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: "{{.UID}}" +spec: + selector: + matchLabels: + gateway.networking.k8s.io/gateway-name: {{.Name|quote}} + diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/profile-ambient.yaml new file mode 100644 index 0000000000..495fbcd434 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/profile-ambient.yaml @@ -0,0 +1,24 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" + serviceScopeConfigs: + - servicesSelector: + matchExpressions: + - key: istio.io/global + operator: In + values: ["true"] + scope: GLOBAL +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 0000000000..4f3dbef7ea --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/profile-compatibility-version-1.24.yaml @@ -0,0 +1,15 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + PILOT_ENABLE_IP_AUTOALLOCATE: "false" + # 1.27 behavioral changes + ENABLE_NATIVE_SIDECARS: "false" +ambient: + dnsCapture: false + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..b2f45948c2 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,11 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.27 behavioral changes + ENABLE_NATIVE_SIDECARS: "false" +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/profile-compatibility-version-1.26.yaml new file mode 100644 index 0000000000..af10697326 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/profile-compatibility-version-1.26.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.27 behavioral changes + ENABLE_NATIVE_SIDECARS: "false" \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/profile-demo.yaml new file mode 100644 index 0000000000..d6dc36dd0f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/profile-demo.yaml @@ -0,0 +1,94 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The demo profile enables a variety of things to try out Istio in non-production environments. +# * Lower resource utilization. +# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. +# * More ports enabled on the ingress, which is used in some tasks. +meshConfig: + accessLogFile: /dev/stdout + extensionProviders: + - name: otel + envoyOtelAls: + service: opentelemetry-collector.observability.svc.cluster.local + port: 4317 + - name: skywalking + skywalking: + service: tracing.istio-system.svc.cluster.local + port: 11800 + - name: otel-tracing + opentelemetry: + port: 4317 + service: opentelemetry-collector.observability.svc.cluster.local + - name: jaeger + opentelemetry: + port: 4317 + service: jaeger-collector.istio-system.svc.cluster.local + +cni: + resources: + requests: + cpu: 10m + memory: 40Mi + +ztunnel: + resources: + requests: + cpu: 10m + memory: 40Mi + +global: + proxy: + resources: + requests: + cpu: 10m + memory: 40Mi + waypoint: + resources: + requests: + cpu: 10m + memory: 40Mi + +pilot: + autoscaleEnabled: false + traceSampling: 100 + resources: + requests: + cpu: 10m + memory: 100Mi + +gateways: + istio-egressgateway: + autoscaleEnabled: false + resources: + requests: + cpu: 10m + memory: 40Mi + istio-ingressgateway: + autoscaleEnabled: false + ports: + ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. + # Note that AWS ELB will by default perform health checks on the first port + # on this list. Setting this to the health check port will ensure that health + # checks always work. https://github.com/istio/istio/issues/12503 + - port: 15021 + targetPort: 15021 + name: status-port + - port: 80 + targetPort: 8080 + name: http2 + - port: 443 + targetPort: 8443 + name: https + - port: 31400 + targetPort: 31400 + name: tcp + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + resources: + requests: + cpu: 10m + memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/profile-platform-gke.yaml new file mode 100644 index 0000000000..dfe8a7d741 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/profile-platform-gke.yaml @@ -0,0 +1,10 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work + resourceQuotas: + enabled: true +resourceQuotas: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/profile-platform-k3d.yaml new file mode 100644 index 0000000000..cd86d9ec58 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/profile-platform-k3d.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/profile-platform-k3s.yaml new file mode 100644 index 0000000000..07820106d9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/profile-platform-k3s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/profile-platform-microk8s.yaml new file mode 100644 index 0000000000..57d7f5e3cd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/profile-platform-microk8s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/snap/microk8s/current/args/cni-network + cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/profile-platform-minikube.yaml new file mode 100644 index 0000000000..fa9992e204 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/profile-platform-minikube.yaml @@ -0,0 +1,6 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/profile-platform-openshift.yaml new file mode 100644 index 0000000000..8ddc5e1654 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/profile-platform-openshift.yaml @@ -0,0 +1,19 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The OpenShift profile provides a basic set of settings to run Istio on OpenShift +cni: + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + provider: "multus" +pilot: + cni: + enabled: true + provider: "multus" +seLinuxOptions: + type: spc_t +# Openshift requires privileged pods to run in kube-system +trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/profile-preview.yaml new file mode 100644 index 0000000000..181d7bda2c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/profile-preview.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +meshConfig: + defaultConfig: + proxyMetadata: + # Enable Istio agent to handle DNS requests for known hosts + # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf + ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/profile-remote.yaml new file mode 100644 index 0000000000..d17b9a801a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/profile-remote.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. +istiodRemote: + enabled: true +configMap: false +telemetry: + enabled: false +global: + # TODO BML maybe a different profile for a configcluster/revisit this + omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/profile-stable.yaml new file mode 100644 index 0000000000..358282e69b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/profile-stable.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The stable profile deploys admission control to ensure that only stable resources and fields are used +# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE +experimental: + stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/waypoint.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/waypoint.yaml new file mode 100644 index 0000000000..3e6a2f5dc1 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/files/waypoint.yaml @@ -0,0 +1,396 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{.ServiceAccount | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + {{- if ge .KubeVersion 128 }} + # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" + {{- end }} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.istio.io/managed" .ControllerLabel + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" +spec: + selector: + matchLabels: + "{{.GatewayNameLabel}}": "{{.Name}}" + template: + metadata: + annotations: + {{- toJsonMap + (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") + (strdict "istio.io/rev" (.Revision | default "default")) + (strdict + "prometheus.io/path" "/stats/prometheus" + "prometheus.io/port" "15020" + "prometheus.io/scrape" "true" + ) | nindent 8 }} + labels: + {{- toJsonMap + (strdict + "sidecar.istio.io/inject" "false" + "istio.io/dataplane-mode" "none" + "service.istio.io/canonical-name" .DeploymentName + "service.istio.io/canonical-revision" "latest" + ) + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.istio.io/managed" .ControllerLabel + ) | nindent 8}} + spec: + {{- if .Values.global.waypoint.affinity }} + affinity: + {{- toYaml .Values.global.waypoint.affinity | nindent 8 }} + {{- end }} + {{- if .Values.global.waypoint.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml .Values.global.waypoint.topologySpreadConstraints | nindent 8 }} + {{- end }} + {{- if .Values.global.waypoint.nodeSelector }} + nodeSelector: + {{- toYaml .Values.global.waypoint.nodeSelector | nindent 8 }} + {{- end }} + {{- if .Values.global.waypoint.tolerations }} + tolerations: + {{- toYaml .Values.global.waypoint.tolerations | nindent 8 }} + {{- end }} + terminationGracePeriodSeconds: 2 + serviceAccountName: {{.ServiceAccount | quote}} + containers: + - name: istio-proxy + ports: + - containerPort: 15020 + name: metrics + protocol: TCP + - containerPort: 15021 + name: status-port + protocol: TCP + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + args: + - proxy + - waypoint + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --serviceCluster + - {{.ServiceAccount}}.$(POD_NAMESPACE) + - --proxyLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} + - --proxyComponentLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} + - --log_output_level + - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.outlierLogPath }} + - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }} + {{- end}} + env: + - name: ISTIO_META_SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + {{- if .ProxyConfig.ProxyMetadata }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + {{- $network := valueOrDefault (index .InfrastructureLabels `topology.istio.io/network`) .Values.global.network }} + {{- if $network }} + - name: ISTIO_META_NETWORK + value: "{{ $network }}" + {{- end }} + - name: ISTIO_META_INTERCEPTION_MODE + value: REDIRECT + - name: ISTIO_META_WORKLOAD_NAME + value: {{.DeploymentName}} + - name: ISTIO_META_OWNER + value: kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- if .Values.global.waypoint.resources }} + resources: + {{- toYaml .Values.global.waypoint.resources | nindent 10 }} + {{- end }} + startupProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 1 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + failureThreshold: 4 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 0 + periodSeconds: 15 + successThreshold: 1 + timeoutSeconds: 1 + securityContext: + privileged: false + {{- if not (eq .Values.global.platform "openshift") }} + runAsGroup: 1337 + runAsUser: 1337 + {{- end }} + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL +{{- if .Values.gateways.seccompProfile }} + seccompProfile: +{{- toYaml .Values.gateways.seccompProfile | nindent 12 }} +{{- end }} + volumeMounts: + - mountPath: /var/run/secrets/workload-spiffe-uds + name: workload-socket + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + - mountPath: /var/lib/istio/data + name: istio-data + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + - mountPath: /etc/istio/pod + name: istio-podinfo + volumes: + - emptyDir: {} + name: workload-socket + - emptyDir: + medium: Memory + name: istio-envoy + - emptyDir: + medium: Memory + name: go-proxy-envoy + - emptyDir: {} + name: istio-data + - emptyDir: {} + name: go-proxy-data + - downwardAPI: + items: + - fieldRef: + fieldPath: metadata.labels + path: labels + - fieldRef: + fieldPath: metadata.annotations + path: annotations + name: istio-podinfo + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: istio-ca + expirationSeconds: 43200 + path: istio-token + - name: istiod-ca-cert + {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +--- +apiVersion: v1 +kind: Service +metadata: + annotations: + {{ toJsonMap + (strdict "networking.istio.io/traffic-distribution" "PreferClose") + (omit .InfrastructureAnnotations + "kubectl.kubernetes.io/last-applied-configuration" + "gateway.istio.io/name-override" + "gateway.istio.io/service-account" + "gateway.istio.io/controller-version" + ) | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" +spec: + ipFamilyPolicy: PreferDualStack + ports: + {{- range $key, $val := .Ports }} + - name: {{ $val.Name | quote }} + port: {{ $val.Port }} + protocol: TCP + appProtocol: {{ $val.AppProtocol }} + {{- end }} + selector: + "{{.GatewayNameLabel}}": "{{.Name}}" + {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} + loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} + {{- end }} + type: {{ .ServiceType | quote }} +--- +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: "{{.UID}}" +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{.DeploymentName | quote}} + maxReplicas: 1 +--- +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: "{{.UID}}" +spec: + selector: + matchLabels: + gateway.networking.k8s.io/gateway-name: {{.Name|quote}} + diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/NOTES.txt new file mode 100644 index 0000000000..0d07ea7f4c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/NOTES.txt @@ -0,0 +1,82 @@ +"istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}" successfully installed! + +To learn more about the release, try: + $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} + $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} + +Next steps: +{{- $profile := default "" .Values.profile }} +{{- if (eq $profile "ambient") }} + * Get started with ambient: https://istio.io/latest/docs/ops/ambient/getting-started/ + * Review ambient's architecture: https://istio.io/latest/docs/ops/ambient/architecture/ +{{- else }} + * Deploy a Gateway: https://istio.io/latest/docs/setup/additional-setup/gateway/ + * Try out our tasks to get started on common configurations: + * https://istio.io/latest/docs/tasks/traffic-management + * https://istio.io/latest/docs/tasks/security/ + * https://istio.io/latest/docs/tasks/policy-enforcement/ +{{- end }} + * Review the list of actively supported releases, CVE publications and our hardening guide: + * https://istio.io/latest/docs/releases/supported-releases/ + * https://istio.io/latest/news/security/ + * https://istio.io/latest/docs/ops/best-practices/security/ + +For further documentation see https://istio.io website + +{{- + $deps := dict + "global.outboundTrafficPolicy" "meshConfig.outboundTrafficPolicy" + "global.certificates" "meshConfig.certificates" + "global.localityLbSetting" "meshConfig.localityLbSetting" + "global.policyCheckFailOpen" "meshConfig.policyCheckFailOpen" + "global.enableTracing" "meshConfig.enableTracing" + "global.proxy.accessLogFormat" "meshConfig.accessLogFormat" + "global.proxy.accessLogFile" "meshConfig.accessLogFile" + "global.proxy.concurrency" "meshConfig.defaultConfig.concurrency" + "global.proxy.envoyAccessLogService" "meshConfig.defaultConfig.envoyAccessLogService" + "global.proxy.envoyAccessLogService.enabled" "meshConfig.enableEnvoyAccessLogService" + "global.proxy.envoyMetricsService" "meshConfig.defaultConfig.envoyMetricsService" + "global.proxy.protocolDetectionTimeout" "meshConfig.protocolDetectionTimeout" + "global.proxy.holdApplicationUntilProxyStarts" "meshConfig.defaultConfig.holdApplicationUntilProxyStarts" + "pilot.ingress" "meshConfig.ingressService, meshConfig.ingressControllerMode, and meshConfig.ingressClass" + "global.mtls.enabled" "the PeerAuthentication resource" + "global.mtls.auto" "meshConfig.enableAutoMtls" + "global.tracer.lightstep.address" "meshConfig.defaultConfig.tracing.lightstep.address" + "global.tracer.lightstep.accessToken" "meshConfig.defaultConfig.tracing.lightstep.accessToken" + "global.tracer.zipkin.address" "meshConfig.defaultConfig.tracing.zipkin.address" + "global.tracer.datadog.address" "meshConfig.defaultConfig.tracing.datadog.address" + "global.meshExpansion.enabled" "Gateway and other Istio networking resources, such as in samples/multicluster/" + "istiocoredns.enabled" "the in-proxy DNS capturing (ISTIO_META_DNS_CAPTURE)" +}} +{{- range $dep, $replace := $deps }} +{{- /* Complex logic to turn the string above into a null-safe traversal like ((.Values.global).certificates */}} +{{- $res := tpl (print "{{" (repeat (split "." $dep | len) "(") ".Values." (replace "." ")." $dep) ")}}") $}} +{{- if not (eq $res "")}} +WARNING: {{$dep|quote}} is deprecated; use {{$replace|quote}} instead. +{{- end }} +{{- end }} +{{- + $failDeps := dict + "telemetry.v2.prometheus.configOverride" + "telemetry.v2.stackdriver.configOverride" + "telemetry.v2.stackdriver.disableOutbound" + "telemetry.v2.stackdriver.outboundAccessLogging" + "global.tracer.stackdriver.debug" "meshConfig.defaultConfig.tracing.stackdriver.debug" + "global.tracer.stackdriver.maxNumberOfAttributes" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAttributes" + "global.tracer.stackdriver.maxNumberOfAnnotations" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAnnotations" + "global.tracer.stackdriver.maxNumberOfMessageEvents" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfMessageEvents" + "meshConfig.defaultConfig.tracing.stackdriver.debug" "Istio supported tracers" + "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAttributes" "Istio supported tracers" + "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAnnotations" "Istio supported tracers" + "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfMessageEvents" "Istio supported tracers" +}} +{{- range $dep, $replace := $failDeps }} +{{- /* Complex logic to turn the string above into a null-safe traversal like ((.Values.global).certificates */}} +{{- $res := tpl (print "{{" (repeat (split "." $dep | len) "(") ".Values." (replace "." ")." $dep) ")}}") $}} +{{- if not (eq $res "")}} +{{fail (print $dep " is removed")}} +{{- end }} +{{- end }} +{{- if eq $.Values.global.pilotCertProvider "kubernetes" }} +{{- fail "pilotCertProvider=kubernetes is not supported" }} +{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/_helpers.tpl new file mode 100644 index 0000000000..042c92538d --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/_helpers.tpl @@ -0,0 +1,23 @@ +{{/* Default Prometheus is enabled if its enabled and there are no config overrides set */}} +{{ define "default-prometheus" }} +{{- and + (not .Values.meshConfig.defaultProviders) + .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.prometheus.enabled +}} +{{- end }} + +{{/* SD has metrics and logging split. Default metrics are enabled if SD is enabled */}} +{{ define "default-sd-metrics" }} +{{- and + (not .Values.meshConfig.defaultProviders) + .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled +}} +{{- end }} + +{{/* SD has metrics and logging split. */}} +{{ define "default-sd-logs" }} +{{- and + (not .Values.meshConfig.defaultProviders) + .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled +}} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/autoscale.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/autoscale.yaml new file mode 100644 index 0000000000..9b952ba857 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/autoscale.yaml @@ -0,0 +1,43 @@ +# Not created if istiod is running remotely +{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} +{{- if and .Values.autoscaleEnabled .Values.autoscaleMin .Values.autoscaleMax }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +spec: + maxReplicas: {{ .Values.autoscaleMax }} + minReplicas: {{ .Values.autoscaleMin }} + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + metrics: + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.cpu.targetAverageUtilization }} + {{- if .Values.memory.targetAverageUtilization }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.memory.targetAverageUtilization }} + {{- end }} + {{- if .Values.autoscaleBehavior }} + behavior: {{ toYaml .Values.autoscaleBehavior | nindent 4 }} + {{- end }} +--- +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/clusterrole.yaml new file mode 100644 index 0000000000..40f39511ac --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/clusterrole.yaml @@ -0,0 +1,213 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} +{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +rules: + # sidecar injection controller + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update", "patch"] + + # configuration validation webhook controller + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update"] + + # istio configuration + # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382) + # please proceed with caution + - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] + verbs: ["get", "watch", "list"] + resources: ["*"] +{{- if .Values.global.istiod.enableAnalysis }} + - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] + verbs: ["update", "patch"] + resources: + - authorizationpolicies/status + - destinationrules/status + - envoyfilters/status + - gateways/status + - peerauthentications/status + - proxyconfigs/status + - requestauthentications/status + - serviceentries/status + - sidecars/status + - telemetries/status + - virtualservices/status + - wasmplugins/status + - workloadentries/status + - workloadgroups/status +{{- end }} + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "workloadentries" ] + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "workloadentries/status", "serviceentries/status" ] + - apiGroups: ["security.istio.io"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "authorizationpolicies/status" ] + - apiGroups: [""] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "services/status" ] + + # auto-detect installed CRD definitions + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch"] + + # discovery and routing + - apiGroups: [""] + resources: ["pods", "nodes", "services", "namespaces", "endpoints"] + verbs: ["get", "list", "watch"] + - apiGroups: ["discovery.k8s.io"] + resources: ["endpointslices"] + verbs: ["get", "list", "watch"] + +{{- if .Values.taint.enabled }} + - apiGroups: [""] + resources: ["nodes"] + verbs: ["patch"] +{{- end }} + + # ingress controller +{{- if .Values.global.istiod.enableAnalysis }} + - apiGroups: ["extensions", "networking.k8s.io"] + resources: ["ingresses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["extensions", "networking.k8s.io"] + resources: ["ingresses/status"] + verbs: ["*"] +{{- end}} + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses", "ingressclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses/status"] + verbs: ["*"] + + # required for CA's namespace controller + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["create", "get", "list", "watch", "update"] + + # Istiod and bootstrap. +{{- $omitCertProvidersForClusterRole := list "istiod" "custom" "none"}} +{{- if or .Values.env.EXTERNAL_CA (not (has .Values.global.pilotCertProvider $omitCertProvidersForClusterRole)) }} + - apiGroups: ["certificates.k8s.io"] + resources: + - "certificatesigningrequests" + - "certificatesigningrequests/approval" + - "certificatesigningrequests/status" + verbs: ["update", "create", "get", "delete", "watch"] + - apiGroups: ["certificates.k8s.io"] + resources: + - "signers" + resourceNames: +{{- range .Values.global.certSigners }} + - {{ . | quote }} +{{- end }} + verbs: ["approve"] +{{- end}} +{{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + - apiGroups: ["certificates.k8s.io"] + resources: ["clustertrustbundles"] + verbs: ["update", "create", "delete", "list", "watch", "get"] + - apiGroups: ["certificates.k8s.io"] + resources: ["signers"] + resourceNames: ["istio.io/istiod-ca"] + verbs: ["attest"] +{{- end }} + + # Used by Istiod to verify the JWT tokens + - apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] + + # Used by Istiod to verify gateway SDS + - apiGroups: ["authorization.k8s.io"] + resources: ["subjectaccessreviews"] + verbs: ["create"] + + # Use for Kubernetes Service APIs + - apiGroups: ["gateway.networking.k8s.io", "gateway.networking.x-k8s.io"] + resources: ["*"] + verbs: ["get", "watch", "list"] + - apiGroups: ["gateway.networking.x-k8s.io"] + resources: + - xbackendtrafficpolicies/status + - xlistenersets/status + verbs: ["update", "patch"] + - apiGroups: ["gateway.networking.k8s.io"] + resources: + - backendtlspolicies/status + - gatewayclasses/status + - gateways/status + - grpcroutes/status + - httproutes/status + - referencegrants/status + - tcproutes/status + - tlsroutes/status + - udproutes/status + verbs: ["update", "patch"] + - apiGroups: ["gateway.networking.k8s.io"] + resources: ["gatewayclasses"] + verbs: ["create", "update", "patch", "delete"] + - apiGroups: ["inference.networking.k8s.io"] + resources: ["inferencepools"] + verbs: ["get", "watch", "list"] + - apiGroups: ["inference.networking.k8s.io"] + resources: ["inferencepools/status"] + verbs: ["update", "patch"] + + # Needed for multicluster secret reading, possibly ingress certs in the future + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "watch", "list"] + + # Used for MCS serviceexport management + - apiGroups: ["{{ $mcsAPIGroup }}"] + resources: ["serviceexports"] + verbs: [ "get", "watch", "list", "create", "delete"] + + # Used for MCS serviceimport management + - apiGroups: ["{{ $mcsAPIGroup }}"] + resources: ["serviceimports"] + verbs: ["get", "watch", "list"] +--- +{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +rules: + - apiGroups: ["apps"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "deployments" ] + - apiGroups: ["autoscaling"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "horizontalpodautoscalers" ] + - apiGroups: ["policy"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "poddisruptionbudgets" ] + - apiGroups: [""] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "services" ] + - apiGroups: [""] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "serviceaccounts"] +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..1b8fa4d079 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/clusterrolebinding.yaml @@ -0,0 +1,40 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} +subjects: + - kind: ServiceAccount + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} +--- +{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} +subjects: +- kind: ServiceAccount + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/configmap-jwks.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/configmap-jwks.yaml new file mode 100644 index 0000000000..9d931c4065 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/configmap-jwks.yaml @@ -0,0 +1,18 @@ +# Not created if istiod is running remotely +{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} +{{- if .Values.jwksResolverExtraRootCA }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +data: + extra.pem: {{ .Values.jwksResolverExtraRootCA | quote }} +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/configmap-values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/configmap-values.yaml new file mode 100644 index 0000000000..75e6e0bcc6 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/configmap-values.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: values{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + annotations: + kubernetes.io/description: This ConfigMap contains the Helm values used during chart rendering. This ConfigMap is rendered for debugging purposes and external tooling; modifying these values has no effect. + labels: + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +data: + original-values: |- +{{ .Values._original | toPrettyJson | indent 4 }} +{{- $_ := unset $.Values "_original" }} + merged-values: |- +{{ .Values | toPrettyJson | indent 4 }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/configmap.yaml new file mode 100644 index 0000000000..a8446a6fc9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/configmap.yaml @@ -0,0 +1,111 @@ +{{- define "mesh" }} + # The trust domain corresponds to the trust root of a system. + # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain + trustDomain: "cluster.local" + + # The namespace to treat as the administrative root namespace for Istio configuration. + # When processing a leaf namespace Istio will search for declarations in that namespace first + # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace + # is processed as if it were declared in the leaf namespace. + rootNamespace: {{ .Values.meshConfig.rootNamespace | default .Values.global.istioNamespace }} + + {{ $prom := include "default-prometheus" . | eq "true" }} + {{ $sdMetrics := include "default-sd-metrics" . | eq "true" }} + {{ $sdLogs := include "default-sd-logs" . | eq "true" }} + {{- if or $prom $sdMetrics $sdLogs }} + defaultProviders: + {{- if or $prom $sdMetrics }} + metrics: + {{ if $prom }}- prometheus{{ end }} + {{ if and $sdMetrics $sdLogs }}- stackdriver{{ end }} + {{- end }} + {{- if and $sdMetrics $sdLogs }} + accessLogging: + - stackdriver + {{- end }} + {{- end }} + + defaultConfig: + {{- if .Values.global.meshID }} + meshId: "{{ .Values.global.meshID }}" + {{- end }} + {{- with (.Values.global.proxy.variant | default .Values.global.variant) }} + image: + imageType: {{. | quote}} + {{- end }} + {{- if not (eq .Values.global.proxy.tracer "none") }} + tracing: + {{- if eq .Values.global.proxy.tracer "lightstep" }} + lightstep: + # Address of the LightStep Satellite pool + address: {{ .Values.global.tracer.lightstep.address }} + # Access Token used to communicate with the Satellite pool + accessToken: {{ .Values.global.tracer.lightstep.accessToken }} + {{- else if eq .Values.global.proxy.tracer "zipkin" }} + zipkin: + # Address of the Zipkin collector + address: {{ ((.Values.global.tracer).zipkin).address | default (print "zipkin." .Values.global.istioNamespace ":9411") }} + {{- else if eq .Values.global.proxy.tracer "datadog" }} + datadog: + # Address of the Datadog Agent + address: {{ ((.Values.global.tracer).datadog).address | default "$(HOST_IP):8126" }} + {{- else if eq .Values.global.proxy.tracer "stackdriver" }} + stackdriver: + # enables trace output to stdout. + debug: {{ (($.Values.global.tracer).stackdriver).debug | default "false" }} + # The global default max number of attributes per span. + maxNumberOfAttributes: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAttributes | default "200" }} + # The global default max number of annotation events per span. + maxNumberOfAnnotations: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAnnotations | default "200" }} + # The global default max number of message events per span. + maxNumberOfMessageEvents: {{ (($.Values.global.tracer).stackdriver).maxNumberOfMessageEvents | default "200" }} + {{- end }} + {{- end }} + {{- if .Values.global.remotePilotAddress }} + {{- if and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod }} + # only primary `istiod` to xds and local `istiod` injection installs. + discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012 + {{- else }} + discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012 + {{- end }} + {{- else }} + discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012 + {{- end }} +{{- end }} + +{{/* We take the mesh config above, defined with individual values.yaml, and merge with .Values.meshConfig */}} +{{/* The intent here is that meshConfig.foo becomes the API, rather than re-inventing the API in values.yaml */}} +{{- $originalMesh := include "mesh" . | fromYaml }} +{{- $mesh := mergeOverwrite $originalMesh .Values.meshConfig }} + +{{- if .Values.configMap }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +data: + + # Configuration file for the mesh networks to be used by the Split Horizon EDS. + meshNetworks: |- + {{- if .Values.global.meshNetworks }} + networks: +{{ toYaml .Values.global.meshNetworks | trim | indent 6 }} + {{- else }} + networks: {} + {{- end }} + + mesh: |- +{{- if .Values.meshConfig }} +{{ $mesh | toYaml | indent 4 }} +{{- else }} +{{- include "mesh" . }} +{{- end }} +--- +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/deployment.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/deployment.yaml new file mode 100644 index 0000000000..1b769c6ec7 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/deployment.yaml @@ -0,0 +1,312 @@ +# Not created if istiod is running remotely +{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + istio: pilot + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +{{- range $key, $val := .Values.deploymentLabels }} + {{ $key }}: "{{ $val }}" +{{- end }} + {{- if .Values.deploymentAnnotations }} + annotations: +{{ toYaml .Values.deploymentAnnotations | indent 4 }} + {{- end }} +spec: +{{- if not .Values.autoscaleEnabled }} +{{- if .Values.replicaCount }} + replicas: {{ .Values.replicaCount }} +{{- end }} +{{- end }} + strategy: + rollingUpdate: + maxSurge: {{ .Values.rollingMaxSurge }} + maxUnavailable: {{ .Values.rollingMaxUnavailable }} + selector: + matchLabels: + {{- if ne .Values.revision "" }} + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + {{- else }} + istio: pilot + {{- end }} + template: + metadata: + labels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + sidecar.istio.io/inject: "false" + operator.istio.io/component: "Pilot" + {{- if ne .Values.revision "" }} + istio: istiod + {{- else }} + istio: pilot + {{- end }} + {{- range $key, $val := .Values.podLabels }} + {{ $key }}: "{{ $val }}" + {{- end }} + istio.io/dataplane-mode: none + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 8 }} + annotations: + prometheus.io/port: "15014" + prometheus.io/scrape: "true" + sidecar.istio.io/inject: "false" + {{- if .Values.podAnnotations }} +{{ toYaml .Values.podAnnotations | indent 8 }} + {{- end }} + spec: +{{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 8 }} +{{- end }} +{{- with .Values.affinity }} + affinity: +{{- toYaml . | nindent 8 }} +{{- end }} + tolerations: + - key: cni.istio.io/not-ready + operator: "Exists" +{{- with .Values.tolerations }} +{{- toYaml . | nindent 8 }} +{{- end }} +{{- with .Values.topologySpreadConstraints }} + topologySpreadConstraints: +{{- toYaml . | nindent 8 }} +{{- end }} + serviceAccountName: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} +{{- if .Values.global.priorityClassName }} + priorityClassName: "{{ .Values.global.priorityClassName }}" +{{- end }} +{{- with .Values.initContainers }} + initContainers: + {{- tpl (toYaml .) $ | nindent 8 }} +{{- end }} + containers: + - name: discovery +{{- if contains "/" .Values.image }} + image: "{{ .Values.image }}" +{{- else }} + image: "{{ .Values.hub | default .Values.global.hub }}/{{ .Values.image | default "pilot" }}:{{ .Values.tag | default .Values.global.tag }}{{with (.Values.variant | default .Values.global.variant)}}-{{.}}{{end}}" +{{- end }} +{{- if .Values.global.imagePullPolicy }} + imagePullPolicy: {{ .Values.global.imagePullPolicy }} +{{- end }} + args: + - "discovery" + - --monitoringAddr=:15014 +{{- if .Values.global.logging.level }} + - --log_output_level={{ .Values.global.logging.level }} +{{- end}} +{{- if .Values.global.logAsJson }} + - --log_as_json +{{- end }} + - --domain + - {{ .Values.global.proxy.clusterDomain }} +{{- if .Values.taint.namespace }} + - --cniNamespace={{ .Values.taint.namespace }} +{{- end }} + - --keepaliveMaxServerConnectionAge + - "{{ .Values.keepaliveMaxServerConnectionAge }}" +{{- if .Values.extraContainerArgs }} + {{- with .Values.extraContainerArgs }} + {{- toYaml . | nindent 10 }} + {{- end }} +{{- end }} + ports: + - containerPort: 8080 + protocol: TCP + name: http-debug + - containerPort: 15010 + protocol: TCP + name: grpc-xds + - containerPort: 15012 + protocol: TCP + name: tls-xds + - containerPort: 15017 + protocol: TCP + name: https-webhooks + - containerPort: 15014 + protocol: TCP + name: http-monitoring + readinessProbe: + httpGet: + path: /ready + port: 8080 + initialDelaySeconds: 1 + periodSeconds: 3 + timeoutSeconds: 5 + env: + - name: REVISION + value: "{{ .Values.revision | default `default` }}" + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.serviceAccountName + - name: KUBECONFIG + value: /var/run/secrets/remote/config + # If you explicitly told us where ztunnel lives, use that. + # Otherwise, assume it lives in our namespace + # Also, check for an explicit ENV override (legacy approach) and prefer that + # if present + {{ $ztTrustedNS := or .Values.trustedZtunnelNamespace .Release.Namespace }} + {{ $ztTrustedName := or .Values.trustedZtunnelName "ztunnel" }} + {{- if not .Values.env.CA_TRUSTED_NODE_ACCOUNTS }} + - name: CA_TRUSTED_NODE_ACCOUNTS + value: "{{ $ztTrustedNS }}/{{ $ztTrustedName }}" + {{- end }} + {{- if .Values.env }} + {{- range $key, $val := .Values.env }} + - name: {{ $key }} + value: "{{ $val }}" + {{- end }} + {{- end }} + {{- with .Values.envVarFrom }} + {{- toYaml . | nindent 10 }} + {{- end }} +{{- if .Values.traceSampling }} + - name: PILOT_TRACE_SAMPLING + value: "{{ .Values.traceSampling }}" +{{- end }} +# If externalIstiod is set via Values.Global, then enable the pilot env variable. However, if it's set via Values.pilot.env, then +# don't set it here to avoid duplication. +# TODO (nshankar13): Move from Helm chart to code: https://github.com/istio/istio/issues/52449 +{{- if and .Values.global.externalIstiod (not (and .Values.env .Values.env.EXTERNAL_ISTIOD)) }} + - name: EXTERNAL_ISTIOD + value: "{{ .Values.global.externalIstiod }}" +{{- end }} +{{- if .Values.global.trustBundleName }} + - name: PILOT_CA_CERT_CONFIGMAP + value: "{{ .Values.global.trustBundleName }}" +{{- end }} + - name: PILOT_ENABLE_ANALYSIS + value: "{{ .Values.global.istiod.enableAnalysis }}" + - name: CLUSTER_ID + value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}" + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + divisor: "1" + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + divisor: "1" + - name: PLATFORM + value: "{{ coalesce .Values.global.platform .Values.platform }}" + resources: +{{- if .Values.resources }} +{{ toYaml .Values.resources | trim | indent 12 }} +{{- else }} +{{ toYaml .Values.global.defaultResources | trim | indent 12 }} +{{- end }} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL +{{- if .Values.seccompProfile }} + seccompProfile: +{{ toYaml .Values.seccompProfile | trim | indent 14 }} +{{- end }} + volumeMounts: + - name: istio-token + mountPath: /var/run/secrets/tokens + readOnly: true + - name: local-certs + mountPath: /var/run/secrets/istio-dns + - name: cacerts + mountPath: /etc/cacerts + readOnly: true + - name: istio-kubeconfig + mountPath: /var/run/secrets/remote + readOnly: true + {{- if .Values.jwksResolverExtraRootCA }} + - name: extracacerts + mountPath: /cacerts + {{- end }} + - name: istio-csr-dns-cert + mountPath: /var/run/secrets/istiod/tls + readOnly: true + - name: istio-csr-ca-configmap + mountPath: /var/run/secrets/istiod/ca + readOnly: true + {{- with .Values.volumeMounts }} + {{- toYaml . | nindent 10 }} + {{- end }} + volumes: + # Technically not needed on this pod - but it helps debugging/testing SDS + # Should be removed after everything works. + - emptyDir: + medium: Memory + name: local-certs + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: {{ .Values.global.sds.token.aud }} + expirationSeconds: 43200 + path: istio-token + # Optional: user-generated root + - name: cacerts + secret: + secretName: cacerts + optional: true + - name: istio-kubeconfig + secret: + secretName: istio-kubeconfig + optional: true + # Optional: istio-csr dns pilot certs + - name: istio-csr-dns-cert + secret: + secretName: istiod-tls + optional: true + - name: istio-csr-ca-configmap + {{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} + path: root-cert.pem + optional: true + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + defaultMode: 420 + optional: true + {{- end }} + {{- if .Values.jwksResolverExtraRootCA }} + - name: extracacerts + configMap: + name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- end }} + {{- with .Values.volumes }} + {{- toYaml . | nindent 6}} + {{- end }} + +--- +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/gateway-class-configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/gateway-class-configmap.yaml new file mode 100644 index 0000000000..6b23d716a4 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/gateway-class-configmap.yaml @@ -0,0 +1,20 @@ +{{ range $key, $value := .Values.gatewayClasses }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-{{ $.Values.revision | default "default" }}-gatewayclass-{{$key}} + namespace: {{ $.Release.Namespace }} + labels: + istio.io/rev: {{ $.Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + release: {{ $.Release.Name }} + app.kubernetes.io/name: "istiod" + gateway.istio.io/defaults-for-class: {{$key|quote}} + {{- include "istio.labels" $ | nindent 4 }} +data: +{{ range $kind, $overlay := $value }} + {{$kind}}: | +{{$overlay|toYaml|trim|indent 4}} +{{ end }} +--- +{{ end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/istiod-injector-configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/istiod-injector-configmap.yaml new file mode 100644 index 0000000000..171aff8861 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/istiod-injector-configmap.yaml @@ -0,0 +1,81 @@ +{{- if not .Values.global.omitSidecarInjectorConfigMap }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +data: +{{/* Scope the values to just top level fields used in the template, to reduce the size. */}} + values: |- +{{ $vals := pick .Values "global" "sidecarInjectorWebhook" "revision" -}} +{{ $pilotVals := pick .Values "cni" "env" -}} +{{ $vals = set $vals "pilot" $pilotVals -}} +{{ $gatewayVals := pick .Values.gateways "securityContext" "seccompProfile" -}} +{{ $vals = set $vals "gateways" $gatewayVals -}} +{{ $vals | toPrettyJson | indent 4 }} + + # To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching + # and istiod webhook functionality. + # + # New fields should not use Values - it is a 'primary' config object, users should be able + # to fine tune it or use it with kube-inject. + config: |- + # defaultTemplates defines the default template to use for pods that do not explicitly specify a template + {{- if .Values.sidecarInjectorWebhook.defaultTemplates }} + defaultTemplates: +{{- range .Values.sidecarInjectorWebhook.defaultTemplates}} + - {{ . }} +{{- end }} + {{- else }} + defaultTemplates: [sidecar] + {{- end }} + policy: {{ .Values.global.proxy.autoInject }} + alwaysInjectSelector: +{{ toYaml .Values.sidecarInjectorWebhook.alwaysInjectSelector | trim | indent 6 }} + neverInjectSelector: +{{ toYaml .Values.sidecarInjectorWebhook.neverInjectSelector | trim | indent 6 }} + injectedAnnotations: + {{- range $key, $val := .Values.sidecarInjectorWebhook.injectedAnnotations }} + "{{ $key }}": {{ $val | quote }} + {{- end }} + {{- /* If someone ends up with this new template, but an older Istiod image, they will attempt to render this template + which will fail with "Pod injection failed: template: inject:1: function "Istio_1_9_Required_Template_And_Version_Mismatched" not defined". + This should make it obvious that their installation is broken. + */}} + template: {{ `{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}` | quote }} + templates: +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "sidecar") }} + sidecar: | +{{ .Files.Get "files/injection-template.yaml" | trim | indent 8 }} +{{- end }} +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "gateway") }} + gateway: | +{{ .Files.Get "files/gateway-injection-template.yaml" | trim | indent 8 }} +{{- end }} +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-simple") }} + grpc-simple: | +{{ .Files.Get "files/grpc-simple.yaml" | trim | indent 8 }} +{{- end }} +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-agent") }} + grpc-agent: | +{{ .Files.Get "files/grpc-agent.yaml" | trim | indent 8 }} +{{- end }} +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "waypoint") }} + waypoint: | +{{ .Files.Get "files/waypoint.yaml" | trim | indent 8 }} +{{- end }} +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "kube-gateway") }} + kube-gateway: | +{{ .Files.Get "files/kube-gateway.yaml" | trim | indent 8 }} +{{- end }} +{{- with .Values.sidecarInjectorWebhook.templates }} +{{ toYaml . | trim | indent 6 }} +{{- end }} + +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/mutatingwebhook.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/mutatingwebhook.yaml new file mode 100644 index 0000000000..ca017194e6 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/mutatingwebhook.yaml @@ -0,0 +1,164 @@ +# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that. +{{- /* Core defines the common configuration used by all webhook segments */}} +{{/* Copy just what we need to avoid expensive deepCopy */}} +{{- $whv := dict +"revision" .Values.revision + "injectionPath" .Values.istiodRemote.injectionPath + "injectionURL" .Values.istiodRemote.injectionURL + "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy + "caBundle" .Values.istiodRemote.injectionCABundle + "namespace" .Release.Namespace }} +{{- define "core" }} +{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign +a unique prefix to each. */}} +- name: {{.Prefix}}sidecar-injector.istio.io + clientConfig: + {{- if .injectionURL }} + url: "{{ .injectionURL }}" + {{- else }} + service: + name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} + namespace: {{ .namespace }} + path: "{{ .injectionPath }}" + port: 443 + {{- end }} + {{- if .caBundle }} + caBundle: "{{ .caBundle }}" + {{- end }} + sideEffects: None + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + reinvocationPolicy: "{{ .reinvocationPolicy }}" + admissionReviewVersions: ["v1"] +{{- end }} +{{- /* Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) */}} +{{- if not .Values.global.operatorManageWebhooks }} +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: +{{- if eq .Release.Namespace "istio-system"}} + name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} +{{- else }} + name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} +{{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app: sidecar-injector + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +{{- if $.Values.sidecarInjectorWebhookAnnotations }} + annotations: +{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }} +{{- end }} +webhooks: +{{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}} + +{{- /* Case 1: namespace selector matches, and object doesn't disable */}} +{{- /* Note: if both revision and legacy selector, we give precedence to the legacy one */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + {{- if (eq .Values.revision "") }} + - "default" + {{- else }} + - "{{ .Values.revision }}" + {{- end }} + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + +{{- /* Case 2: No namespace selector, but object selects our revision (and doesn't disable) */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: DoesNotExist + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + - key: istio.io/rev + operator: In + values: + {{- if (eq .Values.revision "") }} + - "default" + {{- else }} + - "{{ .Values.revision }}" + {{- end }} + + +{{- /* Webhooks for default revision */}} +{{- if (eq .Values.revision "") }} + +{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: In + values: + - enabled + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + +{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: In + values: + - "true" + - key: istio.io/rev + operator: DoesNotExist + +{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }} +{{- /* Special case 3: no labels at all */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + - key: "kubernetes.io/metadata.name" + operator: "NotIn" + values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist +{{- end }} + +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/networkpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/networkpolicy.yaml new file mode 100644 index 0000000000..bcc1594d97 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/networkpolicy.yaml @@ -0,0 +1,45 @@ +{{- if (.Values.global.networkPolicy).enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + istio: pilot + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + policyTypes: + - Ingress + - Egress + ingress: + # Webhook from kube-apiserver + - from: [] + ports: + - protocol: TCP + port: 15017 + # xDS from potentially anywhere + - from: [] + ports: + - protocol: TCP + port: 15010 + - protocol: TCP + port: 15011 + - protocol: TCP + port: 15012 + - protocol: TCP + port: 8080 + - protocol: TCP + port: 15014 + # Allow all egress (needed because features like JWKS require connections to user-defined endpoints) + egress: + - {} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/poddisruptionbudget.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/poddisruptionbudget.yaml new file mode 100644 index 0000000000..fcd6c7c2e4 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/poddisruptionbudget.yaml @@ -0,0 +1,39 @@ +# Not created if istiod is running remotely +{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} +{{- if .Values.global.defaultPodDisruptionBudget.enabled }} +# a workaround for https://github.com/kubernetes/kubernetes/issues/93476 +{{- if or (and .Values.autoscaleEnabled (gt (int .Values.autoscaleMin) 1)) (and (not .Values.autoscaleEnabled) (gt (int .Values.replicaCount) 1)) }} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + release: {{ .Release.Name }} + istio: pilot + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +spec: + {{- if and .Values.pdb.minAvailable (not (hasKey .Values.pdb "maxUnavailable")) }} + minAvailable: {{ .Values.pdb.minAvailable }} + {{- else if .Values.pdb.maxUnavailable }} + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + {{- end }} + {{- if .Values.pdb.unhealthyPodEvictionPolicy }} + unhealthyPodEvictionPolicy: {{ .Values.pdb.unhealthyPodEvictionPolicy }} + {{- end }} + selector: + matchLabels: + app: istiod + {{- if ne .Values.revision "" }} + istio.io/rev: {{ .Values.revision | quote }} + {{- else }} + istio: pilot + {{- end }} +--- +{{- end }} +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/reader-clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/reader-clusterrole.yaml new file mode 100644 index 0000000000..dbaa805035 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/reader-clusterrole.yaml @@ -0,0 +1,62 @@ +{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istio-reader + release: {{ .Release.Name }} + app.kubernetes.io/name: "istio-reader" + {{- include "istio.labels" . | nindent 4 }} +rules: + - apiGroups: + - "config.istio.io" + - "security.istio.io" + - "networking.istio.io" + - "authentication.istio.io" + - "rbac.istio.io" + - "telemetry.istio.io" + - "extensions.istio.io" + resources: ["*"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"] + verbs: ["get", "list", "watch"] + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list" ] + resources: [ "workloadentries" ] + - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] + resources: ["gateways"] + verbs: ["get", "watch", "list"] + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch"] + - apiGroups: ["discovery.k8s.io"] + resources: ["endpointslices"] + verbs: ["get", "list", "watch"] + - apiGroups: ["{{ $mcsAPIGroup }}"] + resources: ["serviceexports"] + verbs: ["get", "list", "watch", "create", "delete"] + - apiGroups: ["{{ $mcsAPIGroup }}"] + resources: ["serviceimports"] + verbs: ["get", "list", "watch"] + - apiGroups: ["apps"] + resources: ["replicasets"] + verbs: ["get", "list", "watch"] + - apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] + - apiGroups: ["authorization.k8s.io"] + resources: ["subjectaccessreviews"] + verbs: ["create"] +{{- if .Values.istiodRemote.enabled }} + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["create", "get", "list", "watch", "update"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update"] +{{- end}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/reader-clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/reader-clusterrolebinding.yaml new file mode 100644 index 0000000000..aea9f01f7a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/reader-clusterrolebinding.yaml @@ -0,0 +1,17 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istio-reader + release: {{ .Release.Name }} + app.kubernetes.io/name: "istio-reader" + {{- include "istio.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} +subjects: + - kind: ServiceAccount + name: istio-reader-service-account + namespace: {{ .Values.global.istioNamespace }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/remote-istiod-endpoints.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/remote-istiod-endpoints.yaml new file mode 100644 index 0000000000..f13b8ce9a9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/remote-istiod-endpoints.yaml @@ -0,0 +1,30 @@ +{{- if and .Values.global.remotePilotAddress .Values.istiodRemote.enabled }} +# if the remotePilotAddress is an IP addr +{{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }} +apiVersion: v1 +kind: Endpoints +metadata: + {{- if .Values.istiodRemote.enabledLocalInjectorIstiod }} + # This file is only used for remote `istiod` installs. + # only primary `istiod` to xds and local `istiod` injection installs. + name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote + {{- else }} + name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }} + {{- end }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +subsets: +- addresses: + - ip: {{ .Values.global.remotePilotAddress }} + ports: + - port: 15012 + name: tcp-istiod + protocol: TCP + - port: 15017 + name: tcp-webhook + protocol: TCP +--- +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/remote-istiod-service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/remote-istiod-service.yaml new file mode 100644 index 0000000000..0a48b9918b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/remote-istiod-service.yaml @@ -0,0 +1,41 @@ +# This file is only used for remote +{{- if and .Values.global.remotePilotAddress .Values.istiodRemote.enabled }} +apiVersion: v1 +kind: Service +metadata: + {{- if .Values.istiodRemote.enabledLocalInjectorIstiod }} + # only primary `istiod` to xds and local `istiod` injection installs. + name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote + {{- else }} + name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }} + {{- end }} + namespace: {{ .Release.Namespace }} + labels: + istio.io/rev: {{ .Values.revision | default "default" | quote }} + app.kubernetes.io/name: "istiod" + {{ include "istio.labels" . | nindent 4 }} +spec: + ports: + - port: 15012 + name: tcp-istiod + protocol: TCP + - port: 443 + targetPort: 15017 + name: tcp-webhook + protocol: TCP + {{- if and .Values.global.remotePilotAddress (not (regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress)) }} + # if the remotePilotAddress is not an IP addr, we use ExternalName + type: ExternalName + externalName: {{ .Values.global.remotePilotAddress }} + {{- end }} +{{- if .Values.global.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.global.ipFamilyPolicy }} +{{- end }} +{{- if .Values.global.ipFamilies }} + ipFamilies: +{{- range .Values.global.ipFamilies }} + - {{ . }} +{{- end }} +{{- end }} +--- +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/revision-tags.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/revision-tags.yaml new file mode 100644 index 0000000000..06764a826e --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/revision-tags.yaml @@ -0,0 +1,149 @@ +# Adapted from istio-discovery/templates/mutatingwebhook.yaml +# Removed paths for legacy and default selectors since a revision tag +# is inherently created from a specific revision +# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that. +{{- $whv := dict +"revision" .Values.revision + "injectionPath" .Values.istiodRemote.injectionPath + "injectionURL" .Values.istiodRemote.injectionURL + "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy + "caBundle" .Values.istiodRemote.injectionCABundle + "namespace" .Release.Namespace }} +{{- define "core" }} +{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign +a unique prefix to each. */}} +- name: {{.Prefix}}sidecar-injector.istio.io + clientConfig: + {{- if .injectionURL }} + url: "{{ .injectionURL }}" + {{- else }} + service: + name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} + namespace: {{ .namespace }} + path: "{{ .injectionPath }}" + port: 443 + {{- end }} + sideEffects: None + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + reinvocationPolicy: "{{ .reinvocationPolicy }}" + admissionReviewVersions: ["v1"] +{{- end }} +{{- range $tagName := $.Values.revisionTags }} +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: +{{- if eq $.Release.Namespace "istio-system"}} + name: istio-revision-tag-{{ $tagName }} +{{- else }} + name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }} +{{- end }} + labels: + istio.io/tag: {{ $tagName }} + istio.io/rev: {{ $.Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app: sidecar-injector + release: {{ $.Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" $ | nindent 4 }} +{{- if $.Values.sidecarInjectorWebhookAnnotations }} + annotations: +{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }} +{{- end }} +webhooks: +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + - "{{ $tagName }}" + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: DoesNotExist + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + - key: istio.io/rev + operator: In + values: + - "{{ $tagName }}" + +{{- /* When the tag is "default" we want to create webhooks for the default revision */}} +{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}} +{{- if (eq $tagName "default") }} + +{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: In + values: + - enabled + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + +{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: In + values: + - "true" + - key: istio.io/rev + operator: DoesNotExist + +{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }} +{{- /* Special case 3: no labels at all */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + - key: "kubernetes.io/metadata.name" + operator: "NotIn" + values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist +{{- end }} + +{{- end }} +--- +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/role.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/role.yaml new file mode 100644 index 0000000000..bbcfbe4356 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/role.yaml @@ -0,0 +1,35 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +rules: +# permissions to verify the webhook is ready and rejecting +# invalid config. We use --server-dry-run so no config is persisted. +- apiGroups: ["networking.istio.io"] + verbs: ["create"] + resources: ["gateways"] + +# For storing CA secret +- apiGroups: [""] + resources: ["secrets"] + # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config + verbs: ["create", "get", "watch", "list", "update", "delete"] + +# For status controller, so it can delete the distribution report configmap +- apiGroups: [""] + resources: ["configmaps"] + verbs: ["delete"] + +# For gateway deployment controller +- apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "update", "patch", "create"] +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/rolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/rolebinding.yaml new file mode 100644 index 0000000000..0c66b38a7d --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/rolebinding.yaml @@ -0,0 +1,21 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} +subjects: + - kind: ServiceAccount + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/service.yaml new file mode 100644 index 0000000000..25bda4dfd2 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/service.yaml @@ -0,0 +1,57 @@ +# Not created if istiod is running remotely +{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} +apiVersion: v1 +kind: Service +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + {{- if .Values.serviceAnnotations }} + annotations: +{{ toYaml .Values.serviceAnnotations | indent 4 }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app: istiod + istio: pilot + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +spec: + ports: + - port: 15010 + name: grpc-xds # plaintext + protocol: TCP + - port: 15012 + name: https-dns # mTLS with k8s-signed cert + protocol: TCP + - port: 443 + name: https-webhook # validation and injection + targetPort: 15017 + protocol: TCP + - port: 15014 + name: http-monitoring # prometheus stats + protocol: TCP + selector: + app: istiod + {{- if ne .Values.revision "" }} + istio.io/rev: {{ .Values.revision | quote }} + {{- else }} + # Label used by the 'default' service. For versioned deployments we match with app and version. + # This avoids default deployment picking the canary + istio: pilot + {{- end }} + {{- if .Values.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.ipFamilyPolicy }} + {{- end }} + {{- if .Values.ipFamilies }} + ipFamilies: + {{- range .Values.ipFamilies }} + - {{ . }} + {{- end }} + {{- end }} + {{- if .Values.trafficDistribution }} + trafficDistribution: {{ .Values.trafficDistribution }} + {{- end }} +--- +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/serviceaccount.yaml new file mode 100644 index 0000000000..8b4a0c0faf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/serviceaccount.yaml @@ -0,0 +1,24 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} +apiVersion: v1 +kind: ServiceAccount + {{- if .Values.global.imagePullSecrets }} +imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} + {{- if .Values.serviceAccountAnnotations }} + annotations: +{{- toYaml .Values.serviceAccountAnnotations | nindent 4 }} + {{- end }} +{{- end }} +--- diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/validatingadmissionpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/validatingadmissionpolicy.yaml new file mode 100644 index 0000000000..8562a52d59 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/validatingadmissionpolicy.yaml @@ -0,0 +1,63 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} +{{- if .Values.experimental.stableValidationPolicy }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicy +metadata: + name: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" + labels: + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +spec: + failurePolicy: Fail + matchConstraints: + resourceRules: + - apiGroups: + - security.istio.io + - networking.istio.io + - telemetry.istio.io + - extensions.istio.io + apiVersions: ["*"] + operations: ["CREATE", "UPDATE"] + resources: ["*"] + objectSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + {{- if (eq .Values.revision "") }} + - "default" + {{- else }} + - "{{ .Values.revision }}" + {{- end }} + variables: + - name: isEnvoyFilter + expression: "object.kind == 'EnvoyFilter'" + - name: isWasmPlugin + expression: "object.kind == 'WasmPlugin'" + - name: isProxyConfig + expression: "object.kind == 'ProxyConfig'" + - name: isTelemetry + expression: "object.kind == 'Telemetry'" + validations: + - expression: "!variables.isEnvoyFilter" + - expression: "!variables.isWasmPlugin" + - expression: "!variables.isProxyConfig" + - expression: | + !( + variables.isTelemetry && ( + (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) || + (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) || + (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter)) + ) + ) +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicyBinding +metadata: + name: "stable-channel-policy-binding{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" +spec: + policyName: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" + validationActions: [Deny] +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/validatingwebhookconfiguration.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/validatingwebhookconfiguration.yaml new file mode 100644 index 0000000000..b49bf7fafd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/validatingwebhookconfiguration.yaml @@ -0,0 +1,68 @@ +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} +{{- if .Values.global.configValidation }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: istio-validator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} + istio: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +webhooks: + # Webhook handling per-revision validation. Mostly here so we can determine whether webhooks + # are rejecting invalid configs on a per-revision basis. + - name: rev.validation.istio.io + clientConfig: + # Should change from base but cannot for API compat + {{- if .Values.base.validationURL }} + url: {{ .Values.base.validationURL }} + {{- else }} + service: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} + path: "/validate" + {{- end }} + {{- if .Values.base.validationCABundle }} + caBundle: "{{ .Values.base.validationCABundle }}" + {{- end }} + rules: + - operations: + - CREATE + - UPDATE + apiGroups: + - security.istio.io + - networking.istio.io + - telemetry.istio.io + - extensions.istio.io + apiVersions: + - "*" + resources: + - "*" + {{- if .Values.base.validationCABundle }} + # Disable webhook controller in Pilot to stop patching it + failurePolicy: Fail + {{- else }} + # Fail open until the validation webhook is ready. The webhook controller + # will update this to `Fail` and patch in the `caBundle` when the webhook + # endpoint is ready. + failurePolicy: Ignore + {{- end }} + sideEffects: None + admissionReviewVersions: ["v1"] + objectSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + {{- if (eq .Values.revision "") }} + - "default" + {{- else }} + - "{{ .Values.revision }}" + {{- end }} +--- +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/zzy_descope_legacy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/zzy_descope_legacy.yaml new file mode 100644 index 0000000000..ae8fced298 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/zzy_descope_legacy.yaml @@ -0,0 +1,3 @@ +{{/* Copy anything under `.pilot` to `.`, to avoid the need to specify a redundant prefix. +Due to the file naming, this always happens after zzz_profile.yaml */}} +{{- $_ := mustMergeOverwrite $.Values (index $.Values "pilot") }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/zzz_profile.yaml new file mode 100644 index 0000000000..3d84956485 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/templates/zzz_profile.yaml @@ -0,0 +1,75 @@ +{{/* +WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. +The original version of this file is located at /manifests directory. +If you want to make a change in this file, edit the original one and run "make gen". + +Complex logic ahead... +We have three sets of values, in order of precedence (last wins): +1. The builtin values.yaml defaults +2. The profile the user selects +3. Users input (-f or --set) + +Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). + +However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). +We can then merge the profile onto the defaults, then the user settings onto that. +Finally, we can set all of that under .Values so the chart behaves without awareness. +*/}} +{{- if $.Values.defaults}} +{{ fail (cat + "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" + ($.Values.defaults | toYaml |nindent 4) +) }} +{{- end }} +{{- $defaults := $.Values._internal_defaults_do_not_set }} +{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} +{{- $profile := dict }} +{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} +{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} +{{- $profile = (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown profile" .) }} +{{- end }} +{{- end }} +{{- with .Values.compatibilityVersion }} +{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} +{{- end }} +{{- end }} +{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} +{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown platform" .) }} +{{- end }} +{{- end }} +{{- if $profile }} +{{- $a := mustMergeOverwrite $defaults $profile }} +{{- end }} +# Flatten globals, if defined on a per-chart basis +{{- if false }} +{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} +{{- end }} +{{- $x := set $.Values "_original" (deepCopy $.Values) }} +{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} + +{{/* +Labels that should be applied to ALL resources. +*/}} +{{- define "istio.labels" -}} +{{- if .Release.Service -}} +app.kubernetes.io/managed-by: {{ .Release.Service | quote }} +{{- end }} +{{- if .Release.Name }} +app.kubernetes.io/instance: {{ .Release.Name | quote }} +{{- end }} +app.kubernetes.io/part-of: "istio" +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +{{- if and .Chart.Name .Chart.Version }} +helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/values.yaml new file mode 100644 index 0000000000..48bb7fb12c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/istiod/values.yaml @@ -0,0 +1,573 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + autoscaleEnabled: true + autoscaleMin: 1 + autoscaleMax: 5 + autoscaleBehavior: {} + replicaCount: 1 + rollingMaxSurge: 100% + rollingMaxUnavailable: 25% + + hub: "" + tag: "" + variant: "" + + # Can be a full hub/image:tag + image: pilot + traceSampling: 1.0 + + # Resources for a small pilot install + resources: + requests: + cpu: 500m + memory: 2048Mi + + # Set to `type: RuntimeDefault` to use the default profile if available. + seccompProfile: {} + + # Whether to use an existing CNI installation + cni: + enabled: false + provider: default + + # Additional container arguments + extraContainerArgs: [] + + env: {} + + envVarFrom: [] + + # Settings related to the untaint controller + # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready + # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes + taint: + # Controls whether or not the untaint controller is active + enabled: false + # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod + namespace: "" + + affinity: {} + + tolerations: [] + + cpu: + targetAverageUtilization: 80 + memory: {} + # targetAverageUtilization: 80 + + # Additional volumeMounts to the istiod container + volumeMounts: [] + + # Additional volumes to the istiod pod + volumes: [] + + # Inject initContainers into the istiod pod + initContainers: [] + + nodeSelector: {} + podAnnotations: {} + serviceAnnotations: {} + serviceAccountAnnotations: {} + sidecarInjectorWebhookAnnotations: {} + + topologySpreadConstraints: [] + + # You can use jwksResolverExtraRootCA to provide a root certificate + # in PEM format. This will then be trusted by pilot when resolving + # JWKS URIs. + jwksResolverExtraRootCA: "" + + # The following is used to limit how long a sidecar can be connected + # to a pilot. It balances out load across pilot instances at the cost of + # increasing system churn. + keepaliveMaxServerConnectionAge: 30m + + # Additional labels to apply to the deployment. + deploymentLabels: {} + + # Annotations to apply to the istiod deployment. + deploymentAnnotations: {} + + ## Mesh config settings + + # Install the mesh config map, generated from values.yaml. + # If false, pilot wil use default values (by default) or user-supplied values. + configMap: true + + # Additional labels to apply on the pod level for monitoring and logging configuration. + podLabels: {} + + # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + ipFamilyPolicy: "" + ipFamilies: [] + + # Ambient mode only. + # Set this if you install ztunnel to a different namespace from `istiod`. + # If set, `istiod` will allow connections from trusted node proxy ztunnels + # in the provided namespace. + # If unset, `istiod` will assume the trusted node proxy ztunnel resides + # in the same namespace as itself. + trustedZtunnelNamespace: "" + # Set this if you install ztunnel with a name different from the default. + trustedZtunnelName: "" + + sidecarInjectorWebhook: + # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or + # always skip the injection on pods that match that label selector, regardless of the global policy. + # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions + neverInjectSelector: [] + alwaysInjectSelector: [] + + # injectedAnnotations are additional annotations that will be added to the pod spec after injection + # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations: + # + # annotations: + # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default + # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default + # + # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before + # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify: + # injectedAnnotations: + # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default + # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default + injectedAnnotations: {} + + # This enables injection of sidecar in all namespaces, + # with the exception of namespaces with "istio-injection:disabled" annotation + # Only one environment should have this enabled. + enableNamespacesByDefault: false + + # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run + # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten. + # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur. + reinvocationPolicy: Never + + rewriteAppHTTPProbe: true + + # Templates defines a set of custom injection templates that can be used. For example, defining: + # + # templates: + # hello: | + # metadata: + # labels: + # hello: world + # + # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod + # being injected with the hello=world labels. + # This is intended for advanced configuration only; most users should use the built in template + templates: {} + + # Default templates specifies a set of default templates that are used in sidecar injection. + # By default, a template `sidecar` is always provided, which contains the template of default sidecar. + # To inject other additional templates, define it using the `templates` option, and add it to + # the default templates list. + # For example: + # + # templates: + # hello: | + # metadata: + # labels: + # hello: world + # + # defaultTemplates: ["sidecar", "hello"] + defaultTemplates: [] + istiodRemote: + # If `true`, indicates that this cluster/install should consume a "remote istiod" installation, + # and istiod itself will NOT be installed in this cluster - only the support resources necessary + # to utilize a remote instance. + enabled: false + + # If `true`, indicates that this cluster/install should consume a "local istiod" installation, + # local istiod inject sidecars + enabledLocalInjectorIstiod: false + + # Sidecar injector mutating webhook configuration clientConfig.url value. + # For example: https://$remotePilotAddress:15017/inject + # The host should not refer to a service running in the cluster; use a service reference by specifying + # the clientConfig.service field instead. + injectionURL: "" + + # Sidecar injector mutating webhook configuration path value for the clientConfig.service field. + # Override to pass env variables, for example: /inject/cluster/remote/net/network2 + injectionPath: "/inject" + + injectionCABundle: "" + telemetry: + enabled: true + v2: + # For Null VM case now. + # This also enables metadata exchange. + enabled: true + # Indicate if prometheus stats filter is enabled or not + prometheus: + enabled: true + # stackdriver filter settings. + stackdriver: + enabled: false + # Revision is set as 'version' label and part of the resource names when installing multiple control planes. + revision: "" + + # Revision tags are aliases to Istio control plane revisions + revisionTags: [] + + # For Helm compatibility. + ownerName: "" + + # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior + # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options + meshConfig: + enablePrometheusMerge: true + + experimental: + stableValidationPolicy: false + + global: + # Used to locate istiod. + istioNamespace: istio-system + # List of cert-signers to allow "approve" action in the istio cluster role + # + # certSigners: + # - clusterissuers.cert-manager.io/istio-ca + certSigners: [] + # enable pod disruption budget for the control plane, which is used to + # ensure Istio control plane components are gradually upgraded or recovered. + defaultPodDisruptionBudget: + enabled: true + # The values aren't mutable due to a current PodDisruptionBudget limitation + # minAvailable: 1 + + # A minimal set of requested resources to applied to all deployments so that + # Horizontal Pod Autoscaler will be able to function (if set). + # Each component can overwrite these default values by adding its own resources + # block in the relevant section below and setting the desired resources values. + defaultResources: + requests: + cpu: 10m + # memory: 128Mi + # limits: + # cpu: 100m + # memory: 128Mi + + # Default hub for Istio images. + # Releases are published to docker hub under 'istio' project. + # Dev builds from prow are on gcr.io + hub: gcr.io/istio-release + # Default tag for Istio images. + tag: 1.27.8 + # Variant of the image to use. + # Currently supported are: [debug, distroless] + variant: "" + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent. + imagePullPolicy: "" + + # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) + # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + # - private-registry-key + + # Enabled by default in master for maximising testing. + istiod: + enableAnalysis: false + + # To output all istio components logs in json format by adding --log_as_json argument to each container argument + logAsJson: false + + # In order to use native nftable rules instead of iptable rules, set this flag to true. + nativeNftables: false + + # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: + # The control plane has different scopes depending on component, but can configure default log level across all components + # If empty, default scope and level will be used as configured in code + logging: + level: "default:info" + + # When enabled, default NetworkPolicy resources will be created + networkPolicy: + enabled: false + + omitSidecarInjectorConfigMap: false + + # Configure whether Operator manages webhook configurations. The current behavior + # of Istiod is to manage its own webhook configurations. + # When this option is set as true, Istio Operator, instead of webhooks, manages the + # webhook configurations. When this option is set as false, webhooks manage their + # own webhook configurations. + operatorManageWebhooks: false + + # Custom DNS config for the pod to resolve names of services in other + # clusters. Use this to add additional search domains, and other settings. + # see + # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config + # This does not apply to gateway pods as they typically need a different + # set of DNS settings than the normal application pods (e.g., in + # multicluster scenarios). + # NOTE: If using templates, follow the pattern in the commented example below. + #podDNSSearchNamespaces: + #- global + #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global" + + # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and + # system-node-critical, it is better to configure this in order to make sure your Istio pods + # will not be killed because of low priority class. + # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + # for more detail. + priorityClassName: "" + + proxy: + image: proxyv2 + + # This controls the 'policy' in the sidecar injector. + autoInject: enabled + + # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value + # cluster domain. Default value is "cluster.local". + clusterDomain: "cluster.local" + + # Per Component log level for proxy, applies to gateways and sidecars. If a component level is + # not set, then the global "logLevel" will be used. + componentLogLevel: "misc:error" + + # istio ingress capture allowlist + # examples: + # Redirect only selected ports: --includeInboundPorts="80,8080" + excludeInboundPorts: "" + includeInboundPorts: "*" + + # istio egress capture allowlist + # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly + # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" + # would only capture egress traffic on those two IP Ranges, all other outbound traffic would + # be allowed by the sidecar + includeIPRanges: "*" + excludeIPRanges: "" + includeOutboundPorts: "" + excludeOutboundPorts: "" + + # Log level for proxy, applies to gateways and sidecars. + # Expected values are: trace|debug|info|warning|error|critical|off + logLevel: warning + + # Specify the path to the outlier event log. + # Example: /dev/stdout + outlierLogPath: "" + + #If set to true, istio-proxy container will have privileged securityContext + privileged: false + + # The number of successive failed probes before indicating readiness failure. + readinessFailureThreshold: 4 + + # The initial delay for readiness probes in seconds. + readinessInitialDelaySeconds: 0 + + # The period between readiness probes. + readinessPeriodSeconds: 15 + + # Enables or disables a startup probe. + # For optimal startup times, changing this should be tied to the readiness probe values. + # + # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4. + # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval), + # and doesn't spam the readiness endpoint too much + # + # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30. + # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly. + startupProbe: + enabled: true + failureThreshold: 600 # 10 minutes + + # Resources for the sidecar. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 1024Mi + + # Default port for Pilot agent health checks. A value of 0 will disable health checking. + statusPort: 15020 + + # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none. + # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. + tracer: "none" + + proxy_init: + # Base name for the proxy_init container, used to configure iptables. + image: proxyv2 + # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures. + # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases. + forceApplyIptables: false + + # configure remote pilot and istiod service and endpoint + remotePilotAddress: "" + + ############################################################################################## + # The following values are found in other charts. To effectively modify these values, make # + # make sure they are consistent across your Istio helm charts # + ############################################################################################## + + # The customized CA address to retrieve certificates for the pods in the cluster. + # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. + # If not set explicitly, default to the Istio discovery address. + caAddress: "" + + # Enable control of remote clusters. + externalIstiod: false + + # Configure a remote cluster as the config cluster for an external istiod. + configCluster: false + + # configValidation enables the validation webhook for Istio configuration. + configValidation: true + + # Mesh ID means Mesh Identifier. It should be unique within the scope where + # meshes will interact with each other, but it is not required to be + # globally/universally unique. For example, if any of the following are true, + # then two meshes must have different Mesh IDs: + # - Meshes will have their telemetry aggregated in one place + # - Meshes will be federated together + # - Policy will be written referencing one mesh from the other + # + # If an administrator expects that any of these conditions may become true in + # the future, they should ensure their meshes have different Mesh IDs + # assigned. + # + # Within a multicluster mesh, each cluster must be (manually or auto) + # configured to have the same Mesh ID value. If an existing cluster 'joins' a + # multicluster mesh, it will need to be migrated to the new mesh ID. Details + # of migration TBD, and it may be a disruptive operation to change the Mesh + # ID post-install. + # + # If the mesh admin does not specify a value, Istio will use the value of the + # mesh's Trust Domain. The best practice is to select a proper Trust Domain + # value. + meshID: "" + + # Configure the mesh networks to be used by the Split Horizon EDS. + # + # The following example defines two networks with different endpoints association methods. + # For `network1` all endpoints that their IP belongs to the provided CIDR range will be + # mapped to network1. The gateway for this network example is specified by its public IP + # address and port. + # The second network, `network2`, in this example is defined differently with all endpoints + # retrieved through the specified Multi-Cluster registry being mapped to network2. The + # gateway is also defined differently with the name of the gateway service on the remote + # cluster. The public IP for the gateway will be determined from that remote service (only + # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, + # it still need to be configured manually). + # + # meshNetworks: + # network1: + # endpoints: + # - fromCidr: "192.168.0.1/24" + # gateways: + # - address: 1.1.1.1 + # port: 80 + # network2: + # endpoints: + # - fromRegistry: reg1 + # gateways: + # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local + # port: 443 + # + meshNetworks: {} + + # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. + mountMtlsCerts: false + + multiCluster: + # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection + # to properly label proxies + clusterName: "" + + # Network defines the network this cluster belong to. This name + # corresponds to the networks in the map of mesh networks. + network: "" + + # Configure the certificate provider for control plane communication. + # Currently, two providers are supported: "kubernetes" and "istiod". + # As some platforms may not have kubernetes signing APIs, + # Istiod is the default + pilotCertProvider: istiod + + sds: + # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. + # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the + # JWT is intended for the CA. + token: + aud: istio-ca + + sts: + # The service port used by Security Token Service (STS) server to handle token exchange requests. + # Setting this port to a non-zero value enables STS server. + servicePort: 0 + + # The name of the CA for workload certificates. + # For example, when caName=GkeWorkloadCertificate, GKE workload certificates + # will be used as the certificates for workloads. + # The default value is "" and when caName="", the CA will be configured by other + # mechanisms (e.g., environmental variable CA_PROVIDER). + caName: "" + + waypoint: + # Resources for the waypoint proxy. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: "2" + memory: 1Gi + + # If specified, affinity defines the scheduling constraints of waypoint pods. + affinity: {} + + # Topology Spread Constraints for the waypoint proxy. + topologySpreadConstraints: [] + + # Node labels for the waypoint proxy. + nodeSelector: {} + + # Tolerations for the waypoint proxy. + tolerations: [] + + base: + # For istioctl usage to disable istio config crds in base + enableIstioConfigCRDs: true + + # Gateway Settings + gateways: + # Define the security context for the pod. + # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. + # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. + securityContext: {} + + # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it + seccompProfile: {} + + # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass. + # For example: + # gatewayClasses: + # istio: + # service: + # spec: + # type: ClusterIP + # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field. + gatewayClasses: {} + + pdb: + # -- Minimum available pods set in PodDisruptionBudget. + # Define either 'minAvailable' or 'maxUnavailable', never both. + minAvailable: 1 + # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored. + # maxUnavailable: 1 + # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget. + # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/ + unhealthyPodEvictionPolicy: "" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/Chart.yaml new file mode 100644 index 0000000000..904f69c416 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/Chart.yaml @@ -0,0 +1,8 @@ +apiVersion: v2 +appVersion: 1.27.8 +description: Helm chart for istio revision tags +name: revisiontags +sources: +- https://github.com/istio-ecosystem/sail-operator +version: 0.1.0 + diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/files/profile-ambient.yaml new file mode 100644 index 0000000000..495fbcd434 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/files/profile-ambient.yaml @@ -0,0 +1,24 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" + serviceScopeConfigs: + - servicesSelector: + matchExpressions: + - key: istio.io/global + operator: In + values: ["true"] + scope: GLOBAL +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 0000000000..4f3dbef7ea --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/files/profile-compatibility-version-1.24.yaml @@ -0,0 +1,15 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + PILOT_ENABLE_IP_AUTOALLOCATE: "false" + # 1.27 behavioral changes + ENABLE_NATIVE_SIDECARS: "false" +ambient: + dnsCapture: false + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..b2f45948c2 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,11 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.27 behavioral changes + ENABLE_NATIVE_SIDECARS: "false" +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/files/profile-compatibility-version-1.26.yaml new file mode 100644 index 0000000000..af10697326 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/files/profile-compatibility-version-1.26.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.27 behavioral changes + ENABLE_NATIVE_SIDECARS: "false" \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/files/profile-demo.yaml new file mode 100644 index 0000000000..d6dc36dd0f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/files/profile-demo.yaml @@ -0,0 +1,94 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The demo profile enables a variety of things to try out Istio in non-production environments. +# * Lower resource utilization. +# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. +# * More ports enabled on the ingress, which is used in some tasks. +meshConfig: + accessLogFile: /dev/stdout + extensionProviders: + - name: otel + envoyOtelAls: + service: opentelemetry-collector.observability.svc.cluster.local + port: 4317 + - name: skywalking + skywalking: + service: tracing.istio-system.svc.cluster.local + port: 11800 + - name: otel-tracing + opentelemetry: + port: 4317 + service: opentelemetry-collector.observability.svc.cluster.local + - name: jaeger + opentelemetry: + port: 4317 + service: jaeger-collector.istio-system.svc.cluster.local + +cni: + resources: + requests: + cpu: 10m + memory: 40Mi + +ztunnel: + resources: + requests: + cpu: 10m + memory: 40Mi + +global: + proxy: + resources: + requests: + cpu: 10m + memory: 40Mi + waypoint: + resources: + requests: + cpu: 10m + memory: 40Mi + +pilot: + autoscaleEnabled: false + traceSampling: 100 + resources: + requests: + cpu: 10m + memory: 100Mi + +gateways: + istio-egressgateway: + autoscaleEnabled: false + resources: + requests: + cpu: 10m + memory: 40Mi + istio-ingressgateway: + autoscaleEnabled: false + ports: + ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. + # Note that AWS ELB will by default perform health checks on the first port + # on this list. Setting this to the health check port will ensure that health + # checks always work. https://github.com/istio/istio/issues/12503 + - port: 15021 + targetPort: 15021 + name: status-port + - port: 80 + targetPort: 8080 + name: http2 + - port: 443 + targetPort: 8443 + name: https + - port: 31400 + targetPort: 31400 + name: tcp + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + resources: + requests: + cpu: 10m + memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/files/profile-platform-gke.yaml new file mode 100644 index 0000000000..dfe8a7d741 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/files/profile-platform-gke.yaml @@ -0,0 +1,10 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work + resourceQuotas: + enabled: true +resourceQuotas: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/files/profile-platform-k3d.yaml new file mode 100644 index 0000000000..cd86d9ec58 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/files/profile-platform-k3d.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/files/profile-platform-k3s.yaml new file mode 100644 index 0000000000..07820106d9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/files/profile-platform-k3s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/files/profile-platform-microk8s.yaml new file mode 100644 index 0000000000..57d7f5e3cd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/files/profile-platform-microk8s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/snap/microk8s/current/args/cni-network + cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/files/profile-platform-minikube.yaml new file mode 100644 index 0000000000..fa9992e204 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/files/profile-platform-minikube.yaml @@ -0,0 +1,6 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/files/profile-platform-openshift.yaml new file mode 100644 index 0000000000..8ddc5e1654 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/files/profile-platform-openshift.yaml @@ -0,0 +1,19 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The OpenShift profile provides a basic set of settings to run Istio on OpenShift +cni: + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + provider: "multus" +pilot: + cni: + enabled: true + provider: "multus" +seLinuxOptions: + type: spc_t +# Openshift requires privileged pods to run in kube-system +trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/files/profile-preview.yaml new file mode 100644 index 0000000000..181d7bda2c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/files/profile-preview.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +meshConfig: + defaultConfig: + proxyMetadata: + # Enable Istio agent to handle DNS requests for known hosts + # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf + ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/files/profile-remote.yaml new file mode 100644 index 0000000000..d17b9a801a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/files/profile-remote.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. +istiodRemote: + enabled: true +configMap: false +telemetry: + enabled: false +global: + # TODO BML maybe a different profile for a configcluster/revisit this + omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/files/profile-stable.yaml new file mode 100644 index 0000000000..358282e69b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/files/profile-stable.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The stable profile deploys admission control to ensure that only stable resources and fields are used +# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE +experimental: + stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/templates/revision-tags.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/templates/revision-tags.yaml new file mode 100644 index 0000000000..06764a826e --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/templates/revision-tags.yaml @@ -0,0 +1,149 @@ +# Adapted from istio-discovery/templates/mutatingwebhook.yaml +# Removed paths for legacy and default selectors since a revision tag +# is inherently created from a specific revision +# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that. +{{- $whv := dict +"revision" .Values.revision + "injectionPath" .Values.istiodRemote.injectionPath + "injectionURL" .Values.istiodRemote.injectionURL + "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy + "caBundle" .Values.istiodRemote.injectionCABundle + "namespace" .Release.Namespace }} +{{- define "core" }} +{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign +a unique prefix to each. */}} +- name: {{.Prefix}}sidecar-injector.istio.io + clientConfig: + {{- if .injectionURL }} + url: "{{ .injectionURL }}" + {{- else }} + service: + name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} + namespace: {{ .namespace }} + path: "{{ .injectionPath }}" + port: 443 + {{- end }} + sideEffects: None + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + reinvocationPolicy: "{{ .reinvocationPolicy }}" + admissionReviewVersions: ["v1"] +{{- end }} +{{- range $tagName := $.Values.revisionTags }} +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: +{{- if eq $.Release.Namespace "istio-system"}} + name: istio-revision-tag-{{ $tagName }} +{{- else }} + name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }} +{{- end }} + labels: + istio.io/tag: {{ $tagName }} + istio.io/rev: {{ $.Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app: sidecar-injector + release: {{ $.Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" $ | nindent 4 }} +{{- if $.Values.sidecarInjectorWebhookAnnotations }} + annotations: +{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }} +{{- end }} +webhooks: +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + - "{{ $tagName }}" + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: DoesNotExist + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + - key: istio.io/rev + operator: In + values: + - "{{ $tagName }}" + +{{- /* When the tag is "default" we want to create webhooks for the default revision */}} +{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}} +{{- if (eq $tagName "default") }} + +{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: In + values: + - enabled + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + +{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: In + values: + - "true" + - key: istio.io/rev + operator: DoesNotExist + +{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }} +{{- /* Special case 3: no labels at all */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + - key: "kubernetes.io/metadata.name" + operator: "NotIn" + values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist +{{- end }} + +{{- end }} +--- +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/templates/zzz_profile.yaml new file mode 100644 index 0000000000..3d84956485 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/templates/zzz_profile.yaml @@ -0,0 +1,75 @@ +{{/* +WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. +The original version of this file is located at /manifests directory. +If you want to make a change in this file, edit the original one and run "make gen". + +Complex logic ahead... +We have three sets of values, in order of precedence (last wins): +1. The builtin values.yaml defaults +2. The profile the user selects +3. Users input (-f or --set) + +Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). + +However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). +We can then merge the profile onto the defaults, then the user settings onto that. +Finally, we can set all of that under .Values so the chart behaves without awareness. +*/}} +{{- if $.Values.defaults}} +{{ fail (cat + "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" + ($.Values.defaults | toYaml |nindent 4) +) }} +{{- end }} +{{- $defaults := $.Values._internal_defaults_do_not_set }} +{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} +{{- $profile := dict }} +{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} +{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} +{{- $profile = (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown profile" .) }} +{{- end }} +{{- end }} +{{- with .Values.compatibilityVersion }} +{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} +{{- end }} +{{- end }} +{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} +{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown platform" .) }} +{{- end }} +{{- end }} +{{- if $profile }} +{{- $a := mustMergeOverwrite $defaults $profile }} +{{- end }} +# Flatten globals, if defined on a per-chart basis +{{- if false }} +{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} +{{- end }} +{{- $x := set $.Values "_original" (deepCopy $.Values) }} +{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} + +{{/* +Labels that should be applied to ALL resources. +*/}} +{{- define "istio.labels" -}} +{{- if .Release.Service -}} +app.kubernetes.io/managed-by: {{ .Release.Service | quote }} +{{- end }} +{{- if .Release.Name }} +app.kubernetes.io/instance: {{ .Release.Name | quote }} +{{- end }} +app.kubernetes.io/part-of: "istio" +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +{{- if and .Chart.Name .Chart.Version }} +helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/values.yaml new file mode 100644 index 0000000000..48bb7fb12c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/revisiontags/values.yaml @@ -0,0 +1,573 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + autoscaleEnabled: true + autoscaleMin: 1 + autoscaleMax: 5 + autoscaleBehavior: {} + replicaCount: 1 + rollingMaxSurge: 100% + rollingMaxUnavailable: 25% + + hub: "" + tag: "" + variant: "" + + # Can be a full hub/image:tag + image: pilot + traceSampling: 1.0 + + # Resources for a small pilot install + resources: + requests: + cpu: 500m + memory: 2048Mi + + # Set to `type: RuntimeDefault` to use the default profile if available. + seccompProfile: {} + + # Whether to use an existing CNI installation + cni: + enabled: false + provider: default + + # Additional container arguments + extraContainerArgs: [] + + env: {} + + envVarFrom: [] + + # Settings related to the untaint controller + # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready + # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes + taint: + # Controls whether or not the untaint controller is active + enabled: false + # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod + namespace: "" + + affinity: {} + + tolerations: [] + + cpu: + targetAverageUtilization: 80 + memory: {} + # targetAverageUtilization: 80 + + # Additional volumeMounts to the istiod container + volumeMounts: [] + + # Additional volumes to the istiod pod + volumes: [] + + # Inject initContainers into the istiod pod + initContainers: [] + + nodeSelector: {} + podAnnotations: {} + serviceAnnotations: {} + serviceAccountAnnotations: {} + sidecarInjectorWebhookAnnotations: {} + + topologySpreadConstraints: [] + + # You can use jwksResolverExtraRootCA to provide a root certificate + # in PEM format. This will then be trusted by pilot when resolving + # JWKS URIs. + jwksResolverExtraRootCA: "" + + # The following is used to limit how long a sidecar can be connected + # to a pilot. It balances out load across pilot instances at the cost of + # increasing system churn. + keepaliveMaxServerConnectionAge: 30m + + # Additional labels to apply to the deployment. + deploymentLabels: {} + + # Annotations to apply to the istiod deployment. + deploymentAnnotations: {} + + ## Mesh config settings + + # Install the mesh config map, generated from values.yaml. + # If false, pilot wil use default values (by default) or user-supplied values. + configMap: true + + # Additional labels to apply on the pod level for monitoring and logging configuration. + podLabels: {} + + # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + ipFamilyPolicy: "" + ipFamilies: [] + + # Ambient mode only. + # Set this if you install ztunnel to a different namespace from `istiod`. + # If set, `istiod` will allow connections from trusted node proxy ztunnels + # in the provided namespace. + # If unset, `istiod` will assume the trusted node proxy ztunnel resides + # in the same namespace as itself. + trustedZtunnelNamespace: "" + # Set this if you install ztunnel with a name different from the default. + trustedZtunnelName: "" + + sidecarInjectorWebhook: + # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or + # always skip the injection on pods that match that label selector, regardless of the global policy. + # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions + neverInjectSelector: [] + alwaysInjectSelector: [] + + # injectedAnnotations are additional annotations that will be added to the pod spec after injection + # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations: + # + # annotations: + # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default + # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default + # + # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before + # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify: + # injectedAnnotations: + # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default + # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default + injectedAnnotations: {} + + # This enables injection of sidecar in all namespaces, + # with the exception of namespaces with "istio-injection:disabled" annotation + # Only one environment should have this enabled. + enableNamespacesByDefault: false + + # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run + # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten. + # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur. + reinvocationPolicy: Never + + rewriteAppHTTPProbe: true + + # Templates defines a set of custom injection templates that can be used. For example, defining: + # + # templates: + # hello: | + # metadata: + # labels: + # hello: world + # + # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod + # being injected with the hello=world labels. + # This is intended for advanced configuration only; most users should use the built in template + templates: {} + + # Default templates specifies a set of default templates that are used in sidecar injection. + # By default, a template `sidecar` is always provided, which contains the template of default sidecar. + # To inject other additional templates, define it using the `templates` option, and add it to + # the default templates list. + # For example: + # + # templates: + # hello: | + # metadata: + # labels: + # hello: world + # + # defaultTemplates: ["sidecar", "hello"] + defaultTemplates: [] + istiodRemote: + # If `true`, indicates that this cluster/install should consume a "remote istiod" installation, + # and istiod itself will NOT be installed in this cluster - only the support resources necessary + # to utilize a remote instance. + enabled: false + + # If `true`, indicates that this cluster/install should consume a "local istiod" installation, + # local istiod inject sidecars + enabledLocalInjectorIstiod: false + + # Sidecar injector mutating webhook configuration clientConfig.url value. + # For example: https://$remotePilotAddress:15017/inject + # The host should not refer to a service running in the cluster; use a service reference by specifying + # the clientConfig.service field instead. + injectionURL: "" + + # Sidecar injector mutating webhook configuration path value for the clientConfig.service field. + # Override to pass env variables, for example: /inject/cluster/remote/net/network2 + injectionPath: "/inject" + + injectionCABundle: "" + telemetry: + enabled: true + v2: + # For Null VM case now. + # This also enables metadata exchange. + enabled: true + # Indicate if prometheus stats filter is enabled or not + prometheus: + enabled: true + # stackdriver filter settings. + stackdriver: + enabled: false + # Revision is set as 'version' label and part of the resource names when installing multiple control planes. + revision: "" + + # Revision tags are aliases to Istio control plane revisions + revisionTags: [] + + # For Helm compatibility. + ownerName: "" + + # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior + # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options + meshConfig: + enablePrometheusMerge: true + + experimental: + stableValidationPolicy: false + + global: + # Used to locate istiod. + istioNamespace: istio-system + # List of cert-signers to allow "approve" action in the istio cluster role + # + # certSigners: + # - clusterissuers.cert-manager.io/istio-ca + certSigners: [] + # enable pod disruption budget for the control plane, which is used to + # ensure Istio control plane components are gradually upgraded or recovered. + defaultPodDisruptionBudget: + enabled: true + # The values aren't mutable due to a current PodDisruptionBudget limitation + # minAvailable: 1 + + # A minimal set of requested resources to applied to all deployments so that + # Horizontal Pod Autoscaler will be able to function (if set). + # Each component can overwrite these default values by adding its own resources + # block in the relevant section below and setting the desired resources values. + defaultResources: + requests: + cpu: 10m + # memory: 128Mi + # limits: + # cpu: 100m + # memory: 128Mi + + # Default hub for Istio images. + # Releases are published to docker hub under 'istio' project. + # Dev builds from prow are on gcr.io + hub: gcr.io/istio-release + # Default tag for Istio images. + tag: 1.27.8 + # Variant of the image to use. + # Currently supported are: [debug, distroless] + variant: "" + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent. + imagePullPolicy: "" + + # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) + # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + # - private-registry-key + + # Enabled by default in master for maximising testing. + istiod: + enableAnalysis: false + + # To output all istio components logs in json format by adding --log_as_json argument to each container argument + logAsJson: false + + # In order to use native nftable rules instead of iptable rules, set this flag to true. + nativeNftables: false + + # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: + # The control plane has different scopes depending on component, but can configure default log level across all components + # If empty, default scope and level will be used as configured in code + logging: + level: "default:info" + + # When enabled, default NetworkPolicy resources will be created + networkPolicy: + enabled: false + + omitSidecarInjectorConfigMap: false + + # Configure whether Operator manages webhook configurations. The current behavior + # of Istiod is to manage its own webhook configurations. + # When this option is set as true, Istio Operator, instead of webhooks, manages the + # webhook configurations. When this option is set as false, webhooks manage their + # own webhook configurations. + operatorManageWebhooks: false + + # Custom DNS config for the pod to resolve names of services in other + # clusters. Use this to add additional search domains, and other settings. + # see + # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config + # This does not apply to gateway pods as they typically need a different + # set of DNS settings than the normal application pods (e.g., in + # multicluster scenarios). + # NOTE: If using templates, follow the pattern in the commented example below. + #podDNSSearchNamespaces: + #- global + #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global" + + # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and + # system-node-critical, it is better to configure this in order to make sure your Istio pods + # will not be killed because of low priority class. + # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + # for more detail. + priorityClassName: "" + + proxy: + image: proxyv2 + + # This controls the 'policy' in the sidecar injector. + autoInject: enabled + + # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value + # cluster domain. Default value is "cluster.local". + clusterDomain: "cluster.local" + + # Per Component log level for proxy, applies to gateways and sidecars. If a component level is + # not set, then the global "logLevel" will be used. + componentLogLevel: "misc:error" + + # istio ingress capture allowlist + # examples: + # Redirect only selected ports: --includeInboundPorts="80,8080" + excludeInboundPorts: "" + includeInboundPorts: "*" + + # istio egress capture allowlist + # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly + # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" + # would only capture egress traffic on those two IP Ranges, all other outbound traffic would + # be allowed by the sidecar + includeIPRanges: "*" + excludeIPRanges: "" + includeOutboundPorts: "" + excludeOutboundPorts: "" + + # Log level for proxy, applies to gateways and sidecars. + # Expected values are: trace|debug|info|warning|error|critical|off + logLevel: warning + + # Specify the path to the outlier event log. + # Example: /dev/stdout + outlierLogPath: "" + + #If set to true, istio-proxy container will have privileged securityContext + privileged: false + + # The number of successive failed probes before indicating readiness failure. + readinessFailureThreshold: 4 + + # The initial delay for readiness probes in seconds. + readinessInitialDelaySeconds: 0 + + # The period between readiness probes. + readinessPeriodSeconds: 15 + + # Enables or disables a startup probe. + # For optimal startup times, changing this should be tied to the readiness probe values. + # + # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4. + # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval), + # and doesn't spam the readiness endpoint too much + # + # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30. + # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly. + startupProbe: + enabled: true + failureThreshold: 600 # 10 minutes + + # Resources for the sidecar. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 1024Mi + + # Default port for Pilot agent health checks. A value of 0 will disable health checking. + statusPort: 15020 + + # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none. + # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. + tracer: "none" + + proxy_init: + # Base name for the proxy_init container, used to configure iptables. + image: proxyv2 + # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures. + # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases. + forceApplyIptables: false + + # configure remote pilot and istiod service and endpoint + remotePilotAddress: "" + + ############################################################################################## + # The following values are found in other charts. To effectively modify these values, make # + # make sure they are consistent across your Istio helm charts # + ############################################################################################## + + # The customized CA address to retrieve certificates for the pods in the cluster. + # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. + # If not set explicitly, default to the Istio discovery address. + caAddress: "" + + # Enable control of remote clusters. + externalIstiod: false + + # Configure a remote cluster as the config cluster for an external istiod. + configCluster: false + + # configValidation enables the validation webhook for Istio configuration. + configValidation: true + + # Mesh ID means Mesh Identifier. It should be unique within the scope where + # meshes will interact with each other, but it is not required to be + # globally/universally unique. For example, if any of the following are true, + # then two meshes must have different Mesh IDs: + # - Meshes will have their telemetry aggregated in one place + # - Meshes will be federated together + # - Policy will be written referencing one mesh from the other + # + # If an administrator expects that any of these conditions may become true in + # the future, they should ensure their meshes have different Mesh IDs + # assigned. + # + # Within a multicluster mesh, each cluster must be (manually or auto) + # configured to have the same Mesh ID value. If an existing cluster 'joins' a + # multicluster mesh, it will need to be migrated to the new mesh ID. Details + # of migration TBD, and it may be a disruptive operation to change the Mesh + # ID post-install. + # + # If the mesh admin does not specify a value, Istio will use the value of the + # mesh's Trust Domain. The best practice is to select a proper Trust Domain + # value. + meshID: "" + + # Configure the mesh networks to be used by the Split Horizon EDS. + # + # The following example defines two networks with different endpoints association methods. + # For `network1` all endpoints that their IP belongs to the provided CIDR range will be + # mapped to network1. The gateway for this network example is specified by its public IP + # address and port. + # The second network, `network2`, in this example is defined differently with all endpoints + # retrieved through the specified Multi-Cluster registry being mapped to network2. The + # gateway is also defined differently with the name of the gateway service on the remote + # cluster. The public IP for the gateway will be determined from that remote service (only + # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, + # it still need to be configured manually). + # + # meshNetworks: + # network1: + # endpoints: + # - fromCidr: "192.168.0.1/24" + # gateways: + # - address: 1.1.1.1 + # port: 80 + # network2: + # endpoints: + # - fromRegistry: reg1 + # gateways: + # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local + # port: 443 + # + meshNetworks: {} + + # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. + mountMtlsCerts: false + + multiCluster: + # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection + # to properly label proxies + clusterName: "" + + # Network defines the network this cluster belong to. This name + # corresponds to the networks in the map of mesh networks. + network: "" + + # Configure the certificate provider for control plane communication. + # Currently, two providers are supported: "kubernetes" and "istiod". + # As some platforms may not have kubernetes signing APIs, + # Istiod is the default + pilotCertProvider: istiod + + sds: + # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. + # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the + # JWT is intended for the CA. + token: + aud: istio-ca + + sts: + # The service port used by Security Token Service (STS) server to handle token exchange requests. + # Setting this port to a non-zero value enables STS server. + servicePort: 0 + + # The name of the CA for workload certificates. + # For example, when caName=GkeWorkloadCertificate, GKE workload certificates + # will be used as the certificates for workloads. + # The default value is "" and when caName="", the CA will be configured by other + # mechanisms (e.g., environmental variable CA_PROVIDER). + caName: "" + + waypoint: + # Resources for the waypoint proxy. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: "2" + memory: 1Gi + + # If specified, affinity defines the scheduling constraints of waypoint pods. + affinity: {} + + # Topology Spread Constraints for the waypoint proxy. + topologySpreadConstraints: [] + + # Node labels for the waypoint proxy. + nodeSelector: {} + + # Tolerations for the waypoint proxy. + tolerations: [] + + base: + # For istioctl usage to disable istio config crds in base + enableIstioConfigCRDs: true + + # Gateway Settings + gateways: + # Define the security context for the pod. + # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. + # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. + securityContext: {} + + # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it + seccompProfile: {} + + # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass. + # For example: + # gatewayClasses: + # istio: + # service: + # spec: + # type: ClusterIP + # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field. + gatewayClasses: {} + + pdb: + # -- Minimum available pods set in PodDisruptionBudget. + # Define either 'minAvailable' or 'maxUnavailable', never both. + minAvailable: 1 + # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored. + # maxUnavailable: 1 + # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget. + # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/ + unhealthyPodEvictionPolicy: "" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/Chart.yaml new file mode 100644 index 0000000000..df21fd7b2a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +appVersion: 1.27.8 +description: Helm chart for istio ztunnel components +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio-ztunnel +- istio +name: ztunnel +sources: +- https://github.com/istio/istio +version: 1.27.8 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/README.md new file mode 100644 index 0000000000..ffe0b94fe8 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/README.md @@ -0,0 +1,50 @@ +# Istio Ztunnel Helm Chart + +This chart installs an Istio ztunnel. + +## Setup Repo Info + +```console +helm repo add istio https://istio-release.storage.googleapis.com/charts +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Installing the Chart + +To install the chart: + +```console +helm install ztunnel istio/ztunnel +``` + +## Uninstalling the Chart + +To uninstall/delete the chart: + +```console +helm delete ztunnel +``` + +## Configuration + +To view support configuration options and documentation, run: + +```console +helm show values istio/ztunnel +``` + +### Profiles + +Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. +These can be set with `--set profile=`. +For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. + +For consistency, the same profiles are used across each chart, even if they do not impact a given chart. + +Explicitly set values have highest priority, then profile settings, then chart defaults. + +As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. +When configuring the chart, you should not include this. +That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/files/profile-ambient.yaml new file mode 100644 index 0000000000..495fbcd434 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/files/profile-ambient.yaml @@ -0,0 +1,24 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" + serviceScopeConfigs: + - servicesSelector: + matchExpressions: + - key: istio.io/global + operator: In + values: ["true"] + scope: GLOBAL +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/files/profile-compatibility-version-1.24.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/files/profile-compatibility-version-1.24.yaml new file mode 100644 index 0000000000..4f3dbef7ea --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/files/profile-compatibility-version-1.24.yaml @@ -0,0 +1,15 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.24 behavioral changes + PILOT_ENABLE_IP_AUTOALLOCATE: "false" + # 1.27 behavioral changes + ENABLE_NATIVE_SIDECARS: "false" +ambient: + dnsCapture: false + reconcileIptablesOnStartup: false + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..b2f45948c2 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,11 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.27 behavioral changes + ENABLE_NATIVE_SIDECARS: "false" +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/files/profile-compatibility-version-1.26.yaml new file mode 100644 index 0000000000..af10697326 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/files/profile-compatibility-version-1.26.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.27 behavioral changes + ENABLE_NATIVE_SIDECARS: "false" \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/files/profile-demo.yaml new file mode 100644 index 0000000000..d6dc36dd0f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/files/profile-demo.yaml @@ -0,0 +1,94 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The demo profile enables a variety of things to try out Istio in non-production environments. +# * Lower resource utilization. +# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. +# * More ports enabled on the ingress, which is used in some tasks. +meshConfig: + accessLogFile: /dev/stdout + extensionProviders: + - name: otel + envoyOtelAls: + service: opentelemetry-collector.observability.svc.cluster.local + port: 4317 + - name: skywalking + skywalking: + service: tracing.istio-system.svc.cluster.local + port: 11800 + - name: otel-tracing + opentelemetry: + port: 4317 + service: opentelemetry-collector.observability.svc.cluster.local + - name: jaeger + opentelemetry: + port: 4317 + service: jaeger-collector.istio-system.svc.cluster.local + +cni: + resources: + requests: + cpu: 10m + memory: 40Mi + +ztunnel: + resources: + requests: + cpu: 10m + memory: 40Mi + +global: + proxy: + resources: + requests: + cpu: 10m + memory: 40Mi + waypoint: + resources: + requests: + cpu: 10m + memory: 40Mi + +pilot: + autoscaleEnabled: false + traceSampling: 100 + resources: + requests: + cpu: 10m + memory: 100Mi + +gateways: + istio-egressgateway: + autoscaleEnabled: false + resources: + requests: + cpu: 10m + memory: 40Mi + istio-ingressgateway: + autoscaleEnabled: false + ports: + ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. + # Note that AWS ELB will by default perform health checks on the first port + # on this list. Setting this to the health check port will ensure that health + # checks always work. https://github.com/istio/istio/issues/12503 + - port: 15021 + targetPort: 15021 + name: status-port + - port: 80 + targetPort: 8080 + name: http2 + - port: 443 + targetPort: 8443 + name: https + - port: 31400 + targetPort: 31400 + name: tcp + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + resources: + requests: + cpu: 10m + memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/files/profile-platform-gke.yaml new file mode 100644 index 0000000000..dfe8a7d741 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/files/profile-platform-gke.yaml @@ -0,0 +1,10 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work + resourceQuotas: + enabled: true +resourceQuotas: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/files/profile-platform-k3d.yaml new file mode 100644 index 0000000000..cd86d9ec58 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/files/profile-platform-k3d.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/files/profile-platform-k3s.yaml new file mode 100644 index 0000000000..07820106d9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/files/profile-platform-k3s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/files/profile-platform-microk8s.yaml new file mode 100644 index 0000000000..57d7f5e3cd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/files/profile-platform-microk8s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/snap/microk8s/current/args/cni-network + cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/files/profile-platform-minikube.yaml new file mode 100644 index 0000000000..fa9992e204 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/files/profile-platform-minikube.yaml @@ -0,0 +1,6 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/files/profile-platform-openshift.yaml new file mode 100644 index 0000000000..8ddc5e1654 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/files/profile-platform-openshift.yaml @@ -0,0 +1,19 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The OpenShift profile provides a basic set of settings to run Istio on OpenShift +cni: + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + provider: "multus" +pilot: + cni: + enabled: true + provider: "multus" +seLinuxOptions: + type: spc_t +# Openshift requires privileged pods to run in kube-system +trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/files/profile-preview.yaml new file mode 100644 index 0000000000..181d7bda2c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/files/profile-preview.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +meshConfig: + defaultConfig: + proxyMetadata: + # Enable Istio agent to handle DNS requests for known hosts + # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf + ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/files/profile-remote.yaml new file mode 100644 index 0000000000..d17b9a801a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/files/profile-remote.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. +istiodRemote: + enabled: true +configMap: false +telemetry: + enabled: false +global: + # TODO BML maybe a different profile for a configcluster/revisit this + omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/files/profile-stable.yaml new file mode 100644 index 0000000000..358282e69b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/files/profile-stable.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The stable profile deploys admission control to ensure that only stable resources and fields are used +# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE +experimental: + stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/templates/NOTES.txt new file mode 100644 index 0000000000..244f59db06 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/templates/NOTES.txt @@ -0,0 +1,5 @@ +ztunnel successfully installed! + +To learn more about the release, try: + $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} + $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/templates/_helpers.tpl new file mode 100644 index 0000000000..46a7a0b79d --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/templates/_helpers.tpl @@ -0,0 +1 @@ +{{ define "ztunnel.release-name" }}{{ .Values.resourceName| default "ztunnel" }}{{ end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/templates/daemonset.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/templates/daemonset.yaml new file mode 100644 index 0000000000..7de85a2d18 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/templates/daemonset.yaml @@ -0,0 +1,210 @@ +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ include "ztunnel.release-name" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: ztunnel + {{- include "istio.labels" . | nindent 4}} + {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }} + annotations: +{{- if .Values.revision }} + {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }} + {{- toYaml $annos | nindent 4}} +{{- else }} + {{- .Values.annotations | toYaml | nindent 4 }} +{{- end }} +spec: + {{- with .Values.updateStrategy }} + updateStrategy: + {{- toYaml . | nindent 4 }} + {{- end }} + selector: + matchLabels: + app: ztunnel + template: + metadata: + labels: + sidecar.istio.io/inject: "false" + istio.io/dataplane-mode: none + app: ztunnel + app.kubernetes.io/name: ztunnel + {{- include "istio.labels" . | nindent 8}} +{{ with .Values.podLabels -}}{{ toYaml . | indent 8 }}{{ end }} + annotations: + sidecar.istio.io/inject: "false" +{{- if .Values.revision }} + istio.io/rev: {{ .Values.revision }} +{{- end }} +{{ with .Values.podAnnotations -}}{{ toYaml . | indent 8 }}{{ end }} + spec: + nodeSelector: + kubernetes.io/os: linux +{{- if .Values.nodeSelector }} +{{ toYaml .Values.nodeSelector | indent 8 }} +{{- end }} +{{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | trim | indent 8 }} +{{- end }} + serviceAccountName: {{ include "ztunnel.release-name" . }} +{{- if .Values.tolerations }} + tolerations: +{{ toYaml .Values.tolerations | trim | indent 8 }} +{{- end }} + containers: + - name: istio-proxy +{{- if contains "/" .Values.image }} + image: "{{ .Values.image }}" +{{- else }} + image: "{{ .Values.hub }}/{{ .Values.image | default "ztunnel" }}:{{ .Values.tag }}{{with (.Values.variant )}}-{{.}}{{end}}" +{{- end }} + ports: + - containerPort: 15020 + name: ztunnel-stats + protocol: TCP + resources: +{{- if .Values.resources }} +{{ toYaml .Values.resources | trim | indent 10 }} +{{- end }} +{{- with .Values.imagePullPolicy }} + imagePullPolicy: {{ . }} +{{- end }} + securityContext: + # K8S docs are clear that CAP_SYS_ADMIN *or* privileged: true + # both force this to `true`: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + # But there is a K8S validation bug that doesn't propery catch this: https://github.com/kubernetes/kubernetes/issues/119568 + allowPrivilegeEscalation: true + privileged: false + capabilities: + drop: + - ALL + add: # See https://man7.org/linux/man-pages/man7/capabilities.7.html + - NET_ADMIN # Required for TPROXY and setsockopt + - SYS_ADMIN # Required for `setns` - doing things in other netns + - NET_RAW # Required for RAW/PACKET sockets, TPROXY + readOnlyRootFilesystem: true + runAsGroup: 1337 + runAsNonRoot: false + runAsUser: 0 +{{- if .Values.seLinuxOptions }} + seLinuxOptions: +{{ toYaml .Values.seLinuxOptions | trim | indent 12 }} +{{- end }} + readinessProbe: + httpGet: + port: 15021 + path: /healthz/ready + args: + - proxy + - ztunnel + env: + - name: CA_ADDRESS + {{- if .Values.caAddress }} + value: {{ .Values.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012 + {{- end }} + - name: XDS_ADDRESS + {{- if .Values.xdsAddress }} + value: {{ .Values.xdsAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012 + {{- end }} + {{- if .Values.logAsJson }} + - name: LOG_FORMAT + value: json + {{- end}} + {{- if .Values.network }} + - name: NETWORK + value: {{ .Values.network | quote }} + {{- end }} + - name: RUST_LOG + value: {{ .Values.logLevel | quote }} + - name: RUST_BACKTRACE + value: "1" + - name: ISTIO_META_CLUSTER_ID + value: {{ .Values.multiCluster.clusterName | default "Kubernetes" }} + - name: INPOD_ENABLED + value: "true" + - name: TERMINATION_GRACE_PERIOD_SECONDS + value: "{{ .Values.terminationGracePeriodSeconds }}" + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + {{- if .Values.meshConfig.defaultConfig.proxyMetadata }} + {{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata}} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + - name: ZTUNNEL_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + {{- with .Values.env }} + {{- range $key, $val := . }} + - name: {{ $key }} + value: "{{ $val }}" + {{- end }} + {{- end }} + volumeMounts: + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + - mountPath: /var/run/secrets/tokens + name: istio-token + - mountPath: /var/run/ztunnel + name: cni-ztunnel-sock-dir + - mountPath: /tmp + name: tmp + {{- with .Values.volumeMounts }} + {{- toYaml . | nindent 8 }} + {{- end }} + priorityClassName: system-node-critical + terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} + volumes: + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: istio-ca + - name: istiod-ca-cert + {{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:{{ .Values.trustBundleName | default "root-cert" }} + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + - name: cni-ztunnel-sock-dir + hostPath: + path: /var/run/ztunnel + type: DirectoryOrCreate # ideally this would be a socket, but istio-cni may not have started yet. + # pprof needs a writable /tmp, and we don't have that thanks to `readOnlyRootFilesystem: true`, so mount one + - name: tmp + emptyDir: {} + {{- with .Values.volumes }} + {{- toYaml . | nindent 6}} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/templates/networkpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/templates/networkpolicy.yaml new file mode 100644 index 0000000000..b397c64c82 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/templates/networkpolicy.yaml @@ -0,0 +1,62 @@ +{{- if (.Values.global.networkPolicy).enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ include "ztunnel.release-name" . }}{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: ztunnel + app.kubernetes.io/name: ztunnel + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Ztunnel" + release: {{ .Release.Name }} + {{- include "istio.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + app: ztunnel + policyTypes: + - Ingress + - Egress + ingress: + # Readiness probe + - from: [] + ports: + - protocol: TCP + port: 15021 + # Monitoring/prometheus + - from: [] + ports: + - protocol: TCP + port: 15020 # Metrics + # Admin interface + - from: [] + ports: + - protocol: TCP + port: 15000 # Admin interface + # HBONE traffic + - from: [] + ports: + - protocol: TCP + port: 15008 + # Outbound traffic endpoint + - from: [] + ports: + - protocol: TCP + port: 15001 + # Traffic endpoint for inbound plaintext + - from: [] + ports: + - protocol: TCP + port: 15006 + # DNS Captures + - from: [ ] + ports: + - protocol: TCP + port: 15053 + - protocol: UDP + port: 15053 + egress: + # Allow all egress + - {} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/templates/rbac.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/templates/rbac.yaml new file mode 100644 index 0000000000..0a8138c9a3 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/templates/rbac.yaml @@ -0,0 +1,72 @@ +apiVersion: v1 +kind: ServiceAccount + {{- with .Values.imagePullSecrets }} +imagePullSecrets: + {{- range . }} + - name: {{ . }} + {{- end }} + {{- end }} +metadata: + name: {{ include "ztunnel.release-name" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: ztunnel + {{- include "istio.labels" . | nindent 4}} + {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }} + annotations: +{{- if .Values.revision }} + {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }} + {{- toYaml $annos | nindent 4}} +{{- else }} + {{- .Values.annotations | toYaml | nindent 4 }} +{{- end }} +--- +{{- if (eq (.Values.platform | default "") "openshift") }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "ztunnel.release-name" . }} + labels: + app: ztunnel + release: {{ include "ztunnel.release-name" . }} + app.kubernetes.io/name: ztunnel + {{- include "istio.labels" . | nindent 4}} + annotations: +{{- if .Values.revision }} + {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }} + {{- toYaml $annos | nindent 4}} +{{- else }} + {{- .Values.annotations | toYaml | nindent 4 }} +{{- end }} +rules: +- apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: ["privileged"] + verbs: ["use"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "ztunnel.release-name" . }} + labels: + app: ztunnel + release: {{ include "ztunnel.release-name" . }} + app.kubernetes.io/name: ztunnel + {{- include "istio.labels" . | nindent 4}} + annotations: +{{- if .Values.revision }} + {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }} + {{- toYaml $annos | nindent 4}} +{{- else }} + {{- .Values.annotations | toYaml | nindent 4 }} +{{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "ztunnel.release-name" . }} +subjects: +- kind: ServiceAccount + name: {{ include "ztunnel.release-name" . }} + namespace: {{ .Release.Namespace }} +{{- end }} +--- diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/templates/resourcequota.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/templates/resourcequota.yaml new file mode 100644 index 0000000000..a1c0e5496d --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/templates/resourcequota.yaml @@ -0,0 +1,20 @@ +{{- if .Values.resourceQuotas.enabled }} +apiVersion: v1 +kind: ResourceQuota +metadata: + name: {{ include "ztunnel.release-name" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: ztunnel + {{- include "istio.labels" . | nindent 4}} + {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }} +spec: + hard: + pods: {{ .Values.resourceQuotas.pods | quote }} + scopeSelector: + matchExpressions: + - operator: In + scopeName: PriorityClass + values: + - system-node-critical +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/templates/zzz_profile.yaml new file mode 100644 index 0000000000..606c556697 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/templates/zzz_profile.yaml @@ -0,0 +1,75 @@ +{{/* +WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. +The original version of this file is located at /manifests directory. +If you want to make a change in this file, edit the original one and run "make gen". + +Complex logic ahead... +We have three sets of values, in order of precedence (last wins): +1. The builtin values.yaml defaults +2. The profile the user selects +3. Users input (-f or --set) + +Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). + +However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). +We can then merge the profile onto the defaults, then the user settings onto that. +Finally, we can set all of that under .Values so the chart behaves without awareness. +*/}} +{{- if $.Values.defaults}} +{{ fail (cat + "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" + ($.Values.defaults | toYaml |nindent 4) +) }} +{{- end }} +{{- $defaults := $.Values._internal_defaults_do_not_set }} +{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} +{{- $profile := dict }} +{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} +{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} +{{- $profile = (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown profile" .) }} +{{- end }} +{{- end }} +{{- with .Values.compatibilityVersion }} +{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} +{{- end }} +{{- end }} +{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} +{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown platform" .) }} +{{- end }} +{{- end }} +{{- if $profile }} +{{- $a := mustMergeOverwrite $defaults $profile }} +{{- end }} +# Flatten globals, if defined on a per-chart basis +{{- if true }} +{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} +{{- end }} +{{- $x := set $.Values "_original" (deepCopy $.Values) }} +{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} + +{{/* +Labels that should be applied to ALL resources. +*/}} +{{- define "istio.labels" -}} +{{- if .Release.Service -}} +app.kubernetes.io/managed-by: {{ .Release.Service | quote }} +{{- end }} +{{- if .Release.Name }} +app.kubernetes.io/instance: {{ .Release.Name | quote }} +{{- end }} +app.kubernetes.io/part-of: "istio" +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +{{- if and .Chart.Name .Chart.Version }} +helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/values.yaml new file mode 100644 index 0000000000..18ae675f31 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/charts/ztunnel/values.yaml @@ -0,0 +1,133 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + # Hub to pull from. Image will be `Hub/Image:Tag-Variant` + hub: gcr.io/istio-release + # Tag to pull from. Image will be `Hub/Image:Tag-Variant` + tag: 1.27.8 + # Variant to pull. Options are "debug" or "distroless". Unset will use the default for the given version. + variant: "" + + # Image name to pull from. Image will be `Hub/Image:Tag-Variant` + # If Image contains a "/", it will replace the entire `image` in the pod. + image: ztunnel + + # Same as `global.network`, but will override it if set. + # Network defines the network this cluster belong to. This name + # corresponds to the networks in the map of mesh networks. + network: "" + + global: + # When enabled, default NetworkPolicy resources will be created + networkPolicy: + enabled: false + + # resourceName, if set, will override the naming of resources. If not set, will default to 'ztunnel'. + # If you set this, you MUST also set `trustedZtunnelName` in the `istiod` chart. + resourceName: "" + + # Labels to apply to all top level resources + labels: {} + # Annotations to apply to all top level resources + annotations: {} + + # Additional volumeMounts to the ztunnel container + volumeMounts: [] + + # Additional volumes to the ztunnel pod + volumes: [] + + # Tolerations for the ztunnel pod + tolerations: + - effect: NoSchedule + operator: Exists + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists + + # Annotations added to each pod. The default annotations are required for scraping prometheus (in most environments). + podAnnotations: + prometheus.io/port: "15020" + prometheus.io/scrape: "true" + + # Additional labels to apply on the pod level + podLabels: {} + + # Pod resource configuration + resources: + requests: + cpu: 200m + # Ztunnel memory scales with the size of the cluster and traffic load + # While there are many factors, this is enough for ~200k pod cluster or 100k concurrently open connections. + memory: 512Mi + + resourceQuotas: + enabled: false + pods: 5000 + + # List of secret names to add to the service account as image pull secrets + imagePullSecrets: [] + + # A `key: value` mapping of environment variables to add to the pod + env: {} + + # Override for the pod imagePullPolicy + imagePullPolicy: "" + + # Settings for multicluster + multiCluster: + # The name of the cluster we are installing in. Note this is a user-defined name, which must be consistent + # with Istiod configuration. + clusterName: "" + + # meshConfig defines runtime configuration of components. + # For ztunnel, only defaultConfig is used, but this is nested under `meshConfig` for consistency with other + # components. + # TODO: https://github.com/istio/istio/issues/43248 + meshConfig: + defaultConfig: + proxyMetadata: {} + + # This value defines: + # 1. how many seconds kube waits for ztunnel pod to gracefully exit before forcibly terminating it (this value) + # 2. how many seconds ztunnel waits to drain its own connections (this value - 1 sec) + # Default K8S value is 30 seconds + terminationGracePeriodSeconds: 30 + + # Revision is set as 'version' label and part of the resource names when installing multiple control planes. + # Used to locate the XDS and CA, if caAddress or xdsAddress are not set explicitly. + revision: "" + + # The customized CA address to retrieve certificates for the pods in the cluster. + # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. + caAddress: "" + + # The customized XDS address to retrieve configuration. + # This should include the port - 15012 for Istiod. TLS will be used with the certificates in "istiod-ca-cert" secret. + # By default, it is istiod.istio-system.svc:15012 if revision is not set, or istiod-..svc:15012 + xdsAddress: "" + + # Used to locate the XDS and CA, if caAddress or xdsAddress are not set. + istioNamespace: istio-system + + # Configuration log level of ztunnel binary, default is info. + # Valid values are: trace, debug, info, warn, error + logLevel: info + + # To output all logs in json format + logAsJson: false + + # Set to `type: RuntimeDefault` to use the default profile if available. + seLinuxOptions: {} + # TODO Ambient inpod - for OpenShift, set to the following to get writable sockets in hostmounts to work, eventually consider CSI driver instead + #seLinuxOptions: + # type: spc_t + + # K8s DaemonSet update strategy. + # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec). + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/cni-1.27.8.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/cni-1.27.8.tgz.etag new file mode 100644 index 0000000000..9e01656202 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/cni-1.27.8.tgz.etag @@ -0,0 +1 @@ +9397a945c1645fe8d5fff331e9093afcaa99901d835978e52e43f6544efe7873 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/commit b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/commit new file mode 100644 index 0000000000..31a078060e --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/commit @@ -0,0 +1 @@ +1.27.8 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/gateway-1.27.8.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/gateway-1.27.8.tgz.etag new file mode 100644 index 0000000000..091f5d45d1 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/gateway-1.27.8.tgz.etag @@ -0,0 +1 @@ +e7bca3e1844071152ed9cd855ea600f72f727a0fabd9829636a43f85bf1355c6 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/istiod-1.27.8.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/istiod-1.27.8.tgz.etag new file mode 100644 index 0000000000..5810de34d3 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/istiod-1.27.8.tgz.etag @@ -0,0 +1 @@ +d1c14f7aea2ae17ff96e2fedcd3abc079539f469c13791e86801a0f41287e0dd diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/profiles/ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/profiles/ambient.yaml new file mode 100644 index 0000000000..71ea784a80 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/profiles/ambient.yaml @@ -0,0 +1,5 @@ +apiVersion: sailoperator.io/v1 +kind: Istio +spec: + values: + profile: ambient diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/profiles/default.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/profiles/default.yaml new file mode 100644 index 0000000000..8f1ef19676 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/profiles/default.yaml @@ -0,0 +1,12 @@ +apiVersion: sailoperator.io/v1 +kind: Istio +spec: + # Most default values come from the helm chart's values.yaml + # Below are the things that differ + values: + defaultRevision: "" + global: + istioNamespace: istio-system + configValidation: true + ztunnel: + resourceName: ztunnel diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/profiles/demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/profiles/demo.yaml new file mode 100644 index 0000000000..53c4b41633 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/profiles/demo.yaml @@ -0,0 +1,5 @@ +apiVersion: sailoperator.io/v1 +kind: Istio +spec: + values: + profile: demo diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/profiles/empty.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/profiles/empty.yaml new file mode 100644 index 0000000000..4477cb1fe1 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/profiles/empty.yaml @@ -0,0 +1,5 @@ +# The empty profile has everything disabled +# This is useful as a base for custom user configuration +apiVersion: sailoperator.io/v1 +kind: Istio +spec: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/profiles/openshift-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/profiles/openshift-ambient.yaml new file mode 100644 index 0000000000..76edf00cd8 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/profiles/openshift-ambient.yaml @@ -0,0 +1,7 @@ +apiVersion: sailoperator.io/v1 +kind: Istio +spec: + values: + profile: ambient + global: + platform: openshift diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/profiles/openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/profiles/openshift.yaml new file mode 100644 index 0000000000..41492660fe --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/profiles/openshift.yaml @@ -0,0 +1,6 @@ +apiVersion: sailoperator.io/v1 +kind: Istio +spec: + values: + global: + platform: openshift diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/profiles/preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/profiles/preview.yaml new file mode 100644 index 0000000000..59d545c840 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/profiles/preview.yaml @@ -0,0 +1,8 @@ +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +apiVersion: sailoperator.io/v1 +kind: Istio +spec: + values: + profile: preview diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/profiles/remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/profiles/remote.yaml new file mode 100644 index 0000000000..54c65c8ba9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/profiles/remote.yaml @@ -0,0 +1,7 @@ +# The remote profile is used to configure a mesh cluster without a locally deployed control plane. +# Only the injector mutating webhook configuration is installed. +apiVersion: sailoperator.io/v1 +kind: Istio +spec: + values: + profile: remote diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/profiles/stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/profiles/stable.yaml new file mode 100644 index 0000000000..285feba244 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/profiles/stable.yaml @@ -0,0 +1,5 @@ +apiVersion: sailoperator.io/v1 +kind: Istio +spec: + values: + profile: stable diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/ztunnel-1.27.8.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/ztunnel-1.27.8.tgz.etag new file mode 100644 index 0000000000..63de9d2d74 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.27.8/ztunnel-1.27.8.tgz.etag @@ -0,0 +1 @@ +a9f3b90a9e58185025ab113f41c5de5601f555e8b56b1377b4547dfe20746087 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/base-1.28.4.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/base-1.28.4.tgz.etag new file mode 100644 index 0000000000..a239f7b721 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/base-1.28.4.tgz.etag @@ -0,0 +1 @@ +d5cb2b82bfceb6abede183cf809b6e4cad17dbbcf1ebb8c720617d6156a3ec46 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/base/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/base/Chart.yaml new file mode 100644 index 0000000000..a41d5988e9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/base/Chart.yaml @@ -0,0 +1,10 @@ +apiVersion: v2 +appVersion: 1.28.4 +description: Helm chart for deploying Istio cluster resources and CRDs +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio +name: base +sources: +- https://github.com/istio/istio +version: 1.28.4 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/base/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/base/README.md new file mode 100644 index 0000000000..ae8f6d5b0e --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/base/README.md @@ -0,0 +1,35 @@ +# Istio base Helm Chart + +This chart installs resources shared by all Istio revisions. This includes Istio CRDs. + +## Setup Repo Info + +```console +helm repo add istio https://istio-release.storage.googleapis.com/charts +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Installing the Chart + +To install the chart with the release name `istio-base`: + +```console +kubectl create namespace istio-system +helm install istio-base istio/base -n istio-system +``` + +### Profiles + +Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. +These can be set with `--set profile=`. +For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. + +For consistency, the same profiles are used across each chart, even if they do not impact a given chart. + +Explicitly set values have highest priority, then profile settings, then chart defaults. + +As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. +When configuring the chart, you should not include this. +That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/base/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/base/files/profile-ambient.yaml new file mode 100644 index 0000000000..495fbcd434 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/base/files/profile-ambient.yaml @@ -0,0 +1,24 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" + serviceScopeConfigs: + - servicesSelector: + matchExpressions: + - key: istio.io/global + operator: In + values: ["true"] + scope: GLOBAL +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/base/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/base/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..d04117bfc0 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/base/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,14 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.27 behavioral changes + ENABLE_NATIVE_SIDECARS: "false" + # 1.28 behavioral changes + DISABLE_SHADOW_HOST_SUFFIX: "false" + PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/base/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/base/files/profile-compatibility-version-1.26.yaml new file mode 100644 index 0000000000..8fe80112bf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/base/files/profile-compatibility-version-1.26.yaml @@ -0,0 +1,11 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.27 behavioral changes + ENABLE_NATIVE_SIDECARS: "false" + # 1.28 behavioral changes + DISABLE_SHADOW_HOST_SUFFIX: "false" + PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/base/files/profile-compatibility-version-1.27.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/base/files/profile-compatibility-version-1.27.yaml new file mode 100644 index 0000000000..209157cccf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/base/files/profile-compatibility-version-1.27.yaml @@ -0,0 +1,9 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.28 behavioral changes + DISABLE_SHADOW_HOST_SUFFIX: "false" + PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/base/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/base/files/profile-demo.yaml new file mode 100644 index 0000000000..d6dc36dd0f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/base/files/profile-demo.yaml @@ -0,0 +1,94 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The demo profile enables a variety of things to try out Istio in non-production environments. +# * Lower resource utilization. +# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. +# * More ports enabled on the ingress, which is used in some tasks. +meshConfig: + accessLogFile: /dev/stdout + extensionProviders: + - name: otel + envoyOtelAls: + service: opentelemetry-collector.observability.svc.cluster.local + port: 4317 + - name: skywalking + skywalking: + service: tracing.istio-system.svc.cluster.local + port: 11800 + - name: otel-tracing + opentelemetry: + port: 4317 + service: opentelemetry-collector.observability.svc.cluster.local + - name: jaeger + opentelemetry: + port: 4317 + service: jaeger-collector.istio-system.svc.cluster.local + +cni: + resources: + requests: + cpu: 10m + memory: 40Mi + +ztunnel: + resources: + requests: + cpu: 10m + memory: 40Mi + +global: + proxy: + resources: + requests: + cpu: 10m + memory: 40Mi + waypoint: + resources: + requests: + cpu: 10m + memory: 40Mi + +pilot: + autoscaleEnabled: false + traceSampling: 100 + resources: + requests: + cpu: 10m + memory: 100Mi + +gateways: + istio-egressgateway: + autoscaleEnabled: false + resources: + requests: + cpu: 10m + memory: 40Mi + istio-ingressgateway: + autoscaleEnabled: false + ports: + ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. + # Note that AWS ELB will by default perform health checks on the first port + # on this list. Setting this to the health check port will ensure that health + # checks always work. https://github.com/istio/istio/issues/12503 + - port: 15021 + targetPort: 15021 + name: status-port + - port: 80 + targetPort: 8080 + name: http2 + - port: 443 + targetPort: 8443 + name: https + - port: 31400 + targetPort: 31400 + name: tcp + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + resources: + requests: + cpu: 10m + memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/base/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/base/files/profile-platform-gke.yaml new file mode 100644 index 0000000000..dfe8a7d741 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/base/files/profile-platform-gke.yaml @@ -0,0 +1,10 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work + resourceQuotas: + enabled: true +resourceQuotas: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/base/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/base/files/profile-platform-k3d.yaml new file mode 100644 index 0000000000..cd86d9ec58 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/base/files/profile-platform-k3d.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/base/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/base/files/profile-platform-k3s.yaml new file mode 100644 index 0000000000..07820106d9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/base/files/profile-platform-k3s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/base/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/base/files/profile-platform-microk8s.yaml new file mode 100644 index 0000000000..57d7f5e3cd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/base/files/profile-platform-microk8s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/snap/microk8s/current/args/cni-network + cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/base/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/base/files/profile-platform-minikube.yaml new file mode 100644 index 0000000000..fa9992e204 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/base/files/profile-platform-minikube.yaml @@ -0,0 +1,6 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/base/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/base/files/profile-platform-openshift.yaml new file mode 100644 index 0000000000..8ddc5e1654 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/base/files/profile-platform-openshift.yaml @@ -0,0 +1,19 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The OpenShift profile provides a basic set of settings to run Istio on OpenShift +cni: + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + provider: "multus" +pilot: + cni: + enabled: true + provider: "multus" +seLinuxOptions: + type: spc_t +# Openshift requires privileged pods to run in kube-system +trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/base/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/base/files/profile-preview.yaml new file mode 100644 index 0000000000..181d7bda2c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/base/files/profile-preview.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +meshConfig: + defaultConfig: + proxyMetadata: + # Enable Istio agent to handle DNS requests for known hosts + # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf + ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/base/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/base/files/profile-remote.yaml new file mode 100644 index 0000000000..d17b9a801a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/base/files/profile-remote.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. +istiodRemote: + enabled: true +configMap: false +telemetry: + enabled: false +global: + # TODO BML maybe a different profile for a configcluster/revisit this + omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/base/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/base/files/profile-stable.yaml new file mode 100644 index 0000000000..358282e69b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/base/files/profile-stable.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The stable profile deploys admission control to ensure that only stable resources and fields are used +# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE +experimental: + stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/base/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/base/templates/NOTES.txt new file mode 100644 index 0000000000..f12616f578 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/base/templates/NOTES.txt @@ -0,0 +1,5 @@ +Istio base successfully installed! + +To learn more about the release, try: + $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} + $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml new file mode 100644 index 0000000000..30049df989 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml @@ -0,0 +1,55 @@ +{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} +{{- if and .Values.experimental.stableValidationPolicy (not (eq .Values.defaultRevision "")) }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicy +metadata: + name: "stable-channel-default-policy.istio.io" + labels: + release: {{ .Release.Name }} + istio: istiod + istio.io/rev: {{ .Values.defaultRevision }} + app.kubernetes.io/name: "istiod" + {{ include "istio.labels" . | nindent 4 }} +spec: + failurePolicy: Fail + matchConstraints: + resourceRules: + - apiGroups: + - security.istio.io + - networking.istio.io + - telemetry.istio.io + - extensions.istio.io + apiVersions: ["*"] + operations: ["CREATE", "UPDATE"] + resources: ["*"] + variables: + - name: isEnvoyFilter + expression: "object.kind == 'EnvoyFilter'" + - name: isWasmPlugin + expression: "object.kind == 'WasmPlugin'" + - name: isProxyConfig + expression: "object.kind == 'ProxyConfig'" + - name: isTelemetry + expression: "object.kind == 'Telemetry'" + validations: + - expression: "!variables.isEnvoyFilter" + - expression: "!variables.isWasmPlugin" + - expression: "!variables.isProxyConfig" + - expression: | + !( + variables.isTelemetry && ( + (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) || + (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) || + (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter)) + ) + ) +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicyBinding +metadata: + name: "stable-channel-default-policy-binding.istio.io" +spec: + policyName: "stable-channel-default-policy.istio.io" + validationActions: [Deny] +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml new file mode 100644 index 0000000000..dcd16e964f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml @@ -0,0 +1,58 @@ +{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} +{{- if not (eq .Values.defaultRevision "") }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: istiod-default-validator + labels: + app: istiod + release: {{ .Release.Name }} + istio: istiod + istio.io/rev: {{ .Values.defaultRevision | quote }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +webhooks: + - name: validation.istio.io + clientConfig: + {{- if .Values.base.validationURL }} + url: {{ .Values.base.validationURL }} + {{- else }} + service: + {{- if (eq .Values.defaultRevision "default") }} + name: istiod + {{- else }} + name: istiod-{{ .Values.defaultRevision }} + {{- end }} + namespace: {{ .Values.global.istioNamespace }} + path: "/validate" + {{- end }} + {{- if .Values.base.validationCABundle }} + caBundle: "{{ .Values.base.validationCABundle }}" + {{- end }} + rules: + - operations: + - CREATE + - UPDATE + apiGroups: + - security.istio.io + - networking.istio.io + - telemetry.istio.io + - extensions.istio.io + apiVersions: + - "*" + resources: + - "*" + + {{- if .Values.base.validationCABundle }} + # Disable webhook controller in Pilot to stop patching it + failurePolicy: Fail + {{- else }} + # Fail open until the validation webhook is ready. The webhook controller + # will update this to `Fail` and patch in the `caBundle` when the webhook + # endpoint is ready. + failurePolicy: Ignore + {{- end }} + sideEffects: None + admissionReviewVersions: ["v1"] +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/base/templates/reader-serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/base/templates/reader-serviceaccount.yaml new file mode 100644 index 0000000000..bb7a74ff48 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/base/templates/reader-serviceaccount.yaml @@ -0,0 +1,22 @@ +{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} +# This singleton service account aggregates reader permissions for the revisions in a given cluster +# ATM this is a singleton per cluster with Istio installed, and is not revisioned. It maybe should be, +# as otherwise compromising the token for this SA would give you access to *every* installed revision. +# Should be used for remote secret creation. +apiVersion: v1 +kind: ServiceAccount + {{- if .Values.global.imagePullSecrets }} +imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +metadata: + name: istio-reader-service-account + namespace: {{ .Values.global.istioNamespace }} + labels: + app: istio-reader + release: {{ .Release.Name }} + app.kubernetes.io/name: "istio-reader" + {{- include "istio.labels" . | nindent 4 }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/base/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/base/templates/zzz_profile.yaml new file mode 100644 index 0000000000..3d84956485 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/base/templates/zzz_profile.yaml @@ -0,0 +1,75 @@ +{{/* +WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. +The original version of this file is located at /manifests directory. +If you want to make a change in this file, edit the original one and run "make gen". + +Complex logic ahead... +We have three sets of values, in order of precedence (last wins): +1. The builtin values.yaml defaults +2. The profile the user selects +3. Users input (-f or --set) + +Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). + +However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). +We can then merge the profile onto the defaults, then the user settings onto that. +Finally, we can set all of that under .Values so the chart behaves without awareness. +*/}} +{{- if $.Values.defaults}} +{{ fail (cat + "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" + ($.Values.defaults | toYaml |nindent 4) +) }} +{{- end }} +{{- $defaults := $.Values._internal_defaults_do_not_set }} +{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} +{{- $profile := dict }} +{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} +{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} +{{- $profile = (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown profile" .) }} +{{- end }} +{{- end }} +{{- with .Values.compatibilityVersion }} +{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} +{{- end }} +{{- end }} +{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} +{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown platform" .) }} +{{- end }} +{{- end }} +{{- if $profile }} +{{- $a := mustMergeOverwrite $defaults $profile }} +{{- end }} +# Flatten globals, if defined on a per-chart basis +{{- if false }} +{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} +{{- end }} +{{- $x := set $.Values "_original" (deepCopy $.Values) }} +{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} + +{{/* +Labels that should be applied to ALL resources. +*/}} +{{- define "istio.labels" -}} +{{- if .Release.Service -}} +app.kubernetes.io/managed-by: {{ .Release.Service | quote }} +{{- end }} +{{- if .Release.Name }} +app.kubernetes.io/instance: {{ .Release.Name | quote }} +{{- end }} +app.kubernetes.io/part-of: "istio" +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +{{- if and .Chart.Name .Chart.Version }} +helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/base/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/base/values.yaml new file mode 100644 index 0000000000..8353c57d6d --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/base/values.yaml @@ -0,0 +1,45 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + global: + + # ImagePullSecrets for control plane ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + + # Used to locate istiod. + istioNamespace: istio-system + + # resourceScope controls what resources will be processed by helm. + # This is useful when installing Istio on a cluster where some resources need to be owned by a cluster administrator and some can be owned by the mesh administrator. + # It can be one of: + # - all: all resources are processed + # - cluster: only cluster-scoped resources are processed + # - namespace: only namespace-scoped resources are processed + resourceScope: all + base: + # A list of CRDs to exclude. Requires `enableCRDTemplates` to be true. + # Example: `excludedCRDs: ["envoyfilters.networking.istio.io"]`. + # Note: when installing with `istioctl`, `enableIstioConfigCRDs=false` must also be set. + excludedCRDs: [] + # Helm (as of V3) does not support upgrading CRDs, because it is not universally + # safe for them to support this. + # Istio as a project enforces certain backwards-compat guarantees that allow us + # to safely upgrade CRDs in spite of this, so we default to self-managing CRDs + # as standard K8S resources in Helm, and disable Helm's CRD management. See also: + # https://helm.sh/docs/chart_best_practices/custom_resource_definitions/#method-2-separate-charts + enableCRDTemplates: true + + # Validation webhook configuration url + # For example: https://$remotePilotAddress:15017/validate + validationURL: "" + # Validation webhook caBundle value. Useful when running pilot with a well known cert + validationCABundle: "" + + # For istioctl usage to disable istio config crds in base + enableIstioConfigCRDs: true + + defaultRevision: "default" + experimental: + stableValidationPolicy: false diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/Chart.yaml new file mode 100644 index 0000000000..ad69d9b6ba --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +appVersion: 1.28.4 +description: Helm chart for istio-cni components +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio-cni +- istio +name: cni +sources: +- https://github.com/istio/istio +version: 1.28.4 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/README.md new file mode 100644 index 0000000000..f7e5cbd379 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/README.md @@ -0,0 +1,65 @@ +# Istio CNI Helm Chart + +This chart installs the Istio CNI Plugin. See the [CNI installation guide](https://istio.io/latest/docs/setup/additional-setup/cni/) +for more information. + +## Setup Repo Info + +```console +helm repo add istio https://istio-release.storage.googleapis.com/charts +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Installing the Chart + +To install the chart with the release name `istio-cni`: + +```console +helm install istio-cni istio/cni -n kube-system +``` + +Installation in `kube-system` is recommended to ensure the [`system-node-critical`](https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/) +`priorityClassName` can be used. You can install in other namespace only on K8S clusters that allow +'system-node-critical' outside of kube-system. + +## Configuration + +To view supported configuration options and documentation, run: + +```console +helm show values istio/istio-cni +``` + +### Profiles + +Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. +These can be set with `--set profile=`. +For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. + +For consistency, the same profiles are used across each chart, even if they do not impact a given chart. + +Explicitly set values have highest priority, then profile settings, then chart defaults. + +As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. +When configuring the chart, you should not include this. +That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. + +### Ambient + +To enable ambient, you can use the ambient profile: `--set profile=ambient`. + +#### Calico + +For Calico, you must also modify the settings to allow source spoofing: + +- if deployed by operator, `kubectl patch felixconfigurations default --type='json' -p='[{"op": "add", "path": "/spec/workloadSourceSpoofing", "value": "Any"}]'` +- if deployed by manifest, add env `FELIX_WORKLOADSOURCESPOOFING` with value `Any` in `spec.template.spec.containers.env` for daemonset `calico-node`. (This will allow PODs with specified annotation to skip the rpf check. ) + +### GKE notes + +On GKE, 'kube-system' is required. + +If using `helm template`, `--set cni.cniBinDir=/home/kubernetes/bin` is required - with `helm install` +it is auto-detected. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/files/profile-ambient.yaml new file mode 100644 index 0000000000..495fbcd434 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/files/profile-ambient.yaml @@ -0,0 +1,24 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" + serviceScopeConfigs: + - servicesSelector: + matchExpressions: + - key: istio.io/global + operator: In + values: ["true"] + scope: GLOBAL +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..d04117bfc0 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,14 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.27 behavioral changes + ENABLE_NATIVE_SIDECARS: "false" + # 1.28 behavioral changes + DISABLE_SHADOW_HOST_SUFFIX: "false" + PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/files/profile-compatibility-version-1.26.yaml new file mode 100644 index 0000000000..8fe80112bf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/files/profile-compatibility-version-1.26.yaml @@ -0,0 +1,11 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.27 behavioral changes + ENABLE_NATIVE_SIDECARS: "false" + # 1.28 behavioral changes + DISABLE_SHADOW_HOST_SUFFIX: "false" + PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/files/profile-compatibility-version-1.27.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/files/profile-compatibility-version-1.27.yaml new file mode 100644 index 0000000000..209157cccf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/files/profile-compatibility-version-1.27.yaml @@ -0,0 +1,9 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.28 behavioral changes + DISABLE_SHADOW_HOST_SUFFIX: "false" + PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/files/profile-demo.yaml new file mode 100644 index 0000000000..d6dc36dd0f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/files/profile-demo.yaml @@ -0,0 +1,94 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The demo profile enables a variety of things to try out Istio in non-production environments. +# * Lower resource utilization. +# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. +# * More ports enabled on the ingress, which is used in some tasks. +meshConfig: + accessLogFile: /dev/stdout + extensionProviders: + - name: otel + envoyOtelAls: + service: opentelemetry-collector.observability.svc.cluster.local + port: 4317 + - name: skywalking + skywalking: + service: tracing.istio-system.svc.cluster.local + port: 11800 + - name: otel-tracing + opentelemetry: + port: 4317 + service: opentelemetry-collector.observability.svc.cluster.local + - name: jaeger + opentelemetry: + port: 4317 + service: jaeger-collector.istio-system.svc.cluster.local + +cni: + resources: + requests: + cpu: 10m + memory: 40Mi + +ztunnel: + resources: + requests: + cpu: 10m + memory: 40Mi + +global: + proxy: + resources: + requests: + cpu: 10m + memory: 40Mi + waypoint: + resources: + requests: + cpu: 10m + memory: 40Mi + +pilot: + autoscaleEnabled: false + traceSampling: 100 + resources: + requests: + cpu: 10m + memory: 100Mi + +gateways: + istio-egressgateway: + autoscaleEnabled: false + resources: + requests: + cpu: 10m + memory: 40Mi + istio-ingressgateway: + autoscaleEnabled: false + ports: + ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. + # Note that AWS ELB will by default perform health checks on the first port + # on this list. Setting this to the health check port will ensure that health + # checks always work. https://github.com/istio/istio/issues/12503 + - port: 15021 + targetPort: 15021 + name: status-port + - port: 80 + targetPort: 8080 + name: http2 + - port: 443 + targetPort: 8443 + name: https + - port: 31400 + targetPort: 31400 + name: tcp + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + resources: + requests: + cpu: 10m + memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/files/profile-platform-gke.yaml new file mode 100644 index 0000000000..dfe8a7d741 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/files/profile-platform-gke.yaml @@ -0,0 +1,10 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work + resourceQuotas: + enabled: true +resourceQuotas: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/files/profile-platform-k3d.yaml new file mode 100644 index 0000000000..cd86d9ec58 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/files/profile-platform-k3d.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/files/profile-platform-k3s.yaml new file mode 100644 index 0000000000..07820106d9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/files/profile-platform-k3s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/files/profile-platform-microk8s.yaml new file mode 100644 index 0000000000..57d7f5e3cd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/files/profile-platform-microk8s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/snap/microk8s/current/args/cni-network + cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/files/profile-platform-minikube.yaml new file mode 100644 index 0000000000..fa9992e204 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/files/profile-platform-minikube.yaml @@ -0,0 +1,6 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/files/profile-platform-openshift.yaml new file mode 100644 index 0000000000..8ddc5e1654 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/files/profile-platform-openshift.yaml @@ -0,0 +1,19 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The OpenShift profile provides a basic set of settings to run Istio on OpenShift +cni: + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + provider: "multus" +pilot: + cni: + enabled: true + provider: "multus" +seLinuxOptions: + type: spc_t +# Openshift requires privileged pods to run in kube-system +trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/files/profile-preview.yaml new file mode 100644 index 0000000000..181d7bda2c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/files/profile-preview.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +meshConfig: + defaultConfig: + proxyMetadata: + # Enable Istio agent to handle DNS requests for known hosts + # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf + ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/files/profile-remote.yaml new file mode 100644 index 0000000000..d17b9a801a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/files/profile-remote.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. +istiodRemote: + enabled: true +configMap: false +telemetry: + enabled: false +global: + # TODO BML maybe a different profile for a configcluster/revisit this + omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/files/profile-stable.yaml new file mode 100644 index 0000000000..358282e69b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/files/profile-stable.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The stable profile deploys admission control to ensure that only stable resources and fields are used +# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE +experimental: + stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/templates/NOTES.txt new file mode 100644 index 0000000000..fb35525b99 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/templates/NOTES.txt @@ -0,0 +1,5 @@ +"{{ .Release.Name }}" successfully installed! + +To learn more about the release, try: + $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} + $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/templates/_helpers.tpl new file mode 100644 index 0000000000..73cc17b2f6 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/templates/_helpers.tpl @@ -0,0 +1,8 @@ +{{- define "name" -}} + istio-cni +{{- end }} + + +{{- define "istio-tag" -}} + {{ .Values.tag | default .Values.global.tag }}{{with (.Values.variant | default .Values.global.variant)}}-{{.}}{{end}} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/templates/clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/templates/clusterrole.yaml new file mode 100644 index 0000000000..51af4ce7ff --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/templates/clusterrole.yaml @@ -0,0 +1,84 @@ +# Created if cluster resources are not omitted +{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "name" . }} + labels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +rules: +- apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: ["privileged"] + verbs: ["use"] +- apiGroups: [""] + resources: ["pods","nodes","namespaces"] + verbs: ["get", "list", "watch"] +{{- if (eq ((coalesce .Values.platform .Values.global.platform) | default "") "openshift") }} +- apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: ["privileged"] + verbs: ["use"] +{{- end }} +--- +{{- if .Values.repair.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "name" . }}-repair-role + labels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] + - apiGroups: [""] + resources: ["pods"] + verbs: ["watch", "get", "list"] +{{- if .Values.repair.repairPods }} +{{- /* No privileges needed*/}} +{{- else if .Values.repair.deletePods }} + - apiGroups: [""] + resources: ["pods"] + verbs: ["delete"] +{{- else if .Values.repair.labelPods }} + - apiGroups: [""] + {{- /* pods/status is less privileged than the full pod, and either can label. So use the lower pods/status */}} + resources: ["pods/status"] + verbs: ["patch", "update"] +{{- end }} +{{- end }} +--- +{{- if .Values.ambient.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "name" . }}-ambient + labels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +rules: +- apiGroups: [""] + {{- /* pods/status is less privileged than the full pod, and either can label. So use the lower pods/status */}} + resources: ["pods/status"] + verbs: ["patch", "update"] +- apiGroups: ["apps"] + resources: ["daemonsets"] + resourceNames: ["{{ template "name" . }}-node"] + verbs: ["get"] +{{- end }} +{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/templates/clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..60e3c28be8 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/templates/clusterrolebinding.yaml @@ -0,0 +1,66 @@ +# Created if cluster resources are not omitted +{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "name" . }} + labels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "name" . }} +subjects: +- kind: ServiceAccount + name: {{ template "name" . }} + namespace: {{ .Release.Namespace }} +--- +{{- if .Values.repair.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "name" . }}-repair-rolebinding + labels: + k8s-app: {{ template "name" . }}-repair + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +subjects: +- kind: ServiceAccount + name: {{ template "name" . }} + namespace: {{ .Release.Namespace}} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "name" . }}-repair-role +{{- end }} +--- +{{- if .Values.ambient.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "name" . }}-ambient + labels: + k8s-app: {{ template "name" . }}-repair + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ template "name" . }} + namespace: {{ .Release.Namespace}} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "name" . }}-ambient +{{- end }} +{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/templates/configmap-cni.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/templates/configmap-cni.yaml new file mode 100644 index 0000000000..9b5dd47925 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/templates/configmap-cni.yaml @@ -0,0 +1,44 @@ +{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} +kind: ConfigMap +apiVersion: v1 +metadata: + name: {{ template "name" . }}-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +data: + CURRENT_AGENT_VERSION: {{ .Values.tag | default .Values.global.tag | quote }} + AMBIENT_ENABLED: {{ .Values.ambient.enabled | quote }} + AMBIENT_ENABLEMENT_SELECTOR: {{ .Values.ambient.enablementSelectors | toYaml | quote }} + AMBIENT_DNS_CAPTURE: {{ .Values.ambient.dnsCapture | quote }} + AMBIENT_IPV6: {{ .Values.ambient.ipv6 | quote }} + AMBIENT_RECONCILE_POD_RULES_ON_STARTUP: {{ .Values.ambient.reconcileIptablesOnStartup | quote }} + ENABLE_AMBIENT_DETECTION_RETRY: {{ .Values.ambient.enableAmbientDetectionRetry | quote }} + {{- if .Values.cniConfFileName }} # K8S < 1.24 doesn't like empty values + CNI_CONF_NAME: {{ .Values.cniConfFileName }} # Name of the CNI config file to create. Only override if you know the exact path your CNI requires.. + {{- end }} + ISTIO_OWNED_CNI_CONFIG: {{ .Values.istioOwnedCNIConfig | quote }} + {{- if .Values.istioOwnedCNIConfig }} + ISTIO_OWNED_CNI_CONF_FILENAME: {{ .Values.istioOwnedCNIConfigFileName | quote }} + {{- end }} + CHAINED_CNI_PLUGIN: {{ .Values.chained | quote }} + EXCLUDE_NAMESPACES: "{{ range $idx, $ns := .Values.excludeNamespaces }}{{ if $idx }},{{ end }}{{ $ns }}{{ end }}" + REPAIR_ENABLED: {{ .Values.repair.enabled | quote }} + REPAIR_LABEL_PODS: {{ .Values.repair.labelPods | quote }} + REPAIR_DELETE_PODS: {{ .Values.repair.deletePods | quote }} + REPAIR_REPAIR_PODS: {{ .Values.repair.repairPods | quote }} + REPAIR_INIT_CONTAINER_NAME: {{ .Values.repair.initContainerName | quote }} + REPAIR_BROKEN_POD_LABEL_KEY: {{ .Values.repair.brokenPodLabelKey | quote }} + REPAIR_BROKEN_POD_LABEL_VALUE: {{ .Values.repair.brokenPodLabelValue | quote }} + NATIVE_NFTABLES: {{ .Values.global.nativeNftables | quote }} + {{- with .Values.env }} + {{- range $key, $val := . }} + {{ $key }}: "{{ $val }}" + {{- end }} + {{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/templates/daemonset.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/templates/daemonset.yaml new file mode 100644 index 0000000000..6d1dda2902 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/templates/daemonset.yaml @@ -0,0 +1,252 @@ +{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} +# This manifest installs the Istio install-cni container, as well +# as the Istio CNI plugin and config on +# each master and worker node in a Kubernetes cluster. +# +# $detectedBinDir exists to support a GKE-specific platform override, +# and is deprecated in favor of using the explicit `gke` platform profile. +{{- $detectedBinDir := (.Capabilities.KubeVersion.GitVersion | contains "-gke") | ternary + "/home/kubernetes/bin" + "/opt/cni/bin" +}} +{{- if .Values.cniBinDir }} +{{ $detectedBinDir = .Values.cniBinDir }} +{{- end }} +kind: DaemonSet +apiVersion: apps/v1 +metadata: + # Note that this is templated but evaluates to a fixed name + # which the CNI plugin may fall back onto in some failsafe scenarios. + # if this name is changed, CNI plugin logic that checks for this name + # format should also be updated. + name: {{ template "name" . }}-node + namespace: {{ .Release.Namespace }} + labels: + k8s-app: {{ template "name" . }}-node + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} + {{ with .Values.daemonSetLabels -}}{{ toYaml . | nindent 4}}{{ end }} +spec: + selector: + matchLabels: + k8s-app: {{ template "name" . }}-node + {{- with .Values.updateStrategy }} + updateStrategy: + {{- toYaml . | nindent 4 }} + {{- end }} + template: + metadata: + labels: + k8s-app: {{ template "name" . }}-node + sidecar.istio.io/inject: "false" + istio.io/dataplane-mode: none + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 8 }} + {{ with .Values.podLabels -}}{{ toYaml . | nindent 8}}{{ end }} + annotations: + sidecar.istio.io/inject: "false" + # Add Prometheus Scrape annotations + prometheus.io/scrape: 'true' + prometheus.io/port: "15014" + prometheus.io/path: '/metrics' + # Add AppArmor annotation + # This is required to avoid conflicts with AppArmor profiles which block certain + # privileged pod capabilities. + # Required for Kubernetes 1.29 which does not support setting appArmorProfile in the + # securityContext which is otherwise preferred. + container.apparmor.security.beta.kubernetes.io/install-cni: unconfined + # Custom annotations + {{- if .Values.podAnnotations }} +{{ toYaml .Values.podAnnotations | indent 8 }} + {{- end }} + spec: +{{- if and .Values.ambient.enabled .Values.ambient.shareHostNetworkNamespace }} + hostNetwork: true + dnsPolicy: ClusterFirstWithHostNet +{{- end }} + nodeSelector: + kubernetes.io/os: linux + # Can be configured to allow for excluding istio-cni from being scheduled on specified nodes + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + priorityClassName: system-node-critical + serviceAccountName: {{ template "name" . }} + # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force + # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods. + terminationGracePeriodSeconds: 5 + containers: + # This container installs the Istio CNI binaries + # and CNI network config file on each node. + - name: install-cni +{{- if contains "/" .Values.image }} + image: "{{ .Values.image }}" +{{- else }} + image: "{{ .Values.hub | default .Values.global.hub }}/{{ .Values.image | default "install-cni" }}:{{ template "istio-tag" . }}" +{{- end }} +{{- if or .Values.pullPolicy .Values.global.imagePullPolicy }} + imagePullPolicy: {{ .Values.pullPolicy | default .Values.global.imagePullPolicy }} +{{- end }} + ports: + - containerPort: 15014 + name: metrics + protocol: TCP + readinessProbe: + httpGet: + path: /readyz + port: 8000 + securityContext: + privileged: false + runAsGroup: 0 + runAsUser: 0 + runAsNonRoot: false + # Both ambient and sidecar repair mode require elevated node privileges to function. + # But we don't need _everything_ in `privileged`, so explicitly set it to false and + # add capabilities based on feature. + capabilities: + drop: + - ALL + add: + # CAP_NET_ADMIN is required to allow ipset and route table access + - NET_ADMIN + # CAP_NET_RAW is required to allow iptables mutation of the `nat` table + - NET_RAW + # CAP_SYS_PTRACE is required for repair and ambient mode to describe + # the pod's network namespace. + - SYS_PTRACE + # CAP_SYS_ADMIN is required for both ambient and repair, in order to open + # network namespaces in `/proc` to obtain descriptors for entering pod network + # namespaces. There does not appear to be a more granular capability for this. + - SYS_ADMIN + # While we run as a 'root' (UID/GID 0), since we drop all capabilities we lose + # the typical ability to read/write to folders owned by others. + # This can cause problems if the hostPath mounts we use, which we require write access into, + # are owned by non-root. DAC_OVERRIDE bypasses these and gives us write access into any folder. + - DAC_OVERRIDE +{{- if .Values.seLinuxOptions }} +{{ with (merge .Values.seLinuxOptions (dict "type" "spc_t")) }} + seLinuxOptions: +{{ toYaml . | trim | indent 14 }} +{{- end }} +{{- end }} +{{- if .Values.seccompProfile }} + seccompProfile: +{{ toYaml .Values.seccompProfile | trim | indent 14 }} +{{- end }} + command: ["install-cni"] + args: + {{- if or .Values.logging.level .Values.global.logging.level }} + - --log_output_level={{ coalesce .Values.logging.level .Values.global.logging.level }} + {{- end}} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end}} + envFrom: + - configMapRef: + name: {{ template "name" . }}-config + env: + - name: REPAIR_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: REPAIR_RUN_AS_DAEMON + value: "true" + - name: REPAIR_SIDECAR_ANNOTATION + value: "sidecar.istio.io/status" + {{- if not (and .Values.ambient.enabled .Values.ambient.shareHostNetworkNamespace) }} + - name: ALLOW_SWITCH_TO_HOST_NS + value: "true" + {{- end }} + - name: NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + divisor: '1' + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + divisor: '1' + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + {{- if .Values.env }} + {{- range $key, $val := .Values.env }} + - name: {{ $key }} + value: "{{ $val }}" + {{- end }} + {{- end }} + volumeMounts: + - mountPath: /host/opt/cni/bin + name: cni-bin-dir + {{- if or .Values.repair.repairPods .Values.ambient.enabled }} + - mountPath: /host/proc + name: cni-host-procfs + readOnly: true + {{- end }} + - mountPath: /host/etc/cni/net.d + name: cni-net-dir + - mountPath: /var/run/istio-cni + name: cni-socket-dir + {{- if .Values.ambient.enabled }} + - mountPath: /host/var/run/netns + mountPropagation: HostToContainer + name: cni-netns-dir + - mountPath: /var/run/ztunnel + name: cni-ztunnel-sock-dir + {{ end }} + resources: +{{- if .Values.resources }} +{{ toYaml .Values.resources | trim | indent 12 }} +{{- else }} +{{ toYaml .Values.global.defaultResources | trim | indent 12 }} +{{- end }} + volumes: + # Used to install CNI. + - name: cni-bin-dir + hostPath: + path: {{ $detectedBinDir }} + {{- if or .Values.repair.repairPods .Values.ambient.enabled }} + - name: cni-host-procfs + hostPath: + path: /proc + type: Directory + {{- end }} + {{- if .Values.ambient.enabled }} + - name: cni-ztunnel-sock-dir + hostPath: + path: /var/run/ztunnel + type: DirectoryOrCreate + {{- end }} + - name: cni-net-dir + hostPath: + path: {{ .Values.cniConfDir }} + # Used for UDS sockets for logging, ambient eventing + - name: cni-socket-dir + hostPath: + path: /var/run/istio-cni + - name: cni-netns-dir + hostPath: + path: {{ .Values.cniNetnsDir }} + type: DirectoryOrCreate # DirectoryOrCreate instead of Directory for the following reason - CNI may not bind mount this until a non-hostnetwork pod is scheduled on the node, + # and we don't want to block CNI agent pod creation on waiting for the first non-hostnetwork pod. + # Once the CNI does mount this, it will get populated and we're good. +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/templates/network-attachment-definition.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/templates/network-attachment-definition.yaml new file mode 100644 index 0000000000..37ef7c3e6d --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/templates/network-attachment-definition.yaml @@ -0,0 +1,13 @@ +{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} +{{- if eq .Values.provider "multus" }} +apiVersion: k8s.cni.cncf.io/v1 +kind: NetworkAttachmentDefinition +metadata: + name: {{ template "name" . }} + namespace: default + labels: + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/templates/networkpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/templates/networkpolicy.yaml new file mode 100644 index 0000000000..fde1723fbf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/templates/networkpolicy.yaml @@ -0,0 +1,36 @@ +{{- if (.Values.networkPolicy).enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ template "name" . }}{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + k8s-app: {{ template "name" . }}-node + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + k8s-app: {{ template "name" . }}-node + policyTypes: + - Ingress + - Egress + ingress: + # Metrics endpoint for monitoring/prometheus + - from: [] + ports: + - protocol: TCP + port: 15014 + # Readiness probe endpoint + - from: [] + ports: + - protocol: TCP + port: 8000 + egress: + # Allow DNS resolution and access to Kubernetes API server. + # IP/Port of the API server is heavily dependant on k8s distribution, so we allow all egress for now. + - {} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/templates/resourcequota.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/templates/resourcequota.yaml new file mode 100644 index 0000000000..2e0be5ab40 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/templates/resourcequota.yaml @@ -0,0 +1,21 @@ +{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} +{{- if .Values.resourceQuotas.enabled }} +apiVersion: v1 +kind: ResourceQuota +metadata: + name: {{ template "name" . }}-resource-quota + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +spec: + hard: + pods: {{ .Values.resourceQuotas.pods | quote }} + scopeSelector: + matchExpressions: + - operator: In + scopeName: PriorityClass + values: + - system-node-critical +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/templates/serviceaccount.yaml new file mode 100644 index 0000000000..17c8e64a9d --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/templates/serviceaccount.yaml @@ -0,0 +1,20 @@ +{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} +apiVersion: v1 +kind: ServiceAccount +{{- if .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range .Values.global.imagePullSecrets }} + - name: {{ . }} +{{- end }} +{{- end }} +metadata: + name: {{ template "name" . }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/templates/zzy_descope_legacy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/templates/zzy_descope_legacy.yaml new file mode 100644 index 0000000000..a9584ac29f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/templates/zzy_descope_legacy.yaml @@ -0,0 +1,3 @@ +{{/* Copy anything under `.cni` to `.`, to avoid the need to specify a redundant prefix. +Due to the file naming, this always happens after zzz_profile.yaml */}} +{{- $_ := mustMergeOverwrite $.Values (index $.Values "cni") }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/templates/zzz_profile.yaml new file mode 100644 index 0000000000..3d84956485 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/templates/zzz_profile.yaml @@ -0,0 +1,75 @@ +{{/* +WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. +The original version of this file is located at /manifests directory. +If you want to make a change in this file, edit the original one and run "make gen". + +Complex logic ahead... +We have three sets of values, in order of precedence (last wins): +1. The builtin values.yaml defaults +2. The profile the user selects +3. Users input (-f or --set) + +Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). + +However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). +We can then merge the profile onto the defaults, then the user settings onto that. +Finally, we can set all of that under .Values so the chart behaves without awareness. +*/}} +{{- if $.Values.defaults}} +{{ fail (cat + "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" + ($.Values.defaults | toYaml |nindent 4) +) }} +{{- end }} +{{- $defaults := $.Values._internal_defaults_do_not_set }} +{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} +{{- $profile := dict }} +{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} +{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} +{{- $profile = (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown profile" .) }} +{{- end }} +{{- end }} +{{- with .Values.compatibilityVersion }} +{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} +{{- end }} +{{- end }} +{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} +{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown platform" .) }} +{{- end }} +{{- end }} +{{- if $profile }} +{{- $a := mustMergeOverwrite $defaults $profile }} +{{- end }} +# Flatten globals, if defined on a per-chart basis +{{- if false }} +{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} +{{- end }} +{{- $x := set $.Values "_original" (deepCopy $.Values) }} +{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} + +{{/* +Labels that should be applied to ALL resources. +*/}} +{{- define "istio.labels" -}} +{{- if .Release.Service -}} +app.kubernetes.io/managed-by: {{ .Release.Service | quote }} +{{- end }} +{{- if .Release.Name }} +app.kubernetes.io/instance: {{ .Release.Name | quote }} +{{- end }} +app.kubernetes.io/part-of: "istio" +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +{{- if and .Chart.Name .Chart.Version }} +helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/values.yaml new file mode 100644 index 0000000000..eba55d71c6 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/cni/values.yaml @@ -0,0 +1,194 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + hub: "" + tag: "" + variant: "" + image: install-cni + pullPolicy: "" + + # Same as `global.logging.level`, but will override it if set + logging: + level: "" + + # Configuration file to insert istio-cni plugin configuration + # by default this will be the first file found in the cni-conf-dir + # Example + # cniConfFileName: 10-calico.conflist + + # CNI-and-platform specific path defaults. + # These may need to be set to platform-specific values, consult + # overrides for your platform in `manifests/helm-profiles/platform-*.yaml` + cniBinDir: /opt/cni/bin + cniConfDir: /etc/cni/net.d + cniConfFileName: "" + cniNetnsDir: "/var/run/netns" + + # If Istio owned CNI config is enabled, defaults to 02-istio-cni.conflist + istioOwnedCNIConfigFileName: "" + istioOwnedCNIConfig: false + + excludeNamespaces: + - kube-system + + # Allows user to set custom affinity for the DaemonSet + affinity: {} + + # Additional labels to apply on the daemonset level + daemonSetLabels: {} + + # Custom annotations on pod level, if you need them + podAnnotations: {} + + # Additional labels to apply on the pod level + podLabels: {} + + # Deploy the config files as plugin chain (value "true") or as standalone files in the conf dir (value "false")? + # Some k8s flavors (e.g. OpenShift) do not support the chain approach, set to false if this is the case + chained: true + + # Custom configuration happens based on the CNI provider. + # Possible values: "default", "multus" + provider: "default" + + # Configure ambient settings + ambient: + # If enabled, ambient redirection will be enabled + enabled: false + # If ambient is enabled, this selector will be used to identify the ambient-enabled pods + enablementSelectors: + - podSelector: + matchLabels: {istio.io/dataplane-mode: ambient} + - podSelector: + matchExpressions: + - { key: istio.io/dataplane-mode, operator: NotIn, values: [none] } + namespaceSelector: + matchLabels: {istio.io/dataplane-mode: ambient} + # Set ambient config dir path: defaults to /etc/ambient-config + configDir: "" + # If enabled, and ambient is enabled, DNS redirection will be enabled + dnsCapture: true + # If enabled, and ambient is enabled, enables ipv6 support + ipv6: true + # If enabled, and ambient is enabled, the CNI agent will reconcile incompatible iptables rules and chains at startup. + # This will eventually be enabled by default + reconcileIptablesOnStartup: false + # If enabled, and ambient is enabled, the CNI agent will always share the network namespace of the host node it is running on + shareHostNetworkNamespace: false + # If enabled, the CNI agent will retry checking if a pod is ambient enabled when there are errors + enableAmbientDetectionRetry: false + + + repair: + enabled: true + hub: "" + tag: "" + + # Repair controller has 3 modes. Pick which one meets your use cases. Note only one may be used. + # This defines the action the controller will take when a pod is detected as broken. + + # labelPods will label all pods with =. + # This is only capable of identifying broken pods; the user is responsible for fixing them (generally, by deleting them). + # Note this gives the DaemonSet a relatively high privilege, as modifying pod metadata/status can have wider impacts. + labelPods: false + # deletePods will delete any broken pod. These will then be rescheduled, hopefully onto a node that is fully ready. + # Note this gives the DaemonSet a relatively high privilege, as it can delete any Pod. + deletePods: false + # repairPods will dynamically repair any broken pod by setting up the pod networking configuration even after it has started. + # Note the pod will be crashlooping, so this may take a few minutes to become fully functional based on when the retry occurs. + # This requires no RBAC privilege, but does require `securityContext.privileged/CAP_SYS_ADMIN`. + repairPods: true + + initContainerName: "istio-validation" + + brokenPodLabelKey: "cni.istio.io/uninitialized" + brokenPodLabelValue: "true" + + # Set to `type: RuntimeDefault` to use the default profile if available. + seccompProfile: {} + + # SELinux options to set in the istio-cni-node pods. You may need to set this to `type: spc_t` for some platforms. + seLinuxOptions: {} + + resources: + requests: + cpu: 100m + memory: 100Mi + + resourceQuotas: + enabled: false + pods: 5000 + + tolerations: + # Make sure istio-cni-node gets scheduled on all nodes. + - effect: NoSchedule + operator: Exists + # Mark the pod as a critical add-on for rescheduling. + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists + + # K8s DaemonSet update strategy. + # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec). + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 + + # Revision is set as 'version' label and part of the resource names when installing multiple control planes. + revision: "" + + # For Helm compatibility. + ownerName: "" + + global: + # Default hub for Istio images. + # Releases are published to docker hub under 'istio' project. + # Dev builds from prow are on gcr.io + hub: gcr.io/istio-release + + # Default tag for Istio images. + tag: 1.28.4 + + # Variant of the image to use. + # Currently supported are: [debug, distroless] + variant: "" + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent. + imagePullPolicy: "" + + # change cni scope level to control logging out of istio-cni-node DaemonSet + logging: + level: info + + logAsJson: false + + # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) + # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + # - private-registry-key + + # Default resources allocated + defaultResources: + requests: + cpu: 100m + memory: 100Mi + + # In order to use native nftable rules instead of iptable rules, set this flag to true. + nativeNftables: false + + # resourceScope controls what resources will be processed by helm. + # This is useful when installing Istio on a cluster where some resources need to be owned by a cluster administrator and some can be owned by the mesh administrator. + # It can be one of: + # - all: all resources are processed + # - cluster: only cluster-scoped resources are processed + # - namespace: only namespace-scoped resources are processed + resourceScope: all + + # A `key: value` mapping of environment variables to add to the pod + env: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/Chart.yaml new file mode 100644 index 0000000000..d116d36b96 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/Chart.yaml @@ -0,0 +1,12 @@ +apiVersion: v2 +appVersion: 1.28.4 +description: Helm chart for deploying Istio gateways +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio +- gateways +name: gateway +sources: +- https://github.com/istio/istio +type: application +version: 1.28.4 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/README.md new file mode 100644 index 0000000000..6344859a22 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/README.md @@ -0,0 +1,170 @@ +# Istio Gateway Helm Chart + +This chart installs an Istio gateway deployment. + +## Setup Repo Info + +```console +helm repo add istio https://istio-release.storage.googleapis.com/charts +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Installing the Chart + +To install the chart with the release name `istio-ingressgateway`: + +```console +helm install istio-ingressgateway istio/gateway +``` + +## Uninstalling the Chart + +To uninstall/delete the `istio-ingressgateway` deployment: + +```console +helm delete istio-ingressgateway +``` + +## Configuration + +To view supported configuration options and documentation, run: + +```console +helm show values istio/gateway +``` + +### Profiles + +Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. +These can be set with `--set profile=`. +For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. + +For consistency, the same profiles are used across each chart, even if they do not impact a given chart. + +Explicitly set values have highest priority, then profile settings, then chart defaults. + +As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. +When configuring the chart, you should not include this. +That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. + +### OpenShift + +When deploying the gateway in an OpenShift cluster, use the `openshift` profile to override the default values, for example: + +```console +helm install istio-ingressgateway istio/gateway --set profile=openshift +``` + +### `image: auto` Information + +The image used by the chart, `auto`, may be unintuitive. +This exists because the pod spec will be automatically populated at runtime, using the same mechanism as [Sidecar Injection](istio.io/latest/docs/setup/additional-setup/sidecar-injection). +This allows the same configurations and lifecycle to apply to gateways as sidecars. + +Note: this does mean that the namespace the gateway is deployed in must not have the `istio-injection=disabled` label. +See [Controlling the injection policy](https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#controlling-the-injection-policy) for more info. + +### Examples + +#### Egress Gateway + +Deploying a Gateway to be used as an [Egress Gateway](https://istio.io/latest/docs/tasks/traffic-management/egress/egress-gateway/): + +```yaml +service: + # Egress gateways do not need an external LoadBalancer IP + type: ClusterIP +``` + +#### Multi-network/VM Gateway + +Deploying a Gateway to be used as a [Multi-network Gateway](https://istio.io/latest/docs/setup/install/multicluster/) for network `network-1`: + +```yaml +networkGateway: network-1 +``` + +### Migrating from other installation methods + +Installations from other installation methods (such as istioctl, Istio Operator, other helm charts, etc) can be migrated to use the new Helm charts +following the guidance below. +If you are able to, a clean installation is simpler. However, this often requires an external IP migration which can be challenging. + +WARNING: when installing over an existing deployment, the two deployments will be merged together by Helm, which may lead to unexpected results. + +#### Legacy Gateway Helm charts + +Istio historically offered two different charts - `manifests/charts/gateways/istio-ingress` and `manifests/charts/gateways/istio-egress`. +These are replaced by this chart. +While not required, it is recommended all new users use this chart, and existing users migrate when possible. + +This chart has the following benefits and differences: +* Designed with Helm best practices in mind (standardized values options, values schema, values are not all nested under `gateways.istio-ingressgateway.*`, release name and namespace taken into account, etc). +* Utilizes Gateway injection, simplifying upgrades, allowing gateways to run in any namespace, and avoiding repeating config for sidecars and gateways. +* Published to official Istio Helm repository. +* Single chart for all gateways (Ingress, Egress, East West). + +#### General concerns + +For a smooth migration, the resource names and `Deployment.spec.selector` labels must match. + +If you install with `helm install istio-gateway istio/gateway`, resources will be named `istio-gateway` and the `selector` labels set to: + +```yaml +app: istio-gateway +istio: gateway # the release name with leading istio- prefix stripped +``` + +If your existing installation doesn't follow these names, you can override them. For example, if you have resources named `my-custom-gateway` with `selector` labels +`foo=bar,istio=ingressgateway`: + +```yaml +name: my-custom-gateway # Override the name to match existing resources +labels: + app: "" # Unset default app selector label + istio: ingressgateway # override default istio selector label + foo: bar # Add the existing custom selector label +``` + +#### Migrating an existing Helm release + +An existing helm release can be `helm upgrade`d to this chart by using the same release name. For example, if a previous +installation was done like: + +```console +helm install istio-ingress manifests/charts/gateways/istio-ingress -n istio-system +``` + +It could be upgraded with + +```console +helm upgrade istio-ingress manifests/charts/gateway -n istio-system --set name=istio-ingressgateway --set labels.app=istio-ingressgateway --set labels.istio=ingressgateway +``` + +Note the name and labels are overridden to match the names of the existing installation. + +Warning: the helm charts here default to using port 80 and 443, while the old charts used 8080 and 8443. +If you have AuthorizationPolicies that reference port these ports, you should update them during this process, +or customize the ports to match the old defaults. +See the [security advisory](https://istio.io/latest/news/security/istio-security-2021-002/) for more information. + +#### Other migrations + +If you see errors like `rendered manifests contain a resource that already exists` during installation, you may need to forcibly take ownership. + +The script below can handle this for you. Replace `RELEASE` and `NAMESPACE` with the name and namespace of the release: + +```console +KINDS=(service deployment) +RELEASE=istio-ingressgateway +NAMESPACE=istio-system +for KIND in "${KINDS[@]}"; do + kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-name=$RELEASE + kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-namespace=$NAMESPACE + kubectl --namespace $NAMESPACE --overwrite=true label $KIND $RELEASE app.kubernetes.io/managed-by=Helm +done +``` + +You may ignore errors about resources not being found. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/files/profile-ambient.yaml new file mode 100644 index 0000000000..495fbcd434 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/files/profile-ambient.yaml @@ -0,0 +1,24 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" + serviceScopeConfigs: + - servicesSelector: + matchExpressions: + - key: istio.io/global + operator: In + values: ["true"] + scope: GLOBAL +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..d04117bfc0 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,14 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.27 behavioral changes + ENABLE_NATIVE_SIDECARS: "false" + # 1.28 behavioral changes + DISABLE_SHADOW_HOST_SUFFIX: "false" + PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/files/profile-compatibility-version-1.26.yaml new file mode 100644 index 0000000000..8fe80112bf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/files/profile-compatibility-version-1.26.yaml @@ -0,0 +1,11 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.27 behavioral changes + ENABLE_NATIVE_SIDECARS: "false" + # 1.28 behavioral changes + DISABLE_SHADOW_HOST_SUFFIX: "false" + PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/files/profile-compatibility-version-1.27.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/files/profile-compatibility-version-1.27.yaml new file mode 100644 index 0000000000..209157cccf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/files/profile-compatibility-version-1.27.yaml @@ -0,0 +1,9 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.28 behavioral changes + DISABLE_SHADOW_HOST_SUFFIX: "false" + PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/files/profile-demo.yaml new file mode 100644 index 0000000000..d6dc36dd0f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/files/profile-demo.yaml @@ -0,0 +1,94 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The demo profile enables a variety of things to try out Istio in non-production environments. +# * Lower resource utilization. +# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. +# * More ports enabled on the ingress, which is used in some tasks. +meshConfig: + accessLogFile: /dev/stdout + extensionProviders: + - name: otel + envoyOtelAls: + service: opentelemetry-collector.observability.svc.cluster.local + port: 4317 + - name: skywalking + skywalking: + service: tracing.istio-system.svc.cluster.local + port: 11800 + - name: otel-tracing + opentelemetry: + port: 4317 + service: opentelemetry-collector.observability.svc.cluster.local + - name: jaeger + opentelemetry: + port: 4317 + service: jaeger-collector.istio-system.svc.cluster.local + +cni: + resources: + requests: + cpu: 10m + memory: 40Mi + +ztunnel: + resources: + requests: + cpu: 10m + memory: 40Mi + +global: + proxy: + resources: + requests: + cpu: 10m + memory: 40Mi + waypoint: + resources: + requests: + cpu: 10m + memory: 40Mi + +pilot: + autoscaleEnabled: false + traceSampling: 100 + resources: + requests: + cpu: 10m + memory: 100Mi + +gateways: + istio-egressgateway: + autoscaleEnabled: false + resources: + requests: + cpu: 10m + memory: 40Mi + istio-ingressgateway: + autoscaleEnabled: false + ports: + ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. + # Note that AWS ELB will by default perform health checks on the first port + # on this list. Setting this to the health check port will ensure that health + # checks always work. https://github.com/istio/istio/issues/12503 + - port: 15021 + targetPort: 15021 + name: status-port + - port: 80 + targetPort: 8080 + name: http2 + - port: 443 + targetPort: 8443 + name: https + - port: 31400 + targetPort: 31400 + name: tcp + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + resources: + requests: + cpu: 10m + memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/files/profile-platform-gke.yaml new file mode 100644 index 0000000000..dfe8a7d741 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/files/profile-platform-gke.yaml @@ -0,0 +1,10 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work + resourceQuotas: + enabled: true +resourceQuotas: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/files/profile-platform-k3d.yaml new file mode 100644 index 0000000000..cd86d9ec58 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/files/profile-platform-k3d.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/files/profile-platform-k3s.yaml new file mode 100644 index 0000000000..07820106d9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/files/profile-platform-k3s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/files/profile-platform-microk8s.yaml new file mode 100644 index 0000000000..57d7f5e3cd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/files/profile-platform-microk8s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/snap/microk8s/current/args/cni-network + cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/files/profile-platform-minikube.yaml new file mode 100644 index 0000000000..fa9992e204 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/files/profile-platform-minikube.yaml @@ -0,0 +1,6 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/files/profile-platform-openshift.yaml new file mode 100644 index 0000000000..8ddc5e1654 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/files/profile-platform-openshift.yaml @@ -0,0 +1,19 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The OpenShift profile provides a basic set of settings to run Istio on OpenShift +cni: + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + provider: "multus" +pilot: + cni: + enabled: true + provider: "multus" +seLinuxOptions: + type: spc_t +# Openshift requires privileged pods to run in kube-system +trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/files/profile-preview.yaml new file mode 100644 index 0000000000..181d7bda2c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/files/profile-preview.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +meshConfig: + defaultConfig: + proxyMetadata: + # Enable Istio agent to handle DNS requests for known hosts + # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf + ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/files/profile-remote.yaml new file mode 100644 index 0000000000..d17b9a801a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/files/profile-remote.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. +istiodRemote: + enabled: true +configMap: false +telemetry: + enabled: false +global: + # TODO BML maybe a different profile for a configcluster/revisit this + omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/files/profile-stable.yaml new file mode 100644 index 0000000000..358282e69b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/files/profile-stable.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The stable profile deploys admission control to ensure that only stable resources and fields are used +# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE +experimental: + stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/templates/NOTES.txt new file mode 100644 index 0000000000..fd0142911a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/templates/NOTES.txt @@ -0,0 +1,9 @@ +"{{ include "gateway.name" . }}" successfully installed! + +To learn more about the release, try: + $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} + $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} + +Next steps: + * Deploy an HTTP Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/ingress-control/ + * Deploy an HTTPS Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/ diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/templates/_helpers.tpl new file mode 100644 index 0000000000..e5a0a9b3c2 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/templates/_helpers.tpl @@ -0,0 +1,40 @@ +{{- define "gateway.name" -}} +{{- if eq .Release.Name "RELEASE-NAME" -}} + {{- .Values.name | default "istio-ingressgateway" -}} +{{- else -}} + {{- .Values.name | default .Release.Name | default "istio-ingressgateway" -}} +{{- end -}} +{{- end }} + +{{- define "gateway.labels" -}} +{{ include "gateway.selectorLabels" . }} +{{- range $key, $val := .Values.labels }} +{{- if and (ne $key "app") (ne $key "istio") }} +{{ $key | quote }}: {{ $val | quote }} +{{- end }} +{{- end }} +{{- end }} + +{{- define "gateway.selectorLabels" -}} +app: {{ (.Values.labels.app | quote) | default (include "gateway.name" .) }} +istio: {{ (.Values.labels.istio | quote) | default (include "gateway.name" . | trimPrefix "istio-") }} +{{- end }} + +{{/* +Keep sidecar injection labels together +https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#controlling-the-injection-policy +*/}} +{{- define "gateway.sidecarInjectionLabels" -}} +sidecar.istio.io/inject: "true" +{{- with .Values.revision }} +istio.io/rev: {{ . | quote }} +{{- end }} +{{- end }} + +{{- define "gateway.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- .Values.serviceAccount.name | default (include "gateway.name" .) }} +{{- else }} +{{- .Values.serviceAccount.name | default "default" }} +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/templates/deployment.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/templates/deployment.yaml new file mode 100644 index 0000000000..1d8f93a472 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/templates/deployment.yaml @@ -0,0 +1,145 @@ +apiVersion: apps/v1 +kind: {{ .Values.kind | default "Deployment" }} +metadata: + name: {{ include "gateway.name" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} + {{- include "gateway.labels" . | nindent 4}} + annotations: + {{- .Values.annotations | toYaml | nindent 4 }} +spec: + {{- if not .Values.autoscaling.enabled }} + {{- if and (hasKey .Values "replicaCount") (ne .Values.replicaCount nil) }} + replicas: {{ .Values.replicaCount }} + {{- end }} + {{- end }} + {{- with .Values.strategy }} + strategy: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.minReadySeconds }} + minReadySeconds: {{ . }} + {{- end }} + selector: + matchLabels: + {{- include "gateway.selectorLabels" . | nindent 6 }} + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "gateway.sidecarInjectionLabels" . | nindent 8 }} + {{- include "gateway.selectorLabels" . | nindent 8 }} + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 8}} + {{- range $key, $val := .Values.labels }} + {{- if and (ne $key "app") (ne $key "istio") }} + {{ $key | quote }}: {{ $val | quote }} + {{- end }} + {{- end }} + {{- with .Values.networkGateway }} + topology.istio.io/network: "{{.}}" + {{- end }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "gateway.serviceAccountName" . }} + securityContext: + {{- if .Values.securityContext }} + {{- toYaml .Values.securityContext | nindent 8 }} + {{- else }} + # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326 + sysctls: + - name: net.ipv4.ip_unprivileged_port_start + value: "0" + {{- end }} + {{- with .Values.volumes }} + volumes: + {{ toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} + containers: + - name: istio-proxy + # "auto" will be populated at runtime by the mutating webhook. See https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#customizing-injection + image: auto + {{- with .Values.imagePullPolicy }} + imagePullPolicy: {{ . }} + {{- end }} + securityContext: + {{- if .Values.containerSecurityContext }} + {{- toYaml .Values.containerSecurityContext | nindent 12 }} + {{- else }} + capabilities: + drop: + - ALL + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + {{- if not (eq (.Values.platform | default "") "openshift") }} + runAsUser: 1337 + runAsGroup: 1337 + {{- end }} + runAsNonRoot: true + {{- end }} + env: + {{- with .Values.networkGateway }} + - name: ISTIO_META_REQUESTED_NETWORK_VIEW + value: "{{.}}" + {{- end }} + {{- range $key, $val := .Values.env }} + - name: {{ $key }} + value: {{ $val | quote }} + {{- end }} + {{- with .Values.envVarFrom }} + {{- toYaml . | nindent 10 }} + {{- end }} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + resources: + {{- toYaml .Values.resources | nindent 12 }} + {{- with .Values.volumeMounts }} + volumeMounts: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.readinessProbe }} + readinessProbe: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.lifecycle }} + lifecycle: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.additionalContainers }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml . | nindent 8 }} + {{- end }} + terminationGracePeriodSeconds: {{ $.Values.terminationGracePeriodSeconds }} + {{- with .Values.priorityClassName }} + priorityClassName: {{ . }} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/templates/hpa.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/templates/hpa.yaml new file mode 100644 index 0000000000..64ecb6a4cd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/templates/hpa.yaml @@ -0,0 +1,40 @@ +{{- if and (.Values.autoscaling.enabled) (eq .Values.kind "Deployment") }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "gateway.name" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} + {{- include "gateway.labels" . | nindent 4 }} + annotations: + {{- .Values.annotations | toYaml | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: {{ .Values.kind | default "Deployment" }} + name: {{ include "gateway.name" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + metrics: + {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} + type: Utilization + {{- end }} + {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} + type: Utilization + {{- end }} + {{- if .Values.autoscaling.autoscaleBehavior }} + behavior: {{ toYaml .Values.autoscaling.autoscaleBehavior | nindent 4 }} + {{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/templates/networkpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/templates/networkpolicy.yaml new file mode 100644 index 0000000000..ea2fab97b3 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/templates/networkpolicy.yaml @@ -0,0 +1,47 @@ +{{- if (.Values.global.networkPolicy).enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ include "gateway.name" . }}{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ include "gateway.name" . }} + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Gateway" + istio: {{ (.Values.labels.istio | quote) | default (include "gateway.name" . | trimPrefix "istio-") }} + release: {{ .Release.Name }} + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "gateway.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + {{- include "gateway.selectorLabels" . | nindent 6 }} + policyTypes: + - Ingress + - Egress + ingress: + # Status/health check port + - from: [] + ports: + - protocol: TCP + port: 15021 + # Metrics endpoints for monitoring/prometheus + - from: [] + ports: + - protocol: TCP + port: 15020 + - protocol: TCP + port: 15090 + # Main gateway traffic ports +{{- if .Values.service.ports }} +{{- range .Values.service.ports }} + - from: [] + ports: + - protocol: {{ .protocol | default "TCP" }} + port: {{ .targetPort | default .port }} +{{- end }} +{{- end }} + egress: + # Allow all egress (gateways need to reach external services, istiod, and other cluster services) + - {} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/templates/poddisruptionbudget.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/templates/poddisruptionbudget.yaml new file mode 100644 index 0000000000..91869a0ead --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/templates/poddisruptionbudget.yaml @@ -0,0 +1,21 @@ +{{- if .Values.podDisruptionBudget }} +# a workaround for https://github.com/kubernetes/kubernetes/issues/93476 +{{- if or (and .Values.autoscaling.enabled (gt (int .Values.autoscaling.minReplicas) 1)) (and (not .Values.autoscaling.enabled) (gt (int .Values.replicaCount) 1)) }} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "gateway.name" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} + {{- include "gateway.labels" . | nindent 4}} +spec: + selector: + matchLabels: + {{- include "gateway.selectorLabels" . | nindent 6 }} + {{- with .Values.podDisruptionBudget }} + {{- toYaml . | nindent 2 }} + {{- end }} +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/templates/role.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/templates/role.yaml new file mode 100644 index 0000000000..3d16079632 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/templates/role.yaml @@ -0,0 +1,37 @@ +{{/*Set up roles for Istio Gateway. Not required for gateway-api*/}} +{{- if .Values.rbac.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "gateway.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} + {{- include "gateway.labels" . | nindent 4}} + annotations: + {{- .Values.annotations | toYaml | nindent 4 }} +rules: +- apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "watch", "list"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "gateway.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} + {{- include "gateway.labels" . | nindent 4}} + annotations: + {{- .Values.annotations | toYaml | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "gateway.serviceAccountName" . }} +subjects: +- kind: ServiceAccount + name: {{ include "gateway.serviceAccountName" . }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/templates/service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/templates/service.yaml new file mode 100644 index 0000000000..d172364d0e --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/templates/service.yaml @@ -0,0 +1,78 @@ +{{- if not (eq .Values.service.type "None") }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "gateway.name" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} + {{- include "gateway.labels" . | nindent 4 }} + {{- with .Values.networkGateway }} + topology.istio.io/network: "{{.}}" + {{- end }} + annotations: + {{- merge (deepCopy .Values.service.annotations) .Values.annotations | toYaml | nindent 4 }} +spec: +{{- with .Values.service.loadBalancerIP }} + loadBalancerIP: "{{ . }}" +{{- end }} +{{- if eq .Values.service.type "LoadBalancer" }} + {{- if hasKey .Values.service "allocateLoadBalancerNodePorts" }} + allocateLoadBalancerNodePorts: {{ .Values.service.allocateLoadBalancerNodePorts }} + {{- end }} + {{- if hasKey .Values.service "loadBalancerClass" }} + loadBalancerClass: {{ .Values.service.loadBalancerClass }} + {{- end }} +{{- end }} +{{- if .Values.service.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.service.ipFamilyPolicy }} +{{- end }} +{{- if .Values.service.ipFamilies }} + ipFamilies: +{{- range .Values.service.ipFamilies }} + - {{ . }} +{{- end }} +{{- end }} +{{- with .Values.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml . | indent 4 }} +{{- end }} +{{- with .Values.service.externalTrafficPolicy }} + externalTrafficPolicy: "{{ . }}" +{{- end }} +{{- with .Values.service.internalTrafficPolicy }} + internalTrafficPolicy: "{{ . }}" +{{- end }} + type: {{ .Values.service.type }} +{{- if not (eq .Values.service.clusterIP "") }} + clusterIP: {{ .Values.service.clusterIP }} +{{- end }} + ports: +{{- if .Values.networkGateway }} + - name: status-port + port: 15021 + targetPort: 15021 + - name: tls + port: 15443 + targetPort: 15443 + - name: tls-istiod + port: 15012 + targetPort: 15012 + - name: tls-webhook + port: 15017 + targetPort: 15017 +{{- else }} +{{ .Values.service.ports | toYaml | indent 4 }} +{{- end }} +{{- if .Values.service.externalIPs }} + externalIPs: {{- range .Values.service.externalIPs }} + - {{.}} + {{- end }} +{{- end }} + selector: + {{- include "gateway.selectorLabels" . | nindent 4 }} + {{- with .Values.service.selectorLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/templates/serviceaccount.yaml new file mode 100644 index 0000000000..c88afeadd3 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/templates/serviceaccount.yaml @@ -0,0 +1,15 @@ +{{- if .Values.serviceAccount.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "gateway.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} + {{- include "gateway.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/templates/zzz_profile.yaml new file mode 100644 index 0000000000..606c556697 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/templates/zzz_profile.yaml @@ -0,0 +1,75 @@ +{{/* +WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. +The original version of this file is located at /manifests directory. +If you want to make a change in this file, edit the original one and run "make gen". + +Complex logic ahead... +We have three sets of values, in order of precedence (last wins): +1. The builtin values.yaml defaults +2. The profile the user selects +3. Users input (-f or --set) + +Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). + +However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). +We can then merge the profile onto the defaults, then the user settings onto that. +Finally, we can set all of that under .Values so the chart behaves without awareness. +*/}} +{{- if $.Values.defaults}} +{{ fail (cat + "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" + ($.Values.defaults | toYaml |nindent 4) +) }} +{{- end }} +{{- $defaults := $.Values._internal_defaults_do_not_set }} +{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} +{{- $profile := dict }} +{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} +{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} +{{- $profile = (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown profile" .) }} +{{- end }} +{{- end }} +{{- with .Values.compatibilityVersion }} +{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} +{{- end }} +{{- end }} +{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} +{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown platform" .) }} +{{- end }} +{{- end }} +{{- if $profile }} +{{- $a := mustMergeOverwrite $defaults $profile }} +{{- end }} +# Flatten globals, if defined on a per-chart basis +{{- if true }} +{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} +{{- end }} +{{- $x := set $.Values "_original" (deepCopy $.Values) }} +{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} + +{{/* +Labels that should be applied to ALL resources. +*/}} +{{- define "istio.labels" -}} +{{- if .Release.Service -}} +app.kubernetes.io/managed-by: {{ .Release.Service | quote }} +{{- end }} +{{- if .Release.Name }} +app.kubernetes.io/instance: {{ .Release.Name | quote }} +{{- end }} +app.kubernetes.io/part-of: "istio" +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +{{- if and .Chart.Name .Chart.Version }} +helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/values.schema.json b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/values.schema.json new file mode 100644 index 0000000000..9263245a24 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/values.schema.json @@ -0,0 +1,359 @@ +{ + "$schema": "http://json-schema.org/schema#", + "$defs": { + "values": { + "type": "object", + "additionalProperties": false, + "properties": { + "_internal_defaults_do_not_set": { + "type": "object" + }, + "global": { + "type": "object" + }, + "affinity": { + "type": "object" + }, + "securityContext": { + "type": [ + "object", + "null" + ] + }, + "containerSecurityContext": { + "type": [ + "object", + "null" + ] + }, + "kind": { + "type": "string", + "enum": [ + "Deployment", + "DaemonSet" + ] + }, + "annotations": { + "additionalProperties": { + "type": [ + "string", + "integer" + ] + }, + "type": "object" + }, + "autoscaling": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "maxReplicas": { + "type": "integer" + }, + "minReplicas": { + "type": "integer" + }, + "targetCPUUtilizationPercentage": { + "type": "integer" + } + } + }, + "env": { + "type": "object" + }, + "envVarFrom": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { "type": "string" }, + "valueFrom": { "type": "object" } + } + } + }, + "strategy": { + "type": "object" + }, + "minReadySeconds": { + "type": [ "null", "integer" ] + }, + "readinessProbe": { + "type": [ "null", "object" ] + }, + "labels": { + "type": "object" + }, + "name": { + "type": "string" + }, + "nodeSelector": { + "type": "object" + }, + "podAnnotations": { + "type": "object", + "properties": { + "inject.istio.io/templates": { + "type": "string" + }, + "prometheus.io/path": { + "type": "string" + }, + "prometheus.io/port": { + "type": "string" + }, + "prometheus.io/scrape": { + "type": "string" + } + } + }, + "replicaCount": { + "type": [ + "integer", + "null" + ] + }, + "resources": { + "type": "object", + "properties": { + "limits": { + "type": ["object", "null"], + "properties": { + "cpu": { + "type": ["string", "null"] + }, + "memory": { + "type": ["string", "null"] + } + } + }, + "requests": { + "type": ["object", "null"], + "properties": { + "cpu": { + "type": ["string", "null"] + }, + "memory": { + "type": ["string", "null"] + } + } + } + } + }, + "revision": { + "type": "string" + }, + "defaultRevision": { + "type": "string" + }, + "compatibilityVersion": { + "type": "string" + }, + "profile": { + "type": "string" + }, + "platform": { + "type": "string" + }, + "pilot": { + "type": "object" + }, + "runAsRoot": { + "type": "boolean" + }, + "unprivilegedPort": { + "type": [ + "string", + "boolean" + ], + "enum": [ + true, + false, + "auto" + ] + }, + "service": { + "type": "object", + "properties": { + "annotations": { + "type": "object" + }, + "selectorLabels": { + "type": "object", + "additionalProperties": { + "type": "string" + } + }, + "externalTrafficPolicy": { + "type": "string" + }, + "loadBalancerIP": { + "type": "string" + }, + "loadBalancerSourceRanges": { + "type": "array" + }, + "ipFamilies": { + "items": { + "type": "string", + "enum": [ + "IPv4", + "IPv6" + ] + } + }, + "ipFamilyPolicy": { + "type": "string", + "enum": [ + "", + "SingleStack", + "PreferDualStack", + "RequireDualStack" + ] + }, + "ports": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "port": { + "type": "integer" + }, + "protocol": { + "type": "string" + }, + "targetPort": { + "type": "integer" + } + } + } + }, + "type": { + "type": "string" + } + } + }, + "serviceAccount": { + "type": "object", + "properties": { + "annotations": { + "type": "object" + }, + "name": { + "type": "string" + }, + "create": { + "type": "boolean" + } + } + }, + "rbac": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, + "tolerations": { + "type": "array" + }, + "topologySpreadConstraints": { + "type": "array" + }, + "networkGateway": { + "type": "string" + }, + "imagePullPolicy": { + "type": "string", + "enum": [ + "", + "Always", + "IfNotPresent", + "Never" + ] + }, + "imagePullSecrets": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + } + } + } + }, + "podDisruptionBudget": { + "type": "object", + "properties": { + "minAvailable": { + "type": [ + "integer", + "string" + ] + }, + "maxUnavailable": { + "type": [ + "integer", + "string" + ] + }, + "unhealthyPodEvictionPolicy": { + "type": "string", + "enum": [ + "", + "IfHealthyBudget", + "AlwaysAllow" + ] + } + } + }, + "terminationGracePeriodSeconds": { + "type": "number" + }, + "volumes": { + "type": "array", + "items": { + "type": "object" + } + }, + "volumeMounts": { + "type": "array", + "items": { + "type": "object" + } + }, + "initContainers": { + "type": "array", + "items": { "type": "object" } + }, + "additionalContainers": { + "type": "array", + "items": { "type": "object" } + }, + "priorityClassName": { + "type": "string" + }, + "lifecycle": { + "type": "object", + "properties": { + "postStart": { + "type": "object" + }, + "preStop": { + "type": "object" + } + } + } + } + } + }, + "defaults": { + "$ref": "#/$defs/values" + }, + "$ref": "#/$defs/values" +} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/values.yaml new file mode 100644 index 0000000000..d463634ec4 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/gateway/values.yaml @@ -0,0 +1,204 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + # Name allows overriding the release name. Generally this should not be set + name: "" + # revision declares which revision this gateway is a part of + revision: "" + + # Controls the spec.replicas setting for the Gateway deployment if set. + # Otherwise defaults to Kubernetes Deployment default (1). + replicaCount: + + kind: Deployment + + rbac: + # If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed + # when using http://gateway-api.org/. + enabled: true + + serviceAccount: + # If set, a service account will be created. Otherwise, the default is used + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set, the release name is used + name: "" + + podAnnotations: + prometheus.io/port: "15020" + prometheus.io/scrape: "true" + prometheus.io/path: "/stats/prometheus" + inject.istio.io/templates: "gateway" + sidecar.istio.io/inject: "true" + + # Define the security context for the pod. + # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. + # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. + securityContext: {} + containerSecurityContext: {} + + service: + # Type of service. Set to "None" to disable the service entirely + type: LoadBalancer + # Set to a specific ClusterIP, or "" for automatic assignment + clusterIP: "" + # Additional labels to add to the service selector + selectorLabels: {} + ports: + - name: status-port + port: 15021 + protocol: TCP + targetPort: 15021 + - name: http2 + port: 80 + protocol: TCP + targetPort: 80 + - name: https + port: 443 + protocol: TCP + targetPort: 443 + annotations: {} + loadBalancerIP: "" + loadBalancerSourceRanges: [] + externalTrafficPolicy: "" + externalIPs: [] + ipFamilyPolicy: "" + ipFamilies: [] + ## Whether to automatically allocate NodePorts (only for LoadBalancers). + # allocateLoadBalancerNodePorts: false + ## Set LoadBalancer class (only for LoadBalancers). + # loadBalancerClass: "" + + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 1024Mi + + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 5 + targetCPUUtilizationPercentage: 80 + targetMemoryUtilizationPercentage: {} + autoscaleBehavior: {} + + # Pod environment variables + env: {} + + # Use envVarFrom to define full environment variable entries with complex sources, + # such as valueFrom.secretKeyRef, valueFrom.configMapKeyRef. Each item must include a `name` and `valueFrom`. + # + # Example: + # envVarFrom: + # - name: EXAMPLE_SECRET + # valueFrom: + # secretKeyRef: + # name: example-name + # key: example-key + envVarFrom: [] + + # Deployment Update strategy + strategy: {} + + # Sets the Deployment minReadySeconds value + minReadySeconds: + + # Optionally configure a custom readinessProbe. By default the control plane + # automatically injects the readinessProbe. If you wish to override that + # behavior, you may define your own readinessProbe here. + readinessProbe: {} + + # Labels to apply to all resources + labels: + # By default, don't enroll gateways into the ambient dataplane + "istio.io/dataplane-mode": none + + # Annotations to apply to all resources + annotations: {} + + nodeSelector: {} + + tolerations: [] + + topologySpreadConstraints: [] + + affinity: {} + + # If specified, the gateway will act as a network gateway for the given network. + networkGateway: "" + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent + imagePullPolicy: "" + + imagePullSecrets: [] + + # This value is used to configure a Kubernetes PodDisruptionBudget for the gateway. + # + # By default, the `podDisruptionBudget` is disabled (set to `{}`), + # which means that no PodDisruptionBudget resource will be created. + # + # The PodDisruptionBudget can be only enabled if autoscaling is enabled + # with minReplicas > 1 or if autoscaling is disabled but replicaCount > 1. + # + # To enable the PodDisruptionBudget, configure it by specifying the + # `minAvailable` or `maxUnavailable`. For example, to set the + # minimum number of available replicas to 1, you can update this value as follows: + # + # podDisruptionBudget: + # minAvailable: 1 + # + # Or, to allow a maximum of 1 unavailable replica, you can set: + # + # podDisruptionBudget: + # maxUnavailable: 1 + # + # You can also specify the `unhealthyPodEvictionPolicy` field, and the valid values are `IfHealthyBudget` and `AlwaysAllow`. + # For example, to set the `unhealthyPodEvictionPolicy` to `AlwaysAllow`, you can update this value as follows: + # + # podDisruptionBudget: + # minAvailable: 1 + # unhealthyPodEvictionPolicy: AlwaysAllow + # + # To disable the PodDisruptionBudget, you can leave it as an empty object `{}`: + # + # podDisruptionBudget: {} + # + podDisruptionBudget: {} + + # Sets the per-pod terminationGracePeriodSeconds setting. + terminationGracePeriodSeconds: 30 + + # A list of `Volumes` added into the Gateway Pods. See + # https://kubernetes.io/docs/concepts/storage/volumes/. + volumes: [] + + # A list of `VolumeMounts` added into the Gateway Pods. See + # https://kubernetes.io/docs/concepts/storage/volumes/. + volumeMounts: [] + + # Inject initContainers into the Gateway Pods. + initContainers: [] + + # Inject additional containers into the Gateway Pods. + additionalContainers: [] + + # Configure this to a higher priority class in order to make sure your Istio gateway pods + # will not be killed because of low priority class. + # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + # for more detail. + priorityClassName: "" + + # Configure the lifecycle hooks for the gateway. See + # https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/. + lifecycle: {} + + # When enabled, a default NetworkPolicy for gateways will be created + global: + networkPolicy: + enabled: false diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/Chart.yaml new file mode 100644 index 0000000000..99d88e3f9a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/Chart.yaml @@ -0,0 +1,12 @@ +apiVersion: v2 +appVersion: 1.28.4 +description: Helm chart for istio control plane +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio +- istiod +- istio-discovery +name: istiod +sources: +- https://github.com/istio/istio +version: 1.28.4 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/README.md new file mode 100644 index 0000000000..44f7b1d8ca --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/README.md @@ -0,0 +1,73 @@ +# Istiod Helm Chart + +This chart installs an Istiod deployment. + +## Setup Repo Info + +```console +helm repo add istio https://istio-release.storage.googleapis.com/charts +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Installing the Chart + +Before installing, ensure CRDs are installed in the cluster (from the `istio/base` chart). + +To install the chart with the release name `istiod`: + +```console +kubectl create namespace istio-system +helm install istiod istio/istiod --namespace istio-system +``` + +## Uninstalling the Chart + +To uninstall/delete the `istiod` deployment: + +```console +helm delete istiod --namespace istio-system +``` + +## Configuration + +To view supported configuration options and documentation, run: + +```console +helm show values istio/istiod +``` + +### Profiles + +Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. +These can be set with `--set profile=`. +For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. + +For consistency, the same profiles are used across each chart, even if they do not impact a given chart. + +Explicitly set values have highest priority, then profile settings, then chart defaults. + +As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. +When configuring the chart, you should not include this. +That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. + +### Examples + +#### Configuring mesh configuration settings + +Any [Mesh Config](https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/) options can be configured like below: + +```yaml +meshConfig: + accessLogFile: /dev/stdout +``` + +#### Revisions + +Control plane revisions allow deploying multiple versions of the control plane in the same cluster. +This allows safe [canary upgrades](https://istio.io/latest/docs/setup/upgrade/canary/) + +```yaml +revision: my-revision-name +``` diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/files/gateway-injection-template.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/files/gateway-injection-template.yaml new file mode 100644 index 0000000000..bc15ee3c31 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/files/gateway-injection-template.yaml @@ -0,0 +1,274 @@ +{{- $containers := list }} +{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} +metadata: + labels: + service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} + service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} + annotations: + istio.io/rev: {{ .Revision | default "default" | quote }} + {{- if ge (len $containers) 1 }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} + kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}" + {{- end }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}" + {{- end }} + {{- end }} +spec: + securityContext: + {{- if .Values.gateways.securityContext }} + {{- toYaml .Values.gateways.securityContext | nindent 4 }} + {{- else }} + sysctls: + - name: net.ipv4.ip_unprivileged_port_start + value: "0" + {{- end }} + containers: + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - router + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} + - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} + {{- end }} + securityContext: + runAsUser: {{ .ProxyUID | default "1337" }} + runAsGroup: {{ .ProxyGID | default "1337" }} + env: + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + {{- if .CompliancePolicy }} + - name: COMPLIANCE_POLICY + value: "{{ .CompliancePolicy }}" + {{- end }} + - name: ISTIO_META_APP_CONTAINERS + value: "{{ $containers | join "," }}" + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ .ProxyConfig.InterceptionMode.String }}" + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{- if .DeploymentMeta.Name }} + - name: ISTIO_META_WORKLOAD_NAME + value: "{{ .DeploymentMeta.Name }}" + {{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: ISTIO_BOOTSTRAP_OVERRIDE + value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" + {{- end }} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + readinessProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }} + timeoutSeconds: 3 + failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }} + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + - name: credential-socket + mountPath: /var/run/secrets/credential-uds + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - mountPath: /etc/istio/custom-bootstrap + name: custom-bootstrap-volume + {{- end }} + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + volumes: + - emptyDir: + name: workload-socket + - emptyDir: {} + name: credential-socket + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- else}} + - emptyDir: {} + name: workload-certs + {{- end }} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: custom-bootstrap-volume + configMap: + name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - name: istio-certs + secret: + optional: true + {{ if eq .Spec.ServiceAccountName "" }} + secretName: istio.default + {{ else -}} + secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} + {{ end -}} + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/files/grpc-agent.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/files/grpc-agent.yaml new file mode 100644 index 0000000000..3b9240e36c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/files/grpc-agent.yaml @@ -0,0 +1,318 @@ +{{- define "resources" }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} + requests: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} + cpu: {{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` | quote }} + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} + memory: {{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` | quote }} + {{ end }} + {{- end }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + limits: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} + cpu: {{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` | quote }} + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} + memory: {{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` | quote }} + {{ end }} + {{- end }} + {{- else }} + {{- if .Values.global.proxy.resources }} + {{ toYaml .Values.global.proxy.resources | indent 6 }} + {{- end }} + {{- end }} +{{- end }} +{{- $containers := list }} +{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} +metadata: + labels: + {{/* security.istio.io/tlsMode: istio must be set by user, if gRPC is using mTLS initialization code. We can't set it automatically. */}} + service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} + service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} + annotations: { + istio.io/rev: {{ .Revision | default "default" | quote }}, + {{- if ge (len $containers) 1 }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} + kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", + {{- end }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", + {{- end }} + {{- end }} + sidecar.istio.io/rewriteAppHTTPProbers: "false", + } +spec: + containers: + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + ports: + - containerPort: 15020 + protocol: TCP + name: mesh-metrics + args: + - proxy + - sidecar + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} + - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + lifecycle: + postStart: + exec: + command: + - pilot-agent + - wait + - --url=http://localhost:15020/healthz/ready + env: + - name: ISTIO_META_GENERATOR + value: grpc + - name: OUTPUT_CERTS + value: /var/lib/istio/data + {{- if eq .InboundTrafficPolicyMode "localhost" }} + - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION + value: "true" + {{- end }} + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: ISTIO_META_APP_CONTAINERS + value: "{{ $containers | join "," }}" + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{- if .DeploymentMeta.Name }} + - name: ISTIO_META_WORKLOAD_NAME + value: "{{ .DeploymentMeta.Name }}" + {{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + # grpc uses xds:/// to resolve – no need to resolve VIP + - name: ISTIO_META_DNS_CAPTURE + value: "false" + - name: DISABLE_ENVOY + value: "true" + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} + readinessProbe: + httpGet: + path: /healthz/ready + port: 15020 + initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} + timeoutSeconds: 3 + failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} + resources: + {{ template "resources" . }} + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + # UDS channel between istioagent and gRPC client for XDS/SDS + - mountPath: /etc/istio/proxy + name: istio-xds + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} + {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 6 }} + {{ end }} + {{- end }} +{{- range $index, $container := .Spec.Containers }} +{{ if not (eq $container.Name "istio-proxy") }} + - name: {{ $container.Name }} + env: + - name: "GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT" + value: "true" + - name: "GRPC_XDS_BOOTSTRAP" + value: "/etc/istio/proxy/grpc-bootstrap.json" + volumeMounts: + - mountPath: /var/lib/istio/data + name: istio-data + # UDS channel between istioagent and gRPC client for XDS/SDS + - mountPath: /etc/istio/proxy + name: istio-xds + {{- if eq $.Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} +{{- end }} +{{- end }} + volumes: + - emptyDir: + name: workload-socket + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- else }} + - emptyDir: + name: workload-certs + {{- end }} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: custom-bootstrap-volume + configMap: + name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-xds + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - name: istio-certs + secret: + optional: true + {{ if eq .Spec.ServiceAccountName "" }} + secretName: istio.default + {{ else -}} + secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} + {{ end -}} + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} + {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 4 }} + {{ end }} + {{ end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/files/grpc-simple.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/files/grpc-simple.yaml new file mode 100644 index 0000000000..9ba0c7a46a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/files/grpc-simple.yaml @@ -0,0 +1,65 @@ +metadata: + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "false" +spec: + initContainers: + - name: grpc-bootstrap-init + image: busybox:1.28 + volumeMounts: + - mountPath: /var/lib/grpc/data/ + name: grpc-io-proxyless-bootstrap + env: + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: ISTIO_NAMESPACE + value: | + {{ .Values.global.istioNamespace }} + command: + - sh + - "-c" + - |- + NODE_ID="sidecar~${INSTANCE_IP}~${POD_NAME}.${POD_NAMESPACE}~cluster.local" + SERVER_URI="dns:///istiod.${ISTIO_NAMESPACE}.svc:15010" + echo ' + { + "xds_servers": [ + { + "server_uri": "'${SERVER_URI}'", + "channel_creds": [{"type": "insecure"}], + "server_features" : ["xds_v3"] + } + ], + "node": { + "id": "'${NODE_ID}'", + "metadata": { + "GENERATOR": "grpc" + } + } + }' > /var/lib/grpc/data/bootstrap.json + containers: + {{- range $index, $container := .Spec.Containers }} + - name: {{ $container.Name }} + env: + - name: GRPC_XDS_BOOTSTRAP + value: /var/lib/grpc/data/bootstrap.json + - name: GRPC_GO_LOG_VERBOSITY_LEVEL + value: "99" + - name: GRPC_GO_LOG_SEVERITY_LEVEL + value: info + volumeMounts: + - mountPath: /var/lib/grpc/data/ + name: grpc-io-proxyless-bootstrap + {{- end }} + volumes: + - name: grpc-io-proxyless-bootstrap + emptyDir: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/files/injection-template.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/files/injection-template.yaml new file mode 100644 index 0000000000..84463bb43b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/files/injection-template.yaml @@ -0,0 +1,549 @@ +{{- define "resources" }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} + requests: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} + cpu: {{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` | quote }} + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} + memory: {{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` | quote }} + {{ end }} + {{- end }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + limits: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} + cpu: {{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` | quote }} + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} + memory: {{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` | quote }} + {{ end }} + {{- end }} + {{- else }} + {{- if .Values.global.proxy.resources }} + {{ toYaml .Values.global.proxy.resources | indent 6 }} + {{- end }} + {{- end }} +{{- end }} +{{ $tproxy := (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) }} +{{ $capNetBindService := (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) }} +{{ $nativeSidecar := ne (index .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar` | default (printf "%t" .NativeSidecars)) "false" }} +{{- $containers := list }} +{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} +metadata: + labels: + security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }} + {{- if eq (index .ProxyConfig.ProxyMetadata "ISTIO_META_ENABLE_HBONE") "true" }} + networking.istio.io/tunnel: {{ index .ObjectMeta.Labels `networking.istio.io/tunnel` | default "http" | quote }} + {{- end }} + service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | trunc 63 | trimSuffix "-" | quote }} + service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} + annotations: { + istio.io/rev: {{ .Revision | default "default" | quote }}, + {{- if ge (len $containers) 1 }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} + kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", + {{- end }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", + {{- end }} + {{- end }} +{{- if .Values.pilot.cni.enabled }} + {{- if eq .Values.pilot.cni.provider "multus" }} + k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `default/istio-cni` }}', + {{- end }} + sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}", + {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }} + {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }} + traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}", + traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}", + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }} + traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}", + {{- end }} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} + traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}", + {{- end }} + {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }} + {{ with index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}istio.io/reroute-virtual-interfaces: "{{.}}",{{ end }} + {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}traffic.sidecar.istio.io/excludeInterfaces: "{{.}}",{{ end }} +{{- end }} + } +spec: + {{- $holdProxy := and + (or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts) + (not $nativeSidecar) }} + {{- $noInitContainer := and + (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE`) + (not $nativeSidecar) }} + {{ if $noInitContainer }} + initContainers: [] + {{ else -}} + initContainers: + {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} + {{ if .Values.pilot.cni.enabled -}} + - name: istio-validation + {{ else -}} + - name: istio-init + {{ end -}} + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + args: + - istio-iptables + - "-p" + - {{ .MeshConfig.ProxyListenPort | default "15001" | quote }} + - "-z" + - {{ .MeshConfig.ProxyInboundListenPort | default "15006" | quote }} + - "-u" + - {{ if $tproxy }} "1337" {{ else }} {{ .ProxyUID | default "1337" | quote }} {{ end }} + - "-m" + - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" + - "-i" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" + - "-x" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" + - "-b" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}" + - "-d" + {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }} + - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" + {{- else }} + - "15090,15021" + {{- end }} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}} + - "-q" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" + {{ end -}} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} + - "-o" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" + {{ end -}} + {{ if (isset .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces`) -}} + - "-k" + - "{{ index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}" + {{ else if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} + - "-k" + - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" + {{ end -}} + {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces`) -}} + - "-c" + - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}" + {{ end -}} + - "--log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}" + {{ if .Values.global.logAsJson -}} + - "--log_as_json" + {{ end -}} + {{ if .Values.pilot.cni.enabled -}} + - "--run-validation" + - "--skip-rule-apply" + {{ else if .Values.global.proxy_init.forceApplyIptables -}} + - "--force-apply" + {{ end -}} + {{ if .Values.global.nativeNftables -}} + - "--native-nftables" + {{ end -}} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + {{- if .ProxyConfig.ProxyMetadata }} + env: + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + resources: + {{ template "resources" . }} + securityContext: + allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} + privileged: {{ .Values.global.proxy.privileged }} + capabilities: + {{- if not .Values.pilot.cni.enabled }} + add: + - NET_ADMIN + - NET_RAW + {{- end }} + drop: + - ALL + {{- if not .Values.pilot.cni.enabled }} + readOnlyRootFilesystem: false + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + {{- else }} + readOnlyRootFilesystem: true + runAsGroup: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyGID | default "1337" }} {{ end }} + runAsUser: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyUID | default "1337" }} {{ end }} + runAsNonRoot: true + {{- end }} + {{- if .Values.global.proxy.seccompProfile }} + seccompProfile: + {{- toYaml .Values.global.proxy.seccompProfile | nindent 8 }} + {{- end }} + {{ end -}} + {{ end -}} + {{ if not $nativeSidecar }} + containers: + {{ end }} + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + {{ if $nativeSidecar }}restartPolicy: Always{{end}} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - sidecar + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} + - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.outlierLogPath }} + - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }} + {{- end}} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} + {{- else if $holdProxy }} + lifecycle: + postStart: + exec: + command: + - pilot-agent + - wait + {{- else if $nativeSidecar }} + {{- /* preStop is called when the pod starts shutdown. Initialize drain. We will get SIGTERM once applications are torn down. */}} + lifecycle: + preStop: + exec: + command: + - pilot-agent + - request + - --debug-port={{(annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort)}} + - POST + - drain + {{- end }} + env: + {{- if eq .InboundTrafficPolicyMode "localhost" }} + - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION + value: "true" + {{- end }} + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: ISTIO_META_APP_CONTAINERS + value: "{{ $containers | join "," }}" + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + {{- if .CompliancePolicy }} + - name: COMPLIANCE_POLICY + value: "{{ .CompliancePolicy }}" + {{- end }} + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{- with (index .ObjectMeta.Labels `service.istio.io/workload-name` | default .DeploymentMeta.Name) }} + - name: ISTIO_META_WORKLOAD_NAME + value: "{{ . }}" + {{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: ISTIO_BOOTSTRAP_OVERRIDE + value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" + {{- end }} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} + {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} + {{ if .Values.global.proxy.startupProbe.enabled }} + startupProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: 0 + periodSeconds: 1 + timeoutSeconds: 3 + failureThreshold: {{ .Values.global.proxy.startupProbe.failureThreshold }} + {{ end }} + readinessProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} + timeoutSeconds: 3 + failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} + {{ end -}} + securityContext: + {{- if eq (index .ProxyConfig.ProxyMetadata "IPTABLES_TRACE_LOGGING") "true" }} + allowPrivilegeEscalation: true + capabilities: + add: + - NET_ADMIN + drop: + - ALL + privileged: true + readOnlyRootFilesystem: true + runAsGroup: {{ .ProxyGID | default "1337" }} + runAsNonRoot: false + runAsUser: 0 + {{- else }} + allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} + capabilities: + {{ if or $tproxy $capNetBindService -}} + add: + {{ if $tproxy -}} + - NET_ADMIN + {{- end }} + {{ if $capNetBindService -}} + - NET_BIND_SERVICE + {{- end }} + {{- end }} + drop: + - ALL + privileged: {{ .Values.global.proxy.privileged }} + readOnlyRootFilesystem: true + {{ if or $tproxy $capNetBindService -}} + runAsNonRoot: false + runAsUser: 0 + runAsGroup: 1337 + {{- else -}} + runAsNonRoot: true + runAsUser: {{ .ProxyUID | default "1337" }} + runAsGroup: {{ .ProxyGID | default "1337" }} + {{- end }} + {{- end }} + {{- if .Values.global.proxy.seccompProfile }} + seccompProfile: + {{- toYaml .Values.global.proxy.seccompProfile | nindent 8 }} + {{- end }} + resources: + {{ template "resources" . }} + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + - name: credential-socket + mountPath: /var/run/secrets/credential-uds + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + - mountPath: /var/run/secrets/istio/crl + name: istio-ca-crl + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - mountPath: /etc/istio/custom-bootstrap + name: custom-bootstrap-volume + {{- end }} + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} + - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }} + name: lightstep-certs + readOnly: true + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} + {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 6 }} + {{ end }} + {{- end }} + volumes: + - emptyDir: + name: workload-socket + - emptyDir: + name: credential-socket + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- else }} + - emptyDir: + name: workload-certs + {{- end }} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: custom-bootstrap-volume + configMap: + name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + {{- end }} + - name: istio-ca-crl + configMap: + name: istio-ca-crl + optional: true + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - name: istio-certs + secret: + optional: true + {{ if eq .Spec.ServiceAccountName "" }} + secretName: istio.default + {{ else -}} + secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} + {{ end -}} + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} + {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 4 }} + {{ end }} + {{ end }} + {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} + - name: lightstep-certs + secret: + optional: true + secretName: lightstep.cacert + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/files/kube-gateway.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/files/kube-gateway.yaml new file mode 100644 index 0000000000..8a34ea8a8c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/files/kube-gateway.yaml @@ -0,0 +1,407 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{.ServiceAccount | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.networking.k8s.io/gateway-class-name" .GatewayClass + ) | nindent 4 }} + {{- if ge .KubeVersion 128 }} + # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" + {{- end }} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.networking.k8s.io/gateway-class-name" .GatewayClass + "gateway.istio.io/managed" "istio.io-gateway-controller" + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: "{{.UID}}" +spec: + selector: + matchLabels: + "{{.GatewayNameLabel}}": {{.Name}} + template: + metadata: + annotations: + {{- toJsonMap + (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") + (strdict "istio.io/rev" (.Revision | default "default")) + (strdict + "prometheus.io/path" "/stats/prometheus" + "prometheus.io/port" "15020" + "prometheus.io/scrape" "true" + ) | nindent 8 }} + labels: + {{- toJsonMap + (strdict + "sidecar.istio.io/inject" "false" + "service.istio.io/canonical-name" .DeploymentName + "service.istio.io/canonical-revision" "latest" + ) + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.networking.k8s.io/gateway-class-name" .GatewayClass + "gateway.istio.io/managed" "istio.io-gateway-controller" + ) | nindent 8 }} + spec: + securityContext: + {{- if .Values.gateways.securityContext }} + {{- toYaml .Values.gateways.securityContext | nindent 8 }} + {{- else }} + sysctls: + - name: net.ipv4.ip_unprivileged_port_start + value: "0" + {{- if .Values.gateways.seccompProfile }} + seccompProfile: + {{- toYaml .Values.gateways.seccompProfile | nindent 10 }} + {{- end }} + {{- end }} + serviceAccountName: {{.ServiceAccount | quote}} + containers: + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + {{- if .Values.global.proxy.resources }} + resources: + {{- toYaml .Values.global.proxy.resources | nindent 10 }} + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + securityContext: + capabilities: + drop: + - ALL + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsUser: {{ .ProxyUID | default "1337" }} + runAsGroup: {{ .ProxyGID | default "1337" }} + runAsNonRoot: true + ports: + - containerPort: 15020 + name: metrics + protocol: TCP + - containerPort: 15021 + name: status-port + protocol: TCP + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - router + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} + - --proxyComponentLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} + - --log_output_level + - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{- toYaml .Values.global.proxy.lifecycle | nindent 10 }} + {{- end }} + env: + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: "[]" + - name: ISTIO_META_APP_CONTAINERS + value: "" + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName .ClusterID }}" + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ .ProxyConfig.InterceptionMode.String }}" + {{- with (valueOrDefault (index .InfrastructureLabels "topology.istio.io/network") .Values.global.network) }} + - name: ISTIO_META_NETWORK + value: {{.|quote}} + {{- end }} + - name: ISTIO_META_WORKLOAD_NAME + value: {{.DeploymentName|quote}} + - name: ISTIO_META_OWNER + value: "kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}}" + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- with (index .InfrastructureLabels "topology.istio.io/network") }} + - name: ISTIO_META_REQUESTED_NETWORK_VIEW + value: {{.|quote}} + {{- end }} + startupProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 1 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + failureThreshold: 4 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 0 + periodSeconds: 15 + successThreshold: 1 + timeoutSeconds: 1 + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + - name: credential-socket + mountPath: /var/run/secrets/credential-uds + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + - name: istio-podinfo + mountPath: /etc/istio/pod + volumes: + - emptyDir: {} + name: workload-socket + - emptyDir: {} + name: credential-socket + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- else}} + - emptyDir: {} + name: workload-certs + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + {{- if eq ((.Values.pilot).env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +--- +apiVersion: v1 +kind: Service +metadata: + annotations: + {{ toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.networking.k8s.io/gateway-class-name" .GatewayClass + ) | nindent 4 }} + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: {{.UID}} +spec: + ipFamilyPolicy: PreferDualStack + ports: + {{- range $key, $val := .Ports }} + - name: {{ $val.Name | quote }} + port: {{ $val.Port }} + protocol: TCP + appProtocol: {{ $val.AppProtocol }} + {{- end }} + selector: + "{{.GatewayNameLabel}}": {{.Name}} + {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} + loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} + {{- end }} + type: {{ .ServiceType | quote }} +--- +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.networking.k8s.io/gateway-class-name" .GatewayClass + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: "{{.UID}}" +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{.DeploymentName | quote}} + maxReplicas: 1 +--- +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.networking.k8s.io/gateway-class-name" .GatewayClass + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: "{{.UID}}" +spec: + selector: + matchLabels: + gateway.networking.k8s.io/gateway-name: {{.Name|quote}} + diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/files/profile-ambient.yaml new file mode 100644 index 0000000000..495fbcd434 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/files/profile-ambient.yaml @@ -0,0 +1,24 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" + serviceScopeConfigs: + - servicesSelector: + matchExpressions: + - key: istio.io/global + operator: In + values: ["true"] + scope: GLOBAL +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..d04117bfc0 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,14 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.27 behavioral changes + ENABLE_NATIVE_SIDECARS: "false" + # 1.28 behavioral changes + DISABLE_SHADOW_HOST_SUFFIX: "false" + PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/files/profile-compatibility-version-1.26.yaml new file mode 100644 index 0000000000..8fe80112bf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/files/profile-compatibility-version-1.26.yaml @@ -0,0 +1,11 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.27 behavioral changes + ENABLE_NATIVE_SIDECARS: "false" + # 1.28 behavioral changes + DISABLE_SHADOW_HOST_SUFFIX: "false" + PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/files/profile-compatibility-version-1.27.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/files/profile-compatibility-version-1.27.yaml new file mode 100644 index 0000000000..209157cccf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/files/profile-compatibility-version-1.27.yaml @@ -0,0 +1,9 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.28 behavioral changes + DISABLE_SHADOW_HOST_SUFFIX: "false" + PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/files/profile-demo.yaml new file mode 100644 index 0000000000..d6dc36dd0f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/files/profile-demo.yaml @@ -0,0 +1,94 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The demo profile enables a variety of things to try out Istio in non-production environments. +# * Lower resource utilization. +# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. +# * More ports enabled on the ingress, which is used in some tasks. +meshConfig: + accessLogFile: /dev/stdout + extensionProviders: + - name: otel + envoyOtelAls: + service: opentelemetry-collector.observability.svc.cluster.local + port: 4317 + - name: skywalking + skywalking: + service: tracing.istio-system.svc.cluster.local + port: 11800 + - name: otel-tracing + opentelemetry: + port: 4317 + service: opentelemetry-collector.observability.svc.cluster.local + - name: jaeger + opentelemetry: + port: 4317 + service: jaeger-collector.istio-system.svc.cluster.local + +cni: + resources: + requests: + cpu: 10m + memory: 40Mi + +ztunnel: + resources: + requests: + cpu: 10m + memory: 40Mi + +global: + proxy: + resources: + requests: + cpu: 10m + memory: 40Mi + waypoint: + resources: + requests: + cpu: 10m + memory: 40Mi + +pilot: + autoscaleEnabled: false + traceSampling: 100 + resources: + requests: + cpu: 10m + memory: 100Mi + +gateways: + istio-egressgateway: + autoscaleEnabled: false + resources: + requests: + cpu: 10m + memory: 40Mi + istio-ingressgateway: + autoscaleEnabled: false + ports: + ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. + # Note that AWS ELB will by default perform health checks on the first port + # on this list. Setting this to the health check port will ensure that health + # checks always work. https://github.com/istio/istio/issues/12503 + - port: 15021 + targetPort: 15021 + name: status-port + - port: 80 + targetPort: 8080 + name: http2 + - port: 443 + targetPort: 8443 + name: https + - port: 31400 + targetPort: 31400 + name: tcp + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + resources: + requests: + cpu: 10m + memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/files/profile-platform-gke.yaml new file mode 100644 index 0000000000..dfe8a7d741 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/files/profile-platform-gke.yaml @@ -0,0 +1,10 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work + resourceQuotas: + enabled: true +resourceQuotas: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/files/profile-platform-k3d.yaml new file mode 100644 index 0000000000..cd86d9ec58 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/files/profile-platform-k3d.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/files/profile-platform-k3s.yaml new file mode 100644 index 0000000000..07820106d9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/files/profile-platform-k3s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/files/profile-platform-microk8s.yaml new file mode 100644 index 0000000000..57d7f5e3cd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/files/profile-platform-microk8s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/snap/microk8s/current/args/cni-network + cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/files/profile-platform-minikube.yaml new file mode 100644 index 0000000000..fa9992e204 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/files/profile-platform-minikube.yaml @@ -0,0 +1,6 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/files/profile-platform-openshift.yaml new file mode 100644 index 0000000000..8ddc5e1654 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/files/profile-platform-openshift.yaml @@ -0,0 +1,19 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The OpenShift profile provides a basic set of settings to run Istio on OpenShift +cni: + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + provider: "multus" +pilot: + cni: + enabled: true + provider: "multus" +seLinuxOptions: + type: spc_t +# Openshift requires privileged pods to run in kube-system +trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/files/profile-preview.yaml new file mode 100644 index 0000000000..181d7bda2c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/files/profile-preview.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +meshConfig: + defaultConfig: + proxyMetadata: + # Enable Istio agent to handle DNS requests for known hosts + # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf + ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/files/profile-remote.yaml new file mode 100644 index 0000000000..d17b9a801a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/files/profile-remote.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. +istiodRemote: + enabled: true +configMap: false +telemetry: + enabled: false +global: + # TODO BML maybe a different profile for a configcluster/revisit this + omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/files/profile-stable.yaml new file mode 100644 index 0000000000..358282e69b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/files/profile-stable.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The stable profile deploys admission control to ensure that only stable resources and fields are used +# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE +experimental: + stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/files/waypoint.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/files/waypoint.yaml new file mode 100644 index 0000000000..7feed59a36 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/files/waypoint.yaml @@ -0,0 +1,405 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{.ServiceAccount | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.networking.k8s.io/gateway-class-name" .GatewayClass + ) | nindent 4 }} + {{- if ge .KubeVersion 128 }} + # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" + {{- end }} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.networking.k8s.io/gateway-class-name" .GatewayClass + "gateway.istio.io/managed" .ControllerLabel + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" +spec: + selector: + matchLabels: + "{{.GatewayNameLabel}}": "{{.Name}}" + template: + metadata: + annotations: + {{- toJsonMap + (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") + (strdict "istio.io/rev" (.Revision | default "default")) + (strdict + "prometheus.io/path" "/stats/prometheus" + "prometheus.io/port" "15020" + "prometheus.io/scrape" "true" + ) | nindent 8 }} + labels: + {{- toJsonMap + (strdict + "sidecar.istio.io/inject" "false" + "istio.io/dataplane-mode" "none" + "service.istio.io/canonical-name" .DeploymentName + "service.istio.io/canonical-revision" "latest" + ) + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.networking.k8s.io/gateway-class-name" .GatewayClass + "gateway.istio.io/managed" .ControllerLabel + ) | nindent 8}} + spec: + {{- if .Values.global.waypoint.affinity }} + affinity: + {{- toYaml .Values.global.waypoint.affinity | nindent 8 }} + {{- end }} + {{- if .Values.global.waypoint.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml .Values.global.waypoint.topologySpreadConstraints | nindent 8 }} + {{- end }} + {{- if .Values.global.waypoint.nodeSelector }} + nodeSelector: + {{- toYaml .Values.global.waypoint.nodeSelector | nindent 8 }} + {{- end }} + {{- if .Values.global.waypoint.tolerations }} + tolerations: + {{- toYaml .Values.global.waypoint.tolerations | nindent 8 }} + {{- end }} + serviceAccountName: {{.ServiceAccount | quote}} + containers: + - name: istio-proxy + ports: + - containerPort: 15020 + name: metrics + protocol: TCP + - containerPort: 15021 + name: status-port + protocol: TCP + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + args: + - proxy + - waypoint + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --serviceCluster + - {{.ServiceAccount}}.$(POD_NAMESPACE) + - --proxyLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} + - --proxyComponentLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} + - --log_output_level + - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.outlierLogPath }} + - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }} + {{- end}} + env: + - name: ISTIO_META_SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + {{- if .ProxyConfig.ProxyMetadata }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + {{- $network := valueOrDefault (index .InfrastructureLabels `topology.istio.io/network`) .Values.global.network }} + {{- if $network }} + - name: ISTIO_META_NETWORK + value: "{{ $network }}" + {{- if eq .ControllerLabel "istio.io-eastwest-controller" }} + - name: ISTIO_META_REQUESTED_NETWORK_VIEW + value: "{{ $network }}" + {{- end }} + {{- end }} + - name: ISTIO_META_INTERCEPTION_MODE + value: REDIRECT + - name: ISTIO_META_WORKLOAD_NAME + value: {{.DeploymentName}} + - name: ISTIO_META_OWNER + value: kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- if .Values.global.waypoint.resources }} + resources: + {{- toYaml .Values.global.waypoint.resources | nindent 10 }} + {{- end }} + startupProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 1 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + failureThreshold: 4 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 0 + periodSeconds: 15 + successThreshold: 1 + timeoutSeconds: 1 + securityContext: + privileged: false + {{- if not (eq .Values.global.platform "openshift") }} + runAsGroup: 1337 + runAsUser: 1337 + {{- end }} + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL +{{- if .Values.gateways.seccompProfile }} + seccompProfile: +{{- toYaml .Values.gateways.seccompProfile | nindent 12 }} +{{- end }} + volumeMounts: + - mountPath: /var/run/secrets/workload-spiffe-uds + name: workload-socket + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + - mountPath: /var/lib/istio/data + name: istio-data + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + - mountPath: /etc/istio/pod + name: istio-podinfo + volumes: + - emptyDir: {} + name: workload-socket + - emptyDir: + medium: Memory + name: istio-envoy + - emptyDir: + medium: Memory + name: go-proxy-envoy + - emptyDir: {} + name: istio-data + - emptyDir: {} + name: go-proxy-data + - downwardAPI: + items: + - fieldRef: + fieldPath: metadata.labels + path: labels + - fieldRef: + fieldPath: metadata.annotations + path: annotations + name: istio-podinfo + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: istio-ca + expirationSeconds: 43200 + path: istio-token + - name: istiod-ca-cert + {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +--- +apiVersion: v1 +kind: Service +metadata: + annotations: + {{ toJsonMap + (strdict "networking.istio.io/traffic-distribution" "PreferClose") + (omit .InfrastructureAnnotations + "kubectl.kubernetes.io/last-applied-configuration" + "gateway.istio.io/name-override" + "gateway.istio.io/service-account" + "gateway.istio.io/controller-version" + ) | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.networking.k8s.io/gateway-class-name" .GatewayClass + ) | nindent 4 }} + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" +spec: + ipFamilyPolicy: PreferDualStack + ports: + {{- range $key, $val := .Ports }} + - name: {{ $val.Name | quote }} + port: {{ $val.Port }} + protocol: TCP + appProtocol: {{ $val.AppProtocol }} + {{- end }} + selector: + "{{.GatewayNameLabel}}": "{{.Name}}" + {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} + loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} + {{- end }} + type: {{ .ServiceType | quote }} +--- +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.networking.k8s.io/gateway-class-name" .GatewayClass + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: "{{.UID}}" +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{.DeploymentName | quote}} + maxReplicas: 1 +--- +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.networking.k8s.io/gateway-class-name" .GatewayClass + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: "{{.UID}}" +spec: + selector: + matchLabels: + gateway.networking.k8s.io/gateway-name: {{.Name|quote}} + diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/NOTES.txt new file mode 100644 index 0000000000..0d07ea7f4c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/NOTES.txt @@ -0,0 +1,82 @@ +"istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}" successfully installed! + +To learn more about the release, try: + $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} + $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} + +Next steps: +{{- $profile := default "" .Values.profile }} +{{- if (eq $profile "ambient") }} + * Get started with ambient: https://istio.io/latest/docs/ops/ambient/getting-started/ + * Review ambient's architecture: https://istio.io/latest/docs/ops/ambient/architecture/ +{{- else }} + * Deploy a Gateway: https://istio.io/latest/docs/setup/additional-setup/gateway/ + * Try out our tasks to get started on common configurations: + * https://istio.io/latest/docs/tasks/traffic-management + * https://istio.io/latest/docs/tasks/security/ + * https://istio.io/latest/docs/tasks/policy-enforcement/ +{{- end }} + * Review the list of actively supported releases, CVE publications and our hardening guide: + * https://istio.io/latest/docs/releases/supported-releases/ + * https://istio.io/latest/news/security/ + * https://istio.io/latest/docs/ops/best-practices/security/ + +For further documentation see https://istio.io website + +{{- + $deps := dict + "global.outboundTrafficPolicy" "meshConfig.outboundTrafficPolicy" + "global.certificates" "meshConfig.certificates" + "global.localityLbSetting" "meshConfig.localityLbSetting" + "global.policyCheckFailOpen" "meshConfig.policyCheckFailOpen" + "global.enableTracing" "meshConfig.enableTracing" + "global.proxy.accessLogFormat" "meshConfig.accessLogFormat" + "global.proxy.accessLogFile" "meshConfig.accessLogFile" + "global.proxy.concurrency" "meshConfig.defaultConfig.concurrency" + "global.proxy.envoyAccessLogService" "meshConfig.defaultConfig.envoyAccessLogService" + "global.proxy.envoyAccessLogService.enabled" "meshConfig.enableEnvoyAccessLogService" + "global.proxy.envoyMetricsService" "meshConfig.defaultConfig.envoyMetricsService" + "global.proxy.protocolDetectionTimeout" "meshConfig.protocolDetectionTimeout" + "global.proxy.holdApplicationUntilProxyStarts" "meshConfig.defaultConfig.holdApplicationUntilProxyStarts" + "pilot.ingress" "meshConfig.ingressService, meshConfig.ingressControllerMode, and meshConfig.ingressClass" + "global.mtls.enabled" "the PeerAuthentication resource" + "global.mtls.auto" "meshConfig.enableAutoMtls" + "global.tracer.lightstep.address" "meshConfig.defaultConfig.tracing.lightstep.address" + "global.tracer.lightstep.accessToken" "meshConfig.defaultConfig.tracing.lightstep.accessToken" + "global.tracer.zipkin.address" "meshConfig.defaultConfig.tracing.zipkin.address" + "global.tracer.datadog.address" "meshConfig.defaultConfig.tracing.datadog.address" + "global.meshExpansion.enabled" "Gateway and other Istio networking resources, such as in samples/multicluster/" + "istiocoredns.enabled" "the in-proxy DNS capturing (ISTIO_META_DNS_CAPTURE)" +}} +{{- range $dep, $replace := $deps }} +{{- /* Complex logic to turn the string above into a null-safe traversal like ((.Values.global).certificates */}} +{{- $res := tpl (print "{{" (repeat (split "." $dep | len) "(") ".Values." (replace "." ")." $dep) ")}}") $}} +{{- if not (eq $res "")}} +WARNING: {{$dep|quote}} is deprecated; use {{$replace|quote}} instead. +{{- end }} +{{- end }} +{{- + $failDeps := dict + "telemetry.v2.prometheus.configOverride" + "telemetry.v2.stackdriver.configOverride" + "telemetry.v2.stackdriver.disableOutbound" + "telemetry.v2.stackdriver.outboundAccessLogging" + "global.tracer.stackdriver.debug" "meshConfig.defaultConfig.tracing.stackdriver.debug" + "global.tracer.stackdriver.maxNumberOfAttributes" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAttributes" + "global.tracer.stackdriver.maxNumberOfAnnotations" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAnnotations" + "global.tracer.stackdriver.maxNumberOfMessageEvents" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfMessageEvents" + "meshConfig.defaultConfig.tracing.stackdriver.debug" "Istio supported tracers" + "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAttributes" "Istio supported tracers" + "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAnnotations" "Istio supported tracers" + "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfMessageEvents" "Istio supported tracers" +}} +{{- range $dep, $replace := $failDeps }} +{{- /* Complex logic to turn the string above into a null-safe traversal like ((.Values.global).certificates */}} +{{- $res := tpl (print "{{" (repeat (split "." $dep | len) "(") ".Values." (replace "." ")." $dep) ")}}") $}} +{{- if not (eq $res "")}} +{{fail (print $dep " is removed")}} +{{- end }} +{{- end }} +{{- if eq $.Values.global.pilotCertProvider "kubernetes" }} +{{- fail "pilotCertProvider=kubernetes is not supported" }} +{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/_helpers.tpl new file mode 100644 index 0000000000..042c92538d --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/_helpers.tpl @@ -0,0 +1,23 @@ +{{/* Default Prometheus is enabled if its enabled and there are no config overrides set */}} +{{ define "default-prometheus" }} +{{- and + (not .Values.meshConfig.defaultProviders) + .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.prometheus.enabled +}} +{{- end }} + +{{/* SD has metrics and logging split. Default metrics are enabled if SD is enabled */}} +{{ define "default-sd-metrics" }} +{{- and + (not .Values.meshConfig.defaultProviders) + .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled +}} +{{- end }} + +{{/* SD has metrics and logging split. */}} +{{ define "default-sd-logs" }} +{{- and + (not .Values.meshConfig.defaultProviders) + .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled +}} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/autoscale.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/autoscale.yaml new file mode 100644 index 0000000000..9ab43b5bf0 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/autoscale.yaml @@ -0,0 +1,45 @@ +{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} +# Not created if istiod is running remotely +{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} +{{- if and .Values.autoscaleEnabled .Values.autoscaleMin .Values.autoscaleMax }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +spec: + maxReplicas: {{ .Values.autoscaleMax }} + minReplicas: {{ .Values.autoscaleMin }} + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + metrics: + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.cpu.targetAverageUtilization }} + {{- if .Values.memory.targetAverageUtilization }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.memory.targetAverageUtilization }} + {{- end }} + {{- if .Values.autoscaleBehavior }} + behavior: {{ toYaml .Values.autoscaleBehavior | nindent 4 }} + {{- end }} +--- +{{- end }} +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/clusterrole.yaml new file mode 100644 index 0000000000..3280c96b54 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/clusterrole.yaml @@ -0,0 +1,216 @@ +# Created if cluster resources are not omitted +{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} +{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +rules: + # sidecar injection controller + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update", "patch"] + + # configuration validation webhook controller + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update"] + + # istio configuration + # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382) + # please proceed with caution + - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] + verbs: ["get", "watch", "list"] + resources: ["*"] +{{- if .Values.global.istiod.enableAnalysis }} + - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] + verbs: ["update", "patch"] + resources: + - authorizationpolicies/status + - destinationrules/status + - envoyfilters/status + - gateways/status + - peerauthentications/status + - proxyconfigs/status + - requestauthentications/status + - serviceentries/status + - sidecars/status + - telemetries/status + - virtualservices/status + - wasmplugins/status + - workloadentries/status + - workloadgroups/status +{{- end }} + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "workloadentries" ] + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "workloadentries/status", "serviceentries/status" ] + - apiGroups: ["security.istio.io"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "authorizationpolicies/status" ] + - apiGroups: [""] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "services/status" ] + + # auto-detect installed CRD definitions + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch"] + + # discovery and routing + - apiGroups: [""] + resources: ["pods", "nodes", "services", "namespaces", "endpoints"] + verbs: ["get", "list", "watch"] + - apiGroups: ["discovery.k8s.io"] + resources: ["endpointslices"] + verbs: ["get", "list", "watch"] + +{{- if .Values.taint.enabled }} + - apiGroups: [""] + resources: ["nodes"] + verbs: ["patch"] +{{- end }} + + # ingress controller +{{- if .Values.global.istiod.enableAnalysis }} + - apiGroups: ["extensions", "networking.k8s.io"] + resources: ["ingresses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["extensions", "networking.k8s.io"] + resources: ["ingresses/status"] + verbs: ["*"] +{{- end}} + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses", "ingressclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses/status"] + verbs: ["*"] + + # required for CA's namespace controller + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["create", "get", "list", "watch", "update"] + + # Istiod and bootstrap. +{{- $omitCertProvidersForClusterRole := list "istiod" "custom" "none"}} +{{- if or .Values.env.EXTERNAL_CA (not (has .Values.global.pilotCertProvider $omitCertProvidersForClusterRole)) }} + - apiGroups: ["certificates.k8s.io"] + resources: + - "certificatesigningrequests" + - "certificatesigningrequests/approval" + - "certificatesigningrequests/status" + verbs: ["update", "create", "get", "delete", "watch"] + - apiGroups: ["certificates.k8s.io"] + resources: + - "signers" + resourceNames: +{{- range .Values.global.certSigners }} + - {{ . | quote }} +{{- end }} + verbs: ["approve"] +{{- end}} +{{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + - apiGroups: ["certificates.k8s.io"] + resources: ["clustertrustbundles"] + verbs: ["update", "create", "delete", "list", "watch", "get"] + - apiGroups: ["certificates.k8s.io"] + resources: ["signers"] + resourceNames: ["istio.io/istiod-ca"] + verbs: ["attest"] +{{- end }} + + # Used by Istiod to verify the JWT tokens + - apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] + + # Used by Istiod to verify gateway SDS + - apiGroups: ["authorization.k8s.io"] + resources: ["subjectaccessreviews"] + verbs: ["create"] + + # Use for Kubernetes Service APIs + - apiGroups: ["gateway.networking.k8s.io", "gateway.networking.x-k8s.io"] + resources: ["*"] + verbs: ["get", "watch", "list"] + - apiGroups: ["gateway.networking.x-k8s.io"] + resources: + - xbackendtrafficpolicies/status + - xlistenersets/status + verbs: ["update", "patch"] + - apiGroups: ["gateway.networking.k8s.io"] + resources: + - backendtlspolicies/status + - gatewayclasses/status + - gateways/status + - grpcroutes/status + - httproutes/status + - referencegrants/status + - tcproutes/status + - tlsroutes/status + - udproutes/status + verbs: ["update", "patch"] + - apiGroups: ["gateway.networking.k8s.io"] + resources: ["gatewayclasses"] + verbs: ["create", "update", "patch", "delete"] + - apiGroups: ["inference.networking.k8s.io"] + resources: ["inferencepools"] + verbs: ["get", "watch", "list"] + - apiGroups: ["inference.networking.k8s.io"] + resources: ["inferencepools/status"] + verbs: ["update", "patch"] + + # Needed for multicluster secret reading, possibly ingress certs in the future + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "watch", "list"] + + # Used for MCS serviceexport management + - apiGroups: ["{{ $mcsAPIGroup }}"] + resources: ["serviceexports"] + verbs: [ "get", "watch", "list", "create", "delete"] + + # Used for MCS serviceimport management + - apiGroups: ["{{ $mcsAPIGroup }}"] + resources: ["serviceimports"] + verbs: ["get", "watch", "list"] +--- +{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +rules: + - apiGroups: ["apps"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "deployments" ] + - apiGroups: ["autoscaling"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "horizontalpodautoscalers" ] + - apiGroups: ["policy"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "poddisruptionbudgets" ] + - apiGroups: [""] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "services" ] + - apiGroups: [""] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "serviceaccounts"] +{{- end }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..0ca21b9576 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/clusterrolebinding.yaml @@ -0,0 +1,43 @@ +# Created if cluster resources are not omitted +{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} +subjects: + - kind: ServiceAccount + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} +--- +{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} +subjects: +- kind: ServiceAccount + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} +{{- end }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/configmap-jwks.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/configmap-jwks.yaml new file mode 100644 index 0000000000..45943d3839 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/configmap-jwks.yaml @@ -0,0 +1,20 @@ +{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} +# Not created if istiod is running remotely +{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} +{{- if .Values.jwksResolverExtraRootCA }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +data: + extra.pem: {{ .Values.jwksResolverExtraRootCA | quote }} +{{- end }} +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/configmap-values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/configmap-values.yaml new file mode 100644 index 0000000000..dcd1e3530c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/configmap-values.yaml @@ -0,0 +1,21 @@ +{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: values{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + annotations: + kubernetes.io/description: This ConfigMap contains the Helm values used during chart rendering. This ConfigMap is rendered for debugging purposes and external tooling; modifying these values has no effect. + labels: + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +data: + original-values: |- +{{ .Values._original | toPrettyJson | indent 4 }} +{{- $_ := unset $.Values "_original" }} + merged-values: |- +{{ .Values | toPrettyJson | indent 4 }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/configmap.yaml new file mode 100644 index 0000000000..a24ff9ee24 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/configmap.yaml @@ -0,0 +1,113 @@ +{{- define "mesh" }} + # The trust domain corresponds to the trust root of a system. + # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain + trustDomain: "cluster.local" + + # The namespace to treat as the administrative root namespace for Istio configuration. + # When processing a leaf namespace Istio will search for declarations in that namespace first + # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace + # is processed as if it were declared in the leaf namespace. + rootNamespace: {{ .Values.meshConfig.rootNamespace | default .Values.global.istioNamespace }} + + {{ $prom := include "default-prometheus" . | eq "true" }} + {{ $sdMetrics := include "default-sd-metrics" . | eq "true" }} + {{ $sdLogs := include "default-sd-logs" . | eq "true" }} + {{- if or $prom $sdMetrics $sdLogs }} + defaultProviders: + {{- if or $prom $sdMetrics }} + metrics: + {{ if $prom }}- prometheus{{ end }} + {{ if and $sdMetrics $sdLogs }}- stackdriver{{ end }} + {{- end }} + {{- if and $sdMetrics $sdLogs }} + accessLogging: + - stackdriver + {{- end }} + {{- end }} + + defaultConfig: + {{- if .Values.global.meshID }} + meshId: "{{ .Values.global.meshID }}" + {{- end }} + {{- with (.Values.global.proxy.variant | default .Values.global.variant) }} + image: + imageType: {{. | quote}} + {{- end }} + {{- if not (eq .Values.global.proxy.tracer "none") }} + tracing: + {{- if eq .Values.global.proxy.tracer "lightstep" }} + lightstep: + # Address of the LightStep Satellite pool + address: {{ .Values.global.tracer.lightstep.address }} + # Access Token used to communicate with the Satellite pool + accessToken: {{ .Values.global.tracer.lightstep.accessToken }} + {{- else if eq .Values.global.proxy.tracer "zipkin" }} + zipkin: + # Address of the Zipkin collector + address: {{ ((.Values.global.tracer).zipkin).address | default (print "zipkin." .Values.global.istioNamespace ":9411") }} + {{- else if eq .Values.global.proxy.tracer "datadog" }} + datadog: + # Address of the Datadog Agent + address: {{ ((.Values.global.tracer).datadog).address | default "$(HOST_IP):8126" }} + {{- else if eq .Values.global.proxy.tracer "stackdriver" }} + stackdriver: + # enables trace output to stdout. + debug: {{ (($.Values.global.tracer).stackdriver).debug | default "false" }} + # The global default max number of attributes per span. + maxNumberOfAttributes: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAttributes | default "200" }} + # The global default max number of annotation events per span. + maxNumberOfAnnotations: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAnnotations | default "200" }} + # The global default max number of message events per span. + maxNumberOfMessageEvents: {{ (($.Values.global.tracer).stackdriver).maxNumberOfMessageEvents | default "200" }} + {{- end }} + {{- end }} + {{- if .Values.global.remotePilotAddress }} + {{- if and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod }} + # only primary `istiod` to xds and local `istiod` injection installs. + discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012 + {{- else }} + discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012 + {{- end }} + {{- else }} + discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012 + {{- end }} +{{- end }} + +{{/* We take the mesh config above, defined with individual values.yaml, and merge with .Values.meshConfig */}} +{{/* The intent here is that meshConfig.foo becomes the API, rather than re-inventing the API in values.yaml */}} +{{- $originalMesh := include "mesh" . | fromYaml }} +{{- $mesh := mergeOverwrite $originalMesh .Values.meshConfig }} + +{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} +{{- if .Values.configMap }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +data: + + # Configuration file for the mesh networks to be used by the Split Horizon EDS. + meshNetworks: |- + {{- if .Values.global.meshNetworks }} + networks: +{{ toYaml .Values.global.meshNetworks | trim | indent 6 }} + {{- else }} + networks: {} + {{- end }} + + mesh: |- +{{- if .Values.meshConfig }} +{{ $mesh | toYaml | indent 4 }} +{{- else }} +{{- include "mesh" . }} +{{- end }} +--- +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/deployment.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/deployment.yaml new file mode 100644 index 0000000000..15107e745c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/deployment.yaml @@ -0,0 +1,314 @@ +{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} +# Not created if istiod is running remotely +{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + istio: pilot + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +{{- range $key, $val := .Values.deploymentLabels }} + {{ $key }}: "{{ $val }}" +{{- end }} + {{- if .Values.deploymentAnnotations }} + annotations: +{{ toYaml .Values.deploymentAnnotations | indent 4 }} + {{- end }} +spec: +{{- if not .Values.autoscaleEnabled }} +{{- if .Values.replicaCount }} + replicas: {{ .Values.replicaCount }} +{{- end }} +{{- end }} + strategy: + rollingUpdate: + maxSurge: {{ .Values.rollingMaxSurge }} + maxUnavailable: {{ .Values.rollingMaxUnavailable }} + selector: + matchLabels: + {{- if ne .Values.revision "" }} + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + {{- else }} + istio: pilot + {{- end }} + template: + metadata: + labels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + sidecar.istio.io/inject: "false" + operator.istio.io/component: "Pilot" + {{- if ne .Values.revision "" }} + istio: istiod + {{- else }} + istio: pilot + {{- end }} + {{- range $key, $val := .Values.podLabels }} + {{ $key }}: "{{ $val }}" + {{- end }} + istio.io/dataplane-mode: none + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 8 }} + annotations: + prometheus.io/port: "15014" + prometheus.io/scrape: "true" + sidecar.istio.io/inject: "false" + {{- if .Values.podAnnotations }} +{{ toYaml .Values.podAnnotations | indent 8 }} + {{- end }} + spec: +{{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 8 }} +{{- end }} +{{- with .Values.affinity }} + affinity: +{{- toYaml . | nindent 8 }} +{{- end }} + tolerations: + - key: cni.istio.io/not-ready + operator: "Exists" +{{- with .Values.tolerations }} +{{- toYaml . | nindent 8 }} +{{- end }} +{{- with .Values.topologySpreadConstraints }} + topologySpreadConstraints: +{{- toYaml . | nindent 8 }} +{{- end }} + serviceAccountName: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} +{{- if .Values.global.priorityClassName }} + priorityClassName: "{{ .Values.global.priorityClassName }}" +{{- end }} +{{- with .Values.initContainers }} + initContainers: + {{- tpl (toYaml .) $ | nindent 8 }} +{{- end }} + containers: + - name: discovery +{{- if contains "/" .Values.image }} + image: "{{ .Values.image }}" +{{- else }} + image: "{{ .Values.hub | default .Values.global.hub }}/{{ .Values.image | default "pilot" }}:{{ .Values.tag | default .Values.global.tag }}{{with (.Values.variant | default .Values.global.variant)}}-{{.}}{{end}}" +{{- end }} +{{- if .Values.global.imagePullPolicy }} + imagePullPolicy: {{ .Values.global.imagePullPolicy }} +{{- end }} + args: + - "discovery" + - --monitoringAddr=:15014 +{{- if .Values.global.logging.level }} + - --log_output_level={{ .Values.global.logging.level }} +{{- end}} +{{- if .Values.global.logAsJson }} + - --log_as_json +{{- end }} + - --domain + - {{ .Values.global.proxy.clusterDomain }} +{{- if .Values.taint.namespace }} + - --cniNamespace={{ .Values.taint.namespace }} +{{- end }} + - --keepaliveMaxServerConnectionAge + - "{{ .Values.keepaliveMaxServerConnectionAge }}" +{{- if .Values.extraContainerArgs }} + {{- with .Values.extraContainerArgs }} + {{- toYaml . | nindent 10 }} + {{- end }} +{{- end }} + ports: + - containerPort: 8080 + protocol: TCP + name: http-debug + - containerPort: 15010 + protocol: TCP + name: grpc-xds + - containerPort: 15012 + protocol: TCP + name: tls-xds + - containerPort: 15017 + protocol: TCP + name: https-webhooks + - containerPort: 15014 + protocol: TCP + name: http-monitoring + readinessProbe: + httpGet: + path: /ready + port: 8080 + initialDelaySeconds: 1 + periodSeconds: 3 + timeoutSeconds: 5 + env: + - name: REVISION + value: "{{ .Values.revision | default `default` }}" + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.serviceAccountName + - name: KUBECONFIG + value: /var/run/secrets/remote/config + # If you explicitly told us where ztunnel lives, use that. + # Otherwise, assume it lives in our namespace + # Also, check for an explicit ENV override (legacy approach) and prefer that + # if present + {{ $ztTrustedNS := or .Values.trustedZtunnelNamespace .Release.Namespace }} + {{ $ztTrustedName := or .Values.trustedZtunnelName "ztunnel" }} + {{- if not .Values.env.CA_TRUSTED_NODE_ACCOUNTS }} + - name: CA_TRUSTED_NODE_ACCOUNTS + value: "{{ $ztTrustedNS }}/{{ $ztTrustedName }}" + {{- end }} + {{- if .Values.env }} + {{- range $key, $val := .Values.env }} + - name: {{ $key }} + value: "{{ $val }}" + {{- end }} + {{- end }} + {{- with .Values.envVarFrom }} + {{- toYaml . | nindent 10 }} + {{- end }} +{{- if .Values.traceSampling }} + - name: PILOT_TRACE_SAMPLING + value: "{{ .Values.traceSampling }}" +{{- end }} +# If externalIstiod is set via Values.Global, then enable the pilot env variable. However, if it's set via Values.pilot.env, then +# don't set it here to avoid duplication. +# TODO (nshankar13): Move from Helm chart to code: https://github.com/istio/istio/issues/52449 +{{- if and .Values.global.externalIstiod (not (and .Values.env .Values.env.EXTERNAL_ISTIOD)) }} + - name: EXTERNAL_ISTIOD + value: "{{ .Values.global.externalIstiod }}" +{{- end }} +{{- if .Values.global.trustBundleName }} + - name: PILOT_CA_CERT_CONFIGMAP + value: "{{ .Values.global.trustBundleName }}" +{{- end }} + - name: PILOT_ENABLE_ANALYSIS + value: "{{ .Values.global.istiod.enableAnalysis }}" + - name: CLUSTER_ID + value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}" + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + divisor: "1" + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + divisor: "1" + - name: PLATFORM + value: "{{ coalesce .Values.global.platform .Values.platform }}" + resources: +{{- if .Values.resources }} +{{ toYaml .Values.resources | trim | indent 12 }} +{{- else }} +{{ toYaml .Values.global.defaultResources | trim | indent 12 }} +{{- end }} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL +{{- if .Values.seccompProfile }} + seccompProfile: +{{ toYaml .Values.seccompProfile | trim | indent 14 }} +{{- end }} + volumeMounts: + - name: istio-token + mountPath: /var/run/secrets/tokens + readOnly: true + - name: local-certs + mountPath: /var/run/secrets/istio-dns + - name: cacerts + mountPath: /etc/cacerts + readOnly: true + - name: istio-kubeconfig + mountPath: /var/run/secrets/remote + readOnly: true + {{- if .Values.jwksResolverExtraRootCA }} + - name: extracacerts + mountPath: /cacerts + {{- end }} + - name: istio-csr-dns-cert + mountPath: /var/run/secrets/istiod/tls + readOnly: true + - name: istio-csr-ca-configmap + mountPath: /var/run/secrets/istiod/ca + readOnly: true + {{- with .Values.volumeMounts }} + {{- toYaml . | nindent 10 }} + {{- end }} + volumes: + # Technically not needed on this pod - but it helps debugging/testing SDS + # Should be removed after everything works. + - emptyDir: + medium: Memory + name: local-certs + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: {{ .Values.global.sds.token.aud }} + expirationSeconds: 43200 + path: istio-token + # Optional: user-generated root + - name: cacerts + secret: + secretName: cacerts + optional: true + - name: istio-kubeconfig + secret: + secretName: istio-kubeconfig + optional: true + # Optional: istio-csr dns pilot certs + - name: istio-csr-dns-cert + secret: + secretName: istiod-tls + optional: true + - name: istio-csr-ca-configmap + {{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} + path: root-cert.pem + optional: true + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + defaultMode: 420 + optional: true + {{- end }} + {{- if .Values.jwksResolverExtraRootCA }} + - name: extracacerts + configMap: + name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- end }} + {{- with .Values.volumes }} + {{- toYaml . | nindent 6}} + {{- end }} + +--- +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/gateway-class-configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/gateway-class-configmap.yaml new file mode 100644 index 0000000000..9f7cdb01da --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/gateway-class-configmap.yaml @@ -0,0 +1,22 @@ +{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} +{{ range $key, $value := .Values.gatewayClasses }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-{{ $.Values.revision | default "default" }}-gatewayclass-{{$key}} + namespace: {{ $.Release.Namespace }} + labels: + istio.io/rev: {{ $.Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + release: {{ $.Release.Name }} + app.kubernetes.io/name: "istiod" + gateway.istio.io/defaults-for-class: {{$key|quote}} + {{- include "istio.labels" $ | nindent 4 }} +data: +{{ range $kind, $overlay := $value }} + {{$kind}}: | +{{$overlay|toYaml|trim|indent 4}} +{{ end }} +--- +{{ end }} +{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/istiod-injector-configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/istiod-injector-configmap.yaml new file mode 100644 index 0000000000..a5a6cf9ae8 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/istiod-injector-configmap.yaml @@ -0,0 +1,83 @@ +{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} +{{- if not .Values.global.omitSidecarInjectorConfigMap }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +data: +{{/* Scope the values to just top level fields used in the template, to reduce the size. */}} + values: |- +{{ $vals := pick .Values "global" "sidecarInjectorWebhook" "revision" -}} +{{ $pilotVals := pick .Values "cni" "env" -}} +{{ $vals = set $vals "pilot" $pilotVals -}} +{{ $gatewayVals := pick .Values.gateways "securityContext" "seccompProfile" -}} +{{ $vals = set $vals "gateways" $gatewayVals -}} +{{ $vals | toPrettyJson | indent 4 }} + + # To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching + # and istiod webhook functionality. + # + # New fields should not use Values - it is a 'primary' config object, users should be able + # to fine tune it or use it with kube-inject. + config: |- + # defaultTemplates defines the default template to use for pods that do not explicitly specify a template + {{- if .Values.sidecarInjectorWebhook.defaultTemplates }} + defaultTemplates: +{{- range .Values.sidecarInjectorWebhook.defaultTemplates}} + - {{ . }} +{{- end }} + {{- else }} + defaultTemplates: [sidecar] + {{- end }} + policy: {{ .Values.global.proxy.autoInject }} + alwaysInjectSelector: +{{ toYaml .Values.sidecarInjectorWebhook.alwaysInjectSelector | trim | indent 6 }} + neverInjectSelector: +{{ toYaml .Values.sidecarInjectorWebhook.neverInjectSelector | trim | indent 6 }} + injectedAnnotations: + {{- range $key, $val := .Values.sidecarInjectorWebhook.injectedAnnotations }} + "{{ $key }}": {{ $val | quote }} + {{- end }} + {{- /* If someone ends up with this new template, but an older Istiod image, they will attempt to render this template + which will fail with "Pod injection failed: template: inject:1: function "Istio_1_9_Required_Template_And_Version_Mismatched" not defined". + This should make it obvious that their installation is broken. + */}} + template: {{ `{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}` | quote }} + templates: +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "sidecar") }} + sidecar: | +{{ .Files.Get "files/injection-template.yaml" | trim | indent 8 }} +{{- end }} +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "gateway") }} + gateway: | +{{ .Files.Get "files/gateway-injection-template.yaml" | trim | indent 8 }} +{{- end }} +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-simple") }} + grpc-simple: | +{{ .Files.Get "files/grpc-simple.yaml" | trim | indent 8 }} +{{- end }} +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-agent") }} + grpc-agent: | +{{ .Files.Get "files/grpc-agent.yaml" | trim | indent 8 }} +{{- end }} +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "waypoint") }} + waypoint: | +{{ .Files.Get "files/waypoint.yaml" | trim | indent 8 }} +{{- end }} +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "kube-gateway") }} + kube-gateway: | +{{ .Files.Get "files/kube-gateway.yaml" | trim | indent 8 }} +{{- end }} +{{- with .Values.sidecarInjectorWebhook.templates }} +{{ toYaml . | trim | indent 6 }} +{{- end }} + +{{- end }} +{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/mutatingwebhook.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/mutatingwebhook.yaml new file mode 100644 index 0000000000..26a6c8f00d --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/mutatingwebhook.yaml @@ -0,0 +1,167 @@ +# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that. +{{- /* Core defines the common configuration used by all webhook segments */}} +{{/* Copy just what we need to avoid expensive deepCopy */}} +{{- $whv := dict +"revision" .Values.revision + "injectionPath" .Values.istiodRemote.injectionPath + "injectionURL" .Values.istiodRemote.injectionURL + "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy + "caBundle" .Values.istiodRemote.injectionCABundle + "namespace" .Release.Namespace }} +{{- define "core" }} +{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign +a unique prefix to each. */}} +- name: {{.Prefix}}sidecar-injector.istio.io + clientConfig: + {{- if .injectionURL }} + url: "{{ .injectionURL }}" + {{- else }} + service: + name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} + namespace: {{ .namespace }} + path: "{{ .injectionPath }}" + port: 443 + {{- end }} + {{- if .caBundle }} + caBundle: "{{ .caBundle }}" + {{- end }} + sideEffects: None + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + reinvocationPolicy: "{{ .reinvocationPolicy }}" + admissionReviewVersions: ["v1"] +{{- end }} + +{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} +{{- /* Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) */}} +{{- if not .Values.global.operatorManageWebhooks }} +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: +{{- if eq .Release.Namespace "istio-system"}} + name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} +{{- else }} + name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} +{{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app: sidecar-injector + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +{{- if $.Values.sidecarInjectorWebhookAnnotations }} + annotations: +{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }} +{{- end }} +webhooks: +{{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}} + +{{- /* Case 1: namespace selector matches, and object doesn't disable */}} +{{- /* Note: if both revision and legacy selector, we give precedence to the legacy one */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + {{- if (eq .Values.revision "") }} + - "default" + {{- else }} + - "{{ .Values.revision }}" + {{- end }} + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + +{{- /* Case 2: No namespace selector, but object selects our revision (and doesn't disable) */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: DoesNotExist + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + - key: istio.io/rev + operator: In + values: + {{- if (eq .Values.revision "") }} + - "default" + {{- else }} + - "{{ .Values.revision }}" + {{- end }} + + +{{- /* Webhooks for default revision */}} +{{- if (eq .Values.revision "") }} + +{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: In + values: + - enabled + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + +{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: In + values: + - "true" + - key: istio.io/rev + operator: DoesNotExist + +{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }} +{{- /* Special case 3: no labels at all */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + - key: "kubernetes.io/metadata.name" + operator: "NotIn" + values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist +{{- end }} + +{{- end }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/networkpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/networkpolicy.yaml new file mode 100644 index 0000000000..e844d5e5de --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/networkpolicy.yaml @@ -0,0 +1,47 @@ +{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} +{{- if (.Values.global.networkPolicy).enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + istio: pilot + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + policyTypes: + - Ingress + - Egress + ingress: + # Webhook from kube-apiserver + - from: [] + ports: + - protocol: TCP + port: 15017 + # xDS from potentially anywhere + - from: [] + ports: + - protocol: TCP + port: 15010 + - protocol: TCP + port: 15011 + - protocol: TCP + port: 15012 + - protocol: TCP + port: 8080 + - protocol: TCP + port: 15014 + # Allow all egress (needed because features like JWKS require connections to user-defined endpoints) + egress: + - {} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/poddisruptionbudget.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/poddisruptionbudget.yaml new file mode 100644 index 0000000000..c8c55822f6 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/poddisruptionbudget.yaml @@ -0,0 +1,41 @@ +{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} +# Not created if istiod is running remotely +{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} +{{- if .Values.global.defaultPodDisruptionBudget.enabled }} +# a workaround for https://github.com/kubernetes/kubernetes/issues/93476 +{{- if or (and .Values.autoscaleEnabled (gt (int .Values.autoscaleMin) 1)) (and (not .Values.autoscaleEnabled) (gt (int .Values.replicaCount) 1)) }} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + release: {{ .Release.Name }} + istio: pilot + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +spec: + {{- if and .Values.pdb.minAvailable (not (hasKey .Values.pdb "maxUnavailable")) }} + minAvailable: {{ .Values.pdb.minAvailable }} + {{- else if .Values.pdb.maxUnavailable }} + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + {{- end }} + {{- if .Values.pdb.unhealthyPodEvictionPolicy }} + unhealthyPodEvictionPolicy: {{ .Values.pdb.unhealthyPodEvictionPolicy }} + {{- end }} + selector: + matchLabels: + app: istiod + {{- if ne .Values.revision "" }} + istio.io/rev: {{ .Values.revision | quote }} + {{- else }} + istio: pilot + {{- end }} +--- +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/reader-clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/reader-clusterrole.yaml new file mode 100644 index 0000000000..e0b0ff42a4 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/reader-clusterrole.yaml @@ -0,0 +1,65 @@ +# Created if cluster resources are not omitted +{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} +{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istio-reader + release: {{ .Release.Name }} + app.kubernetes.io/name: "istio-reader" + {{- include "istio.labels" . | nindent 4 }} +rules: + - apiGroups: + - "config.istio.io" + - "security.istio.io" + - "networking.istio.io" + - "authentication.istio.io" + - "rbac.istio.io" + - "telemetry.istio.io" + - "extensions.istio.io" + resources: ["*"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"] + verbs: ["get", "list", "watch"] + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list" ] + resources: [ "workloadentries" ] + - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] + resources: ["gateways"] + verbs: ["get", "watch", "list"] + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch"] + - apiGroups: ["discovery.k8s.io"] + resources: ["endpointslices"] + verbs: ["get", "list", "watch"] + - apiGroups: ["{{ $mcsAPIGroup }}"] + resources: ["serviceexports"] + verbs: ["get", "list", "watch", "create", "delete"] + - apiGroups: ["{{ $mcsAPIGroup }}"] + resources: ["serviceimports"] + verbs: ["get", "list", "watch"] + - apiGroups: ["apps"] + resources: ["replicasets"] + verbs: ["get", "list", "watch"] + - apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] + - apiGroups: ["authorization.k8s.io"] + resources: ["subjectaccessreviews"] + verbs: ["create"] +{{- if .Values.istiodRemote.enabled }} + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["create", "get", "list", "watch", "update"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update"] +{{- end}} +{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/reader-clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/reader-clusterrolebinding.yaml new file mode 100644 index 0000000000..624f00dce6 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/reader-clusterrolebinding.yaml @@ -0,0 +1,20 @@ +# Created if cluster resources are not omitted +{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istio-reader + release: {{ .Release.Name }} + app.kubernetes.io/name: "istio-reader" + {{- include "istio.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} +subjects: + - kind: ServiceAccount + name: istio-reader-service-account + namespace: {{ .Values.global.istioNamespace }} +{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/remote-istiod-endpointslices.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/remote-istiod-endpointslices.yaml new file mode 100644 index 0000000000..e2f4ff03b6 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/remote-istiod-endpointslices.yaml @@ -0,0 +1,42 @@ +{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} +{{- if and .Values.global.remotePilotAddress .Values.istiodRemote.enabled }} +# if the remotePilotAddress is an IP addr +{{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }} +apiVersion: discovery.k8s.io/v1 +kind: EndpointSlice +metadata: + {{- if .Values.istiodRemote.enabledLocalInjectorIstiod }} + # This file is only used for remote `istiod` installs. + # only primary `istiod` to xds and local `istiod` injection installs. + name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote + {{- else }} + name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }} + {{- end }} + namespace: {{ .Release.Namespace }} + labels: + {{- if .Values.istiodRemote.enabledLocalInjectorIstiod }} + # only primary `istiod` to xds and local `istiod` injection installs. + kubernetes.io/service-name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote + {{- else }} + kubernetes.io/service-name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }} + {{- end }} + {{- if .Release.Service }} + endpointslice.kubernetes.io/managed-by: {{ .Release.Service | quote }} + {{- end }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +addressType: IPv4 +endpoints: +- addresses: + - {{ .Values.global.remotePilotAddress }} +ports: +- port: 15012 + name: tcp-istiod + protocol: TCP +- port: 15017 + name: tcp-webhook + protocol: TCP +--- +{{- end }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/remote-istiod-service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/remote-istiod-service.yaml new file mode 100644 index 0000000000..ab14497bac --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/remote-istiod-service.yaml @@ -0,0 +1,43 @@ +{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} +# This file is only used for remote +{{- if and .Values.global.remotePilotAddress .Values.istiodRemote.enabled }} +apiVersion: v1 +kind: Service +metadata: + {{- if .Values.istiodRemote.enabledLocalInjectorIstiod }} + # only primary `istiod` to xds and local `istiod` injection installs. + name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote + {{- else }} + name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }} + {{- end }} + namespace: {{ .Release.Namespace }} + labels: + istio.io/rev: {{ .Values.revision | default "default" | quote }} + app.kubernetes.io/name: "istiod" + {{ include "istio.labels" . | nindent 4 }} +spec: + ports: + - port: 15012 + name: tcp-istiod + protocol: TCP + - port: 443 + targetPort: 15017 + name: tcp-webhook + protocol: TCP + {{- if and .Values.global.remotePilotAddress (not (regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress)) }} + # if the remotePilotAddress is not an IP addr, we use ExternalName + type: ExternalName + externalName: {{ .Values.global.remotePilotAddress }} + {{- end }} +{{- if .Values.global.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.global.ipFamilyPolicy }} +{{- end }} +{{- if .Values.global.ipFamilies }} + ipFamilies: +{{- range .Values.global.ipFamilies }} + - {{ . }} +{{- end }} +{{- end }} +--- +{{- end }} +{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/revision-tags-mwc.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/revision-tags-mwc.yaml new file mode 100644 index 0000000000..556bb2f1e9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/revision-tags-mwc.yaml @@ -0,0 +1,154 @@ +# Adapted from istio-discovery/templates/mutatingwebhook.yaml +# Removed paths for legacy and default selectors since a revision tag +# is inherently created from a specific revision +# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that. +{{- $whv := dict +"revision" .Values.revision + "injectionPath" .Values.istiodRemote.injectionPath + "injectionURL" .Values.istiodRemote.injectionURL + "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy + "caBundle" .Values.istiodRemote.injectionCABundle + "namespace" .Release.Namespace }} +{{- define "core" }} +{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign +a unique prefix to each. */}} +- name: {{.Prefix}}sidecar-injector.istio.io + clientConfig: + {{- if .injectionURL }} + url: "{{ .injectionURL }}" + {{- else }} + service: + name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} + namespace: {{ .namespace }} + path: "{{ .injectionPath }}" + port: 443 + {{- end }} + sideEffects: None + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + reinvocationPolicy: "{{ .reinvocationPolicy }}" + admissionReviewVersions: ["v1"] +{{- end }} + +{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} +{{- if not .Values.global.operatorManageWebhooks }} +{{- range $tagName := $.Values.revisionTags }} +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: +{{- if eq $.Release.Namespace "istio-system"}} + name: istio-revision-tag-{{ $tagName }} +{{- else }} + name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }} +{{- end }} + labels: + istio.io/tag: {{ $tagName }} + istio.io/rev: {{ $.Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app: sidecar-injector + release: {{ $.Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" $ | nindent 4 }} +{{- if $.Values.sidecarInjectorWebhookAnnotations }} + annotations: +{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }} +{{- end }} +webhooks: +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + - "{{ $tagName }}" + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: DoesNotExist + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + - key: istio.io/rev + operator: In + values: + - "{{ $tagName }}" + +{{- /* When the tag is "default" we want to create webhooks for the default revision */}} +{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}} +{{- if (eq $tagName "default") }} + +{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: In + values: + - enabled + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + +{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: In + values: + - "true" + - key: istio.io/rev + operator: DoesNotExist + +{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }} +{{- /* Special case 3: no labels at all */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + - key: "kubernetes.io/metadata.name" + operator: "NotIn" + values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist +{{- end }} + +{{- end }} +--- +{{- end }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/revision-tags-svc.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/revision-tags-svc.yaml new file mode 100644 index 0000000000..5c4826d23e --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/revision-tags-svc.yaml @@ -0,0 +1,57 @@ +{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} +# Adapted from istio-discovery/templates/service.yaml +{{- range $tagName := .Values.revisionTags }} +apiVersion: v1 +kind: Service +metadata: + name: istiod-revision-tag-{{ $tagName }} + namespace: {{ $.Release.Namespace }} + {{- if $.Values.serviceAnnotations }} + annotations: +{{ toYaml $.Values.serviceAnnotations | indent 4 }} + {{- end }} + labels: + istio.io/rev: {{ $.Values.revision | default "default" | quote }} + istio.io/tag: {{ $tagName }} + operator.istio.io/component: "Pilot" + app: istiod + istio: pilot + release: {{ $.Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" $ | nindent 4 }} +spec: + ports: + - port: 15010 + name: grpc-xds # plaintext + protocol: TCP + - port: 15012 + name: https-dns # mTLS with k8s-signed cert + protocol: TCP + - port: 443 + name: https-webhook # validation and injection + targetPort: 15017 + protocol: TCP + - port: 15014 + name: http-monitoring # prometheus stats + protocol: TCP + selector: + app: istiod + {{- if ne $.Values.revision "" }} + istio.io/rev: {{ $.Values.revision | quote }} + {{- else }} + # Label used by the 'default' service. For versioned deployments we match with app and version. + # This avoids default deployment picking the canary + istio: pilot + {{- end }} + {{- if $.Values.ipFamilyPolicy }} + ipFamilyPolicy: {{ $.Values.ipFamilyPolicy }} + {{- end }} + {{- if $.Values.ipFamilies }} + ipFamilies: + {{- range $.Values.ipFamilies }} + - {{ . }} + {{- end }} + {{- end }} +--- +{{- end -}} +{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/role.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/role.yaml new file mode 100644 index 0000000000..8abe608b66 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/role.yaml @@ -0,0 +1,37 @@ +{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +rules: +# permissions to verify the webhook is ready and rejecting +# invalid config. We use --server-dry-run so no config is persisted. +- apiGroups: ["networking.istio.io"] + verbs: ["create"] + resources: ["gateways"] + +# For storing CA secret +- apiGroups: [""] + resources: ["secrets"] + # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config + verbs: ["create", "get", "watch", "list", "update", "delete"] + +# For status controller, so it can delete the distribution report configmap +- apiGroups: [""] + resources: ["configmaps"] + verbs: ["delete"] + +# For gateway deployment controller +- apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "update", "patch", "create"] +{{- end }} +{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/rolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/rolebinding.yaml new file mode 100644 index 0000000000..731964f04d --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/rolebinding.yaml @@ -0,0 +1,23 @@ +{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} +subjects: + - kind: ServiceAccount + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/service.yaml new file mode 100644 index 0000000000..c3aade8a49 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/service.yaml @@ -0,0 +1,59 @@ +{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} +# Not created if istiod is running remotely +{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} +apiVersion: v1 +kind: Service +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + {{- if .Values.serviceAnnotations }} + annotations: +{{ toYaml .Values.serviceAnnotations | indent 4 }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app: istiod + istio: pilot + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +spec: + ports: + - port: 15010 + name: grpc-xds # plaintext + protocol: TCP + - port: 15012 + name: https-dns # mTLS with k8s-signed cert + protocol: TCP + - port: 443 + name: https-webhook # validation and injection + targetPort: 15017 + protocol: TCP + - port: 15014 + name: http-monitoring # prometheus stats + protocol: TCP + selector: + app: istiod + {{- if ne .Values.revision "" }} + istio.io/rev: {{ .Values.revision | quote }} + {{- else }} + # Label used by the 'default' service. For versioned deployments we match with app and version. + # This avoids default deployment picking the canary + istio: pilot + {{- end }} + {{- if .Values.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.ipFamilyPolicy }} + {{- end }} + {{- if .Values.ipFamilies }} + ipFamilies: + {{- range .Values.ipFamilies }} + - {{ . }} + {{- end }} + {{- end }} + {{- if .Values.trafficDistribution }} + trafficDistribution: {{ .Values.trafficDistribution }} + {{- end }} +--- +{{- end }} +{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/serviceaccount.yaml new file mode 100644 index 0000000000..ee40eedf81 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/serviceaccount.yaml @@ -0,0 +1,26 @@ +{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} +apiVersion: v1 +kind: ServiceAccount + {{- if .Values.global.imagePullSecrets }} +imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} + {{- if .Values.serviceAccountAnnotations }} + annotations: +{{- toYaml .Values.serviceAccountAnnotations | nindent 4 }} + {{- end }} +{{- end }} +--- +{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/validatingadmissionpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/validatingadmissionpolicy.yaml new file mode 100644 index 0000000000..838d9fbaf7 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/validatingadmissionpolicy.yaml @@ -0,0 +1,65 @@ +{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} +{{- if .Values.experimental.stableValidationPolicy }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicy +metadata: + name: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" + labels: + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +spec: + failurePolicy: Fail + matchConstraints: + resourceRules: + - apiGroups: + - security.istio.io + - networking.istio.io + - telemetry.istio.io + - extensions.istio.io + apiVersions: ["*"] + operations: ["CREATE", "UPDATE"] + resources: ["*"] + objectSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + {{- if (eq .Values.revision "") }} + - "default" + {{- else }} + - "{{ .Values.revision }}" + {{- end }} + variables: + - name: isEnvoyFilter + expression: "object.kind == 'EnvoyFilter'" + - name: isWasmPlugin + expression: "object.kind == 'WasmPlugin'" + - name: isProxyConfig + expression: "object.kind == 'ProxyConfig'" + - name: isTelemetry + expression: "object.kind == 'Telemetry'" + validations: + - expression: "!variables.isEnvoyFilter" + - expression: "!variables.isWasmPlugin" + - expression: "!variables.isProxyConfig" + - expression: | + !( + variables.isTelemetry && ( + (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) || + (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) || + (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter)) + ) + ) +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicyBinding +metadata: + name: "stable-channel-policy-binding{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" +spec: + policyName: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" + validationActions: [Deny] +{{- end }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/validatingwebhookconfiguration.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/validatingwebhookconfiguration.yaml new file mode 100644 index 0000000000..6903b29b50 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/validatingwebhookconfiguration.yaml @@ -0,0 +1,70 @@ +{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} +{{- if .Values.global.configValidation }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: istio-validator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} + istio: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +webhooks: + # Webhook handling per-revision validation. Mostly here so we can determine whether webhooks + # are rejecting invalid configs on a per-revision basis. + - name: rev.validation.istio.io + clientConfig: + # Should change from base but cannot for API compat + {{- if .Values.base.validationURL }} + url: {{ .Values.base.validationURL }} + {{- else }} + service: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} + path: "/validate" + {{- end }} + {{- if .Values.base.validationCABundle }} + caBundle: "{{ .Values.base.validationCABundle }}" + {{- end }} + rules: + - operations: + - CREATE + - UPDATE + apiGroups: + - security.istio.io + - networking.istio.io + - telemetry.istio.io + - extensions.istio.io + apiVersions: + - "*" + resources: + - "*" + {{- if .Values.base.validationCABundle }} + # Disable webhook controller in Pilot to stop patching it + failurePolicy: Fail + {{- else }} + # Fail open until the validation webhook is ready. The webhook controller + # will update this to `Fail` and patch in the `caBundle` when the webhook + # endpoint is ready. + failurePolicy: Ignore + {{- end }} + sideEffects: None + admissionReviewVersions: ["v1"] + objectSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + {{- if (eq .Values.revision "") }} + - "default" + {{- else }} + - "{{ .Values.revision }}" + {{- end }} +--- +{{- end }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/zzy_descope_legacy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/zzy_descope_legacy.yaml new file mode 100644 index 0000000000..73202418ca --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/zzy_descope_legacy.yaml @@ -0,0 +1,3 @@ +{{/* Copy anything under `.pilot` to `.`, to avoid the need to specify a redundant prefix. +Due to the file naming, this always happens after zzz_profile.yaml */}} +{{- $_ := mustMergeOverwrite $.Values (index $.Values "pilot") }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/zzz_profile.yaml new file mode 100644 index 0000000000..3d84956485 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/templates/zzz_profile.yaml @@ -0,0 +1,75 @@ +{{/* +WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. +The original version of this file is located at /manifests directory. +If you want to make a change in this file, edit the original one and run "make gen". + +Complex logic ahead... +We have three sets of values, in order of precedence (last wins): +1. The builtin values.yaml defaults +2. The profile the user selects +3. Users input (-f or --set) + +Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). + +However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). +We can then merge the profile onto the defaults, then the user settings onto that. +Finally, we can set all of that under .Values so the chart behaves without awareness. +*/}} +{{- if $.Values.defaults}} +{{ fail (cat + "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" + ($.Values.defaults | toYaml |nindent 4) +) }} +{{- end }} +{{- $defaults := $.Values._internal_defaults_do_not_set }} +{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} +{{- $profile := dict }} +{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} +{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} +{{- $profile = (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown profile" .) }} +{{- end }} +{{- end }} +{{- with .Values.compatibilityVersion }} +{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} +{{- end }} +{{- end }} +{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} +{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown platform" .) }} +{{- end }} +{{- end }} +{{- if $profile }} +{{- $a := mustMergeOverwrite $defaults $profile }} +{{- end }} +# Flatten globals, if defined on a per-chart basis +{{- if false }} +{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} +{{- end }} +{{- $x := set $.Values "_original" (deepCopy $.Values) }} +{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} + +{{/* +Labels that should be applied to ALL resources. +*/}} +{{- define "istio.labels" -}} +{{- if .Release.Service -}} +app.kubernetes.io/managed-by: {{ .Release.Service | quote }} +{{- end }} +{{- if .Release.Name }} +app.kubernetes.io/instance: {{ .Release.Name | quote }} +{{- end }} +app.kubernetes.io/part-of: "istio" +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +{{- if and .Chart.Name .Chart.Version }} +helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/values.yaml new file mode 100644 index 0000000000..691fd7d7ae --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/istiod/values.yaml @@ -0,0 +1,583 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + autoscaleEnabled: true + autoscaleMin: 1 + autoscaleMax: 5 + autoscaleBehavior: {} + replicaCount: 1 + rollingMaxSurge: 100% + rollingMaxUnavailable: 25% + + hub: "" + tag: "" + variant: "" + + # Can be a full hub/image:tag + image: pilot + traceSampling: 1.0 + + # Resources for a small pilot install + resources: + requests: + cpu: 500m + memory: 2048Mi + + # Set to `type: RuntimeDefault` to use the default profile if available. + seccompProfile: {} + + # Whether to use an existing CNI installation + cni: + enabled: false + provider: default + + # Additional container arguments + extraContainerArgs: [] + + env: {} + + envVarFrom: [] + + # Settings related to the untaint controller + # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready + # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes + taint: + # Controls whether or not the untaint controller is active + enabled: false + # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod + namespace: "" + + affinity: {} + + tolerations: [] + + cpu: + targetAverageUtilization: 80 + memory: {} + # targetAverageUtilization: 80 + + # Additional volumeMounts to the istiod container + volumeMounts: [] + + # Additional volumes to the istiod pod + volumes: [] + + # Inject initContainers into the istiod pod + initContainers: [] + + nodeSelector: {} + podAnnotations: {} + serviceAnnotations: {} + serviceAccountAnnotations: {} + sidecarInjectorWebhookAnnotations: {} + + topologySpreadConstraints: [] + + # You can use jwksResolverExtraRootCA to provide a root certificate + # in PEM format. This will then be trusted by pilot when resolving + # JWKS URIs. + jwksResolverExtraRootCA: "" + + # The following is used to limit how long a sidecar can be connected + # to a pilot. It balances out load across pilot instances at the cost of + # increasing system churn. + keepaliveMaxServerConnectionAge: 30m + + # Additional labels to apply to the deployment. + deploymentLabels: {} + + # Annotations to apply to the istiod deployment. + deploymentAnnotations: {} + + ## Mesh config settings + + # Install the mesh config map, generated from values.yaml. + # If false, pilot wil use default values (by default) or user-supplied values. + configMap: true + + # Additional labels to apply on the pod level for monitoring and logging configuration. + podLabels: {} + + # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + ipFamilyPolicy: "" + ipFamilies: [] + + # Ambient mode only. + # Set this if you install ztunnel to a different namespace from `istiod`. + # If set, `istiod` will allow connections from trusted node proxy ztunnels + # in the provided namespace. + # If unset, `istiod` will assume the trusted node proxy ztunnel resides + # in the same namespace as itself. + trustedZtunnelNamespace: "" + # Set this if you install ztunnel with a name different from the default. + trustedZtunnelName: "" + + sidecarInjectorWebhook: + # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or + # always skip the injection on pods that match that label selector, regardless of the global policy. + # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions + neverInjectSelector: [] + alwaysInjectSelector: [] + + # injectedAnnotations are additional annotations that will be added to the pod spec after injection + # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations: + # + # annotations: + # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default + # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default + # + # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before + # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify: + # injectedAnnotations: + # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default + # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default + injectedAnnotations: {} + + # This enables injection of sidecar in all namespaces, + # with the exception of namespaces with "istio-injection:disabled" annotation + # Only one environment should have this enabled. + enableNamespacesByDefault: false + + # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run + # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten. + # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur. + reinvocationPolicy: Never + + rewriteAppHTTPProbe: true + + # Templates defines a set of custom injection templates that can be used. For example, defining: + # + # templates: + # hello: | + # metadata: + # labels: + # hello: world + # + # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod + # being injected with the hello=world labels. + # This is intended for advanced configuration only; most users should use the built in template + templates: {} + + # Default templates specifies a set of default templates that are used in sidecar injection. + # By default, a template `sidecar` is always provided, which contains the template of default sidecar. + # To inject other additional templates, define it using the `templates` option, and add it to + # the default templates list. + # For example: + # + # templates: + # hello: | + # metadata: + # labels: + # hello: world + # + # defaultTemplates: ["sidecar", "hello"] + defaultTemplates: [] + istiodRemote: + # If `true`, indicates that this cluster/install should consume a "remote istiod" installation, + # and istiod itself will NOT be installed in this cluster - only the support resources necessary + # to utilize a remote instance. + enabled: false + + # If `true`, indicates that this cluster/install should consume a "local istiod" installation, + # local istiod inject sidecars + enabledLocalInjectorIstiod: false + + # Sidecar injector mutating webhook configuration clientConfig.url value. + # For example: https://$remotePilotAddress:15017/inject + # The host should not refer to a service running in the cluster; use a service reference by specifying + # the clientConfig.service field instead. + injectionURL: "" + + # Sidecar injector mutating webhook configuration path value for the clientConfig.service field. + # Override to pass env variables, for example: /inject/cluster/remote/net/network2 + injectionPath: "/inject" + + injectionCABundle: "" + telemetry: + enabled: true + v2: + # For Null VM case now. + # This also enables metadata exchange. + enabled: true + # Indicate if prometheus stats filter is enabled or not + prometheus: + enabled: true + # stackdriver filter settings. + stackdriver: + enabled: false + # Revision is set as 'version' label and part of the resource names when installing multiple control planes. + revision: "" + + # Revision tags are aliases to Istio control plane revisions + revisionTags: [] + + # For Helm compatibility. + ownerName: "" + + # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior + # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options + meshConfig: + enablePrometheusMerge: true + + experimental: + stableValidationPolicy: false + + global: + # Used to locate istiod. + istioNamespace: istio-system + # List of cert-signers to allow "approve" action in the istio cluster role + # + # certSigners: + # - clusterissuers.cert-manager.io/istio-ca + certSigners: [] + # enable pod disruption budget for the control plane, which is used to + # ensure Istio control plane components are gradually upgraded or recovered. + defaultPodDisruptionBudget: + enabled: true + # The values aren't mutable due to a current PodDisruptionBudget limitation + # minAvailable: 1 + + # A minimal set of requested resources to applied to all deployments so that + # Horizontal Pod Autoscaler will be able to function (if set). + # Each component can overwrite these default values by adding its own resources + # block in the relevant section below and setting the desired resources values. + defaultResources: + requests: + cpu: 10m + # memory: 128Mi + # limits: + # cpu: 100m + # memory: 128Mi + + # Default hub for Istio images. + # Releases are published to docker hub under 'istio' project. + # Dev builds from prow are on gcr.io + hub: gcr.io/istio-release + # Default tag for Istio images. + tag: 1.28.4 + # Variant of the image to use. + # Currently supported are: [debug, distroless] + variant: "" + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent. + imagePullPolicy: "" + + # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) + # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + # - private-registry-key + + # Enabled by default in master for maximising testing. + istiod: + enableAnalysis: false + + # To output all istio components logs in json format by adding --log_as_json argument to each container argument + logAsJson: false + + # In order to use native nftable rules instead of iptable rules, set this flag to true. + nativeNftables: false + + # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: + # The control plane has different scopes depending on component, but can configure default log level across all components + # If empty, default scope and level will be used as configured in code + logging: + level: "default:info" + + # When enabled, default NetworkPolicy resources will be created + networkPolicy: + enabled: false + + omitSidecarInjectorConfigMap: false + + # resourceScope controls what resources will be processed by helm. + # This is useful when installing Istio on a cluster where some resources need to be owned by a cluster administrator and some can be owned by the mesh administrator. + # It can be one of: + # - all: all resources are processed + # - cluster: only cluster-scoped resources are processed + # - namespace: only namespace-scoped resources are processed + resourceScope: all + + # Configure whether Operator manages webhook configurations. The current behavior + # of Istiod is to manage its own webhook configurations. + # When this option is set as true, Istio Operator, instead of webhooks, manages the + # webhook configurations. When this option is set as false, webhooks manage their + # own webhook configurations. + operatorManageWebhooks: false + + # Custom DNS config for the pod to resolve names of services in other + # clusters. Use this to add additional search domains, and other settings. + # see + # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config + # This does not apply to gateway pods as they typically need a different + # set of DNS settings than the normal application pods (e.g., in + # multicluster scenarios). + # NOTE: If using templates, follow the pattern in the commented example below. + #podDNSSearchNamespaces: + #- global + #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global" + + # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and + # system-node-critical, it is better to configure this in order to make sure your Istio pods + # will not be killed because of low priority class. + # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + # for more detail. + priorityClassName: "" + + proxy: + image: proxyv2 + + # This controls the 'policy' in the sidecar injector. + autoInject: enabled + + # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value + # cluster domain. Default value is "cluster.local". + clusterDomain: "cluster.local" + + # Per Component log level for proxy, applies to gateways and sidecars. If a component level is + # not set, then the global "logLevel" will be used. + componentLogLevel: "misc:error" + + # istio ingress capture allowlist + # examples: + # Redirect only selected ports: --includeInboundPorts="80,8080" + excludeInboundPorts: "" + includeInboundPorts: "*" + + # istio egress capture allowlist + # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly + # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" + # would only capture egress traffic on those two IP Ranges, all other outbound traffic would + # be allowed by the sidecar + includeIPRanges: "*" + excludeIPRanges: "" + includeOutboundPorts: "" + excludeOutboundPorts: "" + + # Log level for proxy, applies to gateways and sidecars. + # Expected values are: trace|debug|info|warning|error|critical|off + logLevel: warning + + # Specify the path to the outlier event log. + # Example: /dev/stdout + outlierLogPath: "" + + #If set to true, istio-proxy container will have privileged securityContext + privileged: false + + seccompProfile: {} + + # The number of successive failed probes before indicating readiness failure. + readinessFailureThreshold: 4 + + # The initial delay for readiness probes in seconds. + readinessInitialDelaySeconds: 0 + + # The period between readiness probes. + readinessPeriodSeconds: 15 + + # Enables or disables a startup probe. + # For optimal startup times, changing this should be tied to the readiness probe values. + # + # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4. + # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval), + # and doesn't spam the readiness endpoint too much + # + # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30. + # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly. + startupProbe: + enabled: true + failureThreshold: 600 # 10 minutes + + # Resources for the sidecar. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 1024Mi + + # Default port for Pilot agent health checks. A value of 0 will disable health checking. + statusPort: 15020 + + # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none. + # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. + tracer: "none" + + proxy_init: + # Base name for the proxy_init container, used to configure iptables. + image: proxyv2 + # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures. + # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases. + forceApplyIptables: false + + # configure remote pilot and istiod service and endpoint + remotePilotAddress: "" + + ############################################################################################## + # The following values are found in other charts. To effectively modify these values, make # + # make sure they are consistent across your Istio helm charts # + ############################################################################################## + + # The customized CA address to retrieve certificates for the pods in the cluster. + # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. + # If not set explicitly, default to the Istio discovery address. + caAddress: "" + + # Enable control of remote clusters. + externalIstiod: false + + # Configure a remote cluster as the config cluster for an external istiod. + configCluster: false + + # configValidation enables the validation webhook for Istio configuration. + configValidation: true + + # Mesh ID means Mesh Identifier. It should be unique within the scope where + # meshes will interact with each other, but it is not required to be + # globally/universally unique. For example, if any of the following are true, + # then two meshes must have different Mesh IDs: + # - Meshes will have their telemetry aggregated in one place + # - Meshes will be federated together + # - Policy will be written referencing one mesh from the other + # + # If an administrator expects that any of these conditions may become true in + # the future, they should ensure their meshes have different Mesh IDs + # assigned. + # + # Within a multicluster mesh, each cluster must be (manually or auto) + # configured to have the same Mesh ID value. If an existing cluster 'joins' a + # multicluster mesh, it will need to be migrated to the new mesh ID. Details + # of migration TBD, and it may be a disruptive operation to change the Mesh + # ID post-install. + # + # If the mesh admin does not specify a value, Istio will use the value of the + # mesh's Trust Domain. The best practice is to select a proper Trust Domain + # value. + meshID: "" + + # Configure the mesh networks to be used by the Split Horizon EDS. + # + # The following example defines two networks with different endpoints association methods. + # For `network1` all endpoints that their IP belongs to the provided CIDR range will be + # mapped to network1. The gateway for this network example is specified by its public IP + # address and port. + # The second network, `network2`, in this example is defined differently with all endpoints + # retrieved through the specified Multi-Cluster registry being mapped to network2. The + # gateway is also defined differently with the name of the gateway service on the remote + # cluster. The public IP for the gateway will be determined from that remote service (only + # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, + # it still need to be configured manually). + # + # meshNetworks: + # network1: + # endpoints: + # - fromCidr: "192.168.0.1/24" + # gateways: + # - address: 1.1.1.1 + # port: 80 + # network2: + # endpoints: + # - fromRegistry: reg1 + # gateways: + # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local + # port: 443 + # + meshNetworks: {} + + # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. + mountMtlsCerts: false + + multiCluster: + # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection + # to properly label proxies + clusterName: "" + + # Network defines the network this cluster belong to. This name + # corresponds to the networks in the map of mesh networks. + network: "" + + # Configure the certificate provider for control plane communication. + # Currently, two providers are supported: "kubernetes" and "istiod". + # As some platforms may not have kubernetes signing APIs, + # Istiod is the default + pilotCertProvider: istiod + + sds: + # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. + # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the + # JWT is intended for the CA. + token: + aud: istio-ca + + sts: + # The service port used by Security Token Service (STS) server to handle token exchange requests. + # Setting this port to a non-zero value enables STS server. + servicePort: 0 + + # The name of the CA for workload certificates. + # For example, when caName=GkeWorkloadCertificate, GKE workload certificates + # will be used as the certificates for workloads. + # The default value is "" and when caName="", the CA will be configured by other + # mechanisms (e.g., environmental variable CA_PROVIDER). + caName: "" + + waypoint: + # Resources for the waypoint proxy. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: "2" + memory: 1Gi + + # If specified, affinity defines the scheduling constraints of waypoint pods. + affinity: {} + + # Topology Spread Constraints for the waypoint proxy. + topologySpreadConstraints: [] + + # Node labels for the waypoint proxy. + nodeSelector: {} + + # Tolerations for the waypoint proxy. + tolerations: [] + + base: + # For istioctl usage to disable istio config crds in base + enableIstioConfigCRDs: true + + # Gateway Settings + gateways: + # Define the security context for the pod. + # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. + # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. + securityContext: {} + + # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it + seccompProfile: {} + + # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass. + # For example: + # gatewayClasses: + # istio: + # service: + # spec: + # type: ClusterIP + # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field. + gatewayClasses: {} + + pdb: + # -- Minimum available pods set in PodDisruptionBudget. + # Define either 'minAvailable' or 'maxUnavailable', never both. + minAvailable: 1 + # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored. + # maxUnavailable: 1 + # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget. + # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/ + unhealthyPodEvictionPolicy: "" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/revisiontags/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/revisiontags/Chart.yaml new file mode 100644 index 0000000000..fd5d2d5dd6 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/revisiontags/Chart.yaml @@ -0,0 +1,8 @@ +apiVersion: v2 +appVersion: 1.28.4 +description: Helm chart for istio revision tags +name: revisiontags +sources: +- https://github.com/istio-ecosystem/sail-operator +version: 0.1.0 + diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/revisiontags/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/revisiontags/files/profile-ambient.yaml new file mode 100644 index 0000000000..495fbcd434 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/revisiontags/files/profile-ambient.yaml @@ -0,0 +1,24 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" + serviceScopeConfigs: + - servicesSelector: + matchExpressions: + - key: istio.io/global + operator: In + values: ["true"] + scope: GLOBAL +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/revisiontags/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/revisiontags/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..d04117bfc0 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/revisiontags/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,14 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.27 behavioral changes + ENABLE_NATIVE_SIDECARS: "false" + # 1.28 behavioral changes + DISABLE_SHADOW_HOST_SUFFIX: "false" + PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/revisiontags/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/revisiontags/files/profile-compatibility-version-1.26.yaml new file mode 100644 index 0000000000..8fe80112bf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/revisiontags/files/profile-compatibility-version-1.26.yaml @@ -0,0 +1,11 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.27 behavioral changes + ENABLE_NATIVE_SIDECARS: "false" + # 1.28 behavioral changes + DISABLE_SHADOW_HOST_SUFFIX: "false" + PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/revisiontags/files/profile-compatibility-version-1.27.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/revisiontags/files/profile-compatibility-version-1.27.yaml new file mode 100644 index 0000000000..209157cccf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/revisiontags/files/profile-compatibility-version-1.27.yaml @@ -0,0 +1,9 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.28 behavioral changes + DISABLE_SHADOW_HOST_SUFFIX: "false" + PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/revisiontags/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/revisiontags/files/profile-demo.yaml new file mode 100644 index 0000000000..d6dc36dd0f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/revisiontags/files/profile-demo.yaml @@ -0,0 +1,94 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The demo profile enables a variety of things to try out Istio in non-production environments. +# * Lower resource utilization. +# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. +# * More ports enabled on the ingress, which is used in some tasks. +meshConfig: + accessLogFile: /dev/stdout + extensionProviders: + - name: otel + envoyOtelAls: + service: opentelemetry-collector.observability.svc.cluster.local + port: 4317 + - name: skywalking + skywalking: + service: tracing.istio-system.svc.cluster.local + port: 11800 + - name: otel-tracing + opentelemetry: + port: 4317 + service: opentelemetry-collector.observability.svc.cluster.local + - name: jaeger + opentelemetry: + port: 4317 + service: jaeger-collector.istio-system.svc.cluster.local + +cni: + resources: + requests: + cpu: 10m + memory: 40Mi + +ztunnel: + resources: + requests: + cpu: 10m + memory: 40Mi + +global: + proxy: + resources: + requests: + cpu: 10m + memory: 40Mi + waypoint: + resources: + requests: + cpu: 10m + memory: 40Mi + +pilot: + autoscaleEnabled: false + traceSampling: 100 + resources: + requests: + cpu: 10m + memory: 100Mi + +gateways: + istio-egressgateway: + autoscaleEnabled: false + resources: + requests: + cpu: 10m + memory: 40Mi + istio-ingressgateway: + autoscaleEnabled: false + ports: + ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. + # Note that AWS ELB will by default perform health checks on the first port + # on this list. Setting this to the health check port will ensure that health + # checks always work. https://github.com/istio/istio/issues/12503 + - port: 15021 + targetPort: 15021 + name: status-port + - port: 80 + targetPort: 8080 + name: http2 + - port: 443 + targetPort: 8443 + name: https + - port: 31400 + targetPort: 31400 + name: tcp + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + resources: + requests: + cpu: 10m + memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/revisiontags/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/revisiontags/files/profile-platform-gke.yaml new file mode 100644 index 0000000000..dfe8a7d741 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/revisiontags/files/profile-platform-gke.yaml @@ -0,0 +1,10 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work + resourceQuotas: + enabled: true +resourceQuotas: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/revisiontags/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/revisiontags/files/profile-platform-k3d.yaml new file mode 100644 index 0000000000..cd86d9ec58 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/revisiontags/files/profile-platform-k3d.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/revisiontags/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/revisiontags/files/profile-platform-k3s.yaml new file mode 100644 index 0000000000..07820106d9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/revisiontags/files/profile-platform-k3s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/revisiontags/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/revisiontags/files/profile-platform-microk8s.yaml new file mode 100644 index 0000000000..57d7f5e3cd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/revisiontags/files/profile-platform-microk8s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/snap/microk8s/current/args/cni-network + cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/revisiontags/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/revisiontags/files/profile-platform-minikube.yaml new file mode 100644 index 0000000000..fa9992e204 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/revisiontags/files/profile-platform-minikube.yaml @@ -0,0 +1,6 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/revisiontags/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/revisiontags/files/profile-platform-openshift.yaml new file mode 100644 index 0000000000..8ddc5e1654 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/revisiontags/files/profile-platform-openshift.yaml @@ -0,0 +1,19 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The OpenShift profile provides a basic set of settings to run Istio on OpenShift +cni: + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + provider: "multus" +pilot: + cni: + enabled: true + provider: "multus" +seLinuxOptions: + type: spc_t +# Openshift requires privileged pods to run in kube-system +trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/revisiontags/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/revisiontags/files/profile-preview.yaml new file mode 100644 index 0000000000..181d7bda2c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/revisiontags/files/profile-preview.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +meshConfig: + defaultConfig: + proxyMetadata: + # Enable Istio agent to handle DNS requests for known hosts + # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf + ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/revisiontags/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/revisiontags/files/profile-remote.yaml new file mode 100644 index 0000000000..d17b9a801a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/revisiontags/files/profile-remote.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. +istiodRemote: + enabled: true +configMap: false +telemetry: + enabled: false +global: + # TODO BML maybe a different profile for a configcluster/revisit this + omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/revisiontags/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/revisiontags/files/profile-stable.yaml new file mode 100644 index 0000000000..358282e69b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/revisiontags/files/profile-stable.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The stable profile deploys admission control to ensure that only stable resources and fields are used +# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE +experimental: + stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/revisiontags/templates/revision-tags-mwc.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/revisiontags/templates/revision-tags-mwc.yaml new file mode 100644 index 0000000000..556bb2f1e9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/revisiontags/templates/revision-tags-mwc.yaml @@ -0,0 +1,154 @@ +# Adapted from istio-discovery/templates/mutatingwebhook.yaml +# Removed paths for legacy and default selectors since a revision tag +# is inherently created from a specific revision +# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that. +{{- $whv := dict +"revision" .Values.revision + "injectionPath" .Values.istiodRemote.injectionPath + "injectionURL" .Values.istiodRemote.injectionURL + "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy + "caBundle" .Values.istiodRemote.injectionCABundle + "namespace" .Release.Namespace }} +{{- define "core" }} +{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign +a unique prefix to each. */}} +- name: {{.Prefix}}sidecar-injector.istio.io + clientConfig: + {{- if .injectionURL }} + url: "{{ .injectionURL }}" + {{- else }} + service: + name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} + namespace: {{ .namespace }} + path: "{{ .injectionPath }}" + port: 443 + {{- end }} + sideEffects: None + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + reinvocationPolicy: "{{ .reinvocationPolicy }}" + admissionReviewVersions: ["v1"] +{{- end }} + +{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} +{{- if not .Values.global.operatorManageWebhooks }} +{{- range $tagName := $.Values.revisionTags }} +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: +{{- if eq $.Release.Namespace "istio-system"}} + name: istio-revision-tag-{{ $tagName }} +{{- else }} + name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }} +{{- end }} + labels: + istio.io/tag: {{ $tagName }} + istio.io/rev: {{ $.Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app: sidecar-injector + release: {{ $.Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" $ | nindent 4 }} +{{- if $.Values.sidecarInjectorWebhookAnnotations }} + annotations: +{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }} +{{- end }} +webhooks: +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + - "{{ $tagName }}" + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: DoesNotExist + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + - key: istio.io/rev + operator: In + values: + - "{{ $tagName }}" + +{{- /* When the tag is "default" we want to create webhooks for the default revision */}} +{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}} +{{- if (eq $tagName "default") }} + +{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: In + values: + - enabled + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + +{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: In + values: + - "true" + - key: istio.io/rev + operator: DoesNotExist + +{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }} +{{- /* Special case 3: no labels at all */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + - key: "kubernetes.io/metadata.name" + operator: "NotIn" + values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist +{{- end }} + +{{- end }} +--- +{{- end }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/revisiontags/templates/revision-tags-svc.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/revisiontags/templates/revision-tags-svc.yaml new file mode 100644 index 0000000000..5c4826d23e --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/revisiontags/templates/revision-tags-svc.yaml @@ -0,0 +1,57 @@ +{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} +# Adapted from istio-discovery/templates/service.yaml +{{- range $tagName := .Values.revisionTags }} +apiVersion: v1 +kind: Service +metadata: + name: istiod-revision-tag-{{ $tagName }} + namespace: {{ $.Release.Namespace }} + {{- if $.Values.serviceAnnotations }} + annotations: +{{ toYaml $.Values.serviceAnnotations | indent 4 }} + {{- end }} + labels: + istio.io/rev: {{ $.Values.revision | default "default" | quote }} + istio.io/tag: {{ $tagName }} + operator.istio.io/component: "Pilot" + app: istiod + istio: pilot + release: {{ $.Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" $ | nindent 4 }} +spec: + ports: + - port: 15010 + name: grpc-xds # plaintext + protocol: TCP + - port: 15012 + name: https-dns # mTLS with k8s-signed cert + protocol: TCP + - port: 443 + name: https-webhook # validation and injection + targetPort: 15017 + protocol: TCP + - port: 15014 + name: http-monitoring # prometheus stats + protocol: TCP + selector: + app: istiod + {{- if ne $.Values.revision "" }} + istio.io/rev: {{ $.Values.revision | quote }} + {{- else }} + # Label used by the 'default' service. For versioned deployments we match with app and version. + # This avoids default deployment picking the canary + istio: pilot + {{- end }} + {{- if $.Values.ipFamilyPolicy }} + ipFamilyPolicy: {{ $.Values.ipFamilyPolicy }} + {{- end }} + {{- if $.Values.ipFamilies }} + ipFamilies: + {{- range $.Values.ipFamilies }} + - {{ . }} + {{- end }} + {{- end }} +--- +{{- end -}} +{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/revisiontags/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/revisiontags/templates/zzz_profile.yaml new file mode 100644 index 0000000000..3d84956485 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/revisiontags/templates/zzz_profile.yaml @@ -0,0 +1,75 @@ +{{/* +WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. +The original version of this file is located at /manifests directory. +If you want to make a change in this file, edit the original one and run "make gen". + +Complex logic ahead... +We have three sets of values, in order of precedence (last wins): +1. The builtin values.yaml defaults +2. The profile the user selects +3. Users input (-f or --set) + +Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). + +However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). +We can then merge the profile onto the defaults, then the user settings onto that. +Finally, we can set all of that under .Values so the chart behaves without awareness. +*/}} +{{- if $.Values.defaults}} +{{ fail (cat + "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" + ($.Values.defaults | toYaml |nindent 4) +) }} +{{- end }} +{{- $defaults := $.Values._internal_defaults_do_not_set }} +{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} +{{- $profile := dict }} +{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} +{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} +{{- $profile = (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown profile" .) }} +{{- end }} +{{- end }} +{{- with .Values.compatibilityVersion }} +{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} +{{- end }} +{{- end }} +{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} +{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown platform" .) }} +{{- end }} +{{- end }} +{{- if $profile }} +{{- $a := mustMergeOverwrite $defaults $profile }} +{{- end }} +# Flatten globals, if defined on a per-chart basis +{{- if false }} +{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} +{{- end }} +{{- $x := set $.Values "_original" (deepCopy $.Values) }} +{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} + +{{/* +Labels that should be applied to ALL resources. +*/}} +{{- define "istio.labels" -}} +{{- if .Release.Service -}} +app.kubernetes.io/managed-by: {{ .Release.Service | quote }} +{{- end }} +{{- if .Release.Name }} +app.kubernetes.io/instance: {{ .Release.Name | quote }} +{{- end }} +app.kubernetes.io/part-of: "istio" +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +{{- if and .Chart.Name .Chart.Version }} +helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/revisiontags/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/revisiontags/values.yaml new file mode 100644 index 0000000000..691fd7d7ae --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/revisiontags/values.yaml @@ -0,0 +1,583 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + autoscaleEnabled: true + autoscaleMin: 1 + autoscaleMax: 5 + autoscaleBehavior: {} + replicaCount: 1 + rollingMaxSurge: 100% + rollingMaxUnavailable: 25% + + hub: "" + tag: "" + variant: "" + + # Can be a full hub/image:tag + image: pilot + traceSampling: 1.0 + + # Resources for a small pilot install + resources: + requests: + cpu: 500m + memory: 2048Mi + + # Set to `type: RuntimeDefault` to use the default profile if available. + seccompProfile: {} + + # Whether to use an existing CNI installation + cni: + enabled: false + provider: default + + # Additional container arguments + extraContainerArgs: [] + + env: {} + + envVarFrom: [] + + # Settings related to the untaint controller + # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready + # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes + taint: + # Controls whether or not the untaint controller is active + enabled: false + # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod + namespace: "" + + affinity: {} + + tolerations: [] + + cpu: + targetAverageUtilization: 80 + memory: {} + # targetAverageUtilization: 80 + + # Additional volumeMounts to the istiod container + volumeMounts: [] + + # Additional volumes to the istiod pod + volumes: [] + + # Inject initContainers into the istiod pod + initContainers: [] + + nodeSelector: {} + podAnnotations: {} + serviceAnnotations: {} + serviceAccountAnnotations: {} + sidecarInjectorWebhookAnnotations: {} + + topologySpreadConstraints: [] + + # You can use jwksResolverExtraRootCA to provide a root certificate + # in PEM format. This will then be trusted by pilot when resolving + # JWKS URIs. + jwksResolverExtraRootCA: "" + + # The following is used to limit how long a sidecar can be connected + # to a pilot. It balances out load across pilot instances at the cost of + # increasing system churn. + keepaliveMaxServerConnectionAge: 30m + + # Additional labels to apply to the deployment. + deploymentLabels: {} + + # Annotations to apply to the istiod deployment. + deploymentAnnotations: {} + + ## Mesh config settings + + # Install the mesh config map, generated from values.yaml. + # If false, pilot wil use default values (by default) or user-supplied values. + configMap: true + + # Additional labels to apply on the pod level for monitoring and logging configuration. + podLabels: {} + + # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + ipFamilyPolicy: "" + ipFamilies: [] + + # Ambient mode only. + # Set this if you install ztunnel to a different namespace from `istiod`. + # If set, `istiod` will allow connections from trusted node proxy ztunnels + # in the provided namespace. + # If unset, `istiod` will assume the trusted node proxy ztunnel resides + # in the same namespace as itself. + trustedZtunnelNamespace: "" + # Set this if you install ztunnel with a name different from the default. + trustedZtunnelName: "" + + sidecarInjectorWebhook: + # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or + # always skip the injection on pods that match that label selector, regardless of the global policy. + # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions + neverInjectSelector: [] + alwaysInjectSelector: [] + + # injectedAnnotations are additional annotations that will be added to the pod spec after injection + # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations: + # + # annotations: + # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default + # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default + # + # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before + # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify: + # injectedAnnotations: + # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default + # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default + injectedAnnotations: {} + + # This enables injection of sidecar in all namespaces, + # with the exception of namespaces with "istio-injection:disabled" annotation + # Only one environment should have this enabled. + enableNamespacesByDefault: false + + # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run + # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten. + # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur. + reinvocationPolicy: Never + + rewriteAppHTTPProbe: true + + # Templates defines a set of custom injection templates that can be used. For example, defining: + # + # templates: + # hello: | + # metadata: + # labels: + # hello: world + # + # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod + # being injected with the hello=world labels. + # This is intended for advanced configuration only; most users should use the built in template + templates: {} + + # Default templates specifies a set of default templates that are used in sidecar injection. + # By default, a template `sidecar` is always provided, which contains the template of default sidecar. + # To inject other additional templates, define it using the `templates` option, and add it to + # the default templates list. + # For example: + # + # templates: + # hello: | + # metadata: + # labels: + # hello: world + # + # defaultTemplates: ["sidecar", "hello"] + defaultTemplates: [] + istiodRemote: + # If `true`, indicates that this cluster/install should consume a "remote istiod" installation, + # and istiod itself will NOT be installed in this cluster - only the support resources necessary + # to utilize a remote instance. + enabled: false + + # If `true`, indicates that this cluster/install should consume a "local istiod" installation, + # local istiod inject sidecars + enabledLocalInjectorIstiod: false + + # Sidecar injector mutating webhook configuration clientConfig.url value. + # For example: https://$remotePilotAddress:15017/inject + # The host should not refer to a service running in the cluster; use a service reference by specifying + # the clientConfig.service field instead. + injectionURL: "" + + # Sidecar injector mutating webhook configuration path value for the clientConfig.service field. + # Override to pass env variables, for example: /inject/cluster/remote/net/network2 + injectionPath: "/inject" + + injectionCABundle: "" + telemetry: + enabled: true + v2: + # For Null VM case now. + # This also enables metadata exchange. + enabled: true + # Indicate if prometheus stats filter is enabled or not + prometheus: + enabled: true + # stackdriver filter settings. + stackdriver: + enabled: false + # Revision is set as 'version' label and part of the resource names when installing multiple control planes. + revision: "" + + # Revision tags are aliases to Istio control plane revisions + revisionTags: [] + + # For Helm compatibility. + ownerName: "" + + # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior + # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options + meshConfig: + enablePrometheusMerge: true + + experimental: + stableValidationPolicy: false + + global: + # Used to locate istiod. + istioNamespace: istio-system + # List of cert-signers to allow "approve" action in the istio cluster role + # + # certSigners: + # - clusterissuers.cert-manager.io/istio-ca + certSigners: [] + # enable pod disruption budget for the control plane, which is used to + # ensure Istio control plane components are gradually upgraded or recovered. + defaultPodDisruptionBudget: + enabled: true + # The values aren't mutable due to a current PodDisruptionBudget limitation + # minAvailable: 1 + + # A minimal set of requested resources to applied to all deployments so that + # Horizontal Pod Autoscaler will be able to function (if set). + # Each component can overwrite these default values by adding its own resources + # block in the relevant section below and setting the desired resources values. + defaultResources: + requests: + cpu: 10m + # memory: 128Mi + # limits: + # cpu: 100m + # memory: 128Mi + + # Default hub for Istio images. + # Releases are published to docker hub under 'istio' project. + # Dev builds from prow are on gcr.io + hub: gcr.io/istio-release + # Default tag for Istio images. + tag: 1.28.4 + # Variant of the image to use. + # Currently supported are: [debug, distroless] + variant: "" + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent. + imagePullPolicy: "" + + # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) + # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + # - private-registry-key + + # Enabled by default in master for maximising testing. + istiod: + enableAnalysis: false + + # To output all istio components logs in json format by adding --log_as_json argument to each container argument + logAsJson: false + + # In order to use native nftable rules instead of iptable rules, set this flag to true. + nativeNftables: false + + # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: + # The control plane has different scopes depending on component, but can configure default log level across all components + # If empty, default scope and level will be used as configured in code + logging: + level: "default:info" + + # When enabled, default NetworkPolicy resources will be created + networkPolicy: + enabled: false + + omitSidecarInjectorConfigMap: false + + # resourceScope controls what resources will be processed by helm. + # This is useful when installing Istio on a cluster where some resources need to be owned by a cluster administrator and some can be owned by the mesh administrator. + # It can be one of: + # - all: all resources are processed + # - cluster: only cluster-scoped resources are processed + # - namespace: only namespace-scoped resources are processed + resourceScope: all + + # Configure whether Operator manages webhook configurations. The current behavior + # of Istiod is to manage its own webhook configurations. + # When this option is set as true, Istio Operator, instead of webhooks, manages the + # webhook configurations. When this option is set as false, webhooks manage their + # own webhook configurations. + operatorManageWebhooks: false + + # Custom DNS config for the pod to resolve names of services in other + # clusters. Use this to add additional search domains, and other settings. + # see + # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config + # This does not apply to gateway pods as they typically need a different + # set of DNS settings than the normal application pods (e.g., in + # multicluster scenarios). + # NOTE: If using templates, follow the pattern in the commented example below. + #podDNSSearchNamespaces: + #- global + #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global" + + # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and + # system-node-critical, it is better to configure this in order to make sure your Istio pods + # will not be killed because of low priority class. + # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + # for more detail. + priorityClassName: "" + + proxy: + image: proxyv2 + + # This controls the 'policy' in the sidecar injector. + autoInject: enabled + + # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value + # cluster domain. Default value is "cluster.local". + clusterDomain: "cluster.local" + + # Per Component log level for proxy, applies to gateways and sidecars. If a component level is + # not set, then the global "logLevel" will be used. + componentLogLevel: "misc:error" + + # istio ingress capture allowlist + # examples: + # Redirect only selected ports: --includeInboundPorts="80,8080" + excludeInboundPorts: "" + includeInboundPorts: "*" + + # istio egress capture allowlist + # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly + # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" + # would only capture egress traffic on those two IP Ranges, all other outbound traffic would + # be allowed by the sidecar + includeIPRanges: "*" + excludeIPRanges: "" + includeOutboundPorts: "" + excludeOutboundPorts: "" + + # Log level for proxy, applies to gateways and sidecars. + # Expected values are: trace|debug|info|warning|error|critical|off + logLevel: warning + + # Specify the path to the outlier event log. + # Example: /dev/stdout + outlierLogPath: "" + + #If set to true, istio-proxy container will have privileged securityContext + privileged: false + + seccompProfile: {} + + # The number of successive failed probes before indicating readiness failure. + readinessFailureThreshold: 4 + + # The initial delay for readiness probes in seconds. + readinessInitialDelaySeconds: 0 + + # The period between readiness probes. + readinessPeriodSeconds: 15 + + # Enables or disables a startup probe. + # For optimal startup times, changing this should be tied to the readiness probe values. + # + # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4. + # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval), + # and doesn't spam the readiness endpoint too much + # + # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30. + # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly. + startupProbe: + enabled: true + failureThreshold: 600 # 10 minutes + + # Resources for the sidecar. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 1024Mi + + # Default port for Pilot agent health checks. A value of 0 will disable health checking. + statusPort: 15020 + + # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none. + # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. + tracer: "none" + + proxy_init: + # Base name for the proxy_init container, used to configure iptables. + image: proxyv2 + # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures. + # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases. + forceApplyIptables: false + + # configure remote pilot and istiod service and endpoint + remotePilotAddress: "" + + ############################################################################################## + # The following values are found in other charts. To effectively modify these values, make # + # make sure they are consistent across your Istio helm charts # + ############################################################################################## + + # The customized CA address to retrieve certificates for the pods in the cluster. + # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. + # If not set explicitly, default to the Istio discovery address. + caAddress: "" + + # Enable control of remote clusters. + externalIstiod: false + + # Configure a remote cluster as the config cluster for an external istiod. + configCluster: false + + # configValidation enables the validation webhook for Istio configuration. + configValidation: true + + # Mesh ID means Mesh Identifier. It should be unique within the scope where + # meshes will interact with each other, but it is not required to be + # globally/universally unique. For example, if any of the following are true, + # then two meshes must have different Mesh IDs: + # - Meshes will have their telemetry aggregated in one place + # - Meshes will be federated together + # - Policy will be written referencing one mesh from the other + # + # If an administrator expects that any of these conditions may become true in + # the future, they should ensure their meshes have different Mesh IDs + # assigned. + # + # Within a multicluster mesh, each cluster must be (manually or auto) + # configured to have the same Mesh ID value. If an existing cluster 'joins' a + # multicluster mesh, it will need to be migrated to the new mesh ID. Details + # of migration TBD, and it may be a disruptive operation to change the Mesh + # ID post-install. + # + # If the mesh admin does not specify a value, Istio will use the value of the + # mesh's Trust Domain. The best practice is to select a proper Trust Domain + # value. + meshID: "" + + # Configure the mesh networks to be used by the Split Horizon EDS. + # + # The following example defines two networks with different endpoints association methods. + # For `network1` all endpoints that their IP belongs to the provided CIDR range will be + # mapped to network1. The gateway for this network example is specified by its public IP + # address and port. + # The second network, `network2`, in this example is defined differently with all endpoints + # retrieved through the specified Multi-Cluster registry being mapped to network2. The + # gateway is also defined differently with the name of the gateway service on the remote + # cluster. The public IP for the gateway will be determined from that remote service (only + # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, + # it still need to be configured manually). + # + # meshNetworks: + # network1: + # endpoints: + # - fromCidr: "192.168.0.1/24" + # gateways: + # - address: 1.1.1.1 + # port: 80 + # network2: + # endpoints: + # - fromRegistry: reg1 + # gateways: + # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local + # port: 443 + # + meshNetworks: {} + + # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. + mountMtlsCerts: false + + multiCluster: + # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection + # to properly label proxies + clusterName: "" + + # Network defines the network this cluster belong to. This name + # corresponds to the networks in the map of mesh networks. + network: "" + + # Configure the certificate provider for control plane communication. + # Currently, two providers are supported: "kubernetes" and "istiod". + # As some platforms may not have kubernetes signing APIs, + # Istiod is the default + pilotCertProvider: istiod + + sds: + # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. + # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the + # JWT is intended for the CA. + token: + aud: istio-ca + + sts: + # The service port used by Security Token Service (STS) server to handle token exchange requests. + # Setting this port to a non-zero value enables STS server. + servicePort: 0 + + # The name of the CA for workload certificates. + # For example, when caName=GkeWorkloadCertificate, GKE workload certificates + # will be used as the certificates for workloads. + # The default value is "" and when caName="", the CA will be configured by other + # mechanisms (e.g., environmental variable CA_PROVIDER). + caName: "" + + waypoint: + # Resources for the waypoint proxy. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: "2" + memory: 1Gi + + # If specified, affinity defines the scheduling constraints of waypoint pods. + affinity: {} + + # Topology Spread Constraints for the waypoint proxy. + topologySpreadConstraints: [] + + # Node labels for the waypoint proxy. + nodeSelector: {} + + # Tolerations for the waypoint proxy. + tolerations: [] + + base: + # For istioctl usage to disable istio config crds in base + enableIstioConfigCRDs: true + + # Gateway Settings + gateways: + # Define the security context for the pod. + # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. + # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. + securityContext: {} + + # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it + seccompProfile: {} + + # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass. + # For example: + # gatewayClasses: + # istio: + # service: + # spec: + # type: ClusterIP + # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field. + gatewayClasses: {} + + pdb: + # -- Minimum available pods set in PodDisruptionBudget. + # Define either 'minAvailable' or 'maxUnavailable', never both. + minAvailable: 1 + # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored. + # maxUnavailable: 1 + # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget. + # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/ + unhealthyPodEvictionPolicy: "" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/ztunnel/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/ztunnel/Chart.yaml new file mode 100644 index 0000000000..84af74d241 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/ztunnel/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +appVersion: 1.28.4 +description: Helm chart for istio ztunnel components +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio-ztunnel +- istio +name: ztunnel +sources: +- https://github.com/istio/istio +version: 1.28.4 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/ztunnel/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/ztunnel/README.md new file mode 100644 index 0000000000..72ea6892e5 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/ztunnel/README.md @@ -0,0 +1,50 @@ +# Istio Ztunnel Helm Chart + +This chart installs an Istio ztunnel. + +## Setup Repo Info + +```console +helm repo add istio https://istio-release.storage.googleapis.com/charts +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Installing the Chart + +To install the chart: + +```console +helm install ztunnel istio/ztunnel +``` + +## Uninstalling the Chart + +To uninstall/delete the chart: + +```console +helm delete ztunnel +``` + +## Configuration + +To view supported configuration options and documentation, run: + +```console +helm show values istio/ztunnel +``` + +### Profiles + +Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. +These can be set with `--set profile=`. +For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. + +For consistency, the same profiles are used across each chart, even if they do not impact a given chart. + +Explicitly set values have highest priority, then profile settings, then chart defaults. + +As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. +When configuring the chart, you should not include this. +That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/ztunnel/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/ztunnel/files/profile-ambient.yaml new file mode 100644 index 0000000000..495fbcd434 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/ztunnel/files/profile-ambient.yaml @@ -0,0 +1,24 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" + serviceScopeConfigs: + - servicesSelector: + matchExpressions: + - key: istio.io/global + operator: In + values: ["true"] + scope: GLOBAL +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/ztunnel/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/ztunnel/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..d04117bfc0 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/ztunnel/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,14 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.27 behavioral changes + ENABLE_NATIVE_SIDECARS: "false" + # 1.28 behavioral changes + DISABLE_SHADOW_HOST_SUFFIX: "false" + PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/ztunnel/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/ztunnel/files/profile-compatibility-version-1.26.yaml new file mode 100644 index 0000000000..8fe80112bf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/ztunnel/files/profile-compatibility-version-1.26.yaml @@ -0,0 +1,11 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.27 behavioral changes + ENABLE_NATIVE_SIDECARS: "false" + # 1.28 behavioral changes + DISABLE_SHADOW_HOST_SUFFIX: "false" + PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/ztunnel/files/profile-compatibility-version-1.27.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/ztunnel/files/profile-compatibility-version-1.27.yaml new file mode 100644 index 0000000000..209157cccf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/ztunnel/files/profile-compatibility-version-1.27.yaml @@ -0,0 +1,9 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.28 behavioral changes + DISABLE_SHADOW_HOST_SUFFIX: "false" + PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/ztunnel/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/ztunnel/files/profile-demo.yaml new file mode 100644 index 0000000000..d6dc36dd0f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/ztunnel/files/profile-demo.yaml @@ -0,0 +1,94 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The demo profile enables a variety of things to try out Istio in non-production environments. +# * Lower resource utilization. +# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. +# * More ports enabled on the ingress, which is used in some tasks. +meshConfig: + accessLogFile: /dev/stdout + extensionProviders: + - name: otel + envoyOtelAls: + service: opentelemetry-collector.observability.svc.cluster.local + port: 4317 + - name: skywalking + skywalking: + service: tracing.istio-system.svc.cluster.local + port: 11800 + - name: otel-tracing + opentelemetry: + port: 4317 + service: opentelemetry-collector.observability.svc.cluster.local + - name: jaeger + opentelemetry: + port: 4317 + service: jaeger-collector.istio-system.svc.cluster.local + +cni: + resources: + requests: + cpu: 10m + memory: 40Mi + +ztunnel: + resources: + requests: + cpu: 10m + memory: 40Mi + +global: + proxy: + resources: + requests: + cpu: 10m + memory: 40Mi + waypoint: + resources: + requests: + cpu: 10m + memory: 40Mi + +pilot: + autoscaleEnabled: false + traceSampling: 100 + resources: + requests: + cpu: 10m + memory: 100Mi + +gateways: + istio-egressgateway: + autoscaleEnabled: false + resources: + requests: + cpu: 10m + memory: 40Mi + istio-ingressgateway: + autoscaleEnabled: false + ports: + ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. + # Note that AWS ELB will by default perform health checks on the first port + # on this list. Setting this to the health check port will ensure that health + # checks always work. https://github.com/istio/istio/issues/12503 + - port: 15021 + targetPort: 15021 + name: status-port + - port: 80 + targetPort: 8080 + name: http2 + - port: 443 + targetPort: 8443 + name: https + - port: 31400 + targetPort: 31400 + name: tcp + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + resources: + requests: + cpu: 10m + memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/ztunnel/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/ztunnel/files/profile-platform-gke.yaml new file mode 100644 index 0000000000..dfe8a7d741 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/ztunnel/files/profile-platform-gke.yaml @@ -0,0 +1,10 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work + resourceQuotas: + enabled: true +resourceQuotas: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/ztunnel/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/ztunnel/files/profile-platform-k3d.yaml new file mode 100644 index 0000000000..cd86d9ec58 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/ztunnel/files/profile-platform-k3d.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/ztunnel/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/ztunnel/files/profile-platform-k3s.yaml new file mode 100644 index 0000000000..07820106d9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/ztunnel/files/profile-platform-k3s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/ztunnel/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/ztunnel/files/profile-platform-microk8s.yaml new file mode 100644 index 0000000000..57d7f5e3cd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/ztunnel/files/profile-platform-microk8s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/snap/microk8s/current/args/cni-network + cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/ztunnel/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/ztunnel/files/profile-platform-minikube.yaml new file mode 100644 index 0000000000..fa9992e204 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/ztunnel/files/profile-platform-minikube.yaml @@ -0,0 +1,6 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/ztunnel/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/ztunnel/files/profile-platform-openshift.yaml new file mode 100644 index 0000000000..8ddc5e1654 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/ztunnel/files/profile-platform-openshift.yaml @@ -0,0 +1,19 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The OpenShift profile provides a basic set of settings to run Istio on OpenShift +cni: + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + provider: "multus" +pilot: + cni: + enabled: true + provider: "multus" +seLinuxOptions: + type: spc_t +# Openshift requires privileged pods to run in kube-system +trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/ztunnel/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/ztunnel/files/profile-preview.yaml new file mode 100644 index 0000000000..181d7bda2c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/ztunnel/files/profile-preview.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +meshConfig: + defaultConfig: + proxyMetadata: + # Enable Istio agent to handle DNS requests for known hosts + # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf + ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/ztunnel/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/ztunnel/files/profile-remote.yaml new file mode 100644 index 0000000000..d17b9a801a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/ztunnel/files/profile-remote.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. +istiodRemote: + enabled: true +configMap: false +telemetry: + enabled: false +global: + # TODO BML maybe a different profile for a configcluster/revisit this + omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/ztunnel/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/ztunnel/files/profile-stable.yaml new file mode 100644 index 0000000000..358282e69b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/ztunnel/files/profile-stable.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The stable profile deploys admission control to ensure that only stable resources and fields are used +# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE +experimental: + stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/ztunnel/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/ztunnel/templates/NOTES.txt new file mode 100644 index 0000000000..244f59db06 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/ztunnel/templates/NOTES.txt @@ -0,0 +1,5 @@ +ztunnel successfully installed! + +To learn more about the release, try: + $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} + $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/ztunnel/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/ztunnel/templates/_helpers.tpl new file mode 100644 index 0000000000..46a7a0b79d --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/ztunnel/templates/_helpers.tpl @@ -0,0 +1 @@ +{{ define "ztunnel.release-name" }}{{ .Values.resourceName| default "ztunnel" }}{{ end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/ztunnel/templates/daemonset.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/ztunnel/templates/daemonset.yaml new file mode 100644 index 0000000000..b10e99cfa4 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/ztunnel/templates/daemonset.yaml @@ -0,0 +1,212 @@ +{{- if or (eq .Values.resourceScope "all") (eq .Values.resourceScope "namespace") }} +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ include "ztunnel.release-name" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: ztunnel + {{- include "istio.labels" . | nindent 4}} + {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }} + annotations: +{{- if .Values.revision }} + {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }} + {{- toYaml $annos | nindent 4}} +{{- else }} + {{- .Values.annotations | toYaml | nindent 4 }} +{{- end }} +spec: + {{- with .Values.updateStrategy }} + updateStrategy: + {{- toYaml . | nindent 4 }} + {{- end }} + selector: + matchLabels: + app: ztunnel + template: + metadata: + labels: + sidecar.istio.io/inject: "false" + istio.io/dataplane-mode: none + app: ztunnel + app.kubernetes.io/name: ztunnel + {{- include "istio.labels" . | nindent 8}} +{{ with .Values.podLabels -}}{{ toYaml . | indent 8 }}{{ end }} + annotations: + sidecar.istio.io/inject: "false" +{{- if .Values.revision }} + istio.io/rev: {{ .Values.revision }} +{{- end }} +{{ with .Values.podAnnotations -}}{{ toYaml . | indent 8 }}{{ end }} + spec: + nodeSelector: + kubernetes.io/os: linux +{{- if .Values.nodeSelector }} +{{ toYaml .Values.nodeSelector | indent 8 }} +{{- end }} +{{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | trim | indent 8 }} +{{- end }} + serviceAccountName: {{ include "ztunnel.release-name" . }} +{{- if .Values.tolerations }} + tolerations: +{{ toYaml .Values.tolerations | trim | indent 8 }} +{{- end }} + containers: + - name: istio-proxy +{{- if contains "/" .Values.image }} + image: "{{ .Values.image }}" +{{- else }} + image: "{{ .Values.hub }}/{{ .Values.image | default "ztunnel" }}:{{ .Values.tag }}{{with (.Values.variant )}}-{{.}}{{end}}" +{{- end }} + ports: + - containerPort: 15020 + name: ztunnel-stats + protocol: TCP + resources: +{{- if .Values.resources }} +{{ toYaml .Values.resources | trim | indent 10 }} +{{- end }} +{{- with .Values.imagePullPolicy }} + imagePullPolicy: {{ . }} +{{- end }} + securityContext: + # K8S docs are clear that CAP_SYS_ADMIN *or* privileged: true + # both force this to `true`: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + # But there is a K8S validation bug that doesn't propery catch this: https://github.com/kubernetes/kubernetes/issues/119568 + allowPrivilegeEscalation: true + privileged: false + capabilities: + drop: + - ALL + add: # See https://man7.org/linux/man-pages/man7/capabilities.7.html + - NET_ADMIN # Required for TPROXY and setsockopt + - SYS_ADMIN # Required for `setns` - doing things in other netns + - NET_RAW # Required for RAW/PACKET sockets, TPROXY + readOnlyRootFilesystem: true + runAsGroup: 1337 + runAsNonRoot: false + runAsUser: 0 +{{- if .Values.seLinuxOptions }} + seLinuxOptions: +{{ toYaml .Values.seLinuxOptions | trim | indent 12 }} +{{- end }} + readinessProbe: + httpGet: + port: 15021 + path: /healthz/ready + args: + - proxy + - ztunnel + env: + - name: CA_ADDRESS + {{- if .Values.caAddress }} + value: {{ .Values.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012 + {{- end }} + - name: XDS_ADDRESS + {{- if .Values.xdsAddress }} + value: {{ .Values.xdsAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012 + {{- end }} + {{- if .Values.logAsJson }} + - name: LOG_FORMAT + value: json + {{- end}} + {{- if .Values.network }} + - name: NETWORK + value: {{ .Values.network | quote }} + {{- end }} + - name: RUST_LOG + value: {{ .Values.logLevel | quote }} + - name: RUST_BACKTRACE + value: "1" + - name: ISTIO_META_CLUSTER_ID + value: {{ .Values.multiCluster.clusterName | default "Kubernetes" }} + - name: INPOD_ENABLED + value: "true" + - name: TERMINATION_GRACE_PERIOD_SECONDS + value: "{{ .Values.terminationGracePeriodSeconds }}" + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + {{- if .Values.meshConfig.defaultConfig.proxyMetadata }} + {{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata}} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + - name: ZTUNNEL_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + {{- with .Values.env }} + {{- range $key, $val := . }} + - name: {{ $key }} + value: "{{ $val }}" + {{- end }} + {{- end }} + volumeMounts: + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + - mountPath: /var/run/secrets/tokens + name: istio-token + - mountPath: /var/run/ztunnel + name: cni-ztunnel-sock-dir + - mountPath: /tmp + name: tmp + {{- with .Values.volumeMounts }} + {{- toYaml . | nindent 8 }} + {{- end }} + priorityClassName: system-node-critical + terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} + volumes: + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: istio-ca + - name: istiod-ca-cert + {{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:{{ .Values.trustBundleName | default "root-cert" }} + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + - name: cni-ztunnel-sock-dir + hostPath: + path: /var/run/ztunnel + type: DirectoryOrCreate # ideally this would be a socket, but istio-cni may not have started yet. + # pprof needs a writable /tmp, and we don't have that thanks to `readOnlyRootFilesystem: true`, so mount one + - name: tmp + emptyDir: {} + {{- with .Values.volumes }} + {{- toYaml . | nindent 6}} + {{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/ztunnel/templates/networkpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/ztunnel/templates/networkpolicy.yaml new file mode 100644 index 0000000000..b397c64c82 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/ztunnel/templates/networkpolicy.yaml @@ -0,0 +1,62 @@ +{{- if (.Values.global.networkPolicy).enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ include "ztunnel.release-name" . }}{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: ztunnel + app.kubernetes.io/name: ztunnel + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Ztunnel" + release: {{ .Release.Name }} + {{- include "istio.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + app: ztunnel + policyTypes: + - Ingress + - Egress + ingress: + # Readiness probe + - from: [] + ports: + - protocol: TCP + port: 15021 + # Monitoring/prometheus + - from: [] + ports: + - protocol: TCP + port: 15020 # Metrics + # Admin interface + - from: [] + ports: + - protocol: TCP + port: 15000 # Admin interface + # HBONE traffic + - from: [] + ports: + - protocol: TCP + port: 15008 + # Outbound traffic endpoint + - from: [] + ports: + - protocol: TCP + port: 15001 + # Traffic endpoint for inbound plaintext + - from: [] + ports: + - protocol: TCP + port: 15006 + # DNS Captures + - from: [ ] + ports: + - protocol: TCP + port: 15053 + - protocol: UDP + port: 15053 + egress: + # Allow all egress + - {} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/ztunnel/templates/rbac.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/ztunnel/templates/rbac.yaml new file mode 100644 index 0000000000..18291716bf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/ztunnel/templates/rbac.yaml @@ -0,0 +1,51 @@ +{{- if or (eq .Values.resourceScope "all") (eq .Values.resourceScope "cluster") }} +{{- if (eq (.Values.platform | default "") "openshift") }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "ztunnel.release-name" . }} + labels: + app: ztunnel + release: {{ include "ztunnel.release-name" . }} + app.kubernetes.io/name: ztunnel + {{- include "istio.labels" . | nindent 4}} + annotations: +{{- if .Values.revision }} + {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }} + {{- toYaml $annos | nindent 4}} +{{- else }} + {{- .Values.annotations | toYaml | nindent 4 }} +{{- end }} +rules: +- apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: ["privileged"] + verbs: ["use"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "ztunnel.release-name" . }} + labels: + app: ztunnel + release: {{ include "ztunnel.release-name" . }} + app.kubernetes.io/name: ztunnel + {{- include "istio.labels" . | nindent 4}} + annotations: +{{- if .Values.revision }} + {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }} + {{- toYaml $annos | nindent 4}} +{{- else }} + {{- .Values.annotations | toYaml | nindent 4 }} +{{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "ztunnel.release-name" . }} +subjects: +- kind: ServiceAccount + name: {{ include "ztunnel.release-name" . }} + namespace: {{ .Release.Namespace }} +{{- end }} +--- +{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/ztunnel/templates/resourcequota.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/ztunnel/templates/resourcequota.yaml new file mode 100644 index 0000000000..d33c9fe137 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/ztunnel/templates/resourcequota.yaml @@ -0,0 +1,22 @@ +{{- if or (eq .Values.resourceScope "all") (eq .Values.resourceScope "namespace") }} +{{- if .Values.resourceQuotas.enabled }} +apiVersion: v1 +kind: ResourceQuota +metadata: + name: {{ include "ztunnel.release-name" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: ztunnel + {{- include "istio.labels" . | nindent 4}} + {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }} +spec: + hard: + pods: {{ .Values.resourceQuotas.pods | quote }} + scopeSelector: + matchExpressions: + - operator: In + scopeName: PriorityClass + values: + - system-node-critical +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/ztunnel/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/ztunnel/templates/serviceaccount.yaml new file mode 100644 index 0000000000..e1146f3920 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/ztunnel/templates/serviceaccount.yaml @@ -0,0 +1,24 @@ +{{- if or (eq .Values.resourceScope "all") (eq .Values.resourceScope "namespace") }} +apiVersion: v1 +kind: ServiceAccount + {{- with .Values.imagePullSecrets }} +imagePullSecrets: + {{- range . }} + - name: {{ . }} + {{- end }} + {{- end }} +metadata: + name: {{ include "ztunnel.release-name" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: ztunnel + {{- include "istio.labels" . | nindent 4}} + {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }} + annotations: +{{- if .Values.revision }} + {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }} + {{- toYaml $annos | nindent 4}} +{{- else }} + {{- .Values.annotations | toYaml | nindent 4 }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/ztunnel/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/ztunnel/templates/zzz_profile.yaml new file mode 100644 index 0000000000..606c556697 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/ztunnel/templates/zzz_profile.yaml @@ -0,0 +1,75 @@ +{{/* +WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. +The original version of this file is located at /manifests directory. +If you want to make a change in this file, edit the original one and run "make gen". + +Complex logic ahead... +We have three sets of values, in order of precedence (last wins): +1. The builtin values.yaml defaults +2. The profile the user selects +3. Users input (-f or --set) + +Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). + +However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). +We can then merge the profile onto the defaults, then the user settings onto that. +Finally, we can set all of that under .Values so the chart behaves without awareness. +*/}} +{{- if $.Values.defaults}} +{{ fail (cat + "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" + ($.Values.defaults | toYaml |nindent 4) +) }} +{{- end }} +{{- $defaults := $.Values._internal_defaults_do_not_set }} +{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} +{{- $profile := dict }} +{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} +{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} +{{- $profile = (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown profile" .) }} +{{- end }} +{{- end }} +{{- with .Values.compatibilityVersion }} +{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} +{{- end }} +{{- end }} +{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} +{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown platform" .) }} +{{- end }} +{{- end }} +{{- if $profile }} +{{- $a := mustMergeOverwrite $defaults $profile }} +{{- end }} +# Flatten globals, if defined on a per-chart basis +{{- if true }} +{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} +{{- end }} +{{- $x := set $.Values "_original" (deepCopy $.Values) }} +{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} + +{{/* +Labels that should be applied to ALL resources. +*/}} +{{- define "istio.labels" -}} +{{- if .Release.Service -}} +app.kubernetes.io/managed-by: {{ .Release.Service | quote }} +{{- end }} +{{- if .Release.Name }} +app.kubernetes.io/instance: {{ .Release.Name | quote }} +{{- end }} +app.kubernetes.io/part-of: "istio" +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +{{- if and .Chart.Name .Chart.Version }} +helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/ztunnel/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/ztunnel/values.yaml new file mode 100644 index 0000000000..e08b1cb6b1 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/charts/ztunnel/values.yaml @@ -0,0 +1,141 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + # Hub to pull from. Image will be `Hub/Image:Tag-Variant` + hub: gcr.io/istio-release + # Tag to pull from. Image will be `Hub/Image:Tag-Variant` + tag: 1.28.4 + # Variant to pull. Options are "debug" or "distroless". Unset will use the default for the given version. + variant: "" + + # Image name to pull from. Image will be `Hub/Image:Tag-Variant` + # If Image contains a "/", it will replace the entire `image` in the pod. + image: ztunnel + + # Same as `global.network`, but will override it if set. + # Network defines the network this cluster belong to. This name + # corresponds to the networks in the map of mesh networks. + network: "" + + global: + # When enabled, default NetworkPolicy resources will be created + networkPolicy: + enabled: false + + # resourceName, if set, will override the naming of resources. If not set, will default to 'ztunnel'. + # If you set this, you MUST also set `trustedZtunnelName` in the `istiod` chart. + resourceName: "" + + # Labels to apply to all top level resources + labels: {} + # Annotations to apply to all top level resources + annotations: {} + + # Additional volumeMounts to the ztunnel container + volumeMounts: [] + + # Additional volumes to the ztunnel pod + volumes: [] + + # Tolerations for the ztunnel pod + tolerations: + - effect: NoSchedule + operator: Exists + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists + + # Annotations added to each pod. The default annotations are required for scraping prometheus (in most environments). + podAnnotations: + prometheus.io/port: "15020" + prometheus.io/scrape: "true" + + # Additional labels to apply on the pod level + podLabels: {} + + # Pod resource configuration + resources: + requests: + cpu: 200m + # Ztunnel memory scales with the size of the cluster and traffic load + # While there are many factors, this is enough for ~200k pod cluster or 100k concurrently open connections. + memory: 512Mi + + resourceQuotas: + enabled: false + pods: 5000 + + # List of secret names to add to the service account as image pull secrets + imagePullSecrets: [] + + # A `key: value` mapping of environment variables to add to the pod + env: {} + + # Override for the pod imagePullPolicy + imagePullPolicy: "" + + # Settings for multicluster + multiCluster: + # The name of the cluster we are installing in. Note this is a user-defined name, which must be consistent + # with Istiod configuration. + clusterName: "" + + # meshConfig defines runtime configuration of components. + # For ztunnel, only defaultConfig is used, but this is nested under `meshConfig` for consistency with other + # components. + # TODO: https://github.com/istio/istio/issues/43248 + meshConfig: + defaultConfig: + proxyMetadata: {} + + # This value defines: + # 1. how many seconds kube waits for ztunnel pod to gracefully exit before forcibly terminating it (this value) + # 2. how many seconds ztunnel waits to drain its own connections (this value - 1 sec) + # Default K8S value is 30 seconds + terminationGracePeriodSeconds: 30 + + # Revision is set as 'version' label and part of the resource names when installing multiple control planes. + # Used to locate the XDS and CA, if caAddress or xdsAddress are not set explicitly. + revision: "" + + # The customized CA address to retrieve certificates for the pods in the cluster. + # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. + caAddress: "" + + # The customized XDS address to retrieve configuration. + # This should include the port - 15012 for Istiod. TLS will be used with the certificates in "istiod-ca-cert" secret. + # By default, it is istiod.istio-system.svc:15012 if revision is not set, or istiod-..svc:15012 + xdsAddress: "" + + # Used to locate the XDS and CA, if caAddress or xdsAddress are not set. + istioNamespace: istio-system + + # Configuration log level of ztunnel binary, default is info. + # Valid values are: trace, debug, info, warn, error + logLevel: info + + # To output all logs in json format + logAsJson: false + + # Set to `type: RuntimeDefault` to use the default profile if available. + seLinuxOptions: {} + # TODO Ambient inpod - for OpenShift, set to the following to get writable sockets in hostmounts to work, eventually consider CSI driver instead + #seLinuxOptions: + # type: spc_t + + # resourceScope controls what resources will be processed by helm. + # This is useful when installing Istio on a cluster where some resources need to be owned by a cluster administrator and some can be owned by the mesh administrator. + # It can be one of: + # - all: all resources are processed + # - cluster: only cluster-scoped resources are processed + # - namespace: only namespace-scoped resources are processed + resourceScope: all + + # K8s DaemonSet update strategy. + # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec). + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/cni-1.28.4.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/cni-1.28.4.tgz.etag new file mode 100644 index 0000000000..a13884374a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/cni-1.28.4.tgz.etag @@ -0,0 +1 @@ +34ae11794707a24fd2ba92d251a4f764cc8d8c7a3a699dfe39e0e406d762b72f diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/commit b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/commit new file mode 100644 index 0000000000..15b13fd65b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/commit @@ -0,0 +1 @@ +1.28.4 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/gateway-1.28.4.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/gateway-1.28.4.tgz.etag new file mode 100644 index 0000000000..53b95b0f5c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/gateway-1.28.4.tgz.etag @@ -0,0 +1 @@ +049e5b9e6dfea566263352e32b390f2fc10ce95611dfd5cd1cd299edd5baeb30 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/istiod-1.28.4.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/istiod-1.28.4.tgz.etag new file mode 100644 index 0000000000..cc2c4a189e --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/istiod-1.28.4.tgz.etag @@ -0,0 +1 @@ +befe1b4bf7b1b79ba4e2959c75c7f275db4b7ccab26d2a7815f285f4a6a298ce diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/profiles/ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/profiles/ambient.yaml new file mode 100644 index 0000000000..71ea784a80 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/profiles/ambient.yaml @@ -0,0 +1,5 @@ +apiVersion: sailoperator.io/v1 +kind: Istio +spec: + values: + profile: ambient diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/profiles/default.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/profiles/default.yaml new file mode 100644 index 0000000000..8f1ef19676 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/profiles/default.yaml @@ -0,0 +1,12 @@ +apiVersion: sailoperator.io/v1 +kind: Istio +spec: + # Most default values come from the helm chart's values.yaml + # Below are the things that differ + values: + defaultRevision: "" + global: + istioNamespace: istio-system + configValidation: true + ztunnel: + resourceName: ztunnel diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/profiles/demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/profiles/demo.yaml new file mode 100644 index 0000000000..53c4b41633 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/profiles/demo.yaml @@ -0,0 +1,5 @@ +apiVersion: sailoperator.io/v1 +kind: Istio +spec: + values: + profile: demo diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/profiles/empty.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/profiles/empty.yaml new file mode 100644 index 0000000000..4477cb1fe1 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/profiles/empty.yaml @@ -0,0 +1,5 @@ +# The empty profile has everything disabled +# This is useful as a base for custom user configuration +apiVersion: sailoperator.io/v1 +kind: Istio +spec: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/profiles/openshift-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/profiles/openshift-ambient.yaml new file mode 100644 index 0000000000..76edf00cd8 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/profiles/openshift-ambient.yaml @@ -0,0 +1,7 @@ +apiVersion: sailoperator.io/v1 +kind: Istio +spec: + values: + profile: ambient + global: + platform: openshift diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/profiles/openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/profiles/openshift.yaml new file mode 100644 index 0000000000..41492660fe --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/profiles/openshift.yaml @@ -0,0 +1,6 @@ +apiVersion: sailoperator.io/v1 +kind: Istio +spec: + values: + global: + platform: openshift diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/profiles/preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/profiles/preview.yaml new file mode 100644 index 0000000000..59d545c840 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/profiles/preview.yaml @@ -0,0 +1,8 @@ +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +apiVersion: sailoperator.io/v1 +kind: Istio +spec: + values: + profile: preview diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/profiles/remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/profiles/remote.yaml new file mode 100644 index 0000000000..54c65c8ba9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/profiles/remote.yaml @@ -0,0 +1,7 @@ +# The remote profile is used to configure a mesh cluster without a locally deployed control plane. +# Only the injector mutating webhook configuration is installed. +apiVersion: sailoperator.io/v1 +kind: Istio +spec: + values: + profile: remote diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/profiles/stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/profiles/stable.yaml new file mode 100644 index 0000000000..285feba244 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/profiles/stable.yaml @@ -0,0 +1,5 @@ +apiVersion: sailoperator.io/v1 +kind: Istio +spec: + values: + profile: stable diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/ztunnel-1.28.4.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/ztunnel-1.28.4.tgz.etag new file mode 100644 index 0000000000..ebb6e675c2 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.4/ztunnel-1.28.4.tgz.etag @@ -0,0 +1 @@ +999660af34067b12abeb373ddeae4bb21d9cf76a2edb0d3317461e0f1c94c63c diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/base-1.28.5.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/base-1.28.5.tgz.etag new file mode 100644 index 0000000000..05fe8d1588 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/base-1.28.5.tgz.etag @@ -0,0 +1 @@ +94e4517c649096b883ec44253087c10bf991937f49f17801f3d2c8bed2c86512 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/Chart.yaml new file mode 100644 index 0000000000..638f39d3fb --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/Chart.yaml @@ -0,0 +1,10 @@ +apiVersion: v2 +appVersion: 1.28.5 +description: Helm chart for deploying Istio cluster resources and CRDs +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio +name: base +sources: +- https://github.com/istio/istio +version: 1.28.5 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/README.md new file mode 100644 index 0000000000..ae8f6d5b0e --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/README.md @@ -0,0 +1,35 @@ +# Istio base Helm Chart + +This chart installs resources shared by all Istio revisions. This includes Istio CRDs. + +## Setup Repo Info + +```console +helm repo add istio https://istio-release.storage.googleapis.com/charts +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Installing the Chart + +To install the chart with the release name `istio-base`: + +```console +kubectl create namespace istio-system +helm install istio-base istio/base -n istio-system +``` + +### Profiles + +Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. +These can be set with `--set profile=`. +For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. + +For consistency, the same profiles are used across each chart, even if they do not impact a given chart. + +Explicitly set values have highest priority, then profile settings, then chart defaults. + +As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. +When configuring the chart, you should not include this. +That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/files/profile-ambient.yaml new file mode 100644 index 0000000000..495fbcd434 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/files/profile-ambient.yaml @@ -0,0 +1,24 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" + serviceScopeConfigs: + - servicesSelector: + matchExpressions: + - key: istio.io/global + operator: In + values: ["true"] + scope: GLOBAL +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..d04117bfc0 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,14 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.27 behavioral changes + ENABLE_NATIVE_SIDECARS: "false" + # 1.28 behavioral changes + DISABLE_SHADOW_HOST_SUFFIX: "false" + PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/files/profile-compatibility-version-1.26.yaml new file mode 100644 index 0000000000..8fe80112bf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/files/profile-compatibility-version-1.26.yaml @@ -0,0 +1,11 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.27 behavioral changes + ENABLE_NATIVE_SIDECARS: "false" + # 1.28 behavioral changes + DISABLE_SHADOW_HOST_SUFFIX: "false" + PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/files/profile-compatibility-version-1.27.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/files/profile-compatibility-version-1.27.yaml new file mode 100644 index 0000000000..209157cccf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/files/profile-compatibility-version-1.27.yaml @@ -0,0 +1,9 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.28 behavioral changes + DISABLE_SHADOW_HOST_SUFFIX: "false" + PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/files/profile-demo.yaml new file mode 100644 index 0000000000..d6dc36dd0f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/files/profile-demo.yaml @@ -0,0 +1,94 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The demo profile enables a variety of things to try out Istio in non-production environments. +# * Lower resource utilization. +# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. +# * More ports enabled on the ingress, which is used in some tasks. +meshConfig: + accessLogFile: /dev/stdout + extensionProviders: + - name: otel + envoyOtelAls: + service: opentelemetry-collector.observability.svc.cluster.local + port: 4317 + - name: skywalking + skywalking: + service: tracing.istio-system.svc.cluster.local + port: 11800 + - name: otel-tracing + opentelemetry: + port: 4317 + service: opentelemetry-collector.observability.svc.cluster.local + - name: jaeger + opentelemetry: + port: 4317 + service: jaeger-collector.istio-system.svc.cluster.local + +cni: + resources: + requests: + cpu: 10m + memory: 40Mi + +ztunnel: + resources: + requests: + cpu: 10m + memory: 40Mi + +global: + proxy: + resources: + requests: + cpu: 10m + memory: 40Mi + waypoint: + resources: + requests: + cpu: 10m + memory: 40Mi + +pilot: + autoscaleEnabled: false + traceSampling: 100 + resources: + requests: + cpu: 10m + memory: 100Mi + +gateways: + istio-egressgateway: + autoscaleEnabled: false + resources: + requests: + cpu: 10m + memory: 40Mi + istio-ingressgateway: + autoscaleEnabled: false + ports: + ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. + # Note that AWS ELB will by default perform health checks on the first port + # on this list. Setting this to the health check port will ensure that health + # checks always work. https://github.com/istio/istio/issues/12503 + - port: 15021 + targetPort: 15021 + name: status-port + - port: 80 + targetPort: 8080 + name: http2 + - port: 443 + targetPort: 8443 + name: https + - port: 31400 + targetPort: 31400 + name: tcp + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + resources: + requests: + cpu: 10m + memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/files/profile-platform-gke.yaml new file mode 100644 index 0000000000..dfe8a7d741 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/files/profile-platform-gke.yaml @@ -0,0 +1,10 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work + resourceQuotas: + enabled: true +resourceQuotas: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/files/profile-platform-k3d.yaml new file mode 100644 index 0000000000..cd86d9ec58 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/files/profile-platform-k3d.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/files/profile-platform-k3s.yaml new file mode 100644 index 0000000000..07820106d9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/files/profile-platform-k3s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/files/profile-platform-microk8s.yaml new file mode 100644 index 0000000000..57d7f5e3cd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/files/profile-platform-microk8s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/snap/microk8s/current/args/cni-network + cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/files/profile-platform-minikube.yaml new file mode 100644 index 0000000000..fa9992e204 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/files/profile-platform-minikube.yaml @@ -0,0 +1,6 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/files/profile-platform-openshift.yaml new file mode 100644 index 0000000000..8ddc5e1654 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/files/profile-platform-openshift.yaml @@ -0,0 +1,19 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The OpenShift profile provides a basic set of settings to run Istio on OpenShift +cni: + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + provider: "multus" +pilot: + cni: + enabled: true + provider: "multus" +seLinuxOptions: + type: spc_t +# Openshift requires privileged pods to run in kube-system +trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/files/profile-preview.yaml new file mode 100644 index 0000000000..181d7bda2c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/files/profile-preview.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +meshConfig: + defaultConfig: + proxyMetadata: + # Enable Istio agent to handle DNS requests for known hosts + # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf + ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/files/profile-remote.yaml new file mode 100644 index 0000000000..d17b9a801a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/files/profile-remote.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. +istiodRemote: + enabled: true +configMap: false +telemetry: + enabled: false +global: + # TODO BML maybe a different profile for a configcluster/revisit this + omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/files/profile-stable.yaml new file mode 100644 index 0000000000..358282e69b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/files/profile-stable.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The stable profile deploys admission control to ensure that only stable resources and fields are used +# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE +experimental: + stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/templates/NOTES.txt new file mode 100644 index 0000000000..f12616f578 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/templates/NOTES.txt @@ -0,0 +1,5 @@ +Istio base successfully installed! + +To learn more about the release, try: + $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} + $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml new file mode 100644 index 0000000000..30049df989 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/templates/defaultrevision-validatingadmissionpolicy.yaml @@ -0,0 +1,55 @@ +{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} +{{- if and .Values.experimental.stableValidationPolicy (not (eq .Values.defaultRevision "")) }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicy +metadata: + name: "stable-channel-default-policy.istio.io" + labels: + release: {{ .Release.Name }} + istio: istiod + istio.io/rev: {{ .Values.defaultRevision }} + app.kubernetes.io/name: "istiod" + {{ include "istio.labels" . | nindent 4 }} +spec: + failurePolicy: Fail + matchConstraints: + resourceRules: + - apiGroups: + - security.istio.io + - networking.istio.io + - telemetry.istio.io + - extensions.istio.io + apiVersions: ["*"] + operations: ["CREATE", "UPDATE"] + resources: ["*"] + variables: + - name: isEnvoyFilter + expression: "object.kind == 'EnvoyFilter'" + - name: isWasmPlugin + expression: "object.kind == 'WasmPlugin'" + - name: isProxyConfig + expression: "object.kind == 'ProxyConfig'" + - name: isTelemetry + expression: "object.kind == 'Telemetry'" + validations: + - expression: "!variables.isEnvoyFilter" + - expression: "!variables.isWasmPlugin" + - expression: "!variables.isProxyConfig" + - expression: | + !( + variables.isTelemetry && ( + (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) || + (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) || + (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter)) + ) + ) +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicyBinding +metadata: + name: "stable-channel-default-policy-binding.istio.io" +spec: + policyName: "stable-channel-default-policy.istio.io" + validationActions: [Deny] +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml new file mode 100644 index 0000000000..dcd16e964f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/templates/defaultrevision-validatingwebhookconfiguration.yaml @@ -0,0 +1,58 @@ +{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} +{{- if not (eq .Values.defaultRevision "") }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: istiod-default-validator + labels: + app: istiod + release: {{ .Release.Name }} + istio: istiod + istio.io/rev: {{ .Values.defaultRevision | quote }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +webhooks: + - name: validation.istio.io + clientConfig: + {{- if .Values.base.validationURL }} + url: {{ .Values.base.validationURL }} + {{- else }} + service: + {{- if (eq .Values.defaultRevision "default") }} + name: istiod + {{- else }} + name: istiod-{{ .Values.defaultRevision }} + {{- end }} + namespace: {{ .Values.global.istioNamespace }} + path: "/validate" + {{- end }} + {{- if .Values.base.validationCABundle }} + caBundle: "{{ .Values.base.validationCABundle }}" + {{- end }} + rules: + - operations: + - CREATE + - UPDATE + apiGroups: + - security.istio.io + - networking.istio.io + - telemetry.istio.io + - extensions.istio.io + apiVersions: + - "*" + resources: + - "*" + + {{- if .Values.base.validationCABundle }} + # Disable webhook controller in Pilot to stop patching it + failurePolicy: Fail + {{- else }} + # Fail open until the validation webhook is ready. The webhook controller + # will update this to `Fail` and patch in the `caBundle` when the webhook + # endpoint is ready. + failurePolicy: Ignore + {{- end }} + sideEffects: None + admissionReviewVersions: ["v1"] +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/templates/reader-serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/templates/reader-serviceaccount.yaml new file mode 100644 index 0000000000..bb7a74ff48 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/templates/reader-serviceaccount.yaml @@ -0,0 +1,22 @@ +{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} +# This singleton service account aggregates reader permissions for the revisions in a given cluster +# ATM this is a singleton per cluster with Istio installed, and is not revisioned. It maybe should be, +# as otherwise compromising the token for this SA would give you access to *every* installed revision. +# Should be used for remote secret creation. +apiVersion: v1 +kind: ServiceAccount + {{- if .Values.global.imagePullSecrets }} +imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +metadata: + name: istio-reader-service-account + namespace: {{ .Values.global.istioNamespace }} + labels: + app: istio-reader + release: {{ .Release.Name }} + app.kubernetes.io/name: "istio-reader" + {{- include "istio.labels" . | nindent 4 }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/templates/zzz_profile.yaml new file mode 100644 index 0000000000..3d84956485 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/templates/zzz_profile.yaml @@ -0,0 +1,75 @@ +{{/* +WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. +The original version of this file is located at /manifests directory. +If you want to make a change in this file, edit the original one and run "make gen". + +Complex logic ahead... +We have three sets of values, in order of precedence (last wins): +1. The builtin values.yaml defaults +2. The profile the user selects +3. Users input (-f or --set) + +Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). + +However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). +We can then merge the profile onto the defaults, then the user settings onto that. +Finally, we can set all of that under .Values so the chart behaves without awareness. +*/}} +{{- if $.Values.defaults}} +{{ fail (cat + "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" + ($.Values.defaults | toYaml |nindent 4) +) }} +{{- end }} +{{- $defaults := $.Values._internal_defaults_do_not_set }} +{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} +{{- $profile := dict }} +{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} +{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} +{{- $profile = (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown profile" .) }} +{{- end }} +{{- end }} +{{- with .Values.compatibilityVersion }} +{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} +{{- end }} +{{- end }} +{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} +{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown platform" .) }} +{{- end }} +{{- end }} +{{- if $profile }} +{{- $a := mustMergeOverwrite $defaults $profile }} +{{- end }} +# Flatten globals, if defined on a per-chart basis +{{- if false }} +{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} +{{- end }} +{{- $x := set $.Values "_original" (deepCopy $.Values) }} +{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} + +{{/* +Labels that should be applied to ALL resources. +*/}} +{{- define "istio.labels" -}} +{{- if .Release.Service -}} +app.kubernetes.io/managed-by: {{ .Release.Service | quote }} +{{- end }} +{{- if .Release.Name }} +app.kubernetes.io/instance: {{ .Release.Name | quote }} +{{- end }} +app.kubernetes.io/part-of: "istio" +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +{{- if and .Chart.Name .Chart.Version }} +helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/values.yaml new file mode 100644 index 0000000000..8353c57d6d --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/base/values.yaml @@ -0,0 +1,45 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + global: + + # ImagePullSecrets for control plane ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + + # Used to locate istiod. + istioNamespace: istio-system + + # resourceScope controls what resources will be processed by helm. + # This is useful when installing Istio on a cluster where some resources need to be owned by a cluster administrator and some can be owned by the mesh administrator. + # It can be one of: + # - all: all resources are processed + # - cluster: only cluster-scoped resources are processed + # - namespace: only namespace-scoped resources are processed + resourceScope: all + base: + # A list of CRDs to exclude. Requires `enableCRDTemplates` to be true. + # Example: `excludedCRDs: ["envoyfilters.networking.istio.io"]`. + # Note: when installing with `istioctl`, `enableIstioConfigCRDs=false` must also be set. + excludedCRDs: [] + # Helm (as of V3) does not support upgrading CRDs, because it is not universally + # safe for them to support this. + # Istio as a project enforces certain backwards-compat guarantees that allow us + # to safely upgrade CRDs in spite of this, so we default to self-managing CRDs + # as standard K8S resources in Helm, and disable Helm's CRD management. See also: + # https://helm.sh/docs/chart_best_practices/custom_resource_definitions/#method-2-separate-charts + enableCRDTemplates: true + + # Validation webhook configuration url + # For example: https://$remotePilotAddress:15017/validate + validationURL: "" + # Validation webhook caBundle value. Useful when running pilot with a well known cert + validationCABundle: "" + + # For istioctl usage to disable istio config crds in base + enableIstioConfigCRDs: true + + defaultRevision: "default" + experimental: + stableValidationPolicy: false diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/Chart.yaml new file mode 100644 index 0000000000..ee867525c1 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +appVersion: 1.28.5 +description: Helm chart for istio-cni components +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio-cni +- istio +name: cni +sources: +- https://github.com/istio/istio +version: 1.28.5 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/README.md new file mode 100644 index 0000000000..f7e5cbd379 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/README.md @@ -0,0 +1,65 @@ +# Istio CNI Helm Chart + +This chart installs the Istio CNI Plugin. See the [CNI installation guide](https://istio.io/latest/docs/setup/additional-setup/cni/) +for more information. + +## Setup Repo Info + +```console +helm repo add istio https://istio-release.storage.googleapis.com/charts +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Installing the Chart + +To install the chart with the release name `istio-cni`: + +```console +helm install istio-cni istio/cni -n kube-system +``` + +Installation in `kube-system` is recommended to ensure the [`system-node-critical`](https://kubernetes.io/docs/tasks/administer-cluster/guaranteed-scheduling-critical-addon-pods/) +`priorityClassName` can be used. You can install in other namespace only on K8S clusters that allow +'system-node-critical' outside of kube-system. + +## Configuration + +To view supported configuration options and documentation, run: + +```console +helm show values istio/istio-cni +``` + +### Profiles + +Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. +These can be set with `--set profile=`. +For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. + +For consistency, the same profiles are used across each chart, even if they do not impact a given chart. + +Explicitly set values have highest priority, then profile settings, then chart defaults. + +As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. +When configuring the chart, you should not include this. +That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. + +### Ambient + +To enable ambient, you can use the ambient profile: `--set profile=ambient`. + +#### Calico + +For Calico, you must also modify the settings to allow source spoofing: + +- if deployed by operator, `kubectl patch felixconfigurations default --type='json' -p='[{"op": "add", "path": "/spec/workloadSourceSpoofing", "value": "Any"}]'` +- if deployed by manifest, add env `FELIX_WORKLOADSOURCESPOOFING` with value `Any` in `spec.template.spec.containers.env` for daemonset `calico-node`. (This will allow PODs with specified annotation to skip the rpf check. ) + +### GKE notes + +On GKE, 'kube-system' is required. + +If using `helm template`, `--set cni.cniBinDir=/home/kubernetes/bin` is required - with `helm install` +it is auto-detected. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/files/profile-ambient.yaml new file mode 100644 index 0000000000..495fbcd434 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/files/profile-ambient.yaml @@ -0,0 +1,24 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" + serviceScopeConfigs: + - servicesSelector: + matchExpressions: + - key: istio.io/global + operator: In + values: ["true"] + scope: GLOBAL +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..d04117bfc0 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,14 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.27 behavioral changes + ENABLE_NATIVE_SIDECARS: "false" + # 1.28 behavioral changes + DISABLE_SHADOW_HOST_SUFFIX: "false" + PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/files/profile-compatibility-version-1.26.yaml new file mode 100644 index 0000000000..8fe80112bf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/files/profile-compatibility-version-1.26.yaml @@ -0,0 +1,11 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.27 behavioral changes + ENABLE_NATIVE_SIDECARS: "false" + # 1.28 behavioral changes + DISABLE_SHADOW_HOST_SUFFIX: "false" + PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/files/profile-compatibility-version-1.27.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/files/profile-compatibility-version-1.27.yaml new file mode 100644 index 0000000000..209157cccf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/files/profile-compatibility-version-1.27.yaml @@ -0,0 +1,9 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.28 behavioral changes + DISABLE_SHADOW_HOST_SUFFIX: "false" + PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/files/profile-demo.yaml new file mode 100644 index 0000000000..d6dc36dd0f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/files/profile-demo.yaml @@ -0,0 +1,94 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The demo profile enables a variety of things to try out Istio in non-production environments. +# * Lower resource utilization. +# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. +# * More ports enabled on the ingress, which is used in some tasks. +meshConfig: + accessLogFile: /dev/stdout + extensionProviders: + - name: otel + envoyOtelAls: + service: opentelemetry-collector.observability.svc.cluster.local + port: 4317 + - name: skywalking + skywalking: + service: tracing.istio-system.svc.cluster.local + port: 11800 + - name: otel-tracing + opentelemetry: + port: 4317 + service: opentelemetry-collector.observability.svc.cluster.local + - name: jaeger + opentelemetry: + port: 4317 + service: jaeger-collector.istio-system.svc.cluster.local + +cni: + resources: + requests: + cpu: 10m + memory: 40Mi + +ztunnel: + resources: + requests: + cpu: 10m + memory: 40Mi + +global: + proxy: + resources: + requests: + cpu: 10m + memory: 40Mi + waypoint: + resources: + requests: + cpu: 10m + memory: 40Mi + +pilot: + autoscaleEnabled: false + traceSampling: 100 + resources: + requests: + cpu: 10m + memory: 100Mi + +gateways: + istio-egressgateway: + autoscaleEnabled: false + resources: + requests: + cpu: 10m + memory: 40Mi + istio-ingressgateway: + autoscaleEnabled: false + ports: + ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. + # Note that AWS ELB will by default perform health checks on the first port + # on this list. Setting this to the health check port will ensure that health + # checks always work. https://github.com/istio/istio/issues/12503 + - port: 15021 + targetPort: 15021 + name: status-port + - port: 80 + targetPort: 8080 + name: http2 + - port: 443 + targetPort: 8443 + name: https + - port: 31400 + targetPort: 31400 + name: tcp + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + resources: + requests: + cpu: 10m + memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/files/profile-platform-gke.yaml new file mode 100644 index 0000000000..dfe8a7d741 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/files/profile-platform-gke.yaml @@ -0,0 +1,10 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work + resourceQuotas: + enabled: true +resourceQuotas: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/files/profile-platform-k3d.yaml new file mode 100644 index 0000000000..cd86d9ec58 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/files/profile-platform-k3d.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/files/profile-platform-k3s.yaml new file mode 100644 index 0000000000..07820106d9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/files/profile-platform-k3s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/files/profile-platform-microk8s.yaml new file mode 100644 index 0000000000..57d7f5e3cd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/files/profile-platform-microk8s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/snap/microk8s/current/args/cni-network + cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/files/profile-platform-minikube.yaml new file mode 100644 index 0000000000..fa9992e204 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/files/profile-platform-minikube.yaml @@ -0,0 +1,6 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/files/profile-platform-openshift.yaml new file mode 100644 index 0000000000..8ddc5e1654 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/files/profile-platform-openshift.yaml @@ -0,0 +1,19 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The OpenShift profile provides a basic set of settings to run Istio on OpenShift +cni: + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + provider: "multus" +pilot: + cni: + enabled: true + provider: "multus" +seLinuxOptions: + type: spc_t +# Openshift requires privileged pods to run in kube-system +trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/files/profile-preview.yaml new file mode 100644 index 0000000000..181d7bda2c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/files/profile-preview.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +meshConfig: + defaultConfig: + proxyMetadata: + # Enable Istio agent to handle DNS requests for known hosts + # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf + ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/files/profile-remote.yaml new file mode 100644 index 0000000000..d17b9a801a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/files/profile-remote.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. +istiodRemote: + enabled: true +configMap: false +telemetry: + enabled: false +global: + # TODO BML maybe a different profile for a configcluster/revisit this + omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/files/profile-stable.yaml new file mode 100644 index 0000000000..358282e69b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/files/profile-stable.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The stable profile deploys admission control to ensure that only stable resources and fields are used +# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE +experimental: + stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/templates/NOTES.txt new file mode 100644 index 0000000000..fb35525b99 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/templates/NOTES.txt @@ -0,0 +1,5 @@ +"{{ .Release.Name }}" successfully installed! + +To learn more about the release, try: + $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} + $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/templates/_helpers.tpl new file mode 100644 index 0000000000..73cc17b2f6 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/templates/_helpers.tpl @@ -0,0 +1,8 @@ +{{- define "name" -}} + istio-cni +{{- end }} + + +{{- define "istio-tag" -}} + {{ .Values.tag | default .Values.global.tag }}{{with (.Values.variant | default .Values.global.variant)}}-{{.}}{{end}} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/templates/clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/templates/clusterrole.yaml new file mode 100644 index 0000000000..51af4ce7ff --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/templates/clusterrole.yaml @@ -0,0 +1,84 @@ +# Created if cluster resources are not omitted +{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "name" . }} + labels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +rules: +- apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: ["privileged"] + verbs: ["use"] +- apiGroups: [""] + resources: ["pods","nodes","namespaces"] + verbs: ["get", "list", "watch"] +{{- if (eq ((coalesce .Values.platform .Values.global.platform) | default "") "openshift") }} +- apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: ["privileged"] + verbs: ["use"] +{{- end }} +--- +{{- if .Values.repair.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "name" . }}-repair-role + labels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] + - apiGroups: [""] + resources: ["pods"] + verbs: ["watch", "get", "list"] +{{- if .Values.repair.repairPods }} +{{- /* No privileges needed*/}} +{{- else if .Values.repair.deletePods }} + - apiGroups: [""] + resources: ["pods"] + verbs: ["delete"] +{{- else if .Values.repair.labelPods }} + - apiGroups: [""] + {{- /* pods/status is less privileged than the full pod, and either can label. So use the lower pods/status */}} + resources: ["pods/status"] + verbs: ["patch", "update"] +{{- end }} +{{- end }} +--- +{{- if .Values.ambient.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "name" . }}-ambient + labels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +rules: +- apiGroups: [""] + {{- /* pods/status is less privileged than the full pod, and either can label. So use the lower pods/status */}} + resources: ["pods/status"] + verbs: ["patch", "update"] +- apiGroups: ["apps"] + resources: ["daemonsets"] + resourceNames: ["{{ template "name" . }}-node"] + verbs: ["get"] +{{- end }} +{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/templates/clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..60e3c28be8 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/templates/clusterrolebinding.yaml @@ -0,0 +1,66 @@ +# Created if cluster resources are not omitted +{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "name" . }} + labels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "name" . }} +subjects: +- kind: ServiceAccount + name: {{ template "name" . }} + namespace: {{ .Release.Namespace }} +--- +{{- if .Values.repair.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "name" . }}-repair-rolebinding + labels: + k8s-app: {{ template "name" . }}-repair + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +subjects: +- kind: ServiceAccount + name: {{ template "name" . }} + namespace: {{ .Release.Namespace}} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "name" . }}-repair-role +{{- end }} +--- +{{- if .Values.ambient.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "name" . }}-ambient + labels: + k8s-app: {{ template "name" . }}-repair + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ template "name" . }} + namespace: {{ .Release.Namespace}} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "name" . }}-ambient +{{- end }} +{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/templates/configmap-cni.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/templates/configmap-cni.yaml new file mode 100644 index 0000000000..9b5dd47925 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/templates/configmap-cni.yaml @@ -0,0 +1,44 @@ +{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} +kind: ConfigMap +apiVersion: v1 +metadata: + name: {{ template "name" . }}-config + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +data: + CURRENT_AGENT_VERSION: {{ .Values.tag | default .Values.global.tag | quote }} + AMBIENT_ENABLED: {{ .Values.ambient.enabled | quote }} + AMBIENT_ENABLEMENT_SELECTOR: {{ .Values.ambient.enablementSelectors | toYaml | quote }} + AMBIENT_DNS_CAPTURE: {{ .Values.ambient.dnsCapture | quote }} + AMBIENT_IPV6: {{ .Values.ambient.ipv6 | quote }} + AMBIENT_RECONCILE_POD_RULES_ON_STARTUP: {{ .Values.ambient.reconcileIptablesOnStartup | quote }} + ENABLE_AMBIENT_DETECTION_RETRY: {{ .Values.ambient.enableAmbientDetectionRetry | quote }} + {{- if .Values.cniConfFileName }} # K8S < 1.24 doesn't like empty values + CNI_CONF_NAME: {{ .Values.cniConfFileName }} # Name of the CNI config file to create. Only override if you know the exact path your CNI requires.. + {{- end }} + ISTIO_OWNED_CNI_CONFIG: {{ .Values.istioOwnedCNIConfig | quote }} + {{- if .Values.istioOwnedCNIConfig }} + ISTIO_OWNED_CNI_CONF_FILENAME: {{ .Values.istioOwnedCNIConfigFileName | quote }} + {{- end }} + CHAINED_CNI_PLUGIN: {{ .Values.chained | quote }} + EXCLUDE_NAMESPACES: "{{ range $idx, $ns := .Values.excludeNamespaces }}{{ if $idx }},{{ end }}{{ $ns }}{{ end }}" + REPAIR_ENABLED: {{ .Values.repair.enabled | quote }} + REPAIR_LABEL_PODS: {{ .Values.repair.labelPods | quote }} + REPAIR_DELETE_PODS: {{ .Values.repair.deletePods | quote }} + REPAIR_REPAIR_PODS: {{ .Values.repair.repairPods | quote }} + REPAIR_INIT_CONTAINER_NAME: {{ .Values.repair.initContainerName | quote }} + REPAIR_BROKEN_POD_LABEL_KEY: {{ .Values.repair.brokenPodLabelKey | quote }} + REPAIR_BROKEN_POD_LABEL_VALUE: {{ .Values.repair.brokenPodLabelValue | quote }} + NATIVE_NFTABLES: {{ .Values.global.nativeNftables | quote }} + {{- with .Values.env }} + {{- range $key, $val := . }} + {{ $key }}: "{{ $val }}" + {{- end }} + {{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/templates/daemonset.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/templates/daemonset.yaml new file mode 100644 index 0000000000..6d1dda2902 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/templates/daemonset.yaml @@ -0,0 +1,252 @@ +{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} +# This manifest installs the Istio install-cni container, as well +# as the Istio CNI plugin and config on +# each master and worker node in a Kubernetes cluster. +# +# $detectedBinDir exists to support a GKE-specific platform override, +# and is deprecated in favor of using the explicit `gke` platform profile. +{{- $detectedBinDir := (.Capabilities.KubeVersion.GitVersion | contains "-gke") | ternary + "/home/kubernetes/bin" + "/opt/cni/bin" +}} +{{- if .Values.cniBinDir }} +{{ $detectedBinDir = .Values.cniBinDir }} +{{- end }} +kind: DaemonSet +apiVersion: apps/v1 +metadata: + # Note that this is templated but evaluates to a fixed name + # which the CNI plugin may fall back onto in some failsafe scenarios. + # if this name is changed, CNI plugin logic that checks for this name + # format should also be updated. + name: {{ template "name" . }}-node + namespace: {{ .Release.Namespace }} + labels: + k8s-app: {{ template "name" . }}-node + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} + {{ with .Values.daemonSetLabels -}}{{ toYaml . | nindent 4}}{{ end }} +spec: + selector: + matchLabels: + k8s-app: {{ template "name" . }}-node + {{- with .Values.updateStrategy }} + updateStrategy: + {{- toYaml . | nindent 4 }} + {{- end }} + template: + metadata: + labels: + k8s-app: {{ template "name" . }}-node + sidecar.istio.io/inject: "false" + istio.io/dataplane-mode: none + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 8 }} + {{ with .Values.podLabels -}}{{ toYaml . | nindent 8}}{{ end }} + annotations: + sidecar.istio.io/inject: "false" + # Add Prometheus Scrape annotations + prometheus.io/scrape: 'true' + prometheus.io/port: "15014" + prometheus.io/path: '/metrics' + # Add AppArmor annotation + # This is required to avoid conflicts with AppArmor profiles which block certain + # privileged pod capabilities. + # Required for Kubernetes 1.29 which does not support setting appArmorProfile in the + # securityContext which is otherwise preferred. + container.apparmor.security.beta.kubernetes.io/install-cni: unconfined + # Custom annotations + {{- if .Values.podAnnotations }} +{{ toYaml .Values.podAnnotations | indent 8 }} + {{- end }} + spec: +{{- if and .Values.ambient.enabled .Values.ambient.shareHostNetworkNamespace }} + hostNetwork: true + dnsPolicy: ClusterFirstWithHostNet +{{- end }} + nodeSelector: + kubernetes.io/os: linux + # Can be configured to allow for excluding istio-cni from being scheduled on specified nodes + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + priorityClassName: system-node-critical + serviceAccountName: {{ template "name" . }} + # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force + # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods. + terminationGracePeriodSeconds: 5 + containers: + # This container installs the Istio CNI binaries + # and CNI network config file on each node. + - name: install-cni +{{- if contains "/" .Values.image }} + image: "{{ .Values.image }}" +{{- else }} + image: "{{ .Values.hub | default .Values.global.hub }}/{{ .Values.image | default "install-cni" }}:{{ template "istio-tag" . }}" +{{- end }} +{{- if or .Values.pullPolicy .Values.global.imagePullPolicy }} + imagePullPolicy: {{ .Values.pullPolicy | default .Values.global.imagePullPolicy }} +{{- end }} + ports: + - containerPort: 15014 + name: metrics + protocol: TCP + readinessProbe: + httpGet: + path: /readyz + port: 8000 + securityContext: + privileged: false + runAsGroup: 0 + runAsUser: 0 + runAsNonRoot: false + # Both ambient and sidecar repair mode require elevated node privileges to function. + # But we don't need _everything_ in `privileged`, so explicitly set it to false and + # add capabilities based on feature. + capabilities: + drop: + - ALL + add: + # CAP_NET_ADMIN is required to allow ipset and route table access + - NET_ADMIN + # CAP_NET_RAW is required to allow iptables mutation of the `nat` table + - NET_RAW + # CAP_SYS_PTRACE is required for repair and ambient mode to describe + # the pod's network namespace. + - SYS_PTRACE + # CAP_SYS_ADMIN is required for both ambient and repair, in order to open + # network namespaces in `/proc` to obtain descriptors for entering pod network + # namespaces. There does not appear to be a more granular capability for this. + - SYS_ADMIN + # While we run as a 'root' (UID/GID 0), since we drop all capabilities we lose + # the typical ability to read/write to folders owned by others. + # This can cause problems if the hostPath mounts we use, which we require write access into, + # are owned by non-root. DAC_OVERRIDE bypasses these and gives us write access into any folder. + - DAC_OVERRIDE +{{- if .Values.seLinuxOptions }} +{{ with (merge .Values.seLinuxOptions (dict "type" "spc_t")) }} + seLinuxOptions: +{{ toYaml . | trim | indent 14 }} +{{- end }} +{{- end }} +{{- if .Values.seccompProfile }} + seccompProfile: +{{ toYaml .Values.seccompProfile | trim | indent 14 }} +{{- end }} + command: ["install-cni"] + args: + {{- if or .Values.logging.level .Values.global.logging.level }} + - --log_output_level={{ coalesce .Values.logging.level .Values.global.logging.level }} + {{- end}} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end}} + envFrom: + - configMapRef: + name: {{ template "name" . }}-config + env: + - name: REPAIR_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: REPAIR_RUN_AS_DAEMON + value: "true" + - name: REPAIR_SIDECAR_ANNOTATION + value: "sidecar.istio.io/status" + {{- if not (and .Values.ambient.enabled .Values.ambient.shareHostNetworkNamespace) }} + - name: ALLOW_SWITCH_TO_HOST_NS + value: "true" + {{- end }} + - name: NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + divisor: '1' + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + divisor: '1' + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + {{- if .Values.env }} + {{- range $key, $val := .Values.env }} + - name: {{ $key }} + value: "{{ $val }}" + {{- end }} + {{- end }} + volumeMounts: + - mountPath: /host/opt/cni/bin + name: cni-bin-dir + {{- if or .Values.repair.repairPods .Values.ambient.enabled }} + - mountPath: /host/proc + name: cni-host-procfs + readOnly: true + {{- end }} + - mountPath: /host/etc/cni/net.d + name: cni-net-dir + - mountPath: /var/run/istio-cni + name: cni-socket-dir + {{- if .Values.ambient.enabled }} + - mountPath: /host/var/run/netns + mountPropagation: HostToContainer + name: cni-netns-dir + - mountPath: /var/run/ztunnel + name: cni-ztunnel-sock-dir + {{ end }} + resources: +{{- if .Values.resources }} +{{ toYaml .Values.resources | trim | indent 12 }} +{{- else }} +{{ toYaml .Values.global.defaultResources | trim | indent 12 }} +{{- end }} + volumes: + # Used to install CNI. + - name: cni-bin-dir + hostPath: + path: {{ $detectedBinDir }} + {{- if or .Values.repair.repairPods .Values.ambient.enabled }} + - name: cni-host-procfs + hostPath: + path: /proc + type: Directory + {{- end }} + {{- if .Values.ambient.enabled }} + - name: cni-ztunnel-sock-dir + hostPath: + path: /var/run/ztunnel + type: DirectoryOrCreate + {{- end }} + - name: cni-net-dir + hostPath: + path: {{ .Values.cniConfDir }} + # Used for UDS sockets for logging, ambient eventing + - name: cni-socket-dir + hostPath: + path: /var/run/istio-cni + - name: cni-netns-dir + hostPath: + path: {{ .Values.cniNetnsDir }} + type: DirectoryOrCreate # DirectoryOrCreate instead of Directory for the following reason - CNI may not bind mount this until a non-hostnetwork pod is scheduled on the node, + # and we don't want to block CNI agent pod creation on waiting for the first non-hostnetwork pod. + # Once the CNI does mount this, it will get populated and we're good. +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/templates/network-attachment-definition.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/templates/network-attachment-definition.yaml new file mode 100644 index 0000000000..37ef7c3e6d --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/templates/network-attachment-definition.yaml @@ -0,0 +1,13 @@ +{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} +{{- if eq .Values.provider "multus" }} +apiVersion: k8s.cni.cncf.io/v1 +kind: NetworkAttachmentDefinition +metadata: + name: {{ template "name" . }} + namespace: default + labels: + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/templates/networkpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/templates/networkpolicy.yaml new file mode 100644 index 0000000000..fde1723fbf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/templates/networkpolicy.yaml @@ -0,0 +1,36 @@ +{{- if (.Values.networkPolicy).enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ template "name" . }}{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + k8s-app: {{ template "name" . }}-node + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + k8s-app: {{ template "name" . }}-node + policyTypes: + - Ingress + - Egress + ingress: + # Metrics endpoint for monitoring/prometheus + - from: [] + ports: + - protocol: TCP + port: 15014 + # Readiness probe endpoint + - from: [] + ports: + - protocol: TCP + port: 8000 + egress: + # Allow DNS resolution and access to Kubernetes API server. + # IP/Port of the API server is heavily dependant on k8s distribution, so we allow all egress for now. + - {} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/templates/resourcequota.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/templates/resourcequota.yaml new file mode 100644 index 0000000000..2e0be5ab40 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/templates/resourcequota.yaml @@ -0,0 +1,21 @@ +{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} +{{- if .Values.resourceQuotas.enabled }} +apiVersion: v1 +kind: ResourceQuota +metadata: + name: {{ template "name" . }}-resource-quota + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +spec: + hard: + pods: {{ .Values.resourceQuotas.pods | quote }} + scopeSelector: + matchExpressions: + - operator: In + scopeName: PriorityClass + values: + - system-node-critical +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/templates/serviceaccount.yaml new file mode 100644 index 0000000000..17c8e64a9d --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/templates/serviceaccount.yaml @@ -0,0 +1,20 @@ +{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} +apiVersion: v1 +kind: ServiceAccount +{{- if .Values.global.imagePullSecrets }} +imagePullSecrets: +{{- range .Values.global.imagePullSecrets }} + - name: {{ . }} +{{- end }} +{{- end }} +metadata: + name: {{ template "name" . }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "name" . }} + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" }} + operator.istio.io/component: "Cni" + app.kubernetes.io/name: {{ template "name" . }} + {{- include "istio.labels" . | nindent 4 }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/templates/zzy_descope_legacy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/templates/zzy_descope_legacy.yaml new file mode 100644 index 0000000000..a9584ac29f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/templates/zzy_descope_legacy.yaml @@ -0,0 +1,3 @@ +{{/* Copy anything under `.cni` to `.`, to avoid the need to specify a redundant prefix. +Due to the file naming, this always happens after zzz_profile.yaml */}} +{{- $_ := mustMergeOverwrite $.Values (index $.Values "cni") }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/templates/zzz_profile.yaml new file mode 100644 index 0000000000..3d84956485 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/templates/zzz_profile.yaml @@ -0,0 +1,75 @@ +{{/* +WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. +The original version of this file is located at /manifests directory. +If you want to make a change in this file, edit the original one and run "make gen". + +Complex logic ahead... +We have three sets of values, in order of precedence (last wins): +1. The builtin values.yaml defaults +2. The profile the user selects +3. Users input (-f or --set) + +Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). + +However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). +We can then merge the profile onto the defaults, then the user settings onto that. +Finally, we can set all of that under .Values so the chart behaves without awareness. +*/}} +{{- if $.Values.defaults}} +{{ fail (cat + "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" + ($.Values.defaults | toYaml |nindent 4) +) }} +{{- end }} +{{- $defaults := $.Values._internal_defaults_do_not_set }} +{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} +{{- $profile := dict }} +{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} +{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} +{{- $profile = (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown profile" .) }} +{{- end }} +{{- end }} +{{- with .Values.compatibilityVersion }} +{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} +{{- end }} +{{- end }} +{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} +{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown platform" .) }} +{{- end }} +{{- end }} +{{- if $profile }} +{{- $a := mustMergeOverwrite $defaults $profile }} +{{- end }} +# Flatten globals, if defined on a per-chart basis +{{- if false }} +{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} +{{- end }} +{{- $x := set $.Values "_original" (deepCopy $.Values) }} +{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} + +{{/* +Labels that should be applied to ALL resources. +*/}} +{{- define "istio.labels" -}} +{{- if .Release.Service -}} +app.kubernetes.io/managed-by: {{ .Release.Service | quote }} +{{- end }} +{{- if .Release.Name }} +app.kubernetes.io/instance: {{ .Release.Name | quote }} +{{- end }} +app.kubernetes.io/part-of: "istio" +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +{{- if and .Chart.Name .Chart.Version }} +helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/values.yaml new file mode 100644 index 0000000000..1cc5fe663c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/cni/values.yaml @@ -0,0 +1,194 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + hub: "" + tag: "" + variant: "" + image: install-cni + pullPolicy: "" + + # Same as `global.logging.level`, but will override it if set + logging: + level: "" + + # Configuration file to insert istio-cni plugin configuration + # by default this will be the first file found in the cni-conf-dir + # Example + # cniConfFileName: 10-calico.conflist + + # CNI-and-platform specific path defaults. + # These may need to be set to platform-specific values, consult + # overrides for your platform in `manifests/helm-profiles/platform-*.yaml` + cniBinDir: /opt/cni/bin + cniConfDir: /etc/cni/net.d + cniConfFileName: "" + cniNetnsDir: "/var/run/netns" + + # If Istio owned CNI config is enabled, defaults to 02-istio-cni.conflist + istioOwnedCNIConfigFileName: "" + istioOwnedCNIConfig: false + + excludeNamespaces: + - kube-system + + # Allows user to set custom affinity for the DaemonSet + affinity: {} + + # Additional labels to apply on the daemonset level + daemonSetLabels: {} + + # Custom annotations on pod level, if you need them + podAnnotations: {} + + # Additional labels to apply on the pod level + podLabels: {} + + # Deploy the config files as plugin chain (value "true") or as standalone files in the conf dir (value "false")? + # Some k8s flavors (e.g. OpenShift) do not support the chain approach, set to false if this is the case + chained: true + + # Custom configuration happens based on the CNI provider. + # Possible values: "default", "multus" + provider: "default" + + # Configure ambient settings + ambient: + # If enabled, ambient redirection will be enabled + enabled: false + # If ambient is enabled, this selector will be used to identify the ambient-enabled pods + enablementSelectors: + - podSelector: + matchLabels: {istio.io/dataplane-mode: ambient} + - podSelector: + matchExpressions: + - { key: istio.io/dataplane-mode, operator: NotIn, values: [none] } + namespaceSelector: + matchLabels: {istio.io/dataplane-mode: ambient} + # Set ambient config dir path: defaults to /etc/ambient-config + configDir: "" + # If enabled, and ambient is enabled, DNS redirection will be enabled + dnsCapture: true + # If enabled, and ambient is enabled, enables ipv6 support + ipv6: true + # If enabled, and ambient is enabled, the CNI agent will reconcile incompatible iptables rules and chains at startup. + # This will eventually be enabled by default + reconcileIptablesOnStartup: false + # If enabled, and ambient is enabled, the CNI agent will always share the network namespace of the host node it is running on + shareHostNetworkNamespace: false + # If enabled, the CNI agent will retry checking if a pod is ambient enabled when there are errors + enableAmbientDetectionRetry: false + + + repair: + enabled: true + hub: "" + tag: "" + + # Repair controller has 3 modes. Pick which one meets your use cases. Note only one may be used. + # This defines the action the controller will take when a pod is detected as broken. + + # labelPods will label all pods with =. + # This is only capable of identifying broken pods; the user is responsible for fixing them (generally, by deleting them). + # Note this gives the DaemonSet a relatively high privilege, as modifying pod metadata/status can have wider impacts. + labelPods: false + # deletePods will delete any broken pod. These will then be rescheduled, hopefully onto a node that is fully ready. + # Note this gives the DaemonSet a relatively high privilege, as it can delete any Pod. + deletePods: false + # repairPods will dynamically repair any broken pod by setting up the pod networking configuration even after it has started. + # Note the pod will be crashlooping, so this may take a few minutes to become fully functional based on when the retry occurs. + # This requires no RBAC privilege, but does require `securityContext.privileged/CAP_SYS_ADMIN`. + repairPods: true + + initContainerName: "istio-validation" + + brokenPodLabelKey: "cni.istio.io/uninitialized" + brokenPodLabelValue: "true" + + # Set to `type: RuntimeDefault` to use the default profile if available. + seccompProfile: {} + + # SELinux options to set in the istio-cni-node pods. You may need to set this to `type: spc_t` for some platforms. + seLinuxOptions: {} + + resources: + requests: + cpu: 100m + memory: 100Mi + + resourceQuotas: + enabled: false + pods: 5000 + + tolerations: + # Make sure istio-cni-node gets scheduled on all nodes. + - effect: NoSchedule + operator: Exists + # Mark the pod as a critical add-on for rescheduling. + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists + + # K8s DaemonSet update strategy. + # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec). + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 + + # Revision is set as 'version' label and part of the resource names when installing multiple control planes. + revision: "" + + # For Helm compatibility. + ownerName: "" + + global: + # Default hub for Istio images. + # Releases are published to docker hub under 'istio' project. + # Dev builds from prow are on gcr.io + hub: gcr.io/istio-release + + # Default tag for Istio images. + tag: 1.28.5 + + # Variant of the image to use. + # Currently supported are: [debug, distroless] + variant: "" + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent. + imagePullPolicy: "" + + # change cni scope level to control logging out of istio-cni-node DaemonSet + logging: + level: info + + logAsJson: false + + # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) + # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + # - private-registry-key + + # Default resources allocated + defaultResources: + requests: + cpu: 100m + memory: 100Mi + + # In order to use native nftable rules instead of iptable rules, set this flag to true. + nativeNftables: false + + # resourceScope controls what resources will be processed by helm. + # This is useful when installing Istio on a cluster where some resources need to be owned by a cluster administrator and some can be owned by the mesh administrator. + # It can be one of: + # - all: all resources are processed + # - cluster: only cluster-scoped resources are processed + # - namespace: only namespace-scoped resources are processed + resourceScope: all + + # A `key: value` mapping of environment variables to add to the pod + env: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/Chart.yaml new file mode 100644 index 0000000000..45616fb5af --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/Chart.yaml @@ -0,0 +1,12 @@ +apiVersion: v2 +appVersion: 1.28.5 +description: Helm chart for deploying Istio gateways +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio +- gateways +name: gateway +sources: +- https://github.com/istio/istio +type: application +version: 1.28.5 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/README.md new file mode 100644 index 0000000000..6344859a22 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/README.md @@ -0,0 +1,170 @@ +# Istio Gateway Helm Chart + +This chart installs an Istio gateway deployment. + +## Setup Repo Info + +```console +helm repo add istio https://istio-release.storage.googleapis.com/charts +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Installing the Chart + +To install the chart with the release name `istio-ingressgateway`: + +```console +helm install istio-ingressgateway istio/gateway +``` + +## Uninstalling the Chart + +To uninstall/delete the `istio-ingressgateway` deployment: + +```console +helm delete istio-ingressgateway +``` + +## Configuration + +To view supported configuration options and documentation, run: + +```console +helm show values istio/gateway +``` + +### Profiles + +Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. +These can be set with `--set profile=`. +For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. + +For consistency, the same profiles are used across each chart, even if they do not impact a given chart. + +Explicitly set values have highest priority, then profile settings, then chart defaults. + +As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. +When configuring the chart, you should not include this. +That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. + +### OpenShift + +When deploying the gateway in an OpenShift cluster, use the `openshift` profile to override the default values, for example: + +```console +helm install istio-ingressgateway istio/gateway --set profile=openshift +``` + +### `image: auto` Information + +The image used by the chart, `auto`, may be unintuitive. +This exists because the pod spec will be automatically populated at runtime, using the same mechanism as [Sidecar Injection](istio.io/latest/docs/setup/additional-setup/sidecar-injection). +This allows the same configurations and lifecycle to apply to gateways as sidecars. + +Note: this does mean that the namespace the gateway is deployed in must not have the `istio-injection=disabled` label. +See [Controlling the injection policy](https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#controlling-the-injection-policy) for more info. + +### Examples + +#### Egress Gateway + +Deploying a Gateway to be used as an [Egress Gateway](https://istio.io/latest/docs/tasks/traffic-management/egress/egress-gateway/): + +```yaml +service: + # Egress gateways do not need an external LoadBalancer IP + type: ClusterIP +``` + +#### Multi-network/VM Gateway + +Deploying a Gateway to be used as a [Multi-network Gateway](https://istio.io/latest/docs/setup/install/multicluster/) for network `network-1`: + +```yaml +networkGateway: network-1 +``` + +### Migrating from other installation methods + +Installations from other installation methods (such as istioctl, Istio Operator, other helm charts, etc) can be migrated to use the new Helm charts +following the guidance below. +If you are able to, a clean installation is simpler. However, this often requires an external IP migration which can be challenging. + +WARNING: when installing over an existing deployment, the two deployments will be merged together by Helm, which may lead to unexpected results. + +#### Legacy Gateway Helm charts + +Istio historically offered two different charts - `manifests/charts/gateways/istio-ingress` and `manifests/charts/gateways/istio-egress`. +These are replaced by this chart. +While not required, it is recommended all new users use this chart, and existing users migrate when possible. + +This chart has the following benefits and differences: +* Designed with Helm best practices in mind (standardized values options, values schema, values are not all nested under `gateways.istio-ingressgateway.*`, release name and namespace taken into account, etc). +* Utilizes Gateway injection, simplifying upgrades, allowing gateways to run in any namespace, and avoiding repeating config for sidecars and gateways. +* Published to official Istio Helm repository. +* Single chart for all gateways (Ingress, Egress, East West). + +#### General concerns + +For a smooth migration, the resource names and `Deployment.spec.selector` labels must match. + +If you install with `helm install istio-gateway istio/gateway`, resources will be named `istio-gateway` and the `selector` labels set to: + +```yaml +app: istio-gateway +istio: gateway # the release name with leading istio- prefix stripped +``` + +If your existing installation doesn't follow these names, you can override them. For example, if you have resources named `my-custom-gateway` with `selector` labels +`foo=bar,istio=ingressgateway`: + +```yaml +name: my-custom-gateway # Override the name to match existing resources +labels: + app: "" # Unset default app selector label + istio: ingressgateway # override default istio selector label + foo: bar # Add the existing custom selector label +``` + +#### Migrating an existing Helm release + +An existing helm release can be `helm upgrade`d to this chart by using the same release name. For example, if a previous +installation was done like: + +```console +helm install istio-ingress manifests/charts/gateways/istio-ingress -n istio-system +``` + +It could be upgraded with + +```console +helm upgrade istio-ingress manifests/charts/gateway -n istio-system --set name=istio-ingressgateway --set labels.app=istio-ingressgateway --set labels.istio=ingressgateway +``` + +Note the name and labels are overridden to match the names of the existing installation. + +Warning: the helm charts here default to using port 80 and 443, while the old charts used 8080 and 8443. +If you have AuthorizationPolicies that reference port these ports, you should update them during this process, +or customize the ports to match the old defaults. +See the [security advisory](https://istio.io/latest/news/security/istio-security-2021-002/) for more information. + +#### Other migrations + +If you see errors like `rendered manifests contain a resource that already exists` during installation, you may need to forcibly take ownership. + +The script below can handle this for you. Replace `RELEASE` and `NAMESPACE` with the name and namespace of the release: + +```console +KINDS=(service deployment) +RELEASE=istio-ingressgateway +NAMESPACE=istio-system +for KIND in "${KINDS[@]}"; do + kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-name=$RELEASE + kubectl --namespace $NAMESPACE --overwrite=true annotate $KIND $RELEASE meta.helm.sh/release-namespace=$NAMESPACE + kubectl --namespace $NAMESPACE --overwrite=true label $KIND $RELEASE app.kubernetes.io/managed-by=Helm +done +``` + +You may ignore errors about resources not being found. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/files/profile-ambient.yaml new file mode 100644 index 0000000000..495fbcd434 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/files/profile-ambient.yaml @@ -0,0 +1,24 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" + serviceScopeConfigs: + - servicesSelector: + matchExpressions: + - key: istio.io/global + operator: In + values: ["true"] + scope: GLOBAL +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..d04117bfc0 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,14 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.27 behavioral changes + ENABLE_NATIVE_SIDECARS: "false" + # 1.28 behavioral changes + DISABLE_SHADOW_HOST_SUFFIX: "false" + PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/files/profile-compatibility-version-1.26.yaml new file mode 100644 index 0000000000..8fe80112bf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/files/profile-compatibility-version-1.26.yaml @@ -0,0 +1,11 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.27 behavioral changes + ENABLE_NATIVE_SIDECARS: "false" + # 1.28 behavioral changes + DISABLE_SHADOW_HOST_SUFFIX: "false" + PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/files/profile-compatibility-version-1.27.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/files/profile-compatibility-version-1.27.yaml new file mode 100644 index 0000000000..209157cccf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/files/profile-compatibility-version-1.27.yaml @@ -0,0 +1,9 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.28 behavioral changes + DISABLE_SHADOW_HOST_SUFFIX: "false" + PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/files/profile-demo.yaml new file mode 100644 index 0000000000..d6dc36dd0f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/files/profile-demo.yaml @@ -0,0 +1,94 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The demo profile enables a variety of things to try out Istio in non-production environments. +# * Lower resource utilization. +# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. +# * More ports enabled on the ingress, which is used in some tasks. +meshConfig: + accessLogFile: /dev/stdout + extensionProviders: + - name: otel + envoyOtelAls: + service: opentelemetry-collector.observability.svc.cluster.local + port: 4317 + - name: skywalking + skywalking: + service: tracing.istio-system.svc.cluster.local + port: 11800 + - name: otel-tracing + opentelemetry: + port: 4317 + service: opentelemetry-collector.observability.svc.cluster.local + - name: jaeger + opentelemetry: + port: 4317 + service: jaeger-collector.istio-system.svc.cluster.local + +cni: + resources: + requests: + cpu: 10m + memory: 40Mi + +ztunnel: + resources: + requests: + cpu: 10m + memory: 40Mi + +global: + proxy: + resources: + requests: + cpu: 10m + memory: 40Mi + waypoint: + resources: + requests: + cpu: 10m + memory: 40Mi + +pilot: + autoscaleEnabled: false + traceSampling: 100 + resources: + requests: + cpu: 10m + memory: 100Mi + +gateways: + istio-egressgateway: + autoscaleEnabled: false + resources: + requests: + cpu: 10m + memory: 40Mi + istio-ingressgateway: + autoscaleEnabled: false + ports: + ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. + # Note that AWS ELB will by default perform health checks on the first port + # on this list. Setting this to the health check port will ensure that health + # checks always work. https://github.com/istio/istio/issues/12503 + - port: 15021 + targetPort: 15021 + name: status-port + - port: 80 + targetPort: 8080 + name: http2 + - port: 443 + targetPort: 8443 + name: https + - port: 31400 + targetPort: 31400 + name: tcp + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + resources: + requests: + cpu: 10m + memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/files/profile-platform-gke.yaml new file mode 100644 index 0000000000..dfe8a7d741 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/files/profile-platform-gke.yaml @@ -0,0 +1,10 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work + resourceQuotas: + enabled: true +resourceQuotas: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/files/profile-platform-k3d.yaml new file mode 100644 index 0000000000..cd86d9ec58 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/files/profile-platform-k3d.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/files/profile-platform-k3s.yaml new file mode 100644 index 0000000000..07820106d9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/files/profile-platform-k3s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/files/profile-platform-microk8s.yaml new file mode 100644 index 0000000000..57d7f5e3cd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/files/profile-platform-microk8s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/snap/microk8s/current/args/cni-network + cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/files/profile-platform-minikube.yaml new file mode 100644 index 0000000000..fa9992e204 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/files/profile-platform-minikube.yaml @@ -0,0 +1,6 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/files/profile-platform-openshift.yaml new file mode 100644 index 0000000000..8ddc5e1654 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/files/profile-platform-openshift.yaml @@ -0,0 +1,19 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The OpenShift profile provides a basic set of settings to run Istio on OpenShift +cni: + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + provider: "multus" +pilot: + cni: + enabled: true + provider: "multus" +seLinuxOptions: + type: spc_t +# Openshift requires privileged pods to run in kube-system +trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/files/profile-preview.yaml new file mode 100644 index 0000000000..181d7bda2c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/files/profile-preview.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +meshConfig: + defaultConfig: + proxyMetadata: + # Enable Istio agent to handle DNS requests for known hosts + # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf + ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/files/profile-remote.yaml new file mode 100644 index 0000000000..d17b9a801a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/files/profile-remote.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. +istiodRemote: + enabled: true +configMap: false +telemetry: + enabled: false +global: + # TODO BML maybe a different profile for a configcluster/revisit this + omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/files/profile-stable.yaml new file mode 100644 index 0000000000..358282e69b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/files/profile-stable.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The stable profile deploys admission control to ensure that only stable resources and fields are used +# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE +experimental: + stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/templates/NOTES.txt new file mode 100644 index 0000000000..fd0142911a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/templates/NOTES.txt @@ -0,0 +1,9 @@ +"{{ include "gateway.name" . }}" successfully installed! + +To learn more about the release, try: + $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} + $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} + +Next steps: + * Deploy an HTTP Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/ingress-control/ + * Deploy an HTTPS Gateway: https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/ diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/templates/_helpers.tpl new file mode 100644 index 0000000000..e5a0a9b3c2 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/templates/_helpers.tpl @@ -0,0 +1,40 @@ +{{- define "gateway.name" -}} +{{- if eq .Release.Name "RELEASE-NAME" -}} + {{- .Values.name | default "istio-ingressgateway" -}} +{{- else -}} + {{- .Values.name | default .Release.Name | default "istio-ingressgateway" -}} +{{- end -}} +{{- end }} + +{{- define "gateway.labels" -}} +{{ include "gateway.selectorLabels" . }} +{{- range $key, $val := .Values.labels }} +{{- if and (ne $key "app") (ne $key "istio") }} +{{ $key | quote }}: {{ $val | quote }} +{{- end }} +{{- end }} +{{- end }} + +{{- define "gateway.selectorLabels" -}} +app: {{ (.Values.labels.app | quote) | default (include "gateway.name" .) }} +istio: {{ (.Values.labels.istio | quote) | default (include "gateway.name" . | trimPrefix "istio-") }} +{{- end }} + +{{/* +Keep sidecar injection labels together +https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#controlling-the-injection-policy +*/}} +{{- define "gateway.sidecarInjectionLabels" -}} +sidecar.istio.io/inject: "true" +{{- with .Values.revision }} +istio.io/rev: {{ . | quote }} +{{- end }} +{{- end }} + +{{- define "gateway.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- .Values.serviceAccount.name | default (include "gateway.name" .) }} +{{- else }} +{{- .Values.serviceAccount.name | default "default" }} +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/templates/deployment.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/templates/deployment.yaml new file mode 100644 index 0000000000..1d8f93a472 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/templates/deployment.yaml @@ -0,0 +1,145 @@ +apiVersion: apps/v1 +kind: {{ .Values.kind | default "Deployment" }} +metadata: + name: {{ include "gateway.name" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} + {{- include "gateway.labels" . | nindent 4}} + annotations: + {{- .Values.annotations | toYaml | nindent 4 }} +spec: + {{- if not .Values.autoscaling.enabled }} + {{- if and (hasKey .Values "replicaCount") (ne .Values.replicaCount nil) }} + replicas: {{ .Values.replicaCount }} + {{- end }} + {{- end }} + {{- with .Values.strategy }} + strategy: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.minReadySeconds }} + minReadySeconds: {{ . }} + {{- end }} + selector: + matchLabels: + {{- include "gateway.selectorLabels" . | nindent 6 }} + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "gateway.sidecarInjectionLabels" . | nindent 8 }} + {{- include "gateway.selectorLabels" . | nindent 8 }} + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 8}} + {{- range $key, $val := .Values.labels }} + {{- if and (ne $key "app") (ne $key "istio") }} + {{ $key | quote }}: {{ $val | quote }} + {{- end }} + {{- end }} + {{- with .Values.networkGateway }} + topology.istio.io/network: "{{.}}" + {{- end }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "gateway.serviceAccountName" . }} + securityContext: + {{- if .Values.securityContext }} + {{- toYaml .Values.securityContext | nindent 8 }} + {{- else }} + # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326 + sysctls: + - name: net.ipv4.ip_unprivileged_port_start + value: "0" + {{- end }} + {{- with .Values.volumes }} + volumes: + {{ toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} + containers: + - name: istio-proxy + # "auto" will be populated at runtime by the mutating webhook. See https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#customizing-injection + image: auto + {{- with .Values.imagePullPolicy }} + imagePullPolicy: {{ . }} + {{- end }} + securityContext: + {{- if .Values.containerSecurityContext }} + {{- toYaml .Values.containerSecurityContext | nindent 12 }} + {{- else }} + capabilities: + drop: + - ALL + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + {{- if not (eq (.Values.platform | default "") "openshift") }} + runAsUser: 1337 + runAsGroup: 1337 + {{- end }} + runAsNonRoot: true + {{- end }} + env: + {{- with .Values.networkGateway }} + - name: ISTIO_META_REQUESTED_NETWORK_VIEW + value: "{{.}}" + {{- end }} + {{- range $key, $val := .Values.env }} + - name: {{ $key }} + value: {{ $val | quote }} + {{- end }} + {{- with .Values.envVarFrom }} + {{- toYaml . | nindent 10 }} + {{- end }} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + resources: + {{- toYaml .Values.resources | nindent 12 }} + {{- with .Values.volumeMounts }} + volumeMounts: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.readinessProbe }} + readinessProbe: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.lifecycle }} + lifecycle: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.additionalContainers }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml . | nindent 8 }} + {{- end }} + terminationGracePeriodSeconds: {{ $.Values.terminationGracePeriodSeconds }} + {{- with .Values.priorityClassName }} + priorityClassName: {{ . }} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/templates/hpa.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/templates/hpa.yaml new file mode 100644 index 0000000000..64ecb6a4cd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/templates/hpa.yaml @@ -0,0 +1,40 @@ +{{- if and (.Values.autoscaling.enabled) (eq .Values.kind "Deployment") }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "gateway.name" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} + {{- include "gateway.labels" . | nindent 4 }} + annotations: + {{- .Values.annotations | toYaml | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: {{ .Values.kind | default "Deployment" }} + name: {{ include "gateway.name" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + metrics: + {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} + type: Utilization + {{- end }} + {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} + type: Utilization + {{- end }} + {{- if .Values.autoscaling.autoscaleBehavior }} + behavior: {{ toYaml .Values.autoscaling.autoscaleBehavior | nindent 4 }} + {{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/templates/networkpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/templates/networkpolicy.yaml new file mode 100644 index 0000000000..ea2fab97b3 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/templates/networkpolicy.yaml @@ -0,0 +1,47 @@ +{{- if (.Values.global.networkPolicy).enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ include "gateway.name" . }}{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ include "gateway.name" . }} + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Gateway" + istio: {{ (.Values.labels.istio | quote) | default (include "gateway.name" . | trimPrefix "istio-") }} + release: {{ .Release.Name }} + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "gateway.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + {{- include "gateway.selectorLabels" . | nindent 6 }} + policyTypes: + - Ingress + - Egress + ingress: + # Status/health check port + - from: [] + ports: + - protocol: TCP + port: 15021 + # Metrics endpoints for monitoring/prometheus + - from: [] + ports: + - protocol: TCP + port: 15020 + - protocol: TCP + port: 15090 + # Main gateway traffic ports +{{- if .Values.service.ports }} +{{- range .Values.service.ports }} + - from: [] + ports: + - protocol: {{ .protocol | default "TCP" }} + port: {{ .targetPort | default .port }} +{{- end }} +{{- end }} + egress: + # Allow all egress (gateways need to reach external services, istiod, and other cluster services) + - {} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/templates/poddisruptionbudget.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/templates/poddisruptionbudget.yaml new file mode 100644 index 0000000000..91869a0ead --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/templates/poddisruptionbudget.yaml @@ -0,0 +1,21 @@ +{{- if .Values.podDisruptionBudget }} +# a workaround for https://github.com/kubernetes/kubernetes/issues/93476 +{{- if or (and .Values.autoscaling.enabled (gt (int .Values.autoscaling.minReplicas) 1)) (and (not .Values.autoscaling.enabled) (gt (int .Values.replicaCount) 1)) }} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "gateway.name" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} + {{- include "gateway.labels" . | nindent 4}} +spec: + selector: + matchLabels: + {{- include "gateway.selectorLabels" . | nindent 6 }} + {{- with .Values.podDisruptionBudget }} + {{- toYaml . | nindent 2 }} + {{- end }} +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/templates/role.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/templates/role.yaml new file mode 100644 index 0000000000..3d16079632 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/templates/role.yaml @@ -0,0 +1,37 @@ +{{/*Set up roles for Istio Gateway. Not required for gateway-api*/}} +{{- if .Values.rbac.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "gateway.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} + {{- include "gateway.labels" . | nindent 4}} + annotations: + {{- .Values.annotations | toYaml | nindent 4 }} +rules: +- apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "watch", "list"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "gateway.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} + {{- include "gateway.labels" . | nindent 4}} + annotations: + {{- .Values.annotations | toYaml | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "gateway.serviceAccountName" . }} +subjects: +- kind: ServiceAccount + name: {{ include "gateway.serviceAccountName" . }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/templates/service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/templates/service.yaml new file mode 100644 index 0000000000..d172364d0e --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/templates/service.yaml @@ -0,0 +1,78 @@ +{{- if not (eq .Values.service.type "None") }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "gateway.name" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} + {{- include "gateway.labels" . | nindent 4 }} + {{- with .Values.networkGateway }} + topology.istio.io/network: "{{.}}" + {{- end }} + annotations: + {{- merge (deepCopy .Values.service.annotations) .Values.annotations | toYaml | nindent 4 }} +spec: +{{- with .Values.service.loadBalancerIP }} + loadBalancerIP: "{{ . }}" +{{- end }} +{{- if eq .Values.service.type "LoadBalancer" }} + {{- if hasKey .Values.service "allocateLoadBalancerNodePorts" }} + allocateLoadBalancerNodePorts: {{ .Values.service.allocateLoadBalancerNodePorts }} + {{- end }} + {{- if hasKey .Values.service "loadBalancerClass" }} + loadBalancerClass: {{ .Values.service.loadBalancerClass }} + {{- end }} +{{- end }} +{{- if .Values.service.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.service.ipFamilyPolicy }} +{{- end }} +{{- if .Values.service.ipFamilies }} + ipFamilies: +{{- range .Values.service.ipFamilies }} + - {{ . }} +{{- end }} +{{- end }} +{{- with .Values.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml . | indent 4 }} +{{- end }} +{{- with .Values.service.externalTrafficPolicy }} + externalTrafficPolicy: "{{ . }}" +{{- end }} +{{- with .Values.service.internalTrafficPolicy }} + internalTrafficPolicy: "{{ . }}" +{{- end }} + type: {{ .Values.service.type }} +{{- if not (eq .Values.service.clusterIP "") }} + clusterIP: {{ .Values.service.clusterIP }} +{{- end }} + ports: +{{- if .Values.networkGateway }} + - name: status-port + port: 15021 + targetPort: 15021 + - name: tls + port: 15443 + targetPort: 15443 + - name: tls-istiod + port: 15012 + targetPort: 15012 + - name: tls-webhook + port: 15017 + targetPort: 15017 +{{- else }} +{{ .Values.service.ports | toYaml | indent 4 }} +{{- end }} +{{- if .Values.service.externalIPs }} + externalIPs: {{- range .Values.service.externalIPs }} + - {{.}} + {{- end }} +{{- end }} + selector: + {{- include "gateway.selectorLabels" . | nindent 4 }} + {{- with .Values.service.selectorLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/templates/serviceaccount.yaml new file mode 100644 index 0000000000..c88afeadd3 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/templates/serviceaccount.yaml @@ -0,0 +1,15 @@ +{{- if .Values.serviceAccount.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "gateway.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: {{ include "gateway.name" . }} + {{- include "istio.labels" . | nindent 4}} + {{- include "gateway.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/templates/zzz_profile.yaml new file mode 100644 index 0000000000..606c556697 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/templates/zzz_profile.yaml @@ -0,0 +1,75 @@ +{{/* +WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. +The original version of this file is located at /manifests directory. +If you want to make a change in this file, edit the original one and run "make gen". + +Complex logic ahead... +We have three sets of values, in order of precedence (last wins): +1. The builtin values.yaml defaults +2. The profile the user selects +3. Users input (-f or --set) + +Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). + +However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). +We can then merge the profile onto the defaults, then the user settings onto that. +Finally, we can set all of that under .Values so the chart behaves without awareness. +*/}} +{{- if $.Values.defaults}} +{{ fail (cat + "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" + ($.Values.defaults | toYaml |nindent 4) +) }} +{{- end }} +{{- $defaults := $.Values._internal_defaults_do_not_set }} +{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} +{{- $profile := dict }} +{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} +{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} +{{- $profile = (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown profile" .) }} +{{- end }} +{{- end }} +{{- with .Values.compatibilityVersion }} +{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} +{{- end }} +{{- end }} +{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} +{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown platform" .) }} +{{- end }} +{{- end }} +{{- if $profile }} +{{- $a := mustMergeOverwrite $defaults $profile }} +{{- end }} +# Flatten globals, if defined on a per-chart basis +{{- if true }} +{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} +{{- end }} +{{- $x := set $.Values "_original" (deepCopy $.Values) }} +{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} + +{{/* +Labels that should be applied to ALL resources. +*/}} +{{- define "istio.labels" -}} +{{- if .Release.Service -}} +app.kubernetes.io/managed-by: {{ .Release.Service | quote }} +{{- end }} +{{- if .Release.Name }} +app.kubernetes.io/instance: {{ .Release.Name | quote }} +{{- end }} +app.kubernetes.io/part-of: "istio" +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +{{- if and .Chart.Name .Chart.Version }} +helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/values.schema.json b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/values.schema.json new file mode 100644 index 0000000000..9263245a24 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/values.schema.json @@ -0,0 +1,359 @@ +{ + "$schema": "http://json-schema.org/schema#", + "$defs": { + "values": { + "type": "object", + "additionalProperties": false, + "properties": { + "_internal_defaults_do_not_set": { + "type": "object" + }, + "global": { + "type": "object" + }, + "affinity": { + "type": "object" + }, + "securityContext": { + "type": [ + "object", + "null" + ] + }, + "containerSecurityContext": { + "type": [ + "object", + "null" + ] + }, + "kind": { + "type": "string", + "enum": [ + "Deployment", + "DaemonSet" + ] + }, + "annotations": { + "additionalProperties": { + "type": [ + "string", + "integer" + ] + }, + "type": "object" + }, + "autoscaling": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "maxReplicas": { + "type": "integer" + }, + "minReplicas": { + "type": "integer" + }, + "targetCPUUtilizationPercentage": { + "type": "integer" + } + } + }, + "env": { + "type": "object" + }, + "envVarFrom": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { "type": "string" }, + "valueFrom": { "type": "object" } + } + } + }, + "strategy": { + "type": "object" + }, + "minReadySeconds": { + "type": [ "null", "integer" ] + }, + "readinessProbe": { + "type": [ "null", "object" ] + }, + "labels": { + "type": "object" + }, + "name": { + "type": "string" + }, + "nodeSelector": { + "type": "object" + }, + "podAnnotations": { + "type": "object", + "properties": { + "inject.istio.io/templates": { + "type": "string" + }, + "prometheus.io/path": { + "type": "string" + }, + "prometheus.io/port": { + "type": "string" + }, + "prometheus.io/scrape": { + "type": "string" + } + } + }, + "replicaCount": { + "type": [ + "integer", + "null" + ] + }, + "resources": { + "type": "object", + "properties": { + "limits": { + "type": ["object", "null"], + "properties": { + "cpu": { + "type": ["string", "null"] + }, + "memory": { + "type": ["string", "null"] + } + } + }, + "requests": { + "type": ["object", "null"], + "properties": { + "cpu": { + "type": ["string", "null"] + }, + "memory": { + "type": ["string", "null"] + } + } + } + } + }, + "revision": { + "type": "string" + }, + "defaultRevision": { + "type": "string" + }, + "compatibilityVersion": { + "type": "string" + }, + "profile": { + "type": "string" + }, + "platform": { + "type": "string" + }, + "pilot": { + "type": "object" + }, + "runAsRoot": { + "type": "boolean" + }, + "unprivilegedPort": { + "type": [ + "string", + "boolean" + ], + "enum": [ + true, + false, + "auto" + ] + }, + "service": { + "type": "object", + "properties": { + "annotations": { + "type": "object" + }, + "selectorLabels": { + "type": "object", + "additionalProperties": { + "type": "string" + } + }, + "externalTrafficPolicy": { + "type": "string" + }, + "loadBalancerIP": { + "type": "string" + }, + "loadBalancerSourceRanges": { + "type": "array" + }, + "ipFamilies": { + "items": { + "type": "string", + "enum": [ + "IPv4", + "IPv6" + ] + } + }, + "ipFamilyPolicy": { + "type": "string", + "enum": [ + "", + "SingleStack", + "PreferDualStack", + "RequireDualStack" + ] + }, + "ports": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "port": { + "type": "integer" + }, + "protocol": { + "type": "string" + }, + "targetPort": { + "type": "integer" + } + } + } + }, + "type": { + "type": "string" + } + } + }, + "serviceAccount": { + "type": "object", + "properties": { + "annotations": { + "type": "object" + }, + "name": { + "type": "string" + }, + "create": { + "type": "boolean" + } + } + }, + "rbac": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, + "tolerations": { + "type": "array" + }, + "topologySpreadConstraints": { + "type": "array" + }, + "networkGateway": { + "type": "string" + }, + "imagePullPolicy": { + "type": "string", + "enum": [ + "", + "Always", + "IfNotPresent", + "Never" + ] + }, + "imagePullSecrets": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + } + } + } + }, + "podDisruptionBudget": { + "type": "object", + "properties": { + "minAvailable": { + "type": [ + "integer", + "string" + ] + }, + "maxUnavailable": { + "type": [ + "integer", + "string" + ] + }, + "unhealthyPodEvictionPolicy": { + "type": "string", + "enum": [ + "", + "IfHealthyBudget", + "AlwaysAllow" + ] + } + } + }, + "terminationGracePeriodSeconds": { + "type": "number" + }, + "volumes": { + "type": "array", + "items": { + "type": "object" + } + }, + "volumeMounts": { + "type": "array", + "items": { + "type": "object" + } + }, + "initContainers": { + "type": "array", + "items": { "type": "object" } + }, + "additionalContainers": { + "type": "array", + "items": { "type": "object" } + }, + "priorityClassName": { + "type": "string" + }, + "lifecycle": { + "type": "object", + "properties": { + "postStart": { + "type": "object" + }, + "preStop": { + "type": "object" + } + } + } + } + } + }, + "defaults": { + "$ref": "#/$defs/values" + }, + "$ref": "#/$defs/values" +} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/values.yaml new file mode 100644 index 0000000000..d463634ec4 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/gateway/values.yaml @@ -0,0 +1,204 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + # Name allows overriding the release name. Generally this should not be set + name: "" + # revision declares which revision this gateway is a part of + revision: "" + + # Controls the spec.replicas setting for the Gateway deployment if set. + # Otherwise defaults to Kubernetes Deployment default (1). + replicaCount: + + kind: Deployment + + rbac: + # If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed + # when using http://gateway-api.org/. + enabled: true + + serviceAccount: + # If set, a service account will be created. Otherwise, the default is used + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set, the release name is used + name: "" + + podAnnotations: + prometheus.io/port: "15020" + prometheus.io/scrape: "true" + prometheus.io/path: "/stats/prometheus" + inject.istio.io/templates: "gateway" + sidecar.istio.io/inject: "true" + + # Define the security context for the pod. + # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. + # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. + securityContext: {} + containerSecurityContext: {} + + service: + # Type of service. Set to "None" to disable the service entirely + type: LoadBalancer + # Set to a specific ClusterIP, or "" for automatic assignment + clusterIP: "" + # Additional labels to add to the service selector + selectorLabels: {} + ports: + - name: status-port + port: 15021 + protocol: TCP + targetPort: 15021 + - name: http2 + port: 80 + protocol: TCP + targetPort: 80 + - name: https + port: 443 + protocol: TCP + targetPort: 443 + annotations: {} + loadBalancerIP: "" + loadBalancerSourceRanges: [] + externalTrafficPolicy: "" + externalIPs: [] + ipFamilyPolicy: "" + ipFamilies: [] + ## Whether to automatically allocate NodePorts (only for LoadBalancers). + # allocateLoadBalancerNodePorts: false + ## Set LoadBalancer class (only for LoadBalancers). + # loadBalancerClass: "" + + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 1024Mi + + autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 5 + targetCPUUtilizationPercentage: 80 + targetMemoryUtilizationPercentage: {} + autoscaleBehavior: {} + + # Pod environment variables + env: {} + + # Use envVarFrom to define full environment variable entries with complex sources, + # such as valueFrom.secretKeyRef, valueFrom.configMapKeyRef. Each item must include a `name` and `valueFrom`. + # + # Example: + # envVarFrom: + # - name: EXAMPLE_SECRET + # valueFrom: + # secretKeyRef: + # name: example-name + # key: example-key + envVarFrom: [] + + # Deployment Update strategy + strategy: {} + + # Sets the Deployment minReadySeconds value + minReadySeconds: + + # Optionally configure a custom readinessProbe. By default the control plane + # automatically injects the readinessProbe. If you wish to override that + # behavior, you may define your own readinessProbe here. + readinessProbe: {} + + # Labels to apply to all resources + labels: + # By default, don't enroll gateways into the ambient dataplane + "istio.io/dataplane-mode": none + + # Annotations to apply to all resources + annotations: {} + + nodeSelector: {} + + tolerations: [] + + topologySpreadConstraints: [] + + affinity: {} + + # If specified, the gateway will act as a network gateway for the given network. + networkGateway: "" + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent + imagePullPolicy: "" + + imagePullSecrets: [] + + # This value is used to configure a Kubernetes PodDisruptionBudget for the gateway. + # + # By default, the `podDisruptionBudget` is disabled (set to `{}`), + # which means that no PodDisruptionBudget resource will be created. + # + # The PodDisruptionBudget can be only enabled if autoscaling is enabled + # with minReplicas > 1 or if autoscaling is disabled but replicaCount > 1. + # + # To enable the PodDisruptionBudget, configure it by specifying the + # `minAvailable` or `maxUnavailable`. For example, to set the + # minimum number of available replicas to 1, you can update this value as follows: + # + # podDisruptionBudget: + # minAvailable: 1 + # + # Or, to allow a maximum of 1 unavailable replica, you can set: + # + # podDisruptionBudget: + # maxUnavailable: 1 + # + # You can also specify the `unhealthyPodEvictionPolicy` field, and the valid values are `IfHealthyBudget` and `AlwaysAllow`. + # For example, to set the `unhealthyPodEvictionPolicy` to `AlwaysAllow`, you can update this value as follows: + # + # podDisruptionBudget: + # minAvailable: 1 + # unhealthyPodEvictionPolicy: AlwaysAllow + # + # To disable the PodDisruptionBudget, you can leave it as an empty object `{}`: + # + # podDisruptionBudget: {} + # + podDisruptionBudget: {} + + # Sets the per-pod terminationGracePeriodSeconds setting. + terminationGracePeriodSeconds: 30 + + # A list of `Volumes` added into the Gateway Pods. See + # https://kubernetes.io/docs/concepts/storage/volumes/. + volumes: [] + + # A list of `VolumeMounts` added into the Gateway Pods. See + # https://kubernetes.io/docs/concepts/storage/volumes/. + volumeMounts: [] + + # Inject initContainers into the Gateway Pods. + initContainers: [] + + # Inject additional containers into the Gateway Pods. + additionalContainers: [] + + # Configure this to a higher priority class in order to make sure your Istio gateway pods + # will not be killed because of low priority class. + # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + # for more detail. + priorityClassName: "" + + # Configure the lifecycle hooks for the gateway. See + # https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/. + lifecycle: {} + + # When enabled, a default NetworkPolicy for gateways will be created + global: + networkPolicy: + enabled: false diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/Chart.yaml new file mode 100644 index 0000000000..c6cc1e4bef --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/Chart.yaml @@ -0,0 +1,12 @@ +apiVersion: v2 +appVersion: 1.28.5 +description: Helm chart for istio control plane +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio +- istiod +- istio-discovery +name: istiod +sources: +- https://github.com/istio/istio +version: 1.28.5 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/README.md new file mode 100644 index 0000000000..44f7b1d8ca --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/README.md @@ -0,0 +1,73 @@ +# Istiod Helm Chart + +This chart installs an Istiod deployment. + +## Setup Repo Info + +```console +helm repo add istio https://istio-release.storage.googleapis.com/charts +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Installing the Chart + +Before installing, ensure CRDs are installed in the cluster (from the `istio/base` chart). + +To install the chart with the release name `istiod`: + +```console +kubectl create namespace istio-system +helm install istiod istio/istiod --namespace istio-system +``` + +## Uninstalling the Chart + +To uninstall/delete the `istiod` deployment: + +```console +helm delete istiod --namespace istio-system +``` + +## Configuration + +To view supported configuration options and documentation, run: + +```console +helm show values istio/istiod +``` + +### Profiles + +Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. +These can be set with `--set profile=`. +For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. + +For consistency, the same profiles are used across each chart, even if they do not impact a given chart. + +Explicitly set values have highest priority, then profile settings, then chart defaults. + +As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. +When configuring the chart, you should not include this. +That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. + +### Examples + +#### Configuring mesh configuration settings + +Any [Mesh Config](https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/) options can be configured like below: + +```yaml +meshConfig: + accessLogFile: /dev/stdout +``` + +#### Revisions + +Control plane revisions allow deploying multiple versions of the control plane in the same cluster. +This allows safe [canary upgrades](https://istio.io/latest/docs/setup/upgrade/canary/) + +```yaml +revision: my-revision-name +``` diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/gateway-injection-template.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/gateway-injection-template.yaml new file mode 100644 index 0000000000..bc15ee3c31 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/gateway-injection-template.yaml @@ -0,0 +1,274 @@ +{{- $containers := list }} +{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} +metadata: + labels: + service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} + service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} + annotations: + istio.io/rev: {{ .Revision | default "default" | quote }} + {{- if ge (len $containers) 1 }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} + kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}" + {{- end }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}" + {{- end }} + {{- end }} +spec: + securityContext: + {{- if .Values.gateways.securityContext }} + {{- toYaml .Values.gateways.securityContext | nindent 4 }} + {{- else }} + sysctls: + - name: net.ipv4.ip_unprivileged_port_start + value: "0" + {{- end }} + containers: + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - router + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} + - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} + {{- end }} + securityContext: + runAsUser: {{ .ProxyUID | default "1337" }} + runAsGroup: {{ .ProxyGID | default "1337" }} + env: + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + {{- if .CompliancePolicy }} + - name: COMPLIANCE_POLICY + value: "{{ .CompliancePolicy }}" + {{- end }} + - name: ISTIO_META_APP_CONTAINERS + value: "{{ $containers | join "," }}" + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ .ProxyConfig.InterceptionMode.String }}" + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{- if .DeploymentMeta.Name }} + - name: ISTIO_META_WORKLOAD_NAME + value: "{{ .DeploymentMeta.Name }}" + {{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: ISTIO_BOOTSTRAP_OVERRIDE + value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" + {{- end }} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + readinessProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: {{.Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ .Values.global.proxy.readinessPeriodSeconds }} + timeoutSeconds: 3 + failureThreshold: {{ .Values.global.proxy.readinessFailureThreshold }} + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + - name: credential-socket + mountPath: /var/run/secrets/credential-uds + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - mountPath: /etc/istio/custom-bootstrap + name: custom-bootstrap-volume + {{- end }} + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + volumes: + - emptyDir: + name: workload-socket + - emptyDir: {} + name: credential-socket + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- else}} + - emptyDir: {} + name: workload-certs + {{- end }} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: custom-bootstrap-volume + configMap: + name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - name: istio-certs + secret: + optional: true + {{ if eq .Spec.ServiceAccountName "" }} + secretName: istio.default + {{ else -}} + secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} + {{ end -}} + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/grpc-agent.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/grpc-agent.yaml new file mode 100644 index 0000000000..3b9240e36c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/grpc-agent.yaml @@ -0,0 +1,318 @@ +{{- define "resources" }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} + requests: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} + cpu: {{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` | quote }} + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} + memory: {{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` | quote }} + {{ end }} + {{- end }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + limits: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} + cpu: {{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` | quote }} + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} + memory: {{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` | quote }} + {{ end }} + {{- end }} + {{- else }} + {{- if .Values.global.proxy.resources }} + {{ toYaml .Values.global.proxy.resources | indent 6 }} + {{- end }} + {{- end }} +{{- end }} +{{- $containers := list }} +{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} +metadata: + labels: + {{/* security.istio.io/tlsMode: istio must be set by user, if gRPC is using mTLS initialization code. We can't set it automatically. */}} + service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | quote }} + service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} + annotations: { + istio.io/rev: {{ .Revision | default "default" | quote }}, + {{- if ge (len $containers) 1 }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} + kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", + {{- end }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", + {{- end }} + {{- end }} + sidecar.istio.io/rewriteAppHTTPProbers: "false", + } +spec: + containers: + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + ports: + - containerPort: 15020 + protocol: TCP + name: mesh-metrics + args: + - proxy + - sidecar + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} + - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + lifecycle: + postStart: + exec: + command: + - pilot-agent + - wait + - --url=http://localhost:15020/healthz/ready + env: + - name: ISTIO_META_GENERATOR + value: grpc + - name: OUTPUT_CERTS + value: /var/lib/istio/data + {{- if eq .InboundTrafficPolicyMode "localhost" }} + - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION + value: "true" + {{- end }} + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: ISTIO_META_APP_CONTAINERS + value: "{{ $containers | join "," }}" + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{- if .DeploymentMeta.Name }} + - name: ISTIO_META_WORKLOAD_NAME + value: "{{ .DeploymentMeta.Name }}" + {{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + # grpc uses xds:/// to resolve – no need to resolve VIP + - name: ISTIO_META_DNS_CAPTURE + value: "false" + - name: DISABLE_ENVOY + value: "true" + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} + readinessProbe: + httpGet: + path: /healthz/ready + port: 15020 + initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} + timeoutSeconds: 3 + failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} + resources: + {{ template "resources" . }} + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + # UDS channel between istioagent and gRPC client for XDS/SDS + - mountPath: /etc/istio/proxy + name: istio-xds + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} + {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 6 }} + {{ end }} + {{- end }} +{{- range $index, $container := .Spec.Containers }} +{{ if not (eq $container.Name "istio-proxy") }} + - name: {{ $container.Name }} + env: + - name: "GRPC_XDS_EXPERIMENTAL_SECURITY_SUPPORT" + value: "true" + - name: "GRPC_XDS_BOOTSTRAP" + value: "/etc/istio/proxy/grpc-bootstrap.json" + volumeMounts: + - mountPath: /var/lib/istio/data + name: istio-data + # UDS channel between istioagent and gRPC client for XDS/SDS + - mountPath: /etc/istio/proxy + name: istio-xds + {{- if eq $.Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} +{{- end }} +{{- end }} + volumes: + - emptyDir: + name: workload-socket + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- else }} + - emptyDir: + name: workload-certs + {{- end }} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: custom-bootstrap-volume + configMap: + name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-xds + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + {{- end }} + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - name: istio-certs + secret: + optional: true + {{ if eq .Spec.ServiceAccountName "" }} + secretName: istio.default + {{ else -}} + secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} + {{ end -}} + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} + {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 4 }} + {{ end }} + {{ end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/grpc-simple.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/grpc-simple.yaml new file mode 100644 index 0000000000..9ba0c7a46a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/grpc-simple.yaml @@ -0,0 +1,65 @@ +metadata: + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "false" +spec: + initContainers: + - name: grpc-bootstrap-init + image: busybox:1.28 + volumeMounts: + - mountPath: /var/lib/grpc/data/ + name: grpc-io-proxyless-bootstrap + env: + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: ISTIO_NAMESPACE + value: | + {{ .Values.global.istioNamespace }} + command: + - sh + - "-c" + - |- + NODE_ID="sidecar~${INSTANCE_IP}~${POD_NAME}.${POD_NAMESPACE}~cluster.local" + SERVER_URI="dns:///istiod.${ISTIO_NAMESPACE}.svc:15010" + echo ' + { + "xds_servers": [ + { + "server_uri": "'${SERVER_URI}'", + "channel_creds": [{"type": "insecure"}], + "server_features" : ["xds_v3"] + } + ], + "node": { + "id": "'${NODE_ID}'", + "metadata": { + "GENERATOR": "grpc" + } + } + }' > /var/lib/grpc/data/bootstrap.json + containers: + {{- range $index, $container := .Spec.Containers }} + - name: {{ $container.Name }} + env: + - name: GRPC_XDS_BOOTSTRAP + value: /var/lib/grpc/data/bootstrap.json + - name: GRPC_GO_LOG_VERBOSITY_LEVEL + value: "99" + - name: GRPC_GO_LOG_SEVERITY_LEVEL + value: info + volumeMounts: + - mountPath: /var/lib/grpc/data/ + name: grpc-io-proxyless-bootstrap + {{- end }} + volumes: + - name: grpc-io-proxyless-bootstrap + emptyDir: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/injection-template.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/injection-template.yaml new file mode 100644 index 0000000000..84463bb43b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/injection-template.yaml @@ -0,0 +1,549 @@ +{{- define "resources" }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) }} + requests: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU`) -}} + cpu: {{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPU` | quote }} + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory`) -}} + memory: {{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemory` | quote }} + {{ end }} + {{- end }} + {{- if or (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) }} + limits: + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit`) -}} + cpu: {{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyCPULimit` | quote }} + {{ end }} + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit`) -}} + memory: {{ index .ObjectMeta.Annotations `sidecar.istio.io/proxyMemoryLimit` | quote }} + {{ end }} + {{- end }} + {{- else }} + {{- if .Values.global.proxy.resources }} + {{ toYaml .Values.global.proxy.resources | indent 6 }} + {{- end }} + {{- end }} +{{- end }} +{{ $tproxy := (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) }} +{{ $capNetBindService := (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) }} +{{ $nativeSidecar := ne (index .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar` | default (printf "%t" .NativeSidecars)) "false" }} +{{- $containers := list }} +{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} +metadata: + labels: + security.istio.io/tlsMode: {{ index .ObjectMeta.Labels `security.istio.io/tlsMode` | default "istio" | quote }} + {{- if eq (index .ProxyConfig.ProxyMetadata "ISTIO_META_ENABLE_HBONE") "true" }} + networking.istio.io/tunnel: {{ index .ObjectMeta.Labels `networking.istio.io/tunnel` | default "http" | quote }} + {{- end }} + service.istio.io/canonical-name: {{ index .ObjectMeta.Labels `service.istio.io/canonical-name` | default (index .ObjectMeta.Labels `app.kubernetes.io/name`) | default (index .ObjectMeta.Labels `app`) | default .DeploymentMeta.Name | trunc 63 | trimSuffix "-" | quote }} + service.istio.io/canonical-revision: {{ index .ObjectMeta.Labels `service.istio.io/canonical-revision` | default (index .ObjectMeta.Labels `app.kubernetes.io/version`) | default (index .ObjectMeta.Labels `version`) | default "latest" | quote }} + annotations: { + istio.io/rev: {{ .Revision | default "default" | quote }}, + {{- if ge (len $containers) 1 }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-logs-container`) }} + kubectl.kubernetes.io/default-logs-container: "{{ index $containers 0 }}", + {{- end }} + {{- if not (isset .ObjectMeta.Annotations `kubectl.kubernetes.io/default-container`) }} + kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", + {{- end }} + {{- end }} +{{- if .Values.pilot.cni.enabled }} + {{- if eq .Values.pilot.cni.provider "multus" }} + k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `default/istio-cni` }}', + {{- end }} + sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}", + {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}traffic.sidecar.istio.io/includeOutboundIPRanges: "{{.}}",{{ end }} + {{ with annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}traffic.sidecar.istio.io/excludeOutboundIPRanges: "{{.}}",{{ end }} + traffic.sidecar.istio.io/includeInboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}", + traffic.sidecar.istio.io/excludeInboundPorts: "{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}", + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") }} + traffic.sidecar.istio.io/includeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}", + {{- end }} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne .Values.global.proxy.excludeOutboundPorts "") }} + traffic.sidecar.istio.io/excludeOutboundPorts: "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}", + {{- end }} + {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}traffic.sidecar.istio.io/kubevirtInterfaces: "{{.}}",{{ end }} + {{ with index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}istio.io/reroute-virtual-interfaces: "{{.}}",{{ end }} + {{ with index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}traffic.sidecar.istio.io/excludeInterfaces: "{{.}}",{{ end }} +{{- end }} + } +spec: + {{- $holdProxy := and + (or .ProxyConfig.HoldApplicationUntilProxyStarts.GetValue .Values.global.proxy.holdApplicationUntilProxyStarts) + (not $nativeSidecar) }} + {{- $noInitContainer := and + (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE`) + (not $nativeSidecar) }} + {{ if $noInitContainer }} + initContainers: [] + {{ else -}} + initContainers: + {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} + {{ if .Values.pilot.cni.enabled -}} + - name: istio-validation + {{ else -}} + - name: istio-init + {{ end -}} + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + args: + - istio-iptables + - "-p" + - {{ .MeshConfig.ProxyListenPort | default "15001" | quote }} + - "-z" + - {{ .MeshConfig.ProxyInboundListenPort | default "15006" | quote }} + - "-u" + - {{ if $tproxy }} "1337" {{ else }} {{ .ProxyUID | default "1337" | quote }} {{ end }} + - "-m" + - "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}" + - "-i" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundIPRanges` .Values.global.proxy.includeIPRanges }}" + - "-x" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundIPRanges` .Values.global.proxy.excludeIPRanges }}" + - "-b" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeInboundPorts` .Values.global.proxy.includeInboundPorts }}" + - "-d" + {{- if excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }} + - "15090,15021,{{ excludeInboundPort (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) (annotation .ObjectMeta `traffic.sidecar.istio.io/excludeInboundPorts` .Values.global.proxy.excludeInboundPorts) }}" + {{- else }} + - "15090,15021" + {{- end }} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/includeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.includeOutboundPorts "") "") -}} + - "-q" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/includeOutboundPorts` .Values.global.proxy.includeOutboundPorts }}" + {{ end -}} + {{ if or (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeOutboundPorts`) (ne (valueOrDefault .Values.global.proxy.excludeOutboundPorts "") "") -}} + - "-o" + - "{{ annotation .ObjectMeta `traffic.sidecar.istio.io/excludeOutboundPorts` .Values.global.proxy.excludeOutboundPorts }}" + {{ end -}} + {{ if (isset .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces`) -}} + - "-k" + - "{{ index .ObjectMeta.Annotations `istio.io/reroute-virtual-interfaces` }}" + {{ else if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces`) -}} + - "-k" + - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/kubevirtInterfaces` }}" + {{ end -}} + {{ if (isset .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces`) -}} + - "-c" + - "{{ index .ObjectMeta.Annotations `traffic.sidecar.istio.io/excludeInterfaces` }}" + {{ end -}} + - "--log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }}" + {{ if .Values.global.logAsJson -}} + - "--log_as_json" + {{ end -}} + {{ if .Values.pilot.cni.enabled -}} + - "--run-validation" + - "--skip-rule-apply" + {{ else if .Values.global.proxy_init.forceApplyIptables -}} + - "--force-apply" + {{ end -}} + {{ if .Values.global.nativeNftables -}} + - "--native-nftables" + {{ end -}} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + {{- if .ProxyConfig.ProxyMetadata }} + env: + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + resources: + {{ template "resources" . }} + securityContext: + allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} + privileged: {{ .Values.global.proxy.privileged }} + capabilities: + {{- if not .Values.pilot.cni.enabled }} + add: + - NET_ADMIN + - NET_RAW + {{- end }} + drop: + - ALL + {{- if not .Values.pilot.cni.enabled }} + readOnlyRootFilesystem: false + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + {{- else }} + readOnlyRootFilesystem: true + runAsGroup: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyGID | default "1337" }} {{ end }} + runAsUser: {{ if $tproxy }} 1337 {{ else }} {{ .ProxyUID | default "1337" }} {{ end }} + runAsNonRoot: true + {{- end }} + {{- if .Values.global.proxy.seccompProfile }} + seccompProfile: + {{- toYaml .Values.global.proxy.seccompProfile | nindent 8 }} + {{- end }} + {{ end -}} + {{ end -}} + {{ if not $nativeSidecar }} + containers: + {{ end }} + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + {{ if $nativeSidecar }}restartPolicy: Always{{end}} + ports: + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - sidecar + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel }} + - --proxyComponentLogLevel={{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel }} + - --log_output_level={{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level }} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.outlierLogPath }} + - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }} + {{- end}} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} + {{- else if $holdProxy }} + lifecycle: + postStart: + exec: + command: + - pilot-agent + - wait + {{- else if $nativeSidecar }} + {{- /* preStop is called when the pod starts shutdown. Initialize drain. We will get SIGTERM once applications are torn down. */}} + lifecycle: + preStop: + exec: + command: + - pilot-agent + - request + - --debug-port={{(annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort)}} + - POST + - drain + {{- end }} + env: + {{- if eq .InboundTrafficPolicyMode "localhost" }} + - name: REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATION + value: "true" + {{- end }} + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: |- + [ + {{- $first := true }} + {{- range $index1, $c := .Spec.Containers }} + {{- range $index2, $p := $c.Ports }} + {{- if (structToJSON $p) }} + {{if not $first}},{{end}}{{ structToJSON $p }} + {{- $first = false }} + {{- end }} + {{- end}} + {{- end}} + ] + - name: ISTIO_META_APP_CONTAINERS + value: "{{ $containers | join "," }}" + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + {{- if .CompliancePolicy }} + - name: COMPLIANCE_POLICY + value: "{{ .CompliancePolicy }}" + {{- end }} + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ or (index .ObjectMeta.Annotations `sidecar.istio.io/interceptionMode`) .ProxyConfig.InterceptionMode.String }}" + {{- if .Values.global.network }} + - name: ISTIO_META_NETWORK + value: "{{ .Values.global.network }}" + {{- end }} + {{- with (index .ObjectMeta.Labels `service.istio.io/workload-name` | default .DeploymentMeta.Name) }} + - name: ISTIO_META_WORKLOAD_NAME + value: "{{ . }}" + {{ end }} + {{- if and .TypeMeta.APIVersion .DeploymentMeta.Name }} + - name: ISTIO_META_OWNER + value: kubernetes://apis/{{ .TypeMeta.APIVersion }}/namespaces/{{ valueOrDefault .DeploymentMeta.Namespace `default` }}/{{ toLower .TypeMeta.Kind}}s/{{ .DeploymentMeta.Name }} + {{- end}} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: ISTIO_BOOTSTRAP_OVERRIDE + value: "/etc/istio/custom-bootstrap/custom_bootstrap.json" + {{- end }} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- if and (eq .Values.global.proxy.tracer "datadog") (isset .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} + {{- range $key, $value := fromJSON (index .ObjectMeta.Annotations `apm.datadoghq.com/env`) }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + {{ if ne (annotation .ObjectMeta `status.sidecar.istio.io/port` .Values.global.proxy.statusPort) `0` }} + {{ if .Values.global.proxy.startupProbe.enabled }} + startupProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: 0 + periodSeconds: 1 + timeoutSeconds: 3 + failureThreshold: {{ .Values.global.proxy.startupProbe.failureThreshold }} + {{ end }} + readinessProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/initialDelaySeconds` .Values.global.proxy.readinessInitialDelaySeconds }} + periodSeconds: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/periodSeconds` .Values.global.proxy.readinessPeriodSeconds }} + timeoutSeconds: 3 + failureThreshold: {{ annotation .ObjectMeta `readiness.status.sidecar.istio.io/failureThreshold` .Values.global.proxy.readinessFailureThreshold }} + {{ end -}} + securityContext: + {{- if eq (index .ProxyConfig.ProxyMetadata "IPTABLES_TRACE_LOGGING") "true" }} + allowPrivilegeEscalation: true + capabilities: + add: + - NET_ADMIN + drop: + - ALL + privileged: true + readOnlyRootFilesystem: true + runAsGroup: {{ .ProxyGID | default "1337" }} + runAsNonRoot: false + runAsUser: 0 + {{- else }} + allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} + capabilities: + {{ if or $tproxy $capNetBindService -}} + add: + {{ if $tproxy -}} + - NET_ADMIN + {{- end }} + {{ if $capNetBindService -}} + - NET_BIND_SERVICE + {{- end }} + {{- end }} + drop: + - ALL + privileged: {{ .Values.global.proxy.privileged }} + readOnlyRootFilesystem: true + {{ if or $tproxy $capNetBindService -}} + runAsNonRoot: false + runAsUser: 0 + runAsGroup: 1337 + {{- else -}} + runAsNonRoot: true + runAsUser: {{ .ProxyUID | default "1337" }} + runAsGroup: {{ .ProxyGID | default "1337" }} + {{- end }} + {{- end }} + {{- if .Values.global.proxy.seccompProfile }} + seccompProfile: + {{- toYaml .Values.global.proxy.seccompProfile | nindent 8 }} + {{- end }} + resources: + {{ template "resources" . }} + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + - name: credential-socket + mountPath: /var/run/secrets/credential-uds + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + - mountPath: /var/run/secrets/istio/crl + name: istio-ca-crl + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - mountPath: /etc/istio/custom-bootstrap + name: custom-bootstrap-volume + {{- end }} + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - mountPath: /etc/certs/ + name: istio-certs + readOnly: true + {{- end }} + - name: istio-podinfo + mountPath: /etc/istio/pod + {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} + - mountPath: {{ directory .ProxyConfig.GetTracing.GetTlsSettings.GetCaCertificates }} + name: lightstep-certs + readOnly: true + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount` }} + {{ range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolumeMount`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 6 }} + {{ end }} + {{- end }} + volumes: + - emptyDir: + name: workload-socket + - emptyDir: + name: credential-socket + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- else }} + - emptyDir: + name: workload-certs + {{- end }} + {{- if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} + - name: custom-bootstrap-volume + configMap: + name: {{ annotation .ObjectMeta `sidecar.istio.io/bootstrapOverride` "" }} + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + {{- end }} + - name: istio-ca-crl + configMap: + name: istio-ca-crl + optional: true + {{- if .Values.global.mountMtlsCerts }} + # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. + - name: istio-certs + secret: + optional: true + {{ if eq .Spec.ServiceAccountName "" }} + secretName: istio.default + {{ else -}} + secretName: {{ printf "istio.%s" .Spec.ServiceAccountName }} + {{ end -}} + {{- end }} + {{- if isset .ObjectMeta.Annotations `sidecar.istio.io/userVolume` }} + {{range $index, $value := fromJSON (index .ObjectMeta.Annotations `sidecar.istio.io/userVolume`) }} + - name: "{{ $index }}" + {{ toYaml $value | indent 4 }} + {{ end }} + {{ end }} + {{- if and (eq .Values.global.proxy.tracer "lightstep") .ProxyConfig.GetTracing.GetTlsSettings }} + - name: lightstep-certs + secret: + optional: true + secretName: lightstep.cacert + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/kube-gateway.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/kube-gateway.yaml new file mode 100644 index 0000000000..8a34ea8a8c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/kube-gateway.yaml @@ -0,0 +1,407 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{.ServiceAccount | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.networking.k8s.io/gateway-class-name" .GatewayClass + ) | nindent 4 }} + {{- if ge .KubeVersion 128 }} + # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" + {{- end }} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.networking.k8s.io/gateway-class-name" .GatewayClass + "gateway.istio.io/managed" "istio.io-gateway-controller" + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: "{{.UID}}" +spec: + selector: + matchLabels: + "{{.GatewayNameLabel}}": {{.Name}} + template: + metadata: + annotations: + {{- toJsonMap + (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") + (strdict "istio.io/rev" (.Revision | default "default")) + (strdict + "prometheus.io/path" "/stats/prometheus" + "prometheus.io/port" "15020" + "prometheus.io/scrape" "true" + ) | nindent 8 }} + labels: + {{- toJsonMap + (strdict + "sidecar.istio.io/inject" "false" + "service.istio.io/canonical-name" .DeploymentName + "service.istio.io/canonical-revision" "latest" + ) + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.networking.k8s.io/gateway-class-name" .GatewayClass + "gateway.istio.io/managed" "istio.io-gateway-controller" + ) | nindent 8 }} + spec: + securityContext: + {{- if .Values.gateways.securityContext }} + {{- toYaml .Values.gateways.securityContext | nindent 8 }} + {{- else }} + sysctls: + - name: net.ipv4.ip_unprivileged_port_start + value: "0" + {{- if .Values.gateways.seccompProfile }} + seccompProfile: + {{- toYaml .Values.gateways.seccompProfile | nindent 10 }} + {{- end }} + {{- end }} + serviceAccountName: {{.ServiceAccount | quote}} + containers: + - name: istio-proxy + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + {{- if .Values.global.proxy.resources }} + resources: + {{- toYaml .Values.global.proxy.resources | nindent 10 }} + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + securityContext: + capabilities: + drop: + - ALL + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: true + runAsUser: {{ .ProxyUID | default "1337" }} + runAsGroup: {{ .ProxyGID | default "1337" }} + runAsNonRoot: true + ports: + - containerPort: 15020 + name: metrics + protocol: TCP + - containerPort: 15021 + name: status-port + protocol: TCP + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + args: + - proxy + - router + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --proxyLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} + - --proxyComponentLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} + - --log_output_level + - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} + {{- if .Values.global.sts.servicePort }} + - --stsPort={{ .Values.global.sts.servicePort }} + {{- end }} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.lifecycle }} + lifecycle: + {{- toYaml .Values.global.proxy.lifecycle | nindent 10 }} + {{- end }} + env: + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + - name: ISTIO_META_POD_PORTS + value: "[]" + - name: ISTIO_META_APP_CONTAINERS + value: "" + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName .ClusterID }}" + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: ISTIO_META_INTERCEPTION_MODE + value: "{{ .ProxyConfig.InterceptionMode.String }}" + {{- with (valueOrDefault (index .InfrastructureLabels "topology.istio.io/network") .Values.global.network) }} + - name: ISTIO_META_NETWORK + value: {{.|quote}} + {{- end }} + - name: ISTIO_META_WORKLOAD_NAME + value: {{.DeploymentName|quote}} + - name: ISTIO_META_OWNER + value: "kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}}" + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- with (index .InfrastructureLabels "topology.istio.io/network") }} + - name: ISTIO_META_REQUESTED_NETWORK_VIEW + value: {{.|quote}} + {{- end }} + startupProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 1 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + failureThreshold: 4 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 0 + periodSeconds: 15 + successThreshold: 1 + timeoutSeconds: 1 + volumeMounts: + - name: workload-socket + mountPath: /var/run/secrets/workload-spiffe-uds + - name: credential-socket + mountPath: /var/run/secrets/credential-uds + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + mountPath: /var/run/secrets/workload-spiffe-credentials + readOnly: true + {{- else }} + - name: workload-certs + mountPath: /var/run/secrets/workload-spiffe-credentials + {{- end }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + {{- end }} + - mountPath: /var/lib/istio/data + name: istio-data + # SDS channel between istioagent and Envoy + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + - name: istio-podinfo + mountPath: /etc/istio/pod + volumes: + - emptyDir: {} + name: workload-socket + - emptyDir: {} + name: credential-socket + {{- if eq .Values.global.caName "GkeWorkloadCertificate" }} + - name: gke-workload-certificate + csi: + driver: workloadcertificates.security.cloud.google.com + {{- else}} + - emptyDir: {} + name: workload-certs + {{- end }} + # SDS channel between istioagent and Envoy + - emptyDir: + medium: Memory + name: istio-envoy + - name: istio-data + emptyDir: {} + - name: istio-podinfo + downwardAPI: + items: + - path: "labels" + fieldRef: + fieldPath: metadata.labels + - path: "annotations" + fieldRef: + fieldPath: metadata.annotations + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: {{ .Values.global.sds.token.aud }} + {{- if eq .Values.global.pilotCertProvider "istiod" }} + - name: istiod-ca-cert + {{- if eq ((.Values.pilot).env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +--- +apiVersion: v1 +kind: Service +metadata: + annotations: + {{ toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.networking.k8s.io/gateway-class-name" .GatewayClass + ) | nindent 4 }} + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: {{.UID}} +spec: + ipFamilyPolicy: PreferDualStack + ports: + {{- range $key, $val := .Ports }} + - name: {{ $val.Name | quote }} + port: {{ $val.Port }} + protocol: TCP + appProtocol: {{ $val.AppProtocol }} + {{- end }} + selector: + "{{.GatewayNameLabel}}": {{.Name}} + {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} + loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} + {{- end }} + type: {{ .ServiceType | quote }} +--- +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.networking.k8s.io/gateway-class-name" .GatewayClass + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: "{{.UID}}" +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{.DeploymentName | quote}} + maxReplicas: 1 +--- +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.networking.k8s.io/gateway-class-name" .GatewayClass + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: "{{.UID}}" +spec: + selector: + matchLabels: + gateway.networking.k8s.io/gateway-name: {{.Name|quote}} + diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/profile-ambient.yaml new file mode 100644 index 0000000000..495fbcd434 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/profile-ambient.yaml @@ -0,0 +1,24 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" + serviceScopeConfigs: + - servicesSelector: + matchExpressions: + - key: istio.io/global + operator: In + values: ["true"] + scope: GLOBAL +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..d04117bfc0 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,14 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.27 behavioral changes + ENABLE_NATIVE_SIDECARS: "false" + # 1.28 behavioral changes + DISABLE_SHADOW_HOST_SUFFIX: "false" + PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/profile-compatibility-version-1.26.yaml new file mode 100644 index 0000000000..8fe80112bf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/profile-compatibility-version-1.26.yaml @@ -0,0 +1,11 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.27 behavioral changes + ENABLE_NATIVE_SIDECARS: "false" + # 1.28 behavioral changes + DISABLE_SHADOW_HOST_SUFFIX: "false" + PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/profile-compatibility-version-1.27.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/profile-compatibility-version-1.27.yaml new file mode 100644 index 0000000000..209157cccf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/profile-compatibility-version-1.27.yaml @@ -0,0 +1,9 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.28 behavioral changes + DISABLE_SHADOW_HOST_SUFFIX: "false" + PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/profile-demo.yaml new file mode 100644 index 0000000000..d6dc36dd0f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/profile-demo.yaml @@ -0,0 +1,94 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The demo profile enables a variety of things to try out Istio in non-production environments. +# * Lower resource utilization. +# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. +# * More ports enabled on the ingress, which is used in some tasks. +meshConfig: + accessLogFile: /dev/stdout + extensionProviders: + - name: otel + envoyOtelAls: + service: opentelemetry-collector.observability.svc.cluster.local + port: 4317 + - name: skywalking + skywalking: + service: tracing.istio-system.svc.cluster.local + port: 11800 + - name: otel-tracing + opentelemetry: + port: 4317 + service: opentelemetry-collector.observability.svc.cluster.local + - name: jaeger + opentelemetry: + port: 4317 + service: jaeger-collector.istio-system.svc.cluster.local + +cni: + resources: + requests: + cpu: 10m + memory: 40Mi + +ztunnel: + resources: + requests: + cpu: 10m + memory: 40Mi + +global: + proxy: + resources: + requests: + cpu: 10m + memory: 40Mi + waypoint: + resources: + requests: + cpu: 10m + memory: 40Mi + +pilot: + autoscaleEnabled: false + traceSampling: 100 + resources: + requests: + cpu: 10m + memory: 100Mi + +gateways: + istio-egressgateway: + autoscaleEnabled: false + resources: + requests: + cpu: 10m + memory: 40Mi + istio-ingressgateway: + autoscaleEnabled: false + ports: + ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. + # Note that AWS ELB will by default perform health checks on the first port + # on this list. Setting this to the health check port will ensure that health + # checks always work. https://github.com/istio/istio/issues/12503 + - port: 15021 + targetPort: 15021 + name: status-port + - port: 80 + targetPort: 8080 + name: http2 + - port: 443 + targetPort: 8443 + name: https + - port: 31400 + targetPort: 31400 + name: tcp + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + resources: + requests: + cpu: 10m + memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/profile-platform-gke.yaml new file mode 100644 index 0000000000..dfe8a7d741 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/profile-platform-gke.yaml @@ -0,0 +1,10 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work + resourceQuotas: + enabled: true +resourceQuotas: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/profile-platform-k3d.yaml new file mode 100644 index 0000000000..cd86d9ec58 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/profile-platform-k3d.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/profile-platform-k3s.yaml new file mode 100644 index 0000000000..07820106d9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/profile-platform-k3s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/profile-platform-microk8s.yaml new file mode 100644 index 0000000000..57d7f5e3cd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/profile-platform-microk8s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/snap/microk8s/current/args/cni-network + cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/profile-platform-minikube.yaml new file mode 100644 index 0000000000..fa9992e204 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/profile-platform-minikube.yaml @@ -0,0 +1,6 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/profile-platform-openshift.yaml new file mode 100644 index 0000000000..8ddc5e1654 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/profile-platform-openshift.yaml @@ -0,0 +1,19 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The OpenShift profile provides a basic set of settings to run Istio on OpenShift +cni: + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + provider: "multus" +pilot: + cni: + enabled: true + provider: "multus" +seLinuxOptions: + type: spc_t +# Openshift requires privileged pods to run in kube-system +trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/profile-preview.yaml new file mode 100644 index 0000000000..181d7bda2c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/profile-preview.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +meshConfig: + defaultConfig: + proxyMetadata: + # Enable Istio agent to handle DNS requests for known hosts + # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf + ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/profile-remote.yaml new file mode 100644 index 0000000000..d17b9a801a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/profile-remote.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. +istiodRemote: + enabled: true +configMap: false +telemetry: + enabled: false +global: + # TODO BML maybe a different profile for a configcluster/revisit this + omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/profile-stable.yaml new file mode 100644 index 0000000000..358282e69b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/profile-stable.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The stable profile deploys admission control to ensure that only stable resources and fields are used +# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE +experimental: + stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/waypoint.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/waypoint.yaml new file mode 100644 index 0000000000..7feed59a36 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/files/waypoint.yaml @@ -0,0 +1,405 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{.ServiceAccount | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.networking.k8s.io/gateway-class-name" .GatewayClass + ) | nindent 4 }} + {{- if ge .KubeVersion 128 }} + # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" + {{- end }} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.networking.k8s.io/gateway-class-name" .GatewayClass + "gateway.istio.io/managed" .ControllerLabel + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" +spec: + selector: + matchLabels: + "{{.GatewayNameLabel}}": "{{.Name}}" + template: + metadata: + annotations: + {{- toJsonMap + (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") + (strdict "istio.io/rev" (.Revision | default "default")) + (strdict + "prometheus.io/path" "/stats/prometheus" + "prometheus.io/port" "15020" + "prometheus.io/scrape" "true" + ) | nindent 8 }} + labels: + {{- toJsonMap + (strdict + "sidecar.istio.io/inject" "false" + "istio.io/dataplane-mode" "none" + "service.istio.io/canonical-name" .DeploymentName + "service.istio.io/canonical-revision" "latest" + ) + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.networking.k8s.io/gateway-class-name" .GatewayClass + "gateway.istio.io/managed" .ControllerLabel + ) | nindent 8}} + spec: + {{- if .Values.global.waypoint.affinity }} + affinity: + {{- toYaml .Values.global.waypoint.affinity | nindent 8 }} + {{- end }} + {{- if .Values.global.waypoint.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml .Values.global.waypoint.topologySpreadConstraints | nindent 8 }} + {{- end }} + {{- if .Values.global.waypoint.nodeSelector }} + nodeSelector: + {{- toYaml .Values.global.waypoint.nodeSelector | nindent 8 }} + {{- end }} + {{- if .Values.global.waypoint.tolerations }} + tolerations: + {{- toYaml .Values.global.waypoint.tolerations | nindent 8 }} + {{- end }} + serviceAccountName: {{.ServiceAccount | quote}} + containers: + - name: istio-proxy + ports: + - containerPort: 15020 + name: metrics + protocol: TCP + - containerPort: 15021 + name: status-port + protocol: TCP + - containerPort: 15090 + protocol: TCP + name: http-envoy-prom + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} + image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" + {{- else }} + image: "{{ .ProxyImage }}" + {{- end }} + {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} + args: + - proxy + - waypoint + - --domain + - $(POD_NAMESPACE).svc.{{ .Values.global.proxy.clusterDomain }} + - --serviceCluster + - {{.ServiceAccount}}.$(POD_NAMESPACE) + - --proxyLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/logLevel` .Values.global.proxy.logLevel | quote}} + - --proxyComponentLogLevel + - {{ annotation .ObjectMeta `sidecar.istio.io/componentLogLevel` .Values.global.proxy.componentLogLevel | quote}} + - --log_output_level + - {{ annotation .ObjectMeta `sidecar.istio.io/agentLogLevel` .Values.global.logging.level | quote}} + {{- if .Values.global.logAsJson }} + - --log_as_json + {{- end }} + {{- if .Values.global.proxy.outlierLogPath }} + - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }} + {{- end}} + env: + - name: ISTIO_META_SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: CA_ADDR + {{- if .Values.global.caAddress }} + value: {{ .Values.global.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.global.istioNamespace }}.svc:15012 + {{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: PROXY_CONFIG + value: | + {{ protoToJSON .ProxyConfig }} + {{- if .ProxyConfig.ProxyMetadata }} + {{- range $key, $value := .ProxyConfig.ProxyMetadata }} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: ISTIO_META_CLUSTER_ID + value: "{{ valueOrDefault .Values.global.multiCluster.clusterName `Kubernetes` }}" + {{- $network := valueOrDefault (index .InfrastructureLabels `topology.istio.io/network`) .Values.global.network }} + {{- if $network }} + - name: ISTIO_META_NETWORK + value: "{{ $network }}" + {{- if eq .ControllerLabel "istio.io-eastwest-controller" }} + - name: ISTIO_META_REQUESTED_NETWORK_VIEW + value: "{{ $network }}" + {{- end }} + {{- end }} + - name: ISTIO_META_INTERCEPTION_MODE + value: REDIRECT + - name: ISTIO_META_WORKLOAD_NAME + value: {{.DeploymentName}} + - name: ISTIO_META_OWNER + value: kubernetes://apis/apps/v1/namespaces/{{.Namespace}}/deployments/{{.DeploymentName}} + {{- if .Values.global.meshID }} + - name: ISTIO_META_MESH_ID + value: "{{ .Values.global.meshID }}" + {{- else if (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: ISTIO_META_MESH_ID + value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" + {{- end }} + {{- with (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }} + - name: TRUST_DOMAIN + value: "{{ . }}" + {{- end }} + {{- if .Values.global.waypoint.resources }} + resources: + {{- toYaml .Values.global.waypoint.resources | nindent 10 }} + {{- end }} + startupProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 1 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + failureThreshold: 4 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 0 + periodSeconds: 15 + successThreshold: 1 + timeoutSeconds: 1 + securityContext: + privileged: false + {{- if not (eq .Values.global.platform "openshift") }} + runAsGroup: 1337 + runAsUser: 1337 + {{- end }} + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL +{{- if .Values.gateways.seccompProfile }} + seccompProfile: +{{- toYaml .Values.gateways.seccompProfile | nindent 12 }} +{{- end }} + volumeMounts: + - mountPath: /var/run/secrets/workload-spiffe-uds + name: workload-socket + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + - mountPath: /var/lib/istio/data + name: istio-data + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /var/run/secrets/tokens + name: istio-token + - mountPath: /etc/istio/pod + name: istio-podinfo + volumes: + - emptyDir: {} + name: workload-socket + - emptyDir: + medium: Memory + name: istio-envoy + - emptyDir: + medium: Memory + name: go-proxy-envoy + - emptyDir: {} + name: istio-data + - emptyDir: {} + name: go-proxy-data + - downwardAPI: + items: + - fieldRef: + fieldPath: metadata.labels + path: labels + - fieldRef: + fieldPath: metadata.annotations + path: annotations + name: istio-podinfo + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: istio-ca + expirationSeconds: 43200 + path: istio-token + - name: istiod-ca-cert + {{- if eq (.Values.pilot.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + {{- if .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +--- +apiVersion: v1 +kind: Service +metadata: + annotations: + {{ toJsonMap + (strdict "networking.istio.io/traffic-distribution" "PreferClose") + (omit .InfrastructureAnnotations + "kubectl.kubernetes.io/last-applied-configuration" + "gateway.istio.io/name-override" + "gateway.istio.io/service-account" + "gateway.istio.io/controller-version" + ) | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.networking.k8s.io/gateway-class-name" .GatewayClass + ) | nindent 4 }} + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: "{{.Name}}" + uid: "{{.UID}}" +spec: + ipFamilyPolicy: PreferDualStack + ports: + {{- range $key, $val := .Ports }} + - name: {{ $val.Name | quote }} + port: {{ $val.Port }} + protocol: TCP + appProtocol: {{ $val.AppProtocol }} + {{- end }} + selector: + "{{.GatewayNameLabel}}": "{{.Name}}" + {{- if and (.Spec.Addresses) (eq .ServiceType "LoadBalancer") }} + loadBalancerIP: {{ (index .Spec.Addresses 0).Value | quote}} + {{- end }} + type: {{ .ServiceType | quote }} +--- +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.networking.k8s.io/gateway-class-name" .GatewayClass + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: "{{.UID}}" +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{.DeploymentName | quote}} + maxReplicas: 1 +--- +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{.DeploymentName | quote}} + namespace: {{.Namespace | quote}} + annotations: + {{- toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + labels: + {{- toJsonMap + .InfrastructureLabels + (strdict + "gateway.networking.k8s.io/gateway-name" .Name + "gateway.networking.k8s.io/gateway-class-name" .GatewayClass + ) | nindent 4 }} + ownerReferences: + - apiVersion: gateway.networking.k8s.io/v1beta1 + kind: Gateway + name: {{.Name}} + uid: "{{.UID}}" +spec: + selector: + matchLabels: + gateway.networking.k8s.io/gateway-name: {{.Name|quote}} + diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/NOTES.txt new file mode 100644 index 0000000000..0d07ea7f4c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/NOTES.txt @@ -0,0 +1,82 @@ +"istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}" successfully installed! + +To learn more about the release, try: + $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} + $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} + +Next steps: +{{- $profile := default "" .Values.profile }} +{{- if (eq $profile "ambient") }} + * Get started with ambient: https://istio.io/latest/docs/ops/ambient/getting-started/ + * Review ambient's architecture: https://istio.io/latest/docs/ops/ambient/architecture/ +{{- else }} + * Deploy a Gateway: https://istio.io/latest/docs/setup/additional-setup/gateway/ + * Try out our tasks to get started on common configurations: + * https://istio.io/latest/docs/tasks/traffic-management + * https://istio.io/latest/docs/tasks/security/ + * https://istio.io/latest/docs/tasks/policy-enforcement/ +{{- end }} + * Review the list of actively supported releases, CVE publications and our hardening guide: + * https://istio.io/latest/docs/releases/supported-releases/ + * https://istio.io/latest/news/security/ + * https://istio.io/latest/docs/ops/best-practices/security/ + +For further documentation see https://istio.io website + +{{- + $deps := dict + "global.outboundTrafficPolicy" "meshConfig.outboundTrafficPolicy" + "global.certificates" "meshConfig.certificates" + "global.localityLbSetting" "meshConfig.localityLbSetting" + "global.policyCheckFailOpen" "meshConfig.policyCheckFailOpen" + "global.enableTracing" "meshConfig.enableTracing" + "global.proxy.accessLogFormat" "meshConfig.accessLogFormat" + "global.proxy.accessLogFile" "meshConfig.accessLogFile" + "global.proxy.concurrency" "meshConfig.defaultConfig.concurrency" + "global.proxy.envoyAccessLogService" "meshConfig.defaultConfig.envoyAccessLogService" + "global.proxy.envoyAccessLogService.enabled" "meshConfig.enableEnvoyAccessLogService" + "global.proxy.envoyMetricsService" "meshConfig.defaultConfig.envoyMetricsService" + "global.proxy.protocolDetectionTimeout" "meshConfig.protocolDetectionTimeout" + "global.proxy.holdApplicationUntilProxyStarts" "meshConfig.defaultConfig.holdApplicationUntilProxyStarts" + "pilot.ingress" "meshConfig.ingressService, meshConfig.ingressControllerMode, and meshConfig.ingressClass" + "global.mtls.enabled" "the PeerAuthentication resource" + "global.mtls.auto" "meshConfig.enableAutoMtls" + "global.tracer.lightstep.address" "meshConfig.defaultConfig.tracing.lightstep.address" + "global.tracer.lightstep.accessToken" "meshConfig.defaultConfig.tracing.lightstep.accessToken" + "global.tracer.zipkin.address" "meshConfig.defaultConfig.tracing.zipkin.address" + "global.tracer.datadog.address" "meshConfig.defaultConfig.tracing.datadog.address" + "global.meshExpansion.enabled" "Gateway and other Istio networking resources, such as in samples/multicluster/" + "istiocoredns.enabled" "the in-proxy DNS capturing (ISTIO_META_DNS_CAPTURE)" +}} +{{- range $dep, $replace := $deps }} +{{- /* Complex logic to turn the string above into a null-safe traversal like ((.Values.global).certificates */}} +{{- $res := tpl (print "{{" (repeat (split "." $dep | len) "(") ".Values." (replace "." ")." $dep) ")}}") $}} +{{- if not (eq $res "")}} +WARNING: {{$dep|quote}} is deprecated; use {{$replace|quote}} instead. +{{- end }} +{{- end }} +{{- + $failDeps := dict + "telemetry.v2.prometheus.configOverride" + "telemetry.v2.stackdriver.configOverride" + "telemetry.v2.stackdriver.disableOutbound" + "telemetry.v2.stackdriver.outboundAccessLogging" + "global.tracer.stackdriver.debug" "meshConfig.defaultConfig.tracing.stackdriver.debug" + "global.tracer.stackdriver.maxNumberOfAttributes" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAttributes" + "global.tracer.stackdriver.maxNumberOfAnnotations" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAnnotations" + "global.tracer.stackdriver.maxNumberOfMessageEvents" "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfMessageEvents" + "meshConfig.defaultConfig.tracing.stackdriver.debug" "Istio supported tracers" + "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAttributes" "Istio supported tracers" + "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfAnnotations" "Istio supported tracers" + "meshConfig.defaultConfig.tracing.stackdriver.maxNumberOfMessageEvents" "Istio supported tracers" +}} +{{- range $dep, $replace := $failDeps }} +{{- /* Complex logic to turn the string above into a null-safe traversal like ((.Values.global).certificates */}} +{{- $res := tpl (print "{{" (repeat (split "." $dep | len) "(") ".Values." (replace "." ")." $dep) ")}}") $}} +{{- if not (eq $res "")}} +{{fail (print $dep " is removed")}} +{{- end }} +{{- end }} +{{- if eq $.Values.global.pilotCertProvider "kubernetes" }} +{{- fail "pilotCertProvider=kubernetes is not supported" }} +{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/_helpers.tpl new file mode 100644 index 0000000000..042c92538d --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/_helpers.tpl @@ -0,0 +1,23 @@ +{{/* Default Prometheus is enabled if its enabled and there are no config overrides set */}} +{{ define "default-prometheus" }} +{{- and + (not .Values.meshConfig.defaultProviders) + .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.prometheus.enabled +}} +{{- end }} + +{{/* SD has metrics and logging split. Default metrics are enabled if SD is enabled */}} +{{ define "default-sd-metrics" }} +{{- and + (not .Values.meshConfig.defaultProviders) + .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled +}} +{{- end }} + +{{/* SD has metrics and logging split. */}} +{{ define "default-sd-logs" }} +{{- and + (not .Values.meshConfig.defaultProviders) + .Values.telemetry.enabled .Values.telemetry.v2.enabled .Values.telemetry.v2.stackdriver.enabled +}} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/autoscale.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/autoscale.yaml new file mode 100644 index 0000000000..9ab43b5bf0 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/autoscale.yaml @@ -0,0 +1,45 @@ +{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} +# Not created if istiod is running remotely +{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} +{{- if and .Values.autoscaleEnabled .Values.autoscaleMin .Values.autoscaleMax }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +spec: + maxReplicas: {{ .Values.autoscaleMax }} + minReplicas: {{ .Values.autoscaleMin }} + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + metrics: + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.cpu.targetAverageUtilization }} + {{- if .Values.memory.targetAverageUtilization }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.memory.targetAverageUtilization }} + {{- end }} + {{- if .Values.autoscaleBehavior }} + behavior: {{ toYaml .Values.autoscaleBehavior | nindent 4 }} + {{- end }} +--- +{{- end }} +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/clusterrole.yaml new file mode 100644 index 0000000000..3280c96b54 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/clusterrole.yaml @@ -0,0 +1,216 @@ +# Created if cluster resources are not omitted +{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} +{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +rules: + # sidecar injection controller + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update", "patch"] + + # configuration validation webhook controller + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update"] + + # istio configuration + # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382) + # please proceed with caution + - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] + verbs: ["get", "watch", "list"] + resources: ["*"] +{{- if .Values.global.istiod.enableAnalysis }} + - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] + verbs: ["update", "patch"] + resources: + - authorizationpolicies/status + - destinationrules/status + - envoyfilters/status + - gateways/status + - peerauthentications/status + - proxyconfigs/status + - requestauthentications/status + - serviceentries/status + - sidecars/status + - telemetries/status + - virtualservices/status + - wasmplugins/status + - workloadentries/status + - workloadgroups/status +{{- end }} + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "workloadentries" ] + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "workloadentries/status", "serviceentries/status" ] + - apiGroups: ["security.istio.io"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "authorizationpolicies/status" ] + - apiGroups: [""] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "services/status" ] + + # auto-detect installed CRD definitions + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch"] + + # discovery and routing + - apiGroups: [""] + resources: ["pods", "nodes", "services", "namespaces", "endpoints"] + verbs: ["get", "list", "watch"] + - apiGroups: ["discovery.k8s.io"] + resources: ["endpointslices"] + verbs: ["get", "list", "watch"] + +{{- if .Values.taint.enabled }} + - apiGroups: [""] + resources: ["nodes"] + verbs: ["patch"] +{{- end }} + + # ingress controller +{{- if .Values.global.istiod.enableAnalysis }} + - apiGroups: ["extensions", "networking.k8s.io"] + resources: ["ingresses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["extensions", "networking.k8s.io"] + resources: ["ingresses/status"] + verbs: ["*"] +{{- end}} + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses", "ingressclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses/status"] + verbs: ["*"] + + # required for CA's namespace controller + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["create", "get", "list", "watch", "update"] + + # Istiod and bootstrap. +{{- $omitCertProvidersForClusterRole := list "istiod" "custom" "none"}} +{{- if or .Values.env.EXTERNAL_CA (not (has .Values.global.pilotCertProvider $omitCertProvidersForClusterRole)) }} + - apiGroups: ["certificates.k8s.io"] + resources: + - "certificatesigningrequests" + - "certificatesigningrequests/approval" + - "certificatesigningrequests/status" + verbs: ["update", "create", "get", "delete", "watch"] + - apiGroups: ["certificates.k8s.io"] + resources: + - "signers" + resourceNames: +{{- range .Values.global.certSigners }} + - {{ . | quote }} +{{- end }} + verbs: ["approve"] +{{- end}} +{{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + - apiGroups: ["certificates.k8s.io"] + resources: ["clustertrustbundles"] + verbs: ["update", "create", "delete", "list", "watch", "get"] + - apiGroups: ["certificates.k8s.io"] + resources: ["signers"] + resourceNames: ["istio.io/istiod-ca"] + verbs: ["attest"] +{{- end }} + + # Used by Istiod to verify the JWT tokens + - apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] + + # Used by Istiod to verify gateway SDS + - apiGroups: ["authorization.k8s.io"] + resources: ["subjectaccessreviews"] + verbs: ["create"] + + # Use for Kubernetes Service APIs + - apiGroups: ["gateway.networking.k8s.io", "gateway.networking.x-k8s.io"] + resources: ["*"] + verbs: ["get", "watch", "list"] + - apiGroups: ["gateway.networking.x-k8s.io"] + resources: + - xbackendtrafficpolicies/status + - xlistenersets/status + verbs: ["update", "patch"] + - apiGroups: ["gateway.networking.k8s.io"] + resources: + - backendtlspolicies/status + - gatewayclasses/status + - gateways/status + - grpcroutes/status + - httproutes/status + - referencegrants/status + - tcproutes/status + - tlsroutes/status + - udproutes/status + verbs: ["update", "patch"] + - apiGroups: ["gateway.networking.k8s.io"] + resources: ["gatewayclasses"] + verbs: ["create", "update", "patch", "delete"] + - apiGroups: ["inference.networking.k8s.io"] + resources: ["inferencepools"] + verbs: ["get", "watch", "list"] + - apiGroups: ["inference.networking.k8s.io"] + resources: ["inferencepools/status"] + verbs: ["update", "patch"] + + # Needed for multicluster secret reading, possibly ingress certs in the future + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "watch", "list"] + + # Used for MCS serviceexport management + - apiGroups: ["{{ $mcsAPIGroup }}"] + resources: ["serviceexports"] + verbs: [ "get", "watch", "list", "create", "delete"] + + # Used for MCS serviceimport management + - apiGroups: ["{{ $mcsAPIGroup }}"] + resources: ["serviceimports"] + verbs: ["get", "watch", "list"] +--- +{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +rules: + - apiGroups: ["apps"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "deployments" ] + - apiGroups: ["autoscaling"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "horizontalpodautoscalers" ] + - apiGroups: ["policy"] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "poddisruptionbudgets" ] + - apiGroups: [""] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "services" ] + - apiGroups: [""] + verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] + resources: [ "serviceaccounts"] +{{- end }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/clusterrolebinding.yaml new file mode 100644 index 0000000000..0ca21b9576 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/clusterrolebinding.yaml @@ -0,0 +1,43 @@ +# Created if cluster resources are not omitted +{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} +subjects: + - kind: ServiceAccount + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} +--- +{{- if not (eq (toString .Values.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} +subjects: +- kind: ServiceAccount + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} +{{- end }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/configmap-jwks.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/configmap-jwks.yaml new file mode 100644 index 0000000000..45943d3839 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/configmap-jwks.yaml @@ -0,0 +1,20 @@ +{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} +# Not created if istiod is running remotely +{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} +{{- if .Values.jwksResolverExtraRootCA }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + release: {{ .Release.Name }} + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +data: + extra.pem: {{ .Values.jwksResolverExtraRootCA | quote }} +{{- end }} +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/configmap-values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/configmap-values.yaml new file mode 100644 index 0000000000..dcd1e3530c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/configmap-values.yaml @@ -0,0 +1,21 @@ +{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: values{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + annotations: + kubernetes.io/description: This ConfigMap contains the Helm values used during chart rendering. This ConfigMap is rendered for debugging purposes and external tooling; modifying these values has no effect. + labels: + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +data: + original-values: |- +{{ .Values._original | toPrettyJson | indent 4 }} +{{- $_ := unset $.Values "_original" }} + merged-values: |- +{{ .Values | toPrettyJson | indent 4 }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/configmap.yaml new file mode 100644 index 0000000000..a24ff9ee24 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/configmap.yaml @@ -0,0 +1,113 @@ +{{- define "mesh" }} + # The trust domain corresponds to the trust root of a system. + # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain + trustDomain: "cluster.local" + + # The namespace to treat as the administrative root namespace for Istio configuration. + # When processing a leaf namespace Istio will search for declarations in that namespace first + # and if none are found it will search in the root namespace. Any matching declaration found in the root namespace + # is processed as if it were declared in the leaf namespace. + rootNamespace: {{ .Values.meshConfig.rootNamespace | default .Values.global.istioNamespace }} + + {{ $prom := include "default-prometheus" . | eq "true" }} + {{ $sdMetrics := include "default-sd-metrics" . | eq "true" }} + {{ $sdLogs := include "default-sd-logs" . | eq "true" }} + {{- if or $prom $sdMetrics $sdLogs }} + defaultProviders: + {{- if or $prom $sdMetrics }} + metrics: + {{ if $prom }}- prometheus{{ end }} + {{ if and $sdMetrics $sdLogs }}- stackdriver{{ end }} + {{- end }} + {{- if and $sdMetrics $sdLogs }} + accessLogging: + - stackdriver + {{- end }} + {{- end }} + + defaultConfig: + {{- if .Values.global.meshID }} + meshId: "{{ .Values.global.meshID }}" + {{- end }} + {{- with (.Values.global.proxy.variant | default .Values.global.variant) }} + image: + imageType: {{. | quote}} + {{- end }} + {{- if not (eq .Values.global.proxy.tracer "none") }} + tracing: + {{- if eq .Values.global.proxy.tracer "lightstep" }} + lightstep: + # Address of the LightStep Satellite pool + address: {{ .Values.global.tracer.lightstep.address }} + # Access Token used to communicate with the Satellite pool + accessToken: {{ .Values.global.tracer.lightstep.accessToken }} + {{- else if eq .Values.global.proxy.tracer "zipkin" }} + zipkin: + # Address of the Zipkin collector + address: {{ ((.Values.global.tracer).zipkin).address | default (print "zipkin." .Values.global.istioNamespace ":9411") }} + {{- else if eq .Values.global.proxy.tracer "datadog" }} + datadog: + # Address of the Datadog Agent + address: {{ ((.Values.global.tracer).datadog).address | default "$(HOST_IP):8126" }} + {{- else if eq .Values.global.proxy.tracer "stackdriver" }} + stackdriver: + # enables trace output to stdout. + debug: {{ (($.Values.global.tracer).stackdriver).debug | default "false" }} + # The global default max number of attributes per span. + maxNumberOfAttributes: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAttributes | default "200" }} + # The global default max number of annotation events per span. + maxNumberOfAnnotations: {{ (($.Values.global.tracer).stackdriver).maxNumberOfAnnotations | default "200" }} + # The global default max number of message events per span. + maxNumberOfMessageEvents: {{ (($.Values.global.tracer).stackdriver).maxNumberOfMessageEvents | default "200" }} + {{- end }} + {{- end }} + {{- if .Values.global.remotePilotAddress }} + {{- if and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod }} + # only primary `istiod` to xds and local `istiod` injection installs. + discoveryAddress: {{ printf "istiod-remote.%s.svc" .Release.Namespace }}:15012 + {{- else }} + discoveryAddress: {{ printf "istiod.%s.svc" .Release.Namespace }}:15012 + {{- end }} + {{- else }} + discoveryAddress: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{.Release.Namespace}}.svc:15012 + {{- end }} +{{- end }} + +{{/* We take the mesh config above, defined with individual values.yaml, and merge with .Values.meshConfig */}} +{{/* The intent here is that meshConfig.foo becomes the API, rather than re-inventing the API in values.yaml */}} +{{- $originalMesh := include "mesh" . | fromYaml }} +{{- $mesh := mergeOverwrite $originalMesh .Values.meshConfig }} + +{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} +{{- if .Values.configMap }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +data: + + # Configuration file for the mesh networks to be used by the Split Horizon EDS. + meshNetworks: |- + {{- if .Values.global.meshNetworks }} + networks: +{{ toYaml .Values.global.meshNetworks | trim | indent 6 }} + {{- else }} + networks: {} + {{- end }} + + mesh: |- +{{- if .Values.meshConfig }} +{{ $mesh | toYaml | indent 4 }} +{{- else }} +{{- include "mesh" . }} +{{- end }} +--- +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/deployment.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/deployment.yaml new file mode 100644 index 0000000000..15107e745c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/deployment.yaml @@ -0,0 +1,314 @@ +{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} +# Not created if istiod is running remotely +{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + istio: pilot + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +{{- range $key, $val := .Values.deploymentLabels }} + {{ $key }}: "{{ $val }}" +{{- end }} + {{- if .Values.deploymentAnnotations }} + annotations: +{{ toYaml .Values.deploymentAnnotations | indent 4 }} + {{- end }} +spec: +{{- if not .Values.autoscaleEnabled }} +{{- if .Values.replicaCount }} + replicas: {{ .Values.replicaCount }} +{{- end }} +{{- end }} + strategy: + rollingUpdate: + maxSurge: {{ .Values.rollingMaxSurge }} + maxUnavailable: {{ .Values.rollingMaxUnavailable }} + selector: + matchLabels: + {{- if ne .Values.revision "" }} + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + {{- else }} + istio: pilot + {{- end }} + template: + metadata: + labels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + sidecar.istio.io/inject: "false" + operator.istio.io/component: "Pilot" + {{- if ne .Values.revision "" }} + istio: istiod + {{- else }} + istio: pilot + {{- end }} + {{- range $key, $val := .Values.podLabels }} + {{ $key }}: "{{ $val }}" + {{- end }} + istio.io/dataplane-mode: none + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 8 }} + annotations: + prometheus.io/port: "15014" + prometheus.io/scrape: "true" + sidecar.istio.io/inject: "false" + {{- if .Values.podAnnotations }} +{{ toYaml .Values.podAnnotations | indent 8 }} + {{- end }} + spec: +{{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 8 }} +{{- end }} +{{- with .Values.affinity }} + affinity: +{{- toYaml . | nindent 8 }} +{{- end }} + tolerations: + - key: cni.istio.io/not-ready + operator: "Exists" +{{- with .Values.tolerations }} +{{- toYaml . | nindent 8 }} +{{- end }} +{{- with .Values.topologySpreadConstraints }} + topologySpreadConstraints: +{{- toYaml . | nindent 8 }} +{{- end }} + serviceAccountName: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} +{{- if .Values.global.priorityClassName }} + priorityClassName: "{{ .Values.global.priorityClassName }}" +{{- end }} +{{- with .Values.initContainers }} + initContainers: + {{- tpl (toYaml .) $ | nindent 8 }} +{{- end }} + containers: + - name: discovery +{{- if contains "/" .Values.image }} + image: "{{ .Values.image }}" +{{- else }} + image: "{{ .Values.hub | default .Values.global.hub }}/{{ .Values.image | default "pilot" }}:{{ .Values.tag | default .Values.global.tag }}{{with (.Values.variant | default .Values.global.variant)}}-{{.}}{{end}}" +{{- end }} +{{- if .Values.global.imagePullPolicy }} + imagePullPolicy: {{ .Values.global.imagePullPolicy }} +{{- end }} + args: + - "discovery" + - --monitoringAddr=:15014 +{{- if .Values.global.logging.level }} + - --log_output_level={{ .Values.global.logging.level }} +{{- end}} +{{- if .Values.global.logAsJson }} + - --log_as_json +{{- end }} + - --domain + - {{ .Values.global.proxy.clusterDomain }} +{{- if .Values.taint.namespace }} + - --cniNamespace={{ .Values.taint.namespace }} +{{- end }} + - --keepaliveMaxServerConnectionAge + - "{{ .Values.keepaliveMaxServerConnectionAge }}" +{{- if .Values.extraContainerArgs }} + {{- with .Values.extraContainerArgs }} + {{- toYaml . | nindent 10 }} + {{- end }} +{{- end }} + ports: + - containerPort: 8080 + protocol: TCP + name: http-debug + - containerPort: 15010 + protocol: TCP + name: grpc-xds + - containerPort: 15012 + protocol: TCP + name: tls-xds + - containerPort: 15017 + protocol: TCP + name: https-webhooks + - containerPort: 15014 + protocol: TCP + name: http-monitoring + readinessProbe: + httpGet: + path: /ready + port: 8080 + initialDelaySeconds: 1 + periodSeconds: 3 + timeoutSeconds: 5 + env: + - name: REVISION + value: "{{ .Values.revision | default `default` }}" + - name: PILOT_CERT_PROVIDER + value: {{ .Values.global.pilotCertProvider }} + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.serviceAccountName + - name: KUBECONFIG + value: /var/run/secrets/remote/config + # If you explicitly told us where ztunnel lives, use that. + # Otherwise, assume it lives in our namespace + # Also, check for an explicit ENV override (legacy approach) and prefer that + # if present + {{ $ztTrustedNS := or .Values.trustedZtunnelNamespace .Release.Namespace }} + {{ $ztTrustedName := or .Values.trustedZtunnelName "ztunnel" }} + {{- if not .Values.env.CA_TRUSTED_NODE_ACCOUNTS }} + - name: CA_TRUSTED_NODE_ACCOUNTS + value: "{{ $ztTrustedNS }}/{{ $ztTrustedName }}" + {{- end }} + {{- if .Values.env }} + {{- range $key, $val := .Values.env }} + - name: {{ $key }} + value: "{{ $val }}" + {{- end }} + {{- end }} + {{- with .Values.envVarFrom }} + {{- toYaml . | nindent 10 }} + {{- end }} +{{- if .Values.traceSampling }} + - name: PILOT_TRACE_SAMPLING + value: "{{ .Values.traceSampling }}" +{{- end }} +# If externalIstiod is set via Values.Global, then enable the pilot env variable. However, if it's set via Values.pilot.env, then +# don't set it here to avoid duplication. +# TODO (nshankar13): Move from Helm chart to code: https://github.com/istio/istio/issues/52449 +{{- if and .Values.global.externalIstiod (not (and .Values.env .Values.env.EXTERNAL_ISTIOD)) }} + - name: EXTERNAL_ISTIOD + value: "{{ .Values.global.externalIstiod }}" +{{- end }} +{{- if .Values.global.trustBundleName }} + - name: PILOT_CA_CERT_CONFIGMAP + value: "{{ .Values.global.trustBundleName }}" +{{- end }} + - name: PILOT_ENABLE_ANALYSIS + value: "{{ .Values.global.istiod.enableAnalysis }}" + - name: CLUSTER_ID + value: "{{ $.Values.global.multiCluster.clusterName | default `Kubernetes` }}" + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + divisor: "1" + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + divisor: "1" + - name: PLATFORM + value: "{{ coalesce .Values.global.platform .Values.platform }}" + resources: +{{- if .Values.resources }} +{{ toYaml .Values.resources | trim | indent 12 }} +{{- else }} +{{ toYaml .Values.global.defaultResources | trim | indent 12 }} +{{- end }} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - ALL +{{- if .Values.seccompProfile }} + seccompProfile: +{{ toYaml .Values.seccompProfile | trim | indent 14 }} +{{- end }} + volumeMounts: + - name: istio-token + mountPath: /var/run/secrets/tokens + readOnly: true + - name: local-certs + mountPath: /var/run/secrets/istio-dns + - name: cacerts + mountPath: /etc/cacerts + readOnly: true + - name: istio-kubeconfig + mountPath: /var/run/secrets/remote + readOnly: true + {{- if .Values.jwksResolverExtraRootCA }} + - name: extracacerts + mountPath: /cacerts + {{- end }} + - name: istio-csr-dns-cert + mountPath: /var/run/secrets/istiod/tls + readOnly: true + - name: istio-csr-ca-configmap + mountPath: /var/run/secrets/istiod/ca + readOnly: true + {{- with .Values.volumeMounts }} + {{- toYaml . | nindent 10 }} + {{- end }} + volumes: + # Technically not needed on this pod - but it helps debugging/testing SDS + # Should be removed after everything works. + - emptyDir: + medium: Memory + name: local-certs + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: {{ .Values.global.sds.token.aud }} + expirationSeconds: 43200 + path: istio-token + # Optional: user-generated root + - name: cacerts + secret: + secretName: cacerts + optional: true + - name: istio-kubeconfig + secret: + secretName: istio-kubeconfig + optional: true + # Optional: istio-csr dns pilot certs + - name: istio-csr-dns-cert + secret: + secretName: istiod-tls + optional: true + - name: istio-csr-ca-configmap + {{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:{{ .Values.global.trustBundleName | default "root-cert" }} + path: root-cert.pem + optional: true + {{- else }} + configMap: + name: {{ .Values.global.trustBundleName | default "istio-ca-root-cert" }} + defaultMode: 420 + optional: true + {{- end }} + {{- if .Values.jwksResolverExtraRootCA }} + - name: extracacerts + configMap: + name: pilot-jwks-extra-cacerts{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + {{- end }} + {{- with .Values.volumes }} + {{- toYaml . | nindent 6}} + {{- end }} + +--- +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/gateway-class-configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/gateway-class-configmap.yaml new file mode 100644 index 0000000000..9f7cdb01da --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/gateway-class-configmap.yaml @@ -0,0 +1,22 @@ +{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} +{{ range $key, $value := .Values.gatewayClasses }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-{{ $.Values.revision | default "default" }}-gatewayclass-{{$key}} + namespace: {{ $.Release.Namespace }} + labels: + istio.io/rev: {{ $.Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + release: {{ $.Release.Name }} + app.kubernetes.io/name: "istiod" + gateway.istio.io/defaults-for-class: {{$key|quote}} + {{- include "istio.labels" $ | nindent 4 }} +data: +{{ range $kind, $overlay := $value }} + {{$kind}}: | +{{$overlay|toYaml|trim|indent 4}} +{{ end }} +--- +{{ end }} +{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/istiod-injector-configmap.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/istiod-injector-configmap.yaml new file mode 100644 index 0000000000..a5a6cf9ae8 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/istiod-injector-configmap.yaml @@ -0,0 +1,83 @@ +{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} +{{- if not .Values.global.omitSidecarInjectorConfigMap }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +data: +{{/* Scope the values to just top level fields used in the template, to reduce the size. */}} + values: |- +{{ $vals := pick .Values "global" "sidecarInjectorWebhook" "revision" -}} +{{ $pilotVals := pick .Values "cni" "env" -}} +{{ $vals = set $vals "pilot" $pilotVals -}} +{{ $gatewayVals := pick .Values.gateways "securityContext" "seccompProfile" -}} +{{ $vals = set $vals "gateways" $gatewayVals -}} +{{ $vals | toPrettyJson | indent 4 }} + + # To disable injection: use omitSidecarInjectorConfigMap, which disables the webhook patching + # and istiod webhook functionality. + # + # New fields should not use Values - it is a 'primary' config object, users should be able + # to fine tune it or use it with kube-inject. + config: |- + # defaultTemplates defines the default template to use for pods that do not explicitly specify a template + {{- if .Values.sidecarInjectorWebhook.defaultTemplates }} + defaultTemplates: +{{- range .Values.sidecarInjectorWebhook.defaultTemplates}} + - {{ . }} +{{- end }} + {{- else }} + defaultTemplates: [sidecar] + {{- end }} + policy: {{ .Values.global.proxy.autoInject }} + alwaysInjectSelector: +{{ toYaml .Values.sidecarInjectorWebhook.alwaysInjectSelector | trim | indent 6 }} + neverInjectSelector: +{{ toYaml .Values.sidecarInjectorWebhook.neverInjectSelector | trim | indent 6 }} + injectedAnnotations: + {{- range $key, $val := .Values.sidecarInjectorWebhook.injectedAnnotations }} + "{{ $key }}": {{ $val | quote }} + {{- end }} + {{- /* If someone ends up with this new template, but an older Istiod image, they will attempt to render this template + which will fail with "Pod injection failed: template: inject:1: function "Istio_1_9_Required_Template_And_Version_Mismatched" not defined". + This should make it obvious that their installation is broken. + */}} + template: {{ `{{ Template_Version_And_Istio_Version_Mismatched_Check_Installation }}` | quote }} + templates: +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "sidecar") }} + sidecar: | +{{ .Files.Get "files/injection-template.yaml" | trim | indent 8 }} +{{- end }} +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "gateway") }} + gateway: | +{{ .Files.Get "files/gateway-injection-template.yaml" | trim | indent 8 }} +{{- end }} +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-simple") }} + grpc-simple: | +{{ .Files.Get "files/grpc-simple.yaml" | trim | indent 8 }} +{{- end }} +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "grpc-agent") }} + grpc-agent: | +{{ .Files.Get "files/grpc-agent.yaml" | trim | indent 8 }} +{{- end }} +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "waypoint") }} + waypoint: | +{{ .Files.Get "files/waypoint.yaml" | trim | indent 8 }} +{{- end }} +{{- if not (hasKey .Values.sidecarInjectorWebhook.templates "kube-gateway") }} + kube-gateway: | +{{ .Files.Get "files/kube-gateway.yaml" | trim | indent 8 }} +{{- end }} +{{- with .Values.sidecarInjectorWebhook.templates }} +{{ toYaml . | trim | indent 6 }} +{{- end }} + +{{- end }} +{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/mutatingwebhook.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/mutatingwebhook.yaml new file mode 100644 index 0000000000..26a6c8f00d --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/mutatingwebhook.yaml @@ -0,0 +1,167 @@ +# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that. +{{- /* Core defines the common configuration used by all webhook segments */}} +{{/* Copy just what we need to avoid expensive deepCopy */}} +{{- $whv := dict +"revision" .Values.revision + "injectionPath" .Values.istiodRemote.injectionPath + "injectionURL" .Values.istiodRemote.injectionURL + "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy + "caBundle" .Values.istiodRemote.injectionCABundle + "namespace" .Release.Namespace }} +{{- define "core" }} +{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign +a unique prefix to each. */}} +- name: {{.Prefix}}sidecar-injector.istio.io + clientConfig: + {{- if .injectionURL }} + url: "{{ .injectionURL }}" + {{- else }} + service: + name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} + namespace: {{ .namespace }} + path: "{{ .injectionPath }}" + port: 443 + {{- end }} + {{- if .caBundle }} + caBundle: "{{ .caBundle }}" + {{- end }} + sideEffects: None + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + reinvocationPolicy: "{{ .reinvocationPolicy }}" + admissionReviewVersions: ["v1"] +{{- end }} + +{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} +{{- /* Installed for each revision - not installed for cluster resources ( cluster roles, bindings, crds) */}} +{{- if not .Values.global.operatorManageWebhooks }} +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: +{{- if eq .Release.Namespace "istio-system"}} + name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} +{{- else }} + name: istio-sidecar-injector{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} +{{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app: sidecar-injector + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +{{- if $.Values.sidecarInjectorWebhookAnnotations }} + annotations: +{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }} +{{- end }} +webhooks: +{{- /* Set up the selectors. First section is for revision, rest is for "default" revision */}} + +{{- /* Case 1: namespace selector matches, and object doesn't disable */}} +{{- /* Note: if both revision and legacy selector, we give precedence to the legacy one */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + {{- if (eq .Values.revision "") }} + - "default" + {{- else }} + - "{{ .Values.revision }}" + {{- end }} + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + +{{- /* Case 2: No namespace selector, but object selects our revision (and doesn't disable) */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: DoesNotExist + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + - key: istio.io/rev + operator: In + values: + {{- if (eq .Values.revision "") }} + - "default" + {{- else }} + - "{{ .Values.revision }}" + {{- end }} + + +{{- /* Webhooks for default revision */}} +{{- if (eq .Values.revision "") }} + +{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: In + values: + - enabled + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + +{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: In + values: + - "true" + - key: istio.io/rev + operator: DoesNotExist + +{{- if .Values.sidecarInjectorWebhook.enableNamespacesByDefault }} +{{- /* Special case 3: no labels at all */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + - key: "kubernetes.io/metadata.name" + operator: "NotIn" + values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist +{{- end }} + +{{- end }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/networkpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/networkpolicy.yaml new file mode 100644 index 0000000000..e844d5e5de --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/networkpolicy.yaml @@ -0,0 +1,47 @@ +{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} +{{- if (.Values.global.networkPolicy).enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + istio: pilot + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + policyTypes: + - Ingress + - Egress + ingress: + # Webhook from kube-apiserver + - from: [] + ports: + - protocol: TCP + port: 15017 + # xDS from potentially anywhere + - from: [] + ports: + - protocol: TCP + port: 15010 + - protocol: TCP + port: 15011 + - protocol: TCP + port: 15012 + - protocol: TCP + port: 8080 + - protocol: TCP + port: 15014 + # Allow all egress (needed because features like JWKS require connections to user-defined endpoints) + egress: + - {} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/poddisruptionbudget.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/poddisruptionbudget.yaml new file mode 100644 index 0000000000..c8c55822f6 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/poddisruptionbudget.yaml @@ -0,0 +1,41 @@ +{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} +# Not created if istiod is running remotely +{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} +{{- if .Values.global.defaultPodDisruptionBudget.enabled }} +# a workaround for https://github.com/kubernetes/kubernetes/issues/93476 +{{- if or (and .Values.autoscaleEnabled (gt (int .Values.autoscaleMin) 1)) (and (not .Values.autoscaleEnabled) (gt (int .Values.replicaCount) 1)) }} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + release: {{ .Release.Name }} + istio: pilot + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +spec: + {{- if and .Values.pdb.minAvailable (not (hasKey .Values.pdb "maxUnavailable")) }} + minAvailable: {{ .Values.pdb.minAvailable }} + {{- else if .Values.pdb.maxUnavailable }} + maxUnavailable: {{ .Values.pdb.maxUnavailable }} + {{- end }} + {{- if .Values.pdb.unhealthyPodEvictionPolicy }} + unhealthyPodEvictionPolicy: {{ .Values.pdb.unhealthyPodEvictionPolicy }} + {{- end }} + selector: + matchLabels: + app: istiod + {{- if ne .Values.revision "" }} + istio.io/rev: {{ .Values.revision | quote }} + {{- else }} + istio: pilot + {{- end }} +--- +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/reader-clusterrole.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/reader-clusterrole.yaml new file mode 100644 index 0000000000..e0b0ff42a4 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/reader-clusterrole.yaml @@ -0,0 +1,65 @@ +# Created if cluster resources are not omitted +{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} +{{ $mcsAPIGroup := or .Values.env.MCS_API_GROUP "multicluster.x-k8s.io" }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istio-reader + release: {{ .Release.Name }} + app.kubernetes.io/name: "istio-reader" + {{- include "istio.labels" . | nindent 4 }} +rules: + - apiGroups: + - "config.istio.io" + - "security.istio.io" + - "networking.istio.io" + - "authentication.istio.io" + - "rbac.istio.io" + - "telemetry.istio.io" + - "extensions.istio.io" + resources: ["*"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"] + verbs: ["get", "list", "watch"] + - apiGroups: ["networking.istio.io"] + verbs: [ "get", "watch", "list" ] + resources: [ "workloadentries" ] + - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] + resources: ["gateways"] + verbs: ["get", "watch", "list"] + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch"] + - apiGroups: ["discovery.k8s.io"] + resources: ["endpointslices"] + verbs: ["get", "list", "watch"] + - apiGroups: ["{{ $mcsAPIGroup }}"] + resources: ["serviceexports"] + verbs: ["get", "list", "watch", "create", "delete"] + - apiGroups: ["{{ $mcsAPIGroup }}"] + resources: ["serviceimports"] + verbs: ["get", "list", "watch"] + - apiGroups: ["apps"] + resources: ["replicasets"] + verbs: ["get", "list", "watch"] + - apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] + - apiGroups: ["authorization.k8s.io"] + resources: ["subjectaccessreviews"] + verbs: ["create"] +{{- if .Values.istiodRemote.enabled }} + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["create", "get", "list", "watch", "update"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update"] +{{- end}} +{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/reader-clusterrolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/reader-clusterrolebinding.yaml new file mode 100644 index 0000000000..624f00dce6 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/reader-clusterrolebinding.yaml @@ -0,0 +1,20 @@ +# Created if cluster resources are not omitted +{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} + labels: + app: istio-reader + release: {{ .Release.Name }} + app.kubernetes.io/name: "istio-reader" + {{- include "istio.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} +subjects: + - kind: ServiceAccount + name: istio-reader-service-account + namespace: {{ .Values.global.istioNamespace }} +{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/remote-istiod-endpointslices.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/remote-istiod-endpointslices.yaml new file mode 100644 index 0000000000..e2f4ff03b6 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/remote-istiod-endpointslices.yaml @@ -0,0 +1,42 @@ +{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} +{{- if and .Values.global.remotePilotAddress .Values.istiodRemote.enabled }} +# if the remotePilotAddress is an IP addr +{{- if regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress }} +apiVersion: discovery.k8s.io/v1 +kind: EndpointSlice +metadata: + {{- if .Values.istiodRemote.enabledLocalInjectorIstiod }} + # This file is only used for remote `istiod` installs. + # only primary `istiod` to xds and local `istiod` injection installs. + name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote + {{- else }} + name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }} + {{- end }} + namespace: {{ .Release.Namespace }} + labels: + {{- if .Values.istiodRemote.enabledLocalInjectorIstiod }} + # only primary `istiod` to xds and local `istiod` injection installs. + kubernetes.io/service-name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote + {{- else }} + kubernetes.io/service-name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }} + {{- end }} + {{- if .Release.Service }} + endpointslice.kubernetes.io/managed-by: {{ .Release.Service | quote }} + {{- end }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +addressType: IPv4 +endpoints: +- addresses: + - {{ .Values.global.remotePilotAddress }} +ports: +- port: 15012 + name: tcp-istiod + protocol: TCP +- port: 15017 + name: tcp-webhook + protocol: TCP +--- +{{- end }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/remote-istiod-service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/remote-istiod-service.yaml new file mode 100644 index 0000000000..ab14497bac --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/remote-istiod-service.yaml @@ -0,0 +1,43 @@ +{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} +# This file is only used for remote +{{- if and .Values.global.remotePilotAddress .Values.istiodRemote.enabled }} +apiVersion: v1 +kind: Service +metadata: + {{- if .Values.istiodRemote.enabledLocalInjectorIstiod }} + # only primary `istiod` to xds and local `istiod` injection installs. + name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }}-remote + {{- else }} + name: istiod{{- if .Values.revision }}-{{ .Values.revision}}{{- end }} + {{- end }} + namespace: {{ .Release.Namespace }} + labels: + istio.io/rev: {{ .Values.revision | default "default" | quote }} + app.kubernetes.io/name: "istiod" + {{ include "istio.labels" . | nindent 4 }} +spec: + ports: + - port: 15012 + name: tcp-istiod + protocol: TCP + - port: 443 + targetPort: 15017 + name: tcp-webhook + protocol: TCP + {{- if and .Values.global.remotePilotAddress (not (regexMatch "^([0-9]*\\.){3}[0-9]*$" .Values.global.remotePilotAddress)) }} + # if the remotePilotAddress is not an IP addr, we use ExternalName + type: ExternalName + externalName: {{ .Values.global.remotePilotAddress }} + {{- end }} +{{- if .Values.global.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.global.ipFamilyPolicy }} +{{- end }} +{{- if .Values.global.ipFamilies }} + ipFamilies: +{{- range .Values.global.ipFamilies }} + - {{ . }} +{{- end }} +{{- end }} +--- +{{- end }} +{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/revision-tags-mwc.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/revision-tags-mwc.yaml new file mode 100644 index 0000000000..556bb2f1e9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/revision-tags-mwc.yaml @@ -0,0 +1,154 @@ +# Adapted from istio-discovery/templates/mutatingwebhook.yaml +# Removed paths for legacy and default selectors since a revision tag +# is inherently created from a specific revision +# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that. +{{- $whv := dict +"revision" .Values.revision + "injectionPath" .Values.istiodRemote.injectionPath + "injectionURL" .Values.istiodRemote.injectionURL + "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy + "caBundle" .Values.istiodRemote.injectionCABundle + "namespace" .Release.Namespace }} +{{- define "core" }} +{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign +a unique prefix to each. */}} +- name: {{.Prefix}}sidecar-injector.istio.io + clientConfig: + {{- if .injectionURL }} + url: "{{ .injectionURL }}" + {{- else }} + service: + name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} + namespace: {{ .namespace }} + path: "{{ .injectionPath }}" + port: 443 + {{- end }} + sideEffects: None + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + reinvocationPolicy: "{{ .reinvocationPolicy }}" + admissionReviewVersions: ["v1"] +{{- end }} + +{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} +{{- if not .Values.global.operatorManageWebhooks }} +{{- range $tagName := $.Values.revisionTags }} +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: +{{- if eq $.Release.Namespace "istio-system"}} + name: istio-revision-tag-{{ $tagName }} +{{- else }} + name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }} +{{- end }} + labels: + istio.io/tag: {{ $tagName }} + istio.io/rev: {{ $.Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app: sidecar-injector + release: {{ $.Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" $ | nindent 4 }} +{{- if $.Values.sidecarInjectorWebhookAnnotations }} + annotations: +{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }} +{{- end }} +webhooks: +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + - "{{ $tagName }}" + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: DoesNotExist + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + - key: istio.io/rev + operator: In + values: + - "{{ $tagName }}" + +{{- /* When the tag is "default" we want to create webhooks for the default revision */}} +{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}} +{{- if (eq $tagName "default") }} + +{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: In + values: + - enabled + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + +{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: In + values: + - "true" + - key: istio.io/rev + operator: DoesNotExist + +{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }} +{{- /* Special case 3: no labels at all */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + - key: "kubernetes.io/metadata.name" + operator: "NotIn" + values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist +{{- end }} + +{{- end }} +--- +{{- end }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/revision-tags-svc.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/revision-tags-svc.yaml new file mode 100644 index 0000000000..5c4826d23e --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/revision-tags-svc.yaml @@ -0,0 +1,57 @@ +{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} +# Adapted from istio-discovery/templates/service.yaml +{{- range $tagName := .Values.revisionTags }} +apiVersion: v1 +kind: Service +metadata: + name: istiod-revision-tag-{{ $tagName }} + namespace: {{ $.Release.Namespace }} + {{- if $.Values.serviceAnnotations }} + annotations: +{{ toYaml $.Values.serviceAnnotations | indent 4 }} + {{- end }} + labels: + istio.io/rev: {{ $.Values.revision | default "default" | quote }} + istio.io/tag: {{ $tagName }} + operator.istio.io/component: "Pilot" + app: istiod + istio: pilot + release: {{ $.Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" $ | nindent 4 }} +spec: + ports: + - port: 15010 + name: grpc-xds # plaintext + protocol: TCP + - port: 15012 + name: https-dns # mTLS with k8s-signed cert + protocol: TCP + - port: 443 + name: https-webhook # validation and injection + targetPort: 15017 + protocol: TCP + - port: 15014 + name: http-monitoring # prometheus stats + protocol: TCP + selector: + app: istiod + {{- if ne $.Values.revision "" }} + istio.io/rev: {{ $.Values.revision | quote }} + {{- else }} + # Label used by the 'default' service. For versioned deployments we match with app and version. + # This avoids default deployment picking the canary + istio: pilot + {{- end }} + {{- if $.Values.ipFamilyPolicy }} + ipFamilyPolicy: {{ $.Values.ipFamilyPolicy }} + {{- end }} + {{- if $.Values.ipFamilies }} + ipFamilies: + {{- range $.Values.ipFamilies }} + - {{ . }} + {{- end }} + {{- end }} +--- +{{- end -}} +{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/role.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/role.yaml new file mode 100644 index 0000000000..8abe608b66 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/role.yaml @@ -0,0 +1,37 @@ +{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +rules: +# permissions to verify the webhook is ready and rejecting +# invalid config. We use --server-dry-run so no config is persisted. +- apiGroups: ["networking.istio.io"] + verbs: ["create"] + resources: ["gateways"] + +# For storing CA secret +- apiGroups: [""] + resources: ["secrets"] + # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config + verbs: ["create", "get", "watch", "list", "update", "delete"] + +# For status controller, so it can delete the distribution report configmap +- apiGroups: [""] + resources: ["configmaps"] + verbs: ["delete"] + +# For gateway deployment controller +- apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "update", "patch", "create"] +{{- end }} +{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/rolebinding.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/rolebinding.yaml new file mode 100644 index 0000000000..731964f04d --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/rolebinding.yaml @@ -0,0 +1,23 @@ +{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} +subjects: + - kind: ServiceAccount + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/service.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/service.yaml new file mode 100644 index 0000000000..c3aade8a49 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/service.yaml @@ -0,0 +1,59 @@ +{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} +# Not created if istiod is running remotely +{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled .Values.istiodRemote.enabledLocalInjectorIstiod) }} +apiVersion: v1 +kind: Service +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + {{- if .Values.serviceAnnotations }} + annotations: +{{ toYaml .Values.serviceAnnotations | indent 4 }} + {{- end }} + labels: + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app: istiod + istio: pilot + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +spec: + ports: + - port: 15010 + name: grpc-xds # plaintext + protocol: TCP + - port: 15012 + name: https-dns # mTLS with k8s-signed cert + protocol: TCP + - port: 443 + name: https-webhook # validation and injection + targetPort: 15017 + protocol: TCP + - port: 15014 + name: http-monitoring # prometheus stats + protocol: TCP + selector: + app: istiod + {{- if ne .Values.revision "" }} + istio.io/rev: {{ .Values.revision | quote }} + {{- else }} + # Label used by the 'default' service. For versioned deployments we match with app and version. + # This avoids default deployment picking the canary + istio: pilot + {{- end }} + {{- if .Values.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.ipFamilyPolicy }} + {{- end }} + {{- if .Values.ipFamilies }} + ipFamilies: + {{- range .Values.ipFamilies }} + - {{ . }} + {{- end }} + {{- end }} + {{- if .Values.trafficDistribution }} + trafficDistribution: {{ .Values.trafficDistribution }} + {{- end }} +--- +{{- end }} +{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/serviceaccount.yaml new file mode 100644 index 0000000000..ee40eedf81 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/serviceaccount.yaml @@ -0,0 +1,26 @@ +{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} +apiVersion: v1 +kind: ServiceAccount + {{- if .Values.global.imagePullSecrets }} +imagePullSecrets: + {{- range .Values.global.imagePullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +metadata: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} + {{- if .Values.serviceAccountAnnotations }} + annotations: +{{- toYaml .Values.serviceAccountAnnotations | nindent 4 }} + {{- end }} +{{- end }} +--- +{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/validatingadmissionpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/validatingadmissionpolicy.yaml new file mode 100644 index 0000000000..838d9fbaf7 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/validatingadmissionpolicy.yaml @@ -0,0 +1,65 @@ +{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} +{{- if .Values.experimental.stableValidationPolicy }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicy +metadata: + name: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" + labels: + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +spec: + failurePolicy: Fail + matchConstraints: + resourceRules: + - apiGroups: + - security.istio.io + - networking.istio.io + - telemetry.istio.io + - extensions.istio.io + apiVersions: ["*"] + operations: ["CREATE", "UPDATE"] + resources: ["*"] + objectSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + {{- if (eq .Values.revision "") }} + - "default" + {{- else }} + - "{{ .Values.revision }}" + {{- end }} + variables: + - name: isEnvoyFilter + expression: "object.kind == 'EnvoyFilter'" + - name: isWasmPlugin + expression: "object.kind == 'WasmPlugin'" + - name: isProxyConfig + expression: "object.kind == 'ProxyConfig'" + - name: isTelemetry + expression: "object.kind == 'Telemetry'" + validations: + - expression: "!variables.isEnvoyFilter" + - expression: "!variables.isWasmPlugin" + - expression: "!variables.isProxyConfig" + - expression: | + !( + variables.isTelemetry && ( + (has(object.spec.tracing) ? object.spec.tracing : {}).exists(t, has(t.useRequestIdForTraceSampling)) || + (has(object.spec.metrics) ? object.spec.metrics : {}).exists(m, has(m.reportingInterval)) || + (has(object.spec.accessLogging) ? object.spec.accessLogging : {}).exists(l, has(l.filter)) + ) + ) +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingAdmissionPolicyBinding +metadata: + name: "stable-channel-policy-binding{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" +spec: + policyName: "stable-channel-policy{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }}.istio.io" + validationActions: [Deny] +{{- end }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/validatingwebhookconfiguration.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/validatingwebhookconfiguration.yaml new file mode 100644 index 0000000000..6903b29b50 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/validatingwebhookconfiguration.yaml @@ -0,0 +1,70 @@ +{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} +# Created if this is not a remote istiod, OR if it is and is also a config cluster +{{- if or (not .Values.istiodRemote.enabled) (and .Values.istiodRemote.enabled (or .Values.global.configCluster .Values.istiodRemote.enabledLocalInjectorIstiod)) }} +{{- if .Values.global.configValidation }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: istio-validator{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}-{{ .Values.global.istioNamespace }} + labels: + app: istiod + release: {{ .Release.Name }} + istio: istiod + istio.io/rev: {{ .Values.revision | default "default" | quote }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" . | nindent 4 }} +webhooks: + # Webhook handling per-revision validation. Mostly here so we can determine whether webhooks + # are rejecting invalid configs on a per-revision basis. + - name: rev.validation.istio.io + clientConfig: + # Should change from base but cannot for API compat + {{- if .Values.base.validationURL }} + url: {{ .Values.base.validationURL }} + {{- else }} + service: + name: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Values.global.istioNamespace }} + path: "/validate" + {{- end }} + {{- if .Values.base.validationCABundle }} + caBundle: "{{ .Values.base.validationCABundle }}" + {{- end }} + rules: + - operations: + - CREATE + - UPDATE + apiGroups: + - security.istio.io + - networking.istio.io + - telemetry.istio.io + - extensions.istio.io + apiVersions: + - "*" + resources: + - "*" + {{- if .Values.base.validationCABundle }} + # Disable webhook controller in Pilot to stop patching it + failurePolicy: Fail + {{- else }} + # Fail open until the validation webhook is ready. The webhook controller + # will update this to `Fail` and patch in the `caBundle` when the webhook + # endpoint is ready. + failurePolicy: Ignore + {{- end }} + sideEffects: None + admissionReviewVersions: ["v1"] + objectSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + {{- if (eq .Values.revision "") }} + - "default" + {{- else }} + - "{{ .Values.revision }}" + {{- end }} +--- +{{- end }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/zzy_descope_legacy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/zzy_descope_legacy.yaml new file mode 100644 index 0000000000..73202418ca --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/zzy_descope_legacy.yaml @@ -0,0 +1,3 @@ +{{/* Copy anything under `.pilot` to `.`, to avoid the need to specify a redundant prefix. +Due to the file naming, this always happens after zzz_profile.yaml */}} +{{- $_ := mustMergeOverwrite $.Values (index $.Values "pilot") }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/zzz_profile.yaml new file mode 100644 index 0000000000..3d84956485 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/templates/zzz_profile.yaml @@ -0,0 +1,75 @@ +{{/* +WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. +The original version of this file is located at /manifests directory. +If you want to make a change in this file, edit the original one and run "make gen". + +Complex logic ahead... +We have three sets of values, in order of precedence (last wins): +1. The builtin values.yaml defaults +2. The profile the user selects +3. Users input (-f or --set) + +Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). + +However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). +We can then merge the profile onto the defaults, then the user settings onto that. +Finally, we can set all of that under .Values so the chart behaves without awareness. +*/}} +{{- if $.Values.defaults}} +{{ fail (cat + "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" + ($.Values.defaults | toYaml |nindent 4) +) }} +{{- end }} +{{- $defaults := $.Values._internal_defaults_do_not_set }} +{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} +{{- $profile := dict }} +{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} +{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} +{{- $profile = (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown profile" .) }} +{{- end }} +{{- end }} +{{- with .Values.compatibilityVersion }} +{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} +{{- end }} +{{- end }} +{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} +{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown platform" .) }} +{{- end }} +{{- end }} +{{- if $profile }} +{{- $a := mustMergeOverwrite $defaults $profile }} +{{- end }} +# Flatten globals, if defined on a per-chart basis +{{- if false }} +{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} +{{- end }} +{{- $x := set $.Values "_original" (deepCopy $.Values) }} +{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} + +{{/* +Labels that should be applied to ALL resources. +*/}} +{{- define "istio.labels" -}} +{{- if .Release.Service -}} +app.kubernetes.io/managed-by: {{ .Release.Service | quote }} +{{- end }} +{{- if .Release.Name }} +app.kubernetes.io/instance: {{ .Release.Name | quote }} +{{- end }} +app.kubernetes.io/part-of: "istio" +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +{{- if and .Chart.Name .Chart.Version }} +helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/values.yaml new file mode 100644 index 0000000000..4a199a17c7 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/istiod/values.yaml @@ -0,0 +1,583 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + autoscaleEnabled: true + autoscaleMin: 1 + autoscaleMax: 5 + autoscaleBehavior: {} + replicaCount: 1 + rollingMaxSurge: 100% + rollingMaxUnavailable: 25% + + hub: "" + tag: "" + variant: "" + + # Can be a full hub/image:tag + image: pilot + traceSampling: 1.0 + + # Resources for a small pilot install + resources: + requests: + cpu: 500m + memory: 2048Mi + + # Set to `type: RuntimeDefault` to use the default profile if available. + seccompProfile: {} + + # Whether to use an existing CNI installation + cni: + enabled: false + provider: default + + # Additional container arguments + extraContainerArgs: [] + + env: {} + + envVarFrom: [] + + # Settings related to the untaint controller + # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready + # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes + taint: + # Controls whether or not the untaint controller is active + enabled: false + # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod + namespace: "" + + affinity: {} + + tolerations: [] + + cpu: + targetAverageUtilization: 80 + memory: {} + # targetAverageUtilization: 80 + + # Additional volumeMounts to the istiod container + volumeMounts: [] + + # Additional volumes to the istiod pod + volumes: [] + + # Inject initContainers into the istiod pod + initContainers: [] + + nodeSelector: {} + podAnnotations: {} + serviceAnnotations: {} + serviceAccountAnnotations: {} + sidecarInjectorWebhookAnnotations: {} + + topologySpreadConstraints: [] + + # You can use jwksResolverExtraRootCA to provide a root certificate + # in PEM format. This will then be trusted by pilot when resolving + # JWKS URIs. + jwksResolverExtraRootCA: "" + + # The following is used to limit how long a sidecar can be connected + # to a pilot. It balances out load across pilot instances at the cost of + # increasing system churn. + keepaliveMaxServerConnectionAge: 30m + + # Additional labels to apply to the deployment. + deploymentLabels: {} + + # Annotations to apply to the istiod deployment. + deploymentAnnotations: {} + + ## Mesh config settings + + # Install the mesh config map, generated from values.yaml. + # If false, pilot wil use default values (by default) or user-supplied values. + configMap: true + + # Additional labels to apply on the pod level for monitoring and logging configuration. + podLabels: {} + + # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + ipFamilyPolicy: "" + ipFamilies: [] + + # Ambient mode only. + # Set this if you install ztunnel to a different namespace from `istiod`. + # If set, `istiod` will allow connections from trusted node proxy ztunnels + # in the provided namespace. + # If unset, `istiod` will assume the trusted node proxy ztunnel resides + # in the same namespace as itself. + trustedZtunnelNamespace: "" + # Set this if you install ztunnel with a name different from the default. + trustedZtunnelName: "" + + sidecarInjectorWebhook: + # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or + # always skip the injection on pods that match that label selector, regardless of the global policy. + # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions + neverInjectSelector: [] + alwaysInjectSelector: [] + + # injectedAnnotations are additional annotations that will be added to the pod spec after injection + # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations: + # + # annotations: + # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default + # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default + # + # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before + # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify: + # injectedAnnotations: + # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default + # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default + injectedAnnotations: {} + + # This enables injection of sidecar in all namespaces, + # with the exception of namespaces with "istio-injection:disabled" annotation + # Only one environment should have this enabled. + enableNamespacesByDefault: false + + # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run + # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten. + # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur. + reinvocationPolicy: Never + + rewriteAppHTTPProbe: true + + # Templates defines a set of custom injection templates that can be used. For example, defining: + # + # templates: + # hello: | + # metadata: + # labels: + # hello: world + # + # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod + # being injected with the hello=world labels. + # This is intended for advanced configuration only; most users should use the built in template + templates: {} + + # Default templates specifies a set of default templates that are used in sidecar injection. + # By default, a template `sidecar` is always provided, which contains the template of default sidecar. + # To inject other additional templates, define it using the `templates` option, and add it to + # the default templates list. + # For example: + # + # templates: + # hello: | + # metadata: + # labels: + # hello: world + # + # defaultTemplates: ["sidecar", "hello"] + defaultTemplates: [] + istiodRemote: + # If `true`, indicates that this cluster/install should consume a "remote istiod" installation, + # and istiod itself will NOT be installed in this cluster - only the support resources necessary + # to utilize a remote instance. + enabled: false + + # If `true`, indicates that this cluster/install should consume a "local istiod" installation, + # local istiod inject sidecars + enabledLocalInjectorIstiod: false + + # Sidecar injector mutating webhook configuration clientConfig.url value. + # For example: https://$remotePilotAddress:15017/inject + # The host should not refer to a service running in the cluster; use a service reference by specifying + # the clientConfig.service field instead. + injectionURL: "" + + # Sidecar injector mutating webhook configuration path value for the clientConfig.service field. + # Override to pass env variables, for example: /inject/cluster/remote/net/network2 + injectionPath: "/inject" + + injectionCABundle: "" + telemetry: + enabled: true + v2: + # For Null VM case now. + # This also enables metadata exchange. + enabled: true + # Indicate if prometheus stats filter is enabled or not + prometheus: + enabled: true + # stackdriver filter settings. + stackdriver: + enabled: false + # Revision is set as 'version' label and part of the resource names when installing multiple control planes. + revision: "" + + # Revision tags are aliases to Istio control plane revisions + revisionTags: [] + + # For Helm compatibility. + ownerName: "" + + # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior + # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options + meshConfig: + enablePrometheusMerge: true + + experimental: + stableValidationPolicy: false + + global: + # Used to locate istiod. + istioNamespace: istio-system + # List of cert-signers to allow "approve" action in the istio cluster role + # + # certSigners: + # - clusterissuers.cert-manager.io/istio-ca + certSigners: [] + # enable pod disruption budget for the control plane, which is used to + # ensure Istio control plane components are gradually upgraded or recovered. + defaultPodDisruptionBudget: + enabled: true + # The values aren't mutable due to a current PodDisruptionBudget limitation + # minAvailable: 1 + + # A minimal set of requested resources to applied to all deployments so that + # Horizontal Pod Autoscaler will be able to function (if set). + # Each component can overwrite these default values by adding its own resources + # block in the relevant section below and setting the desired resources values. + defaultResources: + requests: + cpu: 10m + # memory: 128Mi + # limits: + # cpu: 100m + # memory: 128Mi + + # Default hub for Istio images. + # Releases are published to docker hub under 'istio' project. + # Dev builds from prow are on gcr.io + hub: gcr.io/istio-release + # Default tag for Istio images. + tag: 1.28.5 + # Variant of the image to use. + # Currently supported are: [debug, distroless] + variant: "" + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent. + imagePullPolicy: "" + + # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) + # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + # - private-registry-key + + # Enabled by default in master for maximising testing. + istiod: + enableAnalysis: false + + # To output all istio components logs in json format by adding --log_as_json argument to each container argument + logAsJson: false + + # In order to use native nftable rules instead of iptable rules, set this flag to true. + nativeNftables: false + + # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: + # The control plane has different scopes depending on component, but can configure default log level across all components + # If empty, default scope and level will be used as configured in code + logging: + level: "default:info" + + # When enabled, default NetworkPolicy resources will be created + networkPolicy: + enabled: false + + omitSidecarInjectorConfigMap: false + + # resourceScope controls what resources will be processed by helm. + # This is useful when installing Istio on a cluster where some resources need to be owned by a cluster administrator and some can be owned by the mesh administrator. + # It can be one of: + # - all: all resources are processed + # - cluster: only cluster-scoped resources are processed + # - namespace: only namespace-scoped resources are processed + resourceScope: all + + # Configure whether Operator manages webhook configurations. The current behavior + # of Istiod is to manage its own webhook configurations. + # When this option is set as true, Istio Operator, instead of webhooks, manages the + # webhook configurations. When this option is set as false, webhooks manage their + # own webhook configurations. + operatorManageWebhooks: false + + # Custom DNS config for the pod to resolve names of services in other + # clusters. Use this to add additional search domains, and other settings. + # see + # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config + # This does not apply to gateway pods as they typically need a different + # set of DNS settings than the normal application pods (e.g., in + # multicluster scenarios). + # NOTE: If using templates, follow the pattern in the commented example below. + #podDNSSearchNamespaces: + #- global + #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global" + + # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and + # system-node-critical, it is better to configure this in order to make sure your Istio pods + # will not be killed because of low priority class. + # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + # for more detail. + priorityClassName: "" + + proxy: + image: proxyv2 + + # This controls the 'policy' in the sidecar injector. + autoInject: enabled + + # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value + # cluster domain. Default value is "cluster.local". + clusterDomain: "cluster.local" + + # Per Component log level for proxy, applies to gateways and sidecars. If a component level is + # not set, then the global "logLevel" will be used. + componentLogLevel: "misc:error" + + # istio ingress capture allowlist + # examples: + # Redirect only selected ports: --includeInboundPorts="80,8080" + excludeInboundPorts: "" + includeInboundPorts: "*" + + # istio egress capture allowlist + # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly + # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" + # would only capture egress traffic on those two IP Ranges, all other outbound traffic would + # be allowed by the sidecar + includeIPRanges: "*" + excludeIPRanges: "" + includeOutboundPorts: "" + excludeOutboundPorts: "" + + # Log level for proxy, applies to gateways and sidecars. + # Expected values are: trace|debug|info|warning|error|critical|off + logLevel: warning + + # Specify the path to the outlier event log. + # Example: /dev/stdout + outlierLogPath: "" + + #If set to true, istio-proxy container will have privileged securityContext + privileged: false + + seccompProfile: {} + + # The number of successive failed probes before indicating readiness failure. + readinessFailureThreshold: 4 + + # The initial delay for readiness probes in seconds. + readinessInitialDelaySeconds: 0 + + # The period between readiness probes. + readinessPeriodSeconds: 15 + + # Enables or disables a startup probe. + # For optimal startup times, changing this should be tied to the readiness probe values. + # + # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4. + # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval), + # and doesn't spam the readiness endpoint too much + # + # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30. + # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly. + startupProbe: + enabled: true + failureThreshold: 600 # 10 minutes + + # Resources for the sidecar. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 1024Mi + + # Default port for Pilot agent health checks. A value of 0 will disable health checking. + statusPort: 15020 + + # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none. + # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. + tracer: "none" + + proxy_init: + # Base name for the proxy_init container, used to configure iptables. + image: proxyv2 + # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures. + # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases. + forceApplyIptables: false + + # configure remote pilot and istiod service and endpoint + remotePilotAddress: "" + + ############################################################################################## + # The following values are found in other charts. To effectively modify these values, make # + # make sure they are consistent across your Istio helm charts # + ############################################################################################## + + # The customized CA address to retrieve certificates for the pods in the cluster. + # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. + # If not set explicitly, default to the Istio discovery address. + caAddress: "" + + # Enable control of remote clusters. + externalIstiod: false + + # Configure a remote cluster as the config cluster for an external istiod. + configCluster: false + + # configValidation enables the validation webhook for Istio configuration. + configValidation: true + + # Mesh ID means Mesh Identifier. It should be unique within the scope where + # meshes will interact with each other, but it is not required to be + # globally/universally unique. For example, if any of the following are true, + # then two meshes must have different Mesh IDs: + # - Meshes will have their telemetry aggregated in one place + # - Meshes will be federated together + # - Policy will be written referencing one mesh from the other + # + # If an administrator expects that any of these conditions may become true in + # the future, they should ensure their meshes have different Mesh IDs + # assigned. + # + # Within a multicluster mesh, each cluster must be (manually or auto) + # configured to have the same Mesh ID value. If an existing cluster 'joins' a + # multicluster mesh, it will need to be migrated to the new mesh ID. Details + # of migration TBD, and it may be a disruptive operation to change the Mesh + # ID post-install. + # + # If the mesh admin does not specify a value, Istio will use the value of the + # mesh's Trust Domain. The best practice is to select a proper Trust Domain + # value. + meshID: "" + + # Configure the mesh networks to be used by the Split Horizon EDS. + # + # The following example defines two networks with different endpoints association methods. + # For `network1` all endpoints that their IP belongs to the provided CIDR range will be + # mapped to network1. The gateway for this network example is specified by its public IP + # address and port. + # The second network, `network2`, in this example is defined differently with all endpoints + # retrieved through the specified Multi-Cluster registry being mapped to network2. The + # gateway is also defined differently with the name of the gateway service on the remote + # cluster. The public IP for the gateway will be determined from that remote service (only + # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, + # it still need to be configured manually). + # + # meshNetworks: + # network1: + # endpoints: + # - fromCidr: "192.168.0.1/24" + # gateways: + # - address: 1.1.1.1 + # port: 80 + # network2: + # endpoints: + # - fromRegistry: reg1 + # gateways: + # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local + # port: 443 + # + meshNetworks: {} + + # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. + mountMtlsCerts: false + + multiCluster: + # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection + # to properly label proxies + clusterName: "" + + # Network defines the network this cluster belong to. This name + # corresponds to the networks in the map of mesh networks. + network: "" + + # Configure the certificate provider for control plane communication. + # Currently, two providers are supported: "kubernetes" and "istiod". + # As some platforms may not have kubernetes signing APIs, + # Istiod is the default + pilotCertProvider: istiod + + sds: + # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. + # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the + # JWT is intended for the CA. + token: + aud: istio-ca + + sts: + # The service port used by Security Token Service (STS) server to handle token exchange requests. + # Setting this port to a non-zero value enables STS server. + servicePort: 0 + + # The name of the CA for workload certificates. + # For example, when caName=GkeWorkloadCertificate, GKE workload certificates + # will be used as the certificates for workloads. + # The default value is "" and when caName="", the CA will be configured by other + # mechanisms (e.g., environmental variable CA_PROVIDER). + caName: "" + + waypoint: + # Resources for the waypoint proxy. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: "2" + memory: 1Gi + + # If specified, affinity defines the scheduling constraints of waypoint pods. + affinity: {} + + # Topology Spread Constraints for the waypoint proxy. + topologySpreadConstraints: [] + + # Node labels for the waypoint proxy. + nodeSelector: {} + + # Tolerations for the waypoint proxy. + tolerations: [] + + base: + # For istioctl usage to disable istio config crds in base + enableIstioConfigCRDs: true + + # Gateway Settings + gateways: + # Define the security context for the pod. + # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. + # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. + securityContext: {} + + # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it + seccompProfile: {} + + # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass. + # For example: + # gatewayClasses: + # istio: + # service: + # spec: + # type: ClusterIP + # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field. + gatewayClasses: {} + + pdb: + # -- Minimum available pods set in PodDisruptionBudget. + # Define either 'minAvailable' or 'maxUnavailable', never both. + minAvailable: 1 + # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored. + # maxUnavailable: 1 + # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget. + # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/ + unhealthyPodEvictionPolicy: "" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/Chart.yaml new file mode 100644 index 0000000000..6a26a2af49 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/Chart.yaml @@ -0,0 +1,8 @@ +apiVersion: v2 +appVersion: 1.28.5 +description: Helm chart for istio revision tags +name: revisiontags +sources: +- https://github.com/istio-ecosystem/sail-operator +version: 0.1.0 + diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/files/profile-ambient.yaml new file mode 100644 index 0000000000..495fbcd434 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/files/profile-ambient.yaml @@ -0,0 +1,24 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" + serviceScopeConfigs: + - servicesSelector: + matchExpressions: + - key: istio.io/global + operator: In + values: ["true"] + scope: GLOBAL +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..d04117bfc0 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,14 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.27 behavioral changes + ENABLE_NATIVE_SIDECARS: "false" + # 1.28 behavioral changes + DISABLE_SHADOW_HOST_SUFFIX: "false" + PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/files/profile-compatibility-version-1.26.yaml new file mode 100644 index 0000000000..8fe80112bf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/files/profile-compatibility-version-1.26.yaml @@ -0,0 +1,11 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.27 behavioral changes + ENABLE_NATIVE_SIDECARS: "false" + # 1.28 behavioral changes + DISABLE_SHADOW_HOST_SUFFIX: "false" + PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/files/profile-compatibility-version-1.27.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/files/profile-compatibility-version-1.27.yaml new file mode 100644 index 0000000000..209157cccf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/files/profile-compatibility-version-1.27.yaml @@ -0,0 +1,9 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.28 behavioral changes + DISABLE_SHADOW_HOST_SUFFIX: "false" + PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/files/profile-demo.yaml new file mode 100644 index 0000000000..d6dc36dd0f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/files/profile-demo.yaml @@ -0,0 +1,94 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The demo profile enables a variety of things to try out Istio in non-production environments. +# * Lower resource utilization. +# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. +# * More ports enabled on the ingress, which is used in some tasks. +meshConfig: + accessLogFile: /dev/stdout + extensionProviders: + - name: otel + envoyOtelAls: + service: opentelemetry-collector.observability.svc.cluster.local + port: 4317 + - name: skywalking + skywalking: + service: tracing.istio-system.svc.cluster.local + port: 11800 + - name: otel-tracing + opentelemetry: + port: 4317 + service: opentelemetry-collector.observability.svc.cluster.local + - name: jaeger + opentelemetry: + port: 4317 + service: jaeger-collector.istio-system.svc.cluster.local + +cni: + resources: + requests: + cpu: 10m + memory: 40Mi + +ztunnel: + resources: + requests: + cpu: 10m + memory: 40Mi + +global: + proxy: + resources: + requests: + cpu: 10m + memory: 40Mi + waypoint: + resources: + requests: + cpu: 10m + memory: 40Mi + +pilot: + autoscaleEnabled: false + traceSampling: 100 + resources: + requests: + cpu: 10m + memory: 100Mi + +gateways: + istio-egressgateway: + autoscaleEnabled: false + resources: + requests: + cpu: 10m + memory: 40Mi + istio-ingressgateway: + autoscaleEnabled: false + ports: + ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. + # Note that AWS ELB will by default perform health checks on the first port + # on this list. Setting this to the health check port will ensure that health + # checks always work. https://github.com/istio/istio/issues/12503 + - port: 15021 + targetPort: 15021 + name: status-port + - port: 80 + targetPort: 8080 + name: http2 + - port: 443 + targetPort: 8443 + name: https + - port: 31400 + targetPort: 31400 + name: tcp + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + resources: + requests: + cpu: 10m + memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/files/profile-platform-gke.yaml new file mode 100644 index 0000000000..dfe8a7d741 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/files/profile-platform-gke.yaml @@ -0,0 +1,10 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work + resourceQuotas: + enabled: true +resourceQuotas: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/files/profile-platform-k3d.yaml new file mode 100644 index 0000000000..cd86d9ec58 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/files/profile-platform-k3d.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/files/profile-platform-k3s.yaml new file mode 100644 index 0000000000..07820106d9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/files/profile-platform-k3s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/files/profile-platform-microk8s.yaml new file mode 100644 index 0000000000..57d7f5e3cd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/files/profile-platform-microk8s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/snap/microk8s/current/args/cni-network + cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/files/profile-platform-minikube.yaml new file mode 100644 index 0000000000..fa9992e204 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/files/profile-platform-minikube.yaml @@ -0,0 +1,6 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/files/profile-platform-openshift.yaml new file mode 100644 index 0000000000..8ddc5e1654 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/files/profile-platform-openshift.yaml @@ -0,0 +1,19 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The OpenShift profile provides a basic set of settings to run Istio on OpenShift +cni: + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + provider: "multus" +pilot: + cni: + enabled: true + provider: "multus" +seLinuxOptions: + type: spc_t +# Openshift requires privileged pods to run in kube-system +trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/files/profile-preview.yaml new file mode 100644 index 0000000000..181d7bda2c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/files/profile-preview.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +meshConfig: + defaultConfig: + proxyMetadata: + # Enable Istio agent to handle DNS requests for known hosts + # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf + ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/files/profile-remote.yaml new file mode 100644 index 0000000000..d17b9a801a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/files/profile-remote.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. +istiodRemote: + enabled: true +configMap: false +telemetry: + enabled: false +global: + # TODO BML maybe a different profile for a configcluster/revisit this + omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/files/profile-stable.yaml new file mode 100644 index 0000000000..358282e69b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/files/profile-stable.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The stable profile deploys admission control to ensure that only stable resources and fields are used +# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE +experimental: + stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/templates/revision-tags-mwc.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/templates/revision-tags-mwc.yaml new file mode 100644 index 0000000000..556bb2f1e9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/templates/revision-tags-mwc.yaml @@ -0,0 +1,154 @@ +# Adapted from istio-discovery/templates/mutatingwebhook.yaml +# Removed paths for legacy and default selectors since a revision tag +# is inherently created from a specific revision +# TODO BML istiodRemote.injectionURL is invalid to set if `istiodRemote.enabled` is false, we should express that. +{{- $whv := dict +"revision" .Values.revision + "injectionPath" .Values.istiodRemote.injectionPath + "injectionURL" .Values.istiodRemote.injectionURL + "reinvocationPolicy" .Values.sidecarInjectorWebhook.reinvocationPolicy + "caBundle" .Values.istiodRemote.injectionCABundle + "namespace" .Release.Namespace }} +{{- define "core" }} +{{- /* Kubernetes unfortunately requires a unique name for the webhook in some newer versions, so we assign +a unique prefix to each. */}} +- name: {{.Prefix}}sidecar-injector.istio.io + clientConfig: + {{- if .injectionURL }} + url: "{{ .injectionURL }}" + {{- else }} + service: + name: istiod{{- if not (eq .revision "") }}-{{ .revision }}{{- end }} + namespace: {{ .namespace }} + path: "{{ .injectionPath }}" + port: 443 + {{- end }} + sideEffects: None + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + failurePolicy: Fail + reinvocationPolicy: "{{ .reinvocationPolicy }}" + admissionReviewVersions: ["v1"] +{{- end }} + +{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "cluster") }} +{{- if not .Values.global.operatorManageWebhooks }} +{{- range $tagName := $.Values.revisionTags }} +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: +{{- if eq $.Release.Namespace "istio-system"}} + name: istio-revision-tag-{{ $tagName }} +{{- else }} + name: istio-revision-tag-{{ $tagName }}-{{ $.Release.Namespace }} +{{- end }} + labels: + istio.io/tag: {{ $tagName }} + istio.io/rev: {{ $.Values.revision | default "default" | quote }} + operator.istio.io/component: "Pilot" + app: sidecar-injector + release: {{ $.Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" $ | nindent 4 }} +{{- if $.Values.sidecarInjectorWebhookAnnotations }} + annotations: +{{ toYaml $.Values.sidecarInjectorWebhookAnnotations | indent 4 }} +{{- end }} +webhooks: +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: In + values: + - "{{ $tagName }}" + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "rev.object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio.io/rev + operator: DoesNotExist + - key: istio-injection + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + - key: istio.io/rev + operator: In + values: + - "{{ $tagName }}" + +{{- /* When the tag is "default" we want to create webhooks for the default revision */}} +{{- /* These webhooks should be kept in sync with istio-discovery/templates/mutatingwebhook.yaml */}} +{{- if (eq $tagName "default") }} + +{{- /* Case 1: Namespace selector enabled, and object selector is not injected */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "namespace.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: In + values: + - enabled + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: NotIn + values: + - "false" + +{{- /* Case 2: no namespace label, but object selector is enabled (and revision label is not, which has priority) */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "object.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: In + values: + - "true" + - key: istio.io/rev + operator: DoesNotExist + +{{- if $.Values.sidecarInjectorWebhook.enableNamespacesByDefault }} +{{- /* Special case 3: no labels at all */}} +{{- include "core" (mergeOverwrite (deepCopy $whv) (dict "Prefix" "auto.") ) }} + namespaceSelector: + matchExpressions: + - key: istio-injection + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist + - key: "kubernetes.io/metadata.name" + operator: "NotIn" + values: ["kube-system","kube-public","kube-node-lease","local-path-storage"] + objectSelector: + matchExpressions: + - key: sidecar.istio.io/inject + operator: DoesNotExist + - key: istio.io/rev + operator: DoesNotExist +{{- end }} + +{{- end }} +--- +{{- end }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/templates/revision-tags-svc.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/templates/revision-tags-svc.yaml new file mode 100644 index 0000000000..5c4826d23e --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/templates/revision-tags-svc.yaml @@ -0,0 +1,57 @@ +{{- if or (eq .Values.global.resourceScope "all") (eq .Values.global.resourceScope "namespace") }} +# Adapted from istio-discovery/templates/service.yaml +{{- range $tagName := .Values.revisionTags }} +apiVersion: v1 +kind: Service +metadata: + name: istiod-revision-tag-{{ $tagName }} + namespace: {{ $.Release.Namespace }} + {{- if $.Values.serviceAnnotations }} + annotations: +{{ toYaml $.Values.serviceAnnotations | indent 4 }} + {{- end }} + labels: + istio.io/rev: {{ $.Values.revision | default "default" | quote }} + istio.io/tag: {{ $tagName }} + operator.istio.io/component: "Pilot" + app: istiod + istio: pilot + release: {{ $.Release.Name }} + app.kubernetes.io/name: "istiod" + {{- include "istio.labels" $ | nindent 4 }} +spec: + ports: + - port: 15010 + name: grpc-xds # plaintext + protocol: TCP + - port: 15012 + name: https-dns # mTLS with k8s-signed cert + protocol: TCP + - port: 443 + name: https-webhook # validation and injection + targetPort: 15017 + protocol: TCP + - port: 15014 + name: http-monitoring # prometheus stats + protocol: TCP + selector: + app: istiod + {{- if ne $.Values.revision "" }} + istio.io/rev: {{ $.Values.revision | quote }} + {{- else }} + # Label used by the 'default' service. For versioned deployments we match with app and version. + # This avoids default deployment picking the canary + istio: pilot + {{- end }} + {{- if $.Values.ipFamilyPolicy }} + ipFamilyPolicy: {{ $.Values.ipFamilyPolicy }} + {{- end }} + {{- if $.Values.ipFamilies }} + ipFamilies: + {{- range $.Values.ipFamilies }} + - {{ . }} + {{- end }} + {{- end }} +--- +{{- end -}} +{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/templates/zzz_profile.yaml new file mode 100644 index 0000000000..3d84956485 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/templates/zzz_profile.yaml @@ -0,0 +1,75 @@ +{{/* +WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. +The original version of this file is located at /manifests directory. +If you want to make a change in this file, edit the original one and run "make gen". + +Complex logic ahead... +We have three sets of values, in order of precedence (last wins): +1. The builtin values.yaml defaults +2. The profile the user selects +3. Users input (-f or --set) + +Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). + +However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). +We can then merge the profile onto the defaults, then the user settings onto that. +Finally, we can set all of that under .Values so the chart behaves without awareness. +*/}} +{{- if $.Values.defaults}} +{{ fail (cat + "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" + ($.Values.defaults | toYaml |nindent 4) +) }} +{{- end }} +{{- $defaults := $.Values._internal_defaults_do_not_set }} +{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} +{{- $profile := dict }} +{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} +{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} +{{- $profile = (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown profile" .) }} +{{- end }} +{{- end }} +{{- with .Values.compatibilityVersion }} +{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} +{{- end }} +{{- end }} +{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} +{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown platform" .) }} +{{- end }} +{{- end }} +{{- if $profile }} +{{- $a := mustMergeOverwrite $defaults $profile }} +{{- end }} +# Flatten globals, if defined on a per-chart basis +{{- if false }} +{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} +{{- end }} +{{- $x := set $.Values "_original" (deepCopy $.Values) }} +{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} + +{{/* +Labels that should be applied to ALL resources. +*/}} +{{- define "istio.labels" -}} +{{- if .Release.Service -}} +app.kubernetes.io/managed-by: {{ .Release.Service | quote }} +{{- end }} +{{- if .Release.Name }} +app.kubernetes.io/instance: {{ .Release.Name | quote }} +{{- end }} +app.kubernetes.io/part-of: "istio" +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +{{- if and .Chart.Name .Chart.Version }} +helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/values.yaml new file mode 100644 index 0000000000..4a199a17c7 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/revisiontags/values.yaml @@ -0,0 +1,583 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + autoscaleEnabled: true + autoscaleMin: 1 + autoscaleMax: 5 + autoscaleBehavior: {} + replicaCount: 1 + rollingMaxSurge: 100% + rollingMaxUnavailable: 25% + + hub: "" + tag: "" + variant: "" + + # Can be a full hub/image:tag + image: pilot + traceSampling: 1.0 + + # Resources for a small pilot install + resources: + requests: + cpu: 500m + memory: 2048Mi + + # Set to `type: RuntimeDefault` to use the default profile if available. + seccompProfile: {} + + # Whether to use an existing CNI installation + cni: + enabled: false + provider: default + + # Additional container arguments + extraContainerArgs: [] + + env: {} + + envVarFrom: [] + + # Settings related to the untaint controller + # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready + # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes + taint: + # Controls whether or not the untaint controller is active + enabled: false + # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod + namespace: "" + + affinity: {} + + tolerations: [] + + cpu: + targetAverageUtilization: 80 + memory: {} + # targetAverageUtilization: 80 + + # Additional volumeMounts to the istiod container + volumeMounts: [] + + # Additional volumes to the istiod pod + volumes: [] + + # Inject initContainers into the istiod pod + initContainers: [] + + nodeSelector: {} + podAnnotations: {} + serviceAnnotations: {} + serviceAccountAnnotations: {} + sidecarInjectorWebhookAnnotations: {} + + topologySpreadConstraints: [] + + # You can use jwksResolverExtraRootCA to provide a root certificate + # in PEM format. This will then be trusted by pilot when resolving + # JWKS URIs. + jwksResolverExtraRootCA: "" + + # The following is used to limit how long a sidecar can be connected + # to a pilot. It balances out load across pilot instances at the cost of + # increasing system churn. + keepaliveMaxServerConnectionAge: 30m + + # Additional labels to apply to the deployment. + deploymentLabels: {} + + # Annotations to apply to the istiod deployment. + deploymentAnnotations: {} + + ## Mesh config settings + + # Install the mesh config map, generated from values.yaml. + # If false, pilot wil use default values (by default) or user-supplied values. + configMap: true + + # Additional labels to apply on the pod level for monitoring and logging configuration. + podLabels: {} + + # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + ipFamilyPolicy: "" + ipFamilies: [] + + # Ambient mode only. + # Set this if you install ztunnel to a different namespace from `istiod`. + # If set, `istiod` will allow connections from trusted node proxy ztunnels + # in the provided namespace. + # If unset, `istiod` will assume the trusted node proxy ztunnel resides + # in the same namespace as itself. + trustedZtunnelNamespace: "" + # Set this if you install ztunnel with a name different from the default. + trustedZtunnelName: "" + + sidecarInjectorWebhook: + # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or + # always skip the injection on pods that match that label selector, regardless of the global policy. + # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions + neverInjectSelector: [] + alwaysInjectSelector: [] + + # injectedAnnotations are additional annotations that will be added to the pod spec after injection + # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations: + # + # annotations: + # apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default + # apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default + # + # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before + # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify: + # injectedAnnotations: + # container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default + # container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default + injectedAnnotations: {} + + # This enables injection of sidecar in all namespaces, + # with the exception of namespaces with "istio-injection:disabled" annotation + # Only one environment should have this enabled. + enableNamespacesByDefault: false + + # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run + # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten. + # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur. + reinvocationPolicy: Never + + rewriteAppHTTPProbe: true + + # Templates defines a set of custom injection templates that can be used. For example, defining: + # + # templates: + # hello: | + # metadata: + # labels: + # hello: world + # + # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod + # being injected with the hello=world labels. + # This is intended for advanced configuration only; most users should use the built in template + templates: {} + + # Default templates specifies a set of default templates that are used in sidecar injection. + # By default, a template `sidecar` is always provided, which contains the template of default sidecar. + # To inject other additional templates, define it using the `templates` option, and add it to + # the default templates list. + # For example: + # + # templates: + # hello: | + # metadata: + # labels: + # hello: world + # + # defaultTemplates: ["sidecar", "hello"] + defaultTemplates: [] + istiodRemote: + # If `true`, indicates that this cluster/install should consume a "remote istiod" installation, + # and istiod itself will NOT be installed in this cluster - only the support resources necessary + # to utilize a remote instance. + enabled: false + + # If `true`, indicates that this cluster/install should consume a "local istiod" installation, + # local istiod inject sidecars + enabledLocalInjectorIstiod: false + + # Sidecar injector mutating webhook configuration clientConfig.url value. + # For example: https://$remotePilotAddress:15017/inject + # The host should not refer to a service running in the cluster; use a service reference by specifying + # the clientConfig.service field instead. + injectionURL: "" + + # Sidecar injector mutating webhook configuration path value for the clientConfig.service field. + # Override to pass env variables, for example: /inject/cluster/remote/net/network2 + injectionPath: "/inject" + + injectionCABundle: "" + telemetry: + enabled: true + v2: + # For Null VM case now. + # This also enables metadata exchange. + enabled: true + # Indicate if prometheus stats filter is enabled or not + prometheus: + enabled: true + # stackdriver filter settings. + stackdriver: + enabled: false + # Revision is set as 'version' label and part of the resource names when installing multiple control planes. + revision: "" + + # Revision tags are aliases to Istio control plane revisions + revisionTags: [] + + # For Helm compatibility. + ownerName: "" + + # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior + # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options + meshConfig: + enablePrometheusMerge: true + + experimental: + stableValidationPolicy: false + + global: + # Used to locate istiod. + istioNamespace: istio-system + # List of cert-signers to allow "approve" action in the istio cluster role + # + # certSigners: + # - clusterissuers.cert-manager.io/istio-ca + certSigners: [] + # enable pod disruption budget for the control plane, which is used to + # ensure Istio control plane components are gradually upgraded or recovered. + defaultPodDisruptionBudget: + enabled: true + # The values aren't mutable due to a current PodDisruptionBudget limitation + # minAvailable: 1 + + # A minimal set of requested resources to applied to all deployments so that + # Horizontal Pod Autoscaler will be able to function (if set). + # Each component can overwrite these default values by adding its own resources + # block in the relevant section below and setting the desired resources values. + defaultResources: + requests: + cpu: 10m + # memory: 128Mi + # limits: + # cpu: 100m + # memory: 128Mi + + # Default hub for Istio images. + # Releases are published to docker hub under 'istio' project. + # Dev builds from prow are on gcr.io + hub: gcr.io/istio-release + # Default tag for Istio images. + tag: 1.28.5 + # Variant of the image to use. + # Currently supported are: [debug, distroless] + variant: "" + + # Specify image pull policy if default behavior isn't desired. + # Default behavior: latest images will be Always else IfNotPresent. + imagePullPolicy: "" + + # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace + # to use for pulling any images in pods that reference this ServiceAccount. + # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing) + # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects. + # Must be set for any cluster configured with private docker registry. + imagePullSecrets: [] + # - private-registry-key + + # Enabled by default in master for maximising testing. + istiod: + enableAnalysis: false + + # To output all istio components logs in json format by adding --log_as_json argument to each container argument + logAsJson: false + + # In order to use native nftable rules instead of iptable rules, set this flag to true. + nativeNftables: false + + # Comma-separated minimum per-scope logging level of messages to output, in the form of :,: + # The control plane has different scopes depending on component, but can configure default log level across all components + # If empty, default scope and level will be used as configured in code + logging: + level: "default:info" + + # When enabled, default NetworkPolicy resources will be created + networkPolicy: + enabled: false + + omitSidecarInjectorConfigMap: false + + # resourceScope controls what resources will be processed by helm. + # This is useful when installing Istio on a cluster where some resources need to be owned by a cluster administrator and some can be owned by the mesh administrator. + # It can be one of: + # - all: all resources are processed + # - cluster: only cluster-scoped resources are processed + # - namespace: only namespace-scoped resources are processed + resourceScope: all + + # Configure whether Operator manages webhook configurations. The current behavior + # of Istiod is to manage its own webhook configurations. + # When this option is set as true, Istio Operator, instead of webhooks, manages the + # webhook configurations. When this option is set as false, webhooks manage their + # own webhook configurations. + operatorManageWebhooks: false + + # Custom DNS config for the pod to resolve names of services in other + # clusters. Use this to add additional search domains, and other settings. + # see + # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config + # This does not apply to gateway pods as they typically need a different + # set of DNS settings than the normal application pods (e.g., in + # multicluster scenarios). + # NOTE: If using templates, follow the pattern in the commented example below. + #podDNSSearchNamespaces: + #- global + #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global" + + # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and + # system-node-critical, it is better to configure this in order to make sure your Istio pods + # will not be killed because of low priority class. + # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass + # for more detail. + priorityClassName: "" + + proxy: + image: proxyv2 + + # This controls the 'policy' in the sidecar injector. + autoInject: enabled + + # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value + # cluster domain. Default value is "cluster.local". + clusterDomain: "cluster.local" + + # Per Component log level for proxy, applies to gateways and sidecars. If a component level is + # not set, then the global "logLevel" will be used. + componentLogLevel: "misc:error" + + # istio ingress capture allowlist + # examples: + # Redirect only selected ports: --includeInboundPorts="80,8080" + excludeInboundPorts: "" + includeInboundPorts: "*" + + # istio egress capture allowlist + # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly + # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16" + # would only capture egress traffic on those two IP Ranges, all other outbound traffic would + # be allowed by the sidecar + includeIPRanges: "*" + excludeIPRanges: "" + includeOutboundPorts: "" + excludeOutboundPorts: "" + + # Log level for proxy, applies to gateways and sidecars. + # Expected values are: trace|debug|info|warning|error|critical|off + logLevel: warning + + # Specify the path to the outlier event log. + # Example: /dev/stdout + outlierLogPath: "" + + #If set to true, istio-proxy container will have privileged securityContext + privileged: false + + seccompProfile: {} + + # The number of successive failed probes before indicating readiness failure. + readinessFailureThreshold: 4 + + # The initial delay for readiness probes in seconds. + readinessInitialDelaySeconds: 0 + + # The period between readiness probes. + readinessPeriodSeconds: 15 + + # Enables or disables a startup probe. + # For optimal startup times, changing this should be tied to the readiness probe values. + # + # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4. + # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval), + # and doesn't spam the readiness endpoint too much + # + # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30. + # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly. + startupProbe: + enabled: true + failureThreshold: 600 # 10 minutes + + # Resources for the sidecar. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 2000m + memory: 1024Mi + + # Default port for Pilot agent health checks. A value of 0 will disable health checking. + statusPort: 15020 + + # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none. + # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file. + tracer: "none" + + proxy_init: + # Base name for the proxy_init container, used to configure iptables. + image: proxyv2 + # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures. + # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases. + forceApplyIptables: false + + # configure remote pilot and istiod service and endpoint + remotePilotAddress: "" + + ############################################################################################## + # The following values are found in other charts. To effectively modify these values, make # + # make sure they are consistent across your Istio helm charts # + ############################################################################################## + + # The customized CA address to retrieve certificates for the pods in the cluster. + # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. + # If not set explicitly, default to the Istio discovery address. + caAddress: "" + + # Enable control of remote clusters. + externalIstiod: false + + # Configure a remote cluster as the config cluster for an external istiod. + configCluster: false + + # configValidation enables the validation webhook for Istio configuration. + configValidation: true + + # Mesh ID means Mesh Identifier. It should be unique within the scope where + # meshes will interact with each other, but it is not required to be + # globally/universally unique. For example, if any of the following are true, + # then two meshes must have different Mesh IDs: + # - Meshes will have their telemetry aggregated in one place + # - Meshes will be federated together + # - Policy will be written referencing one mesh from the other + # + # If an administrator expects that any of these conditions may become true in + # the future, they should ensure their meshes have different Mesh IDs + # assigned. + # + # Within a multicluster mesh, each cluster must be (manually or auto) + # configured to have the same Mesh ID value. If an existing cluster 'joins' a + # multicluster mesh, it will need to be migrated to the new mesh ID. Details + # of migration TBD, and it may be a disruptive operation to change the Mesh + # ID post-install. + # + # If the mesh admin does not specify a value, Istio will use the value of the + # mesh's Trust Domain. The best practice is to select a proper Trust Domain + # value. + meshID: "" + + # Configure the mesh networks to be used by the Split Horizon EDS. + # + # The following example defines two networks with different endpoints association methods. + # For `network1` all endpoints that their IP belongs to the provided CIDR range will be + # mapped to network1. The gateway for this network example is specified by its public IP + # address and port. + # The second network, `network2`, in this example is defined differently with all endpoints + # retrieved through the specified Multi-Cluster registry being mapped to network2. The + # gateway is also defined differently with the name of the gateway service on the remote + # cluster. The public IP for the gateway will be determined from that remote service (only + # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service, + # it still need to be configured manually). + # + # meshNetworks: + # network1: + # endpoints: + # - fromCidr: "192.168.0.1/24" + # gateways: + # - address: 1.1.1.1 + # port: 80 + # network2: + # endpoints: + # - fromRegistry: reg1 + # gateways: + # - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local + # port: 443 + # + meshNetworks: {} + + # Use the user-specified, secret volume mounted key and certs for Pilot and workloads. + mountMtlsCerts: false + + multiCluster: + # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection + # to properly label proxies + clusterName: "" + + # Network defines the network this cluster belong to. This name + # corresponds to the networks in the map of mesh networks. + network: "" + + # Configure the certificate provider for control plane communication. + # Currently, two providers are supported: "kubernetes" and "istiod". + # As some platforms may not have kubernetes signing APIs, + # Istiod is the default + pilotCertProvider: istiod + + sds: + # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. + # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the + # JWT is intended for the CA. + token: + aud: istio-ca + + sts: + # The service port used by Security Token Service (STS) server to handle token exchange requests. + # Setting this port to a non-zero value enables STS server. + servicePort: 0 + + # The name of the CA for workload certificates. + # For example, when caName=GkeWorkloadCertificate, GKE workload certificates + # will be used as the certificates for workloads. + # The default value is "" and when caName="", the CA will be configured by other + # mechanisms (e.g., environmental variable CA_PROVIDER). + caName: "" + + waypoint: + # Resources for the waypoint proxy. + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: "2" + memory: 1Gi + + # If specified, affinity defines the scheduling constraints of waypoint pods. + affinity: {} + + # Topology Spread Constraints for the waypoint proxy. + topologySpreadConstraints: [] + + # Node labels for the waypoint proxy. + nodeSelector: {} + + # Tolerations for the waypoint proxy. + tolerations: [] + + base: + # For istioctl usage to disable istio config crds in base + enableIstioConfigCRDs: true + + # Gateway Settings + gateways: + # Define the security context for the pod. + # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443. + # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl. + securityContext: {} + + # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it + seccompProfile: {} + + # gatewayClasses allows customizing the configuration of the default deployment of Gateways per GatewayClass. + # For example: + # gatewayClasses: + # istio: + # service: + # spec: + # type: ClusterIP + # Per-Gateway configuration can also be set in the `Gateway.spec.infrastructure.parametersRef` field. + gatewayClasses: {} + + pdb: + # -- Minimum available pods set in PodDisruptionBudget. + # Define either 'minAvailable' or 'maxUnavailable', never both. + minAvailable: 1 + # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored. + # maxUnavailable: 1 + # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget. + # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/ + unhealthyPodEvictionPolicy: "" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/Chart.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/Chart.yaml new file mode 100644 index 0000000000..9ce6eabd7d --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +appVersion: 1.28.5 +description: Helm chart for istio ztunnel components +icon: https://istio.io/latest/favicons/android-192x192.png +keywords: +- istio-ztunnel +- istio +name: ztunnel +sources: +- https://github.com/istio/istio +version: 1.28.5 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/README.md b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/README.md new file mode 100644 index 0000000000..72ea6892e5 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/README.md @@ -0,0 +1,50 @@ +# Istio Ztunnel Helm Chart + +This chart installs an Istio ztunnel. + +## Setup Repo Info + +```console +helm repo add istio https://istio-release.storage.googleapis.com/charts +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Installing the Chart + +To install the chart: + +```console +helm install ztunnel istio/ztunnel +``` + +## Uninstalling the Chart + +To uninstall/delete the chart: + +```console +helm delete ztunnel +``` + +## Configuration + +To view supported configuration options and documentation, run: + +```console +helm show values istio/ztunnel +``` + +### Profiles + +Istio Helm charts have a concept of a `profile`, which is a bundled collection of value presets. +These can be set with `--set profile=`. +For example, the `demo` profile offers a preset configuration to try out Istio in a test environment, with additional features enabled and lowered resource requirements. + +For consistency, the same profiles are used across each chart, even if they do not impact a given chart. + +Explicitly set values have highest priority, then profile settings, then chart defaults. + +As an implementation detail of profiles, the default values for the chart are all nested under `defaults`. +When configuring the chart, you should not include this. +That is, `--set some.field=true` should be passed, not `--set defaults.some.field=true`. diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/files/profile-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/files/profile-ambient.yaml new file mode 100644 index 0000000000..495fbcd434 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/files/profile-ambient.yaml @@ -0,0 +1,24 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The ambient profile enables ambient mode. The Istiod, CNI, and ztunnel charts must be deployed +meshConfig: + defaultConfig: + proxyMetadata: + ISTIO_META_ENABLE_HBONE: "true" + serviceScopeConfigs: + - servicesSelector: + matchExpressions: + - key: istio.io/global + operator: In + values: ["true"] + scope: GLOBAL +global: + variant: distroless +pilot: + env: + PILOT_ENABLE_AMBIENT: "true" +cni: + ambient: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/files/profile-compatibility-version-1.25.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/files/profile-compatibility-version-1.25.yaml new file mode 100644 index 0000000000..d04117bfc0 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/files/profile-compatibility-version-1.25.yaml @@ -0,0 +1,14 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.27 behavioral changes + ENABLE_NATIVE_SIDECARS: "false" + # 1.28 behavioral changes + DISABLE_SHADOW_HOST_SUFFIX: "false" + PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" +ambient: + # 1.26 behavioral changes + shareHostNetworkNamespace: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/files/profile-compatibility-version-1.26.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/files/profile-compatibility-version-1.26.yaml new file mode 100644 index 0000000000..8fe80112bf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/files/profile-compatibility-version-1.26.yaml @@ -0,0 +1,11 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.27 behavioral changes + ENABLE_NATIVE_SIDECARS: "false" + # 1.28 behavioral changes + DISABLE_SHADOW_HOST_SUFFIX: "false" + PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/files/profile-compatibility-version-1.27.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/files/profile-compatibility-version-1.27.yaml new file mode 100644 index 0000000000..209157cccf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/files/profile-compatibility-version-1.27.yaml @@ -0,0 +1,9 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +pilot: + env: + # 1.28 behavioral changes + DISABLE_SHADOW_HOST_SUFFIX: "false" + PILOT_SPAWN_UPSTREAM_SPAN_FOR_GATEWAY: "false" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/files/profile-demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/files/profile-demo.yaml new file mode 100644 index 0000000000..d6dc36dd0f --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/files/profile-demo.yaml @@ -0,0 +1,94 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The demo profile enables a variety of things to try out Istio in non-production environments. +# * Lower resource utilization. +# * Some additional features are enabled by default; especially ones used in some tasks in istio.io. +# * More ports enabled on the ingress, which is used in some tasks. +meshConfig: + accessLogFile: /dev/stdout + extensionProviders: + - name: otel + envoyOtelAls: + service: opentelemetry-collector.observability.svc.cluster.local + port: 4317 + - name: skywalking + skywalking: + service: tracing.istio-system.svc.cluster.local + port: 11800 + - name: otel-tracing + opentelemetry: + port: 4317 + service: opentelemetry-collector.observability.svc.cluster.local + - name: jaeger + opentelemetry: + port: 4317 + service: jaeger-collector.istio-system.svc.cluster.local + +cni: + resources: + requests: + cpu: 10m + memory: 40Mi + +ztunnel: + resources: + requests: + cpu: 10m + memory: 40Mi + +global: + proxy: + resources: + requests: + cpu: 10m + memory: 40Mi + waypoint: + resources: + requests: + cpu: 10m + memory: 40Mi + +pilot: + autoscaleEnabled: false + traceSampling: 100 + resources: + requests: + cpu: 10m + memory: 100Mi + +gateways: + istio-egressgateway: + autoscaleEnabled: false + resources: + requests: + cpu: 10m + memory: 40Mi + istio-ingressgateway: + autoscaleEnabled: false + ports: + ## You can add custom gateway ports in user values overrides, but it must include those ports since helm replaces. + # Note that AWS ELB will by default perform health checks on the first port + # on this list. Setting this to the health check port will ensure that health + # checks always work. https://github.com/istio/istio/issues/12503 + - port: 15021 + targetPort: 15021 + name: status-port + - port: 80 + targetPort: 8080 + name: http2 + - port: 443 + targetPort: 8443 + name: https + - port: 31400 + targetPort: 31400 + name: tcp + # This is the port where sni routing happens + - port: 15443 + targetPort: 15443 + name: tls + resources: + requests: + cpu: 10m + memory: 40Mi \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/files/profile-platform-gke.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/files/profile-platform-gke.yaml new file mode 100644 index 0000000000..dfe8a7d741 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/files/profile-platform-gke.yaml @@ -0,0 +1,10 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniBinDir: "" # intentionally unset for gke to allow template-based autodetection to work + resourceQuotas: + enabled: true +resourceQuotas: + enabled: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/files/profile-platform-k3d.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/files/profile-platform-k3d.yaml new file mode 100644 index 0000000000..cd86d9ec58 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/files/profile-platform-k3d.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/files/profile-platform-k3s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/files/profile-platform-k3s.yaml new file mode 100644 index 0000000000..07820106d9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/files/profile-platform-k3s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/lib/rancher/k3s/agent/etc/cni/net.d + cniBinDir: /var/lib/rancher/k3s/data/cni diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/files/profile-platform-microk8s.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/files/profile-platform-microk8s.yaml new file mode 100644 index 0000000000..57d7f5e3cd --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/files/profile-platform-microk8s.yaml @@ -0,0 +1,7 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniConfDir: /var/snap/microk8s/current/args/cni-network + cniBinDir: /var/snap/microk8s/current/opt/cni/bin diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/files/profile-platform-minikube.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/files/profile-platform-minikube.yaml new file mode 100644 index 0000000000..fa9992e204 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/files/profile-platform-minikube.yaml @@ -0,0 +1,6 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +cni: + cniNetnsDir: /var/run/docker/netns diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/files/profile-platform-openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/files/profile-platform-openshift.yaml new file mode 100644 index 0000000000..8ddc5e1654 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/files/profile-platform-openshift.yaml @@ -0,0 +1,19 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The OpenShift profile provides a basic set of settings to run Istio on OpenShift +cni: + cniBinDir: /var/lib/cni/bin + cniConfDir: /etc/cni/multus/net.d + chained: false + cniConfFileName: "istio-cni.conf" + provider: "multus" +pilot: + cni: + enabled: true + provider: "multus" +seLinuxOptions: + type: spc_t +# Openshift requires privileged pods to run in kube-system +trustedZtunnelNamespace: "kube-system" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/files/profile-preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/files/profile-preview.yaml new file mode 100644 index 0000000000..181d7bda2c --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/files/profile-preview.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +meshConfig: + defaultConfig: + proxyMetadata: + # Enable Istio agent to handle DNS requests for known hosts + # Unknown hosts will automatically be resolved using upstream dns servers in resolv.conf + ISTIO_META_DNS_CAPTURE: "true" diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/files/profile-remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/files/profile-remote.yaml new file mode 100644 index 0000000000..d17b9a801a --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/files/profile-remote.yaml @@ -0,0 +1,13 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The remote profile enables installing istio with a remote control plane. The `base` and `istio-discovery` charts must be deployed with this profile. +istiodRemote: + enabled: true +configMap: false +telemetry: + enabled: false +global: + # TODO BML maybe a different profile for a configcluster/revisit this + omitSidecarInjectorConfigMap: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/files/profile-stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/files/profile-stable.yaml new file mode 100644 index 0000000000..358282e69b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/files/profile-stable.yaml @@ -0,0 +1,8 @@ +# WARNING: DO NOT EDIT, THIS FILE IS A COPY. +# The original version of this file is located at /manifests/helm-profiles directory. +# If you want to make a change in this file, edit the original one and run "make gen". + +# The stable profile deploys admission control to ensure that only stable resources and fields are used +# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE +experimental: + stableValidationPolicy: true diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/templates/NOTES.txt b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/templates/NOTES.txt new file mode 100644 index 0000000000..244f59db06 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/templates/NOTES.txt @@ -0,0 +1,5 @@ +ztunnel successfully installed! + +To learn more about the release, try: + $ helm status {{ .Release.Name }} -n {{ .Release.Namespace }} + $ helm get all {{ .Release.Name }} -n {{ .Release.Namespace }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/templates/_helpers.tpl b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/templates/_helpers.tpl new file mode 100644 index 0000000000..46a7a0b79d --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/templates/_helpers.tpl @@ -0,0 +1 @@ +{{ define "ztunnel.release-name" }}{{ .Values.resourceName| default "ztunnel" }}{{ end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/templates/daemonset.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/templates/daemonset.yaml new file mode 100644 index 0000000000..b10e99cfa4 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/templates/daemonset.yaml @@ -0,0 +1,212 @@ +{{- if or (eq .Values.resourceScope "all") (eq .Values.resourceScope "namespace") }} +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ include "ztunnel.release-name" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: ztunnel + {{- include "istio.labels" . | nindent 4}} + {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }} + annotations: +{{- if .Values.revision }} + {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }} + {{- toYaml $annos | nindent 4}} +{{- else }} + {{- .Values.annotations | toYaml | nindent 4 }} +{{- end }} +spec: + {{- with .Values.updateStrategy }} + updateStrategy: + {{- toYaml . | nindent 4 }} + {{- end }} + selector: + matchLabels: + app: ztunnel + template: + metadata: + labels: + sidecar.istio.io/inject: "false" + istio.io/dataplane-mode: none + app: ztunnel + app.kubernetes.io/name: ztunnel + {{- include "istio.labels" . | nindent 8}} +{{ with .Values.podLabels -}}{{ toYaml . | indent 8 }}{{ end }} + annotations: + sidecar.istio.io/inject: "false" +{{- if .Values.revision }} + istio.io/rev: {{ .Values.revision }} +{{- end }} +{{ with .Values.podAnnotations -}}{{ toYaml . | indent 8 }}{{ end }} + spec: + nodeSelector: + kubernetes.io/os: linux +{{- if .Values.nodeSelector }} +{{ toYaml .Values.nodeSelector | indent 8 }} +{{- end }} +{{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | trim | indent 8 }} +{{- end }} + serviceAccountName: {{ include "ztunnel.release-name" . }} +{{- if .Values.tolerations }} + tolerations: +{{ toYaml .Values.tolerations | trim | indent 8 }} +{{- end }} + containers: + - name: istio-proxy +{{- if contains "/" .Values.image }} + image: "{{ .Values.image }}" +{{- else }} + image: "{{ .Values.hub }}/{{ .Values.image | default "ztunnel" }}:{{ .Values.tag }}{{with (.Values.variant )}}-{{.}}{{end}}" +{{- end }} + ports: + - containerPort: 15020 + name: ztunnel-stats + protocol: TCP + resources: +{{- if .Values.resources }} +{{ toYaml .Values.resources | trim | indent 10 }} +{{- end }} +{{- with .Values.imagePullPolicy }} + imagePullPolicy: {{ . }} +{{- end }} + securityContext: + # K8S docs are clear that CAP_SYS_ADMIN *or* privileged: true + # both force this to `true`: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + # But there is a K8S validation bug that doesn't propery catch this: https://github.com/kubernetes/kubernetes/issues/119568 + allowPrivilegeEscalation: true + privileged: false + capabilities: + drop: + - ALL + add: # See https://man7.org/linux/man-pages/man7/capabilities.7.html + - NET_ADMIN # Required for TPROXY and setsockopt + - SYS_ADMIN # Required for `setns` - doing things in other netns + - NET_RAW # Required for RAW/PACKET sockets, TPROXY + readOnlyRootFilesystem: true + runAsGroup: 1337 + runAsNonRoot: false + runAsUser: 0 +{{- if .Values.seLinuxOptions }} + seLinuxOptions: +{{ toYaml .Values.seLinuxOptions | trim | indent 12 }} +{{- end }} + readinessProbe: + httpGet: + port: 15021 + path: /healthz/ready + args: + - proxy + - ztunnel + env: + - name: CA_ADDRESS + {{- if .Values.caAddress }} + value: {{ .Values.caAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012 + {{- end }} + - name: XDS_ADDRESS + {{- if .Values.xdsAddress }} + value: {{ .Values.xdsAddress }} + {{- else }} + value: istiod{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }}.{{ .Values.istioNamespace }}.svc:15012 + {{- end }} + {{- if .Values.logAsJson }} + - name: LOG_FORMAT + value: json + {{- end}} + {{- if .Values.network }} + - name: NETWORK + value: {{ .Values.network | quote }} + {{- end }} + - name: RUST_LOG + value: {{ .Values.logLevel | quote }} + - name: RUST_BACKTRACE + value: "1" + - name: ISTIO_META_CLUSTER_ID + value: {{ .Values.multiCluster.clusterName | default "Kubernetes" }} + - name: INPOD_ENABLED + value: "true" + - name: TERMINATION_GRACE_PERIOD_SECONDS + value: "{{ .Values.terminationGracePeriodSeconds }}" + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: INSTANCE_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + {{- if .Values.meshConfig.defaultConfig.proxyMetadata }} + {{- range $key, $value := .Values.meshConfig.defaultConfig.proxyMetadata}} + - name: {{ $key }} + value: "{{ $value }}" + {{- end }} + {{- end }} + - name: ZTUNNEL_CPU_LIMIT + valueFrom: + resourceFieldRef: + resource: limits.cpu + {{- with .Values.env }} + {{- range $key, $val := . }} + - name: {{ $key }} + value: "{{ $val }}" + {{- end }} + {{- end }} + volumeMounts: + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + - mountPath: /var/run/secrets/tokens + name: istio-token + - mountPath: /var/run/ztunnel + name: cni-ztunnel-sock-dir + - mountPath: /tmp + name: tmp + {{- with .Values.volumeMounts }} + {{- toYaml . | nindent 8 }} + {{- end }} + priorityClassName: system-node-critical + terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} + volumes: + - name: istio-token + projected: + sources: + - serviceAccountToken: + path: istio-token + expirationSeconds: 43200 + audience: istio-ca + - name: istiod-ca-cert + {{- if eq (.Values.env).ENABLE_CLUSTER_TRUST_BUNDLE_API true }} + projected: + sources: + - clusterTrustBundle: + name: istio.io:istiod-ca:{{ .Values.trustBundleName | default "root-cert" }} + path: root-cert.pem + {{- else }} + configMap: + name: {{ .Values.trustBundleName | default "istio-ca-root-cert" }} + {{- end }} + - name: cni-ztunnel-sock-dir + hostPath: + path: /var/run/ztunnel + type: DirectoryOrCreate # ideally this would be a socket, but istio-cni may not have started yet. + # pprof needs a writable /tmp, and we don't have that thanks to `readOnlyRootFilesystem: true`, so mount one + - name: tmp + emptyDir: {} + {{- with .Values.volumes }} + {{- toYaml . | nindent 6}} + {{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/templates/networkpolicy.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/templates/networkpolicy.yaml new file mode 100644 index 0000000000..b397c64c82 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/templates/networkpolicy.yaml @@ -0,0 +1,62 @@ +{{- if (.Values.global.networkPolicy).enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ include "ztunnel.release-name" . }}{{- if not (eq .Values.revision "") }}-{{ .Values.revision }}{{- end }} + namespace: {{ .Release.Namespace }} + labels: + app: ztunnel + app.kubernetes.io/name: ztunnel + istio.io/rev: {{ .Values.revision | default "default" | quote }} + operator.istio.io/component: "Ztunnel" + release: {{ .Release.Name }} + {{- include "istio.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + app: ztunnel + policyTypes: + - Ingress + - Egress + ingress: + # Readiness probe + - from: [] + ports: + - protocol: TCP + port: 15021 + # Monitoring/prometheus + - from: [] + ports: + - protocol: TCP + port: 15020 # Metrics + # Admin interface + - from: [] + ports: + - protocol: TCP + port: 15000 # Admin interface + # HBONE traffic + - from: [] + ports: + - protocol: TCP + port: 15008 + # Outbound traffic endpoint + - from: [] + ports: + - protocol: TCP + port: 15001 + # Traffic endpoint for inbound plaintext + - from: [] + ports: + - protocol: TCP + port: 15006 + # DNS Captures + - from: [ ] + ports: + - protocol: TCP + port: 15053 + - protocol: UDP + port: 15053 + egress: + # Allow all egress + - {} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/templates/rbac.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/templates/rbac.yaml new file mode 100644 index 0000000000..18291716bf --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/templates/rbac.yaml @@ -0,0 +1,51 @@ +{{- if or (eq .Values.resourceScope "all") (eq .Values.resourceScope "cluster") }} +{{- if (eq (.Values.platform | default "") "openshift") }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "ztunnel.release-name" . }} + labels: + app: ztunnel + release: {{ include "ztunnel.release-name" . }} + app.kubernetes.io/name: ztunnel + {{- include "istio.labels" . | nindent 4}} + annotations: +{{- if .Values.revision }} + {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }} + {{- toYaml $annos | nindent 4}} +{{- else }} + {{- .Values.annotations | toYaml | nindent 4 }} +{{- end }} +rules: +- apiGroups: ["security.openshift.io"] + resources: ["securitycontextconstraints"] + resourceNames: ["privileged"] + verbs: ["use"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "ztunnel.release-name" . }} + labels: + app: ztunnel + release: {{ include "ztunnel.release-name" . }} + app.kubernetes.io/name: ztunnel + {{- include "istio.labels" . | nindent 4}} + annotations: +{{- if .Values.revision }} + {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }} + {{- toYaml $annos | nindent 4}} +{{- else }} + {{- .Values.annotations | toYaml | nindent 4 }} +{{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "ztunnel.release-name" . }} +subjects: +- kind: ServiceAccount + name: {{ include "ztunnel.release-name" . }} + namespace: {{ .Release.Namespace }} +{{- end }} +--- +{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/templates/resourcequota.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/templates/resourcequota.yaml new file mode 100644 index 0000000000..d33c9fe137 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/templates/resourcequota.yaml @@ -0,0 +1,22 @@ +{{- if or (eq .Values.resourceScope "all") (eq .Values.resourceScope "namespace") }} +{{- if .Values.resourceQuotas.enabled }} +apiVersion: v1 +kind: ResourceQuota +metadata: + name: {{ include "ztunnel.release-name" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: ztunnel + {{- include "istio.labels" . | nindent 4}} + {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }} +spec: + hard: + pods: {{ .Values.resourceQuotas.pods | quote }} + scopeSelector: + matchExpressions: + - operator: In + scopeName: PriorityClass + values: + - system-node-critical +{{- end }} +{{- end }} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/templates/serviceaccount.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/templates/serviceaccount.yaml new file mode 100644 index 0000000000..e1146f3920 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/templates/serviceaccount.yaml @@ -0,0 +1,24 @@ +{{- if or (eq .Values.resourceScope "all") (eq .Values.resourceScope "namespace") }} +apiVersion: v1 +kind: ServiceAccount + {{- with .Values.imagePullSecrets }} +imagePullSecrets: + {{- range . }} + - name: {{ . }} + {{- end }} + {{- end }} +metadata: + name: {{ include "ztunnel.release-name" . }} + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: ztunnel + {{- include "istio.labels" . | nindent 4}} + {{ with .Values.labels -}}{{ toYaml . | nindent 4}}{{ end }} + annotations: +{{- if .Values.revision }} + {{- $annos := set $.Values.annotations "istio.io/rev" .Values.revision }} + {{- toYaml $annos | nindent 4}} +{{- else }} + {{- .Values.annotations | toYaml | nindent 4 }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/templates/zzz_profile.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/templates/zzz_profile.yaml new file mode 100644 index 0000000000..606c556697 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/templates/zzz_profile.yaml @@ -0,0 +1,75 @@ +{{/* +WARNING: DO NOT EDIT, THIS FILE IS A PROBABLY COPY. +The original version of this file is located at /manifests directory. +If you want to make a change in this file, edit the original one and run "make gen". + +Complex logic ahead... +We have three sets of values, in order of precedence (last wins): +1. The builtin values.yaml defaults +2. The profile the user selects +3. Users input (-f or --set) + +Unfortunately, Helm provides us (1) and (3) together (as .Values), making it hard to insert (2). + +However, we can workaround this by placing all of (1) under a specific key (.Values.defaults). +We can then merge the profile onto the defaults, then the user settings onto that. +Finally, we can set all of that under .Values so the chart behaves without awareness. +*/}} +{{- if $.Values.defaults}} +{{ fail (cat + "Setting with .default prefix found; remove it. For example, replace `--set defaults.hub=foo` with `--set hub=foo`. Defaults set:\n" + ($.Values.defaults | toYaml |nindent 4) +) }} +{{- end }} +{{- $defaults := $.Values._internal_defaults_do_not_set }} +{{- $_ := unset $.Values "_internal_defaults_do_not_set" }} +{{- $profile := dict }} +{{- with (coalesce ($.Values).profile ($.Values.global).profile) }} +{{- with $.Files.Get (printf "files/profile-%s.yaml" .)}} +{{- $profile = (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown profile" .) }} +{{- end }} +{{- end }} +{{- with .Values.compatibilityVersion }} +{{- with $.Files.Get (printf "files/profile-compatibility-version-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown compatibility version" $.Values.compatibilityVersion) }} +{{- end }} +{{- end }} +{{- with (coalesce ($.Values).platform ($.Values.global).platform) }} +{{- with $.Files.Get (printf "files/profile-platform-%s.yaml" .) }} +{{- $ignore := mustMergeOverwrite $profile (. | fromYaml) }} +{{- else }} +{{ fail (cat "unknown platform" .) }} +{{- end }} +{{- end }} +{{- if $profile }} +{{- $a := mustMergeOverwrite $defaults $profile }} +{{- end }} +# Flatten globals, if defined on a per-chart basis +{{- if true }} +{{- $a := mustMergeOverwrite $defaults ($profile.global) ($.Values.global | default dict) }} +{{- end }} +{{- $x := set $.Values "_original" (deepCopy $.Values) }} +{{- $b := set $ "Values" (mustMergeOverwrite $defaults $.Values) }} + +{{/* +Labels that should be applied to ALL resources. +*/}} +{{- define "istio.labels" -}} +{{- if .Release.Service -}} +app.kubernetes.io/managed-by: {{ .Release.Service | quote }} +{{- end }} +{{- if .Release.Name }} +app.kubernetes.io/instance: {{ .Release.Name | quote }} +{{- end }} +app.kubernetes.io/part-of: "istio" +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +{{- if and .Chart.Name .Chart.Version }} +helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end -}} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/values.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/values.yaml new file mode 100644 index 0000000000..8ffcbd582b --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/charts/ztunnel/values.yaml @@ -0,0 +1,141 @@ +# "_internal_defaults_do_not_set" is a workaround for Helm limitations. Users should NOT set "._internal_defaults_do_not_set" explicitly, but rather directly set the fields internally. +# For instance, instead of `--set _internal_defaults_do_not_set.foo=bar``, just set `--set foo=bar`. +_internal_defaults_do_not_set: + # Hub to pull from. Image will be `Hub/Image:Tag-Variant` + hub: gcr.io/istio-release + # Tag to pull from. Image will be `Hub/Image:Tag-Variant` + tag: 1.28.5 + # Variant to pull. Options are "debug" or "distroless". Unset will use the default for the given version. + variant: "" + + # Image name to pull from. Image will be `Hub/Image:Tag-Variant` + # If Image contains a "/", it will replace the entire `image` in the pod. + image: ztunnel + + # Same as `global.network`, but will override it if set. + # Network defines the network this cluster belong to. This name + # corresponds to the networks in the map of mesh networks. + network: "" + + global: + # When enabled, default NetworkPolicy resources will be created + networkPolicy: + enabled: false + + # resourceName, if set, will override the naming of resources. If not set, will default to 'ztunnel'. + # If you set this, you MUST also set `trustedZtunnelName` in the `istiod` chart. + resourceName: "" + + # Labels to apply to all top level resources + labels: {} + # Annotations to apply to all top level resources + annotations: {} + + # Additional volumeMounts to the ztunnel container + volumeMounts: [] + + # Additional volumes to the ztunnel pod + volumes: [] + + # Tolerations for the ztunnel pod + tolerations: + - effect: NoSchedule + operator: Exists + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists + + # Annotations added to each pod. The default annotations are required for scraping prometheus (in most environments). + podAnnotations: + prometheus.io/port: "15020" + prometheus.io/scrape: "true" + + # Additional labels to apply on the pod level + podLabels: {} + + # Pod resource configuration + resources: + requests: + cpu: 200m + # Ztunnel memory scales with the size of the cluster and traffic load + # While there are many factors, this is enough for ~200k pod cluster or 100k concurrently open connections. + memory: 512Mi + + resourceQuotas: + enabled: false + pods: 5000 + + # List of secret names to add to the service account as image pull secrets + imagePullSecrets: [] + + # A `key: value` mapping of environment variables to add to the pod + env: {} + + # Override for the pod imagePullPolicy + imagePullPolicy: "" + + # Settings for multicluster + multiCluster: + # The name of the cluster we are installing in. Note this is a user-defined name, which must be consistent + # with Istiod configuration. + clusterName: "" + + # meshConfig defines runtime configuration of components. + # For ztunnel, only defaultConfig is used, but this is nested under `meshConfig` for consistency with other + # components. + # TODO: https://github.com/istio/istio/issues/43248 + meshConfig: + defaultConfig: + proxyMetadata: {} + + # This value defines: + # 1. how many seconds kube waits for ztunnel pod to gracefully exit before forcibly terminating it (this value) + # 2. how many seconds ztunnel waits to drain its own connections (this value - 1 sec) + # Default K8S value is 30 seconds + terminationGracePeriodSeconds: 30 + + # Revision is set as 'version' label and part of the resource names when installing multiple control planes. + # Used to locate the XDS and CA, if caAddress or xdsAddress are not set explicitly. + revision: "" + + # The customized CA address to retrieve certificates for the pods in the cluster. + # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. + caAddress: "" + + # The customized XDS address to retrieve configuration. + # This should include the port - 15012 for Istiod. TLS will be used with the certificates in "istiod-ca-cert" secret. + # By default, it is istiod.istio-system.svc:15012 if revision is not set, or istiod-..svc:15012 + xdsAddress: "" + + # Used to locate the XDS and CA, if caAddress or xdsAddress are not set. + istioNamespace: istio-system + + # Configuration log level of ztunnel binary, default is info. + # Valid values are: trace, debug, info, warn, error + logLevel: info + + # To output all logs in json format + logAsJson: false + + # Set to `type: RuntimeDefault` to use the default profile if available. + seLinuxOptions: {} + # TODO Ambient inpod - for OpenShift, set to the following to get writable sockets in hostmounts to work, eventually consider CSI driver instead + #seLinuxOptions: + # type: spc_t + + # resourceScope controls what resources will be processed by helm. + # This is useful when installing Istio on a cluster where some resources need to be owned by a cluster administrator and some can be owned by the mesh administrator. + # It can be one of: + # - all: all resources are processed + # - cluster: only cluster-scoped resources are processed + # - namespace: only namespace-scoped resources are processed + resourceScope: all + + # K8s DaemonSet update strategy. + # https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/daemon-set-v1/#DaemonSetSpec). + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/cni-1.28.5.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/cni-1.28.5.tgz.etag new file mode 100644 index 0000000000..08f171399e --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/cni-1.28.5.tgz.etag @@ -0,0 +1 @@ +781602c5085c9cdbb3d35fa52319f6fca977c7bdec1ed37f0ff66ee4a7b739f7 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/commit b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/commit new file mode 100644 index 0000000000..82a5f3bba2 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/commit @@ -0,0 +1 @@ +1.28.5 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/gateway-1.28.5.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/gateway-1.28.5.tgz.etag new file mode 100644 index 0000000000..faabccd307 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/gateway-1.28.5.tgz.etag @@ -0,0 +1 @@ +1bccc53c64f89276f6af41eb5980656123a3ca81e584730168e057b6e9910de6 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/istiod-1.28.5.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/istiod-1.28.5.tgz.etag new file mode 100644 index 0000000000..e48b765ade --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/istiod-1.28.5.tgz.etag @@ -0,0 +1 @@ +07ffb66c3b59bf676775a8109ff85c7fa6c17a983c90e25d24fa0dca5f1efc99 diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/profiles/ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/profiles/ambient.yaml new file mode 100644 index 0000000000..71ea784a80 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/profiles/ambient.yaml @@ -0,0 +1,5 @@ +apiVersion: sailoperator.io/v1 +kind: Istio +spec: + values: + profile: ambient diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/profiles/default.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/profiles/default.yaml new file mode 100644 index 0000000000..8f1ef19676 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/profiles/default.yaml @@ -0,0 +1,12 @@ +apiVersion: sailoperator.io/v1 +kind: Istio +spec: + # Most default values come from the helm chart's values.yaml + # Below are the things that differ + values: + defaultRevision: "" + global: + istioNamespace: istio-system + configValidation: true + ztunnel: + resourceName: ztunnel diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/profiles/demo.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/profiles/demo.yaml new file mode 100644 index 0000000000..53c4b41633 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/profiles/demo.yaml @@ -0,0 +1,5 @@ +apiVersion: sailoperator.io/v1 +kind: Istio +spec: + values: + profile: demo diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/profiles/empty.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/profiles/empty.yaml new file mode 100644 index 0000000000..4477cb1fe1 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/profiles/empty.yaml @@ -0,0 +1,5 @@ +# The empty profile has everything disabled +# This is useful as a base for custom user configuration +apiVersion: sailoperator.io/v1 +kind: Istio +spec: {} diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/profiles/openshift-ambient.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/profiles/openshift-ambient.yaml new file mode 100644 index 0000000000..76edf00cd8 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/profiles/openshift-ambient.yaml @@ -0,0 +1,7 @@ +apiVersion: sailoperator.io/v1 +kind: Istio +spec: + values: + profile: ambient + global: + platform: openshift diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/profiles/openshift.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/profiles/openshift.yaml new file mode 100644 index 0000000000..41492660fe --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/profiles/openshift.yaml @@ -0,0 +1,6 @@ +apiVersion: sailoperator.io/v1 +kind: Istio +spec: + values: + global: + platform: openshift diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/profiles/preview.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/profiles/preview.yaml new file mode 100644 index 0000000000..59d545c840 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/profiles/preview.yaml @@ -0,0 +1,8 @@ +# The preview profile contains features that are experimental. +# This is intended to explore new features coming to Istio. +# Stability, security, and performance are not guaranteed - use at your own risk. +apiVersion: sailoperator.io/v1 +kind: Istio +spec: + values: + profile: preview diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/profiles/remote.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/profiles/remote.yaml new file mode 100644 index 0000000000..54c65c8ba9 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/profiles/remote.yaml @@ -0,0 +1,7 @@ +# The remote profile is used to configure a mesh cluster without a locally deployed control plane. +# Only the injector mutating webhook configuration is installed. +apiVersion: sailoperator.io/v1 +kind: Istio +spec: + values: + profile: remote diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/profiles/stable.yaml b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/profiles/stable.yaml new file mode 100644 index 0000000000..285feba244 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/profiles/stable.yaml @@ -0,0 +1,5 @@ +apiVersion: sailoperator.io/v1 +kind: Istio +spec: + values: + profile: stable diff --git a/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/ztunnel-1.28.5.tgz.etag b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/ztunnel-1.28.5.tgz.etag new file mode 100644 index 0000000000..f9a3a19635 --- /dev/null +++ b/vendor/github.com/istio-ecosystem/sail-operator/resources/v1.28.5/ztunnel-1.28.5.tgz.etag @@ -0,0 +1 @@ +2166e1d3f10acd0deec0c1fa0e00e08197252eaf4d587607012b9b33b5e46989 diff --git a/vendor/github.com/jmoiron/sqlx/.gitignore b/vendor/github.com/jmoiron/sqlx/.gitignore new file mode 100644 index 0000000000..b2be23c87f --- /dev/null +++ b/vendor/github.com/jmoiron/sqlx/.gitignore @@ -0,0 +1,25 @@ +# Compiled Object files, Static and Dynamic libs (Shared Objects) +*.o +*.a +*.so + +# Folders +_obj +_test +.idea + +# Architecture specific extensions/prefixes +*.[568vq] +[568vq].out + +*.cgo1.go +*.cgo2.c +_cgo_defun.c +_cgo_gotypes.go +_cgo_export.* + +_testmain.go + +*.exe +tags +environ diff --git a/vendor/github.com/jmoiron/sqlx/LICENSE b/vendor/github.com/jmoiron/sqlx/LICENSE new file mode 100644 index 0000000000..0d31edfa73 --- /dev/null +++ b/vendor/github.com/jmoiron/sqlx/LICENSE @@ -0,0 +1,23 @@ + Copyright (c) 2013, Jason Moiron + + Permission is hereby granted, free of charge, to any person + obtaining a copy of this software and associated documentation + files (the "Software"), to deal in the Software without + restriction, including without limitation the rights to use, + copy, modify, merge, publish, distribute, sublicense, and/or sell + copies of the Software, and to permit persons to whom the + Software is furnished to do so, subject to the following + conditions: + + The above copyright notice and this permission notice shall be + included in all copies or substantial portions of the Software. + + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, + EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES + OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND + NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT + HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, + WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR + OTHER DEALINGS IN THE SOFTWARE. + diff --git a/vendor/github.com/jmoiron/sqlx/Makefile b/vendor/github.com/jmoiron/sqlx/Makefile new file mode 100644 index 0000000000..448b9ddd9c --- /dev/null +++ b/vendor/github.com/jmoiron/sqlx/Makefile @@ -0,0 +1,30 @@ +.ONESHELL: +SHELL = /bin/sh +.SHELLFLAGS = -ec + +BASE_PACKAGE := github.com/jmoiron/sqlx + +tooling: + go install honnef.co/go/tools/cmd/staticcheck@v0.4.7 + go install golang.org/x/vuln/cmd/govulncheck@v1.0.4 + go install golang.org/x/tools/cmd/goimports@v0.20.0 + +has-changes: + git diff --exit-code --quiet HEAD -- + +lint: + go vet ./... + staticcheck -checks=all ./... + +fmt: + go list -f '{{.Dir}}' ./... | xargs -I {} goimports -local $(BASE_PACKAGE) -w {} + +vuln-check: + govulncheck ./... + +test-race: + go test -v -race -count=1 ./... + +update-dependencies: + go get -u -t -v ./... + go mod tidy diff --git a/vendor/github.com/jmoiron/sqlx/README.md b/vendor/github.com/jmoiron/sqlx/README.md new file mode 100644 index 0000000000..5bfd231a11 --- /dev/null +++ b/vendor/github.com/jmoiron/sqlx/README.md @@ -0,0 +1,213 @@ +# sqlx + +[![CircleCI](https://dl.circleci.com/status-badge/img/gh/jmoiron/sqlx/tree/master.svg?style=shield)](https://dl.circleci.com/status-badge/redirect/gh/jmoiron/sqlx/tree/master) [![Coverage Status](https://coveralls.io/repos/github/jmoiron/sqlx/badge.svg?branch=master)](https://coveralls.io/github/jmoiron/sqlx?branch=master) [![Godoc](http://img.shields.io/badge/godoc-reference-blue.svg?style=flat)](https://godoc.org/github.com/jmoiron/sqlx) [![license](http://img.shields.io/badge/license-MIT-red.svg?style=flat)](https://raw.githubusercontent.com/jmoiron/sqlx/master/LICENSE) + +sqlx is a library which provides a set of extensions on go's standard +`database/sql` library. The sqlx versions of `sql.DB`, `sql.TX`, `sql.Stmt`, +et al. all leave the underlying interfaces untouched, so that their interfaces +are a superset on the standard ones. This makes it relatively painless to +integrate existing codebases using database/sql with sqlx. + +Major additional concepts are: + +* Marshal rows into structs (with embedded struct support), maps, and slices +* Named parameter support including prepared statements +* `Get` and `Select` to go quickly from query to struct/slice + +In addition to the [godoc API documentation](http://godoc.org/github.com/jmoiron/sqlx), +there is also some [user documentation](http://jmoiron.github.io/sqlx/) that +explains how to use `database/sql` along with sqlx. + +## Recent Changes + +1.3.0: + +* `sqlx.DB.Connx(context.Context) *sqlx.Conn` +* `sqlx.BindDriver(driverName, bindType)` +* support for `[]map[string]interface{}` to do "batch" insertions +* allocation & perf improvements for `sqlx.In` + +DB.Connx returns an `sqlx.Conn`, which is an `sql.Conn`-alike consistent with +sqlx's wrapping of other types. + +`BindDriver` allows users to control the bindvars that sqlx will use for drivers, +and add new drivers at runtime. This results in a very slight performance hit +when resolving the driver into a bind type (~40ns per call), but it allows users +to specify what bindtype their driver uses even when sqlx has not been updated +to know about it by default. + +### Backwards Compatibility + +Compatibility with the most recent two versions of Go is a requirement for any +new changes. Compatibility beyond that is not guaranteed. + +Versioning is done with Go modules. Breaking changes (eg. removing deprecated API) +will get major version number bumps. + +## install + + go get github.com/jmoiron/sqlx + +## issues + +Row headers can be ambiguous (`SELECT 1 AS a, 2 AS a`), and the result of +`Columns()` does not fully qualify column names in queries like: + +```sql +SELECT a.id, a.name, b.id, b.name FROM foos AS a JOIN foos AS b ON a.parent = b.id; +``` + +making a struct or map destination ambiguous. Use `AS` in your queries +to give columns distinct names, `rows.Scan` to scan them manually, or +`SliceScan` to get a slice of results. + +## usage + +Below is an example which shows some common use cases for sqlx. Check +[sqlx_test.go](https://github.com/jmoiron/sqlx/blob/master/sqlx_test.go) for more +usage. + + +```go +package main + +import ( + "database/sql" + "fmt" + "log" + + _ "github.com/lib/pq" + "github.com/jmoiron/sqlx" +) + +var schema = ` +CREATE TABLE person ( + first_name text, + last_name text, + email text +); + +CREATE TABLE place ( + country text, + city text NULL, + telcode integer +)` + +type Person struct { + FirstName string `db:"first_name"` + LastName string `db:"last_name"` + Email string +} + +type Place struct { + Country string + City sql.NullString + TelCode int +} + +func main() { + // this Pings the database trying to connect + // use sqlx.Open() for sql.Open() semantics + db, err := sqlx.Connect("postgres", "user=foo dbname=bar sslmode=disable") + if err != nil { + log.Fatalln(err) + } + + // exec the schema or fail; multi-statement Exec behavior varies between + // database drivers; pq will exec them all, sqlite3 won't, ymmv + db.MustExec(schema) + + tx := db.MustBegin() + tx.MustExec("INSERT INTO person (first_name, last_name, email) VALUES ($1, $2, $3)", "Jason", "Moiron", "jmoiron@jmoiron.net") + tx.MustExec("INSERT INTO person (first_name, last_name, email) VALUES ($1, $2, $3)", "John", "Doe", "johndoeDNE@gmail.net") + tx.MustExec("INSERT INTO place (country, city, telcode) VALUES ($1, $2, $3)", "United States", "New York", "1") + tx.MustExec("INSERT INTO place (country, telcode) VALUES ($1, $2)", "Hong Kong", "852") + tx.MustExec("INSERT INTO place (country, telcode) VALUES ($1, $2)", "Singapore", "65") + // Named queries can use structs, so if you have an existing struct (i.e. person := &Person{}) that you have populated, you can pass it in as &person + tx.NamedExec("INSERT INTO person (first_name, last_name, email) VALUES (:first_name, :last_name, :email)", &Person{"Jane", "Citizen", "jane.citzen@example.com"}) + tx.Commit() + + // Query the database, storing results in a []Person (wrapped in []interface{}) + people := []Person{} + db.Select(&people, "SELECT * FROM person ORDER BY first_name ASC") + jason, john := people[0], people[1] + + fmt.Printf("%#v\n%#v", jason, john) + // Person{FirstName:"Jason", LastName:"Moiron", Email:"jmoiron@jmoiron.net"} + // Person{FirstName:"John", LastName:"Doe", Email:"johndoeDNE@gmail.net"} + + // You can also get a single result, a la QueryRow + jason = Person{} + err = db.Get(&jason, "SELECT * FROM person WHERE first_name=$1", "Jason") + fmt.Printf("%#v\n", jason) + // Person{FirstName:"Jason", LastName:"Moiron", Email:"jmoiron@jmoiron.net"} + + // if you have null fields and use SELECT *, you must use sql.Null* in your struct + places := []Place{} + err = db.Select(&places, "SELECT * FROM place ORDER BY telcode ASC") + if err != nil { + fmt.Println(err) + return + } + usa, singsing, honkers := places[0], places[1], places[2] + + fmt.Printf("%#v\n%#v\n%#v\n", usa, singsing, honkers) + // Place{Country:"United States", City:sql.NullString{String:"New York", Valid:true}, TelCode:1} + // Place{Country:"Singapore", City:sql.NullString{String:"", Valid:false}, TelCode:65} + // Place{Country:"Hong Kong", City:sql.NullString{String:"", Valid:false}, TelCode:852} + + // Loop through rows using only one struct + place := Place{} + rows, err := db.Queryx("SELECT * FROM place") + for rows.Next() { + err := rows.StructScan(&place) + if err != nil { + log.Fatalln(err) + } + fmt.Printf("%#v\n", place) + } + // Place{Country:"United States", City:sql.NullString{String:"New York", Valid:true}, TelCode:1} + // Place{Country:"Hong Kong", City:sql.NullString{String:"", Valid:false}, TelCode:852} + // Place{Country:"Singapore", City:sql.NullString{String:"", Valid:false}, TelCode:65} + + // Named queries, using `:name` as the bindvar. Automatic bindvar support + // which takes into account the dbtype based on the driverName on sqlx.Open/Connect + _, err = db.NamedExec(`INSERT INTO person (first_name,last_name,email) VALUES (:first,:last,:email)`, + map[string]interface{}{ + "first": "Bin", + "last": "Smuth", + "email": "bensmith@allblacks.nz", + }) + + // Selects Mr. Smith from the database + rows, err = db.NamedQuery(`SELECT * FROM person WHERE first_name=:fn`, map[string]interface{}{"fn": "Bin"}) + + // Named queries can also use structs. Their bind names follow the same rules + // as the name -> db mapping, so struct fields are lowercased and the `db` tag + // is taken into consideration. + rows, err = db.NamedQuery(`SELECT * FROM person WHERE first_name=:first_name`, jason) + + + // batch insert + + // batch insert with structs + personStructs := []Person{ + {FirstName: "Ardie", LastName: "Savea", Email: "asavea@ab.co.nz"}, + {FirstName: "Sonny Bill", LastName: "Williams", Email: "sbw@ab.co.nz"}, + {FirstName: "Ngani", LastName: "Laumape", Email: "nlaumape@ab.co.nz"}, + } + + _, err = db.NamedExec(`INSERT INTO person (first_name, last_name, email) + VALUES (:first_name, :last_name, :email)`, personStructs) + + // batch insert with maps + personMaps := []map[string]interface{}{ + {"first_name": "Ardie", "last_name": "Savea", "email": "asavea@ab.co.nz"}, + {"first_name": "Sonny Bill", "last_name": "Williams", "email": "sbw@ab.co.nz"}, + {"first_name": "Ngani", "last_name": "Laumape", "email": "nlaumape@ab.co.nz"}, + } + + _, err = db.NamedExec(`INSERT INTO person (first_name, last_name, email) + VALUES (:first_name, :last_name, :email)`, personMaps) +} +``` diff --git a/vendor/github.com/jmoiron/sqlx/bind.go b/vendor/github.com/jmoiron/sqlx/bind.go new file mode 100644 index 0000000000..ec0da4e72e --- /dev/null +++ b/vendor/github.com/jmoiron/sqlx/bind.go @@ -0,0 +1,265 @@ +package sqlx + +import ( + "bytes" + "database/sql/driver" + "errors" + "reflect" + "strconv" + "strings" + "sync" + + "github.com/jmoiron/sqlx/reflectx" +) + +// Bindvar types supported by Rebind, BindMap and BindStruct. +const ( + UNKNOWN = iota + QUESTION + DOLLAR + NAMED + AT +) + +var defaultBinds = map[int][]string{ + DOLLAR: []string{"postgres", "pgx", "pq-timeouts", "cloudsqlpostgres", "ql", "nrpostgres", "cockroach"}, + QUESTION: []string{"mysql", "sqlite3", "nrmysql", "nrsqlite3"}, + NAMED: []string{"oci8", "ora", "goracle", "godror"}, + AT: []string{"sqlserver"}, +} + +var binds sync.Map + +func init() { + for bind, drivers := range defaultBinds { + for _, driver := range drivers { + BindDriver(driver, bind) + } + } + +} + +// BindType returns the bindtype for a given database given a drivername. +func BindType(driverName string) int { + itype, ok := binds.Load(driverName) + if !ok { + return UNKNOWN + } + return itype.(int) +} + +// BindDriver sets the BindType for driverName to bindType. +func BindDriver(driverName string, bindType int) { + binds.Store(driverName, bindType) +} + +// FIXME: this should be able to be tolerant of escaped ?'s in queries without +// losing much speed, and should be to avoid confusion. + +// Rebind a query from the default bindtype (QUESTION) to the target bindtype. +func Rebind(bindType int, query string) string { + switch bindType { + case QUESTION, UNKNOWN: + return query + } + + // Add space enough for 10 params before we have to allocate + rqb := make([]byte, 0, len(query)+10) + + var i, j int + + for i = strings.Index(query, "?"); i != -1; i = strings.Index(query, "?") { + rqb = append(rqb, query[:i]...) + + switch bindType { + case DOLLAR: + rqb = append(rqb, '$') + case NAMED: + rqb = append(rqb, ':', 'a', 'r', 'g') + case AT: + rqb = append(rqb, '@', 'p') + } + + j++ + rqb = strconv.AppendInt(rqb, int64(j), 10) + + query = query[i+1:] + } + + return string(append(rqb, query...)) +} + +// Experimental implementation of Rebind which uses a bytes.Buffer. The code is +// much simpler and should be more resistant to odd unicode, but it is twice as +// slow. Kept here for benchmarking purposes and to possibly replace Rebind if +// problems arise with its somewhat naive handling of unicode. +func rebindBuff(bindType int, query string) string { + if bindType != DOLLAR { + return query + } + + b := make([]byte, 0, len(query)) + rqb := bytes.NewBuffer(b) + j := 1 + for _, r := range query { + if r == '?' { + rqb.WriteRune('$') + rqb.WriteString(strconv.Itoa(j)) + j++ + } else { + rqb.WriteRune(r) + } + } + + return rqb.String() +} + +func asSliceForIn(i interface{}) (v reflect.Value, ok bool) { + if i == nil { + return reflect.Value{}, false + } + + v = reflect.ValueOf(i) + t := reflectx.Deref(v.Type()) + + // Only expand slices + if t.Kind() != reflect.Slice { + return reflect.Value{}, false + } + + // []byte is a driver.Value type so it should not be expanded + if t == reflect.TypeOf([]byte{}) { + return reflect.Value{}, false + + } + + return v, true +} + +// In expands slice values in args, returning the modified query string +// and a new arg list that can be executed by a database. The `query` should +// use the `?` bindVar. The return value uses the `?` bindVar. +func In(query string, args ...interface{}) (string, []interface{}, error) { + // argMeta stores reflect.Value and length for slices and + // the value itself for non-slice arguments + type argMeta struct { + v reflect.Value + i interface{} + length int + } + + var flatArgsCount int + var anySlices bool + + var stackMeta [32]argMeta + + var meta []argMeta + if len(args) <= len(stackMeta) { + meta = stackMeta[:len(args)] + } else { + meta = make([]argMeta, len(args)) + } + + for i, arg := range args { + if a, ok := arg.(driver.Valuer); ok { + var err error + arg, err = a.Value() + if err != nil { + return "", nil, err + } + } + + if v, ok := asSliceForIn(arg); ok { + meta[i].length = v.Len() + meta[i].v = v + + anySlices = true + flatArgsCount += meta[i].length + + if meta[i].length == 0 { + return "", nil, errors.New("empty slice passed to 'in' query") + } + } else { + meta[i].i = arg + flatArgsCount++ + } + } + + // don't do any parsing if there aren't any slices; note that this means + // some errors that we might have caught below will not be returned. + if !anySlices { + return query, args, nil + } + + newArgs := make([]interface{}, 0, flatArgsCount) + + var buf strings.Builder + buf.Grow(len(query) + len(", ?")*flatArgsCount) + + var arg, offset int + + for i := strings.IndexByte(query[offset:], '?'); i != -1; i = strings.IndexByte(query[offset:], '?') { + if arg >= len(meta) { + // if an argument wasn't passed, lets return an error; this is + // not actually how database/sql Exec/Query works, but since we are + // creating an argument list programmatically, we want to be able + // to catch these programmer errors earlier. + return "", nil, errors.New("number of bindVars exceeds arguments") + } + + argMeta := meta[arg] + arg++ + + // not a slice, continue. + // our questionmark will either be written before the next expansion + // of a slice or after the loop when writing the rest of the query + if argMeta.length == 0 { + offset = offset + i + 1 + newArgs = append(newArgs, argMeta.i) + continue + } + + // write everything up to and including our ? character + buf.WriteString(query[:offset+i+1]) + + for si := 1; si < argMeta.length; si++ { + buf.WriteString(", ?") + } + + newArgs = appendReflectSlice(newArgs, argMeta.v, argMeta.length) + + // slice the query and reset the offset. this avoids some bookkeeping for + // the write after the loop + query = query[offset+i+1:] + offset = 0 + } + + buf.WriteString(query) + + if arg < len(meta) { + return "", nil, errors.New("number of bindVars less than number arguments") + } + + return buf.String(), newArgs, nil +} + +func appendReflectSlice(args []interface{}, v reflect.Value, vlen int) []interface{} { + switch val := v.Interface().(type) { + case []interface{}: + args = append(args, val...) + case []int: + for i := range val { + args = append(args, val[i]) + } + case []string: + for i := range val { + args = append(args, val[i]) + } + default: + for si := 0; si < vlen; si++ { + args = append(args, v.Index(si).Interface()) + } + } + + return args +} diff --git a/vendor/github.com/jmoiron/sqlx/doc.go b/vendor/github.com/jmoiron/sqlx/doc.go new file mode 100644 index 0000000000..b80104175d --- /dev/null +++ b/vendor/github.com/jmoiron/sqlx/doc.go @@ -0,0 +1,11 @@ +// Package sqlx provides general purpose extensions to database/sql. +// +// It is intended to seamlessly wrap database/sql and provide convenience +// methods which are useful in the development of database driven applications. +// None of the underlying database/sql methods are changed. Instead all extended +// behavior is implemented through new methods defined on wrapper types. +// +// Additions include scanning into structs, named query support, rebinding +// queries for different drivers, convenient shorthands for common error handling +// and more. +package sqlx diff --git a/vendor/github.com/jmoiron/sqlx/named.go b/vendor/github.com/jmoiron/sqlx/named.go new file mode 100644 index 0000000000..6ac4477713 --- /dev/null +++ b/vendor/github.com/jmoiron/sqlx/named.go @@ -0,0 +1,458 @@ +package sqlx + +// Named Query Support +// +// * BindMap - bind query bindvars to map/struct args +// * NamedExec, NamedQuery - named query w/ struct or map +// * NamedStmt - a pre-compiled named query which is a prepared statement +// +// Internal Interfaces: +// +// * compileNamedQuery - rebind a named query, returning a query and list of names +// * bindArgs, bindMapArgs, bindAnyArgs - given a list of names, return an arglist +// +import ( + "bytes" + "database/sql" + "errors" + "fmt" + "reflect" + "regexp" + "strconv" + "unicode" + + "github.com/jmoiron/sqlx/reflectx" +) + +// NamedStmt is a prepared statement that executes named queries. Prepare it +// how you would execute a NamedQuery, but pass in a struct or map when executing. +type NamedStmt struct { + Params []string + QueryString string + Stmt *Stmt +} + +// Close closes the named statement. +func (n *NamedStmt) Close() error { + return n.Stmt.Close() +} + +// Exec executes a named statement using the struct passed. +// Any named placeholder parameters are replaced with fields from arg. +func (n *NamedStmt) Exec(arg interface{}) (sql.Result, error) { + args, err := bindAnyArgs(n.Params, arg, n.Stmt.Mapper) + if err != nil { + return *new(sql.Result), err + } + return n.Stmt.Exec(args...) +} + +// Query executes a named statement using the struct argument, returning rows. +// Any named placeholder parameters are replaced with fields from arg. +func (n *NamedStmt) Query(arg interface{}) (*sql.Rows, error) { + args, err := bindAnyArgs(n.Params, arg, n.Stmt.Mapper) + if err != nil { + return nil, err + } + return n.Stmt.Query(args...) +} + +// QueryRow executes a named statement against the database. Because sqlx cannot +// create a *sql.Row with an error condition pre-set for binding errors, sqlx +// returns a *sqlx.Row instead. +// Any named placeholder parameters are replaced with fields from arg. +func (n *NamedStmt) QueryRow(arg interface{}) *Row { + args, err := bindAnyArgs(n.Params, arg, n.Stmt.Mapper) + if err != nil { + return &Row{err: err} + } + return n.Stmt.QueryRowx(args...) +} + +// MustExec execs a NamedStmt, panicing on error +// Any named placeholder parameters are replaced with fields from arg. +func (n *NamedStmt) MustExec(arg interface{}) sql.Result { + res, err := n.Exec(arg) + if err != nil { + panic(err) + } + return res +} + +// Queryx using this NamedStmt +// Any named placeholder parameters are replaced with fields from arg. +func (n *NamedStmt) Queryx(arg interface{}) (*Rows, error) { + r, err := n.Query(arg) + if err != nil { + return nil, err + } + return &Rows{Rows: r, Mapper: n.Stmt.Mapper, unsafe: isUnsafe(n)}, err +} + +// QueryRowx this NamedStmt. Because of limitations with QueryRow, this is +// an alias for QueryRow. +// Any named placeholder parameters are replaced with fields from arg. +func (n *NamedStmt) QueryRowx(arg interface{}) *Row { + return n.QueryRow(arg) +} + +// Select using this NamedStmt +// Any named placeholder parameters are replaced with fields from arg. +func (n *NamedStmt) Select(dest interface{}, arg interface{}) error { + rows, err := n.Queryx(arg) + if err != nil { + return err + } + // if something happens here, we want to make sure the rows are Closed + defer rows.Close() + return scanAll(rows, dest, false) +} + +// Get using this NamedStmt +// Any named placeholder parameters are replaced with fields from arg. +func (n *NamedStmt) Get(dest interface{}, arg interface{}) error { + r := n.QueryRowx(arg) + return r.scanAny(dest, false) +} + +// Unsafe creates an unsafe version of the NamedStmt +func (n *NamedStmt) Unsafe() *NamedStmt { + r := &NamedStmt{Params: n.Params, Stmt: n.Stmt, QueryString: n.QueryString} + r.Stmt.unsafe = true + return r +} + +// A union interface of preparer and binder, required to be able to prepare +// named statements (as the bindtype must be determined). +type namedPreparer interface { + Preparer + binder +} + +func prepareNamed(p namedPreparer, query string) (*NamedStmt, error) { + bindType := BindType(p.DriverName()) + q, args, err := compileNamedQuery([]byte(query), bindType) + if err != nil { + return nil, err + } + stmt, err := Preparex(p, q) + if err != nil { + return nil, err + } + return &NamedStmt{ + QueryString: q, + Params: args, + Stmt: stmt, + }, nil +} + +// convertMapStringInterface attempts to convert v to map[string]interface{}. +// Unlike v.(map[string]interface{}), this function works on named types that +// are convertible to map[string]interface{} as well. +func convertMapStringInterface(v interface{}) (map[string]interface{}, bool) { + var m map[string]interface{} + mtype := reflect.TypeOf(m) + t := reflect.TypeOf(v) + if !t.ConvertibleTo(mtype) { + return nil, false + } + return reflect.ValueOf(v).Convert(mtype).Interface().(map[string]interface{}), true + +} + +func bindAnyArgs(names []string, arg interface{}, m *reflectx.Mapper) ([]interface{}, error) { + if maparg, ok := convertMapStringInterface(arg); ok { + return bindMapArgs(names, maparg) + } + return bindArgs(names, arg, m) +} + +// private interface to generate a list of interfaces from a given struct +// type, given a list of names to pull out of the struct. Used by public +// BindStruct interface. +func bindArgs(names []string, arg interface{}, m *reflectx.Mapper) ([]interface{}, error) { + arglist := make([]interface{}, 0, len(names)) + + // grab the indirected value of arg + var v reflect.Value + for v = reflect.ValueOf(arg); v.Kind() == reflect.Ptr; { + v = v.Elem() + } + + err := m.TraversalsByNameFunc(v.Type(), names, func(i int, t []int) error { + if len(t) == 0 { + return fmt.Errorf("could not find name %s in %#v", names[i], arg) + } + + val := reflectx.FieldByIndexesReadOnly(v, t) + arglist = append(arglist, val.Interface()) + + return nil + }) + + return arglist, err +} + +// like bindArgs, but for maps. +func bindMapArgs(names []string, arg map[string]interface{}) ([]interface{}, error) { + arglist := make([]interface{}, 0, len(names)) + + for _, name := range names { + val, ok := arg[name] + if !ok { + return arglist, fmt.Errorf("could not find name %s in %#v", name, arg) + } + arglist = append(arglist, val) + } + return arglist, nil +} + +// bindStruct binds a named parameter query with fields from a struct argument. +// The rules for binding field names to parameter names follow the same +// conventions as for StructScan, including obeying the `db` struct tags. +func bindStruct(bindType int, query string, arg interface{}, m *reflectx.Mapper) (string, []interface{}, error) { + bound, names, err := compileNamedQuery([]byte(query), bindType) + if err != nil { + return "", []interface{}{}, err + } + + arglist, err := bindAnyArgs(names, arg, m) + if err != nil { + return "", []interface{}{}, err + } + + return bound, arglist, nil +} + +var valuesReg = regexp.MustCompile(`\)\s*(?i)VALUES\s*\(`) + +func findMatchingClosingBracketIndex(s string) int { + count := 0 + for i, ch := range s { + if ch == '(' { + count++ + } + if ch == ')' { + count-- + if count == 0 { + return i + } + } + } + return 0 +} + +func fixBound(bound string, loop int) string { + loc := valuesReg.FindStringIndex(bound) + // defensive guard when "VALUES (...)" not found + if len(loc) < 2 { + return bound + } + + openingBracketIndex := loc[1] - 1 + index := findMatchingClosingBracketIndex(bound[openingBracketIndex:]) + // defensive guard. must have closing bracket + if index == 0 { + return bound + } + closingBracketIndex := openingBracketIndex + index + 1 + + var buffer bytes.Buffer + + buffer.WriteString(bound[0:closingBracketIndex]) + for i := 0; i < loop-1; i++ { + buffer.WriteString(",") + buffer.WriteString(bound[openingBracketIndex:closingBracketIndex]) + } + buffer.WriteString(bound[closingBracketIndex:]) + return buffer.String() +} + +// bindArray binds a named parameter query with fields from an array or slice of +// structs argument. +func bindArray(bindType int, query string, arg interface{}, m *reflectx.Mapper) (string, []interface{}, error) { + // do the initial binding with QUESTION; if bindType is not question, + // we can rebind it at the end. + bound, names, err := compileNamedQuery([]byte(query), QUESTION) + if err != nil { + return "", []interface{}{}, err + } + arrayValue := reflect.ValueOf(arg) + arrayLen := arrayValue.Len() + if arrayLen == 0 { + return "", []interface{}{}, fmt.Errorf("length of array is 0: %#v", arg) + } + var arglist = make([]interface{}, 0, len(names)*arrayLen) + for i := 0; i < arrayLen; i++ { + elemArglist, err := bindAnyArgs(names, arrayValue.Index(i).Interface(), m) + if err != nil { + return "", []interface{}{}, err + } + arglist = append(arglist, elemArglist...) + } + if arrayLen > 1 { + bound = fixBound(bound, arrayLen) + } + // adjust binding type if we weren't on question + if bindType != QUESTION { + bound = Rebind(bindType, bound) + } + return bound, arglist, nil +} + +// bindMap binds a named parameter query with a map of arguments. +func bindMap(bindType int, query string, args map[string]interface{}) (string, []interface{}, error) { + bound, names, err := compileNamedQuery([]byte(query), bindType) + if err != nil { + return "", []interface{}{}, err + } + + arglist, err := bindMapArgs(names, args) + return bound, arglist, err +} + +// -- Compilation of Named Queries + +// Allow digits and letters in bind params; additionally runes are +// checked against underscores, meaning that bind params can have be +// alphanumeric with underscores. Mind the difference between unicode +// digits and numbers, where '5' is a digit but '五' is not. +var allowedBindRunes = []*unicode.RangeTable{unicode.Letter, unicode.Digit} + +// FIXME: this function isn't safe for unicode named params, as a failing test +// can testify. This is not a regression but a failure of the original code +// as well. It should be modified to range over runes in a string rather than +// bytes, even though this is less convenient and slower. Hopefully the +// addition of the prepared NamedStmt (which will only do this once) will make +// up for the slightly slower ad-hoc NamedExec/NamedQuery. + +// compile a NamedQuery into an unbound query (using the '?' bindvar) and +// a list of names. +func compileNamedQuery(qs []byte, bindType int) (query string, names []string, err error) { + names = make([]string, 0, 10) + rebound := make([]byte, 0, len(qs)) + + inName := false + last := len(qs) - 1 + currentVar := 1 + name := make([]byte, 0, 10) + + for i, b := range qs { + // a ':' while we're in a name is an error + if b == ':' { + // if this is the second ':' in a '::' escape sequence, append a ':' + if inName && i > 0 && qs[i-1] == ':' { + rebound = append(rebound, ':') + inName = false + continue + } else if inName { + err = errors.New("unexpected `:` while reading named param at " + strconv.Itoa(i)) + return query, names, err + } + inName = true + name = []byte{} + } else if inName && i > 0 && b == '=' && len(name) == 0 { + rebound = append(rebound, ':', '=') + inName = false + continue + // if we're in a name, and this is an allowed character, continue + } else if inName && (unicode.IsOneOf(allowedBindRunes, rune(b)) || b == '_' || b == '.') && i != last { + // append the byte to the name if we are in a name and not on the last byte + name = append(name, b) + // if we're in a name and it's not an allowed character, the name is done + } else if inName { + inName = false + // if this is the final byte of the string and it is part of the name, then + // make sure to add it to the name + if i == last && unicode.IsOneOf(allowedBindRunes, rune(b)) { + name = append(name, b) + } + // add the string representation to the names list + names = append(names, string(name)) + // add a proper bindvar for the bindType + switch bindType { + // oracle only supports named type bind vars even for positional + case NAMED: + rebound = append(rebound, ':') + rebound = append(rebound, name...) + case QUESTION, UNKNOWN: + rebound = append(rebound, '?') + case DOLLAR: + rebound = append(rebound, '$') + for _, b := range strconv.Itoa(currentVar) { + rebound = append(rebound, byte(b)) + } + currentVar++ + case AT: + rebound = append(rebound, '@', 'p') + for _, b := range strconv.Itoa(currentVar) { + rebound = append(rebound, byte(b)) + } + currentVar++ + } + // add this byte to string unless it was not part of the name + if i != last { + rebound = append(rebound, b) + } else if !unicode.IsOneOf(allowedBindRunes, rune(b)) { + rebound = append(rebound, b) + } + } else { + // this is a normal byte and should just go onto the rebound query + rebound = append(rebound, b) + } + } + + return string(rebound), names, err +} + +// BindNamed binds a struct or a map to a query with named parameters. +// DEPRECATED: use sqlx.Named` instead of this, it may be removed in future. +func BindNamed(bindType int, query string, arg interface{}) (string, []interface{}, error) { + return bindNamedMapper(bindType, query, arg, mapper()) +} + +// Named takes a query using named parameters and an argument and +// returns a new query with a list of args that can be executed by +// a database. The return value uses the `?` bindvar. +func Named(query string, arg interface{}) (string, []interface{}, error) { + return bindNamedMapper(QUESTION, query, arg, mapper()) +} + +func bindNamedMapper(bindType int, query string, arg interface{}, m *reflectx.Mapper) (string, []interface{}, error) { + t := reflect.TypeOf(arg) + k := t.Kind() + switch { + case k == reflect.Map && t.Key().Kind() == reflect.String: + m, ok := convertMapStringInterface(arg) + if !ok { + return "", nil, fmt.Errorf("sqlx.bindNamedMapper: unsupported map type: %T", arg) + } + return bindMap(bindType, query, m) + case k == reflect.Array || k == reflect.Slice: + return bindArray(bindType, query, arg, m) + default: + return bindStruct(bindType, query, arg, m) + } +} + +// NamedQuery binds a named query and then runs Query on the result using the +// provided Ext (sqlx.Tx, sqlx.Db). It works with both structs and with +// map[string]interface{} types. +func NamedQuery(e Ext, query string, arg interface{}) (*Rows, error) { + q, args, err := bindNamedMapper(BindType(e.DriverName()), query, arg, mapperFor(e)) + if err != nil { + return nil, err + } + return e.Queryx(q, args...) +} + +// NamedExec uses BindStruct to get a query executable by the driver and +// then runs Exec on the result. Returns an error from the binding +// or the query execution itself. +func NamedExec(e Ext, query string, arg interface{}) (sql.Result, error) { + q, args, err := bindNamedMapper(BindType(e.DriverName()), query, arg, mapperFor(e)) + if err != nil { + return nil, err + } + return e.Exec(q, args...) +} diff --git a/vendor/github.com/jmoiron/sqlx/named_context.go b/vendor/github.com/jmoiron/sqlx/named_context.go new file mode 100644 index 0000000000..9ad23f4ed1 --- /dev/null +++ b/vendor/github.com/jmoiron/sqlx/named_context.go @@ -0,0 +1,133 @@ +//go:build go1.8 +// +build go1.8 + +package sqlx + +import ( + "context" + "database/sql" +) + +// A union interface of contextPreparer and binder, required to be able to +// prepare named statements with context (as the bindtype must be determined). +type namedPreparerContext interface { + PreparerContext + binder +} + +func prepareNamedContext(ctx context.Context, p namedPreparerContext, query string) (*NamedStmt, error) { + bindType := BindType(p.DriverName()) + q, args, err := compileNamedQuery([]byte(query), bindType) + if err != nil { + return nil, err + } + stmt, err := PreparexContext(ctx, p, q) + if err != nil { + return nil, err + } + return &NamedStmt{ + QueryString: q, + Params: args, + Stmt: stmt, + }, nil +} + +// ExecContext executes a named statement using the struct passed. +// Any named placeholder parameters are replaced with fields from arg. +func (n *NamedStmt) ExecContext(ctx context.Context, arg interface{}) (sql.Result, error) { + args, err := bindAnyArgs(n.Params, arg, n.Stmt.Mapper) + if err != nil { + return *new(sql.Result), err + } + return n.Stmt.ExecContext(ctx, args...) +} + +// QueryContext executes a named statement using the struct argument, returning rows. +// Any named placeholder parameters are replaced with fields from arg. +func (n *NamedStmt) QueryContext(ctx context.Context, arg interface{}) (*sql.Rows, error) { + args, err := bindAnyArgs(n.Params, arg, n.Stmt.Mapper) + if err != nil { + return nil, err + } + return n.Stmt.QueryContext(ctx, args...) +} + +// QueryRowContext executes a named statement against the database. Because sqlx cannot +// create a *sql.Row with an error condition pre-set for binding errors, sqlx +// returns a *sqlx.Row instead. +// Any named placeholder parameters are replaced with fields from arg. +func (n *NamedStmt) QueryRowContext(ctx context.Context, arg interface{}) *Row { + args, err := bindAnyArgs(n.Params, arg, n.Stmt.Mapper) + if err != nil { + return &Row{err: err} + } + return n.Stmt.QueryRowxContext(ctx, args...) +} + +// MustExecContext execs a NamedStmt, panicing on error +// Any named placeholder parameters are replaced with fields from arg. +func (n *NamedStmt) MustExecContext(ctx context.Context, arg interface{}) sql.Result { + res, err := n.ExecContext(ctx, arg) + if err != nil { + panic(err) + } + return res +} + +// QueryxContext using this NamedStmt +// Any named placeholder parameters are replaced with fields from arg. +func (n *NamedStmt) QueryxContext(ctx context.Context, arg interface{}) (*Rows, error) { + r, err := n.QueryContext(ctx, arg) + if err != nil { + return nil, err + } + return &Rows{Rows: r, Mapper: n.Stmt.Mapper, unsafe: isUnsafe(n)}, err +} + +// QueryRowxContext this NamedStmt. Because of limitations with QueryRow, this is +// an alias for QueryRow. +// Any named placeholder parameters are replaced with fields from arg. +func (n *NamedStmt) QueryRowxContext(ctx context.Context, arg interface{}) *Row { + return n.QueryRowContext(ctx, arg) +} + +// SelectContext using this NamedStmt +// Any named placeholder parameters are replaced with fields from arg. +func (n *NamedStmt) SelectContext(ctx context.Context, dest interface{}, arg interface{}) error { + rows, err := n.QueryxContext(ctx, arg) + if err != nil { + return err + } + // if something happens here, we want to make sure the rows are Closed + defer rows.Close() + return scanAll(rows, dest, false) +} + +// GetContext using this NamedStmt +// Any named placeholder parameters are replaced with fields from arg. +func (n *NamedStmt) GetContext(ctx context.Context, dest interface{}, arg interface{}) error { + r := n.QueryRowxContext(ctx, arg) + return r.scanAny(dest, false) +} + +// NamedQueryContext binds a named query and then runs Query on the result using the +// provided Ext (sqlx.Tx, sqlx.Db). It works with both structs and with +// map[string]interface{} types. +func NamedQueryContext(ctx context.Context, e ExtContext, query string, arg interface{}) (*Rows, error) { + q, args, err := bindNamedMapper(BindType(e.DriverName()), query, arg, mapperFor(e)) + if err != nil { + return nil, err + } + return e.QueryxContext(ctx, q, args...) +} + +// NamedExecContext uses BindStruct to get a query executable by the driver and +// then runs Exec on the result. Returns an error from the binding +// or the query execution itself. +func NamedExecContext(ctx context.Context, e ExtContext, query string, arg interface{}) (sql.Result, error) { + q, args, err := bindNamedMapper(BindType(e.DriverName()), query, arg, mapperFor(e)) + if err != nil { + return nil, err + } + return e.ExecContext(ctx, q, args...) +} diff --git a/vendor/github.com/jmoiron/sqlx/reflectx/README.md b/vendor/github.com/jmoiron/sqlx/reflectx/README.md new file mode 100644 index 0000000000..f01d3d1f08 --- /dev/null +++ b/vendor/github.com/jmoiron/sqlx/reflectx/README.md @@ -0,0 +1,17 @@ +# reflectx + +The sqlx package has special reflect needs. In particular, it needs to: + +* be able to map a name to a field +* understand embedded structs +* understand mapping names to fields by a particular tag +* user specified name -> field mapping functions + +These behaviors mimic the behaviors by the standard library marshallers and also the +behavior of standard Go accessors. + +The first two are amply taken care of by `Reflect.Value.FieldByName`, and the third is +addressed by `Reflect.Value.FieldByNameFunc`, but these don't quite understand struct +tags in the ways that are vital to most marshallers, and they are slow. + +This reflectx package extends reflect to achieve these goals. diff --git a/vendor/github.com/jmoiron/sqlx/reflectx/reflect.go b/vendor/github.com/jmoiron/sqlx/reflectx/reflect.go new file mode 100644 index 0000000000..8ec6a13828 --- /dev/null +++ b/vendor/github.com/jmoiron/sqlx/reflectx/reflect.go @@ -0,0 +1,443 @@ +// Package reflectx implements extensions to the standard reflect lib suitable +// for implementing marshalling and unmarshalling packages. The main Mapper type +// allows for Go-compatible named attribute access, including accessing embedded +// struct attributes and the ability to use functions and struct tags to +// customize field names. +package reflectx + +import ( + "reflect" + "runtime" + "strings" + "sync" +) + +// A FieldInfo is metadata for a struct field. +type FieldInfo struct { + Index []int + Path string + Field reflect.StructField + Zero reflect.Value + Name string + Options map[string]string + Embedded bool + Children []*FieldInfo + Parent *FieldInfo +} + +// A StructMap is an index of field metadata for a struct. +type StructMap struct { + Tree *FieldInfo + Index []*FieldInfo + Paths map[string]*FieldInfo + Names map[string]*FieldInfo +} + +// GetByPath returns a *FieldInfo for a given string path. +func (f StructMap) GetByPath(path string) *FieldInfo { + return f.Paths[path] +} + +// GetByTraversal returns a *FieldInfo for a given integer path. It is +// analogous to reflect.FieldByIndex, but using the cached traversal +// rather than re-executing the reflect machinery each time. +func (f StructMap) GetByTraversal(index []int) *FieldInfo { + if len(index) == 0 { + return nil + } + + tree := f.Tree + for _, i := range index { + if i >= len(tree.Children) || tree.Children[i] == nil { + return nil + } + tree = tree.Children[i] + } + return tree +} + +// Mapper is a general purpose mapper of names to struct fields. A Mapper +// behaves like most marshallers in the standard library, obeying a field tag +// for name mapping but also providing a basic transform function. +type Mapper struct { + cache map[reflect.Type]*StructMap + tagName string + tagMapFunc func(string) string + mapFunc func(string) string + mutex sync.Mutex +} + +// NewMapper returns a new mapper using the tagName as its struct field tag. +// If tagName is the empty string, it is ignored. +func NewMapper(tagName string) *Mapper { + return &Mapper{ + cache: make(map[reflect.Type]*StructMap), + tagName: tagName, + } +} + +// NewMapperTagFunc returns a new mapper which contains a mapper for field names +// AND a mapper for tag values. This is useful for tags like json which can +// have values like "name,omitempty". +func NewMapperTagFunc(tagName string, mapFunc, tagMapFunc func(string) string) *Mapper { + return &Mapper{ + cache: make(map[reflect.Type]*StructMap), + tagName: tagName, + mapFunc: mapFunc, + tagMapFunc: tagMapFunc, + } +} + +// NewMapperFunc returns a new mapper which optionally obeys a field tag and +// a struct field name mapper func given by f. Tags will take precedence, but +// for any other field, the mapped name will be f(field.Name) +func NewMapperFunc(tagName string, f func(string) string) *Mapper { + return &Mapper{ + cache: make(map[reflect.Type]*StructMap), + tagName: tagName, + mapFunc: f, + } +} + +// TypeMap returns a mapping of field strings to int slices representing +// the traversal down the struct to reach the field. +func (m *Mapper) TypeMap(t reflect.Type) *StructMap { + m.mutex.Lock() + mapping, ok := m.cache[t] + if !ok { + mapping = getMapping(t, m.tagName, m.mapFunc, m.tagMapFunc) + m.cache[t] = mapping + } + m.mutex.Unlock() + return mapping +} + +// FieldMap returns the mapper's mapping of field names to reflect values. Panics +// if v's Kind is not Struct, or v is not Indirectable to a struct kind. +func (m *Mapper) FieldMap(v reflect.Value) map[string]reflect.Value { + v = reflect.Indirect(v) + mustBe(v, reflect.Struct) + + r := map[string]reflect.Value{} + tm := m.TypeMap(v.Type()) + for tagName, fi := range tm.Names { + r[tagName] = FieldByIndexes(v, fi.Index) + } + return r +} + +// FieldByName returns a field by its mapped name as a reflect.Value. +// Panics if v's Kind is not Struct or v is not Indirectable to a struct Kind. +// Returns zero Value if the name is not found. +func (m *Mapper) FieldByName(v reflect.Value, name string) reflect.Value { + v = reflect.Indirect(v) + mustBe(v, reflect.Struct) + + tm := m.TypeMap(v.Type()) + fi, ok := tm.Names[name] + if !ok { + return v + } + return FieldByIndexes(v, fi.Index) +} + +// FieldsByName returns a slice of values corresponding to the slice of names +// for the value. Panics if v's Kind is not Struct or v is not Indirectable +// to a struct Kind. Returns zero Value for each name not found. +func (m *Mapper) FieldsByName(v reflect.Value, names []string) []reflect.Value { + v = reflect.Indirect(v) + mustBe(v, reflect.Struct) + + tm := m.TypeMap(v.Type()) + vals := make([]reflect.Value, 0, len(names)) + for _, name := range names { + fi, ok := tm.Names[name] + if !ok { + vals = append(vals, *new(reflect.Value)) + } else { + vals = append(vals, FieldByIndexes(v, fi.Index)) + } + } + return vals +} + +// TraversalsByName returns a slice of int slices which represent the struct +// traversals for each mapped name. Panics if t is not a struct or Indirectable +// to a struct. Returns empty int slice for each name not found. +func (m *Mapper) TraversalsByName(t reflect.Type, names []string) [][]int { + r := make([][]int, 0, len(names)) + m.TraversalsByNameFunc(t, names, func(_ int, i []int) error { + if i == nil { + r = append(r, []int{}) + } else { + r = append(r, i) + } + + return nil + }) + return r +} + +// TraversalsByNameFunc traverses the mapped names and calls fn with the index of +// each name and the struct traversal represented by that name. Panics if t is not +// a struct or Indirectable to a struct. Returns the first error returned by fn or nil. +func (m *Mapper) TraversalsByNameFunc(t reflect.Type, names []string, fn func(int, []int) error) error { + t = Deref(t) + mustBe(t, reflect.Struct) + tm := m.TypeMap(t) + for i, name := range names { + fi, ok := tm.Names[name] + if !ok { + if err := fn(i, nil); err != nil { + return err + } + } else { + if err := fn(i, fi.Index); err != nil { + return err + } + } + } + return nil +} + +// FieldByIndexes returns a value for the field given by the struct traversal +// for the given value. +func FieldByIndexes(v reflect.Value, indexes []int) reflect.Value { + for _, i := range indexes { + v = reflect.Indirect(v).Field(i) + // if this is a pointer and it's nil, allocate a new value and set it + if v.Kind() == reflect.Ptr && v.IsNil() { + alloc := reflect.New(Deref(v.Type())) + v.Set(alloc) + } + if v.Kind() == reflect.Map && v.IsNil() { + v.Set(reflect.MakeMap(v.Type())) + } + } + return v +} + +// FieldByIndexesReadOnly returns a value for a particular struct traversal, +// but is not concerned with allocating nil pointers because the value is +// going to be used for reading and not setting. +func FieldByIndexesReadOnly(v reflect.Value, indexes []int) reflect.Value { + for _, i := range indexes { + v = reflect.Indirect(v).Field(i) + } + return v +} + +// Deref is Indirect for reflect.Types +func Deref(t reflect.Type) reflect.Type { + if t.Kind() == reflect.Ptr { + t = t.Elem() + } + return t +} + +// -- helpers & utilities -- + +type kinder interface { + Kind() reflect.Kind +} + +// mustBe checks a value against a kind, panicing with a reflect.ValueError +// if the kind isn't that which is required. +func mustBe(v kinder, expected reflect.Kind) { + if k := v.Kind(); k != expected { + panic(&reflect.ValueError{Method: methodName(), Kind: k}) + } +} + +// methodName returns the caller of the function calling methodName +func methodName() string { + pc, _, _, _ := runtime.Caller(2) + f := runtime.FuncForPC(pc) + if f == nil { + return "unknown method" + } + return f.Name() +} + +type typeQueue struct { + t reflect.Type + fi *FieldInfo + pp string // Parent path +} + +// A copying append that creates a new slice each time. +func apnd(is []int, i int) []int { + x := make([]int, len(is)+1) + copy(x, is) + x[len(x)-1] = i + return x +} + +type mapf func(string) string + +// parseName parses the tag and the target name for the given field using +// the tagName (eg 'json' for `json:"foo"` tags), mapFunc for mapping the +// field's name to a target name, and tagMapFunc for mapping the tag to +// a target name. +func parseName(field reflect.StructField, tagName string, mapFunc, tagMapFunc mapf) (tag, fieldName string) { + // first, set the fieldName to the field's name + fieldName = field.Name + // if a mapFunc is set, use that to override the fieldName + if mapFunc != nil { + fieldName = mapFunc(fieldName) + } + + // if there's no tag to look for, return the field name + if tagName == "" { + return "", fieldName + } + + // if this tag is not set using the normal convention in the tag, + // then return the fieldname.. this check is done because according + // to the reflect documentation: + // If the tag does not have the conventional format, + // the value returned by Get is unspecified. + // which doesn't sound great. + if !strings.Contains(string(field.Tag), tagName+":") { + return "", fieldName + } + + // at this point we're fairly sure that we have a tag, so lets pull it out + tag = field.Tag.Get(tagName) + + // if we have a mapper function, call it on the whole tag + // XXX: this is a change from the old version, which pulled out the name + // before the tagMapFunc could be run, but I think this is the right way + if tagMapFunc != nil { + tag = tagMapFunc(tag) + } + + // finally, split the options from the name + parts := strings.Split(tag, ",") + fieldName = parts[0] + + return tag, fieldName +} + +// parseOptions parses options out of a tag string, skipping the name +func parseOptions(tag string) map[string]string { + parts := strings.Split(tag, ",") + options := make(map[string]string, len(parts)) + if len(parts) > 1 { + for _, opt := range parts[1:] { + // short circuit potentially expensive split op + if strings.Contains(opt, "=") { + kv := strings.Split(opt, "=") + options[kv[0]] = kv[1] + continue + } + options[opt] = "" + } + } + return options +} + +// getMapping returns a mapping for the t type, using the tagName, mapFunc and +// tagMapFunc to determine the canonical names of fields. +func getMapping(t reflect.Type, tagName string, mapFunc, tagMapFunc mapf) *StructMap { + m := []*FieldInfo{} + + root := &FieldInfo{} + queue := []typeQueue{} + queue = append(queue, typeQueue{Deref(t), root, ""}) + +QueueLoop: + for len(queue) != 0 { + // pop the first item off of the queue + tq := queue[0] + queue = queue[1:] + + // ignore recursive field + for p := tq.fi.Parent; p != nil; p = p.Parent { + if tq.fi.Field.Type == p.Field.Type { + continue QueueLoop + } + } + + nChildren := 0 + if tq.t.Kind() == reflect.Struct { + nChildren = tq.t.NumField() + } + tq.fi.Children = make([]*FieldInfo, nChildren) + + // iterate through all of its fields + for fieldPos := 0; fieldPos < nChildren; fieldPos++ { + + f := tq.t.Field(fieldPos) + + // parse the tag and the target name using the mapping options for this field + tag, name := parseName(f, tagName, mapFunc, tagMapFunc) + + // if the name is "-", disabled via a tag, skip it + if name == "-" { + continue + } + + fi := FieldInfo{ + Field: f, + Name: name, + Zero: reflect.New(f.Type).Elem(), + Options: parseOptions(tag), + } + + // if the path is empty this path is just the name + if tq.pp == "" { + fi.Path = fi.Name + } else { + fi.Path = tq.pp + "." + fi.Name + } + + // skip unexported fields + if len(f.PkgPath) != 0 && !f.Anonymous { + continue + } + + // bfs search of anonymous embedded structs + if f.Anonymous { + pp := tq.pp + if tag != "" { + pp = fi.Path + } + + fi.Embedded = true + fi.Index = apnd(tq.fi.Index, fieldPos) + nChildren := 0 + ft := Deref(f.Type) + if ft.Kind() == reflect.Struct { + nChildren = ft.NumField() + } + fi.Children = make([]*FieldInfo, nChildren) + queue = append(queue, typeQueue{Deref(f.Type), &fi, pp}) + } else if fi.Zero.Kind() == reflect.Struct || (fi.Zero.Kind() == reflect.Ptr && fi.Zero.Type().Elem().Kind() == reflect.Struct) { + fi.Index = apnd(tq.fi.Index, fieldPos) + fi.Children = make([]*FieldInfo, Deref(f.Type).NumField()) + queue = append(queue, typeQueue{Deref(f.Type), &fi, fi.Path}) + } + + fi.Index = apnd(tq.fi.Index, fieldPos) + fi.Parent = tq.fi + tq.fi.Children[fieldPos] = &fi + m = append(m, &fi) + } + } + + flds := &StructMap{Index: m, Tree: root, Paths: map[string]*FieldInfo{}, Names: map[string]*FieldInfo{}} + for _, fi := range flds.Index { + // check if nothing has already been pushed with the same path + // sometimes you can choose to override a type using embedded struct + fld, ok := flds.Paths[fi.Path] + if !ok || fld.Embedded { + flds.Paths[fi.Path] = fi + if fi.Name != "" && !fi.Embedded { + flds.Names[fi.Path] = fi + } + } + } + + return flds +} diff --git a/vendor/github.com/jmoiron/sqlx/sqlx.go b/vendor/github.com/jmoiron/sqlx/sqlx.go new file mode 100644 index 0000000000..8259a4feb6 --- /dev/null +++ b/vendor/github.com/jmoiron/sqlx/sqlx.go @@ -0,0 +1,1054 @@ +package sqlx + +import ( + "database/sql" + "database/sql/driver" + "errors" + "fmt" + "io/ioutil" + "path/filepath" + "reflect" + "strings" + "sync" + + "github.com/jmoiron/sqlx/reflectx" +) + +// Although the NameMapper is convenient, in practice it should not +// be relied on except for application code. If you are writing a library +// that uses sqlx, you should be aware that the name mappings you expect +// can be overridden by your user's application. + +// NameMapper is used to map column names to struct field names. By default, +// it uses strings.ToLower to lowercase struct field names. It can be set +// to whatever you want, but it is encouraged to be set before sqlx is used +// as name-to-field mappings are cached after first use on a type. +var NameMapper = strings.ToLower +var origMapper = reflect.ValueOf(NameMapper) + +// Rather than creating on init, this is created when necessary so that +// importers have time to customize the NameMapper. +var mpr *reflectx.Mapper + +// mprMu protects mpr. +var mprMu sync.Mutex + +// mapper returns a valid mapper using the configured NameMapper func. +func mapper() *reflectx.Mapper { + mprMu.Lock() + defer mprMu.Unlock() + + if mpr == nil { + mpr = reflectx.NewMapperFunc("db", NameMapper) + } else if origMapper != reflect.ValueOf(NameMapper) { + // if NameMapper has changed, create a new mapper + mpr = reflectx.NewMapperFunc("db", NameMapper) + origMapper = reflect.ValueOf(NameMapper) + } + return mpr +} + +// isScannable takes the reflect.Type and the actual dest value and returns +// whether or not it's Scannable. Something is scannable if: +// - it is not a struct +// - it implements sql.Scanner +// - it has no exported fields +func isScannable(t reflect.Type) bool { + if reflect.PtrTo(t).Implements(_scannerInterface) { + return true + } + if t.Kind() != reflect.Struct { + return true + } + + // it's not important that we use the right mapper for this particular object, + // we're only concerned on how many exported fields this struct has + return len(mapper().TypeMap(t).Index) == 0 +} + +// ColScanner is an interface used by MapScan and SliceScan +type ColScanner interface { + Columns() ([]string, error) + Scan(dest ...interface{}) error + Err() error +} + +// Queryer is an interface used by Get and Select +type Queryer interface { + Query(query string, args ...interface{}) (*sql.Rows, error) + Queryx(query string, args ...interface{}) (*Rows, error) + QueryRowx(query string, args ...interface{}) *Row +} + +// Execer is an interface used by MustExec and LoadFile +type Execer interface { + Exec(query string, args ...interface{}) (sql.Result, error) +} + +// Binder is an interface for something which can bind queries (Tx, DB) +type binder interface { + DriverName() string + Rebind(string) string + BindNamed(string, interface{}) (string, []interface{}, error) +} + +// Ext is a union interface which can bind, query, and exec, used by +// NamedQuery and NamedExec. +type Ext interface { + binder + Queryer + Execer +} + +// Preparer is an interface used by Preparex. +type Preparer interface { + Prepare(query string) (*sql.Stmt, error) +} + +// determine if any of our extensions are unsafe +func isUnsafe(i interface{}) bool { + switch v := i.(type) { + case Row: + return v.unsafe + case *Row: + return v.unsafe + case Rows: + return v.unsafe + case *Rows: + return v.unsafe + case NamedStmt: + return v.Stmt.unsafe + case *NamedStmt: + return v.Stmt.unsafe + case Stmt: + return v.unsafe + case *Stmt: + return v.unsafe + case qStmt: + return v.unsafe + case *qStmt: + return v.unsafe + case DB: + return v.unsafe + case *DB: + return v.unsafe + case Tx: + return v.unsafe + case *Tx: + return v.unsafe + case sql.Rows, *sql.Rows: + return false + default: + return false + } +} + +func mapperFor(i interface{}) *reflectx.Mapper { + switch i := i.(type) { + case DB: + return i.Mapper + case *DB: + return i.Mapper + case Tx: + return i.Mapper + case *Tx: + return i.Mapper + default: + return mapper() + } +} + +var _scannerInterface = reflect.TypeOf((*sql.Scanner)(nil)).Elem() + +//lint:ignore U1000 ignoring this for now +var _valuerInterface = reflect.TypeOf((*driver.Valuer)(nil)).Elem() + +// Row is a reimplementation of sql.Row in order to gain access to the underlying +// sql.Rows.Columns() data, necessary for StructScan. +type Row struct { + err error + unsafe bool + rows *sql.Rows + Mapper *reflectx.Mapper +} + +// Scan is a fixed implementation of sql.Row.Scan, which does not discard the +// underlying error from the internal rows object if it exists. +func (r *Row) Scan(dest ...interface{}) error { + if r.err != nil { + return r.err + } + + // TODO(bradfitz): for now we need to defensively clone all + // []byte that the driver returned (not permitting + // *RawBytes in Rows.Scan), since we're about to close + // the Rows in our defer, when we return from this function. + // the contract with the driver.Next(...) interface is that it + // can return slices into read-only temporary memory that's + // only valid until the next Scan/Close. But the TODO is that + // for a lot of drivers, this copy will be unnecessary. We + // should provide an optional interface for drivers to + // implement to say, "don't worry, the []bytes that I return + // from Next will not be modified again." (for instance, if + // they were obtained from the network anyway) But for now we + // don't care. + defer r.rows.Close() + for _, dp := range dest { + if _, ok := dp.(*sql.RawBytes); ok { + return errors.New("sql: RawBytes isn't allowed on Row.Scan") + } + } + + if !r.rows.Next() { + if err := r.rows.Err(); err != nil { + return err + } + return sql.ErrNoRows + } + err := r.rows.Scan(dest...) + if err != nil { + return err + } + // Make sure the query can be processed to completion with no errors. + if err := r.rows.Close(); err != nil { + return err + } + return nil +} + +// Columns returns the underlying sql.Rows.Columns(), or the deferred error usually +// returned by Row.Scan() +func (r *Row) Columns() ([]string, error) { + if r.err != nil { + return []string{}, r.err + } + return r.rows.Columns() +} + +// ColumnTypes returns the underlying sql.Rows.ColumnTypes(), or the deferred error +func (r *Row) ColumnTypes() ([]*sql.ColumnType, error) { + if r.err != nil { + return []*sql.ColumnType{}, r.err + } + return r.rows.ColumnTypes() +} + +// Err returns the error encountered while scanning. +func (r *Row) Err() error { + return r.err +} + +// DB is a wrapper around sql.DB which keeps track of the driverName upon Open, +// used mostly to automatically bind named queries using the right bindvars. +type DB struct { + *sql.DB + driverName string + unsafe bool + Mapper *reflectx.Mapper +} + +// NewDb returns a new sqlx DB wrapper for a pre-existing *sql.DB. The +// driverName of the original database is required for named query support. +// +//lint:ignore ST1003 changing this would break the package interface. +func NewDb(db *sql.DB, driverName string) *DB { + return &DB{DB: db, driverName: driverName, Mapper: mapper()} +} + +// DriverName returns the driverName passed to the Open function for this DB. +func (db *DB) DriverName() string { + return db.driverName +} + +// Open is the same as sql.Open, but returns an *sqlx.DB instead. +func Open(driverName, dataSourceName string) (*DB, error) { + db, err := sql.Open(driverName, dataSourceName) + if err != nil { + return nil, err + } + return &DB{DB: db, driverName: driverName, Mapper: mapper()}, err +} + +// MustOpen is the same as sql.Open, but returns an *sqlx.DB instead and panics on error. +func MustOpen(driverName, dataSourceName string) *DB { + db, err := Open(driverName, dataSourceName) + if err != nil { + panic(err) + } + return db +} + +// MapperFunc sets a new mapper for this db using the default sqlx struct tag +// and the provided mapper function. +func (db *DB) MapperFunc(mf func(string) string) { + db.Mapper = reflectx.NewMapperFunc("db", mf) +} + +// Rebind transforms a query from QUESTION to the DB driver's bindvar type. +func (db *DB) Rebind(query string) string { + return Rebind(BindType(db.driverName), query) +} + +// Unsafe returns a version of DB which will silently succeed to scan when +// columns in the SQL result have no fields in the destination struct. +// sqlx.Stmt and sqlx.Tx which are created from this DB will inherit its +// safety behavior. +func (db *DB) Unsafe() *DB { + return &DB{DB: db.DB, driverName: db.driverName, unsafe: true, Mapper: db.Mapper} +} + +// BindNamed binds a query using the DB driver's bindvar type. +func (db *DB) BindNamed(query string, arg interface{}) (string, []interface{}, error) { + return bindNamedMapper(BindType(db.driverName), query, arg, db.Mapper) +} + +// NamedQuery using this DB. +// Any named placeholder parameters are replaced with fields from arg. +func (db *DB) NamedQuery(query string, arg interface{}) (*Rows, error) { + return NamedQuery(db, query, arg) +} + +// NamedExec using this DB. +// Any named placeholder parameters are replaced with fields from arg. +func (db *DB) NamedExec(query string, arg interface{}) (sql.Result, error) { + return NamedExec(db, query, arg) +} + +// Select using this DB. +// Any placeholder parameters are replaced with supplied args. +func (db *DB) Select(dest interface{}, query string, args ...interface{}) error { + return Select(db, dest, query, args...) +} + +// Get using this DB. +// Any placeholder parameters are replaced with supplied args. +// An error is returned if the result set is empty. +func (db *DB) Get(dest interface{}, query string, args ...interface{}) error { + return Get(db, dest, query, args...) +} + +// MustBegin starts a transaction, and panics on error. Returns an *sqlx.Tx instead +// of an *sql.Tx. +func (db *DB) MustBegin() *Tx { + tx, err := db.Beginx() + if err != nil { + panic(err) + } + return tx +} + +// Beginx begins a transaction and returns an *sqlx.Tx instead of an *sql.Tx. +func (db *DB) Beginx() (*Tx, error) { + tx, err := db.DB.Begin() + if err != nil { + return nil, err + } + return &Tx{Tx: tx, driverName: db.driverName, unsafe: db.unsafe, Mapper: db.Mapper}, err +} + +// Queryx queries the database and returns an *sqlx.Rows. +// Any placeholder parameters are replaced with supplied args. +func (db *DB) Queryx(query string, args ...interface{}) (*Rows, error) { + r, err := db.DB.Query(query, args...) + if err != nil { + return nil, err + } + return &Rows{Rows: r, unsafe: db.unsafe, Mapper: db.Mapper}, err +} + +// QueryRowx queries the database and returns an *sqlx.Row. +// Any placeholder parameters are replaced with supplied args. +func (db *DB) QueryRowx(query string, args ...interface{}) *Row { + rows, err := db.DB.Query(query, args...) + return &Row{rows: rows, err: err, unsafe: db.unsafe, Mapper: db.Mapper} +} + +// MustExec (panic) runs MustExec using this database. +// Any placeholder parameters are replaced with supplied args. +func (db *DB) MustExec(query string, args ...interface{}) sql.Result { + return MustExec(db, query, args...) +} + +// Preparex returns an sqlx.Stmt instead of a sql.Stmt +func (db *DB) Preparex(query string) (*Stmt, error) { + return Preparex(db, query) +} + +// PrepareNamed returns an sqlx.NamedStmt +func (db *DB) PrepareNamed(query string) (*NamedStmt, error) { + return prepareNamed(db, query) +} + +// Conn is a wrapper around sql.Conn with extra functionality +type Conn struct { + *sql.Conn + driverName string + unsafe bool + Mapper *reflectx.Mapper +} + +// Tx is an sqlx wrapper around sql.Tx with extra functionality +type Tx struct { + *sql.Tx + driverName string + unsafe bool + Mapper *reflectx.Mapper +} + +// DriverName returns the driverName used by the DB which began this transaction. +func (tx *Tx) DriverName() string { + return tx.driverName +} + +// Rebind a query within a transaction's bindvar type. +func (tx *Tx) Rebind(query string) string { + return Rebind(BindType(tx.driverName), query) +} + +// Unsafe returns a version of Tx which will silently succeed to scan when +// columns in the SQL result have no fields in the destination struct. +func (tx *Tx) Unsafe() *Tx { + return &Tx{Tx: tx.Tx, driverName: tx.driverName, unsafe: true, Mapper: tx.Mapper} +} + +// BindNamed binds a query within a transaction's bindvar type. +func (tx *Tx) BindNamed(query string, arg interface{}) (string, []interface{}, error) { + return bindNamedMapper(BindType(tx.driverName), query, arg, tx.Mapper) +} + +// NamedQuery within a transaction. +// Any named placeholder parameters are replaced with fields from arg. +func (tx *Tx) NamedQuery(query string, arg interface{}) (*Rows, error) { + return NamedQuery(tx, query, arg) +} + +// NamedExec a named query within a transaction. +// Any named placeholder parameters are replaced with fields from arg. +func (tx *Tx) NamedExec(query string, arg interface{}) (sql.Result, error) { + return NamedExec(tx, query, arg) +} + +// Select within a transaction. +// Any placeholder parameters are replaced with supplied args. +func (tx *Tx) Select(dest interface{}, query string, args ...interface{}) error { + return Select(tx, dest, query, args...) +} + +// Queryx within a transaction. +// Any placeholder parameters are replaced with supplied args. +func (tx *Tx) Queryx(query string, args ...interface{}) (*Rows, error) { + r, err := tx.Tx.Query(query, args...) + if err != nil { + return nil, err + } + return &Rows{Rows: r, unsafe: tx.unsafe, Mapper: tx.Mapper}, err +} + +// QueryRowx within a transaction. +// Any placeholder parameters are replaced with supplied args. +func (tx *Tx) QueryRowx(query string, args ...interface{}) *Row { + rows, err := tx.Tx.Query(query, args...) + return &Row{rows: rows, err: err, unsafe: tx.unsafe, Mapper: tx.Mapper} +} + +// Get within a transaction. +// Any placeholder parameters are replaced with supplied args. +// An error is returned if the result set is empty. +func (tx *Tx) Get(dest interface{}, query string, args ...interface{}) error { + return Get(tx, dest, query, args...) +} + +// MustExec runs MustExec within a transaction. +// Any placeholder parameters are replaced with supplied args. +func (tx *Tx) MustExec(query string, args ...interface{}) sql.Result { + return MustExec(tx, query, args...) +} + +// Preparex a statement within a transaction. +func (tx *Tx) Preparex(query string) (*Stmt, error) { + return Preparex(tx, query) +} + +// Stmtx returns a version of the prepared statement which runs within a transaction. Provided +// stmt can be either *sql.Stmt or *sqlx.Stmt. +func (tx *Tx) Stmtx(stmt interface{}) *Stmt { + var s *sql.Stmt + switch v := stmt.(type) { + case Stmt: + s = v.Stmt + case *Stmt: + s = v.Stmt + case *sql.Stmt: + s = v + default: + panic(fmt.Sprintf("non-statement type %v passed to Stmtx", reflect.ValueOf(stmt).Type())) + } + return &Stmt{Stmt: tx.Stmt(s), Mapper: tx.Mapper} +} + +// NamedStmt returns a version of the prepared statement which runs within a transaction. +func (tx *Tx) NamedStmt(stmt *NamedStmt) *NamedStmt { + return &NamedStmt{ + QueryString: stmt.QueryString, + Params: stmt.Params, + Stmt: tx.Stmtx(stmt.Stmt), + } +} + +// PrepareNamed returns an sqlx.NamedStmt +func (tx *Tx) PrepareNamed(query string) (*NamedStmt, error) { + return prepareNamed(tx, query) +} + +// Stmt is an sqlx wrapper around sql.Stmt with extra functionality +type Stmt struct { + *sql.Stmt + unsafe bool + Mapper *reflectx.Mapper +} + +// Unsafe returns a version of Stmt which will silently succeed to scan when +// columns in the SQL result have no fields in the destination struct. +func (s *Stmt) Unsafe() *Stmt { + return &Stmt{Stmt: s.Stmt, unsafe: true, Mapper: s.Mapper} +} + +// Select using the prepared statement. +// Any placeholder parameters are replaced with supplied args. +func (s *Stmt) Select(dest interface{}, args ...interface{}) error { + return Select(&qStmt{s}, dest, "", args...) +} + +// Get using the prepared statement. +// Any placeholder parameters are replaced with supplied args. +// An error is returned if the result set is empty. +func (s *Stmt) Get(dest interface{}, args ...interface{}) error { + return Get(&qStmt{s}, dest, "", args...) +} + +// MustExec (panic) using this statement. Note that the query portion of the error +// output will be blank, as Stmt does not expose its query. +// Any placeholder parameters are replaced with supplied args. +func (s *Stmt) MustExec(args ...interface{}) sql.Result { + return MustExec(&qStmt{s}, "", args...) +} + +// QueryRowx using this statement. +// Any placeholder parameters are replaced with supplied args. +func (s *Stmt) QueryRowx(args ...interface{}) *Row { + qs := &qStmt{s} + return qs.QueryRowx("", args...) +} + +// Queryx using this statement. +// Any placeholder parameters are replaced with supplied args. +func (s *Stmt) Queryx(args ...interface{}) (*Rows, error) { + qs := &qStmt{s} + return qs.Queryx("", args...) +} + +// qStmt is an unexposed wrapper which lets you use a Stmt as a Queryer & Execer by +// implementing those interfaces and ignoring the `query` argument. +type qStmt struct{ *Stmt } + +func (q *qStmt) Query(query string, args ...interface{}) (*sql.Rows, error) { + return q.Stmt.Query(args...) +} + +func (q *qStmt) Queryx(query string, args ...interface{}) (*Rows, error) { + r, err := q.Stmt.Query(args...) + if err != nil { + return nil, err + } + return &Rows{Rows: r, unsafe: q.Stmt.unsafe, Mapper: q.Stmt.Mapper}, err +} + +func (q *qStmt) QueryRowx(query string, args ...interface{}) *Row { + rows, err := q.Stmt.Query(args...) + return &Row{rows: rows, err: err, unsafe: q.Stmt.unsafe, Mapper: q.Stmt.Mapper} +} + +func (q *qStmt) Exec(query string, args ...interface{}) (sql.Result, error) { + return q.Stmt.Exec(args...) +} + +// Rows is a wrapper around sql.Rows which caches costly reflect operations +// during a looped StructScan +type Rows struct { + *sql.Rows + unsafe bool + Mapper *reflectx.Mapper + // these fields cache memory use for a rows during iteration w/ structScan + started bool + fields [][]int + values []interface{} +} + +// SliceScan using this Rows. +func (r *Rows) SliceScan() ([]interface{}, error) { + return SliceScan(r) +} + +// MapScan using this Rows. +func (r *Rows) MapScan(dest map[string]interface{}) error { + return MapScan(r, dest) +} + +// StructScan is like sql.Rows.Scan, but scans a single Row into a single Struct. +// Use this and iterate over Rows manually when the memory load of Select() might be +// prohibitive. *Rows.StructScan caches the reflect work of matching up column +// positions to fields to avoid that overhead per scan, which means it is not safe +// to run StructScan on the same Rows instance with different struct types. +func (r *Rows) StructScan(dest interface{}) error { + v := reflect.ValueOf(dest) + + if v.Kind() != reflect.Ptr { + return errors.New("must pass a pointer, not a value, to StructScan destination") + } + + v = v.Elem() + + if !r.started { + columns, err := r.Columns() + if err != nil { + return err + } + m := r.Mapper + + r.fields = m.TraversalsByName(v.Type(), columns) + // if we are not unsafe and are missing fields, return an error + if f, err := missingFields(r.fields); err != nil && !r.unsafe { + return fmt.Errorf("missing destination name %s in %T", columns[f], dest) + } + r.values = make([]interface{}, len(columns)) + r.started = true + } + + err := fieldsByTraversal(v, r.fields, r.values, true) + if err != nil { + return err + } + // scan into the struct field pointers and append to our results + err = r.Scan(r.values...) + if err != nil { + return err + } + return r.Err() +} + +// Connect to a database and verify with a ping. +func Connect(driverName, dataSourceName string) (*DB, error) { + db, err := Open(driverName, dataSourceName) + if err != nil { + return nil, err + } + err = db.Ping() + if err != nil { + db.Close() + return nil, err + } + return db, nil +} + +// MustConnect connects to a database and panics on error. +func MustConnect(driverName, dataSourceName string) *DB { + db, err := Connect(driverName, dataSourceName) + if err != nil { + panic(err) + } + return db +} + +// Preparex prepares a statement. +func Preparex(p Preparer, query string) (*Stmt, error) { + s, err := p.Prepare(query) + if err != nil { + return nil, err + } + return &Stmt{Stmt: s, unsafe: isUnsafe(p), Mapper: mapperFor(p)}, err +} + +// Select executes a query using the provided Queryer, and StructScans each row +// into dest, which must be a slice. If the slice elements are scannable, then +// the result set must have only one column. Otherwise, StructScan is used. +// The *sql.Rows are closed automatically. +// Any placeholder parameters are replaced with supplied args. +func Select(q Queryer, dest interface{}, query string, args ...interface{}) error { + rows, err := q.Queryx(query, args...) + if err != nil { + return err + } + // if something happens here, we want to make sure the rows are Closed + defer rows.Close() + return scanAll(rows, dest, false) +} + +// Get does a QueryRow using the provided Queryer, and scans the resulting row +// to dest. If dest is scannable, the result must only have one column. Otherwise, +// StructScan is used. Get will return sql.ErrNoRows like row.Scan would. +// Any placeholder parameters are replaced with supplied args. +// An error is returned if the result set is empty. +func Get(q Queryer, dest interface{}, query string, args ...interface{}) error { + r := q.QueryRowx(query, args...) + return r.scanAny(dest, false) +} + +// LoadFile exec's every statement in a file (as a single call to Exec). +// LoadFile may return a nil *sql.Result if errors are encountered locating or +// reading the file at path. LoadFile reads the entire file into memory, so it +// is not suitable for loading large data dumps, but can be useful for initializing +// schemas or loading indexes. +// +// FIXME: this does not really work with multi-statement files for mattn/go-sqlite3 +// or the go-mysql-driver/mysql drivers; pq seems to be an exception here. Detecting +// this by requiring something with DriverName() and then attempting to split the +// queries will be difficult to get right, and its current driver-specific behavior +// is deemed at least not complex in its incorrectness. +func LoadFile(e Execer, path string) (*sql.Result, error) { + realpath, err := filepath.Abs(path) + if err != nil { + return nil, err + } + contents, err := ioutil.ReadFile(realpath) + if err != nil { + return nil, err + } + res, err := e.Exec(string(contents)) + return &res, err +} + +// MustExec execs the query using e and panics if there was an error. +// Any placeholder parameters are replaced with supplied args. +func MustExec(e Execer, query string, args ...interface{}) sql.Result { + res, err := e.Exec(query, args...) + if err != nil { + panic(err) + } + return res +} + +// SliceScan using this Rows. +func (r *Row) SliceScan() ([]interface{}, error) { + return SliceScan(r) +} + +// MapScan using this Rows. +func (r *Row) MapScan(dest map[string]interface{}) error { + return MapScan(r, dest) +} + +func (r *Row) scanAny(dest interface{}, structOnly bool) error { + if r.err != nil { + return r.err + } + if r.rows == nil { + r.err = sql.ErrNoRows + return r.err + } + defer r.rows.Close() + + v := reflect.ValueOf(dest) + if v.Kind() != reflect.Ptr { + return errors.New("must pass a pointer, not a value, to StructScan destination") + } + if v.IsNil() { + return errors.New("nil pointer passed to StructScan destination") + } + + base := reflectx.Deref(v.Type()) + scannable := isScannable(base) + + if structOnly && scannable { + return structOnlyError(base) + } + + columns, err := r.Columns() + if err != nil { + return err + } + + if scannable && len(columns) > 1 { + return fmt.Errorf("scannable dest type %s with >1 columns (%d) in result", base.Kind(), len(columns)) + } + + if scannable { + return r.Scan(dest) + } + + m := r.Mapper + + fields := m.TraversalsByName(v.Type(), columns) + // if we are not unsafe and are missing fields, return an error + if f, err := missingFields(fields); err != nil && !r.unsafe { + return fmt.Errorf("missing destination name %s in %T", columns[f], dest) + } + values := make([]interface{}, len(columns)) + + err = fieldsByTraversal(v, fields, values, true) + if err != nil { + return err + } + // scan into the struct field pointers and append to our results + return r.Scan(values...) +} + +// StructScan a single Row into dest. +func (r *Row) StructScan(dest interface{}) error { + return r.scanAny(dest, true) +} + +// SliceScan a row, returning a []interface{} with values similar to MapScan. +// This function is primarily intended for use where the number of columns +// is not known. Because you can pass an []interface{} directly to Scan, +// it's recommended that you do that as it will not have to allocate new +// slices per row. +func SliceScan(r ColScanner) ([]interface{}, error) { + // ignore r.started, since we needn't use reflect for anything. + columns, err := r.Columns() + if err != nil { + return []interface{}{}, err + } + + values := make([]interface{}, len(columns)) + for i := range values { + values[i] = new(interface{}) + } + + err = r.Scan(values...) + + if err != nil { + return values, err + } + + for i := range columns { + values[i] = *(values[i].(*interface{})) + } + + return values, r.Err() +} + +// MapScan scans a single Row into the dest map[string]interface{}. +// Use this to get results for SQL that might not be under your control +// (for instance, if you're building an interface for an SQL server that +// executes SQL from input). Please do not use this as a primary interface! +// This will modify the map sent to it in place, so reuse the same map with +// care. Columns which occur more than once in the result will overwrite +// each other! +func MapScan(r ColScanner, dest map[string]interface{}) error { + // ignore r.started, since we needn't use reflect for anything. + columns, err := r.Columns() + if err != nil { + return err + } + + values := make([]interface{}, len(columns)) + for i := range values { + values[i] = new(interface{}) + } + + err = r.Scan(values...) + if err != nil { + return err + } + + for i, column := range columns { + dest[column] = *(values[i].(*interface{})) + } + + return r.Err() +} + +type rowsi interface { + Close() error + Columns() ([]string, error) + Err() error + Next() bool + Scan(...interface{}) error +} + +// structOnlyError returns an error appropriate for type when a non-scannable +// struct is expected but something else is given +func structOnlyError(t reflect.Type) error { + isStruct := t.Kind() == reflect.Struct + isScanner := reflect.PtrTo(t).Implements(_scannerInterface) + if !isStruct { + return fmt.Errorf("expected %s but got %s", reflect.Struct, t.Kind()) + } + if isScanner { + return fmt.Errorf("structscan expects a struct dest but the provided struct type %s implements scanner", t.Name()) + } + return fmt.Errorf("expected a struct, but struct %s has no exported fields", t.Name()) +} + +// scanAll scans all rows into a destination, which must be a slice of any +// type. It resets the slice length to zero before appending each element to +// the slice. If the destination slice type is a Struct, then StructScan will +// be used on each row. If the destination is some other kind of base type, +// then each row must only have one column which can scan into that type. This +// allows you to do something like: +// +// rows, _ := db.Query("select id from people;") +// var ids []int +// scanAll(rows, &ids, false) +// +// and ids will be a list of the id results. I realize that this is a desirable +// interface to expose to users, but for now it will only be exposed via changes +// to `Get` and `Select`. The reason that this has been implemented like this is +// this is the only way to not duplicate reflect work in the new API while +// maintaining backwards compatibility. +func scanAll(rows rowsi, dest interface{}, structOnly bool) error { + var v, vp reflect.Value + + value := reflect.ValueOf(dest) + + // json.Unmarshal returns errors for these + if value.Kind() != reflect.Ptr { + return errors.New("must pass a pointer, not a value, to StructScan destination") + } + if value.IsNil() { + return errors.New("nil pointer passed to StructScan destination") + } + direct := reflect.Indirect(value) + + slice, err := baseType(value.Type(), reflect.Slice) + if err != nil { + return err + } + direct.SetLen(0) + + isPtr := slice.Elem().Kind() == reflect.Ptr + base := reflectx.Deref(slice.Elem()) + scannable := isScannable(base) + + if structOnly && scannable { + return structOnlyError(base) + } + + columns, err := rows.Columns() + if err != nil { + return err + } + + // if it's a base type make sure it only has 1 column; if not return an error + if scannable && len(columns) > 1 { + return fmt.Errorf("non-struct dest type %s with >1 columns (%d)", base.Kind(), len(columns)) + } + + if !scannable { + var values []interface{} + var m *reflectx.Mapper + + switch rows := rows.(type) { + case *Rows: + m = rows.Mapper + default: + m = mapper() + } + + fields := m.TraversalsByName(base, columns) + // if we are not unsafe and are missing fields, return an error + if f, err := missingFields(fields); err != nil && !isUnsafe(rows) { + return fmt.Errorf("missing destination name %s in %T", columns[f], dest) + } + values = make([]interface{}, len(columns)) + + for rows.Next() { + // create a new struct type (which returns PtrTo) and indirect it + vp = reflect.New(base) + v = reflect.Indirect(vp) + + err = fieldsByTraversal(v, fields, values, true) + if err != nil { + return err + } + + // scan into the struct field pointers and append to our results + err = rows.Scan(values...) + if err != nil { + return err + } + + if isPtr { + direct.Set(reflect.Append(direct, vp)) + } else { + direct.Set(reflect.Append(direct, v)) + } + } + } else { + for rows.Next() { + vp = reflect.New(base) + err = rows.Scan(vp.Interface()) + if err != nil { + return err + } + // append + if isPtr { + direct.Set(reflect.Append(direct, vp)) + } else { + direct.Set(reflect.Append(direct, reflect.Indirect(vp))) + } + } + } + + return rows.Err() +} + +// FIXME: StructScan was the very first bit of API in sqlx, and now unfortunately +// it doesn't really feel like it's named properly. There is an incongruency +// between this and the way that StructScan (which might better be ScanStruct +// anyway) works on a rows object. + +// StructScan all rows from an sql.Rows or an sqlx.Rows into the dest slice. +// StructScan will scan in the entire rows result, so if you do not want to +// allocate structs for the entire result, use Queryx and see sqlx.Rows.StructScan. +// If rows is sqlx.Rows, it will use its mapper, otherwise it will use the default. +func StructScan(rows rowsi, dest interface{}) error { + return scanAll(rows, dest, true) + +} + +// reflect helpers + +func baseType(t reflect.Type, expected reflect.Kind) (reflect.Type, error) { + t = reflectx.Deref(t) + if t.Kind() != expected { + return nil, fmt.Errorf("expected %s but got %s", expected, t.Kind()) + } + return t, nil +} + +// fieldsByName fills a values interface with fields from the passed value based +// on the traversals in int. If ptrs is true, return addresses instead of values. +// We write this instead of using FieldsByName to save allocations and map lookups +// when iterating over many rows. Empty traversals will get an interface pointer. +// Because of the necessity of requesting ptrs or values, it's considered a bit too +// specialized for inclusion in reflectx itself. +func fieldsByTraversal(v reflect.Value, traversals [][]int, values []interface{}, ptrs bool) error { + v = reflect.Indirect(v) + if v.Kind() != reflect.Struct { + return errors.New("argument not a struct") + } + + for i, traversal := range traversals { + if len(traversal) == 0 { + values[i] = new(interface{}) + continue + } + f := reflectx.FieldByIndexes(v, traversal) + if ptrs { + values[i] = f.Addr().Interface() + } else { + values[i] = f.Interface() + } + } + return nil +} + +func missingFields(transversals [][]int) (field int, err error) { + for i, t := range transversals { + if len(t) == 0 { + return i, errors.New("missing field") + } + } + return 0, nil +} diff --git a/vendor/github.com/jmoiron/sqlx/sqlx_context.go b/vendor/github.com/jmoiron/sqlx/sqlx_context.go new file mode 100644 index 0000000000..32621d56d7 --- /dev/null +++ b/vendor/github.com/jmoiron/sqlx/sqlx_context.go @@ -0,0 +1,415 @@ +//go:build go1.8 +// +build go1.8 + +package sqlx + +import ( + "context" + "database/sql" + "fmt" + "io/ioutil" + "path/filepath" + "reflect" +) + +// ConnectContext to a database and verify with a ping. +func ConnectContext(ctx context.Context, driverName, dataSourceName string) (*DB, error) { + db, err := Open(driverName, dataSourceName) + if err != nil { + return db, err + } + err = db.PingContext(ctx) + return db, err +} + +// QueryerContext is an interface used by GetContext and SelectContext +type QueryerContext interface { + QueryContext(ctx context.Context, query string, args ...interface{}) (*sql.Rows, error) + QueryxContext(ctx context.Context, query string, args ...interface{}) (*Rows, error) + QueryRowxContext(ctx context.Context, query string, args ...interface{}) *Row +} + +// PreparerContext is an interface used by PreparexContext. +type PreparerContext interface { + PrepareContext(ctx context.Context, query string) (*sql.Stmt, error) +} + +// ExecerContext is an interface used by MustExecContext and LoadFileContext +type ExecerContext interface { + ExecContext(ctx context.Context, query string, args ...interface{}) (sql.Result, error) +} + +// ExtContext is a union interface which can bind, query, and exec, with Context +// used by NamedQueryContext and NamedExecContext. +type ExtContext interface { + binder + QueryerContext + ExecerContext +} + +// SelectContext executes a query using the provided Queryer, and StructScans +// each row into dest, which must be a slice. If the slice elements are +// scannable, then the result set must have only one column. Otherwise, +// StructScan is used. The *sql.Rows are closed automatically. +// Any placeholder parameters are replaced with supplied args. +func SelectContext(ctx context.Context, q QueryerContext, dest interface{}, query string, args ...interface{}) error { + rows, err := q.QueryxContext(ctx, query, args...) + if err != nil { + return err + } + // if something happens here, we want to make sure the rows are Closed + defer rows.Close() + return scanAll(rows, dest, false) +} + +// PreparexContext prepares a statement. +// +// The provided context is used for the preparation of the statement, not for +// the execution of the statement. +func PreparexContext(ctx context.Context, p PreparerContext, query string) (*Stmt, error) { + s, err := p.PrepareContext(ctx, query) + if err != nil { + return nil, err + } + return &Stmt{Stmt: s, unsafe: isUnsafe(p), Mapper: mapperFor(p)}, err +} + +// GetContext does a QueryRow using the provided Queryer, and scans the +// resulting row to dest. If dest is scannable, the result must only have one +// column. Otherwise, StructScan is used. Get will return sql.ErrNoRows like +// row.Scan would. Any placeholder parameters are replaced with supplied args. +// An error is returned if the result set is empty. +func GetContext(ctx context.Context, q QueryerContext, dest interface{}, query string, args ...interface{}) error { + r := q.QueryRowxContext(ctx, query, args...) + return r.scanAny(dest, false) +} + +// LoadFileContext exec's every statement in a file (as a single call to Exec). +// LoadFileContext may return a nil *sql.Result if errors are encountered +// locating or reading the file at path. LoadFile reads the entire file into +// memory, so it is not suitable for loading large data dumps, but can be useful +// for initializing schemas or loading indexes. +// +// FIXME: this does not really work with multi-statement files for mattn/go-sqlite3 +// or the go-mysql-driver/mysql drivers; pq seems to be an exception here. Detecting +// this by requiring something with DriverName() and then attempting to split the +// queries will be difficult to get right, and its current driver-specific behavior +// is deemed at least not complex in its incorrectness. +func LoadFileContext(ctx context.Context, e ExecerContext, path string) (*sql.Result, error) { + realpath, err := filepath.Abs(path) + if err != nil { + return nil, err + } + contents, err := ioutil.ReadFile(realpath) + if err != nil { + return nil, err + } + res, err := e.ExecContext(ctx, string(contents)) + return &res, err +} + +// MustExecContext execs the query using e and panics if there was an error. +// Any placeholder parameters are replaced with supplied args. +func MustExecContext(ctx context.Context, e ExecerContext, query string, args ...interface{}) sql.Result { + res, err := e.ExecContext(ctx, query, args...) + if err != nil { + panic(err) + } + return res +} + +// PrepareNamedContext returns an sqlx.NamedStmt +func (db *DB) PrepareNamedContext(ctx context.Context, query string) (*NamedStmt, error) { + return prepareNamedContext(ctx, db, query) +} + +// NamedQueryContext using this DB. +// Any named placeholder parameters are replaced with fields from arg. +func (db *DB) NamedQueryContext(ctx context.Context, query string, arg interface{}) (*Rows, error) { + return NamedQueryContext(ctx, db, query, arg) +} + +// NamedExecContext using this DB. +// Any named placeholder parameters are replaced with fields from arg. +func (db *DB) NamedExecContext(ctx context.Context, query string, arg interface{}) (sql.Result, error) { + return NamedExecContext(ctx, db, query, arg) +} + +// SelectContext using this DB. +// Any placeholder parameters are replaced with supplied args. +func (db *DB) SelectContext(ctx context.Context, dest interface{}, query string, args ...interface{}) error { + return SelectContext(ctx, db, dest, query, args...) +} + +// GetContext using this DB. +// Any placeholder parameters are replaced with supplied args. +// An error is returned if the result set is empty. +func (db *DB) GetContext(ctx context.Context, dest interface{}, query string, args ...interface{}) error { + return GetContext(ctx, db, dest, query, args...) +} + +// PreparexContext returns an sqlx.Stmt instead of a sql.Stmt. +// +// The provided context is used for the preparation of the statement, not for +// the execution of the statement. +func (db *DB) PreparexContext(ctx context.Context, query string) (*Stmt, error) { + return PreparexContext(ctx, db, query) +} + +// QueryxContext queries the database and returns an *sqlx.Rows. +// Any placeholder parameters are replaced with supplied args. +func (db *DB) QueryxContext(ctx context.Context, query string, args ...interface{}) (*Rows, error) { + r, err := db.DB.QueryContext(ctx, query, args...) + if err != nil { + return nil, err + } + return &Rows{Rows: r, unsafe: db.unsafe, Mapper: db.Mapper}, err +} + +// QueryRowxContext queries the database and returns an *sqlx.Row. +// Any placeholder parameters are replaced with supplied args. +func (db *DB) QueryRowxContext(ctx context.Context, query string, args ...interface{}) *Row { + rows, err := db.DB.QueryContext(ctx, query, args...) + return &Row{rows: rows, err: err, unsafe: db.unsafe, Mapper: db.Mapper} +} + +// MustBeginTx starts a transaction, and panics on error. Returns an *sqlx.Tx instead +// of an *sql.Tx. +// +// The provided context is used until the transaction is committed or rolled +// back. If the context is canceled, the sql package will roll back the +// transaction. Tx.Commit will return an error if the context provided to +// MustBeginContext is canceled. +func (db *DB) MustBeginTx(ctx context.Context, opts *sql.TxOptions) *Tx { + tx, err := db.BeginTxx(ctx, opts) + if err != nil { + panic(err) + } + return tx +} + +// MustExecContext (panic) runs MustExec using this database. +// Any placeholder parameters are replaced with supplied args. +func (db *DB) MustExecContext(ctx context.Context, query string, args ...interface{}) sql.Result { + return MustExecContext(ctx, db, query, args...) +} + +// BeginTxx begins a transaction and returns an *sqlx.Tx instead of an +// *sql.Tx. +// +// The provided context is used until the transaction is committed or rolled +// back. If the context is canceled, the sql package will roll back the +// transaction. Tx.Commit will return an error if the context provided to +// BeginxContext is canceled. +func (db *DB) BeginTxx(ctx context.Context, opts *sql.TxOptions) (*Tx, error) { + tx, err := db.DB.BeginTx(ctx, opts) + if err != nil { + return nil, err + } + return &Tx{Tx: tx, driverName: db.driverName, unsafe: db.unsafe, Mapper: db.Mapper}, err +} + +// Connx returns an *sqlx.Conn instead of an *sql.Conn. +func (db *DB) Connx(ctx context.Context) (*Conn, error) { + conn, err := db.DB.Conn(ctx) + if err != nil { + return nil, err + } + + return &Conn{Conn: conn, driverName: db.driverName, unsafe: db.unsafe, Mapper: db.Mapper}, nil +} + +// BeginTxx begins a transaction and returns an *sqlx.Tx instead of an +// *sql.Tx. +// +// The provided context is used until the transaction is committed or rolled +// back. If the context is canceled, the sql package will roll back the +// transaction. Tx.Commit will return an error if the context provided to +// BeginxContext is canceled. +func (c *Conn) BeginTxx(ctx context.Context, opts *sql.TxOptions) (*Tx, error) { + tx, err := c.Conn.BeginTx(ctx, opts) + if err != nil { + return nil, err + } + return &Tx{Tx: tx, driverName: c.driverName, unsafe: c.unsafe, Mapper: c.Mapper}, err +} + +// SelectContext using this Conn. +// Any placeholder parameters are replaced with supplied args. +func (c *Conn) SelectContext(ctx context.Context, dest interface{}, query string, args ...interface{}) error { + return SelectContext(ctx, c, dest, query, args...) +} + +// GetContext using this Conn. +// Any placeholder parameters are replaced with supplied args. +// An error is returned if the result set is empty. +func (c *Conn) GetContext(ctx context.Context, dest interface{}, query string, args ...interface{}) error { + return GetContext(ctx, c, dest, query, args...) +} + +// PreparexContext returns an sqlx.Stmt instead of a sql.Stmt. +// +// The provided context is used for the preparation of the statement, not for +// the execution of the statement. +func (c *Conn) PreparexContext(ctx context.Context, query string) (*Stmt, error) { + return PreparexContext(ctx, c, query) +} + +// QueryxContext queries the database and returns an *sqlx.Rows. +// Any placeholder parameters are replaced with supplied args. +func (c *Conn) QueryxContext(ctx context.Context, query string, args ...interface{}) (*Rows, error) { + r, err := c.Conn.QueryContext(ctx, query, args...) + if err != nil { + return nil, err + } + return &Rows{Rows: r, unsafe: c.unsafe, Mapper: c.Mapper}, err +} + +// QueryRowxContext queries the database and returns an *sqlx.Row. +// Any placeholder parameters are replaced with supplied args. +func (c *Conn) QueryRowxContext(ctx context.Context, query string, args ...interface{}) *Row { + rows, err := c.Conn.QueryContext(ctx, query, args...) + return &Row{rows: rows, err: err, unsafe: c.unsafe, Mapper: c.Mapper} +} + +// Rebind a query within a Conn's bindvar type. +func (c *Conn) Rebind(query string) string { + return Rebind(BindType(c.driverName), query) +} + +// StmtxContext returns a version of the prepared statement which runs within a +// transaction. Provided stmt can be either *sql.Stmt or *sqlx.Stmt. +func (tx *Tx) StmtxContext(ctx context.Context, stmt interface{}) *Stmt { + var s *sql.Stmt + switch v := stmt.(type) { + case Stmt: + s = v.Stmt + case *Stmt: + s = v.Stmt + case *sql.Stmt: + s = v + default: + panic(fmt.Sprintf("non-statement type %v passed to Stmtx", reflect.ValueOf(stmt).Type())) + } + return &Stmt{Stmt: tx.StmtContext(ctx, s), Mapper: tx.Mapper} +} + +// NamedStmtContext returns a version of the prepared statement which runs +// within a transaction. +func (tx *Tx) NamedStmtContext(ctx context.Context, stmt *NamedStmt) *NamedStmt { + return &NamedStmt{ + QueryString: stmt.QueryString, + Params: stmt.Params, + Stmt: tx.StmtxContext(ctx, stmt.Stmt), + } +} + +// PreparexContext returns an sqlx.Stmt instead of a sql.Stmt. +// +// The provided context is used for the preparation of the statement, not for +// the execution of the statement. +func (tx *Tx) PreparexContext(ctx context.Context, query string) (*Stmt, error) { + return PreparexContext(ctx, tx, query) +} + +// PrepareNamedContext returns an sqlx.NamedStmt +func (tx *Tx) PrepareNamedContext(ctx context.Context, query string) (*NamedStmt, error) { + return prepareNamedContext(ctx, tx, query) +} + +// MustExecContext runs MustExecContext within a transaction. +// Any placeholder parameters are replaced with supplied args. +func (tx *Tx) MustExecContext(ctx context.Context, query string, args ...interface{}) sql.Result { + return MustExecContext(ctx, tx, query, args...) +} + +// QueryxContext within a transaction and context. +// Any placeholder parameters are replaced with supplied args. +func (tx *Tx) QueryxContext(ctx context.Context, query string, args ...interface{}) (*Rows, error) { + r, err := tx.Tx.QueryContext(ctx, query, args...) + if err != nil { + return nil, err + } + return &Rows{Rows: r, unsafe: tx.unsafe, Mapper: tx.Mapper}, err +} + +// SelectContext within a transaction and context. +// Any placeholder parameters are replaced with supplied args. +func (tx *Tx) SelectContext(ctx context.Context, dest interface{}, query string, args ...interface{}) error { + return SelectContext(ctx, tx, dest, query, args...) +} + +// GetContext within a transaction and context. +// Any placeholder parameters are replaced with supplied args. +// An error is returned if the result set is empty. +func (tx *Tx) GetContext(ctx context.Context, dest interface{}, query string, args ...interface{}) error { + return GetContext(ctx, tx, dest, query, args...) +} + +// QueryRowxContext within a transaction and context. +// Any placeholder parameters are replaced with supplied args. +func (tx *Tx) QueryRowxContext(ctx context.Context, query string, args ...interface{}) *Row { + rows, err := tx.Tx.QueryContext(ctx, query, args...) + return &Row{rows: rows, err: err, unsafe: tx.unsafe, Mapper: tx.Mapper} +} + +// NamedExecContext using this Tx. +// Any named placeholder parameters are replaced with fields from arg. +func (tx *Tx) NamedExecContext(ctx context.Context, query string, arg interface{}) (sql.Result, error) { + return NamedExecContext(ctx, tx, query, arg) +} + +// SelectContext using the prepared statement. +// Any placeholder parameters are replaced with supplied args. +func (s *Stmt) SelectContext(ctx context.Context, dest interface{}, args ...interface{}) error { + return SelectContext(ctx, &qStmt{s}, dest, "", args...) +} + +// GetContext using the prepared statement. +// Any placeholder parameters are replaced with supplied args. +// An error is returned if the result set is empty. +func (s *Stmt) GetContext(ctx context.Context, dest interface{}, args ...interface{}) error { + return GetContext(ctx, &qStmt{s}, dest, "", args...) +} + +// MustExecContext (panic) using this statement. Note that the query portion of +// the error output will be blank, as Stmt does not expose its query. +// Any placeholder parameters are replaced with supplied args. +func (s *Stmt) MustExecContext(ctx context.Context, args ...interface{}) sql.Result { + return MustExecContext(ctx, &qStmt{s}, "", args...) +} + +// QueryRowxContext using this statement. +// Any placeholder parameters are replaced with supplied args. +func (s *Stmt) QueryRowxContext(ctx context.Context, args ...interface{}) *Row { + qs := &qStmt{s} + return qs.QueryRowxContext(ctx, "", args...) +} + +// QueryxContext using this statement. +// Any placeholder parameters are replaced with supplied args. +func (s *Stmt) QueryxContext(ctx context.Context, args ...interface{}) (*Rows, error) { + qs := &qStmt{s} + return qs.QueryxContext(ctx, "", args...) +} + +func (q *qStmt) QueryContext(ctx context.Context, query string, args ...interface{}) (*sql.Rows, error) { + return q.Stmt.QueryContext(ctx, args...) +} + +func (q *qStmt) QueryxContext(ctx context.Context, query string, args ...interface{}) (*Rows, error) { + r, err := q.Stmt.QueryContext(ctx, args...) + if err != nil { + return nil, err + } + return &Rows{Rows: r, unsafe: q.Stmt.unsafe, Mapper: q.Stmt.Mapper}, err +} + +func (q *qStmt) QueryRowxContext(ctx context.Context, query string, args ...interface{}) *Row { + rows, err := q.Stmt.QueryContext(ctx, args...) + return &Row{rows: rows, err: err, unsafe: q.Stmt.unsafe, Mapper: q.Stmt.Mapper} +} + +func (q *qStmt) ExecContext(ctx context.Context, query string, args ...interface{}) (sql.Result, error) { + return q.Stmt.ExecContext(ctx, args...) +} diff --git a/vendor/github.com/klauspost/compress/.gitattributes b/vendor/github.com/klauspost/compress/.gitattributes new file mode 100644 index 0000000000..402433593c --- /dev/null +++ b/vendor/github.com/klauspost/compress/.gitattributes @@ -0,0 +1,2 @@ +* -text +*.bin -text -diff diff --git a/vendor/github.com/klauspost/compress/.gitignore b/vendor/github.com/klauspost/compress/.gitignore new file mode 100644 index 0000000000..d31b378152 --- /dev/null +++ b/vendor/github.com/klauspost/compress/.gitignore @@ -0,0 +1,32 @@ +# Compiled Object files, Static and Dynamic libs (Shared Objects) +*.o +*.a +*.so + +# Folders +_obj +_test + +# Architecture specific extensions/prefixes +*.[568vq] +[568vq].out + +*.cgo1.go +*.cgo2.c +_cgo_defun.c +_cgo_gotypes.go +_cgo_export.* + +_testmain.go + +*.exe +*.test +*.prof +/s2/cmd/_s2sx/sfx-exe + +# Linux perf files +perf.data +perf.data.old + +# gdb history +.gdb_history diff --git a/vendor/github.com/klauspost/compress/.goreleaser.yml b/vendor/github.com/klauspost/compress/.goreleaser.yml new file mode 100644 index 0000000000..4528059ca6 --- /dev/null +++ b/vendor/github.com/klauspost/compress/.goreleaser.yml @@ -0,0 +1,123 @@ +version: 2 + +before: + hooks: + - ./gen.sh + +builds: + - + id: "s2c" + binary: s2c + main: ./s2/cmd/s2c/main.go + flags: + - -trimpath + env: + - CGO_ENABLED=0 + goos: + - aix + - linux + - freebsd + - netbsd + - windows + - darwin + goarch: + - 386 + - amd64 + - arm + - arm64 + - ppc64 + - ppc64le + - mips64 + - mips64le + goarm: + - 7 + - + id: "s2d" + binary: s2d + main: ./s2/cmd/s2d/main.go + flags: + - -trimpath + env: + - CGO_ENABLED=0 + goos: + - aix + - linux + - freebsd + - netbsd + - windows + - darwin + goarch: + - 386 + - amd64 + - arm + - arm64 + - ppc64 + - ppc64le + - mips64 + - mips64le + goarm: + - 7 + - + id: "s2sx" + binary: s2sx + main: ./s2/cmd/_s2sx/main.go + flags: + - -modfile=s2sx.mod + - -trimpath + env: + - CGO_ENABLED=0 + goos: + - aix + - linux + - freebsd + - netbsd + - windows + - darwin + goarch: + - 386 + - amd64 + - arm + - arm64 + - ppc64 + - ppc64le + - mips64 + - mips64le + goarm: + - 7 + +archives: + - + id: s2-binaries + name_template: "s2-{{ .Os }}_{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}" + format_overrides: + - goos: windows + format: zip + files: + - unpack/* + - s2/LICENSE + - s2/README.md +checksum: + name_template: 'checksums.txt' +snapshot: + version_template: "{{ .Tag }}-next" +changelog: + sort: asc + filters: + exclude: + - '^doc:' + - '^docs:' + - '^test:' + - '^tests:' + - '^Update\sREADME.md' + +nfpms: + - + file_name_template: "s2_package__{{ .Os }}_{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}" + vendor: Klaus Post + homepage: https://github.com/klauspost/compress + maintainer: Klaus Post + description: S2 Compression Tool + license: BSD 3-Clause + formats: + - deb + - rpm diff --git a/vendor/github.com/klauspost/compress/LICENSE b/vendor/github.com/klauspost/compress/LICENSE new file mode 100644 index 0000000000..87d5574777 --- /dev/null +++ b/vendor/github.com/klauspost/compress/LICENSE @@ -0,0 +1,304 @@ +Copyright (c) 2012 The Go Authors. All rights reserved. +Copyright (c) 2019 Klaus Post. All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are +met: + + * Redistributions of source code must retain the above copyright +notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above +copyright notice, this list of conditions and the following disclaimer +in the documentation and/or other materials provided with the +distribution. + * Neither the name of Google Inc. nor the names of its +contributors may be used to endorse or promote products derived from +this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +------------------ + +Files: gzhttp/* + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright 2016-2017 The New York Times Company + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + +------------------ + +Files: s2/cmd/internal/readahead/* + +The MIT License (MIT) + +Copyright (c) 2015 Klaus Post + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. + +--------------------- +Files: snappy/* +Files: internal/snapref/* + +Copyright (c) 2011 The Snappy-Go Authors. All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are +met: + + * Redistributions of source code must retain the above copyright +notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above +copyright notice, this list of conditions and the following disclaimer +in the documentation and/or other materials provided with the +distribution. + * Neither the name of Google Inc. nor the names of its +contributors may be used to endorse or promote products derived from +this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +----------------- + +Files: s2/cmd/internal/filepathx/* + +Copyright 2016 The filepathx Authors + +Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. diff --git a/vendor/github.com/klauspost/compress/README.md b/vendor/github.com/klauspost/compress/README.md new file mode 100644 index 0000000000..244ee19c4b --- /dev/null +++ b/vendor/github.com/klauspost/compress/README.md @@ -0,0 +1,671 @@ +# compress + +This package provides various compression algorithms. + +* [zstandard](https://github.com/klauspost/compress/tree/master/zstd#zstd) compression and decompression in pure Go. +* [S2](https://github.com/klauspost/compress/tree/master/s2#s2-compression) is a high performance replacement for Snappy. +* Optimized [deflate](https://godoc.org/github.com/klauspost/compress/flate) packages which can be used as a dropin replacement for [gzip](https://godoc.org/github.com/klauspost/compress/gzip), [zip](https://godoc.org/github.com/klauspost/compress/zip) and [zlib](https://godoc.org/github.com/klauspost/compress/zlib). +* [snappy](https://github.com/klauspost/compress/tree/master/snappy) is a drop-in replacement for `github.com/golang/snappy` offering better compression and concurrent streams. +* [huff0](https://github.com/klauspost/compress/tree/master/huff0) and [FSE](https://github.com/klauspost/compress/tree/master/fse) implementations for raw entropy encoding. +* [gzhttp](https://github.com/klauspost/compress/tree/master/gzhttp) Provides client and server wrappers for handling gzipped requests efficiently. +* [pgzip](https://github.com/klauspost/pgzip) is a separate package that provides a very fast parallel gzip implementation. + +[![Go Reference](https://pkg.go.dev/badge/klauspost/compress.svg)](https://pkg.go.dev/github.com/klauspost/compress?tab=subdirectories) +[![Go](https://github.com/klauspost/compress/actions/workflows/go.yml/badge.svg)](https://github.com/klauspost/compress/actions/workflows/go.yml) +[![Sourcegraph Badge](https://sourcegraph.com/github.com/klauspost/compress/-/badge.svg)](https://sourcegraph.com/github.com/klauspost/compress?badge) + +# package usage + +Use `go get github.com/klauspost/compress@latest` to add it to your project. + +This package will support the current Go version and 2 versions back. + +* Use the `nounsafe` tag to disable all use of the "unsafe" package. +* Use the `noasm` tag to disable all assembly across packages. + +Use the links above for more information on each. + +# changelog + +* Feb 19th, 2025 - [1.18.0](https://github.com/klauspost/compress/releases/tag/v1.18.0) + * Add unsafe little endian loaders https://github.com/klauspost/compress/pull/1036 + * fix: check `r.err != nil` but return a nil value error `err` by @alingse in https://github.com/klauspost/compress/pull/1028 + * flate: Simplify L4-6 loading https://github.com/klauspost/compress/pull/1043 + * flate: Simplify matchlen (remove asm) https://github.com/klauspost/compress/pull/1045 + * s2: Improve small block compression speed w/o asm https://github.com/klauspost/compress/pull/1048 + * flate: Fix matchlen L5+L6 https://github.com/klauspost/compress/pull/1049 + * flate: Cleanup & reduce casts https://github.com/klauspost/compress/pull/1050 + +* Oct 11th, 2024 - [1.17.11](https://github.com/klauspost/compress/releases/tag/v1.17.11) + * zstd: Fix extra CRC written with multiple Close calls https://github.com/klauspost/compress/pull/1017 + * s2: Don't use stack for index tables https://github.com/klauspost/compress/pull/1014 + * gzhttp: No content-type on no body response code by @juliens in https://github.com/klauspost/compress/pull/1011 + * gzhttp: Do not set the content-type when response has no body by @kevinpollet in https://github.com/klauspost/compress/pull/1013 + +* Sep 23rd, 2024 - [1.17.10](https://github.com/klauspost/compress/releases/tag/v1.17.10) + * gzhttp: Add TransportAlwaysDecompress option. https://github.com/klauspost/compress/pull/978 + * gzhttp: Add supported decompress request body by @mirecl in https://github.com/klauspost/compress/pull/1002 + * s2: Add EncodeBuffer buffer recycling callback https://github.com/klauspost/compress/pull/982 + * zstd: Improve memory usage on small streaming encodes https://github.com/klauspost/compress/pull/1007 + * flate: read data written with partial flush by @vajexal in https://github.com/klauspost/compress/pull/996 + +* Jun 12th, 2024 - [1.17.9](https://github.com/klauspost/compress/releases/tag/v1.17.9) + * s2: Reduce ReadFrom temporary allocations https://github.com/klauspost/compress/pull/949 + * flate, zstd: Shave some bytes off amd64 matchLen by @greatroar in https://github.com/klauspost/compress/pull/963 + * Upgrade zip/zlib to 1.22.4 upstream https://github.com/klauspost/compress/pull/970 https://github.com/klauspost/compress/pull/971 + * zstd: BuildDict fails with RLE table https://github.com/klauspost/compress/pull/951 + +* Apr 9th, 2024 - [1.17.8](https://github.com/klauspost/compress/releases/tag/v1.17.8) + * zstd: Reject blocks where reserved values are not 0 https://github.com/klauspost/compress/pull/885 + * zstd: Add RLE detection+encoding https://github.com/klauspost/compress/pull/938 + +* Feb 21st, 2024 - [1.17.7](https://github.com/klauspost/compress/releases/tag/v1.17.7) + * s2: Add AsyncFlush method: Complete the block without flushing by @Jille in https://github.com/klauspost/compress/pull/927 + * s2: Fix literal+repeat exceeds dst crash https://github.com/klauspost/compress/pull/930 + +* Feb 5th, 2024 - [1.17.6](https://github.com/klauspost/compress/releases/tag/v1.17.6) + * zstd: Fix incorrect repeat coding in best mode https://github.com/klauspost/compress/pull/923 + * s2: Fix DecodeConcurrent deadlock on errors https://github.com/klauspost/compress/pull/925 + +* Jan 26th, 2024 - [v1.17.5](https://github.com/klauspost/compress/releases/tag/v1.17.5) + * flate: Fix reset with dictionary on custom window encodes https://github.com/klauspost/compress/pull/912 + * zstd: Add Frame header encoding and stripping https://github.com/klauspost/compress/pull/908 + * zstd: Limit better/best default window to 8MB https://github.com/klauspost/compress/pull/913 + * zstd: Speed improvements by @greatroar in https://github.com/klauspost/compress/pull/896 https://github.com/klauspost/compress/pull/910 + * s2: Fix callbacks for skippable blocks and disallow 0xfe (Padding) by @Jille in https://github.com/klauspost/compress/pull/916 https://github.com/klauspost/compress/pull/917 +https://github.com/klauspost/compress/pull/919 https://github.com/klauspost/compress/pull/918 + +* Dec 1st, 2023 - [v1.17.4](https://github.com/klauspost/compress/releases/tag/v1.17.4) + * huff0: Speed up symbol counting by @greatroar in https://github.com/klauspost/compress/pull/887 + * huff0: Remove byteReader by @greatroar in https://github.com/klauspost/compress/pull/886 + * gzhttp: Allow overriding decompression on transport https://github.com/klauspost/compress/pull/892 + * gzhttp: Clamp compression level https://github.com/klauspost/compress/pull/890 + * gzip: Error out if reserved bits are set https://github.com/klauspost/compress/pull/891 + +* Nov 15th, 2023 - [v1.17.3](https://github.com/klauspost/compress/releases/tag/v1.17.3) + * fse: Fix max header size https://github.com/klauspost/compress/pull/881 + * zstd: Improve better/best compression https://github.com/klauspost/compress/pull/877 + * gzhttp: Fix missing content type on Close https://github.com/klauspost/compress/pull/883 + +* Oct 22nd, 2023 - [v1.17.2](https://github.com/klauspost/compress/releases/tag/v1.17.2) + * zstd: Fix rare *CORRUPTION* output in "best" mode. See https://github.com/klauspost/compress/pull/876 + +* Oct 14th, 2023 - [v1.17.1](https://github.com/klauspost/compress/releases/tag/v1.17.1) + * s2: Fix S2 "best" dictionary wrong encoding https://github.com/klauspost/compress/pull/871 + * flate: Reduce allocations in decompressor and minor code improvements by @fakefloordiv in https://github.com/klauspost/compress/pull/869 + * s2: Fix EstimateBlockSize on 6&7 length input https://github.com/klauspost/compress/pull/867 + +* Sept 19th, 2023 - [v1.17.0](https://github.com/klauspost/compress/releases/tag/v1.17.0) + * Add experimental dictionary builder https://github.com/klauspost/compress/pull/853 + * Add xerial snappy read/writer https://github.com/klauspost/compress/pull/838 + * flate: Add limited window compression https://github.com/klauspost/compress/pull/843 + * s2: Do 2 overlapping match checks https://github.com/klauspost/compress/pull/839 + * flate: Add amd64 assembly matchlen https://github.com/klauspost/compress/pull/837 + * gzip: Copy bufio.Reader on Reset by @thatguystone in https://github.com/klauspost/compress/pull/860 + +
+ See changes to v1.16.x + + +* July 1st, 2023 - [v1.16.7](https://github.com/klauspost/compress/releases/tag/v1.16.7) + * zstd: Fix default level first dictionary encode https://github.com/klauspost/compress/pull/829 + * s2: add GetBufferCapacity() method by @GiedriusS in https://github.com/klauspost/compress/pull/832 + +* June 13, 2023 - [v1.16.6](https://github.com/klauspost/compress/releases/tag/v1.16.6) + * zstd: correctly ignore WithEncoderPadding(1) by @ianlancetaylor in https://github.com/klauspost/compress/pull/806 + * zstd: Add amd64 match length assembly https://github.com/klauspost/compress/pull/824 + * gzhttp: Handle informational headers by @rtribotte in https://github.com/klauspost/compress/pull/815 + * s2: Improve Better compression slightly https://github.com/klauspost/compress/pull/663 + +* Apr 16, 2023 - [v1.16.5](https://github.com/klauspost/compress/releases/tag/v1.16.5) + * zstd: readByte needs to use io.ReadFull by @jnoxon in https://github.com/klauspost/compress/pull/802 + * gzip: Fix WriterTo after initial read https://github.com/klauspost/compress/pull/804 + +* Apr 5, 2023 - [v1.16.4](https://github.com/klauspost/compress/releases/tag/v1.16.4) + * zstd: Improve zstd best efficiency by @greatroar and @klauspost in https://github.com/klauspost/compress/pull/784 + * zstd: Respect WithAllLitEntropyCompression https://github.com/klauspost/compress/pull/792 + * zstd: Fix amd64 not always detecting corrupt data https://github.com/klauspost/compress/pull/785 + * zstd: Various minor improvements by @greatroar in https://github.com/klauspost/compress/pull/788 https://github.com/klauspost/compress/pull/794 https://github.com/klauspost/compress/pull/795 + * s2: Fix huge block overflow https://github.com/klauspost/compress/pull/779 + * s2: Allow CustomEncoder fallback https://github.com/klauspost/compress/pull/780 + * gzhttp: Support ResponseWriter Unwrap() in gzhttp handler by @jgimenez in https://github.com/klauspost/compress/pull/799 + +* Mar 13, 2023 - [v1.16.1](https://github.com/klauspost/compress/releases/tag/v1.16.1) + * zstd: Speed up + improve best encoder by @greatroar in https://github.com/klauspost/compress/pull/776 + * gzhttp: Add optional [BREACH mitigation](https://github.com/klauspost/compress/tree/master/gzhttp#breach-mitigation). https://github.com/klauspost/compress/pull/762 https://github.com/klauspost/compress/pull/768 https://github.com/klauspost/compress/pull/769 https://github.com/klauspost/compress/pull/770 https://github.com/klauspost/compress/pull/767 + * s2: Add Intel LZ4s converter https://github.com/klauspost/compress/pull/766 + * zstd: Minor bug fixes https://github.com/klauspost/compress/pull/771 https://github.com/klauspost/compress/pull/772 https://github.com/klauspost/compress/pull/773 + * huff0: Speed up compress1xDo by @greatroar in https://github.com/klauspost/compress/pull/774 + +* Feb 26, 2023 - [v1.16.0](https://github.com/klauspost/compress/releases/tag/v1.16.0) + * s2: Add [Dictionary](https://github.com/klauspost/compress/tree/master/s2#dictionaries) support. https://github.com/klauspost/compress/pull/685 + * s2: Add Compression Size Estimate. https://github.com/klauspost/compress/pull/752 + * s2: Add support for custom stream encoder. https://github.com/klauspost/compress/pull/755 + * s2: Add LZ4 block converter. https://github.com/klauspost/compress/pull/748 + * s2: Support io.ReaderAt in ReadSeeker. https://github.com/klauspost/compress/pull/747 + * s2c/s2sx: Use concurrent decoding. https://github.com/klauspost/compress/pull/746 +
+ +
+ See changes to v1.15.x + +* Jan 21st, 2023 (v1.15.15) + * deflate: Improve level 7-9 https://github.com/klauspost/compress/pull/739 + * zstd: Add delta encoding support by @greatroar in https://github.com/klauspost/compress/pull/728 + * zstd: Various speed improvements by @greatroar https://github.com/klauspost/compress/pull/741 https://github.com/klauspost/compress/pull/734 https://github.com/klauspost/compress/pull/736 https://github.com/klauspost/compress/pull/744 https://github.com/klauspost/compress/pull/743 https://github.com/klauspost/compress/pull/745 + * gzhttp: Add SuffixETag() and DropETag() options to prevent ETag collisions on compressed responses by @willbicks in https://github.com/klauspost/compress/pull/740 + +* Jan 3rd, 2023 (v1.15.14) + + * flate: Improve speed in big stateless blocks https://github.com/klauspost/compress/pull/718 + * zstd: Minor speed tweaks by @greatroar in https://github.com/klauspost/compress/pull/716 https://github.com/klauspost/compress/pull/720 + * export NoGzipResponseWriter for custom ResponseWriter wrappers by @harshavardhana in https://github.com/klauspost/compress/pull/722 + * s2: Add example for indexing and existing stream https://github.com/klauspost/compress/pull/723 + +* Dec 11, 2022 (v1.15.13) + * zstd: Add [MaxEncodedSize](https://pkg.go.dev/github.com/klauspost/compress@v1.15.13/zstd#Encoder.MaxEncodedSize) to encoder https://github.com/klauspost/compress/pull/691 + * zstd: Various tweaks and improvements https://github.com/klauspost/compress/pull/693 https://github.com/klauspost/compress/pull/695 https://github.com/klauspost/compress/pull/696 https://github.com/klauspost/compress/pull/701 https://github.com/klauspost/compress/pull/702 https://github.com/klauspost/compress/pull/703 https://github.com/klauspost/compress/pull/704 https://github.com/klauspost/compress/pull/705 https://github.com/klauspost/compress/pull/706 https://github.com/klauspost/compress/pull/707 https://github.com/klauspost/compress/pull/708 + +* Oct 26, 2022 (v1.15.12) + + * zstd: Tweak decoder allocs. https://github.com/klauspost/compress/pull/680 + * gzhttp: Always delete `HeaderNoCompression` https://github.com/klauspost/compress/pull/683 + +* Sept 26, 2022 (v1.15.11) + + * flate: Improve level 1-3 compression https://github.com/klauspost/compress/pull/678 + * zstd: Improve "best" compression by @nightwolfz in https://github.com/klauspost/compress/pull/677 + * zstd: Fix+reduce decompression allocations https://github.com/klauspost/compress/pull/668 + * zstd: Fix non-effective noescape tag https://github.com/klauspost/compress/pull/667 + +* Sept 16, 2022 (v1.15.10) + + * zstd: Add [WithDecodeAllCapLimit](https://pkg.go.dev/github.com/klauspost/compress@v1.15.10/zstd#WithDecodeAllCapLimit) https://github.com/klauspost/compress/pull/649 + * Add Go 1.19 - deprecate Go 1.16 https://github.com/klauspost/compress/pull/651 + * flate: Improve level 5+6 compression https://github.com/klauspost/compress/pull/656 + * zstd: Improve "better" compression https://github.com/klauspost/compress/pull/657 + * s2: Improve "best" compression https://github.com/klauspost/compress/pull/658 + * s2: Improve "better" compression. https://github.com/klauspost/compress/pull/635 + * s2: Slightly faster non-assembly decompression https://github.com/klauspost/compress/pull/646 + * Use arrays for constant size copies https://github.com/klauspost/compress/pull/659 + +* July 21, 2022 (v1.15.9) + + * zstd: Fix decoder crash on amd64 (no BMI) on invalid input https://github.com/klauspost/compress/pull/645 + * zstd: Disable decoder extended memory copies (amd64) due to possible crashes https://github.com/klauspost/compress/pull/644 + * zstd: Allow single segments up to "max decoded size" https://github.com/klauspost/compress/pull/643 + +* July 13, 2022 (v1.15.8) + + * gzip: fix stack exhaustion bug in Reader.Read https://github.com/klauspost/compress/pull/641 + * s2: Add Index header trim/restore https://github.com/klauspost/compress/pull/638 + * zstd: Optimize seqdeq amd64 asm by @greatroar in https://github.com/klauspost/compress/pull/636 + * zstd: Improve decoder memcopy https://github.com/klauspost/compress/pull/637 + * huff0: Pass a single bitReader pointer to asm by @greatroar in https://github.com/klauspost/compress/pull/634 + * zstd: Branchless getBits for amd64 w/o BMI2 by @greatroar in https://github.com/klauspost/compress/pull/640 + * gzhttp: Remove header before writing https://github.com/klauspost/compress/pull/639 + +* June 29, 2022 (v1.15.7) + + * s2: Fix absolute forward seeks https://github.com/klauspost/compress/pull/633 + * zip: Merge upstream https://github.com/klauspost/compress/pull/631 + * zip: Re-add zip64 fix https://github.com/klauspost/compress/pull/624 + * zstd: translate fseDecoder.buildDtable into asm by @WojciechMula in https://github.com/klauspost/compress/pull/598 + * flate: Faster histograms https://github.com/klauspost/compress/pull/620 + * deflate: Use compound hcode https://github.com/klauspost/compress/pull/622 + +* June 3, 2022 (v1.15.6) + * s2: Improve coding for long, close matches https://github.com/klauspost/compress/pull/613 + * s2c: Add Snappy/S2 stream recompression https://github.com/klauspost/compress/pull/611 + * zstd: Always use configured block size https://github.com/klauspost/compress/pull/605 + * zstd: Fix incorrect hash table placement for dict encoding in default https://github.com/klauspost/compress/pull/606 + * zstd: Apply default config to ZipDecompressor without options https://github.com/klauspost/compress/pull/608 + * gzhttp: Exclude more common archive formats https://github.com/klauspost/compress/pull/612 + * s2: Add ReaderIgnoreCRC https://github.com/klauspost/compress/pull/609 + * s2: Remove sanity load on index creation https://github.com/klauspost/compress/pull/607 + * snappy: Use dedicated function for scoring https://github.com/klauspost/compress/pull/614 + * s2c+s2d: Use official snappy framed extension https://github.com/klauspost/compress/pull/610 + +* May 25, 2022 (v1.15.5) + * s2: Add concurrent stream decompression https://github.com/klauspost/compress/pull/602 + * s2: Fix final emit oob read crash on amd64 https://github.com/klauspost/compress/pull/601 + * huff0: asm implementation of Decompress1X by @WojciechMula https://github.com/klauspost/compress/pull/596 + * zstd: Use 1 less goroutine for stream decoding https://github.com/klauspost/compress/pull/588 + * zstd: Copy literal in 16 byte blocks when possible https://github.com/klauspost/compress/pull/592 + * zstd: Speed up when WithDecoderLowmem(false) https://github.com/klauspost/compress/pull/599 + * zstd: faster next state update in BMI2 version of decode by @WojciechMula in https://github.com/klauspost/compress/pull/593 + * huff0: Do not check max size when reading table. https://github.com/klauspost/compress/pull/586 + * flate: Inplace hashing for level 7-9 https://github.com/klauspost/compress/pull/590 + + +* May 11, 2022 (v1.15.4) + * huff0: decompress directly into output by @WojciechMula in [#577](https://github.com/klauspost/compress/pull/577) + * inflate: Keep dict on stack [#581](https://github.com/klauspost/compress/pull/581) + * zstd: Faster decoding memcopy in asm [#583](https://github.com/klauspost/compress/pull/583) + * zstd: Fix ignored crc [#580](https://github.com/klauspost/compress/pull/580) + +* May 5, 2022 (v1.15.3) + * zstd: Allow to ignore checksum checking by @WojciechMula [#572](https://github.com/klauspost/compress/pull/572) + * s2: Fix incorrect seek for io.SeekEnd in [#575](https://github.com/klauspost/compress/pull/575) + +* Apr 26, 2022 (v1.15.2) + * zstd: Add x86-64 assembly for decompression on streams and blocks. Contributed by [@WojciechMula](https://github.com/WojciechMula). Typically 2x faster. [#528](https://github.com/klauspost/compress/pull/528) [#531](https://github.com/klauspost/compress/pull/531) [#545](https://github.com/klauspost/compress/pull/545) [#537](https://github.com/klauspost/compress/pull/537) + * zstd: Add options to ZipDecompressor and fixes [#539](https://github.com/klauspost/compress/pull/539) + * s2: Use sorted search for index [#555](https://github.com/klauspost/compress/pull/555) + * Minimum version is Go 1.16, added CI test on 1.18. + +* Mar 11, 2022 (v1.15.1) + * huff0: Add x86 assembly of Decode4X by @WojciechMula in [#512](https://github.com/klauspost/compress/pull/512) + * zstd: Reuse zip decoders in [#514](https://github.com/klauspost/compress/pull/514) + * zstd: Detect extra block data and report as corrupted in [#520](https://github.com/klauspost/compress/pull/520) + * zstd: Handle zero sized frame content size stricter in [#521](https://github.com/klauspost/compress/pull/521) + * zstd: Add stricter block size checks in [#523](https://github.com/klauspost/compress/pull/523) + +* Mar 3, 2022 (v1.15.0) + * zstd: Refactor decoder [#498](https://github.com/klauspost/compress/pull/498) + * zstd: Add stream encoding without goroutines [#505](https://github.com/klauspost/compress/pull/505) + * huff0: Prevent single blocks exceeding 16 bits by @klauspost in[#507](https://github.com/klauspost/compress/pull/507) + * flate: Inline literal emission [#509](https://github.com/klauspost/compress/pull/509) + * gzhttp: Add zstd to transport [#400](https://github.com/klauspost/compress/pull/400) + * gzhttp: Make content-type optional [#510](https://github.com/klauspost/compress/pull/510) + +Both compression and decompression now supports "synchronous" stream operations. This means that whenever "concurrency" is set to 1, they will operate without spawning goroutines. + +Stream decompression is now faster on asynchronous, since the goroutine allocation much more effectively splits the workload. On typical streams this will typically use 2 cores fully for decompression. When a stream has finished decoding no goroutines will be left over, so decoders can now safely be pooled and still be garbage collected. + +While the release has been extensively tested, it is recommended to testing when upgrading. + +
+ +
+ See changes to v1.14.x + +* Feb 22, 2022 (v1.14.4) + * flate: Fix rare huffman only (-2) corruption. [#503](https://github.com/klauspost/compress/pull/503) + * zip: Update deprecated CreateHeaderRaw to correctly call CreateRaw by @saracen in [#502](https://github.com/klauspost/compress/pull/502) + * zip: don't read data descriptor early by @saracen in [#501](https://github.com/klauspost/compress/pull/501) #501 + * huff0: Use static decompression buffer up to 30% faster [#499](https://github.com/klauspost/compress/pull/499) [#500](https://github.com/klauspost/compress/pull/500) + +* Feb 17, 2022 (v1.14.3) + * flate: Improve fastest levels compression speed ~10% more throughput. [#482](https://github.com/klauspost/compress/pull/482) [#489](https://github.com/klauspost/compress/pull/489) [#490](https://github.com/klauspost/compress/pull/490) [#491](https://github.com/klauspost/compress/pull/491) [#494](https://github.com/klauspost/compress/pull/494) [#478](https://github.com/klauspost/compress/pull/478) + * flate: Faster decompression speed, ~5-10%. [#483](https://github.com/klauspost/compress/pull/483) + * s2: Faster compression with Go v1.18 and amd64 microarch level 3+. [#484](https://github.com/klauspost/compress/pull/484) [#486](https://github.com/klauspost/compress/pull/486) + +* Jan 25, 2022 (v1.14.2) + * zstd: improve header decoder by @dsnet [#476](https://github.com/klauspost/compress/pull/476) + * zstd: Add bigger default blocks [#469](https://github.com/klauspost/compress/pull/469) + * zstd: Remove unused decompression buffer [#470](https://github.com/klauspost/compress/pull/470) + * zstd: Fix logically dead code by @ningmingxiao [#472](https://github.com/klauspost/compress/pull/472) + * flate: Improve level 7-9 [#471](https://github.com/klauspost/compress/pull/471) [#473](https://github.com/klauspost/compress/pull/473) + * zstd: Add noasm tag for xxhash [#475](https://github.com/klauspost/compress/pull/475) + +* Jan 11, 2022 (v1.14.1) + * s2: Add stream index in [#462](https://github.com/klauspost/compress/pull/462) + * flate: Speed and efficiency improvements in [#439](https://github.com/klauspost/compress/pull/439) [#461](https://github.com/klauspost/compress/pull/461) [#455](https://github.com/klauspost/compress/pull/455) [#452](https://github.com/klauspost/compress/pull/452) [#458](https://github.com/klauspost/compress/pull/458) + * zstd: Performance improvement in [#420]( https://github.com/klauspost/compress/pull/420) [#456](https://github.com/klauspost/compress/pull/456) [#437](https://github.com/klauspost/compress/pull/437) [#467](https://github.com/klauspost/compress/pull/467) [#468](https://github.com/klauspost/compress/pull/468) + * zstd: add arm64 xxhash assembly in [#464](https://github.com/klauspost/compress/pull/464) + * Add garbled for binaries for s2 in [#445](https://github.com/klauspost/compress/pull/445) +
+ +
+ See changes to v1.13.x + +* Aug 30, 2021 (v1.13.5) + * gz/zlib/flate: Alias stdlib errors [#425](https://github.com/klauspost/compress/pull/425) + * s2: Add block support to commandline tools [#413](https://github.com/klauspost/compress/pull/413) + * zstd: pooledZipWriter should return Writers to the same pool [#426](https://github.com/klauspost/compress/pull/426) + * Removed golang/snappy as external dependency for tests [#421](https://github.com/klauspost/compress/pull/421) + +* Aug 12, 2021 (v1.13.4) + * Add [snappy replacement package](https://github.com/klauspost/compress/tree/master/snappy). + * zstd: Fix incorrect encoding in "best" mode [#415](https://github.com/klauspost/compress/pull/415) + +* Aug 3, 2021 (v1.13.3) + * zstd: Improve Best compression [#404](https://github.com/klauspost/compress/pull/404) + * zstd: Fix WriteTo error forwarding [#411](https://github.com/klauspost/compress/pull/411) + * gzhttp: Return http.HandlerFunc instead of http.Handler. Unlikely breaking change. [#406](https://github.com/klauspost/compress/pull/406) + * s2sx: Fix max size error [#399](https://github.com/klauspost/compress/pull/399) + * zstd: Add optional stream content size on reset [#401](https://github.com/klauspost/compress/pull/401) + * zstd: use SpeedBestCompression for level >= 10 [#410](https://github.com/klauspost/compress/pull/410) + +* Jun 14, 2021 (v1.13.1) + * s2: Add full Snappy output support [#396](https://github.com/klauspost/compress/pull/396) + * zstd: Add configurable [Decoder window](https://pkg.go.dev/github.com/klauspost/compress/zstd#WithDecoderMaxWindow) size [#394](https://github.com/klauspost/compress/pull/394) + * gzhttp: Add header to skip compression [#389](https://github.com/klauspost/compress/pull/389) + * s2: Improve speed with bigger output margin [#395](https://github.com/klauspost/compress/pull/395) + +* Jun 3, 2021 (v1.13.0) + * Added [gzhttp](https://github.com/klauspost/compress/tree/master/gzhttp#gzip-handler) which allows wrapping HTTP servers and clients with GZIP compressors. + * zstd: Detect short invalid signatures [#382](https://github.com/klauspost/compress/pull/382) + * zstd: Spawn decoder goroutine only if needed. [#380](https://github.com/klauspost/compress/pull/380) +
+ + +
+ See changes to v1.12.x + +* May 25, 2021 (v1.12.3) + * deflate: Better/faster Huffman encoding [#374](https://github.com/klauspost/compress/pull/374) + * deflate: Allocate less for history. [#375](https://github.com/klauspost/compress/pull/375) + * zstd: Forward read errors [#373](https://github.com/klauspost/compress/pull/373) + +* Apr 27, 2021 (v1.12.2) + * zstd: Improve better/best compression [#360](https://github.com/klauspost/compress/pull/360) [#364](https://github.com/klauspost/compress/pull/364) [#365](https://github.com/klauspost/compress/pull/365) + * zstd: Add helpers to compress/decompress zstd inside zip files [#363](https://github.com/klauspost/compress/pull/363) + * deflate: Improve level 5+6 compression [#367](https://github.com/klauspost/compress/pull/367) + * s2: Improve better/best compression [#358](https://github.com/klauspost/compress/pull/358) [#359](https://github.com/klauspost/compress/pull/358) + * s2: Load after checking src limit on amd64. [#362](https://github.com/klauspost/compress/pull/362) + * s2sx: Limit max executable size [#368](https://github.com/klauspost/compress/pull/368) + +* Apr 14, 2021 (v1.12.1) + * snappy package removed. Upstream added as dependency. + * s2: Better compression in "best" mode [#353](https://github.com/klauspost/compress/pull/353) + * s2sx: Add stdin input and detect pre-compressed from signature [#352](https://github.com/klauspost/compress/pull/352) + * s2c/s2d: Add http as possible input [#348](https://github.com/klauspost/compress/pull/348) + * s2c/s2d/s2sx: Always truncate when writing files [#352](https://github.com/klauspost/compress/pull/352) + * zstd: Reduce memory usage further when using [WithLowerEncoderMem](https://pkg.go.dev/github.com/klauspost/compress/zstd#WithLowerEncoderMem) [#346](https://github.com/klauspost/compress/pull/346) + * s2: Fix potential problem with amd64 assembly and profilers [#349](https://github.com/klauspost/compress/pull/349) +
+ +
+ See changes to v1.11.x + +* Mar 26, 2021 (v1.11.13) + * zstd: Big speedup on small dictionary encodes [#344](https://github.com/klauspost/compress/pull/344) [#345](https://github.com/klauspost/compress/pull/345) + * zstd: Add [WithLowerEncoderMem](https://pkg.go.dev/github.com/klauspost/compress/zstd#WithLowerEncoderMem) encoder option [#336](https://github.com/klauspost/compress/pull/336) + * deflate: Improve entropy compression [#338](https://github.com/klauspost/compress/pull/338) + * s2: Clean up and minor performance improvement in best [#341](https://github.com/klauspost/compress/pull/341) + +* Mar 5, 2021 (v1.11.12) + * s2: Add `s2sx` binary that creates [self extracting archives](https://github.com/klauspost/compress/tree/master/s2#s2sx-self-extracting-archives). + * s2: Speed up decompression on non-assembly platforms [#328](https://github.com/klauspost/compress/pull/328) + +* Mar 1, 2021 (v1.11.9) + * s2: Add ARM64 decompression assembly. Around 2x output speed. [#324](https://github.com/klauspost/compress/pull/324) + * s2: Improve "better" speed and efficiency. [#325](https://github.com/klauspost/compress/pull/325) + * s2: Fix binaries. + +* Feb 25, 2021 (v1.11.8) + * s2: Fixed occasional out-of-bounds write on amd64. Upgrade recommended. + * s2: Add AMD64 assembly for better mode. 25-50% faster. [#315](https://github.com/klauspost/compress/pull/315) + * s2: Less upfront decoder allocation. [#322](https://github.com/klauspost/compress/pull/322) + * zstd: Faster "compression" of incompressible data. [#314](https://github.com/klauspost/compress/pull/314) + * zip: Fix zip64 headers. [#313](https://github.com/klauspost/compress/pull/313) + +* Jan 14, 2021 (v1.11.7) + * Use Bytes() interface to get bytes across packages. [#309](https://github.com/klauspost/compress/pull/309) + * s2: Add 'best' compression option. [#310](https://github.com/klauspost/compress/pull/310) + * s2: Add ReaderMaxBlockSize, changes `s2.NewReader` signature to include varargs. [#311](https://github.com/klauspost/compress/pull/311) + * s2: Fix crash on small better buffers. [#308](https://github.com/klauspost/compress/pull/308) + * s2: Clean up decoder. [#312](https://github.com/klauspost/compress/pull/312) + +* Jan 7, 2021 (v1.11.6) + * zstd: Make decoder allocations smaller [#306](https://github.com/klauspost/compress/pull/306) + * zstd: Free Decoder resources when Reset is called with a nil io.Reader [#305](https://github.com/klauspost/compress/pull/305) + +* Dec 20, 2020 (v1.11.4) + * zstd: Add Best compression mode [#304](https://github.com/klauspost/compress/pull/304) + * Add header decoder [#299](https://github.com/klauspost/compress/pull/299) + * s2: Add uncompressed stream option [#297](https://github.com/klauspost/compress/pull/297) + * Simplify/speed up small blocks with known max size. [#300](https://github.com/klauspost/compress/pull/300) + * zstd: Always reset literal dict encoder [#303](https://github.com/klauspost/compress/pull/303) + +* Nov 15, 2020 (v1.11.3) + * inflate: 10-15% faster decompression [#293](https://github.com/klauspost/compress/pull/293) + * zstd: Tweak DecodeAll default allocation [#295](https://github.com/klauspost/compress/pull/295) + +* Oct 11, 2020 (v1.11.2) + * s2: Fix out of bounds read in "better" block compression [#291](https://github.com/klauspost/compress/pull/291) + +* Oct 1, 2020 (v1.11.1) + * zstd: Set allLitEntropy true in default configuration [#286](https://github.com/klauspost/compress/pull/286) + +* Sept 8, 2020 (v1.11.0) + * zstd: Add experimental compression [dictionaries](https://github.com/klauspost/compress/tree/master/zstd#dictionaries) [#281](https://github.com/klauspost/compress/pull/281) + * zstd: Fix mixed Write and ReadFrom calls [#282](https://github.com/klauspost/compress/pull/282) + * inflate/gz: Limit variable shifts, ~5% faster decompression [#274](https://github.com/klauspost/compress/pull/274) +
+ +
+ See changes to v1.10.x + +* July 8, 2020 (v1.10.11) + * zstd: Fix extra block when compressing with ReadFrom. [#278](https://github.com/klauspost/compress/pull/278) + * huff0: Also populate compression table when reading decoding table. [#275](https://github.com/klauspost/compress/pull/275) + +* June 23, 2020 (v1.10.10) + * zstd: Skip entropy compression in fastest mode when no matches. [#270](https://github.com/klauspost/compress/pull/270) + +* June 16, 2020 (v1.10.9): + * zstd: API change for specifying dictionaries. See [#268](https://github.com/klauspost/compress/pull/268) + * zip: update CreateHeaderRaw to handle zip64 fields. [#266](https://github.com/klauspost/compress/pull/266) + * Fuzzit tests removed. The service has been purchased and is no longer available. + +* June 5, 2020 (v1.10.8): + * 1.15x faster zstd block decompression. [#265](https://github.com/klauspost/compress/pull/265) + +* June 1, 2020 (v1.10.7): + * Added zstd decompression [dictionary support](https://github.com/klauspost/compress/tree/master/zstd#dictionaries) + * Increase zstd decompression speed up to 1.19x. [#259](https://github.com/klauspost/compress/pull/259) + * Remove internal reset call in zstd compression and reduce allocations. [#263](https://github.com/klauspost/compress/pull/263) + +* May 21, 2020: (v1.10.6) + * zstd: Reduce allocations while decoding. [#258](https://github.com/klauspost/compress/pull/258), [#252](https://github.com/klauspost/compress/pull/252) + * zstd: Stricter decompression checks. + +* April 12, 2020: (v1.10.5) + * s2-commands: Flush output when receiving SIGINT. [#239](https://github.com/klauspost/compress/pull/239) + +* Apr 8, 2020: (v1.10.4) + * zstd: Minor/special case optimizations. [#251](https://github.com/klauspost/compress/pull/251), [#250](https://github.com/klauspost/compress/pull/250), [#249](https://github.com/klauspost/compress/pull/249), [#247](https://github.com/klauspost/compress/pull/247) +* Mar 11, 2020: (v1.10.3) + * s2: Use S2 encoder in pure Go mode for Snappy output as well. [#245](https://github.com/klauspost/compress/pull/245) + * s2: Fix pure Go block encoder. [#244](https://github.com/klauspost/compress/pull/244) + * zstd: Added "better compression" mode. [#240](https://github.com/klauspost/compress/pull/240) + * zstd: Improve speed of fastest compression mode by 5-10% [#241](https://github.com/klauspost/compress/pull/241) + * zstd: Skip creating encoders when not needed. [#238](https://github.com/klauspost/compress/pull/238) + +* Feb 27, 2020: (v1.10.2) + * Close to 50% speedup in inflate (gzip/zip decompression). [#236](https://github.com/klauspost/compress/pull/236) [#234](https://github.com/klauspost/compress/pull/234) [#232](https://github.com/klauspost/compress/pull/232) + * Reduce deflate level 1-6 memory usage up to 59%. [#227](https://github.com/klauspost/compress/pull/227) + +* Feb 18, 2020: (v1.10.1) + * Fix zstd crash when resetting multiple times without sending data. [#226](https://github.com/klauspost/compress/pull/226) + * deflate: Fix dictionary use on level 1-6. [#224](https://github.com/klauspost/compress/pull/224) + * Remove deflate writer reference when closing. [#224](https://github.com/klauspost/compress/pull/224) + +* Feb 4, 2020: (v1.10.0) + * Add optional dictionary to [stateless deflate](https://pkg.go.dev/github.com/klauspost/compress/flate?tab=doc#StatelessDeflate). Breaking change, send `nil` for previous behaviour. [#216](https://github.com/klauspost/compress/pull/216) + * Fix buffer overflow on repeated small block deflate. [#218](https://github.com/klauspost/compress/pull/218) + * Allow copying content from an existing ZIP file without decompressing+compressing. [#214](https://github.com/klauspost/compress/pull/214) + * Added [S2](https://github.com/klauspost/compress/tree/master/s2#s2-compression) AMD64 assembler and various optimizations. Stream speed >10GB/s. [#186](https://github.com/klauspost/compress/pull/186) + +
+ +
+ See changes prior to v1.10.0 + +* Jan 20,2020 (v1.9.8) Optimize gzip/deflate with better size estimates and faster table generation. [#207](https://github.com/klauspost/compress/pull/207) by [luyu6056](https://github.com/luyu6056), [#206](https://github.com/klauspost/compress/pull/206). +* Jan 11, 2020: S2 Encode/Decode will use provided buffer if capacity is big enough. [#204](https://github.com/klauspost/compress/pull/204) +* Jan 5, 2020: (v1.9.7) Fix another zstd regression in v1.9.5 - v1.9.6 removed. +* Jan 4, 2020: (v1.9.6) Regression in v1.9.5 fixed causing corrupt zstd encodes in rare cases. +* Jan 4, 2020: Faster IO in [s2c + s2d commandline tools](https://github.com/klauspost/compress/tree/master/s2#commandline-tools) compression/decompression. [#192](https://github.com/klauspost/compress/pull/192) +* Dec 29, 2019: Removed v1.9.5 since fuzz tests showed a compatibility problem with the reference zstandard decoder. +* Dec 29, 2019: (v1.9.5) zstd: 10-20% faster block compression. [#199](https://github.com/klauspost/compress/pull/199) +* Dec 29, 2019: [zip](https://godoc.org/github.com/klauspost/compress/zip) package updated with latest Go features +* Dec 29, 2019: zstd: Single segment flag condintions tweaked. [#197](https://github.com/klauspost/compress/pull/197) +* Dec 18, 2019: s2: Faster compression when ReadFrom is used. [#198](https://github.com/klauspost/compress/pull/198) +* Dec 10, 2019: s2: Fix repeat length output when just above at 16MB limit. +* Dec 10, 2019: zstd: Add function to get decoder as io.ReadCloser. [#191](https://github.com/klauspost/compress/pull/191) +* Dec 3, 2019: (v1.9.4) S2: limit max repeat length. [#188](https://github.com/klauspost/compress/pull/188) +* Dec 3, 2019: Add [WithNoEntropyCompression](https://godoc.org/github.com/klauspost/compress/zstd#WithNoEntropyCompression) to zstd [#187](https://github.com/klauspost/compress/pull/187) +* Dec 3, 2019: Reduce memory use for tests. Check for leaked goroutines. +* Nov 28, 2019 (v1.9.3) Less allocations in stateless deflate. +* Nov 28, 2019: 5-20% Faster huff0 decode. Impacts zstd as well. [#184](https://github.com/klauspost/compress/pull/184) +* Nov 12, 2019 (v1.9.2) Added [Stateless Compression](#stateless-compression) for gzip/deflate. +* Nov 12, 2019: Fixed zstd decompression of large single blocks. [#180](https://github.com/klauspost/compress/pull/180) +* Nov 11, 2019: Set default [s2c](https://github.com/klauspost/compress/tree/master/s2#commandline-tools) block size to 4MB. +* Nov 11, 2019: Reduce inflate memory use by 1KB. +* Nov 10, 2019: Less allocations in deflate bit writer. +* Nov 10, 2019: Fix inconsistent error returned by zstd decoder. +* Oct 28, 2019 (v1.9.1) ztsd: Fix crash when compressing blocks. [#174](https://github.com/klauspost/compress/pull/174) +* Oct 24, 2019 (v1.9.0) zstd: Fix rare data corruption [#173](https://github.com/klauspost/compress/pull/173) +* Oct 24, 2019 zstd: Fix huff0 out of buffer write [#171](https://github.com/klauspost/compress/pull/171) and always return errors [#172](https://github.com/klauspost/compress/pull/172) +* Oct 10, 2019: Big deflate rewrite, 30-40% faster with better compression [#105](https://github.com/klauspost/compress/pull/105) + +
+ +
+ See changes prior to v1.9.0 + +* Oct 10, 2019: (v1.8.6) zstd: Allow partial reads to get flushed data. [#169](https://github.com/klauspost/compress/pull/169) +* Oct 3, 2019: Fix inconsistent results on broken zstd streams. +* Sep 25, 2019: Added `-rm` (remove source files) and `-q` (no output except errors) to `s2c` and `s2d` [commands](https://github.com/klauspost/compress/tree/master/s2#commandline-tools) +* Sep 16, 2019: (v1.8.4) Add `s2c` and `s2d` [commandline tools](https://github.com/klauspost/compress/tree/master/s2#commandline-tools). +* Sep 10, 2019: (v1.8.3) Fix s2 decoder [Skip](https://godoc.org/github.com/klauspost/compress/s2#Reader.Skip). +* Sep 7, 2019: zstd: Added [WithWindowSize](https://godoc.org/github.com/klauspost/compress/zstd#WithWindowSize), contributed by [ianwilkes](https://github.com/ianwilkes). +* Sep 5, 2019: (v1.8.2) Add [WithZeroFrames](https://godoc.org/github.com/klauspost/compress/zstd#WithZeroFrames) which adds full zero payload block encoding option. +* Sep 5, 2019: Lazy initialization of zstandard predefined en/decoder tables. +* Aug 26, 2019: (v1.8.1) S2: 1-2% compression increase in "better" compression mode. +* Aug 26, 2019: zstd: Check maximum size of Huffman 1X compressed literals while decoding. +* Aug 24, 2019: (v1.8.0) Added [S2 compression](https://github.com/klauspost/compress/tree/master/s2#s2-compression), a high performance replacement for Snappy. +* Aug 21, 2019: (v1.7.6) Fixed minor issues found by fuzzer. One could lead to zstd not decompressing. +* Aug 18, 2019: Add [fuzzit](https://fuzzit.dev/) continuous fuzzing. +* Aug 14, 2019: zstd: Skip incompressible data 2x faster. [#147](https://github.com/klauspost/compress/pull/147) +* Aug 4, 2019 (v1.7.5): Better literal compression. [#146](https://github.com/klauspost/compress/pull/146) +* Aug 4, 2019: Faster zstd compression. [#143](https://github.com/klauspost/compress/pull/143) [#144](https://github.com/klauspost/compress/pull/144) +* Aug 4, 2019: Faster zstd decompression. [#145](https://github.com/klauspost/compress/pull/145) [#143](https://github.com/klauspost/compress/pull/143) [#142](https://github.com/klauspost/compress/pull/142) +* July 15, 2019 (v1.7.4): Fix double EOF block in rare cases on zstd encoder. +* July 15, 2019 (v1.7.3): Minor speedup/compression increase in default zstd encoder. +* July 14, 2019: zstd decoder: Fix decompression error on multiple uses with mixed content. +* July 7, 2019 (v1.7.2): Snappy update, zstd decoder potential race fix. +* June 17, 2019: zstd decompression bugfix. +* June 17, 2019: fix 32 bit builds. +* June 17, 2019: Easier use in modules (less dependencies). +* June 9, 2019: New stronger "default" [zstd](https://github.com/klauspost/compress/tree/master/zstd#zstd) compression mode. Matches zstd default compression ratio. +* June 5, 2019: 20-40% throughput in [zstandard](https://github.com/klauspost/compress/tree/master/zstd#zstd) compression and better compression. +* June 5, 2019: deflate/gzip compression: Reduce memory usage of lower compression levels. +* June 2, 2019: Added [zstandard](https://github.com/klauspost/compress/tree/master/zstd#zstd) compression! +* May 25, 2019: deflate/gzip: 10% faster bit writer, mostly visible in lower levels. +* Apr 22, 2019: [zstd](https://github.com/klauspost/compress/tree/master/zstd#zstd) decompression added. +* Aug 1, 2018: Added [huff0 README](https://github.com/klauspost/compress/tree/master/huff0#huff0-entropy-compression). +* Jul 8, 2018: Added [Performance Update 2018](#performance-update-2018) below. +* Jun 23, 2018: Merged [Go 1.11 inflate optimizations](https://go-review.googlesource.com/c/go/+/102235). Go 1.9 is now required. Backwards compatible version tagged with [v1.3.0](https://github.com/klauspost/compress/releases/tag/v1.3.0). +* Apr 2, 2018: Added [huff0](https://godoc.org/github.com/klauspost/compress/huff0) en/decoder. Experimental for now, API may change. +* Mar 4, 2018: Added [FSE Entropy](https://godoc.org/github.com/klauspost/compress/fse) en/decoder. Experimental for now, API may change. +* Nov 3, 2017: Add compression [Estimate](https://godoc.org/github.com/klauspost/compress#Estimate) function. +* May 28, 2017: Reduce allocations when resetting decoder. +* Apr 02, 2017: Change back to official crc32, since changes were merged in Go 1.7. +* Jan 14, 2017: Reduce stack pressure due to array copies. See [Issue #18625](https://github.com/golang/go/issues/18625). +* Oct 25, 2016: Level 2-4 have been rewritten and now offers significantly better performance than before. +* Oct 20, 2016: Port zlib changes from Go 1.7 to fix zlib writer issue. Please update. +* Oct 16, 2016: Go 1.7 changes merged. Apples to apples this package is a few percent faster, but has a significantly better balance between speed and compression per level. +* Mar 24, 2016: Always attempt Huffman encoding on level 4-7. This improves base 64 encoded data compression. +* Mar 24, 2016: Small speedup for level 1-3. +* Feb 19, 2016: Faster bit writer, level -2 is 15% faster, level 1 is 4% faster. +* Feb 19, 2016: Handle small payloads faster in level 1-3. +* Feb 19, 2016: Added faster level 2 + 3 compression modes. +* Feb 19, 2016: [Rebalanced compression levels](https://blog.klauspost.com/rebalancing-deflate-compression-levels/), so there is a more even progression in terms of compression. New default level is 5. +* Feb 14, 2016: Snappy: Merge upstream changes. +* Feb 14, 2016: Snappy: Fix aggressive skipping. +* Feb 14, 2016: Snappy: Update benchmark. +* Feb 13, 2016: Deflate: Fixed assembler problem that could lead to sub-optimal compression. +* Feb 12, 2016: Snappy: Added AMD64 SSE 4.2 optimizations to matching, which makes easy to compress material run faster. Typical speedup is around 25%. +* Feb 9, 2016: Added Snappy package fork. This version is 5-7% faster, much more on hard to compress content. +* Jan 30, 2016: Optimize level 1 to 3 by not considering static dictionary or storing uncompressed. ~4-5% speedup. +* Jan 16, 2016: Optimization on deflate level 1,2,3 compression. +* Jan 8 2016: Merge [CL 18317](https://go-review.googlesource.com/#/c/18317): fix reading, writing of zip64 archives. +* Dec 8 2015: Make level 1 and -2 deterministic even if write size differs. +* Dec 8 2015: Split encoding functions, so hashing and matching can potentially be inlined. 1-3% faster on AMD64. 5% faster on other platforms. +* Dec 8 2015: Fixed rare [one byte out-of bounds read](https://github.com/klauspost/compress/issues/20). Please update! +* Nov 23 2015: Optimization on token writer. ~2-4% faster. Contributed by [@dsnet](https://github.com/dsnet). +* Nov 20 2015: Small optimization to bit writer on 64 bit systems. +* Nov 17 2015: Fixed out-of-bound errors if the underlying Writer returned an error. See [#15](https://github.com/klauspost/compress/issues/15). +* Nov 12 2015: Added [io.WriterTo](https://golang.org/pkg/io/#WriterTo) support to gzip/inflate. +* Nov 11 2015: Merged [CL 16669](https://go-review.googlesource.com/#/c/16669/4): archive/zip: enable overriding (de)compressors per file +* Oct 15 2015: Added skipping on uncompressible data. Random data speed up >5x. + +
+ +# deflate usage + +The packages are drop-in replacements for standard libraries. Simply replace the import path to use them: + +Typical speed is about 2x of the standard library packages. + +| old import | new import | Documentation | +|------------------|---------------------------------------|-------------------------------------------------------------------------| +| `compress/gzip` | `github.com/klauspost/compress/gzip` | [gzip](https://pkg.go.dev/github.com/klauspost/compress/gzip?tab=doc) | +| `compress/zlib` | `github.com/klauspost/compress/zlib` | [zlib](https://pkg.go.dev/github.com/klauspost/compress/zlib?tab=doc) | +| `archive/zip` | `github.com/klauspost/compress/zip` | [zip](https://pkg.go.dev/github.com/klauspost/compress/zip?tab=doc) | +| `compress/flate` | `github.com/klauspost/compress/flate` | [flate](https://pkg.go.dev/github.com/klauspost/compress/flate?tab=doc) | + +* Optimized [deflate](https://godoc.org/github.com/klauspost/compress/flate) packages which can be used as a dropin replacement for [gzip](https://godoc.org/github.com/klauspost/compress/gzip), [zip](https://godoc.org/github.com/klauspost/compress/zip) and [zlib](https://godoc.org/github.com/klauspost/compress/zlib). + +You may also be interested in [pgzip](https://github.com/klauspost/pgzip), which is a drop in replacement for gzip, which support multithreaded compression on big files and the optimized [crc32](https://github.com/klauspost/crc32) package used by these packages. + +The packages contains the same as the standard library, so you can use the godoc for that: [gzip](http://golang.org/pkg/compress/gzip/), [zip](http://golang.org/pkg/archive/zip/), [zlib](http://golang.org/pkg/compress/zlib/), [flate](http://golang.org/pkg/compress/flate/). + +Currently there is only minor speedup on decompression (mostly CRC32 calculation). + +Memory usage is typically 1MB for a Writer. stdlib is in the same range. +If you expect to have a lot of concurrently allocated Writers consider using +the stateless compress described below. + +For compression performance, see: [this spreadsheet](https://docs.google.com/spreadsheets/d/1nuNE2nPfuINCZJRMt6wFWhKpToF95I47XjSsc-1rbPQ/edit?usp=sharing). + +To disable all assembly add `-tags=noasm`. This works across all packages. + +# Stateless compression + +This package offers stateless compression as a special option for gzip/deflate. +It will do compression but without maintaining any state between Write calls. + +This means there will be no memory kept between Write calls, but compression and speed will be suboptimal. + +This is only relevant in cases where you expect to run many thousands of compressors concurrently, +but with very little activity. This is *not* intended for regular web servers serving individual requests. + +Because of this, the size of actual Write calls will affect output size. + +In gzip, specify level `-3` / `gzip.StatelessCompression` to enable. + +For direct deflate use, NewStatelessWriter and StatelessDeflate are available. See [documentation](https://godoc.org/github.com/klauspost/compress/flate#NewStatelessWriter) + +A `bufio.Writer` can of course be used to control write sizes. For example, to use a 4KB buffer: + +```go + // replace 'ioutil.Discard' with your output. + gzw, err := gzip.NewWriterLevel(ioutil.Discard, gzip.StatelessCompression) + if err != nil { + return err + } + defer gzw.Close() + + w := bufio.NewWriterSize(gzw, 4096) + defer w.Flush() + + // Write to 'w' +``` + +This will only use up to 4KB in memory when the writer is idle. + +Compression is almost always worse than the fastest compression level +and each write will allocate (a little) memory. + + +# Other packages + +Here are other packages of good quality and pure Go (no cgo wrappers or autoconverted code): + +* [github.com/pierrec/lz4](https://github.com/pierrec/lz4) - strong multithreaded LZ4 compression. +* [github.com/cosnicolaou/pbzip2](https://github.com/cosnicolaou/pbzip2) - multithreaded bzip2 decompression. +* [github.com/dsnet/compress](https://github.com/dsnet/compress) - brotli decompression, bzip2 writer. +* [github.com/ronanh/intcomp](https://github.com/ronanh/intcomp) - Integer compression. +* [github.com/spenczar/fpc](https://github.com/spenczar/fpc) - Float compression. +* [github.com/minio/zipindex](https://github.com/minio/zipindex) - External ZIP directory index. +* [github.com/ybirader/pzip](https://github.com/ybirader/pzip) - Fast concurrent zip archiver and extractor. + +# license + +This code is licensed under the same conditions as the original Go code. See LICENSE file. diff --git a/vendor/github.com/klauspost/compress/SECURITY.md b/vendor/github.com/klauspost/compress/SECURITY.md new file mode 100644 index 0000000000..ca6685e2b7 --- /dev/null +++ b/vendor/github.com/klauspost/compress/SECURITY.md @@ -0,0 +1,25 @@ +# Security Policy + +## Supported Versions + +Security updates are applied only to the latest release. + +## Vulnerability Definition + +A security vulnerability is a bug that with certain input triggers a crash or an infinite loop. Most calls will have varying execution time and only in rare cases will slow operation be considered a security vulnerability. + +Corrupted output generally is not considered a security vulnerability, unless independent operations are able to affect each other. Note that not all functionality is re-entrant and safe to use concurrently. + +Out-of-memory crashes only applies if the en/decoder uses an abnormal amount of memory, with appropriate options applied, to limit maximum window size, concurrency, etc. However, if you are in doubt you are welcome to file a security issue. + +It is assumed that all callers are trusted, meaning internal data exposed through reflection or inspection of returned data structures is not considered a vulnerability. + +Vulnerabilities resulting from compiler/assembler errors should be reported upstream. Depending on the severity this package may or may not implement a workaround. + +## Reporting a Vulnerability + +If you have discovered a security vulnerability in this project, please report it privately. **Do not disclose it as a public issue.** This gives us time to work with you to fix the issue before public exposure, reducing the chance that the exploit will be used before a patch is released. + +Please disclose it at [security advisory](https://github.com/klauspost/compress/security/advisories/new). If possible please provide a minimal reproducer. If the issue only applies to a single platform, it would be helpful to provide access to that. + +This project is maintained by a team of volunteers on a reasonable-effort basis. As such, vulnerabilities will be disclosed in a best effort base. diff --git a/vendor/github.com/klauspost/compress/compressible.go b/vendor/github.com/klauspost/compress/compressible.go new file mode 100644 index 0000000000..ea5a692d51 --- /dev/null +++ b/vendor/github.com/klauspost/compress/compressible.go @@ -0,0 +1,85 @@ +package compress + +import "math" + +// Estimate returns a normalized compressibility estimate of block b. +// Values close to zero are likely uncompressible. +// Values above 0.1 are likely to be compressible. +// Values above 0.5 are very compressible. +// Very small lengths will return 0. +func Estimate(b []byte) float64 { + if len(b) < 16 { + return 0 + } + + // Correctly predicted order 1 + hits := 0 + lastMatch := false + var o1 [256]byte + var hist [256]int + c1 := byte(0) + for _, c := range b { + if c == o1[c1] { + // We only count a hit if there was two correct predictions in a row. + if lastMatch { + hits++ + } + lastMatch = true + } else { + lastMatch = false + } + o1[c1] = c + c1 = c + hist[c]++ + } + + // Use x^0.6 to give better spread + prediction := math.Pow(float64(hits)/float64(len(b)), 0.6) + + // Calculate histogram distribution + variance := float64(0) + avg := float64(len(b)) / 256 + + for _, v := range hist { + Δ := float64(v) - avg + variance += Δ * Δ + } + + stddev := math.Sqrt(float64(variance)) / float64(len(b)) + exp := math.Sqrt(1 / float64(len(b))) + + // Subtract expected stddev + stddev -= exp + if stddev < 0 { + stddev = 0 + } + stddev *= 1 + exp + + // Use x^0.4 to give better spread + entropy := math.Pow(stddev, 0.4) + + // 50/50 weight between prediction and histogram distribution + return math.Pow((prediction+entropy)/2, 0.9) +} + +// ShannonEntropyBits returns the number of bits minimum required to represent +// an entropy encoding of the input bytes. +// https://en.wiktionary.org/wiki/Shannon_entropy +func ShannonEntropyBits(b []byte) int { + if len(b) == 0 { + return 0 + } + var hist [256]int + for _, c := range b { + hist[c]++ + } + shannon := float64(0) + invTotal := 1.0 / float64(len(b)) + for _, v := range hist[:] { + if v > 0 { + n := float64(v) + shannon += math.Ceil(-math.Log2(n*invTotal) * n) + } + } + return int(math.Ceil(shannon)) +} diff --git a/vendor/github.com/klauspost/compress/fse/README.md b/vendor/github.com/klauspost/compress/fse/README.md new file mode 100644 index 0000000000..ea7324da67 --- /dev/null +++ b/vendor/github.com/klauspost/compress/fse/README.md @@ -0,0 +1,79 @@ +# Finite State Entropy + +This package provides Finite State Entropy encoding and decoding. + +Finite State Entropy (also referenced as [tANS](https://en.wikipedia.org/wiki/Asymmetric_numeral_systems#tANS)) +encoding provides a fast near-optimal symbol encoding/decoding +for byte blocks as implemented in [zstandard](https://github.com/facebook/zstd). + +This can be used for compressing input with a lot of similar input values to the smallest number of bytes. +This does not perform any multi-byte [dictionary coding](https://en.wikipedia.org/wiki/Dictionary_coder) as LZ coders, +but it can be used as a secondary step to compressors (like Snappy) that does not do entropy encoding. + +* [Godoc documentation](https://godoc.org/github.com/klauspost/compress/fse) + +## News + + * Feb 2018: First implementation released. Consider this beta software for now. + +# Usage + +This package provides a low level interface that allows to compress single independent blocks. + +Each block is separate, and there is no built in integrity checks. +This means that the caller should keep track of block sizes and also do checksums if needed. + +Compressing a block is done via the [`Compress`](https://godoc.org/github.com/klauspost/compress/fse#Compress) function. +You must provide input and will receive the output and maybe an error. + +These error values can be returned: + +| Error | Description | +|---------------------|-----------------------------------------------------------------------------| +| `` | Everything ok, output is returned | +| `ErrIncompressible` | Returned when input is judged to be too hard to compress | +| `ErrUseRLE` | Returned from the compressor when the input is a single byte value repeated | +| `(error)` | An internal error occurred. | + +As can be seen above there are errors that will be returned even under normal operation so it is important to handle these. + +To reduce allocations you can provide a [`Scratch`](https://godoc.org/github.com/klauspost/compress/fse#Scratch) object +that can be re-used for successive calls. Both compression and decompression accepts a `Scratch` object, and the same +object can be used for both. + +Be aware, that when re-using a `Scratch` object that the *output* buffer is also re-used, so if you are still using this +you must set the `Out` field in the scratch to nil. The same buffer is used for compression and decompression output. + +Decompressing is done by calling the [`Decompress`](https://godoc.org/github.com/klauspost/compress/fse#Decompress) function. +You must provide the output from the compression stage, at exactly the size you got back. If you receive an error back +your input was likely corrupted. + +It is important to note that a successful decoding does *not* mean your output matches your original input. +There are no integrity checks, so relying on errors from the decompressor does not assure your data is valid. + +For more detailed usage, see examples in the [godoc documentation](https://godoc.org/github.com/klauspost/compress/fse#pkg-examples). + +# Performance + +A lot of factors are affecting speed. Block sizes and compressibility of the material are primary factors. +All compression functions are currently only running on the calling goroutine so only one core will be used per block. + +The compressor is significantly faster if symbols are kept as small as possible. The highest byte value of the input +is used to reduce some of the processing, so if all your input is above byte value 64 for instance, it may be +beneficial to transpose all your input values down by 64. + +With moderate block sizes around 64k speed are typically 200MB/s per core for compression and +around 300MB/s decompression speed. + +The same hardware typically does Huffman (deflate) encoding at 125MB/s and decompression at 100MB/s. + +# Plans + +At one point, more internals will be exposed to facilitate more "expert" usage of the components. + +A streaming interface is also likely to be implemented. Likely compatible with [FSE stream format](https://github.com/Cyan4973/FiniteStateEntropy/blob/dev/programs/fileio.c#L261). + +# Contributing + +Contributions are always welcome. Be aware that adding public functions will require good justification and breaking +changes will likely not be accepted. If in doubt open an issue before writing the PR. \ No newline at end of file diff --git a/vendor/github.com/klauspost/compress/fse/bitreader.go b/vendor/github.com/klauspost/compress/fse/bitreader.go new file mode 100644 index 0000000000..f65eb3909c --- /dev/null +++ b/vendor/github.com/klauspost/compress/fse/bitreader.go @@ -0,0 +1,122 @@ +// Copyright 2018 Klaus Post. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. +// Based on work Copyright (c) 2013, Yann Collet, released under BSD License. + +package fse + +import ( + "encoding/binary" + "errors" + "io" +) + +// bitReader reads a bitstream in reverse. +// The last set bit indicates the start of the stream and is used +// for aligning the input. +type bitReader struct { + in []byte + off uint // next byte to read is at in[off - 1] + value uint64 + bitsRead uint8 +} + +// init initializes and resets the bit reader. +func (b *bitReader) init(in []byte) error { + if len(in) < 1 { + return errors.New("corrupt stream: too short") + } + b.in = in + b.off = uint(len(in)) + // The highest bit of the last byte indicates where to start + v := in[len(in)-1] + if v == 0 { + return errors.New("corrupt stream, did not find end of stream") + } + b.bitsRead = 64 + b.value = 0 + if len(in) >= 8 { + b.fillFastStart() + } else { + b.fill() + b.fill() + } + b.bitsRead += 8 - uint8(highBits(uint32(v))) + return nil +} + +// getBits will return n bits. n can be 0. +func (b *bitReader) getBits(n uint8) uint16 { + if n == 0 || b.bitsRead >= 64 { + return 0 + } + return b.getBitsFast(n) +} + +// getBitsFast requires that at least one bit is requested every time. +// There are no checks if the buffer is filled. +func (b *bitReader) getBitsFast(n uint8) uint16 { + const regMask = 64 - 1 + v := uint16((b.value << (b.bitsRead & regMask)) >> ((regMask + 1 - n) & regMask)) + b.bitsRead += n + return v +} + +// fillFast() will make sure at least 32 bits are available. +// There must be at least 4 bytes available. +func (b *bitReader) fillFast() { + if b.bitsRead < 32 { + return + } + // 2 bounds checks. + v := b.in[b.off-4:] + v = v[:4] + low := (uint32(v[0])) | (uint32(v[1]) << 8) | (uint32(v[2]) << 16) | (uint32(v[3]) << 24) + b.value = (b.value << 32) | uint64(low) + b.bitsRead -= 32 + b.off -= 4 +} + +// fill() will make sure at least 32 bits are available. +func (b *bitReader) fill() { + if b.bitsRead < 32 { + return + } + if b.off > 4 { + v := b.in[b.off-4:] + v = v[:4] + low := (uint32(v[0])) | (uint32(v[1]) << 8) | (uint32(v[2]) << 16) | (uint32(v[3]) << 24) + b.value = (b.value << 32) | uint64(low) + b.bitsRead -= 32 + b.off -= 4 + return + } + for b.off > 0 { + b.value = (b.value << 8) | uint64(b.in[b.off-1]) + b.bitsRead -= 8 + b.off-- + } +} + +// fillFastStart() assumes the bitreader is empty and there is at least 8 bytes to read. +func (b *bitReader) fillFastStart() { + // Do single re-slice to avoid bounds checks. + b.value = binary.LittleEndian.Uint64(b.in[b.off-8:]) + b.bitsRead = 0 + b.off -= 8 +} + +// finished returns true if all bits have been read from the bit stream. +func (b *bitReader) finished() bool { + return b.bitsRead >= 64 && b.off == 0 +} + +// close the bitstream and returns an error if out-of-buffer reads occurred. +func (b *bitReader) close() error { + // Release reference. + b.in = nil + if b.bitsRead > 64 { + return io.ErrUnexpectedEOF + } + return nil +} diff --git a/vendor/github.com/klauspost/compress/fse/bitwriter.go b/vendor/github.com/klauspost/compress/fse/bitwriter.go new file mode 100644 index 0000000000..e82fa3bb7b --- /dev/null +++ b/vendor/github.com/klauspost/compress/fse/bitwriter.go @@ -0,0 +1,167 @@ +// Copyright 2018 Klaus Post. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. +// Based on work Copyright (c) 2013, Yann Collet, released under BSD License. + +package fse + +import "fmt" + +// bitWriter will write bits. +// First bit will be LSB of the first byte of output. +type bitWriter struct { + bitContainer uint64 + nBits uint8 + out []byte +} + +// bitMask16 is bitmasks. Has extra to avoid bounds check. +var bitMask16 = [32]uint16{ + 0, 1, 3, 7, 0xF, 0x1F, + 0x3F, 0x7F, 0xFF, 0x1FF, 0x3FF, 0x7FF, + 0xFFF, 0x1FFF, 0x3FFF, 0x7FFF, 0xFFFF, 0xFFFF, + 0xFFFF, 0xFFFF, 0xFFFF, 0xFFFF, 0xFFFF, 0xFFFF, + 0xFFFF, 0xFFFF} /* up to 16 bits */ + +// addBits16NC will add up to 16 bits. +// It will not check if there is space for them, +// so the caller must ensure that it has flushed recently. +func (b *bitWriter) addBits16NC(value uint16, bits uint8) { + b.bitContainer |= uint64(value&bitMask16[bits&31]) << (b.nBits & 63) + b.nBits += bits +} + +// addBits16Clean will add up to 16 bits. value may not contain more set bits than indicated. +// It will not check if there is space for them, so the caller must ensure that it has flushed recently. +func (b *bitWriter) addBits16Clean(value uint16, bits uint8) { + b.bitContainer |= uint64(value) << (b.nBits & 63) + b.nBits += bits +} + +// addBits16ZeroNC will add up to 16 bits. +// It will not check if there is space for them, +// so the caller must ensure that it has flushed recently. +// This is fastest if bits can be zero. +func (b *bitWriter) addBits16ZeroNC(value uint16, bits uint8) { + if bits == 0 { + return + } + value <<= (16 - bits) & 15 + value >>= (16 - bits) & 15 + b.bitContainer |= uint64(value) << (b.nBits & 63) + b.nBits += bits +} + +// flush will flush all pending full bytes. +// There will be at least 56 bits available for writing when this has been called. +// Using flush32 is faster, but leaves less space for writing. +func (b *bitWriter) flush() { + v := b.nBits >> 3 + switch v { + case 0: + case 1: + b.out = append(b.out, + byte(b.bitContainer), + ) + case 2: + b.out = append(b.out, + byte(b.bitContainer), + byte(b.bitContainer>>8), + ) + case 3: + b.out = append(b.out, + byte(b.bitContainer), + byte(b.bitContainer>>8), + byte(b.bitContainer>>16), + ) + case 4: + b.out = append(b.out, + byte(b.bitContainer), + byte(b.bitContainer>>8), + byte(b.bitContainer>>16), + byte(b.bitContainer>>24), + ) + case 5: + b.out = append(b.out, + byte(b.bitContainer), + byte(b.bitContainer>>8), + byte(b.bitContainer>>16), + byte(b.bitContainer>>24), + byte(b.bitContainer>>32), + ) + case 6: + b.out = append(b.out, + byte(b.bitContainer), + byte(b.bitContainer>>8), + byte(b.bitContainer>>16), + byte(b.bitContainer>>24), + byte(b.bitContainer>>32), + byte(b.bitContainer>>40), + ) + case 7: + b.out = append(b.out, + byte(b.bitContainer), + byte(b.bitContainer>>8), + byte(b.bitContainer>>16), + byte(b.bitContainer>>24), + byte(b.bitContainer>>32), + byte(b.bitContainer>>40), + byte(b.bitContainer>>48), + ) + case 8: + b.out = append(b.out, + byte(b.bitContainer), + byte(b.bitContainer>>8), + byte(b.bitContainer>>16), + byte(b.bitContainer>>24), + byte(b.bitContainer>>32), + byte(b.bitContainer>>40), + byte(b.bitContainer>>48), + byte(b.bitContainer>>56), + ) + default: + panic(fmt.Errorf("bits (%d) > 64", b.nBits)) + } + b.bitContainer >>= v << 3 + b.nBits &= 7 +} + +// flush32 will flush out, so there are at least 32 bits available for writing. +func (b *bitWriter) flush32() { + if b.nBits < 32 { + return + } + b.out = append(b.out, + byte(b.bitContainer), + byte(b.bitContainer>>8), + byte(b.bitContainer>>16), + byte(b.bitContainer>>24)) + b.nBits -= 32 + b.bitContainer >>= 32 +} + +// flushAlign will flush remaining full bytes and align to next byte boundary. +func (b *bitWriter) flushAlign() { + nbBytes := (b.nBits + 7) >> 3 + for i := uint8(0); i < nbBytes; i++ { + b.out = append(b.out, byte(b.bitContainer>>(i*8))) + } + b.nBits = 0 + b.bitContainer = 0 +} + +// close will write the alignment bit and write the final byte(s) +// to the output. +func (b *bitWriter) close() { + // End mark + b.addBits16Clean(1, 1) + // flush until next byte. + b.flushAlign() +} + +// reset and continue writing by appending to out. +func (b *bitWriter) reset(out []byte) { + b.bitContainer = 0 + b.nBits = 0 + b.out = out +} diff --git a/vendor/github.com/klauspost/compress/fse/bytereader.go b/vendor/github.com/klauspost/compress/fse/bytereader.go new file mode 100644 index 0000000000..abade2d605 --- /dev/null +++ b/vendor/github.com/klauspost/compress/fse/bytereader.go @@ -0,0 +1,47 @@ +// Copyright 2018 Klaus Post. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. +// Based on work Copyright (c) 2013, Yann Collet, released under BSD License. + +package fse + +// byteReader provides a byte reader that reads +// little endian values from a byte stream. +// The input stream is manually advanced. +// The reader performs no bounds checks. +type byteReader struct { + b []byte + off int +} + +// init will initialize the reader and set the input. +func (b *byteReader) init(in []byte) { + b.b = in + b.off = 0 +} + +// advance the stream b n bytes. +func (b *byteReader) advance(n uint) { + b.off += int(n) +} + +// Uint32 returns a little endian uint32 starting at current offset. +func (b byteReader) Uint32() uint32 { + b2 := b.b[b.off:] + b2 = b2[:4] + v3 := uint32(b2[3]) + v2 := uint32(b2[2]) + v1 := uint32(b2[1]) + v0 := uint32(b2[0]) + return v0 | (v1 << 8) | (v2 << 16) | (v3 << 24) +} + +// unread returns the unread portion of the input. +func (b byteReader) unread() []byte { + return b.b[b.off:] +} + +// remain will return the number of bytes remaining. +func (b byteReader) remain() int { + return len(b.b) - b.off +} diff --git a/vendor/github.com/klauspost/compress/fse/compress.go b/vendor/github.com/klauspost/compress/fse/compress.go new file mode 100644 index 0000000000..074018d8f9 --- /dev/null +++ b/vendor/github.com/klauspost/compress/fse/compress.go @@ -0,0 +1,683 @@ +// Copyright 2018 Klaus Post. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. +// Based on work Copyright (c) 2013, Yann Collet, released under BSD License. + +package fse + +import ( + "errors" + "fmt" +) + +// Compress the input bytes. Input must be < 2GB. +// Provide a Scratch buffer to avoid memory allocations. +// Note that the output is also kept in the scratch buffer. +// If input is too hard to compress, ErrIncompressible is returned. +// If input is a single byte value repeated ErrUseRLE is returned. +func Compress(in []byte, s *Scratch) ([]byte, error) { + if len(in) <= 1 { + return nil, ErrIncompressible + } + if len(in) > (2<<30)-1 { + return nil, errors.New("input too big, must be < 2GB") + } + s, err := s.prepare(in) + if err != nil { + return nil, err + } + + // Create histogram, if none was provided. + maxCount := s.maxCount + if maxCount == 0 { + maxCount = s.countSimple(in) + } + // Reset for next run. + s.clearCount = true + s.maxCount = 0 + if maxCount == len(in) { + // One symbol, use RLE + return nil, ErrUseRLE + } + if maxCount == 1 || maxCount < (len(in)>>7) { + // Each symbol present maximum once or too well distributed. + return nil, ErrIncompressible + } + s.optimalTableLog() + err = s.normalizeCount() + if err != nil { + return nil, err + } + err = s.writeCount() + if err != nil { + return nil, err + } + + if false { + err = s.validateNorm() + if err != nil { + return nil, err + } + } + + err = s.buildCTable() + if err != nil { + return nil, err + } + err = s.compress(in) + if err != nil { + return nil, err + } + s.Out = s.bw.out + // Check if we compressed. + if len(s.Out) >= len(in) { + return nil, ErrIncompressible + } + return s.Out, nil +} + +// cState contains the compression state of a stream. +type cState struct { + bw *bitWriter + stateTable []uint16 + state uint16 +} + +// init will initialize the compression state to the first symbol of the stream. +func (c *cState) init(bw *bitWriter, ct *cTable, tableLog uint8, first symbolTransform) { + c.bw = bw + c.stateTable = ct.stateTable + + nbBitsOut := (first.deltaNbBits + (1 << 15)) >> 16 + im := int32((nbBitsOut << 16) - first.deltaNbBits) + lu := (im >> nbBitsOut) + first.deltaFindState + c.state = c.stateTable[lu] +} + +// encode the output symbol provided and write it to the bitstream. +func (c *cState) encode(symbolTT symbolTransform) { + nbBitsOut := (uint32(c.state) + symbolTT.deltaNbBits) >> 16 + dstState := int32(c.state>>(nbBitsOut&15)) + symbolTT.deltaFindState + c.bw.addBits16NC(c.state, uint8(nbBitsOut)) + c.state = c.stateTable[dstState] +} + +// encode the output symbol provided and write it to the bitstream. +func (c *cState) encodeZero(symbolTT symbolTransform) { + nbBitsOut := (uint32(c.state) + symbolTT.deltaNbBits) >> 16 + dstState := int32(c.state>>(nbBitsOut&15)) + symbolTT.deltaFindState + c.bw.addBits16ZeroNC(c.state, uint8(nbBitsOut)) + c.state = c.stateTable[dstState] +} + +// flush will write the tablelog to the output and flush the remaining full bytes. +func (c *cState) flush(tableLog uint8) { + c.bw.flush32() + c.bw.addBits16NC(c.state, tableLog) + c.bw.flush() +} + +// compress is the main compression loop that will encode the input from the last byte to the first. +func (s *Scratch) compress(src []byte) error { + if len(src) <= 2 { + return errors.New("compress: src too small") + } + tt := s.ct.symbolTT[:256] + s.bw.reset(s.Out) + + // Our two states each encodes every second byte. + // Last byte encoded (first byte decoded) will always be encoded by c1. + var c1, c2 cState + + // Encode so remaining size is divisible by 4. + ip := len(src) + if ip&1 == 1 { + c1.init(&s.bw, &s.ct, s.actualTableLog, tt[src[ip-1]]) + c2.init(&s.bw, &s.ct, s.actualTableLog, tt[src[ip-2]]) + c1.encodeZero(tt[src[ip-3]]) + ip -= 3 + } else { + c2.init(&s.bw, &s.ct, s.actualTableLog, tt[src[ip-1]]) + c1.init(&s.bw, &s.ct, s.actualTableLog, tt[src[ip-2]]) + ip -= 2 + } + if ip&2 != 0 { + c2.encodeZero(tt[src[ip-1]]) + c1.encodeZero(tt[src[ip-2]]) + ip -= 2 + } + src = src[:ip] + + // Main compression loop. + switch { + case !s.zeroBits && s.actualTableLog <= 8: + // We can encode 4 symbols without requiring a flush. + // We do not need to check if any output is 0 bits. + for ; len(src) >= 4; src = src[:len(src)-4] { + s.bw.flush32() + v3, v2, v1, v0 := src[len(src)-4], src[len(src)-3], src[len(src)-2], src[len(src)-1] + c2.encode(tt[v0]) + c1.encode(tt[v1]) + c2.encode(tt[v2]) + c1.encode(tt[v3]) + } + case !s.zeroBits: + // We do not need to check if any output is 0 bits. + for ; len(src) >= 4; src = src[:len(src)-4] { + s.bw.flush32() + v3, v2, v1, v0 := src[len(src)-4], src[len(src)-3], src[len(src)-2], src[len(src)-1] + c2.encode(tt[v0]) + c1.encode(tt[v1]) + s.bw.flush32() + c2.encode(tt[v2]) + c1.encode(tt[v3]) + } + case s.actualTableLog <= 8: + // We can encode 4 symbols without requiring a flush + for ; len(src) >= 4; src = src[:len(src)-4] { + s.bw.flush32() + v3, v2, v1, v0 := src[len(src)-4], src[len(src)-3], src[len(src)-2], src[len(src)-1] + c2.encodeZero(tt[v0]) + c1.encodeZero(tt[v1]) + c2.encodeZero(tt[v2]) + c1.encodeZero(tt[v3]) + } + default: + for ; len(src) >= 4; src = src[:len(src)-4] { + s.bw.flush32() + v3, v2, v1, v0 := src[len(src)-4], src[len(src)-3], src[len(src)-2], src[len(src)-1] + c2.encodeZero(tt[v0]) + c1.encodeZero(tt[v1]) + s.bw.flush32() + c2.encodeZero(tt[v2]) + c1.encodeZero(tt[v3]) + } + } + + // Flush final state. + // Used to initialize state when decoding. + c2.flush(s.actualTableLog) + c1.flush(s.actualTableLog) + + s.bw.close() + return nil +} + +// writeCount will write the normalized histogram count to header. +// This is read back by readNCount. +func (s *Scratch) writeCount() error { + var ( + tableLog = s.actualTableLog + tableSize = 1 << tableLog + previous0 bool + charnum uint16 + + maxHeaderSize = ((int(s.symbolLen)*int(tableLog) + 4 + 2) >> 3) + 3 + + // Write Table Size + bitStream = uint32(tableLog - minTablelog) + bitCount = uint(4) + remaining = int16(tableSize + 1) /* +1 for extra accuracy */ + threshold = int16(tableSize) + nbBits = uint(tableLog + 1) + ) + if cap(s.Out) < maxHeaderSize { + s.Out = make([]byte, 0, s.br.remain()+maxHeaderSize) + } + outP := uint(0) + out := s.Out[:maxHeaderSize] + + // stops at 1 + for remaining > 1 { + if previous0 { + start := charnum + for s.norm[charnum] == 0 { + charnum++ + } + for charnum >= start+24 { + start += 24 + bitStream += uint32(0xFFFF) << bitCount + out[outP] = byte(bitStream) + out[outP+1] = byte(bitStream >> 8) + outP += 2 + bitStream >>= 16 + } + for charnum >= start+3 { + start += 3 + bitStream += 3 << bitCount + bitCount += 2 + } + bitStream += uint32(charnum-start) << bitCount + bitCount += 2 + if bitCount > 16 { + out[outP] = byte(bitStream) + out[outP+1] = byte(bitStream >> 8) + outP += 2 + bitStream >>= 16 + bitCount -= 16 + } + } + + count := s.norm[charnum] + charnum++ + max := (2*threshold - 1) - remaining + if count < 0 { + remaining += count + } else { + remaining -= count + } + count++ // +1 for extra accuracy + if count >= threshold { + count += max // [0..max[ [max..threshold[ (...) [threshold+max 2*threshold[ + } + bitStream += uint32(count) << bitCount + bitCount += nbBits + if count < max { + bitCount-- + } + + previous0 = count == 1 + if remaining < 1 { + return errors.New("internal error: remaining<1") + } + for remaining < threshold { + nbBits-- + threshold >>= 1 + } + + if bitCount > 16 { + out[outP] = byte(bitStream) + out[outP+1] = byte(bitStream >> 8) + outP += 2 + bitStream >>= 16 + bitCount -= 16 + } + } + + out[outP] = byte(bitStream) + out[outP+1] = byte(bitStream >> 8) + outP += (bitCount + 7) / 8 + + if charnum > s.symbolLen { + return errors.New("internal error: charnum > s.symbolLen") + } + s.Out = out[:outP] + return nil +} + +// symbolTransform contains the state transform for a symbol. +type symbolTransform struct { + deltaFindState int32 + deltaNbBits uint32 +} + +// String prints values as a human readable string. +func (s symbolTransform) String() string { + return fmt.Sprintf("dnbits: %08x, fs:%d", s.deltaNbBits, s.deltaFindState) +} + +// cTable contains tables used for compression. +type cTable struct { + tableSymbol []byte + stateTable []uint16 + symbolTT []symbolTransform +} + +// allocCtable will allocate tables needed for compression. +// If existing tables a re big enough, they are simply re-used. +func (s *Scratch) allocCtable() { + tableSize := 1 << s.actualTableLog + // get tableSymbol that is big enough. + if cap(s.ct.tableSymbol) < tableSize { + s.ct.tableSymbol = make([]byte, tableSize) + } + s.ct.tableSymbol = s.ct.tableSymbol[:tableSize] + + ctSize := tableSize + if cap(s.ct.stateTable) < ctSize { + s.ct.stateTable = make([]uint16, ctSize) + } + s.ct.stateTable = s.ct.stateTable[:ctSize] + + if cap(s.ct.symbolTT) < 256 { + s.ct.symbolTT = make([]symbolTransform, 256) + } + s.ct.symbolTT = s.ct.symbolTT[:256] +} + +// buildCTable will populate the compression table so it is ready to be used. +func (s *Scratch) buildCTable() error { + tableSize := uint32(1 << s.actualTableLog) + highThreshold := tableSize - 1 + var cumul [maxSymbolValue + 2]int16 + + s.allocCtable() + tableSymbol := s.ct.tableSymbol[:tableSize] + // symbol start positions + { + cumul[0] = 0 + for ui, v := range s.norm[:s.symbolLen-1] { + u := byte(ui) // one less than reference + if v == -1 { + // Low proba symbol + cumul[u+1] = cumul[u] + 1 + tableSymbol[highThreshold] = u + highThreshold-- + } else { + cumul[u+1] = cumul[u] + v + } + } + // Encode last symbol separately to avoid overflowing u + u := int(s.symbolLen - 1) + v := s.norm[s.symbolLen-1] + if v == -1 { + // Low proba symbol + cumul[u+1] = cumul[u] + 1 + tableSymbol[highThreshold] = byte(u) + highThreshold-- + } else { + cumul[u+1] = cumul[u] + v + } + if uint32(cumul[s.symbolLen]) != tableSize { + return fmt.Errorf("internal error: expected cumul[s.symbolLen] (%d) == tableSize (%d)", cumul[s.symbolLen], tableSize) + } + cumul[s.symbolLen] = int16(tableSize) + 1 + } + // Spread symbols + s.zeroBits = false + { + step := tableStep(tableSize) + tableMask := tableSize - 1 + var position uint32 + // if any symbol > largeLimit, we may have 0 bits output. + largeLimit := int16(1 << (s.actualTableLog - 1)) + for ui, v := range s.norm[:s.symbolLen] { + symbol := byte(ui) + if v > largeLimit { + s.zeroBits = true + } + for nbOccurrences := int16(0); nbOccurrences < v; nbOccurrences++ { + tableSymbol[position] = symbol + position = (position + step) & tableMask + for position > highThreshold { + position = (position + step) & tableMask + } /* Low proba area */ + } + } + + // Check if we have gone through all positions + if position != 0 { + return errors.New("position!=0") + } + } + + // Build table + table := s.ct.stateTable + { + tsi := int(tableSize) + for u, v := range tableSymbol { + // TableU16 : sorted by symbol order; gives next state value + table[cumul[v]] = uint16(tsi + u) + cumul[v]++ + } + } + + // Build Symbol Transformation Table + { + total := int16(0) + symbolTT := s.ct.symbolTT[:s.symbolLen] + tableLog := s.actualTableLog + tl := (uint32(tableLog) << 16) - (1 << tableLog) + for i, v := range s.norm[:s.symbolLen] { + switch v { + case 0: + case -1, 1: + symbolTT[i].deltaNbBits = tl + symbolTT[i].deltaFindState = int32(total - 1) + total++ + default: + maxBitsOut := uint32(tableLog) - highBits(uint32(v-1)) + minStatePlus := uint32(v) << maxBitsOut + symbolTT[i].deltaNbBits = (maxBitsOut << 16) - minStatePlus + symbolTT[i].deltaFindState = int32(total - v) + total += v + } + } + if total != int16(tableSize) { + return fmt.Errorf("total mismatch %d (got) != %d (want)", total, tableSize) + } + } + return nil +} + +// countSimple will create a simple histogram in s.count. +// Returns the biggest count. +// Does not update s.clearCount. +func (s *Scratch) countSimple(in []byte) (max int) { + for _, v := range in { + s.count[v]++ + } + m, symlen := uint32(0), s.symbolLen + for i, v := range s.count[:] { + if v == 0 { + continue + } + if v > m { + m = v + } + symlen = uint16(i) + 1 + } + s.symbolLen = symlen + return int(m) +} + +// minTableLog provides the minimum logSize to safely represent a distribution. +func (s *Scratch) minTableLog() uint8 { + minBitsSrc := highBits(uint32(s.br.remain()-1)) + 1 + minBitsSymbols := highBits(uint32(s.symbolLen-1)) + 2 + if minBitsSrc < minBitsSymbols { + return uint8(minBitsSrc) + } + return uint8(minBitsSymbols) +} + +// optimalTableLog calculates and sets the optimal tableLog in s.actualTableLog +func (s *Scratch) optimalTableLog() { + tableLog := s.TableLog + minBits := s.minTableLog() + maxBitsSrc := uint8(highBits(uint32(s.br.remain()-1))) - 2 + if maxBitsSrc < tableLog { + // Accuracy can be reduced + tableLog = maxBitsSrc + } + if minBits > tableLog { + tableLog = minBits + } + // Need a minimum to safely represent all symbol values + if tableLog < minTablelog { + tableLog = minTablelog + } + if tableLog > maxTableLog { + tableLog = maxTableLog + } + s.actualTableLog = tableLog +} + +var rtbTable = [...]uint32{0, 473195, 504333, 520860, 550000, 700000, 750000, 830000} + +// normalizeCount will normalize the count of the symbols so +// the total is equal to the table size. +func (s *Scratch) normalizeCount() error { + var ( + tableLog = s.actualTableLog + scale = 62 - uint64(tableLog) + step = (1 << 62) / uint64(s.br.remain()) + vStep = uint64(1) << (scale - 20) + stillToDistribute = int16(1 << tableLog) + largest int + largestP int16 + lowThreshold = (uint32)(s.br.remain() >> tableLog) + ) + + for i, cnt := range s.count[:s.symbolLen] { + // already handled + // if (count[s] == s.length) return 0; /* rle special case */ + + if cnt == 0 { + s.norm[i] = 0 + continue + } + if cnt <= lowThreshold { + s.norm[i] = -1 + stillToDistribute-- + } else { + proba := (int16)((uint64(cnt) * step) >> scale) + if proba < 8 { + restToBeat := vStep * uint64(rtbTable[proba]) + v := uint64(cnt)*step - (uint64(proba) << scale) + if v > restToBeat { + proba++ + } + } + if proba > largestP { + largestP = proba + largest = i + } + s.norm[i] = proba + stillToDistribute -= proba + } + } + + if -stillToDistribute >= (s.norm[largest] >> 1) { + // corner case, need another normalization method + return s.normalizeCount2() + } + s.norm[largest] += stillToDistribute + return nil +} + +// Secondary normalization method. +// To be used when primary method fails. +func (s *Scratch) normalizeCount2() error { + const notYetAssigned = -2 + var ( + distributed uint32 + total = uint32(s.br.remain()) + tableLog = s.actualTableLog + lowThreshold = total >> tableLog + lowOne = (total * 3) >> (tableLog + 1) + ) + for i, cnt := range s.count[:s.symbolLen] { + if cnt == 0 { + s.norm[i] = 0 + continue + } + if cnt <= lowThreshold { + s.norm[i] = -1 + distributed++ + total -= cnt + continue + } + if cnt <= lowOne { + s.norm[i] = 1 + distributed++ + total -= cnt + continue + } + s.norm[i] = notYetAssigned + } + toDistribute := (1 << tableLog) - distributed + + if (total / toDistribute) > lowOne { + // risk of rounding to zero + lowOne = (total * 3) / (toDistribute * 2) + for i, cnt := range s.count[:s.symbolLen] { + if (s.norm[i] == notYetAssigned) && (cnt <= lowOne) { + s.norm[i] = 1 + distributed++ + total -= cnt + continue + } + } + toDistribute = (1 << tableLog) - distributed + } + if distributed == uint32(s.symbolLen)+1 { + // all values are pretty poor; + // probably incompressible data (should have already been detected); + // find max, then give all remaining points to max + var maxV int + var maxC uint32 + for i, cnt := range s.count[:s.symbolLen] { + if cnt > maxC { + maxV = i + maxC = cnt + } + } + s.norm[maxV] += int16(toDistribute) + return nil + } + + if total == 0 { + // all of the symbols were low enough for the lowOne or lowThreshold + for i := uint32(0); toDistribute > 0; i = (i + 1) % (uint32(s.symbolLen)) { + if s.norm[i] > 0 { + toDistribute-- + s.norm[i]++ + } + } + return nil + } + + var ( + vStepLog = 62 - uint64(tableLog) + mid = uint64((1 << (vStepLog - 1)) - 1) + rStep = (((1 << vStepLog) * uint64(toDistribute)) + mid) / uint64(total) // scale on remaining + tmpTotal = mid + ) + for i, cnt := range s.count[:s.symbolLen] { + if s.norm[i] == notYetAssigned { + var ( + end = tmpTotal + uint64(cnt)*rStep + sStart = uint32(tmpTotal >> vStepLog) + sEnd = uint32(end >> vStepLog) + weight = sEnd - sStart + ) + if weight < 1 { + return errors.New("weight < 1") + } + s.norm[i] = int16(weight) + tmpTotal = end + } + } + return nil +} + +// validateNorm validates the normalized histogram table. +func (s *Scratch) validateNorm() (err error) { + var total int + for _, v := range s.norm[:s.symbolLen] { + if v >= 0 { + total += int(v) + } else { + total -= int(v) + } + } + defer func() { + if err == nil { + return + } + fmt.Printf("selected TableLog: %d, Symbol length: %d\n", s.actualTableLog, s.symbolLen) + for i, v := range s.norm[:s.symbolLen] { + fmt.Printf("%3d: %5d -> %4d \n", i, s.count[i], v) + } + }() + if total != (1 << s.actualTableLog) { + return fmt.Errorf("warning: Total == %d != %d", total, 1< tablelogAbsoluteMax { + return errors.New("tableLog too large") + } + bitStream >>= 4 + bitCount := uint(4) + + s.actualTableLog = uint8(nbBits) + remaining := int32((1 << nbBits) + 1) + threshold := int32(1 << nbBits) + gotTotal := int32(0) + nbBits++ + + for remaining > 1 { + if previous0 { + n0 := charnum + for (bitStream & 0xFFFF) == 0xFFFF { + n0 += 24 + if b.off < iend-5 { + b.advance(2) + bitStream = b.Uint32() >> bitCount + } else { + bitStream >>= 16 + bitCount += 16 + } + } + for (bitStream & 3) == 3 { + n0 += 3 + bitStream >>= 2 + bitCount += 2 + } + n0 += uint16(bitStream & 3) + bitCount += 2 + if n0 > maxSymbolValue { + return errors.New("maxSymbolValue too small") + } + for charnum < n0 { + s.norm[charnum&0xff] = 0 + charnum++ + } + + if b.off <= iend-7 || b.off+int(bitCount>>3) <= iend-4 { + b.advance(bitCount >> 3) + bitCount &= 7 + bitStream = b.Uint32() >> bitCount + } else { + bitStream >>= 2 + } + } + + max := (2*(threshold) - 1) - (remaining) + var count int32 + + if (int32(bitStream) & (threshold - 1)) < max { + count = int32(bitStream) & (threshold - 1) + bitCount += nbBits - 1 + } else { + count = int32(bitStream) & (2*threshold - 1) + if count >= threshold { + count -= max + } + bitCount += nbBits + } + + count-- // extra accuracy + if count < 0 { + // -1 means +1 + remaining += count + gotTotal -= count + } else { + remaining -= count + gotTotal += count + } + s.norm[charnum&0xff] = int16(count) + charnum++ + previous0 = count == 0 + for remaining < threshold { + nbBits-- + threshold >>= 1 + } + if b.off <= iend-7 || b.off+int(bitCount>>3) <= iend-4 { + b.advance(bitCount >> 3) + bitCount &= 7 + } else { + bitCount -= (uint)(8 * (len(b.b) - 4 - b.off)) + b.off = len(b.b) - 4 + } + bitStream = b.Uint32() >> (bitCount & 31) + } + s.symbolLen = charnum + + if s.symbolLen <= 1 { + return fmt.Errorf("symbolLen (%d) too small", s.symbolLen) + } + if s.symbolLen > maxSymbolValue+1 { + return fmt.Errorf("symbolLen (%d) too big", s.symbolLen) + } + if remaining != 1 { + return fmt.Errorf("corruption detected (remaining %d != 1)", remaining) + } + if bitCount > 32 { + return fmt.Errorf("corruption detected (bitCount %d > 32)", bitCount) + } + if gotTotal != 1<> 3) + return nil +} + +// decSymbol contains information about a state entry, +// Including the state offset base, the output symbol and +// the number of bits to read for the low part of the destination state. +type decSymbol struct { + newState uint16 + symbol uint8 + nbBits uint8 +} + +// allocDtable will allocate decoding tables if they are not big enough. +func (s *Scratch) allocDtable() { + tableSize := 1 << s.actualTableLog + if cap(s.decTable) < tableSize { + s.decTable = make([]decSymbol, tableSize) + } + s.decTable = s.decTable[:tableSize] + + if cap(s.ct.tableSymbol) < 256 { + s.ct.tableSymbol = make([]byte, 256) + } + s.ct.tableSymbol = s.ct.tableSymbol[:256] + + if cap(s.ct.stateTable) < 256 { + s.ct.stateTable = make([]uint16, 256) + } + s.ct.stateTable = s.ct.stateTable[:256] +} + +// buildDtable will build the decoding table. +func (s *Scratch) buildDtable() error { + tableSize := uint32(1 << s.actualTableLog) + highThreshold := tableSize - 1 + s.allocDtable() + symbolNext := s.ct.stateTable[:256] + + // Init, lay down lowprob symbols + s.zeroBits = false + { + largeLimit := int16(1 << (s.actualTableLog - 1)) + for i, v := range s.norm[:s.symbolLen] { + if v == -1 { + s.decTable[highThreshold].symbol = uint8(i) + highThreshold-- + symbolNext[i] = 1 + } else { + if v >= largeLimit { + s.zeroBits = true + } + symbolNext[i] = uint16(v) + } + } + } + // Spread symbols + { + tableMask := tableSize - 1 + step := tableStep(tableSize) + position := uint32(0) + for ss, v := range s.norm[:s.symbolLen] { + for i := 0; i < int(v); i++ { + s.decTable[position].symbol = uint8(ss) + position = (position + step) & tableMask + for position > highThreshold { + // lowprob area + position = (position + step) & tableMask + } + } + } + if position != 0 { + // position must reach all cells once, otherwise normalizedCounter is incorrect + return errors.New("corrupted input (position != 0)") + } + } + + // Build Decoding table + { + tableSize := uint16(1 << s.actualTableLog) + for u, v := range s.decTable { + symbol := v.symbol + nextState := symbolNext[symbol] + symbolNext[symbol] = nextState + 1 + nBits := s.actualTableLog - byte(highBits(uint32(nextState))) + s.decTable[u].nbBits = nBits + newState := (nextState << nBits) - tableSize + if newState >= tableSize { + return fmt.Errorf("newState (%d) outside table size (%d)", newState, tableSize) + } + if newState == uint16(u) && nBits == 0 { + // Seems weird that this is possible with nbits > 0. + return fmt.Errorf("newState (%d) == oldState (%d) and no bits", newState, u) + } + s.decTable[u].newState = newState + } + } + return nil +} + +// decompress will decompress the bitstream. +// If the buffer is over-read an error is returned. +func (s *Scratch) decompress() error { + br := &s.bits + if err := br.init(s.br.unread()); err != nil { + return err + } + + var s1, s2 decoder + // Initialize and decode first state and symbol. + s1.init(br, s.decTable, s.actualTableLog) + s2.init(br, s.decTable, s.actualTableLog) + + // Use temp table to avoid bound checks/append penalty. + var tmp = s.ct.tableSymbol[:256] + var off uint8 + + // Main part + if !s.zeroBits { + for br.off >= 8 { + br.fillFast() + tmp[off+0] = s1.nextFast() + tmp[off+1] = s2.nextFast() + br.fillFast() + tmp[off+2] = s1.nextFast() + tmp[off+3] = s2.nextFast() + off += 4 + // When off is 0, we have overflowed and should write. + if off == 0 { + s.Out = append(s.Out, tmp...) + if len(s.Out) >= s.DecompressLimit { + return fmt.Errorf("output size (%d) > DecompressLimit (%d)", len(s.Out), s.DecompressLimit) + } + } + } + } else { + for br.off >= 8 { + br.fillFast() + tmp[off+0] = s1.next() + tmp[off+1] = s2.next() + br.fillFast() + tmp[off+2] = s1.next() + tmp[off+3] = s2.next() + off += 4 + if off == 0 { + s.Out = append(s.Out, tmp...) + // When off is 0, we have overflowed and should write. + if len(s.Out) >= s.DecompressLimit { + return fmt.Errorf("output size (%d) > DecompressLimit (%d)", len(s.Out), s.DecompressLimit) + } + } + } + } + s.Out = append(s.Out, tmp[:off]...) + + // Final bits, a bit more expensive check + for { + if s1.finished() { + s.Out = append(s.Out, s1.final(), s2.final()) + break + } + br.fill() + s.Out = append(s.Out, s1.next()) + if s2.finished() { + s.Out = append(s.Out, s2.final(), s1.final()) + break + } + s.Out = append(s.Out, s2.next()) + if len(s.Out) >= s.DecompressLimit { + return fmt.Errorf("output size (%d) > DecompressLimit (%d)", len(s.Out), s.DecompressLimit) + } + } + return br.close() +} + +// decoder keeps track of the current state and updates it from the bitstream. +type decoder struct { + state uint16 + br *bitReader + dt []decSymbol +} + +// init will initialize the decoder and read the first state from the stream. +func (d *decoder) init(in *bitReader, dt []decSymbol, tableLog uint8) { + d.dt = dt + d.br = in + d.state = in.getBits(tableLog) +} + +// next returns the next symbol and sets the next state. +// At least tablelog bits must be available in the bit reader. +func (d *decoder) next() uint8 { + n := &d.dt[d.state] + lowBits := d.br.getBits(n.nbBits) + d.state = n.newState + lowBits + return n.symbol +} + +// finished returns true if all bits have been read from the bitstream +// and the next state would require reading bits from the input. +func (d *decoder) finished() bool { + return d.br.finished() && d.dt[d.state].nbBits > 0 +} + +// final returns the current state symbol without decoding the next. +func (d *decoder) final() uint8 { + return d.dt[d.state].symbol +} + +// nextFast returns the next symbol and sets the next state. +// This can only be used if no symbols are 0 bits. +// At least tablelog bits must be available in the bit reader. +func (d *decoder) nextFast() uint8 { + n := d.dt[d.state] + lowBits := d.br.getBitsFast(n.nbBits) + d.state = n.newState + lowBits + return n.symbol +} diff --git a/vendor/github.com/klauspost/compress/fse/fse.go b/vendor/github.com/klauspost/compress/fse/fse.go new file mode 100644 index 0000000000..535cbadfde --- /dev/null +++ b/vendor/github.com/klauspost/compress/fse/fse.go @@ -0,0 +1,144 @@ +// Copyright 2018 Klaus Post. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. +// Based on work Copyright (c) 2013, Yann Collet, released under BSD License. + +// Package fse provides Finite State Entropy encoding and decoding. +// +// Finite State Entropy encoding provides a fast near-optimal symbol encoding/decoding +// for byte blocks as implemented in zstd. +// +// See https://github.com/klauspost/compress/tree/master/fse for more information. +package fse + +import ( + "errors" + "fmt" + "math/bits" +) + +const ( + /*!MEMORY_USAGE : + * Memory usage formula : N->2^N Bytes (examples : 10 -> 1KB; 12 -> 4KB ; 16 -> 64KB; 20 -> 1MB; etc.) + * Increasing memory usage improves compression ratio + * Reduced memory usage can improve speed, due to cache effect + * Recommended max value is 14, for 16KB, which nicely fits into Intel x86 L1 cache */ + maxMemoryUsage = 14 + defaultMemoryUsage = 13 + + maxTableLog = maxMemoryUsage - 2 + maxTablesize = 1 << maxTableLog + defaultTablelog = defaultMemoryUsage - 2 + minTablelog = 5 + maxSymbolValue = 255 +) + +var ( + // ErrIncompressible is returned when input is judged to be too hard to compress. + ErrIncompressible = errors.New("input is not compressible") + + // ErrUseRLE is returned from the compressor when the input is a single byte value repeated. + ErrUseRLE = errors.New("input is single value repeated") +) + +// Scratch provides temporary storage for compression and decompression. +type Scratch struct { + // Private + count [maxSymbolValue + 1]uint32 + norm [maxSymbolValue + 1]int16 + br byteReader + bits bitReader + bw bitWriter + ct cTable // Compression tables. + decTable []decSymbol // Decompression table. + maxCount int // count of the most probable symbol + + // Per block parameters. + // These can be used to override compression parameters of the block. + // Do not touch, unless you know what you are doing. + + // Out is output buffer. + // If the scratch is re-used before the caller is done processing the output, + // set this field to nil. + // Otherwise the output buffer will be re-used for next Compression/Decompression step + // and allocation will be avoided. + Out []byte + + // DecompressLimit limits the maximum decoded size acceptable. + // If > 0 decompression will stop when approximately this many bytes + // has been decoded. + // If 0, maximum size will be 2GB. + DecompressLimit int + + symbolLen uint16 // Length of active part of the symbol table. + actualTableLog uint8 // Selected tablelog. + zeroBits bool // no bits has prob > 50%. + clearCount bool // clear count + + // MaxSymbolValue will override the maximum symbol value of the next block. + MaxSymbolValue uint8 + + // TableLog will attempt to override the tablelog for the next block. + TableLog uint8 +} + +// Histogram allows to populate the histogram and skip that step in the compression, +// It otherwise allows to inspect the histogram when compression is done. +// To indicate that you have populated the histogram call HistogramFinished +// with the value of the highest populated symbol, as well as the number of entries +// in the most populated entry. These are accepted at face value. +// The returned slice will always be length 256. +func (s *Scratch) Histogram() []uint32 { + return s.count[:] +} + +// HistogramFinished can be called to indicate that the histogram has been populated. +// maxSymbol is the index of the highest set symbol of the next data segment. +// maxCount is the number of entries in the most populated entry. +// These are accepted at face value. +func (s *Scratch) HistogramFinished(maxSymbol uint8, maxCount int) { + s.maxCount = maxCount + s.symbolLen = uint16(maxSymbol) + 1 + s.clearCount = maxCount != 0 +} + +// prepare will prepare and allocate scratch tables used for both compression and decompression. +func (s *Scratch) prepare(in []byte) (*Scratch, error) { + if s == nil { + s = &Scratch{} + } + if s.MaxSymbolValue == 0 { + s.MaxSymbolValue = 255 + } + if s.TableLog == 0 { + s.TableLog = defaultTablelog + } + if s.TableLog > maxTableLog { + return nil, fmt.Errorf("tableLog (%d) > maxTableLog (%d)", s.TableLog, maxTableLog) + } + if cap(s.Out) == 0 { + s.Out = make([]byte, 0, len(in)) + } + if s.clearCount && s.maxCount == 0 { + for i := range s.count { + s.count[i] = 0 + } + s.clearCount = false + } + s.br.init(in) + if s.DecompressLimit == 0 { + // Max size 2GB. + s.DecompressLimit = (2 << 30) - 1 + } + + return s, nil +} + +// tableStep returns the next table index. +func tableStep(tableSize uint32) uint32 { + return (tableSize >> 1) + (tableSize >> 3) + 3 +} + +func highBits(val uint32) (n uint32) { + return uint32(bits.Len32(val) - 1) +} diff --git a/vendor/github.com/klauspost/compress/gen.sh b/vendor/github.com/klauspost/compress/gen.sh new file mode 100644 index 0000000000..aff942205f --- /dev/null +++ b/vendor/github.com/klauspost/compress/gen.sh @@ -0,0 +1,4 @@ +#!/bin/sh + +cd s2/cmd/_s2sx/ || exit 1 +go generate . diff --git a/vendor/github.com/klauspost/compress/huff0/.gitignore b/vendor/github.com/klauspost/compress/huff0/.gitignore new file mode 100644 index 0000000000..b3d262958f --- /dev/null +++ b/vendor/github.com/klauspost/compress/huff0/.gitignore @@ -0,0 +1 @@ +/huff0-fuzz.zip diff --git a/vendor/github.com/klauspost/compress/huff0/README.md b/vendor/github.com/klauspost/compress/huff0/README.md new file mode 100644 index 0000000000..8b6e5c6638 --- /dev/null +++ b/vendor/github.com/klauspost/compress/huff0/README.md @@ -0,0 +1,89 @@ +# Huff0 entropy compression + +This package provides Huff0 encoding and decoding as used in zstd. + +[Huff0](https://github.com/Cyan4973/FiniteStateEntropy#new-generation-entropy-coders), +a Huffman codec designed for modern CPU, featuring OoO (Out of Order) operations on multiple ALU +(Arithmetic Logic Unit), achieving extremely fast compression and decompression speeds. + +This can be used for compressing input with a lot of similar input values to the smallest number of bytes. +This does not perform any multi-byte [dictionary coding](https://en.wikipedia.org/wiki/Dictionary_coder) as LZ coders, +but it can be used as a secondary step to compressors (like Snappy) that does not do entropy encoding. + +* [Godoc documentation](https://godoc.org/github.com/klauspost/compress/huff0) + +## News + +This is used as part of the [zstandard](https://github.com/klauspost/compress/tree/master/zstd#zstd) compression and decompression package. + +This ensures that most functionality is well tested. + +# Usage + +This package provides a low level interface that allows to compress single independent blocks. + +Each block is separate, and there is no built in integrity checks. +This means that the caller should keep track of block sizes and also do checksums if needed. + +Compressing a block is done via the [`Compress1X`](https://godoc.org/github.com/klauspost/compress/huff0#Compress1X) and +[`Compress4X`](https://godoc.org/github.com/klauspost/compress/huff0#Compress4X) functions. +You must provide input and will receive the output and maybe an error. + +These error values can be returned: + +| Error | Description | +|---------------------|-----------------------------------------------------------------------------| +| `` | Everything ok, output is returned | +| `ErrIncompressible` | Returned when input is judged to be too hard to compress | +| `ErrUseRLE` | Returned from the compressor when the input is a single byte value repeated | +| `ErrTooBig` | Returned if the input block exceeds the maximum allowed size (128 Kib) | +| `(error)` | An internal error occurred. | + + +As can be seen above some of there are errors that will be returned even under normal operation so it is important to handle these. + +To reduce allocations you can provide a [`Scratch`](https://godoc.org/github.com/klauspost/compress/huff0#Scratch) object +that can be re-used for successive calls. Both compression and decompression accepts a `Scratch` object, and the same +object can be used for both. + +Be aware, that when re-using a `Scratch` object that the *output* buffer is also re-used, so if you are still using this +you must set the `Out` field in the scratch to nil. The same buffer is used for compression and decompression output. + +The `Scratch` object will retain state that allows to re-use previous tables for encoding and decoding. + +## Tables and re-use + +Huff0 allows for reusing tables from the previous block to save space if that is expected to give better/faster results. + +The Scratch object allows you to set a [`ReusePolicy`](https://godoc.org/github.com/klauspost/compress/huff0#ReusePolicy) +that controls this behaviour. See the documentation for details. This can be altered between each block. + +Do however note that this information is *not* stored in the output block and it is up to the users of the package to +record whether [`ReadTable`](https://godoc.org/github.com/klauspost/compress/huff0#ReadTable) should be called, +based on the boolean reported back from the CompressXX call. + +If you want to store the table separate from the data, you can access them as `OutData` and `OutTable` on the +[`Scratch`](https://godoc.org/github.com/klauspost/compress/huff0#Scratch) object. + +## Decompressing + +The first part of decoding is to initialize the decoding table through [`ReadTable`](https://godoc.org/github.com/klauspost/compress/huff0#ReadTable). +This will initialize the decoding tables. +You can supply the complete block to `ReadTable` and it will return the data part of the block +which can be given to the decompressor. + +Decompressing is done by calling the [`Decompress1X`](https://godoc.org/github.com/klauspost/compress/huff0#Scratch.Decompress1X) +or [`Decompress4X`](https://godoc.org/github.com/klauspost/compress/huff0#Scratch.Decompress4X) function. + +For concurrently decompressing content with a fixed table a stateless [`Decoder`](https://godoc.org/github.com/klauspost/compress/huff0#Decoder) can be requested which will remain correct as long as the scratch is unchanged. The capacity of the provided slice indicates the expected output size. + +You must provide the output from the compression stage, at exactly the size you got back. If you receive an error back +your input was likely corrupted. + +It is important to note that a successful decoding does *not* mean your output matches your original input. +There are no integrity checks, so relying on errors from the decompressor does not assure your data is valid. + +# Contributing + +Contributions are always welcome. Be aware that adding public functions will require good justification and breaking +changes will likely not be accepted. If in doubt open an issue before writing the PR. diff --git a/vendor/github.com/klauspost/compress/huff0/bitreader.go b/vendor/github.com/klauspost/compress/huff0/bitreader.go new file mode 100644 index 0000000000..bfc7a523de --- /dev/null +++ b/vendor/github.com/klauspost/compress/huff0/bitreader.go @@ -0,0 +1,224 @@ +// Copyright 2018 Klaus Post. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. +// Based on work Copyright (c) 2013, Yann Collet, released under BSD License. + +package huff0 + +import ( + "errors" + "fmt" + "io" + + "github.com/klauspost/compress/internal/le" +) + +// bitReader reads a bitstream in reverse. +// The last set bit indicates the start of the stream and is used +// for aligning the input. +type bitReaderBytes struct { + in []byte + off uint // next byte to read is at in[off - 1] + value uint64 + bitsRead uint8 +} + +// init initializes and resets the bit reader. +func (b *bitReaderBytes) init(in []byte) error { + if len(in) < 1 { + return errors.New("corrupt stream: too short") + } + b.in = in + b.off = uint(len(in)) + // The highest bit of the last byte indicates where to start + v := in[len(in)-1] + if v == 0 { + return errors.New("corrupt stream, did not find end of stream") + } + b.bitsRead = 64 + b.value = 0 + if len(in) >= 8 { + b.fillFastStart() + } else { + b.fill() + b.fill() + } + b.advance(8 - uint8(highBit32(uint32(v)))) + return nil +} + +// peekByteFast requires that at least one byte is requested every time. +// There are no checks if the buffer is filled. +func (b *bitReaderBytes) peekByteFast() uint8 { + got := uint8(b.value >> 56) + return got +} + +func (b *bitReaderBytes) advance(n uint8) { + b.bitsRead += n + b.value <<= n & 63 +} + +// fillFast() will make sure at least 32 bits are available. +// There must be at least 4 bytes available. +func (b *bitReaderBytes) fillFast() { + if b.bitsRead < 32 { + return + } + + // 2 bounds checks. + low := le.Load32(b.in, b.off-4) + b.value |= uint64(low) << (b.bitsRead - 32) + b.bitsRead -= 32 + b.off -= 4 +} + +// fillFastStart() assumes the bitReaderBytes is empty and there is at least 8 bytes to read. +func (b *bitReaderBytes) fillFastStart() { + // Do single re-slice to avoid bounds checks. + b.value = le.Load64(b.in, b.off-8) + b.bitsRead = 0 + b.off -= 8 +} + +// fill() will make sure at least 32 bits are available. +func (b *bitReaderBytes) fill() { + if b.bitsRead < 32 { + return + } + if b.off >= 4 { + low := le.Load32(b.in, b.off-4) + b.value |= uint64(low) << (b.bitsRead - 32) + b.bitsRead -= 32 + b.off -= 4 + return + } + for b.off > 0 { + b.value |= uint64(b.in[b.off-1]) << (b.bitsRead - 8) + b.bitsRead -= 8 + b.off-- + } +} + +// finished returns true if all bits have been read from the bit stream. +func (b *bitReaderBytes) finished() bool { + return b.off == 0 && b.bitsRead >= 64 +} + +func (b *bitReaderBytes) remaining() uint { + return b.off*8 + uint(64-b.bitsRead) +} + +// close the bitstream and returns an error if out-of-buffer reads occurred. +func (b *bitReaderBytes) close() error { + // Release reference. + b.in = nil + if b.remaining() > 0 { + return fmt.Errorf("corrupt input: %d bits remain on stream", b.remaining()) + } + if b.bitsRead > 64 { + return io.ErrUnexpectedEOF + } + return nil +} + +// bitReaderShifted reads a bitstream in reverse. +// The last set bit indicates the start of the stream and is used +// for aligning the input. +type bitReaderShifted struct { + in []byte + off uint // next byte to read is at in[off - 1] + value uint64 + bitsRead uint8 +} + +// init initializes and resets the bit reader. +func (b *bitReaderShifted) init(in []byte) error { + if len(in) < 1 { + return errors.New("corrupt stream: too short") + } + b.in = in + b.off = uint(len(in)) + // The highest bit of the last byte indicates where to start + v := in[len(in)-1] + if v == 0 { + return errors.New("corrupt stream, did not find end of stream") + } + b.bitsRead = 64 + b.value = 0 + if len(in) >= 8 { + b.fillFastStart() + } else { + b.fill() + b.fill() + } + b.advance(8 - uint8(highBit32(uint32(v)))) + return nil +} + +// peekBitsFast requires that at least one bit is requested every time. +// There are no checks if the buffer is filled. +func (b *bitReaderShifted) peekBitsFast(n uint8) uint16 { + return uint16(b.value >> ((64 - n) & 63)) +} + +func (b *bitReaderShifted) advance(n uint8) { + b.bitsRead += n + b.value <<= n & 63 +} + +// fillFast() will make sure at least 32 bits are available. +// There must be at least 4 bytes available. +func (b *bitReaderShifted) fillFast() { + if b.bitsRead < 32 { + return + } + + low := le.Load32(b.in, b.off-4) + b.value |= uint64(low) << ((b.bitsRead - 32) & 63) + b.bitsRead -= 32 + b.off -= 4 +} + +// fillFastStart() assumes the bitReaderShifted is empty and there is at least 8 bytes to read. +func (b *bitReaderShifted) fillFastStart() { + b.value = le.Load64(b.in, b.off-8) + b.bitsRead = 0 + b.off -= 8 +} + +// fill() will make sure at least 32 bits are available. +func (b *bitReaderShifted) fill() { + if b.bitsRead < 32 { + return + } + if b.off > 4 { + low := le.Load32(b.in, b.off-4) + b.value |= uint64(low) << ((b.bitsRead - 32) & 63) + b.bitsRead -= 32 + b.off -= 4 + return + } + for b.off > 0 { + b.value |= uint64(b.in[b.off-1]) << ((b.bitsRead - 8) & 63) + b.bitsRead -= 8 + b.off-- + } +} + +func (b *bitReaderShifted) remaining() uint { + return b.off*8 + uint(64-b.bitsRead) +} + +// close the bitstream and returns an error if out-of-buffer reads occurred. +func (b *bitReaderShifted) close() error { + // Release reference. + b.in = nil + if b.remaining() > 0 { + return fmt.Errorf("corrupt input: %d bits remain on stream", b.remaining()) + } + if b.bitsRead > 64 { + return io.ErrUnexpectedEOF + } + return nil +} diff --git a/vendor/github.com/klauspost/compress/huff0/bitwriter.go b/vendor/github.com/klauspost/compress/huff0/bitwriter.go new file mode 100644 index 0000000000..0ebc9aaac7 --- /dev/null +++ b/vendor/github.com/klauspost/compress/huff0/bitwriter.go @@ -0,0 +1,102 @@ +// Copyright 2018 Klaus Post. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. +// Based on work Copyright (c) 2013, Yann Collet, released under BSD License. + +package huff0 + +// bitWriter will write bits. +// First bit will be LSB of the first byte of output. +type bitWriter struct { + bitContainer uint64 + nBits uint8 + out []byte +} + +// addBits16Clean will add up to 16 bits. value may not contain more set bits than indicated. +// It will not check if there is space for them, so the caller must ensure that it has flushed recently. +func (b *bitWriter) addBits16Clean(value uint16, bits uint8) { + b.bitContainer |= uint64(value) << (b.nBits & 63) + b.nBits += bits +} + +// encSymbol will add up to 16 bits. value may not contain more set bits than indicated. +// It will not check if there is space for them, so the caller must ensure that it has flushed recently. +func (b *bitWriter) encSymbol(ct cTable, symbol byte) { + enc := ct[symbol] + b.bitContainer |= uint64(enc.val) << (b.nBits & 63) + if false { + if enc.nBits == 0 { + panic("nbits 0") + } + } + b.nBits += enc.nBits +} + +// encTwoSymbols will add up to 32 bits. value may not contain more set bits than indicated. +// It will not check if there is space for them, so the caller must ensure that it has flushed recently. +func (b *bitWriter) encTwoSymbols(ct cTable, av, bv byte) { + encA := ct[av] + encB := ct[bv] + sh := b.nBits & 63 + combined := uint64(encA.val) | (uint64(encB.val) << (encA.nBits & 63)) + b.bitContainer |= combined << sh + if false { + if encA.nBits == 0 { + panic("nbitsA 0") + } + if encB.nBits == 0 { + panic("nbitsB 0") + } + } + b.nBits += encA.nBits + encB.nBits +} + +// encFourSymbols adds up to 32 bits from four symbols. +// It will not check if there is space for them, +// so the caller must ensure that b has been flushed recently. +func (b *bitWriter) encFourSymbols(encA, encB, encC, encD cTableEntry) { + bitsA := encA.nBits + bitsB := bitsA + encB.nBits + bitsC := bitsB + encC.nBits + bitsD := bitsC + encD.nBits + combined := uint64(encA.val) | + (uint64(encB.val) << (bitsA & 63)) | + (uint64(encC.val) << (bitsB & 63)) | + (uint64(encD.val) << (bitsC & 63)) + b.bitContainer |= combined << (b.nBits & 63) + b.nBits += bitsD +} + +// flush32 will flush out, so there are at least 32 bits available for writing. +func (b *bitWriter) flush32() { + if b.nBits < 32 { + return + } + b.out = append(b.out, + byte(b.bitContainer), + byte(b.bitContainer>>8), + byte(b.bitContainer>>16), + byte(b.bitContainer>>24)) + b.nBits -= 32 + b.bitContainer >>= 32 +} + +// flushAlign will flush remaining full bytes and align to next byte boundary. +func (b *bitWriter) flushAlign() { + nbBytes := (b.nBits + 7) >> 3 + for i := uint8(0); i < nbBytes; i++ { + b.out = append(b.out, byte(b.bitContainer>>(i*8))) + } + b.nBits = 0 + b.bitContainer = 0 +} + +// close will write the alignment bit and write the final byte(s) +// to the output. +func (b *bitWriter) close() { + // End mark + b.addBits16Clean(1, 1) + // flush until next byte. + b.flushAlign() +} diff --git a/vendor/github.com/klauspost/compress/huff0/compress.go b/vendor/github.com/klauspost/compress/huff0/compress.go new file mode 100644 index 0000000000..84aa3d12f0 --- /dev/null +++ b/vendor/github.com/klauspost/compress/huff0/compress.go @@ -0,0 +1,742 @@ +package huff0 + +import ( + "fmt" + "math" + "runtime" + "sync" +) + +// Compress1X will compress the input. +// The output can be decoded using Decompress1X. +// Supply a Scratch object. The scratch object contains state about re-use, +// So when sharing across independent encodes, be sure to set the re-use policy. +func Compress1X(in []byte, s *Scratch) (out []byte, reUsed bool, err error) { + s, err = s.prepare(in) + if err != nil { + return nil, false, err + } + return compress(in, s, s.compress1X) +} + +// Compress4X will compress the input. The input is split into 4 independent blocks +// and compressed similar to Compress1X. +// The output can be decoded using Decompress4X. +// Supply a Scratch object. The scratch object contains state about re-use, +// So when sharing across independent encodes, be sure to set the re-use policy. +func Compress4X(in []byte, s *Scratch) (out []byte, reUsed bool, err error) { + s, err = s.prepare(in) + if err != nil { + return nil, false, err + } + if false { + // TODO: compress4Xp only slightly faster. + const parallelThreshold = 8 << 10 + if len(in) < parallelThreshold || runtime.GOMAXPROCS(0) == 1 { + return compress(in, s, s.compress4X) + } + return compress(in, s, s.compress4Xp) + } + return compress(in, s, s.compress4X) +} + +func compress(in []byte, s *Scratch, compressor func(src []byte) ([]byte, error)) (out []byte, reUsed bool, err error) { + // Nuke previous table if we cannot reuse anyway. + if s.Reuse == ReusePolicyNone { + s.prevTable = s.prevTable[:0] + } + + // Create histogram, if none was provided. + maxCount := s.maxCount + var canReuse = false + if maxCount == 0 { + maxCount, canReuse = s.countSimple(in) + } else { + canReuse = s.canUseTable(s.prevTable) + } + + // We want the output size to be less than this: + wantSize := len(in) + if s.WantLogLess > 0 { + wantSize -= wantSize >> s.WantLogLess + } + + // Reset for next run. + s.clearCount = true + s.maxCount = 0 + if maxCount >= len(in) { + if maxCount > len(in) { + return nil, false, fmt.Errorf("maxCount (%d) > length (%d)", maxCount, len(in)) + } + if len(in) == 1 { + return nil, false, ErrIncompressible + } + // One symbol, use RLE + return nil, false, ErrUseRLE + } + if maxCount == 1 || maxCount < (len(in)>>7) { + // Each symbol present maximum once or too well distributed. + return nil, false, ErrIncompressible + } + if s.Reuse == ReusePolicyMust && !canReuse { + // We must reuse, but we can't. + return nil, false, ErrIncompressible + } + if (s.Reuse == ReusePolicyPrefer || s.Reuse == ReusePolicyMust) && canReuse { + keepTable := s.cTable + keepTL := s.actualTableLog + s.cTable = s.prevTable + s.actualTableLog = s.prevTableLog + s.Out, err = compressor(in) + s.cTable = keepTable + s.actualTableLog = keepTL + if err == nil && len(s.Out) < wantSize { + s.OutData = s.Out + return s.Out, true, nil + } + if s.Reuse == ReusePolicyMust { + return nil, false, ErrIncompressible + } + // Do not attempt to re-use later. + s.prevTable = s.prevTable[:0] + } + + // Calculate new table. + err = s.buildCTable() + if err != nil { + return nil, false, err + } + + if false && !s.canUseTable(s.cTable) { + panic("invalid table generated") + } + + if s.Reuse == ReusePolicyAllow && canReuse { + hSize := len(s.Out) + oldSize := s.prevTable.estimateSize(s.count[:s.symbolLen]) + newSize := s.cTable.estimateSize(s.count[:s.symbolLen]) + if oldSize <= hSize+newSize || hSize+12 >= wantSize { + // Retain cTable even if we re-use. + keepTable := s.cTable + keepTL := s.actualTableLog + + s.cTable = s.prevTable + s.actualTableLog = s.prevTableLog + s.Out, err = compressor(in) + + // Restore ctable. + s.cTable = keepTable + s.actualTableLog = keepTL + if err != nil { + return nil, false, err + } + if len(s.Out) >= wantSize { + return nil, false, ErrIncompressible + } + s.OutData = s.Out + return s.Out, true, nil + } + } + + // Use new table + err = s.cTable.write(s) + if err != nil { + s.OutTable = nil + return nil, false, err + } + s.OutTable = s.Out + + // Compress using new table + s.Out, err = compressor(in) + if err != nil { + s.OutTable = nil + return nil, false, err + } + if len(s.Out) >= wantSize { + s.OutTable = nil + return nil, false, ErrIncompressible + } + // Move current table into previous. + s.prevTable, s.prevTableLog, s.cTable = s.cTable, s.actualTableLog, s.prevTable[:0] + s.OutData = s.Out[len(s.OutTable):] + return s.Out, false, nil +} + +// EstimateSizes will estimate the data sizes +func EstimateSizes(in []byte, s *Scratch) (tableSz, dataSz, reuseSz int, err error) { + s, err = s.prepare(in) + if err != nil { + return 0, 0, 0, err + } + + // Create histogram, if none was provided. + tableSz, dataSz, reuseSz = -1, -1, -1 + maxCount := s.maxCount + var canReuse = false + if maxCount == 0 { + maxCount, canReuse = s.countSimple(in) + } else { + canReuse = s.canUseTable(s.prevTable) + } + + // We want the output size to be less than this: + wantSize := len(in) + if s.WantLogLess > 0 { + wantSize -= wantSize >> s.WantLogLess + } + + // Reset for next run. + s.clearCount = true + s.maxCount = 0 + if maxCount >= len(in) { + if maxCount > len(in) { + return 0, 0, 0, fmt.Errorf("maxCount (%d) > length (%d)", maxCount, len(in)) + } + if len(in) == 1 { + return 0, 0, 0, ErrIncompressible + } + // One symbol, use RLE + return 0, 0, 0, ErrUseRLE + } + if maxCount == 1 || maxCount < (len(in)>>7) { + // Each symbol present maximum once or too well distributed. + return 0, 0, 0, ErrIncompressible + } + + // Calculate new table. + err = s.buildCTable() + if err != nil { + return 0, 0, 0, err + } + + if false && !s.canUseTable(s.cTable) { + panic("invalid table generated") + } + + tableSz, err = s.cTable.estTableSize(s) + if err != nil { + return 0, 0, 0, err + } + if canReuse { + reuseSz = s.prevTable.estimateSize(s.count[:s.symbolLen]) + } + dataSz = s.cTable.estimateSize(s.count[:s.symbolLen]) + + // Restore + return tableSz, dataSz, reuseSz, nil +} + +func (s *Scratch) compress1X(src []byte) ([]byte, error) { + return s.compress1xDo(s.Out, src), nil +} + +func (s *Scratch) compress1xDo(dst, src []byte) []byte { + var bw = bitWriter{out: dst} + + // N is length divisible by 4. + n := len(src) + n -= n & 3 + cTable := s.cTable[:256] + + // Encode last bytes. + for i := len(src) & 3; i > 0; i-- { + bw.encSymbol(cTable, src[n+i-1]) + } + n -= 4 + if s.actualTableLog <= 8 { + for ; n >= 0; n -= 4 { + tmp := src[n : n+4] + // tmp should be len 4 + bw.flush32() + bw.encFourSymbols(cTable[tmp[3]], cTable[tmp[2]], cTable[tmp[1]], cTable[tmp[0]]) + } + } else { + for ; n >= 0; n -= 4 { + tmp := src[n : n+4] + // tmp should be len 4 + bw.flush32() + bw.encTwoSymbols(cTable, tmp[3], tmp[2]) + bw.flush32() + bw.encTwoSymbols(cTable, tmp[1], tmp[0]) + } + } + bw.close() + return bw.out +} + +var sixZeros [6]byte + +func (s *Scratch) compress4X(src []byte) ([]byte, error) { + if len(src) < 12 { + return nil, ErrIncompressible + } + segmentSize := (len(src) + 3) / 4 + + // Add placeholder for output length + offsetIdx := len(s.Out) + s.Out = append(s.Out, sixZeros[:]...) + + for i := 0; i < 4; i++ { + toDo := src + if len(toDo) > segmentSize { + toDo = toDo[:segmentSize] + } + src = src[len(toDo):] + + idx := len(s.Out) + s.Out = s.compress1xDo(s.Out, toDo) + if len(s.Out)-idx > math.MaxUint16 { + // We cannot store the size in the jump table + return nil, ErrIncompressible + } + // Write compressed length as little endian before block. + if i < 3 { + // Last length is not written. + length := len(s.Out) - idx + s.Out[i*2+offsetIdx] = byte(length) + s.Out[i*2+offsetIdx+1] = byte(length >> 8) + } + } + + return s.Out, nil +} + +// compress4Xp will compress 4 streams using separate goroutines. +func (s *Scratch) compress4Xp(src []byte) ([]byte, error) { + if len(src) < 12 { + return nil, ErrIncompressible + } + // Add placeholder for output length + s.Out = s.Out[:6] + + segmentSize := (len(src) + 3) / 4 + var wg sync.WaitGroup + wg.Add(4) + for i := 0; i < 4; i++ { + toDo := src + if len(toDo) > segmentSize { + toDo = toDo[:segmentSize] + } + src = src[len(toDo):] + + // Separate goroutine for each block. + go func(i int) { + s.tmpOut[i] = s.compress1xDo(s.tmpOut[i][:0], toDo) + wg.Done() + }(i) + } + wg.Wait() + for i := 0; i < 4; i++ { + o := s.tmpOut[i] + if len(o) > math.MaxUint16 { + // We cannot store the size in the jump table + return nil, ErrIncompressible + } + // Write compressed length as little endian before block. + if i < 3 { + // Last length is not written. + s.Out[i*2] = byte(len(o)) + s.Out[i*2+1] = byte(len(o) >> 8) + } + + // Write output. + s.Out = append(s.Out, o...) + } + return s.Out, nil +} + +// countSimple will create a simple histogram in s.count. +// Returns the biggest count. +// Does not update s.clearCount. +func (s *Scratch) countSimple(in []byte) (max int, reuse bool) { + reuse = true + _ = s.count // Assert that s != nil to speed up the following loop. + for _, v := range in { + s.count[v]++ + } + m := uint32(0) + if len(s.prevTable) > 0 { + for i, v := range s.count[:] { + if v == 0 { + continue + } + if v > m { + m = v + } + s.symbolLen = uint16(i) + 1 + if i >= len(s.prevTable) { + reuse = false + } else if s.prevTable[i].nBits == 0 { + reuse = false + } + } + return int(m), reuse + } + for i, v := range s.count[:] { + if v == 0 { + continue + } + if v > m { + m = v + } + s.symbolLen = uint16(i) + 1 + } + return int(m), false +} + +func (s *Scratch) canUseTable(c cTable) bool { + if len(c) < int(s.symbolLen) { + return false + } + for i, v := range s.count[:s.symbolLen] { + if v != 0 && c[i].nBits == 0 { + return false + } + } + return true +} + +//lint:ignore U1000 used for debugging +func (s *Scratch) validateTable(c cTable) bool { + if len(c) < int(s.symbolLen) { + return false + } + for i, v := range s.count[:s.symbolLen] { + if v != 0 { + if c[i].nBits == 0 { + return false + } + if c[i].nBits > s.actualTableLog { + return false + } + } + } + return true +} + +// minTableLog provides the minimum logSize to safely represent a distribution. +func (s *Scratch) minTableLog() uint8 { + minBitsSrc := highBit32(uint32(s.srcLen)) + 1 + minBitsSymbols := highBit32(uint32(s.symbolLen-1)) + 2 + if minBitsSrc < minBitsSymbols { + return uint8(minBitsSrc) + } + return uint8(minBitsSymbols) +} + +// optimalTableLog calculates and sets the optimal tableLog in s.actualTableLog +func (s *Scratch) optimalTableLog() { + tableLog := s.TableLog + minBits := s.minTableLog() + maxBitsSrc := uint8(highBit32(uint32(s.srcLen-1))) - 1 + if maxBitsSrc < tableLog { + // Accuracy can be reduced + tableLog = maxBitsSrc + } + if minBits > tableLog { + tableLog = minBits + } + // Need a minimum to safely represent all symbol values + if tableLog < minTablelog { + tableLog = minTablelog + } + if tableLog > tableLogMax { + tableLog = tableLogMax + } + s.actualTableLog = tableLog +} + +type cTableEntry struct { + val uint16 + nBits uint8 + // We have 8 bits extra +} + +const huffNodesMask = huffNodesLen - 1 + +func (s *Scratch) buildCTable() error { + s.optimalTableLog() + s.huffSort() + if cap(s.cTable) < maxSymbolValue+1 { + s.cTable = make([]cTableEntry, s.symbolLen, maxSymbolValue+1) + } else { + s.cTable = s.cTable[:s.symbolLen] + for i := range s.cTable { + s.cTable[i] = cTableEntry{} + } + } + + var startNode = int16(s.symbolLen) + nonNullRank := s.symbolLen - 1 + + nodeNb := startNode + huffNode := s.nodes[1 : huffNodesLen+1] + + // This overlays the slice above, but allows "-1" index lookups. + // Different from reference implementation. + huffNode0 := s.nodes[0 : huffNodesLen+1] + + for huffNode[nonNullRank].count() == 0 { + nonNullRank-- + } + + lowS := int16(nonNullRank) + nodeRoot := nodeNb + lowS - 1 + lowN := nodeNb + huffNode[nodeNb].setCount(huffNode[lowS].count() + huffNode[lowS-1].count()) + huffNode[lowS].setParent(nodeNb) + huffNode[lowS-1].setParent(nodeNb) + nodeNb++ + lowS -= 2 + for n := nodeNb; n <= nodeRoot; n++ { + huffNode[n].setCount(1 << 30) + } + // fake entry, strong barrier + huffNode0[0].setCount(1 << 31) + + // create parents + for nodeNb <= nodeRoot { + var n1, n2 int16 + if huffNode0[lowS+1].count() < huffNode0[lowN+1].count() { + n1 = lowS + lowS-- + } else { + n1 = lowN + lowN++ + } + if huffNode0[lowS+1].count() < huffNode0[lowN+1].count() { + n2 = lowS + lowS-- + } else { + n2 = lowN + lowN++ + } + + huffNode[nodeNb].setCount(huffNode0[n1+1].count() + huffNode0[n2+1].count()) + huffNode0[n1+1].setParent(nodeNb) + huffNode0[n2+1].setParent(nodeNb) + nodeNb++ + } + + // distribute weights (unlimited tree height) + huffNode[nodeRoot].setNbBits(0) + for n := nodeRoot - 1; n >= startNode; n-- { + huffNode[n].setNbBits(huffNode[huffNode[n].parent()].nbBits() + 1) + } + for n := uint16(0); n <= nonNullRank; n++ { + huffNode[n].setNbBits(huffNode[huffNode[n].parent()].nbBits() + 1) + } + s.actualTableLog = s.setMaxHeight(int(nonNullRank)) + maxNbBits := s.actualTableLog + + // fill result into tree (val, nbBits) + if maxNbBits > tableLogMax { + return fmt.Errorf("internal error: maxNbBits (%d) > tableLogMax (%d)", maxNbBits, tableLogMax) + } + var nbPerRank [tableLogMax + 1]uint16 + var valPerRank [16]uint16 + for _, v := range huffNode[:nonNullRank+1] { + nbPerRank[v.nbBits()]++ + } + // determine stating value per rank + { + min := uint16(0) + for n := maxNbBits; n > 0; n-- { + // get starting value within each rank + valPerRank[n] = min + min += nbPerRank[n] + min >>= 1 + } + } + + // push nbBits per symbol, symbol order + for _, v := range huffNode[:nonNullRank+1] { + s.cTable[v.symbol()].nBits = v.nbBits() + } + + // assign value within rank, symbol order + t := s.cTable[:s.symbolLen] + for n, val := range t { + nbits := val.nBits & 15 + v := valPerRank[nbits] + t[n].val = v + valPerRank[nbits] = v + 1 + } + + return nil +} + +// huffSort will sort symbols, decreasing order. +func (s *Scratch) huffSort() { + type rankPos struct { + base uint32 + current uint32 + } + + // Clear nodes + nodes := s.nodes[:huffNodesLen+1] + s.nodes = nodes + nodes = nodes[1 : huffNodesLen+1] + + // Sort into buckets based on length of symbol count. + var rank [32]rankPos + for _, v := range s.count[:s.symbolLen] { + r := highBit32(v+1) & 31 + rank[r].base++ + } + // maxBitLength is log2(BlockSizeMax) + 1 + const maxBitLength = 18 + 1 + for n := maxBitLength; n > 0; n-- { + rank[n-1].base += rank[n].base + } + for n := range rank[:maxBitLength] { + rank[n].current = rank[n].base + } + for n, c := range s.count[:s.symbolLen] { + r := (highBit32(c+1) + 1) & 31 + pos := rank[r].current + rank[r].current++ + prev := nodes[(pos-1)&huffNodesMask] + for pos > rank[r].base && c > prev.count() { + nodes[pos&huffNodesMask] = prev + pos-- + prev = nodes[(pos-1)&huffNodesMask] + } + nodes[pos&huffNodesMask] = makeNodeElt(c, byte(n)) + } +} + +func (s *Scratch) setMaxHeight(lastNonNull int) uint8 { + maxNbBits := s.actualTableLog + huffNode := s.nodes[1 : huffNodesLen+1] + //huffNode = huffNode[: huffNodesLen] + + largestBits := huffNode[lastNonNull].nbBits() + + // early exit : no elt > maxNbBits + if largestBits <= maxNbBits { + return largestBits + } + totalCost := int(0) + baseCost := int(1) << (largestBits - maxNbBits) + n := uint32(lastNonNull) + + for huffNode[n].nbBits() > maxNbBits { + totalCost += baseCost - (1 << (largestBits - huffNode[n].nbBits())) + huffNode[n].setNbBits(maxNbBits) + n-- + } + // n stops at huffNode[n].nbBits <= maxNbBits + + for huffNode[n].nbBits() == maxNbBits { + n-- + } + // n end at index of smallest symbol using < maxNbBits + + // renorm totalCost + totalCost >>= largestBits - maxNbBits /* note : totalCost is necessarily a multiple of baseCost */ + + // repay normalized cost + { + const noSymbol = 0xF0F0F0F0 + var rankLast [tableLogMax + 2]uint32 + + for i := range rankLast[:] { + rankLast[i] = noSymbol + } + + // Get pos of last (smallest) symbol per rank + { + currentNbBits := maxNbBits + for pos := int(n); pos >= 0; pos-- { + if huffNode[pos].nbBits() >= currentNbBits { + continue + } + currentNbBits = huffNode[pos].nbBits() // < maxNbBits + rankLast[maxNbBits-currentNbBits] = uint32(pos) + } + } + + for totalCost > 0 { + nBitsToDecrease := uint8(highBit32(uint32(totalCost))) + 1 + + for ; nBitsToDecrease > 1; nBitsToDecrease-- { + highPos := rankLast[nBitsToDecrease] + lowPos := rankLast[nBitsToDecrease-1] + if highPos == noSymbol { + continue + } + if lowPos == noSymbol { + break + } + highTotal := huffNode[highPos].count() + lowTotal := 2 * huffNode[lowPos].count() + if highTotal <= lowTotal { + break + } + } + // only triggered when no more rank 1 symbol left => find closest one (note : there is necessarily at least one !) + // HUF_MAX_TABLELOG test just to please gcc 5+; but it should not be necessary + // FIXME: try to remove + for (nBitsToDecrease <= tableLogMax) && (rankLast[nBitsToDecrease] == noSymbol) { + nBitsToDecrease++ + } + totalCost -= 1 << (nBitsToDecrease - 1) + if rankLast[nBitsToDecrease-1] == noSymbol { + // this rank is no longer empty + rankLast[nBitsToDecrease-1] = rankLast[nBitsToDecrease] + } + huffNode[rankLast[nBitsToDecrease]].setNbBits(1 + + huffNode[rankLast[nBitsToDecrease]].nbBits()) + if rankLast[nBitsToDecrease] == 0 { + /* special case, reached largest symbol */ + rankLast[nBitsToDecrease] = noSymbol + } else { + rankLast[nBitsToDecrease]-- + if huffNode[rankLast[nBitsToDecrease]].nbBits() != maxNbBits-nBitsToDecrease { + rankLast[nBitsToDecrease] = noSymbol /* this rank is now empty */ + } + } + } + + for totalCost < 0 { /* Sometimes, cost correction overshoot */ + if rankLast[1] == noSymbol { /* special case : no rank 1 symbol (using maxNbBits-1); let's create one from largest rank 0 (using maxNbBits) */ + for huffNode[n].nbBits() == maxNbBits { + n-- + } + huffNode[n+1].setNbBits(huffNode[n+1].nbBits() - 1) + rankLast[1] = n + 1 + totalCost++ + continue + } + huffNode[rankLast[1]+1].setNbBits(huffNode[rankLast[1]+1].nbBits() - 1) + rankLast[1]++ + totalCost++ + } + } + return maxNbBits +} + +// A nodeElt is the fields +// +// count uint32 +// parent uint16 +// symbol byte +// nbBits uint8 +// +// in some order, all squashed into an integer so that the compiler +// always loads and stores entire nodeElts instead of separate fields. +type nodeElt uint64 + +func makeNodeElt(count uint32, symbol byte) nodeElt { + return nodeElt(count) | nodeElt(symbol)<<48 +} + +func (e *nodeElt) count() uint32 { return uint32(*e) } +func (e *nodeElt) parent() uint16 { return uint16(*e >> 32) } +func (e *nodeElt) symbol() byte { return byte(*e >> 48) } +func (e *nodeElt) nbBits() uint8 { return uint8(*e >> 56) } + +func (e *nodeElt) setCount(c uint32) { *e = (*e)&0xffffffff00000000 | nodeElt(c) } +func (e *nodeElt) setParent(p int16) { *e = (*e)&0xffff0000ffffffff | nodeElt(uint16(p))<<32 } +func (e *nodeElt) setNbBits(n uint8) { *e = (*e)&0x00ffffffffffffff | nodeElt(n)<<56 } diff --git a/vendor/github.com/klauspost/compress/huff0/decompress.go b/vendor/github.com/klauspost/compress/huff0/decompress.go new file mode 100644 index 0000000000..0f56b02d74 --- /dev/null +++ b/vendor/github.com/klauspost/compress/huff0/decompress.go @@ -0,0 +1,1167 @@ +package huff0 + +import ( + "errors" + "fmt" + "io" + "sync" + + "github.com/klauspost/compress/fse" +) + +type dTable struct { + single []dEntrySingle +} + +// single-symbols decoding +type dEntrySingle struct { + entry uint16 +} + +// Uses special code for all tables that are < 8 bits. +const use8BitTables = true + +// ReadTable will read a table from the input. +// The size of the input may be larger than the table definition. +// Any content remaining after the table definition will be returned. +// If no Scratch is provided a new one is allocated. +// The returned Scratch can be used for encoding or decoding input using this table. +func ReadTable(in []byte, s *Scratch) (s2 *Scratch, remain []byte, err error) { + s, err = s.prepare(nil) + if err != nil { + return s, nil, err + } + if len(in) <= 1 { + return s, nil, errors.New("input too small for table") + } + iSize := in[0] + in = in[1:] + if iSize >= 128 { + // Uncompressed + oSize := iSize - 127 + iSize = (oSize + 1) / 2 + if int(iSize) > len(in) { + return s, nil, errors.New("input too small for table") + } + for n := uint8(0); n < oSize; n += 2 { + v := in[n/2] + s.huffWeight[n] = v >> 4 + s.huffWeight[n+1] = v & 15 + } + s.symbolLen = uint16(oSize) + in = in[iSize:] + } else { + if len(in) < int(iSize) { + return s, nil, fmt.Errorf("input too small for table, want %d bytes, have %d", iSize, len(in)) + } + // FSE compressed weights + s.fse.DecompressLimit = 255 + hw := s.huffWeight[:] + s.fse.Out = hw + b, err := fse.Decompress(in[:iSize], s.fse) + s.fse.Out = nil + if err != nil { + return s, nil, fmt.Errorf("fse decompress returned: %w", err) + } + if len(b) > 255 { + return s, nil, errors.New("corrupt input: output table too large") + } + s.symbolLen = uint16(len(b)) + in = in[iSize:] + } + + // collect weight stats + var rankStats [16]uint32 + weightTotal := uint32(0) + for _, v := range s.huffWeight[:s.symbolLen] { + if v > tableLogMax { + return s, nil, errors.New("corrupt input: weight too large") + } + v2 := v & 15 + rankStats[v2]++ + // (1 << (v2-1)) is slower since the compiler cannot prove that v2 isn't 0. + weightTotal += (1 << v2) >> 1 + } + if weightTotal == 0 { + return s, nil, errors.New("corrupt input: weights zero") + } + + // get last non-null symbol weight (implied, total must be 2^n) + { + tableLog := highBit32(weightTotal) + 1 + if tableLog > tableLogMax { + return s, nil, errors.New("corrupt input: tableLog too big") + } + s.actualTableLog = uint8(tableLog) + // determine last weight + { + total := uint32(1) << tableLog + rest := total - weightTotal + verif := uint32(1) << highBit32(rest) + lastWeight := highBit32(rest) + 1 + if verif != rest { + // last value must be a clean power of 2 + return s, nil, errors.New("corrupt input: last value not power of two") + } + s.huffWeight[s.symbolLen] = uint8(lastWeight) + s.symbolLen++ + rankStats[lastWeight]++ + } + } + + if (rankStats[1] < 2) || (rankStats[1]&1 != 0) { + // by construction : at least 2 elts of rank 1, must be even + return s, nil, errors.New("corrupt input: min elt size, even check failed ") + } + + // TODO: Choose between single/double symbol decoding + + // Calculate starting value for each rank + { + var nextRankStart uint32 + for n := uint8(1); n < s.actualTableLog+1; n++ { + current := nextRankStart + nextRankStart += rankStats[n] << (n - 1) + rankStats[n] = current + } + } + + // fill DTable (always full size) + tSize := 1 << tableLogMax + if len(s.dt.single) != tSize { + s.dt.single = make([]dEntrySingle, tSize) + } + cTable := s.prevTable + if cap(cTable) < maxSymbolValue+1 { + cTable = make([]cTableEntry, 0, maxSymbolValue+1) + } + cTable = cTable[:maxSymbolValue+1] + s.prevTable = cTable[:s.symbolLen] + s.prevTableLog = s.actualTableLog + + for n, w := range s.huffWeight[:s.symbolLen] { + if w == 0 { + cTable[n] = cTableEntry{ + val: 0, + nBits: 0, + } + continue + } + length := (uint32(1) << w) >> 1 + d := dEntrySingle{ + entry: uint16(s.actualTableLog+1-w) | (uint16(n) << 8), + } + + rank := &rankStats[w] + cTable[n] = cTableEntry{ + val: uint16(*rank >> (w - 1)), + nBits: uint8(d.entry), + } + + single := s.dt.single[*rank : *rank+length] + for i := range single { + single[i] = d + } + *rank += length + } + + return s, in, nil +} + +// Decompress1X will decompress a 1X encoded stream. +// The length of the supplied input must match the end of a block exactly. +// Before this is called, the table must be initialized with ReadTable unless +// the encoder re-used the table. +// deprecated: Use the stateless Decoder() to get a concurrent version. +func (s *Scratch) Decompress1X(in []byte) (out []byte, err error) { + if cap(s.Out) < s.MaxDecodedSize { + s.Out = make([]byte, s.MaxDecodedSize) + } + s.Out = s.Out[:0:s.MaxDecodedSize] + s.Out, err = s.Decoder().Decompress1X(s.Out, in) + return s.Out, err +} + +// Decompress4X will decompress a 4X encoded stream. +// Before this is called, the table must be initialized with ReadTable unless +// the encoder re-used the table. +// The length of the supplied input must match the end of a block exactly. +// The destination size of the uncompressed data must be known and provided. +// deprecated: Use the stateless Decoder() to get a concurrent version. +func (s *Scratch) Decompress4X(in []byte, dstSize int) (out []byte, err error) { + if dstSize > s.MaxDecodedSize { + return nil, ErrMaxDecodedSizeExceeded + } + if cap(s.Out) < dstSize { + s.Out = make([]byte, s.MaxDecodedSize) + } + s.Out = s.Out[:0:dstSize] + s.Out, err = s.Decoder().Decompress4X(s.Out, in) + return s.Out, err +} + +// Decoder will return a stateless decoder that can be used by multiple +// decompressors concurrently. +// Before this is called, the table must be initialized with ReadTable. +// The Decoder is still linked to the scratch buffer so that cannot be reused. +// However, it is safe to discard the scratch. +func (s *Scratch) Decoder() *Decoder { + return &Decoder{ + dt: s.dt, + actualTableLog: s.actualTableLog, + bufs: &s.decPool, + } +} + +// Decoder provides stateless decoding. +type Decoder struct { + dt dTable + actualTableLog uint8 + bufs *sync.Pool +} + +func (d *Decoder) buffer() *[4][256]byte { + buf, ok := d.bufs.Get().(*[4][256]byte) + if ok { + return buf + } + return &[4][256]byte{} +} + +// decompress1X8Bit will decompress a 1X encoded stream with tablelog <= 8. +// The cap of the output buffer will be the maximum decompressed size. +// The length of the supplied input must match the end of a block exactly. +func (d *Decoder) decompress1X8Bit(dst, src []byte) ([]byte, error) { + if d.actualTableLog == 8 { + return d.decompress1X8BitExactly(dst, src) + } + var br bitReaderBytes + err := br.init(src) + if err != nil { + return dst, err + } + maxDecodedSize := cap(dst) + dst = dst[:0] + + // Avoid bounds check by always having full sized table. + dt := d.dt.single[:256] + + // Use temp table to avoid bound checks/append penalty. + bufs := d.buffer() + buf := &bufs[0] + var off uint8 + + switch d.actualTableLog { + case 8: + const shift = 0 + for br.off >= 4 { + br.fillFast() + v := dt[uint8(br.value>>(56+shift))] + br.advance(uint8(v.entry)) + buf[off+0] = uint8(v.entry >> 8) + + v = dt[uint8(br.value>>(56+shift))] + br.advance(uint8(v.entry)) + buf[off+1] = uint8(v.entry >> 8) + + v = dt[uint8(br.value>>(56+shift))] + br.advance(uint8(v.entry)) + buf[off+2] = uint8(v.entry >> 8) + + v = dt[uint8(br.value>>(56+shift))] + br.advance(uint8(v.entry)) + buf[off+3] = uint8(v.entry >> 8) + + off += 4 + if off == 0 { + if len(dst)+256 > maxDecodedSize { + br.close() + d.bufs.Put(bufs) + return nil, ErrMaxDecodedSizeExceeded + } + dst = append(dst, buf[:]...) + } + } + case 7: + const shift = 8 - 7 + for br.off >= 4 { + br.fillFast() + v := dt[uint8(br.value>>(56+shift))] + br.advance(uint8(v.entry)) + buf[off+0] = uint8(v.entry >> 8) + + v = dt[uint8(br.value>>(56+shift))] + br.advance(uint8(v.entry)) + buf[off+1] = uint8(v.entry >> 8) + + v = dt[uint8(br.value>>(56+shift))] + br.advance(uint8(v.entry)) + buf[off+2] = uint8(v.entry >> 8) + + v = dt[uint8(br.value>>(56+shift))] + br.advance(uint8(v.entry)) + buf[off+3] = uint8(v.entry >> 8) + + off += 4 + if off == 0 { + if len(dst)+256 > maxDecodedSize { + br.close() + d.bufs.Put(bufs) + return nil, ErrMaxDecodedSizeExceeded + } + dst = append(dst, buf[:]...) + } + } + case 6: + const shift = 8 - 6 + for br.off >= 4 { + br.fillFast() + v := dt[uint8(br.value>>(56+shift))] + br.advance(uint8(v.entry)) + buf[off+0] = uint8(v.entry >> 8) + + v = dt[uint8(br.value>>(56+shift))] + br.advance(uint8(v.entry)) + buf[off+1] = uint8(v.entry >> 8) + + v = dt[uint8(br.value>>(56+shift))] + br.advance(uint8(v.entry)) + buf[off+2] = uint8(v.entry >> 8) + + v = dt[uint8(br.value>>(56+shift))] + br.advance(uint8(v.entry)) + buf[off+3] = uint8(v.entry >> 8) + + off += 4 + if off == 0 { + if len(dst)+256 > maxDecodedSize { + d.bufs.Put(bufs) + br.close() + return nil, ErrMaxDecodedSizeExceeded + } + dst = append(dst, buf[:]...) + } + } + case 5: + const shift = 8 - 5 + for br.off >= 4 { + br.fillFast() + v := dt[uint8(br.value>>(56+shift))] + br.advance(uint8(v.entry)) + buf[off+0] = uint8(v.entry >> 8) + + v = dt[uint8(br.value>>(56+shift))] + br.advance(uint8(v.entry)) + buf[off+1] = uint8(v.entry >> 8) + + v = dt[uint8(br.value>>(56+shift))] + br.advance(uint8(v.entry)) + buf[off+2] = uint8(v.entry >> 8) + + v = dt[uint8(br.value>>(56+shift))] + br.advance(uint8(v.entry)) + buf[off+3] = uint8(v.entry >> 8) + + off += 4 + if off == 0 { + if len(dst)+256 > maxDecodedSize { + d.bufs.Put(bufs) + br.close() + return nil, ErrMaxDecodedSizeExceeded + } + dst = append(dst, buf[:]...) + } + } + case 4: + const shift = 8 - 4 + for br.off >= 4 { + br.fillFast() + v := dt[uint8(br.value>>(56+shift))] + br.advance(uint8(v.entry)) + buf[off+0] = uint8(v.entry >> 8) + + v = dt[uint8(br.value>>(56+shift))] + br.advance(uint8(v.entry)) + buf[off+1] = uint8(v.entry >> 8) + + v = dt[uint8(br.value>>(56+shift))] + br.advance(uint8(v.entry)) + buf[off+2] = uint8(v.entry >> 8) + + v = dt[uint8(br.value>>(56+shift))] + br.advance(uint8(v.entry)) + buf[off+3] = uint8(v.entry >> 8) + + off += 4 + if off == 0 { + if len(dst)+256 > maxDecodedSize { + d.bufs.Put(bufs) + br.close() + return nil, ErrMaxDecodedSizeExceeded + } + dst = append(dst, buf[:]...) + } + } + case 3: + const shift = 8 - 3 + for br.off >= 4 { + br.fillFast() + v := dt[uint8(br.value>>(56+shift))] + br.advance(uint8(v.entry)) + buf[off+0] = uint8(v.entry >> 8) + + v = dt[uint8(br.value>>(56+shift))] + br.advance(uint8(v.entry)) + buf[off+1] = uint8(v.entry >> 8) + + v = dt[uint8(br.value>>(56+shift))] + br.advance(uint8(v.entry)) + buf[off+2] = uint8(v.entry >> 8) + + v = dt[uint8(br.value>>(56+shift))] + br.advance(uint8(v.entry)) + buf[off+3] = uint8(v.entry >> 8) + + off += 4 + if off == 0 { + if len(dst)+256 > maxDecodedSize { + d.bufs.Put(bufs) + br.close() + return nil, ErrMaxDecodedSizeExceeded + } + dst = append(dst, buf[:]...) + } + } + case 2: + const shift = 8 - 2 + for br.off >= 4 { + br.fillFast() + v := dt[uint8(br.value>>(56+shift))] + br.advance(uint8(v.entry)) + buf[off+0] = uint8(v.entry >> 8) + + v = dt[uint8(br.value>>(56+shift))] + br.advance(uint8(v.entry)) + buf[off+1] = uint8(v.entry >> 8) + + v = dt[uint8(br.value>>(56+shift))] + br.advance(uint8(v.entry)) + buf[off+2] = uint8(v.entry >> 8) + + v = dt[uint8(br.value>>(56+shift))] + br.advance(uint8(v.entry)) + buf[off+3] = uint8(v.entry >> 8) + + off += 4 + if off == 0 { + if len(dst)+256 > maxDecodedSize { + d.bufs.Put(bufs) + br.close() + return nil, ErrMaxDecodedSizeExceeded + } + dst = append(dst, buf[:]...) + } + } + case 1: + const shift = 8 - 1 + for br.off >= 4 { + br.fillFast() + v := dt[uint8(br.value>>(56+shift))] + br.advance(uint8(v.entry)) + buf[off+0] = uint8(v.entry >> 8) + + v = dt[uint8(br.value>>(56+shift))] + br.advance(uint8(v.entry)) + buf[off+1] = uint8(v.entry >> 8) + + v = dt[uint8(br.value>>(56+shift))] + br.advance(uint8(v.entry)) + buf[off+2] = uint8(v.entry >> 8) + + v = dt[uint8(br.value>>(56+shift))] + br.advance(uint8(v.entry)) + buf[off+3] = uint8(v.entry >> 8) + + off += 4 + if off == 0 { + if len(dst)+256 > maxDecodedSize { + d.bufs.Put(bufs) + br.close() + return nil, ErrMaxDecodedSizeExceeded + } + dst = append(dst, buf[:]...) + } + } + default: + d.bufs.Put(bufs) + return nil, fmt.Errorf("invalid tablelog: %d", d.actualTableLog) + } + + if len(dst)+int(off) > maxDecodedSize { + d.bufs.Put(bufs) + br.close() + return nil, ErrMaxDecodedSizeExceeded + } + dst = append(dst, buf[:off]...) + + // br < 4, so uint8 is fine + bitsLeft := int8(uint8(br.off)*8 + (64 - br.bitsRead)) + shift := (8 - d.actualTableLog) & 7 + + for bitsLeft > 0 { + if br.bitsRead >= 64-8 { + for br.off > 0 { + br.value |= uint64(br.in[br.off-1]) << (br.bitsRead - 8) + br.bitsRead -= 8 + br.off-- + } + } + if len(dst) >= maxDecodedSize { + br.close() + d.bufs.Put(bufs) + return nil, ErrMaxDecodedSizeExceeded + } + v := dt[br.peekByteFast()>>shift] + nBits := uint8(v.entry) + br.advance(nBits) + bitsLeft -= int8(nBits) + dst = append(dst, uint8(v.entry>>8)) + } + d.bufs.Put(bufs) + return dst, br.close() +} + +// decompress1X8Bit will decompress a 1X encoded stream with tablelog <= 8. +// The cap of the output buffer will be the maximum decompressed size. +// The length of the supplied input must match the end of a block exactly. +func (d *Decoder) decompress1X8BitExactly(dst, src []byte) ([]byte, error) { + var br bitReaderBytes + err := br.init(src) + if err != nil { + return dst, err + } + maxDecodedSize := cap(dst) + dst = dst[:0] + + // Avoid bounds check by always having full sized table. + dt := d.dt.single[:256] + + // Use temp table to avoid bound checks/append penalty. + bufs := d.buffer() + buf := &bufs[0] + var off uint8 + + const shift = 56 + + //fmt.Printf("mask: %b, tl:%d\n", mask, d.actualTableLog) + for br.off >= 4 { + br.fillFast() + v := dt[uint8(br.value>>shift)] + br.advance(uint8(v.entry)) + buf[off+0] = uint8(v.entry >> 8) + + v = dt[uint8(br.value>>shift)] + br.advance(uint8(v.entry)) + buf[off+1] = uint8(v.entry >> 8) + + v = dt[uint8(br.value>>shift)] + br.advance(uint8(v.entry)) + buf[off+2] = uint8(v.entry >> 8) + + v = dt[uint8(br.value>>shift)] + br.advance(uint8(v.entry)) + buf[off+3] = uint8(v.entry >> 8) + + off += 4 + if off == 0 { + if len(dst)+256 > maxDecodedSize { + d.bufs.Put(bufs) + br.close() + return nil, ErrMaxDecodedSizeExceeded + } + dst = append(dst, buf[:]...) + } + } + + if len(dst)+int(off) > maxDecodedSize { + d.bufs.Put(bufs) + br.close() + return nil, ErrMaxDecodedSizeExceeded + } + dst = append(dst, buf[:off]...) + + // br < 4, so uint8 is fine + bitsLeft := int8(uint8(br.off)*8 + (64 - br.bitsRead)) + for bitsLeft > 0 { + if br.bitsRead >= 64-8 { + for br.off > 0 { + br.value |= uint64(br.in[br.off-1]) << (br.bitsRead - 8) + br.bitsRead -= 8 + br.off-- + } + } + if len(dst) >= maxDecodedSize { + d.bufs.Put(bufs) + br.close() + return nil, ErrMaxDecodedSizeExceeded + } + v := dt[br.peekByteFast()] + nBits := uint8(v.entry) + br.advance(nBits) + bitsLeft -= int8(nBits) + dst = append(dst, uint8(v.entry>>8)) + } + d.bufs.Put(bufs) + return dst, br.close() +} + +// Decompress4X will decompress a 4X encoded stream. +// The length of the supplied input must match the end of a block exactly. +// The *capacity* of the dst slice must match the destination size of +// the uncompressed data exactly. +func (d *Decoder) decompress4X8bit(dst, src []byte) ([]byte, error) { + if d.actualTableLog == 8 { + return d.decompress4X8bitExactly(dst, src) + } + + var br [4]bitReaderBytes + start := 6 + for i := 0; i < 3; i++ { + length := int(src[i*2]) | (int(src[i*2+1]) << 8) + if start+length >= len(src) { + return nil, errors.New("truncated input (or invalid offset)") + } + err := br[i].init(src[start : start+length]) + if err != nil { + return nil, err + } + start += length + } + err := br[3].init(src[start:]) + if err != nil { + return nil, err + } + + // destination, offset to match first output + dstSize := cap(dst) + dst = dst[:dstSize] + out := dst + dstEvery := (dstSize + 3) / 4 + + shift := (56 + (8 - d.actualTableLog)) & 63 + + const tlSize = 1 << 8 + single := d.dt.single[:tlSize] + + // Use temp table to avoid bound checks/append penalty. + buf := d.buffer() + var off uint8 + var decoded int + + // Decode 4 values from each decoder/loop. + const bufoff = 256 + for { + if br[0].off < 4 || br[1].off < 4 || br[2].off < 4 || br[3].off < 4 { + break + } + + { + // Interleave 2 decodes. + const stream = 0 + const stream2 = 1 + br1 := &br[stream] + br2 := &br[stream2] + br1.fillFast() + br2.fillFast() + + v := single[uint8(br1.value>>shift)].entry + v2 := single[uint8(br2.value>>shift)].entry + br1.bitsRead += uint8(v) + br1.value <<= v & 63 + br2.bitsRead += uint8(v2) + br2.value <<= v2 & 63 + buf[stream][off] = uint8(v >> 8) + buf[stream2][off] = uint8(v2 >> 8) + + v = single[uint8(br1.value>>shift)].entry + v2 = single[uint8(br2.value>>shift)].entry + br1.bitsRead += uint8(v) + br1.value <<= v & 63 + br2.bitsRead += uint8(v2) + br2.value <<= v2 & 63 + buf[stream][off+1] = uint8(v >> 8) + buf[stream2][off+1] = uint8(v2 >> 8) + + v = single[uint8(br1.value>>shift)].entry + v2 = single[uint8(br2.value>>shift)].entry + br1.bitsRead += uint8(v) + br1.value <<= v & 63 + br2.bitsRead += uint8(v2) + br2.value <<= v2 & 63 + buf[stream][off+2] = uint8(v >> 8) + buf[stream2][off+2] = uint8(v2 >> 8) + + v = single[uint8(br1.value>>shift)].entry + v2 = single[uint8(br2.value>>shift)].entry + br1.bitsRead += uint8(v) + br1.value <<= v & 63 + br2.bitsRead += uint8(v2) + br2.value <<= v2 & 63 + buf[stream][off+3] = uint8(v >> 8) + buf[stream2][off+3] = uint8(v2 >> 8) + } + + { + const stream = 2 + const stream2 = 3 + br1 := &br[stream] + br2 := &br[stream2] + br1.fillFast() + br2.fillFast() + + v := single[uint8(br1.value>>shift)].entry + v2 := single[uint8(br2.value>>shift)].entry + br1.bitsRead += uint8(v) + br1.value <<= v & 63 + br2.bitsRead += uint8(v2) + br2.value <<= v2 & 63 + buf[stream][off] = uint8(v >> 8) + buf[stream2][off] = uint8(v2 >> 8) + + v = single[uint8(br1.value>>shift)].entry + v2 = single[uint8(br2.value>>shift)].entry + br1.bitsRead += uint8(v) + br1.value <<= v & 63 + br2.bitsRead += uint8(v2) + br2.value <<= v2 & 63 + buf[stream][off+1] = uint8(v >> 8) + buf[stream2][off+1] = uint8(v2 >> 8) + + v = single[uint8(br1.value>>shift)].entry + v2 = single[uint8(br2.value>>shift)].entry + br1.bitsRead += uint8(v) + br1.value <<= v & 63 + br2.bitsRead += uint8(v2) + br2.value <<= v2 & 63 + buf[stream][off+2] = uint8(v >> 8) + buf[stream2][off+2] = uint8(v2 >> 8) + + v = single[uint8(br1.value>>shift)].entry + v2 = single[uint8(br2.value>>shift)].entry + br1.bitsRead += uint8(v) + br1.value <<= v & 63 + br2.bitsRead += uint8(v2) + br2.value <<= v2 & 63 + buf[stream][off+3] = uint8(v >> 8) + buf[stream2][off+3] = uint8(v2 >> 8) + } + + off += 4 + + if off == 0 { + if bufoff > dstEvery { + d.bufs.Put(buf) + return nil, errors.New("corruption detected: stream overrun 1") + } + // There must at least be 3 buffers left. + if len(out)-bufoff < dstEvery*3 { + d.bufs.Put(buf) + return nil, errors.New("corruption detected: stream overrun 2") + } + //copy(out, buf[0][:]) + //copy(out[dstEvery:], buf[1][:]) + //copy(out[dstEvery*2:], buf[2][:]) + *(*[bufoff]byte)(out) = buf[0] + *(*[bufoff]byte)(out[dstEvery:]) = buf[1] + *(*[bufoff]byte)(out[dstEvery*2:]) = buf[2] + *(*[bufoff]byte)(out[dstEvery*3:]) = buf[3] + out = out[bufoff:] + decoded += bufoff * 4 + } + } + if off > 0 { + ioff := int(off) + if len(out) < dstEvery*3+ioff { + d.bufs.Put(buf) + return nil, errors.New("corruption detected: stream overrun 3") + } + copy(out, buf[0][:off]) + copy(out[dstEvery:], buf[1][:off]) + copy(out[dstEvery*2:], buf[2][:off]) + copy(out[dstEvery*3:], buf[3][:off]) + decoded += int(off) * 4 + out = out[off:] + } + + // Decode remaining. + // Decode remaining. + remainBytes := dstEvery - (decoded / 4) + for i := range br { + offset := dstEvery * i + endsAt := offset + remainBytes + if endsAt > len(out) { + endsAt = len(out) + } + br := &br[i] + bitsLeft := br.remaining() + for bitsLeft > 0 { + if br.finished() { + d.bufs.Put(buf) + return nil, io.ErrUnexpectedEOF + } + if br.bitsRead >= 56 { + if br.off >= 4 { + v := br.in[br.off-4:] + v = v[:4] + low := (uint32(v[0])) | (uint32(v[1]) << 8) | (uint32(v[2]) << 16) | (uint32(v[3]) << 24) + br.value |= uint64(low) << (br.bitsRead - 32) + br.bitsRead -= 32 + br.off -= 4 + } else { + for br.off > 0 { + br.value |= uint64(br.in[br.off-1]) << (br.bitsRead - 8) + br.bitsRead -= 8 + br.off-- + } + } + } + // end inline... + if offset >= endsAt { + d.bufs.Put(buf) + return nil, errors.New("corruption detected: stream overrun 4") + } + + // Read value and increment offset. + v := single[uint8(br.value>>shift)].entry + nBits := uint8(v) + br.advance(nBits) + bitsLeft -= uint(nBits) + out[offset] = uint8(v >> 8) + offset++ + } + if offset != endsAt { + d.bufs.Put(buf) + return nil, fmt.Errorf("corruption detected: short output block %d, end %d != %d", i, offset, endsAt) + } + decoded += offset - dstEvery*i + err = br.close() + if err != nil { + d.bufs.Put(buf) + return nil, err + } + } + d.bufs.Put(buf) + if dstSize != decoded { + return nil, errors.New("corruption detected: short output block") + } + return dst, nil +} + +// Decompress4X will decompress a 4X encoded stream. +// The length of the supplied input must match the end of a block exactly. +// The *capacity* of the dst slice must match the destination size of +// the uncompressed data exactly. +func (d *Decoder) decompress4X8bitExactly(dst, src []byte) ([]byte, error) { + var br [4]bitReaderBytes + start := 6 + for i := 0; i < 3; i++ { + length := int(src[i*2]) | (int(src[i*2+1]) << 8) + if start+length >= len(src) { + return nil, errors.New("truncated input (or invalid offset)") + } + err := br[i].init(src[start : start+length]) + if err != nil { + return nil, err + } + start += length + } + err := br[3].init(src[start:]) + if err != nil { + return nil, err + } + + // destination, offset to match first output + dstSize := cap(dst) + dst = dst[:dstSize] + out := dst + dstEvery := (dstSize + 3) / 4 + + const shift = 56 + const tlSize = 1 << 8 + single := d.dt.single[:tlSize] + + // Use temp table to avoid bound checks/append penalty. + buf := d.buffer() + var off uint8 + var decoded int + + // Decode 4 values from each decoder/loop. + const bufoff = 256 + for { + if br[0].off < 4 || br[1].off < 4 || br[2].off < 4 || br[3].off < 4 { + break + } + + { + // Interleave 2 decodes. + const stream = 0 + const stream2 = 1 + br1 := &br[stream] + br2 := &br[stream2] + br1.fillFast() + br2.fillFast() + + v := single[uint8(br1.value>>shift)].entry + v2 := single[uint8(br2.value>>shift)].entry + br1.bitsRead += uint8(v) + br1.value <<= v & 63 + br2.bitsRead += uint8(v2) + br2.value <<= v2 & 63 + buf[stream][off] = uint8(v >> 8) + buf[stream2][off] = uint8(v2 >> 8) + + v = single[uint8(br1.value>>shift)].entry + v2 = single[uint8(br2.value>>shift)].entry + br1.bitsRead += uint8(v) + br1.value <<= v & 63 + br2.bitsRead += uint8(v2) + br2.value <<= v2 & 63 + buf[stream][off+1] = uint8(v >> 8) + buf[stream2][off+1] = uint8(v2 >> 8) + + v = single[uint8(br1.value>>shift)].entry + v2 = single[uint8(br2.value>>shift)].entry + br1.bitsRead += uint8(v) + br1.value <<= v & 63 + br2.bitsRead += uint8(v2) + br2.value <<= v2 & 63 + buf[stream][off+2] = uint8(v >> 8) + buf[stream2][off+2] = uint8(v2 >> 8) + + v = single[uint8(br1.value>>shift)].entry + v2 = single[uint8(br2.value>>shift)].entry + br1.bitsRead += uint8(v) + br1.value <<= v & 63 + br2.bitsRead += uint8(v2) + br2.value <<= v2 & 63 + buf[stream][off+3] = uint8(v >> 8) + buf[stream2][off+3] = uint8(v2 >> 8) + } + + { + const stream = 2 + const stream2 = 3 + br1 := &br[stream] + br2 := &br[stream2] + br1.fillFast() + br2.fillFast() + + v := single[uint8(br1.value>>shift)].entry + v2 := single[uint8(br2.value>>shift)].entry + br1.bitsRead += uint8(v) + br1.value <<= v & 63 + br2.bitsRead += uint8(v2) + br2.value <<= v2 & 63 + buf[stream][off] = uint8(v >> 8) + buf[stream2][off] = uint8(v2 >> 8) + + v = single[uint8(br1.value>>shift)].entry + v2 = single[uint8(br2.value>>shift)].entry + br1.bitsRead += uint8(v) + br1.value <<= v & 63 + br2.bitsRead += uint8(v2) + br2.value <<= v2 & 63 + buf[stream][off+1] = uint8(v >> 8) + buf[stream2][off+1] = uint8(v2 >> 8) + + v = single[uint8(br1.value>>shift)].entry + v2 = single[uint8(br2.value>>shift)].entry + br1.bitsRead += uint8(v) + br1.value <<= v & 63 + br2.bitsRead += uint8(v2) + br2.value <<= v2 & 63 + buf[stream][off+2] = uint8(v >> 8) + buf[stream2][off+2] = uint8(v2 >> 8) + + v = single[uint8(br1.value>>shift)].entry + v2 = single[uint8(br2.value>>shift)].entry + br1.bitsRead += uint8(v) + br1.value <<= v & 63 + br2.bitsRead += uint8(v2) + br2.value <<= v2 & 63 + buf[stream][off+3] = uint8(v >> 8) + buf[stream2][off+3] = uint8(v2 >> 8) + } + + off += 4 + + if off == 0 { + if bufoff > dstEvery { + d.bufs.Put(buf) + return nil, errors.New("corruption detected: stream overrun 1") + } + // There must at least be 3 buffers left. + if len(out)-bufoff < dstEvery*3 { + d.bufs.Put(buf) + return nil, errors.New("corruption detected: stream overrun 2") + } + + //copy(out, buf[0][:]) + //copy(out[dstEvery:], buf[1][:]) + //copy(out[dstEvery*2:], buf[2][:]) + // copy(out[dstEvery*3:], buf[3][:]) + *(*[bufoff]byte)(out) = buf[0] + *(*[bufoff]byte)(out[dstEvery:]) = buf[1] + *(*[bufoff]byte)(out[dstEvery*2:]) = buf[2] + *(*[bufoff]byte)(out[dstEvery*3:]) = buf[3] + out = out[bufoff:] + decoded += bufoff * 4 + } + } + if off > 0 { + ioff := int(off) + if len(out) < dstEvery*3+ioff { + return nil, errors.New("corruption detected: stream overrun 3") + } + copy(out, buf[0][:off]) + copy(out[dstEvery:], buf[1][:off]) + copy(out[dstEvery*2:], buf[2][:off]) + copy(out[dstEvery*3:], buf[3][:off]) + decoded += int(off) * 4 + out = out[off:] + } + + // Decode remaining. + remainBytes := dstEvery - (decoded / 4) + for i := range br { + offset := dstEvery * i + endsAt := offset + remainBytes + if endsAt > len(out) { + endsAt = len(out) + } + br := &br[i] + bitsLeft := br.remaining() + for bitsLeft > 0 { + if br.finished() { + d.bufs.Put(buf) + return nil, io.ErrUnexpectedEOF + } + if br.bitsRead >= 56 { + if br.off >= 4 { + v := br.in[br.off-4:] + v = v[:4] + low := (uint32(v[0])) | (uint32(v[1]) << 8) | (uint32(v[2]) << 16) | (uint32(v[3]) << 24) + br.value |= uint64(low) << (br.bitsRead - 32) + br.bitsRead -= 32 + br.off -= 4 + } else { + for br.off > 0 { + br.value |= uint64(br.in[br.off-1]) << (br.bitsRead - 8) + br.bitsRead -= 8 + br.off-- + } + } + } + // end inline... + if offset >= endsAt { + d.bufs.Put(buf) + return nil, errors.New("corruption detected: stream overrun 4") + } + + // Read value and increment offset. + v := single[br.peekByteFast()].entry + nBits := uint8(v) + br.advance(nBits) + bitsLeft -= uint(nBits) + out[offset] = uint8(v >> 8) + offset++ + } + if offset != endsAt { + d.bufs.Put(buf) + return nil, fmt.Errorf("corruption detected: short output block %d, end %d != %d", i, offset, endsAt) + } + + decoded += offset - dstEvery*i + err = br.close() + if err != nil { + d.bufs.Put(buf) + return nil, err + } + } + d.bufs.Put(buf) + if dstSize != decoded { + return nil, errors.New("corruption detected: short output block") + } + return dst, nil +} + +// matches will compare a decoding table to a coding table. +// Errors are written to the writer. +// Nothing will be written if table is ok. +func (s *Scratch) matches(ct cTable, w io.Writer) { + if s == nil || len(s.dt.single) == 0 { + return + } + dt := s.dt.single[:1<>8) == byte(sym) { + fmt.Fprintf(w, "symbol %x has decoder, but no encoder\n", sym) + errs++ + break + } + } + if errs == 0 { + broken-- + } + continue + } + // Unused bits in input + ub := tablelog - enc.nBits + top := enc.val << ub + // decoder looks at top bits. + dec := dt[top] + if uint8(dec.entry) != enc.nBits { + fmt.Fprintf(w, "symbol 0x%x bit size mismatch (enc: %d, dec:%d).\n", sym, enc.nBits, uint8(dec.entry)) + errs++ + } + if uint8(dec.entry>>8) != uint8(sym) { + fmt.Fprintf(w, "symbol 0x%x decoder output mismatch (enc: %d, dec:%d).\n", sym, sym, uint8(dec.entry>>8)) + errs++ + } + if errs > 0 { + fmt.Fprintf(w, "%d errors in base, stopping\n", errs) + continue + } + // Ensure that all combinations are covered. + for i := uint16(0); i < (1 << ub); i++ { + vval := top | i + dec := dt[vval] + if uint8(dec.entry) != enc.nBits { + fmt.Fprintf(w, "symbol 0x%x bit size mismatch (enc: %d, dec:%d).\n", vval, enc.nBits, uint8(dec.entry)) + errs++ + } + if uint8(dec.entry>>8) != uint8(sym) { + fmt.Fprintf(w, "symbol 0x%x decoder output mismatch (enc: %d, dec:%d).\n", vval, sym, uint8(dec.entry>>8)) + errs++ + } + if errs > 20 { + fmt.Fprintf(w, "%d errors, stopping\n", errs) + break + } + } + if errs == 0 { + ok++ + broken-- + } + } + if broken > 0 { + fmt.Fprintf(w, "%d broken, %d ok\n", broken, ok) + } +} diff --git a/vendor/github.com/klauspost/compress/huff0/decompress_amd64.go b/vendor/github.com/klauspost/compress/huff0/decompress_amd64.go new file mode 100644 index 0000000000..ba7e8e6b02 --- /dev/null +++ b/vendor/github.com/klauspost/compress/huff0/decompress_amd64.go @@ -0,0 +1,226 @@ +//go:build amd64 && !appengine && !noasm && gc +// +build amd64,!appengine,!noasm,gc + +// This file contains the specialisation of Decoder.Decompress4X +// and Decoder.Decompress1X that use an asm implementation of thir main loops. +package huff0 + +import ( + "errors" + "fmt" + + "github.com/klauspost/compress/internal/cpuinfo" +) + +// decompress4x_main_loop_x86 is an x86 assembler implementation +// of Decompress4X when tablelog > 8. +// +//go:noescape +func decompress4x_main_loop_amd64(ctx *decompress4xContext) + +// decompress4x_8b_loop_x86 is an x86 assembler implementation +// of Decompress4X when tablelog <= 8 which decodes 4 entries +// per loop. +// +//go:noescape +func decompress4x_8b_main_loop_amd64(ctx *decompress4xContext) + +// fallback8BitSize is the size where using Go version is faster. +const fallback8BitSize = 800 + +type decompress4xContext struct { + pbr *[4]bitReaderShifted + peekBits uint8 + out *byte + dstEvery int + tbl *dEntrySingle + decoded int + limit *byte +} + +// Decompress4X will decompress a 4X encoded stream. +// The length of the supplied input must match the end of a block exactly. +// The *capacity* of the dst slice must match the destination size of +// the uncompressed data exactly. +func (d *Decoder) Decompress4X(dst, src []byte) ([]byte, error) { + if len(d.dt.single) == 0 { + return nil, errors.New("no table loaded") + } + if len(src) < 6+(4*1) { + return nil, errors.New("input too small") + } + + use8BitTables := d.actualTableLog <= 8 + if cap(dst) < fallback8BitSize && use8BitTables { + return d.decompress4X8bit(dst, src) + } + + var br [4]bitReaderShifted + // Decode "jump table" + start := 6 + for i := 0; i < 3; i++ { + length := int(src[i*2]) | (int(src[i*2+1]) << 8) + if start+length >= len(src) { + return nil, errors.New("truncated input (or invalid offset)") + } + err := br[i].init(src[start : start+length]) + if err != nil { + return nil, err + } + start += length + } + err := br[3].init(src[start:]) + if err != nil { + return nil, err + } + + // destination, offset to match first output + dstSize := cap(dst) + dst = dst[:dstSize] + out := dst + dstEvery := (dstSize + 3) / 4 + + const tlSize = 1 << tableLogMax + const tlMask = tlSize - 1 + single := d.dt.single[:tlSize] + + var decoded int + + if len(out) > 4*4 && !(br[0].off < 4 || br[1].off < 4 || br[2].off < 4 || br[3].off < 4) { + ctx := decompress4xContext{ + pbr: &br, + peekBits: uint8((64 - d.actualTableLog) & 63), // see: bitReaderShifted.peekBitsFast() + out: &out[0], + dstEvery: dstEvery, + tbl: &single[0], + limit: &out[dstEvery-4], // Always stop decoding when first buffer gets here to avoid writing OOB on last. + } + if use8BitTables { + decompress4x_8b_main_loop_amd64(&ctx) + } else { + decompress4x_main_loop_amd64(&ctx) + } + + decoded = ctx.decoded + out = out[decoded/4:] + } + + // Decode remaining. + remainBytes := dstEvery - (decoded / 4) + for i := range br { + offset := dstEvery * i + endsAt := offset + remainBytes + if endsAt > len(out) { + endsAt = len(out) + } + br := &br[i] + bitsLeft := br.remaining() + for bitsLeft > 0 { + br.fill() + if offset >= endsAt { + return nil, errors.New("corruption detected: stream overrun 4") + } + + // Read value and increment offset. + val := br.peekBitsFast(d.actualTableLog) + v := single[val&tlMask].entry + nBits := uint8(v) + br.advance(nBits) + bitsLeft -= uint(nBits) + out[offset] = uint8(v >> 8) + offset++ + } + if offset != endsAt { + return nil, fmt.Errorf("corruption detected: short output block %d, end %d != %d", i, offset, endsAt) + } + decoded += offset - dstEvery*i + err = br.close() + if err != nil { + return nil, err + } + } + if dstSize != decoded { + return nil, errors.New("corruption detected: short output block") + } + return dst, nil +} + +// decompress4x_main_loop_x86 is an x86 assembler implementation +// of Decompress1X when tablelog > 8. +// +//go:noescape +func decompress1x_main_loop_amd64(ctx *decompress1xContext) + +// decompress4x_main_loop_x86 is an x86 with BMI2 assembler implementation +// of Decompress1X when tablelog > 8. +// +//go:noescape +func decompress1x_main_loop_bmi2(ctx *decompress1xContext) + +type decompress1xContext struct { + pbr *bitReaderShifted + peekBits uint8 + out *byte + outCap int + tbl *dEntrySingle + decoded int +} + +// Error reported by asm implementations +const error_max_decoded_size_exeeded = -1 + +// Decompress1X will decompress a 1X encoded stream. +// The cap of the output buffer will be the maximum decompressed size. +// The length of the supplied input must match the end of a block exactly. +func (d *Decoder) Decompress1X(dst, src []byte) ([]byte, error) { + if len(d.dt.single) == 0 { + return nil, errors.New("no table loaded") + } + var br bitReaderShifted + err := br.init(src) + if err != nil { + return dst, err + } + maxDecodedSize := cap(dst) + dst = dst[:maxDecodedSize] + + const tlSize = 1 << tableLogMax + const tlMask = tlSize - 1 + + if maxDecodedSize >= 4 { + ctx := decompress1xContext{ + pbr: &br, + out: &dst[0], + outCap: maxDecodedSize, + peekBits: uint8((64 - d.actualTableLog) & 63), // see: bitReaderShifted.peekBitsFast() + tbl: &d.dt.single[0], + } + + if cpuinfo.HasBMI2() { + decompress1x_main_loop_bmi2(&ctx) + } else { + decompress1x_main_loop_amd64(&ctx) + } + if ctx.decoded == error_max_decoded_size_exeeded { + return nil, ErrMaxDecodedSizeExceeded + } + + dst = dst[:ctx.decoded] + } + + // br < 8, so uint8 is fine + bitsLeft := uint8(br.off)*8 + 64 - br.bitsRead + for bitsLeft > 0 { + br.fill() + if len(dst) >= maxDecodedSize { + br.close() + return nil, ErrMaxDecodedSizeExceeded + } + v := d.dt.single[br.peekBitsFast(d.actualTableLog)&tlMask] + nBits := uint8(v.entry) + br.advance(nBits) + bitsLeft -= nBits + dst = append(dst, uint8(v.entry>>8)) + } + return dst, br.close() +} diff --git a/vendor/github.com/klauspost/compress/huff0/decompress_amd64.s b/vendor/github.com/klauspost/compress/huff0/decompress_amd64.s new file mode 100644 index 0000000000..c4c7ab2d1f --- /dev/null +++ b/vendor/github.com/klauspost/compress/huff0/decompress_amd64.s @@ -0,0 +1,830 @@ +// Code generated by command: go run gen.go -out ../decompress_amd64.s -pkg=huff0. DO NOT EDIT. + +//go:build amd64 && !appengine && !noasm && gc + +// func decompress4x_main_loop_amd64(ctx *decompress4xContext) +TEXT ·decompress4x_main_loop_amd64(SB), $0-8 + // Preload values + MOVQ ctx+0(FP), AX + MOVBQZX 8(AX), DI + MOVQ 16(AX), BX + MOVQ 48(AX), SI + MOVQ 24(AX), R8 + MOVQ 32(AX), R9 + MOVQ (AX), R10 + + // Main loop +main_loop: + XORL DX, DX + CMPQ BX, SI + SETGE DL + + // br0.fillFast32() + MOVQ 32(R10), R11 + MOVBQZX 40(R10), R12 + CMPQ R12, $0x20 + JBE skip_fill0 + MOVQ 24(R10), AX + SUBQ $0x20, R12 + SUBQ $0x04, AX + MOVQ (R10), R13 + + // b.value |= uint64(low) << (b.bitsRead & 63) + MOVL (AX)(R13*1), R13 + MOVQ R12, CX + SHLQ CL, R13 + MOVQ AX, 24(R10) + ORQ R13, R11 + + // exhausted += (br0.off < 4) + CMPQ AX, $0x04 + ADCB $+0, DL + +skip_fill0: + // val0 := br0.peekTopBits(peekBits) + MOVQ R11, R13 + MOVQ DI, CX + SHRQ CL, R13 + + // v0 := table[val0&mask] + MOVW (R9)(R13*2), CX + + // br0.advance(uint8(v0.entry) + MOVB CH, AL + SHLQ CL, R11 + ADDB CL, R12 + + // val1 := br0.peekTopBits(peekBits) + MOVQ DI, CX + MOVQ R11, R13 + SHRQ CL, R13 + + // v1 := table[val1&mask] + MOVW (R9)(R13*2), CX + + // br0.advance(uint8(v1.entry)) + MOVB CH, AH + SHLQ CL, R11 + ADDB CL, R12 + + // these two writes get coalesced + // out[id * dstEvery + 0] = uint8(v0.entry >> 8) + // out[id * dstEvery + 1] = uint8(v1.entry >> 8) + MOVW AX, (BX) + + // update the bitreader structure + MOVQ R11, 32(R10) + MOVB R12, 40(R10) + + // br1.fillFast32() + MOVQ 80(R10), R11 + MOVBQZX 88(R10), R12 + CMPQ R12, $0x20 + JBE skip_fill1 + MOVQ 72(R10), AX + SUBQ $0x20, R12 + SUBQ $0x04, AX + MOVQ 48(R10), R13 + + // b.value |= uint64(low) << (b.bitsRead & 63) + MOVL (AX)(R13*1), R13 + MOVQ R12, CX + SHLQ CL, R13 + MOVQ AX, 72(R10) + ORQ R13, R11 + + // exhausted += (br1.off < 4) + CMPQ AX, $0x04 + ADCB $+0, DL + +skip_fill1: + // val0 := br1.peekTopBits(peekBits) + MOVQ R11, R13 + MOVQ DI, CX + SHRQ CL, R13 + + // v0 := table[val0&mask] + MOVW (R9)(R13*2), CX + + // br1.advance(uint8(v0.entry) + MOVB CH, AL + SHLQ CL, R11 + ADDB CL, R12 + + // val1 := br1.peekTopBits(peekBits) + MOVQ DI, CX + MOVQ R11, R13 + SHRQ CL, R13 + + // v1 := table[val1&mask] + MOVW (R9)(R13*2), CX + + // br1.advance(uint8(v1.entry)) + MOVB CH, AH + SHLQ CL, R11 + ADDB CL, R12 + + // these two writes get coalesced + // out[id * dstEvery + 0] = uint8(v0.entry >> 8) + // out[id * dstEvery + 1] = uint8(v1.entry >> 8) + MOVW AX, (BX)(R8*1) + + // update the bitreader structure + MOVQ R11, 80(R10) + MOVB R12, 88(R10) + + // br2.fillFast32() + MOVQ 128(R10), R11 + MOVBQZX 136(R10), R12 + CMPQ R12, $0x20 + JBE skip_fill2 + MOVQ 120(R10), AX + SUBQ $0x20, R12 + SUBQ $0x04, AX + MOVQ 96(R10), R13 + + // b.value |= uint64(low) << (b.bitsRead & 63) + MOVL (AX)(R13*1), R13 + MOVQ R12, CX + SHLQ CL, R13 + MOVQ AX, 120(R10) + ORQ R13, R11 + + // exhausted += (br2.off < 4) + CMPQ AX, $0x04 + ADCB $+0, DL + +skip_fill2: + // val0 := br2.peekTopBits(peekBits) + MOVQ R11, R13 + MOVQ DI, CX + SHRQ CL, R13 + + // v0 := table[val0&mask] + MOVW (R9)(R13*2), CX + + // br2.advance(uint8(v0.entry) + MOVB CH, AL + SHLQ CL, R11 + ADDB CL, R12 + + // val1 := br2.peekTopBits(peekBits) + MOVQ DI, CX + MOVQ R11, R13 + SHRQ CL, R13 + + // v1 := table[val1&mask] + MOVW (R9)(R13*2), CX + + // br2.advance(uint8(v1.entry)) + MOVB CH, AH + SHLQ CL, R11 + ADDB CL, R12 + + // these two writes get coalesced + // out[id * dstEvery + 0] = uint8(v0.entry >> 8) + // out[id * dstEvery + 1] = uint8(v1.entry >> 8) + MOVW AX, (BX)(R8*2) + + // update the bitreader structure + MOVQ R11, 128(R10) + MOVB R12, 136(R10) + + // br3.fillFast32() + MOVQ 176(R10), R11 + MOVBQZX 184(R10), R12 + CMPQ R12, $0x20 + JBE skip_fill3 + MOVQ 168(R10), AX + SUBQ $0x20, R12 + SUBQ $0x04, AX + MOVQ 144(R10), R13 + + // b.value |= uint64(low) << (b.bitsRead & 63) + MOVL (AX)(R13*1), R13 + MOVQ R12, CX + SHLQ CL, R13 + MOVQ AX, 168(R10) + ORQ R13, R11 + + // exhausted += (br3.off < 4) + CMPQ AX, $0x04 + ADCB $+0, DL + +skip_fill3: + // val0 := br3.peekTopBits(peekBits) + MOVQ R11, R13 + MOVQ DI, CX + SHRQ CL, R13 + + // v0 := table[val0&mask] + MOVW (R9)(R13*2), CX + + // br3.advance(uint8(v0.entry) + MOVB CH, AL + SHLQ CL, R11 + ADDB CL, R12 + + // val1 := br3.peekTopBits(peekBits) + MOVQ DI, CX + MOVQ R11, R13 + SHRQ CL, R13 + + // v1 := table[val1&mask] + MOVW (R9)(R13*2), CX + + // br3.advance(uint8(v1.entry)) + MOVB CH, AH + SHLQ CL, R11 + ADDB CL, R12 + + // these two writes get coalesced + // out[id * dstEvery + 0] = uint8(v0.entry >> 8) + // out[id * dstEvery + 1] = uint8(v1.entry >> 8) + LEAQ (R8)(R8*2), CX + MOVW AX, (BX)(CX*1) + + // update the bitreader structure + MOVQ R11, 176(R10) + MOVB R12, 184(R10) + ADDQ $0x02, BX + TESTB DL, DL + JZ main_loop + MOVQ ctx+0(FP), AX + SUBQ 16(AX), BX + SHLQ $0x02, BX + MOVQ BX, 40(AX) + RET + +// func decompress4x_8b_main_loop_amd64(ctx *decompress4xContext) +TEXT ·decompress4x_8b_main_loop_amd64(SB), $0-8 + // Preload values + MOVQ ctx+0(FP), CX + MOVBQZX 8(CX), DI + MOVQ 16(CX), BX + MOVQ 48(CX), SI + MOVQ 24(CX), R8 + MOVQ 32(CX), R9 + MOVQ (CX), R10 + + // Main loop +main_loop: + XORL DX, DX + CMPQ BX, SI + SETGE DL + + // br0.fillFast32() + MOVQ 32(R10), R11 + MOVBQZX 40(R10), R12 + CMPQ R12, $0x20 + JBE skip_fill0 + MOVQ 24(R10), R13 + SUBQ $0x20, R12 + SUBQ $0x04, R13 + MOVQ (R10), R14 + + // b.value |= uint64(low) << (b.bitsRead & 63) + MOVL (R13)(R14*1), R14 + MOVQ R12, CX + SHLQ CL, R14 + MOVQ R13, 24(R10) + ORQ R14, R11 + + // exhausted += (br0.off < 4) + CMPQ R13, $0x04 + ADCB $+0, DL + +skip_fill0: + // val0 := br0.peekTopBits(peekBits) + MOVQ R11, R13 + MOVQ DI, CX + SHRQ CL, R13 + + // v0 := table[val0&mask] + MOVW (R9)(R13*2), CX + + // br0.advance(uint8(v0.entry) + MOVB CH, AL + SHLQ CL, R11 + ADDB CL, R12 + + // val1 := br0.peekTopBits(peekBits) + MOVQ R11, R13 + MOVQ DI, CX + SHRQ CL, R13 + + // v1 := table[val0&mask] + MOVW (R9)(R13*2), CX + + // br0.advance(uint8(v1.entry) + MOVB CH, AH + SHLQ CL, R11 + ADDB CL, R12 + BSWAPL AX + + // val2 := br0.peekTopBits(peekBits) + MOVQ R11, R13 + MOVQ DI, CX + SHRQ CL, R13 + + // v2 := table[val0&mask] + MOVW (R9)(R13*2), CX + + // br0.advance(uint8(v2.entry) + MOVB CH, AH + SHLQ CL, R11 + ADDB CL, R12 + + // val3 := br0.peekTopBits(peekBits) + MOVQ R11, R13 + MOVQ DI, CX + SHRQ CL, R13 + + // v3 := table[val0&mask] + MOVW (R9)(R13*2), CX + + // br0.advance(uint8(v3.entry) + MOVB CH, AL + SHLQ CL, R11 + ADDB CL, R12 + BSWAPL AX + + // these four writes get coalesced + // out[id * dstEvery + 0] = uint8(v0.entry >> 8) + // out[id * dstEvery + 1] = uint8(v1.entry >> 8) + // out[id * dstEvery + 3] = uint8(v2.entry >> 8) + // out[id * dstEvery + 4] = uint8(v3.entry >> 8) + MOVL AX, (BX) + + // update the bitreader structure + MOVQ R11, 32(R10) + MOVB R12, 40(R10) + + // br1.fillFast32() + MOVQ 80(R10), R11 + MOVBQZX 88(R10), R12 + CMPQ R12, $0x20 + JBE skip_fill1 + MOVQ 72(R10), R13 + SUBQ $0x20, R12 + SUBQ $0x04, R13 + MOVQ 48(R10), R14 + + // b.value |= uint64(low) << (b.bitsRead & 63) + MOVL (R13)(R14*1), R14 + MOVQ R12, CX + SHLQ CL, R14 + MOVQ R13, 72(R10) + ORQ R14, R11 + + // exhausted += (br1.off < 4) + CMPQ R13, $0x04 + ADCB $+0, DL + +skip_fill1: + // val0 := br1.peekTopBits(peekBits) + MOVQ R11, R13 + MOVQ DI, CX + SHRQ CL, R13 + + // v0 := table[val0&mask] + MOVW (R9)(R13*2), CX + + // br1.advance(uint8(v0.entry) + MOVB CH, AL + SHLQ CL, R11 + ADDB CL, R12 + + // val1 := br1.peekTopBits(peekBits) + MOVQ R11, R13 + MOVQ DI, CX + SHRQ CL, R13 + + // v1 := table[val0&mask] + MOVW (R9)(R13*2), CX + + // br1.advance(uint8(v1.entry) + MOVB CH, AH + SHLQ CL, R11 + ADDB CL, R12 + BSWAPL AX + + // val2 := br1.peekTopBits(peekBits) + MOVQ R11, R13 + MOVQ DI, CX + SHRQ CL, R13 + + // v2 := table[val0&mask] + MOVW (R9)(R13*2), CX + + // br1.advance(uint8(v2.entry) + MOVB CH, AH + SHLQ CL, R11 + ADDB CL, R12 + + // val3 := br1.peekTopBits(peekBits) + MOVQ R11, R13 + MOVQ DI, CX + SHRQ CL, R13 + + // v3 := table[val0&mask] + MOVW (R9)(R13*2), CX + + // br1.advance(uint8(v3.entry) + MOVB CH, AL + SHLQ CL, R11 + ADDB CL, R12 + BSWAPL AX + + // these four writes get coalesced + // out[id * dstEvery + 0] = uint8(v0.entry >> 8) + // out[id * dstEvery + 1] = uint8(v1.entry >> 8) + // out[id * dstEvery + 3] = uint8(v2.entry >> 8) + // out[id * dstEvery + 4] = uint8(v3.entry >> 8) + MOVL AX, (BX)(R8*1) + + // update the bitreader structure + MOVQ R11, 80(R10) + MOVB R12, 88(R10) + + // br2.fillFast32() + MOVQ 128(R10), R11 + MOVBQZX 136(R10), R12 + CMPQ R12, $0x20 + JBE skip_fill2 + MOVQ 120(R10), R13 + SUBQ $0x20, R12 + SUBQ $0x04, R13 + MOVQ 96(R10), R14 + + // b.value |= uint64(low) << (b.bitsRead & 63) + MOVL (R13)(R14*1), R14 + MOVQ R12, CX + SHLQ CL, R14 + MOVQ R13, 120(R10) + ORQ R14, R11 + + // exhausted += (br2.off < 4) + CMPQ R13, $0x04 + ADCB $+0, DL + +skip_fill2: + // val0 := br2.peekTopBits(peekBits) + MOVQ R11, R13 + MOVQ DI, CX + SHRQ CL, R13 + + // v0 := table[val0&mask] + MOVW (R9)(R13*2), CX + + // br2.advance(uint8(v0.entry) + MOVB CH, AL + SHLQ CL, R11 + ADDB CL, R12 + + // val1 := br2.peekTopBits(peekBits) + MOVQ R11, R13 + MOVQ DI, CX + SHRQ CL, R13 + + // v1 := table[val0&mask] + MOVW (R9)(R13*2), CX + + // br2.advance(uint8(v1.entry) + MOVB CH, AH + SHLQ CL, R11 + ADDB CL, R12 + BSWAPL AX + + // val2 := br2.peekTopBits(peekBits) + MOVQ R11, R13 + MOVQ DI, CX + SHRQ CL, R13 + + // v2 := table[val0&mask] + MOVW (R9)(R13*2), CX + + // br2.advance(uint8(v2.entry) + MOVB CH, AH + SHLQ CL, R11 + ADDB CL, R12 + + // val3 := br2.peekTopBits(peekBits) + MOVQ R11, R13 + MOVQ DI, CX + SHRQ CL, R13 + + // v3 := table[val0&mask] + MOVW (R9)(R13*2), CX + + // br2.advance(uint8(v3.entry) + MOVB CH, AL + SHLQ CL, R11 + ADDB CL, R12 + BSWAPL AX + + // these four writes get coalesced + // out[id * dstEvery + 0] = uint8(v0.entry >> 8) + // out[id * dstEvery + 1] = uint8(v1.entry >> 8) + // out[id * dstEvery + 3] = uint8(v2.entry >> 8) + // out[id * dstEvery + 4] = uint8(v3.entry >> 8) + MOVL AX, (BX)(R8*2) + + // update the bitreader structure + MOVQ R11, 128(R10) + MOVB R12, 136(R10) + + // br3.fillFast32() + MOVQ 176(R10), R11 + MOVBQZX 184(R10), R12 + CMPQ R12, $0x20 + JBE skip_fill3 + MOVQ 168(R10), R13 + SUBQ $0x20, R12 + SUBQ $0x04, R13 + MOVQ 144(R10), R14 + + // b.value |= uint64(low) << (b.bitsRead & 63) + MOVL (R13)(R14*1), R14 + MOVQ R12, CX + SHLQ CL, R14 + MOVQ R13, 168(R10) + ORQ R14, R11 + + // exhausted += (br3.off < 4) + CMPQ R13, $0x04 + ADCB $+0, DL + +skip_fill3: + // val0 := br3.peekTopBits(peekBits) + MOVQ R11, R13 + MOVQ DI, CX + SHRQ CL, R13 + + // v0 := table[val0&mask] + MOVW (R9)(R13*2), CX + + // br3.advance(uint8(v0.entry) + MOVB CH, AL + SHLQ CL, R11 + ADDB CL, R12 + + // val1 := br3.peekTopBits(peekBits) + MOVQ R11, R13 + MOVQ DI, CX + SHRQ CL, R13 + + // v1 := table[val0&mask] + MOVW (R9)(R13*2), CX + + // br3.advance(uint8(v1.entry) + MOVB CH, AH + SHLQ CL, R11 + ADDB CL, R12 + BSWAPL AX + + // val2 := br3.peekTopBits(peekBits) + MOVQ R11, R13 + MOVQ DI, CX + SHRQ CL, R13 + + // v2 := table[val0&mask] + MOVW (R9)(R13*2), CX + + // br3.advance(uint8(v2.entry) + MOVB CH, AH + SHLQ CL, R11 + ADDB CL, R12 + + // val3 := br3.peekTopBits(peekBits) + MOVQ R11, R13 + MOVQ DI, CX + SHRQ CL, R13 + + // v3 := table[val0&mask] + MOVW (R9)(R13*2), CX + + // br3.advance(uint8(v3.entry) + MOVB CH, AL + SHLQ CL, R11 + ADDB CL, R12 + BSWAPL AX + + // these four writes get coalesced + // out[id * dstEvery + 0] = uint8(v0.entry >> 8) + // out[id * dstEvery + 1] = uint8(v1.entry >> 8) + // out[id * dstEvery + 3] = uint8(v2.entry >> 8) + // out[id * dstEvery + 4] = uint8(v3.entry >> 8) + LEAQ (R8)(R8*2), CX + MOVL AX, (BX)(CX*1) + + // update the bitreader structure + MOVQ R11, 176(R10) + MOVB R12, 184(R10) + ADDQ $0x04, BX + TESTB DL, DL + JZ main_loop + MOVQ ctx+0(FP), AX + SUBQ 16(AX), BX + SHLQ $0x02, BX + MOVQ BX, 40(AX) + RET + +// func decompress1x_main_loop_amd64(ctx *decompress1xContext) +TEXT ·decompress1x_main_loop_amd64(SB), $0-8 + MOVQ ctx+0(FP), CX + MOVQ 16(CX), DX + MOVQ 24(CX), BX + CMPQ BX, $0x04 + JB error_max_decoded_size_exceeded + LEAQ (DX)(BX*1), BX + MOVQ (CX), SI + MOVQ (SI), R8 + MOVQ 24(SI), R9 + MOVQ 32(SI), R10 + MOVBQZX 40(SI), R11 + MOVQ 32(CX), SI + MOVBQZX 8(CX), DI + JMP loop_condition + +main_loop: + // Check if we have room for 4 bytes in the output buffer + LEAQ 4(DX), CX + CMPQ CX, BX + JGE error_max_decoded_size_exceeded + + // Decode 4 values + CMPQ R11, $0x20 + JL bitReader_fillFast_1_end + SUBQ $0x20, R11 + SUBQ $0x04, R9 + MOVL (R8)(R9*1), R12 + MOVQ R11, CX + SHLQ CL, R12 + ORQ R12, R10 + +bitReader_fillFast_1_end: + MOVQ DI, CX + MOVQ R10, R12 + SHRQ CL, R12 + MOVW (SI)(R12*2), CX + MOVB CH, AL + MOVBQZX CL, CX + ADDQ CX, R11 + SHLQ CL, R10 + MOVQ DI, CX + MOVQ R10, R12 + SHRQ CL, R12 + MOVW (SI)(R12*2), CX + MOVB CH, AH + MOVBQZX CL, CX + ADDQ CX, R11 + SHLQ CL, R10 + BSWAPL AX + CMPQ R11, $0x20 + JL bitReader_fillFast_2_end + SUBQ $0x20, R11 + SUBQ $0x04, R9 + MOVL (R8)(R9*1), R12 + MOVQ R11, CX + SHLQ CL, R12 + ORQ R12, R10 + +bitReader_fillFast_2_end: + MOVQ DI, CX + MOVQ R10, R12 + SHRQ CL, R12 + MOVW (SI)(R12*2), CX + MOVB CH, AH + MOVBQZX CL, CX + ADDQ CX, R11 + SHLQ CL, R10 + MOVQ DI, CX + MOVQ R10, R12 + SHRQ CL, R12 + MOVW (SI)(R12*2), CX + MOVB CH, AL + MOVBQZX CL, CX + ADDQ CX, R11 + SHLQ CL, R10 + BSWAPL AX + + // Store the decoded values + MOVL AX, (DX) + ADDQ $0x04, DX + +loop_condition: + CMPQ R9, $0x08 + JGE main_loop + + // Update ctx structure + MOVQ ctx+0(FP), AX + SUBQ 16(AX), DX + MOVQ DX, 40(AX) + MOVQ (AX), AX + MOVQ R9, 24(AX) + MOVQ R10, 32(AX) + MOVB R11, 40(AX) + RET + + // Report error +error_max_decoded_size_exceeded: + MOVQ ctx+0(FP), AX + MOVQ $-1, CX + MOVQ CX, 40(AX) + RET + +// func decompress1x_main_loop_bmi2(ctx *decompress1xContext) +// Requires: BMI2 +TEXT ·decompress1x_main_loop_bmi2(SB), $0-8 + MOVQ ctx+0(FP), CX + MOVQ 16(CX), DX + MOVQ 24(CX), BX + CMPQ BX, $0x04 + JB error_max_decoded_size_exceeded + LEAQ (DX)(BX*1), BX + MOVQ (CX), SI + MOVQ (SI), R8 + MOVQ 24(SI), R9 + MOVQ 32(SI), R10 + MOVBQZX 40(SI), R11 + MOVQ 32(CX), SI + MOVBQZX 8(CX), DI + JMP loop_condition + +main_loop: + // Check if we have room for 4 bytes in the output buffer + LEAQ 4(DX), CX + CMPQ CX, BX + JGE error_max_decoded_size_exceeded + + // Decode 4 values + CMPQ R11, $0x20 + JL bitReader_fillFast_1_end + SUBQ $0x20, R11 + SUBQ $0x04, R9 + MOVL (R8)(R9*1), CX + SHLXQ R11, CX, CX + ORQ CX, R10 + +bitReader_fillFast_1_end: + SHRXQ DI, R10, CX + MOVW (SI)(CX*2), CX + MOVB CH, AL + MOVBQZX CL, CX + ADDQ CX, R11 + SHLXQ CX, R10, R10 + SHRXQ DI, R10, CX + MOVW (SI)(CX*2), CX + MOVB CH, AH + MOVBQZX CL, CX + ADDQ CX, R11 + SHLXQ CX, R10, R10 + BSWAPL AX + CMPQ R11, $0x20 + JL bitReader_fillFast_2_end + SUBQ $0x20, R11 + SUBQ $0x04, R9 + MOVL (R8)(R9*1), CX + SHLXQ R11, CX, CX + ORQ CX, R10 + +bitReader_fillFast_2_end: + SHRXQ DI, R10, CX + MOVW (SI)(CX*2), CX + MOVB CH, AH + MOVBQZX CL, CX + ADDQ CX, R11 + SHLXQ CX, R10, R10 + SHRXQ DI, R10, CX + MOVW (SI)(CX*2), CX + MOVB CH, AL + MOVBQZX CL, CX + ADDQ CX, R11 + SHLXQ CX, R10, R10 + BSWAPL AX + + // Store the decoded values + MOVL AX, (DX) + ADDQ $0x04, DX + +loop_condition: + CMPQ R9, $0x08 + JGE main_loop + + // Update ctx structure + MOVQ ctx+0(FP), AX + SUBQ 16(AX), DX + MOVQ DX, 40(AX) + MOVQ (AX), AX + MOVQ R9, 24(AX) + MOVQ R10, 32(AX) + MOVB R11, 40(AX) + RET + + // Report error +error_max_decoded_size_exceeded: + MOVQ ctx+0(FP), AX + MOVQ $-1, CX + MOVQ CX, 40(AX) + RET diff --git a/vendor/github.com/klauspost/compress/huff0/decompress_generic.go b/vendor/github.com/klauspost/compress/huff0/decompress_generic.go new file mode 100644 index 0000000000..908c17de63 --- /dev/null +++ b/vendor/github.com/klauspost/compress/huff0/decompress_generic.go @@ -0,0 +1,299 @@ +//go:build !amd64 || appengine || !gc || noasm +// +build !amd64 appengine !gc noasm + +// This file contains a generic implementation of Decoder.Decompress4X. +package huff0 + +import ( + "errors" + "fmt" +) + +// Decompress4X will decompress a 4X encoded stream. +// The length of the supplied input must match the end of a block exactly. +// The *capacity* of the dst slice must match the destination size of +// the uncompressed data exactly. +func (d *Decoder) Decompress4X(dst, src []byte) ([]byte, error) { + if len(d.dt.single) == 0 { + return nil, errors.New("no table loaded") + } + if len(src) < 6+(4*1) { + return nil, errors.New("input too small") + } + if use8BitTables && d.actualTableLog <= 8 { + return d.decompress4X8bit(dst, src) + } + + var br [4]bitReaderShifted + // Decode "jump table" + start := 6 + for i := 0; i < 3; i++ { + length := int(src[i*2]) | (int(src[i*2+1]) << 8) + if start+length >= len(src) { + return nil, errors.New("truncated input (or invalid offset)") + } + err := br[i].init(src[start : start+length]) + if err != nil { + return nil, err + } + start += length + } + err := br[3].init(src[start:]) + if err != nil { + return nil, err + } + + // destination, offset to match first output + dstSize := cap(dst) + dst = dst[:dstSize] + out := dst + dstEvery := (dstSize + 3) / 4 + + const tlSize = 1 << tableLogMax + const tlMask = tlSize - 1 + single := d.dt.single[:tlSize] + + // Use temp table to avoid bound checks/append penalty. + buf := d.buffer() + var off uint8 + var decoded int + + // Decode 2 values from each decoder/loop. + const bufoff = 256 + for { + if br[0].off < 4 || br[1].off < 4 || br[2].off < 4 || br[3].off < 4 { + break + } + + { + const stream = 0 + const stream2 = 1 + br[stream].fillFast() + br[stream2].fillFast() + + val := br[stream].peekBitsFast(d.actualTableLog) + val2 := br[stream2].peekBitsFast(d.actualTableLog) + v := single[val&tlMask] + v2 := single[val2&tlMask] + br[stream].advance(uint8(v.entry)) + br[stream2].advance(uint8(v2.entry)) + buf[stream][off] = uint8(v.entry >> 8) + buf[stream2][off] = uint8(v2.entry >> 8) + + val = br[stream].peekBitsFast(d.actualTableLog) + val2 = br[stream2].peekBitsFast(d.actualTableLog) + v = single[val&tlMask] + v2 = single[val2&tlMask] + br[stream].advance(uint8(v.entry)) + br[stream2].advance(uint8(v2.entry)) + buf[stream][off+1] = uint8(v.entry >> 8) + buf[stream2][off+1] = uint8(v2.entry >> 8) + } + + { + const stream = 2 + const stream2 = 3 + br[stream].fillFast() + br[stream2].fillFast() + + val := br[stream].peekBitsFast(d.actualTableLog) + val2 := br[stream2].peekBitsFast(d.actualTableLog) + v := single[val&tlMask] + v2 := single[val2&tlMask] + br[stream].advance(uint8(v.entry)) + br[stream2].advance(uint8(v2.entry)) + buf[stream][off] = uint8(v.entry >> 8) + buf[stream2][off] = uint8(v2.entry >> 8) + + val = br[stream].peekBitsFast(d.actualTableLog) + val2 = br[stream2].peekBitsFast(d.actualTableLog) + v = single[val&tlMask] + v2 = single[val2&tlMask] + br[stream].advance(uint8(v.entry)) + br[stream2].advance(uint8(v2.entry)) + buf[stream][off+1] = uint8(v.entry >> 8) + buf[stream2][off+1] = uint8(v2.entry >> 8) + } + + off += 2 + + if off == 0 { + if bufoff > dstEvery { + d.bufs.Put(buf) + return nil, errors.New("corruption detected: stream overrun 1") + } + // There must at least be 3 buffers left. + if len(out)-bufoff < dstEvery*3 { + d.bufs.Put(buf) + return nil, errors.New("corruption detected: stream overrun 2") + } + //copy(out, buf[0][:]) + //copy(out[dstEvery:], buf[1][:]) + //copy(out[dstEvery*2:], buf[2][:]) + //copy(out[dstEvery*3:], buf[3][:]) + *(*[bufoff]byte)(out) = buf[0] + *(*[bufoff]byte)(out[dstEvery:]) = buf[1] + *(*[bufoff]byte)(out[dstEvery*2:]) = buf[2] + *(*[bufoff]byte)(out[dstEvery*3:]) = buf[3] + out = out[bufoff:] + decoded += bufoff * 4 + } + } + if off > 0 { + ioff := int(off) + if len(out) < dstEvery*3+ioff { + d.bufs.Put(buf) + return nil, errors.New("corruption detected: stream overrun 3") + } + copy(out, buf[0][:off]) + copy(out[dstEvery:], buf[1][:off]) + copy(out[dstEvery*2:], buf[2][:off]) + copy(out[dstEvery*3:], buf[3][:off]) + decoded += int(off) * 4 + out = out[off:] + } + + // Decode remaining. + remainBytes := dstEvery - (decoded / 4) + for i := range br { + offset := dstEvery * i + endsAt := offset + remainBytes + if endsAt > len(out) { + endsAt = len(out) + } + br := &br[i] + bitsLeft := br.remaining() + for bitsLeft > 0 { + br.fill() + if offset >= endsAt { + d.bufs.Put(buf) + return nil, errors.New("corruption detected: stream overrun 4") + } + + // Read value and increment offset. + val := br.peekBitsFast(d.actualTableLog) + v := single[val&tlMask].entry + nBits := uint8(v) + br.advance(nBits) + bitsLeft -= uint(nBits) + out[offset] = uint8(v >> 8) + offset++ + } + if offset != endsAt { + d.bufs.Put(buf) + return nil, fmt.Errorf("corruption detected: short output block %d, end %d != %d", i, offset, endsAt) + } + decoded += offset - dstEvery*i + err = br.close() + if err != nil { + return nil, err + } + } + d.bufs.Put(buf) + if dstSize != decoded { + return nil, errors.New("corruption detected: short output block") + } + return dst, nil +} + +// Decompress1X will decompress a 1X encoded stream. +// The cap of the output buffer will be the maximum decompressed size. +// The length of the supplied input must match the end of a block exactly. +func (d *Decoder) Decompress1X(dst, src []byte) ([]byte, error) { + if len(d.dt.single) == 0 { + return nil, errors.New("no table loaded") + } + if use8BitTables && d.actualTableLog <= 8 { + return d.decompress1X8Bit(dst, src) + } + var br bitReaderShifted + err := br.init(src) + if err != nil { + return dst, err + } + maxDecodedSize := cap(dst) + dst = dst[:0] + + // Avoid bounds check by always having full sized table. + const tlSize = 1 << tableLogMax + const tlMask = tlSize - 1 + dt := d.dt.single[:tlSize] + + // Use temp table to avoid bound checks/append penalty. + bufs := d.buffer() + buf := &bufs[0] + var off uint8 + + for br.off >= 8 { + br.fillFast() + v := dt[br.peekBitsFast(d.actualTableLog)&tlMask] + br.advance(uint8(v.entry)) + buf[off+0] = uint8(v.entry >> 8) + + v = dt[br.peekBitsFast(d.actualTableLog)&tlMask] + br.advance(uint8(v.entry)) + buf[off+1] = uint8(v.entry >> 8) + + // Refill + br.fillFast() + + v = dt[br.peekBitsFast(d.actualTableLog)&tlMask] + br.advance(uint8(v.entry)) + buf[off+2] = uint8(v.entry >> 8) + + v = dt[br.peekBitsFast(d.actualTableLog)&tlMask] + br.advance(uint8(v.entry)) + buf[off+3] = uint8(v.entry >> 8) + + off += 4 + if off == 0 { + if len(dst)+256 > maxDecodedSize { + br.close() + d.bufs.Put(bufs) + return nil, ErrMaxDecodedSizeExceeded + } + dst = append(dst, buf[:]...) + } + } + + if len(dst)+int(off) > maxDecodedSize { + d.bufs.Put(bufs) + br.close() + return nil, ErrMaxDecodedSizeExceeded + } + dst = append(dst, buf[:off]...) + + // br < 8, so uint8 is fine + bitsLeft := uint8(br.off)*8 + 64 - br.bitsRead + for bitsLeft > 0 { + br.fill() + if false && br.bitsRead >= 32 { + if br.off >= 4 { + v := br.in[br.off-4:] + v = v[:4] + low := (uint32(v[0])) | (uint32(v[1]) << 8) | (uint32(v[2]) << 16) | (uint32(v[3]) << 24) + br.value = (br.value << 32) | uint64(low) + br.bitsRead -= 32 + br.off -= 4 + } else { + for br.off > 0 { + br.value = (br.value << 8) | uint64(br.in[br.off-1]) + br.bitsRead -= 8 + br.off-- + } + } + } + if len(dst) >= maxDecodedSize { + d.bufs.Put(bufs) + br.close() + return nil, ErrMaxDecodedSizeExceeded + } + v := d.dt.single[br.peekBitsFast(d.actualTableLog)&tlMask] + nBits := uint8(v.entry) + br.advance(nBits) + bitsLeft -= nBits + dst = append(dst, uint8(v.entry>>8)) + } + d.bufs.Put(bufs) + return dst, br.close() +} diff --git a/vendor/github.com/klauspost/compress/huff0/huff0.go b/vendor/github.com/klauspost/compress/huff0/huff0.go new file mode 100644 index 0000000000..77ecd68e0a --- /dev/null +++ b/vendor/github.com/klauspost/compress/huff0/huff0.go @@ -0,0 +1,337 @@ +// Package huff0 provides fast huffman encoding as used in zstd. +// +// See README.md at https://github.com/klauspost/compress/tree/master/huff0 for details. +package huff0 + +import ( + "errors" + "fmt" + "math" + "math/bits" + "sync" + + "github.com/klauspost/compress/fse" +) + +const ( + maxSymbolValue = 255 + + // zstandard limits tablelog to 11, see: + // https://github.com/facebook/zstd/blob/dev/doc/zstd_compression_format.md#huffman-tree-description + tableLogMax = 11 + tableLogDefault = 11 + minTablelog = 5 + huffNodesLen = 512 + + // BlockSizeMax is maximum input size for a single block uncompressed. + BlockSizeMax = 1<<18 - 1 +) + +var ( + // ErrIncompressible is returned when input is judged to be too hard to compress. + ErrIncompressible = errors.New("input is not compressible") + + // ErrUseRLE is returned from the compressor when the input is a single byte value repeated. + ErrUseRLE = errors.New("input is single value repeated") + + // ErrTooBig is return if input is too large for a single block. + ErrTooBig = errors.New("input too big") + + // ErrMaxDecodedSizeExceeded is return if input is too large for a single block. + ErrMaxDecodedSizeExceeded = errors.New("maximum output size exceeded") +) + +type ReusePolicy uint8 + +const ( + // ReusePolicyAllow will allow reuse if it produces smaller output. + ReusePolicyAllow ReusePolicy = iota + + // ReusePolicyPrefer will re-use aggressively if possible. + // This will not check if a new table will produce smaller output, + // except if the current table is impossible to use or + // compressed output is bigger than input. + ReusePolicyPrefer + + // ReusePolicyNone will disable re-use of tables. + // This is slightly faster than ReusePolicyAllow but may produce larger output. + ReusePolicyNone + + // ReusePolicyMust must allow reuse and produce smaller output. + ReusePolicyMust +) + +type Scratch struct { + count [maxSymbolValue + 1]uint32 + + // Per block parameters. + // These can be used to override compression parameters of the block. + // Do not touch, unless you know what you are doing. + + // Out is output buffer. + // If the scratch is re-used before the caller is done processing the output, + // set this field to nil. + // Otherwise the output buffer will be re-used for next Compression/Decompression step + // and allocation will be avoided. + Out []byte + + // OutTable will contain the table data only, if a new table has been generated. + // Slice of the returned data. + OutTable []byte + + // OutData will contain the compressed data. + // Slice of the returned data. + OutData []byte + + // MaxDecodedSize will set the maximum allowed output size. + // This value will automatically be set to BlockSizeMax if not set. + // Decoders will return ErrMaxDecodedSizeExceeded is this limit is exceeded. + MaxDecodedSize int + + srcLen int + + // MaxSymbolValue will override the maximum symbol value of the next block. + MaxSymbolValue uint8 + + // TableLog will attempt to override the tablelog for the next block. + // Must be <= 11 and >= 5. + TableLog uint8 + + // Reuse will specify the reuse policy + Reuse ReusePolicy + + // WantLogLess allows to specify a log 2 reduction that should at least be achieved, + // otherwise the block will be returned as incompressible. + // The reduction should then at least be (input size >> WantLogLess) + // If WantLogLess == 0 any improvement will do. + WantLogLess uint8 + + symbolLen uint16 // Length of active part of the symbol table. + maxCount int // count of the most probable symbol + clearCount bool // clear count + actualTableLog uint8 // Selected tablelog. + prevTableLog uint8 // Tablelog for previous table + prevTable cTable // Table used for previous compression. + cTable cTable // compression table + dt dTable // decompression table + nodes []nodeElt + tmpOut [4][]byte + fse *fse.Scratch + decPool sync.Pool // *[4][256]byte buffers. + huffWeight [maxSymbolValue + 1]byte +} + +// TransferCTable will transfer the previously used compression table. +func (s *Scratch) TransferCTable(src *Scratch) { + if cap(s.prevTable) < len(src.prevTable) { + s.prevTable = make(cTable, 0, maxSymbolValue+1) + } + s.prevTable = s.prevTable[:len(src.prevTable)] + copy(s.prevTable, src.prevTable) + s.prevTableLog = src.prevTableLog +} + +func (s *Scratch) prepare(in []byte) (*Scratch, error) { + if len(in) > BlockSizeMax { + return nil, ErrTooBig + } + if s == nil { + s = &Scratch{} + } + if s.MaxSymbolValue == 0 { + s.MaxSymbolValue = maxSymbolValue + } + if s.TableLog == 0 { + s.TableLog = tableLogDefault + } + if s.TableLog > tableLogMax || s.TableLog < minTablelog { + return nil, fmt.Errorf(" invalid tableLog %d (%d -> %d)", s.TableLog, minTablelog, tableLogMax) + } + if s.MaxDecodedSize <= 0 || s.MaxDecodedSize > BlockSizeMax { + s.MaxDecodedSize = BlockSizeMax + } + if s.clearCount && s.maxCount == 0 { + for i := range s.count { + s.count[i] = 0 + } + s.clearCount = false + } + if cap(s.Out) == 0 { + s.Out = make([]byte, 0, len(in)) + } + s.Out = s.Out[:0] + + s.OutTable = nil + s.OutData = nil + if cap(s.nodes) < huffNodesLen+1 { + s.nodes = make([]nodeElt, 0, huffNodesLen+1) + } + s.nodes = s.nodes[:0] + if s.fse == nil { + s.fse = &fse.Scratch{} + } + s.srcLen = len(in) + + return s, nil +} + +type cTable []cTableEntry + +func (c cTable) write(s *Scratch) error { + var ( + // precomputed conversion table + bitsToWeight [tableLogMax + 1]byte + huffLog = s.actualTableLog + // last weight is not saved. + maxSymbolValue = uint8(s.symbolLen - 1) + huffWeight = s.huffWeight[:256] + ) + const ( + maxFSETableLog = 6 + ) + // convert to weight + bitsToWeight[0] = 0 + for n := uint8(1); n < huffLog+1; n++ { + bitsToWeight[n] = huffLog + 1 - n + } + + // Acquire histogram for FSE. + hist := s.fse.Histogram() + hist = hist[:256] + for i := range hist[:16] { + hist[i] = 0 + } + for n := uint8(0); n < maxSymbolValue; n++ { + v := bitsToWeight[c[n].nBits] & 15 + huffWeight[n] = v + hist[v]++ + } + + // FSE compress if feasible. + if maxSymbolValue >= 2 { + huffMaxCnt := uint32(0) + huffMax := uint8(0) + for i, v := range hist[:16] { + if v == 0 { + continue + } + huffMax = byte(i) + if v > huffMaxCnt { + huffMaxCnt = v + } + } + s.fse.HistogramFinished(huffMax, int(huffMaxCnt)) + s.fse.TableLog = maxFSETableLog + b, err := fse.Compress(huffWeight[:maxSymbolValue], s.fse) + if err == nil && len(b) < int(s.symbolLen>>1) { + s.Out = append(s.Out, uint8(len(b))) + s.Out = append(s.Out, b...) + return nil + } + // Unable to compress (RLE/uncompressible) + } + // write raw values as 4-bits (max : 15) + if maxSymbolValue > (256 - 128) { + // should not happen : likely means source cannot be compressed + return ErrIncompressible + } + op := s.Out + // special case, pack weights 4 bits/weight. + op = append(op, 128|(maxSymbolValue-1)) + // be sure it doesn't cause msan issue in final combination + huffWeight[maxSymbolValue] = 0 + for n := uint16(0); n < uint16(maxSymbolValue); n += 2 { + op = append(op, (huffWeight[n]<<4)|huffWeight[n+1]) + } + s.Out = op + return nil +} + +func (c cTable) estTableSize(s *Scratch) (sz int, err error) { + var ( + // precomputed conversion table + bitsToWeight [tableLogMax + 1]byte + huffLog = s.actualTableLog + // last weight is not saved. + maxSymbolValue = uint8(s.symbolLen - 1) + huffWeight = s.huffWeight[:256] + ) + const ( + maxFSETableLog = 6 + ) + // convert to weight + bitsToWeight[0] = 0 + for n := uint8(1); n < huffLog+1; n++ { + bitsToWeight[n] = huffLog + 1 - n + } + + // Acquire histogram for FSE. + hist := s.fse.Histogram() + hist = hist[:256] + for i := range hist[:16] { + hist[i] = 0 + } + for n := uint8(0); n < maxSymbolValue; n++ { + v := bitsToWeight[c[n].nBits] & 15 + huffWeight[n] = v + hist[v]++ + } + + // FSE compress if feasible. + if maxSymbolValue >= 2 { + huffMaxCnt := uint32(0) + huffMax := uint8(0) + for i, v := range hist[:16] { + if v == 0 { + continue + } + huffMax = byte(i) + if v > huffMaxCnt { + huffMaxCnt = v + } + } + s.fse.HistogramFinished(huffMax, int(huffMaxCnt)) + s.fse.TableLog = maxFSETableLog + b, err := fse.Compress(huffWeight[:maxSymbolValue], s.fse) + if err == nil && len(b) < int(s.symbolLen>>1) { + sz += 1 + len(b) + return sz, nil + } + // Unable to compress (RLE/uncompressible) + } + // write raw values as 4-bits (max : 15) + if maxSymbolValue > (256 - 128) { + // should not happen : likely means source cannot be compressed + return 0, ErrIncompressible + } + // special case, pack weights 4 bits/weight. + sz += 1 + int(maxSymbolValue/2) + return sz, nil +} + +// estimateSize returns the estimated size in bytes of the input represented in the +// histogram supplied. +func (c cTable) estimateSize(hist []uint32) int { + nbBits := uint32(7) + for i, v := range c[:len(hist)] { + nbBits += uint32(v.nBits) * hist[i] + } + return int(nbBits >> 3) +} + +// minSize returns the minimum possible size considering the shannon limit. +func (s *Scratch) minSize(total int) int { + nbBits := float64(7) + fTotal := float64(total) + for _, v := range s.count[:s.symbolLen] { + n := float64(v) + if n > 0 { + nbBits += math.Log2(fTotal/n) * n + } + } + return int(nbBits) >> 3 +} + +func highBit32(val uint32) (n uint32) { + return uint32(bits.Len32(val) - 1) +} diff --git a/vendor/github.com/klauspost/compress/internal/cpuinfo/cpuinfo.go b/vendor/github.com/klauspost/compress/internal/cpuinfo/cpuinfo.go new file mode 100644 index 0000000000..3954c51219 --- /dev/null +++ b/vendor/github.com/klauspost/compress/internal/cpuinfo/cpuinfo.go @@ -0,0 +1,34 @@ +// Package cpuinfo gives runtime info about the current CPU. +// +// This is a very limited module meant for use internally +// in this project. For more versatile solution check +// https://github.com/klauspost/cpuid. +package cpuinfo + +// HasBMI1 checks whether an x86 CPU supports the BMI1 extension. +func HasBMI1() bool { + return hasBMI1 +} + +// HasBMI2 checks whether an x86 CPU supports the BMI2 extension. +func HasBMI2() bool { + return hasBMI2 +} + +// DisableBMI2 will disable BMI2, for testing purposes. +// Call returned function to restore previous state. +func DisableBMI2() func() { + old := hasBMI2 + hasBMI2 = false + return func() { + hasBMI2 = old + } +} + +// HasBMI checks whether an x86 CPU supports both BMI1 and BMI2 extensions. +func HasBMI() bool { + return HasBMI1() && HasBMI2() +} + +var hasBMI1 bool +var hasBMI2 bool diff --git a/vendor/github.com/klauspost/compress/internal/cpuinfo/cpuinfo_amd64.go b/vendor/github.com/klauspost/compress/internal/cpuinfo/cpuinfo_amd64.go new file mode 100644 index 0000000000..e802579c4f --- /dev/null +++ b/vendor/github.com/klauspost/compress/internal/cpuinfo/cpuinfo_amd64.go @@ -0,0 +1,11 @@ +//go:build amd64 && !appengine && !noasm && gc +// +build amd64,!appengine,!noasm,gc + +package cpuinfo + +// go:noescape +func x86extensions() (bmi1, bmi2 bool) + +func init() { + hasBMI1, hasBMI2 = x86extensions() +} diff --git a/vendor/github.com/klauspost/compress/internal/cpuinfo/cpuinfo_amd64.s b/vendor/github.com/klauspost/compress/internal/cpuinfo/cpuinfo_amd64.s new file mode 100644 index 0000000000..4465fbe9e9 --- /dev/null +++ b/vendor/github.com/klauspost/compress/internal/cpuinfo/cpuinfo_amd64.s @@ -0,0 +1,36 @@ +// +build !appengine +// +build gc +// +build !noasm + +#include "textflag.h" +#include "funcdata.h" +#include "go_asm.h" + +TEXT ·x86extensions(SB), NOSPLIT, $0 + // 1. determine max EAX value + XORQ AX, AX + CPUID + + CMPQ AX, $7 + JB unsupported + + // 2. EAX = 7, ECX = 0 --- see Table 3-8 "Information Returned by CPUID Instruction" + MOVQ $7, AX + MOVQ $0, CX + CPUID + + BTQ $3, BX // bit 3 = BMI1 + SETCS AL + + BTQ $8, BX // bit 8 = BMI2 + SETCS AH + + MOVB AL, bmi1+0(FP) + MOVB AH, bmi2+1(FP) + RET + +unsupported: + XORQ AX, AX + MOVB AL, bmi1+0(FP) + MOVB AL, bmi2+1(FP) + RET diff --git a/vendor/github.com/klauspost/compress/internal/le/le.go b/vendor/github.com/klauspost/compress/internal/le/le.go new file mode 100644 index 0000000000..e54909e16f --- /dev/null +++ b/vendor/github.com/klauspost/compress/internal/le/le.go @@ -0,0 +1,5 @@ +package le + +type Indexer interface { + int | int8 | int16 | int32 | int64 | uint | uint8 | uint16 | uint32 | uint64 +} diff --git a/vendor/github.com/klauspost/compress/internal/le/unsafe_disabled.go b/vendor/github.com/klauspost/compress/internal/le/unsafe_disabled.go new file mode 100644 index 0000000000..0cfb5c0e27 --- /dev/null +++ b/vendor/github.com/klauspost/compress/internal/le/unsafe_disabled.go @@ -0,0 +1,42 @@ +//go:build !(amd64 || arm64 || ppc64le || riscv64) || nounsafe || purego || appengine + +package le + +import ( + "encoding/binary" +) + +// Load8 will load from b at index i. +func Load8[I Indexer](b []byte, i I) byte { + return b[i] +} + +// Load16 will load from b at index i. +func Load16[I Indexer](b []byte, i I) uint16 { + return binary.LittleEndian.Uint16(b[i:]) +} + +// Load32 will load from b at index i. +func Load32[I Indexer](b []byte, i I) uint32 { + return binary.LittleEndian.Uint32(b[i:]) +} + +// Load64 will load from b at index i. +func Load64[I Indexer](b []byte, i I) uint64 { + return binary.LittleEndian.Uint64(b[i:]) +} + +// Store16 will store v at b. +func Store16(b []byte, v uint16) { + binary.LittleEndian.PutUint16(b, v) +} + +// Store32 will store v at b. +func Store32(b []byte, v uint32) { + binary.LittleEndian.PutUint32(b, v) +} + +// Store64 will store v at b. +func Store64(b []byte, v uint64) { + binary.LittleEndian.PutUint64(b, v) +} diff --git a/vendor/github.com/klauspost/compress/internal/le/unsafe_enabled.go b/vendor/github.com/klauspost/compress/internal/le/unsafe_enabled.go new file mode 100644 index 0000000000..ada45cd909 --- /dev/null +++ b/vendor/github.com/klauspost/compress/internal/le/unsafe_enabled.go @@ -0,0 +1,55 @@ +// We enable 64 bit LE platforms: + +//go:build (amd64 || arm64 || ppc64le || riscv64) && !nounsafe && !purego && !appengine + +package le + +import ( + "unsafe" +) + +// Load8 will load from b at index i. +func Load8[I Indexer](b []byte, i I) byte { + //return binary.LittleEndian.Uint16(b[i:]) + //return *(*uint16)(unsafe.Pointer(&b[i])) + return *(*byte)(unsafe.Add(unsafe.Pointer(unsafe.SliceData(b)), i)) +} + +// Load16 will load from b at index i. +func Load16[I Indexer](b []byte, i I) uint16 { + //return binary.LittleEndian.Uint16(b[i:]) + //return *(*uint16)(unsafe.Pointer(&b[i])) + return *(*uint16)(unsafe.Add(unsafe.Pointer(unsafe.SliceData(b)), i)) +} + +// Load32 will load from b at index i. +func Load32[I Indexer](b []byte, i I) uint32 { + //return binary.LittleEndian.Uint32(b[i:]) + //return *(*uint32)(unsafe.Pointer(&b[i])) + return *(*uint32)(unsafe.Add(unsafe.Pointer(unsafe.SliceData(b)), i)) +} + +// Load64 will load from b at index i. +func Load64[I Indexer](b []byte, i I) uint64 { + //return binary.LittleEndian.Uint64(b[i:]) + //return *(*uint64)(unsafe.Pointer(&b[i])) + return *(*uint64)(unsafe.Add(unsafe.Pointer(unsafe.SliceData(b)), i)) +} + +// Store16 will store v at b. +func Store16(b []byte, v uint16) { + //binary.LittleEndian.PutUint16(b, v) + *(*uint16)(unsafe.Pointer(unsafe.SliceData(b))) = v +} + +// Store32 will store v at b. +func Store32(b []byte, v uint32) { + //binary.LittleEndian.PutUint32(b, v) + *(*uint32)(unsafe.Pointer(unsafe.SliceData(b))) = v +} + +// Store64 will store v at b. +func Store64(b []byte, v uint64) { + //binary.LittleEndian.PutUint64(b, v) + *(*uint64)(unsafe.Pointer(unsafe.SliceData(b))) = v +} diff --git a/vendor/github.com/klauspost/compress/internal/snapref/LICENSE b/vendor/github.com/klauspost/compress/internal/snapref/LICENSE new file mode 100644 index 0000000000..6050c10f4c --- /dev/null +++ b/vendor/github.com/klauspost/compress/internal/snapref/LICENSE @@ -0,0 +1,27 @@ +Copyright (c) 2011 The Snappy-Go Authors. All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are +met: + + * Redistributions of source code must retain the above copyright +notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above +copyright notice, this list of conditions and the following disclaimer +in the documentation and/or other materials provided with the +distribution. + * Neither the name of Google Inc. nor the names of its +contributors may be used to endorse or promote products derived from +this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. diff --git a/vendor/github.com/klauspost/compress/internal/snapref/decode.go b/vendor/github.com/klauspost/compress/internal/snapref/decode.go new file mode 100644 index 0000000000..40796a49d6 --- /dev/null +++ b/vendor/github.com/klauspost/compress/internal/snapref/decode.go @@ -0,0 +1,264 @@ +// Copyright 2011 The Snappy-Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package snapref + +import ( + "encoding/binary" + "errors" + "io" +) + +var ( + // ErrCorrupt reports that the input is invalid. + ErrCorrupt = errors.New("snappy: corrupt input") + // ErrTooLarge reports that the uncompressed length is too large. + ErrTooLarge = errors.New("snappy: decoded block is too large") + // ErrUnsupported reports that the input isn't supported. + ErrUnsupported = errors.New("snappy: unsupported input") + + errUnsupportedLiteralLength = errors.New("snappy: unsupported literal length") +) + +// DecodedLen returns the length of the decoded block. +func DecodedLen(src []byte) (int, error) { + v, _, err := decodedLen(src) + return v, err +} + +// decodedLen returns the length of the decoded block and the number of bytes +// that the length header occupied. +func decodedLen(src []byte) (blockLen, headerLen int, err error) { + v, n := binary.Uvarint(src) + if n <= 0 || v > 0xffffffff { + return 0, 0, ErrCorrupt + } + + const wordSize = 32 << (^uint(0) >> 32 & 1) + if wordSize == 32 && v > 0x7fffffff { + return 0, 0, ErrTooLarge + } + return int(v), n, nil +} + +const ( + decodeErrCodeCorrupt = 1 + decodeErrCodeUnsupportedLiteralLength = 2 +) + +// Decode returns the decoded form of src. The returned slice may be a sub- +// slice of dst if dst was large enough to hold the entire decoded block. +// Otherwise, a newly allocated slice will be returned. +// +// The dst and src must not overlap. It is valid to pass a nil dst. +// +// Decode handles the Snappy block format, not the Snappy stream format. +func Decode(dst, src []byte) ([]byte, error) { + dLen, s, err := decodedLen(src) + if err != nil { + return nil, err + } + if dLen <= len(dst) { + dst = dst[:dLen] + } else { + dst = make([]byte, dLen) + } + switch decode(dst, src[s:]) { + case 0: + return dst, nil + case decodeErrCodeUnsupportedLiteralLength: + return nil, errUnsupportedLiteralLength + } + return nil, ErrCorrupt +} + +// NewReader returns a new Reader that decompresses from r, using the framing +// format described at +// https://github.com/google/snappy/blob/master/framing_format.txt +func NewReader(r io.Reader) *Reader { + return &Reader{ + r: r, + decoded: make([]byte, maxBlockSize), + buf: make([]byte, maxEncodedLenOfMaxBlockSize+checksumSize), + } +} + +// Reader is an io.Reader that can read Snappy-compressed bytes. +// +// Reader handles the Snappy stream format, not the Snappy block format. +type Reader struct { + r io.Reader + err error + decoded []byte + buf []byte + // decoded[i:j] contains decoded bytes that have not yet been passed on. + i, j int + readHeader bool +} + +// Reset discards any buffered data, resets all state, and switches the Snappy +// reader to read from r. This permits reusing a Reader rather than allocating +// a new one. +func (r *Reader) Reset(reader io.Reader) { + r.r = reader + r.err = nil + r.i = 0 + r.j = 0 + r.readHeader = false +} + +func (r *Reader) readFull(p []byte, allowEOF bool) (ok bool) { + if _, r.err = io.ReadFull(r.r, p); r.err != nil { + if r.err == io.ErrUnexpectedEOF || (r.err == io.EOF && !allowEOF) { + r.err = ErrCorrupt + } + return false + } + return true +} + +func (r *Reader) fill() error { + for r.i >= r.j { + if !r.readFull(r.buf[:4], true) { + return r.err + } + chunkType := r.buf[0] + if !r.readHeader { + if chunkType != chunkTypeStreamIdentifier { + r.err = ErrCorrupt + return r.err + } + r.readHeader = true + } + chunkLen := int(r.buf[1]) | int(r.buf[2])<<8 | int(r.buf[3])<<16 + if chunkLen > len(r.buf) { + r.err = ErrUnsupported + return r.err + } + + // The chunk types are specified at + // https://github.com/google/snappy/blob/master/framing_format.txt + switch chunkType { + case chunkTypeCompressedData: + // Section 4.2. Compressed data (chunk type 0x00). + if chunkLen < checksumSize { + r.err = ErrCorrupt + return r.err + } + buf := r.buf[:chunkLen] + if !r.readFull(buf, false) { + return r.err + } + checksum := uint32(buf[0]) | uint32(buf[1])<<8 | uint32(buf[2])<<16 | uint32(buf[3])<<24 + buf = buf[checksumSize:] + + n, err := DecodedLen(buf) + if err != nil { + r.err = err + return r.err + } + if n > len(r.decoded) { + r.err = ErrCorrupt + return r.err + } + if _, err := Decode(r.decoded, buf); err != nil { + r.err = err + return r.err + } + if crc(r.decoded[:n]) != checksum { + r.err = ErrCorrupt + return r.err + } + r.i, r.j = 0, n + continue + + case chunkTypeUncompressedData: + // Section 4.3. Uncompressed data (chunk type 0x01). + if chunkLen < checksumSize { + r.err = ErrCorrupt + return r.err + } + buf := r.buf[:checksumSize] + if !r.readFull(buf, false) { + return r.err + } + checksum := uint32(buf[0]) | uint32(buf[1])<<8 | uint32(buf[2])<<16 | uint32(buf[3])<<24 + // Read directly into r.decoded instead of via r.buf. + n := chunkLen - checksumSize + if n > len(r.decoded) { + r.err = ErrCorrupt + return r.err + } + if !r.readFull(r.decoded[:n], false) { + return r.err + } + if crc(r.decoded[:n]) != checksum { + r.err = ErrCorrupt + return r.err + } + r.i, r.j = 0, n + continue + + case chunkTypeStreamIdentifier: + // Section 4.1. Stream identifier (chunk type 0xff). + if chunkLen != len(magicBody) { + r.err = ErrCorrupt + return r.err + } + if !r.readFull(r.buf[:len(magicBody)], false) { + return r.err + } + for i := 0; i < len(magicBody); i++ { + if r.buf[i] != magicBody[i] { + r.err = ErrCorrupt + return r.err + } + } + continue + } + + if chunkType <= 0x7f { + // Section 4.5. Reserved unskippable chunks (chunk types 0x02-0x7f). + r.err = ErrUnsupported + return r.err + } + // Section 4.4 Padding (chunk type 0xfe). + // Section 4.6. Reserved skippable chunks (chunk types 0x80-0xfd). + if !r.readFull(r.buf[:chunkLen], false) { + return r.err + } + } + + return nil +} + +// Read satisfies the io.Reader interface. +func (r *Reader) Read(p []byte) (int, error) { + if r.err != nil { + return 0, r.err + } + + if err := r.fill(); err != nil { + return 0, err + } + + n := copy(p, r.decoded[r.i:r.j]) + r.i += n + return n, nil +} + +// ReadByte satisfies the io.ByteReader interface. +func (r *Reader) ReadByte() (byte, error) { + if r.err != nil { + return 0, r.err + } + + if err := r.fill(); err != nil { + return 0, err + } + + c := r.decoded[r.i] + r.i++ + return c, nil +} diff --git a/vendor/github.com/klauspost/compress/internal/snapref/decode_other.go b/vendor/github.com/klauspost/compress/internal/snapref/decode_other.go new file mode 100644 index 0000000000..77395a6b8b --- /dev/null +++ b/vendor/github.com/klauspost/compress/internal/snapref/decode_other.go @@ -0,0 +1,113 @@ +// Copyright 2016 The Snappy-Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package snapref + +// decode writes the decoding of src to dst. It assumes that the varint-encoded +// length of the decompressed bytes has already been read, and that len(dst) +// equals that length. +// +// It returns 0 on success or a decodeErrCodeXxx error code on failure. +func decode(dst, src []byte) int { + var d, s, offset, length int + for s < len(src) { + switch src[s] & 0x03 { + case tagLiteral: + x := uint32(src[s] >> 2) + switch { + case x < 60: + s++ + case x == 60: + s += 2 + if uint(s) > uint(len(src)) { // The uint conversions catch overflow from the previous line. + return decodeErrCodeCorrupt + } + x = uint32(src[s-1]) + case x == 61: + s += 3 + if uint(s) > uint(len(src)) { // The uint conversions catch overflow from the previous line. + return decodeErrCodeCorrupt + } + x = uint32(src[s-2]) | uint32(src[s-1])<<8 + case x == 62: + s += 4 + if uint(s) > uint(len(src)) { // The uint conversions catch overflow from the previous line. + return decodeErrCodeCorrupt + } + x = uint32(src[s-3]) | uint32(src[s-2])<<8 | uint32(src[s-1])<<16 + case x == 63: + s += 5 + if uint(s) > uint(len(src)) { // The uint conversions catch overflow from the previous line. + return decodeErrCodeCorrupt + } + x = uint32(src[s-4]) | uint32(src[s-3])<<8 | uint32(src[s-2])<<16 | uint32(src[s-1])<<24 + } + length = int(x) + 1 + if length <= 0 { + return decodeErrCodeUnsupportedLiteralLength + } + if length > len(dst)-d || length > len(src)-s { + return decodeErrCodeCorrupt + } + copy(dst[d:], src[s:s+length]) + d += length + s += length + continue + + case tagCopy1: + s += 2 + if uint(s) > uint(len(src)) { // The uint conversions catch overflow from the previous line. + return decodeErrCodeCorrupt + } + length = 4 + int(src[s-2])>>2&0x7 + offset = int(uint32(src[s-2])&0xe0<<3 | uint32(src[s-1])) + + case tagCopy2: + s += 3 + if uint(s) > uint(len(src)) { // The uint conversions catch overflow from the previous line. + return decodeErrCodeCorrupt + } + length = 1 + int(src[s-3])>>2 + offset = int(uint32(src[s-2]) | uint32(src[s-1])<<8) + + case tagCopy4: + s += 5 + if uint(s) > uint(len(src)) { // The uint conversions catch overflow from the previous line. + return decodeErrCodeCorrupt + } + length = 1 + int(src[s-5])>>2 + offset = int(uint32(src[s-4]) | uint32(src[s-3])<<8 | uint32(src[s-2])<<16 | uint32(src[s-1])<<24) + } + + if offset <= 0 || d < offset || length > len(dst)-d { + return decodeErrCodeCorrupt + } + // Copy from an earlier sub-slice of dst to a later sub-slice. + // If no overlap, use the built-in copy: + if offset >= length { + copy(dst[d:d+length], dst[d-offset:]) + d += length + continue + } + + // Unlike the built-in copy function, this byte-by-byte copy always runs + // forwards, even if the slices overlap. Conceptually, this is: + // + // d += forwardCopy(dst[d:d+length], dst[d-offset:]) + // + // We align the slices into a and b and show the compiler they are the same size. + // This allows the loop to run without bounds checks. + a := dst[d : d+length] + b := dst[d-offset:] + b = b[:len(a)] + for i := range a { + a[i] = b[i] + } + d += length + } + if d != len(dst) { + return decodeErrCodeCorrupt + } + return 0 +} diff --git a/vendor/github.com/klauspost/compress/internal/snapref/encode.go b/vendor/github.com/klauspost/compress/internal/snapref/encode.go new file mode 100644 index 0000000000..13c6040a5d --- /dev/null +++ b/vendor/github.com/klauspost/compress/internal/snapref/encode.go @@ -0,0 +1,289 @@ +// Copyright 2011 The Snappy-Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package snapref + +import ( + "encoding/binary" + "errors" + "io" +) + +// Encode returns the encoded form of src. The returned slice may be a sub- +// slice of dst if dst was large enough to hold the entire encoded block. +// Otherwise, a newly allocated slice will be returned. +// +// The dst and src must not overlap. It is valid to pass a nil dst. +// +// Encode handles the Snappy block format, not the Snappy stream format. +func Encode(dst, src []byte) []byte { + if n := MaxEncodedLen(len(src)); n < 0 { + panic(ErrTooLarge) + } else if len(dst) < n { + dst = make([]byte, n) + } + + // The block starts with the varint-encoded length of the decompressed bytes. + d := binary.PutUvarint(dst, uint64(len(src))) + + for len(src) > 0 { + p := src + src = nil + if len(p) > maxBlockSize { + p, src = p[:maxBlockSize], p[maxBlockSize:] + } + if len(p) < minNonLiteralBlockSize { + d += emitLiteral(dst[d:], p) + } else { + d += encodeBlock(dst[d:], p) + } + } + return dst[:d] +} + +// inputMargin is the minimum number of extra input bytes to keep, inside +// encodeBlock's inner loop. On some architectures, this margin lets us +// implement a fast path for emitLiteral, where the copy of short (<= 16 byte) +// literals can be implemented as a single load to and store from a 16-byte +// register. That literal's actual length can be as short as 1 byte, so this +// can copy up to 15 bytes too much, but that's OK as subsequent iterations of +// the encoding loop will fix up the copy overrun, and this inputMargin ensures +// that we don't overrun the dst and src buffers. +const inputMargin = 16 - 1 + +// minNonLiteralBlockSize is the minimum size of the input to encodeBlock that +// could be encoded with a copy tag. This is the minimum with respect to the +// algorithm used by encodeBlock, not a minimum enforced by the file format. +// +// The encoded output must start with at least a 1 byte literal, as there are +// no previous bytes to copy. A minimal (1 byte) copy after that, generated +// from an emitCopy call in encodeBlock's main loop, would require at least +// another inputMargin bytes, for the reason above: we want any emitLiteral +// calls inside encodeBlock's main loop to use the fast path if possible, which +// requires being able to overrun by inputMargin bytes. Thus, +// minNonLiteralBlockSize equals 1 + 1 + inputMargin. +// +// The C++ code doesn't use this exact threshold, but it could, as discussed at +// https://groups.google.com/d/topic/snappy-compression/oGbhsdIJSJ8/discussion +// The difference between Go (2+inputMargin) and C++ (inputMargin) is purely an +// optimization. It should not affect the encoded form. This is tested by +// TestSameEncodingAsCppShortCopies. +const minNonLiteralBlockSize = 1 + 1 + inputMargin + +// MaxEncodedLen returns the maximum length of a snappy block, given its +// uncompressed length. +// +// It will return a negative value if srcLen is too large to encode. +func MaxEncodedLen(srcLen int) int { + n := uint64(srcLen) + if n > 0xffffffff { + return -1 + } + // Compressed data can be defined as: + // compressed := item* literal* + // item := literal* copy + // + // The trailing literal sequence has a space blowup of at most 62/60 + // since a literal of length 60 needs one tag byte + one extra byte + // for length information. + // + // Item blowup is trickier to measure. Suppose the "copy" op copies + // 4 bytes of data. Because of a special check in the encoding code, + // we produce a 4-byte copy only if the offset is < 65536. Therefore + // the copy op takes 3 bytes to encode, and this type of item leads + // to at most the 62/60 blowup for representing literals. + // + // Suppose the "copy" op copies 5 bytes of data. If the offset is big + // enough, it will take 5 bytes to encode the copy op. Therefore the + // worst case here is a one-byte literal followed by a five-byte copy. + // That is, 6 bytes of input turn into 7 bytes of "compressed" data. + // + // This last factor dominates the blowup, so the final estimate is: + n = 32 + n + n/6 + if n > 0xffffffff { + return -1 + } + return int(n) +} + +var errClosed = errors.New("snappy: Writer is closed") + +// NewWriter returns a new Writer that compresses to w. +// +// The Writer returned does not buffer writes. There is no need to Flush or +// Close such a Writer. +// +// Deprecated: the Writer returned is not suitable for many small writes, only +// for few large writes. Use NewBufferedWriter instead, which is efficient +// regardless of the frequency and shape of the writes, and remember to Close +// that Writer when done. +func NewWriter(w io.Writer) *Writer { + return &Writer{ + w: w, + obuf: make([]byte, obufLen), + } +} + +// NewBufferedWriter returns a new Writer that compresses to w, using the +// framing format described at +// https://github.com/google/snappy/blob/master/framing_format.txt +// +// The Writer returned buffers writes. Users must call Close to guarantee all +// data has been forwarded to the underlying io.Writer. They may also call +// Flush zero or more times before calling Close. +func NewBufferedWriter(w io.Writer) *Writer { + return &Writer{ + w: w, + ibuf: make([]byte, 0, maxBlockSize), + obuf: make([]byte, obufLen), + } +} + +// Writer is an io.Writer that can write Snappy-compressed bytes. +// +// Writer handles the Snappy stream format, not the Snappy block format. +type Writer struct { + w io.Writer + err error + + // ibuf is a buffer for the incoming (uncompressed) bytes. + // + // Its use is optional. For backwards compatibility, Writers created by the + // NewWriter function have ibuf == nil, do not buffer incoming bytes, and + // therefore do not need to be Flush'ed or Close'd. + ibuf []byte + + // obuf is a buffer for the outgoing (compressed) bytes. + obuf []byte + + // wroteStreamHeader is whether we have written the stream header. + wroteStreamHeader bool +} + +// Reset discards the writer's state and switches the Snappy writer to write to +// w. This permits reusing a Writer rather than allocating a new one. +func (w *Writer) Reset(writer io.Writer) { + w.w = writer + w.err = nil + if w.ibuf != nil { + w.ibuf = w.ibuf[:0] + } + w.wroteStreamHeader = false +} + +// Write satisfies the io.Writer interface. +func (w *Writer) Write(p []byte) (nRet int, errRet error) { + if w.ibuf == nil { + // Do not buffer incoming bytes. This does not perform or compress well + // if the caller of Writer.Write writes many small slices. This + // behavior is therefore deprecated, but still supported for backwards + // compatibility with code that doesn't explicitly Flush or Close. + return w.write(p) + } + + // The remainder of this method is based on bufio.Writer.Write from the + // standard library. + + for len(p) > (cap(w.ibuf)-len(w.ibuf)) && w.err == nil { + var n int + if len(w.ibuf) == 0 { + // Large write, empty buffer. + // Write directly from p to avoid copy. + n, _ = w.write(p) + } else { + n = copy(w.ibuf[len(w.ibuf):cap(w.ibuf)], p) + w.ibuf = w.ibuf[:len(w.ibuf)+n] + w.Flush() + } + nRet += n + p = p[n:] + } + if w.err != nil { + return nRet, w.err + } + n := copy(w.ibuf[len(w.ibuf):cap(w.ibuf)], p) + w.ibuf = w.ibuf[:len(w.ibuf)+n] + nRet += n + return nRet, nil +} + +func (w *Writer) write(p []byte) (nRet int, errRet error) { + if w.err != nil { + return 0, w.err + } + for len(p) > 0 { + obufStart := len(magicChunk) + if !w.wroteStreamHeader { + w.wroteStreamHeader = true + copy(w.obuf, magicChunk) + obufStart = 0 + } + + var uncompressed []byte + if len(p) > maxBlockSize { + uncompressed, p = p[:maxBlockSize], p[maxBlockSize:] + } else { + uncompressed, p = p, nil + } + checksum := crc(uncompressed) + + // Compress the buffer, discarding the result if the improvement + // isn't at least 12.5%. + compressed := Encode(w.obuf[obufHeaderLen:], uncompressed) + chunkType := uint8(chunkTypeCompressedData) + chunkLen := 4 + len(compressed) + obufEnd := obufHeaderLen + len(compressed) + if len(compressed) >= len(uncompressed)-len(uncompressed)/8 { + chunkType = chunkTypeUncompressedData + chunkLen = 4 + len(uncompressed) + obufEnd = obufHeaderLen + } + + // Fill in the per-chunk header that comes before the body. + w.obuf[len(magicChunk)+0] = chunkType + w.obuf[len(magicChunk)+1] = uint8(chunkLen >> 0) + w.obuf[len(magicChunk)+2] = uint8(chunkLen >> 8) + w.obuf[len(magicChunk)+3] = uint8(chunkLen >> 16) + w.obuf[len(magicChunk)+4] = uint8(checksum >> 0) + w.obuf[len(magicChunk)+5] = uint8(checksum >> 8) + w.obuf[len(magicChunk)+6] = uint8(checksum >> 16) + w.obuf[len(magicChunk)+7] = uint8(checksum >> 24) + + if _, err := w.w.Write(w.obuf[obufStart:obufEnd]); err != nil { + w.err = err + return nRet, err + } + if chunkType == chunkTypeUncompressedData { + if _, err := w.w.Write(uncompressed); err != nil { + w.err = err + return nRet, err + } + } + nRet += len(uncompressed) + } + return nRet, nil +} + +// Flush flushes the Writer to its underlying io.Writer. +func (w *Writer) Flush() error { + if w.err != nil { + return w.err + } + if len(w.ibuf) == 0 { + return nil + } + w.write(w.ibuf) + w.ibuf = w.ibuf[:0] + return w.err +} + +// Close calls Flush and then closes the Writer. +func (w *Writer) Close() error { + w.Flush() + ret := w.err + if w.err == nil { + w.err = errClosed + } + return ret +} diff --git a/vendor/github.com/klauspost/compress/internal/snapref/encode_other.go b/vendor/github.com/klauspost/compress/internal/snapref/encode_other.go new file mode 100644 index 0000000000..2754bac6f1 --- /dev/null +++ b/vendor/github.com/klauspost/compress/internal/snapref/encode_other.go @@ -0,0 +1,250 @@ +// Copyright 2016 The Snappy-Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package snapref + +func load32(b []byte, i int) uint32 { + b = b[i : i+4 : len(b)] // Help the compiler eliminate bounds checks on the next line. + return uint32(b[0]) | uint32(b[1])<<8 | uint32(b[2])<<16 | uint32(b[3])<<24 +} + +func load64(b []byte, i int) uint64 { + b = b[i : i+8 : len(b)] // Help the compiler eliminate bounds checks on the next line. + return uint64(b[0]) | uint64(b[1])<<8 | uint64(b[2])<<16 | uint64(b[3])<<24 | + uint64(b[4])<<32 | uint64(b[5])<<40 | uint64(b[6])<<48 | uint64(b[7])<<56 +} + +// emitLiteral writes a literal chunk and returns the number of bytes written. +// +// It assumes that: +// +// dst is long enough to hold the encoded bytes +// 1 <= len(lit) && len(lit) <= 65536 +func emitLiteral(dst, lit []byte) int { + i, n := 0, uint(len(lit)-1) + switch { + case n < 60: + dst[0] = uint8(n)<<2 | tagLiteral + i = 1 + case n < 1<<8: + dst[0] = 60<<2 | tagLiteral + dst[1] = uint8(n) + i = 2 + default: + dst[0] = 61<<2 | tagLiteral + dst[1] = uint8(n) + dst[2] = uint8(n >> 8) + i = 3 + } + return i + copy(dst[i:], lit) +} + +// emitCopy writes a copy chunk and returns the number of bytes written. +// +// It assumes that: +// +// dst is long enough to hold the encoded bytes +// 1 <= offset && offset <= 65535 +// 4 <= length && length <= 65535 +func emitCopy(dst []byte, offset, length int) int { + i := 0 + // The maximum length for a single tagCopy1 or tagCopy2 op is 64 bytes. The + // threshold for this loop is a little higher (at 68 = 64 + 4), and the + // length emitted down below is a little lower (at 60 = 64 - 4), because + // it's shorter to encode a length 67 copy as a length 60 tagCopy2 followed + // by a length 7 tagCopy1 (which encodes as 3+2 bytes) than to encode it as + // a length 64 tagCopy2 followed by a length 3 tagCopy2 (which encodes as + // 3+3 bytes). The magic 4 in the 64±4 is because the minimum length for a + // tagCopy1 op is 4 bytes, which is why a length 3 copy has to be an + // encodes-as-3-bytes tagCopy2 instead of an encodes-as-2-bytes tagCopy1. + for length >= 68 { + // Emit a length 64 copy, encoded as 3 bytes. + dst[i+0] = 63<<2 | tagCopy2 + dst[i+1] = uint8(offset) + dst[i+2] = uint8(offset >> 8) + i += 3 + length -= 64 + } + if length > 64 { + // Emit a length 60 copy, encoded as 3 bytes. + dst[i+0] = 59<<2 | tagCopy2 + dst[i+1] = uint8(offset) + dst[i+2] = uint8(offset >> 8) + i += 3 + length -= 60 + } + if length >= 12 || offset >= 2048 { + // Emit the remaining copy, encoded as 3 bytes. + dst[i+0] = uint8(length-1)<<2 | tagCopy2 + dst[i+1] = uint8(offset) + dst[i+2] = uint8(offset >> 8) + return i + 3 + } + // Emit the remaining copy, encoded as 2 bytes. + dst[i+0] = uint8(offset>>8)<<5 | uint8(length-4)<<2 | tagCopy1 + dst[i+1] = uint8(offset) + return i + 2 +} + +func hash(u, shift uint32) uint32 { + return (u * 0x1e35a7bd) >> shift +} + +// EncodeBlockInto exposes encodeBlock but checks dst size. +func EncodeBlockInto(dst, src []byte) (d int) { + if MaxEncodedLen(len(src)) > len(dst) { + return 0 + } + + // encodeBlock breaks on too big blocks, so split. + for len(src) > 0 { + p := src + src = nil + if len(p) > maxBlockSize { + p, src = p[:maxBlockSize], p[maxBlockSize:] + } + if len(p) < minNonLiteralBlockSize { + d += emitLiteral(dst[d:], p) + } else { + d += encodeBlock(dst[d:], p) + } + } + return d +} + +// encodeBlock encodes a non-empty src to a guaranteed-large-enough dst. It +// assumes that the varint-encoded length of the decompressed bytes has already +// been written. +// +// It also assumes that: +// +// len(dst) >= MaxEncodedLen(len(src)) && +// minNonLiteralBlockSize <= len(src) && len(src) <= maxBlockSize +func encodeBlock(dst, src []byte) (d int) { + // Initialize the hash table. Its size ranges from 1<<8 to 1<<14 inclusive. + // The table element type is uint16, as s < sLimit and sLimit < len(src) + // and len(src) <= maxBlockSize and maxBlockSize == 65536. + const ( + maxTableSize = 1 << 14 + // tableMask is redundant, but helps the compiler eliminate bounds + // checks. + tableMask = maxTableSize - 1 + ) + shift := uint32(32 - 8) + for tableSize := 1 << 8; tableSize < maxTableSize && tableSize < len(src); tableSize *= 2 { + shift-- + } + // In Go, all array elements are zero-initialized, so there is no advantage + // to a smaller tableSize per se. However, it matches the C++ algorithm, + // and in the asm versions of this code, we can get away with zeroing only + // the first tableSize elements. + var table [maxTableSize]uint16 + + // sLimit is when to stop looking for offset/length copies. The inputMargin + // lets us use a fast path for emitLiteral in the main loop, while we are + // looking for copies. + sLimit := len(src) - inputMargin + + // nextEmit is where in src the next emitLiteral should start from. + nextEmit := 0 + + // The encoded form must start with a literal, as there are no previous + // bytes to copy, so we start looking for hash matches at s == 1. + s := 1 + nextHash := hash(load32(src, s), shift) + + for { + // Copied from the C++ snappy implementation: + // + // Heuristic match skipping: If 32 bytes are scanned with no matches + // found, start looking only at every other byte. If 32 more bytes are + // scanned (or skipped), look at every third byte, etc.. When a match + // is found, immediately go back to looking at every byte. This is a + // small loss (~5% performance, ~0.1% density) for compressible data + // due to more bookkeeping, but for non-compressible data (such as + // JPEG) it's a huge win since the compressor quickly "realizes" the + // data is incompressible and doesn't bother looking for matches + // everywhere. + // + // The "skip" variable keeps track of how many bytes there are since + // the last match; dividing it by 32 (ie. right-shifting by five) gives + // the number of bytes to move ahead for each iteration. + skip := 32 + + nextS := s + candidate := 0 + for { + s = nextS + bytesBetweenHashLookups := skip >> 5 + nextS = s + bytesBetweenHashLookups + skip += bytesBetweenHashLookups + if nextS > sLimit { + goto emitRemainder + } + candidate = int(table[nextHash&tableMask]) + table[nextHash&tableMask] = uint16(s) + nextHash = hash(load32(src, nextS), shift) + if load32(src, s) == load32(src, candidate) { + break + } + } + + // A 4-byte match has been found. We'll later see if more than 4 bytes + // match. But, prior to the match, src[nextEmit:s] are unmatched. Emit + // them as literal bytes. + d += emitLiteral(dst[d:], src[nextEmit:s]) + + // Call emitCopy, and then see if another emitCopy could be our next + // move. Repeat until we find no match for the input immediately after + // what was consumed by the last emitCopy call. + // + // If we exit this loop normally then we need to call emitLiteral next, + // though we don't yet know how big the literal will be. We handle that + // by proceeding to the next iteration of the main loop. We also can + // exit this loop via goto if we get close to exhausting the input. + for { + // Invariant: we have a 4-byte match at s, and no need to emit any + // literal bytes prior to s. + base := s + + // Extend the 4-byte match as long as possible. + // + // This is an inlined version of: + // s = extendMatch(src, candidate+4, s+4) + s += 4 + for i := candidate + 4; s < len(src) && src[i] == src[s]; i, s = i+1, s+1 { + } + + d += emitCopy(dst[d:], base-candidate, s-base) + nextEmit = s + if s >= sLimit { + goto emitRemainder + } + + // We could immediately start working at s now, but to improve + // compression we first update the hash table at s-1 and at s. If + // another emitCopy is not our next move, also calculate nextHash + // at s+1. At least on GOARCH=amd64, these three hash calculations + // are faster as one load64 call (with some shifts) instead of + // three load32 calls. + x := load64(src, s-1) + prevHash := hash(uint32(x>>0), shift) + table[prevHash&tableMask] = uint16(s - 1) + currHash := hash(uint32(x>>8), shift) + candidate = int(table[currHash&tableMask]) + table[currHash&tableMask] = uint16(s) + if uint32(x>>8) != load32(src, candidate) { + nextHash = hash(uint32(x>>16), shift) + s++ + break + } + } + } + +emitRemainder: + if nextEmit < len(src) { + d += emitLiteral(dst[d:], src[nextEmit:]) + } + return d +} diff --git a/vendor/github.com/klauspost/compress/internal/snapref/snappy.go b/vendor/github.com/klauspost/compress/internal/snapref/snappy.go new file mode 100644 index 0000000000..34d01f4aa6 --- /dev/null +++ b/vendor/github.com/klauspost/compress/internal/snapref/snappy.go @@ -0,0 +1,98 @@ +// Copyright 2011 The Snappy-Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +// Package snapref implements the Snappy compression format. It aims for very +// high speeds and reasonable compression. +// +// There are actually two Snappy formats: block and stream. They are related, +// but different: trying to decompress block-compressed data as a Snappy stream +// will fail, and vice versa. The block format is the Decode and Encode +// functions and the stream format is the Reader and Writer types. +// +// The block format, the more common case, is used when the complete size (the +// number of bytes) of the original data is known upfront, at the time +// compression starts. The stream format, also known as the framing format, is +// for when that isn't always true. +// +// The canonical, C++ implementation is at https://github.com/google/snappy and +// it only implements the block format. +package snapref + +import ( + "hash/crc32" +) + +/* +Each encoded block begins with the varint-encoded length of the decoded data, +followed by a sequence of chunks. Chunks begin and end on byte boundaries. The +first byte of each chunk is broken into its 2 least and 6 most significant bits +called l and m: l ranges in [0, 4) and m ranges in [0, 64). l is the chunk tag. +Zero means a literal tag. All other values mean a copy tag. + +For literal tags: + - If m < 60, the next 1 + m bytes are literal bytes. + - Otherwise, let n be the little-endian unsigned integer denoted by the next + m - 59 bytes. The next 1 + n bytes after that are literal bytes. + +For copy tags, length bytes are copied from offset bytes ago, in the style of +Lempel-Ziv compression algorithms. In particular: + - For l == 1, the offset ranges in [0, 1<<11) and the length in [4, 12). + The length is 4 + the low 3 bits of m. The high 3 bits of m form bits 8-10 + of the offset. The next byte is bits 0-7 of the offset. + - For l == 2, the offset ranges in [0, 1<<16) and the length in [1, 65). + The length is 1 + m. The offset is the little-endian unsigned integer + denoted by the next 2 bytes. + - For l == 3, this tag is a legacy format that is no longer issued by most + encoders. Nonetheless, the offset ranges in [0, 1<<32) and the length in + [1, 65). The length is 1 + m. The offset is the little-endian unsigned + integer denoted by the next 4 bytes. +*/ +const ( + tagLiteral = 0x00 + tagCopy1 = 0x01 + tagCopy2 = 0x02 + tagCopy4 = 0x03 +) + +const ( + checksumSize = 4 + chunkHeaderSize = 4 + magicChunk = "\xff\x06\x00\x00" + magicBody + magicBody = "sNaPpY" + + // maxBlockSize is the maximum size of the input to encodeBlock. It is not + // part of the wire format per se, but some parts of the encoder assume + // that an offset fits into a uint16. + // + // Also, for the framing format (Writer type instead of Encode function), + // https://github.com/google/snappy/blob/master/framing_format.txt says + // that "the uncompressed data in a chunk must be no longer than 65536 + // bytes". + maxBlockSize = 65536 + + // maxEncodedLenOfMaxBlockSize equals MaxEncodedLen(maxBlockSize), but is + // hard coded to be a const instead of a variable, so that obufLen can also + // be a const. Their equivalence is confirmed by + // TestMaxEncodedLenOfMaxBlockSize. + maxEncodedLenOfMaxBlockSize = 76490 + + obufHeaderLen = len(magicChunk) + checksumSize + chunkHeaderSize + obufLen = obufHeaderLen + maxEncodedLenOfMaxBlockSize +) + +const ( + chunkTypeCompressedData = 0x00 + chunkTypeUncompressedData = 0x01 + chunkTypePadding = 0xfe + chunkTypeStreamIdentifier = 0xff +) + +var crcTable = crc32.MakeTable(crc32.Castagnoli) + +// crc implements the checksum specified in section 3 of +// https://github.com/google/snappy/blob/master/framing_format.txt +func crc(b []byte) uint32 { + c := crc32.Update(0, crcTable, b) + return uint32(c>>15|c<<17) + 0xa282ead8 +} diff --git a/vendor/github.com/klauspost/compress/s2sx.mod b/vendor/github.com/klauspost/compress/s2sx.mod new file mode 100644 index 0000000000..81bda5e294 --- /dev/null +++ b/vendor/github.com/klauspost/compress/s2sx.mod @@ -0,0 +1,3 @@ +module github.com/klauspost/compress + +go 1.22 diff --git a/vendor/github.com/klauspost/compress/s2sx.sum b/vendor/github.com/klauspost/compress/s2sx.sum new file mode 100644 index 0000000000..e69de29bb2 diff --git a/vendor/github.com/klauspost/compress/zstd/README.md b/vendor/github.com/klauspost/compress/zstd/README.md new file mode 100644 index 0000000000..c11d7fa28e --- /dev/null +++ b/vendor/github.com/klauspost/compress/zstd/README.md @@ -0,0 +1,441 @@ +# zstd + +[Zstandard](https://facebook.github.io/zstd/) is a real-time compression algorithm, providing high compression ratios. +It offers a very wide range of compression / speed trade-off, while being backed by a very fast decoder. +A high performance compression algorithm is implemented. For now focused on speed. + +This package provides [compression](#Compressor) to and [decompression](#Decompressor) of Zstandard content. + +This package is pure Go. Use `noasm` and `nounsafe` to disable relevant features. + +The `zstd` package is provided as open source software using a Go standard license. + +Currently the package is heavily optimized for 64 bit processors and will be significantly slower on 32 bit processors. + +For seekable zstd streams, see [this excellent package](https://github.com/SaveTheRbtz/zstd-seekable-format-go). + +## Installation + +Install using `go get -u github.com/klauspost/compress`. The package is located in `github.com/klauspost/compress/zstd`. + +[![Go Reference](https://pkg.go.dev/badge/github.com/klauspost/compress/zstd.svg)](https://pkg.go.dev/github.com/klauspost/compress/zstd) + +## Compressor + +### Status: + +STABLE - there may always be subtle bugs, a wide variety of content has been tested and the library is actively +used by several projects. This library is being [fuzz-tested](https://github.com/klauspost/compress-fuzz) for all updates. + +There may still be specific combinations of data types/size/settings that could lead to edge cases, +so as always, testing is recommended. + +For now, a high speed (fastest) and medium-fast (default) compressor has been implemented. + +* The "Fastest" compression ratio is roughly equivalent to zstd level 1. +* The "Default" compression ratio is roughly equivalent to zstd level 3 (default). +* The "Better" compression ratio is roughly equivalent to zstd level 7. +* The "Best" compression ratio is roughly equivalent to zstd level 11. + +In terms of speed, it is typically 2x as fast as the stdlib deflate/gzip in its fastest mode. +The compression ratio compared to stdlib is around level 3, but usually 3x as fast. + + +### Usage + +An Encoder can be used for either compressing a stream via the +`io.WriteCloser` interface supported by the Encoder or as multiple independent +tasks via the `EncodeAll` function. +Smaller encodes are encouraged to use the EncodeAll function. +Use `NewWriter` to create a new instance that can be used for both. + +To create a writer with default options, do like this: + +```Go +// Compress input to output. +func Compress(in io.Reader, out io.Writer) error { + enc, err := zstd.NewWriter(out) + if err != nil { + return err + } + _, err = io.Copy(enc, in) + if err != nil { + enc.Close() + return err + } + return enc.Close() +} +``` + +Now you can encode by writing data to `enc`. The output will be finished writing when `Close()` is called. +Even if your encode fails, you should still call `Close()` to release any resources that may be held up. + +The above is fine for big encodes. However, whenever possible try to *reuse* the writer. + +To reuse the encoder, you can use the `Reset(io.Writer)` function to change to another output. +This will allow the encoder to reuse all resources and avoid wasteful allocations. + +Currently stream encoding has 'light' concurrency, meaning up to 2 goroutines can be working on part +of a stream. This is independent of the `WithEncoderConcurrency(n)`, but that is likely to change +in the future. So if you want to limit concurrency for future updates, specify the concurrency +you would like. + +If you would like stream encoding to be done without spawning async goroutines, use `WithEncoderConcurrency(1)` +which will compress input as each block is completed, blocking on writes until each has completed. + +You can specify your desired compression level using `WithEncoderLevel()` option. Currently only pre-defined +compression settings can be specified. + +#### Future Compatibility Guarantees + +This will be an evolving project. When using this package it is important to note that both the compression efficiency and speed may change. + +The goal will be to keep the default efficiency at the default zstd (level 3). +However the encoding should never be assumed to remain the same, +and you should not use hashes of compressed output for similarity checks. + +The Encoder can be assumed to produce the same output from the exact same code version. +However, the may be modes in the future that break this, +although they will not be enabled without an explicit option. + +This encoder is not designed to (and will probably never) output the exact same bitstream as the reference encoder. + +Also note, that the cgo decompressor currently does not [report all errors on invalid input](https://github.com/DataDog/zstd/issues/59), +[omits error checks](https://github.com/DataDog/zstd/issues/61), [ignores checksums](https://github.com/DataDog/zstd/issues/43) +and seems to ignore concatenated streams, even though [it is part of the spec](https://github.com/facebook/zstd/blob/dev/doc/zstd_compression_format.md#frames). + +#### Blocks + +For compressing small blocks, the returned encoder has a function called `EncodeAll(src, dst []byte) []byte`. + +`EncodeAll` will encode all input in src and append it to dst. +This function can be called concurrently. +Each call will only run on a same goroutine as the caller. + +Encoded blocks can be concatenated and the result will be the combined input stream. +Data compressed with EncodeAll can be decoded with the Decoder, using either a stream or `DecodeAll`. + +Especially when encoding blocks you should take special care to reuse the encoder. +This will effectively make it run without allocations after a warmup period. +To make it run completely without allocations, supply a destination buffer with space for all content. + +```Go +import "github.com/klauspost/compress/zstd" + +// Create a writer that caches compressors. +// For this operation type we supply a nil Reader. +var encoder, _ = zstd.NewWriter(nil) + +// Compress a buffer. +// If you have a destination buffer, the allocation in the call can also be eliminated. +func Compress(src []byte) []byte { + return encoder.EncodeAll(src, make([]byte, 0, len(src))) +} +``` + +You can control the maximum number of concurrent encodes using the `WithEncoderConcurrency(n)` +option when creating the writer. + +Using the Encoder for both a stream and individual blocks concurrently is safe. + +### Performance + +I have collected some speed examples to compare speed and compression against other compressors. + +* `file` is the input file. +* `out` is the compressor used. `zskp` is this package. `zstd` is the Datadog cgo library. `gzstd/gzkp` is gzip standard and this library. +* `level` is the compression level used. For `zskp` level 1 is "fastest", level 2 is "default"; 3 is "better", 4 is "best". +* `insize`/`outsize` is the input/output size. +* `millis` is the number of milliseconds used for compression. +* `mb/s` is megabytes (2^20 bytes) per second. + +``` +Silesia Corpus: +http://sun.aei.polsl.pl/~sdeor/corpus/silesia.zip + +This package: +file out level insize outsize millis mb/s +silesia.tar zskp 1 211947520 73821326 634 318.47 +silesia.tar zskp 2 211947520 67655404 1508 133.96 +silesia.tar zskp 3 211947520 64746933 3000 67.37 +silesia.tar zskp 4 211947520 60073508 16926 11.94 + +cgo zstd: +silesia.tar zstd 1 211947520 73605392 543 371.56 +silesia.tar zstd 3 211947520 66793289 864 233.68 +silesia.tar zstd 6 211947520 62916450 1913 105.66 +silesia.tar zstd 9 211947520 60212393 5063 39.92 + +gzip, stdlib/this package: +silesia.tar gzstd 1 211947520 80007735 1498 134.87 +silesia.tar gzkp 1 211947520 80088272 1009 200.31 + +GOB stream of binary data. Highly compressible. +https://files.klauspost.com/compress/gob-stream.7z + +file out level insize outsize millis mb/s +gob-stream zskp 1 1911399616 233948096 3230 564.34 +gob-stream zskp 2 1911399616 203997694 4997 364.73 +gob-stream zskp 3 1911399616 173526523 13435 135.68 +gob-stream zskp 4 1911399616 162195235 47559 38.33 + +gob-stream zstd 1 1911399616 249810424 2637 691.26 +gob-stream zstd 3 1911399616 208192146 3490 522.31 +gob-stream zstd 6 1911399616 193632038 6687 272.56 +gob-stream zstd 9 1911399616 177620386 16175 112.70 + +gob-stream gzstd 1 1911399616 357382013 9046 201.49 +gob-stream gzkp 1 1911399616 359136669 4885 373.08 + +The test data for the Large Text Compression Benchmark is the first +10^9 bytes of the English Wikipedia dump on Mar. 3, 2006. +http://mattmahoney.net/dc/textdata.html + +file out level insize outsize millis mb/s +enwik9 zskp 1 1000000000 343833605 3687 258.64 +enwik9 zskp 2 1000000000 317001237 7672 124.29 +enwik9 zskp 3 1000000000 291915823 15923 59.89 +enwik9 zskp 4 1000000000 261710291 77697 12.27 + +enwik9 zstd 1 1000000000 358072021 3110 306.65 +enwik9 zstd 3 1000000000 313734672 4784 199.35 +enwik9 zstd 6 1000000000 295138875 10290 92.68 +enwik9 zstd 9 1000000000 278348700 28549 33.40 + +enwik9 gzstd 1 1000000000 382578136 8608 110.78 +enwik9 gzkp 1 1000000000 382781160 5628 169.45 + +Highly compressible JSON file. +https://files.klauspost.com/compress/github-june-2days-2019.json.zst + +file out level insize outsize millis mb/s +github-june-2days-2019.json zskp 1 6273951764 697439532 9789 611.17 +github-june-2days-2019.json zskp 2 6273951764 610876538 18553 322.49 +github-june-2days-2019.json zskp 3 6273951764 517662858 44186 135.41 +github-june-2days-2019.json zskp 4 6273951764 464617114 165373 36.18 + +github-june-2days-2019.json zstd 1 6273951764 766284037 8450 708.00 +github-june-2days-2019.json zstd 3 6273951764 661889476 10927 547.57 +github-june-2days-2019.json zstd 6 6273951764 642756859 22996 260.18 +github-june-2days-2019.json zstd 9 6273951764 601974523 52413 114.16 + +github-june-2days-2019.json gzstd 1 6273951764 1164397768 26793 223.32 +github-june-2days-2019.json gzkp 1 6273951764 1120631856 17693 338.16 + +VM Image, Linux mint with a few installed applications: +https://files.klauspost.com/compress/rawstudio-mint14.7z + +file out level insize outsize millis mb/s +rawstudio-mint14.tar zskp 1 8558382592 3718400221 18206 448.29 +rawstudio-mint14.tar zskp 2 8558382592 3326118337 37074 220.15 +rawstudio-mint14.tar zskp 3 8558382592 3163842361 87306 93.49 +rawstudio-mint14.tar zskp 4 8558382592 2970480650 783862 10.41 + +rawstudio-mint14.tar zstd 1 8558382592 3609250104 17136 476.27 +rawstudio-mint14.tar zstd 3 8558382592 3341679997 29262 278.92 +rawstudio-mint14.tar zstd 6 8558382592 3235846406 77904 104.77 +rawstudio-mint14.tar zstd 9 8558382592 3160778861 140946 57.91 + +rawstudio-mint14.tar gzstd 1 8558382592 3926234992 51345 158.96 +rawstudio-mint14.tar gzkp 1 8558382592 3960117298 36722 222.26 + +CSV data: +https://files.klauspost.com/compress/nyc-taxi-data-10M.csv.zst + +file out level insize outsize millis mb/s +nyc-taxi-data-10M.csv zskp 1 3325605752 641319332 9462 335.17 +nyc-taxi-data-10M.csv zskp 2 3325605752 588976126 17570 180.50 +nyc-taxi-data-10M.csv zskp 3 3325605752 529329260 32432 97.79 +nyc-taxi-data-10M.csv zskp 4 3325605752 474949772 138025 22.98 + +nyc-taxi-data-10M.csv zstd 1 3325605752 687399637 8233 385.18 +nyc-taxi-data-10M.csv zstd 3 3325605752 598514411 10065 315.07 +nyc-taxi-data-10M.csv zstd 6 3325605752 570522953 20038 158.27 +nyc-taxi-data-10M.csv zstd 9 3325605752 517554797 64565 49.12 + +nyc-taxi-data-10M.csv gzstd 1 3325605752 928654908 21270 149.11 +nyc-taxi-data-10M.csv gzkp 1 3325605752 922273214 13929 227.68 +``` + +## Decompressor + +Status: STABLE - there may still be subtle bugs, but a wide variety of content has been tested. + +This library is being continuously [fuzz-tested](https://github.com/klauspost/compress-fuzz), +kindly supplied by [fuzzit.dev](https://fuzzit.dev/). +The main purpose of the fuzz testing is to ensure that it is not possible to crash the decoder, +or run it past its limits with ANY input provided. + +### Usage + +The package has been designed for two main usages, big streams of data and smaller in-memory buffers. +There are two main usages of the package for these. Both of them are accessed by creating a `Decoder`. + +For streaming use a simple setup could look like this: + +```Go +import "github.com/klauspost/compress/zstd" + +func Decompress(in io.Reader, out io.Writer) error { + d, err := zstd.NewReader(in) + if err != nil { + return err + } + defer d.Close() + + // Copy content... + _, err = io.Copy(out, d) + return err +} +``` + +It is important to use the "Close" function when you no longer need the Reader to stop running goroutines, +when running with default settings. +Goroutines will exit once an error has been returned, including `io.EOF` at the end of a stream. + +Streams are decoded concurrently in 4 asynchronous stages to give the best possible throughput. +However, if you prefer synchronous decompression, use `WithDecoderConcurrency(1)` which will decompress data +as it is being requested only. + +For decoding buffers, it could look something like this: + +```Go +import "github.com/klauspost/compress/zstd" + +// Create a reader that caches decompressors. +// For this operation type we supply a nil Reader. +var decoder, _ = zstd.NewReader(nil, zstd.WithDecoderConcurrency(0)) + +// Decompress a buffer. We don't supply a destination buffer, +// so it will be allocated by the decoder. +func Decompress(src []byte) ([]byte, error) { + return decoder.DecodeAll(src, nil) +} +``` + +Both of these cases should provide the functionality needed. +The decoder can be used for *concurrent* decompression of multiple buffers. +By default 4 decompressors will be created. + +It will only allow a certain number of concurrent operations to run. +To tweak that yourself use the `WithDecoderConcurrency(n)` option when creating the decoder. +It is possible to use `WithDecoderConcurrency(0)` to create GOMAXPROCS decoders. + +### Dictionaries + +Data compressed with [dictionaries](https://github.com/facebook/zstd#the-case-for-small-data-compression) can be decompressed. + +Dictionaries are added individually to Decoders. +Dictionaries are generated by the `zstd --train` command and contains an initial state for the decoder. +To add a dictionary use the `WithDecoderDicts(dicts ...[]byte)` option with the dictionary data. +Several dictionaries can be added at once. + +The dictionary will be used automatically for the data that specifies them. +A re-used Decoder will still contain the dictionaries registered. + +When registering multiple dictionaries with the same ID, the last one will be used. + +It is possible to use dictionaries when compressing data. + +To enable a dictionary use `WithEncoderDict(dict []byte)`. Here only one dictionary will be used +and it will likely be used even if it doesn't improve compression. + +The used dictionary must be used to decompress the content. + +For any real gains, the dictionary should be built with similar data. +If an unsuitable dictionary is used the output may be slightly larger than using no dictionary. +Use the [zstd commandline tool](https://github.com/facebook/zstd/releases) to build a dictionary from sample data. +For information see [zstd dictionary information](https://github.com/facebook/zstd#the-case-for-small-data-compression). + +For now there is a fixed startup performance penalty for compressing content with dictionaries. +This will likely be improved over time. Just be aware to test performance when implementing. + +### Allocation-less operation + +The decoder has been designed to operate without allocations after a warmup. + +This means that you should *store* the decoder for best performance. +To re-use a stream decoder, use the `Reset(r io.Reader) error` to switch to another stream. +A decoder can safely be re-used even if the previous stream failed. + +To release the resources, you must call the `Close()` function on a decoder. +After this it can *no longer be reused*, but all running goroutines will be stopped. +So you *must* use this if you will no longer need the Reader. + +For decompressing smaller buffers a single decoder can be used. +When decoding buffers, you can supply a destination slice with length 0 and your expected capacity. +In this case no unneeded allocations should be made. + +### Concurrency + +The buffer decoder does everything on the same goroutine and does nothing concurrently. +It can however decode several buffers concurrently. Use `WithDecoderConcurrency(n)` to limit that. + +The stream decoder will create goroutines that: + +1) Reads input and splits the input into blocks. +2) Decompression of literals. +3) Decompression of sequences. +4) Reconstruction of output stream. + +So effectively this also means the decoder will "read ahead" and prepare data to always be available for output. + +The concurrency level will, for streams, determine how many blocks ahead the compression will start. + +Since "blocks" are quite dependent on the output of the previous block stream decoding will only have limited concurrency. + +In practice this means that concurrency is often limited to utilizing about 3 cores effectively. + +### Benchmarks + +The first two are streaming decodes and the last are smaller inputs. + +Running on AMD Ryzen 9 3950X 16-Core Processor. AMD64 assembly used. + +``` +BenchmarkDecoderSilesia-32 5 206878840 ns/op 1024.50 MB/s 49808 B/op 43 allocs/op +BenchmarkDecoderEnwik9-32 1 1271809000 ns/op 786.28 MB/s 72048 B/op 52 allocs/op + +Concurrent blocks, performance: + +BenchmarkDecoder_DecodeAllParallel/kppkn.gtb.zst-32 67356 17857 ns/op 10321.96 MB/s 22.48 pct 102 B/op 0 allocs/op +BenchmarkDecoder_DecodeAllParallel/geo.protodata.zst-32 266656 4421 ns/op 26823.21 MB/s 11.89 pct 19 B/op 0 allocs/op +BenchmarkDecoder_DecodeAllParallel/plrabn12.txt.zst-32 20992 56842 ns/op 8477.17 MB/s 39.90 pct 754 B/op 0 allocs/op +BenchmarkDecoder_DecodeAllParallel/lcet10.txt.zst-32 27456 43932 ns/op 9714.01 MB/s 33.27 pct 524 B/op 0 allocs/op +BenchmarkDecoder_DecodeAllParallel/asyoulik.txt.zst-32 78432 15047 ns/op 8319.15 MB/s 40.34 pct 66 B/op 0 allocs/op +BenchmarkDecoder_DecodeAllParallel/alice29.txt.zst-32 65800 18436 ns/op 8249.63 MB/s 37.75 pct 88 B/op 0 allocs/op +BenchmarkDecoder_DecodeAllParallel/html_x_4.zst-32 102993 11523 ns/op 35546.09 MB/s 3.637 pct 143 B/op 0 allocs/op +BenchmarkDecoder_DecodeAllParallel/paper-100k.pdf.zst-32 1000000 1070 ns/op 95720.98 MB/s 80.53 pct 3 B/op 0 allocs/op +BenchmarkDecoder_DecodeAllParallel/fireworks.jpeg.zst-32 749802 1752 ns/op 70272.35 MB/s 100.0 pct 5 B/op 0 allocs/op +BenchmarkDecoder_DecodeAllParallel/urls.10K.zst-32 22640 52934 ns/op 13263.37 MB/s 26.25 pct 1014 B/op 0 allocs/op +BenchmarkDecoder_DecodeAllParallel/html.zst-32 226412 5232 ns/op 19572.27 MB/s 14.49 pct 20 B/op 0 allocs/op +BenchmarkDecoder_DecodeAllParallel/comp-data.bin.zst-32 923041 1276 ns/op 3194.71 MB/s 31.26 pct 0 B/op 0 allocs/op +``` + +This reflects the performance around May 2022, but this may be out of date. + +## Zstd inside ZIP files + +It is possible to use zstandard to compress individual files inside zip archives. +While this isn't widely supported it can be useful for internal files. + +To support the compression and decompression of these files you must register a compressor and decompressor. + +It is highly recommended registering the (de)compressors on individual zip Reader/Writer and NOT +use the global registration functions. The main reason for this is that 2 registrations from +different packages will result in a panic. + +It is a good idea to only have a single compressor and decompressor, since they can be used for multiple zip +files concurrently, and using a single instance will allow reusing some resources. + +See [this example](https://pkg.go.dev/github.com/klauspost/compress/zstd#example-ZipCompressor) for +how to compress and decompress files inside zip archives. + +# Contributions + +Contributions are always welcome. +For new features/fixes, remember to add tests and for performance enhancements include benchmarks. + +For general feedback and experience reports, feel free to open an issue or write me on [Twitter](https://twitter.com/sh0dan). + +This package includes the excellent [`github.com/cespare/xxhash`](https://github.com/cespare/xxhash) package Copyright (c) 2016 Caleb Spare. diff --git a/vendor/github.com/klauspost/compress/zstd/bitreader.go b/vendor/github.com/klauspost/compress/zstd/bitreader.go new file mode 100644 index 0000000000..d41e3e1709 --- /dev/null +++ b/vendor/github.com/klauspost/compress/zstd/bitreader.go @@ -0,0 +1,135 @@ +// Copyright 2019+ Klaus Post. All rights reserved. +// License information can be found in the LICENSE file. +// Based on work by Yann Collet, released under BSD License. + +package zstd + +import ( + "errors" + "fmt" + "io" + "math/bits" + + "github.com/klauspost/compress/internal/le" +) + +// bitReader reads a bitstream in reverse. +// The last set bit indicates the start of the stream and is used +// for aligning the input. +type bitReader struct { + in []byte + value uint64 // Maybe use [16]byte, but shifting is awkward. + cursor int // offset where next read should end + bitsRead uint8 +} + +// init initializes and resets the bit reader. +func (b *bitReader) init(in []byte) error { + if len(in) < 1 { + return errors.New("corrupt stream: too short") + } + b.in = in + // The highest bit of the last byte indicates where to start + v := in[len(in)-1] + if v == 0 { + return errors.New("corrupt stream, did not find end of stream") + } + b.cursor = len(in) + b.bitsRead = 64 + b.value = 0 + if len(in) >= 8 { + b.fillFastStart() + } else { + b.fill() + b.fill() + } + b.bitsRead += 8 - uint8(highBits(uint32(v))) + return nil +} + +// getBits will return n bits. n can be 0. +func (b *bitReader) getBits(n uint8) int { + if n == 0 /*|| b.bitsRead >= 64 */ { + return 0 + } + return int(b.get32BitsFast(n)) +} + +// get32BitsFast requires that at least one bit is requested every time. +// There are no checks if the buffer is filled. +func (b *bitReader) get32BitsFast(n uint8) uint32 { + const regMask = 64 - 1 + v := uint32((b.value << (b.bitsRead & regMask)) >> ((regMask + 1 - n) & regMask)) + b.bitsRead += n + return v +} + +// fillFast() will make sure at least 32 bits are available. +// There must be at least 4 bytes available. +func (b *bitReader) fillFast() { + if b.bitsRead < 32 { + return + } + b.cursor -= 4 + b.value = (b.value << 32) | uint64(le.Load32(b.in, b.cursor)) + b.bitsRead -= 32 +} + +// fillFastStart() assumes the bitreader is empty and there is at least 8 bytes to read. +func (b *bitReader) fillFastStart() { + b.cursor -= 8 + b.value = le.Load64(b.in, b.cursor) + b.bitsRead = 0 +} + +// fill() will make sure at least 32 bits are available. +func (b *bitReader) fill() { + if b.bitsRead < 32 { + return + } + if b.cursor >= 4 { + b.cursor -= 4 + b.value = (b.value << 32) | uint64(le.Load32(b.in, b.cursor)) + b.bitsRead -= 32 + return + } + + b.bitsRead -= uint8(8 * b.cursor) + for b.cursor > 0 { + b.cursor -= 1 + b.value = (b.value << 8) | uint64(b.in[b.cursor]) + } +} + +// finished returns true if all bits have been read from the bit stream. +func (b *bitReader) finished() bool { + return b.cursor == 0 && b.bitsRead >= 64 +} + +// overread returns true if more bits have been requested than is on the stream. +func (b *bitReader) overread() bool { + return b.bitsRead > 64 +} + +// remain returns the number of bits remaining. +func (b *bitReader) remain() uint { + return 8*uint(b.cursor) + 64 - uint(b.bitsRead) +} + +// close the bitstream and returns an error if out-of-buffer reads occurred. +func (b *bitReader) close() error { + // Release reference. + b.in = nil + b.cursor = 0 + if !b.finished() { + return fmt.Errorf("%d extra bits on block, should be 0", b.remain()) + } + if b.bitsRead > 64 { + return io.ErrUnexpectedEOF + } + return nil +} + +func highBits(val uint32) (n uint32) { + return uint32(bits.Len32(val) - 1) +} diff --git a/vendor/github.com/klauspost/compress/zstd/bitwriter.go b/vendor/github.com/klauspost/compress/zstd/bitwriter.go new file mode 100644 index 0000000000..1952f175b0 --- /dev/null +++ b/vendor/github.com/klauspost/compress/zstd/bitwriter.go @@ -0,0 +1,112 @@ +// Copyright 2018 Klaus Post. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. +// Based on work Copyright (c) 2013, Yann Collet, released under BSD License. + +package zstd + +// bitWriter will write bits. +// First bit will be LSB of the first byte of output. +type bitWriter struct { + bitContainer uint64 + nBits uint8 + out []byte +} + +// bitMask16 is bitmasks. Has extra to avoid bounds check. +var bitMask16 = [32]uint16{ + 0, 1, 3, 7, 0xF, 0x1F, + 0x3F, 0x7F, 0xFF, 0x1FF, 0x3FF, 0x7FF, + 0xFFF, 0x1FFF, 0x3FFF, 0x7FFF, 0xFFFF, 0xFFFF, + 0xFFFF, 0xFFFF, 0xFFFF, 0xFFFF, 0xFFFF, 0xFFFF, + 0xFFFF, 0xFFFF} /* up to 16 bits */ + +var bitMask32 = [32]uint32{ + 0, 1, 3, 7, 0xF, 0x1F, 0x3F, 0x7F, 0xFF, + 0x1FF, 0x3FF, 0x7FF, 0xFFF, 0x1FFF, 0x3FFF, 0x7FFF, 0xFFFF, + 0x1ffff, 0x3ffff, 0x7FFFF, 0xfFFFF, 0x1fFFFF, 0x3fFFFF, 0x7fFFFF, 0xffFFFF, + 0x1ffFFFF, 0x3ffFFFF, 0x7ffFFFF, 0xfffFFFF, 0x1fffFFFF, 0x3fffFFFF, 0x7fffFFFF, +} // up to 32 bits + +// addBits16NC will add up to 16 bits. +// It will not check if there is space for them, +// so the caller must ensure that it has flushed recently. +func (b *bitWriter) addBits16NC(value uint16, bits uint8) { + b.bitContainer |= uint64(value&bitMask16[bits&31]) << (b.nBits & 63) + b.nBits += bits +} + +// addBits32NC will add up to 31 bits. +// It will not check if there is space for them, +// so the caller must ensure that it has flushed recently. +func (b *bitWriter) addBits32NC(value uint32, bits uint8) { + b.bitContainer |= uint64(value&bitMask32[bits&31]) << (b.nBits & 63) + b.nBits += bits +} + +// addBits64NC will add up to 64 bits. +// There must be space for 32 bits. +func (b *bitWriter) addBits64NC(value uint64, bits uint8) { + if bits <= 31 { + b.addBits32Clean(uint32(value), bits) + return + } + b.addBits32Clean(uint32(value), 32) + b.flush32() + b.addBits32Clean(uint32(value>>32), bits-32) +} + +// addBits32Clean will add up to 32 bits. +// It will not check if there is space for them. +// The input must not contain more bits than specified. +func (b *bitWriter) addBits32Clean(value uint32, bits uint8) { + b.bitContainer |= uint64(value) << (b.nBits & 63) + b.nBits += bits +} + +// addBits16Clean will add up to 16 bits. value may not contain more set bits than indicated. +// It will not check if there is space for them, so the caller must ensure that it has flushed recently. +func (b *bitWriter) addBits16Clean(value uint16, bits uint8) { + b.bitContainer |= uint64(value) << (b.nBits & 63) + b.nBits += bits +} + +// flush32 will flush out, so there are at least 32 bits available for writing. +func (b *bitWriter) flush32() { + if b.nBits < 32 { + return + } + b.out = append(b.out, + byte(b.bitContainer), + byte(b.bitContainer>>8), + byte(b.bitContainer>>16), + byte(b.bitContainer>>24)) + b.nBits -= 32 + b.bitContainer >>= 32 +} + +// flushAlign will flush remaining full bytes and align to next byte boundary. +func (b *bitWriter) flushAlign() { + nbBytes := (b.nBits + 7) >> 3 + for i := uint8(0); i < nbBytes; i++ { + b.out = append(b.out, byte(b.bitContainer>>(i*8))) + } + b.nBits = 0 + b.bitContainer = 0 +} + +// close will write the alignment bit and write the final byte(s) +// to the output. +func (b *bitWriter) close() { + // End mark + b.addBits16Clean(1, 1) + // flush until next byte. + b.flushAlign() +} + +// reset and continue writing by appending to out. +func (b *bitWriter) reset(out []byte) { + b.bitContainer = 0 + b.nBits = 0 + b.out = out +} diff --git a/vendor/github.com/klauspost/compress/zstd/blockdec.go b/vendor/github.com/klauspost/compress/zstd/blockdec.go new file mode 100644 index 0000000000..0dd742fd2a --- /dev/null +++ b/vendor/github.com/klauspost/compress/zstd/blockdec.go @@ -0,0 +1,712 @@ +// Copyright 2019+ Klaus Post. All rights reserved. +// License information can be found in the LICENSE file. +// Based on work by Yann Collet, released under BSD License. + +package zstd + +import ( + "errors" + "fmt" + "hash/crc32" + "io" + "sync" + + "github.com/klauspost/compress/huff0" + "github.com/klauspost/compress/zstd/internal/xxhash" +) + +type blockType uint8 + +//go:generate stringer -type=blockType,literalsBlockType,seqCompMode,tableIndex + +const ( + blockTypeRaw blockType = iota + blockTypeRLE + blockTypeCompressed + blockTypeReserved +) + +type literalsBlockType uint8 + +const ( + literalsBlockRaw literalsBlockType = iota + literalsBlockRLE + literalsBlockCompressed + literalsBlockTreeless +) + +const ( + // maxCompressedBlockSize is the biggest allowed compressed block size (128KB) + maxCompressedBlockSize = 128 << 10 + + compressedBlockOverAlloc = 16 + maxCompressedBlockSizeAlloc = 128<<10 + compressedBlockOverAlloc + + // Maximum possible block size (all Raw+Uncompressed). + maxBlockSize = (1 << 21) - 1 + + maxMatchLen = 131074 + maxSequences = 0x7f00 + 0xffff + + // We support slightly less than the reference decoder to be able to + // use ints on 32 bit archs. + maxOffsetBits = 30 +) + +var ( + huffDecoderPool = sync.Pool{New: func() interface{} { + return &huff0.Scratch{} + }} + + fseDecoderPool = sync.Pool{New: func() interface{} { + return &fseDecoder{} + }} +) + +type blockDec struct { + // Raw source data of the block. + data []byte + dataStorage []byte + + // Destination of the decoded data. + dst []byte + + // Buffer for literals data. + literalBuf []byte + + // Window size of the block. + WindowSize uint64 + + err error + + // Check against this crc, if hasCRC is true. + checkCRC uint32 + hasCRC bool + + // Frame to use for singlethreaded decoding. + // Should not be used by the decoder itself since parent may be another frame. + localFrame *frameDec + + sequence []seqVals + + async struct { + newHist *history + literals []byte + seqData []byte + seqSize int // Size of uncompressed sequences + fcs uint64 + } + + // Block is RLE, this is the size. + RLESize uint32 + + Type blockType + + // Is this the last block of a frame? + Last bool + + // Use less memory + lowMem bool +} + +func (b *blockDec) String() string { + if b == nil { + return "" + } + return fmt.Sprintf("Steam Size: %d, Type: %v, Last: %t, Window: %d", len(b.data), b.Type, b.Last, b.WindowSize) +} + +func newBlockDec(lowMem bool) *blockDec { + b := blockDec{ + lowMem: lowMem, + } + return &b +} + +// reset will reset the block. +// Input must be a start of a block and will be at the end of the block when returned. +func (b *blockDec) reset(br byteBuffer, windowSize uint64) error { + b.WindowSize = windowSize + tmp, err := br.readSmall(3) + if err != nil { + println("Reading block header:", err) + return err + } + bh := uint32(tmp[0]) | (uint32(tmp[1]) << 8) | (uint32(tmp[2]) << 16) + b.Last = bh&1 != 0 + b.Type = blockType((bh >> 1) & 3) + // find size. + cSize := int(bh >> 3) + maxSize := maxCompressedBlockSizeAlloc + switch b.Type { + case blockTypeReserved: + return ErrReservedBlockType + case blockTypeRLE: + if cSize > maxCompressedBlockSize || cSize > int(b.WindowSize) { + if debugDecoder { + printf("rle block too big: csize:%d block: %+v\n", uint64(cSize), b) + } + return ErrWindowSizeExceeded + } + b.RLESize = uint32(cSize) + if b.lowMem { + maxSize = cSize + } + cSize = 1 + case blockTypeCompressed: + if debugDecoder { + println("Data size on stream:", cSize) + } + b.RLESize = 0 + maxSize = maxCompressedBlockSizeAlloc + if windowSize < maxCompressedBlockSize && b.lowMem { + maxSize = int(windowSize) + compressedBlockOverAlloc + } + if cSize > maxCompressedBlockSize || uint64(cSize) > b.WindowSize { + if debugDecoder { + printf("compressed block too big: csize:%d block: %+v\n", uint64(cSize), b) + } + return ErrCompressedSizeTooBig + } + // Empty compressed blocks must at least be 2 bytes + // for Literals_Block_Type and one for Sequences_Section_Header. + if cSize < 2 { + return ErrBlockTooSmall + } + case blockTypeRaw: + if cSize > maxCompressedBlockSize || cSize > int(b.WindowSize) { + if debugDecoder { + printf("rle block too big: csize:%d block: %+v\n", uint64(cSize), b) + } + return ErrWindowSizeExceeded + } + + b.RLESize = 0 + // We do not need a destination for raw blocks. + maxSize = -1 + default: + panic("Invalid block type") + } + + // Read block data. + if _, ok := br.(*byteBuf); !ok && cap(b.dataStorage) < cSize { + // byteBuf doesn't need a destination buffer. + if b.lowMem || cSize > maxCompressedBlockSize { + b.dataStorage = make([]byte, 0, cSize+compressedBlockOverAlloc) + } else { + b.dataStorage = make([]byte, 0, maxCompressedBlockSizeAlloc) + } + } + b.data, err = br.readBig(cSize, b.dataStorage) + if err != nil { + if debugDecoder { + println("Reading block:", err, "(", cSize, ")", len(b.data)) + printf("%T", br) + } + return err + } + if cap(b.dst) <= maxSize { + b.dst = make([]byte, 0, maxSize+1) + } + return nil +} + +// sendEOF will make the decoder send EOF on this frame. +func (b *blockDec) sendErr(err error) { + b.Last = true + b.Type = blockTypeReserved + b.err = err +} + +// Close will release resources. +// Closed blockDec cannot be reset. +func (b *blockDec) Close() { +} + +// decodeBuf +func (b *blockDec) decodeBuf(hist *history) error { + switch b.Type { + case blockTypeRLE: + if cap(b.dst) < int(b.RLESize) { + if b.lowMem { + b.dst = make([]byte, b.RLESize) + } else { + b.dst = make([]byte, maxCompressedBlockSize) + } + } + b.dst = b.dst[:b.RLESize] + v := b.data[0] + for i := range b.dst { + b.dst[i] = v + } + hist.appendKeep(b.dst) + return nil + case blockTypeRaw: + hist.appendKeep(b.data) + return nil + case blockTypeCompressed: + saved := b.dst + // Append directly to history + if hist.ignoreBuffer == 0 { + b.dst = hist.b + hist.b = nil + } else { + b.dst = b.dst[:0] + } + err := b.decodeCompressed(hist) + if debugDecoder { + println("Decompressed to total", len(b.dst), "bytes, hash:", xxhash.Sum64(b.dst), "error:", err) + } + if hist.ignoreBuffer == 0 { + hist.b = b.dst + b.dst = saved + } else { + hist.appendKeep(b.dst) + } + return err + case blockTypeReserved: + // Used for returning errors. + return b.err + default: + panic("Invalid block type") + } +} + +func (b *blockDec) decodeLiterals(in []byte, hist *history) (remain []byte, err error) { + // There must be at least one byte for Literals_Block_Type and one for Sequences_Section_Header + if len(in) < 2 { + return in, ErrBlockTooSmall + } + + litType := literalsBlockType(in[0] & 3) + var litRegenSize int + var litCompSize int + sizeFormat := (in[0] >> 2) & 3 + var fourStreams bool + var literals []byte + switch litType { + case literalsBlockRaw, literalsBlockRLE: + switch sizeFormat { + case 0, 2: + // Regenerated_Size uses 5 bits (0-31). Literals_Section_Header uses 1 byte. + litRegenSize = int(in[0] >> 3) + in = in[1:] + case 1: + // Regenerated_Size uses 12 bits (0-4095). Literals_Section_Header uses 2 bytes. + litRegenSize = int(in[0]>>4) + (int(in[1]) << 4) + in = in[2:] + case 3: + // Regenerated_Size uses 20 bits (0-1048575). Literals_Section_Header uses 3 bytes. + if len(in) < 3 { + println("too small: litType:", litType, " sizeFormat", sizeFormat, len(in)) + return in, ErrBlockTooSmall + } + litRegenSize = int(in[0]>>4) + (int(in[1]) << 4) + (int(in[2]) << 12) + in = in[3:] + } + case literalsBlockCompressed, literalsBlockTreeless: + switch sizeFormat { + case 0, 1: + // Both Regenerated_Size and Compressed_Size use 10 bits (0-1023). + if len(in) < 3 { + println("too small: litType:", litType, " sizeFormat", sizeFormat, len(in)) + return in, ErrBlockTooSmall + } + n := uint64(in[0]>>4) + (uint64(in[1]) << 4) + (uint64(in[2]) << 12) + litRegenSize = int(n & 1023) + litCompSize = int(n >> 10) + fourStreams = sizeFormat == 1 + in = in[3:] + case 2: + fourStreams = true + if len(in) < 4 { + println("too small: litType:", litType, " sizeFormat", sizeFormat, len(in)) + return in, ErrBlockTooSmall + } + n := uint64(in[0]>>4) + (uint64(in[1]) << 4) + (uint64(in[2]) << 12) + (uint64(in[3]) << 20) + litRegenSize = int(n & 16383) + litCompSize = int(n >> 14) + in = in[4:] + case 3: + fourStreams = true + if len(in) < 5 { + println("too small: litType:", litType, " sizeFormat", sizeFormat, len(in)) + return in, ErrBlockTooSmall + } + n := uint64(in[0]>>4) + (uint64(in[1]) << 4) + (uint64(in[2]) << 12) + (uint64(in[3]) << 20) + (uint64(in[4]) << 28) + litRegenSize = int(n & 262143) + litCompSize = int(n >> 18) + in = in[5:] + } + } + if debugDecoder { + println("literals type:", litType, "litRegenSize:", litRegenSize, "litCompSize:", litCompSize, "sizeFormat:", sizeFormat, "4X:", fourStreams) + } + if litRegenSize > int(b.WindowSize) || litRegenSize > maxCompressedBlockSize { + return in, ErrWindowSizeExceeded + } + + switch litType { + case literalsBlockRaw: + if len(in) < litRegenSize { + println("too small: litType:", litType, " sizeFormat", sizeFormat, "remain:", len(in), "want:", litRegenSize) + return in, ErrBlockTooSmall + } + literals = in[:litRegenSize] + in = in[litRegenSize:] + //printf("Found %d uncompressed literals\n", litRegenSize) + case literalsBlockRLE: + if len(in) < 1 { + println("too small: litType:", litType, " sizeFormat", sizeFormat, "remain:", len(in), "want:", 1) + return in, ErrBlockTooSmall + } + if cap(b.literalBuf) < litRegenSize { + if b.lowMem { + b.literalBuf = make([]byte, litRegenSize, litRegenSize+compressedBlockOverAlloc) + } else { + b.literalBuf = make([]byte, litRegenSize, maxCompressedBlockSize+compressedBlockOverAlloc) + } + } + literals = b.literalBuf[:litRegenSize] + v := in[0] + for i := range literals { + literals[i] = v + } + in = in[1:] + if debugDecoder { + printf("Found %d RLE compressed literals\n", litRegenSize) + } + case literalsBlockTreeless: + if len(in) < litCompSize { + println("too small: litType:", litType, " sizeFormat", sizeFormat, "remain:", len(in), "want:", litCompSize) + return in, ErrBlockTooSmall + } + // Store compressed literals, so we defer decoding until we get history. + literals = in[:litCompSize] + in = in[litCompSize:] + if debugDecoder { + printf("Found %d compressed literals\n", litCompSize) + } + huff := hist.huffTree + if huff == nil { + return in, errors.New("literal block was treeless, but no history was defined") + } + // Ensure we have space to store it. + if cap(b.literalBuf) < litRegenSize { + if b.lowMem { + b.literalBuf = make([]byte, 0, litRegenSize+compressedBlockOverAlloc) + } else { + b.literalBuf = make([]byte, 0, maxCompressedBlockSize+compressedBlockOverAlloc) + } + } + var err error + // Use our out buffer. + huff.MaxDecodedSize = litRegenSize + if fourStreams { + literals, err = huff.Decoder().Decompress4X(b.literalBuf[:0:litRegenSize], literals) + } else { + literals, err = huff.Decoder().Decompress1X(b.literalBuf[:0:litRegenSize], literals) + } + // Make sure we don't leak our literals buffer + if err != nil { + println("decompressing literals:", err) + return in, err + } + if len(literals) != litRegenSize { + return in, fmt.Errorf("literal output size mismatch want %d, got %d", litRegenSize, len(literals)) + } + + case literalsBlockCompressed: + if len(in) < litCompSize { + println("too small: litType:", litType, " sizeFormat", sizeFormat, "remain:", len(in), "want:", litCompSize) + return in, ErrBlockTooSmall + } + literals = in[:litCompSize] + in = in[litCompSize:] + // Ensure we have space to store it. + if cap(b.literalBuf) < litRegenSize { + if b.lowMem { + b.literalBuf = make([]byte, 0, litRegenSize+compressedBlockOverAlloc) + } else { + b.literalBuf = make([]byte, 0, maxCompressedBlockSize+compressedBlockOverAlloc) + } + } + huff := hist.huffTree + if huff == nil || (hist.dict != nil && huff == hist.dict.litEnc) { + huff = huffDecoderPool.Get().(*huff0.Scratch) + if huff == nil { + huff = &huff0.Scratch{} + } + } + var err error + if debugDecoder { + println("huff table input:", len(literals), "CRC:", crc32.ChecksumIEEE(literals)) + } + huff, literals, err = huff0.ReadTable(literals, huff) + if err != nil { + println("reading huffman table:", err) + return in, err + } + hist.huffTree = huff + huff.MaxDecodedSize = litRegenSize + // Use our out buffer. + if fourStreams { + literals, err = huff.Decoder().Decompress4X(b.literalBuf[:0:litRegenSize], literals) + } else { + literals, err = huff.Decoder().Decompress1X(b.literalBuf[:0:litRegenSize], literals) + } + if err != nil { + println("decoding compressed literals:", err) + return in, err + } + // Make sure we don't leak our literals buffer + if len(literals) != litRegenSize { + return in, fmt.Errorf("literal output size mismatch want %d, got %d", litRegenSize, len(literals)) + } + // Re-cap to get extra size. + literals = b.literalBuf[:len(literals)] + if debugDecoder { + printf("Decompressed %d literals into %d bytes\n", litCompSize, litRegenSize) + } + } + hist.decoders.literals = literals + return in, nil +} + +// decodeCompressed will start decompressing a block. +func (b *blockDec) decodeCompressed(hist *history) error { + in := b.data + in, err := b.decodeLiterals(in, hist) + if err != nil { + return err + } + err = b.prepareSequences(in, hist) + if err != nil { + return err + } + if hist.decoders.nSeqs == 0 { + b.dst = append(b.dst, hist.decoders.literals...) + return nil + } + before := len(hist.decoders.out) + err = hist.decoders.decodeSync(hist.b[hist.ignoreBuffer:]) + if err != nil { + return err + } + if hist.decoders.maxSyncLen > 0 { + hist.decoders.maxSyncLen += uint64(before) + hist.decoders.maxSyncLen -= uint64(len(hist.decoders.out)) + } + b.dst = hist.decoders.out + hist.recentOffsets = hist.decoders.prevOffset + return nil +} + +func (b *blockDec) prepareSequences(in []byte, hist *history) (err error) { + if debugDecoder { + printf("prepareSequences: %d byte(s) input\n", len(in)) + } + // Decode Sequences + // https://github.com/facebook/zstd/blob/dev/doc/zstd_compression_format.md#sequences-section + if len(in) < 1 { + return ErrBlockTooSmall + } + var nSeqs int + seqHeader := in[0] + switch { + case seqHeader < 128: + nSeqs = int(seqHeader) + in = in[1:] + case seqHeader < 255: + if len(in) < 2 { + return ErrBlockTooSmall + } + nSeqs = int(seqHeader-128)<<8 | int(in[1]) + in = in[2:] + case seqHeader == 255: + if len(in) < 3 { + return ErrBlockTooSmall + } + nSeqs = 0x7f00 + int(in[1]) + (int(in[2]) << 8) + in = in[3:] + } + if nSeqs == 0 && len(in) != 0 { + // When no sequences, there should not be any more data... + if debugDecoder { + printf("prepareSequences: 0 sequences, but %d byte(s) left on stream\n", len(in)) + } + return ErrUnexpectedBlockSize + } + + var seqs = &hist.decoders + seqs.nSeqs = nSeqs + if nSeqs > 0 { + if len(in) < 1 { + return ErrBlockTooSmall + } + br := byteReader{b: in, off: 0} + compMode := br.Uint8() + br.advance(1) + if debugDecoder { + printf("Compression modes: 0b%b", compMode) + } + if compMode&3 != 0 { + return errors.New("corrupt block: reserved bits not zero") + } + for i := uint(0); i < 3; i++ { + mode := seqCompMode((compMode >> (6 - i*2)) & 3) + if debugDecoder { + println("Table", tableIndex(i), "is", mode) + } + var seq *sequenceDec + switch tableIndex(i) { + case tableLiteralLengths: + seq = &seqs.litLengths + case tableOffsets: + seq = &seqs.offsets + case tableMatchLengths: + seq = &seqs.matchLengths + default: + panic("unknown table") + } + switch mode { + case compModePredefined: + if seq.fse != nil && !seq.fse.preDefined { + fseDecoderPool.Put(seq.fse) + } + seq.fse = &fsePredef[i] + case compModeRLE: + if br.remain() < 1 { + return ErrBlockTooSmall + } + v := br.Uint8() + br.advance(1) + if seq.fse == nil || seq.fse.preDefined { + seq.fse = fseDecoderPool.Get().(*fseDecoder) + } + symb, err := decSymbolValue(v, symbolTableX[i]) + if err != nil { + printf("RLE Transform table (%v) error: %v", tableIndex(i), err) + return err + } + seq.fse.setRLE(symb) + if debugDecoder { + printf("RLE set to 0x%x, code: %v", symb, v) + } + case compModeFSE: + if debugDecoder { + println("Reading table for", tableIndex(i)) + } + if seq.fse == nil || seq.fse.preDefined { + seq.fse = fseDecoderPool.Get().(*fseDecoder) + } + err := seq.fse.readNCount(&br, uint16(maxTableSymbol[i])) + if err != nil { + println("Read table error:", err) + return err + } + err = seq.fse.transform(symbolTableX[i]) + if err != nil { + println("Transform table error:", err) + return err + } + if debugDecoder { + println("Read table ok", "symbolLen:", seq.fse.symbolLen) + } + case compModeRepeat: + seq.repeat = true + } + if br.overread() { + return io.ErrUnexpectedEOF + } + } + in = br.unread() + } + if debugDecoder { + println("Literals:", len(seqs.literals), "hash:", xxhash.Sum64(seqs.literals), "and", seqs.nSeqs, "sequences.") + } + + if nSeqs == 0 { + if len(b.sequence) > 0 { + b.sequence = b.sequence[:0] + } + return nil + } + br := seqs.br + if br == nil { + br = &bitReader{} + } + if err := br.init(in); err != nil { + return err + } + + if err := seqs.initialize(br, hist, b.dst); err != nil { + println("initializing sequences:", err) + return err + } + + return nil +} + +func (b *blockDec) decodeSequences(hist *history) error { + if cap(b.sequence) < hist.decoders.nSeqs { + if b.lowMem { + b.sequence = make([]seqVals, 0, hist.decoders.nSeqs) + } else { + b.sequence = make([]seqVals, 0, 0x7F00+0xffff) + } + } + b.sequence = b.sequence[:hist.decoders.nSeqs] + if hist.decoders.nSeqs == 0 { + hist.decoders.seqSize = len(hist.decoders.literals) + return nil + } + hist.decoders.windowSize = hist.windowSize + hist.decoders.prevOffset = hist.recentOffsets + + err := hist.decoders.decode(b.sequence) + hist.recentOffsets = hist.decoders.prevOffset + return err +} + +func (b *blockDec) executeSequences(hist *history) error { + hbytes := hist.b + if len(hbytes) > hist.windowSize { + hbytes = hbytes[len(hbytes)-hist.windowSize:] + // We do not need history anymore. + if hist.dict != nil { + hist.dict.content = nil + } + } + hist.decoders.windowSize = hist.windowSize + hist.decoders.out = b.dst[:0] + err := hist.decoders.execute(b.sequence, hbytes) + if err != nil { + return err + } + return b.updateHistory(hist) +} + +func (b *blockDec) updateHistory(hist *history) error { + if len(b.data) > maxCompressedBlockSize { + return fmt.Errorf("compressed block size too large (%d)", len(b.data)) + } + // Set output and release references. + b.dst = hist.decoders.out + hist.recentOffsets = hist.decoders.prevOffset + + if b.Last { + // if last block we don't care about history. + println("Last block, no history returned") + hist.b = hist.b[:0] + return nil + } else { + hist.append(b.dst) + if debugDecoder { + println("Finished block with ", len(b.sequence), "sequences. Added", len(b.dst), "to history, now length", len(hist.b)) + } + } + hist.decoders.out, hist.decoders.literals = nil, nil + + return nil +} diff --git a/vendor/github.com/klauspost/compress/zstd/blockenc.go b/vendor/github.com/klauspost/compress/zstd/blockenc.go new file mode 100644 index 0000000000..fd35ea1480 --- /dev/null +++ b/vendor/github.com/klauspost/compress/zstd/blockenc.go @@ -0,0 +1,892 @@ +// Copyright 2019+ Klaus Post. All rights reserved. +// License information can be found in the LICENSE file. +// Based on work by Yann Collet, released under BSD License. + +package zstd + +import ( + "errors" + "fmt" + "math" + "math/bits" + "slices" + + "github.com/klauspost/compress/huff0" +) + +type blockEnc struct { + size int + literals []byte + sequences []seq + coders seqCoders + litEnc *huff0.Scratch + dictLitEnc *huff0.Scratch + wr bitWriter + + extraLits int + output []byte + recentOffsets [3]uint32 + prevRecentOffsets [3]uint32 + + last bool + lowMem bool +} + +// init should be used once the block has been created. +// If called more than once, the effect is the same as calling reset. +func (b *blockEnc) init() { + if b.lowMem { + // 1K literals + if cap(b.literals) < 1<<10 { + b.literals = make([]byte, 0, 1<<10) + } + const defSeqs = 20 + if cap(b.sequences) < defSeqs { + b.sequences = make([]seq, 0, defSeqs) + } + // 1K + if cap(b.output) < 1<<10 { + b.output = make([]byte, 0, 1<<10) + } + } else { + if cap(b.literals) < maxCompressedBlockSize { + b.literals = make([]byte, 0, maxCompressedBlockSize) + } + const defSeqs = 2000 + if cap(b.sequences) < defSeqs { + b.sequences = make([]seq, 0, defSeqs) + } + if cap(b.output) < maxCompressedBlockSize { + b.output = make([]byte, 0, maxCompressedBlockSize) + } + } + + if b.coders.mlEnc == nil { + b.coders.mlEnc = &fseEncoder{} + b.coders.mlPrev = &fseEncoder{} + b.coders.ofEnc = &fseEncoder{} + b.coders.ofPrev = &fseEncoder{} + b.coders.llEnc = &fseEncoder{} + b.coders.llPrev = &fseEncoder{} + } + b.litEnc = &huff0.Scratch{WantLogLess: 4} + b.reset(nil) +} + +// initNewEncode can be used to reset offsets and encoders to the initial state. +func (b *blockEnc) initNewEncode() { + b.recentOffsets = [3]uint32{1, 4, 8} + b.litEnc.Reuse = huff0.ReusePolicyNone + b.coders.setPrev(nil, nil, nil) +} + +// reset will reset the block for a new encode, but in the same stream, +// meaning that state will be carried over, but the block content is reset. +// If a previous block is provided, the recent offsets are carried over. +func (b *blockEnc) reset(prev *blockEnc) { + b.extraLits = 0 + b.literals = b.literals[:0] + b.size = 0 + b.sequences = b.sequences[:0] + b.output = b.output[:0] + b.last = false + if prev != nil { + b.recentOffsets = prev.prevRecentOffsets + } + b.dictLitEnc = nil +} + +// reset will reset the block for a new encode, but in the same stream, +// meaning that state will be carried over, but the block content is reset. +// If a previous block is provided, the recent offsets are carried over. +func (b *blockEnc) swapEncoders(prev *blockEnc) { + b.coders.swap(&prev.coders) + b.litEnc, prev.litEnc = prev.litEnc, b.litEnc +} + +// blockHeader contains the information for a block header. +type blockHeader uint32 + +// setLast sets the 'last' indicator on a block. +func (h *blockHeader) setLast(b bool) { + if b { + *h = *h | 1 + } else { + const mask = (1 << 24) - 2 + *h = *h & mask + } +} + +// setSize will store the compressed size of a block. +func (h *blockHeader) setSize(v uint32) { + const mask = 7 + *h = (*h)&mask | blockHeader(v<<3) +} + +// setType sets the block type. +func (h *blockHeader) setType(t blockType) { + const mask = 1 | (((1 << 24) - 1) ^ 7) + *h = (*h & mask) | blockHeader(t<<1) +} + +// appendTo will append the block header to a slice. +func (h blockHeader) appendTo(b []byte) []byte { + return append(b, uint8(h), uint8(h>>8), uint8(h>>16)) +} + +// String returns a string representation of the block. +func (h blockHeader) String() string { + return fmt.Sprintf("Type: %d, Size: %d, Last:%t", (h>>1)&3, h>>3, h&1 == 1) +} + +// literalsHeader contains literals header information. +type literalsHeader uint64 + +// setType can be used to set the type of literal block. +func (h *literalsHeader) setType(t literalsBlockType) { + const mask = math.MaxUint64 - 3 + *h = (*h & mask) | literalsHeader(t) +} + +// setSize can be used to set a single size, for uncompressed and RLE content. +func (h *literalsHeader) setSize(regenLen int) { + inBits := bits.Len32(uint32(regenLen)) + // Only retain 2 bits + const mask = 3 + lh := uint64(*h & mask) + switch { + case inBits < 5: + lh |= (uint64(regenLen) << 3) | (1 << 60) + if debugEncoder { + got := int(lh>>3) & 0xff + if got != regenLen { + panic(fmt.Sprint("litRegenSize = ", regenLen, "(want) != ", got, "(got)")) + } + } + case inBits < 12: + lh |= (1 << 2) | (uint64(regenLen) << 4) | (2 << 60) + case inBits < 20: + lh |= (3 << 2) | (uint64(regenLen) << 4) | (3 << 60) + default: + panic(fmt.Errorf("internal error: block too big (%d)", regenLen)) + } + *h = literalsHeader(lh) +} + +// setSizes will set the size of a compressed literals section and the input length. +func (h *literalsHeader) setSizes(compLen, inLen int, single bool) { + compBits, inBits := bits.Len32(uint32(compLen)), bits.Len32(uint32(inLen)) + // Only retain 2 bits + const mask = 3 + lh := uint64(*h & mask) + switch { + case compBits <= 10 && inBits <= 10: + if !single { + lh |= 1 << 2 + } + lh |= (uint64(inLen) << 4) | (uint64(compLen) << (10 + 4)) | (3 << 60) + if debugEncoder { + const mmask = (1 << 24) - 1 + n := (lh >> 4) & mmask + if int(n&1023) != inLen { + panic(fmt.Sprint("regensize:", int(n&1023), "!=", inLen, inBits)) + } + if int(n>>10) != compLen { + panic(fmt.Sprint("compsize:", int(n>>10), "!=", compLen, compBits)) + } + } + case compBits <= 14 && inBits <= 14: + lh |= (2 << 2) | (uint64(inLen) << 4) | (uint64(compLen) << (14 + 4)) | (4 << 60) + if single { + panic("single stream used with more than 10 bits length.") + } + case compBits <= 18 && inBits <= 18: + lh |= (3 << 2) | (uint64(inLen) << 4) | (uint64(compLen) << (18 + 4)) | (5 << 60) + if single { + panic("single stream used with more than 10 bits length.") + } + default: + panic("internal error: block too big") + } + *h = literalsHeader(lh) +} + +// appendTo will append the literals header to a byte slice. +func (h literalsHeader) appendTo(b []byte) []byte { + size := uint8(h >> 60) + switch size { + case 1: + b = append(b, uint8(h)) + case 2: + b = append(b, uint8(h), uint8(h>>8)) + case 3: + b = append(b, uint8(h), uint8(h>>8), uint8(h>>16)) + case 4: + b = append(b, uint8(h), uint8(h>>8), uint8(h>>16), uint8(h>>24)) + case 5: + b = append(b, uint8(h), uint8(h>>8), uint8(h>>16), uint8(h>>24), uint8(h>>32)) + default: + panic(fmt.Errorf("internal error: literalsHeader has invalid size (%d)", size)) + } + return b +} + +// size returns the output size with currently set values. +func (h literalsHeader) size() int { + return int(h >> 60) +} + +func (h literalsHeader) String() string { + return fmt.Sprintf("Type: %d, SizeFormat: %d, Size: 0x%d, Bytes:%d", literalsBlockType(h&3), (h>>2)&3, h&((1<<60)-1)>>4, h>>60) +} + +// pushOffsets will push the recent offsets to the backup store. +func (b *blockEnc) pushOffsets() { + b.prevRecentOffsets = b.recentOffsets +} + +// pushOffsets will push the recent offsets to the backup store. +func (b *blockEnc) popOffsets() { + b.recentOffsets = b.prevRecentOffsets +} + +// matchOffset will adjust recent offsets and return the adjusted one, +// if it matches a previous offset. +func (b *blockEnc) matchOffset(offset, lits uint32) uint32 { + // Check if offset is one of the recent offsets. + // Adjusts the output offset accordingly. + // Gives a tiny bit of compression, typically around 1%. + if true { + if lits > 0 { + switch offset { + case b.recentOffsets[0]: + offset = 1 + case b.recentOffsets[1]: + b.recentOffsets[1] = b.recentOffsets[0] + b.recentOffsets[0] = offset + offset = 2 + case b.recentOffsets[2]: + b.recentOffsets[2] = b.recentOffsets[1] + b.recentOffsets[1] = b.recentOffsets[0] + b.recentOffsets[0] = offset + offset = 3 + default: + b.recentOffsets[2] = b.recentOffsets[1] + b.recentOffsets[1] = b.recentOffsets[0] + b.recentOffsets[0] = offset + offset += 3 + } + } else { + switch offset { + case b.recentOffsets[1]: + b.recentOffsets[1] = b.recentOffsets[0] + b.recentOffsets[0] = offset + offset = 1 + case b.recentOffsets[2]: + b.recentOffsets[2] = b.recentOffsets[1] + b.recentOffsets[1] = b.recentOffsets[0] + b.recentOffsets[0] = offset + offset = 2 + case b.recentOffsets[0] - 1: + b.recentOffsets[2] = b.recentOffsets[1] + b.recentOffsets[1] = b.recentOffsets[0] + b.recentOffsets[0] = offset + offset = 3 + default: + b.recentOffsets[2] = b.recentOffsets[1] + b.recentOffsets[1] = b.recentOffsets[0] + b.recentOffsets[0] = offset + offset += 3 + } + } + } else { + offset += 3 + } + return offset +} + +// encodeRaw can be used to set the output to a raw representation of supplied bytes. +func (b *blockEnc) encodeRaw(a []byte) { + var bh blockHeader + bh.setLast(b.last) + bh.setSize(uint32(len(a))) + bh.setType(blockTypeRaw) + b.output = bh.appendTo(b.output[:0]) + b.output = append(b.output, a...) + if debugEncoder { + println("Adding RAW block, length", len(a), "last:", b.last) + } +} + +// encodeRaw can be used to set the output to a raw representation of supplied bytes. +func (b *blockEnc) encodeRawTo(dst, src []byte) []byte { + var bh blockHeader + bh.setLast(b.last) + bh.setSize(uint32(len(src))) + bh.setType(blockTypeRaw) + dst = bh.appendTo(dst) + dst = append(dst, src...) + if debugEncoder { + println("Adding RAW block, length", len(src), "last:", b.last) + } + return dst +} + +// encodeLits can be used if the block is only litLen. +func (b *blockEnc) encodeLits(lits []byte, raw bool) error { + var bh blockHeader + bh.setLast(b.last) + bh.setSize(uint32(len(lits))) + + // Don't compress extremely small blocks + if len(lits) < 8 || (len(lits) < 32 && b.dictLitEnc == nil) || raw { + if debugEncoder { + println("Adding RAW block, length", len(lits), "last:", b.last) + } + bh.setType(blockTypeRaw) + b.output = bh.appendTo(b.output) + b.output = append(b.output, lits...) + return nil + } + + var ( + out []byte + reUsed, single bool + err error + ) + if b.dictLitEnc != nil { + b.litEnc.TransferCTable(b.dictLitEnc) + b.litEnc.Reuse = huff0.ReusePolicyAllow + b.dictLitEnc = nil + } + if len(lits) >= 1024 { + // Use 4 Streams. + out, reUsed, err = huff0.Compress4X(lits, b.litEnc) + } else if len(lits) > 16 { + // Use 1 stream + single = true + out, reUsed, err = huff0.Compress1X(lits, b.litEnc) + } else { + err = huff0.ErrIncompressible + } + if err == nil && len(out)+5 > len(lits) { + // If we are close, we may still be worse or equal to raw. + var lh literalsHeader + lh.setSizes(len(out), len(lits), single) + if len(out)+lh.size() >= len(lits) { + err = huff0.ErrIncompressible + } + } + switch err { + case huff0.ErrIncompressible: + if debugEncoder { + println("Adding RAW block, length", len(lits), "last:", b.last) + } + bh.setType(blockTypeRaw) + b.output = bh.appendTo(b.output) + b.output = append(b.output, lits...) + return nil + case huff0.ErrUseRLE: + if debugEncoder { + println("Adding RLE block, length", len(lits)) + } + bh.setType(blockTypeRLE) + b.output = bh.appendTo(b.output) + b.output = append(b.output, lits[0]) + return nil + case nil: + default: + return err + } + // Compressed... + // Now, allow reuse + b.litEnc.Reuse = huff0.ReusePolicyAllow + bh.setType(blockTypeCompressed) + var lh literalsHeader + if reUsed { + if debugEncoder { + println("Reused tree, compressed to", len(out)) + } + lh.setType(literalsBlockTreeless) + } else { + if debugEncoder { + println("New tree, compressed to", len(out), "tree size:", len(b.litEnc.OutTable)) + } + lh.setType(literalsBlockCompressed) + } + // Set sizes + lh.setSizes(len(out), len(lits), single) + bh.setSize(uint32(len(out) + lh.size() + 1)) + + // Write block headers. + b.output = bh.appendTo(b.output) + b.output = lh.appendTo(b.output) + // Add compressed data. + b.output = append(b.output, out...) + // No sequences. + b.output = append(b.output, 0) + return nil +} + +// encodeRLE will encode an RLE block. +func (b *blockEnc) encodeRLE(val byte, length uint32) { + var bh blockHeader + bh.setLast(b.last) + bh.setSize(length) + bh.setType(blockTypeRLE) + b.output = bh.appendTo(b.output) + b.output = append(b.output, val) +} + +// fuzzFseEncoder can be used to fuzz the FSE encoder. +func fuzzFseEncoder(data []byte) int { + if len(data) > maxSequences || len(data) < 2 { + return 0 + } + enc := fseEncoder{} + hist := enc.Histogram() + maxSym := uint8(0) + for i, v := range data { + v = v & 63 + data[i] = v + hist[v]++ + if v > maxSym { + maxSym = v + } + } + if maxSym == 0 { + // All 0 + return 0 + } + cnt := int(slices.Max(hist[:maxSym])) + if cnt == len(data) { + // RLE + return 0 + } + enc.HistogramFinished(maxSym, cnt) + err := enc.normalizeCount(len(data)) + if err != nil { + return 0 + } + _, err = enc.writeCount(nil) + if err != nil { + panic(err) + } + return 1 +} + +// encode will encode the block and append the output in b.output. +// Previous offset codes must be pushed if more blocks are expected. +func (b *blockEnc) encode(org []byte, raw, rawAllLits bool) error { + if len(b.sequences) == 0 { + return b.encodeLits(b.literals, rawAllLits) + } + if len(b.sequences) == 1 && len(org) > 0 && len(b.literals) <= 1 { + // Check common RLE cases. + seq := b.sequences[0] + if seq.litLen == uint32(len(b.literals)) && seq.offset-3 == 1 { + // Offset == 1 and 0 or 1 literals. + b.encodeRLE(org[0], b.sequences[0].matchLen+zstdMinMatch+seq.litLen) + return nil + } + } + + // We want some difference to at least account for the headers. + saved := b.size - len(b.literals) - (b.size >> 6) + if saved < 16 { + if org == nil { + return errIncompressible + } + b.popOffsets() + return b.encodeLits(org, rawAllLits) + } + + var bh blockHeader + var lh literalsHeader + bh.setLast(b.last) + bh.setType(blockTypeCompressed) + // Store offset of the block header. Needed when we know the size. + bhOffset := len(b.output) + b.output = bh.appendTo(b.output) + + var ( + out []byte + reUsed, single bool + err error + ) + if b.dictLitEnc != nil { + b.litEnc.TransferCTable(b.dictLitEnc) + b.litEnc.Reuse = huff0.ReusePolicyAllow + b.dictLitEnc = nil + } + if len(b.literals) >= 1024 && !raw { + // Use 4 Streams. + out, reUsed, err = huff0.Compress4X(b.literals, b.litEnc) + } else if len(b.literals) > 16 && !raw { + // Use 1 stream + single = true + out, reUsed, err = huff0.Compress1X(b.literals, b.litEnc) + } else { + err = huff0.ErrIncompressible + } + + if err == nil && len(out)+5 > len(b.literals) { + // If we are close, we may still be worse or equal to raw. + var lh literalsHeader + lh.setSize(len(b.literals)) + szRaw := lh.size() + lh.setSizes(len(out), len(b.literals), single) + szComp := lh.size() + if len(out)+szComp >= len(b.literals)+szRaw { + err = huff0.ErrIncompressible + } + } + switch err { + case huff0.ErrIncompressible: + lh.setType(literalsBlockRaw) + lh.setSize(len(b.literals)) + b.output = lh.appendTo(b.output) + b.output = append(b.output, b.literals...) + if debugEncoder { + println("Adding literals RAW, length", len(b.literals)) + } + case huff0.ErrUseRLE: + lh.setType(literalsBlockRLE) + lh.setSize(len(b.literals)) + b.output = lh.appendTo(b.output) + b.output = append(b.output, b.literals[0]) + if debugEncoder { + println("Adding literals RLE") + } + case nil: + // Compressed litLen... + if reUsed { + if debugEncoder { + println("reused tree") + } + lh.setType(literalsBlockTreeless) + } else { + if debugEncoder { + println("new tree, size:", len(b.litEnc.OutTable)) + } + lh.setType(literalsBlockCompressed) + if debugEncoder { + _, _, err := huff0.ReadTable(out, nil) + if err != nil { + panic(err) + } + } + } + lh.setSizes(len(out), len(b.literals), single) + if debugEncoder { + printf("Compressed %d literals to %d bytes", len(b.literals), len(out)) + println("Adding literal header:", lh) + } + b.output = lh.appendTo(b.output) + b.output = append(b.output, out...) + b.litEnc.Reuse = huff0.ReusePolicyAllow + if debugEncoder { + println("Adding literals compressed") + } + default: + if debugEncoder { + println("Adding literals ERROR:", err) + } + return err + } + // Sequence compression + + // Write the number of sequences + switch { + case len(b.sequences) < 128: + b.output = append(b.output, uint8(len(b.sequences))) + case len(b.sequences) < 0x7f00: // TODO: this could be wrong + n := len(b.sequences) + b.output = append(b.output, 128+uint8(n>>8), uint8(n)) + default: + n := len(b.sequences) - 0x7f00 + b.output = append(b.output, 255, uint8(n), uint8(n>>8)) + } + if debugEncoder { + println("Encoding", len(b.sequences), "sequences") + } + b.genCodes() + llEnc := b.coders.llEnc + ofEnc := b.coders.ofEnc + mlEnc := b.coders.mlEnc + err = llEnc.normalizeCount(len(b.sequences)) + if err != nil { + return err + } + err = ofEnc.normalizeCount(len(b.sequences)) + if err != nil { + return err + } + err = mlEnc.normalizeCount(len(b.sequences)) + if err != nil { + return err + } + + // Choose the best compression mode for each type. + // Will evaluate the new vs predefined and previous. + chooseComp := func(cur, prev, preDef *fseEncoder) (*fseEncoder, seqCompMode) { + // See if predefined/previous is better + hist := cur.count[:cur.symbolLen] + nSize := cur.approxSize(hist) + cur.maxHeaderSize() + predefSize := preDef.approxSize(hist) + prevSize := prev.approxSize(hist) + + // Add a small penalty for new encoders. + // Don't bother with extremely small (<2 byte gains). + nSize = nSize + (nSize+2*8*16)>>4 + switch { + case predefSize <= prevSize && predefSize <= nSize || forcePreDef: + if debugEncoder { + println("Using predefined", predefSize>>3, "<=", nSize>>3) + } + return preDef, compModePredefined + case prevSize <= nSize: + if debugEncoder { + println("Using previous", prevSize>>3, "<=", nSize>>3) + } + return prev, compModeRepeat + default: + if debugEncoder { + println("Using new, predef", predefSize>>3, ". previous:", prevSize>>3, ">", nSize>>3, "header max:", cur.maxHeaderSize()>>3, "bytes") + println("tl:", cur.actualTableLog, "symbolLen:", cur.symbolLen, "norm:", cur.norm[:cur.symbolLen], "hist", cur.count[:cur.symbolLen]) + } + return cur, compModeFSE + } + } + + // Write compression mode + var mode uint8 + if llEnc.useRLE { + mode |= uint8(compModeRLE) << 6 + llEnc.setRLE(b.sequences[0].llCode) + if debugEncoder { + println("llEnc.useRLE") + } + } else { + var m seqCompMode + llEnc, m = chooseComp(llEnc, b.coders.llPrev, &fsePredefEnc[tableLiteralLengths]) + mode |= uint8(m) << 6 + } + if ofEnc.useRLE { + mode |= uint8(compModeRLE) << 4 + ofEnc.setRLE(b.sequences[0].ofCode) + if debugEncoder { + println("ofEnc.useRLE") + } + } else { + var m seqCompMode + ofEnc, m = chooseComp(ofEnc, b.coders.ofPrev, &fsePredefEnc[tableOffsets]) + mode |= uint8(m) << 4 + } + + if mlEnc.useRLE { + mode |= uint8(compModeRLE) << 2 + mlEnc.setRLE(b.sequences[0].mlCode) + if debugEncoder { + println("mlEnc.useRLE, code: ", b.sequences[0].mlCode, "value", b.sequences[0].matchLen) + } + } else { + var m seqCompMode + mlEnc, m = chooseComp(mlEnc, b.coders.mlPrev, &fsePredefEnc[tableMatchLengths]) + mode |= uint8(m) << 2 + } + b.output = append(b.output, mode) + if debugEncoder { + printf("Compression modes: 0b%b", mode) + } + b.output, err = llEnc.writeCount(b.output) + if err != nil { + return err + } + start := len(b.output) + b.output, err = ofEnc.writeCount(b.output) + if err != nil { + return err + } + if false { + println("block:", b.output[start:], "tablelog", ofEnc.actualTableLog, "maxcount:", ofEnc.maxCount) + fmt.Printf("selected TableLog: %d, Symbol length: %d\n", ofEnc.actualTableLog, ofEnc.symbolLen) + for i, v := range ofEnc.norm[:ofEnc.symbolLen] { + fmt.Printf("%3d: %5d -> %4d \n", i, ofEnc.count[i], v) + } + } + b.output, err = mlEnc.writeCount(b.output) + if err != nil { + return err + } + + // Maybe in block? + wr := &b.wr + wr.reset(b.output) + + var ll, of, ml cState + + // Current sequence + seq := len(b.sequences) - 1 + s := b.sequences[seq] + llEnc.setBits(llBitsTable[:]) + mlEnc.setBits(mlBitsTable[:]) + ofEnc.setBits(nil) + + llTT, ofTT, mlTT := llEnc.ct.symbolTT[:256], ofEnc.ct.symbolTT[:256], mlEnc.ct.symbolTT[:256] + + // We have 3 bounds checks here (and in the loop). + // Since we are iterating backwards it is kinda hard to avoid. + llB, ofB, mlB := llTT[s.llCode], ofTT[s.ofCode], mlTT[s.mlCode] + ll.init(wr, &llEnc.ct, llB) + of.init(wr, &ofEnc.ct, ofB) + wr.flush32() + ml.init(wr, &mlEnc.ct, mlB) + + // Each of these lookups also generates a bounds check. + wr.addBits32NC(s.litLen, llB.outBits) + wr.addBits32NC(s.matchLen, mlB.outBits) + wr.flush32() + wr.addBits32NC(s.offset, ofB.outBits) + if debugSequences { + println("Encoded seq", seq, s, "codes:", s.llCode, s.mlCode, s.ofCode, "states:", ll.state, ml.state, of.state, "bits:", llB, mlB, ofB) + } + seq-- + // Store sequences in reverse... + for seq >= 0 { + s = b.sequences[seq] + + ofB := ofTT[s.ofCode] + wr.flush32() // tablelog max is below 8 for each, so it will fill max 24 bits. + //of.encode(ofB) + nbBitsOut := (uint32(of.state) + ofB.deltaNbBits) >> 16 + dstState := int32(of.state>>(nbBitsOut&15)) + int32(ofB.deltaFindState) + wr.addBits16NC(of.state, uint8(nbBitsOut)) + of.state = of.stateTable[dstState] + + // Accumulate extra bits. + outBits := ofB.outBits & 31 + extraBits := uint64(s.offset & bitMask32[outBits]) + extraBitsN := outBits + + mlB := mlTT[s.mlCode] + //ml.encode(mlB) + nbBitsOut = (uint32(ml.state) + mlB.deltaNbBits) >> 16 + dstState = int32(ml.state>>(nbBitsOut&15)) + int32(mlB.deltaFindState) + wr.addBits16NC(ml.state, uint8(nbBitsOut)) + ml.state = ml.stateTable[dstState] + + outBits = mlB.outBits & 31 + extraBits = extraBits<> 16 + dstState = int32(ll.state>>(nbBitsOut&15)) + int32(llB.deltaFindState) + wr.addBits16NC(ll.state, uint8(nbBitsOut)) + ll.state = ll.stateTable[dstState] + + outBits = llB.outBits & 31 + extraBits = extraBits<= b.size { + // Discard and encode as raw block. + b.output = b.encodeRawTo(b.output[:bhOffset], org) + b.popOffsets() + b.litEnc.Reuse = huff0.ReusePolicyNone + return nil + } + + // Size is output minus block header. + bh.setSize(uint32(len(b.output)-bhOffset) - 3) + if debugEncoder { + println("Rewriting block header", bh) + } + _ = bh.appendTo(b.output[bhOffset:bhOffset]) + b.coders.setPrev(llEnc, mlEnc, ofEnc) + return nil +} + +var errIncompressible = errors.New("incompressible") + +func (b *blockEnc) genCodes() { + if len(b.sequences) == 0 { + // nothing to do + return + } + if len(b.sequences) > math.MaxUint16 { + panic("can only encode up to 64K sequences") + } + // No bounds checks after here: + llH := b.coders.llEnc.Histogram() + ofH := b.coders.ofEnc.Histogram() + mlH := b.coders.mlEnc.Histogram() + for i := range llH { + llH[i] = 0 + } + for i := range ofH { + ofH[i] = 0 + } + for i := range mlH { + mlH[i] = 0 + } + + var llMax, ofMax, mlMax uint8 + for i := range b.sequences { + seq := &b.sequences[i] + v := llCode(seq.litLen) + seq.llCode = v + llH[v]++ + if v > llMax { + llMax = v + } + + v = ofCode(seq.offset) + seq.ofCode = v + ofH[v]++ + if v > ofMax { + ofMax = v + } + + v = mlCode(seq.matchLen) + seq.mlCode = v + mlH[v]++ + if v > mlMax { + mlMax = v + if debugAsserts && mlMax > maxMatchLengthSymbol { + panic(fmt.Errorf("mlMax > maxMatchLengthSymbol (%d), matchlen: %d", mlMax, seq.matchLen)) + } + } + } + if debugAsserts && mlMax > maxMatchLengthSymbol { + panic(fmt.Errorf("mlMax > maxMatchLengthSymbol (%d)", mlMax)) + } + if debugAsserts && ofMax > maxOffsetBits { + panic(fmt.Errorf("ofMax > maxOffsetBits (%d)", ofMax)) + } + if debugAsserts && llMax > maxLiteralLengthSymbol { + panic(fmt.Errorf("llMax > maxLiteralLengthSymbol (%d)", llMax)) + } + + b.coders.mlEnc.HistogramFinished(mlMax, int(slices.Max(mlH[:mlMax+1]))) + b.coders.ofEnc.HistogramFinished(ofMax, int(slices.Max(ofH[:ofMax+1]))) + b.coders.llEnc.HistogramFinished(llMax, int(slices.Max(llH[:llMax+1]))) +} diff --git a/vendor/github.com/klauspost/compress/zstd/blocktype_string.go b/vendor/github.com/klauspost/compress/zstd/blocktype_string.go new file mode 100644 index 0000000000..01a01e486e --- /dev/null +++ b/vendor/github.com/klauspost/compress/zstd/blocktype_string.go @@ -0,0 +1,85 @@ +// Code generated by "stringer -type=blockType,literalsBlockType,seqCompMode,tableIndex"; DO NOT EDIT. + +package zstd + +import "strconv" + +func _() { + // An "invalid array index" compiler error signifies that the constant values have changed. + // Re-run the stringer command to generate them again. + var x [1]struct{} + _ = x[blockTypeRaw-0] + _ = x[blockTypeRLE-1] + _ = x[blockTypeCompressed-2] + _ = x[blockTypeReserved-3] +} + +const _blockType_name = "blockTypeRawblockTypeRLEblockTypeCompressedblockTypeReserved" + +var _blockType_index = [...]uint8{0, 12, 24, 43, 60} + +func (i blockType) String() string { + if i >= blockType(len(_blockType_index)-1) { + return "blockType(" + strconv.FormatInt(int64(i), 10) + ")" + } + return _blockType_name[_blockType_index[i]:_blockType_index[i+1]] +} +func _() { + // An "invalid array index" compiler error signifies that the constant values have changed. + // Re-run the stringer command to generate them again. + var x [1]struct{} + _ = x[literalsBlockRaw-0] + _ = x[literalsBlockRLE-1] + _ = x[literalsBlockCompressed-2] + _ = x[literalsBlockTreeless-3] +} + +const _literalsBlockType_name = "literalsBlockRawliteralsBlockRLEliteralsBlockCompressedliteralsBlockTreeless" + +var _literalsBlockType_index = [...]uint8{0, 16, 32, 55, 76} + +func (i literalsBlockType) String() string { + if i >= literalsBlockType(len(_literalsBlockType_index)-1) { + return "literalsBlockType(" + strconv.FormatInt(int64(i), 10) + ")" + } + return _literalsBlockType_name[_literalsBlockType_index[i]:_literalsBlockType_index[i+1]] +} +func _() { + // An "invalid array index" compiler error signifies that the constant values have changed. + // Re-run the stringer command to generate them again. + var x [1]struct{} + _ = x[compModePredefined-0] + _ = x[compModeRLE-1] + _ = x[compModeFSE-2] + _ = x[compModeRepeat-3] +} + +const _seqCompMode_name = "compModePredefinedcompModeRLEcompModeFSEcompModeRepeat" + +var _seqCompMode_index = [...]uint8{0, 18, 29, 40, 54} + +func (i seqCompMode) String() string { + if i >= seqCompMode(len(_seqCompMode_index)-1) { + return "seqCompMode(" + strconv.FormatInt(int64(i), 10) + ")" + } + return _seqCompMode_name[_seqCompMode_index[i]:_seqCompMode_index[i+1]] +} +func _() { + // An "invalid array index" compiler error signifies that the constant values have changed. + // Re-run the stringer command to generate them again. + var x [1]struct{} + _ = x[tableLiteralLengths-0] + _ = x[tableOffsets-1] + _ = x[tableMatchLengths-2] +} + +const _tableIndex_name = "tableLiteralLengthstableOffsetstableMatchLengths" + +var _tableIndex_index = [...]uint8{0, 19, 31, 48} + +func (i tableIndex) String() string { + if i >= tableIndex(len(_tableIndex_index)-1) { + return "tableIndex(" + strconv.FormatInt(int64(i), 10) + ")" + } + return _tableIndex_name[_tableIndex_index[i]:_tableIndex_index[i+1]] +} diff --git a/vendor/github.com/klauspost/compress/zstd/bytebuf.go b/vendor/github.com/klauspost/compress/zstd/bytebuf.go new file mode 100644 index 0000000000..55a388553d --- /dev/null +++ b/vendor/github.com/klauspost/compress/zstd/bytebuf.go @@ -0,0 +1,131 @@ +// Copyright 2019+ Klaus Post. All rights reserved. +// License information can be found in the LICENSE file. +// Based on work by Yann Collet, released under BSD License. + +package zstd + +import ( + "fmt" + "io" +) + +type byteBuffer interface { + // Read up to 8 bytes. + // Returns io.ErrUnexpectedEOF if this cannot be satisfied. + readSmall(n int) ([]byte, error) + + // Read >8 bytes. + // MAY use the destination slice. + readBig(n int, dst []byte) ([]byte, error) + + // Read a single byte. + readByte() (byte, error) + + // Skip n bytes. + skipN(n int64) error +} + +// in-memory buffer +type byteBuf []byte + +func (b *byteBuf) readSmall(n int) ([]byte, error) { + if debugAsserts && n > 8 { + panic(fmt.Errorf("small read > 8 (%d). use readBig", n)) + } + bb := *b + if len(bb) < n { + return nil, io.ErrUnexpectedEOF + } + r := bb[:n] + *b = bb[n:] + return r, nil +} + +func (b *byteBuf) readBig(n int, dst []byte) ([]byte, error) { + bb := *b + if len(bb) < n { + return nil, io.ErrUnexpectedEOF + } + r := bb[:n] + *b = bb[n:] + return r, nil +} + +func (b *byteBuf) readByte() (byte, error) { + bb := *b + if len(bb) < 1 { + return 0, io.ErrUnexpectedEOF + } + r := bb[0] + *b = bb[1:] + return r, nil +} + +func (b *byteBuf) skipN(n int64) error { + bb := *b + if n < 0 { + return fmt.Errorf("negative skip (%d) requested", n) + } + if int64(len(bb)) < n { + return io.ErrUnexpectedEOF + } + *b = bb[n:] + return nil +} + +// wrapper around a reader. +type readerWrapper struct { + r io.Reader + tmp [8]byte +} + +func (r *readerWrapper) readSmall(n int) ([]byte, error) { + if debugAsserts && n > 8 { + panic(fmt.Errorf("small read > 8 (%d). use readBig", n)) + } + n2, err := io.ReadFull(r.r, r.tmp[:n]) + // We only really care about the actual bytes read. + if err != nil { + if err == io.EOF { + return nil, io.ErrUnexpectedEOF + } + if debugDecoder { + println("readSmall: got", n2, "want", n, "err", err) + } + return nil, err + } + return r.tmp[:n], nil +} + +func (r *readerWrapper) readBig(n int, dst []byte) ([]byte, error) { + if cap(dst) < n { + dst = make([]byte, n) + } + n2, err := io.ReadFull(r.r, dst[:n]) + if err == io.EOF && n > 0 { + err = io.ErrUnexpectedEOF + } + return dst[:n2], err +} + +func (r *readerWrapper) readByte() (byte, error) { + n2, err := io.ReadFull(r.r, r.tmp[:1]) + if err != nil { + if err == io.EOF { + err = io.ErrUnexpectedEOF + } + return 0, err + } + if n2 != 1 { + return 0, io.ErrUnexpectedEOF + } + return r.tmp[0], nil +} + +func (r *readerWrapper) skipN(n int64) error { + n2, err := io.CopyN(io.Discard, r.r, n) + if n2 != n { + err = io.ErrUnexpectedEOF + } + return err +} diff --git a/vendor/github.com/klauspost/compress/zstd/bytereader.go b/vendor/github.com/klauspost/compress/zstd/bytereader.go new file mode 100644 index 0000000000..0e59a242d8 --- /dev/null +++ b/vendor/github.com/klauspost/compress/zstd/bytereader.go @@ -0,0 +1,82 @@ +// Copyright 2019+ Klaus Post. All rights reserved. +// License information can be found in the LICENSE file. +// Based on work by Yann Collet, released under BSD License. + +package zstd + +// byteReader provides a byte reader that reads +// little endian values from a byte stream. +// The input stream is manually advanced. +// The reader performs no bounds checks. +type byteReader struct { + b []byte + off int +} + +// advance the stream b n bytes. +func (b *byteReader) advance(n uint) { + b.off += int(n) +} + +// overread returns whether we have advanced too far. +func (b *byteReader) overread() bool { + return b.off > len(b.b) +} + +// Int32 returns a little endian int32 starting at current offset. +func (b byteReader) Int32() int32 { + b2 := b.b[b.off:] + b2 = b2[:4] + v3 := int32(b2[3]) + v2 := int32(b2[2]) + v1 := int32(b2[1]) + v0 := int32(b2[0]) + return v0 | (v1 << 8) | (v2 << 16) | (v3 << 24) +} + +// Uint8 returns the next byte +func (b *byteReader) Uint8() uint8 { + v := b.b[b.off] + return v +} + +// Uint32 returns a little endian uint32 starting at current offset. +func (b byteReader) Uint32() uint32 { + if r := b.remain(); r < 4 { + // Very rare + v := uint32(0) + for i := 1; i <= r; i++ { + v = (v << 8) | uint32(b.b[len(b.b)-i]) + } + return v + } + b2 := b.b[b.off:] + b2 = b2[:4] + v3 := uint32(b2[3]) + v2 := uint32(b2[2]) + v1 := uint32(b2[1]) + v0 := uint32(b2[0]) + return v0 | (v1 << 8) | (v2 << 16) | (v3 << 24) +} + +// Uint32NC returns a little endian uint32 starting at current offset. +// The caller must be sure if there are at least 4 bytes left. +func (b byteReader) Uint32NC() uint32 { + b2 := b.b[b.off:] + b2 = b2[:4] + v3 := uint32(b2[3]) + v2 := uint32(b2[2]) + v1 := uint32(b2[1]) + v0 := uint32(b2[0]) + return v0 | (v1 << 8) | (v2 << 16) | (v3 << 24) +} + +// unread returns the unread portion of the input. +func (b byteReader) unread() []byte { + return b.b[b.off:] +} + +// remain will return the number of bytes remaining. +func (b byteReader) remain() int { + return len(b.b) - b.off +} diff --git a/vendor/github.com/klauspost/compress/zstd/decodeheader.go b/vendor/github.com/klauspost/compress/zstd/decodeheader.go new file mode 100644 index 0000000000..6a5a2988b6 --- /dev/null +++ b/vendor/github.com/klauspost/compress/zstd/decodeheader.go @@ -0,0 +1,261 @@ +// Copyright 2020+ Klaus Post. All rights reserved. +// License information can be found in the LICENSE file. + +package zstd + +import ( + "encoding/binary" + "errors" + "io" +) + +// HeaderMaxSize is the maximum size of a Frame and Block Header. +// If less is sent to Header.Decode it *may* still contain enough information. +const HeaderMaxSize = 14 + 3 + +// Header contains information about the first frame and block within that. +type Header struct { + // SingleSegment specifies whether the data is to be decompressed into a + // single contiguous memory segment. + // It implies that WindowSize is invalid and that FrameContentSize is valid. + SingleSegment bool + + // WindowSize is the window of data to keep while decoding. + // Will only be set if SingleSegment is false. + WindowSize uint64 + + // Dictionary ID. + // If 0, no dictionary. + DictionaryID uint32 + + // HasFCS specifies whether FrameContentSize has a valid value. + HasFCS bool + + // FrameContentSize is the expected uncompressed size of the entire frame. + FrameContentSize uint64 + + // Skippable will be true if the frame is meant to be skipped. + // This implies that FirstBlock.OK is false. + Skippable bool + + // SkippableID is the user-specific ID for the skippable frame. + // Valid values are between 0 to 15, inclusive. + SkippableID int + + // SkippableSize is the length of the user data to skip following + // the header. + SkippableSize uint32 + + // HeaderSize is the raw size of the frame header. + // + // For normal frames, it includes the size of the magic number and + // the size of the header (per section 3.1.1.1). + // It does not include the size for any data blocks (section 3.1.1.2) nor + // the size for the trailing content checksum. + // + // For skippable frames, this counts the size of the magic number + // along with the size of the size field of the payload. + // It does not include the size of the skippable payload itself. + // The total frame size is the HeaderSize plus the SkippableSize. + HeaderSize int + + // First block information. + FirstBlock struct { + // OK will be set if first block could be decoded. + OK bool + + // Is this the last block of a frame? + Last bool + + // Is the data compressed? + // If true CompressedSize will be populated. + // Unfortunately DecompressedSize cannot be determined + // without decoding the blocks. + Compressed bool + + // DecompressedSize is the expected decompressed size of the block. + // Will be 0 if it cannot be determined. + DecompressedSize int + + // CompressedSize of the data in the block. + // Does not include the block header. + // Will be equal to DecompressedSize if not Compressed. + CompressedSize int + } + + // If set there is a checksum present for the block content. + // The checksum field at the end is always 4 bytes long. + HasCheckSum bool +} + +// Decode the header from the beginning of the stream. +// This will decode the frame header and the first block header if enough bytes are provided. +// It is recommended to provide at least HeaderMaxSize bytes. +// If the frame header cannot be read an error will be returned. +// If there isn't enough input, io.ErrUnexpectedEOF is returned. +// The FirstBlock.OK will indicate if enough information was available to decode the first block header. +func (h *Header) Decode(in []byte) error { + _, err := h.DecodeAndStrip(in) + return err +} + +// DecodeAndStrip will decode the header from the beginning of the stream +// and on success return the remaining bytes. +// This will decode the frame header and the first block header if enough bytes are provided. +// It is recommended to provide at least HeaderMaxSize bytes. +// If the frame header cannot be read an error will be returned. +// If there isn't enough input, io.ErrUnexpectedEOF is returned. +// The FirstBlock.OK will indicate if enough information was available to decode the first block header. +func (h *Header) DecodeAndStrip(in []byte) (remain []byte, err error) { + *h = Header{} + if len(in) < 4 { + return nil, io.ErrUnexpectedEOF + } + h.HeaderSize += 4 + b, in := in[:4], in[4:] + if string(b) != frameMagic { + if string(b[1:4]) != skippableFrameMagic || b[0]&0xf0 != 0x50 { + return nil, ErrMagicMismatch + } + if len(in) < 4 { + return nil, io.ErrUnexpectedEOF + } + h.HeaderSize += 4 + h.Skippable = true + h.SkippableID = int(b[0] & 0xf) + h.SkippableSize = binary.LittleEndian.Uint32(in) + return in[4:], nil + } + + // Read Window_Descriptor + // https://github.com/facebook/zstd/blob/dev/doc/zstd_compression_format.md#window_descriptor + if len(in) < 1 { + return nil, io.ErrUnexpectedEOF + } + fhd, in := in[0], in[1:] + h.HeaderSize++ + h.SingleSegment = fhd&(1<<5) != 0 + h.HasCheckSum = fhd&(1<<2) != 0 + if fhd&(1<<3) != 0 { + return nil, errors.New("reserved bit set on frame header") + } + + if !h.SingleSegment { + if len(in) < 1 { + return nil, io.ErrUnexpectedEOF + } + var wd byte + wd, in = in[0], in[1:] + h.HeaderSize++ + windowLog := 10 + (wd >> 3) + windowBase := uint64(1) << windowLog + windowAdd := (windowBase / 8) * uint64(wd&0x7) + h.WindowSize = windowBase + windowAdd + } + + // Read Dictionary_ID + // https://github.com/facebook/zstd/blob/dev/doc/zstd_compression_format.md#dictionary_id + if size := fhd & 3; size != 0 { + if size == 3 { + size = 4 + } + if len(in) < int(size) { + return nil, io.ErrUnexpectedEOF + } + b, in = in[:size], in[size:] + h.HeaderSize += int(size) + switch len(b) { + case 1: + h.DictionaryID = uint32(b[0]) + case 2: + h.DictionaryID = uint32(b[0]) | (uint32(b[1]) << 8) + case 4: + h.DictionaryID = uint32(b[0]) | (uint32(b[1]) << 8) | (uint32(b[2]) << 16) | (uint32(b[3]) << 24) + } + } + + // Read Frame_Content_Size + // https://github.com/facebook/zstd/blob/dev/doc/zstd_compression_format.md#frame_content_size + var fcsSize int + v := fhd >> 6 + switch v { + case 0: + if h.SingleSegment { + fcsSize = 1 + } + default: + fcsSize = 1 << v + } + + if fcsSize > 0 { + h.HasFCS = true + if len(in) < fcsSize { + return nil, io.ErrUnexpectedEOF + } + b, in = in[:fcsSize], in[fcsSize:] + h.HeaderSize += int(fcsSize) + switch len(b) { + case 1: + h.FrameContentSize = uint64(b[0]) + case 2: + // When FCS_Field_Size is 2, the offset of 256 is added. + h.FrameContentSize = uint64(b[0]) | (uint64(b[1]) << 8) + 256 + case 4: + h.FrameContentSize = uint64(b[0]) | (uint64(b[1]) << 8) | (uint64(b[2]) << 16) | (uint64(b[3]) << 24) + case 8: + d1 := uint32(b[0]) | (uint32(b[1]) << 8) | (uint32(b[2]) << 16) | (uint32(b[3]) << 24) + d2 := uint32(b[4]) | (uint32(b[5]) << 8) | (uint32(b[6]) << 16) | (uint32(b[7]) << 24) + h.FrameContentSize = uint64(d1) | (uint64(d2) << 32) + } + } + + // Frame Header done, we will not fail from now on. + if len(in) < 3 { + return in, nil + } + tmp := in[:3] + bh := uint32(tmp[0]) | (uint32(tmp[1]) << 8) | (uint32(tmp[2]) << 16) + h.FirstBlock.Last = bh&1 != 0 + blockType := blockType((bh >> 1) & 3) + // find size. + cSize := int(bh >> 3) + switch blockType { + case blockTypeReserved: + return in, nil + case blockTypeRLE: + h.FirstBlock.Compressed = true + h.FirstBlock.DecompressedSize = cSize + h.FirstBlock.CompressedSize = 1 + case blockTypeCompressed: + h.FirstBlock.Compressed = true + h.FirstBlock.CompressedSize = cSize + case blockTypeRaw: + h.FirstBlock.DecompressedSize = cSize + h.FirstBlock.CompressedSize = cSize + default: + panic("Invalid block type") + } + + h.FirstBlock.OK = true + return in, nil +} + +// AppendTo will append the encoded header to the dst slice. +// There is no error checking performed on the header values. +func (h *Header) AppendTo(dst []byte) ([]byte, error) { + if h.Skippable { + magic := [4]byte{0x50, 0x2a, 0x4d, 0x18} + magic[0] |= byte(h.SkippableID & 0xf) + dst = append(dst, magic[:]...) + f := h.SkippableSize + return append(dst, uint8(f), uint8(f>>8), uint8(f>>16), uint8(f>>24)), nil + } + f := frameHeader{ + ContentSize: h.FrameContentSize, + WindowSize: uint32(h.WindowSize), + SingleSegment: h.SingleSegment, + Checksum: h.HasCheckSum, + DictID: h.DictionaryID, + } + return f.appendTo(dst), nil +} diff --git a/vendor/github.com/klauspost/compress/zstd/decoder.go b/vendor/github.com/klauspost/compress/zstd/decoder.go new file mode 100644 index 0000000000..ea2a19376c --- /dev/null +++ b/vendor/github.com/klauspost/compress/zstd/decoder.go @@ -0,0 +1,949 @@ +// Copyright 2019+ Klaus Post. All rights reserved. +// License information can be found in the LICENSE file. +// Based on work by Yann Collet, released under BSD License. + +package zstd + +import ( + "context" + "encoding/binary" + "io" + "sync" + + "github.com/klauspost/compress/zstd/internal/xxhash" +) + +// Decoder provides decoding of zstandard streams. +// The decoder has been designed to operate without allocations after a warmup. +// This means that you should store the decoder for best performance. +// To re-use a stream decoder, use the Reset(r io.Reader) error to switch to another stream. +// A decoder can safely be re-used even if the previous stream failed. +// To release the resources, you must call the Close() function on a decoder. +type Decoder struct { + o decoderOptions + + // Unreferenced decoders, ready for use. + decoders chan *blockDec + + // Current read position used for Reader functionality. + current decoderState + + // sync stream decoding + syncStream struct { + decodedFrame uint64 + br readerWrapper + enabled bool + inFrame bool + dstBuf []byte + } + + frame *frameDec + + // Custom dictionaries. + dicts map[uint32]*dict + + // streamWg is the waitgroup for all streams + streamWg sync.WaitGroup +} + +// decoderState is used for maintaining state when the decoder +// is used for streaming. +type decoderState struct { + // current block being written to stream. + decodeOutput + + // output in order to be written to stream. + output chan decodeOutput + + // cancel remaining output. + cancel context.CancelFunc + + // crc of current frame + crc *xxhash.Digest + + flushed bool +} + +var ( + // Check the interfaces we want to support. + _ = io.WriterTo(&Decoder{}) + _ = io.Reader(&Decoder{}) +) + +// NewReader creates a new decoder. +// A nil Reader can be provided in which case Reset can be used to start a decode. +// +// A Decoder can be used in two modes: +// +// 1) As a stream, or +// 2) For stateless decoding using DecodeAll. +// +// Only a single stream can be decoded concurrently, but the same decoder +// can run multiple concurrent stateless decodes. It is even possible to +// use stateless decodes while a stream is being decoded. +// +// The Reset function can be used to initiate a new stream, which will considerably +// reduce the allocations normally caused by NewReader. +func NewReader(r io.Reader, opts ...DOption) (*Decoder, error) { + initPredefined() + var d Decoder + d.o.setDefault() + for _, o := range opts { + err := o(&d.o) + if err != nil { + return nil, err + } + } + d.current.crc = xxhash.New() + d.current.flushed = true + + if r == nil { + d.current.err = ErrDecoderNilInput + } + + // Transfer option dicts. + d.dicts = make(map[uint32]*dict, len(d.o.dicts)) + for _, dc := range d.o.dicts { + d.dicts[dc.id] = dc + } + d.o.dicts = nil + + // Create decoders + d.decoders = make(chan *blockDec, d.o.concurrent) + for i := 0; i < d.o.concurrent; i++ { + dec := newBlockDec(d.o.lowMem) + dec.localFrame = newFrameDec(d.o) + d.decoders <- dec + } + + if r == nil { + return &d, nil + } + return &d, d.Reset(r) +} + +// Read bytes from the decompressed stream into p. +// Returns the number of bytes read and any error that occurred. +// When the stream is done, io.EOF will be returned. +func (d *Decoder) Read(p []byte) (int, error) { + var n int + for { + if len(d.current.b) > 0 { + filled := copy(p, d.current.b) + p = p[filled:] + d.current.b = d.current.b[filled:] + n += filled + } + if len(p) == 0 { + break + } + if len(d.current.b) == 0 { + // We have an error and no more data + if d.current.err != nil { + break + } + if !d.nextBlock(n == 0) { + return n, d.current.err + } + } + } + if len(d.current.b) > 0 { + if debugDecoder { + println("returning", n, "still bytes left:", len(d.current.b)) + } + // Only return error at end of block + return n, nil + } + if d.current.err != nil { + d.drainOutput() + } + if debugDecoder { + println("returning", n, d.current.err, len(d.decoders)) + } + return n, d.current.err +} + +// Reset will reset the decoder the supplied stream after the current has finished processing. +// Note that this functionality cannot be used after Close has been called. +// Reset can be called with a nil reader to release references to the previous reader. +// After being called with a nil reader, no other operations than Reset or DecodeAll or Close +// should be used. +func (d *Decoder) Reset(r io.Reader) error { + if d.current.err == ErrDecoderClosed { + return d.current.err + } + + d.drainOutput() + + d.syncStream.br.r = nil + if r == nil { + d.current.err = ErrDecoderNilInput + if len(d.current.b) > 0 { + d.current.b = d.current.b[:0] + } + d.current.flushed = true + return nil + } + + // If bytes buffer and < 5MB, do sync decoding anyway. + if bb, ok := r.(byter); ok && bb.Len() < d.o.decodeBufsBelow && !d.o.limitToCap { + bb2 := bb + if debugDecoder { + println("*bytes.Buffer detected, doing sync decode, len:", bb.Len()) + } + b := bb2.Bytes() + var dst []byte + if cap(d.syncStream.dstBuf) > 0 { + dst = d.syncStream.dstBuf[:0] + } + + dst, err := d.DecodeAll(b, dst) + if err == nil { + err = io.EOF + } + // Save output buffer + d.syncStream.dstBuf = dst + d.current.b = dst + d.current.err = err + d.current.flushed = true + if debugDecoder { + println("sync decode to", len(dst), "bytes, err:", err) + } + return nil + } + // Remove current block. + d.stashDecoder() + d.current.decodeOutput = decodeOutput{} + d.current.err = nil + d.current.flushed = false + d.current.d = nil + d.syncStream.dstBuf = nil + + // Ensure no-one else is still running... + d.streamWg.Wait() + if d.frame == nil { + d.frame = newFrameDec(d.o) + } + + if d.o.concurrent == 1 { + return d.startSyncDecoder(r) + } + + d.current.output = make(chan decodeOutput, d.o.concurrent) + ctx, cancel := context.WithCancel(context.Background()) + d.current.cancel = cancel + d.streamWg.Add(1) + go d.startStreamDecoder(ctx, r, d.current.output) + + return nil +} + +// drainOutput will drain the output until errEndOfStream is sent. +func (d *Decoder) drainOutput() { + if d.current.cancel != nil { + if debugDecoder { + println("cancelling current") + } + d.current.cancel() + d.current.cancel = nil + } + if d.current.d != nil { + if debugDecoder { + printf("re-adding current decoder %p, decoders: %d", d.current.d, len(d.decoders)) + } + d.decoders <- d.current.d + d.current.d = nil + d.current.b = nil + } + if d.current.output == nil || d.current.flushed { + println("current already flushed") + return + } + for v := range d.current.output { + if v.d != nil { + if debugDecoder { + printf("re-adding decoder %p", v.d) + } + d.decoders <- v.d + } + } + d.current.output = nil + d.current.flushed = true +} + +// WriteTo writes data to w until there's no more data to write or when an error occurs. +// The return value n is the number of bytes written. +// Any error encountered during the write is also returned. +func (d *Decoder) WriteTo(w io.Writer) (int64, error) { + var n int64 + for { + if len(d.current.b) > 0 { + n2, err2 := w.Write(d.current.b) + n += int64(n2) + if err2 != nil && (d.current.err == nil || d.current.err == io.EOF) { + d.current.err = err2 + } else if n2 != len(d.current.b) { + d.current.err = io.ErrShortWrite + } + } + if d.current.err != nil { + break + } + d.nextBlock(true) + } + err := d.current.err + if err != nil { + d.drainOutput() + } + if err == io.EOF { + err = nil + } + return n, err +} + +// DecodeAll allows stateless decoding of a blob of bytes. +// Output will be appended to dst, so if the destination size is known +// you can pre-allocate the destination slice to avoid allocations. +// DecodeAll can be used concurrently. +// The Decoder concurrency limits will be respected. +func (d *Decoder) DecodeAll(input, dst []byte) ([]byte, error) { + if d.decoders == nil { + return dst, ErrDecoderClosed + } + + // Grab a block decoder and frame decoder. + block := <-d.decoders + frame := block.localFrame + initialSize := len(dst) + defer func() { + if debugDecoder { + printf("re-adding decoder: %p", block) + } + frame.rawInput = nil + frame.bBuf = nil + if frame.history.decoders.br != nil { + frame.history.decoders.br.in = nil + frame.history.decoders.br.cursor = 0 + } + d.decoders <- block + }() + frame.bBuf = input + + for { + frame.history.reset() + err := frame.reset(&frame.bBuf) + if err != nil { + if err == io.EOF { + if debugDecoder { + println("frame reset return EOF") + } + return dst, nil + } + return dst, err + } + if err = d.setDict(frame); err != nil { + return nil, err + } + if frame.WindowSize > d.o.maxWindowSize { + if debugDecoder { + println("window size exceeded:", frame.WindowSize, ">", d.o.maxWindowSize) + } + return dst, ErrWindowSizeExceeded + } + if frame.FrameContentSize != fcsUnknown { + if frame.FrameContentSize > d.o.maxDecodedSize-uint64(len(dst)-initialSize) { + if debugDecoder { + println("decoder size exceeded; fcs:", frame.FrameContentSize, "> mcs:", d.o.maxDecodedSize-uint64(len(dst)-initialSize), "len:", len(dst)) + } + return dst, ErrDecoderSizeExceeded + } + if d.o.limitToCap && frame.FrameContentSize > uint64(cap(dst)-len(dst)) { + if debugDecoder { + println("decoder size exceeded; fcs:", frame.FrameContentSize, "> (cap-len)", cap(dst)-len(dst)) + } + return dst, ErrDecoderSizeExceeded + } + if cap(dst)-len(dst) < int(frame.FrameContentSize) { + dst2 := make([]byte, len(dst), len(dst)+int(frame.FrameContentSize)+compressedBlockOverAlloc) + copy(dst2, dst) + dst = dst2 + } + } + + if cap(dst) == 0 && !d.o.limitToCap { + // Allocate len(input) * 2 by default if nothing is provided + // and we didn't get frame content size. + size := len(input) * 2 + // Cap to 1 MB. + if size > 1<<20 { + size = 1 << 20 + } + if uint64(size) > d.o.maxDecodedSize { + size = int(d.o.maxDecodedSize) + } + dst = make([]byte, 0, size) + } + + dst, err = frame.runDecoder(dst, block) + if err != nil { + return dst, err + } + if uint64(len(dst)-initialSize) > d.o.maxDecodedSize { + return dst, ErrDecoderSizeExceeded + } + if len(frame.bBuf) == 0 { + if debugDecoder { + println("frame dbuf empty") + } + break + } + } + return dst, nil +} + +// nextBlock returns the next block. +// If an error occurs d.err will be set. +// Optionally the function can block for new output. +// If non-blocking mode is used the returned boolean will be false +// if no data was available without blocking. +func (d *Decoder) nextBlock(blocking bool) (ok bool) { + if d.current.err != nil { + // Keep error state. + return false + } + d.current.b = d.current.b[:0] + + // SYNC: + if d.syncStream.enabled { + if !blocking { + return false + } + ok = d.nextBlockSync() + if !ok { + d.stashDecoder() + } + return ok + } + + //ASYNC: + d.stashDecoder() + if blocking { + d.current.decodeOutput, ok = <-d.current.output + } else { + select { + case d.current.decodeOutput, ok = <-d.current.output: + default: + return false + } + } + if !ok { + // This should not happen, so signal error state... + d.current.err = io.ErrUnexpectedEOF + return false + } + next := d.current.decodeOutput + if next.d != nil && next.d.async.newHist != nil { + d.current.crc.Reset() + } + if debugDecoder { + var tmp [4]byte + binary.LittleEndian.PutUint32(tmp[:], uint32(xxhash.Sum64(next.b))) + println("got", len(d.current.b), "bytes, error:", d.current.err, "data crc:", tmp) + } + + if d.o.ignoreChecksum { + return true + } + + if len(next.b) > 0 { + d.current.crc.Write(next.b) + } + if next.err == nil && next.d != nil && next.d.hasCRC { + got := uint32(d.current.crc.Sum64()) + if got != next.d.checkCRC { + if debugDecoder { + printf("CRC Check Failed: %08x (got) != %08x (on stream)\n", got, next.d.checkCRC) + } + d.current.err = ErrCRCMismatch + } else { + if debugDecoder { + printf("CRC ok %08x\n", got) + } + } + } + + return true +} + +func (d *Decoder) nextBlockSync() (ok bool) { + if d.current.d == nil { + d.current.d = <-d.decoders + } + for len(d.current.b) == 0 { + if !d.syncStream.inFrame { + d.frame.history.reset() + d.current.err = d.frame.reset(&d.syncStream.br) + if d.current.err == nil { + d.current.err = d.setDict(d.frame) + } + if d.current.err != nil { + return false + } + if d.frame.WindowSize > d.o.maxDecodedSize || d.frame.WindowSize > d.o.maxWindowSize { + d.current.err = ErrDecoderSizeExceeded + return false + } + + d.syncStream.decodedFrame = 0 + d.syncStream.inFrame = true + } + d.current.err = d.frame.next(d.current.d) + if d.current.err != nil { + return false + } + d.frame.history.ensureBlock() + if debugDecoder { + println("History trimmed:", len(d.frame.history.b), "decoded already:", d.syncStream.decodedFrame) + } + histBefore := len(d.frame.history.b) + d.current.err = d.current.d.decodeBuf(&d.frame.history) + + if d.current.err != nil { + println("error after:", d.current.err) + return false + } + d.current.b = d.frame.history.b[histBefore:] + if debugDecoder { + println("history after:", len(d.frame.history.b)) + } + + // Check frame size (before CRC) + d.syncStream.decodedFrame += uint64(len(d.current.b)) + if d.syncStream.decodedFrame > d.frame.FrameContentSize { + if debugDecoder { + printf("DecodedFrame (%d) > FrameContentSize (%d)\n", d.syncStream.decodedFrame, d.frame.FrameContentSize) + } + d.current.err = ErrFrameSizeExceeded + return false + } + + // Check FCS + if d.current.d.Last && d.frame.FrameContentSize != fcsUnknown && d.syncStream.decodedFrame != d.frame.FrameContentSize { + if debugDecoder { + printf("DecodedFrame (%d) != FrameContentSize (%d)\n", d.syncStream.decodedFrame, d.frame.FrameContentSize) + } + d.current.err = ErrFrameSizeMismatch + return false + } + + // Update/Check CRC + if d.frame.HasCheckSum { + if !d.o.ignoreChecksum { + d.frame.crc.Write(d.current.b) + } + if d.current.d.Last { + if !d.o.ignoreChecksum { + d.current.err = d.frame.checkCRC() + } else { + d.current.err = d.frame.consumeCRC() + } + if d.current.err != nil { + println("CRC error:", d.current.err) + return false + } + } + } + d.syncStream.inFrame = !d.current.d.Last + } + return true +} + +func (d *Decoder) stashDecoder() { + if d.current.d != nil { + if debugDecoder { + printf("re-adding current decoder %p", d.current.d) + } + d.decoders <- d.current.d + d.current.d = nil + } +} + +// Close will release all resources. +// It is NOT possible to reuse the decoder after this. +func (d *Decoder) Close() { + if d.current.err == ErrDecoderClosed { + return + } + d.drainOutput() + if d.current.cancel != nil { + d.current.cancel() + d.streamWg.Wait() + d.current.cancel = nil + } + if d.decoders != nil { + close(d.decoders) + for dec := range d.decoders { + dec.Close() + } + d.decoders = nil + } + if d.current.d != nil { + d.current.d.Close() + d.current.d = nil + } + d.current.err = ErrDecoderClosed +} + +// IOReadCloser returns the decoder as an io.ReadCloser for convenience. +// Any changes to the decoder will be reflected, so the returned ReadCloser +// can be reused along with the decoder. +// io.WriterTo is also supported by the returned ReadCloser. +func (d *Decoder) IOReadCloser() io.ReadCloser { + return closeWrapper{d: d} +} + +// closeWrapper wraps a function call as a closer. +type closeWrapper struct { + d *Decoder +} + +// WriteTo forwards WriteTo calls to the decoder. +func (c closeWrapper) WriteTo(w io.Writer) (n int64, err error) { + return c.d.WriteTo(w) +} + +// Read forwards read calls to the decoder. +func (c closeWrapper) Read(p []byte) (n int, err error) { + return c.d.Read(p) +} + +// Close closes the decoder. +func (c closeWrapper) Close() error { + c.d.Close() + return nil +} + +type decodeOutput struct { + d *blockDec + b []byte + err error +} + +func (d *Decoder) startSyncDecoder(r io.Reader) error { + d.frame.history.reset() + d.syncStream.br = readerWrapper{r: r} + d.syncStream.inFrame = false + d.syncStream.enabled = true + d.syncStream.decodedFrame = 0 + return nil +} + +// Create Decoder: +// ASYNC: +// Spawn 3 go routines. +// 0: Read frames and decode block literals. +// 1: Decode sequences. +// 2: Execute sequences, send to output. +func (d *Decoder) startStreamDecoder(ctx context.Context, r io.Reader, output chan decodeOutput) { + defer d.streamWg.Done() + br := readerWrapper{r: r} + + var seqDecode = make(chan *blockDec, d.o.concurrent) + var seqExecute = make(chan *blockDec, d.o.concurrent) + + // Async 1: Decode sequences... + go func() { + var hist history + var hasErr bool + + for block := range seqDecode { + if hasErr { + if block != nil { + seqExecute <- block + } + continue + } + if block.async.newHist != nil { + if debugDecoder { + println("Async 1: new history, recent:", block.async.newHist.recentOffsets) + } + hist.reset() + hist.decoders = block.async.newHist.decoders + hist.recentOffsets = block.async.newHist.recentOffsets + hist.windowSize = block.async.newHist.windowSize + if block.async.newHist.dict != nil { + hist.setDict(block.async.newHist.dict) + } + } + if block.err != nil || block.Type != blockTypeCompressed { + hasErr = block.err != nil + seqExecute <- block + continue + } + + hist.decoders.literals = block.async.literals + block.err = block.prepareSequences(block.async.seqData, &hist) + if debugDecoder && block.err != nil { + println("prepareSequences returned:", block.err) + } + hasErr = block.err != nil + if block.err == nil { + block.err = block.decodeSequences(&hist) + if debugDecoder && block.err != nil { + println("decodeSequences returned:", block.err) + } + hasErr = block.err != nil + // block.async.sequence = hist.decoders.seq[:hist.decoders.nSeqs] + block.async.seqSize = hist.decoders.seqSize + } + seqExecute <- block + } + close(seqExecute) + hist.reset() + }() + + var wg sync.WaitGroup + wg.Add(1) + + // Async 3: Execute sequences... + frameHistCache := d.frame.history.b + go func() { + var hist history + var decodedFrame uint64 + var fcs uint64 + var hasErr bool + for block := range seqExecute { + out := decodeOutput{err: block.err, d: block} + if block.err != nil || hasErr { + hasErr = true + output <- out + continue + } + if block.async.newHist != nil { + if debugDecoder { + println("Async 2: new history") + } + hist.reset() + hist.windowSize = block.async.newHist.windowSize + hist.allocFrameBuffer = block.async.newHist.allocFrameBuffer + if block.async.newHist.dict != nil { + hist.setDict(block.async.newHist.dict) + } + + if cap(hist.b) < hist.allocFrameBuffer { + if cap(frameHistCache) >= hist.allocFrameBuffer { + hist.b = frameHistCache + } else { + hist.b = make([]byte, 0, hist.allocFrameBuffer) + println("Alloc history sized", hist.allocFrameBuffer) + } + } + hist.b = hist.b[:0] + fcs = block.async.fcs + decodedFrame = 0 + } + do := decodeOutput{err: block.err, d: block} + switch block.Type { + case blockTypeRLE: + if debugDecoder { + println("add rle block length:", block.RLESize) + } + + if cap(block.dst) < int(block.RLESize) { + if block.lowMem { + block.dst = make([]byte, block.RLESize) + } else { + block.dst = make([]byte, maxCompressedBlockSize) + } + } + block.dst = block.dst[:block.RLESize] + v := block.data[0] + for i := range block.dst { + block.dst[i] = v + } + hist.append(block.dst) + do.b = block.dst + case blockTypeRaw: + if debugDecoder { + println("add raw block length:", len(block.data)) + } + hist.append(block.data) + do.b = block.data + case blockTypeCompressed: + if debugDecoder { + println("execute with history length:", len(hist.b), "window:", hist.windowSize) + } + hist.decoders.seqSize = block.async.seqSize + hist.decoders.literals = block.async.literals + do.err = block.executeSequences(&hist) + hasErr = do.err != nil + if debugDecoder && hasErr { + println("executeSequences returned:", do.err) + } + do.b = block.dst + } + if !hasErr { + decodedFrame += uint64(len(do.b)) + if decodedFrame > fcs { + println("fcs exceeded", block.Last, fcs, decodedFrame) + do.err = ErrFrameSizeExceeded + hasErr = true + } else if block.Last && fcs != fcsUnknown && decodedFrame != fcs { + do.err = ErrFrameSizeMismatch + hasErr = true + } else { + if debugDecoder { + println("fcs ok", block.Last, fcs, decodedFrame) + } + } + } + output <- do + } + close(output) + frameHistCache = hist.b + wg.Done() + if debugDecoder { + println("decoder goroutines finished") + } + hist.reset() + }() + + var hist history +decodeStream: + for { + var hasErr bool + hist.reset() + decodeBlock := func(block *blockDec) { + if hasErr { + if block != nil { + seqDecode <- block + } + return + } + if block.err != nil || block.Type != blockTypeCompressed { + hasErr = block.err != nil + seqDecode <- block + return + } + + remain, err := block.decodeLiterals(block.data, &hist) + block.err = err + hasErr = block.err != nil + if err == nil { + block.async.literals = hist.decoders.literals + block.async.seqData = remain + } else if debugDecoder { + println("decodeLiterals error:", err) + } + seqDecode <- block + } + frame := d.frame + if debugDecoder { + println("New frame...") + } + var historySent bool + frame.history.reset() + err := frame.reset(&br) + if debugDecoder && err != nil { + println("Frame decoder returned", err) + } + if err == nil { + err = d.setDict(frame) + } + if err == nil && d.frame.WindowSize > d.o.maxWindowSize { + if debugDecoder { + println("decoder size exceeded, fws:", d.frame.WindowSize, "> mws:", d.o.maxWindowSize) + } + + err = ErrDecoderSizeExceeded + } + if err != nil { + select { + case <-ctx.Done(): + case dec := <-d.decoders: + dec.sendErr(err) + decodeBlock(dec) + } + break decodeStream + } + + // Go through all blocks of the frame. + for { + var dec *blockDec + select { + case <-ctx.Done(): + break decodeStream + case dec = <-d.decoders: + // Once we have a decoder, we MUST return it. + } + err := frame.next(dec) + if !historySent { + h := frame.history + if debugDecoder { + println("Alloc History:", h.allocFrameBuffer) + } + hist.reset() + if h.dict != nil { + hist.setDict(h.dict) + } + dec.async.newHist = &h + dec.async.fcs = frame.FrameContentSize + historySent = true + } else { + dec.async.newHist = nil + } + if debugDecoder && err != nil { + println("next block returned error:", err) + } + dec.err = err + dec.hasCRC = false + if dec.Last && frame.HasCheckSum && err == nil { + crc, err := frame.rawInput.readSmall(4) + if len(crc) < 4 { + if err == nil { + err = io.ErrUnexpectedEOF + + } + println("CRC missing?", err) + dec.err = err + } else { + dec.checkCRC = binary.LittleEndian.Uint32(crc) + dec.hasCRC = true + if debugDecoder { + printf("found crc to check: %08x\n", dec.checkCRC) + } + } + } + err = dec.err + last := dec.Last + decodeBlock(dec) + if err != nil { + break decodeStream + } + if last { + break + } + } + } + close(seqDecode) + wg.Wait() + hist.reset() + d.frame.history.b = frameHistCache +} + +func (d *Decoder) setDict(frame *frameDec) (err error) { + dict, ok := d.dicts[frame.DictionaryID] + if ok { + if debugDecoder { + println("setting dict", frame.DictionaryID) + } + frame.history.setDict(dict) + } else if frame.DictionaryID != 0 { + // A zero or missing dictionary id is ambiguous: + // either dictionary zero, or no dictionary. In particular, + // zstd --patch-from uses this id for the source file, + // so only return an error if the dictionary id is not zero. + err = ErrUnknownDictionary + } + return err +} diff --git a/vendor/github.com/klauspost/compress/zstd/decoder_options.go b/vendor/github.com/klauspost/compress/zstd/decoder_options.go new file mode 100644 index 0000000000..774c5f00fe --- /dev/null +++ b/vendor/github.com/klauspost/compress/zstd/decoder_options.go @@ -0,0 +1,169 @@ +// Copyright 2019+ Klaus Post. All rights reserved. +// License information can be found in the LICENSE file. +// Based on work by Yann Collet, released under BSD License. + +package zstd + +import ( + "errors" + "fmt" + "math/bits" + "runtime" +) + +// DOption is an option for creating a decoder. +type DOption func(*decoderOptions) error + +// options retains accumulated state of multiple options. +type decoderOptions struct { + lowMem bool + concurrent int + maxDecodedSize uint64 + maxWindowSize uint64 + dicts []*dict + ignoreChecksum bool + limitToCap bool + decodeBufsBelow int +} + +func (o *decoderOptions) setDefault() { + *o = decoderOptions{ + // use less ram: true for now, but may change. + lowMem: true, + concurrent: runtime.GOMAXPROCS(0), + maxWindowSize: MaxWindowSize, + decodeBufsBelow: 128 << 10, + } + if o.concurrent > 4 { + o.concurrent = 4 + } + o.maxDecodedSize = 64 << 30 +} + +// WithDecoderLowmem will set whether to use a lower amount of memory, +// but possibly have to allocate more while running. +func WithDecoderLowmem(b bool) DOption { + return func(o *decoderOptions) error { o.lowMem = b; return nil } +} + +// WithDecoderConcurrency sets the number of created decoders. +// When decoding block with DecodeAll, this will limit the number +// of possible concurrently running decodes. +// When decoding streams, this will limit the number of +// inflight blocks. +// When decoding streams and setting maximum to 1, +// no async decoding will be done. +// When a value of 0 is provided GOMAXPROCS will be used. +// By default this will be set to 4 or GOMAXPROCS, whatever is lower. +func WithDecoderConcurrency(n int) DOption { + return func(o *decoderOptions) error { + if n < 0 { + return errors.New("concurrency must be at least 1") + } + if n == 0 { + o.concurrent = runtime.GOMAXPROCS(0) + } else { + o.concurrent = n + } + return nil + } +} + +// WithDecoderMaxMemory allows to set a maximum decoded size for in-memory +// non-streaming operations or maximum window size for streaming operations. +// This can be used to control memory usage of potentially hostile content. +// Maximum is 1 << 63 bytes. Default is 64GiB. +func WithDecoderMaxMemory(n uint64) DOption { + return func(o *decoderOptions) error { + if n == 0 { + return errors.New("WithDecoderMaxMemory must be at least 1") + } + if n > 1<<63 { + return errors.New("WithDecoderMaxmemory must be less than 1 << 63") + } + o.maxDecodedSize = n + return nil + } +} + +// WithDecoderDicts allows to register one or more dictionaries for the decoder. +// +// Each slice in dict must be in the [dictionary format] produced by +// "zstd --train" from the Zstandard reference implementation. +// +// If several dictionaries with the same ID are provided, the last one will be used. +// +// [dictionary format]: https://github.com/facebook/zstd/blob/dev/doc/zstd_compression_format.md#dictionary-format +func WithDecoderDicts(dicts ...[]byte) DOption { + return func(o *decoderOptions) error { + for _, b := range dicts { + d, err := loadDict(b) + if err != nil { + return err + } + o.dicts = append(o.dicts, d) + } + return nil + } +} + +// WithDecoderDictRaw registers a dictionary that may be used by the decoder. +// The slice content can be arbitrary data. +func WithDecoderDictRaw(id uint32, content []byte) DOption { + return func(o *decoderOptions) error { + if bits.UintSize > 32 && uint(len(content)) > dictMaxLength { + return fmt.Errorf("dictionary of size %d > 2GiB too large", len(content)) + } + o.dicts = append(o.dicts, &dict{id: id, content: content, offsets: [3]int{1, 4, 8}}) + return nil + } +} + +// WithDecoderMaxWindow allows to set a maximum window size for decodes. +// This allows rejecting packets that will cause big memory usage. +// The Decoder will likely allocate more memory based on the WithDecoderLowmem setting. +// If WithDecoderMaxMemory is set to a lower value, that will be used. +// Default is 512MB, Maximum is ~3.75 TB as per zstandard spec. +func WithDecoderMaxWindow(size uint64) DOption { + return func(o *decoderOptions) error { + if size < MinWindowSize { + return errors.New("WithMaxWindowSize must be at least 1KB, 1024 bytes") + } + if size > (1<<41)+7*(1<<38) { + return errors.New("WithMaxWindowSize must be less than (1<<41) + 7*(1<<38) ~ 3.75TB") + } + o.maxWindowSize = size + return nil + } +} + +// WithDecodeAllCapLimit will limit DecodeAll to decoding cap(dst)-len(dst) bytes, +// or any size set in WithDecoderMaxMemory. +// This can be used to limit decoding to a specific maximum output size. +// Disabled by default. +func WithDecodeAllCapLimit(b bool) DOption { + return func(o *decoderOptions) error { + o.limitToCap = b + return nil + } +} + +// WithDecodeBuffersBelow will fully decode readers that have a +// `Bytes() []byte` and `Len() int` interface similar to bytes.Buffer. +// This typically uses less allocations but will have the full decompressed object in memory. +// Note that DecodeAllCapLimit will disable this, as well as giving a size of 0 or less. +// Default is 128KiB. +func WithDecodeBuffersBelow(size int) DOption { + return func(o *decoderOptions) error { + o.decodeBufsBelow = size + return nil + } +} + +// IgnoreChecksum allows to forcibly ignore checksum checking. +func IgnoreChecksum(b bool) DOption { + return func(o *decoderOptions) error { + o.ignoreChecksum = b + return nil + } +} diff --git a/vendor/github.com/klauspost/compress/zstd/dict.go b/vendor/github.com/klauspost/compress/zstd/dict.go new file mode 100644 index 0000000000..b7b83164bc --- /dev/null +++ b/vendor/github.com/klauspost/compress/zstd/dict.go @@ -0,0 +1,565 @@ +package zstd + +import ( + "bytes" + "encoding/binary" + "errors" + "fmt" + "io" + "math" + "sort" + + "github.com/klauspost/compress/huff0" +) + +type dict struct { + id uint32 + + litEnc *huff0.Scratch + llDec, ofDec, mlDec sequenceDec + offsets [3]int + content []byte +} + +const dictMagic = "\x37\xa4\x30\xec" + +// Maximum dictionary size for the reference implementation (1.5.3) is 2 GiB. +const dictMaxLength = 1 << 31 + +// ID returns the dictionary id or 0 if d is nil. +func (d *dict) ID() uint32 { + if d == nil { + return 0 + } + return d.id +} + +// ContentSize returns the dictionary content size or 0 if d is nil. +func (d *dict) ContentSize() int { + if d == nil { + return 0 + } + return len(d.content) +} + +// Content returns the dictionary content. +func (d *dict) Content() []byte { + if d == nil { + return nil + } + return d.content +} + +// Offsets returns the initial offsets. +func (d *dict) Offsets() [3]int { + if d == nil { + return [3]int{} + } + return d.offsets +} + +// LitEncoder returns the literal encoder. +func (d *dict) LitEncoder() *huff0.Scratch { + if d == nil { + return nil + } + return d.litEnc +} + +// Load a dictionary as described in +// https://github.com/facebook/zstd/blob/master/doc/zstd_compression_format.md#dictionary-format +func loadDict(b []byte) (*dict, error) { + // Check static field size. + if len(b) <= 8+(3*4) { + return nil, io.ErrUnexpectedEOF + } + d := dict{ + llDec: sequenceDec{fse: &fseDecoder{}}, + ofDec: sequenceDec{fse: &fseDecoder{}}, + mlDec: sequenceDec{fse: &fseDecoder{}}, + } + if string(b[:4]) != dictMagic { + return nil, ErrMagicMismatch + } + d.id = binary.LittleEndian.Uint32(b[4:8]) + if d.id == 0 { + return nil, errors.New("dictionaries cannot have ID 0") + } + + // Read literal table + var err error + d.litEnc, b, err = huff0.ReadTable(b[8:], nil) + if err != nil { + return nil, fmt.Errorf("loading literal table: %w", err) + } + d.litEnc.Reuse = huff0.ReusePolicyMust + + br := byteReader{ + b: b, + off: 0, + } + readDec := func(i tableIndex, dec *fseDecoder) error { + if err := dec.readNCount(&br, uint16(maxTableSymbol[i])); err != nil { + return err + } + if br.overread() { + return io.ErrUnexpectedEOF + } + err = dec.transform(symbolTableX[i]) + if err != nil { + println("Transform table error:", err) + return err + } + if debugDecoder || debugEncoder { + println("Read table ok", "symbolLen:", dec.symbolLen) + } + // Set decoders as predefined so they aren't reused. + dec.preDefined = true + return nil + } + + if err := readDec(tableOffsets, d.ofDec.fse); err != nil { + return nil, err + } + if err := readDec(tableMatchLengths, d.mlDec.fse); err != nil { + return nil, err + } + if err := readDec(tableLiteralLengths, d.llDec.fse); err != nil { + return nil, err + } + if br.remain() < 12 { + return nil, io.ErrUnexpectedEOF + } + + d.offsets[0] = int(br.Uint32()) + br.advance(4) + d.offsets[1] = int(br.Uint32()) + br.advance(4) + d.offsets[2] = int(br.Uint32()) + br.advance(4) + if d.offsets[0] <= 0 || d.offsets[1] <= 0 || d.offsets[2] <= 0 { + return nil, errors.New("invalid offset in dictionary") + } + d.content = make([]byte, br.remain()) + copy(d.content, br.unread()) + if d.offsets[0] > len(d.content) || d.offsets[1] > len(d.content) || d.offsets[2] > len(d.content) { + return nil, fmt.Errorf("initial offset bigger than dictionary content size %d, offsets: %v", len(d.content), d.offsets) + } + + return &d, nil +} + +// InspectDictionary loads a zstd dictionary and provides functions to inspect the content. +func InspectDictionary(b []byte) (interface { + ID() uint32 + ContentSize() int + Content() []byte + Offsets() [3]int + LitEncoder() *huff0.Scratch +}, error) { + initPredefined() + d, err := loadDict(b) + return d, err +} + +type BuildDictOptions struct { + // Dictionary ID. + ID uint32 + + // Content to use to create dictionary tables. + Contents [][]byte + + // History to use for all blocks. + History []byte + + // Offsets to use. + Offsets [3]int + + // CompatV155 will make the dictionary compatible with Zstd v1.5.5 and earlier. + // See https://github.com/facebook/zstd/issues/3724 + CompatV155 bool + + // Use the specified encoder level. + // The dictionary will be built using the specified encoder level, + // which will reflect speed and make the dictionary tailored for that level. + // If not set SpeedBestCompression will be used. + Level EncoderLevel + + // DebugOut will write stats and other details here if set. + DebugOut io.Writer +} + +func BuildDict(o BuildDictOptions) ([]byte, error) { + initPredefined() + hist := o.History + contents := o.Contents + debug := o.DebugOut != nil + println := func(args ...interface{}) { + if o.DebugOut != nil { + fmt.Fprintln(o.DebugOut, args...) + } + } + printf := func(s string, args ...interface{}) { + if o.DebugOut != nil { + fmt.Fprintf(o.DebugOut, s, args...) + } + } + print := func(args ...interface{}) { + if o.DebugOut != nil { + fmt.Fprint(o.DebugOut, args...) + } + } + + if int64(len(hist)) > dictMaxLength { + return nil, fmt.Errorf("dictionary of size %d > %d", len(hist), int64(dictMaxLength)) + } + if len(hist) < 8 { + return nil, fmt.Errorf("dictionary of size %d < %d", len(hist), 8) + } + if len(contents) == 0 { + return nil, errors.New("no content provided") + } + d := dict{ + id: o.ID, + litEnc: nil, + llDec: sequenceDec{}, + ofDec: sequenceDec{}, + mlDec: sequenceDec{}, + offsets: o.Offsets, + content: hist, + } + block := blockEnc{lowMem: false} + block.init() + enc := encoder(&bestFastEncoder{fastBase: fastBase{maxMatchOff: int32(maxMatchLen), bufferReset: math.MaxInt32 - int32(maxMatchLen*2), lowMem: false}}) + if o.Level != 0 { + eOpts := encoderOptions{ + level: o.Level, + blockSize: maxMatchLen, + windowSize: maxMatchLen, + dict: &d, + lowMem: false, + } + enc = eOpts.encoder() + } else { + o.Level = SpeedBestCompression + } + var ( + remain [256]int + ll [256]int + ml [256]int + of [256]int + ) + addValues := func(dst *[256]int, src []byte) { + for _, v := range src { + dst[v]++ + } + } + addHist := func(dst *[256]int, src *[256]uint32) { + for i, v := range src { + dst[i] += int(v) + } + } + seqs := 0 + nUsed := 0 + litTotal := 0 + newOffsets := make(map[uint32]int, 1000) + for _, b := range contents { + block.reset(nil) + if len(b) < 8 { + continue + } + nUsed++ + enc.Reset(&d, true) + enc.Encode(&block, b) + addValues(&remain, block.literals) + litTotal += len(block.literals) + if len(block.sequences) == 0 { + continue + } + seqs += len(block.sequences) + block.genCodes() + addHist(&ll, block.coders.llEnc.Histogram()) + addHist(&ml, block.coders.mlEnc.Histogram()) + addHist(&of, block.coders.ofEnc.Histogram()) + for i, seq := range block.sequences { + if i > 3 { + break + } + offset := seq.offset + if offset == 0 { + continue + } + if int(offset) >= len(o.History) { + continue + } + if offset > 3 { + newOffsets[offset-3]++ + } else { + newOffsets[uint32(o.Offsets[offset-1])]++ + } + } + } + // Find most used offsets. + var sortedOffsets []uint32 + for k := range newOffsets { + sortedOffsets = append(sortedOffsets, k) + } + sort.Slice(sortedOffsets, func(i, j int) bool { + a, b := sortedOffsets[i], sortedOffsets[j] + if a == b { + // Prefer the longer offset + return sortedOffsets[i] > sortedOffsets[j] + } + return newOffsets[sortedOffsets[i]] > newOffsets[sortedOffsets[j]] + }) + if len(sortedOffsets) > 3 { + if debug { + print("Offsets:") + for i, v := range sortedOffsets { + if i > 20 { + break + } + printf("[%d: %d],", v, newOffsets[v]) + } + println("") + } + + sortedOffsets = sortedOffsets[:3] + } + for i, v := range sortedOffsets { + o.Offsets[i] = int(v) + } + if debug { + println("New repeat offsets", o.Offsets) + } + + if nUsed == 0 || seqs == 0 { + return nil, fmt.Errorf("%d blocks, %d sequences found", nUsed, seqs) + } + if debug { + println("Sequences:", seqs, "Blocks:", nUsed, "Literals:", litTotal) + } + if seqs/nUsed < 512 { + // Use 512 as minimum. + nUsed = seqs / 512 + if nUsed == 0 { + nUsed = 1 + } + } + copyHist := func(dst *fseEncoder, src *[256]int) ([]byte, error) { + hist := dst.Histogram() + var maxSym uint8 + var maxCount int + var fakeLength int + for i, v := range src { + if v > 0 { + v = v / nUsed + if v == 0 { + v = 1 + } + } + if v > maxCount { + maxCount = v + } + if v != 0 { + maxSym = uint8(i) + } + fakeLength += v + hist[i] = uint32(v) + } + + // Ensure we aren't trying to represent RLE. + if maxCount == fakeLength { + for i := range hist { + if uint8(i) == maxSym { + fakeLength++ + maxSym++ + hist[i+1] = 1 + if maxSym > 1 { + break + } + } + if hist[0] == 0 { + fakeLength++ + hist[i] = 1 + if maxSym > 1 { + break + } + } + } + } + + dst.HistogramFinished(maxSym, maxCount) + dst.reUsed = false + dst.useRLE = false + err := dst.normalizeCount(fakeLength) + if err != nil { + return nil, err + } + if debug { + println("RAW:", dst.count[:maxSym+1], "NORM:", dst.norm[:maxSym+1], "LEN:", fakeLength) + } + return dst.writeCount(nil) + } + if debug { + print("Literal lengths: ") + } + llTable, err := copyHist(block.coders.llEnc, &ll) + if err != nil { + return nil, err + } + if debug { + print("Match lengths: ") + } + mlTable, err := copyHist(block.coders.mlEnc, &ml) + if err != nil { + return nil, err + } + if debug { + print("Offsets: ") + } + ofTable, err := copyHist(block.coders.ofEnc, &of) + if err != nil { + return nil, err + } + + // Literal table + avgSize := litTotal + if avgSize > huff0.BlockSizeMax/2 { + avgSize = huff0.BlockSizeMax / 2 + } + huffBuff := make([]byte, 0, avgSize) + // Target size + div := litTotal / avgSize + if div < 1 { + div = 1 + } + if debug { + println("Huffman weights:") + } + for i, n := range remain[:] { + if n > 0 { + n = n / div + // Allow all entries to be represented. + if n == 0 { + n = 1 + } + huffBuff = append(huffBuff, bytes.Repeat([]byte{byte(i)}, n)...) + if debug { + printf("[%d: %d], ", i, n) + } + } + } + if o.CompatV155 && remain[255]/div == 0 { + huffBuff = append(huffBuff, 255) + } + scratch := &huff0.Scratch{TableLog: 11} + for tries := 0; tries < 255; tries++ { + scratch = &huff0.Scratch{TableLog: 11} + _, _, err = huff0.Compress1X(huffBuff, scratch) + if err == nil { + break + } + if debug { + printf("Try %d: Huffman error: %v\n", tries+1, err) + } + huffBuff = huffBuff[:0] + if tries == 250 { + if debug { + println("Huffman: Bailing out with predefined table") + } + + // Bail out.... Just generate something + huffBuff = append(huffBuff, bytes.Repeat([]byte{255}, 10000)...) + for i := 0; i < 128; i++ { + huffBuff = append(huffBuff, byte(i)) + } + continue + } + if errors.Is(err, huff0.ErrIncompressible) { + // Try truncating least common. + for i, n := range remain[:] { + if n > 0 { + n = n / (div * (i + 1)) + if n > 0 { + huffBuff = append(huffBuff, bytes.Repeat([]byte{byte(i)}, n)...) + } + } + } + if o.CompatV155 && len(huffBuff) > 0 && huffBuff[len(huffBuff)-1] != 255 { + huffBuff = append(huffBuff, 255) + } + if len(huffBuff) == 0 { + huffBuff = append(huffBuff, 0, 255) + } + } + if errors.Is(err, huff0.ErrUseRLE) { + for i, n := range remain[:] { + n = n / (div * (i + 1)) + // Allow all entries to be represented. + if n == 0 { + n = 1 + } + huffBuff = append(huffBuff, bytes.Repeat([]byte{byte(i)}, n)...) + } + } + } + + var out bytes.Buffer + out.Write([]byte(dictMagic)) + out.Write(binary.LittleEndian.AppendUint32(nil, o.ID)) + out.Write(scratch.OutTable) + if debug { + println("huff table:", len(scratch.OutTable), "bytes") + println("of table:", len(ofTable), "bytes") + println("ml table:", len(mlTable), "bytes") + println("ll table:", len(llTable), "bytes") + } + out.Write(ofTable) + out.Write(mlTable) + out.Write(llTable) + out.Write(binary.LittleEndian.AppendUint32(nil, uint32(o.Offsets[0]))) + out.Write(binary.LittleEndian.AppendUint32(nil, uint32(o.Offsets[1]))) + out.Write(binary.LittleEndian.AppendUint32(nil, uint32(o.Offsets[2]))) + out.Write(hist) + if debug { + _, err := loadDict(out.Bytes()) + if err != nil { + panic(err) + } + i, err := InspectDictionary(out.Bytes()) + if err != nil { + panic(err) + } + println("ID:", i.ID()) + println("Content size:", i.ContentSize()) + println("Encoder:", i.LitEncoder() != nil) + println("Offsets:", i.Offsets()) + var totalSize int + for _, b := range contents { + totalSize += len(b) + } + + encWith := func(opts ...EOption) int { + enc, err := NewWriter(nil, opts...) + if err != nil { + panic(err) + } + defer enc.Close() + var dst []byte + var totalSize int + for _, b := range contents { + dst = enc.EncodeAll(b, dst[:0]) + totalSize += len(dst) + } + return totalSize + } + plain := encWith(WithEncoderLevel(o.Level)) + withDict := encWith(WithEncoderLevel(o.Level), WithEncoderDict(out.Bytes())) + println("Input size:", totalSize) + println("Plain Compressed:", plain) + println("Dict Compressed:", withDict) + println("Saved:", plain-withDict, (plain-withDict)/len(contents), "bytes per input (rounded down)") + } + return out.Bytes(), nil +} diff --git a/vendor/github.com/klauspost/compress/zstd/enc_base.go b/vendor/github.com/klauspost/compress/zstd/enc_base.go new file mode 100644 index 0000000000..7d250c67f5 --- /dev/null +++ b/vendor/github.com/klauspost/compress/zstd/enc_base.go @@ -0,0 +1,173 @@ +package zstd + +import ( + "fmt" + "math/bits" + + "github.com/klauspost/compress/zstd/internal/xxhash" +) + +const ( + dictShardBits = 6 +) + +type fastBase struct { + // cur is the offset at the start of hist + cur int32 + // maximum offset. Should be at least 2x block size. + maxMatchOff int32 + bufferReset int32 + hist []byte + crc *xxhash.Digest + tmp [8]byte + blk *blockEnc + lastDictID uint32 + lowMem bool +} + +// CRC returns the underlying CRC writer. +func (e *fastBase) CRC() *xxhash.Digest { + return e.crc +} + +// AppendCRC will append the CRC to the destination slice and return it. +func (e *fastBase) AppendCRC(dst []byte) []byte { + crc := e.crc.Sum(e.tmp[:0]) + dst = append(dst, crc[7], crc[6], crc[5], crc[4]) + return dst +} + +// WindowSize returns the window size of the encoder, +// or a window size small enough to contain the input size, if > 0. +func (e *fastBase) WindowSize(size int64) int32 { + if size > 0 && size < int64(e.maxMatchOff) { + b := int32(1) << uint(bits.Len(uint(size))) + // Keep minimum window. + if b < 1024 { + b = 1024 + } + return b + } + return e.maxMatchOff +} + +// Block returns the current block. +func (e *fastBase) Block() *blockEnc { + return e.blk +} + +func (e *fastBase) addBlock(src []byte) int32 { + if debugAsserts && e.cur > e.bufferReset { + panic(fmt.Sprintf("ecur (%d) > buffer reset (%d)", e.cur, e.bufferReset)) + } + // check if we have space already + if len(e.hist)+len(src) > cap(e.hist) { + if cap(e.hist) == 0 { + e.ensureHist(len(src)) + } else { + if cap(e.hist) < int(e.maxMatchOff+maxCompressedBlockSize) { + panic(fmt.Errorf("unexpected buffer cap %d, want at least %d with window %d", cap(e.hist), e.maxMatchOff+maxCompressedBlockSize, e.maxMatchOff)) + } + // Move down + offset := int32(len(e.hist)) - e.maxMatchOff + copy(e.hist[0:e.maxMatchOff], e.hist[offset:]) + e.cur += offset + e.hist = e.hist[:e.maxMatchOff] + } + } + s := int32(len(e.hist)) + e.hist = append(e.hist, src...) + return s +} + +// ensureHist will ensure that history can keep at least this many bytes. +func (e *fastBase) ensureHist(n int) { + if cap(e.hist) >= n { + return + } + l := e.maxMatchOff + if (e.lowMem && e.maxMatchOff > maxCompressedBlockSize) || e.maxMatchOff <= maxCompressedBlockSize { + l += maxCompressedBlockSize + } else { + l += e.maxMatchOff + } + // Make it at least 1MB. + if l < 1<<20 && !e.lowMem { + l = 1 << 20 + } + // Make it at least the requested size. + if l < int32(n) { + l = int32(n) + } + e.hist = make([]byte, 0, l) +} + +// useBlock will replace the block with the provided one, +// but transfer recent offsets from the previous. +func (e *fastBase) UseBlock(enc *blockEnc) { + enc.reset(e.blk) + e.blk = enc +} + +func (e *fastBase) matchlen(s, t int32, src []byte) int32 { + if debugAsserts { + if s < 0 { + err := fmt.Sprintf("s (%d) < 0", s) + panic(err) + } + if t < 0 { + err := fmt.Sprintf("t (%d) < 0", t) + panic(err) + } + if s-t > e.maxMatchOff { + err := fmt.Sprintf("s (%d) - t (%d) > maxMatchOff (%d)", s, t, e.maxMatchOff) + panic(err) + } + if len(src)-int(s) > maxCompressedBlockSize { + panic(fmt.Sprintf("len(src)-s (%d) > maxCompressedBlockSize (%d)", len(src)-int(s), maxCompressedBlockSize)) + } + } + return int32(matchLen(src[s:], src[t:])) +} + +// Reset the encoding table. +func (e *fastBase) resetBase(d *dict, singleBlock bool) { + if e.blk == nil { + e.blk = &blockEnc{lowMem: e.lowMem} + e.blk.init() + } else { + e.blk.reset(nil) + } + e.blk.initNewEncode() + if e.crc == nil { + e.crc = xxhash.New() + } else { + e.crc.Reset() + } + e.blk.dictLitEnc = nil + if d != nil { + low := e.lowMem + if singleBlock { + e.lowMem = true + } + e.ensureHist(d.ContentSize() + maxCompressedBlockSize) + e.lowMem = low + } + + // We offset current position so everything will be out of reach. + // If above reset line, history will be purged. + if e.cur < e.bufferReset { + e.cur += e.maxMatchOff + int32(len(e.hist)) + } + e.hist = e.hist[:0] + if d != nil { + // Set offsets (currently not used) + for i, off := range d.offsets { + e.blk.recentOffsets[i] = uint32(off) + e.blk.prevRecentOffsets[i] = e.blk.recentOffsets[i] + } + // Transfer litenc. + e.blk.dictLitEnc = d.litEnc + e.hist = append(e.hist, d.content...) + } +} diff --git a/vendor/github.com/klauspost/compress/zstd/enc_best.go b/vendor/github.com/klauspost/compress/zstd/enc_best.go new file mode 100644 index 0000000000..4613724e9d --- /dev/null +++ b/vendor/github.com/klauspost/compress/zstd/enc_best.go @@ -0,0 +1,560 @@ +// Copyright 2019+ Klaus Post. All rights reserved. +// License information can be found in the LICENSE file. +// Based on work by Yann Collet, released under BSD License. + +package zstd + +import ( + "bytes" + "fmt" + + "github.com/klauspost/compress" +) + +const ( + bestLongTableBits = 22 // Bits used in the long match table + bestLongTableSize = 1 << bestLongTableBits // Size of the table + bestLongLen = 8 // Bytes used for table hash + + // Note: Increasing the short table bits or making the hash shorter + // can actually lead to compression degradation since it will 'steal' more from the + // long match table and match offsets are quite big. + // This greatly depends on the type of input. + bestShortTableBits = 18 // Bits used in the short match table + bestShortTableSize = 1 << bestShortTableBits // Size of the table + bestShortLen = 4 // Bytes used for table hash + +) + +type match struct { + offset int32 + s int32 + length int32 + rep int32 + est int32 +} + +const highScore = maxMatchLen * 8 + +// estBits will estimate output bits from predefined tables. +func (m *match) estBits(bitsPerByte int32) { + mlc := mlCode(uint32(m.length - zstdMinMatch)) + var ofc uint8 + if m.rep < 0 { + ofc = ofCode(uint32(m.s-m.offset) + 3) + } else { + ofc = ofCode(uint32(m.rep) & 3) + } + // Cost, excluding + ofTT, mlTT := fsePredefEnc[tableOffsets].ct.symbolTT[ofc], fsePredefEnc[tableMatchLengths].ct.symbolTT[mlc] + + // Add cost of match encoding... + m.est = int32(ofTT.outBits + mlTT.outBits) + m.est += int32(ofTT.deltaNbBits>>16 + mlTT.deltaNbBits>>16) + // Subtract savings compared to literal encoding... + m.est -= (m.length * bitsPerByte) >> 10 + if m.est > 0 { + // Unlikely gain.. + m.length = 0 + m.est = highScore + } +} + +// bestFastEncoder uses 2 tables, one for short matches (5 bytes) and one for long matches. +// The long match table contains the previous entry with the same hash, +// effectively making it a "chain" of length 2. +// When we find a long match we choose between the two values and select the longest. +// When we find a short match, after checking the long, we check if we can find a long at n+1 +// and that it is longer (lazy matching). +type bestFastEncoder struct { + fastBase + table [bestShortTableSize]prevEntry + longTable [bestLongTableSize]prevEntry + dictTable []prevEntry + dictLongTable []prevEntry +} + +// Encode improves compression... +func (e *bestFastEncoder) Encode(blk *blockEnc, src []byte) { + const ( + // Input margin is the number of bytes we read (8) + // and the maximum we will read ahead (2) + inputMargin = 8 + 4 + minNonLiteralBlockSize = 16 + ) + + // Protect against e.cur wraparound. + for e.cur >= e.bufferReset-int32(len(e.hist)) { + if len(e.hist) == 0 { + e.table = [bestShortTableSize]prevEntry{} + e.longTable = [bestLongTableSize]prevEntry{} + e.cur = e.maxMatchOff + break + } + // Shift down everything in the table that isn't already too far away. + minOff := e.cur + int32(len(e.hist)) - e.maxMatchOff + for i := range e.table[:] { + v := e.table[i].offset + v2 := e.table[i].prev + if v < minOff { + v = 0 + v2 = 0 + } else { + v = v - e.cur + e.maxMatchOff + if v2 < minOff { + v2 = 0 + } else { + v2 = v2 - e.cur + e.maxMatchOff + } + } + e.table[i] = prevEntry{ + offset: v, + prev: v2, + } + } + for i := range e.longTable[:] { + v := e.longTable[i].offset + v2 := e.longTable[i].prev + if v < minOff { + v = 0 + v2 = 0 + } else { + v = v - e.cur + e.maxMatchOff + if v2 < minOff { + v2 = 0 + } else { + v2 = v2 - e.cur + e.maxMatchOff + } + } + e.longTable[i] = prevEntry{ + offset: v, + prev: v2, + } + } + e.cur = e.maxMatchOff + break + } + + // Add block to history + s := e.addBlock(src) + blk.size = len(src) + + // Check RLE first + if len(src) > zstdMinMatch { + ml := matchLen(src[1:], src) + if ml == len(src)-1 { + blk.literals = append(blk.literals, src[0]) + blk.sequences = append(blk.sequences, seq{litLen: 1, matchLen: uint32(len(src)-1) - zstdMinMatch, offset: 1 + 3}) + return + } + } + + if len(src) < minNonLiteralBlockSize { + blk.extraLits = len(src) + blk.literals = blk.literals[:len(src)] + copy(blk.literals, src) + return + } + + // Use this to estimate literal cost. + // Scaled by 10 bits. + bitsPerByte := int32((compress.ShannonEntropyBits(src) * 1024) / len(src)) + // Huffman can never go < 1 bit/byte + if bitsPerByte < 1024 { + bitsPerByte = 1024 + } + + // Override src + src = e.hist + sLimit := int32(len(src)) - inputMargin + const kSearchStrength = 10 + + // nextEmit is where in src the next emitLiteral should start from. + nextEmit := s + + // Relative offsets + offset1 := int32(blk.recentOffsets[0]) + offset2 := int32(blk.recentOffsets[1]) + offset3 := int32(blk.recentOffsets[2]) + + addLiterals := func(s *seq, until int32) { + if until == nextEmit { + return + } + blk.literals = append(blk.literals, src[nextEmit:until]...) + s.litLen = uint32(until - nextEmit) + } + + if debugEncoder { + println("recent offsets:", blk.recentOffsets) + } + +encodeLoop: + for { + // We allow the encoder to optionally turn off repeat offsets across blocks + canRepeat := len(blk.sequences) > 2 + + if debugAsserts && canRepeat && offset1 == 0 { + panic("offset0 was 0") + } + + const goodEnough = 250 + + cv := load6432(src, s) + + nextHashL := hashLen(cv, bestLongTableBits, bestLongLen) + nextHashS := hashLen(cv, bestShortTableBits, bestShortLen) + candidateL := e.longTable[nextHashL] + candidateS := e.table[nextHashS] + + // Set m to a match at offset if it looks like that will improve compression. + improve := func(m *match, offset int32, s int32, first uint32, rep int32) { + delta := s - offset + if delta >= e.maxMatchOff || delta <= 0 || load3232(src, offset) != first { + return + } + // Try to quick reject if we already have a long match. + if m.length > 16 { + left := len(src) - int(m.s+m.length) + // If we are too close to the end, keep as is. + if left <= 0 { + return + } + checkLen := m.length - (s - m.s) - 8 + if left > 2 && checkLen > 4 { + // Check 4 bytes, 4 bytes from the end of the current match. + a := load3232(src, offset+checkLen) + b := load3232(src, s+checkLen) + if a != b { + return + } + } + } + l := 4 + e.matchlen(s+4, offset+4, src) + if m.rep <= 0 { + // Extend candidate match backwards as far as possible. + // Do not extend repeats as we can assume they are optimal + // and offsets change if s == nextEmit. + tMin := s - e.maxMatchOff + if tMin < 0 { + tMin = 0 + } + for offset > tMin && s > nextEmit && src[offset-1] == src[s-1] && l < maxMatchLength { + s-- + offset-- + l++ + } + } + if debugAsserts { + if offset >= s { + panic(fmt.Sprintf("offset: %d - s:%d - rep: %d - cur :%d - max: %d", offset, s, rep, e.cur, e.maxMatchOff)) + } + if !bytes.Equal(src[s:s+l], src[offset:offset+l]) { + panic(fmt.Sprintf("second match mismatch: %v != %v, first: %08x", src[s:s+4], src[offset:offset+4], first)) + } + } + cand := match{offset: offset, s: s, length: l, rep: rep} + cand.estBits(bitsPerByte) + if m.est >= highScore || cand.est-m.est+(cand.s-m.s)*bitsPerByte>>10 < 0 { + *m = cand + } + } + + best := match{s: s, est: highScore} + improve(&best, candidateL.offset-e.cur, s, uint32(cv), -1) + improve(&best, candidateL.prev-e.cur, s, uint32(cv), -1) + improve(&best, candidateS.offset-e.cur, s, uint32(cv), -1) + improve(&best, candidateS.prev-e.cur, s, uint32(cv), -1) + + if canRepeat && best.length < goodEnough { + if s == nextEmit { + // Check repeats straight after a match. + improve(&best, s-offset2, s, uint32(cv), 1|4) + improve(&best, s-offset3, s, uint32(cv), 2|4) + if offset1 > 1 { + improve(&best, s-(offset1-1), s, uint32(cv), 3|4) + } + } + + // If either no match or a non-repeat match, check at + 1 + if best.rep <= 0 { + cv32 := uint32(cv >> 8) + spp := s + 1 + improve(&best, spp-offset1, spp, cv32, 1) + improve(&best, spp-offset2, spp, cv32, 2) + improve(&best, spp-offset3, spp, cv32, 3) + if best.rep < 0 { + cv32 = uint32(cv >> 24) + spp += 2 + improve(&best, spp-offset1, spp, cv32, 1) + improve(&best, spp-offset2, spp, cv32, 2) + improve(&best, spp-offset3, spp, cv32, 3) + } + } + } + // Load next and check... + e.longTable[nextHashL] = prevEntry{offset: s + e.cur, prev: candidateL.offset} + e.table[nextHashS] = prevEntry{offset: s + e.cur, prev: candidateS.offset} + index0 := s + 1 + + // Look far ahead, unless we have a really long match already... + if best.length < goodEnough { + // No match found, move forward on input, no need to check forward... + if best.length < 4 { + s += 1 + (s-nextEmit)>>(kSearchStrength-1) + if s >= sLimit { + break encodeLoop + } + continue + } + + candidateS = e.table[hashLen(cv>>8, bestShortTableBits, bestShortLen)] + cv = load6432(src, s+1) + cv2 := load6432(src, s+2) + candidateL = e.longTable[hashLen(cv, bestLongTableBits, bestLongLen)] + candidateL2 := e.longTable[hashLen(cv2, bestLongTableBits, bestLongLen)] + + // Short at s+1 + improve(&best, candidateS.offset-e.cur, s+1, uint32(cv), -1) + // Long at s+1, s+2 + improve(&best, candidateL.offset-e.cur, s+1, uint32(cv), -1) + improve(&best, candidateL.prev-e.cur, s+1, uint32(cv), -1) + improve(&best, candidateL2.offset-e.cur, s+2, uint32(cv2), -1) + improve(&best, candidateL2.prev-e.cur, s+2, uint32(cv2), -1) + if false { + // Short at s+3. + // Too often worse... + improve(&best, e.table[hashLen(cv2>>8, bestShortTableBits, bestShortLen)].offset-e.cur, s+3, uint32(cv2>>8), -1) + } + + // Start check at a fixed offset to allow for a few mismatches. + // For this compression level 2 yields the best results. + // We cannot do this if we have already indexed this position. + const skipBeginning = 2 + if best.s > s-skipBeginning { + // See if we can find a better match by checking where the current best ends. + // Use that offset to see if we can find a better full match. + if sAt := best.s + best.length; sAt < sLimit { + nextHashL := hashLen(load6432(src, sAt), bestLongTableBits, bestLongLen) + candidateEnd := e.longTable[nextHashL] + + if off := candidateEnd.offset - e.cur - best.length + skipBeginning; off >= 0 { + improve(&best, off, best.s+skipBeginning, load3232(src, best.s+skipBeginning), -1) + if off := candidateEnd.prev - e.cur - best.length + skipBeginning; off >= 0 { + improve(&best, off, best.s+skipBeginning, load3232(src, best.s+skipBeginning), -1) + } + } + } + } + } + + if debugAsserts { + if best.offset >= best.s { + panic(fmt.Sprintf("best.offset > s: %d >= %d", best.offset, best.s)) + } + if best.s < nextEmit { + panic(fmt.Sprintf("s %d < nextEmit %d", best.s, nextEmit)) + } + if best.offset < s-e.maxMatchOff { + panic(fmt.Sprintf("best.offset < s-e.maxMatchOff: %d < %d", best.offset, s-e.maxMatchOff)) + } + if !bytes.Equal(src[best.s:best.s+best.length], src[best.offset:best.offset+best.length]) { + panic(fmt.Sprintf("match mismatch: %v != %v", src[best.s:best.s+best.length], src[best.offset:best.offset+best.length])) + } + } + + // We have a match, we can store the forward value + s = best.s + if best.rep > 0 { + var seq seq + seq.matchLen = uint32(best.length - zstdMinMatch) + addLiterals(&seq, best.s) + + // Repeat. If bit 4 is set, this is a non-lit repeat. + seq.offset = uint32(best.rep & 3) + if debugSequences { + println("repeat sequence", seq, "next s:", best.s, "off:", best.s-best.offset) + } + blk.sequences = append(blk.sequences, seq) + + // Index old s + 1 -> s - 1 + s = best.s + best.length + nextEmit = s + + // Index skipped... + end := s + if s > sLimit+4 { + end = sLimit + 4 + } + off := index0 + e.cur + for index0 < end { + cv0 := load6432(src, index0) + h0 := hashLen(cv0, bestLongTableBits, bestLongLen) + h1 := hashLen(cv0, bestShortTableBits, bestShortLen) + e.longTable[h0] = prevEntry{offset: off, prev: e.longTable[h0].offset} + e.table[h1] = prevEntry{offset: off, prev: e.table[h1].offset} + off++ + index0++ + } + + switch best.rep { + case 2, 4 | 1: + offset1, offset2 = offset2, offset1 + case 3, 4 | 2: + offset1, offset2, offset3 = offset3, offset1, offset2 + case 4 | 3: + offset1, offset2, offset3 = offset1-1, offset1, offset2 + } + if s >= sLimit { + if debugEncoder { + println("repeat ended", s, best.length) + } + break encodeLoop + } + continue + } + + // A 4-byte match has been found. Update recent offsets. + // We'll later see if more than 4 bytes. + t := best.offset + offset1, offset2, offset3 = s-t, offset1, offset2 + + if debugAsserts && s <= t { + panic(fmt.Sprintf("s (%d) <= t (%d)", s, t)) + } + + if debugAsserts && int(offset1) > len(src) { + panic("invalid offset") + } + + // Write our sequence + var seq seq + l := best.length + seq.litLen = uint32(s - nextEmit) + seq.matchLen = uint32(l - zstdMinMatch) + if seq.litLen > 0 { + blk.literals = append(blk.literals, src[nextEmit:s]...) + } + seq.offset = uint32(s-t) + 3 + s += l + if debugSequences { + println("sequence", seq, "next s:", s) + } + blk.sequences = append(blk.sequences, seq) + nextEmit = s + + // Index old s + 1 -> s - 1 or sLimit + end := s + if s > sLimit-4 { + end = sLimit - 4 + } + + off := index0 + e.cur + for index0 < end { + cv0 := load6432(src, index0) + h0 := hashLen(cv0, bestLongTableBits, bestLongLen) + h1 := hashLen(cv0, bestShortTableBits, bestShortLen) + e.longTable[h0] = prevEntry{offset: off, prev: e.longTable[h0].offset} + e.table[h1] = prevEntry{offset: off, prev: e.table[h1].offset} + index0++ + off++ + } + if s >= sLimit { + break encodeLoop + } + } + + if int(nextEmit) < len(src) { + blk.literals = append(blk.literals, src[nextEmit:]...) + blk.extraLits = len(src) - int(nextEmit) + } + blk.recentOffsets[0] = uint32(offset1) + blk.recentOffsets[1] = uint32(offset2) + blk.recentOffsets[2] = uint32(offset3) + if debugEncoder { + println("returning, recent offsets:", blk.recentOffsets, "extra literals:", blk.extraLits) + } +} + +// EncodeNoHist will encode a block with no history and no following blocks. +// Most notable difference is that src will not be copied for history and +// we do not need to check for max match length. +func (e *bestFastEncoder) EncodeNoHist(blk *blockEnc, src []byte) { + e.ensureHist(len(src)) + e.Encode(blk, src) +} + +// Reset will reset and set a dictionary if not nil +func (e *bestFastEncoder) Reset(d *dict, singleBlock bool) { + e.resetBase(d, singleBlock) + if d == nil { + return + } + // Init or copy dict table + if len(e.dictTable) != len(e.table) || d.id != e.lastDictID { + if len(e.dictTable) != len(e.table) { + e.dictTable = make([]prevEntry, len(e.table)) + } + end := int32(len(d.content)) - 8 + e.maxMatchOff + for i := e.maxMatchOff; i < end; i += 4 { + const hashLog = bestShortTableBits + + cv := load6432(d.content, i-e.maxMatchOff) + nextHash := hashLen(cv, hashLog, bestShortLen) // 0 -> 4 + nextHash1 := hashLen(cv>>8, hashLog, bestShortLen) // 1 -> 5 + nextHash2 := hashLen(cv>>16, hashLog, bestShortLen) // 2 -> 6 + nextHash3 := hashLen(cv>>24, hashLog, bestShortLen) // 3 -> 7 + e.dictTable[nextHash] = prevEntry{ + prev: e.dictTable[nextHash].offset, + offset: i, + } + e.dictTable[nextHash1] = prevEntry{ + prev: e.dictTable[nextHash1].offset, + offset: i + 1, + } + e.dictTable[nextHash2] = prevEntry{ + prev: e.dictTable[nextHash2].offset, + offset: i + 2, + } + e.dictTable[nextHash3] = prevEntry{ + prev: e.dictTable[nextHash3].offset, + offset: i + 3, + } + } + e.lastDictID = d.id + } + + // Init or copy dict table + if len(e.dictLongTable) != len(e.longTable) || d.id != e.lastDictID { + if len(e.dictLongTable) != len(e.longTable) { + e.dictLongTable = make([]prevEntry, len(e.longTable)) + } + if len(d.content) >= 8 { + cv := load6432(d.content, 0) + h := hashLen(cv, bestLongTableBits, bestLongLen) + e.dictLongTable[h] = prevEntry{ + offset: e.maxMatchOff, + prev: e.dictLongTable[h].offset, + } + + end := int32(len(d.content)) - 8 + e.maxMatchOff + off := 8 // First to read + for i := e.maxMatchOff + 1; i < end; i++ { + cv = cv>>8 | (uint64(d.content[off]) << 56) + h := hashLen(cv, bestLongTableBits, bestLongLen) + e.dictLongTable[h] = prevEntry{ + offset: i, + prev: e.dictLongTable[h].offset, + } + off++ + } + } + e.lastDictID = d.id + } + // Reset table to initial state + copy(e.longTable[:], e.dictLongTable) + + e.cur = e.maxMatchOff + // Reset table to initial state + copy(e.table[:], e.dictTable) +} diff --git a/vendor/github.com/klauspost/compress/zstd/enc_better.go b/vendor/github.com/klauspost/compress/zstd/enc_better.go new file mode 100644 index 0000000000..84a79fde76 --- /dev/null +++ b/vendor/github.com/klauspost/compress/zstd/enc_better.go @@ -0,0 +1,1252 @@ +// Copyright 2019+ Klaus Post. All rights reserved. +// License information can be found in the LICENSE file. +// Based on work by Yann Collet, released under BSD License. + +package zstd + +import "fmt" + +const ( + betterLongTableBits = 19 // Bits used in the long match table + betterLongTableSize = 1 << betterLongTableBits // Size of the table + betterLongLen = 8 // Bytes used for table hash + + // Note: Increasing the short table bits or making the hash shorter + // can actually lead to compression degradation since it will 'steal' more from the + // long match table and match offsets are quite big. + // This greatly depends on the type of input. + betterShortTableBits = 13 // Bits used in the short match table + betterShortTableSize = 1 << betterShortTableBits // Size of the table + betterShortLen = 5 // Bytes used for table hash + + betterLongTableShardCnt = 1 << (betterLongTableBits - dictShardBits) // Number of shards in the table + betterLongTableShardSize = betterLongTableSize / betterLongTableShardCnt // Size of an individual shard + + betterShortTableShardCnt = 1 << (betterShortTableBits - dictShardBits) // Number of shards in the table + betterShortTableShardSize = betterShortTableSize / betterShortTableShardCnt // Size of an individual shard +) + +type prevEntry struct { + offset int32 + prev int32 +} + +// betterFastEncoder uses 2 tables, one for short matches (5 bytes) and one for long matches. +// The long match table contains the previous entry with the same hash, +// effectively making it a "chain" of length 2. +// When we find a long match we choose between the two values and select the longest. +// When we find a short match, after checking the long, we check if we can find a long at n+1 +// and that it is longer (lazy matching). +type betterFastEncoder struct { + fastBase + table [betterShortTableSize]tableEntry + longTable [betterLongTableSize]prevEntry +} + +type betterFastEncoderDict struct { + betterFastEncoder + dictTable []tableEntry + dictLongTable []prevEntry + shortTableShardDirty [betterShortTableShardCnt]bool + longTableShardDirty [betterLongTableShardCnt]bool + allDirty bool +} + +// Encode improves compression... +func (e *betterFastEncoder) Encode(blk *blockEnc, src []byte) { + const ( + // Input margin is the number of bytes we read (8) + // and the maximum we will read ahead (2) + inputMargin = 8 + 2 + minNonLiteralBlockSize = 16 + ) + + // Protect against e.cur wraparound. + for e.cur >= e.bufferReset-int32(len(e.hist)) { + if len(e.hist) == 0 { + e.table = [betterShortTableSize]tableEntry{} + e.longTable = [betterLongTableSize]prevEntry{} + e.cur = e.maxMatchOff + break + } + // Shift down everything in the table that isn't already too far away. + minOff := e.cur + int32(len(e.hist)) - e.maxMatchOff + for i := range e.table[:] { + v := e.table[i].offset + if v < minOff { + v = 0 + } else { + v = v - e.cur + e.maxMatchOff + } + e.table[i].offset = v + } + for i := range e.longTable[:] { + v := e.longTable[i].offset + v2 := e.longTable[i].prev + if v < minOff { + v = 0 + v2 = 0 + } else { + v = v - e.cur + e.maxMatchOff + if v2 < minOff { + v2 = 0 + } else { + v2 = v2 - e.cur + e.maxMatchOff + } + } + e.longTable[i] = prevEntry{ + offset: v, + prev: v2, + } + } + e.cur = e.maxMatchOff + break + } + // Add block to history + s := e.addBlock(src) + blk.size = len(src) + + // Check RLE first + if len(src) > zstdMinMatch { + ml := matchLen(src[1:], src) + if ml == len(src)-1 { + blk.literals = append(blk.literals, src[0]) + blk.sequences = append(blk.sequences, seq{litLen: 1, matchLen: uint32(len(src)-1) - zstdMinMatch, offset: 1 + 3}) + return + } + } + + if len(src) < minNonLiteralBlockSize { + blk.extraLits = len(src) + blk.literals = blk.literals[:len(src)] + copy(blk.literals, src) + return + } + + // Override src + src = e.hist + sLimit := int32(len(src)) - inputMargin + // stepSize is the number of bytes to skip on every main loop iteration. + // It should be >= 1. + const stepSize = 1 + + const kSearchStrength = 9 + + // nextEmit is where in src the next emitLiteral should start from. + nextEmit := s + cv := load6432(src, s) + + // Relative offsets + offset1 := int32(blk.recentOffsets[0]) + offset2 := int32(blk.recentOffsets[1]) + + addLiterals := func(s *seq, until int32) { + if until == nextEmit { + return + } + blk.literals = append(blk.literals, src[nextEmit:until]...) + s.litLen = uint32(until - nextEmit) + } + if debugEncoder { + println("recent offsets:", blk.recentOffsets) + } + +encodeLoop: + for { + var t int32 + // We allow the encoder to optionally turn off repeat offsets across blocks + canRepeat := len(blk.sequences) > 2 + var matched, index0 int32 + + for { + if debugAsserts && canRepeat && offset1 == 0 { + panic("offset0 was 0") + } + + nextHashL := hashLen(cv, betterLongTableBits, betterLongLen) + nextHashS := hashLen(cv, betterShortTableBits, betterShortLen) + candidateL := e.longTable[nextHashL] + candidateS := e.table[nextHashS] + + const repOff = 1 + repIndex := s - offset1 + repOff + off := s + e.cur + e.longTable[nextHashL] = prevEntry{offset: off, prev: candidateL.offset} + e.table[nextHashS] = tableEntry{offset: off, val: uint32(cv)} + index0 = s + 1 + + if canRepeat { + if repIndex >= 0 && load3232(src, repIndex) == uint32(cv>>(repOff*8)) { + // Consider history as well. + var seq seq + length := 4 + e.matchlen(s+4+repOff, repIndex+4, src) + + seq.matchLen = uint32(length - zstdMinMatch) + + // We might be able to match backwards. + // Extend as long as we can. + start := s + repOff + // We end the search early, so we don't risk 0 literals + // and have to do special offset treatment. + startLimit := nextEmit + 1 + + tMin := s - e.maxMatchOff + if tMin < 0 { + tMin = 0 + } + for repIndex > tMin && start > startLimit && src[repIndex-1] == src[start-1] && seq.matchLen < maxMatchLength-zstdMinMatch-1 { + repIndex-- + start-- + seq.matchLen++ + } + addLiterals(&seq, start) + + // rep 0 + seq.offset = 1 + if debugSequences { + println("repeat sequence", seq, "next s:", s) + } + blk.sequences = append(blk.sequences, seq) + + // Index match start+1 (long) -> s - 1 + index0 := s + repOff + s += length + repOff + + nextEmit = s + if s >= sLimit { + if debugEncoder { + println("repeat ended", s, length) + + } + break encodeLoop + } + // Index skipped... + for index0 < s-1 { + cv0 := load6432(src, index0) + cv1 := cv0 >> 8 + h0 := hashLen(cv0, betterLongTableBits, betterLongLen) + off := index0 + e.cur + e.longTable[h0] = prevEntry{offset: off, prev: e.longTable[h0].offset} + e.table[hashLen(cv1, betterShortTableBits, betterShortLen)] = tableEntry{offset: off + 1, val: uint32(cv1)} + index0 += 2 + } + cv = load6432(src, s) + continue + } + const repOff2 = 1 + + // We deviate from the reference encoder and also check offset 2. + // Still slower and not much better, so disabled. + // repIndex = s - offset2 + repOff2 + if false && repIndex >= 0 && load6432(src, repIndex) == load6432(src, s+repOff) { + // Consider history as well. + var seq seq + length := 8 + e.matchlen(s+8+repOff2, repIndex+8, src) + + seq.matchLen = uint32(length - zstdMinMatch) + + // We might be able to match backwards. + // Extend as long as we can. + start := s + repOff2 + // We end the search early, so we don't risk 0 literals + // and have to do special offset treatment. + startLimit := nextEmit + 1 + + tMin := s - e.maxMatchOff + if tMin < 0 { + tMin = 0 + } + for repIndex > tMin && start > startLimit && src[repIndex-1] == src[start-1] && seq.matchLen < maxMatchLength-zstdMinMatch-1 { + repIndex-- + start-- + seq.matchLen++ + } + addLiterals(&seq, start) + + // rep 2 + seq.offset = 2 + if debugSequences { + println("repeat sequence 2", seq, "next s:", s) + } + blk.sequences = append(blk.sequences, seq) + + s += length + repOff2 + nextEmit = s + if s >= sLimit { + if debugEncoder { + println("repeat ended", s, length) + + } + break encodeLoop + } + + // Index skipped... + for index0 < s-1 { + cv0 := load6432(src, index0) + cv1 := cv0 >> 8 + h0 := hashLen(cv0, betterLongTableBits, betterLongLen) + off := index0 + e.cur + e.longTable[h0] = prevEntry{offset: off, prev: e.longTable[h0].offset} + e.table[hashLen(cv1, betterShortTableBits, betterShortLen)] = tableEntry{offset: off + 1, val: uint32(cv1)} + index0 += 2 + } + cv = load6432(src, s) + // Swap offsets + offset1, offset2 = offset2, offset1 + continue + } + } + // Find the offsets of our two matches. + coffsetL := candidateL.offset - e.cur + coffsetLP := candidateL.prev - e.cur + + // Check if we have a long match. + if s-coffsetL < e.maxMatchOff && cv == load6432(src, coffsetL) { + // Found a long match, at least 8 bytes. + matched = e.matchlen(s+8, coffsetL+8, src) + 8 + t = coffsetL + if debugAsserts && s <= t { + panic(fmt.Sprintf("s (%d) <= t (%d)", s, t)) + } + if debugAsserts && s-t > e.maxMatchOff { + panic("s - t >e.maxMatchOff") + } + if debugMatches { + println("long match") + } + + if s-coffsetLP < e.maxMatchOff && cv == load6432(src, coffsetLP) { + // Found a long match, at least 8 bytes. + prevMatch := e.matchlen(s+8, coffsetLP+8, src) + 8 + if prevMatch > matched { + matched = prevMatch + t = coffsetLP + } + if debugAsserts && s <= t { + panic(fmt.Sprintf("s (%d) <= t (%d)", s, t)) + } + if debugAsserts && s-t > e.maxMatchOff { + panic("s - t >e.maxMatchOff") + } + if debugMatches { + println("long match") + } + } + break + } + + // Check if we have a long match on prev. + if s-coffsetLP < e.maxMatchOff && cv == load6432(src, coffsetLP) { + // Found a long match, at least 8 bytes. + matched = e.matchlen(s+8, coffsetLP+8, src) + 8 + t = coffsetLP + if debugAsserts && s <= t { + panic(fmt.Sprintf("s (%d) <= t (%d)", s, t)) + } + if debugAsserts && s-t > e.maxMatchOff { + panic("s - t >e.maxMatchOff") + } + if debugMatches { + println("long match") + } + break + } + + coffsetS := candidateS.offset - e.cur + + // Check if we have a short match. + if s-coffsetS < e.maxMatchOff && uint32(cv) == candidateS.val { + // found a regular match + matched = e.matchlen(s+4, coffsetS+4, src) + 4 + + // See if we can find a long match at s+1 + const checkAt = 1 + cv := load6432(src, s+checkAt) + nextHashL = hashLen(cv, betterLongTableBits, betterLongLen) + candidateL = e.longTable[nextHashL] + coffsetL = candidateL.offset - e.cur + + // We can store it, since we have at least a 4 byte match. + e.longTable[nextHashL] = prevEntry{offset: s + checkAt + e.cur, prev: candidateL.offset} + if s-coffsetL < e.maxMatchOff && cv == load6432(src, coffsetL) { + // Found a long match, at least 8 bytes. + matchedNext := e.matchlen(s+8+checkAt, coffsetL+8, src) + 8 + if matchedNext > matched { + t = coffsetL + s += checkAt + matched = matchedNext + if debugMatches { + println("long match (after short)") + } + break + } + } + + // Check prev long... + coffsetL = candidateL.prev - e.cur + if s-coffsetL < e.maxMatchOff && cv == load6432(src, coffsetL) { + // Found a long match, at least 8 bytes. + matchedNext := e.matchlen(s+8+checkAt, coffsetL+8, src) + 8 + if matchedNext > matched { + t = coffsetL + s += checkAt + matched = matchedNext + if debugMatches { + println("prev long match (after short)") + } + break + } + } + t = coffsetS + if debugAsserts && s <= t { + panic(fmt.Sprintf("s (%d) <= t (%d)", s, t)) + } + if debugAsserts && s-t > e.maxMatchOff { + panic("s - t >e.maxMatchOff") + } + if debugAsserts && t < 0 { + panic("t<0") + } + if debugMatches { + println("short match") + } + break + } + + // No match found, move forward in input. + s += stepSize + ((s - nextEmit) >> (kSearchStrength - 1)) + if s >= sLimit { + break encodeLoop + } + cv = load6432(src, s) + } + + // Try to find a better match by searching for a long match at the end of the current best match + if s+matched < sLimit { + // Allow some bytes at the beginning to mismatch. + // Sweet spot is around 3 bytes, but depends on input. + // The skipped bytes are tested in Extend backwards, + // and still picked up as part of the match if they do. + const skipBeginning = 3 + + nextHashL := hashLen(load6432(src, s+matched), betterLongTableBits, betterLongLen) + s2 := s + skipBeginning + cv := load3232(src, s2) + candidateL := e.longTable[nextHashL] + coffsetL := candidateL.offset - e.cur - matched + skipBeginning + if coffsetL >= 0 && coffsetL < s2 && s2-coffsetL < e.maxMatchOff && cv == load3232(src, coffsetL) { + // Found a long match, at least 4 bytes. + matchedNext := e.matchlen(s2+4, coffsetL+4, src) + 4 + if matchedNext > matched { + t = coffsetL + s = s2 + matched = matchedNext + if debugMatches { + println("long match at end-of-match") + } + } + } + + // Check prev long... + if true { + coffsetL = candidateL.prev - e.cur - matched + skipBeginning + if coffsetL >= 0 && coffsetL < s2 && s2-coffsetL < e.maxMatchOff && cv == load3232(src, coffsetL) { + // Found a long match, at least 4 bytes. + matchedNext := e.matchlen(s2+4, coffsetL+4, src) + 4 + if matchedNext > matched { + t = coffsetL + s = s2 + matched = matchedNext + if debugMatches { + println("prev long match at end-of-match") + } + } + } + } + } + // A match has been found. Update recent offsets. + offset2 = offset1 + offset1 = s - t + + if debugAsserts && s <= t { + panic(fmt.Sprintf("s (%d) <= t (%d)", s, t)) + } + + if debugAsserts && canRepeat && int(offset1) > len(src) { + panic("invalid offset") + } + + // Extend the n-byte match as long as possible. + l := matched + + // Extend backwards + tMin := s - e.maxMatchOff + if tMin < 0 { + tMin = 0 + } + for t > tMin && s > nextEmit && src[t-1] == src[s-1] && l < maxMatchLength { + s-- + t-- + l++ + } + + // Write our sequence + var seq seq + seq.litLen = uint32(s - nextEmit) + seq.matchLen = uint32(l - zstdMinMatch) + if seq.litLen > 0 { + blk.literals = append(blk.literals, src[nextEmit:s]...) + } + seq.offset = uint32(s-t) + 3 + s += l + if debugSequences { + println("sequence", seq, "next s:", s) + } + blk.sequences = append(blk.sequences, seq) + nextEmit = s + if s >= sLimit { + break encodeLoop + } + + // Index match start+1 (long) -> s - 1 + off := index0 + e.cur + for index0 < s-1 { + cv0 := load6432(src, index0) + cv1 := cv0 >> 8 + h0 := hashLen(cv0, betterLongTableBits, betterLongLen) + e.longTable[h0] = prevEntry{offset: off, prev: e.longTable[h0].offset} + e.table[hashLen(cv1, betterShortTableBits, betterShortLen)] = tableEntry{offset: off + 1, val: uint32(cv1)} + index0 += 2 + off += 2 + } + + cv = load6432(src, s) + if !canRepeat { + continue + } + + // Check offset 2 + for { + o2 := s - offset2 + if load3232(src, o2) != uint32(cv) { + // Do regular search + break + } + + // Store this, since we have it. + nextHashL := hashLen(cv, betterLongTableBits, betterLongLen) + nextHashS := hashLen(cv, betterShortTableBits, betterShortLen) + + // We have at least 4 byte match. + // No need to check backwards. We come straight from a match + l := 4 + e.matchlen(s+4, o2+4, src) + + e.longTable[nextHashL] = prevEntry{offset: s + e.cur, prev: e.longTable[nextHashL].offset} + e.table[nextHashS] = tableEntry{offset: s + e.cur, val: uint32(cv)} + seq.matchLen = uint32(l) - zstdMinMatch + seq.litLen = 0 + + // Since litlen is always 0, this is offset 1. + seq.offset = 1 + s += l + nextEmit = s + if debugSequences { + println("sequence", seq, "next s:", s) + } + blk.sequences = append(blk.sequences, seq) + + // Swap offset 1 and 2. + offset1, offset2 = offset2, offset1 + if s >= sLimit { + // Finished + break encodeLoop + } + cv = load6432(src, s) + } + } + + if int(nextEmit) < len(src) { + blk.literals = append(blk.literals, src[nextEmit:]...) + blk.extraLits = len(src) - int(nextEmit) + } + blk.recentOffsets[0] = uint32(offset1) + blk.recentOffsets[1] = uint32(offset2) + if debugEncoder { + println("returning, recent offsets:", blk.recentOffsets, "extra literals:", blk.extraLits) + } +} + +// EncodeNoHist will encode a block with no history and no following blocks. +// Most notable difference is that src will not be copied for history and +// we do not need to check for max match length. +func (e *betterFastEncoder) EncodeNoHist(blk *blockEnc, src []byte) { + e.ensureHist(len(src)) + e.Encode(blk, src) +} + +// Encode improves compression... +func (e *betterFastEncoderDict) Encode(blk *blockEnc, src []byte) { + const ( + // Input margin is the number of bytes we read (8) + // and the maximum we will read ahead (2) + inputMargin = 8 + 2 + minNonLiteralBlockSize = 16 + ) + + // Protect against e.cur wraparound. + for e.cur >= e.bufferReset-int32(len(e.hist)) { + if len(e.hist) == 0 { + for i := range e.table[:] { + e.table[i] = tableEntry{} + } + for i := range e.longTable[:] { + e.longTable[i] = prevEntry{} + } + e.cur = e.maxMatchOff + e.allDirty = true + break + } + // Shift down everything in the table that isn't already too far away. + minOff := e.cur + int32(len(e.hist)) - e.maxMatchOff + for i := range e.table[:] { + v := e.table[i].offset + if v < minOff { + v = 0 + } else { + v = v - e.cur + e.maxMatchOff + } + e.table[i].offset = v + } + for i := range e.longTable[:] { + v := e.longTable[i].offset + v2 := e.longTable[i].prev + if v < minOff { + v = 0 + v2 = 0 + } else { + v = v - e.cur + e.maxMatchOff + if v2 < minOff { + v2 = 0 + } else { + v2 = v2 - e.cur + e.maxMatchOff + } + } + e.longTable[i] = prevEntry{ + offset: v, + prev: v2, + } + } + e.allDirty = true + e.cur = e.maxMatchOff + break + } + + s := e.addBlock(src) + blk.size = len(src) + if len(src) < minNonLiteralBlockSize { + blk.extraLits = len(src) + blk.literals = blk.literals[:len(src)] + copy(blk.literals, src) + return + } + + // Override src + src = e.hist + sLimit := int32(len(src)) - inputMargin + // stepSize is the number of bytes to skip on every main loop iteration. + // It should be >= 1. + const stepSize = 1 + + const kSearchStrength = 9 + + // nextEmit is where in src the next emitLiteral should start from. + nextEmit := s + cv := load6432(src, s) + + // Relative offsets + offset1 := int32(blk.recentOffsets[0]) + offset2 := int32(blk.recentOffsets[1]) + + addLiterals := func(s *seq, until int32) { + if until == nextEmit { + return + } + blk.literals = append(blk.literals, src[nextEmit:until]...) + s.litLen = uint32(until - nextEmit) + } + if debugEncoder { + println("recent offsets:", blk.recentOffsets) + } + +encodeLoop: + for { + var t int32 + // We allow the encoder to optionally turn off repeat offsets across blocks + canRepeat := len(blk.sequences) > 2 + var matched, index0 int32 + + for { + if debugAsserts && canRepeat && offset1 == 0 { + panic("offset0 was 0") + } + + nextHashL := hashLen(cv, betterLongTableBits, betterLongLen) + nextHashS := hashLen(cv, betterShortTableBits, betterShortLen) + candidateL := e.longTable[nextHashL] + candidateS := e.table[nextHashS] + + const repOff = 1 + repIndex := s - offset1 + repOff + off := s + e.cur + e.longTable[nextHashL] = prevEntry{offset: off, prev: candidateL.offset} + e.markLongShardDirty(nextHashL) + e.table[nextHashS] = tableEntry{offset: off, val: uint32(cv)} + e.markShortShardDirty(nextHashS) + index0 = s + 1 + + if canRepeat { + if repIndex >= 0 && load3232(src, repIndex) == uint32(cv>>(repOff*8)) { + // Consider history as well. + var seq seq + length := 4 + e.matchlen(s+4+repOff, repIndex+4, src) + + seq.matchLen = uint32(length - zstdMinMatch) + + // We might be able to match backwards. + // Extend as long as we can. + start := s + repOff + // We end the search early, so we don't risk 0 literals + // and have to do special offset treatment. + startLimit := nextEmit + 1 + + tMin := s - e.maxMatchOff + if tMin < 0 { + tMin = 0 + } + for repIndex > tMin && start > startLimit && src[repIndex-1] == src[start-1] && seq.matchLen < maxMatchLength-zstdMinMatch-1 { + repIndex-- + start-- + seq.matchLen++ + } + addLiterals(&seq, start) + + // rep 0 + seq.offset = 1 + if debugSequences { + println("repeat sequence", seq, "next s:", s) + } + blk.sequences = append(blk.sequences, seq) + + // Index match start+1 (long) -> s - 1 + s += length + repOff + + nextEmit = s + if s >= sLimit { + if debugEncoder { + println("repeat ended", s, length) + + } + break encodeLoop + } + // Index skipped... + for index0 < s-1 { + cv0 := load6432(src, index0) + cv1 := cv0 >> 8 + h0 := hashLen(cv0, betterLongTableBits, betterLongLen) + off := index0 + e.cur + e.longTable[h0] = prevEntry{offset: off, prev: e.longTable[h0].offset} + e.markLongShardDirty(h0) + h1 := hashLen(cv1, betterShortTableBits, betterShortLen) + e.table[h1] = tableEntry{offset: off + 1, val: uint32(cv1)} + e.markShortShardDirty(h1) + index0 += 2 + } + cv = load6432(src, s) + continue + } + const repOff2 = 1 + + // We deviate from the reference encoder and also check offset 2. + // Still slower and not much better, so disabled. + // repIndex = s - offset2 + repOff2 + if false && repIndex >= 0 && load6432(src, repIndex) == load6432(src, s+repOff) { + // Consider history as well. + var seq seq + length := 8 + e.matchlen(s+8+repOff2, repIndex+8, src) + + seq.matchLen = uint32(length - zstdMinMatch) + + // We might be able to match backwards. + // Extend as long as we can. + start := s + repOff2 + // We end the search early, so we don't risk 0 literals + // and have to do special offset treatment. + startLimit := nextEmit + 1 + + tMin := s - e.maxMatchOff + if tMin < 0 { + tMin = 0 + } + for repIndex > tMin && start > startLimit && src[repIndex-1] == src[start-1] && seq.matchLen < maxMatchLength-zstdMinMatch-1 { + repIndex-- + start-- + seq.matchLen++ + } + addLiterals(&seq, start) + + // rep 2 + seq.offset = 2 + if debugSequences { + println("repeat sequence 2", seq, "next s:", s) + } + blk.sequences = append(blk.sequences, seq) + + s += length + repOff2 + nextEmit = s + if s >= sLimit { + if debugEncoder { + println("repeat ended", s, length) + + } + break encodeLoop + } + + // Index skipped... + for index0 < s-1 { + cv0 := load6432(src, index0) + cv1 := cv0 >> 8 + h0 := hashLen(cv0, betterLongTableBits, betterLongLen) + off := index0 + e.cur + e.longTable[h0] = prevEntry{offset: off, prev: e.longTable[h0].offset} + e.markLongShardDirty(h0) + h1 := hashLen(cv1, betterShortTableBits, betterShortLen) + e.table[h1] = tableEntry{offset: off + 1, val: uint32(cv1)} + e.markShortShardDirty(h1) + index0 += 2 + } + cv = load6432(src, s) + // Swap offsets + offset1, offset2 = offset2, offset1 + continue + } + } + // Find the offsets of our two matches. + coffsetL := candidateL.offset - e.cur + coffsetLP := candidateL.prev - e.cur + + // Check if we have a long match. + if s-coffsetL < e.maxMatchOff && cv == load6432(src, coffsetL) { + // Found a long match, at least 8 bytes. + matched = e.matchlen(s+8, coffsetL+8, src) + 8 + t = coffsetL + if debugAsserts && s <= t { + panic(fmt.Sprintf("s (%d) <= t (%d)", s, t)) + } + if debugAsserts && s-t > e.maxMatchOff { + panic("s - t >e.maxMatchOff") + } + if debugMatches { + println("long match") + } + + if s-coffsetLP < e.maxMatchOff && cv == load6432(src, coffsetLP) { + // Found a long match, at least 8 bytes. + prevMatch := e.matchlen(s+8, coffsetLP+8, src) + 8 + if prevMatch > matched { + matched = prevMatch + t = coffsetLP + } + if debugAsserts && s <= t { + panic(fmt.Sprintf("s (%d) <= t (%d)", s, t)) + } + if debugAsserts && s-t > e.maxMatchOff { + panic("s - t >e.maxMatchOff") + } + if debugMatches { + println("long match") + } + } + break + } + + // Check if we have a long match on prev. + if s-coffsetLP < e.maxMatchOff && cv == load6432(src, coffsetLP) { + // Found a long match, at least 8 bytes. + matched = e.matchlen(s+8, coffsetLP+8, src) + 8 + t = coffsetLP + if debugAsserts && s <= t { + panic(fmt.Sprintf("s (%d) <= t (%d)", s, t)) + } + if debugAsserts && s-t > e.maxMatchOff { + panic("s - t >e.maxMatchOff") + } + if debugMatches { + println("long match") + } + break + } + + coffsetS := candidateS.offset - e.cur + + // Check if we have a short match. + if s-coffsetS < e.maxMatchOff && uint32(cv) == candidateS.val { + // found a regular match + matched = e.matchlen(s+4, coffsetS+4, src) + 4 + + // See if we can find a long match at s+1 + const checkAt = 1 + cv := load6432(src, s+checkAt) + nextHashL = hashLen(cv, betterLongTableBits, betterLongLen) + candidateL = e.longTable[nextHashL] + coffsetL = candidateL.offset - e.cur + + // We can store it, since we have at least a 4 byte match. + e.longTable[nextHashL] = prevEntry{offset: s + checkAt + e.cur, prev: candidateL.offset} + e.markLongShardDirty(nextHashL) + if s-coffsetL < e.maxMatchOff && cv == load6432(src, coffsetL) { + // Found a long match, at least 8 bytes. + matchedNext := e.matchlen(s+8+checkAt, coffsetL+8, src) + 8 + if matchedNext > matched { + t = coffsetL + s += checkAt + matched = matchedNext + if debugMatches { + println("long match (after short)") + } + break + } + } + + // Check prev long... + coffsetL = candidateL.prev - e.cur + if s-coffsetL < e.maxMatchOff && cv == load6432(src, coffsetL) { + // Found a long match, at least 8 bytes. + matchedNext := e.matchlen(s+8+checkAt, coffsetL+8, src) + 8 + if matchedNext > matched { + t = coffsetL + s += checkAt + matched = matchedNext + if debugMatches { + println("prev long match (after short)") + } + break + } + } + t = coffsetS + if debugAsserts && s <= t { + panic(fmt.Sprintf("s (%d) <= t (%d)", s, t)) + } + if debugAsserts && s-t > e.maxMatchOff { + panic("s - t >e.maxMatchOff") + } + if debugAsserts && t < 0 { + panic("t<0") + } + if debugMatches { + println("short match") + } + break + } + + // No match found, move forward in input. + s += stepSize + ((s - nextEmit) >> (kSearchStrength - 1)) + if s >= sLimit { + break encodeLoop + } + cv = load6432(src, s) + } + // Try to find a better match by searching for a long match at the end of the current best match + if s+matched < sLimit { + nextHashL := hashLen(load6432(src, s+matched), betterLongTableBits, betterLongLen) + cv := load3232(src, s) + candidateL := e.longTable[nextHashL] + coffsetL := candidateL.offset - e.cur - matched + if coffsetL >= 0 && coffsetL < s && s-coffsetL < e.maxMatchOff && cv == load3232(src, coffsetL) { + // Found a long match, at least 4 bytes. + matchedNext := e.matchlen(s+4, coffsetL+4, src) + 4 + if matchedNext > matched { + t = coffsetL + matched = matchedNext + if debugMatches { + println("long match at end-of-match") + } + } + } + + // Check prev long... + if true { + coffsetL = candidateL.prev - e.cur - matched + if coffsetL >= 0 && coffsetL < s && s-coffsetL < e.maxMatchOff && cv == load3232(src, coffsetL) { + // Found a long match, at least 4 bytes. + matchedNext := e.matchlen(s+4, coffsetL+4, src) + 4 + if matchedNext > matched { + t = coffsetL + matched = matchedNext + if debugMatches { + println("prev long match at end-of-match") + } + } + } + } + } + // A match has been found. Update recent offsets. + offset2 = offset1 + offset1 = s - t + + if debugAsserts && s <= t { + panic(fmt.Sprintf("s (%d) <= t (%d)", s, t)) + } + + if debugAsserts && canRepeat && int(offset1) > len(src) { + panic("invalid offset") + } + + // Extend the n-byte match as long as possible. + l := matched + + // Extend backwards + tMin := s - e.maxMatchOff + if tMin < 0 { + tMin = 0 + } + for t > tMin && s > nextEmit && src[t-1] == src[s-1] && l < maxMatchLength { + s-- + t-- + l++ + } + + // Write our sequence + var seq seq + seq.litLen = uint32(s - nextEmit) + seq.matchLen = uint32(l - zstdMinMatch) + if seq.litLen > 0 { + blk.literals = append(blk.literals, src[nextEmit:s]...) + } + seq.offset = uint32(s-t) + 3 + s += l + if debugSequences { + println("sequence", seq, "next s:", s) + } + blk.sequences = append(blk.sequences, seq) + nextEmit = s + if s >= sLimit { + break encodeLoop + } + + // Index match start+1 (long) -> s - 1 + off := index0 + e.cur + for index0 < s-1 { + cv0 := load6432(src, index0) + cv1 := cv0 >> 8 + h0 := hashLen(cv0, betterLongTableBits, betterLongLen) + e.longTable[h0] = prevEntry{offset: off, prev: e.longTable[h0].offset} + e.markLongShardDirty(h0) + h1 := hashLen(cv1, betterShortTableBits, betterShortLen) + e.table[h1] = tableEntry{offset: off + 1, val: uint32(cv1)} + e.markShortShardDirty(h1) + index0 += 2 + off += 2 + } + + cv = load6432(src, s) + if !canRepeat { + continue + } + + // Check offset 2 + for { + o2 := s - offset2 + if load3232(src, o2) != uint32(cv) { + // Do regular search + break + } + + // Store this, since we have it. + nextHashL := hashLen(cv, betterLongTableBits, betterLongLen) + nextHashS := hashLen(cv, betterShortTableBits, betterShortLen) + + // We have at least 4 byte match. + // No need to check backwards. We come straight from a match + l := 4 + e.matchlen(s+4, o2+4, src) + + e.longTable[nextHashL] = prevEntry{offset: s + e.cur, prev: e.longTable[nextHashL].offset} + e.markLongShardDirty(nextHashL) + e.table[nextHashS] = tableEntry{offset: s + e.cur, val: uint32(cv)} + e.markShortShardDirty(nextHashS) + seq.matchLen = uint32(l) - zstdMinMatch + seq.litLen = 0 + + // Since litlen is always 0, this is offset 1. + seq.offset = 1 + s += l + nextEmit = s + if debugSequences { + println("sequence", seq, "next s:", s) + } + blk.sequences = append(blk.sequences, seq) + + // Swap offset 1 and 2. + offset1, offset2 = offset2, offset1 + if s >= sLimit { + // Finished + break encodeLoop + } + cv = load6432(src, s) + } + } + + if int(nextEmit) < len(src) { + blk.literals = append(blk.literals, src[nextEmit:]...) + blk.extraLits = len(src) - int(nextEmit) + } + blk.recentOffsets[0] = uint32(offset1) + blk.recentOffsets[1] = uint32(offset2) + if debugEncoder { + println("returning, recent offsets:", blk.recentOffsets, "extra literals:", blk.extraLits) + } +} + +// ResetDict will reset and set a dictionary if not nil +func (e *betterFastEncoder) Reset(d *dict, singleBlock bool) { + e.resetBase(d, singleBlock) + if d != nil { + panic("betterFastEncoder: Reset with dict") + } +} + +// ResetDict will reset and set a dictionary if not nil +func (e *betterFastEncoderDict) Reset(d *dict, singleBlock bool) { + e.resetBase(d, singleBlock) + if d == nil { + return + } + // Init or copy dict table + if len(e.dictTable) != len(e.table) || d.id != e.lastDictID { + if len(e.dictTable) != len(e.table) { + e.dictTable = make([]tableEntry, len(e.table)) + } + end := int32(len(d.content)) - 8 + e.maxMatchOff + for i := e.maxMatchOff; i < end; i += 4 { + const hashLog = betterShortTableBits + + cv := load6432(d.content, i-e.maxMatchOff) + nextHash := hashLen(cv, hashLog, betterShortLen) // 0 -> 4 + nextHash1 := hashLen(cv>>8, hashLog, betterShortLen) // 1 -> 5 + nextHash2 := hashLen(cv>>16, hashLog, betterShortLen) // 2 -> 6 + nextHash3 := hashLen(cv>>24, hashLog, betterShortLen) // 3 -> 7 + e.dictTable[nextHash] = tableEntry{ + val: uint32(cv), + offset: i, + } + e.dictTable[nextHash1] = tableEntry{ + val: uint32(cv >> 8), + offset: i + 1, + } + e.dictTable[nextHash2] = tableEntry{ + val: uint32(cv >> 16), + offset: i + 2, + } + e.dictTable[nextHash3] = tableEntry{ + val: uint32(cv >> 24), + offset: i + 3, + } + } + e.lastDictID = d.id + e.allDirty = true + } + + // Init or copy dict table + if len(e.dictLongTable) != len(e.longTable) || d.id != e.lastDictID { + if len(e.dictLongTable) != len(e.longTable) { + e.dictLongTable = make([]prevEntry, len(e.longTable)) + } + if len(d.content) >= 8 { + cv := load6432(d.content, 0) + h := hashLen(cv, betterLongTableBits, betterLongLen) + e.dictLongTable[h] = prevEntry{ + offset: e.maxMatchOff, + prev: e.dictLongTable[h].offset, + } + + end := int32(len(d.content)) - 8 + e.maxMatchOff + off := 8 // First to read + for i := e.maxMatchOff + 1; i < end; i++ { + cv = cv>>8 | (uint64(d.content[off]) << 56) + h := hashLen(cv, betterLongTableBits, betterLongLen) + e.dictLongTable[h] = prevEntry{ + offset: i, + prev: e.dictLongTable[h].offset, + } + off++ + } + } + e.lastDictID = d.id + e.allDirty = true + } + + // Reset table to initial state + { + dirtyShardCnt := 0 + if !e.allDirty { + for i := range e.shortTableShardDirty { + if e.shortTableShardDirty[i] { + dirtyShardCnt++ + } + } + } + const shardCnt = betterShortTableShardCnt + const shardSize = betterShortTableShardSize + if e.allDirty || dirtyShardCnt > shardCnt*4/6 { + copy(e.table[:], e.dictTable) + for i := range e.shortTableShardDirty { + e.shortTableShardDirty[i] = false + } + } else { + for i := range e.shortTableShardDirty { + if !e.shortTableShardDirty[i] { + continue + } + + copy(e.table[i*shardSize:(i+1)*shardSize], e.dictTable[i*shardSize:(i+1)*shardSize]) + e.shortTableShardDirty[i] = false + } + } + } + { + dirtyShardCnt := 0 + if !e.allDirty { + for i := range e.shortTableShardDirty { + if e.shortTableShardDirty[i] { + dirtyShardCnt++ + } + } + } + const shardCnt = betterLongTableShardCnt + const shardSize = betterLongTableShardSize + if e.allDirty || dirtyShardCnt > shardCnt*4/6 { + copy(e.longTable[:], e.dictLongTable) + for i := range e.longTableShardDirty { + e.longTableShardDirty[i] = false + } + } else { + for i := range e.longTableShardDirty { + if !e.longTableShardDirty[i] { + continue + } + + copy(e.longTable[i*shardSize:(i+1)*shardSize], e.dictLongTable[i*shardSize:(i+1)*shardSize]) + e.longTableShardDirty[i] = false + } + } + } + e.cur = e.maxMatchOff + e.allDirty = false +} + +func (e *betterFastEncoderDict) markLongShardDirty(entryNum uint32) { + e.longTableShardDirty[entryNum/betterLongTableShardSize] = true +} + +func (e *betterFastEncoderDict) markShortShardDirty(entryNum uint32) { + e.shortTableShardDirty[entryNum/betterShortTableShardSize] = true +} diff --git a/vendor/github.com/klauspost/compress/zstd/enc_dfast.go b/vendor/github.com/klauspost/compress/zstd/enc_dfast.go new file mode 100644 index 0000000000..d36be7bd8c --- /dev/null +++ b/vendor/github.com/klauspost/compress/zstd/enc_dfast.go @@ -0,0 +1,1123 @@ +// Copyright 2019+ Klaus Post. All rights reserved. +// License information can be found in the LICENSE file. +// Based on work by Yann Collet, released under BSD License. + +package zstd + +import "fmt" + +const ( + dFastLongTableBits = 17 // Bits used in the long match table + dFastLongTableSize = 1 << dFastLongTableBits // Size of the table + dFastLongTableMask = dFastLongTableSize - 1 // Mask for table indices. Redundant, but can eliminate bounds checks. + dFastLongLen = 8 // Bytes used for table hash + + dLongTableShardCnt = 1 << (dFastLongTableBits - dictShardBits) // Number of shards in the table + dLongTableShardSize = dFastLongTableSize / tableShardCnt // Size of an individual shard + + dFastShortTableBits = tableBits // Bits used in the short match table + dFastShortTableSize = 1 << dFastShortTableBits // Size of the table + dFastShortTableMask = dFastShortTableSize - 1 // Mask for table indices. Redundant, but can eliminate bounds checks. + dFastShortLen = 5 // Bytes used for table hash + +) + +type doubleFastEncoder struct { + fastEncoder + longTable [dFastLongTableSize]tableEntry +} + +type doubleFastEncoderDict struct { + fastEncoderDict + longTable [dFastLongTableSize]tableEntry + dictLongTable []tableEntry + longTableShardDirty [dLongTableShardCnt]bool +} + +// Encode mimmics functionality in zstd_dfast.c +func (e *doubleFastEncoder) Encode(blk *blockEnc, src []byte) { + const ( + // Input margin is the number of bytes we read (8) + // and the maximum we will read ahead (2) + inputMargin = 8 + 2 + minNonLiteralBlockSize = 16 + ) + + // Protect against e.cur wraparound. + for e.cur >= e.bufferReset-int32(len(e.hist)) { + if len(e.hist) == 0 { + e.table = [dFastShortTableSize]tableEntry{} + e.longTable = [dFastLongTableSize]tableEntry{} + e.cur = e.maxMatchOff + break + } + // Shift down everything in the table that isn't already too far away. + minOff := e.cur + int32(len(e.hist)) - e.maxMatchOff + for i := range e.table[:] { + v := e.table[i].offset + if v < minOff { + v = 0 + } else { + v = v - e.cur + e.maxMatchOff + } + e.table[i].offset = v + } + for i := range e.longTable[:] { + v := e.longTable[i].offset + if v < minOff { + v = 0 + } else { + v = v - e.cur + e.maxMatchOff + } + e.longTable[i].offset = v + } + e.cur = e.maxMatchOff + break + } + + s := e.addBlock(src) + blk.size = len(src) + if len(src) < minNonLiteralBlockSize { + blk.extraLits = len(src) + blk.literals = blk.literals[:len(src)] + copy(blk.literals, src) + return + } + + // Override src + src = e.hist + sLimit := int32(len(src)) - inputMargin + // stepSize is the number of bytes to skip on every main loop iteration. + // It should be >= 1. + const stepSize = 1 + + const kSearchStrength = 8 + + // nextEmit is where in src the next emitLiteral should start from. + nextEmit := s + cv := load6432(src, s) + + // Relative offsets + offset1 := int32(blk.recentOffsets[0]) + offset2 := int32(blk.recentOffsets[1]) + + addLiterals := func(s *seq, until int32) { + if until == nextEmit { + return + } + blk.literals = append(blk.literals, src[nextEmit:until]...) + s.litLen = uint32(until - nextEmit) + } + if debugEncoder { + println("recent offsets:", blk.recentOffsets) + } + +encodeLoop: + for { + var t int32 + // We allow the encoder to optionally turn off repeat offsets across blocks + canRepeat := len(blk.sequences) > 2 + + for { + if debugAsserts && canRepeat && offset1 == 0 { + panic("offset0 was 0") + } + + nextHashL := hashLen(cv, dFastLongTableBits, dFastLongLen) + nextHashS := hashLen(cv, dFastShortTableBits, dFastShortLen) + candidateL := e.longTable[nextHashL] + candidateS := e.table[nextHashS] + + const repOff = 1 + repIndex := s - offset1 + repOff + entry := tableEntry{offset: s + e.cur, val: uint32(cv)} + e.longTable[nextHashL] = entry + e.table[nextHashS] = entry + + if canRepeat { + if repIndex >= 0 && load3232(src, repIndex) == uint32(cv>>(repOff*8)) { + // Consider history as well. + var seq seq + length := 4 + e.matchlen(s+4+repOff, repIndex+4, src) + + seq.matchLen = uint32(length - zstdMinMatch) + + // We might be able to match backwards. + // Extend as long as we can. + start := s + repOff + // We end the search early, so we don't risk 0 literals + // and have to do special offset treatment. + startLimit := nextEmit + 1 + + tMin := s - e.maxMatchOff + if tMin < 0 { + tMin = 0 + } + for repIndex > tMin && start > startLimit && src[repIndex-1] == src[start-1] && seq.matchLen < maxMatchLength-zstdMinMatch-1 { + repIndex-- + start-- + seq.matchLen++ + } + addLiterals(&seq, start) + + // rep 0 + seq.offset = 1 + if debugSequences { + println("repeat sequence", seq, "next s:", s) + } + blk.sequences = append(blk.sequences, seq) + s += length + repOff + nextEmit = s + if s >= sLimit { + if debugEncoder { + println("repeat ended", s, length) + + } + break encodeLoop + } + cv = load6432(src, s) + continue + } + } + // Find the offsets of our two matches. + coffsetL := s - (candidateL.offset - e.cur) + coffsetS := s - (candidateS.offset - e.cur) + + // Check if we have a long match. + if coffsetL < e.maxMatchOff && uint32(cv) == candidateL.val { + // Found a long match, likely at least 8 bytes. + // Reference encoder checks all 8 bytes, we only check 4, + // but the likelihood of both the first 4 bytes and the hash matching should be enough. + t = candidateL.offset - e.cur + if debugAsserts && s <= t { + panic(fmt.Sprintf("s (%d) <= t (%d)", s, t)) + } + if debugAsserts && s-t > e.maxMatchOff { + panic("s - t >e.maxMatchOff") + } + if debugMatches { + println("long match") + } + break + } + + // Check if we have a short match. + if coffsetS < e.maxMatchOff && uint32(cv) == candidateS.val { + // found a regular match + // See if we can find a long match at s+1 + const checkAt = 1 + cv := load6432(src, s+checkAt) + nextHashL = hashLen(cv, dFastLongTableBits, dFastLongLen) + candidateL = e.longTable[nextHashL] + coffsetL = s - (candidateL.offset - e.cur) + checkAt + + // We can store it, since we have at least a 4 byte match. + e.longTable[nextHashL] = tableEntry{offset: s + checkAt + e.cur, val: uint32(cv)} + if coffsetL < e.maxMatchOff && uint32(cv) == candidateL.val { + // Found a long match, likely at least 8 bytes. + // Reference encoder checks all 8 bytes, we only check 4, + // but the likelihood of both the first 4 bytes and the hash matching should be enough. + t = candidateL.offset - e.cur + s += checkAt + if debugMatches { + println("long match (after short)") + } + break + } + + t = candidateS.offset - e.cur + if debugAsserts && s <= t { + panic(fmt.Sprintf("s (%d) <= t (%d)", s, t)) + } + if debugAsserts && s-t > e.maxMatchOff { + panic("s - t >e.maxMatchOff") + } + if debugAsserts && t < 0 { + panic("t<0") + } + if debugMatches { + println("short match") + } + break + } + + // No match found, move forward in input. + s += stepSize + ((s - nextEmit) >> (kSearchStrength - 1)) + if s >= sLimit { + break encodeLoop + } + cv = load6432(src, s) + } + + // A 4-byte match has been found. Update recent offsets. + // We'll later see if more than 4 bytes. + offset2 = offset1 + offset1 = s - t + + if debugAsserts && s <= t { + panic(fmt.Sprintf("s (%d) <= t (%d)", s, t)) + } + + if debugAsserts && canRepeat && int(offset1) > len(src) { + panic("invalid offset") + } + + // Extend the 4-byte match as long as possible. + l := e.matchlen(s+4, t+4, src) + 4 + + // Extend backwards + tMin := s - e.maxMatchOff + if tMin < 0 { + tMin = 0 + } + for t > tMin && s > nextEmit && src[t-1] == src[s-1] && l < maxMatchLength { + s-- + t-- + l++ + } + + // Write our sequence + var seq seq + seq.litLen = uint32(s - nextEmit) + seq.matchLen = uint32(l - zstdMinMatch) + if seq.litLen > 0 { + blk.literals = append(blk.literals, src[nextEmit:s]...) + } + seq.offset = uint32(s-t) + 3 + s += l + if debugSequences { + println("sequence", seq, "next s:", s) + } + blk.sequences = append(blk.sequences, seq) + nextEmit = s + if s >= sLimit { + break encodeLoop + } + + // Index match start+1 (long) and start+2 (short) + index0 := s - l + 1 + // Index match end-2 (long) and end-1 (short) + index1 := s - 2 + + cv0 := load6432(src, index0) + cv1 := load6432(src, index1) + te0 := tableEntry{offset: index0 + e.cur, val: uint32(cv0)} + te1 := tableEntry{offset: index1 + e.cur, val: uint32(cv1)} + e.longTable[hashLen(cv0, dFastLongTableBits, dFastLongLen)] = te0 + e.longTable[hashLen(cv1, dFastLongTableBits, dFastLongLen)] = te1 + cv0 >>= 8 + cv1 >>= 8 + te0.offset++ + te1.offset++ + te0.val = uint32(cv0) + te1.val = uint32(cv1) + e.table[hashLen(cv0, dFastShortTableBits, dFastShortLen)] = te0 + e.table[hashLen(cv1, dFastShortTableBits, dFastShortLen)] = te1 + + cv = load6432(src, s) + + if !canRepeat { + continue + } + + // Check offset 2 + for { + o2 := s - offset2 + if load3232(src, o2) != uint32(cv) { + // Do regular search + break + } + + // Store this, since we have it. + nextHashS := hashLen(cv, dFastShortTableBits, dFastShortLen) + nextHashL := hashLen(cv, dFastLongTableBits, dFastLongLen) + + // We have at least 4 byte match. + // No need to check backwards. We come straight from a match + l := 4 + e.matchlen(s+4, o2+4, src) + + entry := tableEntry{offset: s + e.cur, val: uint32(cv)} + e.longTable[nextHashL] = entry + e.table[nextHashS] = entry + seq.matchLen = uint32(l) - zstdMinMatch + seq.litLen = 0 + + // Since litlen is always 0, this is offset 1. + seq.offset = 1 + s += l + nextEmit = s + if debugSequences { + println("sequence", seq, "next s:", s) + } + blk.sequences = append(blk.sequences, seq) + + // Swap offset 1 and 2. + offset1, offset2 = offset2, offset1 + if s >= sLimit { + // Finished + break encodeLoop + } + cv = load6432(src, s) + } + } + + if int(nextEmit) < len(src) { + blk.literals = append(blk.literals, src[nextEmit:]...) + blk.extraLits = len(src) - int(nextEmit) + } + blk.recentOffsets[0] = uint32(offset1) + blk.recentOffsets[1] = uint32(offset2) + if debugEncoder { + println("returning, recent offsets:", blk.recentOffsets, "extra literals:", blk.extraLits) + } +} + +// EncodeNoHist will encode a block with no history and no following blocks. +// Most notable difference is that src will not be copied for history and +// we do not need to check for max match length. +func (e *doubleFastEncoder) EncodeNoHist(blk *blockEnc, src []byte) { + const ( + // Input margin is the number of bytes we read (8) + // and the maximum we will read ahead (2) + inputMargin = 8 + 2 + minNonLiteralBlockSize = 16 + ) + + // Protect against e.cur wraparound. + if e.cur >= e.bufferReset { + for i := range e.table[:] { + e.table[i] = tableEntry{} + } + for i := range e.longTable[:] { + e.longTable[i] = tableEntry{} + } + e.cur = e.maxMatchOff + } + + s := int32(0) + blk.size = len(src) + if len(src) < minNonLiteralBlockSize { + blk.extraLits = len(src) + blk.literals = blk.literals[:len(src)] + copy(blk.literals, src) + return + } + + // Override src + sLimit := int32(len(src)) - inputMargin + // stepSize is the number of bytes to skip on every main loop iteration. + // It should be >= 1. + const stepSize = 1 + + const kSearchStrength = 8 + + // nextEmit is where in src the next emitLiteral should start from. + nextEmit := s + cv := load6432(src, s) + + // Relative offsets + offset1 := int32(blk.recentOffsets[0]) + offset2 := int32(blk.recentOffsets[1]) + + addLiterals := func(s *seq, until int32) { + if until == nextEmit { + return + } + blk.literals = append(blk.literals, src[nextEmit:until]...) + s.litLen = uint32(until - nextEmit) + } + if debugEncoder { + println("recent offsets:", blk.recentOffsets) + } + +encodeLoop: + for { + var t int32 + for { + + nextHashL := hashLen(cv, dFastLongTableBits, dFastLongLen) + nextHashS := hashLen(cv, dFastShortTableBits, dFastShortLen) + candidateL := e.longTable[nextHashL] + candidateS := e.table[nextHashS] + + const repOff = 1 + repIndex := s - offset1 + repOff + entry := tableEntry{offset: s + e.cur, val: uint32(cv)} + e.longTable[nextHashL] = entry + e.table[nextHashS] = entry + + if len(blk.sequences) > 2 { + if load3232(src, repIndex) == uint32(cv>>(repOff*8)) { + // Consider history as well. + var seq seq + //length := 4 + e.matchlen(s+4+repOff, repIndex+4, src) + length := 4 + int32(matchLen(src[s+4+repOff:], src[repIndex+4:])) + + seq.matchLen = uint32(length - zstdMinMatch) + + // We might be able to match backwards. + // Extend as long as we can. + start := s + repOff + // We end the search early, so we don't risk 0 literals + // and have to do special offset treatment. + startLimit := nextEmit + 1 + + tMin := s - e.maxMatchOff + if tMin < 0 { + tMin = 0 + } + for repIndex > tMin && start > startLimit && src[repIndex-1] == src[start-1] { + repIndex-- + start-- + seq.matchLen++ + } + addLiterals(&seq, start) + + // rep 0 + seq.offset = 1 + if debugSequences { + println("repeat sequence", seq, "next s:", s) + } + blk.sequences = append(blk.sequences, seq) + s += length + repOff + nextEmit = s + if s >= sLimit { + if debugEncoder { + println("repeat ended", s, length) + + } + break encodeLoop + } + cv = load6432(src, s) + continue + } + } + // Find the offsets of our two matches. + coffsetL := s - (candidateL.offset - e.cur) + coffsetS := s - (candidateS.offset - e.cur) + + // Check if we have a long match. + if coffsetL < e.maxMatchOff && uint32(cv) == candidateL.val { + // Found a long match, likely at least 8 bytes. + // Reference encoder checks all 8 bytes, we only check 4, + // but the likelihood of both the first 4 bytes and the hash matching should be enough. + t = candidateL.offset - e.cur + if debugAsserts && s <= t { + panic(fmt.Sprintf("s (%d) <= t (%d). cur: %d", s, t, e.cur)) + } + if debugAsserts && s-t > e.maxMatchOff { + panic("s - t >e.maxMatchOff") + } + if debugMatches { + println("long match") + } + break + } + + // Check if we have a short match. + if coffsetS < e.maxMatchOff && uint32(cv) == candidateS.val { + // found a regular match + // See if we can find a long match at s+1 + const checkAt = 1 + cv := load6432(src, s+checkAt) + nextHashL = hashLen(cv, dFastLongTableBits, dFastLongLen) + candidateL = e.longTable[nextHashL] + coffsetL = s - (candidateL.offset - e.cur) + checkAt + + // We can store it, since we have at least a 4 byte match. + e.longTable[nextHashL] = tableEntry{offset: s + checkAt + e.cur, val: uint32(cv)} + if coffsetL < e.maxMatchOff && uint32(cv) == candidateL.val { + // Found a long match, likely at least 8 bytes. + // Reference encoder checks all 8 bytes, we only check 4, + // but the likelihood of both the first 4 bytes and the hash matching should be enough. + t = candidateL.offset - e.cur + s += checkAt + if debugMatches { + println("long match (after short)") + } + break + } + + t = candidateS.offset - e.cur + if debugAsserts && s <= t { + panic(fmt.Sprintf("s (%d) <= t (%d)", s, t)) + } + if debugAsserts && s-t > e.maxMatchOff { + panic("s - t >e.maxMatchOff") + } + if debugAsserts && t < 0 { + panic("t<0") + } + if debugMatches { + println("short match") + } + break + } + + // No match found, move forward in input. + s += stepSize + ((s - nextEmit) >> (kSearchStrength - 1)) + if s >= sLimit { + break encodeLoop + } + cv = load6432(src, s) + } + + // A 4-byte match has been found. Update recent offsets. + // We'll later see if more than 4 bytes. + offset2 = offset1 + offset1 = s - t + + if debugAsserts && s <= t { + panic(fmt.Sprintf("s (%d) <= t (%d)", s, t)) + } + + // Extend the 4-byte match as long as possible. + //l := e.matchlen(s+4, t+4, src) + 4 + l := int32(matchLen(src[s+4:], src[t+4:])) + 4 + + // Extend backwards + tMin := s - e.maxMatchOff + if tMin < 0 { + tMin = 0 + } + for t > tMin && s > nextEmit && src[t-1] == src[s-1] { + s-- + t-- + l++ + } + + // Write our sequence + var seq seq + seq.litLen = uint32(s - nextEmit) + seq.matchLen = uint32(l - zstdMinMatch) + if seq.litLen > 0 { + blk.literals = append(blk.literals, src[nextEmit:s]...) + } + seq.offset = uint32(s-t) + 3 + s += l + if debugSequences { + println("sequence", seq, "next s:", s) + } + blk.sequences = append(blk.sequences, seq) + nextEmit = s + if s >= sLimit { + break encodeLoop + } + + // Index match start+1 (long) and start+2 (short) + index0 := s - l + 1 + // Index match end-2 (long) and end-1 (short) + index1 := s - 2 + + cv0 := load6432(src, index0) + cv1 := load6432(src, index1) + te0 := tableEntry{offset: index0 + e.cur, val: uint32(cv0)} + te1 := tableEntry{offset: index1 + e.cur, val: uint32(cv1)} + e.longTable[hashLen(cv0, dFastLongTableBits, dFastLongLen)] = te0 + e.longTable[hashLen(cv1, dFastLongTableBits, dFastLongLen)] = te1 + cv0 >>= 8 + cv1 >>= 8 + te0.offset++ + te1.offset++ + te0.val = uint32(cv0) + te1.val = uint32(cv1) + e.table[hashLen(cv0, dFastShortTableBits, dFastShortLen)] = te0 + e.table[hashLen(cv1, dFastShortTableBits, dFastShortLen)] = te1 + + cv = load6432(src, s) + + if len(blk.sequences) <= 2 { + continue + } + + // Check offset 2 + for { + o2 := s - offset2 + if load3232(src, o2) != uint32(cv) { + // Do regular search + break + } + + // Store this, since we have it. + nextHashS := hashLen(cv1>>8, dFastShortTableBits, dFastShortLen) + nextHashL := hashLen(cv, dFastLongTableBits, dFastLongLen) + + // We have at least 4 byte match. + // No need to check backwards. We come straight from a match + //l := 4 + e.matchlen(s+4, o2+4, src) + l := 4 + int32(matchLen(src[s+4:], src[o2+4:])) + + entry := tableEntry{offset: s + e.cur, val: uint32(cv)} + e.longTable[nextHashL] = entry + e.table[nextHashS] = entry + seq.matchLen = uint32(l) - zstdMinMatch + seq.litLen = 0 + + // Since litlen is always 0, this is offset 1. + seq.offset = 1 + s += l + nextEmit = s + if debugSequences { + println("sequence", seq, "next s:", s) + } + blk.sequences = append(blk.sequences, seq) + + // Swap offset 1 and 2. + offset1, offset2 = offset2, offset1 + if s >= sLimit { + // Finished + break encodeLoop + } + cv = load6432(src, s) + } + } + + if int(nextEmit) < len(src) { + blk.literals = append(blk.literals, src[nextEmit:]...) + blk.extraLits = len(src) - int(nextEmit) + } + if debugEncoder { + println("returning, recent offsets:", blk.recentOffsets, "extra literals:", blk.extraLits) + } + + // We do not store history, so we must offset e.cur to avoid false matches for next user. + if e.cur < e.bufferReset { + e.cur += int32(len(src)) + } +} + +// Encode will encode the content, with a dictionary if initialized for it. +func (e *doubleFastEncoderDict) Encode(blk *blockEnc, src []byte) { + const ( + // Input margin is the number of bytes we read (8) + // and the maximum we will read ahead (2) + inputMargin = 8 + 2 + minNonLiteralBlockSize = 16 + ) + + // Protect against e.cur wraparound. + for e.cur >= e.bufferReset-int32(len(e.hist)) { + if len(e.hist) == 0 { + for i := range e.table[:] { + e.table[i] = tableEntry{} + } + for i := range e.longTable[:] { + e.longTable[i] = tableEntry{} + } + e.markAllShardsDirty() + e.cur = e.maxMatchOff + break + } + // Shift down everything in the table that isn't already too far away. + minOff := e.cur + int32(len(e.hist)) - e.maxMatchOff + for i := range e.table[:] { + v := e.table[i].offset + if v < minOff { + v = 0 + } else { + v = v - e.cur + e.maxMatchOff + } + e.table[i].offset = v + } + for i := range e.longTable[:] { + v := e.longTable[i].offset + if v < minOff { + v = 0 + } else { + v = v - e.cur + e.maxMatchOff + } + e.longTable[i].offset = v + } + e.markAllShardsDirty() + e.cur = e.maxMatchOff + break + } + + s := e.addBlock(src) + blk.size = len(src) + if len(src) < minNonLiteralBlockSize { + blk.extraLits = len(src) + blk.literals = blk.literals[:len(src)] + copy(blk.literals, src) + return + } + + // Override src + src = e.hist + sLimit := int32(len(src)) - inputMargin + // stepSize is the number of bytes to skip on every main loop iteration. + // It should be >= 1. + const stepSize = 1 + + const kSearchStrength = 8 + + // nextEmit is where in src the next emitLiteral should start from. + nextEmit := s + cv := load6432(src, s) + + // Relative offsets + offset1 := int32(blk.recentOffsets[0]) + offset2 := int32(blk.recentOffsets[1]) + + addLiterals := func(s *seq, until int32) { + if until == nextEmit { + return + } + blk.literals = append(blk.literals, src[nextEmit:until]...) + s.litLen = uint32(until - nextEmit) + } + if debugEncoder { + println("recent offsets:", blk.recentOffsets) + } + +encodeLoop: + for { + var t int32 + // We allow the encoder to optionally turn off repeat offsets across blocks + canRepeat := len(blk.sequences) > 2 + + for { + if debugAsserts && canRepeat && offset1 == 0 { + panic("offset0 was 0") + } + + nextHashL := hashLen(cv, dFastLongTableBits, dFastLongLen) + nextHashS := hashLen(cv, dFastShortTableBits, dFastShortLen) + candidateL := e.longTable[nextHashL] + candidateS := e.table[nextHashS] + + const repOff = 1 + repIndex := s - offset1 + repOff + entry := tableEntry{offset: s + e.cur, val: uint32(cv)} + e.longTable[nextHashL] = entry + e.markLongShardDirty(nextHashL) + e.table[nextHashS] = entry + e.markShardDirty(nextHashS) + + if canRepeat { + if repIndex >= 0 && load3232(src, repIndex) == uint32(cv>>(repOff*8)) { + // Consider history as well. + var seq seq + length := 4 + e.matchlen(s+4+repOff, repIndex+4, src) + + seq.matchLen = uint32(length - zstdMinMatch) + + // We might be able to match backwards. + // Extend as long as we can. + start := s + repOff + // We end the search early, so we don't risk 0 literals + // and have to do special offset treatment. + startLimit := nextEmit + 1 + + tMin := s - e.maxMatchOff + if tMin < 0 { + tMin = 0 + } + for repIndex > tMin && start > startLimit && src[repIndex-1] == src[start-1] && seq.matchLen < maxMatchLength-zstdMinMatch-1 { + repIndex-- + start-- + seq.matchLen++ + } + addLiterals(&seq, start) + + // rep 0 + seq.offset = 1 + if debugSequences { + println("repeat sequence", seq, "next s:", s) + } + blk.sequences = append(blk.sequences, seq) + s += length + repOff + nextEmit = s + if s >= sLimit { + if debugEncoder { + println("repeat ended", s, length) + + } + break encodeLoop + } + cv = load6432(src, s) + continue + } + } + // Find the offsets of our two matches. + coffsetL := s - (candidateL.offset - e.cur) + coffsetS := s - (candidateS.offset - e.cur) + + // Check if we have a long match. + if coffsetL < e.maxMatchOff && uint32(cv) == candidateL.val { + // Found a long match, likely at least 8 bytes. + // Reference encoder checks all 8 bytes, we only check 4, + // but the likelihood of both the first 4 bytes and the hash matching should be enough. + t = candidateL.offset - e.cur + if debugAsserts && s <= t { + panic(fmt.Sprintf("s (%d) <= t (%d)", s, t)) + } + if debugAsserts && s-t > e.maxMatchOff { + panic("s - t >e.maxMatchOff") + } + if debugMatches { + println("long match") + } + break + } + + // Check if we have a short match. + if coffsetS < e.maxMatchOff && uint32(cv) == candidateS.val { + // found a regular match + // See if we can find a long match at s+1 + const checkAt = 1 + cv := load6432(src, s+checkAt) + nextHashL = hashLen(cv, dFastLongTableBits, dFastLongLen) + candidateL = e.longTable[nextHashL] + coffsetL = s - (candidateL.offset - e.cur) + checkAt + + // We can store it, since we have at least a 4 byte match. + e.longTable[nextHashL] = tableEntry{offset: s + checkAt + e.cur, val: uint32(cv)} + e.markLongShardDirty(nextHashL) + if coffsetL < e.maxMatchOff && uint32(cv) == candidateL.val { + // Found a long match, likely at least 8 bytes. + // Reference encoder checks all 8 bytes, we only check 4, + // but the likelihood of both the first 4 bytes and the hash matching should be enough. + t = candidateL.offset - e.cur + s += checkAt + if debugMatches { + println("long match (after short)") + } + break + } + + t = candidateS.offset - e.cur + if debugAsserts && s <= t { + panic(fmt.Sprintf("s (%d) <= t (%d)", s, t)) + } + if debugAsserts && s-t > e.maxMatchOff { + panic("s - t >e.maxMatchOff") + } + if debugAsserts && t < 0 { + panic("t<0") + } + if debugMatches { + println("short match") + } + break + } + + // No match found, move forward in input. + s += stepSize + ((s - nextEmit) >> (kSearchStrength - 1)) + if s >= sLimit { + break encodeLoop + } + cv = load6432(src, s) + } + + // A 4-byte match has been found. Update recent offsets. + // We'll later see if more than 4 bytes. + offset2 = offset1 + offset1 = s - t + + if debugAsserts && s <= t { + panic(fmt.Sprintf("s (%d) <= t (%d)", s, t)) + } + + if debugAsserts && canRepeat && int(offset1) > len(src) { + panic("invalid offset") + } + + // Extend the 4-byte match as long as possible. + l := e.matchlen(s+4, t+4, src) + 4 + + // Extend backwards + tMin := s - e.maxMatchOff + if tMin < 0 { + tMin = 0 + } + for t > tMin && s > nextEmit && src[t-1] == src[s-1] && l < maxMatchLength { + s-- + t-- + l++ + } + + // Write our sequence + var seq seq + seq.litLen = uint32(s - nextEmit) + seq.matchLen = uint32(l - zstdMinMatch) + if seq.litLen > 0 { + blk.literals = append(blk.literals, src[nextEmit:s]...) + } + seq.offset = uint32(s-t) + 3 + s += l + if debugSequences { + println("sequence", seq, "next s:", s) + } + blk.sequences = append(blk.sequences, seq) + nextEmit = s + if s >= sLimit { + break encodeLoop + } + + // Index match start+1 (long) and start+2 (short) + index0 := s - l + 1 + // Index match end-2 (long) and end-1 (short) + index1 := s - 2 + + cv0 := load6432(src, index0) + cv1 := load6432(src, index1) + te0 := tableEntry{offset: index0 + e.cur, val: uint32(cv0)} + te1 := tableEntry{offset: index1 + e.cur, val: uint32(cv1)} + longHash1 := hashLen(cv0, dFastLongTableBits, dFastLongLen) + longHash2 := hashLen(cv1, dFastLongTableBits, dFastLongLen) + e.longTable[longHash1] = te0 + e.longTable[longHash2] = te1 + e.markLongShardDirty(longHash1) + e.markLongShardDirty(longHash2) + cv0 >>= 8 + cv1 >>= 8 + te0.offset++ + te1.offset++ + te0.val = uint32(cv0) + te1.val = uint32(cv1) + hashVal1 := hashLen(cv0, dFastShortTableBits, dFastShortLen) + hashVal2 := hashLen(cv1, dFastShortTableBits, dFastShortLen) + e.table[hashVal1] = te0 + e.markShardDirty(hashVal1) + e.table[hashVal2] = te1 + e.markShardDirty(hashVal2) + + cv = load6432(src, s) + + if !canRepeat { + continue + } + + // Check offset 2 + for { + o2 := s - offset2 + if load3232(src, o2) != uint32(cv) { + // Do regular search + break + } + + // Store this, since we have it. + nextHashL := hashLen(cv, dFastLongTableBits, dFastLongLen) + nextHashS := hashLen(cv, dFastShortTableBits, dFastShortLen) + + // We have at least 4 byte match. + // No need to check backwards. We come straight from a match + l := 4 + e.matchlen(s+4, o2+4, src) + + entry := tableEntry{offset: s + e.cur, val: uint32(cv)} + e.longTable[nextHashL] = entry + e.markLongShardDirty(nextHashL) + e.table[nextHashS] = entry + e.markShardDirty(nextHashS) + seq.matchLen = uint32(l) - zstdMinMatch + seq.litLen = 0 + + // Since litlen is always 0, this is offset 1. + seq.offset = 1 + s += l + nextEmit = s + if debugSequences { + println("sequence", seq, "next s:", s) + } + blk.sequences = append(blk.sequences, seq) + + // Swap offset 1 and 2. + offset1, offset2 = offset2, offset1 + if s >= sLimit { + // Finished + break encodeLoop + } + cv = load6432(src, s) + } + } + + if int(nextEmit) < len(src) { + blk.literals = append(blk.literals, src[nextEmit:]...) + blk.extraLits = len(src) - int(nextEmit) + } + blk.recentOffsets[0] = uint32(offset1) + blk.recentOffsets[1] = uint32(offset2) + if debugEncoder { + println("returning, recent offsets:", blk.recentOffsets, "extra literals:", blk.extraLits) + } + // If we encoded more than 64K mark all dirty. + if len(src) > 64<<10 { + e.markAllShardsDirty() + } +} + +// ResetDict will reset and set a dictionary if not nil +func (e *doubleFastEncoder) Reset(d *dict, singleBlock bool) { + e.fastEncoder.Reset(d, singleBlock) + if d != nil { + panic("doubleFastEncoder: Reset with dict not supported") + } +} + +// ResetDict will reset and set a dictionary if not nil +func (e *doubleFastEncoderDict) Reset(d *dict, singleBlock bool) { + allDirty := e.allDirty + e.fastEncoderDict.Reset(d, singleBlock) + if d == nil { + return + } + + // Init or copy dict table + if len(e.dictLongTable) != len(e.longTable) || d.id != e.lastDictID { + if len(e.dictLongTable) != len(e.longTable) { + e.dictLongTable = make([]tableEntry, len(e.longTable)) + } + if len(d.content) >= 8 { + cv := load6432(d.content, 0) + e.dictLongTable[hashLen(cv, dFastLongTableBits, dFastLongLen)] = tableEntry{ + val: uint32(cv), + offset: e.maxMatchOff, + } + end := int32(len(d.content)) - 8 + e.maxMatchOff + for i := e.maxMatchOff + 1; i < end; i++ { + cv = cv>>8 | (uint64(d.content[i-e.maxMatchOff+7]) << 56) + e.dictLongTable[hashLen(cv, dFastLongTableBits, dFastLongLen)] = tableEntry{ + val: uint32(cv), + offset: i, + } + } + } + e.lastDictID = d.id + allDirty = true + } + // Reset table to initial state + e.cur = e.maxMatchOff + + dirtyShardCnt := 0 + if !allDirty { + for i := range e.longTableShardDirty { + if e.longTableShardDirty[i] { + dirtyShardCnt++ + } + } + } + + if allDirty || dirtyShardCnt > dLongTableShardCnt/2 { + //copy(e.longTable[:], e.dictLongTable) + e.longTable = *(*[dFastLongTableSize]tableEntry)(e.dictLongTable) + for i := range e.longTableShardDirty { + e.longTableShardDirty[i] = false + } + return + } + for i := range e.longTableShardDirty { + if !e.longTableShardDirty[i] { + continue + } + + // copy(e.longTable[i*dLongTableShardSize:(i+1)*dLongTableShardSize], e.dictLongTable[i*dLongTableShardSize:(i+1)*dLongTableShardSize]) + *(*[dLongTableShardSize]tableEntry)(e.longTable[i*dLongTableShardSize:]) = *(*[dLongTableShardSize]tableEntry)(e.dictLongTable[i*dLongTableShardSize:]) + + e.longTableShardDirty[i] = false + } +} + +func (e *doubleFastEncoderDict) markLongShardDirty(entryNum uint32) { + e.longTableShardDirty[entryNum/dLongTableShardSize] = true +} diff --git a/vendor/github.com/klauspost/compress/zstd/enc_fast.go b/vendor/github.com/klauspost/compress/zstd/enc_fast.go new file mode 100644 index 0000000000..f45a3da7da --- /dev/null +++ b/vendor/github.com/klauspost/compress/zstd/enc_fast.go @@ -0,0 +1,891 @@ +// Copyright 2019+ Klaus Post. All rights reserved. +// License information can be found in the LICENSE file. +// Based on work by Yann Collet, released under BSD License. + +package zstd + +import ( + "fmt" +) + +const ( + tableBits = 15 // Bits used in the table + tableSize = 1 << tableBits // Size of the table + tableShardCnt = 1 << (tableBits - dictShardBits) // Number of shards in the table + tableShardSize = tableSize / tableShardCnt // Size of an individual shard + tableFastHashLen = 6 + tableMask = tableSize - 1 // Mask for table indices. Redundant, but can eliminate bounds checks. + maxMatchLength = 131074 +) + +type tableEntry struct { + val uint32 + offset int32 +} + +type fastEncoder struct { + fastBase + table [tableSize]tableEntry +} + +type fastEncoderDict struct { + fastEncoder + dictTable []tableEntry + tableShardDirty [tableShardCnt]bool + allDirty bool +} + +// Encode mimmics functionality in zstd_fast.c +func (e *fastEncoder) Encode(blk *blockEnc, src []byte) { + const ( + inputMargin = 8 + minNonLiteralBlockSize = 1 + 1 + inputMargin + ) + + // Protect against e.cur wraparound. + for e.cur >= e.bufferReset-int32(len(e.hist)) { + if len(e.hist) == 0 { + for i := range e.table[:] { + e.table[i] = tableEntry{} + } + e.cur = e.maxMatchOff + break + } + // Shift down everything in the table that isn't already too far away. + minOff := e.cur + int32(len(e.hist)) - e.maxMatchOff + for i := range e.table[:] { + v := e.table[i].offset + if v < minOff { + v = 0 + } else { + v = v - e.cur + e.maxMatchOff + } + e.table[i].offset = v + } + e.cur = e.maxMatchOff + break + } + + s := e.addBlock(src) + blk.size = len(src) + if len(src) < minNonLiteralBlockSize { + blk.extraLits = len(src) + blk.literals = blk.literals[:len(src)] + copy(blk.literals, src) + return + } + + // Override src + src = e.hist + sLimit := int32(len(src)) - inputMargin + // stepSize is the number of bytes to skip on every main loop iteration. + // It should be >= 2. + const stepSize = 2 + + // TEMPLATE + const hashLog = tableBits + // seems global, but would be nice to tweak. + const kSearchStrength = 6 + + // nextEmit is where in src the next emitLiteral should start from. + nextEmit := s + cv := load6432(src, s) + + // Relative offsets + offset1 := int32(blk.recentOffsets[0]) + offset2 := int32(blk.recentOffsets[1]) + + addLiterals := func(s *seq, until int32) { + if until == nextEmit { + return + } + blk.literals = append(blk.literals, src[nextEmit:until]...) + s.litLen = uint32(until - nextEmit) + } + if debugEncoder { + println("recent offsets:", blk.recentOffsets) + } + +encodeLoop: + for { + // t will contain the match offset when we find one. + // When existing the search loop, we have already checked 4 bytes. + var t int32 + + // We will not use repeat offsets across blocks. + // By not using them for the first 3 matches + canRepeat := len(blk.sequences) > 2 + + for { + if debugAsserts && canRepeat && offset1 == 0 { + panic("offset0 was 0") + } + + nextHash := hashLen(cv, hashLog, tableFastHashLen) + nextHash2 := hashLen(cv>>8, hashLog, tableFastHashLen) + candidate := e.table[nextHash] + candidate2 := e.table[nextHash2] + repIndex := s - offset1 + 2 + + e.table[nextHash] = tableEntry{offset: s + e.cur, val: uint32(cv)} + e.table[nextHash2] = tableEntry{offset: s + e.cur + 1, val: uint32(cv >> 8)} + + if canRepeat && repIndex >= 0 && load3232(src, repIndex) == uint32(cv>>16) { + // Consider history as well. + var seq seq + length := 4 + e.matchlen(s+6, repIndex+4, src) + seq.matchLen = uint32(length - zstdMinMatch) + + // We might be able to match backwards. + // Extend as long as we can. + start := s + 2 + // We end the search early, so we don't risk 0 literals + // and have to do special offset treatment. + startLimit := nextEmit + 1 + + sMin := s - e.maxMatchOff + if sMin < 0 { + sMin = 0 + } + for repIndex > sMin && start > startLimit && src[repIndex-1] == src[start-1] && seq.matchLen < maxMatchLength-zstdMinMatch { + repIndex-- + start-- + seq.matchLen++ + } + addLiterals(&seq, start) + + // rep 0 + seq.offset = 1 + if debugSequences { + println("repeat sequence", seq, "next s:", s) + } + blk.sequences = append(blk.sequences, seq) + s += length + 2 + nextEmit = s + if s >= sLimit { + if debugEncoder { + println("repeat ended", s, length) + + } + break encodeLoop + } + cv = load6432(src, s) + continue + } + coffset0 := s - (candidate.offset - e.cur) + coffset1 := s - (candidate2.offset - e.cur) + 1 + if coffset0 < e.maxMatchOff && uint32(cv) == candidate.val { + // found a regular match + t = candidate.offset - e.cur + if debugAsserts && s <= t { + panic(fmt.Sprintf("s (%d) <= t (%d)", s, t)) + } + if debugAsserts && s-t > e.maxMatchOff { + panic("s - t >e.maxMatchOff") + } + break + } + + if coffset1 < e.maxMatchOff && uint32(cv>>8) == candidate2.val { + // found a regular match + t = candidate2.offset - e.cur + s++ + if debugAsserts && s <= t { + panic(fmt.Sprintf("s (%d) <= t (%d)", s, t)) + } + if debugAsserts && s-t > e.maxMatchOff { + panic("s - t >e.maxMatchOff") + } + if debugAsserts && t < 0 { + panic("t<0") + } + break + } + s += stepSize + ((s - nextEmit) >> (kSearchStrength - 1)) + if s >= sLimit { + break encodeLoop + } + cv = load6432(src, s) + } + // A 4-byte match has been found. We'll later see if more than 4 bytes. + offset2 = offset1 + offset1 = s - t + + if debugAsserts && s <= t { + panic(fmt.Sprintf("s (%d) <= t (%d)", s, t)) + } + + if debugAsserts && canRepeat && int(offset1) > len(src) { + panic("invalid offset") + } + + // Extend the 4-byte match as long as possible. + l := e.matchlen(s+4, t+4, src) + 4 + + // Extend backwards + tMin := s - e.maxMatchOff + if tMin < 0 { + tMin = 0 + } + for t > tMin && s > nextEmit && src[t-1] == src[s-1] && l < maxMatchLength { + s-- + t-- + l++ + } + + // Write our sequence. + var seq seq + seq.litLen = uint32(s - nextEmit) + seq.matchLen = uint32(l - zstdMinMatch) + if seq.litLen > 0 { + blk.literals = append(blk.literals, src[nextEmit:s]...) + } + // Don't use repeat offsets + seq.offset = uint32(s-t) + 3 + s += l + if debugSequences { + println("sequence", seq, "next s:", s) + } + blk.sequences = append(blk.sequences, seq) + nextEmit = s + if s >= sLimit { + break encodeLoop + } + cv = load6432(src, s) + + // Check offset 2 + if o2 := s - offset2; canRepeat && load3232(src, o2) == uint32(cv) { + // We have at least 4 byte match. + // No need to check backwards. We come straight from a match + l := 4 + e.matchlen(s+4, o2+4, src) + + // Store this, since we have it. + nextHash := hashLen(cv, hashLog, tableFastHashLen) + e.table[nextHash] = tableEntry{offset: s + e.cur, val: uint32(cv)} + seq.matchLen = uint32(l) - zstdMinMatch + seq.litLen = 0 + // Since litlen is always 0, this is offset 1. + seq.offset = 1 + s += l + nextEmit = s + if debugSequences { + println("sequence", seq, "next s:", s) + } + blk.sequences = append(blk.sequences, seq) + + // Swap offset 1 and 2. + offset1, offset2 = offset2, offset1 + if s >= sLimit { + break encodeLoop + } + // Prepare next loop. + cv = load6432(src, s) + } + } + + if int(nextEmit) < len(src) { + blk.literals = append(blk.literals, src[nextEmit:]...) + blk.extraLits = len(src) - int(nextEmit) + } + blk.recentOffsets[0] = uint32(offset1) + blk.recentOffsets[1] = uint32(offset2) + if debugEncoder { + println("returning, recent offsets:", blk.recentOffsets, "extra literals:", blk.extraLits) + } +} + +// EncodeNoHist will encode a block with no history and no following blocks. +// Most notable difference is that src will not be copied for history and +// we do not need to check for max match length. +func (e *fastEncoder) EncodeNoHist(blk *blockEnc, src []byte) { + const ( + inputMargin = 8 + minNonLiteralBlockSize = 1 + 1 + inputMargin + ) + if debugEncoder { + if len(src) > maxCompressedBlockSize { + panic("src too big") + } + } + + // Protect against e.cur wraparound. + if e.cur >= e.bufferReset { + for i := range e.table[:] { + e.table[i] = tableEntry{} + } + e.cur = e.maxMatchOff + } + + s := int32(0) + blk.size = len(src) + if len(src) < minNonLiteralBlockSize { + blk.extraLits = len(src) + blk.literals = blk.literals[:len(src)] + copy(blk.literals, src) + return + } + + sLimit := int32(len(src)) - inputMargin + // stepSize is the number of bytes to skip on every main loop iteration. + // It should be >= 2. + const stepSize = 2 + + // TEMPLATE + const hashLog = tableBits + // seems global, but would be nice to tweak. + const kSearchStrength = 6 + + // nextEmit is where in src the next emitLiteral should start from. + nextEmit := s + cv := load6432(src, s) + + // Relative offsets + offset1 := int32(blk.recentOffsets[0]) + offset2 := int32(blk.recentOffsets[1]) + + addLiterals := func(s *seq, until int32) { + if until == nextEmit { + return + } + blk.literals = append(blk.literals, src[nextEmit:until]...) + s.litLen = uint32(until - nextEmit) + } + if debugEncoder { + println("recent offsets:", blk.recentOffsets) + } + +encodeLoop: + for { + // t will contain the match offset when we find one. + // When existing the search loop, we have already checked 4 bytes. + var t int32 + + // We will not use repeat offsets across blocks. + // By not using them for the first 3 matches + + for { + nextHash := hashLen(cv, hashLog, tableFastHashLen) + nextHash2 := hashLen(cv>>8, hashLog, tableFastHashLen) + candidate := e.table[nextHash] + candidate2 := e.table[nextHash2] + repIndex := s - offset1 + 2 + + e.table[nextHash] = tableEntry{offset: s + e.cur, val: uint32(cv)} + e.table[nextHash2] = tableEntry{offset: s + e.cur + 1, val: uint32(cv >> 8)} + + if len(blk.sequences) > 2 && load3232(src, repIndex) == uint32(cv>>16) { + // Consider history as well. + var seq seq + length := 4 + e.matchlen(s+6, repIndex+4, src) + + seq.matchLen = uint32(length - zstdMinMatch) + + // We might be able to match backwards. + // Extend as long as we can. + start := s + 2 + // We end the search early, so we don't risk 0 literals + // and have to do special offset treatment. + startLimit := nextEmit + 1 + + sMin := s - e.maxMatchOff + if sMin < 0 { + sMin = 0 + } + for repIndex > sMin && start > startLimit && src[repIndex-1] == src[start-1] { + repIndex-- + start-- + seq.matchLen++ + } + addLiterals(&seq, start) + + // rep 0 + seq.offset = 1 + if debugSequences { + println("repeat sequence", seq, "next s:", s) + } + blk.sequences = append(blk.sequences, seq) + s += length + 2 + nextEmit = s + if s >= sLimit { + if debugEncoder { + println("repeat ended", s, length) + + } + break encodeLoop + } + cv = load6432(src, s) + continue + } + coffset0 := s - (candidate.offset - e.cur) + coffset1 := s - (candidate2.offset - e.cur) + 1 + if coffset0 < e.maxMatchOff && uint32(cv) == candidate.val { + // found a regular match + t = candidate.offset - e.cur + if debugAsserts && s <= t { + panic(fmt.Sprintf("s (%d) <= t (%d)", s, t)) + } + if debugAsserts && s-t > e.maxMatchOff { + panic("s - t >e.maxMatchOff") + } + if debugAsserts && t < 0 { + panic(fmt.Sprintf("t (%d) < 0, candidate.offset: %d, e.cur: %d, coffset0: %d, e.maxMatchOff: %d", t, candidate.offset, e.cur, coffset0, e.maxMatchOff)) + } + break + } + + if coffset1 < e.maxMatchOff && uint32(cv>>8) == candidate2.val { + // found a regular match + t = candidate2.offset - e.cur + s++ + if debugAsserts && s <= t { + panic(fmt.Sprintf("s (%d) <= t (%d)", s, t)) + } + if debugAsserts && s-t > e.maxMatchOff { + panic("s - t >e.maxMatchOff") + } + if debugAsserts && t < 0 { + panic("t<0") + } + break + } + s += stepSize + ((s - nextEmit) >> (kSearchStrength - 1)) + if s >= sLimit { + break encodeLoop + } + cv = load6432(src, s) + } + // A 4-byte match has been found. We'll later see if more than 4 bytes. + offset2 = offset1 + offset1 = s - t + + if debugAsserts && s <= t { + panic(fmt.Sprintf("s (%d) <= t (%d)", s, t)) + } + + if debugAsserts && t < 0 { + panic(fmt.Sprintf("t (%d) < 0 ", t)) + } + // Extend the 4-byte match as long as possible. + l := e.matchlen(s+4, t+4, src) + 4 + + // Extend backwards + tMin := s - e.maxMatchOff + if tMin < 0 { + tMin = 0 + } + for t > tMin && s > nextEmit && src[t-1] == src[s-1] { + s-- + t-- + l++ + } + + // Write our sequence. + var seq seq + seq.litLen = uint32(s - nextEmit) + seq.matchLen = uint32(l - zstdMinMatch) + if seq.litLen > 0 { + blk.literals = append(blk.literals, src[nextEmit:s]...) + } + // Don't use repeat offsets + seq.offset = uint32(s-t) + 3 + s += l + if debugSequences { + println("sequence", seq, "next s:", s) + } + blk.sequences = append(blk.sequences, seq) + nextEmit = s + if s >= sLimit { + break encodeLoop + } + cv = load6432(src, s) + + // Check offset 2 + if o2 := s - offset2; len(blk.sequences) > 2 && load3232(src, o2) == uint32(cv) { + // We have at least 4 byte match. + // No need to check backwards. We come straight from a match + l := 4 + e.matchlen(s+4, o2+4, src) + + // Store this, since we have it. + nextHash := hashLen(cv, hashLog, tableFastHashLen) + e.table[nextHash] = tableEntry{offset: s + e.cur, val: uint32(cv)} + seq.matchLen = uint32(l) - zstdMinMatch + seq.litLen = 0 + // Since litlen is always 0, this is offset 1. + seq.offset = 1 + s += l + nextEmit = s + if debugSequences { + println("sequence", seq, "next s:", s) + } + blk.sequences = append(blk.sequences, seq) + + // Swap offset 1 and 2. + offset1, offset2 = offset2, offset1 + if s >= sLimit { + break encodeLoop + } + // Prepare next loop. + cv = load6432(src, s) + } + } + + if int(nextEmit) < len(src) { + blk.literals = append(blk.literals, src[nextEmit:]...) + blk.extraLits = len(src) - int(nextEmit) + } + if debugEncoder { + println("returning, recent offsets:", blk.recentOffsets, "extra literals:", blk.extraLits) + } + // We do not store history, so we must offset e.cur to avoid false matches for next user. + if e.cur < e.bufferReset { + e.cur += int32(len(src)) + } +} + +// Encode will encode the content, with a dictionary if initialized for it. +func (e *fastEncoderDict) Encode(blk *blockEnc, src []byte) { + const ( + inputMargin = 8 + minNonLiteralBlockSize = 1 + 1 + inputMargin + ) + if e.allDirty || len(src) > 32<<10 { + e.fastEncoder.Encode(blk, src) + e.allDirty = true + return + } + // Protect against e.cur wraparound. + for e.cur >= e.bufferReset-int32(len(e.hist)) { + if len(e.hist) == 0 { + e.table = [tableSize]tableEntry{} + e.cur = e.maxMatchOff + break + } + // Shift down everything in the table that isn't already too far away. + minOff := e.cur + int32(len(e.hist)) - e.maxMatchOff + for i := range e.table[:] { + v := e.table[i].offset + if v < minOff { + v = 0 + } else { + v = v - e.cur + e.maxMatchOff + } + e.table[i].offset = v + } + e.cur = e.maxMatchOff + break + } + + s := e.addBlock(src) + blk.size = len(src) + if len(src) < minNonLiteralBlockSize { + blk.extraLits = len(src) + blk.literals = blk.literals[:len(src)] + copy(blk.literals, src) + return + } + + // Override src + src = e.hist + sLimit := int32(len(src)) - inputMargin + // stepSize is the number of bytes to skip on every main loop iteration. + // It should be >= 2. + const stepSize = 2 + + // TEMPLATE + const hashLog = tableBits + // seems global, but would be nice to tweak. + const kSearchStrength = 7 + + // nextEmit is where in src the next emitLiteral should start from. + nextEmit := s + cv := load6432(src, s) + + // Relative offsets + offset1 := int32(blk.recentOffsets[0]) + offset2 := int32(blk.recentOffsets[1]) + + addLiterals := func(s *seq, until int32) { + if until == nextEmit { + return + } + blk.literals = append(blk.literals, src[nextEmit:until]...) + s.litLen = uint32(until - nextEmit) + } + if debugEncoder { + println("recent offsets:", blk.recentOffsets) + } + +encodeLoop: + for { + // t will contain the match offset when we find one. + // When existing the search loop, we have already checked 4 bytes. + var t int32 + + // We will not use repeat offsets across blocks. + // By not using them for the first 3 matches + canRepeat := len(blk.sequences) > 2 + + for { + if debugAsserts && canRepeat && offset1 == 0 { + panic("offset0 was 0") + } + + nextHash := hashLen(cv, hashLog, tableFastHashLen) + nextHash2 := hashLen(cv>>8, hashLog, tableFastHashLen) + candidate := e.table[nextHash] + candidate2 := e.table[nextHash2] + repIndex := s - offset1 + 2 + + e.table[nextHash] = tableEntry{offset: s + e.cur, val: uint32(cv)} + e.markShardDirty(nextHash) + e.table[nextHash2] = tableEntry{offset: s + e.cur + 1, val: uint32(cv >> 8)} + e.markShardDirty(nextHash2) + + if canRepeat && repIndex >= 0 && load3232(src, repIndex) == uint32(cv>>16) { + // Consider history as well. + var seq seq + length := 4 + e.matchlen(s+6, repIndex+4, src) + + seq.matchLen = uint32(length - zstdMinMatch) + + // We might be able to match backwards. + // Extend as long as we can. + start := s + 2 + // We end the search early, so we don't risk 0 literals + // and have to do special offset treatment. + startLimit := nextEmit + 1 + + sMin := s - e.maxMatchOff + if sMin < 0 { + sMin = 0 + } + for repIndex > sMin && start > startLimit && src[repIndex-1] == src[start-1] && seq.matchLen < maxMatchLength-zstdMinMatch { + repIndex-- + start-- + seq.matchLen++ + } + addLiterals(&seq, start) + + // rep 0 + seq.offset = 1 + if debugSequences { + println("repeat sequence", seq, "next s:", s) + } + blk.sequences = append(blk.sequences, seq) + s += length + 2 + nextEmit = s + if s >= sLimit { + if debugEncoder { + println("repeat ended", s, length) + + } + break encodeLoop + } + cv = load6432(src, s) + continue + } + coffset0 := s - (candidate.offset - e.cur) + coffset1 := s - (candidate2.offset - e.cur) + 1 + if coffset0 < e.maxMatchOff && uint32(cv) == candidate.val { + // found a regular match + t = candidate.offset - e.cur + if debugAsserts && s <= t { + panic(fmt.Sprintf("s (%d) <= t (%d)", s, t)) + } + if debugAsserts && s-t > e.maxMatchOff { + panic("s - t >e.maxMatchOff") + } + break + } + + if coffset1 < e.maxMatchOff && uint32(cv>>8) == candidate2.val { + // found a regular match + t = candidate2.offset - e.cur + s++ + if debugAsserts && s <= t { + panic(fmt.Sprintf("s (%d) <= t (%d)", s, t)) + } + if debugAsserts && s-t > e.maxMatchOff { + panic("s - t >e.maxMatchOff") + } + if debugAsserts && t < 0 { + panic("t<0") + } + break + } + s += stepSize + ((s - nextEmit) >> (kSearchStrength - 1)) + if s >= sLimit { + break encodeLoop + } + cv = load6432(src, s) + } + // A 4-byte match has been found. We'll later see if more than 4 bytes. + offset2 = offset1 + offset1 = s - t + + if debugAsserts && s <= t { + panic(fmt.Sprintf("s (%d) <= t (%d)", s, t)) + } + + if debugAsserts && canRepeat && int(offset1) > len(src) { + panic("invalid offset") + } + + // Extend the 4-byte match as long as possible. + l := e.matchlen(s+4, t+4, src) + 4 + + // Extend backwards + tMin := s - e.maxMatchOff + if tMin < 0 { + tMin = 0 + } + for t > tMin && s > nextEmit && src[t-1] == src[s-1] && l < maxMatchLength { + s-- + t-- + l++ + } + + // Write our sequence. + var seq seq + seq.litLen = uint32(s - nextEmit) + seq.matchLen = uint32(l - zstdMinMatch) + if seq.litLen > 0 { + blk.literals = append(blk.literals, src[nextEmit:s]...) + } + // Don't use repeat offsets + seq.offset = uint32(s-t) + 3 + s += l + if debugSequences { + println("sequence", seq, "next s:", s) + } + blk.sequences = append(blk.sequences, seq) + nextEmit = s + if s >= sLimit { + break encodeLoop + } + cv = load6432(src, s) + + // Check offset 2 + if o2 := s - offset2; canRepeat && load3232(src, o2) == uint32(cv) { + // We have at least 4 byte match. + // No need to check backwards. We come straight from a match + l := 4 + e.matchlen(s+4, o2+4, src) + + // Store this, since we have it. + nextHash := hashLen(cv, hashLog, tableFastHashLen) + e.table[nextHash] = tableEntry{offset: s + e.cur, val: uint32(cv)} + e.markShardDirty(nextHash) + seq.matchLen = uint32(l) - zstdMinMatch + seq.litLen = 0 + // Since litlen is always 0, this is offset 1. + seq.offset = 1 + s += l + nextEmit = s + if debugSequences { + println("sequence", seq, "next s:", s) + } + blk.sequences = append(blk.sequences, seq) + + // Swap offset 1 and 2. + offset1, offset2 = offset2, offset1 + if s >= sLimit { + break encodeLoop + } + // Prepare next loop. + cv = load6432(src, s) + } + } + + if int(nextEmit) < len(src) { + blk.literals = append(blk.literals, src[nextEmit:]...) + blk.extraLits = len(src) - int(nextEmit) + } + blk.recentOffsets[0] = uint32(offset1) + blk.recentOffsets[1] = uint32(offset2) + if debugEncoder { + println("returning, recent offsets:", blk.recentOffsets, "extra literals:", blk.extraLits) + } +} + +// ResetDict will reset and set a dictionary if not nil +func (e *fastEncoder) Reset(d *dict, singleBlock bool) { + e.resetBase(d, singleBlock) + if d != nil { + panic("fastEncoder: Reset with dict") + } +} + +// ResetDict will reset and set a dictionary if not nil +func (e *fastEncoderDict) Reset(d *dict, singleBlock bool) { + e.resetBase(d, singleBlock) + if d == nil { + return + } + + // Init or copy dict table + if len(e.dictTable) != len(e.table) || d.id != e.lastDictID { + if len(e.dictTable) != len(e.table) { + e.dictTable = make([]tableEntry, len(e.table)) + } + if true { + end := e.maxMatchOff + int32(len(d.content)) - 8 + for i := e.maxMatchOff; i < end; i += 2 { + const hashLog = tableBits + + cv := load6432(d.content, i-e.maxMatchOff) + nextHash := hashLen(cv, hashLog, tableFastHashLen) // 0 -> 6 + nextHash1 := hashLen(cv>>8, hashLog, tableFastHashLen) // 1 -> 7 + e.dictTable[nextHash] = tableEntry{ + val: uint32(cv), + offset: i, + } + e.dictTable[nextHash1] = tableEntry{ + val: uint32(cv >> 8), + offset: i + 1, + } + } + } + e.lastDictID = d.id + e.allDirty = true + } + + e.cur = e.maxMatchOff + dirtyShardCnt := 0 + if !e.allDirty { + for i := range e.tableShardDirty { + if e.tableShardDirty[i] { + dirtyShardCnt++ + } + } + } + + const shardCnt = tableShardCnt + const shardSize = tableShardSize + if e.allDirty || dirtyShardCnt > shardCnt*4/6 { + //copy(e.table[:], e.dictTable) + e.table = *(*[tableSize]tableEntry)(e.dictTable) + for i := range e.tableShardDirty { + e.tableShardDirty[i] = false + } + e.allDirty = false + return + } + for i := range e.tableShardDirty { + if !e.tableShardDirty[i] { + continue + } + + //copy(e.table[i*shardSize:(i+1)*shardSize], e.dictTable[i*shardSize:(i+1)*shardSize]) + *(*[shardSize]tableEntry)(e.table[i*shardSize:]) = *(*[shardSize]tableEntry)(e.dictTable[i*shardSize:]) + e.tableShardDirty[i] = false + } + e.allDirty = false +} + +func (e *fastEncoderDict) markAllShardsDirty() { + e.allDirty = true +} + +func (e *fastEncoderDict) markShardDirty(entryNum uint32) { + e.tableShardDirty[entryNum/tableShardSize] = true +} diff --git a/vendor/github.com/klauspost/compress/zstd/encoder.go b/vendor/github.com/klauspost/compress/zstd/encoder.go new file mode 100644 index 0000000000..8f8223cd3a --- /dev/null +++ b/vendor/github.com/klauspost/compress/zstd/encoder.go @@ -0,0 +1,642 @@ +// Copyright 2019+ Klaus Post. All rights reserved. +// License information can be found in the LICENSE file. +// Based on work by Yann Collet, released under BSD License. + +package zstd + +import ( + "crypto/rand" + "errors" + "fmt" + "io" + "math" + rdebug "runtime/debug" + "sync" + + "github.com/klauspost/compress/zstd/internal/xxhash" +) + +// Encoder provides encoding to Zstandard. +// An Encoder can be used for either compressing a stream via the +// io.WriteCloser interface supported by the Encoder or as multiple independent +// tasks via the EncodeAll function. +// Smaller encodes are encouraged to use the EncodeAll function. +// Use NewWriter to create a new instance. +type Encoder struct { + o encoderOptions + encoders chan encoder + state encoderState + init sync.Once +} + +type encoder interface { + Encode(blk *blockEnc, src []byte) + EncodeNoHist(blk *blockEnc, src []byte) + Block() *blockEnc + CRC() *xxhash.Digest + AppendCRC([]byte) []byte + WindowSize(size int64) int32 + UseBlock(*blockEnc) + Reset(d *dict, singleBlock bool) +} + +type encoderState struct { + w io.Writer + filling []byte + current []byte + previous []byte + encoder encoder + writing *blockEnc + err error + writeErr error + nWritten int64 + nInput int64 + frameContentSize int64 + headerWritten bool + eofWritten bool + fullFrameWritten bool + + // This waitgroup indicates an encode is running. + wg sync.WaitGroup + // This waitgroup indicates we have a block encoding/writing. + wWg sync.WaitGroup +} + +// NewWriter will create a new Zstandard encoder. +// If the encoder will be used for encoding blocks a nil writer can be used. +func NewWriter(w io.Writer, opts ...EOption) (*Encoder, error) { + initPredefined() + var e Encoder + e.o.setDefault() + for _, o := range opts { + err := o(&e.o) + if err != nil { + return nil, err + } + } + if w != nil { + e.Reset(w) + } + return &e, nil +} + +func (e *Encoder) initialize() { + if e.o.concurrent == 0 { + e.o.setDefault() + } + e.encoders = make(chan encoder, e.o.concurrent) + for i := 0; i < e.o.concurrent; i++ { + enc := e.o.encoder() + e.encoders <- enc + } +} + +// Reset will re-initialize the writer and new writes will encode to the supplied writer +// as a new, independent stream. +func (e *Encoder) Reset(w io.Writer) { + s := &e.state + s.wg.Wait() + s.wWg.Wait() + if cap(s.filling) == 0 { + s.filling = make([]byte, 0, e.o.blockSize) + } + if e.o.concurrent > 1 { + if cap(s.current) == 0 { + s.current = make([]byte, 0, e.o.blockSize) + } + if cap(s.previous) == 0 { + s.previous = make([]byte, 0, e.o.blockSize) + } + s.current = s.current[:0] + s.previous = s.previous[:0] + if s.writing == nil { + s.writing = &blockEnc{lowMem: e.o.lowMem} + s.writing.init() + } + s.writing.initNewEncode() + } + if s.encoder == nil { + s.encoder = e.o.encoder() + } + s.filling = s.filling[:0] + s.encoder.Reset(e.o.dict, false) + s.headerWritten = false + s.eofWritten = false + s.fullFrameWritten = false + s.w = w + s.err = nil + s.nWritten = 0 + s.nInput = 0 + s.writeErr = nil + s.frameContentSize = 0 +} + +// ResetContentSize will reset and set a content size for the next stream. +// If the bytes written does not match the size given an error will be returned +// when calling Close(). +// This is removed when Reset is called. +// Sizes <= 0 results in no content size set. +func (e *Encoder) ResetContentSize(w io.Writer, size int64) { + e.Reset(w) + if size >= 0 { + e.state.frameContentSize = size + } +} + +// Write data to the encoder. +// Input data will be buffered and as the buffer fills up +// content will be compressed and written to the output. +// When done writing, use Close to flush the remaining output +// and write CRC if requested. +func (e *Encoder) Write(p []byte) (n int, err error) { + s := &e.state + if s.eofWritten { + return 0, ErrEncoderClosed + } + for len(p) > 0 { + if len(p)+len(s.filling) < e.o.blockSize { + if e.o.crc { + _, _ = s.encoder.CRC().Write(p) + } + s.filling = append(s.filling, p...) + return n + len(p), nil + } + add := p + if len(p)+len(s.filling) > e.o.blockSize { + add = add[:e.o.blockSize-len(s.filling)] + } + if e.o.crc { + _, _ = s.encoder.CRC().Write(add) + } + s.filling = append(s.filling, add...) + p = p[len(add):] + n += len(add) + if len(s.filling) < e.o.blockSize { + return n, nil + } + err := e.nextBlock(false) + if err != nil { + return n, err + } + if debugAsserts && len(s.filling) > 0 { + panic(len(s.filling)) + } + } + return n, nil +} + +// nextBlock will synchronize and start compressing input in e.state.filling. +// If an error has occurred during encoding it will be returned. +func (e *Encoder) nextBlock(final bool) error { + s := &e.state + // Wait for current block. + s.wg.Wait() + if s.err != nil { + return s.err + } + if len(s.filling) > e.o.blockSize { + return fmt.Errorf("block > maxStoreBlockSize") + } + if !s.headerWritten { + // If we have a single block encode, do a sync compression. + if final && len(s.filling) == 0 && !e.o.fullZero { + s.headerWritten = true + s.fullFrameWritten = true + s.eofWritten = true + return nil + } + if final && len(s.filling) > 0 { + s.current = e.encodeAll(s.encoder, s.filling, s.current[:0]) + var n2 int + n2, s.err = s.w.Write(s.current) + if s.err != nil { + return s.err + } + s.nWritten += int64(n2) + s.nInput += int64(len(s.filling)) + s.current = s.current[:0] + s.filling = s.filling[:0] + s.headerWritten = true + s.fullFrameWritten = true + s.eofWritten = true + return nil + } + + var tmp [maxHeaderSize]byte + fh := frameHeader{ + ContentSize: uint64(s.frameContentSize), + WindowSize: uint32(s.encoder.WindowSize(s.frameContentSize)), + SingleSegment: false, + Checksum: e.o.crc, + DictID: e.o.dict.ID(), + } + + dst := fh.appendTo(tmp[:0]) + s.headerWritten = true + s.wWg.Wait() + var n2 int + n2, s.err = s.w.Write(dst) + if s.err != nil { + return s.err + } + s.nWritten += int64(n2) + } + if s.eofWritten { + // Ensure we only write it once. + final = false + } + + if len(s.filling) == 0 { + // Final block, but no data. + if final { + enc := s.encoder + blk := enc.Block() + blk.reset(nil) + blk.last = true + blk.encodeRaw(nil) + s.wWg.Wait() + _, s.err = s.w.Write(blk.output) + s.nWritten += int64(len(blk.output)) + s.eofWritten = true + } + return s.err + } + + // SYNC: + if e.o.concurrent == 1 { + src := s.filling + s.nInput += int64(len(s.filling)) + if debugEncoder { + println("Adding sync block,", len(src), "bytes, final:", final) + } + enc := s.encoder + blk := enc.Block() + blk.reset(nil) + enc.Encode(blk, src) + blk.last = final + if final { + s.eofWritten = true + } + + s.err = blk.encode(src, e.o.noEntropy, !e.o.allLitEntropy) + if s.err != nil { + return s.err + } + _, s.err = s.w.Write(blk.output) + s.nWritten += int64(len(blk.output)) + s.filling = s.filling[:0] + return s.err + } + + // Move blocks forward. + s.filling, s.current, s.previous = s.previous[:0], s.filling, s.current + s.nInput += int64(len(s.current)) + s.wg.Add(1) + if final { + s.eofWritten = true + } + go func(src []byte) { + if debugEncoder { + println("Adding block,", len(src), "bytes, final:", final) + } + defer func() { + if r := recover(); r != nil { + s.err = fmt.Errorf("panic while encoding: %v", r) + rdebug.PrintStack() + } + s.wg.Done() + }() + enc := s.encoder + blk := enc.Block() + enc.Encode(blk, src) + blk.last = final + // Wait for pending writes. + s.wWg.Wait() + if s.writeErr != nil { + s.err = s.writeErr + return + } + // Transfer encoders from previous write block. + blk.swapEncoders(s.writing) + // Transfer recent offsets to next. + enc.UseBlock(s.writing) + s.writing = blk + s.wWg.Add(1) + go func() { + defer func() { + if r := recover(); r != nil { + s.writeErr = fmt.Errorf("panic while encoding/writing: %v", r) + rdebug.PrintStack() + } + s.wWg.Done() + }() + s.writeErr = blk.encode(src, e.o.noEntropy, !e.o.allLitEntropy) + if s.writeErr != nil { + return + } + _, s.writeErr = s.w.Write(blk.output) + s.nWritten += int64(len(blk.output)) + }() + }(s.current) + return nil +} + +// ReadFrom reads data from r until EOF or error. +// The return value n is the number of bytes read. +// Any error except io.EOF encountered during the read is also returned. +// +// The Copy function uses ReaderFrom if available. +func (e *Encoder) ReadFrom(r io.Reader) (n int64, err error) { + if debugEncoder { + println("Using ReadFrom") + } + + // Flush any current writes. + if len(e.state.filling) > 0 { + if err := e.nextBlock(false); err != nil { + return 0, err + } + } + e.state.filling = e.state.filling[:e.o.blockSize] + src := e.state.filling + for { + n2, err := r.Read(src) + if e.o.crc { + _, _ = e.state.encoder.CRC().Write(src[:n2]) + } + // src is now the unfilled part... + src = src[n2:] + n += int64(n2) + switch err { + case io.EOF: + e.state.filling = e.state.filling[:len(e.state.filling)-len(src)] + if debugEncoder { + println("ReadFrom: got EOF final block:", len(e.state.filling)) + } + return n, nil + case nil: + default: + if debugEncoder { + println("ReadFrom: got error:", err) + } + e.state.err = err + return n, err + } + if len(src) > 0 { + if debugEncoder { + println("ReadFrom: got space left in source:", len(src)) + } + continue + } + err = e.nextBlock(false) + if err != nil { + return n, err + } + e.state.filling = e.state.filling[:e.o.blockSize] + src = e.state.filling + } +} + +// Flush will send the currently written data to output +// and block until everything has been written. +// This should only be used on rare occasions where pushing the currently queued data is critical. +func (e *Encoder) Flush() error { + s := &e.state + if len(s.filling) > 0 { + err := e.nextBlock(false) + if err != nil { + // Ignore Flush after Close. + if errors.Is(s.err, ErrEncoderClosed) { + return nil + } + return err + } + } + s.wg.Wait() + s.wWg.Wait() + if s.err != nil { + // Ignore Flush after Close. + if errors.Is(s.err, ErrEncoderClosed) { + return nil + } + return s.err + } + return s.writeErr +} + +// Close will flush the final output and close the stream. +// The function will block until everything has been written. +// The Encoder can still be re-used after calling this. +func (e *Encoder) Close() error { + s := &e.state + if s.encoder == nil { + return nil + } + err := e.nextBlock(true) + if err != nil { + if errors.Is(s.err, ErrEncoderClosed) { + return nil + } + return err + } + if s.frameContentSize > 0 { + if s.nInput != s.frameContentSize { + return fmt.Errorf("frame content size %d given, but %d bytes was written", s.frameContentSize, s.nInput) + } + } + if e.state.fullFrameWritten { + return s.err + } + s.wg.Wait() + s.wWg.Wait() + + if s.err != nil { + return s.err + } + if s.writeErr != nil { + return s.writeErr + } + + // Write CRC + if e.o.crc && s.err == nil { + // heap alloc. + var tmp [4]byte + _, s.err = s.w.Write(s.encoder.AppendCRC(tmp[:0])) + s.nWritten += 4 + } + + // Add padding with content from crypto/rand.Reader + if s.err == nil && e.o.pad > 0 { + add := calcSkippableFrame(s.nWritten, int64(e.o.pad)) + frame, err := skippableFrame(s.filling[:0], add, rand.Reader) + if err != nil { + return err + } + _, s.err = s.w.Write(frame) + } + if s.err == nil { + s.err = ErrEncoderClosed + return nil + } + + return s.err +} + +// EncodeAll will encode all input in src and append it to dst. +// This function can be called concurrently, but each call will only run on a single goroutine. +// If empty input is given, nothing is returned, unless WithZeroFrames is specified. +// Encoded blocks can be concatenated and the result will be the combined input stream. +// Data compressed with EncodeAll can be decoded with the Decoder, +// using either a stream or DecodeAll. +func (e *Encoder) EncodeAll(src, dst []byte) []byte { + e.init.Do(e.initialize) + enc := <-e.encoders + defer func() { + e.encoders <- enc + }() + return e.encodeAll(enc, src, dst) +} + +func (e *Encoder) encodeAll(enc encoder, src, dst []byte) []byte { + if len(src) == 0 { + if e.o.fullZero { + // Add frame header. + fh := frameHeader{ + ContentSize: 0, + WindowSize: MinWindowSize, + SingleSegment: true, + // Adding a checksum would be a waste of space. + Checksum: false, + DictID: 0, + } + dst = fh.appendTo(dst) + + // Write raw block as last one only. + var blk blockHeader + blk.setSize(0) + blk.setType(blockTypeRaw) + blk.setLast(true) + dst = blk.appendTo(dst) + } + return dst + } + + // Use single segments when above minimum window and below window size. + single := len(src) <= e.o.windowSize && len(src) > MinWindowSize + if e.o.single != nil { + single = *e.o.single + } + fh := frameHeader{ + ContentSize: uint64(len(src)), + WindowSize: uint32(enc.WindowSize(int64(len(src)))), + SingleSegment: single, + Checksum: e.o.crc, + DictID: e.o.dict.ID(), + } + + // If less than 1MB, allocate a buffer up front. + if len(dst) == 0 && cap(dst) == 0 && len(src) < 1<<20 && !e.o.lowMem { + dst = make([]byte, 0, len(src)) + } + dst = fh.appendTo(dst) + + // If we can do everything in one block, prefer that. + if len(src) <= e.o.blockSize { + enc.Reset(e.o.dict, true) + // Slightly faster with no history and everything in one block. + if e.o.crc { + _, _ = enc.CRC().Write(src) + } + blk := enc.Block() + blk.last = true + if e.o.dict == nil { + enc.EncodeNoHist(blk, src) + } else { + enc.Encode(blk, src) + } + + // If we got the exact same number of literals as input, + // assume the literals cannot be compressed. + oldout := blk.output + // Output directly to dst + blk.output = dst + + err := blk.encode(src, e.o.noEntropy, !e.o.allLitEntropy) + if err != nil { + panic(err) + } + dst = blk.output + blk.output = oldout + } else { + enc.Reset(e.o.dict, false) + blk := enc.Block() + for len(src) > 0 { + todo := src + if len(todo) > e.o.blockSize { + todo = todo[:e.o.blockSize] + } + src = src[len(todo):] + if e.o.crc { + _, _ = enc.CRC().Write(todo) + } + blk.pushOffsets() + enc.Encode(blk, todo) + if len(src) == 0 { + blk.last = true + } + err := blk.encode(todo, e.o.noEntropy, !e.o.allLitEntropy) + if err != nil { + panic(err) + } + dst = append(dst, blk.output...) + blk.reset(nil) + } + } + if e.o.crc { + dst = enc.AppendCRC(dst) + } + // Add padding with content from crypto/rand.Reader + if e.o.pad > 0 { + add := calcSkippableFrame(int64(len(dst)), int64(e.o.pad)) + var err error + dst, err = skippableFrame(dst, add, rand.Reader) + if err != nil { + panic(err) + } + } + return dst +} + +// MaxEncodedSize returns the expected maximum +// size of an encoded block or stream. +func (e *Encoder) MaxEncodedSize(size int) int { + frameHeader := 4 + 2 // magic + frame header & window descriptor + if e.o.dict != nil { + frameHeader += 4 + } + // Frame content size: + if size < 256 { + frameHeader++ + } else if size < 65536+256 { + frameHeader += 2 + } else if size < math.MaxInt32 { + frameHeader += 4 + } else { + frameHeader += 8 + } + // Final crc + if e.o.crc { + frameHeader += 4 + } + + // Max overhead is 3 bytes/block. + // There cannot be 0 blocks. + blocks := (size + e.o.blockSize) / e.o.blockSize + + // Combine, add padding. + maxSz := frameHeader + 3*blocks + size + if e.o.pad > 1 { + maxSz += calcSkippableFrame(int64(maxSz), int64(e.o.pad)) + } + return maxSz +} diff --git a/vendor/github.com/klauspost/compress/zstd/encoder_options.go b/vendor/github.com/klauspost/compress/zstd/encoder_options.go new file mode 100644 index 0000000000..20671dcb91 --- /dev/null +++ b/vendor/github.com/klauspost/compress/zstd/encoder_options.go @@ -0,0 +1,339 @@ +package zstd + +import ( + "errors" + "fmt" + "math" + "math/bits" + "runtime" + "strings" +) + +// EOption is an option for creating a encoder. +type EOption func(*encoderOptions) error + +// options retains accumulated state of multiple options. +type encoderOptions struct { + concurrent int + level EncoderLevel + single *bool + pad int + blockSize int + windowSize int + crc bool + fullZero bool + noEntropy bool + allLitEntropy bool + customWindow bool + customALEntropy bool + customBlockSize bool + lowMem bool + dict *dict +} + +func (o *encoderOptions) setDefault() { + *o = encoderOptions{ + concurrent: runtime.GOMAXPROCS(0), + crc: true, + single: nil, + blockSize: maxCompressedBlockSize, + windowSize: 8 << 20, + level: SpeedDefault, + allLitEntropy: false, + lowMem: false, + } +} + +// encoder returns an encoder with the selected options. +func (o encoderOptions) encoder() encoder { + switch o.level { + case SpeedFastest: + if o.dict != nil { + return &fastEncoderDict{fastEncoder: fastEncoder{fastBase: fastBase{maxMatchOff: int32(o.windowSize), bufferReset: math.MaxInt32 - int32(o.windowSize*2), lowMem: o.lowMem}}} + } + return &fastEncoder{fastBase: fastBase{maxMatchOff: int32(o.windowSize), bufferReset: math.MaxInt32 - int32(o.windowSize*2), lowMem: o.lowMem}} + + case SpeedDefault: + if o.dict != nil { + return &doubleFastEncoderDict{fastEncoderDict: fastEncoderDict{fastEncoder: fastEncoder{fastBase: fastBase{maxMatchOff: int32(o.windowSize), bufferReset: math.MaxInt32 - int32(o.windowSize*2), lowMem: o.lowMem}}}} + } + return &doubleFastEncoder{fastEncoder: fastEncoder{fastBase: fastBase{maxMatchOff: int32(o.windowSize), bufferReset: math.MaxInt32 - int32(o.windowSize*2), lowMem: o.lowMem}}} + case SpeedBetterCompression: + if o.dict != nil { + return &betterFastEncoderDict{betterFastEncoder: betterFastEncoder{fastBase: fastBase{maxMatchOff: int32(o.windowSize), bufferReset: math.MaxInt32 - int32(o.windowSize*2), lowMem: o.lowMem}}} + } + return &betterFastEncoder{fastBase: fastBase{maxMatchOff: int32(o.windowSize), bufferReset: math.MaxInt32 - int32(o.windowSize*2), lowMem: o.lowMem}} + case SpeedBestCompression: + return &bestFastEncoder{fastBase: fastBase{maxMatchOff: int32(o.windowSize), bufferReset: math.MaxInt32 - int32(o.windowSize*2), lowMem: o.lowMem}} + } + panic("unknown compression level") +} + +// WithEncoderCRC will add CRC value to output. +// Output will be 4 bytes larger. +func WithEncoderCRC(b bool) EOption { + return func(o *encoderOptions) error { o.crc = b; return nil } +} + +// WithEncoderConcurrency will set the concurrency, +// meaning the maximum number of encoders to run concurrently. +// The value supplied must be at least 1. +// For streams, setting a value of 1 will disable async compression. +// By default this will be set to GOMAXPROCS. +func WithEncoderConcurrency(n int) EOption { + return func(o *encoderOptions) error { + if n <= 0 { + return fmt.Errorf("concurrency must be at least 1") + } + o.concurrent = n + return nil + } +} + +// WithWindowSize will set the maximum allowed back-reference distance. +// The value must be a power of two between MinWindowSize and MaxWindowSize. +// A larger value will enable better compression but allocate more memory and, +// for above-default values, take considerably longer. +// The default value is determined by the compression level and max 8MB. +func WithWindowSize(n int) EOption { + return func(o *encoderOptions) error { + switch { + case n < MinWindowSize: + return fmt.Errorf("window size must be at least %d", MinWindowSize) + case n > MaxWindowSize: + return fmt.Errorf("window size must be at most %d", MaxWindowSize) + case (n & (n - 1)) != 0: + return errors.New("window size must be a power of 2") + } + + o.windowSize = n + o.customWindow = true + if o.blockSize > o.windowSize { + o.blockSize = o.windowSize + o.customBlockSize = true + } + return nil + } +} + +// WithEncoderPadding will add padding to all output so the size will be a multiple of n. +// This can be used to obfuscate the exact output size or make blocks of a certain size. +// The contents will be a skippable frame, so it will be invisible by the decoder. +// n must be > 0 and <= 1GB, 1<<30 bytes. +// The padded area will be filled with data from crypto/rand.Reader. +// If `EncodeAll` is used with data already in the destination, the total size will be multiple of this. +func WithEncoderPadding(n int) EOption { + return func(o *encoderOptions) error { + if n <= 0 { + return fmt.Errorf("padding must be at least 1") + } + // No need to waste our time. + if n == 1 { + n = 0 + } + if n > 1<<30 { + return fmt.Errorf("padding must less than 1GB (1<<30 bytes) ") + } + o.pad = n + return nil + } +} + +// EncoderLevel predefines encoder compression levels. +// Only use the constants made available, since the actual mapping +// of these values are very likely to change and your compression could change +// unpredictably when upgrading the library. +type EncoderLevel int + +const ( + speedNotSet EncoderLevel = iota + + // SpeedFastest will choose the fastest reasonable compression. + // This is roughly equivalent to the fastest Zstandard mode. + SpeedFastest + + // SpeedDefault is the default "pretty fast" compression option. + // This is roughly equivalent to the default Zstandard mode (level 3). + SpeedDefault + + // SpeedBetterCompression will yield better compression than the default. + // Currently it is about zstd level 7-8 with ~ 2x-3x the default CPU usage. + // By using this, notice that CPU usage may go up in the future. + SpeedBetterCompression + + // SpeedBestCompression will choose the best available compression option. + // This will offer the best compression no matter the CPU cost. + SpeedBestCompression + + // speedLast should be kept as the last actual compression option. + // The is not for external usage, but is used to keep track of the valid options. + speedLast +) + +// EncoderLevelFromString will convert a string representation of an encoding level back +// to a compression level. The compare is not case sensitive. +// If the string wasn't recognized, (false, SpeedDefault) will be returned. +func EncoderLevelFromString(s string) (bool, EncoderLevel) { + for l := speedNotSet + 1; l < speedLast; l++ { + if strings.EqualFold(s, l.String()) { + return true, l + } + } + return false, SpeedDefault +} + +// EncoderLevelFromZstd will return an encoder level that closest matches the compression +// ratio of a specific zstd compression level. +// Many input values will provide the same compression level. +func EncoderLevelFromZstd(level int) EncoderLevel { + switch { + case level < 3: + return SpeedFastest + case level >= 3 && level < 6: + return SpeedDefault + case level >= 6 && level < 10: + return SpeedBetterCompression + default: + return SpeedBestCompression + } +} + +// String provides a string representation of the compression level. +func (e EncoderLevel) String() string { + switch e { + case SpeedFastest: + return "fastest" + case SpeedDefault: + return "default" + case SpeedBetterCompression: + return "better" + case SpeedBestCompression: + return "best" + default: + return "invalid" + } +} + +// WithEncoderLevel specifies a predefined compression level. +func WithEncoderLevel(l EncoderLevel) EOption { + return func(o *encoderOptions) error { + switch { + case l <= speedNotSet || l >= speedLast: + return fmt.Errorf("unknown encoder level") + } + o.level = l + if !o.customWindow { + switch o.level { + case SpeedFastest: + o.windowSize = 4 << 20 + if !o.customBlockSize { + o.blockSize = 1 << 16 + } + case SpeedDefault: + o.windowSize = 8 << 20 + case SpeedBetterCompression: + o.windowSize = 8 << 20 + case SpeedBestCompression: + o.windowSize = 8 << 20 + } + } + if !o.customALEntropy { + o.allLitEntropy = l > SpeedDefault + } + + return nil + } +} + +// WithZeroFrames will encode 0 length input as full frames. +// This can be needed for compatibility with zstandard usage, +// but is not needed for this package. +func WithZeroFrames(b bool) EOption { + return func(o *encoderOptions) error { + o.fullZero = b + return nil + } +} + +// WithAllLitEntropyCompression will apply entropy compression if no matches are found. +// Disabling this will skip incompressible data faster, but in cases with no matches but +// skewed character distribution compression is lost. +// Default value depends on the compression level selected. +func WithAllLitEntropyCompression(b bool) EOption { + return func(o *encoderOptions) error { + o.customALEntropy = true + o.allLitEntropy = b + return nil + } +} + +// WithNoEntropyCompression will always skip entropy compression of literals. +// This can be useful if content has matches, but unlikely to benefit from entropy +// compression. Usually the slight speed improvement is not worth enabling this. +func WithNoEntropyCompression(b bool) EOption { + return func(o *encoderOptions) error { + o.noEntropy = b + return nil + } +} + +// WithSingleSegment will set the "single segment" flag when EncodeAll is used. +// If this flag is set, data must be regenerated within a single continuous memory segment. +// In this case, Window_Descriptor byte is skipped, but Frame_Content_Size is necessarily present. +// As a consequence, the decoder must allocate a memory segment of size equal or larger than size of your content. +// In order to preserve the decoder from unreasonable memory requirements, +// a decoder is allowed to reject a compressed frame which requests a memory size beyond decoder's authorized range. +// For broader compatibility, decoders are recommended to support memory sizes of at least 8 MB. +// This is only a recommendation, each decoder is free to support higher or lower limits, depending on local limitations. +// If this is not specified, block encodes will automatically choose this based on the input size and the window size. +// This setting has no effect on streamed encodes. +func WithSingleSegment(b bool) EOption { + return func(o *encoderOptions) error { + o.single = &b + return nil + } +} + +// WithLowerEncoderMem will trade in some memory cases trade less memory usage for +// slower encoding speed. +// This will not change the window size which is the primary function for reducing +// memory usage. See WithWindowSize. +func WithLowerEncoderMem(b bool) EOption { + return func(o *encoderOptions) error { + o.lowMem = b + return nil + } +} + +// WithEncoderDict allows to register a dictionary that will be used for the encode. +// +// The slice dict must be in the [dictionary format] produced by +// "zstd --train" from the Zstandard reference implementation. +// +// The encoder *may* choose to use no dictionary instead for certain payloads. +// +// [dictionary format]: https://github.com/facebook/zstd/blob/dev/doc/zstd_compression_format.md#dictionary-format +func WithEncoderDict(dict []byte) EOption { + return func(o *encoderOptions) error { + d, err := loadDict(dict) + if err != nil { + return err + } + o.dict = d + return nil + } +} + +// WithEncoderDictRaw registers a dictionary that may be used by the encoder. +// +// The slice content may contain arbitrary data. It will be used as an initial +// history. +func WithEncoderDictRaw(id uint32, content []byte) EOption { + return func(o *encoderOptions) error { + if bits.UintSize > 32 && uint(len(content)) > dictMaxLength { + return fmt.Errorf("dictionary of size %d > 2GiB too large", len(content)) + } + o.dict = &dict{id: id, content: content, offsets: [3]int{1, 4, 8}} + return nil + } +} diff --git a/vendor/github.com/klauspost/compress/zstd/framedec.go b/vendor/github.com/klauspost/compress/zstd/framedec.go new file mode 100644 index 0000000000..e47af66e7c --- /dev/null +++ b/vendor/github.com/klauspost/compress/zstd/framedec.go @@ -0,0 +1,415 @@ +// Copyright 2019+ Klaus Post. All rights reserved. +// License information can be found in the LICENSE file. +// Based on work by Yann Collet, released under BSD License. + +package zstd + +import ( + "encoding/binary" + "encoding/hex" + "errors" + "io" + + "github.com/klauspost/compress/zstd/internal/xxhash" +) + +type frameDec struct { + o decoderOptions + crc *xxhash.Digest + + WindowSize uint64 + + // Frame history passed between blocks + history history + + rawInput byteBuffer + + // Byte buffer that can be reused for small input blocks. + bBuf byteBuf + + FrameContentSize uint64 + + DictionaryID uint32 + HasCheckSum bool + SingleSegment bool +} + +const ( + // MinWindowSize is the minimum Window Size, which is 1 KB. + MinWindowSize = 1 << 10 + + // MaxWindowSize is the maximum encoder window size + // and the default decoder maximum window size. + MaxWindowSize = 1 << 29 +) + +const ( + frameMagic = "\x28\xb5\x2f\xfd" + skippableFrameMagic = "\x2a\x4d\x18" +) + +func newFrameDec(o decoderOptions) *frameDec { + if o.maxWindowSize > o.maxDecodedSize { + o.maxWindowSize = o.maxDecodedSize + } + d := frameDec{ + o: o, + } + return &d +} + +// reset will read the frame header and prepare for block decoding. +// If nothing can be read from the input, io.EOF will be returned. +// Any other error indicated that the stream contained data, but +// there was a problem. +func (d *frameDec) reset(br byteBuffer) error { + d.HasCheckSum = false + d.WindowSize = 0 + var signature [4]byte + for { + var err error + // Check if we can read more... + b, err := br.readSmall(1) + switch err { + case io.EOF, io.ErrUnexpectedEOF: + return io.EOF + case nil: + signature[0] = b[0] + default: + return err + } + // Read the rest, don't allow io.ErrUnexpectedEOF + b, err = br.readSmall(3) + switch err { + case io.EOF: + return io.EOF + case nil: + copy(signature[1:], b) + default: + return err + } + + if string(signature[1:4]) != skippableFrameMagic || signature[0]&0xf0 != 0x50 { + if debugDecoder { + println("Not skippable", hex.EncodeToString(signature[:]), hex.EncodeToString([]byte(skippableFrameMagic))) + } + // Break if not skippable frame. + break + } + // Read size to skip + b, err = br.readSmall(4) + if err != nil { + if debugDecoder { + println("Reading Frame Size", err) + } + return err + } + n := uint32(b[0]) | (uint32(b[1]) << 8) | (uint32(b[2]) << 16) | (uint32(b[3]) << 24) + println("Skipping frame with", n, "bytes.") + err = br.skipN(int64(n)) + if err != nil { + if debugDecoder { + println("Reading discarded frame", err) + } + return err + } + } + if string(signature[:]) != frameMagic { + if debugDecoder { + println("Got magic numbers: ", signature, "want:", []byte(frameMagic)) + } + return ErrMagicMismatch + } + + // Read Frame_Header_Descriptor + fhd, err := br.readByte() + if err != nil { + if debugDecoder { + println("Reading Frame_Header_Descriptor", err) + } + return err + } + d.SingleSegment = fhd&(1<<5) != 0 + + if fhd&(1<<3) != 0 { + return errors.New("reserved bit set on frame header") + } + + // Read Window_Descriptor + // https://github.com/facebook/zstd/blob/dev/doc/zstd_compression_format.md#window_descriptor + d.WindowSize = 0 + if !d.SingleSegment { + wd, err := br.readByte() + if err != nil { + if debugDecoder { + println("Reading Window_Descriptor", err) + } + return err + } + if debugDecoder { + printf("raw: %x, mantissa: %d, exponent: %d\n", wd, wd&7, wd>>3) + } + windowLog := 10 + (wd >> 3) + windowBase := uint64(1) << windowLog + windowAdd := (windowBase / 8) * uint64(wd&0x7) + d.WindowSize = windowBase + windowAdd + } + + // Read Dictionary_ID + // https://github.com/facebook/zstd/blob/dev/doc/zstd_compression_format.md#dictionary_id + d.DictionaryID = 0 + if size := fhd & 3; size != 0 { + if size == 3 { + size = 4 + } + + b, err := br.readSmall(int(size)) + if err != nil { + println("Reading Dictionary_ID", err) + return err + } + var id uint32 + switch len(b) { + case 1: + id = uint32(b[0]) + case 2: + id = uint32(b[0]) | (uint32(b[1]) << 8) + case 4: + id = uint32(b[0]) | (uint32(b[1]) << 8) | (uint32(b[2]) << 16) | (uint32(b[3]) << 24) + } + if debugDecoder { + println("Dict size", size, "ID:", id) + } + d.DictionaryID = id + } + + // Read Frame_Content_Size + // https://github.com/facebook/zstd/blob/dev/doc/zstd_compression_format.md#frame_content_size + var fcsSize int + v := fhd >> 6 + switch v { + case 0: + if d.SingleSegment { + fcsSize = 1 + } + default: + fcsSize = 1 << v + } + d.FrameContentSize = fcsUnknown + if fcsSize > 0 { + b, err := br.readSmall(fcsSize) + if err != nil { + println("Reading Frame content", err) + return err + } + switch len(b) { + case 1: + d.FrameContentSize = uint64(b[0]) + case 2: + // When FCS_Field_Size is 2, the offset of 256 is added. + d.FrameContentSize = uint64(b[0]) | (uint64(b[1]) << 8) + 256 + case 4: + d.FrameContentSize = uint64(b[0]) | (uint64(b[1]) << 8) | (uint64(b[2]) << 16) | (uint64(b[3]) << 24) + case 8: + d1 := uint32(b[0]) | (uint32(b[1]) << 8) | (uint32(b[2]) << 16) | (uint32(b[3]) << 24) + d2 := uint32(b[4]) | (uint32(b[5]) << 8) | (uint32(b[6]) << 16) | (uint32(b[7]) << 24) + d.FrameContentSize = uint64(d1) | (uint64(d2) << 32) + } + if debugDecoder { + println("Read FCS:", d.FrameContentSize) + } + } + + // Move this to shared. + d.HasCheckSum = fhd&(1<<2) != 0 + if d.HasCheckSum { + if d.crc == nil { + d.crc = xxhash.New() + } + d.crc.Reset() + } + + if d.WindowSize > d.o.maxWindowSize { + if debugDecoder { + printf("window size %d > max %d\n", d.WindowSize, d.o.maxWindowSize) + } + return ErrWindowSizeExceeded + } + + if d.WindowSize == 0 && d.SingleSegment { + // We may not need window in this case. + d.WindowSize = d.FrameContentSize + if d.WindowSize < MinWindowSize { + d.WindowSize = MinWindowSize + } + if d.WindowSize > d.o.maxDecodedSize { + if debugDecoder { + printf("window size %d > max %d\n", d.WindowSize, d.o.maxWindowSize) + } + return ErrDecoderSizeExceeded + } + } + + // The minimum Window_Size is 1 KB. + if d.WindowSize < MinWindowSize { + if debugDecoder { + println("got window size: ", d.WindowSize) + } + return ErrWindowSizeTooSmall + } + d.history.windowSize = int(d.WindowSize) + if !d.o.lowMem || d.history.windowSize < maxBlockSize { + // Alloc 2x window size if not low-mem, or window size below 2MB. + d.history.allocFrameBuffer = d.history.windowSize * 2 + } else { + if d.o.lowMem { + // Alloc with 1MB extra. + d.history.allocFrameBuffer = d.history.windowSize + maxBlockSize/2 + } else { + // Alloc with 2MB extra. + d.history.allocFrameBuffer = d.history.windowSize + maxBlockSize + } + } + + if debugDecoder { + println("Frame: Dict:", d.DictionaryID, "FrameContentSize:", d.FrameContentSize, "singleseg:", d.SingleSegment, "window:", d.WindowSize, "crc:", d.HasCheckSum) + } + + // history contains input - maybe we do something + d.rawInput = br + return nil +} + +// next will start decoding the next block from stream. +func (d *frameDec) next(block *blockDec) error { + if debugDecoder { + println("decoding new block") + } + err := block.reset(d.rawInput, d.WindowSize) + if err != nil { + println("block error:", err) + // Signal the frame decoder we have a problem. + block.sendErr(err) + return err + } + return nil +} + +// checkCRC will check the checksum, assuming the frame has one. +// Will return ErrCRCMismatch if crc check failed, otherwise nil. +func (d *frameDec) checkCRC() error { + // We can overwrite upper tmp now + buf, err := d.rawInput.readSmall(4) + if err != nil { + println("CRC missing?", err) + return err + } + + want := binary.LittleEndian.Uint32(buf[:4]) + got := uint32(d.crc.Sum64()) + + if got != want { + if debugDecoder { + printf("CRC check failed: got %08x, want %08x\n", got, want) + } + return ErrCRCMismatch + } + if debugDecoder { + printf("CRC ok %08x\n", got) + } + return nil +} + +// consumeCRC skips over the checksum, assuming the frame has one. +func (d *frameDec) consumeCRC() error { + _, err := d.rawInput.readSmall(4) + if err != nil { + println("CRC missing?", err) + } + return err +} + +// runDecoder will run the decoder for the remainder of the frame. +func (d *frameDec) runDecoder(dst []byte, dec *blockDec) ([]byte, error) { + saved := d.history.b + + // We use the history for output to avoid copying it. + d.history.b = dst + d.history.ignoreBuffer = len(dst) + // Store input length, so we only check new data. + crcStart := len(dst) + d.history.decoders.maxSyncLen = 0 + if d.o.limitToCap { + d.history.decoders.maxSyncLen = uint64(cap(dst) - len(dst)) + } + if d.FrameContentSize != fcsUnknown { + if !d.o.limitToCap || d.FrameContentSize+uint64(len(dst)) < d.history.decoders.maxSyncLen { + d.history.decoders.maxSyncLen = d.FrameContentSize + uint64(len(dst)) + } + if d.history.decoders.maxSyncLen > d.o.maxDecodedSize { + if debugDecoder { + println("maxSyncLen:", d.history.decoders.maxSyncLen, "> maxDecodedSize:", d.o.maxDecodedSize) + } + return dst, ErrDecoderSizeExceeded + } + if debugDecoder { + println("maxSyncLen:", d.history.decoders.maxSyncLen) + } + if !d.o.limitToCap && uint64(cap(dst)) < d.history.decoders.maxSyncLen { + // Alloc for output + dst2 := make([]byte, len(dst), d.history.decoders.maxSyncLen+compressedBlockOverAlloc) + copy(dst2, dst) + dst = dst2 + } + } + var err error + for { + err = dec.reset(d.rawInput, d.WindowSize) + if err != nil { + break + } + if debugDecoder { + println("next block:", dec) + } + err = dec.decodeBuf(&d.history) + if err != nil { + break + } + if uint64(len(d.history.b)-crcStart) > d.o.maxDecodedSize { + println("runDecoder: maxDecodedSize exceeded", uint64(len(d.history.b)-crcStart), ">", d.o.maxDecodedSize) + err = ErrDecoderSizeExceeded + break + } + if d.o.limitToCap && len(d.history.b) > cap(dst) { + println("runDecoder: cap exceeded", uint64(len(d.history.b)), ">", cap(dst)) + err = ErrDecoderSizeExceeded + break + } + if uint64(len(d.history.b)-crcStart) > d.FrameContentSize { + println("runDecoder: FrameContentSize exceeded", uint64(len(d.history.b)-crcStart), ">", d.FrameContentSize) + err = ErrFrameSizeExceeded + break + } + if dec.Last { + break + } + if debugDecoder { + println("runDecoder: FrameContentSize", uint64(len(d.history.b)-crcStart), "<=", d.FrameContentSize) + } + } + dst = d.history.b + if err == nil { + if d.FrameContentSize != fcsUnknown && uint64(len(d.history.b)-crcStart) != d.FrameContentSize { + err = ErrFrameSizeMismatch + } else if d.HasCheckSum { + if d.o.ignoreChecksum { + err = d.consumeCRC() + } else { + d.crc.Write(dst[crcStart:]) + err = d.checkCRC() + } + } + } + d.history.b = saved + return dst, err +} diff --git a/vendor/github.com/klauspost/compress/zstd/frameenc.go b/vendor/github.com/klauspost/compress/zstd/frameenc.go new file mode 100644 index 0000000000..667ca06794 --- /dev/null +++ b/vendor/github.com/klauspost/compress/zstd/frameenc.go @@ -0,0 +1,137 @@ +// Copyright 2019+ Klaus Post. All rights reserved. +// License information can be found in the LICENSE file. +// Based on work by Yann Collet, released under BSD License. + +package zstd + +import ( + "encoding/binary" + "fmt" + "io" + "math" + "math/bits" +) + +type frameHeader struct { + ContentSize uint64 + WindowSize uint32 + SingleSegment bool + Checksum bool + DictID uint32 +} + +const maxHeaderSize = 14 + +func (f frameHeader) appendTo(dst []byte) []byte { + dst = append(dst, frameMagic...) + var fhd uint8 + if f.Checksum { + fhd |= 1 << 2 + } + if f.SingleSegment { + fhd |= 1 << 5 + } + + var dictIDContent []byte + if f.DictID > 0 { + var tmp [4]byte + if f.DictID < 256 { + fhd |= 1 + tmp[0] = uint8(f.DictID) + dictIDContent = tmp[:1] + } else if f.DictID < 1<<16 { + fhd |= 2 + binary.LittleEndian.PutUint16(tmp[:2], uint16(f.DictID)) + dictIDContent = tmp[:2] + } else { + fhd |= 3 + binary.LittleEndian.PutUint32(tmp[:4], f.DictID) + dictIDContent = tmp[:4] + } + } + var fcs uint8 + if f.ContentSize >= 256 { + fcs++ + } + if f.ContentSize >= 65536+256 { + fcs++ + } + if f.ContentSize >= 0xffffffff { + fcs++ + } + + fhd |= fcs << 6 + + dst = append(dst, fhd) + if !f.SingleSegment { + const winLogMin = 10 + windowLog := (bits.Len32(f.WindowSize-1) - winLogMin) << 3 + dst = append(dst, uint8(windowLog)) + } + if f.DictID > 0 { + dst = append(dst, dictIDContent...) + } + switch fcs { + case 0: + if f.SingleSegment { + dst = append(dst, uint8(f.ContentSize)) + } + // Unless SingleSegment is set, framessizes < 256 are not stored. + case 1: + f.ContentSize -= 256 + dst = append(dst, uint8(f.ContentSize), uint8(f.ContentSize>>8)) + case 2: + dst = append(dst, uint8(f.ContentSize), uint8(f.ContentSize>>8), uint8(f.ContentSize>>16), uint8(f.ContentSize>>24)) + case 3: + dst = append(dst, uint8(f.ContentSize), uint8(f.ContentSize>>8), uint8(f.ContentSize>>16), uint8(f.ContentSize>>24), + uint8(f.ContentSize>>32), uint8(f.ContentSize>>40), uint8(f.ContentSize>>48), uint8(f.ContentSize>>56)) + default: + panic("invalid fcs") + } + return dst +} + +const skippableFrameHeader = 4 + 4 + +// calcSkippableFrame will return a total size to be added for written +// to be divisible by multiple. +// The value will always be > skippableFrameHeader. +// The function will panic if written < 0 or wantMultiple <= 0. +func calcSkippableFrame(written, wantMultiple int64) int { + if wantMultiple <= 0 { + panic("wantMultiple <= 0") + } + if written < 0 { + panic("written < 0") + } + leftOver := written % wantMultiple + if leftOver == 0 { + return 0 + } + toAdd := wantMultiple - leftOver + for toAdd < skippableFrameHeader { + toAdd += wantMultiple + } + return int(toAdd) +} + +// skippableFrame will add a skippable frame with a total size of bytes. +// total should be >= skippableFrameHeader and < math.MaxUint32. +func skippableFrame(dst []byte, total int, r io.Reader) ([]byte, error) { + if total == 0 { + return dst, nil + } + if total < skippableFrameHeader { + return dst, fmt.Errorf("requested skippable frame (%d) < 8", total) + } + if int64(total) > math.MaxUint32 { + return dst, fmt.Errorf("requested skippable frame (%d) > max uint32", total) + } + dst = append(dst, 0x50, 0x2a, 0x4d, 0x18) + f := uint32(total - skippableFrameHeader) + dst = append(dst, uint8(f), uint8(f>>8), uint8(f>>16), uint8(f>>24)) + start := len(dst) + dst = append(dst, make([]byte, f)...) + _, err := io.ReadFull(r, dst[start:]) + return dst, err +} diff --git a/vendor/github.com/klauspost/compress/zstd/fse_decoder.go b/vendor/github.com/klauspost/compress/zstd/fse_decoder.go new file mode 100644 index 0000000000..2f8860a722 --- /dev/null +++ b/vendor/github.com/klauspost/compress/zstd/fse_decoder.go @@ -0,0 +1,307 @@ +// Copyright 2019+ Klaus Post. All rights reserved. +// License information can be found in the LICENSE file. +// Based on work by Yann Collet, released under BSD License. + +package zstd + +import ( + "encoding/binary" + "errors" + "fmt" + "io" +) + +const ( + tablelogAbsoluteMax = 9 +) + +const ( + /*!MEMORY_USAGE : + * Memory usage formula : N->2^N Bytes (examples : 10 -> 1KB; 12 -> 4KB ; 16 -> 64KB; 20 -> 1MB; etc.) + * Increasing memory usage improves compression ratio + * Reduced memory usage can improve speed, due to cache effect + * Recommended max value is 14, for 16KB, which nicely fits into Intel x86 L1 cache */ + maxMemoryUsage = tablelogAbsoluteMax + 2 + + maxTableLog = maxMemoryUsage - 2 + maxTablesize = 1 << maxTableLog + maxTableMask = (1 << maxTableLog) - 1 + minTablelog = 5 + maxSymbolValue = 255 +) + +// fseDecoder provides temporary storage for compression and decompression. +type fseDecoder struct { + dt [maxTablesize]decSymbol // Decompression table. + symbolLen uint16 // Length of active part of the symbol table. + actualTableLog uint8 // Selected tablelog. + maxBits uint8 // Maximum number of additional bits + + // used for table creation to avoid allocations. + stateTable [256]uint16 + norm [maxSymbolValue + 1]int16 + preDefined bool +} + +// tableStep returns the next table index. +func tableStep(tableSize uint32) uint32 { + return (tableSize >> 1) + (tableSize >> 3) + 3 +} + +// readNCount will read the symbol distribution so decoding tables can be constructed. +func (s *fseDecoder) readNCount(b *byteReader, maxSymbol uint16) error { + var ( + charnum uint16 + previous0 bool + ) + if b.remain() < 4 { + return errors.New("input too small") + } + bitStream := b.Uint32NC() + nbBits := uint((bitStream & 0xF) + minTablelog) // extract tableLog + if nbBits > tablelogAbsoluteMax { + println("Invalid tablelog:", nbBits) + return errors.New("tableLog too large") + } + bitStream >>= 4 + bitCount := uint(4) + + s.actualTableLog = uint8(nbBits) + remaining := int32((1 << nbBits) + 1) + threshold := int32(1 << nbBits) + gotTotal := int32(0) + nbBits++ + + for remaining > 1 && charnum <= maxSymbol { + if previous0 { + //println("prev0") + n0 := charnum + for (bitStream & 0xFFFF) == 0xFFFF { + //println("24 x 0") + n0 += 24 + if r := b.remain(); r > 5 { + b.advance(2) + // The check above should make sure we can read 32 bits + bitStream = b.Uint32NC() >> bitCount + } else { + // end of bit stream + bitStream >>= 16 + bitCount += 16 + } + } + //printf("bitstream: %d, 0b%b", bitStream&3, bitStream) + for (bitStream & 3) == 3 { + n0 += 3 + bitStream >>= 2 + bitCount += 2 + } + n0 += uint16(bitStream & 3) + bitCount += 2 + + if n0 > maxSymbolValue { + return errors.New("maxSymbolValue too small") + } + //println("inserting ", n0-charnum, "zeroes from idx", charnum, "ending before", n0) + for charnum < n0 { + s.norm[uint8(charnum)] = 0 + charnum++ + } + + if r := b.remain(); r >= 7 || r-int(bitCount>>3) >= 4 { + b.advance(bitCount >> 3) + bitCount &= 7 + // The check above should make sure we can read 32 bits + bitStream = b.Uint32NC() >> bitCount + } else { + bitStream >>= 2 + } + } + + max := (2*threshold - 1) - remaining + var count int32 + + if int32(bitStream)&(threshold-1) < max { + count = int32(bitStream) & (threshold - 1) + if debugAsserts && nbBits < 1 { + panic("nbBits underflow") + } + bitCount += nbBits - 1 + } else { + count = int32(bitStream) & (2*threshold - 1) + if count >= threshold { + count -= max + } + bitCount += nbBits + } + + // extra accuracy + count-- + if count < 0 { + // -1 means +1 + remaining += count + gotTotal -= count + } else { + remaining -= count + gotTotal += count + } + s.norm[charnum&0xff] = int16(count) + charnum++ + previous0 = count == 0 + for remaining < threshold { + nbBits-- + threshold >>= 1 + } + + if r := b.remain(); r >= 7 || r-int(bitCount>>3) >= 4 { + b.advance(bitCount >> 3) + bitCount &= 7 + // The check above should make sure we can read 32 bits + bitStream = b.Uint32NC() >> (bitCount & 31) + } else { + bitCount -= (uint)(8 * (len(b.b) - 4 - b.off)) + b.off = len(b.b) - 4 + bitStream = b.Uint32() >> (bitCount & 31) + } + } + s.symbolLen = charnum + if s.symbolLen <= 1 { + return fmt.Errorf("symbolLen (%d) too small", s.symbolLen) + } + if s.symbolLen > maxSymbolValue+1 { + return fmt.Errorf("symbolLen (%d) too big", s.symbolLen) + } + if remaining != 1 { + return fmt.Errorf("corruption detected (remaining %d != 1)", remaining) + } + if bitCount > 32 { + return fmt.Errorf("corruption detected (bitCount %d > 32)", bitCount) + } + if gotTotal != 1<> 3) + return s.buildDtable() +} + +func (s *fseDecoder) mustReadFrom(r io.Reader) { + fatalErr := func(err error) { + if err != nil { + panic(err) + } + } + // dt [maxTablesize]decSymbol // Decompression table. + // symbolLen uint16 // Length of active part of the symbol table. + // actualTableLog uint8 // Selected tablelog. + // maxBits uint8 // Maximum number of additional bits + // // used for table creation to avoid allocations. + // stateTable [256]uint16 + // norm [maxSymbolValue + 1]int16 + // preDefined bool + fatalErr(binary.Read(r, binary.LittleEndian, &s.dt)) + fatalErr(binary.Read(r, binary.LittleEndian, &s.symbolLen)) + fatalErr(binary.Read(r, binary.LittleEndian, &s.actualTableLog)) + fatalErr(binary.Read(r, binary.LittleEndian, &s.maxBits)) + fatalErr(binary.Read(r, binary.LittleEndian, &s.stateTable)) + fatalErr(binary.Read(r, binary.LittleEndian, &s.norm)) + fatalErr(binary.Read(r, binary.LittleEndian, &s.preDefined)) +} + +// decSymbol contains information about a state entry, +// Including the state offset base, the output symbol and +// the number of bits to read for the low part of the destination state. +// Using a composite uint64 is faster than a struct with separate members. +type decSymbol uint64 + +func newDecSymbol(nbits, addBits uint8, newState uint16, baseline uint32) decSymbol { + return decSymbol(nbits) | (decSymbol(addBits) << 8) | (decSymbol(newState) << 16) | (decSymbol(baseline) << 32) +} + +func (d decSymbol) nbBits() uint8 { + return uint8(d) +} + +func (d decSymbol) addBits() uint8 { + return uint8(d >> 8) +} + +func (d decSymbol) newState() uint16 { + return uint16(d >> 16) +} + +func (d decSymbol) baselineInt() int { + return int(d >> 32) +} + +func (d *decSymbol) setNBits(nBits uint8) { + const mask = 0xffffffffffffff00 + *d = (*d & mask) | decSymbol(nBits) +} + +func (d *decSymbol) setAddBits(addBits uint8) { + const mask = 0xffffffffffff00ff + *d = (*d & mask) | (decSymbol(addBits) << 8) +} + +func (d *decSymbol) setNewState(state uint16) { + const mask = 0xffffffff0000ffff + *d = (*d & mask) | decSymbol(state)<<16 +} + +func (d *decSymbol) setExt(addBits uint8, baseline uint32) { + const mask = 0xffff00ff + *d = (*d & mask) | (decSymbol(addBits) << 8) | (decSymbol(baseline) << 32) +} + +// decSymbolValue returns the transformed decSymbol for the given symbol. +func decSymbolValue(symb uint8, t []baseOffset) (decSymbol, error) { + if int(symb) >= len(t) { + return 0, fmt.Errorf("rle symbol %d >= max %d", symb, len(t)) + } + lu := t[symb] + return newDecSymbol(0, lu.addBits, 0, lu.baseLine), nil +} + +// setRLE will set the decoder til RLE mode. +func (s *fseDecoder) setRLE(symbol decSymbol) { + s.actualTableLog = 0 + s.maxBits = symbol.addBits() + s.dt[0] = symbol +} + +// transform will transform the decoder table into a table usable for +// decoding without having to apply the transformation while decoding. +// The state will contain the base value and the number of bits to read. +func (s *fseDecoder) transform(t []baseOffset) error { + tableSize := uint16(1 << s.actualTableLog) + s.maxBits = 0 + for i, v := range s.dt[:tableSize] { + add := v.addBits() + if int(add) >= len(t) { + return fmt.Errorf("invalid decoding table entry %d, symbol %d >= max (%d)", i, v.addBits(), len(t)) + } + lu := t[add] + if lu.addBits > s.maxBits { + s.maxBits = lu.addBits + } + v.setExt(lu.addBits, lu.baseLine) + s.dt[i] = v + } + return nil +} + +type fseState struct { + dt []decSymbol + state decSymbol +} + +// Initialize and decodeAsync first state and symbol. +func (s *fseState) init(br *bitReader, tableLog uint8, dt []decSymbol) { + s.dt = dt + br.fill() + s.state = dt[br.getBits(tableLog)] +} + +// final returns the current state symbol without decoding the next. +func (s decSymbol) final() (int, uint8) { + return s.baselineInt(), s.addBits() +} diff --git a/vendor/github.com/klauspost/compress/zstd/fse_decoder_amd64.go b/vendor/github.com/klauspost/compress/zstd/fse_decoder_amd64.go new file mode 100644 index 0000000000..d04a829b0a --- /dev/null +++ b/vendor/github.com/klauspost/compress/zstd/fse_decoder_amd64.go @@ -0,0 +1,65 @@ +//go:build amd64 && !appengine && !noasm && gc +// +build amd64,!appengine,!noasm,gc + +package zstd + +import ( + "fmt" +) + +type buildDtableAsmContext struct { + // inputs + stateTable *uint16 + norm *int16 + dt *uint64 + + // outputs --- set by the procedure in the case of error; + // for interpretation please see the error handling part below + errParam1 uint64 + errParam2 uint64 +} + +// buildDtable_asm is an x86 assembly implementation of fseDecoder.buildDtable. +// Function returns non-zero exit code on error. +// +//go:noescape +func buildDtable_asm(s *fseDecoder, ctx *buildDtableAsmContext) int + +// please keep in sync with _generate/gen_fse.go +const ( + errorCorruptedNormalizedCounter = 1 + errorNewStateTooBig = 2 + errorNewStateNoBits = 3 +) + +// buildDtable will build the decoding table. +func (s *fseDecoder) buildDtable() error { + ctx := buildDtableAsmContext{ + stateTable: &s.stateTable[0], + norm: &s.norm[0], + dt: (*uint64)(&s.dt[0]), + } + code := buildDtable_asm(s, &ctx) + + if code != 0 { + switch code { + case errorCorruptedNormalizedCounter: + position := ctx.errParam1 + return fmt.Errorf("corrupted input (position=%d, expected 0)", position) + + case errorNewStateTooBig: + newState := decSymbol(ctx.errParam1) + size := ctx.errParam2 + return fmt.Errorf("newState (%d) outside table size (%d)", newState, size) + + case errorNewStateNoBits: + newState := decSymbol(ctx.errParam1) + oldState := decSymbol(ctx.errParam2) + return fmt.Errorf("newState (%d) == oldState (%d) and no bits", newState, oldState) + + default: + return fmt.Errorf("buildDtable_asm returned unhandled nonzero code = %d", code) + } + } + return nil +} diff --git a/vendor/github.com/klauspost/compress/zstd/fse_decoder_amd64.s b/vendor/github.com/klauspost/compress/zstd/fse_decoder_amd64.s new file mode 100644 index 0000000000..bcde398695 --- /dev/null +++ b/vendor/github.com/klauspost/compress/zstd/fse_decoder_amd64.s @@ -0,0 +1,126 @@ +// Code generated by command: go run gen_fse.go -out ../fse_decoder_amd64.s -pkg=zstd. DO NOT EDIT. + +//go:build !appengine && !noasm && gc && !noasm + +// func buildDtable_asm(s *fseDecoder, ctx *buildDtableAsmContext) int +TEXT ·buildDtable_asm(SB), $0-24 + MOVQ ctx+8(FP), CX + MOVQ s+0(FP), DI + + // Load values + MOVBQZX 4098(DI), DX + XORQ AX, AX + BTSQ DX, AX + MOVQ (CX), BX + MOVQ 16(CX), SI + LEAQ -1(AX), R8 + MOVQ 8(CX), CX + MOVWQZX 4096(DI), DI + + // End load values + // Init, lay down lowprob symbols + XORQ R9, R9 + JMP init_main_loop_condition + +init_main_loop: + MOVWQSX (CX)(R9*2), R10 + CMPW R10, $-1 + JNE do_not_update_high_threshold + MOVB R9, 1(SI)(R8*8) + DECQ R8 + MOVQ $0x0000000000000001, R10 + +do_not_update_high_threshold: + MOVW R10, (BX)(R9*2) + INCQ R9 + +init_main_loop_condition: + CMPQ R9, DI + JL init_main_loop + + // Spread symbols + // Calculate table step + MOVQ AX, R9 + SHRQ $0x01, R9 + MOVQ AX, R10 + SHRQ $0x03, R10 + LEAQ 3(R9)(R10*1), R9 + + // Fill add bits values + LEAQ -1(AX), R10 + XORQ R11, R11 + XORQ R12, R12 + JMP spread_main_loop_condition + +spread_main_loop: + XORQ R13, R13 + MOVWQSX (CX)(R12*2), R14 + JMP spread_inner_loop_condition + +spread_inner_loop: + MOVB R12, 1(SI)(R11*8) + +adjust_position: + ADDQ R9, R11 + ANDQ R10, R11 + CMPQ R11, R8 + JG adjust_position + INCQ R13 + +spread_inner_loop_condition: + CMPQ R13, R14 + JL spread_inner_loop + INCQ R12 + +spread_main_loop_condition: + CMPQ R12, DI + JL spread_main_loop + TESTQ R11, R11 + JZ spread_check_ok + MOVQ ctx+8(FP), AX + MOVQ R11, 24(AX) + MOVQ $+1, ret+16(FP) + RET + +spread_check_ok: + // Build Decoding table + XORQ DI, DI + +build_table_main_table: + MOVBQZX 1(SI)(DI*8), CX + MOVWQZX (BX)(CX*2), R8 + LEAQ 1(R8), R9 + MOVW R9, (BX)(CX*2) + MOVQ R8, R9 + BSRQ R9, R9 + MOVQ DX, CX + SUBQ R9, CX + SHLQ CL, R8 + SUBQ AX, R8 + MOVB CL, (SI)(DI*8) + MOVW R8, 2(SI)(DI*8) + CMPQ R8, AX + JLE build_table_check1_ok + MOVQ ctx+8(FP), CX + MOVQ R8, 24(CX) + MOVQ AX, 32(CX) + MOVQ $+2, ret+16(FP) + RET + +build_table_check1_ok: + TESTB CL, CL + JNZ build_table_check2_ok + CMPW R8, DI + JNE build_table_check2_ok + MOVQ ctx+8(FP), AX + MOVQ R8, 24(AX) + MOVQ DI, 32(AX) + MOVQ $+3, ret+16(FP) + RET + +build_table_check2_ok: + INCQ DI + CMPQ DI, AX + JL build_table_main_table + MOVQ $+0, ret+16(FP) + RET diff --git a/vendor/github.com/klauspost/compress/zstd/fse_decoder_generic.go b/vendor/github.com/klauspost/compress/zstd/fse_decoder_generic.go new file mode 100644 index 0000000000..8adfebb029 --- /dev/null +++ b/vendor/github.com/klauspost/compress/zstd/fse_decoder_generic.go @@ -0,0 +1,73 @@ +//go:build !amd64 || appengine || !gc || noasm +// +build !amd64 appengine !gc noasm + +package zstd + +import ( + "errors" + "fmt" +) + +// buildDtable will build the decoding table. +func (s *fseDecoder) buildDtable() error { + tableSize := uint32(1 << s.actualTableLog) + highThreshold := tableSize - 1 + symbolNext := s.stateTable[:256] + + // Init, lay down lowprob symbols + { + for i, v := range s.norm[:s.symbolLen] { + if v == -1 { + s.dt[highThreshold].setAddBits(uint8(i)) + highThreshold-- + v = 1 + } + symbolNext[i] = uint16(v) + } + } + + // Spread symbols + { + tableMask := tableSize - 1 + step := tableStep(tableSize) + position := uint32(0) + for ss, v := range s.norm[:s.symbolLen] { + for i := 0; i < int(v); i++ { + s.dt[position].setAddBits(uint8(ss)) + for { + // lowprob area + position = (position + step) & tableMask + if position <= highThreshold { + break + } + } + } + } + if position != 0 { + // position must reach all cells once, otherwise normalizedCounter is incorrect + return errors.New("corrupted input (position != 0)") + } + } + + // Build Decoding table + { + tableSize := uint16(1 << s.actualTableLog) + for u, v := range s.dt[:tableSize] { + symbol := v.addBits() + nextState := symbolNext[symbol] + symbolNext[symbol] = nextState + 1 + nBits := s.actualTableLog - byte(highBits(uint32(nextState))) + s.dt[u&maxTableMask].setNBits(nBits) + newState := (nextState << nBits) - tableSize + if newState > tableSize { + return fmt.Errorf("newState (%d) outside table size (%d)", newState, tableSize) + } + if newState == uint16(u) && nBits == 0 { + // Seems weird that this is possible with nbits > 0. + return fmt.Errorf("newState (%d) == oldState (%d) and no bits", newState, u) + } + s.dt[u&maxTableMask].setNewState(newState) + } + } + return nil +} diff --git a/vendor/github.com/klauspost/compress/zstd/fse_encoder.go b/vendor/github.com/klauspost/compress/zstd/fse_encoder.go new file mode 100644 index 0000000000..ab26326a8f --- /dev/null +++ b/vendor/github.com/klauspost/compress/zstd/fse_encoder.go @@ -0,0 +1,701 @@ +// Copyright 2019+ Klaus Post. All rights reserved. +// License information can be found in the LICENSE file. +// Based on work by Yann Collet, released under BSD License. + +package zstd + +import ( + "errors" + "fmt" + "math" +) + +const ( + // For encoding we only support up to + maxEncTableLog = 8 + maxEncTablesize = 1 << maxTableLog + maxEncTableMask = (1 << maxTableLog) - 1 + minEncTablelog = 5 + maxEncSymbolValue = maxMatchLengthSymbol +) + +// Scratch provides temporary storage for compression and decompression. +type fseEncoder struct { + symbolLen uint16 // Length of active part of the symbol table. + actualTableLog uint8 // Selected tablelog. + ct cTable // Compression tables. + maxCount int // count of the most probable symbol + zeroBits bool // no bits has prob > 50%. + clearCount bool // clear count + useRLE bool // This encoder is for RLE + preDefined bool // This encoder is predefined. + reUsed bool // Set to know when the encoder has been reused. + rleVal uint8 // RLE Symbol + maxBits uint8 // Maximum output bits after transform. + + // TODO: Technically zstd should be fine with 64 bytes. + count [256]uint32 + norm [256]int16 +} + +// cTable contains tables used for compression. +type cTable struct { + tableSymbol []byte + stateTable []uint16 + symbolTT []symbolTransform +} + +// symbolTransform contains the state transform for a symbol. +type symbolTransform struct { + deltaNbBits uint32 + deltaFindState int16 + outBits uint8 +} + +// String prints values as a human readable string. +func (s symbolTransform) String() string { + return fmt.Sprintf("{deltabits: %08x, findstate:%d outbits:%d}", s.deltaNbBits, s.deltaFindState, s.outBits) +} + +// Histogram allows to populate the histogram and skip that step in the compression, +// It otherwise allows to inspect the histogram when compression is done. +// To indicate that you have populated the histogram call HistogramFinished +// with the value of the highest populated symbol, as well as the number of entries +// in the most populated entry. These are accepted at face value. +func (s *fseEncoder) Histogram() *[256]uint32 { + return &s.count +} + +// HistogramFinished can be called to indicate that the histogram has been populated. +// maxSymbol is the index of the highest set symbol of the next data segment. +// maxCount is the number of entries in the most populated entry. +// These are accepted at face value. +func (s *fseEncoder) HistogramFinished(maxSymbol uint8, maxCount int) { + s.maxCount = maxCount + s.symbolLen = uint16(maxSymbol) + 1 + s.clearCount = maxCount != 0 +} + +// allocCtable will allocate tables needed for compression. +// If existing tables a re big enough, they are simply re-used. +func (s *fseEncoder) allocCtable() { + tableSize := 1 << s.actualTableLog + // get tableSymbol that is big enough. + if cap(s.ct.tableSymbol) < tableSize { + s.ct.tableSymbol = make([]byte, tableSize) + } + s.ct.tableSymbol = s.ct.tableSymbol[:tableSize] + + ctSize := tableSize + if cap(s.ct.stateTable) < ctSize { + s.ct.stateTable = make([]uint16, ctSize) + } + s.ct.stateTable = s.ct.stateTable[:ctSize] + + if cap(s.ct.symbolTT) < 256 { + s.ct.symbolTT = make([]symbolTransform, 256) + } + s.ct.symbolTT = s.ct.symbolTT[:256] +} + +// buildCTable will populate the compression table so it is ready to be used. +func (s *fseEncoder) buildCTable() error { + tableSize := uint32(1 << s.actualTableLog) + highThreshold := tableSize - 1 + var cumul [256]int16 + + s.allocCtable() + tableSymbol := s.ct.tableSymbol[:tableSize] + // symbol start positions + { + cumul[0] = 0 + for ui, v := range s.norm[:s.symbolLen-1] { + u := byte(ui) // one less than reference + if v == -1 { + // Low proba symbol + cumul[u+1] = cumul[u] + 1 + tableSymbol[highThreshold] = u + highThreshold-- + } else { + cumul[u+1] = cumul[u] + v + } + } + // Encode last symbol separately to avoid overflowing u + u := int(s.symbolLen - 1) + v := s.norm[s.symbolLen-1] + if v == -1 { + // Low proba symbol + cumul[u+1] = cumul[u] + 1 + tableSymbol[highThreshold] = byte(u) + highThreshold-- + } else { + cumul[u+1] = cumul[u] + v + } + if uint32(cumul[s.symbolLen]) != tableSize { + return fmt.Errorf("internal error: expected cumul[s.symbolLen] (%d) == tableSize (%d)", cumul[s.symbolLen], tableSize) + } + cumul[s.symbolLen] = int16(tableSize) + 1 + } + // Spread symbols + s.zeroBits = false + { + step := tableStep(tableSize) + tableMask := tableSize - 1 + var position uint32 + // if any symbol > largeLimit, we may have 0 bits output. + largeLimit := int16(1 << (s.actualTableLog - 1)) + for ui, v := range s.norm[:s.symbolLen] { + symbol := byte(ui) + if v > largeLimit { + s.zeroBits = true + } + for nbOccurrences := int16(0); nbOccurrences < v; nbOccurrences++ { + tableSymbol[position] = symbol + position = (position + step) & tableMask + for position > highThreshold { + position = (position + step) & tableMask + } /* Low proba area */ + } + } + + // Check if we have gone through all positions + if position != 0 { + return errors.New("position!=0") + } + } + + // Build table + table := s.ct.stateTable + { + tsi := int(tableSize) + for u, v := range tableSymbol { + // TableU16 : sorted by symbol order; gives next state value + table[cumul[v]] = uint16(tsi + u) + cumul[v]++ + } + } + + // Build Symbol Transformation Table + { + total := int16(0) + symbolTT := s.ct.symbolTT[:s.symbolLen] + tableLog := s.actualTableLog + tl := (uint32(tableLog) << 16) - (1 << tableLog) + for i, v := range s.norm[:s.symbolLen] { + switch v { + case 0: + case -1, 1: + symbolTT[i].deltaNbBits = tl + symbolTT[i].deltaFindState = total - 1 + total++ + default: + maxBitsOut := uint32(tableLog) - highBit(uint32(v-1)) + minStatePlus := uint32(v) << maxBitsOut + symbolTT[i].deltaNbBits = (maxBitsOut << 16) - minStatePlus + symbolTT[i].deltaFindState = total - v + total += v + } + } + if total != int16(tableSize) { + return fmt.Errorf("total mismatch %d (got) != %d (want)", total, tableSize) + } + } + return nil +} + +var rtbTable = [...]uint32{0, 473195, 504333, 520860, 550000, 700000, 750000, 830000} + +func (s *fseEncoder) setRLE(val byte) { + s.allocCtable() + s.actualTableLog = 0 + s.ct.stateTable = s.ct.stateTable[:1] + s.ct.symbolTT[val] = symbolTransform{ + deltaFindState: 0, + deltaNbBits: 0, + } + if debugEncoder { + println("setRLE: val", val, "symbolTT", s.ct.symbolTT[val]) + } + s.rleVal = val + s.useRLE = true +} + +// setBits will set output bits for the transform. +// if nil is provided, the number of bits is equal to the index. +func (s *fseEncoder) setBits(transform []byte) { + if s.reUsed || s.preDefined { + return + } + if s.useRLE { + if transform == nil { + s.ct.symbolTT[s.rleVal].outBits = s.rleVal + s.maxBits = s.rleVal + return + } + s.maxBits = transform[s.rleVal] + s.ct.symbolTT[s.rleVal].outBits = s.maxBits + return + } + if transform == nil { + for i := range s.ct.symbolTT[:s.symbolLen] { + s.ct.symbolTT[i].outBits = uint8(i) + } + s.maxBits = uint8(s.symbolLen - 1) + return + } + s.maxBits = 0 + for i, v := range transform[:s.symbolLen] { + s.ct.symbolTT[i].outBits = v + if v > s.maxBits { + // We could assume bits always going up, but we play safe. + s.maxBits = v + } + } +} + +// normalizeCount will normalize the count of the symbols so +// the total is equal to the table size. +// If successful, compression tables will also be made ready. +func (s *fseEncoder) normalizeCount(length int) error { + if s.reUsed { + return nil + } + s.optimalTableLog(length) + var ( + tableLog = s.actualTableLog + scale = 62 - uint64(tableLog) + step = (1 << 62) / uint64(length) + vStep = uint64(1) << (scale - 20) + stillToDistribute = int16(1 << tableLog) + largest int + largestP int16 + lowThreshold = (uint32)(length >> tableLog) + ) + if s.maxCount == length { + s.useRLE = true + return nil + } + s.useRLE = false + for i, cnt := range s.count[:s.symbolLen] { + // already handled + // if (count[s] == s.length) return 0; /* rle special case */ + + if cnt == 0 { + s.norm[i] = 0 + continue + } + if cnt <= lowThreshold { + s.norm[i] = -1 + stillToDistribute-- + } else { + proba := (int16)((uint64(cnt) * step) >> scale) + if proba < 8 { + restToBeat := vStep * uint64(rtbTable[proba]) + v := uint64(cnt)*step - (uint64(proba) << scale) + if v > restToBeat { + proba++ + } + } + if proba > largestP { + largestP = proba + largest = i + } + s.norm[i] = proba + stillToDistribute -= proba + } + } + + if -stillToDistribute >= (s.norm[largest] >> 1) { + // corner case, need another normalization method + err := s.normalizeCount2(length) + if err != nil { + return err + } + if debugAsserts { + err = s.validateNorm() + if err != nil { + return err + } + } + return s.buildCTable() + } + s.norm[largest] += stillToDistribute + if debugAsserts { + err := s.validateNorm() + if err != nil { + return err + } + } + return s.buildCTable() +} + +// Secondary normalization method. +// To be used when primary method fails. +func (s *fseEncoder) normalizeCount2(length int) error { + const notYetAssigned = -2 + var ( + distributed uint32 + total = uint32(length) + tableLog = s.actualTableLog + lowThreshold = total >> tableLog + lowOne = (total * 3) >> (tableLog + 1) + ) + for i, cnt := range s.count[:s.symbolLen] { + if cnt == 0 { + s.norm[i] = 0 + continue + } + if cnt <= lowThreshold { + s.norm[i] = -1 + distributed++ + total -= cnt + continue + } + if cnt <= lowOne { + s.norm[i] = 1 + distributed++ + total -= cnt + continue + } + s.norm[i] = notYetAssigned + } + toDistribute := (1 << tableLog) - distributed + + if (total / toDistribute) > lowOne { + // risk of rounding to zero + lowOne = (total * 3) / (toDistribute * 2) + for i, cnt := range s.count[:s.symbolLen] { + if (s.norm[i] == notYetAssigned) && (cnt <= lowOne) { + s.norm[i] = 1 + distributed++ + total -= cnt + continue + } + } + toDistribute = (1 << tableLog) - distributed + } + if distributed == uint32(s.symbolLen)+1 { + // all values are pretty poor; + // probably incompressible data (should have already been detected); + // find max, then give all remaining points to max + var maxV int + var maxC uint32 + for i, cnt := range s.count[:s.symbolLen] { + if cnt > maxC { + maxV = i + maxC = cnt + } + } + s.norm[maxV] += int16(toDistribute) + return nil + } + + if total == 0 { + // all of the symbols were low enough for the lowOne or lowThreshold + for i := uint32(0); toDistribute > 0; i = (i + 1) % (uint32(s.symbolLen)) { + if s.norm[i] > 0 { + toDistribute-- + s.norm[i]++ + } + } + return nil + } + + var ( + vStepLog = 62 - uint64(tableLog) + mid = uint64((1 << (vStepLog - 1)) - 1) + rStep = (((1 << vStepLog) * uint64(toDistribute)) + mid) / uint64(total) // scale on remaining + tmpTotal = mid + ) + for i, cnt := range s.count[:s.symbolLen] { + if s.norm[i] == notYetAssigned { + var ( + end = tmpTotal + uint64(cnt)*rStep + sStart = uint32(tmpTotal >> vStepLog) + sEnd = uint32(end >> vStepLog) + weight = sEnd - sStart + ) + if weight < 1 { + return errors.New("weight < 1") + } + s.norm[i] = int16(weight) + tmpTotal = end + } + } + return nil +} + +// optimalTableLog calculates and sets the optimal tableLog in s.actualTableLog +func (s *fseEncoder) optimalTableLog(length int) { + tableLog := uint8(maxEncTableLog) + minBitsSrc := highBit(uint32(length)) + 1 + minBitsSymbols := highBit(uint32(s.symbolLen-1)) + 2 + minBits := uint8(minBitsSymbols) + if minBitsSrc < minBitsSymbols { + minBits = uint8(minBitsSrc) + } + + maxBitsSrc := uint8(highBit(uint32(length-1))) - 2 + if maxBitsSrc < tableLog { + // Accuracy can be reduced + tableLog = maxBitsSrc + } + if minBits > tableLog { + tableLog = minBits + } + // Need a minimum to safely represent all symbol values + if tableLog < minEncTablelog { + tableLog = minEncTablelog + } + if tableLog > maxEncTableLog { + tableLog = maxEncTableLog + } + s.actualTableLog = tableLog +} + +// validateNorm validates the normalized histogram table. +func (s *fseEncoder) validateNorm() (err error) { + var total int + for _, v := range s.norm[:s.symbolLen] { + if v >= 0 { + total += int(v) + } else { + total -= int(v) + } + } + defer func() { + if err == nil { + return + } + fmt.Printf("selected TableLog: %d, Symbol length: %d\n", s.actualTableLog, s.symbolLen) + for i, v := range s.norm[:s.symbolLen] { + fmt.Printf("%3d: %5d -> %4d \n", i, s.count[i], v) + } + }() + if total != (1 << s.actualTableLog) { + return fmt.Errorf("warning: Total == %d != %d", total, 1<> 3) + 3 + 2 + + // Write Table Size + bitStream = uint32(tableLog - minEncTablelog) + bitCount = uint(4) + remaining = int16(tableSize + 1) /* +1 for extra accuracy */ + threshold = int16(tableSize) + nbBits = uint(tableLog + 1) + outP = len(out) + ) + if cap(out) < outP+maxHeaderSize { + out = append(out, make([]byte, maxHeaderSize*3)...) + out = out[:len(out)-maxHeaderSize*3] + } + out = out[:outP+maxHeaderSize] + + // stops at 1 + for remaining > 1 { + if previous0 { + start := charnum + for s.norm[charnum] == 0 { + charnum++ + } + for charnum >= start+24 { + start += 24 + bitStream += uint32(0xFFFF) << bitCount + out[outP] = byte(bitStream) + out[outP+1] = byte(bitStream >> 8) + outP += 2 + bitStream >>= 16 + } + for charnum >= start+3 { + start += 3 + bitStream += 3 << bitCount + bitCount += 2 + } + bitStream += uint32(charnum-start) << bitCount + bitCount += 2 + if bitCount > 16 { + out[outP] = byte(bitStream) + out[outP+1] = byte(bitStream >> 8) + outP += 2 + bitStream >>= 16 + bitCount -= 16 + } + } + + count := s.norm[charnum] + charnum++ + max := (2*threshold - 1) - remaining + if count < 0 { + remaining += count + } else { + remaining -= count + } + count++ // +1 for extra accuracy + if count >= threshold { + count += max // [0..max[ [max..threshold[ (...) [threshold+max 2*threshold[ + } + bitStream += uint32(count) << bitCount + bitCount += nbBits + if count < max { + bitCount-- + } + + previous0 = count == 1 + if remaining < 1 { + return nil, errors.New("internal error: remaining < 1") + } + for remaining < threshold { + nbBits-- + threshold >>= 1 + } + + if bitCount > 16 { + out[outP] = byte(bitStream) + out[outP+1] = byte(bitStream >> 8) + outP += 2 + bitStream >>= 16 + bitCount -= 16 + } + } + + if outP+2 > len(out) { + return nil, fmt.Errorf("internal error: %d > %d, maxheader: %d, sl: %d, tl: %d, normcount: %v", outP+2, len(out), maxHeaderSize, s.symbolLen, int(tableLog), s.norm[:s.symbolLen]) + } + out[outP] = byte(bitStream) + out[outP+1] = byte(bitStream >> 8) + outP += int((bitCount + 7) / 8) + + if charnum > s.symbolLen { + return nil, errors.New("internal error: charnum > s.symbolLen") + } + return out[:outP], nil +} + +// Approximate symbol cost, as fractional value, using fixed-point format (accuracyLog fractional bits) +// note 1 : assume symbolValue is valid (<= maxSymbolValue) +// note 2 : if freq[symbolValue]==0, @return a fake cost of tableLog+1 bits * +func (s *fseEncoder) bitCost(symbolValue uint8, accuracyLog uint32) uint32 { + minNbBits := s.ct.symbolTT[symbolValue].deltaNbBits >> 16 + threshold := (minNbBits + 1) << 16 + if debugAsserts { + if !(s.actualTableLog < 16) { + panic("!s.actualTableLog < 16") + } + // ensure enough room for renormalization double shift + if !(uint8(accuracyLog) < 31-s.actualTableLog) { + panic("!uint8(accuracyLog) < 31-s.actualTableLog") + } + } + tableSize := uint32(1) << s.actualTableLog + deltaFromThreshold := threshold - (s.ct.symbolTT[symbolValue].deltaNbBits + tableSize) + // linear interpolation (very approximate) + normalizedDeltaFromThreshold := (deltaFromThreshold << accuracyLog) >> s.actualTableLog + bitMultiplier := uint32(1) << accuracyLog + if debugAsserts { + if s.ct.symbolTT[symbolValue].deltaNbBits+tableSize > threshold { + panic("s.ct.symbolTT[symbolValue].deltaNbBits+tableSize > threshold") + } + if normalizedDeltaFromThreshold > bitMultiplier { + panic("normalizedDeltaFromThreshold > bitMultiplier") + } + } + return (minNbBits+1)*bitMultiplier - normalizedDeltaFromThreshold +} + +// Returns the cost in bits of encoding the distribution in count using ctable. +// Histogram should only be up to the last non-zero symbol. +// Returns an -1 if ctable cannot represent all the symbols in count. +func (s *fseEncoder) approxSize(hist []uint32) uint32 { + if int(s.symbolLen) < len(hist) { + // More symbols than we have. + return math.MaxUint32 + } + if s.useRLE { + // We will never reuse RLE encoders. + return math.MaxUint32 + } + const kAccuracyLog = 8 + badCost := (uint32(s.actualTableLog) + 1) << kAccuracyLog + var cost uint32 + for i, v := range hist { + if v == 0 { + continue + } + if s.norm[i] == 0 { + return math.MaxUint32 + } + bitCost := s.bitCost(uint8(i), kAccuracyLog) + if bitCost > badCost { + return math.MaxUint32 + } + cost += v * bitCost + } + return cost >> kAccuracyLog +} + +// maxHeaderSize returns the maximum header size in bits. +// This is not exact size, but we want a penalty for new tables anyway. +func (s *fseEncoder) maxHeaderSize() uint32 { + if s.preDefined { + return 0 + } + if s.useRLE { + return 8 + } + return (((uint32(s.symbolLen) * uint32(s.actualTableLog)) >> 3) + 3) * 8 +} + +// cState contains the compression state of a stream. +type cState struct { + bw *bitWriter + stateTable []uint16 + state uint16 +} + +// init will initialize the compression state to the first symbol of the stream. +func (c *cState) init(bw *bitWriter, ct *cTable, first symbolTransform) { + c.bw = bw + c.stateTable = ct.stateTable + if len(c.stateTable) == 1 { + // RLE + c.stateTable[0] = uint16(0) + c.state = 0 + return + } + nbBitsOut := (first.deltaNbBits + (1 << 15)) >> 16 + im := int32((nbBitsOut << 16) - first.deltaNbBits) + lu := (im >> nbBitsOut) + int32(first.deltaFindState) + c.state = c.stateTable[lu] +} + +// flush will write the tablelog to the output and flush the remaining full bytes. +func (c *cState) flush(tableLog uint8) { + c.bw.flush32() + c.bw.addBits16NC(c.state, tableLog) +} diff --git a/vendor/github.com/klauspost/compress/zstd/fse_predefined.go b/vendor/github.com/klauspost/compress/zstd/fse_predefined.go new file mode 100644 index 0000000000..474cb77d2b --- /dev/null +++ b/vendor/github.com/klauspost/compress/zstd/fse_predefined.go @@ -0,0 +1,158 @@ +// Copyright 2019+ Klaus Post. All rights reserved. +// License information can be found in the LICENSE file. +// Based on work by Yann Collet, released under BSD License. + +package zstd + +import ( + "fmt" + "math" + "sync" +) + +var ( + // fsePredef are the predefined fse tables as defined here: + // https://github.com/facebook/zstd/blob/dev/doc/zstd_compression_format.md#default-distributions + // These values are already transformed. + fsePredef [3]fseDecoder + + // fsePredefEnc are the predefined encoder based on fse tables as defined here: + // https://github.com/facebook/zstd/blob/dev/doc/zstd_compression_format.md#default-distributions + // These values are already transformed. + fsePredefEnc [3]fseEncoder + + // symbolTableX contain the transformations needed for each type as defined in + // https://github.com/facebook/zstd/blob/dev/doc/zstd_compression_format.md#the-codes-for-literals-lengths-match-lengths-and-offsets + symbolTableX [3][]baseOffset + + // maxTableSymbol is the biggest supported symbol for each table type + // https://github.com/facebook/zstd/blob/dev/doc/zstd_compression_format.md#the-codes-for-literals-lengths-match-lengths-and-offsets + maxTableSymbol = [3]uint8{tableLiteralLengths: maxLiteralLengthSymbol, tableOffsets: maxOffsetLengthSymbol, tableMatchLengths: maxMatchLengthSymbol} + + // bitTables is the bits table for each table. + bitTables = [3][]byte{tableLiteralLengths: llBitsTable[:], tableOffsets: nil, tableMatchLengths: mlBitsTable[:]} +) + +type tableIndex uint8 + +const ( + // indexes for fsePredef and symbolTableX + tableLiteralLengths tableIndex = 0 + tableOffsets tableIndex = 1 + tableMatchLengths tableIndex = 2 + + maxLiteralLengthSymbol = 35 + maxOffsetLengthSymbol = 30 + maxMatchLengthSymbol = 52 +) + +// baseOffset is used for calculating transformations. +type baseOffset struct { + baseLine uint32 + addBits uint8 +} + +// fillBase will precalculate base offsets with the given bit distributions. +func fillBase(dst []baseOffset, base uint32, bits ...uint8) { + if len(bits) != len(dst) { + panic(fmt.Sprintf("len(dst) (%d) != len(bits) (%d)", len(dst), len(bits))) + } + for i, bit := range bits { + if base > math.MaxInt32 { + panic("invalid decoding table, base overflows int32") + } + + dst[i] = baseOffset{ + baseLine: base, + addBits: bit, + } + base += 1 << bit + } +} + +var predef sync.Once + +func initPredefined() { + predef.Do(func() { + // Literals length codes + tmp := make([]baseOffset, 36) + for i := range tmp[:16] { + tmp[i] = baseOffset{ + baseLine: uint32(i), + addBits: 0, + } + } + fillBase(tmp[16:], 16, 1, 1, 1, 1, 2, 2, 3, 3, 4, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16) + symbolTableX[tableLiteralLengths] = tmp + + // Match length codes + tmp = make([]baseOffset, 53) + for i := range tmp[:32] { + tmp[i] = baseOffset{ + // The transformation adds the 3 length. + baseLine: uint32(i) + 3, + addBits: 0, + } + } + fillBase(tmp[32:], 35, 1, 1, 1, 1, 2, 2, 3, 3, 4, 4, 5, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16) + symbolTableX[tableMatchLengths] = tmp + + // Offset codes + tmp = make([]baseOffset, maxOffsetBits+1) + tmp[1] = baseOffset{ + baseLine: 1, + addBits: 1, + } + fillBase(tmp[2:], 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30) + symbolTableX[tableOffsets] = tmp + + // Fill predefined tables and transform them. + // https://github.com/facebook/zstd/blob/dev/doc/zstd_compression_format.md#default-distributions + for i := range fsePredef[:] { + f := &fsePredef[i] + switch tableIndex(i) { + case tableLiteralLengths: + // https://github.com/facebook/zstd/blob/ededcfca57366461021c922720878c81a5854a0a/lib/decompress/zstd_decompress_block.c#L243 + f.actualTableLog = 6 + copy(f.norm[:], []int16{4, 3, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 1, 1, 1, + 2, 2, 2, 2, 2, 2, 2, 2, 2, 3, 2, 1, 1, 1, 1, 1, + -1, -1, -1, -1}) + f.symbolLen = 36 + case tableOffsets: + // https://github.com/facebook/zstd/blob/ededcfca57366461021c922720878c81a5854a0a/lib/decompress/zstd_decompress_block.c#L281 + f.actualTableLog = 5 + copy(f.norm[:], []int16{ + 1, 1, 1, 1, 1, 1, 2, 2, 2, 1, 1, 1, 1, 1, 1, 1, + 1, 1, 1, 1, 1, 1, 1, 1, -1, -1, -1, -1, -1}) + f.symbolLen = 29 + case tableMatchLengths: + //https://github.com/facebook/zstd/blob/ededcfca57366461021c922720878c81a5854a0a/lib/decompress/zstd_decompress_block.c#L304 + f.actualTableLog = 6 + copy(f.norm[:], []int16{ + 1, 4, 3, 2, 2, 2, 2, 2, 2, 1, 1, 1, 1, 1, 1, 1, + 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, + 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, -1, -1, + -1, -1, -1, -1, -1}) + f.symbolLen = 53 + } + if err := f.buildDtable(); err != nil { + panic(fmt.Errorf("building table %v: %v", tableIndex(i), err)) + } + if err := f.transform(symbolTableX[i]); err != nil { + panic(fmt.Errorf("building table %v: %v", tableIndex(i), err)) + } + f.preDefined = true + + // Create encoder as well + enc := &fsePredefEnc[i] + copy(enc.norm[:], f.norm[:]) + enc.symbolLen = f.symbolLen + enc.actualTableLog = f.actualTableLog + if err := enc.buildCTable(); err != nil { + panic(fmt.Errorf("building encoding table %v: %v", tableIndex(i), err)) + } + enc.setBits(bitTables[i]) + enc.preDefined = true + } + }) +} diff --git a/vendor/github.com/klauspost/compress/zstd/hash.go b/vendor/github.com/klauspost/compress/zstd/hash.go new file mode 100644 index 0000000000..5d73c21ebd --- /dev/null +++ b/vendor/github.com/klauspost/compress/zstd/hash.go @@ -0,0 +1,35 @@ +// Copyright 2019+ Klaus Post. All rights reserved. +// License information can be found in the LICENSE file. +// Based on work by Yann Collet, released under BSD License. + +package zstd + +const ( + prime3bytes = 506832829 + prime4bytes = 2654435761 + prime5bytes = 889523592379 + prime6bytes = 227718039650203 + prime7bytes = 58295818150454627 + prime8bytes = 0xcf1bbcdcb7a56463 +) + +// hashLen returns a hash of the lowest mls bytes of with length output bits. +// mls must be >=3 and <=8. Any other value will return hash for 4 bytes. +// length should always be < 32. +// Preferably length and mls should be a constant for inlining. +func hashLen(u uint64, length, mls uint8) uint32 { + switch mls { + case 3: + return (uint32(u<<8) * prime3bytes) >> (32 - length) + case 5: + return uint32(((u << (64 - 40)) * prime5bytes) >> (64 - length)) + case 6: + return uint32(((u << (64 - 48)) * prime6bytes) >> (64 - length)) + case 7: + return uint32(((u << (64 - 56)) * prime7bytes) >> (64 - length)) + case 8: + return uint32((u * prime8bytes) >> (64 - length)) + default: + return (uint32(u) * prime4bytes) >> (32 - length) + } +} diff --git a/vendor/github.com/klauspost/compress/zstd/history.go b/vendor/github.com/klauspost/compress/zstd/history.go new file mode 100644 index 0000000000..09164856d2 --- /dev/null +++ b/vendor/github.com/klauspost/compress/zstd/history.go @@ -0,0 +1,116 @@ +// Copyright 2019+ Klaus Post. All rights reserved. +// License information can be found in the LICENSE file. +// Based on work by Yann Collet, released under BSD License. + +package zstd + +import ( + "github.com/klauspost/compress/huff0" +) + +// history contains the information transferred between blocks. +type history struct { + // Literal decompression + huffTree *huff0.Scratch + + // Sequence decompression + decoders sequenceDecs + recentOffsets [3]int + + // History buffer... + b []byte + + // ignoreBuffer is meant to ignore a number of bytes + // when checking for matches in history + ignoreBuffer int + + windowSize int + allocFrameBuffer int // needed? + error bool + dict *dict +} + +// reset will reset the history to initial state of a frame. +// The history must already have been initialized to the desired size. +func (h *history) reset() { + h.b = h.b[:0] + h.ignoreBuffer = 0 + h.error = false + h.recentOffsets = [3]int{1, 4, 8} + h.decoders.freeDecoders() + h.decoders = sequenceDecs{br: h.decoders.br} + h.freeHuffDecoder() + h.huffTree = nil + h.dict = nil + //printf("history created: %+v (l: %d, c: %d)", *h, len(h.b), cap(h.b)) +} + +func (h *history) freeHuffDecoder() { + if h.huffTree != nil { + if h.dict == nil || h.dict.litEnc != h.huffTree { + huffDecoderPool.Put(h.huffTree) + h.huffTree = nil + } + } +} + +func (h *history) setDict(dict *dict) { + if dict == nil { + return + } + h.dict = dict + h.decoders.litLengths = dict.llDec + h.decoders.offsets = dict.ofDec + h.decoders.matchLengths = dict.mlDec + h.decoders.dict = dict.content + h.recentOffsets = dict.offsets + h.huffTree = dict.litEnc +} + +// append bytes to history. +// This function will make sure there is space for it, +// if the buffer has been allocated with enough extra space. +func (h *history) append(b []byte) { + if len(b) >= h.windowSize { + // Discard all history by simply overwriting + h.b = h.b[:h.windowSize] + copy(h.b, b[len(b)-h.windowSize:]) + return + } + + // If there is space, append it. + if len(b) < cap(h.b)-len(h.b) { + h.b = append(h.b, b...) + return + } + + // Move data down so we only have window size left. + // We know we have less than window size in b at this point. + discard := len(b) + len(h.b) - h.windowSize + copy(h.b, h.b[discard:]) + h.b = h.b[:h.windowSize] + copy(h.b[h.windowSize-len(b):], b) +} + +// ensureBlock will ensure there is space for at least one block... +func (h *history) ensureBlock() { + if cap(h.b) < h.allocFrameBuffer { + h.b = make([]byte, 0, h.allocFrameBuffer) + return + } + + avail := cap(h.b) - len(h.b) + if avail >= h.windowSize || avail > maxCompressedBlockSize { + return + } + // Move data down so we only have window size left. + // We know we have less than window size in b at this point. + discard := len(h.b) - h.windowSize + copy(h.b, h.b[discard:]) + h.b = h.b[:h.windowSize] +} + +// append bytes to history without ever discarding anything. +func (h *history) appendKeep(b []byte) { + h.b = append(h.b, b...) +} diff --git a/vendor/github.com/klauspost/compress/zstd/internal/xxhash/LICENSE.txt b/vendor/github.com/klauspost/compress/zstd/internal/xxhash/LICENSE.txt new file mode 100644 index 0000000000..24b53065f4 --- /dev/null +++ b/vendor/github.com/klauspost/compress/zstd/internal/xxhash/LICENSE.txt @@ -0,0 +1,22 @@ +Copyright (c) 2016 Caleb Spare + +MIT License + +Permission is hereby granted, free of charge, to any person obtaining +a copy of this software and associated documentation files (the +"Software"), to deal in the Software without restriction, including +without limitation the rights to use, copy, modify, merge, publish, +distribute, sublicense, and/or sell copies of the Software, and to +permit persons to whom the Software is furnished to do so, subject to +the following conditions: + +The above copyright notice and this permission notice shall be +included in all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, +EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND +NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE +LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION +OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION +WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. diff --git a/vendor/github.com/klauspost/compress/zstd/internal/xxhash/README.md b/vendor/github.com/klauspost/compress/zstd/internal/xxhash/README.md new file mode 100644 index 0000000000..777290d44c --- /dev/null +++ b/vendor/github.com/klauspost/compress/zstd/internal/xxhash/README.md @@ -0,0 +1,71 @@ +# xxhash + +VENDORED: Go to [github.com/cespare/xxhash](https://github.com/cespare/xxhash) for original package. + +xxhash is a Go implementation of the 64-bit [xxHash] algorithm, XXH64. This is a +high-quality hashing algorithm that is much faster than anything in the Go +standard library. + +This package provides a straightforward API: + +``` +func Sum64(b []byte) uint64 +func Sum64String(s string) uint64 +type Digest struct{ ... } + func New() *Digest +``` + +The `Digest` type implements hash.Hash64. Its key methods are: + +``` +func (*Digest) Write([]byte) (int, error) +func (*Digest) WriteString(string) (int, error) +func (*Digest) Sum64() uint64 +``` + +The package is written with optimized pure Go and also contains even faster +assembly implementations for amd64 and arm64. If desired, the `purego` build tag +opts into using the Go code even on those architectures. + +[xxHash]: http://cyan4973.github.io/xxHash/ + +## Compatibility + +This package is in a module and the latest code is in version 2 of the module. +You need a version of Go with at least "minimal module compatibility" to use +github.com/cespare/xxhash/v2: + +* 1.9.7+ for Go 1.9 +* 1.10.3+ for Go 1.10 +* Go 1.11 or later + +I recommend using the latest release of Go. + +## Benchmarks + +Here are some quick benchmarks comparing the pure-Go and assembly +implementations of Sum64. + +| input size | purego | asm | +| ---------- | --------- | --------- | +| 4 B | 1.3 GB/s | 1.2 GB/s | +| 16 B | 2.9 GB/s | 3.5 GB/s | +| 100 B | 6.9 GB/s | 8.1 GB/s | +| 4 KB | 11.7 GB/s | 16.7 GB/s | +| 10 MB | 12.0 GB/s | 17.3 GB/s | + +These numbers were generated on Ubuntu 20.04 with an Intel Xeon Platinum 8252C +CPU using the following commands under Go 1.19.2: + +``` +benchstat <(go test -tags purego -benchtime 500ms -count 15 -bench 'Sum64$') +benchstat <(go test -benchtime 500ms -count 15 -bench 'Sum64$') +``` + +## Projects using this package + +- [InfluxDB](https://github.com/influxdata/influxdb) +- [Prometheus](https://github.com/prometheus/prometheus) +- [VictoriaMetrics](https://github.com/VictoriaMetrics/VictoriaMetrics) +- [FreeCache](https://github.com/coocood/freecache) +- [FastCache](https://github.com/VictoriaMetrics/fastcache) diff --git a/vendor/github.com/klauspost/compress/zstd/internal/xxhash/xxhash.go b/vendor/github.com/klauspost/compress/zstd/internal/xxhash/xxhash.go new file mode 100644 index 0000000000..fc40c82001 --- /dev/null +++ b/vendor/github.com/klauspost/compress/zstd/internal/xxhash/xxhash.go @@ -0,0 +1,230 @@ +// Package xxhash implements the 64-bit variant of xxHash (XXH64) as described +// at http://cyan4973.github.io/xxHash/. +// THIS IS VENDORED: Go to github.com/cespare/xxhash for original package. + +package xxhash + +import ( + "encoding/binary" + "errors" + "math/bits" +) + +const ( + prime1 uint64 = 11400714785074694791 + prime2 uint64 = 14029467366897019727 + prime3 uint64 = 1609587929392839161 + prime4 uint64 = 9650029242287828579 + prime5 uint64 = 2870177450012600261 +) + +// Store the primes in an array as well. +// +// The consts are used when possible in Go code to avoid MOVs but we need a +// contiguous array of the assembly code. +var primes = [...]uint64{prime1, prime2, prime3, prime4, prime5} + +// Digest implements hash.Hash64. +type Digest struct { + v1 uint64 + v2 uint64 + v3 uint64 + v4 uint64 + total uint64 + mem [32]byte + n int // how much of mem is used +} + +// New creates a new Digest that computes the 64-bit xxHash algorithm. +func New() *Digest { + var d Digest + d.Reset() + return &d +} + +// Reset clears the Digest's state so that it can be reused. +func (d *Digest) Reset() { + d.v1 = primes[0] + prime2 + d.v2 = prime2 + d.v3 = 0 + d.v4 = -primes[0] + d.total = 0 + d.n = 0 +} + +// Size always returns 8 bytes. +func (d *Digest) Size() int { return 8 } + +// BlockSize always returns 32 bytes. +func (d *Digest) BlockSize() int { return 32 } + +// Write adds more data to d. It always returns len(b), nil. +func (d *Digest) Write(b []byte) (n int, err error) { + n = len(b) + d.total += uint64(n) + + memleft := d.mem[d.n&(len(d.mem)-1):] + + if d.n+n < 32 { + // This new data doesn't even fill the current block. + copy(memleft, b) + d.n += n + return + } + + if d.n > 0 { + // Finish off the partial block. + c := copy(memleft, b) + d.v1 = round(d.v1, u64(d.mem[0:8])) + d.v2 = round(d.v2, u64(d.mem[8:16])) + d.v3 = round(d.v3, u64(d.mem[16:24])) + d.v4 = round(d.v4, u64(d.mem[24:32])) + b = b[c:] + d.n = 0 + } + + if len(b) >= 32 { + // One or more full blocks left. + nw := writeBlocks(d, b) + b = b[nw:] + } + + // Store any remaining partial block. + copy(d.mem[:], b) + d.n = len(b) + + return +} + +// Sum appends the current hash to b and returns the resulting slice. +func (d *Digest) Sum(b []byte) []byte { + s := d.Sum64() + return append( + b, + byte(s>>56), + byte(s>>48), + byte(s>>40), + byte(s>>32), + byte(s>>24), + byte(s>>16), + byte(s>>8), + byte(s), + ) +} + +// Sum64 returns the current hash. +func (d *Digest) Sum64() uint64 { + var h uint64 + + if d.total >= 32 { + v1, v2, v3, v4 := d.v1, d.v2, d.v3, d.v4 + h = rol1(v1) + rol7(v2) + rol12(v3) + rol18(v4) + h = mergeRound(h, v1) + h = mergeRound(h, v2) + h = mergeRound(h, v3) + h = mergeRound(h, v4) + } else { + h = d.v3 + prime5 + } + + h += d.total + + b := d.mem[:d.n&(len(d.mem)-1)] + for ; len(b) >= 8; b = b[8:] { + k1 := round(0, u64(b[:8])) + h ^= k1 + h = rol27(h)*prime1 + prime4 + } + if len(b) >= 4 { + h ^= uint64(u32(b[:4])) * prime1 + h = rol23(h)*prime2 + prime3 + b = b[4:] + } + for ; len(b) > 0; b = b[1:] { + h ^= uint64(b[0]) * prime5 + h = rol11(h) * prime1 + } + + h ^= h >> 33 + h *= prime2 + h ^= h >> 29 + h *= prime3 + h ^= h >> 32 + + return h +} + +const ( + magic = "xxh\x06" + marshaledSize = len(magic) + 8*5 + 32 +) + +// MarshalBinary implements the encoding.BinaryMarshaler interface. +func (d *Digest) MarshalBinary() ([]byte, error) { + b := make([]byte, 0, marshaledSize) + b = append(b, magic...) + b = appendUint64(b, d.v1) + b = appendUint64(b, d.v2) + b = appendUint64(b, d.v3) + b = appendUint64(b, d.v4) + b = appendUint64(b, d.total) + b = append(b, d.mem[:d.n]...) + b = b[:len(b)+len(d.mem)-d.n] + return b, nil +} + +// UnmarshalBinary implements the encoding.BinaryUnmarshaler interface. +func (d *Digest) UnmarshalBinary(b []byte) error { + if len(b) < len(magic) || string(b[:len(magic)]) != magic { + return errors.New("xxhash: invalid hash state identifier") + } + if len(b) != marshaledSize { + return errors.New("xxhash: invalid hash state size") + } + b = b[len(magic):] + b, d.v1 = consumeUint64(b) + b, d.v2 = consumeUint64(b) + b, d.v3 = consumeUint64(b) + b, d.v4 = consumeUint64(b) + b, d.total = consumeUint64(b) + copy(d.mem[:], b) + d.n = int(d.total % uint64(len(d.mem))) + return nil +} + +func appendUint64(b []byte, x uint64) []byte { + var a [8]byte + binary.LittleEndian.PutUint64(a[:], x) + return append(b, a[:]...) +} + +func consumeUint64(b []byte) ([]byte, uint64) { + x := u64(b) + return b[8:], x +} + +func u64(b []byte) uint64 { return binary.LittleEndian.Uint64(b) } +func u32(b []byte) uint32 { return binary.LittleEndian.Uint32(b) } + +func round(acc, input uint64) uint64 { + acc += input * prime2 + acc = rol31(acc) + acc *= prime1 + return acc +} + +func mergeRound(acc, val uint64) uint64 { + val = round(0, val) + acc ^= val + acc = acc*prime1 + prime4 + return acc +} + +func rol1(x uint64) uint64 { return bits.RotateLeft64(x, 1) } +func rol7(x uint64) uint64 { return bits.RotateLeft64(x, 7) } +func rol11(x uint64) uint64 { return bits.RotateLeft64(x, 11) } +func rol12(x uint64) uint64 { return bits.RotateLeft64(x, 12) } +func rol18(x uint64) uint64 { return bits.RotateLeft64(x, 18) } +func rol23(x uint64) uint64 { return bits.RotateLeft64(x, 23) } +func rol27(x uint64) uint64 { return bits.RotateLeft64(x, 27) } +func rol31(x uint64) uint64 { return bits.RotateLeft64(x, 31) } diff --git a/vendor/github.com/klauspost/compress/zstd/internal/xxhash/xxhash_amd64.s b/vendor/github.com/klauspost/compress/zstd/internal/xxhash/xxhash_amd64.s new file mode 100644 index 0000000000..ddb63aa91b --- /dev/null +++ b/vendor/github.com/klauspost/compress/zstd/internal/xxhash/xxhash_amd64.s @@ -0,0 +1,210 @@ +//go:build !appengine && gc && !purego && !noasm +// +build !appengine +// +build gc +// +build !purego +// +build !noasm + +#include "textflag.h" + +// Registers: +#define h AX +#define d AX +#define p SI // pointer to advance through b +#define n DX +#define end BX // loop end +#define v1 R8 +#define v2 R9 +#define v3 R10 +#define v4 R11 +#define x R12 +#define prime1 R13 +#define prime2 R14 +#define prime4 DI + +#define round(acc, x) \ + IMULQ prime2, x \ + ADDQ x, acc \ + ROLQ $31, acc \ + IMULQ prime1, acc + +// round0 performs the operation x = round(0, x). +#define round0(x) \ + IMULQ prime2, x \ + ROLQ $31, x \ + IMULQ prime1, x + +// mergeRound applies a merge round on the two registers acc and x. +// It assumes that prime1, prime2, and prime4 have been loaded. +#define mergeRound(acc, x) \ + round0(x) \ + XORQ x, acc \ + IMULQ prime1, acc \ + ADDQ prime4, acc + +// blockLoop processes as many 32-byte blocks as possible, +// updating v1, v2, v3, and v4. It assumes that there is at least one block +// to process. +#define blockLoop() \ +loop: \ + MOVQ +0(p), x \ + round(v1, x) \ + MOVQ +8(p), x \ + round(v2, x) \ + MOVQ +16(p), x \ + round(v3, x) \ + MOVQ +24(p), x \ + round(v4, x) \ + ADDQ $32, p \ + CMPQ p, end \ + JLE loop + +// func Sum64(b []byte) uint64 +TEXT ·Sum64(SB), NOSPLIT|NOFRAME, $0-32 + // Load fixed primes. + MOVQ ·primes+0(SB), prime1 + MOVQ ·primes+8(SB), prime2 + MOVQ ·primes+24(SB), prime4 + + // Load slice. + MOVQ b_base+0(FP), p + MOVQ b_len+8(FP), n + LEAQ (p)(n*1), end + + // The first loop limit will be len(b)-32. + SUBQ $32, end + + // Check whether we have at least one block. + CMPQ n, $32 + JLT noBlocks + + // Set up initial state (v1, v2, v3, v4). + MOVQ prime1, v1 + ADDQ prime2, v1 + MOVQ prime2, v2 + XORQ v3, v3 + XORQ v4, v4 + SUBQ prime1, v4 + + blockLoop() + + MOVQ v1, h + ROLQ $1, h + MOVQ v2, x + ROLQ $7, x + ADDQ x, h + MOVQ v3, x + ROLQ $12, x + ADDQ x, h + MOVQ v4, x + ROLQ $18, x + ADDQ x, h + + mergeRound(h, v1) + mergeRound(h, v2) + mergeRound(h, v3) + mergeRound(h, v4) + + JMP afterBlocks + +noBlocks: + MOVQ ·primes+32(SB), h + +afterBlocks: + ADDQ n, h + + ADDQ $24, end + CMPQ p, end + JG try4 + +loop8: + MOVQ (p), x + ADDQ $8, p + round0(x) + XORQ x, h + ROLQ $27, h + IMULQ prime1, h + ADDQ prime4, h + + CMPQ p, end + JLE loop8 + +try4: + ADDQ $4, end + CMPQ p, end + JG try1 + + MOVL (p), x + ADDQ $4, p + IMULQ prime1, x + XORQ x, h + + ROLQ $23, h + IMULQ prime2, h + ADDQ ·primes+16(SB), h + +try1: + ADDQ $4, end + CMPQ p, end + JGE finalize + +loop1: + MOVBQZX (p), x + ADDQ $1, p + IMULQ ·primes+32(SB), x + XORQ x, h + ROLQ $11, h + IMULQ prime1, h + + CMPQ p, end + JL loop1 + +finalize: + MOVQ h, x + SHRQ $33, x + XORQ x, h + IMULQ prime2, h + MOVQ h, x + SHRQ $29, x + XORQ x, h + IMULQ ·primes+16(SB), h + MOVQ h, x + SHRQ $32, x + XORQ x, h + + MOVQ h, ret+24(FP) + RET + +// func writeBlocks(d *Digest, b []byte) int +TEXT ·writeBlocks(SB), NOSPLIT|NOFRAME, $0-40 + // Load fixed primes needed for round. + MOVQ ·primes+0(SB), prime1 + MOVQ ·primes+8(SB), prime2 + + // Load slice. + MOVQ b_base+8(FP), p + MOVQ b_len+16(FP), n + LEAQ (p)(n*1), end + SUBQ $32, end + + // Load vN from d. + MOVQ s+0(FP), d + MOVQ 0(d), v1 + MOVQ 8(d), v2 + MOVQ 16(d), v3 + MOVQ 24(d), v4 + + // We don't need to check the loop condition here; this function is + // always called with at least one block of data to process. + blockLoop() + + // Copy vN back to d. + MOVQ v1, 0(d) + MOVQ v2, 8(d) + MOVQ v3, 16(d) + MOVQ v4, 24(d) + + // The number of bytes written is p minus the old base pointer. + SUBQ b_base+8(FP), p + MOVQ p, ret+32(FP) + + RET diff --git a/vendor/github.com/klauspost/compress/zstd/internal/xxhash/xxhash_arm64.s b/vendor/github.com/klauspost/compress/zstd/internal/xxhash/xxhash_arm64.s new file mode 100644 index 0000000000..ae7d4d3295 --- /dev/null +++ b/vendor/github.com/klauspost/compress/zstd/internal/xxhash/xxhash_arm64.s @@ -0,0 +1,184 @@ +//go:build !appengine && gc && !purego && !noasm +// +build !appengine +// +build gc +// +build !purego +// +build !noasm + +#include "textflag.h" + +// Registers: +#define digest R1 +#define h R2 // return value +#define p R3 // input pointer +#define n R4 // input length +#define nblocks R5 // n / 32 +#define prime1 R7 +#define prime2 R8 +#define prime3 R9 +#define prime4 R10 +#define prime5 R11 +#define v1 R12 +#define v2 R13 +#define v3 R14 +#define v4 R15 +#define x1 R20 +#define x2 R21 +#define x3 R22 +#define x4 R23 + +#define round(acc, x) \ + MADD prime2, acc, x, acc \ + ROR $64-31, acc \ + MUL prime1, acc + +// round0 performs the operation x = round(0, x). +#define round0(x) \ + MUL prime2, x \ + ROR $64-31, x \ + MUL prime1, x + +#define mergeRound(acc, x) \ + round0(x) \ + EOR x, acc \ + MADD acc, prime4, prime1, acc + +// blockLoop processes as many 32-byte blocks as possible, +// updating v1, v2, v3, and v4. It assumes that n >= 32. +#define blockLoop() \ + LSR $5, n, nblocks \ + PCALIGN $16 \ + loop: \ + LDP.P 16(p), (x1, x2) \ + LDP.P 16(p), (x3, x4) \ + round(v1, x1) \ + round(v2, x2) \ + round(v3, x3) \ + round(v4, x4) \ + SUB $1, nblocks \ + CBNZ nblocks, loop + +// func Sum64(b []byte) uint64 +TEXT ·Sum64(SB), NOSPLIT|NOFRAME, $0-32 + LDP b_base+0(FP), (p, n) + + LDP ·primes+0(SB), (prime1, prime2) + LDP ·primes+16(SB), (prime3, prime4) + MOVD ·primes+32(SB), prime5 + + CMP $32, n + CSEL LT, prime5, ZR, h // if n < 32 { h = prime5 } else { h = 0 } + BLT afterLoop + + ADD prime1, prime2, v1 + MOVD prime2, v2 + MOVD $0, v3 + NEG prime1, v4 + + blockLoop() + + ROR $64-1, v1, x1 + ROR $64-7, v2, x2 + ADD x1, x2 + ROR $64-12, v3, x3 + ROR $64-18, v4, x4 + ADD x3, x4 + ADD x2, x4, h + + mergeRound(h, v1) + mergeRound(h, v2) + mergeRound(h, v3) + mergeRound(h, v4) + +afterLoop: + ADD n, h + + TBZ $4, n, try8 + LDP.P 16(p), (x1, x2) + + round0(x1) + + // NOTE: here and below, sequencing the EOR after the ROR (using a + // rotated register) is worth a small but measurable speedup for small + // inputs. + ROR $64-27, h + EOR x1 @> 64-27, h, h + MADD h, prime4, prime1, h + + round0(x2) + ROR $64-27, h + EOR x2 @> 64-27, h, h + MADD h, prime4, prime1, h + +try8: + TBZ $3, n, try4 + MOVD.P 8(p), x1 + + round0(x1) + ROR $64-27, h + EOR x1 @> 64-27, h, h + MADD h, prime4, prime1, h + +try4: + TBZ $2, n, try2 + MOVWU.P 4(p), x2 + + MUL prime1, x2 + ROR $64-23, h + EOR x2 @> 64-23, h, h + MADD h, prime3, prime2, h + +try2: + TBZ $1, n, try1 + MOVHU.P 2(p), x3 + AND $255, x3, x1 + LSR $8, x3, x2 + + MUL prime5, x1 + ROR $64-11, h + EOR x1 @> 64-11, h, h + MUL prime1, h + + MUL prime5, x2 + ROR $64-11, h + EOR x2 @> 64-11, h, h + MUL prime1, h + +try1: + TBZ $0, n, finalize + MOVBU (p), x4 + + MUL prime5, x4 + ROR $64-11, h + EOR x4 @> 64-11, h, h + MUL prime1, h + +finalize: + EOR h >> 33, h + MUL prime2, h + EOR h >> 29, h + MUL prime3, h + EOR h >> 32, h + + MOVD h, ret+24(FP) + RET + +// func writeBlocks(s *Digest, b []byte) int +TEXT ·writeBlocks(SB), NOSPLIT|NOFRAME, $0-40 + LDP ·primes+0(SB), (prime1, prime2) + + // Load state. Assume v[1-4] are stored contiguously. + MOVD s+0(FP), digest + LDP 0(digest), (v1, v2) + LDP 16(digest), (v3, v4) + + LDP b_base+8(FP), (p, n) + + blockLoop() + + // Store updated state. + STP (v1, v2), 0(digest) + STP (v3, v4), 16(digest) + + BIC $31, n + MOVD n, ret+32(FP) + RET diff --git a/vendor/github.com/klauspost/compress/zstd/internal/xxhash/xxhash_asm.go b/vendor/github.com/klauspost/compress/zstd/internal/xxhash/xxhash_asm.go new file mode 100644 index 0000000000..d4221edf4f --- /dev/null +++ b/vendor/github.com/klauspost/compress/zstd/internal/xxhash/xxhash_asm.go @@ -0,0 +1,16 @@ +//go:build (amd64 || arm64) && !appengine && gc && !purego && !noasm +// +build amd64 arm64 +// +build !appengine +// +build gc +// +build !purego +// +build !noasm + +package xxhash + +// Sum64 computes the 64-bit xxHash digest of b. +// +//go:noescape +func Sum64(b []byte) uint64 + +//go:noescape +func writeBlocks(s *Digest, b []byte) int diff --git a/vendor/github.com/klauspost/compress/zstd/internal/xxhash/xxhash_other.go b/vendor/github.com/klauspost/compress/zstd/internal/xxhash/xxhash_other.go new file mode 100644 index 0000000000..0be16cefc7 --- /dev/null +++ b/vendor/github.com/klauspost/compress/zstd/internal/xxhash/xxhash_other.go @@ -0,0 +1,76 @@ +//go:build (!amd64 && !arm64) || appengine || !gc || purego || noasm +// +build !amd64,!arm64 appengine !gc purego noasm + +package xxhash + +// Sum64 computes the 64-bit xxHash digest of b. +func Sum64(b []byte) uint64 { + // A simpler version would be + // d := New() + // d.Write(b) + // return d.Sum64() + // but this is faster, particularly for small inputs. + + n := len(b) + var h uint64 + + if n >= 32 { + v1 := primes[0] + prime2 + v2 := prime2 + v3 := uint64(0) + v4 := -primes[0] + for len(b) >= 32 { + v1 = round(v1, u64(b[0:8:len(b)])) + v2 = round(v2, u64(b[8:16:len(b)])) + v3 = round(v3, u64(b[16:24:len(b)])) + v4 = round(v4, u64(b[24:32:len(b)])) + b = b[32:len(b):len(b)] + } + h = rol1(v1) + rol7(v2) + rol12(v3) + rol18(v4) + h = mergeRound(h, v1) + h = mergeRound(h, v2) + h = mergeRound(h, v3) + h = mergeRound(h, v4) + } else { + h = prime5 + } + + h += uint64(n) + + for ; len(b) >= 8; b = b[8:] { + k1 := round(0, u64(b[:8])) + h ^= k1 + h = rol27(h)*prime1 + prime4 + } + if len(b) >= 4 { + h ^= uint64(u32(b[:4])) * prime1 + h = rol23(h)*prime2 + prime3 + b = b[4:] + } + for ; len(b) > 0; b = b[1:] { + h ^= uint64(b[0]) * prime5 + h = rol11(h) * prime1 + } + + h ^= h >> 33 + h *= prime2 + h ^= h >> 29 + h *= prime3 + h ^= h >> 32 + + return h +} + +func writeBlocks(d *Digest, b []byte) int { + v1, v2, v3, v4 := d.v1, d.v2, d.v3, d.v4 + n := len(b) + for len(b) >= 32 { + v1 = round(v1, u64(b[0:8:len(b)])) + v2 = round(v2, u64(b[8:16:len(b)])) + v3 = round(v3, u64(b[16:24:len(b)])) + v4 = round(v4, u64(b[24:32:len(b)])) + b = b[32:len(b):len(b)] + } + d.v1, d.v2, d.v3, d.v4 = v1, v2, v3, v4 + return n - len(b) +} diff --git a/vendor/github.com/klauspost/compress/zstd/internal/xxhash/xxhash_safe.go b/vendor/github.com/klauspost/compress/zstd/internal/xxhash/xxhash_safe.go new file mode 100644 index 0000000000..6f3b0cb102 --- /dev/null +++ b/vendor/github.com/klauspost/compress/zstd/internal/xxhash/xxhash_safe.go @@ -0,0 +1,11 @@ +package xxhash + +// Sum64String computes the 64-bit xxHash digest of s. +func Sum64String(s string) uint64 { + return Sum64([]byte(s)) +} + +// WriteString adds more data to d. It always returns len(s), nil. +func (d *Digest) WriteString(s string) (n int, err error) { + return d.Write([]byte(s)) +} diff --git a/vendor/github.com/klauspost/compress/zstd/matchlen_amd64.go b/vendor/github.com/klauspost/compress/zstd/matchlen_amd64.go new file mode 100644 index 0000000000..f41932b7a4 --- /dev/null +++ b/vendor/github.com/klauspost/compress/zstd/matchlen_amd64.go @@ -0,0 +1,16 @@ +//go:build amd64 && !appengine && !noasm && gc +// +build amd64,!appengine,!noasm,gc + +// Copyright 2019+ Klaus Post. All rights reserved. +// License information can be found in the LICENSE file. + +package zstd + +// matchLen returns how many bytes match in a and b +// +// It assumes that: +// +// len(a) <= len(b) and len(a) > 0 +// +//go:noescape +func matchLen(a []byte, b []byte) int diff --git a/vendor/github.com/klauspost/compress/zstd/matchlen_amd64.s b/vendor/github.com/klauspost/compress/zstd/matchlen_amd64.s new file mode 100644 index 0000000000..0782b86e3d --- /dev/null +++ b/vendor/github.com/klauspost/compress/zstd/matchlen_amd64.s @@ -0,0 +1,66 @@ +// Copied from S2 implementation. + +//go:build !appengine && !noasm && gc && !noasm + +#include "textflag.h" + +// func matchLen(a []byte, b []byte) int +TEXT ·matchLen(SB), NOSPLIT, $0-56 + MOVQ a_base+0(FP), AX + MOVQ b_base+24(FP), CX + MOVQ a_len+8(FP), DX + + // matchLen + XORL SI, SI + CMPL DX, $0x08 + JB matchlen_match4_standalone + +matchlen_loopback_standalone: + MOVQ (AX)(SI*1), BX + XORQ (CX)(SI*1), BX + JZ matchlen_loop_standalone + +#ifdef GOAMD64_v3 + TZCNTQ BX, BX +#else + BSFQ BX, BX +#endif + SHRL $0x03, BX + LEAL (SI)(BX*1), SI + JMP gen_match_len_end + +matchlen_loop_standalone: + LEAL -8(DX), DX + LEAL 8(SI), SI + CMPL DX, $0x08 + JAE matchlen_loopback_standalone + +matchlen_match4_standalone: + CMPL DX, $0x04 + JB matchlen_match2_standalone + MOVL (AX)(SI*1), BX + CMPL (CX)(SI*1), BX + JNE matchlen_match2_standalone + LEAL -4(DX), DX + LEAL 4(SI), SI + +matchlen_match2_standalone: + CMPL DX, $0x02 + JB matchlen_match1_standalone + MOVW (AX)(SI*1), BX + CMPW (CX)(SI*1), BX + JNE matchlen_match1_standalone + LEAL -2(DX), DX + LEAL 2(SI), SI + +matchlen_match1_standalone: + CMPL DX, $0x01 + JB gen_match_len_end + MOVB (AX)(SI*1), BL + CMPB (CX)(SI*1), BL + JNE gen_match_len_end + INCL SI + +gen_match_len_end: + MOVQ SI, ret+48(FP) + RET diff --git a/vendor/github.com/klauspost/compress/zstd/matchlen_generic.go b/vendor/github.com/klauspost/compress/zstd/matchlen_generic.go new file mode 100644 index 0000000000..bea1779e97 --- /dev/null +++ b/vendor/github.com/klauspost/compress/zstd/matchlen_generic.go @@ -0,0 +1,38 @@ +//go:build !amd64 || appengine || !gc || noasm +// +build !amd64 appengine !gc noasm + +// Copyright 2019+ Klaus Post. All rights reserved. +// License information can be found in the LICENSE file. + +package zstd + +import ( + "math/bits" + + "github.com/klauspost/compress/internal/le" +) + +// matchLen returns the maximum common prefix length of a and b. +// a must be the shortest of the two. +func matchLen(a, b []byte) (n int) { + left := len(a) + for left >= 8 { + diff := le.Load64(a, n) ^ le.Load64(b, n) + if diff != 0 { + return n + bits.TrailingZeros64(diff)>>3 + } + n += 8 + left -= 8 + } + a = a[n:] + b = b[n:] + + for i := range a { + if a[i] != b[i] { + break + } + n++ + } + return n + +} diff --git a/vendor/github.com/klauspost/compress/zstd/seqdec.go b/vendor/github.com/klauspost/compress/zstd/seqdec.go new file mode 100644 index 0000000000..9a7de82f9e --- /dev/null +++ b/vendor/github.com/klauspost/compress/zstd/seqdec.go @@ -0,0 +1,503 @@ +// Copyright 2019+ Klaus Post. All rights reserved. +// License information can be found in the LICENSE file. +// Based on work by Yann Collet, released under BSD License. + +package zstd + +import ( + "errors" + "fmt" + "io" +) + +type seq struct { + litLen uint32 + matchLen uint32 + offset uint32 + + // Codes are stored here for the encoder + // so they only have to be looked up once. + llCode, mlCode, ofCode uint8 +} + +type seqVals struct { + ll, ml, mo int +} + +func (s seq) String() string { + if s.offset <= 3 { + if s.offset == 0 { + return fmt.Sprint("litLen:", s.litLen, ", matchLen:", s.matchLen+zstdMinMatch, ", offset: INVALID (0)") + } + return fmt.Sprint("litLen:", s.litLen, ", matchLen:", s.matchLen+zstdMinMatch, ", offset:", s.offset, " (repeat)") + } + return fmt.Sprint("litLen:", s.litLen, ", matchLen:", s.matchLen+zstdMinMatch, ", offset:", s.offset-3, " (new)") +} + +type seqCompMode uint8 + +const ( + compModePredefined seqCompMode = iota + compModeRLE + compModeFSE + compModeRepeat +) + +type sequenceDec struct { + // decoder keeps track of the current state and updates it from the bitstream. + fse *fseDecoder + state fseState + repeat bool +} + +// init the state of the decoder with input from stream. +func (s *sequenceDec) init(br *bitReader) error { + if s.fse == nil { + return errors.New("sequence decoder not defined") + } + s.state.init(br, s.fse.actualTableLog, s.fse.dt[:1< cap(s.out) { + addBytes := s.seqSize + len(s.out) + s.out = append(s.out, make([]byte, addBytes)...) + s.out = s.out[:len(s.out)-addBytes] + } + + if debugDecoder { + printf("Execute %d seqs with hist %d, dict %d, literals: %d into %d bytes\n", len(seqs), len(hist), len(s.dict), len(s.literals), s.seqSize) + } + + var t = len(s.out) + out := s.out[:t+s.seqSize] + + for _, seq := range seqs { + // Add literals + copy(out[t:], s.literals[:seq.ll]) + t += seq.ll + s.literals = s.literals[seq.ll:] + + // Copy from dictionary... + if seq.mo > t+len(hist) || seq.mo > s.windowSize { + if len(s.dict) == 0 { + return fmt.Errorf("match offset (%d) bigger than current history (%d)", seq.mo, t+len(hist)) + } + + // we may be in dictionary. + dictO := len(s.dict) - (seq.mo - (t + len(hist))) + if dictO < 0 || dictO >= len(s.dict) { + return fmt.Errorf("match offset (%d) bigger than current history+dict (%d)", seq.mo, t+len(hist)+len(s.dict)) + } + end := dictO + seq.ml + if end > len(s.dict) { + n := len(s.dict) - dictO + copy(out[t:], s.dict[dictO:]) + t += n + seq.ml -= n + } else { + copy(out[t:], s.dict[dictO:end]) + t += end - dictO + continue + } + } + + // Copy from history. + if v := seq.mo - t; v > 0 { + // v is the start position in history from end. + start := len(hist) - v + if seq.ml > v { + // Some goes into current block. + // Copy remainder of history + copy(out[t:], hist[start:]) + t += v + seq.ml -= v + } else { + copy(out[t:], hist[start:start+seq.ml]) + t += seq.ml + continue + } + } + // We must be in current buffer now + if seq.ml > 0 { + start := t - seq.mo + if seq.ml <= t-start { + // No overlap + copy(out[t:], out[start:start+seq.ml]) + t += seq.ml + continue + } else { + // Overlapping copy + // Extend destination slice and copy one byte at the time. + src := out[start : start+seq.ml] + dst := out[t:] + dst = dst[:len(src)] + t += len(src) + // Destination is the space we just added. + for i := range src { + dst[i] = src[i] + } + } + } + } + + // Add final literals + copy(out[t:], s.literals) + if debugDecoder { + t += len(s.literals) + if t != len(out) { + panic(fmt.Errorf("length mismatch, want %d, got %d, ss: %d", len(out), t, s.seqSize)) + } + } + s.out = out + + return nil +} + +// decode sequences from the stream with the provided history. +func (s *sequenceDecs) decodeSync(hist []byte) error { + supported, err := s.decodeSyncSimple(hist) + if supported { + return err + } + + br := s.br + seqs := s.nSeqs + startSize := len(s.out) + // Grab full sizes tables, to avoid bounds checks. + llTable, mlTable, ofTable := s.litLengths.fse.dt[:maxTablesize], s.matchLengths.fse.dt[:maxTablesize], s.offsets.fse.dt[:maxTablesize] + llState, mlState, ofState := s.litLengths.state.state, s.matchLengths.state.state, s.offsets.state.state + out := s.out + maxBlockSize := maxCompressedBlockSize + if s.windowSize < maxBlockSize { + maxBlockSize = s.windowSize + } + + if debugDecoder { + println("decodeSync: decoding", seqs, "sequences", br.remain(), "bits remain on stream") + } + for i := seqs - 1; i >= 0; i-- { + if br.overread() { + printf("reading sequence %d, exceeded available data. Overread by %d\n", seqs-i, -br.remain()) + return io.ErrUnexpectedEOF + } + var ll, mo, ml int + if br.cursor > 4+((maxOffsetBits+16+16)>>3) { + // inlined function: + // ll, mo, ml = s.nextFast(br, llState, mlState, ofState) + + // Final will not read from stream. + var llB, mlB, moB uint8 + ll, llB = llState.final() + ml, mlB = mlState.final() + mo, moB = ofState.final() + + // extra bits are stored in reverse order. + br.fillFast() + mo += br.getBits(moB) + if s.maxBits > 32 { + br.fillFast() + } + ml += br.getBits(mlB) + ll += br.getBits(llB) + + if moB > 1 { + s.prevOffset[2] = s.prevOffset[1] + s.prevOffset[1] = s.prevOffset[0] + s.prevOffset[0] = mo + } else { + // mo = s.adjustOffset(mo, ll, moB) + // Inlined for rather big speedup + if ll == 0 { + // There is an exception though, when current sequence's literals_length = 0. + // In this case, repeated offsets are shifted by one, so an offset_value of 1 means Repeated_Offset2, + // an offset_value of 2 means Repeated_Offset3, and an offset_value of 3 means Repeated_Offset1 - 1_byte. + mo++ + } + + if mo == 0 { + mo = s.prevOffset[0] + } else { + var temp int + if mo == 3 { + temp = s.prevOffset[0] - 1 + } else { + temp = s.prevOffset[mo] + } + + if temp == 0 { + // 0 is not valid; input is corrupted; force offset to 1 + println("WARNING: temp was 0") + temp = 1 + } + + if mo != 1 { + s.prevOffset[2] = s.prevOffset[1] + } + s.prevOffset[1] = s.prevOffset[0] + s.prevOffset[0] = temp + mo = temp + } + } + br.fillFast() + } else { + ll, mo, ml = s.next(br, llState, mlState, ofState) + br.fill() + } + + if debugSequences { + println("Seq", seqs-i-1, "Litlen:", ll, "mo:", mo, "(abs) ml:", ml) + } + + if ll > len(s.literals) { + return fmt.Errorf("unexpected literal count, want %d bytes, but only %d is available", ll, len(s.literals)) + } + size := ll + ml + len(out) + if size-startSize > maxBlockSize { + return fmt.Errorf("output bigger than max block size (%d)", maxBlockSize) + } + if size > cap(out) { + // Not enough size, which can happen under high volume block streaming conditions + // but could be if destination slice is too small for sync operations. + // over-allocating here can create a large amount of GC pressure so we try to keep + // it as contained as possible + used := len(out) - startSize + addBytes := 256 + ll + ml + used>>2 + // Clamp to max block size. + if used+addBytes > maxBlockSize { + addBytes = maxBlockSize - used + } + out = append(out, make([]byte, addBytes)...) + out = out[:len(out)-addBytes] + } + if ml > maxMatchLen { + return fmt.Errorf("match len (%d) bigger than max allowed length", ml) + } + + // Add literals + out = append(out, s.literals[:ll]...) + s.literals = s.literals[ll:] + + if mo == 0 && ml > 0 { + return fmt.Errorf("zero matchoff and matchlen (%d) > 0", ml) + } + + if mo > len(out)+len(hist) || mo > s.windowSize { + if len(s.dict) == 0 { + return fmt.Errorf("match offset (%d) bigger than current history (%d)", mo, len(out)+len(hist)-startSize) + } + + // we may be in dictionary. + dictO := len(s.dict) - (mo - (len(out) + len(hist))) + if dictO < 0 || dictO >= len(s.dict) { + return fmt.Errorf("match offset (%d) bigger than current history (%d)", mo, len(out)+len(hist)-startSize) + } + end := dictO + ml + if end > len(s.dict) { + out = append(out, s.dict[dictO:]...) + ml -= len(s.dict) - dictO + } else { + out = append(out, s.dict[dictO:end]...) + mo = 0 + ml = 0 + } + } + + // Copy from history. + // TODO: Blocks without history could be made to ignore this completely. + if v := mo - len(out); v > 0 { + // v is the start position in history from end. + start := len(hist) - v + if ml > v { + // Some goes into current block. + // Copy remainder of history + out = append(out, hist[start:]...) + ml -= v + } else { + out = append(out, hist[start:start+ml]...) + ml = 0 + } + } + // We must be in current buffer now + if ml > 0 { + start := len(out) - mo + if ml <= len(out)-start { + // No overlap + out = append(out, out[start:start+ml]...) + } else { + // Overlapping copy + // Extend destination slice and copy one byte at the time. + out = out[:len(out)+ml] + src := out[start : start+ml] + // Destination is the space we just added. + dst := out[len(out)-ml:] + dst = dst[:len(src)] + for i := range src { + dst[i] = src[i] + } + } + } + if i == 0 { + // This is the last sequence, so we shouldn't update state. + break + } + + // Manually inlined, ~ 5-20% faster + // Update all 3 states at once. Approx 20% faster. + nBits := llState.nbBits() + mlState.nbBits() + ofState.nbBits() + if nBits == 0 { + llState = llTable[llState.newState()&maxTableMask] + mlState = mlTable[mlState.newState()&maxTableMask] + ofState = ofTable[ofState.newState()&maxTableMask] + } else { + bits := br.get32BitsFast(nBits) + + lowBits := uint16(bits >> ((ofState.nbBits() + mlState.nbBits()) & 31)) + llState = llTable[(llState.newState()+lowBits)&maxTableMask] + + lowBits = uint16(bits >> (ofState.nbBits() & 31)) + lowBits &= bitMask[mlState.nbBits()&15] + mlState = mlTable[(mlState.newState()+lowBits)&maxTableMask] + + lowBits = uint16(bits) & bitMask[ofState.nbBits()&15] + ofState = ofTable[(ofState.newState()+lowBits)&maxTableMask] + } + } + + if size := len(s.literals) + len(out) - startSize; size > maxBlockSize { + return fmt.Errorf("output bigger than max block size (%d)", maxBlockSize) + } + + // Add final literals + s.out = append(out, s.literals...) + return br.close() +} + +var bitMask [16]uint16 + +func init() { + for i := range bitMask[:] { + bitMask[i] = uint16((1 << uint(i)) - 1) + } +} + +func (s *sequenceDecs) next(br *bitReader, llState, mlState, ofState decSymbol) (ll, mo, ml int) { + // Final will not read from stream. + ll, llB := llState.final() + ml, mlB := mlState.final() + mo, moB := ofState.final() + + // extra bits are stored in reverse order. + br.fill() + mo += br.getBits(moB) + if s.maxBits > 32 { + br.fill() + } + // matchlength+literal length, max 32 bits + ml += br.getBits(mlB) + ll += br.getBits(llB) + mo = s.adjustOffset(mo, ll, moB) + return +} + +func (s *sequenceDecs) adjustOffset(offset, litLen int, offsetB uint8) int { + if offsetB > 1 { + s.prevOffset[2] = s.prevOffset[1] + s.prevOffset[1] = s.prevOffset[0] + s.prevOffset[0] = offset + return offset + } + + if litLen == 0 { + // There is an exception though, when current sequence's literals_length = 0. + // In this case, repeated offsets are shifted by one, so an offset_value of 1 means Repeated_Offset2, + // an offset_value of 2 means Repeated_Offset3, and an offset_value of 3 means Repeated_Offset1 - 1_byte. + offset++ + } + + if offset == 0 { + return s.prevOffset[0] + } + var temp int + if offset == 3 { + temp = s.prevOffset[0] - 1 + } else { + temp = s.prevOffset[offset] + } + + if temp == 0 { + // 0 is not valid; input is corrupted; force offset to 1 + println("temp was 0") + temp = 1 + } + + if offset != 1 { + s.prevOffset[2] = s.prevOffset[1] + } + s.prevOffset[1] = s.prevOffset[0] + s.prevOffset[0] = temp + return temp +} diff --git a/vendor/github.com/klauspost/compress/zstd/seqdec_amd64.go b/vendor/github.com/klauspost/compress/zstd/seqdec_amd64.go new file mode 100644 index 0000000000..c59f17e07a --- /dev/null +++ b/vendor/github.com/klauspost/compress/zstd/seqdec_amd64.go @@ -0,0 +1,394 @@ +//go:build amd64 && !appengine && !noasm && gc +// +build amd64,!appengine,!noasm,gc + +package zstd + +import ( + "fmt" + "io" + + "github.com/klauspost/compress/internal/cpuinfo" +) + +type decodeSyncAsmContext struct { + llTable []decSymbol + mlTable []decSymbol + ofTable []decSymbol + llState uint64 + mlState uint64 + ofState uint64 + iteration int + litRemain int + out []byte + outPosition int + literals []byte + litPosition int + history []byte + windowSize int + ll int // set on error (not for all errors, please refer to _generate/gen.go) + ml int // set on error (not for all errors, please refer to _generate/gen.go) + mo int // set on error (not for all errors, please refer to _generate/gen.go) +} + +// sequenceDecs_decodeSync_amd64 implements the main loop of sequenceDecs.decodeSync in x86 asm. +// +// Please refer to seqdec_generic.go for the reference implementation. +// +//go:noescape +func sequenceDecs_decodeSync_amd64(s *sequenceDecs, br *bitReader, ctx *decodeSyncAsmContext) int + +// sequenceDecs_decodeSync_bmi2 implements the main loop of sequenceDecs.decodeSync in x86 asm with BMI2 extensions. +// +//go:noescape +func sequenceDecs_decodeSync_bmi2(s *sequenceDecs, br *bitReader, ctx *decodeSyncAsmContext) int + +// sequenceDecs_decodeSync_safe_amd64 does the same as above, but does not write more than output buffer. +// +//go:noescape +func sequenceDecs_decodeSync_safe_amd64(s *sequenceDecs, br *bitReader, ctx *decodeSyncAsmContext) int + +// sequenceDecs_decodeSync_safe_bmi2 does the same as above, but does not write more than output buffer. +// +//go:noescape +func sequenceDecs_decodeSync_safe_bmi2(s *sequenceDecs, br *bitReader, ctx *decodeSyncAsmContext) int + +// decode sequences from the stream with the provided history but without a dictionary. +func (s *sequenceDecs) decodeSyncSimple(hist []byte) (bool, error) { + if len(s.dict) > 0 { + return false, nil + } + if s.maxSyncLen == 0 && cap(s.out)-len(s.out) < maxCompressedBlockSize { + return false, nil + } + + // FIXME: Using unsafe memory copies leads to rare, random crashes + // with fuzz testing. It is therefore disabled for now. + const useSafe = true + /* + useSafe := false + if s.maxSyncLen == 0 && cap(s.out)-len(s.out) < maxCompressedBlockSizeAlloc { + useSafe = true + } + if s.maxSyncLen > 0 && cap(s.out)-len(s.out)-compressedBlockOverAlloc < int(s.maxSyncLen) { + useSafe = true + } + if cap(s.literals) < len(s.literals)+compressedBlockOverAlloc { + useSafe = true + } + */ + + br := s.br + + maxBlockSize := maxCompressedBlockSize + if s.windowSize < maxBlockSize { + maxBlockSize = s.windowSize + } + + ctx := decodeSyncAsmContext{ + llTable: s.litLengths.fse.dt[:maxTablesize], + mlTable: s.matchLengths.fse.dt[:maxTablesize], + ofTable: s.offsets.fse.dt[:maxTablesize], + llState: uint64(s.litLengths.state.state), + mlState: uint64(s.matchLengths.state.state), + ofState: uint64(s.offsets.state.state), + iteration: s.nSeqs - 1, + litRemain: len(s.literals), + out: s.out, + outPosition: len(s.out), + literals: s.literals, + windowSize: s.windowSize, + history: hist, + } + + s.seqSize = 0 + startSize := len(s.out) + + var errCode int + if cpuinfo.HasBMI2() { + if useSafe { + errCode = sequenceDecs_decodeSync_safe_bmi2(s, br, &ctx) + } else { + errCode = sequenceDecs_decodeSync_bmi2(s, br, &ctx) + } + } else { + if useSafe { + errCode = sequenceDecs_decodeSync_safe_amd64(s, br, &ctx) + } else { + errCode = sequenceDecs_decodeSync_amd64(s, br, &ctx) + } + } + switch errCode { + case noError: + break + + case errorMatchLenOfsMismatch: + return true, fmt.Errorf("zero matchoff and matchlen (%d) > 0", ctx.ml) + + case errorMatchLenTooBig: + return true, fmt.Errorf("match len (%d) bigger than max allowed length", ctx.ml) + + case errorMatchOffTooBig: + return true, fmt.Errorf("match offset (%d) bigger than current history (%d)", + ctx.mo, ctx.outPosition+len(hist)-startSize) + + case errorNotEnoughLiterals: + return true, fmt.Errorf("unexpected literal count, want %d bytes, but only %d is available", + ctx.ll, ctx.litRemain+ctx.ll) + + case errorOverread: + return true, io.ErrUnexpectedEOF + + case errorNotEnoughSpace: + size := ctx.outPosition + ctx.ll + ctx.ml + if debugDecoder { + println("msl:", s.maxSyncLen, "cap", cap(s.out), "bef:", startSize, "sz:", size-startSize, "mbs:", maxBlockSize, "outsz:", cap(s.out)-startSize) + } + return true, fmt.Errorf("output bigger than max block size (%d)", maxBlockSize) + + default: + return true, fmt.Errorf("sequenceDecs_decode returned erroneous code %d", errCode) + } + + s.seqSize += ctx.litRemain + if s.seqSize > maxBlockSize { + return true, fmt.Errorf("output bigger than max block size (%d)", maxBlockSize) + } + err := br.close() + if err != nil { + printf("Closing sequences: %v, %+v\n", err, *br) + return true, err + } + + s.literals = s.literals[ctx.litPosition:] + t := ctx.outPosition + s.out = s.out[:t] + + // Add final literals + s.out = append(s.out, s.literals...) + if debugDecoder { + t += len(s.literals) + if t != len(s.out) { + panic(fmt.Errorf("length mismatch, want %d, got %d", len(s.out), t)) + } + } + + return true, nil +} + +// -------------------------------------------------------------------------------- + +type decodeAsmContext struct { + llTable []decSymbol + mlTable []decSymbol + ofTable []decSymbol + llState uint64 + mlState uint64 + ofState uint64 + iteration int + seqs []seqVals + litRemain int +} + +const noError = 0 + +// error reported when mo == 0 && ml > 0 +const errorMatchLenOfsMismatch = 1 + +// error reported when ml > maxMatchLen +const errorMatchLenTooBig = 2 + +// error reported when mo > available history or mo > s.windowSize +const errorMatchOffTooBig = 3 + +// error reported when the sum of literal lengths exeeceds the literal buffer size +const errorNotEnoughLiterals = 4 + +// error reported when capacity of `out` is too small +const errorNotEnoughSpace = 5 + +// error reported when bits are overread. +const errorOverread = 6 + +// sequenceDecs_decode implements the main loop of sequenceDecs in x86 asm. +// +// Please refer to seqdec_generic.go for the reference implementation. +// +//go:noescape +func sequenceDecs_decode_amd64(s *sequenceDecs, br *bitReader, ctx *decodeAsmContext) int + +// sequenceDecs_decode implements the main loop of sequenceDecs in x86 asm. +// +// Please refer to seqdec_generic.go for the reference implementation. +// +//go:noescape +func sequenceDecs_decode_56_amd64(s *sequenceDecs, br *bitReader, ctx *decodeAsmContext) int + +// sequenceDecs_decode implements the main loop of sequenceDecs in x86 asm with BMI2 extensions. +// +//go:noescape +func sequenceDecs_decode_bmi2(s *sequenceDecs, br *bitReader, ctx *decodeAsmContext) int + +// sequenceDecs_decode implements the main loop of sequenceDecs in x86 asm with BMI2 extensions. +// +//go:noescape +func sequenceDecs_decode_56_bmi2(s *sequenceDecs, br *bitReader, ctx *decodeAsmContext) int + +// decode sequences from the stream without the provided history. +func (s *sequenceDecs) decode(seqs []seqVals) error { + br := s.br + + maxBlockSize := maxCompressedBlockSize + if s.windowSize < maxBlockSize { + maxBlockSize = s.windowSize + } + + ctx := decodeAsmContext{ + llTable: s.litLengths.fse.dt[:maxTablesize], + mlTable: s.matchLengths.fse.dt[:maxTablesize], + ofTable: s.offsets.fse.dt[:maxTablesize], + llState: uint64(s.litLengths.state.state), + mlState: uint64(s.matchLengths.state.state), + ofState: uint64(s.offsets.state.state), + seqs: seqs, + iteration: len(seqs) - 1, + litRemain: len(s.literals), + } + + if debugDecoder { + println("decode: decoding", len(seqs), "sequences", br.remain(), "bits remain on stream") + } + + s.seqSize = 0 + lte56bits := s.maxBits+s.offsets.fse.actualTableLog+s.matchLengths.fse.actualTableLog+s.litLengths.fse.actualTableLog <= 56 + var errCode int + if cpuinfo.HasBMI2() { + if lte56bits { + errCode = sequenceDecs_decode_56_bmi2(s, br, &ctx) + } else { + errCode = sequenceDecs_decode_bmi2(s, br, &ctx) + } + } else { + if lte56bits { + errCode = sequenceDecs_decode_56_amd64(s, br, &ctx) + } else { + errCode = sequenceDecs_decode_amd64(s, br, &ctx) + } + } + if errCode != 0 { + i := len(seqs) - ctx.iteration - 1 + switch errCode { + case errorMatchLenOfsMismatch: + ml := ctx.seqs[i].ml + return fmt.Errorf("zero matchoff and matchlen (%d) > 0", ml) + + case errorMatchLenTooBig: + ml := ctx.seqs[i].ml + return fmt.Errorf("match len (%d) bigger than max allowed length", ml) + + case errorNotEnoughLiterals: + ll := ctx.seqs[i].ll + return fmt.Errorf("unexpected literal count, want %d bytes, but only %d is available", ll, ctx.litRemain+ll) + case errorOverread: + return io.ErrUnexpectedEOF + } + + return fmt.Errorf("sequenceDecs_decode_amd64 returned erroneous code %d", errCode) + } + + if ctx.litRemain < 0 { + return fmt.Errorf("literal count is too big: total available %d, total requested %d", + len(s.literals), len(s.literals)-ctx.litRemain) + } + + s.seqSize += ctx.litRemain + if s.seqSize > maxBlockSize { + return fmt.Errorf("output bigger than max block size (%d)", maxBlockSize) + } + if debugDecoder { + println("decode: ", br.remain(), "bits remain on stream. code:", errCode) + } + err := br.close() + if err != nil { + printf("Closing sequences: %v, %+v\n", err, *br) + } + return err +} + +// -------------------------------------------------------------------------------- + +type executeAsmContext struct { + seqs []seqVals + seqIndex int + out []byte + history []byte + literals []byte + outPosition int + litPosition int + windowSize int +} + +// sequenceDecs_executeSimple_amd64 implements the main loop of sequenceDecs.executeSimple in x86 asm. +// +// Returns false if a match offset is too big. +// +// Please refer to seqdec_generic.go for the reference implementation. +// +//go:noescape +func sequenceDecs_executeSimple_amd64(ctx *executeAsmContext) bool + +// Same as above, but with safe memcopies +// +//go:noescape +func sequenceDecs_executeSimple_safe_amd64(ctx *executeAsmContext) bool + +// executeSimple handles cases when dictionary is not used. +func (s *sequenceDecs) executeSimple(seqs []seqVals, hist []byte) error { + // Ensure we have enough output size... + if len(s.out)+s.seqSize+compressedBlockOverAlloc > cap(s.out) { + addBytes := s.seqSize + len(s.out) + compressedBlockOverAlloc + s.out = append(s.out, make([]byte, addBytes)...) + s.out = s.out[:len(s.out)-addBytes] + } + + if debugDecoder { + printf("Execute %d seqs with literals: %d into %d bytes\n", len(seqs), len(s.literals), s.seqSize) + } + + var t = len(s.out) + out := s.out[:t+s.seqSize] + + ctx := executeAsmContext{ + seqs: seqs, + seqIndex: 0, + out: out, + history: hist, + outPosition: t, + litPosition: 0, + literals: s.literals, + windowSize: s.windowSize, + } + var ok bool + if cap(s.literals) < len(s.literals)+compressedBlockOverAlloc { + ok = sequenceDecs_executeSimple_safe_amd64(&ctx) + } else { + ok = sequenceDecs_executeSimple_amd64(&ctx) + } + if !ok { + return fmt.Errorf("match offset (%d) bigger than current history (%d)", + seqs[ctx.seqIndex].mo, ctx.outPosition+len(hist)) + } + s.literals = s.literals[ctx.litPosition:] + t = ctx.outPosition + + // Add final literals + copy(out[t:], s.literals) + if debugDecoder { + t += len(s.literals) + if t != len(out) { + panic(fmt.Errorf("length mismatch, want %d, got %d, ss: %d", len(out), t, s.seqSize)) + } + } + s.out = out + + return nil +} diff --git a/vendor/github.com/klauspost/compress/zstd/seqdec_amd64.s b/vendor/github.com/klauspost/compress/zstd/seqdec_amd64.s new file mode 100644 index 0000000000..a708ca6d3d --- /dev/null +++ b/vendor/github.com/klauspost/compress/zstd/seqdec_amd64.s @@ -0,0 +1,4151 @@ +// Code generated by command: go run gen.go -out ../seqdec_amd64.s -pkg=zstd. DO NOT EDIT. + +//go:build !appengine && !noasm && gc && !noasm + +// func sequenceDecs_decode_amd64(s *sequenceDecs, br *bitReader, ctx *decodeAsmContext) int +// Requires: CMOV +TEXT ·sequenceDecs_decode_amd64(SB), $8-32 + MOVQ br+8(FP), CX + MOVQ 24(CX), DX + MOVBQZX 40(CX), BX + MOVQ (CX), AX + MOVQ 32(CX), SI + ADDQ SI, AX + MOVQ AX, (SP) + MOVQ ctx+16(FP), AX + MOVQ 72(AX), DI + MOVQ 80(AX), R8 + MOVQ 88(AX), R9 + MOVQ 104(AX), R10 + MOVQ s+0(FP), AX + MOVQ 144(AX), R11 + MOVQ 152(AX), R12 + MOVQ 160(AX), R13 + +sequenceDecs_decode_amd64_main_loop: + MOVQ (SP), R14 + + // Fill bitreader to have enough for the offset and match length. + CMPQ SI, $0x08 + JL sequenceDecs_decode_amd64_fill_byte_by_byte + MOVQ BX, AX + SHRQ $0x03, AX + SUBQ AX, R14 + MOVQ (R14), DX + SUBQ AX, SI + ANDQ $0x07, BX + JMP sequenceDecs_decode_amd64_fill_end + +sequenceDecs_decode_amd64_fill_byte_by_byte: + CMPQ SI, $0x00 + JLE sequenceDecs_decode_amd64_fill_check_overread + CMPQ BX, $0x07 + JLE sequenceDecs_decode_amd64_fill_end + SHLQ $0x08, DX + SUBQ $0x01, R14 + SUBQ $0x01, SI + SUBQ $0x08, BX + MOVBQZX (R14), AX + ORQ AX, DX + JMP sequenceDecs_decode_amd64_fill_byte_by_byte + +sequenceDecs_decode_amd64_fill_check_overread: + CMPQ BX, $0x40 + JA error_overread + +sequenceDecs_decode_amd64_fill_end: + // Update offset + MOVQ R9, AX + MOVQ BX, CX + MOVQ DX, R15 + SHLQ CL, R15 + MOVB AH, CL + SHRQ $0x20, AX + TESTQ CX, CX + JZ sequenceDecs_decode_amd64_of_update_zero + ADDQ CX, BX + CMPQ BX, $0x40 + JA sequenceDecs_decode_amd64_of_update_zero + CMPQ CX, $0x40 + JAE sequenceDecs_decode_amd64_of_update_zero + NEGQ CX + SHRQ CL, R15 + ADDQ R15, AX + +sequenceDecs_decode_amd64_of_update_zero: + MOVQ AX, 16(R10) + + // Update match length + MOVQ R8, AX + MOVQ BX, CX + MOVQ DX, R15 + SHLQ CL, R15 + MOVB AH, CL + SHRQ $0x20, AX + TESTQ CX, CX + JZ sequenceDecs_decode_amd64_ml_update_zero + ADDQ CX, BX + CMPQ BX, $0x40 + JA sequenceDecs_decode_amd64_ml_update_zero + CMPQ CX, $0x40 + JAE sequenceDecs_decode_amd64_ml_update_zero + NEGQ CX + SHRQ CL, R15 + ADDQ R15, AX + +sequenceDecs_decode_amd64_ml_update_zero: + MOVQ AX, 8(R10) + + // Fill bitreader to have enough for the remaining + CMPQ SI, $0x08 + JL sequenceDecs_decode_amd64_fill_2_byte_by_byte + MOVQ BX, AX + SHRQ $0x03, AX + SUBQ AX, R14 + MOVQ (R14), DX + SUBQ AX, SI + ANDQ $0x07, BX + JMP sequenceDecs_decode_amd64_fill_2_end + +sequenceDecs_decode_amd64_fill_2_byte_by_byte: + CMPQ SI, $0x00 + JLE sequenceDecs_decode_amd64_fill_2_check_overread + CMPQ BX, $0x07 + JLE sequenceDecs_decode_amd64_fill_2_end + SHLQ $0x08, DX + SUBQ $0x01, R14 + SUBQ $0x01, SI + SUBQ $0x08, BX + MOVBQZX (R14), AX + ORQ AX, DX + JMP sequenceDecs_decode_amd64_fill_2_byte_by_byte + +sequenceDecs_decode_amd64_fill_2_check_overread: + CMPQ BX, $0x40 + JA error_overread + +sequenceDecs_decode_amd64_fill_2_end: + // Update literal length + MOVQ DI, AX + MOVQ BX, CX + MOVQ DX, R15 + SHLQ CL, R15 + MOVB AH, CL + SHRQ $0x20, AX + TESTQ CX, CX + JZ sequenceDecs_decode_amd64_ll_update_zero + ADDQ CX, BX + CMPQ BX, $0x40 + JA sequenceDecs_decode_amd64_ll_update_zero + CMPQ CX, $0x40 + JAE sequenceDecs_decode_amd64_ll_update_zero + NEGQ CX + SHRQ CL, R15 + ADDQ R15, AX + +sequenceDecs_decode_amd64_ll_update_zero: + MOVQ AX, (R10) + + // Fill bitreader for state updates + MOVQ R14, (SP) + MOVQ R9, AX + SHRQ $0x08, AX + MOVBQZX AL, AX + MOVQ ctx+16(FP), CX + CMPQ 96(CX), $0x00 + JZ sequenceDecs_decode_amd64_skip_update + + // Update Literal Length State + MOVBQZX DI, R14 + SHRL $0x10, DI + LEAQ (BX)(R14*1), CX + MOVQ DX, R15 + MOVQ CX, BX + ROLQ CL, R15 + MOVL $0x00000001, BP + MOVB R14, CL + SHLL CL, BP + DECL BP + ANDQ BP, R15 + ADDQ R15, DI + + // Load ctx.llTable + MOVQ ctx+16(FP), CX + MOVQ (CX), CX + MOVQ (CX)(DI*8), DI + + // Update Match Length State + MOVBQZX R8, R14 + SHRL $0x10, R8 + LEAQ (BX)(R14*1), CX + MOVQ DX, R15 + MOVQ CX, BX + ROLQ CL, R15 + MOVL $0x00000001, BP + MOVB R14, CL + SHLL CL, BP + DECL BP + ANDQ BP, R15 + ADDQ R15, R8 + + // Load ctx.mlTable + MOVQ ctx+16(FP), CX + MOVQ 24(CX), CX + MOVQ (CX)(R8*8), R8 + + // Update Offset State + MOVBQZX R9, R14 + SHRL $0x10, R9 + LEAQ (BX)(R14*1), CX + MOVQ DX, R15 + MOVQ CX, BX + ROLQ CL, R15 + MOVL $0x00000001, BP + MOVB R14, CL + SHLL CL, BP + DECL BP + ANDQ BP, R15 + ADDQ R15, R9 + + // Load ctx.ofTable + MOVQ ctx+16(FP), CX + MOVQ 48(CX), CX + MOVQ (CX)(R9*8), R9 + +sequenceDecs_decode_amd64_skip_update: + // Adjust offset + MOVQ 16(R10), CX + CMPQ AX, $0x01 + JBE sequenceDecs_decode_amd64_adjust_offsetB_1_or_0 + MOVQ R12, R13 + MOVQ R11, R12 + MOVQ CX, R11 + JMP sequenceDecs_decode_amd64_after_adjust + +sequenceDecs_decode_amd64_adjust_offsetB_1_or_0: + CMPQ (R10), $0x00000000 + JNE sequenceDecs_decode_amd64_adjust_offset_maybezero + INCQ CX + JMP sequenceDecs_decode_amd64_adjust_offset_nonzero + +sequenceDecs_decode_amd64_adjust_offset_maybezero: + TESTQ CX, CX + JNZ sequenceDecs_decode_amd64_adjust_offset_nonzero + MOVQ R11, CX + JMP sequenceDecs_decode_amd64_after_adjust + +sequenceDecs_decode_amd64_adjust_offset_nonzero: + CMPQ CX, $0x01 + JB sequenceDecs_decode_amd64_adjust_zero + JEQ sequenceDecs_decode_amd64_adjust_one + CMPQ CX, $0x02 + JA sequenceDecs_decode_amd64_adjust_three + JMP sequenceDecs_decode_amd64_adjust_two + +sequenceDecs_decode_amd64_adjust_zero: + MOVQ R11, AX + JMP sequenceDecs_decode_amd64_adjust_test_temp_valid + +sequenceDecs_decode_amd64_adjust_one: + MOVQ R12, AX + JMP sequenceDecs_decode_amd64_adjust_test_temp_valid + +sequenceDecs_decode_amd64_adjust_two: + MOVQ R13, AX + JMP sequenceDecs_decode_amd64_adjust_test_temp_valid + +sequenceDecs_decode_amd64_adjust_three: + LEAQ -1(R11), AX + +sequenceDecs_decode_amd64_adjust_test_temp_valid: + TESTQ AX, AX + JNZ sequenceDecs_decode_amd64_adjust_temp_valid + MOVQ $0x00000001, AX + +sequenceDecs_decode_amd64_adjust_temp_valid: + CMPQ CX, $0x01 + CMOVQNE R12, R13 + MOVQ R11, R12 + MOVQ AX, R11 + MOVQ AX, CX + +sequenceDecs_decode_amd64_after_adjust: + MOVQ CX, 16(R10) + + // Check values + MOVQ 8(R10), AX + MOVQ (R10), R14 + LEAQ (AX)(R14*1), R15 + MOVQ s+0(FP), BP + ADDQ R15, 256(BP) + MOVQ ctx+16(FP), R15 + SUBQ R14, 128(R15) + JS error_not_enough_literals + CMPQ AX, $0x00020002 + JA sequenceDecs_decode_amd64_error_match_len_too_big + TESTQ CX, CX + JNZ sequenceDecs_decode_amd64_match_len_ofs_ok + TESTQ AX, AX + JNZ sequenceDecs_decode_amd64_error_match_len_ofs_mismatch + +sequenceDecs_decode_amd64_match_len_ofs_ok: + ADDQ $0x18, R10 + MOVQ ctx+16(FP), AX + DECQ 96(AX) + JNS sequenceDecs_decode_amd64_main_loop + MOVQ s+0(FP), AX + MOVQ R11, 144(AX) + MOVQ R12, 152(AX) + MOVQ R13, 160(AX) + MOVQ br+8(FP), AX + MOVQ DX, 24(AX) + MOVB BL, 40(AX) + MOVQ SI, 32(AX) + + // Return success + MOVQ $0x00000000, ret+24(FP) + RET + + // Return with match length error +sequenceDecs_decode_amd64_error_match_len_ofs_mismatch: + MOVQ $0x00000001, ret+24(FP) + RET + + // Return with match too long error +sequenceDecs_decode_amd64_error_match_len_too_big: + MOVQ $0x00000002, ret+24(FP) + RET + + // Return with match offset too long error + MOVQ $0x00000003, ret+24(FP) + RET + + // Return with not enough literals error +error_not_enough_literals: + MOVQ $0x00000004, ret+24(FP) + RET + + // Return with overread error +error_overread: + MOVQ $0x00000006, ret+24(FP) + RET + +// func sequenceDecs_decode_56_amd64(s *sequenceDecs, br *bitReader, ctx *decodeAsmContext) int +// Requires: CMOV +TEXT ·sequenceDecs_decode_56_amd64(SB), $8-32 + MOVQ br+8(FP), CX + MOVQ 24(CX), DX + MOVBQZX 40(CX), BX + MOVQ (CX), AX + MOVQ 32(CX), SI + ADDQ SI, AX + MOVQ AX, (SP) + MOVQ ctx+16(FP), AX + MOVQ 72(AX), DI + MOVQ 80(AX), R8 + MOVQ 88(AX), R9 + MOVQ 104(AX), R10 + MOVQ s+0(FP), AX + MOVQ 144(AX), R11 + MOVQ 152(AX), R12 + MOVQ 160(AX), R13 + +sequenceDecs_decode_56_amd64_main_loop: + MOVQ (SP), R14 + + // Fill bitreader to have enough for the offset and match length. + CMPQ SI, $0x08 + JL sequenceDecs_decode_56_amd64_fill_byte_by_byte + MOVQ BX, AX + SHRQ $0x03, AX + SUBQ AX, R14 + MOVQ (R14), DX + SUBQ AX, SI + ANDQ $0x07, BX + JMP sequenceDecs_decode_56_amd64_fill_end + +sequenceDecs_decode_56_amd64_fill_byte_by_byte: + CMPQ SI, $0x00 + JLE sequenceDecs_decode_56_amd64_fill_check_overread + CMPQ BX, $0x07 + JLE sequenceDecs_decode_56_amd64_fill_end + SHLQ $0x08, DX + SUBQ $0x01, R14 + SUBQ $0x01, SI + SUBQ $0x08, BX + MOVBQZX (R14), AX + ORQ AX, DX + JMP sequenceDecs_decode_56_amd64_fill_byte_by_byte + +sequenceDecs_decode_56_amd64_fill_check_overread: + CMPQ BX, $0x40 + JA error_overread + +sequenceDecs_decode_56_amd64_fill_end: + // Update offset + MOVQ R9, AX + MOVQ BX, CX + MOVQ DX, R15 + SHLQ CL, R15 + MOVB AH, CL + SHRQ $0x20, AX + TESTQ CX, CX + JZ sequenceDecs_decode_56_amd64_of_update_zero + ADDQ CX, BX + CMPQ BX, $0x40 + JA sequenceDecs_decode_56_amd64_of_update_zero + CMPQ CX, $0x40 + JAE sequenceDecs_decode_56_amd64_of_update_zero + NEGQ CX + SHRQ CL, R15 + ADDQ R15, AX + +sequenceDecs_decode_56_amd64_of_update_zero: + MOVQ AX, 16(R10) + + // Update match length + MOVQ R8, AX + MOVQ BX, CX + MOVQ DX, R15 + SHLQ CL, R15 + MOVB AH, CL + SHRQ $0x20, AX + TESTQ CX, CX + JZ sequenceDecs_decode_56_amd64_ml_update_zero + ADDQ CX, BX + CMPQ BX, $0x40 + JA sequenceDecs_decode_56_amd64_ml_update_zero + CMPQ CX, $0x40 + JAE sequenceDecs_decode_56_amd64_ml_update_zero + NEGQ CX + SHRQ CL, R15 + ADDQ R15, AX + +sequenceDecs_decode_56_amd64_ml_update_zero: + MOVQ AX, 8(R10) + + // Update literal length + MOVQ DI, AX + MOVQ BX, CX + MOVQ DX, R15 + SHLQ CL, R15 + MOVB AH, CL + SHRQ $0x20, AX + TESTQ CX, CX + JZ sequenceDecs_decode_56_amd64_ll_update_zero + ADDQ CX, BX + CMPQ BX, $0x40 + JA sequenceDecs_decode_56_amd64_ll_update_zero + CMPQ CX, $0x40 + JAE sequenceDecs_decode_56_amd64_ll_update_zero + NEGQ CX + SHRQ CL, R15 + ADDQ R15, AX + +sequenceDecs_decode_56_amd64_ll_update_zero: + MOVQ AX, (R10) + + // Fill bitreader for state updates + MOVQ R14, (SP) + MOVQ R9, AX + SHRQ $0x08, AX + MOVBQZX AL, AX + MOVQ ctx+16(FP), CX + CMPQ 96(CX), $0x00 + JZ sequenceDecs_decode_56_amd64_skip_update + + // Update Literal Length State + MOVBQZX DI, R14 + SHRL $0x10, DI + LEAQ (BX)(R14*1), CX + MOVQ DX, R15 + MOVQ CX, BX + ROLQ CL, R15 + MOVL $0x00000001, BP + MOVB R14, CL + SHLL CL, BP + DECL BP + ANDQ BP, R15 + ADDQ R15, DI + + // Load ctx.llTable + MOVQ ctx+16(FP), CX + MOVQ (CX), CX + MOVQ (CX)(DI*8), DI + + // Update Match Length State + MOVBQZX R8, R14 + SHRL $0x10, R8 + LEAQ (BX)(R14*1), CX + MOVQ DX, R15 + MOVQ CX, BX + ROLQ CL, R15 + MOVL $0x00000001, BP + MOVB R14, CL + SHLL CL, BP + DECL BP + ANDQ BP, R15 + ADDQ R15, R8 + + // Load ctx.mlTable + MOVQ ctx+16(FP), CX + MOVQ 24(CX), CX + MOVQ (CX)(R8*8), R8 + + // Update Offset State + MOVBQZX R9, R14 + SHRL $0x10, R9 + LEAQ (BX)(R14*1), CX + MOVQ DX, R15 + MOVQ CX, BX + ROLQ CL, R15 + MOVL $0x00000001, BP + MOVB R14, CL + SHLL CL, BP + DECL BP + ANDQ BP, R15 + ADDQ R15, R9 + + // Load ctx.ofTable + MOVQ ctx+16(FP), CX + MOVQ 48(CX), CX + MOVQ (CX)(R9*8), R9 + +sequenceDecs_decode_56_amd64_skip_update: + // Adjust offset + MOVQ 16(R10), CX + CMPQ AX, $0x01 + JBE sequenceDecs_decode_56_amd64_adjust_offsetB_1_or_0 + MOVQ R12, R13 + MOVQ R11, R12 + MOVQ CX, R11 + JMP sequenceDecs_decode_56_amd64_after_adjust + +sequenceDecs_decode_56_amd64_adjust_offsetB_1_or_0: + CMPQ (R10), $0x00000000 + JNE sequenceDecs_decode_56_amd64_adjust_offset_maybezero + INCQ CX + JMP sequenceDecs_decode_56_amd64_adjust_offset_nonzero + +sequenceDecs_decode_56_amd64_adjust_offset_maybezero: + TESTQ CX, CX + JNZ sequenceDecs_decode_56_amd64_adjust_offset_nonzero + MOVQ R11, CX + JMP sequenceDecs_decode_56_amd64_after_adjust + +sequenceDecs_decode_56_amd64_adjust_offset_nonzero: + CMPQ CX, $0x01 + JB sequenceDecs_decode_56_amd64_adjust_zero + JEQ sequenceDecs_decode_56_amd64_adjust_one + CMPQ CX, $0x02 + JA sequenceDecs_decode_56_amd64_adjust_three + JMP sequenceDecs_decode_56_amd64_adjust_two + +sequenceDecs_decode_56_amd64_adjust_zero: + MOVQ R11, AX + JMP sequenceDecs_decode_56_amd64_adjust_test_temp_valid + +sequenceDecs_decode_56_amd64_adjust_one: + MOVQ R12, AX + JMP sequenceDecs_decode_56_amd64_adjust_test_temp_valid + +sequenceDecs_decode_56_amd64_adjust_two: + MOVQ R13, AX + JMP sequenceDecs_decode_56_amd64_adjust_test_temp_valid + +sequenceDecs_decode_56_amd64_adjust_three: + LEAQ -1(R11), AX + +sequenceDecs_decode_56_amd64_adjust_test_temp_valid: + TESTQ AX, AX + JNZ sequenceDecs_decode_56_amd64_adjust_temp_valid + MOVQ $0x00000001, AX + +sequenceDecs_decode_56_amd64_adjust_temp_valid: + CMPQ CX, $0x01 + CMOVQNE R12, R13 + MOVQ R11, R12 + MOVQ AX, R11 + MOVQ AX, CX + +sequenceDecs_decode_56_amd64_after_adjust: + MOVQ CX, 16(R10) + + // Check values + MOVQ 8(R10), AX + MOVQ (R10), R14 + LEAQ (AX)(R14*1), R15 + MOVQ s+0(FP), BP + ADDQ R15, 256(BP) + MOVQ ctx+16(FP), R15 + SUBQ R14, 128(R15) + JS error_not_enough_literals + CMPQ AX, $0x00020002 + JA sequenceDecs_decode_56_amd64_error_match_len_too_big + TESTQ CX, CX + JNZ sequenceDecs_decode_56_amd64_match_len_ofs_ok + TESTQ AX, AX + JNZ sequenceDecs_decode_56_amd64_error_match_len_ofs_mismatch + +sequenceDecs_decode_56_amd64_match_len_ofs_ok: + ADDQ $0x18, R10 + MOVQ ctx+16(FP), AX + DECQ 96(AX) + JNS sequenceDecs_decode_56_amd64_main_loop + MOVQ s+0(FP), AX + MOVQ R11, 144(AX) + MOVQ R12, 152(AX) + MOVQ R13, 160(AX) + MOVQ br+8(FP), AX + MOVQ DX, 24(AX) + MOVB BL, 40(AX) + MOVQ SI, 32(AX) + + // Return success + MOVQ $0x00000000, ret+24(FP) + RET + + // Return with match length error +sequenceDecs_decode_56_amd64_error_match_len_ofs_mismatch: + MOVQ $0x00000001, ret+24(FP) + RET + + // Return with match too long error +sequenceDecs_decode_56_amd64_error_match_len_too_big: + MOVQ $0x00000002, ret+24(FP) + RET + + // Return with match offset too long error + MOVQ $0x00000003, ret+24(FP) + RET + + // Return with not enough literals error +error_not_enough_literals: + MOVQ $0x00000004, ret+24(FP) + RET + + // Return with overread error +error_overread: + MOVQ $0x00000006, ret+24(FP) + RET + +// func sequenceDecs_decode_bmi2(s *sequenceDecs, br *bitReader, ctx *decodeAsmContext) int +// Requires: BMI, BMI2, CMOV +TEXT ·sequenceDecs_decode_bmi2(SB), $8-32 + MOVQ br+8(FP), BX + MOVQ 24(BX), AX + MOVBQZX 40(BX), DX + MOVQ (BX), CX + MOVQ 32(BX), BX + ADDQ BX, CX + MOVQ CX, (SP) + MOVQ ctx+16(FP), CX + MOVQ 72(CX), SI + MOVQ 80(CX), DI + MOVQ 88(CX), R8 + MOVQ 104(CX), R9 + MOVQ s+0(FP), CX + MOVQ 144(CX), R10 + MOVQ 152(CX), R11 + MOVQ 160(CX), R12 + +sequenceDecs_decode_bmi2_main_loop: + MOVQ (SP), R13 + + // Fill bitreader to have enough for the offset and match length. + CMPQ BX, $0x08 + JL sequenceDecs_decode_bmi2_fill_byte_by_byte + MOVQ DX, CX + SHRQ $0x03, CX + SUBQ CX, R13 + MOVQ (R13), AX + SUBQ CX, BX + ANDQ $0x07, DX + JMP sequenceDecs_decode_bmi2_fill_end + +sequenceDecs_decode_bmi2_fill_byte_by_byte: + CMPQ BX, $0x00 + JLE sequenceDecs_decode_bmi2_fill_check_overread + CMPQ DX, $0x07 + JLE sequenceDecs_decode_bmi2_fill_end + SHLQ $0x08, AX + SUBQ $0x01, R13 + SUBQ $0x01, BX + SUBQ $0x08, DX + MOVBQZX (R13), CX + ORQ CX, AX + JMP sequenceDecs_decode_bmi2_fill_byte_by_byte + +sequenceDecs_decode_bmi2_fill_check_overread: + CMPQ DX, $0x40 + JA error_overread + +sequenceDecs_decode_bmi2_fill_end: + // Update offset + MOVQ $0x00000808, CX + BEXTRQ CX, R8, R14 + MOVQ AX, R15 + LEAQ (DX)(R14*1), CX + ROLQ CL, R15 + BZHIQ R14, R15, R15 + MOVQ CX, DX + MOVQ R8, CX + SHRQ $0x20, CX + ADDQ R15, CX + MOVQ CX, 16(R9) + + // Update match length + MOVQ $0x00000808, CX + BEXTRQ CX, DI, R14 + MOVQ AX, R15 + LEAQ (DX)(R14*1), CX + ROLQ CL, R15 + BZHIQ R14, R15, R15 + MOVQ CX, DX + MOVQ DI, CX + SHRQ $0x20, CX + ADDQ R15, CX + MOVQ CX, 8(R9) + + // Fill bitreader to have enough for the remaining + CMPQ BX, $0x08 + JL sequenceDecs_decode_bmi2_fill_2_byte_by_byte + MOVQ DX, CX + SHRQ $0x03, CX + SUBQ CX, R13 + MOVQ (R13), AX + SUBQ CX, BX + ANDQ $0x07, DX + JMP sequenceDecs_decode_bmi2_fill_2_end + +sequenceDecs_decode_bmi2_fill_2_byte_by_byte: + CMPQ BX, $0x00 + JLE sequenceDecs_decode_bmi2_fill_2_check_overread + CMPQ DX, $0x07 + JLE sequenceDecs_decode_bmi2_fill_2_end + SHLQ $0x08, AX + SUBQ $0x01, R13 + SUBQ $0x01, BX + SUBQ $0x08, DX + MOVBQZX (R13), CX + ORQ CX, AX + JMP sequenceDecs_decode_bmi2_fill_2_byte_by_byte + +sequenceDecs_decode_bmi2_fill_2_check_overread: + CMPQ DX, $0x40 + JA error_overread + +sequenceDecs_decode_bmi2_fill_2_end: + // Update literal length + MOVQ $0x00000808, CX + BEXTRQ CX, SI, R14 + MOVQ AX, R15 + LEAQ (DX)(R14*1), CX + ROLQ CL, R15 + BZHIQ R14, R15, R15 + MOVQ CX, DX + MOVQ SI, CX + SHRQ $0x20, CX + ADDQ R15, CX + MOVQ CX, (R9) + + // Fill bitreader for state updates + MOVQ R13, (SP) + MOVQ $0x00000808, CX + BEXTRQ CX, R8, R13 + MOVQ ctx+16(FP), CX + CMPQ 96(CX), $0x00 + JZ sequenceDecs_decode_bmi2_skip_update + LEAQ (SI)(DI*1), R14 + ADDQ R8, R14 + MOVBQZX R14, R14 + LEAQ (DX)(R14*1), CX + MOVQ AX, R15 + MOVQ CX, DX + ROLQ CL, R15 + BZHIQ R14, R15, R15 + + // Update Offset State + BZHIQ R8, R15, CX + SHRXQ R8, R15, R15 + SHRL $0x10, R8 + ADDQ CX, R8 + + // Load ctx.ofTable + MOVQ ctx+16(FP), CX + MOVQ 48(CX), CX + MOVQ (CX)(R8*8), R8 + + // Update Match Length State + BZHIQ DI, R15, CX + SHRXQ DI, R15, R15 + SHRL $0x10, DI + ADDQ CX, DI + + // Load ctx.mlTable + MOVQ ctx+16(FP), CX + MOVQ 24(CX), CX + MOVQ (CX)(DI*8), DI + + // Update Literal Length State + BZHIQ SI, R15, CX + SHRL $0x10, SI + ADDQ CX, SI + + // Load ctx.llTable + MOVQ ctx+16(FP), CX + MOVQ (CX), CX + MOVQ (CX)(SI*8), SI + +sequenceDecs_decode_bmi2_skip_update: + // Adjust offset + MOVQ 16(R9), CX + CMPQ R13, $0x01 + JBE sequenceDecs_decode_bmi2_adjust_offsetB_1_or_0 + MOVQ R11, R12 + MOVQ R10, R11 + MOVQ CX, R10 + JMP sequenceDecs_decode_bmi2_after_adjust + +sequenceDecs_decode_bmi2_adjust_offsetB_1_or_0: + CMPQ (R9), $0x00000000 + JNE sequenceDecs_decode_bmi2_adjust_offset_maybezero + INCQ CX + JMP sequenceDecs_decode_bmi2_adjust_offset_nonzero + +sequenceDecs_decode_bmi2_adjust_offset_maybezero: + TESTQ CX, CX + JNZ sequenceDecs_decode_bmi2_adjust_offset_nonzero + MOVQ R10, CX + JMP sequenceDecs_decode_bmi2_after_adjust + +sequenceDecs_decode_bmi2_adjust_offset_nonzero: + CMPQ CX, $0x01 + JB sequenceDecs_decode_bmi2_adjust_zero + JEQ sequenceDecs_decode_bmi2_adjust_one + CMPQ CX, $0x02 + JA sequenceDecs_decode_bmi2_adjust_three + JMP sequenceDecs_decode_bmi2_adjust_two + +sequenceDecs_decode_bmi2_adjust_zero: + MOVQ R10, R13 + JMP sequenceDecs_decode_bmi2_adjust_test_temp_valid + +sequenceDecs_decode_bmi2_adjust_one: + MOVQ R11, R13 + JMP sequenceDecs_decode_bmi2_adjust_test_temp_valid + +sequenceDecs_decode_bmi2_adjust_two: + MOVQ R12, R13 + JMP sequenceDecs_decode_bmi2_adjust_test_temp_valid + +sequenceDecs_decode_bmi2_adjust_three: + LEAQ -1(R10), R13 + +sequenceDecs_decode_bmi2_adjust_test_temp_valid: + TESTQ R13, R13 + JNZ sequenceDecs_decode_bmi2_adjust_temp_valid + MOVQ $0x00000001, R13 + +sequenceDecs_decode_bmi2_adjust_temp_valid: + CMPQ CX, $0x01 + CMOVQNE R11, R12 + MOVQ R10, R11 + MOVQ R13, R10 + MOVQ R13, CX + +sequenceDecs_decode_bmi2_after_adjust: + MOVQ CX, 16(R9) + + // Check values + MOVQ 8(R9), R13 + MOVQ (R9), R14 + LEAQ (R13)(R14*1), R15 + MOVQ s+0(FP), BP + ADDQ R15, 256(BP) + MOVQ ctx+16(FP), R15 + SUBQ R14, 128(R15) + JS error_not_enough_literals + CMPQ R13, $0x00020002 + JA sequenceDecs_decode_bmi2_error_match_len_too_big + TESTQ CX, CX + JNZ sequenceDecs_decode_bmi2_match_len_ofs_ok + TESTQ R13, R13 + JNZ sequenceDecs_decode_bmi2_error_match_len_ofs_mismatch + +sequenceDecs_decode_bmi2_match_len_ofs_ok: + ADDQ $0x18, R9 + MOVQ ctx+16(FP), CX + DECQ 96(CX) + JNS sequenceDecs_decode_bmi2_main_loop + MOVQ s+0(FP), CX + MOVQ R10, 144(CX) + MOVQ R11, 152(CX) + MOVQ R12, 160(CX) + MOVQ br+8(FP), CX + MOVQ AX, 24(CX) + MOVB DL, 40(CX) + MOVQ BX, 32(CX) + + // Return success + MOVQ $0x00000000, ret+24(FP) + RET + + // Return with match length error +sequenceDecs_decode_bmi2_error_match_len_ofs_mismatch: + MOVQ $0x00000001, ret+24(FP) + RET + + // Return with match too long error +sequenceDecs_decode_bmi2_error_match_len_too_big: + MOVQ $0x00000002, ret+24(FP) + RET + + // Return with match offset too long error + MOVQ $0x00000003, ret+24(FP) + RET + + // Return with not enough literals error +error_not_enough_literals: + MOVQ $0x00000004, ret+24(FP) + RET + + // Return with overread error +error_overread: + MOVQ $0x00000006, ret+24(FP) + RET + +// func sequenceDecs_decode_56_bmi2(s *sequenceDecs, br *bitReader, ctx *decodeAsmContext) int +// Requires: BMI, BMI2, CMOV +TEXT ·sequenceDecs_decode_56_bmi2(SB), $8-32 + MOVQ br+8(FP), BX + MOVQ 24(BX), AX + MOVBQZX 40(BX), DX + MOVQ (BX), CX + MOVQ 32(BX), BX + ADDQ BX, CX + MOVQ CX, (SP) + MOVQ ctx+16(FP), CX + MOVQ 72(CX), SI + MOVQ 80(CX), DI + MOVQ 88(CX), R8 + MOVQ 104(CX), R9 + MOVQ s+0(FP), CX + MOVQ 144(CX), R10 + MOVQ 152(CX), R11 + MOVQ 160(CX), R12 + +sequenceDecs_decode_56_bmi2_main_loop: + MOVQ (SP), R13 + + // Fill bitreader to have enough for the offset and match length. + CMPQ BX, $0x08 + JL sequenceDecs_decode_56_bmi2_fill_byte_by_byte + MOVQ DX, CX + SHRQ $0x03, CX + SUBQ CX, R13 + MOVQ (R13), AX + SUBQ CX, BX + ANDQ $0x07, DX + JMP sequenceDecs_decode_56_bmi2_fill_end + +sequenceDecs_decode_56_bmi2_fill_byte_by_byte: + CMPQ BX, $0x00 + JLE sequenceDecs_decode_56_bmi2_fill_check_overread + CMPQ DX, $0x07 + JLE sequenceDecs_decode_56_bmi2_fill_end + SHLQ $0x08, AX + SUBQ $0x01, R13 + SUBQ $0x01, BX + SUBQ $0x08, DX + MOVBQZX (R13), CX + ORQ CX, AX + JMP sequenceDecs_decode_56_bmi2_fill_byte_by_byte + +sequenceDecs_decode_56_bmi2_fill_check_overread: + CMPQ DX, $0x40 + JA error_overread + +sequenceDecs_decode_56_bmi2_fill_end: + // Update offset + MOVQ $0x00000808, CX + BEXTRQ CX, R8, R14 + MOVQ AX, R15 + LEAQ (DX)(R14*1), CX + ROLQ CL, R15 + BZHIQ R14, R15, R15 + MOVQ CX, DX + MOVQ R8, CX + SHRQ $0x20, CX + ADDQ R15, CX + MOVQ CX, 16(R9) + + // Update match length + MOVQ $0x00000808, CX + BEXTRQ CX, DI, R14 + MOVQ AX, R15 + LEAQ (DX)(R14*1), CX + ROLQ CL, R15 + BZHIQ R14, R15, R15 + MOVQ CX, DX + MOVQ DI, CX + SHRQ $0x20, CX + ADDQ R15, CX + MOVQ CX, 8(R9) + + // Update literal length + MOVQ $0x00000808, CX + BEXTRQ CX, SI, R14 + MOVQ AX, R15 + LEAQ (DX)(R14*1), CX + ROLQ CL, R15 + BZHIQ R14, R15, R15 + MOVQ CX, DX + MOVQ SI, CX + SHRQ $0x20, CX + ADDQ R15, CX + MOVQ CX, (R9) + + // Fill bitreader for state updates + MOVQ R13, (SP) + MOVQ $0x00000808, CX + BEXTRQ CX, R8, R13 + MOVQ ctx+16(FP), CX + CMPQ 96(CX), $0x00 + JZ sequenceDecs_decode_56_bmi2_skip_update + LEAQ (SI)(DI*1), R14 + ADDQ R8, R14 + MOVBQZX R14, R14 + LEAQ (DX)(R14*1), CX + MOVQ AX, R15 + MOVQ CX, DX + ROLQ CL, R15 + BZHIQ R14, R15, R15 + + // Update Offset State + BZHIQ R8, R15, CX + SHRXQ R8, R15, R15 + SHRL $0x10, R8 + ADDQ CX, R8 + + // Load ctx.ofTable + MOVQ ctx+16(FP), CX + MOVQ 48(CX), CX + MOVQ (CX)(R8*8), R8 + + // Update Match Length State + BZHIQ DI, R15, CX + SHRXQ DI, R15, R15 + SHRL $0x10, DI + ADDQ CX, DI + + // Load ctx.mlTable + MOVQ ctx+16(FP), CX + MOVQ 24(CX), CX + MOVQ (CX)(DI*8), DI + + // Update Literal Length State + BZHIQ SI, R15, CX + SHRL $0x10, SI + ADDQ CX, SI + + // Load ctx.llTable + MOVQ ctx+16(FP), CX + MOVQ (CX), CX + MOVQ (CX)(SI*8), SI + +sequenceDecs_decode_56_bmi2_skip_update: + // Adjust offset + MOVQ 16(R9), CX + CMPQ R13, $0x01 + JBE sequenceDecs_decode_56_bmi2_adjust_offsetB_1_or_0 + MOVQ R11, R12 + MOVQ R10, R11 + MOVQ CX, R10 + JMP sequenceDecs_decode_56_bmi2_after_adjust + +sequenceDecs_decode_56_bmi2_adjust_offsetB_1_or_0: + CMPQ (R9), $0x00000000 + JNE sequenceDecs_decode_56_bmi2_adjust_offset_maybezero + INCQ CX + JMP sequenceDecs_decode_56_bmi2_adjust_offset_nonzero + +sequenceDecs_decode_56_bmi2_adjust_offset_maybezero: + TESTQ CX, CX + JNZ sequenceDecs_decode_56_bmi2_adjust_offset_nonzero + MOVQ R10, CX + JMP sequenceDecs_decode_56_bmi2_after_adjust + +sequenceDecs_decode_56_bmi2_adjust_offset_nonzero: + CMPQ CX, $0x01 + JB sequenceDecs_decode_56_bmi2_adjust_zero + JEQ sequenceDecs_decode_56_bmi2_adjust_one + CMPQ CX, $0x02 + JA sequenceDecs_decode_56_bmi2_adjust_three + JMP sequenceDecs_decode_56_bmi2_adjust_two + +sequenceDecs_decode_56_bmi2_adjust_zero: + MOVQ R10, R13 + JMP sequenceDecs_decode_56_bmi2_adjust_test_temp_valid + +sequenceDecs_decode_56_bmi2_adjust_one: + MOVQ R11, R13 + JMP sequenceDecs_decode_56_bmi2_adjust_test_temp_valid + +sequenceDecs_decode_56_bmi2_adjust_two: + MOVQ R12, R13 + JMP sequenceDecs_decode_56_bmi2_adjust_test_temp_valid + +sequenceDecs_decode_56_bmi2_adjust_three: + LEAQ -1(R10), R13 + +sequenceDecs_decode_56_bmi2_adjust_test_temp_valid: + TESTQ R13, R13 + JNZ sequenceDecs_decode_56_bmi2_adjust_temp_valid + MOVQ $0x00000001, R13 + +sequenceDecs_decode_56_bmi2_adjust_temp_valid: + CMPQ CX, $0x01 + CMOVQNE R11, R12 + MOVQ R10, R11 + MOVQ R13, R10 + MOVQ R13, CX + +sequenceDecs_decode_56_bmi2_after_adjust: + MOVQ CX, 16(R9) + + // Check values + MOVQ 8(R9), R13 + MOVQ (R9), R14 + LEAQ (R13)(R14*1), R15 + MOVQ s+0(FP), BP + ADDQ R15, 256(BP) + MOVQ ctx+16(FP), R15 + SUBQ R14, 128(R15) + JS error_not_enough_literals + CMPQ R13, $0x00020002 + JA sequenceDecs_decode_56_bmi2_error_match_len_too_big + TESTQ CX, CX + JNZ sequenceDecs_decode_56_bmi2_match_len_ofs_ok + TESTQ R13, R13 + JNZ sequenceDecs_decode_56_bmi2_error_match_len_ofs_mismatch + +sequenceDecs_decode_56_bmi2_match_len_ofs_ok: + ADDQ $0x18, R9 + MOVQ ctx+16(FP), CX + DECQ 96(CX) + JNS sequenceDecs_decode_56_bmi2_main_loop + MOVQ s+0(FP), CX + MOVQ R10, 144(CX) + MOVQ R11, 152(CX) + MOVQ R12, 160(CX) + MOVQ br+8(FP), CX + MOVQ AX, 24(CX) + MOVB DL, 40(CX) + MOVQ BX, 32(CX) + + // Return success + MOVQ $0x00000000, ret+24(FP) + RET + + // Return with match length error +sequenceDecs_decode_56_bmi2_error_match_len_ofs_mismatch: + MOVQ $0x00000001, ret+24(FP) + RET + + // Return with match too long error +sequenceDecs_decode_56_bmi2_error_match_len_too_big: + MOVQ $0x00000002, ret+24(FP) + RET + + // Return with match offset too long error + MOVQ $0x00000003, ret+24(FP) + RET + + // Return with not enough literals error +error_not_enough_literals: + MOVQ $0x00000004, ret+24(FP) + RET + + // Return with overread error +error_overread: + MOVQ $0x00000006, ret+24(FP) + RET + +// func sequenceDecs_executeSimple_amd64(ctx *executeAsmContext) bool +// Requires: SSE +TEXT ·sequenceDecs_executeSimple_amd64(SB), $8-9 + MOVQ ctx+0(FP), R10 + MOVQ 8(R10), CX + TESTQ CX, CX + JZ empty_seqs + MOVQ (R10), AX + MOVQ 24(R10), DX + MOVQ 32(R10), BX + MOVQ 80(R10), SI + MOVQ 104(R10), DI + MOVQ 120(R10), R8 + MOVQ 56(R10), R9 + MOVQ 64(R10), R10 + ADDQ R10, R9 + + // seqsBase += 24 * seqIndex + LEAQ (DX)(DX*2), R11 + SHLQ $0x03, R11 + ADDQ R11, AX + + // outBase += outPosition + ADDQ DI, BX + +main_loop: + MOVQ (AX), R11 + MOVQ 16(AX), R12 + MOVQ 8(AX), R13 + + // Copy literals + TESTQ R11, R11 + JZ check_offset + XORQ R14, R14 + +copy_1: + MOVUPS (SI)(R14*1), X0 + MOVUPS X0, (BX)(R14*1) + ADDQ $0x10, R14 + CMPQ R14, R11 + JB copy_1 + ADDQ R11, SI + ADDQ R11, BX + ADDQ R11, DI + + // Malformed input if seq.mo > t+len(hist) || seq.mo > s.windowSize) +check_offset: + LEAQ (DI)(R10*1), R11 + CMPQ R12, R11 + JG error_match_off_too_big + CMPQ R12, R8 + JG error_match_off_too_big + + // Copy match from history + MOVQ R12, R11 + SUBQ DI, R11 + JLS copy_match + MOVQ R9, R14 + SUBQ R11, R14 + CMPQ R13, R11 + JG copy_all_from_history + MOVQ R13, R11 + SUBQ $0x10, R11 + JB copy_4_small + +copy_4_loop: + MOVUPS (R14), X0 + MOVUPS X0, (BX) + ADDQ $0x10, R14 + ADDQ $0x10, BX + SUBQ $0x10, R11 + JAE copy_4_loop + LEAQ 16(R14)(R11*1), R14 + LEAQ 16(BX)(R11*1), BX + MOVUPS -16(R14), X0 + MOVUPS X0, -16(BX) + JMP copy_4_end + +copy_4_small: + CMPQ R13, $0x03 + JE copy_4_move_3 + CMPQ R13, $0x08 + JB copy_4_move_4through7 + JMP copy_4_move_8through16 + +copy_4_move_3: + MOVW (R14), R11 + MOVB 2(R14), R12 + MOVW R11, (BX) + MOVB R12, 2(BX) + ADDQ R13, R14 + ADDQ R13, BX + JMP copy_4_end + +copy_4_move_4through7: + MOVL (R14), R11 + MOVL -4(R14)(R13*1), R12 + MOVL R11, (BX) + MOVL R12, -4(BX)(R13*1) + ADDQ R13, R14 + ADDQ R13, BX + JMP copy_4_end + +copy_4_move_8through16: + MOVQ (R14), R11 + MOVQ -8(R14)(R13*1), R12 + MOVQ R11, (BX) + MOVQ R12, -8(BX)(R13*1) + ADDQ R13, R14 + ADDQ R13, BX + +copy_4_end: + ADDQ R13, DI + ADDQ $0x18, AX + INCQ DX + CMPQ DX, CX + JB main_loop + JMP loop_finished + +copy_all_from_history: + MOVQ R11, R15 + SUBQ $0x10, R15 + JB copy_5_small + +copy_5_loop: + MOVUPS (R14), X0 + MOVUPS X0, (BX) + ADDQ $0x10, R14 + ADDQ $0x10, BX + SUBQ $0x10, R15 + JAE copy_5_loop + LEAQ 16(R14)(R15*1), R14 + LEAQ 16(BX)(R15*1), BX + MOVUPS -16(R14), X0 + MOVUPS X0, -16(BX) + JMP copy_5_end + +copy_5_small: + CMPQ R11, $0x03 + JE copy_5_move_3 + JB copy_5_move_1or2 + CMPQ R11, $0x08 + JB copy_5_move_4through7 + JMP copy_5_move_8through16 + +copy_5_move_1or2: + MOVB (R14), R15 + MOVB -1(R14)(R11*1), BP + MOVB R15, (BX) + MOVB BP, -1(BX)(R11*1) + ADDQ R11, R14 + ADDQ R11, BX + JMP copy_5_end + +copy_5_move_3: + MOVW (R14), R15 + MOVB 2(R14), BP + MOVW R15, (BX) + MOVB BP, 2(BX) + ADDQ R11, R14 + ADDQ R11, BX + JMP copy_5_end + +copy_5_move_4through7: + MOVL (R14), R15 + MOVL -4(R14)(R11*1), BP + MOVL R15, (BX) + MOVL BP, -4(BX)(R11*1) + ADDQ R11, R14 + ADDQ R11, BX + JMP copy_5_end + +copy_5_move_8through16: + MOVQ (R14), R15 + MOVQ -8(R14)(R11*1), BP + MOVQ R15, (BX) + MOVQ BP, -8(BX)(R11*1) + ADDQ R11, R14 + ADDQ R11, BX + +copy_5_end: + ADDQ R11, DI + SUBQ R11, R13 + + // Copy match from the current buffer +copy_match: + MOVQ BX, R11 + SUBQ R12, R11 + + // ml <= mo + CMPQ R13, R12 + JA copy_overlapping_match + + // Copy non-overlapping match + ADDQ R13, DI + MOVQ BX, R12 + ADDQ R13, BX + +copy_2: + MOVUPS (R11), X0 + MOVUPS X0, (R12) + ADDQ $0x10, R11 + ADDQ $0x10, R12 + SUBQ $0x10, R13 + JHI copy_2 + JMP handle_loop + + // Copy overlapping match +copy_overlapping_match: + ADDQ R13, DI + +copy_slow_3: + MOVB (R11), R12 + MOVB R12, (BX) + INCQ R11 + INCQ BX + DECQ R13 + JNZ copy_slow_3 + +handle_loop: + ADDQ $0x18, AX + INCQ DX + CMPQ DX, CX + JB main_loop + +loop_finished: + // Return value + MOVB $0x01, ret+8(FP) + + // Update the context + MOVQ ctx+0(FP), AX + MOVQ DX, 24(AX) + MOVQ DI, 104(AX) + SUBQ 80(AX), SI + MOVQ SI, 112(AX) + RET + +error_match_off_too_big: + // Return value + MOVB $0x00, ret+8(FP) + + // Update the context + MOVQ ctx+0(FP), AX + MOVQ DX, 24(AX) + MOVQ DI, 104(AX) + SUBQ 80(AX), SI + MOVQ SI, 112(AX) + RET + +empty_seqs: + // Return value + MOVB $0x01, ret+8(FP) + RET + +// func sequenceDecs_executeSimple_safe_amd64(ctx *executeAsmContext) bool +// Requires: SSE +TEXT ·sequenceDecs_executeSimple_safe_amd64(SB), $8-9 + MOVQ ctx+0(FP), R10 + MOVQ 8(R10), CX + TESTQ CX, CX + JZ empty_seqs + MOVQ (R10), AX + MOVQ 24(R10), DX + MOVQ 32(R10), BX + MOVQ 80(R10), SI + MOVQ 104(R10), DI + MOVQ 120(R10), R8 + MOVQ 56(R10), R9 + MOVQ 64(R10), R10 + ADDQ R10, R9 + + // seqsBase += 24 * seqIndex + LEAQ (DX)(DX*2), R11 + SHLQ $0x03, R11 + ADDQ R11, AX + + // outBase += outPosition + ADDQ DI, BX + +main_loop: + MOVQ (AX), R11 + MOVQ 16(AX), R12 + MOVQ 8(AX), R13 + + // Copy literals + TESTQ R11, R11 + JZ check_offset + MOVQ R11, R14 + SUBQ $0x10, R14 + JB copy_1_small + +copy_1_loop: + MOVUPS (SI), X0 + MOVUPS X0, (BX) + ADDQ $0x10, SI + ADDQ $0x10, BX + SUBQ $0x10, R14 + JAE copy_1_loop + LEAQ 16(SI)(R14*1), SI + LEAQ 16(BX)(R14*1), BX + MOVUPS -16(SI), X0 + MOVUPS X0, -16(BX) + JMP copy_1_end + +copy_1_small: + CMPQ R11, $0x03 + JE copy_1_move_3 + JB copy_1_move_1or2 + CMPQ R11, $0x08 + JB copy_1_move_4through7 + JMP copy_1_move_8through16 + +copy_1_move_1or2: + MOVB (SI), R14 + MOVB -1(SI)(R11*1), R15 + MOVB R14, (BX) + MOVB R15, -1(BX)(R11*1) + ADDQ R11, SI + ADDQ R11, BX + JMP copy_1_end + +copy_1_move_3: + MOVW (SI), R14 + MOVB 2(SI), R15 + MOVW R14, (BX) + MOVB R15, 2(BX) + ADDQ R11, SI + ADDQ R11, BX + JMP copy_1_end + +copy_1_move_4through7: + MOVL (SI), R14 + MOVL -4(SI)(R11*1), R15 + MOVL R14, (BX) + MOVL R15, -4(BX)(R11*1) + ADDQ R11, SI + ADDQ R11, BX + JMP copy_1_end + +copy_1_move_8through16: + MOVQ (SI), R14 + MOVQ -8(SI)(R11*1), R15 + MOVQ R14, (BX) + MOVQ R15, -8(BX)(R11*1) + ADDQ R11, SI + ADDQ R11, BX + +copy_1_end: + ADDQ R11, DI + + // Malformed input if seq.mo > t+len(hist) || seq.mo > s.windowSize) +check_offset: + LEAQ (DI)(R10*1), R11 + CMPQ R12, R11 + JG error_match_off_too_big + CMPQ R12, R8 + JG error_match_off_too_big + + // Copy match from history + MOVQ R12, R11 + SUBQ DI, R11 + JLS copy_match + MOVQ R9, R14 + SUBQ R11, R14 + CMPQ R13, R11 + JG copy_all_from_history + MOVQ R13, R11 + SUBQ $0x10, R11 + JB copy_4_small + +copy_4_loop: + MOVUPS (R14), X0 + MOVUPS X0, (BX) + ADDQ $0x10, R14 + ADDQ $0x10, BX + SUBQ $0x10, R11 + JAE copy_4_loop + LEAQ 16(R14)(R11*1), R14 + LEAQ 16(BX)(R11*1), BX + MOVUPS -16(R14), X0 + MOVUPS X0, -16(BX) + JMP copy_4_end + +copy_4_small: + CMPQ R13, $0x03 + JE copy_4_move_3 + CMPQ R13, $0x08 + JB copy_4_move_4through7 + JMP copy_4_move_8through16 + +copy_4_move_3: + MOVW (R14), R11 + MOVB 2(R14), R12 + MOVW R11, (BX) + MOVB R12, 2(BX) + ADDQ R13, R14 + ADDQ R13, BX + JMP copy_4_end + +copy_4_move_4through7: + MOVL (R14), R11 + MOVL -4(R14)(R13*1), R12 + MOVL R11, (BX) + MOVL R12, -4(BX)(R13*1) + ADDQ R13, R14 + ADDQ R13, BX + JMP copy_4_end + +copy_4_move_8through16: + MOVQ (R14), R11 + MOVQ -8(R14)(R13*1), R12 + MOVQ R11, (BX) + MOVQ R12, -8(BX)(R13*1) + ADDQ R13, R14 + ADDQ R13, BX + +copy_4_end: + ADDQ R13, DI + ADDQ $0x18, AX + INCQ DX + CMPQ DX, CX + JB main_loop + JMP loop_finished + +copy_all_from_history: + MOVQ R11, R15 + SUBQ $0x10, R15 + JB copy_5_small + +copy_5_loop: + MOVUPS (R14), X0 + MOVUPS X0, (BX) + ADDQ $0x10, R14 + ADDQ $0x10, BX + SUBQ $0x10, R15 + JAE copy_5_loop + LEAQ 16(R14)(R15*1), R14 + LEAQ 16(BX)(R15*1), BX + MOVUPS -16(R14), X0 + MOVUPS X0, -16(BX) + JMP copy_5_end + +copy_5_small: + CMPQ R11, $0x03 + JE copy_5_move_3 + JB copy_5_move_1or2 + CMPQ R11, $0x08 + JB copy_5_move_4through7 + JMP copy_5_move_8through16 + +copy_5_move_1or2: + MOVB (R14), R15 + MOVB -1(R14)(R11*1), BP + MOVB R15, (BX) + MOVB BP, -1(BX)(R11*1) + ADDQ R11, R14 + ADDQ R11, BX + JMP copy_5_end + +copy_5_move_3: + MOVW (R14), R15 + MOVB 2(R14), BP + MOVW R15, (BX) + MOVB BP, 2(BX) + ADDQ R11, R14 + ADDQ R11, BX + JMP copy_5_end + +copy_5_move_4through7: + MOVL (R14), R15 + MOVL -4(R14)(R11*1), BP + MOVL R15, (BX) + MOVL BP, -4(BX)(R11*1) + ADDQ R11, R14 + ADDQ R11, BX + JMP copy_5_end + +copy_5_move_8through16: + MOVQ (R14), R15 + MOVQ -8(R14)(R11*1), BP + MOVQ R15, (BX) + MOVQ BP, -8(BX)(R11*1) + ADDQ R11, R14 + ADDQ R11, BX + +copy_5_end: + ADDQ R11, DI + SUBQ R11, R13 + + // Copy match from the current buffer +copy_match: + MOVQ BX, R11 + SUBQ R12, R11 + + // ml <= mo + CMPQ R13, R12 + JA copy_overlapping_match + + // Copy non-overlapping match + ADDQ R13, DI + MOVQ R13, R12 + SUBQ $0x10, R12 + JB copy_2_small + +copy_2_loop: + MOVUPS (R11), X0 + MOVUPS X0, (BX) + ADDQ $0x10, R11 + ADDQ $0x10, BX + SUBQ $0x10, R12 + JAE copy_2_loop + LEAQ 16(R11)(R12*1), R11 + LEAQ 16(BX)(R12*1), BX + MOVUPS -16(R11), X0 + MOVUPS X0, -16(BX) + JMP copy_2_end + +copy_2_small: + CMPQ R13, $0x03 + JE copy_2_move_3 + JB copy_2_move_1or2 + CMPQ R13, $0x08 + JB copy_2_move_4through7 + JMP copy_2_move_8through16 + +copy_2_move_1or2: + MOVB (R11), R12 + MOVB -1(R11)(R13*1), R14 + MOVB R12, (BX) + MOVB R14, -1(BX)(R13*1) + ADDQ R13, R11 + ADDQ R13, BX + JMP copy_2_end + +copy_2_move_3: + MOVW (R11), R12 + MOVB 2(R11), R14 + MOVW R12, (BX) + MOVB R14, 2(BX) + ADDQ R13, R11 + ADDQ R13, BX + JMP copy_2_end + +copy_2_move_4through7: + MOVL (R11), R12 + MOVL -4(R11)(R13*1), R14 + MOVL R12, (BX) + MOVL R14, -4(BX)(R13*1) + ADDQ R13, R11 + ADDQ R13, BX + JMP copy_2_end + +copy_2_move_8through16: + MOVQ (R11), R12 + MOVQ -8(R11)(R13*1), R14 + MOVQ R12, (BX) + MOVQ R14, -8(BX)(R13*1) + ADDQ R13, R11 + ADDQ R13, BX + +copy_2_end: + JMP handle_loop + + // Copy overlapping match +copy_overlapping_match: + ADDQ R13, DI + +copy_slow_3: + MOVB (R11), R12 + MOVB R12, (BX) + INCQ R11 + INCQ BX + DECQ R13 + JNZ copy_slow_3 + +handle_loop: + ADDQ $0x18, AX + INCQ DX + CMPQ DX, CX + JB main_loop + +loop_finished: + // Return value + MOVB $0x01, ret+8(FP) + + // Update the context + MOVQ ctx+0(FP), AX + MOVQ DX, 24(AX) + MOVQ DI, 104(AX) + SUBQ 80(AX), SI + MOVQ SI, 112(AX) + RET + +error_match_off_too_big: + // Return value + MOVB $0x00, ret+8(FP) + + // Update the context + MOVQ ctx+0(FP), AX + MOVQ DX, 24(AX) + MOVQ DI, 104(AX) + SUBQ 80(AX), SI + MOVQ SI, 112(AX) + RET + +empty_seqs: + // Return value + MOVB $0x01, ret+8(FP) + RET + +// func sequenceDecs_decodeSync_amd64(s *sequenceDecs, br *bitReader, ctx *decodeSyncAsmContext) int +// Requires: CMOV, SSE +TEXT ·sequenceDecs_decodeSync_amd64(SB), $64-32 + MOVQ br+8(FP), CX + MOVQ 24(CX), DX + MOVBQZX 40(CX), BX + MOVQ (CX), AX + MOVQ 32(CX), SI + ADDQ SI, AX + MOVQ AX, (SP) + MOVQ ctx+16(FP), AX + MOVQ 72(AX), DI + MOVQ 80(AX), R8 + MOVQ 88(AX), R9 + XORQ CX, CX + MOVQ CX, 8(SP) + MOVQ CX, 16(SP) + MOVQ CX, 24(SP) + MOVQ 112(AX), R10 + MOVQ 128(AX), CX + MOVQ CX, 32(SP) + MOVQ 144(AX), R11 + MOVQ 136(AX), R12 + MOVQ 200(AX), CX + MOVQ CX, 56(SP) + MOVQ 176(AX), CX + MOVQ CX, 48(SP) + MOVQ 184(AX), AX + MOVQ AX, 40(SP) + MOVQ 40(SP), AX + ADDQ AX, 48(SP) + + // Calculate pointer to s.out[cap(s.out)] (a past-end pointer) + ADDQ R10, 32(SP) + + // outBase += outPosition + ADDQ R12, R10 + +sequenceDecs_decodeSync_amd64_main_loop: + MOVQ (SP), R13 + + // Fill bitreader to have enough for the offset and match length. + CMPQ SI, $0x08 + JL sequenceDecs_decodeSync_amd64_fill_byte_by_byte + MOVQ BX, AX + SHRQ $0x03, AX + SUBQ AX, R13 + MOVQ (R13), DX + SUBQ AX, SI + ANDQ $0x07, BX + JMP sequenceDecs_decodeSync_amd64_fill_end + +sequenceDecs_decodeSync_amd64_fill_byte_by_byte: + CMPQ SI, $0x00 + JLE sequenceDecs_decodeSync_amd64_fill_check_overread + CMPQ BX, $0x07 + JLE sequenceDecs_decodeSync_amd64_fill_end + SHLQ $0x08, DX + SUBQ $0x01, R13 + SUBQ $0x01, SI + SUBQ $0x08, BX + MOVBQZX (R13), AX + ORQ AX, DX + JMP sequenceDecs_decodeSync_amd64_fill_byte_by_byte + +sequenceDecs_decodeSync_amd64_fill_check_overread: + CMPQ BX, $0x40 + JA error_overread + +sequenceDecs_decodeSync_amd64_fill_end: + // Update offset + MOVQ R9, AX + MOVQ BX, CX + MOVQ DX, R14 + SHLQ CL, R14 + MOVB AH, CL + SHRQ $0x20, AX + TESTQ CX, CX + JZ sequenceDecs_decodeSync_amd64_of_update_zero + ADDQ CX, BX + CMPQ BX, $0x40 + JA sequenceDecs_decodeSync_amd64_of_update_zero + CMPQ CX, $0x40 + JAE sequenceDecs_decodeSync_amd64_of_update_zero + NEGQ CX + SHRQ CL, R14 + ADDQ R14, AX + +sequenceDecs_decodeSync_amd64_of_update_zero: + MOVQ AX, 8(SP) + + // Update match length + MOVQ R8, AX + MOVQ BX, CX + MOVQ DX, R14 + SHLQ CL, R14 + MOVB AH, CL + SHRQ $0x20, AX + TESTQ CX, CX + JZ sequenceDecs_decodeSync_amd64_ml_update_zero + ADDQ CX, BX + CMPQ BX, $0x40 + JA sequenceDecs_decodeSync_amd64_ml_update_zero + CMPQ CX, $0x40 + JAE sequenceDecs_decodeSync_amd64_ml_update_zero + NEGQ CX + SHRQ CL, R14 + ADDQ R14, AX + +sequenceDecs_decodeSync_amd64_ml_update_zero: + MOVQ AX, 16(SP) + + // Fill bitreader to have enough for the remaining + CMPQ SI, $0x08 + JL sequenceDecs_decodeSync_amd64_fill_2_byte_by_byte + MOVQ BX, AX + SHRQ $0x03, AX + SUBQ AX, R13 + MOVQ (R13), DX + SUBQ AX, SI + ANDQ $0x07, BX + JMP sequenceDecs_decodeSync_amd64_fill_2_end + +sequenceDecs_decodeSync_amd64_fill_2_byte_by_byte: + CMPQ SI, $0x00 + JLE sequenceDecs_decodeSync_amd64_fill_2_check_overread + CMPQ BX, $0x07 + JLE sequenceDecs_decodeSync_amd64_fill_2_end + SHLQ $0x08, DX + SUBQ $0x01, R13 + SUBQ $0x01, SI + SUBQ $0x08, BX + MOVBQZX (R13), AX + ORQ AX, DX + JMP sequenceDecs_decodeSync_amd64_fill_2_byte_by_byte + +sequenceDecs_decodeSync_amd64_fill_2_check_overread: + CMPQ BX, $0x40 + JA error_overread + +sequenceDecs_decodeSync_amd64_fill_2_end: + // Update literal length + MOVQ DI, AX + MOVQ BX, CX + MOVQ DX, R14 + SHLQ CL, R14 + MOVB AH, CL + SHRQ $0x20, AX + TESTQ CX, CX + JZ sequenceDecs_decodeSync_amd64_ll_update_zero + ADDQ CX, BX + CMPQ BX, $0x40 + JA sequenceDecs_decodeSync_amd64_ll_update_zero + CMPQ CX, $0x40 + JAE sequenceDecs_decodeSync_amd64_ll_update_zero + NEGQ CX + SHRQ CL, R14 + ADDQ R14, AX + +sequenceDecs_decodeSync_amd64_ll_update_zero: + MOVQ AX, 24(SP) + + // Fill bitreader for state updates + MOVQ R13, (SP) + MOVQ R9, AX + SHRQ $0x08, AX + MOVBQZX AL, AX + MOVQ ctx+16(FP), CX + CMPQ 96(CX), $0x00 + JZ sequenceDecs_decodeSync_amd64_skip_update + + // Update Literal Length State + MOVBQZX DI, R13 + SHRL $0x10, DI + LEAQ (BX)(R13*1), CX + MOVQ DX, R14 + MOVQ CX, BX + ROLQ CL, R14 + MOVL $0x00000001, R15 + MOVB R13, CL + SHLL CL, R15 + DECL R15 + ANDQ R15, R14 + ADDQ R14, DI + + // Load ctx.llTable + MOVQ ctx+16(FP), CX + MOVQ (CX), CX + MOVQ (CX)(DI*8), DI + + // Update Match Length State + MOVBQZX R8, R13 + SHRL $0x10, R8 + LEAQ (BX)(R13*1), CX + MOVQ DX, R14 + MOVQ CX, BX + ROLQ CL, R14 + MOVL $0x00000001, R15 + MOVB R13, CL + SHLL CL, R15 + DECL R15 + ANDQ R15, R14 + ADDQ R14, R8 + + // Load ctx.mlTable + MOVQ ctx+16(FP), CX + MOVQ 24(CX), CX + MOVQ (CX)(R8*8), R8 + + // Update Offset State + MOVBQZX R9, R13 + SHRL $0x10, R9 + LEAQ (BX)(R13*1), CX + MOVQ DX, R14 + MOVQ CX, BX + ROLQ CL, R14 + MOVL $0x00000001, R15 + MOVB R13, CL + SHLL CL, R15 + DECL R15 + ANDQ R15, R14 + ADDQ R14, R9 + + // Load ctx.ofTable + MOVQ ctx+16(FP), CX + MOVQ 48(CX), CX + MOVQ (CX)(R9*8), R9 + +sequenceDecs_decodeSync_amd64_skip_update: + // Adjust offset + MOVQ s+0(FP), CX + MOVQ 8(SP), R13 + CMPQ AX, $0x01 + JBE sequenceDecs_decodeSync_amd64_adjust_offsetB_1_or_0 + MOVUPS 144(CX), X0 + MOVQ R13, 144(CX) + MOVUPS X0, 152(CX) + JMP sequenceDecs_decodeSync_amd64_after_adjust + +sequenceDecs_decodeSync_amd64_adjust_offsetB_1_or_0: + CMPQ 24(SP), $0x00000000 + JNE sequenceDecs_decodeSync_amd64_adjust_offset_maybezero + INCQ R13 + JMP sequenceDecs_decodeSync_amd64_adjust_offset_nonzero + +sequenceDecs_decodeSync_amd64_adjust_offset_maybezero: + TESTQ R13, R13 + JNZ sequenceDecs_decodeSync_amd64_adjust_offset_nonzero + MOVQ 144(CX), R13 + JMP sequenceDecs_decodeSync_amd64_after_adjust + +sequenceDecs_decodeSync_amd64_adjust_offset_nonzero: + MOVQ R13, AX + XORQ R14, R14 + MOVQ $-1, R15 + CMPQ R13, $0x03 + CMOVQEQ R14, AX + CMOVQEQ R15, R14 + ADDQ 144(CX)(AX*8), R14 + JNZ sequenceDecs_decodeSync_amd64_adjust_temp_valid + MOVQ $0x00000001, R14 + +sequenceDecs_decodeSync_amd64_adjust_temp_valid: + CMPQ R13, $0x01 + JZ sequenceDecs_decodeSync_amd64_adjust_skip + MOVQ 152(CX), AX + MOVQ AX, 160(CX) + +sequenceDecs_decodeSync_amd64_adjust_skip: + MOVQ 144(CX), AX + MOVQ AX, 152(CX) + MOVQ R14, 144(CX) + MOVQ R14, R13 + +sequenceDecs_decodeSync_amd64_after_adjust: + MOVQ R13, 8(SP) + + // Check values + MOVQ 16(SP), AX + MOVQ 24(SP), CX + LEAQ (AX)(CX*1), R14 + MOVQ s+0(FP), R15 + ADDQ R14, 256(R15) + MOVQ ctx+16(FP), R14 + SUBQ CX, 104(R14) + JS error_not_enough_literals + CMPQ AX, $0x00020002 + JA sequenceDecs_decodeSync_amd64_error_match_len_too_big + TESTQ R13, R13 + JNZ sequenceDecs_decodeSync_amd64_match_len_ofs_ok + TESTQ AX, AX + JNZ sequenceDecs_decodeSync_amd64_error_match_len_ofs_mismatch + +sequenceDecs_decodeSync_amd64_match_len_ofs_ok: + MOVQ 24(SP), AX + MOVQ 8(SP), CX + MOVQ 16(SP), R13 + + // Check if we have enough space in s.out + LEAQ (AX)(R13*1), R14 + ADDQ R10, R14 + CMPQ R14, 32(SP) + JA error_not_enough_space + + // Copy literals + TESTQ AX, AX + JZ check_offset + XORQ R14, R14 + +copy_1: + MOVUPS (R11)(R14*1), X0 + MOVUPS X0, (R10)(R14*1) + ADDQ $0x10, R14 + CMPQ R14, AX + JB copy_1 + ADDQ AX, R11 + ADDQ AX, R10 + ADDQ AX, R12 + + // Malformed input if seq.mo > t+len(hist) || seq.mo > s.windowSize) +check_offset: + MOVQ R12, AX + ADDQ 40(SP), AX + CMPQ CX, AX + JG error_match_off_too_big + CMPQ CX, 56(SP) + JG error_match_off_too_big + + // Copy match from history + MOVQ CX, AX + SUBQ R12, AX + JLS copy_match + MOVQ 48(SP), R14 + SUBQ AX, R14 + CMPQ R13, AX + JG copy_all_from_history + MOVQ R13, AX + SUBQ $0x10, AX + JB copy_4_small + +copy_4_loop: + MOVUPS (R14), X0 + MOVUPS X0, (R10) + ADDQ $0x10, R14 + ADDQ $0x10, R10 + SUBQ $0x10, AX + JAE copy_4_loop + LEAQ 16(R14)(AX*1), R14 + LEAQ 16(R10)(AX*1), R10 + MOVUPS -16(R14), X0 + MOVUPS X0, -16(R10) + JMP copy_4_end + +copy_4_small: + CMPQ R13, $0x03 + JE copy_4_move_3 + CMPQ R13, $0x08 + JB copy_4_move_4through7 + JMP copy_4_move_8through16 + +copy_4_move_3: + MOVW (R14), AX + MOVB 2(R14), CL + MOVW AX, (R10) + MOVB CL, 2(R10) + ADDQ R13, R14 + ADDQ R13, R10 + JMP copy_4_end + +copy_4_move_4through7: + MOVL (R14), AX + MOVL -4(R14)(R13*1), CX + MOVL AX, (R10) + MOVL CX, -4(R10)(R13*1) + ADDQ R13, R14 + ADDQ R13, R10 + JMP copy_4_end + +copy_4_move_8through16: + MOVQ (R14), AX + MOVQ -8(R14)(R13*1), CX + MOVQ AX, (R10) + MOVQ CX, -8(R10)(R13*1) + ADDQ R13, R14 + ADDQ R13, R10 + +copy_4_end: + ADDQ R13, R12 + JMP handle_loop + JMP loop_finished + +copy_all_from_history: + MOVQ AX, R15 + SUBQ $0x10, R15 + JB copy_5_small + +copy_5_loop: + MOVUPS (R14), X0 + MOVUPS X0, (R10) + ADDQ $0x10, R14 + ADDQ $0x10, R10 + SUBQ $0x10, R15 + JAE copy_5_loop + LEAQ 16(R14)(R15*1), R14 + LEAQ 16(R10)(R15*1), R10 + MOVUPS -16(R14), X0 + MOVUPS X0, -16(R10) + JMP copy_5_end + +copy_5_small: + CMPQ AX, $0x03 + JE copy_5_move_3 + JB copy_5_move_1or2 + CMPQ AX, $0x08 + JB copy_5_move_4through7 + JMP copy_5_move_8through16 + +copy_5_move_1or2: + MOVB (R14), R15 + MOVB -1(R14)(AX*1), BP + MOVB R15, (R10) + MOVB BP, -1(R10)(AX*1) + ADDQ AX, R14 + ADDQ AX, R10 + JMP copy_5_end + +copy_5_move_3: + MOVW (R14), R15 + MOVB 2(R14), BP + MOVW R15, (R10) + MOVB BP, 2(R10) + ADDQ AX, R14 + ADDQ AX, R10 + JMP copy_5_end + +copy_5_move_4through7: + MOVL (R14), R15 + MOVL -4(R14)(AX*1), BP + MOVL R15, (R10) + MOVL BP, -4(R10)(AX*1) + ADDQ AX, R14 + ADDQ AX, R10 + JMP copy_5_end + +copy_5_move_8through16: + MOVQ (R14), R15 + MOVQ -8(R14)(AX*1), BP + MOVQ R15, (R10) + MOVQ BP, -8(R10)(AX*1) + ADDQ AX, R14 + ADDQ AX, R10 + +copy_5_end: + ADDQ AX, R12 + SUBQ AX, R13 + + // Copy match from the current buffer +copy_match: + MOVQ R10, AX + SUBQ CX, AX + + // ml <= mo + CMPQ R13, CX + JA copy_overlapping_match + + // Copy non-overlapping match + ADDQ R13, R12 + MOVQ R10, CX + ADDQ R13, R10 + +copy_2: + MOVUPS (AX), X0 + MOVUPS X0, (CX) + ADDQ $0x10, AX + ADDQ $0x10, CX + SUBQ $0x10, R13 + JHI copy_2 + JMP handle_loop + + // Copy overlapping match +copy_overlapping_match: + ADDQ R13, R12 + +copy_slow_3: + MOVB (AX), CL + MOVB CL, (R10) + INCQ AX + INCQ R10 + DECQ R13 + JNZ copy_slow_3 + +handle_loop: + MOVQ ctx+16(FP), AX + DECQ 96(AX) + JNS sequenceDecs_decodeSync_amd64_main_loop + +loop_finished: + MOVQ br+8(FP), AX + MOVQ DX, 24(AX) + MOVB BL, 40(AX) + MOVQ SI, 32(AX) + + // Update the context + MOVQ ctx+16(FP), AX + MOVQ R12, 136(AX) + MOVQ 144(AX), CX + SUBQ CX, R11 + MOVQ R11, 168(AX) + + // Return success + MOVQ $0x00000000, ret+24(FP) + RET + + // Return with match length error +sequenceDecs_decodeSync_amd64_error_match_len_ofs_mismatch: + MOVQ 16(SP), AX + MOVQ ctx+16(FP), CX + MOVQ AX, 216(CX) + MOVQ $0x00000001, ret+24(FP) + RET + + // Return with match too long error +sequenceDecs_decodeSync_amd64_error_match_len_too_big: + MOVQ ctx+16(FP), AX + MOVQ 16(SP), CX + MOVQ CX, 216(AX) + MOVQ $0x00000002, ret+24(FP) + RET + + // Return with match offset too long error +error_match_off_too_big: + MOVQ ctx+16(FP), AX + MOVQ 8(SP), CX + MOVQ CX, 224(AX) + MOVQ R12, 136(AX) + MOVQ $0x00000003, ret+24(FP) + RET + + // Return with not enough literals error +error_not_enough_literals: + MOVQ ctx+16(FP), AX + MOVQ 24(SP), CX + MOVQ CX, 208(AX) + MOVQ $0x00000004, ret+24(FP) + RET + + // Return with overread error +error_overread: + MOVQ $0x00000006, ret+24(FP) + RET + + // Return with not enough output space error +error_not_enough_space: + MOVQ ctx+16(FP), AX + MOVQ 24(SP), CX + MOVQ CX, 208(AX) + MOVQ 16(SP), CX + MOVQ CX, 216(AX) + MOVQ R12, 136(AX) + MOVQ $0x00000005, ret+24(FP) + RET + +// func sequenceDecs_decodeSync_bmi2(s *sequenceDecs, br *bitReader, ctx *decodeSyncAsmContext) int +// Requires: BMI, BMI2, CMOV, SSE +TEXT ·sequenceDecs_decodeSync_bmi2(SB), $64-32 + MOVQ br+8(FP), BX + MOVQ 24(BX), AX + MOVBQZX 40(BX), DX + MOVQ (BX), CX + MOVQ 32(BX), BX + ADDQ BX, CX + MOVQ CX, (SP) + MOVQ ctx+16(FP), CX + MOVQ 72(CX), SI + MOVQ 80(CX), DI + MOVQ 88(CX), R8 + XORQ R9, R9 + MOVQ R9, 8(SP) + MOVQ R9, 16(SP) + MOVQ R9, 24(SP) + MOVQ 112(CX), R9 + MOVQ 128(CX), R10 + MOVQ R10, 32(SP) + MOVQ 144(CX), R10 + MOVQ 136(CX), R11 + MOVQ 200(CX), R12 + MOVQ R12, 56(SP) + MOVQ 176(CX), R12 + MOVQ R12, 48(SP) + MOVQ 184(CX), CX + MOVQ CX, 40(SP) + MOVQ 40(SP), CX + ADDQ CX, 48(SP) + + // Calculate pointer to s.out[cap(s.out)] (a past-end pointer) + ADDQ R9, 32(SP) + + // outBase += outPosition + ADDQ R11, R9 + +sequenceDecs_decodeSync_bmi2_main_loop: + MOVQ (SP), R12 + + // Fill bitreader to have enough for the offset and match length. + CMPQ BX, $0x08 + JL sequenceDecs_decodeSync_bmi2_fill_byte_by_byte + MOVQ DX, CX + SHRQ $0x03, CX + SUBQ CX, R12 + MOVQ (R12), AX + SUBQ CX, BX + ANDQ $0x07, DX + JMP sequenceDecs_decodeSync_bmi2_fill_end + +sequenceDecs_decodeSync_bmi2_fill_byte_by_byte: + CMPQ BX, $0x00 + JLE sequenceDecs_decodeSync_bmi2_fill_check_overread + CMPQ DX, $0x07 + JLE sequenceDecs_decodeSync_bmi2_fill_end + SHLQ $0x08, AX + SUBQ $0x01, R12 + SUBQ $0x01, BX + SUBQ $0x08, DX + MOVBQZX (R12), CX + ORQ CX, AX + JMP sequenceDecs_decodeSync_bmi2_fill_byte_by_byte + +sequenceDecs_decodeSync_bmi2_fill_check_overread: + CMPQ DX, $0x40 + JA error_overread + +sequenceDecs_decodeSync_bmi2_fill_end: + // Update offset + MOVQ $0x00000808, CX + BEXTRQ CX, R8, R13 + MOVQ AX, R14 + LEAQ (DX)(R13*1), CX + ROLQ CL, R14 + BZHIQ R13, R14, R14 + MOVQ CX, DX + MOVQ R8, CX + SHRQ $0x20, CX + ADDQ R14, CX + MOVQ CX, 8(SP) + + // Update match length + MOVQ $0x00000808, CX + BEXTRQ CX, DI, R13 + MOVQ AX, R14 + LEAQ (DX)(R13*1), CX + ROLQ CL, R14 + BZHIQ R13, R14, R14 + MOVQ CX, DX + MOVQ DI, CX + SHRQ $0x20, CX + ADDQ R14, CX + MOVQ CX, 16(SP) + + // Fill bitreader to have enough for the remaining + CMPQ BX, $0x08 + JL sequenceDecs_decodeSync_bmi2_fill_2_byte_by_byte + MOVQ DX, CX + SHRQ $0x03, CX + SUBQ CX, R12 + MOVQ (R12), AX + SUBQ CX, BX + ANDQ $0x07, DX + JMP sequenceDecs_decodeSync_bmi2_fill_2_end + +sequenceDecs_decodeSync_bmi2_fill_2_byte_by_byte: + CMPQ BX, $0x00 + JLE sequenceDecs_decodeSync_bmi2_fill_2_check_overread + CMPQ DX, $0x07 + JLE sequenceDecs_decodeSync_bmi2_fill_2_end + SHLQ $0x08, AX + SUBQ $0x01, R12 + SUBQ $0x01, BX + SUBQ $0x08, DX + MOVBQZX (R12), CX + ORQ CX, AX + JMP sequenceDecs_decodeSync_bmi2_fill_2_byte_by_byte + +sequenceDecs_decodeSync_bmi2_fill_2_check_overread: + CMPQ DX, $0x40 + JA error_overread + +sequenceDecs_decodeSync_bmi2_fill_2_end: + // Update literal length + MOVQ $0x00000808, CX + BEXTRQ CX, SI, R13 + MOVQ AX, R14 + LEAQ (DX)(R13*1), CX + ROLQ CL, R14 + BZHIQ R13, R14, R14 + MOVQ CX, DX + MOVQ SI, CX + SHRQ $0x20, CX + ADDQ R14, CX + MOVQ CX, 24(SP) + + // Fill bitreader for state updates + MOVQ R12, (SP) + MOVQ $0x00000808, CX + BEXTRQ CX, R8, R12 + MOVQ ctx+16(FP), CX + CMPQ 96(CX), $0x00 + JZ sequenceDecs_decodeSync_bmi2_skip_update + LEAQ (SI)(DI*1), R13 + ADDQ R8, R13 + MOVBQZX R13, R13 + LEAQ (DX)(R13*1), CX + MOVQ AX, R14 + MOVQ CX, DX + ROLQ CL, R14 + BZHIQ R13, R14, R14 + + // Update Offset State + BZHIQ R8, R14, CX + SHRXQ R8, R14, R14 + SHRL $0x10, R8 + ADDQ CX, R8 + + // Load ctx.ofTable + MOVQ ctx+16(FP), CX + MOVQ 48(CX), CX + MOVQ (CX)(R8*8), R8 + + // Update Match Length State + BZHIQ DI, R14, CX + SHRXQ DI, R14, R14 + SHRL $0x10, DI + ADDQ CX, DI + + // Load ctx.mlTable + MOVQ ctx+16(FP), CX + MOVQ 24(CX), CX + MOVQ (CX)(DI*8), DI + + // Update Literal Length State + BZHIQ SI, R14, CX + SHRL $0x10, SI + ADDQ CX, SI + + // Load ctx.llTable + MOVQ ctx+16(FP), CX + MOVQ (CX), CX + MOVQ (CX)(SI*8), SI + +sequenceDecs_decodeSync_bmi2_skip_update: + // Adjust offset + MOVQ s+0(FP), CX + MOVQ 8(SP), R13 + CMPQ R12, $0x01 + JBE sequenceDecs_decodeSync_bmi2_adjust_offsetB_1_or_0 + MOVUPS 144(CX), X0 + MOVQ R13, 144(CX) + MOVUPS X0, 152(CX) + JMP sequenceDecs_decodeSync_bmi2_after_adjust + +sequenceDecs_decodeSync_bmi2_adjust_offsetB_1_or_0: + CMPQ 24(SP), $0x00000000 + JNE sequenceDecs_decodeSync_bmi2_adjust_offset_maybezero + INCQ R13 + JMP sequenceDecs_decodeSync_bmi2_adjust_offset_nonzero + +sequenceDecs_decodeSync_bmi2_adjust_offset_maybezero: + TESTQ R13, R13 + JNZ sequenceDecs_decodeSync_bmi2_adjust_offset_nonzero + MOVQ 144(CX), R13 + JMP sequenceDecs_decodeSync_bmi2_after_adjust + +sequenceDecs_decodeSync_bmi2_adjust_offset_nonzero: + MOVQ R13, R12 + XORQ R14, R14 + MOVQ $-1, R15 + CMPQ R13, $0x03 + CMOVQEQ R14, R12 + CMOVQEQ R15, R14 + ADDQ 144(CX)(R12*8), R14 + JNZ sequenceDecs_decodeSync_bmi2_adjust_temp_valid + MOVQ $0x00000001, R14 + +sequenceDecs_decodeSync_bmi2_adjust_temp_valid: + CMPQ R13, $0x01 + JZ sequenceDecs_decodeSync_bmi2_adjust_skip + MOVQ 152(CX), R12 + MOVQ R12, 160(CX) + +sequenceDecs_decodeSync_bmi2_adjust_skip: + MOVQ 144(CX), R12 + MOVQ R12, 152(CX) + MOVQ R14, 144(CX) + MOVQ R14, R13 + +sequenceDecs_decodeSync_bmi2_after_adjust: + MOVQ R13, 8(SP) + + // Check values + MOVQ 16(SP), CX + MOVQ 24(SP), R12 + LEAQ (CX)(R12*1), R14 + MOVQ s+0(FP), R15 + ADDQ R14, 256(R15) + MOVQ ctx+16(FP), R14 + SUBQ R12, 104(R14) + JS error_not_enough_literals + CMPQ CX, $0x00020002 + JA sequenceDecs_decodeSync_bmi2_error_match_len_too_big + TESTQ R13, R13 + JNZ sequenceDecs_decodeSync_bmi2_match_len_ofs_ok + TESTQ CX, CX + JNZ sequenceDecs_decodeSync_bmi2_error_match_len_ofs_mismatch + +sequenceDecs_decodeSync_bmi2_match_len_ofs_ok: + MOVQ 24(SP), CX + MOVQ 8(SP), R12 + MOVQ 16(SP), R13 + + // Check if we have enough space in s.out + LEAQ (CX)(R13*1), R14 + ADDQ R9, R14 + CMPQ R14, 32(SP) + JA error_not_enough_space + + // Copy literals + TESTQ CX, CX + JZ check_offset + XORQ R14, R14 + +copy_1: + MOVUPS (R10)(R14*1), X0 + MOVUPS X0, (R9)(R14*1) + ADDQ $0x10, R14 + CMPQ R14, CX + JB copy_1 + ADDQ CX, R10 + ADDQ CX, R9 + ADDQ CX, R11 + + // Malformed input if seq.mo > t+len(hist) || seq.mo > s.windowSize) +check_offset: + MOVQ R11, CX + ADDQ 40(SP), CX + CMPQ R12, CX + JG error_match_off_too_big + CMPQ R12, 56(SP) + JG error_match_off_too_big + + // Copy match from history + MOVQ R12, CX + SUBQ R11, CX + JLS copy_match + MOVQ 48(SP), R14 + SUBQ CX, R14 + CMPQ R13, CX + JG copy_all_from_history + MOVQ R13, CX + SUBQ $0x10, CX + JB copy_4_small + +copy_4_loop: + MOVUPS (R14), X0 + MOVUPS X0, (R9) + ADDQ $0x10, R14 + ADDQ $0x10, R9 + SUBQ $0x10, CX + JAE copy_4_loop + LEAQ 16(R14)(CX*1), R14 + LEAQ 16(R9)(CX*1), R9 + MOVUPS -16(R14), X0 + MOVUPS X0, -16(R9) + JMP copy_4_end + +copy_4_small: + CMPQ R13, $0x03 + JE copy_4_move_3 + CMPQ R13, $0x08 + JB copy_4_move_4through7 + JMP copy_4_move_8through16 + +copy_4_move_3: + MOVW (R14), CX + MOVB 2(R14), R12 + MOVW CX, (R9) + MOVB R12, 2(R9) + ADDQ R13, R14 + ADDQ R13, R9 + JMP copy_4_end + +copy_4_move_4through7: + MOVL (R14), CX + MOVL -4(R14)(R13*1), R12 + MOVL CX, (R9) + MOVL R12, -4(R9)(R13*1) + ADDQ R13, R14 + ADDQ R13, R9 + JMP copy_4_end + +copy_4_move_8through16: + MOVQ (R14), CX + MOVQ -8(R14)(R13*1), R12 + MOVQ CX, (R9) + MOVQ R12, -8(R9)(R13*1) + ADDQ R13, R14 + ADDQ R13, R9 + +copy_4_end: + ADDQ R13, R11 + JMP handle_loop + JMP loop_finished + +copy_all_from_history: + MOVQ CX, R15 + SUBQ $0x10, R15 + JB copy_5_small + +copy_5_loop: + MOVUPS (R14), X0 + MOVUPS X0, (R9) + ADDQ $0x10, R14 + ADDQ $0x10, R9 + SUBQ $0x10, R15 + JAE copy_5_loop + LEAQ 16(R14)(R15*1), R14 + LEAQ 16(R9)(R15*1), R9 + MOVUPS -16(R14), X0 + MOVUPS X0, -16(R9) + JMP copy_5_end + +copy_5_small: + CMPQ CX, $0x03 + JE copy_5_move_3 + JB copy_5_move_1or2 + CMPQ CX, $0x08 + JB copy_5_move_4through7 + JMP copy_5_move_8through16 + +copy_5_move_1or2: + MOVB (R14), R15 + MOVB -1(R14)(CX*1), BP + MOVB R15, (R9) + MOVB BP, -1(R9)(CX*1) + ADDQ CX, R14 + ADDQ CX, R9 + JMP copy_5_end + +copy_5_move_3: + MOVW (R14), R15 + MOVB 2(R14), BP + MOVW R15, (R9) + MOVB BP, 2(R9) + ADDQ CX, R14 + ADDQ CX, R9 + JMP copy_5_end + +copy_5_move_4through7: + MOVL (R14), R15 + MOVL -4(R14)(CX*1), BP + MOVL R15, (R9) + MOVL BP, -4(R9)(CX*1) + ADDQ CX, R14 + ADDQ CX, R9 + JMP copy_5_end + +copy_5_move_8through16: + MOVQ (R14), R15 + MOVQ -8(R14)(CX*1), BP + MOVQ R15, (R9) + MOVQ BP, -8(R9)(CX*1) + ADDQ CX, R14 + ADDQ CX, R9 + +copy_5_end: + ADDQ CX, R11 + SUBQ CX, R13 + + // Copy match from the current buffer +copy_match: + MOVQ R9, CX + SUBQ R12, CX + + // ml <= mo + CMPQ R13, R12 + JA copy_overlapping_match + + // Copy non-overlapping match + ADDQ R13, R11 + MOVQ R9, R12 + ADDQ R13, R9 + +copy_2: + MOVUPS (CX), X0 + MOVUPS X0, (R12) + ADDQ $0x10, CX + ADDQ $0x10, R12 + SUBQ $0x10, R13 + JHI copy_2 + JMP handle_loop + + // Copy overlapping match +copy_overlapping_match: + ADDQ R13, R11 + +copy_slow_3: + MOVB (CX), R12 + MOVB R12, (R9) + INCQ CX + INCQ R9 + DECQ R13 + JNZ copy_slow_3 + +handle_loop: + MOVQ ctx+16(FP), CX + DECQ 96(CX) + JNS sequenceDecs_decodeSync_bmi2_main_loop + +loop_finished: + MOVQ br+8(FP), CX + MOVQ AX, 24(CX) + MOVB DL, 40(CX) + MOVQ BX, 32(CX) + + // Update the context + MOVQ ctx+16(FP), AX + MOVQ R11, 136(AX) + MOVQ 144(AX), CX + SUBQ CX, R10 + MOVQ R10, 168(AX) + + // Return success + MOVQ $0x00000000, ret+24(FP) + RET + + // Return with match length error +sequenceDecs_decodeSync_bmi2_error_match_len_ofs_mismatch: + MOVQ 16(SP), AX + MOVQ ctx+16(FP), CX + MOVQ AX, 216(CX) + MOVQ $0x00000001, ret+24(FP) + RET + + // Return with match too long error +sequenceDecs_decodeSync_bmi2_error_match_len_too_big: + MOVQ ctx+16(FP), AX + MOVQ 16(SP), CX + MOVQ CX, 216(AX) + MOVQ $0x00000002, ret+24(FP) + RET + + // Return with match offset too long error +error_match_off_too_big: + MOVQ ctx+16(FP), AX + MOVQ 8(SP), CX + MOVQ CX, 224(AX) + MOVQ R11, 136(AX) + MOVQ $0x00000003, ret+24(FP) + RET + + // Return with not enough literals error +error_not_enough_literals: + MOVQ ctx+16(FP), AX + MOVQ 24(SP), CX + MOVQ CX, 208(AX) + MOVQ $0x00000004, ret+24(FP) + RET + + // Return with overread error +error_overread: + MOVQ $0x00000006, ret+24(FP) + RET + + // Return with not enough output space error +error_not_enough_space: + MOVQ ctx+16(FP), AX + MOVQ 24(SP), CX + MOVQ CX, 208(AX) + MOVQ 16(SP), CX + MOVQ CX, 216(AX) + MOVQ R11, 136(AX) + MOVQ $0x00000005, ret+24(FP) + RET + +// func sequenceDecs_decodeSync_safe_amd64(s *sequenceDecs, br *bitReader, ctx *decodeSyncAsmContext) int +// Requires: CMOV, SSE +TEXT ·sequenceDecs_decodeSync_safe_amd64(SB), $64-32 + MOVQ br+8(FP), CX + MOVQ 24(CX), DX + MOVBQZX 40(CX), BX + MOVQ (CX), AX + MOVQ 32(CX), SI + ADDQ SI, AX + MOVQ AX, (SP) + MOVQ ctx+16(FP), AX + MOVQ 72(AX), DI + MOVQ 80(AX), R8 + MOVQ 88(AX), R9 + XORQ CX, CX + MOVQ CX, 8(SP) + MOVQ CX, 16(SP) + MOVQ CX, 24(SP) + MOVQ 112(AX), R10 + MOVQ 128(AX), CX + MOVQ CX, 32(SP) + MOVQ 144(AX), R11 + MOVQ 136(AX), R12 + MOVQ 200(AX), CX + MOVQ CX, 56(SP) + MOVQ 176(AX), CX + MOVQ CX, 48(SP) + MOVQ 184(AX), AX + MOVQ AX, 40(SP) + MOVQ 40(SP), AX + ADDQ AX, 48(SP) + + // Calculate pointer to s.out[cap(s.out)] (a past-end pointer) + ADDQ R10, 32(SP) + + // outBase += outPosition + ADDQ R12, R10 + +sequenceDecs_decodeSync_safe_amd64_main_loop: + MOVQ (SP), R13 + + // Fill bitreader to have enough for the offset and match length. + CMPQ SI, $0x08 + JL sequenceDecs_decodeSync_safe_amd64_fill_byte_by_byte + MOVQ BX, AX + SHRQ $0x03, AX + SUBQ AX, R13 + MOVQ (R13), DX + SUBQ AX, SI + ANDQ $0x07, BX + JMP sequenceDecs_decodeSync_safe_amd64_fill_end + +sequenceDecs_decodeSync_safe_amd64_fill_byte_by_byte: + CMPQ SI, $0x00 + JLE sequenceDecs_decodeSync_safe_amd64_fill_check_overread + CMPQ BX, $0x07 + JLE sequenceDecs_decodeSync_safe_amd64_fill_end + SHLQ $0x08, DX + SUBQ $0x01, R13 + SUBQ $0x01, SI + SUBQ $0x08, BX + MOVBQZX (R13), AX + ORQ AX, DX + JMP sequenceDecs_decodeSync_safe_amd64_fill_byte_by_byte + +sequenceDecs_decodeSync_safe_amd64_fill_check_overread: + CMPQ BX, $0x40 + JA error_overread + +sequenceDecs_decodeSync_safe_amd64_fill_end: + // Update offset + MOVQ R9, AX + MOVQ BX, CX + MOVQ DX, R14 + SHLQ CL, R14 + MOVB AH, CL + SHRQ $0x20, AX + TESTQ CX, CX + JZ sequenceDecs_decodeSync_safe_amd64_of_update_zero + ADDQ CX, BX + CMPQ BX, $0x40 + JA sequenceDecs_decodeSync_safe_amd64_of_update_zero + CMPQ CX, $0x40 + JAE sequenceDecs_decodeSync_safe_amd64_of_update_zero + NEGQ CX + SHRQ CL, R14 + ADDQ R14, AX + +sequenceDecs_decodeSync_safe_amd64_of_update_zero: + MOVQ AX, 8(SP) + + // Update match length + MOVQ R8, AX + MOVQ BX, CX + MOVQ DX, R14 + SHLQ CL, R14 + MOVB AH, CL + SHRQ $0x20, AX + TESTQ CX, CX + JZ sequenceDecs_decodeSync_safe_amd64_ml_update_zero + ADDQ CX, BX + CMPQ BX, $0x40 + JA sequenceDecs_decodeSync_safe_amd64_ml_update_zero + CMPQ CX, $0x40 + JAE sequenceDecs_decodeSync_safe_amd64_ml_update_zero + NEGQ CX + SHRQ CL, R14 + ADDQ R14, AX + +sequenceDecs_decodeSync_safe_amd64_ml_update_zero: + MOVQ AX, 16(SP) + + // Fill bitreader to have enough for the remaining + CMPQ SI, $0x08 + JL sequenceDecs_decodeSync_safe_amd64_fill_2_byte_by_byte + MOVQ BX, AX + SHRQ $0x03, AX + SUBQ AX, R13 + MOVQ (R13), DX + SUBQ AX, SI + ANDQ $0x07, BX + JMP sequenceDecs_decodeSync_safe_amd64_fill_2_end + +sequenceDecs_decodeSync_safe_amd64_fill_2_byte_by_byte: + CMPQ SI, $0x00 + JLE sequenceDecs_decodeSync_safe_amd64_fill_2_check_overread + CMPQ BX, $0x07 + JLE sequenceDecs_decodeSync_safe_amd64_fill_2_end + SHLQ $0x08, DX + SUBQ $0x01, R13 + SUBQ $0x01, SI + SUBQ $0x08, BX + MOVBQZX (R13), AX + ORQ AX, DX + JMP sequenceDecs_decodeSync_safe_amd64_fill_2_byte_by_byte + +sequenceDecs_decodeSync_safe_amd64_fill_2_check_overread: + CMPQ BX, $0x40 + JA error_overread + +sequenceDecs_decodeSync_safe_amd64_fill_2_end: + // Update literal length + MOVQ DI, AX + MOVQ BX, CX + MOVQ DX, R14 + SHLQ CL, R14 + MOVB AH, CL + SHRQ $0x20, AX + TESTQ CX, CX + JZ sequenceDecs_decodeSync_safe_amd64_ll_update_zero + ADDQ CX, BX + CMPQ BX, $0x40 + JA sequenceDecs_decodeSync_safe_amd64_ll_update_zero + CMPQ CX, $0x40 + JAE sequenceDecs_decodeSync_safe_amd64_ll_update_zero + NEGQ CX + SHRQ CL, R14 + ADDQ R14, AX + +sequenceDecs_decodeSync_safe_amd64_ll_update_zero: + MOVQ AX, 24(SP) + + // Fill bitreader for state updates + MOVQ R13, (SP) + MOVQ R9, AX + SHRQ $0x08, AX + MOVBQZX AL, AX + MOVQ ctx+16(FP), CX + CMPQ 96(CX), $0x00 + JZ sequenceDecs_decodeSync_safe_amd64_skip_update + + // Update Literal Length State + MOVBQZX DI, R13 + SHRL $0x10, DI + LEAQ (BX)(R13*1), CX + MOVQ DX, R14 + MOVQ CX, BX + ROLQ CL, R14 + MOVL $0x00000001, R15 + MOVB R13, CL + SHLL CL, R15 + DECL R15 + ANDQ R15, R14 + ADDQ R14, DI + + // Load ctx.llTable + MOVQ ctx+16(FP), CX + MOVQ (CX), CX + MOVQ (CX)(DI*8), DI + + // Update Match Length State + MOVBQZX R8, R13 + SHRL $0x10, R8 + LEAQ (BX)(R13*1), CX + MOVQ DX, R14 + MOVQ CX, BX + ROLQ CL, R14 + MOVL $0x00000001, R15 + MOVB R13, CL + SHLL CL, R15 + DECL R15 + ANDQ R15, R14 + ADDQ R14, R8 + + // Load ctx.mlTable + MOVQ ctx+16(FP), CX + MOVQ 24(CX), CX + MOVQ (CX)(R8*8), R8 + + // Update Offset State + MOVBQZX R9, R13 + SHRL $0x10, R9 + LEAQ (BX)(R13*1), CX + MOVQ DX, R14 + MOVQ CX, BX + ROLQ CL, R14 + MOVL $0x00000001, R15 + MOVB R13, CL + SHLL CL, R15 + DECL R15 + ANDQ R15, R14 + ADDQ R14, R9 + + // Load ctx.ofTable + MOVQ ctx+16(FP), CX + MOVQ 48(CX), CX + MOVQ (CX)(R9*8), R9 + +sequenceDecs_decodeSync_safe_amd64_skip_update: + // Adjust offset + MOVQ s+0(FP), CX + MOVQ 8(SP), R13 + CMPQ AX, $0x01 + JBE sequenceDecs_decodeSync_safe_amd64_adjust_offsetB_1_or_0 + MOVUPS 144(CX), X0 + MOVQ R13, 144(CX) + MOVUPS X0, 152(CX) + JMP sequenceDecs_decodeSync_safe_amd64_after_adjust + +sequenceDecs_decodeSync_safe_amd64_adjust_offsetB_1_or_0: + CMPQ 24(SP), $0x00000000 + JNE sequenceDecs_decodeSync_safe_amd64_adjust_offset_maybezero + INCQ R13 + JMP sequenceDecs_decodeSync_safe_amd64_adjust_offset_nonzero + +sequenceDecs_decodeSync_safe_amd64_adjust_offset_maybezero: + TESTQ R13, R13 + JNZ sequenceDecs_decodeSync_safe_amd64_adjust_offset_nonzero + MOVQ 144(CX), R13 + JMP sequenceDecs_decodeSync_safe_amd64_after_adjust + +sequenceDecs_decodeSync_safe_amd64_adjust_offset_nonzero: + MOVQ R13, AX + XORQ R14, R14 + MOVQ $-1, R15 + CMPQ R13, $0x03 + CMOVQEQ R14, AX + CMOVQEQ R15, R14 + ADDQ 144(CX)(AX*8), R14 + JNZ sequenceDecs_decodeSync_safe_amd64_adjust_temp_valid + MOVQ $0x00000001, R14 + +sequenceDecs_decodeSync_safe_amd64_adjust_temp_valid: + CMPQ R13, $0x01 + JZ sequenceDecs_decodeSync_safe_amd64_adjust_skip + MOVQ 152(CX), AX + MOVQ AX, 160(CX) + +sequenceDecs_decodeSync_safe_amd64_adjust_skip: + MOVQ 144(CX), AX + MOVQ AX, 152(CX) + MOVQ R14, 144(CX) + MOVQ R14, R13 + +sequenceDecs_decodeSync_safe_amd64_after_adjust: + MOVQ R13, 8(SP) + + // Check values + MOVQ 16(SP), AX + MOVQ 24(SP), CX + LEAQ (AX)(CX*1), R14 + MOVQ s+0(FP), R15 + ADDQ R14, 256(R15) + MOVQ ctx+16(FP), R14 + SUBQ CX, 104(R14) + JS error_not_enough_literals + CMPQ AX, $0x00020002 + JA sequenceDecs_decodeSync_safe_amd64_error_match_len_too_big + TESTQ R13, R13 + JNZ sequenceDecs_decodeSync_safe_amd64_match_len_ofs_ok + TESTQ AX, AX + JNZ sequenceDecs_decodeSync_safe_amd64_error_match_len_ofs_mismatch + +sequenceDecs_decodeSync_safe_amd64_match_len_ofs_ok: + MOVQ 24(SP), AX + MOVQ 8(SP), CX + MOVQ 16(SP), R13 + + // Check if we have enough space in s.out + LEAQ (AX)(R13*1), R14 + ADDQ R10, R14 + CMPQ R14, 32(SP) + JA error_not_enough_space + + // Copy literals + TESTQ AX, AX + JZ check_offset + MOVQ AX, R14 + SUBQ $0x10, R14 + JB copy_1_small + +copy_1_loop: + MOVUPS (R11), X0 + MOVUPS X0, (R10) + ADDQ $0x10, R11 + ADDQ $0x10, R10 + SUBQ $0x10, R14 + JAE copy_1_loop + LEAQ 16(R11)(R14*1), R11 + LEAQ 16(R10)(R14*1), R10 + MOVUPS -16(R11), X0 + MOVUPS X0, -16(R10) + JMP copy_1_end + +copy_1_small: + CMPQ AX, $0x03 + JE copy_1_move_3 + JB copy_1_move_1or2 + CMPQ AX, $0x08 + JB copy_1_move_4through7 + JMP copy_1_move_8through16 + +copy_1_move_1or2: + MOVB (R11), R14 + MOVB -1(R11)(AX*1), R15 + MOVB R14, (R10) + MOVB R15, -1(R10)(AX*1) + ADDQ AX, R11 + ADDQ AX, R10 + JMP copy_1_end + +copy_1_move_3: + MOVW (R11), R14 + MOVB 2(R11), R15 + MOVW R14, (R10) + MOVB R15, 2(R10) + ADDQ AX, R11 + ADDQ AX, R10 + JMP copy_1_end + +copy_1_move_4through7: + MOVL (R11), R14 + MOVL -4(R11)(AX*1), R15 + MOVL R14, (R10) + MOVL R15, -4(R10)(AX*1) + ADDQ AX, R11 + ADDQ AX, R10 + JMP copy_1_end + +copy_1_move_8through16: + MOVQ (R11), R14 + MOVQ -8(R11)(AX*1), R15 + MOVQ R14, (R10) + MOVQ R15, -8(R10)(AX*1) + ADDQ AX, R11 + ADDQ AX, R10 + +copy_1_end: + ADDQ AX, R12 + + // Malformed input if seq.mo > t+len(hist) || seq.mo > s.windowSize) +check_offset: + MOVQ R12, AX + ADDQ 40(SP), AX + CMPQ CX, AX + JG error_match_off_too_big + CMPQ CX, 56(SP) + JG error_match_off_too_big + + // Copy match from history + MOVQ CX, AX + SUBQ R12, AX + JLS copy_match + MOVQ 48(SP), R14 + SUBQ AX, R14 + CMPQ R13, AX + JG copy_all_from_history + MOVQ R13, AX + SUBQ $0x10, AX + JB copy_4_small + +copy_4_loop: + MOVUPS (R14), X0 + MOVUPS X0, (R10) + ADDQ $0x10, R14 + ADDQ $0x10, R10 + SUBQ $0x10, AX + JAE copy_4_loop + LEAQ 16(R14)(AX*1), R14 + LEAQ 16(R10)(AX*1), R10 + MOVUPS -16(R14), X0 + MOVUPS X0, -16(R10) + JMP copy_4_end + +copy_4_small: + CMPQ R13, $0x03 + JE copy_4_move_3 + CMPQ R13, $0x08 + JB copy_4_move_4through7 + JMP copy_4_move_8through16 + +copy_4_move_3: + MOVW (R14), AX + MOVB 2(R14), CL + MOVW AX, (R10) + MOVB CL, 2(R10) + ADDQ R13, R14 + ADDQ R13, R10 + JMP copy_4_end + +copy_4_move_4through7: + MOVL (R14), AX + MOVL -4(R14)(R13*1), CX + MOVL AX, (R10) + MOVL CX, -4(R10)(R13*1) + ADDQ R13, R14 + ADDQ R13, R10 + JMP copy_4_end + +copy_4_move_8through16: + MOVQ (R14), AX + MOVQ -8(R14)(R13*1), CX + MOVQ AX, (R10) + MOVQ CX, -8(R10)(R13*1) + ADDQ R13, R14 + ADDQ R13, R10 + +copy_4_end: + ADDQ R13, R12 + JMP handle_loop + JMP loop_finished + +copy_all_from_history: + MOVQ AX, R15 + SUBQ $0x10, R15 + JB copy_5_small + +copy_5_loop: + MOVUPS (R14), X0 + MOVUPS X0, (R10) + ADDQ $0x10, R14 + ADDQ $0x10, R10 + SUBQ $0x10, R15 + JAE copy_5_loop + LEAQ 16(R14)(R15*1), R14 + LEAQ 16(R10)(R15*1), R10 + MOVUPS -16(R14), X0 + MOVUPS X0, -16(R10) + JMP copy_5_end + +copy_5_small: + CMPQ AX, $0x03 + JE copy_5_move_3 + JB copy_5_move_1or2 + CMPQ AX, $0x08 + JB copy_5_move_4through7 + JMP copy_5_move_8through16 + +copy_5_move_1or2: + MOVB (R14), R15 + MOVB -1(R14)(AX*1), BP + MOVB R15, (R10) + MOVB BP, -1(R10)(AX*1) + ADDQ AX, R14 + ADDQ AX, R10 + JMP copy_5_end + +copy_5_move_3: + MOVW (R14), R15 + MOVB 2(R14), BP + MOVW R15, (R10) + MOVB BP, 2(R10) + ADDQ AX, R14 + ADDQ AX, R10 + JMP copy_5_end + +copy_5_move_4through7: + MOVL (R14), R15 + MOVL -4(R14)(AX*1), BP + MOVL R15, (R10) + MOVL BP, -4(R10)(AX*1) + ADDQ AX, R14 + ADDQ AX, R10 + JMP copy_5_end + +copy_5_move_8through16: + MOVQ (R14), R15 + MOVQ -8(R14)(AX*1), BP + MOVQ R15, (R10) + MOVQ BP, -8(R10)(AX*1) + ADDQ AX, R14 + ADDQ AX, R10 + +copy_5_end: + ADDQ AX, R12 + SUBQ AX, R13 + + // Copy match from the current buffer +copy_match: + MOVQ R10, AX + SUBQ CX, AX + + // ml <= mo + CMPQ R13, CX + JA copy_overlapping_match + + // Copy non-overlapping match + ADDQ R13, R12 + MOVQ R13, CX + SUBQ $0x10, CX + JB copy_2_small + +copy_2_loop: + MOVUPS (AX), X0 + MOVUPS X0, (R10) + ADDQ $0x10, AX + ADDQ $0x10, R10 + SUBQ $0x10, CX + JAE copy_2_loop + LEAQ 16(AX)(CX*1), AX + LEAQ 16(R10)(CX*1), R10 + MOVUPS -16(AX), X0 + MOVUPS X0, -16(R10) + JMP copy_2_end + +copy_2_small: + CMPQ R13, $0x03 + JE copy_2_move_3 + JB copy_2_move_1or2 + CMPQ R13, $0x08 + JB copy_2_move_4through7 + JMP copy_2_move_8through16 + +copy_2_move_1or2: + MOVB (AX), CL + MOVB -1(AX)(R13*1), R14 + MOVB CL, (R10) + MOVB R14, -1(R10)(R13*1) + ADDQ R13, AX + ADDQ R13, R10 + JMP copy_2_end + +copy_2_move_3: + MOVW (AX), CX + MOVB 2(AX), R14 + MOVW CX, (R10) + MOVB R14, 2(R10) + ADDQ R13, AX + ADDQ R13, R10 + JMP copy_2_end + +copy_2_move_4through7: + MOVL (AX), CX + MOVL -4(AX)(R13*1), R14 + MOVL CX, (R10) + MOVL R14, -4(R10)(R13*1) + ADDQ R13, AX + ADDQ R13, R10 + JMP copy_2_end + +copy_2_move_8through16: + MOVQ (AX), CX + MOVQ -8(AX)(R13*1), R14 + MOVQ CX, (R10) + MOVQ R14, -8(R10)(R13*1) + ADDQ R13, AX + ADDQ R13, R10 + +copy_2_end: + JMP handle_loop + + // Copy overlapping match +copy_overlapping_match: + ADDQ R13, R12 + +copy_slow_3: + MOVB (AX), CL + MOVB CL, (R10) + INCQ AX + INCQ R10 + DECQ R13 + JNZ copy_slow_3 + +handle_loop: + MOVQ ctx+16(FP), AX + DECQ 96(AX) + JNS sequenceDecs_decodeSync_safe_amd64_main_loop + +loop_finished: + MOVQ br+8(FP), AX + MOVQ DX, 24(AX) + MOVB BL, 40(AX) + MOVQ SI, 32(AX) + + // Update the context + MOVQ ctx+16(FP), AX + MOVQ R12, 136(AX) + MOVQ 144(AX), CX + SUBQ CX, R11 + MOVQ R11, 168(AX) + + // Return success + MOVQ $0x00000000, ret+24(FP) + RET + + // Return with match length error +sequenceDecs_decodeSync_safe_amd64_error_match_len_ofs_mismatch: + MOVQ 16(SP), AX + MOVQ ctx+16(FP), CX + MOVQ AX, 216(CX) + MOVQ $0x00000001, ret+24(FP) + RET + + // Return with match too long error +sequenceDecs_decodeSync_safe_amd64_error_match_len_too_big: + MOVQ ctx+16(FP), AX + MOVQ 16(SP), CX + MOVQ CX, 216(AX) + MOVQ $0x00000002, ret+24(FP) + RET + + // Return with match offset too long error +error_match_off_too_big: + MOVQ ctx+16(FP), AX + MOVQ 8(SP), CX + MOVQ CX, 224(AX) + MOVQ R12, 136(AX) + MOVQ $0x00000003, ret+24(FP) + RET + + // Return with not enough literals error +error_not_enough_literals: + MOVQ ctx+16(FP), AX + MOVQ 24(SP), CX + MOVQ CX, 208(AX) + MOVQ $0x00000004, ret+24(FP) + RET + + // Return with overread error +error_overread: + MOVQ $0x00000006, ret+24(FP) + RET + + // Return with not enough output space error +error_not_enough_space: + MOVQ ctx+16(FP), AX + MOVQ 24(SP), CX + MOVQ CX, 208(AX) + MOVQ 16(SP), CX + MOVQ CX, 216(AX) + MOVQ R12, 136(AX) + MOVQ $0x00000005, ret+24(FP) + RET + +// func sequenceDecs_decodeSync_safe_bmi2(s *sequenceDecs, br *bitReader, ctx *decodeSyncAsmContext) int +// Requires: BMI, BMI2, CMOV, SSE +TEXT ·sequenceDecs_decodeSync_safe_bmi2(SB), $64-32 + MOVQ br+8(FP), BX + MOVQ 24(BX), AX + MOVBQZX 40(BX), DX + MOVQ (BX), CX + MOVQ 32(BX), BX + ADDQ BX, CX + MOVQ CX, (SP) + MOVQ ctx+16(FP), CX + MOVQ 72(CX), SI + MOVQ 80(CX), DI + MOVQ 88(CX), R8 + XORQ R9, R9 + MOVQ R9, 8(SP) + MOVQ R9, 16(SP) + MOVQ R9, 24(SP) + MOVQ 112(CX), R9 + MOVQ 128(CX), R10 + MOVQ R10, 32(SP) + MOVQ 144(CX), R10 + MOVQ 136(CX), R11 + MOVQ 200(CX), R12 + MOVQ R12, 56(SP) + MOVQ 176(CX), R12 + MOVQ R12, 48(SP) + MOVQ 184(CX), CX + MOVQ CX, 40(SP) + MOVQ 40(SP), CX + ADDQ CX, 48(SP) + + // Calculate pointer to s.out[cap(s.out)] (a past-end pointer) + ADDQ R9, 32(SP) + + // outBase += outPosition + ADDQ R11, R9 + +sequenceDecs_decodeSync_safe_bmi2_main_loop: + MOVQ (SP), R12 + + // Fill bitreader to have enough for the offset and match length. + CMPQ BX, $0x08 + JL sequenceDecs_decodeSync_safe_bmi2_fill_byte_by_byte + MOVQ DX, CX + SHRQ $0x03, CX + SUBQ CX, R12 + MOVQ (R12), AX + SUBQ CX, BX + ANDQ $0x07, DX + JMP sequenceDecs_decodeSync_safe_bmi2_fill_end + +sequenceDecs_decodeSync_safe_bmi2_fill_byte_by_byte: + CMPQ BX, $0x00 + JLE sequenceDecs_decodeSync_safe_bmi2_fill_check_overread + CMPQ DX, $0x07 + JLE sequenceDecs_decodeSync_safe_bmi2_fill_end + SHLQ $0x08, AX + SUBQ $0x01, R12 + SUBQ $0x01, BX + SUBQ $0x08, DX + MOVBQZX (R12), CX + ORQ CX, AX + JMP sequenceDecs_decodeSync_safe_bmi2_fill_byte_by_byte + +sequenceDecs_decodeSync_safe_bmi2_fill_check_overread: + CMPQ DX, $0x40 + JA error_overread + +sequenceDecs_decodeSync_safe_bmi2_fill_end: + // Update offset + MOVQ $0x00000808, CX + BEXTRQ CX, R8, R13 + MOVQ AX, R14 + LEAQ (DX)(R13*1), CX + ROLQ CL, R14 + BZHIQ R13, R14, R14 + MOVQ CX, DX + MOVQ R8, CX + SHRQ $0x20, CX + ADDQ R14, CX + MOVQ CX, 8(SP) + + // Update match length + MOVQ $0x00000808, CX + BEXTRQ CX, DI, R13 + MOVQ AX, R14 + LEAQ (DX)(R13*1), CX + ROLQ CL, R14 + BZHIQ R13, R14, R14 + MOVQ CX, DX + MOVQ DI, CX + SHRQ $0x20, CX + ADDQ R14, CX + MOVQ CX, 16(SP) + + // Fill bitreader to have enough for the remaining + CMPQ BX, $0x08 + JL sequenceDecs_decodeSync_safe_bmi2_fill_2_byte_by_byte + MOVQ DX, CX + SHRQ $0x03, CX + SUBQ CX, R12 + MOVQ (R12), AX + SUBQ CX, BX + ANDQ $0x07, DX + JMP sequenceDecs_decodeSync_safe_bmi2_fill_2_end + +sequenceDecs_decodeSync_safe_bmi2_fill_2_byte_by_byte: + CMPQ BX, $0x00 + JLE sequenceDecs_decodeSync_safe_bmi2_fill_2_check_overread + CMPQ DX, $0x07 + JLE sequenceDecs_decodeSync_safe_bmi2_fill_2_end + SHLQ $0x08, AX + SUBQ $0x01, R12 + SUBQ $0x01, BX + SUBQ $0x08, DX + MOVBQZX (R12), CX + ORQ CX, AX + JMP sequenceDecs_decodeSync_safe_bmi2_fill_2_byte_by_byte + +sequenceDecs_decodeSync_safe_bmi2_fill_2_check_overread: + CMPQ DX, $0x40 + JA error_overread + +sequenceDecs_decodeSync_safe_bmi2_fill_2_end: + // Update literal length + MOVQ $0x00000808, CX + BEXTRQ CX, SI, R13 + MOVQ AX, R14 + LEAQ (DX)(R13*1), CX + ROLQ CL, R14 + BZHIQ R13, R14, R14 + MOVQ CX, DX + MOVQ SI, CX + SHRQ $0x20, CX + ADDQ R14, CX + MOVQ CX, 24(SP) + + // Fill bitreader for state updates + MOVQ R12, (SP) + MOVQ $0x00000808, CX + BEXTRQ CX, R8, R12 + MOVQ ctx+16(FP), CX + CMPQ 96(CX), $0x00 + JZ sequenceDecs_decodeSync_safe_bmi2_skip_update + LEAQ (SI)(DI*1), R13 + ADDQ R8, R13 + MOVBQZX R13, R13 + LEAQ (DX)(R13*1), CX + MOVQ AX, R14 + MOVQ CX, DX + ROLQ CL, R14 + BZHIQ R13, R14, R14 + + // Update Offset State + BZHIQ R8, R14, CX + SHRXQ R8, R14, R14 + SHRL $0x10, R8 + ADDQ CX, R8 + + // Load ctx.ofTable + MOVQ ctx+16(FP), CX + MOVQ 48(CX), CX + MOVQ (CX)(R8*8), R8 + + // Update Match Length State + BZHIQ DI, R14, CX + SHRXQ DI, R14, R14 + SHRL $0x10, DI + ADDQ CX, DI + + // Load ctx.mlTable + MOVQ ctx+16(FP), CX + MOVQ 24(CX), CX + MOVQ (CX)(DI*8), DI + + // Update Literal Length State + BZHIQ SI, R14, CX + SHRL $0x10, SI + ADDQ CX, SI + + // Load ctx.llTable + MOVQ ctx+16(FP), CX + MOVQ (CX), CX + MOVQ (CX)(SI*8), SI + +sequenceDecs_decodeSync_safe_bmi2_skip_update: + // Adjust offset + MOVQ s+0(FP), CX + MOVQ 8(SP), R13 + CMPQ R12, $0x01 + JBE sequenceDecs_decodeSync_safe_bmi2_adjust_offsetB_1_or_0 + MOVUPS 144(CX), X0 + MOVQ R13, 144(CX) + MOVUPS X0, 152(CX) + JMP sequenceDecs_decodeSync_safe_bmi2_after_adjust + +sequenceDecs_decodeSync_safe_bmi2_adjust_offsetB_1_or_0: + CMPQ 24(SP), $0x00000000 + JNE sequenceDecs_decodeSync_safe_bmi2_adjust_offset_maybezero + INCQ R13 + JMP sequenceDecs_decodeSync_safe_bmi2_adjust_offset_nonzero + +sequenceDecs_decodeSync_safe_bmi2_adjust_offset_maybezero: + TESTQ R13, R13 + JNZ sequenceDecs_decodeSync_safe_bmi2_adjust_offset_nonzero + MOVQ 144(CX), R13 + JMP sequenceDecs_decodeSync_safe_bmi2_after_adjust + +sequenceDecs_decodeSync_safe_bmi2_adjust_offset_nonzero: + MOVQ R13, R12 + XORQ R14, R14 + MOVQ $-1, R15 + CMPQ R13, $0x03 + CMOVQEQ R14, R12 + CMOVQEQ R15, R14 + ADDQ 144(CX)(R12*8), R14 + JNZ sequenceDecs_decodeSync_safe_bmi2_adjust_temp_valid + MOVQ $0x00000001, R14 + +sequenceDecs_decodeSync_safe_bmi2_adjust_temp_valid: + CMPQ R13, $0x01 + JZ sequenceDecs_decodeSync_safe_bmi2_adjust_skip + MOVQ 152(CX), R12 + MOVQ R12, 160(CX) + +sequenceDecs_decodeSync_safe_bmi2_adjust_skip: + MOVQ 144(CX), R12 + MOVQ R12, 152(CX) + MOVQ R14, 144(CX) + MOVQ R14, R13 + +sequenceDecs_decodeSync_safe_bmi2_after_adjust: + MOVQ R13, 8(SP) + + // Check values + MOVQ 16(SP), CX + MOVQ 24(SP), R12 + LEAQ (CX)(R12*1), R14 + MOVQ s+0(FP), R15 + ADDQ R14, 256(R15) + MOVQ ctx+16(FP), R14 + SUBQ R12, 104(R14) + JS error_not_enough_literals + CMPQ CX, $0x00020002 + JA sequenceDecs_decodeSync_safe_bmi2_error_match_len_too_big + TESTQ R13, R13 + JNZ sequenceDecs_decodeSync_safe_bmi2_match_len_ofs_ok + TESTQ CX, CX + JNZ sequenceDecs_decodeSync_safe_bmi2_error_match_len_ofs_mismatch + +sequenceDecs_decodeSync_safe_bmi2_match_len_ofs_ok: + MOVQ 24(SP), CX + MOVQ 8(SP), R12 + MOVQ 16(SP), R13 + + // Check if we have enough space in s.out + LEAQ (CX)(R13*1), R14 + ADDQ R9, R14 + CMPQ R14, 32(SP) + JA error_not_enough_space + + // Copy literals + TESTQ CX, CX + JZ check_offset + MOVQ CX, R14 + SUBQ $0x10, R14 + JB copy_1_small + +copy_1_loop: + MOVUPS (R10), X0 + MOVUPS X0, (R9) + ADDQ $0x10, R10 + ADDQ $0x10, R9 + SUBQ $0x10, R14 + JAE copy_1_loop + LEAQ 16(R10)(R14*1), R10 + LEAQ 16(R9)(R14*1), R9 + MOVUPS -16(R10), X0 + MOVUPS X0, -16(R9) + JMP copy_1_end + +copy_1_small: + CMPQ CX, $0x03 + JE copy_1_move_3 + JB copy_1_move_1or2 + CMPQ CX, $0x08 + JB copy_1_move_4through7 + JMP copy_1_move_8through16 + +copy_1_move_1or2: + MOVB (R10), R14 + MOVB -1(R10)(CX*1), R15 + MOVB R14, (R9) + MOVB R15, -1(R9)(CX*1) + ADDQ CX, R10 + ADDQ CX, R9 + JMP copy_1_end + +copy_1_move_3: + MOVW (R10), R14 + MOVB 2(R10), R15 + MOVW R14, (R9) + MOVB R15, 2(R9) + ADDQ CX, R10 + ADDQ CX, R9 + JMP copy_1_end + +copy_1_move_4through7: + MOVL (R10), R14 + MOVL -4(R10)(CX*1), R15 + MOVL R14, (R9) + MOVL R15, -4(R9)(CX*1) + ADDQ CX, R10 + ADDQ CX, R9 + JMP copy_1_end + +copy_1_move_8through16: + MOVQ (R10), R14 + MOVQ -8(R10)(CX*1), R15 + MOVQ R14, (R9) + MOVQ R15, -8(R9)(CX*1) + ADDQ CX, R10 + ADDQ CX, R9 + +copy_1_end: + ADDQ CX, R11 + + // Malformed input if seq.mo > t+len(hist) || seq.mo > s.windowSize) +check_offset: + MOVQ R11, CX + ADDQ 40(SP), CX + CMPQ R12, CX + JG error_match_off_too_big + CMPQ R12, 56(SP) + JG error_match_off_too_big + + // Copy match from history + MOVQ R12, CX + SUBQ R11, CX + JLS copy_match + MOVQ 48(SP), R14 + SUBQ CX, R14 + CMPQ R13, CX + JG copy_all_from_history + MOVQ R13, CX + SUBQ $0x10, CX + JB copy_4_small + +copy_4_loop: + MOVUPS (R14), X0 + MOVUPS X0, (R9) + ADDQ $0x10, R14 + ADDQ $0x10, R9 + SUBQ $0x10, CX + JAE copy_4_loop + LEAQ 16(R14)(CX*1), R14 + LEAQ 16(R9)(CX*1), R9 + MOVUPS -16(R14), X0 + MOVUPS X0, -16(R9) + JMP copy_4_end + +copy_4_small: + CMPQ R13, $0x03 + JE copy_4_move_3 + CMPQ R13, $0x08 + JB copy_4_move_4through7 + JMP copy_4_move_8through16 + +copy_4_move_3: + MOVW (R14), CX + MOVB 2(R14), R12 + MOVW CX, (R9) + MOVB R12, 2(R9) + ADDQ R13, R14 + ADDQ R13, R9 + JMP copy_4_end + +copy_4_move_4through7: + MOVL (R14), CX + MOVL -4(R14)(R13*1), R12 + MOVL CX, (R9) + MOVL R12, -4(R9)(R13*1) + ADDQ R13, R14 + ADDQ R13, R9 + JMP copy_4_end + +copy_4_move_8through16: + MOVQ (R14), CX + MOVQ -8(R14)(R13*1), R12 + MOVQ CX, (R9) + MOVQ R12, -8(R9)(R13*1) + ADDQ R13, R14 + ADDQ R13, R9 + +copy_4_end: + ADDQ R13, R11 + JMP handle_loop + JMP loop_finished + +copy_all_from_history: + MOVQ CX, R15 + SUBQ $0x10, R15 + JB copy_5_small + +copy_5_loop: + MOVUPS (R14), X0 + MOVUPS X0, (R9) + ADDQ $0x10, R14 + ADDQ $0x10, R9 + SUBQ $0x10, R15 + JAE copy_5_loop + LEAQ 16(R14)(R15*1), R14 + LEAQ 16(R9)(R15*1), R9 + MOVUPS -16(R14), X0 + MOVUPS X0, -16(R9) + JMP copy_5_end + +copy_5_small: + CMPQ CX, $0x03 + JE copy_5_move_3 + JB copy_5_move_1or2 + CMPQ CX, $0x08 + JB copy_5_move_4through7 + JMP copy_5_move_8through16 + +copy_5_move_1or2: + MOVB (R14), R15 + MOVB -1(R14)(CX*1), BP + MOVB R15, (R9) + MOVB BP, -1(R9)(CX*1) + ADDQ CX, R14 + ADDQ CX, R9 + JMP copy_5_end + +copy_5_move_3: + MOVW (R14), R15 + MOVB 2(R14), BP + MOVW R15, (R9) + MOVB BP, 2(R9) + ADDQ CX, R14 + ADDQ CX, R9 + JMP copy_5_end + +copy_5_move_4through7: + MOVL (R14), R15 + MOVL -4(R14)(CX*1), BP + MOVL R15, (R9) + MOVL BP, -4(R9)(CX*1) + ADDQ CX, R14 + ADDQ CX, R9 + JMP copy_5_end + +copy_5_move_8through16: + MOVQ (R14), R15 + MOVQ -8(R14)(CX*1), BP + MOVQ R15, (R9) + MOVQ BP, -8(R9)(CX*1) + ADDQ CX, R14 + ADDQ CX, R9 + +copy_5_end: + ADDQ CX, R11 + SUBQ CX, R13 + + // Copy match from the current buffer +copy_match: + MOVQ R9, CX + SUBQ R12, CX + + // ml <= mo + CMPQ R13, R12 + JA copy_overlapping_match + + // Copy non-overlapping match + ADDQ R13, R11 + MOVQ R13, R12 + SUBQ $0x10, R12 + JB copy_2_small + +copy_2_loop: + MOVUPS (CX), X0 + MOVUPS X0, (R9) + ADDQ $0x10, CX + ADDQ $0x10, R9 + SUBQ $0x10, R12 + JAE copy_2_loop + LEAQ 16(CX)(R12*1), CX + LEAQ 16(R9)(R12*1), R9 + MOVUPS -16(CX), X0 + MOVUPS X0, -16(R9) + JMP copy_2_end + +copy_2_small: + CMPQ R13, $0x03 + JE copy_2_move_3 + JB copy_2_move_1or2 + CMPQ R13, $0x08 + JB copy_2_move_4through7 + JMP copy_2_move_8through16 + +copy_2_move_1or2: + MOVB (CX), R12 + MOVB -1(CX)(R13*1), R14 + MOVB R12, (R9) + MOVB R14, -1(R9)(R13*1) + ADDQ R13, CX + ADDQ R13, R9 + JMP copy_2_end + +copy_2_move_3: + MOVW (CX), R12 + MOVB 2(CX), R14 + MOVW R12, (R9) + MOVB R14, 2(R9) + ADDQ R13, CX + ADDQ R13, R9 + JMP copy_2_end + +copy_2_move_4through7: + MOVL (CX), R12 + MOVL -4(CX)(R13*1), R14 + MOVL R12, (R9) + MOVL R14, -4(R9)(R13*1) + ADDQ R13, CX + ADDQ R13, R9 + JMP copy_2_end + +copy_2_move_8through16: + MOVQ (CX), R12 + MOVQ -8(CX)(R13*1), R14 + MOVQ R12, (R9) + MOVQ R14, -8(R9)(R13*1) + ADDQ R13, CX + ADDQ R13, R9 + +copy_2_end: + JMP handle_loop + + // Copy overlapping match +copy_overlapping_match: + ADDQ R13, R11 + +copy_slow_3: + MOVB (CX), R12 + MOVB R12, (R9) + INCQ CX + INCQ R9 + DECQ R13 + JNZ copy_slow_3 + +handle_loop: + MOVQ ctx+16(FP), CX + DECQ 96(CX) + JNS sequenceDecs_decodeSync_safe_bmi2_main_loop + +loop_finished: + MOVQ br+8(FP), CX + MOVQ AX, 24(CX) + MOVB DL, 40(CX) + MOVQ BX, 32(CX) + + // Update the context + MOVQ ctx+16(FP), AX + MOVQ R11, 136(AX) + MOVQ 144(AX), CX + SUBQ CX, R10 + MOVQ R10, 168(AX) + + // Return success + MOVQ $0x00000000, ret+24(FP) + RET + + // Return with match length error +sequenceDecs_decodeSync_safe_bmi2_error_match_len_ofs_mismatch: + MOVQ 16(SP), AX + MOVQ ctx+16(FP), CX + MOVQ AX, 216(CX) + MOVQ $0x00000001, ret+24(FP) + RET + + // Return with match too long error +sequenceDecs_decodeSync_safe_bmi2_error_match_len_too_big: + MOVQ ctx+16(FP), AX + MOVQ 16(SP), CX + MOVQ CX, 216(AX) + MOVQ $0x00000002, ret+24(FP) + RET + + // Return with match offset too long error +error_match_off_too_big: + MOVQ ctx+16(FP), AX + MOVQ 8(SP), CX + MOVQ CX, 224(AX) + MOVQ R11, 136(AX) + MOVQ $0x00000003, ret+24(FP) + RET + + // Return with not enough literals error +error_not_enough_literals: + MOVQ ctx+16(FP), AX + MOVQ 24(SP), CX + MOVQ CX, 208(AX) + MOVQ $0x00000004, ret+24(FP) + RET + + // Return with overread error +error_overread: + MOVQ $0x00000006, ret+24(FP) + RET + + // Return with not enough output space error +error_not_enough_space: + MOVQ ctx+16(FP), AX + MOVQ 24(SP), CX + MOVQ CX, 208(AX) + MOVQ 16(SP), CX + MOVQ CX, 216(AX) + MOVQ R11, 136(AX) + MOVQ $0x00000005, ret+24(FP) + RET diff --git a/vendor/github.com/klauspost/compress/zstd/seqdec_generic.go b/vendor/github.com/klauspost/compress/zstd/seqdec_generic.go new file mode 100644 index 0000000000..7cec2197cd --- /dev/null +++ b/vendor/github.com/klauspost/compress/zstd/seqdec_generic.go @@ -0,0 +1,237 @@ +//go:build !amd64 || appengine || !gc || noasm +// +build !amd64 appengine !gc noasm + +package zstd + +import ( + "fmt" + "io" +) + +// decode sequences from the stream with the provided history but without dictionary. +func (s *sequenceDecs) decodeSyncSimple(hist []byte) (bool, error) { + return false, nil +} + +// decode sequences from the stream without the provided history. +func (s *sequenceDecs) decode(seqs []seqVals) error { + br := s.br + + // Grab full sizes tables, to avoid bounds checks. + llTable, mlTable, ofTable := s.litLengths.fse.dt[:maxTablesize], s.matchLengths.fse.dt[:maxTablesize], s.offsets.fse.dt[:maxTablesize] + llState, mlState, ofState := s.litLengths.state.state, s.matchLengths.state.state, s.offsets.state.state + s.seqSize = 0 + litRemain := len(s.literals) + + maxBlockSize := maxCompressedBlockSize + if s.windowSize < maxBlockSize { + maxBlockSize = s.windowSize + } + for i := range seqs { + var ll, mo, ml int + if br.cursor > 4+((maxOffsetBits+16+16)>>3) { + // inlined function: + // ll, mo, ml = s.nextFast(br, llState, mlState, ofState) + + // Final will not read from stream. + var llB, mlB, moB uint8 + ll, llB = llState.final() + ml, mlB = mlState.final() + mo, moB = ofState.final() + + // extra bits are stored in reverse order. + br.fillFast() + mo += br.getBits(moB) + if s.maxBits > 32 { + br.fillFast() + } + ml += br.getBits(mlB) + ll += br.getBits(llB) + + if moB > 1 { + s.prevOffset[2] = s.prevOffset[1] + s.prevOffset[1] = s.prevOffset[0] + s.prevOffset[0] = mo + } else { + // mo = s.adjustOffset(mo, ll, moB) + // Inlined for rather big speedup + if ll == 0 { + // There is an exception though, when current sequence's literals_length = 0. + // In this case, repeated offsets are shifted by one, so an offset_value of 1 means Repeated_Offset2, + // an offset_value of 2 means Repeated_Offset3, and an offset_value of 3 means Repeated_Offset1 - 1_byte. + mo++ + } + + if mo == 0 { + mo = s.prevOffset[0] + } else { + var temp int + if mo == 3 { + temp = s.prevOffset[0] - 1 + } else { + temp = s.prevOffset[mo] + } + + if temp == 0 { + // 0 is not valid; input is corrupted; force offset to 1 + println("WARNING: temp was 0") + temp = 1 + } + + if mo != 1 { + s.prevOffset[2] = s.prevOffset[1] + } + s.prevOffset[1] = s.prevOffset[0] + s.prevOffset[0] = temp + mo = temp + } + } + br.fillFast() + } else { + if br.overread() { + if debugDecoder { + printf("reading sequence %d, exceeded available data\n", i) + } + return io.ErrUnexpectedEOF + } + ll, mo, ml = s.next(br, llState, mlState, ofState) + br.fill() + } + + if debugSequences { + println("Seq", i, "Litlen:", ll, "mo:", mo, "(abs) ml:", ml) + } + // Evaluate. + // We might be doing this async, so do it early. + if mo == 0 && ml > 0 { + return fmt.Errorf("zero matchoff and matchlen (%d) > 0", ml) + } + if ml > maxMatchLen { + return fmt.Errorf("match len (%d) bigger than max allowed length", ml) + } + s.seqSize += ll + ml + if s.seqSize > maxBlockSize { + return fmt.Errorf("output bigger than max block size (%d)", maxBlockSize) + } + litRemain -= ll + if litRemain < 0 { + return fmt.Errorf("unexpected literal count, want %d bytes, but only %d is available", ll, litRemain+ll) + } + seqs[i] = seqVals{ + ll: ll, + ml: ml, + mo: mo, + } + if i == len(seqs)-1 { + // This is the last sequence, so we shouldn't update state. + break + } + + // Manually inlined, ~ 5-20% faster + // Update all 3 states at once. Approx 20% faster. + nBits := llState.nbBits() + mlState.nbBits() + ofState.nbBits() + if nBits == 0 { + llState = llTable[llState.newState()&maxTableMask] + mlState = mlTable[mlState.newState()&maxTableMask] + ofState = ofTable[ofState.newState()&maxTableMask] + } else { + bits := br.get32BitsFast(nBits) + lowBits := uint16(bits >> ((ofState.nbBits() + mlState.nbBits()) & 31)) + llState = llTable[(llState.newState()+lowBits)&maxTableMask] + + lowBits = uint16(bits >> (ofState.nbBits() & 31)) + lowBits &= bitMask[mlState.nbBits()&15] + mlState = mlTable[(mlState.newState()+lowBits)&maxTableMask] + + lowBits = uint16(bits) & bitMask[ofState.nbBits()&15] + ofState = ofTable[(ofState.newState()+lowBits)&maxTableMask] + } + } + s.seqSize += litRemain + if s.seqSize > maxBlockSize { + return fmt.Errorf("output bigger than max block size (%d)", maxBlockSize) + } + err := br.close() + if err != nil { + printf("Closing sequences: %v, %+v\n", err, *br) + } + return err +} + +// executeSimple handles cases when a dictionary is not used. +func (s *sequenceDecs) executeSimple(seqs []seqVals, hist []byte) error { + // Ensure we have enough output size... + if len(s.out)+s.seqSize > cap(s.out) { + addBytes := s.seqSize + len(s.out) + s.out = append(s.out, make([]byte, addBytes)...) + s.out = s.out[:len(s.out)-addBytes] + } + + if debugDecoder { + printf("Execute %d seqs with literals: %d into %d bytes\n", len(seqs), len(s.literals), s.seqSize) + } + + var t = len(s.out) + out := s.out[:t+s.seqSize] + + for _, seq := range seqs { + // Add literals + copy(out[t:], s.literals[:seq.ll]) + t += seq.ll + s.literals = s.literals[seq.ll:] + + // Malformed input + if seq.mo > t+len(hist) || seq.mo > s.windowSize { + return fmt.Errorf("match offset (%d) bigger than current history (%d)", seq.mo, t+len(hist)) + } + + // Copy from history. + if v := seq.mo - t; v > 0 { + // v is the start position in history from end. + start := len(hist) - v + if seq.ml > v { + // Some goes into the current block. + // Copy remainder of history + copy(out[t:], hist[start:]) + t += v + seq.ml -= v + } else { + copy(out[t:], hist[start:start+seq.ml]) + t += seq.ml + continue + } + } + + // We must be in the current buffer now + if seq.ml > 0 { + start := t - seq.mo + if seq.ml <= t-start { + // No overlap + copy(out[t:], out[start:start+seq.ml]) + t += seq.ml + } else { + // Overlapping copy + // Extend destination slice and copy one byte at the time. + src := out[start : start+seq.ml] + dst := out[t:] + dst = dst[:len(src)] + t += len(src) + // Destination is the space we just added. + for i := range src { + dst[i] = src[i] + } + } + } + } + // Add final literals + copy(out[t:], s.literals) + if debugDecoder { + t += len(s.literals) + if t != len(out) { + panic(fmt.Errorf("length mismatch, want %d, got %d, ss: %d", len(out), t, s.seqSize)) + } + } + s.out = out + + return nil +} diff --git a/vendor/github.com/klauspost/compress/zstd/seqenc.go b/vendor/github.com/klauspost/compress/zstd/seqenc.go new file mode 100644 index 0000000000..65045eabdd --- /dev/null +++ b/vendor/github.com/klauspost/compress/zstd/seqenc.go @@ -0,0 +1,112 @@ +// Copyright 2019+ Klaus Post. All rights reserved. +// License information can be found in the LICENSE file. +// Based on work by Yann Collet, released under BSD License. + +package zstd + +import "math/bits" + +type seqCoders struct { + llEnc, ofEnc, mlEnc *fseEncoder + llPrev, ofPrev, mlPrev *fseEncoder +} + +// swap coders with another (block). +func (s *seqCoders) swap(other *seqCoders) { + *s, *other = *other, *s +} + +// setPrev will update the previous encoders to the actually used ones +// and make sure a fresh one is in the main slot. +func (s *seqCoders) setPrev(ll, ml, of *fseEncoder) { + compareSwap := func(used *fseEncoder, current, prev **fseEncoder) { + // We used the new one, more current to history and reuse the previous history + if *current == used { + *prev, *current = *current, *prev + c := *current + p := *prev + c.reUsed = false + p.reUsed = true + return + } + if used == *prev { + return + } + // Ensure we cannot reuse by accident + prevEnc := *prev + prevEnc.symbolLen = 0 + } + compareSwap(ll, &s.llEnc, &s.llPrev) + compareSwap(ml, &s.mlEnc, &s.mlPrev) + compareSwap(of, &s.ofEnc, &s.ofPrev) +} + +func highBit(val uint32) (n uint32) { + return uint32(bits.Len32(val) - 1) +} + +var llCodeTable = [64]byte{0, 1, 2, 3, 4, 5, 6, 7, + 8, 9, 10, 11, 12, 13, 14, 15, + 16, 16, 17, 17, 18, 18, 19, 19, + 20, 20, 20, 20, 21, 21, 21, 21, + 22, 22, 22, 22, 22, 22, 22, 22, + 23, 23, 23, 23, 23, 23, 23, 23, + 24, 24, 24, 24, 24, 24, 24, 24, + 24, 24, 24, 24, 24, 24, 24, 24} + +// Up to 6 bits +const maxLLCode = 35 + +// llBitsTable translates from ll code to number of bits. +var llBitsTable = [maxLLCode + 1]byte{ + 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, + 1, 1, 1, 1, 2, 2, 3, 3, + 4, 6, 7, 8, 9, 10, 11, 12, + 13, 14, 15, 16} + +// llCode returns the code that represents the literal length requested. +func llCode(litLength uint32) uint8 { + const llDeltaCode = 19 + if litLength <= 63 { + return llCodeTable[litLength&63] + } + return uint8(highBit(litLength)) + llDeltaCode +} + +var mlCodeTable = [128]byte{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, + 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, + 32, 32, 33, 33, 34, 34, 35, 35, 36, 36, 36, 36, 37, 37, 37, 37, + 38, 38, 38, 38, 38, 38, 38, 38, 39, 39, 39, 39, 39, 39, 39, 39, + 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, + 41, 41, 41, 41, 41, 41, 41, 41, 41, 41, 41, 41, 41, 41, 41, 41, + 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, + 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42} + +// Up to 6 bits +const maxMLCode = 52 + +// mlBitsTable translates from ml code to number of bits. +var mlBitsTable = [maxMLCode + 1]byte{ + 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, + 1, 1, 1, 1, 2, 2, 3, 3, + 4, 4, 5, 7, 8, 9, 10, 11, + 12, 13, 14, 15, 16} + +// note : mlBase = matchLength - MINMATCH; +// because it's the format it's stored in seqStore->sequences +func mlCode(mlBase uint32) uint8 { + const mlDeltaCode = 36 + if mlBase <= 127 { + return mlCodeTable[mlBase&127] + } + return uint8(highBit(mlBase)) + mlDeltaCode +} + +func ofCode(offset uint32) uint8 { + // A valid offset will always be > 0. + return uint8(bits.Len32(offset) - 1) +} diff --git a/vendor/github.com/klauspost/compress/zstd/snappy.go b/vendor/github.com/klauspost/compress/zstd/snappy.go new file mode 100644 index 0000000000..a17381b8f8 --- /dev/null +++ b/vendor/github.com/klauspost/compress/zstd/snappy.go @@ -0,0 +1,434 @@ +// Copyright 2019+ Klaus Post. All rights reserved. +// License information can be found in the LICENSE file. +// Based on work by Yann Collet, released under BSD License. + +package zstd + +import ( + "encoding/binary" + "errors" + "hash/crc32" + "io" + + "github.com/klauspost/compress/huff0" + snappy "github.com/klauspost/compress/internal/snapref" +) + +const ( + snappyTagLiteral = 0x00 + snappyTagCopy1 = 0x01 + snappyTagCopy2 = 0x02 + snappyTagCopy4 = 0x03 +) + +const ( + snappyChecksumSize = 4 + snappyMagicBody = "sNaPpY" + + // snappyMaxBlockSize is the maximum size of the input to encodeBlock. It is not + // part of the wire format per se, but some parts of the encoder assume + // that an offset fits into a uint16. + // + // Also, for the framing format (Writer type instead of Encode function), + // https://github.com/google/snappy/blob/master/framing_format.txt says + // that "the uncompressed data in a chunk must be no longer than 65536 + // bytes". + snappyMaxBlockSize = 65536 + + // snappyMaxEncodedLenOfMaxBlockSize equals MaxEncodedLen(snappyMaxBlockSize), but is + // hard coded to be a const instead of a variable, so that obufLen can also + // be a const. Their equivalence is confirmed by + // TestMaxEncodedLenOfMaxBlockSize. + snappyMaxEncodedLenOfMaxBlockSize = 76490 +) + +const ( + chunkTypeCompressedData = 0x00 + chunkTypeUncompressedData = 0x01 + chunkTypePadding = 0xfe + chunkTypeStreamIdentifier = 0xff +) + +var ( + // ErrSnappyCorrupt reports that the input is invalid. + ErrSnappyCorrupt = errors.New("snappy: corrupt input") + // ErrSnappyTooLarge reports that the uncompressed length is too large. + ErrSnappyTooLarge = errors.New("snappy: decoded block is too large") + // ErrSnappyUnsupported reports that the input isn't supported. + ErrSnappyUnsupported = errors.New("snappy: unsupported input") + + errUnsupportedLiteralLength = errors.New("snappy: unsupported literal length") +) + +// SnappyConverter can read SnappyConverter-compressed streams and convert them to zstd. +// Conversion is done by converting the stream directly from Snappy without intermediate +// full decoding. +// Therefore the compression ratio is much less than what can be done by a full decompression +// and compression, and a faulty Snappy stream may lead to a faulty Zstandard stream without +// any errors being generated. +// No CRC value is being generated and not all CRC values of the Snappy stream are checked. +// However, it provides really fast recompression of Snappy streams. +// The converter can be reused to avoid allocations, even after errors. +type SnappyConverter struct { + r io.Reader + err error + buf []byte + block *blockEnc +} + +// Convert the Snappy stream supplied in 'in' and write the zStandard stream to 'w'. +// If any error is detected on the Snappy stream it is returned. +// The number of bytes written is returned. +func (r *SnappyConverter) Convert(in io.Reader, w io.Writer) (int64, error) { + initPredefined() + r.err = nil + r.r = in + if r.block == nil { + r.block = &blockEnc{} + r.block.init() + } + r.block.initNewEncode() + if len(r.buf) != snappyMaxEncodedLenOfMaxBlockSize+snappyChecksumSize { + r.buf = make([]byte, snappyMaxEncodedLenOfMaxBlockSize+snappyChecksumSize) + } + r.block.litEnc.Reuse = huff0.ReusePolicyNone + var written int64 + var readHeader bool + { + header := frameHeader{WindowSize: snappyMaxBlockSize}.appendTo(r.buf[:0]) + + var n int + n, r.err = w.Write(header) + if r.err != nil { + return written, r.err + } + written += int64(n) + } + + for { + if !r.readFull(r.buf[:4], true) { + // Add empty last block + r.block.reset(nil) + r.block.last = true + err := r.block.encodeLits(r.block.literals, false) + if err != nil { + return written, err + } + n, err := w.Write(r.block.output) + if err != nil { + return written, err + } + written += int64(n) + + return written, r.err + } + chunkType := r.buf[0] + if !readHeader { + if chunkType != chunkTypeStreamIdentifier { + println("chunkType != chunkTypeStreamIdentifier", chunkType) + r.err = ErrSnappyCorrupt + return written, r.err + } + readHeader = true + } + chunkLen := int(r.buf[1]) | int(r.buf[2])<<8 | int(r.buf[3])<<16 + if chunkLen > len(r.buf) { + println("chunkLen > len(r.buf)", chunkType) + r.err = ErrSnappyUnsupported + return written, r.err + } + + // The chunk types are specified at + // https://github.com/google/snappy/blob/master/framing_format.txt + switch chunkType { + case chunkTypeCompressedData: + // Section 4.2. Compressed data (chunk type 0x00). + if chunkLen < snappyChecksumSize { + println("chunkLen < snappyChecksumSize", chunkLen, snappyChecksumSize) + r.err = ErrSnappyCorrupt + return written, r.err + } + buf := r.buf[:chunkLen] + if !r.readFull(buf, false) { + return written, r.err + } + //checksum := uint32(buf[0]) | uint32(buf[1])<<8 | uint32(buf[2])<<16 | uint32(buf[3])<<24 + buf = buf[snappyChecksumSize:] + + n, hdr, err := snappyDecodedLen(buf) + if err != nil { + r.err = err + return written, r.err + } + buf = buf[hdr:] + if n > snappyMaxBlockSize { + println("n > snappyMaxBlockSize", n, snappyMaxBlockSize) + r.err = ErrSnappyCorrupt + return written, r.err + } + r.block.reset(nil) + r.block.pushOffsets() + if err := decodeSnappy(r.block, buf); err != nil { + r.err = err + return written, r.err + } + if r.block.size+r.block.extraLits != n { + printf("invalid size, want %d, got %d\n", n, r.block.size+r.block.extraLits) + r.err = ErrSnappyCorrupt + return written, r.err + } + err = r.block.encode(nil, false, false) + switch err { + case errIncompressible: + r.block.popOffsets() + r.block.reset(nil) + r.block.literals, err = snappy.Decode(r.block.literals[:n], r.buf[snappyChecksumSize:chunkLen]) + if err != nil { + return written, err + } + err = r.block.encodeLits(r.block.literals, false) + if err != nil { + return written, err + } + case nil: + default: + return written, err + } + + n, r.err = w.Write(r.block.output) + if r.err != nil { + return written, r.err + } + written += int64(n) + continue + case chunkTypeUncompressedData: + if debugEncoder { + println("Uncompressed, chunklen", chunkLen) + } + // Section 4.3. Uncompressed data (chunk type 0x01). + if chunkLen < snappyChecksumSize { + println("chunkLen < snappyChecksumSize", chunkLen, snappyChecksumSize) + r.err = ErrSnappyCorrupt + return written, r.err + } + r.block.reset(nil) + buf := r.buf[:snappyChecksumSize] + if !r.readFull(buf, false) { + return written, r.err + } + checksum := uint32(buf[0]) | uint32(buf[1])<<8 | uint32(buf[2])<<16 | uint32(buf[3])<<24 + // Read directly into r.decoded instead of via r.buf. + n := chunkLen - snappyChecksumSize + if n > snappyMaxBlockSize { + println("n > snappyMaxBlockSize", n, snappyMaxBlockSize) + r.err = ErrSnappyCorrupt + return written, r.err + } + r.block.literals = r.block.literals[:n] + if !r.readFull(r.block.literals, false) { + return written, r.err + } + if snappyCRC(r.block.literals) != checksum { + println("literals crc mismatch") + r.err = ErrSnappyCorrupt + return written, r.err + } + err := r.block.encodeLits(r.block.literals, false) + if err != nil { + return written, err + } + n, r.err = w.Write(r.block.output) + if r.err != nil { + return written, r.err + } + written += int64(n) + continue + + case chunkTypeStreamIdentifier: + if debugEncoder { + println("stream id", chunkLen, len(snappyMagicBody)) + } + // Section 4.1. Stream identifier (chunk type 0xff). + if chunkLen != len(snappyMagicBody) { + println("chunkLen != len(snappyMagicBody)", chunkLen, len(snappyMagicBody)) + r.err = ErrSnappyCorrupt + return written, r.err + } + if !r.readFull(r.buf[:len(snappyMagicBody)], false) { + return written, r.err + } + for i := 0; i < len(snappyMagicBody); i++ { + if r.buf[i] != snappyMagicBody[i] { + println("r.buf[i] != snappyMagicBody[i]", r.buf[i], snappyMagicBody[i], i) + r.err = ErrSnappyCorrupt + return written, r.err + } + } + continue + } + + if chunkType <= 0x7f { + // Section 4.5. Reserved unskippable chunks (chunk types 0x02-0x7f). + println("chunkType <= 0x7f") + r.err = ErrSnappyUnsupported + return written, r.err + } + // Section 4.4 Padding (chunk type 0xfe). + // Section 4.6. Reserved skippable chunks (chunk types 0x80-0xfd). + if !r.readFull(r.buf[:chunkLen], false) { + return written, r.err + } + } +} + +// decodeSnappy writes the decoding of src to dst. It assumes that the varint-encoded +// length of the decompressed bytes has already been read. +func decodeSnappy(blk *blockEnc, src []byte) error { + //decodeRef(make([]byte, snappyMaxBlockSize), src) + var s, length int + lits := blk.extraLits + var offset uint32 + for s < len(src) { + switch src[s] & 0x03 { + case snappyTagLiteral: + x := uint32(src[s] >> 2) + switch { + case x < 60: + s++ + case x == 60: + s += 2 + if uint(s) > uint(len(src)) { // The uint conversions catch overflow from the previous line. + println("uint(s) > uint(len(src)", s, src) + return ErrSnappyCorrupt + } + x = uint32(src[s-1]) + case x == 61: + s += 3 + if uint(s) > uint(len(src)) { // The uint conversions catch overflow from the previous line. + println("uint(s) > uint(len(src)", s, src) + return ErrSnappyCorrupt + } + x = uint32(src[s-2]) | uint32(src[s-1])<<8 + case x == 62: + s += 4 + if uint(s) > uint(len(src)) { // The uint conversions catch overflow from the previous line. + println("uint(s) > uint(len(src)", s, src) + return ErrSnappyCorrupt + } + x = uint32(src[s-3]) | uint32(src[s-2])<<8 | uint32(src[s-1])<<16 + case x == 63: + s += 5 + if uint(s) > uint(len(src)) { // The uint conversions catch overflow from the previous line. + println("uint(s) > uint(len(src)", s, src) + return ErrSnappyCorrupt + } + x = uint32(src[s-4]) | uint32(src[s-3])<<8 | uint32(src[s-2])<<16 | uint32(src[s-1])<<24 + } + if x > snappyMaxBlockSize { + println("x > snappyMaxBlockSize", x, snappyMaxBlockSize) + return ErrSnappyCorrupt + } + length = int(x) + 1 + if length <= 0 { + println("length <= 0 ", length) + + return errUnsupportedLiteralLength + } + //if length > snappyMaxBlockSize-d || uint32(length) > len(src)-s { + // return ErrSnappyCorrupt + //} + + blk.literals = append(blk.literals, src[s:s+length]...) + //println(length, "litLen") + lits += length + s += length + continue + + case snappyTagCopy1: + s += 2 + if uint(s) > uint(len(src)) { // The uint conversions catch overflow from the previous line. + println("uint(s) > uint(len(src)", s, len(src)) + return ErrSnappyCorrupt + } + length = 4 + int(src[s-2])>>2&0x7 + offset = uint32(src[s-2])&0xe0<<3 | uint32(src[s-1]) + + case snappyTagCopy2: + s += 3 + if uint(s) > uint(len(src)) { // The uint conversions catch overflow from the previous line. + println("uint(s) > uint(len(src)", s, len(src)) + return ErrSnappyCorrupt + } + length = 1 + int(src[s-3])>>2 + offset = uint32(src[s-2]) | uint32(src[s-1])<<8 + + case snappyTagCopy4: + s += 5 + if uint(s) > uint(len(src)) { // The uint conversions catch overflow from the previous line. + println("uint(s) > uint(len(src)", s, len(src)) + return ErrSnappyCorrupt + } + length = 1 + int(src[s-5])>>2 + offset = uint32(src[s-4]) | uint32(src[s-3])<<8 | uint32(src[s-2])<<16 | uint32(src[s-1])<<24 + } + + if offset <= 0 || blk.size+lits < int(offset) /*|| length > len(blk)-d */ { + println("offset <= 0 || blk.size+lits < int(offset)", offset, blk.size+lits, int(offset), blk.size, lits) + + return ErrSnappyCorrupt + } + + // Check if offset is one of the recent offsets. + // Adjusts the output offset accordingly. + // Gives a tiny bit of compression, typically around 1%. + if false { + offset = blk.matchOffset(offset, uint32(lits)) + } else { + offset += 3 + } + + blk.sequences = append(blk.sequences, seq{ + litLen: uint32(lits), + offset: offset, + matchLen: uint32(length) - zstdMinMatch, + }) + blk.size += length + lits + lits = 0 + } + blk.extraLits = lits + return nil +} + +func (r *SnappyConverter) readFull(p []byte, allowEOF bool) (ok bool) { + if _, r.err = io.ReadFull(r.r, p); r.err != nil { + if r.err == io.ErrUnexpectedEOF || (r.err == io.EOF && !allowEOF) { + r.err = ErrSnappyCorrupt + } + return false + } + return true +} + +var crcTable = crc32.MakeTable(crc32.Castagnoli) + +// crc implements the checksum specified in section 3 of +// https://github.com/google/snappy/blob/master/framing_format.txt +func snappyCRC(b []byte) uint32 { + c := crc32.Update(0, crcTable, b) + return c>>15 | c<<17 + 0xa282ead8 +} + +// snappyDecodedLen returns the length of the decoded block and the number of bytes +// that the length header occupied. +func snappyDecodedLen(src []byte) (blockLen, headerLen int, err error) { + v, n := binary.Uvarint(src) + if n <= 0 || v > 0xffffffff { + return 0, 0, ErrSnappyCorrupt + } + + const wordSize = 32 << (^uint(0) >> 32 & 1) + if wordSize == 32 && v > 0x7fffffff { + return 0, 0, ErrSnappyTooLarge + } + return int(v), n, nil +} diff --git a/vendor/github.com/klauspost/compress/zstd/zip.go b/vendor/github.com/klauspost/compress/zstd/zip.go new file mode 100644 index 0000000000..29c15c8c4e --- /dev/null +++ b/vendor/github.com/klauspost/compress/zstd/zip.go @@ -0,0 +1,141 @@ +// Copyright 2019+ Klaus Post. All rights reserved. +// License information can be found in the LICENSE file. + +package zstd + +import ( + "errors" + "io" + "sync" +) + +// ZipMethodWinZip is the method for Zstandard compressed data inside Zip files for WinZip. +// See https://www.winzip.com/win/en/comp_info.html +const ZipMethodWinZip = 93 + +// ZipMethodPKWare is the original method number used by PKWARE to indicate Zstandard compression. +// Deprecated: This has been deprecated by PKWARE, use ZipMethodWinZip instead for compression. +// See https://pkware.cachefly.net/webdocs/APPNOTE/APPNOTE-6.3.9.TXT +const ZipMethodPKWare = 20 + +// zipReaderPool is the default reader pool. +var zipReaderPool = sync.Pool{New: func() interface{} { + z, err := NewReader(nil, WithDecoderLowmem(true), WithDecoderMaxWindow(128<<20), WithDecoderConcurrency(1)) + if err != nil { + panic(err) + } + return z +}} + +// newZipReader creates a pooled zip decompressor. +func newZipReader(opts ...DOption) func(r io.Reader) io.ReadCloser { + pool := &zipReaderPool + if len(opts) > 0 { + opts = append([]DOption{WithDecoderLowmem(true), WithDecoderMaxWindow(128 << 20)}, opts...) + // Force concurrency 1 + opts = append(opts, WithDecoderConcurrency(1)) + // Create our own pool + pool = &sync.Pool{} + } + return func(r io.Reader) io.ReadCloser { + dec, ok := pool.Get().(*Decoder) + if ok { + dec.Reset(r) + } else { + d, err := NewReader(r, opts...) + if err != nil { + panic(err) + } + dec = d + } + return &pooledZipReader{dec: dec, pool: pool} + } +} + +type pooledZipReader struct { + mu sync.Mutex // guards Close and Read + pool *sync.Pool + dec *Decoder +} + +func (r *pooledZipReader) Read(p []byte) (n int, err error) { + r.mu.Lock() + defer r.mu.Unlock() + if r.dec == nil { + return 0, errors.New("read after close or EOF") + } + dec, err := r.dec.Read(p) + if err == io.EOF { + r.dec.Reset(nil) + r.pool.Put(r.dec) + r.dec = nil + } + return dec, err +} + +func (r *pooledZipReader) Close() error { + r.mu.Lock() + defer r.mu.Unlock() + var err error + if r.dec != nil { + err = r.dec.Reset(nil) + r.pool.Put(r.dec) + r.dec = nil + } + return err +} + +type pooledZipWriter struct { + mu sync.Mutex // guards Close and Read + enc *Encoder + pool *sync.Pool +} + +func (w *pooledZipWriter) Write(p []byte) (n int, err error) { + w.mu.Lock() + defer w.mu.Unlock() + if w.enc == nil { + return 0, errors.New("Write after Close") + } + return w.enc.Write(p) +} + +func (w *pooledZipWriter) Close() error { + w.mu.Lock() + defer w.mu.Unlock() + var err error + if w.enc != nil { + err = w.enc.Close() + w.pool.Put(w.enc) + w.enc = nil + } + return err +} + +// ZipCompressor returns a compressor that can be registered with zip libraries. +// The provided encoder options will be used on all encodes. +func ZipCompressor(opts ...EOption) func(w io.Writer) (io.WriteCloser, error) { + var pool sync.Pool + return func(w io.Writer) (io.WriteCloser, error) { + enc, ok := pool.Get().(*Encoder) + if ok { + enc.Reset(w) + } else { + var err error + enc, err = NewWriter(w, opts...) + if err != nil { + return nil, err + } + } + return &pooledZipWriter{enc: enc, pool: &pool}, nil + } +} + +// ZipDecompressor returns a decompressor that can be registered with zip libraries. +// See ZipCompressor for example. +// Options can be specified. WithDecoderConcurrency(1) is forced, +// and by default a 128MB maximum decompression window is specified. +// The window size can be overridden if required. +func ZipDecompressor(opts ...DOption) func(r io.Reader) io.ReadCloser { + return newZipReader(opts...) +} diff --git a/vendor/github.com/klauspost/compress/zstd/zstd.go b/vendor/github.com/klauspost/compress/zstd/zstd.go new file mode 100644 index 0000000000..6252b46ae6 --- /dev/null +++ b/vendor/github.com/klauspost/compress/zstd/zstd.go @@ -0,0 +1,126 @@ +// Package zstd provides decompression of zstandard files. +// +// For advanced usage and examples, go to the README: https://github.com/klauspost/compress/tree/master/zstd#zstd +package zstd + +import ( + "bytes" + "errors" + "log" + "math" + + "github.com/klauspost/compress/internal/le" +) + +// enable debug printing +const debug = false + +// enable encoding debug printing +const debugEncoder = debug + +// enable decoding debug printing +const debugDecoder = debug + +// Enable extra assertions. +const debugAsserts = debug || false + +// print sequence details +const debugSequences = false + +// print detailed matching information +const debugMatches = false + +// force encoder to use predefined tables. +const forcePreDef = false + +// zstdMinMatch is the minimum zstd match length. +const zstdMinMatch = 3 + +// fcsUnknown is used for unknown frame content size. +const fcsUnknown = math.MaxUint64 + +var ( + // ErrReservedBlockType is returned when a reserved block type is found. + // Typically this indicates wrong or corrupted input. + ErrReservedBlockType = errors.New("invalid input: reserved block type encountered") + + // ErrCompressedSizeTooBig is returned when a block is bigger than allowed. + // Typically this indicates wrong or corrupted input. + ErrCompressedSizeTooBig = errors.New("invalid input: compressed size too big") + + // ErrBlockTooSmall is returned when a block is too small to be decoded. + // Typically returned on invalid input. + ErrBlockTooSmall = errors.New("block too small") + + // ErrUnexpectedBlockSize is returned when a block has unexpected size. + // Typically returned on invalid input. + ErrUnexpectedBlockSize = errors.New("unexpected block size") + + // ErrMagicMismatch is returned when a "magic" number isn't what is expected. + // Typically this indicates wrong or corrupted input. + ErrMagicMismatch = errors.New("invalid input: magic number mismatch") + + // ErrWindowSizeExceeded is returned when a reference exceeds the valid window size. + // Typically this indicates wrong or corrupted input. + ErrWindowSizeExceeded = errors.New("window size exceeded") + + // ErrWindowSizeTooSmall is returned when no window size is specified. + // Typically this indicates wrong or corrupted input. + ErrWindowSizeTooSmall = errors.New("invalid input: window size was too small") + + // ErrDecoderSizeExceeded is returned if decompressed size exceeds the configured limit. + ErrDecoderSizeExceeded = errors.New("decompressed size exceeds configured limit") + + // ErrUnknownDictionary is returned if the dictionary ID is unknown. + ErrUnknownDictionary = errors.New("unknown dictionary") + + // ErrFrameSizeExceeded is returned if the stated frame size is exceeded. + // This is only returned if SingleSegment is specified on the frame. + ErrFrameSizeExceeded = errors.New("frame size exceeded") + + // ErrFrameSizeMismatch is returned if the stated frame size does not match the expected size. + // This is only returned if SingleSegment is specified on the frame. + ErrFrameSizeMismatch = errors.New("frame size does not match size on stream") + + // ErrCRCMismatch is returned if CRC mismatches. + ErrCRCMismatch = errors.New("CRC check failed") + + // ErrDecoderClosed will be returned if the Decoder was used after + // Close has been called. + ErrDecoderClosed = errors.New("decoder used after Close") + + // ErrEncoderClosed will be returned if the Encoder was used after + // Close has been called. + ErrEncoderClosed = errors.New("encoder used after Close") + + // ErrDecoderNilInput is returned when a nil Reader was provided + // and an operation other than Reset/DecodeAll/Close was attempted. + ErrDecoderNilInput = errors.New("nil input provided as reader") +) + +func println(a ...interface{}) { + if debug || debugDecoder || debugEncoder { + log.Println(a...) + } +} + +func printf(format string, a ...interface{}) { + if debug || debugDecoder || debugEncoder { + log.Printf(format, a...) + } +} + +func load3232(b []byte, i int32) uint32 { + return le.Load32(b, i) +} + +func load6432(b []byte, i int32) uint64 { + return le.Load64(b, i) +} + +type byter interface { + Bytes() []byte + Len() int +} + +var _ byter = &bytes.Buffer{} diff --git a/vendor/github.com/lann/builder/.gitignore b/vendor/github.com/lann/builder/.gitignore new file mode 100644 index 0000000000..f54eb28f6e --- /dev/null +++ b/vendor/github.com/lann/builder/.gitignore @@ -0,0 +1,2 @@ +*~ +\#*# diff --git a/vendor/github.com/lann/builder/.travis.yml b/vendor/github.com/lann/builder/.travis.yml new file mode 100644 index 0000000000..c8860f69bc --- /dev/null +++ b/vendor/github.com/lann/builder/.travis.yml @@ -0,0 +1,7 @@ +language: go + +go: + - '1.8' + - '1.9' + - '1.10' + - tip diff --git a/vendor/github.com/lann/builder/LICENSE b/vendor/github.com/lann/builder/LICENSE new file mode 100644 index 0000000000..a109e8051c --- /dev/null +++ b/vendor/github.com/lann/builder/LICENSE @@ -0,0 +1,21 @@ +MIT License + +Copyright (c) 2014-2015 Lann Martin + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. diff --git a/vendor/github.com/lann/builder/README.md b/vendor/github.com/lann/builder/README.md new file mode 100644 index 0000000000..3b18550bb9 --- /dev/null +++ b/vendor/github.com/lann/builder/README.md @@ -0,0 +1,68 @@ +# Builder - fluent immutable builders for Go + +[![GoDoc](https://godoc.org/github.com/lann/builder?status.png)](https://godoc.org/github.com/lann/builder) +[![Build Status](https://travis-ci.org/lann/builder.png?branch=master)](https://travis-ci.org/lann/builder) + +Builder was originally written for +[Squirrel](https://github.com/lann/squirrel), a fluent SQL generator. It +is probably the best example of Builder in action. + +Builder helps you write **fluent** DSLs for your libraries with method chaining: + +```go +resp := ReqBuilder. + Url("http://golang.org"). + Header("User-Agent", "Builder"). + Get() +``` + +Builder uses **immutable** persistent data structures +([these](https://github.com/mndrix/ps), specifically) +so that each step in your method chain can be reused: + +```go +build := WordBuilder.AddLetters("Build") +builder := build.AddLetters("er") +building := build.AddLetters("ing") +``` + +Builder makes it easy to **build** structs using the **builder** pattern +(*surprise!*): + +```go +import "github.com/lann/builder" + +type Muppet struct { + Name string + Friends []string +} + +type muppetBuilder builder.Builder + +func (b muppetBuilder) Name(name string) muppetBuilder { + return builder.Set(b, "Name", name).(muppetBuilder) +} + +func (b muppetBuilder) AddFriend(friend string) muppetBuilder { + return builder.Append(b, "Friends", friend).(muppetBuilder) +} + +func (b muppetBuilder) Build() Muppet { + return builder.GetStruct(b).(Muppet) +} + +var MuppetBuilder = builder.Register(muppetBuilder{}, Muppet{}).(muppetBuilder) +``` +```go +MuppetBuilder. + Name("Beaker"). + AddFriend("Dr. Honeydew"). + Build() + +=> Muppet{Name:"Beaker", Friends:[]string{"Dr. Honeydew"}} +``` + +## License + +Builder is released under the +[MIT License](http://www.opensource.org/licenses/MIT). diff --git a/vendor/github.com/lann/builder/builder.go b/vendor/github.com/lann/builder/builder.go new file mode 100644 index 0000000000..ff621406a4 --- /dev/null +++ b/vendor/github.com/lann/builder/builder.go @@ -0,0 +1,225 @@ +// Package builder provides a method for writing fluent immutable builders. +package builder + +import ( + "github.com/lann/ps" + "go/ast" + "reflect" +) + +// Builder stores a set of named values. +// +// New types can be declared with underlying type Builder and used with the +// functions in this package. See example. +// +// Instances of Builder should be treated as immutable. It is up to the +// implementor to ensure mutable values set on a Builder are not mutated while +// the Builder is in use. +type Builder struct { + builderMap ps.Map +} + +var ( + EmptyBuilder = Builder{ps.NewMap()} + emptyBuilderValue = reflect.ValueOf(EmptyBuilder) +) + +func getBuilderMap(builder interface{}) ps.Map { + b := convert(builder, Builder{}).(Builder) + + if b.builderMap == nil { + return ps.NewMap() + } + + return b.builderMap +} + +// Set returns a copy of the given builder with a new value set for the given +// name. +// +// Set (and all other functions taking a builder in this package) will panic if +// the given builder's underlying type is not Builder. +func Set(builder interface{}, name string, v interface{}) interface{} { + b := Builder{getBuilderMap(builder).Set(name, v)} + return convert(b, builder) +} + +// Delete returns a copy of the given builder with the given named value unset. +func Delete(builder interface{}, name string) interface{} { + b := Builder{getBuilderMap(builder).Delete(name)} + return convert(b, builder) +} + +// Append returns a copy of the given builder with new value(s) appended to the +// named list. If the value was previously unset or set with Set (even to a e.g. +// slice values), the new value(s) will be appended to an empty list. +func Append(builder interface{}, name string, vs ...interface{}) interface{} { + return Extend(builder, name, vs) +} + +// Extend behaves like Append, except it takes a single slice or array value +// which will be concatenated to the named list. +// +// Unlike a variadic call to Append - which requires a []interface{} value - +// Extend accepts slices or arrays of any type. +// +// Extend will panic if the given value is not a slice, array, or nil. +func Extend(builder interface{}, name string, vs interface{}) interface{} { + if vs == nil { + return builder + } + + maybeList, ok := getBuilderMap(builder).Lookup(name) + + var list ps.List + if ok { + list, ok = maybeList.(ps.List) + } + if !ok { + list = ps.NewList() + } + + forEach(vs, func(v interface{}) { + list = list.Cons(v) + }) + + return Set(builder, name, list) +} + +func listToSlice(list ps.List, arrayType reflect.Type) reflect.Value { + size := list.Size() + slice := reflect.MakeSlice(arrayType, size, size) + for i := size - 1; i >= 0; i-- { + val := reflect.ValueOf(list.Head()) + slice.Index(i).Set(val) + list = list.Tail() + } + return slice +} + +var anyArrayType = reflect.TypeOf([]interface{}{}) + +// Get retrieves a single named value from the given builder. +// If the value has not been set, it returns (nil, false). Otherwise, it will +// return (value, true). +// +// If the named value was last set with Append or Extend, the returned value +// will be a slice. If the given Builder has been registered with Register or +// RegisterType and the given name is an exported field of the registered +// struct, the returned slice will have the same type as that field. Otherwise +// the slice will have type []interface{}. It will panic if the given name is a +// registered struct's exported field and the value set on the Builder is not +// assignable to the field. +func Get(builder interface{}, name string) (interface{}, bool) { + val, ok := getBuilderMap(builder).Lookup(name) + if !ok { + return nil, false + } + + list, isList := val.(ps.List) + if isList { + arrayType := anyArrayType + + if ast.IsExported(name) { + structType := getBuilderStructType(reflect.TypeOf(builder)) + if structType != nil { + field, ok := (*structType).FieldByName(name) + if ok { + arrayType = field.Type + } + } + } + + val = listToSlice(list, arrayType).Interface() + } + + return val, true +} + +// GetMap returns a map[string]interface{} of the values set in the given +// builder. +// +// See notes on Get regarding returned slices. +func GetMap(builder interface{}) map[string]interface{} { + m := getBuilderMap(builder) + structType := getBuilderStructType(reflect.TypeOf(builder)) + + ret := make(map[string]interface{}, m.Size()) + + m.ForEach(func(name string, val ps.Any) { + list, isList := val.(ps.List) + if isList { + arrayType := anyArrayType + + if structType != nil { + field, ok := (*structType).FieldByName(name) + if ok { + arrayType = field.Type + } + } + + val = listToSlice(list, arrayType).Interface() + } + + ret[name] = val + }) + + return ret +} + +// GetStruct builds a new struct from the given registered builder. +// It will return nil if the given builder's type has not been registered with +// Register or RegisterValue. +// +// All values set on the builder with names that start with an uppercase letter +// (i.e. which would be exported if they were identifiers) are assigned to the +// corresponding exported fields of the struct. +// +// GetStruct will panic if any of these "exported" values are not assignable to +// their corresponding struct fields. +func GetStruct(builder interface{}) interface{} { + structVal := newBuilderStruct(reflect.TypeOf(builder)) + if structVal == nil { + return nil + } + return scanStruct(builder, structVal) +} + +// GetStructLike builds a new struct from the given builder with the same type +// as the given struct. +// +// All values set on the builder with names that start with an uppercase letter +// (i.e. which would be exported if they were identifiers) are assigned to the +// corresponding exported fields of the struct. +// +// ScanStruct will panic if any of these "exported" values are not assignable to +// their corresponding struct fields. +func GetStructLike(builder interface{}, strct interface{}) interface{} { + structVal := reflect.New(reflect.TypeOf(strct)).Elem() + return scanStruct(builder, &structVal) +} + +func scanStruct(builder interface{}, structVal *reflect.Value) interface{} { + getBuilderMap(builder).ForEach(func(name string, val ps.Any) { + if ast.IsExported(name) { + field := structVal.FieldByName(name) + + var value reflect.Value + switch v := val.(type) { + case nil: + switch field.Kind() { + case reflect.Chan, reflect.Func, reflect.Interface, reflect.Map, reflect.Ptr, reflect.Slice: + value = reflect.Zero(field.Type()) + } + // nil is not valid for this Type; Set will panic + case ps.List: + value = listToSlice(v, field.Type()) + default: + value = reflect.ValueOf(val) + } + field.Set(value) + } + }) + + return structVal.Interface() +} diff --git a/vendor/github.com/lann/builder/reflect.go b/vendor/github.com/lann/builder/reflect.go new file mode 100644 index 0000000000..3b236e7918 --- /dev/null +++ b/vendor/github.com/lann/builder/reflect.go @@ -0,0 +1,24 @@ +package builder + +import "reflect" + +func convert(from interface{}, to interface{}) interface{} { + return reflect. + ValueOf(from). + Convert(reflect.TypeOf(to)). + Interface() +} + +func forEach(s interface{}, f func(interface{})) { + val := reflect.ValueOf(s) + + kind := val.Kind() + if kind != reflect.Slice && kind != reflect.Array { + panic(&reflect.ValueError{Method: "builder.forEach", Kind: kind}) + } + + l := val.Len() + for i := 0; i < l; i++ { + f(val.Index(i).Interface()) + } +} diff --git a/vendor/github.com/lann/builder/registry.go b/vendor/github.com/lann/builder/registry.go new file mode 100644 index 0000000000..612845418e --- /dev/null +++ b/vendor/github.com/lann/builder/registry.go @@ -0,0 +1,59 @@ +package builder + +import ( + "reflect" + "sync" +) + +var ( + registry = make(map[reflect.Type]reflect.Type) + registryMux sync.RWMutex +) + +// RegisterType maps the given builderType to a structType. +// This mapping affects the type of slices returned by Get and is required for +// GetStruct to work. +// +// Returns a Value containing an empty instance of the registered builderType. +// +// RegisterType will panic if builderType's underlying type is not Builder or +// if structType's Kind is not Struct. +func RegisterType(builderType reflect.Type, structType reflect.Type) *reflect.Value { + registryMux.Lock() + defer registryMux.Unlock() + structType.NumField() // Panic if structType is not a struct + registry[builderType] = structType + emptyValue := emptyBuilderValue.Convert(builderType) + return &emptyValue +} + +// Register wraps RegisterType, taking instances instead of Types. +// +// Returns an empty instance of the registered builder type which can be used +// as the initial value for builder expressions. See example. +func Register(builderProto, structProto interface{}) interface{} { + empty := RegisterType( + reflect.TypeOf(builderProto), + reflect.TypeOf(structProto), + ).Interface() + return empty +} + +func getBuilderStructType(builderType reflect.Type) *reflect.Type { + registryMux.RLock() + defer registryMux.RUnlock() + structType, ok := registry[builderType] + if !ok { + return nil + } + return &structType +} + +func newBuilderStruct(builderType reflect.Type) *reflect.Value { + structType := getBuilderStructType(builderType) + if structType == nil { + return nil + } + newStruct := reflect.New(*structType).Elem() + return &newStruct +} diff --git a/vendor/github.com/lann/ps/LICENSE b/vendor/github.com/lann/ps/LICENSE new file mode 100644 index 0000000000..69f9ae8d5a --- /dev/null +++ b/vendor/github.com/lann/ps/LICENSE @@ -0,0 +1,7 @@ +Copyright (c) 2013 Michael Hendricks + +Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. diff --git a/vendor/github.com/lann/ps/README.md b/vendor/github.com/lann/ps/README.md new file mode 100644 index 0000000000..325a5b3540 --- /dev/null +++ b/vendor/github.com/lann/ps/README.md @@ -0,0 +1,10 @@ +**This is a stable fork of https://github.com/mndrix/ps; it will not introduce breaking changes.** + +ps +== + +Persistent data structures for Go. See the [full package documentation](http://godoc.org/github.com/lann/ps) + +Install with + + go get github.com/lann/ps diff --git a/vendor/github.com/lann/ps/list.go b/vendor/github.com/lann/ps/list.go new file mode 100644 index 0000000000..48a1cebacf --- /dev/null +++ b/vendor/github.com/lann/ps/list.go @@ -0,0 +1,93 @@ +package ps + +// List is a persistent list of possibly heterogenous values. +type List interface { + // IsNil returns true if the list is empty + IsNil() bool + + // Cons returns a new list with val as the head + Cons(val Any) List + + // Head returns the first element of the list; + // panics if the list is empty + Head() Any + + // Tail returns a list with all elements except the head; + // panics if the list is empty + Tail() List + + // Size returns the list's length. This takes O(1) time. + Size() int + + // ForEach executes a callback for each value in the list. + ForEach(f func(Any)) + + // Reverse returns a list whose elements are in the opposite order as + // the original list. + Reverse() List +} + +// Immutable (i.e. persistent) list +type list struct { + depth int // the number of nodes after, and including, this one + value Any + tail *list +} + +// An empty list shared by all lists +var nilList = &list{} + +// NewList returns a new, empty list. The result is a singly linked +// list implementation. All lists share an empty tail, so allocating +// empty lists is efficient in time and memory. +func NewList() List { + return nilList +} + +func (self *list) IsNil() bool { + return self == nilList +} + +func (self *list) Size() int { + return self.depth +} + +func (tail *list) Cons(val Any) List { + var xs list + xs.depth = tail.depth + 1 + xs.value = val + xs.tail = tail + return &xs +} + +func (self *list) Head() Any { + if self.IsNil() { + panic("Called Head() on an empty list") + } + + return self.value +} + +func (self *list) Tail() List { + if self.IsNil() { + panic("Called Tail() on an empty list") + } + + return self.tail +} + +// ForEach executes a callback for each value in the list +func (self *list) ForEach(f func(Any)) { + if self.IsNil() { + return + } + f(self.Head()) + self.Tail().ForEach(f) +} + +// Reverse returns a list with elements in opposite order as this list +func (self *list) Reverse() List { + reversed := NewList() + self.ForEach(func(v Any) { reversed = reversed.Cons(v) }) + return reversed +} diff --git a/vendor/github.com/lann/ps/map.go b/vendor/github.com/lann/ps/map.go new file mode 100644 index 0000000000..192daec8f3 --- /dev/null +++ b/vendor/github.com/lann/ps/map.go @@ -0,0 +1,311 @@ +// Fully persistent data structures. A persistent data structure is a data +// structure that always preserves the previous version of itself when +// it is modified. Such data structures are effectively immutable, +// as their operations do not update the structure in-place, but instead +// always yield a new structure. +// +// Persistent +// data structures typically share structure among themselves. This allows +// operations to avoid copying the entire data structure. +package ps + +import ( + "bytes" + "fmt" +) + +// Any is a shorthand for Go's verbose interface{} type. +type Any interface{} + +// A Map associates unique keys (type string) with values (type Any). +type Map interface { + // IsNil returns true if the Map is empty + IsNil() bool + + // Set returns a new map in which key and value are associated. + // If the key didn't exist before, it's created; otherwise, the + // associated value is changed. + // This operation is O(log N) in the number of keys. + Set(key string, value Any) Map + + // Delete returns a new map with the association for key, if any, removed. + // This operation is O(log N) in the number of keys. + Delete(key string) Map + + // Lookup returns the value associated with a key, if any. If the key + // exists, the second return value is true; otherwise, false. + // This operation is O(log N) in the number of keys. + Lookup(key string) (Any, bool) + + // Size returns the number of key value pairs in the map. + // This takes O(1) time. + Size() int + + // ForEach executes a callback on each key value pair in the map. + ForEach(f func(key string, val Any)) + + // Keys returns a slice with all keys in this map. + // This operation is O(N) in the number of keys. + Keys() []string + + String() string +} + +// Immutable (i.e. persistent) associative array +const childCount = 8 +const shiftSize = 3 + +type tree struct { + count int + hash uint64 // hash of the key (used for tree balancing) + key string + value Any + children [childCount]*tree +} + +var nilMap = &tree{} + +// Recursively set nilMap's subtrees to point at itself. +// This eliminates all nil pointers in the map structure. +// All map nodes are created by cloning this structure so +// they avoid the problem too. +func init() { + for i := range nilMap.children { + nilMap.children[i] = nilMap + } +} + +// NewMap allocates a new, persistent map from strings to values of +// any type. +// This is currently implemented as a path-copying binary tree. +func NewMap() Map { + return nilMap +} + +func (self *tree) IsNil() bool { + return self == nilMap +} + +// clone returns an exact duplicate of a tree node +func (self *tree) clone() *tree { + var m tree + m = *self + return &m +} + +// constants for FNV-1a hash algorithm +const ( + offset64 uint64 = 14695981039346656037 + prime64 uint64 = 1099511628211 +) + +// hashKey returns a hash code for a given string +func hashKey(key string) uint64 { + hash := offset64 + for _, codepoint := range key { + hash ^= uint64(codepoint) + hash *= prime64 + } + return hash +} + +// Set returns a new map similar to this one but with key and value +// associated. If the key didn't exist, it's created; otherwise, the +// associated value is changed. +func (self *tree) Set(key string, value Any) Map { + hash := hashKey(key) + return setLowLevel(self, hash, hash, key, value) +} + +func setLowLevel(self *tree, partialHash, hash uint64, key string, value Any) *tree { + if self.IsNil() { // an empty tree is easy + m := self.clone() + m.count = 1 + m.hash = hash + m.key = key + m.value = value + return m + } + + if hash != self.hash { + m := self.clone() + i := partialHash % childCount + m.children[i] = setLowLevel(self.children[i], partialHash>>shiftSize, hash, key, value) + recalculateCount(m) + return m + } + + // replacing a key's previous value + m := self.clone() + m.value = value + return m +} + +// modifies a map by recalculating its key count based on the counts +// of its subtrees +func recalculateCount(m *tree) { + count := 0 + for _, t := range m.children { + count += t.Size() + } + m.count = count + 1 // add one to count ourself +} + +func (m *tree) Delete(key string) Map { + hash := hashKey(key) + newMap, _ := deleteLowLevel(m, hash, hash) + return newMap +} + +func deleteLowLevel(self *tree, partialHash, hash uint64) (*tree, bool) { + // empty trees are easy + if self.IsNil() { + return self, false + } + + if hash != self.hash { + i := partialHash % childCount + child, found := deleteLowLevel(self.children[i], partialHash>>shiftSize, hash) + if !found { + return self, false + } + newMap := self.clone() + newMap.children[i] = child + recalculateCount(newMap) + return newMap, true // ? this wasn't in the original code + } + + // we must delete our own node + if self.isLeaf() { // we have no children + return nilMap, true + } + /* + if self.subtreeCount() == 1 { // only one subtree + for _, t := range self.children { + if t != nilMap { + return t, true + } + } + panic("Tree with 1 subtree actually had no subtrees") + } + */ + + // find a node to replace us + i := -1 + size := -1 + for j, t := range self.children { + if t.Size() > size { + i = j + size = t.Size() + } + } + + // make chosen leaf smaller + replacement, child := self.children[i].deleteLeftmost() + newMap := replacement.clone() + for j := range self.children { + if j == i { + newMap.children[j] = child + } else { + newMap.children[j] = self.children[j] + } + } + recalculateCount(newMap) + return newMap, true +} + +// delete the leftmost node in a tree returning the node that +// was deleted and the tree left over after its deletion +func (m *tree) deleteLeftmost() (*tree, *tree) { + if m.isLeaf() { + return m, nilMap + } + + for i, t := range m.children { + if t != nilMap { + deleted, child := t.deleteLeftmost() + newMap := m.clone() + newMap.children[i] = child + recalculateCount(newMap) + return deleted, newMap + } + } + panic("Tree isn't a leaf but also had no children. How does that happen?") +} + +// isLeaf returns true if this is a leaf node +func (m *tree) isLeaf() bool { + return m.Size() == 1 +} + +// returns the number of child subtrees we have +func (m *tree) subtreeCount() int { + count := 0 + for _, t := range m.children { + if t != nilMap { + count++ + } + } + return count +} + +func (m *tree) Lookup(key string) (Any, bool) { + hash := hashKey(key) + return lookupLowLevel(m, hash, hash) +} + +func lookupLowLevel(self *tree, partialHash, hash uint64) (Any, bool) { + if self.IsNil() { // an empty tree is easy + return nil, false + } + + if hash != self.hash { + i := partialHash % childCount + return lookupLowLevel(self.children[i], partialHash>>shiftSize, hash) + } + + // we found it + return self.value, true +} + +func (m *tree) Size() int { + return m.count +} + +func (m *tree) ForEach(f func(key string, val Any)) { + if m.IsNil() { + return + } + + // ourself + f(m.key, m.value) + + // children + for _, t := range m.children { + if t != nilMap { + t.ForEach(f) + } + } +} + +func (m *tree) Keys() []string { + keys := make([]string, m.Size()) + i := 0 + m.ForEach(func(k string, v Any) { + keys[i] = k + i++ + }) + return keys +} + +// make it easier to display maps for debugging +func (m *tree) String() string { + keys := m.Keys() + buf := bytes.NewBufferString("{") + for _, key := range keys { + val, _ := m.Lookup(key) + fmt.Fprintf(buf, "%s: %s, ", key, val) + } + fmt.Fprintf(buf, "}\n") + return buf.String() +} diff --git a/vendor/github.com/lann/ps/profile.sh b/vendor/github.com/lann/ps/profile.sh new file mode 100644 index 0000000000..f03df05a5a --- /dev/null +++ b/vendor/github.com/lann/ps/profile.sh @@ -0,0 +1,3 @@ +#!/bin/sh +go test -c +./ps.test -test.run=none -test.bench=$2 -test.$1profile=$1.profile diff --git a/vendor/github.com/lib/pq/.gitignore b/vendor/github.com/lib/pq/.gitignore new file mode 100644 index 0000000000..3243952a4d --- /dev/null +++ b/vendor/github.com/lib/pq/.gitignore @@ -0,0 +1,6 @@ +.db +*.test +*~ +*.swp +.idea +.vscode \ No newline at end of file diff --git a/vendor/github.com/lib/pq/LICENSE.md b/vendor/github.com/lib/pq/LICENSE.md new file mode 100644 index 0000000000..5773904a30 --- /dev/null +++ b/vendor/github.com/lib/pq/LICENSE.md @@ -0,0 +1,8 @@ +Copyright (c) 2011-2013, 'pq' Contributors +Portions Copyright (C) 2011 Blake Mizerany + +Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. diff --git a/vendor/github.com/lib/pq/README.md b/vendor/github.com/lib/pq/README.md new file mode 100644 index 0000000000..126ee5d35d --- /dev/null +++ b/vendor/github.com/lib/pq/README.md @@ -0,0 +1,36 @@ +# pq - A pure Go postgres driver for Go's database/sql package + +[![GoDoc](https://godoc.org/github.com/lib/pq?status.svg)](https://pkg.go.dev/github.com/lib/pq?tab=doc) + +## Install + + go get github.com/lib/pq + +## Features + +* SSL +* Handles bad connections for `database/sql` +* Scan `time.Time` correctly (i.e. `timestamp[tz]`, `time[tz]`, `date`) +* Scan binary blobs correctly (i.e. `bytea`) +* Package for `hstore` support +* COPY FROM support +* pq.ParseURL for converting urls to connection strings for sql.Open. +* Many libpq compatible environment variables +* Unix socket support +* Notifications: `LISTEN`/`NOTIFY` +* pgpass support +* GSS (Kerberos) auth + +## Tests + +`go test` is used for testing. See [TESTS.md](TESTS.md) for more details. + +## Status + +This package is currently in maintenance mode, which means: +1. It generally does not accept new features. +2. It does accept bug fixes and version compatability changes provided by the community. +3. Maintainers usually do not resolve reported issues. +4. Community members are encouraged to help each other with reported issues. + +For users that require new features or reliable resolution of reported bugs, we recommend using [pgx](https://github.com/jackc/pgx) which is under active development. diff --git a/vendor/github.com/lib/pq/TESTS.md b/vendor/github.com/lib/pq/TESTS.md new file mode 100644 index 0000000000..f05021115b --- /dev/null +++ b/vendor/github.com/lib/pq/TESTS.md @@ -0,0 +1,33 @@ +# Tests + +## Running Tests + +`go test` is used for testing. A running PostgreSQL +server is required, with the ability to log in. The +database to connect to test with is "pqgotest," on +"localhost" but these can be overridden using [environment +variables](https://www.postgresql.org/docs/9.3/static/libpq-envars.html). + +Example: + + PGHOST=/run/postgresql go test + +## Benchmarks + +A benchmark suite can be run as part of the tests: + + go test -bench . + +## Example setup (Docker) + +Run a postgres container: + +``` +docker run --expose 5432:5432 postgres +``` + +Run tests: + +``` +PGHOST=localhost PGPORT=5432 PGUSER=postgres PGSSLMODE=disable PGDATABASE=postgres go test +``` diff --git a/vendor/github.com/lib/pq/array.go b/vendor/github.com/lib/pq/array.go new file mode 100644 index 0000000000..39c8f7e2e0 --- /dev/null +++ b/vendor/github.com/lib/pq/array.go @@ -0,0 +1,895 @@ +package pq + +import ( + "bytes" + "database/sql" + "database/sql/driver" + "encoding/hex" + "fmt" + "reflect" + "strconv" + "strings" +) + +var typeByteSlice = reflect.TypeOf([]byte{}) +var typeDriverValuer = reflect.TypeOf((*driver.Valuer)(nil)).Elem() +var typeSQLScanner = reflect.TypeOf((*sql.Scanner)(nil)).Elem() + +// Array returns the optimal driver.Valuer and sql.Scanner for an array or +// slice of any dimension. +// +// For example: +// db.Query(`SELECT * FROM t WHERE id = ANY($1)`, pq.Array([]int{235, 401})) +// +// var x []sql.NullInt64 +// db.QueryRow(`SELECT ARRAY[235, 401]`).Scan(pq.Array(&x)) +// +// Scanning multi-dimensional arrays is not supported. Arrays where the lower +// bound is not one (such as `[0:0]={1}') are not supported. +func Array(a interface{}) interface { + driver.Valuer + sql.Scanner +} { + switch a := a.(type) { + case []bool: + return (*BoolArray)(&a) + case []float64: + return (*Float64Array)(&a) + case []float32: + return (*Float32Array)(&a) + case []int64: + return (*Int64Array)(&a) + case []int32: + return (*Int32Array)(&a) + case []string: + return (*StringArray)(&a) + case [][]byte: + return (*ByteaArray)(&a) + + case *[]bool: + return (*BoolArray)(a) + case *[]float64: + return (*Float64Array)(a) + case *[]float32: + return (*Float32Array)(a) + case *[]int64: + return (*Int64Array)(a) + case *[]int32: + return (*Int32Array)(a) + case *[]string: + return (*StringArray)(a) + case *[][]byte: + return (*ByteaArray)(a) + } + + return GenericArray{a} +} + +// ArrayDelimiter may be optionally implemented by driver.Valuer or sql.Scanner +// to override the array delimiter used by GenericArray. +type ArrayDelimiter interface { + // ArrayDelimiter returns the delimiter character(s) for this element's type. + ArrayDelimiter() string +} + +// BoolArray represents a one-dimensional array of the PostgreSQL boolean type. +type BoolArray []bool + +// Scan implements the sql.Scanner interface. +func (a *BoolArray) Scan(src interface{}) error { + switch src := src.(type) { + case []byte: + return a.scanBytes(src) + case string: + return a.scanBytes([]byte(src)) + case nil: + *a = nil + return nil + } + + return fmt.Errorf("pq: cannot convert %T to BoolArray", src) +} + +func (a *BoolArray) scanBytes(src []byte) error { + elems, err := scanLinearArray(src, []byte{','}, "BoolArray") + if err != nil { + return err + } + if *a != nil && len(elems) == 0 { + *a = (*a)[:0] + } else { + b := make(BoolArray, len(elems)) + for i, v := range elems { + if len(v) != 1 { + return fmt.Errorf("pq: could not parse boolean array index %d: invalid boolean %q", i, v) + } + switch v[0] { + case 't': + b[i] = true + case 'f': + b[i] = false + default: + return fmt.Errorf("pq: could not parse boolean array index %d: invalid boolean %q", i, v) + } + } + *a = b + } + return nil +} + +// Value implements the driver.Valuer interface. +func (a BoolArray) Value() (driver.Value, error) { + if a == nil { + return nil, nil + } + + if n := len(a); n > 0 { + // There will be exactly two curly brackets, N bytes of values, + // and N-1 bytes of delimiters. + b := make([]byte, 1+2*n) + + for i := 0; i < n; i++ { + b[2*i] = ',' + if a[i] { + b[1+2*i] = 't' + } else { + b[1+2*i] = 'f' + } + } + + b[0] = '{' + b[2*n] = '}' + + return string(b), nil + } + + return "{}", nil +} + +// ByteaArray represents a one-dimensional array of the PostgreSQL bytea type. +type ByteaArray [][]byte + +// Scan implements the sql.Scanner interface. +func (a *ByteaArray) Scan(src interface{}) error { + switch src := src.(type) { + case []byte: + return a.scanBytes(src) + case string: + return a.scanBytes([]byte(src)) + case nil: + *a = nil + return nil + } + + return fmt.Errorf("pq: cannot convert %T to ByteaArray", src) +} + +func (a *ByteaArray) scanBytes(src []byte) error { + elems, err := scanLinearArray(src, []byte{','}, "ByteaArray") + if err != nil { + return err + } + if *a != nil && len(elems) == 0 { + *a = (*a)[:0] + } else { + b := make(ByteaArray, len(elems)) + for i, v := range elems { + b[i], err = parseBytea(v) + if err != nil { + return fmt.Errorf("could not parse bytea array index %d: %s", i, err.Error()) + } + } + *a = b + } + return nil +} + +// Value implements the driver.Valuer interface. It uses the "hex" format which +// is only supported on PostgreSQL 9.0 or newer. +func (a ByteaArray) Value() (driver.Value, error) { + if a == nil { + return nil, nil + } + + if n := len(a); n > 0 { + // There will be at least two curly brackets, 2*N bytes of quotes, + // 3*N bytes of hex formatting, and N-1 bytes of delimiters. + size := 1 + 6*n + for _, x := range a { + size += hex.EncodedLen(len(x)) + } + + b := make([]byte, size) + + for i, s := 0, b; i < n; i++ { + o := copy(s, `,"\\x`) + o += hex.Encode(s[o:], a[i]) + s[o] = '"' + s = s[o+1:] + } + + b[0] = '{' + b[size-1] = '}' + + return string(b), nil + } + + return "{}", nil +} + +// Float64Array represents a one-dimensional array of the PostgreSQL double +// precision type. +type Float64Array []float64 + +// Scan implements the sql.Scanner interface. +func (a *Float64Array) Scan(src interface{}) error { + switch src := src.(type) { + case []byte: + return a.scanBytes(src) + case string: + return a.scanBytes([]byte(src)) + case nil: + *a = nil + return nil + } + + return fmt.Errorf("pq: cannot convert %T to Float64Array", src) +} + +func (a *Float64Array) scanBytes(src []byte) error { + elems, err := scanLinearArray(src, []byte{','}, "Float64Array") + if err != nil { + return err + } + if *a != nil && len(elems) == 0 { + *a = (*a)[:0] + } else { + b := make(Float64Array, len(elems)) + for i, v := range elems { + if b[i], err = strconv.ParseFloat(string(v), 64); err != nil { + return fmt.Errorf("pq: parsing array element index %d: %v", i, err) + } + } + *a = b + } + return nil +} + +// Value implements the driver.Valuer interface. +func (a Float64Array) Value() (driver.Value, error) { + if a == nil { + return nil, nil + } + + if n := len(a); n > 0 { + // There will be at least two curly brackets, N bytes of values, + // and N-1 bytes of delimiters. + b := make([]byte, 1, 1+2*n) + b[0] = '{' + + b = strconv.AppendFloat(b, a[0], 'f', -1, 64) + for i := 1; i < n; i++ { + b = append(b, ',') + b = strconv.AppendFloat(b, a[i], 'f', -1, 64) + } + + return string(append(b, '}')), nil + } + + return "{}", nil +} + +// Float32Array represents a one-dimensional array of the PostgreSQL double +// precision type. +type Float32Array []float32 + +// Scan implements the sql.Scanner interface. +func (a *Float32Array) Scan(src interface{}) error { + switch src := src.(type) { + case []byte: + return a.scanBytes(src) + case string: + return a.scanBytes([]byte(src)) + case nil: + *a = nil + return nil + } + + return fmt.Errorf("pq: cannot convert %T to Float32Array", src) +} + +func (a *Float32Array) scanBytes(src []byte) error { + elems, err := scanLinearArray(src, []byte{','}, "Float32Array") + if err != nil { + return err + } + if *a != nil && len(elems) == 0 { + *a = (*a)[:0] + } else { + b := make(Float32Array, len(elems)) + for i, v := range elems { + var x float64 + if x, err = strconv.ParseFloat(string(v), 32); err != nil { + return fmt.Errorf("pq: parsing array element index %d: %v", i, err) + } + b[i] = float32(x) + } + *a = b + } + return nil +} + +// Value implements the driver.Valuer interface. +func (a Float32Array) Value() (driver.Value, error) { + if a == nil { + return nil, nil + } + + if n := len(a); n > 0 { + // There will be at least two curly brackets, N bytes of values, + // and N-1 bytes of delimiters. + b := make([]byte, 1, 1+2*n) + b[0] = '{' + + b = strconv.AppendFloat(b, float64(a[0]), 'f', -1, 32) + for i := 1; i < n; i++ { + b = append(b, ',') + b = strconv.AppendFloat(b, float64(a[i]), 'f', -1, 32) + } + + return string(append(b, '}')), nil + } + + return "{}", nil +} + +// GenericArray implements the driver.Valuer and sql.Scanner interfaces for +// an array or slice of any dimension. +type GenericArray struct{ A interface{} } + +func (GenericArray) evaluateDestination(rt reflect.Type) (reflect.Type, func([]byte, reflect.Value) error, string) { + var assign func([]byte, reflect.Value) error + var del = "," + + // TODO calculate the assign function for other types + // TODO repeat this section on the element type of arrays or slices (multidimensional) + { + if reflect.PtrTo(rt).Implements(typeSQLScanner) { + // dest is always addressable because it is an element of a slice. + assign = func(src []byte, dest reflect.Value) (err error) { + ss := dest.Addr().Interface().(sql.Scanner) + if src == nil { + err = ss.Scan(nil) + } else { + err = ss.Scan(src) + } + return + } + goto FoundType + } + + assign = func([]byte, reflect.Value) error { + return fmt.Errorf("pq: scanning to %s is not implemented; only sql.Scanner", rt) + } + } + +FoundType: + + if ad, ok := reflect.Zero(rt).Interface().(ArrayDelimiter); ok { + del = ad.ArrayDelimiter() + } + + return rt, assign, del +} + +// Scan implements the sql.Scanner interface. +func (a GenericArray) Scan(src interface{}) error { + dpv := reflect.ValueOf(a.A) + switch { + case dpv.Kind() != reflect.Ptr: + return fmt.Errorf("pq: destination %T is not a pointer to array or slice", a.A) + case dpv.IsNil(): + return fmt.Errorf("pq: destination %T is nil", a.A) + } + + dv := dpv.Elem() + switch dv.Kind() { + case reflect.Slice: + case reflect.Array: + default: + return fmt.Errorf("pq: destination %T is not a pointer to array or slice", a.A) + } + + switch src := src.(type) { + case []byte: + return a.scanBytes(src, dv) + case string: + return a.scanBytes([]byte(src), dv) + case nil: + if dv.Kind() == reflect.Slice { + dv.Set(reflect.Zero(dv.Type())) + return nil + } + } + + return fmt.Errorf("pq: cannot convert %T to %s", src, dv.Type()) +} + +func (a GenericArray) scanBytes(src []byte, dv reflect.Value) error { + dtype, assign, del := a.evaluateDestination(dv.Type().Elem()) + dims, elems, err := parseArray(src, []byte(del)) + if err != nil { + return err + } + + // TODO allow multidimensional + + if len(dims) > 1 { + return fmt.Errorf("pq: scanning from multidimensional ARRAY%s is not implemented", + strings.Replace(fmt.Sprint(dims), " ", "][", -1)) + } + + // Treat a zero-dimensional array like an array with a single dimension of zero. + if len(dims) == 0 { + dims = append(dims, 0) + } + + for i, rt := 0, dv.Type(); i < len(dims); i, rt = i+1, rt.Elem() { + switch rt.Kind() { + case reflect.Slice: + case reflect.Array: + if rt.Len() != dims[i] { + return fmt.Errorf("pq: cannot convert ARRAY%s to %s", + strings.Replace(fmt.Sprint(dims), " ", "][", -1), dv.Type()) + } + default: + // TODO handle multidimensional + } + } + + values := reflect.MakeSlice(reflect.SliceOf(dtype), len(elems), len(elems)) + for i, e := range elems { + if err := assign(e, values.Index(i)); err != nil { + return fmt.Errorf("pq: parsing array element index %d: %v", i, err) + } + } + + // TODO handle multidimensional + + switch dv.Kind() { + case reflect.Slice: + dv.Set(values.Slice(0, dims[0])) + case reflect.Array: + for i := 0; i < dims[0]; i++ { + dv.Index(i).Set(values.Index(i)) + } + } + + return nil +} + +// Value implements the driver.Valuer interface. +func (a GenericArray) Value() (driver.Value, error) { + if a.A == nil { + return nil, nil + } + + rv := reflect.ValueOf(a.A) + + switch rv.Kind() { + case reflect.Slice: + if rv.IsNil() { + return nil, nil + } + case reflect.Array: + default: + return nil, fmt.Errorf("pq: Unable to convert %T to array", a.A) + } + + if n := rv.Len(); n > 0 { + // There will be at least two curly brackets, N bytes of values, + // and N-1 bytes of delimiters. + b := make([]byte, 0, 1+2*n) + + b, _, err := appendArray(b, rv, n) + return string(b), err + } + + return "{}", nil +} + +// Int64Array represents a one-dimensional array of the PostgreSQL integer types. +type Int64Array []int64 + +// Scan implements the sql.Scanner interface. +func (a *Int64Array) Scan(src interface{}) error { + switch src := src.(type) { + case []byte: + return a.scanBytes(src) + case string: + return a.scanBytes([]byte(src)) + case nil: + *a = nil + return nil + } + + return fmt.Errorf("pq: cannot convert %T to Int64Array", src) +} + +func (a *Int64Array) scanBytes(src []byte) error { + elems, err := scanLinearArray(src, []byte{','}, "Int64Array") + if err != nil { + return err + } + if *a != nil && len(elems) == 0 { + *a = (*a)[:0] + } else { + b := make(Int64Array, len(elems)) + for i, v := range elems { + if b[i], err = strconv.ParseInt(string(v), 10, 64); err != nil { + return fmt.Errorf("pq: parsing array element index %d: %v", i, err) + } + } + *a = b + } + return nil +} + +// Value implements the driver.Valuer interface. +func (a Int64Array) Value() (driver.Value, error) { + if a == nil { + return nil, nil + } + + if n := len(a); n > 0 { + // There will be at least two curly brackets, N bytes of values, + // and N-1 bytes of delimiters. + b := make([]byte, 1, 1+2*n) + b[0] = '{' + + b = strconv.AppendInt(b, a[0], 10) + for i := 1; i < n; i++ { + b = append(b, ',') + b = strconv.AppendInt(b, a[i], 10) + } + + return string(append(b, '}')), nil + } + + return "{}", nil +} + +// Int32Array represents a one-dimensional array of the PostgreSQL integer types. +type Int32Array []int32 + +// Scan implements the sql.Scanner interface. +func (a *Int32Array) Scan(src interface{}) error { + switch src := src.(type) { + case []byte: + return a.scanBytes(src) + case string: + return a.scanBytes([]byte(src)) + case nil: + *a = nil + return nil + } + + return fmt.Errorf("pq: cannot convert %T to Int32Array", src) +} + +func (a *Int32Array) scanBytes(src []byte) error { + elems, err := scanLinearArray(src, []byte{','}, "Int32Array") + if err != nil { + return err + } + if *a != nil && len(elems) == 0 { + *a = (*a)[:0] + } else { + b := make(Int32Array, len(elems)) + for i, v := range elems { + x, err := strconv.ParseInt(string(v), 10, 32) + if err != nil { + return fmt.Errorf("pq: parsing array element index %d: %v", i, err) + } + b[i] = int32(x) + } + *a = b + } + return nil +} + +// Value implements the driver.Valuer interface. +func (a Int32Array) Value() (driver.Value, error) { + if a == nil { + return nil, nil + } + + if n := len(a); n > 0 { + // There will be at least two curly brackets, N bytes of values, + // and N-1 bytes of delimiters. + b := make([]byte, 1, 1+2*n) + b[0] = '{' + + b = strconv.AppendInt(b, int64(a[0]), 10) + for i := 1; i < n; i++ { + b = append(b, ',') + b = strconv.AppendInt(b, int64(a[i]), 10) + } + + return string(append(b, '}')), nil + } + + return "{}", nil +} + +// StringArray represents a one-dimensional array of the PostgreSQL character types. +type StringArray []string + +// Scan implements the sql.Scanner interface. +func (a *StringArray) Scan(src interface{}) error { + switch src := src.(type) { + case []byte: + return a.scanBytes(src) + case string: + return a.scanBytes([]byte(src)) + case nil: + *a = nil + return nil + } + + return fmt.Errorf("pq: cannot convert %T to StringArray", src) +} + +func (a *StringArray) scanBytes(src []byte) error { + elems, err := scanLinearArray(src, []byte{','}, "StringArray") + if err != nil { + return err + } + if *a != nil && len(elems) == 0 { + *a = (*a)[:0] + } else { + b := make(StringArray, len(elems)) + for i, v := range elems { + if b[i] = string(v); v == nil { + return fmt.Errorf("pq: parsing array element index %d: cannot convert nil to string", i) + } + } + *a = b + } + return nil +} + +// Value implements the driver.Valuer interface. +func (a StringArray) Value() (driver.Value, error) { + if a == nil { + return nil, nil + } + + if n := len(a); n > 0 { + // There will be at least two curly brackets, 2*N bytes of quotes, + // and N-1 bytes of delimiters. + b := make([]byte, 1, 1+3*n) + b[0] = '{' + + b = appendArrayQuotedBytes(b, []byte(a[0])) + for i := 1; i < n; i++ { + b = append(b, ',') + b = appendArrayQuotedBytes(b, []byte(a[i])) + } + + return string(append(b, '}')), nil + } + + return "{}", nil +} + +// appendArray appends rv to the buffer, returning the extended buffer and +// the delimiter used between elements. +// +// It panics when n <= 0 or rv's Kind is not reflect.Array nor reflect.Slice. +func appendArray(b []byte, rv reflect.Value, n int) ([]byte, string, error) { + var del string + var err error + + b = append(b, '{') + + if b, del, err = appendArrayElement(b, rv.Index(0)); err != nil { + return b, del, err + } + + for i := 1; i < n; i++ { + b = append(b, del...) + if b, del, err = appendArrayElement(b, rv.Index(i)); err != nil { + return b, del, err + } + } + + return append(b, '}'), del, nil +} + +// appendArrayElement appends rv to the buffer, returning the extended buffer +// and the delimiter to use before the next element. +// +// When rv's Kind is neither reflect.Array nor reflect.Slice, it is converted +// using driver.DefaultParameterConverter and the resulting []byte or string +// is double-quoted. +// +// See http://www.postgresql.org/docs/current/static/arrays.html#ARRAYS-IO +func appendArrayElement(b []byte, rv reflect.Value) ([]byte, string, error) { + if k := rv.Kind(); k == reflect.Array || k == reflect.Slice { + if t := rv.Type(); t != typeByteSlice && !t.Implements(typeDriverValuer) { + if n := rv.Len(); n > 0 { + return appendArray(b, rv, n) + } + + return b, "", nil + } + } + + var del = "," + var err error + var iv interface{} = rv.Interface() + + if ad, ok := iv.(ArrayDelimiter); ok { + del = ad.ArrayDelimiter() + } + + if iv, err = driver.DefaultParameterConverter.ConvertValue(iv); err != nil { + return b, del, err + } + + switch v := iv.(type) { + case nil: + return append(b, "NULL"...), del, nil + case []byte: + return appendArrayQuotedBytes(b, v), del, nil + case string: + return appendArrayQuotedBytes(b, []byte(v)), del, nil + } + + b, err = appendValue(b, iv) + return b, del, err +} + +func appendArrayQuotedBytes(b, v []byte) []byte { + b = append(b, '"') + for { + i := bytes.IndexAny(v, `"\`) + if i < 0 { + b = append(b, v...) + break + } + if i > 0 { + b = append(b, v[:i]...) + } + b = append(b, '\\', v[i]) + v = v[i+1:] + } + return append(b, '"') +} + +func appendValue(b []byte, v driver.Value) ([]byte, error) { + return append(b, encode(nil, v, 0)...), nil +} + +// parseArray extracts the dimensions and elements of an array represented in +// text format. Only representations emitted by the backend are supported. +// Notably, whitespace around brackets and delimiters is significant, and NULL +// is case-sensitive. +// +// See http://www.postgresql.org/docs/current/static/arrays.html#ARRAYS-IO +func parseArray(src, del []byte) (dims []int, elems [][]byte, err error) { + var depth, i int + + if len(src) < 1 || src[0] != '{' { + return nil, nil, fmt.Errorf("pq: unable to parse array; expected %q at offset %d", '{', 0) + } + +Open: + for i < len(src) { + switch src[i] { + case '{': + depth++ + i++ + case '}': + elems = make([][]byte, 0) + goto Close + default: + break Open + } + } + dims = make([]int, i) + +Element: + for i < len(src) { + switch src[i] { + case '{': + if depth == len(dims) { + break Element + } + depth++ + dims[depth-1] = 0 + i++ + case '"': + var elem = []byte{} + var escape bool + for i++; i < len(src); i++ { + if escape { + elem = append(elem, src[i]) + escape = false + } else { + switch src[i] { + default: + elem = append(elem, src[i]) + case '\\': + escape = true + case '"': + elems = append(elems, elem) + i++ + break Element + } + } + } + default: + for start := i; i < len(src); i++ { + if bytes.HasPrefix(src[i:], del) || src[i] == '}' { + elem := src[start:i] + if len(elem) == 0 { + return nil, nil, fmt.Errorf("pq: unable to parse array; unexpected %q at offset %d", src[i], i) + } + if bytes.Equal(elem, []byte("NULL")) { + elem = nil + } + elems = append(elems, elem) + break Element + } + } + } + } + + for i < len(src) { + if bytes.HasPrefix(src[i:], del) && depth > 0 { + dims[depth-1]++ + i += len(del) + goto Element + } else if src[i] == '}' && depth > 0 { + dims[depth-1]++ + depth-- + i++ + } else { + return nil, nil, fmt.Errorf("pq: unable to parse array; unexpected %q at offset %d", src[i], i) + } + } + +Close: + for i < len(src) { + if src[i] == '}' && depth > 0 { + depth-- + i++ + } else { + return nil, nil, fmt.Errorf("pq: unable to parse array; unexpected %q at offset %d", src[i], i) + } + } + if depth > 0 { + err = fmt.Errorf("pq: unable to parse array; expected %q at offset %d", '}', i) + } + if err == nil { + for _, d := range dims { + if (len(elems) % d) != 0 { + err = fmt.Errorf("pq: multidimensional arrays must have elements with matching dimensions") + } + } + } + return +} + +func scanLinearArray(src, del []byte, typ string) (elems [][]byte, err error) { + dims, elems, err := parseArray(src, del) + if err != nil { + return nil, err + } + if len(dims) > 1 { + return nil, fmt.Errorf("pq: cannot convert ARRAY%s to %s", strings.Replace(fmt.Sprint(dims), " ", "][", -1), typ) + } + return elems, err +} diff --git a/vendor/github.com/lib/pq/buf.go b/vendor/github.com/lib/pq/buf.go new file mode 100644 index 0000000000..4b0a0a8f7e --- /dev/null +++ b/vendor/github.com/lib/pq/buf.go @@ -0,0 +1,91 @@ +package pq + +import ( + "bytes" + "encoding/binary" + + "github.com/lib/pq/oid" +) + +type readBuf []byte + +func (b *readBuf) int32() (n int) { + n = int(int32(binary.BigEndian.Uint32(*b))) + *b = (*b)[4:] + return +} + +func (b *readBuf) oid() (n oid.Oid) { + n = oid.Oid(binary.BigEndian.Uint32(*b)) + *b = (*b)[4:] + return +} + +// N.B: this is actually an unsigned 16-bit integer, unlike int32 +func (b *readBuf) int16() (n int) { + n = int(binary.BigEndian.Uint16(*b)) + *b = (*b)[2:] + return +} + +func (b *readBuf) string() string { + i := bytes.IndexByte(*b, 0) + if i < 0 { + errorf("invalid message format; expected string terminator") + } + s := (*b)[:i] + *b = (*b)[i+1:] + return string(s) +} + +func (b *readBuf) next(n int) (v []byte) { + v = (*b)[:n] + *b = (*b)[n:] + return +} + +func (b *readBuf) byte() byte { + return b.next(1)[0] +} + +type writeBuf struct { + buf []byte + pos int +} + +func (b *writeBuf) int32(n int) { + x := make([]byte, 4) + binary.BigEndian.PutUint32(x, uint32(n)) + b.buf = append(b.buf, x...) +} + +func (b *writeBuf) int16(n int) { + x := make([]byte, 2) + binary.BigEndian.PutUint16(x, uint16(n)) + b.buf = append(b.buf, x...) +} + +func (b *writeBuf) string(s string) { + b.buf = append(append(b.buf, s...), '\000') +} + +func (b *writeBuf) byte(c byte) { + b.buf = append(b.buf, c) +} + +func (b *writeBuf) bytes(v []byte) { + b.buf = append(b.buf, v...) +} + +func (b *writeBuf) wrap() []byte { + p := b.buf[b.pos:] + binary.BigEndian.PutUint32(p, uint32(len(p))) + return b.buf +} + +func (b *writeBuf) next(c byte) { + p := b.buf[b.pos:] + binary.BigEndian.PutUint32(p, uint32(len(p))) + b.pos = len(b.buf) + 1 + b.buf = append(b.buf, c, 0, 0, 0, 0) +} diff --git a/vendor/github.com/lib/pq/conn.go b/vendor/github.com/lib/pq/conn.go new file mode 100644 index 0000000000..da4ff9de60 --- /dev/null +++ b/vendor/github.com/lib/pq/conn.go @@ -0,0 +1,2112 @@ +package pq + +import ( + "bufio" + "bytes" + "context" + "crypto/md5" + "crypto/sha256" + "database/sql" + "database/sql/driver" + "encoding/binary" + "errors" + "fmt" + "io" + "net" + "os" + "os/user" + "path" + "path/filepath" + "strconv" + "strings" + "sync" + "time" + "unicode" + + "github.com/lib/pq/oid" + "github.com/lib/pq/scram" +) + +// Common error types +var ( + ErrNotSupported = errors.New("pq: Unsupported command") + ErrInFailedTransaction = errors.New("pq: Could not complete operation in a failed transaction") + ErrSSLNotSupported = errors.New("pq: SSL is not enabled on the server") + ErrSSLKeyUnknownOwnership = errors.New("pq: Could not get owner information for private key, may not be properly protected") + ErrSSLKeyHasWorldPermissions = errors.New("pq: Private key has world access. Permissions should be u=rw,g=r (0640) if owned by root, or u=rw (0600), or less") + + ErrCouldNotDetectUsername = errors.New("pq: Could not detect default username. Please provide one explicitly") + + errUnexpectedReady = errors.New("unexpected ReadyForQuery") + errNoRowsAffected = errors.New("no RowsAffected available after the empty statement") + errNoLastInsertID = errors.New("no LastInsertId available after the empty statement") +) + +// Compile time validation that our types implement the expected interfaces +var ( + _ driver.Driver = Driver{} +) + +// Driver is the Postgres database driver. +type Driver struct{} + +// Open opens a new connection to the database. name is a connection string. +// Most users should only use it through database/sql package from the standard +// library. +func (d Driver) Open(name string) (driver.Conn, error) { + return Open(name) +} + +func init() { + sql.Register("postgres", &Driver{}) +} + +type parameterStatus struct { + // server version in the same format as server_version_num, or 0 if + // unavailable + serverVersion int + + // the current location based on the TimeZone value of the session, if + // available + currentLocation *time.Location +} + +type transactionStatus byte + +const ( + txnStatusIdle transactionStatus = 'I' + txnStatusIdleInTransaction transactionStatus = 'T' + txnStatusInFailedTransaction transactionStatus = 'E' +) + +func (s transactionStatus) String() string { + switch s { + case txnStatusIdle: + return "idle" + case txnStatusIdleInTransaction: + return "idle in transaction" + case txnStatusInFailedTransaction: + return "in a failed transaction" + default: + errorf("unknown transactionStatus %d", s) + } + + panic("not reached") +} + +// Dialer is the dialer interface. It can be used to obtain more control over +// how pq creates network connections. +type Dialer interface { + Dial(network, address string) (net.Conn, error) + DialTimeout(network, address string, timeout time.Duration) (net.Conn, error) +} + +// DialerContext is the context-aware dialer interface. +type DialerContext interface { + DialContext(ctx context.Context, network, address string) (net.Conn, error) +} + +type defaultDialer struct { + d net.Dialer +} + +func (d defaultDialer) Dial(network, address string) (net.Conn, error) { + return d.d.Dial(network, address) +} +func (d defaultDialer) DialTimeout( + network, address string, timeout time.Duration, +) (net.Conn, error) { + ctx, cancel := context.WithTimeout(context.Background(), timeout) + defer cancel() + return d.DialContext(ctx, network, address) +} +func (d defaultDialer) DialContext(ctx context.Context, network, address string) (net.Conn, error) { + return d.d.DialContext(ctx, network, address) +} + +type conn struct { + c net.Conn + buf *bufio.Reader + namei int + scratch [512]byte + txnStatus transactionStatus + txnFinish func() + + // Save connection arguments to use during CancelRequest. + dialer Dialer + opts values + + // Cancellation key data for use with CancelRequest messages. + processID int + secretKey int + + parameterStatus parameterStatus + + saveMessageType byte + saveMessageBuffer []byte + + // If an error is set, this connection is bad and all public-facing + // functions should return the appropriate error by calling get() + // (ErrBadConn) or getForNext(). + err syncErr + + // If set, this connection should never use the binary format when + // receiving query results from prepared statements. Only provided for + // debugging. + disablePreparedBinaryResult bool + + // Whether to always send []byte parameters over as binary. Enables single + // round-trip mode for non-prepared Query calls. + binaryParameters bool + + // If true this connection is in the middle of a COPY + inCopy bool + + // If not nil, notices will be synchronously sent here + noticeHandler func(*Error) + + // If not nil, notifications will be synchronously sent here + notificationHandler func(*Notification) + + // GSSAPI context + gss GSS +} + +type syncErr struct { + err error + sync.Mutex +} + +// Return ErrBadConn if connection is bad. +func (e *syncErr) get() error { + e.Lock() + defer e.Unlock() + if e.err != nil { + return driver.ErrBadConn + } + return nil +} + +// Return the error set on the connection. Currently only used by rows.Next. +func (e *syncErr) getForNext() error { + e.Lock() + defer e.Unlock() + return e.err +} + +// Set error, only if it isn't set yet. +func (e *syncErr) set(err error) { + if err == nil { + panic("attempt to set nil err") + } + e.Lock() + defer e.Unlock() + if e.err == nil { + e.err = err + } +} + +// Handle driver-side settings in parsed connection string. +func (cn *conn) handleDriverSettings(o values) (err error) { + boolSetting := func(key string, val *bool) error { + if value, ok := o[key]; ok { + if value == "yes" { + *val = true + } else if value == "no" { + *val = false + } else { + return fmt.Errorf("unrecognized value %q for %s", value, key) + } + } + return nil + } + + err = boolSetting("disable_prepared_binary_result", &cn.disablePreparedBinaryResult) + if err != nil { + return err + } + return boolSetting("binary_parameters", &cn.binaryParameters) +} + +func (cn *conn) handlePgpass(o values) { + // if a password was supplied, do not process .pgpass + if _, ok := o["password"]; ok { + return + } + filename := os.Getenv("PGPASSFILE") + if filename == "" { + // XXX this code doesn't work on Windows where the default filename is + // XXX %APPDATA%\postgresql\pgpass.conf + // Prefer $HOME over user.Current due to glibc bug: golang.org/issue/13470 + userHome := os.Getenv("HOME") + if userHome == "" { + user, err := user.Current() + if err != nil { + return + } + userHome = user.HomeDir + } + filename = filepath.Join(userHome, ".pgpass") + } + fileinfo, err := os.Stat(filename) + if err != nil { + return + } + mode := fileinfo.Mode() + if mode&(0x77) != 0 { + // XXX should warn about incorrect .pgpass permissions as psql does + return + } + file, err := os.Open(filename) + if err != nil { + return + } + defer file.Close() + scanner := bufio.NewScanner(io.Reader(file)) + // From: https://github.com/tg/pgpass/blob/master/reader.go + for scanner.Scan() { + if scanText(scanner.Text(), o) { + break + } + } +} + +// GetFields is a helper function for scanText. +func getFields(s string) []string { + fs := make([]string, 0, 5) + f := make([]rune, 0, len(s)) + + var esc bool + for _, c := range s { + switch { + case esc: + f = append(f, c) + esc = false + case c == '\\': + esc = true + case c == ':': + fs = append(fs, string(f)) + f = f[:0] + default: + f = append(f, c) + } + } + return append(fs, string(f)) +} + +// ScanText assists HandlePgpass in it's objective. +func scanText(line string, o values) bool { + hostname := o["host"] + ntw, _ := network(o) + port := o["port"] + db := o["dbname"] + username := o["user"] + if len(line) == 0 || line[0] == '#' { + return false + } + split := getFields(line) + if len(split) != 5 { + return false + } + if (split[0] == "*" || split[0] == hostname || (split[0] == "localhost" && (hostname == "" || ntw == "unix"))) && (split[1] == "*" || split[1] == port) && (split[2] == "*" || split[2] == db) && (split[3] == "*" || split[3] == username) { + o["password"] = split[4] + return true + } + return false +} + +func (cn *conn) writeBuf(b byte) *writeBuf { + cn.scratch[0] = b + return &writeBuf{ + buf: cn.scratch[:5], + pos: 1, + } +} + +// Open opens a new connection to the database. dsn is a connection string. +// Most users should only use it through database/sql package from the standard +// library. +func Open(dsn string) (_ driver.Conn, err error) { + return DialOpen(defaultDialer{}, dsn) +} + +// DialOpen opens a new connection to the database using a dialer. +func DialOpen(d Dialer, dsn string) (_ driver.Conn, err error) { + c, err := NewConnector(dsn) + if err != nil { + return nil, err + } + c.Dialer(d) + return c.open(context.Background()) +} + +func (c *Connector) open(ctx context.Context) (cn *conn, err error) { + // Handle any panics during connection initialization. Note that we + // specifically do *not* want to use errRecover(), as that would turn any + // connection errors into ErrBadConns, hiding the real error message from + // the user. + defer errRecoverNoErrBadConn(&err) + + // Create a new values map (copy). This makes it so maps in different + // connections do not reference the same underlying data structure, so it + // is safe for multiple connections to concurrently write to their opts. + o := make(values) + for k, v := range c.opts { + o[k] = v + } + + cn = &conn{ + opts: o, + dialer: c.dialer, + } + err = cn.handleDriverSettings(o) + if err != nil { + return nil, err + } + cn.handlePgpass(o) + + cn.c, err = dial(ctx, c.dialer, o) + if err != nil { + return nil, err + } + + err = cn.ssl(o) + if err != nil { + if cn.c != nil { + cn.c.Close() + } + return nil, err + } + + // cn.startup panics on error. Make sure we don't leak cn.c. + panicking := true + defer func() { + if panicking { + cn.c.Close() + } + }() + + cn.buf = bufio.NewReader(cn.c) + cn.startup(o) + + // reset the deadline, in case one was set (see dial) + if timeout, ok := o["connect_timeout"]; ok && timeout != "0" { + err = cn.c.SetDeadline(time.Time{}) + } + panicking = false + return cn, err +} + +func dial(ctx context.Context, d Dialer, o values) (net.Conn, error) { + network, address := network(o) + + // Zero or not specified means wait indefinitely. + if timeout, ok := o["connect_timeout"]; ok && timeout != "0" { + seconds, err := strconv.ParseInt(timeout, 10, 0) + if err != nil { + return nil, fmt.Errorf("invalid value for parameter connect_timeout: %s", err) + } + duration := time.Duration(seconds) * time.Second + + // connect_timeout should apply to the entire connection establishment + // procedure, so we both use a timeout for the TCP connection + // establishment and set a deadline for doing the initial handshake. + // The deadline is then reset after startup() is done. + deadline := time.Now().Add(duration) + var conn net.Conn + if dctx, ok := d.(DialerContext); ok { + ctx, cancel := context.WithTimeout(ctx, duration) + defer cancel() + conn, err = dctx.DialContext(ctx, network, address) + } else { + conn, err = d.DialTimeout(network, address, duration) + } + if err != nil { + return nil, err + } + err = conn.SetDeadline(deadline) + return conn, err + } + if dctx, ok := d.(DialerContext); ok { + return dctx.DialContext(ctx, network, address) + } + return d.Dial(network, address) +} + +func network(o values) (string, string) { + host := o["host"] + + if strings.HasPrefix(host, "/") { + sockPath := path.Join(host, ".s.PGSQL."+o["port"]) + return "unix", sockPath + } + + return "tcp", net.JoinHostPort(host, o["port"]) +} + +type values map[string]string + +// scanner implements a tokenizer for libpq-style option strings. +type scanner struct { + s []rune + i int +} + +// newScanner returns a new scanner initialized with the option string s. +func newScanner(s string) *scanner { + return &scanner{[]rune(s), 0} +} + +// Next returns the next rune. +// It returns 0, false if the end of the text has been reached. +func (s *scanner) Next() (rune, bool) { + if s.i >= len(s.s) { + return 0, false + } + r := s.s[s.i] + s.i++ + return r, true +} + +// SkipSpaces returns the next non-whitespace rune. +// It returns 0, false if the end of the text has been reached. +func (s *scanner) SkipSpaces() (rune, bool) { + r, ok := s.Next() + for unicode.IsSpace(r) && ok { + r, ok = s.Next() + } + return r, ok +} + +// parseOpts parses the options from name and adds them to the values. +// +// The parsing code is based on conninfo_parse from libpq's fe-connect.c +func parseOpts(name string, o values) error { + s := newScanner(name) + + for { + var ( + keyRunes, valRunes []rune + r rune + ok bool + ) + + if r, ok = s.SkipSpaces(); !ok { + break + } + + // Scan the key + for !unicode.IsSpace(r) && r != '=' { + keyRunes = append(keyRunes, r) + if r, ok = s.Next(); !ok { + break + } + } + + // Skip any whitespace if we're not at the = yet + if r != '=' { + r, ok = s.SkipSpaces() + } + + // The current character should be = + if r != '=' || !ok { + return fmt.Errorf(`missing "=" after %q in connection info string"`, string(keyRunes)) + } + + // Skip any whitespace after the = + if r, ok = s.SkipSpaces(); !ok { + // If we reach the end here, the last value is just an empty string as per libpq. + o[string(keyRunes)] = "" + break + } + + if r != '\'' { + for !unicode.IsSpace(r) { + if r == '\\' { + if r, ok = s.Next(); !ok { + return fmt.Errorf(`missing character after backslash`) + } + } + valRunes = append(valRunes, r) + + if r, ok = s.Next(); !ok { + break + } + } + } else { + quote: + for { + if r, ok = s.Next(); !ok { + return fmt.Errorf(`unterminated quoted string literal in connection string`) + } + switch r { + case '\'': + break quote + case '\\': + r, _ = s.Next() + fallthrough + default: + valRunes = append(valRunes, r) + } + } + } + + o[string(keyRunes)] = string(valRunes) + } + + return nil +} + +func (cn *conn) isInTransaction() bool { + return cn.txnStatus == txnStatusIdleInTransaction || + cn.txnStatus == txnStatusInFailedTransaction +} + +func (cn *conn) checkIsInTransaction(intxn bool) { + if cn.isInTransaction() != intxn { + cn.err.set(driver.ErrBadConn) + errorf("unexpected transaction status %v", cn.txnStatus) + } +} + +func (cn *conn) Begin() (_ driver.Tx, err error) { + return cn.begin("") +} + +func (cn *conn) begin(mode string) (_ driver.Tx, err error) { + if err := cn.err.get(); err != nil { + return nil, err + } + defer cn.errRecover(&err) + + cn.checkIsInTransaction(false) + _, commandTag, err := cn.simpleExec("BEGIN" + mode) + if err != nil { + return nil, err + } + if commandTag != "BEGIN" { + cn.err.set(driver.ErrBadConn) + return nil, fmt.Errorf("unexpected command tag %s", commandTag) + } + if cn.txnStatus != txnStatusIdleInTransaction { + cn.err.set(driver.ErrBadConn) + return nil, fmt.Errorf("unexpected transaction status %v", cn.txnStatus) + } + return cn, nil +} + +func (cn *conn) closeTxn() { + if finish := cn.txnFinish; finish != nil { + finish() + } +} + +func (cn *conn) Commit() (err error) { + defer cn.closeTxn() + if err := cn.err.get(); err != nil { + return err + } + defer cn.errRecover(&err) + + cn.checkIsInTransaction(true) + // We don't want the client to think that everything is okay if it tries + // to commit a failed transaction. However, no matter what we return, + // database/sql will release this connection back into the free connection + // pool so we have to abort the current transaction here. Note that you + // would get the same behaviour if you issued a COMMIT in a failed + // transaction, so it's also the least surprising thing to do here. + if cn.txnStatus == txnStatusInFailedTransaction { + if err := cn.rollback(); err != nil { + return err + } + return ErrInFailedTransaction + } + + _, commandTag, err := cn.simpleExec("COMMIT") + if err != nil { + if cn.isInTransaction() { + cn.err.set(driver.ErrBadConn) + } + return err + } + if commandTag != "COMMIT" { + cn.err.set(driver.ErrBadConn) + return fmt.Errorf("unexpected command tag %s", commandTag) + } + cn.checkIsInTransaction(false) + return nil +} + +func (cn *conn) Rollback() (err error) { + defer cn.closeTxn() + if err := cn.err.get(); err != nil { + return err + } + defer cn.errRecover(&err) + return cn.rollback() +} + +func (cn *conn) rollback() (err error) { + cn.checkIsInTransaction(true) + _, commandTag, err := cn.simpleExec("ROLLBACK") + if err != nil { + if cn.isInTransaction() { + cn.err.set(driver.ErrBadConn) + } + return err + } + if commandTag != "ROLLBACK" { + return fmt.Errorf("unexpected command tag %s", commandTag) + } + cn.checkIsInTransaction(false) + return nil +} + +func (cn *conn) gname() string { + cn.namei++ + return strconv.FormatInt(int64(cn.namei), 10) +} + +func (cn *conn) simpleExec(q string) (res driver.Result, commandTag string, err error) { + b := cn.writeBuf('Q') + b.string(q) + cn.send(b) + + for { + t, r := cn.recv1() + switch t { + case 'C': + res, commandTag = cn.parseComplete(r.string()) + case 'Z': + cn.processReadyForQuery(r) + if res == nil && err == nil { + err = errUnexpectedReady + } + // done + return + case 'E': + err = parseError(r) + case 'I': + res = emptyRows + case 'T', 'D': + // ignore any results + default: + cn.err.set(driver.ErrBadConn) + errorf("unknown response for simple query: %q", t) + } + } +} + +func (cn *conn) simpleQuery(q string) (res *rows, err error) { + defer cn.errRecover(&err) + + b := cn.writeBuf('Q') + b.string(q) + cn.send(b) + + for { + t, r := cn.recv1() + switch t { + case 'C', 'I': + // We allow queries which don't return any results through Query as + // well as Exec. We still have to give database/sql a rows object + // the user can close, though, to avoid connections from being + // leaked. A "rows" with done=true works fine for that purpose. + if err != nil { + cn.err.set(driver.ErrBadConn) + errorf("unexpected message %q in simple query execution", t) + } + if res == nil { + res = &rows{ + cn: cn, + } + } + // Set the result and tag to the last command complete if there wasn't a + // query already run. Although queries usually return from here and cede + // control to Next, a query with zero results does not. + if t == 'C' { + res.result, res.tag = cn.parseComplete(r.string()) + if res.colNames != nil { + return + } + } + res.done = true + case 'Z': + cn.processReadyForQuery(r) + // done + return + case 'E': + res = nil + err = parseError(r) + case 'D': + if res == nil { + cn.err.set(driver.ErrBadConn) + errorf("unexpected DataRow in simple query execution") + } + // the query didn't fail; kick off to Next + cn.saveMessage(t, r) + return + case 'T': + // res might be non-nil here if we received a previous + // CommandComplete, but that's fine; just overwrite it + res = &rows{cn: cn} + res.rowsHeader = parsePortalRowDescribe(r) + + // To work around a bug in QueryRow in Go 1.2 and earlier, wait + // until the first DataRow has been received. + default: + cn.err.set(driver.ErrBadConn) + errorf("unknown response for simple query: %q", t) + } + } +} + +type noRows struct{} + +var emptyRows noRows + +var _ driver.Result = noRows{} + +func (noRows) LastInsertId() (int64, error) { + return 0, errNoLastInsertID +} + +func (noRows) RowsAffected() (int64, error) { + return 0, errNoRowsAffected +} + +// Decides which column formats to use for a prepared statement. The input is +// an array of type oids, one element per result column. +func decideColumnFormats( + colTyps []fieldDesc, forceText bool, +) (colFmts []format, colFmtData []byte) { + if len(colTyps) == 0 { + return nil, colFmtDataAllText + } + + colFmts = make([]format, len(colTyps)) + if forceText { + return colFmts, colFmtDataAllText + } + + allBinary := true + allText := true + for i, t := range colTyps { + switch t.OID { + // This is the list of types to use binary mode for when receiving them + // through a prepared statement. If a type appears in this list, it + // must also be implemented in binaryDecode in encode.go. + case oid.T_bytea: + fallthrough + case oid.T_int8: + fallthrough + case oid.T_int4: + fallthrough + case oid.T_int2: + fallthrough + case oid.T_uuid: + colFmts[i] = formatBinary + allText = false + + default: + allBinary = false + } + } + + if allBinary { + return colFmts, colFmtDataAllBinary + } else if allText { + return colFmts, colFmtDataAllText + } else { + colFmtData = make([]byte, 2+len(colFmts)*2) + binary.BigEndian.PutUint16(colFmtData, uint16(len(colFmts))) + for i, v := range colFmts { + binary.BigEndian.PutUint16(colFmtData[2+i*2:], uint16(v)) + } + return colFmts, colFmtData + } +} + +func (cn *conn) prepareTo(q, stmtName string) *stmt { + st := &stmt{cn: cn, name: stmtName} + + b := cn.writeBuf('P') + b.string(st.name) + b.string(q) + b.int16(0) + + b.next('D') + b.byte('S') + b.string(st.name) + + b.next('S') + cn.send(b) + + cn.readParseResponse() + st.paramTyps, st.colNames, st.colTyps = cn.readStatementDescribeResponse() + st.colFmts, st.colFmtData = decideColumnFormats(st.colTyps, cn.disablePreparedBinaryResult) + cn.readReadyForQuery() + return st +} + +func (cn *conn) Prepare(q string) (_ driver.Stmt, err error) { + if err := cn.err.get(); err != nil { + return nil, err + } + defer cn.errRecover(&err) + + if len(q) >= 4 && strings.EqualFold(q[:4], "COPY") { + s, err := cn.prepareCopyIn(q) + if err == nil { + cn.inCopy = true + } + return s, err + } + return cn.prepareTo(q, cn.gname()), nil +} + +func (cn *conn) Close() (err error) { + // Skip cn.bad return here because we always want to close a connection. + defer cn.errRecover(&err) + + // Ensure that cn.c.Close is always run. Since error handling is done with + // panics and cn.errRecover, the Close must be in a defer. + defer func() { + cerr := cn.c.Close() + if err == nil { + err = cerr + } + }() + + // Don't go through send(); ListenerConn relies on us not scribbling on the + // scratch buffer of this connection. + return cn.sendSimpleMessage('X') +} + +// Implement the "Queryer" interface +func (cn *conn) Query(query string, args []driver.Value) (driver.Rows, error) { + return cn.query(query, args) +} + +func (cn *conn) query(query string, args []driver.Value) (_ *rows, err error) { + if err := cn.err.get(); err != nil { + return nil, err + } + if cn.inCopy { + return nil, errCopyInProgress + } + defer cn.errRecover(&err) + + // Check to see if we can use the "simpleQuery" interface, which is + // *much* faster than going through prepare/exec + if len(args) == 0 { + return cn.simpleQuery(query) + } + + if cn.binaryParameters { + cn.sendBinaryModeQuery(query, args) + + cn.readParseResponse() + cn.readBindResponse() + rows := &rows{cn: cn} + rows.rowsHeader = cn.readPortalDescribeResponse() + cn.postExecuteWorkaround() + return rows, nil + } + st := cn.prepareTo(query, "") + st.exec(args) + return &rows{ + cn: cn, + rowsHeader: st.rowsHeader, + }, nil +} + +// Implement the optional "Execer" interface for one-shot queries +func (cn *conn) Exec(query string, args []driver.Value) (res driver.Result, err error) { + if err := cn.err.get(); err != nil { + return nil, err + } + defer cn.errRecover(&err) + + // Check to see if we can use the "simpleExec" interface, which is + // *much* faster than going through prepare/exec + if len(args) == 0 { + // ignore commandTag, our caller doesn't care + r, _, err := cn.simpleExec(query) + return r, err + } + + if cn.binaryParameters { + cn.sendBinaryModeQuery(query, args) + + cn.readParseResponse() + cn.readBindResponse() + cn.readPortalDescribeResponse() + cn.postExecuteWorkaround() + res, _, err = cn.readExecuteResponse("Execute") + return res, err + } + // Use the unnamed statement to defer planning until bind + // time, or else value-based selectivity estimates cannot be + // used. + st := cn.prepareTo(query, "") + r, err := st.Exec(args) + if err != nil { + panic(err) + } + return r, err +} + +type safeRetryError struct { + Err error +} + +func (se *safeRetryError) Error() string { + return se.Err.Error() +} + +func (cn *conn) send(m *writeBuf) { + n, err := cn.c.Write(m.wrap()) + if err != nil { + if n == 0 { + err = &safeRetryError{Err: err} + } + panic(err) + } +} + +func (cn *conn) sendStartupPacket(m *writeBuf) error { + _, err := cn.c.Write((m.wrap())[1:]) + return err +} + +// Send a message of type typ to the server on the other end of cn. The +// message should have no payload. This method does not use the scratch +// buffer. +func (cn *conn) sendSimpleMessage(typ byte) (err error) { + _, err = cn.c.Write([]byte{typ, '\x00', '\x00', '\x00', '\x04'}) + return err +} + +// saveMessage memorizes a message and its buffer in the conn struct. +// recvMessage will then return these values on the next call to it. This +// method is useful in cases where you have to see what the next message is +// going to be (e.g. to see whether it's an error or not) but you can't handle +// the message yourself. +func (cn *conn) saveMessage(typ byte, buf *readBuf) { + if cn.saveMessageType != 0 { + cn.err.set(driver.ErrBadConn) + errorf("unexpected saveMessageType %d", cn.saveMessageType) + } + cn.saveMessageType = typ + cn.saveMessageBuffer = *buf +} + +// recvMessage receives any message from the backend, or returns an error if +// a problem occurred while reading the message. +func (cn *conn) recvMessage(r *readBuf) (byte, error) { + // workaround for a QueryRow bug, see exec + if cn.saveMessageType != 0 { + t := cn.saveMessageType + *r = cn.saveMessageBuffer + cn.saveMessageType = 0 + cn.saveMessageBuffer = nil + return t, nil + } + + x := cn.scratch[:5] + _, err := io.ReadFull(cn.buf, x) + if err != nil { + return 0, err + } + + // read the type and length of the message that follows + t := x[0] + n := int(binary.BigEndian.Uint32(x[1:])) - 4 + var y []byte + if n <= len(cn.scratch) { + y = cn.scratch[:n] + } else { + y = make([]byte, n) + } + _, err = io.ReadFull(cn.buf, y) + if err != nil { + return 0, err + } + *r = y + return t, nil +} + +// recv receives a message from the backend, but if an error happened while +// reading the message or the received message was an ErrorResponse, it panics. +// NoticeResponses are ignored. This function should generally be used only +// during the startup sequence. +func (cn *conn) recv() (t byte, r *readBuf) { + for { + var err error + r = &readBuf{} + t, err = cn.recvMessage(r) + if err != nil { + panic(err) + } + switch t { + case 'E': + panic(parseError(r)) + case 'N': + if n := cn.noticeHandler; n != nil { + n(parseError(r)) + } + case 'A': + if n := cn.notificationHandler; n != nil { + n(recvNotification(r)) + } + default: + return + } + } +} + +// recv1Buf is exactly equivalent to recv1, except it uses a buffer supplied by +// the caller to avoid an allocation. +func (cn *conn) recv1Buf(r *readBuf) byte { + for { + t, err := cn.recvMessage(r) + if err != nil { + panic(err) + } + + switch t { + case 'A': + if n := cn.notificationHandler; n != nil { + n(recvNotification(r)) + } + case 'N': + if n := cn.noticeHandler; n != nil { + n(parseError(r)) + } + case 'S': + cn.processParameterStatus(r) + default: + return t + } + } +} + +// recv1 receives a message from the backend, panicking if an error occurs +// while attempting to read it. All asynchronous messages are ignored, with +// the exception of ErrorResponse. +func (cn *conn) recv1() (t byte, r *readBuf) { + r = &readBuf{} + t = cn.recv1Buf(r) + return t, r +} + +func (cn *conn) ssl(o values) error { + upgrade, err := ssl(o) + if err != nil { + return err + } + + if upgrade == nil { + // Nothing to do + return nil + } + + w := cn.writeBuf(0) + w.int32(80877103) + if err = cn.sendStartupPacket(w); err != nil { + return err + } + + b := cn.scratch[:1] + _, err = io.ReadFull(cn.c, b) + if err != nil { + return err + } + + if b[0] != 'S' { + return ErrSSLNotSupported + } + + cn.c, err = upgrade(cn.c) + return err +} + +// isDriverSetting returns true iff a setting is purely for configuring the +// driver's options and should not be sent to the server in the connection +// startup packet. +func isDriverSetting(key string) bool { + switch key { + case "host", "port": + return true + case "password": + return true + case "sslmode", "sslcert", "sslkey", "sslrootcert", "sslinline", "sslsni": + return true + case "fallback_application_name": + return true + case "connect_timeout": + return true + case "disable_prepared_binary_result": + return true + case "binary_parameters": + return true + case "krbsrvname": + return true + case "krbspn": + return true + default: + return false + } +} + +func (cn *conn) startup(o values) { + w := cn.writeBuf(0) + w.int32(196608) + // Send the backend the name of the database we want to connect to, and the + // user we want to connect as. Additionally, we send over any run-time + // parameters potentially included in the connection string. If the server + // doesn't recognize any of them, it will reply with an error. + for k, v := range o { + if isDriverSetting(k) { + // skip options which can't be run-time parameters + continue + } + // The protocol requires us to supply the database name as "database" + // instead of "dbname". + if k == "dbname" { + k = "database" + } + w.string(k) + w.string(v) + } + w.string("") + if err := cn.sendStartupPacket(w); err != nil { + panic(err) + } + + for { + t, r := cn.recv() + switch t { + case 'K': + cn.processBackendKeyData(r) + case 'S': + cn.processParameterStatus(r) + case 'R': + cn.auth(r, o) + case 'Z': + cn.processReadyForQuery(r) + return + default: + errorf("unknown response for startup: %q", t) + } + } +} + +func (cn *conn) auth(r *readBuf, o values) { + switch code := r.int32(); code { + case 0: + // OK + case 3: + w := cn.writeBuf('p') + w.string(o["password"]) + cn.send(w) + + t, r := cn.recv() + if t != 'R' { + errorf("unexpected password response: %q", t) + } + + if r.int32() != 0 { + errorf("unexpected authentication response: %q", t) + } + case 5: + s := string(r.next(4)) + w := cn.writeBuf('p') + w.string("md5" + md5s(md5s(o["password"]+o["user"])+s)) + cn.send(w) + + t, r := cn.recv() + if t != 'R' { + errorf("unexpected password response: %q", t) + } + + if r.int32() != 0 { + errorf("unexpected authentication response: %q", t) + } + case 7: // GSSAPI, startup + if newGss == nil { + errorf("kerberos error: no GSSAPI provider registered (import github.com/lib/pq/auth/kerberos if you need Kerberos support)") + } + cli, err := newGss() + if err != nil { + errorf("kerberos error: %s", err.Error()) + } + + var token []byte + + if spn, ok := o["krbspn"]; ok { + // Use the supplied SPN if provided.. + token, err = cli.GetInitTokenFromSpn(spn) + } else { + // Allow the kerberos service name to be overridden + service := "postgres" + if val, ok := o["krbsrvname"]; ok { + service = val + } + + token, err = cli.GetInitToken(o["host"], service) + } + + if err != nil { + errorf("failed to get Kerberos ticket: %q", err) + } + + w := cn.writeBuf('p') + w.bytes(token) + cn.send(w) + + // Store for GSSAPI continue message + cn.gss = cli + + case 8: // GSSAPI continue + + if cn.gss == nil { + errorf("GSSAPI protocol error") + } + + b := []byte(*r) + + done, tokOut, err := cn.gss.Continue(b) + if err == nil && !done { + w := cn.writeBuf('p') + w.bytes(tokOut) + cn.send(w) + } + + // Errors fall through and read the more detailed message + // from the server.. + + case 10: + sc := scram.NewClient(sha256.New, o["user"], o["password"]) + sc.Step(nil) + if sc.Err() != nil { + errorf("SCRAM-SHA-256 error: %s", sc.Err().Error()) + } + scOut := sc.Out() + + w := cn.writeBuf('p') + w.string("SCRAM-SHA-256") + w.int32(len(scOut)) + w.bytes(scOut) + cn.send(w) + + t, r := cn.recv() + if t != 'R' { + errorf("unexpected password response: %q", t) + } + + if r.int32() != 11 { + errorf("unexpected authentication response: %q", t) + } + + nextStep := r.next(len(*r)) + sc.Step(nextStep) + if sc.Err() != nil { + errorf("SCRAM-SHA-256 error: %s", sc.Err().Error()) + } + + scOut = sc.Out() + w = cn.writeBuf('p') + w.bytes(scOut) + cn.send(w) + + t, r = cn.recv() + if t != 'R' { + errorf("unexpected password response: %q", t) + } + + if r.int32() != 12 { + errorf("unexpected authentication response: %q", t) + } + + nextStep = r.next(len(*r)) + sc.Step(nextStep) + if sc.Err() != nil { + errorf("SCRAM-SHA-256 error: %s", sc.Err().Error()) + } + + default: + errorf("unknown authentication response: %d", code) + } +} + +type format int + +const formatText format = 0 +const formatBinary format = 1 + +// One result-column format code with the value 1 (i.e. all binary). +var colFmtDataAllBinary = []byte{0, 1, 0, 1} + +// No result-column format codes (i.e. all text). +var colFmtDataAllText = []byte{0, 0} + +type stmt struct { + cn *conn + name string + rowsHeader + colFmtData []byte + paramTyps []oid.Oid + closed bool +} + +func (st *stmt) Close() (err error) { + if st.closed { + return nil + } + if err := st.cn.err.get(); err != nil { + return err + } + defer st.cn.errRecover(&err) + + w := st.cn.writeBuf('C') + w.byte('S') + w.string(st.name) + st.cn.send(w) + + st.cn.send(st.cn.writeBuf('S')) + + t, _ := st.cn.recv1() + if t != '3' { + st.cn.err.set(driver.ErrBadConn) + errorf("unexpected close response: %q", t) + } + st.closed = true + + t, r := st.cn.recv1() + if t != 'Z' { + st.cn.err.set(driver.ErrBadConn) + errorf("expected ready for query, but got: %q", t) + } + st.cn.processReadyForQuery(r) + + return nil +} + +func (st *stmt) Query(v []driver.Value) (r driver.Rows, err error) { + return st.query(v) +} + +func (st *stmt) query(v []driver.Value) (r *rows, err error) { + if err := st.cn.err.get(); err != nil { + return nil, err + } + defer st.cn.errRecover(&err) + + st.exec(v) + return &rows{ + cn: st.cn, + rowsHeader: st.rowsHeader, + }, nil +} + +func (st *stmt) Exec(v []driver.Value) (res driver.Result, err error) { + if err := st.cn.err.get(); err != nil { + return nil, err + } + defer st.cn.errRecover(&err) + + st.exec(v) + res, _, err = st.cn.readExecuteResponse("simple query") + return res, err +} + +func (st *stmt) exec(v []driver.Value) { + if len(v) >= 65536 { + errorf("got %d parameters but PostgreSQL only supports 65535 parameters", len(v)) + } + if len(v) != len(st.paramTyps) { + errorf("got %d parameters but the statement requires %d", len(v), len(st.paramTyps)) + } + + cn := st.cn + w := cn.writeBuf('B') + w.byte(0) // unnamed portal + w.string(st.name) + + if cn.binaryParameters { + cn.sendBinaryParameters(w, v) + } else { + w.int16(0) + w.int16(len(v)) + for i, x := range v { + if x == nil { + w.int32(-1) + } else { + b := encode(&cn.parameterStatus, x, st.paramTyps[i]) + w.int32(len(b)) + w.bytes(b) + } + } + } + w.bytes(st.colFmtData) + + w.next('E') + w.byte(0) + w.int32(0) + + w.next('S') + cn.send(w) + + cn.readBindResponse() + cn.postExecuteWorkaround() + +} + +func (st *stmt) NumInput() int { + return len(st.paramTyps) +} + +// parseComplete parses the "command tag" from a CommandComplete message, and +// returns the number of rows affected (if applicable) and a string +// identifying only the command that was executed, e.g. "ALTER TABLE". If the +// command tag could not be parsed, parseComplete panics. +func (cn *conn) parseComplete(commandTag string) (driver.Result, string) { + commandsWithAffectedRows := []string{ + "SELECT ", + // INSERT is handled below + "UPDATE ", + "DELETE ", + "FETCH ", + "MOVE ", + "COPY ", + } + + var affectedRows *string + for _, tag := range commandsWithAffectedRows { + if strings.HasPrefix(commandTag, tag) { + t := commandTag[len(tag):] + affectedRows = &t + commandTag = tag[:len(tag)-1] + break + } + } + // INSERT also includes the oid of the inserted row in its command tag. + // Oids in user tables are deprecated, and the oid is only returned when + // exactly one row is inserted, so it's unlikely to be of value to any + // real-world application and we can ignore it. + if affectedRows == nil && strings.HasPrefix(commandTag, "INSERT ") { + parts := strings.Split(commandTag, " ") + if len(parts) != 3 { + cn.err.set(driver.ErrBadConn) + errorf("unexpected INSERT command tag %s", commandTag) + } + affectedRows = &parts[len(parts)-1] + commandTag = "INSERT" + } + // There should be no affected rows attached to the tag, just return it + if affectedRows == nil { + return driver.RowsAffected(0), commandTag + } + n, err := strconv.ParseInt(*affectedRows, 10, 64) + if err != nil { + cn.err.set(driver.ErrBadConn) + errorf("could not parse commandTag: %s", err) + } + return driver.RowsAffected(n), commandTag +} + +type rowsHeader struct { + colNames []string + colTyps []fieldDesc + colFmts []format +} + +type rows struct { + cn *conn + finish func() + rowsHeader + done bool + rb readBuf + result driver.Result + tag string + + next *rowsHeader +} + +func (rs *rows) Close() error { + if finish := rs.finish; finish != nil { + defer finish() + } + // no need to look at cn.bad as Next() will + for { + err := rs.Next(nil) + switch err { + case nil: + case io.EOF: + // rs.Next can return io.EOF on both 'Z' (ready for query) and 'T' (row + // description, used with HasNextResultSet). We need to fetch messages until + // we hit a 'Z', which is done by waiting for done to be set. + if rs.done { + return nil + } + default: + return err + } + } +} + +func (rs *rows) Columns() []string { + return rs.colNames +} + +func (rs *rows) Result() driver.Result { + if rs.result == nil { + return emptyRows + } + return rs.result +} + +func (rs *rows) Tag() string { + return rs.tag +} + +func (rs *rows) Next(dest []driver.Value) (err error) { + if rs.done { + return io.EOF + } + + conn := rs.cn + if err := conn.err.getForNext(); err != nil { + return err + } + defer conn.errRecover(&err) + + for { + t := conn.recv1Buf(&rs.rb) + switch t { + case 'E': + err = parseError(&rs.rb) + case 'C', 'I': + if t == 'C' { + rs.result, rs.tag = conn.parseComplete(rs.rb.string()) + } + continue + case 'Z': + conn.processReadyForQuery(&rs.rb) + rs.done = true + if err != nil { + return err + } + return io.EOF + case 'D': + n := rs.rb.int16() + if err != nil { + conn.err.set(driver.ErrBadConn) + errorf("unexpected DataRow after error %s", err) + } + if n < len(dest) { + dest = dest[:n] + } + for i := range dest { + l := rs.rb.int32() + if l == -1 { + dest[i] = nil + continue + } + dest[i] = decode(&conn.parameterStatus, rs.rb.next(l), rs.colTyps[i].OID, rs.colFmts[i]) + } + return + case 'T': + next := parsePortalRowDescribe(&rs.rb) + rs.next = &next + return io.EOF + default: + errorf("unexpected message after execute: %q", t) + } + } +} + +func (rs *rows) HasNextResultSet() bool { + hasNext := rs.next != nil && !rs.done + return hasNext +} + +func (rs *rows) NextResultSet() error { + if rs.next == nil { + return io.EOF + } + rs.rowsHeader = *rs.next + rs.next = nil + return nil +} + +// QuoteIdentifier quotes an "identifier" (e.g. a table or a column name) to be +// used as part of an SQL statement. For example: +// +// tblname := "my_table" +// data := "my_data" +// quoted := pq.QuoteIdentifier(tblname) +// err := db.Exec(fmt.Sprintf("INSERT INTO %s VALUES ($1)", quoted), data) +// +// Any double quotes in name will be escaped. The quoted identifier will be +// case sensitive when used in a query. If the input string contains a zero +// byte, the result will be truncated immediately before it. +func QuoteIdentifier(name string) string { + end := strings.IndexRune(name, 0) + if end > -1 { + name = name[:end] + } + return `"` + strings.Replace(name, `"`, `""`, -1) + `"` +} + +// BufferQuoteIdentifier satisfies the same purpose as QuoteIdentifier, but backed by a +// byte buffer. +func BufferQuoteIdentifier(name string, buffer *bytes.Buffer) { + end := strings.IndexRune(name, 0) + if end > -1 { + name = name[:end] + } + buffer.WriteRune('"') + buffer.WriteString(strings.Replace(name, `"`, `""`, -1)) + buffer.WriteRune('"') +} + +// QuoteLiteral quotes a 'literal' (e.g. a parameter, often used to pass literal +// to DDL and other statements that do not accept parameters) to be used as part +// of an SQL statement. For example: +// +// exp_date := pq.QuoteLiteral("2023-01-05 15:00:00Z") +// err := db.Exec(fmt.Sprintf("CREATE ROLE my_user VALID UNTIL %s", exp_date)) +// +// Any single quotes in name will be escaped. Any backslashes (i.e. "\") will be +// replaced by two backslashes (i.e. "\\") and the C-style escape identifier +// that PostgreSQL provides ('E') will be prepended to the string. +func QuoteLiteral(literal string) string { + // This follows the PostgreSQL internal algorithm for handling quoted literals + // from libpq, which can be found in the "PQEscapeStringInternal" function, + // which is found in the libpq/fe-exec.c source file: + // https://git.postgresql.org/gitweb/?p=postgresql.git;a=blob;f=src/interfaces/libpq/fe-exec.c + // + // substitute any single-quotes (') with two single-quotes ('') + literal = strings.Replace(literal, `'`, `''`, -1) + // determine if the string has any backslashes (\) in it. + // if it does, replace any backslashes (\) with two backslashes (\\) + // then, we need to wrap the entire string with a PostgreSQL + // C-style escape. Per how "PQEscapeStringInternal" handles this case, we + // also add a space before the "E" + if strings.Contains(literal, `\`) { + literal = strings.Replace(literal, `\`, `\\`, -1) + literal = ` E'` + literal + `'` + } else { + // otherwise, we can just wrap the literal with a pair of single quotes + literal = `'` + literal + `'` + } + return literal +} + +func md5s(s string) string { + h := md5.New() + h.Write([]byte(s)) + return fmt.Sprintf("%x", h.Sum(nil)) +} + +func (cn *conn) sendBinaryParameters(b *writeBuf, args []driver.Value) { + // Do one pass over the parameters to see if we're going to send any of + // them over in binary. If we are, create a paramFormats array at the + // same time. + var paramFormats []int + for i, x := range args { + _, ok := x.([]byte) + if ok { + if paramFormats == nil { + paramFormats = make([]int, len(args)) + } + paramFormats[i] = 1 + } + } + if paramFormats == nil { + b.int16(0) + } else { + b.int16(len(paramFormats)) + for _, x := range paramFormats { + b.int16(x) + } + } + + b.int16(len(args)) + for _, x := range args { + if x == nil { + b.int32(-1) + } else { + datum := binaryEncode(&cn.parameterStatus, x) + b.int32(len(datum)) + b.bytes(datum) + } + } +} + +func (cn *conn) sendBinaryModeQuery(query string, args []driver.Value) { + if len(args) >= 65536 { + errorf("got %d parameters but PostgreSQL only supports 65535 parameters", len(args)) + } + + b := cn.writeBuf('P') + b.byte(0) // unnamed statement + b.string(query) + b.int16(0) + + b.next('B') + b.int16(0) // unnamed portal and statement + cn.sendBinaryParameters(b, args) + b.bytes(colFmtDataAllText) + + b.next('D') + b.byte('P') + b.byte(0) // unnamed portal + + b.next('E') + b.byte(0) + b.int32(0) + + b.next('S') + cn.send(b) +} + +func (cn *conn) processParameterStatus(r *readBuf) { + var err error + + param := r.string() + switch param { + case "server_version": + var major1 int + var major2 int + _, err = fmt.Sscanf(r.string(), "%d.%d", &major1, &major2) + if err == nil { + cn.parameterStatus.serverVersion = major1*10000 + major2*100 + } + + case "TimeZone": + cn.parameterStatus.currentLocation, err = time.LoadLocation(r.string()) + if err != nil { + cn.parameterStatus.currentLocation = nil + } + + default: + // ignore + } +} + +func (cn *conn) processReadyForQuery(r *readBuf) { + cn.txnStatus = transactionStatus(r.byte()) +} + +func (cn *conn) readReadyForQuery() { + t, r := cn.recv1() + switch t { + case 'Z': + cn.processReadyForQuery(r) + return + default: + cn.err.set(driver.ErrBadConn) + errorf("unexpected message %q; expected ReadyForQuery", t) + } +} + +func (cn *conn) processBackendKeyData(r *readBuf) { + cn.processID = r.int32() + cn.secretKey = r.int32() +} + +func (cn *conn) readParseResponse() { + t, r := cn.recv1() + switch t { + case '1': + return + case 'E': + err := parseError(r) + cn.readReadyForQuery() + panic(err) + default: + cn.err.set(driver.ErrBadConn) + errorf("unexpected Parse response %q", t) + } +} + +func (cn *conn) readStatementDescribeResponse() ( + paramTyps []oid.Oid, + colNames []string, + colTyps []fieldDesc, +) { + for { + t, r := cn.recv1() + switch t { + case 't': + nparams := r.int16() + paramTyps = make([]oid.Oid, nparams) + for i := range paramTyps { + paramTyps[i] = r.oid() + } + case 'n': + return paramTyps, nil, nil + case 'T': + colNames, colTyps = parseStatementRowDescribe(r) + return paramTyps, colNames, colTyps + case 'E': + err := parseError(r) + cn.readReadyForQuery() + panic(err) + default: + cn.err.set(driver.ErrBadConn) + errorf("unexpected Describe statement response %q", t) + } + } +} + +func (cn *conn) readPortalDescribeResponse() rowsHeader { + t, r := cn.recv1() + switch t { + case 'T': + return parsePortalRowDescribe(r) + case 'n': + return rowsHeader{} + case 'E': + err := parseError(r) + cn.readReadyForQuery() + panic(err) + default: + cn.err.set(driver.ErrBadConn) + errorf("unexpected Describe response %q", t) + } + panic("not reached") +} + +func (cn *conn) readBindResponse() { + t, r := cn.recv1() + switch t { + case '2': + return + case 'E': + err := parseError(r) + cn.readReadyForQuery() + panic(err) + default: + cn.err.set(driver.ErrBadConn) + errorf("unexpected Bind response %q", t) + } +} + +func (cn *conn) postExecuteWorkaround() { + // Work around a bug in sql.DB.QueryRow: in Go 1.2 and earlier it ignores + // any errors from rows.Next, which masks errors that happened during the + // execution of the query. To avoid the problem in common cases, we wait + // here for one more message from the database. If it's not an error the + // query will likely succeed (or perhaps has already, if it's a + // CommandComplete), so we push the message into the conn struct; recv1 + // will return it as the next message for rows.Next or rows.Close. + // However, if it's an error, we wait until ReadyForQuery and then return + // the error to our caller. + for { + t, r := cn.recv1() + switch t { + case 'E': + err := parseError(r) + cn.readReadyForQuery() + panic(err) + case 'C', 'D', 'I': + // the query didn't fail, but we can't process this message + cn.saveMessage(t, r) + return + default: + cn.err.set(driver.ErrBadConn) + errorf("unexpected message during extended query execution: %q", t) + } + } +} + +// Only for Exec(), since we ignore the returned data +func (cn *conn) readExecuteResponse( + protocolState string, +) (res driver.Result, commandTag string, err error) { + for { + t, r := cn.recv1() + switch t { + case 'C': + if err != nil { + cn.err.set(driver.ErrBadConn) + errorf("unexpected CommandComplete after error %s", err) + } + res, commandTag = cn.parseComplete(r.string()) + case 'Z': + cn.processReadyForQuery(r) + if res == nil && err == nil { + err = errUnexpectedReady + } + return res, commandTag, err + case 'E': + err = parseError(r) + case 'T', 'D', 'I': + if err != nil { + cn.err.set(driver.ErrBadConn) + errorf("unexpected %q after error %s", t, err) + } + if t == 'I' { + res = emptyRows + } + // ignore any results + default: + cn.err.set(driver.ErrBadConn) + errorf("unknown %s response: %q", protocolState, t) + } + } +} + +func parseStatementRowDescribe(r *readBuf) (colNames []string, colTyps []fieldDesc) { + n := r.int16() + colNames = make([]string, n) + colTyps = make([]fieldDesc, n) + for i := range colNames { + colNames[i] = r.string() + r.next(6) + colTyps[i].OID = r.oid() + colTyps[i].Len = r.int16() + colTyps[i].Mod = r.int32() + // format code not known when describing a statement; always 0 + r.next(2) + } + return +} + +func parsePortalRowDescribe(r *readBuf) rowsHeader { + n := r.int16() + colNames := make([]string, n) + colFmts := make([]format, n) + colTyps := make([]fieldDesc, n) + for i := range colNames { + colNames[i] = r.string() + r.next(6) + colTyps[i].OID = r.oid() + colTyps[i].Len = r.int16() + colTyps[i].Mod = r.int32() + colFmts[i] = format(r.int16()) + } + return rowsHeader{ + colNames: colNames, + colFmts: colFmts, + colTyps: colTyps, + } +} + +// parseEnviron tries to mimic some of libpq's environment handling +// +// To ease testing, it does not directly reference os.Environ, but is +// designed to accept its output. +// +// Environment-set connection information is intended to have a higher +// precedence than a library default but lower than any explicitly +// passed information (such as in the URL or connection string). +func parseEnviron(env []string) (out map[string]string) { + out = make(map[string]string) + + for _, v := range env { + parts := strings.SplitN(v, "=", 2) + + accrue := func(keyname string) { + out[keyname] = parts[1] + } + unsupported := func() { + panic(fmt.Sprintf("setting %v not supported", parts[0])) + } + + // The order of these is the same as is seen in the + // PostgreSQL 9.1 manual. Unsupported but well-defined + // keys cause a panic; these should be unset prior to + // execution. Options which pq expects to be set to a + // certain value are allowed, but must be set to that + // value if present (they can, of course, be absent). + switch parts[0] { + case "PGHOST": + accrue("host") + case "PGHOSTADDR": + unsupported() + case "PGPORT": + accrue("port") + case "PGDATABASE": + accrue("dbname") + case "PGUSER": + accrue("user") + case "PGPASSWORD": + accrue("password") + case "PGSERVICE", "PGSERVICEFILE", "PGREALM": + unsupported() + case "PGOPTIONS": + accrue("options") + case "PGAPPNAME": + accrue("application_name") + case "PGSSLMODE": + accrue("sslmode") + case "PGSSLCERT": + accrue("sslcert") + case "PGSSLKEY": + accrue("sslkey") + case "PGSSLROOTCERT": + accrue("sslrootcert") + case "PGSSLSNI": + accrue("sslsni") + case "PGREQUIRESSL", "PGSSLCRL": + unsupported() + case "PGREQUIREPEER": + unsupported() + case "PGKRBSRVNAME", "PGGSSLIB": + unsupported() + case "PGCONNECT_TIMEOUT": + accrue("connect_timeout") + case "PGCLIENTENCODING": + accrue("client_encoding") + case "PGDATESTYLE": + accrue("datestyle") + case "PGTZ": + accrue("timezone") + case "PGGEQO": + accrue("geqo") + case "PGSYSCONFDIR", "PGLOCALEDIR": + unsupported() + } + } + + return out +} + +// isUTF8 returns whether name is a fuzzy variation of the string "UTF-8". +func isUTF8(name string) bool { + // Recognize all sorts of silly things as "UTF-8", like Postgres does + s := strings.Map(alnumLowerASCII, name) + return s == "utf8" || s == "unicode" +} + +func alnumLowerASCII(ch rune) rune { + if 'A' <= ch && ch <= 'Z' { + return ch + ('a' - 'A') + } + if 'a' <= ch && ch <= 'z' || '0' <= ch && ch <= '9' { + return ch + } + return -1 // discard +} + +// The database/sql/driver package says: +// All Conn implementations should implement the following interfaces: Pinger, SessionResetter, and Validator. +var _ driver.Pinger = &conn{} +var _ driver.SessionResetter = &conn{} + +func (cn *conn) ResetSession(ctx context.Context) error { + // Ensure bad connections are reported: From database/sql/driver: + // If a connection is never returned to the connection pool but immediately reused, then + // ResetSession is called prior to reuse but IsValid is not called. + return cn.err.get() +} + +func (cn *conn) IsValid() bool { + return cn.err.get() == nil +} diff --git a/vendor/github.com/lib/pq/conn_go115.go b/vendor/github.com/lib/pq/conn_go115.go new file mode 100644 index 0000000000..f4ef030f99 --- /dev/null +++ b/vendor/github.com/lib/pq/conn_go115.go @@ -0,0 +1,8 @@ +//go:build go1.15 +// +build go1.15 + +package pq + +import "database/sql/driver" + +var _ driver.Validator = &conn{} diff --git a/vendor/github.com/lib/pq/conn_go18.go b/vendor/github.com/lib/pq/conn_go18.go new file mode 100644 index 0000000000..63d4ca6aaa --- /dev/null +++ b/vendor/github.com/lib/pq/conn_go18.go @@ -0,0 +1,247 @@ +package pq + +import ( + "context" + "database/sql" + "database/sql/driver" + "fmt" + "io" + "io/ioutil" + "time" +) + +const ( + watchCancelDialContextTimeout = time.Second * 10 +) + +// Implement the "QueryerContext" interface +func (cn *conn) QueryContext(ctx context.Context, query string, args []driver.NamedValue) (driver.Rows, error) { + list := make([]driver.Value, len(args)) + for i, nv := range args { + list[i] = nv.Value + } + finish := cn.watchCancel(ctx) + r, err := cn.query(query, list) + if err != nil { + if finish != nil { + finish() + } + return nil, err + } + r.finish = finish + return r, nil +} + +// Implement the "ExecerContext" interface +func (cn *conn) ExecContext(ctx context.Context, query string, args []driver.NamedValue) (driver.Result, error) { + list := make([]driver.Value, len(args)) + for i, nv := range args { + list[i] = nv.Value + } + + if finish := cn.watchCancel(ctx); finish != nil { + defer finish() + } + + return cn.Exec(query, list) +} + +// Implement the "ConnPrepareContext" interface +func (cn *conn) PrepareContext(ctx context.Context, query string) (driver.Stmt, error) { + if finish := cn.watchCancel(ctx); finish != nil { + defer finish() + } + return cn.Prepare(query) +} + +// Implement the "ConnBeginTx" interface +func (cn *conn) BeginTx(ctx context.Context, opts driver.TxOptions) (driver.Tx, error) { + var mode string + + switch sql.IsolationLevel(opts.Isolation) { + case sql.LevelDefault: + // Don't touch mode: use the server's default + case sql.LevelReadUncommitted: + mode = " ISOLATION LEVEL READ UNCOMMITTED" + case sql.LevelReadCommitted: + mode = " ISOLATION LEVEL READ COMMITTED" + case sql.LevelRepeatableRead: + mode = " ISOLATION LEVEL REPEATABLE READ" + case sql.LevelSerializable: + mode = " ISOLATION LEVEL SERIALIZABLE" + default: + return nil, fmt.Errorf("pq: isolation level not supported: %d", opts.Isolation) + } + + if opts.ReadOnly { + mode += " READ ONLY" + } else { + mode += " READ WRITE" + } + + tx, err := cn.begin(mode) + if err != nil { + return nil, err + } + cn.txnFinish = cn.watchCancel(ctx) + return tx, nil +} + +func (cn *conn) Ping(ctx context.Context) error { + if finish := cn.watchCancel(ctx); finish != nil { + defer finish() + } + rows, err := cn.simpleQuery(";") + if err != nil { + return driver.ErrBadConn // https://golang.org/pkg/database/sql/driver/#Pinger + } + rows.Close() + return nil +} + +func (cn *conn) watchCancel(ctx context.Context) func() { + if done := ctx.Done(); done != nil { + finished := make(chan struct{}, 1) + go func() { + select { + case <-done: + select { + case finished <- struct{}{}: + default: + // We raced with the finish func, let the next query handle this with the + // context. + return + } + + // Set the connection state to bad so it does not get reused. + cn.err.set(ctx.Err()) + + // At this point the function level context is canceled, + // so it must not be used for the additional network + // request to cancel the query. + // Create a new context to pass into the dial. + ctxCancel, cancel := context.WithTimeout(context.Background(), watchCancelDialContextTimeout) + defer cancel() + + _ = cn.cancel(ctxCancel) + case <-finished: + } + }() + return func() { + select { + case <-finished: + cn.err.set(ctx.Err()) + cn.Close() + case finished <- struct{}{}: + } + } + } + return nil +} + +func (cn *conn) cancel(ctx context.Context) error { + // Create a new values map (copy). This makes sure the connection created + // in this method cannot write to the same underlying data, which could + // cause a concurrent map write panic. This is necessary because cancel + // is called from a goroutine in watchCancel. + o := make(values) + for k, v := range cn.opts { + o[k] = v + } + + c, err := dial(ctx, cn.dialer, o) + if err != nil { + return err + } + defer c.Close() + + { + can := conn{ + c: c, + } + err = can.ssl(o) + if err != nil { + return err + } + + w := can.writeBuf(0) + w.int32(80877102) // cancel request code + w.int32(cn.processID) + w.int32(cn.secretKey) + + if err := can.sendStartupPacket(w); err != nil { + return err + } + } + + // Read until EOF to ensure that the server received the cancel. + { + _, err := io.Copy(ioutil.Discard, c) + return err + } +} + +// Implement the "StmtQueryContext" interface +func (st *stmt) QueryContext(ctx context.Context, args []driver.NamedValue) (driver.Rows, error) { + list := make([]driver.Value, len(args)) + for i, nv := range args { + list[i] = nv.Value + } + finish := st.watchCancel(ctx) + r, err := st.query(list) + if err != nil { + if finish != nil { + finish() + } + return nil, err + } + r.finish = finish + return r, nil +} + +// Implement the "StmtExecContext" interface +func (st *stmt) ExecContext(ctx context.Context, args []driver.NamedValue) (driver.Result, error) { + list := make([]driver.Value, len(args)) + for i, nv := range args { + list[i] = nv.Value + } + + if finish := st.watchCancel(ctx); finish != nil { + defer finish() + } + + return st.Exec(list) +} + +// watchCancel is implemented on stmt in order to not mark the parent conn as bad +func (st *stmt) watchCancel(ctx context.Context) func() { + if done := ctx.Done(); done != nil { + finished := make(chan struct{}) + go func() { + select { + case <-done: + // At this point the function level context is canceled, + // so it must not be used for the additional network + // request to cancel the query. + // Create a new context to pass into the dial. + ctxCancel, cancel := context.WithTimeout(context.Background(), watchCancelDialContextTimeout) + defer cancel() + + _ = st.cancel(ctxCancel) + finished <- struct{}{} + case <-finished: + } + }() + return func() { + select { + case <-finished: + case finished <- struct{}{}: + } + } + } + return nil +} + +func (st *stmt) cancel(ctx context.Context) error { + return st.cn.cancel(ctx) +} diff --git a/vendor/github.com/lib/pq/connector.go b/vendor/github.com/lib/pq/connector.go new file mode 100644 index 0000000000..1145e12257 --- /dev/null +++ b/vendor/github.com/lib/pq/connector.go @@ -0,0 +1,120 @@ +package pq + +import ( + "context" + "database/sql/driver" + "errors" + "fmt" + "os" + "strings" +) + +// Connector represents a fixed configuration for the pq driver with a given +// name. Connector satisfies the database/sql/driver Connector interface and +// can be used to create any number of DB Conn's via the database/sql OpenDB +// function. +// +// See https://golang.org/pkg/database/sql/driver/#Connector. +// See https://golang.org/pkg/database/sql/#OpenDB. +type Connector struct { + opts values + dialer Dialer +} + +// Connect returns a connection to the database using the fixed configuration +// of this Connector. Context is not used. +func (c *Connector) Connect(ctx context.Context) (driver.Conn, error) { + return c.open(ctx) +} + +// Dialer allows change the dialer used to open connections. +func (c *Connector) Dialer(dialer Dialer) { + c.dialer = dialer +} + +// Driver returns the underlying driver of this Connector. +func (c *Connector) Driver() driver.Driver { + return &Driver{} +} + +// NewConnector returns a connector for the pq driver in a fixed configuration +// with the given dsn. The returned connector can be used to create any number +// of equivalent Conn's. The returned connector is intended to be used with +// database/sql.OpenDB. +// +// See https://golang.org/pkg/database/sql/driver/#Connector. +// See https://golang.org/pkg/database/sql/#OpenDB. +func NewConnector(dsn string) (*Connector, error) { + var err error + o := make(values) + + // A number of defaults are applied here, in this order: + // + // * Very low precedence defaults applied in every situation + // * Environment variables + // * Explicitly passed connection information + o["host"] = "localhost" + o["port"] = "5432" + // N.B.: Extra float digits should be set to 3, but that breaks + // Postgres 8.4 and older, where the max is 2. + o["extra_float_digits"] = "2" + for k, v := range parseEnviron(os.Environ()) { + o[k] = v + } + + if strings.HasPrefix(dsn, "postgres://") || strings.HasPrefix(dsn, "postgresql://") { + dsn, err = ParseURL(dsn) + if err != nil { + return nil, err + } + } + + if err := parseOpts(dsn, o); err != nil { + return nil, err + } + + // Use the "fallback" application name if necessary + if fallback, ok := o["fallback_application_name"]; ok { + if _, ok := o["application_name"]; !ok { + o["application_name"] = fallback + } + } + + // We can't work with any client_encoding other than UTF-8 currently. + // However, we have historically allowed the user to set it to UTF-8 + // explicitly, and there's no reason to break such programs, so allow that. + // Note that the "options" setting could also set client_encoding, but + // parsing its value is not worth it. Instead, we always explicitly send + // client_encoding as a separate run-time parameter, which should override + // anything set in options. + if enc, ok := o["client_encoding"]; ok && !isUTF8(enc) { + return nil, errors.New("client_encoding must be absent or 'UTF8'") + } + o["client_encoding"] = "UTF8" + // DateStyle needs a similar treatment. + if datestyle, ok := o["datestyle"]; ok { + if datestyle != "ISO, MDY" { + return nil, fmt.Errorf("setting datestyle must be absent or %v; got %v", "ISO, MDY", datestyle) + } + } else { + o["datestyle"] = "ISO, MDY" + } + + // If a user is not provided by any other means, the last + // resort is to use the current operating system provided user + // name. + if _, ok := o["user"]; !ok { + u, err := userCurrent() + if err != nil { + return nil, err + } + o["user"] = u + } + + // SSL is not necessary or supported over UNIX domain sockets + if network, _ := network(o); network == "unix" { + o["sslmode"] = "disable" + } + + return &Connector{opts: o, dialer: defaultDialer{}}, nil +} diff --git a/vendor/github.com/lib/pq/copy.go b/vendor/github.com/lib/pq/copy.go new file mode 100644 index 0000000000..a8f16b2b26 --- /dev/null +++ b/vendor/github.com/lib/pq/copy.go @@ -0,0 +1,348 @@ +package pq + +import ( + "bytes" + "context" + "database/sql/driver" + "encoding/binary" + "errors" + "fmt" + "sync" +) + +var ( + errCopyInClosed = errors.New("pq: copyin statement has already been closed") + errBinaryCopyNotSupported = errors.New("pq: only text format supported for COPY") + errCopyToNotSupported = errors.New("pq: COPY TO is not supported") + errCopyNotSupportedOutsideTxn = errors.New("pq: COPY is only allowed inside a transaction") + errCopyInProgress = errors.New("pq: COPY in progress") +) + +// CopyIn creates a COPY FROM statement which can be prepared with +// Tx.Prepare(). The target table should be visible in search_path. +func CopyIn(table string, columns ...string) string { + buffer := bytes.NewBufferString("COPY ") + BufferQuoteIdentifier(table, buffer) + buffer.WriteString(" (") + makeStmt(buffer, columns...) + return buffer.String() +} + +// MakeStmt makes the stmt string for CopyIn and CopyInSchema. +func makeStmt(buffer *bytes.Buffer, columns ...string) { + //s := bytes.NewBufferString() + for i, col := range columns { + if i != 0 { + buffer.WriteString(", ") + } + BufferQuoteIdentifier(col, buffer) + } + buffer.WriteString(") FROM STDIN") +} + +// CopyInSchema creates a COPY FROM statement which can be prepared with +// Tx.Prepare(). +func CopyInSchema(schema, table string, columns ...string) string { + buffer := bytes.NewBufferString("COPY ") + BufferQuoteIdentifier(schema, buffer) + buffer.WriteRune('.') + BufferQuoteIdentifier(table, buffer) + buffer.WriteString(" (") + makeStmt(buffer, columns...) + return buffer.String() +} + +type copyin struct { + cn *conn + buffer []byte + rowData chan []byte + done chan bool + + closed bool + + mu struct { + sync.Mutex + err error + driver.Result + } +} + +const ciBufferSize = 64 * 1024 + +// flush buffer before the buffer is filled up and needs reallocation +const ciBufferFlushSize = 63 * 1024 + +func (cn *conn) prepareCopyIn(q string) (_ driver.Stmt, err error) { + if !cn.isInTransaction() { + return nil, errCopyNotSupportedOutsideTxn + } + + ci := ©in{ + cn: cn, + buffer: make([]byte, 0, ciBufferSize), + rowData: make(chan []byte), + done: make(chan bool, 1), + } + // add CopyData identifier + 4 bytes for message length + ci.buffer = append(ci.buffer, 'd', 0, 0, 0, 0) + + b := cn.writeBuf('Q') + b.string(q) + cn.send(b) + +awaitCopyInResponse: + for { + t, r := cn.recv1() + switch t { + case 'G': + if r.byte() != 0 { + err = errBinaryCopyNotSupported + break awaitCopyInResponse + } + go ci.resploop() + return ci, nil + case 'H': + err = errCopyToNotSupported + break awaitCopyInResponse + case 'E': + err = parseError(r) + case 'Z': + if err == nil { + ci.setBad(driver.ErrBadConn) + errorf("unexpected ReadyForQuery in response to COPY") + } + cn.processReadyForQuery(r) + return nil, err + default: + ci.setBad(driver.ErrBadConn) + errorf("unknown response for copy query: %q", t) + } + } + + // something went wrong, abort COPY before we return + b = cn.writeBuf('f') + b.string(err.Error()) + cn.send(b) + + for { + t, r := cn.recv1() + switch t { + case 'c', 'C', 'E': + case 'Z': + // correctly aborted, we're done + cn.processReadyForQuery(r) + return nil, err + default: + ci.setBad(driver.ErrBadConn) + errorf("unknown response for CopyFail: %q", t) + } + } +} + +func (ci *copyin) flush(buf []byte) { + // set message length (without message identifier) + binary.BigEndian.PutUint32(buf[1:], uint32(len(buf)-1)) + + _, err := ci.cn.c.Write(buf) + if err != nil { + panic(err) + } +} + +func (ci *copyin) resploop() { + for { + var r readBuf + t, err := ci.cn.recvMessage(&r) + if err != nil { + ci.setBad(driver.ErrBadConn) + ci.setError(err) + ci.done <- true + return + } + switch t { + case 'C': + // complete + res, _ := ci.cn.parseComplete(r.string()) + ci.setResult(res) + case 'N': + if n := ci.cn.noticeHandler; n != nil { + n(parseError(&r)) + } + case 'Z': + ci.cn.processReadyForQuery(&r) + ci.done <- true + return + case 'E': + err := parseError(&r) + ci.setError(err) + default: + ci.setBad(driver.ErrBadConn) + ci.setError(fmt.Errorf("unknown response during CopyIn: %q", t)) + ci.done <- true + return + } + } +} + +func (ci *copyin) setBad(err error) { + ci.cn.err.set(err) +} + +func (ci *copyin) getBad() error { + return ci.cn.err.get() +} + +func (ci *copyin) err() error { + ci.mu.Lock() + err := ci.mu.err + ci.mu.Unlock() + return err +} + +// setError() sets ci.err if one has not been set already. Caller must not be +// holding ci.Mutex. +func (ci *copyin) setError(err error) { + ci.mu.Lock() + if ci.mu.err == nil { + ci.mu.err = err + } + ci.mu.Unlock() +} + +func (ci *copyin) setResult(result driver.Result) { + ci.mu.Lock() + ci.mu.Result = result + ci.mu.Unlock() +} + +func (ci *copyin) getResult() driver.Result { + ci.mu.Lock() + result := ci.mu.Result + ci.mu.Unlock() + if result == nil { + return driver.RowsAffected(0) + } + return result +} + +func (ci *copyin) NumInput() int { + return -1 +} + +func (ci *copyin) Query(v []driver.Value) (r driver.Rows, err error) { + return nil, ErrNotSupported +} + +// Exec inserts values into the COPY stream. The insert is asynchronous +// and Exec can return errors from previous Exec calls to the same +// COPY stmt. +// +// You need to call Exec(nil) to sync the COPY stream and to get any +// errors from pending data, since Stmt.Close() doesn't return errors +// to the user. +func (ci *copyin) Exec(v []driver.Value) (r driver.Result, err error) { + if ci.closed { + return nil, errCopyInClosed + } + + if err := ci.getBad(); err != nil { + return nil, err + } + defer ci.cn.errRecover(&err) + + if err := ci.err(); err != nil { + return nil, err + } + + if len(v) == 0 { + if err := ci.Close(); err != nil { + return driver.RowsAffected(0), err + } + + return ci.getResult(), nil + } + + numValues := len(v) + for i, value := range v { + ci.buffer = appendEncodedText(&ci.cn.parameterStatus, ci.buffer, value) + if i < numValues-1 { + ci.buffer = append(ci.buffer, '\t') + } + } + + ci.buffer = append(ci.buffer, '\n') + + if len(ci.buffer) > ciBufferFlushSize { + ci.flush(ci.buffer) + // reset buffer, keep bytes for message identifier and length + ci.buffer = ci.buffer[:5] + } + + return driver.RowsAffected(0), nil +} + +// CopyData inserts a raw string into the COPY stream. The insert is +// asynchronous and CopyData can return errors from previous CopyData calls to +// the same COPY stmt. +// +// You need to call Exec(nil) to sync the COPY stream and to get any +// errors from pending data, since Stmt.Close() doesn't return errors +// to the user. +func (ci *copyin) CopyData(ctx context.Context, line string) (r driver.Result, err error) { + if ci.closed { + return nil, errCopyInClosed + } + + if finish := ci.cn.watchCancel(ctx); finish != nil { + defer finish() + } + + if err := ci.getBad(); err != nil { + return nil, err + } + defer ci.cn.errRecover(&err) + + if err := ci.err(); err != nil { + return nil, err + } + + ci.buffer = append(ci.buffer, []byte(line)...) + ci.buffer = append(ci.buffer, '\n') + + if len(ci.buffer) > ciBufferFlushSize { + ci.flush(ci.buffer) + // reset buffer, keep bytes for message identifier and length + ci.buffer = ci.buffer[:5] + } + + return driver.RowsAffected(0), nil +} + +func (ci *copyin) Close() (err error) { + if ci.closed { // Don't do anything, we're already closed + return nil + } + ci.closed = true + + if err := ci.getBad(); err != nil { + return err + } + defer ci.cn.errRecover(&err) + + if len(ci.buffer) > 0 { + ci.flush(ci.buffer) + } + // Avoid touching the scratch buffer as resploop could be using it. + err = ci.cn.sendSimpleMessage('c') + if err != nil { + return err + } + + <-ci.done + ci.cn.inCopy = false + + if err := ci.err(); err != nil { + return err + } + return nil +} diff --git a/vendor/github.com/lib/pq/doc.go b/vendor/github.com/lib/pq/doc.go new file mode 100644 index 0000000000..b57184801b --- /dev/null +++ b/vendor/github.com/lib/pq/doc.go @@ -0,0 +1,268 @@ +/* +Package pq is a pure Go Postgres driver for the database/sql package. + +In most cases clients will use the database/sql package instead of +using this package directly. For example: + + import ( + "database/sql" + + _ "github.com/lib/pq" + ) + + func main() { + connStr := "user=pqgotest dbname=pqgotest sslmode=verify-full" + db, err := sql.Open("postgres", connStr) + if err != nil { + log.Fatal(err) + } + + age := 21 + rows, err := db.Query("SELECT name FROM users WHERE age = $1", age) + … + } + +You can also connect to a database using a URL. For example: + + connStr := "postgres://pqgotest:password@localhost/pqgotest?sslmode=verify-full" + db, err := sql.Open("postgres", connStr) + + +Connection String Parameters + + +Similarly to libpq, when establishing a connection using pq you are expected to +supply a connection string containing zero or more parameters. +A subset of the connection parameters supported by libpq are also supported by pq. +Additionally, pq also lets you specify run-time parameters (such as search_path or work_mem) +directly in the connection string. This is different from libpq, which does not allow +run-time parameters in the connection string, instead requiring you to supply +them in the options parameter. + +For compatibility with libpq, the following special connection parameters are +supported: + + * dbname - The name of the database to connect to + * user - The user to sign in as + * password - The user's password + * host - The host to connect to. Values that start with / are for unix + domain sockets. (default is localhost) + * port - The port to bind to. (default is 5432) + * sslmode - Whether or not to use SSL (default is require, this is not + the default for libpq) + * fallback_application_name - An application_name to fall back to if one isn't provided. + * connect_timeout - Maximum wait for connection, in seconds. Zero or + not specified means wait indefinitely. + * sslcert - Cert file location. The file must contain PEM encoded data. + * sslkey - Key file location. The file must contain PEM encoded data. + * sslrootcert - The location of the root certificate file. The file + must contain PEM encoded data. + +Valid values for sslmode are: + + * disable - No SSL + * require - Always SSL (skip verification) + * verify-ca - Always SSL (verify that the certificate presented by the + server was signed by a trusted CA) + * verify-full - Always SSL (verify that the certification presented by + the server was signed by a trusted CA and the server host name + matches the one in the certificate) + +See http://www.postgresql.org/docs/current/static/libpq-connect.html#LIBPQ-CONNSTRING +for more information about connection string parameters. + +Use single quotes for values that contain whitespace: + + "user=pqgotest password='with spaces'" + +A backslash will escape the next character in values: + + "user=space\ man password='it\'s valid'" + +Note that the connection parameter client_encoding (which sets the +text encoding for the connection) may be set but must be "UTF8", +matching with the same rules as Postgres. It is an error to provide +any other value. + +In addition to the parameters listed above, any run-time parameter that can be +set at backend start time can be set in the connection string. For more +information, see +http://www.postgresql.org/docs/current/static/runtime-config.html. + +Most environment variables as specified at http://www.postgresql.org/docs/current/static/libpq-envars.html +supported by libpq are also supported by pq. If any of the environment +variables not supported by pq are set, pq will panic during connection +establishment. Environment variables have a lower precedence than explicitly +provided connection parameters. + +The pgpass mechanism as described in http://www.postgresql.org/docs/current/static/libpq-pgpass.html +is supported, but on Windows PGPASSFILE must be specified explicitly. + + +Queries + + +database/sql does not dictate any specific format for parameter +markers in query strings, and pq uses the Postgres-native ordinal markers, +as shown above. The same marker can be reused for the same parameter: + + rows, err := db.Query(`SELECT name FROM users WHERE favorite_fruit = $1 + OR age BETWEEN $2 AND $2 + 3`, "orange", 64) + +pq does not support the LastInsertId() method of the Result type in database/sql. +To return the identifier of an INSERT (or UPDATE or DELETE), use the Postgres +RETURNING clause with a standard Query or QueryRow call: + + var userid int + err := db.QueryRow(`INSERT INTO users(name, favorite_fruit, age) + VALUES('beatrice', 'starfruit', 93) RETURNING id`).Scan(&userid) + +For more details on RETURNING, see the Postgres documentation: + + http://www.postgresql.org/docs/current/static/sql-insert.html + http://www.postgresql.org/docs/current/static/sql-update.html + http://www.postgresql.org/docs/current/static/sql-delete.html + +For additional instructions on querying see the documentation for the database/sql package. + + +Data Types + + +Parameters pass through driver.DefaultParameterConverter before they are handled +by this package. When the binary_parameters connection option is enabled, +[]byte values are sent directly to the backend as data in binary format. + +This package returns the following types for values from the PostgreSQL backend: + + - integer types smallint, integer, and bigint are returned as int64 + - floating-point types real and double precision are returned as float64 + - character types char, varchar, and text are returned as string + - temporal types date, time, timetz, timestamp, and timestamptz are + returned as time.Time + - the boolean type is returned as bool + - the bytea type is returned as []byte + +All other types are returned directly from the backend as []byte values in text format. + + +Errors + + +pq may return errors of type *pq.Error which can be interrogated for error details: + + if err, ok := err.(*pq.Error); ok { + fmt.Println("pq error:", err.Code.Name()) + } + +See the pq.Error type for details. + + +Bulk imports + +You can perform bulk imports by preparing a statement returned by pq.CopyIn (or +pq.CopyInSchema) in an explicit transaction (sql.Tx). The returned statement +handle can then be repeatedly "executed" to copy data into the target table. +After all data has been processed you should call Exec() once with no arguments +to flush all buffered data. Any call to Exec() might return an error which +should be handled appropriately, but because of the internal buffering an error +returned by Exec() might not be related to the data passed in the call that +failed. + +CopyIn uses COPY FROM internally. It is not possible to COPY outside of an +explicit transaction in pq. + +Usage example: + + txn, err := db.Begin() + if err != nil { + log.Fatal(err) + } + + stmt, err := txn.Prepare(pq.CopyIn("users", "name", "age")) + if err != nil { + log.Fatal(err) + } + + for _, user := range users { + _, err = stmt.Exec(user.Name, int64(user.Age)) + if err != nil { + log.Fatal(err) + } + } + + _, err = stmt.Exec() + if err != nil { + log.Fatal(err) + } + + err = stmt.Close() + if err != nil { + log.Fatal(err) + } + + err = txn.Commit() + if err != nil { + log.Fatal(err) + } + + +Notifications + + +PostgreSQL supports a simple publish/subscribe model over database +connections. See http://www.postgresql.org/docs/current/static/sql-notify.html +for more information about the general mechanism. + +To start listening for notifications, you first have to open a new connection +to the database by calling NewListener. This connection can not be used for +anything other than LISTEN / NOTIFY. Calling Listen will open a "notification +channel"; once a notification channel is open, a notification generated on that +channel will effect a send on the Listener.Notify channel. A notification +channel will remain open until Unlisten is called, though connection loss might +result in some notifications being lost. To solve this problem, Listener sends +a nil pointer over the Notify channel any time the connection is re-established +following a connection loss. The application can get information about the +state of the underlying connection by setting an event callback in the call to +NewListener. + +A single Listener can safely be used from concurrent goroutines, which means +that there is often no need to create more than one Listener in your +application. However, a Listener is always connected to a single database, so +you will need to create a new Listener instance for every database you want to +receive notifications in. + +The channel name in both Listen and Unlisten is case sensitive, and can contain +any characters legal in an identifier (see +http://www.postgresql.org/docs/current/static/sql-syntax-lexical.html#SQL-SYNTAX-IDENTIFIERS +for more information). Note that the channel name will be truncated to 63 +bytes by the PostgreSQL server. + +You can find a complete, working example of Listener usage at +https://godoc.org/github.com/lib/pq/example/listen. + + +Kerberos Support + + +If you need support for Kerberos authentication, add the following to your main +package: + + import "github.com/lib/pq/auth/kerberos" + + func init() { + pq.RegisterGSSProvider(func() (pq.Gss, error) { return kerberos.NewGSS() }) + } + +This package is in a separate module so that users who don't need Kerberos +don't have to download unnecessary dependencies. + +When imported, additional connection string parameters are supported: + + * krbsrvname - GSS (Kerberos) service name when constructing the + SPN (default is `postgres`). This will be combined with the host + to form the full SPN: `krbsrvname/host`. + * krbspn - GSS (Kerberos) SPN. This takes priority over + `krbsrvname` if present. +*/ +package pq diff --git a/vendor/github.com/lib/pq/encode.go b/vendor/github.com/lib/pq/encode.go new file mode 100644 index 0000000000..bffe6096af --- /dev/null +++ b/vendor/github.com/lib/pq/encode.go @@ -0,0 +1,632 @@ +package pq + +import ( + "bytes" + "database/sql/driver" + "encoding/binary" + "encoding/hex" + "errors" + "fmt" + "math" + "regexp" + "strconv" + "strings" + "sync" + "time" + + "github.com/lib/pq/oid" +) + +var time2400Regex = regexp.MustCompile(`^(24:00(?::00(?:\.0+)?)?)(?:[Z+-].*)?$`) + +func binaryEncode(parameterStatus *parameterStatus, x interface{}) []byte { + switch v := x.(type) { + case []byte: + return v + default: + return encode(parameterStatus, x, oid.T_unknown) + } +} + +func encode(parameterStatus *parameterStatus, x interface{}, pgtypOid oid.Oid) []byte { + switch v := x.(type) { + case int64: + return strconv.AppendInt(nil, v, 10) + case float64: + return strconv.AppendFloat(nil, v, 'f', -1, 64) + case []byte: + if pgtypOid == oid.T_bytea { + return encodeBytea(parameterStatus.serverVersion, v) + } + + return v + case string: + if pgtypOid == oid.T_bytea { + return encodeBytea(parameterStatus.serverVersion, []byte(v)) + } + + return []byte(v) + case bool: + return strconv.AppendBool(nil, v) + case time.Time: + return formatTs(v) + + default: + errorf("encode: unknown type for %T", v) + } + + panic("not reached") +} + +func decode(parameterStatus *parameterStatus, s []byte, typ oid.Oid, f format) interface{} { + switch f { + case formatBinary: + return binaryDecode(parameterStatus, s, typ) + case formatText: + return textDecode(parameterStatus, s, typ) + default: + panic("not reached") + } +} + +func binaryDecode(parameterStatus *parameterStatus, s []byte, typ oid.Oid) interface{} { + switch typ { + case oid.T_bytea: + return s + case oid.T_int8: + return int64(binary.BigEndian.Uint64(s)) + case oid.T_int4: + return int64(int32(binary.BigEndian.Uint32(s))) + case oid.T_int2: + return int64(int16(binary.BigEndian.Uint16(s))) + case oid.T_uuid: + b, err := decodeUUIDBinary(s) + if err != nil { + panic(err) + } + return b + + default: + errorf("don't know how to decode binary parameter of type %d", uint32(typ)) + } + + panic("not reached") +} + +func textDecode(parameterStatus *parameterStatus, s []byte, typ oid.Oid) interface{} { + switch typ { + case oid.T_char, oid.T_varchar, oid.T_text: + return string(s) + case oid.T_bytea: + b, err := parseBytea(s) + if err != nil { + errorf("%s", err) + } + return b + case oid.T_timestamptz: + return parseTs(parameterStatus.currentLocation, string(s)) + case oid.T_timestamp, oid.T_date: + return parseTs(nil, string(s)) + case oid.T_time: + return mustParse("15:04:05", typ, s) + case oid.T_timetz: + return mustParse("15:04:05-07", typ, s) + case oid.T_bool: + return s[0] == 't' + case oid.T_int8, oid.T_int4, oid.T_int2: + i, err := strconv.ParseInt(string(s), 10, 64) + if err != nil { + errorf("%s", err) + } + return i + case oid.T_float4, oid.T_float8: + // We always use 64 bit parsing, regardless of whether the input text is for + // a float4 or float8, because clients expect float64s for all float datatypes + // and returning a 32-bit parsed float64 produces lossy results. + f, err := strconv.ParseFloat(string(s), 64) + if err != nil { + errorf("%s", err) + } + return f + } + + return s +} + +// appendEncodedText encodes item in text format as required by COPY +// and appends to buf +func appendEncodedText(parameterStatus *parameterStatus, buf []byte, x interface{}) []byte { + switch v := x.(type) { + case int64: + return strconv.AppendInt(buf, v, 10) + case float64: + return strconv.AppendFloat(buf, v, 'f', -1, 64) + case []byte: + encodedBytea := encodeBytea(parameterStatus.serverVersion, v) + return appendEscapedText(buf, string(encodedBytea)) + case string: + return appendEscapedText(buf, v) + case bool: + return strconv.AppendBool(buf, v) + case time.Time: + return append(buf, formatTs(v)...) + case nil: + return append(buf, "\\N"...) + default: + errorf("encode: unknown type for %T", v) + } + + panic("not reached") +} + +func appendEscapedText(buf []byte, text string) []byte { + escapeNeeded := false + startPos := 0 + var c byte + + // check if we need to escape + for i := 0; i < len(text); i++ { + c = text[i] + if c == '\\' || c == '\n' || c == '\r' || c == '\t' { + escapeNeeded = true + startPos = i + break + } + } + if !escapeNeeded { + return append(buf, text...) + } + + // copy till first char to escape, iterate the rest + result := append(buf, text[:startPos]...) + for i := startPos; i < len(text); i++ { + c = text[i] + switch c { + case '\\': + result = append(result, '\\', '\\') + case '\n': + result = append(result, '\\', 'n') + case '\r': + result = append(result, '\\', 'r') + case '\t': + result = append(result, '\\', 't') + default: + result = append(result, c) + } + } + return result +} + +func mustParse(f string, typ oid.Oid, s []byte) time.Time { + str := string(s) + + // Check for a minute and second offset in the timezone. + if typ == oid.T_timestamptz || typ == oid.T_timetz { + for i := 3; i <= 6; i += 3 { + if str[len(str)-i] == ':' { + f += ":00" + continue + } + break + } + } + + // Special case for 24:00 time. + // Unfortunately, golang does not parse 24:00 as a proper time. + // In this case, we want to try "round to the next day", to differentiate. + // As such, we find if the 24:00 time matches at the beginning; if so, + // we default it back to 00:00 but add a day later. + var is2400Time bool + switch typ { + case oid.T_timetz, oid.T_time: + if matches := time2400Regex.FindStringSubmatch(str); matches != nil { + // Concatenate timezone information at the back. + str = "00:00:00" + str[len(matches[1]):] + is2400Time = true + } + } + t, err := time.Parse(f, str) + if err != nil { + errorf("decode: %s", err) + } + if is2400Time { + t = t.Add(24 * time.Hour) + } + return t +} + +var errInvalidTimestamp = errors.New("invalid timestamp") + +type timestampParser struct { + err error +} + +func (p *timestampParser) expect(str string, char byte, pos int) { + if p.err != nil { + return + } + if pos+1 > len(str) { + p.err = errInvalidTimestamp + return + } + if c := str[pos]; c != char && p.err == nil { + p.err = fmt.Errorf("expected '%v' at position %v; got '%v'", char, pos, c) + } +} + +func (p *timestampParser) mustAtoi(str string, begin int, end int) int { + if p.err != nil { + return 0 + } + if begin < 0 || end < 0 || begin > end || end > len(str) { + p.err = errInvalidTimestamp + return 0 + } + result, err := strconv.Atoi(str[begin:end]) + if err != nil { + if p.err == nil { + p.err = fmt.Errorf("expected number; got '%v'", str) + } + return 0 + } + return result +} + +// The location cache caches the time zones typically used by the client. +type locationCache struct { + cache map[int]*time.Location + lock sync.Mutex +} + +// All connections share the same list of timezones. Benchmarking shows that +// about 5% speed could be gained by putting the cache in the connection and +// losing the mutex, at the cost of a small amount of memory and a somewhat +// significant increase in code complexity. +var globalLocationCache = newLocationCache() + +func newLocationCache() *locationCache { + return &locationCache{cache: make(map[int]*time.Location)} +} + +// Returns the cached timezone for the specified offset, creating and caching +// it if necessary. +func (c *locationCache) getLocation(offset int) *time.Location { + c.lock.Lock() + defer c.lock.Unlock() + + location, ok := c.cache[offset] + if !ok { + location = time.FixedZone("", offset) + c.cache[offset] = location + } + + return location +} + +var infinityTsEnabled = false +var infinityTsNegative time.Time +var infinityTsPositive time.Time + +const ( + infinityTsEnabledAlready = "pq: infinity timestamp enabled already" + infinityTsNegativeMustBeSmaller = "pq: infinity timestamp: negative value must be smaller (before) than positive" +) + +// EnableInfinityTs controls the handling of Postgres' "-infinity" and +// "infinity" "timestamp"s. +// +// If EnableInfinityTs is not called, "-infinity" and "infinity" will return +// []byte("-infinity") and []byte("infinity") respectively, and potentially +// cause error "sql: Scan error on column index 0: unsupported driver -> Scan +// pair: []uint8 -> *time.Time", when scanning into a time.Time value. +// +// Once EnableInfinityTs has been called, all connections created using this +// driver will decode Postgres' "-infinity" and "infinity" for "timestamp", +// "timestamp with time zone" and "date" types to the predefined minimum and +// maximum times, respectively. When encoding time.Time values, any time which +// equals or precedes the predefined minimum time will be encoded to +// "-infinity". Any values at or past the maximum time will similarly be +// encoded to "infinity". +// +// If EnableInfinityTs is called with negative >= positive, it will panic. +// Calling EnableInfinityTs after a connection has been established results in +// undefined behavior. If EnableInfinityTs is called more than once, it will +// panic. +func EnableInfinityTs(negative time.Time, positive time.Time) { + if infinityTsEnabled { + panic(infinityTsEnabledAlready) + } + if !negative.Before(positive) { + panic(infinityTsNegativeMustBeSmaller) + } + infinityTsEnabled = true + infinityTsNegative = negative + infinityTsPositive = positive +} + +/* + * Testing might want to toggle infinityTsEnabled + */ +func disableInfinityTs() { + infinityTsEnabled = false +} + +// This is a time function specific to the Postgres default DateStyle +// setting ("ISO, MDY"), the only one we currently support. This +// accounts for the discrepancies between the parsing available with +// time.Parse and the Postgres date formatting quirks. +func parseTs(currentLocation *time.Location, str string) interface{} { + switch str { + case "-infinity": + if infinityTsEnabled { + return infinityTsNegative + } + return []byte(str) + case "infinity": + if infinityTsEnabled { + return infinityTsPositive + } + return []byte(str) + } + t, err := ParseTimestamp(currentLocation, str) + if err != nil { + panic(err) + } + return t +} + +// ParseTimestamp parses Postgres' text format. It returns a time.Time in +// currentLocation iff that time's offset agrees with the offset sent from the +// Postgres server. Otherwise, ParseTimestamp returns a time.Time with the +// fixed offset offset provided by the Postgres server. +func ParseTimestamp(currentLocation *time.Location, str string) (time.Time, error) { + p := timestampParser{} + + monSep := strings.IndexRune(str, '-') + // this is Gregorian year, not ISO Year + // In Gregorian system, the year 1 BC is followed by AD 1 + year := p.mustAtoi(str, 0, monSep) + daySep := monSep + 3 + month := p.mustAtoi(str, monSep+1, daySep) + p.expect(str, '-', daySep) + timeSep := daySep + 3 + day := p.mustAtoi(str, daySep+1, timeSep) + + minLen := monSep + len("01-01") + 1 + + isBC := strings.HasSuffix(str, " BC") + if isBC { + minLen += 3 + } + + var hour, minute, second int + if len(str) > minLen { + p.expect(str, ' ', timeSep) + minSep := timeSep + 3 + p.expect(str, ':', minSep) + hour = p.mustAtoi(str, timeSep+1, minSep) + secSep := minSep + 3 + p.expect(str, ':', secSep) + minute = p.mustAtoi(str, minSep+1, secSep) + secEnd := secSep + 3 + second = p.mustAtoi(str, secSep+1, secEnd) + } + remainderIdx := monSep + len("01-01 00:00:00") + 1 + // Three optional (but ordered) sections follow: the + // fractional seconds, the time zone offset, and the BC + // designation. We set them up here and adjust the other + // offsets if the preceding sections exist. + + nanoSec := 0 + tzOff := 0 + + if remainderIdx < len(str) && str[remainderIdx] == '.' { + fracStart := remainderIdx + 1 + fracOff := strings.IndexAny(str[fracStart:], "-+Z ") + if fracOff < 0 { + fracOff = len(str) - fracStart + } + fracSec := p.mustAtoi(str, fracStart, fracStart+fracOff) + nanoSec = fracSec * (1000000000 / int(math.Pow(10, float64(fracOff)))) + + remainderIdx += fracOff + 1 + } + if tzStart := remainderIdx; tzStart < len(str) && (str[tzStart] == '-' || str[tzStart] == '+') { + // time zone separator is always '-' or '+' or 'Z' (UTC is +00) + var tzSign int + switch c := str[tzStart]; c { + case '-': + tzSign = -1 + case '+': + tzSign = +1 + default: + return time.Time{}, fmt.Errorf("expected '-' or '+' at position %v; got %v", tzStart, c) + } + tzHours := p.mustAtoi(str, tzStart+1, tzStart+3) + remainderIdx += 3 + var tzMin, tzSec int + if remainderIdx < len(str) && str[remainderIdx] == ':' { + tzMin = p.mustAtoi(str, remainderIdx+1, remainderIdx+3) + remainderIdx += 3 + } + if remainderIdx < len(str) && str[remainderIdx] == ':' { + tzSec = p.mustAtoi(str, remainderIdx+1, remainderIdx+3) + remainderIdx += 3 + } + tzOff = tzSign * ((tzHours * 60 * 60) + (tzMin * 60) + tzSec) + } else if tzStart < len(str) && str[tzStart] == 'Z' { + // time zone Z separator indicates UTC is +00 + remainderIdx += 1 + } + + var isoYear int + + if isBC { + isoYear = 1 - year + remainderIdx += 3 + } else { + isoYear = year + } + if remainderIdx < len(str) { + return time.Time{}, fmt.Errorf("expected end of input, got %v", str[remainderIdx:]) + } + t := time.Date(isoYear, time.Month(month), day, + hour, minute, second, nanoSec, + globalLocationCache.getLocation(tzOff)) + + if currentLocation != nil { + // Set the location of the returned Time based on the session's + // TimeZone value, but only if the local time zone database agrees with + // the remote database on the offset. + lt := t.In(currentLocation) + _, newOff := lt.Zone() + if newOff == tzOff { + t = lt + } + } + + return t, p.err +} + +// formatTs formats t into a format postgres understands. +func formatTs(t time.Time) []byte { + if infinityTsEnabled { + // t <= -infinity : ! (t > -infinity) + if !t.After(infinityTsNegative) { + return []byte("-infinity") + } + // t >= infinity : ! (!t < infinity) + if !t.Before(infinityTsPositive) { + return []byte("infinity") + } + } + return FormatTimestamp(t) +} + +// FormatTimestamp formats t into Postgres' text format for timestamps. +func FormatTimestamp(t time.Time) []byte { + // Need to send dates before 0001 A.D. with " BC" suffix, instead of the + // minus sign preferred by Go. + // Beware, "0000" in ISO is "1 BC", "-0001" is "2 BC" and so on + bc := false + if t.Year() <= 0 { + // flip year sign, and add 1, e.g: "0" will be "1", and "-10" will be "11" + t = t.AddDate((-t.Year())*2+1, 0, 0) + bc = true + } + b := []byte(t.Format("2006-01-02 15:04:05.999999999Z07:00")) + + _, offset := t.Zone() + offset %= 60 + if offset != 0 { + // RFC3339Nano already printed the minus sign + if offset < 0 { + offset = -offset + } + + b = append(b, ':') + if offset < 10 { + b = append(b, '0') + } + b = strconv.AppendInt(b, int64(offset), 10) + } + + if bc { + b = append(b, " BC"...) + } + return b +} + +// Parse a bytea value received from the server. Both "hex" and the legacy +// "escape" format are supported. +func parseBytea(s []byte) (result []byte, err error) { + if len(s) >= 2 && bytes.Equal(s[:2], []byte("\\x")) { + // bytea_output = hex + s = s[2:] // trim off leading "\\x" + result = make([]byte, hex.DecodedLen(len(s))) + _, err := hex.Decode(result, s) + if err != nil { + return nil, err + } + } else { + // bytea_output = escape + for len(s) > 0 { + if s[0] == '\\' { + // escaped '\\' + if len(s) >= 2 && s[1] == '\\' { + result = append(result, '\\') + s = s[2:] + continue + } + + // '\\' followed by an octal number + if len(s) < 4 { + return nil, fmt.Errorf("invalid bytea sequence %v", s) + } + r, err := strconv.ParseUint(string(s[1:4]), 8, 8) + if err != nil { + return nil, fmt.Errorf("could not parse bytea value: %s", err.Error()) + } + result = append(result, byte(r)) + s = s[4:] + } else { + // We hit an unescaped, raw byte. Try to read in as many as + // possible in one go. + i := bytes.IndexByte(s, '\\') + if i == -1 { + result = append(result, s...) + break + } + result = append(result, s[:i]...) + s = s[i:] + } + } + } + + return result, nil +} + +func encodeBytea(serverVersion int, v []byte) (result []byte) { + if serverVersion >= 90000 { + // Use the hex format if we know that the server supports it + result = make([]byte, 2+hex.EncodedLen(len(v))) + result[0] = '\\' + result[1] = 'x' + hex.Encode(result[2:], v) + } else { + // .. or resort to "escape" + for _, b := range v { + if b == '\\' { + result = append(result, '\\', '\\') + } else if b < 0x20 || b > 0x7e { + result = append(result, []byte(fmt.Sprintf("\\%03o", b))...) + } else { + result = append(result, b) + } + } + } + + return result +} + +// NullTime represents a time.Time that may be null. NullTime implements the +// sql.Scanner interface so it can be used as a scan destination, similar to +// sql.NullString. +type NullTime struct { + Time time.Time + Valid bool // Valid is true if Time is not NULL +} + +// Scan implements the Scanner interface. +func (nt *NullTime) Scan(value interface{}) error { + nt.Time, nt.Valid = value.(time.Time) + return nil +} + +// Value implements the driver Valuer interface. +func (nt NullTime) Value() (driver.Value, error) { + if !nt.Valid { + return nil, nil + } + return nt.Time, nil +} diff --git a/vendor/github.com/lib/pq/error.go b/vendor/github.com/lib/pq/error.go new file mode 100644 index 0000000000..f67c5a5fa6 --- /dev/null +++ b/vendor/github.com/lib/pq/error.go @@ -0,0 +1,523 @@ +package pq + +import ( + "database/sql/driver" + "fmt" + "io" + "net" + "runtime" +) + +// Error severities +const ( + Efatal = "FATAL" + Epanic = "PANIC" + Ewarning = "WARNING" + Enotice = "NOTICE" + Edebug = "DEBUG" + Einfo = "INFO" + Elog = "LOG" +) + +// Error represents an error communicating with the server. +// +// See http://www.postgresql.org/docs/current/static/protocol-error-fields.html for details of the fields +type Error struct { + Severity string + Code ErrorCode + Message string + Detail string + Hint string + Position string + InternalPosition string + InternalQuery string + Where string + Schema string + Table string + Column string + DataTypeName string + Constraint string + File string + Line string + Routine string +} + +// ErrorCode is a five-character error code. +type ErrorCode string + +// Name returns a more human friendly rendering of the error code, namely the +// "condition name". +// +// See http://www.postgresql.org/docs/9.3/static/errcodes-appendix.html for +// details. +func (ec ErrorCode) Name() string { + return errorCodeNames[ec] +} + +// ErrorClass is only the class part of an error code. +type ErrorClass string + +// Name returns the condition name of an error class. It is equivalent to the +// condition name of the "standard" error code (i.e. the one having the last +// three characters "000"). +func (ec ErrorClass) Name() string { + return errorCodeNames[ErrorCode(ec+"000")] +} + +// Class returns the error class, e.g. "28". +// +// See http://www.postgresql.org/docs/9.3/static/errcodes-appendix.html for +// details. +func (ec ErrorCode) Class() ErrorClass { + return ErrorClass(ec[0:2]) +} + +// errorCodeNames is a mapping between the five-character error codes and the +// human readable "condition names". It is derived from the list at +// http://www.postgresql.org/docs/9.3/static/errcodes-appendix.html +var errorCodeNames = map[ErrorCode]string{ + // Class 00 - Successful Completion + "00000": "successful_completion", + // Class 01 - Warning + "01000": "warning", + "0100C": "dynamic_result_sets_returned", + "01008": "implicit_zero_bit_padding", + "01003": "null_value_eliminated_in_set_function", + "01007": "privilege_not_granted", + "01006": "privilege_not_revoked", + "01004": "string_data_right_truncation", + "01P01": "deprecated_feature", + // Class 02 - No Data (this is also a warning class per the SQL standard) + "02000": "no_data", + "02001": "no_additional_dynamic_result_sets_returned", + // Class 03 - SQL Statement Not Yet Complete + "03000": "sql_statement_not_yet_complete", + // Class 08 - Connection Exception + "08000": "connection_exception", + "08003": "connection_does_not_exist", + "08006": "connection_failure", + "08001": "sqlclient_unable_to_establish_sqlconnection", + "08004": "sqlserver_rejected_establishment_of_sqlconnection", + "08007": "transaction_resolution_unknown", + "08P01": "protocol_violation", + // Class 09 - Triggered Action Exception + "09000": "triggered_action_exception", + // Class 0A - Feature Not Supported + "0A000": "feature_not_supported", + // Class 0B - Invalid Transaction Initiation + "0B000": "invalid_transaction_initiation", + // Class 0F - Locator Exception + "0F000": "locator_exception", + "0F001": "invalid_locator_specification", + // Class 0L - Invalid Grantor + "0L000": "invalid_grantor", + "0LP01": "invalid_grant_operation", + // Class 0P - Invalid Role Specification + "0P000": "invalid_role_specification", + // Class 0Z - Diagnostics Exception + "0Z000": "diagnostics_exception", + "0Z002": "stacked_diagnostics_accessed_without_active_handler", + // Class 20 - Case Not Found + "20000": "case_not_found", + // Class 21 - Cardinality Violation + "21000": "cardinality_violation", + // Class 22 - Data Exception + "22000": "data_exception", + "2202E": "array_subscript_error", + "22021": "character_not_in_repertoire", + "22008": "datetime_field_overflow", + "22012": "division_by_zero", + "22005": "error_in_assignment", + "2200B": "escape_character_conflict", + "22022": "indicator_overflow", + "22015": "interval_field_overflow", + "2201E": "invalid_argument_for_logarithm", + "22014": "invalid_argument_for_ntile_function", + "22016": "invalid_argument_for_nth_value_function", + "2201F": "invalid_argument_for_power_function", + "2201G": "invalid_argument_for_width_bucket_function", + "22018": "invalid_character_value_for_cast", + "22007": "invalid_datetime_format", + "22019": "invalid_escape_character", + "2200D": "invalid_escape_octet", + "22025": "invalid_escape_sequence", + "22P06": "nonstandard_use_of_escape_character", + "22010": "invalid_indicator_parameter_value", + "22023": "invalid_parameter_value", + "2201B": "invalid_regular_expression", + "2201W": "invalid_row_count_in_limit_clause", + "2201X": "invalid_row_count_in_result_offset_clause", + "22009": "invalid_time_zone_displacement_value", + "2200C": "invalid_use_of_escape_character", + "2200G": "most_specific_type_mismatch", + "22004": "null_value_not_allowed", + "22002": "null_value_no_indicator_parameter", + "22003": "numeric_value_out_of_range", + "2200H": "sequence_generator_limit_exceeded", + "22026": "string_data_length_mismatch", + "22001": "string_data_right_truncation", + "22011": "substring_error", + "22027": "trim_error", + "22024": "unterminated_c_string", + "2200F": "zero_length_character_string", + "22P01": "floating_point_exception", + "22P02": "invalid_text_representation", + "22P03": "invalid_binary_representation", + "22P04": "bad_copy_file_format", + "22P05": "untranslatable_character", + "2200L": "not_an_xml_document", + "2200M": "invalid_xml_document", + "2200N": "invalid_xml_content", + "2200S": "invalid_xml_comment", + "2200T": "invalid_xml_processing_instruction", + // Class 23 - Integrity Constraint Violation + "23000": "integrity_constraint_violation", + "23001": "restrict_violation", + "23502": "not_null_violation", + "23503": "foreign_key_violation", + "23505": "unique_violation", + "23514": "check_violation", + "23P01": "exclusion_violation", + // Class 24 - Invalid Cursor State + "24000": "invalid_cursor_state", + // Class 25 - Invalid Transaction State + "25000": "invalid_transaction_state", + "25001": "active_sql_transaction", + "25002": "branch_transaction_already_active", + "25008": "held_cursor_requires_same_isolation_level", + "25003": "inappropriate_access_mode_for_branch_transaction", + "25004": "inappropriate_isolation_level_for_branch_transaction", + "25005": "no_active_sql_transaction_for_branch_transaction", + "25006": "read_only_sql_transaction", + "25007": "schema_and_data_statement_mixing_not_supported", + "25P01": "no_active_sql_transaction", + "25P02": "in_failed_sql_transaction", + // Class 26 - Invalid SQL Statement Name + "26000": "invalid_sql_statement_name", + // Class 27 - Triggered Data Change Violation + "27000": "triggered_data_change_violation", + // Class 28 - Invalid Authorization Specification + "28000": "invalid_authorization_specification", + "28P01": "invalid_password", + // Class 2B - Dependent Privilege Descriptors Still Exist + "2B000": "dependent_privilege_descriptors_still_exist", + "2BP01": "dependent_objects_still_exist", + // Class 2D - Invalid Transaction Termination + "2D000": "invalid_transaction_termination", + // Class 2F - SQL Routine Exception + "2F000": "sql_routine_exception", + "2F005": "function_executed_no_return_statement", + "2F002": "modifying_sql_data_not_permitted", + "2F003": "prohibited_sql_statement_attempted", + "2F004": "reading_sql_data_not_permitted", + // Class 34 - Invalid Cursor Name + "34000": "invalid_cursor_name", + // Class 38 - External Routine Exception + "38000": "external_routine_exception", + "38001": "containing_sql_not_permitted", + "38002": "modifying_sql_data_not_permitted", + "38003": "prohibited_sql_statement_attempted", + "38004": "reading_sql_data_not_permitted", + // Class 39 - External Routine Invocation Exception + "39000": "external_routine_invocation_exception", + "39001": "invalid_sqlstate_returned", + "39004": "null_value_not_allowed", + "39P01": "trigger_protocol_violated", + "39P02": "srf_protocol_violated", + // Class 3B - Savepoint Exception + "3B000": "savepoint_exception", + "3B001": "invalid_savepoint_specification", + // Class 3D - Invalid Catalog Name + "3D000": "invalid_catalog_name", + // Class 3F - Invalid Schema Name + "3F000": "invalid_schema_name", + // Class 40 - Transaction Rollback + "40000": "transaction_rollback", + "40002": "transaction_integrity_constraint_violation", + "40001": "serialization_failure", + "40003": "statement_completion_unknown", + "40P01": "deadlock_detected", + // Class 42 - Syntax Error or Access Rule Violation + "42000": "syntax_error_or_access_rule_violation", + "42601": "syntax_error", + "42501": "insufficient_privilege", + "42846": "cannot_coerce", + "42803": "grouping_error", + "42P20": "windowing_error", + "42P19": "invalid_recursion", + "42830": "invalid_foreign_key", + "42602": "invalid_name", + "42622": "name_too_long", + "42939": "reserved_name", + "42804": "datatype_mismatch", + "42P18": "indeterminate_datatype", + "42P21": "collation_mismatch", + "42P22": "indeterminate_collation", + "42809": "wrong_object_type", + "42703": "undefined_column", + "42883": "undefined_function", + "42P01": "undefined_table", + "42P02": "undefined_parameter", + "42704": "undefined_object", + "42701": "duplicate_column", + "42P03": "duplicate_cursor", + "42P04": "duplicate_database", + "42723": "duplicate_function", + "42P05": "duplicate_prepared_statement", + "42P06": "duplicate_schema", + "42P07": "duplicate_table", + "42712": "duplicate_alias", + "42710": "duplicate_object", + "42702": "ambiguous_column", + "42725": "ambiguous_function", + "42P08": "ambiguous_parameter", + "42P09": "ambiguous_alias", + "42P10": "invalid_column_reference", + "42611": "invalid_column_definition", + "42P11": "invalid_cursor_definition", + "42P12": "invalid_database_definition", + "42P13": "invalid_function_definition", + "42P14": "invalid_prepared_statement_definition", + "42P15": "invalid_schema_definition", + "42P16": "invalid_table_definition", + "42P17": "invalid_object_definition", + // Class 44 - WITH CHECK OPTION Violation + "44000": "with_check_option_violation", + // Class 53 - Insufficient Resources + "53000": "insufficient_resources", + "53100": "disk_full", + "53200": "out_of_memory", + "53300": "too_many_connections", + "53400": "configuration_limit_exceeded", + // Class 54 - Program Limit Exceeded + "54000": "program_limit_exceeded", + "54001": "statement_too_complex", + "54011": "too_many_columns", + "54023": "too_many_arguments", + // Class 55 - Object Not In Prerequisite State + "55000": "object_not_in_prerequisite_state", + "55006": "object_in_use", + "55P02": "cant_change_runtime_param", + "55P03": "lock_not_available", + // Class 57 - Operator Intervention + "57000": "operator_intervention", + "57014": "query_canceled", + "57P01": "admin_shutdown", + "57P02": "crash_shutdown", + "57P03": "cannot_connect_now", + "57P04": "database_dropped", + // Class 58 - System Error (errors external to PostgreSQL itself) + "58000": "system_error", + "58030": "io_error", + "58P01": "undefined_file", + "58P02": "duplicate_file", + // Class F0 - Configuration File Error + "F0000": "config_file_error", + "F0001": "lock_file_exists", + // Class HV - Foreign Data Wrapper Error (SQL/MED) + "HV000": "fdw_error", + "HV005": "fdw_column_name_not_found", + "HV002": "fdw_dynamic_parameter_value_needed", + "HV010": "fdw_function_sequence_error", + "HV021": "fdw_inconsistent_descriptor_information", + "HV024": "fdw_invalid_attribute_value", + "HV007": "fdw_invalid_column_name", + "HV008": "fdw_invalid_column_number", + "HV004": "fdw_invalid_data_type", + "HV006": "fdw_invalid_data_type_descriptors", + "HV091": "fdw_invalid_descriptor_field_identifier", + "HV00B": "fdw_invalid_handle", + "HV00C": "fdw_invalid_option_index", + "HV00D": "fdw_invalid_option_name", + "HV090": "fdw_invalid_string_length_or_buffer_length", + "HV00A": "fdw_invalid_string_format", + "HV009": "fdw_invalid_use_of_null_pointer", + "HV014": "fdw_too_many_handles", + "HV001": "fdw_out_of_memory", + "HV00P": "fdw_no_schemas", + "HV00J": "fdw_option_name_not_found", + "HV00K": "fdw_reply_handle", + "HV00Q": "fdw_schema_not_found", + "HV00R": "fdw_table_not_found", + "HV00L": "fdw_unable_to_create_execution", + "HV00M": "fdw_unable_to_create_reply", + "HV00N": "fdw_unable_to_establish_connection", + // Class P0 - PL/pgSQL Error + "P0000": "plpgsql_error", + "P0001": "raise_exception", + "P0002": "no_data_found", + "P0003": "too_many_rows", + // Class XX - Internal Error + "XX000": "internal_error", + "XX001": "data_corrupted", + "XX002": "index_corrupted", +} + +func parseError(r *readBuf) *Error { + err := new(Error) + for t := r.byte(); t != 0; t = r.byte() { + msg := r.string() + switch t { + case 'S': + err.Severity = msg + case 'C': + err.Code = ErrorCode(msg) + case 'M': + err.Message = msg + case 'D': + err.Detail = msg + case 'H': + err.Hint = msg + case 'P': + err.Position = msg + case 'p': + err.InternalPosition = msg + case 'q': + err.InternalQuery = msg + case 'W': + err.Where = msg + case 's': + err.Schema = msg + case 't': + err.Table = msg + case 'c': + err.Column = msg + case 'd': + err.DataTypeName = msg + case 'n': + err.Constraint = msg + case 'F': + err.File = msg + case 'L': + err.Line = msg + case 'R': + err.Routine = msg + } + } + return err +} + +// Fatal returns true if the Error Severity is fatal. +func (err *Error) Fatal() bool { + return err.Severity == Efatal +} + +// SQLState returns the SQLState of the error. +func (err *Error) SQLState() string { + return string(err.Code) +} + +// Get implements the legacy PGError interface. New code should use the fields +// of the Error struct directly. +func (err *Error) Get(k byte) (v string) { + switch k { + case 'S': + return err.Severity + case 'C': + return string(err.Code) + case 'M': + return err.Message + case 'D': + return err.Detail + case 'H': + return err.Hint + case 'P': + return err.Position + case 'p': + return err.InternalPosition + case 'q': + return err.InternalQuery + case 'W': + return err.Where + case 's': + return err.Schema + case 't': + return err.Table + case 'c': + return err.Column + case 'd': + return err.DataTypeName + case 'n': + return err.Constraint + case 'F': + return err.File + case 'L': + return err.Line + case 'R': + return err.Routine + } + return "" +} + +func (err *Error) Error() string { + return "pq: " + err.Message +} + +// PGError is an interface used by previous versions of pq. It is provided +// only to support legacy code. New code should use the Error type. +type PGError interface { + Error() string + Fatal() bool + Get(k byte) (v string) +} + +func errorf(s string, args ...interface{}) { + panic(fmt.Errorf("pq: %s", fmt.Sprintf(s, args...))) +} + +// TODO(ainar-g) Rename to errorf after removing panics. +func fmterrorf(s string, args ...interface{}) error { + return fmt.Errorf("pq: %s", fmt.Sprintf(s, args...)) +} + +func errRecoverNoErrBadConn(err *error) { + e := recover() + if e == nil { + // Do nothing + return + } + var ok bool + *err, ok = e.(error) + if !ok { + *err = fmt.Errorf("pq: unexpected error: %#v", e) + } +} + +func (cn *conn) errRecover(err *error) { + e := recover() + switch v := e.(type) { + case nil: + // Do nothing + case runtime.Error: + cn.err.set(driver.ErrBadConn) + panic(v) + case *Error: + if v.Fatal() { + *err = driver.ErrBadConn + } else { + *err = v + } + case *net.OpError: + cn.err.set(driver.ErrBadConn) + *err = v + case *safeRetryError: + cn.err.set(driver.ErrBadConn) + *err = driver.ErrBadConn + case error: + if v == io.EOF || v.Error() == "remote error: handshake failure" { + *err = driver.ErrBadConn + } else { + *err = v + } + + default: + cn.err.set(driver.ErrBadConn) + panic(fmt.Sprintf("unknown error: %#v", e)) + } + + // Any time we return ErrBadConn, we need to remember it since *Tx doesn't + // mark the connection bad in database/sql. + if *err == driver.ErrBadConn { + cn.err.set(driver.ErrBadConn) + } +} diff --git a/vendor/github.com/lib/pq/krb.go b/vendor/github.com/lib/pq/krb.go new file mode 100644 index 0000000000..408ec01f97 --- /dev/null +++ b/vendor/github.com/lib/pq/krb.go @@ -0,0 +1,27 @@ +package pq + +// NewGSSFunc creates a GSS authentication provider, for use with +// RegisterGSSProvider. +type NewGSSFunc func() (GSS, error) + +var newGss NewGSSFunc + +// RegisterGSSProvider registers a GSS authentication provider. For example, if +// you need to use Kerberos to authenticate with your server, add this to your +// main package: +// +// import "github.com/lib/pq/auth/kerberos" +// +// func init() { +// pq.RegisterGSSProvider(func() (pq.GSS, error) { return kerberos.NewGSS() }) +// } +func RegisterGSSProvider(newGssArg NewGSSFunc) { + newGss = newGssArg +} + +// GSS provides GSSAPI authentication (e.g., Kerberos). +type GSS interface { + GetInitToken(host string, service string) ([]byte, error) + GetInitTokenFromSpn(spn string) ([]byte, error) + Continue(inToken []byte) (done bool, outToken []byte, err error) +} diff --git a/vendor/github.com/lib/pq/notice.go b/vendor/github.com/lib/pq/notice.go new file mode 100644 index 0000000000..70ad122a7d --- /dev/null +++ b/vendor/github.com/lib/pq/notice.go @@ -0,0 +1,72 @@ +//go:build go1.10 +// +build go1.10 + +package pq + +import ( + "context" + "database/sql/driver" +) + +// NoticeHandler returns the notice handler on the given connection, if any. A +// runtime panic occurs if c is not a pq connection. This is rarely used +// directly, use ConnectorNoticeHandler and ConnectorWithNoticeHandler instead. +func NoticeHandler(c driver.Conn) func(*Error) { + return c.(*conn).noticeHandler +} + +// SetNoticeHandler sets the given notice handler on the given connection. A +// runtime panic occurs if c is not a pq connection. A nil handler may be used +// to unset it. This is rarely used directly, use ConnectorNoticeHandler and +// ConnectorWithNoticeHandler instead. +// +// Note: Notice handlers are executed synchronously by pq meaning commands +// won't continue to be processed until the handler returns. +func SetNoticeHandler(c driver.Conn, handler func(*Error)) { + c.(*conn).noticeHandler = handler +} + +// NoticeHandlerConnector wraps a regular connector and sets a notice handler +// on it. +type NoticeHandlerConnector struct { + driver.Connector + noticeHandler func(*Error) +} + +// Connect calls the underlying connector's connect method and then sets the +// notice handler. +func (n *NoticeHandlerConnector) Connect(ctx context.Context) (driver.Conn, error) { + c, err := n.Connector.Connect(ctx) + if err == nil { + SetNoticeHandler(c, n.noticeHandler) + } + return c, err +} + +// ConnectorNoticeHandler returns the currently set notice handler, if any. If +// the given connector is not a result of ConnectorWithNoticeHandler, nil is +// returned. +func ConnectorNoticeHandler(c driver.Connector) func(*Error) { + if c, ok := c.(*NoticeHandlerConnector); ok { + return c.noticeHandler + } + return nil +} + +// ConnectorWithNoticeHandler creates or sets the given handler for the given +// connector. If the given connector is a result of calling this function +// previously, it is simply set on the given connector and returned. Otherwise, +// this returns a new connector wrapping the given one and setting the notice +// handler. A nil notice handler may be used to unset it. +// +// The returned connector is intended to be used with database/sql.OpenDB. +// +// Note: Notice handlers are executed synchronously by pq meaning commands +// won't continue to be processed until the handler returns. +func ConnectorWithNoticeHandler(c driver.Connector, handler func(*Error)) *NoticeHandlerConnector { + if c, ok := c.(*NoticeHandlerConnector); ok { + c.noticeHandler = handler + return c + } + return &NoticeHandlerConnector{Connector: c, noticeHandler: handler} +} diff --git a/vendor/github.com/lib/pq/notify.go b/vendor/github.com/lib/pq/notify.go new file mode 100644 index 0000000000..5c421fdb8b --- /dev/null +++ b/vendor/github.com/lib/pq/notify.go @@ -0,0 +1,858 @@ +package pq + +// Package pq is a pure Go Postgres driver for the database/sql package. +// This module contains support for Postgres LISTEN/NOTIFY. + +import ( + "context" + "database/sql/driver" + "errors" + "fmt" + "sync" + "sync/atomic" + "time" +) + +// Notification represents a single notification from the database. +type Notification struct { + // Process ID (PID) of the notifying postgres backend. + BePid int + // Name of the channel the notification was sent on. + Channel string + // Payload, or the empty string if unspecified. + Extra string +} + +func recvNotification(r *readBuf) *Notification { + bePid := r.int32() + channel := r.string() + extra := r.string() + + return &Notification{bePid, channel, extra} +} + +// SetNotificationHandler sets the given notification handler on the given +// connection. A runtime panic occurs if c is not a pq connection. A nil handler +// may be used to unset it. +// +// Note: Notification handlers are executed synchronously by pq meaning commands +// won't continue to be processed until the handler returns. +func SetNotificationHandler(c driver.Conn, handler func(*Notification)) { + c.(*conn).notificationHandler = handler +} + +// NotificationHandlerConnector wraps a regular connector and sets a notification handler +// on it. +type NotificationHandlerConnector struct { + driver.Connector + notificationHandler func(*Notification) +} + +// Connect calls the underlying connector's connect method and then sets the +// notification handler. +func (n *NotificationHandlerConnector) Connect(ctx context.Context) (driver.Conn, error) { + c, err := n.Connector.Connect(ctx) + if err == nil { + SetNotificationHandler(c, n.notificationHandler) + } + return c, err +} + +// ConnectorNotificationHandler returns the currently set notification handler, if any. If +// the given connector is not a result of ConnectorWithNotificationHandler, nil is +// returned. +func ConnectorNotificationHandler(c driver.Connector) func(*Notification) { + if c, ok := c.(*NotificationHandlerConnector); ok { + return c.notificationHandler + } + return nil +} + +// ConnectorWithNotificationHandler creates or sets the given handler for the given +// connector. If the given connector is a result of calling this function +// previously, it is simply set on the given connector and returned. Otherwise, +// this returns a new connector wrapping the given one and setting the notification +// handler. A nil notification handler may be used to unset it. +// +// The returned connector is intended to be used with database/sql.OpenDB. +// +// Note: Notification handlers are executed synchronously by pq meaning commands +// won't continue to be processed until the handler returns. +func ConnectorWithNotificationHandler(c driver.Connector, handler func(*Notification)) *NotificationHandlerConnector { + if c, ok := c.(*NotificationHandlerConnector); ok { + c.notificationHandler = handler + return c + } + return &NotificationHandlerConnector{Connector: c, notificationHandler: handler} +} + +const ( + connStateIdle int32 = iota + connStateExpectResponse + connStateExpectReadyForQuery +) + +type message struct { + typ byte + err error +} + +var errListenerConnClosed = errors.New("pq: ListenerConn has been closed") + +// ListenerConn is a low-level interface for waiting for notifications. You +// should use Listener instead. +type ListenerConn struct { + // guards cn and err + connectionLock sync.Mutex + cn *conn + err error + + connState int32 + + // the sending goroutine will be holding this lock + senderLock sync.Mutex + + notificationChan chan<- *Notification + + replyChan chan message +} + +// NewListenerConn creates a new ListenerConn. Use NewListener instead. +func NewListenerConn(name string, notificationChan chan<- *Notification) (*ListenerConn, error) { + return newDialListenerConn(defaultDialer{}, name, notificationChan) +} + +func newDialListenerConn(d Dialer, name string, c chan<- *Notification) (*ListenerConn, error) { + cn, err := DialOpen(d, name) + if err != nil { + return nil, err + } + + l := &ListenerConn{ + cn: cn.(*conn), + notificationChan: c, + connState: connStateIdle, + replyChan: make(chan message, 2), + } + + go l.listenerConnMain() + + return l, nil +} + +// We can only allow one goroutine at a time to be running a query on the +// connection for various reasons, so the goroutine sending on the connection +// must be holding senderLock. +// +// Returns an error if an unrecoverable error has occurred and the ListenerConn +// should be abandoned. +func (l *ListenerConn) acquireSenderLock() error { + // we must acquire senderLock first to avoid deadlocks; see ExecSimpleQuery + l.senderLock.Lock() + + l.connectionLock.Lock() + err := l.err + l.connectionLock.Unlock() + if err != nil { + l.senderLock.Unlock() + return err + } + return nil +} + +func (l *ListenerConn) releaseSenderLock() { + l.senderLock.Unlock() +} + +// setState advances the protocol state to newState. Returns false if moving +// to that state from the current state is not allowed. +func (l *ListenerConn) setState(newState int32) bool { + var expectedState int32 + + switch newState { + case connStateIdle: + expectedState = connStateExpectReadyForQuery + case connStateExpectResponse: + expectedState = connStateIdle + case connStateExpectReadyForQuery: + expectedState = connStateExpectResponse + default: + panic(fmt.Sprintf("unexpected listenerConnState %d", newState)) + } + + return atomic.CompareAndSwapInt32(&l.connState, expectedState, newState) +} + +// Main logic is here: receive messages from the postgres backend, forward +// notifications and query replies and keep the internal state in sync with the +// protocol state. Returns when the connection has been lost, is about to go +// away or should be discarded because we couldn't agree on the state with the +// server backend. +func (l *ListenerConn) listenerConnLoop() (err error) { + defer errRecoverNoErrBadConn(&err) + + r := &readBuf{} + for { + t, err := l.cn.recvMessage(r) + if err != nil { + return err + } + + switch t { + case 'A': + // recvNotification copies all the data so we don't need to worry + // about the scratch buffer being overwritten. + l.notificationChan <- recvNotification(r) + + case 'T', 'D': + // only used by tests; ignore + + case 'E': + // We might receive an ErrorResponse even when not in a query; it + // is expected that the server will close the connection after + // that, but we should make sure that the error we display is the + // one from the stray ErrorResponse, not io.ErrUnexpectedEOF. + if !l.setState(connStateExpectReadyForQuery) { + return parseError(r) + } + l.replyChan <- message{t, parseError(r)} + + case 'C', 'I': + if !l.setState(connStateExpectReadyForQuery) { + // protocol out of sync + return fmt.Errorf("unexpected CommandComplete") + } + // ExecSimpleQuery doesn't need to know about this message + + case 'Z': + if !l.setState(connStateIdle) { + // protocol out of sync + return fmt.Errorf("unexpected ReadyForQuery") + } + l.replyChan <- message{t, nil} + + case 'S': + // ignore + case 'N': + if n := l.cn.noticeHandler; n != nil { + n(parseError(r)) + } + default: + return fmt.Errorf("unexpected message %q from server in listenerConnLoop", t) + } + } +} + +// This is the main routine for the goroutine receiving on the database +// connection. Most of the main logic is in listenerConnLoop. +func (l *ListenerConn) listenerConnMain() { + err := l.listenerConnLoop() + + // listenerConnLoop terminated; we're done, but we still have to clean up. + // Make sure nobody tries to start any new queries by making sure the err + // pointer is set. It is important that we do not overwrite its value; a + // connection could be closed by either this goroutine or one sending on + // the connection -- whoever closes the connection is assumed to have the + // more meaningful error message (as the other one will probably get + // net.errClosed), so that goroutine sets the error we expose while the + // other error is discarded. If the connection is lost while two + // goroutines are operating on the socket, it probably doesn't matter which + // error we expose so we don't try to do anything more complex. + l.connectionLock.Lock() + if l.err == nil { + l.err = err + } + l.cn.Close() + l.connectionLock.Unlock() + + // There might be a query in-flight; make sure nobody's waiting for a + // response to it, since there's not going to be one. + close(l.replyChan) + + // let the listener know we're done + close(l.notificationChan) + + // this ListenerConn is done +} + +// Listen sends a LISTEN query to the server. See ExecSimpleQuery. +func (l *ListenerConn) Listen(channel string) (bool, error) { + return l.ExecSimpleQuery("LISTEN " + QuoteIdentifier(channel)) +} + +// Unlisten sends an UNLISTEN query to the server. See ExecSimpleQuery. +func (l *ListenerConn) Unlisten(channel string) (bool, error) { + return l.ExecSimpleQuery("UNLISTEN " + QuoteIdentifier(channel)) +} + +// UnlistenAll sends an `UNLISTEN *` query to the server. See ExecSimpleQuery. +func (l *ListenerConn) UnlistenAll() (bool, error) { + return l.ExecSimpleQuery("UNLISTEN *") +} + +// Ping the remote server to make sure it's alive. Non-nil error means the +// connection has failed and should be abandoned. +func (l *ListenerConn) Ping() error { + sent, err := l.ExecSimpleQuery("") + if !sent { + return err + } + if err != nil { + // shouldn't happen + panic(err) + } + return nil +} + +// Attempt to send a query on the connection. Returns an error if sending the +// query failed, and the caller should initiate closure of this connection. +// The caller must be holding senderLock (see acquireSenderLock and +// releaseSenderLock). +func (l *ListenerConn) sendSimpleQuery(q string) (err error) { + defer errRecoverNoErrBadConn(&err) + + // must set connection state before sending the query + if !l.setState(connStateExpectResponse) { + panic("two queries running at the same time") + } + + // Can't use l.cn.writeBuf here because it uses the scratch buffer which + // might get overwritten by listenerConnLoop. + b := &writeBuf{ + buf: []byte("Q\x00\x00\x00\x00"), + pos: 1, + } + b.string(q) + l.cn.send(b) + + return nil +} + +// ExecSimpleQuery executes a "simple query" (i.e. one with no bindable +// parameters) on the connection. The possible return values are: +// 1) "executed" is true; the query was executed to completion on the +// database server. If the query failed, err will be set to the error +// returned by the database, otherwise err will be nil. +// 2) If "executed" is false, the query could not be executed on the remote +// server. err will be non-nil. +// +// After a call to ExecSimpleQuery has returned an executed=false value, the +// connection has either been closed or will be closed shortly thereafter, and +// all subsequently executed queries will return an error. +func (l *ListenerConn) ExecSimpleQuery(q string) (executed bool, err error) { + if err = l.acquireSenderLock(); err != nil { + return false, err + } + defer l.releaseSenderLock() + + err = l.sendSimpleQuery(q) + if err != nil { + // We can't know what state the protocol is in, so we need to abandon + // this connection. + l.connectionLock.Lock() + // Set the error pointer if it hasn't been set already; see + // listenerConnMain. + if l.err == nil { + l.err = err + } + l.connectionLock.Unlock() + l.cn.c.Close() + return false, err + } + + // now we just wait for a reply.. + for { + m, ok := <-l.replyChan + if !ok { + // We lost the connection to server, don't bother waiting for a + // a response. err should have been set already. + l.connectionLock.Lock() + err := l.err + l.connectionLock.Unlock() + return false, err + } + switch m.typ { + case 'Z': + // sanity check + if m.err != nil { + panic("m.err != nil") + } + // done; err might or might not be set + return true, err + + case 'E': + // sanity check + if m.err == nil { + panic("m.err == nil") + } + // server responded with an error; ReadyForQuery to follow + err = m.err + + default: + return false, fmt.Errorf("unknown response for simple query: %q", m.typ) + } + } +} + +// Close closes the connection. +func (l *ListenerConn) Close() error { + l.connectionLock.Lock() + if l.err != nil { + l.connectionLock.Unlock() + return errListenerConnClosed + } + l.err = errListenerConnClosed + l.connectionLock.Unlock() + // We can't send anything on the connection without holding senderLock. + // Simply close the net.Conn to wake up everyone operating on it. + return l.cn.c.Close() +} + +// Err returns the reason the connection was closed. It is not safe to call +// this function until l.Notify has been closed. +func (l *ListenerConn) Err() error { + return l.err +} + +var errListenerClosed = errors.New("pq: Listener has been closed") + +// ErrChannelAlreadyOpen is returned from Listen when a channel is already +// open. +var ErrChannelAlreadyOpen = errors.New("pq: channel is already open") + +// ErrChannelNotOpen is returned from Unlisten when a channel is not open. +var ErrChannelNotOpen = errors.New("pq: channel is not open") + +// ListenerEventType is an enumeration of listener event types. +type ListenerEventType int + +const ( + // ListenerEventConnected is emitted only when the database connection + // has been initially initialized. The err argument of the callback + // will always be nil. + ListenerEventConnected ListenerEventType = iota + + // ListenerEventDisconnected is emitted after a database connection has + // been lost, either because of an error or because Close has been + // called. The err argument will be set to the reason the database + // connection was lost. + ListenerEventDisconnected + + // ListenerEventReconnected is emitted after a database connection has + // been re-established after connection loss. The err argument of the + // callback will always be nil. After this event has been emitted, a + // nil pq.Notification is sent on the Listener.Notify channel. + ListenerEventReconnected + + // ListenerEventConnectionAttemptFailed is emitted after a connection + // to the database was attempted, but failed. The err argument will be + // set to an error describing why the connection attempt did not + // succeed. + ListenerEventConnectionAttemptFailed +) + +// EventCallbackType is the event callback type. See also ListenerEventType +// constants' documentation. +type EventCallbackType func(event ListenerEventType, err error) + +// Listener provides an interface for listening to notifications from a +// PostgreSQL database. For general usage information, see section +// "Notifications". +// +// Listener can safely be used from concurrently running goroutines. +type Listener struct { + // Channel for receiving notifications from the database. In some cases a + // nil value will be sent. See section "Notifications" above. + Notify chan *Notification + + name string + minReconnectInterval time.Duration + maxReconnectInterval time.Duration + dialer Dialer + eventCallback EventCallbackType + + lock sync.Mutex + isClosed bool + reconnectCond *sync.Cond + cn *ListenerConn + connNotificationChan <-chan *Notification + channels map[string]struct{} +} + +// NewListener creates a new database connection dedicated to LISTEN / NOTIFY. +// +// name should be set to a connection string to be used to establish the +// database connection (see section "Connection String Parameters" above). +// +// minReconnectInterval controls the duration to wait before trying to +// re-establish the database connection after connection loss. After each +// consecutive failure this interval is doubled, until maxReconnectInterval is +// reached. Successfully completing the connection establishment procedure +// resets the interval back to minReconnectInterval. +// +// The last parameter eventCallback can be set to a function which will be +// called by the Listener when the state of the underlying database connection +// changes. This callback will be called by the goroutine which dispatches the +// notifications over the Notify channel, so you should try to avoid doing +// potentially time-consuming operations from the callback. +func NewListener(name string, + minReconnectInterval time.Duration, + maxReconnectInterval time.Duration, + eventCallback EventCallbackType) *Listener { + return NewDialListener(defaultDialer{}, name, minReconnectInterval, maxReconnectInterval, eventCallback) +} + +// NewDialListener is like NewListener but it takes a Dialer. +func NewDialListener(d Dialer, + name string, + minReconnectInterval time.Duration, + maxReconnectInterval time.Duration, + eventCallback EventCallbackType) *Listener { + + l := &Listener{ + name: name, + minReconnectInterval: minReconnectInterval, + maxReconnectInterval: maxReconnectInterval, + dialer: d, + eventCallback: eventCallback, + + channels: make(map[string]struct{}), + + Notify: make(chan *Notification, 32), + } + l.reconnectCond = sync.NewCond(&l.lock) + + go l.listenerMain() + + return l +} + +// NotificationChannel returns the notification channel for this listener. +// This is the same channel as Notify, and will not be recreated during the +// life time of the Listener. +func (l *Listener) NotificationChannel() <-chan *Notification { + return l.Notify +} + +// Listen starts listening for notifications on a channel. Calls to this +// function will block until an acknowledgement has been received from the +// server. Note that Listener automatically re-establishes the connection +// after connection loss, so this function may block indefinitely if the +// connection can not be re-established. +// +// Listen will only fail in three conditions: +// 1) The channel is already open. The returned error will be +// ErrChannelAlreadyOpen. +// 2) The query was executed on the remote server, but PostgreSQL returned an +// error message in response to the query. The returned error will be a +// pq.Error containing the information the server supplied. +// 3) Close is called on the Listener before the request could be completed. +// +// The channel name is case-sensitive. +func (l *Listener) Listen(channel string) error { + l.lock.Lock() + defer l.lock.Unlock() + + if l.isClosed { + return errListenerClosed + } + + // The server allows you to issue a LISTEN on a channel which is already + // open, but it seems useful to be able to detect this case to spot for + // mistakes in application logic. If the application genuinely does't + // care, it can check the exported error and ignore it. + _, exists := l.channels[channel] + if exists { + return ErrChannelAlreadyOpen + } + + if l.cn != nil { + // If gotResponse is true but error is set, the query was executed on + // the remote server, but resulted in an error. This should be + // relatively rare, so it's fine if we just pass the error to our + // caller. However, if gotResponse is false, we could not complete the + // query on the remote server and our underlying connection is about + // to go away, so we only add relname to l.channels, and wait for + // resync() to take care of the rest. + gotResponse, err := l.cn.Listen(channel) + if gotResponse && err != nil { + return err + } + } + + l.channels[channel] = struct{}{} + for l.cn == nil { + l.reconnectCond.Wait() + // we let go of the mutex for a while + if l.isClosed { + return errListenerClosed + } + } + + return nil +} + +// Unlisten removes a channel from the Listener's channel list. Returns +// ErrChannelNotOpen if the Listener is not listening on the specified channel. +// Returns immediately with no error if there is no connection. Note that you +// might still get notifications for this channel even after Unlisten has +// returned. +// +// The channel name is case-sensitive. +func (l *Listener) Unlisten(channel string) error { + l.lock.Lock() + defer l.lock.Unlock() + + if l.isClosed { + return errListenerClosed + } + + // Similarly to LISTEN, this is not an error in Postgres, but it seems + // useful to distinguish from the normal conditions. + _, exists := l.channels[channel] + if !exists { + return ErrChannelNotOpen + } + + if l.cn != nil { + // Similarly to Listen (see comment in that function), the caller + // should only be bothered with an error if it came from the backend as + // a response to our query. + gotResponse, err := l.cn.Unlisten(channel) + if gotResponse && err != nil { + return err + } + } + + // Don't bother waiting for resync if there's no connection. + delete(l.channels, channel) + return nil +} + +// UnlistenAll removes all channels from the Listener's channel list. Returns +// immediately with no error if there is no connection. Note that you might +// still get notifications for any of the deleted channels even after +// UnlistenAll has returned. +func (l *Listener) UnlistenAll() error { + l.lock.Lock() + defer l.lock.Unlock() + + if l.isClosed { + return errListenerClosed + } + + if l.cn != nil { + // Similarly to Listen (see comment in that function), the caller + // should only be bothered with an error if it came from the backend as + // a response to our query. + gotResponse, err := l.cn.UnlistenAll() + if gotResponse && err != nil { + return err + } + } + + // Don't bother waiting for resync if there's no connection. + l.channels = make(map[string]struct{}) + return nil +} + +// Ping the remote server to make sure it's alive. Non-nil return value means +// that there is no active connection. +func (l *Listener) Ping() error { + l.lock.Lock() + defer l.lock.Unlock() + + if l.isClosed { + return errListenerClosed + } + if l.cn == nil { + return errors.New("no connection") + } + + return l.cn.Ping() +} + +// Clean up after losing the server connection. Returns l.cn.Err(), which +// should have the reason the connection was lost. +func (l *Listener) disconnectCleanup() error { + l.lock.Lock() + defer l.lock.Unlock() + + // sanity check; can't look at Err() until the channel has been closed + select { + case _, ok := <-l.connNotificationChan: + if ok { + panic("connNotificationChan not closed") + } + default: + panic("connNotificationChan not closed") + } + + err := l.cn.Err() + l.cn.Close() + l.cn = nil + return err +} + +// Synchronize the list of channels we want to be listening on with the server +// after the connection has been established. +func (l *Listener) resync(cn *ListenerConn, notificationChan <-chan *Notification) error { + doneChan := make(chan error) + go func(notificationChan <-chan *Notification) { + for channel := range l.channels { + // If we got a response, return that error to our caller as it's + // going to be more descriptive than cn.Err(). + gotResponse, err := cn.Listen(channel) + if gotResponse && err != nil { + doneChan <- err + return + } + + // If we couldn't reach the server, wait for notificationChan to + // close and then return the error message from the connection, as + // per ListenerConn's interface. + if err != nil { + for range notificationChan { + } + doneChan <- cn.Err() + return + } + } + doneChan <- nil + }(notificationChan) + + // Ignore notifications while synchronization is going on to avoid + // deadlocks. We have to send a nil notification over Notify anyway as + // we can't possibly know which notifications (if any) were lost while + // the connection was down, so there's no reason to try and process + // these messages at all. + for { + select { + case _, ok := <-notificationChan: + if !ok { + notificationChan = nil + } + + case err := <-doneChan: + return err + } + } +} + +// caller should NOT be holding l.lock +func (l *Listener) closed() bool { + l.lock.Lock() + defer l.lock.Unlock() + + return l.isClosed +} + +func (l *Listener) connect() error { + notificationChan := make(chan *Notification, 32) + cn, err := newDialListenerConn(l.dialer, l.name, notificationChan) + if err != nil { + return err + } + + l.lock.Lock() + defer l.lock.Unlock() + + err = l.resync(cn, notificationChan) + if err != nil { + cn.Close() + return err + } + + l.cn = cn + l.connNotificationChan = notificationChan + l.reconnectCond.Broadcast() + + return nil +} + +// Close disconnects the Listener from the database and shuts it down. +// Subsequent calls to its methods will return an error. Close returns an +// error if the connection has already been closed. +func (l *Listener) Close() error { + l.lock.Lock() + defer l.lock.Unlock() + + if l.isClosed { + return errListenerClosed + } + + if l.cn != nil { + l.cn.Close() + } + l.isClosed = true + + // Unblock calls to Listen() + l.reconnectCond.Broadcast() + + return nil +} + +func (l *Listener) emitEvent(event ListenerEventType, err error) { + if l.eventCallback != nil { + l.eventCallback(event, err) + } +} + +// Main logic here: maintain a connection to the server when possible, wait +// for notifications and emit events. +func (l *Listener) listenerConnLoop() { + var nextReconnect time.Time + + reconnectInterval := l.minReconnectInterval + for { + for { + err := l.connect() + if err == nil { + break + } + + if l.closed() { + return + } + l.emitEvent(ListenerEventConnectionAttemptFailed, err) + + time.Sleep(reconnectInterval) + reconnectInterval *= 2 + if reconnectInterval > l.maxReconnectInterval { + reconnectInterval = l.maxReconnectInterval + } + } + + if nextReconnect.IsZero() { + l.emitEvent(ListenerEventConnected, nil) + } else { + l.emitEvent(ListenerEventReconnected, nil) + l.Notify <- nil + } + + reconnectInterval = l.minReconnectInterval + nextReconnect = time.Now().Add(reconnectInterval) + + for { + notification, ok := <-l.connNotificationChan + if !ok { + // lost connection, loop again + break + } + l.Notify <- notification + } + + err := l.disconnectCleanup() + if l.closed() { + return + } + l.emitEvent(ListenerEventDisconnected, err) + + time.Sleep(time.Until(nextReconnect)) + } +} + +func (l *Listener) listenerMain() { + l.listenerConnLoop() + close(l.Notify) +} diff --git a/vendor/github.com/lib/pq/oid/doc.go b/vendor/github.com/lib/pq/oid/doc.go new file mode 100644 index 0000000000..caaede2489 --- /dev/null +++ b/vendor/github.com/lib/pq/oid/doc.go @@ -0,0 +1,6 @@ +// Package oid contains OID constants +// as defined by the Postgres server. +package oid + +// Oid is a Postgres Object ID. +type Oid uint32 diff --git a/vendor/github.com/lib/pq/oid/types.go b/vendor/github.com/lib/pq/oid/types.go new file mode 100644 index 0000000000..ecc84c2c86 --- /dev/null +++ b/vendor/github.com/lib/pq/oid/types.go @@ -0,0 +1,343 @@ +// Code generated by gen.go. DO NOT EDIT. + +package oid + +const ( + T_bool Oid = 16 + T_bytea Oid = 17 + T_char Oid = 18 + T_name Oid = 19 + T_int8 Oid = 20 + T_int2 Oid = 21 + T_int2vector Oid = 22 + T_int4 Oid = 23 + T_regproc Oid = 24 + T_text Oid = 25 + T_oid Oid = 26 + T_tid Oid = 27 + T_xid Oid = 28 + T_cid Oid = 29 + T_oidvector Oid = 30 + T_pg_ddl_command Oid = 32 + T_pg_type Oid = 71 + T_pg_attribute Oid = 75 + T_pg_proc Oid = 81 + T_pg_class Oid = 83 + T_json Oid = 114 + T_xml Oid = 142 + T__xml Oid = 143 + T_pg_node_tree Oid = 194 + T__json Oid = 199 + T_smgr Oid = 210 + T_index_am_handler Oid = 325 + T_point Oid = 600 + T_lseg Oid = 601 + T_path Oid = 602 + T_box Oid = 603 + T_polygon Oid = 604 + T_line Oid = 628 + T__line Oid = 629 + T_cidr Oid = 650 + T__cidr Oid = 651 + T_float4 Oid = 700 + T_float8 Oid = 701 + T_abstime Oid = 702 + T_reltime Oid = 703 + T_tinterval Oid = 704 + T_unknown Oid = 705 + T_circle Oid = 718 + T__circle Oid = 719 + T_money Oid = 790 + T__money Oid = 791 + T_macaddr Oid = 829 + T_inet Oid = 869 + T__bool Oid = 1000 + T__bytea Oid = 1001 + T__char Oid = 1002 + T__name Oid = 1003 + T__int2 Oid = 1005 + T__int2vector Oid = 1006 + T__int4 Oid = 1007 + T__regproc Oid = 1008 + T__text Oid = 1009 + T__tid Oid = 1010 + T__xid Oid = 1011 + T__cid Oid = 1012 + T__oidvector Oid = 1013 + T__bpchar Oid = 1014 + T__varchar Oid = 1015 + T__int8 Oid = 1016 + T__point Oid = 1017 + T__lseg Oid = 1018 + T__path Oid = 1019 + T__box Oid = 1020 + T__float4 Oid = 1021 + T__float8 Oid = 1022 + T__abstime Oid = 1023 + T__reltime Oid = 1024 + T__tinterval Oid = 1025 + T__polygon Oid = 1027 + T__oid Oid = 1028 + T_aclitem Oid = 1033 + T__aclitem Oid = 1034 + T__macaddr Oid = 1040 + T__inet Oid = 1041 + T_bpchar Oid = 1042 + T_varchar Oid = 1043 + T_date Oid = 1082 + T_time Oid = 1083 + T_timestamp Oid = 1114 + T__timestamp Oid = 1115 + T__date Oid = 1182 + T__time Oid = 1183 + T_timestamptz Oid = 1184 + T__timestamptz Oid = 1185 + T_interval Oid = 1186 + T__interval Oid = 1187 + T__numeric Oid = 1231 + T_pg_database Oid = 1248 + T__cstring Oid = 1263 + T_timetz Oid = 1266 + T__timetz Oid = 1270 + T_bit Oid = 1560 + T__bit Oid = 1561 + T_varbit Oid = 1562 + T__varbit Oid = 1563 + T_numeric Oid = 1700 + T_refcursor Oid = 1790 + T__refcursor Oid = 2201 + T_regprocedure Oid = 2202 + T_regoper Oid = 2203 + T_regoperator Oid = 2204 + T_regclass Oid = 2205 + T_regtype Oid = 2206 + T__regprocedure Oid = 2207 + T__regoper Oid = 2208 + T__regoperator Oid = 2209 + T__regclass Oid = 2210 + T__regtype Oid = 2211 + T_record Oid = 2249 + T_cstring Oid = 2275 + T_any Oid = 2276 + T_anyarray Oid = 2277 + T_void Oid = 2278 + T_trigger Oid = 2279 + T_language_handler Oid = 2280 + T_internal Oid = 2281 + T_opaque Oid = 2282 + T_anyelement Oid = 2283 + T__record Oid = 2287 + T_anynonarray Oid = 2776 + T_pg_authid Oid = 2842 + T_pg_auth_members Oid = 2843 + T__txid_snapshot Oid = 2949 + T_uuid Oid = 2950 + T__uuid Oid = 2951 + T_txid_snapshot Oid = 2970 + T_fdw_handler Oid = 3115 + T_pg_lsn Oid = 3220 + T__pg_lsn Oid = 3221 + T_tsm_handler Oid = 3310 + T_anyenum Oid = 3500 + T_tsvector Oid = 3614 + T_tsquery Oid = 3615 + T_gtsvector Oid = 3642 + T__tsvector Oid = 3643 + T__gtsvector Oid = 3644 + T__tsquery Oid = 3645 + T_regconfig Oid = 3734 + T__regconfig Oid = 3735 + T_regdictionary Oid = 3769 + T__regdictionary Oid = 3770 + T_jsonb Oid = 3802 + T__jsonb Oid = 3807 + T_anyrange Oid = 3831 + T_event_trigger Oid = 3838 + T_int4range Oid = 3904 + T__int4range Oid = 3905 + T_numrange Oid = 3906 + T__numrange Oid = 3907 + T_tsrange Oid = 3908 + T__tsrange Oid = 3909 + T_tstzrange Oid = 3910 + T__tstzrange Oid = 3911 + T_daterange Oid = 3912 + T__daterange Oid = 3913 + T_int8range Oid = 3926 + T__int8range Oid = 3927 + T_pg_shseclabel Oid = 4066 + T_regnamespace Oid = 4089 + T__regnamespace Oid = 4090 + T_regrole Oid = 4096 + T__regrole Oid = 4097 +) + +var TypeName = map[Oid]string{ + T_bool: "BOOL", + T_bytea: "BYTEA", + T_char: "CHAR", + T_name: "NAME", + T_int8: "INT8", + T_int2: "INT2", + T_int2vector: "INT2VECTOR", + T_int4: "INT4", + T_regproc: "REGPROC", + T_text: "TEXT", + T_oid: "OID", + T_tid: "TID", + T_xid: "XID", + T_cid: "CID", + T_oidvector: "OIDVECTOR", + T_pg_ddl_command: "PG_DDL_COMMAND", + T_pg_type: "PG_TYPE", + T_pg_attribute: "PG_ATTRIBUTE", + T_pg_proc: "PG_PROC", + T_pg_class: "PG_CLASS", + T_json: "JSON", + T_xml: "XML", + T__xml: "_XML", + T_pg_node_tree: "PG_NODE_TREE", + T__json: "_JSON", + T_smgr: "SMGR", + T_index_am_handler: "INDEX_AM_HANDLER", + T_point: "POINT", + T_lseg: "LSEG", + T_path: "PATH", + T_box: "BOX", + T_polygon: "POLYGON", + T_line: "LINE", + T__line: "_LINE", + T_cidr: "CIDR", + T__cidr: "_CIDR", + T_float4: "FLOAT4", + T_float8: "FLOAT8", + T_abstime: "ABSTIME", + T_reltime: "RELTIME", + T_tinterval: "TINTERVAL", + T_unknown: "UNKNOWN", + T_circle: "CIRCLE", + T__circle: "_CIRCLE", + T_money: "MONEY", + T__money: "_MONEY", + T_macaddr: "MACADDR", + T_inet: "INET", + T__bool: "_BOOL", + T__bytea: "_BYTEA", + T__char: "_CHAR", + T__name: "_NAME", + T__int2: "_INT2", + T__int2vector: "_INT2VECTOR", + T__int4: "_INT4", + T__regproc: "_REGPROC", + T__text: "_TEXT", + T__tid: "_TID", + T__xid: "_XID", + T__cid: "_CID", + T__oidvector: "_OIDVECTOR", + T__bpchar: "_BPCHAR", + T__varchar: "_VARCHAR", + T__int8: "_INT8", + T__point: "_POINT", + T__lseg: "_LSEG", + T__path: "_PATH", + T__box: "_BOX", + T__float4: "_FLOAT4", + T__float8: "_FLOAT8", + T__abstime: "_ABSTIME", + T__reltime: "_RELTIME", + T__tinterval: "_TINTERVAL", + T__polygon: "_POLYGON", + T__oid: "_OID", + T_aclitem: "ACLITEM", + T__aclitem: "_ACLITEM", + T__macaddr: "_MACADDR", + T__inet: "_INET", + T_bpchar: "BPCHAR", + T_varchar: "VARCHAR", + T_date: "DATE", + T_time: "TIME", + T_timestamp: "TIMESTAMP", + T__timestamp: "_TIMESTAMP", + T__date: "_DATE", + T__time: "_TIME", + T_timestamptz: "TIMESTAMPTZ", + T__timestamptz: "_TIMESTAMPTZ", + T_interval: "INTERVAL", + T__interval: "_INTERVAL", + T__numeric: "_NUMERIC", + T_pg_database: "PG_DATABASE", + T__cstring: "_CSTRING", + T_timetz: "TIMETZ", + T__timetz: "_TIMETZ", + T_bit: "BIT", + T__bit: "_BIT", + T_varbit: "VARBIT", + T__varbit: "_VARBIT", + T_numeric: "NUMERIC", + T_refcursor: "REFCURSOR", + T__refcursor: "_REFCURSOR", + T_regprocedure: "REGPROCEDURE", + T_regoper: "REGOPER", + T_regoperator: "REGOPERATOR", + T_regclass: "REGCLASS", + T_regtype: "REGTYPE", + T__regprocedure: "_REGPROCEDURE", + T__regoper: "_REGOPER", + T__regoperator: "_REGOPERATOR", + T__regclass: "_REGCLASS", + T__regtype: "_REGTYPE", + T_record: "RECORD", + T_cstring: "CSTRING", + T_any: "ANY", + T_anyarray: "ANYARRAY", + T_void: "VOID", + T_trigger: "TRIGGER", + T_language_handler: "LANGUAGE_HANDLER", + T_internal: "INTERNAL", + T_opaque: "OPAQUE", + T_anyelement: "ANYELEMENT", + T__record: "_RECORD", + T_anynonarray: "ANYNONARRAY", + T_pg_authid: "PG_AUTHID", + T_pg_auth_members: "PG_AUTH_MEMBERS", + T__txid_snapshot: "_TXID_SNAPSHOT", + T_uuid: "UUID", + T__uuid: "_UUID", + T_txid_snapshot: "TXID_SNAPSHOT", + T_fdw_handler: "FDW_HANDLER", + T_pg_lsn: "PG_LSN", + T__pg_lsn: "_PG_LSN", + T_tsm_handler: "TSM_HANDLER", + T_anyenum: "ANYENUM", + T_tsvector: "TSVECTOR", + T_tsquery: "TSQUERY", + T_gtsvector: "GTSVECTOR", + T__tsvector: "_TSVECTOR", + T__gtsvector: "_GTSVECTOR", + T__tsquery: "_TSQUERY", + T_regconfig: "REGCONFIG", + T__regconfig: "_REGCONFIG", + T_regdictionary: "REGDICTIONARY", + T__regdictionary: "_REGDICTIONARY", + T_jsonb: "JSONB", + T__jsonb: "_JSONB", + T_anyrange: "ANYRANGE", + T_event_trigger: "EVENT_TRIGGER", + T_int4range: "INT4RANGE", + T__int4range: "_INT4RANGE", + T_numrange: "NUMRANGE", + T__numrange: "_NUMRANGE", + T_tsrange: "TSRANGE", + T__tsrange: "_TSRANGE", + T_tstzrange: "TSTZRANGE", + T__tstzrange: "_TSTZRANGE", + T_daterange: "DATERANGE", + T__daterange: "_DATERANGE", + T_int8range: "INT8RANGE", + T__int8range: "_INT8RANGE", + T_pg_shseclabel: "PG_SHSECLABEL", + T_regnamespace: "REGNAMESPACE", + T__regnamespace: "_REGNAMESPACE", + T_regrole: "REGROLE", + T__regrole: "_REGROLE", +} diff --git a/vendor/github.com/lib/pq/rows.go b/vendor/github.com/lib/pq/rows.go new file mode 100644 index 0000000000..c6aa5b9a36 --- /dev/null +++ b/vendor/github.com/lib/pq/rows.go @@ -0,0 +1,93 @@ +package pq + +import ( + "math" + "reflect" + "time" + + "github.com/lib/pq/oid" +) + +const headerSize = 4 + +type fieldDesc struct { + // The object ID of the data type. + OID oid.Oid + // The data type size (see pg_type.typlen). + // Note that negative values denote variable-width types. + Len int + // The type modifier (see pg_attribute.atttypmod). + // The meaning of the modifier is type-specific. + Mod int +} + +func (fd fieldDesc) Type() reflect.Type { + switch fd.OID { + case oid.T_int8: + return reflect.TypeOf(int64(0)) + case oid.T_int4: + return reflect.TypeOf(int32(0)) + case oid.T_int2: + return reflect.TypeOf(int16(0)) + case oid.T_varchar, oid.T_text: + return reflect.TypeOf("") + case oid.T_bool: + return reflect.TypeOf(false) + case oid.T_date, oid.T_time, oid.T_timetz, oid.T_timestamp, oid.T_timestamptz: + return reflect.TypeOf(time.Time{}) + case oid.T_bytea: + return reflect.TypeOf([]byte(nil)) + default: + return reflect.TypeOf(new(interface{})).Elem() + } +} + +func (fd fieldDesc) Name() string { + return oid.TypeName[fd.OID] +} + +func (fd fieldDesc) Length() (length int64, ok bool) { + switch fd.OID { + case oid.T_text, oid.T_bytea: + return math.MaxInt64, true + case oid.T_varchar, oid.T_bpchar: + return int64(fd.Mod - headerSize), true + default: + return 0, false + } +} + +func (fd fieldDesc) PrecisionScale() (precision, scale int64, ok bool) { + switch fd.OID { + case oid.T_numeric, oid.T__numeric: + mod := fd.Mod - headerSize + precision = int64((mod >> 16) & 0xffff) + scale = int64(mod & 0xffff) + return precision, scale, true + default: + return 0, 0, false + } +} + +// ColumnTypeScanType returns the value type that can be used to scan types into. +func (rs *rows) ColumnTypeScanType(index int) reflect.Type { + return rs.colTyps[index].Type() +} + +// ColumnTypeDatabaseTypeName return the database system type name. +func (rs *rows) ColumnTypeDatabaseTypeName(index int) string { + return rs.colTyps[index].Name() +} + +// ColumnTypeLength returns the length of the column type if the column is a +// variable length type. If the column is not a variable length type ok +// should return false. +func (rs *rows) ColumnTypeLength(index int) (length int64, ok bool) { + return rs.colTyps[index].Length() +} + +// ColumnTypePrecisionScale should return the precision and scale for decimal +// types. If not applicable, ok should be false. +func (rs *rows) ColumnTypePrecisionScale(index int) (precision, scale int64, ok bool) { + return rs.colTyps[index].PrecisionScale() +} diff --git a/vendor/github.com/lib/pq/scram/scram.go b/vendor/github.com/lib/pq/scram/scram.go new file mode 100644 index 0000000000..477216b600 --- /dev/null +++ b/vendor/github.com/lib/pq/scram/scram.go @@ -0,0 +1,264 @@ +// Copyright (c) 2014 - Gustavo Niemeyer +// +// All rights reserved. +// +// Redistribution and use in source and binary forms, with or without +// modification, are permitted provided that the following conditions are met: +// +// 1. Redistributions of source code must retain the above copyright notice, this +// list of conditions and the following disclaimer. +// 2. Redistributions in binary form must reproduce the above copyright notice, +// this list of conditions and the following disclaimer in the documentation +// and/or other materials provided with the distribution. +// +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND +// ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +// WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR +// ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +// LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND +// ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +// SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +// Package scram implements a SCRAM-{SHA-1,etc} client per RFC5802. +// +// http://tools.ietf.org/html/rfc5802 +// +package scram + +import ( + "bytes" + "crypto/hmac" + "crypto/rand" + "encoding/base64" + "fmt" + "hash" + "strconv" + "strings" +) + +// Client implements a SCRAM-* client (SCRAM-SHA-1, SCRAM-SHA-256, etc). +// +// A Client may be used within a SASL conversation with logic resembling: +// +// var in []byte +// var client = scram.NewClient(sha1.New, user, pass) +// for client.Step(in) { +// out := client.Out() +// // send out to server +// in := serverOut +// } +// if client.Err() != nil { +// // auth failed +// } +// +type Client struct { + newHash func() hash.Hash + + user string + pass string + step int + out bytes.Buffer + err error + + clientNonce []byte + serverNonce []byte + saltedPass []byte + authMsg bytes.Buffer +} + +// NewClient returns a new SCRAM-* client with the provided hash algorithm. +// +// For SCRAM-SHA-256, for example, use: +// +// client := scram.NewClient(sha256.New, user, pass) +// +func NewClient(newHash func() hash.Hash, user, pass string) *Client { + c := &Client{ + newHash: newHash, + user: user, + pass: pass, + } + c.out.Grow(256) + c.authMsg.Grow(256) + return c +} + +// Out returns the data to be sent to the server in the current step. +func (c *Client) Out() []byte { + if c.out.Len() == 0 { + return nil + } + return c.out.Bytes() +} + +// Err returns the error that occurred, or nil if there were no errors. +func (c *Client) Err() error { + return c.err +} + +// SetNonce sets the client nonce to the provided value. +// If not set, the nonce is generated automatically out of crypto/rand on the first step. +func (c *Client) SetNonce(nonce []byte) { + c.clientNonce = nonce +} + +var escaper = strings.NewReplacer("=", "=3D", ",", "=2C") + +// Step processes the incoming data from the server and makes the +// next round of data for the server available via Client.Out. +// Step returns false if there are no errors and more data is +// still expected. +func (c *Client) Step(in []byte) bool { + c.out.Reset() + if c.step > 2 || c.err != nil { + return false + } + c.step++ + switch c.step { + case 1: + c.err = c.step1(in) + case 2: + c.err = c.step2(in) + case 3: + c.err = c.step3(in) + } + return c.step > 2 || c.err != nil +} + +func (c *Client) step1(in []byte) error { + if len(c.clientNonce) == 0 { + const nonceLen = 16 + buf := make([]byte, nonceLen+b64.EncodedLen(nonceLen)) + if _, err := rand.Read(buf[:nonceLen]); err != nil { + return fmt.Errorf("cannot read random SCRAM-SHA-256 nonce from operating system: %v", err) + } + c.clientNonce = buf[nonceLen:] + b64.Encode(c.clientNonce, buf[:nonceLen]) + } + c.authMsg.WriteString("n=") + escaper.WriteString(&c.authMsg, c.user) + c.authMsg.WriteString(",r=") + c.authMsg.Write(c.clientNonce) + + c.out.WriteString("n,,") + c.out.Write(c.authMsg.Bytes()) + return nil +} + +var b64 = base64.StdEncoding + +func (c *Client) step2(in []byte) error { + c.authMsg.WriteByte(',') + c.authMsg.Write(in) + + fields := bytes.Split(in, []byte(",")) + if len(fields) != 3 { + return fmt.Errorf("expected 3 fields in first SCRAM-SHA-256 server message, got %d: %q", len(fields), in) + } + if !bytes.HasPrefix(fields[0], []byte("r=")) || len(fields[0]) < 2 { + return fmt.Errorf("server sent an invalid SCRAM-SHA-256 nonce: %q", fields[0]) + } + if !bytes.HasPrefix(fields[1], []byte("s=")) || len(fields[1]) < 6 { + return fmt.Errorf("server sent an invalid SCRAM-SHA-256 salt: %q", fields[1]) + } + if !bytes.HasPrefix(fields[2], []byte("i=")) || len(fields[2]) < 6 { + return fmt.Errorf("server sent an invalid SCRAM-SHA-256 iteration count: %q", fields[2]) + } + + c.serverNonce = fields[0][2:] + if !bytes.HasPrefix(c.serverNonce, c.clientNonce) { + return fmt.Errorf("server SCRAM-SHA-256 nonce is not prefixed by client nonce: got %q, want %q+\"...\"", c.serverNonce, c.clientNonce) + } + + salt := make([]byte, b64.DecodedLen(len(fields[1][2:]))) + n, err := b64.Decode(salt, fields[1][2:]) + if err != nil { + return fmt.Errorf("cannot decode SCRAM-SHA-256 salt sent by server: %q", fields[1]) + } + salt = salt[:n] + iterCount, err := strconv.Atoi(string(fields[2][2:])) + if err != nil { + return fmt.Errorf("server sent an invalid SCRAM-SHA-256 iteration count: %q", fields[2]) + } + c.saltPassword(salt, iterCount) + + c.authMsg.WriteString(",c=biws,r=") + c.authMsg.Write(c.serverNonce) + + c.out.WriteString("c=biws,r=") + c.out.Write(c.serverNonce) + c.out.WriteString(",p=") + c.out.Write(c.clientProof()) + return nil +} + +func (c *Client) step3(in []byte) error { + var isv, ise bool + var fields = bytes.Split(in, []byte(",")) + if len(fields) == 1 { + isv = bytes.HasPrefix(fields[0], []byte("v=")) + ise = bytes.HasPrefix(fields[0], []byte("e=")) + } + if ise { + return fmt.Errorf("SCRAM-SHA-256 authentication error: %s", fields[0][2:]) + } else if !isv { + return fmt.Errorf("unsupported SCRAM-SHA-256 final message from server: %q", in) + } + if !bytes.Equal(c.serverSignature(), fields[0][2:]) { + return fmt.Errorf("cannot authenticate SCRAM-SHA-256 server signature: %q", fields[0][2:]) + } + return nil +} + +func (c *Client) saltPassword(salt []byte, iterCount int) { + mac := hmac.New(c.newHash, []byte(c.pass)) + mac.Write(salt) + mac.Write([]byte{0, 0, 0, 1}) + ui := mac.Sum(nil) + hi := make([]byte, len(ui)) + copy(hi, ui) + for i := 1; i < iterCount; i++ { + mac.Reset() + mac.Write(ui) + mac.Sum(ui[:0]) + for j, b := range ui { + hi[j] ^= b + } + } + c.saltedPass = hi +} + +func (c *Client) clientProof() []byte { + mac := hmac.New(c.newHash, c.saltedPass) + mac.Write([]byte("Client Key")) + clientKey := mac.Sum(nil) + hash := c.newHash() + hash.Write(clientKey) + storedKey := hash.Sum(nil) + mac = hmac.New(c.newHash, storedKey) + mac.Write(c.authMsg.Bytes()) + clientProof := mac.Sum(nil) + for i, b := range clientKey { + clientProof[i] ^= b + } + clientProof64 := make([]byte, b64.EncodedLen(len(clientProof))) + b64.Encode(clientProof64, clientProof) + return clientProof64 +} + +func (c *Client) serverSignature() []byte { + mac := hmac.New(c.newHash, c.saltedPass) + mac.Write([]byte("Server Key")) + serverKey := mac.Sum(nil) + + mac = hmac.New(c.newHash, serverKey) + mac.Write(c.authMsg.Bytes()) + serverSignature := mac.Sum(nil) + + encoded := make([]byte, b64.EncodedLen(len(serverSignature))) + b64.Encode(encoded, serverSignature) + return encoded +} diff --git a/vendor/github.com/lib/pq/ssl.go b/vendor/github.com/lib/pq/ssl.go new file mode 100644 index 0000000000..36b61ba45b --- /dev/null +++ b/vendor/github.com/lib/pq/ssl.go @@ -0,0 +1,204 @@ +package pq + +import ( + "crypto/tls" + "crypto/x509" + "io/ioutil" + "net" + "os" + "os/user" + "path/filepath" + "strings" +) + +// ssl generates a function to upgrade a net.Conn based on the "sslmode" and +// related settings. The function is nil when no upgrade should take place. +func ssl(o values) (func(net.Conn) (net.Conn, error), error) { + verifyCaOnly := false + tlsConf := tls.Config{} + switch mode := o["sslmode"]; mode { + // "require" is the default. + case "", "require": + // We must skip TLS's own verification since it requires full + // verification since Go 1.3. + tlsConf.InsecureSkipVerify = true + + // From http://www.postgresql.org/docs/current/static/libpq-ssl.html: + // + // Note: For backwards compatibility with earlier versions of + // PostgreSQL, if a root CA file exists, the behavior of + // sslmode=require will be the same as that of verify-ca, meaning the + // server certificate is validated against the CA. Relying on this + // behavior is discouraged, and applications that need certificate + // validation should always use verify-ca or verify-full. + if sslrootcert, ok := o["sslrootcert"]; ok { + if _, err := os.Stat(sslrootcert); err == nil { + verifyCaOnly = true + } else { + delete(o, "sslrootcert") + } + } + case "verify-ca": + // We must skip TLS's own verification since it requires full + // verification since Go 1.3. + tlsConf.InsecureSkipVerify = true + verifyCaOnly = true + case "verify-full": + tlsConf.ServerName = o["host"] + case "disable": + return nil, nil + default: + return nil, fmterrorf(`unsupported sslmode %q; only "require" (default), "verify-full", "verify-ca", and "disable" supported`, mode) + } + + // Set Server Name Indication (SNI), if enabled by connection parameters. + // By default SNI is on, any value which is not starting with "1" disables + // SNI -- that is the same check vanilla libpq uses. + if sslsni := o["sslsni"]; sslsni == "" || strings.HasPrefix(sslsni, "1") { + // RFC 6066 asks to not set SNI if the host is a literal IP address (IPv4 + // or IPv6). This check is coded already crypto.tls.hostnameInSNI, so + // just always set ServerName here and let crypto/tls do the filtering. + tlsConf.ServerName = o["host"] + } + + err := sslClientCertificates(&tlsConf, o) + if err != nil { + return nil, err + } + err = sslCertificateAuthority(&tlsConf, o) + if err != nil { + return nil, err + } + + // Accept renegotiation requests initiated by the backend. + // + // Renegotiation was deprecated then removed from PostgreSQL 9.5, but + // the default configuration of older versions has it enabled. Redshift + // also initiates renegotiations and cannot be reconfigured. + tlsConf.Renegotiation = tls.RenegotiateFreelyAsClient + + return func(conn net.Conn) (net.Conn, error) { + client := tls.Client(conn, &tlsConf) + if verifyCaOnly { + err := sslVerifyCertificateAuthority(client, &tlsConf) + if err != nil { + return nil, err + } + } + return client, nil + }, nil +} + +// sslClientCertificates adds the certificate specified in the "sslcert" and +// "sslkey" settings, or if they aren't set, from the .postgresql directory +// in the user's home directory. The configured files must exist and have +// the correct permissions. +func sslClientCertificates(tlsConf *tls.Config, o values) error { + sslinline := o["sslinline"] + if sslinline == "true" { + cert, err := tls.X509KeyPair([]byte(o["sslcert"]), []byte(o["sslkey"])) + if err != nil { + return err + } + tlsConf.Certificates = []tls.Certificate{cert} + return nil + } + + // user.Current() might fail when cross-compiling. We have to ignore the + // error and continue without home directory defaults, since we wouldn't + // know from where to load them. + user, _ := user.Current() + + // In libpq, the client certificate is only loaded if the setting is not blank. + // + // https://github.com/postgres/postgres/blob/REL9_6_2/src/interfaces/libpq/fe-secure-openssl.c#L1036-L1037 + sslcert := o["sslcert"] + if len(sslcert) == 0 && user != nil { + sslcert = filepath.Join(user.HomeDir, ".postgresql", "postgresql.crt") + } + // https://github.com/postgres/postgres/blob/REL9_6_2/src/interfaces/libpq/fe-secure-openssl.c#L1045 + if len(sslcert) == 0 { + return nil + } + // https://github.com/postgres/postgres/blob/REL9_6_2/src/interfaces/libpq/fe-secure-openssl.c#L1050:L1054 + if _, err := os.Stat(sslcert); os.IsNotExist(err) { + return nil + } else if err != nil { + return err + } + + // In libpq, the ssl key is only loaded if the setting is not blank. + // + // https://github.com/postgres/postgres/blob/REL9_6_2/src/interfaces/libpq/fe-secure-openssl.c#L1123-L1222 + sslkey := o["sslkey"] + if len(sslkey) == 0 && user != nil { + sslkey = filepath.Join(user.HomeDir, ".postgresql", "postgresql.key") + } + + if len(sslkey) > 0 { + if err := sslKeyPermissions(sslkey); err != nil { + return err + } + } + + cert, err := tls.LoadX509KeyPair(sslcert, sslkey) + if err != nil { + return err + } + + tlsConf.Certificates = []tls.Certificate{cert} + return nil +} + +// sslCertificateAuthority adds the RootCA specified in the "sslrootcert" setting. +func sslCertificateAuthority(tlsConf *tls.Config, o values) error { + // In libpq, the root certificate is only loaded if the setting is not blank. + // + // https://github.com/postgres/postgres/blob/REL9_6_2/src/interfaces/libpq/fe-secure-openssl.c#L950-L951 + if sslrootcert := o["sslrootcert"]; len(sslrootcert) > 0 { + tlsConf.RootCAs = x509.NewCertPool() + + sslinline := o["sslinline"] + + var cert []byte + if sslinline == "true" { + cert = []byte(sslrootcert) + } else { + var err error + cert, err = ioutil.ReadFile(sslrootcert) + if err != nil { + return err + } + } + + if !tlsConf.RootCAs.AppendCertsFromPEM(cert) { + return fmterrorf("couldn't parse pem in sslrootcert") + } + } + + return nil +} + +// sslVerifyCertificateAuthority carries out a TLS handshake to the server and +// verifies the presented certificate against the CA, i.e. the one specified in +// sslrootcert or the system CA if sslrootcert was not specified. +func sslVerifyCertificateAuthority(client *tls.Conn, tlsConf *tls.Config) error { + err := client.Handshake() + if err != nil { + return err + } + certs := client.ConnectionState().PeerCertificates + opts := x509.VerifyOptions{ + DNSName: client.ConnectionState().ServerName, + Intermediates: x509.NewCertPool(), + Roots: tlsConf.RootCAs, + } + for i, cert := range certs { + if i == 0 { + continue + } + opts.Intermediates.AddCert(cert) + } + _, err = certs[0].Verify(opts) + return err +} diff --git a/vendor/github.com/lib/pq/ssl_permissions.go b/vendor/github.com/lib/pq/ssl_permissions.go new file mode 100644 index 0000000000..d587f102ed --- /dev/null +++ b/vendor/github.com/lib/pq/ssl_permissions.go @@ -0,0 +1,93 @@ +//go:build !windows +// +build !windows + +package pq + +import ( + "errors" + "os" + "syscall" +) + +const ( + rootUserID = uint32(0) + + // The maximum permissions that a private key file owned by a regular user + // is allowed to have. This translates to u=rw. + maxUserOwnedKeyPermissions os.FileMode = 0600 + + // The maximum permissions that a private key file owned by root is allowed + // to have. This translates to u=rw,g=r. + maxRootOwnedKeyPermissions os.FileMode = 0640 +) + +var ( + errSSLKeyHasUnacceptableUserPermissions = errors.New("permissions for files not owned by root should be u=rw (0600) or less") + errSSLKeyHasUnacceptableRootPermissions = errors.New("permissions for root owned files should be u=rw,g=r (0640) or less") +) + +// sslKeyPermissions checks the permissions on user-supplied ssl key files. +// The key file should have very little access. +// +// libpq does not check key file permissions on Windows. +func sslKeyPermissions(sslkey string) error { + info, err := os.Stat(sslkey) + if err != nil { + return err + } + + err = hasCorrectPermissions(info) + + // return ErrSSLKeyHasWorldPermissions for backwards compatability with + // existing code. + if err == errSSLKeyHasUnacceptableUserPermissions || err == errSSLKeyHasUnacceptableRootPermissions { + err = ErrSSLKeyHasWorldPermissions + } + return err +} + +// hasCorrectPermissions checks the file info (and the unix-specific stat_t +// output) to verify that the permissions on the file are correct. +// +// If the file is owned by the same user the process is running as, +// the file should only have 0600 (u=rw). If the file is owned by root, +// and the group matches the group that the process is running in, the +// permissions cannot be more than 0640 (u=rw,g=r). The file should +// never have world permissions. +// +// Returns an error when the permission check fails. +func hasCorrectPermissions(info os.FileInfo) error { + // if file's permission matches 0600, allow access. + userPermissionMask := (os.FileMode(0777) ^ maxUserOwnedKeyPermissions) + + // regardless of if we're running as root or not, 0600 is acceptable, + // so we return if we match the regular user permission mask. + if info.Mode().Perm()&userPermissionMask == 0 { + return nil + } + + // We need to pull the Unix file information to get the file's owner. + // If we can't access it, there's some sort of operating system level error + // and we should fail rather than attempting to use faulty information. + sysInfo := info.Sys() + if sysInfo == nil { + return ErrSSLKeyUnknownOwnership + } + + unixStat, ok := sysInfo.(*syscall.Stat_t) + if !ok { + return ErrSSLKeyUnknownOwnership + } + + // if the file is owned by root, we allow 0640 (u=rw,g=r) to match what + // Postgres does. + if unixStat.Uid == rootUserID { + rootPermissionMask := (os.FileMode(0777) ^ maxRootOwnedKeyPermissions) + if info.Mode().Perm()&rootPermissionMask != 0 { + return errSSLKeyHasUnacceptableRootPermissions + } + return nil + } + + return errSSLKeyHasUnacceptableUserPermissions +} diff --git a/vendor/github.com/lib/pq/ssl_windows.go b/vendor/github.com/lib/pq/ssl_windows.go new file mode 100644 index 0000000000..73663c8f15 --- /dev/null +++ b/vendor/github.com/lib/pq/ssl_windows.go @@ -0,0 +1,10 @@ +//go:build windows +// +build windows + +package pq + +// sslKeyPermissions checks the permissions on user-supplied ssl key files. +// The key file should have very little access. +// +// libpq does not check key file permissions on Windows. +func sslKeyPermissions(string) error { return nil } diff --git a/vendor/github.com/lib/pq/url.go b/vendor/github.com/lib/pq/url.go new file mode 100644 index 0000000000..aec6e95be8 --- /dev/null +++ b/vendor/github.com/lib/pq/url.go @@ -0,0 +1,76 @@ +package pq + +import ( + "fmt" + "net" + nurl "net/url" + "sort" + "strings" +) + +// ParseURL no longer needs to be used by clients of this library since supplying a URL as a +// connection string to sql.Open() is now supported: +// +// sql.Open("postgres", "postgres://bob:secret@1.2.3.4:5432/mydb?sslmode=verify-full") +// +// It remains exported here for backwards-compatibility. +// +// ParseURL converts a url to a connection string for driver.Open. +// Example: +// +// "postgres://bob:secret@1.2.3.4:5432/mydb?sslmode=verify-full" +// +// converts to: +// +// "user=bob password=secret host=1.2.3.4 port=5432 dbname=mydb sslmode=verify-full" +// +// A minimal example: +// +// "postgres://" +// +// This will be blank, causing driver.Open to use all of the defaults +func ParseURL(url string) (string, error) { + u, err := nurl.Parse(url) + if err != nil { + return "", err + } + + if u.Scheme != "postgres" && u.Scheme != "postgresql" { + return "", fmt.Errorf("invalid connection protocol: %s", u.Scheme) + } + + var kvs []string + escaper := strings.NewReplacer(`'`, `\'`, `\`, `\\`) + accrue := func(k, v string) { + if v != "" { + kvs = append(kvs, k+"='"+escaper.Replace(v)+"'") + } + } + + if u.User != nil { + v := u.User.Username() + accrue("user", v) + + v, _ = u.User.Password() + accrue("password", v) + } + + if host, port, err := net.SplitHostPort(u.Host); err != nil { + accrue("host", u.Host) + } else { + accrue("host", host) + accrue("port", port) + } + + if u.Path != "" { + accrue("dbname", u.Path[1:]) + } + + q := u.Query() + for k := range q { + accrue(k, q.Get(k)) + } + + sort.Strings(kvs) // Makes testing easier (not a performance concern) + return strings.Join(kvs, " "), nil +} diff --git a/vendor/github.com/lib/pq/user_other.go b/vendor/github.com/lib/pq/user_other.go new file mode 100644 index 0000000000..3dae8f5572 --- /dev/null +++ b/vendor/github.com/lib/pq/user_other.go @@ -0,0 +1,10 @@ +// Package pq is a pure Go Postgres driver for the database/sql package. + +//go:build js || android || hurd || zos +// +build js android hurd zos + +package pq + +func userCurrent() (string, error) { + return "", ErrCouldNotDetectUsername +} diff --git a/vendor/github.com/lib/pq/user_posix.go b/vendor/github.com/lib/pq/user_posix.go new file mode 100644 index 0000000000..5f2d439bc4 --- /dev/null +++ b/vendor/github.com/lib/pq/user_posix.go @@ -0,0 +1,25 @@ +// Package pq is a pure Go Postgres driver for the database/sql package. + +//go:build aix || darwin || dragonfly || freebsd || (linux && !android) || nacl || netbsd || openbsd || plan9 || solaris || rumprun || illumos +// +build aix darwin dragonfly freebsd linux,!android nacl netbsd openbsd plan9 solaris rumprun illumos + +package pq + +import ( + "os" + "os/user" +) + +func userCurrent() (string, error) { + u, err := user.Current() + if err == nil { + return u.Username, nil + } + + name := os.Getenv("USER") + if name != "" { + return name, nil + } + + return "", ErrCouldNotDetectUsername +} diff --git a/vendor/github.com/lib/pq/user_windows.go b/vendor/github.com/lib/pq/user_windows.go new file mode 100644 index 0000000000..2b691267b9 --- /dev/null +++ b/vendor/github.com/lib/pq/user_windows.go @@ -0,0 +1,27 @@ +// Package pq is a pure Go Postgres driver for the database/sql package. +package pq + +import ( + "path/filepath" + "syscall" +) + +// Perform Windows user name lookup identically to libpq. +// +// The PostgreSQL code makes use of the legacy Win32 function +// GetUserName, and that function has not been imported into stock Go. +// GetUserNameEx is available though, the difference being that a +// wider range of names are available. To get the output to be the +// same as GetUserName, only the base (or last) component of the +// result is returned. +func userCurrent() (string, error) { + pw_name := make([]uint16, 128) + pwname_size := uint32(len(pw_name)) - 1 + err := syscall.GetUserNameEx(syscall.NameSamCompatible, &pw_name[0], &pwname_size) + if err != nil { + return "", ErrCouldNotDetectUsername + } + s := syscall.UTF16ToString(pw_name) + u := filepath.Base(s) + return u, nil +} diff --git a/vendor/github.com/lib/pq/uuid.go b/vendor/github.com/lib/pq/uuid.go new file mode 100644 index 0000000000..9a1b9e0748 --- /dev/null +++ b/vendor/github.com/lib/pq/uuid.go @@ -0,0 +1,23 @@ +package pq + +import ( + "encoding/hex" + "fmt" +) + +// decodeUUIDBinary interprets the binary format of a uuid, returning it in text format. +func decodeUUIDBinary(src []byte) ([]byte, error) { + if len(src) != 16 { + return nil, fmt.Errorf("pq: unable to decode uuid; bad length: %d", len(src)) + } + + dst := make([]byte, 36) + dst[8], dst[13], dst[18], dst[23] = '-', '-', '-', '-' + hex.Encode(dst[0:], src[0:4]) + hex.Encode(dst[9:], src[4:6]) + hex.Encode(dst[14:], src[6:8]) + hex.Encode(dst[19:], src[8:10]) + hex.Encode(dst[24:], src[10:16]) + + return dst, nil +} diff --git a/vendor/github.com/liggitt/tabwriter/.travis.yml b/vendor/github.com/liggitt/tabwriter/.travis.yml new file mode 100644 index 0000000000..2768dc0727 --- /dev/null +++ b/vendor/github.com/liggitt/tabwriter/.travis.yml @@ -0,0 +1,11 @@ +language: go + +go: + - "1.8" + - "1.9" + - "1.10" + - "1.11" + - "1.12" + - master + +script: go test -v ./... diff --git a/vendor/github.com/liggitt/tabwriter/LICENSE b/vendor/github.com/liggitt/tabwriter/LICENSE new file mode 100644 index 0000000000..6a66aea5ea --- /dev/null +++ b/vendor/github.com/liggitt/tabwriter/LICENSE @@ -0,0 +1,27 @@ +Copyright (c) 2009 The Go Authors. All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are +met: + + * Redistributions of source code must retain the above copyright +notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above +copyright notice, this list of conditions and the following disclaimer +in the documentation and/or other materials provided with the +distribution. + * Neither the name of Google Inc. nor the names of its +contributors may be used to endorse or promote products derived from +this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. diff --git a/vendor/github.com/liggitt/tabwriter/README.md b/vendor/github.com/liggitt/tabwriter/README.md new file mode 100644 index 0000000000..e75d35672e --- /dev/null +++ b/vendor/github.com/liggitt/tabwriter/README.md @@ -0,0 +1,7 @@ +This repo is a drop-in replacement for the golang [text/tabwriter](https://golang.org/pkg/text/tabwriter/) package. + +It is based on that package at [cf2c2ea8](https://github.com/golang/go/tree/cf2c2ea89d09d486bb018b1817c5874388038c3a/src/text/tabwriter) and inherits its license. + +The following additional features are supported: +* `RememberWidths` flag allows remembering maximum widths seen per column even after Flush() is called. +* `RememberedWidths() []int` and `SetRememberedWidths([]int) *Writer` allows obtaining and transferring remembered column width between writers. diff --git a/vendor/github.com/liggitt/tabwriter/tabwriter.go b/vendor/github.com/liggitt/tabwriter/tabwriter.go new file mode 100644 index 0000000000..fd3431fb03 --- /dev/null +++ b/vendor/github.com/liggitt/tabwriter/tabwriter.go @@ -0,0 +1,637 @@ +// Copyright 2009 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +// Package tabwriter implements a write filter (tabwriter.Writer) that +// translates tabbed columns in input into properly aligned text. +// +// It is a drop-in replacement for the golang text/tabwriter package (https://golang.org/pkg/text/tabwriter), +// based on that package at https://github.com/golang/go/tree/cf2c2ea89d09d486bb018b1817c5874388038c3a +// with support for additional features. +// +// The package is using the Elastic Tabstops algorithm described at +// http://nickgravgaard.com/elastictabstops/index.html. +package tabwriter + +import ( + "io" + "unicode/utf8" +) + +// ---------------------------------------------------------------------------- +// Filter implementation + +// A cell represents a segment of text terminated by tabs or line breaks. +// The text itself is stored in a separate buffer; cell only describes the +// segment's size in bytes, its width in runes, and whether it's an htab +// ('\t') terminated cell. +// +type cell struct { + size int // cell size in bytes + width int // cell width in runes + htab bool // true if the cell is terminated by an htab ('\t') +} + +// A Writer is a filter that inserts padding around tab-delimited +// columns in its input to align them in the output. +// +// The Writer treats incoming bytes as UTF-8-encoded text consisting +// of cells terminated by horizontal ('\t') or vertical ('\v') tabs, +// and newline ('\n') or formfeed ('\f') characters; both newline and +// formfeed act as line breaks. +// +// Tab-terminated cells in contiguous lines constitute a column. The +// Writer inserts padding as needed to make all cells in a column have +// the same width, effectively aligning the columns. It assumes that +// all characters have the same width, except for tabs for which a +// tabwidth must be specified. Column cells must be tab-terminated, not +// tab-separated: non-tab terminated trailing text at the end of a line +// forms a cell but that cell is not part of an aligned column. +// For instance, in this example (where | stands for a horizontal tab): +// +// aaaa|bbb|d +// aa |b |dd +// a | +// aa |cccc|eee +// +// the b and c are in distinct columns (the b column is not contiguous +// all the way). The d and e are not in a column at all (there's no +// terminating tab, nor would the column be contiguous). +// +// The Writer assumes that all Unicode code points have the same width; +// this may not be true in some fonts or if the string contains combining +// characters. +// +// If DiscardEmptyColumns is set, empty columns that are terminated +// entirely by vertical (or "soft") tabs are discarded. Columns +// terminated by horizontal (or "hard") tabs are not affected by +// this flag. +// +// If a Writer is configured to filter HTML, HTML tags and entities +// are passed through. The widths of tags and entities are +// assumed to be zero (tags) and one (entities) for formatting purposes. +// +// A segment of text may be escaped by bracketing it with Escape +// characters. The tabwriter passes escaped text segments through +// unchanged. In particular, it does not interpret any tabs or line +// breaks within the segment. If the StripEscape flag is set, the +// Escape characters are stripped from the output; otherwise they +// are passed through as well. For the purpose of formatting, the +// width of the escaped text is always computed excluding the Escape +// characters. +// +// The formfeed character acts like a newline but it also terminates +// all columns in the current line (effectively calling Flush). Tab- +// terminated cells in the next line start new columns. Unless found +// inside an HTML tag or inside an escaped text segment, formfeed +// characters appear as newlines in the output. +// +// The Writer must buffer input internally, because proper spacing +// of one line may depend on the cells in future lines. Clients must +// call Flush when done calling Write. +// +type Writer struct { + // configuration + output io.Writer + minwidth int + tabwidth int + padding int + padbytes [8]byte + flags uint + + // current state + buf []byte // collected text excluding tabs or line breaks + pos int // buffer position up to which cell.width of incomplete cell has been computed + cell cell // current incomplete cell; cell.width is up to buf[pos] excluding ignored sections + endChar byte // terminating char of escaped sequence (Escape for escapes, '>', ';' for HTML tags/entities, or 0) + lines [][]cell // list of lines; each line is a list of cells + widths []int // list of column widths in runes - re-used during formatting + + maxwidths []int // list of max column widths in runes +} + +// addLine adds a new line. +// flushed is a hint indicating whether the underlying writer was just flushed. +// If so, the previous line is not likely to be a good indicator of the new line's cells. +func (b *Writer) addLine(flushed bool) { + // Grow slice instead of appending, + // as that gives us an opportunity + // to re-use an existing []cell. + if n := len(b.lines) + 1; n <= cap(b.lines) { + b.lines = b.lines[:n] + b.lines[n-1] = b.lines[n-1][:0] + } else { + b.lines = append(b.lines, nil) + } + + if !flushed { + // The previous line is probably a good indicator + // of how many cells the current line will have. + // If the current line's capacity is smaller than that, + // abandon it and make a new one. + if n := len(b.lines); n >= 2 { + if prev := len(b.lines[n-2]); prev > cap(b.lines[n-1]) { + b.lines[n-1] = make([]cell, 0, prev) + } + } + } +} + +// Reset the current state. +func (b *Writer) reset() { + b.buf = b.buf[:0] + b.pos = 0 + b.cell = cell{} + b.endChar = 0 + b.lines = b.lines[0:0] + b.widths = b.widths[0:0] + b.addLine(true) +} + +// Internal representation (current state): +// +// - all text written is appended to buf; tabs and line breaks are stripped away +// - at any given time there is a (possibly empty) incomplete cell at the end +// (the cell starts after a tab or line break) +// - cell.size is the number of bytes belonging to the cell so far +// - cell.width is text width in runes of that cell from the start of the cell to +// position pos; html tags and entities are excluded from this width if html +// filtering is enabled +// - the sizes and widths of processed text are kept in the lines list +// which contains a list of cells for each line +// - the widths list is a temporary list with current widths used during +// formatting; it is kept in Writer because it's re-used +// +// |<---------- size ---------->| +// | | +// |<- width ->|<- ignored ->| | +// | | | | +// [---processed---tab------------......] +// ^ ^ ^ +// | | | +// buf start of incomplete cell pos + +// Formatting can be controlled with these flags. +const ( + // Ignore html tags and treat entities (starting with '&' + // and ending in ';') as single characters (width = 1). + FilterHTML uint = 1 << iota + + // Strip Escape characters bracketing escaped text segments + // instead of passing them through unchanged with the text. + StripEscape + + // Force right-alignment of cell content. + // Default is left-alignment. + AlignRight + + // Handle empty columns as if they were not present in + // the input in the first place. + DiscardEmptyColumns + + // Always use tabs for indentation columns (i.e., padding of + // leading empty cells on the left) independent of padchar. + TabIndent + + // Print a vertical bar ('|') between columns (after formatting). + // Discarded columns appear as zero-width columns ("||"). + Debug + + // Remember maximum widths seen per column even after Flush() is called. + RememberWidths +) + +// A Writer must be initialized with a call to Init. The first parameter (output) +// specifies the filter output. The remaining parameters control the formatting: +// +// minwidth minimal cell width including any padding +// tabwidth width of tab characters (equivalent number of spaces) +// padding padding added to a cell before computing its width +// padchar ASCII char used for padding +// if padchar == '\t', the Writer will assume that the +// width of a '\t' in the formatted output is tabwidth, +// and cells are left-aligned independent of align_left +// (for correct-looking results, tabwidth must correspond +// to the tab width in the viewer displaying the result) +// flags formatting control +// +func (b *Writer) Init(output io.Writer, minwidth, tabwidth, padding int, padchar byte, flags uint) *Writer { + if minwidth < 0 || tabwidth < 0 || padding < 0 { + panic("negative minwidth, tabwidth, or padding") + } + b.output = output + b.minwidth = minwidth + b.tabwidth = tabwidth + b.padding = padding + for i := range b.padbytes { + b.padbytes[i] = padchar + } + if padchar == '\t' { + // tab padding enforces left-alignment + flags &^= AlignRight + } + b.flags = flags + + b.reset() + + return b +} + +// debugging support (keep code around) +func (b *Writer) dump() { + pos := 0 + for i, line := range b.lines { + print("(", i, ") ") + for _, c := range line { + print("[", string(b.buf[pos:pos+c.size]), "]") + pos += c.size + } + print("\n") + } + print("\n") +} + +// local error wrapper so we can distinguish errors we want to return +// as errors from genuine panics (which we don't want to return as errors) +type osError struct { + err error +} + +func (b *Writer) write0(buf []byte) { + n, err := b.output.Write(buf) + if n != len(buf) && err == nil { + err = io.ErrShortWrite + } + if err != nil { + panic(osError{err}) + } +} + +func (b *Writer) writeN(src []byte, n int) { + for n > len(src) { + b.write0(src) + n -= len(src) + } + b.write0(src[0:n]) +} + +var ( + newline = []byte{'\n'} + tabs = []byte("\t\t\t\t\t\t\t\t") +) + +func (b *Writer) writePadding(textw, cellw int, useTabs bool) { + if b.padbytes[0] == '\t' || useTabs { + // padding is done with tabs + if b.tabwidth == 0 { + return // tabs have no width - can't do any padding + } + // make cellw the smallest multiple of b.tabwidth + cellw = (cellw + b.tabwidth - 1) / b.tabwidth * b.tabwidth + n := cellw - textw // amount of padding + if n < 0 { + panic("internal error") + } + b.writeN(tabs, (n+b.tabwidth-1)/b.tabwidth) + return + } + + // padding is done with non-tab characters + b.writeN(b.padbytes[0:], cellw-textw) +} + +var vbar = []byte{'|'} + +func (b *Writer) writeLines(pos0 int, line0, line1 int) (pos int) { + pos = pos0 + for i := line0; i < line1; i++ { + line := b.lines[i] + + // if TabIndent is set, use tabs to pad leading empty cells + useTabs := b.flags&TabIndent != 0 + + for j, c := range line { + if j > 0 && b.flags&Debug != 0 { + // indicate column break + b.write0(vbar) + } + + if c.size == 0 { + // empty cell + if j < len(b.widths) { + b.writePadding(c.width, b.widths[j], useTabs) + } + } else { + // non-empty cell + useTabs = false + if b.flags&AlignRight == 0 { // align left + b.write0(b.buf[pos : pos+c.size]) + pos += c.size + if j < len(b.widths) { + b.writePadding(c.width, b.widths[j], false) + } + } else { // align right + if j < len(b.widths) { + b.writePadding(c.width, b.widths[j], false) + } + b.write0(b.buf[pos : pos+c.size]) + pos += c.size + } + } + } + + if i+1 == len(b.lines) { + // last buffered line - we don't have a newline, so just write + // any outstanding buffered data + b.write0(b.buf[pos : pos+b.cell.size]) + pos += b.cell.size + } else { + // not the last line - write newline + b.write0(newline) + } + } + return +} + +// Format the text between line0 and line1 (excluding line1); pos +// is the buffer position corresponding to the beginning of line0. +// Returns the buffer position corresponding to the beginning of +// line1 and an error, if any. +// +func (b *Writer) format(pos0 int, line0, line1 int) (pos int) { + pos = pos0 + column := len(b.widths) + for this := line0; this < line1; this++ { + line := b.lines[this] + + if column >= len(line)-1 { + continue + } + // cell exists in this column => this line + // has more cells than the previous line + // (the last cell per line is ignored because cells are + // tab-terminated; the last cell per line describes the + // text before the newline/formfeed and does not belong + // to a column) + + // print unprinted lines until beginning of block + pos = b.writeLines(pos, line0, this) + line0 = this + + // column block begin + width := b.minwidth // minimal column width + discardable := true // true if all cells in this column are empty and "soft" + for ; this < line1; this++ { + line = b.lines[this] + if column >= len(line)-1 { + break + } + // cell exists in this column + c := line[column] + // update width + if w := c.width + b.padding; w > width { + width = w + } + // update discardable + if c.width > 0 || c.htab { + discardable = false + } + } + // column block end + + // discard empty columns if necessary + if discardable && b.flags&DiscardEmptyColumns != 0 { + width = 0 + } + + if b.flags&RememberWidths != 0 { + if len(b.maxwidths) < len(b.widths) { + b.maxwidths = append(b.maxwidths, b.widths[len(b.maxwidths):]...) + } + + switch { + case len(b.maxwidths) == len(b.widths): + b.maxwidths = append(b.maxwidths, width) + case b.maxwidths[len(b.widths)] > width: + width = b.maxwidths[len(b.widths)] + case b.maxwidths[len(b.widths)] < width: + b.maxwidths[len(b.widths)] = width + } + } + + // format and print all columns to the right of this column + // (we know the widths of this column and all columns to the left) + b.widths = append(b.widths, width) // push width + pos = b.format(pos, line0, this) + b.widths = b.widths[0 : len(b.widths)-1] // pop width + line0 = this + } + + // print unprinted lines until end + return b.writeLines(pos, line0, line1) +} + +// Append text to current cell. +func (b *Writer) append(text []byte) { + b.buf = append(b.buf, text...) + b.cell.size += len(text) +} + +// Update the cell width. +func (b *Writer) updateWidth() { + b.cell.width += utf8.RuneCount(b.buf[b.pos:]) + b.pos = len(b.buf) +} + +// To escape a text segment, bracket it with Escape characters. +// For instance, the tab in this string "Ignore this tab: \xff\t\xff" +// does not terminate a cell and constitutes a single character of +// width one for formatting purposes. +// +// The value 0xff was chosen because it cannot appear in a valid UTF-8 sequence. +// +const Escape = '\xff' + +// Start escaped mode. +func (b *Writer) startEscape(ch byte) { + switch ch { + case Escape: + b.endChar = Escape + case '<': + b.endChar = '>' + case '&': + b.endChar = ';' + } +} + +// Terminate escaped mode. If the escaped text was an HTML tag, its width +// is assumed to be zero for formatting purposes; if it was an HTML entity, +// its width is assumed to be one. In all other cases, the width is the +// unicode width of the text. +// +func (b *Writer) endEscape() { + switch b.endChar { + case Escape: + b.updateWidth() + if b.flags&StripEscape == 0 { + b.cell.width -= 2 // don't count the Escape chars + } + case '>': // tag of zero width + case ';': + b.cell.width++ // entity, count as one rune + } + b.pos = len(b.buf) + b.endChar = 0 +} + +// Terminate the current cell by adding it to the list of cells of the +// current line. Returns the number of cells in that line. +// +func (b *Writer) terminateCell(htab bool) int { + b.cell.htab = htab + line := &b.lines[len(b.lines)-1] + *line = append(*line, b.cell) + b.cell = cell{} + return len(*line) +} + +func handlePanic(err *error, op string) { + if e := recover(); e != nil { + if nerr, ok := e.(osError); ok { + *err = nerr.err + return + } + panic("tabwriter: panic during " + op) + } +} + +// RememberedWidths returns a copy of the remembered per-column maximum widths. +// Requires use of the RememberWidths flag, and is not threadsafe. +func (b *Writer) RememberedWidths() []int { + retval := make([]int, len(b.maxwidths)) + copy(retval, b.maxwidths) + return retval +} + +// SetRememberedWidths sets the remembered per-column maximum widths. +// Requires use of the RememberWidths flag, and is not threadsafe. +func (b *Writer) SetRememberedWidths(widths []int) *Writer { + b.maxwidths = make([]int, len(widths)) + copy(b.maxwidths, widths) + return b +} + +// Flush should be called after the last call to Write to ensure +// that any data buffered in the Writer is written to output. Any +// incomplete escape sequence at the end is considered +// complete for formatting purposes. +func (b *Writer) Flush() error { + return b.flush() +} + +func (b *Writer) flush() (err error) { + defer b.reset() // even in the presence of errors + defer handlePanic(&err, "Flush") + + // add current cell if not empty + if b.cell.size > 0 { + if b.endChar != 0 { + // inside escape - terminate it even if incomplete + b.endEscape() + } + b.terminateCell(false) + } + + // format contents of buffer + b.format(0, 0, len(b.lines)) + return nil +} + +var hbar = []byte("---\n") + +// Write writes buf to the writer b. +// The only errors returned are ones encountered +// while writing to the underlying output stream. +// +func (b *Writer) Write(buf []byte) (n int, err error) { + defer handlePanic(&err, "Write") + + // split text into cells + n = 0 + for i, ch := range buf { + if b.endChar == 0 { + // outside escape + switch ch { + case '\t', '\v', '\n', '\f': + // end of cell + b.append(buf[n:i]) + b.updateWidth() + n = i + 1 // ch consumed + ncells := b.terminateCell(ch == '\t') + if ch == '\n' || ch == '\f' { + // terminate line + b.addLine(ch == '\f') + if ch == '\f' || ncells == 1 { + // A '\f' always forces a flush. Otherwise, if the previous + // line has only one cell which does not have an impact on + // the formatting of the following lines (the last cell per + // line is ignored by format()), thus we can flush the + // Writer contents. + if err = b.Flush(); err != nil { + return + } + if ch == '\f' && b.flags&Debug != 0 { + // indicate section break + b.write0(hbar) + } + } + } + + case Escape: + // start of escaped sequence + b.append(buf[n:i]) + b.updateWidth() + n = i + if b.flags&StripEscape != 0 { + n++ // strip Escape + } + b.startEscape(Escape) + + case '<', '&': + // possibly an html tag/entity + if b.flags&FilterHTML != 0 { + // begin of tag/entity + b.append(buf[n:i]) + b.updateWidth() + n = i + b.startEscape(ch) + } + } + + } else { + // inside escape + if ch == b.endChar { + // end of tag/entity + j := i + 1 + if ch == Escape && b.flags&StripEscape != 0 { + j = i // strip Escape + } + b.append(buf[n:j]) + n = i + 1 // ch consumed + b.endEscape() + } + } + } + + // append leftover text + b.append(buf[n:]) + n = len(buf) + return +} + +// NewWriter allocates and initializes a new tabwriter.Writer. +// The parameters are the same as for the Init function. +// +func NewWriter(output io.Writer, minwidth, tabwidth, padding int, padchar byte, flags uint) *Writer { + return new(Writer).Init(output, minwidth, tabwidth, padding, padchar, flags) +} diff --git a/vendor/github.com/magiconair/properties/.gitignore b/vendor/github.com/magiconair/properties/.gitignore new file mode 100644 index 0000000000..e7081ff522 --- /dev/null +++ b/vendor/github.com/magiconair/properties/.gitignore @@ -0,0 +1,6 @@ +*.sublime-project +*.sublime-workspace +*.un~ +*.swp +.idea/ +*.iml diff --git a/vendor/github.com/magiconair/properties/LICENSE.md b/vendor/github.com/magiconair/properties/LICENSE.md new file mode 100644 index 0000000000..79c87e3e6f --- /dev/null +++ b/vendor/github.com/magiconair/properties/LICENSE.md @@ -0,0 +1,24 @@ +Copyright (c) 2013-2020, Frank Schroeder + +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + + * Redistributions of source code must retain the above copyright notice, this + list of conditions and the following disclaimer. + + * Redistributions in binary form must reproduce the above copyright notice, + this list of conditions and the following disclaimer in the documentation + and/or other materials provided with the distribution. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND +ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR +ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND +ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. diff --git a/vendor/github.com/magiconair/properties/README.md b/vendor/github.com/magiconair/properties/README.md new file mode 100644 index 0000000000..4872685f46 --- /dev/null +++ b/vendor/github.com/magiconair/properties/README.md @@ -0,0 +1,98 @@ +[![](https://img.shields.io/github/tag/magiconair/properties.svg?style=flat-square&label=release)](https://github.com/magiconair/properties/releases) +[![License](https://img.shields.io/badge/License-BSD%202--Clause-orange.svg?style=flat-square)](https://raw.githubusercontent.com/magiconair/properties/master/LICENSE) +[![GoDoc](http://img.shields.io/badge/godoc-reference-5272B4.svg?style=flat-square)](http://godoc.org/github.com/magiconair/properties) + +# Overview + +properties is a Go library for reading and writing properties files. + +It supports reading from multiple files or URLs and Spring style recursive +property expansion of expressions like `${key}` to their corresponding value. +Value expressions can refer to other keys like in `${key}` or to environment +variables like in `${USER}`. Filenames can also contain environment variables +like in `/home/${USER}/myapp.properties`. + +Properties can be decoded into structs, maps, arrays and values through +struct tags. + +Comments and the order of keys are preserved. Comments can be modified +and can be written to the output. + +The properties library supports both ISO-8859-1 and UTF-8 encoded data. + +Starting from version 1.3.0 the behavior of the MustXXX() functions is +configurable by providing a custom `ErrorHandler` function. The default has +changed from `panic` to `log.Fatal` but this is configurable and custom +error handling functions can be provided. See the package documentation for +details. + +Read the full documentation on [![GoDoc](http://img.shields.io/badge/godoc-reference-5272B4.svg?style=flat-square)](http://godoc.org/github.com/magiconair/properties) + +## Getting Started + +```go +import ( + "flag" + "github.com/magiconair/properties" +) + +func main() { + // init from a file + p := properties.MustLoadFile("${HOME}/config.properties", properties.UTF8) + + // or multiple files + p = properties.MustLoadFiles([]string{ + "${HOME}/config.properties", + "${HOME}/config-${USER}.properties", + }, properties.UTF8, true) + + // or from a map + p = properties.LoadMap(map[string]string{"key": "value", "abc": "def"}) + + // or from a string + p = properties.MustLoadString("key=value\nabc=def") + + // or from a URL + p = properties.MustLoadURL("http://host/path") + + // or from multiple URLs + p = properties.MustLoadURL([]string{ + "http://host/config", + "http://host/config-${USER}", + }, true) + + // or from flags + p.MustFlag(flag.CommandLine) + + // get values through getters + host := p.MustGetString("host") + port := p.GetInt("port", 8080) + + // or through Decode + type Config struct { + Host string `properties:"host"` + Port int `properties:"port,default=9000"` + Accept []string `properties:"accept,default=image/png;image;gif"` + Timeout time.Duration `properties:"timeout,default=5s"` + } + var cfg Config + if err := p.Decode(&cfg); err != nil { + log.Fatal(err) + } +} + +``` + +## Installation and Upgrade + +``` +$ go get -u github.com/magiconair/properties +``` + +## License + +2 clause BSD license. See [LICENSE](https://github.com/magiconair/properties/blob/master/LICENSE) file for details. + +## ToDo + +* Dump contents with passwords and secrets obscured diff --git a/vendor/github.com/magiconair/properties/decode.go b/vendor/github.com/magiconair/properties/decode.go new file mode 100644 index 0000000000..f5e252f8d9 --- /dev/null +++ b/vendor/github.com/magiconair/properties/decode.go @@ -0,0 +1,289 @@ +// Copyright 2013-2022 Frank Schroeder. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package properties + +import ( + "fmt" + "reflect" + "strconv" + "strings" + "time" +) + +// Decode assigns property values to exported fields of a struct. +// +// Decode traverses v recursively and returns an error if a value cannot be +// converted to the field type or a required value is missing for a field. +// +// The following type dependent decodings are used: +// +// String, boolean, numeric fields have the value of the property key assigned. +// The property key name is the name of the field. A different key and a default +// value can be set in the field's tag. Fields without default value are +// required. If the value cannot be converted to the field type an error is +// returned. +// +// time.Duration fields have the result of time.ParseDuration() assigned. +// +// time.Time fields have the vaule of time.Parse() assigned. The default layout +// is time.RFC3339 but can be set in the field's tag. +// +// Arrays and slices of string, boolean, numeric, time.Duration and time.Time +// fields have the value interpreted as a comma separated list of values. The +// individual values are trimmed of whitespace and empty values are ignored. A +// default value can be provided as a semicolon separated list in the field's +// tag. +// +// Struct fields are decoded recursively using the field name plus "." as +// prefix. The prefix (without dot) can be overridden in the field's tag. +// Default values are not supported in the field's tag. Specify them on the +// fields of the inner struct instead. +// +// Map fields must have a key of type string and are decoded recursively by +// using the field's name plus ".' as prefix and the next element of the key +// name as map key. The prefix (without dot) can be overridden in the field's +// tag. Default values are not supported. +// +// Examples: +// +// // Field is ignored. +// Field int `properties:"-"` +// +// // Field is assigned value of 'Field'. +// Field int +// +// // Field is assigned value of 'myName'. +// Field int `properties:"myName"` +// +// // Field is assigned value of key 'myName' and has a default +// // value 15 if the key does not exist. +// Field int `properties:"myName,default=15"` +// +// // Field is assigned value of key 'Field' and has a default +// // value 15 if the key does not exist. +// Field int `properties:",default=15"` +// +// // Field is assigned value of key 'date' and the date +// // is in format 2006-01-02 +// Field time.Time `properties:"date,layout=2006-01-02"` +// +// // Field is assigned the non-empty and whitespace trimmed +// // values of key 'Field' split by commas. +// Field []string +// +// // Field is assigned the non-empty and whitespace trimmed +// // values of key 'Field' split by commas and has a default +// // value ["a", "b", "c"] if the key does not exist. +// Field []string `properties:",default=a;b;c"` +// +// // Field is decoded recursively with "Field." as key prefix. +// Field SomeStruct +// +// // Field is decoded recursively with "myName." as key prefix. +// Field SomeStruct `properties:"myName"` +// +// // Field is decoded recursively with "Field." as key prefix +// // and the next dotted element of the key as map key. +// Field map[string]string +// +// // Field is decoded recursively with "myName." as key prefix +// // and the next dotted element of the key as map key. +// Field map[string]string `properties:"myName"` +func (p *Properties) Decode(x interface{}) error { + t, v := reflect.TypeOf(x), reflect.ValueOf(x) + if t.Kind() != reflect.Ptr || v.Elem().Type().Kind() != reflect.Struct { + return fmt.Errorf("not a pointer to struct: %s", t) + } + if err := dec(p, "", nil, nil, v); err != nil { + return err + } + return nil +} + +func dec(p *Properties, key string, def *string, opts map[string]string, v reflect.Value) error { + t := v.Type() + + // value returns the property value for key or the default if provided. + value := func() (string, error) { + if val, ok := p.Get(key); ok { + return val, nil + } + if def != nil { + return *def, nil + } + return "", fmt.Errorf("missing required key %s", key) + } + + // conv converts a string to a value of the given type. + conv := func(s string, t reflect.Type) (val reflect.Value, err error) { + var v interface{} + + switch { + case isDuration(t): + v, err = time.ParseDuration(s) + + case isTime(t): + layout := opts["layout"] + if layout == "" { + layout = time.RFC3339 + } + v, err = time.Parse(layout, s) + + case isBool(t): + v, err = boolVal(s), nil + + case isString(t): + v, err = s, nil + + case isFloat(t): + v, err = strconv.ParseFloat(s, 64) + + case isInt(t): + v, err = strconv.ParseInt(s, 10, 64) + + case isUint(t): + v, err = strconv.ParseUint(s, 10, 64) + + default: + return reflect.Zero(t), fmt.Errorf("unsupported type %s", t) + } + if err != nil { + return reflect.Zero(t), err + } + return reflect.ValueOf(v).Convert(t), nil + } + + // keydef returns the property key and the default value based on the + // name of the struct field and the options in the tag. + keydef := func(f reflect.StructField) (string, *string, map[string]string) { + _key, _opts := parseTag(f.Tag.Get("properties")) + + var _def *string + if d, ok := _opts["default"]; ok { + _def = &d + } + if _key != "" { + return _key, _def, _opts + } + return f.Name, _def, _opts + } + + switch { + case isDuration(t) || isTime(t) || isBool(t) || isString(t) || isFloat(t) || isInt(t) || isUint(t): + s, err := value() + if err != nil { + return err + } + val, err := conv(s, t) + if err != nil { + return err + } + v.Set(val) + + case isPtr(t): + return dec(p, key, def, opts, v.Elem()) + + case isStruct(t): + for i := 0; i < v.NumField(); i++ { + fv := v.Field(i) + fk, def, opts := keydef(t.Field(i)) + if fk == "-" { + continue + } + if !fv.CanSet() { + return fmt.Errorf("cannot set %s", t.Field(i).Name) + } + if key != "" { + fk = key + "." + fk + } + if err := dec(p, fk, def, opts, fv); err != nil { + return err + } + } + return nil + + case isArray(t): + val, err := value() + if err != nil { + return err + } + vals := split(val, ";") + a := reflect.MakeSlice(t, 0, len(vals)) + for _, s := range vals { + val, err := conv(s, t.Elem()) + if err != nil { + return err + } + a = reflect.Append(a, val) + } + v.Set(a) + + case isMap(t): + valT := t.Elem() + m := reflect.MakeMap(t) + for postfix := range p.FilterStripPrefix(key + ".").m { + pp := strings.SplitN(postfix, ".", 2) + mk, mv := pp[0], reflect.New(valT) + if err := dec(p, key+"."+mk, nil, nil, mv); err != nil { + return err + } + m.SetMapIndex(reflect.ValueOf(mk), mv.Elem()) + } + v.Set(m) + + default: + return fmt.Errorf("unsupported type %s", t) + } + return nil +} + +// split splits a string on sep, trims whitespace of elements +// and omits empty elements +func split(s string, sep string) []string { + var a []string + for _, v := range strings.Split(s, sep) { + if v = strings.TrimSpace(v); v != "" { + a = append(a, v) + } + } + return a +} + +// parseTag parses a "key,k=v,k=v,..." +func parseTag(tag string) (key string, opts map[string]string) { + opts = map[string]string{} + for i, s := range strings.Split(tag, ",") { + if i == 0 { + key = s + continue + } + + pp := strings.SplitN(s, "=", 2) + if len(pp) == 1 { + opts[pp[0]] = "" + } else { + opts[pp[0]] = pp[1] + } + } + return key, opts +} + +func isArray(t reflect.Type) bool { return t.Kind() == reflect.Array || t.Kind() == reflect.Slice } +func isBool(t reflect.Type) bool { return t.Kind() == reflect.Bool } +func isDuration(t reflect.Type) bool { return t == reflect.TypeOf(time.Second) } +func isMap(t reflect.Type) bool { return t.Kind() == reflect.Map } +func isPtr(t reflect.Type) bool { return t.Kind() == reflect.Ptr } +func isString(t reflect.Type) bool { return t.Kind() == reflect.String } +func isStruct(t reflect.Type) bool { return t.Kind() == reflect.Struct } +func isTime(t reflect.Type) bool { return t == reflect.TypeOf(time.Time{}) } +func isFloat(t reflect.Type) bool { + return t.Kind() == reflect.Float32 || t.Kind() == reflect.Float64 +} +func isInt(t reflect.Type) bool { + return t.Kind() == reflect.Int || t.Kind() == reflect.Int8 || t.Kind() == reflect.Int16 || t.Kind() == reflect.Int32 || t.Kind() == reflect.Int64 +} +func isUint(t reflect.Type) bool { + return t.Kind() == reflect.Uint || t.Kind() == reflect.Uint8 || t.Kind() == reflect.Uint16 || t.Kind() == reflect.Uint32 || t.Kind() == reflect.Uint64 +} diff --git a/vendor/github.com/magiconair/properties/doc.go b/vendor/github.com/magiconair/properties/doc.go new file mode 100644 index 0000000000..7c79793159 --- /dev/null +++ b/vendor/github.com/magiconair/properties/doc.go @@ -0,0 +1,155 @@ +// Copyright 2013-2022 Frank Schroeder. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +// Package properties provides functions for reading and writing +// ISO-8859-1 and UTF-8 encoded .properties files and has +// support for recursive property expansion. +// +// Java properties files are ISO-8859-1 encoded and use Unicode +// literals for characters outside the ISO character set. Unicode +// literals can be used in UTF-8 encoded properties files but +// aren't necessary. +// +// To load a single properties file use MustLoadFile(): +// +// p := properties.MustLoadFile(filename, properties.UTF8) +// +// To load multiple properties files use MustLoadFiles() +// which loads the files in the given order and merges the +// result. Missing properties files can be ignored if the +// 'ignoreMissing' flag is set to true. +// +// Filenames can contain environment variables which are expanded +// before loading. +// +// f1 := "/etc/myapp/myapp.conf" +// f2 := "/home/${USER}/myapp.conf" +// p := MustLoadFiles([]string{f1, f2}, properties.UTF8, true) +// +// All of the different key/value delimiters ' ', ':' and '=' are +// supported as well as the comment characters '!' and '#' and +// multi-line values. +// +// ! this is a comment +// # and so is this +// +// # the following expressions are equal +// key value +// key=value +// key:value +// key = value +// key : value +// key = val\ +// ue +// +// Properties stores all comments preceding a key and provides +// GetComments() and SetComments() methods to retrieve and +// update them. The convenience functions GetComment() and +// SetComment() allow access to the last comment. The +// WriteComment() method writes properties files including +// the comments and with the keys in the original order. +// This can be used for sanitizing properties files. +// +// Property expansion is recursive and circular references +// and malformed expressions are not allowed and cause an +// error. Expansion of environment variables is supported. +// +// # standard property +// key = value +// +// # property expansion: key2 = value +// key2 = ${key} +// +// # recursive expansion: key3 = value +// key3 = ${key2} +// +// # circular reference (error) +// key = ${key} +// +// # malformed expression (error) +// key = ${ke +// +// # refers to the users' home dir +// home = ${HOME} +// +// # local key takes precedence over env var: u = foo +// USER = foo +// u = ${USER} +// +// The default property expansion format is ${key} but can be +// changed by setting different pre- and postfix values on the +// Properties object. +// +// p := properties.NewProperties() +// p.Prefix = "#[" +// p.Postfix = "]#" +// +// Properties provides convenience functions for getting typed +// values with default values if the key does not exist or the +// type conversion failed. +// +// # Returns true if the value is either "1", "on", "yes" or "true" +// # Returns false for every other value and the default value if +// # the key does not exist. +// v = p.GetBool("key", false) +// +// # Returns the value if the key exists and the format conversion +// # was successful. Otherwise, the default value is returned. +// v = p.GetInt64("key", 999) +// v = p.GetUint64("key", 999) +// v = p.GetFloat64("key", 123.0) +// v = p.GetString("key", "def") +// v = p.GetDuration("key", 999) +// +// As an alternative properties may be applied with the standard +// library's flag implementation at any time. +// +// # Standard configuration +// v = flag.Int("key", 999, "help message") +// flag.Parse() +// +// # Merge p into the flag set +// p.MustFlag(flag.CommandLine) +// +// Properties provides several MustXXX() convenience functions +// which will terminate the app if an error occurs. The behavior +// of the failure is configurable and the default is to call +// log.Fatal(err). To have the MustXXX() functions panic instead +// of logging the error set a different ErrorHandler before +// you use the Properties package. +// +// properties.ErrorHandler = properties.PanicHandler +// +// # Will panic instead of logging an error +// p := properties.MustLoadFile("config.properties") +// +// You can also provide your own ErrorHandler function. The only requirement +// is that the error handler function must exit after handling the error. +// +// properties.ErrorHandler = func(err error) { +// fmt.Println(err) +// os.Exit(1) +// } +// +// # Will write to stdout and then exit +// p := properties.MustLoadFile("config.properties") +// +// Properties can also be loaded into a struct via the `Decode` +// method, e.g. +// +// type S struct { +// A string `properties:"a,default=foo"` +// D time.Duration `properties:"timeout,default=5s"` +// E time.Time `properties:"expires,layout=2006-01-02,default=2015-01-01"` +// } +// +// See `Decode()` method for the full documentation. +// +// The following documents provide a description of the properties +// file format. +// +// http://en.wikipedia.org/wiki/.properties +// +// http://docs.oracle.com/javase/7/docs/api/java/util/Properties.html#load%28java.io.Reader%29 +package properties diff --git a/vendor/github.com/magiconair/properties/integrate.go b/vendor/github.com/magiconair/properties/integrate.go new file mode 100644 index 0000000000..35d0ae97b3 --- /dev/null +++ b/vendor/github.com/magiconair/properties/integrate.go @@ -0,0 +1,35 @@ +// Copyright 2013-2022 Frank Schroeder. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package properties + +import "flag" + +// MustFlag sets flags that are skipped by dst.Parse when p contains +// the respective key for flag.Flag.Name. +// +// It's use is recommended with command line arguments as in: +// +// flag.Parse() +// p.MustFlag(flag.CommandLine) +func (p *Properties) MustFlag(dst *flag.FlagSet) { + m := make(map[string]*flag.Flag) + dst.VisitAll(func(f *flag.Flag) { + m[f.Name] = f + }) + dst.Visit(func(f *flag.Flag) { + delete(m, f.Name) // overridden + }) + + for name, f := range m { + v, ok := p.Get(name) + if !ok { + continue + } + + if err := f.Value.Set(v); err != nil { + ErrorHandler(err) + } + } +} diff --git a/vendor/github.com/magiconair/properties/lex.go b/vendor/github.com/magiconair/properties/lex.go new file mode 100644 index 0000000000..3d15a1f6ed --- /dev/null +++ b/vendor/github.com/magiconair/properties/lex.go @@ -0,0 +1,395 @@ +// Copyright 2013-2022 Frank Schroeder. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. +// +// Parts of the lexer are from the template/text/parser package +// For these parts the following applies: +// +// Copyright 2011 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file of the go 1.2 +// distribution. + +package properties + +import ( + "fmt" + "strconv" + "strings" + "unicode/utf8" +) + +// item represents a token or text string returned from the scanner. +type item struct { + typ itemType // The type of this item. + pos int // The starting position, in bytes, of this item in the input string. + val string // The value of this item. +} + +func (i item) String() string { + switch { + case i.typ == itemEOF: + return "EOF" + case i.typ == itemError: + return i.val + case len(i.val) > 10: + return fmt.Sprintf("%.10q...", i.val) + } + return fmt.Sprintf("%q", i.val) +} + +// itemType identifies the type of lex items. +type itemType int + +const ( + itemError itemType = iota // error occurred; value is text of error + itemEOF + itemKey // a key + itemValue // a value + itemComment // a comment +) + +// defines a constant for EOF +const eof = -1 + +// permitted whitespace characters space, FF and TAB +const whitespace = " \f\t" + +// stateFn represents the state of the scanner as a function that returns the next state. +type stateFn func(*lexer) stateFn + +// lexer holds the state of the scanner. +type lexer struct { + input string // the string being scanned + state stateFn // the next lexing function to enter + pos int // current position in the input + start int // start position of this item + width int // width of last rune read from input + lastPos int // position of most recent item returned by nextItem + runes []rune // scanned runes for this item + items chan item // channel of scanned items +} + +// next returns the next rune in the input. +func (l *lexer) next() rune { + if l.pos >= len(l.input) { + l.width = 0 + return eof + } + r, w := utf8.DecodeRuneInString(l.input[l.pos:]) + l.width = w + l.pos += l.width + return r +} + +// peek returns but does not consume the next rune in the input. +func (l *lexer) peek() rune { + r := l.next() + l.backup() + return r +} + +// backup steps back one rune. Can only be called once per call of next. +func (l *lexer) backup() { + l.pos -= l.width +} + +// emit passes an item back to the client. +func (l *lexer) emit(t itemType) { + i := item{t, l.start, string(l.runes)} + l.items <- i + l.start = l.pos + l.runes = l.runes[:0] +} + +// ignore skips over the pending input before this point. +func (l *lexer) ignore() { + l.start = l.pos +} + +// appends the rune to the current value +func (l *lexer) appendRune(r rune) { + l.runes = append(l.runes, r) +} + +// accept consumes the next rune if it's from the valid set. +func (l *lexer) accept(valid string) bool { + if strings.ContainsRune(valid, l.next()) { + return true + } + l.backup() + return false +} + +// acceptRun consumes a run of runes from the valid set. +func (l *lexer) acceptRun(valid string) { + for strings.ContainsRune(valid, l.next()) { + } + l.backup() +} + +// lineNumber reports which line we're on, based on the position of +// the previous item returned by nextItem. Doing it this way +// means we don't have to worry about peek double counting. +func (l *lexer) lineNumber() int { + return 1 + strings.Count(l.input[:l.lastPos], "\n") +} + +// errorf returns an error token and terminates the scan by passing +// back a nil pointer that will be the next state, terminating l.nextItem. +func (l *lexer) errorf(format string, args ...interface{}) stateFn { + l.items <- item{itemError, l.start, fmt.Sprintf(format, args...)} + return nil +} + +// nextItem returns the next item from the input. +func (l *lexer) nextItem() item { + i := <-l.items + l.lastPos = i.pos + return i +} + +// lex creates a new scanner for the input string. +func lex(input string) *lexer { + l := &lexer{ + input: input, + items: make(chan item), + runes: make([]rune, 0, 32), + } + go l.run() + return l +} + +// run runs the state machine for the lexer. +func (l *lexer) run() { + for l.state = lexBeforeKey(l); l.state != nil; { + l.state = l.state(l) + } +} + +// state functions + +// lexBeforeKey scans until a key begins. +func lexBeforeKey(l *lexer) stateFn { + switch r := l.next(); { + case isEOF(r): + l.emit(itemEOF) + return nil + + case isEOL(r): + l.ignore() + return lexBeforeKey + + case isComment(r): + return lexComment + + case isWhitespace(r): + l.ignore() + return lexBeforeKey + + default: + l.backup() + return lexKey + } +} + +// lexComment scans a comment line. The comment character has already been scanned. +func lexComment(l *lexer) stateFn { + l.acceptRun(whitespace) + l.ignore() + for { + switch r := l.next(); { + case isEOF(r): + l.ignore() + l.emit(itemEOF) + return nil + case isEOL(r): + l.emit(itemComment) + return lexBeforeKey + default: + l.appendRune(r) + } + } +} + +// lexKey scans the key up to a delimiter +func lexKey(l *lexer) stateFn { + var r rune + +Loop: + for { + switch r = l.next(); { + + case isEscape(r): + err := l.scanEscapeSequence() + if err != nil { + return l.errorf(err.Error()) + } + + case isEndOfKey(r): + l.backup() + break Loop + + case isEOF(r): + break Loop + + default: + l.appendRune(r) + } + } + + if len(l.runes) > 0 { + l.emit(itemKey) + } + + if isEOF(r) { + l.emit(itemEOF) + return nil + } + + return lexBeforeValue +} + +// lexBeforeValue scans the delimiter between key and value. +// Leading and trailing whitespace is ignored. +// We expect to be just after the key. +func lexBeforeValue(l *lexer) stateFn { + l.acceptRun(whitespace) + l.accept(":=") + l.acceptRun(whitespace) + l.ignore() + return lexValue +} + +// lexValue scans text until the end of the line. We expect to be just after the delimiter. +func lexValue(l *lexer) stateFn { + for { + switch r := l.next(); { + case isEscape(r): + if isEOL(l.peek()) { + l.next() + l.acceptRun(whitespace) + } else { + err := l.scanEscapeSequence() + if err != nil { + return l.errorf(err.Error()) + } + } + + case isEOL(r): + l.emit(itemValue) + l.ignore() + return lexBeforeKey + + case isEOF(r): + l.emit(itemValue) + l.emit(itemEOF) + return nil + + default: + l.appendRune(r) + } + } +} + +// scanEscapeSequence scans either one of the escaped characters +// or a unicode literal. We expect to be after the escape character. +func (l *lexer) scanEscapeSequence() error { + switch r := l.next(); { + + case isEscapedCharacter(r): + l.appendRune(decodeEscapedCharacter(r)) + return nil + + case atUnicodeLiteral(r): + return l.scanUnicodeLiteral() + + case isEOF(r): + return fmt.Errorf("premature EOF") + + // silently drop the escape character and append the rune as is + default: + l.appendRune(r) + return nil + } +} + +// scans a unicode literal in the form \uXXXX. We expect to be after the \u. +func (l *lexer) scanUnicodeLiteral() error { + // scan the digits + d := make([]rune, 4) + for i := 0; i < 4; i++ { + d[i] = l.next() + if d[i] == eof || !strings.ContainsRune("0123456789abcdefABCDEF", d[i]) { + return fmt.Errorf("invalid unicode literal") + } + } + + // decode the digits into a rune + r, err := strconv.ParseInt(string(d), 16, 0) + if err != nil { + return err + } + + l.appendRune(rune(r)) + return nil +} + +// decodeEscapedCharacter returns the unescaped rune. We expect to be after the escape character. +func decodeEscapedCharacter(r rune) rune { + switch r { + case 'f': + return '\f' + case 'n': + return '\n' + case 'r': + return '\r' + case 't': + return '\t' + default: + return r + } +} + +// atUnicodeLiteral reports whether we are at a unicode literal. +// The escape character has already been consumed. +func atUnicodeLiteral(r rune) bool { + return r == 'u' +} + +// isComment reports whether we are at the start of a comment. +func isComment(r rune) bool { + return r == '#' || r == '!' +} + +// isEndOfKey reports whether the rune terminates the current key. +func isEndOfKey(r rune) bool { + return strings.ContainsRune(" \f\t\r\n:=", r) +} + +// isEOF reports whether we are at EOF. +func isEOF(r rune) bool { + return r == eof +} + +// isEOL reports whether we are at a new line character. +func isEOL(r rune) bool { + return r == '\n' || r == '\r' +} + +// isEscape reports whether the rune is the escape character which +// prefixes unicode literals and other escaped characters. +func isEscape(r rune) bool { + return r == '\\' +} + +// isEscapedCharacter reports whether we are at one of the characters that need escaping. +// The escape character has already been consumed. +func isEscapedCharacter(r rune) bool { + return strings.ContainsRune(" :=fnrt", r) +} + +// isWhitespace reports whether the rune is a whitespace character. +func isWhitespace(r rune) bool { + return strings.ContainsRune(whitespace, r) +} diff --git a/vendor/github.com/magiconair/properties/load.go b/vendor/github.com/magiconair/properties/load.go new file mode 100644 index 0000000000..6567e0c719 --- /dev/null +++ b/vendor/github.com/magiconair/properties/load.go @@ -0,0 +1,314 @@ +// Copyright 2013-2022 Frank Schroeder. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package properties + +import ( + "fmt" + "io" + "net/http" + "os" + "strings" +) + +// Encoding specifies encoding of the input data. +type Encoding uint + +const ( + // utf8Default is a private placeholder for the zero value of Encoding to + // ensure that it has the correct meaning. UTF8 is the default encoding but + // was assigned a non-zero value which cannot be changed without breaking + // existing code. Clients should continue to use the public constants. + utf8Default Encoding = iota + + // UTF8 interprets the input data as UTF-8. + UTF8 + + // ISO_8859_1 interprets the input data as ISO-8859-1. + ISO_8859_1 +) + +type Loader struct { + // Encoding determines how the data from files and byte buffers + // is interpreted. For URLs the Content-Type header is used + // to determine the encoding of the data. + Encoding Encoding + + // DisableExpansion configures the property expansion of the + // returned property object. When set to true, the property values + // will not be expanded and the Property object will not be checked + // for invalid expansion expressions. + DisableExpansion bool + + // IgnoreMissing configures whether missing files or URLs which return + // 404 are reported as errors. When set to true, missing files and 404 + // status codes are not reported as errors. + IgnoreMissing bool +} + +// Load reads a buffer into a Properties struct. +func (l *Loader) LoadBytes(buf []byte) (*Properties, error) { + return l.loadBytes(buf, l.Encoding) +} + +// LoadReader reads an io.Reader into a Properties struct. +func (l *Loader) LoadReader(r io.Reader) (*Properties, error) { + if buf, err := io.ReadAll(r); err != nil { + return nil, err + } else { + return l.loadBytes(buf, l.Encoding) + } +} + +// LoadAll reads the content of multiple URLs or files in the given order into +// a Properties struct. If IgnoreMissing is true then a 404 status code or +// missing file will not be reported as error. Encoding sets the encoding for +// files. For the URLs see LoadURL for the Content-Type header and the +// encoding. +func (l *Loader) LoadAll(names []string) (*Properties, error) { + all := NewProperties() + for _, name := range names { + n, err := expandName(name) + if err != nil { + return nil, err + } + + var p *Properties + switch { + case strings.HasPrefix(n, "http://"): + p, err = l.LoadURL(n) + case strings.HasPrefix(n, "https://"): + p, err = l.LoadURL(n) + default: + p, err = l.LoadFile(n) + } + if err != nil { + return nil, err + } + all.Merge(p) + } + + all.DisableExpansion = l.DisableExpansion + if all.DisableExpansion { + return all, nil + } + return all, all.check() +} + +// LoadFile reads a file into a Properties struct. +// If IgnoreMissing is true then a missing file will not be +// reported as error. +func (l *Loader) LoadFile(filename string) (*Properties, error) { + data, err := os.ReadFile(filename) + if err != nil { + if l.IgnoreMissing && os.IsNotExist(err) { + LogPrintf("properties: %s not found. skipping", filename) + return NewProperties(), nil + } + return nil, err + } + return l.loadBytes(data, l.Encoding) +} + +// LoadURL reads the content of the URL into a Properties struct. +// +// The encoding is determined via the Content-Type header which +// should be set to 'text/plain'. If the 'charset' parameter is +// missing, 'iso-8859-1' or 'latin1' the encoding is set to +// ISO-8859-1. If the 'charset' parameter is set to 'utf-8' the +// encoding is set to UTF-8. A missing content type header is +// interpreted as 'text/plain; charset=utf-8'. +func (l *Loader) LoadURL(url string) (*Properties, error) { + resp, err := http.Get(url) + if err != nil { + return nil, fmt.Errorf("properties: error fetching %q. %s", url, err) + } + defer resp.Body.Close() + + if resp.StatusCode == 404 && l.IgnoreMissing { + LogPrintf("properties: %s returned %d. skipping", url, resp.StatusCode) + return NewProperties(), nil + } + + if resp.StatusCode != 200 { + return nil, fmt.Errorf("properties: %s returned %d", url, resp.StatusCode) + } + + body, err := io.ReadAll(resp.Body) + if err != nil { + return nil, fmt.Errorf("properties: %s error reading response. %s", url, err) + } + + ct := resp.Header.Get("Content-Type") + ct = strings.Join(strings.Fields(ct), "") + var enc Encoding + switch strings.ToLower(ct) { + case "text/plain", "text/plain;charset=iso-8859-1", "text/plain;charset=latin1": + enc = ISO_8859_1 + case "", "text/plain;charset=utf-8": + enc = UTF8 + default: + return nil, fmt.Errorf("properties: invalid content type %s", ct) + } + + return l.loadBytes(body, enc) +} + +func (l *Loader) loadBytes(buf []byte, enc Encoding) (*Properties, error) { + p, err := parse(convert(buf, enc)) + if err != nil { + return nil, err + } + p.DisableExpansion = l.DisableExpansion + if p.DisableExpansion { + return p, nil + } + return p, p.check() +} + +// Load reads a buffer into a Properties struct. +func Load(buf []byte, enc Encoding) (*Properties, error) { + l := &Loader{Encoding: enc} + return l.LoadBytes(buf) +} + +// LoadString reads an UTF8 string into a properties struct. +func LoadString(s string) (*Properties, error) { + l := &Loader{Encoding: UTF8} + return l.LoadBytes([]byte(s)) +} + +// LoadMap creates a new Properties struct from a string map. +func LoadMap(m map[string]string) *Properties { + p := NewProperties() + for k, v := range m { + p.Set(k, v) + } + return p +} + +// LoadFile reads a file into a Properties struct. +func LoadFile(filename string, enc Encoding) (*Properties, error) { + l := &Loader{Encoding: enc} + return l.LoadAll([]string{filename}) +} + +// LoadReader reads an io.Reader into a Properties struct. +func LoadReader(r io.Reader, enc Encoding) (*Properties, error) { + l := &Loader{Encoding: enc} + return l.LoadReader(r) +} + +// LoadFiles reads multiple files in the given order into +// a Properties struct. If 'ignoreMissing' is true then +// non-existent files will not be reported as error. +func LoadFiles(filenames []string, enc Encoding, ignoreMissing bool) (*Properties, error) { + l := &Loader{Encoding: enc, IgnoreMissing: ignoreMissing} + return l.LoadAll(filenames) +} + +// LoadURL reads the content of the URL into a Properties struct. +// See Loader#LoadURL for details. +func LoadURL(url string) (*Properties, error) { + l := &Loader{Encoding: UTF8} + return l.LoadAll([]string{url}) +} + +// LoadURLs reads the content of multiple URLs in the given order into a +// Properties struct. If IgnoreMissing is true then a 404 status code will +// not be reported as error. See Loader#LoadURL for the Content-Type header +// and the encoding. +func LoadURLs(urls []string, ignoreMissing bool) (*Properties, error) { + l := &Loader{Encoding: UTF8, IgnoreMissing: ignoreMissing} + return l.LoadAll(urls) +} + +// LoadAll reads the content of multiple URLs or files in the given order into a +// Properties struct. If 'ignoreMissing' is true then a 404 status code or missing file will +// not be reported as error. Encoding sets the encoding for files. For the URLs please see +// LoadURL for the Content-Type header and the encoding. +func LoadAll(names []string, enc Encoding, ignoreMissing bool) (*Properties, error) { + l := &Loader{Encoding: enc, IgnoreMissing: ignoreMissing} + return l.LoadAll(names) +} + +// MustLoadString reads an UTF8 string into a Properties struct and +// panics on error. +func MustLoadString(s string) *Properties { + return must(LoadString(s)) +} + +// MustLoadSReader reads an io.Reader into a Properties struct and +// panics on error. +func MustLoadReader(r io.Reader, enc Encoding) *Properties { + return must(LoadReader(r, enc)) +} + +// MustLoadFile reads a file into a Properties struct and +// panics on error. +func MustLoadFile(filename string, enc Encoding) *Properties { + return must(LoadFile(filename, enc)) +} + +// MustLoadFiles reads multiple files in the given order into +// a Properties struct and panics on error. If 'ignoreMissing' +// is true then non-existent files will not be reported as error. +func MustLoadFiles(filenames []string, enc Encoding, ignoreMissing bool) *Properties { + return must(LoadFiles(filenames, enc, ignoreMissing)) +} + +// MustLoadURL reads the content of a URL into a Properties struct and +// panics on error. +func MustLoadURL(url string) *Properties { + return must(LoadURL(url)) +} + +// MustLoadURLs reads the content of multiple URLs in the given order into a +// Properties struct and panics on error. If 'ignoreMissing' is true then a 404 +// status code will not be reported as error. +func MustLoadURLs(urls []string, ignoreMissing bool) *Properties { + return must(LoadURLs(urls, ignoreMissing)) +} + +// MustLoadAll reads the content of multiple URLs or files in the given order into a +// Properties struct. If 'ignoreMissing' is true then a 404 status code or missing file will +// not be reported as error. Encoding sets the encoding for files. For the URLs please see +// LoadURL for the Content-Type header and the encoding. It panics on error. +func MustLoadAll(names []string, enc Encoding, ignoreMissing bool) *Properties { + return must(LoadAll(names, enc, ignoreMissing)) +} + +func must(p *Properties, err error) *Properties { + if err != nil { + ErrorHandler(err) + } + return p +} + +// expandName expands ${ENV_VAR} expressions in a name. +// If the environment variable does not exist then it will be replaced +// with an empty string. Malformed expressions like "${ENV_VAR" will +// be reported as error. +func expandName(name string) (string, error) { + return expand(name, []string{}, "${", "}", make(map[string]string)) +} + +// Interprets a byte buffer either as an ISO-8859-1 or UTF-8 encoded string. +// For ISO-8859-1 we can convert each byte straight into a rune since the +// first 256 unicode code points cover ISO-8859-1. +func convert(buf []byte, enc Encoding) string { + switch enc { + case utf8Default, UTF8: + return string(buf) + case ISO_8859_1: + runes := make([]rune, len(buf)) + for i, b := range buf { + runes[i] = rune(b) + } + return string(runes) + default: + ErrorHandler(fmt.Errorf("unsupported encoding %v", enc)) + } + panic("ErrorHandler should exit") +} diff --git a/vendor/github.com/magiconair/properties/parser.go b/vendor/github.com/magiconair/properties/parser.go new file mode 100644 index 0000000000..fccfd39f6b --- /dev/null +++ b/vendor/github.com/magiconair/properties/parser.go @@ -0,0 +1,86 @@ +// Copyright 2013-2022 Frank Schroeder. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package properties + +import ( + "fmt" + "runtime" +) + +type parser struct { + lex *lexer +} + +func parse(input string) (properties *Properties, err error) { + p := &parser{lex: lex(input)} + defer p.recover(&err) + + properties = NewProperties() + key := "" + comments := []string{} + + for { + token := p.expectOneOf(itemComment, itemKey, itemEOF) + switch token.typ { + case itemEOF: + goto done + case itemComment: + comments = append(comments, token.val) + continue + case itemKey: + key = token.val + if _, ok := properties.m[key]; !ok { + properties.k = append(properties.k, key) + } + } + + token = p.expectOneOf(itemValue, itemEOF) + if len(comments) > 0 { + properties.c[key] = comments + comments = []string{} + } + switch token.typ { + case itemEOF: + properties.m[key] = "" + goto done + case itemValue: + properties.m[key] = token.val + } + } + +done: + return properties, nil +} + +func (p *parser) errorf(format string, args ...interface{}) { + format = fmt.Sprintf("properties: Line %d: %s", p.lex.lineNumber(), format) + panic(fmt.Errorf(format, args...)) +} + +func (p *parser) expectOneOf(expected ...itemType) (token item) { + token = p.lex.nextItem() + for _, v := range expected { + if token.typ == v { + return token + } + } + p.unexpected(token) + panic("unexpected token") +} + +func (p *parser) unexpected(token item) { + p.errorf(token.String()) +} + +// recover is the handler that turns panics into returns from the top level of Parse. +func (p *parser) recover(errp *error) { + e := recover() + if e != nil { + if _, ok := e.(runtime.Error); ok { + panic(e) + } + *errp = e.(error) + } +} diff --git a/vendor/github.com/magiconair/properties/properties.go b/vendor/github.com/magiconair/properties/properties.go new file mode 100644 index 0000000000..fb2f7b4048 --- /dev/null +++ b/vendor/github.com/magiconair/properties/properties.go @@ -0,0 +1,848 @@ +// Copyright 2013-2022 Frank Schroeder. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package properties + +// BUG(frank): Set() does not check for invalid unicode literals since this is currently handled by the lexer. +// BUG(frank): Write() does not allow to configure the newline character. Therefore, on Windows LF is used. + +import ( + "bytes" + "fmt" + "io" + "log" + "os" + "regexp" + "sort" + "strconv" + "strings" + "time" + "unicode/utf8" +) + +const maxExpansionDepth = 64 + +// ErrorHandlerFunc defines the type of function which handles failures +// of the MustXXX() functions. An error handler function must exit +// the application after handling the error. +type ErrorHandlerFunc func(error) + +// ErrorHandler is the function which handles failures of the MustXXX() +// functions. The default is LogFatalHandler. +var ErrorHandler ErrorHandlerFunc = LogFatalHandler + +// LogHandlerFunc defines the function prototype for logging errors. +type LogHandlerFunc func(fmt string, args ...interface{}) + +// LogPrintf defines a log handler which uses log.Printf. +var LogPrintf LogHandlerFunc = log.Printf + +// LogFatalHandler handles the error by logging a fatal error and exiting. +func LogFatalHandler(err error) { + log.Fatal(err) +} + +// PanicHandler handles the error by panicking. +func PanicHandler(err error) { + panic(err) +} + +// ----------------------------------------------------------------------------- + +// A Properties contains the key/value pairs from the properties input. +// All values are stored in unexpanded form and are expanded at runtime +type Properties struct { + // Pre-/Postfix for property expansion. + Prefix string + Postfix string + + // DisableExpansion controls the expansion of properties on Get() + // and the check for circular references on Set(). When set to + // true Properties behaves like a simple key/value store and does + // not check for circular references on Get() or on Set(). + DisableExpansion bool + + // Stores the key/value pairs + m map[string]string + + // Stores the comments per key. + c map[string][]string + + // Stores the keys in order of appearance. + k []string + + // WriteSeparator specifies the separator of key and value while writing the properties. + WriteSeparator string +} + +// NewProperties creates a new Properties struct with the default +// configuration for "${key}" expressions. +func NewProperties() *Properties { + return &Properties{ + Prefix: "${", + Postfix: "}", + m: map[string]string{}, + c: map[string][]string{}, + k: []string{}, + } +} + +// Load reads a buffer into the given Properties struct. +func (p *Properties) Load(buf []byte, enc Encoding) error { + l := &Loader{Encoding: enc, DisableExpansion: p.DisableExpansion} + newProperties, err := l.LoadBytes(buf) + if err != nil { + return err + } + p.Merge(newProperties) + return nil +} + +// Get returns the expanded value for the given key if exists. +// Otherwise, ok is false. +func (p *Properties) Get(key string) (value string, ok bool) { + v, ok := p.m[key] + if p.DisableExpansion { + return v, ok + } + if !ok { + return "", false + } + + expanded, err := p.expand(key, v) + + // we guarantee that the expanded value is free of + // circular references and malformed expressions + // so we panic if we still get an error here. + if err != nil { + ErrorHandler(err) + } + + return expanded, true +} + +// MustGet returns the expanded value for the given key if exists. +// Otherwise, it panics. +func (p *Properties) MustGet(key string) string { + if v, ok := p.Get(key); ok { + return v + } + ErrorHandler(invalidKeyError(key)) + panic("ErrorHandler should exit") +} + +// ---------------------------------------------------------------------------- + +// ClearComments removes the comments for all keys. +func (p *Properties) ClearComments() { + p.c = map[string][]string{} +} + +// ---------------------------------------------------------------------------- + +// GetComment returns the last comment before the given key or an empty string. +func (p *Properties) GetComment(key string) string { + comments, ok := p.c[key] + if !ok || len(comments) == 0 { + return "" + } + return comments[len(comments)-1] +} + +// ---------------------------------------------------------------------------- + +// GetComments returns all comments that appeared before the given key or nil. +func (p *Properties) GetComments(key string) []string { + if comments, ok := p.c[key]; ok { + return comments + } + return nil +} + +// ---------------------------------------------------------------------------- + +// SetComment sets the comment for the key. +func (p *Properties) SetComment(key, comment string) { + p.c[key] = []string{comment} +} + +// ---------------------------------------------------------------------------- + +// SetComments sets the comments for the key. If the comments are nil then +// all comments for this key are deleted. +func (p *Properties) SetComments(key string, comments []string) { + if comments == nil { + delete(p.c, key) + return + } + p.c[key] = comments +} + +// ---------------------------------------------------------------------------- + +// GetBool checks if the expanded value is one of '1', 'yes', +// 'true' or 'on' if the key exists. The comparison is case-insensitive. +// If the key does not exist the default value is returned. +func (p *Properties) GetBool(key string, def bool) bool { + v, err := p.getBool(key) + if err != nil { + return def + } + return v +} + +// MustGetBool checks if the expanded value is one of '1', 'yes', +// 'true' or 'on' if the key exists. The comparison is case-insensitive. +// If the key does not exist the function panics. +func (p *Properties) MustGetBool(key string) bool { + v, err := p.getBool(key) + if err != nil { + ErrorHandler(err) + } + return v +} + +func (p *Properties) getBool(key string) (value bool, err error) { + if v, ok := p.Get(key); ok { + return boolVal(v), nil + } + return false, invalidKeyError(key) +} + +func boolVal(v string) bool { + v = strings.ToLower(v) + return v == "1" || v == "true" || v == "yes" || v == "on" +} + +// ---------------------------------------------------------------------------- + +// GetDuration parses the expanded value as an time.Duration (in ns) if the +// key exists. If key does not exist or the value cannot be parsed the default +// value is returned. In almost all cases you want to use GetParsedDuration(). +func (p *Properties) GetDuration(key string, def time.Duration) time.Duration { + v, err := p.getInt64(key) + if err != nil { + return def + } + return time.Duration(v) +} + +// MustGetDuration parses the expanded value as an time.Duration (in ns) if +// the key exists. If key does not exist or the value cannot be parsed the +// function panics. In almost all cases you want to use MustGetParsedDuration(). +func (p *Properties) MustGetDuration(key string) time.Duration { + v, err := p.getInt64(key) + if err != nil { + ErrorHandler(err) + } + return time.Duration(v) +} + +// ---------------------------------------------------------------------------- + +// GetParsedDuration parses the expanded value with time.ParseDuration() if the key exists. +// If key does not exist or the value cannot be parsed the default +// value is returned. +func (p *Properties) GetParsedDuration(key string, def time.Duration) time.Duration { + s, ok := p.Get(key) + if !ok { + return def + } + v, err := time.ParseDuration(s) + if err != nil { + return def + } + return v +} + +// MustGetParsedDuration parses the expanded value with time.ParseDuration() if the key exists. +// If key does not exist or the value cannot be parsed the function panics. +func (p *Properties) MustGetParsedDuration(key string) time.Duration { + s, ok := p.Get(key) + if !ok { + ErrorHandler(invalidKeyError(key)) + } + v, err := time.ParseDuration(s) + if err != nil { + ErrorHandler(err) + } + return v +} + +// ---------------------------------------------------------------------------- + +// GetFloat64 parses the expanded value as a float64 if the key exists. +// If key does not exist or the value cannot be parsed the default +// value is returned. +func (p *Properties) GetFloat64(key string, def float64) float64 { + v, err := p.getFloat64(key) + if err != nil { + return def + } + return v +} + +// MustGetFloat64 parses the expanded value as a float64 if the key exists. +// If key does not exist or the value cannot be parsed the function panics. +func (p *Properties) MustGetFloat64(key string) float64 { + v, err := p.getFloat64(key) + if err != nil { + ErrorHandler(err) + } + return v +} + +func (p *Properties) getFloat64(key string) (value float64, err error) { + if v, ok := p.Get(key); ok { + value, err = strconv.ParseFloat(v, 64) + if err != nil { + return 0, err + } + return value, nil + } + return 0, invalidKeyError(key) +} + +// ---------------------------------------------------------------------------- + +// GetInt parses the expanded value as an int if the key exists. +// If key does not exist or the value cannot be parsed the default +// value is returned. If the value does not fit into an int the +// function panics with an out of range error. +func (p *Properties) GetInt(key string, def int) int { + v, err := p.getInt64(key) + if err != nil { + return def + } + return intRangeCheck(key, v) +} + +// MustGetInt parses the expanded value as an int if the key exists. +// If key does not exist or the value cannot be parsed the function panics. +// If the value does not fit into an int the function panics with +// an out of range error. +func (p *Properties) MustGetInt(key string) int { + v, err := p.getInt64(key) + if err != nil { + ErrorHandler(err) + } + return intRangeCheck(key, v) +} + +// ---------------------------------------------------------------------------- + +// GetInt64 parses the expanded value as an int64 if the key exists. +// If key does not exist or the value cannot be parsed the default +// value is returned. +func (p *Properties) GetInt64(key string, def int64) int64 { + v, err := p.getInt64(key) + if err != nil { + return def + } + return v +} + +// MustGetInt64 parses the expanded value as an int if the key exists. +// If key does not exist or the value cannot be parsed the function panics. +func (p *Properties) MustGetInt64(key string) int64 { + v, err := p.getInt64(key) + if err != nil { + ErrorHandler(err) + } + return v +} + +func (p *Properties) getInt64(key string) (value int64, err error) { + if v, ok := p.Get(key); ok { + value, err = strconv.ParseInt(v, 10, 64) + if err != nil { + return 0, err + } + return value, nil + } + return 0, invalidKeyError(key) +} + +// ---------------------------------------------------------------------------- + +// GetUint parses the expanded value as an uint if the key exists. +// If key does not exist or the value cannot be parsed the default +// value is returned. If the value does not fit into an int the +// function panics with an out of range error. +func (p *Properties) GetUint(key string, def uint) uint { + v, err := p.getUint64(key) + if err != nil { + return def + } + return uintRangeCheck(key, v) +} + +// MustGetUint parses the expanded value as an int if the key exists. +// If key does not exist or the value cannot be parsed the function panics. +// If the value does not fit into an int the function panics with +// an out of range error. +func (p *Properties) MustGetUint(key string) uint { + v, err := p.getUint64(key) + if err != nil { + ErrorHandler(err) + } + return uintRangeCheck(key, v) +} + +// ---------------------------------------------------------------------------- + +// GetUint64 parses the expanded value as an uint64 if the key exists. +// If key does not exist or the value cannot be parsed the default +// value is returned. +func (p *Properties) GetUint64(key string, def uint64) uint64 { + v, err := p.getUint64(key) + if err != nil { + return def + } + return v +} + +// MustGetUint64 parses the expanded value as an int if the key exists. +// If key does not exist or the value cannot be parsed the function panics. +func (p *Properties) MustGetUint64(key string) uint64 { + v, err := p.getUint64(key) + if err != nil { + ErrorHandler(err) + } + return v +} + +func (p *Properties) getUint64(key string) (value uint64, err error) { + if v, ok := p.Get(key); ok { + value, err = strconv.ParseUint(v, 10, 64) + if err != nil { + return 0, err + } + return value, nil + } + return 0, invalidKeyError(key) +} + +// ---------------------------------------------------------------------------- + +// GetString returns the expanded value for the given key if exists or +// the default value otherwise. +func (p *Properties) GetString(key, def string) string { + if v, ok := p.Get(key); ok { + return v + } + return def +} + +// MustGetString returns the expanded value for the given key if exists or +// panics otherwise. +func (p *Properties) MustGetString(key string) string { + if v, ok := p.Get(key); ok { + return v + } + ErrorHandler(invalidKeyError(key)) + panic("ErrorHandler should exit") +} + +// ---------------------------------------------------------------------------- + +// Filter returns a new properties object which contains all properties +// for which the key matches the pattern. +func (p *Properties) Filter(pattern string) (*Properties, error) { + re, err := regexp.Compile(pattern) + if err != nil { + return nil, err + } + + return p.FilterRegexp(re), nil +} + +// FilterRegexp returns a new properties object which contains all properties +// for which the key matches the regular expression. +func (p *Properties) FilterRegexp(re *regexp.Regexp) *Properties { + pp := NewProperties() + for _, k := range p.k { + if re.MatchString(k) { + // TODO(fs): we are ignoring the error which flags a circular reference. + // TODO(fs): since we are just copying a subset of keys this cannot happen (fingers crossed) + pp.Set(k, p.m[k]) + } + } + return pp +} + +// FilterPrefix returns a new properties object with a subset of all keys +// with the given prefix. +func (p *Properties) FilterPrefix(prefix string) *Properties { + pp := NewProperties() + for _, k := range p.k { + if strings.HasPrefix(k, prefix) { + // TODO(fs): we are ignoring the error which flags a circular reference. + // TODO(fs): since we are just copying a subset of keys this cannot happen (fingers crossed) + pp.Set(k, p.m[k]) + } + } + return pp +} + +// FilterStripPrefix returns a new properties object with a subset of all keys +// with the given prefix and the prefix removed from the keys. +func (p *Properties) FilterStripPrefix(prefix string) *Properties { + pp := NewProperties() + n := len(prefix) + for _, k := range p.k { + if len(k) > len(prefix) && strings.HasPrefix(k, prefix) { + // TODO(fs): we are ignoring the error which flags a circular reference. + // TODO(fs): since we are modifying keys I am not entirely sure whether we can create a circular reference + // TODO(fs): this function should probably return an error but the signature is fixed + pp.Set(k[n:], p.m[k]) + } + } + return pp +} + +// Len returns the number of keys. +func (p *Properties) Len() int { + return len(p.m) +} + +// Keys returns all keys in the same order as in the input. +func (p *Properties) Keys() []string { + keys := make([]string, len(p.k)) + copy(keys, p.k) + return keys +} + +// Set sets the property key to the corresponding value. +// If a value for key existed before then ok is true and prev +// contains the previous value. If the value contains a +// circular reference or a malformed expression then +// an error is returned. +// An empty key is silently ignored. +func (p *Properties) Set(key, value string) (prev string, ok bool, err error) { + if key == "" { + return "", false, nil + } + + // if expansion is disabled we allow circular references + if p.DisableExpansion { + prev, ok = p.Get(key) + p.m[key] = value + if !ok { + p.k = append(p.k, key) + } + return prev, ok, nil + } + + // to check for a circular reference we temporarily need + // to set the new value. If there is an error then revert + // to the previous state. Only if all tests are successful + // then we add the key to the p.k list. + prev, ok = p.Get(key) + p.m[key] = value + + // now check for a circular reference + _, err = p.expand(key, value) + if err != nil { + + // revert to the previous state + if ok { + p.m[key] = prev + } else { + delete(p.m, key) + } + + return "", false, err + } + + if !ok { + p.k = append(p.k, key) + } + + return prev, ok, nil +} + +// SetValue sets property key to the default string value +// as defined by fmt.Sprintf("%v"). +func (p *Properties) SetValue(key string, value interface{}) error { + _, _, err := p.Set(key, fmt.Sprintf("%v", value)) + return err +} + +// MustSet sets the property key to the corresponding value. +// If a value for key existed before then ok is true and prev +// contains the previous value. An empty key is silently ignored. +func (p *Properties) MustSet(key, value string) (prev string, ok bool) { + prev, ok, err := p.Set(key, value) + if err != nil { + ErrorHandler(err) + } + return prev, ok +} + +// String returns a string of all expanded 'key = value' pairs. +func (p *Properties) String() string { + var s string + for _, key := range p.k { + value, _ := p.Get(key) + s = fmt.Sprintf("%s%s = %s\n", s, key, value) + } + return s +} + +// Sort sorts the properties keys in alphabetical order. +// This is helpfully before writing the properties. +func (p *Properties) Sort() { + sort.Strings(p.k) +} + +// Write writes all unexpanded 'key = value' pairs to the given writer. +// Write returns the number of bytes written and any write error encountered. +func (p *Properties) Write(w io.Writer, enc Encoding) (n int, err error) { + return p.WriteComment(w, "", enc) +} + +// WriteComment writes all unexpanced 'key = value' pairs to the given writer. +// If prefix is not empty then comments are written with a blank line and the +// given prefix. The prefix should be either "# " or "! " to be compatible with +// the properties file format. Otherwise, the properties parser will not be +// able to read the file back in. It returns the number of bytes written and +// any write error encountered. +func (p *Properties) WriteComment(w io.Writer, prefix string, enc Encoding) (n int, err error) { + var x int + + for _, key := range p.k { + value := p.m[key] + + if prefix != "" { + if comments, ok := p.c[key]; ok { + // don't print comments if they are all empty + allEmpty := true + for _, c := range comments { + if c != "" { + allEmpty = false + break + } + } + + if !allEmpty { + // add a blank line between entries but not at the top + if len(comments) > 0 && n > 0 { + x, err = fmt.Fprintln(w) + if err != nil { + return + } + n += x + } + + for _, c := range comments { + x, err = fmt.Fprintf(w, "%s%s\n", prefix, c) + if err != nil { + return + } + n += x + } + } + } + } + sep := " = " + if p.WriteSeparator != "" { + sep = p.WriteSeparator + } + x, err = fmt.Fprintf(w, "%s%s%s\n", encode(key, " :", enc), sep, encode(value, "", enc)) + if err != nil { + return + } + n += x + } + return +} + +// Map returns a copy of the properties as a map. +func (p *Properties) Map() map[string]string { + m := make(map[string]string) + for k, v := range p.m { + m[k] = v + } + return m +} + +// FilterFunc returns a copy of the properties which includes the values which passed all filters. +func (p *Properties) FilterFunc(filters ...func(k, v string) bool) *Properties { + pp := NewProperties() +outer: + for k, v := range p.m { + for _, f := range filters { + if !f(k, v) { + continue outer + } + pp.Set(k, v) + } + } + return pp +} + +// ---------------------------------------------------------------------------- + +// Delete removes the key and its comments. +func (p *Properties) Delete(key string) { + delete(p.m, key) + delete(p.c, key) + newKeys := []string{} + for _, k := range p.k { + if k != key { + newKeys = append(newKeys, k) + } + } + p.k = newKeys +} + +// Merge merges properties, comments and keys from other *Properties into p +func (p *Properties) Merge(other *Properties) { + for _, k := range other.k { + if _, ok := p.m[k]; !ok { + p.k = append(p.k, k) + } + } + for k, v := range other.m { + p.m[k] = v + } + for k, v := range other.c { + p.c[k] = v + } +} + +// ---------------------------------------------------------------------------- + +// check expands all values and returns an error if a circular reference or +// a malformed expression was found. +func (p *Properties) check() error { + for key, value := range p.m { + if _, err := p.expand(key, value); err != nil { + return err + } + } + return nil +} + +func (p *Properties) expand(key, input string) (string, error) { + // no pre/postfix -> nothing to expand + if p.Prefix == "" && p.Postfix == "" { + return input, nil + } + + return expand(input, []string{key}, p.Prefix, p.Postfix, p.m) +} + +// expand recursively expands expressions of '(prefix)key(postfix)' to their corresponding values. +// The function keeps track of the keys that were already expanded and stops if it +// detects a circular reference or a malformed expression of the form '(prefix)key'. +func expand(s string, keys []string, prefix, postfix string, values map[string]string) (string, error) { + if len(keys) > maxExpansionDepth { + return "", fmt.Errorf("expansion too deep") + } + + for { + start := strings.Index(s, prefix) + if start == -1 { + return s, nil + } + + keyStart := start + len(prefix) + keyLen := strings.Index(s[keyStart:], postfix) + if keyLen == -1 { + return "", fmt.Errorf("malformed expression") + } + + end := keyStart + keyLen + len(postfix) - 1 + key := s[keyStart : keyStart+keyLen] + + // fmt.Printf("s:%q pp:%q start:%d end:%d keyStart:%d keyLen:%d key:%q\n", s, prefix + "..." + postfix, start, end, keyStart, keyLen, key) + + for _, k := range keys { + if key == k { + var b bytes.Buffer + b.WriteString("circular reference in:\n") + for _, k1 := range keys { + fmt.Fprintf(&b, "%s=%s\n", k1, values[k1]) + } + return "", fmt.Errorf(b.String()) + } + } + + val, ok := values[key] + if !ok { + val = os.Getenv(key) + } + new_val, err := expand(val, append(keys, key), prefix, postfix, values) + if err != nil { + return "", err + } + s = s[:start] + new_val + s[end+1:] + } +} + +// encode encodes a UTF-8 string to ISO-8859-1 and escapes some characters. +func encode(s string, special string, enc Encoding) string { + switch enc { + case UTF8: + return encodeUtf8(s, special) + case ISO_8859_1: + return encodeIso(s, special) + default: + panic(fmt.Sprintf("unsupported encoding %v", enc)) + } +} + +func encodeUtf8(s string, special string) string { + v := "" + for pos := 0; pos < len(s); { + r, w := utf8.DecodeRuneInString(s[pos:]) + pos += w + v += escape(r, special) + } + return v +} + +func encodeIso(s string, special string) string { + var r rune + var w int + var v string + for pos := 0; pos < len(s); { + switch r, w = utf8.DecodeRuneInString(s[pos:]); { + case r < 1<<8: // single byte rune -> escape special chars only + v += escape(r, special) + case r < 1<<16: // two byte rune -> unicode literal + v += fmt.Sprintf("\\u%04x", r) + default: // more than two bytes per rune -> can't encode + v += "?" + } + pos += w + } + return v +} + +func escape(r rune, special string) string { + switch r { + case '\f': + return "\\f" + case '\n': + return "\\n" + case '\r': + return "\\r" + case '\t': + return "\\t" + case '\\': + return "\\\\" + default: + if strings.ContainsRune(special, r) { + return "\\" + string(r) + } + return string(r) + } +} + +func invalidKeyError(key string) error { + return fmt.Errorf("unknown property: %s", key) +} diff --git a/vendor/github.com/magiconair/properties/rangecheck.go b/vendor/github.com/magiconair/properties/rangecheck.go new file mode 100644 index 0000000000..dbd60b36e7 --- /dev/null +++ b/vendor/github.com/magiconair/properties/rangecheck.go @@ -0,0 +1,31 @@ +// Copyright 2013-2022 Frank Schroeder. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package properties + +import ( + "fmt" + "math" +) + +// make this a var to overwrite it in a test +var is32Bit = ^uint(0) == math.MaxUint32 + +// intRangeCheck checks if the value fits into the int type and +// panics if it does not. +func intRangeCheck(key string, v int64) int { + if is32Bit && (v < math.MinInt32 || v > math.MaxInt32) { + panic(fmt.Sprintf("Value %d for key %s out of range", v, key)) + } + return int(v) +} + +// uintRangeCheck checks if the value fits into the uint type and +// panics if it does not. +func uintRangeCheck(key string, v uint64) uint { + if is32Bit && v > math.MaxUint32 { + panic(fmt.Sprintf("Value %d for key %s out of range", v, key)) + } + return uint(v) +} diff --git a/vendor/github.com/mattn/go-runewidth/LICENSE b/vendor/github.com/mattn/go-runewidth/LICENSE new file mode 100644 index 0000000000..91b5cef30e --- /dev/null +++ b/vendor/github.com/mattn/go-runewidth/LICENSE @@ -0,0 +1,21 @@ +The MIT License (MIT) + +Copyright (c) 2016 Yasuhiro Matsumoto + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. diff --git a/vendor/github.com/mattn/go-runewidth/README.md b/vendor/github.com/mattn/go-runewidth/README.md new file mode 100644 index 0000000000..5e2cfd98cb --- /dev/null +++ b/vendor/github.com/mattn/go-runewidth/README.md @@ -0,0 +1,27 @@ +go-runewidth +============ + +[![Build Status](https://github.com/mattn/go-runewidth/workflows/test/badge.svg?branch=master)](https://github.com/mattn/go-runewidth/actions?query=workflow%3Atest) +[![Codecov](https://codecov.io/gh/mattn/go-runewidth/branch/master/graph/badge.svg)](https://codecov.io/gh/mattn/go-runewidth) +[![GoDoc](https://godoc.org/github.com/mattn/go-runewidth?status.svg)](http://godoc.org/github.com/mattn/go-runewidth) +[![Go Report Card](https://goreportcard.com/badge/github.com/mattn/go-runewidth)](https://goreportcard.com/report/github.com/mattn/go-runewidth) + +Provides functions to get fixed width of the character or string. + +Usage +----- + +```go +runewidth.StringWidth("ã¤ã®ã â˜†HIRO") == 12 +``` + + +Author +------ + +Yasuhiro Matsumoto + +License +------- + +under the MIT License: http://mattn.mit-license.org/2013 diff --git a/vendor/github.com/mattn/go-runewidth/runewidth.go b/vendor/github.com/mattn/go-runewidth/runewidth.go new file mode 100644 index 0000000000..7dfbb3be91 --- /dev/null +++ b/vendor/github.com/mattn/go-runewidth/runewidth.go @@ -0,0 +1,358 @@ +package runewidth + +import ( + "os" + "strings" + + "github.com/rivo/uniseg" +) + +//go:generate go run script/generate.go + +var ( + // EastAsianWidth will be set true if the current locale is CJK + EastAsianWidth bool + + // StrictEmojiNeutral should be set false if handle broken fonts + StrictEmojiNeutral bool = true + + // DefaultCondition is a condition in current locale + DefaultCondition = &Condition{ + EastAsianWidth: false, + StrictEmojiNeutral: true, + } +) + +func init() { + handleEnv() +} + +func handleEnv() { + env := os.Getenv("RUNEWIDTH_EASTASIAN") + if env == "" { + EastAsianWidth = IsEastAsian() + } else { + EastAsianWidth = env == "1" + } + // update DefaultCondition + if DefaultCondition.EastAsianWidth != EastAsianWidth { + DefaultCondition.EastAsianWidth = EastAsianWidth + if len(DefaultCondition.combinedLut) > 0 { + DefaultCondition.combinedLut = DefaultCondition.combinedLut[:0] + CreateLUT() + } + } +} + +type interval struct { + first rune + last rune +} + +type table []interval + +func inTables(r rune, ts ...table) bool { + for _, t := range ts { + if inTable(r, t) { + return true + } + } + return false +} + +func inTable(r rune, t table) bool { + if r < t[0].first { + return false + } + + bot := 0 + top := len(t) - 1 + for top >= bot { + mid := (bot + top) >> 1 + + switch { + case t[mid].last < r: + bot = mid + 1 + case t[mid].first > r: + top = mid - 1 + default: + return true + } + } + + return false +} + +var private = table{ + {0x00E000, 0x00F8FF}, {0x0F0000, 0x0FFFFD}, {0x100000, 0x10FFFD}, +} + +var nonprint = table{ + {0x0000, 0x001F}, {0x007F, 0x009F}, {0x00AD, 0x00AD}, + {0x070F, 0x070F}, {0x180B, 0x180E}, {0x200B, 0x200F}, + {0x2028, 0x202E}, {0x206A, 0x206F}, {0xD800, 0xDFFF}, + {0xFEFF, 0xFEFF}, {0xFFF9, 0xFFFB}, {0xFFFE, 0xFFFF}, +} + +// Condition have flag EastAsianWidth whether the current locale is CJK or not. +type Condition struct { + combinedLut []byte + EastAsianWidth bool + StrictEmojiNeutral bool +} + +// NewCondition return new instance of Condition which is current locale. +func NewCondition() *Condition { + return &Condition{ + EastAsianWidth: EastAsianWidth, + StrictEmojiNeutral: StrictEmojiNeutral, + } +} + +// RuneWidth returns the number of cells in r. +// See http://www.unicode.org/reports/tr11/ +func (c *Condition) RuneWidth(r rune) int { + if r < 0 || r > 0x10FFFF { + return 0 + } + if len(c.combinedLut) > 0 { + return int(c.combinedLut[r>>1]>>(uint(r&1)*4)) & 3 + } + // optimized version, verified by TestRuneWidthChecksums() + if !c.EastAsianWidth { + switch { + case r < 0x20: + return 0 + case (r >= 0x7F && r <= 0x9F) || r == 0xAD: // nonprint + return 0 + case r < 0x300: + return 1 + case inTable(r, narrow): + return 1 + case inTables(r, nonprint, combining): + return 0 + case inTable(r, doublewidth): + return 2 + default: + return 1 + } + } else { + switch { + case inTables(r, nonprint, combining): + return 0 + case inTable(r, narrow): + return 1 + case inTables(r, ambiguous, doublewidth): + return 2 + case !c.StrictEmojiNeutral && inTables(r, ambiguous, emoji, narrow): + return 2 + default: + return 1 + } + } +} + +// CreateLUT will create an in-memory lookup table of 557056 bytes for faster operation. +// This should not be called concurrently with other operations on c. +// If options in c is changed, CreateLUT should be called again. +func (c *Condition) CreateLUT() { + const max = 0x110000 + lut := c.combinedLut + if len(c.combinedLut) != 0 { + // Remove so we don't use it. + c.combinedLut = nil + } else { + lut = make([]byte, max/2) + } + for i := range lut { + i32 := int32(i * 2) + x0 := c.RuneWidth(i32) + x1 := c.RuneWidth(i32 + 1) + lut[i] = uint8(x0) | uint8(x1)<<4 + } + c.combinedLut = lut +} + +// StringWidth return width as you can see +func (c *Condition) StringWidth(s string) (width int) { + g := uniseg.NewGraphemes(s) + for g.Next() { + var chWidth int + for _, r := range g.Runes() { + chWidth = c.RuneWidth(r) + if chWidth > 0 { + break // Our best guess at this point is to use the width of the first non-zero-width rune. + } + } + width += chWidth + } + return +} + +// Truncate return string truncated with w cells +func (c *Condition) Truncate(s string, w int, tail string) string { + if c.StringWidth(s) <= w { + return s + } + w -= c.StringWidth(tail) + var width int + pos := len(s) + g := uniseg.NewGraphemes(s) + for g.Next() { + var chWidth int + for _, r := range g.Runes() { + chWidth = c.RuneWidth(r) + if chWidth > 0 { + break // See StringWidth() for details. + } + } + if width+chWidth > w { + pos, _ = g.Positions() + break + } + width += chWidth + } + return s[:pos] + tail +} + +// TruncateLeft cuts w cells from the beginning of the `s`. +func (c *Condition) TruncateLeft(s string, w int, prefix string) string { + if c.StringWidth(s) <= w { + return prefix + } + + var width int + pos := len(s) + + g := uniseg.NewGraphemes(s) + for g.Next() { + var chWidth int + for _, r := range g.Runes() { + chWidth = c.RuneWidth(r) + if chWidth > 0 { + break // See StringWidth() for details. + } + } + + if width+chWidth > w { + if width < w { + _, pos = g.Positions() + prefix += strings.Repeat(" ", width+chWidth-w) + } else { + pos, _ = g.Positions() + } + + break + } + + width += chWidth + } + + return prefix + s[pos:] +} + +// Wrap return string wrapped with w cells +func (c *Condition) Wrap(s string, w int) string { + width := 0 + out := "" + for _, r := range s { + cw := c.RuneWidth(r) + if r == '\n' { + out += string(r) + width = 0 + continue + } else if width+cw > w { + out += "\n" + width = 0 + out += string(r) + width += cw + continue + } + out += string(r) + width += cw + } + return out +} + +// FillLeft return string filled in left by spaces in w cells +func (c *Condition) FillLeft(s string, w int) string { + width := c.StringWidth(s) + count := w - width + if count > 0 { + b := make([]byte, count) + for i := range b { + b[i] = ' ' + } + return string(b) + s + } + return s +} + +// FillRight return string filled in left by spaces in w cells +func (c *Condition) FillRight(s string, w int) string { + width := c.StringWidth(s) + count := w - width + if count > 0 { + b := make([]byte, count) + for i := range b { + b[i] = ' ' + } + return s + string(b) + } + return s +} + +// RuneWidth returns the number of cells in r. +// See http://www.unicode.org/reports/tr11/ +func RuneWidth(r rune) int { + return DefaultCondition.RuneWidth(r) +} + +// IsAmbiguousWidth returns whether is ambiguous width or not. +func IsAmbiguousWidth(r rune) bool { + return inTables(r, private, ambiguous) +} + +// IsNeutralWidth returns whether is neutral width or not. +func IsNeutralWidth(r rune) bool { + return inTable(r, neutral) +} + +// StringWidth return width as you can see +func StringWidth(s string) (width int) { + return DefaultCondition.StringWidth(s) +} + +// Truncate return string truncated with w cells +func Truncate(s string, w int, tail string) string { + return DefaultCondition.Truncate(s, w, tail) +} + +// TruncateLeft cuts w cells from the beginning of the `s`. +func TruncateLeft(s string, w int, prefix string) string { + return DefaultCondition.TruncateLeft(s, w, prefix) +} + +// Wrap return string wrapped with w cells +func Wrap(s string, w int) string { + return DefaultCondition.Wrap(s, w) +} + +// FillLeft return string filled in left by spaces in w cells +func FillLeft(s string, w int) string { + return DefaultCondition.FillLeft(s, w) +} + +// FillRight return string filled in left by spaces in w cells +func FillRight(s string, w int) string { + return DefaultCondition.FillRight(s, w) +} + +// CreateLUT will create an in-memory lookup table of 557055 bytes for faster operation. +// This should not be called concurrently with other operations. +func CreateLUT() { + if len(DefaultCondition.combinedLut) > 0 { + return + } + DefaultCondition.CreateLUT() +} diff --git a/vendor/github.com/mattn/go-runewidth/runewidth_appengine.go b/vendor/github.com/mattn/go-runewidth/runewidth_appengine.go new file mode 100644 index 0000000000..84b6528dfe --- /dev/null +++ b/vendor/github.com/mattn/go-runewidth/runewidth_appengine.go @@ -0,0 +1,9 @@ +//go:build appengine +// +build appengine + +package runewidth + +// IsEastAsian return true if the current locale is CJK +func IsEastAsian() bool { + return false +} diff --git a/vendor/github.com/mattn/go-runewidth/runewidth_js.go b/vendor/github.com/mattn/go-runewidth/runewidth_js.go new file mode 100644 index 0000000000..c2abbc2db3 --- /dev/null +++ b/vendor/github.com/mattn/go-runewidth/runewidth_js.go @@ -0,0 +1,9 @@ +//go:build js && !appengine +// +build js,!appengine + +package runewidth + +func IsEastAsian() bool { + // TODO: Implement this for the web. Detect east asian in a compatible way, and return true. + return false +} diff --git a/vendor/github.com/mattn/go-runewidth/runewidth_posix.go b/vendor/github.com/mattn/go-runewidth/runewidth_posix.go new file mode 100644 index 0000000000..5a31d738ec --- /dev/null +++ b/vendor/github.com/mattn/go-runewidth/runewidth_posix.go @@ -0,0 +1,81 @@ +//go:build !windows && !js && !appengine +// +build !windows,!js,!appengine + +package runewidth + +import ( + "os" + "regexp" + "strings" +) + +var reLoc = regexp.MustCompile(`^[a-z][a-z][a-z]?(?:_[A-Z][A-Z])?\.(.+)`) + +var mblenTable = map[string]int{ + "utf-8": 6, + "utf8": 6, + "jis": 8, + "eucjp": 3, + "euckr": 2, + "euccn": 2, + "sjis": 2, + "cp932": 2, + "cp51932": 2, + "cp936": 2, + "cp949": 2, + "cp950": 2, + "big5": 2, + "gbk": 2, + "gb2312": 2, +} + +func isEastAsian(locale string) bool { + charset := strings.ToLower(locale) + r := reLoc.FindStringSubmatch(locale) + if len(r) == 2 { + charset = strings.ToLower(r[1]) + } + + if strings.HasSuffix(charset, "@cjk_narrow") { + return false + } + + for pos, b := range []byte(charset) { + if b == '@' { + charset = charset[:pos] + break + } + } + max := 1 + if m, ok := mblenTable[charset]; ok { + max = m + } + if max > 1 && (charset[0] != 'u' || + strings.HasPrefix(locale, "ja") || + strings.HasPrefix(locale, "ko") || + strings.HasPrefix(locale, "zh")) { + return true + } + return false +} + +// IsEastAsian return true if the current locale is CJK +func IsEastAsian() bool { + locale := os.Getenv("LC_ALL") + if locale == "" { + locale = os.Getenv("LC_CTYPE") + } + if locale == "" { + locale = os.Getenv("LANG") + } + + // ignore C locale + if locale == "POSIX" || locale == "C" { + return false + } + if len(locale) > 1 && locale[0] == 'C' && (locale[1] == '.' || locale[1] == '-') { + return false + } + + return isEastAsian(locale) +} diff --git a/vendor/github.com/mattn/go-runewidth/runewidth_table.go b/vendor/github.com/mattn/go-runewidth/runewidth_table.go new file mode 100644 index 0000000000..ad025ad529 --- /dev/null +++ b/vendor/github.com/mattn/go-runewidth/runewidth_table.go @@ -0,0 +1,450 @@ +// Code generated by script/generate.go. DO NOT EDIT. + +package runewidth + +var combining = table{ + {0x0300, 0x036F}, {0x0483, 0x0489}, {0x07EB, 0x07F3}, + {0x0C00, 0x0C00}, {0x0C04, 0x0C04}, {0x0CF3, 0x0CF3}, + {0x0D00, 0x0D01}, {0x135D, 0x135F}, {0x1A7F, 0x1A7F}, + {0x1AB0, 0x1ACE}, {0x1B6B, 0x1B73}, {0x1DC0, 0x1DFF}, + {0x20D0, 0x20F0}, {0x2CEF, 0x2CF1}, {0x2DE0, 0x2DFF}, + {0x3099, 0x309A}, {0xA66F, 0xA672}, {0xA674, 0xA67D}, + {0xA69E, 0xA69F}, {0xA6F0, 0xA6F1}, {0xA8E0, 0xA8F1}, + {0xFE20, 0xFE2F}, {0x101FD, 0x101FD}, {0x10376, 0x1037A}, + {0x10EAB, 0x10EAC}, {0x10F46, 0x10F50}, {0x10F82, 0x10F85}, + {0x11300, 0x11301}, {0x1133B, 0x1133C}, {0x11366, 0x1136C}, + {0x11370, 0x11374}, {0x16AF0, 0x16AF4}, {0x1CF00, 0x1CF2D}, + {0x1CF30, 0x1CF46}, {0x1D165, 0x1D169}, {0x1D16D, 0x1D172}, + {0x1D17B, 0x1D182}, {0x1D185, 0x1D18B}, {0x1D1AA, 0x1D1AD}, + {0x1D242, 0x1D244}, {0x1E000, 0x1E006}, {0x1E008, 0x1E018}, + {0x1E01B, 0x1E021}, {0x1E023, 0x1E024}, {0x1E026, 0x1E02A}, + {0x1E08F, 0x1E08F}, {0x1E8D0, 0x1E8D6}, +} + +var doublewidth = table{ + {0x1100, 0x115F}, {0x231A, 0x231B}, {0x2329, 0x232A}, + {0x23E9, 0x23EC}, {0x23F0, 0x23F0}, {0x23F3, 0x23F3}, + {0x25FD, 0x25FE}, {0x2614, 0x2615}, {0x2648, 0x2653}, + {0x267F, 0x267F}, {0x2693, 0x2693}, {0x26A1, 0x26A1}, + {0x26AA, 0x26AB}, {0x26BD, 0x26BE}, {0x26C4, 0x26C5}, + {0x26CE, 0x26CE}, {0x26D4, 0x26D4}, {0x26EA, 0x26EA}, + {0x26F2, 0x26F3}, {0x26F5, 0x26F5}, {0x26FA, 0x26FA}, + {0x26FD, 0x26FD}, {0x2705, 0x2705}, {0x270A, 0x270B}, + {0x2728, 0x2728}, {0x274C, 0x274C}, {0x274E, 0x274E}, + {0x2753, 0x2755}, {0x2757, 0x2757}, {0x2795, 0x2797}, + {0x27B0, 0x27B0}, {0x27BF, 0x27BF}, {0x2B1B, 0x2B1C}, + {0x2B50, 0x2B50}, {0x2B55, 0x2B55}, {0x2E80, 0x2E99}, + {0x2E9B, 0x2EF3}, {0x2F00, 0x2FD5}, {0x2FF0, 0x303E}, + {0x3041, 0x3096}, {0x3099, 0x30FF}, {0x3105, 0x312F}, + {0x3131, 0x318E}, {0x3190, 0x31E3}, {0x31EF, 0x321E}, + {0x3220, 0x3247}, {0x3250, 0x4DBF}, {0x4E00, 0xA48C}, + {0xA490, 0xA4C6}, {0xA960, 0xA97C}, {0xAC00, 0xD7A3}, + {0xF900, 0xFAFF}, {0xFE10, 0xFE19}, {0xFE30, 0xFE52}, + {0xFE54, 0xFE66}, {0xFE68, 0xFE6B}, {0xFF01, 0xFF60}, + {0xFFE0, 0xFFE6}, {0x16FE0, 0x16FE4}, {0x16FF0, 0x16FF1}, + {0x17000, 0x187F7}, {0x18800, 0x18CD5}, {0x18D00, 0x18D08}, + {0x1AFF0, 0x1AFF3}, {0x1AFF5, 0x1AFFB}, {0x1AFFD, 0x1AFFE}, + {0x1B000, 0x1B122}, {0x1B132, 0x1B132}, {0x1B150, 0x1B152}, + {0x1B155, 0x1B155}, {0x1B164, 0x1B167}, {0x1B170, 0x1B2FB}, + {0x1F004, 0x1F004}, {0x1F0CF, 0x1F0CF}, {0x1F18E, 0x1F18E}, + {0x1F191, 0x1F19A}, {0x1F200, 0x1F202}, {0x1F210, 0x1F23B}, + {0x1F240, 0x1F248}, {0x1F250, 0x1F251}, {0x1F260, 0x1F265}, + {0x1F300, 0x1F320}, {0x1F32D, 0x1F335}, {0x1F337, 0x1F37C}, + {0x1F37E, 0x1F393}, {0x1F3A0, 0x1F3CA}, {0x1F3CF, 0x1F3D3}, + {0x1F3E0, 0x1F3F0}, {0x1F3F4, 0x1F3F4}, {0x1F3F8, 0x1F43E}, + {0x1F440, 0x1F440}, {0x1F442, 0x1F4FC}, {0x1F4FF, 0x1F53D}, + {0x1F54B, 0x1F54E}, {0x1F550, 0x1F567}, {0x1F57A, 0x1F57A}, + {0x1F595, 0x1F596}, {0x1F5A4, 0x1F5A4}, {0x1F5FB, 0x1F64F}, + {0x1F680, 0x1F6C5}, {0x1F6CC, 0x1F6CC}, {0x1F6D0, 0x1F6D2}, + {0x1F6D5, 0x1F6D7}, {0x1F6DC, 0x1F6DF}, {0x1F6EB, 0x1F6EC}, + {0x1F6F4, 0x1F6FC}, {0x1F7E0, 0x1F7EB}, {0x1F7F0, 0x1F7F0}, + {0x1F90C, 0x1F93A}, {0x1F93C, 0x1F945}, {0x1F947, 0x1F9FF}, + {0x1FA70, 0x1FA7C}, {0x1FA80, 0x1FA88}, {0x1FA90, 0x1FABD}, + {0x1FABF, 0x1FAC5}, {0x1FACE, 0x1FADB}, {0x1FAE0, 0x1FAE8}, + {0x1FAF0, 0x1FAF8}, {0x20000, 0x2FFFD}, {0x30000, 0x3FFFD}, +} + +var ambiguous = table{ + {0x00A1, 0x00A1}, {0x00A4, 0x00A4}, {0x00A7, 0x00A8}, + {0x00AA, 0x00AA}, {0x00AD, 0x00AE}, {0x00B0, 0x00B4}, + {0x00B6, 0x00BA}, {0x00BC, 0x00BF}, {0x00C6, 0x00C6}, + {0x00D0, 0x00D0}, {0x00D7, 0x00D8}, {0x00DE, 0x00E1}, + {0x00E6, 0x00E6}, {0x00E8, 0x00EA}, {0x00EC, 0x00ED}, + {0x00F0, 0x00F0}, {0x00F2, 0x00F3}, {0x00F7, 0x00FA}, + {0x00FC, 0x00FC}, {0x00FE, 0x00FE}, {0x0101, 0x0101}, + {0x0111, 0x0111}, {0x0113, 0x0113}, {0x011B, 0x011B}, + {0x0126, 0x0127}, {0x012B, 0x012B}, {0x0131, 0x0133}, + {0x0138, 0x0138}, {0x013F, 0x0142}, {0x0144, 0x0144}, + {0x0148, 0x014B}, {0x014D, 0x014D}, {0x0152, 0x0153}, + {0x0166, 0x0167}, {0x016B, 0x016B}, {0x01CE, 0x01CE}, + {0x01D0, 0x01D0}, {0x01D2, 0x01D2}, {0x01D4, 0x01D4}, + {0x01D6, 0x01D6}, {0x01D8, 0x01D8}, {0x01DA, 0x01DA}, + {0x01DC, 0x01DC}, {0x0251, 0x0251}, {0x0261, 0x0261}, + {0x02C4, 0x02C4}, {0x02C7, 0x02C7}, {0x02C9, 0x02CB}, + {0x02CD, 0x02CD}, {0x02D0, 0x02D0}, {0x02D8, 0x02DB}, + {0x02DD, 0x02DD}, {0x02DF, 0x02DF}, {0x0300, 0x036F}, + {0x0391, 0x03A1}, {0x03A3, 0x03A9}, {0x03B1, 0x03C1}, + {0x03C3, 0x03C9}, {0x0401, 0x0401}, {0x0410, 0x044F}, + {0x0451, 0x0451}, {0x2010, 0x2010}, {0x2013, 0x2016}, + {0x2018, 0x2019}, {0x201C, 0x201D}, {0x2020, 0x2022}, + {0x2024, 0x2027}, {0x2030, 0x2030}, {0x2032, 0x2033}, + {0x2035, 0x2035}, {0x203B, 0x203B}, {0x203E, 0x203E}, + {0x2074, 0x2074}, {0x207F, 0x207F}, {0x2081, 0x2084}, + {0x20AC, 0x20AC}, {0x2103, 0x2103}, {0x2105, 0x2105}, + {0x2109, 0x2109}, {0x2113, 0x2113}, {0x2116, 0x2116}, + {0x2121, 0x2122}, {0x2126, 0x2126}, {0x212B, 0x212B}, + {0x2153, 0x2154}, {0x215B, 0x215E}, {0x2160, 0x216B}, + {0x2170, 0x2179}, {0x2189, 0x2189}, {0x2190, 0x2199}, + {0x21B8, 0x21B9}, {0x21D2, 0x21D2}, {0x21D4, 0x21D4}, + {0x21E7, 0x21E7}, {0x2200, 0x2200}, {0x2202, 0x2203}, + {0x2207, 0x2208}, {0x220B, 0x220B}, {0x220F, 0x220F}, + {0x2211, 0x2211}, {0x2215, 0x2215}, {0x221A, 0x221A}, + {0x221D, 0x2220}, {0x2223, 0x2223}, {0x2225, 0x2225}, + {0x2227, 0x222C}, {0x222E, 0x222E}, {0x2234, 0x2237}, + {0x223C, 0x223D}, {0x2248, 0x2248}, {0x224C, 0x224C}, + {0x2252, 0x2252}, {0x2260, 0x2261}, {0x2264, 0x2267}, + {0x226A, 0x226B}, {0x226E, 0x226F}, {0x2282, 0x2283}, + {0x2286, 0x2287}, {0x2295, 0x2295}, {0x2299, 0x2299}, + {0x22A5, 0x22A5}, {0x22BF, 0x22BF}, {0x2312, 0x2312}, + {0x2460, 0x24E9}, {0x24EB, 0x254B}, {0x2550, 0x2573}, + {0x2580, 0x258F}, {0x2592, 0x2595}, {0x25A0, 0x25A1}, + {0x25A3, 0x25A9}, {0x25B2, 0x25B3}, {0x25B6, 0x25B7}, + {0x25BC, 0x25BD}, {0x25C0, 0x25C1}, {0x25C6, 0x25C8}, + {0x25CB, 0x25CB}, {0x25CE, 0x25D1}, {0x25E2, 0x25E5}, + {0x25EF, 0x25EF}, {0x2605, 0x2606}, {0x2609, 0x2609}, + {0x260E, 0x260F}, {0x261C, 0x261C}, {0x261E, 0x261E}, + {0x2640, 0x2640}, {0x2642, 0x2642}, {0x2660, 0x2661}, + {0x2663, 0x2665}, {0x2667, 0x266A}, {0x266C, 0x266D}, + {0x266F, 0x266F}, {0x269E, 0x269F}, {0x26BF, 0x26BF}, + {0x26C6, 0x26CD}, {0x26CF, 0x26D3}, {0x26D5, 0x26E1}, + {0x26E3, 0x26E3}, {0x26E8, 0x26E9}, {0x26EB, 0x26F1}, + {0x26F4, 0x26F4}, {0x26F6, 0x26F9}, {0x26FB, 0x26FC}, + {0x26FE, 0x26FF}, {0x273D, 0x273D}, {0x2776, 0x277F}, + {0x2B56, 0x2B59}, {0x3248, 0x324F}, {0xE000, 0xF8FF}, + {0xFE00, 0xFE0F}, {0xFFFD, 0xFFFD}, {0x1F100, 0x1F10A}, + {0x1F110, 0x1F12D}, {0x1F130, 0x1F169}, {0x1F170, 0x1F18D}, + {0x1F18F, 0x1F190}, {0x1F19B, 0x1F1AC}, {0xE0100, 0xE01EF}, + {0xF0000, 0xFFFFD}, {0x100000, 0x10FFFD}, +} +var narrow = table{ + {0x0020, 0x007E}, {0x00A2, 0x00A3}, {0x00A5, 0x00A6}, + {0x00AC, 0x00AC}, {0x00AF, 0x00AF}, {0x27E6, 0x27ED}, + {0x2985, 0x2986}, +} + +var neutral = table{ + {0x0000, 0x001F}, {0x007F, 0x00A0}, {0x00A9, 0x00A9}, + {0x00AB, 0x00AB}, {0x00B5, 0x00B5}, {0x00BB, 0x00BB}, + {0x00C0, 0x00C5}, {0x00C7, 0x00CF}, {0x00D1, 0x00D6}, + {0x00D9, 0x00DD}, {0x00E2, 0x00E5}, {0x00E7, 0x00E7}, + {0x00EB, 0x00EB}, {0x00EE, 0x00EF}, {0x00F1, 0x00F1}, + {0x00F4, 0x00F6}, {0x00FB, 0x00FB}, {0x00FD, 0x00FD}, + {0x00FF, 0x0100}, {0x0102, 0x0110}, {0x0112, 0x0112}, + {0x0114, 0x011A}, {0x011C, 0x0125}, {0x0128, 0x012A}, + {0x012C, 0x0130}, {0x0134, 0x0137}, {0x0139, 0x013E}, + {0x0143, 0x0143}, {0x0145, 0x0147}, {0x014C, 0x014C}, + {0x014E, 0x0151}, {0x0154, 0x0165}, {0x0168, 0x016A}, + {0x016C, 0x01CD}, {0x01CF, 0x01CF}, {0x01D1, 0x01D1}, + {0x01D3, 0x01D3}, {0x01D5, 0x01D5}, {0x01D7, 0x01D7}, + {0x01D9, 0x01D9}, {0x01DB, 0x01DB}, {0x01DD, 0x0250}, + {0x0252, 0x0260}, {0x0262, 0x02C3}, {0x02C5, 0x02C6}, + {0x02C8, 0x02C8}, {0x02CC, 0x02CC}, {0x02CE, 0x02CF}, + {0x02D1, 0x02D7}, {0x02DC, 0x02DC}, {0x02DE, 0x02DE}, + {0x02E0, 0x02FF}, {0x0370, 0x0377}, {0x037A, 0x037F}, + {0x0384, 0x038A}, {0x038C, 0x038C}, {0x038E, 0x0390}, + {0x03AA, 0x03B0}, {0x03C2, 0x03C2}, {0x03CA, 0x0400}, + {0x0402, 0x040F}, {0x0450, 0x0450}, {0x0452, 0x052F}, + {0x0531, 0x0556}, {0x0559, 0x058A}, {0x058D, 0x058F}, + {0x0591, 0x05C7}, {0x05D0, 0x05EA}, {0x05EF, 0x05F4}, + {0x0600, 0x070D}, {0x070F, 0x074A}, {0x074D, 0x07B1}, + {0x07C0, 0x07FA}, {0x07FD, 0x082D}, {0x0830, 0x083E}, + {0x0840, 0x085B}, {0x085E, 0x085E}, {0x0860, 0x086A}, + {0x0870, 0x088E}, {0x0890, 0x0891}, {0x0898, 0x0983}, + {0x0985, 0x098C}, {0x098F, 0x0990}, {0x0993, 0x09A8}, + {0x09AA, 0x09B0}, {0x09B2, 0x09B2}, {0x09B6, 0x09B9}, + {0x09BC, 0x09C4}, {0x09C7, 0x09C8}, {0x09CB, 0x09CE}, + {0x09D7, 0x09D7}, {0x09DC, 0x09DD}, {0x09DF, 0x09E3}, + {0x09E6, 0x09FE}, {0x0A01, 0x0A03}, {0x0A05, 0x0A0A}, + {0x0A0F, 0x0A10}, {0x0A13, 0x0A28}, {0x0A2A, 0x0A30}, + {0x0A32, 0x0A33}, {0x0A35, 0x0A36}, {0x0A38, 0x0A39}, + {0x0A3C, 0x0A3C}, {0x0A3E, 0x0A42}, {0x0A47, 0x0A48}, + {0x0A4B, 0x0A4D}, {0x0A51, 0x0A51}, {0x0A59, 0x0A5C}, + {0x0A5E, 0x0A5E}, {0x0A66, 0x0A76}, {0x0A81, 0x0A83}, + {0x0A85, 0x0A8D}, {0x0A8F, 0x0A91}, {0x0A93, 0x0AA8}, + {0x0AAA, 0x0AB0}, {0x0AB2, 0x0AB3}, {0x0AB5, 0x0AB9}, + {0x0ABC, 0x0AC5}, {0x0AC7, 0x0AC9}, {0x0ACB, 0x0ACD}, + {0x0AD0, 0x0AD0}, {0x0AE0, 0x0AE3}, {0x0AE6, 0x0AF1}, + {0x0AF9, 0x0AFF}, {0x0B01, 0x0B03}, {0x0B05, 0x0B0C}, + {0x0B0F, 0x0B10}, {0x0B13, 0x0B28}, {0x0B2A, 0x0B30}, + {0x0B32, 0x0B33}, {0x0B35, 0x0B39}, {0x0B3C, 0x0B44}, + {0x0B47, 0x0B48}, {0x0B4B, 0x0B4D}, {0x0B55, 0x0B57}, + {0x0B5C, 0x0B5D}, {0x0B5F, 0x0B63}, {0x0B66, 0x0B77}, + {0x0B82, 0x0B83}, {0x0B85, 0x0B8A}, {0x0B8E, 0x0B90}, + {0x0B92, 0x0B95}, {0x0B99, 0x0B9A}, {0x0B9C, 0x0B9C}, + {0x0B9E, 0x0B9F}, {0x0BA3, 0x0BA4}, {0x0BA8, 0x0BAA}, + {0x0BAE, 0x0BB9}, {0x0BBE, 0x0BC2}, {0x0BC6, 0x0BC8}, + {0x0BCA, 0x0BCD}, {0x0BD0, 0x0BD0}, {0x0BD7, 0x0BD7}, + {0x0BE6, 0x0BFA}, {0x0C00, 0x0C0C}, {0x0C0E, 0x0C10}, + {0x0C12, 0x0C28}, {0x0C2A, 0x0C39}, {0x0C3C, 0x0C44}, + {0x0C46, 0x0C48}, {0x0C4A, 0x0C4D}, {0x0C55, 0x0C56}, + {0x0C58, 0x0C5A}, {0x0C5D, 0x0C5D}, {0x0C60, 0x0C63}, + {0x0C66, 0x0C6F}, {0x0C77, 0x0C8C}, {0x0C8E, 0x0C90}, + {0x0C92, 0x0CA8}, {0x0CAA, 0x0CB3}, {0x0CB5, 0x0CB9}, + {0x0CBC, 0x0CC4}, {0x0CC6, 0x0CC8}, {0x0CCA, 0x0CCD}, + {0x0CD5, 0x0CD6}, {0x0CDD, 0x0CDE}, {0x0CE0, 0x0CE3}, + {0x0CE6, 0x0CEF}, {0x0CF1, 0x0CF3}, {0x0D00, 0x0D0C}, + {0x0D0E, 0x0D10}, {0x0D12, 0x0D44}, {0x0D46, 0x0D48}, + {0x0D4A, 0x0D4F}, {0x0D54, 0x0D63}, {0x0D66, 0x0D7F}, + {0x0D81, 0x0D83}, {0x0D85, 0x0D96}, {0x0D9A, 0x0DB1}, + {0x0DB3, 0x0DBB}, {0x0DBD, 0x0DBD}, {0x0DC0, 0x0DC6}, + {0x0DCA, 0x0DCA}, {0x0DCF, 0x0DD4}, {0x0DD6, 0x0DD6}, + {0x0DD8, 0x0DDF}, {0x0DE6, 0x0DEF}, {0x0DF2, 0x0DF4}, + {0x0E01, 0x0E3A}, {0x0E3F, 0x0E5B}, {0x0E81, 0x0E82}, + {0x0E84, 0x0E84}, {0x0E86, 0x0E8A}, {0x0E8C, 0x0EA3}, + {0x0EA5, 0x0EA5}, {0x0EA7, 0x0EBD}, {0x0EC0, 0x0EC4}, + {0x0EC6, 0x0EC6}, {0x0EC8, 0x0ECE}, {0x0ED0, 0x0ED9}, + {0x0EDC, 0x0EDF}, {0x0F00, 0x0F47}, {0x0F49, 0x0F6C}, + {0x0F71, 0x0F97}, {0x0F99, 0x0FBC}, {0x0FBE, 0x0FCC}, + {0x0FCE, 0x0FDA}, {0x1000, 0x10C5}, {0x10C7, 0x10C7}, + {0x10CD, 0x10CD}, {0x10D0, 0x10FF}, {0x1160, 0x1248}, + {0x124A, 0x124D}, {0x1250, 0x1256}, {0x1258, 0x1258}, + {0x125A, 0x125D}, {0x1260, 0x1288}, {0x128A, 0x128D}, + {0x1290, 0x12B0}, {0x12B2, 0x12B5}, {0x12B8, 0x12BE}, + {0x12C0, 0x12C0}, {0x12C2, 0x12C5}, {0x12C8, 0x12D6}, + {0x12D8, 0x1310}, {0x1312, 0x1315}, {0x1318, 0x135A}, + {0x135D, 0x137C}, {0x1380, 0x1399}, {0x13A0, 0x13F5}, + {0x13F8, 0x13FD}, {0x1400, 0x169C}, {0x16A0, 0x16F8}, + {0x1700, 0x1715}, {0x171F, 0x1736}, {0x1740, 0x1753}, + {0x1760, 0x176C}, {0x176E, 0x1770}, {0x1772, 0x1773}, + {0x1780, 0x17DD}, {0x17E0, 0x17E9}, {0x17F0, 0x17F9}, + {0x1800, 0x1819}, {0x1820, 0x1878}, {0x1880, 0x18AA}, + {0x18B0, 0x18F5}, {0x1900, 0x191E}, {0x1920, 0x192B}, + {0x1930, 0x193B}, {0x1940, 0x1940}, {0x1944, 0x196D}, + {0x1970, 0x1974}, {0x1980, 0x19AB}, {0x19B0, 0x19C9}, + {0x19D0, 0x19DA}, {0x19DE, 0x1A1B}, {0x1A1E, 0x1A5E}, + {0x1A60, 0x1A7C}, {0x1A7F, 0x1A89}, {0x1A90, 0x1A99}, + {0x1AA0, 0x1AAD}, {0x1AB0, 0x1ACE}, {0x1B00, 0x1B4C}, + {0x1B50, 0x1B7E}, {0x1B80, 0x1BF3}, {0x1BFC, 0x1C37}, + {0x1C3B, 0x1C49}, {0x1C4D, 0x1C88}, {0x1C90, 0x1CBA}, + {0x1CBD, 0x1CC7}, {0x1CD0, 0x1CFA}, {0x1D00, 0x1F15}, + {0x1F18, 0x1F1D}, {0x1F20, 0x1F45}, {0x1F48, 0x1F4D}, + {0x1F50, 0x1F57}, {0x1F59, 0x1F59}, {0x1F5B, 0x1F5B}, + {0x1F5D, 0x1F5D}, {0x1F5F, 0x1F7D}, {0x1F80, 0x1FB4}, + {0x1FB6, 0x1FC4}, {0x1FC6, 0x1FD3}, {0x1FD6, 0x1FDB}, + {0x1FDD, 0x1FEF}, {0x1FF2, 0x1FF4}, {0x1FF6, 0x1FFE}, + {0x2000, 0x200F}, {0x2011, 0x2012}, {0x2017, 0x2017}, + {0x201A, 0x201B}, {0x201E, 0x201F}, {0x2023, 0x2023}, + {0x2028, 0x202F}, {0x2031, 0x2031}, {0x2034, 0x2034}, + {0x2036, 0x203A}, {0x203C, 0x203D}, {0x203F, 0x2064}, + {0x2066, 0x2071}, {0x2075, 0x207E}, {0x2080, 0x2080}, + {0x2085, 0x208E}, {0x2090, 0x209C}, {0x20A0, 0x20A8}, + {0x20AA, 0x20AB}, {0x20AD, 0x20C0}, {0x20D0, 0x20F0}, + {0x2100, 0x2102}, {0x2104, 0x2104}, {0x2106, 0x2108}, + {0x210A, 0x2112}, {0x2114, 0x2115}, {0x2117, 0x2120}, + {0x2123, 0x2125}, {0x2127, 0x212A}, {0x212C, 0x2152}, + {0x2155, 0x215A}, {0x215F, 0x215F}, {0x216C, 0x216F}, + {0x217A, 0x2188}, {0x218A, 0x218B}, {0x219A, 0x21B7}, + {0x21BA, 0x21D1}, {0x21D3, 0x21D3}, {0x21D5, 0x21E6}, + {0x21E8, 0x21FF}, {0x2201, 0x2201}, {0x2204, 0x2206}, + {0x2209, 0x220A}, {0x220C, 0x220E}, {0x2210, 0x2210}, + {0x2212, 0x2214}, {0x2216, 0x2219}, {0x221B, 0x221C}, + {0x2221, 0x2222}, {0x2224, 0x2224}, {0x2226, 0x2226}, + {0x222D, 0x222D}, {0x222F, 0x2233}, {0x2238, 0x223B}, + {0x223E, 0x2247}, {0x2249, 0x224B}, {0x224D, 0x2251}, + {0x2253, 0x225F}, {0x2262, 0x2263}, {0x2268, 0x2269}, + {0x226C, 0x226D}, {0x2270, 0x2281}, {0x2284, 0x2285}, + {0x2288, 0x2294}, {0x2296, 0x2298}, {0x229A, 0x22A4}, + {0x22A6, 0x22BE}, {0x22C0, 0x2311}, {0x2313, 0x2319}, + {0x231C, 0x2328}, {0x232B, 0x23E8}, {0x23ED, 0x23EF}, + {0x23F1, 0x23F2}, {0x23F4, 0x2426}, {0x2440, 0x244A}, + {0x24EA, 0x24EA}, {0x254C, 0x254F}, {0x2574, 0x257F}, + {0x2590, 0x2591}, {0x2596, 0x259F}, {0x25A2, 0x25A2}, + {0x25AA, 0x25B1}, {0x25B4, 0x25B5}, {0x25B8, 0x25BB}, + {0x25BE, 0x25BF}, {0x25C2, 0x25C5}, {0x25C9, 0x25CA}, + {0x25CC, 0x25CD}, {0x25D2, 0x25E1}, {0x25E6, 0x25EE}, + {0x25F0, 0x25FC}, {0x25FF, 0x2604}, {0x2607, 0x2608}, + {0x260A, 0x260D}, {0x2610, 0x2613}, {0x2616, 0x261B}, + {0x261D, 0x261D}, {0x261F, 0x263F}, {0x2641, 0x2641}, + {0x2643, 0x2647}, {0x2654, 0x265F}, {0x2662, 0x2662}, + {0x2666, 0x2666}, {0x266B, 0x266B}, {0x266E, 0x266E}, + {0x2670, 0x267E}, {0x2680, 0x2692}, {0x2694, 0x269D}, + {0x26A0, 0x26A0}, {0x26A2, 0x26A9}, {0x26AC, 0x26BC}, + {0x26C0, 0x26C3}, {0x26E2, 0x26E2}, {0x26E4, 0x26E7}, + {0x2700, 0x2704}, {0x2706, 0x2709}, {0x270C, 0x2727}, + {0x2729, 0x273C}, {0x273E, 0x274B}, {0x274D, 0x274D}, + {0x274F, 0x2752}, {0x2756, 0x2756}, {0x2758, 0x2775}, + {0x2780, 0x2794}, {0x2798, 0x27AF}, {0x27B1, 0x27BE}, + {0x27C0, 0x27E5}, {0x27EE, 0x2984}, {0x2987, 0x2B1A}, + {0x2B1D, 0x2B4F}, {0x2B51, 0x2B54}, {0x2B5A, 0x2B73}, + {0x2B76, 0x2B95}, {0x2B97, 0x2CF3}, {0x2CF9, 0x2D25}, + {0x2D27, 0x2D27}, {0x2D2D, 0x2D2D}, {0x2D30, 0x2D67}, + {0x2D6F, 0x2D70}, {0x2D7F, 0x2D96}, {0x2DA0, 0x2DA6}, + {0x2DA8, 0x2DAE}, {0x2DB0, 0x2DB6}, {0x2DB8, 0x2DBE}, + {0x2DC0, 0x2DC6}, {0x2DC8, 0x2DCE}, {0x2DD0, 0x2DD6}, + {0x2DD8, 0x2DDE}, {0x2DE0, 0x2E5D}, {0x303F, 0x303F}, + {0x4DC0, 0x4DFF}, {0xA4D0, 0xA62B}, {0xA640, 0xA6F7}, + {0xA700, 0xA7CA}, {0xA7D0, 0xA7D1}, {0xA7D3, 0xA7D3}, + {0xA7D5, 0xA7D9}, {0xA7F2, 0xA82C}, {0xA830, 0xA839}, + {0xA840, 0xA877}, {0xA880, 0xA8C5}, {0xA8CE, 0xA8D9}, + {0xA8E0, 0xA953}, {0xA95F, 0xA95F}, {0xA980, 0xA9CD}, + {0xA9CF, 0xA9D9}, {0xA9DE, 0xA9FE}, {0xAA00, 0xAA36}, + {0xAA40, 0xAA4D}, {0xAA50, 0xAA59}, {0xAA5C, 0xAAC2}, + {0xAADB, 0xAAF6}, {0xAB01, 0xAB06}, {0xAB09, 0xAB0E}, + {0xAB11, 0xAB16}, {0xAB20, 0xAB26}, {0xAB28, 0xAB2E}, + {0xAB30, 0xAB6B}, {0xAB70, 0xABED}, {0xABF0, 0xABF9}, + {0xD7B0, 0xD7C6}, {0xD7CB, 0xD7FB}, {0xD800, 0xDFFF}, + {0xFB00, 0xFB06}, {0xFB13, 0xFB17}, {0xFB1D, 0xFB36}, + {0xFB38, 0xFB3C}, {0xFB3E, 0xFB3E}, {0xFB40, 0xFB41}, + {0xFB43, 0xFB44}, {0xFB46, 0xFBC2}, {0xFBD3, 0xFD8F}, + {0xFD92, 0xFDC7}, {0xFDCF, 0xFDCF}, {0xFDF0, 0xFDFF}, + {0xFE20, 0xFE2F}, {0xFE70, 0xFE74}, {0xFE76, 0xFEFC}, + {0xFEFF, 0xFEFF}, {0xFFF9, 0xFFFC}, {0x10000, 0x1000B}, + {0x1000D, 0x10026}, {0x10028, 0x1003A}, {0x1003C, 0x1003D}, + {0x1003F, 0x1004D}, {0x10050, 0x1005D}, {0x10080, 0x100FA}, + {0x10100, 0x10102}, {0x10107, 0x10133}, {0x10137, 0x1018E}, + {0x10190, 0x1019C}, {0x101A0, 0x101A0}, {0x101D0, 0x101FD}, + {0x10280, 0x1029C}, {0x102A0, 0x102D0}, {0x102E0, 0x102FB}, + {0x10300, 0x10323}, {0x1032D, 0x1034A}, {0x10350, 0x1037A}, + {0x10380, 0x1039D}, {0x1039F, 0x103C3}, {0x103C8, 0x103D5}, + {0x10400, 0x1049D}, {0x104A0, 0x104A9}, {0x104B0, 0x104D3}, + {0x104D8, 0x104FB}, {0x10500, 0x10527}, {0x10530, 0x10563}, + {0x1056F, 0x1057A}, {0x1057C, 0x1058A}, {0x1058C, 0x10592}, + {0x10594, 0x10595}, {0x10597, 0x105A1}, {0x105A3, 0x105B1}, + {0x105B3, 0x105B9}, {0x105BB, 0x105BC}, {0x10600, 0x10736}, + {0x10740, 0x10755}, {0x10760, 0x10767}, {0x10780, 0x10785}, + {0x10787, 0x107B0}, {0x107B2, 0x107BA}, {0x10800, 0x10805}, + {0x10808, 0x10808}, {0x1080A, 0x10835}, {0x10837, 0x10838}, + {0x1083C, 0x1083C}, {0x1083F, 0x10855}, {0x10857, 0x1089E}, + {0x108A7, 0x108AF}, {0x108E0, 0x108F2}, {0x108F4, 0x108F5}, + {0x108FB, 0x1091B}, {0x1091F, 0x10939}, {0x1093F, 0x1093F}, + {0x10980, 0x109B7}, {0x109BC, 0x109CF}, {0x109D2, 0x10A03}, + {0x10A05, 0x10A06}, {0x10A0C, 0x10A13}, {0x10A15, 0x10A17}, + {0x10A19, 0x10A35}, {0x10A38, 0x10A3A}, {0x10A3F, 0x10A48}, + {0x10A50, 0x10A58}, {0x10A60, 0x10A9F}, {0x10AC0, 0x10AE6}, + {0x10AEB, 0x10AF6}, {0x10B00, 0x10B35}, {0x10B39, 0x10B55}, + {0x10B58, 0x10B72}, {0x10B78, 0x10B91}, {0x10B99, 0x10B9C}, + {0x10BA9, 0x10BAF}, {0x10C00, 0x10C48}, {0x10C80, 0x10CB2}, + {0x10CC0, 0x10CF2}, {0x10CFA, 0x10D27}, {0x10D30, 0x10D39}, + {0x10E60, 0x10E7E}, {0x10E80, 0x10EA9}, {0x10EAB, 0x10EAD}, + {0x10EB0, 0x10EB1}, {0x10EFD, 0x10F27}, {0x10F30, 0x10F59}, + {0x10F70, 0x10F89}, {0x10FB0, 0x10FCB}, {0x10FE0, 0x10FF6}, + {0x11000, 0x1104D}, {0x11052, 0x11075}, {0x1107F, 0x110C2}, + {0x110CD, 0x110CD}, {0x110D0, 0x110E8}, {0x110F0, 0x110F9}, + {0x11100, 0x11134}, {0x11136, 0x11147}, {0x11150, 0x11176}, + {0x11180, 0x111DF}, {0x111E1, 0x111F4}, {0x11200, 0x11211}, + {0x11213, 0x11241}, {0x11280, 0x11286}, {0x11288, 0x11288}, + {0x1128A, 0x1128D}, {0x1128F, 0x1129D}, {0x1129F, 0x112A9}, + {0x112B0, 0x112EA}, {0x112F0, 0x112F9}, {0x11300, 0x11303}, + {0x11305, 0x1130C}, {0x1130F, 0x11310}, {0x11313, 0x11328}, + {0x1132A, 0x11330}, {0x11332, 0x11333}, {0x11335, 0x11339}, + {0x1133B, 0x11344}, {0x11347, 0x11348}, {0x1134B, 0x1134D}, + {0x11350, 0x11350}, {0x11357, 0x11357}, {0x1135D, 0x11363}, + {0x11366, 0x1136C}, {0x11370, 0x11374}, {0x11400, 0x1145B}, + {0x1145D, 0x11461}, {0x11480, 0x114C7}, {0x114D0, 0x114D9}, + {0x11580, 0x115B5}, {0x115B8, 0x115DD}, {0x11600, 0x11644}, + {0x11650, 0x11659}, {0x11660, 0x1166C}, {0x11680, 0x116B9}, + {0x116C0, 0x116C9}, {0x11700, 0x1171A}, {0x1171D, 0x1172B}, + {0x11730, 0x11746}, {0x11800, 0x1183B}, {0x118A0, 0x118F2}, + {0x118FF, 0x11906}, {0x11909, 0x11909}, {0x1190C, 0x11913}, + {0x11915, 0x11916}, {0x11918, 0x11935}, {0x11937, 0x11938}, + {0x1193B, 0x11946}, {0x11950, 0x11959}, {0x119A0, 0x119A7}, + {0x119AA, 0x119D7}, {0x119DA, 0x119E4}, {0x11A00, 0x11A47}, + {0x11A50, 0x11AA2}, {0x11AB0, 0x11AF8}, {0x11B00, 0x11B09}, + {0x11C00, 0x11C08}, {0x11C0A, 0x11C36}, {0x11C38, 0x11C45}, + {0x11C50, 0x11C6C}, {0x11C70, 0x11C8F}, {0x11C92, 0x11CA7}, + {0x11CA9, 0x11CB6}, {0x11D00, 0x11D06}, {0x11D08, 0x11D09}, + {0x11D0B, 0x11D36}, {0x11D3A, 0x11D3A}, {0x11D3C, 0x11D3D}, + {0x11D3F, 0x11D47}, {0x11D50, 0x11D59}, {0x11D60, 0x11D65}, + {0x11D67, 0x11D68}, {0x11D6A, 0x11D8E}, {0x11D90, 0x11D91}, + {0x11D93, 0x11D98}, {0x11DA0, 0x11DA9}, {0x11EE0, 0x11EF8}, + {0x11F00, 0x11F10}, {0x11F12, 0x11F3A}, {0x11F3E, 0x11F59}, + {0x11FB0, 0x11FB0}, {0x11FC0, 0x11FF1}, {0x11FFF, 0x12399}, + {0x12400, 0x1246E}, {0x12470, 0x12474}, {0x12480, 0x12543}, + {0x12F90, 0x12FF2}, {0x13000, 0x13455}, {0x14400, 0x14646}, + {0x16800, 0x16A38}, {0x16A40, 0x16A5E}, {0x16A60, 0x16A69}, + {0x16A6E, 0x16ABE}, {0x16AC0, 0x16AC9}, {0x16AD0, 0x16AED}, + {0x16AF0, 0x16AF5}, {0x16B00, 0x16B45}, {0x16B50, 0x16B59}, + {0x16B5B, 0x16B61}, {0x16B63, 0x16B77}, {0x16B7D, 0x16B8F}, + {0x16E40, 0x16E9A}, {0x16F00, 0x16F4A}, {0x16F4F, 0x16F87}, + {0x16F8F, 0x16F9F}, {0x1BC00, 0x1BC6A}, {0x1BC70, 0x1BC7C}, + {0x1BC80, 0x1BC88}, {0x1BC90, 0x1BC99}, {0x1BC9C, 0x1BCA3}, + {0x1CF00, 0x1CF2D}, {0x1CF30, 0x1CF46}, {0x1CF50, 0x1CFC3}, + {0x1D000, 0x1D0F5}, {0x1D100, 0x1D126}, {0x1D129, 0x1D1EA}, + {0x1D200, 0x1D245}, {0x1D2C0, 0x1D2D3}, {0x1D2E0, 0x1D2F3}, + {0x1D300, 0x1D356}, {0x1D360, 0x1D378}, {0x1D400, 0x1D454}, + {0x1D456, 0x1D49C}, {0x1D49E, 0x1D49F}, {0x1D4A2, 0x1D4A2}, + {0x1D4A5, 0x1D4A6}, {0x1D4A9, 0x1D4AC}, {0x1D4AE, 0x1D4B9}, + {0x1D4BB, 0x1D4BB}, {0x1D4BD, 0x1D4C3}, {0x1D4C5, 0x1D505}, + {0x1D507, 0x1D50A}, {0x1D50D, 0x1D514}, {0x1D516, 0x1D51C}, + {0x1D51E, 0x1D539}, {0x1D53B, 0x1D53E}, {0x1D540, 0x1D544}, + {0x1D546, 0x1D546}, {0x1D54A, 0x1D550}, {0x1D552, 0x1D6A5}, + {0x1D6A8, 0x1D7CB}, {0x1D7CE, 0x1DA8B}, {0x1DA9B, 0x1DA9F}, + {0x1DAA1, 0x1DAAF}, {0x1DF00, 0x1DF1E}, {0x1DF25, 0x1DF2A}, + {0x1E000, 0x1E006}, {0x1E008, 0x1E018}, {0x1E01B, 0x1E021}, + {0x1E023, 0x1E024}, {0x1E026, 0x1E02A}, {0x1E030, 0x1E06D}, + {0x1E08F, 0x1E08F}, {0x1E100, 0x1E12C}, {0x1E130, 0x1E13D}, + {0x1E140, 0x1E149}, {0x1E14E, 0x1E14F}, {0x1E290, 0x1E2AE}, + {0x1E2C0, 0x1E2F9}, {0x1E2FF, 0x1E2FF}, {0x1E4D0, 0x1E4F9}, + {0x1E7E0, 0x1E7E6}, {0x1E7E8, 0x1E7EB}, {0x1E7ED, 0x1E7EE}, + {0x1E7F0, 0x1E7FE}, {0x1E800, 0x1E8C4}, {0x1E8C7, 0x1E8D6}, + {0x1E900, 0x1E94B}, {0x1E950, 0x1E959}, {0x1E95E, 0x1E95F}, + {0x1EC71, 0x1ECB4}, {0x1ED01, 0x1ED3D}, {0x1EE00, 0x1EE03}, + {0x1EE05, 0x1EE1F}, {0x1EE21, 0x1EE22}, {0x1EE24, 0x1EE24}, + {0x1EE27, 0x1EE27}, {0x1EE29, 0x1EE32}, {0x1EE34, 0x1EE37}, + {0x1EE39, 0x1EE39}, {0x1EE3B, 0x1EE3B}, {0x1EE42, 0x1EE42}, + {0x1EE47, 0x1EE47}, {0x1EE49, 0x1EE49}, {0x1EE4B, 0x1EE4B}, + {0x1EE4D, 0x1EE4F}, {0x1EE51, 0x1EE52}, {0x1EE54, 0x1EE54}, + {0x1EE57, 0x1EE57}, {0x1EE59, 0x1EE59}, {0x1EE5B, 0x1EE5B}, + {0x1EE5D, 0x1EE5D}, {0x1EE5F, 0x1EE5F}, {0x1EE61, 0x1EE62}, + {0x1EE64, 0x1EE64}, {0x1EE67, 0x1EE6A}, {0x1EE6C, 0x1EE72}, + {0x1EE74, 0x1EE77}, {0x1EE79, 0x1EE7C}, {0x1EE7E, 0x1EE7E}, + {0x1EE80, 0x1EE89}, {0x1EE8B, 0x1EE9B}, {0x1EEA1, 0x1EEA3}, + {0x1EEA5, 0x1EEA9}, {0x1EEAB, 0x1EEBB}, {0x1EEF0, 0x1EEF1}, + {0x1F000, 0x1F003}, {0x1F005, 0x1F02B}, {0x1F030, 0x1F093}, + {0x1F0A0, 0x1F0AE}, {0x1F0B1, 0x1F0BF}, {0x1F0C1, 0x1F0CE}, + {0x1F0D1, 0x1F0F5}, {0x1F10B, 0x1F10F}, {0x1F12E, 0x1F12F}, + {0x1F16A, 0x1F16F}, {0x1F1AD, 0x1F1AD}, {0x1F1E6, 0x1F1FF}, + {0x1F321, 0x1F32C}, {0x1F336, 0x1F336}, {0x1F37D, 0x1F37D}, + {0x1F394, 0x1F39F}, {0x1F3CB, 0x1F3CE}, {0x1F3D4, 0x1F3DF}, + {0x1F3F1, 0x1F3F3}, {0x1F3F5, 0x1F3F7}, {0x1F43F, 0x1F43F}, + {0x1F441, 0x1F441}, {0x1F4FD, 0x1F4FE}, {0x1F53E, 0x1F54A}, + {0x1F54F, 0x1F54F}, {0x1F568, 0x1F579}, {0x1F57B, 0x1F594}, + {0x1F597, 0x1F5A3}, {0x1F5A5, 0x1F5FA}, {0x1F650, 0x1F67F}, + {0x1F6C6, 0x1F6CB}, {0x1F6CD, 0x1F6CF}, {0x1F6D3, 0x1F6D4}, + {0x1F6E0, 0x1F6EA}, {0x1F6F0, 0x1F6F3}, {0x1F700, 0x1F776}, + {0x1F77B, 0x1F7D9}, {0x1F800, 0x1F80B}, {0x1F810, 0x1F847}, + {0x1F850, 0x1F859}, {0x1F860, 0x1F887}, {0x1F890, 0x1F8AD}, + {0x1F8B0, 0x1F8B1}, {0x1F900, 0x1F90B}, {0x1F93B, 0x1F93B}, + {0x1F946, 0x1F946}, {0x1FA00, 0x1FA53}, {0x1FA60, 0x1FA6D}, + {0x1FB00, 0x1FB92}, {0x1FB94, 0x1FBCA}, {0x1FBF0, 0x1FBF9}, + {0xE0001, 0xE0001}, {0xE0020, 0xE007F}, +} + +var emoji = table{ + {0x203C, 0x203C}, {0x2049, 0x2049}, {0x2122, 0x2122}, + {0x2139, 0x2139}, {0x2194, 0x2199}, {0x21A9, 0x21AA}, + {0x231A, 0x231B}, {0x2328, 0x2328}, {0x2388, 0x2388}, + {0x23CF, 0x23CF}, {0x23E9, 0x23F3}, {0x23F8, 0x23FA}, + {0x24C2, 0x24C2}, {0x25AA, 0x25AB}, {0x25B6, 0x25B6}, + {0x25C0, 0x25C0}, {0x25FB, 0x25FE}, {0x2600, 0x2605}, + {0x2607, 0x2612}, {0x2614, 0x2685}, {0x2690, 0x2705}, + {0x2708, 0x2712}, {0x2714, 0x2714}, {0x2716, 0x2716}, + {0x271D, 0x271D}, {0x2721, 0x2721}, {0x2728, 0x2728}, + {0x2733, 0x2734}, {0x2744, 0x2744}, {0x2747, 0x2747}, + {0x274C, 0x274C}, {0x274E, 0x274E}, {0x2753, 0x2755}, + {0x2757, 0x2757}, {0x2763, 0x2767}, {0x2795, 0x2797}, + {0x27A1, 0x27A1}, {0x27B0, 0x27B0}, {0x27BF, 0x27BF}, + {0x2934, 0x2935}, {0x2B05, 0x2B07}, {0x2B1B, 0x2B1C}, + {0x2B50, 0x2B50}, {0x2B55, 0x2B55}, {0x3030, 0x3030}, + {0x303D, 0x303D}, {0x3297, 0x3297}, {0x3299, 0x3299}, + {0x1F000, 0x1F0FF}, {0x1F10D, 0x1F10F}, {0x1F12F, 0x1F12F}, + {0x1F16C, 0x1F171}, {0x1F17E, 0x1F17F}, {0x1F18E, 0x1F18E}, + {0x1F191, 0x1F19A}, {0x1F1AD, 0x1F1E5}, {0x1F201, 0x1F20F}, + {0x1F21A, 0x1F21A}, {0x1F22F, 0x1F22F}, {0x1F232, 0x1F23A}, + {0x1F23C, 0x1F23F}, {0x1F249, 0x1F3FA}, {0x1F400, 0x1F53D}, + {0x1F546, 0x1F64F}, {0x1F680, 0x1F6FF}, {0x1F774, 0x1F77F}, + {0x1F7D5, 0x1F7FF}, {0x1F80C, 0x1F80F}, {0x1F848, 0x1F84F}, + {0x1F85A, 0x1F85F}, {0x1F888, 0x1F88F}, {0x1F8AE, 0x1F8FF}, + {0x1F90C, 0x1F93A}, {0x1F93C, 0x1F945}, {0x1F947, 0x1FAFF}, + {0x1FC00, 0x1FFFD}, +} diff --git a/vendor/github.com/mattn/go-runewidth/runewidth_windows.go b/vendor/github.com/mattn/go-runewidth/runewidth_windows.go new file mode 100644 index 0000000000..5f987a310f --- /dev/null +++ b/vendor/github.com/mattn/go-runewidth/runewidth_windows.go @@ -0,0 +1,28 @@ +//go:build windows && !appengine +// +build windows,!appengine + +package runewidth + +import ( + "syscall" +) + +var ( + kernel32 = syscall.NewLazyDLL("kernel32") + procGetConsoleOutputCP = kernel32.NewProc("GetConsoleOutputCP") +) + +// IsEastAsian return true if the current locale is CJK +func IsEastAsian() bool { + r1, _, _ := procGetConsoleOutputCP.Call() + if r1 == 0 { + return false + } + + switch int(r1) { + case 932, 51932, 936, 949, 950: + return true + } + + return false +} diff --git a/vendor/github.com/mitchellh/copystructure/LICENSE b/vendor/github.com/mitchellh/copystructure/LICENSE new file mode 100644 index 0000000000..2298515904 --- /dev/null +++ b/vendor/github.com/mitchellh/copystructure/LICENSE @@ -0,0 +1,21 @@ +The MIT License (MIT) + +Copyright (c) 2014 Mitchell Hashimoto + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE. diff --git a/vendor/github.com/mitchellh/copystructure/README.md b/vendor/github.com/mitchellh/copystructure/README.md new file mode 100644 index 0000000000..f0fbd2e5c9 --- /dev/null +++ b/vendor/github.com/mitchellh/copystructure/README.md @@ -0,0 +1,21 @@ +# copystructure + +copystructure is a Go library for deep copying values in Go. + +This allows you to copy Go values that may contain reference values +such as maps, slices, or pointers, and copy their data as well instead +of just their references. + +## Installation + +Standard `go get`: + +``` +$ go get github.com/mitchellh/copystructure +``` + +## Usage & Example + +For usage and examples see the [Godoc](http://godoc.org/github.com/mitchellh/copystructure). + +The `Copy` function has examples associated with it there. diff --git a/vendor/github.com/mitchellh/copystructure/copier_time.go b/vendor/github.com/mitchellh/copystructure/copier_time.go new file mode 100644 index 0000000000..db6a6aa1a1 --- /dev/null +++ b/vendor/github.com/mitchellh/copystructure/copier_time.go @@ -0,0 +1,15 @@ +package copystructure + +import ( + "reflect" + "time" +) + +func init() { + Copiers[reflect.TypeOf(time.Time{})] = timeCopier +} + +func timeCopier(v interface{}) (interface{}, error) { + // Just... copy it. + return v.(time.Time), nil +} diff --git a/vendor/github.com/mitchellh/copystructure/copystructure.go b/vendor/github.com/mitchellh/copystructure/copystructure.go new file mode 100644 index 0000000000..8089e6670a --- /dev/null +++ b/vendor/github.com/mitchellh/copystructure/copystructure.go @@ -0,0 +1,631 @@ +package copystructure + +import ( + "errors" + "reflect" + "sync" + + "github.com/mitchellh/reflectwalk" +) + +const tagKey = "copy" + +// Copy returns a deep copy of v. +// +// Copy is unable to copy unexported fields in a struct (lowercase field names). +// Unexported fields can't be reflected by the Go runtime and therefore +// copystructure can't perform any data copies. +// +// For structs, copy behavior can be controlled with struct tags. For example: +// +// struct { +// Name string +// Data *bytes.Buffer `copy:"shallow"` +// } +// +// The available tag values are: +// +// * "ignore" - The field will be ignored, effectively resulting in it being +// assigned the zero value in the copy. +// +// * "shallow" - The field will be be shallow copied. This means that references +// values such as pointers, maps, slices, etc. will be directly assigned +// versus deep copied. +// +func Copy(v interface{}) (interface{}, error) { + return Config{}.Copy(v) +} + +// CopierFunc is a function that knows how to deep copy a specific type. +// Register these globally with the Copiers variable. +type CopierFunc func(interface{}) (interface{}, error) + +// Copiers is a map of types that behave specially when they are copied. +// If a type is found in this map while deep copying, this function +// will be called to copy it instead of attempting to copy all fields. +// +// The key should be the type, obtained using: reflect.TypeOf(value with type). +// +// It is unsafe to write to this map after Copies have started. If you +// are writing to this map while also copying, wrap all modifications to +// this map as well as to Copy in a mutex. +var Copiers map[reflect.Type]CopierFunc = make(map[reflect.Type]CopierFunc) + +// ShallowCopiers is a map of pointer types that behave specially +// when they are copied. If a type is found in this map while deep +// copying, the pointer value will be shallow copied and not walked +// into. +// +// The key should be the type, obtained using: reflect.TypeOf(value +// with type). +// +// It is unsafe to write to this map after Copies have started. If you +// are writing to this map while also copying, wrap all modifications to +// this map as well as to Copy in a mutex. +var ShallowCopiers map[reflect.Type]struct{} = make(map[reflect.Type]struct{}) + +// Must is a helper that wraps a call to a function returning +// (interface{}, error) and panics if the error is non-nil. It is intended +// for use in variable initializations and should only be used when a copy +// error should be a crashing case. +func Must(v interface{}, err error) interface{} { + if err != nil { + panic("copy error: " + err.Error()) + } + + return v +} + +var errPointerRequired = errors.New("Copy argument must be a pointer when Lock is true") + +type Config struct { + // Lock any types that are a sync.Locker and are not a mutex while copying. + // If there is an RLocker method, use that to get the sync.Locker. + Lock bool + + // Copiers is a map of types associated with a CopierFunc. Use the global + // Copiers map if this is nil. + Copiers map[reflect.Type]CopierFunc + + // ShallowCopiers is a map of pointer types that when they are + // shallow copied no matter where they are encountered. Use the + // global ShallowCopiers if this is nil. + ShallowCopiers map[reflect.Type]struct{} +} + +func (c Config) Copy(v interface{}) (interface{}, error) { + if c.Lock && reflect.ValueOf(v).Kind() != reflect.Ptr { + return nil, errPointerRequired + } + + w := new(walker) + if c.Lock { + w.useLocks = true + } + + if c.Copiers == nil { + c.Copiers = Copiers + } + w.copiers = c.Copiers + + if c.ShallowCopiers == nil { + c.ShallowCopiers = ShallowCopiers + } + w.shallowCopiers = c.ShallowCopiers + + err := reflectwalk.Walk(v, w) + if err != nil { + return nil, err + } + + // Get the result. If the result is nil, then we want to turn it + // into a typed nil if we can. + result := w.Result + if result == nil { + val := reflect.ValueOf(v) + result = reflect.Indirect(reflect.New(val.Type())).Interface() + } + + return result, nil +} + +// Return the key used to index interfaces types we've seen. Store the number +// of pointers in the upper 32bits, and the depth in the lower 32bits. This is +// easy to calculate, easy to match a key with our current depth, and we don't +// need to deal with initializing and cleaning up nested maps or slices. +func ifaceKey(pointers, depth int) uint64 { + return uint64(pointers)<<32 | uint64(depth) +} + +type walker struct { + Result interface{} + + copiers map[reflect.Type]CopierFunc + shallowCopiers map[reflect.Type]struct{} + depth int + ignoreDepth int + vals []reflect.Value + cs []reflect.Value + + // This stores the number of pointers we've walked over, indexed by depth. + ps []int + + // If an interface is indirected by a pointer, we need to know the type of + // interface to create when creating the new value. Store the interface + // types here, indexed by both the walk depth and the number of pointers + // already seen at that depth. Use ifaceKey to calculate the proper uint64 + // value. + ifaceTypes map[uint64]reflect.Type + + // any locks we've taken, indexed by depth + locks []sync.Locker + // take locks while walking the structure + useLocks bool +} + +func (w *walker) Enter(l reflectwalk.Location) error { + w.depth++ + + // ensure we have enough elements to index via w.depth + for w.depth >= len(w.locks) { + w.locks = append(w.locks, nil) + } + + for len(w.ps) < w.depth+1 { + w.ps = append(w.ps, 0) + } + + return nil +} + +func (w *walker) Exit(l reflectwalk.Location) error { + locker := w.locks[w.depth] + w.locks[w.depth] = nil + if locker != nil { + defer locker.Unlock() + } + + // clear out pointers and interfaces as we exit the stack + w.ps[w.depth] = 0 + + for k := range w.ifaceTypes { + mask := uint64(^uint32(0)) + if k&mask == uint64(w.depth) { + delete(w.ifaceTypes, k) + } + } + + w.depth-- + if w.ignoreDepth > w.depth { + w.ignoreDepth = 0 + } + + if w.ignoring() { + return nil + } + + switch l { + case reflectwalk.Array: + fallthrough + case reflectwalk.Map: + fallthrough + case reflectwalk.Slice: + w.replacePointerMaybe() + + // Pop map off our container + w.cs = w.cs[:len(w.cs)-1] + case reflectwalk.MapValue: + // Pop off the key and value + mv := w.valPop() + mk := w.valPop() + m := w.cs[len(w.cs)-1] + + // If mv is the zero value, SetMapIndex deletes the key form the map, + // or in this case never adds it. We need to create a properly typed + // zero value so that this key can be set. + if !mv.IsValid() { + mv = reflect.Zero(m.Elem().Type().Elem()) + } + m.Elem().SetMapIndex(mk, mv) + case reflectwalk.ArrayElem: + // Pop off the value and the index and set it on the array + v := w.valPop() + i := w.valPop().Interface().(int) + if v.IsValid() { + a := w.cs[len(w.cs)-1] + ae := a.Elem().Index(i) // storing array as pointer on stack - so need Elem() call + if ae.CanSet() { + ae.Set(v) + } + } + case reflectwalk.SliceElem: + // Pop off the value and the index and set it on the slice + v := w.valPop() + i := w.valPop().Interface().(int) + if v.IsValid() { + s := w.cs[len(w.cs)-1] + se := s.Elem().Index(i) + if se.CanSet() { + se.Set(v) + } + } + case reflectwalk.Struct: + w.replacePointerMaybe() + + // Remove the struct from the container stack + w.cs = w.cs[:len(w.cs)-1] + case reflectwalk.StructField: + // Pop off the value and the field + v := w.valPop() + f := w.valPop().Interface().(reflect.StructField) + if v.IsValid() { + s := w.cs[len(w.cs)-1] + sf := reflect.Indirect(s).FieldByName(f.Name) + + if sf.CanSet() { + sf.Set(v) + } + } + case reflectwalk.WalkLoc: + // Clear out the slices for GC + w.cs = nil + w.vals = nil + } + + return nil +} + +func (w *walker) Map(m reflect.Value) error { + if w.ignoring() { + return nil + } + w.lock(m) + + // Create the map. If the map itself is nil, then just make a nil map + var newMap reflect.Value + if m.IsNil() { + newMap = reflect.New(m.Type()) + } else { + newMap = wrapPtr(reflect.MakeMap(m.Type())) + } + + w.cs = append(w.cs, newMap) + w.valPush(newMap) + return nil +} + +func (w *walker) MapElem(m, k, v reflect.Value) error { + return nil +} + +func (w *walker) PointerEnter(v bool) error { + if v { + w.ps[w.depth]++ + } + return nil +} + +func (w *walker) PointerExit(v bool) error { + if v { + w.ps[w.depth]-- + } + return nil +} + +func (w *walker) Pointer(v reflect.Value) error { + if _, ok := w.shallowCopiers[v.Type()]; ok { + // Shallow copy this value. Use the same logic as primitive, then + // return skip. + if err := w.Primitive(v); err != nil { + return err + } + + return reflectwalk.SkipEntry + } + + return nil +} + +func (w *walker) Interface(v reflect.Value) error { + if !v.IsValid() { + return nil + } + if w.ifaceTypes == nil { + w.ifaceTypes = make(map[uint64]reflect.Type) + } + + w.ifaceTypes[ifaceKey(w.ps[w.depth], w.depth)] = v.Type() + return nil +} + +func (w *walker) Primitive(v reflect.Value) error { + if w.ignoring() { + return nil + } + w.lock(v) + + // IsValid verifies the v is non-zero and CanInterface verifies + // that we're allowed to read this value (unexported fields). + var newV reflect.Value + if v.IsValid() && v.CanInterface() { + newV = reflect.New(v.Type()) + newV.Elem().Set(v) + } + + w.valPush(newV) + w.replacePointerMaybe() + return nil +} + +func (w *walker) Slice(s reflect.Value) error { + if w.ignoring() { + return nil + } + w.lock(s) + + var newS reflect.Value + if s.IsNil() { + newS = reflect.New(s.Type()) + } else { + newS = wrapPtr(reflect.MakeSlice(s.Type(), s.Len(), s.Cap())) + } + + w.cs = append(w.cs, newS) + w.valPush(newS) + return nil +} + +func (w *walker) SliceElem(i int, elem reflect.Value) error { + if w.ignoring() { + return nil + } + + // We don't write the slice here because elem might still be + // arbitrarily complex. Just record the index and continue on. + w.valPush(reflect.ValueOf(i)) + + return nil +} + +func (w *walker) Array(a reflect.Value) error { + if w.ignoring() { + return nil + } + w.lock(a) + + newA := reflect.New(a.Type()) + + w.cs = append(w.cs, newA) + w.valPush(newA) + return nil +} + +func (w *walker) ArrayElem(i int, elem reflect.Value) error { + if w.ignoring() { + return nil + } + + // We don't write the array here because elem might still be + // arbitrarily complex. Just record the index and continue on. + w.valPush(reflect.ValueOf(i)) + + return nil +} + +func (w *walker) Struct(s reflect.Value) error { + if w.ignoring() { + return nil + } + w.lock(s) + + var v reflect.Value + if c, ok := w.copiers[s.Type()]; ok { + // We have a Copier for this struct, so we use that copier to + // get the copy, and we ignore anything deeper than this. + w.ignoreDepth = w.depth + + dup, err := c(s.Interface()) + if err != nil { + return err + } + + // We need to put a pointer to the value on the value stack, + // so allocate a new pointer and set it. + v = reflect.New(s.Type()) + reflect.Indirect(v).Set(reflect.ValueOf(dup)) + } else { + // No copier, we copy ourselves and allow reflectwalk to guide + // us deeper into the structure for copying. + v = reflect.New(s.Type()) + } + + // Push the value onto the value stack for setting the struct field, + // and add the struct itself to the containers stack in case we walk + // deeper so that its own fields can be modified. + w.valPush(v) + w.cs = append(w.cs, v) + + return nil +} + +func (w *walker) StructField(f reflect.StructField, v reflect.Value) error { + if w.ignoring() { + return nil + } + + // If PkgPath is non-empty, this is a private (unexported) field. + // We do not set this unexported since the Go runtime doesn't allow us. + if f.PkgPath != "" { + return reflectwalk.SkipEntry + } + + switch f.Tag.Get(tagKey) { + case "shallow": + // If we're shallow copying then assign the value directly to the + // struct and skip the entry. + if v.IsValid() { + s := w.cs[len(w.cs)-1] + sf := reflect.Indirect(s).FieldByName(f.Name) + if sf.CanSet() { + sf.Set(v) + } + } + + return reflectwalk.SkipEntry + + case "ignore": + // Do nothing + return reflectwalk.SkipEntry + } + + // Push the field onto the stack, we'll handle it when we exit + // the struct field in Exit... + w.valPush(reflect.ValueOf(f)) + + return nil +} + +// ignore causes the walker to ignore any more values until we exit this on +func (w *walker) ignore() { + w.ignoreDepth = w.depth +} + +func (w *walker) ignoring() bool { + return w.ignoreDepth > 0 && w.depth >= w.ignoreDepth +} + +func (w *walker) pointerPeek() bool { + return w.ps[w.depth] > 0 +} + +func (w *walker) valPop() reflect.Value { + result := w.vals[len(w.vals)-1] + w.vals = w.vals[:len(w.vals)-1] + + // If we're out of values, that means we popped everything off. In + // this case, we reset the result so the next pushed value becomes + // the result. + if len(w.vals) == 0 { + w.Result = nil + } + + return result +} + +func (w *walker) valPush(v reflect.Value) { + w.vals = append(w.vals, v) + + // If we haven't set the result yet, then this is the result since + // it is the first (outermost) value we're seeing. + if w.Result == nil && v.IsValid() { + w.Result = v.Interface() + } +} + +func (w *walker) replacePointerMaybe() { + // Determine the last pointer value. If it is NOT a pointer, then + // we need to push that onto the stack. + if !w.pointerPeek() { + w.valPush(reflect.Indirect(w.valPop())) + return + } + + v := w.valPop() + + // If the expected type is a pointer to an interface of any depth, + // such as *interface{}, **interface{}, etc., then we need to convert + // the value "v" from *CONCRETE to *interface{} so types match for + // Set. + // + // Example if v is type *Foo where Foo is a struct, v would become + // *interface{} instead. This only happens if we have an interface expectation + // at this depth. + // + // For more info, see GH-16 + if iType, ok := w.ifaceTypes[ifaceKey(w.ps[w.depth], w.depth)]; ok && iType.Kind() == reflect.Interface { + y := reflect.New(iType) // Create *interface{} + y.Elem().Set(reflect.Indirect(v)) // Assign "Foo" to interface{} (dereferenced) + v = y // v is now typed *interface{} (where *v = Foo) + } + + for i := 1; i < w.ps[w.depth]; i++ { + if iType, ok := w.ifaceTypes[ifaceKey(w.ps[w.depth]-i, w.depth)]; ok { + iface := reflect.New(iType).Elem() + iface.Set(v) + v = iface + } + + p := reflect.New(v.Type()) + p.Elem().Set(v) + v = p + } + + w.valPush(v) +} + +// if this value is a Locker, lock it and add it to the locks slice +func (w *walker) lock(v reflect.Value) { + if !w.useLocks { + return + } + + if !v.IsValid() || !v.CanInterface() { + return + } + + type rlocker interface { + RLocker() sync.Locker + } + + var locker sync.Locker + + // We can't call Interface() on a value directly, since that requires + // a copy. This is OK, since the pointer to a value which is a sync.Locker + // is also a sync.Locker. + if v.Kind() == reflect.Ptr { + switch l := v.Interface().(type) { + case rlocker: + // don't lock a mutex directly + if _, ok := l.(*sync.RWMutex); !ok { + locker = l.RLocker() + } + case sync.Locker: + locker = l + } + } else if v.CanAddr() { + switch l := v.Addr().Interface().(type) { + case rlocker: + // don't lock a mutex directly + if _, ok := l.(*sync.RWMutex); !ok { + locker = l.RLocker() + } + case sync.Locker: + locker = l + } + } + + // still no callable locker + if locker == nil { + return + } + + // don't lock a mutex directly + switch locker.(type) { + case *sync.Mutex, *sync.RWMutex: + return + } + + locker.Lock() + w.locks[w.depth] = locker +} + +// wrapPtr is a helper that takes v and always make it *v. copystructure +// stores things internally as pointers until the last moment before unwrapping +func wrapPtr(v reflect.Value) reflect.Value { + if !v.IsValid() { + return v + } + vPtr := reflect.New(v.Type()) + vPtr.Elem().Set(v) + return vPtr +} diff --git a/vendor/github.com/mitchellh/go-wordwrap/LICENSE.md b/vendor/github.com/mitchellh/go-wordwrap/LICENSE.md new file mode 100644 index 0000000000..2298515904 --- /dev/null +++ b/vendor/github.com/mitchellh/go-wordwrap/LICENSE.md @@ -0,0 +1,21 @@ +The MIT License (MIT) + +Copyright (c) 2014 Mitchell Hashimoto + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE. diff --git a/vendor/github.com/mitchellh/go-wordwrap/README.md b/vendor/github.com/mitchellh/go-wordwrap/README.md new file mode 100644 index 0000000000..60ae311700 --- /dev/null +++ b/vendor/github.com/mitchellh/go-wordwrap/README.md @@ -0,0 +1,39 @@ +# go-wordwrap + +`go-wordwrap` (Golang package: `wordwrap`) is a package for Go that +automatically wraps words into multiple lines. The primary use case for this +is in formatting CLI output, but of course word wrapping is a generally useful +thing to do. + +## Installation and Usage + +Install using `go get github.com/mitchellh/go-wordwrap`. + +Full documentation is available at +http://godoc.org/github.com/mitchellh/go-wordwrap + +Below is an example of its usage ignoring errors: + +```go +wrapped := wordwrap.WrapString("foo bar baz", 3) +fmt.Println(wrapped) +``` + +Would output: + +``` +foo +bar +baz +``` + +## Word Wrap Algorithm + +This library doesn't use any clever algorithm for word wrapping. The wrapping +is actually very naive: whenever there is whitespace or an explicit linebreak. +The goal of this library is for word wrapping CLI output, so the input is +typically pretty well controlled human language. Because of this, the naive +approach typically works just fine. + +In the future, we'd like to make the algorithm more advanced. We would do +so without breaking the API. diff --git a/vendor/github.com/mitchellh/go-wordwrap/wordwrap.go b/vendor/github.com/mitchellh/go-wordwrap/wordwrap.go new file mode 100644 index 0000000000..f7bedda388 --- /dev/null +++ b/vendor/github.com/mitchellh/go-wordwrap/wordwrap.go @@ -0,0 +1,83 @@ +package wordwrap + +import ( + "bytes" + "unicode" +) + +const nbsp = 0xA0 + +// WrapString wraps the given string within lim width in characters. +// +// Wrapping is currently naive and only happens at white-space. A future +// version of the library will implement smarter wrapping. This means that +// pathological cases can dramatically reach past the limit, such as a very +// long word. +func WrapString(s string, lim uint) string { + // Initialize a buffer with a slightly larger size to account for breaks + init := make([]byte, 0, len(s)) + buf := bytes.NewBuffer(init) + + var current uint + var wordBuf, spaceBuf bytes.Buffer + var wordBufLen, spaceBufLen uint + + for _, char := range s { + if char == '\n' { + if wordBuf.Len() == 0 { + if current+spaceBufLen > lim { + current = 0 + } else { + current += spaceBufLen + spaceBuf.WriteTo(buf) + } + spaceBuf.Reset() + spaceBufLen = 0 + } else { + current += spaceBufLen + wordBufLen + spaceBuf.WriteTo(buf) + spaceBuf.Reset() + spaceBufLen = 0 + wordBuf.WriteTo(buf) + wordBuf.Reset() + wordBufLen = 0 + } + buf.WriteRune(char) + current = 0 + } else if unicode.IsSpace(char) && char != nbsp { + if spaceBuf.Len() == 0 || wordBuf.Len() > 0 { + current += spaceBufLen + wordBufLen + spaceBuf.WriteTo(buf) + spaceBuf.Reset() + spaceBufLen = 0 + wordBuf.WriteTo(buf) + wordBuf.Reset() + wordBufLen = 0 + } + + spaceBuf.WriteRune(char) + spaceBufLen++ + } else { + wordBuf.WriteRune(char) + wordBufLen++ + + if current+wordBufLen+spaceBufLen > lim && wordBufLen < lim { + buf.WriteRune('\n') + current = 0 + spaceBuf.Reset() + spaceBufLen = 0 + } + } + } + + if wordBuf.Len() == 0 { + if current+spaceBufLen <= lim { + spaceBuf.WriteTo(buf) + } + } else { + spaceBuf.WriteTo(buf) + wordBuf.WriteTo(buf) + } + + return buf.String() +} diff --git a/vendor/github.com/mitchellh/reflectwalk/.travis.yml b/vendor/github.com/mitchellh/reflectwalk/.travis.yml new file mode 100644 index 0000000000..4f2ee4d973 --- /dev/null +++ b/vendor/github.com/mitchellh/reflectwalk/.travis.yml @@ -0,0 +1 @@ +language: go diff --git a/vendor/github.com/mitchellh/reflectwalk/LICENSE b/vendor/github.com/mitchellh/reflectwalk/LICENSE new file mode 100644 index 0000000000..f9c841a51e --- /dev/null +++ b/vendor/github.com/mitchellh/reflectwalk/LICENSE @@ -0,0 +1,21 @@ +The MIT License (MIT) + +Copyright (c) 2013 Mitchell Hashimoto + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE. diff --git a/vendor/github.com/mitchellh/reflectwalk/README.md b/vendor/github.com/mitchellh/reflectwalk/README.md new file mode 100644 index 0000000000..ac82cd2e15 --- /dev/null +++ b/vendor/github.com/mitchellh/reflectwalk/README.md @@ -0,0 +1,6 @@ +# reflectwalk + +reflectwalk is a Go library for "walking" a value in Go using reflection, +in the same way a directory tree can be "walked" on the filesystem. Walking +a complex structure can allow you to do manipulations on unknown structures +such as those decoded from JSON. diff --git a/vendor/github.com/mitchellh/reflectwalk/location.go b/vendor/github.com/mitchellh/reflectwalk/location.go new file mode 100644 index 0000000000..6a7f176117 --- /dev/null +++ b/vendor/github.com/mitchellh/reflectwalk/location.go @@ -0,0 +1,19 @@ +package reflectwalk + +//go:generate stringer -type=Location location.go + +type Location uint + +const ( + None Location = iota + Map + MapKey + MapValue + Slice + SliceElem + Array + ArrayElem + Struct + StructField + WalkLoc +) diff --git a/vendor/github.com/mitchellh/reflectwalk/location_string.go b/vendor/github.com/mitchellh/reflectwalk/location_string.go new file mode 100644 index 0000000000..70760cf4c7 --- /dev/null +++ b/vendor/github.com/mitchellh/reflectwalk/location_string.go @@ -0,0 +1,16 @@ +// Code generated by "stringer -type=Location location.go"; DO NOT EDIT. + +package reflectwalk + +import "fmt" + +const _Location_name = "NoneMapMapKeyMapValueSliceSliceElemArrayArrayElemStructStructFieldWalkLoc" + +var _Location_index = [...]uint8{0, 4, 7, 13, 21, 26, 35, 40, 49, 55, 66, 73} + +func (i Location) String() string { + if i >= Location(len(_Location_index)-1) { + return fmt.Sprintf("Location(%d)", i) + } + return _Location_name[_Location_index[i]:_Location_index[i+1]] +} diff --git a/vendor/github.com/mitchellh/reflectwalk/reflectwalk.go b/vendor/github.com/mitchellh/reflectwalk/reflectwalk.go new file mode 100644 index 0000000000..7fee7b050b --- /dev/null +++ b/vendor/github.com/mitchellh/reflectwalk/reflectwalk.go @@ -0,0 +1,420 @@ +// reflectwalk is a package that allows you to "walk" complex structures +// similar to how you may "walk" a filesystem: visiting every element one +// by one and calling callback functions allowing you to handle and manipulate +// those elements. +package reflectwalk + +import ( + "errors" + "reflect" +) + +// PrimitiveWalker implementations are able to handle primitive values +// within complex structures. Primitive values are numbers, strings, +// booleans, funcs, chans. +// +// These primitive values are often members of more complex +// structures (slices, maps, etc.) that are walkable by other interfaces. +type PrimitiveWalker interface { + Primitive(reflect.Value) error +} + +// InterfaceWalker implementations are able to handle interface values as they +// are encountered during the walk. +type InterfaceWalker interface { + Interface(reflect.Value) error +} + +// MapWalker implementations are able to handle individual elements +// found within a map structure. +type MapWalker interface { + Map(m reflect.Value) error + MapElem(m, k, v reflect.Value) error +} + +// SliceWalker implementations are able to handle slice elements found +// within complex structures. +type SliceWalker interface { + Slice(reflect.Value) error + SliceElem(int, reflect.Value) error +} + +// ArrayWalker implementations are able to handle array elements found +// within complex structures. +type ArrayWalker interface { + Array(reflect.Value) error + ArrayElem(int, reflect.Value) error +} + +// StructWalker is an interface that has methods that are called for +// structs when a Walk is done. +type StructWalker interface { + Struct(reflect.Value) error + StructField(reflect.StructField, reflect.Value) error +} + +// EnterExitWalker implementations are notified before and after +// they walk deeper into complex structures (into struct fields, +// into slice elements, etc.) +type EnterExitWalker interface { + Enter(Location) error + Exit(Location) error +} + +// PointerWalker implementations are notified when the value they're +// walking is a pointer or not. Pointer is called for _every_ value whether +// it is a pointer or not. +type PointerWalker interface { + PointerEnter(bool) error + PointerExit(bool) error +} + +// PointerValueWalker implementations are notified with the value of +// a particular pointer when a pointer is walked. Pointer is called +// right before PointerEnter. +type PointerValueWalker interface { + Pointer(reflect.Value) error +} + +// SkipEntry can be returned from walk functions to skip walking +// the value of this field. This is only valid in the following functions: +// +// - Struct: skips all fields from being walked +// - StructField: skips walking the struct value +// +var SkipEntry = errors.New("skip this entry") + +// Walk takes an arbitrary value and an interface and traverses the +// value, calling callbacks on the interface if they are supported. +// The interface should implement one or more of the walker interfaces +// in this package, such as PrimitiveWalker, StructWalker, etc. +func Walk(data, walker interface{}) (err error) { + v := reflect.ValueOf(data) + ew, ok := walker.(EnterExitWalker) + if ok { + err = ew.Enter(WalkLoc) + } + + if err == nil { + err = walk(v, walker) + } + + if ok && err == nil { + err = ew.Exit(WalkLoc) + } + + return +} + +func walk(v reflect.Value, w interface{}) (err error) { + // Determine if we're receiving a pointer and if so notify the walker. + // The logic here is convoluted but very important (tests will fail if + // almost any part is changed). I will try to explain here. + // + // First, we check if the value is an interface, if so, we really need + // to check the interface's VALUE to see whether it is a pointer. + // + // Check whether the value is then a pointer. If so, then set pointer + // to true to notify the user. + // + // If we still have a pointer or an interface after the indirections, then + // we unwrap another level + // + // At this time, we also set "v" to be the dereferenced value. This is + // because once we've unwrapped the pointer we want to use that value. + pointer := false + pointerV := v + + for { + if pointerV.Kind() == reflect.Interface { + if iw, ok := w.(InterfaceWalker); ok { + if err = iw.Interface(pointerV); err != nil { + return + } + } + + pointerV = pointerV.Elem() + } + + if pointerV.Kind() == reflect.Ptr { + if pw, ok := w.(PointerValueWalker); ok { + if err = pw.Pointer(pointerV); err != nil { + if err == SkipEntry { + // Skip the rest of this entry but clear the error + return nil + } + + return + } + } + + pointer = true + v = reflect.Indirect(pointerV) + } + if pw, ok := w.(PointerWalker); ok { + if err = pw.PointerEnter(pointer); err != nil { + return + } + + defer func(pointer bool) { + if err != nil { + return + } + + err = pw.PointerExit(pointer) + }(pointer) + } + + if pointer { + pointerV = v + } + pointer = false + + // If we still have a pointer or interface we have to indirect another level. + switch pointerV.Kind() { + case reflect.Ptr, reflect.Interface: + continue + } + break + } + + // We preserve the original value here because if it is an interface + // type, we want to pass that directly into the walkPrimitive, so that + // we can set it. + originalV := v + if v.Kind() == reflect.Interface { + v = v.Elem() + } + + k := v.Kind() + if k >= reflect.Int && k <= reflect.Complex128 { + k = reflect.Int + } + + switch k { + // Primitives + case reflect.Bool, reflect.Chan, reflect.Func, reflect.Int, reflect.String, reflect.Invalid: + err = walkPrimitive(originalV, w) + return + case reflect.Map: + err = walkMap(v, w) + return + case reflect.Slice: + err = walkSlice(v, w) + return + case reflect.Struct: + err = walkStruct(v, w) + return + case reflect.Array: + err = walkArray(v, w) + return + default: + panic("unsupported type: " + k.String()) + } +} + +func walkMap(v reflect.Value, w interface{}) error { + ew, ewok := w.(EnterExitWalker) + if ewok { + ew.Enter(Map) + } + + if mw, ok := w.(MapWalker); ok { + if err := mw.Map(v); err != nil { + return err + } + } + + for _, k := range v.MapKeys() { + kv := v.MapIndex(k) + + if mw, ok := w.(MapWalker); ok { + if err := mw.MapElem(v, k, kv); err != nil { + return err + } + } + + ew, ok := w.(EnterExitWalker) + if ok { + ew.Enter(MapKey) + } + + if err := walk(k, w); err != nil { + return err + } + + if ok { + ew.Exit(MapKey) + ew.Enter(MapValue) + } + + // get the map value again as it may have changed in the MapElem call + if err := walk(v.MapIndex(k), w); err != nil { + return err + } + + if ok { + ew.Exit(MapValue) + } + } + + if ewok { + ew.Exit(Map) + } + + return nil +} + +func walkPrimitive(v reflect.Value, w interface{}) error { + if pw, ok := w.(PrimitiveWalker); ok { + return pw.Primitive(v) + } + + return nil +} + +func walkSlice(v reflect.Value, w interface{}) (err error) { + ew, ok := w.(EnterExitWalker) + if ok { + ew.Enter(Slice) + } + + if sw, ok := w.(SliceWalker); ok { + if err := sw.Slice(v); err != nil { + return err + } + } + + for i := 0; i < v.Len(); i++ { + elem := v.Index(i) + + if sw, ok := w.(SliceWalker); ok { + if err := sw.SliceElem(i, elem); err != nil { + return err + } + } + + ew, ok := w.(EnterExitWalker) + if ok { + ew.Enter(SliceElem) + } + + if err := walk(elem, w); err != nil { + return err + } + + if ok { + ew.Exit(SliceElem) + } + } + + ew, ok = w.(EnterExitWalker) + if ok { + ew.Exit(Slice) + } + + return nil +} + +func walkArray(v reflect.Value, w interface{}) (err error) { + ew, ok := w.(EnterExitWalker) + if ok { + ew.Enter(Array) + } + + if aw, ok := w.(ArrayWalker); ok { + if err := aw.Array(v); err != nil { + return err + } + } + + for i := 0; i < v.Len(); i++ { + elem := v.Index(i) + + if aw, ok := w.(ArrayWalker); ok { + if err := aw.ArrayElem(i, elem); err != nil { + return err + } + } + + ew, ok := w.(EnterExitWalker) + if ok { + ew.Enter(ArrayElem) + } + + if err := walk(elem, w); err != nil { + return err + } + + if ok { + ew.Exit(ArrayElem) + } + } + + ew, ok = w.(EnterExitWalker) + if ok { + ew.Exit(Array) + } + + return nil +} + +func walkStruct(v reflect.Value, w interface{}) (err error) { + ew, ewok := w.(EnterExitWalker) + if ewok { + ew.Enter(Struct) + } + + skip := false + if sw, ok := w.(StructWalker); ok { + err = sw.Struct(v) + if err == SkipEntry { + skip = true + err = nil + } + if err != nil { + return + } + } + + if !skip { + vt := v.Type() + for i := 0; i < vt.NumField(); i++ { + sf := vt.Field(i) + f := v.FieldByIndex([]int{i}) + + if sw, ok := w.(StructWalker); ok { + err = sw.StructField(sf, f) + + // SkipEntry just pretends this field doesn't even exist + if err == SkipEntry { + continue + } + + if err != nil { + return + } + } + + ew, ok := w.(EnterExitWalker) + if ok { + ew.Enter(StructField) + } + + err = walk(f, w) + if err != nil { + return + } + + if ok { + ew.Exit(StructField) + } + } + } + + if ewok { + ew.Exit(Struct) + } + + return nil +} diff --git a/vendor/github.com/moby/term/.gitignore b/vendor/github.com/moby/term/.gitignore new file mode 100644 index 0000000000..b0747ff010 --- /dev/null +++ b/vendor/github.com/moby/term/.gitignore @@ -0,0 +1,8 @@ +# if you want to ignore files created by your editor/tools, consider using a +# global .gitignore or .git/info/exclude see https://help.github.com/articles/ignoring-files +.* +!.github +!.gitignore +profile.out +# support running go modules in vendor mode for local development +vendor/ diff --git a/vendor/github.com/moby/term/LICENSE b/vendor/github.com/moby/term/LICENSE new file mode 100644 index 0000000000..6d8d58fb67 --- /dev/null +++ b/vendor/github.com/moby/term/LICENSE @@ -0,0 +1,191 @@ + + Apache License + Version 2.0, January 2004 + https://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + Copyright 2013-2018 Docker, Inc. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + https://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/vendor/github.com/moby/term/README.md b/vendor/github.com/moby/term/README.md new file mode 100644 index 0000000000..0ce92cc339 --- /dev/null +++ b/vendor/github.com/moby/term/README.md @@ -0,0 +1,36 @@ +# term - utilities for dealing with terminals + +![Test](https://github.com/moby/term/workflows/Test/badge.svg) [![GoDoc](https://godoc.org/github.com/moby/term?status.svg)](https://godoc.org/github.com/moby/term) [![Go Report Card](https://goreportcard.com/badge/github.com/moby/term)](https://goreportcard.com/report/github.com/moby/term) + +term provides structures and helper functions to work with terminal (state, sizes). + +#### Using term + +```go +package main + +import ( + "log" + "os" + + "github.com/moby/term" +) + +func main() { + fd := os.Stdin.Fd() + if term.IsTerminal(fd) { + ws, err := term.GetWinsize(fd) + if err != nil { + log.Fatalf("term.GetWinsize: %s", err) + } + log.Printf("%d:%d\n", ws.Height, ws.Width) + } +} +``` + +## Contributing + +Want to hack on term? [Docker's contributions guidelines](https://github.com/docker/docker/blob/master/CONTRIBUTING.md) apply. + +## Copyright and license +Code and documentation copyright 2015 Docker, inc. Code released under the Apache 2.0 license. Docs released under Creative commons. diff --git a/vendor/github.com/moby/term/ascii.go b/vendor/github.com/moby/term/ascii.go new file mode 100644 index 0000000000..55873c0556 --- /dev/null +++ b/vendor/github.com/moby/term/ascii.go @@ -0,0 +1,66 @@ +package term + +import ( + "fmt" + "strings" +) + +// ASCII list the possible supported ASCII key sequence +var ASCII = []string{ + "ctrl-@", + "ctrl-a", + "ctrl-b", + "ctrl-c", + "ctrl-d", + "ctrl-e", + "ctrl-f", + "ctrl-g", + "ctrl-h", + "ctrl-i", + "ctrl-j", + "ctrl-k", + "ctrl-l", + "ctrl-m", + "ctrl-n", + "ctrl-o", + "ctrl-p", + "ctrl-q", + "ctrl-r", + "ctrl-s", + "ctrl-t", + "ctrl-u", + "ctrl-v", + "ctrl-w", + "ctrl-x", + "ctrl-y", + "ctrl-z", + "ctrl-[", + "ctrl-\\", + "ctrl-]", + "ctrl-^", + "ctrl-_", +} + +// ToBytes converts a string representing a suite of key-sequence to the corresponding ASCII code. +func ToBytes(keys string) ([]byte, error) { + codes := []byte{} +next: + for _, key := range strings.Split(keys, ",") { + if len(key) != 1 { + for code, ctrl := range ASCII { + if ctrl == key { + codes = append(codes, byte(code)) + continue next + } + } + if key == "DEL" { + codes = append(codes, 127) + } else { + return nil, fmt.Errorf("Unknown character: '%s'", key) + } + } else { + codes = append(codes, key[0]) + } + } + return codes, nil +} diff --git a/vendor/github.com/moby/term/doc.go b/vendor/github.com/moby/term/doc.go new file mode 100644 index 0000000000..c9bc032443 --- /dev/null +++ b/vendor/github.com/moby/term/doc.go @@ -0,0 +1,3 @@ +// Package term provides structures and helper functions to work with +// terminal (state, sizes). +package term diff --git a/vendor/github.com/moby/term/proxy.go b/vendor/github.com/moby/term/proxy.go new file mode 100644 index 0000000000..c47756b89a --- /dev/null +++ b/vendor/github.com/moby/term/proxy.go @@ -0,0 +1,88 @@ +package term + +import ( + "io" +) + +// EscapeError is special error which returned by a TTY proxy reader's Read() +// method in case its detach escape sequence is read. +type EscapeError struct{} + +func (EscapeError) Error() string { + return "read escape sequence" +} + +// escapeProxy is used only for attaches with a TTY. It is used to proxy +// stdin keypresses from the underlying reader and look for the passed in +// escape key sequence to signal a detach. +type escapeProxy struct { + escapeKeys []byte + escapeKeyPos int + r io.Reader + buf []byte +} + +// NewEscapeProxy returns a new TTY proxy reader which wraps the given reader +// and detects when the specified escape keys are read, in which case the Read +// method will return an error of type EscapeError. +func NewEscapeProxy(r io.Reader, escapeKeys []byte) io.Reader { + return &escapeProxy{ + escapeKeys: escapeKeys, + r: r, + } +} + +func (r *escapeProxy) Read(buf []byte) (n int, err error) { + if len(r.escapeKeys) > 0 && r.escapeKeyPos == len(r.escapeKeys) { + return 0, EscapeError{} + } + + if len(r.buf) > 0 { + n = copy(buf, r.buf) + r.buf = r.buf[n:] + } + + nr, err := r.r.Read(buf[n:]) + n += nr + if len(r.escapeKeys) == 0 { + return n, err + } + + for i := 0; i < n; i++ { + if buf[i] == r.escapeKeys[r.escapeKeyPos] { + r.escapeKeyPos++ + + // Check if the full escape sequence is matched. + if r.escapeKeyPos == len(r.escapeKeys) { + n = i + 1 - r.escapeKeyPos + if n < 0 { + n = 0 + } + return n, EscapeError{} + } + continue + } + + // If we need to prepend a partial escape sequence from the previous + // read, make sure the new buffer size doesn't exceed len(buf). + // Otherwise, preserve any extra data in a buffer for the next read. + if i < r.escapeKeyPos { + preserve := make([]byte, 0, r.escapeKeyPos+n) + preserve = append(preserve, r.escapeKeys[:r.escapeKeyPos]...) + preserve = append(preserve, buf[:n]...) + n = copy(buf, preserve) + i += r.escapeKeyPos + r.buf = append(r.buf, preserve[n:]...) + } + r.escapeKeyPos = 0 + } + + // If we're in the middle of reading an escape sequence, make sure we don't + // let the caller read it. If later on we find that this is not the escape + // sequence, we'll prepend it back to buf. + n -= r.escapeKeyPos + if n < 0 { + n = 0 + } + return n, err +} diff --git a/vendor/github.com/moby/term/term.go b/vendor/github.com/moby/term/term.go new file mode 100644 index 0000000000..f9d8988ef8 --- /dev/null +++ b/vendor/github.com/moby/term/term.go @@ -0,0 +1,85 @@ +package term + +import "io" + +// State holds the platform-specific state / console mode for the terminal. +type State terminalState + +// Winsize represents the size of the terminal window. +type Winsize struct { + Height uint16 + Width uint16 + + // Only used on Unix + x uint16 + y uint16 +} + +// StdStreams returns the standard streams (stdin, stdout, stderr). +// +// On Windows, it attempts to turn on VT handling on all std handles if +// supported, or falls back to terminal emulation. On Unix, this returns +// the standard [os.Stdin], [os.Stdout] and [os.Stderr]. +func StdStreams() (stdIn io.ReadCloser, stdOut, stdErr io.Writer) { + return stdStreams() +} + +// GetFdInfo returns the file descriptor for an os.File and indicates whether the file represents a terminal. +func GetFdInfo(in interface{}) (fd uintptr, isTerminal bool) { + return getFdInfo(in) +} + +// GetWinsize returns the window size based on the specified file descriptor. +func GetWinsize(fd uintptr) (*Winsize, error) { + return getWinsize(fd) +} + +// SetWinsize tries to set the specified window size for the specified file +// descriptor. It is only implemented on Unix, and returns an error on Windows. +func SetWinsize(fd uintptr, ws *Winsize) error { + return setWinsize(fd, ws) +} + +// IsTerminal returns true if the given file descriptor is a terminal. +func IsTerminal(fd uintptr) bool { + return isTerminal(fd) +} + +// RestoreTerminal restores the terminal connected to the given file descriptor +// to a previous state. +func RestoreTerminal(fd uintptr, state *State) error { + return restoreTerminal(fd, state) +} + +// SaveState saves the state of the terminal connected to the given file descriptor. +func SaveState(fd uintptr) (*State, error) { + return saveState(fd) +} + +// DisableEcho applies the specified state to the terminal connected to the file +// descriptor, with echo disabled. +func DisableEcho(fd uintptr, state *State) error { + return disableEcho(fd, state) +} + +// SetRawTerminal puts the terminal connected to the given file descriptor into +// raw mode and returns the previous state. On UNIX, this is the equivalent of +// [MakeRaw], and puts both the input and output into raw mode. On Windows, it +// only puts the input into raw mode. +func SetRawTerminal(fd uintptr) (previousState *State, err error) { + return setRawTerminal(fd) +} + +// SetRawTerminalOutput puts the output of terminal connected to the given file +// descriptor into raw mode. On UNIX, this does nothing and returns nil for the +// state. On Windows, it disables LF -> CRLF translation. +func SetRawTerminalOutput(fd uintptr) (previousState *State, err error) { + return setRawTerminalOutput(fd) +} + +// MakeRaw puts the terminal (Windows Console) connected to the +// given file descriptor into raw mode and returns the previous state of +// the terminal so that it can be restored. +func MakeRaw(fd uintptr) (previousState *State, err error) { + return makeRaw(fd) +} diff --git a/vendor/github.com/moby/term/term_unix.go b/vendor/github.com/moby/term/term_unix.go new file mode 100644 index 0000000000..579ce5530a --- /dev/null +++ b/vendor/github.com/moby/term/term_unix.go @@ -0,0 +1,98 @@ +//go:build !windows +// +build !windows + +package term + +import ( + "errors" + "io" + "os" + + "golang.org/x/sys/unix" +) + +// ErrInvalidState is returned if the state of the terminal is invalid. +// +// Deprecated: ErrInvalidState is no longer used. +var ErrInvalidState = errors.New("Invalid terminal state") + +// terminalState holds the platform-specific state / console mode for the terminal. +type terminalState struct { + termios unix.Termios +} + +func stdStreams() (stdIn io.ReadCloser, stdOut, stdErr io.Writer) { + return os.Stdin, os.Stdout, os.Stderr +} + +func getFdInfo(in interface{}) (uintptr, bool) { + var inFd uintptr + var isTerminalIn bool + if file, ok := in.(*os.File); ok { + inFd = file.Fd() + isTerminalIn = isTerminal(inFd) + } + return inFd, isTerminalIn +} + +func getWinsize(fd uintptr) (*Winsize, error) { + uws, err := unix.IoctlGetWinsize(int(fd), unix.TIOCGWINSZ) + ws := &Winsize{Height: uws.Row, Width: uws.Col, x: uws.Xpixel, y: uws.Ypixel} + return ws, err +} + +func setWinsize(fd uintptr, ws *Winsize) error { + return unix.IoctlSetWinsize(int(fd), unix.TIOCSWINSZ, &unix.Winsize{ + Row: ws.Height, + Col: ws.Width, + Xpixel: ws.x, + Ypixel: ws.y, + }) +} + +func isTerminal(fd uintptr) bool { + _, err := tcget(fd) + return err == nil +} + +func restoreTerminal(fd uintptr, state *State) error { + if state == nil { + return errors.New("invalid terminal state") + } + return tcset(fd, &state.termios) +} + +func saveState(fd uintptr) (*State, error) { + termios, err := tcget(fd) + if err != nil { + return nil, err + } + return &State{termios: *termios}, nil +} + +func disableEcho(fd uintptr, state *State) error { + newState := state.termios + newState.Lflag &^= unix.ECHO + + return tcset(fd, &newState) +} + +func setRawTerminal(fd uintptr) (*State, error) { + return makeRaw(fd) +} + +func setRawTerminalOutput(uintptr) (*State, error) { + return nil, nil +} + +func tcget(fd uintptr) (*unix.Termios, error) { + p, err := unix.IoctlGetTermios(int(fd), getTermios) + if err != nil { + return nil, err + } + return p, nil +} + +func tcset(fd uintptr, p *unix.Termios) error { + return unix.IoctlSetTermios(int(fd), setTermios, p) +} diff --git a/vendor/github.com/moby/term/term_windows.go b/vendor/github.com/moby/term/term_windows.go new file mode 100644 index 0000000000..81ccff0428 --- /dev/null +++ b/vendor/github.com/moby/term/term_windows.go @@ -0,0 +1,176 @@ +package term + +import ( + "fmt" + "io" + "os" + "os/signal" + + windowsconsole "github.com/moby/term/windows" + "golang.org/x/sys/windows" +) + +// terminalState holds the platform-specific state / console mode for the terminal. +type terminalState struct { + mode uint32 +} + +// vtInputSupported is true if winterm.ENABLE_VIRTUAL_TERMINAL_INPUT is supported by the console +var vtInputSupported bool + +func stdStreams() (stdIn io.ReadCloser, stdOut, stdErr io.Writer) { + // Turn on VT handling on all std handles, if possible. This might + // fail, in which case we will fall back to terminal emulation. + var ( + emulateStdin, emulateStdout, emulateStderr bool + + mode uint32 + ) + + fd := windows.Handle(os.Stdin.Fd()) + if err := windows.GetConsoleMode(fd, &mode); err == nil { + // Validate that winterm.ENABLE_VIRTUAL_TERMINAL_INPUT is supported, but do not set it. + if err = windows.SetConsoleMode(fd, mode|windows.ENABLE_VIRTUAL_TERMINAL_INPUT); err != nil { + emulateStdin = true + } else { + vtInputSupported = true + } + // Unconditionally set the console mode back even on failure because SetConsoleMode + // remembers invalid bits on input handles. + _ = windows.SetConsoleMode(fd, mode) + } + + fd = windows.Handle(os.Stdout.Fd()) + if err := windows.GetConsoleMode(fd, &mode); err == nil { + // Validate winterm.DISABLE_NEWLINE_AUTO_RETURN is supported, but do not set it. + if err = windows.SetConsoleMode(fd, mode|windows.ENABLE_VIRTUAL_TERMINAL_PROCESSING|windows.DISABLE_NEWLINE_AUTO_RETURN); err != nil { + emulateStdout = true + } else { + _ = windows.SetConsoleMode(fd, mode|windows.ENABLE_VIRTUAL_TERMINAL_PROCESSING) + } + } + + fd = windows.Handle(os.Stderr.Fd()) + if err := windows.GetConsoleMode(fd, &mode); err == nil { + // Validate winterm.DISABLE_NEWLINE_AUTO_RETURN is supported, but do not set it. + if err = windows.SetConsoleMode(fd, mode|windows.ENABLE_VIRTUAL_TERMINAL_PROCESSING|windows.DISABLE_NEWLINE_AUTO_RETURN); err != nil { + emulateStderr = true + } else { + _ = windows.SetConsoleMode(fd, mode|windows.ENABLE_VIRTUAL_TERMINAL_PROCESSING) + } + } + + if emulateStdin { + h := uint32(windows.STD_INPUT_HANDLE) + stdIn = windowsconsole.NewAnsiReader(int(h)) + } else { + stdIn = os.Stdin + } + + if emulateStdout { + h := uint32(windows.STD_OUTPUT_HANDLE) + stdOut = windowsconsole.NewAnsiWriter(int(h)) + } else { + stdOut = os.Stdout + } + + if emulateStderr { + h := uint32(windows.STD_ERROR_HANDLE) + stdErr = windowsconsole.NewAnsiWriter(int(h)) + } else { + stdErr = os.Stderr + } + + return stdIn, stdOut, stdErr +} + +func getFdInfo(in interface{}) (uintptr, bool) { + return windowsconsole.GetHandleInfo(in) +} + +func getWinsize(fd uintptr) (*Winsize, error) { + var info windows.ConsoleScreenBufferInfo + if err := windows.GetConsoleScreenBufferInfo(windows.Handle(fd), &info); err != nil { + return nil, err + } + + winsize := &Winsize{ + Width: uint16(info.Window.Right - info.Window.Left + 1), + Height: uint16(info.Window.Bottom - info.Window.Top + 1), + } + + return winsize, nil +} + +func setWinsize(fd uintptr, ws *Winsize) error { + return fmt.Errorf("not implemented on Windows") +} + +func isTerminal(fd uintptr) bool { + var mode uint32 + err := windows.GetConsoleMode(windows.Handle(fd), &mode) + return err == nil +} + +func restoreTerminal(fd uintptr, state *State) error { + return windows.SetConsoleMode(windows.Handle(fd), state.mode) +} + +func saveState(fd uintptr) (*State, error) { + var mode uint32 + + if err := windows.GetConsoleMode(windows.Handle(fd), &mode); err != nil { + return nil, err + } + + return &State{mode: mode}, nil +} + +func disableEcho(fd uintptr, state *State) error { + // See https://msdn.microsoft.com/en-us/library/windows/desktop/ms683462(v=vs.85).aspx + mode := state.mode + mode &^= windows.ENABLE_ECHO_INPUT + mode |= windows.ENABLE_PROCESSED_INPUT | windows.ENABLE_LINE_INPUT + err := windows.SetConsoleMode(windows.Handle(fd), mode) + if err != nil { + return err + } + + // Register an interrupt handler to catch and restore prior state + restoreAtInterrupt(fd, state) + return nil +} + +func setRawTerminal(fd uintptr) (*State, error) { + oldState, err := MakeRaw(fd) + if err != nil { + return nil, err + } + + // Register an interrupt handler to catch and restore prior state + restoreAtInterrupt(fd, oldState) + return oldState, err +} + +func setRawTerminalOutput(fd uintptr) (*State, error) { + oldState, err := saveState(fd) + if err != nil { + return nil, err + } + + // Ignore failures, since winterm.DISABLE_NEWLINE_AUTO_RETURN might not be supported on this + // version of Windows. + _ = windows.SetConsoleMode(windows.Handle(fd), oldState.mode|windows.DISABLE_NEWLINE_AUTO_RETURN) + return oldState, err +} + +func restoreAtInterrupt(fd uintptr, state *State) { + sigchan := make(chan os.Signal, 1) + signal.Notify(sigchan, os.Interrupt) + + go func() { + _ = <-sigchan + _ = RestoreTerminal(fd, state) + os.Exit(0) + }() +} diff --git a/vendor/github.com/moby/term/termios_bsd.go b/vendor/github.com/moby/term/termios_bsd.go new file mode 100644 index 0000000000..45f77e03c7 --- /dev/null +++ b/vendor/github.com/moby/term/termios_bsd.go @@ -0,0 +1,13 @@ +//go:build darwin || freebsd || openbsd || netbsd +// +build darwin freebsd openbsd netbsd + +package term + +import ( + "golang.org/x/sys/unix" +) + +const ( + getTermios = unix.TIOCGETA + setTermios = unix.TIOCSETA +) diff --git a/vendor/github.com/moby/term/termios_nonbsd.go b/vendor/github.com/moby/term/termios_nonbsd.go new file mode 100644 index 0000000000..88b7b21563 --- /dev/null +++ b/vendor/github.com/moby/term/termios_nonbsd.go @@ -0,0 +1,13 @@ +//go:build !darwin && !freebsd && !netbsd && !openbsd && !windows +// +build !darwin,!freebsd,!netbsd,!openbsd,!windows + +package term + +import ( + "golang.org/x/sys/unix" +) + +const ( + getTermios = unix.TCGETS + setTermios = unix.TCSETS +) diff --git a/vendor/github.com/moby/term/termios_unix.go b/vendor/github.com/moby/term/termios_unix.go new file mode 100644 index 0000000000..60c823783c --- /dev/null +++ b/vendor/github.com/moby/term/termios_unix.go @@ -0,0 +1,35 @@ +//go:build !windows +// +build !windows + +package term + +import ( + "golang.org/x/sys/unix" +) + +// Termios is the Unix API for terminal I/O. +// +// Deprecated: use [unix.Termios]. +type Termios = unix.Termios + +func makeRaw(fd uintptr) (*State, error) { + termios, err := tcget(fd) + if err != nil { + return nil, err + } + + oldState := State{termios: *termios} + + termios.Iflag &^= unix.IGNBRK | unix.BRKINT | unix.PARMRK | unix.ISTRIP | unix.INLCR | unix.IGNCR | unix.ICRNL | unix.IXON + termios.Oflag &^= unix.OPOST + termios.Lflag &^= unix.ECHO | unix.ECHONL | unix.ICANON | unix.ISIG | unix.IEXTEN + termios.Cflag &^= unix.CSIZE | unix.PARENB + termios.Cflag |= unix.CS8 + termios.Cc[unix.VMIN] = 1 + termios.Cc[unix.VTIME] = 0 + + if err := tcset(fd, termios); err != nil { + return nil, err + } + return &oldState, nil +} diff --git a/vendor/github.com/moby/term/termios_windows.go b/vendor/github.com/moby/term/termios_windows.go new file mode 100644 index 0000000000..5be4e76011 --- /dev/null +++ b/vendor/github.com/moby/term/termios_windows.go @@ -0,0 +1,37 @@ +package term + +import "golang.org/x/sys/windows" + +func makeRaw(fd uintptr) (*State, error) { + state, err := SaveState(fd) + if err != nil { + return nil, err + } + + mode := state.mode + + // See + // -- https://msdn.microsoft.com/en-us/library/windows/desktop/ms686033(v=vs.85).aspx + // -- https://msdn.microsoft.com/en-us/library/windows/desktop/ms683462(v=vs.85).aspx + + // Disable these modes + mode &^= windows.ENABLE_ECHO_INPUT + mode &^= windows.ENABLE_LINE_INPUT + mode &^= windows.ENABLE_MOUSE_INPUT + mode &^= windows.ENABLE_WINDOW_INPUT + mode &^= windows.ENABLE_PROCESSED_INPUT + + // Enable these modes + mode |= windows.ENABLE_EXTENDED_FLAGS + mode |= windows.ENABLE_INSERT_MODE + mode |= windows.ENABLE_QUICK_EDIT_MODE + if vtInputSupported { + mode |= windows.ENABLE_VIRTUAL_TERMINAL_INPUT + } + + err = windows.SetConsoleMode(windows.Handle(fd), mode) + if err != nil { + return nil, err + } + return state, nil +} diff --git a/vendor/github.com/moby/term/windows/ansi_reader.go b/vendor/github.com/moby/term/windows/ansi_reader.go new file mode 100644 index 0000000000..fb34c547aa --- /dev/null +++ b/vendor/github.com/moby/term/windows/ansi_reader.go @@ -0,0 +1,252 @@ +//go:build windows +// +build windows + +package windowsconsole + +import ( + "bytes" + "errors" + "fmt" + "io" + "os" + "strings" + "unsafe" + + ansiterm "github.com/Azure/go-ansiterm" + "github.com/Azure/go-ansiterm/winterm" +) + +const ( + escapeSequence = ansiterm.KEY_ESC_CSI +) + +// ansiReader wraps a standard input file (e.g., os.Stdin) providing ANSI sequence translation. +type ansiReader struct { + file *os.File + fd uintptr + buffer []byte + cbBuffer int + command []byte +} + +// NewAnsiReader returns an io.ReadCloser that provides VT100 terminal emulation on top of a +// Windows console input handle. +func NewAnsiReader(nFile int) io.ReadCloser { + file, fd := winterm.GetStdFile(nFile) + return &ansiReader{ + file: file, + fd: fd, + command: make([]byte, 0, ansiterm.ANSI_MAX_CMD_LENGTH), + buffer: make([]byte, 0), + } +} + +// Close closes the wrapped file. +func (ar *ansiReader) Close() (err error) { + return ar.file.Close() +} + +// Fd returns the file descriptor of the wrapped file. +func (ar *ansiReader) Fd() uintptr { + return ar.fd +} + +// Read reads up to len(p) bytes of translated input events into p. +func (ar *ansiReader) Read(p []byte) (int, error) { + if len(p) == 0 { + return 0, nil + } + + // Previously read bytes exist, read as much as we can and return + if len(ar.buffer) > 0 { + originalLength := len(ar.buffer) + copiedLength := copy(p, ar.buffer) + + if copiedLength == originalLength { + ar.buffer = make([]byte, 0, len(p)) + } else { + ar.buffer = ar.buffer[copiedLength:] + } + + return copiedLength, nil + } + + // Read and translate key events + events, err := readInputEvents(ar, len(p)) + if err != nil { + return 0, err + } else if len(events) == 0 { + return 0, nil + } + + keyBytes := translateKeyEvents(events, []byte(escapeSequence)) + + // Save excess bytes and right-size keyBytes + if len(keyBytes) > len(p) { + ar.buffer = keyBytes[len(p):] + keyBytes = keyBytes[:len(p)] + } else if len(keyBytes) == 0 { + return 0, nil + } + + copiedLength := copy(p, keyBytes) + if copiedLength != len(keyBytes) { + return 0, errors.New("unexpected copy length encountered") + } + + return copiedLength, nil +} + +// readInputEvents polls until at least one event is available. +func readInputEvents(ar *ansiReader, maxBytes int) ([]winterm.INPUT_RECORD, error) { + // Determine the maximum number of records to retrieve + // -- Cast around the type system to obtain the size of a single INPUT_RECORD. + // unsafe.Sizeof requires an expression vs. a type-reference; the casting + // tricks the type system into believing it has such an expression. + recordSize := int(unsafe.Sizeof(*((*winterm.INPUT_RECORD)(unsafe.Pointer(&maxBytes))))) + countRecords := maxBytes / recordSize + if countRecords > ansiterm.MAX_INPUT_EVENTS { + countRecords = ansiterm.MAX_INPUT_EVENTS + } else if countRecords == 0 { + countRecords = 1 + } + + // Wait for and read input events + events := make([]winterm.INPUT_RECORD, countRecords) + nEvents := uint32(0) + eventsExist, err := winterm.WaitForSingleObject(ar.fd, winterm.WAIT_INFINITE) + if err != nil { + return nil, err + } + + if eventsExist { + err = winterm.ReadConsoleInput(ar.fd, events, &nEvents) + if err != nil { + return nil, err + } + } + + // Return a slice restricted to the number of returned records + return events[:nEvents], nil +} + +// KeyEvent Translation Helpers + +var arrowKeyMapPrefix = map[uint16]string{ + winterm.VK_UP: "%s%sA", + winterm.VK_DOWN: "%s%sB", + winterm.VK_RIGHT: "%s%sC", + winterm.VK_LEFT: "%s%sD", +} + +var keyMapPrefix = map[uint16]string{ + winterm.VK_UP: "\x1B[%sA", + winterm.VK_DOWN: "\x1B[%sB", + winterm.VK_RIGHT: "\x1B[%sC", + winterm.VK_LEFT: "\x1B[%sD", + winterm.VK_HOME: "\x1B[1%s~", // showkey shows ^[[1 + winterm.VK_END: "\x1B[4%s~", // showkey shows ^[[4 + winterm.VK_INSERT: "\x1B[2%s~", + winterm.VK_DELETE: "\x1B[3%s~", + winterm.VK_PRIOR: "\x1B[5%s~", + winterm.VK_NEXT: "\x1B[6%s~", + winterm.VK_F1: "", + winterm.VK_F2: "", + winterm.VK_F3: "\x1B[13%s~", + winterm.VK_F4: "\x1B[14%s~", + winterm.VK_F5: "\x1B[15%s~", + winterm.VK_F6: "\x1B[17%s~", + winterm.VK_F7: "\x1B[18%s~", + winterm.VK_F8: "\x1B[19%s~", + winterm.VK_F9: "\x1B[20%s~", + winterm.VK_F10: "\x1B[21%s~", + winterm.VK_F11: "\x1B[23%s~", + winterm.VK_F12: "\x1B[24%s~", +} + +// translateKeyEvents converts the input events into the appropriate ANSI string. +func translateKeyEvents(events []winterm.INPUT_RECORD, escapeSequence []byte) []byte { + var buffer bytes.Buffer + for _, event := range events { + if event.EventType == winterm.KEY_EVENT && event.KeyEvent.KeyDown != 0 { + buffer.WriteString(keyToString(&event.KeyEvent, escapeSequence)) + } + } + + return buffer.Bytes() +} + +// keyToString maps the given input event record to the corresponding string. +func keyToString(keyEvent *winterm.KEY_EVENT_RECORD, escapeSequence []byte) string { + if keyEvent.UnicodeChar == 0 { + return formatVirtualKey(keyEvent.VirtualKeyCode, keyEvent.ControlKeyState, escapeSequence) + } + + _, alt, control := getControlKeys(keyEvent.ControlKeyState) + if control { + // TODO(azlinux): Implement following control sequences + // -D Signals the end of input from the keyboard; also exits current shell. + // -H Deletes the first character to the left of the cursor. Also called the ERASE key. + // -Q Restarts printing after it has been stopped with -s. + // -S Suspends printing on the screen (does not stop the program). + // -U Deletes all characters on the current line. Also called the KILL key. + // -E Quits current command and creates a core + } + + // +Key generates ESC N Key + if !control && alt { + return ansiterm.KEY_ESC_N + strings.ToLower(string(rune(keyEvent.UnicodeChar))) + } + + return string(rune(keyEvent.UnicodeChar)) +} + +// formatVirtualKey converts a virtual key (e.g., up arrow) into the appropriate ANSI string. +func formatVirtualKey(key uint16, controlState uint32, escapeSequence []byte) string { + shift, alt, control := getControlKeys(controlState) + modifier := getControlKeysModifier(shift, alt, control) + + if format, ok := arrowKeyMapPrefix[key]; ok { + return fmt.Sprintf(format, escapeSequence, modifier) + } + + if format, ok := keyMapPrefix[key]; ok { + return fmt.Sprintf(format, modifier) + } + + return "" +} + +// getControlKeys extracts the shift, alt, and ctrl key states. +func getControlKeys(controlState uint32) (shift, alt, control bool) { + shift = 0 != (controlState & winterm.SHIFT_PRESSED) + alt = 0 != (controlState & (winterm.LEFT_ALT_PRESSED | winterm.RIGHT_ALT_PRESSED)) + control = 0 != (controlState & (winterm.LEFT_CTRL_PRESSED | winterm.RIGHT_CTRL_PRESSED)) + return shift, alt, control +} + +// getControlKeysModifier returns the ANSI modifier for the given combination of control keys. +func getControlKeysModifier(shift, alt, control bool) string { + if shift && alt && control { + return ansiterm.KEY_CONTROL_PARAM_8 + } + if alt && control { + return ansiterm.KEY_CONTROL_PARAM_7 + } + if shift && control { + return ansiterm.KEY_CONTROL_PARAM_6 + } + if control { + return ansiterm.KEY_CONTROL_PARAM_5 + } + if shift && alt { + return ansiterm.KEY_CONTROL_PARAM_4 + } + if alt { + return ansiterm.KEY_CONTROL_PARAM_3 + } + if shift { + return ansiterm.KEY_CONTROL_PARAM_2 + } + return "" +} diff --git a/vendor/github.com/moby/term/windows/ansi_writer.go b/vendor/github.com/moby/term/windows/ansi_writer.go new file mode 100644 index 0000000000..4243307fd3 --- /dev/null +++ b/vendor/github.com/moby/term/windows/ansi_writer.go @@ -0,0 +1,57 @@ +//go:build windows +// +build windows + +package windowsconsole + +import ( + "io" + "os" + + ansiterm "github.com/Azure/go-ansiterm" + "github.com/Azure/go-ansiterm/winterm" +) + +// ansiWriter wraps a standard output file (e.g., os.Stdout) providing ANSI sequence translation. +type ansiWriter struct { + file *os.File + fd uintptr + infoReset *winterm.CONSOLE_SCREEN_BUFFER_INFO + command []byte + escapeSequence []byte + inAnsiSequence bool + parser *ansiterm.AnsiParser +} + +// NewAnsiWriter returns an io.Writer that provides VT100 terminal emulation on top of a +// Windows console output handle. +func NewAnsiWriter(nFile int) io.Writer { + file, fd := winterm.GetStdFile(nFile) + info, err := winterm.GetConsoleScreenBufferInfo(fd) + if err != nil { + return nil + } + + parser := ansiterm.CreateParser("Ground", winterm.CreateWinEventHandler(fd, file)) + + return &ansiWriter{ + file: file, + fd: fd, + infoReset: info, + command: make([]byte, 0, ansiterm.ANSI_MAX_CMD_LENGTH), + escapeSequence: []byte(ansiterm.KEY_ESC_CSI), + parser: parser, + } +} + +func (aw *ansiWriter) Fd() uintptr { + return aw.fd +} + +// Write writes len(p) bytes from p to the underlying data stream. +func (aw *ansiWriter) Write(p []byte) (total int, err error) { + if len(p) == 0 { + return 0, nil + } + + return aw.parser.Parse(p) +} diff --git a/vendor/github.com/moby/term/windows/console.go b/vendor/github.com/moby/term/windows/console.go new file mode 100644 index 0000000000..21e57bd52f --- /dev/null +++ b/vendor/github.com/moby/term/windows/console.go @@ -0,0 +1,43 @@ +//go:build windows +// +build windows + +package windowsconsole + +import ( + "os" + + "golang.org/x/sys/windows" +) + +// GetHandleInfo returns file descriptor and bool indicating whether the file is a console. +func GetHandleInfo(in interface{}) (uintptr, bool) { + switch t := in.(type) { + case *ansiReader: + return t.Fd(), true + case *ansiWriter: + return t.Fd(), true + } + + var inFd uintptr + var isTerminal bool + + if file, ok := in.(*os.File); ok { + inFd = file.Fd() + isTerminal = isConsole(inFd) + } + return inFd, isTerminal +} + +// IsConsole returns true if the given file descriptor is a Windows Console. +// The code assumes that GetConsoleMode will return an error for file descriptors that are not a console. +// +// Deprecated: use [windows.GetConsoleMode] or [golang.org/x/term.IsTerminal]. +func IsConsole(fd uintptr) bool { + return isConsole(fd) +} + +func isConsole(fd uintptr) bool { + var mode uint32 + err := windows.GetConsoleMode(windows.Handle(fd), &mode) + return err == nil +} diff --git a/vendor/github.com/moby/term/windows/doc.go b/vendor/github.com/moby/term/windows/doc.go new file mode 100644 index 0000000000..54265fffaf --- /dev/null +++ b/vendor/github.com/moby/term/windows/doc.go @@ -0,0 +1,5 @@ +// These files implement ANSI-aware input and output streams for use by the Docker Windows client. +// When asked for the set of standard streams (e.g., stdin, stdout, stderr), the code will create +// and return pseudo-streams that convert ANSI sequences to / from Windows Console API calls. + +package windowsconsole diff --git a/vendor/github.com/monochromegane/go-gitignore/.travis.yml b/vendor/github.com/monochromegane/go-gitignore/.travis.yml new file mode 100644 index 0000000000..b06a36a466 --- /dev/null +++ b/vendor/github.com/monochromegane/go-gitignore/.travis.yml @@ -0,0 +1,6 @@ +language: go +go: + - 1.14.x + - master +script: + - go test -v ./... diff --git a/vendor/github.com/monochromegane/go-gitignore/LICENSE b/vendor/github.com/monochromegane/go-gitignore/LICENSE new file mode 100644 index 0000000000..91b84e9277 --- /dev/null +++ b/vendor/github.com/monochromegane/go-gitignore/LICENSE @@ -0,0 +1,21 @@ +The MIT License (MIT) + +Copyright (c) [2015] [go-gitignore] + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. diff --git a/vendor/github.com/monochromegane/go-gitignore/README.md b/vendor/github.com/monochromegane/go-gitignore/README.md new file mode 100644 index 0000000000..51a480747b --- /dev/null +++ b/vendor/github.com/monochromegane/go-gitignore/README.md @@ -0,0 +1,95 @@ +# go-gitignore [![Build Status](https://travis-ci.org/monochromegane/go-gitignore.svg)](https://travis-ci.org/monochromegane/go-gitignore) + +A fast gitignore matching library for Go. + +This library use simple tree index for matching, so keep fast if gitignore file has many pattern. + +## Usage + +```go +gitignore, _ := gitignore.NewGitIgnore("/path/to/gitignore") + +path := "/path/to/file" +isDir := false +gitignore.Match(path, isDir) +``` + +### Specify base directory + +go-gitignore treat `path` as a base directory. +If you want to specify other base (e.g. current directory and Global gitignore), you can like the following. + +```go +gitignore, _ := gitignore.NewGitIgnore("/home/you/.gitignore", ".") +``` + +### From io.Reader + +go-gitignore can initialize from io.Reader. + +```go +gitignore, _ := gitignore.NewGitIgnoreFromReader(base, reader) +``` + +## Simple tree index + +go-gitignore parse gitignore file, and generate a simple tree index for matching like the following. + +``` +. +├── accept +│   ├── absolute +│   │   └── depth +│   │   ├── initial +│   │   └── other +│   └── relative +│   └── depth +│   ├── initial +│   └── other +└── ignore + ├── absolute + │   └── depth + │   ├── initial + │   └── other + └── relative + └── depth + ├── initial + └── other +``` + +## Features + +- Support absolute path (/path/to/ignore) +- Support relative path (path/to/ignore) +- Support accept pattern (!path/to/accept) +- Support directory pattern (path/to/directory/) +- Support glob pattern (path/to/\*.txt) + +*note: glob pattern* + +go-gitignore use [filepath.Match](https://golang.org/pkg/path/filepath/#Match) for matching meta char pattern, so not support recursive pattern (path/`**`/file). + +## Installation + +```sh +$ go get github.com/monochromegane/go-gitignore +``` + +## Contribution + +1. Fork it +2. Create a feature branch +3. Commit your changes +4. Rebase your local changes against the master branch +5. Run test suite with the `go test ./...` command and confirm that it passes +6. Run `gofmt -s` +7. Create new Pull Request + +## License + +[MIT](https://github.com/monochromegane/go-gitignore/blob/master/LICENSE) + +## Author + +[monochromegane](https://github.com/monochromegane) + diff --git a/vendor/github.com/monochromegane/go-gitignore/depth_holder.go b/vendor/github.com/monochromegane/go-gitignore/depth_holder.go new file mode 100644 index 0000000000..9805b325d4 --- /dev/null +++ b/vendor/github.com/monochromegane/go-gitignore/depth_holder.go @@ -0,0 +1,79 @@ +package gitignore + +import "strings" + +const ( + asc = iota + desc +) + +type depthPatternHolder struct { + patterns depthPatterns + order int +} + +func newDepthPatternHolder(order int) depthPatternHolder { + return depthPatternHolder{ + patterns: depthPatterns{m: map[int]initialPatternHolder{}}, + order: order, + } +} + +func (h *depthPatternHolder) add(pattern string) { + count := strings.Count(strings.Trim(pattern, "/"), "/") + h.patterns.set(count+1, pattern) +} + +func (h depthPatternHolder) match(path string, isDir bool) bool { + if h.patterns.size() == 0 { + return false + } + + for depth := 1; ; depth++ { + var part string + var isLast, isDirCurrent bool + if h.order == asc { + part, isLast = cutN(path, depth) + if isLast { + isDirCurrent = isDir + } else { + isDirCurrent = false + } + } else { + part, isLast = cutLastN(path, depth) + isDirCurrent = isDir + } + if patterns, ok := h.patterns.get(depth); ok { + if patterns.match(part, isDirCurrent) { + return true + } + } + if isLast { + break + } + } + return false +} + +type depthPatterns struct { + m map[int]initialPatternHolder +} + +func (p *depthPatterns) set(depth int, pattern string) { + if ps, ok := p.m[depth]; ok { + ps.add(pattern) + } else { + holder := newInitialPatternHolder() + holder.add(pattern) + p.m[depth] = holder + } +} + +func (p depthPatterns) get(depth int) (initialPatternHolder, bool) { + patterns, ok := p.m[depth] + return patterns, ok +} + +func (p depthPatterns) size() int { + return len(p.m) +} diff --git a/vendor/github.com/monochromegane/go-gitignore/full_scan_patterns.go b/vendor/github.com/monochromegane/go-gitignore/full_scan_patterns.go new file mode 100644 index 0000000000..8c04ef3a77 --- /dev/null +++ b/vendor/github.com/monochromegane/go-gitignore/full_scan_patterns.go @@ -0,0 +1,31 @@ +package gitignore + +import "strings" + +// Only benchmark use +type fullScanPatterns struct { + absolute patterns + relative patterns +} + +func newFullScanPatterns() *fullScanPatterns { + return &fullScanPatterns{ + absolute: patterns{}, + relative: patterns{}, + } +} + +func (ps *fullScanPatterns) add(pattern string) { + if strings.HasPrefix(pattern, "/") { + ps.absolute.add(newPattern(pattern)) + } else { + ps.relative.add(newPattern(pattern)) + } +} + +func (ps fullScanPatterns) match(path string, isDir bool) bool { + if ps.absolute.match(path, isDir) { + return true + } + return ps.relative.match(path, isDir) +} diff --git a/vendor/github.com/monochromegane/go-gitignore/gitignore.go b/vendor/github.com/monochromegane/go-gitignore/gitignore.go new file mode 100644 index 0000000000..9c719a6cab --- /dev/null +++ b/vendor/github.com/monochromegane/go-gitignore/gitignore.go @@ -0,0 +1,80 @@ +package gitignore + +import ( + "bufio" + "io" + "os" + "path/filepath" + "strings" +) + +type IgnoreMatcher interface { + Match(path string, isDir bool) bool +} + +type DummyIgnoreMatcher bool + +func (d DummyIgnoreMatcher) Match(path string, isDir bool) bool { + return bool(d) +} + +type gitIgnore struct { + ignorePatterns scanStrategy + acceptPatterns scanStrategy + path string +} + +func NewGitIgnore(gitignore string, base ...string) (IgnoreMatcher, error) { + var path string + if len(base) > 0 { + path = base[0] + } else { + path = filepath.Dir(gitignore) + } + + file, err := os.Open(gitignore) + if err != nil { + return nil, err + } + defer file.Close() + + return NewGitIgnoreFromReader(path, file), nil +} + +func NewGitIgnoreFromReader(path string, r io.Reader) IgnoreMatcher { + g := gitIgnore{ + ignorePatterns: newIndexScanPatterns(), + acceptPatterns: newIndexScanPatterns(), + path: path, + } + scanner := bufio.NewScanner(r) + for scanner.Scan() { + line := strings.Trim(scanner.Text(), " ") + if len(line) == 0 || strings.HasPrefix(line, "#") { + continue + } + if strings.HasPrefix(line, `\#`) { + line = strings.TrimPrefix(line, `\`) + } + + if strings.HasPrefix(line, "!") { + g.acceptPatterns.add(strings.TrimPrefix(line, "!")) + } else { + g.ignorePatterns.add(line) + } + } + return g +} + +func (g gitIgnore) Match(path string, isDir bool) bool { + relativePath, err := filepath.Rel(g.path, path) + if err != nil { + return false + } + relativePath = filepath.ToSlash(relativePath) + + if g.acceptPatterns.match(relativePath, isDir) { + return false + } + return g.ignorePatterns.match(relativePath, isDir) +} diff --git a/vendor/github.com/monochromegane/go-gitignore/index_scan_patterns.go b/vendor/github.com/monochromegane/go-gitignore/index_scan_patterns.go new file mode 100644 index 0000000000..882280e953 --- /dev/null +++ b/vendor/github.com/monochromegane/go-gitignore/index_scan_patterns.go @@ -0,0 +1,35 @@ +package gitignore + +import "strings" + +type indexScanPatterns struct { + absolute depthPatternHolder + relative depthPatternHolder +} + +func newIndexScanPatterns() *indexScanPatterns { + return &indexScanPatterns{ + absolute: newDepthPatternHolder(asc), + relative: newDepthPatternHolder(desc), + } +} + +func (ps *indexScanPatterns) add(pattern string) { + if strings.HasPrefix(pattern, "/") { + ps.absolute.add(pattern) + } else { + ps.relative.add(pattern) + } +} + +func (ps indexScanPatterns) match(path string, isDir bool) bool { + if ps.absolute.match(path, isDir) { + return true + } + return ps.relative.match(path, isDir) +} + +type scanStrategy interface { + add(pattern string) + match(path string, isDir bool) bool +} diff --git a/vendor/github.com/monochromegane/go-gitignore/initial_holder.go b/vendor/github.com/monochromegane/go-gitignore/initial_holder.go new file mode 100644 index 0000000000..86f0bfee2b --- /dev/null +++ b/vendor/github.com/monochromegane/go-gitignore/initial_holder.go @@ -0,0 +1,62 @@ +package gitignore + +import "strings" + +const initials = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ." + +type initialPatternHolder struct { + patterns initialPatterns + otherPatterns *patterns +} + +func newInitialPatternHolder() initialPatternHolder { + return initialPatternHolder{ + patterns: initialPatterns{m: map[byte]*patterns{}}, + otherPatterns: &patterns{}, + } +} + +func (h *initialPatternHolder) add(pattern string) { + trimedPattern := strings.TrimPrefix(pattern, "/") + if strings.IndexAny(trimedPattern[0:1], initials) != -1 { + h.patterns.set(trimedPattern[0], newPatternForEqualizedPath(pattern)) + } else { + h.otherPatterns.add(newPatternForEqualizedPath(pattern)) + } +} + +func (h initialPatternHolder) match(path string, isDir bool) bool { + if h.patterns.size() == 0 && h.otherPatterns.size() == 0 { + return false + } + if patterns, ok := h.patterns.get(path[0]); ok { + if patterns.match(path, isDir) { + return true + } + } + return h.otherPatterns.match(path, isDir) +} + +type initialPatterns struct { + m map[byte]*patterns +} + +func (p *initialPatterns) set(initial byte, pattern pattern) { + if ps, ok := p.m[initial]; ok { + ps.add(pattern) + } else { + patterns := &patterns{} + patterns.add(pattern) + p.m[initial] = patterns + + } +} + +func (p initialPatterns) get(initial byte) (*patterns, bool) { + patterns, ok := p.m[initial] + return patterns, ok +} + +func (p initialPatterns) size() int { + return len(p.m) +} diff --git a/vendor/github.com/monochromegane/go-gitignore/match.go b/vendor/github.com/monochromegane/go-gitignore/match.go new file mode 100644 index 0000000000..4140a9bdc5 --- /dev/null +++ b/vendor/github.com/monochromegane/go-gitignore/match.go @@ -0,0 +1,24 @@ +package gitignore + +import "path/filepath" + +type pathMatcher interface { + match(path string) bool +} + +type simpleMatcher struct { + path string +} + +func (m simpleMatcher) match(path string) bool { + return m.path == path +} + +type filepathMatcher struct { + path string +} + +func (m filepathMatcher) match(path string) bool { + match, _ := filepath.Match(m.path, path) + return match +} diff --git a/vendor/github.com/monochromegane/go-gitignore/pattern.go b/vendor/github.com/monochromegane/go-gitignore/pattern.go new file mode 100644 index 0000000000..93adbf7636 --- /dev/null +++ b/vendor/github.com/monochromegane/go-gitignore/pattern.go @@ -0,0 +1,69 @@ +package gitignore + +import ( + "path/filepath" + "strings" +) + +var Separator = string(filepath.Separator) + +type pattern struct { + hasRootPrefix bool + hasDirSuffix bool + pathDepth int + matcher pathMatcher + onlyEqualizedPath bool +} + +func newPattern(path string) pattern { + hasRootPrefix := path[0] == '/' + hasDirSuffix := path[len(path)-1] == '/' + + var pathDepth int + if !hasRootPrefix { + pathDepth = strings.Count(path, "/") + } + + var matcher pathMatcher + matchingPath := strings.Trim(path, "/") + if hasMeta(path) { + matcher = filepathMatcher{path: matchingPath} + } else { + matcher = simpleMatcher{path: matchingPath} + } + + return pattern{ + hasRootPrefix: hasRootPrefix, + hasDirSuffix: hasDirSuffix, + pathDepth: pathDepth, + matcher: matcher, + } +} + +func newPatternForEqualizedPath(path string) pattern { + pattern := newPattern(path) + pattern.onlyEqualizedPath = true + return pattern +} + +func (p pattern) match(path string, isDir bool) bool { + + if p.hasDirSuffix && !isDir { + return false + } + + var targetPath string + if p.hasRootPrefix || p.onlyEqualizedPath { + // absolute pattern or only equalized path mode + targetPath = path + } else { + // relative pattern + targetPath = p.equalizeDepth(path) + } + return p.matcher.match(targetPath) +} + +func (p pattern) equalizeDepth(path string) string { + equalizedPath, _ := cutLastN(path, p.pathDepth+1) + return equalizedPath +} diff --git a/vendor/github.com/monochromegane/go-gitignore/patterns.go b/vendor/github.com/monochromegane/go-gitignore/patterns.go new file mode 100644 index 0000000000..6770fb4655 --- /dev/null +++ b/vendor/github.com/monochromegane/go-gitignore/patterns.go @@ -0,0 +1,22 @@ +package gitignore + +type patterns struct { + patterns []pattern +} + +func (ps *patterns) add(pattern pattern) { + ps.patterns = append(ps.patterns, pattern) +} + +func (ps *patterns) size() int { + return len(ps.patterns) +} + +func (ps patterns) match(path string, isDir bool) bool { + for _, p := range ps.patterns { + if match := p.match(path, isDir); match { + return true + } + } + return false +} diff --git a/vendor/github.com/monochromegane/go-gitignore/util.go b/vendor/github.com/monochromegane/go-gitignore/util.go new file mode 100644 index 0000000000..b5ab9bbfd2 --- /dev/null +++ b/vendor/github.com/monochromegane/go-gitignore/util.go @@ -0,0 +1,45 @@ +package gitignore + +import ( + "os" + "strings" +) + +func cutN(path string, n int) (string, bool) { + isLast := true + + var i, count int + for i < len(path)-1 { + if os.IsPathSeparator(path[i]) { + count++ + if count >= n { + isLast = false + break + } + } + i++ + } + return path[:i+1], isLast +} + +func cutLastN(path string, n int) (string, bool) { + isLast := true + i := len(path) - 1 + + var count int + for i >= 0 { + if os.IsPathSeparator(path[i]) { + count++ + if count >= n { + isLast = false + break + } + } + i-- + } + return path[i+1:], isLast +} + +func hasMeta(path string) bool { + return strings.IndexAny(path, "*?[") >= 0 +} diff --git a/vendor/github.com/opencontainers/go-digest/.mailmap b/vendor/github.com/opencontainers/go-digest/.mailmap new file mode 100644 index 0000000000..eaf8b2f9e6 --- /dev/null +++ b/vendor/github.com/opencontainers/go-digest/.mailmap @@ -0,0 +1,4 @@ +Aaron Lehmann +Derek McGowan +Stephen J Day +Haibing Zhou diff --git a/vendor/github.com/opencontainers/go-digest/.pullapprove.yml b/vendor/github.com/opencontainers/go-digest/.pullapprove.yml new file mode 100644 index 0000000000..b6165f83ca --- /dev/null +++ b/vendor/github.com/opencontainers/go-digest/.pullapprove.yml @@ -0,0 +1,28 @@ +version: 2 + +requirements: + signed_off_by: + required: true + +always_pending: + title_regex: '^WIP' + explanation: 'Work in progress...' + +group_defaults: + required: 2 + approve_by_comment: + enabled: true + approve_regex: '^LGTM' + reject_regex: '^Rejected' + reset_on_push: + enabled: true + author_approval: + ignored: true + conditions: + branches: + - master + +groups: + go-digest: + teams: + - go-digest-maintainers diff --git a/vendor/github.com/opencontainers/go-digest/.travis.yml b/vendor/github.com/opencontainers/go-digest/.travis.yml new file mode 100644 index 0000000000..5775f885c1 --- /dev/null +++ b/vendor/github.com/opencontainers/go-digest/.travis.yml @@ -0,0 +1,5 @@ +language: go +go: + - 1.12.x + - 1.13.x + - master diff --git a/vendor/github.com/opencontainers/go-digest/CONTRIBUTING.md b/vendor/github.com/opencontainers/go-digest/CONTRIBUTING.md new file mode 100644 index 0000000000..e4d962ac16 --- /dev/null +++ b/vendor/github.com/opencontainers/go-digest/CONTRIBUTING.md @@ -0,0 +1,72 @@ +# Contributing to Docker open source projects + +Want to hack on this project? Awesome! Here are instructions to get you started. + +This project is a part of the [Docker](https://www.docker.com) project, and follows +the same rules and principles. If you're already familiar with the way +Docker does things, you'll feel right at home. + +Otherwise, go read Docker's +[contributions guidelines](https://github.com/docker/docker/blob/master/CONTRIBUTING.md), +[issue triaging](https://github.com/docker/docker/blob/master/project/ISSUE-TRIAGE.md), +[review process](https://github.com/docker/docker/blob/master/project/REVIEWING.md) and +[branches and tags](https://github.com/docker/docker/blob/master/project/BRANCHES-AND-TAGS.md). + +For an in-depth description of our contribution process, visit the +contributors guide: [Understand how to contribute](https://docs.docker.com/opensource/workflow/make-a-contribution/) + +### Sign your work + +The sign-off is a simple line at the end of the explanation for the patch. Your +signature certifies that you wrote the patch or otherwise have the right to pass +it on as an open-source patch. The rules are pretty simple: if you can certify +the below (from [developercertificate.org](http://developercertificate.org/)): + +``` +Developer Certificate of Origin +Version 1.1 + +Copyright (C) 2004, 2006 The Linux Foundation and its contributors. +1 Letterman Drive +Suite D4700 +San Francisco, CA, 94129 + +Everyone is permitted to copy and distribute verbatim copies of this +license document, but changing it is not allowed. + + +Developer's Certificate of Origin 1.1 + +By making a contribution to this project, I certify that: + +(a) The contribution was created in whole or in part by me and I + have the right to submit it under the open source license + indicated in the file; or + +(b) The contribution is based upon previous work that, to the best + of my knowledge, is covered under an appropriate open source + license and I have the right under that license to submit that + work with modifications, whether created in whole or in part + by me, under the same open source license (unless I am + permitted to submit under a different license), as indicated + in the file; or + +(c) The contribution was provided directly to me by some other + person who certified (a), (b) or (c) and I have not modified + it. + +(d) I understand and agree that this project and the contribution + are public and that a record of the contribution (including all + personal information I submit with it, including my sign-off) is + maintained indefinitely and may be redistributed consistent with + this project or the open source license(s) involved. +``` + +Then you just add a line to every git commit message: + + Signed-off-by: Joe Smith + +Use your real name (sorry, no pseudonyms or anonymous contributions.) + +If you set your `user.name` and `user.email` git configs, you can sign your +commit automatically with `git commit -s`. diff --git a/vendor/github.com/opencontainers/go-digest/LICENSE b/vendor/github.com/opencontainers/go-digest/LICENSE new file mode 100644 index 0000000000..3ac8ab6487 --- /dev/null +++ b/vendor/github.com/opencontainers/go-digest/LICENSE @@ -0,0 +1,192 @@ + + Apache License + Version 2.0, January 2004 + https://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + Copyright 2019, 2020 OCI Contributors + Copyright 2016 Docker, Inc. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + https://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/vendor/github.com/opencontainers/go-digest/LICENSE.docs b/vendor/github.com/opencontainers/go-digest/LICENSE.docs new file mode 100644 index 0000000000..e26cd4fc8e --- /dev/null +++ b/vendor/github.com/opencontainers/go-digest/LICENSE.docs @@ -0,0 +1,425 @@ +Attribution-ShareAlike 4.0 International + +======================================================================= + +Creative Commons Corporation ("Creative Commons") is not a law firm and +does not provide legal services or legal advice. Distribution of +Creative Commons public licenses does not create a lawyer-client or +other relationship. Creative Commons makes its licenses and related +information available on an "as-is" basis. Creative Commons gives no +warranties regarding its licenses, any material licensed under their +terms and conditions, or any related information. Creative Commons +disclaims all liability for damages resulting from their use to the +fullest extent possible. + +Using Creative Commons Public Licenses + +Creative Commons public licenses provide a standard set of terms and +conditions that creators and other rights holders may use to share +original works of authorship and other material subject to copyright +and certain other rights specified in the public license below. The +following considerations are for informational purposes only, are not +exhaustive, and do not form part of our licenses. + + Considerations for licensors: Our public licenses are + intended for use by those authorized to give the public + permission to use material in ways otherwise restricted by + copyright and certain other rights. Our licenses are + irrevocable. Licensors should read and understand the terms + and conditions of the license they choose before applying it. + Licensors should also secure all rights necessary before + applying our licenses so that the public can reuse the + material as expected. Licensors should clearly mark any + material not subject to the license. This includes other CC- + licensed material, or material used under an exception or + limitation to copyright. More considerations for licensors: + wiki.creativecommons.org/Considerations_for_licensors + + Considerations for the public: By using one of our public + licenses, a licensor grants the public permission to use the + licensed material under specified terms and conditions. If + the licensor's permission is not necessary for any reason--for + example, because of any applicable exception or limitation to + copyright--then that use is not regulated by the license. Our + licenses grant only permissions under copyright and certain + other rights that a licensor has authority to grant. Use of + the licensed material may still be restricted for other + reasons, including because others have copyright or other + rights in the material. A licensor may make special requests, + such as asking that all changes be marked or described. + Although not required by our licenses, you are encouraged to + respect those requests where reasonable. More_considerations + for the public: + wiki.creativecommons.org/Considerations_for_licensees + +======================================================================= + +Creative Commons Attribution-ShareAlike 4.0 International Public +License + +By exercising the Licensed Rights (defined below), You accept and agree +to be bound by the terms and conditions of this Creative Commons +Attribution-ShareAlike 4.0 International Public License ("Public +License"). To the extent this Public License may be interpreted as a +contract, You are granted the Licensed Rights in consideration of Your +acceptance of these terms and conditions, and the Licensor grants You +such rights in consideration of benefits the Licensor receives from +making the Licensed Material available under these terms and +conditions. + + +Section 1 -- Definitions. + + a. Adapted Material means material subject to Copyright and Similar + Rights that is derived from or based upon the Licensed Material + and in which the Licensed Material is translated, altered, + arranged, transformed, or otherwise modified in a manner requiring + permission under the Copyright and Similar Rights held by the + Licensor. For purposes of this Public License, where the Licensed + Material is a musical work, performance, or sound recording, + Adapted Material is always produced where the Licensed Material is + synched in timed relation with a moving image. + + b. Adapter's License means the license You apply to Your Copyright + and Similar Rights in Your contributions to Adapted Material in + accordance with the terms and conditions of this Public License. + + c. BY-SA Compatible License means a license listed at + creativecommons.org/compatiblelicenses, approved by Creative + Commons as essentially the equivalent of this Public License. + + d. Copyright and Similar Rights means copyright and/or similar rights + closely related to copyright including, without limitation, + performance, broadcast, sound recording, and Sui Generis Database + Rights, without regard to how the rights are labeled or + categorized. For purposes of this Public License, the rights + specified in Section 2(b)(1)-(2) are not Copyright and Similar + Rights. + + e. Effective Technological Measures means those measures that, in the + absence of proper authority, may not be circumvented under laws + fulfilling obligations under Article 11 of the WIPO Copyright + Treaty adopted on December 20, 1996, and/or similar international + agreements. + + f. Exceptions and Limitations means fair use, fair dealing, and/or + any other exception or limitation to Copyright and Similar Rights + that applies to Your use of the Licensed Material. + + g. License Elements means the license attributes listed in the name + of a Creative Commons Public License. The License Elements of this + Public License are Attribution and ShareAlike. + + h. Licensed Material means the artistic or literary work, database, + or other material to which the Licensor applied this Public + License. + + i. Licensed Rights means the rights granted to You subject to the + terms and conditions of this Public License, which are limited to + all Copyright and Similar Rights that apply to Your use of the + Licensed Material and that the Licensor has authority to license. + + j. Licensor means the individual(s) or entity(ies) granting rights + under this Public License. + + k. Share means to provide material to the public by any means or + process that requires permission under the Licensed Rights, such + as reproduction, public display, public performance, distribution, + dissemination, communication, or importation, and to make material + available to the public including in ways that members of the + public may access the material from a place and at a time + individually chosen by them. + + l. Sui Generis Database Rights means rights other than copyright + resulting from Directive 96/9/EC of the European Parliament and of + the Council of 11 March 1996 on the legal protection of databases, + as amended and/or succeeded, as well as other essentially + equivalent rights anywhere in the world. + + m. You means the individual or entity exercising the Licensed Rights + under this Public License. Your has a corresponding meaning. + + +Section 2 -- Scope. + + a. License grant. + + 1. Subject to the terms and conditions of this Public License, + the Licensor hereby grants You a worldwide, royalty-free, + non-sublicensable, non-exclusive, irrevocable license to + exercise the Licensed Rights in the Licensed Material to: + + a. reproduce and Share the Licensed Material, in whole or + in part; and + + b. produce, reproduce, and Share Adapted Material. + + 2. Exceptions and Limitations. For the avoidance of doubt, where + Exceptions and Limitations apply to Your use, this Public + License does not apply, and You do not need to comply with + its terms and conditions. + + 3. Term. The term of this Public License is specified in Section + 6(a). + + 4. Media and formats; technical modifications allowed. The + Licensor authorizes You to exercise the Licensed Rights in + all media and formats whether now known or hereafter created, + and to make technical modifications necessary to do so. The + Licensor waives and/or agrees not to assert any right or + authority to forbid You from making technical modifications + necessary to exercise the Licensed Rights, including + technical modifications necessary to circumvent Effective + Technological Measures. For purposes of this Public License, + simply making modifications authorized by this Section 2(a) + (4) never produces Adapted Material. + + 5. Downstream recipients. + + a. Offer from the Licensor -- Licensed Material. Every + recipient of the Licensed Material automatically + receives an offer from the Licensor to exercise the + Licensed Rights under the terms and conditions of this + Public License. + + b. Additional offer from the Licensor -- Adapted Material. + Every recipient of Adapted Material from You + automatically receives an offer from the Licensor to + exercise the Licensed Rights in the Adapted Material + under the conditions of the Adapter's License You apply. + + c. No downstream restrictions. You may not offer or impose + any additional or different terms or conditions on, or + apply any Effective Technological Measures to, the + Licensed Material if doing so restricts exercise of the + Licensed Rights by any recipient of the Licensed + Material. + + 6. No endorsement. Nothing in this Public License constitutes or + may be construed as permission to assert or imply that You + are, or that Your use of the Licensed Material is, connected + with, or sponsored, endorsed, or granted official status by, + the Licensor or others designated to receive attribution as + provided in Section 3(a)(1)(A)(i). + + b. Other rights. + + 1. Moral rights, such as the right of integrity, are not + licensed under this Public License, nor are publicity, + privacy, and/or other similar personality rights; however, to + the extent possible, the Licensor waives and/or agrees not to + assert any such rights held by the Licensor to the limited + extent necessary to allow You to exercise the Licensed + Rights, but not otherwise. + + 2. Patent and trademark rights are not licensed under this + Public License. + + 3. To the extent possible, the Licensor waives any right to + collect royalties from You for the exercise of the Licensed + Rights, whether directly or through a collecting society + under any voluntary or waivable statutory or compulsory + licensing scheme. In all other cases the Licensor expressly + reserves any right to collect such royalties. + + +Section 3 -- License Conditions. + +Your exercise of the Licensed Rights is expressly made subject to the +following conditions. + + a. Attribution. + + 1. If You Share the Licensed Material (including in modified + form), You must: + + a. retain the following if it is supplied by the Licensor + with the Licensed Material: + + i. identification of the creator(s) of the Licensed + Material and any others designated to receive + attribution, in any reasonable manner requested by + the Licensor (including by pseudonym if + designated); + + ii. a copyright notice; + + iii. a notice that refers to this Public License; + + iv. a notice that refers to the disclaimer of + warranties; + + v. a URI or hyperlink to the Licensed Material to the + extent reasonably practicable; + + b. indicate if You modified the Licensed Material and + retain an indication of any previous modifications; and + + c. indicate the Licensed Material is licensed under this + Public License, and include the text of, or the URI or + hyperlink to, this Public License. + + 2. You may satisfy the conditions in Section 3(a)(1) in any + reasonable manner based on the medium, means, and context in + which You Share the Licensed Material. For example, it may be + reasonable to satisfy the conditions by providing a URI or + hyperlink to a resource that includes the required + information. + + 3. If requested by the Licensor, You must remove any of the + information required by Section 3(a)(1)(A) to the extent + reasonably practicable. + + b. ShareAlike. + + In addition to the conditions in Section 3(a), if You Share + Adapted Material You produce, the following conditions also apply. + + 1. The Adapter's License You apply must be a Creative Commons + license with the same License Elements, this version or + later, or a BY-SA Compatible License. + + 2. You must include the text of, or the URI or hyperlink to, the + Adapter's License You apply. You may satisfy this condition + in any reasonable manner based on the medium, means, and + context in which You Share Adapted Material. + + 3. You may not offer or impose any additional or different terms + or conditions on, or apply any Effective Technological + Measures to, Adapted Material that restrict exercise of the + rights granted under the Adapter's License You apply. + + +Section 4 -- Sui Generis Database Rights. + +Where the Licensed Rights include Sui Generis Database Rights that +apply to Your use of the Licensed Material: + + a. for the avoidance of doubt, Section 2(a)(1) grants You the right + to extract, reuse, reproduce, and Share all or a substantial + portion of the contents of the database; + + b. if You include all or a substantial portion of the database + contents in a database in which You have Sui Generis Database + Rights, then the database in which You have Sui Generis Database + Rights (but not its individual contents) is Adapted Material, + + including for purposes of Section 3(b); and + c. You must comply with the conditions in Section 3(a) if You Share + all or a substantial portion of the contents of the database. + +For the avoidance of doubt, this Section 4 supplements and does not +replace Your obligations under this Public License where the Licensed +Rights include other Copyright and Similar Rights. + + +Section 5 -- Disclaimer of Warranties and Limitation of Liability. + + a. UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE + EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS + AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF + ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS, + IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION, + WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR + PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS, + ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT + KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT + ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU. + + b. TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE + TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION, + NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT, + INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES, + COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR + USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN + ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR + DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR + IN PART, THIS LIMITATION MAY NOT APPLY TO YOU. + + c. The disclaimer of warranties and limitation of liability provided + above shall be interpreted in a manner that, to the extent + possible, most closely approximates an absolute disclaimer and + waiver of all liability. + + +Section 6 -- Term and Termination. + + a. This Public License applies for the term of the Copyright and + Similar Rights licensed here. However, if You fail to comply with + this Public License, then Your rights under this Public License + terminate automatically. + + b. Where Your right to use the Licensed Material has terminated under + Section 6(a), it reinstates: + + 1. automatically as of the date the violation is cured, provided + it is cured within 30 days of Your discovery of the + violation; or + + 2. upon express reinstatement by the Licensor. + + For the avoidance of doubt, this Section 6(b) does not affect any + right the Licensor may have to seek remedies for Your violations + of this Public License. + + c. For the avoidance of doubt, the Licensor may also offer the + Licensed Material under separate terms or conditions or stop + distributing the Licensed Material at any time; however, doing so + will not terminate this Public License. + + d. Sections 1, 5, 6, 7, and 8 survive termination of this Public + License. + + +Section 7 -- Other Terms and Conditions. + + a. The Licensor shall not be bound by any additional or different + terms or conditions communicated by You unless expressly agreed. + + b. Any arrangements, understandings, or agreements regarding the + Licensed Material not stated herein are separate from and + independent of the terms and conditions of this Public License. + + +Section 8 -- Interpretation. + + a. For the avoidance of doubt, this Public License does not, and + shall not be interpreted to, reduce, limit, restrict, or impose + conditions on any use of the Licensed Material that could lawfully + be made without permission under this Public License. + + b. To the extent possible, if any provision of this Public License is + deemed unenforceable, it shall be automatically reformed to the + minimum extent necessary to make it enforceable. If the provision + cannot be reformed, it shall be severed from this Public License + without affecting the enforceability of the remaining terms and + conditions. + + c. No term or condition of this Public License will be waived and no + failure to comply consented to unless expressly agreed to by the + Licensor. + + d. Nothing in this Public License constitutes or may be interpreted + as a limitation upon, or waiver of, any privileges and immunities + that apply to the Licensor or You, including from the legal + processes of any jurisdiction or authority. + + +======================================================================= + +Creative Commons is not a party to its public licenses. +Notwithstanding, Creative Commons may elect to apply one of its public +licenses to material it publishes and in those instances will be +considered the "Licensor." Except for the limited purpose of indicating +that material is shared under a Creative Commons public license or as +otherwise permitted by the Creative Commons policies published at +creativecommons.org/policies, Creative Commons does not authorize the +use of the trademark "Creative Commons" or any other trademark or logo +of Creative Commons without its prior written consent including, +without limitation, in connection with any unauthorized modifications +to any of its public licenses or any other arrangements, +understandings, or agreements concerning use of licensed material. For +the avoidance of doubt, this paragraph does not form part of the public +licenses. + +Creative Commons may be contacted at creativecommons.org. diff --git a/vendor/github.com/opencontainers/go-digest/MAINTAINERS b/vendor/github.com/opencontainers/go-digest/MAINTAINERS new file mode 100644 index 0000000000..843b1b2061 --- /dev/null +++ b/vendor/github.com/opencontainers/go-digest/MAINTAINERS @@ -0,0 +1,5 @@ +Derek McGowan (@dmcgowan) +Stephen Day (@stevvooe) +Vincent Batts (@vbatts) +Akihiro Suda (@AkihiroSuda) +Sebastiaan van Stijn (@thaJeztah) diff --git a/vendor/github.com/opencontainers/go-digest/README.md b/vendor/github.com/opencontainers/go-digest/README.md new file mode 100644 index 0000000000..a11287207e --- /dev/null +++ b/vendor/github.com/opencontainers/go-digest/README.md @@ -0,0 +1,96 @@ +# go-digest + +[![GoDoc](https://godoc.org/github.com/opencontainers/go-digest?status.svg)](https://godoc.org/github.com/opencontainers/go-digest) [![Go Report Card](https://goreportcard.com/badge/github.com/opencontainers/go-digest)](https://goreportcard.com/report/github.com/opencontainers/go-digest) [![Build Status](https://travis-ci.org/opencontainers/go-digest.svg?branch=master)](https://travis-ci.org/opencontainers/go-digest) + +Common digest package used across the container ecosystem. + +Please see the [godoc](https://godoc.org/github.com/opencontainers/go-digest) for more information. + +# What is a digest? + +A digest is just a [hash](https://en.wikipedia.org/wiki/Hash_function). + +The most common use case for a digest is to create a content identifier for use in [Content Addressable Storage](https://en.wikipedia.org/wiki/Content-addressable_storage) systems: + +```go +id := digest.FromBytes([]byte("my content")) +``` + +In the example above, the id can be used to uniquely identify the byte slice "my content". +This allows two disparate applications to agree on a verifiable identifier without having to trust one another. + +An identifying digest can be verified, as follows: + +```go +if id != digest.FromBytes([]byte("my content")) { + return errors.New("the content has changed!") +} +``` + +A `Verifier` type can be used to handle cases where an `io.Reader` makes more sense: + +```go +rd := getContent() +verifier := id.Verifier() +io.Copy(verifier, rd) + +if !verifier.Verified() { + return errors.New("the content has changed!") +} +``` + +Using [Merkle DAGs](https://en.wikipedia.org/wiki/Merkle_tree), this can power a rich, safe, content distribution system. + +# Usage + +While the [godoc](https://godoc.org/github.com/opencontainers/go-digest) is considered the best resource, a few important items need to be called out when using this package. + +1. Make sure to import the hash implementations into your application or the package will panic. + You should have something like the following in the main (or other entrypoint) of your application: + + ```go + import ( + _ "crypto/sha256" + _ "crypto/sha512" + ) + ``` + This may seem inconvenient but it allows you replace the hash + implementations with others, such as https://github.com/stevvooe/resumable. + +2. Even though `digest.Digest` may be assemblable as a string, _always_ verify your input with `digest.Parse` or use `Digest.Validate` when accepting untrusted input. + While there are measures to avoid common problems, this will ensure you have valid digests in the rest of your application. + +3. While alternative encodings of hash values (digests) are possible (for example, base64), this package deals exclusively with hex-encoded digests. + +# Stability + +The Go API, at this stage, is considered stable, unless otherwise noted. + +As always, before using a package export, read the [godoc](https://godoc.org/github.com/opencontainers/go-digest). + +# Contributing + +This package is considered fairly complete. +It has been in production in thousands (millions?) of deployments and is fairly battle-hardened. +New additions will be met with skepticism. +If you think there is a missing feature, please file a bug clearly describing the problem and the alternatives you tried before submitting a PR. + +## Code of Conduct + +Participation in the OpenContainers community is governed by [OpenContainer's Code of Conduct][code-of-conduct]. + +## Security + +If you find an issue, please follow the [security][security] protocol to report it. + +# Copyright and license + +Copyright © 2019, 2020 OCI Contributors +Copyright © 2016 Docker, Inc. +All rights reserved, except as follows. +Code is released under the [Apache 2.0 license](LICENSE). +This `README.md` file and the [`CONTRIBUTING.md`](CONTRIBUTING.md) file are licensed under the Creative Commons Attribution 4.0 International License under the terms and conditions set forth in the file [`LICENSE.docs`](LICENSE.docs). +You may obtain a duplicate copy of the same license, titled CC BY-SA 4.0, at http://creativecommons.org/licenses/by-sa/4.0/. + +[security]: https://github.com/opencontainers/org/blob/master/security +[code-of-conduct]: https://github.com/opencontainers/org/blob/master/CODE_OF_CONDUCT.md diff --git a/vendor/github.com/opencontainers/go-digest/algorithm.go b/vendor/github.com/opencontainers/go-digest/algorithm.go new file mode 100644 index 0000000000..490951dc3f --- /dev/null +++ b/vendor/github.com/opencontainers/go-digest/algorithm.go @@ -0,0 +1,193 @@ +// Copyright 2019, 2020 OCI Contributors +// Copyright 2017 Docker, Inc. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// https://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package digest + +import ( + "crypto" + "fmt" + "hash" + "io" + "regexp" +) + +// Algorithm identifies and implementation of a digester by an identifier. +// Note the that this defines both the hash algorithm used and the string +// encoding. +type Algorithm string + +// supported digest types +const ( + SHA256 Algorithm = "sha256" // sha256 with hex encoding (lower case only) + SHA384 Algorithm = "sha384" // sha384 with hex encoding (lower case only) + SHA512 Algorithm = "sha512" // sha512 with hex encoding (lower case only) + + // Canonical is the primary digest algorithm used with the distribution + // project. Other digests may be used but this one is the primary storage + // digest. + Canonical = SHA256 +) + +var ( + // TODO(stevvooe): Follow the pattern of the standard crypto package for + // registration of digests. Effectively, we are a registerable set and + // common symbol access. + + // algorithms maps values to hash.Hash implementations. Other algorithms + // may be available but they cannot be calculated by the digest package. + algorithms = map[Algorithm]crypto.Hash{ + SHA256: crypto.SHA256, + SHA384: crypto.SHA384, + SHA512: crypto.SHA512, + } + + // anchoredEncodedRegexps contains anchored regular expressions for hex-encoded digests. + // Note that /A-F/ disallowed. + anchoredEncodedRegexps = map[Algorithm]*regexp.Regexp{ + SHA256: regexp.MustCompile(`^[a-f0-9]{64}$`), + SHA384: regexp.MustCompile(`^[a-f0-9]{96}$`), + SHA512: regexp.MustCompile(`^[a-f0-9]{128}$`), + } +) + +// Available returns true if the digest type is available for use. If this +// returns false, Digester and Hash will return nil. +func (a Algorithm) Available() bool { + h, ok := algorithms[a] + if !ok { + return false + } + + // check availability of the hash, as well + return h.Available() +} + +func (a Algorithm) String() string { + return string(a) +} + +// Size returns number of bytes returned by the hash. +func (a Algorithm) Size() int { + h, ok := algorithms[a] + if !ok { + return 0 + } + return h.Size() +} + +// Set implemented to allow use of Algorithm as a command line flag. +func (a *Algorithm) Set(value string) error { + if value == "" { + *a = Canonical + } else { + // just do a type conversion, support is queried with Available. + *a = Algorithm(value) + } + + if !a.Available() { + return ErrDigestUnsupported + } + + return nil +} + +// Digester returns a new digester for the specified algorithm. If the algorithm +// does not have a digester implementation, nil will be returned. This can be +// checked by calling Available before calling Digester. +func (a Algorithm) Digester() Digester { + return &digester{ + alg: a, + hash: a.Hash(), + } +} + +// Hash returns a new hash as used by the algorithm. If not available, the +// method will panic. Check Algorithm.Available() before calling. +func (a Algorithm) Hash() hash.Hash { + if !a.Available() { + // Empty algorithm string is invalid + if a == "" { + panic(fmt.Sprintf("empty digest algorithm, validate before calling Algorithm.Hash()")) + } + + // NOTE(stevvooe): A missing hash is usually a programming error that + // must be resolved at compile time. We don't import in the digest + // package to allow users to choose their hash implementation (such as + // when using stevvooe/resumable or a hardware accelerated package). + // + // Applications that may want to resolve the hash at runtime should + // call Algorithm.Available before call Algorithm.Hash(). + panic(fmt.Sprintf("%v not available (make sure it is imported)", a)) + } + + return algorithms[a].New() +} + +// Encode encodes the raw bytes of a digest, typically from a hash.Hash, into +// the encoded portion of the digest. +func (a Algorithm) Encode(d []byte) string { + // TODO(stevvooe): Currently, all algorithms use a hex encoding. When we + // add support for back registration, we can modify this accordingly. + return fmt.Sprintf("%x", d) +} + +// FromReader returns the digest of the reader using the algorithm. +func (a Algorithm) FromReader(rd io.Reader) (Digest, error) { + digester := a.Digester() + + if _, err := io.Copy(digester.Hash(), rd); err != nil { + return "", err + } + + return digester.Digest(), nil +} + +// FromBytes digests the input and returns a Digest. +func (a Algorithm) FromBytes(p []byte) Digest { + digester := a.Digester() + + if _, err := digester.Hash().Write(p); err != nil { + // Writes to a Hash should never fail. None of the existing + // hash implementations in the stdlib or hashes vendored + // here can return errors from Write. Having a panic in this + // condition instead of having FromBytes return an error value + // avoids unnecessary error handling paths in all callers. + panic("write to hash function returned error: " + err.Error()) + } + + return digester.Digest() +} + +// FromString digests the string input and returns a Digest. +func (a Algorithm) FromString(s string) Digest { + return a.FromBytes([]byte(s)) +} + +// Validate validates the encoded portion string +func (a Algorithm) Validate(encoded string) error { + r, ok := anchoredEncodedRegexps[a] + if !ok { + return ErrDigestUnsupported + } + // Digests much always be hex-encoded, ensuring that their hex portion will + // always be size*2 + if a.Size()*2 != len(encoded) { + return ErrDigestInvalidLength + } + if r.MatchString(encoded) { + return nil + } + return ErrDigestInvalidFormat +} diff --git a/vendor/github.com/opencontainers/go-digest/digest.go b/vendor/github.com/opencontainers/go-digest/digest.go new file mode 100644 index 0000000000..518b5e7154 --- /dev/null +++ b/vendor/github.com/opencontainers/go-digest/digest.go @@ -0,0 +1,157 @@ +// Copyright 2019, 2020 OCI Contributors +// Copyright 2017 Docker, Inc. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// https://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package digest + +import ( + "fmt" + "hash" + "io" + "regexp" + "strings" +) + +// Digest allows simple protection of hex formatted digest strings, prefixed +// by their algorithm. Strings of type Digest have some guarantee of being in +// the correct format and it provides quick access to the components of a +// digest string. +// +// The following is an example of the contents of Digest types: +// +// sha256:7173b809ca12ec5dee4506cd86be934c4596dd234ee82c0662eac04a8c2c71dc +// +// This allows to abstract the digest behind this type and work only in those +// terms. +type Digest string + +// NewDigest returns a Digest from alg and a hash.Hash object. +func NewDigest(alg Algorithm, h hash.Hash) Digest { + return NewDigestFromBytes(alg, h.Sum(nil)) +} + +// NewDigestFromBytes returns a new digest from the byte contents of p. +// Typically, this can come from hash.Hash.Sum(...) or xxx.SumXXX(...) +// functions. This is also useful for rebuilding digests from binary +// serializations. +func NewDigestFromBytes(alg Algorithm, p []byte) Digest { + return NewDigestFromEncoded(alg, alg.Encode(p)) +} + +// NewDigestFromHex is deprecated. Please use NewDigestFromEncoded. +func NewDigestFromHex(alg, hex string) Digest { + return NewDigestFromEncoded(Algorithm(alg), hex) +} + +// NewDigestFromEncoded returns a Digest from alg and the encoded digest. +func NewDigestFromEncoded(alg Algorithm, encoded string) Digest { + return Digest(fmt.Sprintf("%s:%s", alg, encoded)) +} + +// DigestRegexp matches valid digest types. +var DigestRegexp = regexp.MustCompile(`[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+`) + +// DigestRegexpAnchored matches valid digest types, anchored to the start and end of the match. +var DigestRegexpAnchored = regexp.MustCompile(`^` + DigestRegexp.String() + `$`) + +var ( + // ErrDigestInvalidFormat returned when digest format invalid. + ErrDigestInvalidFormat = fmt.Errorf("invalid checksum digest format") + + // ErrDigestInvalidLength returned when digest has invalid length. + ErrDigestInvalidLength = fmt.Errorf("invalid checksum digest length") + + // ErrDigestUnsupported returned when the digest algorithm is unsupported. + ErrDigestUnsupported = fmt.Errorf("unsupported digest algorithm") +) + +// Parse parses s and returns the validated digest object. An error will +// be returned if the format is invalid. +func Parse(s string) (Digest, error) { + d := Digest(s) + return d, d.Validate() +} + +// FromReader consumes the content of rd until io.EOF, returning canonical digest. +func FromReader(rd io.Reader) (Digest, error) { + return Canonical.FromReader(rd) +} + +// FromBytes digests the input and returns a Digest. +func FromBytes(p []byte) Digest { + return Canonical.FromBytes(p) +} + +// FromString digests the input and returns a Digest. +func FromString(s string) Digest { + return Canonical.FromString(s) +} + +// Validate checks that the contents of d is a valid digest, returning an +// error if not. +func (d Digest) Validate() error { + s := string(d) + i := strings.Index(s, ":") + if i <= 0 || i+1 == len(s) { + return ErrDigestInvalidFormat + } + algorithm, encoded := Algorithm(s[:i]), s[i+1:] + if !algorithm.Available() { + if !DigestRegexpAnchored.MatchString(s) { + return ErrDigestInvalidFormat + } + return ErrDigestUnsupported + } + return algorithm.Validate(encoded) +} + +// Algorithm returns the algorithm portion of the digest. This will panic if +// the underlying digest is not in a valid format. +func (d Digest) Algorithm() Algorithm { + return Algorithm(d[:d.sepIndex()]) +} + +// Verifier returns a writer object that can be used to verify a stream of +// content against the digest. If the digest is invalid, the method will panic. +func (d Digest) Verifier() Verifier { + return hashVerifier{ + hash: d.Algorithm().Hash(), + digest: d, + } +} + +// Encoded returns the encoded portion of the digest. This will panic if the +// underlying digest is not in a valid format. +func (d Digest) Encoded() string { + return string(d[d.sepIndex()+1:]) +} + +// Hex is deprecated. Please use Digest.Encoded. +func (d Digest) Hex() string { + return d.Encoded() +} + +func (d Digest) String() string { + return string(d) +} + +func (d Digest) sepIndex() int { + i := strings.Index(string(d), ":") + + if i < 0 { + panic(fmt.Sprintf("no ':' separator in digest %q", d)) + } + + return i +} diff --git a/vendor/github.com/opencontainers/go-digest/digester.go b/vendor/github.com/opencontainers/go-digest/digester.go new file mode 100644 index 0000000000..ede9077571 --- /dev/null +++ b/vendor/github.com/opencontainers/go-digest/digester.go @@ -0,0 +1,40 @@ +// Copyright 2019, 2020 OCI Contributors +// Copyright 2017 Docker, Inc. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// https://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package digest + +import "hash" + +// Digester calculates the digest of written data. Writes should go directly +// to the return value of Hash, while calling Digest will return the current +// value of the digest. +type Digester interface { + Hash() hash.Hash // provides direct access to underlying hash instance. + Digest() Digest +} + +// digester provides a simple digester definition that embeds a hasher. +type digester struct { + alg Algorithm + hash hash.Hash +} + +func (d *digester) Hash() hash.Hash { + return d.hash +} + +func (d *digester) Digest() Digest { + return NewDigest(d.alg, d.hash) +} diff --git a/vendor/github.com/opencontainers/go-digest/doc.go b/vendor/github.com/opencontainers/go-digest/doc.go new file mode 100644 index 0000000000..83d3a936ca --- /dev/null +++ b/vendor/github.com/opencontainers/go-digest/doc.go @@ -0,0 +1,62 @@ +// Copyright 2019, 2020 OCI Contributors +// Copyright 2017 Docker, Inc. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// https://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Package digest provides a generalized type to opaquely represent message +// digests and their operations within the registry. The Digest type is +// designed to serve as a flexible identifier in a content-addressable system. +// More importantly, it provides tools and wrappers to work with +// hash.Hash-based digests with little effort. +// +// Basics +// +// The format of a digest is simply a string with two parts, dubbed the +// "algorithm" and the "digest", separated by a colon: +// +// : +// +// An example of a sha256 digest representation follows: +// +// sha256:7173b809ca12ec5dee4506cd86be934c4596dd234ee82c0662eac04a8c2c71dc +// +// The "algorithm" portion defines both the hashing algorithm used to calculate +// the digest and the encoding of the resulting digest, which defaults to "hex" +// if not otherwise specified. Currently, all supported algorithms have their +// digests encoded in hex strings. +// +// In the example above, the string "sha256" is the algorithm and the hex bytes +// are the "digest". +// +// Because the Digest type is simply a string, once a valid Digest is +// obtained, comparisons are cheap, quick and simple to express with the +// standard equality operator. +// +// Verification +// +// The main benefit of using the Digest type is simple verification against a +// given digest. The Verifier interface, modeled after the stdlib hash.Hash +// interface, provides a common write sink for digest verification. After +// writing is complete, calling the Verifier.Verified method will indicate +// whether or not the stream of bytes matches the target digest. +// +// Missing Features +// +// In addition to the above, we intend to add the following features to this +// package: +// +// 1. A Digester type that supports write sink digest calculation. +// +// 2. Suspend and resume of ongoing digest calculations to support efficient digest verification in the registry. +// +package digest diff --git a/vendor/github.com/opencontainers/go-digest/verifiers.go b/vendor/github.com/opencontainers/go-digest/verifiers.go new file mode 100644 index 0000000000..afef506f46 --- /dev/null +++ b/vendor/github.com/opencontainers/go-digest/verifiers.go @@ -0,0 +1,46 @@ +// Copyright 2019, 2020 OCI Contributors +// Copyright 2017 Docker, Inc. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// https://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package digest + +import ( + "hash" + "io" +) + +// Verifier presents a general verification interface to be used with message +// digests and other byte stream verifications. Users instantiate a Verifier +// from one of the various methods, write the data under test to it then check +// the result with the Verified method. +type Verifier interface { + io.Writer + + // Verified will return true if the content written to Verifier matches + // the digest. + Verified() bool +} + +type hashVerifier struct { + digest Digest + hash hash.Hash +} + +func (hv hashVerifier) Write(p []byte) (n int, err error) { + return hv.hash.Write(p) +} + +func (hv hashVerifier) Verified() bool { + return hv.digest == NewDigest(hv.digest.Algorithm(), hv.hash) +} diff --git a/vendor/github.com/opencontainers/image-spec/LICENSE b/vendor/github.com/opencontainers/image-spec/LICENSE new file mode 100644 index 0000000000..9fdc20fdb6 --- /dev/null +++ b/vendor/github.com/opencontainers/image-spec/LICENSE @@ -0,0 +1,191 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + Copyright 2016 The Linux Foundation. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/vendor/github.com/opencontainers/image-spec/specs-go/v1/annotations.go b/vendor/github.com/opencontainers/image-spec/specs-go/v1/annotations.go new file mode 100644 index 0000000000..581cf7cdfa --- /dev/null +++ b/vendor/github.com/opencontainers/image-spec/specs-go/v1/annotations.go @@ -0,0 +1,62 @@ +// Copyright 2016 The Linux Foundation +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package v1 + +const ( + // AnnotationCreated is the annotation key for the date and time on which the image was built (date-time string as defined by RFC 3339). + AnnotationCreated = "org.opencontainers.image.created" + + // AnnotationAuthors is the annotation key for the contact details of the people or organization responsible for the image (freeform string). + AnnotationAuthors = "org.opencontainers.image.authors" + + // AnnotationURL is the annotation key for the URL to find more information on the image. + AnnotationURL = "org.opencontainers.image.url" + + // AnnotationDocumentation is the annotation key for the URL to get documentation on the image. + AnnotationDocumentation = "org.opencontainers.image.documentation" + + // AnnotationSource is the annotation key for the URL to get source code for building the image. + AnnotationSource = "org.opencontainers.image.source" + + // AnnotationVersion is the annotation key for the version of the packaged software. + // The version MAY match a label or tag in the source code repository. + // The version MAY be Semantic versioning-compatible. + AnnotationVersion = "org.opencontainers.image.version" + + // AnnotationRevision is the annotation key for the source control revision identifier for the packaged software. + AnnotationRevision = "org.opencontainers.image.revision" + + // AnnotationVendor is the annotation key for the name of the distributing entity, organization or individual. + AnnotationVendor = "org.opencontainers.image.vendor" + + // AnnotationLicenses is the annotation key for the license(s) under which contained software is distributed as an SPDX License Expression. + AnnotationLicenses = "org.opencontainers.image.licenses" + + // AnnotationRefName is the annotation key for the name of the reference for a target. + // SHOULD only be considered valid when on descriptors on `index.json` within image layout. + AnnotationRefName = "org.opencontainers.image.ref.name" + + // AnnotationTitle is the annotation key for the human-readable title of the image. + AnnotationTitle = "org.opencontainers.image.title" + + // AnnotationDescription is the annotation key for the human-readable description of the software packaged in the image. + AnnotationDescription = "org.opencontainers.image.description" + + // AnnotationBaseImageDigest is the annotation key for the digest of the image's base image. + AnnotationBaseImageDigest = "org.opencontainers.image.base.digest" + + // AnnotationBaseImageName is the annotation key for the image reference of the image's base image. + AnnotationBaseImageName = "org.opencontainers.image.base.name" +) diff --git a/vendor/github.com/opencontainers/image-spec/specs-go/v1/config.go b/vendor/github.com/opencontainers/image-spec/specs-go/v1/config.go new file mode 100644 index 0000000000..36b0aeb8f1 --- /dev/null +++ b/vendor/github.com/opencontainers/image-spec/specs-go/v1/config.go @@ -0,0 +1,111 @@ +// Copyright 2016 The Linux Foundation +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package v1 + +import ( + "time" + + digest "github.com/opencontainers/go-digest" +) + +// ImageConfig defines the execution parameters which should be used as a base when running a container using an image. +type ImageConfig struct { + // User defines the username or UID which the process in the container should run as. + User string `json:"User,omitempty"` + + // ExposedPorts a set of ports to expose from a container running this image. + ExposedPorts map[string]struct{} `json:"ExposedPorts,omitempty"` + + // Env is a list of environment variables to be used in a container. + Env []string `json:"Env,omitempty"` + + // Entrypoint defines a list of arguments to use as the command to execute when the container starts. + Entrypoint []string `json:"Entrypoint,omitempty"` + + // Cmd defines the default arguments to the entrypoint of the container. + Cmd []string `json:"Cmd,omitempty"` + + // Volumes is a set of directories describing where the process is likely write data specific to a container instance. + Volumes map[string]struct{} `json:"Volumes,omitempty"` + + // WorkingDir sets the current working directory of the entrypoint process in the container. + WorkingDir string `json:"WorkingDir,omitempty"` + + // Labels contains arbitrary metadata for the container. + Labels map[string]string `json:"Labels,omitempty"` + + // StopSignal contains the system call signal that will be sent to the container to exit. + StopSignal string `json:"StopSignal,omitempty"` + + // ArgsEscaped + // + // Deprecated: This field is present only for legacy compatibility with + // Docker and should not be used by new image builders. It is used by Docker + // for Windows images to indicate that the `Entrypoint` or `Cmd` or both, + // contains only a single element array, that is a pre-escaped, and combined + // into a single string `CommandLine`. If `true` the value in `Entrypoint` or + // `Cmd` should be used as-is to avoid double escaping. + // https://github.com/opencontainers/image-spec/pull/892 + ArgsEscaped bool `json:"ArgsEscaped,omitempty"` +} + +// RootFS describes a layer content addresses +type RootFS struct { + // Type is the type of the rootfs. + Type string `json:"type"` + + // DiffIDs is an array of layer content hashes (DiffIDs), in order from bottom-most to top-most. + DiffIDs []digest.Digest `json:"diff_ids"` +} + +// History describes the history of a layer. +type History struct { + // Created is the combined date and time at which the layer was created, formatted as defined by RFC 3339, section 5.6. + Created *time.Time `json:"created,omitempty"` + + // CreatedBy is the command which created the layer. + CreatedBy string `json:"created_by,omitempty"` + + // Author is the author of the build point. + Author string `json:"author,omitempty"` + + // Comment is a custom message set when creating the layer. + Comment string `json:"comment,omitempty"` + + // EmptyLayer is used to mark if the history item created a filesystem diff. + EmptyLayer bool `json:"empty_layer,omitempty"` +} + +// Image is the JSON structure which describes some basic information about the image. +// This provides the `application/vnd.oci.image.config.v1+json` mediatype when marshalled to JSON. +type Image struct { + // Created is the combined date and time at which the image was created, formatted as defined by RFC 3339, section 5.6. + Created *time.Time `json:"created,omitempty"` + + // Author defines the name and/or email address of the person or entity which created and is responsible for maintaining the image. + Author string `json:"author,omitempty"` + + // Platform describes the platform which the image in the manifest runs on. + Platform + + // Config defines the execution parameters which should be used as a base when running a container using the image. + Config ImageConfig `json:"config,omitempty"` + + // RootFS references the layer content addresses used by the image. + RootFS RootFS `json:"rootfs"` + + // History describes the history of each layer. + History []History `json:"history,omitempty"` +} diff --git a/vendor/github.com/opencontainers/image-spec/specs-go/v1/descriptor.go b/vendor/github.com/opencontainers/image-spec/specs-go/v1/descriptor.go new file mode 100644 index 0000000000..1881b11814 --- /dev/null +++ b/vendor/github.com/opencontainers/image-spec/specs-go/v1/descriptor.go @@ -0,0 +1,80 @@ +// Copyright 2016-2022 The Linux Foundation +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package v1 + +import digest "github.com/opencontainers/go-digest" + +// Descriptor describes the disposition of targeted content. +// This structure provides `application/vnd.oci.descriptor.v1+json` mediatype +// when marshalled to JSON. +type Descriptor struct { + // MediaType is the media type of the object this schema refers to. + MediaType string `json:"mediaType"` + + // Digest is the digest of the targeted content. + Digest digest.Digest `json:"digest"` + + // Size specifies the size in bytes of the blob. + Size int64 `json:"size"` + + // URLs specifies a list of URLs from which this object MAY be downloaded + URLs []string `json:"urls,omitempty"` + + // Annotations contains arbitrary metadata relating to the targeted content. + Annotations map[string]string `json:"annotations,omitempty"` + + // Data is an embedding of the targeted content. This is encoded as a base64 + // string when marshalled to JSON (automatically, by encoding/json). If + // present, Data can be used directly to avoid fetching the targeted content. + Data []byte `json:"data,omitempty"` + + // Platform describes the platform which the image in the manifest runs on. + // + // This should only be used when referring to a manifest. + Platform *Platform `json:"platform,omitempty"` + + // ArtifactType is the IANA media type of this artifact. + ArtifactType string `json:"artifactType,omitempty"` +} + +// Platform describes the platform which the image in the manifest runs on. +type Platform struct { + // Architecture field specifies the CPU architecture, for example + // `amd64` or `ppc64le`. + Architecture string `json:"architecture"` + + // OS specifies the operating system, for example `linux` or `windows`. + OS string `json:"os"` + + // OSVersion is an optional field specifying the operating system + // version, for example on Windows `10.0.14393.1066`. + OSVersion string `json:"os.version,omitempty"` + + // OSFeatures is an optional field specifying an array of strings, + // each listing a required OS feature (for example on Windows `win32k`). + OSFeatures []string `json:"os.features,omitempty"` + + // Variant is an optional field specifying a variant of the CPU, for + // example `v7` to specify ARMv7 when architecture is `arm`. + Variant string `json:"variant,omitempty"` +} + +// DescriptorEmptyJSON is the descriptor of a blob with content of `{}`. +var DescriptorEmptyJSON = Descriptor{ + MediaType: MediaTypeEmptyJSON, + Digest: `sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a`, + Size: 2, + Data: []byte(`{}`), +} diff --git a/vendor/github.com/opencontainers/image-spec/specs-go/v1/index.go b/vendor/github.com/opencontainers/image-spec/specs-go/v1/index.go new file mode 100644 index 0000000000..e2bed9d4e4 --- /dev/null +++ b/vendor/github.com/opencontainers/image-spec/specs-go/v1/index.go @@ -0,0 +1,38 @@ +// Copyright 2016 The Linux Foundation +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package v1 + +import "github.com/opencontainers/image-spec/specs-go" + +// Index references manifests for various platforms. +// This structure provides `application/vnd.oci.image.index.v1+json` mediatype when marshalled to JSON. +type Index struct { + specs.Versioned + + // MediaType specifies the type of this document data structure e.g. `application/vnd.oci.image.index.v1+json` + MediaType string `json:"mediaType,omitempty"` + + // ArtifactType specifies the IANA media type of artifact when the manifest is used for an artifact. + ArtifactType string `json:"artifactType,omitempty"` + + // Manifests references platform specific manifests. + Manifests []Descriptor `json:"manifests"` + + // Subject is an optional link from the image manifest to another manifest forming an association between the image manifest and the other manifest. + Subject *Descriptor `json:"subject,omitempty"` + + // Annotations contains arbitrary metadata for the image index. + Annotations map[string]string `json:"annotations,omitempty"` +} diff --git a/vendor/github.com/opencontainers/image-spec/specs-go/v1/layout.go b/vendor/github.com/opencontainers/image-spec/specs-go/v1/layout.go new file mode 100644 index 0000000000..c5503cb305 --- /dev/null +++ b/vendor/github.com/opencontainers/image-spec/specs-go/v1/layout.go @@ -0,0 +1,32 @@ +// Copyright 2016 The Linux Foundation +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package v1 + +const ( + // ImageLayoutFile is the file name containing ImageLayout in an OCI Image Layout + ImageLayoutFile = "oci-layout" + // ImageLayoutVersion is the version of ImageLayout + ImageLayoutVersion = "1.0.0" + // ImageIndexFile is the file name of the entry point for references and descriptors in an OCI Image Layout + ImageIndexFile = "index.json" + // ImageBlobsDir is the directory name containing content addressable blobs in an OCI Image Layout + ImageBlobsDir = "blobs" +) + +// ImageLayout is the structure in the "oci-layout" file, found in the root +// of an OCI Image-layout directory. +type ImageLayout struct { + Version string `json:"imageLayoutVersion"` +} diff --git a/vendor/github.com/opencontainers/image-spec/specs-go/v1/manifest.go b/vendor/github.com/opencontainers/image-spec/specs-go/v1/manifest.go new file mode 100644 index 0000000000..26fec52a6b --- /dev/null +++ b/vendor/github.com/opencontainers/image-spec/specs-go/v1/manifest.go @@ -0,0 +1,41 @@ +// Copyright 2016-2022 The Linux Foundation +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package v1 + +import "github.com/opencontainers/image-spec/specs-go" + +// Manifest provides `application/vnd.oci.image.manifest.v1+json` mediatype structure when marshalled to JSON. +type Manifest struct { + specs.Versioned + + // MediaType specifies the type of this document data structure e.g. `application/vnd.oci.image.manifest.v1+json` + MediaType string `json:"mediaType,omitempty"` + + // ArtifactType specifies the IANA media type of artifact when the manifest is used for an artifact. + ArtifactType string `json:"artifactType,omitempty"` + + // Config references a configuration object for a container, by digest. + // The referenced configuration object is a JSON blob that the runtime uses to set up the container. + Config Descriptor `json:"config"` + + // Layers is an indexed list of layers referenced by the manifest. + Layers []Descriptor `json:"layers"` + + // Subject is an optional link from the image manifest to another manifest forming an association between the image manifest and the other manifest. + Subject *Descriptor `json:"subject,omitempty"` + + // Annotations contains arbitrary metadata for the image manifest. + Annotations map[string]string `json:"annotations,omitempty"` +} diff --git a/vendor/github.com/opencontainers/image-spec/specs-go/v1/mediatype.go b/vendor/github.com/opencontainers/image-spec/specs-go/v1/mediatype.go new file mode 100644 index 0000000000..ce8313e796 --- /dev/null +++ b/vendor/github.com/opencontainers/image-spec/specs-go/v1/mediatype.go @@ -0,0 +1,85 @@ +// Copyright 2016 The Linux Foundation +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package v1 + +const ( + // MediaTypeDescriptor specifies the media type for a content descriptor. + MediaTypeDescriptor = "application/vnd.oci.descriptor.v1+json" + + // MediaTypeLayoutHeader specifies the media type for the oci-layout. + MediaTypeLayoutHeader = "application/vnd.oci.layout.header.v1+json" + + // MediaTypeImageIndex specifies the media type for an image index. + MediaTypeImageIndex = "application/vnd.oci.image.index.v1+json" + + // MediaTypeImageManifest specifies the media type for an image manifest. + MediaTypeImageManifest = "application/vnd.oci.image.manifest.v1+json" + + // MediaTypeImageConfig specifies the media type for the image configuration. + MediaTypeImageConfig = "application/vnd.oci.image.config.v1+json" + + // MediaTypeEmptyJSON specifies the media type for an unused blob containing the value "{}". + MediaTypeEmptyJSON = "application/vnd.oci.empty.v1+json" +) + +const ( + // MediaTypeImageLayer is the media type used for layers referenced by the manifest. + MediaTypeImageLayer = "application/vnd.oci.image.layer.v1.tar" + + // MediaTypeImageLayerGzip is the media type used for gzipped layers + // referenced by the manifest. + MediaTypeImageLayerGzip = "application/vnd.oci.image.layer.v1.tar+gzip" + + // MediaTypeImageLayerZstd is the media type used for zstd compressed + // layers referenced by the manifest. + MediaTypeImageLayerZstd = "application/vnd.oci.image.layer.v1.tar+zstd" +) + +// Non-distributable layer media-types. +// +// Deprecated: Non-distributable layers are deprecated, and not recommended +// for future use. Implementations SHOULD NOT produce new non-distributable +// layers. +// https://github.com/opencontainers/image-spec/pull/965 +const ( + // MediaTypeImageLayerNonDistributable is the media type for layers referenced by + // the manifest but with distribution restrictions. + // + // Deprecated: Non-distributable layers are deprecated, and not recommended + // for future use. Implementations SHOULD NOT produce new non-distributable + // layers. + // https://github.com/opencontainers/image-spec/pull/965 + MediaTypeImageLayerNonDistributable = "application/vnd.oci.image.layer.nondistributable.v1.tar" + + // MediaTypeImageLayerNonDistributableGzip is the media type for + // gzipped layers referenced by the manifest but with distribution + // restrictions. + // + // Deprecated: Non-distributable layers are deprecated, and not recommended + // for future use. Implementations SHOULD NOT produce new non-distributable + // layers. + // https://github.com/opencontainers/image-spec/pull/965 + MediaTypeImageLayerNonDistributableGzip = "application/vnd.oci.image.layer.nondistributable.v1.tar+gzip" + + // MediaTypeImageLayerNonDistributableZstd is the media type for zstd + // compressed layers referenced by the manifest but with distribution + // restrictions. + // + // Deprecated: Non-distributable layers are deprecated, and not recommended + // for future use. Implementations SHOULD NOT produce new non-distributable + // layers. + // https://github.com/opencontainers/image-spec/pull/965 + MediaTypeImageLayerNonDistributableZstd = "application/vnd.oci.image.layer.nondistributable.v1.tar+zstd" +) diff --git a/vendor/github.com/opencontainers/image-spec/specs-go/version.go b/vendor/github.com/opencontainers/image-spec/specs-go/version.go new file mode 100644 index 0000000000..c3897c7ca0 --- /dev/null +++ b/vendor/github.com/opencontainers/image-spec/specs-go/version.go @@ -0,0 +1,32 @@ +// Copyright 2016 The Linux Foundation +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package specs + +import "fmt" + +const ( + // VersionMajor is for an API incompatible changes + VersionMajor = 1 + // VersionMinor is for functionality in a backwards-compatible manner + VersionMinor = 1 + // VersionPatch is for backwards-compatible bug fixes + VersionPatch = 1 + + // VersionDev indicates development branch. Releases will be empty string. + VersionDev = "" +) + +// Version is the specification version that the package types support. +var Version = fmt.Sprintf("%d.%d.%d%s", VersionMajor, VersionMinor, VersionPatch, VersionDev) diff --git a/vendor/github.com/opencontainers/image-spec/specs-go/versioned.go b/vendor/github.com/opencontainers/image-spec/specs-go/versioned.go new file mode 100644 index 0000000000..58a1510f33 --- /dev/null +++ b/vendor/github.com/opencontainers/image-spec/specs-go/versioned.go @@ -0,0 +1,23 @@ +// Copyright 2016 The Linux Foundation +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package specs + +// Versioned provides a struct with the manifest schemaVersion and mediaType. +// Incoming content with unknown schema version can be decoded against this +// struct to check the version. +type Versioned struct { + // SchemaVersion is the image manifest schema that this image follows + SchemaVersion int `json:"schemaVersion"` +} diff --git a/vendor/github.com/openshift/api/AGENTS.md b/vendor/github.com/openshift/api/AGENTS.md index 0e39032433..991ed62579 100644 --- a/vendor/github.com/openshift/api/AGENTS.md +++ b/vendor/github.com/openshift/api/AGENTS.md @@ -37,15 +37,23 @@ When working on a specific API group/version, you can regenerate only the affect ```bash # Regenerate CRDs for a specific API group/version -make update-codegen-crds API_GROUP_VERSIONS=operator.openshift.io/v1alpha1 -make update-codegen-crds API_GROUP_VERSIONS=config.openshift.io/v1 -make update-codegen-crds API_GROUP_VERSIONS=route.openshift.io/v1 +make update-codegen API_GROUP_VERSIONS=operator.openshift.io/v1alpha1 +make update-codegen API_GROUP_VERSIONS=config.openshift.io/v1 +make update-codegen API_GROUP_VERSIONS=route.openshift.io/v1 # Multiple API groups can be specified with comma separation -make update-codegen-crds API_GROUP_VERSIONS=operator.openshift.io/v1alpha1,config.openshift.io/v1 +make update-codegen API_GROUP_VERSIONS=operator.openshift.io/v1alpha1,config.openshift.io/v1 ``` -This is more efficient than running `make update` (which regenerates all CRDs) when you're only working on specific API groups. +**Important:** While using `API_GROUP_VERSIONS` is faster for iteration (e.g., when developing tests), +it generates invalid OpenAPI data. This targeted generation is useful during development cycles, but you +**must run `make update`** (without `API_GROUP_VERSIONS`) to regenerate all files correctly before +committing changes. The full `make update` ensures all generated files, including OpenAPI schemas, are +properly synchronized. + +**Workflow:** +- During iteration: `make update-codegen API_GROUP_VERSIONS=your.group/v1` (fast feedback) +- Before committing: `make update` (ensures correctness) ### Testing ```bash diff --git a/vendor/github.com/openshift/api/apps/v1/types.go b/vendor/github.com/openshift/api/apps/v1/types.go index a66ce09ea5..883770e764 100644 --- a/vendor/github.com/openshift/api/apps/v1/types.go +++ b/vendor/github.com/openshift/api/apps/v1/types.go @@ -16,7 +16,7 @@ import ( // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +k8s:prerelease-lifecycle-gen:introduced=3.0 // +k8s:prerelease-lifecycle-gen:deprecated=4.14 -// +k8s:prerelease-lifecycle-gen:removed=4.10000 +// +k8s:prerelease-lifecycle-gen:removed=6.0 // Deployment Configs define the template for a pod and manages deploying new images or configuration changes. // A single deployment configuration is usually analogous to a single micro-service. Can support many different @@ -407,7 +407,7 @@ type DeploymentCondition struct { // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +k8s:prerelease-lifecycle-gen:introduced=3.0 // +k8s:prerelease-lifecycle-gen:deprecated=4.14 -// +k8s:prerelease-lifecycle-gen:removed=4.10000 +// +k8s:prerelease-lifecycle-gen:removed=6.0 // DeploymentConfigList is a collection of deployment configs. // @@ -427,7 +427,7 @@ type DeploymentConfigList struct { // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +k8s:prerelease-lifecycle-gen:introduced=3.0 // +k8s:prerelease-lifecycle-gen:deprecated=4.14 -// +k8s:prerelease-lifecycle-gen:removed=4.10000 +// +k8s:prerelease-lifecycle-gen:removed=6.0 // DeploymentConfigRollback provides the input to rollback generation. // @@ -462,7 +462,7 @@ type DeploymentConfigRollbackSpec struct { // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +k8s:prerelease-lifecycle-gen:introduced=3.0 // +k8s:prerelease-lifecycle-gen:deprecated=4.14 -// +k8s:prerelease-lifecycle-gen:removed=4.10000 +// +k8s:prerelease-lifecycle-gen:removed=6.0 // DeploymentRequest is a request to a deployment config for a new deployment. // @@ -486,7 +486,7 @@ type DeploymentRequest struct { // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +k8s:prerelease-lifecycle-gen:introduced=3.0 // +k8s:prerelease-lifecycle-gen:deprecated=4.14 -// +k8s:prerelease-lifecycle-gen:removed=4.10000 +// +k8s:prerelease-lifecycle-gen:removed=6.0 // DeploymentLog represents the logs for a deployment // @@ -499,7 +499,7 @@ type DeploymentLog struct { // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +k8s:prerelease-lifecycle-gen:introduced=3.0 // +k8s:prerelease-lifecycle-gen:deprecated=4.14 -// +k8s:prerelease-lifecycle-gen:removed=4.10000 +// +k8s:prerelease-lifecycle-gen:removed=6.0 // DeploymentLogOptions is the REST options for a deployment log // diff --git a/vendor/github.com/openshift/api/apps/v1/zz_prerelease_lifecycle_generated.go b/vendor/github.com/openshift/api/apps/v1/zz_prerelease_lifecycle_generated.go index b3e4de5010..cdd91d3856 100644 --- a/vendor/github.com/openshift/api/apps/v1/zz_prerelease_lifecycle_generated.go +++ b/vendor/github.com/openshift/api/apps/v1/zz_prerelease_lifecycle_generated.go @@ -20,7 +20,7 @@ func (in *DeploymentConfig) APILifecycleDeprecated() (major, minor int) { // APILifecycleRemoved is an autogenerated function, returning the release in which the API is no longer served as int versions of major and minor for comparison. // It is controlled by "k8s:prerelease-lifecycle-gen:removed" tags in types.go or "k8s:prerelease-lifecycle-gen:deprecated" plus three minor. func (in *DeploymentConfig) APILifecycleRemoved() (major, minor int) { - return 4, 10000 + return 6, 0 } // APILifecycleIntroduced is an autogenerated function, returning the release in which the API struct was introduced as int versions of major and minor for comparison. @@ -38,7 +38,7 @@ func (in *DeploymentConfigList) APILifecycleDeprecated() (major, minor int) { // APILifecycleRemoved is an autogenerated function, returning the release in which the API is no longer served as int versions of major and minor for comparison. // It is controlled by "k8s:prerelease-lifecycle-gen:removed" tags in types.go or "k8s:prerelease-lifecycle-gen:deprecated" plus three minor. func (in *DeploymentConfigList) APILifecycleRemoved() (major, minor int) { - return 4, 10000 + return 6, 0 } // APILifecycleIntroduced is an autogenerated function, returning the release in which the API struct was introduced as int versions of major and minor for comparison. @@ -56,7 +56,7 @@ func (in *DeploymentConfigRollback) APILifecycleDeprecated() (major, minor int) // APILifecycleRemoved is an autogenerated function, returning the release in which the API is no longer served as int versions of major and minor for comparison. // It is controlled by "k8s:prerelease-lifecycle-gen:removed" tags in types.go or "k8s:prerelease-lifecycle-gen:deprecated" plus three minor. func (in *DeploymentConfigRollback) APILifecycleRemoved() (major, minor int) { - return 4, 10000 + return 6, 0 } // APILifecycleIntroduced is an autogenerated function, returning the release in which the API struct was introduced as int versions of major and minor for comparison. @@ -74,7 +74,7 @@ func (in *DeploymentLog) APILifecycleDeprecated() (major, minor int) { // APILifecycleRemoved is an autogenerated function, returning the release in which the API is no longer served as int versions of major and minor for comparison. // It is controlled by "k8s:prerelease-lifecycle-gen:removed" tags in types.go or "k8s:prerelease-lifecycle-gen:deprecated" plus three minor. func (in *DeploymentLog) APILifecycleRemoved() (major, minor int) { - return 4, 10000 + return 6, 0 } // APILifecycleIntroduced is an autogenerated function, returning the release in which the API struct was introduced as int versions of major and minor for comparison. @@ -92,7 +92,7 @@ func (in *DeploymentLogOptions) APILifecycleDeprecated() (major, minor int) { // APILifecycleRemoved is an autogenerated function, returning the release in which the API is no longer served as int versions of major and minor for comparison. // It is controlled by "k8s:prerelease-lifecycle-gen:removed" tags in types.go or "k8s:prerelease-lifecycle-gen:deprecated" plus three minor. func (in *DeploymentLogOptions) APILifecycleRemoved() (major, minor int) { - return 4, 10000 + return 6, 0 } // APILifecycleIntroduced is an autogenerated function, returning the release in which the API struct was introduced as int versions of major and minor for comparison. @@ -110,5 +110,5 @@ func (in *DeploymentRequest) APILifecycleDeprecated() (major, minor int) { // APILifecycleRemoved is an autogenerated function, returning the release in which the API is no longer served as int versions of major and minor for comparison. // It is controlled by "k8s:prerelease-lifecycle-gen:removed" tags in types.go or "k8s:prerelease-lifecycle-gen:deprecated" plus three minor. func (in *DeploymentRequest) APILifecycleRemoved() (major, minor int) { - return 4, 10000 + return 6, 0 } diff --git a/vendor/github.com/openshift/api/config/v1/register.go b/vendor/github.com/openshift/api/config/v1/register.go index 222c7f0cc7..eac29a2367 100644 --- a/vendor/github.com/openshift/api/config/v1/register.go +++ b/vendor/github.com/openshift/api/config/v1/register.go @@ -76,8 +76,6 @@ func addKnownTypes(scheme *runtime.Scheme) error { &ImagePolicyList{}, &ClusterImagePolicy{}, &ClusterImagePolicyList{}, - &InsightsDataGather{}, - &InsightsDataGatherList{}, ) metav1.AddToGroupVersion(scheme, GroupVersion) return nil diff --git a/vendor/github.com/openshift/api/config/v1/types_apiserver.go b/vendor/github.com/openshift/api/config/v1/types_apiserver.go index 0afe7b1d8d..31d8881858 100644 --- a/vendor/github.com/openshift/api/config/v1/types_apiserver.go +++ b/vendor/github.com/openshift/api/config/v1/types_apiserver.go @@ -212,6 +212,7 @@ type APIServerEncryption struct { // +openshift:validation:FeatureGateAwareEnum:featureGate="",enum="";identity;aescbc;aesgcm // +openshift:validation:FeatureGateAwareEnum:featureGate=KMSEncryptionProvider,enum="";identity;aescbc;aesgcm;KMS +// +openshift:validation:FeatureGateAwareEnum:featureGate=KMSEncryption,enum="";identity;aescbc;aesgcm;KMS type EncryptionType string const ( diff --git a/vendor/github.com/openshift/api/config/v1/types_authentication.go b/vendor/github.com/openshift/api/config/v1/types_authentication.go index 52a41b2fef..11efc90b59 100644 --- a/vendor/github.com/openshift/api/config/v1/types_authentication.go +++ b/vendor/github.com/openshift/api/config/v1/types_authentication.go @@ -672,7 +672,7 @@ type UsernameClaimMapping struct { // +enum type UsernamePrefixPolicy string -var ( +const ( // NoOpinion let's the cluster assign prefixes. If the username claim is email, there is no prefix // If the username claim is anything else, it is prefixed by the issuerURL NoOpinion UsernamePrefixPolicy = "" @@ -723,7 +723,7 @@ type PrefixedClaimMapping struct { type TokenValidationRuleType string const ( - TokenValidationRuleTypeRequiredClaim = "RequiredClaim" + TokenValidationRuleTypeRequiredClaim TokenValidationRuleType = "RequiredClaim" ) type TokenClaimValidationRule struct { diff --git a/vendor/github.com/openshift/api/config/v1/types_image_policy.go b/vendor/github.com/openshift/api/config/v1/types_image_policy.go index 54bd21adb4..a6a6405130 100644 --- a/vendor/github.com/openshift/api/config/v1/types_image_policy.go +++ b/vendor/github.com/openshift/api/config/v1/types_image_policy.go @@ -82,7 +82,7 @@ type PolicyRootOfTrust struct { // Allowed values are "PublicKey", "FulcioCAWithRekor", and "PKI". // When set to "PublicKey", the policy relies on a sigstore publicKey and may optionally use a Rekor verification. // When set to "FulcioCAWithRekor", the policy is based on the Fulcio certification and incorporates a Rekor verification. - // When set to "PKI", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate. + // When set to "PKI", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). // +unionDiscriminator // +required PolicyType PolicyType `json:"policyType"` diff --git a/vendor/github.com/openshift/api/config/v1/types_infrastructure.go b/vendor/github.com/openshift/api/config/v1/types_infrastructure.go index 2f80945d38..313ed57a41 100644 --- a/vendor/github.com/openshift/api/config/v1/types_infrastructure.go +++ b/vendor/github.com/openshift/api/config/v1/types_infrastructure.go @@ -699,74 +699,43 @@ const ( AzureStackCloud AzureCloudEnvironment = "AzureStackCloud" ) +// Start: TOMBSTONE + // GCPServiceEndpointName is the name of the GCP Service Endpoint. // +kubebuilder:validation:Enum=Compute;Container;CloudResourceManager;DNS;File;IAM;IAMCredentials;OAuth;ServiceUsage;Storage;STS -type GCPServiceEndpointName string - -const ( - // GCPServiceEndpointNameCompute is the name used for the GCP Compute Service endpoint. - GCPServiceEndpointNameCompute GCPServiceEndpointName = "Compute" - - // GCPServiceEndpointNameContainer is the name used for the GCP Container Service endpoint. - GCPServiceEndpointNameContainer GCPServiceEndpointName = "Container" - - // GCPServiceEndpointNameCloudResource is the name used for the GCP Resource Manager Service endpoint. - GCPServiceEndpointNameCloudResource GCPServiceEndpointName = "CloudResourceManager" - - // GCPServiceEndpointNameDNS is the name used for the GCP DNS Service endpoint. - GCPServiceEndpointNameDNS GCPServiceEndpointName = "DNS" - - // GCPServiceEndpointNameFile is the name used for the GCP File Service endpoint. - GCPServiceEndpointNameFile GCPServiceEndpointName = "File" - - // GCPServiceEndpointNameIAM is the name used for the GCP IAM Service endpoint. - GCPServiceEndpointNameIAM GCPServiceEndpointName = "IAM" - - // GCPServiceEndpointNameIAMCredentials is the name used for the GCP IAM Credentials Service endpoint. - GCPServiceEndpointNameIAMCredentials GCPServiceEndpointName = "IAMCredentials" - - // GCPServiceEndpointNameOAuth is the name used for the GCP OAuth2 Service endpoint. - GCPServiceEndpointNameOAuth GCPServiceEndpointName = "OAuth" - - // GCPServiceEndpointNameServiceUsage is the name used for the GCP Service Usage Service endpoint. - GCPServiceEndpointNameServiceUsage GCPServiceEndpointName = "ServiceUsage" - - // GCPServiceEndpointNameStorage is the name used for the GCP Storage Service endpoint. - GCPServiceEndpointNameStorage GCPServiceEndpointName = "Storage" - - // GCPServiceEndpointNameSTS is the name used for the GCP STS Service endpoint. - GCPServiceEndpointNameSTS GCPServiceEndpointName = "STS" -) +//type GCPServiceEndpointName string // GCPServiceEndpoint store the configuration of a custom url to // override existing defaults of GCP Services. -type GCPServiceEndpoint struct { - // name is the name of the GCP service whose endpoint is being overridden. - // This must be provided and cannot be empty. - // - // Allowed values are Compute, Container, CloudResourceManager, DNS, File, IAM, ServiceUsage, - // Storage, and TagManager. - // - // As an example, when setting the name to Compute all requests made by the caller to the GCP Compute - // Service will be directed to the endpoint specified in the url field. - // - // +required - Name GCPServiceEndpointName `json:"name"` +// type GCPServiceEndpoint struct { +// name is the name of the GCP service whose endpoint is being overridden. +// This must be provided and cannot be empty. +// +// Allowed values are Compute, Container, CloudResourceManager, DNS, File, IAM, ServiceUsage, +// Storage, and TagManager. +// +// As an example, when setting the name to Compute all requests made by the caller to the GCP Compute +// Service will be directed to the endpoint specified in the url field. +// +// +required +// Name GCPServiceEndpointName `json:"name"` - // url is a fully qualified URI that overrides the default endpoint for a client using the GCP service specified - // in the name field. - // url is required, must use the scheme https, must not be more than 253 characters in length, - // and must be a valid URL according to Go's net/url package (https://pkg.go.dev/net/url#URL) - // - // An example of a valid endpoint that overrides the Compute Service: "https://compute-myendpoint1.p.googleapis.com" - // - // +required - // +kubebuilder:validation:MaxLength=253 - // +kubebuilder:validation:XValidation:rule="isURL(self)",message="must be a valid URL" - // +kubebuilder:validation:XValidation:rule="isURL(self) ? (url(self).getScheme() == \"https\") : true",message="scheme must be https" - // +kubebuilder:validation:XValidation:rule="url(self).getEscapedPath() == \"\" || url(self).getEscapedPath() == \"/\"",message="url must consist only of a scheme and domain. The url path must be empty." - URL string `json:"url"` -} +// url is a fully qualified URI that overrides the default endpoint for a client using the GCP service specified +// in the name field. +// url is required, must use the scheme https, must not be more than 253 characters in length, +// and must be a valid URL according to Go's net/url package (https://pkg.go.dev/net/url#URL) +// +// An example of a valid endpoint that overrides the Compute Service: "https://compute-myendpoint1.p.googleapis.com" +// +// +required +// +kubebuilder:validation:MaxLength=253 +// +kubebuilder:validation:XValidation:rule="isURL(self)",message="must be a valid URL" +// +kubebuilder:validation:XValidation:rule="isURL(self) ? (url(self).getScheme() == \"https\") : true",message="scheme must be https" +// +kubebuilder:validation:XValidation:rule="url(self).getEscapedPath() == \"\" || url(self).getEscapedPath() == \"/\"",message="url must consist only of a scheme and domain. The url path must be empty." +// URL string `json:"url"` +//} + +// End: TOMBSTONE // GCPPlatformSpec holds the desired state of the Google Cloud Platform infrastructure provider. // This only includes fields that can be modified in the cluster. @@ -822,18 +791,21 @@ type GCPPlatformStatus struct { // +nullable CloudLoadBalancerConfig *CloudLoadBalancerConfig `json:"cloudLoadBalancerConfig,omitempty"` + // This field was introduced and removed under tech preview. // serviceEndpoints specifies endpoints that override the default endpoints // used when creating clients to interact with GCP services. // When not specified, the default endpoint for the GCP region will be used. // Only 1 endpoint override is permitted for each GCP service. // The maximum number of endpoint overrides allowed is 11. + // To avoid conflicts with serialisation, this field name may never be used again. + // Tombstone the field as a reminder. // +listType=map // +listMapKey=name // +kubebuilder:validation:MaxItems=11 // +kubebuilder:validation:XValidation:rule="self.all(x, self.exists_one(y, x.name == y.name))",message="only 1 endpoint override is permitted per GCP service name" // +optional // +openshift:enable:FeatureGate=GCPCustomAPIEndpointsInstall - ServiceEndpoints []GCPServiceEndpoint `json:"serviceEndpoints,omitempty"` + // ServiceEndpoints []GCPServiceEndpoint `json:"serviceEndpoints,omitempty"` } // GCPResourceLabel is a label to apply to GCP resources created for the cluster. diff --git a/vendor/github.com/openshift/api/config/v1/types_insights.go b/vendor/github.com/openshift/api/config/v1/types_insights.go deleted file mode 100644 index b0959881f1..0000000000 --- a/vendor/github.com/openshift/api/config/v1/types_insights.go +++ /dev/null @@ -1,230 +0,0 @@ -package v1 - -import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - -// InsightsDataGather provides data gather configuration options for the Insights Operator. -// -// +genclient -// +genclient:nonNamespaced -// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object -// -// +kubebuilder:object:root=true -// +kubebuilder:resource:path=insightsdatagathers,scope=Cluster -// +openshift:api-approved.openshift.io=https://github.com/openshift/api/pull/2448 -// +openshift:file-pattern=cvoRunLevel=0000_10,operatorName=config-operator,operatorOrdering=01 -// +openshift:enable:FeatureGate=InsightsConfig -// -// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). -// +openshift:compatibility-gen:level=1 -type InsightsDataGather struct { - metav1.TypeMeta `json:",inline"` - // metadata is the standard object's metadata. - // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata - // +optional - metav1.ObjectMeta `json:"metadata,omitempty"` - // spec holds user settable values for configuration - // +required - Spec InsightsDataGatherSpec `json:"spec,omitempty,omitzero"` -} - -// InsightsDataGatherSpec contains the configuration for the data gathering. -type InsightsDataGatherSpec struct { - // gatherConfig is a required spec attribute that includes all the configuration options related to gathering of the Insights data and its uploading to the ingress. - // +required - GatherConfig GatherConfig `json:"gatherConfig,omitempty,omitzero"` -} - -// GatherConfig provides data gathering configuration options. -type GatherConfig struct { - // dataPolicy is an optional list of DataPolicyOptions that allows user to enable additional obfuscation of the Insights archive data. - // It may not exceed 2 items and must not contain duplicates. - // Valid values are ObfuscateNetworking and WorkloadNames. - // When set to ObfuscateNetworking the IP addresses and the cluster domain name are obfuscated. - // When set to WorkloadNames, the gathered data about cluster resources will not contain the workload names for your deployments. Resources UIDs will be used instead. - // When omitted no obfuscation is applied. - // +kubebuilder:validation:MinItems=1 - // +kubebuilder:validation:MaxItems=2 - // +kubebuilder:validation:XValidation:rule="self.all(x, self.exists_one(y, x == y))",message="dataPolicy items must be unique" - // +listType=atomic - // +optional - DataPolicy []DataPolicyOption `json:"dataPolicy,omitempty"` - // gatherers is a required field that specifies the configuration of the gatherers. - // +required - Gatherers Gatherers `json:"gatherers,omitempty,omitzero"` - // storage is an optional field that allows user to define persistent storage for gathering jobs to store the Insights data archive. - // If omitted, the gathering job will use ephemeral storage. - // +optional - Storage Storage `json:"storage,omitempty,omitzero"` -} - -// Gatherers specifies the configuration of the gatherers -// +kubebuilder:validation:XValidation:rule="has(self.mode) && self.mode == 'Custom' ? has(self.custom) : !has(self.custom)",message="custom is required when mode is Custom, and forbidden otherwise" -// +union -type Gatherers struct { - // mode is a required field that specifies the mode for gatherers. Allowed values are All, None, and Custom. - // When set to All, all gatherers will run and gather data. - // When set to None, all gatherers will be disabled and no data will be gathered. - // When set to Custom, the custom configuration from the custom field will be applied. - // +unionDiscriminator - // +required - Mode GatheringMode `json:"mode,omitempty"` - // custom provides gathering configuration. - // It is required when mode is Custom, and forbidden otherwise. - // Custom configuration allows user to disable only a subset of gatherers. - // Gatherers that are not explicitly disabled in custom configuration will run. - // +unionMember - // +optional - Custom Custom `json:"custom,omitempty,omitzero"` -} - -// Custom provides the custom configuration of gatherers -type Custom struct { - // configs is a required list of gatherers configurations that can be used to enable or disable specific gatherers. - // It may not exceed 100 items and each gatherer can be present only once. - // It is possible to disable an entire set of gatherers while allowing a specific function within that set. - // The particular gatherers IDs can be found at https://github.com/openshift/insights-operator/blob/master/docs/gathered-data.md. - // Run the following command to get the names of last active gatherers: - // "oc get insightsoperators.operator.openshift.io cluster -o json | jq '.status.gatherStatus.gatherers[].name'" - // +kubebuilder:validation:MinItems=1 - // +kubebuilder:validation:MaxItems=100 - // +listType=map - // +listMapKey=name - // +required - Configs []GathererConfig `json:"configs,omitempty"` -} - -// GatheringMode defines the valid gathering modes. -// +kubebuilder:validation:Enum=All;None;Custom -type GatheringMode string - -const ( - // Enabled enables all gatherers - GatheringModeAll GatheringMode = "All" - // Disabled disables all gatherers - GatheringModeNone GatheringMode = "None" - // Custom applies the configuration from GatheringConfig. - GatheringModeCustom GatheringMode = "Custom" -) - -// DataPolicyOption declares valid data policy options -// +kubebuilder:validation:Enum=ObfuscateNetworking;WorkloadNames -type DataPolicyOption string - -const ( - // IP addresses and cluster domain name are obfuscated - DataPolicyOptionObfuscateNetworking DataPolicyOption = "ObfuscateNetworking" - // Data from Deployment Validation Operator are obfuscated - DataPolicyOptionObfuscateWorkloadNames DataPolicyOption = "WorkloadNames" -) - -// Storage provides persistent storage configuration options for gathering jobs. -// If the type is set to PersistentVolume, then the PersistentVolume must be defined. -// If the type is set to Ephemeral, then the PersistentVolume must not be defined. -// +kubebuilder:validation:XValidation:rule="has(self.type) && self.type == 'PersistentVolume' ? has(self.persistentVolume) : !has(self.persistentVolume)",message="persistentVolume is required when type is PersistentVolume, and forbidden otherwise" -// +union -type Storage struct { - // type is a required field that specifies the type of storage that will be used to store the Insights data archive. - // Valid values are "PersistentVolume" and "Ephemeral". - // When set to Ephemeral, the Insights data archive is stored in the ephemeral storage of the gathering job. - // When set to PersistentVolume, the Insights data archive is stored in the PersistentVolume that is defined by the persistentVolume field. - // +unionDiscriminator - // +required - Type StorageType `json:"type,omitempty"` - // persistentVolume is an optional field that specifies the PersistentVolume that will be used to store the Insights data archive. - // The PersistentVolume must be created in the openshift-insights namespace. - // +unionMember - // +optional - PersistentVolume PersistentVolumeConfig `json:"persistentVolume,omitempty,omitzero"` -} - -// StorageType declares valid storage types -// +kubebuilder:validation:Enum=PersistentVolume;Ephemeral -type StorageType string - -const ( - // StorageTypePersistentVolume storage type - StorageTypePersistentVolume StorageType = "PersistentVolume" - // StorageTypeEphemeral storage type - StorageTypeEphemeral StorageType = "Ephemeral" -) - -// PersistentVolumeConfig provides configuration options for PersistentVolume storage. -type PersistentVolumeConfig struct { - // claim is a required field that specifies the configuration of the PersistentVolumeClaim that will be used to store the Insights data archive. - // The PersistentVolumeClaim must be created in the openshift-insights namespace. - // +required - Claim PersistentVolumeClaimReference `json:"claim,omitempty,omitzero"` - // mountPath is an optional field specifying the directory where the PVC will be mounted inside the Insights data gathering Pod. - // When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. - // The current default mount path is /var/lib/insights-operator - // The path may not exceed 1024 characters and must not contain a colon. - // +kubebuilder:validation:MinLength=1 - // +kubebuilder:validation:MaxLength=1024 - // +kubebuilder:validation:XValidation:rule="!self.contains(':')",message="mountPath must not contain a colon" - // +optional - MountPath string `json:"mountPath,omitempty"` -} - -// PersistentVolumeClaimReference is a reference to a PersistentVolumeClaim. -type PersistentVolumeClaimReference struct { - // name is the name of the PersistentVolumeClaim that will be used to store the Insights data archive. - // It is a string that follows the DNS1123 subdomain format. - // It must be at most 253 characters in length, and must consist only of lower case alphanumeric characters, '-' and '.', and must start and end with an alphanumeric character. - // +kubebuilder:validation:XValidation:rule="!format.dns1123Subdomain().validate(self).hasValue()",message="a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character." - // +kubebuilder:validation:MinLength=1 - // +kubebuilder:validation:MaxLength=253 - // +required - Name string `json:"name,omitempty"` -} - -// GathererConfig allows to configure specific gatherers -type GathererConfig struct { - // name is the required name of a specific gatherer. - // It may not exceed 256 characters. - // The format for a gatherer name is: {gatherer}/{function} where the function is optional. - // Gatherer consists of a lowercase letters only that may include underscores (_). - // Function consists of a lowercase letters only that may include underscores (_) and is separated from the gatherer by a forward slash (/). - // The particular gatherers can be found at https://github.com/openshift/insights-operator/blob/master/docs/gathered-data.md. - // Run the following command to get the names of last active gatherers: - // "oc get insightsoperators.operator.openshift.io cluster -o json | jq '.status.gatherStatus.gatherers[].name'" - // +kubebuilder:validation:MinLength=1 - // +kubebuilder:validation:MaxLength=256 - // +kubebuilder:validation:XValidation:rule=`self.matches("^[a-z]+[_a-z]*[a-z]([/a-z][_a-z]*)?[a-z]$")`,message=`gatherer name must be in the format of {gatherer}/{function} where the gatherer and function are lowercase letters only that may include underscores (_) and are separated by a forward slash (/) if the function is provided` - // +required - Name string `json:"name,omitempty"` - // state is a required field that allows you to configure specific gatherer. Valid values are "Enabled" and "Disabled". - // When set to Enabled the gatherer will run. - // When set to Disabled the gatherer will not run. - // +required - State GathererState `json:"state,omitempty"` -} - -// GathererState declares valid gatherer state types. -// +kubebuilder:validation:Enum=Enabled;Disabled -type GathererState string - -const ( - // GathererStateEnabled gatherer state, which means that the gatherer will run. - GathererStateEnabled GathererState = "Enabled" - // GathererStateDisabled gatherer state, which means that the gatherer will not run. - GathererStateDisabled GathererState = "Disabled" -) - -// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object - -// InsightsDataGatherList is a collection of items -// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). -// +openshift:compatibility-gen:level=1 -type InsightsDataGatherList struct { - metav1.TypeMeta `json:",inline"` - // metadata is the required standard list's metadata. - // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata - // +required - metav1.ListMeta `json:"metadata,omitempty"` - // items is the required list of InsightsDataGather objects - // it may not exceed 100 items - // +kubebuilder:validation:MinItems=0 - // +kubebuilder:validation:MaxItems=100 - // +required - Items []InsightsDataGather `json:"items,omitempty"` -} diff --git a/vendor/github.com/openshift/api/config/v1/types_scheduling.go b/vendor/github.com/openshift/api/config/v1/types_scheduling.go index c90d5633f6..a81ed9f30c 100644 --- a/vendor/github.com/openshift/api/config/v1/types_scheduling.go +++ b/vendor/github.com/openshift/api/config/v1/types_scheduling.go @@ -48,7 +48,9 @@ type SchedulerSpec struct { // +optional Profile SchedulerProfile `json:"profile,omitempty"` // profileCustomizations contains configuration for modifying the default behavior of existing scheduler profiles. - // +openshift:enable:FeatureGate=DynamicResourceAllocation + // Deprecated: no longer needed, since DRA is GA starting with 4.21, and + // is enabled by' default in the cluster, this field will be removed in 4.24. + // +openshift:enable:FeatureGate=HyperShiftOnlyDynamicResourceAllocation // +optional ProfileCustomizations ProfileCustomizations `json:"profileCustomizations"` // defaultNodeSelector helps set the cluster-wide default node selector to diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go index 0863934f22..fe8c112273 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go @@ -1736,27 +1736,6 @@ func (in *ConsoleStatus) DeepCopy() *ConsoleStatus { return out } -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *Custom) DeepCopyInto(out *Custom) { - *out = *in - if in.Configs != nil { - in, out := &in.Configs, &out.Configs - *out = make([]GathererConfig, len(*in)) - copy(*out, *in) - } - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Custom. -func (in *Custom) DeepCopy() *Custom { - if in == nil { - return nil - } - out := new(Custom) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *CustomFeatureGates) DeepCopyInto(out *CustomFeatureGates) { *out = *in @@ -2422,11 +2401,6 @@ func (in *GCPPlatformStatus) DeepCopyInto(out *GCPPlatformStatus) { *out = new(CloudLoadBalancerConfig) (*in).DeepCopyInto(*out) } - if in.ServiceEndpoints != nil { - in, out := &in.ServiceEndpoints, &out.ServiceEndpoints - *out = make([]GCPServiceEndpoint, len(*in)) - copy(*out, *in) - } return } @@ -2472,78 +2446,6 @@ func (in *GCPResourceTag) DeepCopy() *GCPResourceTag { return out } -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *GCPServiceEndpoint) DeepCopyInto(out *GCPServiceEndpoint) { - *out = *in - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GCPServiceEndpoint. -func (in *GCPServiceEndpoint) DeepCopy() *GCPServiceEndpoint { - if in == nil { - return nil - } - out := new(GCPServiceEndpoint) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *GatherConfig) DeepCopyInto(out *GatherConfig) { - *out = *in - if in.DataPolicy != nil { - in, out := &in.DataPolicy, &out.DataPolicy - *out = make([]DataPolicyOption, len(*in)) - copy(*out, *in) - } - in.Gatherers.DeepCopyInto(&out.Gatherers) - out.Storage = in.Storage - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GatherConfig. -func (in *GatherConfig) DeepCopy() *GatherConfig { - if in == nil { - return nil - } - out := new(GatherConfig) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *GathererConfig) DeepCopyInto(out *GathererConfig) { - *out = *in - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GathererConfig. -func (in *GathererConfig) DeepCopy() *GathererConfig { - if in == nil { - return nil - } - out := new(GathererConfig) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *Gatherers) DeepCopyInto(out *Gatherers) { - *out = *in - in.Custom.DeepCopyInto(&out.Custom) - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Gatherers. -func (in *Gatherers) DeepCopy() *Gatherers { - if in == nil { - return nil - } - out := new(Gatherers) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *GenericAPIServerConfig) DeepCopyInto(out *GenericAPIServerConfig) { *out = *in @@ -3647,83 +3549,6 @@ func (in *IngressStatus) DeepCopy() *IngressStatus { return out } -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *InsightsDataGather) DeepCopyInto(out *InsightsDataGather) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) - in.Spec.DeepCopyInto(&out.Spec) - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InsightsDataGather. -func (in *InsightsDataGather) DeepCopy() *InsightsDataGather { - if in == nil { - return nil - } - out := new(InsightsDataGather) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *InsightsDataGather) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *InsightsDataGatherList) DeepCopyInto(out *InsightsDataGatherList) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ListMeta.DeepCopyInto(&out.ListMeta) - if in.Items != nil { - in, out := &in.Items, &out.Items - *out = make([]InsightsDataGather, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InsightsDataGatherList. -func (in *InsightsDataGatherList) DeepCopy() *InsightsDataGatherList { - if in == nil { - return nil - } - out := new(InsightsDataGatherList) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *InsightsDataGatherList) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *InsightsDataGatherSpec) DeepCopyInto(out *InsightsDataGatherSpec) { - *out = *in - in.GatherConfig.DeepCopyInto(&out.GatherConfig) - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InsightsDataGatherSpec. -func (in *InsightsDataGatherSpec) DeepCopy() *InsightsDataGatherSpec { - if in == nil { - return nil - } - out := new(InsightsDataGatherSpec) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *IntermediateTLSProfile) DeepCopyInto(out *IntermediateTLSProfile) { *out = *in @@ -5173,39 +4998,6 @@ func (in *PKICertificateSubject) DeepCopy() *PKICertificateSubject { return out } -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *PersistentVolumeClaimReference) DeepCopyInto(out *PersistentVolumeClaimReference) { - *out = *in - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PersistentVolumeClaimReference. -func (in *PersistentVolumeClaimReference) DeepCopy() *PersistentVolumeClaimReference { - if in == nil { - return nil - } - out := new(PersistentVolumeClaimReference) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *PersistentVolumeConfig) DeepCopyInto(out *PersistentVolumeConfig) { - *out = *in - out.Claim = in.Claim - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PersistentVolumeConfig. -func (in *PersistentVolumeConfig) DeepCopy() *PersistentVolumeConfig { - if in == nil { - return nil - } - out := new(PersistentVolumeConfig) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *PlatformSpec) DeepCopyInto(out *PlatformSpec) { *out = *in @@ -6168,23 +5960,6 @@ func (in *SignatureStore) DeepCopy() *SignatureStore { return out } -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *Storage) DeepCopyInto(out *Storage) { - *out = *in - out.PersistentVolume = in.PersistentVolume - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Storage. -func (in *Storage) DeepCopy() *Storage { - if in == nil { - return nil - } - out := new(Storage) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *StringSource) DeepCopyInto(out *StringSource) { *out = *in diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml index a1d37f65d0..ded622b898 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml @@ -6,6 +6,7 @@ apiservers.config.openshift.io: Capability: "" Category: "" FeatureGates: + - KMSEncryption - KMSEncryptionProvider FilenameOperatorName: config-operator FilenameOperatorOrdering: "01" @@ -368,7 +369,6 @@ infrastructures.config.openshift.io: - DualReplica - DyanmicServiceEndpointIBMCloud - GCPClusterHostedDNSInstall - - GCPCustomAPIEndpointsInstall - HighlyAvailableArbiter - HighlyAvailableArbiter+DualReplica - NutanixMultiSubnets @@ -411,29 +411,6 @@ ingresses.config.openshift.io: TopLevelFeatureGates: [] Version: v1 -insightsdatagathers.config.openshift.io: - Annotations: {} - ApprovedPRNumber: https://github.com/openshift/api/pull/2448 - CRDName: insightsdatagathers.config.openshift.io - Capability: "" - Category: "" - FeatureGates: - - InsightsConfig - FilenameOperatorName: config-operator - FilenameOperatorOrdering: "01" - FilenameRunLevel: "0000_10" - GroupName: config.openshift.io - HasStatus: false - KindName: InsightsDataGather - Labels: {} - PluralName: insightsdatagathers - PrinterColumns: [] - Scope: Cluster - ShortNames: null - TopLevelFeatureGates: - - InsightsConfig - Version: v1 - networks.config.openshift.io: Annotations: release.openshift.io/bootstrap-required: "true" @@ -575,7 +552,7 @@ schedulers.config.openshift.io: Capability: "" Category: "" FeatureGates: - - DynamicResourceAllocation + - HyperShiftOnlyDynamicResourceAllocation FilenameOperatorName: config-operator FilenameOperatorOrdering: "01" FilenameRunLevel: "0000_10" diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go index b9d0799fbd..766ac5ddab 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go @@ -1335,7 +1335,7 @@ func (PolicyMatchRemapIdentity) SwaggerDoc() map[string]string { var map_PolicyRootOfTrust = map[string]string{ "": "PolicyRootOfTrust defines the root of trust based on the selected policyType.", - "policyType": "policyType is a required field specifies the type of the policy for verification. This field must correspond to how the policy was generated. Allowed values are \"PublicKey\", \"FulcioCAWithRekor\", and \"PKI\". When set to \"PublicKey\", the policy relies on a sigstore publicKey and may optionally use a Rekor verification. When set to \"FulcioCAWithRekor\", the policy is based on the Fulcio certification and incorporates a Rekor verification. When set to \"PKI\", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI). This value is enabled by turning on the SigstoreImageVerificationPKI feature gate.", + "policyType": "policyType is a required field specifies the type of the policy for verification. This field must correspond to how the policy was generated. Allowed values are \"PublicKey\", \"FulcioCAWithRekor\", and \"PKI\". When set to \"PublicKey\", the policy relies on a sigstore publicKey and may optionally use a Rekor verification. When set to \"FulcioCAWithRekor\", the policy is based on the Fulcio certification and incorporates a Rekor verification. When set to \"PKI\", the policy is based on the certificates from Bring Your Own Public Key Infrastructure (BYOPKI).", "publicKey": "publicKey defines the root of trust configuration based on a sigstore public key. Optionally include a Rekor public key for Rekor verification. publicKey is required when policyType is PublicKey, and forbidden otherwise.", "fulcioCAWithRekor": "fulcioCAWithRekor defines the root of trust configuration based on the Fulcio certificate and the Rekor public key. fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise For more information about Fulcio and Rekor, please refer to the document at: https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor", "pki": "pki defines the root of trust configuration based on Bring Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and corresponding intermediate certificates. pki is required when policyType is PKI, and forbidden otherwise.", @@ -1616,7 +1616,6 @@ var map_GCPPlatformStatus = map[string]string{ "resourceLabels": "resourceLabels is a list of additional labels to apply to GCP resources created for the cluster. See https://cloud.google.com/compute/docs/labeling-resources for information on labeling GCP resources. GCP supports a maximum of 64 labels per resource. OpenShift reserves 32 labels for internal use, allowing 32 labels for user configuration.", "resourceTags": "resourceTags is a list of additional tags to apply to GCP resources created for the cluster. See https://cloud.google.com/resource-manager/docs/tags/tags-overview for information on tagging GCP resources. GCP supports a maximum of 50 tags per resource.", "cloudLoadBalancerConfig": "cloudLoadBalancerConfig holds configuration related to DNS and cloud load balancers. It allows configuration of in-cluster DNS as an alternative to the platform default DNS implementation. When using the ClusterHosted DNS type, Load Balancer IP addresses must be provided for the API and internal API load balancers as well as the ingress load balancer.", - "serviceEndpoints": "serviceEndpoints specifies endpoints that override the default endpoints used when creating clients to interact with GCP services. When not specified, the default endpoint for the GCP region will be used. Only 1 endpoint override is permitted for each GCP service. The maximum number of endpoint overrides allowed is 11.", } func (GCPPlatformStatus) SwaggerDoc() map[string]string { @@ -1644,16 +1643,6 @@ func (GCPResourceTag) SwaggerDoc() map[string]string { return map_GCPResourceTag } -var map_GCPServiceEndpoint = map[string]string{ - "": "GCPServiceEndpoint store the configuration of a custom url to override existing defaults of GCP Services.", - "name": "name is the name of the GCP service whose endpoint is being overridden. This must be provided and cannot be empty.\n\nAllowed values are Compute, Container, CloudResourceManager, DNS, File, IAM, ServiceUsage, Storage, and TagManager.\n\nAs an example, when setting the name to Compute all requests made by the caller to the GCP Compute Service will be directed to the endpoint specified in the url field.", - "url": "url is a fully qualified URI that overrides the default endpoint for a client using the GCP service specified in the name field. url is required, must use the scheme https, must not be more than 253 characters in length, and must be a valid URL according to Go's net/url package (https://pkg.go.dev/net/url#URL)\n\nAn example of a valid endpoint that overrides the Compute Service: \"https://compute-myendpoint1.p.googleapis.com\"", -} - -func (GCPServiceEndpoint) SwaggerDoc() map[string]string { - return map_GCPServiceEndpoint -} - var map_IBMCloudPlatformSpec = map[string]string{ "": "IBMCloudPlatformSpec holds the desired state of the IBMCloud infrastructure provider. This only includes fields that can be modified in the cluster.", "serviceEndpoints": "serviceEndpoints is a list of custom endpoints which will override the default service endpoints of an IBM service. These endpoints are used by components within the cluster when trying to reach the IBM Cloud Services that have been overridden. The CCCMO reads in the IBMCloudPlatformSpec and validates each endpoint is resolvable. Once validated, the cloud config and IBMCloudPlatformStatus are updated to reflect the same custom endpoints. A maximum of 13 service endpoints overrides are supported.", @@ -2202,104 +2191,6 @@ func (LoadBalancer) SwaggerDoc() map[string]string { return map_LoadBalancer } -var map_Custom = map[string]string{ - "": "Custom provides the custom configuration of gatherers", - "configs": "configs is a required list of gatherers configurations that can be used to enable or disable specific gatherers. It may not exceed 100 items and each gatherer can be present only once. It is possible to disable an entire set of gatherers while allowing a specific function within that set. The particular gatherers IDs can be found at https://github.com/openshift/insights-operator/blob/master/docs/gathered-data.md. Run the following command to get the names of last active gatherers: \"oc get insightsoperators.operator.openshift.io cluster -o json | jq '.status.gatherStatus.gatherers[].name'\"", -} - -func (Custom) SwaggerDoc() map[string]string { - return map_Custom -} - -var map_GatherConfig = map[string]string{ - "": "GatherConfig provides data gathering configuration options.", - "dataPolicy": "dataPolicy is an optional list of DataPolicyOptions that allows user to enable additional obfuscation of the Insights archive data. It may not exceed 2 items and must not contain duplicates. Valid values are ObfuscateNetworking and WorkloadNames. When set to ObfuscateNetworking the IP addresses and the cluster domain name are obfuscated. When set to WorkloadNames, the gathered data about cluster resources will not contain the workload names for your deployments. Resources UIDs will be used instead. When omitted no obfuscation is applied.", - "gatherers": "gatherers is a required field that specifies the configuration of the gatherers.", - "storage": "storage is an optional field that allows user to define persistent storage for gathering jobs to store the Insights data archive. If omitted, the gathering job will use ephemeral storage.", -} - -func (GatherConfig) SwaggerDoc() map[string]string { - return map_GatherConfig -} - -var map_GathererConfig = map[string]string{ - "": "GathererConfig allows to configure specific gatherers", - "name": "name is the required name of a specific gatherer. It may not exceed 256 characters. The format for a gatherer name is: {gatherer}/{function} where the function is optional. Gatherer consists of a lowercase letters only that may include underscores (_). Function consists of a lowercase letters only that may include underscores (_) and is separated from the gatherer by a forward slash (/). The particular gatherers can be found at https://github.com/openshift/insights-operator/blob/master/docs/gathered-data.md. Run the following command to get the names of last active gatherers: \"oc get insightsoperators.operator.openshift.io cluster -o json | jq '.status.gatherStatus.gatherers[].name'\"", - "state": "state is a required field that allows you to configure specific gatherer. Valid values are \"Enabled\" and \"Disabled\". When set to Enabled the gatherer will run. When set to Disabled the gatherer will not run.", -} - -func (GathererConfig) SwaggerDoc() map[string]string { - return map_GathererConfig -} - -var map_Gatherers = map[string]string{ - "": "Gatherers specifies the configuration of the gatherers", - "mode": "mode is a required field that specifies the mode for gatherers. Allowed values are All, None, and Custom. When set to All, all gatherers will run and gather data. When set to None, all gatherers will be disabled and no data will be gathered. When set to Custom, the custom configuration from the custom field will be applied.", - "custom": "custom provides gathering configuration. It is required when mode is Custom, and forbidden otherwise. Custom configuration allows user to disable only a subset of gatherers. Gatherers that are not explicitly disabled in custom configuration will run.", -} - -func (Gatherers) SwaggerDoc() map[string]string { - return map_Gatherers -} - -var map_InsightsDataGather = map[string]string{ - "": "InsightsDataGather provides data gather configuration options for the Insights Operator.\n\n\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", - "metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", - "spec": "spec holds user settable values for configuration", -} - -func (InsightsDataGather) SwaggerDoc() map[string]string { - return map_InsightsDataGather -} - -var map_InsightsDataGatherList = map[string]string{ - "": "InsightsDataGatherList is a collection of items Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", - "metadata": "metadata is the required standard list's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", - "items": "items is the required list of InsightsDataGather objects it may not exceed 100 items", -} - -func (InsightsDataGatherList) SwaggerDoc() map[string]string { - return map_InsightsDataGatherList -} - -var map_InsightsDataGatherSpec = map[string]string{ - "": "InsightsDataGatherSpec contains the configuration for the data gathering.", - "gatherConfig": "gatherConfig is a required spec attribute that includes all the configuration options related to gathering of the Insights data and its uploading to the ingress.", -} - -func (InsightsDataGatherSpec) SwaggerDoc() map[string]string { - return map_InsightsDataGatherSpec -} - -var map_PersistentVolumeClaimReference = map[string]string{ - "": "PersistentVolumeClaimReference is a reference to a PersistentVolumeClaim.", - "name": "name is the name of the PersistentVolumeClaim that will be used to store the Insights data archive. It is a string that follows the DNS1123 subdomain format. It must be at most 253 characters in length, and must consist only of lower case alphanumeric characters, '-' and '.', and must start and end with an alphanumeric character.", -} - -func (PersistentVolumeClaimReference) SwaggerDoc() map[string]string { - return map_PersistentVolumeClaimReference -} - -var map_PersistentVolumeConfig = map[string]string{ - "": "PersistentVolumeConfig provides configuration options for PersistentVolume storage.", - "claim": "claim is a required field that specifies the configuration of the PersistentVolumeClaim that will be used to store the Insights data archive. The PersistentVolumeClaim must be created in the openshift-insights namespace.", - "mountPath": "mountPath is an optional field specifying the directory where the PVC will be mounted inside the Insights data gathering Pod. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default mount path is /var/lib/insights-operator The path may not exceed 1024 characters and must not contain a colon.", -} - -func (PersistentVolumeConfig) SwaggerDoc() map[string]string { - return map_PersistentVolumeConfig -} - -var map_Storage = map[string]string{ - "": "Storage provides persistent storage configuration options for gathering jobs. If the type is set to PersistentVolume, then the PersistentVolume must be defined. If the type is set to Ephemeral, then the PersistentVolume must not be defined.", - "type": "type is a required field that specifies the type of storage that will be used to store the Insights data archive. Valid values are \"PersistentVolume\" and \"Ephemeral\". When set to Ephemeral, the Insights data archive is stored in the ephemeral storage of the gathering job. When set to PersistentVolume, the Insights data archive is stored in the PersistentVolume that is defined by the persistentVolume field.", - "persistentVolume": "persistentVolume is an optional field that specifies the PersistentVolume that will be used to store the Insights data archive. The PersistentVolume must be created in the openshift-insights namespace.", -} - -func (Storage) SwaggerDoc() map[string]string { - return map_Storage -} - var map_AWSKMSConfig = map[string]string{ "": "AWSKMSConfig defines the KMS config specific to AWS KMS provider", "keyARN": "keyARN specifies the Amazon Resource Name (ARN) of the AWS KMS key used for encryption. The value must adhere to the format `arn:aws:kms:::key/`, where: - `` is the AWS region consisting of lowercase letters and hyphens followed by a number. - `` is a 12-digit numeric identifier for the AWS account. - `` is a unique identifier for the KMS key, consisting of lowercase hexadecimal characters and hyphens.", @@ -2901,7 +2792,7 @@ func (SchedulerList) SwaggerDoc() map[string]string { var map_SchedulerSpec = map[string]string{ "policy": "DEPRECATED: the scheduler Policy API has been deprecated and will be removed in a future release. policy is a reference to a ConfigMap containing scheduler policy which has user specified predicates and priorities. If this ConfigMap is not available scheduler will default to use DefaultAlgorithmProvider. The namespace for this configmap is openshift-config.", "profile": "profile sets which scheduling profile should be set in order to configure scheduling decisions for new pods.\n\nValid values are \"LowNodeUtilization\", \"HighNodeUtilization\", \"NoScoring\" Defaults to \"LowNodeUtilization\"", - "profileCustomizations": "profileCustomizations contains configuration for modifying the default behavior of existing scheduler profiles.", + "profileCustomizations": "profileCustomizations contains configuration for modifying the default behavior of existing scheduler profiles. Deprecated: no longer needed, since DRA is GA starting with 4.21, and is enabled by' default in the cluster, this field will be removed in 4.24.", "defaultNodeSelector": "defaultNodeSelector helps set the cluster-wide default node selector to restrict pod placement to specific nodes. This is applied to the pods created in all namespaces and creates an intersection with any existing nodeSelectors already set on a pod, additionally constraining that pod's selector. For example, defaultNodeSelector: \"type=user-node,region=east\" would set nodeSelector field in pod spec to \"type=user-node,region=east\" to all pods created in all namespaces. Namespaces having project-wide node selectors won't be impacted even if this field is set. This adds an annotation section to the namespace. For example, if a new namespace is created with node-selector='type=user-node,region=east', the annotation openshift.io/node-selector: type=user-node,region=east gets added to the project. When the openshift.io/node-selector annotation is set on the project the value is used in preference to the value we are setting for defaultNodeSelector field. For instance, openshift.io/node-selector: \"type=user-node,region=west\" means that the default of \"type=user-node,region=east\" set in defaultNodeSelector would not be applied.", "mastersSchedulable": "mastersSchedulable allows masters nodes to be schedulable. When this flag is turned on, all the master nodes in the cluster will be made schedulable, so that workload pods can run on them. The default value for this field is false, meaning none of the master nodes are schedulable. Important Note: Once the workload pods start running on the master nodes, extreme care must be taken to ensure that cluster-critical control plane components are not impacted. Please turn on this field after doing due diligence.", } diff --git a/vendor/github.com/openshift/api/config/v1alpha1/types_cluster_monitoring.go b/vendor/github.com/openshift/api/config/v1alpha1/types_cluster_monitoring.go index f6d4cd3420..0653eeb5a5 100644 --- a/vendor/github.com/openshift/api/config/v1alpha1/types_cluster_monitoring.go +++ b/vendor/github.com/openshift/api/config/v1alpha1/types_cluster_monitoring.go @@ -33,7 +33,7 @@ import ( // +openshift:api-approved.openshift.io=https://github.com/openshift/api/pull/1929 // +openshift:file-pattern=cvoRunLevel=0000_10,operatorName=config-operator,operatorOrdering=01 // +kubebuilder:object:root=true -// +kubebuilder:resource:path=clustermonitoring,scope=Cluster +// +kubebuilder:resource:path=clustermonitorings,scope=Cluster // +kubebuilder:subresource:status // +kubebuilder:metadata:annotations="description=Cluster Monitoring Operators configuration API" // +openshift:enable:FeatureGate=ClusterMonitoringConfig diff --git a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.featuregated-crd-manifests.yaml b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.featuregated-crd-manifests.yaml index b9dca71a92..2f79f801dd 100644 --- a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.featuregated-crd-manifests.yaml +++ b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.featuregated-crd-manifests.yaml @@ -45,11 +45,11 @@ clusterimagepolicies.config.openshift.io: - SigstoreImageVerification Version: v1alpha1 -clustermonitoring.config.openshift.io: +clustermonitorings.config.openshift.io: Annotations: description: Cluster Monitoring Operators configuration API ApprovedPRNumber: https://github.com/openshift/api/pull/1929 - CRDName: clustermonitoring.config.openshift.io + CRDName: clustermonitorings.config.openshift.io Capability: "" Category: "" FeatureGates: @@ -61,7 +61,7 @@ clustermonitoring.config.openshift.io: HasStatus: true KindName: ClusterMonitoring Labels: {} - PluralName: clustermonitoring + PluralName: clustermonitorings PrinterColumns: [] Scope: Cluster ShortNames: null diff --git a/vendor/github.com/openshift/api/features.md b/vendor/github.com/openshift/api/features.md index e74ac0734b..34976ca446 100644 --- a/vendor/github.com/openshift/api/features.md +++ b/vendor/github.com/openshift/api/features.md @@ -1,20 +1,23 @@ | FeatureGate | Default on Hypershift | Default on SelfManagedHA | DevPreviewNoUpgrade on Hypershift | DevPreviewNoUpgrade on SelfManagedHA | TechPreviewNoUpgrade on Hypershift | TechPreviewNoUpgrade on SelfManagedHA | | ------ | --- | --- | --- | --- | --- | --- | +| ClientsAllowCBOR| | | | | | | | ClusterAPIInstall| | | | | | | | EventedPLEG| | | | | | | +| GatewayAPIWithoutOLM| | | | | | | | MachineAPIOperatorDisableMachineHealthCheckController| | | | | | | | MultiArchInstallAzure| | | | | | | +| NewOLMBoxCutterRuntime| | | | | | | | ShortCertRotation| | | | | | | | ClusterAPIMachineManagementVSphere| | | Enabled | Enabled | | | | Example2| | | Enabled | Enabled | | | | ExternalSnapshotMetadata| | | Enabled | Enabled | | | -| IngressControllerDynamicConfigurationManager| | | Enabled | Enabled | | | -| NewOLMBoxCutterRuntime| | | | Enabled | | Enabled | +| KMSEncryptionProvider| | | Enabled | Enabled | | | | NewOLMCatalogdAPIV1Metas| | | | Enabled | | Enabled | | NewOLMOwnSingleNamespace| | | | Enabled | | Enabled | | NewOLMPreflightPermissionChecks| | | | Enabled | | Enabled | | NoRegistryClusterInstall| | | | Enabled | | Enabled | | ProvisioningRequestAvailable| | | Enabled | Enabled | | | +| HyperShiftOnlyDynamicResourceAllocation| Enabled | | Enabled | | Enabled | | | NewOLM| | Enabled | | Enabled | | Enabled | | NewOLMWebhookProviderOpenshiftServiceCA| | Enabled | | Enabled | | Enabled | | AWSClusterHostedDNS| | | Enabled | Enabled | Enabled | Enabled | @@ -31,7 +34,6 @@ | BootcNodeManagement| | | Enabled | Enabled | Enabled | Enabled | | CBORServingAndStorage| | | Enabled | Enabled | Enabled | Enabled | | CRDCompatibilityRequirementOperator| | | Enabled | Enabled | Enabled | Enabled | -| ClientsAllowCBOR| | | Enabled | Enabled | Enabled | Enabled | | ClientsPreferCBOR| | | Enabled | Enabled | Enabled | Enabled | | ClusterAPIInstallIBMCloud| | | Enabled | Enabled | Enabled | Enabled | | ClusterAPIMachineManagement| | | Enabled | Enabled | Enabled | Enabled | @@ -40,20 +42,18 @@ | DNSNameResolver| | | Enabled | Enabled | Enabled | Enabled | | DualReplica| | | Enabled | Enabled | Enabled | Enabled | | DyanmicServiceEndpointIBMCloud| | | Enabled | Enabled | Enabled | Enabled | -| DynamicResourceAllocation| | | Enabled | Enabled | Enabled | Enabled | | EtcdBackendQuota| | | Enabled | Enabled | Enabled | Enabled | -| EventTTL| | | Enabled | Enabled | Enabled | Enabled | | Example| | | Enabled | Enabled | Enabled | Enabled | | GCPClusterHostedDNS| | | Enabled | Enabled | Enabled | Enabled | | GCPCustomAPIEndpoints| | | Enabled | Enabled | Enabled | Enabled | | GCPCustomAPIEndpointsInstall| | | Enabled | Enabled | Enabled | Enabled | | GCPDualStackInstall| | | Enabled | Enabled | Enabled | Enabled | | ImageModeStatusReporting| | | Enabled | Enabled | Enabled | Enabled | -| ImageStreamImportMode| | | Enabled | Enabled | Enabled | Enabled | +| IngressControllerDynamicConfigurationManager| | | Enabled | Enabled | Enabled | Enabled | | InsightsConfig| | | Enabled | Enabled | Enabled | Enabled | | InsightsOnDemandDataGather| | | Enabled | Enabled | Enabled | Enabled | | IrreconcilableMachineConfig| | | Enabled | Enabled | Enabled | Enabled | -| KMSEncryptionProvider| | | Enabled | Enabled | Enabled | Enabled | +| KMSEncryption| | | Enabled | Enabled | Enabled | Enabled | | MachineAPIMigration| | | Enabled | Enabled | Enabled | Enabled | | ManagedBootImagesCPMS| | | Enabled | Enabled | Enabled | Enabled | | MaxUnavailableStatefulSet| | | Enabled | Enabled | Enabled | Enabled | @@ -66,9 +66,9 @@ | OSStreams| | | Enabled | Enabled | Enabled | Enabled | | OVNObservability| | | Enabled | Enabled | Enabled | Enabled | | OnPremDNSRecords| | | Enabled | Enabled | Enabled | Enabled | +| OpenShiftPodSecurityAdmission| | | Enabled | Enabled | Enabled | Enabled | | SELinuxMount| | | Enabled | Enabled | Enabled | Enabled | | SignatureStores| | | Enabled | Enabled | Enabled | Enabled | -| SigstoreImageVerificationPKI| | | Enabled | Enabled | Enabled | Enabled | | TranslateStreamCloseWebsocketRequests| | | Enabled | Enabled | Enabled | Enabled | | VSphereConfigurableMaxAllowedBlockVolumesPerNode| | | Enabled | Enabled | Enabled | Enabled | | VSphereHostVMGroupZonal| | | Enabled | Enabled | Enabled | Enabled | @@ -81,12 +81,14 @@ | BuildCSIVolumes| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | CPMSMachineNamePrefix| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | ConsolePluginContentSecurityPolicy| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | +| EventTTL| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | ExternalOIDC| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | ExternalOIDCWithUIDAndExtraClaimMappings| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | GCPClusterHostedDNSInstall| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | GatewayAPI| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | GatewayAPIController| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | HighlyAvailableArbiter| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | +| ImageStreamImportMode| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | ImageVolume| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | KMSv1| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | MachineConfigNodes| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | @@ -98,7 +100,6 @@ | NetworkDiagnosticsConfig| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | NetworkLiveMigration| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | NetworkSegmentation| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | -| OpenShiftPodSecurityAdmission| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | PinnedImages| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | PreconfiguredUDNAddresses| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | ProcMountType| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | @@ -106,6 +107,7 @@ | RouteExternalCertificate| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | ServiceAccountTokenNodeBinding| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | SigstoreImageVerification| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | +| SigstoreImageVerificationPKI| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | StoragePerformantSecurityPolicy| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | UpgradeStatus| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | | UserNamespacesPodSecurityStandards| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | diff --git a/vendor/github.com/openshift/api/features/features.go b/vendor/github.com/openshift/api/features/features.go index 4dbc7fa02f..fa4250a14e 100644 --- a/vendor/github.com/openshift/api/features/features.go +++ b/vendor/github.com/openshift/api/features/features.go @@ -73,7 +73,7 @@ var ( contactPerson("ibihim"). productScope(ocpSpecific). enhancementPR("https://github.com/openshift/enhancements/pull/899"). - enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() FeatureGateBuildCSIVolumes = newFeatureGate("BuildCSIVolumes"). @@ -84,14 +84,6 @@ var ( enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() - FeatureGateDynamicResourceAllocation = newFeatureGate("DynamicResourceAllocation"). - reportProblemsToJiraComponent("scheduling"). - contactPerson("jchaloup"). - productScope(kubernetes). - enhancementPR("https://github.com/kubernetes/enhancements/issues/4381"). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). - mustRegister() - FeatureGateAzureWorkloadIdentity = newFeatureGate("AzureWorkloadIdentity"). reportProblemsToJiraComponent("cloud-credential-operator"). contactPerson("abutcher"). @@ -136,7 +128,7 @@ var ( contactPerson("QiWang"). productScope(ocpSpecific). enhancementPR("https://github.com/openshift/enhancements/pull/1658"). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default). mustRegister() FeatureGateAlibabaPlatform = newFeatureGate("AlibabaPlatform"). @@ -501,7 +493,7 @@ var ( reportProblemsToJiraComponent("olm"). contactPerson("nschieder"). productScope(ocpSpecific). - enhancementPR("https://github.com/openshift/enhancements/pull/1774"). + enhancementPR("https://github.com/openshift/enhancements/pull/1849"). enableForClusterProfile(SelfManaged, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() @@ -518,7 +510,6 @@ var ( contactPerson("pegoncal"). productScope(ocpSpecific). enhancementPR("https://github.com/openshift/enhancements/pull/1890"). - enableForClusterProfile(SelfManaged, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() FeatureGateInsightsOnDemandDataGather = newFeatureGate("InsightsOnDemandDataGather"). @@ -597,7 +588,7 @@ var ( contactPerson("psundara"). productScope(ocpSpecific). enhancementPR(legacyFeatureGateWithoutEnhancement). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enableIn(configv1.Default, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() FeatureGateUserNamespacesSupport = newFeatureGate("UserNamespacesSupport"). @@ -639,8 +630,8 @@ var ( reportProblemsToJiraComponent("Networking/router"). contactPerson("miciah"). productScope(ocpSpecific). - enhancementPR(legacyFeatureGateWithoutEnhancement). - enableIn(configv1.DevPreviewNoUpgrade). + enhancementPR("https://github.com/openshift/enhancements/pull/1687"). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() FeatureGateMinimumKubeletVersion = newFeatureGate("MinimumKubeletVersion"). @@ -664,9 +655,17 @@ var ( contactPerson("swghosh"). productScope(ocpSpecific). enhancementPR("https://github.com/openshift/enhancements/pull/1682"). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enableIn(configv1.DevPreviewNoUpgrade). mustRegister() + FeatureGateKMSEncryption = newFeatureGate("KMSEncryption"). + reportProblemsToJiraComponent("kube-apiserver"). + contactPerson("ardaguclu"). + productScope(ocpSpecific). + enhancementPR("https://github.com/openshift/enhancements/pull/1900"). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + mustRegister() + FeatureGateHighlyAvailableArbiter = newFeatureGate("HighlyAvailableArbiter"). reportProblemsToJiraComponent("Two Node with Arbiter"). contactPerson("eggfoobar"). @@ -883,7 +882,6 @@ var ( contactPerson("benluddy"). productScope(kubernetes). enhancementPR("https://github.com/kubernetes/enhancements/issues/4222"). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). mustRegister() FeatureClientsPreferCBOR = newFeatureGate("ClientsPreferCBOR"). @@ -899,7 +897,7 @@ var ( contactPerson("tjungblu"). productScope(ocpSpecific). enhancementPR("https://github.com/openshift/enhancements/pull/1857"). - enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade). + enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default). mustRegister() FeatureGateMutableCSINodeAllocatableCount = newFeatureGate("MutableCSINodeAllocatableCount"). @@ -939,4 +937,19 @@ var ( enhancementPR("https://github.com/openshift/enhancements/pull/1752"). enableIn(configv1.DevPreviewNoUpgrade). mustRegister() + + FeatureGateHyperShiftOnlyDynamicResourceAllocation = newFeatureGate("HyperShiftOnlyDynamicResourceAllocation"). + reportProblemsToJiraComponent("hypershift"). + contactPerson("csrwng"). + productScope(ocpSpecific). + enhancementPR("https://github.com/kubernetes/enhancements/issues/4381"). + enableForClusterProfile(Hypershift, configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default). + mustRegister() + + FeatureGateGatewayAPIWithoutOLM = newFeatureGate("GatewayAPIWithoutOLM"). + reportProblemsToJiraComponent("Routing"). + contactPerson("miciah"). + productScope(ocpSpecific). + enhancementPR("https://github.com/openshift/enhancements/pull/1933"). + mustRegister() ) diff --git a/vendor/github.com/openshift/api/machine/v1beta1/types_awsprovider.go b/vendor/github.com/openshift/api/machine/v1beta1/types_awsprovider.go index 161f2324c2..c6442186a0 100644 --- a/vendor/github.com/openshift/api/machine/v1beta1/types_awsprovider.go +++ b/vendor/github.com/openshift/api/machine/v1beta1/types_awsprovider.go @@ -115,13 +115,14 @@ type AWSMachineProviderConfig struct { // +optional MarketType MarketType `json:"marketType,omitempty"` + // Tombstone: This field was moved into the Placement struct to belong w/ the Tenancy field due to involvement with the setting. // hostPlacement configures placement on AWS Dedicated Hosts. This allows admins to assign instances to specific host // for a variety of needs including for regulatory compliance, to leverage existing per-socket or per-core software licenses (BYOL), // and to gain visibility and control over instance placement on a physical server. // When omitted, the instance is not constrained to a dedicated host. // +openshift:enable:FeatureGate=AWSDedicatedHosts // +optional - HostPlacement *HostPlacement `json:"hostPlacement,omitempty"` + //HostPlacement *HostPlacement `json:"hostPlacement,omitempty"` } // AWSConfidentialComputePolicy represents the confidential compute configuration for the instance. @@ -213,6 +214,19 @@ type EBSBlockDeviceSpec struct { // it is not used in requests to create gp2, st1, sc1, or standard volumes. // +optional Iops *int64 `json:"iops,omitempty"` + // throughputMib to provision in MiB/s supported for the volume type. Not applicable to all types. + // + // This parameter is valid only for gp3 volumes. + // Valid Range: Minimum value of 125. Maximum value of 2000. + // + // When omitted, this means no opinion, and the platform is left to + // choose a reasonable default, which is subject to change over time. + // The current default is 125. + // + // +kubebuilder:validation:Minimum:=125 + // +kubebuilder:validation:Maximum:=2000 + // +optional + ThroughputMib *int32 `json:"throughputMib,omitempty"` // The size of the volume, in GiB. // // Constraints: 1-16384 for General Purpose SSD (gp2), 4-16384 for Provisioned @@ -225,7 +239,7 @@ type EBSBlockDeviceSpec struct { // a volume size, the default is the snapshot size. // +optional VolumeSize *int64 `json:"volumeSize,omitempty"` - // The volume type: gp2, io1, st1, sc1, or standard. + // volumeType can be of type gp2, gp3, io1, st1, sc1, or standard. // Default: standard // +optional VolumeType *string `json:"volumeType,omitempty"` @@ -281,6 +295,7 @@ type AWSResourceReference struct { } // Placement indicates where to create the instance in AWS +// +kubebuilder:validation:XValidation:rule="has(self.tenancy) && self.tenancy == 'host' ? true : !has(self.host)",message="host may only be specified when tenancy is host" type Placement struct { // region is the region to use to create the instance // +optional @@ -290,8 +305,19 @@ type Placement struct { AvailabilityZone string `json:"availabilityZone,omitempty"` // tenancy indicates if instance should run on shared or single-tenant hardware. There are // supported 3 options: default, dedicated and host. + // When set to default Runs on shared multi-tenant hardware. + // When dedicated Runs on single-tenant hardware (any dedicated instance hardware). + // When host and the host object is not provided: Runs on Dedicated Host; best-effort restart on same host. + // When `host` and `host` object is provided with affinity `dedicatedHost` defined: Runs on specified Dedicated Host. // +optional Tenancy InstanceTenancy `json:"tenancy,omitempty"` + // host configures placement on AWS Dedicated Hosts. This allows admins to assign instances to specific host + // for a variety of needs including for regulatory compliance, to leverage existing per-socket or per-core software licenses (BYOL), + // and to gain visibility and control over instance placement on a physical server. + // When omitted, the instance is not constrained to a dedicated host. + // +openshift:enable:FeatureGate=AWSDedicatedHosts + // +optional + Host *HostPlacement `json:"host,omitempty"` } // Filter is a filter used to identify an AWS resource @@ -403,19 +429,20 @@ const ( ) // HostPlacement is the type that will be used to configure the placement of AWS instances. -// +kubebuilder:validation:XValidation:rule="has(self.type) && self.affinity == 'DedicatedHost' ? has(self.dedicatedHost) : !has(self.dedicatedHost)",message="dedicatedHost is required when affinity is DedicatedHost, and forbidden otherwise" +// +kubebuilder:validation:XValidation:rule="has(self.affinity) && self.affinity == 'DedicatedHost' ? has(self.dedicatedHost) : true",message="dedicatedHost is required when affinity is DedicatedHost, and optional otherwise" // +union type HostPlacement struct { // affinity specifies the affinity setting for the instance. // Allowed values are AnyAvailable and DedicatedHost. // When Affinity is set to DedicatedHost, an instance started onto a specific host always restarts on the same host if stopped. In this scenario, the `dedicatedHost` field must be set. // When Affinity is set to AnyAvailable, and you stop and restart the instance, it can be restarted on any available host. + // When Affinity is set to AnyAvailable and the `dedicatedHost` field is defined, it runs on specified Dedicated Host, but may move if stopped. // +required // +unionDiscriminator Affinity *HostAffinity `json:"affinity,omitempty"` // dedicatedHost specifies the exact host that an instance should be restarted on if stopped. - // dedicatedHost is required when 'affinity' is set to DedicatedHost, and forbidden otherwise. + // dedicatedHost is required when 'affinity' is set to DedicatedHost, and optional otherwise. // +optional // +unionMember DedicatedHost *DedicatedHost `json:"dedicatedHost,omitempty"` diff --git a/vendor/github.com/openshift/api/machine/v1beta1/types_machineset.go b/vendor/github.com/openshift/api/machine/v1beta1/types_machineset.go index a2343dc398..1ecfd16526 100644 --- a/vendor/github.com/openshift/api/machine/v1beta1/types_machineset.go +++ b/vendor/github.com/openshift/api/machine/v1beta1/types_machineset.go @@ -128,6 +128,14 @@ type MachineSetStatus struct { // observedGeneration reflects the generation of the most recently observed MachineSet. // +optional ObservedGeneration int64 `json:"observedGeneration,omitempty"` + // labelSelector is a label selector, in string format, for Machines corresponding to the MachineSet. + // It is exposed via the scale subresource as status.selector. + // When omitted, the MachineSet controller has not yet reconciled spec.selector into status.labelSelector. + // When present, it must not be empty and must not exceed 4096 characters. + // +kubebuilder:validation:MinLength=1 + // +kubebuilder:validation:MaxLength=4096 + // +optional + LabelSelector string `json:"labelSelector,omitempty"` // In the event that there is a terminal problem reconciling the // replicas, both ErrorReason and ErrorMessage will be set. ErrorReason // will be populated with a succinct value suitable for machine diff --git a/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.deepcopy.go index 92586dcdf1..d08906c7d8 100644 --- a/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.deepcopy.go +++ b/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.deepcopy.go @@ -61,7 +61,7 @@ func (in *AWSMachineProviderConfig) DeepCopyInto(out *AWSMachineProviderConfig) } } in.Subnet.DeepCopyInto(&out.Subnet) - out.Placement = in.Placement + in.Placement.DeepCopyInto(&out.Placement) if in.LoadBalancers != nil { in, out := &in.LoadBalancers, &out.LoadBalancers *out = make([]LoadBalancerReference, len(*in)) @@ -85,11 +85,6 @@ func (in *AWSMachineProviderConfig) DeepCopyInto(out *AWSMachineProviderConfig) *out = new(int32) **out = **in } - if in.HostPlacement != nil { - in, out := &in.HostPlacement, &out.HostPlacement - *out = new(HostPlacement) - (*in).DeepCopyInto(*out) - } return } @@ -581,6 +576,11 @@ func (in *EBSBlockDeviceSpec) DeepCopyInto(out *EBSBlockDeviceSpec) { *out = new(int64) **out = **in } + if in.ThroughputMib != nil { + in, out := &in.ThroughputMib, &out.ThroughputMib + *out = new(int32) + **out = **in + } if in.VolumeSize != nil { in, out := &in.VolumeSize, &out.VolumeSize *out = new(int64) @@ -1629,6 +1629,11 @@ func (in *ObjectMeta) DeepCopy() *ObjectMeta { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Placement) DeepCopyInto(out *Placement) { *out = *in + if in.Host != nil { + in, out := &in.Host, &out.Host + *out = new(HostPlacement) + (*in).DeepCopyInto(*out) + } return } diff --git a/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.swagger_doc_generated.go index 23b6eddd37..6032054d6c 100644 --- a/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.swagger_doc_generated.go +++ b/vendor/github.com/openshift/api/machine/v1beta1/zz_generated.swagger_doc_generated.go @@ -35,7 +35,6 @@ var map_AWSMachineProviderConfig = map[string]string{ "placementGroupPartition": "placementGroupPartition is the partition number within the placement group in which to launch the instance. This must be an integer value between 1 and 7. It is only valid if the placement group, referred in `PlacementGroupName` was created with strategy set to partition.", "capacityReservationId": "capacityReservationId specifies the target Capacity Reservation into which the instance should be launched. The field size should be greater than 0 and the field input must start with cr-***", "marketType": "marketType specifies the type of market for the EC2 instance. Valid values are OnDemand, Spot, CapacityBlock and omitted.\n\nDefaults to OnDemand. When SpotMarketOptions is provided, the marketType defaults to \"Spot\".\n\nWhen set to OnDemand the instance runs as a standard OnDemand instance. When set to Spot the instance runs as a Spot instance. When set to CapacityBlock the instance utilizes pre-purchased compute capacity (capacity blocks) with AWS Capacity Reservations. If this value is selected, capacityReservationID must be specified to identify the target reservation.", - "hostPlacement": "hostPlacement configures placement on AWS Dedicated Hosts. This allows admins to assign instances to specific host for a variety of needs including for regulatory compliance, to leverage existing per-socket or per-core software licenses (BYOL), and to gain visibility and control over instance placement on a physical server. When omitted, the instance is not constrained to a dedicated host.", } func (AWSMachineProviderConfig) SwaggerDoc() map[string]string { @@ -108,8 +107,9 @@ var map_EBSBlockDeviceSpec = map[string]string{ "encrypted": "Indicates whether the EBS volume is encrypted. Encrypted Amazon EBS volumes may only be attached to machines that support Amazon EBS encryption.", "kmsKey": "Indicates the KMS key that should be used to encrypt the Amazon EBS volume.", "iops": "The number of I/O operations per second (IOPS) that the volume supports. For io1, this represents the number of IOPS that are provisioned for the volume. For gp2, this represents the baseline performance of the volume and the rate at which the volume accumulates I/O credits for bursting. For more information about General Purpose SSD baseline performance, I/O credits, and bursting, see Amazon EBS Volume Types (http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumeTypes.html) in the Amazon Elastic Compute Cloud User Guide.\n\nMinimal and maximal IOPS for io1 and gp2 are constrained. Please, check https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumeTypes.html for precise boundaries for individual volumes.\n\nCondition: This parameter is required for requests to create io1 volumes; it is not used in requests to create gp2, st1, sc1, or standard volumes.", + "throughputMib": "throughputMib to provision in MiB/s supported for the volume type. Not applicable to all types.\n\nThis parameter is valid only for gp3 volumes. Valid Range: Minimum value of 125. Maximum value of 2000.\n\nWhen omitted, this means no opinion, and the platform is left to choose a reasonable default, which is subject to change over time. The current default is 125.", "volumeSize": "The size of the volume, in GiB.\n\nConstraints: 1-16384 for General Purpose SSD (gp2), 4-16384 for Provisioned IOPS SSD (io1), 500-16384 for Throughput Optimized HDD (st1), 500-16384 for Cold HDD (sc1), and 1-1024 for Magnetic (standard) volumes. If you specify a snapshot, the volume size must be equal to or larger than the snapshot size.\n\nDefault: If you're creating the volume from a snapshot and don't specify a volume size, the default is the snapshot size.", - "volumeType": "The volume type: gp2, io1, st1, sc1, or standard. Default: standard", + "volumeType": "volumeType can be of type gp2, gp3, io1, st1, sc1, or standard. Default: standard", } func (EBSBlockDeviceSpec) SwaggerDoc() map[string]string { @@ -128,8 +128,8 @@ func (Filter) SwaggerDoc() map[string]string { var map_HostPlacement = map[string]string{ "": "HostPlacement is the type that will be used to configure the placement of AWS instances.", - "affinity": "affinity specifies the affinity setting for the instance. Allowed values are AnyAvailable and DedicatedHost. When Affinity is set to DedicatedHost, an instance started onto a specific host always restarts on the same host if stopped. In this scenario, the `dedicatedHost` field must be set. When Affinity is set to AnyAvailable, and you stop and restart the instance, it can be restarted on any available host.", - "dedicatedHost": "dedicatedHost specifies the exact host that an instance should be restarted on if stopped. dedicatedHost is required when 'affinity' is set to DedicatedHost, and forbidden otherwise.", + "affinity": "affinity specifies the affinity setting for the instance. Allowed values are AnyAvailable and DedicatedHost. When Affinity is set to DedicatedHost, an instance started onto a specific host always restarts on the same host if stopped. In this scenario, the `dedicatedHost` field must be set. When Affinity is set to AnyAvailable, and you stop and restart the instance, it can be restarted on any available host. When Affinity is set to AnyAvailable and the `dedicatedHost` field is defined, it runs on specified Dedicated Host, but may move if stopped.", + "dedicatedHost": "dedicatedHost specifies the exact host that an instance should be restarted on if stopped. dedicatedHost is required when 'affinity' is set to DedicatedHost, and optional otherwise.", } func (HostPlacement) SwaggerDoc() map[string]string { @@ -157,7 +157,8 @@ var map_Placement = map[string]string{ "": "Placement indicates where to create the instance in AWS", "region": "region is the region to use to create the instance", "availabilityZone": "availabilityZone is the availability zone of the instance", - "tenancy": "tenancy indicates if instance should run on shared or single-tenant hardware. There are supported 3 options: default, dedicated and host.", + "tenancy": "tenancy indicates if instance should run on shared or single-tenant hardware. There are supported 3 options: default, dedicated and host. When set to default Runs on shared multi-tenant hardware. When dedicated Runs on single-tenant hardware (any dedicated instance hardware). When host and the host object is not provided: Runs on Dedicated Host; best-effort restart on same host. When `host` and `host` object is provided with affinity `dedicatedHost` defined: Runs on specified Dedicated Host.", + "host": "host configures placement on AWS Dedicated Hosts. This allows admins to assign instances to specific host for a variety of needs including for regulatory compliance, to leverage existing per-socket or per-core software licenses (BYOL), and to gain visibility and control over instance placement on a physical server. When omitted, the instance is not constrained to a dedicated host.", } func (Placement) SwaggerDoc() map[string]string { @@ -725,6 +726,7 @@ var map_MachineSetStatus = map[string]string{ "readyReplicas": "The number of ready replicas for this MachineSet. A machine is considered ready when the node has been created and is \"Ready\".", "availableReplicas": "The number of available replicas (ready for at least minReadySeconds) for this MachineSet.", "observedGeneration": "observedGeneration reflects the generation of the most recently observed MachineSet.", + "labelSelector": "labelSelector is a label selector, in string format, for Machines corresponding to the MachineSet. It is exposed via the scale subresource as status.selector. When omitted, the MachineSet controller has not yet reconciled spec.selector into status.labelSelector. When present, it must not be empty and must not exceed 4096 characters.", "errorReason": "In the event that there is a terminal problem reconciling the replicas, both ErrorReason and ErrorMessage will be set. ErrorReason will be populated with a succinct value suitable for machine interpretation, while ErrorMessage will contain a more verbose string suitable for logging and human consumption.\n\nThese fields should not be set for transitive errors that a controller faces that are expected to be fixed automatically over time (like service outages), but instead indicate that something is fundamentally wrong with the MachineTemplate's spec or the configuration of the machine controller, and that manual intervention is required. Examples of terminal errors would be invalid combinations of settings in the spec, values that are unsupported by the machine controller, or the responsible machine controller itself being critically misconfigured.\n\nAny transient errors that occur during the reconciliation of Machines can be added as events to the MachineSet object and/or logged in the controller's output.", "conditions": "conditions defines the current state of the MachineSet", "authoritativeAPI": "authoritativeAPI is the API that is authoritative for this resource. Valid values are MachineAPI, ClusterAPI and Migrating. This value is updated by the migration controller to reflect the authoritative API. Machine API and Cluster API controllers use this value to determine whether or not to reconcile the resource. When set to Migrating, the migration controller is currently performing the handover of authority from one API to the other.", diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-Default.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-Default.crd.yaml deleted file mode 100644 index 3e7c51dc6f..0000000000 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-Default.crd.yaml +++ /dev/null @@ -1,335 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.openshift.io: https://github.com/openshift/api/pull/475 - api.openshift.io/merged-by-featuregates: "true" - include.release.openshift.io/ibm-cloud-managed: "true" - include.release.openshift.io/self-managed-high-availability: "true" - release.openshift.io/feature-set: Default - name: kubeapiservers.operator.openshift.io -spec: - group: operator.openshift.io - names: - categories: - - coreoperators - kind: KubeAPIServer - listKind: KubeAPIServerList - plural: kubeapiservers - singular: kubeapiserver - scope: Cluster - versions: - - name: v1 - schema: - openAPIV3Schema: - description: |- - KubeAPIServer provides information to configure an operator to manage kube-apiserver. - - Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: spec is the specification of the desired behavior of the - Kubernetes API Server - properties: - failedRevisionLimit: - description: |- - failedRevisionLimit is the number of failed static pod installer revisions to keep on disk and in the api - -1 = unlimited, 0 or unset = 5 (default) - format: int32 - type: integer - forceRedeploymentReason: - description: |- - forceRedeploymentReason can be used to force the redeployment of the operand by providing a unique string. - This provides a mechanism to kick a previously failed deployment and provide a reason why you think it will work - this time instead of failing again on the same config. - type: string - logLevel: - default: Normal - description: |- - logLevel is an intent based logging for an overall component. It does not give fine grained control, but it is a - simple way to manage coarse grained logging choices that operators have to interpret for their operands. - - Valid values are: "Normal", "Debug", "Trace", "TraceAll". - Defaults to "Normal". - enum: - - "" - - Normal - - Debug - - Trace - - TraceAll - type: string - managementState: - description: managementState indicates whether and how the operator - should manage the component - pattern: ^(Managed|Force)$ - type: string - observedConfig: - description: |- - observedConfig holds a sparse config that controller has observed from the cluster state. It exists in spec because - it is an input to the level for the operator - nullable: true - type: object - x-kubernetes-preserve-unknown-fields: true - operatorLogLevel: - default: Normal - description: |- - operatorLogLevel is an intent based logging for the operator itself. It does not give fine grained control, but it is a - simple way to manage coarse grained logging choices that operators have to interpret for themselves. - - Valid values are: "Normal", "Debug", "Trace", "TraceAll". - Defaults to "Normal". - enum: - - "" - - Normal - - Debug - - Trace - - TraceAll - type: string - succeededRevisionLimit: - description: |- - succeededRevisionLimit is the number of successful static pod installer revisions to keep on disk and in the api - -1 = unlimited, 0 or unset = 5 (default) - format: int32 - type: integer - unsupportedConfigOverrides: - description: |- - unsupportedConfigOverrides overrides the final configuration that was computed by the operator. - Red Hat does not support the use of this field. - Misuse of this field could lead to unexpected behavior or conflict with other configuration options. - Seek guidance from the Red Hat support before using this field. - Use of this property blocks cluster upgrades, it must be removed before upgrading your cluster. - nullable: true - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - status: - description: status is the most recently observed status of the Kubernetes - API Server - properties: - conditions: - description: conditions is a list of conditions and their status - items: - description: OperatorCondition is just the standard condition fields. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - type: string - reason: - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - generations: - description: generations are used to determine when an item needs - to be reconciled or has changed in a way that needs a reaction. - items: - description: GenerationStatus keeps track of the generation for - a given resource so that decisions about forced updates can be - made. - properties: - group: - description: group is the group of the thing you're tracking - type: string - hash: - description: hash is an optional field set for resources without - generation that are content sensitive like secrets and configmaps - type: string - lastGeneration: - description: lastGeneration is the last generation of the workload - controller involved - format: int64 - type: integer - name: - description: name is the name of the thing you're tracking - type: string - namespace: - description: namespace is where the thing you're tracking is - type: string - resource: - description: resource is the resource type of the thing you're - tracking - type: string - required: - - group - - name - - namespace - - resource - type: object - type: array - x-kubernetes-list-map-keys: - - group - - resource - - namespace - - name - x-kubernetes-list-type: map - latestAvailableRevision: - description: latestAvailableRevision is the deploymentID of the most - recent deployment - format: int32 - type: integer - x-kubernetes-validations: - - message: must only increase - rule: self >= oldSelf - latestAvailableRevisionReason: - description: latestAvailableRevisionReason describe the detailed reason - for the most recent deployment - type: string - nodeStatuses: - description: nodeStatuses track the deployment values and errors across - individual nodes - items: - description: NodeStatus provides information about the current state - of a particular node managed by this operator. - properties: - currentRevision: - description: |- - currentRevision is the generation of the most recently successful deployment. - Can not be set on creation of a nodeStatus. Updates must only increase the value. - format: int32 - type: integer - x-kubernetes-validations: - - message: must only increase - rule: self >= oldSelf - lastFailedCount: - description: lastFailedCount is how often the installer pod - of the last failed revision failed. - type: integer - lastFailedReason: - description: lastFailedReason is a machine readable failure - reason string. - type: string - lastFailedRevision: - description: lastFailedRevision is the generation of the deployment - we tried and failed to deploy. - format: int32 - type: integer - lastFailedRevisionErrors: - description: lastFailedRevisionErrors is a list of human readable - errors during the failed deployment referenced in lastFailedRevision. - items: - type: string - type: array - x-kubernetes-list-type: atomic - lastFailedTime: - description: lastFailedTime is the time the last failed revision - failed the last time. - format: date-time - type: string - lastFallbackCount: - description: lastFallbackCount is how often a fallback to a - previous revision happened. - type: integer - nodeName: - description: nodeName is the name of the node - type: string - targetRevision: - description: |- - targetRevision is the generation of the deployment we're trying to apply. - Can not be set on creation of a nodeStatus. - format: int32 - type: integer - required: - - nodeName - type: object - x-kubernetes-validations: - - fieldPath: .currentRevision - message: cannot be unset once set - rule: has(self.currentRevision) || !has(oldSelf.currentRevision) - - fieldPath: .currentRevision - message: currentRevision can not be set on creation of a nodeStatus - optionalOldSelf: true - rule: oldSelf.hasValue() || !has(self.currentRevision) - - fieldPath: .targetRevision - message: targetRevision can not be set on creation of a nodeStatus - optionalOldSelf: true - rule: oldSelf.hasValue() || !has(self.targetRevision) - type: array - x-kubernetes-list-map-keys: - - nodeName - x-kubernetes-list-type: map - x-kubernetes-validations: - - message: no more than 1 node status may have a nonzero targetRevision - rule: size(self.filter(status, status.?targetRevision.orValue(0) - != 0)) <= 1 - observedGeneration: - description: observedGeneration is the last generation change you've - dealt with - format: int64 - type: integer - readyReplicas: - description: readyReplicas indicates how many replicas are ready and - at the desired state - format: int32 - type: integer - serviceAccountIssuers: - description: |- - serviceAccountIssuers tracks history of used service account issuers. - The item without expiration time represents the currently used service account issuer. - The other items represents service account issuers that were used previously and are still being trusted. - The default expiration for the items is set by the platform and it defaults to 24h. - see: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection - items: - properties: - expirationTime: - description: |- - expirationTime is the time after which this service account issuer will be pruned and removed from the trusted list - of service account issuers. - format: date-time - type: string - name: - description: name is the name of the service account issuer - type: string - type: object - type: array - x-kubernetes-list-type: atomic - version: - description: version is the level this availability applies to - type: string - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-DevPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-DevPreviewNoUpgrade.crd.yaml deleted file mode 100644 index b0d11038de..0000000000 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-DevPreviewNoUpgrade.crd.yaml +++ /dev/null @@ -1,349 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.openshift.io: https://github.com/openshift/api/pull/475 - api.openshift.io/merged-by-featuregates: "true" - include.release.openshift.io/ibm-cloud-managed: "true" - include.release.openshift.io/self-managed-high-availability: "true" - release.openshift.io/feature-set: DevPreviewNoUpgrade - name: kubeapiservers.operator.openshift.io -spec: - group: operator.openshift.io - names: - categories: - - coreoperators - kind: KubeAPIServer - listKind: KubeAPIServerList - plural: kubeapiservers - singular: kubeapiserver - scope: Cluster - versions: - - name: v1 - schema: - openAPIV3Schema: - description: |- - KubeAPIServer provides information to configure an operator to manage kube-apiserver. - - Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: spec is the specification of the desired behavior of the - Kubernetes API Server - properties: - eventTTLMinutes: - description: |- - eventTTLMinutes specifies the amount of time that the events are stored before being deleted. - The TTL is allowed between 5 minutes minimum up to a maximum of 180 minutes (3 hours). - - Lowering this value will reduce the storage required in etcd. Note that this setting will only apply - to new events being created and will not update existing events. - - When omitted this means no opinion, and the platform is left to choose a reasonable default, which is subject to change over time. - The current default value is 3h (180 minutes). - format: int32 - maximum: 180 - minimum: 5 - type: integer - failedRevisionLimit: - description: |- - failedRevisionLimit is the number of failed static pod installer revisions to keep on disk and in the api - -1 = unlimited, 0 or unset = 5 (default) - format: int32 - type: integer - forceRedeploymentReason: - description: |- - forceRedeploymentReason can be used to force the redeployment of the operand by providing a unique string. - This provides a mechanism to kick a previously failed deployment and provide a reason why you think it will work - this time instead of failing again on the same config. - type: string - logLevel: - default: Normal - description: |- - logLevel is an intent based logging for an overall component. It does not give fine grained control, but it is a - simple way to manage coarse grained logging choices that operators have to interpret for their operands. - - Valid values are: "Normal", "Debug", "Trace", "TraceAll". - Defaults to "Normal". - enum: - - "" - - Normal - - Debug - - Trace - - TraceAll - type: string - managementState: - description: managementState indicates whether and how the operator - should manage the component - pattern: ^(Managed|Force)$ - type: string - observedConfig: - description: |- - observedConfig holds a sparse config that controller has observed from the cluster state. It exists in spec because - it is an input to the level for the operator - nullable: true - type: object - x-kubernetes-preserve-unknown-fields: true - operatorLogLevel: - default: Normal - description: |- - operatorLogLevel is an intent based logging for the operator itself. It does not give fine grained control, but it is a - simple way to manage coarse grained logging choices that operators have to interpret for themselves. - - Valid values are: "Normal", "Debug", "Trace", "TraceAll". - Defaults to "Normal". - enum: - - "" - - Normal - - Debug - - Trace - - TraceAll - type: string - succeededRevisionLimit: - description: |- - succeededRevisionLimit is the number of successful static pod installer revisions to keep on disk and in the api - -1 = unlimited, 0 or unset = 5 (default) - format: int32 - type: integer - unsupportedConfigOverrides: - description: |- - unsupportedConfigOverrides overrides the final configuration that was computed by the operator. - Red Hat does not support the use of this field. - Misuse of this field could lead to unexpected behavior or conflict with other configuration options. - Seek guidance from the Red Hat support before using this field. - Use of this property blocks cluster upgrades, it must be removed before upgrading your cluster. - nullable: true - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - status: - description: status is the most recently observed status of the Kubernetes - API Server - properties: - conditions: - description: conditions is a list of conditions and their status - items: - description: OperatorCondition is just the standard condition fields. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - type: string - reason: - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - generations: - description: generations are used to determine when an item needs - to be reconciled or has changed in a way that needs a reaction. - items: - description: GenerationStatus keeps track of the generation for - a given resource so that decisions about forced updates can be - made. - properties: - group: - description: group is the group of the thing you're tracking - type: string - hash: - description: hash is an optional field set for resources without - generation that are content sensitive like secrets and configmaps - type: string - lastGeneration: - description: lastGeneration is the last generation of the workload - controller involved - format: int64 - type: integer - name: - description: name is the name of the thing you're tracking - type: string - namespace: - description: namespace is where the thing you're tracking is - type: string - resource: - description: resource is the resource type of the thing you're - tracking - type: string - required: - - group - - name - - namespace - - resource - type: object - type: array - x-kubernetes-list-map-keys: - - group - - resource - - namespace - - name - x-kubernetes-list-type: map - latestAvailableRevision: - description: latestAvailableRevision is the deploymentID of the most - recent deployment - format: int32 - type: integer - x-kubernetes-validations: - - message: must only increase - rule: self >= oldSelf - latestAvailableRevisionReason: - description: latestAvailableRevisionReason describe the detailed reason - for the most recent deployment - type: string - nodeStatuses: - description: nodeStatuses track the deployment values and errors across - individual nodes - items: - description: NodeStatus provides information about the current state - of a particular node managed by this operator. - properties: - currentRevision: - description: |- - currentRevision is the generation of the most recently successful deployment. - Can not be set on creation of a nodeStatus. Updates must only increase the value. - format: int32 - type: integer - x-kubernetes-validations: - - message: must only increase - rule: self >= oldSelf - lastFailedCount: - description: lastFailedCount is how often the installer pod - of the last failed revision failed. - type: integer - lastFailedReason: - description: lastFailedReason is a machine readable failure - reason string. - type: string - lastFailedRevision: - description: lastFailedRevision is the generation of the deployment - we tried and failed to deploy. - format: int32 - type: integer - lastFailedRevisionErrors: - description: lastFailedRevisionErrors is a list of human readable - errors during the failed deployment referenced in lastFailedRevision. - items: - type: string - type: array - x-kubernetes-list-type: atomic - lastFailedTime: - description: lastFailedTime is the time the last failed revision - failed the last time. - format: date-time - type: string - lastFallbackCount: - description: lastFallbackCount is how often a fallback to a - previous revision happened. - type: integer - nodeName: - description: nodeName is the name of the node - type: string - targetRevision: - description: |- - targetRevision is the generation of the deployment we're trying to apply. - Can not be set on creation of a nodeStatus. - format: int32 - type: integer - required: - - nodeName - type: object - x-kubernetes-validations: - - fieldPath: .currentRevision - message: cannot be unset once set - rule: has(self.currentRevision) || !has(oldSelf.currentRevision) - - fieldPath: .currentRevision - message: currentRevision can not be set on creation of a nodeStatus - optionalOldSelf: true - rule: oldSelf.hasValue() || !has(self.currentRevision) - - fieldPath: .targetRevision - message: targetRevision can not be set on creation of a nodeStatus - optionalOldSelf: true - rule: oldSelf.hasValue() || !has(self.targetRevision) - type: array - x-kubernetes-list-map-keys: - - nodeName - x-kubernetes-list-type: map - x-kubernetes-validations: - - message: no more than 1 node status may have a nonzero targetRevision - rule: size(self.filter(status, status.?targetRevision.orValue(0) - != 0)) <= 1 - observedGeneration: - description: observedGeneration is the last generation change you've - dealt with - format: int64 - type: integer - readyReplicas: - description: readyReplicas indicates how many replicas are ready and - at the desired state - format: int32 - type: integer - serviceAccountIssuers: - description: |- - serviceAccountIssuers tracks history of used service account issuers. - The item without expiration time represents the currently used service account issuer. - The other items represents service account issuers that were used previously and are still being trusted. - The default expiration for the items is set by the platform and it defaults to 24h. - see: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection - items: - properties: - expirationTime: - description: |- - expirationTime is the time after which this service account issuer will be pruned and removed from the trusted list - of service account issuers. - format: date-time - type: string - name: - description: name is the name of the service account issuer - type: string - type: object - type: array - x-kubernetes-list-type: atomic - version: - description: version is the level this availability applies to - type: string - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-TechPreviewNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-TechPreviewNoUpgrade.crd.yaml deleted file mode 100644 index 48d0d6a709..0000000000 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-TechPreviewNoUpgrade.crd.yaml +++ /dev/null @@ -1,349 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.openshift.io: https://github.com/openshift/api/pull/475 - api.openshift.io/merged-by-featuregates: "true" - include.release.openshift.io/ibm-cloud-managed: "true" - include.release.openshift.io/self-managed-high-availability: "true" - release.openshift.io/feature-set: TechPreviewNoUpgrade - name: kubeapiservers.operator.openshift.io -spec: - group: operator.openshift.io - names: - categories: - - coreoperators - kind: KubeAPIServer - listKind: KubeAPIServerList - plural: kubeapiservers - singular: kubeapiserver - scope: Cluster - versions: - - name: v1 - schema: - openAPIV3Schema: - description: |- - KubeAPIServer provides information to configure an operator to manage kube-apiserver. - - Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: spec is the specification of the desired behavior of the - Kubernetes API Server - properties: - eventTTLMinutes: - description: |- - eventTTLMinutes specifies the amount of time that the events are stored before being deleted. - The TTL is allowed between 5 minutes minimum up to a maximum of 180 minutes (3 hours). - - Lowering this value will reduce the storage required in etcd. Note that this setting will only apply - to new events being created and will not update existing events. - - When omitted this means no opinion, and the platform is left to choose a reasonable default, which is subject to change over time. - The current default value is 3h (180 minutes). - format: int32 - maximum: 180 - minimum: 5 - type: integer - failedRevisionLimit: - description: |- - failedRevisionLimit is the number of failed static pod installer revisions to keep on disk and in the api - -1 = unlimited, 0 or unset = 5 (default) - format: int32 - type: integer - forceRedeploymentReason: - description: |- - forceRedeploymentReason can be used to force the redeployment of the operand by providing a unique string. - This provides a mechanism to kick a previously failed deployment and provide a reason why you think it will work - this time instead of failing again on the same config. - type: string - logLevel: - default: Normal - description: |- - logLevel is an intent based logging for an overall component. It does not give fine grained control, but it is a - simple way to manage coarse grained logging choices that operators have to interpret for their operands. - - Valid values are: "Normal", "Debug", "Trace", "TraceAll". - Defaults to "Normal". - enum: - - "" - - Normal - - Debug - - Trace - - TraceAll - type: string - managementState: - description: managementState indicates whether and how the operator - should manage the component - pattern: ^(Managed|Force)$ - type: string - observedConfig: - description: |- - observedConfig holds a sparse config that controller has observed from the cluster state. It exists in spec because - it is an input to the level for the operator - nullable: true - type: object - x-kubernetes-preserve-unknown-fields: true - operatorLogLevel: - default: Normal - description: |- - operatorLogLevel is an intent based logging for the operator itself. It does not give fine grained control, but it is a - simple way to manage coarse grained logging choices that operators have to interpret for themselves. - - Valid values are: "Normal", "Debug", "Trace", "TraceAll". - Defaults to "Normal". - enum: - - "" - - Normal - - Debug - - Trace - - TraceAll - type: string - succeededRevisionLimit: - description: |- - succeededRevisionLimit is the number of successful static pod installer revisions to keep on disk and in the api - -1 = unlimited, 0 or unset = 5 (default) - format: int32 - type: integer - unsupportedConfigOverrides: - description: |- - unsupportedConfigOverrides overrides the final configuration that was computed by the operator. - Red Hat does not support the use of this field. - Misuse of this field could lead to unexpected behavior or conflict with other configuration options. - Seek guidance from the Red Hat support before using this field. - Use of this property blocks cluster upgrades, it must be removed before upgrading your cluster. - nullable: true - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - status: - description: status is the most recently observed status of the Kubernetes - API Server - properties: - conditions: - description: conditions is a list of conditions and their status - items: - description: OperatorCondition is just the standard condition fields. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - type: string - reason: - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - generations: - description: generations are used to determine when an item needs - to be reconciled or has changed in a way that needs a reaction. - items: - description: GenerationStatus keeps track of the generation for - a given resource so that decisions about forced updates can be - made. - properties: - group: - description: group is the group of the thing you're tracking - type: string - hash: - description: hash is an optional field set for resources without - generation that are content sensitive like secrets and configmaps - type: string - lastGeneration: - description: lastGeneration is the last generation of the workload - controller involved - format: int64 - type: integer - name: - description: name is the name of the thing you're tracking - type: string - namespace: - description: namespace is where the thing you're tracking is - type: string - resource: - description: resource is the resource type of the thing you're - tracking - type: string - required: - - group - - name - - namespace - - resource - type: object - type: array - x-kubernetes-list-map-keys: - - group - - resource - - namespace - - name - x-kubernetes-list-type: map - latestAvailableRevision: - description: latestAvailableRevision is the deploymentID of the most - recent deployment - format: int32 - type: integer - x-kubernetes-validations: - - message: must only increase - rule: self >= oldSelf - latestAvailableRevisionReason: - description: latestAvailableRevisionReason describe the detailed reason - for the most recent deployment - type: string - nodeStatuses: - description: nodeStatuses track the deployment values and errors across - individual nodes - items: - description: NodeStatus provides information about the current state - of a particular node managed by this operator. - properties: - currentRevision: - description: |- - currentRevision is the generation of the most recently successful deployment. - Can not be set on creation of a nodeStatus. Updates must only increase the value. - format: int32 - type: integer - x-kubernetes-validations: - - message: must only increase - rule: self >= oldSelf - lastFailedCount: - description: lastFailedCount is how often the installer pod - of the last failed revision failed. - type: integer - lastFailedReason: - description: lastFailedReason is a machine readable failure - reason string. - type: string - lastFailedRevision: - description: lastFailedRevision is the generation of the deployment - we tried and failed to deploy. - format: int32 - type: integer - lastFailedRevisionErrors: - description: lastFailedRevisionErrors is a list of human readable - errors during the failed deployment referenced in lastFailedRevision. - items: - type: string - type: array - x-kubernetes-list-type: atomic - lastFailedTime: - description: lastFailedTime is the time the last failed revision - failed the last time. - format: date-time - type: string - lastFallbackCount: - description: lastFallbackCount is how often a fallback to a - previous revision happened. - type: integer - nodeName: - description: nodeName is the name of the node - type: string - targetRevision: - description: |- - targetRevision is the generation of the deployment we're trying to apply. - Can not be set on creation of a nodeStatus. - format: int32 - type: integer - required: - - nodeName - type: object - x-kubernetes-validations: - - fieldPath: .currentRevision - message: cannot be unset once set - rule: has(self.currentRevision) || !has(oldSelf.currentRevision) - - fieldPath: .currentRevision - message: currentRevision can not be set on creation of a nodeStatus - optionalOldSelf: true - rule: oldSelf.hasValue() || !has(self.currentRevision) - - fieldPath: .targetRevision - message: targetRevision can not be set on creation of a nodeStatus - optionalOldSelf: true - rule: oldSelf.hasValue() || !has(self.targetRevision) - type: array - x-kubernetes-list-map-keys: - - nodeName - x-kubernetes-list-type: map - x-kubernetes-validations: - - message: no more than 1 node status may have a nonzero targetRevision - rule: size(self.filter(status, status.?targetRevision.orValue(0) - != 0)) <= 1 - observedGeneration: - description: observedGeneration is the last generation change you've - dealt with - format: int64 - type: integer - readyReplicas: - description: readyReplicas indicates how many replicas are ready and - at the desired state - format: int32 - type: integer - serviceAccountIssuers: - description: |- - serviceAccountIssuers tracks history of used service account issuers. - The item without expiration time represents the currently used service account issuer. - The other items represents service account issuers that were used previously and are still being trusted. - The default expiration for the items is set by the platform and it defaults to 24h. - see: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection - items: - properties: - expirationTime: - description: |- - expirationTime is the time after which this service account issuer will be pruned and removed from the trusted list - of service account issuers. - format: date-time - type: string - name: - description: name is the name of the service account issuer - type: string - type: object - type: array - x-kubernetes-list-type: atomic - version: - description: version is the level this availability applies to - type: string - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-CustomNoUpgrade.crd.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers.crd.yaml similarity index 99% rename from vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-CustomNoUpgrade.crd.yaml rename to vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers.crd.yaml index ba2587dc9d..6d2d44026a 100644 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers-CustomNoUpgrade.crd.yaml +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.crd-manifests/0000_20_kube-apiserver_01_kubeapiservers.crd.yaml @@ -6,7 +6,6 @@ metadata: api.openshift.io/merged-by-featuregates: "true" include.release.openshift.io/ibm-cloud-managed: "true" include.release.openshift.io/self-managed-high-availability: "true" - release.openshift.io/feature-set: CustomNoUpgrade name: kubeapiservers.operator.openshift.io spec: group: operator.openshift.io diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/awsplatformstatus.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/awsplatformstatus.go index b217e5bdcd..53d86d2fdd 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/awsplatformstatus.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/awsplatformstatus.go @@ -2,6 +2,10 @@ package v1 +import ( + configv1 "github.com/openshift/api/config/v1" +) + // AWSPlatformStatusApplyConfiguration represents a declarative configuration of the AWSPlatformStatus type for use // with apply. type AWSPlatformStatusApplyConfiguration struct { @@ -9,6 +13,7 @@ type AWSPlatformStatusApplyConfiguration struct { ServiceEndpoints []AWSServiceEndpointApplyConfiguration `json:"serviceEndpoints,omitempty"` ResourceTags []AWSResourceTagApplyConfiguration `json:"resourceTags,omitempty"` CloudLoadBalancerConfig *CloudLoadBalancerConfigApplyConfiguration `json:"cloudLoadBalancerConfig,omitempty"` + IPFamily *configv1.IPFamilyType `json:"ipFamily,omitempty"` } // AWSPlatformStatusApplyConfiguration constructs a declarative configuration of the AWSPlatformStatus type for use with @@ -58,3 +63,11 @@ func (b *AWSPlatformStatusApplyConfiguration) WithCloudLoadBalancerConfig(value b.CloudLoadBalancerConfig = value return b } + +// WithIPFamily sets the IPFamily field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the IPFamily field is set to the value of the last call. +func (b *AWSPlatformStatusApplyConfiguration) WithIPFamily(value configv1.IPFamilyType) *AWSPlatformStatusApplyConfiguration { + b.IPFamily = &value + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/azureplatformstatus.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/azureplatformstatus.go index 3d1a83d28a..774641c829 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/azureplatformstatus.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/azureplatformstatus.go @@ -15,6 +15,7 @@ type AzurePlatformStatusApplyConfiguration struct { ARMEndpoint *string `json:"armEndpoint,omitempty"` ResourceTags []AzureResourceTagApplyConfiguration `json:"resourceTags,omitempty"` CloudLoadBalancerConfig *CloudLoadBalancerConfigApplyConfiguration `json:"cloudLoadBalancerConfig,omitempty"` + IPFamily *configv1.IPFamilyType `json:"ipFamily,omitempty"` } // AzurePlatformStatusApplyConfiguration constructs a declarative configuration of the AzurePlatformStatus type for use with @@ -75,3 +76,11 @@ func (b *AzurePlatformStatusApplyConfiguration) WithCloudLoadBalancerConfig(valu b.CloudLoadBalancerConfig = value return b } + +// WithIPFamily sets the IPFamily field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the IPFamily field is set to the value of the last call. +func (b *AzurePlatformStatusApplyConfiguration) WithIPFamily(value configv1.IPFamilyType) *AzurePlatformStatusApplyConfiguration { + b.IPFamily = &value + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/baremetalplatformstatus.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/baremetalplatformstatus.go index 55b875c7c4..315dc309ca 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/baremetalplatformstatus.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/baremetalplatformstatus.go @@ -15,6 +15,7 @@ type BareMetalPlatformStatusApplyConfiguration struct { IngressIPs []string `json:"ingressIPs,omitempty"` NodeDNSIP *string `json:"nodeDNSIP,omitempty"` LoadBalancer *BareMetalPlatformLoadBalancerApplyConfiguration `json:"loadBalancer,omitempty"` + DNSRecordsType *configv1.DNSRecordsType `json:"dnsRecordsType,omitempty"` MachineNetworks []configv1.CIDR `json:"machineNetworks,omitempty"` } @@ -76,6 +77,14 @@ func (b *BareMetalPlatformStatusApplyConfiguration) WithLoadBalancer(value *Bare return b } +// WithDNSRecordsType sets the DNSRecordsType field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the DNSRecordsType field is set to the value of the last call. +func (b *BareMetalPlatformStatusApplyConfiguration) WithDNSRecordsType(value configv1.DNSRecordsType) *BareMetalPlatformStatusApplyConfiguration { + b.DNSRecordsType = &value + return b +} + // WithMachineNetworks adds the given value to the MachineNetworks field in the declarative configuration // and returns the receiver, so that objects can be build by chaining "With" function invocations. // If called multiple times, values provided by each call will be appended to the MachineNetworks field. diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/custom.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/custom.go deleted file mode 100644 index 77234d0df5..0000000000 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/custom.go +++ /dev/null @@ -1,28 +0,0 @@ -// Code generated by applyconfiguration-gen. DO NOT EDIT. - -package v1 - -// CustomApplyConfiguration represents a declarative configuration of the Custom type for use -// with apply. -type CustomApplyConfiguration struct { - Configs []GathererConfigApplyConfiguration `json:"configs,omitempty"` -} - -// CustomApplyConfiguration constructs a declarative configuration of the Custom type for use with -// apply. -func Custom() *CustomApplyConfiguration { - return &CustomApplyConfiguration{} -} - -// WithConfigs adds the given value to the Configs field in the declarative configuration -// and returns the receiver, so that objects can be build by chaining "With" function invocations. -// If called multiple times, values provided by each call will be appended to the Configs field. -func (b *CustomApplyConfiguration) WithConfigs(values ...*GathererConfigApplyConfiguration) *CustomApplyConfiguration { - for i := range values { - if values[i] == nil { - panic("nil value passed to WithConfigs") - } - b.Configs = append(b.Configs, *values[i]) - } - return b -} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/gatherconfig.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/gatherconfig.go deleted file mode 100644 index eaa7965192..0000000000 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/gatherconfig.go +++ /dev/null @@ -1,47 +0,0 @@ -// Code generated by applyconfiguration-gen. DO NOT EDIT. - -package v1 - -import ( - configv1 "github.com/openshift/api/config/v1" -) - -// GatherConfigApplyConfiguration represents a declarative configuration of the GatherConfig type for use -// with apply. -type GatherConfigApplyConfiguration struct { - DataPolicy []configv1.DataPolicyOption `json:"dataPolicy,omitempty"` - Gatherers *GatherersApplyConfiguration `json:"gatherers,omitempty"` - Storage *StorageApplyConfiguration `json:"storage,omitempty"` -} - -// GatherConfigApplyConfiguration constructs a declarative configuration of the GatherConfig type for use with -// apply. -func GatherConfig() *GatherConfigApplyConfiguration { - return &GatherConfigApplyConfiguration{} -} - -// WithDataPolicy adds the given value to the DataPolicy field in the declarative configuration -// and returns the receiver, so that objects can be build by chaining "With" function invocations. -// If called multiple times, values provided by each call will be appended to the DataPolicy field. -func (b *GatherConfigApplyConfiguration) WithDataPolicy(values ...configv1.DataPolicyOption) *GatherConfigApplyConfiguration { - for i := range values { - b.DataPolicy = append(b.DataPolicy, values[i]) - } - return b -} - -// WithGatherers sets the Gatherers field in the declarative configuration to the given value -// and returns the receiver, so that objects can be built by chaining "With" function invocations. -// If called multiple times, the Gatherers field is set to the value of the last call. -func (b *GatherConfigApplyConfiguration) WithGatherers(value *GatherersApplyConfiguration) *GatherConfigApplyConfiguration { - b.Gatherers = value - return b -} - -// WithStorage sets the Storage field in the declarative configuration to the given value -// and returns the receiver, so that objects can be built by chaining "With" function invocations. -// If called multiple times, the Storage field is set to the value of the last call. -func (b *GatherConfigApplyConfiguration) WithStorage(value *StorageApplyConfiguration) *GatherConfigApplyConfiguration { - b.Storage = value - return b -} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/gathererconfig.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/gathererconfig.go deleted file mode 100644 index caa8b79d03..0000000000 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/gathererconfig.go +++ /dev/null @@ -1,36 +0,0 @@ -// Code generated by applyconfiguration-gen. DO NOT EDIT. - -package v1 - -import ( - configv1 "github.com/openshift/api/config/v1" -) - -// GathererConfigApplyConfiguration represents a declarative configuration of the GathererConfig type for use -// with apply. -type GathererConfigApplyConfiguration struct { - Name *string `json:"name,omitempty"` - State *configv1.GathererState `json:"state,omitempty"` -} - -// GathererConfigApplyConfiguration constructs a declarative configuration of the GathererConfig type for use with -// apply. -func GathererConfig() *GathererConfigApplyConfiguration { - return &GathererConfigApplyConfiguration{} -} - -// WithName sets the Name field in the declarative configuration to the given value -// and returns the receiver, so that objects can be built by chaining "With" function invocations. -// If called multiple times, the Name field is set to the value of the last call. -func (b *GathererConfigApplyConfiguration) WithName(value string) *GathererConfigApplyConfiguration { - b.Name = &value - return b -} - -// WithState sets the State field in the declarative configuration to the given value -// and returns the receiver, so that objects can be built by chaining "With" function invocations. -// If called multiple times, the State field is set to the value of the last call. -func (b *GathererConfigApplyConfiguration) WithState(value configv1.GathererState) *GathererConfigApplyConfiguration { - b.State = &value - return b -} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/gatherers.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/gatherers.go deleted file mode 100644 index 32469f512b..0000000000 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/gatherers.go +++ /dev/null @@ -1,36 +0,0 @@ -// Code generated by applyconfiguration-gen. DO NOT EDIT. - -package v1 - -import ( - configv1 "github.com/openshift/api/config/v1" -) - -// GatherersApplyConfiguration represents a declarative configuration of the Gatherers type for use -// with apply. -type GatherersApplyConfiguration struct { - Mode *configv1.GatheringMode `json:"mode,omitempty"` - Custom *CustomApplyConfiguration `json:"custom,omitempty"` -} - -// GatherersApplyConfiguration constructs a declarative configuration of the Gatherers type for use with -// apply. -func Gatherers() *GatherersApplyConfiguration { - return &GatherersApplyConfiguration{} -} - -// WithMode sets the Mode field in the declarative configuration to the given value -// and returns the receiver, so that objects can be built by chaining "With" function invocations. -// If called multiple times, the Mode field is set to the value of the last call. -func (b *GatherersApplyConfiguration) WithMode(value configv1.GatheringMode) *GatherersApplyConfiguration { - b.Mode = &value - return b -} - -// WithCustom sets the Custom field in the declarative configuration to the given value -// and returns the receiver, so that objects can be built by chaining "With" function invocations. -// If called multiple times, the Custom field is set to the value of the last call. -func (b *GatherersApplyConfiguration) WithCustom(value *CustomApplyConfiguration) *GatherersApplyConfiguration { - b.Custom = value - return b -} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/gcpplatformstatus.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/gcpplatformstatus.go index 3f67e9e359..9c28888cf9 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/gcpplatformstatus.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/gcpplatformstatus.go @@ -10,7 +10,6 @@ type GCPPlatformStatusApplyConfiguration struct { ResourceLabels []GCPResourceLabelApplyConfiguration `json:"resourceLabels,omitempty"` ResourceTags []GCPResourceTagApplyConfiguration `json:"resourceTags,omitempty"` CloudLoadBalancerConfig *CloudLoadBalancerConfigApplyConfiguration `json:"cloudLoadBalancerConfig,omitempty"` - ServiceEndpoints []GCPServiceEndpointApplyConfiguration `json:"serviceEndpoints,omitempty"` } // GCPPlatformStatusApplyConfiguration constructs a declarative configuration of the GCPPlatformStatus type for use with @@ -68,16 +67,3 @@ func (b *GCPPlatformStatusApplyConfiguration) WithCloudLoadBalancerConfig(value b.CloudLoadBalancerConfig = value return b } - -// WithServiceEndpoints adds the given value to the ServiceEndpoints field in the declarative configuration -// and returns the receiver, so that objects can be build by chaining "With" function invocations. -// If called multiple times, values provided by each call will be appended to the ServiceEndpoints field. -func (b *GCPPlatformStatusApplyConfiguration) WithServiceEndpoints(values ...*GCPServiceEndpointApplyConfiguration) *GCPPlatformStatusApplyConfiguration { - for i := range values { - if values[i] == nil { - panic("nil value passed to WithServiceEndpoints") - } - b.ServiceEndpoints = append(b.ServiceEndpoints, *values[i]) - } - return b -} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/gcpserviceendpoint.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/gcpserviceendpoint.go deleted file mode 100644 index 2cb9d0a7ca..0000000000 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/gcpserviceendpoint.go +++ /dev/null @@ -1,36 +0,0 @@ -// Code generated by applyconfiguration-gen. DO NOT EDIT. - -package v1 - -import ( - configv1 "github.com/openshift/api/config/v1" -) - -// GCPServiceEndpointApplyConfiguration represents a declarative configuration of the GCPServiceEndpoint type for use -// with apply. -type GCPServiceEndpointApplyConfiguration struct { - Name *configv1.GCPServiceEndpointName `json:"name,omitempty"` - URL *string `json:"url,omitempty"` -} - -// GCPServiceEndpointApplyConfiguration constructs a declarative configuration of the GCPServiceEndpoint type for use with -// apply. -func GCPServiceEndpoint() *GCPServiceEndpointApplyConfiguration { - return &GCPServiceEndpointApplyConfiguration{} -} - -// WithName sets the Name field in the declarative configuration to the given value -// and returns the receiver, so that objects can be built by chaining "With" function invocations. -// If called multiple times, the Name field is set to the value of the last call. -func (b *GCPServiceEndpointApplyConfiguration) WithName(value configv1.GCPServiceEndpointName) *GCPServiceEndpointApplyConfiguration { - b.Name = &value - return b -} - -// WithURL sets the URL field in the declarative configuration to the given value -// and returns the receiver, so that objects can be built by chaining "With" function invocations. -// If called multiple times, the URL field is set to the value of the last call. -func (b *GCPServiceEndpointApplyConfiguration) WithURL(value string) *GCPServiceEndpointApplyConfiguration { - b.URL = &value - return b -} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/insightsdatagather.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/insightsdatagather.go deleted file mode 100644 index 829a4071ac..0000000000 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/insightsdatagather.go +++ /dev/null @@ -1,254 +0,0 @@ -// Code generated by applyconfiguration-gen. DO NOT EDIT. - -package v1 - -import ( - configv1 "github.com/openshift/api/config/v1" - internal "github.com/openshift/client-go/config/applyconfigurations/internal" - apismetav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - types "k8s.io/apimachinery/pkg/types" - managedfields "k8s.io/apimachinery/pkg/util/managedfields" - metav1 "k8s.io/client-go/applyconfigurations/meta/v1" -) - -// InsightsDataGatherApplyConfiguration represents a declarative configuration of the InsightsDataGather type for use -// with apply. -type InsightsDataGatherApplyConfiguration struct { - metav1.TypeMetaApplyConfiguration `json:",inline"` - *metav1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"` - Spec *InsightsDataGatherSpecApplyConfiguration `json:"spec,omitempty"` -} - -// InsightsDataGather constructs a declarative configuration of the InsightsDataGather type for use with -// apply. -func InsightsDataGather(name string) *InsightsDataGatherApplyConfiguration { - b := &InsightsDataGatherApplyConfiguration{} - b.WithName(name) - b.WithKind("InsightsDataGather") - b.WithAPIVersion("config.openshift.io/v1") - return b -} - -// ExtractInsightsDataGather extracts the applied configuration owned by fieldManager from -// insightsDataGather. If no managedFields are found in insightsDataGather for fieldManager, a -// InsightsDataGatherApplyConfiguration is returned with only the Name, Namespace (if applicable), -// APIVersion and Kind populated. It is possible that no managed fields were found for because other -// field managers have taken ownership of all the fields previously owned by fieldManager, or because -// the fieldManager never owned fields any fields. -// insightsDataGather must be a unmodified InsightsDataGather API object that was retrieved from the Kubernetes API. -// ExtractInsightsDataGather provides a way to perform a extract/modify-in-place/apply workflow. -// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously -// applied if another fieldManager has updated or force applied any of the previously applied fields. -// Experimental! -func ExtractInsightsDataGather(insightsDataGather *configv1.InsightsDataGather, fieldManager string) (*InsightsDataGatherApplyConfiguration, error) { - return extractInsightsDataGather(insightsDataGather, fieldManager, "") -} - -// ExtractInsightsDataGatherStatus is the same as ExtractInsightsDataGather except -// that it extracts the status subresource applied configuration. -// Experimental! -func ExtractInsightsDataGatherStatus(insightsDataGather *configv1.InsightsDataGather, fieldManager string) (*InsightsDataGatherApplyConfiguration, error) { - return extractInsightsDataGather(insightsDataGather, fieldManager, "status") -} - -func extractInsightsDataGather(insightsDataGather *configv1.InsightsDataGather, fieldManager string, subresource string) (*InsightsDataGatherApplyConfiguration, error) { - b := &InsightsDataGatherApplyConfiguration{} - err := managedfields.ExtractInto(insightsDataGather, internal.Parser().Type("com.github.openshift.api.config.v1.InsightsDataGather"), fieldManager, b, subresource) - if err != nil { - return nil, err - } - b.WithName(insightsDataGather.Name) - - b.WithKind("InsightsDataGather") - b.WithAPIVersion("config.openshift.io/v1") - return b, nil -} -func (b InsightsDataGatherApplyConfiguration) IsApplyConfiguration() {} - -// WithKind sets the Kind field in the declarative configuration to the given value -// and returns the receiver, so that objects can be built by chaining "With" function invocations. -// If called multiple times, the Kind field is set to the value of the last call. -func (b *InsightsDataGatherApplyConfiguration) WithKind(value string) *InsightsDataGatherApplyConfiguration { - b.TypeMetaApplyConfiguration.Kind = &value - return b -} - -// WithAPIVersion sets the APIVersion field in the declarative configuration to the given value -// and returns the receiver, so that objects can be built by chaining "With" function invocations. -// If called multiple times, the APIVersion field is set to the value of the last call. -func (b *InsightsDataGatherApplyConfiguration) WithAPIVersion(value string) *InsightsDataGatherApplyConfiguration { - b.TypeMetaApplyConfiguration.APIVersion = &value - return b -} - -// WithName sets the Name field in the declarative configuration to the given value -// and returns the receiver, so that objects can be built by chaining "With" function invocations. -// If called multiple times, the Name field is set to the value of the last call. -func (b *InsightsDataGatherApplyConfiguration) WithName(value string) *InsightsDataGatherApplyConfiguration { - b.ensureObjectMetaApplyConfigurationExists() - b.ObjectMetaApplyConfiguration.Name = &value - return b -} - -// WithGenerateName sets the GenerateName field in the declarative configuration to the given value -// and returns the receiver, so that objects can be built by chaining "With" function invocations. -// If called multiple times, the GenerateName field is set to the value of the last call. -func (b *InsightsDataGatherApplyConfiguration) WithGenerateName(value string) *InsightsDataGatherApplyConfiguration { - b.ensureObjectMetaApplyConfigurationExists() - b.ObjectMetaApplyConfiguration.GenerateName = &value - return b -} - -// WithNamespace sets the Namespace field in the declarative configuration to the given value -// and returns the receiver, so that objects can be built by chaining "With" function invocations. -// If called multiple times, the Namespace field is set to the value of the last call. -func (b *InsightsDataGatherApplyConfiguration) WithNamespace(value string) *InsightsDataGatherApplyConfiguration { - b.ensureObjectMetaApplyConfigurationExists() - b.ObjectMetaApplyConfiguration.Namespace = &value - return b -} - -// WithUID sets the UID field in the declarative configuration to the given value -// and returns the receiver, so that objects can be built by chaining "With" function invocations. -// If called multiple times, the UID field is set to the value of the last call. -func (b *InsightsDataGatherApplyConfiguration) WithUID(value types.UID) *InsightsDataGatherApplyConfiguration { - b.ensureObjectMetaApplyConfigurationExists() - b.ObjectMetaApplyConfiguration.UID = &value - return b -} - -// WithResourceVersion sets the ResourceVersion field in the declarative configuration to the given value -// and returns the receiver, so that objects can be built by chaining "With" function invocations. -// If called multiple times, the ResourceVersion field is set to the value of the last call. -func (b *InsightsDataGatherApplyConfiguration) WithResourceVersion(value string) *InsightsDataGatherApplyConfiguration { - b.ensureObjectMetaApplyConfigurationExists() - b.ObjectMetaApplyConfiguration.ResourceVersion = &value - return b -} - -// WithGeneration sets the Generation field in the declarative configuration to the given value -// and returns the receiver, so that objects can be built by chaining "With" function invocations. -// If called multiple times, the Generation field is set to the value of the last call. -func (b *InsightsDataGatherApplyConfiguration) WithGeneration(value int64) *InsightsDataGatherApplyConfiguration { - b.ensureObjectMetaApplyConfigurationExists() - b.ObjectMetaApplyConfiguration.Generation = &value - return b -} - -// WithCreationTimestamp sets the CreationTimestamp field in the declarative configuration to the given value -// and returns the receiver, so that objects can be built by chaining "With" function invocations. -// If called multiple times, the CreationTimestamp field is set to the value of the last call. -func (b *InsightsDataGatherApplyConfiguration) WithCreationTimestamp(value apismetav1.Time) *InsightsDataGatherApplyConfiguration { - b.ensureObjectMetaApplyConfigurationExists() - b.ObjectMetaApplyConfiguration.CreationTimestamp = &value - return b -} - -// WithDeletionTimestamp sets the DeletionTimestamp field in the declarative configuration to the given value -// and returns the receiver, so that objects can be built by chaining "With" function invocations. -// If called multiple times, the DeletionTimestamp field is set to the value of the last call. -func (b *InsightsDataGatherApplyConfiguration) WithDeletionTimestamp(value apismetav1.Time) *InsightsDataGatherApplyConfiguration { - b.ensureObjectMetaApplyConfigurationExists() - b.ObjectMetaApplyConfiguration.DeletionTimestamp = &value - return b -} - -// WithDeletionGracePeriodSeconds sets the DeletionGracePeriodSeconds field in the declarative configuration to the given value -// and returns the receiver, so that objects can be built by chaining "With" function invocations. -// If called multiple times, the DeletionGracePeriodSeconds field is set to the value of the last call. -func (b *InsightsDataGatherApplyConfiguration) WithDeletionGracePeriodSeconds(value int64) *InsightsDataGatherApplyConfiguration { - b.ensureObjectMetaApplyConfigurationExists() - b.ObjectMetaApplyConfiguration.DeletionGracePeriodSeconds = &value - return b -} - -// WithLabels puts the entries into the Labels field in the declarative configuration -// and returns the receiver, so that objects can be build by chaining "With" function invocations. -// If called multiple times, the entries provided by each call will be put on the Labels field, -// overwriting an existing map entries in Labels field with the same key. -func (b *InsightsDataGatherApplyConfiguration) WithLabels(entries map[string]string) *InsightsDataGatherApplyConfiguration { - b.ensureObjectMetaApplyConfigurationExists() - if b.ObjectMetaApplyConfiguration.Labels == nil && len(entries) > 0 { - b.ObjectMetaApplyConfiguration.Labels = make(map[string]string, len(entries)) - } - for k, v := range entries { - b.ObjectMetaApplyConfiguration.Labels[k] = v - } - return b -} - -// WithAnnotations puts the entries into the Annotations field in the declarative configuration -// and returns the receiver, so that objects can be build by chaining "With" function invocations. -// If called multiple times, the entries provided by each call will be put on the Annotations field, -// overwriting an existing map entries in Annotations field with the same key. -func (b *InsightsDataGatherApplyConfiguration) WithAnnotations(entries map[string]string) *InsightsDataGatherApplyConfiguration { - b.ensureObjectMetaApplyConfigurationExists() - if b.ObjectMetaApplyConfiguration.Annotations == nil && len(entries) > 0 { - b.ObjectMetaApplyConfiguration.Annotations = make(map[string]string, len(entries)) - } - for k, v := range entries { - b.ObjectMetaApplyConfiguration.Annotations[k] = v - } - return b -} - -// WithOwnerReferences adds the given value to the OwnerReferences field in the declarative configuration -// and returns the receiver, so that objects can be build by chaining "With" function invocations. -// If called multiple times, values provided by each call will be appended to the OwnerReferences field. -func (b *InsightsDataGatherApplyConfiguration) WithOwnerReferences(values ...*metav1.OwnerReferenceApplyConfiguration) *InsightsDataGatherApplyConfiguration { - b.ensureObjectMetaApplyConfigurationExists() - for i := range values { - if values[i] == nil { - panic("nil value passed to WithOwnerReferences") - } - b.ObjectMetaApplyConfiguration.OwnerReferences = append(b.ObjectMetaApplyConfiguration.OwnerReferences, *values[i]) - } - return b -} - -// WithFinalizers adds the given value to the Finalizers field in the declarative configuration -// and returns the receiver, so that objects can be build by chaining "With" function invocations. -// If called multiple times, values provided by each call will be appended to the Finalizers field. -func (b *InsightsDataGatherApplyConfiguration) WithFinalizers(values ...string) *InsightsDataGatherApplyConfiguration { - b.ensureObjectMetaApplyConfigurationExists() - for i := range values { - b.ObjectMetaApplyConfiguration.Finalizers = append(b.ObjectMetaApplyConfiguration.Finalizers, values[i]) - } - return b -} - -func (b *InsightsDataGatherApplyConfiguration) ensureObjectMetaApplyConfigurationExists() { - if b.ObjectMetaApplyConfiguration == nil { - b.ObjectMetaApplyConfiguration = &metav1.ObjectMetaApplyConfiguration{} - } -} - -// WithSpec sets the Spec field in the declarative configuration to the given value -// and returns the receiver, so that objects can be built by chaining "With" function invocations. -// If called multiple times, the Spec field is set to the value of the last call. -func (b *InsightsDataGatherApplyConfiguration) WithSpec(value *InsightsDataGatherSpecApplyConfiguration) *InsightsDataGatherApplyConfiguration { - b.Spec = value - return b -} - -// GetKind retrieves the value of the Kind field in the declarative configuration. -func (b *InsightsDataGatherApplyConfiguration) GetKind() *string { - return b.TypeMetaApplyConfiguration.Kind -} - -// GetAPIVersion retrieves the value of the APIVersion field in the declarative configuration. -func (b *InsightsDataGatherApplyConfiguration) GetAPIVersion() *string { - return b.TypeMetaApplyConfiguration.APIVersion -} - -// GetName retrieves the value of the Name field in the declarative configuration. -func (b *InsightsDataGatherApplyConfiguration) GetName() *string { - b.ensureObjectMetaApplyConfigurationExists() - return b.ObjectMetaApplyConfiguration.Name -} - -// GetNamespace retrieves the value of the Namespace field in the declarative configuration. -func (b *InsightsDataGatherApplyConfiguration) GetNamespace() *string { - b.ensureObjectMetaApplyConfigurationExists() - return b.ObjectMetaApplyConfiguration.Namespace -} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/insightsdatagatherspec.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/insightsdatagatherspec.go deleted file mode 100644 index 4be6d441a8..0000000000 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/insightsdatagatherspec.go +++ /dev/null @@ -1,23 +0,0 @@ -// Code generated by applyconfiguration-gen. DO NOT EDIT. - -package v1 - -// InsightsDataGatherSpecApplyConfiguration represents a declarative configuration of the InsightsDataGatherSpec type for use -// with apply. -type InsightsDataGatherSpecApplyConfiguration struct { - GatherConfig *GatherConfigApplyConfiguration `json:"gatherConfig,omitempty"` -} - -// InsightsDataGatherSpecApplyConfiguration constructs a declarative configuration of the InsightsDataGatherSpec type for use with -// apply. -func InsightsDataGatherSpec() *InsightsDataGatherSpecApplyConfiguration { - return &InsightsDataGatherSpecApplyConfiguration{} -} - -// WithGatherConfig sets the GatherConfig field in the declarative configuration to the given value -// and returns the receiver, so that objects can be built by chaining "With" function invocations. -// If called multiple times, the GatherConfig field is set to the value of the last call. -func (b *InsightsDataGatherSpecApplyConfiguration) WithGatherConfig(value *GatherConfigApplyConfiguration) *InsightsDataGatherSpecApplyConfiguration { - b.GatherConfig = value - return b -} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/nutanixplatformstatus.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/nutanixplatformstatus.go index d7988e5115..5c61ef9801 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/nutanixplatformstatus.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/nutanixplatformstatus.go @@ -2,6 +2,10 @@ package v1 +import ( + configv1 "github.com/openshift/api/config/v1" +) + // NutanixPlatformStatusApplyConfiguration represents a declarative configuration of the NutanixPlatformStatus type for use // with apply. type NutanixPlatformStatusApplyConfiguration struct { @@ -10,6 +14,7 @@ type NutanixPlatformStatusApplyConfiguration struct { IngressIP *string `json:"ingressIP,omitempty"` IngressIPs []string `json:"ingressIPs,omitempty"` LoadBalancer *NutanixPlatformLoadBalancerApplyConfiguration `json:"loadBalancer,omitempty"` + DNSRecordsType *configv1.DNSRecordsType `json:"dnsRecordsType,omitempty"` } // NutanixPlatformStatusApplyConfiguration constructs a declarative configuration of the NutanixPlatformStatus type for use with @@ -61,3 +66,11 @@ func (b *NutanixPlatformStatusApplyConfiguration) WithLoadBalancer(value *Nutani b.LoadBalancer = value return b } + +// WithDNSRecordsType sets the DNSRecordsType field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the DNSRecordsType field is set to the value of the last call. +func (b *NutanixPlatformStatusApplyConfiguration) WithDNSRecordsType(value configv1.DNSRecordsType) *NutanixPlatformStatusApplyConfiguration { + b.DNSRecordsType = &value + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/openstackplatformstatus.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/openstackplatformstatus.go index f06c78e243..4052769489 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/openstackplatformstatus.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/openstackplatformstatus.go @@ -16,6 +16,7 @@ type OpenStackPlatformStatusApplyConfiguration struct { IngressIPs []string `json:"ingressIPs,omitempty"` NodeDNSIP *string `json:"nodeDNSIP,omitempty"` LoadBalancer *OpenStackPlatformLoadBalancerApplyConfiguration `json:"loadBalancer,omitempty"` + DNSRecordsType *configv1.DNSRecordsType `json:"dnsRecordsType,omitempty"` MachineNetworks []configv1.CIDR `json:"machineNetworks,omitempty"` } @@ -85,6 +86,14 @@ func (b *OpenStackPlatformStatusApplyConfiguration) WithLoadBalancer(value *Open return b } +// WithDNSRecordsType sets the DNSRecordsType field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the DNSRecordsType field is set to the value of the last call. +func (b *OpenStackPlatformStatusApplyConfiguration) WithDNSRecordsType(value configv1.DNSRecordsType) *OpenStackPlatformStatusApplyConfiguration { + b.DNSRecordsType = &value + return b +} + // WithMachineNetworks adds the given value to the MachineNetworks field in the declarative configuration // and returns the receiver, so that objects can be build by chaining "With" function invocations. // If called multiple times, values provided by each call will be appended to the MachineNetworks field. diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/ovirtplatformstatus.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/ovirtplatformstatus.go index 18ad5d8492..dab2c7a101 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/ovirtplatformstatus.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/ovirtplatformstatus.go @@ -2,6 +2,10 @@ package v1 +import ( + configv1 "github.com/openshift/api/config/v1" +) + // OvirtPlatformStatusApplyConfiguration represents a declarative configuration of the OvirtPlatformStatus type for use // with apply. type OvirtPlatformStatusApplyConfiguration struct { @@ -11,6 +15,7 @@ type OvirtPlatformStatusApplyConfiguration struct { IngressIPs []string `json:"ingressIPs,omitempty"` NodeDNSIP *string `json:"nodeDNSIP,omitempty"` LoadBalancer *OvirtPlatformLoadBalancerApplyConfiguration `json:"loadBalancer,omitempty"` + DNSRecordsType *configv1.DNSRecordsType `json:"dnsRecordsType,omitempty"` } // OvirtPlatformStatusApplyConfiguration constructs a declarative configuration of the OvirtPlatformStatus type for use with @@ -70,3 +75,11 @@ func (b *OvirtPlatformStatusApplyConfiguration) WithLoadBalancer(value *OvirtPla b.LoadBalancer = value return b } + +// WithDNSRecordsType sets the DNSRecordsType field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the DNSRecordsType field is set to the value of the last call. +func (b *OvirtPlatformStatusApplyConfiguration) WithDNSRecordsType(value configv1.DNSRecordsType) *OvirtPlatformStatusApplyConfiguration { + b.DNSRecordsType = &value + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/persistentvolumeclaimreference.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/persistentvolumeclaimreference.go deleted file mode 100644 index 49daf4bc2a..0000000000 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/persistentvolumeclaimreference.go +++ /dev/null @@ -1,23 +0,0 @@ -// Code generated by applyconfiguration-gen. DO NOT EDIT. - -package v1 - -// PersistentVolumeClaimReferenceApplyConfiguration represents a declarative configuration of the PersistentVolumeClaimReference type for use -// with apply. -type PersistentVolumeClaimReferenceApplyConfiguration struct { - Name *string `json:"name,omitempty"` -} - -// PersistentVolumeClaimReferenceApplyConfiguration constructs a declarative configuration of the PersistentVolumeClaimReference type for use with -// apply. -func PersistentVolumeClaimReference() *PersistentVolumeClaimReferenceApplyConfiguration { - return &PersistentVolumeClaimReferenceApplyConfiguration{} -} - -// WithName sets the Name field in the declarative configuration to the given value -// and returns the receiver, so that objects can be built by chaining "With" function invocations. -// If called multiple times, the Name field is set to the value of the last call. -func (b *PersistentVolumeClaimReferenceApplyConfiguration) WithName(value string) *PersistentVolumeClaimReferenceApplyConfiguration { - b.Name = &value - return b -} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/persistentvolumeconfig.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/persistentvolumeconfig.go deleted file mode 100644 index c62fdbcf99..0000000000 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/persistentvolumeconfig.go +++ /dev/null @@ -1,32 +0,0 @@ -// Code generated by applyconfiguration-gen. DO NOT EDIT. - -package v1 - -// PersistentVolumeConfigApplyConfiguration represents a declarative configuration of the PersistentVolumeConfig type for use -// with apply. -type PersistentVolumeConfigApplyConfiguration struct { - Claim *PersistentVolumeClaimReferenceApplyConfiguration `json:"claim,omitempty"` - MountPath *string `json:"mountPath,omitempty"` -} - -// PersistentVolumeConfigApplyConfiguration constructs a declarative configuration of the PersistentVolumeConfig type for use with -// apply. -func PersistentVolumeConfig() *PersistentVolumeConfigApplyConfiguration { - return &PersistentVolumeConfigApplyConfiguration{} -} - -// WithClaim sets the Claim field in the declarative configuration to the given value -// and returns the receiver, so that objects can be built by chaining "With" function invocations. -// If called multiple times, the Claim field is set to the value of the last call. -func (b *PersistentVolumeConfigApplyConfiguration) WithClaim(value *PersistentVolumeClaimReferenceApplyConfiguration) *PersistentVolumeConfigApplyConfiguration { - b.Claim = value - return b -} - -// WithMountPath sets the MountPath field in the declarative configuration to the given value -// and returns the receiver, so that objects can be built by chaining "With" function invocations. -// If called multiple times, the MountPath field is set to the value of the last call. -func (b *PersistentVolumeConfigApplyConfiguration) WithMountPath(value string) *PersistentVolumeConfigApplyConfiguration { - b.MountPath = &value - return b -} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/storage.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/storage.go deleted file mode 100644 index 405df6c132..0000000000 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/storage.go +++ /dev/null @@ -1,36 +0,0 @@ -// Code generated by applyconfiguration-gen. DO NOT EDIT. - -package v1 - -import ( - configv1 "github.com/openshift/api/config/v1" -) - -// StorageApplyConfiguration represents a declarative configuration of the Storage type for use -// with apply. -type StorageApplyConfiguration struct { - Type *configv1.StorageType `json:"type,omitempty"` - PersistentVolume *PersistentVolumeConfigApplyConfiguration `json:"persistentVolume,omitempty"` -} - -// StorageApplyConfiguration constructs a declarative configuration of the Storage type for use with -// apply. -func Storage() *StorageApplyConfiguration { - return &StorageApplyConfiguration{} -} - -// WithType sets the Type field in the declarative configuration to the given value -// and returns the receiver, so that objects can be built by chaining "With" function invocations. -// If called multiple times, the Type field is set to the value of the last call. -func (b *StorageApplyConfiguration) WithType(value configv1.StorageType) *StorageApplyConfiguration { - b.Type = &value - return b -} - -// WithPersistentVolume sets the PersistentVolume field in the declarative configuration to the given value -// and returns the receiver, so that objects can be built by chaining "With" function invocations. -// If called multiple times, the PersistentVolume field is set to the value of the last call. -func (b *StorageApplyConfiguration) WithPersistentVolume(value *PersistentVolumeConfigApplyConfiguration) *StorageApplyConfiguration { - b.PersistentVolume = value - return b -} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vsphereplatformstatus.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vsphereplatformstatus.go index 36696df716..a3cfc9b1c7 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vsphereplatformstatus.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vsphereplatformstatus.go @@ -15,6 +15,7 @@ type VSpherePlatformStatusApplyConfiguration struct { IngressIPs []string `json:"ingressIPs,omitempty"` NodeDNSIP *string `json:"nodeDNSIP,omitempty"` LoadBalancer *VSpherePlatformLoadBalancerApplyConfiguration `json:"loadBalancer,omitempty"` + DNSRecordsType *configv1.DNSRecordsType `json:"dnsRecordsType,omitempty"` MachineNetworks []configv1.CIDR `json:"machineNetworks,omitempty"` } @@ -76,6 +77,14 @@ func (b *VSpherePlatformStatusApplyConfiguration) WithLoadBalancer(value *VSpher return b } +// WithDNSRecordsType sets the DNSRecordsType field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the DNSRecordsType field is set to the value of the last call. +func (b *VSpherePlatformStatusApplyConfiguration) WithDNSRecordsType(value configv1.DNSRecordsType) *VSpherePlatformStatusApplyConfiguration { + b.DNSRecordsType = &value + return b +} + // WithMachineNetworks adds the given value to the MachineNetworks field in the declarative configuration // and returns the receiver, so that objects can be build by chaining "With" function invocations. // If called multiple times, values provided by each call will be appended to the MachineNetworks field. diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/internal/internal.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/internal/internal.go index de325e3678..0d49eb95f2 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/internal/internal.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/internal/internal.go @@ -164,6 +164,10 @@ var schemaYAML = typed.YAMLObject(`types: namedType: com.github.openshift.api.config.v1.CloudLoadBalancerConfig default: dnsType: PlatformDefault + - name: ipFamily + type: + scalar: string + default: IPv4 - name: region type: scalar: string @@ -363,6 +367,10 @@ var schemaYAML = typed.YAMLObject(`types: - name: cloudName type: scalar: string + - name: ipFamily + type: + scalar: string + default: IPv4 - name: networkResourceGroupName type: scalar: string @@ -429,6 +437,9 @@ var schemaYAML = typed.YAMLObject(`types: elementType: scalar: string elementRelationship: atomic + - name: dnsRecordsType + type: + scalar: string - name: ingressIP type: scalar: string @@ -1054,17 +1065,6 @@ var schemaYAML = typed.YAMLObject(`types: type: scalar: string default: "" -- name: com.github.openshift.api.config.v1.Custom - map: - fields: - - name: configs - type: - list: - elementType: - namedType: com.github.openshift.api.config.v1.GathererConfig - elementRelationship: associative - keys: - - name - name: com.github.openshift.api.config.v1.CustomFeatureGates map: fields: @@ -1386,14 +1386,6 @@ var schemaYAML = typed.YAMLObject(`types: elementRelationship: associative keys: - key - - name: serviceEndpoints - type: - list: - elementType: - namedType: com.github.openshift.api.config.v1.GCPServiceEndpoint - elementRelationship: associative - keys: - - name - name: com.github.openshift.api.config.v1.GCPResourceLabel map: fields: @@ -1420,58 +1412,6 @@ var schemaYAML = typed.YAMLObject(`types: type: scalar: string default: "" -- name: com.github.openshift.api.config.v1.GCPServiceEndpoint - map: - fields: - - name: name - type: - scalar: string - default: "" - - name: url - type: - scalar: string - default: "" -- name: com.github.openshift.api.config.v1.GatherConfig - map: - fields: - - name: dataPolicy - type: - list: - elementType: - scalar: string - elementRelationship: atomic - - name: gatherers - type: - namedType: com.github.openshift.api.config.v1.Gatherers - default: {} - - name: storage - type: - namedType: com.github.openshift.api.config.v1.Storage - default: {} -- name: com.github.openshift.api.config.v1.GathererConfig - map: - fields: - - name: name - type: - scalar: string - - name: state - type: - scalar: string -- name: com.github.openshift.api.config.v1.Gatherers - map: - fields: - - name: custom - type: - namedType: com.github.openshift.api.config.v1.Custom - default: {} - - name: mode - type: - scalar: string - unions: - - discriminator: mode - fields: - - fieldName: custom - discriminatorValue: Custom - name: com.github.openshift.api.config.v1.GitHubIdentityProvider map: fields: @@ -2064,30 +2004,6 @@ var schemaYAML = typed.YAMLObject(`types: type: scalar: string default: "" -- name: com.github.openshift.api.config.v1.InsightsDataGather - map: - fields: - - name: apiVersion - type: - scalar: string - - name: kind - type: - scalar: string - - name: metadata - type: - namedType: io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta - default: {} - - name: spec - type: - namedType: com.github.openshift.api.config.v1.InsightsDataGatherSpec - default: {} -- name: com.github.openshift.api.config.v1.InsightsDataGatherSpec - map: - fields: - - name: gatherConfig - type: - namedType: com.github.openshift.api.config.v1.GatherConfig - default: {} - name: com.github.openshift.api.config.v1.IntermediateTLSProfile map: elementType: @@ -2499,6 +2415,9 @@ var schemaYAML = typed.YAMLObject(`types: elementType: scalar: string elementRelationship: associative + - name: dnsRecordsType + type: + scalar: string - name: ingressIP type: scalar: string @@ -2860,6 +2779,9 @@ var schemaYAML = typed.YAMLObject(`types: - name: cloudName type: scalar: string + - name: dnsRecordsType + type: + scalar: string - name: ingressIP type: scalar: string @@ -2969,6 +2891,9 @@ var schemaYAML = typed.YAMLObject(`types: elementType: scalar: string elementRelationship: associative + - name: dnsRecordsType + type: + scalar: string - name: ingressIP type: scalar: string @@ -3008,22 +2933,6 @@ var schemaYAML = typed.YAMLObject(`types: - name: hostname type: scalar: string -- name: com.github.openshift.api.config.v1.PersistentVolumeClaimReference - map: - fields: - - name: name - type: - scalar: string -- name: com.github.openshift.api.config.v1.PersistentVolumeConfig - map: - fields: - - name: claim - type: - namedType: com.github.openshift.api.config.v1.PersistentVolumeClaimReference - default: {} - - name: mountPath - type: - scalar: string - name: com.github.openshift.api.config.v1.PlatformSpec map: fields: @@ -3605,21 +3514,6 @@ var schemaYAML = typed.YAMLObject(`types: type: scalar: string default: "" -- name: com.github.openshift.api.config.v1.Storage - map: - fields: - - name: persistentVolume - type: - namedType: com.github.openshift.api.config.v1.PersistentVolumeConfig - default: {} - - name: type - type: - scalar: string - unions: - - discriminator: type - fields: - - fieldName: persistentVolume - discriminatorValue: PersistentVolume - name: com.github.openshift.api.config.v1.TLSSecurityProfile map: fields: @@ -3970,6 +3864,9 @@ var schemaYAML = typed.YAMLObject(`types: elementType: scalar: string elementRelationship: atomic + - name: dnsRecordsType + type: + scalar: string - name: ingressIP type: scalar: string diff --git a/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/config_client.go b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/config_client.go index afce6aef52..70957eee8b 100644 --- a/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/config_client.go +++ b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/config_client.go @@ -28,7 +28,6 @@ type ConfigV1Interface interface { ImageTagMirrorSetsGetter InfrastructuresGetter IngressesGetter - InsightsDataGathersGetter NetworksGetter NodesGetter OAuthsGetter @@ -107,10 +106,6 @@ func (c *ConfigV1Client) Ingresses() IngressInterface { return newIngresses(c) } -func (c *ConfigV1Client) InsightsDataGathers() InsightsDataGatherInterface { - return newInsightsDataGathers(c) -} - func (c *ConfigV1Client) Networks() NetworkInterface { return newNetworks(c) } diff --git a/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/generated_expansion.go b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/generated_expansion.go index 27c5fd110b..44ad19dcb3 100644 --- a/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/generated_expansion.go +++ b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/generated_expansion.go @@ -34,8 +34,6 @@ type InfrastructureExpansion interface{} type IngressExpansion interface{} -type InsightsDataGatherExpansion interface{} - type NetworkExpansion interface{} type NodeExpansion interface{} diff --git a/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/insightsdatagather.go b/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/insightsdatagather.go deleted file mode 100644 index 43f6620122..0000000000 --- a/vendor/github.com/openshift/client-go/config/clientset/versioned/typed/config/v1/insightsdatagather.go +++ /dev/null @@ -1,54 +0,0 @@ -// Code generated by client-gen. DO NOT EDIT. - -package v1 - -import ( - context "context" - - configv1 "github.com/openshift/api/config/v1" - applyconfigurationsconfigv1 "github.com/openshift/client-go/config/applyconfigurations/config/v1" - scheme "github.com/openshift/client-go/config/clientset/versioned/scheme" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - types "k8s.io/apimachinery/pkg/types" - watch "k8s.io/apimachinery/pkg/watch" - gentype "k8s.io/client-go/gentype" -) - -// InsightsDataGathersGetter has a method to return a InsightsDataGatherInterface. -// A group's client should implement this interface. -type InsightsDataGathersGetter interface { - InsightsDataGathers() InsightsDataGatherInterface -} - -// InsightsDataGatherInterface has methods to work with InsightsDataGather resources. -type InsightsDataGatherInterface interface { - Create(ctx context.Context, insightsDataGather *configv1.InsightsDataGather, opts metav1.CreateOptions) (*configv1.InsightsDataGather, error) - Update(ctx context.Context, insightsDataGather *configv1.InsightsDataGather, opts metav1.UpdateOptions) (*configv1.InsightsDataGather, error) - Delete(ctx context.Context, name string, opts metav1.DeleteOptions) error - DeleteCollection(ctx context.Context, opts metav1.DeleteOptions, listOpts metav1.ListOptions) error - Get(ctx context.Context, name string, opts metav1.GetOptions) (*configv1.InsightsDataGather, error) - List(ctx context.Context, opts metav1.ListOptions) (*configv1.InsightsDataGatherList, error) - Watch(ctx context.Context, opts metav1.ListOptions) (watch.Interface, error) - Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts metav1.PatchOptions, subresources ...string) (result *configv1.InsightsDataGather, err error) - Apply(ctx context.Context, insightsDataGather *applyconfigurationsconfigv1.InsightsDataGatherApplyConfiguration, opts metav1.ApplyOptions) (result *configv1.InsightsDataGather, err error) - InsightsDataGatherExpansion -} - -// insightsDataGathers implements InsightsDataGatherInterface -type insightsDataGathers struct { - *gentype.ClientWithListAndApply[*configv1.InsightsDataGather, *configv1.InsightsDataGatherList, *applyconfigurationsconfigv1.InsightsDataGatherApplyConfiguration] -} - -// newInsightsDataGathers returns a InsightsDataGathers -func newInsightsDataGathers(c *ConfigV1Client) *insightsDataGathers { - return &insightsDataGathers{ - gentype.NewClientWithListAndApply[*configv1.InsightsDataGather, *configv1.InsightsDataGatherList, *applyconfigurationsconfigv1.InsightsDataGatherApplyConfiguration]( - "insightsdatagathers", - c.RESTClient(), - scheme.ParameterCodec, - "", - func() *configv1.InsightsDataGather { return &configv1.InsightsDataGather{} }, - func() *configv1.InsightsDataGatherList { return &configv1.InsightsDataGatherList{} }, - ), - } -} diff --git a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/insightsdatagather.go b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/insightsdatagather.go deleted file mode 100644 index 53a1739911..0000000000 --- a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/insightsdatagather.go +++ /dev/null @@ -1,85 +0,0 @@ -// Code generated by informer-gen. DO NOT EDIT. - -package v1 - -import ( - context "context" - time "time" - - apiconfigv1 "github.com/openshift/api/config/v1" - versioned "github.com/openshift/client-go/config/clientset/versioned" - internalinterfaces "github.com/openshift/client-go/config/informers/externalversions/internalinterfaces" - configv1 "github.com/openshift/client-go/config/listers/config/v1" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - runtime "k8s.io/apimachinery/pkg/runtime" - watch "k8s.io/apimachinery/pkg/watch" - cache "k8s.io/client-go/tools/cache" -) - -// InsightsDataGatherInformer provides access to a shared informer and lister for -// InsightsDataGathers. -type InsightsDataGatherInformer interface { - Informer() cache.SharedIndexInformer - Lister() configv1.InsightsDataGatherLister -} - -type insightsDataGatherInformer struct { - factory internalinterfaces.SharedInformerFactory - tweakListOptions internalinterfaces.TweakListOptionsFunc -} - -// NewInsightsDataGatherInformer constructs a new informer for InsightsDataGather type. -// Always prefer using an informer factory to get a shared informer instead of getting an independent -// one. This reduces memory footprint and number of connections to the server. -func NewInsightsDataGatherInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer { - return NewFilteredInsightsDataGatherInformer(client, resyncPeriod, indexers, nil) -} - -// NewFilteredInsightsDataGatherInformer constructs a new informer for InsightsDataGather type. -// Always prefer using an informer factory to get a shared informer instead of getting an independent -// one. This reduces memory footprint and number of connections to the server. -func NewFilteredInsightsDataGatherInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer { - return cache.NewSharedIndexInformer( - &cache.ListWatch{ - ListFunc: func(options metav1.ListOptions) (runtime.Object, error) { - if tweakListOptions != nil { - tweakListOptions(&options) - } - return client.ConfigV1().InsightsDataGathers().List(context.Background(), options) - }, - WatchFunc: func(options metav1.ListOptions) (watch.Interface, error) { - if tweakListOptions != nil { - tweakListOptions(&options) - } - return client.ConfigV1().InsightsDataGathers().Watch(context.Background(), options) - }, - ListWithContextFunc: func(ctx context.Context, options metav1.ListOptions) (runtime.Object, error) { - if tweakListOptions != nil { - tweakListOptions(&options) - } - return client.ConfigV1().InsightsDataGathers().List(ctx, options) - }, - WatchFuncWithContext: func(ctx context.Context, options metav1.ListOptions) (watch.Interface, error) { - if tweakListOptions != nil { - tweakListOptions(&options) - } - return client.ConfigV1().InsightsDataGathers().Watch(ctx, options) - }, - }, - &apiconfigv1.InsightsDataGather{}, - resyncPeriod, - indexers, - ) -} - -func (f *insightsDataGatherInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer { - return NewFilteredInsightsDataGatherInformer(client, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions) -} - -func (f *insightsDataGatherInformer) Informer() cache.SharedIndexInformer { - return f.factory.InformerFor(&apiconfigv1.InsightsDataGather{}, f.defaultInformer) -} - -func (f *insightsDataGatherInformer) Lister() configv1.InsightsDataGatherLister { - return configv1.NewInsightsDataGatherLister(f.Informer().GetIndexer()) -} diff --git a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/interface.go b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/interface.go index 0ad1b98f37..ff4c521b04 100644 --- a/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/interface.go +++ b/vendor/github.com/openshift/client-go/config/informers/externalversions/config/v1/interface.go @@ -40,8 +40,6 @@ type Interface interface { Infrastructures() InfrastructureInformer // Ingresses returns a IngressInformer. Ingresses() IngressInformer - // InsightsDataGathers returns a InsightsDataGatherInformer. - InsightsDataGathers() InsightsDataGatherInformer // Networks returns a NetworkInformer. Networks() NetworkInformer // Nodes returns a NodeInformer. @@ -149,11 +147,6 @@ func (v *version) Ingresses() IngressInformer { return &ingressInformer{factory: v.factory, tweakListOptions: v.tweakListOptions} } -// InsightsDataGathers returns a InsightsDataGatherInformer. -func (v *version) InsightsDataGathers() InsightsDataGatherInformer { - return &insightsDataGatherInformer{factory: v.factory, tweakListOptions: v.tweakListOptions} -} - // Networks returns a NetworkInformer. func (v *version) Networks() NetworkInformer { return &networkInformer{factory: v.factory, tweakListOptions: v.tweakListOptions} diff --git a/vendor/github.com/openshift/client-go/config/informers/externalversions/generic.go b/vendor/github.com/openshift/client-go/config/informers/externalversions/generic.go index 146e7e9754..59c98ea77c 100644 --- a/vendor/github.com/openshift/client-go/config/informers/externalversions/generic.go +++ b/vendor/github.com/openshift/client-go/config/informers/externalversions/generic.go @@ -71,8 +71,6 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1().Infrastructures().Informer()}, nil case v1.SchemeGroupVersion.WithResource("ingresses"): return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1().Ingresses().Informer()}, nil - case v1.SchemeGroupVersion.WithResource("insightsdatagathers"): - return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1().InsightsDataGathers().Informer()}, nil case v1.SchemeGroupVersion.WithResource("networks"): return &genericInformer{resource: resource.GroupResource(), informer: f.Config().V1().Networks().Informer()}, nil case v1.SchemeGroupVersion.WithResource("nodes"): diff --git a/vendor/github.com/openshift/client-go/config/listers/config/v1/expansion_generated.go b/vendor/github.com/openshift/client-go/config/listers/config/v1/expansion_generated.go index ca93cb2838..d4e79cd0ea 100644 --- a/vendor/github.com/openshift/client-go/config/listers/config/v1/expansion_generated.go +++ b/vendor/github.com/openshift/client-go/config/listers/config/v1/expansion_generated.go @@ -70,10 +70,6 @@ type InfrastructureListerExpansion interface{} // IngressLister. type IngressListerExpansion interface{} -// InsightsDataGatherListerExpansion allows custom methods to be added to -// InsightsDataGatherLister. -type InsightsDataGatherListerExpansion interface{} - // NetworkListerExpansion allows custom methods to be added to // NetworkLister. type NetworkListerExpansion interface{} diff --git a/vendor/github.com/openshift/client-go/config/listers/config/v1/insightsdatagather.go b/vendor/github.com/openshift/client-go/config/listers/config/v1/insightsdatagather.go deleted file mode 100644 index 79da7823ff..0000000000 --- a/vendor/github.com/openshift/client-go/config/listers/config/v1/insightsdatagather.go +++ /dev/null @@ -1,32 +0,0 @@ -// Code generated by lister-gen. DO NOT EDIT. - -package v1 - -import ( - configv1 "github.com/openshift/api/config/v1" - labels "k8s.io/apimachinery/pkg/labels" - listers "k8s.io/client-go/listers" - cache "k8s.io/client-go/tools/cache" -) - -// InsightsDataGatherLister helps list InsightsDataGathers. -// All objects returned here must be treated as read-only. -type InsightsDataGatherLister interface { - // List lists all InsightsDataGathers in the indexer. - // Objects returned here must be treated as read-only. - List(selector labels.Selector) (ret []*configv1.InsightsDataGather, err error) - // Get retrieves the InsightsDataGather from the index for a given name. - // Objects returned here must be treated as read-only. - Get(name string) (*configv1.InsightsDataGather, error) - InsightsDataGatherListerExpansion -} - -// insightsDataGatherLister implements the InsightsDataGatherLister interface. -type insightsDataGatherLister struct { - listers.ResourceIndexer[*configv1.InsightsDataGather] -} - -// NewInsightsDataGatherLister returns a new InsightsDataGatherLister. -func NewInsightsDataGatherLister(indexer cache.Indexer) InsightsDataGatherLister { - return &insightsDataGatherLister{listers.New[*configv1.InsightsDataGather](indexer, configv1.Resource("insightsdatagather"))} -} diff --git a/vendor/github.com/openshift/client-go/operator/applyconfigurations/internal/internal.go b/vendor/github.com/openshift/client-go/operator/applyconfigurations/internal/internal.go index fa2661459e..d2451c5723 100644 --- a/vendor/github.com/openshift/client-go/operator/applyconfigurations/internal/internal.go +++ b/vendor/github.com/openshift/client-go/operator/applyconfigurations/internal/internal.go @@ -1860,6 +1860,10 @@ var schemaYAML = typed.YAMLObject(`types: type: namedType: com.github.openshift.api.operator.v1.ClientTLS default: {} + - name: closedClientConnectionPolicy + type: + scalar: string + default: Continue - name: defaultCertificate type: namedType: io.k8s.api.core.v1.LocalObjectReference @@ -1974,6 +1978,9 @@ var schemaYAML = typed.YAMLObject(`types: - name: healthCheckInterval type: namedType: io.k8s.apimachinery.pkg.apis.meta.v1.Duration + - name: httpKeepAliveTimeout + type: + namedType: io.k8s.apimachinery.pkg.apis.meta.v1.Duration - name: maxConnections type: scalar: numeric diff --git a/vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/ingresscontrollerspec.go b/vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/ingresscontrollerspec.go index ae23fe636a..ff82e0ed18 100644 --- a/vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/ingresscontrollerspec.go +++ b/vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/ingresscontrollerspec.go @@ -13,24 +13,25 @@ import ( // IngressControllerSpecApplyConfiguration represents a declarative configuration of the IngressControllerSpec type for use // with apply. type IngressControllerSpecApplyConfiguration struct { - Domain *string `json:"domain,omitempty"` - HttpErrorCodePages *configv1.ConfigMapNameReference `json:"httpErrorCodePages,omitempty"` - Replicas *int32 `json:"replicas,omitempty"` - EndpointPublishingStrategy *EndpointPublishingStrategyApplyConfiguration `json:"endpointPublishingStrategy,omitempty"` - DefaultCertificate *corev1.LocalObjectReference `json:"defaultCertificate,omitempty"` - NamespaceSelector *metav1.LabelSelectorApplyConfiguration `json:"namespaceSelector,omitempty"` - RouteSelector *metav1.LabelSelectorApplyConfiguration `json:"routeSelector,omitempty"` - NodePlacement *NodePlacementApplyConfiguration `json:"nodePlacement,omitempty"` - TLSSecurityProfile *configv1.TLSSecurityProfile `json:"tlsSecurityProfile,omitempty"` - ClientTLS *ClientTLSApplyConfiguration `json:"clientTLS,omitempty"` - RouteAdmission *RouteAdmissionPolicyApplyConfiguration `json:"routeAdmission,omitempty"` - Logging *IngressControllerLoggingApplyConfiguration `json:"logging,omitempty"` - HTTPHeaders *IngressControllerHTTPHeadersApplyConfiguration `json:"httpHeaders,omitempty"` - HTTPEmptyRequestsPolicy *operatorv1.HTTPEmptyRequestsPolicy `json:"httpEmptyRequestsPolicy,omitempty"` - TuningOptions *IngressControllerTuningOptionsApplyConfiguration `json:"tuningOptions,omitempty"` - UnsupportedConfigOverrides *runtime.RawExtension `json:"unsupportedConfigOverrides,omitempty"` - HTTPCompression *HTTPCompressionPolicyApplyConfiguration `json:"httpCompression,omitempty"` - IdleConnectionTerminationPolicy *operatorv1.IngressControllerConnectionTerminationPolicy `json:"idleConnectionTerminationPolicy,omitempty"` + Domain *string `json:"domain,omitempty"` + HttpErrorCodePages *configv1.ConfigMapNameReference `json:"httpErrorCodePages,omitempty"` + Replicas *int32 `json:"replicas,omitempty"` + EndpointPublishingStrategy *EndpointPublishingStrategyApplyConfiguration `json:"endpointPublishingStrategy,omitempty"` + DefaultCertificate *corev1.LocalObjectReference `json:"defaultCertificate,omitempty"` + NamespaceSelector *metav1.LabelSelectorApplyConfiguration `json:"namespaceSelector,omitempty"` + RouteSelector *metav1.LabelSelectorApplyConfiguration `json:"routeSelector,omitempty"` + NodePlacement *NodePlacementApplyConfiguration `json:"nodePlacement,omitempty"` + TLSSecurityProfile *configv1.TLSSecurityProfile `json:"tlsSecurityProfile,omitempty"` + ClientTLS *ClientTLSApplyConfiguration `json:"clientTLS,omitempty"` + RouteAdmission *RouteAdmissionPolicyApplyConfiguration `json:"routeAdmission,omitempty"` + Logging *IngressControllerLoggingApplyConfiguration `json:"logging,omitempty"` + HTTPHeaders *IngressControllerHTTPHeadersApplyConfiguration `json:"httpHeaders,omitempty"` + HTTPEmptyRequestsPolicy *operatorv1.HTTPEmptyRequestsPolicy `json:"httpEmptyRequestsPolicy,omitempty"` + TuningOptions *IngressControllerTuningOptionsApplyConfiguration `json:"tuningOptions,omitempty"` + UnsupportedConfigOverrides *runtime.RawExtension `json:"unsupportedConfigOverrides,omitempty"` + HTTPCompression *HTTPCompressionPolicyApplyConfiguration `json:"httpCompression,omitempty"` + IdleConnectionTerminationPolicy *operatorv1.IngressControllerConnectionTerminationPolicy `json:"idleConnectionTerminationPolicy,omitempty"` + ClosedClientConnectionPolicy *operatorv1.IngressControllerClosedClientConnectionPolicy `json:"closedClientConnectionPolicy,omitempty"` } // IngressControllerSpecApplyConfiguration constructs a declarative configuration of the IngressControllerSpec type for use with @@ -182,3 +183,11 @@ func (b *IngressControllerSpecApplyConfiguration) WithIdleConnectionTerminationP b.IdleConnectionTerminationPolicy = &value return b } + +// WithClosedClientConnectionPolicy sets the ClosedClientConnectionPolicy field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the ClosedClientConnectionPolicy field is set to the value of the last call. +func (b *IngressControllerSpecApplyConfiguration) WithClosedClientConnectionPolicy(value operatorv1.IngressControllerClosedClientConnectionPolicy) *IngressControllerSpecApplyConfiguration { + b.ClosedClientConnectionPolicy = &value + return b +} diff --git a/vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/ingresscontrollertuningoptions.go b/vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/ingresscontrollertuningoptions.go index 122801cf10..e7cc8c5ee5 100644 --- a/vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/ingresscontrollertuningoptions.go +++ b/vendor/github.com/openshift/client-go/operator/applyconfigurations/operator/v1/ingresscontrollertuningoptions.go @@ -18,6 +18,7 @@ type IngressControllerTuningOptionsApplyConfiguration struct { ServerFinTimeout *metav1.Duration `json:"serverFinTimeout,omitempty"` TunnelTimeout *metav1.Duration `json:"tunnelTimeout,omitempty"` ConnectTimeout *metav1.Duration `json:"connectTimeout,omitempty"` + HTTPKeepAliveTimeout *metav1.Duration `json:"httpKeepAliveTimeout,omitempty"` TLSInspectDelay *metav1.Duration `json:"tlsInspectDelay,omitempty"` HealthCheckInterval *metav1.Duration `json:"healthCheckInterval,omitempty"` MaxConnections *int32 `json:"maxConnections,omitempty"` @@ -102,6 +103,14 @@ func (b *IngressControllerTuningOptionsApplyConfiguration) WithConnectTimeout(va return b } +// WithHTTPKeepAliveTimeout sets the HTTPKeepAliveTimeout field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the HTTPKeepAliveTimeout field is set to the value of the last call. +func (b *IngressControllerTuningOptionsApplyConfiguration) WithHTTPKeepAliveTimeout(value metav1.Duration) *IngressControllerTuningOptionsApplyConfiguration { + b.HTTPKeepAliveTimeout = &value + return b +} + // WithTLSInspectDelay sets the TLSInspectDelay field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the TLSInspectDelay field is set to the value of the last call. diff --git a/vendor/github.com/peterbourgon/diskv/LICENSE b/vendor/github.com/peterbourgon/diskv/LICENSE new file mode 100644 index 0000000000..41ce7f16e1 --- /dev/null +++ b/vendor/github.com/peterbourgon/diskv/LICENSE @@ -0,0 +1,19 @@ +Copyright (c) 2011-2012 Peter Bourgon + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE. diff --git a/vendor/github.com/peterbourgon/diskv/README.md b/vendor/github.com/peterbourgon/diskv/README.md new file mode 100644 index 0000000000..3474739edc --- /dev/null +++ b/vendor/github.com/peterbourgon/diskv/README.md @@ -0,0 +1,141 @@ +# What is diskv? + +Diskv (disk-vee) is a simple, persistent key-value store written in the Go +language. It starts with an incredibly simple API for storing arbitrary data on +a filesystem by key, and builds several layers of performance-enhancing +abstraction on top. The end result is a conceptually simple, but highly +performant, disk-backed storage system. + +[![Build Status][1]][2] + +[1]: https://drone.io/github.com/peterbourgon/diskv/status.png +[2]: https://drone.io/github.com/peterbourgon/diskv/latest + + +# Installing + +Install [Go 1][3], either [from source][4] or [with a prepackaged binary][5]. +Then, + +```bash +$ go get github.com/peterbourgon/diskv +``` + +[3]: http://golang.org +[4]: http://golang.org/doc/install/source +[5]: http://golang.org/doc/install + + +# Usage + +```go +package main + +import ( + "fmt" + "github.com/peterbourgon/diskv" +) + +func main() { + // Simplest transform function: put all the data files into the base dir. + flatTransform := func(s string) []string { return []string{} } + + // Initialize a new diskv store, rooted at "my-data-dir", with a 1MB cache. + d := diskv.New(diskv.Options{ + BasePath: "my-data-dir", + Transform: flatTransform, + CacheSizeMax: 1024 * 1024, + }) + + // Write three bytes to the key "alpha". + key := "alpha" + d.Write(key, []byte{'1', '2', '3'}) + + // Read the value back out of the store. + value, _ := d.Read(key) + fmt.Printf("%v\n", value) + + // Erase the key+value from the store (and the disk). + d.Erase(key) +} +``` + +More complex examples can be found in the "examples" subdirectory. + + +# Theory + +## Basic idea + +At its core, diskv is a map of a key (`string`) to arbitrary data (`[]byte`). +The data is written to a single file on disk, with the same name as the key. +The key determines where that file will be stored, via a user-provided +`TransformFunc`, which takes a key and returns a slice (`[]string`) +corresponding to a path list where the key file will be stored. The simplest +TransformFunc, + +```go +func SimpleTransform (key string) []string { + return []string{} +} +``` + +will place all keys in the same, base directory. The design is inspired by +[Redis diskstore][6]; a TransformFunc which emulates the default diskstore +behavior is available in the content-addressable-storage example. + +[6]: http://groups.google.com/group/redis-db/browse_thread/thread/d444bc786689bde9?pli=1 + +**Note** that your TransformFunc should ensure that one valid key doesn't +transform to a subset of another valid key. That is, it shouldn't be possible +to construct valid keys that resolve to directory names. As a concrete example, +if your TransformFunc splits on every 3 characters, then + +```go +d.Write("abcabc", val) // OK: written to /abc/abc/abcabc +d.Write("abc", val) // Error: attempted write to /abc/abc, but it's a directory +``` + +This will be addressed in an upcoming version of diskv. + +Probably the most important design principle behind diskv is that your data is +always flatly available on the disk. diskv will never do anything that would +prevent you from accessing, copying, backing up, or otherwise interacting with +your data via common UNIX commandline tools. + +## Adding a cache + +An in-memory caching layer is provided by combining the BasicStore +functionality with a simple map structure, and keeping it up-to-date as +appropriate. Since the map structure in Go is not threadsafe, it's combined +with a RWMutex to provide safe concurrent access. + +## Adding order + +diskv is a key-value store and therefore inherently unordered. An ordering +system can be injected into the store by passing something which satisfies the +diskv.Index interface. (A default implementation, using Google's +[btree][7] package, is provided.) Basically, diskv keeps an ordered (by a +user-provided Less function) index of the keys, which can be queried. + +[7]: https://github.com/google/btree + +## Adding compression + +Something which implements the diskv.Compression interface may be passed +during store creation, so that all Writes and Reads are filtered through +a compression/decompression pipeline. Several default implementations, +using stdlib compression algorithms, are provided. Note that data is cached +compressed; the cost of decompression is borne with each Read. + +## Streaming + +diskv also now provides ReadStream and WriteStream methods, to allow very large +data to be handled efficiently. + + +# Future plans + + * Needs plenty of robust testing: huge datasets, etc... + * More thorough benchmarking + * Your suggestions for use-cases I haven't thought of diff --git a/vendor/github.com/peterbourgon/diskv/compression.go b/vendor/github.com/peterbourgon/diskv/compression.go new file mode 100644 index 0000000000..5192b02733 --- /dev/null +++ b/vendor/github.com/peterbourgon/diskv/compression.go @@ -0,0 +1,64 @@ +package diskv + +import ( + "compress/flate" + "compress/gzip" + "compress/zlib" + "io" +) + +// Compression is an interface that Diskv uses to implement compression of +// data. Writer takes a destination io.Writer and returns a WriteCloser that +// compresses all data written through it. Reader takes a source io.Reader and +// returns a ReadCloser that decompresses all data read through it. You may +// define these methods on your own type, or use one of the NewCompression +// helpers. +type Compression interface { + Writer(dst io.Writer) (io.WriteCloser, error) + Reader(src io.Reader) (io.ReadCloser, error) +} + +// NewGzipCompression returns a Gzip-based Compression. +func NewGzipCompression() Compression { + return NewGzipCompressionLevel(flate.DefaultCompression) +} + +// NewGzipCompressionLevel returns a Gzip-based Compression with the given level. +func NewGzipCompressionLevel(level int) Compression { + return &genericCompression{ + wf: func(w io.Writer) (io.WriteCloser, error) { return gzip.NewWriterLevel(w, level) }, + rf: func(r io.Reader) (io.ReadCloser, error) { return gzip.NewReader(r) }, + } +} + +// NewZlibCompression returns a Zlib-based Compression. +func NewZlibCompression() Compression { + return NewZlibCompressionLevel(flate.DefaultCompression) +} + +// NewZlibCompressionLevel returns a Zlib-based Compression with the given level. +func NewZlibCompressionLevel(level int) Compression { + return NewZlibCompressionLevelDict(level, nil) +} + +// NewZlibCompressionLevelDict returns a Zlib-based Compression with the given +// level, based on the given dictionary. +func NewZlibCompressionLevelDict(level int, dict []byte) Compression { + return &genericCompression{ + func(w io.Writer) (io.WriteCloser, error) { return zlib.NewWriterLevelDict(w, level, dict) }, + func(r io.Reader) (io.ReadCloser, error) { return zlib.NewReaderDict(r, dict) }, + } +} + +type genericCompression struct { + wf func(w io.Writer) (io.WriteCloser, error) + rf func(r io.Reader) (io.ReadCloser, error) +} + +func (g *genericCompression) Writer(dst io.Writer) (io.WriteCloser, error) { + return g.wf(dst) +} + +func (g *genericCompression) Reader(src io.Reader) (io.ReadCloser, error) { + return g.rf(src) +} diff --git a/vendor/github.com/peterbourgon/diskv/diskv.go b/vendor/github.com/peterbourgon/diskv/diskv.go new file mode 100644 index 0000000000..524dc0a6e3 --- /dev/null +++ b/vendor/github.com/peterbourgon/diskv/diskv.go @@ -0,0 +1,624 @@ +// Diskv (disk-vee) is a simple, persistent, key-value store. +// It stores all data flatly on the filesystem. + +package diskv + +import ( + "bytes" + "errors" + "fmt" + "io" + "io/ioutil" + "os" + "path/filepath" + "strings" + "sync" + "syscall" +) + +const ( + defaultBasePath = "diskv" + defaultFilePerm os.FileMode = 0666 + defaultPathPerm os.FileMode = 0777 +) + +var ( + defaultTransform = func(s string) []string { return []string{} } + errCanceled = errors.New("canceled") + errEmptyKey = errors.New("empty key") + errBadKey = errors.New("bad key") + errImportDirectory = errors.New("can't import a directory") +) + +// TransformFunction transforms a key into a slice of strings, with each +// element in the slice representing a directory in the file path where the +// key's entry will eventually be stored. +// +// For example, if TransformFunc transforms "abcdef" to ["ab", "cde", "f"], +// the final location of the data file will be /ab/cde/f/abcdef +type TransformFunction func(s string) []string + +// Options define a set of properties that dictate Diskv behavior. +// All values are optional. +type Options struct { + BasePath string + Transform TransformFunction + CacheSizeMax uint64 // bytes + PathPerm os.FileMode + FilePerm os.FileMode + // If TempDir is set, it will enable filesystem atomic writes by + // writing temporary files to that location before being moved + // to BasePath. + // Note that TempDir MUST be on the same device/partition as + // BasePath. + TempDir string + + Index Index + IndexLess LessFunction + + Compression Compression +} + +// Diskv implements the Diskv interface. You shouldn't construct Diskv +// structures directly; instead, use the New constructor. +type Diskv struct { + Options + mu sync.RWMutex + cache map[string][]byte + cacheSize uint64 +} + +// New returns an initialized Diskv structure, ready to use. +// If the path identified by baseDir already contains data, +// it will be accessible, but not yet cached. +func New(o Options) *Diskv { + if o.BasePath == "" { + o.BasePath = defaultBasePath + } + if o.Transform == nil { + o.Transform = defaultTransform + } + if o.PathPerm == 0 { + o.PathPerm = defaultPathPerm + } + if o.FilePerm == 0 { + o.FilePerm = defaultFilePerm + } + + d := &Diskv{ + Options: o, + cache: map[string][]byte{}, + cacheSize: 0, + } + + if d.Index != nil && d.IndexLess != nil { + d.Index.Initialize(d.IndexLess, d.Keys(nil)) + } + + return d +} + +// Write synchronously writes the key-value pair to disk, making it immediately +// available for reads. Write relies on the filesystem to perform an eventual +// sync to physical media. If you need stronger guarantees, see WriteStream. +func (d *Diskv) Write(key string, val []byte) error { + return d.WriteStream(key, bytes.NewBuffer(val), false) +} + +// WriteStream writes the data represented by the io.Reader to the disk, under +// the provided key. If sync is true, WriteStream performs an explicit sync on +// the file as soon as it's written. +// +// bytes.Buffer provides io.Reader semantics for basic data types. +func (d *Diskv) WriteStream(key string, r io.Reader, sync bool) error { + if len(key) <= 0 { + return errEmptyKey + } + + d.mu.Lock() + defer d.mu.Unlock() + + return d.writeStreamWithLock(key, r, sync) +} + +// createKeyFileWithLock either creates the key file directly, or +// creates a temporary file in TempDir if it is set. +func (d *Diskv) createKeyFileWithLock(key string) (*os.File, error) { + if d.TempDir != "" { + if err := os.MkdirAll(d.TempDir, d.PathPerm); err != nil { + return nil, fmt.Errorf("temp mkdir: %s", err) + } + f, err := ioutil.TempFile(d.TempDir, "") + if err != nil { + return nil, fmt.Errorf("temp file: %s", err) + } + + if err := f.Chmod(d.FilePerm); err != nil { + f.Close() // error deliberately ignored + os.Remove(f.Name()) // error deliberately ignored + return nil, fmt.Errorf("chmod: %s", err) + } + return f, nil + } + + mode := os.O_WRONLY | os.O_CREATE | os.O_TRUNC // overwrite if exists + f, err := os.OpenFile(d.completeFilename(key), mode, d.FilePerm) + if err != nil { + return nil, fmt.Errorf("open file: %s", err) + } + return f, nil +} + +// writeStream does no input validation checking. +func (d *Diskv) writeStreamWithLock(key string, r io.Reader, sync bool) error { + if err := d.ensurePathWithLock(key); err != nil { + return fmt.Errorf("ensure path: %s", err) + } + + f, err := d.createKeyFileWithLock(key) + if err != nil { + return fmt.Errorf("create key file: %s", err) + } + + wc := io.WriteCloser(&nopWriteCloser{f}) + if d.Compression != nil { + wc, err = d.Compression.Writer(f) + if err != nil { + f.Close() // error deliberately ignored + os.Remove(f.Name()) // error deliberately ignored + return fmt.Errorf("compression writer: %s", err) + } + } + + if _, err := io.Copy(wc, r); err != nil { + f.Close() // error deliberately ignored + os.Remove(f.Name()) // error deliberately ignored + return fmt.Errorf("i/o copy: %s", err) + } + + if err := wc.Close(); err != nil { + f.Close() // error deliberately ignored + os.Remove(f.Name()) // error deliberately ignored + return fmt.Errorf("compression close: %s", err) + } + + if sync { + if err := f.Sync(); err != nil { + f.Close() // error deliberately ignored + os.Remove(f.Name()) // error deliberately ignored + return fmt.Errorf("file sync: %s", err) + } + } + + if err := f.Close(); err != nil { + return fmt.Errorf("file close: %s", err) + } + + if f.Name() != d.completeFilename(key) { + if err := os.Rename(f.Name(), d.completeFilename(key)); err != nil { + os.Remove(f.Name()) // error deliberately ignored + return fmt.Errorf("rename: %s", err) + } + } + + if d.Index != nil { + d.Index.Insert(key) + } + + d.bustCacheWithLock(key) // cache only on read + + return nil +} + +// Import imports the source file into diskv under the destination key. If the +// destination key already exists, it's overwritten. If move is true, the +// source file is removed after a successful import. +func (d *Diskv) Import(srcFilename, dstKey string, move bool) (err error) { + if dstKey == "" { + return errEmptyKey + } + + if fi, err := os.Stat(srcFilename); err != nil { + return err + } else if fi.IsDir() { + return errImportDirectory + } + + d.mu.Lock() + defer d.mu.Unlock() + + if err := d.ensurePathWithLock(dstKey); err != nil { + return fmt.Errorf("ensure path: %s", err) + } + + if move { + if err := syscall.Rename(srcFilename, d.completeFilename(dstKey)); err == nil { + d.bustCacheWithLock(dstKey) + return nil + } else if err != syscall.EXDEV { + // If it failed due to being on a different device, fall back to copying + return err + } + } + + f, err := os.Open(srcFilename) + if err != nil { + return err + } + defer f.Close() + err = d.writeStreamWithLock(dstKey, f, false) + if err == nil && move { + err = os.Remove(srcFilename) + } + return err +} + +// Read reads the key and returns the value. +// If the key is available in the cache, Read won't touch the disk. +// If the key is not in the cache, Read will have the side-effect of +// lazily caching the value. +func (d *Diskv) Read(key string) ([]byte, error) { + rc, err := d.ReadStream(key, false) + if err != nil { + return []byte{}, err + } + defer rc.Close() + return ioutil.ReadAll(rc) +} + +// ReadStream reads the key and returns the value (data) as an io.ReadCloser. +// If the value is cached from a previous read, and direct is false, +// ReadStream will use the cached value. Otherwise, it will return a handle to +// the file on disk, and cache the data on read. +// +// If direct is true, ReadStream will lazily delete any cached value for the +// key, and return a direct handle to the file on disk. +// +// If compression is enabled, ReadStream taps into the io.Reader stream prior +// to decompression, and caches the compressed data. +func (d *Diskv) ReadStream(key string, direct bool) (io.ReadCloser, error) { + d.mu.RLock() + defer d.mu.RUnlock() + + if val, ok := d.cache[key]; ok { + if !direct { + buf := bytes.NewBuffer(val) + if d.Compression != nil { + return d.Compression.Reader(buf) + } + return ioutil.NopCloser(buf), nil + } + + go func() { + d.mu.Lock() + defer d.mu.Unlock() + d.uncacheWithLock(key, uint64(len(val))) + }() + } + + return d.readWithRLock(key) +} + +// read ignores the cache, and returns an io.ReadCloser representing the +// decompressed data for the given key, streamed from the disk. Clients should +// acquire a read lock on the Diskv and check the cache themselves before +// calling read. +func (d *Diskv) readWithRLock(key string) (io.ReadCloser, error) { + filename := d.completeFilename(key) + + fi, err := os.Stat(filename) + if err != nil { + return nil, err + } + if fi.IsDir() { + return nil, os.ErrNotExist + } + + f, err := os.Open(filename) + if err != nil { + return nil, err + } + + var r io.Reader + if d.CacheSizeMax > 0 { + r = newSiphon(f, d, key) + } else { + r = &closingReader{f} + } + + var rc = io.ReadCloser(ioutil.NopCloser(r)) + if d.Compression != nil { + rc, err = d.Compression.Reader(r) + if err != nil { + return nil, err + } + } + + return rc, nil +} + +// closingReader provides a Reader that automatically closes the +// embedded ReadCloser when it reaches EOF +type closingReader struct { + rc io.ReadCloser +} + +func (cr closingReader) Read(p []byte) (int, error) { + n, err := cr.rc.Read(p) + if err == io.EOF { + if closeErr := cr.rc.Close(); closeErr != nil { + return n, closeErr // close must succeed for Read to succeed + } + } + return n, err +} + +// siphon is like a TeeReader: it copies all data read through it to an +// internal buffer, and moves that buffer to the cache at EOF. +type siphon struct { + f *os.File + d *Diskv + key string + buf *bytes.Buffer +} + +// newSiphon constructs a siphoning reader that represents the passed file. +// When a successful series of reads ends in an EOF, the siphon will write +// the buffered data to Diskv's cache under the given key. +func newSiphon(f *os.File, d *Diskv, key string) io.Reader { + return &siphon{ + f: f, + d: d, + key: key, + buf: &bytes.Buffer{}, + } +} + +// Read implements the io.Reader interface for siphon. +func (s *siphon) Read(p []byte) (int, error) { + n, err := s.f.Read(p) + + if err == nil { + return s.buf.Write(p[0:n]) // Write must succeed for Read to succeed + } + + if err == io.EOF { + s.d.cacheWithoutLock(s.key, s.buf.Bytes()) // cache may fail + if closeErr := s.f.Close(); closeErr != nil { + return n, closeErr // close must succeed for Read to succeed + } + return n, err + } + + return n, err +} + +// Erase synchronously erases the given key from the disk and the cache. +func (d *Diskv) Erase(key string) error { + d.mu.Lock() + defer d.mu.Unlock() + + d.bustCacheWithLock(key) + + // erase from index + if d.Index != nil { + d.Index.Delete(key) + } + + // erase from disk + filename := d.completeFilename(key) + if s, err := os.Stat(filename); err == nil { + if s.IsDir() { + return errBadKey + } + if err = os.Remove(filename); err != nil { + return err + } + } else { + // Return err as-is so caller can do os.IsNotExist(err). + return err + } + + // clean up and return + d.pruneDirsWithLock(key) + return nil +} + +// EraseAll will delete all of the data from the store, both in the cache and on +// the disk. Note that EraseAll doesn't distinguish diskv-related data from non- +// diskv-related data. Care should be taken to always specify a diskv base +// directory that is exclusively for diskv data. +func (d *Diskv) EraseAll() error { + d.mu.Lock() + defer d.mu.Unlock() + d.cache = make(map[string][]byte) + d.cacheSize = 0 + if d.TempDir != "" { + os.RemoveAll(d.TempDir) // errors ignored + } + return os.RemoveAll(d.BasePath) +} + +// Has returns true if the given key exists. +func (d *Diskv) Has(key string) bool { + d.mu.Lock() + defer d.mu.Unlock() + + if _, ok := d.cache[key]; ok { + return true + } + + filename := d.completeFilename(key) + s, err := os.Stat(filename) + if err != nil { + return false + } + if s.IsDir() { + return false + } + + return true +} + +// Keys returns a channel that will yield every key accessible by the store, +// in undefined order. If a cancel channel is provided, closing it will +// terminate and close the keys channel. +func (d *Diskv) Keys(cancel <-chan struct{}) <-chan string { + return d.KeysPrefix("", cancel) +} + +// KeysPrefix returns a channel that will yield every key accessible by the +// store with the given prefix, in undefined order. If a cancel channel is +// provided, closing it will terminate and close the keys channel. If the +// provided prefix is the empty string, all keys will be yielded. +func (d *Diskv) KeysPrefix(prefix string, cancel <-chan struct{}) <-chan string { + var prepath string + if prefix == "" { + prepath = d.BasePath + } else { + prepath = d.pathFor(prefix) + } + c := make(chan string) + go func() { + filepath.Walk(prepath, walker(c, prefix, cancel)) + close(c) + }() + return c +} + +// walker returns a function which satisfies the filepath.WalkFunc interface. +// It sends every non-directory file entry down the channel c. +func walker(c chan<- string, prefix string, cancel <-chan struct{}) filepath.WalkFunc { + return func(path string, info os.FileInfo, err error) error { + if err != nil { + return err + } + + if info.IsDir() || !strings.HasPrefix(info.Name(), prefix) { + return nil // "pass" + } + + select { + case c <- info.Name(): + case <-cancel: + return errCanceled + } + + return nil + } +} + +// pathFor returns the absolute path for location on the filesystem where the +// data for the given key will be stored. +func (d *Diskv) pathFor(key string) string { + return filepath.Join(d.BasePath, filepath.Join(d.Transform(key)...)) +} + +// ensurePathWithLock is a helper function that generates all necessary +// directories on the filesystem for the given key. +func (d *Diskv) ensurePathWithLock(key string) error { + return os.MkdirAll(d.pathFor(key), d.PathPerm) +} + +// completeFilename returns the absolute path to the file for the given key. +func (d *Diskv) completeFilename(key string) string { + return filepath.Join(d.pathFor(key), key) +} + +// cacheWithLock attempts to cache the given key-value pair in the store's +// cache. It can fail if the value is larger than the cache's maximum size. +func (d *Diskv) cacheWithLock(key string, val []byte) error { + valueSize := uint64(len(val)) + if err := d.ensureCacheSpaceWithLock(valueSize); err != nil { + return fmt.Errorf("%s; not caching", err) + } + + // be very strict about memory guarantees + if (d.cacheSize + valueSize) > d.CacheSizeMax { + panic(fmt.Sprintf("failed to make room for value (%d/%d)", valueSize, d.CacheSizeMax)) + } + + d.cache[key] = val + d.cacheSize += valueSize + return nil +} + +// cacheWithoutLock acquires the store's (write) mutex and calls cacheWithLock. +func (d *Diskv) cacheWithoutLock(key string, val []byte) error { + d.mu.Lock() + defer d.mu.Unlock() + return d.cacheWithLock(key, val) +} + +func (d *Diskv) bustCacheWithLock(key string) { + if val, ok := d.cache[key]; ok { + d.uncacheWithLock(key, uint64(len(val))) + } +} + +func (d *Diskv) uncacheWithLock(key string, sz uint64) { + d.cacheSize -= sz + delete(d.cache, key) +} + +// pruneDirsWithLock deletes empty directories in the path walk leading to the +// key k. Typically this function is called after an Erase is made. +func (d *Diskv) pruneDirsWithLock(key string) error { + pathlist := d.Transform(key) + for i := range pathlist { + dir := filepath.Join(d.BasePath, filepath.Join(pathlist[:len(pathlist)-i]...)) + + // thanks to Steven Blenkinsop for this snippet + switch fi, err := os.Stat(dir); true { + case err != nil: + return err + case !fi.IsDir(): + panic(fmt.Sprintf("corrupt dirstate at %s", dir)) + } + + nlinks, err := filepath.Glob(filepath.Join(dir, "*")) + if err != nil { + return err + } else if len(nlinks) > 0 { + return nil // has subdirs -- do not prune + } + if err = os.Remove(dir); err != nil { + return err + } + } + + return nil +} + +// ensureCacheSpaceWithLock deletes entries from the cache in arbitrary order +// until the cache has at least valueSize bytes available. +func (d *Diskv) ensureCacheSpaceWithLock(valueSize uint64) error { + if valueSize > d.CacheSizeMax { + return fmt.Errorf("value size (%d bytes) too large for cache (%d bytes)", valueSize, d.CacheSizeMax) + } + + safe := func() bool { return (d.cacheSize + valueSize) <= d.CacheSizeMax } + + for key, val := range d.cache { + if safe() { + break + } + + d.uncacheWithLock(key, uint64(len(val))) + } + + if !safe() { + panic(fmt.Sprintf("%d bytes still won't fit in the cache! (max %d bytes)", valueSize, d.CacheSizeMax)) + } + + return nil +} + +// nopWriteCloser wraps an io.Writer and provides a no-op Close method to +// satisfy the io.WriteCloser interface. +type nopWriteCloser struct { + io.Writer +} + +func (wc *nopWriteCloser) Write(p []byte) (int, error) { return wc.Writer.Write(p) } +func (wc *nopWriteCloser) Close() error { return nil } diff --git a/vendor/github.com/peterbourgon/diskv/index.go b/vendor/github.com/peterbourgon/diskv/index.go new file mode 100644 index 0000000000..96fee5152b --- /dev/null +++ b/vendor/github.com/peterbourgon/diskv/index.go @@ -0,0 +1,115 @@ +package diskv + +import ( + "sync" + + "github.com/google/btree" +) + +// Index is a generic interface for things that can +// provide an ordered list of keys. +type Index interface { + Initialize(less LessFunction, keys <-chan string) + Insert(key string) + Delete(key string) + Keys(from string, n int) []string +} + +// LessFunction is used to initialize an Index of keys in a specific order. +type LessFunction func(string, string) bool + +// btreeString is a custom data type that satisfies the BTree Less interface, +// making the strings it wraps sortable by the BTree package. +type btreeString struct { + s string + l LessFunction +} + +// Less satisfies the BTree.Less interface using the btreeString's LessFunction. +func (s btreeString) Less(i btree.Item) bool { + return s.l(s.s, i.(btreeString).s) +} + +// BTreeIndex is an implementation of the Index interface using google/btree. +type BTreeIndex struct { + sync.RWMutex + LessFunction + *btree.BTree +} + +// Initialize populates the BTree tree with data from the keys channel, +// according to the passed less function. It's destructive to the BTreeIndex. +func (i *BTreeIndex) Initialize(less LessFunction, keys <-chan string) { + i.Lock() + defer i.Unlock() + i.LessFunction = less + i.BTree = rebuild(less, keys) +} + +// Insert inserts the given key (only) into the BTree tree. +func (i *BTreeIndex) Insert(key string) { + i.Lock() + defer i.Unlock() + if i.BTree == nil || i.LessFunction == nil { + panic("uninitialized index") + } + i.BTree.ReplaceOrInsert(btreeString{s: key, l: i.LessFunction}) +} + +// Delete removes the given key (only) from the BTree tree. +func (i *BTreeIndex) Delete(key string) { + i.Lock() + defer i.Unlock() + if i.BTree == nil || i.LessFunction == nil { + panic("uninitialized index") + } + i.BTree.Delete(btreeString{s: key, l: i.LessFunction}) +} + +// Keys yields a maximum of n keys in order. If the passed 'from' key is empty, +// Keys will return the first n keys. If the passed 'from' key is non-empty, the +// first key in the returned slice will be the key that immediately follows the +// passed key, in key order. +func (i *BTreeIndex) Keys(from string, n int) []string { + i.RLock() + defer i.RUnlock() + + if i.BTree == nil || i.LessFunction == nil { + panic("uninitialized index") + } + + if i.BTree.Len() <= 0 { + return []string{} + } + + btreeFrom := btreeString{s: from, l: i.LessFunction} + skipFirst := true + if len(from) <= 0 || !i.BTree.Has(btreeFrom) { + // no such key, so fabricate an always-smallest item + btreeFrom = btreeString{s: "", l: func(string, string) bool { return true }} + skipFirst = false + } + + keys := []string{} + iterator := func(i btree.Item) bool { + keys = append(keys, i.(btreeString).s) + return len(keys) < n + } + i.BTree.AscendGreaterOrEqual(btreeFrom, iterator) + + if skipFirst && len(keys) > 0 { + keys = keys[1:] + } + + return keys +} + +// rebuildIndex does the work of regenerating the index +// with the given keys. +func rebuild(less LessFunction, keys <-chan string) *btree.BTree { + tree := btree.New(2) + for key := range keys { + tree.ReplaceOrInsert(btreeString{s: key, l: less}) + } + return tree +} diff --git a/vendor/github.com/prometheus/client_golang/api/client.go b/vendor/github.com/prometheus/client_golang/api/client.go index ddbfea099b..0e647b6756 100644 --- a/vendor/github.com/prometheus/client_golang/api/client.go +++ b/vendor/github.com/prometheus/client_golang/api/client.go @@ -18,7 +18,6 @@ import ( "bytes" "context" "errors" - "io" "net" "net/http" "net/url" @@ -132,36 +131,26 @@ func (c *httpClient) Do(ctx context.Context, req *http.Request) (*http.Response, req = req.WithContext(ctx) } resp, err := c.client.Do(req) - defer func() { - if resp != nil { - _, _ = io.Copy(io.Discard, resp.Body) - _ = resp.Body.Close() - } - }() - if err != nil { return nil, nil, err } var body []byte - done := make(chan struct{}) + done := make(chan error, 1) go func() { var buf bytes.Buffer - // TODO(bwplotka): Add LimitReader for too long err messages (e.g. limit by 1KB) - _, err = buf.ReadFrom(resp.Body) + _, err := buf.ReadFrom(resp.Body) body = buf.Bytes() - close(done) + done <- err }() select { case <-ctx.Done(): + resp.Body.Close() <-done - err = resp.Body.Close() - if err == nil { - err = ctx.Err() - } - case <-done: + return resp, nil, ctx.Err() + case err = <-done: + resp.Body.Close() + return resp, body, err } - - return resp, body, err } diff --git a/vendor/github.com/prometheus/client_golang/prometheus/desc.go b/vendor/github.com/prometheus/client_golang/prometheus/desc.go index ad347113c0..2331b8b4f3 100644 --- a/vendor/github.com/prometheus/client_golang/prometheus/desc.go +++ b/vendor/github.com/prometheus/client_golang/prometheus/desc.go @@ -95,7 +95,8 @@ func (v2) NewDesc(fqName, help string, variableLabels ConstrainableLabels, const help: help, variableLabels: variableLabels.compile(), } - if !model.IsValidMetricName(model.LabelValue(fqName)) { + //nolint:staticcheck // TODO: Don't use deprecated model.NameValidationScheme. + if !model.NameValidationScheme.IsValidMetricName(fqName) { d.err = fmt.Errorf("%q is not a valid metric name", fqName) return d } diff --git a/vendor/github.com/prometheus/client_golang/prometheus/internal/difflib.go b/vendor/github.com/prometheus/client_golang/prometheus/internal/difflib.go index 8b016355ad..7bac0da33d 100644 --- a/vendor/github.com/prometheus/client_golang/prometheus/internal/difflib.go +++ b/vendor/github.com/prometheus/client_golang/prometheus/internal/difflib.go @@ -453,7 +453,7 @@ func (m *SequenceMatcher) GetGroupedOpCodes(n int) [][]OpCode { } group = append(group, OpCode{c.Tag, i1, i2, j1, j2}) } - if len(group) > 0 && !(len(group) == 1 && group[0].Tag == 'e') { + if len(group) > 0 && (len(group) != 1 || group[0].Tag != 'e') { groups = append(groups, group) } return groups @@ -568,7 +568,7 @@ func WriteUnifiedDiff(writer io.Writer, diff UnifiedDiff) error { buf := bufio.NewWriter(writer) defer buf.Flush() wf := func(format string, args ...interface{}) error { - _, err := buf.WriteString(fmt.Sprintf(format, args...)) + _, err := fmt.Fprintf(buf, format, args...) return err } ws := func(s string) error { diff --git a/vendor/github.com/prometheus/client_golang/prometheus/internal/go_runtime_metrics.go b/vendor/github.com/prometheus/client_golang/prometheus/internal/go_runtime_metrics.go index f7f97ef926..d273b6640e 100644 --- a/vendor/github.com/prometheus/client_golang/prometheus/internal/go_runtime_metrics.go +++ b/vendor/github.com/prometheus/client_golang/prometheus/internal/go_runtime_metrics.go @@ -67,7 +67,7 @@ func RuntimeMetricsToProm(d *metrics.Description) (string, string, string, bool) } // Our current conversion moves to legacy naming, so use legacy validation. - valid := model.IsValidLegacyMetricName(namespace + "_" + subsystem + "_" + name) + valid := model.LegacyValidation.IsValidMetricName(namespace + "_" + subsystem + "_" + name) switch d.Kind { case metrics.KindUint64: case metrics.KindFloat64: diff --git a/vendor/github.com/prometheus/client_golang/prometheus/labels.go b/vendor/github.com/prometheus/client_golang/prometheus/labels.go index c21911f292..5fe8d3b4d2 100644 --- a/vendor/github.com/prometheus/client_golang/prometheus/labels.go +++ b/vendor/github.com/prometheus/client_golang/prometheus/labels.go @@ -184,5 +184,6 @@ func validateLabelValues(vals []string, expectedNumberOfValues int) error { } func checkLabelName(l string) bool { - return model.LabelName(l).IsValid() && !strings.HasPrefix(l, reservedLabelPrefix) + //nolint:staticcheck // TODO: Don't use deprecated model.NameValidationScheme. + return model.NameValidationScheme.IsValidLabelName(l) && !strings.HasPrefix(l, reservedLabelPrefix) } diff --git a/vendor/github.com/prometheus/client_golang/prometheus/metric.go b/vendor/github.com/prometheus/client_golang/prometheus/metric.go index 592eec3e24..76e59f1288 100644 --- a/vendor/github.com/prometheus/client_golang/prometheus/metric.go +++ b/vendor/github.com/prometheus/client_golang/prometheus/metric.go @@ -186,21 +186,31 @@ func (m *withExemplarsMetric) Write(pb *dto.Metric) error { case pb.Counter != nil: pb.Counter.Exemplar = m.exemplars[len(m.exemplars)-1] case pb.Histogram != nil: + h := pb.Histogram for _, e := range m.exemplars { - // pb.Histogram.Bucket are sorted by UpperBound. - i := sort.Search(len(pb.Histogram.Bucket), func(i int) bool { - return pb.Histogram.Bucket[i].GetUpperBound() >= e.GetValue() + if (h.GetZeroThreshold() != 0 || h.GetZeroCount() != 0 || + len(h.PositiveSpan) != 0 || len(h.NegativeSpan) != 0) && + e.GetTimestamp() != nil { + h.Exemplars = append(h.Exemplars, e) + if len(h.Bucket) == 0 { + // Don't proceed to classic buckets if there are none. + continue + } + } + // h.Bucket are sorted by UpperBound. + i := sort.Search(len(h.Bucket), func(i int) bool { + return h.Bucket[i].GetUpperBound() >= e.GetValue() }) - if i < len(pb.Histogram.Bucket) { - pb.Histogram.Bucket[i].Exemplar = e + if i < len(h.Bucket) { + h.Bucket[i].Exemplar = e } else { // The +Inf bucket should be explicitly added if there is an exemplar for it, similar to non-const histogram logic in https://github.com/prometheus/client_golang/blob/main/prometheus/histogram.go#L357-L365. b := &dto.Bucket{ - CumulativeCount: proto.Uint64(pb.Histogram.GetSampleCount()), + CumulativeCount: proto.Uint64(h.GetSampleCount()), UpperBound: proto.Float64(math.Inf(1)), Exemplar: e, } - pb.Histogram.Bucket = append(pb.Histogram.Bucket, b) + h.Bucket = append(h.Bucket, b) } } default: @@ -227,6 +237,7 @@ type Exemplar struct { // Only last applicable exemplar is injected from the list. // For example for Counter it means last exemplar is injected. // For Histogram, it means last applicable exemplar for each bucket is injected. +// For a Native Histogram, all valid exemplars are injected. // // NewMetricWithExemplars works best with MustNewConstMetric and // MustNewConstHistogram, see example. diff --git a/vendor/github.com/prometheus/client_golang/prometheus/process_collector_darwin.go b/vendor/github.com/prometheus/client_golang/prometheus/process_collector_darwin.go index 0a61b98461..b32c95fa3f 100644 --- a/vendor/github.com/prometheus/client_golang/prometheus/process_collector_darwin.go +++ b/vendor/github.com/prometheus/client_golang/prometheus/process_collector_darwin.go @@ -25,9 +25,9 @@ import ( "golang.org/x/sys/unix" ) -// notImplementedErr is returned by stub functions that replace cgo functions, when cgo +// errNotImplemented is returned by stub functions that replace cgo functions, when cgo // isn't available. -var notImplementedErr = errors.New("not implemented") +var errNotImplemented = errors.New("not implemented") type memoryInfo struct { vsize uint64 // Virtual memory size in bytes @@ -101,7 +101,7 @@ func (c *processCollector) processCollect(ch chan<- Metric) { if memInfo, err := getMemory(); err == nil { ch <- MustNewConstMetric(c.rss, GaugeValue, float64(memInfo.rss)) ch <- MustNewConstMetric(c.vsize, GaugeValue, float64(memInfo.vsize)) - } else if !errors.Is(err, notImplementedErr) { + } else if !errors.Is(err, errNotImplemented) { // Don't report an error when support is not compiled in. c.reportError(ch, c.rss, err) c.reportError(ch, c.vsize, err) diff --git a/vendor/github.com/prometheus/client_golang/prometheus/process_collector_mem_nocgo_darwin.go b/vendor/github.com/prometheus/client_golang/prometheus/process_collector_mem_nocgo_darwin.go index 8ddb0995d6..378865129b 100644 --- a/vendor/github.com/prometheus/client_golang/prometheus/process_collector_mem_nocgo_darwin.go +++ b/vendor/github.com/prometheus/client_golang/prometheus/process_collector_mem_nocgo_darwin.go @@ -16,7 +16,7 @@ package prometheus func getMemory() (*memoryInfo, error) { - return nil, notImplementedErr + return nil, errNotImplemented } // describe returns all descriptions of the collector for Darwin. diff --git a/vendor/github.com/prometheus/client_golang/prometheus/process_collector_procfsenabled.go b/vendor/github.com/prometheus/client_golang/prometheus/process_collector_procfsenabled.go index 9f4b130bef..8074f70f5d 100644 --- a/vendor/github.com/prometheus/client_golang/prometheus/process_collector_procfsenabled.go +++ b/vendor/github.com/prometheus/client_golang/prometheus/process_collector_procfsenabled.go @@ -66,11 +66,11 @@ func (c *processCollector) processCollect(ch chan<- Metric) { if netstat, err := p.Netstat(); err == nil { var inOctets, outOctets float64 - if netstat.IpExt.InOctets != nil { - inOctets = *netstat.IpExt.InOctets + if netstat.InOctets != nil { + inOctets = *netstat.InOctets } - if netstat.IpExt.OutOctets != nil { - outOctets = *netstat.IpExt.OutOctets + if netstat.OutOctets != nil { + outOctets = *netstat.OutOctets } ch <- MustNewConstMetric(c.inBytes, CounterValue, inOctets) ch <- MustNewConstMetric(c.outBytes, CounterValue, outOctets) diff --git a/vendor/github.com/prometheus/client_golang/prometheus/promhttp/instrument_server.go b/vendor/github.com/prometheus/client_golang/prometheus/promhttp/instrument_server.go index 356edb7868..9332b0249a 100644 --- a/vendor/github.com/prometheus/client_golang/prometheus/promhttp/instrument_server.go +++ b/vendor/github.com/prometheus/client_golang/prometheus/promhttp/instrument_server.go @@ -392,7 +392,7 @@ func isLabelCurried(c prometheus.Collector, label string) bool { func labels(code, method bool, reqMethod string, status int, extraMethods ...string) prometheus.Labels { labels := prometheus.Labels{} - if !(code || method) { + if !code && !method { return labels } diff --git a/vendor/github.com/prometheus/client_golang/prometheus/testutil/testutil.go b/vendor/github.com/prometheus/client_golang/prometheus/testutil/testutil.go index 1258508e4f..80a4d7c355 100644 --- a/vendor/github.com/prometheus/client_golang/prometheus/testutil/testutil.go +++ b/vendor/github.com/prometheus/client_golang/prometheus/testutil/testutil.go @@ -262,7 +262,7 @@ func CollectAndFormat(c prometheus.Collector, format expfmt.FormatType, metricNa // convertReaderToMetricFamily would read from a io.Reader object and convert it to a slice of // dto.MetricFamily. func convertReaderToMetricFamily(reader io.Reader) ([]*dto.MetricFamily, error) { - var tp expfmt.TextParser + tp := expfmt.NewTextParser(model.UTF8Validation) notNormalized, err := tp.TextToMetricFamilies(reader) if err != nil { return nil, fmt.Errorf("converting reader to metric families failed: %w", err) diff --git a/vendor/github.com/prometheus/client_golang/prometheus/vec.go b/vendor/github.com/prometheus/client_golang/prometheus/vec.go index 2c808eece0..487b466563 100644 --- a/vendor/github.com/prometheus/client_golang/prometheus/vec.go +++ b/vendor/github.com/prometheus/client_golang/prometheus/vec.go @@ -79,7 +79,7 @@ func (m *MetricVec) DeleteLabelValues(lvs ...string) bool { return false } - return m.metricMap.deleteByHashWithLabelValues(h, lvs, m.curry) + return m.deleteByHashWithLabelValues(h, lvs, m.curry) } // Delete deletes the metric where the variable labels are the same as those @@ -101,7 +101,7 @@ func (m *MetricVec) Delete(labels Labels) bool { return false } - return m.metricMap.deleteByHashWithLabels(h, labels, m.curry) + return m.deleteByHashWithLabels(h, labels, m.curry) } // DeletePartialMatch deletes all metrics where the variable labels contain all of those @@ -114,7 +114,7 @@ func (m *MetricVec) DeletePartialMatch(labels Labels) int { labels, closer := constrainLabels(m.desc, labels) defer closer() - return m.metricMap.deleteByLabels(labels, m.curry) + return m.deleteByLabels(labels, m.curry) } // Without explicit forwarding of Describe, Collect, Reset, those methods won't @@ -216,7 +216,7 @@ func (m *MetricVec) GetMetricWithLabelValues(lvs ...string) (Metric, error) { return nil, err } - return m.metricMap.getOrCreateMetricWithLabelValues(h, lvs, m.curry), nil + return m.getOrCreateMetricWithLabelValues(h, lvs, m.curry), nil } // GetMetricWith returns the Metric for the given Labels map (the label names @@ -244,7 +244,7 @@ func (m *MetricVec) GetMetricWith(labels Labels) (Metric, error) { return nil, err } - return m.metricMap.getOrCreateMetricWithLabels(h, labels, m.curry), nil + return m.getOrCreateMetricWithLabels(h, labels, m.curry), nil } func (m *MetricVec) hashLabelValues(vals []string) (uint64, error) { diff --git a/vendor/github.com/prometheus/client_golang/prometheus/wrap.go b/vendor/github.com/prometheus/client_golang/prometheus/wrap.go index 25da157f15..2ed1285068 100644 --- a/vendor/github.com/prometheus/client_golang/prometheus/wrap.go +++ b/vendor/github.com/prometheus/client_golang/prometheus/wrap.go @@ -63,7 +63,7 @@ func WrapRegistererWith(labels Labels, reg Registerer) Registerer { // metric names that are standardized across applications, as that would break // horizontal monitoring, for example the metrics provided by the Go collector // (see NewGoCollector) and the process collector (see NewProcessCollector). (In -// fact, those metrics are already prefixed with “go_†or “process_â€, +// fact, those metrics are already prefixed with "go_" or "process_", // respectively.) // // Conflicts between Collectors registered through the original Registerer with @@ -78,6 +78,40 @@ func WrapRegistererWithPrefix(prefix string, reg Registerer) Registerer { } } +// WrapCollectorWith returns a Collector wrapping the provided Collector. The +// wrapped Collector will add the provided Labels to all Metrics it collects (as +// ConstLabels). The Metrics collected by the unmodified Collector must not +// duplicate any of those labels. +// +// WrapCollectorWith can be useful to work with multiple instances of a third +// party library that does not expose enough flexibility on the lifecycle of its +// registered metrics. +// For example, let's say you have a foo.New(reg Registerer) constructor that +// registers metrics but never unregisters them, and you want to create multiple +// instances of foo.Foo with different labels. +// The way to achieve that, is to create a new Registry, pass it to foo.New, +// then use WrapCollectorWith to wrap that Registry with the desired labels and +// register that as a collector in your main Registry. +// Then you can un-register the wrapped collector effectively un-registering the +// metrics registered by foo.New. +func WrapCollectorWith(labels Labels, c Collector) Collector { + return &wrappingCollector{ + wrappedCollector: c, + labels: labels, + } +} + +// WrapCollectorWithPrefix returns a Collector wrapping the provided Collector. The +// wrapped Collector will add the provided prefix to the name of all Metrics it collects. +// +// See the documentation of WrapCollectorWith for more details on the use case. +func WrapCollectorWithPrefix(prefix string, c Collector) Collector { + return &wrappingCollector{ + wrappedCollector: c, + prefix: prefix, + } +} + type wrappingRegisterer struct { wrappedRegisterer Registerer prefix string diff --git a/vendor/github.com/prometheus/common/expfmt/decode.go b/vendor/github.com/prometheus/common/expfmt/decode.go index 1448439b7f..7b762370e2 100644 --- a/vendor/github.com/prometheus/common/expfmt/decode.go +++ b/vendor/github.com/prometheus/common/expfmt/decode.go @@ -70,19 +70,34 @@ func ResponseFormat(h http.Header) Format { return FmtUnknown } -// NewDecoder returns a new decoder based on the given input format. -// If the input format does not imply otherwise, a text format decoder is returned. +// NewDecoder returns a new decoder based on the given input format. Metric +// names are validated based on the provided Format -- if the format requires +// escaping, raditional Prometheues validity checking is used. Otherwise, names +// are checked for UTF-8 validity. Supported formats include delimited protobuf +// and Prometheus text format. For historical reasons, this decoder fallbacks +// to classic text decoding for any other format. This decoder does not fully +// support OpenMetrics although it may often succeed due to the similarities +// between the formats. This decoder may not support the latest features of +// Prometheus text format and is not intended for high-performance applications. +// See: https://github.com/prometheus/common/issues/812 func NewDecoder(r io.Reader, format Format) Decoder { + scheme := model.LegacyValidation + if format.ToEscapingScheme() == model.NoEscaping { + scheme = model.UTF8Validation + } switch format.FormatType() { case TypeProtoDelim: - return &protoDecoder{r: bufio.NewReader(r)} + return &protoDecoder{r: bufio.NewReader(r), s: scheme} + case TypeProtoText, TypeProtoCompact: + return &errDecoder{err: fmt.Errorf("format %s not supported for decoding", format)} } - return &textDecoder{r: r} + return &textDecoder{r: r, s: scheme} } // protoDecoder implements the Decoder interface for protocol buffers. type protoDecoder struct { r protodelim.Reader + s model.ValidationScheme } // Decode implements the Decoder interface. @@ -93,7 +108,7 @@ func (d *protoDecoder) Decode(v *dto.MetricFamily) error { if err := opts.UnmarshalFrom(d.r, v); err != nil { return err } - if !model.IsValidMetricName(model.LabelValue(v.GetName())) { + if !d.s.IsValidMetricName(v.GetName()) { return fmt.Errorf("invalid metric name %q", v.GetName()) } for _, m := range v.GetMetric() { @@ -107,7 +122,7 @@ func (d *protoDecoder) Decode(v *dto.MetricFamily) error { if !model.LabelValue(l.GetValue()).IsValid() { return fmt.Errorf("invalid label value %q", l.GetValue()) } - if !model.LabelName(l.GetName()).IsValid() { + if !d.s.IsValidLabelName(l.GetName()) { return fmt.Errorf("invalid label name %q", l.GetName()) } } @@ -115,10 +130,20 @@ func (d *protoDecoder) Decode(v *dto.MetricFamily) error { return nil } +// errDecoder is an error-state decoder that always returns the same error. +type errDecoder struct { + err error +} + +func (d *errDecoder) Decode(*dto.MetricFamily) error { + return d.err +} + // textDecoder implements the Decoder interface for the text protocol. type textDecoder struct { r io.Reader fams map[string]*dto.MetricFamily + s model.ValidationScheme err error } @@ -126,7 +151,7 @@ type textDecoder struct { func (d *textDecoder) Decode(v *dto.MetricFamily) error { if d.err == nil { // Read all metrics in one shot. - var p TextParser + p := NewTextParser(d.s) d.fams, d.err = p.TextToMetricFamilies(d.r) // If we don't get an error, store io.EOF for the end. if d.err == nil { diff --git a/vendor/github.com/prometheus/common/expfmt/encode.go b/vendor/github.com/prometheus/common/expfmt/encode.go index d7f3d76f55..73c24dfbc9 100644 --- a/vendor/github.com/prometheus/common/expfmt/encode.go +++ b/vendor/github.com/prometheus/common/expfmt/encode.go @@ -18,14 +18,12 @@ import ( "io" "net/http" + "github.com/munnerz/goautoneg" + dto "github.com/prometheus/client_model/go" "google.golang.org/protobuf/encoding/protodelim" "google.golang.org/protobuf/encoding/prototext" "github.com/prometheus/common/model" - - "github.com/munnerz/goautoneg" - - dto "github.com/prometheus/client_model/go" ) // Encoder types encode metric families into an underlying wire protocol. @@ -61,7 +59,7 @@ func (ec encoderCloser) Close() error { // appropriate accepted type is found, FmtText is returned (which is the // Prometheus text format). This function will never negotiate FmtOpenMetrics, // as the support is still experimental. To include the option to negotiate -// FmtOpenMetrics, use NegotiateOpenMetrics. +// FmtOpenMetrics, use NegotiateIncludingOpenMetrics. func Negotiate(h http.Header) Format { escapingScheme := Format(fmt.Sprintf("; escaping=%s", Format(model.NameEscapingScheme.String()))) for _, ac := range goautoneg.ParseAccept(h.Get(hdrAccept)) { @@ -153,7 +151,7 @@ func NewEncoder(w io.Writer, format Format, options ...EncoderOption) Encoder { case TypeProtoDelim: return encoderCloser{ encode: func(v *dto.MetricFamily) error { - _, err := protodelim.MarshalTo(w, v) + _, err := protodelim.MarshalTo(w, model.EscapeMetricFamily(v, escapingScheme)) return err }, close: func() error { return nil }, diff --git a/vendor/github.com/prometheus/common/expfmt/expfmt.go b/vendor/github.com/prometheus/common/expfmt/expfmt.go index b26886560d..c34c7de432 100644 --- a/vendor/github.com/prometheus/common/expfmt/expfmt.go +++ b/vendor/github.com/prometheus/common/expfmt/expfmt.go @@ -36,9 +36,11 @@ const ( ProtoType = `application/vnd.google.protobuf` ProtoProtocol = `io.prometheus.client.MetricFamily` // Deprecated: Use expfmt.NewFormat(expfmt.TypeProtoCompact) instead. - ProtoFmt = ProtoType + "; proto=" + ProtoProtocol + ";" - OpenMetricsType = `application/openmetrics-text` + ProtoFmt = ProtoType + "; proto=" + ProtoProtocol + ";" + OpenMetricsType = `application/openmetrics-text` + //nolint:revive // Allow for underscores. OpenMetricsVersion_0_0_1 = "0.0.1" + //nolint:revive // Allow for underscores. OpenMetricsVersion_1_0_0 = "1.0.0" // The Content-Type values for the different wire protocols. Do not do direct @@ -54,8 +56,10 @@ const ( // Deprecated: Use expfmt.NewFormat(expfmt.TypeProtoCompact) instead. FmtProtoCompact Format = ProtoFmt + ` encoding=compact-text` // Deprecated: Use expfmt.NewFormat(expfmt.TypeOpenMetrics) instead. + //nolint:revive // Allow for underscores. FmtOpenMetrics_1_0_0 Format = OpenMetricsType + `; version=` + OpenMetricsVersion_1_0_0 + `; charset=utf-8` // Deprecated: Use expfmt.NewFormat(expfmt.TypeOpenMetrics) instead. + //nolint:revive // Allow for underscores. FmtOpenMetrics_0_0_1 Format = OpenMetricsType + `; version=` + OpenMetricsVersion_0_0_1 + `; charset=utf-8` ) @@ -188,8 +192,8 @@ func (f Format) FormatType() FormatType { // Format contains a escaping=allow-utf-8 term, it will select NoEscaping. If a valid // "escaping" term exists, that will be used. Otherwise, the global default will // be returned. -func (format Format) ToEscapingScheme() model.EscapingScheme { - for _, p := range strings.Split(string(format), ";") { +func (f Format) ToEscapingScheme() model.EscapingScheme { + for _, p := range strings.Split(string(f), ";") { toks := strings.Split(p, "=") if len(toks) != 2 { continue diff --git a/vendor/github.com/prometheus/common/expfmt/fuzz.go b/vendor/github.com/prometheus/common/expfmt/fuzz.go index dfac962a4e..0290f6abc4 100644 --- a/vendor/github.com/prometheus/common/expfmt/fuzz.go +++ b/vendor/github.com/prometheus/common/expfmt/fuzz.go @@ -17,7 +17,11 @@ package expfmt -import "bytes" +import ( + "bytes" + + "github.com/prometheus/common/model" +) // Fuzz text metric parser with with github.com/dvyukov/go-fuzz: // @@ -26,9 +30,8 @@ import "bytes" // // Further input samples should go in the folder fuzz/corpus. func Fuzz(in []byte) int { - parser := TextParser{} + parser := NewTextParser(model.UTF8Validation) _, err := parser.TextToMetricFamilies(bytes.NewReader(in)) - if err != nil { return 0 } diff --git a/vendor/github.com/prometheus/common/expfmt/openmetrics_create.go b/vendor/github.com/prometheus/common/expfmt/openmetrics_create.go index a21ed4ec1f..8dbf6d04ed 100644 --- a/vendor/github.com/prometheus/common/expfmt/openmetrics_create.go +++ b/vendor/github.com/prometheus/common/expfmt/openmetrics_create.go @@ -22,11 +22,10 @@ import ( "strconv" "strings" + dto "github.com/prometheus/client_model/go" "google.golang.org/protobuf/types/known/timestamppb" "github.com/prometheus/common/model" - - dto "github.com/prometheus/client_model/go" ) type encoderOption struct { @@ -249,7 +248,7 @@ func MetricFamilyToOpenMetrics(out io.Writer, in *dto.MetricFamily, options ...E // Finally the samples, one line for each. if metricType == dto.MetricType_COUNTER && strings.HasSuffix(name, "_total") { - compliantName = compliantName + "_total" + compliantName += "_total" } for _, metric := range in.Metric { switch metricType { @@ -477,7 +476,7 @@ func writeOpenMetricsNameAndLabelPairs( if name != "" { // If the name does not pass the legacy validity check, we must put the // metric name inside the braces, quoted. - if !model.IsValidLegacyMetricName(name) { + if !model.LegacyValidation.IsValidMetricName(name) { metricInsideBraces = true err := w.WriteByte(separator) written++ @@ -641,11 +640,11 @@ func writeExemplar(w enhancedWriter, e *dto.Exemplar) (int, error) { if err != nil { return written, err } - err = (*e).Timestamp.CheckValid() + err = e.Timestamp.CheckValid() if err != nil { return written, err } - ts := (*e).Timestamp.AsTime() + ts := e.Timestamp.AsTime() // TODO(beorn7): Format this directly from components of ts to // avoid overflow/underflow and precision issues of the float // conversion. diff --git a/vendor/github.com/prometheus/common/expfmt/text_create.go b/vendor/github.com/prometheus/common/expfmt/text_create.go index 4b86434b33..c4e9c1bbc3 100644 --- a/vendor/github.com/prometheus/common/expfmt/text_create.go +++ b/vendor/github.com/prometheus/common/expfmt/text_create.go @@ -22,9 +22,9 @@ import ( "strings" "sync" - "github.com/prometheus/common/model" - dto "github.com/prometheus/client_model/go" + + "github.com/prometheus/common/model" ) // enhancedWriter has all the enhanced write functions needed here. bufio.Writer @@ -354,7 +354,7 @@ func writeNameAndLabelPairs( if name != "" { // If the name does not pass the legacy validity check, we must put the // metric name inside the braces. - if !model.IsValidLegacyMetricName(name) { + if !model.LegacyValidation.IsValidMetricName(name) { metricInsideBraces = true err := w.WriteByte(separator) written++ @@ -498,7 +498,7 @@ func writeInt(w enhancedWriter, i int64) (int, error) { // writeName writes a string as-is if it complies with the legacy naming // scheme, or escapes it in double quotes if not. func writeName(w enhancedWriter, name string) (int, error) { - if model.IsValidLegacyMetricName(name) { + if model.LegacyValidation.IsValidMetricName(name) { return w.WriteString(name) } var written int diff --git a/vendor/github.com/prometheus/common/expfmt/text_parse.go b/vendor/github.com/prometheus/common/expfmt/text_parse.go index b4607fe4d2..8f2edde324 100644 --- a/vendor/github.com/prometheus/common/expfmt/text_parse.go +++ b/vendor/github.com/prometheus/common/expfmt/text_parse.go @@ -78,6 +78,14 @@ type TextParser struct { // These indicate if the metric name from the current line being parsed is inside // braces and if that metric name was found respectively. currentMetricIsInsideBraces, currentMetricInsideBracesIsPresent bool + // scheme sets the desired ValidationScheme for names. Defaults to the invalid + // UnsetValidation. + scheme model.ValidationScheme +} + +// NewTextParser returns a new TextParser with the provided nameValidationScheme. +func NewTextParser(nameValidationScheme model.ValidationScheme) TextParser { + return TextParser{scheme: nameValidationScheme} } // TextToMetricFamilies reads 'in' as the simple and flat text-based exchange @@ -126,6 +134,7 @@ func (p *TextParser) TextToMetricFamilies(in io.Reader) (map[string]*dto.MetricF func (p *TextParser) reset(in io.Reader) { p.metricFamiliesByName = map[string]*dto.MetricFamily{} + p.currentLabelPairs = nil if p.buf == nil { p.buf = bufio.NewReader(in) } else { @@ -216,6 +225,9 @@ func (p *TextParser) startComment() stateFn { return nil } p.setOrCreateCurrentMF() + if p.err != nil { + return nil + } if p.skipBlankTab(); p.err != nil { return nil // Unexpected end of input. } @@ -244,6 +256,9 @@ func (p *TextParser) readingMetricName() stateFn { return nil } p.setOrCreateCurrentMF() + if p.err != nil { + return nil + } // Now is the time to fix the type if it hasn't happened yet. if p.currentMF.Type == nil { p.currentMF.Type = dto.MetricType_UNTYPED.Enum() @@ -311,6 +326,9 @@ func (p *TextParser) startLabelName() stateFn { switch p.currentByte { case ',': p.setOrCreateCurrentMF() + if p.err != nil { + return nil + } if p.currentMF.Type == nil { p.currentMF.Type = dto.MetricType_UNTYPED.Enum() } @@ -319,6 +337,10 @@ func (p *TextParser) startLabelName() stateFn { return p.startLabelName case '}': p.setOrCreateCurrentMF() + if p.err != nil { + p.currentLabelPairs = nil + return nil + } if p.currentMF.Type == nil { p.currentMF.Type = dto.MetricType_UNTYPED.Enum() } @@ -341,25 +363,30 @@ func (p *TextParser) startLabelName() stateFn { p.currentLabelPair = &dto.LabelPair{Name: proto.String(p.currentToken.String())} if p.currentLabelPair.GetName() == string(model.MetricNameLabel) { p.parseError(fmt.Sprintf("label name %q is reserved", model.MetricNameLabel)) + p.currentLabelPairs = nil + return nil + } + if !p.scheme.IsValidLabelName(p.currentLabelPair.GetName()) { + p.parseError(fmt.Sprintf("invalid label name %q", p.currentLabelPair.GetName())) + p.currentLabelPairs = nil return nil } // Special summary/histogram treatment. Don't add 'quantile' and 'le' // labels to 'real' labels. - if !(p.currentMF.GetType() == dto.MetricType_SUMMARY && p.currentLabelPair.GetName() == model.QuantileLabel) && - !(p.currentMF.GetType() == dto.MetricType_HISTOGRAM && p.currentLabelPair.GetName() == model.BucketLabel) { + if (p.currentMF.GetType() != dto.MetricType_SUMMARY || p.currentLabelPair.GetName() != model.QuantileLabel) && + (p.currentMF.GetType() != dto.MetricType_HISTOGRAM || p.currentLabelPair.GetName() != model.BucketLabel) { p.currentLabelPairs = append(p.currentLabelPairs, p.currentLabelPair) } // Check for duplicate label names. labels := make(map[string]struct{}) for _, l := range p.currentLabelPairs { lName := l.GetName() - if _, exists := labels[lName]; !exists { - labels[lName] = struct{}{} - } else { + if _, exists := labels[lName]; exists { p.parseError(fmt.Sprintf("duplicate label names for metric %q", p.currentMF.GetName())) p.currentLabelPairs = nil return nil } + labels[lName] = struct{}{} } return p.startLabelValue } @@ -440,7 +467,8 @@ func (p *TextParser) readingValue() stateFn { // When we are here, we have read all the labels, so for the // special case of a summary/histogram, we can finally find out // if the metric already exists. - if p.currentMF.GetType() == dto.MetricType_SUMMARY { + switch p.currentMF.GetType() { + case dto.MetricType_SUMMARY: signature := model.LabelsToSignature(p.currentLabels) if summary := p.summaries[signature]; summary != nil { p.currentMetric = summary @@ -448,7 +476,7 @@ func (p *TextParser) readingValue() stateFn { p.summaries[signature] = p.currentMetric p.currentMF.Metric = append(p.currentMF.Metric, p.currentMetric) } - } else if p.currentMF.GetType() == dto.MetricType_HISTOGRAM { + case dto.MetricType_HISTOGRAM: signature := model.LabelsToSignature(p.currentLabels) if histogram := p.histograms[signature]; histogram != nil { p.currentMetric = histogram @@ -456,7 +484,7 @@ func (p *TextParser) readingValue() stateFn { p.histograms[signature] = p.currentMetric p.currentMF.Metric = append(p.currentMF.Metric, p.currentMetric) } - } else { + default: p.currentMF.Metric = append(p.currentMF.Metric, p.currentMetric) } if p.readTokenUntilWhitespace(); p.err != nil { @@ -805,6 +833,10 @@ func (p *TextParser) setOrCreateCurrentMF() { p.currentIsHistogramCount = false p.currentIsHistogramSum = false name := p.currentToken.String() + if !p.scheme.IsValidMetricName(name) { + p.parseError(fmt.Sprintf("invalid metric name %q", name)) + return + } if p.currentMF = p.metricFamiliesByName[name]; p.currentMF != nil { return } diff --git a/vendor/github.com/prometheus/common/model/labels.go b/vendor/github.com/prometheus/common/model/labels.go index f4a387605f..dfeb34be5f 100644 --- a/vendor/github.com/prometheus/common/model/labels.go +++ b/vendor/github.com/prometheus/common/model/labels.go @@ -32,6 +32,12 @@ const ( // MetricNameLabel is the label name indicating the metric name of a // timeseries. MetricNameLabel = "__name__" + // MetricTypeLabel is the label name indicating the metric type of + // timeseries as per the PROM-39 proposal. + MetricTypeLabel = "__type__" + // MetricUnitLabel is the label name indicating the metric unit of + // timeseries as per the PROM-39 proposal. + MetricUnitLabel = "__unit__" // SchemeLabel is the name of the label that holds the scheme on which to // scrape a target. @@ -100,33 +106,21 @@ type LabelName string // IsValid returns true iff the name matches the pattern of LabelNameRE when // NameValidationScheme is set to LegacyValidation, or valid UTF-8 if // NameValidationScheme is set to UTF8Validation. +// +// Deprecated: This method should not be used and may be removed in the future. +// Use [ValidationScheme.IsValidLabelName] instead. func (ln LabelName) IsValid() bool { - if len(ln) == 0 { - return false - } - switch NameValidationScheme { - case LegacyValidation: - return ln.IsValidLegacy() - case UTF8Validation: - return utf8.ValidString(string(ln)) - default: - panic(fmt.Sprintf("Invalid name validation scheme requested: %d", NameValidationScheme)) - } + return NameValidationScheme.IsValidLabelName(string(ln)) } // IsValidLegacy returns true iff name matches the pattern of LabelNameRE for // legacy names. It does not use LabelNameRE for the check but a much faster // hardcoded implementation. +// +// Deprecated: This method should not be used and may be removed in the future. +// Use [LegacyValidation.IsValidLabelName] instead. func (ln LabelName) IsValidLegacy() bool { - if len(ln) == 0 { - return false - } - for i, b := range ln { - if !((b >= 'a' && b <= 'z') || (b >= 'A' && b <= 'Z') || b == '_' || (b >= '0' && b <= '9' && i > 0)) { - return false - } - } - return true + return LegacyValidation.IsValidLabelName(string(ln)) } // UnmarshalYAML implements the yaml.Unmarshaler interface. diff --git a/vendor/github.com/prometheus/common/model/labelset.go b/vendor/github.com/prometheus/common/model/labelset.go index d0ad88da33..9de47b2568 100644 --- a/vendor/github.com/prometheus/common/model/labelset.go +++ b/vendor/github.com/prometheus/common/model/labelset.go @@ -114,10 +114,10 @@ func (ls LabelSet) Clone() LabelSet { } // Merge is a helper function to non-destructively merge two label sets. -func (l LabelSet) Merge(other LabelSet) LabelSet { - result := make(LabelSet, len(l)) +func (ls LabelSet) Merge(other LabelSet) LabelSet { + result := make(LabelSet, len(ls)) - for k, v := range l { + for k, v := range ls { result[k] = v } @@ -140,7 +140,7 @@ func (ls LabelSet) FastFingerprint() Fingerprint { } // UnmarshalJSON implements the json.Unmarshaler interface. -func (l *LabelSet) UnmarshalJSON(b []byte) error { +func (ls *LabelSet) UnmarshalJSON(b []byte) error { var m map[LabelName]LabelValue if err := json.Unmarshal(b, &m); err != nil { return err @@ -153,6 +153,6 @@ func (l *LabelSet) UnmarshalJSON(b []byte) error { return fmt.Errorf("%q is not a valid label name", ln) } } - *l = LabelSet(m) + *ls = LabelSet(m) return nil } diff --git a/vendor/github.com/prometheus/common/model/metric.go b/vendor/github.com/prometheus/common/model/metric.go index a6b01755bd..3feebf328a 100644 --- a/vendor/github.com/prometheus/common/model/metric.go +++ b/vendor/github.com/prometheus/common/model/metric.go @@ -14,6 +14,7 @@ package model import ( + "encoding/json" "errors" "fmt" "regexp" @@ -23,6 +24,7 @@ import ( "unicode/utf8" dto "github.com/prometheus/client_model/go" + "go.yaml.in/yaml/v2" "google.golang.org/protobuf/proto" ) @@ -62,16 +64,151 @@ var ( type ValidationScheme int const ( + // UnsetValidation represents an undefined ValidationScheme. + // Should not be used in practice. + UnsetValidation ValidationScheme = iota + // LegacyValidation is a setting that requires that all metric and label names // conform to the original Prometheus character requirements described by // MetricNameRE and LabelNameRE. - LegacyValidation ValidationScheme = iota + LegacyValidation // UTF8Validation only requires that metric and label names be valid UTF-8 // strings. UTF8Validation ) +var _ interface { + yaml.Marshaler + yaml.Unmarshaler + json.Marshaler + json.Unmarshaler + fmt.Stringer +} = new(ValidationScheme) + +// String returns the string representation of s. +func (s ValidationScheme) String() string { + switch s { + case UnsetValidation: + return "unset" + case LegacyValidation: + return "legacy" + case UTF8Validation: + return "utf8" + default: + panic(fmt.Errorf("unhandled ValidationScheme: %d", s)) + } +} + +// MarshalYAML implements the yaml.Marshaler interface. +func (s ValidationScheme) MarshalYAML() (any, error) { + switch s { + case UnsetValidation: + return "", nil + case LegacyValidation, UTF8Validation: + return s.String(), nil + default: + panic(fmt.Errorf("unhandled ValidationScheme: %d", s)) + } +} + +// UnmarshalYAML implements the yaml.Unmarshaler interface. +func (s *ValidationScheme) UnmarshalYAML(unmarshal func(any) error) error { + var scheme string + if err := unmarshal(&scheme); err != nil { + return err + } + return s.Set(scheme) +} + +// MarshalJSON implements the json.Marshaler interface. +func (s ValidationScheme) MarshalJSON() ([]byte, error) { + switch s { + case UnsetValidation: + return json.Marshal("") + case UTF8Validation, LegacyValidation: + return json.Marshal(s.String()) + default: + return nil, fmt.Errorf("unhandled ValidationScheme: %d", s) + } +} + +// UnmarshalJSON implements the json.Unmarshaler interface. +func (s *ValidationScheme) UnmarshalJSON(bytes []byte) error { + var repr string + if err := json.Unmarshal(bytes, &repr); err != nil { + return err + } + return s.Set(repr) +} + +// Set implements the pflag.Value interface. +func (s *ValidationScheme) Set(text string) error { + switch text { + case "": + // Don't change the value. + case LegacyValidation.String(): + *s = LegacyValidation + case UTF8Validation.String(): + *s = UTF8Validation + default: + return fmt.Errorf("unrecognized ValidationScheme: %q", text) + } + return nil +} + +// IsValidMetricName returns whether metricName is valid according to s. +func (s ValidationScheme) IsValidMetricName(metricName string) bool { + switch s { + case LegacyValidation: + if len(metricName) == 0 { + return false + } + for i, b := range metricName { + if !isValidLegacyRune(b, i) { + return false + } + } + return true + case UTF8Validation: + if len(metricName) == 0 { + return false + } + return utf8.ValidString(metricName) + default: + panic(fmt.Sprintf("Invalid name validation scheme requested: %s", s.String())) + } +} + +// IsValidLabelName returns whether labelName is valid according to s. +func (s ValidationScheme) IsValidLabelName(labelName string) bool { + switch s { + case LegacyValidation: + if len(labelName) == 0 { + return false + } + for i, b := range labelName { + // TODO: Apply De Morgan's law. Make sure there are tests for this. + if !((b >= 'a' && b <= 'z') || (b >= 'A' && b <= 'Z') || b == '_' || (b >= '0' && b <= '9' && i > 0)) { //nolint:staticcheck + return false + } + } + return true + case UTF8Validation: + if len(labelName) == 0 { + return false + } + return utf8.ValidString(labelName) + default: + panic(fmt.Sprintf("Invalid name validation scheme requested: %s", s)) + } +} + +// Type implements the pflag.Value interface. +func (ValidationScheme) Type() string { + return "validationScheme" +} + type EscapingScheme int const ( @@ -101,7 +238,7 @@ const ( // Accept header, the default NameEscapingScheme will be used. EscapingKey = "escaping" - // Possible values for Escaping Key: + // Possible values for Escaping Key. AllowUTF8 = "allow-utf-8" // No escaping required. EscapeUnderscores = "underscores" EscapeDots = "dots" @@ -175,34 +312,22 @@ func (m Metric) FastFingerprint() Fingerprint { // IsValidMetricName returns true iff name matches the pattern of MetricNameRE // for legacy names, and iff it's valid UTF-8 if the UTF8Validation scheme is // selected. +// +// Deprecated: This function should not be used and might be removed in the future. +// Use [ValidationScheme.IsValidMetricName] instead. func IsValidMetricName(n LabelValue) bool { - switch NameValidationScheme { - case LegacyValidation: - return IsValidLegacyMetricName(string(n)) - case UTF8Validation: - if len(n) == 0 { - return false - } - return utf8.ValidString(string(n)) - default: - panic(fmt.Sprintf("Invalid name validation scheme requested: %d", NameValidationScheme)) - } + return NameValidationScheme.IsValidMetricName(string(n)) } // IsValidLegacyMetricName is similar to IsValidMetricName but always uses the // legacy validation scheme regardless of the value of NameValidationScheme. // This function, however, does not use MetricNameRE for the check but a much // faster hardcoded implementation. +// +// Deprecated: This function should not be used and might be removed in the future. +// Use [LegacyValidation.IsValidMetricName] instead. func IsValidLegacyMetricName(n string) bool { - if len(n) == 0 { - return false - } - for i, b := range n { - if !isValidLegacyRune(b, i) { - return false - } - } - return true + return LegacyValidation.IsValidMetricName(n) } // EscapeMetricFamily escapes the given metric names and labels with the given @@ -310,13 +435,14 @@ func EscapeName(name string, scheme EscapingScheme) string { case DotsEscaping: // Do not early return for legacy valid names, we still escape underscores. for i, b := range name { - if b == '_' { + switch { + case b == '_': escaped.WriteString("__") - } else if b == '.' { + case b == '.': escaped.WriteString("_dot_") - } else if isValidLegacyRune(b, i) { + case isValidLegacyRune(b, i): escaped.WriteRune(b) - } else { + default: escaped.WriteString("__") } } @@ -327,13 +453,14 @@ func EscapeName(name string, scheme EscapingScheme) string { } escaped.WriteString("U__") for i, b := range name { - if b == '_' { + switch { + case b == '_': escaped.WriteString("__") - } else if isValidLegacyRune(b, i) { + case isValidLegacyRune(b, i): escaped.WriteRune(b) - } else if !utf8.ValidRune(b) { + case !utf8.ValidRune(b): escaped.WriteString("_FFFD_") - } else { + default: escaped.WriteRune('_') escaped.WriteString(strconv.FormatInt(int64(b), 16)) escaped.WriteRune('_') @@ -345,7 +472,7 @@ func EscapeName(name string, scheme EscapingScheme) string { } } -// lower function taken from strconv.atoi +// lower function taken from strconv.atoi. func lower(c byte) byte { return c | ('x' - 'X') } @@ -409,11 +536,12 @@ func UnescapeName(name string, scheme EscapingScheme) string { } r := lower(escapedName[i]) utf8Val *= 16 - if r >= '0' && r <= '9' { + switch { + case r >= '0' && r <= '9': utf8Val += uint(r) - '0' - } else if r >= 'a' && r <= 'f' { + case r >= 'a' && r <= 'f': utf8Val += uint(r) - 'a' + 10 - } else { + default: return name } i++ diff --git a/vendor/github.com/prometheus/common/model/time.go b/vendor/github.com/prometheus/common/model/time.go index 5727452c1e..1730b0fdc1 100644 --- a/vendor/github.com/prometheus/common/model/time.go +++ b/vendor/github.com/prometheus/common/model/time.go @@ -126,14 +126,14 @@ func (t *Time) UnmarshalJSON(b []byte) error { p := strings.Split(string(b), ".") switch len(p) { case 1: - v, err := strconv.ParseInt(string(p[0]), 10, 64) + v, err := strconv.ParseInt(p[0], 10, 64) if err != nil { return err } *t = Time(v * second) case 2: - v, err := strconv.ParseInt(string(p[0]), 10, 64) + v, err := strconv.ParseInt(p[0], 10, 64) if err != nil { return err } @@ -143,7 +143,7 @@ func (t *Time) UnmarshalJSON(b []byte) error { if prec < 0 { p[1] = p[1][:dotPrecision] } else if prec > 0 { - p[1] = p[1] + strings.Repeat("0", prec) + p[1] += strings.Repeat("0", prec) } va, err := strconv.ParseInt(p[1], 10, 32) @@ -170,15 +170,15 @@ func (t *Time) UnmarshalJSON(b []byte) error { // This type should not propagate beyond the scope of input/output processing. type Duration time.Duration -// Set implements pflag/flag.Value +// Set implements pflag/flag.Value. func (d *Duration) Set(s string) error { var err error *d, err = ParseDuration(s) return err } -// Type implements pflag.Value -func (d *Duration) Type() string { +// Type implements pflag.Value. +func (*Duration) Type() string { return "duration" } @@ -201,6 +201,7 @@ var unitMap = map[string]struct { // ParseDuration parses a string into a time.Duration, assuming that a year // always has 365d, a week always has 7d, and a day always has 24h. +// Negative durations are not supported. func ParseDuration(s string) (Duration, error) { switch s { case "0": @@ -253,18 +254,36 @@ func ParseDuration(s string) (Duration, error) { return 0, errors.New("duration out of range") } } + return Duration(dur), nil } +// ParseDurationAllowNegative is like ParseDuration but also accepts negative durations. +func ParseDurationAllowNegative(s string) (Duration, error) { + if s == "" || s[0] != '-' { + return ParseDuration(s) + } + + d, err := ParseDuration(s[1:]) + + return -d, err +} + func (d Duration) String() string { var ( - ms = int64(time.Duration(d) / time.Millisecond) - r = "" + ms = int64(time.Duration(d) / time.Millisecond) + r = "" + sign = "" ) + if ms == 0 { return "0s" } + if ms < 0 { + sign, ms = "-", -ms + } + f := func(unit string, mult int64, exact bool) { if exact && ms%mult != 0 { return @@ -286,7 +305,7 @@ func (d Duration) String() string { f("s", 1000, false) f("ms", 1, false) - return r + return sign + r } // MarshalJSON implements the json.Marshaler interface. diff --git a/vendor/github.com/prometheus/common/model/value.go b/vendor/github.com/prometheus/common/model/value.go index 8050637d82..a9995a37ee 100644 --- a/vendor/github.com/prometheus/common/model/value.go +++ b/vendor/github.com/prometheus/common/model/value.go @@ -191,7 +191,8 @@ func (ss SampleStream) String() string { } func (ss SampleStream) MarshalJSON() ([]byte, error) { - if len(ss.Histograms) > 0 && len(ss.Values) > 0 { + switch { + case len(ss.Histograms) > 0 && len(ss.Values) > 0: v := struct { Metric Metric `json:"metric"` Values []SamplePair `json:"values"` @@ -202,7 +203,7 @@ func (ss SampleStream) MarshalJSON() ([]byte, error) { Histograms: ss.Histograms, } return json.Marshal(&v) - } else if len(ss.Histograms) > 0 { + case len(ss.Histograms) > 0: v := struct { Metric Metric `json:"metric"` Histograms []SampleHistogramPair `json:"histograms"` @@ -211,7 +212,7 @@ func (ss SampleStream) MarshalJSON() ([]byte, error) { Histograms: ss.Histograms, } return json.Marshal(&v) - } else { + default: v := struct { Metric Metric `json:"metric"` Values []SamplePair `json:"values"` @@ -258,7 +259,7 @@ func (s Scalar) String() string { // MarshalJSON implements json.Marshaler. func (s Scalar) MarshalJSON() ([]byte, error) { v := strconv.FormatFloat(float64(s.Value), 'f', -1, 64) - return json.Marshal([...]interface{}{s.Timestamp, string(v)}) + return json.Marshal([...]interface{}{s.Timestamp, v}) } // UnmarshalJSON implements json.Unmarshaler. @@ -349,9 +350,9 @@ func (m Matrix) Len() int { return len(m) } func (m Matrix) Less(i, j int) bool { return m[i].Metric.Before(m[j].Metric) } func (m Matrix) Swap(i, j int) { m[i], m[j] = m[j], m[i] } -func (mat Matrix) String() string { - matCp := make(Matrix, len(mat)) - copy(matCp, mat) +func (m Matrix) String() string { + matCp := make(Matrix, len(m)) + copy(matCp, m) sort.Sort(matCp) strs := make([]string, len(matCp)) diff --git a/vendor/github.com/prometheus/common/model/value_histogram.go b/vendor/github.com/prometheus/common/model/value_histogram.go index 895e6a3e83..91ce5b7a45 100644 --- a/vendor/github.com/prometheus/common/model/value_histogram.go +++ b/vendor/github.com/prometheus/common/model/value_histogram.go @@ -86,22 +86,22 @@ func (s *HistogramBucket) Equal(o *HistogramBucket) bool { return s == o || (s.Boundaries == o.Boundaries && s.Lower == o.Lower && s.Upper == o.Upper && s.Count == o.Count) } -func (b HistogramBucket) String() string { +func (s HistogramBucket) String() string { var sb strings.Builder - lowerInclusive := b.Boundaries == 1 || b.Boundaries == 3 - upperInclusive := b.Boundaries == 0 || b.Boundaries == 3 + lowerInclusive := s.Boundaries == 1 || s.Boundaries == 3 + upperInclusive := s.Boundaries == 0 || s.Boundaries == 3 if lowerInclusive { sb.WriteRune('[') } else { sb.WriteRune('(') } - fmt.Fprintf(&sb, "%g,%g", b.Lower, b.Upper) + fmt.Fprintf(&sb, "%g,%g", s.Lower, s.Upper) if upperInclusive { sb.WriteRune(']') } else { sb.WriteRune(')') } - fmt.Fprintf(&sb, ":%v", b.Count) + fmt.Fprintf(&sb, ":%v", s.Count) return sb.String() } diff --git a/vendor/github.com/prometheus/common/model/value_type.go b/vendor/github.com/prometheus/common/model/value_type.go index 726c50ee63..078910f46b 100644 --- a/vendor/github.com/prometheus/common/model/value_type.go +++ b/vendor/github.com/prometheus/common/model/value_type.go @@ -66,8 +66,8 @@ func (et *ValueType) UnmarshalJSON(b []byte) error { return nil } -func (e ValueType) String() string { - switch e { +func (et ValueType) String() string { + switch et { case ValNone: return "" case ValScalar: diff --git a/vendor/github.com/prometheus/procfs/Makefile.common b/vendor/github.com/prometheus/procfs/Makefile.common index 0ed55c2ba2..4de21512ff 100644 --- a/vendor/github.com/prometheus/procfs/Makefile.common +++ b/vendor/github.com/prometheus/procfs/Makefile.common @@ -33,7 +33,7 @@ GOHOSTOS ?= $(shell $(GO) env GOHOSTOS) GOHOSTARCH ?= $(shell $(GO) env GOHOSTARCH) GO_VERSION ?= $(shell $(GO) version) -GO_VERSION_NUMBER ?= $(word 3, $(GO_VERSION))Error Parsing File +GO_VERSION_NUMBER ?= $(word 3, $(GO_VERSION)) PRE_GO_111 ?= $(shell echo $(GO_VERSION_NUMBER) | grep -E 'go1\.(10|[0-9])\.') PROMU := $(FIRST_GOPATH)/bin/promu @@ -61,7 +61,8 @@ PROMU_URL := https://github.com/prometheus/promu/releases/download/v$(PROMU_ SKIP_GOLANGCI_LINT := GOLANGCI_LINT := GOLANGCI_LINT_OPTS ?= -GOLANGCI_LINT_VERSION ?= v2.0.2 +GOLANGCI_LINT_VERSION ?= v2.1.5 +GOLANGCI_FMT_OPTS ?= # golangci-lint only supports linux, darwin and windows platforms on i386/amd64/arm64. # windows isn't included here because of the path separator being different. ifeq ($(GOHOSTOS),$(filter $(GOHOSTOS),linux darwin)) @@ -156,9 +157,13 @@ $(GOTEST_DIR): @mkdir -p $@ .PHONY: common-format -common-format: +common-format: $(GOLANGCI_LINT) @echo ">> formatting code" $(GO) fmt $(pkgs) +ifdef GOLANGCI_LINT + @echo ">> formatting code with golangci-lint" + $(GOLANGCI_LINT) fmt $(GOLANGCI_FMT_OPTS) +endif .PHONY: common-vet common-vet: @@ -248,8 +253,8 @@ $(PROMU): cp $(PROMU_TMP)/promu-$(PROMU_VERSION).$(GO_BUILD_PLATFORM)/promu $(FIRST_GOPATH)/bin/promu rm -r $(PROMU_TMP) -.PHONY: proto -proto: +.PHONY: common-proto +common-proto: @echo ">> generating code from proto files" @./scripts/genproto.sh diff --git a/vendor/github.com/prometheus/procfs/mdstat.go b/vendor/github.com/prometheus/procfs/mdstat.go index 67a9d2b448..1fd4381b22 100644 --- a/vendor/github.com/prometheus/procfs/mdstat.go +++ b/vendor/github.com/prometheus/procfs/mdstat.go @@ -123,13 +123,16 @@ func parseMDStat(mdStatData []byte) ([]MDStat, error) { finish := float64(0) pct := float64(0) recovering := strings.Contains(lines[syncLineIdx], "recovery") + reshaping := strings.Contains(lines[syncLineIdx], "reshape") resyncing := strings.Contains(lines[syncLineIdx], "resync") checking := strings.Contains(lines[syncLineIdx], "check") // Append recovery and resyncing state info. - if recovering || resyncing || checking { + if recovering || resyncing || checking || reshaping { if recovering { state = "recovering" + } else if reshaping { + state = "reshaping" } else if checking { state = "checking" } else { diff --git a/vendor/github.com/prometheus/procfs/meminfo.go b/vendor/github.com/prometheus/procfs/meminfo.go index 4b2c4050a3..937e1f9606 100644 --- a/vendor/github.com/prometheus/procfs/meminfo.go +++ b/vendor/github.com/prometheus/procfs/meminfo.go @@ -66,6 +66,10 @@ type Meminfo struct { // Memory which has been evicted from RAM, and is temporarily // on the disk SwapFree *uint64 + // Memory consumed by the zswap backend (compressed size) + Zswap *uint64 + // Amount of anonymous memory stored in zswap (original size) + Zswapped *uint64 // Memory which is waiting to get written back to the disk Dirty *uint64 // Memory which is actively being written back to the disk @@ -85,6 +89,8 @@ type Meminfo struct { // amount of memory dedicated to the lowest level of page // tables. PageTables *uint64 + // secondary page tables. + SecPageTables *uint64 // NFS pages sent to the server, but not yet committed to // stable storage NFSUnstable *uint64 @@ -129,15 +135,18 @@ type Meminfo struct { Percpu *uint64 HardwareCorrupted *uint64 AnonHugePages *uint64 + FileHugePages *uint64 ShmemHugePages *uint64 ShmemPmdMapped *uint64 CmaTotal *uint64 CmaFree *uint64 + Unaccepted *uint64 HugePagesTotal *uint64 HugePagesFree *uint64 HugePagesRsvd *uint64 HugePagesSurp *uint64 Hugepagesize *uint64 + Hugetlb *uint64 DirectMap4k *uint64 DirectMap2M *uint64 DirectMap1G *uint64 @@ -161,6 +170,8 @@ type Meminfo struct { MlockedBytes *uint64 SwapTotalBytes *uint64 SwapFreeBytes *uint64 + ZswapBytes *uint64 + ZswappedBytes *uint64 DirtyBytes *uint64 WritebackBytes *uint64 AnonPagesBytes *uint64 @@ -171,6 +182,7 @@ type Meminfo struct { SUnreclaimBytes *uint64 KernelStackBytes *uint64 PageTablesBytes *uint64 + SecPageTablesBytes *uint64 NFSUnstableBytes *uint64 BounceBytes *uint64 WritebackTmpBytes *uint64 @@ -182,11 +194,14 @@ type Meminfo struct { PercpuBytes *uint64 HardwareCorruptedBytes *uint64 AnonHugePagesBytes *uint64 + FileHugePagesBytes *uint64 ShmemHugePagesBytes *uint64 ShmemPmdMappedBytes *uint64 CmaTotalBytes *uint64 CmaFreeBytes *uint64 + UnacceptedBytes *uint64 HugepagesizeBytes *uint64 + HugetlbBytes *uint64 DirectMap4kBytes *uint64 DirectMap2MBytes *uint64 DirectMap1GBytes *uint64 @@ -287,6 +302,12 @@ func parseMemInfo(r io.Reader) (*Meminfo, error) { case "SwapFree:": m.SwapFree = &val m.SwapFreeBytes = &valBytes + case "Zswap:": + m.Zswap = &val + m.ZswapBytes = &valBytes + case "Zswapped:": + m.Zswapped = &val + m.ZswapBytes = &valBytes case "Dirty:": m.Dirty = &val m.DirtyBytes = &valBytes @@ -317,6 +338,9 @@ func parseMemInfo(r io.Reader) (*Meminfo, error) { case "PageTables:": m.PageTables = &val m.PageTablesBytes = &valBytes + case "SecPageTables:": + m.SecPageTables = &val + m.SecPageTablesBytes = &valBytes case "NFS_Unstable:": m.NFSUnstable = &val m.NFSUnstableBytes = &valBytes @@ -350,6 +374,9 @@ func parseMemInfo(r io.Reader) (*Meminfo, error) { case "AnonHugePages:": m.AnonHugePages = &val m.AnonHugePagesBytes = &valBytes + case "FileHugePages:": + m.FileHugePages = &val + m.FileHugePagesBytes = &valBytes case "ShmemHugePages:": m.ShmemHugePages = &val m.ShmemHugePagesBytes = &valBytes @@ -362,6 +389,9 @@ func parseMemInfo(r io.Reader) (*Meminfo, error) { case "CmaFree:": m.CmaFree = &val m.CmaFreeBytes = &valBytes + case "Unaccepted:": + m.Unaccepted = &val + m.UnacceptedBytes = &valBytes case "HugePages_Total:": m.HugePagesTotal = &val case "HugePages_Free:": @@ -373,6 +403,9 @@ func parseMemInfo(r io.Reader) (*Meminfo, error) { case "Hugepagesize:": m.Hugepagesize = &val m.HugepagesizeBytes = &valBytes + case "Hugetlb:": + m.Hugetlb = &val + m.HugetlbBytes = &valBytes case "DirectMap4k:": m.DirectMap4k = &val m.DirectMap4kBytes = &valBytes diff --git a/vendor/github.com/prometheus/procfs/proc_stat.go b/vendor/github.com/prometheus/procfs/proc_stat.go index 06a8d931c9..3328556bdc 100644 --- a/vendor/github.com/prometheus/procfs/proc_stat.go +++ b/vendor/github.com/prometheus/procfs/proc_stat.go @@ -101,6 +101,12 @@ type ProcStat struct { RSS int // Soft limit in bytes on the rss of the process. RSSLimit uint64 + // The address above which program text can run. + StartCode uint64 + // The address below which program text can run. + EndCode uint64 + // The address of the start (i.e., bottom) of the stack. + StartStack uint64 // CPU number last executed on. Processor uint // Real-time scheduling priority, a number in the range 1 to 99 for processes @@ -177,9 +183,9 @@ func (p Proc) Stat() (ProcStat, error) { &s.VSize, &s.RSS, &s.RSSLimit, - &ignoreUint64, - &ignoreUint64, - &ignoreUint64, + &s.StartCode, + &s.EndCode, + &s.StartStack, &ignoreUint64, &ignoreUint64, &ignoreUint64, diff --git a/vendor/github.com/prometheus/procfs/proc_statm.go b/vendor/github.com/prometheus/procfs/proc_statm.go new file mode 100644 index 0000000000..ed57984243 --- /dev/null +++ b/vendor/github.com/prometheus/procfs/proc_statm.go @@ -0,0 +1,116 @@ +// Copyright 2025 The Prometheus Authors +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package procfs + +import ( + "os" + "strconv" + "strings" + + "github.com/prometheus/procfs/internal/util" +) + +// - https://man7.org/linux/man-pages/man5/proc_pid_statm.5.html + +// ProcStatm Provides memory usage information for a process, measured in memory pages. +// Read from /proc/[pid]/statm. +type ProcStatm struct { + // The process ID. + PID int + // total program size (same as VmSize in status) + Size uint64 + // resident set size (same as VmRSS in status) + Resident uint64 + // number of resident shared pages (i.e., backed by a file) + Shared uint64 + // text (code) + Text uint64 + // library (unused since Linux 2.6; always 0) + Lib uint64 + // data + stack + Data uint64 + // dirty pages (unused since Linux 2.6; always 0) + Dt uint64 +} + +// NewStatm returns the current status information of the process. +// Deprecated: Use p.Statm() instead. +func (p Proc) NewStatm() (ProcStatm, error) { + return p.Statm() +} + +// Statm returns the current memory usage information of the process. +func (p Proc) Statm() (ProcStatm, error) { + data, err := util.ReadFileNoStat(p.path("statm")) + if err != nil { + return ProcStatm{}, err + } + + statmSlice, err := parseStatm(data) + if err != nil { + return ProcStatm{}, err + } + + procStatm := ProcStatm{ + PID: p.PID, + Size: statmSlice[0], + Resident: statmSlice[1], + Shared: statmSlice[2], + Text: statmSlice[3], + Lib: statmSlice[4], + Data: statmSlice[5], + Dt: statmSlice[6], + } + + return procStatm, nil +} + +// parseStatm return /proc/[pid]/statm data to uint64 slice. +func parseStatm(data []byte) ([]uint64, error) { + var statmSlice []uint64 + statmItems := strings.Fields(string(data)) + for i := 0; i < len(statmItems); i++ { + statmItem, err := strconv.ParseUint(statmItems[i], 10, 64) + if err != nil { + return nil, err + } + statmSlice = append(statmSlice, statmItem) + } + return statmSlice, nil +} + +// SizeBytes returns the process of total program size in bytes. +func (s ProcStatm) SizeBytes() uint64 { + return s.Size * uint64(os.Getpagesize()) +} + +// ResidentBytes returns the process of resident set size in bytes. +func (s ProcStatm) ResidentBytes() uint64 { + return s.Resident * uint64(os.Getpagesize()) +} + +// SHRBytes returns the process of share memory size in bytes. +func (s ProcStatm) SHRBytes() uint64 { + return s.Shared * uint64(os.Getpagesize()) +} + +// TextBytes returns the process of text (code) size in bytes. +func (s ProcStatm) TextBytes() uint64 { + return s.Text * uint64(os.Getpagesize()) +} + +// DataBytes returns the process of data + stack size in bytes. +func (s ProcStatm) DataBytes() uint64 { + return s.Data * uint64(os.Getpagesize()) +} diff --git a/vendor/github.com/rivo/uniseg/LICENSE.txt b/vendor/github.com/rivo/uniseg/LICENSE.txt new file mode 100644 index 0000000000..5040f1ef80 --- /dev/null +++ b/vendor/github.com/rivo/uniseg/LICENSE.txt @@ -0,0 +1,21 @@ +MIT License + +Copyright (c) 2019 Oliver Kuederle + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. diff --git a/vendor/github.com/rivo/uniseg/README.md b/vendor/github.com/rivo/uniseg/README.md new file mode 100644 index 0000000000..a8191b8154 --- /dev/null +++ b/vendor/github.com/rivo/uniseg/README.md @@ -0,0 +1,137 @@ +# Unicode Text Segmentation for Go + +[![Go Reference](https://pkg.go.dev/badge/github.com/rivo/uniseg.svg)](https://pkg.go.dev/github.com/rivo/uniseg) +[![Go Report](https://img.shields.io/badge/go%20report-A%2B-brightgreen.svg)](https://goreportcard.com/report/github.com/rivo/uniseg) + +This Go package implements Unicode Text Segmentation according to [Unicode Standard Annex #29](https://unicode.org/reports/tr29/), Unicode Line Breaking according to [Unicode Standard Annex #14](https://unicode.org/reports/tr14/) (Unicode version 15.0.0), and monospace font string width calculation similar to [wcwidth](https://man7.org/linux/man-pages/man3/wcwidth.3.html). + +## Background + +### Grapheme Clusters + +In Go, [strings are read-only slices of bytes](https://go.dev/blog/strings). They can be turned into Unicode code points using the `for` loop or by casting: `[]rune(str)`. However, multiple code points may be combined into one user-perceived character or what the Unicode specification calls "grapheme cluster". Here are some examples: + +|String|Bytes (UTF-8)|Code points (runes)|Grapheme clusters| +|-|-|-|-| +|Käse|6 bytes: `4b 61 cc 88 73 65`|5 code points: `4b 61 308 73 65`|4 clusters: `[4b],[61 308],[73],[65]`| +|ðŸ³ï¸â€ðŸŒˆ|14 bytes: `f0 9f 8f b3 ef b8 8f e2 80 8d f0 9f 8c 88`|4 code points: `1f3f3 fe0f 200d 1f308`|1 cluster: `[1f3f3 fe0f 200d 1f308]`| +|🇩🇪|8 bytes: `f0 9f 87 a9 f0 9f 87 aa`|2 code points: `1f1e9 1f1ea`|1 cluster: `[1f1e9 1f1ea]`| + +This package provides tools to iterate over these grapheme clusters. This may be used to determine the number of user-perceived characters, to split strings in their intended places, or to extract individual characters which form a unit. + +### Word Boundaries + +Word boundaries are used in a number of different contexts. The most familiar ones are selection (double-click mouse selection), cursor movement ("move to next word" control-arrow keys), and the dialog option "Whole Word Search" for search and replace. They are also used in database queries, to determine whether elements are within a certain number of words of one another. Searching may also use word boundaries in determining matching items. This package provides tools to determine word boundaries within strings. + +### Sentence Boundaries + +Sentence boundaries are often used for triple-click or some other method of selecting or iterating through blocks of text that are larger than single words. They are also used to determine whether words occur within the same sentence in database queries. This package provides tools to determine sentence boundaries within strings. + +### Line Breaking + +Line breaking, also known as word wrapping, is the process of breaking a section of text into lines such that it will fit in the available width of a page, window or other display area. This package provides tools to determine where a string may or may not be broken and where it must be broken (for example after newline characters). + +### Monospace Width + +Most terminals or text displays / text editors using a monospace font (for example source code editors) use a fixed width for each character. Some characters such as emojis or characters found in Asian and other languages may take up more than one character cell. This package provides tools to determine the number of cells a string will take up when displayed in a monospace font. See [here](https://pkg.go.dev/github.com/rivo/uniseg#hdr-Monospace_Width) for more information. + +## Installation + +```bash +go get github.com/rivo/uniseg +``` + +## Examples + +### Counting Characters in a String + +```go +n := uniseg.GraphemeClusterCount("🇩🇪ðŸ³ï¸â€ðŸŒˆ") +fmt.Println(n) +// 2 +``` + +### Calculating the Monospace String Width + +```go +width := uniseg.StringWidth("🇩🇪ðŸ³ï¸â€ðŸŒˆ!") +fmt.Println(width) +// 5 +``` + +### Using the [`Graphemes`](https://pkg.go.dev/github.com/rivo/uniseg#Graphemes) Class + +This is the most convenient method of iterating over grapheme clusters: + +```go +gr := uniseg.NewGraphemes("ðŸ‘ðŸ¼!") +for gr.Next() { + fmt.Printf("%x ", gr.Runes()) +} +// [1f44d 1f3fc] [21] +``` + +### Using the [`Step`](https://pkg.go.dev/github.com/rivo/uniseg#Step) or [`StepString`](https://pkg.go.dev/github.com/rivo/uniseg#StepString) Function + +This avoids allocating a new `Graphemes` object but it requires the handling of states and boundaries: + +```go +str := "🇩🇪ðŸ³ï¸â€ðŸŒˆ" +state := -1 +var c string +for len(str) > 0 { + c, str, _, state = uniseg.StepString(str, state) + fmt.Printf("%x ", []rune(c)) +} +// [1f1e9 1f1ea] [1f3f3 fe0f 200d 1f308] +``` + +### Advanced Examples + +The [`Graphemes`](https://pkg.go.dev/github.com/rivo/uniseg#Graphemes) class offers the most convenient way to access all functionality of this package. But in some cases, it may be better to use the specialized functions directly. For example, if you're only interested in word segmentation, use [`FirstWord`](https://pkg.go.dev/github.com/rivo/uniseg#FirstWord) or [`FirstWordInString`](https://pkg.go.dev/github.com/rivo/uniseg#FirstWordInString): + +```go +str := "Hello, world!" +state := -1 +var c string +for len(str) > 0 { + c, str, state = uniseg.FirstWordInString(str, state) + fmt.Printf("(%s)\n", c) +} +// (Hello) +// (,) +// ( ) +// (world) +// (!) +``` + +Similarly, use + +- [`FirstGraphemeCluster`](https://pkg.go.dev/github.com/rivo/uniseg#FirstGraphemeCluster) or [`FirstGraphemeClusterInString`](https://pkg.go.dev/github.com/rivo/uniseg#FirstGraphemeClusterInString) for grapheme cluster determination only, +- [`FirstSentence`](https://pkg.go.dev/github.com/rivo/uniseg#FirstSentence) or [`FirstSentenceInString`](https://pkg.go.dev/github.com/rivo/uniseg#FirstSentenceInString) for sentence segmentation only, and +- [`FirstLineSegment`](https://pkg.go.dev/github.com/rivo/uniseg#FirstLineSegment) or [`FirstLineSegmentInString`](https://pkg.go.dev/github.com/rivo/uniseg#FirstLineSegmentInString) for line breaking / word wrapping (although using [`Step`](https://pkg.go.dev/github.com/rivo/uniseg#Step) or [`StepString`](https://pkg.go.dev/github.com/rivo/uniseg#StepString) is preferred as it will observe grapheme cluster boundaries). + +If you're only interested in the width of characters, use [`FirstGraphemeCluster`](https://pkg.go.dev/github.com/rivo/uniseg#FirstGraphemeCluster) or [`FirstGraphemeClusterInString`](https://pkg.go.dev/github.com/rivo/uniseg#FirstGraphemeClusterInString). It is much faster than using [`Step`](https://pkg.go.dev/github.com/rivo/uniseg#Step), [`StepString`](https://pkg.go.dev/github.com/rivo/uniseg#StepString), or the [`Graphemes`](https://pkg.go.dev/github.com/rivo/uniseg#Graphemes) class because it does not include the logic for word / sentence / line boundaries. + +Finally, if you need to reverse a string while preserving grapheme clusters, use [`ReverseString`](https://pkg.go.dev/github.com/rivo/uniseg#ReverseString): + +```go +fmt.Println(uniseg.ReverseString("🇩🇪ðŸ³ï¸â€ðŸŒˆ")) +// ðŸ³ï¸â€ðŸŒˆðŸ‡©ðŸ‡ª +``` + +## Documentation + +Refer to https://pkg.go.dev/github.com/rivo/uniseg for the package's documentation. + +## Dependencies + +This package does not depend on any packages outside the standard library. + +## Sponsor this Project + +[Become a Sponsor on GitHub](https://github.com/sponsors/rivo?metadata_source=uniseg_readme) to support this project! + +## Your Feedback + +Add your issue here on GitHub, preferably before submitting any PR's. Feel free to get in touch if you have any questions. \ No newline at end of file diff --git a/vendor/github.com/rivo/uniseg/doc.go b/vendor/github.com/rivo/uniseg/doc.go new file mode 100644 index 0000000000..11224ae22d --- /dev/null +++ b/vendor/github.com/rivo/uniseg/doc.go @@ -0,0 +1,108 @@ +/* +Package uniseg implements Unicode Text Segmentation, Unicode Line Breaking, and +string width calculation for monospace fonts. Unicode Text Segmentation conforms +to Unicode Standard Annex #29 (https://unicode.org/reports/tr29/) and Unicode +Line Breaking conforms to Unicode Standard Annex #14 +(https://unicode.org/reports/tr14/). + +In short, using this package, you can split a string into grapheme clusters +(what people would usually refer to as a "character"), into words, and into +sentences. Or, in its simplest case, this package allows you to count the number +of characters in a string, especially when it contains complex characters such +as emojis, combining characters, or characters from Asian, Arabic, Hebrew, or +other languages. Additionally, you can use it to implement line breaking (or +"word wrapping"), that is, to determine where text can be broken over to the +next line when the width of the line is not big enough to fit the entire text. +Finally, you can use it to calculate the display width of a string for monospace +fonts. + +# Getting Started + +If you just want to count the number of characters in a string, you can use +[GraphemeClusterCount]. If you want to determine the display width of a string, +you can use [StringWidth]. If you want to iterate over a string, you can use +[Step], [StepString], or the [Graphemes] class (more convenient but less +performant). This will provide you with all information: grapheme clusters, +word boundaries, sentence boundaries, line breaks, and monospace character +widths. The specialized functions [FirstGraphemeCluster], +[FirstGraphemeClusterInString], [FirstWord], [FirstWordInString], +[FirstSentence], and [FirstSentenceInString] can be used if only one type of +information is needed. + +# Grapheme Clusters + +Consider the rainbow flag emoji: ðŸ³ï¸â€ðŸŒˆ. On most modern systems, it appears as one +character. But its string representation actually has 14 bytes, so counting +bytes (or using len("ðŸ³ï¸â€ðŸŒˆ")) will not work as expected. Counting runes won't, +either: The flag has 4 Unicode code points, thus 4 runes. The stdlib function +utf8.RuneCountInString("ðŸ³ï¸â€ðŸŒˆ") and len([]rune("ðŸ³ï¸â€ðŸŒˆ")) will both return 4. + +The [GraphemeClusterCount] function will return 1 for the rainbow flag emoji. +The Graphemes class and a variety of functions in this package will allow you to +split strings into its grapheme clusters. + +# Word Boundaries + +Word boundaries are used in a number of different contexts. The most familiar +ones are selection (double-click mouse selection), cursor movement ("move to +next word" control-arrow keys), and the dialog option "Whole Word Search" for +search and replace. This package provides methods for determining word +boundaries. + +# Sentence Boundaries + +Sentence boundaries are often used for triple-click or some other method of +selecting or iterating through blocks of text that are larger than single words. +They are also used to determine whether words occur within the same sentence in +database queries. This package provides methods for determining sentence +boundaries. + +# Line Breaking + +Line breaking, also known as word wrapping, is the process of breaking a section +of text into lines such that it will fit in the available width of a page, +window or other display area. This package provides methods to determine the +positions in a string where a line must be broken, may be broken, or must not be +broken. + +# Monospace Width + +Monospace width, as referred to in this package, is the width of a string in a +monospace font. This is commonly used in terminal user interfaces or text +displays or editors that don't support proportional fonts. A width of 1 +corresponds to a single character cell. The C function [wcswidth()] and its +implementation in other programming languages is in widespread use for the same +purpose. However, there is no standard for the calculation of such widths, and +this package differs from wcswidth() in a number of ways, presumably to generate +more visually pleasing results. + +To start, we assume that every code point has a width of 1, with the following +exceptions: + + - Code points with grapheme cluster break properties Control, CR, LF, Extend, + and ZWJ have a width of 0. + - U+2E3A, Two-Em Dash, has a width of 3. + - U+2E3B, Three-Em Dash, has a width of 4. + - Characters with the East-Asian Width properties "Fullwidth" (F) and "Wide" + (W) have a width of 2. (Properties "Ambiguous" (A) and "Neutral" (N) both + have a width of 1.) + - Code points with grapheme cluster break property Regional Indicator have a + width of 2. + - Code points with grapheme cluster break property Extended Pictographic have + a width of 2, unless their Emoji Presentation flag is "No", in which case + the width is 1. + +For Hangul grapheme clusters composed of conjoining Jamo and for Regional +Indicators (flags), all code points except the first one have a width of 0. For +grapheme clusters starting with an Extended Pictographic, any additional code +point will force a total width of 2, except if the Variation Selector-15 +(U+FE0E) is included, in which case the total width is always 1. Grapheme +clusters ending with Variation Selector-16 (U+FE0F) have a width of 2. + +Note that whether these widths appear correct depends on your application's +render engine, to which extent it conforms to the Unicode Standard, and its +choice of font. + +[wcswidth()]: https://man7.org/linux/man-pages/man3/wcswidth.3.html +*/ +package uniseg diff --git a/vendor/github.com/rivo/uniseg/eastasianwidth.go b/vendor/github.com/rivo/uniseg/eastasianwidth.go new file mode 100644 index 0000000000..5fc54d9915 --- /dev/null +++ b/vendor/github.com/rivo/uniseg/eastasianwidth.go @@ -0,0 +1,2588 @@ +// Code generated via go generate from gen_properties.go. DO NOT EDIT. + +package uniseg + +// eastAsianWidth are taken from +// https://www.unicode.org/Public/15.0.0/ucd/EastAsianWidth.txt +// and +// https://unicode.org/Public/15.0.0/ucd/emoji/emoji-data.txt +// ("Extended_Pictographic" only) +// on September 5, 2023. See https://www.unicode.org/license.html for the Unicode +// license agreement. +var eastAsianWidth = [][3]int{ + {0x0000, 0x001F, prN}, // Cc [32] .. + {0x0020, 0x0020, prNa}, // Zs SPACE + {0x0021, 0x0023, prNa}, // Po [3] EXCLAMATION MARK..NUMBER SIGN + {0x0024, 0x0024, prNa}, // Sc DOLLAR SIGN + {0x0025, 0x0027, prNa}, // Po [3] PERCENT SIGN..APOSTROPHE + {0x0028, 0x0028, prNa}, // Ps LEFT PARENTHESIS + {0x0029, 0x0029, prNa}, // Pe RIGHT PARENTHESIS + {0x002A, 0x002A, prNa}, // Po ASTERISK + {0x002B, 0x002B, prNa}, // Sm PLUS SIGN + {0x002C, 0x002C, prNa}, // Po COMMA + {0x002D, 0x002D, prNa}, // Pd HYPHEN-MINUS + {0x002E, 0x002F, prNa}, // Po [2] FULL STOP..SOLIDUS + {0x0030, 0x0039, prNa}, // Nd [10] DIGIT ZERO..DIGIT NINE + {0x003A, 0x003B, prNa}, // Po [2] COLON..SEMICOLON + {0x003C, 0x003E, prNa}, // Sm [3] LESS-THAN SIGN..GREATER-THAN SIGN + {0x003F, 0x0040, prNa}, // Po [2] QUESTION MARK..COMMERCIAL AT + {0x0041, 0x005A, prNa}, // Lu [26] LATIN CAPITAL LETTER A..LATIN CAPITAL LETTER Z + {0x005B, 0x005B, prNa}, // Ps LEFT SQUARE BRACKET + {0x005C, 0x005C, prNa}, // Po REVERSE SOLIDUS + {0x005D, 0x005D, prNa}, // Pe RIGHT SQUARE BRACKET + {0x005E, 0x005E, prNa}, // Sk CIRCUMFLEX ACCENT + {0x005F, 0x005F, prNa}, // Pc LOW LINE + {0x0060, 0x0060, prNa}, // Sk GRAVE ACCENT + {0x0061, 0x007A, prNa}, // Ll [26] LATIN SMALL LETTER A..LATIN SMALL LETTER Z + {0x007B, 0x007B, prNa}, // Ps LEFT CURLY BRACKET + {0x007C, 0x007C, prNa}, // Sm VERTICAL LINE + {0x007D, 0x007D, prNa}, // Pe RIGHT CURLY BRACKET + {0x007E, 0x007E, prNa}, // Sm TILDE + {0x007F, 0x007F, prN}, // Cc + {0x0080, 0x009F, prN}, // Cc [32] .. + {0x00A0, 0x00A0, prN}, // Zs NO-BREAK SPACE + {0x00A1, 0x00A1, prA}, // Po INVERTED EXCLAMATION MARK + {0x00A2, 0x00A3, prNa}, // Sc [2] CENT SIGN..POUND SIGN + {0x00A4, 0x00A4, prA}, // Sc CURRENCY SIGN + {0x00A5, 0x00A5, prNa}, // Sc YEN SIGN + {0x00A6, 0x00A6, prNa}, // So BROKEN BAR + {0x00A7, 0x00A7, prA}, // Po SECTION SIGN + {0x00A8, 0x00A8, prA}, // Sk DIAERESIS + {0x00A9, 0x00A9, prN}, // So COPYRIGHT SIGN + {0x00AA, 0x00AA, prA}, // Lo FEMININE ORDINAL INDICATOR + {0x00AB, 0x00AB, prN}, // Pi LEFT-POINTING DOUBLE ANGLE QUOTATION MARK + {0x00AC, 0x00AC, prNa}, // Sm NOT SIGN + {0x00AD, 0x00AD, prA}, // Cf SOFT HYPHEN + {0x00AE, 0x00AE, prA}, // So REGISTERED SIGN + {0x00AF, 0x00AF, prNa}, // Sk MACRON + {0x00B0, 0x00B0, prA}, // So DEGREE SIGN + {0x00B1, 0x00B1, prA}, // Sm PLUS-MINUS SIGN + {0x00B2, 0x00B3, prA}, // No [2] SUPERSCRIPT TWO..SUPERSCRIPT THREE + {0x00B4, 0x00B4, prA}, // Sk ACUTE ACCENT + {0x00B5, 0x00B5, prN}, // Ll MICRO SIGN + {0x00B6, 0x00B7, prA}, // Po [2] PILCROW SIGN..MIDDLE DOT + {0x00B8, 0x00B8, prA}, // Sk CEDILLA + {0x00B9, 0x00B9, prA}, // No SUPERSCRIPT ONE + {0x00BA, 0x00BA, prA}, // Lo MASCULINE ORDINAL INDICATOR + {0x00BB, 0x00BB, prN}, // Pf RIGHT-POINTING DOUBLE ANGLE QUOTATION MARK + {0x00BC, 0x00BE, prA}, // No [3] VULGAR FRACTION ONE QUARTER..VULGAR FRACTION THREE QUARTERS + {0x00BF, 0x00BF, prA}, // Po INVERTED QUESTION MARK + {0x00C0, 0x00C5, prN}, // Lu [6] LATIN CAPITAL LETTER A WITH GRAVE..LATIN CAPITAL LETTER A WITH RING ABOVE + {0x00C6, 0x00C6, prA}, // Lu LATIN CAPITAL LETTER AE + {0x00C7, 0x00CF, prN}, // Lu [9] LATIN CAPITAL LETTER C WITH CEDILLA..LATIN CAPITAL LETTER I WITH DIAERESIS + {0x00D0, 0x00D0, prA}, // Lu LATIN CAPITAL LETTER ETH + {0x00D1, 0x00D6, prN}, // Lu [6] LATIN CAPITAL LETTER N WITH TILDE..LATIN CAPITAL LETTER O WITH DIAERESIS + {0x00D7, 0x00D7, prA}, // Sm MULTIPLICATION SIGN + {0x00D8, 0x00D8, prA}, // Lu LATIN CAPITAL LETTER O WITH STROKE + {0x00D9, 0x00DD, prN}, // Lu [5] LATIN CAPITAL LETTER U WITH GRAVE..LATIN CAPITAL LETTER Y WITH ACUTE + {0x00DE, 0x00E1, prA}, // L& [4] LATIN CAPITAL LETTER THORN..LATIN SMALL LETTER A WITH ACUTE + {0x00E2, 0x00E5, prN}, // Ll [4] LATIN SMALL LETTER A WITH CIRCUMFLEX..LATIN SMALL LETTER A WITH RING ABOVE + {0x00E6, 0x00E6, prA}, // Ll LATIN SMALL LETTER AE + {0x00E7, 0x00E7, prN}, // Ll LATIN SMALL LETTER C WITH CEDILLA + {0x00E8, 0x00EA, prA}, // Ll [3] LATIN SMALL LETTER E WITH GRAVE..LATIN SMALL LETTER E WITH CIRCUMFLEX + {0x00EB, 0x00EB, prN}, // Ll LATIN SMALL LETTER E WITH DIAERESIS + {0x00EC, 0x00ED, prA}, // Ll [2] LATIN SMALL LETTER I WITH GRAVE..LATIN SMALL LETTER I WITH ACUTE + {0x00EE, 0x00EF, prN}, // Ll [2] LATIN SMALL LETTER I WITH CIRCUMFLEX..LATIN SMALL LETTER I WITH DIAERESIS + {0x00F0, 0x00F0, prA}, // Ll LATIN SMALL LETTER ETH + {0x00F1, 0x00F1, prN}, // Ll LATIN SMALL LETTER N WITH TILDE + {0x00F2, 0x00F3, prA}, // Ll [2] LATIN SMALL LETTER O WITH GRAVE..LATIN SMALL LETTER O WITH ACUTE + {0x00F4, 0x00F6, prN}, // Ll [3] LATIN SMALL LETTER O WITH CIRCUMFLEX..LATIN SMALL LETTER O WITH DIAERESIS + {0x00F7, 0x00F7, prA}, // Sm DIVISION SIGN + {0x00F8, 0x00FA, prA}, // Ll [3] LATIN SMALL LETTER O WITH STROKE..LATIN SMALL LETTER U WITH ACUTE + {0x00FB, 0x00FB, prN}, // Ll LATIN SMALL LETTER U WITH CIRCUMFLEX + {0x00FC, 0x00FC, prA}, // Ll LATIN SMALL LETTER U WITH DIAERESIS + {0x00FD, 0x00FD, prN}, // Ll LATIN SMALL LETTER Y WITH ACUTE + {0x00FE, 0x00FE, prA}, // Ll LATIN SMALL LETTER THORN + {0x00FF, 0x00FF, prN}, // Ll LATIN SMALL LETTER Y WITH DIAERESIS + {0x0100, 0x0100, prN}, // Lu LATIN CAPITAL LETTER A WITH MACRON + {0x0101, 0x0101, prA}, // Ll LATIN SMALL LETTER A WITH MACRON + {0x0102, 0x0110, prN}, // L& [15] LATIN CAPITAL LETTER A WITH BREVE..LATIN CAPITAL LETTER D WITH STROKE + {0x0111, 0x0111, prA}, // Ll LATIN SMALL LETTER D WITH STROKE + {0x0112, 0x0112, prN}, // Lu LATIN CAPITAL LETTER E WITH MACRON + {0x0113, 0x0113, prA}, // Ll LATIN SMALL LETTER E WITH MACRON + {0x0114, 0x011A, prN}, // L& [7] LATIN CAPITAL LETTER E WITH BREVE..LATIN CAPITAL LETTER E WITH CARON + {0x011B, 0x011B, prA}, // Ll LATIN SMALL LETTER E WITH CARON + {0x011C, 0x0125, prN}, // L& [10] LATIN CAPITAL LETTER G WITH CIRCUMFLEX..LATIN SMALL LETTER H WITH CIRCUMFLEX + {0x0126, 0x0127, prA}, // L& [2] LATIN CAPITAL LETTER H WITH STROKE..LATIN SMALL LETTER H WITH STROKE + {0x0128, 0x012A, prN}, // L& [3] LATIN CAPITAL LETTER I WITH TILDE..LATIN CAPITAL LETTER I WITH MACRON + {0x012B, 0x012B, prA}, // Ll LATIN SMALL LETTER I WITH MACRON + {0x012C, 0x0130, prN}, // L& [5] LATIN CAPITAL LETTER I WITH BREVE..LATIN CAPITAL LETTER I WITH DOT ABOVE + {0x0131, 0x0133, prA}, // L& [3] LATIN SMALL LETTER DOTLESS I..LATIN SMALL LIGATURE IJ + {0x0134, 0x0137, prN}, // L& [4] LATIN CAPITAL LETTER J WITH CIRCUMFLEX..LATIN SMALL LETTER K WITH CEDILLA + {0x0138, 0x0138, prA}, // Ll LATIN SMALL LETTER KRA + {0x0139, 0x013E, prN}, // L& [6] LATIN CAPITAL LETTER L WITH ACUTE..LATIN SMALL LETTER L WITH CARON + {0x013F, 0x0142, prA}, // L& [4] LATIN CAPITAL LETTER L WITH MIDDLE DOT..LATIN SMALL LETTER L WITH STROKE + {0x0143, 0x0143, prN}, // Lu LATIN CAPITAL LETTER N WITH ACUTE + {0x0144, 0x0144, prA}, // Ll LATIN SMALL LETTER N WITH ACUTE + {0x0145, 0x0147, prN}, // L& [3] LATIN CAPITAL LETTER N WITH CEDILLA..LATIN CAPITAL LETTER N WITH CARON + {0x0148, 0x014B, prA}, // L& [4] LATIN SMALL LETTER N WITH CARON..LATIN SMALL LETTER ENG + {0x014C, 0x014C, prN}, // Lu LATIN CAPITAL LETTER O WITH MACRON + {0x014D, 0x014D, prA}, // Ll LATIN SMALL LETTER O WITH MACRON + {0x014E, 0x0151, prN}, // L& [4] LATIN CAPITAL LETTER O WITH BREVE..LATIN SMALL LETTER O WITH DOUBLE ACUTE + {0x0152, 0x0153, prA}, // L& [2] LATIN CAPITAL LIGATURE OE..LATIN SMALL LIGATURE OE + {0x0154, 0x0165, prN}, // L& [18] LATIN CAPITAL LETTER R WITH ACUTE..LATIN SMALL LETTER T WITH CARON + {0x0166, 0x0167, prA}, // L& [2] LATIN CAPITAL LETTER T WITH STROKE..LATIN SMALL LETTER T WITH STROKE + {0x0168, 0x016A, prN}, // L& [3] LATIN CAPITAL LETTER U WITH TILDE..LATIN CAPITAL LETTER U WITH MACRON + {0x016B, 0x016B, prA}, // Ll LATIN SMALL LETTER U WITH MACRON + {0x016C, 0x017F, prN}, // L& [20] LATIN CAPITAL LETTER U WITH BREVE..LATIN SMALL LETTER LONG S + {0x0180, 0x01BA, prN}, // L& [59] LATIN SMALL LETTER B WITH STROKE..LATIN SMALL LETTER EZH WITH TAIL + {0x01BB, 0x01BB, prN}, // Lo LATIN LETTER TWO WITH STROKE + {0x01BC, 0x01BF, prN}, // L& [4] LATIN CAPITAL LETTER TONE FIVE..LATIN LETTER WYNN + {0x01C0, 0x01C3, prN}, // Lo [4] LATIN LETTER DENTAL CLICK..LATIN LETTER RETROFLEX CLICK + {0x01C4, 0x01CD, prN}, // L& [10] LATIN CAPITAL LETTER DZ WITH CARON..LATIN CAPITAL LETTER A WITH CARON + {0x01CE, 0x01CE, prA}, // Ll LATIN SMALL LETTER A WITH CARON + {0x01CF, 0x01CF, prN}, // Lu LATIN CAPITAL LETTER I WITH CARON + {0x01D0, 0x01D0, prA}, // Ll LATIN SMALL LETTER I WITH CARON + {0x01D1, 0x01D1, prN}, // Lu LATIN CAPITAL LETTER O WITH CARON + {0x01D2, 0x01D2, prA}, // Ll LATIN SMALL LETTER O WITH CARON + {0x01D3, 0x01D3, prN}, // Lu LATIN CAPITAL LETTER U WITH CARON + {0x01D4, 0x01D4, prA}, // Ll LATIN SMALL LETTER U WITH CARON + {0x01D5, 0x01D5, prN}, // Lu LATIN CAPITAL LETTER U WITH DIAERESIS AND MACRON + {0x01D6, 0x01D6, prA}, // Ll LATIN SMALL LETTER U WITH DIAERESIS AND MACRON + {0x01D7, 0x01D7, prN}, // Lu LATIN CAPITAL LETTER U WITH DIAERESIS AND ACUTE + {0x01D8, 0x01D8, prA}, // Ll LATIN SMALL LETTER U WITH DIAERESIS AND ACUTE + {0x01D9, 0x01D9, prN}, // Lu LATIN CAPITAL LETTER U WITH DIAERESIS AND CARON + {0x01DA, 0x01DA, prA}, // Ll LATIN SMALL LETTER U WITH DIAERESIS AND CARON + {0x01DB, 0x01DB, prN}, // Lu LATIN CAPITAL LETTER U WITH DIAERESIS AND GRAVE + {0x01DC, 0x01DC, prA}, // Ll LATIN SMALL LETTER U WITH DIAERESIS AND GRAVE + {0x01DD, 0x024F, prN}, // L& [115] LATIN SMALL LETTER TURNED E..LATIN SMALL LETTER Y WITH STROKE + {0x0250, 0x0250, prN}, // Ll LATIN SMALL LETTER TURNED A + {0x0251, 0x0251, prA}, // Ll LATIN SMALL LETTER ALPHA + {0x0252, 0x0260, prN}, // Ll [15] LATIN SMALL LETTER TURNED ALPHA..LATIN SMALL LETTER G WITH HOOK + {0x0261, 0x0261, prA}, // Ll LATIN SMALL LETTER SCRIPT G + {0x0262, 0x0293, prN}, // Ll [50] LATIN LETTER SMALL CAPITAL G..LATIN SMALL LETTER EZH WITH CURL + {0x0294, 0x0294, prN}, // Lo LATIN LETTER GLOTTAL STOP + {0x0295, 0x02AF, prN}, // Ll [27] LATIN LETTER PHARYNGEAL VOICED FRICATIVE..LATIN SMALL LETTER TURNED H WITH FISHHOOK AND TAIL + {0x02B0, 0x02C1, prN}, // Lm [18] MODIFIER LETTER SMALL H..MODIFIER LETTER REVERSED GLOTTAL STOP + {0x02C2, 0x02C3, prN}, // Sk [2] MODIFIER LETTER LEFT ARROWHEAD..MODIFIER LETTER RIGHT ARROWHEAD + {0x02C4, 0x02C4, prA}, // Sk MODIFIER LETTER UP ARROWHEAD + {0x02C5, 0x02C5, prN}, // Sk MODIFIER LETTER DOWN ARROWHEAD + {0x02C6, 0x02C6, prN}, // Lm MODIFIER LETTER CIRCUMFLEX ACCENT + {0x02C7, 0x02C7, prA}, // Lm CARON + {0x02C8, 0x02C8, prN}, // Lm MODIFIER LETTER VERTICAL LINE + {0x02C9, 0x02CB, prA}, // Lm [3] MODIFIER LETTER MACRON..MODIFIER LETTER GRAVE ACCENT + {0x02CC, 0x02CC, prN}, // Lm MODIFIER LETTER LOW VERTICAL LINE + {0x02CD, 0x02CD, prA}, // Lm MODIFIER LETTER LOW MACRON + {0x02CE, 0x02CF, prN}, // Lm [2] MODIFIER LETTER LOW GRAVE ACCENT..MODIFIER LETTER LOW ACUTE ACCENT + {0x02D0, 0x02D0, prA}, // Lm MODIFIER LETTER TRIANGULAR COLON + {0x02D1, 0x02D1, prN}, // Lm MODIFIER LETTER HALF TRIANGULAR COLON + {0x02D2, 0x02D7, prN}, // Sk [6] MODIFIER LETTER CENTRED RIGHT HALF RING..MODIFIER LETTER MINUS SIGN + {0x02D8, 0x02DB, prA}, // Sk [4] BREVE..OGONEK + {0x02DC, 0x02DC, prN}, // Sk SMALL TILDE + {0x02DD, 0x02DD, prA}, // Sk DOUBLE ACUTE ACCENT + {0x02DE, 0x02DE, prN}, // Sk MODIFIER LETTER RHOTIC HOOK + {0x02DF, 0x02DF, prA}, // Sk MODIFIER LETTER CROSS ACCENT + {0x02E0, 0x02E4, prN}, // Lm [5] MODIFIER LETTER SMALL GAMMA..MODIFIER LETTER SMALL REVERSED GLOTTAL STOP + {0x02E5, 0x02EB, prN}, // Sk [7] MODIFIER LETTER EXTRA-HIGH TONE BAR..MODIFIER LETTER YANG DEPARTING TONE MARK + {0x02EC, 0x02EC, prN}, // Lm MODIFIER LETTER VOICING + {0x02ED, 0x02ED, prN}, // Sk MODIFIER LETTER UNASPIRATED + {0x02EE, 0x02EE, prN}, // Lm MODIFIER LETTER DOUBLE APOSTROPHE + {0x02EF, 0x02FF, prN}, // Sk [17] MODIFIER LETTER LOW DOWN ARROWHEAD..MODIFIER LETTER LOW LEFT ARROW + {0x0300, 0x036F, prA}, // Mn [112] COMBINING GRAVE ACCENT..COMBINING LATIN SMALL LETTER X + {0x0370, 0x0373, prN}, // L& [4] GREEK CAPITAL LETTER HETA..GREEK SMALL LETTER ARCHAIC SAMPI + {0x0374, 0x0374, prN}, // Lm GREEK NUMERAL SIGN + {0x0375, 0x0375, prN}, // Sk GREEK LOWER NUMERAL SIGN + {0x0376, 0x0377, prN}, // L& [2] GREEK CAPITAL LETTER PAMPHYLIAN DIGAMMA..GREEK SMALL LETTER PAMPHYLIAN DIGAMMA + {0x037A, 0x037A, prN}, // Lm GREEK YPOGEGRAMMENI + {0x037B, 0x037D, prN}, // Ll [3] GREEK SMALL REVERSED LUNATE SIGMA SYMBOL..GREEK SMALL REVERSED DOTTED LUNATE SIGMA SYMBOL + {0x037E, 0x037E, prN}, // Po GREEK QUESTION MARK + {0x037F, 0x037F, prN}, // Lu GREEK CAPITAL LETTER YOT + {0x0384, 0x0385, prN}, // Sk [2] GREEK TONOS..GREEK DIALYTIKA TONOS + {0x0386, 0x0386, prN}, // Lu GREEK CAPITAL LETTER ALPHA WITH TONOS + {0x0387, 0x0387, prN}, // Po GREEK ANO TELEIA + {0x0388, 0x038A, prN}, // Lu [3] GREEK CAPITAL LETTER EPSILON WITH TONOS..GREEK CAPITAL LETTER IOTA WITH TONOS + {0x038C, 0x038C, prN}, // Lu GREEK CAPITAL LETTER OMICRON WITH TONOS + {0x038E, 0x0390, prN}, // L& [3] GREEK CAPITAL LETTER UPSILON WITH TONOS..GREEK SMALL LETTER IOTA WITH DIALYTIKA AND TONOS + {0x0391, 0x03A1, prA}, // Lu [17] GREEK CAPITAL LETTER ALPHA..GREEK CAPITAL LETTER RHO + {0x03A3, 0x03A9, prA}, // Lu [7] GREEK CAPITAL LETTER SIGMA..GREEK CAPITAL LETTER OMEGA + {0x03AA, 0x03B0, prN}, // L& [7] GREEK CAPITAL LETTER IOTA WITH DIALYTIKA..GREEK SMALL LETTER UPSILON WITH DIALYTIKA AND TONOS + {0x03B1, 0x03C1, prA}, // Ll [17] GREEK SMALL LETTER ALPHA..GREEK SMALL LETTER RHO + {0x03C2, 0x03C2, prN}, // Ll GREEK SMALL LETTER FINAL SIGMA + {0x03C3, 0x03C9, prA}, // Ll [7] GREEK SMALL LETTER SIGMA..GREEK SMALL LETTER OMEGA + {0x03CA, 0x03F5, prN}, // L& [44] GREEK SMALL LETTER IOTA WITH DIALYTIKA..GREEK LUNATE EPSILON SYMBOL + {0x03F6, 0x03F6, prN}, // Sm GREEK REVERSED LUNATE EPSILON SYMBOL + {0x03F7, 0x03FF, prN}, // L& [9] GREEK CAPITAL LETTER SHO..GREEK CAPITAL REVERSED DOTTED LUNATE SIGMA SYMBOL + {0x0400, 0x0400, prN}, // Lu CYRILLIC CAPITAL LETTER IE WITH GRAVE + {0x0401, 0x0401, prA}, // Lu CYRILLIC CAPITAL LETTER IO + {0x0402, 0x040F, prN}, // Lu [14] CYRILLIC CAPITAL LETTER DJE..CYRILLIC CAPITAL LETTER DZHE + {0x0410, 0x044F, prA}, // L& [64] CYRILLIC CAPITAL LETTER A..CYRILLIC SMALL LETTER YA + {0x0450, 0x0450, prN}, // Ll CYRILLIC SMALL LETTER IE WITH GRAVE + {0x0451, 0x0451, prA}, // Ll CYRILLIC SMALL LETTER IO + {0x0452, 0x0481, prN}, // L& [48] CYRILLIC SMALL LETTER DJE..CYRILLIC SMALL LETTER KOPPA + {0x0482, 0x0482, prN}, // So CYRILLIC THOUSANDS SIGN + {0x0483, 0x0487, prN}, // Mn [5] COMBINING CYRILLIC TITLO..COMBINING CYRILLIC POKRYTIE + {0x0488, 0x0489, prN}, // Me [2] COMBINING CYRILLIC HUNDRED THOUSANDS SIGN..COMBINING CYRILLIC MILLIONS SIGN + {0x048A, 0x04FF, prN}, // L& [118] CYRILLIC CAPITAL LETTER SHORT I WITH TAIL..CYRILLIC SMALL LETTER HA WITH STROKE + {0x0500, 0x052F, prN}, // L& [48] CYRILLIC CAPITAL LETTER KOMI DE..CYRILLIC SMALL LETTER EL WITH DESCENDER + {0x0531, 0x0556, prN}, // Lu [38] ARMENIAN CAPITAL LETTER AYB..ARMENIAN CAPITAL LETTER FEH + {0x0559, 0x0559, prN}, // Lm ARMENIAN MODIFIER LETTER LEFT HALF RING + {0x055A, 0x055F, prN}, // Po [6] ARMENIAN APOSTROPHE..ARMENIAN ABBREVIATION MARK + {0x0560, 0x0588, prN}, // Ll [41] ARMENIAN SMALL LETTER TURNED AYB..ARMENIAN SMALL LETTER YI WITH STROKE + {0x0589, 0x0589, prN}, // Po ARMENIAN FULL STOP + {0x058A, 0x058A, prN}, // Pd ARMENIAN HYPHEN + {0x058D, 0x058E, prN}, // So [2] RIGHT-FACING ARMENIAN ETERNITY SIGN..LEFT-FACING ARMENIAN ETERNITY SIGN + {0x058F, 0x058F, prN}, // Sc ARMENIAN DRAM SIGN + {0x0591, 0x05BD, prN}, // Mn [45] HEBREW ACCENT ETNAHTA..HEBREW POINT METEG + {0x05BE, 0x05BE, prN}, // Pd HEBREW PUNCTUATION MAQAF + {0x05BF, 0x05BF, prN}, // Mn HEBREW POINT RAFE + {0x05C0, 0x05C0, prN}, // Po HEBREW PUNCTUATION PASEQ + {0x05C1, 0x05C2, prN}, // Mn [2] HEBREW POINT SHIN DOT..HEBREW POINT SIN DOT + {0x05C3, 0x05C3, prN}, // Po HEBREW PUNCTUATION SOF PASUQ + {0x05C4, 0x05C5, prN}, // Mn [2] HEBREW MARK UPPER DOT..HEBREW MARK LOWER DOT + {0x05C6, 0x05C6, prN}, // Po HEBREW PUNCTUATION NUN HAFUKHA + {0x05C7, 0x05C7, prN}, // Mn HEBREW POINT QAMATS QATAN + {0x05D0, 0x05EA, prN}, // Lo [27] HEBREW LETTER ALEF..HEBREW LETTER TAV + {0x05EF, 0x05F2, prN}, // Lo [4] HEBREW YOD TRIANGLE..HEBREW LIGATURE YIDDISH DOUBLE YOD + {0x05F3, 0x05F4, prN}, // Po [2] HEBREW PUNCTUATION GERESH..HEBREW PUNCTUATION GERSHAYIM + {0x0600, 0x0605, prN}, // Cf [6] ARABIC NUMBER SIGN..ARABIC NUMBER MARK ABOVE + {0x0606, 0x0608, prN}, // Sm [3] ARABIC-INDIC CUBE ROOT..ARABIC RAY + {0x0609, 0x060A, prN}, // Po [2] ARABIC-INDIC PER MILLE SIGN..ARABIC-INDIC PER TEN THOUSAND SIGN + {0x060B, 0x060B, prN}, // Sc AFGHANI SIGN + {0x060C, 0x060D, prN}, // Po [2] ARABIC COMMA..ARABIC DATE SEPARATOR + {0x060E, 0x060F, prN}, // So [2] ARABIC POETIC VERSE SIGN..ARABIC SIGN MISRA + {0x0610, 0x061A, prN}, // Mn [11] ARABIC SIGN SALLALLAHOU ALAYHE WASSALLAM..ARABIC SMALL KASRA + {0x061B, 0x061B, prN}, // Po ARABIC SEMICOLON + {0x061C, 0x061C, prN}, // Cf ARABIC LETTER MARK + {0x061D, 0x061F, prN}, // Po [3] ARABIC END OF TEXT MARK..ARABIC QUESTION MARK + {0x0620, 0x063F, prN}, // Lo [32] ARABIC LETTER KASHMIRI YEH..ARABIC LETTER FARSI YEH WITH THREE DOTS ABOVE + {0x0640, 0x0640, prN}, // Lm ARABIC TATWEEL + {0x0641, 0x064A, prN}, // Lo [10] ARABIC LETTER FEH..ARABIC LETTER YEH + {0x064B, 0x065F, prN}, // Mn [21] ARABIC FATHATAN..ARABIC WAVY HAMZA BELOW + {0x0660, 0x0669, prN}, // Nd [10] ARABIC-INDIC DIGIT ZERO..ARABIC-INDIC DIGIT NINE + {0x066A, 0x066D, prN}, // Po [4] ARABIC PERCENT SIGN..ARABIC FIVE POINTED STAR + {0x066E, 0x066F, prN}, // Lo [2] ARABIC LETTER DOTLESS BEH..ARABIC LETTER DOTLESS QAF + {0x0670, 0x0670, prN}, // Mn ARABIC LETTER SUPERSCRIPT ALEF + {0x0671, 0x06D3, prN}, // Lo [99] ARABIC LETTER ALEF WASLA..ARABIC LETTER YEH BARREE WITH HAMZA ABOVE + {0x06D4, 0x06D4, prN}, // Po ARABIC FULL STOP + {0x06D5, 0x06D5, prN}, // Lo ARABIC LETTER AE + {0x06D6, 0x06DC, prN}, // Mn [7] ARABIC SMALL HIGH LIGATURE SAD WITH LAM WITH ALEF MAKSURA..ARABIC SMALL HIGH SEEN + {0x06DD, 0x06DD, prN}, // Cf ARABIC END OF AYAH + {0x06DE, 0x06DE, prN}, // So ARABIC START OF RUB EL HIZB + {0x06DF, 0x06E4, prN}, // Mn [6] ARABIC SMALL HIGH ROUNDED ZERO..ARABIC SMALL HIGH MADDA + {0x06E5, 0x06E6, prN}, // Lm [2] ARABIC SMALL WAW..ARABIC SMALL YEH + {0x06E7, 0x06E8, prN}, // Mn [2] ARABIC SMALL HIGH YEH..ARABIC SMALL HIGH NOON + {0x06E9, 0x06E9, prN}, // So ARABIC PLACE OF SAJDAH + {0x06EA, 0x06ED, prN}, // Mn [4] ARABIC EMPTY CENTRE LOW STOP..ARABIC SMALL LOW MEEM + {0x06EE, 0x06EF, prN}, // Lo [2] ARABIC LETTER DAL WITH INVERTED V..ARABIC LETTER REH WITH INVERTED V + {0x06F0, 0x06F9, prN}, // Nd [10] EXTENDED ARABIC-INDIC DIGIT ZERO..EXTENDED ARABIC-INDIC DIGIT NINE + {0x06FA, 0x06FC, prN}, // Lo [3] ARABIC LETTER SHEEN WITH DOT BELOW..ARABIC LETTER GHAIN WITH DOT BELOW + {0x06FD, 0x06FE, prN}, // So [2] ARABIC SIGN SINDHI AMPERSAND..ARABIC SIGN SINDHI POSTPOSITION MEN + {0x06FF, 0x06FF, prN}, // Lo ARABIC LETTER HEH WITH INVERTED V + {0x0700, 0x070D, prN}, // Po [14] SYRIAC END OF PARAGRAPH..SYRIAC HARKLEAN ASTERISCUS + {0x070F, 0x070F, prN}, // Cf SYRIAC ABBREVIATION MARK + {0x0710, 0x0710, prN}, // Lo SYRIAC LETTER ALAPH + {0x0711, 0x0711, prN}, // Mn SYRIAC LETTER SUPERSCRIPT ALAPH + {0x0712, 0x072F, prN}, // Lo [30] SYRIAC LETTER BETH..SYRIAC LETTER PERSIAN DHALATH + {0x0730, 0x074A, prN}, // Mn [27] SYRIAC PTHAHA ABOVE..SYRIAC BARREKH + {0x074D, 0x074F, prN}, // Lo [3] SYRIAC LETTER SOGDIAN ZHAIN..SYRIAC LETTER SOGDIAN FE + {0x0750, 0x077F, prN}, // Lo [48] ARABIC LETTER BEH WITH THREE DOTS HORIZONTALLY BELOW..ARABIC LETTER KAF WITH TWO DOTS ABOVE + {0x0780, 0x07A5, prN}, // Lo [38] THAANA LETTER HAA..THAANA LETTER WAAVU + {0x07A6, 0x07B0, prN}, // Mn [11] THAANA ABAFILI..THAANA SUKUN + {0x07B1, 0x07B1, prN}, // Lo THAANA LETTER NAA + {0x07C0, 0x07C9, prN}, // Nd [10] NKO DIGIT ZERO..NKO DIGIT NINE + {0x07CA, 0x07EA, prN}, // Lo [33] NKO LETTER A..NKO LETTER JONA RA + {0x07EB, 0x07F3, prN}, // Mn [9] NKO COMBINING SHORT HIGH TONE..NKO COMBINING DOUBLE DOT ABOVE + {0x07F4, 0x07F5, prN}, // Lm [2] NKO HIGH TONE APOSTROPHE..NKO LOW TONE APOSTROPHE + {0x07F6, 0x07F6, prN}, // So NKO SYMBOL OO DENNEN + {0x07F7, 0x07F9, prN}, // Po [3] NKO SYMBOL GBAKURUNEN..NKO EXCLAMATION MARK + {0x07FA, 0x07FA, prN}, // Lm NKO LAJANYALAN + {0x07FD, 0x07FD, prN}, // Mn NKO DANTAYALAN + {0x07FE, 0x07FF, prN}, // Sc [2] NKO DOROME SIGN..NKO TAMAN SIGN + {0x0800, 0x0815, prN}, // Lo [22] SAMARITAN LETTER ALAF..SAMARITAN LETTER TAAF + {0x0816, 0x0819, prN}, // Mn [4] SAMARITAN MARK IN..SAMARITAN MARK DAGESH + {0x081A, 0x081A, prN}, // Lm SAMARITAN MODIFIER LETTER EPENTHETIC YUT + {0x081B, 0x0823, prN}, // Mn [9] SAMARITAN MARK EPENTHETIC YUT..SAMARITAN VOWEL SIGN A + {0x0824, 0x0824, prN}, // Lm SAMARITAN MODIFIER LETTER SHORT A + {0x0825, 0x0827, prN}, // Mn [3] SAMARITAN VOWEL SIGN SHORT A..SAMARITAN VOWEL SIGN U + {0x0828, 0x0828, prN}, // Lm SAMARITAN MODIFIER LETTER I + {0x0829, 0x082D, prN}, // Mn [5] SAMARITAN VOWEL SIGN LONG I..SAMARITAN MARK NEQUDAA + {0x0830, 0x083E, prN}, // Po [15] SAMARITAN PUNCTUATION NEQUDAA..SAMARITAN PUNCTUATION ANNAAU + {0x0840, 0x0858, prN}, // Lo [25] MANDAIC LETTER HALQA..MANDAIC LETTER AIN + {0x0859, 0x085B, prN}, // Mn [3] MANDAIC AFFRICATION MARK..MANDAIC GEMINATION MARK + {0x085E, 0x085E, prN}, // Po MANDAIC PUNCTUATION + {0x0860, 0x086A, prN}, // Lo [11] SYRIAC LETTER MALAYALAM NGA..SYRIAC LETTER MALAYALAM SSA + {0x0870, 0x0887, prN}, // Lo [24] ARABIC LETTER ALEF WITH ATTACHED FATHA..ARABIC BASELINE ROUND DOT + {0x0888, 0x0888, prN}, // Sk ARABIC RAISED ROUND DOT + {0x0889, 0x088E, prN}, // Lo [6] ARABIC LETTER NOON WITH INVERTED SMALL V..ARABIC VERTICAL TAIL + {0x0890, 0x0891, prN}, // Cf [2] ARABIC POUND MARK ABOVE..ARABIC PIASTRE MARK ABOVE + {0x0898, 0x089F, prN}, // Mn [8] ARABIC SMALL HIGH WORD AL-JUZ..ARABIC HALF MADDA OVER MADDA + {0x08A0, 0x08C8, prN}, // Lo [41] ARABIC LETTER BEH WITH SMALL V BELOW..ARABIC LETTER GRAF + {0x08C9, 0x08C9, prN}, // Lm ARABIC SMALL FARSI YEH + {0x08CA, 0x08E1, prN}, // Mn [24] ARABIC SMALL HIGH FARSI YEH..ARABIC SMALL HIGH SIGN SAFHA + {0x08E2, 0x08E2, prN}, // Cf ARABIC DISPUTED END OF AYAH + {0x08E3, 0x08FF, prN}, // Mn [29] ARABIC TURNED DAMMA BELOW..ARABIC MARK SIDEWAYS NOON GHUNNA + {0x0900, 0x0902, prN}, // Mn [3] DEVANAGARI SIGN INVERTED CANDRABINDU..DEVANAGARI SIGN ANUSVARA + {0x0903, 0x0903, prN}, // Mc DEVANAGARI SIGN VISARGA + {0x0904, 0x0939, prN}, // Lo [54] DEVANAGARI LETTER SHORT A..DEVANAGARI LETTER HA + {0x093A, 0x093A, prN}, // Mn DEVANAGARI VOWEL SIGN OE + {0x093B, 0x093B, prN}, // Mc DEVANAGARI VOWEL SIGN OOE + {0x093C, 0x093C, prN}, // Mn DEVANAGARI SIGN NUKTA + {0x093D, 0x093D, prN}, // Lo DEVANAGARI SIGN AVAGRAHA + {0x093E, 0x0940, prN}, // Mc [3] DEVANAGARI VOWEL SIGN AA..DEVANAGARI VOWEL SIGN II + {0x0941, 0x0948, prN}, // Mn [8] DEVANAGARI VOWEL SIGN U..DEVANAGARI VOWEL SIGN AI + {0x0949, 0x094C, prN}, // Mc [4] DEVANAGARI VOWEL SIGN CANDRA O..DEVANAGARI VOWEL SIGN AU + {0x094D, 0x094D, prN}, // Mn DEVANAGARI SIGN VIRAMA + {0x094E, 0x094F, prN}, // Mc [2] DEVANAGARI VOWEL SIGN PRISHTHAMATRA E..DEVANAGARI VOWEL SIGN AW + {0x0950, 0x0950, prN}, // Lo DEVANAGARI OM + {0x0951, 0x0957, prN}, // Mn [7] DEVANAGARI STRESS SIGN UDATTA..DEVANAGARI VOWEL SIGN UUE + {0x0958, 0x0961, prN}, // Lo [10] DEVANAGARI LETTER QA..DEVANAGARI LETTER VOCALIC LL + {0x0962, 0x0963, prN}, // Mn [2] DEVANAGARI VOWEL SIGN VOCALIC L..DEVANAGARI VOWEL SIGN VOCALIC LL + {0x0964, 0x0965, prN}, // Po [2] DEVANAGARI DANDA..DEVANAGARI DOUBLE DANDA + {0x0966, 0x096F, prN}, // Nd [10] DEVANAGARI DIGIT ZERO..DEVANAGARI DIGIT NINE + {0x0970, 0x0970, prN}, // Po DEVANAGARI ABBREVIATION SIGN + {0x0971, 0x0971, prN}, // Lm DEVANAGARI SIGN HIGH SPACING DOT + {0x0972, 0x097F, prN}, // Lo [14] DEVANAGARI LETTER CANDRA A..DEVANAGARI LETTER BBA + {0x0980, 0x0980, prN}, // Lo BENGALI ANJI + {0x0981, 0x0981, prN}, // Mn BENGALI SIGN CANDRABINDU + {0x0982, 0x0983, prN}, // Mc [2] BENGALI SIGN ANUSVARA..BENGALI SIGN VISARGA + {0x0985, 0x098C, prN}, // Lo [8] BENGALI LETTER A..BENGALI LETTER VOCALIC L + {0x098F, 0x0990, prN}, // Lo [2] BENGALI LETTER E..BENGALI LETTER AI + {0x0993, 0x09A8, prN}, // Lo [22] BENGALI LETTER O..BENGALI LETTER NA + {0x09AA, 0x09B0, prN}, // Lo [7] BENGALI LETTER PA..BENGALI LETTER RA + {0x09B2, 0x09B2, prN}, // Lo BENGALI LETTER LA + {0x09B6, 0x09B9, prN}, // Lo [4] BENGALI LETTER SHA..BENGALI LETTER HA + {0x09BC, 0x09BC, prN}, // Mn BENGALI SIGN NUKTA + {0x09BD, 0x09BD, prN}, // Lo BENGALI SIGN AVAGRAHA + {0x09BE, 0x09C0, prN}, // Mc [3] BENGALI VOWEL SIGN AA..BENGALI VOWEL SIGN II + {0x09C1, 0x09C4, prN}, // Mn [4] BENGALI VOWEL SIGN U..BENGALI VOWEL SIGN VOCALIC RR + {0x09C7, 0x09C8, prN}, // Mc [2] BENGALI VOWEL SIGN E..BENGALI VOWEL SIGN AI + {0x09CB, 0x09CC, prN}, // Mc [2] BENGALI VOWEL SIGN O..BENGALI VOWEL SIGN AU + {0x09CD, 0x09CD, prN}, // Mn BENGALI SIGN VIRAMA + {0x09CE, 0x09CE, prN}, // Lo BENGALI LETTER KHANDA TA + {0x09D7, 0x09D7, prN}, // Mc BENGALI AU LENGTH MARK + {0x09DC, 0x09DD, prN}, // Lo [2] BENGALI LETTER RRA..BENGALI LETTER RHA + {0x09DF, 0x09E1, prN}, // Lo [3] BENGALI LETTER YYA..BENGALI LETTER VOCALIC LL + {0x09E2, 0x09E3, prN}, // Mn [2] BENGALI VOWEL SIGN VOCALIC L..BENGALI VOWEL SIGN VOCALIC LL + {0x09E6, 0x09EF, prN}, // Nd [10] BENGALI DIGIT ZERO..BENGALI DIGIT NINE + {0x09F0, 0x09F1, prN}, // Lo [2] BENGALI LETTER RA WITH MIDDLE DIAGONAL..BENGALI LETTER RA WITH LOWER DIAGONAL + {0x09F2, 0x09F3, prN}, // Sc [2] BENGALI RUPEE MARK..BENGALI RUPEE SIGN + {0x09F4, 0x09F9, prN}, // No [6] BENGALI CURRENCY NUMERATOR ONE..BENGALI CURRENCY DENOMINATOR SIXTEEN + {0x09FA, 0x09FA, prN}, // So BENGALI ISSHAR + {0x09FB, 0x09FB, prN}, // Sc BENGALI GANDA MARK + {0x09FC, 0x09FC, prN}, // Lo BENGALI LETTER VEDIC ANUSVARA + {0x09FD, 0x09FD, prN}, // Po BENGALI ABBREVIATION SIGN + {0x09FE, 0x09FE, prN}, // Mn BENGALI SANDHI MARK + {0x0A01, 0x0A02, prN}, // Mn [2] GURMUKHI SIGN ADAK BINDI..GURMUKHI SIGN BINDI + {0x0A03, 0x0A03, prN}, // Mc GURMUKHI SIGN VISARGA + {0x0A05, 0x0A0A, prN}, // Lo [6] GURMUKHI LETTER A..GURMUKHI LETTER UU + {0x0A0F, 0x0A10, prN}, // Lo [2] GURMUKHI LETTER EE..GURMUKHI LETTER AI + {0x0A13, 0x0A28, prN}, // Lo [22] GURMUKHI LETTER OO..GURMUKHI LETTER NA + {0x0A2A, 0x0A30, prN}, // Lo [7] GURMUKHI LETTER PA..GURMUKHI LETTER RA + {0x0A32, 0x0A33, prN}, // Lo [2] GURMUKHI LETTER LA..GURMUKHI LETTER LLA + {0x0A35, 0x0A36, prN}, // Lo [2] GURMUKHI LETTER VA..GURMUKHI LETTER SHA + {0x0A38, 0x0A39, prN}, // Lo [2] GURMUKHI LETTER SA..GURMUKHI LETTER HA + {0x0A3C, 0x0A3C, prN}, // Mn GURMUKHI SIGN NUKTA + {0x0A3E, 0x0A40, prN}, // Mc [3] GURMUKHI VOWEL SIGN AA..GURMUKHI VOWEL SIGN II + {0x0A41, 0x0A42, prN}, // Mn [2] GURMUKHI VOWEL SIGN U..GURMUKHI VOWEL SIGN UU + {0x0A47, 0x0A48, prN}, // Mn [2] GURMUKHI VOWEL SIGN EE..GURMUKHI VOWEL SIGN AI + {0x0A4B, 0x0A4D, prN}, // Mn [3] GURMUKHI VOWEL SIGN OO..GURMUKHI SIGN VIRAMA + {0x0A51, 0x0A51, prN}, // Mn GURMUKHI SIGN UDAAT + {0x0A59, 0x0A5C, prN}, // Lo [4] GURMUKHI LETTER KHHA..GURMUKHI LETTER RRA + {0x0A5E, 0x0A5E, prN}, // Lo GURMUKHI LETTER FA + {0x0A66, 0x0A6F, prN}, // Nd [10] GURMUKHI DIGIT ZERO..GURMUKHI DIGIT NINE + {0x0A70, 0x0A71, prN}, // Mn [2] GURMUKHI TIPPI..GURMUKHI ADDAK + {0x0A72, 0x0A74, prN}, // Lo [3] GURMUKHI IRI..GURMUKHI EK ONKAR + {0x0A75, 0x0A75, prN}, // Mn GURMUKHI SIGN YAKASH + {0x0A76, 0x0A76, prN}, // Po GURMUKHI ABBREVIATION SIGN + {0x0A81, 0x0A82, prN}, // Mn [2] GUJARATI SIGN CANDRABINDU..GUJARATI SIGN ANUSVARA + {0x0A83, 0x0A83, prN}, // Mc GUJARATI SIGN VISARGA + {0x0A85, 0x0A8D, prN}, // Lo [9] GUJARATI LETTER A..GUJARATI VOWEL CANDRA E + {0x0A8F, 0x0A91, prN}, // Lo [3] GUJARATI LETTER E..GUJARATI VOWEL CANDRA O + {0x0A93, 0x0AA8, prN}, // Lo [22] GUJARATI LETTER O..GUJARATI LETTER NA + {0x0AAA, 0x0AB0, prN}, // Lo [7] GUJARATI LETTER PA..GUJARATI LETTER RA + {0x0AB2, 0x0AB3, prN}, // Lo [2] GUJARATI LETTER LA..GUJARATI LETTER LLA + {0x0AB5, 0x0AB9, prN}, // Lo [5] GUJARATI LETTER VA..GUJARATI LETTER HA + {0x0ABC, 0x0ABC, prN}, // Mn GUJARATI SIGN NUKTA + {0x0ABD, 0x0ABD, prN}, // Lo GUJARATI SIGN AVAGRAHA + {0x0ABE, 0x0AC0, prN}, // Mc [3] GUJARATI VOWEL SIGN AA..GUJARATI VOWEL SIGN II + {0x0AC1, 0x0AC5, prN}, // Mn [5] GUJARATI VOWEL SIGN U..GUJARATI VOWEL SIGN CANDRA E + {0x0AC7, 0x0AC8, prN}, // Mn [2] GUJARATI VOWEL SIGN E..GUJARATI VOWEL SIGN AI + {0x0AC9, 0x0AC9, prN}, // Mc GUJARATI VOWEL SIGN CANDRA O + {0x0ACB, 0x0ACC, prN}, // Mc [2] GUJARATI VOWEL SIGN O..GUJARATI VOWEL SIGN AU + {0x0ACD, 0x0ACD, prN}, // Mn GUJARATI SIGN VIRAMA + {0x0AD0, 0x0AD0, prN}, // Lo GUJARATI OM + {0x0AE0, 0x0AE1, prN}, // Lo [2] GUJARATI LETTER VOCALIC RR..GUJARATI LETTER VOCALIC LL + {0x0AE2, 0x0AE3, prN}, // Mn [2] GUJARATI VOWEL SIGN VOCALIC L..GUJARATI VOWEL SIGN VOCALIC LL + {0x0AE6, 0x0AEF, prN}, // Nd [10] GUJARATI DIGIT ZERO..GUJARATI DIGIT NINE + {0x0AF0, 0x0AF0, prN}, // Po GUJARATI ABBREVIATION SIGN + {0x0AF1, 0x0AF1, prN}, // Sc GUJARATI RUPEE SIGN + {0x0AF9, 0x0AF9, prN}, // Lo GUJARATI LETTER ZHA + {0x0AFA, 0x0AFF, prN}, // Mn [6] GUJARATI SIGN SUKUN..GUJARATI SIGN TWO-CIRCLE NUKTA ABOVE + {0x0B01, 0x0B01, prN}, // Mn ORIYA SIGN CANDRABINDU + {0x0B02, 0x0B03, prN}, // Mc [2] ORIYA SIGN ANUSVARA..ORIYA SIGN VISARGA + {0x0B05, 0x0B0C, prN}, // Lo [8] ORIYA LETTER A..ORIYA LETTER VOCALIC L + {0x0B0F, 0x0B10, prN}, // Lo [2] ORIYA LETTER E..ORIYA LETTER AI + {0x0B13, 0x0B28, prN}, // Lo [22] ORIYA LETTER O..ORIYA LETTER NA + {0x0B2A, 0x0B30, prN}, // Lo [7] ORIYA LETTER PA..ORIYA LETTER RA + {0x0B32, 0x0B33, prN}, // Lo [2] ORIYA LETTER LA..ORIYA LETTER LLA + {0x0B35, 0x0B39, prN}, // Lo [5] ORIYA LETTER VA..ORIYA LETTER HA + {0x0B3C, 0x0B3C, prN}, // Mn ORIYA SIGN NUKTA + {0x0B3D, 0x0B3D, prN}, // Lo ORIYA SIGN AVAGRAHA + {0x0B3E, 0x0B3E, prN}, // Mc ORIYA VOWEL SIGN AA + {0x0B3F, 0x0B3F, prN}, // Mn ORIYA VOWEL SIGN I + {0x0B40, 0x0B40, prN}, // Mc ORIYA VOWEL SIGN II + {0x0B41, 0x0B44, prN}, // Mn [4] ORIYA VOWEL SIGN U..ORIYA VOWEL SIGN VOCALIC RR + {0x0B47, 0x0B48, prN}, // Mc [2] ORIYA VOWEL SIGN E..ORIYA VOWEL SIGN AI + {0x0B4B, 0x0B4C, prN}, // Mc [2] ORIYA VOWEL SIGN O..ORIYA VOWEL SIGN AU + {0x0B4D, 0x0B4D, prN}, // Mn ORIYA SIGN VIRAMA + {0x0B55, 0x0B56, prN}, // Mn [2] ORIYA SIGN OVERLINE..ORIYA AI LENGTH MARK + {0x0B57, 0x0B57, prN}, // Mc ORIYA AU LENGTH MARK + {0x0B5C, 0x0B5D, prN}, // Lo [2] ORIYA LETTER RRA..ORIYA LETTER RHA + {0x0B5F, 0x0B61, prN}, // Lo [3] ORIYA LETTER YYA..ORIYA LETTER VOCALIC LL + {0x0B62, 0x0B63, prN}, // Mn [2] ORIYA VOWEL SIGN VOCALIC L..ORIYA VOWEL SIGN VOCALIC LL + {0x0B66, 0x0B6F, prN}, // Nd [10] ORIYA DIGIT ZERO..ORIYA DIGIT NINE + {0x0B70, 0x0B70, prN}, // So ORIYA ISSHAR + {0x0B71, 0x0B71, prN}, // Lo ORIYA LETTER WA + {0x0B72, 0x0B77, prN}, // No [6] ORIYA FRACTION ONE QUARTER..ORIYA FRACTION THREE SIXTEENTHS + {0x0B82, 0x0B82, prN}, // Mn TAMIL SIGN ANUSVARA + {0x0B83, 0x0B83, prN}, // Lo TAMIL SIGN VISARGA + {0x0B85, 0x0B8A, prN}, // Lo [6] TAMIL LETTER A..TAMIL LETTER UU + {0x0B8E, 0x0B90, prN}, // Lo [3] TAMIL LETTER E..TAMIL LETTER AI + {0x0B92, 0x0B95, prN}, // Lo [4] TAMIL LETTER O..TAMIL LETTER KA + {0x0B99, 0x0B9A, prN}, // Lo [2] TAMIL LETTER NGA..TAMIL LETTER CA + {0x0B9C, 0x0B9C, prN}, // Lo TAMIL LETTER JA + {0x0B9E, 0x0B9F, prN}, // Lo [2] TAMIL LETTER NYA..TAMIL LETTER TTA + {0x0BA3, 0x0BA4, prN}, // Lo [2] TAMIL LETTER NNA..TAMIL LETTER TA + {0x0BA8, 0x0BAA, prN}, // Lo [3] TAMIL LETTER NA..TAMIL LETTER PA + {0x0BAE, 0x0BB9, prN}, // Lo [12] TAMIL LETTER MA..TAMIL LETTER HA + {0x0BBE, 0x0BBF, prN}, // Mc [2] TAMIL VOWEL SIGN AA..TAMIL VOWEL SIGN I + {0x0BC0, 0x0BC0, prN}, // Mn TAMIL VOWEL SIGN II + {0x0BC1, 0x0BC2, prN}, // Mc [2] TAMIL VOWEL SIGN U..TAMIL VOWEL SIGN UU + {0x0BC6, 0x0BC8, prN}, // Mc [3] TAMIL VOWEL SIGN E..TAMIL VOWEL SIGN AI + {0x0BCA, 0x0BCC, prN}, // Mc [3] TAMIL VOWEL SIGN O..TAMIL VOWEL SIGN AU + {0x0BCD, 0x0BCD, prN}, // Mn TAMIL SIGN VIRAMA + {0x0BD0, 0x0BD0, prN}, // Lo TAMIL OM + {0x0BD7, 0x0BD7, prN}, // Mc TAMIL AU LENGTH MARK + {0x0BE6, 0x0BEF, prN}, // Nd [10] TAMIL DIGIT ZERO..TAMIL DIGIT NINE + {0x0BF0, 0x0BF2, prN}, // No [3] TAMIL NUMBER TEN..TAMIL NUMBER ONE THOUSAND + {0x0BF3, 0x0BF8, prN}, // So [6] TAMIL DAY SIGN..TAMIL AS ABOVE SIGN + {0x0BF9, 0x0BF9, prN}, // Sc TAMIL RUPEE SIGN + {0x0BFA, 0x0BFA, prN}, // So TAMIL NUMBER SIGN + {0x0C00, 0x0C00, prN}, // Mn TELUGU SIGN COMBINING CANDRABINDU ABOVE + {0x0C01, 0x0C03, prN}, // Mc [3] TELUGU SIGN CANDRABINDU..TELUGU SIGN VISARGA + {0x0C04, 0x0C04, prN}, // Mn TELUGU SIGN COMBINING ANUSVARA ABOVE + {0x0C05, 0x0C0C, prN}, // Lo [8] TELUGU LETTER A..TELUGU LETTER VOCALIC L + {0x0C0E, 0x0C10, prN}, // Lo [3] TELUGU LETTER E..TELUGU LETTER AI + {0x0C12, 0x0C28, prN}, // Lo [23] TELUGU LETTER O..TELUGU LETTER NA + {0x0C2A, 0x0C39, prN}, // Lo [16] TELUGU LETTER PA..TELUGU LETTER HA + {0x0C3C, 0x0C3C, prN}, // Mn TELUGU SIGN NUKTA + {0x0C3D, 0x0C3D, prN}, // Lo TELUGU SIGN AVAGRAHA + {0x0C3E, 0x0C40, prN}, // Mn [3] TELUGU VOWEL SIGN AA..TELUGU VOWEL SIGN II + {0x0C41, 0x0C44, prN}, // Mc [4] TELUGU VOWEL SIGN U..TELUGU VOWEL SIGN VOCALIC RR + {0x0C46, 0x0C48, prN}, // Mn [3] TELUGU VOWEL SIGN E..TELUGU VOWEL SIGN AI + {0x0C4A, 0x0C4D, prN}, // Mn [4] TELUGU VOWEL SIGN O..TELUGU SIGN VIRAMA + {0x0C55, 0x0C56, prN}, // Mn [2] TELUGU LENGTH MARK..TELUGU AI LENGTH MARK + {0x0C58, 0x0C5A, prN}, // Lo [3] TELUGU LETTER TSA..TELUGU LETTER RRRA + {0x0C5D, 0x0C5D, prN}, // Lo TELUGU LETTER NAKAARA POLLU + {0x0C60, 0x0C61, prN}, // Lo [2] TELUGU LETTER VOCALIC RR..TELUGU LETTER VOCALIC LL + {0x0C62, 0x0C63, prN}, // Mn [2] TELUGU VOWEL SIGN VOCALIC L..TELUGU VOWEL SIGN VOCALIC LL + {0x0C66, 0x0C6F, prN}, // Nd [10] TELUGU DIGIT ZERO..TELUGU DIGIT NINE + {0x0C77, 0x0C77, prN}, // Po TELUGU SIGN SIDDHAM + {0x0C78, 0x0C7E, prN}, // No [7] TELUGU FRACTION DIGIT ZERO FOR ODD POWERS OF FOUR..TELUGU FRACTION DIGIT THREE FOR EVEN POWERS OF FOUR + {0x0C7F, 0x0C7F, prN}, // So TELUGU SIGN TUUMU + {0x0C80, 0x0C80, prN}, // Lo KANNADA SIGN SPACING CANDRABINDU + {0x0C81, 0x0C81, prN}, // Mn KANNADA SIGN CANDRABINDU + {0x0C82, 0x0C83, prN}, // Mc [2] KANNADA SIGN ANUSVARA..KANNADA SIGN VISARGA + {0x0C84, 0x0C84, prN}, // Po KANNADA SIGN SIDDHAM + {0x0C85, 0x0C8C, prN}, // Lo [8] KANNADA LETTER A..KANNADA LETTER VOCALIC L + {0x0C8E, 0x0C90, prN}, // Lo [3] KANNADA LETTER E..KANNADA LETTER AI + {0x0C92, 0x0CA8, prN}, // Lo [23] KANNADA LETTER O..KANNADA LETTER NA + {0x0CAA, 0x0CB3, prN}, // Lo [10] KANNADA LETTER PA..KANNADA LETTER LLA + {0x0CB5, 0x0CB9, prN}, // Lo [5] KANNADA LETTER VA..KANNADA LETTER HA + {0x0CBC, 0x0CBC, prN}, // Mn KANNADA SIGN NUKTA + {0x0CBD, 0x0CBD, prN}, // Lo KANNADA SIGN AVAGRAHA + {0x0CBE, 0x0CBE, prN}, // Mc KANNADA VOWEL SIGN AA + {0x0CBF, 0x0CBF, prN}, // Mn KANNADA VOWEL SIGN I + {0x0CC0, 0x0CC4, prN}, // Mc [5] KANNADA VOWEL SIGN II..KANNADA VOWEL SIGN VOCALIC RR + {0x0CC6, 0x0CC6, prN}, // Mn KANNADA VOWEL SIGN E + {0x0CC7, 0x0CC8, prN}, // Mc [2] KANNADA VOWEL SIGN EE..KANNADA VOWEL SIGN AI + {0x0CCA, 0x0CCB, prN}, // Mc [2] KANNADA VOWEL SIGN O..KANNADA VOWEL SIGN OO + {0x0CCC, 0x0CCD, prN}, // Mn [2] KANNADA VOWEL SIGN AU..KANNADA SIGN VIRAMA + {0x0CD5, 0x0CD6, prN}, // Mc [2] KANNADA LENGTH MARK..KANNADA AI LENGTH MARK + {0x0CDD, 0x0CDE, prN}, // Lo [2] KANNADA LETTER NAKAARA POLLU..KANNADA LETTER FA + {0x0CE0, 0x0CE1, prN}, // Lo [2] KANNADA LETTER VOCALIC RR..KANNADA LETTER VOCALIC LL + {0x0CE2, 0x0CE3, prN}, // Mn [2] KANNADA VOWEL SIGN VOCALIC L..KANNADA VOWEL SIGN VOCALIC LL + {0x0CE6, 0x0CEF, prN}, // Nd [10] KANNADA DIGIT ZERO..KANNADA DIGIT NINE + {0x0CF1, 0x0CF2, prN}, // Lo [2] KANNADA SIGN JIHVAMULIYA..KANNADA SIGN UPADHMANIYA + {0x0CF3, 0x0CF3, prN}, // Mc KANNADA SIGN COMBINING ANUSVARA ABOVE RIGHT + {0x0D00, 0x0D01, prN}, // Mn [2] MALAYALAM SIGN COMBINING ANUSVARA ABOVE..MALAYALAM SIGN CANDRABINDU + {0x0D02, 0x0D03, prN}, // Mc [2] MALAYALAM SIGN ANUSVARA..MALAYALAM SIGN VISARGA + {0x0D04, 0x0D0C, prN}, // Lo [9] MALAYALAM LETTER VEDIC ANUSVARA..MALAYALAM LETTER VOCALIC L + {0x0D0E, 0x0D10, prN}, // Lo [3] MALAYALAM LETTER E..MALAYALAM LETTER AI + {0x0D12, 0x0D3A, prN}, // Lo [41] MALAYALAM LETTER O..MALAYALAM LETTER TTTA + {0x0D3B, 0x0D3C, prN}, // Mn [2] MALAYALAM SIGN VERTICAL BAR VIRAMA..MALAYALAM SIGN CIRCULAR VIRAMA + {0x0D3D, 0x0D3D, prN}, // Lo MALAYALAM SIGN AVAGRAHA + {0x0D3E, 0x0D40, prN}, // Mc [3] MALAYALAM VOWEL SIGN AA..MALAYALAM VOWEL SIGN II + {0x0D41, 0x0D44, prN}, // Mn [4] MALAYALAM VOWEL SIGN U..MALAYALAM VOWEL SIGN VOCALIC RR + {0x0D46, 0x0D48, prN}, // Mc [3] MALAYALAM VOWEL SIGN E..MALAYALAM VOWEL SIGN AI + {0x0D4A, 0x0D4C, prN}, // Mc [3] MALAYALAM VOWEL SIGN O..MALAYALAM VOWEL SIGN AU + {0x0D4D, 0x0D4D, prN}, // Mn MALAYALAM SIGN VIRAMA + {0x0D4E, 0x0D4E, prN}, // Lo MALAYALAM LETTER DOT REPH + {0x0D4F, 0x0D4F, prN}, // So MALAYALAM SIGN PARA + {0x0D54, 0x0D56, prN}, // Lo [3] MALAYALAM LETTER CHILLU M..MALAYALAM LETTER CHILLU LLL + {0x0D57, 0x0D57, prN}, // Mc MALAYALAM AU LENGTH MARK + {0x0D58, 0x0D5E, prN}, // No [7] MALAYALAM FRACTION ONE ONE-HUNDRED-AND-SIXTIETH..MALAYALAM FRACTION ONE FIFTH + {0x0D5F, 0x0D61, prN}, // Lo [3] MALAYALAM LETTER ARCHAIC II..MALAYALAM LETTER VOCALIC LL + {0x0D62, 0x0D63, prN}, // Mn [2] MALAYALAM VOWEL SIGN VOCALIC L..MALAYALAM VOWEL SIGN VOCALIC LL + {0x0D66, 0x0D6F, prN}, // Nd [10] MALAYALAM DIGIT ZERO..MALAYALAM DIGIT NINE + {0x0D70, 0x0D78, prN}, // No [9] MALAYALAM NUMBER TEN..MALAYALAM FRACTION THREE SIXTEENTHS + {0x0D79, 0x0D79, prN}, // So MALAYALAM DATE MARK + {0x0D7A, 0x0D7F, prN}, // Lo [6] MALAYALAM LETTER CHILLU NN..MALAYALAM LETTER CHILLU K + {0x0D81, 0x0D81, prN}, // Mn SINHALA SIGN CANDRABINDU + {0x0D82, 0x0D83, prN}, // Mc [2] SINHALA SIGN ANUSVARAYA..SINHALA SIGN VISARGAYA + {0x0D85, 0x0D96, prN}, // Lo [18] SINHALA LETTER AYANNA..SINHALA LETTER AUYANNA + {0x0D9A, 0x0DB1, prN}, // Lo [24] SINHALA LETTER ALPAPRAANA KAYANNA..SINHALA LETTER DANTAJA NAYANNA + {0x0DB3, 0x0DBB, prN}, // Lo [9] SINHALA LETTER SANYAKA DAYANNA..SINHALA LETTER RAYANNA + {0x0DBD, 0x0DBD, prN}, // Lo SINHALA LETTER DANTAJA LAYANNA + {0x0DC0, 0x0DC6, prN}, // Lo [7] SINHALA LETTER VAYANNA..SINHALA LETTER FAYANNA + {0x0DCA, 0x0DCA, prN}, // Mn SINHALA SIGN AL-LAKUNA + {0x0DCF, 0x0DD1, prN}, // Mc [3] SINHALA VOWEL SIGN AELA-PILLA..SINHALA VOWEL SIGN DIGA AEDA-PILLA + {0x0DD2, 0x0DD4, prN}, // Mn [3] SINHALA VOWEL SIGN KETTI IS-PILLA..SINHALA VOWEL SIGN KETTI PAA-PILLA + {0x0DD6, 0x0DD6, prN}, // Mn SINHALA VOWEL SIGN DIGA PAA-PILLA + {0x0DD8, 0x0DDF, prN}, // Mc [8] SINHALA VOWEL SIGN GAETTA-PILLA..SINHALA VOWEL SIGN GAYANUKITTA + {0x0DE6, 0x0DEF, prN}, // Nd [10] SINHALA LITH DIGIT ZERO..SINHALA LITH DIGIT NINE + {0x0DF2, 0x0DF3, prN}, // Mc [2] SINHALA VOWEL SIGN DIGA GAETTA-PILLA..SINHALA VOWEL SIGN DIGA GAYANUKITTA + {0x0DF4, 0x0DF4, prN}, // Po SINHALA PUNCTUATION KUNDDALIYA + {0x0E01, 0x0E30, prN}, // Lo [48] THAI CHARACTER KO KAI..THAI CHARACTER SARA A + {0x0E31, 0x0E31, prN}, // Mn THAI CHARACTER MAI HAN-AKAT + {0x0E32, 0x0E33, prN}, // Lo [2] THAI CHARACTER SARA AA..THAI CHARACTER SARA AM + {0x0E34, 0x0E3A, prN}, // Mn [7] THAI CHARACTER SARA I..THAI CHARACTER PHINTHU + {0x0E3F, 0x0E3F, prN}, // Sc THAI CURRENCY SYMBOL BAHT + {0x0E40, 0x0E45, prN}, // Lo [6] THAI CHARACTER SARA E..THAI CHARACTER LAKKHANGYAO + {0x0E46, 0x0E46, prN}, // Lm THAI CHARACTER MAIYAMOK + {0x0E47, 0x0E4E, prN}, // Mn [8] THAI CHARACTER MAITAIKHU..THAI CHARACTER YAMAKKAN + {0x0E4F, 0x0E4F, prN}, // Po THAI CHARACTER FONGMAN + {0x0E50, 0x0E59, prN}, // Nd [10] THAI DIGIT ZERO..THAI DIGIT NINE + {0x0E5A, 0x0E5B, prN}, // Po [2] THAI CHARACTER ANGKHANKHU..THAI CHARACTER KHOMUT + {0x0E81, 0x0E82, prN}, // Lo [2] LAO LETTER KO..LAO LETTER KHO SUNG + {0x0E84, 0x0E84, prN}, // Lo LAO LETTER KHO TAM + {0x0E86, 0x0E8A, prN}, // Lo [5] LAO LETTER PALI GHA..LAO LETTER SO TAM + {0x0E8C, 0x0EA3, prN}, // Lo [24] LAO LETTER PALI JHA..LAO LETTER LO LING + {0x0EA5, 0x0EA5, prN}, // Lo LAO LETTER LO LOOT + {0x0EA7, 0x0EB0, prN}, // Lo [10] LAO LETTER WO..LAO VOWEL SIGN A + {0x0EB1, 0x0EB1, prN}, // Mn LAO VOWEL SIGN MAI KAN + {0x0EB2, 0x0EB3, prN}, // Lo [2] LAO VOWEL SIGN AA..LAO VOWEL SIGN AM + {0x0EB4, 0x0EBC, prN}, // Mn [9] LAO VOWEL SIGN I..LAO SEMIVOWEL SIGN LO + {0x0EBD, 0x0EBD, prN}, // Lo LAO SEMIVOWEL SIGN NYO + {0x0EC0, 0x0EC4, prN}, // Lo [5] LAO VOWEL SIGN E..LAO VOWEL SIGN AI + {0x0EC6, 0x0EC6, prN}, // Lm LAO KO LA + {0x0EC8, 0x0ECE, prN}, // Mn [7] LAO TONE MAI EK..LAO YAMAKKAN + {0x0ED0, 0x0ED9, prN}, // Nd [10] LAO DIGIT ZERO..LAO DIGIT NINE + {0x0EDC, 0x0EDF, prN}, // Lo [4] LAO HO NO..LAO LETTER KHMU NYO + {0x0F00, 0x0F00, prN}, // Lo TIBETAN SYLLABLE OM + {0x0F01, 0x0F03, prN}, // So [3] TIBETAN MARK GTER YIG MGO TRUNCATED A..TIBETAN MARK GTER YIG MGO -UM GTER TSHEG MA + {0x0F04, 0x0F12, prN}, // Po [15] TIBETAN MARK INITIAL YIG MGO MDUN MA..TIBETAN MARK RGYA GRAM SHAD + {0x0F13, 0x0F13, prN}, // So TIBETAN MARK CARET -DZUD RTAGS ME LONG CAN + {0x0F14, 0x0F14, prN}, // Po TIBETAN MARK GTER TSHEG + {0x0F15, 0x0F17, prN}, // So [3] TIBETAN LOGOTYPE SIGN CHAD RTAGS..TIBETAN ASTROLOGICAL SIGN SGRA GCAN -CHAR RTAGS + {0x0F18, 0x0F19, prN}, // Mn [2] TIBETAN ASTROLOGICAL SIGN -KHYUD PA..TIBETAN ASTROLOGICAL SIGN SDONG TSHUGS + {0x0F1A, 0x0F1F, prN}, // So [6] TIBETAN SIGN RDEL DKAR GCIG..TIBETAN SIGN RDEL DKAR RDEL NAG + {0x0F20, 0x0F29, prN}, // Nd [10] TIBETAN DIGIT ZERO..TIBETAN DIGIT NINE + {0x0F2A, 0x0F33, prN}, // No [10] TIBETAN DIGIT HALF ONE..TIBETAN DIGIT HALF ZERO + {0x0F34, 0x0F34, prN}, // So TIBETAN MARK BSDUS RTAGS + {0x0F35, 0x0F35, prN}, // Mn TIBETAN MARK NGAS BZUNG NYI ZLA + {0x0F36, 0x0F36, prN}, // So TIBETAN MARK CARET -DZUD RTAGS BZHI MIG CAN + {0x0F37, 0x0F37, prN}, // Mn TIBETAN MARK NGAS BZUNG SGOR RTAGS + {0x0F38, 0x0F38, prN}, // So TIBETAN MARK CHE MGO + {0x0F39, 0x0F39, prN}, // Mn TIBETAN MARK TSA -PHRU + {0x0F3A, 0x0F3A, prN}, // Ps TIBETAN MARK GUG RTAGS GYON + {0x0F3B, 0x0F3B, prN}, // Pe TIBETAN MARK GUG RTAGS GYAS + {0x0F3C, 0x0F3C, prN}, // Ps TIBETAN MARK ANG KHANG GYON + {0x0F3D, 0x0F3D, prN}, // Pe TIBETAN MARK ANG KHANG GYAS + {0x0F3E, 0x0F3F, prN}, // Mc [2] TIBETAN SIGN YAR TSHES..TIBETAN SIGN MAR TSHES + {0x0F40, 0x0F47, prN}, // Lo [8] TIBETAN LETTER KA..TIBETAN LETTER JA + {0x0F49, 0x0F6C, prN}, // Lo [36] TIBETAN LETTER NYA..TIBETAN LETTER RRA + {0x0F71, 0x0F7E, prN}, // Mn [14] TIBETAN VOWEL SIGN AA..TIBETAN SIGN RJES SU NGA RO + {0x0F7F, 0x0F7F, prN}, // Mc TIBETAN SIGN RNAM BCAD + {0x0F80, 0x0F84, prN}, // Mn [5] TIBETAN VOWEL SIGN REVERSED I..TIBETAN MARK HALANTA + {0x0F85, 0x0F85, prN}, // Po TIBETAN MARK PALUTA + {0x0F86, 0x0F87, prN}, // Mn [2] TIBETAN SIGN LCI RTAGS..TIBETAN SIGN YANG RTAGS + {0x0F88, 0x0F8C, prN}, // Lo [5] TIBETAN SIGN LCE TSA CAN..TIBETAN SIGN INVERTED MCHU CAN + {0x0F8D, 0x0F97, prN}, // Mn [11] TIBETAN SUBJOINED SIGN LCE TSA CAN..TIBETAN SUBJOINED LETTER JA + {0x0F99, 0x0FBC, prN}, // Mn [36] TIBETAN SUBJOINED LETTER NYA..TIBETAN SUBJOINED LETTER FIXED-FORM RA + {0x0FBE, 0x0FC5, prN}, // So [8] TIBETAN KU RU KHA..TIBETAN SYMBOL RDO RJE + {0x0FC6, 0x0FC6, prN}, // Mn TIBETAN SYMBOL PADMA GDAN + {0x0FC7, 0x0FCC, prN}, // So [6] TIBETAN SYMBOL RDO RJE RGYA GRAM..TIBETAN SYMBOL NOR BU BZHI -KHYIL + {0x0FCE, 0x0FCF, prN}, // So [2] TIBETAN SIGN RDEL NAG RDEL DKAR..TIBETAN SIGN RDEL NAG GSUM + {0x0FD0, 0x0FD4, prN}, // Po [5] TIBETAN MARK BSKA- SHOG GI MGO RGYAN..TIBETAN MARK CLOSING BRDA RNYING YIG MGO SGAB MA + {0x0FD5, 0x0FD8, prN}, // So [4] RIGHT-FACING SVASTI SIGN..LEFT-FACING SVASTI SIGN WITH DOTS + {0x0FD9, 0x0FDA, prN}, // Po [2] TIBETAN MARK LEADING MCHAN RTAGS..TIBETAN MARK TRAILING MCHAN RTAGS + {0x1000, 0x102A, prN}, // Lo [43] MYANMAR LETTER KA..MYANMAR LETTER AU + {0x102B, 0x102C, prN}, // Mc [2] MYANMAR VOWEL SIGN TALL AA..MYANMAR VOWEL SIGN AA + {0x102D, 0x1030, prN}, // Mn [4] MYANMAR VOWEL SIGN I..MYANMAR VOWEL SIGN UU + {0x1031, 0x1031, prN}, // Mc MYANMAR VOWEL SIGN E + {0x1032, 0x1037, prN}, // Mn [6] MYANMAR VOWEL SIGN AI..MYANMAR SIGN DOT BELOW + {0x1038, 0x1038, prN}, // Mc MYANMAR SIGN VISARGA + {0x1039, 0x103A, prN}, // Mn [2] MYANMAR SIGN VIRAMA..MYANMAR SIGN ASAT + {0x103B, 0x103C, prN}, // Mc [2] MYANMAR CONSONANT SIGN MEDIAL YA..MYANMAR CONSONANT SIGN MEDIAL RA + {0x103D, 0x103E, prN}, // Mn [2] MYANMAR CONSONANT SIGN MEDIAL WA..MYANMAR CONSONANT SIGN MEDIAL HA + {0x103F, 0x103F, prN}, // Lo MYANMAR LETTER GREAT SA + {0x1040, 0x1049, prN}, // Nd [10] MYANMAR DIGIT ZERO..MYANMAR DIGIT NINE + {0x104A, 0x104F, prN}, // Po [6] MYANMAR SIGN LITTLE SECTION..MYANMAR SYMBOL GENITIVE + {0x1050, 0x1055, prN}, // Lo [6] MYANMAR LETTER SHA..MYANMAR LETTER VOCALIC LL + {0x1056, 0x1057, prN}, // Mc [2] MYANMAR VOWEL SIGN VOCALIC R..MYANMAR VOWEL SIGN VOCALIC RR + {0x1058, 0x1059, prN}, // Mn [2] MYANMAR VOWEL SIGN VOCALIC L..MYANMAR VOWEL SIGN VOCALIC LL + {0x105A, 0x105D, prN}, // Lo [4] MYANMAR LETTER MON NGA..MYANMAR LETTER MON BBE + {0x105E, 0x1060, prN}, // Mn [3] MYANMAR CONSONANT SIGN MON MEDIAL NA..MYANMAR CONSONANT SIGN MON MEDIAL LA + {0x1061, 0x1061, prN}, // Lo MYANMAR LETTER SGAW KAREN SHA + {0x1062, 0x1064, prN}, // Mc [3] MYANMAR VOWEL SIGN SGAW KAREN EU..MYANMAR TONE MARK SGAW KAREN KE PHO + {0x1065, 0x1066, prN}, // Lo [2] MYANMAR LETTER WESTERN PWO KAREN THA..MYANMAR LETTER WESTERN PWO KAREN PWA + {0x1067, 0x106D, prN}, // Mc [7] MYANMAR VOWEL SIGN WESTERN PWO KAREN EU..MYANMAR SIGN WESTERN PWO KAREN TONE-5 + {0x106E, 0x1070, prN}, // Lo [3] MYANMAR LETTER EASTERN PWO KAREN NNA..MYANMAR LETTER EASTERN PWO KAREN GHWA + {0x1071, 0x1074, prN}, // Mn [4] MYANMAR VOWEL SIGN GEBA KAREN I..MYANMAR VOWEL SIGN KAYAH EE + {0x1075, 0x1081, prN}, // Lo [13] MYANMAR LETTER SHAN KA..MYANMAR LETTER SHAN HA + {0x1082, 0x1082, prN}, // Mn MYANMAR CONSONANT SIGN SHAN MEDIAL WA + {0x1083, 0x1084, prN}, // Mc [2] MYANMAR VOWEL SIGN SHAN AA..MYANMAR VOWEL SIGN SHAN E + {0x1085, 0x1086, prN}, // Mn [2] MYANMAR VOWEL SIGN SHAN E ABOVE..MYANMAR VOWEL SIGN SHAN FINAL Y + {0x1087, 0x108C, prN}, // Mc [6] MYANMAR SIGN SHAN TONE-2..MYANMAR SIGN SHAN COUNCIL TONE-3 + {0x108D, 0x108D, prN}, // Mn MYANMAR SIGN SHAN COUNCIL EMPHATIC TONE + {0x108E, 0x108E, prN}, // Lo MYANMAR LETTER RUMAI PALAUNG FA + {0x108F, 0x108F, prN}, // Mc MYANMAR SIGN RUMAI PALAUNG TONE-5 + {0x1090, 0x1099, prN}, // Nd [10] MYANMAR SHAN DIGIT ZERO..MYANMAR SHAN DIGIT NINE + {0x109A, 0x109C, prN}, // Mc [3] MYANMAR SIGN KHAMTI TONE-1..MYANMAR VOWEL SIGN AITON A + {0x109D, 0x109D, prN}, // Mn MYANMAR VOWEL SIGN AITON AI + {0x109E, 0x109F, prN}, // So [2] MYANMAR SYMBOL SHAN ONE..MYANMAR SYMBOL SHAN EXCLAMATION + {0x10A0, 0x10C5, prN}, // Lu [38] GEORGIAN CAPITAL LETTER AN..GEORGIAN CAPITAL LETTER HOE + {0x10C7, 0x10C7, prN}, // Lu GEORGIAN CAPITAL LETTER YN + {0x10CD, 0x10CD, prN}, // Lu GEORGIAN CAPITAL LETTER AEN + {0x10D0, 0x10FA, prN}, // Ll [43] GEORGIAN LETTER AN..GEORGIAN LETTER AIN + {0x10FB, 0x10FB, prN}, // Po GEORGIAN PARAGRAPH SEPARATOR + {0x10FC, 0x10FC, prN}, // Lm MODIFIER LETTER GEORGIAN NAR + {0x10FD, 0x10FF, prN}, // Ll [3] GEORGIAN LETTER AEN..GEORGIAN LETTER LABIAL SIGN + {0x1100, 0x115F, prW}, // Lo [96] HANGUL CHOSEONG KIYEOK..HANGUL CHOSEONG FILLER + {0x1160, 0x11FF, prN}, // Lo [160] HANGUL JUNGSEONG FILLER..HANGUL JONGSEONG SSANGNIEUN + {0x1200, 0x1248, prN}, // Lo [73] ETHIOPIC SYLLABLE HA..ETHIOPIC SYLLABLE QWA + {0x124A, 0x124D, prN}, // Lo [4] ETHIOPIC SYLLABLE QWI..ETHIOPIC SYLLABLE QWE + {0x1250, 0x1256, prN}, // Lo [7] ETHIOPIC SYLLABLE QHA..ETHIOPIC SYLLABLE QHO + {0x1258, 0x1258, prN}, // Lo ETHIOPIC SYLLABLE QHWA + {0x125A, 0x125D, prN}, // Lo [4] ETHIOPIC SYLLABLE QHWI..ETHIOPIC SYLLABLE QHWE + {0x1260, 0x1288, prN}, // Lo [41] ETHIOPIC SYLLABLE BA..ETHIOPIC SYLLABLE XWA + {0x128A, 0x128D, prN}, // Lo [4] ETHIOPIC SYLLABLE XWI..ETHIOPIC SYLLABLE XWE + {0x1290, 0x12B0, prN}, // Lo [33] ETHIOPIC SYLLABLE NA..ETHIOPIC SYLLABLE KWA + {0x12B2, 0x12B5, prN}, // Lo [4] ETHIOPIC SYLLABLE KWI..ETHIOPIC SYLLABLE KWE + {0x12B8, 0x12BE, prN}, // Lo [7] ETHIOPIC SYLLABLE KXA..ETHIOPIC SYLLABLE KXO + {0x12C0, 0x12C0, prN}, // Lo ETHIOPIC SYLLABLE KXWA + {0x12C2, 0x12C5, prN}, // Lo [4] ETHIOPIC SYLLABLE KXWI..ETHIOPIC SYLLABLE KXWE + {0x12C8, 0x12D6, prN}, // Lo [15] ETHIOPIC SYLLABLE WA..ETHIOPIC SYLLABLE PHARYNGEAL O + {0x12D8, 0x1310, prN}, // Lo [57] ETHIOPIC SYLLABLE ZA..ETHIOPIC SYLLABLE GWA + {0x1312, 0x1315, prN}, // Lo [4] ETHIOPIC SYLLABLE GWI..ETHIOPIC SYLLABLE GWE + {0x1318, 0x135A, prN}, // Lo [67] ETHIOPIC SYLLABLE GGA..ETHIOPIC SYLLABLE FYA + {0x135D, 0x135F, prN}, // Mn [3] ETHIOPIC COMBINING GEMINATION AND VOWEL LENGTH MARK..ETHIOPIC COMBINING GEMINATION MARK + {0x1360, 0x1368, prN}, // Po [9] ETHIOPIC SECTION MARK..ETHIOPIC PARAGRAPH SEPARATOR + {0x1369, 0x137C, prN}, // No [20] ETHIOPIC DIGIT ONE..ETHIOPIC NUMBER TEN THOUSAND + {0x1380, 0x138F, prN}, // Lo [16] ETHIOPIC SYLLABLE SEBATBEIT MWA..ETHIOPIC SYLLABLE PWE + {0x1390, 0x1399, prN}, // So [10] ETHIOPIC TONAL MARK YIZET..ETHIOPIC TONAL MARK KURT + {0x13A0, 0x13F5, prN}, // Lu [86] CHEROKEE LETTER A..CHEROKEE LETTER MV + {0x13F8, 0x13FD, prN}, // Ll [6] CHEROKEE SMALL LETTER YE..CHEROKEE SMALL LETTER MV + {0x1400, 0x1400, prN}, // Pd CANADIAN SYLLABICS HYPHEN + {0x1401, 0x166C, prN}, // Lo [620] CANADIAN SYLLABICS E..CANADIAN SYLLABICS CARRIER TTSA + {0x166D, 0x166D, prN}, // So CANADIAN SYLLABICS CHI SIGN + {0x166E, 0x166E, prN}, // Po CANADIAN SYLLABICS FULL STOP + {0x166F, 0x167F, prN}, // Lo [17] CANADIAN SYLLABICS QAI..CANADIAN SYLLABICS BLACKFOOT W + {0x1680, 0x1680, prN}, // Zs OGHAM SPACE MARK + {0x1681, 0x169A, prN}, // Lo [26] OGHAM LETTER BEITH..OGHAM LETTER PEITH + {0x169B, 0x169B, prN}, // Ps OGHAM FEATHER MARK + {0x169C, 0x169C, prN}, // Pe OGHAM REVERSED FEATHER MARK + {0x16A0, 0x16EA, prN}, // Lo [75] RUNIC LETTER FEHU FEOH FE F..RUNIC LETTER X + {0x16EB, 0x16ED, prN}, // Po [3] RUNIC SINGLE PUNCTUATION..RUNIC CROSS PUNCTUATION + {0x16EE, 0x16F0, prN}, // Nl [3] RUNIC ARLAUG SYMBOL..RUNIC BELGTHOR SYMBOL + {0x16F1, 0x16F8, prN}, // Lo [8] RUNIC LETTER K..RUNIC LETTER FRANKS CASKET AESC + {0x1700, 0x1711, prN}, // Lo [18] TAGALOG LETTER A..TAGALOG LETTER HA + {0x1712, 0x1714, prN}, // Mn [3] TAGALOG VOWEL SIGN I..TAGALOG SIGN VIRAMA + {0x1715, 0x1715, prN}, // Mc TAGALOG SIGN PAMUDPOD + {0x171F, 0x171F, prN}, // Lo TAGALOG LETTER ARCHAIC RA + {0x1720, 0x1731, prN}, // Lo [18] HANUNOO LETTER A..HANUNOO LETTER HA + {0x1732, 0x1733, prN}, // Mn [2] HANUNOO VOWEL SIGN I..HANUNOO VOWEL SIGN U + {0x1734, 0x1734, prN}, // Mc HANUNOO SIGN PAMUDPOD + {0x1735, 0x1736, prN}, // Po [2] PHILIPPINE SINGLE PUNCTUATION..PHILIPPINE DOUBLE PUNCTUATION + {0x1740, 0x1751, prN}, // Lo [18] BUHID LETTER A..BUHID LETTER HA + {0x1752, 0x1753, prN}, // Mn [2] BUHID VOWEL SIGN I..BUHID VOWEL SIGN U + {0x1760, 0x176C, prN}, // Lo [13] TAGBANWA LETTER A..TAGBANWA LETTER YA + {0x176E, 0x1770, prN}, // Lo [3] TAGBANWA LETTER LA..TAGBANWA LETTER SA + {0x1772, 0x1773, prN}, // Mn [2] TAGBANWA VOWEL SIGN I..TAGBANWA VOWEL SIGN U + {0x1780, 0x17B3, prN}, // Lo [52] KHMER LETTER KA..KHMER INDEPENDENT VOWEL QAU + {0x17B4, 0x17B5, prN}, // Mn [2] KHMER VOWEL INHERENT AQ..KHMER VOWEL INHERENT AA + {0x17B6, 0x17B6, prN}, // Mc KHMER VOWEL SIGN AA + {0x17B7, 0x17BD, prN}, // Mn [7] KHMER VOWEL SIGN I..KHMER VOWEL SIGN UA + {0x17BE, 0x17C5, prN}, // Mc [8] KHMER VOWEL SIGN OE..KHMER VOWEL SIGN AU + {0x17C6, 0x17C6, prN}, // Mn KHMER SIGN NIKAHIT + {0x17C7, 0x17C8, prN}, // Mc [2] KHMER SIGN REAHMUK..KHMER SIGN YUUKALEAPINTU + {0x17C9, 0x17D3, prN}, // Mn [11] KHMER SIGN MUUSIKATOAN..KHMER SIGN BATHAMASAT + {0x17D4, 0x17D6, prN}, // Po [3] KHMER SIGN KHAN..KHMER SIGN CAMNUC PII KUUH + {0x17D7, 0x17D7, prN}, // Lm KHMER SIGN LEK TOO + {0x17D8, 0x17DA, prN}, // Po [3] KHMER SIGN BEYYAL..KHMER SIGN KOOMUUT + {0x17DB, 0x17DB, prN}, // Sc KHMER CURRENCY SYMBOL RIEL + {0x17DC, 0x17DC, prN}, // Lo KHMER SIGN AVAKRAHASANYA + {0x17DD, 0x17DD, prN}, // Mn KHMER SIGN ATTHACAN + {0x17E0, 0x17E9, prN}, // Nd [10] KHMER DIGIT ZERO..KHMER DIGIT NINE + {0x17F0, 0x17F9, prN}, // No [10] KHMER SYMBOL LEK ATTAK SON..KHMER SYMBOL LEK ATTAK PRAM-BUON + {0x1800, 0x1805, prN}, // Po [6] MONGOLIAN BIRGA..MONGOLIAN FOUR DOTS + {0x1806, 0x1806, prN}, // Pd MONGOLIAN TODO SOFT HYPHEN + {0x1807, 0x180A, prN}, // Po [4] MONGOLIAN SIBE SYLLABLE BOUNDARY MARKER..MONGOLIAN NIRUGU + {0x180B, 0x180D, prN}, // Mn [3] MONGOLIAN FREE VARIATION SELECTOR ONE..MONGOLIAN FREE VARIATION SELECTOR THREE + {0x180E, 0x180E, prN}, // Cf MONGOLIAN VOWEL SEPARATOR + {0x180F, 0x180F, prN}, // Mn MONGOLIAN FREE VARIATION SELECTOR FOUR + {0x1810, 0x1819, prN}, // Nd [10] MONGOLIAN DIGIT ZERO..MONGOLIAN DIGIT NINE + {0x1820, 0x1842, prN}, // Lo [35] MONGOLIAN LETTER A..MONGOLIAN LETTER CHI + {0x1843, 0x1843, prN}, // Lm MONGOLIAN LETTER TODO LONG VOWEL SIGN + {0x1844, 0x1878, prN}, // Lo [53] MONGOLIAN LETTER TODO E..MONGOLIAN LETTER CHA WITH TWO DOTS + {0x1880, 0x1884, prN}, // Lo [5] MONGOLIAN LETTER ALI GALI ANUSVARA ONE..MONGOLIAN LETTER ALI GALI INVERTED UBADAMA + {0x1885, 0x1886, prN}, // Mn [2] MONGOLIAN LETTER ALI GALI BALUDA..MONGOLIAN LETTER ALI GALI THREE BALUDA + {0x1887, 0x18A8, prN}, // Lo [34] MONGOLIAN LETTER ALI GALI A..MONGOLIAN LETTER MANCHU ALI GALI BHA + {0x18A9, 0x18A9, prN}, // Mn MONGOLIAN LETTER ALI GALI DAGALGA + {0x18AA, 0x18AA, prN}, // Lo MONGOLIAN LETTER MANCHU ALI GALI LHA + {0x18B0, 0x18F5, prN}, // Lo [70] CANADIAN SYLLABICS OY..CANADIAN SYLLABICS CARRIER DENTAL S + {0x1900, 0x191E, prN}, // Lo [31] LIMBU VOWEL-CARRIER LETTER..LIMBU LETTER TRA + {0x1920, 0x1922, prN}, // Mn [3] LIMBU VOWEL SIGN A..LIMBU VOWEL SIGN U + {0x1923, 0x1926, prN}, // Mc [4] LIMBU VOWEL SIGN EE..LIMBU VOWEL SIGN AU + {0x1927, 0x1928, prN}, // Mn [2] LIMBU VOWEL SIGN E..LIMBU VOWEL SIGN O + {0x1929, 0x192B, prN}, // Mc [3] LIMBU SUBJOINED LETTER YA..LIMBU SUBJOINED LETTER WA + {0x1930, 0x1931, prN}, // Mc [2] LIMBU SMALL LETTER KA..LIMBU SMALL LETTER NGA + {0x1932, 0x1932, prN}, // Mn LIMBU SMALL LETTER ANUSVARA + {0x1933, 0x1938, prN}, // Mc [6] LIMBU SMALL LETTER TA..LIMBU SMALL LETTER LA + {0x1939, 0x193B, prN}, // Mn [3] LIMBU SIGN MUKPHRENG..LIMBU SIGN SA-I + {0x1940, 0x1940, prN}, // So LIMBU SIGN LOO + {0x1944, 0x1945, prN}, // Po [2] LIMBU EXCLAMATION MARK..LIMBU QUESTION MARK + {0x1946, 0x194F, prN}, // Nd [10] LIMBU DIGIT ZERO..LIMBU DIGIT NINE + {0x1950, 0x196D, prN}, // Lo [30] TAI LE LETTER KA..TAI LE LETTER AI + {0x1970, 0x1974, prN}, // Lo [5] TAI LE LETTER TONE-2..TAI LE LETTER TONE-6 + {0x1980, 0x19AB, prN}, // Lo [44] NEW TAI LUE LETTER HIGH QA..NEW TAI LUE LETTER LOW SUA + {0x19B0, 0x19C9, prN}, // Lo [26] NEW TAI LUE VOWEL SIGN VOWEL SHORTENER..NEW TAI LUE TONE MARK-2 + {0x19D0, 0x19D9, prN}, // Nd [10] NEW TAI LUE DIGIT ZERO..NEW TAI LUE DIGIT NINE + {0x19DA, 0x19DA, prN}, // No NEW TAI LUE THAM DIGIT ONE + {0x19DE, 0x19DF, prN}, // So [2] NEW TAI LUE SIGN LAE..NEW TAI LUE SIGN LAEV + {0x19E0, 0x19FF, prN}, // So [32] KHMER SYMBOL PATHAMASAT..KHMER SYMBOL DAP-PRAM ROC + {0x1A00, 0x1A16, prN}, // Lo [23] BUGINESE LETTER KA..BUGINESE LETTER HA + {0x1A17, 0x1A18, prN}, // Mn [2] BUGINESE VOWEL SIGN I..BUGINESE VOWEL SIGN U + {0x1A19, 0x1A1A, prN}, // Mc [2] BUGINESE VOWEL SIGN E..BUGINESE VOWEL SIGN O + {0x1A1B, 0x1A1B, prN}, // Mn BUGINESE VOWEL SIGN AE + {0x1A1E, 0x1A1F, prN}, // Po [2] BUGINESE PALLAWA..BUGINESE END OF SECTION + {0x1A20, 0x1A54, prN}, // Lo [53] TAI THAM LETTER HIGH KA..TAI THAM LETTER GREAT SA + {0x1A55, 0x1A55, prN}, // Mc TAI THAM CONSONANT SIGN MEDIAL RA + {0x1A56, 0x1A56, prN}, // Mn TAI THAM CONSONANT SIGN MEDIAL LA + {0x1A57, 0x1A57, prN}, // Mc TAI THAM CONSONANT SIGN LA TANG LAI + {0x1A58, 0x1A5E, prN}, // Mn [7] TAI THAM SIGN MAI KANG LAI..TAI THAM CONSONANT SIGN SA + {0x1A60, 0x1A60, prN}, // Mn TAI THAM SIGN SAKOT + {0x1A61, 0x1A61, prN}, // Mc TAI THAM VOWEL SIGN A + {0x1A62, 0x1A62, prN}, // Mn TAI THAM VOWEL SIGN MAI SAT + {0x1A63, 0x1A64, prN}, // Mc [2] TAI THAM VOWEL SIGN AA..TAI THAM VOWEL SIGN TALL AA + {0x1A65, 0x1A6C, prN}, // Mn [8] TAI THAM VOWEL SIGN I..TAI THAM VOWEL SIGN OA BELOW + {0x1A6D, 0x1A72, prN}, // Mc [6] TAI THAM VOWEL SIGN OY..TAI THAM VOWEL SIGN THAM AI + {0x1A73, 0x1A7C, prN}, // Mn [10] TAI THAM VOWEL SIGN OA ABOVE..TAI THAM SIGN KHUEN-LUE KARAN + {0x1A7F, 0x1A7F, prN}, // Mn TAI THAM COMBINING CRYPTOGRAMMIC DOT + {0x1A80, 0x1A89, prN}, // Nd [10] TAI THAM HORA DIGIT ZERO..TAI THAM HORA DIGIT NINE + {0x1A90, 0x1A99, prN}, // Nd [10] TAI THAM THAM DIGIT ZERO..TAI THAM THAM DIGIT NINE + {0x1AA0, 0x1AA6, prN}, // Po [7] TAI THAM SIGN WIANG..TAI THAM SIGN REVERSED ROTATED RANA + {0x1AA7, 0x1AA7, prN}, // Lm TAI THAM SIGN MAI YAMOK + {0x1AA8, 0x1AAD, prN}, // Po [6] TAI THAM SIGN KAAN..TAI THAM SIGN CAANG + {0x1AB0, 0x1ABD, prN}, // Mn [14] COMBINING DOUBLED CIRCUMFLEX ACCENT..COMBINING PARENTHESES BELOW + {0x1ABE, 0x1ABE, prN}, // Me COMBINING PARENTHESES OVERLAY + {0x1ABF, 0x1ACE, prN}, // Mn [16] COMBINING LATIN SMALL LETTER W BELOW..COMBINING LATIN SMALL LETTER INSULAR T + {0x1B00, 0x1B03, prN}, // Mn [4] BALINESE SIGN ULU RICEM..BALINESE SIGN SURANG + {0x1B04, 0x1B04, prN}, // Mc BALINESE SIGN BISAH + {0x1B05, 0x1B33, prN}, // Lo [47] BALINESE LETTER AKARA..BALINESE LETTER HA + {0x1B34, 0x1B34, prN}, // Mn BALINESE SIGN REREKAN + {0x1B35, 0x1B35, prN}, // Mc BALINESE VOWEL SIGN TEDUNG + {0x1B36, 0x1B3A, prN}, // Mn [5] BALINESE VOWEL SIGN ULU..BALINESE VOWEL SIGN RA REPA + {0x1B3B, 0x1B3B, prN}, // Mc BALINESE VOWEL SIGN RA REPA TEDUNG + {0x1B3C, 0x1B3C, prN}, // Mn BALINESE VOWEL SIGN LA LENGA + {0x1B3D, 0x1B41, prN}, // Mc [5] BALINESE VOWEL SIGN LA LENGA TEDUNG..BALINESE VOWEL SIGN TALING REPA TEDUNG + {0x1B42, 0x1B42, prN}, // Mn BALINESE VOWEL SIGN PEPET + {0x1B43, 0x1B44, prN}, // Mc [2] BALINESE VOWEL SIGN PEPET TEDUNG..BALINESE ADEG ADEG + {0x1B45, 0x1B4C, prN}, // Lo [8] BALINESE LETTER KAF SASAK..BALINESE LETTER ARCHAIC JNYA + {0x1B50, 0x1B59, prN}, // Nd [10] BALINESE DIGIT ZERO..BALINESE DIGIT NINE + {0x1B5A, 0x1B60, prN}, // Po [7] BALINESE PANTI..BALINESE PAMENENG + {0x1B61, 0x1B6A, prN}, // So [10] BALINESE MUSICAL SYMBOL DONG..BALINESE MUSICAL SYMBOL DANG GEDE + {0x1B6B, 0x1B73, prN}, // Mn [9] BALINESE MUSICAL SYMBOL COMBINING TEGEH..BALINESE MUSICAL SYMBOL COMBINING GONG + {0x1B74, 0x1B7C, prN}, // So [9] BALINESE MUSICAL SYMBOL RIGHT-HAND OPEN DUG..BALINESE MUSICAL SYMBOL LEFT-HAND OPEN PING + {0x1B7D, 0x1B7E, prN}, // Po [2] BALINESE PANTI LANTANG..BALINESE PAMADA LANTANG + {0x1B80, 0x1B81, prN}, // Mn [2] SUNDANESE SIGN PANYECEK..SUNDANESE SIGN PANGLAYAR + {0x1B82, 0x1B82, prN}, // Mc SUNDANESE SIGN PANGWISAD + {0x1B83, 0x1BA0, prN}, // Lo [30] SUNDANESE LETTER A..SUNDANESE LETTER HA + {0x1BA1, 0x1BA1, prN}, // Mc SUNDANESE CONSONANT SIGN PAMINGKAL + {0x1BA2, 0x1BA5, prN}, // Mn [4] SUNDANESE CONSONANT SIGN PANYAKRA..SUNDANESE VOWEL SIGN PANYUKU + {0x1BA6, 0x1BA7, prN}, // Mc [2] SUNDANESE VOWEL SIGN PANAELAENG..SUNDANESE VOWEL SIGN PANOLONG + {0x1BA8, 0x1BA9, prN}, // Mn [2] SUNDANESE VOWEL SIGN PAMEPET..SUNDANESE VOWEL SIGN PANEULEUNG + {0x1BAA, 0x1BAA, prN}, // Mc SUNDANESE SIGN PAMAAEH + {0x1BAB, 0x1BAD, prN}, // Mn [3] SUNDANESE SIGN VIRAMA..SUNDANESE CONSONANT SIGN PASANGAN WA + {0x1BAE, 0x1BAF, prN}, // Lo [2] SUNDANESE LETTER KHA..SUNDANESE LETTER SYA + {0x1BB0, 0x1BB9, prN}, // Nd [10] SUNDANESE DIGIT ZERO..SUNDANESE DIGIT NINE + {0x1BBA, 0x1BBF, prN}, // Lo [6] SUNDANESE AVAGRAHA..SUNDANESE LETTER FINAL M + {0x1BC0, 0x1BE5, prN}, // Lo [38] BATAK LETTER A..BATAK LETTER U + {0x1BE6, 0x1BE6, prN}, // Mn BATAK SIGN TOMPI + {0x1BE7, 0x1BE7, prN}, // Mc BATAK VOWEL SIGN E + {0x1BE8, 0x1BE9, prN}, // Mn [2] BATAK VOWEL SIGN PAKPAK E..BATAK VOWEL SIGN EE + {0x1BEA, 0x1BEC, prN}, // Mc [3] BATAK VOWEL SIGN I..BATAK VOWEL SIGN O + {0x1BED, 0x1BED, prN}, // Mn BATAK VOWEL SIGN KARO O + {0x1BEE, 0x1BEE, prN}, // Mc BATAK VOWEL SIGN U + {0x1BEF, 0x1BF1, prN}, // Mn [3] BATAK VOWEL SIGN U FOR SIMALUNGUN SA..BATAK CONSONANT SIGN H + {0x1BF2, 0x1BF3, prN}, // Mc [2] BATAK PANGOLAT..BATAK PANONGONAN + {0x1BFC, 0x1BFF, prN}, // Po [4] BATAK SYMBOL BINDU NA METEK..BATAK SYMBOL BINDU PANGOLAT + {0x1C00, 0x1C23, prN}, // Lo [36] LEPCHA LETTER KA..LEPCHA LETTER A + {0x1C24, 0x1C2B, prN}, // Mc [8] LEPCHA SUBJOINED LETTER YA..LEPCHA VOWEL SIGN UU + {0x1C2C, 0x1C33, prN}, // Mn [8] LEPCHA VOWEL SIGN E..LEPCHA CONSONANT SIGN T + {0x1C34, 0x1C35, prN}, // Mc [2] LEPCHA CONSONANT SIGN NYIN-DO..LEPCHA CONSONANT SIGN KANG + {0x1C36, 0x1C37, prN}, // Mn [2] LEPCHA SIGN RAN..LEPCHA SIGN NUKTA + {0x1C3B, 0x1C3F, prN}, // Po [5] LEPCHA PUNCTUATION TA-ROL..LEPCHA PUNCTUATION TSHOOK + {0x1C40, 0x1C49, prN}, // Nd [10] LEPCHA DIGIT ZERO..LEPCHA DIGIT NINE + {0x1C4D, 0x1C4F, prN}, // Lo [3] LEPCHA LETTER TTA..LEPCHA LETTER DDA + {0x1C50, 0x1C59, prN}, // Nd [10] OL CHIKI DIGIT ZERO..OL CHIKI DIGIT NINE + {0x1C5A, 0x1C77, prN}, // Lo [30] OL CHIKI LETTER LA..OL CHIKI LETTER OH + {0x1C78, 0x1C7D, prN}, // Lm [6] OL CHIKI MU TTUDDAG..OL CHIKI AHAD + {0x1C7E, 0x1C7F, prN}, // Po [2] OL CHIKI PUNCTUATION MUCAAD..OL CHIKI PUNCTUATION DOUBLE MUCAAD + {0x1C80, 0x1C88, prN}, // Ll [9] CYRILLIC SMALL LETTER ROUNDED VE..CYRILLIC SMALL LETTER UNBLENDED UK + {0x1C90, 0x1CBA, prN}, // Lu [43] GEORGIAN MTAVRULI CAPITAL LETTER AN..GEORGIAN MTAVRULI CAPITAL LETTER AIN + {0x1CBD, 0x1CBF, prN}, // Lu [3] GEORGIAN MTAVRULI CAPITAL LETTER AEN..GEORGIAN MTAVRULI CAPITAL LETTER LABIAL SIGN + {0x1CC0, 0x1CC7, prN}, // Po [8] SUNDANESE PUNCTUATION BINDU SURYA..SUNDANESE PUNCTUATION BINDU BA SATANGA + {0x1CD0, 0x1CD2, prN}, // Mn [3] VEDIC TONE KARSHANA..VEDIC TONE PRENKHA + {0x1CD3, 0x1CD3, prN}, // Po VEDIC SIGN NIHSHVASA + {0x1CD4, 0x1CE0, prN}, // Mn [13] VEDIC SIGN YAJURVEDIC MIDLINE SVARITA..VEDIC TONE RIGVEDIC KASHMIRI INDEPENDENT SVARITA + {0x1CE1, 0x1CE1, prN}, // Mc VEDIC TONE ATHARVAVEDIC INDEPENDENT SVARITA + {0x1CE2, 0x1CE8, prN}, // Mn [7] VEDIC SIGN VISARGA SVARITA..VEDIC SIGN VISARGA ANUDATTA WITH TAIL + {0x1CE9, 0x1CEC, prN}, // Lo [4] VEDIC SIGN ANUSVARA ANTARGOMUKHA..VEDIC SIGN ANUSVARA VAMAGOMUKHA WITH TAIL + {0x1CED, 0x1CED, prN}, // Mn VEDIC SIGN TIRYAK + {0x1CEE, 0x1CF3, prN}, // Lo [6] VEDIC SIGN HEXIFORM LONG ANUSVARA..VEDIC SIGN ROTATED ARDHAVISARGA + {0x1CF4, 0x1CF4, prN}, // Mn VEDIC TONE CANDRA ABOVE + {0x1CF5, 0x1CF6, prN}, // Lo [2] VEDIC SIGN JIHVAMULIYA..VEDIC SIGN UPADHMANIYA + {0x1CF7, 0x1CF7, prN}, // Mc VEDIC SIGN ATIKRAMA + {0x1CF8, 0x1CF9, prN}, // Mn [2] VEDIC TONE RING ABOVE..VEDIC TONE DOUBLE RING ABOVE + {0x1CFA, 0x1CFA, prN}, // Lo VEDIC SIGN DOUBLE ANUSVARA ANTARGOMUKHA + {0x1D00, 0x1D2B, prN}, // Ll [44] LATIN LETTER SMALL CAPITAL A..CYRILLIC LETTER SMALL CAPITAL EL + {0x1D2C, 0x1D6A, prN}, // Lm [63] MODIFIER LETTER CAPITAL A..GREEK SUBSCRIPT SMALL LETTER CHI + {0x1D6B, 0x1D77, prN}, // Ll [13] LATIN SMALL LETTER UE..LATIN SMALL LETTER TURNED G + {0x1D78, 0x1D78, prN}, // Lm MODIFIER LETTER CYRILLIC EN + {0x1D79, 0x1D7F, prN}, // Ll [7] LATIN SMALL LETTER INSULAR G..LATIN SMALL LETTER UPSILON WITH STROKE + {0x1D80, 0x1D9A, prN}, // Ll [27] LATIN SMALL LETTER B WITH PALATAL HOOK..LATIN SMALL LETTER EZH WITH RETROFLEX HOOK + {0x1D9B, 0x1DBF, prN}, // Lm [37] MODIFIER LETTER SMALL TURNED ALPHA..MODIFIER LETTER SMALL THETA + {0x1DC0, 0x1DFF, prN}, // Mn [64] COMBINING DOTTED GRAVE ACCENT..COMBINING RIGHT ARROWHEAD AND DOWN ARROWHEAD BELOW + {0x1E00, 0x1EFF, prN}, // L& [256] LATIN CAPITAL LETTER A WITH RING BELOW..LATIN SMALL LETTER Y WITH LOOP + {0x1F00, 0x1F15, prN}, // L& [22] GREEK SMALL LETTER ALPHA WITH PSILI..GREEK SMALL LETTER EPSILON WITH DASIA AND OXIA + {0x1F18, 0x1F1D, prN}, // Lu [6] GREEK CAPITAL LETTER EPSILON WITH PSILI..GREEK CAPITAL LETTER EPSILON WITH DASIA AND OXIA + {0x1F20, 0x1F45, prN}, // L& [38] GREEK SMALL LETTER ETA WITH PSILI..GREEK SMALL LETTER OMICRON WITH DASIA AND OXIA + {0x1F48, 0x1F4D, prN}, // Lu [6] GREEK CAPITAL LETTER OMICRON WITH PSILI..GREEK CAPITAL LETTER OMICRON WITH DASIA AND OXIA + {0x1F50, 0x1F57, prN}, // Ll [8] GREEK SMALL LETTER UPSILON WITH PSILI..GREEK SMALL LETTER UPSILON WITH DASIA AND PERISPOMENI + {0x1F59, 0x1F59, prN}, // Lu GREEK CAPITAL LETTER UPSILON WITH DASIA + {0x1F5B, 0x1F5B, prN}, // Lu GREEK CAPITAL LETTER UPSILON WITH DASIA AND VARIA + {0x1F5D, 0x1F5D, prN}, // Lu GREEK CAPITAL LETTER UPSILON WITH DASIA AND OXIA + {0x1F5F, 0x1F7D, prN}, // L& [31] GREEK CAPITAL LETTER UPSILON WITH DASIA AND PERISPOMENI..GREEK SMALL LETTER OMEGA WITH OXIA + {0x1F80, 0x1FB4, prN}, // L& [53] GREEK SMALL LETTER ALPHA WITH PSILI AND YPOGEGRAMMENI..GREEK SMALL LETTER ALPHA WITH OXIA AND YPOGEGRAMMENI + {0x1FB6, 0x1FBC, prN}, // L& [7] GREEK SMALL LETTER ALPHA WITH PERISPOMENI..GREEK CAPITAL LETTER ALPHA WITH PROSGEGRAMMENI + {0x1FBD, 0x1FBD, prN}, // Sk GREEK KORONIS + {0x1FBE, 0x1FBE, prN}, // Ll GREEK PROSGEGRAMMENI + {0x1FBF, 0x1FC1, prN}, // Sk [3] GREEK PSILI..GREEK DIALYTIKA AND PERISPOMENI + {0x1FC2, 0x1FC4, prN}, // Ll [3] GREEK SMALL LETTER ETA WITH VARIA AND YPOGEGRAMMENI..GREEK SMALL LETTER ETA WITH OXIA AND YPOGEGRAMMENI + {0x1FC6, 0x1FCC, prN}, // L& [7] GREEK SMALL LETTER ETA WITH PERISPOMENI..GREEK CAPITAL LETTER ETA WITH PROSGEGRAMMENI + {0x1FCD, 0x1FCF, prN}, // Sk [3] GREEK PSILI AND VARIA..GREEK PSILI AND PERISPOMENI + {0x1FD0, 0x1FD3, prN}, // Ll [4] GREEK SMALL LETTER IOTA WITH VRACHY..GREEK SMALL LETTER IOTA WITH DIALYTIKA AND OXIA + {0x1FD6, 0x1FDB, prN}, // L& [6] GREEK SMALL LETTER IOTA WITH PERISPOMENI..GREEK CAPITAL LETTER IOTA WITH OXIA + {0x1FDD, 0x1FDF, prN}, // Sk [3] GREEK DASIA AND VARIA..GREEK DASIA AND PERISPOMENI + {0x1FE0, 0x1FEC, prN}, // L& [13] GREEK SMALL LETTER UPSILON WITH VRACHY..GREEK CAPITAL LETTER RHO WITH DASIA + {0x1FED, 0x1FEF, prN}, // Sk [3] GREEK DIALYTIKA AND VARIA..GREEK VARIA + {0x1FF2, 0x1FF4, prN}, // Ll [3] GREEK SMALL LETTER OMEGA WITH VARIA AND YPOGEGRAMMENI..GREEK SMALL LETTER OMEGA WITH OXIA AND YPOGEGRAMMENI + {0x1FF6, 0x1FFC, prN}, // L& [7] GREEK SMALL LETTER OMEGA WITH PERISPOMENI..GREEK CAPITAL LETTER OMEGA WITH PROSGEGRAMMENI + {0x1FFD, 0x1FFE, prN}, // Sk [2] GREEK OXIA..GREEK DASIA + {0x2000, 0x200A, prN}, // Zs [11] EN QUAD..HAIR SPACE + {0x200B, 0x200F, prN}, // Cf [5] ZERO WIDTH SPACE..RIGHT-TO-LEFT MARK + {0x2010, 0x2010, prA}, // Pd HYPHEN + {0x2011, 0x2012, prN}, // Pd [2] NON-BREAKING HYPHEN..FIGURE DASH + {0x2013, 0x2015, prA}, // Pd [3] EN DASH..HORIZONTAL BAR + {0x2016, 0x2016, prA}, // Po DOUBLE VERTICAL LINE + {0x2017, 0x2017, prN}, // Po DOUBLE LOW LINE + {0x2018, 0x2018, prA}, // Pi LEFT SINGLE QUOTATION MARK + {0x2019, 0x2019, prA}, // Pf RIGHT SINGLE QUOTATION MARK + {0x201A, 0x201A, prN}, // Ps SINGLE LOW-9 QUOTATION MARK + {0x201B, 0x201B, prN}, // Pi SINGLE HIGH-REVERSED-9 QUOTATION MARK + {0x201C, 0x201C, prA}, // Pi LEFT DOUBLE QUOTATION MARK + {0x201D, 0x201D, prA}, // Pf RIGHT DOUBLE QUOTATION MARK + {0x201E, 0x201E, prN}, // Ps DOUBLE LOW-9 QUOTATION MARK + {0x201F, 0x201F, prN}, // Pi DOUBLE HIGH-REVERSED-9 QUOTATION MARK + {0x2020, 0x2022, prA}, // Po [3] DAGGER..BULLET + {0x2023, 0x2023, prN}, // Po TRIANGULAR BULLET + {0x2024, 0x2027, prA}, // Po [4] ONE DOT LEADER..HYPHENATION POINT + {0x2028, 0x2028, prN}, // Zl LINE SEPARATOR + {0x2029, 0x2029, prN}, // Zp PARAGRAPH SEPARATOR + {0x202A, 0x202E, prN}, // Cf [5] LEFT-TO-RIGHT EMBEDDING..RIGHT-TO-LEFT OVERRIDE + {0x202F, 0x202F, prN}, // Zs NARROW NO-BREAK SPACE + {0x2030, 0x2030, prA}, // Po PER MILLE SIGN + {0x2031, 0x2031, prN}, // Po PER TEN THOUSAND SIGN + {0x2032, 0x2033, prA}, // Po [2] PRIME..DOUBLE PRIME + {0x2034, 0x2034, prN}, // Po TRIPLE PRIME + {0x2035, 0x2035, prA}, // Po REVERSED PRIME + {0x2036, 0x2038, prN}, // Po [3] REVERSED DOUBLE PRIME..CARET + {0x2039, 0x2039, prN}, // Pi SINGLE LEFT-POINTING ANGLE QUOTATION MARK + {0x203A, 0x203A, prN}, // Pf SINGLE RIGHT-POINTING ANGLE QUOTATION MARK + {0x203B, 0x203B, prA}, // Po REFERENCE MARK + {0x203C, 0x203D, prN}, // Po [2] DOUBLE EXCLAMATION MARK..INTERROBANG + {0x203E, 0x203E, prA}, // Po OVERLINE + {0x203F, 0x2040, prN}, // Pc [2] UNDERTIE..CHARACTER TIE + {0x2041, 0x2043, prN}, // Po [3] CARET INSERTION POINT..HYPHEN BULLET + {0x2044, 0x2044, prN}, // Sm FRACTION SLASH + {0x2045, 0x2045, prN}, // Ps LEFT SQUARE BRACKET WITH QUILL + {0x2046, 0x2046, prN}, // Pe RIGHT SQUARE BRACKET WITH QUILL + {0x2047, 0x2051, prN}, // Po [11] DOUBLE QUESTION MARK..TWO ASTERISKS ALIGNED VERTICALLY + {0x2052, 0x2052, prN}, // Sm COMMERCIAL MINUS SIGN + {0x2053, 0x2053, prN}, // Po SWUNG DASH + {0x2054, 0x2054, prN}, // Pc INVERTED UNDERTIE + {0x2055, 0x205E, prN}, // Po [10] FLOWER PUNCTUATION MARK..VERTICAL FOUR DOTS + {0x205F, 0x205F, prN}, // Zs MEDIUM MATHEMATICAL SPACE + {0x2060, 0x2064, prN}, // Cf [5] WORD JOINER..INVISIBLE PLUS + {0x2066, 0x206F, prN}, // Cf [10] LEFT-TO-RIGHT ISOLATE..NOMINAL DIGIT SHAPES + {0x2070, 0x2070, prN}, // No SUPERSCRIPT ZERO + {0x2071, 0x2071, prN}, // Lm SUPERSCRIPT LATIN SMALL LETTER I + {0x2074, 0x2074, prA}, // No SUPERSCRIPT FOUR + {0x2075, 0x2079, prN}, // No [5] SUPERSCRIPT FIVE..SUPERSCRIPT NINE + {0x207A, 0x207C, prN}, // Sm [3] SUPERSCRIPT PLUS SIGN..SUPERSCRIPT EQUALS SIGN + {0x207D, 0x207D, prN}, // Ps SUPERSCRIPT LEFT PARENTHESIS + {0x207E, 0x207E, prN}, // Pe SUPERSCRIPT RIGHT PARENTHESIS + {0x207F, 0x207F, prA}, // Lm SUPERSCRIPT LATIN SMALL LETTER N + {0x2080, 0x2080, prN}, // No SUBSCRIPT ZERO + {0x2081, 0x2084, prA}, // No [4] SUBSCRIPT ONE..SUBSCRIPT FOUR + {0x2085, 0x2089, prN}, // No [5] SUBSCRIPT FIVE..SUBSCRIPT NINE + {0x208A, 0x208C, prN}, // Sm [3] SUBSCRIPT PLUS SIGN..SUBSCRIPT EQUALS SIGN + {0x208D, 0x208D, prN}, // Ps SUBSCRIPT LEFT PARENTHESIS + {0x208E, 0x208E, prN}, // Pe SUBSCRIPT RIGHT PARENTHESIS + {0x2090, 0x209C, prN}, // Lm [13] LATIN SUBSCRIPT SMALL LETTER A..LATIN SUBSCRIPT SMALL LETTER T + {0x20A0, 0x20A8, prN}, // Sc [9] EURO-CURRENCY SIGN..RUPEE SIGN + {0x20A9, 0x20A9, prH}, // Sc WON SIGN + {0x20AA, 0x20AB, prN}, // Sc [2] NEW SHEQEL SIGN..DONG SIGN + {0x20AC, 0x20AC, prA}, // Sc EURO SIGN + {0x20AD, 0x20C0, prN}, // Sc [20] KIP SIGN..SOM SIGN + {0x20D0, 0x20DC, prN}, // Mn [13] COMBINING LEFT HARPOON ABOVE..COMBINING FOUR DOTS ABOVE + {0x20DD, 0x20E0, prN}, // Me [4] COMBINING ENCLOSING CIRCLE..COMBINING ENCLOSING CIRCLE BACKSLASH + {0x20E1, 0x20E1, prN}, // Mn COMBINING LEFT RIGHT ARROW ABOVE + {0x20E2, 0x20E4, prN}, // Me [3] COMBINING ENCLOSING SCREEN..COMBINING ENCLOSING UPWARD POINTING TRIANGLE + {0x20E5, 0x20F0, prN}, // Mn [12] COMBINING REVERSE SOLIDUS OVERLAY..COMBINING ASTERISK ABOVE + {0x2100, 0x2101, prN}, // So [2] ACCOUNT OF..ADDRESSED TO THE SUBJECT + {0x2102, 0x2102, prN}, // Lu DOUBLE-STRUCK CAPITAL C + {0x2103, 0x2103, prA}, // So DEGREE CELSIUS + {0x2104, 0x2104, prN}, // So CENTRE LINE SYMBOL + {0x2105, 0x2105, prA}, // So CARE OF + {0x2106, 0x2106, prN}, // So CADA UNA + {0x2107, 0x2107, prN}, // Lu EULER CONSTANT + {0x2108, 0x2108, prN}, // So SCRUPLE + {0x2109, 0x2109, prA}, // So DEGREE FAHRENHEIT + {0x210A, 0x2112, prN}, // L& [9] SCRIPT SMALL G..SCRIPT CAPITAL L + {0x2113, 0x2113, prA}, // Ll SCRIPT SMALL L + {0x2114, 0x2114, prN}, // So L B BAR SYMBOL + {0x2115, 0x2115, prN}, // Lu DOUBLE-STRUCK CAPITAL N + {0x2116, 0x2116, prA}, // So NUMERO SIGN + {0x2117, 0x2117, prN}, // So SOUND RECORDING COPYRIGHT + {0x2118, 0x2118, prN}, // Sm SCRIPT CAPITAL P + {0x2119, 0x211D, prN}, // Lu [5] DOUBLE-STRUCK CAPITAL P..DOUBLE-STRUCK CAPITAL R + {0x211E, 0x2120, prN}, // So [3] PRESCRIPTION TAKE..SERVICE MARK + {0x2121, 0x2122, prA}, // So [2] TELEPHONE SIGN..TRADE MARK SIGN + {0x2123, 0x2123, prN}, // So VERSICLE + {0x2124, 0x2124, prN}, // Lu DOUBLE-STRUCK CAPITAL Z + {0x2125, 0x2125, prN}, // So OUNCE SIGN + {0x2126, 0x2126, prA}, // Lu OHM SIGN + {0x2127, 0x2127, prN}, // So INVERTED OHM SIGN + {0x2128, 0x2128, prN}, // Lu BLACK-LETTER CAPITAL Z + {0x2129, 0x2129, prN}, // So TURNED GREEK SMALL LETTER IOTA + {0x212A, 0x212A, prN}, // Lu KELVIN SIGN + {0x212B, 0x212B, prA}, // Lu ANGSTROM SIGN + {0x212C, 0x212D, prN}, // Lu [2] SCRIPT CAPITAL B..BLACK-LETTER CAPITAL C + {0x212E, 0x212E, prN}, // So ESTIMATED SYMBOL + {0x212F, 0x2134, prN}, // L& [6] SCRIPT SMALL E..SCRIPT SMALL O + {0x2135, 0x2138, prN}, // Lo [4] ALEF SYMBOL..DALET SYMBOL + {0x2139, 0x2139, prN}, // Ll INFORMATION SOURCE + {0x213A, 0x213B, prN}, // So [2] ROTATED CAPITAL Q..FACSIMILE SIGN + {0x213C, 0x213F, prN}, // L& [4] DOUBLE-STRUCK SMALL PI..DOUBLE-STRUCK CAPITAL PI + {0x2140, 0x2144, prN}, // Sm [5] DOUBLE-STRUCK N-ARY SUMMATION..TURNED SANS-SERIF CAPITAL Y + {0x2145, 0x2149, prN}, // L& [5] DOUBLE-STRUCK ITALIC CAPITAL D..DOUBLE-STRUCK ITALIC SMALL J + {0x214A, 0x214A, prN}, // So PROPERTY LINE + {0x214B, 0x214B, prN}, // Sm TURNED AMPERSAND + {0x214C, 0x214D, prN}, // So [2] PER SIGN..AKTIESELSKAB + {0x214E, 0x214E, prN}, // Ll TURNED SMALL F + {0x214F, 0x214F, prN}, // So SYMBOL FOR SAMARITAN SOURCE + {0x2150, 0x2152, prN}, // No [3] VULGAR FRACTION ONE SEVENTH..VULGAR FRACTION ONE TENTH + {0x2153, 0x2154, prA}, // No [2] VULGAR FRACTION ONE THIRD..VULGAR FRACTION TWO THIRDS + {0x2155, 0x215A, prN}, // No [6] VULGAR FRACTION ONE FIFTH..VULGAR FRACTION FIVE SIXTHS + {0x215B, 0x215E, prA}, // No [4] VULGAR FRACTION ONE EIGHTH..VULGAR FRACTION SEVEN EIGHTHS + {0x215F, 0x215F, prN}, // No FRACTION NUMERATOR ONE + {0x2160, 0x216B, prA}, // Nl [12] ROMAN NUMERAL ONE..ROMAN NUMERAL TWELVE + {0x216C, 0x216F, prN}, // Nl [4] ROMAN NUMERAL FIFTY..ROMAN NUMERAL ONE THOUSAND + {0x2170, 0x2179, prA}, // Nl [10] SMALL ROMAN NUMERAL ONE..SMALL ROMAN NUMERAL TEN + {0x217A, 0x2182, prN}, // Nl [9] SMALL ROMAN NUMERAL ELEVEN..ROMAN NUMERAL TEN THOUSAND + {0x2183, 0x2184, prN}, // L& [2] ROMAN NUMERAL REVERSED ONE HUNDRED..LATIN SMALL LETTER REVERSED C + {0x2185, 0x2188, prN}, // Nl [4] ROMAN NUMERAL SIX LATE FORM..ROMAN NUMERAL ONE HUNDRED THOUSAND + {0x2189, 0x2189, prA}, // No VULGAR FRACTION ZERO THIRDS + {0x218A, 0x218B, prN}, // So [2] TURNED DIGIT TWO..TURNED DIGIT THREE + {0x2190, 0x2194, prA}, // Sm [5] LEFTWARDS ARROW..LEFT RIGHT ARROW + {0x2195, 0x2199, prA}, // So [5] UP DOWN ARROW..SOUTH WEST ARROW + {0x219A, 0x219B, prN}, // Sm [2] LEFTWARDS ARROW WITH STROKE..RIGHTWARDS ARROW WITH STROKE + {0x219C, 0x219F, prN}, // So [4] LEFTWARDS WAVE ARROW..UPWARDS TWO HEADED ARROW + {0x21A0, 0x21A0, prN}, // Sm RIGHTWARDS TWO HEADED ARROW + {0x21A1, 0x21A2, prN}, // So [2] DOWNWARDS TWO HEADED ARROW..LEFTWARDS ARROW WITH TAIL + {0x21A3, 0x21A3, prN}, // Sm RIGHTWARDS ARROW WITH TAIL + {0x21A4, 0x21A5, prN}, // So [2] LEFTWARDS ARROW FROM BAR..UPWARDS ARROW FROM BAR + {0x21A6, 0x21A6, prN}, // Sm RIGHTWARDS ARROW FROM BAR + {0x21A7, 0x21AD, prN}, // So [7] DOWNWARDS ARROW FROM BAR..LEFT RIGHT WAVE ARROW + {0x21AE, 0x21AE, prN}, // Sm LEFT RIGHT ARROW WITH STROKE + {0x21AF, 0x21B7, prN}, // So [9] DOWNWARDS ZIGZAG ARROW..CLOCKWISE TOP SEMICIRCLE ARROW + {0x21B8, 0x21B9, prA}, // So [2] NORTH WEST ARROW TO LONG BAR..LEFTWARDS ARROW TO BAR OVER RIGHTWARDS ARROW TO BAR + {0x21BA, 0x21CD, prN}, // So [20] ANTICLOCKWISE OPEN CIRCLE ARROW..LEFTWARDS DOUBLE ARROW WITH STROKE + {0x21CE, 0x21CF, prN}, // Sm [2] LEFT RIGHT DOUBLE ARROW WITH STROKE..RIGHTWARDS DOUBLE ARROW WITH STROKE + {0x21D0, 0x21D1, prN}, // So [2] LEFTWARDS DOUBLE ARROW..UPWARDS DOUBLE ARROW + {0x21D2, 0x21D2, prA}, // Sm RIGHTWARDS DOUBLE ARROW + {0x21D3, 0x21D3, prN}, // So DOWNWARDS DOUBLE ARROW + {0x21D4, 0x21D4, prA}, // Sm LEFT RIGHT DOUBLE ARROW + {0x21D5, 0x21E6, prN}, // So [18] UP DOWN DOUBLE ARROW..LEFTWARDS WHITE ARROW + {0x21E7, 0x21E7, prA}, // So UPWARDS WHITE ARROW + {0x21E8, 0x21F3, prN}, // So [12] RIGHTWARDS WHITE ARROW..UP DOWN WHITE ARROW + {0x21F4, 0x21FF, prN}, // Sm [12] RIGHT ARROW WITH SMALL CIRCLE..LEFT RIGHT OPEN-HEADED ARROW + {0x2200, 0x2200, prA}, // Sm FOR ALL + {0x2201, 0x2201, prN}, // Sm COMPLEMENT + {0x2202, 0x2203, prA}, // Sm [2] PARTIAL DIFFERENTIAL..THERE EXISTS + {0x2204, 0x2206, prN}, // Sm [3] THERE DOES NOT EXIST..INCREMENT + {0x2207, 0x2208, prA}, // Sm [2] NABLA..ELEMENT OF + {0x2209, 0x220A, prN}, // Sm [2] NOT AN ELEMENT OF..SMALL ELEMENT OF + {0x220B, 0x220B, prA}, // Sm CONTAINS AS MEMBER + {0x220C, 0x220E, prN}, // Sm [3] DOES NOT CONTAIN AS MEMBER..END OF PROOF + {0x220F, 0x220F, prA}, // Sm N-ARY PRODUCT + {0x2210, 0x2210, prN}, // Sm N-ARY COPRODUCT + {0x2211, 0x2211, prA}, // Sm N-ARY SUMMATION + {0x2212, 0x2214, prN}, // Sm [3] MINUS SIGN..DOT PLUS + {0x2215, 0x2215, prA}, // Sm DIVISION SLASH + {0x2216, 0x2219, prN}, // Sm [4] SET MINUS..BULLET OPERATOR + {0x221A, 0x221A, prA}, // Sm SQUARE ROOT + {0x221B, 0x221C, prN}, // Sm [2] CUBE ROOT..FOURTH ROOT + {0x221D, 0x2220, prA}, // Sm [4] PROPORTIONAL TO..ANGLE + {0x2221, 0x2222, prN}, // Sm [2] MEASURED ANGLE..SPHERICAL ANGLE + {0x2223, 0x2223, prA}, // Sm DIVIDES + {0x2224, 0x2224, prN}, // Sm DOES NOT DIVIDE + {0x2225, 0x2225, prA}, // Sm PARALLEL TO + {0x2226, 0x2226, prN}, // Sm NOT PARALLEL TO + {0x2227, 0x222C, prA}, // Sm [6] LOGICAL AND..DOUBLE INTEGRAL + {0x222D, 0x222D, prN}, // Sm TRIPLE INTEGRAL + {0x222E, 0x222E, prA}, // Sm CONTOUR INTEGRAL + {0x222F, 0x2233, prN}, // Sm [5] SURFACE INTEGRAL..ANTICLOCKWISE CONTOUR INTEGRAL + {0x2234, 0x2237, prA}, // Sm [4] THEREFORE..PROPORTION + {0x2238, 0x223B, prN}, // Sm [4] DOT MINUS..HOMOTHETIC + {0x223C, 0x223D, prA}, // Sm [2] TILDE OPERATOR..REVERSED TILDE + {0x223E, 0x2247, prN}, // Sm [10] INVERTED LAZY S..NEITHER APPROXIMATELY NOR ACTUALLY EQUAL TO + {0x2248, 0x2248, prA}, // Sm ALMOST EQUAL TO + {0x2249, 0x224B, prN}, // Sm [3] NOT ALMOST EQUAL TO..TRIPLE TILDE + {0x224C, 0x224C, prA}, // Sm ALL EQUAL TO + {0x224D, 0x2251, prN}, // Sm [5] EQUIVALENT TO..GEOMETRICALLY EQUAL TO + {0x2252, 0x2252, prA}, // Sm APPROXIMATELY EQUAL TO OR THE IMAGE OF + {0x2253, 0x225F, prN}, // Sm [13] IMAGE OF OR APPROXIMATELY EQUAL TO..QUESTIONED EQUAL TO + {0x2260, 0x2261, prA}, // Sm [2] NOT EQUAL TO..IDENTICAL TO + {0x2262, 0x2263, prN}, // Sm [2] NOT IDENTICAL TO..STRICTLY EQUIVALENT TO + {0x2264, 0x2267, prA}, // Sm [4] LESS-THAN OR EQUAL TO..GREATER-THAN OVER EQUAL TO + {0x2268, 0x2269, prN}, // Sm [2] LESS-THAN BUT NOT EQUAL TO..GREATER-THAN BUT NOT EQUAL TO + {0x226A, 0x226B, prA}, // Sm [2] MUCH LESS-THAN..MUCH GREATER-THAN + {0x226C, 0x226D, prN}, // Sm [2] BETWEEN..NOT EQUIVALENT TO + {0x226E, 0x226F, prA}, // Sm [2] NOT LESS-THAN..NOT GREATER-THAN + {0x2270, 0x2281, prN}, // Sm [18] NEITHER LESS-THAN NOR EQUAL TO..DOES NOT SUCCEED + {0x2282, 0x2283, prA}, // Sm [2] SUBSET OF..SUPERSET OF + {0x2284, 0x2285, prN}, // Sm [2] NOT A SUBSET OF..NOT A SUPERSET OF + {0x2286, 0x2287, prA}, // Sm [2] SUBSET OF OR EQUAL TO..SUPERSET OF OR EQUAL TO + {0x2288, 0x2294, prN}, // Sm [13] NEITHER A SUBSET OF NOR EQUAL TO..SQUARE CUP + {0x2295, 0x2295, prA}, // Sm CIRCLED PLUS + {0x2296, 0x2298, prN}, // Sm [3] CIRCLED MINUS..CIRCLED DIVISION SLASH + {0x2299, 0x2299, prA}, // Sm CIRCLED DOT OPERATOR + {0x229A, 0x22A4, prN}, // Sm [11] CIRCLED RING OPERATOR..DOWN TACK + {0x22A5, 0x22A5, prA}, // Sm UP TACK + {0x22A6, 0x22BE, prN}, // Sm [25] ASSERTION..RIGHT ANGLE WITH ARC + {0x22BF, 0x22BF, prA}, // Sm RIGHT TRIANGLE + {0x22C0, 0x22FF, prN}, // Sm [64] N-ARY LOGICAL AND..Z NOTATION BAG MEMBERSHIP + {0x2300, 0x2307, prN}, // So [8] DIAMETER SIGN..WAVY LINE + {0x2308, 0x2308, prN}, // Ps LEFT CEILING + {0x2309, 0x2309, prN}, // Pe RIGHT CEILING + {0x230A, 0x230A, prN}, // Ps LEFT FLOOR + {0x230B, 0x230B, prN}, // Pe RIGHT FLOOR + {0x230C, 0x2311, prN}, // So [6] BOTTOM RIGHT CROP..SQUARE LOZENGE + {0x2312, 0x2312, prA}, // So ARC + {0x2313, 0x2319, prN}, // So [7] SEGMENT..TURNED NOT SIGN + {0x231A, 0x231B, prW}, // So [2] WATCH..HOURGLASS + {0x231C, 0x231F, prN}, // So [4] TOP LEFT CORNER..BOTTOM RIGHT CORNER + {0x2320, 0x2321, prN}, // Sm [2] TOP HALF INTEGRAL..BOTTOM HALF INTEGRAL + {0x2322, 0x2328, prN}, // So [7] FROWN..KEYBOARD + {0x2329, 0x2329, prW}, // Ps LEFT-POINTING ANGLE BRACKET + {0x232A, 0x232A, prW}, // Pe RIGHT-POINTING ANGLE BRACKET + {0x232B, 0x237B, prN}, // So [81] ERASE TO THE LEFT..NOT CHECK MARK + {0x237C, 0x237C, prN}, // Sm RIGHT ANGLE WITH DOWNWARDS ZIGZAG ARROW + {0x237D, 0x239A, prN}, // So [30] SHOULDERED OPEN BOX..CLEAR SCREEN SYMBOL + {0x239B, 0x23B3, prN}, // Sm [25] LEFT PARENTHESIS UPPER HOOK..SUMMATION BOTTOM + {0x23B4, 0x23DB, prN}, // So [40] TOP SQUARE BRACKET..FUSE + {0x23DC, 0x23E1, prN}, // Sm [6] TOP PARENTHESIS..BOTTOM TORTOISE SHELL BRACKET + {0x23E2, 0x23E8, prN}, // So [7] WHITE TRAPEZIUM..DECIMAL EXPONENT SYMBOL + {0x23E9, 0x23EC, prW}, // So [4] BLACK RIGHT-POINTING DOUBLE TRIANGLE..BLACK DOWN-POINTING DOUBLE TRIANGLE + {0x23ED, 0x23EF, prN}, // So [3] BLACK RIGHT-POINTING DOUBLE TRIANGLE WITH VERTICAL BAR..BLACK RIGHT-POINTING TRIANGLE WITH DOUBLE VERTICAL BAR + {0x23F0, 0x23F0, prW}, // So ALARM CLOCK + {0x23F1, 0x23F2, prN}, // So [2] STOPWATCH..TIMER CLOCK + {0x23F3, 0x23F3, prW}, // So HOURGLASS WITH FLOWING SAND + {0x23F4, 0x23FF, prN}, // So [12] BLACK MEDIUM LEFT-POINTING TRIANGLE..OBSERVER EYE SYMBOL + {0x2400, 0x2426, prN}, // So [39] SYMBOL FOR NULL..SYMBOL FOR SUBSTITUTE FORM TWO + {0x2440, 0x244A, prN}, // So [11] OCR HOOK..OCR DOUBLE BACKSLASH + {0x2460, 0x249B, prA}, // No [60] CIRCLED DIGIT ONE..NUMBER TWENTY FULL STOP + {0x249C, 0x24E9, prA}, // So [78] PARENTHESIZED LATIN SMALL LETTER A..CIRCLED LATIN SMALL LETTER Z + {0x24EA, 0x24EA, prN}, // No CIRCLED DIGIT ZERO + {0x24EB, 0x24FF, prA}, // No [21] NEGATIVE CIRCLED NUMBER ELEVEN..NEGATIVE CIRCLED DIGIT ZERO + {0x2500, 0x254B, prA}, // So [76] BOX DRAWINGS LIGHT HORIZONTAL..BOX DRAWINGS HEAVY VERTICAL AND HORIZONTAL + {0x254C, 0x254F, prN}, // So [4] BOX DRAWINGS LIGHT DOUBLE DASH HORIZONTAL..BOX DRAWINGS HEAVY DOUBLE DASH VERTICAL + {0x2550, 0x2573, prA}, // So [36] BOX DRAWINGS DOUBLE HORIZONTAL..BOX DRAWINGS LIGHT DIAGONAL CROSS + {0x2574, 0x257F, prN}, // So [12] BOX DRAWINGS LIGHT LEFT..BOX DRAWINGS HEAVY UP AND LIGHT DOWN + {0x2580, 0x258F, prA}, // So [16] UPPER HALF BLOCK..LEFT ONE EIGHTH BLOCK + {0x2590, 0x2591, prN}, // So [2] RIGHT HALF BLOCK..LIGHT SHADE + {0x2592, 0x2595, prA}, // So [4] MEDIUM SHADE..RIGHT ONE EIGHTH BLOCK + {0x2596, 0x259F, prN}, // So [10] QUADRANT LOWER LEFT..QUADRANT UPPER RIGHT AND LOWER LEFT AND LOWER RIGHT + {0x25A0, 0x25A1, prA}, // So [2] BLACK SQUARE..WHITE SQUARE + {0x25A2, 0x25A2, prN}, // So WHITE SQUARE WITH ROUNDED CORNERS + {0x25A3, 0x25A9, prA}, // So [7] WHITE SQUARE CONTAINING BLACK SMALL SQUARE..SQUARE WITH DIAGONAL CROSSHATCH FILL + {0x25AA, 0x25B1, prN}, // So [8] BLACK SMALL SQUARE..WHITE PARALLELOGRAM + {0x25B2, 0x25B3, prA}, // So [2] BLACK UP-POINTING TRIANGLE..WHITE UP-POINTING TRIANGLE + {0x25B4, 0x25B5, prN}, // So [2] BLACK UP-POINTING SMALL TRIANGLE..WHITE UP-POINTING SMALL TRIANGLE + {0x25B6, 0x25B6, prA}, // So BLACK RIGHT-POINTING TRIANGLE + {0x25B7, 0x25B7, prA}, // Sm WHITE RIGHT-POINTING TRIANGLE + {0x25B8, 0x25BB, prN}, // So [4] BLACK RIGHT-POINTING SMALL TRIANGLE..WHITE RIGHT-POINTING POINTER + {0x25BC, 0x25BD, prA}, // So [2] BLACK DOWN-POINTING TRIANGLE..WHITE DOWN-POINTING TRIANGLE + {0x25BE, 0x25BF, prN}, // So [2] BLACK DOWN-POINTING SMALL TRIANGLE..WHITE DOWN-POINTING SMALL TRIANGLE + {0x25C0, 0x25C0, prA}, // So BLACK LEFT-POINTING TRIANGLE + {0x25C1, 0x25C1, prA}, // Sm WHITE LEFT-POINTING TRIANGLE + {0x25C2, 0x25C5, prN}, // So [4] BLACK LEFT-POINTING SMALL TRIANGLE..WHITE LEFT-POINTING POINTER + {0x25C6, 0x25C8, prA}, // So [3] BLACK DIAMOND..WHITE DIAMOND CONTAINING BLACK SMALL DIAMOND + {0x25C9, 0x25CA, prN}, // So [2] FISHEYE..LOZENGE + {0x25CB, 0x25CB, prA}, // So WHITE CIRCLE + {0x25CC, 0x25CD, prN}, // So [2] DOTTED CIRCLE..CIRCLE WITH VERTICAL FILL + {0x25CE, 0x25D1, prA}, // So [4] BULLSEYE..CIRCLE WITH RIGHT HALF BLACK + {0x25D2, 0x25E1, prN}, // So [16] CIRCLE WITH LOWER HALF BLACK..LOWER HALF CIRCLE + {0x25E2, 0x25E5, prA}, // So [4] BLACK LOWER RIGHT TRIANGLE..BLACK UPPER RIGHT TRIANGLE + {0x25E6, 0x25EE, prN}, // So [9] WHITE BULLET..UP-POINTING TRIANGLE WITH RIGHT HALF BLACK + {0x25EF, 0x25EF, prA}, // So LARGE CIRCLE + {0x25F0, 0x25F7, prN}, // So [8] WHITE SQUARE WITH UPPER LEFT QUADRANT..WHITE CIRCLE WITH UPPER RIGHT QUADRANT + {0x25F8, 0x25FC, prN}, // Sm [5] UPPER LEFT TRIANGLE..BLACK MEDIUM SQUARE + {0x25FD, 0x25FE, prW}, // Sm [2] WHITE MEDIUM SMALL SQUARE..BLACK MEDIUM SMALL SQUARE + {0x25FF, 0x25FF, prN}, // Sm LOWER RIGHT TRIANGLE + {0x2600, 0x2604, prN}, // So [5] BLACK SUN WITH RAYS..COMET + {0x2605, 0x2606, prA}, // So [2] BLACK STAR..WHITE STAR + {0x2607, 0x2608, prN}, // So [2] LIGHTNING..THUNDERSTORM + {0x2609, 0x2609, prA}, // So SUN + {0x260A, 0x260D, prN}, // So [4] ASCENDING NODE..OPPOSITION + {0x260E, 0x260F, prA}, // So [2] BLACK TELEPHONE..WHITE TELEPHONE + {0x2610, 0x2613, prN}, // So [4] BALLOT BOX..SALTIRE + {0x2614, 0x2615, prW}, // So [2] UMBRELLA WITH RAIN DROPS..HOT BEVERAGE + {0x2616, 0x261B, prN}, // So [6] WHITE SHOGI PIECE..BLACK RIGHT POINTING INDEX + {0x261C, 0x261C, prA}, // So WHITE LEFT POINTING INDEX + {0x261D, 0x261D, prN}, // So WHITE UP POINTING INDEX + {0x261E, 0x261E, prA}, // So WHITE RIGHT POINTING INDEX + {0x261F, 0x263F, prN}, // So [33] WHITE DOWN POINTING INDEX..MERCURY + {0x2640, 0x2640, prA}, // So FEMALE SIGN + {0x2641, 0x2641, prN}, // So EARTH + {0x2642, 0x2642, prA}, // So MALE SIGN + {0x2643, 0x2647, prN}, // So [5] JUPITER..PLUTO + {0x2648, 0x2653, prW}, // So [12] ARIES..PISCES + {0x2654, 0x265F, prN}, // So [12] WHITE CHESS KING..BLACK CHESS PAWN + {0x2660, 0x2661, prA}, // So [2] BLACK SPADE SUIT..WHITE HEART SUIT + {0x2662, 0x2662, prN}, // So WHITE DIAMOND SUIT + {0x2663, 0x2665, prA}, // So [3] BLACK CLUB SUIT..BLACK HEART SUIT + {0x2666, 0x2666, prN}, // So BLACK DIAMOND SUIT + {0x2667, 0x266A, prA}, // So [4] WHITE CLUB SUIT..EIGHTH NOTE + {0x266B, 0x266B, prN}, // So BEAMED EIGHTH NOTES + {0x266C, 0x266D, prA}, // So [2] BEAMED SIXTEENTH NOTES..MUSIC FLAT SIGN + {0x266E, 0x266E, prN}, // So MUSIC NATURAL SIGN + {0x266F, 0x266F, prA}, // Sm MUSIC SHARP SIGN + {0x2670, 0x267E, prN}, // So [15] WEST SYRIAC CROSS..PERMANENT PAPER SIGN + {0x267F, 0x267F, prW}, // So WHEELCHAIR SYMBOL + {0x2680, 0x2692, prN}, // So [19] DIE FACE-1..HAMMER AND PICK + {0x2693, 0x2693, prW}, // So ANCHOR + {0x2694, 0x269D, prN}, // So [10] CROSSED SWORDS..OUTLINED WHITE STAR + {0x269E, 0x269F, prA}, // So [2] THREE LINES CONVERGING RIGHT..THREE LINES CONVERGING LEFT + {0x26A0, 0x26A0, prN}, // So WARNING SIGN + {0x26A1, 0x26A1, prW}, // So HIGH VOLTAGE SIGN + {0x26A2, 0x26A9, prN}, // So [8] DOUBLED FEMALE SIGN..HORIZONTAL MALE WITH STROKE SIGN + {0x26AA, 0x26AB, prW}, // So [2] MEDIUM WHITE CIRCLE..MEDIUM BLACK CIRCLE + {0x26AC, 0x26BC, prN}, // So [17] MEDIUM SMALL WHITE CIRCLE..SESQUIQUADRATE + {0x26BD, 0x26BE, prW}, // So [2] SOCCER BALL..BASEBALL + {0x26BF, 0x26BF, prA}, // So SQUARED KEY + {0x26C0, 0x26C3, prN}, // So [4] WHITE DRAUGHTS MAN..BLACK DRAUGHTS KING + {0x26C4, 0x26C5, prW}, // So [2] SNOWMAN WITHOUT SNOW..SUN BEHIND CLOUD + {0x26C6, 0x26CD, prA}, // So [8] RAIN..DISABLED CAR + {0x26CE, 0x26CE, prW}, // So OPHIUCHUS + {0x26CF, 0x26D3, prA}, // So [5] PICK..CHAINS + {0x26D4, 0x26D4, prW}, // So NO ENTRY + {0x26D5, 0x26E1, prA}, // So [13] ALTERNATE ONE-WAY LEFT WAY TRAFFIC..RESTRICTED LEFT ENTRY-2 + {0x26E2, 0x26E2, prN}, // So ASTRONOMICAL SYMBOL FOR URANUS + {0x26E3, 0x26E3, prA}, // So HEAVY CIRCLE WITH STROKE AND TWO DOTS ABOVE + {0x26E4, 0x26E7, prN}, // So [4] PENTAGRAM..INVERTED PENTAGRAM + {0x26E8, 0x26E9, prA}, // So [2] BLACK CROSS ON SHIELD..SHINTO SHRINE + {0x26EA, 0x26EA, prW}, // So CHURCH + {0x26EB, 0x26F1, prA}, // So [7] CASTLE..UMBRELLA ON GROUND + {0x26F2, 0x26F3, prW}, // So [2] FOUNTAIN..FLAG IN HOLE + {0x26F4, 0x26F4, prA}, // So FERRY + {0x26F5, 0x26F5, prW}, // So SAILBOAT + {0x26F6, 0x26F9, prA}, // So [4] SQUARE FOUR CORNERS..PERSON WITH BALL + {0x26FA, 0x26FA, prW}, // So TENT + {0x26FB, 0x26FC, prA}, // So [2] JAPANESE BANK SYMBOL..HEADSTONE GRAVEYARD SYMBOL + {0x26FD, 0x26FD, prW}, // So FUEL PUMP + {0x26FE, 0x26FF, prA}, // So [2] CUP ON BLACK SQUARE..WHITE FLAG WITH HORIZONTAL MIDDLE BLACK STRIPE + {0x2700, 0x2704, prN}, // So [5] BLACK SAFETY SCISSORS..WHITE SCISSORS + {0x2705, 0x2705, prW}, // So WHITE HEAVY CHECK MARK + {0x2706, 0x2709, prN}, // So [4] TELEPHONE LOCATION SIGN..ENVELOPE + {0x270A, 0x270B, prW}, // So [2] RAISED FIST..RAISED HAND + {0x270C, 0x2727, prN}, // So [28] VICTORY HAND..WHITE FOUR POINTED STAR + {0x2728, 0x2728, prW}, // So SPARKLES + {0x2729, 0x273C, prN}, // So [20] STRESS OUTLINED WHITE STAR..OPEN CENTRE TEARDROP-SPOKED ASTERISK + {0x273D, 0x273D, prA}, // So HEAVY TEARDROP-SPOKED ASTERISK + {0x273E, 0x274B, prN}, // So [14] SIX PETALLED BLACK AND WHITE FLORETTE..HEAVY EIGHT TEARDROP-SPOKED PROPELLER ASTERISK + {0x274C, 0x274C, prW}, // So CROSS MARK + {0x274D, 0x274D, prN}, // So SHADOWED WHITE CIRCLE + {0x274E, 0x274E, prW}, // So NEGATIVE SQUARED CROSS MARK + {0x274F, 0x2752, prN}, // So [4] LOWER RIGHT DROP-SHADOWED WHITE SQUARE..UPPER RIGHT SHADOWED WHITE SQUARE + {0x2753, 0x2755, prW}, // So [3] BLACK QUESTION MARK ORNAMENT..WHITE EXCLAMATION MARK ORNAMENT + {0x2756, 0x2756, prN}, // So BLACK DIAMOND MINUS WHITE X + {0x2757, 0x2757, prW}, // So HEAVY EXCLAMATION MARK SYMBOL + {0x2758, 0x2767, prN}, // So [16] LIGHT VERTICAL BAR..ROTATED FLORAL HEART BULLET + {0x2768, 0x2768, prN}, // Ps MEDIUM LEFT PARENTHESIS ORNAMENT + {0x2769, 0x2769, prN}, // Pe MEDIUM RIGHT PARENTHESIS ORNAMENT + {0x276A, 0x276A, prN}, // Ps MEDIUM FLATTENED LEFT PARENTHESIS ORNAMENT + {0x276B, 0x276B, prN}, // Pe MEDIUM FLATTENED RIGHT PARENTHESIS ORNAMENT + {0x276C, 0x276C, prN}, // Ps MEDIUM LEFT-POINTING ANGLE BRACKET ORNAMENT + {0x276D, 0x276D, prN}, // Pe MEDIUM RIGHT-POINTING ANGLE BRACKET ORNAMENT + {0x276E, 0x276E, prN}, // Ps HEAVY LEFT-POINTING ANGLE QUOTATION MARK ORNAMENT + {0x276F, 0x276F, prN}, // Pe HEAVY RIGHT-POINTING ANGLE QUOTATION MARK ORNAMENT + {0x2770, 0x2770, prN}, // Ps HEAVY LEFT-POINTING ANGLE BRACKET ORNAMENT + {0x2771, 0x2771, prN}, // Pe HEAVY RIGHT-POINTING ANGLE BRACKET ORNAMENT + {0x2772, 0x2772, prN}, // Ps LIGHT LEFT TORTOISE SHELL BRACKET ORNAMENT + {0x2773, 0x2773, prN}, // Pe LIGHT RIGHT TORTOISE SHELL BRACKET ORNAMENT + {0x2774, 0x2774, prN}, // Ps MEDIUM LEFT CURLY BRACKET ORNAMENT + {0x2775, 0x2775, prN}, // Pe MEDIUM RIGHT CURLY BRACKET ORNAMENT + {0x2776, 0x277F, prA}, // No [10] DINGBAT NEGATIVE CIRCLED DIGIT ONE..DINGBAT NEGATIVE CIRCLED NUMBER TEN + {0x2780, 0x2793, prN}, // No [20] DINGBAT CIRCLED SANS-SERIF DIGIT ONE..DINGBAT NEGATIVE CIRCLED SANS-SERIF NUMBER TEN + {0x2794, 0x2794, prN}, // So HEAVY WIDE-HEADED RIGHTWARDS ARROW + {0x2795, 0x2797, prW}, // So [3] HEAVY PLUS SIGN..HEAVY DIVISION SIGN + {0x2798, 0x27AF, prN}, // So [24] HEAVY SOUTH EAST ARROW..NOTCHED LOWER RIGHT-SHADOWED WHITE RIGHTWARDS ARROW + {0x27B0, 0x27B0, prW}, // So CURLY LOOP + {0x27B1, 0x27BE, prN}, // So [14] NOTCHED UPPER RIGHT-SHADOWED WHITE RIGHTWARDS ARROW..OPEN-OUTLINED RIGHTWARDS ARROW + {0x27BF, 0x27BF, prW}, // So DOUBLE CURLY LOOP + {0x27C0, 0x27C4, prN}, // Sm [5] THREE DIMENSIONAL ANGLE..OPEN SUPERSET + {0x27C5, 0x27C5, prN}, // Ps LEFT S-SHAPED BAG DELIMITER + {0x27C6, 0x27C6, prN}, // Pe RIGHT S-SHAPED BAG DELIMITER + {0x27C7, 0x27E5, prN}, // Sm [31] OR WITH DOT INSIDE..WHITE SQUARE WITH RIGHTWARDS TICK + {0x27E6, 0x27E6, prNa}, // Ps MATHEMATICAL LEFT WHITE SQUARE BRACKET + {0x27E7, 0x27E7, prNa}, // Pe MATHEMATICAL RIGHT WHITE SQUARE BRACKET + {0x27E8, 0x27E8, prNa}, // Ps MATHEMATICAL LEFT ANGLE BRACKET + {0x27E9, 0x27E9, prNa}, // Pe MATHEMATICAL RIGHT ANGLE BRACKET + {0x27EA, 0x27EA, prNa}, // Ps MATHEMATICAL LEFT DOUBLE ANGLE BRACKET + {0x27EB, 0x27EB, prNa}, // Pe MATHEMATICAL RIGHT DOUBLE ANGLE BRACKET + {0x27EC, 0x27EC, prNa}, // Ps MATHEMATICAL LEFT WHITE TORTOISE SHELL BRACKET + {0x27ED, 0x27ED, prNa}, // Pe MATHEMATICAL RIGHT WHITE TORTOISE SHELL BRACKET + {0x27EE, 0x27EE, prN}, // Ps MATHEMATICAL LEFT FLATTENED PARENTHESIS + {0x27EF, 0x27EF, prN}, // Pe MATHEMATICAL RIGHT FLATTENED PARENTHESIS + {0x27F0, 0x27FF, prN}, // Sm [16] UPWARDS QUADRUPLE ARROW..LONG RIGHTWARDS SQUIGGLE ARROW + {0x2800, 0x28FF, prN}, // So [256] BRAILLE PATTERN BLANK..BRAILLE PATTERN DOTS-12345678 + {0x2900, 0x297F, prN}, // Sm [128] RIGHTWARDS TWO-HEADED ARROW WITH VERTICAL STROKE..DOWN FISH TAIL + {0x2980, 0x2982, prN}, // Sm [3] TRIPLE VERTICAL BAR DELIMITER..Z NOTATION TYPE COLON + {0x2983, 0x2983, prN}, // Ps LEFT WHITE CURLY BRACKET + {0x2984, 0x2984, prN}, // Pe RIGHT WHITE CURLY BRACKET + {0x2985, 0x2985, prNa}, // Ps LEFT WHITE PARENTHESIS + {0x2986, 0x2986, prNa}, // Pe RIGHT WHITE PARENTHESIS + {0x2987, 0x2987, prN}, // Ps Z NOTATION LEFT IMAGE BRACKET + {0x2988, 0x2988, prN}, // Pe Z NOTATION RIGHT IMAGE BRACKET + {0x2989, 0x2989, prN}, // Ps Z NOTATION LEFT BINDING BRACKET + {0x298A, 0x298A, prN}, // Pe Z NOTATION RIGHT BINDING BRACKET + {0x298B, 0x298B, prN}, // Ps LEFT SQUARE BRACKET WITH UNDERBAR + {0x298C, 0x298C, prN}, // Pe RIGHT SQUARE BRACKET WITH UNDERBAR + {0x298D, 0x298D, prN}, // Ps LEFT SQUARE BRACKET WITH TICK IN TOP CORNER + {0x298E, 0x298E, prN}, // Pe RIGHT SQUARE BRACKET WITH TICK IN BOTTOM CORNER + {0x298F, 0x298F, prN}, // Ps LEFT SQUARE BRACKET WITH TICK IN BOTTOM CORNER + {0x2990, 0x2990, prN}, // Pe RIGHT SQUARE BRACKET WITH TICK IN TOP CORNER + {0x2991, 0x2991, prN}, // Ps LEFT ANGLE BRACKET WITH DOT + {0x2992, 0x2992, prN}, // Pe RIGHT ANGLE BRACKET WITH DOT + {0x2993, 0x2993, prN}, // Ps LEFT ARC LESS-THAN BRACKET + {0x2994, 0x2994, prN}, // Pe RIGHT ARC GREATER-THAN BRACKET + {0x2995, 0x2995, prN}, // Ps DOUBLE LEFT ARC GREATER-THAN BRACKET + {0x2996, 0x2996, prN}, // Pe DOUBLE RIGHT ARC LESS-THAN BRACKET + {0x2997, 0x2997, prN}, // Ps LEFT BLACK TORTOISE SHELL BRACKET + {0x2998, 0x2998, prN}, // Pe RIGHT BLACK TORTOISE SHELL BRACKET + {0x2999, 0x29D7, prN}, // Sm [63] DOTTED FENCE..BLACK HOURGLASS + {0x29D8, 0x29D8, prN}, // Ps LEFT WIGGLY FENCE + {0x29D9, 0x29D9, prN}, // Pe RIGHT WIGGLY FENCE + {0x29DA, 0x29DA, prN}, // Ps LEFT DOUBLE WIGGLY FENCE + {0x29DB, 0x29DB, prN}, // Pe RIGHT DOUBLE WIGGLY FENCE + {0x29DC, 0x29FB, prN}, // Sm [32] INCOMPLETE INFINITY..TRIPLE PLUS + {0x29FC, 0x29FC, prN}, // Ps LEFT-POINTING CURVED ANGLE BRACKET + {0x29FD, 0x29FD, prN}, // Pe RIGHT-POINTING CURVED ANGLE BRACKET + {0x29FE, 0x29FF, prN}, // Sm [2] TINY..MINY + {0x2A00, 0x2AFF, prN}, // Sm [256] N-ARY CIRCLED DOT OPERATOR..N-ARY WHITE VERTICAL BAR + {0x2B00, 0x2B1A, prN}, // So [27] NORTH EAST WHITE ARROW..DOTTED SQUARE + {0x2B1B, 0x2B1C, prW}, // So [2] BLACK LARGE SQUARE..WHITE LARGE SQUARE + {0x2B1D, 0x2B2F, prN}, // So [19] BLACK VERY SMALL SQUARE..WHITE VERTICAL ELLIPSE + {0x2B30, 0x2B44, prN}, // Sm [21] LEFT ARROW WITH SMALL CIRCLE..RIGHTWARDS ARROW THROUGH SUPERSET + {0x2B45, 0x2B46, prN}, // So [2] LEFTWARDS QUADRUPLE ARROW..RIGHTWARDS QUADRUPLE ARROW + {0x2B47, 0x2B4C, prN}, // Sm [6] REVERSE TILDE OPERATOR ABOVE RIGHTWARDS ARROW..RIGHTWARDS ARROW ABOVE REVERSE TILDE OPERATOR + {0x2B4D, 0x2B4F, prN}, // So [3] DOWNWARDS TRIANGLE-HEADED ZIGZAG ARROW..SHORT BACKSLANTED SOUTH ARROW + {0x2B50, 0x2B50, prW}, // So WHITE MEDIUM STAR + {0x2B51, 0x2B54, prN}, // So [4] BLACK SMALL STAR..WHITE RIGHT-POINTING PENTAGON + {0x2B55, 0x2B55, prW}, // So HEAVY LARGE CIRCLE + {0x2B56, 0x2B59, prA}, // So [4] HEAVY OVAL WITH OVAL INSIDE..HEAVY CIRCLED SALTIRE + {0x2B5A, 0x2B73, prN}, // So [26] SLANTED NORTH ARROW WITH HOOKED HEAD..DOWNWARDS TRIANGLE-HEADED ARROW TO BAR + {0x2B76, 0x2B95, prN}, // So [32] NORTH WEST TRIANGLE-HEADED ARROW TO BAR..RIGHTWARDS BLACK ARROW + {0x2B97, 0x2BFF, prN}, // So [105] SYMBOL FOR TYPE A ELECTRONICS..HELLSCHREIBER PAUSE SYMBOL + {0x2C00, 0x2C5F, prN}, // L& [96] GLAGOLITIC CAPITAL LETTER AZU..GLAGOLITIC SMALL LETTER CAUDATE CHRIVI + {0x2C60, 0x2C7B, prN}, // L& [28] LATIN CAPITAL LETTER L WITH DOUBLE BAR..LATIN LETTER SMALL CAPITAL TURNED E + {0x2C7C, 0x2C7D, prN}, // Lm [2] LATIN SUBSCRIPT SMALL LETTER J..MODIFIER LETTER CAPITAL V + {0x2C7E, 0x2C7F, prN}, // Lu [2] LATIN CAPITAL LETTER S WITH SWASH TAIL..LATIN CAPITAL LETTER Z WITH SWASH TAIL + {0x2C80, 0x2CE4, prN}, // L& [101] COPTIC CAPITAL LETTER ALFA..COPTIC SYMBOL KAI + {0x2CE5, 0x2CEA, prN}, // So [6] COPTIC SYMBOL MI RO..COPTIC SYMBOL SHIMA SIMA + {0x2CEB, 0x2CEE, prN}, // L& [4] COPTIC CAPITAL LETTER CRYPTOGRAMMIC SHEI..COPTIC SMALL LETTER CRYPTOGRAMMIC GANGIA + {0x2CEF, 0x2CF1, prN}, // Mn [3] COPTIC COMBINING NI ABOVE..COPTIC COMBINING SPIRITUS LENIS + {0x2CF2, 0x2CF3, prN}, // L& [2] COPTIC CAPITAL LETTER BOHAIRIC KHEI..COPTIC SMALL LETTER BOHAIRIC KHEI + {0x2CF9, 0x2CFC, prN}, // Po [4] COPTIC OLD NUBIAN FULL STOP..COPTIC OLD NUBIAN VERSE DIVIDER + {0x2CFD, 0x2CFD, prN}, // No COPTIC FRACTION ONE HALF + {0x2CFE, 0x2CFF, prN}, // Po [2] COPTIC FULL STOP..COPTIC MORPHOLOGICAL DIVIDER + {0x2D00, 0x2D25, prN}, // Ll [38] GEORGIAN SMALL LETTER AN..GEORGIAN SMALL LETTER HOE + {0x2D27, 0x2D27, prN}, // Ll GEORGIAN SMALL LETTER YN + {0x2D2D, 0x2D2D, prN}, // Ll GEORGIAN SMALL LETTER AEN + {0x2D30, 0x2D67, prN}, // Lo [56] TIFINAGH LETTER YA..TIFINAGH LETTER YO + {0x2D6F, 0x2D6F, prN}, // Lm TIFINAGH MODIFIER LETTER LABIALIZATION MARK + {0x2D70, 0x2D70, prN}, // Po TIFINAGH SEPARATOR MARK + {0x2D7F, 0x2D7F, prN}, // Mn TIFINAGH CONSONANT JOINER + {0x2D80, 0x2D96, prN}, // Lo [23] ETHIOPIC SYLLABLE LOA..ETHIOPIC SYLLABLE GGWE + {0x2DA0, 0x2DA6, prN}, // Lo [7] ETHIOPIC SYLLABLE SSA..ETHIOPIC SYLLABLE SSO + {0x2DA8, 0x2DAE, prN}, // Lo [7] ETHIOPIC SYLLABLE CCA..ETHIOPIC SYLLABLE CCO + {0x2DB0, 0x2DB6, prN}, // Lo [7] ETHIOPIC SYLLABLE ZZA..ETHIOPIC SYLLABLE ZZO + {0x2DB8, 0x2DBE, prN}, // Lo [7] ETHIOPIC SYLLABLE CCHA..ETHIOPIC SYLLABLE CCHO + {0x2DC0, 0x2DC6, prN}, // Lo [7] ETHIOPIC SYLLABLE QYA..ETHIOPIC SYLLABLE QYO + {0x2DC8, 0x2DCE, prN}, // Lo [7] ETHIOPIC SYLLABLE KYA..ETHIOPIC SYLLABLE KYO + {0x2DD0, 0x2DD6, prN}, // Lo [7] ETHIOPIC SYLLABLE XYA..ETHIOPIC SYLLABLE XYO + {0x2DD8, 0x2DDE, prN}, // Lo [7] ETHIOPIC SYLLABLE GYA..ETHIOPIC SYLLABLE GYO + {0x2DE0, 0x2DFF, prN}, // Mn [32] COMBINING CYRILLIC LETTER BE..COMBINING CYRILLIC LETTER IOTIFIED BIG YUS + {0x2E00, 0x2E01, prN}, // Po [2] RIGHT ANGLE SUBSTITUTION MARKER..RIGHT ANGLE DOTTED SUBSTITUTION MARKER + {0x2E02, 0x2E02, prN}, // Pi LEFT SUBSTITUTION BRACKET + {0x2E03, 0x2E03, prN}, // Pf RIGHT SUBSTITUTION BRACKET + {0x2E04, 0x2E04, prN}, // Pi LEFT DOTTED SUBSTITUTION BRACKET + {0x2E05, 0x2E05, prN}, // Pf RIGHT DOTTED SUBSTITUTION BRACKET + {0x2E06, 0x2E08, prN}, // Po [3] RAISED INTERPOLATION MARKER..DOTTED TRANSPOSITION MARKER + {0x2E09, 0x2E09, prN}, // Pi LEFT TRANSPOSITION BRACKET + {0x2E0A, 0x2E0A, prN}, // Pf RIGHT TRANSPOSITION BRACKET + {0x2E0B, 0x2E0B, prN}, // Po RAISED SQUARE + {0x2E0C, 0x2E0C, prN}, // Pi LEFT RAISED OMISSION BRACKET + {0x2E0D, 0x2E0D, prN}, // Pf RIGHT RAISED OMISSION BRACKET + {0x2E0E, 0x2E16, prN}, // Po [9] EDITORIAL CORONIS..DOTTED RIGHT-POINTING ANGLE + {0x2E17, 0x2E17, prN}, // Pd DOUBLE OBLIQUE HYPHEN + {0x2E18, 0x2E19, prN}, // Po [2] INVERTED INTERROBANG..PALM BRANCH + {0x2E1A, 0x2E1A, prN}, // Pd HYPHEN WITH DIAERESIS + {0x2E1B, 0x2E1B, prN}, // Po TILDE WITH RING ABOVE + {0x2E1C, 0x2E1C, prN}, // Pi LEFT LOW PARAPHRASE BRACKET + {0x2E1D, 0x2E1D, prN}, // Pf RIGHT LOW PARAPHRASE BRACKET + {0x2E1E, 0x2E1F, prN}, // Po [2] TILDE WITH DOT ABOVE..TILDE WITH DOT BELOW + {0x2E20, 0x2E20, prN}, // Pi LEFT VERTICAL BAR WITH QUILL + {0x2E21, 0x2E21, prN}, // Pf RIGHT VERTICAL BAR WITH QUILL + {0x2E22, 0x2E22, prN}, // Ps TOP LEFT HALF BRACKET + {0x2E23, 0x2E23, prN}, // Pe TOP RIGHT HALF BRACKET + {0x2E24, 0x2E24, prN}, // Ps BOTTOM LEFT HALF BRACKET + {0x2E25, 0x2E25, prN}, // Pe BOTTOM RIGHT HALF BRACKET + {0x2E26, 0x2E26, prN}, // Ps LEFT SIDEWAYS U BRACKET + {0x2E27, 0x2E27, prN}, // Pe RIGHT SIDEWAYS U BRACKET + {0x2E28, 0x2E28, prN}, // Ps LEFT DOUBLE PARENTHESIS + {0x2E29, 0x2E29, prN}, // Pe RIGHT DOUBLE PARENTHESIS + {0x2E2A, 0x2E2E, prN}, // Po [5] TWO DOTS OVER ONE DOT PUNCTUATION..REVERSED QUESTION MARK + {0x2E2F, 0x2E2F, prN}, // Lm VERTICAL TILDE + {0x2E30, 0x2E39, prN}, // Po [10] RING POINT..TOP HALF SECTION SIGN + {0x2E3A, 0x2E3B, prN}, // Pd [2] TWO-EM DASH..THREE-EM DASH + {0x2E3C, 0x2E3F, prN}, // Po [4] STENOGRAPHIC FULL STOP..CAPITULUM + {0x2E40, 0x2E40, prN}, // Pd DOUBLE HYPHEN + {0x2E41, 0x2E41, prN}, // Po REVERSED COMMA + {0x2E42, 0x2E42, prN}, // Ps DOUBLE LOW-REVERSED-9 QUOTATION MARK + {0x2E43, 0x2E4F, prN}, // Po [13] DASH WITH LEFT UPTURN..CORNISH VERSE DIVIDER + {0x2E50, 0x2E51, prN}, // So [2] CROSS PATTY WITH RIGHT CROSSBAR..CROSS PATTY WITH LEFT CROSSBAR + {0x2E52, 0x2E54, prN}, // Po [3] TIRONIAN SIGN CAPITAL ET..MEDIEVAL QUESTION MARK + {0x2E55, 0x2E55, prN}, // Ps LEFT SQUARE BRACKET WITH STROKE + {0x2E56, 0x2E56, prN}, // Pe RIGHT SQUARE BRACKET WITH STROKE + {0x2E57, 0x2E57, prN}, // Ps LEFT SQUARE BRACKET WITH DOUBLE STROKE + {0x2E58, 0x2E58, prN}, // Pe RIGHT SQUARE BRACKET WITH DOUBLE STROKE + {0x2E59, 0x2E59, prN}, // Ps TOP HALF LEFT PARENTHESIS + {0x2E5A, 0x2E5A, prN}, // Pe TOP HALF RIGHT PARENTHESIS + {0x2E5B, 0x2E5B, prN}, // Ps BOTTOM HALF LEFT PARENTHESIS + {0x2E5C, 0x2E5C, prN}, // Pe BOTTOM HALF RIGHT PARENTHESIS + {0x2E5D, 0x2E5D, prN}, // Pd OBLIQUE HYPHEN + {0x2E80, 0x2E99, prW}, // So [26] CJK RADICAL REPEAT..CJK RADICAL RAP + {0x2E9B, 0x2EF3, prW}, // So [89] CJK RADICAL CHOKE..CJK RADICAL C-SIMPLIFIED TURTLE + {0x2F00, 0x2FD5, prW}, // So [214] KANGXI RADICAL ONE..KANGXI RADICAL FLUTE + {0x2FF0, 0x2FFB, prW}, // So [12] IDEOGRAPHIC DESCRIPTION CHARACTER LEFT TO RIGHT..IDEOGRAPHIC DESCRIPTION CHARACTER OVERLAID + {0x3000, 0x3000, prF}, // Zs IDEOGRAPHIC SPACE + {0x3001, 0x3003, prW}, // Po [3] IDEOGRAPHIC COMMA..DITTO MARK + {0x3004, 0x3004, prW}, // So JAPANESE INDUSTRIAL STANDARD SYMBOL + {0x3005, 0x3005, prW}, // Lm IDEOGRAPHIC ITERATION MARK + {0x3006, 0x3006, prW}, // Lo IDEOGRAPHIC CLOSING MARK + {0x3007, 0x3007, prW}, // Nl IDEOGRAPHIC NUMBER ZERO + {0x3008, 0x3008, prW}, // Ps LEFT ANGLE BRACKET + {0x3009, 0x3009, prW}, // Pe RIGHT ANGLE BRACKET + {0x300A, 0x300A, prW}, // Ps LEFT DOUBLE ANGLE BRACKET + {0x300B, 0x300B, prW}, // Pe RIGHT DOUBLE ANGLE BRACKET + {0x300C, 0x300C, prW}, // Ps LEFT CORNER BRACKET + {0x300D, 0x300D, prW}, // Pe RIGHT CORNER BRACKET + {0x300E, 0x300E, prW}, // Ps LEFT WHITE CORNER BRACKET + {0x300F, 0x300F, prW}, // Pe RIGHT WHITE CORNER BRACKET + {0x3010, 0x3010, prW}, // Ps LEFT BLACK LENTICULAR BRACKET + {0x3011, 0x3011, prW}, // Pe RIGHT BLACK LENTICULAR BRACKET + {0x3012, 0x3013, prW}, // So [2] POSTAL MARK..GETA MARK + {0x3014, 0x3014, prW}, // Ps LEFT TORTOISE SHELL BRACKET + {0x3015, 0x3015, prW}, // Pe RIGHT TORTOISE SHELL BRACKET + {0x3016, 0x3016, prW}, // Ps LEFT WHITE LENTICULAR BRACKET + {0x3017, 0x3017, prW}, // Pe RIGHT WHITE LENTICULAR BRACKET + {0x3018, 0x3018, prW}, // Ps LEFT WHITE TORTOISE SHELL BRACKET + {0x3019, 0x3019, prW}, // Pe RIGHT WHITE TORTOISE SHELL BRACKET + {0x301A, 0x301A, prW}, // Ps LEFT WHITE SQUARE BRACKET + {0x301B, 0x301B, prW}, // Pe RIGHT WHITE SQUARE BRACKET + {0x301C, 0x301C, prW}, // Pd WAVE DASH + {0x301D, 0x301D, prW}, // Ps REVERSED DOUBLE PRIME QUOTATION MARK + {0x301E, 0x301F, prW}, // Pe [2] DOUBLE PRIME QUOTATION MARK..LOW DOUBLE PRIME QUOTATION MARK + {0x3020, 0x3020, prW}, // So POSTAL MARK FACE + {0x3021, 0x3029, prW}, // Nl [9] HANGZHOU NUMERAL ONE..HANGZHOU NUMERAL NINE + {0x302A, 0x302D, prW}, // Mn [4] IDEOGRAPHIC LEVEL TONE MARK..IDEOGRAPHIC ENTERING TONE MARK + {0x302E, 0x302F, prW}, // Mc [2] HANGUL SINGLE DOT TONE MARK..HANGUL DOUBLE DOT TONE MARK + {0x3030, 0x3030, prW}, // Pd WAVY DASH + {0x3031, 0x3035, prW}, // Lm [5] VERTICAL KANA REPEAT MARK..VERTICAL KANA REPEAT MARK LOWER HALF + {0x3036, 0x3037, prW}, // So [2] CIRCLED POSTAL MARK..IDEOGRAPHIC TELEGRAPH LINE FEED SEPARATOR SYMBOL + {0x3038, 0x303A, prW}, // Nl [3] HANGZHOU NUMERAL TEN..HANGZHOU NUMERAL THIRTY + {0x303B, 0x303B, prW}, // Lm VERTICAL IDEOGRAPHIC ITERATION MARK + {0x303C, 0x303C, prW}, // Lo MASU MARK + {0x303D, 0x303D, prW}, // Po PART ALTERNATION MARK + {0x303E, 0x303E, prW}, // So IDEOGRAPHIC VARIATION INDICATOR + {0x303F, 0x303F, prN}, // So IDEOGRAPHIC HALF FILL SPACE + {0x3041, 0x3096, prW}, // Lo [86] HIRAGANA LETTER SMALL A..HIRAGANA LETTER SMALL KE + {0x3099, 0x309A, prW}, // Mn [2] COMBINING KATAKANA-HIRAGANA VOICED SOUND MARK..COMBINING KATAKANA-HIRAGANA SEMI-VOICED SOUND MARK + {0x309B, 0x309C, prW}, // Sk [2] KATAKANA-HIRAGANA VOICED SOUND MARK..KATAKANA-HIRAGANA SEMI-VOICED SOUND MARK + {0x309D, 0x309E, prW}, // Lm [2] HIRAGANA ITERATION MARK..HIRAGANA VOICED ITERATION MARK + {0x309F, 0x309F, prW}, // Lo HIRAGANA DIGRAPH YORI + {0x30A0, 0x30A0, prW}, // Pd KATAKANA-HIRAGANA DOUBLE HYPHEN + {0x30A1, 0x30FA, prW}, // Lo [90] KATAKANA LETTER SMALL A..KATAKANA LETTER VO + {0x30FB, 0x30FB, prW}, // Po KATAKANA MIDDLE DOT + {0x30FC, 0x30FE, prW}, // Lm [3] KATAKANA-HIRAGANA PROLONGED SOUND MARK..KATAKANA VOICED ITERATION MARK + {0x30FF, 0x30FF, prW}, // Lo KATAKANA DIGRAPH KOTO + {0x3105, 0x312F, prW}, // Lo [43] BOPOMOFO LETTER B..BOPOMOFO LETTER NN + {0x3131, 0x318E, prW}, // Lo [94] HANGUL LETTER KIYEOK..HANGUL LETTER ARAEAE + {0x3190, 0x3191, prW}, // So [2] IDEOGRAPHIC ANNOTATION LINKING MARK..IDEOGRAPHIC ANNOTATION REVERSE MARK + {0x3192, 0x3195, prW}, // No [4] IDEOGRAPHIC ANNOTATION ONE MARK..IDEOGRAPHIC ANNOTATION FOUR MARK + {0x3196, 0x319F, prW}, // So [10] IDEOGRAPHIC ANNOTATION TOP MARK..IDEOGRAPHIC ANNOTATION MAN MARK + {0x31A0, 0x31BF, prW}, // Lo [32] BOPOMOFO LETTER BU..BOPOMOFO LETTER AH + {0x31C0, 0x31E3, prW}, // So [36] CJK STROKE T..CJK STROKE Q + {0x31F0, 0x31FF, prW}, // Lo [16] KATAKANA LETTER SMALL KU..KATAKANA LETTER SMALL RO + {0x3200, 0x321E, prW}, // So [31] PARENTHESIZED HANGUL KIYEOK..PARENTHESIZED KOREAN CHARACTER O HU + {0x3220, 0x3229, prW}, // No [10] PARENTHESIZED IDEOGRAPH ONE..PARENTHESIZED IDEOGRAPH TEN + {0x322A, 0x3247, prW}, // So [30] PARENTHESIZED IDEOGRAPH MOON..CIRCLED IDEOGRAPH KOTO + {0x3248, 0x324F, prA}, // No [8] CIRCLED NUMBER TEN ON BLACK SQUARE..CIRCLED NUMBER EIGHTY ON BLACK SQUARE + {0x3250, 0x3250, prW}, // So PARTNERSHIP SIGN + {0x3251, 0x325F, prW}, // No [15] CIRCLED NUMBER TWENTY ONE..CIRCLED NUMBER THIRTY FIVE + {0x3260, 0x327F, prW}, // So [32] CIRCLED HANGUL KIYEOK..KOREAN STANDARD SYMBOL + {0x3280, 0x3289, prW}, // No [10] CIRCLED IDEOGRAPH ONE..CIRCLED IDEOGRAPH TEN + {0x328A, 0x32B0, prW}, // So [39] CIRCLED IDEOGRAPH MOON..CIRCLED IDEOGRAPH NIGHT + {0x32B1, 0x32BF, prW}, // No [15] CIRCLED NUMBER THIRTY SIX..CIRCLED NUMBER FIFTY + {0x32C0, 0x32FF, prW}, // So [64] IDEOGRAPHIC TELEGRAPH SYMBOL FOR JANUARY..SQUARE ERA NAME REIWA + {0x3300, 0x33FF, prW}, // So [256] SQUARE APAATO..SQUARE GAL + {0x3400, 0x4DBF, prW}, // Lo [6592] CJK UNIFIED IDEOGRAPH-3400..CJK UNIFIED IDEOGRAPH-4DBF + {0x4DC0, 0x4DFF, prN}, // So [64] HEXAGRAM FOR THE CREATIVE HEAVEN..HEXAGRAM FOR BEFORE COMPLETION + {0x4E00, 0x9FFF, prW}, // Lo [20992] CJK UNIFIED IDEOGRAPH-4E00..CJK UNIFIED IDEOGRAPH-9FFF + {0xA000, 0xA014, prW}, // Lo [21] YI SYLLABLE IT..YI SYLLABLE E + {0xA015, 0xA015, prW}, // Lm YI SYLLABLE WU + {0xA016, 0xA48C, prW}, // Lo [1143] YI SYLLABLE BIT..YI SYLLABLE YYR + {0xA490, 0xA4C6, prW}, // So [55] YI RADICAL QOT..YI RADICAL KE + {0xA4D0, 0xA4F7, prN}, // Lo [40] LISU LETTER BA..LISU LETTER OE + {0xA4F8, 0xA4FD, prN}, // Lm [6] LISU LETTER TONE MYA TI..LISU LETTER TONE MYA JEU + {0xA4FE, 0xA4FF, prN}, // Po [2] LISU PUNCTUATION COMMA..LISU PUNCTUATION FULL STOP + {0xA500, 0xA60B, prN}, // Lo [268] VAI SYLLABLE EE..VAI SYLLABLE NG + {0xA60C, 0xA60C, prN}, // Lm VAI SYLLABLE LENGTHENER + {0xA60D, 0xA60F, prN}, // Po [3] VAI COMMA..VAI QUESTION MARK + {0xA610, 0xA61F, prN}, // Lo [16] VAI SYLLABLE NDOLE FA..VAI SYMBOL JONG + {0xA620, 0xA629, prN}, // Nd [10] VAI DIGIT ZERO..VAI DIGIT NINE + {0xA62A, 0xA62B, prN}, // Lo [2] VAI SYLLABLE NDOLE MA..VAI SYLLABLE NDOLE DO + {0xA640, 0xA66D, prN}, // L& [46] CYRILLIC CAPITAL LETTER ZEMLYA..CYRILLIC SMALL LETTER DOUBLE MONOCULAR O + {0xA66E, 0xA66E, prN}, // Lo CYRILLIC LETTER MULTIOCULAR O + {0xA66F, 0xA66F, prN}, // Mn COMBINING CYRILLIC VZMET + {0xA670, 0xA672, prN}, // Me [3] COMBINING CYRILLIC TEN MILLIONS SIGN..COMBINING CYRILLIC THOUSAND MILLIONS SIGN + {0xA673, 0xA673, prN}, // Po SLAVONIC ASTERISK + {0xA674, 0xA67D, prN}, // Mn [10] COMBINING CYRILLIC LETTER UKRAINIAN IE..COMBINING CYRILLIC PAYEROK + {0xA67E, 0xA67E, prN}, // Po CYRILLIC KAVYKA + {0xA67F, 0xA67F, prN}, // Lm CYRILLIC PAYEROK + {0xA680, 0xA69B, prN}, // L& [28] CYRILLIC CAPITAL LETTER DWE..CYRILLIC SMALL LETTER CROSSED O + {0xA69C, 0xA69D, prN}, // Lm [2] MODIFIER LETTER CYRILLIC HARD SIGN..MODIFIER LETTER CYRILLIC SOFT SIGN + {0xA69E, 0xA69F, prN}, // Mn [2] COMBINING CYRILLIC LETTER EF..COMBINING CYRILLIC LETTER IOTIFIED E + {0xA6A0, 0xA6E5, prN}, // Lo [70] BAMUM LETTER A..BAMUM LETTER KI + {0xA6E6, 0xA6EF, prN}, // Nl [10] BAMUM LETTER MO..BAMUM LETTER KOGHOM + {0xA6F0, 0xA6F1, prN}, // Mn [2] BAMUM COMBINING MARK KOQNDON..BAMUM COMBINING MARK TUKWENTIS + {0xA6F2, 0xA6F7, prN}, // Po [6] BAMUM NJAEMLI..BAMUM QUESTION MARK + {0xA700, 0xA716, prN}, // Sk [23] MODIFIER LETTER CHINESE TONE YIN PING..MODIFIER LETTER EXTRA-LOW LEFT-STEM TONE BAR + {0xA717, 0xA71F, prN}, // Lm [9] MODIFIER LETTER DOT VERTICAL BAR..MODIFIER LETTER LOW INVERTED EXCLAMATION MARK + {0xA720, 0xA721, prN}, // Sk [2] MODIFIER LETTER STRESS AND HIGH TONE..MODIFIER LETTER STRESS AND LOW TONE + {0xA722, 0xA76F, prN}, // L& [78] LATIN CAPITAL LETTER EGYPTOLOGICAL ALEF..LATIN SMALL LETTER CON + {0xA770, 0xA770, prN}, // Lm MODIFIER LETTER US + {0xA771, 0xA787, prN}, // L& [23] LATIN SMALL LETTER DUM..LATIN SMALL LETTER INSULAR T + {0xA788, 0xA788, prN}, // Lm MODIFIER LETTER LOW CIRCUMFLEX ACCENT + {0xA789, 0xA78A, prN}, // Sk [2] MODIFIER LETTER COLON..MODIFIER LETTER SHORT EQUALS SIGN + {0xA78B, 0xA78E, prN}, // L& [4] LATIN CAPITAL LETTER SALTILLO..LATIN SMALL LETTER L WITH RETROFLEX HOOK AND BELT + {0xA78F, 0xA78F, prN}, // Lo LATIN LETTER SINOLOGICAL DOT + {0xA790, 0xA7CA, prN}, // L& [59] LATIN CAPITAL LETTER N WITH DESCENDER..LATIN SMALL LETTER S WITH SHORT STROKE OVERLAY + {0xA7D0, 0xA7D1, prN}, // L& [2] LATIN CAPITAL LETTER CLOSED INSULAR G..LATIN SMALL LETTER CLOSED INSULAR G + {0xA7D3, 0xA7D3, prN}, // Ll LATIN SMALL LETTER DOUBLE THORN + {0xA7D5, 0xA7D9, prN}, // L& [5] LATIN SMALL LETTER DOUBLE WYNN..LATIN SMALL LETTER SIGMOID S + {0xA7F2, 0xA7F4, prN}, // Lm [3] MODIFIER LETTER CAPITAL C..MODIFIER LETTER CAPITAL Q + {0xA7F5, 0xA7F6, prN}, // L& [2] LATIN CAPITAL LETTER REVERSED HALF H..LATIN SMALL LETTER REVERSED HALF H + {0xA7F7, 0xA7F7, prN}, // Lo LATIN EPIGRAPHIC LETTER SIDEWAYS I + {0xA7F8, 0xA7F9, prN}, // Lm [2] MODIFIER LETTER CAPITAL H WITH STROKE..MODIFIER LETTER SMALL LIGATURE OE + {0xA7FA, 0xA7FA, prN}, // Ll LATIN LETTER SMALL CAPITAL TURNED M + {0xA7FB, 0xA7FF, prN}, // Lo [5] LATIN EPIGRAPHIC LETTER REVERSED F..LATIN EPIGRAPHIC LETTER ARCHAIC M + {0xA800, 0xA801, prN}, // Lo [2] SYLOTI NAGRI LETTER A..SYLOTI NAGRI LETTER I + {0xA802, 0xA802, prN}, // Mn SYLOTI NAGRI SIGN DVISVARA + {0xA803, 0xA805, prN}, // Lo [3] SYLOTI NAGRI LETTER U..SYLOTI NAGRI LETTER O + {0xA806, 0xA806, prN}, // Mn SYLOTI NAGRI SIGN HASANTA + {0xA807, 0xA80A, prN}, // Lo [4] SYLOTI NAGRI LETTER KO..SYLOTI NAGRI LETTER GHO + {0xA80B, 0xA80B, prN}, // Mn SYLOTI NAGRI SIGN ANUSVARA + {0xA80C, 0xA822, prN}, // Lo [23] SYLOTI NAGRI LETTER CO..SYLOTI NAGRI LETTER HO + {0xA823, 0xA824, prN}, // Mc [2] SYLOTI NAGRI VOWEL SIGN A..SYLOTI NAGRI VOWEL SIGN I + {0xA825, 0xA826, prN}, // Mn [2] SYLOTI NAGRI VOWEL SIGN U..SYLOTI NAGRI VOWEL SIGN E + {0xA827, 0xA827, prN}, // Mc SYLOTI NAGRI VOWEL SIGN OO + {0xA828, 0xA82B, prN}, // So [4] SYLOTI NAGRI POETRY MARK-1..SYLOTI NAGRI POETRY MARK-4 + {0xA82C, 0xA82C, prN}, // Mn SYLOTI NAGRI SIGN ALTERNATE HASANTA + {0xA830, 0xA835, prN}, // No [6] NORTH INDIC FRACTION ONE QUARTER..NORTH INDIC FRACTION THREE SIXTEENTHS + {0xA836, 0xA837, prN}, // So [2] NORTH INDIC QUARTER MARK..NORTH INDIC PLACEHOLDER MARK + {0xA838, 0xA838, prN}, // Sc NORTH INDIC RUPEE MARK + {0xA839, 0xA839, prN}, // So NORTH INDIC QUANTITY MARK + {0xA840, 0xA873, prN}, // Lo [52] PHAGS-PA LETTER KA..PHAGS-PA LETTER CANDRABINDU + {0xA874, 0xA877, prN}, // Po [4] PHAGS-PA SINGLE HEAD MARK..PHAGS-PA MARK DOUBLE SHAD + {0xA880, 0xA881, prN}, // Mc [2] SAURASHTRA SIGN ANUSVARA..SAURASHTRA SIGN VISARGA + {0xA882, 0xA8B3, prN}, // Lo [50] SAURASHTRA LETTER A..SAURASHTRA LETTER LLA + {0xA8B4, 0xA8C3, prN}, // Mc [16] SAURASHTRA CONSONANT SIGN HAARU..SAURASHTRA VOWEL SIGN AU + {0xA8C4, 0xA8C5, prN}, // Mn [2] SAURASHTRA SIGN VIRAMA..SAURASHTRA SIGN CANDRABINDU + {0xA8CE, 0xA8CF, prN}, // Po [2] SAURASHTRA DANDA..SAURASHTRA DOUBLE DANDA + {0xA8D0, 0xA8D9, prN}, // Nd [10] SAURASHTRA DIGIT ZERO..SAURASHTRA DIGIT NINE + {0xA8E0, 0xA8F1, prN}, // Mn [18] COMBINING DEVANAGARI DIGIT ZERO..COMBINING DEVANAGARI SIGN AVAGRAHA + {0xA8F2, 0xA8F7, prN}, // Lo [6] DEVANAGARI SIGN SPACING CANDRABINDU..DEVANAGARI SIGN CANDRABINDU AVAGRAHA + {0xA8F8, 0xA8FA, prN}, // Po [3] DEVANAGARI SIGN PUSHPIKA..DEVANAGARI CARET + {0xA8FB, 0xA8FB, prN}, // Lo DEVANAGARI HEADSTROKE + {0xA8FC, 0xA8FC, prN}, // Po DEVANAGARI SIGN SIDDHAM + {0xA8FD, 0xA8FE, prN}, // Lo [2] DEVANAGARI JAIN OM..DEVANAGARI LETTER AY + {0xA8FF, 0xA8FF, prN}, // Mn DEVANAGARI VOWEL SIGN AY + {0xA900, 0xA909, prN}, // Nd [10] KAYAH LI DIGIT ZERO..KAYAH LI DIGIT NINE + {0xA90A, 0xA925, prN}, // Lo [28] KAYAH LI LETTER KA..KAYAH LI LETTER OO + {0xA926, 0xA92D, prN}, // Mn [8] KAYAH LI VOWEL UE..KAYAH LI TONE CALYA PLOPHU + {0xA92E, 0xA92F, prN}, // Po [2] KAYAH LI SIGN CWI..KAYAH LI SIGN SHYA + {0xA930, 0xA946, prN}, // Lo [23] REJANG LETTER KA..REJANG LETTER A + {0xA947, 0xA951, prN}, // Mn [11] REJANG VOWEL SIGN I..REJANG CONSONANT SIGN R + {0xA952, 0xA953, prN}, // Mc [2] REJANG CONSONANT SIGN H..REJANG VIRAMA + {0xA95F, 0xA95F, prN}, // Po REJANG SECTION MARK + {0xA960, 0xA97C, prW}, // Lo [29] HANGUL CHOSEONG TIKEUT-MIEUM..HANGUL CHOSEONG SSANGYEORINHIEUH + {0xA980, 0xA982, prN}, // Mn [3] JAVANESE SIGN PANYANGGA..JAVANESE SIGN LAYAR + {0xA983, 0xA983, prN}, // Mc JAVANESE SIGN WIGNYAN + {0xA984, 0xA9B2, prN}, // Lo [47] JAVANESE LETTER A..JAVANESE LETTER HA + {0xA9B3, 0xA9B3, prN}, // Mn JAVANESE SIGN CECAK TELU + {0xA9B4, 0xA9B5, prN}, // Mc [2] JAVANESE VOWEL SIGN TARUNG..JAVANESE VOWEL SIGN TOLONG + {0xA9B6, 0xA9B9, prN}, // Mn [4] JAVANESE VOWEL SIGN WULU..JAVANESE VOWEL SIGN SUKU MENDUT + {0xA9BA, 0xA9BB, prN}, // Mc [2] JAVANESE VOWEL SIGN TALING..JAVANESE VOWEL SIGN DIRGA MURE + {0xA9BC, 0xA9BD, prN}, // Mn [2] JAVANESE VOWEL SIGN PEPET..JAVANESE CONSONANT SIGN KERET + {0xA9BE, 0xA9C0, prN}, // Mc [3] JAVANESE CONSONANT SIGN PENGKAL..JAVANESE PANGKON + {0xA9C1, 0xA9CD, prN}, // Po [13] JAVANESE LEFT RERENGGAN..JAVANESE TURNED PADA PISELEH + {0xA9CF, 0xA9CF, prN}, // Lm JAVANESE PANGRANGKEP + {0xA9D0, 0xA9D9, prN}, // Nd [10] JAVANESE DIGIT ZERO..JAVANESE DIGIT NINE + {0xA9DE, 0xA9DF, prN}, // Po [2] JAVANESE PADA TIRTA TUMETES..JAVANESE PADA ISEN-ISEN + {0xA9E0, 0xA9E4, prN}, // Lo [5] MYANMAR LETTER SHAN GHA..MYANMAR LETTER SHAN BHA + {0xA9E5, 0xA9E5, prN}, // Mn MYANMAR SIGN SHAN SAW + {0xA9E6, 0xA9E6, prN}, // Lm MYANMAR MODIFIER LETTER SHAN REDUPLICATION + {0xA9E7, 0xA9EF, prN}, // Lo [9] MYANMAR LETTER TAI LAING NYA..MYANMAR LETTER TAI LAING NNA + {0xA9F0, 0xA9F9, prN}, // Nd [10] MYANMAR TAI LAING DIGIT ZERO..MYANMAR TAI LAING DIGIT NINE + {0xA9FA, 0xA9FE, prN}, // Lo [5] MYANMAR LETTER TAI LAING LLA..MYANMAR LETTER TAI LAING BHA + {0xAA00, 0xAA28, prN}, // Lo [41] CHAM LETTER A..CHAM LETTER HA + {0xAA29, 0xAA2E, prN}, // Mn [6] CHAM VOWEL SIGN AA..CHAM VOWEL SIGN OE + {0xAA2F, 0xAA30, prN}, // Mc [2] CHAM VOWEL SIGN O..CHAM VOWEL SIGN AI + {0xAA31, 0xAA32, prN}, // Mn [2] CHAM VOWEL SIGN AU..CHAM VOWEL SIGN UE + {0xAA33, 0xAA34, prN}, // Mc [2] CHAM CONSONANT SIGN YA..CHAM CONSONANT SIGN RA + {0xAA35, 0xAA36, prN}, // Mn [2] CHAM CONSONANT SIGN LA..CHAM CONSONANT SIGN WA + {0xAA40, 0xAA42, prN}, // Lo [3] CHAM LETTER FINAL K..CHAM LETTER FINAL NG + {0xAA43, 0xAA43, prN}, // Mn CHAM CONSONANT SIGN FINAL NG + {0xAA44, 0xAA4B, prN}, // Lo [8] CHAM LETTER FINAL CH..CHAM LETTER FINAL SS + {0xAA4C, 0xAA4C, prN}, // Mn CHAM CONSONANT SIGN FINAL M + {0xAA4D, 0xAA4D, prN}, // Mc CHAM CONSONANT SIGN FINAL H + {0xAA50, 0xAA59, prN}, // Nd [10] CHAM DIGIT ZERO..CHAM DIGIT NINE + {0xAA5C, 0xAA5F, prN}, // Po [4] CHAM PUNCTUATION SPIRAL..CHAM PUNCTUATION TRIPLE DANDA + {0xAA60, 0xAA6F, prN}, // Lo [16] MYANMAR LETTER KHAMTI GA..MYANMAR LETTER KHAMTI FA + {0xAA70, 0xAA70, prN}, // Lm MYANMAR MODIFIER LETTER KHAMTI REDUPLICATION + {0xAA71, 0xAA76, prN}, // Lo [6] MYANMAR LETTER KHAMTI XA..MYANMAR LOGOGRAM KHAMTI HM + {0xAA77, 0xAA79, prN}, // So [3] MYANMAR SYMBOL AITON EXCLAMATION..MYANMAR SYMBOL AITON TWO + {0xAA7A, 0xAA7A, prN}, // Lo MYANMAR LETTER AITON RA + {0xAA7B, 0xAA7B, prN}, // Mc MYANMAR SIGN PAO KAREN TONE + {0xAA7C, 0xAA7C, prN}, // Mn MYANMAR SIGN TAI LAING TONE-2 + {0xAA7D, 0xAA7D, prN}, // Mc MYANMAR SIGN TAI LAING TONE-5 + {0xAA7E, 0xAA7F, prN}, // Lo [2] MYANMAR LETTER SHWE PALAUNG CHA..MYANMAR LETTER SHWE PALAUNG SHA + {0xAA80, 0xAAAF, prN}, // Lo [48] TAI VIET LETTER LOW KO..TAI VIET LETTER HIGH O + {0xAAB0, 0xAAB0, prN}, // Mn TAI VIET MAI KANG + {0xAAB1, 0xAAB1, prN}, // Lo TAI VIET VOWEL AA + {0xAAB2, 0xAAB4, prN}, // Mn [3] TAI VIET VOWEL I..TAI VIET VOWEL U + {0xAAB5, 0xAAB6, prN}, // Lo [2] TAI VIET VOWEL E..TAI VIET VOWEL O + {0xAAB7, 0xAAB8, prN}, // Mn [2] TAI VIET MAI KHIT..TAI VIET VOWEL IA + {0xAAB9, 0xAABD, prN}, // Lo [5] TAI VIET VOWEL UEA..TAI VIET VOWEL AN + {0xAABE, 0xAABF, prN}, // Mn [2] TAI VIET VOWEL AM..TAI VIET TONE MAI EK + {0xAAC0, 0xAAC0, prN}, // Lo TAI VIET TONE MAI NUENG + {0xAAC1, 0xAAC1, prN}, // Mn TAI VIET TONE MAI THO + {0xAAC2, 0xAAC2, prN}, // Lo TAI VIET TONE MAI SONG + {0xAADB, 0xAADC, prN}, // Lo [2] TAI VIET SYMBOL KON..TAI VIET SYMBOL NUENG + {0xAADD, 0xAADD, prN}, // Lm TAI VIET SYMBOL SAM + {0xAADE, 0xAADF, prN}, // Po [2] TAI VIET SYMBOL HO HOI..TAI VIET SYMBOL KOI KOI + {0xAAE0, 0xAAEA, prN}, // Lo [11] MEETEI MAYEK LETTER E..MEETEI MAYEK LETTER SSA + {0xAAEB, 0xAAEB, prN}, // Mc MEETEI MAYEK VOWEL SIGN II + {0xAAEC, 0xAAED, prN}, // Mn [2] MEETEI MAYEK VOWEL SIGN UU..MEETEI MAYEK VOWEL SIGN AAI + {0xAAEE, 0xAAEF, prN}, // Mc [2] MEETEI MAYEK VOWEL SIGN AU..MEETEI MAYEK VOWEL SIGN AAU + {0xAAF0, 0xAAF1, prN}, // Po [2] MEETEI MAYEK CHEIKHAN..MEETEI MAYEK AHANG KHUDAM + {0xAAF2, 0xAAF2, prN}, // Lo MEETEI MAYEK ANJI + {0xAAF3, 0xAAF4, prN}, // Lm [2] MEETEI MAYEK SYLLABLE REPETITION MARK..MEETEI MAYEK WORD REPETITION MARK + {0xAAF5, 0xAAF5, prN}, // Mc MEETEI MAYEK VOWEL SIGN VISARGA + {0xAAF6, 0xAAF6, prN}, // Mn MEETEI MAYEK VIRAMA + {0xAB01, 0xAB06, prN}, // Lo [6] ETHIOPIC SYLLABLE TTHU..ETHIOPIC SYLLABLE TTHO + {0xAB09, 0xAB0E, prN}, // Lo [6] ETHIOPIC SYLLABLE DDHU..ETHIOPIC SYLLABLE DDHO + {0xAB11, 0xAB16, prN}, // Lo [6] ETHIOPIC SYLLABLE DZU..ETHIOPIC SYLLABLE DZO + {0xAB20, 0xAB26, prN}, // Lo [7] ETHIOPIC SYLLABLE CCHHA..ETHIOPIC SYLLABLE CCHHO + {0xAB28, 0xAB2E, prN}, // Lo [7] ETHIOPIC SYLLABLE BBA..ETHIOPIC SYLLABLE BBO + {0xAB30, 0xAB5A, prN}, // Ll [43] LATIN SMALL LETTER BARRED ALPHA..LATIN SMALL LETTER Y WITH SHORT RIGHT LEG + {0xAB5B, 0xAB5B, prN}, // Sk MODIFIER BREVE WITH INVERTED BREVE + {0xAB5C, 0xAB5F, prN}, // Lm [4] MODIFIER LETTER SMALL HENG..MODIFIER LETTER SMALL U WITH LEFT HOOK + {0xAB60, 0xAB68, prN}, // Ll [9] LATIN SMALL LETTER SAKHA YAT..LATIN SMALL LETTER TURNED R WITH MIDDLE TILDE + {0xAB69, 0xAB69, prN}, // Lm MODIFIER LETTER SMALL TURNED W + {0xAB6A, 0xAB6B, prN}, // Sk [2] MODIFIER LETTER LEFT TACK..MODIFIER LETTER RIGHT TACK + {0xAB70, 0xABBF, prN}, // Ll [80] CHEROKEE SMALL LETTER A..CHEROKEE SMALL LETTER YA + {0xABC0, 0xABE2, prN}, // Lo [35] MEETEI MAYEK LETTER KOK..MEETEI MAYEK LETTER I LONSUM + {0xABE3, 0xABE4, prN}, // Mc [2] MEETEI MAYEK VOWEL SIGN ONAP..MEETEI MAYEK VOWEL SIGN INAP + {0xABE5, 0xABE5, prN}, // Mn MEETEI MAYEK VOWEL SIGN ANAP + {0xABE6, 0xABE7, prN}, // Mc [2] MEETEI MAYEK VOWEL SIGN YENAP..MEETEI MAYEK VOWEL SIGN SOUNAP + {0xABE8, 0xABE8, prN}, // Mn MEETEI MAYEK VOWEL SIGN UNAP + {0xABE9, 0xABEA, prN}, // Mc [2] MEETEI MAYEK VOWEL SIGN CHEINAP..MEETEI MAYEK VOWEL SIGN NUNG + {0xABEB, 0xABEB, prN}, // Po MEETEI MAYEK CHEIKHEI + {0xABEC, 0xABEC, prN}, // Mc MEETEI MAYEK LUM IYEK + {0xABED, 0xABED, prN}, // Mn MEETEI MAYEK APUN IYEK + {0xABF0, 0xABF9, prN}, // Nd [10] MEETEI MAYEK DIGIT ZERO..MEETEI MAYEK DIGIT NINE + {0xAC00, 0xD7A3, prW}, // Lo [11172] HANGUL SYLLABLE GA..HANGUL SYLLABLE HIH + {0xD7B0, 0xD7C6, prN}, // Lo [23] HANGUL JUNGSEONG O-YEO..HANGUL JUNGSEONG ARAEA-E + {0xD7CB, 0xD7FB, prN}, // Lo [49] HANGUL JONGSEONG NIEUN-RIEUL..HANGUL JONGSEONG PHIEUPH-THIEUTH + {0xD800, 0xDB7F, prN}, // Cs [896] .. + {0xDB80, 0xDBFF, prN}, // Cs [128] .. + {0xDC00, 0xDFFF, prN}, // Cs [1024] .. + {0xE000, 0xF8FF, prA}, // Co [6400] .. + {0xF900, 0xFA6D, prW}, // Lo [366] CJK COMPATIBILITY IDEOGRAPH-F900..CJK COMPATIBILITY IDEOGRAPH-FA6D + {0xFA6E, 0xFA6F, prW}, // Cn [2] .. + {0xFA70, 0xFAD9, prW}, // Lo [106] CJK COMPATIBILITY IDEOGRAPH-FA70..CJK COMPATIBILITY IDEOGRAPH-FAD9 + {0xFADA, 0xFAFF, prW}, // Cn [38] .. + {0xFB00, 0xFB06, prN}, // Ll [7] LATIN SMALL LIGATURE FF..LATIN SMALL LIGATURE ST + {0xFB13, 0xFB17, prN}, // Ll [5] ARMENIAN SMALL LIGATURE MEN NOW..ARMENIAN SMALL LIGATURE MEN XEH + {0xFB1D, 0xFB1D, prN}, // Lo HEBREW LETTER YOD WITH HIRIQ + {0xFB1E, 0xFB1E, prN}, // Mn HEBREW POINT JUDEO-SPANISH VARIKA + {0xFB1F, 0xFB28, prN}, // Lo [10] HEBREW LIGATURE YIDDISH YOD YOD PATAH..HEBREW LETTER WIDE TAV + {0xFB29, 0xFB29, prN}, // Sm HEBREW LETTER ALTERNATIVE PLUS SIGN + {0xFB2A, 0xFB36, prN}, // Lo [13] HEBREW LETTER SHIN WITH SHIN DOT..HEBREW LETTER ZAYIN WITH DAGESH + {0xFB38, 0xFB3C, prN}, // Lo [5] HEBREW LETTER TET WITH DAGESH..HEBREW LETTER LAMED WITH DAGESH + {0xFB3E, 0xFB3E, prN}, // Lo HEBREW LETTER MEM WITH DAGESH + {0xFB40, 0xFB41, prN}, // Lo [2] HEBREW LETTER NUN WITH DAGESH..HEBREW LETTER SAMEKH WITH DAGESH + {0xFB43, 0xFB44, prN}, // Lo [2] HEBREW LETTER FINAL PE WITH DAGESH..HEBREW LETTER PE WITH DAGESH + {0xFB46, 0xFB4F, prN}, // Lo [10] HEBREW LETTER TSADI WITH DAGESH..HEBREW LIGATURE ALEF LAMED + {0xFB50, 0xFBB1, prN}, // Lo [98] ARABIC LETTER ALEF WASLA ISOLATED FORM..ARABIC LETTER YEH BARREE WITH HAMZA ABOVE FINAL FORM + {0xFBB2, 0xFBC2, prN}, // Sk [17] ARABIC SYMBOL DOT ABOVE..ARABIC SYMBOL WASLA ABOVE + {0xFBD3, 0xFD3D, prN}, // Lo [363] ARABIC LETTER NG ISOLATED FORM..ARABIC LIGATURE ALEF WITH FATHATAN ISOLATED FORM + {0xFD3E, 0xFD3E, prN}, // Pe ORNATE LEFT PARENTHESIS + {0xFD3F, 0xFD3F, prN}, // Ps ORNATE RIGHT PARENTHESIS + {0xFD40, 0xFD4F, prN}, // So [16] ARABIC LIGATURE RAHIMAHU ALLAAH..ARABIC LIGATURE RAHIMAHUM ALLAAH + {0xFD50, 0xFD8F, prN}, // Lo [64] ARABIC LIGATURE TEH WITH JEEM WITH MEEM INITIAL FORM..ARABIC LIGATURE MEEM WITH KHAH WITH MEEM INITIAL FORM + {0xFD92, 0xFDC7, prN}, // Lo [54] ARABIC LIGATURE MEEM WITH JEEM WITH KHAH INITIAL FORM..ARABIC LIGATURE NOON WITH JEEM WITH YEH FINAL FORM + {0xFDCF, 0xFDCF, prN}, // So ARABIC LIGATURE SALAAMUHU ALAYNAA + {0xFDF0, 0xFDFB, prN}, // Lo [12] ARABIC LIGATURE SALLA USED AS KORANIC STOP SIGN ISOLATED FORM..ARABIC LIGATURE JALLAJALALOUHOU + {0xFDFC, 0xFDFC, prN}, // Sc RIAL SIGN + {0xFDFD, 0xFDFF, prN}, // So [3] ARABIC LIGATURE BISMILLAH AR-RAHMAN AR-RAHEEM..ARABIC LIGATURE AZZA WA JALL + {0xFE00, 0xFE0F, prA}, // Mn [16] VARIATION SELECTOR-1..VARIATION SELECTOR-16 + {0xFE10, 0xFE16, prW}, // Po [7] PRESENTATION FORM FOR VERTICAL COMMA..PRESENTATION FORM FOR VERTICAL QUESTION MARK + {0xFE17, 0xFE17, prW}, // Ps PRESENTATION FORM FOR VERTICAL LEFT WHITE LENTICULAR BRACKET + {0xFE18, 0xFE18, prW}, // Pe PRESENTATION FORM FOR VERTICAL RIGHT WHITE LENTICULAR BRAKCET + {0xFE19, 0xFE19, prW}, // Po PRESENTATION FORM FOR VERTICAL HORIZONTAL ELLIPSIS + {0xFE20, 0xFE2F, prN}, // Mn [16] COMBINING LIGATURE LEFT HALF..COMBINING CYRILLIC TITLO RIGHT HALF + {0xFE30, 0xFE30, prW}, // Po PRESENTATION FORM FOR VERTICAL TWO DOT LEADER + {0xFE31, 0xFE32, prW}, // Pd [2] PRESENTATION FORM FOR VERTICAL EM DASH..PRESENTATION FORM FOR VERTICAL EN DASH + {0xFE33, 0xFE34, prW}, // Pc [2] PRESENTATION FORM FOR VERTICAL LOW LINE..PRESENTATION FORM FOR VERTICAL WAVY LOW LINE + {0xFE35, 0xFE35, prW}, // Ps PRESENTATION FORM FOR VERTICAL LEFT PARENTHESIS + {0xFE36, 0xFE36, prW}, // Pe PRESENTATION FORM FOR VERTICAL RIGHT PARENTHESIS + {0xFE37, 0xFE37, prW}, // Ps PRESENTATION FORM FOR VERTICAL LEFT CURLY BRACKET + {0xFE38, 0xFE38, prW}, // Pe PRESENTATION FORM FOR VERTICAL RIGHT CURLY BRACKET + {0xFE39, 0xFE39, prW}, // Ps PRESENTATION FORM FOR VERTICAL LEFT TORTOISE SHELL BRACKET + {0xFE3A, 0xFE3A, prW}, // Pe PRESENTATION FORM FOR VERTICAL RIGHT TORTOISE SHELL BRACKET + {0xFE3B, 0xFE3B, prW}, // Ps PRESENTATION FORM FOR VERTICAL LEFT BLACK LENTICULAR BRACKET + {0xFE3C, 0xFE3C, prW}, // Pe PRESENTATION FORM FOR VERTICAL RIGHT BLACK LENTICULAR BRACKET + {0xFE3D, 0xFE3D, prW}, // Ps PRESENTATION FORM FOR VERTICAL LEFT DOUBLE ANGLE BRACKET + {0xFE3E, 0xFE3E, prW}, // Pe PRESENTATION FORM FOR VERTICAL RIGHT DOUBLE ANGLE BRACKET + {0xFE3F, 0xFE3F, prW}, // Ps PRESENTATION FORM FOR VERTICAL LEFT ANGLE BRACKET + {0xFE40, 0xFE40, prW}, // Pe PRESENTATION FORM FOR VERTICAL RIGHT ANGLE BRACKET + {0xFE41, 0xFE41, prW}, // Ps PRESENTATION FORM FOR VERTICAL LEFT CORNER BRACKET + {0xFE42, 0xFE42, prW}, // Pe PRESENTATION FORM FOR VERTICAL RIGHT CORNER BRACKET + {0xFE43, 0xFE43, prW}, // Ps PRESENTATION FORM FOR VERTICAL LEFT WHITE CORNER BRACKET + {0xFE44, 0xFE44, prW}, // Pe PRESENTATION FORM FOR VERTICAL RIGHT WHITE CORNER BRACKET + {0xFE45, 0xFE46, prW}, // Po [2] SESAME DOT..WHITE SESAME DOT + {0xFE47, 0xFE47, prW}, // Ps PRESENTATION FORM FOR VERTICAL LEFT SQUARE BRACKET + {0xFE48, 0xFE48, prW}, // Pe PRESENTATION FORM FOR VERTICAL RIGHT SQUARE BRACKET + {0xFE49, 0xFE4C, prW}, // Po [4] DASHED OVERLINE..DOUBLE WAVY OVERLINE + {0xFE4D, 0xFE4F, prW}, // Pc [3] DASHED LOW LINE..WAVY LOW LINE + {0xFE50, 0xFE52, prW}, // Po [3] SMALL COMMA..SMALL FULL STOP + {0xFE54, 0xFE57, prW}, // Po [4] SMALL SEMICOLON..SMALL EXCLAMATION MARK + {0xFE58, 0xFE58, prW}, // Pd SMALL EM DASH + {0xFE59, 0xFE59, prW}, // Ps SMALL LEFT PARENTHESIS + {0xFE5A, 0xFE5A, prW}, // Pe SMALL RIGHT PARENTHESIS + {0xFE5B, 0xFE5B, prW}, // Ps SMALL LEFT CURLY BRACKET + {0xFE5C, 0xFE5C, prW}, // Pe SMALL RIGHT CURLY BRACKET + {0xFE5D, 0xFE5D, prW}, // Ps SMALL LEFT TORTOISE SHELL BRACKET + {0xFE5E, 0xFE5E, prW}, // Pe SMALL RIGHT TORTOISE SHELL BRACKET + {0xFE5F, 0xFE61, prW}, // Po [3] SMALL NUMBER SIGN..SMALL ASTERISK + {0xFE62, 0xFE62, prW}, // Sm SMALL PLUS SIGN + {0xFE63, 0xFE63, prW}, // Pd SMALL HYPHEN-MINUS + {0xFE64, 0xFE66, prW}, // Sm [3] SMALL LESS-THAN SIGN..SMALL EQUALS SIGN + {0xFE68, 0xFE68, prW}, // Po SMALL REVERSE SOLIDUS + {0xFE69, 0xFE69, prW}, // Sc SMALL DOLLAR SIGN + {0xFE6A, 0xFE6B, prW}, // Po [2] SMALL PERCENT SIGN..SMALL COMMERCIAL AT + {0xFE70, 0xFE74, prN}, // Lo [5] ARABIC FATHATAN ISOLATED FORM..ARABIC KASRATAN ISOLATED FORM + {0xFE76, 0xFEFC, prN}, // Lo [135] ARABIC FATHA ISOLATED FORM..ARABIC LIGATURE LAM WITH ALEF FINAL FORM + {0xFEFF, 0xFEFF, prN}, // Cf ZERO WIDTH NO-BREAK SPACE + {0xFF01, 0xFF03, prF}, // Po [3] FULLWIDTH EXCLAMATION MARK..FULLWIDTH NUMBER SIGN + {0xFF04, 0xFF04, prF}, // Sc FULLWIDTH DOLLAR SIGN + {0xFF05, 0xFF07, prF}, // Po [3] FULLWIDTH PERCENT SIGN..FULLWIDTH APOSTROPHE + {0xFF08, 0xFF08, prF}, // Ps FULLWIDTH LEFT PARENTHESIS + {0xFF09, 0xFF09, prF}, // Pe FULLWIDTH RIGHT PARENTHESIS + {0xFF0A, 0xFF0A, prF}, // Po FULLWIDTH ASTERISK + {0xFF0B, 0xFF0B, prF}, // Sm FULLWIDTH PLUS SIGN + {0xFF0C, 0xFF0C, prF}, // Po FULLWIDTH COMMA + {0xFF0D, 0xFF0D, prF}, // Pd FULLWIDTH HYPHEN-MINUS + {0xFF0E, 0xFF0F, prF}, // Po [2] FULLWIDTH FULL STOP..FULLWIDTH SOLIDUS + {0xFF10, 0xFF19, prF}, // Nd [10] FULLWIDTH DIGIT ZERO..FULLWIDTH DIGIT NINE + {0xFF1A, 0xFF1B, prF}, // Po [2] FULLWIDTH COLON..FULLWIDTH SEMICOLON + {0xFF1C, 0xFF1E, prF}, // Sm [3] FULLWIDTH LESS-THAN SIGN..FULLWIDTH GREATER-THAN SIGN + {0xFF1F, 0xFF20, prF}, // Po [2] FULLWIDTH QUESTION MARK..FULLWIDTH COMMERCIAL AT + {0xFF21, 0xFF3A, prF}, // Lu [26] FULLWIDTH LATIN CAPITAL LETTER A..FULLWIDTH LATIN CAPITAL LETTER Z + {0xFF3B, 0xFF3B, prF}, // Ps FULLWIDTH LEFT SQUARE BRACKET + {0xFF3C, 0xFF3C, prF}, // Po FULLWIDTH REVERSE SOLIDUS + {0xFF3D, 0xFF3D, prF}, // Pe FULLWIDTH RIGHT SQUARE BRACKET + {0xFF3E, 0xFF3E, prF}, // Sk FULLWIDTH CIRCUMFLEX ACCENT + {0xFF3F, 0xFF3F, prF}, // Pc FULLWIDTH LOW LINE + {0xFF40, 0xFF40, prF}, // Sk FULLWIDTH GRAVE ACCENT + {0xFF41, 0xFF5A, prF}, // Ll [26] FULLWIDTH LATIN SMALL LETTER A..FULLWIDTH LATIN SMALL LETTER Z + {0xFF5B, 0xFF5B, prF}, // Ps FULLWIDTH LEFT CURLY BRACKET + {0xFF5C, 0xFF5C, prF}, // Sm FULLWIDTH VERTICAL LINE + {0xFF5D, 0xFF5D, prF}, // Pe FULLWIDTH RIGHT CURLY BRACKET + {0xFF5E, 0xFF5E, prF}, // Sm FULLWIDTH TILDE + {0xFF5F, 0xFF5F, prF}, // Ps FULLWIDTH LEFT WHITE PARENTHESIS + {0xFF60, 0xFF60, prF}, // Pe FULLWIDTH RIGHT WHITE PARENTHESIS + {0xFF61, 0xFF61, prH}, // Po HALFWIDTH IDEOGRAPHIC FULL STOP + {0xFF62, 0xFF62, prH}, // Ps HALFWIDTH LEFT CORNER BRACKET + {0xFF63, 0xFF63, prH}, // Pe HALFWIDTH RIGHT CORNER BRACKET + {0xFF64, 0xFF65, prH}, // Po [2] HALFWIDTH IDEOGRAPHIC COMMA..HALFWIDTH KATAKANA MIDDLE DOT + {0xFF66, 0xFF6F, prH}, // Lo [10] HALFWIDTH KATAKANA LETTER WO..HALFWIDTH KATAKANA LETTER SMALL TU + {0xFF70, 0xFF70, prH}, // Lm HALFWIDTH KATAKANA-HIRAGANA PROLONGED SOUND MARK + {0xFF71, 0xFF9D, prH}, // Lo [45] HALFWIDTH KATAKANA LETTER A..HALFWIDTH KATAKANA LETTER N + {0xFF9E, 0xFF9F, prH}, // Lm [2] HALFWIDTH KATAKANA VOICED SOUND MARK..HALFWIDTH KATAKANA SEMI-VOICED SOUND MARK + {0xFFA0, 0xFFBE, prH}, // Lo [31] HALFWIDTH HANGUL FILLER..HALFWIDTH HANGUL LETTER HIEUH + {0xFFC2, 0xFFC7, prH}, // Lo [6] HALFWIDTH HANGUL LETTER A..HALFWIDTH HANGUL LETTER E + {0xFFCA, 0xFFCF, prH}, // Lo [6] HALFWIDTH HANGUL LETTER YEO..HALFWIDTH HANGUL LETTER OE + {0xFFD2, 0xFFD7, prH}, // Lo [6] HALFWIDTH HANGUL LETTER YO..HALFWIDTH HANGUL LETTER YU + {0xFFDA, 0xFFDC, prH}, // Lo [3] HALFWIDTH HANGUL LETTER EU..HALFWIDTH HANGUL LETTER I + {0xFFE0, 0xFFE1, prF}, // Sc [2] FULLWIDTH CENT SIGN..FULLWIDTH POUND SIGN + {0xFFE2, 0xFFE2, prF}, // Sm FULLWIDTH NOT SIGN + {0xFFE3, 0xFFE3, prF}, // Sk FULLWIDTH MACRON + {0xFFE4, 0xFFE4, prF}, // So FULLWIDTH BROKEN BAR + {0xFFE5, 0xFFE6, prF}, // Sc [2] FULLWIDTH YEN SIGN..FULLWIDTH WON SIGN + {0xFFE8, 0xFFE8, prH}, // So HALFWIDTH FORMS LIGHT VERTICAL + {0xFFE9, 0xFFEC, prH}, // Sm [4] HALFWIDTH LEFTWARDS ARROW..HALFWIDTH DOWNWARDS ARROW + {0xFFED, 0xFFEE, prH}, // So [2] HALFWIDTH BLACK SQUARE..HALFWIDTH WHITE CIRCLE + {0xFFF9, 0xFFFB, prN}, // Cf [3] INTERLINEAR ANNOTATION ANCHOR..INTERLINEAR ANNOTATION TERMINATOR + {0xFFFC, 0xFFFC, prN}, // So OBJECT REPLACEMENT CHARACTER + {0xFFFD, 0xFFFD, prA}, // So REPLACEMENT CHARACTER + {0x10000, 0x1000B, prN}, // Lo [12] LINEAR B SYLLABLE B008 A..LINEAR B SYLLABLE B046 JE + {0x1000D, 0x10026, prN}, // Lo [26] LINEAR B SYLLABLE B036 JO..LINEAR B SYLLABLE B032 QO + {0x10028, 0x1003A, prN}, // Lo [19] LINEAR B SYLLABLE B060 RA..LINEAR B SYLLABLE B042 WO + {0x1003C, 0x1003D, prN}, // Lo [2] LINEAR B SYLLABLE B017 ZA..LINEAR B SYLLABLE B074 ZE + {0x1003F, 0x1004D, prN}, // Lo [15] LINEAR B SYLLABLE B020 ZO..LINEAR B SYLLABLE B091 TWO + {0x10050, 0x1005D, prN}, // Lo [14] LINEAR B SYMBOL B018..LINEAR B SYMBOL B089 + {0x10080, 0x100FA, prN}, // Lo [123] LINEAR B IDEOGRAM B100 MAN..LINEAR B IDEOGRAM VESSEL B305 + {0x10100, 0x10102, prN}, // Po [3] AEGEAN WORD SEPARATOR LINE..AEGEAN CHECK MARK + {0x10107, 0x10133, prN}, // No [45] AEGEAN NUMBER ONE..AEGEAN NUMBER NINETY THOUSAND + {0x10137, 0x1013F, prN}, // So [9] AEGEAN WEIGHT BASE UNIT..AEGEAN MEASURE THIRD SUBUNIT + {0x10140, 0x10174, prN}, // Nl [53] GREEK ACROPHONIC ATTIC ONE QUARTER..GREEK ACROPHONIC STRATIAN FIFTY MNAS + {0x10175, 0x10178, prN}, // No [4] GREEK ONE HALF SIGN..GREEK THREE QUARTERS SIGN + {0x10179, 0x10189, prN}, // So [17] GREEK YEAR SIGN..GREEK TRYBLION BASE SIGN + {0x1018A, 0x1018B, prN}, // No [2] GREEK ZERO SIGN..GREEK ONE QUARTER SIGN + {0x1018C, 0x1018E, prN}, // So [3] GREEK SINUSOID SIGN..NOMISMA SIGN + {0x10190, 0x1019C, prN}, // So [13] ROMAN SEXTANS SIGN..ASCIA SYMBOL + {0x101A0, 0x101A0, prN}, // So GREEK SYMBOL TAU RHO + {0x101D0, 0x101FC, prN}, // So [45] PHAISTOS DISC SIGN PEDESTRIAN..PHAISTOS DISC SIGN WAVY BAND + {0x101FD, 0x101FD, prN}, // Mn PHAISTOS DISC SIGN COMBINING OBLIQUE STROKE + {0x10280, 0x1029C, prN}, // Lo [29] LYCIAN LETTER A..LYCIAN LETTER X + {0x102A0, 0x102D0, prN}, // Lo [49] CARIAN LETTER A..CARIAN LETTER UUU3 + {0x102E0, 0x102E0, prN}, // Mn COPTIC EPACT THOUSANDS MARK + {0x102E1, 0x102FB, prN}, // No [27] COPTIC EPACT DIGIT ONE..COPTIC EPACT NUMBER NINE HUNDRED + {0x10300, 0x1031F, prN}, // Lo [32] OLD ITALIC LETTER A..OLD ITALIC LETTER ESS + {0x10320, 0x10323, prN}, // No [4] OLD ITALIC NUMERAL ONE..OLD ITALIC NUMERAL FIFTY + {0x1032D, 0x1032F, prN}, // Lo [3] OLD ITALIC LETTER YE..OLD ITALIC LETTER SOUTHERN TSE + {0x10330, 0x10340, prN}, // Lo [17] GOTHIC LETTER AHSA..GOTHIC LETTER PAIRTHRA + {0x10341, 0x10341, prN}, // Nl GOTHIC LETTER NINETY + {0x10342, 0x10349, prN}, // Lo [8] GOTHIC LETTER RAIDA..GOTHIC LETTER OTHAL + {0x1034A, 0x1034A, prN}, // Nl GOTHIC LETTER NINE HUNDRED + {0x10350, 0x10375, prN}, // Lo [38] OLD PERMIC LETTER AN..OLD PERMIC LETTER IA + {0x10376, 0x1037A, prN}, // Mn [5] COMBINING OLD PERMIC LETTER AN..COMBINING OLD PERMIC LETTER SII + {0x10380, 0x1039D, prN}, // Lo [30] UGARITIC LETTER ALPA..UGARITIC LETTER SSU + {0x1039F, 0x1039F, prN}, // Po UGARITIC WORD DIVIDER + {0x103A0, 0x103C3, prN}, // Lo [36] OLD PERSIAN SIGN A..OLD PERSIAN SIGN HA + {0x103C8, 0x103CF, prN}, // Lo [8] OLD PERSIAN SIGN AURAMAZDAA..OLD PERSIAN SIGN BUUMISH + {0x103D0, 0x103D0, prN}, // Po OLD PERSIAN WORD DIVIDER + {0x103D1, 0x103D5, prN}, // Nl [5] OLD PERSIAN NUMBER ONE..OLD PERSIAN NUMBER HUNDRED + {0x10400, 0x1044F, prN}, // L& [80] DESERET CAPITAL LETTER LONG I..DESERET SMALL LETTER EW + {0x10450, 0x1047F, prN}, // Lo [48] SHAVIAN LETTER PEEP..SHAVIAN LETTER YEW + {0x10480, 0x1049D, prN}, // Lo [30] OSMANYA LETTER ALEF..OSMANYA LETTER OO + {0x104A0, 0x104A9, prN}, // Nd [10] OSMANYA DIGIT ZERO..OSMANYA DIGIT NINE + {0x104B0, 0x104D3, prN}, // Lu [36] OSAGE CAPITAL LETTER A..OSAGE CAPITAL LETTER ZHA + {0x104D8, 0x104FB, prN}, // Ll [36] OSAGE SMALL LETTER A..OSAGE SMALL LETTER ZHA + {0x10500, 0x10527, prN}, // Lo [40] ELBASAN LETTER A..ELBASAN LETTER KHE + {0x10530, 0x10563, prN}, // Lo [52] CAUCASIAN ALBANIAN LETTER ALT..CAUCASIAN ALBANIAN LETTER KIW + {0x1056F, 0x1056F, prN}, // Po CAUCASIAN ALBANIAN CITATION MARK + {0x10570, 0x1057A, prN}, // Lu [11] VITHKUQI CAPITAL LETTER A..VITHKUQI CAPITAL LETTER GA + {0x1057C, 0x1058A, prN}, // Lu [15] VITHKUQI CAPITAL LETTER HA..VITHKUQI CAPITAL LETTER RE + {0x1058C, 0x10592, prN}, // Lu [7] VITHKUQI CAPITAL LETTER SE..VITHKUQI CAPITAL LETTER XE + {0x10594, 0x10595, prN}, // Lu [2] VITHKUQI CAPITAL LETTER Y..VITHKUQI CAPITAL LETTER ZE + {0x10597, 0x105A1, prN}, // Ll [11] VITHKUQI SMALL LETTER A..VITHKUQI SMALL LETTER GA + {0x105A3, 0x105B1, prN}, // Ll [15] VITHKUQI SMALL LETTER HA..VITHKUQI SMALL LETTER RE + {0x105B3, 0x105B9, prN}, // Ll [7] VITHKUQI SMALL LETTER SE..VITHKUQI SMALL LETTER XE + {0x105BB, 0x105BC, prN}, // Ll [2] VITHKUQI SMALL LETTER Y..VITHKUQI SMALL LETTER ZE + {0x10600, 0x10736, prN}, // Lo [311] LINEAR A SIGN AB001..LINEAR A SIGN A664 + {0x10740, 0x10755, prN}, // Lo [22] LINEAR A SIGN A701 A..LINEAR A SIGN A732 JE + {0x10760, 0x10767, prN}, // Lo [8] LINEAR A SIGN A800..LINEAR A SIGN A807 + {0x10780, 0x10785, prN}, // Lm [6] MODIFIER LETTER SMALL CAPITAL AA..MODIFIER LETTER SMALL B WITH HOOK + {0x10787, 0x107B0, prN}, // Lm [42] MODIFIER LETTER SMALL DZ DIGRAPH..MODIFIER LETTER SMALL V WITH RIGHT HOOK + {0x107B2, 0x107BA, prN}, // Lm [9] MODIFIER LETTER SMALL CAPITAL Y..MODIFIER LETTER SMALL S WITH CURL + {0x10800, 0x10805, prN}, // Lo [6] CYPRIOT SYLLABLE A..CYPRIOT SYLLABLE JA + {0x10808, 0x10808, prN}, // Lo CYPRIOT SYLLABLE JO + {0x1080A, 0x10835, prN}, // Lo [44] CYPRIOT SYLLABLE KA..CYPRIOT SYLLABLE WO + {0x10837, 0x10838, prN}, // Lo [2] CYPRIOT SYLLABLE XA..CYPRIOT SYLLABLE XE + {0x1083C, 0x1083C, prN}, // Lo CYPRIOT SYLLABLE ZA + {0x1083F, 0x1083F, prN}, // Lo CYPRIOT SYLLABLE ZO + {0x10840, 0x10855, prN}, // Lo [22] IMPERIAL ARAMAIC LETTER ALEPH..IMPERIAL ARAMAIC LETTER TAW + {0x10857, 0x10857, prN}, // Po IMPERIAL ARAMAIC SECTION SIGN + {0x10858, 0x1085F, prN}, // No [8] IMPERIAL ARAMAIC NUMBER ONE..IMPERIAL ARAMAIC NUMBER TEN THOUSAND + {0x10860, 0x10876, prN}, // Lo [23] PALMYRENE LETTER ALEPH..PALMYRENE LETTER TAW + {0x10877, 0x10878, prN}, // So [2] PALMYRENE LEFT-POINTING FLEURON..PALMYRENE RIGHT-POINTING FLEURON + {0x10879, 0x1087F, prN}, // No [7] PALMYRENE NUMBER ONE..PALMYRENE NUMBER TWENTY + {0x10880, 0x1089E, prN}, // Lo [31] NABATAEAN LETTER FINAL ALEPH..NABATAEAN LETTER TAW + {0x108A7, 0x108AF, prN}, // No [9] NABATAEAN NUMBER ONE..NABATAEAN NUMBER ONE HUNDRED + {0x108E0, 0x108F2, prN}, // Lo [19] HATRAN LETTER ALEPH..HATRAN LETTER QOPH + {0x108F4, 0x108F5, prN}, // Lo [2] HATRAN LETTER SHIN..HATRAN LETTER TAW + {0x108FB, 0x108FF, prN}, // No [5] HATRAN NUMBER ONE..HATRAN NUMBER ONE HUNDRED + {0x10900, 0x10915, prN}, // Lo [22] PHOENICIAN LETTER ALF..PHOENICIAN LETTER TAU + {0x10916, 0x1091B, prN}, // No [6] PHOENICIAN NUMBER ONE..PHOENICIAN NUMBER THREE + {0x1091F, 0x1091F, prN}, // Po PHOENICIAN WORD SEPARATOR + {0x10920, 0x10939, prN}, // Lo [26] LYDIAN LETTER A..LYDIAN LETTER C + {0x1093F, 0x1093F, prN}, // Po LYDIAN TRIANGULAR MARK + {0x10980, 0x1099F, prN}, // Lo [32] MEROITIC HIEROGLYPHIC LETTER A..MEROITIC HIEROGLYPHIC SYMBOL VIDJ-2 + {0x109A0, 0x109B7, prN}, // Lo [24] MEROITIC CURSIVE LETTER A..MEROITIC CURSIVE LETTER DA + {0x109BC, 0x109BD, prN}, // No [2] MEROITIC CURSIVE FRACTION ELEVEN TWELFTHS..MEROITIC CURSIVE FRACTION ONE HALF + {0x109BE, 0x109BF, prN}, // Lo [2] MEROITIC CURSIVE LOGOGRAM RMT..MEROITIC CURSIVE LOGOGRAM IMN + {0x109C0, 0x109CF, prN}, // No [16] MEROITIC CURSIVE NUMBER ONE..MEROITIC CURSIVE NUMBER SEVENTY + {0x109D2, 0x109FF, prN}, // No [46] MEROITIC CURSIVE NUMBER ONE HUNDRED..MEROITIC CURSIVE FRACTION TEN TWELFTHS + {0x10A00, 0x10A00, prN}, // Lo KHAROSHTHI LETTER A + {0x10A01, 0x10A03, prN}, // Mn [3] KHAROSHTHI VOWEL SIGN I..KHAROSHTHI VOWEL SIGN VOCALIC R + {0x10A05, 0x10A06, prN}, // Mn [2] KHAROSHTHI VOWEL SIGN E..KHAROSHTHI VOWEL SIGN O + {0x10A0C, 0x10A0F, prN}, // Mn [4] KHAROSHTHI VOWEL LENGTH MARK..KHAROSHTHI SIGN VISARGA + {0x10A10, 0x10A13, prN}, // Lo [4] KHAROSHTHI LETTER KA..KHAROSHTHI LETTER GHA + {0x10A15, 0x10A17, prN}, // Lo [3] KHAROSHTHI LETTER CA..KHAROSHTHI LETTER JA + {0x10A19, 0x10A35, prN}, // Lo [29] KHAROSHTHI LETTER NYA..KHAROSHTHI LETTER VHA + {0x10A38, 0x10A3A, prN}, // Mn [3] KHAROSHTHI SIGN BAR ABOVE..KHAROSHTHI SIGN DOT BELOW + {0x10A3F, 0x10A3F, prN}, // Mn KHAROSHTHI VIRAMA + {0x10A40, 0x10A48, prN}, // No [9] KHAROSHTHI DIGIT ONE..KHAROSHTHI FRACTION ONE HALF + {0x10A50, 0x10A58, prN}, // Po [9] KHAROSHTHI PUNCTUATION DOT..KHAROSHTHI PUNCTUATION LINES + {0x10A60, 0x10A7C, prN}, // Lo [29] OLD SOUTH ARABIAN LETTER HE..OLD SOUTH ARABIAN LETTER THETH + {0x10A7D, 0x10A7E, prN}, // No [2] OLD SOUTH ARABIAN NUMBER ONE..OLD SOUTH ARABIAN NUMBER FIFTY + {0x10A7F, 0x10A7F, prN}, // Po OLD SOUTH ARABIAN NUMERIC INDICATOR + {0x10A80, 0x10A9C, prN}, // Lo [29] OLD NORTH ARABIAN LETTER HEH..OLD NORTH ARABIAN LETTER ZAH + {0x10A9D, 0x10A9F, prN}, // No [3] OLD NORTH ARABIAN NUMBER ONE..OLD NORTH ARABIAN NUMBER TWENTY + {0x10AC0, 0x10AC7, prN}, // Lo [8] MANICHAEAN LETTER ALEPH..MANICHAEAN LETTER WAW + {0x10AC8, 0x10AC8, prN}, // So MANICHAEAN SIGN UD + {0x10AC9, 0x10AE4, prN}, // Lo [28] MANICHAEAN LETTER ZAYIN..MANICHAEAN LETTER TAW + {0x10AE5, 0x10AE6, prN}, // Mn [2] MANICHAEAN ABBREVIATION MARK ABOVE..MANICHAEAN ABBREVIATION MARK BELOW + {0x10AEB, 0x10AEF, prN}, // No [5] MANICHAEAN NUMBER ONE..MANICHAEAN NUMBER ONE HUNDRED + {0x10AF0, 0x10AF6, prN}, // Po [7] MANICHAEAN PUNCTUATION STAR..MANICHAEAN PUNCTUATION LINE FILLER + {0x10B00, 0x10B35, prN}, // Lo [54] AVESTAN LETTER A..AVESTAN LETTER HE + {0x10B39, 0x10B3F, prN}, // Po [7] AVESTAN ABBREVIATION MARK..LARGE ONE RING OVER TWO RINGS PUNCTUATION + {0x10B40, 0x10B55, prN}, // Lo [22] INSCRIPTIONAL PARTHIAN LETTER ALEPH..INSCRIPTIONAL PARTHIAN LETTER TAW + {0x10B58, 0x10B5F, prN}, // No [8] INSCRIPTIONAL PARTHIAN NUMBER ONE..INSCRIPTIONAL PARTHIAN NUMBER ONE THOUSAND + {0x10B60, 0x10B72, prN}, // Lo [19] INSCRIPTIONAL PAHLAVI LETTER ALEPH..INSCRIPTIONAL PAHLAVI LETTER TAW + {0x10B78, 0x10B7F, prN}, // No [8] INSCRIPTIONAL PAHLAVI NUMBER ONE..INSCRIPTIONAL PAHLAVI NUMBER ONE THOUSAND + {0x10B80, 0x10B91, prN}, // Lo [18] PSALTER PAHLAVI LETTER ALEPH..PSALTER PAHLAVI LETTER TAW + {0x10B99, 0x10B9C, prN}, // Po [4] PSALTER PAHLAVI SECTION MARK..PSALTER PAHLAVI FOUR DOTS WITH DOT + {0x10BA9, 0x10BAF, prN}, // No [7] PSALTER PAHLAVI NUMBER ONE..PSALTER PAHLAVI NUMBER ONE HUNDRED + {0x10C00, 0x10C48, prN}, // Lo [73] OLD TURKIC LETTER ORKHON A..OLD TURKIC LETTER ORKHON BASH + {0x10C80, 0x10CB2, prN}, // Lu [51] OLD HUNGARIAN CAPITAL LETTER A..OLD HUNGARIAN CAPITAL LETTER US + {0x10CC0, 0x10CF2, prN}, // Ll [51] OLD HUNGARIAN SMALL LETTER A..OLD HUNGARIAN SMALL LETTER US + {0x10CFA, 0x10CFF, prN}, // No [6] OLD HUNGARIAN NUMBER ONE..OLD HUNGARIAN NUMBER ONE THOUSAND + {0x10D00, 0x10D23, prN}, // Lo [36] HANIFI ROHINGYA LETTER A..HANIFI ROHINGYA MARK NA KHONNA + {0x10D24, 0x10D27, prN}, // Mn [4] HANIFI ROHINGYA SIGN HARBAHAY..HANIFI ROHINGYA SIGN TASSI + {0x10D30, 0x10D39, prN}, // Nd [10] HANIFI ROHINGYA DIGIT ZERO..HANIFI ROHINGYA DIGIT NINE + {0x10E60, 0x10E7E, prN}, // No [31] RUMI DIGIT ONE..RUMI FRACTION TWO THIRDS + {0x10E80, 0x10EA9, prN}, // Lo [42] YEZIDI LETTER ELIF..YEZIDI LETTER ET + {0x10EAB, 0x10EAC, prN}, // Mn [2] YEZIDI COMBINING HAMZA MARK..YEZIDI COMBINING MADDA MARK + {0x10EAD, 0x10EAD, prN}, // Pd YEZIDI HYPHENATION MARK + {0x10EB0, 0x10EB1, prN}, // Lo [2] YEZIDI LETTER LAM WITH DOT ABOVE..YEZIDI LETTER YOT WITH CIRCUMFLEX ABOVE + {0x10EFD, 0x10EFF, prN}, // Mn [3] ARABIC SMALL LOW WORD SAKTA..ARABIC SMALL LOW WORD MADDA + {0x10F00, 0x10F1C, prN}, // Lo [29] OLD SOGDIAN LETTER ALEPH..OLD SOGDIAN LETTER FINAL TAW WITH VERTICAL TAIL + {0x10F1D, 0x10F26, prN}, // No [10] OLD SOGDIAN NUMBER ONE..OLD SOGDIAN FRACTION ONE HALF + {0x10F27, 0x10F27, prN}, // Lo OLD SOGDIAN LIGATURE AYIN-DALETH + {0x10F30, 0x10F45, prN}, // Lo [22] SOGDIAN LETTER ALEPH..SOGDIAN INDEPENDENT SHIN + {0x10F46, 0x10F50, prN}, // Mn [11] SOGDIAN COMBINING DOT BELOW..SOGDIAN COMBINING STROKE BELOW + {0x10F51, 0x10F54, prN}, // No [4] SOGDIAN NUMBER ONE..SOGDIAN NUMBER ONE HUNDRED + {0x10F55, 0x10F59, prN}, // Po [5] SOGDIAN PUNCTUATION TWO VERTICAL BARS..SOGDIAN PUNCTUATION HALF CIRCLE WITH DOT + {0x10F70, 0x10F81, prN}, // Lo [18] OLD UYGHUR LETTER ALEPH..OLD UYGHUR LETTER LESH + {0x10F82, 0x10F85, prN}, // Mn [4] OLD UYGHUR COMBINING DOT ABOVE..OLD UYGHUR COMBINING TWO DOTS BELOW + {0x10F86, 0x10F89, prN}, // Po [4] OLD UYGHUR PUNCTUATION BAR..OLD UYGHUR PUNCTUATION FOUR DOTS + {0x10FB0, 0x10FC4, prN}, // Lo [21] CHORASMIAN LETTER ALEPH..CHORASMIAN LETTER TAW + {0x10FC5, 0x10FCB, prN}, // No [7] CHORASMIAN NUMBER ONE..CHORASMIAN NUMBER ONE HUNDRED + {0x10FE0, 0x10FF6, prN}, // Lo [23] ELYMAIC LETTER ALEPH..ELYMAIC LIGATURE ZAYIN-YODH + {0x11000, 0x11000, prN}, // Mc BRAHMI SIGN CANDRABINDU + {0x11001, 0x11001, prN}, // Mn BRAHMI SIGN ANUSVARA + {0x11002, 0x11002, prN}, // Mc BRAHMI SIGN VISARGA + {0x11003, 0x11037, prN}, // Lo [53] BRAHMI SIGN JIHVAMULIYA..BRAHMI LETTER OLD TAMIL NNNA + {0x11038, 0x11046, prN}, // Mn [15] BRAHMI VOWEL SIGN AA..BRAHMI VIRAMA + {0x11047, 0x1104D, prN}, // Po [7] BRAHMI DANDA..BRAHMI PUNCTUATION LOTUS + {0x11052, 0x11065, prN}, // No [20] BRAHMI NUMBER ONE..BRAHMI NUMBER ONE THOUSAND + {0x11066, 0x1106F, prN}, // Nd [10] BRAHMI DIGIT ZERO..BRAHMI DIGIT NINE + {0x11070, 0x11070, prN}, // Mn BRAHMI SIGN OLD TAMIL VIRAMA + {0x11071, 0x11072, prN}, // Lo [2] BRAHMI LETTER OLD TAMIL SHORT E..BRAHMI LETTER OLD TAMIL SHORT O + {0x11073, 0x11074, prN}, // Mn [2] BRAHMI VOWEL SIGN OLD TAMIL SHORT E..BRAHMI VOWEL SIGN OLD TAMIL SHORT O + {0x11075, 0x11075, prN}, // Lo BRAHMI LETTER OLD TAMIL LLA + {0x1107F, 0x1107F, prN}, // Mn BRAHMI NUMBER JOINER + {0x11080, 0x11081, prN}, // Mn [2] KAITHI SIGN CANDRABINDU..KAITHI SIGN ANUSVARA + {0x11082, 0x11082, prN}, // Mc KAITHI SIGN VISARGA + {0x11083, 0x110AF, prN}, // Lo [45] KAITHI LETTER A..KAITHI LETTER HA + {0x110B0, 0x110B2, prN}, // Mc [3] KAITHI VOWEL SIGN AA..KAITHI VOWEL SIGN II + {0x110B3, 0x110B6, prN}, // Mn [4] KAITHI VOWEL SIGN U..KAITHI VOWEL SIGN AI + {0x110B7, 0x110B8, prN}, // Mc [2] KAITHI VOWEL SIGN O..KAITHI VOWEL SIGN AU + {0x110B9, 0x110BA, prN}, // Mn [2] KAITHI SIGN VIRAMA..KAITHI SIGN NUKTA + {0x110BB, 0x110BC, prN}, // Po [2] KAITHI ABBREVIATION SIGN..KAITHI ENUMERATION SIGN + {0x110BD, 0x110BD, prN}, // Cf KAITHI NUMBER SIGN + {0x110BE, 0x110C1, prN}, // Po [4] KAITHI SECTION MARK..KAITHI DOUBLE DANDA + {0x110C2, 0x110C2, prN}, // Mn KAITHI VOWEL SIGN VOCALIC R + {0x110CD, 0x110CD, prN}, // Cf KAITHI NUMBER SIGN ABOVE + {0x110D0, 0x110E8, prN}, // Lo [25] SORA SOMPENG LETTER SAH..SORA SOMPENG LETTER MAE + {0x110F0, 0x110F9, prN}, // Nd [10] SORA SOMPENG DIGIT ZERO..SORA SOMPENG DIGIT NINE + {0x11100, 0x11102, prN}, // Mn [3] CHAKMA SIGN CANDRABINDU..CHAKMA SIGN VISARGA + {0x11103, 0x11126, prN}, // Lo [36] CHAKMA LETTER AA..CHAKMA LETTER HAA + {0x11127, 0x1112B, prN}, // Mn [5] CHAKMA VOWEL SIGN A..CHAKMA VOWEL SIGN UU + {0x1112C, 0x1112C, prN}, // Mc CHAKMA VOWEL SIGN E + {0x1112D, 0x11134, prN}, // Mn [8] CHAKMA VOWEL SIGN AI..CHAKMA MAAYYAA + {0x11136, 0x1113F, prN}, // Nd [10] CHAKMA DIGIT ZERO..CHAKMA DIGIT NINE + {0x11140, 0x11143, prN}, // Po [4] CHAKMA SECTION MARK..CHAKMA QUESTION MARK + {0x11144, 0x11144, prN}, // Lo CHAKMA LETTER LHAA + {0x11145, 0x11146, prN}, // Mc [2] CHAKMA VOWEL SIGN AA..CHAKMA VOWEL SIGN EI + {0x11147, 0x11147, prN}, // Lo CHAKMA LETTER VAA + {0x11150, 0x11172, prN}, // Lo [35] MAHAJANI LETTER A..MAHAJANI LETTER RRA + {0x11173, 0x11173, prN}, // Mn MAHAJANI SIGN NUKTA + {0x11174, 0x11175, prN}, // Po [2] MAHAJANI ABBREVIATION SIGN..MAHAJANI SECTION MARK + {0x11176, 0x11176, prN}, // Lo MAHAJANI LIGATURE SHRI + {0x11180, 0x11181, prN}, // Mn [2] SHARADA SIGN CANDRABINDU..SHARADA SIGN ANUSVARA + {0x11182, 0x11182, prN}, // Mc SHARADA SIGN VISARGA + {0x11183, 0x111B2, prN}, // Lo [48] SHARADA LETTER A..SHARADA LETTER HA + {0x111B3, 0x111B5, prN}, // Mc [3] SHARADA VOWEL SIGN AA..SHARADA VOWEL SIGN II + {0x111B6, 0x111BE, prN}, // Mn [9] SHARADA VOWEL SIGN U..SHARADA VOWEL SIGN O + {0x111BF, 0x111C0, prN}, // Mc [2] SHARADA VOWEL SIGN AU..SHARADA SIGN VIRAMA + {0x111C1, 0x111C4, prN}, // Lo [4] SHARADA SIGN AVAGRAHA..SHARADA OM + {0x111C5, 0x111C8, prN}, // Po [4] SHARADA DANDA..SHARADA SEPARATOR + {0x111C9, 0x111CC, prN}, // Mn [4] SHARADA SANDHI MARK..SHARADA EXTRA SHORT VOWEL MARK + {0x111CD, 0x111CD, prN}, // Po SHARADA SUTRA MARK + {0x111CE, 0x111CE, prN}, // Mc SHARADA VOWEL SIGN PRISHTHAMATRA E + {0x111CF, 0x111CF, prN}, // Mn SHARADA SIGN INVERTED CANDRABINDU + {0x111D0, 0x111D9, prN}, // Nd [10] SHARADA DIGIT ZERO..SHARADA DIGIT NINE + {0x111DA, 0x111DA, prN}, // Lo SHARADA EKAM + {0x111DB, 0x111DB, prN}, // Po SHARADA SIGN SIDDHAM + {0x111DC, 0x111DC, prN}, // Lo SHARADA HEADSTROKE + {0x111DD, 0x111DF, prN}, // Po [3] SHARADA CONTINUATION SIGN..SHARADA SECTION MARK-2 + {0x111E1, 0x111F4, prN}, // No [20] SINHALA ARCHAIC DIGIT ONE..SINHALA ARCHAIC NUMBER ONE THOUSAND + {0x11200, 0x11211, prN}, // Lo [18] KHOJKI LETTER A..KHOJKI LETTER JJA + {0x11213, 0x1122B, prN}, // Lo [25] KHOJKI LETTER NYA..KHOJKI LETTER LLA + {0x1122C, 0x1122E, prN}, // Mc [3] KHOJKI VOWEL SIGN AA..KHOJKI VOWEL SIGN II + {0x1122F, 0x11231, prN}, // Mn [3] KHOJKI VOWEL SIGN U..KHOJKI VOWEL SIGN AI + {0x11232, 0x11233, prN}, // Mc [2] KHOJKI VOWEL SIGN O..KHOJKI VOWEL SIGN AU + {0x11234, 0x11234, prN}, // Mn KHOJKI SIGN ANUSVARA + {0x11235, 0x11235, prN}, // Mc KHOJKI SIGN VIRAMA + {0x11236, 0x11237, prN}, // Mn [2] KHOJKI SIGN NUKTA..KHOJKI SIGN SHADDA + {0x11238, 0x1123D, prN}, // Po [6] KHOJKI DANDA..KHOJKI ABBREVIATION SIGN + {0x1123E, 0x1123E, prN}, // Mn KHOJKI SIGN SUKUN + {0x1123F, 0x11240, prN}, // Lo [2] KHOJKI LETTER QA..KHOJKI LETTER SHORT I + {0x11241, 0x11241, prN}, // Mn KHOJKI VOWEL SIGN VOCALIC R + {0x11280, 0x11286, prN}, // Lo [7] MULTANI LETTER A..MULTANI LETTER GA + {0x11288, 0x11288, prN}, // Lo MULTANI LETTER GHA + {0x1128A, 0x1128D, prN}, // Lo [4] MULTANI LETTER CA..MULTANI LETTER JJA + {0x1128F, 0x1129D, prN}, // Lo [15] MULTANI LETTER NYA..MULTANI LETTER BA + {0x1129F, 0x112A8, prN}, // Lo [10] MULTANI LETTER BHA..MULTANI LETTER RHA + {0x112A9, 0x112A9, prN}, // Po MULTANI SECTION MARK + {0x112B0, 0x112DE, prN}, // Lo [47] KHUDAWADI LETTER A..KHUDAWADI LETTER HA + {0x112DF, 0x112DF, prN}, // Mn KHUDAWADI SIGN ANUSVARA + {0x112E0, 0x112E2, prN}, // Mc [3] KHUDAWADI VOWEL SIGN AA..KHUDAWADI VOWEL SIGN II + {0x112E3, 0x112EA, prN}, // Mn [8] KHUDAWADI VOWEL SIGN U..KHUDAWADI SIGN VIRAMA + {0x112F0, 0x112F9, prN}, // Nd [10] KHUDAWADI DIGIT ZERO..KHUDAWADI DIGIT NINE + {0x11300, 0x11301, prN}, // Mn [2] GRANTHA SIGN COMBINING ANUSVARA ABOVE..GRANTHA SIGN CANDRABINDU + {0x11302, 0x11303, prN}, // Mc [2] GRANTHA SIGN ANUSVARA..GRANTHA SIGN VISARGA + {0x11305, 0x1130C, prN}, // Lo [8] GRANTHA LETTER A..GRANTHA LETTER VOCALIC L + {0x1130F, 0x11310, prN}, // Lo [2] GRANTHA LETTER EE..GRANTHA LETTER AI + {0x11313, 0x11328, prN}, // Lo [22] GRANTHA LETTER OO..GRANTHA LETTER NA + {0x1132A, 0x11330, prN}, // Lo [7] GRANTHA LETTER PA..GRANTHA LETTER RA + {0x11332, 0x11333, prN}, // Lo [2] GRANTHA LETTER LA..GRANTHA LETTER LLA + {0x11335, 0x11339, prN}, // Lo [5] GRANTHA LETTER VA..GRANTHA LETTER HA + {0x1133B, 0x1133C, prN}, // Mn [2] COMBINING BINDU BELOW..GRANTHA SIGN NUKTA + {0x1133D, 0x1133D, prN}, // Lo GRANTHA SIGN AVAGRAHA + {0x1133E, 0x1133F, prN}, // Mc [2] GRANTHA VOWEL SIGN AA..GRANTHA VOWEL SIGN I + {0x11340, 0x11340, prN}, // Mn GRANTHA VOWEL SIGN II + {0x11341, 0x11344, prN}, // Mc [4] GRANTHA VOWEL SIGN U..GRANTHA VOWEL SIGN VOCALIC RR + {0x11347, 0x11348, prN}, // Mc [2] GRANTHA VOWEL SIGN EE..GRANTHA VOWEL SIGN AI + {0x1134B, 0x1134D, prN}, // Mc [3] GRANTHA VOWEL SIGN OO..GRANTHA SIGN VIRAMA + {0x11350, 0x11350, prN}, // Lo GRANTHA OM + {0x11357, 0x11357, prN}, // Mc GRANTHA AU LENGTH MARK + {0x1135D, 0x11361, prN}, // Lo [5] GRANTHA SIGN PLUTA..GRANTHA LETTER VOCALIC LL + {0x11362, 0x11363, prN}, // Mc [2] GRANTHA VOWEL SIGN VOCALIC L..GRANTHA VOWEL SIGN VOCALIC LL + {0x11366, 0x1136C, prN}, // Mn [7] COMBINING GRANTHA DIGIT ZERO..COMBINING GRANTHA DIGIT SIX + {0x11370, 0x11374, prN}, // Mn [5] COMBINING GRANTHA LETTER A..COMBINING GRANTHA LETTER PA + {0x11400, 0x11434, prN}, // Lo [53] NEWA LETTER A..NEWA LETTER HA + {0x11435, 0x11437, prN}, // Mc [3] NEWA VOWEL SIGN AA..NEWA VOWEL SIGN II + {0x11438, 0x1143F, prN}, // Mn [8] NEWA VOWEL SIGN U..NEWA VOWEL SIGN AI + {0x11440, 0x11441, prN}, // Mc [2] NEWA VOWEL SIGN O..NEWA VOWEL SIGN AU + {0x11442, 0x11444, prN}, // Mn [3] NEWA SIGN VIRAMA..NEWA SIGN ANUSVARA + {0x11445, 0x11445, prN}, // Mc NEWA SIGN VISARGA + {0x11446, 0x11446, prN}, // Mn NEWA SIGN NUKTA + {0x11447, 0x1144A, prN}, // Lo [4] NEWA SIGN AVAGRAHA..NEWA SIDDHI + {0x1144B, 0x1144F, prN}, // Po [5] NEWA DANDA..NEWA ABBREVIATION SIGN + {0x11450, 0x11459, prN}, // Nd [10] NEWA DIGIT ZERO..NEWA DIGIT NINE + {0x1145A, 0x1145B, prN}, // Po [2] NEWA DOUBLE COMMA..NEWA PLACEHOLDER MARK + {0x1145D, 0x1145D, prN}, // Po NEWA INSERTION SIGN + {0x1145E, 0x1145E, prN}, // Mn NEWA SANDHI MARK + {0x1145F, 0x11461, prN}, // Lo [3] NEWA LETTER VEDIC ANUSVARA..NEWA SIGN UPADHMANIYA + {0x11480, 0x114AF, prN}, // Lo [48] TIRHUTA ANJI..TIRHUTA LETTER HA + {0x114B0, 0x114B2, prN}, // Mc [3] TIRHUTA VOWEL SIGN AA..TIRHUTA VOWEL SIGN II + {0x114B3, 0x114B8, prN}, // Mn [6] TIRHUTA VOWEL SIGN U..TIRHUTA VOWEL SIGN VOCALIC LL + {0x114B9, 0x114B9, prN}, // Mc TIRHUTA VOWEL SIGN E + {0x114BA, 0x114BA, prN}, // Mn TIRHUTA VOWEL SIGN SHORT E + {0x114BB, 0x114BE, prN}, // Mc [4] TIRHUTA VOWEL SIGN AI..TIRHUTA VOWEL SIGN AU + {0x114BF, 0x114C0, prN}, // Mn [2] TIRHUTA SIGN CANDRABINDU..TIRHUTA SIGN ANUSVARA + {0x114C1, 0x114C1, prN}, // Mc TIRHUTA SIGN VISARGA + {0x114C2, 0x114C3, prN}, // Mn [2] TIRHUTA SIGN VIRAMA..TIRHUTA SIGN NUKTA + {0x114C4, 0x114C5, prN}, // Lo [2] TIRHUTA SIGN AVAGRAHA..TIRHUTA GVANG + {0x114C6, 0x114C6, prN}, // Po TIRHUTA ABBREVIATION SIGN + {0x114C7, 0x114C7, prN}, // Lo TIRHUTA OM + {0x114D0, 0x114D9, prN}, // Nd [10] TIRHUTA DIGIT ZERO..TIRHUTA DIGIT NINE + {0x11580, 0x115AE, prN}, // Lo [47] SIDDHAM LETTER A..SIDDHAM LETTER HA + {0x115AF, 0x115B1, prN}, // Mc [3] SIDDHAM VOWEL SIGN AA..SIDDHAM VOWEL SIGN II + {0x115B2, 0x115B5, prN}, // Mn [4] SIDDHAM VOWEL SIGN U..SIDDHAM VOWEL SIGN VOCALIC RR + {0x115B8, 0x115BB, prN}, // Mc [4] SIDDHAM VOWEL SIGN E..SIDDHAM VOWEL SIGN AU + {0x115BC, 0x115BD, prN}, // Mn [2] SIDDHAM SIGN CANDRABINDU..SIDDHAM SIGN ANUSVARA + {0x115BE, 0x115BE, prN}, // Mc SIDDHAM SIGN VISARGA + {0x115BF, 0x115C0, prN}, // Mn [2] SIDDHAM SIGN VIRAMA..SIDDHAM SIGN NUKTA + {0x115C1, 0x115D7, prN}, // Po [23] SIDDHAM SIGN SIDDHAM..SIDDHAM SECTION MARK WITH CIRCLES AND FOUR ENCLOSURES + {0x115D8, 0x115DB, prN}, // Lo [4] SIDDHAM LETTER THREE-CIRCLE ALTERNATE I..SIDDHAM LETTER ALTERNATE U + {0x115DC, 0x115DD, prN}, // Mn [2] SIDDHAM VOWEL SIGN ALTERNATE U..SIDDHAM VOWEL SIGN ALTERNATE UU + {0x11600, 0x1162F, prN}, // Lo [48] MODI LETTER A..MODI LETTER LLA + {0x11630, 0x11632, prN}, // Mc [3] MODI VOWEL SIGN AA..MODI VOWEL SIGN II + {0x11633, 0x1163A, prN}, // Mn [8] MODI VOWEL SIGN U..MODI VOWEL SIGN AI + {0x1163B, 0x1163C, prN}, // Mc [2] MODI VOWEL SIGN O..MODI VOWEL SIGN AU + {0x1163D, 0x1163D, prN}, // Mn MODI SIGN ANUSVARA + {0x1163E, 0x1163E, prN}, // Mc MODI SIGN VISARGA + {0x1163F, 0x11640, prN}, // Mn [2] MODI SIGN VIRAMA..MODI SIGN ARDHACANDRA + {0x11641, 0x11643, prN}, // Po [3] MODI DANDA..MODI ABBREVIATION SIGN + {0x11644, 0x11644, prN}, // Lo MODI SIGN HUVA + {0x11650, 0x11659, prN}, // Nd [10] MODI DIGIT ZERO..MODI DIGIT NINE + {0x11660, 0x1166C, prN}, // Po [13] MONGOLIAN BIRGA WITH ORNAMENT..MONGOLIAN TURNED SWIRL BIRGA WITH DOUBLE ORNAMENT + {0x11680, 0x116AA, prN}, // Lo [43] TAKRI LETTER A..TAKRI LETTER RRA + {0x116AB, 0x116AB, prN}, // Mn TAKRI SIGN ANUSVARA + {0x116AC, 0x116AC, prN}, // Mc TAKRI SIGN VISARGA + {0x116AD, 0x116AD, prN}, // Mn TAKRI VOWEL SIGN AA + {0x116AE, 0x116AF, prN}, // Mc [2] TAKRI VOWEL SIGN I..TAKRI VOWEL SIGN II + {0x116B0, 0x116B5, prN}, // Mn [6] TAKRI VOWEL SIGN U..TAKRI VOWEL SIGN AU + {0x116B6, 0x116B6, prN}, // Mc TAKRI SIGN VIRAMA + {0x116B7, 0x116B7, prN}, // Mn TAKRI SIGN NUKTA + {0x116B8, 0x116B8, prN}, // Lo TAKRI LETTER ARCHAIC KHA + {0x116B9, 0x116B9, prN}, // Po TAKRI ABBREVIATION SIGN + {0x116C0, 0x116C9, prN}, // Nd [10] TAKRI DIGIT ZERO..TAKRI DIGIT NINE + {0x11700, 0x1171A, prN}, // Lo [27] AHOM LETTER KA..AHOM LETTER ALTERNATE BA + {0x1171D, 0x1171F, prN}, // Mn [3] AHOM CONSONANT SIGN MEDIAL LA..AHOM CONSONANT SIGN MEDIAL LIGATING RA + {0x11720, 0x11721, prN}, // Mc [2] AHOM VOWEL SIGN A..AHOM VOWEL SIGN AA + {0x11722, 0x11725, prN}, // Mn [4] AHOM VOWEL SIGN I..AHOM VOWEL SIGN UU + {0x11726, 0x11726, prN}, // Mc AHOM VOWEL SIGN E + {0x11727, 0x1172B, prN}, // Mn [5] AHOM VOWEL SIGN AW..AHOM SIGN KILLER + {0x11730, 0x11739, prN}, // Nd [10] AHOM DIGIT ZERO..AHOM DIGIT NINE + {0x1173A, 0x1173B, prN}, // No [2] AHOM NUMBER TEN..AHOM NUMBER TWENTY + {0x1173C, 0x1173E, prN}, // Po [3] AHOM SIGN SMALL SECTION..AHOM SIGN RULAI + {0x1173F, 0x1173F, prN}, // So AHOM SYMBOL VI + {0x11740, 0x11746, prN}, // Lo [7] AHOM LETTER CA..AHOM LETTER LLA + {0x11800, 0x1182B, prN}, // Lo [44] DOGRA LETTER A..DOGRA LETTER RRA + {0x1182C, 0x1182E, prN}, // Mc [3] DOGRA VOWEL SIGN AA..DOGRA VOWEL SIGN II + {0x1182F, 0x11837, prN}, // Mn [9] DOGRA VOWEL SIGN U..DOGRA SIGN ANUSVARA + {0x11838, 0x11838, prN}, // Mc DOGRA SIGN VISARGA + {0x11839, 0x1183A, prN}, // Mn [2] DOGRA SIGN VIRAMA..DOGRA SIGN NUKTA + {0x1183B, 0x1183B, prN}, // Po DOGRA ABBREVIATION SIGN + {0x118A0, 0x118DF, prN}, // L& [64] WARANG CITI CAPITAL LETTER NGAA..WARANG CITI SMALL LETTER VIYO + {0x118E0, 0x118E9, prN}, // Nd [10] WARANG CITI DIGIT ZERO..WARANG CITI DIGIT NINE + {0x118EA, 0x118F2, prN}, // No [9] WARANG CITI NUMBER TEN..WARANG CITI NUMBER NINETY + {0x118FF, 0x118FF, prN}, // Lo WARANG CITI OM + {0x11900, 0x11906, prN}, // Lo [7] DIVES AKURU LETTER A..DIVES AKURU LETTER E + {0x11909, 0x11909, prN}, // Lo DIVES AKURU LETTER O + {0x1190C, 0x11913, prN}, // Lo [8] DIVES AKURU LETTER KA..DIVES AKURU LETTER JA + {0x11915, 0x11916, prN}, // Lo [2] DIVES AKURU LETTER NYA..DIVES AKURU LETTER TTA + {0x11918, 0x1192F, prN}, // Lo [24] DIVES AKURU LETTER DDA..DIVES AKURU LETTER ZA + {0x11930, 0x11935, prN}, // Mc [6] DIVES AKURU VOWEL SIGN AA..DIVES AKURU VOWEL SIGN E + {0x11937, 0x11938, prN}, // Mc [2] DIVES AKURU VOWEL SIGN AI..DIVES AKURU VOWEL SIGN O + {0x1193B, 0x1193C, prN}, // Mn [2] DIVES AKURU SIGN ANUSVARA..DIVES AKURU SIGN CANDRABINDU + {0x1193D, 0x1193D, prN}, // Mc DIVES AKURU SIGN HALANTA + {0x1193E, 0x1193E, prN}, // Mn DIVES AKURU VIRAMA + {0x1193F, 0x1193F, prN}, // Lo DIVES AKURU PREFIXED NASAL SIGN + {0x11940, 0x11940, prN}, // Mc DIVES AKURU MEDIAL YA + {0x11941, 0x11941, prN}, // Lo DIVES AKURU INITIAL RA + {0x11942, 0x11942, prN}, // Mc DIVES AKURU MEDIAL RA + {0x11943, 0x11943, prN}, // Mn DIVES AKURU SIGN NUKTA + {0x11944, 0x11946, prN}, // Po [3] DIVES AKURU DOUBLE DANDA..DIVES AKURU END OF TEXT MARK + {0x11950, 0x11959, prN}, // Nd [10] DIVES AKURU DIGIT ZERO..DIVES AKURU DIGIT NINE + {0x119A0, 0x119A7, prN}, // Lo [8] NANDINAGARI LETTER A..NANDINAGARI LETTER VOCALIC RR + {0x119AA, 0x119D0, prN}, // Lo [39] NANDINAGARI LETTER E..NANDINAGARI LETTER RRA + {0x119D1, 0x119D3, prN}, // Mc [3] NANDINAGARI VOWEL SIGN AA..NANDINAGARI VOWEL SIGN II + {0x119D4, 0x119D7, prN}, // Mn [4] NANDINAGARI VOWEL SIGN U..NANDINAGARI VOWEL SIGN VOCALIC RR + {0x119DA, 0x119DB, prN}, // Mn [2] NANDINAGARI VOWEL SIGN E..NANDINAGARI VOWEL SIGN AI + {0x119DC, 0x119DF, prN}, // Mc [4] NANDINAGARI VOWEL SIGN O..NANDINAGARI SIGN VISARGA + {0x119E0, 0x119E0, prN}, // Mn NANDINAGARI SIGN VIRAMA + {0x119E1, 0x119E1, prN}, // Lo NANDINAGARI SIGN AVAGRAHA + {0x119E2, 0x119E2, prN}, // Po NANDINAGARI SIGN SIDDHAM + {0x119E3, 0x119E3, prN}, // Lo NANDINAGARI HEADSTROKE + {0x119E4, 0x119E4, prN}, // Mc NANDINAGARI VOWEL SIGN PRISHTHAMATRA E + {0x11A00, 0x11A00, prN}, // Lo ZANABAZAR SQUARE LETTER A + {0x11A01, 0x11A0A, prN}, // Mn [10] ZANABAZAR SQUARE VOWEL SIGN I..ZANABAZAR SQUARE VOWEL LENGTH MARK + {0x11A0B, 0x11A32, prN}, // Lo [40] ZANABAZAR SQUARE LETTER KA..ZANABAZAR SQUARE LETTER KSSA + {0x11A33, 0x11A38, prN}, // Mn [6] ZANABAZAR SQUARE FINAL CONSONANT MARK..ZANABAZAR SQUARE SIGN ANUSVARA + {0x11A39, 0x11A39, prN}, // Mc ZANABAZAR SQUARE SIGN VISARGA + {0x11A3A, 0x11A3A, prN}, // Lo ZANABAZAR SQUARE CLUSTER-INITIAL LETTER RA + {0x11A3B, 0x11A3E, prN}, // Mn [4] ZANABAZAR SQUARE CLUSTER-FINAL LETTER YA..ZANABAZAR SQUARE CLUSTER-FINAL LETTER VA + {0x11A3F, 0x11A46, prN}, // Po [8] ZANABAZAR SQUARE INITIAL HEAD MARK..ZANABAZAR SQUARE CLOSING DOUBLE-LINED HEAD MARK + {0x11A47, 0x11A47, prN}, // Mn ZANABAZAR SQUARE SUBJOINER + {0x11A50, 0x11A50, prN}, // Lo SOYOMBO LETTER A + {0x11A51, 0x11A56, prN}, // Mn [6] SOYOMBO VOWEL SIGN I..SOYOMBO VOWEL SIGN OE + {0x11A57, 0x11A58, prN}, // Mc [2] SOYOMBO VOWEL SIGN AI..SOYOMBO VOWEL SIGN AU + {0x11A59, 0x11A5B, prN}, // Mn [3] SOYOMBO VOWEL SIGN VOCALIC R..SOYOMBO VOWEL LENGTH MARK + {0x11A5C, 0x11A89, prN}, // Lo [46] SOYOMBO LETTER KA..SOYOMBO CLUSTER-INITIAL LETTER SA + {0x11A8A, 0x11A96, prN}, // Mn [13] SOYOMBO FINAL CONSONANT SIGN G..SOYOMBO SIGN ANUSVARA + {0x11A97, 0x11A97, prN}, // Mc SOYOMBO SIGN VISARGA + {0x11A98, 0x11A99, prN}, // Mn [2] SOYOMBO GEMINATION MARK..SOYOMBO SUBJOINER + {0x11A9A, 0x11A9C, prN}, // Po [3] SOYOMBO MARK TSHEG..SOYOMBO MARK DOUBLE SHAD + {0x11A9D, 0x11A9D, prN}, // Lo SOYOMBO MARK PLUTA + {0x11A9E, 0x11AA2, prN}, // Po [5] SOYOMBO HEAD MARK WITH MOON AND SUN AND TRIPLE FLAME..SOYOMBO TERMINAL MARK-2 + {0x11AB0, 0x11ABF, prN}, // Lo [16] CANADIAN SYLLABICS NATTILIK HI..CANADIAN SYLLABICS SPA + {0x11AC0, 0x11AF8, prN}, // Lo [57] PAU CIN HAU LETTER PA..PAU CIN HAU GLOTTAL STOP FINAL + {0x11B00, 0x11B09, prN}, // Po [10] DEVANAGARI HEAD MARK..DEVANAGARI SIGN MINDU + {0x11C00, 0x11C08, prN}, // Lo [9] BHAIKSUKI LETTER A..BHAIKSUKI LETTER VOCALIC L + {0x11C0A, 0x11C2E, prN}, // Lo [37] BHAIKSUKI LETTER E..BHAIKSUKI LETTER HA + {0x11C2F, 0x11C2F, prN}, // Mc BHAIKSUKI VOWEL SIGN AA + {0x11C30, 0x11C36, prN}, // Mn [7] BHAIKSUKI VOWEL SIGN I..BHAIKSUKI VOWEL SIGN VOCALIC L + {0x11C38, 0x11C3D, prN}, // Mn [6] BHAIKSUKI VOWEL SIGN E..BHAIKSUKI SIGN ANUSVARA + {0x11C3E, 0x11C3E, prN}, // Mc BHAIKSUKI SIGN VISARGA + {0x11C3F, 0x11C3F, prN}, // Mn BHAIKSUKI SIGN VIRAMA + {0x11C40, 0x11C40, prN}, // Lo BHAIKSUKI SIGN AVAGRAHA + {0x11C41, 0x11C45, prN}, // Po [5] BHAIKSUKI DANDA..BHAIKSUKI GAP FILLER-2 + {0x11C50, 0x11C59, prN}, // Nd [10] BHAIKSUKI DIGIT ZERO..BHAIKSUKI DIGIT NINE + {0x11C5A, 0x11C6C, prN}, // No [19] BHAIKSUKI NUMBER ONE..BHAIKSUKI HUNDREDS UNIT MARK + {0x11C70, 0x11C71, prN}, // Po [2] MARCHEN HEAD MARK..MARCHEN MARK SHAD + {0x11C72, 0x11C8F, prN}, // Lo [30] MARCHEN LETTER KA..MARCHEN LETTER A + {0x11C92, 0x11CA7, prN}, // Mn [22] MARCHEN SUBJOINED LETTER KA..MARCHEN SUBJOINED LETTER ZA + {0x11CA9, 0x11CA9, prN}, // Mc MARCHEN SUBJOINED LETTER YA + {0x11CAA, 0x11CB0, prN}, // Mn [7] MARCHEN SUBJOINED LETTER RA..MARCHEN VOWEL SIGN AA + {0x11CB1, 0x11CB1, prN}, // Mc MARCHEN VOWEL SIGN I + {0x11CB2, 0x11CB3, prN}, // Mn [2] MARCHEN VOWEL SIGN U..MARCHEN VOWEL SIGN E + {0x11CB4, 0x11CB4, prN}, // Mc MARCHEN VOWEL SIGN O + {0x11CB5, 0x11CB6, prN}, // Mn [2] MARCHEN SIGN ANUSVARA..MARCHEN SIGN CANDRABINDU + {0x11D00, 0x11D06, prN}, // Lo [7] MASARAM GONDI LETTER A..MASARAM GONDI LETTER E + {0x11D08, 0x11D09, prN}, // Lo [2] MASARAM GONDI LETTER AI..MASARAM GONDI LETTER O + {0x11D0B, 0x11D30, prN}, // Lo [38] MASARAM GONDI LETTER AU..MASARAM GONDI LETTER TRA + {0x11D31, 0x11D36, prN}, // Mn [6] MASARAM GONDI VOWEL SIGN AA..MASARAM GONDI VOWEL SIGN VOCALIC R + {0x11D3A, 0x11D3A, prN}, // Mn MASARAM GONDI VOWEL SIGN E + {0x11D3C, 0x11D3D, prN}, // Mn [2] MASARAM GONDI VOWEL SIGN AI..MASARAM GONDI VOWEL SIGN O + {0x11D3F, 0x11D45, prN}, // Mn [7] MASARAM GONDI VOWEL SIGN AU..MASARAM GONDI VIRAMA + {0x11D46, 0x11D46, prN}, // Lo MASARAM GONDI REPHA + {0x11D47, 0x11D47, prN}, // Mn MASARAM GONDI RA-KARA + {0x11D50, 0x11D59, prN}, // Nd [10] MASARAM GONDI DIGIT ZERO..MASARAM GONDI DIGIT NINE + {0x11D60, 0x11D65, prN}, // Lo [6] GUNJALA GONDI LETTER A..GUNJALA GONDI LETTER UU + {0x11D67, 0x11D68, prN}, // Lo [2] GUNJALA GONDI LETTER EE..GUNJALA GONDI LETTER AI + {0x11D6A, 0x11D89, prN}, // Lo [32] GUNJALA GONDI LETTER OO..GUNJALA GONDI LETTER SA + {0x11D8A, 0x11D8E, prN}, // Mc [5] GUNJALA GONDI VOWEL SIGN AA..GUNJALA GONDI VOWEL SIGN UU + {0x11D90, 0x11D91, prN}, // Mn [2] GUNJALA GONDI VOWEL SIGN EE..GUNJALA GONDI VOWEL SIGN AI + {0x11D93, 0x11D94, prN}, // Mc [2] GUNJALA GONDI VOWEL SIGN OO..GUNJALA GONDI VOWEL SIGN AU + {0x11D95, 0x11D95, prN}, // Mn GUNJALA GONDI SIGN ANUSVARA + {0x11D96, 0x11D96, prN}, // Mc GUNJALA GONDI SIGN VISARGA + {0x11D97, 0x11D97, prN}, // Mn GUNJALA GONDI VIRAMA + {0x11D98, 0x11D98, prN}, // Lo GUNJALA GONDI OM + {0x11DA0, 0x11DA9, prN}, // Nd [10] GUNJALA GONDI DIGIT ZERO..GUNJALA GONDI DIGIT NINE + {0x11EE0, 0x11EF2, prN}, // Lo [19] MAKASAR LETTER KA..MAKASAR ANGKA + {0x11EF3, 0x11EF4, prN}, // Mn [2] MAKASAR VOWEL SIGN I..MAKASAR VOWEL SIGN U + {0x11EF5, 0x11EF6, prN}, // Mc [2] MAKASAR VOWEL SIGN E..MAKASAR VOWEL SIGN O + {0x11EF7, 0x11EF8, prN}, // Po [2] MAKASAR PASSIMBANG..MAKASAR END OF SECTION + {0x11F00, 0x11F01, prN}, // Mn [2] KAWI SIGN CANDRABINDU..KAWI SIGN ANUSVARA + {0x11F02, 0x11F02, prN}, // Lo KAWI SIGN REPHA + {0x11F03, 0x11F03, prN}, // Mc KAWI SIGN VISARGA + {0x11F04, 0x11F10, prN}, // Lo [13] KAWI LETTER A..KAWI LETTER O + {0x11F12, 0x11F33, prN}, // Lo [34] KAWI LETTER KA..KAWI LETTER JNYA + {0x11F34, 0x11F35, prN}, // Mc [2] KAWI VOWEL SIGN AA..KAWI VOWEL SIGN ALTERNATE AA + {0x11F36, 0x11F3A, prN}, // Mn [5] KAWI VOWEL SIGN I..KAWI VOWEL SIGN VOCALIC R + {0x11F3E, 0x11F3F, prN}, // Mc [2] KAWI VOWEL SIGN E..KAWI VOWEL SIGN AI + {0x11F40, 0x11F40, prN}, // Mn KAWI VOWEL SIGN EU + {0x11F41, 0x11F41, prN}, // Mc KAWI SIGN KILLER + {0x11F42, 0x11F42, prN}, // Mn KAWI CONJOINER + {0x11F43, 0x11F4F, prN}, // Po [13] KAWI DANDA..KAWI PUNCTUATION CLOSING SPIRAL + {0x11F50, 0x11F59, prN}, // Nd [10] KAWI DIGIT ZERO..KAWI DIGIT NINE + {0x11FB0, 0x11FB0, prN}, // Lo LISU LETTER YHA + {0x11FC0, 0x11FD4, prN}, // No [21] TAMIL FRACTION ONE THREE-HUNDRED-AND-TWENTIETH..TAMIL FRACTION DOWNSCALING FACTOR KIIZH + {0x11FD5, 0x11FDC, prN}, // So [8] TAMIL SIGN NEL..TAMIL SIGN MUKKURUNI + {0x11FDD, 0x11FE0, prN}, // Sc [4] TAMIL SIGN KAACU..TAMIL SIGN VARAAKAN + {0x11FE1, 0x11FF1, prN}, // So [17] TAMIL SIGN PAARAM..TAMIL SIGN VAKAIYARAA + {0x11FFF, 0x11FFF, prN}, // Po TAMIL PUNCTUATION END OF TEXT + {0x12000, 0x12399, prN}, // Lo [922] CUNEIFORM SIGN A..CUNEIFORM SIGN U U + {0x12400, 0x1246E, prN}, // Nl [111] CUNEIFORM NUMERIC SIGN TWO ASH..CUNEIFORM NUMERIC SIGN NINE U VARIANT FORM + {0x12470, 0x12474, prN}, // Po [5] CUNEIFORM PUNCTUATION SIGN OLD ASSYRIAN WORD DIVIDER..CUNEIFORM PUNCTUATION SIGN DIAGONAL QUADCOLON + {0x12480, 0x12543, prN}, // Lo [196] CUNEIFORM SIGN AB TIMES NUN TENU..CUNEIFORM SIGN ZU5 TIMES THREE DISH TENU + {0x12F90, 0x12FF0, prN}, // Lo [97] CYPRO-MINOAN SIGN CM001..CYPRO-MINOAN SIGN CM114 + {0x12FF1, 0x12FF2, prN}, // Po [2] CYPRO-MINOAN SIGN CM301..CYPRO-MINOAN SIGN CM302 + {0x13000, 0x1342F, prN}, // Lo [1072] EGYPTIAN HIEROGLYPH A001..EGYPTIAN HIEROGLYPH V011D + {0x13430, 0x1343F, prN}, // Cf [16] EGYPTIAN HIEROGLYPH VERTICAL JOINER..EGYPTIAN HIEROGLYPH END WALLED ENCLOSURE + {0x13440, 0x13440, prN}, // Mn EGYPTIAN HIEROGLYPH MIRROR HORIZONTALLY + {0x13441, 0x13446, prN}, // Lo [6] EGYPTIAN HIEROGLYPH FULL BLANK..EGYPTIAN HIEROGLYPH WIDE LOST SIGN + {0x13447, 0x13455, prN}, // Mn [15] EGYPTIAN HIEROGLYPH MODIFIER DAMAGED AT TOP START..EGYPTIAN HIEROGLYPH MODIFIER DAMAGED + {0x14400, 0x14646, prN}, // Lo [583] ANATOLIAN HIEROGLYPH A001..ANATOLIAN HIEROGLYPH A530 + {0x16800, 0x16A38, prN}, // Lo [569] BAMUM LETTER PHASE-A NGKUE MFON..BAMUM LETTER PHASE-F VUEQ + {0x16A40, 0x16A5E, prN}, // Lo [31] MRO LETTER TA..MRO LETTER TEK + {0x16A60, 0x16A69, prN}, // Nd [10] MRO DIGIT ZERO..MRO DIGIT NINE + {0x16A6E, 0x16A6F, prN}, // Po [2] MRO DANDA..MRO DOUBLE DANDA + {0x16A70, 0x16ABE, prN}, // Lo [79] TANGSA LETTER OZ..TANGSA LETTER ZA + {0x16AC0, 0x16AC9, prN}, // Nd [10] TANGSA DIGIT ZERO..TANGSA DIGIT NINE + {0x16AD0, 0x16AED, prN}, // Lo [30] BASSA VAH LETTER ENNI..BASSA VAH LETTER I + {0x16AF0, 0x16AF4, prN}, // Mn [5] BASSA VAH COMBINING HIGH TONE..BASSA VAH COMBINING HIGH-LOW TONE + {0x16AF5, 0x16AF5, prN}, // Po BASSA VAH FULL STOP + {0x16B00, 0x16B2F, prN}, // Lo [48] PAHAWH HMONG VOWEL KEEB..PAHAWH HMONG CONSONANT CAU + {0x16B30, 0x16B36, prN}, // Mn [7] PAHAWH HMONG MARK CIM TUB..PAHAWH HMONG MARK CIM TAUM + {0x16B37, 0x16B3B, prN}, // Po [5] PAHAWH HMONG SIGN VOS THOM..PAHAWH HMONG SIGN VOS FEEM + {0x16B3C, 0x16B3F, prN}, // So [4] PAHAWH HMONG SIGN XYEEM NTXIV..PAHAWH HMONG SIGN XYEEM FAIB + {0x16B40, 0x16B43, prN}, // Lm [4] PAHAWH HMONG SIGN VOS SEEV..PAHAWH HMONG SIGN IB YAM + {0x16B44, 0x16B44, prN}, // Po PAHAWH HMONG SIGN XAUS + {0x16B45, 0x16B45, prN}, // So PAHAWH HMONG SIGN CIM TSOV ROG + {0x16B50, 0x16B59, prN}, // Nd [10] PAHAWH HMONG DIGIT ZERO..PAHAWH HMONG DIGIT NINE + {0x16B5B, 0x16B61, prN}, // No [7] PAHAWH HMONG NUMBER TENS..PAHAWH HMONG NUMBER TRILLIONS + {0x16B63, 0x16B77, prN}, // Lo [21] PAHAWH HMONG SIGN VOS LUB..PAHAWH HMONG SIGN CIM NRES TOS + {0x16B7D, 0x16B8F, prN}, // Lo [19] PAHAWH HMONG CLAN SIGN TSHEEJ..PAHAWH HMONG CLAN SIGN VWJ + {0x16E40, 0x16E7F, prN}, // L& [64] MEDEFAIDRIN CAPITAL LETTER M..MEDEFAIDRIN SMALL LETTER Y + {0x16E80, 0x16E96, prN}, // No [23] MEDEFAIDRIN DIGIT ZERO..MEDEFAIDRIN DIGIT THREE ALTERNATE FORM + {0x16E97, 0x16E9A, prN}, // Po [4] MEDEFAIDRIN COMMA..MEDEFAIDRIN EXCLAMATION OH + {0x16F00, 0x16F4A, prN}, // Lo [75] MIAO LETTER PA..MIAO LETTER RTE + {0x16F4F, 0x16F4F, prN}, // Mn MIAO SIGN CONSONANT MODIFIER BAR + {0x16F50, 0x16F50, prN}, // Lo MIAO LETTER NASALIZATION + {0x16F51, 0x16F87, prN}, // Mc [55] MIAO SIGN ASPIRATION..MIAO VOWEL SIGN UI + {0x16F8F, 0x16F92, prN}, // Mn [4] MIAO TONE RIGHT..MIAO TONE BELOW + {0x16F93, 0x16F9F, prN}, // Lm [13] MIAO LETTER TONE-2..MIAO LETTER REFORMED TONE-8 + {0x16FE0, 0x16FE1, prW}, // Lm [2] TANGUT ITERATION MARK..NUSHU ITERATION MARK + {0x16FE2, 0x16FE2, prW}, // Po OLD CHINESE HOOK MARK + {0x16FE3, 0x16FE3, prW}, // Lm OLD CHINESE ITERATION MARK + {0x16FE4, 0x16FE4, prW}, // Mn KHITAN SMALL SCRIPT FILLER + {0x16FF0, 0x16FF1, prW}, // Mc [2] VIETNAMESE ALTERNATE READING MARK CA..VIETNAMESE ALTERNATE READING MARK NHAY + {0x17000, 0x187F7, prW}, // Lo [6136] TANGUT IDEOGRAPH-17000..TANGUT IDEOGRAPH-187F7 + {0x18800, 0x18AFF, prW}, // Lo [768] TANGUT COMPONENT-001..TANGUT COMPONENT-768 + {0x18B00, 0x18CD5, prW}, // Lo [470] KHITAN SMALL SCRIPT CHARACTER-18B00..KHITAN SMALL SCRIPT CHARACTER-18CD5 + {0x18D00, 0x18D08, prW}, // Lo [9] TANGUT IDEOGRAPH-18D00..TANGUT IDEOGRAPH-18D08 + {0x1AFF0, 0x1AFF3, prW}, // Lm [4] KATAKANA LETTER MINNAN TONE-2..KATAKANA LETTER MINNAN TONE-5 + {0x1AFF5, 0x1AFFB, prW}, // Lm [7] KATAKANA LETTER MINNAN TONE-7..KATAKANA LETTER MINNAN NASALIZED TONE-5 + {0x1AFFD, 0x1AFFE, prW}, // Lm [2] KATAKANA LETTER MINNAN NASALIZED TONE-7..KATAKANA LETTER MINNAN NASALIZED TONE-8 + {0x1B000, 0x1B0FF, prW}, // Lo [256] KATAKANA LETTER ARCHAIC E..HENTAIGANA LETTER RE-2 + {0x1B100, 0x1B122, prW}, // Lo [35] HENTAIGANA LETTER RE-3..KATAKANA LETTER ARCHAIC WU + {0x1B132, 0x1B132, prW}, // Lo HIRAGANA LETTER SMALL KO + {0x1B150, 0x1B152, prW}, // Lo [3] HIRAGANA LETTER SMALL WI..HIRAGANA LETTER SMALL WO + {0x1B155, 0x1B155, prW}, // Lo KATAKANA LETTER SMALL KO + {0x1B164, 0x1B167, prW}, // Lo [4] KATAKANA LETTER SMALL WI..KATAKANA LETTER SMALL N + {0x1B170, 0x1B2FB, prW}, // Lo [396] NUSHU CHARACTER-1B170..NUSHU CHARACTER-1B2FB + {0x1BC00, 0x1BC6A, prN}, // Lo [107] DUPLOYAN LETTER H..DUPLOYAN LETTER VOCALIC M + {0x1BC70, 0x1BC7C, prN}, // Lo [13] DUPLOYAN AFFIX LEFT HORIZONTAL SECANT..DUPLOYAN AFFIX ATTACHED TANGENT HOOK + {0x1BC80, 0x1BC88, prN}, // Lo [9] DUPLOYAN AFFIX HIGH ACUTE..DUPLOYAN AFFIX HIGH VERTICAL + {0x1BC90, 0x1BC99, prN}, // Lo [10] DUPLOYAN AFFIX LOW ACUTE..DUPLOYAN AFFIX LOW ARROW + {0x1BC9C, 0x1BC9C, prN}, // So DUPLOYAN SIGN O WITH CROSS + {0x1BC9D, 0x1BC9E, prN}, // Mn [2] DUPLOYAN THICK LETTER SELECTOR..DUPLOYAN DOUBLE MARK + {0x1BC9F, 0x1BC9F, prN}, // Po DUPLOYAN PUNCTUATION CHINOOK FULL STOP + {0x1BCA0, 0x1BCA3, prN}, // Cf [4] SHORTHAND FORMAT LETTER OVERLAP..SHORTHAND FORMAT UP STEP + {0x1CF00, 0x1CF2D, prN}, // Mn [46] ZNAMENNY COMBINING MARK GORAZDO NIZKO S KRYZHEM ON LEFT..ZNAMENNY COMBINING MARK KRYZH ON LEFT + {0x1CF30, 0x1CF46, prN}, // Mn [23] ZNAMENNY COMBINING TONAL RANGE MARK MRACHNO..ZNAMENNY PRIZNAK MODIFIER ROG + {0x1CF50, 0x1CFC3, prN}, // So [116] ZNAMENNY NEUME KRYUK..ZNAMENNY NEUME PAUK + {0x1D000, 0x1D0F5, prN}, // So [246] BYZANTINE MUSICAL SYMBOL PSILI..BYZANTINE MUSICAL SYMBOL GORGON NEO KATO + {0x1D100, 0x1D126, prN}, // So [39] MUSICAL SYMBOL SINGLE BARLINE..MUSICAL SYMBOL DRUM CLEF-2 + {0x1D129, 0x1D164, prN}, // So [60] MUSICAL SYMBOL MULTIPLE MEASURE REST..MUSICAL SYMBOL ONE HUNDRED TWENTY-EIGHTH NOTE + {0x1D165, 0x1D166, prN}, // Mc [2] MUSICAL SYMBOL COMBINING STEM..MUSICAL SYMBOL COMBINING SPRECHGESANG STEM + {0x1D167, 0x1D169, prN}, // Mn [3] MUSICAL SYMBOL COMBINING TREMOLO-1..MUSICAL SYMBOL COMBINING TREMOLO-3 + {0x1D16A, 0x1D16C, prN}, // So [3] MUSICAL SYMBOL FINGERED TREMOLO-1..MUSICAL SYMBOL FINGERED TREMOLO-3 + {0x1D16D, 0x1D172, prN}, // Mc [6] MUSICAL SYMBOL COMBINING AUGMENTATION DOT..MUSICAL SYMBOL COMBINING FLAG-5 + {0x1D173, 0x1D17A, prN}, // Cf [8] MUSICAL SYMBOL BEGIN BEAM..MUSICAL SYMBOL END PHRASE + {0x1D17B, 0x1D182, prN}, // Mn [8] MUSICAL SYMBOL COMBINING ACCENT..MUSICAL SYMBOL COMBINING LOURE + {0x1D183, 0x1D184, prN}, // So [2] MUSICAL SYMBOL ARPEGGIATO UP..MUSICAL SYMBOL ARPEGGIATO DOWN + {0x1D185, 0x1D18B, prN}, // Mn [7] MUSICAL SYMBOL COMBINING DOIT..MUSICAL SYMBOL COMBINING TRIPLE TONGUE + {0x1D18C, 0x1D1A9, prN}, // So [30] MUSICAL SYMBOL RINFORZANDO..MUSICAL SYMBOL DEGREE SLASH + {0x1D1AA, 0x1D1AD, prN}, // Mn [4] MUSICAL SYMBOL COMBINING DOWN BOW..MUSICAL SYMBOL COMBINING SNAP PIZZICATO + {0x1D1AE, 0x1D1EA, prN}, // So [61] MUSICAL SYMBOL PEDAL MARK..MUSICAL SYMBOL KORON + {0x1D200, 0x1D241, prN}, // So [66] GREEK VOCAL NOTATION SYMBOL-1..GREEK INSTRUMENTAL NOTATION SYMBOL-54 + {0x1D242, 0x1D244, prN}, // Mn [3] COMBINING GREEK MUSICAL TRISEME..COMBINING GREEK MUSICAL PENTASEME + {0x1D245, 0x1D245, prN}, // So GREEK MUSICAL LEIMMA + {0x1D2C0, 0x1D2D3, prN}, // No [20] KAKTOVIK NUMERAL ZERO..KAKTOVIK NUMERAL NINETEEN + {0x1D2E0, 0x1D2F3, prN}, // No [20] MAYAN NUMERAL ZERO..MAYAN NUMERAL NINETEEN + {0x1D300, 0x1D356, prN}, // So [87] MONOGRAM FOR EARTH..TETRAGRAM FOR FOSTERING + {0x1D360, 0x1D378, prN}, // No [25] COUNTING ROD UNIT DIGIT ONE..TALLY MARK FIVE + {0x1D400, 0x1D454, prN}, // L& [85] MATHEMATICAL BOLD CAPITAL A..MATHEMATICAL ITALIC SMALL G + {0x1D456, 0x1D49C, prN}, // L& [71] MATHEMATICAL ITALIC SMALL I..MATHEMATICAL SCRIPT CAPITAL A + {0x1D49E, 0x1D49F, prN}, // Lu [2] MATHEMATICAL SCRIPT CAPITAL C..MATHEMATICAL SCRIPT CAPITAL D + {0x1D4A2, 0x1D4A2, prN}, // Lu MATHEMATICAL SCRIPT CAPITAL G + {0x1D4A5, 0x1D4A6, prN}, // Lu [2] MATHEMATICAL SCRIPT CAPITAL J..MATHEMATICAL SCRIPT CAPITAL K + {0x1D4A9, 0x1D4AC, prN}, // Lu [4] MATHEMATICAL SCRIPT CAPITAL N..MATHEMATICAL SCRIPT CAPITAL Q + {0x1D4AE, 0x1D4B9, prN}, // L& [12] MATHEMATICAL SCRIPT CAPITAL S..MATHEMATICAL SCRIPT SMALL D + {0x1D4BB, 0x1D4BB, prN}, // Ll MATHEMATICAL SCRIPT SMALL F + {0x1D4BD, 0x1D4C3, prN}, // Ll [7] MATHEMATICAL SCRIPT SMALL H..MATHEMATICAL SCRIPT SMALL N + {0x1D4C5, 0x1D505, prN}, // L& [65] MATHEMATICAL SCRIPT SMALL P..MATHEMATICAL FRAKTUR CAPITAL B + {0x1D507, 0x1D50A, prN}, // Lu [4] MATHEMATICAL FRAKTUR CAPITAL D..MATHEMATICAL FRAKTUR CAPITAL G + {0x1D50D, 0x1D514, prN}, // Lu [8] MATHEMATICAL FRAKTUR CAPITAL J..MATHEMATICAL FRAKTUR CAPITAL Q + {0x1D516, 0x1D51C, prN}, // Lu [7] MATHEMATICAL FRAKTUR CAPITAL S..MATHEMATICAL FRAKTUR CAPITAL Y + {0x1D51E, 0x1D539, prN}, // L& [28] MATHEMATICAL FRAKTUR SMALL A..MATHEMATICAL DOUBLE-STRUCK CAPITAL B + {0x1D53B, 0x1D53E, prN}, // Lu [4] MATHEMATICAL DOUBLE-STRUCK CAPITAL D..MATHEMATICAL DOUBLE-STRUCK CAPITAL G + {0x1D540, 0x1D544, prN}, // Lu [5] MATHEMATICAL DOUBLE-STRUCK CAPITAL I..MATHEMATICAL DOUBLE-STRUCK CAPITAL M + {0x1D546, 0x1D546, prN}, // Lu MATHEMATICAL DOUBLE-STRUCK CAPITAL O + {0x1D54A, 0x1D550, prN}, // Lu [7] MATHEMATICAL DOUBLE-STRUCK CAPITAL S..MATHEMATICAL DOUBLE-STRUCK CAPITAL Y + {0x1D552, 0x1D6A5, prN}, // L& [340] MATHEMATICAL DOUBLE-STRUCK SMALL A..MATHEMATICAL ITALIC SMALL DOTLESS J + {0x1D6A8, 0x1D6C0, prN}, // Lu [25] MATHEMATICAL BOLD CAPITAL ALPHA..MATHEMATICAL BOLD CAPITAL OMEGA + {0x1D6C1, 0x1D6C1, prN}, // Sm MATHEMATICAL BOLD NABLA + {0x1D6C2, 0x1D6DA, prN}, // Ll [25] MATHEMATICAL BOLD SMALL ALPHA..MATHEMATICAL BOLD SMALL OMEGA + {0x1D6DB, 0x1D6DB, prN}, // Sm MATHEMATICAL BOLD PARTIAL DIFFERENTIAL + {0x1D6DC, 0x1D6FA, prN}, // L& [31] MATHEMATICAL BOLD EPSILON SYMBOL..MATHEMATICAL ITALIC CAPITAL OMEGA + {0x1D6FB, 0x1D6FB, prN}, // Sm MATHEMATICAL ITALIC NABLA + {0x1D6FC, 0x1D714, prN}, // Ll [25] MATHEMATICAL ITALIC SMALL ALPHA..MATHEMATICAL ITALIC SMALL OMEGA + {0x1D715, 0x1D715, prN}, // Sm MATHEMATICAL ITALIC PARTIAL DIFFERENTIAL + {0x1D716, 0x1D734, prN}, // L& [31] MATHEMATICAL ITALIC EPSILON SYMBOL..MATHEMATICAL BOLD ITALIC CAPITAL OMEGA + {0x1D735, 0x1D735, prN}, // Sm MATHEMATICAL BOLD ITALIC NABLA + {0x1D736, 0x1D74E, prN}, // Ll [25] MATHEMATICAL BOLD ITALIC SMALL ALPHA..MATHEMATICAL BOLD ITALIC SMALL OMEGA + {0x1D74F, 0x1D74F, prN}, // Sm MATHEMATICAL BOLD ITALIC PARTIAL DIFFERENTIAL + {0x1D750, 0x1D76E, prN}, // L& [31] MATHEMATICAL BOLD ITALIC EPSILON SYMBOL..MATHEMATICAL SANS-SERIF BOLD CAPITAL OMEGA + {0x1D76F, 0x1D76F, prN}, // Sm MATHEMATICAL SANS-SERIF BOLD NABLA + {0x1D770, 0x1D788, prN}, // Ll [25] MATHEMATICAL SANS-SERIF BOLD SMALL ALPHA..MATHEMATICAL SANS-SERIF BOLD SMALL OMEGA + {0x1D789, 0x1D789, prN}, // Sm MATHEMATICAL SANS-SERIF BOLD PARTIAL DIFFERENTIAL + {0x1D78A, 0x1D7A8, prN}, // L& [31] MATHEMATICAL SANS-SERIF BOLD EPSILON SYMBOL..MATHEMATICAL SANS-SERIF BOLD ITALIC CAPITAL OMEGA + {0x1D7A9, 0x1D7A9, prN}, // Sm MATHEMATICAL SANS-SERIF BOLD ITALIC NABLA + {0x1D7AA, 0x1D7C2, prN}, // Ll [25] MATHEMATICAL SANS-SERIF BOLD ITALIC SMALL ALPHA..MATHEMATICAL SANS-SERIF BOLD ITALIC SMALL OMEGA + {0x1D7C3, 0x1D7C3, prN}, // Sm MATHEMATICAL SANS-SERIF BOLD ITALIC PARTIAL DIFFERENTIAL + {0x1D7C4, 0x1D7CB, prN}, // L& [8] MATHEMATICAL SANS-SERIF BOLD ITALIC EPSILON SYMBOL..MATHEMATICAL BOLD SMALL DIGAMMA + {0x1D7CE, 0x1D7FF, prN}, // Nd [50] MATHEMATICAL BOLD DIGIT ZERO..MATHEMATICAL MONOSPACE DIGIT NINE + {0x1D800, 0x1D9FF, prN}, // So [512] SIGNWRITING HAND-FIST INDEX..SIGNWRITING HEAD + {0x1DA00, 0x1DA36, prN}, // Mn [55] SIGNWRITING HEAD RIM..SIGNWRITING AIR SUCKING IN + {0x1DA37, 0x1DA3A, prN}, // So [4] SIGNWRITING AIR BLOW SMALL ROTATIONS..SIGNWRITING BREATH EXHALE + {0x1DA3B, 0x1DA6C, prN}, // Mn [50] SIGNWRITING MOUTH CLOSED NEUTRAL..SIGNWRITING EXCITEMENT + {0x1DA6D, 0x1DA74, prN}, // So [8] SIGNWRITING SHOULDER HIP SPINE..SIGNWRITING TORSO-FLOORPLANE TWISTING + {0x1DA75, 0x1DA75, prN}, // Mn SIGNWRITING UPPER BODY TILTING FROM HIP JOINTS + {0x1DA76, 0x1DA83, prN}, // So [14] SIGNWRITING LIMB COMBINATION..SIGNWRITING LOCATION DEPTH + {0x1DA84, 0x1DA84, prN}, // Mn SIGNWRITING LOCATION HEAD NECK + {0x1DA85, 0x1DA86, prN}, // So [2] SIGNWRITING LOCATION TORSO..SIGNWRITING LOCATION LIMBS DIGITS + {0x1DA87, 0x1DA8B, prN}, // Po [5] SIGNWRITING COMMA..SIGNWRITING PARENTHESIS + {0x1DA9B, 0x1DA9F, prN}, // Mn [5] SIGNWRITING FILL MODIFIER-2..SIGNWRITING FILL MODIFIER-6 + {0x1DAA1, 0x1DAAF, prN}, // Mn [15] SIGNWRITING ROTATION MODIFIER-2..SIGNWRITING ROTATION MODIFIER-16 + {0x1DF00, 0x1DF09, prN}, // Ll [10] LATIN SMALL LETTER FENG DIGRAPH WITH TRILL..LATIN SMALL LETTER T WITH HOOK AND RETROFLEX HOOK + {0x1DF0A, 0x1DF0A, prN}, // Lo LATIN LETTER RETROFLEX CLICK WITH RETROFLEX HOOK + {0x1DF0B, 0x1DF1E, prN}, // Ll [20] LATIN SMALL LETTER ESH WITH DOUBLE BAR..LATIN SMALL LETTER S WITH CURL + {0x1DF25, 0x1DF2A, prN}, // Ll [6] LATIN SMALL LETTER D WITH MID-HEIGHT LEFT HOOK..LATIN SMALL LETTER T WITH MID-HEIGHT LEFT HOOK + {0x1E000, 0x1E006, prN}, // Mn [7] COMBINING GLAGOLITIC LETTER AZU..COMBINING GLAGOLITIC LETTER ZHIVETE + {0x1E008, 0x1E018, prN}, // Mn [17] COMBINING GLAGOLITIC LETTER ZEMLJA..COMBINING GLAGOLITIC LETTER HERU + {0x1E01B, 0x1E021, prN}, // Mn [7] COMBINING GLAGOLITIC LETTER SHTA..COMBINING GLAGOLITIC LETTER YATI + {0x1E023, 0x1E024, prN}, // Mn [2] COMBINING GLAGOLITIC LETTER YU..COMBINING GLAGOLITIC LETTER SMALL YUS + {0x1E026, 0x1E02A, prN}, // Mn [5] COMBINING GLAGOLITIC LETTER YO..COMBINING GLAGOLITIC LETTER FITA + {0x1E030, 0x1E06D, prN}, // Lm [62] MODIFIER LETTER CYRILLIC SMALL A..MODIFIER LETTER CYRILLIC SMALL STRAIGHT U WITH STROKE + {0x1E08F, 0x1E08F, prN}, // Mn COMBINING CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I + {0x1E100, 0x1E12C, prN}, // Lo [45] NYIAKENG PUACHUE HMONG LETTER MA..NYIAKENG PUACHUE HMONG LETTER W + {0x1E130, 0x1E136, prN}, // Mn [7] NYIAKENG PUACHUE HMONG TONE-B..NYIAKENG PUACHUE HMONG TONE-D + {0x1E137, 0x1E13D, prN}, // Lm [7] NYIAKENG PUACHUE HMONG SIGN FOR PERSON..NYIAKENG PUACHUE HMONG SYLLABLE LENGTHENER + {0x1E140, 0x1E149, prN}, // Nd [10] NYIAKENG PUACHUE HMONG DIGIT ZERO..NYIAKENG PUACHUE HMONG DIGIT NINE + {0x1E14E, 0x1E14E, prN}, // Lo NYIAKENG PUACHUE HMONG LOGOGRAM NYAJ + {0x1E14F, 0x1E14F, prN}, // So NYIAKENG PUACHUE HMONG CIRCLED CA + {0x1E290, 0x1E2AD, prN}, // Lo [30] TOTO LETTER PA..TOTO LETTER A + {0x1E2AE, 0x1E2AE, prN}, // Mn TOTO SIGN RISING TONE + {0x1E2C0, 0x1E2EB, prN}, // Lo [44] WANCHO LETTER AA..WANCHO LETTER YIH + {0x1E2EC, 0x1E2EF, prN}, // Mn [4] WANCHO TONE TUP..WANCHO TONE KOINI + {0x1E2F0, 0x1E2F9, prN}, // Nd [10] WANCHO DIGIT ZERO..WANCHO DIGIT NINE + {0x1E2FF, 0x1E2FF, prN}, // Sc WANCHO NGUN SIGN + {0x1E4D0, 0x1E4EA, prN}, // Lo [27] NAG MUNDARI LETTER O..NAG MUNDARI LETTER ELL + {0x1E4EB, 0x1E4EB, prN}, // Lm NAG MUNDARI SIGN OJOD + {0x1E4EC, 0x1E4EF, prN}, // Mn [4] NAG MUNDARI SIGN MUHOR..NAG MUNDARI SIGN SUTUH + {0x1E4F0, 0x1E4F9, prN}, // Nd [10] NAG MUNDARI DIGIT ZERO..NAG MUNDARI DIGIT NINE + {0x1E7E0, 0x1E7E6, prN}, // Lo [7] ETHIOPIC SYLLABLE HHYA..ETHIOPIC SYLLABLE HHYO + {0x1E7E8, 0x1E7EB, prN}, // Lo [4] ETHIOPIC SYLLABLE GURAGE HHWA..ETHIOPIC SYLLABLE HHWE + {0x1E7ED, 0x1E7EE, prN}, // Lo [2] ETHIOPIC SYLLABLE GURAGE MWI..ETHIOPIC SYLLABLE GURAGE MWEE + {0x1E7F0, 0x1E7FE, prN}, // Lo [15] ETHIOPIC SYLLABLE GURAGE QWI..ETHIOPIC SYLLABLE GURAGE PWEE + {0x1E800, 0x1E8C4, prN}, // Lo [197] MENDE KIKAKUI SYLLABLE M001 KI..MENDE KIKAKUI SYLLABLE M060 NYON + {0x1E8C7, 0x1E8CF, prN}, // No [9] MENDE KIKAKUI DIGIT ONE..MENDE KIKAKUI DIGIT NINE + {0x1E8D0, 0x1E8D6, prN}, // Mn [7] MENDE KIKAKUI COMBINING NUMBER TEENS..MENDE KIKAKUI COMBINING NUMBER MILLIONS + {0x1E900, 0x1E943, prN}, // L& [68] ADLAM CAPITAL LETTER ALIF..ADLAM SMALL LETTER SHA + {0x1E944, 0x1E94A, prN}, // Mn [7] ADLAM ALIF LENGTHENER..ADLAM NUKTA + {0x1E94B, 0x1E94B, prN}, // Lm ADLAM NASALIZATION MARK + {0x1E950, 0x1E959, prN}, // Nd [10] ADLAM DIGIT ZERO..ADLAM DIGIT NINE + {0x1E95E, 0x1E95F, prN}, // Po [2] ADLAM INITIAL EXCLAMATION MARK..ADLAM INITIAL QUESTION MARK + {0x1EC71, 0x1ECAB, prN}, // No [59] INDIC SIYAQ NUMBER ONE..INDIC SIYAQ NUMBER PREFIXED NINE + {0x1ECAC, 0x1ECAC, prN}, // So INDIC SIYAQ PLACEHOLDER + {0x1ECAD, 0x1ECAF, prN}, // No [3] INDIC SIYAQ FRACTION ONE QUARTER..INDIC SIYAQ FRACTION THREE QUARTERS + {0x1ECB0, 0x1ECB0, prN}, // Sc INDIC SIYAQ RUPEE MARK + {0x1ECB1, 0x1ECB4, prN}, // No [4] INDIC SIYAQ NUMBER ALTERNATE ONE..INDIC SIYAQ ALTERNATE LAKH MARK + {0x1ED01, 0x1ED2D, prN}, // No [45] OTTOMAN SIYAQ NUMBER ONE..OTTOMAN SIYAQ NUMBER NINETY THOUSAND + {0x1ED2E, 0x1ED2E, prN}, // So OTTOMAN SIYAQ MARRATAN + {0x1ED2F, 0x1ED3D, prN}, // No [15] OTTOMAN SIYAQ ALTERNATE NUMBER TWO..OTTOMAN SIYAQ FRACTION ONE SIXTH + {0x1EE00, 0x1EE03, prN}, // Lo [4] ARABIC MATHEMATICAL ALEF..ARABIC MATHEMATICAL DAL + {0x1EE05, 0x1EE1F, prN}, // Lo [27] ARABIC MATHEMATICAL WAW..ARABIC MATHEMATICAL DOTLESS QAF + {0x1EE21, 0x1EE22, prN}, // Lo [2] ARABIC MATHEMATICAL INITIAL BEH..ARABIC MATHEMATICAL INITIAL JEEM + {0x1EE24, 0x1EE24, prN}, // Lo ARABIC MATHEMATICAL INITIAL HEH + {0x1EE27, 0x1EE27, prN}, // Lo ARABIC MATHEMATICAL INITIAL HAH + {0x1EE29, 0x1EE32, prN}, // Lo [10] ARABIC MATHEMATICAL INITIAL YEH..ARABIC MATHEMATICAL INITIAL QAF + {0x1EE34, 0x1EE37, prN}, // Lo [4] ARABIC MATHEMATICAL INITIAL SHEEN..ARABIC MATHEMATICAL INITIAL KHAH + {0x1EE39, 0x1EE39, prN}, // Lo ARABIC MATHEMATICAL INITIAL DAD + {0x1EE3B, 0x1EE3B, prN}, // Lo ARABIC MATHEMATICAL INITIAL GHAIN + {0x1EE42, 0x1EE42, prN}, // Lo ARABIC MATHEMATICAL TAILED JEEM + {0x1EE47, 0x1EE47, prN}, // Lo ARABIC MATHEMATICAL TAILED HAH + {0x1EE49, 0x1EE49, prN}, // Lo ARABIC MATHEMATICAL TAILED YEH + {0x1EE4B, 0x1EE4B, prN}, // Lo ARABIC MATHEMATICAL TAILED LAM + {0x1EE4D, 0x1EE4F, prN}, // Lo [3] ARABIC MATHEMATICAL TAILED NOON..ARABIC MATHEMATICAL TAILED AIN + {0x1EE51, 0x1EE52, prN}, // Lo [2] ARABIC MATHEMATICAL TAILED SAD..ARABIC MATHEMATICAL TAILED QAF + {0x1EE54, 0x1EE54, prN}, // Lo ARABIC MATHEMATICAL TAILED SHEEN + {0x1EE57, 0x1EE57, prN}, // Lo ARABIC MATHEMATICAL TAILED KHAH + {0x1EE59, 0x1EE59, prN}, // Lo ARABIC MATHEMATICAL TAILED DAD + {0x1EE5B, 0x1EE5B, prN}, // Lo ARABIC MATHEMATICAL TAILED GHAIN + {0x1EE5D, 0x1EE5D, prN}, // Lo ARABIC MATHEMATICAL TAILED DOTLESS NOON + {0x1EE5F, 0x1EE5F, prN}, // Lo ARABIC MATHEMATICAL TAILED DOTLESS QAF + {0x1EE61, 0x1EE62, prN}, // Lo [2] ARABIC MATHEMATICAL STRETCHED BEH..ARABIC MATHEMATICAL STRETCHED JEEM + {0x1EE64, 0x1EE64, prN}, // Lo ARABIC MATHEMATICAL STRETCHED HEH + {0x1EE67, 0x1EE6A, prN}, // Lo [4] ARABIC MATHEMATICAL STRETCHED HAH..ARABIC MATHEMATICAL STRETCHED KAF + {0x1EE6C, 0x1EE72, prN}, // Lo [7] ARABIC MATHEMATICAL STRETCHED MEEM..ARABIC MATHEMATICAL STRETCHED QAF + {0x1EE74, 0x1EE77, prN}, // Lo [4] ARABIC MATHEMATICAL STRETCHED SHEEN..ARABIC MATHEMATICAL STRETCHED KHAH + {0x1EE79, 0x1EE7C, prN}, // Lo [4] ARABIC MATHEMATICAL STRETCHED DAD..ARABIC MATHEMATICAL STRETCHED DOTLESS BEH + {0x1EE7E, 0x1EE7E, prN}, // Lo ARABIC MATHEMATICAL STRETCHED DOTLESS FEH + {0x1EE80, 0x1EE89, prN}, // Lo [10] ARABIC MATHEMATICAL LOOPED ALEF..ARABIC MATHEMATICAL LOOPED YEH + {0x1EE8B, 0x1EE9B, prN}, // Lo [17] ARABIC MATHEMATICAL LOOPED LAM..ARABIC MATHEMATICAL LOOPED GHAIN + {0x1EEA1, 0x1EEA3, prN}, // Lo [3] ARABIC MATHEMATICAL DOUBLE-STRUCK BEH..ARABIC MATHEMATICAL DOUBLE-STRUCK DAL + {0x1EEA5, 0x1EEA9, prN}, // Lo [5] ARABIC MATHEMATICAL DOUBLE-STRUCK WAW..ARABIC MATHEMATICAL DOUBLE-STRUCK YEH + {0x1EEAB, 0x1EEBB, prN}, // Lo [17] ARABIC MATHEMATICAL DOUBLE-STRUCK LAM..ARABIC MATHEMATICAL DOUBLE-STRUCK GHAIN + {0x1EEF0, 0x1EEF1, prN}, // Sm [2] ARABIC MATHEMATICAL OPERATOR MEEM WITH HAH WITH TATWEEL..ARABIC MATHEMATICAL OPERATOR HAH WITH DAL + {0x1F000, 0x1F003, prN}, // So [4] MAHJONG TILE EAST WIND..MAHJONG TILE NORTH WIND + {0x1F004, 0x1F004, prW}, // So MAHJONG TILE RED DRAGON + {0x1F005, 0x1F02B, prN}, // So [39] MAHJONG TILE GREEN DRAGON..MAHJONG TILE BACK + {0x1F030, 0x1F093, prN}, // So [100] DOMINO TILE HORIZONTAL BACK..DOMINO TILE VERTICAL-06-06 + {0x1F0A0, 0x1F0AE, prN}, // So [15] PLAYING CARD BACK..PLAYING CARD KING OF SPADES + {0x1F0B1, 0x1F0BF, prN}, // So [15] PLAYING CARD ACE OF HEARTS..PLAYING CARD RED JOKER + {0x1F0C1, 0x1F0CE, prN}, // So [14] PLAYING CARD ACE OF DIAMONDS..PLAYING CARD KING OF DIAMONDS + {0x1F0CF, 0x1F0CF, prW}, // So PLAYING CARD BLACK JOKER + {0x1F0D1, 0x1F0F5, prN}, // So [37] PLAYING CARD ACE OF CLUBS..PLAYING CARD TRUMP-21 + {0x1F100, 0x1F10A, prA}, // No [11] DIGIT ZERO FULL STOP..DIGIT NINE COMMA + {0x1F10B, 0x1F10C, prN}, // No [2] DINGBAT CIRCLED SANS-SERIF DIGIT ZERO..DINGBAT NEGATIVE CIRCLED SANS-SERIF DIGIT ZERO + {0x1F10D, 0x1F10F, prN}, // So [3] CIRCLED ZERO WITH SLASH..CIRCLED DOLLAR SIGN WITH OVERLAID BACKSLASH + {0x1F110, 0x1F12D, prA}, // So [30] PARENTHESIZED LATIN CAPITAL LETTER A..CIRCLED CD + {0x1F12E, 0x1F12F, prN}, // So [2] CIRCLED WZ..COPYLEFT SYMBOL + {0x1F130, 0x1F169, prA}, // So [58] SQUARED LATIN CAPITAL LETTER A..NEGATIVE CIRCLED LATIN CAPITAL LETTER Z + {0x1F16A, 0x1F16F, prN}, // So [6] RAISED MC SIGN..CIRCLED HUMAN FIGURE + {0x1F170, 0x1F18D, prA}, // So [30] NEGATIVE SQUARED LATIN CAPITAL LETTER A..NEGATIVE SQUARED SA + {0x1F18E, 0x1F18E, prW}, // So NEGATIVE SQUARED AB + {0x1F18F, 0x1F190, prA}, // So [2] NEGATIVE SQUARED WC..SQUARE DJ + {0x1F191, 0x1F19A, prW}, // So [10] SQUARED CL..SQUARED VS + {0x1F19B, 0x1F1AC, prA}, // So [18] SQUARED THREE D..SQUARED VOD + {0x1F1AD, 0x1F1AD, prN}, // So MASK WORK SYMBOL + {0x1F1E6, 0x1F1FF, prN}, // So [26] REGIONAL INDICATOR SYMBOL LETTER A..REGIONAL INDICATOR SYMBOL LETTER Z + {0x1F200, 0x1F202, prW}, // So [3] SQUARE HIRAGANA HOKA..SQUARED KATAKANA SA + {0x1F210, 0x1F23B, prW}, // So [44] SQUARED CJK UNIFIED IDEOGRAPH-624B..SQUARED CJK UNIFIED IDEOGRAPH-914D + {0x1F240, 0x1F248, prW}, // So [9] TORTOISE SHELL BRACKETED CJK UNIFIED IDEOGRAPH-672C..TORTOISE SHELL BRACKETED CJK UNIFIED IDEOGRAPH-6557 + {0x1F250, 0x1F251, prW}, // So [2] CIRCLED IDEOGRAPH ADVANTAGE..CIRCLED IDEOGRAPH ACCEPT + {0x1F260, 0x1F265, prW}, // So [6] ROUNDED SYMBOL FOR FU..ROUNDED SYMBOL FOR CAI + {0x1F300, 0x1F320, prW}, // So [33] CYCLONE..SHOOTING STAR + {0x1F321, 0x1F32C, prN}, // So [12] THERMOMETER..WIND BLOWING FACE + {0x1F32D, 0x1F335, prW}, // So [9] HOT DOG..CACTUS + {0x1F336, 0x1F336, prN}, // So HOT PEPPER + {0x1F337, 0x1F37C, prW}, // So [70] TULIP..BABY BOTTLE + {0x1F37D, 0x1F37D, prN}, // So FORK AND KNIFE WITH PLATE + {0x1F37E, 0x1F393, prW}, // So [22] BOTTLE WITH POPPING CORK..GRADUATION CAP + {0x1F394, 0x1F39F, prN}, // So [12] HEART WITH TIP ON THE LEFT..ADMISSION TICKETS + {0x1F3A0, 0x1F3CA, prW}, // So [43] CAROUSEL HORSE..SWIMMER + {0x1F3CB, 0x1F3CE, prN}, // So [4] WEIGHT LIFTER..RACING CAR + {0x1F3CF, 0x1F3D3, prW}, // So [5] CRICKET BAT AND BALL..TABLE TENNIS PADDLE AND BALL + {0x1F3D4, 0x1F3DF, prN}, // So [12] SNOW CAPPED MOUNTAIN..STADIUM + {0x1F3E0, 0x1F3F0, prW}, // So [17] HOUSE BUILDING..EUROPEAN CASTLE + {0x1F3F1, 0x1F3F3, prN}, // So [3] WHITE PENNANT..WAVING WHITE FLAG + {0x1F3F4, 0x1F3F4, prW}, // So WAVING BLACK FLAG + {0x1F3F5, 0x1F3F7, prN}, // So [3] ROSETTE..LABEL + {0x1F3F8, 0x1F3FA, prW}, // So [3] BADMINTON RACQUET AND SHUTTLECOCK..AMPHORA + {0x1F3FB, 0x1F3FF, prW}, // Sk [5] EMOJI MODIFIER FITZPATRICK TYPE-1-2..EMOJI MODIFIER FITZPATRICK TYPE-6 + {0x1F400, 0x1F43E, prW}, // So [63] RAT..PAW PRINTS + {0x1F43F, 0x1F43F, prN}, // So CHIPMUNK + {0x1F440, 0x1F440, prW}, // So EYES + {0x1F441, 0x1F441, prN}, // So EYE + {0x1F442, 0x1F4FC, prW}, // So [187] EAR..VIDEOCASSETTE + {0x1F4FD, 0x1F4FE, prN}, // So [2] FILM PROJECTOR..PORTABLE STEREO + {0x1F4FF, 0x1F53D, prW}, // So [63] PRAYER BEADS..DOWN-POINTING SMALL RED TRIANGLE + {0x1F53E, 0x1F54A, prN}, // So [13] LOWER RIGHT SHADOWED WHITE CIRCLE..DOVE OF PEACE + {0x1F54B, 0x1F54E, prW}, // So [4] KAABA..MENORAH WITH NINE BRANCHES + {0x1F54F, 0x1F54F, prN}, // So BOWL OF HYGIEIA + {0x1F550, 0x1F567, prW}, // So [24] CLOCK FACE ONE OCLOCK..CLOCK FACE TWELVE-THIRTY + {0x1F568, 0x1F579, prN}, // So [18] RIGHT SPEAKER..JOYSTICK + {0x1F57A, 0x1F57A, prW}, // So MAN DANCING + {0x1F57B, 0x1F594, prN}, // So [26] LEFT HAND TELEPHONE RECEIVER..REVERSED VICTORY HAND + {0x1F595, 0x1F596, prW}, // So [2] REVERSED HAND WITH MIDDLE FINGER EXTENDED..RAISED HAND WITH PART BETWEEN MIDDLE AND RING FINGERS + {0x1F597, 0x1F5A3, prN}, // So [13] WHITE DOWN POINTING LEFT HAND INDEX..BLACK DOWN POINTING BACKHAND INDEX + {0x1F5A4, 0x1F5A4, prW}, // So BLACK HEART + {0x1F5A5, 0x1F5FA, prN}, // So [86] DESKTOP COMPUTER..WORLD MAP + {0x1F5FB, 0x1F5FF, prW}, // So [5] MOUNT FUJI..MOYAI + {0x1F600, 0x1F64F, prW}, // So [80] GRINNING FACE..PERSON WITH FOLDED HANDS + {0x1F650, 0x1F67F, prN}, // So [48] NORTH WEST POINTING LEAF..REVERSE CHECKER BOARD + {0x1F680, 0x1F6C5, prW}, // So [70] ROCKET..LEFT LUGGAGE + {0x1F6C6, 0x1F6CB, prN}, // So [6] TRIANGLE WITH ROUNDED CORNERS..COUCH AND LAMP + {0x1F6CC, 0x1F6CC, prW}, // So SLEEPING ACCOMMODATION + {0x1F6CD, 0x1F6CF, prN}, // So [3] SHOPPING BAGS..BED + {0x1F6D0, 0x1F6D2, prW}, // So [3] PLACE OF WORSHIP..SHOPPING TROLLEY + {0x1F6D3, 0x1F6D4, prN}, // So [2] STUPA..PAGODA + {0x1F6D5, 0x1F6D7, prW}, // So [3] HINDU TEMPLE..ELEVATOR + {0x1F6DC, 0x1F6DF, prW}, // So [4] WIRELESS..RING BUOY + {0x1F6E0, 0x1F6EA, prN}, // So [11] HAMMER AND WRENCH..NORTHEAST-POINTING AIRPLANE + {0x1F6EB, 0x1F6EC, prW}, // So [2] AIRPLANE DEPARTURE..AIRPLANE ARRIVING + {0x1F6F0, 0x1F6F3, prN}, // So [4] SATELLITE..PASSENGER SHIP + {0x1F6F4, 0x1F6FC, prW}, // So [9] SCOOTER..ROLLER SKATE + {0x1F700, 0x1F776, prN}, // So [119] ALCHEMICAL SYMBOL FOR QUINTESSENCE..LUNAR ECLIPSE + {0x1F77B, 0x1F77F, prN}, // So [5] HAUMEA..ORCUS + {0x1F780, 0x1F7D9, prN}, // So [90] BLACK LEFT-POINTING ISOSCELES RIGHT TRIANGLE..NINE POINTED WHITE STAR + {0x1F7E0, 0x1F7EB, prW}, // So [12] LARGE ORANGE CIRCLE..LARGE BROWN SQUARE + {0x1F7F0, 0x1F7F0, prW}, // So HEAVY EQUALS SIGN + {0x1F800, 0x1F80B, prN}, // So [12] LEFTWARDS ARROW WITH SMALL TRIANGLE ARROWHEAD..DOWNWARDS ARROW WITH LARGE TRIANGLE ARROWHEAD + {0x1F810, 0x1F847, prN}, // So [56] LEFTWARDS ARROW WITH SMALL EQUILATERAL ARROWHEAD..DOWNWARDS HEAVY ARROW + {0x1F850, 0x1F859, prN}, // So [10] LEFTWARDS SANS-SERIF ARROW..UP DOWN SANS-SERIF ARROW + {0x1F860, 0x1F887, prN}, // So [40] WIDE-HEADED LEFTWARDS LIGHT BARB ARROW..WIDE-HEADED SOUTH WEST VERY HEAVY BARB ARROW + {0x1F890, 0x1F8AD, prN}, // So [30] LEFTWARDS TRIANGLE ARROWHEAD..WHITE ARROW SHAFT WIDTH TWO THIRDS + {0x1F8B0, 0x1F8B1, prN}, // So [2] ARROW POINTING UPWARDS THEN NORTH WEST..ARROW POINTING RIGHTWARDS THEN CURVING SOUTH WEST + {0x1F900, 0x1F90B, prN}, // So [12] CIRCLED CROSS FORMEE WITH FOUR DOTS..DOWNWARD FACING NOTCHED HOOK WITH DOT + {0x1F90C, 0x1F93A, prW}, // So [47] PINCHED FINGERS..FENCER + {0x1F93B, 0x1F93B, prN}, // So MODERN PENTATHLON + {0x1F93C, 0x1F945, prW}, // So [10] WRESTLERS..GOAL NET + {0x1F946, 0x1F946, prN}, // So RIFLE + {0x1F947, 0x1F9FF, prW}, // So [185] FIRST PLACE MEDAL..NAZAR AMULET + {0x1FA00, 0x1FA53, prN}, // So [84] NEUTRAL CHESS KING..BLACK CHESS KNIGHT-BISHOP + {0x1FA60, 0x1FA6D, prN}, // So [14] XIANGQI RED GENERAL..XIANGQI BLACK SOLDIER + {0x1FA70, 0x1FA7C, prW}, // So [13] BALLET SHOES..CRUTCH + {0x1FA80, 0x1FA88, prW}, // So [9] YO-YO..FLUTE + {0x1FA90, 0x1FABD, prW}, // So [46] RINGED PLANET..WING + {0x1FABF, 0x1FAC5, prW}, // So [7] GOOSE..PERSON WITH CROWN + {0x1FACE, 0x1FADB, prW}, // So [14] MOOSE..PEA POD + {0x1FAE0, 0x1FAE8, prW}, // So [9] MELTING FACE..SHAKING FACE + {0x1FAF0, 0x1FAF8, prW}, // So [9] HAND WITH INDEX FINGER AND THUMB CROSSED..RIGHTWARDS PUSHING HAND + {0x1FB00, 0x1FB92, prN}, // So [147] BLOCK SEXTANT-1..UPPER HALF INVERSE MEDIUM SHADE AND LOWER HALF BLOCK + {0x1FB94, 0x1FBCA, prN}, // So [55] LEFT HALF INVERSE MEDIUM SHADE AND RIGHT HALF BLOCK..WHITE UP-POINTING CHEVRON + {0x1FBF0, 0x1FBF9, prN}, // Nd [10] SEGMENTED DIGIT ZERO..SEGMENTED DIGIT NINE + {0x20000, 0x2A6DF, prW}, // Lo [42720] CJK UNIFIED IDEOGRAPH-20000..CJK UNIFIED IDEOGRAPH-2A6DF + {0x2A6E0, 0x2A6FF, prW}, // Cn [32] .. + {0x2A700, 0x2B739, prW}, // Lo [4154] CJK UNIFIED IDEOGRAPH-2A700..CJK UNIFIED IDEOGRAPH-2B739 + {0x2B73A, 0x2B73F, prW}, // Cn [6] .. + {0x2B740, 0x2B81D, prW}, // Lo [222] CJK UNIFIED IDEOGRAPH-2B740..CJK UNIFIED IDEOGRAPH-2B81D + {0x2B81E, 0x2B81F, prW}, // Cn [2] .. + {0x2B820, 0x2CEA1, prW}, // Lo [5762] CJK UNIFIED IDEOGRAPH-2B820..CJK UNIFIED IDEOGRAPH-2CEA1 + {0x2CEA2, 0x2CEAF, prW}, // Cn [14] .. + {0x2CEB0, 0x2EBE0, prW}, // Lo [7473] CJK UNIFIED IDEOGRAPH-2CEB0..CJK UNIFIED IDEOGRAPH-2EBE0 + {0x2EBE1, 0x2F7FF, prW}, // Cn [3103] .. + {0x2F800, 0x2FA1D, prW}, // Lo [542] CJK COMPATIBILITY IDEOGRAPH-2F800..CJK COMPATIBILITY IDEOGRAPH-2FA1D + {0x2FA1E, 0x2FA1F, prW}, // Cn [2] .. + {0x2FA20, 0x2FFFD, prW}, // Cn [1502] .. + {0x30000, 0x3134A, prW}, // Lo [4939] CJK UNIFIED IDEOGRAPH-30000..CJK UNIFIED IDEOGRAPH-3134A + {0x3134B, 0x3134F, prW}, // Cn [5] .. + {0x31350, 0x323AF, prW}, // Lo [4192] CJK UNIFIED IDEOGRAPH-31350..CJK UNIFIED IDEOGRAPH-323AF + {0x323B0, 0x3FFFD, prW}, // Cn [56398] .. + {0xE0001, 0xE0001, prN}, // Cf LANGUAGE TAG + {0xE0020, 0xE007F, prN}, // Cf [96] TAG SPACE..CANCEL TAG + {0xE0100, 0xE01EF, prA}, // Mn [240] VARIATION SELECTOR-17..VARIATION SELECTOR-256 + {0xF0000, 0xFFFFD, prA}, // Co [65534] .. + {0x100000, 0x10FFFD, prA}, // Co [65534] .. +} diff --git a/vendor/github.com/rivo/uniseg/emojipresentation.go b/vendor/github.com/rivo/uniseg/emojipresentation.go new file mode 100644 index 0000000000..9b5f499c4a --- /dev/null +++ b/vendor/github.com/rivo/uniseg/emojipresentation.go @@ -0,0 +1,295 @@ +// Code generated via go generate from gen_properties.go. DO NOT EDIT. + +package uniseg + +// emojiPresentation are taken from +// +// and +// https://unicode.org/Public/15.0.0/ucd/emoji/emoji-data.txt +// ("Extended_Pictographic" only) +// on September 5, 2023. See https://www.unicode.org/license.html for the Unicode +// license agreement. +var emojiPresentation = [][3]int{ + {0x231A, 0x231B, prEmojiPresentation}, // E0.6 [2] (⌚..⌛) watch..hourglass done + {0x23E9, 0x23EC, prEmojiPresentation}, // E0.6 [4] (â©..â¬) fast-forward button..fast down button + {0x23F0, 0x23F0, prEmojiPresentation}, // E0.6 [1] (â°) alarm clock + {0x23F3, 0x23F3, prEmojiPresentation}, // E0.6 [1] (â³) hourglass not done + {0x25FD, 0x25FE, prEmojiPresentation}, // E0.6 [2] (â—½..â—¾) white medium-small square..black medium-small square + {0x2614, 0x2615, prEmojiPresentation}, // E0.6 [2] (☔..☕) umbrella with rain drops..hot beverage + {0x2648, 0x2653, prEmojiPresentation}, // E0.6 [12] (♈..♓) Aries..Pisces + {0x267F, 0x267F, prEmojiPresentation}, // E0.6 [1] (♿) wheelchair symbol + {0x2693, 0x2693, prEmojiPresentation}, // E0.6 [1] (âš“) anchor + {0x26A1, 0x26A1, prEmojiPresentation}, // E0.6 [1] (âš¡) high voltage + {0x26AA, 0x26AB, prEmojiPresentation}, // E0.6 [2] (⚪..âš«) white circle..black circle + {0x26BD, 0x26BE, prEmojiPresentation}, // E0.6 [2] (âš½..âš¾) soccer ball..baseball + {0x26C4, 0x26C5, prEmojiPresentation}, // E0.6 [2] (⛄..â›…) snowman without snow..sun behind cloud + {0x26CE, 0x26CE, prEmojiPresentation}, // E0.6 [1] (⛎) Ophiuchus + {0x26D4, 0x26D4, prEmojiPresentation}, // E0.6 [1] (â›”) no entry + {0x26EA, 0x26EA, prEmojiPresentation}, // E0.6 [1] (⛪) church + {0x26F2, 0x26F3, prEmojiPresentation}, // E0.6 [2] (⛲..⛳) fountain..flag in hole + {0x26F5, 0x26F5, prEmojiPresentation}, // E0.6 [1] (⛵) sailboat + {0x26FA, 0x26FA, prEmojiPresentation}, // E0.6 [1] (⛺) tent + {0x26FD, 0x26FD, prEmojiPresentation}, // E0.6 [1] (⛽) fuel pump + {0x2705, 0x2705, prEmojiPresentation}, // E0.6 [1] (✅) check mark button + {0x270A, 0x270B, prEmojiPresentation}, // E0.6 [2] (✊..✋) raised fist..raised hand + {0x2728, 0x2728, prEmojiPresentation}, // E0.6 [1] (✨) sparkles + {0x274C, 0x274C, prEmojiPresentation}, // E0.6 [1] (âŒ) cross mark + {0x274E, 0x274E, prEmojiPresentation}, // E0.6 [1] (âŽ) cross mark button + {0x2753, 0x2755, prEmojiPresentation}, // E0.6 [3] (â“..â•) red question mark..white exclamation mark + {0x2757, 0x2757, prEmojiPresentation}, // E0.6 [1] (â—) red exclamation mark + {0x2795, 0x2797, prEmojiPresentation}, // E0.6 [3] (âž•..âž—) plus..divide + {0x27B0, 0x27B0, prEmojiPresentation}, // E0.6 [1] (âž°) curly loop + {0x27BF, 0x27BF, prEmojiPresentation}, // E1.0 [1] (âž¿) double curly loop + {0x2B1B, 0x2B1C, prEmojiPresentation}, // E0.6 [2] (⬛..⬜) black large square..white large square + {0x2B50, 0x2B50, prEmojiPresentation}, // E0.6 [1] (â­) star + {0x2B55, 0x2B55, prEmojiPresentation}, // E0.6 [1] (â­•) hollow red circle + {0x1F004, 0x1F004, prEmojiPresentation}, // E0.6 [1] (🀄) mahjong red dragon + {0x1F0CF, 0x1F0CF, prEmojiPresentation}, // E0.6 [1] (ðŸƒ) joker + {0x1F18E, 0x1F18E, prEmojiPresentation}, // E0.6 [1] (🆎) AB button (blood type) + {0x1F191, 0x1F19A, prEmojiPresentation}, // E0.6 [10] (🆑..🆚) CL button..VS button + {0x1F1E6, 0x1F1FF, prEmojiPresentation}, // E0.0 [26] (🇦..🇿) regional indicator symbol letter a..regional indicator symbol letter z + {0x1F201, 0x1F201, prEmojiPresentation}, // E0.6 [1] (ðŸˆ) Japanese “here†button + {0x1F21A, 0x1F21A, prEmojiPresentation}, // E0.6 [1] (🈚) Japanese “free of charge†button + {0x1F22F, 0x1F22F, prEmojiPresentation}, // E0.6 [1] (🈯) Japanese “reserved†button + {0x1F232, 0x1F236, prEmojiPresentation}, // E0.6 [5] (🈲..🈶) Japanese “prohibited†button..Japanese “not free of charge†button + {0x1F238, 0x1F23A, prEmojiPresentation}, // E0.6 [3] (🈸..🈺) Japanese “application†button..Japanese “open for business†button + {0x1F250, 0x1F251, prEmojiPresentation}, // E0.6 [2] (ðŸ‰..🉑) Japanese “bargain†button..Japanese “acceptable†button + {0x1F300, 0x1F30C, prEmojiPresentation}, // E0.6 [13] (🌀..🌌) cyclone..milky way + {0x1F30D, 0x1F30E, prEmojiPresentation}, // E0.7 [2] (ðŸŒ..🌎) globe showing Europe-Africa..globe showing Americas + {0x1F30F, 0x1F30F, prEmojiPresentation}, // E0.6 [1] (ðŸŒ) globe showing Asia-Australia + {0x1F310, 0x1F310, prEmojiPresentation}, // E1.0 [1] (ðŸŒ) globe with meridians + {0x1F311, 0x1F311, prEmojiPresentation}, // E0.6 [1] (🌑) new moon + {0x1F312, 0x1F312, prEmojiPresentation}, // E1.0 [1] (🌒) waxing crescent moon + {0x1F313, 0x1F315, prEmojiPresentation}, // E0.6 [3] (🌓..🌕) first quarter moon..full moon + {0x1F316, 0x1F318, prEmojiPresentation}, // E1.0 [3] (🌖..🌘) waning gibbous moon..waning crescent moon + {0x1F319, 0x1F319, prEmojiPresentation}, // E0.6 [1] (🌙) crescent moon + {0x1F31A, 0x1F31A, prEmojiPresentation}, // E1.0 [1] (🌚) new moon face + {0x1F31B, 0x1F31B, prEmojiPresentation}, // E0.6 [1] (🌛) first quarter moon face + {0x1F31C, 0x1F31C, prEmojiPresentation}, // E0.7 [1] (🌜) last quarter moon face + {0x1F31D, 0x1F31E, prEmojiPresentation}, // E1.0 [2] (ðŸŒ..🌞) full moon face..sun with face + {0x1F31F, 0x1F320, prEmojiPresentation}, // E0.6 [2] (🌟..🌠) glowing star..shooting star + {0x1F32D, 0x1F32F, prEmojiPresentation}, // E1.0 [3] (🌭..🌯) hot dog..burrito + {0x1F330, 0x1F331, prEmojiPresentation}, // E0.6 [2] (🌰..🌱) chestnut..seedling + {0x1F332, 0x1F333, prEmojiPresentation}, // E1.0 [2] (🌲..🌳) evergreen tree..deciduous tree + {0x1F334, 0x1F335, prEmojiPresentation}, // E0.6 [2] (🌴..🌵) palm tree..cactus + {0x1F337, 0x1F34A, prEmojiPresentation}, // E0.6 [20] (🌷..ðŸŠ) tulip..tangerine + {0x1F34B, 0x1F34B, prEmojiPresentation}, // E1.0 [1] (ðŸ‹) lemon + {0x1F34C, 0x1F34F, prEmojiPresentation}, // E0.6 [4] (ðŸŒ..ðŸ) banana..green apple + {0x1F350, 0x1F350, prEmojiPresentation}, // E1.0 [1] (ðŸ) pear + {0x1F351, 0x1F37B, prEmojiPresentation}, // E0.6 [43] (ðŸ‘..ðŸ») peach..clinking beer mugs + {0x1F37C, 0x1F37C, prEmojiPresentation}, // E1.0 [1] (ðŸ¼) baby bottle + {0x1F37E, 0x1F37F, prEmojiPresentation}, // E1.0 [2] (ðŸ¾..ðŸ¿) bottle with popping cork..popcorn + {0x1F380, 0x1F393, prEmojiPresentation}, // E0.6 [20] (🎀..🎓) ribbon..graduation cap + {0x1F3A0, 0x1F3C4, prEmojiPresentation}, // E0.6 [37] (🎠..ðŸ„) carousel horse..person surfing + {0x1F3C5, 0x1F3C5, prEmojiPresentation}, // E1.0 [1] (ðŸ…) sports medal + {0x1F3C6, 0x1F3C6, prEmojiPresentation}, // E0.6 [1] (ðŸ†) trophy + {0x1F3C7, 0x1F3C7, prEmojiPresentation}, // E1.0 [1] (ðŸ‡) horse racing + {0x1F3C8, 0x1F3C8, prEmojiPresentation}, // E0.6 [1] (ðŸˆ) american football + {0x1F3C9, 0x1F3C9, prEmojiPresentation}, // E1.0 [1] (ðŸ‰) rugby football + {0x1F3CA, 0x1F3CA, prEmojiPresentation}, // E0.6 [1] (ðŸŠ) person swimming + {0x1F3CF, 0x1F3D3, prEmojiPresentation}, // E1.0 [5] (ðŸ..ðŸ“) cricket game..ping pong + {0x1F3E0, 0x1F3E3, prEmojiPresentation}, // E0.6 [4] (ðŸ ..ðŸ£) house..Japanese post office + {0x1F3E4, 0x1F3E4, prEmojiPresentation}, // E1.0 [1] (ðŸ¤) post office + {0x1F3E5, 0x1F3F0, prEmojiPresentation}, // E0.6 [12] (ðŸ¥..ðŸ°) hospital..castle + {0x1F3F4, 0x1F3F4, prEmojiPresentation}, // E1.0 [1] (ðŸ´) black flag + {0x1F3F8, 0x1F407, prEmojiPresentation}, // E1.0 [16] (ðŸ¸..ðŸ‡) badminton..rabbit + {0x1F408, 0x1F408, prEmojiPresentation}, // E0.7 [1] (ðŸˆ) cat + {0x1F409, 0x1F40B, prEmojiPresentation}, // E1.0 [3] (ðŸ‰..ðŸ‹) dragon..whale + {0x1F40C, 0x1F40E, prEmojiPresentation}, // E0.6 [3] (ðŸŒ..ðŸŽ) snail..horse + {0x1F40F, 0x1F410, prEmojiPresentation}, // E1.0 [2] (ðŸ..ðŸ) ram..goat + {0x1F411, 0x1F412, prEmojiPresentation}, // E0.6 [2] (ðŸ‘..ðŸ’) ewe..monkey + {0x1F413, 0x1F413, prEmojiPresentation}, // E1.0 [1] (ðŸ“) rooster + {0x1F414, 0x1F414, prEmojiPresentation}, // E0.6 [1] (ðŸ”) chicken + {0x1F415, 0x1F415, prEmojiPresentation}, // E0.7 [1] (ðŸ•) dog + {0x1F416, 0x1F416, prEmojiPresentation}, // E1.0 [1] (ðŸ–) pig + {0x1F417, 0x1F429, prEmojiPresentation}, // E0.6 [19] (ðŸ—..ðŸ©) boar..poodle + {0x1F42A, 0x1F42A, prEmojiPresentation}, // E1.0 [1] (ðŸª) camel + {0x1F42B, 0x1F43E, prEmojiPresentation}, // E0.6 [20] (ðŸ«..ðŸ¾) two-hump camel..paw prints + {0x1F440, 0x1F440, prEmojiPresentation}, // E0.6 [1] (👀) eyes + {0x1F442, 0x1F464, prEmojiPresentation}, // E0.6 [35] (👂..👤) ear..bust in silhouette + {0x1F465, 0x1F465, prEmojiPresentation}, // E1.0 [1] (👥) busts in silhouette + {0x1F466, 0x1F46B, prEmojiPresentation}, // E0.6 [6] (👦..👫) boy..woman and man holding hands + {0x1F46C, 0x1F46D, prEmojiPresentation}, // E1.0 [2] (👬..👭) men holding hands..women holding hands + {0x1F46E, 0x1F4AC, prEmojiPresentation}, // E0.6 [63] (👮..💬) police officer..speech balloon + {0x1F4AD, 0x1F4AD, prEmojiPresentation}, // E1.0 [1] (💭) thought balloon + {0x1F4AE, 0x1F4B5, prEmojiPresentation}, // E0.6 [8] (💮..💵) white flower..dollar banknote + {0x1F4B6, 0x1F4B7, prEmojiPresentation}, // E1.0 [2] (💶..💷) euro banknote..pound banknote + {0x1F4B8, 0x1F4EB, prEmojiPresentation}, // E0.6 [52] (💸..📫) money with wings..closed mailbox with raised flag + {0x1F4EC, 0x1F4ED, prEmojiPresentation}, // E0.7 [2] (📬..📭) open mailbox with raised flag..open mailbox with lowered flag + {0x1F4EE, 0x1F4EE, prEmojiPresentation}, // E0.6 [1] (📮) postbox + {0x1F4EF, 0x1F4EF, prEmojiPresentation}, // E1.0 [1] (📯) postal horn + {0x1F4F0, 0x1F4F4, prEmojiPresentation}, // E0.6 [5] (📰..📴) newspaper..mobile phone off + {0x1F4F5, 0x1F4F5, prEmojiPresentation}, // E1.0 [1] (📵) no mobile phones + {0x1F4F6, 0x1F4F7, prEmojiPresentation}, // E0.6 [2] (📶..📷) antenna bars..camera + {0x1F4F8, 0x1F4F8, prEmojiPresentation}, // E1.0 [1] (📸) camera with flash + {0x1F4F9, 0x1F4FC, prEmojiPresentation}, // E0.6 [4] (📹..📼) video camera..videocassette + {0x1F4FF, 0x1F502, prEmojiPresentation}, // E1.0 [4] (📿..🔂) prayer beads..repeat single button + {0x1F503, 0x1F503, prEmojiPresentation}, // E0.6 [1] (🔃) clockwise vertical arrows + {0x1F504, 0x1F507, prEmojiPresentation}, // E1.0 [4] (🔄..🔇) counterclockwise arrows button..muted speaker + {0x1F508, 0x1F508, prEmojiPresentation}, // E0.7 [1] (🔈) speaker low volume + {0x1F509, 0x1F509, prEmojiPresentation}, // E1.0 [1] (🔉) speaker medium volume + {0x1F50A, 0x1F514, prEmojiPresentation}, // E0.6 [11] (🔊..🔔) speaker high volume..bell + {0x1F515, 0x1F515, prEmojiPresentation}, // E1.0 [1] (🔕) bell with slash + {0x1F516, 0x1F52B, prEmojiPresentation}, // E0.6 [22] (🔖..🔫) bookmark..water pistol + {0x1F52C, 0x1F52D, prEmojiPresentation}, // E1.0 [2] (🔬..🔭) microscope..telescope + {0x1F52E, 0x1F53D, prEmojiPresentation}, // E0.6 [16] (🔮..🔽) crystal ball..downwards button + {0x1F54B, 0x1F54E, prEmojiPresentation}, // E1.0 [4] (🕋..🕎) kaaba..menorah + {0x1F550, 0x1F55B, prEmojiPresentation}, // E0.6 [12] (ðŸ•..🕛) one o’clock..twelve o’clock + {0x1F55C, 0x1F567, prEmojiPresentation}, // E0.7 [12] (🕜..🕧) one-thirty..twelve-thirty + {0x1F57A, 0x1F57A, prEmojiPresentation}, // E3.0 [1] (🕺) man dancing + {0x1F595, 0x1F596, prEmojiPresentation}, // E1.0 [2] (🖕..🖖) middle finger..vulcan salute + {0x1F5A4, 0x1F5A4, prEmojiPresentation}, // E3.0 [1] (🖤) black heart + {0x1F5FB, 0x1F5FF, prEmojiPresentation}, // E0.6 [5] (🗻..🗿) mount fuji..moai + {0x1F600, 0x1F600, prEmojiPresentation}, // E1.0 [1] (😀) grinning face + {0x1F601, 0x1F606, prEmojiPresentation}, // E0.6 [6] (ðŸ˜..😆) beaming face with smiling eyes..grinning squinting face + {0x1F607, 0x1F608, prEmojiPresentation}, // E1.0 [2] (😇..😈) smiling face with halo..smiling face with horns + {0x1F609, 0x1F60D, prEmojiPresentation}, // E0.6 [5] (😉..ðŸ˜) winking face..smiling face with heart-eyes + {0x1F60E, 0x1F60E, prEmojiPresentation}, // E1.0 [1] (😎) smiling face with sunglasses + {0x1F60F, 0x1F60F, prEmojiPresentation}, // E0.6 [1] (ðŸ˜) smirking face + {0x1F610, 0x1F610, prEmojiPresentation}, // E0.7 [1] (ðŸ˜) neutral face + {0x1F611, 0x1F611, prEmojiPresentation}, // E1.0 [1] (😑) expressionless face + {0x1F612, 0x1F614, prEmojiPresentation}, // E0.6 [3] (😒..😔) unamused face..pensive face + {0x1F615, 0x1F615, prEmojiPresentation}, // E1.0 [1] (😕) confused face + {0x1F616, 0x1F616, prEmojiPresentation}, // E0.6 [1] (😖) confounded face + {0x1F617, 0x1F617, prEmojiPresentation}, // E1.0 [1] (😗) kissing face + {0x1F618, 0x1F618, prEmojiPresentation}, // E0.6 [1] (😘) face blowing a kiss + {0x1F619, 0x1F619, prEmojiPresentation}, // E1.0 [1] (😙) kissing face with smiling eyes + {0x1F61A, 0x1F61A, prEmojiPresentation}, // E0.6 [1] (😚) kissing face with closed eyes + {0x1F61B, 0x1F61B, prEmojiPresentation}, // E1.0 [1] (😛) face with tongue + {0x1F61C, 0x1F61E, prEmojiPresentation}, // E0.6 [3] (😜..😞) winking face with tongue..disappointed face + {0x1F61F, 0x1F61F, prEmojiPresentation}, // E1.0 [1] (😟) worried face + {0x1F620, 0x1F625, prEmojiPresentation}, // E0.6 [6] (😠..😥) angry face..sad but relieved face + {0x1F626, 0x1F627, prEmojiPresentation}, // E1.0 [2] (😦..😧) frowning face with open mouth..anguished face + {0x1F628, 0x1F62B, prEmojiPresentation}, // E0.6 [4] (😨..😫) fearful face..tired face + {0x1F62C, 0x1F62C, prEmojiPresentation}, // E1.0 [1] (😬) grimacing face + {0x1F62D, 0x1F62D, prEmojiPresentation}, // E0.6 [1] (😭) loudly crying face + {0x1F62E, 0x1F62F, prEmojiPresentation}, // E1.0 [2] (😮..😯) face with open mouth..hushed face + {0x1F630, 0x1F633, prEmojiPresentation}, // E0.6 [4] (😰..😳) anxious face with sweat..flushed face + {0x1F634, 0x1F634, prEmojiPresentation}, // E1.0 [1] (😴) sleeping face + {0x1F635, 0x1F635, prEmojiPresentation}, // E0.6 [1] (😵) face with crossed-out eyes + {0x1F636, 0x1F636, prEmojiPresentation}, // E1.0 [1] (😶) face without mouth + {0x1F637, 0x1F640, prEmojiPresentation}, // E0.6 [10] (😷..🙀) face with medical mask..weary cat + {0x1F641, 0x1F644, prEmojiPresentation}, // E1.0 [4] (ðŸ™..🙄) slightly frowning face..face with rolling eyes + {0x1F645, 0x1F64F, prEmojiPresentation}, // E0.6 [11] (🙅..ðŸ™) person gesturing NO..folded hands + {0x1F680, 0x1F680, prEmojiPresentation}, // E0.6 [1] (🚀) rocket + {0x1F681, 0x1F682, prEmojiPresentation}, // E1.0 [2] (ðŸš..🚂) helicopter..locomotive + {0x1F683, 0x1F685, prEmojiPresentation}, // E0.6 [3] (🚃..🚅) railway car..bullet train + {0x1F686, 0x1F686, prEmojiPresentation}, // E1.0 [1] (🚆) train + {0x1F687, 0x1F687, prEmojiPresentation}, // E0.6 [1] (🚇) metro + {0x1F688, 0x1F688, prEmojiPresentation}, // E1.0 [1] (🚈) light rail + {0x1F689, 0x1F689, prEmojiPresentation}, // E0.6 [1] (🚉) station + {0x1F68A, 0x1F68B, prEmojiPresentation}, // E1.0 [2] (🚊..🚋) tram..tram car + {0x1F68C, 0x1F68C, prEmojiPresentation}, // E0.6 [1] (🚌) bus + {0x1F68D, 0x1F68D, prEmojiPresentation}, // E0.7 [1] (ðŸš) oncoming bus + {0x1F68E, 0x1F68E, prEmojiPresentation}, // E1.0 [1] (🚎) trolleybus + {0x1F68F, 0x1F68F, prEmojiPresentation}, // E0.6 [1] (ðŸš) bus stop + {0x1F690, 0x1F690, prEmojiPresentation}, // E1.0 [1] (ðŸš) minibus + {0x1F691, 0x1F693, prEmojiPresentation}, // E0.6 [3] (🚑..🚓) ambulance..police car + {0x1F694, 0x1F694, prEmojiPresentation}, // E0.7 [1] (🚔) oncoming police car + {0x1F695, 0x1F695, prEmojiPresentation}, // E0.6 [1] (🚕) taxi + {0x1F696, 0x1F696, prEmojiPresentation}, // E1.0 [1] (🚖) oncoming taxi + {0x1F697, 0x1F697, prEmojiPresentation}, // E0.6 [1] (🚗) automobile + {0x1F698, 0x1F698, prEmojiPresentation}, // E0.7 [1] (🚘) oncoming automobile + {0x1F699, 0x1F69A, prEmojiPresentation}, // E0.6 [2] (🚙..🚚) sport utility vehicle..delivery truck + {0x1F69B, 0x1F6A1, prEmojiPresentation}, // E1.0 [7] (🚛..🚡) articulated lorry..aerial tramway + {0x1F6A2, 0x1F6A2, prEmojiPresentation}, // E0.6 [1] (🚢) ship + {0x1F6A3, 0x1F6A3, prEmojiPresentation}, // E1.0 [1] (🚣) person rowing boat + {0x1F6A4, 0x1F6A5, prEmojiPresentation}, // E0.6 [2] (🚤..🚥) speedboat..horizontal traffic light + {0x1F6A6, 0x1F6A6, prEmojiPresentation}, // E1.0 [1] (🚦) vertical traffic light + {0x1F6A7, 0x1F6AD, prEmojiPresentation}, // E0.6 [7] (🚧..🚭) construction..no smoking + {0x1F6AE, 0x1F6B1, prEmojiPresentation}, // E1.0 [4] (🚮..🚱) litter in bin sign..non-potable water + {0x1F6B2, 0x1F6B2, prEmojiPresentation}, // E0.6 [1] (🚲) bicycle + {0x1F6B3, 0x1F6B5, prEmojiPresentation}, // E1.0 [3] (🚳..🚵) no bicycles..person mountain biking + {0x1F6B6, 0x1F6B6, prEmojiPresentation}, // E0.6 [1] (🚶) person walking + {0x1F6B7, 0x1F6B8, prEmojiPresentation}, // E1.0 [2] (🚷..🚸) no pedestrians..children crossing + {0x1F6B9, 0x1F6BE, prEmojiPresentation}, // E0.6 [6] (🚹..🚾) men’s room..water closet + {0x1F6BF, 0x1F6BF, prEmojiPresentation}, // E1.0 [1] (🚿) shower + {0x1F6C0, 0x1F6C0, prEmojiPresentation}, // E0.6 [1] (🛀) person taking bath + {0x1F6C1, 0x1F6C5, prEmojiPresentation}, // E1.0 [5] (ðŸ›..🛅) bathtub..left luggage + {0x1F6CC, 0x1F6CC, prEmojiPresentation}, // E1.0 [1] (🛌) person in bed + {0x1F6D0, 0x1F6D0, prEmojiPresentation}, // E1.0 [1] (ðŸ›) place of worship + {0x1F6D1, 0x1F6D2, prEmojiPresentation}, // E3.0 [2] (🛑..🛒) stop sign..shopping cart + {0x1F6D5, 0x1F6D5, prEmojiPresentation}, // E12.0 [1] (🛕) hindu temple + {0x1F6D6, 0x1F6D7, prEmojiPresentation}, // E13.0 [2] (🛖..🛗) hut..elevator + {0x1F6DC, 0x1F6DC, prEmojiPresentation}, // E15.0 [1] (🛜) wireless + {0x1F6DD, 0x1F6DF, prEmojiPresentation}, // E14.0 [3] (ðŸ›..🛟) playground slide..ring buoy + {0x1F6EB, 0x1F6EC, prEmojiPresentation}, // E1.0 [2] (🛫..🛬) airplane departure..airplane arrival + {0x1F6F4, 0x1F6F6, prEmojiPresentation}, // E3.0 [3] (🛴..🛶) kick scooter..canoe + {0x1F6F7, 0x1F6F8, prEmojiPresentation}, // E5.0 [2] (🛷..🛸) sled..flying saucer + {0x1F6F9, 0x1F6F9, prEmojiPresentation}, // E11.0 [1] (🛹) skateboard + {0x1F6FA, 0x1F6FA, prEmojiPresentation}, // E12.0 [1] (🛺) auto rickshaw + {0x1F6FB, 0x1F6FC, prEmojiPresentation}, // E13.0 [2] (🛻..🛼) pickup truck..roller skate + {0x1F7E0, 0x1F7EB, prEmojiPresentation}, // E12.0 [12] (🟠..🟫) orange circle..brown square + {0x1F7F0, 0x1F7F0, prEmojiPresentation}, // E14.0 [1] (🟰) heavy equals sign + {0x1F90C, 0x1F90C, prEmojiPresentation}, // E13.0 [1] (🤌) pinched fingers + {0x1F90D, 0x1F90F, prEmojiPresentation}, // E12.0 [3] (ðŸ¤..ðŸ¤) white heart..pinching hand + {0x1F910, 0x1F918, prEmojiPresentation}, // E1.0 [9] (ðŸ¤..🤘) zipper-mouth face..sign of the horns + {0x1F919, 0x1F91E, prEmojiPresentation}, // E3.0 [6] (🤙..🤞) call me hand..crossed fingers + {0x1F91F, 0x1F91F, prEmojiPresentation}, // E5.0 [1] (🤟) love-you gesture + {0x1F920, 0x1F927, prEmojiPresentation}, // E3.0 [8] (🤠..🤧) cowboy hat face..sneezing face + {0x1F928, 0x1F92F, prEmojiPresentation}, // E5.0 [8] (🤨..🤯) face with raised eyebrow..exploding head + {0x1F930, 0x1F930, prEmojiPresentation}, // E3.0 [1] (🤰) pregnant woman + {0x1F931, 0x1F932, prEmojiPresentation}, // E5.0 [2] (🤱..🤲) breast-feeding..palms up together + {0x1F933, 0x1F93A, prEmojiPresentation}, // E3.0 [8] (🤳..🤺) selfie..person fencing + {0x1F93C, 0x1F93E, prEmojiPresentation}, // E3.0 [3] (🤼..🤾) people wrestling..person playing handball + {0x1F93F, 0x1F93F, prEmojiPresentation}, // E12.0 [1] (🤿) diving mask + {0x1F940, 0x1F945, prEmojiPresentation}, // E3.0 [6] (🥀..🥅) wilted flower..goal net + {0x1F947, 0x1F94B, prEmojiPresentation}, // E3.0 [5] (🥇..🥋) 1st place medal..martial arts uniform + {0x1F94C, 0x1F94C, prEmojiPresentation}, // E5.0 [1] (🥌) curling stone + {0x1F94D, 0x1F94F, prEmojiPresentation}, // E11.0 [3] (ðŸ¥..ðŸ¥) lacrosse..flying disc + {0x1F950, 0x1F95E, prEmojiPresentation}, // E3.0 [15] (ðŸ¥..🥞) croissant..pancakes + {0x1F95F, 0x1F96B, prEmojiPresentation}, // E5.0 [13] (🥟..🥫) dumpling..canned food + {0x1F96C, 0x1F970, prEmojiPresentation}, // E11.0 [5] (🥬..🥰) leafy green..smiling face with hearts + {0x1F971, 0x1F971, prEmojiPresentation}, // E12.0 [1] (🥱) yawning face + {0x1F972, 0x1F972, prEmojiPresentation}, // E13.0 [1] (🥲) smiling face with tear + {0x1F973, 0x1F976, prEmojiPresentation}, // E11.0 [4] (🥳..🥶) partying face..cold face + {0x1F977, 0x1F978, prEmojiPresentation}, // E13.0 [2] (🥷..🥸) ninja..disguised face + {0x1F979, 0x1F979, prEmojiPresentation}, // E14.0 [1] (🥹) face holding back tears + {0x1F97A, 0x1F97A, prEmojiPresentation}, // E11.0 [1] (🥺) pleading face + {0x1F97B, 0x1F97B, prEmojiPresentation}, // E12.0 [1] (🥻) sari + {0x1F97C, 0x1F97F, prEmojiPresentation}, // E11.0 [4] (🥼..🥿) lab coat..flat shoe + {0x1F980, 0x1F984, prEmojiPresentation}, // E1.0 [5] (🦀..🦄) crab..unicorn + {0x1F985, 0x1F991, prEmojiPresentation}, // E3.0 [13] (🦅..🦑) eagle..squid + {0x1F992, 0x1F997, prEmojiPresentation}, // E5.0 [6] (🦒..🦗) giraffe..cricket + {0x1F998, 0x1F9A2, prEmojiPresentation}, // E11.0 [11] (🦘..🦢) kangaroo..swan + {0x1F9A3, 0x1F9A4, prEmojiPresentation}, // E13.0 [2] (🦣..🦤) mammoth..dodo + {0x1F9A5, 0x1F9AA, prEmojiPresentation}, // E12.0 [6] (🦥..🦪) sloth..oyster + {0x1F9AB, 0x1F9AD, prEmojiPresentation}, // E13.0 [3] (🦫..🦭) beaver..seal + {0x1F9AE, 0x1F9AF, prEmojiPresentation}, // E12.0 [2] (🦮..🦯) guide dog..white cane + {0x1F9B0, 0x1F9B9, prEmojiPresentation}, // E11.0 [10] (🦰..🦹) red hair..supervillain + {0x1F9BA, 0x1F9BF, prEmojiPresentation}, // E12.0 [6] (🦺..🦿) safety vest..mechanical leg + {0x1F9C0, 0x1F9C0, prEmojiPresentation}, // E1.0 [1] (🧀) cheese wedge + {0x1F9C1, 0x1F9C2, prEmojiPresentation}, // E11.0 [2] (ðŸ§..🧂) cupcake..salt + {0x1F9C3, 0x1F9CA, prEmojiPresentation}, // E12.0 [8] (🧃..🧊) beverage box..ice + {0x1F9CB, 0x1F9CB, prEmojiPresentation}, // E13.0 [1] (🧋) bubble tea + {0x1F9CC, 0x1F9CC, prEmojiPresentation}, // E14.0 [1] (🧌) troll + {0x1F9CD, 0x1F9CF, prEmojiPresentation}, // E12.0 [3] (ðŸ§..ðŸ§) person standing..deaf person + {0x1F9D0, 0x1F9E6, prEmojiPresentation}, // E5.0 [23] (ðŸ§..🧦) face with monocle..socks + {0x1F9E7, 0x1F9FF, prEmojiPresentation}, // E11.0 [25] (🧧..🧿) red envelope..nazar amulet + {0x1FA70, 0x1FA73, prEmojiPresentation}, // E12.0 [4] (🩰..🩳) ballet shoes..shorts + {0x1FA74, 0x1FA74, prEmojiPresentation}, // E13.0 [1] (🩴) thong sandal + {0x1FA75, 0x1FA77, prEmojiPresentation}, // E15.0 [3] (🩵..🩷) light blue heart..pink heart + {0x1FA78, 0x1FA7A, prEmojiPresentation}, // E12.0 [3] (🩸..🩺) drop of blood..stethoscope + {0x1FA7B, 0x1FA7C, prEmojiPresentation}, // E14.0 [2] (🩻..🩼) x-ray..crutch + {0x1FA80, 0x1FA82, prEmojiPresentation}, // E12.0 [3] (🪀..🪂) yo-yo..parachute + {0x1FA83, 0x1FA86, prEmojiPresentation}, // E13.0 [4] (🪃..🪆) boomerang..nesting dolls + {0x1FA87, 0x1FA88, prEmojiPresentation}, // E15.0 [2] (🪇..🪈) maracas..flute + {0x1FA90, 0x1FA95, prEmojiPresentation}, // E12.0 [6] (ðŸª..🪕) ringed planet..banjo + {0x1FA96, 0x1FAA8, prEmojiPresentation}, // E13.0 [19] (🪖..🪨) military helmet..rock + {0x1FAA9, 0x1FAAC, prEmojiPresentation}, // E14.0 [4] (🪩..🪬) mirror ball..hamsa + {0x1FAAD, 0x1FAAF, prEmojiPresentation}, // E15.0 [3] (🪭..🪯) folding hand fan..khanda + {0x1FAB0, 0x1FAB6, prEmojiPresentation}, // E13.0 [7] (🪰..🪶) fly..feather + {0x1FAB7, 0x1FABA, prEmojiPresentation}, // E14.0 [4] (🪷..🪺) lotus..nest with eggs + {0x1FABB, 0x1FABD, prEmojiPresentation}, // E15.0 [3] (🪻..🪽) hyacinth..wing + {0x1FABF, 0x1FABF, prEmojiPresentation}, // E15.0 [1] (🪿) goose + {0x1FAC0, 0x1FAC2, prEmojiPresentation}, // E13.0 [3] (🫀..🫂) anatomical heart..people hugging + {0x1FAC3, 0x1FAC5, prEmojiPresentation}, // E14.0 [3] (🫃..🫅) pregnant man..person with crown + {0x1FACE, 0x1FACF, prEmojiPresentation}, // E15.0 [2] (🫎..ðŸ«) moose..donkey + {0x1FAD0, 0x1FAD6, prEmojiPresentation}, // E13.0 [7] (ðŸ«..🫖) blueberries..teapot + {0x1FAD7, 0x1FAD9, prEmojiPresentation}, // E14.0 [3] (🫗..🫙) pouring liquid..jar + {0x1FADA, 0x1FADB, prEmojiPresentation}, // E15.0 [2] (🫚..🫛) ginger root..pea pod + {0x1FAE0, 0x1FAE7, prEmojiPresentation}, // E14.0 [8] (🫠..🫧) melting face..bubbles + {0x1FAE8, 0x1FAE8, prEmojiPresentation}, // E15.0 [1] (🫨) shaking face + {0x1FAF0, 0x1FAF6, prEmojiPresentation}, // E14.0 [7] (🫰..🫶) hand with index finger and thumb crossed..heart hands + {0x1FAF7, 0x1FAF8, prEmojiPresentation}, // E15.0 [2] (🫷..🫸) leftwards pushing hand..rightwards pushing hand +} diff --git a/vendor/github.com/rivo/uniseg/gen_breaktest.go b/vendor/github.com/rivo/uniseg/gen_breaktest.go new file mode 100644 index 0000000000..6bfbeb5e7f --- /dev/null +++ b/vendor/github.com/rivo/uniseg/gen_breaktest.go @@ -0,0 +1,215 @@ +//go:build generate + +// This program generates a Go containing a slice of test cases based on the +// Unicode Character Database auxiliary data files. The command line arguments +// are as follows: +// +// 1. The name of the Unicode data file (just the filename, without extension). +// 2. The name of the locally generated Go file. +// 3. The name of the slice containing the test cases. +// 4. The name of the generator, for logging purposes. +// +//go:generate go run gen_breaktest.go GraphemeBreakTest graphemebreak_test.go graphemeBreakTestCases graphemes +//go:generate go run gen_breaktest.go WordBreakTest wordbreak_test.go wordBreakTestCases words +//go:generate go run gen_breaktest.go SentenceBreakTest sentencebreak_test.go sentenceBreakTestCases sentences +//go:generate go run gen_breaktest.go LineBreakTest linebreak_test.go lineBreakTestCases lines + +package main + +import ( + "bufio" + "bytes" + "errors" + "fmt" + "go/format" + "io/ioutil" + "log" + "net/http" + "os" + "time" +) + +// We want to test against a specific version rather than the latest. When the +// package is upgraded to a new version, change these to generate new tests. +const ( + testCaseURL = `https://www.unicode.org/Public/15.0.0/ucd/auxiliary/%s.txt` +) + +func main() { + if len(os.Args) < 5 { + fmt.Println("Not enough arguments, see code for details") + os.Exit(1) + } + + log.SetPrefix("gen_breaktest (" + os.Args[4] + "): ") + log.SetFlags(0) + + // Read text of testcases and parse into Go source code. + src, err := parse(fmt.Sprintf(testCaseURL, os.Args[1])) + if err != nil { + log.Fatal(err) + } + + // Format the Go code. + formatted, err := format.Source(src) + if err != nil { + log.Fatalln("gofmt:", err) + } + + // Write it out. + log.Print("Writing to ", os.Args[2]) + if err := ioutil.WriteFile(os.Args[2], formatted, 0644); err != nil { + log.Fatal(err) + } +} + +// parse reads a break text file, either from a local file or from a URL. It +// parses the file data into Go source code representing the test cases. +func parse(url string) ([]byte, error) { + log.Printf("Parsing %s", url) + res, err := http.Get(url) + if err != nil { + return nil, err + } + body := res.Body + defer body.Close() + + buf := new(bytes.Buffer) + buf.Grow(120 << 10) + buf.WriteString(`// Code generated via go generate from gen_breaktest.go. DO NOT EDIT. + +package uniseg + +// ` + os.Args[3] + ` are Grapheme testcases taken from +// ` + url + ` +// on ` + time.Now().Format("January 2, 2006") + `. See +// https://www.unicode.org/license.html for the Unicode license agreement. +var ` + os.Args[3] + ` = []testCase { +`) + + sc := bufio.NewScanner(body) + num := 1 + var line []byte + original := make([]byte, 0, 64) + expected := make([]byte, 0, 64) + for sc.Scan() { + num++ + line = sc.Bytes() + if len(line) == 0 || line[0] == '#' { + continue + } + var comment []byte + if i := bytes.IndexByte(line, '#'); i >= 0 { + comment = bytes.TrimSpace(line[i+1:]) + line = bytes.TrimSpace(line[:i]) + } + original, expected, err := parseRuneSequence(line, original[:0], expected[:0]) + if err != nil { + return nil, fmt.Errorf(`line %d: %v: %q`, num, err, line) + } + fmt.Fprintf(buf, "\t{original: \"%s\", expected: %s}, // %s\n", original, expected, comment) + } + if err := sc.Err(); err != nil { + return nil, err + } + + // Check for final "# EOF", useful check if we're streaming via HTTP + if !bytes.Equal(line, []byte("# EOF")) { + return nil, fmt.Errorf(`line %d: exected "# EOF" as final line, got %q`, num, line) + } + buf.WriteString("}\n") + return buf.Bytes(), nil +} + +// Used by parseRuneSequence to match input via bytes.HasPrefix. +var ( + prefixBreak = []byte("÷ ") + prefixDontBreak = []byte("× ") + breakOk = []byte("÷") + breakNo = []byte("×") +) + +// parseRuneSequence parses a rune + breaking opportunity sequence from b +// and appends the Go code for testcase.original to orig +// and appends the Go code for testcase.expected to exp. +// It retuns the new orig and exp slices. +// +// E.g. for the input b="÷ 0020 × 0308 ÷ 1F1E6 ÷" +// it will append +// +// "\u0020\u0308\U0001F1E6" +// +// and "[][]rune{{0x0020,0x0308},{0x1F1E6},}" +// to orig and exp respectively. +// +// The formatting of exp is expected to be cleaned up by gofmt or format.Source. +// Note we explicitly require the sequence to start with ÷ and we implicitly +// require it to end with ÷. +func parseRuneSequence(b, orig, exp []byte) ([]byte, []byte, error) { + // Check for and remove first ÷ or ×. + if !bytes.HasPrefix(b, prefixBreak) && !bytes.HasPrefix(b, prefixDontBreak) { + return nil, nil, errors.New("expected ÷ or × as first character") + } + if bytes.HasPrefix(b, prefixBreak) { + b = b[len(prefixBreak):] + } else { + b = b[len(prefixDontBreak):] + } + + boundary := true + exp = append(exp, "[][]rune{"...) + for len(b) > 0 { + if boundary { + exp = append(exp, '{') + } + exp = append(exp, "0x"...) + // Find end of hex digits. + var i int + for i = 0; i < len(b) && b[i] != ' '; i++ { + if d := b[i]; ('0' <= d || d <= '9') || + ('A' <= d || d <= 'F') || + ('a' <= d || d <= 'f') { + continue + } + return nil, nil, errors.New("bad hex digit") + } + switch i { + case 4: + orig = append(orig, "\\u"...) + case 5: + orig = append(orig, "\\U000"...) + default: + return nil, nil, errors.New("unsupport code point hex length") + } + orig = append(orig, b[:i]...) + exp = append(exp, b[:i]...) + b = b[i:] + + // Check for space between hex and ÷ or ×. + if len(b) < 1 || b[0] != ' ' { + return nil, nil, errors.New("bad input") + } + b = b[1:] + + // Check for next boundary. + switch { + case bytes.HasPrefix(b, breakOk): + boundary = true + b = b[len(breakOk):] + case bytes.HasPrefix(b, breakNo): + boundary = false + b = b[len(breakNo):] + default: + return nil, nil, errors.New("missing ÷ or ×") + } + if boundary { + exp = append(exp, '}') + } + exp = append(exp, ',') + if len(b) > 0 && b[0] == ' ' { + b = b[1:] + } + } + exp = append(exp, '}') + return orig, exp, nil +} diff --git a/vendor/github.com/rivo/uniseg/gen_properties.go b/vendor/github.com/rivo/uniseg/gen_properties.go new file mode 100644 index 0000000000..8992d2c5f8 --- /dev/null +++ b/vendor/github.com/rivo/uniseg/gen_properties.go @@ -0,0 +1,261 @@ +//go:build generate + +// This program generates a property file in Go file from Unicode Character +// Database auxiliary data files. The command line arguments are as follows: +// +// 1. The name of the Unicode data file (just the filename, without extension). +// Can be "-" (to skip) if the emoji flag is included. +// 2. The name of the locally generated Go file. +// 3. The name of the slice mapping code points to properties. +// 4. The name of the generator, for logging purposes. +// 5. (Optional) Flags, comma-separated. The following flags are available: +// - "emojis=": include the specified emoji properties (e.g. +// "Extended_Pictographic"). +// - "gencat": include general category properties. +// +//go:generate go run gen_properties.go auxiliary/GraphemeBreakProperty graphemeproperties.go graphemeCodePoints graphemes emojis=Extended_Pictographic +//go:generate go run gen_properties.go auxiliary/WordBreakProperty wordproperties.go workBreakCodePoints words emojis=Extended_Pictographic +//go:generate go run gen_properties.go auxiliary/SentenceBreakProperty sentenceproperties.go sentenceBreakCodePoints sentences +//go:generate go run gen_properties.go LineBreak lineproperties.go lineBreakCodePoints lines gencat +//go:generate go run gen_properties.go EastAsianWidth eastasianwidth.go eastAsianWidth eastasianwidth +//go:generate go run gen_properties.go - emojipresentation.go emojiPresentation emojipresentation emojis=Emoji_Presentation +package main + +import ( + "bufio" + "bytes" + "errors" + "fmt" + "go/format" + "io/ioutil" + "log" + "net/http" + "os" + "regexp" + "sort" + "strconv" + "strings" + "time" +) + +// We want to test against a specific version rather than the latest. When the +// package is upgraded to a new version, change these to generate new tests. +const ( + propertyURL = `https://www.unicode.org/Public/15.0.0/ucd/%s.txt` + emojiURL = `https://unicode.org/Public/15.0.0/ucd/emoji/emoji-data.txt` +) + +// The regular expression for a line containing a code point range property. +var propertyPattern = regexp.MustCompile(`^([0-9A-F]{4,6})(\.\.([0-9A-F]{4,6}))?\s*;\s*([A-Za-z0-9_]+)\s*#\s(.+)$`) + +func main() { + if len(os.Args) < 5 { + fmt.Println("Not enough arguments, see code for details") + os.Exit(1) + } + + log.SetPrefix("gen_properties (" + os.Args[4] + "): ") + log.SetFlags(0) + + // Parse flags. + flags := make(map[string]string) + if len(os.Args) >= 6 { + for _, flag := range strings.Split(os.Args[5], ",") { + flagFields := strings.Split(flag, "=") + if len(flagFields) == 1 { + flags[flagFields[0]] = "yes" + } else { + flags[flagFields[0]] = flagFields[1] + } + } + } + + // Parse the text file and generate Go source code from it. + _, includeGeneralCategory := flags["gencat"] + var mainURL string + if os.Args[1] != "-" { + mainURL = fmt.Sprintf(propertyURL, os.Args[1]) + } + src, err := parse(mainURL, flags["emojis"], includeGeneralCategory) + if err != nil { + log.Fatal(err) + } + + // Format the Go code. + formatted, err := format.Source([]byte(src)) + if err != nil { + log.Fatal("gofmt:", err) + } + + // Save it to the (local) target file. + log.Print("Writing to ", os.Args[2]) + if err := ioutil.WriteFile(os.Args[2], formatted, 0644); err != nil { + log.Fatal(err) + } +} + +// parse parses the Unicode Properties text files located at the given URLs and +// returns their equivalent Go source code to be used in the uniseg package. If +// "emojiProperty" is not an empty string, emoji code points for that emoji +// property (e.g. "Extended_Pictographic") will be included. In those cases, you +// may pass an empty "propertyURL" to skip parsing the main properties file. If +// "includeGeneralCategory" is true, the Unicode General Category property will +// be extracted from the comments and included in the output. +func parse(propertyURL, emojiProperty string, includeGeneralCategory bool) (string, error) { + if propertyURL == "" && emojiProperty == "" { + return "", errors.New("no properties to parse") + } + + // Temporary buffer to hold properties. + var properties [][4]string + + // Open the first URL. + if propertyURL != "" { + log.Printf("Parsing %s", propertyURL) + res, err := http.Get(propertyURL) + if err != nil { + return "", err + } + in1 := res.Body + defer in1.Close() + + // Parse it. + scanner := bufio.NewScanner(in1) + num := 0 + for scanner.Scan() { + num++ + line := strings.TrimSpace(scanner.Text()) + + // Skip comments and empty lines. + if strings.HasPrefix(line, "#") || line == "" { + continue + } + + // Everything else must be a code point range, a property and a comment. + from, to, property, comment, err := parseProperty(line) + if err != nil { + return "", fmt.Errorf("%s line %d: %v", os.Args[4], num, err) + } + properties = append(properties, [4]string{from, to, property, comment}) + } + if err := scanner.Err(); err != nil { + return "", err + } + } + + // Open the second URL. + if emojiProperty != "" { + log.Printf("Parsing %s", emojiURL) + res, err := http.Get(emojiURL) + if err != nil { + return "", err + } + in2 := res.Body + defer in2.Close() + + // Parse it. + scanner := bufio.NewScanner(in2) + num := 0 + for scanner.Scan() { + num++ + line := scanner.Text() + + // Skip comments, empty lines, and everything not containing + // "Extended_Pictographic". + if strings.HasPrefix(line, "#") || line == "" || !strings.Contains(line, emojiProperty) { + continue + } + + // Everything else must be a code point range, a property and a comment. + from, to, property, comment, err := parseProperty(line) + if err != nil { + return "", fmt.Errorf("emojis line %d: %v", num, err) + } + properties = append(properties, [4]string{from, to, property, comment}) + } + if err := scanner.Err(); err != nil { + return "", err + } + } + + // Avoid overflow during binary search. + if len(properties) >= 1<<31 { + return "", errors.New("too many properties") + } + + // Sort properties. + sort.Slice(properties, func(i, j int) bool { + left, _ := strconv.ParseUint(properties[i][0], 16, 64) + right, _ := strconv.ParseUint(properties[j][0], 16, 64) + return left < right + }) + + // Header. + var ( + buf bytes.Buffer + emojiComment string + ) + columns := 3 + if includeGeneralCategory { + columns = 4 + } + if emojiURL != "" { + emojiComment = ` +// and +// ` + emojiURL + ` +// ("Extended_Pictographic" only)` + } + buf.WriteString(`// Code generated via go generate from gen_properties.go. DO NOT EDIT. + +package uniseg + +// ` + os.Args[3] + ` are taken from +// ` + propertyURL + emojiComment + ` +// on ` + time.Now().Format("January 2, 2006") + `. See https://www.unicode.org/license.html for the Unicode +// license agreement. +var ` + os.Args[3] + ` = [][` + strconv.Itoa(columns) + `]int{ + `) + + // Properties. + for _, prop := range properties { + if includeGeneralCategory { + generalCategory := "gc" + prop[3][:2] + if generalCategory == "gcL&" { + generalCategory = "gcLC" + } + prop[3] = prop[3][3:] + fmt.Fprintf(&buf, "{0x%s,0x%s,%s,%s}, // %s\n", prop[0], prop[1], translateProperty("pr", prop[2]), generalCategory, prop[3]) + } else { + fmt.Fprintf(&buf, "{0x%s,0x%s,%s}, // %s\n", prop[0], prop[1], translateProperty("pr", prop[2]), prop[3]) + } + } + + // Tail. + buf.WriteString("}") + + return buf.String(), nil +} + +// parseProperty parses a line of the Unicode properties text file containing a +// property for a code point range and returns it along with its comment. +func parseProperty(line string) (from, to, property, comment string, err error) { + fields := propertyPattern.FindStringSubmatch(line) + if fields == nil { + err = errors.New("no property found") + return + } + from = fields[1] + to = fields[3] + if to == "" { + to = from + } + property = fields[4] + comment = fields[5] + return +} + +// translateProperty translates a property name as used in the Unicode data file +// to a variable used in the Go code. +func translateProperty(prefix, property string) string { + return prefix + strings.ReplaceAll(property, "_", "") +} diff --git a/vendor/github.com/rivo/uniseg/grapheme.go b/vendor/github.com/rivo/uniseg/grapheme.go new file mode 100644 index 0000000000..b12403d43c --- /dev/null +++ b/vendor/github.com/rivo/uniseg/grapheme.go @@ -0,0 +1,331 @@ +package uniseg + +import "unicode/utf8" + +// Graphemes implements an iterator over Unicode grapheme clusters, or +// user-perceived characters. While iterating, it also provides information +// about word boundaries, sentence boundaries, line breaks, and monospace +// character widths. +// +// After constructing the class via [NewGraphemes] for a given string "str", +// [Graphemes.Next] is called for every grapheme cluster in a loop until it +// returns false. Inside the loop, information about the grapheme cluster as +// well as boundary information and character width is available via the various +// methods (see examples below). +// +// This class basically wraps the [StepString] parser and provides a convenient +// interface to it. If you are only interested in some parts of this package's +// functionality, using the specialized functions starting with "First" is +// almost always faster. +type Graphemes struct { + // The original string. + original string + + // The remaining string to be parsed. + remaining string + + // The current grapheme cluster. + cluster string + + // The byte offset of the current grapheme cluster relative to the original + // string. + offset int + + // The current boundary information of the [Step] parser. + boundaries int + + // The current state of the [Step] parser. + state int +} + +// NewGraphemes returns a new grapheme cluster iterator. +func NewGraphemes(str string) *Graphemes { + return &Graphemes{ + original: str, + remaining: str, + state: -1, + } +} + +// Next advances the iterator by one grapheme cluster and returns false if no +// clusters are left. This function must be called before the first cluster is +// accessed. +func (g *Graphemes) Next() bool { + if len(g.remaining) == 0 { + // We're already past the end. + g.state = -2 + g.cluster = "" + return false + } + g.offset += len(g.cluster) + g.cluster, g.remaining, g.boundaries, g.state = StepString(g.remaining, g.state) + return true +} + +// Runes returns a slice of runes (code points) which corresponds to the current +// grapheme cluster. If the iterator is already past the end or [Graphemes.Next] +// has not yet been called, nil is returned. +func (g *Graphemes) Runes() []rune { + if g.state < 0 { + return nil + } + return []rune(g.cluster) +} + +// Str returns a substring of the original string which corresponds to the +// current grapheme cluster. If the iterator is already past the end or +// [Graphemes.Next] has not yet been called, an empty string is returned. +func (g *Graphemes) Str() string { + return g.cluster +} + +// Bytes returns a byte slice which corresponds to the current grapheme cluster. +// If the iterator is already past the end or [Graphemes.Next] has not yet been +// called, nil is returned. +func (g *Graphemes) Bytes() []byte { + if g.state < 0 { + return nil + } + return []byte(g.cluster) +} + +// Positions returns the interval of the current grapheme cluster as byte +// positions into the original string. The first returned value "from" indexes +// the first byte and the second returned value "to" indexes the first byte that +// is not included anymore, i.e. str[from:to] is the current grapheme cluster of +// the original string "str". If [Graphemes.Next] has not yet been called, both +// values are 0. If the iterator is already past the end, both values are 1. +func (g *Graphemes) Positions() (int, int) { + if g.state == -1 { + return 0, 0 + } else if g.state == -2 { + return 1, 1 + } + return g.offset, g.offset + len(g.cluster) +} + +// IsWordBoundary returns true if a word ends after the current grapheme +// cluster. +func (g *Graphemes) IsWordBoundary() bool { + if g.state < 0 { + return true + } + return g.boundaries&MaskWord != 0 +} + +// IsSentenceBoundary returns true if a sentence ends after the current +// grapheme cluster. +func (g *Graphemes) IsSentenceBoundary() bool { + if g.state < 0 { + return true + } + return g.boundaries&MaskSentence != 0 +} + +// LineBreak returns whether the line can be broken after the current grapheme +// cluster. A value of [LineDontBreak] means the line may not be broken, a value +// of [LineMustBreak] means the line must be broken, and a value of +// [LineCanBreak] means the line may or may not be broken. +func (g *Graphemes) LineBreak() int { + if g.state == -1 { + return LineDontBreak + } + if g.state == -2 { + return LineMustBreak + } + return g.boundaries & MaskLine +} + +// Width returns the monospace width of the current grapheme cluster. +func (g *Graphemes) Width() int { + if g.state < 0 { + return 0 + } + return g.boundaries >> ShiftWidth +} + +// Reset puts the iterator into its initial state such that the next call to +// [Graphemes.Next] sets it to the first grapheme cluster again. +func (g *Graphemes) Reset() { + g.state = -1 + g.offset = 0 + g.cluster = "" + g.remaining = g.original +} + +// GraphemeClusterCount returns the number of user-perceived characters +// (grapheme clusters) for the given string. +func GraphemeClusterCount(s string) (n int) { + state := -1 + for len(s) > 0 { + _, s, _, state = FirstGraphemeClusterInString(s, state) + n++ + } + return +} + +// ReverseString reverses the given string while observing grapheme cluster +// boundaries. +func ReverseString(s string) string { + str := []byte(s) + reversed := make([]byte, len(str)) + state := -1 + index := len(str) + for len(str) > 0 { + var cluster []byte + cluster, str, _, state = FirstGraphemeCluster(str, state) + index -= len(cluster) + copy(reversed[index:], cluster) + if index <= len(str)/2 { + break + } + } + return string(reversed) +} + +// The number of bits the grapheme property must be shifted to make place for +// grapheme states. +const shiftGraphemePropState = 4 + +// FirstGraphemeCluster returns the first grapheme cluster found in the given +// byte slice according to the rules of [Unicode Standard Annex #29, Grapheme +// Cluster Boundaries]. This function can be called continuously to extract all +// grapheme clusters from a byte slice, as illustrated in the example below. +// +// If you don't know the current state, for example when calling the function +// for the first time, you must pass -1. For consecutive calls, pass the state +// and rest slice returned by the previous call. +// +// The "rest" slice is the sub-slice of the original byte slice "b" starting +// after the last byte of the identified grapheme cluster. If the length of the +// "rest" slice is 0, the entire byte slice "b" has been processed. The +// "cluster" byte slice is the sub-slice of the input slice containing the +// identified grapheme cluster. +// +// The returned width is the width of the grapheme cluster for most monospace +// fonts where a value of 1 represents one character cell. +// +// Given an empty byte slice "b", the function returns nil values. +// +// While slightly less convenient than using the Graphemes class, this function +// has much better performance and makes no allocations. It lends itself well to +// large byte slices. +// +// [Unicode Standard Annex #29, Grapheme Cluster Boundaries]: http://unicode.org/reports/tr29/#Grapheme_Cluster_Boundaries +func FirstGraphemeCluster(b []byte, state int) (cluster, rest []byte, width, newState int) { + // An empty byte slice returns nothing. + if len(b) == 0 { + return + } + + // Extract the first rune. + r, length := utf8.DecodeRune(b) + if len(b) <= length { // If we're already past the end, there is nothing else to parse. + var prop int + if state < 0 { + prop = propertyGraphemes(r) + } else { + prop = state >> shiftGraphemePropState + } + return b, nil, runeWidth(r, prop), grAny | (prop << shiftGraphemePropState) + } + + // If we don't know the state, determine it now. + var firstProp int + if state < 0 { + state, firstProp, _ = transitionGraphemeState(state, r) + } else { + firstProp = state >> shiftGraphemePropState + } + width += runeWidth(r, firstProp) + + // Transition until we find a boundary. + for { + var ( + prop int + boundary bool + ) + + r, l := utf8.DecodeRune(b[length:]) + state, prop, boundary = transitionGraphemeState(state&maskGraphemeState, r) + + if boundary { + return b[:length], b[length:], width, state | (prop << shiftGraphemePropState) + } + + if firstProp == prExtendedPictographic { + if r == vs15 { + width = 1 + } else if r == vs16 { + width = 2 + } + } else if firstProp != prRegionalIndicator && firstProp != prL { + width += runeWidth(r, prop) + } + + length += l + if len(b) <= length { + return b, nil, width, grAny | (prop << shiftGraphemePropState) + } + } +} + +// FirstGraphemeClusterInString is like [FirstGraphemeCluster] but its input and +// outputs are strings. +func FirstGraphemeClusterInString(str string, state int) (cluster, rest string, width, newState int) { + // An empty string returns nothing. + if len(str) == 0 { + return + } + + // Extract the first rune. + r, length := utf8.DecodeRuneInString(str) + if len(str) <= length { // If we're already past the end, there is nothing else to parse. + var prop int + if state < 0 { + prop = propertyGraphemes(r) + } else { + prop = state >> shiftGraphemePropState + } + return str, "", runeWidth(r, prop), grAny | (prop << shiftGraphemePropState) + } + + // If we don't know the state, determine it now. + var firstProp int + if state < 0 { + state, firstProp, _ = transitionGraphemeState(state, r) + } else { + firstProp = state >> shiftGraphemePropState + } + width += runeWidth(r, firstProp) + + // Transition until we find a boundary. + for { + var ( + prop int + boundary bool + ) + + r, l := utf8.DecodeRuneInString(str[length:]) + state, prop, boundary = transitionGraphemeState(state&maskGraphemeState, r) + + if boundary { + return str[:length], str[length:], width, state | (prop << shiftGraphemePropState) + } + + if firstProp == prExtendedPictographic { + if r == vs15 { + width = 1 + } else if r == vs16 { + width = 2 + } + } else if firstProp != prRegionalIndicator && firstProp != prL { + width += runeWidth(r, prop) + } + + length += l + if len(str) <= length { + return str, "", width, grAny | (prop << shiftGraphemePropState) + } + } +} diff --git a/vendor/github.com/rivo/uniseg/graphemeproperties.go b/vendor/github.com/rivo/uniseg/graphemeproperties.go new file mode 100644 index 0000000000..0aff4a619a --- /dev/null +++ b/vendor/github.com/rivo/uniseg/graphemeproperties.go @@ -0,0 +1,1915 @@ +// Code generated via go generate from gen_properties.go. DO NOT EDIT. + +package uniseg + +// graphemeCodePoints are taken from +// https://www.unicode.org/Public/15.0.0/ucd/auxiliary/GraphemeBreakProperty.txt +// and +// https://unicode.org/Public/15.0.0/ucd/emoji/emoji-data.txt +// ("Extended_Pictographic" only) +// on September 5, 2023. See https://www.unicode.org/license.html for the Unicode +// license agreement. +var graphemeCodePoints = [][3]int{ + {0x0000, 0x0009, prControl}, // Cc [10] .. + {0x000A, 0x000A, prLF}, // Cc + {0x000B, 0x000C, prControl}, // Cc [2] .. + {0x000D, 0x000D, prCR}, // Cc + {0x000E, 0x001F, prControl}, // Cc [18] .. + {0x007F, 0x009F, prControl}, // Cc [33] .. + {0x00A9, 0x00A9, prExtendedPictographic}, // E0.6 [1] (©ï¸) copyright + {0x00AD, 0x00AD, prControl}, // Cf SOFT HYPHEN + {0x00AE, 0x00AE, prExtendedPictographic}, // E0.6 [1] (®ï¸) registered + {0x0300, 0x036F, prExtend}, // Mn [112] COMBINING GRAVE ACCENT..COMBINING LATIN SMALL LETTER X + {0x0483, 0x0487, prExtend}, // Mn [5] COMBINING CYRILLIC TITLO..COMBINING CYRILLIC POKRYTIE + {0x0488, 0x0489, prExtend}, // Me [2] COMBINING CYRILLIC HUNDRED THOUSANDS SIGN..COMBINING CYRILLIC MILLIONS SIGN + {0x0591, 0x05BD, prExtend}, // Mn [45] HEBREW ACCENT ETNAHTA..HEBREW POINT METEG + {0x05BF, 0x05BF, prExtend}, // Mn HEBREW POINT RAFE + {0x05C1, 0x05C2, prExtend}, // Mn [2] HEBREW POINT SHIN DOT..HEBREW POINT SIN DOT + {0x05C4, 0x05C5, prExtend}, // Mn [2] HEBREW MARK UPPER DOT..HEBREW MARK LOWER DOT + {0x05C7, 0x05C7, prExtend}, // Mn HEBREW POINT QAMATS QATAN + {0x0600, 0x0605, prPrepend}, // Cf [6] ARABIC NUMBER SIGN..ARABIC NUMBER MARK ABOVE + {0x0610, 0x061A, prExtend}, // Mn [11] ARABIC SIGN SALLALLAHOU ALAYHE WASSALLAM..ARABIC SMALL KASRA + {0x061C, 0x061C, prControl}, // Cf ARABIC LETTER MARK + {0x064B, 0x065F, prExtend}, // Mn [21] ARABIC FATHATAN..ARABIC WAVY HAMZA BELOW + {0x0670, 0x0670, prExtend}, // Mn ARABIC LETTER SUPERSCRIPT ALEF + {0x06D6, 0x06DC, prExtend}, // Mn [7] ARABIC SMALL HIGH LIGATURE SAD WITH LAM WITH ALEF MAKSURA..ARABIC SMALL HIGH SEEN + {0x06DD, 0x06DD, prPrepend}, // Cf ARABIC END OF AYAH + {0x06DF, 0x06E4, prExtend}, // Mn [6] ARABIC SMALL HIGH ROUNDED ZERO..ARABIC SMALL HIGH MADDA + {0x06E7, 0x06E8, prExtend}, // Mn [2] ARABIC SMALL HIGH YEH..ARABIC SMALL HIGH NOON + {0x06EA, 0x06ED, prExtend}, // Mn [4] ARABIC EMPTY CENTRE LOW STOP..ARABIC SMALL LOW MEEM + {0x070F, 0x070F, prPrepend}, // Cf SYRIAC ABBREVIATION MARK + {0x0711, 0x0711, prExtend}, // Mn SYRIAC LETTER SUPERSCRIPT ALAPH + {0x0730, 0x074A, prExtend}, // Mn [27] SYRIAC PTHAHA ABOVE..SYRIAC BARREKH + {0x07A6, 0x07B0, prExtend}, // Mn [11] THAANA ABAFILI..THAANA SUKUN + {0x07EB, 0x07F3, prExtend}, // Mn [9] NKO COMBINING SHORT HIGH TONE..NKO COMBINING DOUBLE DOT ABOVE + {0x07FD, 0x07FD, prExtend}, // Mn NKO DANTAYALAN + {0x0816, 0x0819, prExtend}, // Mn [4] SAMARITAN MARK IN..SAMARITAN MARK DAGESH + {0x081B, 0x0823, prExtend}, // Mn [9] SAMARITAN MARK EPENTHETIC YUT..SAMARITAN VOWEL SIGN A + {0x0825, 0x0827, prExtend}, // Mn [3] SAMARITAN VOWEL SIGN SHORT A..SAMARITAN VOWEL SIGN U + {0x0829, 0x082D, prExtend}, // Mn [5] SAMARITAN VOWEL SIGN LONG I..SAMARITAN MARK NEQUDAA + {0x0859, 0x085B, prExtend}, // Mn [3] MANDAIC AFFRICATION MARK..MANDAIC GEMINATION MARK + {0x0890, 0x0891, prPrepend}, // Cf [2] ARABIC POUND MARK ABOVE..ARABIC PIASTRE MARK ABOVE + {0x0898, 0x089F, prExtend}, // Mn [8] ARABIC SMALL HIGH WORD AL-JUZ..ARABIC HALF MADDA OVER MADDA + {0x08CA, 0x08E1, prExtend}, // Mn [24] ARABIC SMALL HIGH FARSI YEH..ARABIC SMALL HIGH SIGN SAFHA + {0x08E2, 0x08E2, prPrepend}, // Cf ARABIC DISPUTED END OF AYAH + {0x08E3, 0x0902, prExtend}, // Mn [32] ARABIC TURNED DAMMA BELOW..DEVANAGARI SIGN ANUSVARA + {0x0903, 0x0903, prSpacingMark}, // Mc DEVANAGARI SIGN VISARGA + {0x093A, 0x093A, prExtend}, // Mn DEVANAGARI VOWEL SIGN OE + {0x093B, 0x093B, prSpacingMark}, // Mc DEVANAGARI VOWEL SIGN OOE + {0x093C, 0x093C, prExtend}, // Mn DEVANAGARI SIGN NUKTA + {0x093E, 0x0940, prSpacingMark}, // Mc [3] DEVANAGARI VOWEL SIGN AA..DEVANAGARI VOWEL SIGN II + {0x0941, 0x0948, prExtend}, // Mn [8] DEVANAGARI VOWEL SIGN U..DEVANAGARI VOWEL SIGN AI + {0x0949, 0x094C, prSpacingMark}, // Mc [4] DEVANAGARI VOWEL SIGN CANDRA O..DEVANAGARI VOWEL SIGN AU + {0x094D, 0x094D, prExtend}, // Mn DEVANAGARI SIGN VIRAMA + {0x094E, 0x094F, prSpacingMark}, // Mc [2] DEVANAGARI VOWEL SIGN PRISHTHAMATRA E..DEVANAGARI VOWEL SIGN AW + {0x0951, 0x0957, prExtend}, // Mn [7] DEVANAGARI STRESS SIGN UDATTA..DEVANAGARI VOWEL SIGN UUE + {0x0962, 0x0963, prExtend}, // Mn [2] DEVANAGARI VOWEL SIGN VOCALIC L..DEVANAGARI VOWEL SIGN VOCALIC LL + {0x0981, 0x0981, prExtend}, // Mn BENGALI SIGN CANDRABINDU + {0x0982, 0x0983, prSpacingMark}, // Mc [2] BENGALI SIGN ANUSVARA..BENGALI SIGN VISARGA + {0x09BC, 0x09BC, prExtend}, // Mn BENGALI SIGN NUKTA + {0x09BE, 0x09BE, prExtend}, // Mc BENGALI VOWEL SIGN AA + {0x09BF, 0x09C0, prSpacingMark}, // Mc [2] BENGALI VOWEL SIGN I..BENGALI VOWEL SIGN II + {0x09C1, 0x09C4, prExtend}, // Mn [4] BENGALI VOWEL SIGN U..BENGALI VOWEL SIGN VOCALIC RR + {0x09C7, 0x09C8, prSpacingMark}, // Mc [2] BENGALI VOWEL SIGN E..BENGALI VOWEL SIGN AI + {0x09CB, 0x09CC, prSpacingMark}, // Mc [2] BENGALI VOWEL SIGN O..BENGALI VOWEL SIGN AU + {0x09CD, 0x09CD, prExtend}, // Mn BENGALI SIGN VIRAMA + {0x09D7, 0x09D7, prExtend}, // Mc BENGALI AU LENGTH MARK + {0x09E2, 0x09E3, prExtend}, // Mn [2] BENGALI VOWEL SIGN VOCALIC L..BENGALI VOWEL SIGN VOCALIC LL + {0x09FE, 0x09FE, prExtend}, // Mn BENGALI SANDHI MARK + {0x0A01, 0x0A02, prExtend}, // Mn [2] GURMUKHI SIGN ADAK BINDI..GURMUKHI SIGN BINDI + {0x0A03, 0x0A03, prSpacingMark}, // Mc GURMUKHI SIGN VISARGA + {0x0A3C, 0x0A3C, prExtend}, // Mn GURMUKHI SIGN NUKTA + {0x0A3E, 0x0A40, prSpacingMark}, // Mc [3] GURMUKHI VOWEL SIGN AA..GURMUKHI VOWEL SIGN II + {0x0A41, 0x0A42, prExtend}, // Mn [2] GURMUKHI VOWEL SIGN U..GURMUKHI VOWEL SIGN UU + {0x0A47, 0x0A48, prExtend}, // Mn [2] GURMUKHI VOWEL SIGN EE..GURMUKHI VOWEL SIGN AI + {0x0A4B, 0x0A4D, prExtend}, // Mn [3] GURMUKHI VOWEL SIGN OO..GURMUKHI SIGN VIRAMA + {0x0A51, 0x0A51, prExtend}, // Mn GURMUKHI SIGN UDAAT + {0x0A70, 0x0A71, prExtend}, // Mn [2] GURMUKHI TIPPI..GURMUKHI ADDAK + {0x0A75, 0x0A75, prExtend}, // Mn GURMUKHI SIGN YAKASH + {0x0A81, 0x0A82, prExtend}, // Mn [2] GUJARATI SIGN CANDRABINDU..GUJARATI SIGN ANUSVARA + {0x0A83, 0x0A83, prSpacingMark}, // Mc GUJARATI SIGN VISARGA + {0x0ABC, 0x0ABC, prExtend}, // Mn GUJARATI SIGN NUKTA + {0x0ABE, 0x0AC0, prSpacingMark}, // Mc [3] GUJARATI VOWEL SIGN AA..GUJARATI VOWEL SIGN II + {0x0AC1, 0x0AC5, prExtend}, // Mn [5] GUJARATI VOWEL SIGN U..GUJARATI VOWEL SIGN CANDRA E + {0x0AC7, 0x0AC8, prExtend}, // Mn [2] GUJARATI VOWEL SIGN E..GUJARATI VOWEL SIGN AI + {0x0AC9, 0x0AC9, prSpacingMark}, // Mc GUJARATI VOWEL SIGN CANDRA O + {0x0ACB, 0x0ACC, prSpacingMark}, // Mc [2] GUJARATI VOWEL SIGN O..GUJARATI VOWEL SIGN AU + {0x0ACD, 0x0ACD, prExtend}, // Mn GUJARATI SIGN VIRAMA + {0x0AE2, 0x0AE3, prExtend}, // Mn [2] GUJARATI VOWEL SIGN VOCALIC L..GUJARATI VOWEL SIGN VOCALIC LL + {0x0AFA, 0x0AFF, prExtend}, // Mn [6] GUJARATI SIGN SUKUN..GUJARATI SIGN TWO-CIRCLE NUKTA ABOVE + {0x0B01, 0x0B01, prExtend}, // Mn ORIYA SIGN CANDRABINDU + {0x0B02, 0x0B03, prSpacingMark}, // Mc [2] ORIYA SIGN ANUSVARA..ORIYA SIGN VISARGA + {0x0B3C, 0x0B3C, prExtend}, // Mn ORIYA SIGN NUKTA + {0x0B3E, 0x0B3E, prExtend}, // Mc ORIYA VOWEL SIGN AA + {0x0B3F, 0x0B3F, prExtend}, // Mn ORIYA VOWEL SIGN I + {0x0B40, 0x0B40, prSpacingMark}, // Mc ORIYA VOWEL SIGN II + {0x0B41, 0x0B44, prExtend}, // Mn [4] ORIYA VOWEL SIGN U..ORIYA VOWEL SIGN VOCALIC RR + {0x0B47, 0x0B48, prSpacingMark}, // Mc [2] ORIYA VOWEL SIGN E..ORIYA VOWEL SIGN AI + {0x0B4B, 0x0B4C, prSpacingMark}, // Mc [2] ORIYA VOWEL SIGN O..ORIYA VOWEL SIGN AU + {0x0B4D, 0x0B4D, prExtend}, // Mn ORIYA SIGN VIRAMA + {0x0B55, 0x0B56, prExtend}, // Mn [2] ORIYA SIGN OVERLINE..ORIYA AI LENGTH MARK + {0x0B57, 0x0B57, prExtend}, // Mc ORIYA AU LENGTH MARK + {0x0B62, 0x0B63, prExtend}, // Mn [2] ORIYA VOWEL SIGN VOCALIC L..ORIYA VOWEL SIGN VOCALIC LL + {0x0B82, 0x0B82, prExtend}, // Mn TAMIL SIGN ANUSVARA + {0x0BBE, 0x0BBE, prExtend}, // Mc TAMIL VOWEL SIGN AA + {0x0BBF, 0x0BBF, prSpacingMark}, // Mc TAMIL VOWEL SIGN I + {0x0BC0, 0x0BC0, prExtend}, // Mn TAMIL VOWEL SIGN II + {0x0BC1, 0x0BC2, prSpacingMark}, // Mc [2] TAMIL VOWEL SIGN U..TAMIL VOWEL SIGN UU + {0x0BC6, 0x0BC8, prSpacingMark}, // Mc [3] TAMIL VOWEL SIGN E..TAMIL VOWEL SIGN AI + {0x0BCA, 0x0BCC, prSpacingMark}, // Mc [3] TAMIL VOWEL SIGN O..TAMIL VOWEL SIGN AU + {0x0BCD, 0x0BCD, prExtend}, // Mn TAMIL SIGN VIRAMA + {0x0BD7, 0x0BD7, prExtend}, // Mc TAMIL AU LENGTH MARK + {0x0C00, 0x0C00, prExtend}, // Mn TELUGU SIGN COMBINING CANDRABINDU ABOVE + {0x0C01, 0x0C03, prSpacingMark}, // Mc [3] TELUGU SIGN CANDRABINDU..TELUGU SIGN VISARGA + {0x0C04, 0x0C04, prExtend}, // Mn TELUGU SIGN COMBINING ANUSVARA ABOVE + {0x0C3C, 0x0C3C, prExtend}, // Mn TELUGU SIGN NUKTA + {0x0C3E, 0x0C40, prExtend}, // Mn [3] TELUGU VOWEL SIGN AA..TELUGU VOWEL SIGN II + {0x0C41, 0x0C44, prSpacingMark}, // Mc [4] TELUGU VOWEL SIGN U..TELUGU VOWEL SIGN VOCALIC RR + {0x0C46, 0x0C48, prExtend}, // Mn [3] TELUGU VOWEL SIGN E..TELUGU VOWEL SIGN AI + {0x0C4A, 0x0C4D, prExtend}, // Mn [4] TELUGU VOWEL SIGN O..TELUGU SIGN VIRAMA + {0x0C55, 0x0C56, prExtend}, // Mn [2] TELUGU LENGTH MARK..TELUGU AI LENGTH MARK + {0x0C62, 0x0C63, prExtend}, // Mn [2] TELUGU VOWEL SIGN VOCALIC L..TELUGU VOWEL SIGN VOCALIC LL + {0x0C81, 0x0C81, prExtend}, // Mn KANNADA SIGN CANDRABINDU + {0x0C82, 0x0C83, prSpacingMark}, // Mc [2] KANNADA SIGN ANUSVARA..KANNADA SIGN VISARGA + {0x0CBC, 0x0CBC, prExtend}, // Mn KANNADA SIGN NUKTA + {0x0CBE, 0x0CBE, prSpacingMark}, // Mc KANNADA VOWEL SIGN AA + {0x0CBF, 0x0CBF, prExtend}, // Mn KANNADA VOWEL SIGN I + {0x0CC0, 0x0CC1, prSpacingMark}, // Mc [2] KANNADA VOWEL SIGN II..KANNADA VOWEL SIGN U + {0x0CC2, 0x0CC2, prExtend}, // Mc KANNADA VOWEL SIGN UU + {0x0CC3, 0x0CC4, prSpacingMark}, // Mc [2] KANNADA VOWEL SIGN VOCALIC R..KANNADA VOWEL SIGN VOCALIC RR + {0x0CC6, 0x0CC6, prExtend}, // Mn KANNADA VOWEL SIGN E + {0x0CC7, 0x0CC8, prSpacingMark}, // Mc [2] KANNADA VOWEL SIGN EE..KANNADA VOWEL SIGN AI + {0x0CCA, 0x0CCB, prSpacingMark}, // Mc [2] KANNADA VOWEL SIGN O..KANNADA VOWEL SIGN OO + {0x0CCC, 0x0CCD, prExtend}, // Mn [2] KANNADA VOWEL SIGN AU..KANNADA SIGN VIRAMA + {0x0CD5, 0x0CD6, prExtend}, // Mc [2] KANNADA LENGTH MARK..KANNADA AI LENGTH MARK + {0x0CE2, 0x0CE3, prExtend}, // Mn [2] KANNADA VOWEL SIGN VOCALIC L..KANNADA VOWEL SIGN VOCALIC LL + {0x0CF3, 0x0CF3, prSpacingMark}, // Mc KANNADA SIGN COMBINING ANUSVARA ABOVE RIGHT + {0x0D00, 0x0D01, prExtend}, // Mn [2] MALAYALAM SIGN COMBINING ANUSVARA ABOVE..MALAYALAM SIGN CANDRABINDU + {0x0D02, 0x0D03, prSpacingMark}, // Mc [2] MALAYALAM SIGN ANUSVARA..MALAYALAM SIGN VISARGA + {0x0D3B, 0x0D3C, prExtend}, // Mn [2] MALAYALAM SIGN VERTICAL BAR VIRAMA..MALAYALAM SIGN CIRCULAR VIRAMA + {0x0D3E, 0x0D3E, prExtend}, // Mc MALAYALAM VOWEL SIGN AA + {0x0D3F, 0x0D40, prSpacingMark}, // Mc [2] MALAYALAM VOWEL SIGN I..MALAYALAM VOWEL SIGN II + {0x0D41, 0x0D44, prExtend}, // Mn [4] MALAYALAM VOWEL SIGN U..MALAYALAM VOWEL SIGN VOCALIC RR + {0x0D46, 0x0D48, prSpacingMark}, // Mc [3] MALAYALAM VOWEL SIGN E..MALAYALAM VOWEL SIGN AI + {0x0D4A, 0x0D4C, prSpacingMark}, // Mc [3] MALAYALAM VOWEL SIGN O..MALAYALAM VOWEL SIGN AU + {0x0D4D, 0x0D4D, prExtend}, // Mn MALAYALAM SIGN VIRAMA + {0x0D4E, 0x0D4E, prPrepend}, // Lo MALAYALAM LETTER DOT REPH + {0x0D57, 0x0D57, prExtend}, // Mc MALAYALAM AU LENGTH MARK + {0x0D62, 0x0D63, prExtend}, // Mn [2] MALAYALAM VOWEL SIGN VOCALIC L..MALAYALAM VOWEL SIGN VOCALIC LL + {0x0D81, 0x0D81, prExtend}, // Mn SINHALA SIGN CANDRABINDU + {0x0D82, 0x0D83, prSpacingMark}, // Mc [2] SINHALA SIGN ANUSVARAYA..SINHALA SIGN VISARGAYA + {0x0DCA, 0x0DCA, prExtend}, // Mn SINHALA SIGN AL-LAKUNA + {0x0DCF, 0x0DCF, prExtend}, // Mc SINHALA VOWEL SIGN AELA-PILLA + {0x0DD0, 0x0DD1, prSpacingMark}, // Mc [2] SINHALA VOWEL SIGN KETTI AEDA-PILLA..SINHALA VOWEL SIGN DIGA AEDA-PILLA + {0x0DD2, 0x0DD4, prExtend}, // Mn [3] SINHALA VOWEL SIGN KETTI IS-PILLA..SINHALA VOWEL SIGN KETTI PAA-PILLA + {0x0DD6, 0x0DD6, prExtend}, // Mn SINHALA VOWEL SIGN DIGA PAA-PILLA + {0x0DD8, 0x0DDE, prSpacingMark}, // Mc [7] SINHALA VOWEL SIGN GAETTA-PILLA..SINHALA VOWEL SIGN KOMBUVA HAA GAYANUKITTA + {0x0DDF, 0x0DDF, prExtend}, // Mc SINHALA VOWEL SIGN GAYANUKITTA + {0x0DF2, 0x0DF3, prSpacingMark}, // Mc [2] SINHALA VOWEL SIGN DIGA GAETTA-PILLA..SINHALA VOWEL SIGN DIGA GAYANUKITTA + {0x0E31, 0x0E31, prExtend}, // Mn THAI CHARACTER MAI HAN-AKAT + {0x0E33, 0x0E33, prSpacingMark}, // Lo THAI CHARACTER SARA AM + {0x0E34, 0x0E3A, prExtend}, // Mn [7] THAI CHARACTER SARA I..THAI CHARACTER PHINTHU + {0x0E47, 0x0E4E, prExtend}, // Mn [8] THAI CHARACTER MAITAIKHU..THAI CHARACTER YAMAKKAN + {0x0EB1, 0x0EB1, prExtend}, // Mn LAO VOWEL SIGN MAI KAN + {0x0EB3, 0x0EB3, prSpacingMark}, // Lo LAO VOWEL SIGN AM + {0x0EB4, 0x0EBC, prExtend}, // Mn [9] LAO VOWEL SIGN I..LAO SEMIVOWEL SIGN LO + {0x0EC8, 0x0ECE, prExtend}, // Mn [7] LAO TONE MAI EK..LAO YAMAKKAN + {0x0F18, 0x0F19, prExtend}, // Mn [2] TIBETAN ASTROLOGICAL SIGN -KHYUD PA..TIBETAN ASTROLOGICAL SIGN SDONG TSHUGS + {0x0F35, 0x0F35, prExtend}, // Mn TIBETAN MARK NGAS BZUNG NYI ZLA + {0x0F37, 0x0F37, prExtend}, // Mn TIBETAN MARK NGAS BZUNG SGOR RTAGS + {0x0F39, 0x0F39, prExtend}, // Mn TIBETAN MARK TSA -PHRU + {0x0F3E, 0x0F3F, prSpacingMark}, // Mc [2] TIBETAN SIGN YAR TSHES..TIBETAN SIGN MAR TSHES + {0x0F71, 0x0F7E, prExtend}, // Mn [14] TIBETAN VOWEL SIGN AA..TIBETAN SIGN RJES SU NGA RO + {0x0F7F, 0x0F7F, prSpacingMark}, // Mc TIBETAN SIGN RNAM BCAD + {0x0F80, 0x0F84, prExtend}, // Mn [5] TIBETAN VOWEL SIGN REVERSED I..TIBETAN MARK HALANTA + {0x0F86, 0x0F87, prExtend}, // Mn [2] TIBETAN SIGN LCI RTAGS..TIBETAN SIGN YANG RTAGS + {0x0F8D, 0x0F97, prExtend}, // Mn [11] TIBETAN SUBJOINED SIGN LCE TSA CAN..TIBETAN SUBJOINED LETTER JA + {0x0F99, 0x0FBC, prExtend}, // Mn [36] TIBETAN SUBJOINED LETTER NYA..TIBETAN SUBJOINED LETTER FIXED-FORM RA + {0x0FC6, 0x0FC6, prExtend}, // Mn TIBETAN SYMBOL PADMA GDAN + {0x102D, 0x1030, prExtend}, // Mn [4] MYANMAR VOWEL SIGN I..MYANMAR VOWEL SIGN UU + {0x1031, 0x1031, prSpacingMark}, // Mc MYANMAR VOWEL SIGN E + {0x1032, 0x1037, prExtend}, // Mn [6] MYANMAR VOWEL SIGN AI..MYANMAR SIGN DOT BELOW + {0x1039, 0x103A, prExtend}, // Mn [2] MYANMAR SIGN VIRAMA..MYANMAR SIGN ASAT + {0x103B, 0x103C, prSpacingMark}, // Mc [2] MYANMAR CONSONANT SIGN MEDIAL YA..MYANMAR CONSONANT SIGN MEDIAL RA + {0x103D, 0x103E, prExtend}, // Mn [2] MYANMAR CONSONANT SIGN MEDIAL WA..MYANMAR CONSONANT SIGN MEDIAL HA + {0x1056, 0x1057, prSpacingMark}, // Mc [2] MYANMAR VOWEL SIGN VOCALIC R..MYANMAR VOWEL SIGN VOCALIC RR + {0x1058, 0x1059, prExtend}, // Mn [2] MYANMAR VOWEL SIGN VOCALIC L..MYANMAR VOWEL SIGN VOCALIC LL + {0x105E, 0x1060, prExtend}, // Mn [3] MYANMAR CONSONANT SIGN MON MEDIAL NA..MYANMAR CONSONANT SIGN MON MEDIAL LA + {0x1071, 0x1074, prExtend}, // Mn [4] MYANMAR VOWEL SIGN GEBA KAREN I..MYANMAR VOWEL SIGN KAYAH EE + {0x1082, 0x1082, prExtend}, // Mn MYANMAR CONSONANT SIGN SHAN MEDIAL WA + {0x1084, 0x1084, prSpacingMark}, // Mc MYANMAR VOWEL SIGN SHAN E + {0x1085, 0x1086, prExtend}, // Mn [2] MYANMAR VOWEL SIGN SHAN E ABOVE..MYANMAR VOWEL SIGN SHAN FINAL Y + {0x108D, 0x108D, prExtend}, // Mn MYANMAR SIGN SHAN COUNCIL EMPHATIC TONE + {0x109D, 0x109D, prExtend}, // Mn MYANMAR VOWEL SIGN AITON AI + {0x1100, 0x115F, prL}, // Lo [96] HANGUL CHOSEONG KIYEOK..HANGUL CHOSEONG FILLER + {0x1160, 0x11A7, prV}, // Lo [72] HANGUL JUNGSEONG FILLER..HANGUL JUNGSEONG O-YAE + {0x11A8, 0x11FF, prT}, // Lo [88] HANGUL JONGSEONG KIYEOK..HANGUL JONGSEONG SSANGNIEUN + {0x135D, 0x135F, prExtend}, // Mn [3] ETHIOPIC COMBINING GEMINATION AND VOWEL LENGTH MARK..ETHIOPIC COMBINING GEMINATION MARK + {0x1712, 0x1714, prExtend}, // Mn [3] TAGALOG VOWEL SIGN I..TAGALOG SIGN VIRAMA + {0x1715, 0x1715, prSpacingMark}, // Mc TAGALOG SIGN PAMUDPOD + {0x1732, 0x1733, prExtend}, // Mn [2] HANUNOO VOWEL SIGN I..HANUNOO VOWEL SIGN U + {0x1734, 0x1734, prSpacingMark}, // Mc HANUNOO SIGN PAMUDPOD + {0x1752, 0x1753, prExtend}, // Mn [2] BUHID VOWEL SIGN I..BUHID VOWEL SIGN U + {0x1772, 0x1773, prExtend}, // Mn [2] TAGBANWA VOWEL SIGN I..TAGBANWA VOWEL SIGN U + {0x17B4, 0x17B5, prExtend}, // Mn [2] KHMER VOWEL INHERENT AQ..KHMER VOWEL INHERENT AA + {0x17B6, 0x17B6, prSpacingMark}, // Mc KHMER VOWEL SIGN AA + {0x17B7, 0x17BD, prExtend}, // Mn [7] KHMER VOWEL SIGN I..KHMER VOWEL SIGN UA + {0x17BE, 0x17C5, prSpacingMark}, // Mc [8] KHMER VOWEL SIGN OE..KHMER VOWEL SIGN AU + {0x17C6, 0x17C6, prExtend}, // Mn KHMER SIGN NIKAHIT + {0x17C7, 0x17C8, prSpacingMark}, // Mc [2] KHMER SIGN REAHMUK..KHMER SIGN YUUKALEAPINTU + {0x17C9, 0x17D3, prExtend}, // Mn [11] KHMER SIGN MUUSIKATOAN..KHMER SIGN BATHAMASAT + {0x17DD, 0x17DD, prExtend}, // Mn KHMER SIGN ATTHACAN + {0x180B, 0x180D, prExtend}, // Mn [3] MONGOLIAN FREE VARIATION SELECTOR ONE..MONGOLIAN FREE VARIATION SELECTOR THREE + {0x180E, 0x180E, prControl}, // Cf MONGOLIAN VOWEL SEPARATOR + {0x180F, 0x180F, prExtend}, // Mn MONGOLIAN FREE VARIATION SELECTOR FOUR + {0x1885, 0x1886, prExtend}, // Mn [2] MONGOLIAN LETTER ALI GALI BALUDA..MONGOLIAN LETTER ALI GALI THREE BALUDA + {0x18A9, 0x18A9, prExtend}, // Mn MONGOLIAN LETTER ALI GALI DAGALGA + {0x1920, 0x1922, prExtend}, // Mn [3] LIMBU VOWEL SIGN A..LIMBU VOWEL SIGN U + {0x1923, 0x1926, prSpacingMark}, // Mc [4] LIMBU VOWEL SIGN EE..LIMBU VOWEL SIGN AU + {0x1927, 0x1928, prExtend}, // Mn [2] LIMBU VOWEL SIGN E..LIMBU VOWEL SIGN O + {0x1929, 0x192B, prSpacingMark}, // Mc [3] LIMBU SUBJOINED LETTER YA..LIMBU SUBJOINED LETTER WA + {0x1930, 0x1931, prSpacingMark}, // Mc [2] LIMBU SMALL LETTER KA..LIMBU SMALL LETTER NGA + {0x1932, 0x1932, prExtend}, // Mn LIMBU SMALL LETTER ANUSVARA + {0x1933, 0x1938, prSpacingMark}, // Mc [6] LIMBU SMALL LETTER TA..LIMBU SMALL LETTER LA + {0x1939, 0x193B, prExtend}, // Mn [3] LIMBU SIGN MUKPHRENG..LIMBU SIGN SA-I + {0x1A17, 0x1A18, prExtend}, // Mn [2] BUGINESE VOWEL SIGN I..BUGINESE VOWEL SIGN U + {0x1A19, 0x1A1A, prSpacingMark}, // Mc [2] BUGINESE VOWEL SIGN E..BUGINESE VOWEL SIGN O + {0x1A1B, 0x1A1B, prExtend}, // Mn BUGINESE VOWEL SIGN AE + {0x1A55, 0x1A55, prSpacingMark}, // Mc TAI THAM CONSONANT SIGN MEDIAL RA + {0x1A56, 0x1A56, prExtend}, // Mn TAI THAM CONSONANT SIGN MEDIAL LA + {0x1A57, 0x1A57, prSpacingMark}, // Mc TAI THAM CONSONANT SIGN LA TANG LAI + {0x1A58, 0x1A5E, prExtend}, // Mn [7] TAI THAM SIGN MAI KANG LAI..TAI THAM CONSONANT SIGN SA + {0x1A60, 0x1A60, prExtend}, // Mn TAI THAM SIGN SAKOT + {0x1A62, 0x1A62, prExtend}, // Mn TAI THAM VOWEL SIGN MAI SAT + {0x1A65, 0x1A6C, prExtend}, // Mn [8] TAI THAM VOWEL SIGN I..TAI THAM VOWEL SIGN OA BELOW + {0x1A6D, 0x1A72, prSpacingMark}, // Mc [6] TAI THAM VOWEL SIGN OY..TAI THAM VOWEL SIGN THAM AI + {0x1A73, 0x1A7C, prExtend}, // Mn [10] TAI THAM VOWEL SIGN OA ABOVE..TAI THAM SIGN KHUEN-LUE KARAN + {0x1A7F, 0x1A7F, prExtend}, // Mn TAI THAM COMBINING CRYPTOGRAMMIC DOT + {0x1AB0, 0x1ABD, prExtend}, // Mn [14] COMBINING DOUBLED CIRCUMFLEX ACCENT..COMBINING PARENTHESES BELOW + {0x1ABE, 0x1ABE, prExtend}, // Me COMBINING PARENTHESES OVERLAY + {0x1ABF, 0x1ACE, prExtend}, // Mn [16] COMBINING LATIN SMALL LETTER W BELOW..COMBINING LATIN SMALL LETTER INSULAR T + {0x1B00, 0x1B03, prExtend}, // Mn [4] BALINESE SIGN ULU RICEM..BALINESE SIGN SURANG + {0x1B04, 0x1B04, prSpacingMark}, // Mc BALINESE SIGN BISAH + {0x1B34, 0x1B34, prExtend}, // Mn BALINESE SIGN REREKAN + {0x1B35, 0x1B35, prExtend}, // Mc BALINESE VOWEL SIGN TEDUNG + {0x1B36, 0x1B3A, prExtend}, // Mn [5] BALINESE VOWEL SIGN ULU..BALINESE VOWEL SIGN RA REPA + {0x1B3B, 0x1B3B, prSpacingMark}, // Mc BALINESE VOWEL SIGN RA REPA TEDUNG + {0x1B3C, 0x1B3C, prExtend}, // Mn BALINESE VOWEL SIGN LA LENGA + {0x1B3D, 0x1B41, prSpacingMark}, // Mc [5] BALINESE VOWEL SIGN LA LENGA TEDUNG..BALINESE VOWEL SIGN TALING REPA TEDUNG + {0x1B42, 0x1B42, prExtend}, // Mn BALINESE VOWEL SIGN PEPET + {0x1B43, 0x1B44, prSpacingMark}, // Mc [2] BALINESE VOWEL SIGN PEPET TEDUNG..BALINESE ADEG ADEG + {0x1B6B, 0x1B73, prExtend}, // Mn [9] BALINESE MUSICAL SYMBOL COMBINING TEGEH..BALINESE MUSICAL SYMBOL COMBINING GONG + {0x1B80, 0x1B81, prExtend}, // Mn [2] SUNDANESE SIGN PANYECEK..SUNDANESE SIGN PANGLAYAR + {0x1B82, 0x1B82, prSpacingMark}, // Mc SUNDANESE SIGN PANGWISAD + {0x1BA1, 0x1BA1, prSpacingMark}, // Mc SUNDANESE CONSONANT SIGN PAMINGKAL + {0x1BA2, 0x1BA5, prExtend}, // Mn [4] SUNDANESE CONSONANT SIGN PANYAKRA..SUNDANESE VOWEL SIGN PANYUKU + {0x1BA6, 0x1BA7, prSpacingMark}, // Mc [2] SUNDANESE VOWEL SIGN PANAELAENG..SUNDANESE VOWEL SIGN PANOLONG + {0x1BA8, 0x1BA9, prExtend}, // Mn [2] SUNDANESE VOWEL SIGN PAMEPET..SUNDANESE VOWEL SIGN PANEULEUNG + {0x1BAA, 0x1BAA, prSpacingMark}, // Mc SUNDANESE SIGN PAMAAEH + {0x1BAB, 0x1BAD, prExtend}, // Mn [3] SUNDANESE SIGN VIRAMA..SUNDANESE CONSONANT SIGN PASANGAN WA + {0x1BE6, 0x1BE6, prExtend}, // Mn BATAK SIGN TOMPI + {0x1BE7, 0x1BE7, prSpacingMark}, // Mc BATAK VOWEL SIGN E + {0x1BE8, 0x1BE9, prExtend}, // Mn [2] BATAK VOWEL SIGN PAKPAK E..BATAK VOWEL SIGN EE + {0x1BEA, 0x1BEC, prSpacingMark}, // Mc [3] BATAK VOWEL SIGN I..BATAK VOWEL SIGN O + {0x1BED, 0x1BED, prExtend}, // Mn BATAK VOWEL SIGN KARO O + {0x1BEE, 0x1BEE, prSpacingMark}, // Mc BATAK VOWEL SIGN U + {0x1BEF, 0x1BF1, prExtend}, // Mn [3] BATAK VOWEL SIGN U FOR SIMALUNGUN SA..BATAK CONSONANT SIGN H + {0x1BF2, 0x1BF3, prSpacingMark}, // Mc [2] BATAK PANGOLAT..BATAK PANONGONAN + {0x1C24, 0x1C2B, prSpacingMark}, // Mc [8] LEPCHA SUBJOINED LETTER YA..LEPCHA VOWEL SIGN UU + {0x1C2C, 0x1C33, prExtend}, // Mn [8] LEPCHA VOWEL SIGN E..LEPCHA CONSONANT SIGN T + {0x1C34, 0x1C35, prSpacingMark}, // Mc [2] LEPCHA CONSONANT SIGN NYIN-DO..LEPCHA CONSONANT SIGN KANG + {0x1C36, 0x1C37, prExtend}, // Mn [2] LEPCHA SIGN RAN..LEPCHA SIGN NUKTA + {0x1CD0, 0x1CD2, prExtend}, // Mn [3] VEDIC TONE KARSHANA..VEDIC TONE PRENKHA + {0x1CD4, 0x1CE0, prExtend}, // Mn [13] VEDIC SIGN YAJURVEDIC MIDLINE SVARITA..VEDIC TONE RIGVEDIC KASHMIRI INDEPENDENT SVARITA + {0x1CE1, 0x1CE1, prSpacingMark}, // Mc VEDIC TONE ATHARVAVEDIC INDEPENDENT SVARITA + {0x1CE2, 0x1CE8, prExtend}, // Mn [7] VEDIC SIGN VISARGA SVARITA..VEDIC SIGN VISARGA ANUDATTA WITH TAIL + {0x1CED, 0x1CED, prExtend}, // Mn VEDIC SIGN TIRYAK + {0x1CF4, 0x1CF4, prExtend}, // Mn VEDIC TONE CANDRA ABOVE + {0x1CF7, 0x1CF7, prSpacingMark}, // Mc VEDIC SIGN ATIKRAMA + {0x1CF8, 0x1CF9, prExtend}, // Mn [2] VEDIC TONE RING ABOVE..VEDIC TONE DOUBLE RING ABOVE + {0x1DC0, 0x1DFF, prExtend}, // Mn [64] COMBINING DOTTED GRAVE ACCENT..COMBINING RIGHT ARROWHEAD AND DOWN ARROWHEAD BELOW + {0x200B, 0x200B, prControl}, // Cf ZERO WIDTH SPACE + {0x200C, 0x200C, prExtend}, // Cf ZERO WIDTH NON-JOINER + {0x200D, 0x200D, prZWJ}, // Cf ZERO WIDTH JOINER + {0x200E, 0x200F, prControl}, // Cf [2] LEFT-TO-RIGHT MARK..RIGHT-TO-LEFT MARK + {0x2028, 0x2028, prControl}, // Zl LINE SEPARATOR + {0x2029, 0x2029, prControl}, // Zp PARAGRAPH SEPARATOR + {0x202A, 0x202E, prControl}, // Cf [5] LEFT-TO-RIGHT EMBEDDING..RIGHT-TO-LEFT OVERRIDE + {0x203C, 0x203C, prExtendedPictographic}, // E0.6 [1] (‼ï¸) double exclamation mark + {0x2049, 0x2049, prExtendedPictographic}, // E0.6 [1] (â‰ï¸) exclamation question mark + {0x2060, 0x2064, prControl}, // Cf [5] WORD JOINER..INVISIBLE PLUS + {0x2065, 0x2065, prControl}, // Cn + {0x2066, 0x206F, prControl}, // Cf [10] LEFT-TO-RIGHT ISOLATE..NOMINAL DIGIT SHAPES + {0x20D0, 0x20DC, prExtend}, // Mn [13] COMBINING LEFT HARPOON ABOVE..COMBINING FOUR DOTS ABOVE + {0x20DD, 0x20E0, prExtend}, // Me [4] COMBINING ENCLOSING CIRCLE..COMBINING ENCLOSING CIRCLE BACKSLASH + {0x20E1, 0x20E1, prExtend}, // Mn COMBINING LEFT RIGHT ARROW ABOVE + {0x20E2, 0x20E4, prExtend}, // Me [3] COMBINING ENCLOSING SCREEN..COMBINING ENCLOSING UPWARD POINTING TRIANGLE + {0x20E5, 0x20F0, prExtend}, // Mn [12] COMBINING REVERSE SOLIDUS OVERLAY..COMBINING ASTERISK ABOVE + {0x2122, 0x2122, prExtendedPictographic}, // E0.6 [1] (â„¢ï¸) trade mark + {0x2139, 0x2139, prExtendedPictographic}, // E0.6 [1] (ℹï¸) information + {0x2194, 0x2199, prExtendedPictographic}, // E0.6 [6] (↔ï¸..↙ï¸) left-right arrow..down-left arrow + {0x21A9, 0x21AA, prExtendedPictographic}, // E0.6 [2] (↩ï¸..↪ï¸) right arrow curving left..left arrow curving right + {0x231A, 0x231B, prExtendedPictographic}, // E0.6 [2] (⌚..⌛) watch..hourglass done + {0x2328, 0x2328, prExtendedPictographic}, // E1.0 [1] (⌨ï¸) keyboard + {0x2388, 0x2388, prExtendedPictographic}, // E0.0 [1] (⎈) HELM SYMBOL + {0x23CF, 0x23CF, prExtendedPictographic}, // E1.0 [1] (âï¸) eject button + {0x23E9, 0x23EC, prExtendedPictographic}, // E0.6 [4] (â©..â¬) fast-forward button..fast down button + {0x23ED, 0x23EE, prExtendedPictographic}, // E0.7 [2] (â­ï¸..â®ï¸) next track button..last track button + {0x23EF, 0x23EF, prExtendedPictographic}, // E1.0 [1] (â¯ï¸) play or pause button + {0x23F0, 0x23F0, prExtendedPictographic}, // E0.6 [1] (â°) alarm clock + {0x23F1, 0x23F2, prExtendedPictographic}, // E1.0 [2] (â±ï¸..â²ï¸) stopwatch..timer clock + {0x23F3, 0x23F3, prExtendedPictographic}, // E0.6 [1] (â³) hourglass not done + {0x23F8, 0x23FA, prExtendedPictographic}, // E0.7 [3] (â¸ï¸..âºï¸) pause button..record button + {0x24C2, 0x24C2, prExtendedPictographic}, // E0.6 [1] (â“‚ï¸) circled M + {0x25AA, 0x25AB, prExtendedPictographic}, // E0.6 [2] (â–ªï¸..â–«ï¸) black small square..white small square + {0x25B6, 0x25B6, prExtendedPictographic}, // E0.6 [1] (â–¶ï¸) play button + {0x25C0, 0x25C0, prExtendedPictographic}, // E0.6 [1] (â—€ï¸) reverse button + {0x25FB, 0x25FE, prExtendedPictographic}, // E0.6 [4] (â—»ï¸..â—¾) white medium square..black medium-small square + {0x2600, 0x2601, prExtendedPictographic}, // E0.6 [2] (☀ï¸..â˜ï¸) sun..cloud + {0x2602, 0x2603, prExtendedPictographic}, // E0.7 [2] (☂ï¸..☃ï¸) umbrella..snowman + {0x2604, 0x2604, prExtendedPictographic}, // E1.0 [1] (☄ï¸) comet + {0x2605, 0x2605, prExtendedPictographic}, // E0.0 [1] (★) BLACK STAR + {0x2607, 0x260D, prExtendedPictographic}, // E0.0 [7] (☇..â˜) LIGHTNING..OPPOSITION + {0x260E, 0x260E, prExtendedPictographic}, // E0.6 [1] (☎ï¸) telephone + {0x260F, 0x2610, prExtendedPictographic}, // E0.0 [2] (â˜..â˜) WHITE TELEPHONE..BALLOT BOX + {0x2611, 0x2611, prExtendedPictographic}, // E0.6 [1] (☑ï¸) check box with check + {0x2612, 0x2612, prExtendedPictographic}, // E0.0 [1] (☒) BALLOT BOX WITH X + {0x2614, 0x2615, prExtendedPictographic}, // E0.6 [2] (☔..☕) umbrella with rain drops..hot beverage + {0x2616, 0x2617, prExtendedPictographic}, // E0.0 [2] (☖..☗) WHITE SHOGI PIECE..BLACK SHOGI PIECE + {0x2618, 0x2618, prExtendedPictographic}, // E1.0 [1] (☘ï¸) shamrock + {0x2619, 0x261C, prExtendedPictographic}, // E0.0 [4] (☙..☜) REVERSED ROTATED FLORAL HEART BULLET..WHITE LEFT POINTING INDEX + {0x261D, 0x261D, prExtendedPictographic}, // E0.6 [1] (â˜ï¸) index pointing up + {0x261E, 0x261F, prExtendedPictographic}, // E0.0 [2] (☞..☟) WHITE RIGHT POINTING INDEX..WHITE DOWN POINTING INDEX + {0x2620, 0x2620, prExtendedPictographic}, // E1.0 [1] (☠ï¸) skull and crossbones + {0x2621, 0x2621, prExtendedPictographic}, // E0.0 [1] (☡) CAUTION SIGN + {0x2622, 0x2623, prExtendedPictographic}, // E1.0 [2] (☢ï¸..☣ï¸) radioactive..biohazard + {0x2624, 0x2625, prExtendedPictographic}, // E0.0 [2] (☤..☥) CADUCEUS..ANKH + {0x2626, 0x2626, prExtendedPictographic}, // E1.0 [1] (☦ï¸) orthodox cross + {0x2627, 0x2629, prExtendedPictographic}, // E0.0 [3] (☧..☩) CHI RHO..CROSS OF JERUSALEM + {0x262A, 0x262A, prExtendedPictographic}, // E0.7 [1] (☪ï¸) star and crescent + {0x262B, 0x262D, prExtendedPictographic}, // E0.0 [3] (☫..☭) FARSI SYMBOL..HAMMER AND SICKLE + {0x262E, 0x262E, prExtendedPictographic}, // E1.0 [1] (☮ï¸) peace symbol + {0x262F, 0x262F, prExtendedPictographic}, // E0.7 [1] (☯ï¸) yin yang + {0x2630, 0x2637, prExtendedPictographic}, // E0.0 [8] (☰..☷) TRIGRAM FOR HEAVEN..TRIGRAM FOR EARTH + {0x2638, 0x2639, prExtendedPictographic}, // E0.7 [2] (☸ï¸..☹ï¸) wheel of dharma..frowning face + {0x263A, 0x263A, prExtendedPictographic}, // E0.6 [1] (☺ï¸) smiling face + {0x263B, 0x263F, prExtendedPictographic}, // E0.0 [5] (☻..☿) BLACK SMILING FACE..MERCURY + {0x2640, 0x2640, prExtendedPictographic}, // E4.0 [1] (♀ï¸) female sign + {0x2641, 0x2641, prExtendedPictographic}, // E0.0 [1] (â™) EARTH + {0x2642, 0x2642, prExtendedPictographic}, // E4.0 [1] (♂ï¸) male sign + {0x2643, 0x2647, prExtendedPictographic}, // E0.0 [5] (♃..♇) JUPITER..PLUTO + {0x2648, 0x2653, prExtendedPictographic}, // E0.6 [12] (♈..♓) Aries..Pisces + {0x2654, 0x265E, prExtendedPictographic}, // E0.0 [11] (â™”..♞) WHITE CHESS KING..BLACK CHESS KNIGHT + {0x265F, 0x265F, prExtendedPictographic}, // E11.0 [1] (♟ï¸) chess pawn + {0x2660, 0x2660, prExtendedPictographic}, // E0.6 [1] (â™ ï¸) spade suit + {0x2661, 0x2662, prExtendedPictographic}, // E0.0 [2] (♡..♢) WHITE HEART SUIT..WHITE DIAMOND SUIT + {0x2663, 0x2663, prExtendedPictographic}, // E0.6 [1] (♣ï¸) club suit + {0x2664, 0x2664, prExtendedPictographic}, // E0.0 [1] (♤) WHITE SPADE SUIT + {0x2665, 0x2666, prExtendedPictographic}, // E0.6 [2] (♥ï¸..♦ï¸) heart suit..diamond suit + {0x2667, 0x2667, prExtendedPictographic}, // E0.0 [1] (♧) WHITE CLUB SUIT + {0x2668, 0x2668, prExtendedPictographic}, // E0.6 [1] (♨ï¸) hot springs + {0x2669, 0x267A, prExtendedPictographic}, // E0.0 [18] (♩..♺) QUARTER NOTE..RECYCLING SYMBOL FOR GENERIC MATERIALS + {0x267B, 0x267B, prExtendedPictographic}, // E0.6 [1] (â™»ï¸) recycling symbol + {0x267C, 0x267D, prExtendedPictographic}, // E0.0 [2] (♼..♽) RECYCLED PAPER SYMBOL..PARTIALLY-RECYCLED PAPER SYMBOL + {0x267E, 0x267E, prExtendedPictographic}, // E11.0 [1] (♾ï¸) infinity + {0x267F, 0x267F, prExtendedPictographic}, // E0.6 [1] (♿) wheelchair symbol + {0x2680, 0x2685, prExtendedPictographic}, // E0.0 [6] (⚀..âš…) DIE FACE-1..DIE FACE-6 + {0x2690, 0x2691, prExtendedPictographic}, // E0.0 [2] (âš..âš‘) WHITE FLAG..BLACK FLAG + {0x2692, 0x2692, prExtendedPictographic}, // E1.0 [1] (âš’ï¸) hammer and pick + {0x2693, 0x2693, prExtendedPictographic}, // E0.6 [1] (âš“) anchor + {0x2694, 0x2694, prExtendedPictographic}, // E1.0 [1] (âš”ï¸) crossed swords + {0x2695, 0x2695, prExtendedPictographic}, // E4.0 [1] (âš•ï¸) medical symbol + {0x2696, 0x2697, prExtendedPictographic}, // E1.0 [2] (âš–ï¸..âš—ï¸) balance scale..alembic + {0x2698, 0x2698, prExtendedPictographic}, // E0.0 [1] (⚘) FLOWER + {0x2699, 0x2699, prExtendedPictographic}, // E1.0 [1] (âš™ï¸) gear + {0x269A, 0x269A, prExtendedPictographic}, // E0.0 [1] (âšš) STAFF OF HERMES + {0x269B, 0x269C, prExtendedPictographic}, // E1.0 [2] (âš›ï¸..âšœï¸) atom symbol..fleur-de-lis + {0x269D, 0x269F, prExtendedPictographic}, // E0.0 [3] (âš..⚟) OUTLINED WHITE STAR..THREE LINES CONVERGING LEFT + {0x26A0, 0x26A1, prExtendedPictographic}, // E0.6 [2] (âš ï¸..âš¡) warning..high voltage + {0x26A2, 0x26A6, prExtendedPictographic}, // E0.0 [5] (⚢..⚦) DOUBLED FEMALE SIGN..MALE WITH STROKE SIGN + {0x26A7, 0x26A7, prExtendedPictographic}, // E13.0 [1] (⚧ï¸) transgender symbol + {0x26A8, 0x26A9, prExtendedPictographic}, // E0.0 [2] (⚨..âš©) VERTICAL MALE WITH STROKE SIGN..HORIZONTAL MALE WITH STROKE SIGN + {0x26AA, 0x26AB, prExtendedPictographic}, // E0.6 [2] (⚪..âš«) white circle..black circle + {0x26AC, 0x26AF, prExtendedPictographic}, // E0.0 [4] (⚬..⚯) MEDIUM SMALL WHITE CIRCLE..UNMARRIED PARTNERSHIP SYMBOL + {0x26B0, 0x26B1, prExtendedPictographic}, // E1.0 [2] (âš°ï¸..âš±ï¸) coffin..funeral urn + {0x26B2, 0x26BC, prExtendedPictographic}, // E0.0 [11] (âš²..âš¼) NEUTER..SESQUIQUADRATE + {0x26BD, 0x26BE, prExtendedPictographic}, // E0.6 [2] (âš½..âš¾) soccer ball..baseball + {0x26BF, 0x26C3, prExtendedPictographic}, // E0.0 [5] (âš¿..⛃) SQUARED KEY..BLACK DRAUGHTS KING + {0x26C4, 0x26C5, prExtendedPictographic}, // E0.6 [2] (⛄..â›…) snowman without snow..sun behind cloud + {0x26C6, 0x26C7, prExtendedPictographic}, // E0.0 [2] (⛆..⛇) RAIN..BLACK SNOWMAN + {0x26C8, 0x26C8, prExtendedPictographic}, // E0.7 [1] (⛈ï¸) cloud with lightning and rain + {0x26C9, 0x26CD, prExtendedPictographic}, // E0.0 [5] (⛉..â›) TURNED WHITE SHOGI PIECE..DISABLED CAR + {0x26CE, 0x26CE, prExtendedPictographic}, // E0.6 [1] (⛎) Ophiuchus + {0x26CF, 0x26CF, prExtendedPictographic}, // E0.7 [1] (â›ï¸) pick + {0x26D0, 0x26D0, prExtendedPictographic}, // E0.0 [1] (â›) CAR SLIDING + {0x26D1, 0x26D1, prExtendedPictographic}, // E0.7 [1] (⛑ï¸) rescue worker’s helmet + {0x26D2, 0x26D2, prExtendedPictographic}, // E0.0 [1] (â›’) CIRCLED CROSSING LANES + {0x26D3, 0x26D3, prExtendedPictographic}, // E0.7 [1] (⛓ï¸) chains + {0x26D4, 0x26D4, prExtendedPictographic}, // E0.6 [1] (â›”) no entry + {0x26D5, 0x26E8, prExtendedPictographic}, // E0.0 [20] (⛕..⛨) ALTERNATE ONE-WAY LEFT WAY TRAFFIC..BLACK CROSS ON SHIELD + {0x26E9, 0x26E9, prExtendedPictographic}, // E0.7 [1] (⛩ï¸) shinto shrine + {0x26EA, 0x26EA, prExtendedPictographic}, // E0.6 [1] (⛪) church + {0x26EB, 0x26EF, prExtendedPictographic}, // E0.0 [5] (⛫..⛯) CASTLE..MAP SYMBOL FOR LIGHTHOUSE + {0x26F0, 0x26F1, prExtendedPictographic}, // E0.7 [2] (â›°ï¸..â›±ï¸) mountain..umbrella on ground + {0x26F2, 0x26F3, prExtendedPictographic}, // E0.6 [2] (⛲..⛳) fountain..flag in hole + {0x26F4, 0x26F4, prExtendedPictographic}, // E0.7 [1] (â›´ï¸) ferry + {0x26F5, 0x26F5, prExtendedPictographic}, // E0.6 [1] (⛵) sailboat + {0x26F6, 0x26F6, prExtendedPictographic}, // E0.0 [1] (⛶) SQUARE FOUR CORNERS + {0x26F7, 0x26F9, prExtendedPictographic}, // E0.7 [3] (â›·ï¸..⛹ï¸) skier..person bouncing ball + {0x26FA, 0x26FA, prExtendedPictographic}, // E0.6 [1] (⛺) tent + {0x26FB, 0x26FC, prExtendedPictographic}, // E0.0 [2] (â›»..⛼) JAPANESE BANK SYMBOL..HEADSTONE GRAVEYARD SYMBOL + {0x26FD, 0x26FD, prExtendedPictographic}, // E0.6 [1] (⛽) fuel pump + {0x26FE, 0x2701, prExtendedPictographic}, // E0.0 [4] (⛾..âœ) CUP ON BLACK SQUARE..UPPER BLADE SCISSORS + {0x2702, 0x2702, prExtendedPictographic}, // E0.6 [1] (✂ï¸) scissors + {0x2703, 0x2704, prExtendedPictographic}, // E0.0 [2] (✃..✄) LOWER BLADE SCISSORS..WHITE SCISSORS + {0x2705, 0x2705, prExtendedPictographic}, // E0.6 [1] (✅) check mark button + {0x2708, 0x270C, prExtendedPictographic}, // E0.6 [5] (✈ï¸..✌ï¸) airplane..victory hand + {0x270D, 0x270D, prExtendedPictographic}, // E0.7 [1] (âœï¸) writing hand + {0x270E, 0x270E, prExtendedPictographic}, // E0.0 [1] (✎) LOWER RIGHT PENCIL + {0x270F, 0x270F, prExtendedPictographic}, // E0.6 [1] (âœï¸) pencil + {0x2710, 0x2711, prExtendedPictographic}, // E0.0 [2] (âœ..✑) UPPER RIGHT PENCIL..WHITE NIB + {0x2712, 0x2712, prExtendedPictographic}, // E0.6 [1] (✒ï¸) black nib + {0x2714, 0x2714, prExtendedPictographic}, // E0.6 [1] (✔ï¸) check mark + {0x2716, 0x2716, prExtendedPictographic}, // E0.6 [1] (✖ï¸) multiply + {0x271D, 0x271D, prExtendedPictographic}, // E0.7 [1] (âœï¸) latin cross + {0x2721, 0x2721, prExtendedPictographic}, // E0.7 [1] (✡ï¸) star of David + {0x2728, 0x2728, prExtendedPictographic}, // E0.6 [1] (✨) sparkles + {0x2733, 0x2734, prExtendedPictographic}, // E0.6 [2] (✳ï¸..✴ï¸) eight-spoked asterisk..eight-pointed star + {0x2744, 0x2744, prExtendedPictographic}, // E0.6 [1] (â„ï¸) snowflake + {0x2747, 0x2747, prExtendedPictographic}, // E0.6 [1] (â‡ï¸) sparkle + {0x274C, 0x274C, prExtendedPictographic}, // E0.6 [1] (âŒ) cross mark + {0x274E, 0x274E, prExtendedPictographic}, // E0.6 [1] (âŽ) cross mark button + {0x2753, 0x2755, prExtendedPictographic}, // E0.6 [3] (â“..â•) red question mark..white exclamation mark + {0x2757, 0x2757, prExtendedPictographic}, // E0.6 [1] (â—) red exclamation mark + {0x2763, 0x2763, prExtendedPictographic}, // E1.0 [1] (â£ï¸) heart exclamation + {0x2764, 0x2764, prExtendedPictographic}, // E0.6 [1] (â¤ï¸) red heart + {0x2765, 0x2767, prExtendedPictographic}, // E0.0 [3] (â¥..â§) ROTATED HEAVY BLACK HEART BULLET..ROTATED FLORAL HEART BULLET + {0x2795, 0x2797, prExtendedPictographic}, // E0.6 [3] (âž•..âž—) plus..divide + {0x27A1, 0x27A1, prExtendedPictographic}, // E0.6 [1] (âž¡ï¸) right arrow + {0x27B0, 0x27B0, prExtendedPictographic}, // E0.6 [1] (âž°) curly loop + {0x27BF, 0x27BF, prExtendedPictographic}, // E1.0 [1] (âž¿) double curly loop + {0x2934, 0x2935, prExtendedPictographic}, // E0.6 [2] (⤴ï¸..⤵ï¸) right arrow curving up..right arrow curving down + {0x2B05, 0x2B07, prExtendedPictographic}, // E0.6 [3] (⬅ï¸..⬇ï¸) left arrow..down arrow + {0x2B1B, 0x2B1C, prExtendedPictographic}, // E0.6 [2] (⬛..⬜) black large square..white large square + {0x2B50, 0x2B50, prExtendedPictographic}, // E0.6 [1] (â­) star + {0x2B55, 0x2B55, prExtendedPictographic}, // E0.6 [1] (â­•) hollow red circle + {0x2CEF, 0x2CF1, prExtend}, // Mn [3] COPTIC COMBINING NI ABOVE..COPTIC COMBINING SPIRITUS LENIS + {0x2D7F, 0x2D7F, prExtend}, // Mn TIFINAGH CONSONANT JOINER + {0x2DE0, 0x2DFF, prExtend}, // Mn [32] COMBINING CYRILLIC LETTER BE..COMBINING CYRILLIC LETTER IOTIFIED BIG YUS + {0x302A, 0x302D, prExtend}, // Mn [4] IDEOGRAPHIC LEVEL TONE MARK..IDEOGRAPHIC ENTERING TONE MARK + {0x302E, 0x302F, prExtend}, // Mc [2] HANGUL SINGLE DOT TONE MARK..HANGUL DOUBLE DOT TONE MARK + {0x3030, 0x3030, prExtendedPictographic}, // E0.6 [1] (〰ï¸) wavy dash + {0x303D, 0x303D, prExtendedPictographic}, // E0.6 [1] (〽ï¸) part alternation mark + {0x3099, 0x309A, prExtend}, // Mn [2] COMBINING KATAKANA-HIRAGANA VOICED SOUND MARK..COMBINING KATAKANA-HIRAGANA SEMI-VOICED SOUND MARK + {0x3297, 0x3297, prExtendedPictographic}, // E0.6 [1] (㊗ï¸) Japanese “congratulations†button + {0x3299, 0x3299, prExtendedPictographic}, // E0.6 [1] (㊙ï¸) Japanese “secret†button + {0xA66F, 0xA66F, prExtend}, // Mn COMBINING CYRILLIC VZMET + {0xA670, 0xA672, prExtend}, // Me [3] COMBINING CYRILLIC TEN MILLIONS SIGN..COMBINING CYRILLIC THOUSAND MILLIONS SIGN + {0xA674, 0xA67D, prExtend}, // Mn [10] COMBINING CYRILLIC LETTER UKRAINIAN IE..COMBINING CYRILLIC PAYEROK + {0xA69E, 0xA69F, prExtend}, // Mn [2] COMBINING CYRILLIC LETTER EF..COMBINING CYRILLIC LETTER IOTIFIED E + {0xA6F0, 0xA6F1, prExtend}, // Mn [2] BAMUM COMBINING MARK KOQNDON..BAMUM COMBINING MARK TUKWENTIS + {0xA802, 0xA802, prExtend}, // Mn SYLOTI NAGRI SIGN DVISVARA + {0xA806, 0xA806, prExtend}, // Mn SYLOTI NAGRI SIGN HASANTA + {0xA80B, 0xA80B, prExtend}, // Mn SYLOTI NAGRI SIGN ANUSVARA + {0xA823, 0xA824, prSpacingMark}, // Mc [2] SYLOTI NAGRI VOWEL SIGN A..SYLOTI NAGRI VOWEL SIGN I + {0xA825, 0xA826, prExtend}, // Mn [2] SYLOTI NAGRI VOWEL SIGN U..SYLOTI NAGRI VOWEL SIGN E + {0xA827, 0xA827, prSpacingMark}, // Mc SYLOTI NAGRI VOWEL SIGN OO + {0xA82C, 0xA82C, prExtend}, // Mn SYLOTI NAGRI SIGN ALTERNATE HASANTA + {0xA880, 0xA881, prSpacingMark}, // Mc [2] SAURASHTRA SIGN ANUSVARA..SAURASHTRA SIGN VISARGA + {0xA8B4, 0xA8C3, prSpacingMark}, // Mc [16] SAURASHTRA CONSONANT SIGN HAARU..SAURASHTRA VOWEL SIGN AU + {0xA8C4, 0xA8C5, prExtend}, // Mn [2] SAURASHTRA SIGN VIRAMA..SAURASHTRA SIGN CANDRABINDU + {0xA8E0, 0xA8F1, prExtend}, // Mn [18] COMBINING DEVANAGARI DIGIT ZERO..COMBINING DEVANAGARI SIGN AVAGRAHA + {0xA8FF, 0xA8FF, prExtend}, // Mn DEVANAGARI VOWEL SIGN AY + {0xA926, 0xA92D, prExtend}, // Mn [8] KAYAH LI VOWEL UE..KAYAH LI TONE CALYA PLOPHU + {0xA947, 0xA951, prExtend}, // Mn [11] REJANG VOWEL SIGN I..REJANG CONSONANT SIGN R + {0xA952, 0xA953, prSpacingMark}, // Mc [2] REJANG CONSONANT SIGN H..REJANG VIRAMA + {0xA960, 0xA97C, prL}, // Lo [29] HANGUL CHOSEONG TIKEUT-MIEUM..HANGUL CHOSEONG SSANGYEORINHIEUH + {0xA980, 0xA982, prExtend}, // Mn [3] JAVANESE SIGN PANYANGGA..JAVANESE SIGN LAYAR + {0xA983, 0xA983, prSpacingMark}, // Mc JAVANESE SIGN WIGNYAN + {0xA9B3, 0xA9B3, prExtend}, // Mn JAVANESE SIGN CECAK TELU + {0xA9B4, 0xA9B5, prSpacingMark}, // Mc [2] JAVANESE VOWEL SIGN TARUNG..JAVANESE VOWEL SIGN TOLONG + {0xA9B6, 0xA9B9, prExtend}, // Mn [4] JAVANESE VOWEL SIGN WULU..JAVANESE VOWEL SIGN SUKU MENDUT + {0xA9BA, 0xA9BB, prSpacingMark}, // Mc [2] JAVANESE VOWEL SIGN TALING..JAVANESE VOWEL SIGN DIRGA MURE + {0xA9BC, 0xA9BD, prExtend}, // Mn [2] JAVANESE VOWEL SIGN PEPET..JAVANESE CONSONANT SIGN KERET + {0xA9BE, 0xA9C0, prSpacingMark}, // Mc [3] JAVANESE CONSONANT SIGN PENGKAL..JAVANESE PANGKON + {0xA9E5, 0xA9E5, prExtend}, // Mn MYANMAR SIGN SHAN SAW + {0xAA29, 0xAA2E, prExtend}, // Mn [6] CHAM VOWEL SIGN AA..CHAM VOWEL SIGN OE + {0xAA2F, 0xAA30, prSpacingMark}, // Mc [2] CHAM VOWEL SIGN O..CHAM VOWEL SIGN AI + {0xAA31, 0xAA32, prExtend}, // Mn [2] CHAM VOWEL SIGN AU..CHAM VOWEL SIGN UE + {0xAA33, 0xAA34, prSpacingMark}, // Mc [2] CHAM CONSONANT SIGN YA..CHAM CONSONANT SIGN RA + {0xAA35, 0xAA36, prExtend}, // Mn [2] CHAM CONSONANT SIGN LA..CHAM CONSONANT SIGN WA + {0xAA43, 0xAA43, prExtend}, // Mn CHAM CONSONANT SIGN FINAL NG + {0xAA4C, 0xAA4C, prExtend}, // Mn CHAM CONSONANT SIGN FINAL M + {0xAA4D, 0xAA4D, prSpacingMark}, // Mc CHAM CONSONANT SIGN FINAL H + {0xAA7C, 0xAA7C, prExtend}, // Mn MYANMAR SIGN TAI LAING TONE-2 + {0xAAB0, 0xAAB0, prExtend}, // Mn TAI VIET MAI KANG + {0xAAB2, 0xAAB4, prExtend}, // Mn [3] TAI VIET VOWEL I..TAI VIET VOWEL U + {0xAAB7, 0xAAB8, prExtend}, // Mn [2] TAI VIET MAI KHIT..TAI VIET VOWEL IA + {0xAABE, 0xAABF, prExtend}, // Mn [2] TAI VIET VOWEL AM..TAI VIET TONE MAI EK + {0xAAC1, 0xAAC1, prExtend}, // Mn TAI VIET TONE MAI THO + {0xAAEB, 0xAAEB, prSpacingMark}, // Mc MEETEI MAYEK VOWEL SIGN II + {0xAAEC, 0xAAED, prExtend}, // Mn [2] MEETEI MAYEK VOWEL SIGN UU..MEETEI MAYEK VOWEL SIGN AAI + {0xAAEE, 0xAAEF, prSpacingMark}, // Mc [2] MEETEI MAYEK VOWEL SIGN AU..MEETEI MAYEK VOWEL SIGN AAU + {0xAAF5, 0xAAF5, prSpacingMark}, // Mc MEETEI MAYEK VOWEL SIGN VISARGA + {0xAAF6, 0xAAF6, prExtend}, // Mn MEETEI MAYEK VIRAMA + {0xABE3, 0xABE4, prSpacingMark}, // Mc [2] MEETEI MAYEK VOWEL SIGN ONAP..MEETEI MAYEK VOWEL SIGN INAP + {0xABE5, 0xABE5, prExtend}, // Mn MEETEI MAYEK VOWEL SIGN ANAP + {0xABE6, 0xABE7, prSpacingMark}, // Mc [2] MEETEI MAYEK VOWEL SIGN YENAP..MEETEI MAYEK VOWEL SIGN SOUNAP + {0xABE8, 0xABE8, prExtend}, // Mn MEETEI MAYEK VOWEL SIGN UNAP + {0xABE9, 0xABEA, prSpacingMark}, // Mc [2] MEETEI MAYEK VOWEL SIGN CHEINAP..MEETEI MAYEK VOWEL SIGN NUNG + {0xABEC, 0xABEC, prSpacingMark}, // Mc MEETEI MAYEK LUM IYEK + {0xABED, 0xABED, prExtend}, // Mn MEETEI MAYEK APUN IYEK + {0xAC00, 0xAC00, prLV}, // Lo HANGUL SYLLABLE GA + {0xAC01, 0xAC1B, prLVT}, // Lo [27] HANGUL SYLLABLE GAG..HANGUL SYLLABLE GAH + {0xAC1C, 0xAC1C, prLV}, // Lo HANGUL SYLLABLE GAE + {0xAC1D, 0xAC37, prLVT}, // Lo [27] HANGUL SYLLABLE GAEG..HANGUL SYLLABLE GAEH + {0xAC38, 0xAC38, prLV}, // Lo HANGUL SYLLABLE GYA + {0xAC39, 0xAC53, prLVT}, // Lo [27] HANGUL SYLLABLE GYAG..HANGUL SYLLABLE GYAH + {0xAC54, 0xAC54, prLV}, // Lo HANGUL SYLLABLE GYAE + {0xAC55, 0xAC6F, prLVT}, // Lo [27] HANGUL SYLLABLE GYAEG..HANGUL SYLLABLE GYAEH + {0xAC70, 0xAC70, prLV}, // Lo HANGUL SYLLABLE GEO + {0xAC71, 0xAC8B, prLVT}, // Lo [27] HANGUL SYLLABLE GEOG..HANGUL SYLLABLE GEOH + {0xAC8C, 0xAC8C, prLV}, // Lo HANGUL SYLLABLE GE + {0xAC8D, 0xACA7, prLVT}, // Lo [27] HANGUL SYLLABLE GEG..HANGUL SYLLABLE GEH + {0xACA8, 0xACA8, prLV}, // Lo HANGUL SYLLABLE GYEO + {0xACA9, 0xACC3, prLVT}, // Lo [27] HANGUL SYLLABLE GYEOG..HANGUL SYLLABLE GYEOH + {0xACC4, 0xACC4, prLV}, // Lo HANGUL SYLLABLE GYE + {0xACC5, 0xACDF, prLVT}, // Lo [27] HANGUL SYLLABLE GYEG..HANGUL SYLLABLE GYEH + {0xACE0, 0xACE0, prLV}, // Lo HANGUL SYLLABLE GO + {0xACE1, 0xACFB, prLVT}, // Lo [27] HANGUL SYLLABLE GOG..HANGUL SYLLABLE GOH + {0xACFC, 0xACFC, prLV}, // Lo HANGUL SYLLABLE GWA + {0xACFD, 0xAD17, prLVT}, // Lo [27] HANGUL SYLLABLE GWAG..HANGUL SYLLABLE GWAH + {0xAD18, 0xAD18, prLV}, // Lo HANGUL SYLLABLE GWAE + {0xAD19, 0xAD33, prLVT}, // Lo [27] HANGUL SYLLABLE GWAEG..HANGUL SYLLABLE GWAEH + {0xAD34, 0xAD34, prLV}, // Lo HANGUL SYLLABLE GOE + {0xAD35, 0xAD4F, prLVT}, // Lo [27] HANGUL SYLLABLE GOEG..HANGUL SYLLABLE GOEH + {0xAD50, 0xAD50, prLV}, // Lo HANGUL SYLLABLE GYO + {0xAD51, 0xAD6B, prLVT}, // Lo [27] HANGUL SYLLABLE GYOG..HANGUL SYLLABLE GYOH + {0xAD6C, 0xAD6C, prLV}, // Lo HANGUL SYLLABLE GU + {0xAD6D, 0xAD87, prLVT}, // Lo [27] HANGUL SYLLABLE GUG..HANGUL SYLLABLE GUH + {0xAD88, 0xAD88, prLV}, // Lo HANGUL SYLLABLE GWEO + {0xAD89, 0xADA3, prLVT}, // Lo [27] HANGUL SYLLABLE GWEOG..HANGUL SYLLABLE GWEOH + {0xADA4, 0xADA4, prLV}, // Lo HANGUL SYLLABLE GWE + {0xADA5, 0xADBF, prLVT}, // Lo [27] HANGUL SYLLABLE GWEG..HANGUL SYLLABLE GWEH + {0xADC0, 0xADC0, prLV}, // Lo HANGUL SYLLABLE GWI + {0xADC1, 0xADDB, prLVT}, // Lo [27] HANGUL SYLLABLE GWIG..HANGUL SYLLABLE GWIH + {0xADDC, 0xADDC, prLV}, // Lo HANGUL SYLLABLE GYU + {0xADDD, 0xADF7, prLVT}, // Lo [27] HANGUL SYLLABLE GYUG..HANGUL SYLLABLE GYUH + {0xADF8, 0xADF8, prLV}, // Lo HANGUL SYLLABLE GEU + {0xADF9, 0xAE13, prLVT}, // Lo [27] HANGUL SYLLABLE GEUG..HANGUL SYLLABLE GEUH + {0xAE14, 0xAE14, prLV}, // Lo HANGUL SYLLABLE GYI + {0xAE15, 0xAE2F, prLVT}, // Lo [27] HANGUL SYLLABLE GYIG..HANGUL SYLLABLE GYIH + {0xAE30, 0xAE30, prLV}, // Lo HANGUL SYLLABLE GI + {0xAE31, 0xAE4B, prLVT}, // Lo [27] HANGUL SYLLABLE GIG..HANGUL SYLLABLE GIH + {0xAE4C, 0xAE4C, prLV}, // Lo HANGUL SYLLABLE GGA + {0xAE4D, 0xAE67, prLVT}, // Lo [27] HANGUL SYLLABLE GGAG..HANGUL SYLLABLE GGAH + {0xAE68, 0xAE68, prLV}, // Lo HANGUL SYLLABLE GGAE + {0xAE69, 0xAE83, prLVT}, // Lo [27] HANGUL SYLLABLE GGAEG..HANGUL SYLLABLE GGAEH + {0xAE84, 0xAE84, prLV}, // Lo HANGUL SYLLABLE GGYA + {0xAE85, 0xAE9F, prLVT}, // Lo [27] HANGUL SYLLABLE GGYAG..HANGUL SYLLABLE GGYAH + {0xAEA0, 0xAEA0, prLV}, // Lo HANGUL SYLLABLE GGYAE + {0xAEA1, 0xAEBB, prLVT}, // Lo [27] HANGUL SYLLABLE GGYAEG..HANGUL SYLLABLE GGYAEH + {0xAEBC, 0xAEBC, prLV}, // Lo HANGUL SYLLABLE GGEO + {0xAEBD, 0xAED7, prLVT}, // Lo [27] HANGUL SYLLABLE GGEOG..HANGUL SYLLABLE GGEOH + {0xAED8, 0xAED8, prLV}, // Lo HANGUL SYLLABLE GGE + {0xAED9, 0xAEF3, prLVT}, // Lo [27] HANGUL SYLLABLE GGEG..HANGUL SYLLABLE GGEH + {0xAEF4, 0xAEF4, prLV}, // Lo HANGUL SYLLABLE GGYEO + {0xAEF5, 0xAF0F, prLVT}, // Lo [27] HANGUL SYLLABLE GGYEOG..HANGUL SYLLABLE GGYEOH + {0xAF10, 0xAF10, prLV}, // Lo HANGUL SYLLABLE GGYE + {0xAF11, 0xAF2B, prLVT}, // Lo [27] HANGUL SYLLABLE GGYEG..HANGUL SYLLABLE GGYEH + {0xAF2C, 0xAF2C, prLV}, // Lo HANGUL SYLLABLE GGO + {0xAF2D, 0xAF47, prLVT}, // Lo [27] HANGUL SYLLABLE GGOG..HANGUL SYLLABLE GGOH + {0xAF48, 0xAF48, prLV}, // Lo HANGUL SYLLABLE GGWA + {0xAF49, 0xAF63, prLVT}, // Lo [27] HANGUL SYLLABLE GGWAG..HANGUL SYLLABLE GGWAH + {0xAF64, 0xAF64, prLV}, // Lo HANGUL SYLLABLE GGWAE + {0xAF65, 0xAF7F, prLVT}, // Lo [27] HANGUL SYLLABLE GGWAEG..HANGUL SYLLABLE GGWAEH + {0xAF80, 0xAF80, prLV}, // Lo HANGUL SYLLABLE GGOE + {0xAF81, 0xAF9B, prLVT}, // Lo [27] HANGUL SYLLABLE GGOEG..HANGUL SYLLABLE GGOEH + {0xAF9C, 0xAF9C, prLV}, // Lo HANGUL SYLLABLE GGYO + {0xAF9D, 0xAFB7, prLVT}, // Lo [27] HANGUL SYLLABLE GGYOG..HANGUL SYLLABLE GGYOH + {0xAFB8, 0xAFB8, prLV}, // Lo HANGUL SYLLABLE GGU + {0xAFB9, 0xAFD3, prLVT}, // Lo [27] HANGUL SYLLABLE GGUG..HANGUL SYLLABLE GGUH + {0xAFD4, 0xAFD4, prLV}, // Lo HANGUL SYLLABLE GGWEO + {0xAFD5, 0xAFEF, prLVT}, // Lo [27] HANGUL SYLLABLE GGWEOG..HANGUL SYLLABLE GGWEOH + {0xAFF0, 0xAFF0, prLV}, // Lo HANGUL SYLLABLE GGWE + {0xAFF1, 0xB00B, prLVT}, // Lo [27] HANGUL SYLLABLE GGWEG..HANGUL SYLLABLE GGWEH + {0xB00C, 0xB00C, prLV}, // Lo HANGUL SYLLABLE GGWI + {0xB00D, 0xB027, prLVT}, // Lo [27] HANGUL SYLLABLE GGWIG..HANGUL SYLLABLE GGWIH + {0xB028, 0xB028, prLV}, // Lo HANGUL SYLLABLE GGYU + {0xB029, 0xB043, prLVT}, // Lo [27] HANGUL SYLLABLE GGYUG..HANGUL SYLLABLE GGYUH + {0xB044, 0xB044, prLV}, // Lo HANGUL SYLLABLE GGEU + {0xB045, 0xB05F, prLVT}, // Lo [27] HANGUL SYLLABLE GGEUG..HANGUL SYLLABLE GGEUH + {0xB060, 0xB060, prLV}, // Lo HANGUL SYLLABLE GGYI + {0xB061, 0xB07B, prLVT}, // Lo [27] HANGUL SYLLABLE GGYIG..HANGUL SYLLABLE GGYIH + {0xB07C, 0xB07C, prLV}, // Lo HANGUL SYLLABLE GGI + {0xB07D, 0xB097, prLVT}, // Lo [27] HANGUL SYLLABLE GGIG..HANGUL SYLLABLE GGIH + {0xB098, 0xB098, prLV}, // Lo HANGUL SYLLABLE NA + {0xB099, 0xB0B3, prLVT}, // Lo [27] HANGUL SYLLABLE NAG..HANGUL SYLLABLE NAH + {0xB0B4, 0xB0B4, prLV}, // Lo HANGUL SYLLABLE NAE + {0xB0B5, 0xB0CF, prLVT}, // Lo [27] HANGUL SYLLABLE NAEG..HANGUL SYLLABLE NAEH + {0xB0D0, 0xB0D0, prLV}, // Lo HANGUL SYLLABLE NYA + {0xB0D1, 0xB0EB, prLVT}, // Lo [27] HANGUL SYLLABLE NYAG..HANGUL SYLLABLE NYAH + {0xB0EC, 0xB0EC, prLV}, // Lo HANGUL SYLLABLE NYAE + {0xB0ED, 0xB107, prLVT}, // Lo [27] HANGUL SYLLABLE NYAEG..HANGUL SYLLABLE NYAEH + {0xB108, 0xB108, prLV}, // Lo HANGUL SYLLABLE NEO + {0xB109, 0xB123, prLVT}, // Lo [27] HANGUL SYLLABLE NEOG..HANGUL SYLLABLE NEOH + {0xB124, 0xB124, prLV}, // Lo HANGUL SYLLABLE NE + {0xB125, 0xB13F, prLVT}, // Lo [27] HANGUL SYLLABLE NEG..HANGUL SYLLABLE NEH + {0xB140, 0xB140, prLV}, // Lo HANGUL SYLLABLE NYEO + {0xB141, 0xB15B, prLVT}, // Lo [27] HANGUL SYLLABLE NYEOG..HANGUL SYLLABLE NYEOH + {0xB15C, 0xB15C, prLV}, // Lo HANGUL SYLLABLE NYE + {0xB15D, 0xB177, prLVT}, // Lo [27] HANGUL SYLLABLE NYEG..HANGUL SYLLABLE NYEH + {0xB178, 0xB178, prLV}, // Lo HANGUL SYLLABLE NO + {0xB179, 0xB193, prLVT}, // Lo [27] HANGUL SYLLABLE NOG..HANGUL SYLLABLE NOH + {0xB194, 0xB194, prLV}, // Lo HANGUL SYLLABLE NWA + {0xB195, 0xB1AF, prLVT}, // Lo [27] HANGUL SYLLABLE NWAG..HANGUL SYLLABLE NWAH + {0xB1B0, 0xB1B0, prLV}, // Lo HANGUL SYLLABLE NWAE + {0xB1B1, 0xB1CB, prLVT}, // Lo [27] HANGUL SYLLABLE NWAEG..HANGUL SYLLABLE NWAEH + {0xB1CC, 0xB1CC, prLV}, // Lo HANGUL SYLLABLE NOE + {0xB1CD, 0xB1E7, prLVT}, // Lo [27] HANGUL SYLLABLE NOEG..HANGUL SYLLABLE NOEH + {0xB1E8, 0xB1E8, prLV}, // Lo HANGUL SYLLABLE NYO + {0xB1E9, 0xB203, prLVT}, // Lo [27] HANGUL SYLLABLE NYOG..HANGUL SYLLABLE NYOH + {0xB204, 0xB204, prLV}, // Lo HANGUL SYLLABLE NU + {0xB205, 0xB21F, prLVT}, // Lo [27] HANGUL SYLLABLE NUG..HANGUL SYLLABLE NUH + {0xB220, 0xB220, prLV}, // Lo HANGUL SYLLABLE NWEO + {0xB221, 0xB23B, prLVT}, // Lo [27] HANGUL SYLLABLE NWEOG..HANGUL SYLLABLE NWEOH + {0xB23C, 0xB23C, prLV}, // Lo HANGUL SYLLABLE NWE + {0xB23D, 0xB257, prLVT}, // Lo [27] HANGUL SYLLABLE NWEG..HANGUL SYLLABLE NWEH + {0xB258, 0xB258, prLV}, // Lo HANGUL SYLLABLE NWI + {0xB259, 0xB273, prLVT}, // Lo [27] HANGUL SYLLABLE NWIG..HANGUL SYLLABLE NWIH + {0xB274, 0xB274, prLV}, // Lo HANGUL SYLLABLE NYU + {0xB275, 0xB28F, prLVT}, // Lo [27] HANGUL SYLLABLE NYUG..HANGUL SYLLABLE NYUH + {0xB290, 0xB290, prLV}, // Lo HANGUL SYLLABLE NEU + {0xB291, 0xB2AB, prLVT}, // Lo [27] HANGUL SYLLABLE NEUG..HANGUL SYLLABLE NEUH + {0xB2AC, 0xB2AC, prLV}, // Lo HANGUL SYLLABLE NYI + {0xB2AD, 0xB2C7, prLVT}, // Lo [27] HANGUL SYLLABLE NYIG..HANGUL SYLLABLE NYIH + {0xB2C8, 0xB2C8, prLV}, // Lo HANGUL SYLLABLE NI + {0xB2C9, 0xB2E3, prLVT}, // Lo [27] HANGUL SYLLABLE NIG..HANGUL SYLLABLE NIH + {0xB2E4, 0xB2E4, prLV}, // Lo HANGUL SYLLABLE DA + {0xB2E5, 0xB2FF, prLVT}, // Lo [27] HANGUL SYLLABLE DAG..HANGUL SYLLABLE DAH + {0xB300, 0xB300, prLV}, // Lo HANGUL SYLLABLE DAE + {0xB301, 0xB31B, prLVT}, // Lo [27] HANGUL SYLLABLE DAEG..HANGUL SYLLABLE DAEH + {0xB31C, 0xB31C, prLV}, // Lo HANGUL SYLLABLE DYA + {0xB31D, 0xB337, prLVT}, // Lo [27] HANGUL SYLLABLE DYAG..HANGUL SYLLABLE DYAH + {0xB338, 0xB338, prLV}, // Lo HANGUL SYLLABLE DYAE + {0xB339, 0xB353, prLVT}, // Lo [27] HANGUL SYLLABLE DYAEG..HANGUL SYLLABLE DYAEH + {0xB354, 0xB354, prLV}, // Lo HANGUL SYLLABLE DEO + {0xB355, 0xB36F, prLVT}, // Lo [27] HANGUL SYLLABLE DEOG..HANGUL SYLLABLE DEOH + {0xB370, 0xB370, prLV}, // Lo HANGUL SYLLABLE DE + {0xB371, 0xB38B, prLVT}, // Lo [27] HANGUL SYLLABLE DEG..HANGUL SYLLABLE DEH + {0xB38C, 0xB38C, prLV}, // Lo HANGUL SYLLABLE DYEO + {0xB38D, 0xB3A7, prLVT}, // Lo [27] HANGUL SYLLABLE DYEOG..HANGUL SYLLABLE DYEOH + {0xB3A8, 0xB3A8, prLV}, // Lo HANGUL SYLLABLE DYE + {0xB3A9, 0xB3C3, prLVT}, // Lo [27] HANGUL SYLLABLE DYEG..HANGUL SYLLABLE DYEH + {0xB3C4, 0xB3C4, prLV}, // Lo HANGUL SYLLABLE DO + {0xB3C5, 0xB3DF, prLVT}, // Lo [27] HANGUL SYLLABLE DOG..HANGUL SYLLABLE DOH + {0xB3E0, 0xB3E0, prLV}, // Lo HANGUL SYLLABLE DWA + {0xB3E1, 0xB3FB, prLVT}, // Lo [27] HANGUL SYLLABLE DWAG..HANGUL SYLLABLE DWAH + {0xB3FC, 0xB3FC, prLV}, // Lo HANGUL SYLLABLE DWAE + {0xB3FD, 0xB417, prLVT}, // Lo [27] HANGUL SYLLABLE DWAEG..HANGUL SYLLABLE DWAEH + {0xB418, 0xB418, prLV}, // Lo HANGUL SYLLABLE DOE + {0xB419, 0xB433, prLVT}, // Lo [27] HANGUL SYLLABLE DOEG..HANGUL SYLLABLE DOEH + {0xB434, 0xB434, prLV}, // Lo HANGUL SYLLABLE DYO + {0xB435, 0xB44F, prLVT}, // Lo [27] HANGUL SYLLABLE DYOG..HANGUL SYLLABLE DYOH + {0xB450, 0xB450, prLV}, // Lo HANGUL SYLLABLE DU + {0xB451, 0xB46B, prLVT}, // Lo [27] HANGUL SYLLABLE DUG..HANGUL SYLLABLE DUH + {0xB46C, 0xB46C, prLV}, // Lo HANGUL SYLLABLE DWEO + {0xB46D, 0xB487, prLVT}, // Lo [27] HANGUL SYLLABLE DWEOG..HANGUL SYLLABLE DWEOH + {0xB488, 0xB488, prLV}, // Lo HANGUL SYLLABLE DWE + {0xB489, 0xB4A3, prLVT}, // Lo [27] HANGUL SYLLABLE DWEG..HANGUL SYLLABLE DWEH + {0xB4A4, 0xB4A4, prLV}, // Lo HANGUL SYLLABLE DWI + {0xB4A5, 0xB4BF, prLVT}, // Lo [27] HANGUL SYLLABLE DWIG..HANGUL SYLLABLE DWIH + {0xB4C0, 0xB4C0, prLV}, // Lo HANGUL SYLLABLE DYU + {0xB4C1, 0xB4DB, prLVT}, // Lo [27] HANGUL SYLLABLE DYUG..HANGUL SYLLABLE DYUH + {0xB4DC, 0xB4DC, prLV}, // Lo HANGUL SYLLABLE DEU + {0xB4DD, 0xB4F7, prLVT}, // Lo [27] HANGUL SYLLABLE DEUG..HANGUL SYLLABLE DEUH + {0xB4F8, 0xB4F8, prLV}, // Lo HANGUL SYLLABLE DYI + {0xB4F9, 0xB513, prLVT}, // Lo [27] HANGUL SYLLABLE DYIG..HANGUL SYLLABLE DYIH + {0xB514, 0xB514, prLV}, // Lo HANGUL SYLLABLE DI + {0xB515, 0xB52F, prLVT}, // Lo [27] HANGUL SYLLABLE DIG..HANGUL SYLLABLE DIH + {0xB530, 0xB530, prLV}, // Lo HANGUL SYLLABLE DDA + {0xB531, 0xB54B, prLVT}, // Lo [27] HANGUL SYLLABLE DDAG..HANGUL SYLLABLE DDAH + {0xB54C, 0xB54C, prLV}, // Lo HANGUL SYLLABLE DDAE + {0xB54D, 0xB567, prLVT}, // Lo [27] HANGUL SYLLABLE DDAEG..HANGUL SYLLABLE DDAEH + {0xB568, 0xB568, prLV}, // Lo HANGUL SYLLABLE DDYA + {0xB569, 0xB583, prLVT}, // Lo [27] HANGUL SYLLABLE DDYAG..HANGUL SYLLABLE DDYAH + {0xB584, 0xB584, prLV}, // Lo HANGUL SYLLABLE DDYAE + {0xB585, 0xB59F, prLVT}, // Lo [27] HANGUL SYLLABLE DDYAEG..HANGUL SYLLABLE DDYAEH + {0xB5A0, 0xB5A0, prLV}, // Lo HANGUL SYLLABLE DDEO + {0xB5A1, 0xB5BB, prLVT}, // Lo [27] HANGUL SYLLABLE DDEOG..HANGUL SYLLABLE DDEOH + {0xB5BC, 0xB5BC, prLV}, // Lo HANGUL SYLLABLE DDE + {0xB5BD, 0xB5D7, prLVT}, // Lo [27] HANGUL SYLLABLE DDEG..HANGUL SYLLABLE DDEH + {0xB5D8, 0xB5D8, prLV}, // Lo HANGUL SYLLABLE DDYEO + {0xB5D9, 0xB5F3, prLVT}, // Lo [27] HANGUL SYLLABLE DDYEOG..HANGUL SYLLABLE DDYEOH + {0xB5F4, 0xB5F4, prLV}, // Lo HANGUL SYLLABLE DDYE + {0xB5F5, 0xB60F, prLVT}, // Lo [27] HANGUL SYLLABLE DDYEG..HANGUL SYLLABLE DDYEH + {0xB610, 0xB610, prLV}, // Lo HANGUL SYLLABLE DDO + {0xB611, 0xB62B, prLVT}, // Lo [27] HANGUL SYLLABLE DDOG..HANGUL SYLLABLE DDOH + {0xB62C, 0xB62C, prLV}, // Lo HANGUL SYLLABLE DDWA + {0xB62D, 0xB647, prLVT}, // Lo [27] HANGUL SYLLABLE DDWAG..HANGUL SYLLABLE DDWAH + {0xB648, 0xB648, prLV}, // Lo HANGUL SYLLABLE DDWAE + {0xB649, 0xB663, prLVT}, // Lo [27] HANGUL SYLLABLE DDWAEG..HANGUL SYLLABLE DDWAEH + {0xB664, 0xB664, prLV}, // Lo HANGUL SYLLABLE DDOE + {0xB665, 0xB67F, prLVT}, // Lo [27] HANGUL SYLLABLE DDOEG..HANGUL SYLLABLE DDOEH + {0xB680, 0xB680, prLV}, // Lo HANGUL SYLLABLE DDYO + {0xB681, 0xB69B, prLVT}, // Lo [27] HANGUL SYLLABLE DDYOG..HANGUL SYLLABLE DDYOH + {0xB69C, 0xB69C, prLV}, // Lo HANGUL SYLLABLE DDU + {0xB69D, 0xB6B7, prLVT}, // Lo [27] HANGUL SYLLABLE DDUG..HANGUL SYLLABLE DDUH + {0xB6B8, 0xB6B8, prLV}, // Lo HANGUL SYLLABLE DDWEO + {0xB6B9, 0xB6D3, prLVT}, // Lo [27] HANGUL SYLLABLE DDWEOG..HANGUL SYLLABLE DDWEOH + {0xB6D4, 0xB6D4, prLV}, // Lo HANGUL SYLLABLE DDWE + {0xB6D5, 0xB6EF, prLVT}, // Lo [27] HANGUL SYLLABLE DDWEG..HANGUL SYLLABLE DDWEH + {0xB6F0, 0xB6F0, prLV}, // Lo HANGUL SYLLABLE DDWI + {0xB6F1, 0xB70B, prLVT}, // Lo [27] HANGUL SYLLABLE DDWIG..HANGUL SYLLABLE DDWIH + {0xB70C, 0xB70C, prLV}, // Lo HANGUL SYLLABLE DDYU + {0xB70D, 0xB727, prLVT}, // Lo [27] HANGUL SYLLABLE DDYUG..HANGUL SYLLABLE DDYUH + {0xB728, 0xB728, prLV}, // Lo HANGUL SYLLABLE DDEU + {0xB729, 0xB743, prLVT}, // Lo [27] HANGUL SYLLABLE DDEUG..HANGUL SYLLABLE DDEUH + {0xB744, 0xB744, prLV}, // Lo HANGUL SYLLABLE DDYI + {0xB745, 0xB75F, prLVT}, // Lo [27] HANGUL SYLLABLE DDYIG..HANGUL SYLLABLE DDYIH + {0xB760, 0xB760, prLV}, // Lo HANGUL SYLLABLE DDI + {0xB761, 0xB77B, prLVT}, // Lo [27] HANGUL SYLLABLE DDIG..HANGUL SYLLABLE DDIH + {0xB77C, 0xB77C, prLV}, // Lo HANGUL SYLLABLE RA + {0xB77D, 0xB797, prLVT}, // Lo [27] HANGUL SYLLABLE RAG..HANGUL SYLLABLE RAH + {0xB798, 0xB798, prLV}, // Lo HANGUL SYLLABLE RAE + {0xB799, 0xB7B3, prLVT}, // Lo [27] HANGUL SYLLABLE RAEG..HANGUL SYLLABLE RAEH + {0xB7B4, 0xB7B4, prLV}, // Lo HANGUL SYLLABLE RYA + {0xB7B5, 0xB7CF, prLVT}, // Lo [27] HANGUL SYLLABLE RYAG..HANGUL SYLLABLE RYAH + {0xB7D0, 0xB7D0, prLV}, // Lo HANGUL SYLLABLE RYAE + {0xB7D1, 0xB7EB, prLVT}, // Lo [27] HANGUL SYLLABLE RYAEG..HANGUL SYLLABLE RYAEH + {0xB7EC, 0xB7EC, prLV}, // Lo HANGUL SYLLABLE REO + {0xB7ED, 0xB807, prLVT}, // Lo [27] HANGUL SYLLABLE REOG..HANGUL SYLLABLE REOH + {0xB808, 0xB808, prLV}, // Lo HANGUL SYLLABLE RE + {0xB809, 0xB823, prLVT}, // Lo [27] HANGUL SYLLABLE REG..HANGUL SYLLABLE REH + {0xB824, 0xB824, prLV}, // Lo HANGUL SYLLABLE RYEO + {0xB825, 0xB83F, prLVT}, // Lo [27] HANGUL SYLLABLE RYEOG..HANGUL SYLLABLE RYEOH + {0xB840, 0xB840, prLV}, // Lo HANGUL SYLLABLE RYE + {0xB841, 0xB85B, prLVT}, // Lo [27] HANGUL SYLLABLE RYEG..HANGUL SYLLABLE RYEH + {0xB85C, 0xB85C, prLV}, // Lo HANGUL SYLLABLE RO + {0xB85D, 0xB877, prLVT}, // Lo [27] HANGUL SYLLABLE ROG..HANGUL SYLLABLE ROH + {0xB878, 0xB878, prLV}, // Lo HANGUL SYLLABLE RWA + {0xB879, 0xB893, prLVT}, // Lo [27] HANGUL SYLLABLE RWAG..HANGUL SYLLABLE RWAH + {0xB894, 0xB894, prLV}, // Lo HANGUL SYLLABLE RWAE + {0xB895, 0xB8AF, prLVT}, // Lo [27] HANGUL SYLLABLE RWAEG..HANGUL SYLLABLE RWAEH + {0xB8B0, 0xB8B0, prLV}, // Lo HANGUL SYLLABLE ROE + {0xB8B1, 0xB8CB, prLVT}, // Lo [27] HANGUL SYLLABLE ROEG..HANGUL SYLLABLE ROEH + {0xB8CC, 0xB8CC, prLV}, // Lo HANGUL SYLLABLE RYO + {0xB8CD, 0xB8E7, prLVT}, // Lo [27] HANGUL SYLLABLE RYOG..HANGUL SYLLABLE RYOH + {0xB8E8, 0xB8E8, prLV}, // Lo HANGUL SYLLABLE RU + {0xB8E9, 0xB903, prLVT}, // Lo [27] HANGUL SYLLABLE RUG..HANGUL SYLLABLE RUH + {0xB904, 0xB904, prLV}, // Lo HANGUL SYLLABLE RWEO + {0xB905, 0xB91F, prLVT}, // Lo [27] HANGUL SYLLABLE RWEOG..HANGUL SYLLABLE RWEOH + {0xB920, 0xB920, prLV}, // Lo HANGUL SYLLABLE RWE + {0xB921, 0xB93B, prLVT}, // Lo [27] HANGUL SYLLABLE RWEG..HANGUL SYLLABLE RWEH + {0xB93C, 0xB93C, prLV}, // Lo HANGUL SYLLABLE RWI + {0xB93D, 0xB957, prLVT}, // Lo [27] HANGUL SYLLABLE RWIG..HANGUL SYLLABLE RWIH + {0xB958, 0xB958, prLV}, // Lo HANGUL SYLLABLE RYU + {0xB959, 0xB973, prLVT}, // Lo [27] HANGUL SYLLABLE RYUG..HANGUL SYLLABLE RYUH + {0xB974, 0xB974, prLV}, // Lo HANGUL SYLLABLE REU + {0xB975, 0xB98F, prLVT}, // Lo [27] HANGUL SYLLABLE REUG..HANGUL SYLLABLE REUH + {0xB990, 0xB990, prLV}, // Lo HANGUL SYLLABLE RYI + {0xB991, 0xB9AB, prLVT}, // Lo [27] HANGUL SYLLABLE RYIG..HANGUL SYLLABLE RYIH + {0xB9AC, 0xB9AC, prLV}, // Lo HANGUL SYLLABLE RI + {0xB9AD, 0xB9C7, prLVT}, // Lo [27] HANGUL SYLLABLE RIG..HANGUL SYLLABLE RIH + {0xB9C8, 0xB9C8, prLV}, // Lo HANGUL SYLLABLE MA + {0xB9C9, 0xB9E3, prLVT}, // Lo [27] HANGUL SYLLABLE MAG..HANGUL SYLLABLE MAH + {0xB9E4, 0xB9E4, prLV}, // Lo HANGUL SYLLABLE MAE + {0xB9E5, 0xB9FF, prLVT}, // Lo [27] HANGUL SYLLABLE MAEG..HANGUL SYLLABLE MAEH + {0xBA00, 0xBA00, prLV}, // Lo HANGUL SYLLABLE MYA + {0xBA01, 0xBA1B, prLVT}, // Lo [27] HANGUL SYLLABLE MYAG..HANGUL SYLLABLE MYAH + {0xBA1C, 0xBA1C, prLV}, // Lo HANGUL SYLLABLE MYAE + {0xBA1D, 0xBA37, prLVT}, // Lo [27] HANGUL SYLLABLE MYAEG..HANGUL SYLLABLE MYAEH + {0xBA38, 0xBA38, prLV}, // Lo HANGUL SYLLABLE MEO + {0xBA39, 0xBA53, prLVT}, // Lo [27] HANGUL SYLLABLE MEOG..HANGUL SYLLABLE MEOH + {0xBA54, 0xBA54, prLV}, // Lo HANGUL SYLLABLE ME + {0xBA55, 0xBA6F, prLVT}, // Lo [27] HANGUL SYLLABLE MEG..HANGUL SYLLABLE MEH + {0xBA70, 0xBA70, prLV}, // Lo HANGUL SYLLABLE MYEO + {0xBA71, 0xBA8B, prLVT}, // Lo [27] HANGUL SYLLABLE MYEOG..HANGUL SYLLABLE MYEOH + {0xBA8C, 0xBA8C, prLV}, // Lo HANGUL SYLLABLE MYE + {0xBA8D, 0xBAA7, prLVT}, // Lo [27] HANGUL SYLLABLE MYEG..HANGUL SYLLABLE MYEH + {0xBAA8, 0xBAA8, prLV}, // Lo HANGUL SYLLABLE MO + {0xBAA9, 0xBAC3, prLVT}, // Lo [27] HANGUL SYLLABLE MOG..HANGUL SYLLABLE MOH + {0xBAC4, 0xBAC4, prLV}, // Lo HANGUL SYLLABLE MWA + {0xBAC5, 0xBADF, prLVT}, // Lo [27] HANGUL SYLLABLE MWAG..HANGUL SYLLABLE MWAH + {0xBAE0, 0xBAE0, prLV}, // Lo HANGUL SYLLABLE MWAE + {0xBAE1, 0xBAFB, prLVT}, // Lo [27] HANGUL SYLLABLE MWAEG..HANGUL SYLLABLE MWAEH + {0xBAFC, 0xBAFC, prLV}, // Lo HANGUL SYLLABLE MOE + {0xBAFD, 0xBB17, prLVT}, // Lo [27] HANGUL SYLLABLE MOEG..HANGUL SYLLABLE MOEH + {0xBB18, 0xBB18, prLV}, // Lo HANGUL SYLLABLE MYO + {0xBB19, 0xBB33, prLVT}, // Lo [27] HANGUL SYLLABLE MYOG..HANGUL SYLLABLE MYOH + {0xBB34, 0xBB34, prLV}, // Lo HANGUL SYLLABLE MU + {0xBB35, 0xBB4F, prLVT}, // Lo [27] HANGUL SYLLABLE MUG..HANGUL SYLLABLE MUH + {0xBB50, 0xBB50, prLV}, // Lo HANGUL SYLLABLE MWEO + {0xBB51, 0xBB6B, prLVT}, // Lo [27] HANGUL SYLLABLE MWEOG..HANGUL SYLLABLE MWEOH + {0xBB6C, 0xBB6C, prLV}, // Lo HANGUL SYLLABLE MWE + {0xBB6D, 0xBB87, prLVT}, // Lo [27] HANGUL SYLLABLE MWEG..HANGUL SYLLABLE MWEH + {0xBB88, 0xBB88, prLV}, // Lo HANGUL SYLLABLE MWI + {0xBB89, 0xBBA3, prLVT}, // Lo [27] HANGUL SYLLABLE MWIG..HANGUL SYLLABLE MWIH + {0xBBA4, 0xBBA4, prLV}, // Lo HANGUL SYLLABLE MYU + {0xBBA5, 0xBBBF, prLVT}, // Lo [27] HANGUL SYLLABLE MYUG..HANGUL SYLLABLE MYUH + {0xBBC0, 0xBBC0, prLV}, // Lo HANGUL SYLLABLE MEU + {0xBBC1, 0xBBDB, prLVT}, // Lo [27] HANGUL SYLLABLE MEUG..HANGUL SYLLABLE MEUH + {0xBBDC, 0xBBDC, prLV}, // Lo HANGUL SYLLABLE MYI + {0xBBDD, 0xBBF7, prLVT}, // Lo [27] HANGUL SYLLABLE MYIG..HANGUL SYLLABLE MYIH + {0xBBF8, 0xBBF8, prLV}, // Lo HANGUL SYLLABLE MI + {0xBBF9, 0xBC13, prLVT}, // Lo [27] HANGUL SYLLABLE MIG..HANGUL SYLLABLE MIH + {0xBC14, 0xBC14, prLV}, // Lo HANGUL SYLLABLE BA + {0xBC15, 0xBC2F, prLVT}, // Lo [27] HANGUL SYLLABLE BAG..HANGUL SYLLABLE BAH + {0xBC30, 0xBC30, prLV}, // Lo HANGUL SYLLABLE BAE + {0xBC31, 0xBC4B, prLVT}, // Lo [27] HANGUL SYLLABLE BAEG..HANGUL SYLLABLE BAEH + {0xBC4C, 0xBC4C, prLV}, // Lo HANGUL SYLLABLE BYA + {0xBC4D, 0xBC67, prLVT}, // Lo [27] HANGUL SYLLABLE BYAG..HANGUL SYLLABLE BYAH + {0xBC68, 0xBC68, prLV}, // Lo HANGUL SYLLABLE BYAE + {0xBC69, 0xBC83, prLVT}, // Lo [27] HANGUL SYLLABLE BYAEG..HANGUL SYLLABLE BYAEH + {0xBC84, 0xBC84, prLV}, // Lo HANGUL SYLLABLE BEO + {0xBC85, 0xBC9F, prLVT}, // Lo [27] HANGUL SYLLABLE BEOG..HANGUL SYLLABLE BEOH + {0xBCA0, 0xBCA0, prLV}, // Lo HANGUL SYLLABLE BE + {0xBCA1, 0xBCBB, prLVT}, // Lo [27] HANGUL SYLLABLE BEG..HANGUL SYLLABLE BEH + {0xBCBC, 0xBCBC, prLV}, // Lo HANGUL SYLLABLE BYEO + {0xBCBD, 0xBCD7, prLVT}, // Lo [27] HANGUL SYLLABLE BYEOG..HANGUL SYLLABLE BYEOH + {0xBCD8, 0xBCD8, prLV}, // Lo HANGUL SYLLABLE BYE + {0xBCD9, 0xBCF3, prLVT}, // Lo [27] HANGUL SYLLABLE BYEG..HANGUL SYLLABLE BYEH + {0xBCF4, 0xBCF4, prLV}, // Lo HANGUL SYLLABLE BO + {0xBCF5, 0xBD0F, prLVT}, // Lo [27] HANGUL SYLLABLE BOG..HANGUL SYLLABLE BOH + {0xBD10, 0xBD10, prLV}, // Lo HANGUL SYLLABLE BWA + {0xBD11, 0xBD2B, prLVT}, // Lo [27] HANGUL SYLLABLE BWAG..HANGUL SYLLABLE BWAH + {0xBD2C, 0xBD2C, prLV}, // Lo HANGUL SYLLABLE BWAE + {0xBD2D, 0xBD47, prLVT}, // Lo [27] HANGUL SYLLABLE BWAEG..HANGUL SYLLABLE BWAEH + {0xBD48, 0xBD48, prLV}, // Lo HANGUL SYLLABLE BOE + {0xBD49, 0xBD63, prLVT}, // Lo [27] HANGUL SYLLABLE BOEG..HANGUL SYLLABLE BOEH + {0xBD64, 0xBD64, prLV}, // Lo HANGUL SYLLABLE BYO + {0xBD65, 0xBD7F, prLVT}, // Lo [27] HANGUL SYLLABLE BYOG..HANGUL SYLLABLE BYOH + {0xBD80, 0xBD80, prLV}, // Lo HANGUL SYLLABLE BU + {0xBD81, 0xBD9B, prLVT}, // Lo [27] HANGUL SYLLABLE BUG..HANGUL SYLLABLE BUH + {0xBD9C, 0xBD9C, prLV}, // Lo HANGUL SYLLABLE BWEO + {0xBD9D, 0xBDB7, prLVT}, // Lo [27] HANGUL SYLLABLE BWEOG..HANGUL SYLLABLE BWEOH + {0xBDB8, 0xBDB8, prLV}, // Lo HANGUL SYLLABLE BWE + {0xBDB9, 0xBDD3, prLVT}, // Lo [27] HANGUL SYLLABLE BWEG..HANGUL SYLLABLE BWEH + {0xBDD4, 0xBDD4, prLV}, // Lo HANGUL SYLLABLE BWI + {0xBDD5, 0xBDEF, prLVT}, // Lo [27] HANGUL SYLLABLE BWIG..HANGUL SYLLABLE BWIH + {0xBDF0, 0xBDF0, prLV}, // Lo HANGUL SYLLABLE BYU + {0xBDF1, 0xBE0B, prLVT}, // Lo [27] HANGUL SYLLABLE BYUG..HANGUL SYLLABLE BYUH + {0xBE0C, 0xBE0C, prLV}, // Lo HANGUL SYLLABLE BEU + {0xBE0D, 0xBE27, prLVT}, // Lo [27] HANGUL SYLLABLE BEUG..HANGUL SYLLABLE BEUH + {0xBE28, 0xBE28, prLV}, // Lo HANGUL SYLLABLE BYI + {0xBE29, 0xBE43, prLVT}, // Lo [27] HANGUL SYLLABLE BYIG..HANGUL SYLLABLE BYIH + {0xBE44, 0xBE44, prLV}, // Lo HANGUL SYLLABLE BI + {0xBE45, 0xBE5F, prLVT}, // Lo [27] HANGUL SYLLABLE BIG..HANGUL SYLLABLE BIH + {0xBE60, 0xBE60, prLV}, // Lo HANGUL SYLLABLE BBA + {0xBE61, 0xBE7B, prLVT}, // Lo [27] HANGUL SYLLABLE BBAG..HANGUL SYLLABLE BBAH + {0xBE7C, 0xBE7C, prLV}, // Lo HANGUL SYLLABLE BBAE + {0xBE7D, 0xBE97, prLVT}, // Lo [27] HANGUL SYLLABLE BBAEG..HANGUL SYLLABLE BBAEH + {0xBE98, 0xBE98, prLV}, // Lo HANGUL SYLLABLE BBYA + {0xBE99, 0xBEB3, prLVT}, // Lo [27] HANGUL SYLLABLE BBYAG..HANGUL SYLLABLE BBYAH + {0xBEB4, 0xBEB4, prLV}, // Lo HANGUL SYLLABLE BBYAE + {0xBEB5, 0xBECF, prLVT}, // Lo [27] HANGUL SYLLABLE BBYAEG..HANGUL SYLLABLE BBYAEH + {0xBED0, 0xBED0, prLV}, // Lo HANGUL SYLLABLE BBEO + {0xBED1, 0xBEEB, prLVT}, // Lo [27] HANGUL SYLLABLE BBEOG..HANGUL SYLLABLE BBEOH + {0xBEEC, 0xBEEC, prLV}, // Lo HANGUL SYLLABLE BBE + {0xBEED, 0xBF07, prLVT}, // Lo [27] HANGUL SYLLABLE BBEG..HANGUL SYLLABLE BBEH + {0xBF08, 0xBF08, prLV}, // Lo HANGUL SYLLABLE BBYEO + {0xBF09, 0xBF23, prLVT}, // Lo [27] HANGUL SYLLABLE BBYEOG..HANGUL SYLLABLE BBYEOH + {0xBF24, 0xBF24, prLV}, // Lo HANGUL SYLLABLE BBYE + {0xBF25, 0xBF3F, prLVT}, // Lo [27] HANGUL SYLLABLE BBYEG..HANGUL SYLLABLE BBYEH + {0xBF40, 0xBF40, prLV}, // Lo HANGUL SYLLABLE BBO + {0xBF41, 0xBF5B, prLVT}, // Lo [27] HANGUL SYLLABLE BBOG..HANGUL SYLLABLE BBOH + {0xBF5C, 0xBF5C, prLV}, // Lo HANGUL SYLLABLE BBWA + {0xBF5D, 0xBF77, prLVT}, // Lo [27] HANGUL SYLLABLE BBWAG..HANGUL SYLLABLE BBWAH + {0xBF78, 0xBF78, prLV}, // Lo HANGUL SYLLABLE BBWAE + {0xBF79, 0xBF93, prLVT}, // Lo [27] HANGUL SYLLABLE BBWAEG..HANGUL SYLLABLE BBWAEH + {0xBF94, 0xBF94, prLV}, // Lo HANGUL SYLLABLE BBOE + {0xBF95, 0xBFAF, prLVT}, // Lo [27] HANGUL SYLLABLE BBOEG..HANGUL SYLLABLE BBOEH + {0xBFB0, 0xBFB0, prLV}, // Lo HANGUL SYLLABLE BBYO + {0xBFB1, 0xBFCB, prLVT}, // Lo [27] HANGUL SYLLABLE BBYOG..HANGUL SYLLABLE BBYOH + {0xBFCC, 0xBFCC, prLV}, // Lo HANGUL SYLLABLE BBU + {0xBFCD, 0xBFE7, prLVT}, // Lo [27] HANGUL SYLLABLE BBUG..HANGUL SYLLABLE BBUH + {0xBFE8, 0xBFE8, prLV}, // Lo HANGUL SYLLABLE BBWEO + {0xBFE9, 0xC003, prLVT}, // Lo [27] HANGUL SYLLABLE BBWEOG..HANGUL SYLLABLE BBWEOH + {0xC004, 0xC004, prLV}, // Lo HANGUL SYLLABLE BBWE + {0xC005, 0xC01F, prLVT}, // Lo [27] HANGUL SYLLABLE BBWEG..HANGUL SYLLABLE BBWEH + {0xC020, 0xC020, prLV}, // Lo HANGUL SYLLABLE BBWI + {0xC021, 0xC03B, prLVT}, // Lo [27] HANGUL SYLLABLE BBWIG..HANGUL SYLLABLE BBWIH + {0xC03C, 0xC03C, prLV}, // Lo HANGUL SYLLABLE BBYU + {0xC03D, 0xC057, prLVT}, // Lo [27] HANGUL SYLLABLE BBYUG..HANGUL SYLLABLE BBYUH + {0xC058, 0xC058, prLV}, // Lo HANGUL SYLLABLE BBEU + {0xC059, 0xC073, prLVT}, // Lo [27] HANGUL SYLLABLE BBEUG..HANGUL SYLLABLE BBEUH + {0xC074, 0xC074, prLV}, // Lo HANGUL SYLLABLE BBYI + {0xC075, 0xC08F, prLVT}, // Lo [27] HANGUL SYLLABLE BBYIG..HANGUL SYLLABLE BBYIH + {0xC090, 0xC090, prLV}, // Lo HANGUL SYLLABLE BBI + {0xC091, 0xC0AB, prLVT}, // Lo [27] HANGUL SYLLABLE BBIG..HANGUL SYLLABLE BBIH + {0xC0AC, 0xC0AC, prLV}, // Lo HANGUL SYLLABLE SA + {0xC0AD, 0xC0C7, prLVT}, // Lo [27] HANGUL SYLLABLE SAG..HANGUL SYLLABLE SAH + {0xC0C8, 0xC0C8, prLV}, // Lo HANGUL SYLLABLE SAE + {0xC0C9, 0xC0E3, prLVT}, // Lo [27] HANGUL SYLLABLE SAEG..HANGUL SYLLABLE SAEH + {0xC0E4, 0xC0E4, prLV}, // Lo HANGUL SYLLABLE SYA + {0xC0E5, 0xC0FF, prLVT}, // Lo [27] HANGUL SYLLABLE SYAG..HANGUL SYLLABLE SYAH + {0xC100, 0xC100, prLV}, // Lo HANGUL SYLLABLE SYAE + {0xC101, 0xC11B, prLVT}, // Lo [27] HANGUL SYLLABLE SYAEG..HANGUL SYLLABLE SYAEH + {0xC11C, 0xC11C, prLV}, // Lo HANGUL SYLLABLE SEO + {0xC11D, 0xC137, prLVT}, // Lo [27] HANGUL SYLLABLE SEOG..HANGUL SYLLABLE SEOH + {0xC138, 0xC138, prLV}, // Lo HANGUL SYLLABLE SE + {0xC139, 0xC153, prLVT}, // Lo [27] HANGUL SYLLABLE SEG..HANGUL SYLLABLE SEH + {0xC154, 0xC154, prLV}, // Lo HANGUL SYLLABLE SYEO + {0xC155, 0xC16F, prLVT}, // Lo [27] HANGUL SYLLABLE SYEOG..HANGUL SYLLABLE SYEOH + {0xC170, 0xC170, prLV}, // Lo HANGUL SYLLABLE SYE + {0xC171, 0xC18B, prLVT}, // Lo [27] HANGUL SYLLABLE SYEG..HANGUL SYLLABLE SYEH + {0xC18C, 0xC18C, prLV}, // Lo HANGUL SYLLABLE SO + {0xC18D, 0xC1A7, prLVT}, // Lo [27] HANGUL SYLLABLE SOG..HANGUL SYLLABLE SOH + {0xC1A8, 0xC1A8, prLV}, // Lo HANGUL SYLLABLE SWA + {0xC1A9, 0xC1C3, prLVT}, // Lo [27] HANGUL SYLLABLE SWAG..HANGUL SYLLABLE SWAH + {0xC1C4, 0xC1C4, prLV}, // Lo HANGUL SYLLABLE SWAE + {0xC1C5, 0xC1DF, prLVT}, // Lo [27] HANGUL SYLLABLE SWAEG..HANGUL SYLLABLE SWAEH + {0xC1E0, 0xC1E0, prLV}, // Lo HANGUL SYLLABLE SOE + {0xC1E1, 0xC1FB, prLVT}, // Lo [27] HANGUL SYLLABLE SOEG..HANGUL SYLLABLE SOEH + {0xC1FC, 0xC1FC, prLV}, // Lo HANGUL SYLLABLE SYO + {0xC1FD, 0xC217, prLVT}, // Lo [27] HANGUL SYLLABLE SYOG..HANGUL SYLLABLE SYOH + {0xC218, 0xC218, prLV}, // Lo HANGUL SYLLABLE SU + {0xC219, 0xC233, prLVT}, // Lo [27] HANGUL SYLLABLE SUG..HANGUL SYLLABLE SUH + {0xC234, 0xC234, prLV}, // Lo HANGUL SYLLABLE SWEO + {0xC235, 0xC24F, prLVT}, // Lo [27] HANGUL SYLLABLE SWEOG..HANGUL SYLLABLE SWEOH + {0xC250, 0xC250, prLV}, // Lo HANGUL SYLLABLE SWE + {0xC251, 0xC26B, prLVT}, // Lo [27] HANGUL SYLLABLE SWEG..HANGUL SYLLABLE SWEH + {0xC26C, 0xC26C, prLV}, // Lo HANGUL SYLLABLE SWI + {0xC26D, 0xC287, prLVT}, // Lo [27] HANGUL SYLLABLE SWIG..HANGUL SYLLABLE SWIH + {0xC288, 0xC288, prLV}, // Lo HANGUL SYLLABLE SYU + {0xC289, 0xC2A3, prLVT}, // Lo [27] HANGUL SYLLABLE SYUG..HANGUL SYLLABLE SYUH + {0xC2A4, 0xC2A4, prLV}, // Lo HANGUL SYLLABLE SEU + {0xC2A5, 0xC2BF, prLVT}, // Lo [27] HANGUL SYLLABLE SEUG..HANGUL SYLLABLE SEUH + {0xC2C0, 0xC2C0, prLV}, // Lo HANGUL SYLLABLE SYI + {0xC2C1, 0xC2DB, prLVT}, // Lo [27] HANGUL SYLLABLE SYIG..HANGUL SYLLABLE SYIH + {0xC2DC, 0xC2DC, prLV}, // Lo HANGUL SYLLABLE SI + {0xC2DD, 0xC2F7, prLVT}, // Lo [27] HANGUL SYLLABLE SIG..HANGUL SYLLABLE SIH + {0xC2F8, 0xC2F8, prLV}, // Lo HANGUL SYLLABLE SSA + {0xC2F9, 0xC313, prLVT}, // Lo [27] HANGUL SYLLABLE SSAG..HANGUL SYLLABLE SSAH + {0xC314, 0xC314, prLV}, // Lo HANGUL SYLLABLE SSAE + {0xC315, 0xC32F, prLVT}, // Lo [27] HANGUL SYLLABLE SSAEG..HANGUL SYLLABLE SSAEH + {0xC330, 0xC330, prLV}, // Lo HANGUL SYLLABLE SSYA + {0xC331, 0xC34B, prLVT}, // Lo [27] HANGUL SYLLABLE SSYAG..HANGUL SYLLABLE SSYAH + {0xC34C, 0xC34C, prLV}, // Lo HANGUL SYLLABLE SSYAE + {0xC34D, 0xC367, prLVT}, // Lo [27] HANGUL SYLLABLE SSYAEG..HANGUL SYLLABLE SSYAEH + {0xC368, 0xC368, prLV}, // Lo HANGUL SYLLABLE SSEO + {0xC369, 0xC383, prLVT}, // Lo [27] HANGUL SYLLABLE SSEOG..HANGUL SYLLABLE SSEOH + {0xC384, 0xC384, prLV}, // Lo HANGUL SYLLABLE SSE + {0xC385, 0xC39F, prLVT}, // Lo [27] HANGUL SYLLABLE SSEG..HANGUL SYLLABLE SSEH + {0xC3A0, 0xC3A0, prLV}, // Lo HANGUL SYLLABLE SSYEO + {0xC3A1, 0xC3BB, prLVT}, // Lo [27] HANGUL SYLLABLE SSYEOG..HANGUL SYLLABLE SSYEOH + {0xC3BC, 0xC3BC, prLV}, // Lo HANGUL SYLLABLE SSYE + {0xC3BD, 0xC3D7, prLVT}, // Lo [27] HANGUL SYLLABLE SSYEG..HANGUL SYLLABLE SSYEH + {0xC3D8, 0xC3D8, prLV}, // Lo HANGUL SYLLABLE SSO + {0xC3D9, 0xC3F3, prLVT}, // Lo [27] HANGUL SYLLABLE SSOG..HANGUL SYLLABLE SSOH + {0xC3F4, 0xC3F4, prLV}, // Lo HANGUL SYLLABLE SSWA + {0xC3F5, 0xC40F, prLVT}, // Lo [27] HANGUL SYLLABLE SSWAG..HANGUL SYLLABLE SSWAH + {0xC410, 0xC410, prLV}, // Lo HANGUL SYLLABLE SSWAE + {0xC411, 0xC42B, prLVT}, // Lo [27] HANGUL SYLLABLE SSWAEG..HANGUL SYLLABLE SSWAEH + {0xC42C, 0xC42C, prLV}, // Lo HANGUL SYLLABLE SSOE + {0xC42D, 0xC447, prLVT}, // Lo [27] HANGUL SYLLABLE SSOEG..HANGUL SYLLABLE SSOEH + {0xC448, 0xC448, prLV}, // Lo HANGUL SYLLABLE SSYO + {0xC449, 0xC463, prLVT}, // Lo [27] HANGUL SYLLABLE SSYOG..HANGUL SYLLABLE SSYOH + {0xC464, 0xC464, prLV}, // Lo HANGUL SYLLABLE SSU + {0xC465, 0xC47F, prLVT}, // Lo [27] HANGUL SYLLABLE SSUG..HANGUL SYLLABLE SSUH + {0xC480, 0xC480, prLV}, // Lo HANGUL SYLLABLE SSWEO + {0xC481, 0xC49B, prLVT}, // Lo [27] HANGUL SYLLABLE SSWEOG..HANGUL SYLLABLE SSWEOH + {0xC49C, 0xC49C, prLV}, // Lo HANGUL SYLLABLE SSWE + {0xC49D, 0xC4B7, prLVT}, // Lo [27] HANGUL SYLLABLE SSWEG..HANGUL SYLLABLE SSWEH + {0xC4B8, 0xC4B8, prLV}, // Lo HANGUL SYLLABLE SSWI + {0xC4B9, 0xC4D3, prLVT}, // Lo [27] HANGUL SYLLABLE SSWIG..HANGUL SYLLABLE SSWIH + {0xC4D4, 0xC4D4, prLV}, // Lo HANGUL SYLLABLE SSYU + {0xC4D5, 0xC4EF, prLVT}, // Lo [27] HANGUL SYLLABLE SSYUG..HANGUL SYLLABLE SSYUH + {0xC4F0, 0xC4F0, prLV}, // Lo HANGUL SYLLABLE SSEU + {0xC4F1, 0xC50B, prLVT}, // Lo [27] HANGUL SYLLABLE SSEUG..HANGUL SYLLABLE SSEUH + {0xC50C, 0xC50C, prLV}, // Lo HANGUL SYLLABLE SSYI + {0xC50D, 0xC527, prLVT}, // Lo [27] HANGUL SYLLABLE SSYIG..HANGUL SYLLABLE SSYIH + {0xC528, 0xC528, prLV}, // Lo HANGUL SYLLABLE SSI + {0xC529, 0xC543, prLVT}, // Lo [27] HANGUL SYLLABLE SSIG..HANGUL SYLLABLE SSIH + {0xC544, 0xC544, prLV}, // Lo HANGUL SYLLABLE A + {0xC545, 0xC55F, prLVT}, // Lo [27] HANGUL SYLLABLE AG..HANGUL SYLLABLE AH + {0xC560, 0xC560, prLV}, // Lo HANGUL SYLLABLE AE + {0xC561, 0xC57B, prLVT}, // Lo [27] HANGUL SYLLABLE AEG..HANGUL SYLLABLE AEH + {0xC57C, 0xC57C, prLV}, // Lo HANGUL SYLLABLE YA + {0xC57D, 0xC597, prLVT}, // Lo [27] HANGUL SYLLABLE YAG..HANGUL SYLLABLE YAH + {0xC598, 0xC598, prLV}, // Lo HANGUL SYLLABLE YAE + {0xC599, 0xC5B3, prLVT}, // Lo [27] HANGUL SYLLABLE YAEG..HANGUL SYLLABLE YAEH + {0xC5B4, 0xC5B4, prLV}, // Lo HANGUL SYLLABLE EO + {0xC5B5, 0xC5CF, prLVT}, // Lo [27] HANGUL SYLLABLE EOG..HANGUL SYLLABLE EOH + {0xC5D0, 0xC5D0, prLV}, // Lo HANGUL SYLLABLE E + {0xC5D1, 0xC5EB, prLVT}, // Lo [27] HANGUL SYLLABLE EG..HANGUL SYLLABLE EH + {0xC5EC, 0xC5EC, prLV}, // Lo HANGUL SYLLABLE YEO + {0xC5ED, 0xC607, prLVT}, // Lo [27] HANGUL SYLLABLE YEOG..HANGUL SYLLABLE YEOH + {0xC608, 0xC608, prLV}, // Lo HANGUL SYLLABLE YE + {0xC609, 0xC623, prLVT}, // Lo [27] HANGUL SYLLABLE YEG..HANGUL SYLLABLE YEH + {0xC624, 0xC624, prLV}, // Lo HANGUL SYLLABLE O + {0xC625, 0xC63F, prLVT}, // Lo [27] HANGUL SYLLABLE OG..HANGUL SYLLABLE OH + {0xC640, 0xC640, prLV}, // Lo HANGUL SYLLABLE WA + {0xC641, 0xC65B, prLVT}, // Lo [27] HANGUL SYLLABLE WAG..HANGUL SYLLABLE WAH + {0xC65C, 0xC65C, prLV}, // Lo HANGUL SYLLABLE WAE + {0xC65D, 0xC677, prLVT}, // Lo [27] HANGUL SYLLABLE WAEG..HANGUL SYLLABLE WAEH + {0xC678, 0xC678, prLV}, // Lo HANGUL SYLLABLE OE + {0xC679, 0xC693, prLVT}, // Lo [27] HANGUL SYLLABLE OEG..HANGUL SYLLABLE OEH + {0xC694, 0xC694, prLV}, // Lo HANGUL SYLLABLE YO + {0xC695, 0xC6AF, prLVT}, // Lo [27] HANGUL SYLLABLE YOG..HANGUL SYLLABLE YOH + {0xC6B0, 0xC6B0, prLV}, // Lo HANGUL SYLLABLE U + {0xC6B1, 0xC6CB, prLVT}, // Lo [27] HANGUL SYLLABLE UG..HANGUL SYLLABLE UH + {0xC6CC, 0xC6CC, prLV}, // Lo HANGUL SYLLABLE WEO + {0xC6CD, 0xC6E7, prLVT}, // Lo [27] HANGUL SYLLABLE WEOG..HANGUL SYLLABLE WEOH + {0xC6E8, 0xC6E8, prLV}, // Lo HANGUL SYLLABLE WE + {0xC6E9, 0xC703, prLVT}, // Lo [27] HANGUL SYLLABLE WEG..HANGUL SYLLABLE WEH + {0xC704, 0xC704, prLV}, // Lo HANGUL SYLLABLE WI + {0xC705, 0xC71F, prLVT}, // Lo [27] HANGUL SYLLABLE WIG..HANGUL SYLLABLE WIH + {0xC720, 0xC720, prLV}, // Lo HANGUL SYLLABLE YU + {0xC721, 0xC73B, prLVT}, // Lo [27] HANGUL SYLLABLE YUG..HANGUL SYLLABLE YUH + {0xC73C, 0xC73C, prLV}, // Lo HANGUL SYLLABLE EU + {0xC73D, 0xC757, prLVT}, // Lo [27] HANGUL SYLLABLE EUG..HANGUL SYLLABLE EUH + {0xC758, 0xC758, prLV}, // Lo HANGUL SYLLABLE YI + {0xC759, 0xC773, prLVT}, // Lo [27] HANGUL SYLLABLE YIG..HANGUL SYLLABLE YIH + {0xC774, 0xC774, prLV}, // Lo HANGUL SYLLABLE I + {0xC775, 0xC78F, prLVT}, // Lo [27] HANGUL SYLLABLE IG..HANGUL SYLLABLE IH + {0xC790, 0xC790, prLV}, // Lo HANGUL SYLLABLE JA + {0xC791, 0xC7AB, prLVT}, // Lo [27] HANGUL SYLLABLE JAG..HANGUL SYLLABLE JAH + {0xC7AC, 0xC7AC, prLV}, // Lo HANGUL SYLLABLE JAE + {0xC7AD, 0xC7C7, prLVT}, // Lo [27] HANGUL SYLLABLE JAEG..HANGUL SYLLABLE JAEH + {0xC7C8, 0xC7C8, prLV}, // Lo HANGUL SYLLABLE JYA + {0xC7C9, 0xC7E3, prLVT}, // Lo [27] HANGUL SYLLABLE JYAG..HANGUL SYLLABLE JYAH + {0xC7E4, 0xC7E4, prLV}, // Lo HANGUL SYLLABLE JYAE + {0xC7E5, 0xC7FF, prLVT}, // Lo [27] HANGUL SYLLABLE JYAEG..HANGUL SYLLABLE JYAEH + {0xC800, 0xC800, prLV}, // Lo HANGUL SYLLABLE JEO + {0xC801, 0xC81B, prLVT}, // Lo [27] HANGUL SYLLABLE JEOG..HANGUL SYLLABLE JEOH + {0xC81C, 0xC81C, prLV}, // Lo HANGUL SYLLABLE JE + {0xC81D, 0xC837, prLVT}, // Lo [27] HANGUL SYLLABLE JEG..HANGUL SYLLABLE JEH + {0xC838, 0xC838, prLV}, // Lo HANGUL SYLLABLE JYEO + {0xC839, 0xC853, prLVT}, // Lo [27] HANGUL SYLLABLE JYEOG..HANGUL SYLLABLE JYEOH + {0xC854, 0xC854, prLV}, // Lo HANGUL SYLLABLE JYE + {0xC855, 0xC86F, prLVT}, // Lo [27] HANGUL SYLLABLE JYEG..HANGUL SYLLABLE JYEH + {0xC870, 0xC870, prLV}, // Lo HANGUL SYLLABLE JO + {0xC871, 0xC88B, prLVT}, // Lo [27] HANGUL SYLLABLE JOG..HANGUL SYLLABLE JOH + {0xC88C, 0xC88C, prLV}, // Lo HANGUL SYLLABLE JWA + {0xC88D, 0xC8A7, prLVT}, // Lo [27] HANGUL SYLLABLE JWAG..HANGUL SYLLABLE JWAH + {0xC8A8, 0xC8A8, prLV}, // Lo HANGUL SYLLABLE JWAE + {0xC8A9, 0xC8C3, prLVT}, // Lo [27] HANGUL SYLLABLE JWAEG..HANGUL SYLLABLE JWAEH + {0xC8C4, 0xC8C4, prLV}, // Lo HANGUL SYLLABLE JOE + {0xC8C5, 0xC8DF, prLVT}, // Lo [27] HANGUL SYLLABLE JOEG..HANGUL SYLLABLE JOEH + {0xC8E0, 0xC8E0, prLV}, // Lo HANGUL SYLLABLE JYO + {0xC8E1, 0xC8FB, prLVT}, // Lo [27] HANGUL SYLLABLE JYOG..HANGUL SYLLABLE JYOH + {0xC8FC, 0xC8FC, prLV}, // Lo HANGUL SYLLABLE JU + {0xC8FD, 0xC917, prLVT}, // Lo [27] HANGUL SYLLABLE JUG..HANGUL SYLLABLE JUH + {0xC918, 0xC918, prLV}, // Lo HANGUL SYLLABLE JWEO + {0xC919, 0xC933, prLVT}, // Lo [27] HANGUL SYLLABLE JWEOG..HANGUL SYLLABLE JWEOH + {0xC934, 0xC934, prLV}, // Lo HANGUL SYLLABLE JWE + {0xC935, 0xC94F, prLVT}, // Lo [27] HANGUL SYLLABLE JWEG..HANGUL SYLLABLE JWEH + {0xC950, 0xC950, prLV}, // Lo HANGUL SYLLABLE JWI + {0xC951, 0xC96B, prLVT}, // Lo [27] HANGUL SYLLABLE JWIG..HANGUL SYLLABLE JWIH + {0xC96C, 0xC96C, prLV}, // Lo HANGUL SYLLABLE JYU + {0xC96D, 0xC987, prLVT}, // Lo [27] HANGUL SYLLABLE JYUG..HANGUL SYLLABLE JYUH + {0xC988, 0xC988, prLV}, // Lo HANGUL SYLLABLE JEU + {0xC989, 0xC9A3, prLVT}, // Lo [27] HANGUL SYLLABLE JEUG..HANGUL SYLLABLE JEUH + {0xC9A4, 0xC9A4, prLV}, // Lo HANGUL SYLLABLE JYI + {0xC9A5, 0xC9BF, prLVT}, // Lo [27] HANGUL SYLLABLE JYIG..HANGUL SYLLABLE JYIH + {0xC9C0, 0xC9C0, prLV}, // Lo HANGUL SYLLABLE JI + {0xC9C1, 0xC9DB, prLVT}, // Lo [27] HANGUL SYLLABLE JIG..HANGUL SYLLABLE JIH + {0xC9DC, 0xC9DC, prLV}, // Lo HANGUL SYLLABLE JJA + {0xC9DD, 0xC9F7, prLVT}, // Lo [27] HANGUL SYLLABLE JJAG..HANGUL SYLLABLE JJAH + {0xC9F8, 0xC9F8, prLV}, // Lo HANGUL SYLLABLE JJAE + {0xC9F9, 0xCA13, prLVT}, // Lo [27] HANGUL SYLLABLE JJAEG..HANGUL SYLLABLE JJAEH + {0xCA14, 0xCA14, prLV}, // Lo HANGUL SYLLABLE JJYA + {0xCA15, 0xCA2F, prLVT}, // Lo [27] HANGUL SYLLABLE JJYAG..HANGUL SYLLABLE JJYAH + {0xCA30, 0xCA30, prLV}, // Lo HANGUL SYLLABLE JJYAE + {0xCA31, 0xCA4B, prLVT}, // Lo [27] HANGUL SYLLABLE JJYAEG..HANGUL SYLLABLE JJYAEH + {0xCA4C, 0xCA4C, prLV}, // Lo HANGUL SYLLABLE JJEO + {0xCA4D, 0xCA67, prLVT}, // Lo [27] HANGUL SYLLABLE JJEOG..HANGUL SYLLABLE JJEOH + {0xCA68, 0xCA68, prLV}, // Lo HANGUL SYLLABLE JJE + {0xCA69, 0xCA83, prLVT}, // Lo [27] HANGUL SYLLABLE JJEG..HANGUL SYLLABLE JJEH + {0xCA84, 0xCA84, prLV}, // Lo HANGUL SYLLABLE JJYEO + {0xCA85, 0xCA9F, prLVT}, // Lo [27] HANGUL SYLLABLE JJYEOG..HANGUL SYLLABLE JJYEOH + {0xCAA0, 0xCAA0, prLV}, // Lo HANGUL SYLLABLE JJYE + {0xCAA1, 0xCABB, prLVT}, // Lo [27] HANGUL SYLLABLE JJYEG..HANGUL SYLLABLE JJYEH + {0xCABC, 0xCABC, prLV}, // Lo HANGUL SYLLABLE JJO + {0xCABD, 0xCAD7, prLVT}, // Lo [27] HANGUL SYLLABLE JJOG..HANGUL SYLLABLE JJOH + {0xCAD8, 0xCAD8, prLV}, // Lo HANGUL SYLLABLE JJWA + {0xCAD9, 0xCAF3, prLVT}, // Lo [27] HANGUL SYLLABLE JJWAG..HANGUL SYLLABLE JJWAH + {0xCAF4, 0xCAF4, prLV}, // Lo HANGUL SYLLABLE JJWAE + {0xCAF5, 0xCB0F, prLVT}, // Lo [27] HANGUL SYLLABLE JJWAEG..HANGUL SYLLABLE JJWAEH + {0xCB10, 0xCB10, prLV}, // Lo HANGUL SYLLABLE JJOE + {0xCB11, 0xCB2B, prLVT}, // Lo [27] HANGUL SYLLABLE JJOEG..HANGUL SYLLABLE JJOEH + {0xCB2C, 0xCB2C, prLV}, // Lo HANGUL SYLLABLE JJYO + {0xCB2D, 0xCB47, prLVT}, // Lo [27] HANGUL SYLLABLE JJYOG..HANGUL SYLLABLE JJYOH + {0xCB48, 0xCB48, prLV}, // Lo HANGUL SYLLABLE JJU + {0xCB49, 0xCB63, prLVT}, // Lo [27] HANGUL SYLLABLE JJUG..HANGUL SYLLABLE JJUH + {0xCB64, 0xCB64, prLV}, // Lo HANGUL SYLLABLE JJWEO + {0xCB65, 0xCB7F, prLVT}, // Lo [27] HANGUL SYLLABLE JJWEOG..HANGUL SYLLABLE JJWEOH + {0xCB80, 0xCB80, prLV}, // Lo HANGUL SYLLABLE JJWE + {0xCB81, 0xCB9B, prLVT}, // Lo [27] HANGUL SYLLABLE JJWEG..HANGUL SYLLABLE JJWEH + {0xCB9C, 0xCB9C, prLV}, // Lo HANGUL SYLLABLE JJWI + {0xCB9D, 0xCBB7, prLVT}, // Lo [27] HANGUL SYLLABLE JJWIG..HANGUL SYLLABLE JJWIH + {0xCBB8, 0xCBB8, prLV}, // Lo HANGUL SYLLABLE JJYU + {0xCBB9, 0xCBD3, prLVT}, // Lo [27] HANGUL SYLLABLE JJYUG..HANGUL SYLLABLE JJYUH + {0xCBD4, 0xCBD4, prLV}, // Lo HANGUL SYLLABLE JJEU + {0xCBD5, 0xCBEF, prLVT}, // Lo [27] HANGUL SYLLABLE JJEUG..HANGUL SYLLABLE JJEUH + {0xCBF0, 0xCBF0, prLV}, // Lo HANGUL SYLLABLE JJYI + {0xCBF1, 0xCC0B, prLVT}, // Lo [27] HANGUL SYLLABLE JJYIG..HANGUL SYLLABLE JJYIH + {0xCC0C, 0xCC0C, prLV}, // Lo HANGUL SYLLABLE JJI + {0xCC0D, 0xCC27, prLVT}, // Lo [27] HANGUL SYLLABLE JJIG..HANGUL SYLLABLE JJIH + {0xCC28, 0xCC28, prLV}, // Lo HANGUL SYLLABLE CA + {0xCC29, 0xCC43, prLVT}, // Lo [27] HANGUL SYLLABLE CAG..HANGUL SYLLABLE CAH + {0xCC44, 0xCC44, prLV}, // Lo HANGUL SYLLABLE CAE + {0xCC45, 0xCC5F, prLVT}, // Lo [27] HANGUL SYLLABLE CAEG..HANGUL SYLLABLE CAEH + {0xCC60, 0xCC60, prLV}, // Lo HANGUL SYLLABLE CYA + {0xCC61, 0xCC7B, prLVT}, // Lo [27] HANGUL SYLLABLE CYAG..HANGUL SYLLABLE CYAH + {0xCC7C, 0xCC7C, prLV}, // Lo HANGUL SYLLABLE CYAE + {0xCC7D, 0xCC97, prLVT}, // Lo [27] HANGUL SYLLABLE CYAEG..HANGUL SYLLABLE CYAEH + {0xCC98, 0xCC98, prLV}, // Lo HANGUL SYLLABLE CEO + {0xCC99, 0xCCB3, prLVT}, // Lo [27] HANGUL SYLLABLE CEOG..HANGUL SYLLABLE CEOH + {0xCCB4, 0xCCB4, prLV}, // Lo HANGUL SYLLABLE CE + {0xCCB5, 0xCCCF, prLVT}, // Lo [27] HANGUL SYLLABLE CEG..HANGUL SYLLABLE CEH + {0xCCD0, 0xCCD0, prLV}, // Lo HANGUL SYLLABLE CYEO + {0xCCD1, 0xCCEB, prLVT}, // Lo [27] HANGUL SYLLABLE CYEOG..HANGUL SYLLABLE CYEOH + {0xCCEC, 0xCCEC, prLV}, // Lo HANGUL SYLLABLE CYE + {0xCCED, 0xCD07, prLVT}, // Lo [27] HANGUL SYLLABLE CYEG..HANGUL SYLLABLE CYEH + {0xCD08, 0xCD08, prLV}, // Lo HANGUL SYLLABLE CO + {0xCD09, 0xCD23, prLVT}, // Lo [27] HANGUL SYLLABLE COG..HANGUL SYLLABLE COH + {0xCD24, 0xCD24, prLV}, // Lo HANGUL SYLLABLE CWA + {0xCD25, 0xCD3F, prLVT}, // Lo [27] HANGUL SYLLABLE CWAG..HANGUL SYLLABLE CWAH + {0xCD40, 0xCD40, prLV}, // Lo HANGUL SYLLABLE CWAE + {0xCD41, 0xCD5B, prLVT}, // Lo [27] HANGUL SYLLABLE CWAEG..HANGUL SYLLABLE CWAEH + {0xCD5C, 0xCD5C, prLV}, // Lo HANGUL SYLLABLE COE + {0xCD5D, 0xCD77, prLVT}, // Lo [27] HANGUL SYLLABLE COEG..HANGUL SYLLABLE COEH + {0xCD78, 0xCD78, prLV}, // Lo HANGUL SYLLABLE CYO + {0xCD79, 0xCD93, prLVT}, // Lo [27] HANGUL SYLLABLE CYOG..HANGUL SYLLABLE CYOH + {0xCD94, 0xCD94, prLV}, // Lo HANGUL SYLLABLE CU + {0xCD95, 0xCDAF, prLVT}, // Lo [27] HANGUL SYLLABLE CUG..HANGUL SYLLABLE CUH + {0xCDB0, 0xCDB0, prLV}, // Lo HANGUL SYLLABLE CWEO + {0xCDB1, 0xCDCB, prLVT}, // Lo [27] HANGUL SYLLABLE CWEOG..HANGUL SYLLABLE CWEOH + {0xCDCC, 0xCDCC, prLV}, // Lo HANGUL SYLLABLE CWE + {0xCDCD, 0xCDE7, prLVT}, // Lo [27] HANGUL SYLLABLE CWEG..HANGUL SYLLABLE CWEH + {0xCDE8, 0xCDE8, prLV}, // Lo HANGUL SYLLABLE CWI + {0xCDE9, 0xCE03, prLVT}, // Lo [27] HANGUL SYLLABLE CWIG..HANGUL SYLLABLE CWIH + {0xCE04, 0xCE04, prLV}, // Lo HANGUL SYLLABLE CYU + {0xCE05, 0xCE1F, prLVT}, // Lo [27] HANGUL SYLLABLE CYUG..HANGUL SYLLABLE CYUH + {0xCE20, 0xCE20, prLV}, // Lo HANGUL SYLLABLE CEU + {0xCE21, 0xCE3B, prLVT}, // Lo [27] HANGUL SYLLABLE CEUG..HANGUL SYLLABLE CEUH + {0xCE3C, 0xCE3C, prLV}, // Lo HANGUL SYLLABLE CYI + {0xCE3D, 0xCE57, prLVT}, // Lo [27] HANGUL SYLLABLE CYIG..HANGUL SYLLABLE CYIH + {0xCE58, 0xCE58, prLV}, // Lo HANGUL SYLLABLE CI + {0xCE59, 0xCE73, prLVT}, // Lo [27] HANGUL SYLLABLE CIG..HANGUL SYLLABLE CIH + {0xCE74, 0xCE74, prLV}, // Lo HANGUL SYLLABLE KA + {0xCE75, 0xCE8F, prLVT}, // Lo [27] HANGUL SYLLABLE KAG..HANGUL SYLLABLE KAH + {0xCE90, 0xCE90, prLV}, // Lo HANGUL SYLLABLE KAE + {0xCE91, 0xCEAB, prLVT}, // Lo [27] HANGUL SYLLABLE KAEG..HANGUL SYLLABLE KAEH + {0xCEAC, 0xCEAC, prLV}, // Lo HANGUL SYLLABLE KYA + {0xCEAD, 0xCEC7, prLVT}, // Lo [27] HANGUL SYLLABLE KYAG..HANGUL SYLLABLE KYAH + {0xCEC8, 0xCEC8, prLV}, // Lo HANGUL SYLLABLE KYAE + {0xCEC9, 0xCEE3, prLVT}, // Lo [27] HANGUL SYLLABLE KYAEG..HANGUL SYLLABLE KYAEH + {0xCEE4, 0xCEE4, prLV}, // Lo HANGUL SYLLABLE KEO + {0xCEE5, 0xCEFF, prLVT}, // Lo [27] HANGUL SYLLABLE KEOG..HANGUL SYLLABLE KEOH + {0xCF00, 0xCF00, prLV}, // Lo HANGUL SYLLABLE KE + {0xCF01, 0xCF1B, prLVT}, // Lo [27] HANGUL SYLLABLE KEG..HANGUL SYLLABLE KEH + {0xCF1C, 0xCF1C, prLV}, // Lo HANGUL SYLLABLE KYEO + {0xCF1D, 0xCF37, prLVT}, // Lo [27] HANGUL SYLLABLE KYEOG..HANGUL SYLLABLE KYEOH + {0xCF38, 0xCF38, prLV}, // Lo HANGUL SYLLABLE KYE + {0xCF39, 0xCF53, prLVT}, // Lo [27] HANGUL SYLLABLE KYEG..HANGUL SYLLABLE KYEH + {0xCF54, 0xCF54, prLV}, // Lo HANGUL SYLLABLE KO + {0xCF55, 0xCF6F, prLVT}, // Lo [27] HANGUL SYLLABLE KOG..HANGUL SYLLABLE KOH + {0xCF70, 0xCF70, prLV}, // Lo HANGUL SYLLABLE KWA + {0xCF71, 0xCF8B, prLVT}, // Lo [27] HANGUL SYLLABLE KWAG..HANGUL SYLLABLE KWAH + {0xCF8C, 0xCF8C, prLV}, // Lo HANGUL SYLLABLE KWAE + {0xCF8D, 0xCFA7, prLVT}, // Lo [27] HANGUL SYLLABLE KWAEG..HANGUL SYLLABLE KWAEH + {0xCFA8, 0xCFA8, prLV}, // Lo HANGUL SYLLABLE KOE + {0xCFA9, 0xCFC3, prLVT}, // Lo [27] HANGUL SYLLABLE KOEG..HANGUL SYLLABLE KOEH + {0xCFC4, 0xCFC4, prLV}, // Lo HANGUL SYLLABLE KYO + {0xCFC5, 0xCFDF, prLVT}, // Lo [27] HANGUL SYLLABLE KYOG..HANGUL SYLLABLE KYOH + {0xCFE0, 0xCFE0, prLV}, // Lo HANGUL SYLLABLE KU + {0xCFE1, 0xCFFB, prLVT}, // Lo [27] HANGUL SYLLABLE KUG..HANGUL SYLLABLE KUH + {0xCFFC, 0xCFFC, prLV}, // Lo HANGUL SYLLABLE KWEO + {0xCFFD, 0xD017, prLVT}, // Lo [27] HANGUL SYLLABLE KWEOG..HANGUL SYLLABLE KWEOH + {0xD018, 0xD018, prLV}, // Lo HANGUL SYLLABLE KWE + {0xD019, 0xD033, prLVT}, // Lo [27] HANGUL SYLLABLE KWEG..HANGUL SYLLABLE KWEH + {0xD034, 0xD034, prLV}, // Lo HANGUL SYLLABLE KWI + {0xD035, 0xD04F, prLVT}, // Lo [27] HANGUL SYLLABLE KWIG..HANGUL SYLLABLE KWIH + {0xD050, 0xD050, prLV}, // Lo HANGUL SYLLABLE KYU + {0xD051, 0xD06B, prLVT}, // Lo [27] HANGUL SYLLABLE KYUG..HANGUL SYLLABLE KYUH + {0xD06C, 0xD06C, prLV}, // Lo HANGUL SYLLABLE KEU + {0xD06D, 0xD087, prLVT}, // Lo [27] HANGUL SYLLABLE KEUG..HANGUL SYLLABLE KEUH + {0xD088, 0xD088, prLV}, // Lo HANGUL SYLLABLE KYI + {0xD089, 0xD0A3, prLVT}, // Lo [27] HANGUL SYLLABLE KYIG..HANGUL SYLLABLE KYIH + {0xD0A4, 0xD0A4, prLV}, // Lo HANGUL SYLLABLE KI + {0xD0A5, 0xD0BF, prLVT}, // Lo [27] HANGUL SYLLABLE KIG..HANGUL SYLLABLE KIH + {0xD0C0, 0xD0C0, prLV}, // Lo HANGUL SYLLABLE TA + {0xD0C1, 0xD0DB, prLVT}, // Lo [27] HANGUL SYLLABLE TAG..HANGUL SYLLABLE TAH + {0xD0DC, 0xD0DC, prLV}, // Lo HANGUL SYLLABLE TAE + {0xD0DD, 0xD0F7, prLVT}, // Lo [27] HANGUL SYLLABLE TAEG..HANGUL SYLLABLE TAEH + {0xD0F8, 0xD0F8, prLV}, // Lo HANGUL SYLLABLE TYA + {0xD0F9, 0xD113, prLVT}, // Lo [27] HANGUL SYLLABLE TYAG..HANGUL SYLLABLE TYAH + {0xD114, 0xD114, prLV}, // Lo HANGUL SYLLABLE TYAE + {0xD115, 0xD12F, prLVT}, // Lo [27] HANGUL SYLLABLE TYAEG..HANGUL SYLLABLE TYAEH + {0xD130, 0xD130, prLV}, // Lo HANGUL SYLLABLE TEO + {0xD131, 0xD14B, prLVT}, // Lo [27] HANGUL SYLLABLE TEOG..HANGUL SYLLABLE TEOH + {0xD14C, 0xD14C, prLV}, // Lo HANGUL SYLLABLE TE + {0xD14D, 0xD167, prLVT}, // Lo [27] HANGUL SYLLABLE TEG..HANGUL SYLLABLE TEH + {0xD168, 0xD168, prLV}, // Lo HANGUL SYLLABLE TYEO + {0xD169, 0xD183, prLVT}, // Lo [27] HANGUL SYLLABLE TYEOG..HANGUL SYLLABLE TYEOH + {0xD184, 0xD184, prLV}, // Lo HANGUL SYLLABLE TYE + {0xD185, 0xD19F, prLVT}, // Lo [27] HANGUL SYLLABLE TYEG..HANGUL SYLLABLE TYEH + {0xD1A0, 0xD1A0, prLV}, // Lo HANGUL SYLLABLE TO + {0xD1A1, 0xD1BB, prLVT}, // Lo [27] HANGUL SYLLABLE TOG..HANGUL SYLLABLE TOH + {0xD1BC, 0xD1BC, prLV}, // Lo HANGUL SYLLABLE TWA + {0xD1BD, 0xD1D7, prLVT}, // Lo [27] HANGUL SYLLABLE TWAG..HANGUL SYLLABLE TWAH + {0xD1D8, 0xD1D8, prLV}, // Lo HANGUL SYLLABLE TWAE + {0xD1D9, 0xD1F3, prLVT}, // Lo [27] HANGUL SYLLABLE TWAEG..HANGUL SYLLABLE TWAEH + {0xD1F4, 0xD1F4, prLV}, // Lo HANGUL SYLLABLE TOE + {0xD1F5, 0xD20F, prLVT}, // Lo [27] HANGUL SYLLABLE TOEG..HANGUL SYLLABLE TOEH + {0xD210, 0xD210, prLV}, // Lo HANGUL SYLLABLE TYO + {0xD211, 0xD22B, prLVT}, // Lo [27] HANGUL SYLLABLE TYOG..HANGUL SYLLABLE TYOH + {0xD22C, 0xD22C, prLV}, // Lo HANGUL SYLLABLE TU + {0xD22D, 0xD247, prLVT}, // Lo [27] HANGUL SYLLABLE TUG..HANGUL SYLLABLE TUH + {0xD248, 0xD248, prLV}, // Lo HANGUL SYLLABLE TWEO + {0xD249, 0xD263, prLVT}, // Lo [27] HANGUL SYLLABLE TWEOG..HANGUL SYLLABLE TWEOH + {0xD264, 0xD264, prLV}, // Lo HANGUL SYLLABLE TWE + {0xD265, 0xD27F, prLVT}, // Lo [27] HANGUL SYLLABLE TWEG..HANGUL SYLLABLE TWEH + {0xD280, 0xD280, prLV}, // Lo HANGUL SYLLABLE TWI + {0xD281, 0xD29B, prLVT}, // Lo [27] HANGUL SYLLABLE TWIG..HANGUL SYLLABLE TWIH + {0xD29C, 0xD29C, prLV}, // Lo HANGUL SYLLABLE TYU + {0xD29D, 0xD2B7, prLVT}, // Lo [27] HANGUL SYLLABLE TYUG..HANGUL SYLLABLE TYUH + {0xD2B8, 0xD2B8, prLV}, // Lo HANGUL SYLLABLE TEU + {0xD2B9, 0xD2D3, prLVT}, // Lo [27] HANGUL SYLLABLE TEUG..HANGUL SYLLABLE TEUH + {0xD2D4, 0xD2D4, prLV}, // Lo HANGUL SYLLABLE TYI + {0xD2D5, 0xD2EF, prLVT}, // Lo [27] HANGUL SYLLABLE TYIG..HANGUL SYLLABLE TYIH + {0xD2F0, 0xD2F0, prLV}, // Lo HANGUL SYLLABLE TI + {0xD2F1, 0xD30B, prLVT}, // Lo [27] HANGUL SYLLABLE TIG..HANGUL SYLLABLE TIH + {0xD30C, 0xD30C, prLV}, // Lo HANGUL SYLLABLE PA + {0xD30D, 0xD327, prLVT}, // Lo [27] HANGUL SYLLABLE PAG..HANGUL SYLLABLE PAH + {0xD328, 0xD328, prLV}, // Lo HANGUL SYLLABLE PAE + {0xD329, 0xD343, prLVT}, // Lo [27] HANGUL SYLLABLE PAEG..HANGUL SYLLABLE PAEH + {0xD344, 0xD344, prLV}, // Lo HANGUL SYLLABLE PYA + {0xD345, 0xD35F, prLVT}, // Lo [27] HANGUL SYLLABLE PYAG..HANGUL SYLLABLE PYAH + {0xD360, 0xD360, prLV}, // Lo HANGUL SYLLABLE PYAE + {0xD361, 0xD37B, prLVT}, // Lo [27] HANGUL SYLLABLE PYAEG..HANGUL SYLLABLE PYAEH + {0xD37C, 0xD37C, prLV}, // Lo HANGUL SYLLABLE PEO + {0xD37D, 0xD397, prLVT}, // Lo [27] HANGUL SYLLABLE PEOG..HANGUL SYLLABLE PEOH + {0xD398, 0xD398, prLV}, // Lo HANGUL SYLLABLE PE + {0xD399, 0xD3B3, prLVT}, // Lo [27] HANGUL SYLLABLE PEG..HANGUL SYLLABLE PEH + {0xD3B4, 0xD3B4, prLV}, // Lo HANGUL SYLLABLE PYEO + {0xD3B5, 0xD3CF, prLVT}, // Lo [27] HANGUL SYLLABLE PYEOG..HANGUL SYLLABLE PYEOH + {0xD3D0, 0xD3D0, prLV}, // Lo HANGUL SYLLABLE PYE + {0xD3D1, 0xD3EB, prLVT}, // Lo [27] HANGUL SYLLABLE PYEG..HANGUL SYLLABLE PYEH + {0xD3EC, 0xD3EC, prLV}, // Lo HANGUL SYLLABLE PO + {0xD3ED, 0xD407, prLVT}, // Lo [27] HANGUL SYLLABLE POG..HANGUL SYLLABLE POH + {0xD408, 0xD408, prLV}, // Lo HANGUL SYLLABLE PWA + {0xD409, 0xD423, prLVT}, // Lo [27] HANGUL SYLLABLE PWAG..HANGUL SYLLABLE PWAH + {0xD424, 0xD424, prLV}, // Lo HANGUL SYLLABLE PWAE + {0xD425, 0xD43F, prLVT}, // Lo [27] HANGUL SYLLABLE PWAEG..HANGUL SYLLABLE PWAEH + {0xD440, 0xD440, prLV}, // Lo HANGUL SYLLABLE POE + {0xD441, 0xD45B, prLVT}, // Lo [27] HANGUL SYLLABLE POEG..HANGUL SYLLABLE POEH + {0xD45C, 0xD45C, prLV}, // Lo HANGUL SYLLABLE PYO + {0xD45D, 0xD477, prLVT}, // Lo [27] HANGUL SYLLABLE PYOG..HANGUL SYLLABLE PYOH + {0xD478, 0xD478, prLV}, // Lo HANGUL SYLLABLE PU + {0xD479, 0xD493, prLVT}, // Lo [27] HANGUL SYLLABLE PUG..HANGUL SYLLABLE PUH + {0xD494, 0xD494, prLV}, // Lo HANGUL SYLLABLE PWEO + {0xD495, 0xD4AF, prLVT}, // Lo [27] HANGUL SYLLABLE PWEOG..HANGUL SYLLABLE PWEOH + {0xD4B0, 0xD4B0, prLV}, // Lo HANGUL SYLLABLE PWE + {0xD4B1, 0xD4CB, prLVT}, // Lo [27] HANGUL SYLLABLE PWEG..HANGUL SYLLABLE PWEH + {0xD4CC, 0xD4CC, prLV}, // Lo HANGUL SYLLABLE PWI + {0xD4CD, 0xD4E7, prLVT}, // Lo [27] HANGUL SYLLABLE PWIG..HANGUL SYLLABLE PWIH + {0xD4E8, 0xD4E8, prLV}, // Lo HANGUL SYLLABLE PYU + {0xD4E9, 0xD503, prLVT}, // Lo [27] HANGUL SYLLABLE PYUG..HANGUL SYLLABLE PYUH + {0xD504, 0xD504, prLV}, // Lo HANGUL SYLLABLE PEU + {0xD505, 0xD51F, prLVT}, // Lo [27] HANGUL SYLLABLE PEUG..HANGUL SYLLABLE PEUH + {0xD520, 0xD520, prLV}, // Lo HANGUL SYLLABLE PYI + {0xD521, 0xD53B, prLVT}, // Lo [27] HANGUL SYLLABLE PYIG..HANGUL SYLLABLE PYIH + {0xD53C, 0xD53C, prLV}, // Lo HANGUL SYLLABLE PI + {0xD53D, 0xD557, prLVT}, // Lo [27] HANGUL SYLLABLE PIG..HANGUL SYLLABLE PIH + {0xD558, 0xD558, prLV}, // Lo HANGUL SYLLABLE HA + {0xD559, 0xD573, prLVT}, // Lo [27] HANGUL SYLLABLE HAG..HANGUL SYLLABLE HAH + {0xD574, 0xD574, prLV}, // Lo HANGUL SYLLABLE HAE + {0xD575, 0xD58F, prLVT}, // Lo [27] HANGUL SYLLABLE HAEG..HANGUL SYLLABLE HAEH + {0xD590, 0xD590, prLV}, // Lo HANGUL SYLLABLE HYA + {0xD591, 0xD5AB, prLVT}, // Lo [27] HANGUL SYLLABLE HYAG..HANGUL SYLLABLE HYAH + {0xD5AC, 0xD5AC, prLV}, // Lo HANGUL SYLLABLE HYAE + {0xD5AD, 0xD5C7, prLVT}, // Lo [27] HANGUL SYLLABLE HYAEG..HANGUL SYLLABLE HYAEH + {0xD5C8, 0xD5C8, prLV}, // Lo HANGUL SYLLABLE HEO + {0xD5C9, 0xD5E3, prLVT}, // Lo [27] HANGUL SYLLABLE HEOG..HANGUL SYLLABLE HEOH + {0xD5E4, 0xD5E4, prLV}, // Lo HANGUL SYLLABLE HE + {0xD5E5, 0xD5FF, prLVT}, // Lo [27] HANGUL SYLLABLE HEG..HANGUL SYLLABLE HEH + {0xD600, 0xD600, prLV}, // Lo HANGUL SYLLABLE HYEO + {0xD601, 0xD61B, prLVT}, // Lo [27] HANGUL SYLLABLE HYEOG..HANGUL SYLLABLE HYEOH + {0xD61C, 0xD61C, prLV}, // Lo HANGUL SYLLABLE HYE + {0xD61D, 0xD637, prLVT}, // Lo [27] HANGUL SYLLABLE HYEG..HANGUL SYLLABLE HYEH + {0xD638, 0xD638, prLV}, // Lo HANGUL SYLLABLE HO + {0xD639, 0xD653, prLVT}, // Lo [27] HANGUL SYLLABLE HOG..HANGUL SYLLABLE HOH + {0xD654, 0xD654, prLV}, // Lo HANGUL SYLLABLE HWA + {0xD655, 0xD66F, prLVT}, // Lo [27] HANGUL SYLLABLE HWAG..HANGUL SYLLABLE HWAH + {0xD670, 0xD670, prLV}, // Lo HANGUL SYLLABLE HWAE + {0xD671, 0xD68B, prLVT}, // Lo [27] HANGUL SYLLABLE HWAEG..HANGUL SYLLABLE HWAEH + {0xD68C, 0xD68C, prLV}, // Lo HANGUL SYLLABLE HOE + {0xD68D, 0xD6A7, prLVT}, // Lo [27] HANGUL SYLLABLE HOEG..HANGUL SYLLABLE HOEH + {0xD6A8, 0xD6A8, prLV}, // Lo HANGUL SYLLABLE HYO + {0xD6A9, 0xD6C3, prLVT}, // Lo [27] HANGUL SYLLABLE HYOG..HANGUL SYLLABLE HYOH + {0xD6C4, 0xD6C4, prLV}, // Lo HANGUL SYLLABLE HU + {0xD6C5, 0xD6DF, prLVT}, // Lo [27] HANGUL SYLLABLE HUG..HANGUL SYLLABLE HUH + {0xD6E0, 0xD6E0, prLV}, // Lo HANGUL SYLLABLE HWEO + {0xD6E1, 0xD6FB, prLVT}, // Lo [27] HANGUL SYLLABLE HWEOG..HANGUL SYLLABLE HWEOH + {0xD6FC, 0xD6FC, prLV}, // Lo HANGUL SYLLABLE HWE + {0xD6FD, 0xD717, prLVT}, // Lo [27] HANGUL SYLLABLE HWEG..HANGUL SYLLABLE HWEH + {0xD718, 0xD718, prLV}, // Lo HANGUL SYLLABLE HWI + {0xD719, 0xD733, prLVT}, // Lo [27] HANGUL SYLLABLE HWIG..HANGUL SYLLABLE HWIH + {0xD734, 0xD734, prLV}, // Lo HANGUL SYLLABLE HYU + {0xD735, 0xD74F, prLVT}, // Lo [27] HANGUL SYLLABLE HYUG..HANGUL SYLLABLE HYUH + {0xD750, 0xD750, prLV}, // Lo HANGUL SYLLABLE HEU + {0xD751, 0xD76B, prLVT}, // Lo [27] HANGUL SYLLABLE HEUG..HANGUL SYLLABLE HEUH + {0xD76C, 0xD76C, prLV}, // Lo HANGUL SYLLABLE HYI + {0xD76D, 0xD787, prLVT}, // Lo [27] HANGUL SYLLABLE HYIG..HANGUL SYLLABLE HYIH + {0xD788, 0xD788, prLV}, // Lo HANGUL SYLLABLE HI + {0xD789, 0xD7A3, prLVT}, // Lo [27] HANGUL SYLLABLE HIG..HANGUL SYLLABLE HIH + {0xD7B0, 0xD7C6, prV}, // Lo [23] HANGUL JUNGSEONG O-YEO..HANGUL JUNGSEONG ARAEA-E + {0xD7CB, 0xD7FB, prT}, // Lo [49] HANGUL JONGSEONG NIEUN-RIEUL..HANGUL JONGSEONG PHIEUPH-THIEUTH + {0xFB1E, 0xFB1E, prExtend}, // Mn HEBREW POINT JUDEO-SPANISH VARIKA + {0xFE00, 0xFE0F, prExtend}, // Mn [16] VARIATION SELECTOR-1..VARIATION SELECTOR-16 + {0xFE20, 0xFE2F, prExtend}, // Mn [16] COMBINING LIGATURE LEFT HALF..COMBINING CYRILLIC TITLO RIGHT HALF + {0xFEFF, 0xFEFF, prControl}, // Cf ZERO WIDTH NO-BREAK SPACE + {0xFF9E, 0xFF9F, prExtend}, // Lm [2] HALFWIDTH KATAKANA VOICED SOUND MARK..HALFWIDTH KATAKANA SEMI-VOICED SOUND MARK + {0xFFF0, 0xFFF8, prControl}, // Cn [9] .. + {0xFFF9, 0xFFFB, prControl}, // Cf [3] INTERLINEAR ANNOTATION ANCHOR..INTERLINEAR ANNOTATION TERMINATOR + {0x101FD, 0x101FD, prExtend}, // Mn PHAISTOS DISC SIGN COMBINING OBLIQUE STROKE + {0x102E0, 0x102E0, prExtend}, // Mn COPTIC EPACT THOUSANDS MARK + {0x10376, 0x1037A, prExtend}, // Mn [5] COMBINING OLD PERMIC LETTER AN..COMBINING OLD PERMIC LETTER SII + {0x10A01, 0x10A03, prExtend}, // Mn [3] KHAROSHTHI VOWEL SIGN I..KHAROSHTHI VOWEL SIGN VOCALIC R + {0x10A05, 0x10A06, prExtend}, // Mn [2] KHAROSHTHI VOWEL SIGN E..KHAROSHTHI VOWEL SIGN O + {0x10A0C, 0x10A0F, prExtend}, // Mn [4] KHAROSHTHI VOWEL LENGTH MARK..KHAROSHTHI SIGN VISARGA + {0x10A38, 0x10A3A, prExtend}, // Mn [3] KHAROSHTHI SIGN BAR ABOVE..KHAROSHTHI SIGN DOT BELOW + {0x10A3F, 0x10A3F, prExtend}, // Mn KHAROSHTHI VIRAMA + {0x10AE5, 0x10AE6, prExtend}, // Mn [2] MANICHAEAN ABBREVIATION MARK ABOVE..MANICHAEAN ABBREVIATION MARK BELOW + {0x10D24, 0x10D27, prExtend}, // Mn [4] HANIFI ROHINGYA SIGN HARBAHAY..HANIFI ROHINGYA SIGN TASSI + {0x10EAB, 0x10EAC, prExtend}, // Mn [2] YEZIDI COMBINING HAMZA MARK..YEZIDI COMBINING MADDA MARK + {0x10EFD, 0x10EFF, prExtend}, // Mn [3] ARABIC SMALL LOW WORD SAKTA..ARABIC SMALL LOW WORD MADDA + {0x10F46, 0x10F50, prExtend}, // Mn [11] SOGDIAN COMBINING DOT BELOW..SOGDIAN COMBINING STROKE BELOW + {0x10F82, 0x10F85, prExtend}, // Mn [4] OLD UYGHUR COMBINING DOT ABOVE..OLD UYGHUR COMBINING TWO DOTS BELOW + {0x11000, 0x11000, prSpacingMark}, // Mc BRAHMI SIGN CANDRABINDU + {0x11001, 0x11001, prExtend}, // Mn BRAHMI SIGN ANUSVARA + {0x11002, 0x11002, prSpacingMark}, // Mc BRAHMI SIGN VISARGA + {0x11038, 0x11046, prExtend}, // Mn [15] BRAHMI VOWEL SIGN AA..BRAHMI VIRAMA + {0x11070, 0x11070, prExtend}, // Mn BRAHMI SIGN OLD TAMIL VIRAMA + {0x11073, 0x11074, prExtend}, // Mn [2] BRAHMI VOWEL SIGN OLD TAMIL SHORT E..BRAHMI VOWEL SIGN OLD TAMIL SHORT O + {0x1107F, 0x11081, prExtend}, // Mn [3] BRAHMI NUMBER JOINER..KAITHI SIGN ANUSVARA + {0x11082, 0x11082, prSpacingMark}, // Mc KAITHI SIGN VISARGA + {0x110B0, 0x110B2, prSpacingMark}, // Mc [3] KAITHI VOWEL SIGN AA..KAITHI VOWEL SIGN II + {0x110B3, 0x110B6, prExtend}, // Mn [4] KAITHI VOWEL SIGN U..KAITHI VOWEL SIGN AI + {0x110B7, 0x110B8, prSpacingMark}, // Mc [2] KAITHI VOWEL SIGN O..KAITHI VOWEL SIGN AU + {0x110B9, 0x110BA, prExtend}, // Mn [2] KAITHI SIGN VIRAMA..KAITHI SIGN NUKTA + {0x110BD, 0x110BD, prPrepend}, // Cf KAITHI NUMBER SIGN + {0x110C2, 0x110C2, prExtend}, // Mn KAITHI VOWEL SIGN VOCALIC R + {0x110CD, 0x110CD, prPrepend}, // Cf KAITHI NUMBER SIGN ABOVE + {0x11100, 0x11102, prExtend}, // Mn [3] CHAKMA SIGN CANDRABINDU..CHAKMA SIGN VISARGA + {0x11127, 0x1112B, prExtend}, // Mn [5] CHAKMA VOWEL SIGN A..CHAKMA VOWEL SIGN UU + {0x1112C, 0x1112C, prSpacingMark}, // Mc CHAKMA VOWEL SIGN E + {0x1112D, 0x11134, prExtend}, // Mn [8] CHAKMA VOWEL SIGN AI..CHAKMA MAAYYAA + {0x11145, 0x11146, prSpacingMark}, // Mc [2] CHAKMA VOWEL SIGN AA..CHAKMA VOWEL SIGN EI + {0x11173, 0x11173, prExtend}, // Mn MAHAJANI SIGN NUKTA + {0x11180, 0x11181, prExtend}, // Mn [2] SHARADA SIGN CANDRABINDU..SHARADA SIGN ANUSVARA + {0x11182, 0x11182, prSpacingMark}, // Mc SHARADA SIGN VISARGA + {0x111B3, 0x111B5, prSpacingMark}, // Mc [3] SHARADA VOWEL SIGN AA..SHARADA VOWEL SIGN II + {0x111B6, 0x111BE, prExtend}, // Mn [9] SHARADA VOWEL SIGN U..SHARADA VOWEL SIGN O + {0x111BF, 0x111C0, prSpacingMark}, // Mc [2] SHARADA VOWEL SIGN AU..SHARADA SIGN VIRAMA + {0x111C2, 0x111C3, prPrepend}, // Lo [2] SHARADA SIGN JIHVAMULIYA..SHARADA SIGN UPADHMANIYA + {0x111C9, 0x111CC, prExtend}, // Mn [4] SHARADA SANDHI MARK..SHARADA EXTRA SHORT VOWEL MARK + {0x111CE, 0x111CE, prSpacingMark}, // Mc SHARADA VOWEL SIGN PRISHTHAMATRA E + {0x111CF, 0x111CF, prExtend}, // Mn SHARADA SIGN INVERTED CANDRABINDU + {0x1122C, 0x1122E, prSpacingMark}, // Mc [3] KHOJKI VOWEL SIGN AA..KHOJKI VOWEL SIGN II + {0x1122F, 0x11231, prExtend}, // Mn [3] KHOJKI VOWEL SIGN U..KHOJKI VOWEL SIGN AI + {0x11232, 0x11233, prSpacingMark}, // Mc [2] KHOJKI VOWEL SIGN O..KHOJKI VOWEL SIGN AU + {0x11234, 0x11234, prExtend}, // Mn KHOJKI SIGN ANUSVARA + {0x11235, 0x11235, prSpacingMark}, // Mc KHOJKI SIGN VIRAMA + {0x11236, 0x11237, prExtend}, // Mn [2] KHOJKI SIGN NUKTA..KHOJKI SIGN SHADDA + {0x1123E, 0x1123E, prExtend}, // Mn KHOJKI SIGN SUKUN + {0x11241, 0x11241, prExtend}, // Mn KHOJKI VOWEL SIGN VOCALIC R + {0x112DF, 0x112DF, prExtend}, // Mn KHUDAWADI SIGN ANUSVARA + {0x112E0, 0x112E2, prSpacingMark}, // Mc [3] KHUDAWADI VOWEL SIGN AA..KHUDAWADI VOWEL SIGN II + {0x112E3, 0x112EA, prExtend}, // Mn [8] KHUDAWADI VOWEL SIGN U..KHUDAWADI SIGN VIRAMA + {0x11300, 0x11301, prExtend}, // Mn [2] GRANTHA SIGN COMBINING ANUSVARA ABOVE..GRANTHA SIGN CANDRABINDU + {0x11302, 0x11303, prSpacingMark}, // Mc [2] GRANTHA SIGN ANUSVARA..GRANTHA SIGN VISARGA + {0x1133B, 0x1133C, prExtend}, // Mn [2] COMBINING BINDU BELOW..GRANTHA SIGN NUKTA + {0x1133E, 0x1133E, prExtend}, // Mc GRANTHA VOWEL SIGN AA + {0x1133F, 0x1133F, prSpacingMark}, // Mc GRANTHA VOWEL SIGN I + {0x11340, 0x11340, prExtend}, // Mn GRANTHA VOWEL SIGN II + {0x11341, 0x11344, prSpacingMark}, // Mc [4] GRANTHA VOWEL SIGN U..GRANTHA VOWEL SIGN VOCALIC RR + {0x11347, 0x11348, prSpacingMark}, // Mc [2] GRANTHA VOWEL SIGN EE..GRANTHA VOWEL SIGN AI + {0x1134B, 0x1134D, prSpacingMark}, // Mc [3] GRANTHA VOWEL SIGN OO..GRANTHA SIGN VIRAMA + {0x11357, 0x11357, prExtend}, // Mc GRANTHA AU LENGTH MARK + {0x11362, 0x11363, prSpacingMark}, // Mc [2] GRANTHA VOWEL SIGN VOCALIC L..GRANTHA VOWEL SIGN VOCALIC LL + {0x11366, 0x1136C, prExtend}, // Mn [7] COMBINING GRANTHA DIGIT ZERO..COMBINING GRANTHA DIGIT SIX + {0x11370, 0x11374, prExtend}, // Mn [5] COMBINING GRANTHA LETTER A..COMBINING GRANTHA LETTER PA + {0x11435, 0x11437, prSpacingMark}, // Mc [3] NEWA VOWEL SIGN AA..NEWA VOWEL SIGN II + {0x11438, 0x1143F, prExtend}, // Mn [8] NEWA VOWEL SIGN U..NEWA VOWEL SIGN AI + {0x11440, 0x11441, prSpacingMark}, // Mc [2] NEWA VOWEL SIGN O..NEWA VOWEL SIGN AU + {0x11442, 0x11444, prExtend}, // Mn [3] NEWA SIGN VIRAMA..NEWA SIGN ANUSVARA + {0x11445, 0x11445, prSpacingMark}, // Mc NEWA SIGN VISARGA + {0x11446, 0x11446, prExtend}, // Mn NEWA SIGN NUKTA + {0x1145E, 0x1145E, prExtend}, // Mn NEWA SANDHI MARK + {0x114B0, 0x114B0, prExtend}, // Mc TIRHUTA VOWEL SIGN AA + {0x114B1, 0x114B2, prSpacingMark}, // Mc [2] TIRHUTA VOWEL SIGN I..TIRHUTA VOWEL SIGN II + {0x114B3, 0x114B8, prExtend}, // Mn [6] TIRHUTA VOWEL SIGN U..TIRHUTA VOWEL SIGN VOCALIC LL + {0x114B9, 0x114B9, prSpacingMark}, // Mc TIRHUTA VOWEL SIGN E + {0x114BA, 0x114BA, prExtend}, // Mn TIRHUTA VOWEL SIGN SHORT E + {0x114BB, 0x114BC, prSpacingMark}, // Mc [2] TIRHUTA VOWEL SIGN AI..TIRHUTA VOWEL SIGN O + {0x114BD, 0x114BD, prExtend}, // Mc TIRHUTA VOWEL SIGN SHORT O + {0x114BE, 0x114BE, prSpacingMark}, // Mc TIRHUTA VOWEL SIGN AU + {0x114BF, 0x114C0, prExtend}, // Mn [2] TIRHUTA SIGN CANDRABINDU..TIRHUTA SIGN ANUSVARA + {0x114C1, 0x114C1, prSpacingMark}, // Mc TIRHUTA SIGN VISARGA + {0x114C2, 0x114C3, prExtend}, // Mn [2] TIRHUTA SIGN VIRAMA..TIRHUTA SIGN NUKTA + {0x115AF, 0x115AF, prExtend}, // Mc SIDDHAM VOWEL SIGN AA + {0x115B0, 0x115B1, prSpacingMark}, // Mc [2] SIDDHAM VOWEL SIGN I..SIDDHAM VOWEL SIGN II + {0x115B2, 0x115B5, prExtend}, // Mn [4] SIDDHAM VOWEL SIGN U..SIDDHAM VOWEL SIGN VOCALIC RR + {0x115B8, 0x115BB, prSpacingMark}, // Mc [4] SIDDHAM VOWEL SIGN E..SIDDHAM VOWEL SIGN AU + {0x115BC, 0x115BD, prExtend}, // Mn [2] SIDDHAM SIGN CANDRABINDU..SIDDHAM SIGN ANUSVARA + {0x115BE, 0x115BE, prSpacingMark}, // Mc SIDDHAM SIGN VISARGA + {0x115BF, 0x115C0, prExtend}, // Mn [2] SIDDHAM SIGN VIRAMA..SIDDHAM SIGN NUKTA + {0x115DC, 0x115DD, prExtend}, // Mn [2] SIDDHAM VOWEL SIGN ALTERNATE U..SIDDHAM VOWEL SIGN ALTERNATE UU + {0x11630, 0x11632, prSpacingMark}, // Mc [3] MODI VOWEL SIGN AA..MODI VOWEL SIGN II + {0x11633, 0x1163A, prExtend}, // Mn [8] MODI VOWEL SIGN U..MODI VOWEL SIGN AI + {0x1163B, 0x1163C, prSpacingMark}, // Mc [2] MODI VOWEL SIGN O..MODI VOWEL SIGN AU + {0x1163D, 0x1163D, prExtend}, // Mn MODI SIGN ANUSVARA + {0x1163E, 0x1163E, prSpacingMark}, // Mc MODI SIGN VISARGA + {0x1163F, 0x11640, prExtend}, // Mn [2] MODI SIGN VIRAMA..MODI SIGN ARDHACANDRA + {0x116AB, 0x116AB, prExtend}, // Mn TAKRI SIGN ANUSVARA + {0x116AC, 0x116AC, prSpacingMark}, // Mc TAKRI SIGN VISARGA + {0x116AD, 0x116AD, prExtend}, // Mn TAKRI VOWEL SIGN AA + {0x116AE, 0x116AF, prSpacingMark}, // Mc [2] TAKRI VOWEL SIGN I..TAKRI VOWEL SIGN II + {0x116B0, 0x116B5, prExtend}, // Mn [6] TAKRI VOWEL SIGN U..TAKRI VOWEL SIGN AU + {0x116B6, 0x116B6, prSpacingMark}, // Mc TAKRI SIGN VIRAMA + {0x116B7, 0x116B7, prExtend}, // Mn TAKRI SIGN NUKTA + {0x1171D, 0x1171F, prExtend}, // Mn [3] AHOM CONSONANT SIGN MEDIAL LA..AHOM CONSONANT SIGN MEDIAL LIGATING RA + {0x11722, 0x11725, prExtend}, // Mn [4] AHOM VOWEL SIGN I..AHOM VOWEL SIGN UU + {0x11726, 0x11726, prSpacingMark}, // Mc AHOM VOWEL SIGN E + {0x11727, 0x1172B, prExtend}, // Mn [5] AHOM VOWEL SIGN AW..AHOM SIGN KILLER + {0x1182C, 0x1182E, prSpacingMark}, // Mc [3] DOGRA VOWEL SIGN AA..DOGRA VOWEL SIGN II + {0x1182F, 0x11837, prExtend}, // Mn [9] DOGRA VOWEL SIGN U..DOGRA SIGN ANUSVARA + {0x11838, 0x11838, prSpacingMark}, // Mc DOGRA SIGN VISARGA + {0x11839, 0x1183A, prExtend}, // Mn [2] DOGRA SIGN VIRAMA..DOGRA SIGN NUKTA + {0x11930, 0x11930, prExtend}, // Mc DIVES AKURU VOWEL SIGN AA + {0x11931, 0x11935, prSpacingMark}, // Mc [5] DIVES AKURU VOWEL SIGN I..DIVES AKURU VOWEL SIGN E + {0x11937, 0x11938, prSpacingMark}, // Mc [2] DIVES AKURU VOWEL SIGN AI..DIVES AKURU VOWEL SIGN O + {0x1193B, 0x1193C, prExtend}, // Mn [2] DIVES AKURU SIGN ANUSVARA..DIVES AKURU SIGN CANDRABINDU + {0x1193D, 0x1193D, prSpacingMark}, // Mc DIVES AKURU SIGN HALANTA + {0x1193E, 0x1193E, prExtend}, // Mn DIVES AKURU VIRAMA + {0x1193F, 0x1193F, prPrepend}, // Lo DIVES AKURU PREFIXED NASAL SIGN + {0x11940, 0x11940, prSpacingMark}, // Mc DIVES AKURU MEDIAL YA + {0x11941, 0x11941, prPrepend}, // Lo DIVES AKURU INITIAL RA + {0x11942, 0x11942, prSpacingMark}, // Mc DIVES AKURU MEDIAL RA + {0x11943, 0x11943, prExtend}, // Mn DIVES AKURU SIGN NUKTA + {0x119D1, 0x119D3, prSpacingMark}, // Mc [3] NANDINAGARI VOWEL SIGN AA..NANDINAGARI VOWEL SIGN II + {0x119D4, 0x119D7, prExtend}, // Mn [4] NANDINAGARI VOWEL SIGN U..NANDINAGARI VOWEL SIGN VOCALIC RR + {0x119DA, 0x119DB, prExtend}, // Mn [2] NANDINAGARI VOWEL SIGN E..NANDINAGARI VOWEL SIGN AI + {0x119DC, 0x119DF, prSpacingMark}, // Mc [4] NANDINAGARI VOWEL SIGN O..NANDINAGARI SIGN VISARGA + {0x119E0, 0x119E0, prExtend}, // Mn NANDINAGARI SIGN VIRAMA + {0x119E4, 0x119E4, prSpacingMark}, // Mc NANDINAGARI VOWEL SIGN PRISHTHAMATRA E + {0x11A01, 0x11A0A, prExtend}, // Mn [10] ZANABAZAR SQUARE VOWEL SIGN I..ZANABAZAR SQUARE VOWEL LENGTH MARK + {0x11A33, 0x11A38, prExtend}, // Mn [6] ZANABAZAR SQUARE FINAL CONSONANT MARK..ZANABAZAR SQUARE SIGN ANUSVARA + {0x11A39, 0x11A39, prSpacingMark}, // Mc ZANABAZAR SQUARE SIGN VISARGA + {0x11A3A, 0x11A3A, prPrepend}, // Lo ZANABAZAR SQUARE CLUSTER-INITIAL LETTER RA + {0x11A3B, 0x11A3E, prExtend}, // Mn [4] ZANABAZAR SQUARE CLUSTER-FINAL LETTER YA..ZANABAZAR SQUARE CLUSTER-FINAL LETTER VA + {0x11A47, 0x11A47, prExtend}, // Mn ZANABAZAR SQUARE SUBJOINER + {0x11A51, 0x11A56, prExtend}, // Mn [6] SOYOMBO VOWEL SIGN I..SOYOMBO VOWEL SIGN OE + {0x11A57, 0x11A58, prSpacingMark}, // Mc [2] SOYOMBO VOWEL SIGN AI..SOYOMBO VOWEL SIGN AU + {0x11A59, 0x11A5B, prExtend}, // Mn [3] SOYOMBO VOWEL SIGN VOCALIC R..SOYOMBO VOWEL LENGTH MARK + {0x11A84, 0x11A89, prPrepend}, // Lo [6] SOYOMBO SIGN JIHVAMULIYA..SOYOMBO CLUSTER-INITIAL LETTER SA + {0x11A8A, 0x11A96, prExtend}, // Mn [13] SOYOMBO FINAL CONSONANT SIGN G..SOYOMBO SIGN ANUSVARA + {0x11A97, 0x11A97, prSpacingMark}, // Mc SOYOMBO SIGN VISARGA + {0x11A98, 0x11A99, prExtend}, // Mn [2] SOYOMBO GEMINATION MARK..SOYOMBO SUBJOINER + {0x11C2F, 0x11C2F, prSpacingMark}, // Mc BHAIKSUKI VOWEL SIGN AA + {0x11C30, 0x11C36, prExtend}, // Mn [7] BHAIKSUKI VOWEL SIGN I..BHAIKSUKI VOWEL SIGN VOCALIC L + {0x11C38, 0x11C3D, prExtend}, // Mn [6] BHAIKSUKI VOWEL SIGN E..BHAIKSUKI SIGN ANUSVARA + {0x11C3E, 0x11C3E, prSpacingMark}, // Mc BHAIKSUKI SIGN VISARGA + {0x11C3F, 0x11C3F, prExtend}, // Mn BHAIKSUKI SIGN VIRAMA + {0x11C92, 0x11CA7, prExtend}, // Mn [22] MARCHEN SUBJOINED LETTER KA..MARCHEN SUBJOINED LETTER ZA + {0x11CA9, 0x11CA9, prSpacingMark}, // Mc MARCHEN SUBJOINED LETTER YA + {0x11CAA, 0x11CB0, prExtend}, // Mn [7] MARCHEN SUBJOINED LETTER RA..MARCHEN VOWEL SIGN AA + {0x11CB1, 0x11CB1, prSpacingMark}, // Mc MARCHEN VOWEL SIGN I + {0x11CB2, 0x11CB3, prExtend}, // Mn [2] MARCHEN VOWEL SIGN U..MARCHEN VOWEL SIGN E + {0x11CB4, 0x11CB4, prSpacingMark}, // Mc MARCHEN VOWEL SIGN O + {0x11CB5, 0x11CB6, prExtend}, // Mn [2] MARCHEN SIGN ANUSVARA..MARCHEN SIGN CANDRABINDU + {0x11D31, 0x11D36, prExtend}, // Mn [6] MASARAM GONDI VOWEL SIGN AA..MASARAM GONDI VOWEL SIGN VOCALIC R + {0x11D3A, 0x11D3A, prExtend}, // Mn MASARAM GONDI VOWEL SIGN E + {0x11D3C, 0x11D3D, prExtend}, // Mn [2] MASARAM GONDI VOWEL SIGN AI..MASARAM GONDI VOWEL SIGN O + {0x11D3F, 0x11D45, prExtend}, // Mn [7] MASARAM GONDI VOWEL SIGN AU..MASARAM GONDI VIRAMA + {0x11D46, 0x11D46, prPrepend}, // Lo MASARAM GONDI REPHA + {0x11D47, 0x11D47, prExtend}, // Mn MASARAM GONDI RA-KARA + {0x11D8A, 0x11D8E, prSpacingMark}, // Mc [5] GUNJALA GONDI VOWEL SIGN AA..GUNJALA GONDI VOWEL SIGN UU + {0x11D90, 0x11D91, prExtend}, // Mn [2] GUNJALA GONDI VOWEL SIGN EE..GUNJALA GONDI VOWEL SIGN AI + {0x11D93, 0x11D94, prSpacingMark}, // Mc [2] GUNJALA GONDI VOWEL SIGN OO..GUNJALA GONDI VOWEL SIGN AU + {0x11D95, 0x11D95, prExtend}, // Mn GUNJALA GONDI SIGN ANUSVARA + {0x11D96, 0x11D96, prSpacingMark}, // Mc GUNJALA GONDI SIGN VISARGA + {0x11D97, 0x11D97, prExtend}, // Mn GUNJALA GONDI VIRAMA + {0x11EF3, 0x11EF4, prExtend}, // Mn [2] MAKASAR VOWEL SIGN I..MAKASAR VOWEL SIGN U + {0x11EF5, 0x11EF6, prSpacingMark}, // Mc [2] MAKASAR VOWEL SIGN E..MAKASAR VOWEL SIGN O + {0x11F00, 0x11F01, prExtend}, // Mn [2] KAWI SIGN CANDRABINDU..KAWI SIGN ANUSVARA + {0x11F02, 0x11F02, prPrepend}, // Lo KAWI SIGN REPHA + {0x11F03, 0x11F03, prSpacingMark}, // Mc KAWI SIGN VISARGA + {0x11F34, 0x11F35, prSpacingMark}, // Mc [2] KAWI VOWEL SIGN AA..KAWI VOWEL SIGN ALTERNATE AA + {0x11F36, 0x11F3A, prExtend}, // Mn [5] KAWI VOWEL SIGN I..KAWI VOWEL SIGN VOCALIC R + {0x11F3E, 0x11F3F, prSpacingMark}, // Mc [2] KAWI VOWEL SIGN E..KAWI VOWEL SIGN AI + {0x11F40, 0x11F40, prExtend}, // Mn KAWI VOWEL SIGN EU + {0x11F41, 0x11F41, prSpacingMark}, // Mc KAWI SIGN KILLER + {0x11F42, 0x11F42, prExtend}, // Mn KAWI CONJOINER + {0x13430, 0x1343F, prControl}, // Cf [16] EGYPTIAN HIEROGLYPH VERTICAL JOINER..EGYPTIAN HIEROGLYPH END WALLED ENCLOSURE + {0x13440, 0x13440, prExtend}, // Mn EGYPTIAN HIEROGLYPH MIRROR HORIZONTALLY + {0x13447, 0x13455, prExtend}, // Mn [15] EGYPTIAN HIEROGLYPH MODIFIER DAMAGED AT TOP START..EGYPTIAN HIEROGLYPH MODIFIER DAMAGED + {0x16AF0, 0x16AF4, prExtend}, // Mn [5] BASSA VAH COMBINING HIGH TONE..BASSA VAH COMBINING HIGH-LOW TONE + {0x16B30, 0x16B36, prExtend}, // Mn [7] PAHAWH HMONG MARK CIM TUB..PAHAWH HMONG MARK CIM TAUM + {0x16F4F, 0x16F4F, prExtend}, // Mn MIAO SIGN CONSONANT MODIFIER BAR + {0x16F51, 0x16F87, prSpacingMark}, // Mc [55] MIAO SIGN ASPIRATION..MIAO VOWEL SIGN UI + {0x16F8F, 0x16F92, prExtend}, // Mn [4] MIAO TONE RIGHT..MIAO TONE BELOW + {0x16FE4, 0x16FE4, prExtend}, // Mn KHITAN SMALL SCRIPT FILLER + {0x16FF0, 0x16FF1, prSpacingMark}, // Mc [2] VIETNAMESE ALTERNATE READING MARK CA..VIETNAMESE ALTERNATE READING MARK NHAY + {0x1BC9D, 0x1BC9E, prExtend}, // Mn [2] DUPLOYAN THICK LETTER SELECTOR..DUPLOYAN DOUBLE MARK + {0x1BCA0, 0x1BCA3, prControl}, // Cf [4] SHORTHAND FORMAT LETTER OVERLAP..SHORTHAND FORMAT UP STEP + {0x1CF00, 0x1CF2D, prExtend}, // Mn [46] ZNAMENNY COMBINING MARK GORAZDO NIZKO S KRYZHEM ON LEFT..ZNAMENNY COMBINING MARK KRYZH ON LEFT + {0x1CF30, 0x1CF46, prExtend}, // Mn [23] ZNAMENNY COMBINING TONAL RANGE MARK MRACHNO..ZNAMENNY PRIZNAK MODIFIER ROG + {0x1D165, 0x1D165, prExtend}, // Mc MUSICAL SYMBOL COMBINING STEM + {0x1D166, 0x1D166, prSpacingMark}, // Mc MUSICAL SYMBOL COMBINING SPRECHGESANG STEM + {0x1D167, 0x1D169, prExtend}, // Mn [3] MUSICAL SYMBOL COMBINING TREMOLO-1..MUSICAL SYMBOL COMBINING TREMOLO-3 + {0x1D16D, 0x1D16D, prSpacingMark}, // Mc MUSICAL SYMBOL COMBINING AUGMENTATION DOT + {0x1D16E, 0x1D172, prExtend}, // Mc [5] MUSICAL SYMBOL COMBINING FLAG-1..MUSICAL SYMBOL COMBINING FLAG-5 + {0x1D173, 0x1D17A, prControl}, // Cf [8] MUSICAL SYMBOL BEGIN BEAM..MUSICAL SYMBOL END PHRASE + {0x1D17B, 0x1D182, prExtend}, // Mn [8] MUSICAL SYMBOL COMBINING ACCENT..MUSICAL SYMBOL COMBINING LOURE + {0x1D185, 0x1D18B, prExtend}, // Mn [7] MUSICAL SYMBOL COMBINING DOIT..MUSICAL SYMBOL COMBINING TRIPLE TONGUE + {0x1D1AA, 0x1D1AD, prExtend}, // Mn [4] MUSICAL SYMBOL COMBINING DOWN BOW..MUSICAL SYMBOL COMBINING SNAP PIZZICATO + {0x1D242, 0x1D244, prExtend}, // Mn [3] COMBINING GREEK MUSICAL TRISEME..COMBINING GREEK MUSICAL PENTASEME + {0x1DA00, 0x1DA36, prExtend}, // Mn [55] SIGNWRITING HEAD RIM..SIGNWRITING AIR SUCKING IN + {0x1DA3B, 0x1DA6C, prExtend}, // Mn [50] SIGNWRITING MOUTH CLOSED NEUTRAL..SIGNWRITING EXCITEMENT + {0x1DA75, 0x1DA75, prExtend}, // Mn SIGNWRITING UPPER BODY TILTING FROM HIP JOINTS + {0x1DA84, 0x1DA84, prExtend}, // Mn SIGNWRITING LOCATION HEAD NECK + {0x1DA9B, 0x1DA9F, prExtend}, // Mn [5] SIGNWRITING FILL MODIFIER-2..SIGNWRITING FILL MODIFIER-6 + {0x1DAA1, 0x1DAAF, prExtend}, // Mn [15] SIGNWRITING ROTATION MODIFIER-2..SIGNWRITING ROTATION MODIFIER-16 + {0x1E000, 0x1E006, prExtend}, // Mn [7] COMBINING GLAGOLITIC LETTER AZU..COMBINING GLAGOLITIC LETTER ZHIVETE + {0x1E008, 0x1E018, prExtend}, // Mn [17] COMBINING GLAGOLITIC LETTER ZEMLJA..COMBINING GLAGOLITIC LETTER HERU + {0x1E01B, 0x1E021, prExtend}, // Mn [7] COMBINING GLAGOLITIC LETTER SHTA..COMBINING GLAGOLITIC LETTER YATI + {0x1E023, 0x1E024, prExtend}, // Mn [2] COMBINING GLAGOLITIC LETTER YU..COMBINING GLAGOLITIC LETTER SMALL YUS + {0x1E026, 0x1E02A, prExtend}, // Mn [5] COMBINING GLAGOLITIC LETTER YO..COMBINING GLAGOLITIC LETTER FITA + {0x1E08F, 0x1E08F, prExtend}, // Mn COMBINING CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I + {0x1E130, 0x1E136, prExtend}, // Mn [7] NYIAKENG PUACHUE HMONG TONE-B..NYIAKENG PUACHUE HMONG TONE-D + {0x1E2AE, 0x1E2AE, prExtend}, // Mn TOTO SIGN RISING TONE + {0x1E2EC, 0x1E2EF, prExtend}, // Mn [4] WANCHO TONE TUP..WANCHO TONE KOINI + {0x1E4EC, 0x1E4EF, prExtend}, // Mn [4] NAG MUNDARI SIGN MUHOR..NAG MUNDARI SIGN SUTUH + {0x1E8D0, 0x1E8D6, prExtend}, // Mn [7] MENDE KIKAKUI COMBINING NUMBER TEENS..MENDE KIKAKUI COMBINING NUMBER MILLIONS + {0x1E944, 0x1E94A, prExtend}, // Mn [7] ADLAM ALIF LENGTHENER..ADLAM NUKTA + {0x1F000, 0x1F003, prExtendedPictographic}, // E0.0 [4] (🀀..🀃) MAHJONG TILE EAST WIND..MAHJONG TILE NORTH WIND + {0x1F004, 0x1F004, prExtendedPictographic}, // E0.6 [1] (🀄) mahjong red dragon + {0x1F005, 0x1F0CE, prExtendedPictographic}, // E0.0 [202] (🀅..🃎) MAHJONG TILE GREEN DRAGON..PLAYING CARD KING OF DIAMONDS + {0x1F0CF, 0x1F0CF, prExtendedPictographic}, // E0.6 [1] (ðŸƒ) joker + {0x1F0D0, 0x1F0FF, prExtendedPictographic}, // E0.0 [48] (ðŸƒ..🃿) .. + {0x1F10D, 0x1F10F, prExtendedPictographic}, // E0.0 [3] (ðŸ„..ðŸ„) CIRCLED ZERO WITH SLASH..CIRCLED DOLLAR SIGN WITH OVERLAID BACKSLASH + {0x1F12F, 0x1F12F, prExtendedPictographic}, // E0.0 [1] (🄯) COPYLEFT SYMBOL + {0x1F16C, 0x1F16F, prExtendedPictographic}, // E0.0 [4] (🅬..🅯) RAISED MR SIGN..CIRCLED HUMAN FIGURE + {0x1F170, 0x1F171, prExtendedPictographic}, // E0.6 [2] (🅰ï¸..🅱ï¸) A button (blood type)..B button (blood type) + {0x1F17E, 0x1F17F, prExtendedPictographic}, // E0.6 [2] (🅾ï¸..🅿ï¸) O button (blood type)..P button + {0x1F18E, 0x1F18E, prExtendedPictographic}, // E0.6 [1] (🆎) AB button (blood type) + {0x1F191, 0x1F19A, prExtendedPictographic}, // E0.6 [10] (🆑..🆚) CL button..VS button + {0x1F1AD, 0x1F1E5, prExtendedPictographic}, // E0.0 [57] (🆭..🇥) MASK WORK SYMBOL.. + {0x1F1E6, 0x1F1FF, prRegionalIndicator}, // So [26] REGIONAL INDICATOR SYMBOL LETTER A..REGIONAL INDICATOR SYMBOL LETTER Z + {0x1F201, 0x1F202, prExtendedPictographic}, // E0.6 [2] (ðŸˆ..🈂ï¸) Japanese “here†button..Japanese “service charge†button + {0x1F203, 0x1F20F, prExtendedPictographic}, // E0.0 [13] (🈃..ðŸˆ) .. + {0x1F21A, 0x1F21A, prExtendedPictographic}, // E0.6 [1] (🈚) Japanese “free of charge†button + {0x1F22F, 0x1F22F, prExtendedPictographic}, // E0.6 [1] (🈯) Japanese “reserved†button + {0x1F232, 0x1F23A, prExtendedPictographic}, // E0.6 [9] (🈲..🈺) Japanese “prohibited†button..Japanese “open for business†button + {0x1F23C, 0x1F23F, prExtendedPictographic}, // E0.0 [4] (🈼..🈿) .. + {0x1F249, 0x1F24F, prExtendedPictographic}, // E0.0 [7] (🉉..ðŸ‰) .. + {0x1F250, 0x1F251, prExtendedPictographic}, // E0.6 [2] (ðŸ‰..🉑) Japanese “bargain†button..Japanese “acceptable†button + {0x1F252, 0x1F2FF, prExtendedPictographic}, // E0.0 [174] (🉒..🋿) .. + {0x1F300, 0x1F30C, prExtendedPictographic}, // E0.6 [13] (🌀..🌌) cyclone..milky way + {0x1F30D, 0x1F30E, prExtendedPictographic}, // E0.7 [2] (ðŸŒ..🌎) globe showing Europe-Africa..globe showing Americas + {0x1F30F, 0x1F30F, prExtendedPictographic}, // E0.6 [1] (ðŸŒ) globe showing Asia-Australia + {0x1F310, 0x1F310, prExtendedPictographic}, // E1.0 [1] (ðŸŒ) globe with meridians + {0x1F311, 0x1F311, prExtendedPictographic}, // E0.6 [1] (🌑) new moon + {0x1F312, 0x1F312, prExtendedPictographic}, // E1.0 [1] (🌒) waxing crescent moon + {0x1F313, 0x1F315, prExtendedPictographic}, // E0.6 [3] (🌓..🌕) first quarter moon..full moon + {0x1F316, 0x1F318, prExtendedPictographic}, // E1.0 [3] (🌖..🌘) waning gibbous moon..waning crescent moon + {0x1F319, 0x1F319, prExtendedPictographic}, // E0.6 [1] (🌙) crescent moon + {0x1F31A, 0x1F31A, prExtendedPictographic}, // E1.0 [1] (🌚) new moon face + {0x1F31B, 0x1F31B, prExtendedPictographic}, // E0.6 [1] (🌛) first quarter moon face + {0x1F31C, 0x1F31C, prExtendedPictographic}, // E0.7 [1] (🌜) last quarter moon face + {0x1F31D, 0x1F31E, prExtendedPictographic}, // E1.0 [2] (ðŸŒ..🌞) full moon face..sun with face + {0x1F31F, 0x1F320, prExtendedPictographic}, // E0.6 [2] (🌟..🌠) glowing star..shooting star + {0x1F321, 0x1F321, prExtendedPictographic}, // E0.7 [1] (🌡ï¸) thermometer + {0x1F322, 0x1F323, prExtendedPictographic}, // E0.0 [2] (🌢..🌣) BLACK DROPLET..WHITE SUN + {0x1F324, 0x1F32C, prExtendedPictographic}, // E0.7 [9] (🌤ï¸..🌬ï¸) sun behind small cloud..wind face + {0x1F32D, 0x1F32F, prExtendedPictographic}, // E1.0 [3] (🌭..🌯) hot dog..burrito + {0x1F330, 0x1F331, prExtendedPictographic}, // E0.6 [2] (🌰..🌱) chestnut..seedling + {0x1F332, 0x1F333, prExtendedPictographic}, // E1.0 [2] (🌲..🌳) evergreen tree..deciduous tree + {0x1F334, 0x1F335, prExtendedPictographic}, // E0.6 [2] (🌴..🌵) palm tree..cactus + {0x1F336, 0x1F336, prExtendedPictographic}, // E0.7 [1] (🌶ï¸) hot pepper + {0x1F337, 0x1F34A, prExtendedPictographic}, // E0.6 [20] (🌷..ðŸŠ) tulip..tangerine + {0x1F34B, 0x1F34B, prExtendedPictographic}, // E1.0 [1] (ðŸ‹) lemon + {0x1F34C, 0x1F34F, prExtendedPictographic}, // E0.6 [4] (ðŸŒ..ðŸ) banana..green apple + {0x1F350, 0x1F350, prExtendedPictographic}, // E1.0 [1] (ðŸ) pear + {0x1F351, 0x1F37B, prExtendedPictographic}, // E0.6 [43] (ðŸ‘..ðŸ») peach..clinking beer mugs + {0x1F37C, 0x1F37C, prExtendedPictographic}, // E1.0 [1] (ðŸ¼) baby bottle + {0x1F37D, 0x1F37D, prExtendedPictographic}, // E0.7 [1] (ðŸ½ï¸) fork and knife with plate + {0x1F37E, 0x1F37F, prExtendedPictographic}, // E1.0 [2] (ðŸ¾..ðŸ¿) bottle with popping cork..popcorn + {0x1F380, 0x1F393, prExtendedPictographic}, // E0.6 [20] (🎀..🎓) ribbon..graduation cap + {0x1F394, 0x1F395, prExtendedPictographic}, // E0.0 [2] (🎔..🎕) HEART WITH TIP ON THE LEFT..BOUQUET OF FLOWERS + {0x1F396, 0x1F397, prExtendedPictographic}, // E0.7 [2] (🎖ï¸..🎗ï¸) military medal..reminder ribbon + {0x1F398, 0x1F398, prExtendedPictographic}, // E0.0 [1] (🎘) MUSICAL KEYBOARD WITH JACKS + {0x1F399, 0x1F39B, prExtendedPictographic}, // E0.7 [3] (🎙ï¸..🎛ï¸) studio microphone..control knobs + {0x1F39C, 0x1F39D, prExtendedPictographic}, // E0.0 [2] (🎜..ðŸŽ) BEAMED ASCENDING MUSICAL NOTES..BEAMED DESCENDING MUSICAL NOTES + {0x1F39E, 0x1F39F, prExtendedPictographic}, // E0.7 [2] (🎞ï¸..🎟ï¸) film frames..admission tickets + {0x1F3A0, 0x1F3C4, prExtendedPictographic}, // E0.6 [37] (🎠..ðŸ„) carousel horse..person surfing + {0x1F3C5, 0x1F3C5, prExtendedPictographic}, // E1.0 [1] (ðŸ…) sports medal + {0x1F3C6, 0x1F3C6, prExtendedPictographic}, // E0.6 [1] (ðŸ†) trophy + {0x1F3C7, 0x1F3C7, prExtendedPictographic}, // E1.0 [1] (ðŸ‡) horse racing + {0x1F3C8, 0x1F3C8, prExtendedPictographic}, // E0.6 [1] (ðŸˆ) american football + {0x1F3C9, 0x1F3C9, prExtendedPictographic}, // E1.0 [1] (ðŸ‰) rugby football + {0x1F3CA, 0x1F3CA, prExtendedPictographic}, // E0.6 [1] (ðŸŠ) person swimming + {0x1F3CB, 0x1F3CE, prExtendedPictographic}, // E0.7 [4] (ðŸ‹ï¸..ðŸŽï¸) person lifting weights..racing car + {0x1F3CF, 0x1F3D3, prExtendedPictographic}, // E1.0 [5] (ðŸ..ðŸ“) cricket game..ping pong + {0x1F3D4, 0x1F3DF, prExtendedPictographic}, // E0.7 [12] (ðŸ”ï¸..ðŸŸï¸) snow-capped mountain..stadium + {0x1F3E0, 0x1F3E3, prExtendedPictographic}, // E0.6 [4] (ðŸ ..ðŸ£) house..Japanese post office + {0x1F3E4, 0x1F3E4, prExtendedPictographic}, // E1.0 [1] (ðŸ¤) post office + {0x1F3E5, 0x1F3F0, prExtendedPictographic}, // E0.6 [12] (ðŸ¥..ðŸ°) hospital..castle + {0x1F3F1, 0x1F3F2, prExtendedPictographic}, // E0.0 [2] (ðŸ±..ðŸ²) WHITE PENNANT..BLACK PENNANT + {0x1F3F3, 0x1F3F3, prExtendedPictographic}, // E0.7 [1] (ðŸ³ï¸) white flag + {0x1F3F4, 0x1F3F4, prExtendedPictographic}, // E1.0 [1] (ðŸ´) black flag + {0x1F3F5, 0x1F3F5, prExtendedPictographic}, // E0.7 [1] (ðŸµï¸) rosette + {0x1F3F6, 0x1F3F6, prExtendedPictographic}, // E0.0 [1] (ðŸ¶) BLACK ROSETTE + {0x1F3F7, 0x1F3F7, prExtendedPictographic}, // E0.7 [1] (ðŸ·ï¸) label + {0x1F3F8, 0x1F3FA, prExtendedPictographic}, // E1.0 [3] (ðŸ¸..ðŸº) badminton..amphora + {0x1F3FB, 0x1F3FF, prExtend}, // Sk [5] EMOJI MODIFIER FITZPATRICK TYPE-1-2..EMOJI MODIFIER FITZPATRICK TYPE-6 + {0x1F400, 0x1F407, prExtendedPictographic}, // E1.0 [8] (ðŸ€..ðŸ‡) rat..rabbit + {0x1F408, 0x1F408, prExtendedPictographic}, // E0.7 [1] (ðŸˆ) cat + {0x1F409, 0x1F40B, prExtendedPictographic}, // E1.0 [3] (ðŸ‰..ðŸ‹) dragon..whale + {0x1F40C, 0x1F40E, prExtendedPictographic}, // E0.6 [3] (ðŸŒ..ðŸŽ) snail..horse + {0x1F40F, 0x1F410, prExtendedPictographic}, // E1.0 [2] (ðŸ..ðŸ) ram..goat + {0x1F411, 0x1F412, prExtendedPictographic}, // E0.6 [2] (ðŸ‘..ðŸ’) ewe..monkey + {0x1F413, 0x1F413, prExtendedPictographic}, // E1.0 [1] (ðŸ“) rooster + {0x1F414, 0x1F414, prExtendedPictographic}, // E0.6 [1] (ðŸ”) chicken + {0x1F415, 0x1F415, prExtendedPictographic}, // E0.7 [1] (ðŸ•) dog + {0x1F416, 0x1F416, prExtendedPictographic}, // E1.0 [1] (ðŸ–) pig + {0x1F417, 0x1F429, prExtendedPictographic}, // E0.6 [19] (ðŸ—..ðŸ©) boar..poodle + {0x1F42A, 0x1F42A, prExtendedPictographic}, // E1.0 [1] (ðŸª) camel + {0x1F42B, 0x1F43E, prExtendedPictographic}, // E0.6 [20] (ðŸ«..ðŸ¾) two-hump camel..paw prints + {0x1F43F, 0x1F43F, prExtendedPictographic}, // E0.7 [1] (ðŸ¿ï¸) chipmunk + {0x1F440, 0x1F440, prExtendedPictographic}, // E0.6 [1] (👀) eyes + {0x1F441, 0x1F441, prExtendedPictographic}, // E0.7 [1] (ðŸ‘ï¸) eye + {0x1F442, 0x1F464, prExtendedPictographic}, // E0.6 [35] (👂..👤) ear..bust in silhouette + {0x1F465, 0x1F465, prExtendedPictographic}, // E1.0 [1] (👥) busts in silhouette + {0x1F466, 0x1F46B, prExtendedPictographic}, // E0.6 [6] (👦..👫) boy..woman and man holding hands + {0x1F46C, 0x1F46D, prExtendedPictographic}, // E1.0 [2] (👬..👭) men holding hands..women holding hands + {0x1F46E, 0x1F4AC, prExtendedPictographic}, // E0.6 [63] (👮..💬) police officer..speech balloon + {0x1F4AD, 0x1F4AD, prExtendedPictographic}, // E1.0 [1] (💭) thought balloon + {0x1F4AE, 0x1F4B5, prExtendedPictographic}, // E0.6 [8] (💮..💵) white flower..dollar banknote + {0x1F4B6, 0x1F4B7, prExtendedPictographic}, // E1.0 [2] (💶..💷) euro banknote..pound banknote + {0x1F4B8, 0x1F4EB, prExtendedPictographic}, // E0.6 [52] (💸..📫) money with wings..closed mailbox with raised flag + {0x1F4EC, 0x1F4ED, prExtendedPictographic}, // E0.7 [2] (📬..📭) open mailbox with raised flag..open mailbox with lowered flag + {0x1F4EE, 0x1F4EE, prExtendedPictographic}, // E0.6 [1] (📮) postbox + {0x1F4EF, 0x1F4EF, prExtendedPictographic}, // E1.0 [1] (📯) postal horn + {0x1F4F0, 0x1F4F4, prExtendedPictographic}, // E0.6 [5] (📰..📴) newspaper..mobile phone off + {0x1F4F5, 0x1F4F5, prExtendedPictographic}, // E1.0 [1] (📵) no mobile phones + {0x1F4F6, 0x1F4F7, prExtendedPictographic}, // E0.6 [2] (📶..📷) antenna bars..camera + {0x1F4F8, 0x1F4F8, prExtendedPictographic}, // E1.0 [1] (📸) camera with flash + {0x1F4F9, 0x1F4FC, prExtendedPictographic}, // E0.6 [4] (📹..📼) video camera..videocassette + {0x1F4FD, 0x1F4FD, prExtendedPictographic}, // E0.7 [1] (📽ï¸) film projector + {0x1F4FE, 0x1F4FE, prExtendedPictographic}, // E0.0 [1] (📾) PORTABLE STEREO + {0x1F4FF, 0x1F502, prExtendedPictographic}, // E1.0 [4] (📿..🔂) prayer beads..repeat single button + {0x1F503, 0x1F503, prExtendedPictographic}, // E0.6 [1] (🔃) clockwise vertical arrows + {0x1F504, 0x1F507, prExtendedPictographic}, // E1.0 [4] (🔄..🔇) counterclockwise arrows button..muted speaker + {0x1F508, 0x1F508, prExtendedPictographic}, // E0.7 [1] (🔈) speaker low volume + {0x1F509, 0x1F509, prExtendedPictographic}, // E1.0 [1] (🔉) speaker medium volume + {0x1F50A, 0x1F514, prExtendedPictographic}, // E0.6 [11] (🔊..🔔) speaker high volume..bell + {0x1F515, 0x1F515, prExtendedPictographic}, // E1.0 [1] (🔕) bell with slash + {0x1F516, 0x1F52B, prExtendedPictographic}, // E0.6 [22] (🔖..🔫) bookmark..water pistol + {0x1F52C, 0x1F52D, prExtendedPictographic}, // E1.0 [2] (🔬..🔭) microscope..telescope + {0x1F52E, 0x1F53D, prExtendedPictographic}, // E0.6 [16] (🔮..🔽) crystal ball..downwards button + {0x1F546, 0x1F548, prExtendedPictographic}, // E0.0 [3] (🕆..🕈) WHITE LATIN CROSS..CELTIC CROSS + {0x1F549, 0x1F54A, prExtendedPictographic}, // E0.7 [2] (🕉ï¸..🕊ï¸) om..dove + {0x1F54B, 0x1F54E, prExtendedPictographic}, // E1.0 [4] (🕋..🕎) kaaba..menorah + {0x1F54F, 0x1F54F, prExtendedPictographic}, // E0.0 [1] (ðŸ•) BOWL OF HYGIEIA + {0x1F550, 0x1F55B, prExtendedPictographic}, // E0.6 [12] (ðŸ•..🕛) one o’clock..twelve o’clock + {0x1F55C, 0x1F567, prExtendedPictographic}, // E0.7 [12] (🕜..🕧) one-thirty..twelve-thirty + {0x1F568, 0x1F56E, prExtendedPictographic}, // E0.0 [7] (🕨..🕮) RIGHT SPEAKER..BOOK + {0x1F56F, 0x1F570, prExtendedPictographic}, // E0.7 [2] (🕯ï¸..🕰ï¸) candle..mantelpiece clock + {0x1F571, 0x1F572, prExtendedPictographic}, // E0.0 [2] (🕱..🕲) BLACK SKULL AND CROSSBONES..NO PIRACY + {0x1F573, 0x1F579, prExtendedPictographic}, // E0.7 [7] (🕳ï¸..🕹ï¸) hole..joystick + {0x1F57A, 0x1F57A, prExtendedPictographic}, // E3.0 [1] (🕺) man dancing + {0x1F57B, 0x1F586, prExtendedPictographic}, // E0.0 [12] (🕻..🖆) LEFT HAND TELEPHONE RECEIVER..PEN OVER STAMPED ENVELOPE + {0x1F587, 0x1F587, prExtendedPictographic}, // E0.7 [1] (🖇ï¸) linked paperclips + {0x1F588, 0x1F589, prExtendedPictographic}, // E0.0 [2] (🖈..🖉) BLACK PUSHPIN..LOWER LEFT PENCIL + {0x1F58A, 0x1F58D, prExtendedPictographic}, // E0.7 [4] (🖊ï¸..ðŸ–ï¸) pen..crayon + {0x1F58E, 0x1F58F, prExtendedPictographic}, // E0.0 [2] (🖎..ðŸ–) LEFT WRITING HAND..TURNED OK HAND SIGN + {0x1F590, 0x1F590, prExtendedPictographic}, // E0.7 [1] (ðŸ–ï¸) hand with fingers splayed + {0x1F591, 0x1F594, prExtendedPictographic}, // E0.0 [4] (🖑..🖔) REVERSED RAISED HAND WITH FINGERS SPLAYED..REVERSED VICTORY HAND + {0x1F595, 0x1F596, prExtendedPictographic}, // E1.0 [2] (🖕..🖖) middle finger..vulcan salute + {0x1F597, 0x1F5A3, prExtendedPictographic}, // E0.0 [13] (🖗..🖣) WHITE DOWN POINTING LEFT HAND INDEX..BLACK DOWN POINTING BACKHAND INDEX + {0x1F5A4, 0x1F5A4, prExtendedPictographic}, // E3.0 [1] (🖤) black heart + {0x1F5A5, 0x1F5A5, prExtendedPictographic}, // E0.7 [1] (🖥ï¸) desktop computer + {0x1F5A6, 0x1F5A7, prExtendedPictographic}, // E0.0 [2] (🖦..🖧) KEYBOARD AND MOUSE..THREE NETWORKED COMPUTERS + {0x1F5A8, 0x1F5A8, prExtendedPictographic}, // E0.7 [1] (🖨ï¸) printer + {0x1F5A9, 0x1F5B0, prExtendedPictographic}, // E0.0 [8] (🖩..🖰) POCKET CALCULATOR..TWO BUTTON MOUSE + {0x1F5B1, 0x1F5B2, prExtendedPictographic}, // E0.7 [2] (🖱ï¸..🖲ï¸) computer mouse..trackball + {0x1F5B3, 0x1F5BB, prExtendedPictographic}, // E0.0 [9] (🖳..🖻) OLD PERSONAL COMPUTER..DOCUMENT WITH PICTURE + {0x1F5BC, 0x1F5BC, prExtendedPictographic}, // E0.7 [1] (🖼ï¸) framed picture + {0x1F5BD, 0x1F5C1, prExtendedPictographic}, // E0.0 [5] (🖽..ðŸ—) FRAME WITH TILES..OPEN FOLDER + {0x1F5C2, 0x1F5C4, prExtendedPictographic}, // E0.7 [3] (🗂ï¸..🗄ï¸) card index dividers..file cabinet + {0x1F5C5, 0x1F5D0, prExtendedPictographic}, // E0.0 [12] (🗅..ðŸ—) EMPTY NOTE..PAGES + {0x1F5D1, 0x1F5D3, prExtendedPictographic}, // E0.7 [3] (🗑ï¸..🗓ï¸) wastebasket..spiral calendar + {0x1F5D4, 0x1F5DB, prExtendedPictographic}, // E0.0 [8] (🗔..🗛) DESKTOP WINDOW..DECREASE FONT SIZE SYMBOL + {0x1F5DC, 0x1F5DE, prExtendedPictographic}, // E0.7 [3] (🗜ï¸..🗞ï¸) clamp..rolled-up newspaper + {0x1F5DF, 0x1F5E0, prExtendedPictographic}, // E0.0 [2] (🗟..🗠) PAGE WITH CIRCLED TEXT..STOCK CHART + {0x1F5E1, 0x1F5E1, prExtendedPictographic}, // E0.7 [1] (🗡ï¸) dagger + {0x1F5E2, 0x1F5E2, prExtendedPictographic}, // E0.0 [1] (🗢) LIPS + {0x1F5E3, 0x1F5E3, prExtendedPictographic}, // E0.7 [1] (🗣ï¸) speaking head + {0x1F5E4, 0x1F5E7, prExtendedPictographic}, // E0.0 [4] (🗤..🗧) THREE RAYS ABOVE..THREE RAYS RIGHT + {0x1F5E8, 0x1F5E8, prExtendedPictographic}, // E2.0 [1] (🗨ï¸) left speech bubble + {0x1F5E9, 0x1F5EE, prExtendedPictographic}, // E0.0 [6] (🗩..🗮) RIGHT SPEECH BUBBLE..LEFT ANGER BUBBLE + {0x1F5EF, 0x1F5EF, prExtendedPictographic}, // E0.7 [1] (🗯ï¸) right anger bubble + {0x1F5F0, 0x1F5F2, prExtendedPictographic}, // E0.0 [3] (🗰..🗲) MOOD BUBBLE..LIGHTNING MOOD + {0x1F5F3, 0x1F5F3, prExtendedPictographic}, // E0.7 [1] (🗳ï¸) ballot box with ballot + {0x1F5F4, 0x1F5F9, prExtendedPictographic}, // E0.0 [6] (🗴..🗹) BALLOT SCRIPT X..BALLOT BOX WITH BOLD CHECK + {0x1F5FA, 0x1F5FA, prExtendedPictographic}, // E0.7 [1] (🗺ï¸) world map + {0x1F5FB, 0x1F5FF, prExtendedPictographic}, // E0.6 [5] (🗻..🗿) mount fuji..moai + {0x1F600, 0x1F600, prExtendedPictographic}, // E1.0 [1] (😀) grinning face + {0x1F601, 0x1F606, prExtendedPictographic}, // E0.6 [6] (ðŸ˜..😆) beaming face with smiling eyes..grinning squinting face + {0x1F607, 0x1F608, prExtendedPictographic}, // E1.0 [2] (😇..😈) smiling face with halo..smiling face with horns + {0x1F609, 0x1F60D, prExtendedPictographic}, // E0.6 [5] (😉..ðŸ˜) winking face..smiling face with heart-eyes + {0x1F60E, 0x1F60E, prExtendedPictographic}, // E1.0 [1] (😎) smiling face with sunglasses + {0x1F60F, 0x1F60F, prExtendedPictographic}, // E0.6 [1] (ðŸ˜) smirking face + {0x1F610, 0x1F610, prExtendedPictographic}, // E0.7 [1] (ðŸ˜) neutral face + {0x1F611, 0x1F611, prExtendedPictographic}, // E1.0 [1] (😑) expressionless face + {0x1F612, 0x1F614, prExtendedPictographic}, // E0.6 [3] (😒..😔) unamused face..pensive face + {0x1F615, 0x1F615, prExtendedPictographic}, // E1.0 [1] (😕) confused face + {0x1F616, 0x1F616, prExtendedPictographic}, // E0.6 [1] (😖) confounded face + {0x1F617, 0x1F617, prExtendedPictographic}, // E1.0 [1] (😗) kissing face + {0x1F618, 0x1F618, prExtendedPictographic}, // E0.6 [1] (😘) face blowing a kiss + {0x1F619, 0x1F619, prExtendedPictographic}, // E1.0 [1] (😙) kissing face with smiling eyes + {0x1F61A, 0x1F61A, prExtendedPictographic}, // E0.6 [1] (😚) kissing face with closed eyes + {0x1F61B, 0x1F61B, prExtendedPictographic}, // E1.0 [1] (😛) face with tongue + {0x1F61C, 0x1F61E, prExtendedPictographic}, // E0.6 [3] (😜..😞) winking face with tongue..disappointed face + {0x1F61F, 0x1F61F, prExtendedPictographic}, // E1.0 [1] (😟) worried face + {0x1F620, 0x1F625, prExtendedPictographic}, // E0.6 [6] (😠..😥) angry face..sad but relieved face + {0x1F626, 0x1F627, prExtendedPictographic}, // E1.0 [2] (😦..😧) frowning face with open mouth..anguished face + {0x1F628, 0x1F62B, prExtendedPictographic}, // E0.6 [4] (😨..😫) fearful face..tired face + {0x1F62C, 0x1F62C, prExtendedPictographic}, // E1.0 [1] (😬) grimacing face + {0x1F62D, 0x1F62D, prExtendedPictographic}, // E0.6 [1] (😭) loudly crying face + {0x1F62E, 0x1F62F, prExtendedPictographic}, // E1.0 [2] (😮..😯) face with open mouth..hushed face + {0x1F630, 0x1F633, prExtendedPictographic}, // E0.6 [4] (😰..😳) anxious face with sweat..flushed face + {0x1F634, 0x1F634, prExtendedPictographic}, // E1.0 [1] (😴) sleeping face + {0x1F635, 0x1F635, prExtendedPictographic}, // E0.6 [1] (😵) face with crossed-out eyes + {0x1F636, 0x1F636, prExtendedPictographic}, // E1.0 [1] (😶) face without mouth + {0x1F637, 0x1F640, prExtendedPictographic}, // E0.6 [10] (😷..🙀) face with medical mask..weary cat + {0x1F641, 0x1F644, prExtendedPictographic}, // E1.0 [4] (ðŸ™..🙄) slightly frowning face..face with rolling eyes + {0x1F645, 0x1F64F, prExtendedPictographic}, // E0.6 [11] (🙅..ðŸ™) person gesturing NO..folded hands + {0x1F680, 0x1F680, prExtendedPictographic}, // E0.6 [1] (🚀) rocket + {0x1F681, 0x1F682, prExtendedPictographic}, // E1.0 [2] (ðŸš..🚂) helicopter..locomotive + {0x1F683, 0x1F685, prExtendedPictographic}, // E0.6 [3] (🚃..🚅) railway car..bullet train + {0x1F686, 0x1F686, prExtendedPictographic}, // E1.0 [1] (🚆) train + {0x1F687, 0x1F687, prExtendedPictographic}, // E0.6 [1] (🚇) metro + {0x1F688, 0x1F688, prExtendedPictographic}, // E1.0 [1] (🚈) light rail + {0x1F689, 0x1F689, prExtendedPictographic}, // E0.6 [1] (🚉) station + {0x1F68A, 0x1F68B, prExtendedPictographic}, // E1.0 [2] (🚊..🚋) tram..tram car + {0x1F68C, 0x1F68C, prExtendedPictographic}, // E0.6 [1] (🚌) bus + {0x1F68D, 0x1F68D, prExtendedPictographic}, // E0.7 [1] (ðŸš) oncoming bus + {0x1F68E, 0x1F68E, prExtendedPictographic}, // E1.0 [1] (🚎) trolleybus + {0x1F68F, 0x1F68F, prExtendedPictographic}, // E0.6 [1] (ðŸš) bus stop + {0x1F690, 0x1F690, prExtendedPictographic}, // E1.0 [1] (ðŸš) minibus + {0x1F691, 0x1F693, prExtendedPictographic}, // E0.6 [3] (🚑..🚓) ambulance..police car + {0x1F694, 0x1F694, prExtendedPictographic}, // E0.7 [1] (🚔) oncoming police car + {0x1F695, 0x1F695, prExtendedPictographic}, // E0.6 [1] (🚕) taxi + {0x1F696, 0x1F696, prExtendedPictographic}, // E1.0 [1] (🚖) oncoming taxi + {0x1F697, 0x1F697, prExtendedPictographic}, // E0.6 [1] (🚗) automobile + {0x1F698, 0x1F698, prExtendedPictographic}, // E0.7 [1] (🚘) oncoming automobile + {0x1F699, 0x1F69A, prExtendedPictographic}, // E0.6 [2] (🚙..🚚) sport utility vehicle..delivery truck + {0x1F69B, 0x1F6A1, prExtendedPictographic}, // E1.0 [7] (🚛..🚡) articulated lorry..aerial tramway + {0x1F6A2, 0x1F6A2, prExtendedPictographic}, // E0.6 [1] (🚢) ship + {0x1F6A3, 0x1F6A3, prExtendedPictographic}, // E1.0 [1] (🚣) person rowing boat + {0x1F6A4, 0x1F6A5, prExtendedPictographic}, // E0.6 [2] (🚤..🚥) speedboat..horizontal traffic light + {0x1F6A6, 0x1F6A6, prExtendedPictographic}, // E1.0 [1] (🚦) vertical traffic light + {0x1F6A7, 0x1F6AD, prExtendedPictographic}, // E0.6 [7] (🚧..🚭) construction..no smoking + {0x1F6AE, 0x1F6B1, prExtendedPictographic}, // E1.0 [4] (🚮..🚱) litter in bin sign..non-potable water + {0x1F6B2, 0x1F6B2, prExtendedPictographic}, // E0.6 [1] (🚲) bicycle + {0x1F6B3, 0x1F6B5, prExtendedPictographic}, // E1.0 [3] (🚳..🚵) no bicycles..person mountain biking + {0x1F6B6, 0x1F6B6, prExtendedPictographic}, // E0.6 [1] (🚶) person walking + {0x1F6B7, 0x1F6B8, prExtendedPictographic}, // E1.0 [2] (🚷..🚸) no pedestrians..children crossing + {0x1F6B9, 0x1F6BE, prExtendedPictographic}, // E0.6 [6] (🚹..🚾) men’s room..water closet + {0x1F6BF, 0x1F6BF, prExtendedPictographic}, // E1.0 [1] (🚿) shower + {0x1F6C0, 0x1F6C0, prExtendedPictographic}, // E0.6 [1] (🛀) person taking bath + {0x1F6C1, 0x1F6C5, prExtendedPictographic}, // E1.0 [5] (ðŸ›..🛅) bathtub..left luggage + {0x1F6C6, 0x1F6CA, prExtendedPictographic}, // E0.0 [5] (🛆..🛊) TRIANGLE WITH ROUNDED CORNERS..GIRLS SYMBOL + {0x1F6CB, 0x1F6CB, prExtendedPictographic}, // E0.7 [1] (🛋ï¸) couch and lamp + {0x1F6CC, 0x1F6CC, prExtendedPictographic}, // E1.0 [1] (🛌) person in bed + {0x1F6CD, 0x1F6CF, prExtendedPictographic}, // E0.7 [3] (ðŸ›ï¸..ðŸ›ï¸) shopping bags..bed + {0x1F6D0, 0x1F6D0, prExtendedPictographic}, // E1.0 [1] (ðŸ›) place of worship + {0x1F6D1, 0x1F6D2, prExtendedPictographic}, // E3.0 [2] (🛑..🛒) stop sign..shopping cart + {0x1F6D3, 0x1F6D4, prExtendedPictographic}, // E0.0 [2] (🛓..🛔) STUPA..PAGODA + {0x1F6D5, 0x1F6D5, prExtendedPictographic}, // E12.0 [1] (🛕) hindu temple + {0x1F6D6, 0x1F6D7, prExtendedPictographic}, // E13.0 [2] (🛖..🛗) hut..elevator + {0x1F6D8, 0x1F6DB, prExtendedPictographic}, // E0.0 [4] (🛘..🛛) .. + {0x1F6DC, 0x1F6DC, prExtendedPictographic}, // E15.0 [1] (🛜) wireless + {0x1F6DD, 0x1F6DF, prExtendedPictographic}, // E14.0 [3] (ðŸ›..🛟) playground slide..ring buoy + {0x1F6E0, 0x1F6E5, prExtendedPictographic}, // E0.7 [6] (🛠ï¸..🛥ï¸) hammer and wrench..motor boat + {0x1F6E6, 0x1F6E8, prExtendedPictographic}, // E0.0 [3] (🛦..🛨) UP-POINTING MILITARY AIRPLANE..UP-POINTING SMALL AIRPLANE + {0x1F6E9, 0x1F6E9, prExtendedPictographic}, // E0.7 [1] (🛩ï¸) small airplane + {0x1F6EA, 0x1F6EA, prExtendedPictographic}, // E0.0 [1] (🛪) NORTHEAST-POINTING AIRPLANE + {0x1F6EB, 0x1F6EC, prExtendedPictographic}, // E1.0 [2] (🛫..🛬) airplane departure..airplane arrival + {0x1F6ED, 0x1F6EF, prExtendedPictographic}, // E0.0 [3] (🛭..🛯) .. + {0x1F6F0, 0x1F6F0, prExtendedPictographic}, // E0.7 [1] (🛰ï¸) satellite + {0x1F6F1, 0x1F6F2, prExtendedPictographic}, // E0.0 [2] (🛱..🛲) ONCOMING FIRE ENGINE..DIESEL LOCOMOTIVE + {0x1F6F3, 0x1F6F3, prExtendedPictographic}, // E0.7 [1] (🛳ï¸) passenger ship + {0x1F6F4, 0x1F6F6, prExtendedPictographic}, // E3.0 [3] (🛴..🛶) kick scooter..canoe + {0x1F6F7, 0x1F6F8, prExtendedPictographic}, // E5.0 [2] (🛷..🛸) sled..flying saucer + {0x1F6F9, 0x1F6F9, prExtendedPictographic}, // E11.0 [1] (🛹) skateboard + {0x1F6FA, 0x1F6FA, prExtendedPictographic}, // E12.0 [1] (🛺) auto rickshaw + {0x1F6FB, 0x1F6FC, prExtendedPictographic}, // E13.0 [2] (🛻..🛼) pickup truck..roller skate + {0x1F6FD, 0x1F6FF, prExtendedPictographic}, // E0.0 [3] (🛽..🛿) .. + {0x1F774, 0x1F77F, prExtendedPictographic}, // E0.0 [12] (ðŸ´..ðŸ¿) LOT OF FORTUNE..ORCUS + {0x1F7D5, 0x1F7DF, prExtendedPictographic}, // E0.0 [11] (🟕..🟟) CIRCLED TRIANGLE.. + {0x1F7E0, 0x1F7EB, prExtendedPictographic}, // E12.0 [12] (🟠..🟫) orange circle..brown square + {0x1F7EC, 0x1F7EF, prExtendedPictographic}, // E0.0 [4] (🟬..🟯) .. + {0x1F7F0, 0x1F7F0, prExtendedPictographic}, // E14.0 [1] (🟰) heavy equals sign + {0x1F7F1, 0x1F7FF, prExtendedPictographic}, // E0.0 [15] (🟱..🟿) .. + {0x1F80C, 0x1F80F, prExtendedPictographic}, // E0.0 [4] (🠌..ðŸ ) .. + {0x1F848, 0x1F84F, prExtendedPictographic}, // E0.0 [8] (🡈..ðŸ¡) .. + {0x1F85A, 0x1F85F, prExtendedPictographic}, // E0.0 [6] (🡚..🡟) .. + {0x1F888, 0x1F88F, prExtendedPictographic}, // E0.0 [8] (🢈..ðŸ¢) .. + {0x1F8AE, 0x1F8FF, prExtendedPictographic}, // E0.0 [82] (🢮..🣿) .. + {0x1F90C, 0x1F90C, prExtendedPictographic}, // E13.0 [1] (🤌) pinched fingers + {0x1F90D, 0x1F90F, prExtendedPictographic}, // E12.0 [3] (ðŸ¤..ðŸ¤) white heart..pinching hand + {0x1F910, 0x1F918, prExtendedPictographic}, // E1.0 [9] (ðŸ¤..🤘) zipper-mouth face..sign of the horns + {0x1F919, 0x1F91E, prExtendedPictographic}, // E3.0 [6] (🤙..🤞) call me hand..crossed fingers + {0x1F91F, 0x1F91F, prExtendedPictographic}, // E5.0 [1] (🤟) love-you gesture + {0x1F920, 0x1F927, prExtendedPictographic}, // E3.0 [8] (🤠..🤧) cowboy hat face..sneezing face + {0x1F928, 0x1F92F, prExtendedPictographic}, // E5.0 [8] (🤨..🤯) face with raised eyebrow..exploding head + {0x1F930, 0x1F930, prExtendedPictographic}, // E3.0 [1] (🤰) pregnant woman + {0x1F931, 0x1F932, prExtendedPictographic}, // E5.0 [2] (🤱..🤲) breast-feeding..palms up together + {0x1F933, 0x1F93A, prExtendedPictographic}, // E3.0 [8] (🤳..🤺) selfie..person fencing + {0x1F93C, 0x1F93E, prExtendedPictographic}, // E3.0 [3] (🤼..🤾) people wrestling..person playing handball + {0x1F93F, 0x1F93F, prExtendedPictographic}, // E12.0 [1] (🤿) diving mask + {0x1F940, 0x1F945, prExtendedPictographic}, // E3.0 [6] (🥀..🥅) wilted flower..goal net + {0x1F947, 0x1F94B, prExtendedPictographic}, // E3.0 [5] (🥇..🥋) 1st place medal..martial arts uniform + {0x1F94C, 0x1F94C, prExtendedPictographic}, // E5.0 [1] (🥌) curling stone + {0x1F94D, 0x1F94F, prExtendedPictographic}, // E11.0 [3] (ðŸ¥..ðŸ¥) lacrosse..flying disc + {0x1F950, 0x1F95E, prExtendedPictographic}, // E3.0 [15] (ðŸ¥..🥞) croissant..pancakes + {0x1F95F, 0x1F96B, prExtendedPictographic}, // E5.0 [13] (🥟..🥫) dumpling..canned food + {0x1F96C, 0x1F970, prExtendedPictographic}, // E11.0 [5] (🥬..🥰) leafy green..smiling face with hearts + {0x1F971, 0x1F971, prExtendedPictographic}, // E12.0 [1] (🥱) yawning face + {0x1F972, 0x1F972, prExtendedPictographic}, // E13.0 [1] (🥲) smiling face with tear + {0x1F973, 0x1F976, prExtendedPictographic}, // E11.0 [4] (🥳..🥶) partying face..cold face + {0x1F977, 0x1F978, prExtendedPictographic}, // E13.0 [2] (🥷..🥸) ninja..disguised face + {0x1F979, 0x1F979, prExtendedPictographic}, // E14.0 [1] (🥹) face holding back tears + {0x1F97A, 0x1F97A, prExtendedPictographic}, // E11.0 [1] (🥺) pleading face + {0x1F97B, 0x1F97B, prExtendedPictographic}, // E12.0 [1] (🥻) sari + {0x1F97C, 0x1F97F, prExtendedPictographic}, // E11.0 [4] (🥼..🥿) lab coat..flat shoe + {0x1F980, 0x1F984, prExtendedPictographic}, // E1.0 [5] (🦀..🦄) crab..unicorn + {0x1F985, 0x1F991, prExtendedPictographic}, // E3.0 [13] (🦅..🦑) eagle..squid + {0x1F992, 0x1F997, prExtendedPictographic}, // E5.0 [6] (🦒..🦗) giraffe..cricket + {0x1F998, 0x1F9A2, prExtendedPictographic}, // E11.0 [11] (🦘..🦢) kangaroo..swan + {0x1F9A3, 0x1F9A4, prExtendedPictographic}, // E13.0 [2] (🦣..🦤) mammoth..dodo + {0x1F9A5, 0x1F9AA, prExtendedPictographic}, // E12.0 [6] (🦥..🦪) sloth..oyster + {0x1F9AB, 0x1F9AD, prExtendedPictographic}, // E13.0 [3] (🦫..🦭) beaver..seal + {0x1F9AE, 0x1F9AF, prExtendedPictographic}, // E12.0 [2] (🦮..🦯) guide dog..white cane + {0x1F9B0, 0x1F9B9, prExtendedPictographic}, // E11.0 [10] (🦰..🦹) red hair..supervillain + {0x1F9BA, 0x1F9BF, prExtendedPictographic}, // E12.0 [6] (🦺..🦿) safety vest..mechanical leg + {0x1F9C0, 0x1F9C0, prExtendedPictographic}, // E1.0 [1] (🧀) cheese wedge + {0x1F9C1, 0x1F9C2, prExtendedPictographic}, // E11.0 [2] (ðŸ§..🧂) cupcake..salt + {0x1F9C3, 0x1F9CA, prExtendedPictographic}, // E12.0 [8] (🧃..🧊) beverage box..ice + {0x1F9CB, 0x1F9CB, prExtendedPictographic}, // E13.0 [1] (🧋) bubble tea + {0x1F9CC, 0x1F9CC, prExtendedPictographic}, // E14.0 [1] (🧌) troll + {0x1F9CD, 0x1F9CF, prExtendedPictographic}, // E12.0 [3] (ðŸ§..ðŸ§) person standing..deaf person + {0x1F9D0, 0x1F9E6, prExtendedPictographic}, // E5.0 [23] (ðŸ§..🧦) face with monocle..socks + {0x1F9E7, 0x1F9FF, prExtendedPictographic}, // E11.0 [25] (🧧..🧿) red envelope..nazar amulet + {0x1FA00, 0x1FA6F, prExtendedPictographic}, // E0.0 [112] (🨀..🩯) NEUTRAL CHESS KING.. + {0x1FA70, 0x1FA73, prExtendedPictographic}, // E12.0 [4] (🩰..🩳) ballet shoes..shorts + {0x1FA74, 0x1FA74, prExtendedPictographic}, // E13.0 [1] (🩴) thong sandal + {0x1FA75, 0x1FA77, prExtendedPictographic}, // E15.0 [3] (🩵..🩷) light blue heart..pink heart + {0x1FA78, 0x1FA7A, prExtendedPictographic}, // E12.0 [3] (🩸..🩺) drop of blood..stethoscope + {0x1FA7B, 0x1FA7C, prExtendedPictographic}, // E14.0 [2] (🩻..🩼) x-ray..crutch + {0x1FA7D, 0x1FA7F, prExtendedPictographic}, // E0.0 [3] (🩽..🩿) .. + {0x1FA80, 0x1FA82, prExtendedPictographic}, // E12.0 [3] (🪀..🪂) yo-yo..parachute + {0x1FA83, 0x1FA86, prExtendedPictographic}, // E13.0 [4] (🪃..🪆) boomerang..nesting dolls + {0x1FA87, 0x1FA88, prExtendedPictographic}, // E15.0 [2] (🪇..🪈) maracas..flute + {0x1FA89, 0x1FA8F, prExtendedPictographic}, // E0.0 [7] (🪉..ðŸª) .. + {0x1FA90, 0x1FA95, prExtendedPictographic}, // E12.0 [6] (ðŸª..🪕) ringed planet..banjo + {0x1FA96, 0x1FAA8, prExtendedPictographic}, // E13.0 [19] (🪖..🪨) military helmet..rock + {0x1FAA9, 0x1FAAC, prExtendedPictographic}, // E14.0 [4] (🪩..🪬) mirror ball..hamsa + {0x1FAAD, 0x1FAAF, prExtendedPictographic}, // E15.0 [3] (🪭..🪯) folding hand fan..khanda + {0x1FAB0, 0x1FAB6, prExtendedPictographic}, // E13.0 [7] (🪰..🪶) fly..feather + {0x1FAB7, 0x1FABA, prExtendedPictographic}, // E14.0 [4] (🪷..🪺) lotus..nest with eggs + {0x1FABB, 0x1FABD, prExtendedPictographic}, // E15.0 [3] (🪻..🪽) hyacinth..wing + {0x1FABE, 0x1FABE, prExtendedPictographic}, // E0.0 [1] (🪾) + {0x1FABF, 0x1FABF, prExtendedPictographic}, // E15.0 [1] (🪿) goose + {0x1FAC0, 0x1FAC2, prExtendedPictographic}, // E13.0 [3] (🫀..🫂) anatomical heart..people hugging + {0x1FAC3, 0x1FAC5, prExtendedPictographic}, // E14.0 [3] (🫃..🫅) pregnant man..person with crown + {0x1FAC6, 0x1FACD, prExtendedPictographic}, // E0.0 [8] (🫆..ðŸ«) .. + {0x1FACE, 0x1FACF, prExtendedPictographic}, // E15.0 [2] (🫎..ðŸ«) moose..donkey + {0x1FAD0, 0x1FAD6, prExtendedPictographic}, // E13.0 [7] (ðŸ«..🫖) blueberries..teapot + {0x1FAD7, 0x1FAD9, prExtendedPictographic}, // E14.0 [3] (🫗..🫙) pouring liquid..jar + {0x1FADA, 0x1FADB, prExtendedPictographic}, // E15.0 [2] (🫚..🫛) ginger root..pea pod + {0x1FADC, 0x1FADF, prExtendedPictographic}, // E0.0 [4] (🫜..🫟) .. + {0x1FAE0, 0x1FAE7, prExtendedPictographic}, // E14.0 [8] (🫠..🫧) melting face..bubbles + {0x1FAE8, 0x1FAE8, prExtendedPictographic}, // E15.0 [1] (🫨) shaking face + {0x1FAE9, 0x1FAEF, prExtendedPictographic}, // E0.0 [7] (🫩..🫯) .. + {0x1FAF0, 0x1FAF6, prExtendedPictographic}, // E14.0 [7] (🫰..🫶) hand with index finger and thumb crossed..heart hands + {0x1FAF7, 0x1FAF8, prExtendedPictographic}, // E15.0 [2] (🫷..🫸) leftwards pushing hand..rightwards pushing hand + {0x1FAF9, 0x1FAFF, prExtendedPictographic}, // E0.0 [7] (🫹..🫿) .. + {0x1FC00, 0x1FFFD, prExtendedPictographic}, // E0.0[1022] (🰀..🿽) .. + {0xE0000, 0xE0000, prControl}, // Cn + {0xE0001, 0xE0001, prControl}, // Cf LANGUAGE TAG + {0xE0002, 0xE001F, prControl}, // Cn [30] .. + {0xE0020, 0xE007F, prExtend}, // Cf [96] TAG SPACE..CANCEL TAG + {0xE0080, 0xE00FF, prControl}, // Cn [128] .. + {0xE0100, 0xE01EF, prExtend}, // Mn [240] VARIATION SELECTOR-17..VARIATION SELECTOR-256 + {0xE01F0, 0xE0FFF, prControl}, // Cn [3600] .. +} diff --git a/vendor/github.com/rivo/uniseg/graphemerules.go b/vendor/github.com/rivo/uniseg/graphemerules.go new file mode 100644 index 0000000000..5d399d29c8 --- /dev/null +++ b/vendor/github.com/rivo/uniseg/graphemerules.go @@ -0,0 +1,176 @@ +package uniseg + +// The states of the grapheme cluster parser. +const ( + grAny = iota + grCR + grControlLF + grL + grLVV + grLVTT + grPrepend + grExtendedPictographic + grExtendedPictographicZWJ + grRIOdd + grRIEven +) + +// The grapheme cluster parser's breaking instructions. +const ( + grNoBoundary = iota + grBoundary +) + +// grTransitions implements the grapheme cluster parser's state transitions. +// Maps state and property to a new state, a breaking instruction, and rule +// number. The breaking instruction always refers to the boundary between the +// last and next code point. Returns negative values if no transition is found. +// +// This function is used as follows: +// +// 1. Find specific state + specific property. Stop if found. +// 2. Find specific state + any property. +// 3. Find any state + specific property. +// 4. If only (2) or (3) (but not both) was found, stop. +// 5. If both (2) and (3) were found, use state from (3) and breaking instruction +// from the transition with the lower rule number, prefer (3) if rule numbers +// are equal. Stop. +// 6. Assume grAny and grBoundary. +// +// Unicode version 15.0.0. +func grTransitions(state, prop int) (newState int, newProp int, boundary int) { + // It turns out that using a big switch statement is much faster than using + // a map. + + switch uint64(state) | uint64(prop)<<32 { + // GB5 + case grAny | prCR<<32: + return grCR, grBoundary, 50 + case grAny | prLF<<32: + return grControlLF, grBoundary, 50 + case grAny | prControl<<32: + return grControlLF, grBoundary, 50 + + // GB4 + case grCR | prAny<<32: + return grAny, grBoundary, 40 + case grControlLF | prAny<<32: + return grAny, grBoundary, 40 + + // GB3 + case grCR | prLF<<32: + return grControlLF, grNoBoundary, 30 + + // GB6 + case grAny | prL<<32: + return grL, grBoundary, 9990 + case grL | prL<<32: + return grL, grNoBoundary, 60 + case grL | prV<<32: + return grLVV, grNoBoundary, 60 + case grL | prLV<<32: + return grLVV, grNoBoundary, 60 + case grL | prLVT<<32: + return grLVTT, grNoBoundary, 60 + + // GB7 + case grAny | prLV<<32: + return grLVV, grBoundary, 9990 + case grAny | prV<<32: + return grLVV, grBoundary, 9990 + case grLVV | prV<<32: + return grLVV, grNoBoundary, 70 + case grLVV | prT<<32: + return grLVTT, grNoBoundary, 70 + + // GB8 + case grAny | prLVT<<32: + return grLVTT, grBoundary, 9990 + case grAny | prT<<32: + return grLVTT, grBoundary, 9990 + case grLVTT | prT<<32: + return grLVTT, grNoBoundary, 80 + + // GB9 + case grAny | prExtend<<32: + return grAny, grNoBoundary, 90 + case grAny | prZWJ<<32: + return grAny, grNoBoundary, 90 + + // GB9a + case grAny | prSpacingMark<<32: + return grAny, grNoBoundary, 91 + + // GB9b + case grAny | prPrepend<<32: + return grPrepend, grBoundary, 9990 + case grPrepend | prAny<<32: + return grAny, grNoBoundary, 92 + + // GB11 + case grAny | prExtendedPictographic<<32: + return grExtendedPictographic, grBoundary, 9990 + case grExtendedPictographic | prExtend<<32: + return grExtendedPictographic, grNoBoundary, 110 + case grExtendedPictographic | prZWJ<<32: + return grExtendedPictographicZWJ, grNoBoundary, 110 + case grExtendedPictographicZWJ | prExtendedPictographic<<32: + return grExtendedPictographic, grNoBoundary, 110 + + // GB12 / GB13 + case grAny | prRegionalIndicator<<32: + return grRIOdd, grBoundary, 9990 + case grRIOdd | prRegionalIndicator<<32: + return grRIEven, grNoBoundary, 120 + case grRIEven | prRegionalIndicator<<32: + return grRIOdd, grBoundary, 120 + default: + return -1, -1, -1 + } +} + +// transitionGraphemeState determines the new state of the grapheme cluster +// parser given the current state and the next code point. It also returns the +// code point's grapheme property (the value mapped by the [graphemeCodePoints] +// table) and whether a cluster boundary was detected. +func transitionGraphemeState(state int, r rune) (newState, prop int, boundary bool) { + // Determine the property of the next character. + prop = propertyGraphemes(r) + + // Find the applicable transition. + nextState, nextProp, _ := grTransitions(state, prop) + if nextState >= 0 { + // We have a specific transition. We'll use it. + return nextState, prop, nextProp == grBoundary + } + + // No specific transition found. Try the less specific ones. + anyPropState, anyPropProp, anyPropRule := grTransitions(state, prAny) + anyStateState, anyStateProp, anyStateRule := grTransitions(grAny, prop) + if anyPropState >= 0 && anyStateState >= 0 { + // Both apply. We'll use a mix (see comments for grTransitions). + newState = anyStateState + boundary = anyStateProp == grBoundary + if anyPropRule < anyStateRule { + boundary = anyPropProp == grBoundary + } + return + } + + if anyPropState >= 0 { + // We only have a specific state. + return anyPropState, prop, anyPropProp == grBoundary + // This branch will probably never be reached because okAnyState will + // always be true given the current transition map. But we keep it here + // for future modifications to the transition map where this may not be + // true anymore. + } + + if anyStateState >= 0 { + // We only have a specific property. + return anyStateState, prop, anyStateProp == grBoundary + } + + // No known transition. GB999: Any ÷ Any. + return grAny, prop, true +} diff --git a/vendor/github.com/rivo/uniseg/line.go b/vendor/github.com/rivo/uniseg/line.go new file mode 100644 index 0000000000..7a46318d93 --- /dev/null +++ b/vendor/github.com/rivo/uniseg/line.go @@ -0,0 +1,134 @@ +package uniseg + +import "unicode/utf8" + +// FirstLineSegment returns the prefix of the given byte slice after which a +// decision to break the string over to the next line can or must be made, +// according to the rules of [Unicode Standard Annex #14]. This is used to +// implement line breaking. +// +// Line breaking, also known as word wrapping, is the process of breaking a +// section of text into lines such that it will fit in the available width of a +// page, window or other display area. +// +// The returned "segment" may not be broken into smaller parts, unless no other +// breaking opportunities present themselves, in which case you may break by +// grapheme clusters (using the [FirstGraphemeCluster] function to determine the +// grapheme clusters). +// +// The "mustBreak" flag indicates whether you MUST break the line after the +// given segment (true), for example after newline characters, or you MAY break +// the line after the given segment (false). +// +// This function can be called continuously to extract all non-breaking sub-sets +// from a byte slice, as illustrated in the example below. +// +// If you don't know the current state, for example when calling the function +// for the first time, you must pass -1. For consecutive calls, pass the state +// and rest slice returned by the previous call. +// +// The "rest" slice is the sub-slice of the original byte slice "b" starting +// after the last byte of the identified line segment. If the length of the +// "rest" slice is 0, the entire byte slice "b" has been processed. The +// "segment" byte slice is the sub-slice of the input slice containing the +// identified line segment. +// +// Given an empty byte slice "b", the function returns nil values. +// +// Note that in accordance with [UAX #14 LB3], the final segment will end with +// "mustBreak" set to true. You can choose to ignore this by checking if the +// length of the "rest" slice is 0 and calling [HasTrailingLineBreak] or +// [HasTrailingLineBreakInString] on the last rune. +// +// Note also that this algorithm may break within grapheme clusters. This is +// addressed in Section 8.2 Example 6 of UAX #14. To avoid this, you can use +// the [Step] function instead. +// +// [Unicode Standard Annex #14]: https://www.unicode.org/reports/tr14/ +// [UAX #14 LB3]: https://www.unicode.org/reports/tr14/#Algorithm +func FirstLineSegment(b []byte, state int) (segment, rest []byte, mustBreak bool, newState int) { + // An empty byte slice returns nothing. + if len(b) == 0 { + return + } + + // Extract the first rune. + r, length := utf8.DecodeRune(b) + if len(b) <= length { // If we're already past the end, there is nothing else to parse. + return b, nil, true, lbAny // LB3. + } + + // If we don't know the state, determine it now. + if state < 0 { + state, _ = transitionLineBreakState(state, r, b[length:], "") + } + + // Transition until we find a boundary. + var boundary int + for { + r, l := utf8.DecodeRune(b[length:]) + state, boundary = transitionLineBreakState(state, r, b[length+l:], "") + + if boundary != LineDontBreak { + return b[:length], b[length:], boundary == LineMustBreak, state + } + + length += l + if len(b) <= length { + return b, nil, true, lbAny // LB3 + } + } +} + +// FirstLineSegmentInString is like [FirstLineSegment] but its input and outputs +// are strings. +func FirstLineSegmentInString(str string, state int) (segment, rest string, mustBreak bool, newState int) { + // An empty byte slice returns nothing. + if len(str) == 0 { + return + } + + // Extract the first rune. + r, length := utf8.DecodeRuneInString(str) + if len(str) <= length { // If we're already past the end, there is nothing else to parse. + return str, "", true, lbAny // LB3. + } + + // If we don't know the state, determine it now. + if state < 0 { + state, _ = transitionLineBreakState(state, r, nil, str[length:]) + } + + // Transition until we find a boundary. + var boundary int + for { + r, l := utf8.DecodeRuneInString(str[length:]) + state, boundary = transitionLineBreakState(state, r, nil, str[length+l:]) + + if boundary != LineDontBreak { + return str[:length], str[length:], boundary == LineMustBreak, state + } + + length += l + if len(str) <= length { + return str, "", true, lbAny // LB3. + } + } +} + +// HasTrailingLineBreak returns true if the last rune in the given byte slice is +// one of the hard line break code points defined in LB4 and LB5 of [UAX #14]. +// +// [UAX #14]: https://www.unicode.org/reports/tr14/#Algorithm +func HasTrailingLineBreak(b []byte) bool { + r, _ := utf8.DecodeLastRune(b) + property, _ := propertyLineBreak(r) + return property == prBK || property == prCR || property == prLF || property == prNL +} + +// HasTrailingLineBreakInString is like [HasTrailingLineBreak] but for a string. +func HasTrailingLineBreakInString(str string) bool { + r, _ := utf8.DecodeLastRuneInString(str) + property, _ := propertyLineBreak(r) + return property == prBK || property == prCR || property == prLF || property == prNL +} diff --git a/vendor/github.com/rivo/uniseg/lineproperties.go b/vendor/github.com/rivo/uniseg/lineproperties.go new file mode 100644 index 0000000000..ac7fac4c05 --- /dev/null +++ b/vendor/github.com/rivo/uniseg/lineproperties.go @@ -0,0 +1,3554 @@ +// Code generated via go generate from gen_properties.go. DO NOT EDIT. + +package uniseg + +// lineBreakCodePoints are taken from +// https://www.unicode.org/Public/15.0.0/ucd/LineBreak.txt +// and +// https://unicode.org/Public/15.0.0/ucd/emoji/emoji-data.txt +// ("Extended_Pictographic" only) +// on September 5, 2023. See https://www.unicode.org/license.html for the Unicode +// license agreement. +var lineBreakCodePoints = [][4]int{ + {0x0000, 0x0008, prCM, gcCc}, // [9] .. + {0x0009, 0x0009, prBA, gcCc}, // + {0x000A, 0x000A, prLF, gcCc}, // + {0x000B, 0x000C, prBK, gcCc}, // [2] .. + {0x000D, 0x000D, prCR, gcCc}, // + {0x000E, 0x001F, prCM, gcCc}, // [18] .. + {0x0020, 0x0020, prSP, gcZs}, // SPACE + {0x0021, 0x0021, prEX, gcPo}, // EXCLAMATION MARK + {0x0022, 0x0022, prQU, gcPo}, // QUOTATION MARK + {0x0023, 0x0023, prAL, gcPo}, // NUMBER SIGN + {0x0024, 0x0024, prPR, gcSc}, // DOLLAR SIGN + {0x0025, 0x0025, prPO, gcPo}, // PERCENT SIGN + {0x0026, 0x0026, prAL, gcPo}, // AMPERSAND + {0x0027, 0x0027, prQU, gcPo}, // APOSTROPHE + {0x0028, 0x0028, prOP, gcPs}, // LEFT PARENTHESIS + {0x0029, 0x0029, prCP, gcPe}, // RIGHT PARENTHESIS + {0x002A, 0x002A, prAL, gcPo}, // ASTERISK + {0x002B, 0x002B, prPR, gcSm}, // PLUS SIGN + {0x002C, 0x002C, prIS, gcPo}, // COMMA + {0x002D, 0x002D, prHY, gcPd}, // HYPHEN-MINUS + {0x002E, 0x002E, prIS, gcPo}, // FULL STOP + {0x002F, 0x002F, prSY, gcPo}, // SOLIDUS + {0x0030, 0x0039, prNU, gcNd}, // [10] DIGIT ZERO..DIGIT NINE + {0x003A, 0x003B, prIS, gcPo}, // [2] COLON..SEMICOLON + {0x003C, 0x003E, prAL, gcSm}, // [3] LESS-THAN SIGN..GREATER-THAN SIGN + {0x003F, 0x003F, prEX, gcPo}, // QUESTION MARK + {0x0040, 0x0040, prAL, gcPo}, // COMMERCIAL AT + {0x0041, 0x005A, prAL, gcLu}, // [26] LATIN CAPITAL LETTER A..LATIN CAPITAL LETTER Z + {0x005B, 0x005B, prOP, gcPs}, // LEFT SQUARE BRACKET + {0x005C, 0x005C, prPR, gcPo}, // REVERSE SOLIDUS + {0x005D, 0x005D, prCP, gcPe}, // RIGHT SQUARE BRACKET + {0x005E, 0x005E, prAL, gcSk}, // CIRCUMFLEX ACCENT + {0x005F, 0x005F, prAL, gcPc}, // LOW LINE + {0x0060, 0x0060, prAL, gcSk}, // GRAVE ACCENT + {0x0061, 0x007A, prAL, gcLl}, // [26] LATIN SMALL LETTER A..LATIN SMALL LETTER Z + {0x007B, 0x007B, prOP, gcPs}, // LEFT CURLY BRACKET + {0x007C, 0x007C, prBA, gcSm}, // VERTICAL LINE + {0x007D, 0x007D, prCL, gcPe}, // RIGHT CURLY BRACKET + {0x007E, 0x007E, prAL, gcSm}, // TILDE + {0x007F, 0x007F, prCM, gcCc}, // + {0x0080, 0x0084, prCM, gcCc}, // [5] .. + {0x0085, 0x0085, prNL, gcCc}, // + {0x0086, 0x009F, prCM, gcCc}, // [26] .. + {0x00A0, 0x00A0, prGL, gcZs}, // NO-BREAK SPACE + {0x00A1, 0x00A1, prOP, gcPo}, // INVERTED EXCLAMATION MARK + {0x00A2, 0x00A2, prPO, gcSc}, // CENT SIGN + {0x00A3, 0x00A5, prPR, gcSc}, // [3] POUND SIGN..YEN SIGN + {0x00A6, 0x00A6, prAL, gcSo}, // BROKEN BAR + {0x00A7, 0x00A7, prAI, gcPo}, // SECTION SIGN + {0x00A8, 0x00A8, prAI, gcSk}, // DIAERESIS + {0x00A9, 0x00A9, prAL, gcSo}, // COPYRIGHT SIGN + {0x00AA, 0x00AA, prAI, gcLo}, // FEMININE ORDINAL INDICATOR + {0x00AB, 0x00AB, prQU, gcPi}, // LEFT-POINTING DOUBLE ANGLE QUOTATION MARK + {0x00AC, 0x00AC, prAL, gcSm}, // NOT SIGN + {0x00AD, 0x00AD, prBA, gcCf}, // SOFT HYPHEN + {0x00AE, 0x00AE, prAL, gcSo}, // REGISTERED SIGN + {0x00AF, 0x00AF, prAL, gcSk}, // MACRON + {0x00B0, 0x00B0, prPO, gcSo}, // DEGREE SIGN + {0x00B1, 0x00B1, prPR, gcSm}, // PLUS-MINUS SIGN + {0x00B2, 0x00B3, prAI, gcNo}, // [2] SUPERSCRIPT TWO..SUPERSCRIPT THREE + {0x00B4, 0x00B4, prBB, gcSk}, // ACUTE ACCENT + {0x00B5, 0x00B5, prAL, gcLl}, // MICRO SIGN + {0x00B6, 0x00B7, prAI, gcPo}, // [2] PILCROW SIGN..MIDDLE DOT + {0x00B8, 0x00B8, prAI, gcSk}, // CEDILLA + {0x00B9, 0x00B9, prAI, gcNo}, // SUPERSCRIPT ONE + {0x00BA, 0x00BA, prAI, gcLo}, // MASCULINE ORDINAL INDICATOR + {0x00BB, 0x00BB, prQU, gcPf}, // RIGHT-POINTING DOUBLE ANGLE QUOTATION MARK + {0x00BC, 0x00BE, prAI, gcNo}, // [3] VULGAR FRACTION ONE QUARTER..VULGAR FRACTION THREE QUARTERS + {0x00BF, 0x00BF, prOP, gcPo}, // INVERTED QUESTION MARK + {0x00C0, 0x00D6, prAL, gcLu}, // [23] LATIN CAPITAL LETTER A WITH GRAVE..LATIN CAPITAL LETTER O WITH DIAERESIS + {0x00D7, 0x00D7, prAI, gcSm}, // MULTIPLICATION SIGN + {0x00D8, 0x00F6, prAL, gcLC}, // [31] LATIN CAPITAL LETTER O WITH STROKE..LATIN SMALL LETTER O WITH DIAERESIS + {0x00F7, 0x00F7, prAI, gcSm}, // DIVISION SIGN + {0x00F8, 0x00FF, prAL, gcLl}, // [8] LATIN SMALL LETTER O WITH STROKE..LATIN SMALL LETTER Y WITH DIAERESIS + {0x0100, 0x017F, prAL, gcLC}, // [128] LATIN CAPITAL LETTER A WITH MACRON..LATIN SMALL LETTER LONG S + {0x0180, 0x01BA, prAL, gcLC}, // [59] LATIN SMALL LETTER B WITH STROKE..LATIN SMALL LETTER EZH WITH TAIL + {0x01BB, 0x01BB, prAL, gcLo}, // LATIN LETTER TWO WITH STROKE + {0x01BC, 0x01BF, prAL, gcLC}, // [4] LATIN CAPITAL LETTER TONE FIVE..LATIN LETTER WYNN + {0x01C0, 0x01C3, prAL, gcLo}, // [4] LATIN LETTER DENTAL CLICK..LATIN LETTER RETROFLEX CLICK + {0x01C4, 0x024F, prAL, gcLC}, // [140] LATIN CAPITAL LETTER DZ WITH CARON..LATIN SMALL LETTER Y WITH STROKE + {0x0250, 0x0293, prAL, gcLl}, // [68] LATIN SMALL LETTER TURNED A..LATIN SMALL LETTER EZH WITH CURL + {0x0294, 0x0294, prAL, gcLo}, // LATIN LETTER GLOTTAL STOP + {0x0295, 0x02AF, prAL, gcLl}, // [27] LATIN LETTER PHARYNGEAL VOICED FRICATIVE..LATIN SMALL LETTER TURNED H WITH FISHHOOK AND TAIL + {0x02B0, 0x02C1, prAL, gcLm}, // [18] MODIFIER LETTER SMALL H..MODIFIER LETTER REVERSED GLOTTAL STOP + {0x02C2, 0x02C5, prAL, gcSk}, // [4] MODIFIER LETTER LEFT ARROWHEAD..MODIFIER LETTER DOWN ARROWHEAD + {0x02C6, 0x02C6, prAL, gcLm}, // MODIFIER LETTER CIRCUMFLEX ACCENT + {0x02C7, 0x02C7, prAI, gcLm}, // CARON + {0x02C8, 0x02C8, prBB, gcLm}, // MODIFIER LETTER VERTICAL LINE + {0x02C9, 0x02CB, prAI, gcLm}, // [3] MODIFIER LETTER MACRON..MODIFIER LETTER GRAVE ACCENT + {0x02CC, 0x02CC, prBB, gcLm}, // MODIFIER LETTER LOW VERTICAL LINE + {0x02CD, 0x02CD, prAI, gcLm}, // MODIFIER LETTER LOW MACRON + {0x02CE, 0x02CF, prAL, gcLm}, // [2] MODIFIER LETTER LOW GRAVE ACCENT..MODIFIER LETTER LOW ACUTE ACCENT + {0x02D0, 0x02D0, prAI, gcLm}, // MODIFIER LETTER TRIANGULAR COLON + {0x02D1, 0x02D1, prAL, gcLm}, // MODIFIER LETTER HALF TRIANGULAR COLON + {0x02D2, 0x02D7, prAL, gcSk}, // [6] MODIFIER LETTER CENTRED RIGHT HALF RING..MODIFIER LETTER MINUS SIGN + {0x02D8, 0x02DB, prAI, gcSk}, // [4] BREVE..OGONEK + {0x02DC, 0x02DC, prAL, gcSk}, // SMALL TILDE + {0x02DD, 0x02DD, prAI, gcSk}, // DOUBLE ACUTE ACCENT + {0x02DE, 0x02DE, prAL, gcSk}, // MODIFIER LETTER RHOTIC HOOK + {0x02DF, 0x02DF, prBB, gcSk}, // MODIFIER LETTER CROSS ACCENT + {0x02E0, 0x02E4, prAL, gcLm}, // [5] MODIFIER LETTER SMALL GAMMA..MODIFIER LETTER SMALL REVERSED GLOTTAL STOP + {0x02E5, 0x02EB, prAL, gcSk}, // [7] MODIFIER LETTER EXTRA-HIGH TONE BAR..MODIFIER LETTER YANG DEPARTING TONE MARK + {0x02EC, 0x02EC, prAL, gcLm}, // MODIFIER LETTER VOICING + {0x02ED, 0x02ED, prAL, gcSk}, // MODIFIER LETTER UNASPIRATED + {0x02EE, 0x02EE, prAL, gcLm}, // MODIFIER LETTER DOUBLE APOSTROPHE + {0x02EF, 0x02FF, prAL, gcSk}, // [17] MODIFIER LETTER LOW DOWN ARROWHEAD..MODIFIER LETTER LOW LEFT ARROW + {0x0300, 0x034E, prCM, gcMn}, // [79] COMBINING GRAVE ACCENT..COMBINING UPWARDS ARROW BELOW + {0x034F, 0x034F, prGL, gcMn}, // COMBINING GRAPHEME JOINER + {0x0350, 0x035B, prCM, gcMn}, // [12] COMBINING RIGHT ARROWHEAD ABOVE..COMBINING ZIGZAG ABOVE + {0x035C, 0x0362, prGL, gcMn}, // [7] COMBINING DOUBLE BREVE BELOW..COMBINING DOUBLE RIGHTWARDS ARROW BELOW + {0x0363, 0x036F, prCM, gcMn}, // [13] COMBINING LATIN SMALL LETTER A..COMBINING LATIN SMALL LETTER X + {0x0370, 0x0373, prAL, gcLC}, // [4] GREEK CAPITAL LETTER HETA..GREEK SMALL LETTER ARCHAIC SAMPI + {0x0374, 0x0374, prAL, gcLm}, // GREEK NUMERAL SIGN + {0x0375, 0x0375, prAL, gcSk}, // GREEK LOWER NUMERAL SIGN + {0x0376, 0x0377, prAL, gcLC}, // [2] GREEK CAPITAL LETTER PAMPHYLIAN DIGAMMA..GREEK SMALL LETTER PAMPHYLIAN DIGAMMA + {0x037A, 0x037A, prAL, gcLm}, // GREEK YPOGEGRAMMENI + {0x037B, 0x037D, prAL, gcLl}, // [3] GREEK SMALL REVERSED LUNATE SIGMA SYMBOL..GREEK SMALL REVERSED DOTTED LUNATE SIGMA SYMBOL + {0x037E, 0x037E, prIS, gcPo}, // GREEK QUESTION MARK + {0x037F, 0x037F, prAL, gcLu}, // GREEK CAPITAL LETTER YOT + {0x0384, 0x0385, prAL, gcSk}, // [2] GREEK TONOS..GREEK DIALYTIKA TONOS + {0x0386, 0x0386, prAL, gcLu}, // GREEK CAPITAL LETTER ALPHA WITH TONOS + {0x0387, 0x0387, prAL, gcPo}, // GREEK ANO TELEIA + {0x0388, 0x038A, prAL, gcLu}, // [3] GREEK CAPITAL LETTER EPSILON WITH TONOS..GREEK CAPITAL LETTER IOTA WITH TONOS + {0x038C, 0x038C, prAL, gcLu}, // GREEK CAPITAL LETTER OMICRON WITH TONOS + {0x038E, 0x03A1, prAL, gcLC}, // [20] GREEK CAPITAL LETTER UPSILON WITH TONOS..GREEK CAPITAL LETTER RHO + {0x03A3, 0x03F5, prAL, gcLC}, // [83] GREEK CAPITAL LETTER SIGMA..GREEK LUNATE EPSILON SYMBOL + {0x03F6, 0x03F6, prAL, gcSm}, // GREEK REVERSED LUNATE EPSILON SYMBOL + {0x03F7, 0x03FF, prAL, gcLC}, // [9] GREEK CAPITAL LETTER SHO..GREEK CAPITAL REVERSED DOTTED LUNATE SIGMA SYMBOL + {0x0400, 0x0481, prAL, gcLC}, // [130] CYRILLIC CAPITAL LETTER IE WITH GRAVE..CYRILLIC SMALL LETTER KOPPA + {0x0482, 0x0482, prAL, gcSo}, // CYRILLIC THOUSANDS SIGN + {0x0483, 0x0487, prCM, gcMn}, // [5] COMBINING CYRILLIC TITLO..COMBINING CYRILLIC POKRYTIE + {0x0488, 0x0489, prCM, gcMe}, // [2] COMBINING CYRILLIC HUNDRED THOUSANDS SIGN..COMBINING CYRILLIC MILLIONS SIGN + {0x048A, 0x04FF, prAL, gcLC}, // [118] CYRILLIC CAPITAL LETTER SHORT I WITH TAIL..CYRILLIC SMALL LETTER HA WITH STROKE + {0x0500, 0x052F, prAL, gcLC}, // [48] CYRILLIC CAPITAL LETTER KOMI DE..CYRILLIC SMALL LETTER EL WITH DESCENDER + {0x0531, 0x0556, prAL, gcLu}, // [38] ARMENIAN CAPITAL LETTER AYB..ARMENIAN CAPITAL LETTER FEH + {0x0559, 0x0559, prAL, gcLm}, // ARMENIAN MODIFIER LETTER LEFT HALF RING + {0x055A, 0x055F, prAL, gcPo}, // [6] ARMENIAN APOSTROPHE..ARMENIAN ABBREVIATION MARK + {0x0560, 0x0588, prAL, gcLl}, // [41] ARMENIAN SMALL LETTER TURNED AYB..ARMENIAN SMALL LETTER YI WITH STROKE + {0x0589, 0x0589, prIS, gcPo}, // ARMENIAN FULL STOP + {0x058A, 0x058A, prBA, gcPd}, // ARMENIAN HYPHEN + {0x058D, 0x058E, prAL, gcSo}, // [2] RIGHT-FACING ARMENIAN ETERNITY SIGN..LEFT-FACING ARMENIAN ETERNITY SIGN + {0x058F, 0x058F, prPR, gcSc}, // ARMENIAN DRAM SIGN + {0x0591, 0x05BD, prCM, gcMn}, // [45] HEBREW ACCENT ETNAHTA..HEBREW POINT METEG + {0x05BE, 0x05BE, prBA, gcPd}, // HEBREW PUNCTUATION MAQAF + {0x05BF, 0x05BF, prCM, gcMn}, // HEBREW POINT RAFE + {0x05C0, 0x05C0, prAL, gcPo}, // HEBREW PUNCTUATION PASEQ + {0x05C1, 0x05C2, prCM, gcMn}, // [2] HEBREW POINT SHIN DOT..HEBREW POINT SIN DOT + {0x05C3, 0x05C3, prAL, gcPo}, // HEBREW PUNCTUATION SOF PASUQ + {0x05C4, 0x05C5, prCM, gcMn}, // [2] HEBREW MARK UPPER DOT..HEBREW MARK LOWER DOT + {0x05C6, 0x05C6, prEX, gcPo}, // HEBREW PUNCTUATION NUN HAFUKHA + {0x05C7, 0x05C7, prCM, gcMn}, // HEBREW POINT QAMATS QATAN + {0x05D0, 0x05EA, prHL, gcLo}, // [27] HEBREW LETTER ALEF..HEBREW LETTER TAV + {0x05EF, 0x05F2, prHL, gcLo}, // [4] HEBREW YOD TRIANGLE..HEBREW LIGATURE YIDDISH DOUBLE YOD + {0x05F3, 0x05F4, prAL, gcPo}, // [2] HEBREW PUNCTUATION GERESH..HEBREW PUNCTUATION GERSHAYIM + {0x0600, 0x0605, prAL, gcCf}, // [6] ARABIC NUMBER SIGN..ARABIC NUMBER MARK ABOVE + {0x0606, 0x0608, prAL, gcSm}, // [3] ARABIC-INDIC CUBE ROOT..ARABIC RAY + {0x0609, 0x060A, prPO, gcPo}, // [2] ARABIC-INDIC PER MILLE SIGN..ARABIC-INDIC PER TEN THOUSAND SIGN + {0x060B, 0x060B, prPO, gcSc}, // AFGHANI SIGN + {0x060C, 0x060D, prIS, gcPo}, // [2] ARABIC COMMA..ARABIC DATE SEPARATOR + {0x060E, 0x060F, prAL, gcSo}, // [2] ARABIC POETIC VERSE SIGN..ARABIC SIGN MISRA + {0x0610, 0x061A, prCM, gcMn}, // [11] ARABIC SIGN SALLALLAHOU ALAYHE WASSALLAM..ARABIC SMALL KASRA + {0x061B, 0x061B, prEX, gcPo}, // ARABIC SEMICOLON + {0x061C, 0x061C, prCM, gcCf}, // ARABIC LETTER MARK + {0x061D, 0x061F, prEX, gcPo}, // [3] ARABIC END OF TEXT MARK..ARABIC QUESTION MARK + {0x0620, 0x063F, prAL, gcLo}, // [32] ARABIC LETTER KASHMIRI YEH..ARABIC LETTER FARSI YEH WITH THREE DOTS ABOVE + {0x0640, 0x0640, prAL, gcLm}, // ARABIC TATWEEL + {0x0641, 0x064A, prAL, gcLo}, // [10] ARABIC LETTER FEH..ARABIC LETTER YEH + {0x064B, 0x065F, prCM, gcMn}, // [21] ARABIC FATHATAN..ARABIC WAVY HAMZA BELOW + {0x0660, 0x0669, prNU, gcNd}, // [10] ARABIC-INDIC DIGIT ZERO..ARABIC-INDIC DIGIT NINE + {0x066A, 0x066A, prPO, gcPo}, // ARABIC PERCENT SIGN + {0x066B, 0x066C, prNU, gcPo}, // [2] ARABIC DECIMAL SEPARATOR..ARABIC THOUSANDS SEPARATOR + {0x066D, 0x066D, prAL, gcPo}, // ARABIC FIVE POINTED STAR + {0x066E, 0x066F, prAL, gcLo}, // [2] ARABIC LETTER DOTLESS BEH..ARABIC LETTER DOTLESS QAF + {0x0670, 0x0670, prCM, gcMn}, // ARABIC LETTER SUPERSCRIPT ALEF + {0x0671, 0x06D3, prAL, gcLo}, // [99] ARABIC LETTER ALEF WASLA..ARABIC LETTER YEH BARREE WITH HAMZA ABOVE + {0x06D4, 0x06D4, prEX, gcPo}, // ARABIC FULL STOP + {0x06D5, 0x06D5, prAL, gcLo}, // ARABIC LETTER AE + {0x06D6, 0x06DC, prCM, gcMn}, // [7] ARABIC SMALL HIGH LIGATURE SAD WITH LAM WITH ALEF MAKSURA..ARABIC SMALL HIGH SEEN + {0x06DD, 0x06DD, prAL, gcCf}, // ARABIC END OF AYAH + {0x06DE, 0x06DE, prAL, gcSo}, // ARABIC START OF RUB EL HIZB + {0x06DF, 0x06E4, prCM, gcMn}, // [6] ARABIC SMALL HIGH ROUNDED ZERO..ARABIC SMALL HIGH MADDA + {0x06E5, 0x06E6, prAL, gcLm}, // [2] ARABIC SMALL WAW..ARABIC SMALL YEH + {0x06E7, 0x06E8, prCM, gcMn}, // [2] ARABIC SMALL HIGH YEH..ARABIC SMALL HIGH NOON + {0x06E9, 0x06E9, prAL, gcSo}, // ARABIC PLACE OF SAJDAH + {0x06EA, 0x06ED, prCM, gcMn}, // [4] ARABIC EMPTY CENTRE LOW STOP..ARABIC SMALL LOW MEEM + {0x06EE, 0x06EF, prAL, gcLo}, // [2] ARABIC LETTER DAL WITH INVERTED V..ARABIC LETTER REH WITH INVERTED V + {0x06F0, 0x06F9, prNU, gcNd}, // [10] EXTENDED ARABIC-INDIC DIGIT ZERO..EXTENDED ARABIC-INDIC DIGIT NINE + {0x06FA, 0x06FC, prAL, gcLo}, // [3] ARABIC LETTER SHEEN WITH DOT BELOW..ARABIC LETTER GHAIN WITH DOT BELOW + {0x06FD, 0x06FE, prAL, gcSo}, // [2] ARABIC SIGN SINDHI AMPERSAND..ARABIC SIGN SINDHI POSTPOSITION MEN + {0x06FF, 0x06FF, prAL, gcLo}, // ARABIC LETTER HEH WITH INVERTED V + {0x0700, 0x070D, prAL, gcPo}, // [14] SYRIAC END OF PARAGRAPH..SYRIAC HARKLEAN ASTERISCUS + {0x070F, 0x070F, prAL, gcCf}, // SYRIAC ABBREVIATION MARK + {0x0710, 0x0710, prAL, gcLo}, // SYRIAC LETTER ALAPH + {0x0711, 0x0711, prCM, gcMn}, // SYRIAC LETTER SUPERSCRIPT ALAPH + {0x0712, 0x072F, prAL, gcLo}, // [30] SYRIAC LETTER BETH..SYRIAC LETTER PERSIAN DHALATH + {0x0730, 0x074A, prCM, gcMn}, // [27] SYRIAC PTHAHA ABOVE..SYRIAC BARREKH + {0x074D, 0x074F, prAL, gcLo}, // [3] SYRIAC LETTER SOGDIAN ZHAIN..SYRIAC LETTER SOGDIAN FE + {0x0750, 0x077F, prAL, gcLo}, // [48] ARABIC LETTER BEH WITH THREE DOTS HORIZONTALLY BELOW..ARABIC LETTER KAF WITH TWO DOTS ABOVE + {0x0780, 0x07A5, prAL, gcLo}, // [38] THAANA LETTER HAA..THAANA LETTER WAAVU + {0x07A6, 0x07B0, prCM, gcMn}, // [11] THAANA ABAFILI..THAANA SUKUN + {0x07B1, 0x07B1, prAL, gcLo}, // THAANA LETTER NAA + {0x07C0, 0x07C9, prNU, gcNd}, // [10] NKO DIGIT ZERO..NKO DIGIT NINE + {0x07CA, 0x07EA, prAL, gcLo}, // [33] NKO LETTER A..NKO LETTER JONA RA + {0x07EB, 0x07F3, prCM, gcMn}, // [9] NKO COMBINING SHORT HIGH TONE..NKO COMBINING DOUBLE DOT ABOVE + {0x07F4, 0x07F5, prAL, gcLm}, // [2] NKO HIGH TONE APOSTROPHE..NKO LOW TONE APOSTROPHE + {0x07F6, 0x07F6, prAL, gcSo}, // NKO SYMBOL OO DENNEN + {0x07F7, 0x07F7, prAL, gcPo}, // NKO SYMBOL GBAKURUNEN + {0x07F8, 0x07F8, prIS, gcPo}, // NKO COMMA + {0x07F9, 0x07F9, prEX, gcPo}, // NKO EXCLAMATION MARK + {0x07FA, 0x07FA, prAL, gcLm}, // NKO LAJANYALAN + {0x07FD, 0x07FD, prCM, gcMn}, // NKO DANTAYALAN + {0x07FE, 0x07FF, prPR, gcSc}, // [2] NKO DOROME SIGN..NKO TAMAN SIGN + {0x0800, 0x0815, prAL, gcLo}, // [22] SAMARITAN LETTER ALAF..SAMARITAN LETTER TAAF + {0x0816, 0x0819, prCM, gcMn}, // [4] SAMARITAN MARK IN..SAMARITAN MARK DAGESH + {0x081A, 0x081A, prAL, gcLm}, // SAMARITAN MODIFIER LETTER EPENTHETIC YUT + {0x081B, 0x0823, prCM, gcMn}, // [9] SAMARITAN MARK EPENTHETIC YUT..SAMARITAN VOWEL SIGN A + {0x0824, 0x0824, prAL, gcLm}, // SAMARITAN MODIFIER LETTER SHORT A + {0x0825, 0x0827, prCM, gcMn}, // [3] SAMARITAN VOWEL SIGN SHORT A..SAMARITAN VOWEL SIGN U + {0x0828, 0x0828, prAL, gcLm}, // SAMARITAN MODIFIER LETTER I + {0x0829, 0x082D, prCM, gcMn}, // [5] SAMARITAN VOWEL SIGN LONG I..SAMARITAN MARK NEQUDAA + {0x0830, 0x083E, prAL, gcPo}, // [15] SAMARITAN PUNCTUATION NEQUDAA..SAMARITAN PUNCTUATION ANNAAU + {0x0840, 0x0858, prAL, gcLo}, // [25] MANDAIC LETTER HALQA..MANDAIC LETTER AIN + {0x0859, 0x085B, prCM, gcMn}, // [3] MANDAIC AFFRICATION MARK..MANDAIC GEMINATION MARK + {0x085E, 0x085E, prAL, gcPo}, // MANDAIC PUNCTUATION + {0x0860, 0x086A, prAL, gcLo}, // [11] SYRIAC LETTER MALAYALAM NGA..SYRIAC LETTER MALAYALAM SSA + {0x0870, 0x0887, prAL, gcLo}, // [24] ARABIC LETTER ALEF WITH ATTACHED FATHA..ARABIC BASELINE ROUND DOT + {0x0888, 0x0888, prAL, gcSk}, // ARABIC RAISED ROUND DOT + {0x0889, 0x088E, prAL, gcLo}, // [6] ARABIC LETTER NOON WITH INVERTED SMALL V..ARABIC VERTICAL TAIL + {0x0890, 0x0891, prAL, gcCf}, // [2] ARABIC POUND MARK ABOVE..ARABIC PIASTRE MARK ABOVE + {0x0898, 0x089F, prCM, gcMn}, // [8] ARABIC SMALL HIGH WORD AL-JUZ..ARABIC HALF MADDA OVER MADDA + {0x08A0, 0x08C8, prAL, gcLo}, // [41] ARABIC LETTER BEH WITH SMALL V BELOW..ARABIC LETTER GRAF + {0x08C9, 0x08C9, prAL, gcLm}, // ARABIC SMALL FARSI YEH + {0x08CA, 0x08E1, prCM, gcMn}, // [24] ARABIC SMALL HIGH FARSI YEH..ARABIC SMALL HIGH SIGN SAFHA + {0x08E2, 0x08E2, prAL, gcCf}, // ARABIC DISPUTED END OF AYAH + {0x08E3, 0x08FF, prCM, gcMn}, // [29] ARABIC TURNED DAMMA BELOW..ARABIC MARK SIDEWAYS NOON GHUNNA + {0x0900, 0x0902, prCM, gcMn}, // [3] DEVANAGARI SIGN INVERTED CANDRABINDU..DEVANAGARI SIGN ANUSVARA + {0x0903, 0x0903, prCM, gcMc}, // DEVANAGARI SIGN VISARGA + {0x0904, 0x0939, prAL, gcLo}, // [54] DEVANAGARI LETTER SHORT A..DEVANAGARI LETTER HA + {0x093A, 0x093A, prCM, gcMn}, // DEVANAGARI VOWEL SIGN OE + {0x093B, 0x093B, prCM, gcMc}, // DEVANAGARI VOWEL SIGN OOE + {0x093C, 0x093C, prCM, gcMn}, // DEVANAGARI SIGN NUKTA + {0x093D, 0x093D, prAL, gcLo}, // DEVANAGARI SIGN AVAGRAHA + {0x093E, 0x0940, prCM, gcMc}, // [3] DEVANAGARI VOWEL SIGN AA..DEVANAGARI VOWEL SIGN II + {0x0941, 0x0948, prCM, gcMn}, // [8] DEVANAGARI VOWEL SIGN U..DEVANAGARI VOWEL SIGN AI + {0x0949, 0x094C, prCM, gcMc}, // [4] DEVANAGARI VOWEL SIGN CANDRA O..DEVANAGARI VOWEL SIGN AU + {0x094D, 0x094D, prCM, gcMn}, // DEVANAGARI SIGN VIRAMA + {0x094E, 0x094F, prCM, gcMc}, // [2] DEVANAGARI VOWEL SIGN PRISHTHAMATRA E..DEVANAGARI VOWEL SIGN AW + {0x0950, 0x0950, prAL, gcLo}, // DEVANAGARI OM + {0x0951, 0x0957, prCM, gcMn}, // [7] DEVANAGARI STRESS SIGN UDATTA..DEVANAGARI VOWEL SIGN UUE + {0x0958, 0x0961, prAL, gcLo}, // [10] DEVANAGARI LETTER QA..DEVANAGARI LETTER VOCALIC LL + {0x0962, 0x0963, prCM, gcMn}, // [2] DEVANAGARI VOWEL SIGN VOCALIC L..DEVANAGARI VOWEL SIGN VOCALIC LL + {0x0964, 0x0965, prBA, gcPo}, // [2] DEVANAGARI DANDA..DEVANAGARI DOUBLE DANDA + {0x0966, 0x096F, prNU, gcNd}, // [10] DEVANAGARI DIGIT ZERO..DEVANAGARI DIGIT NINE + {0x0970, 0x0970, prAL, gcPo}, // DEVANAGARI ABBREVIATION SIGN + {0x0971, 0x0971, prAL, gcLm}, // DEVANAGARI SIGN HIGH SPACING DOT + {0x0972, 0x097F, prAL, gcLo}, // [14] DEVANAGARI LETTER CANDRA A..DEVANAGARI LETTER BBA + {0x0980, 0x0980, prAL, gcLo}, // BENGALI ANJI + {0x0981, 0x0981, prCM, gcMn}, // BENGALI SIGN CANDRABINDU + {0x0982, 0x0983, prCM, gcMc}, // [2] BENGALI SIGN ANUSVARA..BENGALI SIGN VISARGA + {0x0985, 0x098C, prAL, gcLo}, // [8] BENGALI LETTER A..BENGALI LETTER VOCALIC L + {0x098F, 0x0990, prAL, gcLo}, // [2] BENGALI LETTER E..BENGALI LETTER AI + {0x0993, 0x09A8, prAL, gcLo}, // [22] BENGALI LETTER O..BENGALI LETTER NA + {0x09AA, 0x09B0, prAL, gcLo}, // [7] BENGALI LETTER PA..BENGALI LETTER RA + {0x09B2, 0x09B2, prAL, gcLo}, // BENGALI LETTER LA + {0x09B6, 0x09B9, prAL, gcLo}, // [4] BENGALI LETTER SHA..BENGALI LETTER HA + {0x09BC, 0x09BC, prCM, gcMn}, // BENGALI SIGN NUKTA + {0x09BD, 0x09BD, prAL, gcLo}, // BENGALI SIGN AVAGRAHA + {0x09BE, 0x09C0, prCM, gcMc}, // [3] BENGALI VOWEL SIGN AA..BENGALI VOWEL SIGN II + {0x09C1, 0x09C4, prCM, gcMn}, // [4] BENGALI VOWEL SIGN U..BENGALI VOWEL SIGN VOCALIC RR + {0x09C7, 0x09C8, prCM, gcMc}, // [2] BENGALI VOWEL SIGN E..BENGALI VOWEL SIGN AI + {0x09CB, 0x09CC, prCM, gcMc}, // [2] BENGALI VOWEL SIGN O..BENGALI VOWEL SIGN AU + {0x09CD, 0x09CD, prCM, gcMn}, // BENGALI SIGN VIRAMA + {0x09CE, 0x09CE, prAL, gcLo}, // BENGALI LETTER KHANDA TA + {0x09D7, 0x09D7, prCM, gcMc}, // BENGALI AU LENGTH MARK + {0x09DC, 0x09DD, prAL, gcLo}, // [2] BENGALI LETTER RRA..BENGALI LETTER RHA + {0x09DF, 0x09E1, prAL, gcLo}, // [3] BENGALI LETTER YYA..BENGALI LETTER VOCALIC LL + {0x09E2, 0x09E3, prCM, gcMn}, // [2] BENGALI VOWEL SIGN VOCALIC L..BENGALI VOWEL SIGN VOCALIC LL + {0x09E6, 0x09EF, prNU, gcNd}, // [10] BENGALI DIGIT ZERO..BENGALI DIGIT NINE + {0x09F0, 0x09F1, prAL, gcLo}, // [2] BENGALI LETTER RA WITH MIDDLE DIAGONAL..BENGALI LETTER RA WITH LOWER DIAGONAL + {0x09F2, 0x09F3, prPO, gcSc}, // [2] BENGALI RUPEE MARK..BENGALI RUPEE SIGN + {0x09F4, 0x09F8, prAL, gcNo}, // [5] BENGALI CURRENCY NUMERATOR ONE..BENGALI CURRENCY NUMERATOR ONE LESS THAN THE DENOMINATOR + {0x09F9, 0x09F9, prPO, gcNo}, // BENGALI CURRENCY DENOMINATOR SIXTEEN + {0x09FA, 0x09FA, prAL, gcSo}, // BENGALI ISSHAR + {0x09FB, 0x09FB, prPR, gcSc}, // BENGALI GANDA MARK + {0x09FC, 0x09FC, prAL, gcLo}, // BENGALI LETTER VEDIC ANUSVARA + {0x09FD, 0x09FD, prAL, gcPo}, // BENGALI ABBREVIATION SIGN + {0x09FE, 0x09FE, prCM, gcMn}, // BENGALI SANDHI MARK + {0x0A01, 0x0A02, prCM, gcMn}, // [2] GURMUKHI SIGN ADAK BINDI..GURMUKHI SIGN BINDI + {0x0A03, 0x0A03, prCM, gcMc}, // GURMUKHI SIGN VISARGA + {0x0A05, 0x0A0A, prAL, gcLo}, // [6] GURMUKHI LETTER A..GURMUKHI LETTER UU + {0x0A0F, 0x0A10, prAL, gcLo}, // [2] GURMUKHI LETTER EE..GURMUKHI LETTER AI + {0x0A13, 0x0A28, prAL, gcLo}, // [22] GURMUKHI LETTER OO..GURMUKHI LETTER NA + {0x0A2A, 0x0A30, prAL, gcLo}, // [7] GURMUKHI LETTER PA..GURMUKHI LETTER RA + {0x0A32, 0x0A33, prAL, gcLo}, // [2] GURMUKHI LETTER LA..GURMUKHI LETTER LLA + {0x0A35, 0x0A36, prAL, gcLo}, // [2] GURMUKHI LETTER VA..GURMUKHI LETTER SHA + {0x0A38, 0x0A39, prAL, gcLo}, // [2] GURMUKHI LETTER SA..GURMUKHI LETTER HA + {0x0A3C, 0x0A3C, prCM, gcMn}, // GURMUKHI SIGN NUKTA + {0x0A3E, 0x0A40, prCM, gcMc}, // [3] GURMUKHI VOWEL SIGN AA..GURMUKHI VOWEL SIGN II + {0x0A41, 0x0A42, prCM, gcMn}, // [2] GURMUKHI VOWEL SIGN U..GURMUKHI VOWEL SIGN UU + {0x0A47, 0x0A48, prCM, gcMn}, // [2] GURMUKHI VOWEL SIGN EE..GURMUKHI VOWEL SIGN AI + {0x0A4B, 0x0A4D, prCM, gcMn}, // [3] GURMUKHI VOWEL SIGN OO..GURMUKHI SIGN VIRAMA + {0x0A51, 0x0A51, prCM, gcMn}, // GURMUKHI SIGN UDAAT + {0x0A59, 0x0A5C, prAL, gcLo}, // [4] GURMUKHI LETTER KHHA..GURMUKHI LETTER RRA + {0x0A5E, 0x0A5E, prAL, gcLo}, // GURMUKHI LETTER FA + {0x0A66, 0x0A6F, prNU, gcNd}, // [10] GURMUKHI DIGIT ZERO..GURMUKHI DIGIT NINE + {0x0A70, 0x0A71, prCM, gcMn}, // [2] GURMUKHI TIPPI..GURMUKHI ADDAK + {0x0A72, 0x0A74, prAL, gcLo}, // [3] GURMUKHI IRI..GURMUKHI EK ONKAR + {0x0A75, 0x0A75, prCM, gcMn}, // GURMUKHI SIGN YAKASH + {0x0A76, 0x0A76, prAL, gcPo}, // GURMUKHI ABBREVIATION SIGN + {0x0A81, 0x0A82, prCM, gcMn}, // [2] GUJARATI SIGN CANDRABINDU..GUJARATI SIGN ANUSVARA + {0x0A83, 0x0A83, prCM, gcMc}, // GUJARATI SIGN VISARGA + {0x0A85, 0x0A8D, prAL, gcLo}, // [9] GUJARATI LETTER A..GUJARATI VOWEL CANDRA E + {0x0A8F, 0x0A91, prAL, gcLo}, // [3] GUJARATI LETTER E..GUJARATI VOWEL CANDRA O + {0x0A93, 0x0AA8, prAL, gcLo}, // [22] GUJARATI LETTER O..GUJARATI LETTER NA + {0x0AAA, 0x0AB0, prAL, gcLo}, // [7] GUJARATI LETTER PA..GUJARATI LETTER RA + {0x0AB2, 0x0AB3, prAL, gcLo}, // [2] GUJARATI LETTER LA..GUJARATI LETTER LLA + {0x0AB5, 0x0AB9, prAL, gcLo}, // [5] GUJARATI LETTER VA..GUJARATI LETTER HA + {0x0ABC, 0x0ABC, prCM, gcMn}, // GUJARATI SIGN NUKTA + {0x0ABD, 0x0ABD, prAL, gcLo}, // GUJARATI SIGN AVAGRAHA + {0x0ABE, 0x0AC0, prCM, gcMc}, // [3] GUJARATI VOWEL SIGN AA..GUJARATI VOWEL SIGN II + {0x0AC1, 0x0AC5, prCM, gcMn}, // [5] GUJARATI VOWEL SIGN U..GUJARATI VOWEL SIGN CANDRA E + {0x0AC7, 0x0AC8, prCM, gcMn}, // [2] GUJARATI VOWEL SIGN E..GUJARATI VOWEL SIGN AI + {0x0AC9, 0x0AC9, prCM, gcMc}, // GUJARATI VOWEL SIGN CANDRA O + {0x0ACB, 0x0ACC, prCM, gcMc}, // [2] GUJARATI VOWEL SIGN O..GUJARATI VOWEL SIGN AU + {0x0ACD, 0x0ACD, prCM, gcMn}, // GUJARATI SIGN VIRAMA + {0x0AD0, 0x0AD0, prAL, gcLo}, // GUJARATI OM + {0x0AE0, 0x0AE1, prAL, gcLo}, // [2] GUJARATI LETTER VOCALIC RR..GUJARATI LETTER VOCALIC LL + {0x0AE2, 0x0AE3, prCM, gcMn}, // [2] GUJARATI VOWEL SIGN VOCALIC L..GUJARATI VOWEL SIGN VOCALIC LL + {0x0AE6, 0x0AEF, prNU, gcNd}, // [10] GUJARATI DIGIT ZERO..GUJARATI DIGIT NINE + {0x0AF0, 0x0AF0, prAL, gcPo}, // GUJARATI ABBREVIATION SIGN + {0x0AF1, 0x0AF1, prPR, gcSc}, // GUJARATI RUPEE SIGN + {0x0AF9, 0x0AF9, prAL, gcLo}, // GUJARATI LETTER ZHA + {0x0AFA, 0x0AFF, prCM, gcMn}, // [6] GUJARATI SIGN SUKUN..GUJARATI SIGN TWO-CIRCLE NUKTA ABOVE + {0x0B01, 0x0B01, prCM, gcMn}, // ORIYA SIGN CANDRABINDU + {0x0B02, 0x0B03, prCM, gcMc}, // [2] ORIYA SIGN ANUSVARA..ORIYA SIGN VISARGA + {0x0B05, 0x0B0C, prAL, gcLo}, // [8] ORIYA LETTER A..ORIYA LETTER VOCALIC L + {0x0B0F, 0x0B10, prAL, gcLo}, // [2] ORIYA LETTER E..ORIYA LETTER AI + {0x0B13, 0x0B28, prAL, gcLo}, // [22] ORIYA LETTER O..ORIYA LETTER NA + {0x0B2A, 0x0B30, prAL, gcLo}, // [7] ORIYA LETTER PA..ORIYA LETTER RA + {0x0B32, 0x0B33, prAL, gcLo}, // [2] ORIYA LETTER LA..ORIYA LETTER LLA + {0x0B35, 0x0B39, prAL, gcLo}, // [5] ORIYA LETTER VA..ORIYA LETTER HA + {0x0B3C, 0x0B3C, prCM, gcMn}, // ORIYA SIGN NUKTA + {0x0B3D, 0x0B3D, prAL, gcLo}, // ORIYA SIGN AVAGRAHA + {0x0B3E, 0x0B3E, prCM, gcMc}, // ORIYA VOWEL SIGN AA + {0x0B3F, 0x0B3F, prCM, gcMn}, // ORIYA VOWEL SIGN I + {0x0B40, 0x0B40, prCM, gcMc}, // ORIYA VOWEL SIGN II + {0x0B41, 0x0B44, prCM, gcMn}, // [4] ORIYA VOWEL SIGN U..ORIYA VOWEL SIGN VOCALIC RR + {0x0B47, 0x0B48, prCM, gcMc}, // [2] ORIYA VOWEL SIGN E..ORIYA VOWEL SIGN AI + {0x0B4B, 0x0B4C, prCM, gcMc}, // [2] ORIYA VOWEL SIGN O..ORIYA VOWEL SIGN AU + {0x0B4D, 0x0B4D, prCM, gcMn}, // ORIYA SIGN VIRAMA + {0x0B55, 0x0B56, prCM, gcMn}, // [2] ORIYA SIGN OVERLINE..ORIYA AI LENGTH MARK + {0x0B57, 0x0B57, prCM, gcMc}, // ORIYA AU LENGTH MARK + {0x0B5C, 0x0B5D, prAL, gcLo}, // [2] ORIYA LETTER RRA..ORIYA LETTER RHA + {0x0B5F, 0x0B61, prAL, gcLo}, // [3] ORIYA LETTER YYA..ORIYA LETTER VOCALIC LL + {0x0B62, 0x0B63, prCM, gcMn}, // [2] ORIYA VOWEL SIGN VOCALIC L..ORIYA VOWEL SIGN VOCALIC LL + {0x0B66, 0x0B6F, prNU, gcNd}, // [10] ORIYA DIGIT ZERO..ORIYA DIGIT NINE + {0x0B70, 0x0B70, prAL, gcSo}, // ORIYA ISSHAR + {0x0B71, 0x0B71, prAL, gcLo}, // ORIYA LETTER WA + {0x0B72, 0x0B77, prAL, gcNo}, // [6] ORIYA FRACTION ONE QUARTER..ORIYA FRACTION THREE SIXTEENTHS + {0x0B82, 0x0B82, prCM, gcMn}, // TAMIL SIGN ANUSVARA + {0x0B83, 0x0B83, prAL, gcLo}, // TAMIL SIGN VISARGA + {0x0B85, 0x0B8A, prAL, gcLo}, // [6] TAMIL LETTER A..TAMIL LETTER UU + {0x0B8E, 0x0B90, prAL, gcLo}, // [3] TAMIL LETTER E..TAMIL LETTER AI + {0x0B92, 0x0B95, prAL, gcLo}, // [4] TAMIL LETTER O..TAMIL LETTER KA + {0x0B99, 0x0B9A, prAL, gcLo}, // [2] TAMIL LETTER NGA..TAMIL LETTER CA + {0x0B9C, 0x0B9C, prAL, gcLo}, // TAMIL LETTER JA + {0x0B9E, 0x0B9F, prAL, gcLo}, // [2] TAMIL LETTER NYA..TAMIL LETTER TTA + {0x0BA3, 0x0BA4, prAL, gcLo}, // [2] TAMIL LETTER NNA..TAMIL LETTER TA + {0x0BA8, 0x0BAA, prAL, gcLo}, // [3] TAMIL LETTER NA..TAMIL LETTER PA + {0x0BAE, 0x0BB9, prAL, gcLo}, // [12] TAMIL LETTER MA..TAMIL LETTER HA + {0x0BBE, 0x0BBF, prCM, gcMc}, // [2] TAMIL VOWEL SIGN AA..TAMIL VOWEL SIGN I + {0x0BC0, 0x0BC0, prCM, gcMn}, // TAMIL VOWEL SIGN II + {0x0BC1, 0x0BC2, prCM, gcMc}, // [2] TAMIL VOWEL SIGN U..TAMIL VOWEL SIGN UU + {0x0BC6, 0x0BC8, prCM, gcMc}, // [3] TAMIL VOWEL SIGN E..TAMIL VOWEL SIGN AI + {0x0BCA, 0x0BCC, prCM, gcMc}, // [3] TAMIL VOWEL SIGN O..TAMIL VOWEL SIGN AU + {0x0BCD, 0x0BCD, prCM, gcMn}, // TAMIL SIGN VIRAMA + {0x0BD0, 0x0BD0, prAL, gcLo}, // TAMIL OM + {0x0BD7, 0x0BD7, prCM, gcMc}, // TAMIL AU LENGTH MARK + {0x0BE6, 0x0BEF, prNU, gcNd}, // [10] TAMIL DIGIT ZERO..TAMIL DIGIT NINE + {0x0BF0, 0x0BF2, prAL, gcNo}, // [3] TAMIL NUMBER TEN..TAMIL NUMBER ONE THOUSAND + {0x0BF3, 0x0BF8, prAL, gcSo}, // [6] TAMIL DAY SIGN..TAMIL AS ABOVE SIGN + {0x0BF9, 0x0BF9, prPR, gcSc}, // TAMIL RUPEE SIGN + {0x0BFA, 0x0BFA, prAL, gcSo}, // TAMIL NUMBER SIGN + {0x0C00, 0x0C00, prCM, gcMn}, // TELUGU SIGN COMBINING CANDRABINDU ABOVE + {0x0C01, 0x0C03, prCM, gcMc}, // [3] TELUGU SIGN CANDRABINDU..TELUGU SIGN VISARGA + {0x0C04, 0x0C04, prCM, gcMn}, // TELUGU SIGN COMBINING ANUSVARA ABOVE + {0x0C05, 0x0C0C, prAL, gcLo}, // [8] TELUGU LETTER A..TELUGU LETTER VOCALIC L + {0x0C0E, 0x0C10, prAL, gcLo}, // [3] TELUGU LETTER E..TELUGU LETTER AI + {0x0C12, 0x0C28, prAL, gcLo}, // [23] TELUGU LETTER O..TELUGU LETTER NA + {0x0C2A, 0x0C39, prAL, gcLo}, // [16] TELUGU LETTER PA..TELUGU LETTER HA + {0x0C3C, 0x0C3C, prCM, gcMn}, // TELUGU SIGN NUKTA + {0x0C3D, 0x0C3D, prAL, gcLo}, // TELUGU SIGN AVAGRAHA + {0x0C3E, 0x0C40, prCM, gcMn}, // [3] TELUGU VOWEL SIGN AA..TELUGU VOWEL SIGN II + {0x0C41, 0x0C44, prCM, gcMc}, // [4] TELUGU VOWEL SIGN U..TELUGU VOWEL SIGN VOCALIC RR + {0x0C46, 0x0C48, prCM, gcMn}, // [3] TELUGU VOWEL SIGN E..TELUGU VOWEL SIGN AI + {0x0C4A, 0x0C4D, prCM, gcMn}, // [4] TELUGU VOWEL SIGN O..TELUGU SIGN VIRAMA + {0x0C55, 0x0C56, prCM, gcMn}, // [2] TELUGU LENGTH MARK..TELUGU AI LENGTH MARK + {0x0C58, 0x0C5A, prAL, gcLo}, // [3] TELUGU LETTER TSA..TELUGU LETTER RRRA + {0x0C5D, 0x0C5D, prAL, gcLo}, // TELUGU LETTER NAKAARA POLLU + {0x0C60, 0x0C61, prAL, gcLo}, // [2] TELUGU LETTER VOCALIC RR..TELUGU LETTER VOCALIC LL + {0x0C62, 0x0C63, prCM, gcMn}, // [2] TELUGU VOWEL SIGN VOCALIC L..TELUGU VOWEL SIGN VOCALIC LL + {0x0C66, 0x0C6F, prNU, gcNd}, // [10] TELUGU DIGIT ZERO..TELUGU DIGIT NINE + {0x0C77, 0x0C77, prBB, gcPo}, // TELUGU SIGN SIDDHAM + {0x0C78, 0x0C7E, prAL, gcNo}, // [7] TELUGU FRACTION DIGIT ZERO FOR ODD POWERS OF FOUR..TELUGU FRACTION DIGIT THREE FOR EVEN POWERS OF FOUR + {0x0C7F, 0x0C7F, prAL, gcSo}, // TELUGU SIGN TUUMU + {0x0C80, 0x0C80, prAL, gcLo}, // KANNADA SIGN SPACING CANDRABINDU + {0x0C81, 0x0C81, prCM, gcMn}, // KANNADA SIGN CANDRABINDU + {0x0C82, 0x0C83, prCM, gcMc}, // [2] KANNADA SIGN ANUSVARA..KANNADA SIGN VISARGA + {0x0C84, 0x0C84, prBB, gcPo}, // KANNADA SIGN SIDDHAM + {0x0C85, 0x0C8C, prAL, gcLo}, // [8] KANNADA LETTER A..KANNADA LETTER VOCALIC L + {0x0C8E, 0x0C90, prAL, gcLo}, // [3] KANNADA LETTER E..KANNADA LETTER AI + {0x0C92, 0x0CA8, prAL, gcLo}, // [23] KANNADA LETTER O..KANNADA LETTER NA + {0x0CAA, 0x0CB3, prAL, gcLo}, // [10] KANNADA LETTER PA..KANNADA LETTER LLA + {0x0CB5, 0x0CB9, prAL, gcLo}, // [5] KANNADA LETTER VA..KANNADA LETTER HA + {0x0CBC, 0x0CBC, prCM, gcMn}, // KANNADA SIGN NUKTA + {0x0CBD, 0x0CBD, prAL, gcLo}, // KANNADA SIGN AVAGRAHA + {0x0CBE, 0x0CBE, prCM, gcMc}, // KANNADA VOWEL SIGN AA + {0x0CBF, 0x0CBF, prCM, gcMn}, // KANNADA VOWEL SIGN I + {0x0CC0, 0x0CC4, prCM, gcMc}, // [5] KANNADA VOWEL SIGN II..KANNADA VOWEL SIGN VOCALIC RR + {0x0CC6, 0x0CC6, prCM, gcMn}, // KANNADA VOWEL SIGN E + {0x0CC7, 0x0CC8, prCM, gcMc}, // [2] KANNADA VOWEL SIGN EE..KANNADA VOWEL SIGN AI + {0x0CCA, 0x0CCB, prCM, gcMc}, // [2] KANNADA VOWEL SIGN O..KANNADA VOWEL SIGN OO + {0x0CCC, 0x0CCD, prCM, gcMn}, // [2] KANNADA VOWEL SIGN AU..KANNADA SIGN VIRAMA + {0x0CD5, 0x0CD6, prCM, gcMc}, // [2] KANNADA LENGTH MARK..KANNADA AI LENGTH MARK + {0x0CDD, 0x0CDE, prAL, gcLo}, // [2] KANNADA LETTER NAKAARA POLLU..KANNADA LETTER FA + {0x0CE0, 0x0CE1, prAL, gcLo}, // [2] KANNADA LETTER VOCALIC RR..KANNADA LETTER VOCALIC LL + {0x0CE2, 0x0CE3, prCM, gcMn}, // [2] KANNADA VOWEL SIGN VOCALIC L..KANNADA VOWEL SIGN VOCALIC LL + {0x0CE6, 0x0CEF, prNU, gcNd}, // [10] KANNADA DIGIT ZERO..KANNADA DIGIT NINE + {0x0CF1, 0x0CF2, prAL, gcLo}, // [2] KANNADA SIGN JIHVAMULIYA..KANNADA SIGN UPADHMANIYA + {0x0CF3, 0x0CF3, prCM, gcMc}, // KANNADA SIGN COMBINING ANUSVARA ABOVE RIGHT + {0x0D00, 0x0D01, prCM, gcMn}, // [2] MALAYALAM SIGN COMBINING ANUSVARA ABOVE..MALAYALAM SIGN CANDRABINDU + {0x0D02, 0x0D03, prCM, gcMc}, // [2] MALAYALAM SIGN ANUSVARA..MALAYALAM SIGN VISARGA + {0x0D04, 0x0D0C, prAL, gcLo}, // [9] MALAYALAM LETTER VEDIC ANUSVARA..MALAYALAM LETTER VOCALIC L + {0x0D0E, 0x0D10, prAL, gcLo}, // [3] MALAYALAM LETTER E..MALAYALAM LETTER AI + {0x0D12, 0x0D3A, prAL, gcLo}, // [41] MALAYALAM LETTER O..MALAYALAM LETTER TTTA + {0x0D3B, 0x0D3C, prCM, gcMn}, // [2] MALAYALAM SIGN VERTICAL BAR VIRAMA..MALAYALAM SIGN CIRCULAR VIRAMA + {0x0D3D, 0x0D3D, prAL, gcLo}, // MALAYALAM SIGN AVAGRAHA + {0x0D3E, 0x0D40, prCM, gcMc}, // [3] MALAYALAM VOWEL SIGN AA..MALAYALAM VOWEL SIGN II + {0x0D41, 0x0D44, prCM, gcMn}, // [4] MALAYALAM VOWEL SIGN U..MALAYALAM VOWEL SIGN VOCALIC RR + {0x0D46, 0x0D48, prCM, gcMc}, // [3] MALAYALAM VOWEL SIGN E..MALAYALAM VOWEL SIGN AI + {0x0D4A, 0x0D4C, prCM, gcMc}, // [3] MALAYALAM VOWEL SIGN O..MALAYALAM VOWEL SIGN AU + {0x0D4D, 0x0D4D, prCM, gcMn}, // MALAYALAM SIGN VIRAMA + {0x0D4E, 0x0D4E, prAL, gcLo}, // MALAYALAM LETTER DOT REPH + {0x0D4F, 0x0D4F, prAL, gcSo}, // MALAYALAM SIGN PARA + {0x0D54, 0x0D56, prAL, gcLo}, // [3] MALAYALAM LETTER CHILLU M..MALAYALAM LETTER CHILLU LLL + {0x0D57, 0x0D57, prCM, gcMc}, // MALAYALAM AU LENGTH MARK + {0x0D58, 0x0D5E, prAL, gcNo}, // [7] MALAYALAM FRACTION ONE ONE-HUNDRED-AND-SIXTIETH..MALAYALAM FRACTION ONE FIFTH + {0x0D5F, 0x0D61, prAL, gcLo}, // [3] MALAYALAM LETTER ARCHAIC II..MALAYALAM LETTER VOCALIC LL + {0x0D62, 0x0D63, prCM, gcMn}, // [2] MALAYALAM VOWEL SIGN VOCALIC L..MALAYALAM VOWEL SIGN VOCALIC LL + {0x0D66, 0x0D6F, prNU, gcNd}, // [10] MALAYALAM DIGIT ZERO..MALAYALAM DIGIT NINE + {0x0D70, 0x0D78, prAL, gcNo}, // [9] MALAYALAM NUMBER TEN..MALAYALAM FRACTION THREE SIXTEENTHS + {0x0D79, 0x0D79, prPO, gcSo}, // MALAYALAM DATE MARK + {0x0D7A, 0x0D7F, prAL, gcLo}, // [6] MALAYALAM LETTER CHILLU NN..MALAYALAM LETTER CHILLU K + {0x0D81, 0x0D81, prCM, gcMn}, // SINHALA SIGN CANDRABINDU + {0x0D82, 0x0D83, prCM, gcMc}, // [2] SINHALA SIGN ANUSVARAYA..SINHALA SIGN VISARGAYA + {0x0D85, 0x0D96, prAL, gcLo}, // [18] SINHALA LETTER AYANNA..SINHALA LETTER AUYANNA + {0x0D9A, 0x0DB1, prAL, gcLo}, // [24] SINHALA LETTER ALPAPRAANA KAYANNA..SINHALA LETTER DANTAJA NAYANNA + {0x0DB3, 0x0DBB, prAL, gcLo}, // [9] SINHALA LETTER SANYAKA DAYANNA..SINHALA LETTER RAYANNA + {0x0DBD, 0x0DBD, prAL, gcLo}, // SINHALA LETTER DANTAJA LAYANNA + {0x0DC0, 0x0DC6, prAL, gcLo}, // [7] SINHALA LETTER VAYANNA..SINHALA LETTER FAYANNA + {0x0DCA, 0x0DCA, prCM, gcMn}, // SINHALA SIGN AL-LAKUNA + {0x0DCF, 0x0DD1, prCM, gcMc}, // [3] SINHALA VOWEL SIGN AELA-PILLA..SINHALA VOWEL SIGN DIGA AEDA-PILLA + {0x0DD2, 0x0DD4, prCM, gcMn}, // [3] SINHALA VOWEL SIGN KETTI IS-PILLA..SINHALA VOWEL SIGN KETTI PAA-PILLA + {0x0DD6, 0x0DD6, prCM, gcMn}, // SINHALA VOWEL SIGN DIGA PAA-PILLA + {0x0DD8, 0x0DDF, prCM, gcMc}, // [8] SINHALA VOWEL SIGN GAETTA-PILLA..SINHALA VOWEL SIGN GAYANUKITTA + {0x0DE6, 0x0DEF, prNU, gcNd}, // [10] SINHALA LITH DIGIT ZERO..SINHALA LITH DIGIT NINE + {0x0DF2, 0x0DF3, prCM, gcMc}, // [2] SINHALA VOWEL SIGN DIGA GAETTA-PILLA..SINHALA VOWEL SIGN DIGA GAYANUKITTA + {0x0DF4, 0x0DF4, prAL, gcPo}, // SINHALA PUNCTUATION KUNDDALIYA + {0x0E01, 0x0E30, prSA, gcLo}, // [48] THAI CHARACTER KO KAI..THAI CHARACTER SARA A + {0x0E31, 0x0E31, prSA, gcMn}, // THAI CHARACTER MAI HAN-AKAT + {0x0E32, 0x0E33, prSA, gcLo}, // [2] THAI CHARACTER SARA AA..THAI CHARACTER SARA AM + {0x0E34, 0x0E3A, prSA, gcMn}, // [7] THAI CHARACTER SARA I..THAI CHARACTER PHINTHU + {0x0E3F, 0x0E3F, prPR, gcSc}, // THAI CURRENCY SYMBOL BAHT + {0x0E40, 0x0E45, prSA, gcLo}, // [6] THAI CHARACTER SARA E..THAI CHARACTER LAKKHANGYAO + {0x0E46, 0x0E46, prSA, gcLm}, // THAI CHARACTER MAIYAMOK + {0x0E47, 0x0E4E, prSA, gcMn}, // [8] THAI CHARACTER MAITAIKHU..THAI CHARACTER YAMAKKAN + {0x0E4F, 0x0E4F, prAL, gcPo}, // THAI CHARACTER FONGMAN + {0x0E50, 0x0E59, prNU, gcNd}, // [10] THAI DIGIT ZERO..THAI DIGIT NINE + {0x0E5A, 0x0E5B, prBA, gcPo}, // [2] THAI CHARACTER ANGKHANKHU..THAI CHARACTER KHOMUT + {0x0E81, 0x0E82, prSA, gcLo}, // [2] LAO LETTER KO..LAO LETTER KHO SUNG + {0x0E84, 0x0E84, prSA, gcLo}, // LAO LETTER KHO TAM + {0x0E86, 0x0E8A, prSA, gcLo}, // [5] LAO LETTER PALI GHA..LAO LETTER SO TAM + {0x0E8C, 0x0EA3, prSA, gcLo}, // [24] LAO LETTER PALI JHA..LAO LETTER LO LING + {0x0EA5, 0x0EA5, prSA, gcLo}, // LAO LETTER LO LOOT + {0x0EA7, 0x0EB0, prSA, gcLo}, // [10] LAO LETTER WO..LAO VOWEL SIGN A + {0x0EB1, 0x0EB1, prSA, gcMn}, // LAO VOWEL SIGN MAI KAN + {0x0EB2, 0x0EB3, prSA, gcLo}, // [2] LAO VOWEL SIGN AA..LAO VOWEL SIGN AM + {0x0EB4, 0x0EBC, prSA, gcMn}, // [9] LAO VOWEL SIGN I..LAO SEMIVOWEL SIGN LO + {0x0EBD, 0x0EBD, prSA, gcLo}, // LAO SEMIVOWEL SIGN NYO + {0x0EC0, 0x0EC4, prSA, gcLo}, // [5] LAO VOWEL SIGN E..LAO VOWEL SIGN AI + {0x0EC6, 0x0EC6, prSA, gcLm}, // LAO KO LA + {0x0EC8, 0x0ECE, prSA, gcMn}, // [7] LAO TONE MAI EK..LAO YAMAKKAN + {0x0ED0, 0x0ED9, prNU, gcNd}, // [10] LAO DIGIT ZERO..LAO DIGIT NINE + {0x0EDC, 0x0EDF, prSA, gcLo}, // [4] LAO HO NO..LAO LETTER KHMU NYO + {0x0F00, 0x0F00, prAL, gcLo}, // TIBETAN SYLLABLE OM + {0x0F01, 0x0F03, prBB, gcSo}, // [3] TIBETAN MARK GTER YIG MGO TRUNCATED A..TIBETAN MARK GTER YIG MGO -UM GTER TSHEG MA + {0x0F04, 0x0F04, prBB, gcPo}, // TIBETAN MARK INITIAL YIG MGO MDUN MA + {0x0F05, 0x0F05, prAL, gcPo}, // TIBETAN MARK CLOSING YIG MGO SGAB MA + {0x0F06, 0x0F07, prBB, gcPo}, // [2] TIBETAN MARK CARET YIG MGO PHUR SHAD MA..TIBETAN MARK YIG MGO TSHEG SHAD MA + {0x0F08, 0x0F08, prGL, gcPo}, // TIBETAN MARK SBRUL SHAD + {0x0F09, 0x0F0A, prBB, gcPo}, // [2] TIBETAN MARK BSKUR YIG MGO..TIBETAN MARK BKA- SHOG YIG MGO + {0x0F0B, 0x0F0B, prBA, gcPo}, // TIBETAN MARK INTERSYLLABIC TSHEG + {0x0F0C, 0x0F0C, prGL, gcPo}, // TIBETAN MARK DELIMITER TSHEG BSTAR + {0x0F0D, 0x0F11, prEX, gcPo}, // [5] TIBETAN MARK SHAD..TIBETAN MARK RIN CHEN SPUNGS SHAD + {0x0F12, 0x0F12, prGL, gcPo}, // TIBETAN MARK RGYA GRAM SHAD + {0x0F13, 0x0F13, prAL, gcSo}, // TIBETAN MARK CARET -DZUD RTAGS ME LONG CAN + {0x0F14, 0x0F14, prEX, gcPo}, // TIBETAN MARK GTER TSHEG + {0x0F15, 0x0F17, prAL, gcSo}, // [3] TIBETAN LOGOTYPE SIGN CHAD RTAGS..TIBETAN ASTROLOGICAL SIGN SGRA GCAN -CHAR RTAGS + {0x0F18, 0x0F19, prCM, gcMn}, // [2] TIBETAN ASTROLOGICAL SIGN -KHYUD PA..TIBETAN ASTROLOGICAL SIGN SDONG TSHUGS + {0x0F1A, 0x0F1F, prAL, gcSo}, // [6] TIBETAN SIGN RDEL DKAR GCIG..TIBETAN SIGN RDEL DKAR RDEL NAG + {0x0F20, 0x0F29, prNU, gcNd}, // [10] TIBETAN DIGIT ZERO..TIBETAN DIGIT NINE + {0x0F2A, 0x0F33, prAL, gcNo}, // [10] TIBETAN DIGIT HALF ONE..TIBETAN DIGIT HALF ZERO + {0x0F34, 0x0F34, prBA, gcSo}, // TIBETAN MARK BSDUS RTAGS + {0x0F35, 0x0F35, prCM, gcMn}, // TIBETAN MARK NGAS BZUNG NYI ZLA + {0x0F36, 0x0F36, prAL, gcSo}, // TIBETAN MARK CARET -DZUD RTAGS BZHI MIG CAN + {0x0F37, 0x0F37, prCM, gcMn}, // TIBETAN MARK NGAS BZUNG SGOR RTAGS + {0x0F38, 0x0F38, prAL, gcSo}, // TIBETAN MARK CHE MGO + {0x0F39, 0x0F39, prCM, gcMn}, // TIBETAN MARK TSA -PHRU + {0x0F3A, 0x0F3A, prOP, gcPs}, // TIBETAN MARK GUG RTAGS GYON + {0x0F3B, 0x0F3B, prCL, gcPe}, // TIBETAN MARK GUG RTAGS GYAS + {0x0F3C, 0x0F3C, prOP, gcPs}, // TIBETAN MARK ANG KHANG GYON + {0x0F3D, 0x0F3D, prCL, gcPe}, // TIBETAN MARK ANG KHANG GYAS + {0x0F3E, 0x0F3F, prCM, gcMc}, // [2] TIBETAN SIGN YAR TSHES..TIBETAN SIGN MAR TSHES + {0x0F40, 0x0F47, prAL, gcLo}, // [8] TIBETAN LETTER KA..TIBETAN LETTER JA + {0x0F49, 0x0F6C, prAL, gcLo}, // [36] TIBETAN LETTER NYA..TIBETAN LETTER RRA + {0x0F71, 0x0F7E, prCM, gcMn}, // [14] TIBETAN VOWEL SIGN AA..TIBETAN SIGN RJES SU NGA RO + {0x0F7F, 0x0F7F, prBA, gcMc}, // TIBETAN SIGN RNAM BCAD + {0x0F80, 0x0F84, prCM, gcMn}, // [5] TIBETAN VOWEL SIGN REVERSED I..TIBETAN MARK HALANTA + {0x0F85, 0x0F85, prBA, gcPo}, // TIBETAN MARK PALUTA + {0x0F86, 0x0F87, prCM, gcMn}, // [2] TIBETAN SIGN LCI RTAGS..TIBETAN SIGN YANG RTAGS + {0x0F88, 0x0F8C, prAL, gcLo}, // [5] TIBETAN SIGN LCE TSA CAN..TIBETAN SIGN INVERTED MCHU CAN + {0x0F8D, 0x0F97, prCM, gcMn}, // [11] TIBETAN SUBJOINED SIGN LCE TSA CAN..TIBETAN SUBJOINED LETTER JA + {0x0F99, 0x0FBC, prCM, gcMn}, // [36] TIBETAN SUBJOINED LETTER NYA..TIBETAN SUBJOINED LETTER FIXED-FORM RA + {0x0FBE, 0x0FBF, prBA, gcSo}, // [2] TIBETAN KU RU KHA..TIBETAN KU RU KHA BZHI MIG CAN + {0x0FC0, 0x0FC5, prAL, gcSo}, // [6] TIBETAN CANTILLATION SIGN HEAVY BEAT..TIBETAN SYMBOL RDO RJE + {0x0FC6, 0x0FC6, prCM, gcMn}, // TIBETAN SYMBOL PADMA GDAN + {0x0FC7, 0x0FCC, prAL, gcSo}, // [6] TIBETAN SYMBOL RDO RJE RGYA GRAM..TIBETAN SYMBOL NOR BU BZHI -KHYIL + {0x0FCE, 0x0FCF, prAL, gcSo}, // [2] TIBETAN SIGN RDEL NAG RDEL DKAR..TIBETAN SIGN RDEL NAG GSUM + {0x0FD0, 0x0FD1, prBB, gcPo}, // [2] TIBETAN MARK BSKA- SHOG GI MGO RGYAN..TIBETAN MARK MNYAM YIG GI MGO RGYAN + {0x0FD2, 0x0FD2, prBA, gcPo}, // TIBETAN MARK NYIS TSHEG + {0x0FD3, 0x0FD3, prBB, gcPo}, // TIBETAN MARK INITIAL BRDA RNYING YIG MGO MDUN MA + {0x0FD4, 0x0FD4, prAL, gcPo}, // TIBETAN MARK CLOSING BRDA RNYING YIG MGO SGAB MA + {0x0FD5, 0x0FD8, prAL, gcSo}, // [4] RIGHT-FACING SVASTI SIGN..LEFT-FACING SVASTI SIGN WITH DOTS + {0x0FD9, 0x0FDA, prGL, gcPo}, // [2] TIBETAN MARK LEADING MCHAN RTAGS..TIBETAN MARK TRAILING MCHAN RTAGS + {0x1000, 0x102A, prSA, gcLo}, // [43] MYANMAR LETTER KA..MYANMAR LETTER AU + {0x102B, 0x102C, prSA, gcMc}, // [2] MYANMAR VOWEL SIGN TALL AA..MYANMAR VOWEL SIGN AA + {0x102D, 0x1030, prSA, gcMn}, // [4] MYANMAR VOWEL SIGN I..MYANMAR VOWEL SIGN UU + {0x1031, 0x1031, prSA, gcMc}, // MYANMAR VOWEL SIGN E + {0x1032, 0x1037, prSA, gcMn}, // [6] MYANMAR VOWEL SIGN AI..MYANMAR SIGN DOT BELOW + {0x1038, 0x1038, prSA, gcMc}, // MYANMAR SIGN VISARGA + {0x1039, 0x103A, prSA, gcMn}, // [2] MYANMAR SIGN VIRAMA..MYANMAR SIGN ASAT + {0x103B, 0x103C, prSA, gcMc}, // [2] MYANMAR CONSONANT SIGN MEDIAL YA..MYANMAR CONSONANT SIGN MEDIAL RA + {0x103D, 0x103E, prSA, gcMn}, // [2] MYANMAR CONSONANT SIGN MEDIAL WA..MYANMAR CONSONANT SIGN MEDIAL HA + {0x103F, 0x103F, prSA, gcLo}, // MYANMAR LETTER GREAT SA + {0x1040, 0x1049, prNU, gcNd}, // [10] MYANMAR DIGIT ZERO..MYANMAR DIGIT NINE + {0x104A, 0x104B, prBA, gcPo}, // [2] MYANMAR SIGN LITTLE SECTION..MYANMAR SIGN SECTION + {0x104C, 0x104F, prAL, gcPo}, // [4] MYANMAR SYMBOL LOCATIVE..MYANMAR SYMBOL GENITIVE + {0x1050, 0x1055, prSA, gcLo}, // [6] MYANMAR LETTER SHA..MYANMAR LETTER VOCALIC LL + {0x1056, 0x1057, prSA, gcMc}, // [2] MYANMAR VOWEL SIGN VOCALIC R..MYANMAR VOWEL SIGN VOCALIC RR + {0x1058, 0x1059, prSA, gcMn}, // [2] MYANMAR VOWEL SIGN VOCALIC L..MYANMAR VOWEL SIGN VOCALIC LL + {0x105A, 0x105D, prSA, gcLo}, // [4] MYANMAR LETTER MON NGA..MYANMAR LETTER MON BBE + {0x105E, 0x1060, prSA, gcMn}, // [3] MYANMAR CONSONANT SIGN MON MEDIAL NA..MYANMAR CONSONANT SIGN MON MEDIAL LA + {0x1061, 0x1061, prSA, gcLo}, // MYANMAR LETTER SGAW KAREN SHA + {0x1062, 0x1064, prSA, gcMc}, // [3] MYANMAR VOWEL SIGN SGAW KAREN EU..MYANMAR TONE MARK SGAW KAREN KE PHO + {0x1065, 0x1066, prSA, gcLo}, // [2] MYANMAR LETTER WESTERN PWO KAREN THA..MYANMAR LETTER WESTERN PWO KAREN PWA + {0x1067, 0x106D, prSA, gcMc}, // [7] MYANMAR VOWEL SIGN WESTERN PWO KAREN EU..MYANMAR SIGN WESTERN PWO KAREN TONE-5 + {0x106E, 0x1070, prSA, gcLo}, // [3] MYANMAR LETTER EASTERN PWO KAREN NNA..MYANMAR LETTER EASTERN PWO KAREN GHWA + {0x1071, 0x1074, prSA, gcMn}, // [4] MYANMAR VOWEL SIGN GEBA KAREN I..MYANMAR VOWEL SIGN KAYAH EE + {0x1075, 0x1081, prSA, gcLo}, // [13] MYANMAR LETTER SHAN KA..MYANMAR LETTER SHAN HA + {0x1082, 0x1082, prSA, gcMn}, // MYANMAR CONSONANT SIGN SHAN MEDIAL WA + {0x1083, 0x1084, prSA, gcMc}, // [2] MYANMAR VOWEL SIGN SHAN AA..MYANMAR VOWEL SIGN SHAN E + {0x1085, 0x1086, prSA, gcMn}, // [2] MYANMAR VOWEL SIGN SHAN E ABOVE..MYANMAR VOWEL SIGN SHAN FINAL Y + {0x1087, 0x108C, prSA, gcMc}, // [6] MYANMAR SIGN SHAN TONE-2..MYANMAR SIGN SHAN COUNCIL TONE-3 + {0x108D, 0x108D, prSA, gcMn}, // MYANMAR SIGN SHAN COUNCIL EMPHATIC TONE + {0x108E, 0x108E, prSA, gcLo}, // MYANMAR LETTER RUMAI PALAUNG FA + {0x108F, 0x108F, prSA, gcMc}, // MYANMAR SIGN RUMAI PALAUNG TONE-5 + {0x1090, 0x1099, prNU, gcNd}, // [10] MYANMAR SHAN DIGIT ZERO..MYANMAR SHAN DIGIT NINE + {0x109A, 0x109C, prSA, gcMc}, // [3] MYANMAR SIGN KHAMTI TONE-1..MYANMAR VOWEL SIGN AITON A + {0x109D, 0x109D, prSA, gcMn}, // MYANMAR VOWEL SIGN AITON AI + {0x109E, 0x109F, prSA, gcSo}, // [2] MYANMAR SYMBOL SHAN ONE..MYANMAR SYMBOL SHAN EXCLAMATION + {0x10A0, 0x10C5, prAL, gcLu}, // [38] GEORGIAN CAPITAL LETTER AN..GEORGIAN CAPITAL LETTER HOE + {0x10C7, 0x10C7, prAL, gcLu}, // GEORGIAN CAPITAL LETTER YN + {0x10CD, 0x10CD, prAL, gcLu}, // GEORGIAN CAPITAL LETTER AEN + {0x10D0, 0x10FA, prAL, gcLl}, // [43] GEORGIAN LETTER AN..GEORGIAN LETTER AIN + {0x10FB, 0x10FB, prAL, gcPo}, // GEORGIAN PARAGRAPH SEPARATOR + {0x10FC, 0x10FC, prAL, gcLm}, // MODIFIER LETTER GEORGIAN NAR + {0x10FD, 0x10FF, prAL, gcLl}, // [3] GEORGIAN LETTER AEN..GEORGIAN LETTER LABIAL SIGN + {0x1100, 0x115F, prJL, gcLo}, // [96] HANGUL CHOSEONG KIYEOK..HANGUL CHOSEONG FILLER + {0x1160, 0x11A7, prJV, gcLo}, // [72] HANGUL JUNGSEONG FILLER..HANGUL JUNGSEONG O-YAE + {0x11A8, 0x11FF, prJT, gcLo}, // [88] HANGUL JONGSEONG KIYEOK..HANGUL JONGSEONG SSANGNIEUN + {0x1200, 0x1248, prAL, gcLo}, // [73] ETHIOPIC SYLLABLE HA..ETHIOPIC SYLLABLE QWA + {0x124A, 0x124D, prAL, gcLo}, // [4] ETHIOPIC SYLLABLE QWI..ETHIOPIC SYLLABLE QWE + {0x1250, 0x1256, prAL, gcLo}, // [7] ETHIOPIC SYLLABLE QHA..ETHIOPIC SYLLABLE QHO + {0x1258, 0x1258, prAL, gcLo}, // ETHIOPIC SYLLABLE QHWA + {0x125A, 0x125D, prAL, gcLo}, // [4] ETHIOPIC SYLLABLE QHWI..ETHIOPIC SYLLABLE QHWE + {0x1260, 0x1288, prAL, gcLo}, // [41] ETHIOPIC SYLLABLE BA..ETHIOPIC SYLLABLE XWA + {0x128A, 0x128D, prAL, gcLo}, // [4] ETHIOPIC SYLLABLE XWI..ETHIOPIC SYLLABLE XWE + {0x1290, 0x12B0, prAL, gcLo}, // [33] ETHIOPIC SYLLABLE NA..ETHIOPIC SYLLABLE KWA + {0x12B2, 0x12B5, prAL, gcLo}, // [4] ETHIOPIC SYLLABLE KWI..ETHIOPIC SYLLABLE KWE + {0x12B8, 0x12BE, prAL, gcLo}, // [7] ETHIOPIC SYLLABLE KXA..ETHIOPIC SYLLABLE KXO + {0x12C0, 0x12C0, prAL, gcLo}, // ETHIOPIC SYLLABLE KXWA + {0x12C2, 0x12C5, prAL, gcLo}, // [4] ETHIOPIC SYLLABLE KXWI..ETHIOPIC SYLLABLE KXWE + {0x12C8, 0x12D6, prAL, gcLo}, // [15] ETHIOPIC SYLLABLE WA..ETHIOPIC SYLLABLE PHARYNGEAL O + {0x12D8, 0x1310, prAL, gcLo}, // [57] ETHIOPIC SYLLABLE ZA..ETHIOPIC SYLLABLE GWA + {0x1312, 0x1315, prAL, gcLo}, // [4] ETHIOPIC SYLLABLE GWI..ETHIOPIC SYLLABLE GWE + {0x1318, 0x135A, prAL, gcLo}, // [67] ETHIOPIC SYLLABLE GGA..ETHIOPIC SYLLABLE FYA + {0x135D, 0x135F, prCM, gcMn}, // [3] ETHIOPIC COMBINING GEMINATION AND VOWEL LENGTH MARK..ETHIOPIC COMBINING GEMINATION MARK + {0x1360, 0x1360, prAL, gcPo}, // ETHIOPIC SECTION MARK + {0x1361, 0x1361, prBA, gcPo}, // ETHIOPIC WORDSPACE + {0x1362, 0x1368, prAL, gcPo}, // [7] ETHIOPIC FULL STOP..ETHIOPIC PARAGRAPH SEPARATOR + {0x1369, 0x137C, prAL, gcNo}, // [20] ETHIOPIC DIGIT ONE..ETHIOPIC NUMBER TEN THOUSAND + {0x1380, 0x138F, prAL, gcLo}, // [16] ETHIOPIC SYLLABLE SEBATBEIT MWA..ETHIOPIC SYLLABLE PWE + {0x1390, 0x1399, prAL, gcSo}, // [10] ETHIOPIC TONAL MARK YIZET..ETHIOPIC TONAL MARK KURT + {0x13A0, 0x13F5, prAL, gcLu}, // [86] CHEROKEE LETTER A..CHEROKEE LETTER MV + {0x13F8, 0x13FD, prAL, gcLl}, // [6] CHEROKEE SMALL LETTER YE..CHEROKEE SMALL LETTER MV + {0x1400, 0x1400, prBA, gcPd}, // CANADIAN SYLLABICS HYPHEN + {0x1401, 0x166C, prAL, gcLo}, // [620] CANADIAN SYLLABICS E..CANADIAN SYLLABICS CARRIER TTSA + {0x166D, 0x166D, prAL, gcSo}, // CANADIAN SYLLABICS CHI SIGN + {0x166E, 0x166E, prAL, gcPo}, // CANADIAN SYLLABICS FULL STOP + {0x166F, 0x167F, prAL, gcLo}, // [17] CANADIAN SYLLABICS QAI..CANADIAN SYLLABICS BLACKFOOT W + {0x1680, 0x1680, prBA, gcZs}, // OGHAM SPACE MARK + {0x1681, 0x169A, prAL, gcLo}, // [26] OGHAM LETTER BEITH..OGHAM LETTER PEITH + {0x169B, 0x169B, prOP, gcPs}, // OGHAM FEATHER MARK + {0x169C, 0x169C, prCL, gcPe}, // OGHAM REVERSED FEATHER MARK + {0x16A0, 0x16EA, prAL, gcLo}, // [75] RUNIC LETTER FEHU FEOH FE F..RUNIC LETTER X + {0x16EB, 0x16ED, prBA, gcPo}, // [3] RUNIC SINGLE PUNCTUATION..RUNIC CROSS PUNCTUATION + {0x16EE, 0x16F0, prAL, gcNl}, // [3] RUNIC ARLAUG SYMBOL..RUNIC BELGTHOR SYMBOL + {0x16F1, 0x16F8, prAL, gcLo}, // [8] RUNIC LETTER K..RUNIC LETTER FRANKS CASKET AESC + {0x1700, 0x1711, prAL, gcLo}, // [18] TAGALOG LETTER A..TAGALOG LETTER HA + {0x1712, 0x1714, prCM, gcMn}, // [3] TAGALOG VOWEL SIGN I..TAGALOG SIGN VIRAMA + {0x1715, 0x1715, prCM, gcMc}, // TAGALOG SIGN PAMUDPOD + {0x171F, 0x171F, prAL, gcLo}, // TAGALOG LETTER ARCHAIC RA + {0x1720, 0x1731, prAL, gcLo}, // [18] HANUNOO LETTER A..HANUNOO LETTER HA + {0x1732, 0x1733, prCM, gcMn}, // [2] HANUNOO VOWEL SIGN I..HANUNOO VOWEL SIGN U + {0x1734, 0x1734, prCM, gcMc}, // HANUNOO SIGN PAMUDPOD + {0x1735, 0x1736, prBA, gcPo}, // [2] PHILIPPINE SINGLE PUNCTUATION..PHILIPPINE DOUBLE PUNCTUATION + {0x1740, 0x1751, prAL, gcLo}, // [18] BUHID LETTER A..BUHID LETTER HA + {0x1752, 0x1753, prCM, gcMn}, // [2] BUHID VOWEL SIGN I..BUHID VOWEL SIGN U + {0x1760, 0x176C, prAL, gcLo}, // [13] TAGBANWA LETTER A..TAGBANWA LETTER YA + {0x176E, 0x1770, prAL, gcLo}, // [3] TAGBANWA LETTER LA..TAGBANWA LETTER SA + {0x1772, 0x1773, prCM, gcMn}, // [2] TAGBANWA VOWEL SIGN I..TAGBANWA VOWEL SIGN U + {0x1780, 0x17B3, prSA, gcLo}, // [52] KHMER LETTER KA..KHMER INDEPENDENT VOWEL QAU + {0x17B4, 0x17B5, prSA, gcMn}, // [2] KHMER VOWEL INHERENT AQ..KHMER VOWEL INHERENT AA + {0x17B6, 0x17B6, prSA, gcMc}, // KHMER VOWEL SIGN AA + {0x17B7, 0x17BD, prSA, gcMn}, // [7] KHMER VOWEL SIGN I..KHMER VOWEL SIGN UA + {0x17BE, 0x17C5, prSA, gcMc}, // [8] KHMER VOWEL SIGN OE..KHMER VOWEL SIGN AU + {0x17C6, 0x17C6, prSA, gcMn}, // KHMER SIGN NIKAHIT + {0x17C7, 0x17C8, prSA, gcMc}, // [2] KHMER SIGN REAHMUK..KHMER SIGN YUUKALEAPINTU + {0x17C9, 0x17D3, prSA, gcMn}, // [11] KHMER SIGN MUUSIKATOAN..KHMER SIGN BATHAMASAT + {0x17D4, 0x17D5, prBA, gcPo}, // [2] KHMER SIGN KHAN..KHMER SIGN BARIYOOSAN + {0x17D6, 0x17D6, prNS, gcPo}, // KHMER SIGN CAMNUC PII KUUH + {0x17D7, 0x17D7, prSA, gcLm}, // KHMER SIGN LEK TOO + {0x17D8, 0x17D8, prBA, gcPo}, // KHMER SIGN BEYYAL + {0x17D9, 0x17D9, prAL, gcPo}, // KHMER SIGN PHNAEK MUAN + {0x17DA, 0x17DA, prBA, gcPo}, // KHMER SIGN KOOMUUT + {0x17DB, 0x17DB, prPR, gcSc}, // KHMER CURRENCY SYMBOL RIEL + {0x17DC, 0x17DC, prSA, gcLo}, // KHMER SIGN AVAKRAHASANYA + {0x17DD, 0x17DD, prSA, gcMn}, // KHMER SIGN ATTHACAN + {0x17E0, 0x17E9, prNU, gcNd}, // [10] KHMER DIGIT ZERO..KHMER DIGIT NINE + {0x17F0, 0x17F9, prAL, gcNo}, // [10] KHMER SYMBOL LEK ATTAK SON..KHMER SYMBOL LEK ATTAK PRAM-BUON + {0x1800, 0x1801, prAL, gcPo}, // [2] MONGOLIAN BIRGA..MONGOLIAN ELLIPSIS + {0x1802, 0x1803, prEX, gcPo}, // [2] MONGOLIAN COMMA..MONGOLIAN FULL STOP + {0x1804, 0x1805, prBA, gcPo}, // [2] MONGOLIAN COLON..MONGOLIAN FOUR DOTS + {0x1806, 0x1806, prBB, gcPd}, // MONGOLIAN TODO SOFT HYPHEN + {0x1807, 0x1807, prAL, gcPo}, // MONGOLIAN SIBE SYLLABLE BOUNDARY MARKER + {0x1808, 0x1809, prEX, gcPo}, // [2] MONGOLIAN MANCHU COMMA..MONGOLIAN MANCHU FULL STOP + {0x180A, 0x180A, prAL, gcPo}, // MONGOLIAN NIRUGU + {0x180B, 0x180D, prCM, gcMn}, // [3] MONGOLIAN FREE VARIATION SELECTOR ONE..MONGOLIAN FREE VARIATION SELECTOR THREE + {0x180E, 0x180E, prGL, gcCf}, // MONGOLIAN VOWEL SEPARATOR + {0x180F, 0x180F, prCM, gcMn}, // MONGOLIAN FREE VARIATION SELECTOR FOUR + {0x1810, 0x1819, prNU, gcNd}, // [10] MONGOLIAN DIGIT ZERO..MONGOLIAN DIGIT NINE + {0x1820, 0x1842, prAL, gcLo}, // [35] MONGOLIAN LETTER A..MONGOLIAN LETTER CHI + {0x1843, 0x1843, prAL, gcLm}, // MONGOLIAN LETTER TODO LONG VOWEL SIGN + {0x1844, 0x1878, prAL, gcLo}, // [53] MONGOLIAN LETTER TODO E..MONGOLIAN LETTER CHA WITH TWO DOTS + {0x1880, 0x1884, prAL, gcLo}, // [5] MONGOLIAN LETTER ALI GALI ANUSVARA ONE..MONGOLIAN LETTER ALI GALI INVERTED UBADAMA + {0x1885, 0x1886, prCM, gcMn}, // [2] MONGOLIAN LETTER ALI GALI BALUDA..MONGOLIAN LETTER ALI GALI THREE BALUDA + {0x1887, 0x18A8, prAL, gcLo}, // [34] MONGOLIAN LETTER ALI GALI A..MONGOLIAN LETTER MANCHU ALI GALI BHA + {0x18A9, 0x18A9, prCM, gcMn}, // MONGOLIAN LETTER ALI GALI DAGALGA + {0x18AA, 0x18AA, prAL, gcLo}, // MONGOLIAN LETTER MANCHU ALI GALI LHA + {0x18B0, 0x18F5, prAL, gcLo}, // [70] CANADIAN SYLLABICS OY..CANADIAN SYLLABICS CARRIER DENTAL S + {0x1900, 0x191E, prAL, gcLo}, // [31] LIMBU VOWEL-CARRIER LETTER..LIMBU LETTER TRA + {0x1920, 0x1922, prCM, gcMn}, // [3] LIMBU VOWEL SIGN A..LIMBU VOWEL SIGN U + {0x1923, 0x1926, prCM, gcMc}, // [4] LIMBU VOWEL SIGN EE..LIMBU VOWEL SIGN AU + {0x1927, 0x1928, prCM, gcMn}, // [2] LIMBU VOWEL SIGN E..LIMBU VOWEL SIGN O + {0x1929, 0x192B, prCM, gcMc}, // [3] LIMBU SUBJOINED LETTER YA..LIMBU SUBJOINED LETTER WA + {0x1930, 0x1931, prCM, gcMc}, // [2] LIMBU SMALL LETTER KA..LIMBU SMALL LETTER NGA + {0x1932, 0x1932, prCM, gcMn}, // LIMBU SMALL LETTER ANUSVARA + {0x1933, 0x1938, prCM, gcMc}, // [6] LIMBU SMALL LETTER TA..LIMBU SMALL LETTER LA + {0x1939, 0x193B, prCM, gcMn}, // [3] LIMBU SIGN MUKPHRENG..LIMBU SIGN SA-I + {0x1940, 0x1940, prAL, gcSo}, // LIMBU SIGN LOO + {0x1944, 0x1945, prEX, gcPo}, // [2] LIMBU EXCLAMATION MARK..LIMBU QUESTION MARK + {0x1946, 0x194F, prNU, gcNd}, // [10] LIMBU DIGIT ZERO..LIMBU DIGIT NINE + {0x1950, 0x196D, prSA, gcLo}, // [30] TAI LE LETTER KA..TAI LE LETTER AI + {0x1970, 0x1974, prSA, gcLo}, // [5] TAI LE LETTER TONE-2..TAI LE LETTER TONE-6 + {0x1980, 0x19AB, prSA, gcLo}, // [44] NEW TAI LUE LETTER HIGH QA..NEW TAI LUE LETTER LOW SUA + {0x19B0, 0x19C9, prSA, gcLo}, // [26] NEW TAI LUE VOWEL SIGN VOWEL SHORTENER..NEW TAI LUE TONE MARK-2 + {0x19D0, 0x19D9, prNU, gcNd}, // [10] NEW TAI LUE DIGIT ZERO..NEW TAI LUE DIGIT NINE + {0x19DA, 0x19DA, prSA, gcNo}, // NEW TAI LUE THAM DIGIT ONE + {0x19DE, 0x19DF, prSA, gcSo}, // [2] NEW TAI LUE SIGN LAE..NEW TAI LUE SIGN LAEV + {0x19E0, 0x19FF, prAL, gcSo}, // [32] KHMER SYMBOL PATHAMASAT..KHMER SYMBOL DAP-PRAM ROC + {0x1A00, 0x1A16, prAL, gcLo}, // [23] BUGINESE LETTER KA..BUGINESE LETTER HA + {0x1A17, 0x1A18, prCM, gcMn}, // [2] BUGINESE VOWEL SIGN I..BUGINESE VOWEL SIGN U + {0x1A19, 0x1A1A, prCM, gcMc}, // [2] BUGINESE VOWEL SIGN E..BUGINESE VOWEL SIGN O + {0x1A1B, 0x1A1B, prCM, gcMn}, // BUGINESE VOWEL SIGN AE + {0x1A1E, 0x1A1F, prAL, gcPo}, // [2] BUGINESE PALLAWA..BUGINESE END OF SECTION + {0x1A20, 0x1A54, prSA, gcLo}, // [53] TAI THAM LETTER HIGH KA..TAI THAM LETTER GREAT SA + {0x1A55, 0x1A55, prSA, gcMc}, // TAI THAM CONSONANT SIGN MEDIAL RA + {0x1A56, 0x1A56, prSA, gcMn}, // TAI THAM CONSONANT SIGN MEDIAL LA + {0x1A57, 0x1A57, prSA, gcMc}, // TAI THAM CONSONANT SIGN LA TANG LAI + {0x1A58, 0x1A5E, prSA, gcMn}, // [7] TAI THAM SIGN MAI KANG LAI..TAI THAM CONSONANT SIGN SA + {0x1A60, 0x1A60, prSA, gcMn}, // TAI THAM SIGN SAKOT + {0x1A61, 0x1A61, prSA, gcMc}, // TAI THAM VOWEL SIGN A + {0x1A62, 0x1A62, prSA, gcMn}, // TAI THAM VOWEL SIGN MAI SAT + {0x1A63, 0x1A64, prSA, gcMc}, // [2] TAI THAM VOWEL SIGN AA..TAI THAM VOWEL SIGN TALL AA + {0x1A65, 0x1A6C, prSA, gcMn}, // [8] TAI THAM VOWEL SIGN I..TAI THAM VOWEL SIGN OA BELOW + {0x1A6D, 0x1A72, prSA, gcMc}, // [6] TAI THAM VOWEL SIGN OY..TAI THAM VOWEL SIGN THAM AI + {0x1A73, 0x1A7C, prSA, gcMn}, // [10] TAI THAM VOWEL SIGN OA ABOVE..TAI THAM SIGN KHUEN-LUE KARAN + {0x1A7F, 0x1A7F, prCM, gcMn}, // TAI THAM COMBINING CRYPTOGRAMMIC DOT + {0x1A80, 0x1A89, prNU, gcNd}, // [10] TAI THAM HORA DIGIT ZERO..TAI THAM HORA DIGIT NINE + {0x1A90, 0x1A99, prNU, gcNd}, // [10] TAI THAM THAM DIGIT ZERO..TAI THAM THAM DIGIT NINE + {0x1AA0, 0x1AA6, prSA, gcPo}, // [7] TAI THAM SIGN WIANG..TAI THAM SIGN REVERSED ROTATED RANA + {0x1AA7, 0x1AA7, prSA, gcLm}, // TAI THAM SIGN MAI YAMOK + {0x1AA8, 0x1AAD, prSA, gcPo}, // [6] TAI THAM SIGN KAAN..TAI THAM SIGN CAANG + {0x1AB0, 0x1ABD, prCM, gcMn}, // [14] COMBINING DOUBLED CIRCUMFLEX ACCENT..COMBINING PARENTHESES BELOW + {0x1ABE, 0x1ABE, prCM, gcMe}, // COMBINING PARENTHESES OVERLAY + {0x1ABF, 0x1ACE, prCM, gcMn}, // [16] COMBINING LATIN SMALL LETTER W BELOW..COMBINING LATIN SMALL LETTER INSULAR T + {0x1B00, 0x1B03, prCM, gcMn}, // [4] BALINESE SIGN ULU RICEM..BALINESE SIGN SURANG + {0x1B04, 0x1B04, prCM, gcMc}, // BALINESE SIGN BISAH + {0x1B05, 0x1B33, prAL, gcLo}, // [47] BALINESE LETTER AKARA..BALINESE LETTER HA + {0x1B34, 0x1B34, prCM, gcMn}, // BALINESE SIGN REREKAN + {0x1B35, 0x1B35, prCM, gcMc}, // BALINESE VOWEL SIGN TEDUNG + {0x1B36, 0x1B3A, prCM, gcMn}, // [5] BALINESE VOWEL SIGN ULU..BALINESE VOWEL SIGN RA REPA + {0x1B3B, 0x1B3B, prCM, gcMc}, // BALINESE VOWEL SIGN RA REPA TEDUNG + {0x1B3C, 0x1B3C, prCM, gcMn}, // BALINESE VOWEL SIGN LA LENGA + {0x1B3D, 0x1B41, prCM, gcMc}, // [5] BALINESE VOWEL SIGN LA LENGA TEDUNG..BALINESE VOWEL SIGN TALING REPA TEDUNG + {0x1B42, 0x1B42, prCM, gcMn}, // BALINESE VOWEL SIGN PEPET + {0x1B43, 0x1B44, prCM, gcMc}, // [2] BALINESE VOWEL SIGN PEPET TEDUNG..BALINESE ADEG ADEG + {0x1B45, 0x1B4C, prAL, gcLo}, // [8] BALINESE LETTER KAF SASAK..BALINESE LETTER ARCHAIC JNYA + {0x1B50, 0x1B59, prNU, gcNd}, // [10] BALINESE DIGIT ZERO..BALINESE DIGIT NINE + {0x1B5A, 0x1B5B, prBA, gcPo}, // [2] BALINESE PANTI..BALINESE PAMADA + {0x1B5C, 0x1B5C, prAL, gcPo}, // BALINESE WINDU + {0x1B5D, 0x1B60, prBA, gcPo}, // [4] BALINESE CARIK PAMUNGKAH..BALINESE PAMENENG + {0x1B61, 0x1B6A, prAL, gcSo}, // [10] BALINESE MUSICAL SYMBOL DONG..BALINESE MUSICAL SYMBOL DANG GEDE + {0x1B6B, 0x1B73, prCM, gcMn}, // [9] BALINESE MUSICAL SYMBOL COMBINING TEGEH..BALINESE MUSICAL SYMBOL COMBINING GONG + {0x1B74, 0x1B7C, prAL, gcSo}, // [9] BALINESE MUSICAL SYMBOL RIGHT-HAND OPEN DUG..BALINESE MUSICAL SYMBOL LEFT-HAND OPEN PING + {0x1B7D, 0x1B7E, prBA, gcPo}, // [2] BALINESE PANTI LANTANG..BALINESE PAMADA LANTANG + {0x1B80, 0x1B81, prCM, gcMn}, // [2] SUNDANESE SIGN PANYECEK..SUNDANESE SIGN PANGLAYAR + {0x1B82, 0x1B82, prCM, gcMc}, // SUNDANESE SIGN PANGWISAD + {0x1B83, 0x1BA0, prAL, gcLo}, // [30] SUNDANESE LETTER A..SUNDANESE LETTER HA + {0x1BA1, 0x1BA1, prCM, gcMc}, // SUNDANESE CONSONANT SIGN PAMINGKAL + {0x1BA2, 0x1BA5, prCM, gcMn}, // [4] SUNDANESE CONSONANT SIGN PANYAKRA..SUNDANESE VOWEL SIGN PANYUKU + {0x1BA6, 0x1BA7, prCM, gcMc}, // [2] SUNDANESE VOWEL SIGN PANAELAENG..SUNDANESE VOWEL SIGN PANOLONG + {0x1BA8, 0x1BA9, prCM, gcMn}, // [2] SUNDANESE VOWEL SIGN PAMEPET..SUNDANESE VOWEL SIGN PANEULEUNG + {0x1BAA, 0x1BAA, prCM, gcMc}, // SUNDANESE SIGN PAMAAEH + {0x1BAB, 0x1BAD, prCM, gcMn}, // [3] SUNDANESE SIGN VIRAMA..SUNDANESE CONSONANT SIGN PASANGAN WA + {0x1BAE, 0x1BAF, prAL, gcLo}, // [2] SUNDANESE LETTER KHA..SUNDANESE LETTER SYA + {0x1BB0, 0x1BB9, prNU, gcNd}, // [10] SUNDANESE DIGIT ZERO..SUNDANESE DIGIT NINE + {0x1BBA, 0x1BBF, prAL, gcLo}, // [6] SUNDANESE AVAGRAHA..SUNDANESE LETTER FINAL M + {0x1BC0, 0x1BE5, prAL, gcLo}, // [38] BATAK LETTER A..BATAK LETTER U + {0x1BE6, 0x1BE6, prCM, gcMn}, // BATAK SIGN TOMPI + {0x1BE7, 0x1BE7, prCM, gcMc}, // BATAK VOWEL SIGN E + {0x1BE8, 0x1BE9, prCM, gcMn}, // [2] BATAK VOWEL SIGN PAKPAK E..BATAK VOWEL SIGN EE + {0x1BEA, 0x1BEC, prCM, gcMc}, // [3] BATAK VOWEL SIGN I..BATAK VOWEL SIGN O + {0x1BED, 0x1BED, prCM, gcMn}, // BATAK VOWEL SIGN KARO O + {0x1BEE, 0x1BEE, prCM, gcMc}, // BATAK VOWEL SIGN U + {0x1BEF, 0x1BF1, prCM, gcMn}, // [3] BATAK VOWEL SIGN U FOR SIMALUNGUN SA..BATAK CONSONANT SIGN H + {0x1BF2, 0x1BF3, prCM, gcMc}, // [2] BATAK PANGOLAT..BATAK PANONGONAN + {0x1BFC, 0x1BFF, prAL, gcPo}, // [4] BATAK SYMBOL BINDU NA METEK..BATAK SYMBOL BINDU PANGOLAT + {0x1C00, 0x1C23, prAL, gcLo}, // [36] LEPCHA LETTER KA..LEPCHA LETTER A + {0x1C24, 0x1C2B, prCM, gcMc}, // [8] LEPCHA SUBJOINED LETTER YA..LEPCHA VOWEL SIGN UU + {0x1C2C, 0x1C33, prCM, gcMn}, // [8] LEPCHA VOWEL SIGN E..LEPCHA CONSONANT SIGN T + {0x1C34, 0x1C35, prCM, gcMc}, // [2] LEPCHA CONSONANT SIGN NYIN-DO..LEPCHA CONSONANT SIGN KANG + {0x1C36, 0x1C37, prCM, gcMn}, // [2] LEPCHA SIGN RAN..LEPCHA SIGN NUKTA + {0x1C3B, 0x1C3F, prBA, gcPo}, // [5] LEPCHA PUNCTUATION TA-ROL..LEPCHA PUNCTUATION TSHOOK + {0x1C40, 0x1C49, prNU, gcNd}, // [10] LEPCHA DIGIT ZERO..LEPCHA DIGIT NINE + {0x1C4D, 0x1C4F, prAL, gcLo}, // [3] LEPCHA LETTER TTA..LEPCHA LETTER DDA + {0x1C50, 0x1C59, prNU, gcNd}, // [10] OL CHIKI DIGIT ZERO..OL CHIKI DIGIT NINE + {0x1C5A, 0x1C77, prAL, gcLo}, // [30] OL CHIKI LETTER LA..OL CHIKI LETTER OH + {0x1C78, 0x1C7D, prAL, gcLm}, // [6] OL CHIKI MU TTUDDAG..OL CHIKI AHAD + {0x1C7E, 0x1C7F, prBA, gcPo}, // [2] OL CHIKI PUNCTUATION MUCAAD..OL CHIKI PUNCTUATION DOUBLE MUCAAD + {0x1C80, 0x1C88, prAL, gcLl}, // [9] CYRILLIC SMALL LETTER ROUNDED VE..CYRILLIC SMALL LETTER UNBLENDED UK + {0x1C90, 0x1CBA, prAL, gcLu}, // [43] GEORGIAN MTAVRULI CAPITAL LETTER AN..GEORGIAN MTAVRULI CAPITAL LETTER AIN + {0x1CBD, 0x1CBF, prAL, gcLu}, // [3] GEORGIAN MTAVRULI CAPITAL LETTER AEN..GEORGIAN MTAVRULI CAPITAL LETTER LABIAL SIGN + {0x1CC0, 0x1CC7, prAL, gcPo}, // [8] SUNDANESE PUNCTUATION BINDU SURYA..SUNDANESE PUNCTUATION BINDU BA SATANGA + {0x1CD0, 0x1CD2, prCM, gcMn}, // [3] VEDIC TONE KARSHANA..VEDIC TONE PRENKHA + {0x1CD3, 0x1CD3, prAL, gcPo}, // VEDIC SIGN NIHSHVASA + {0x1CD4, 0x1CE0, prCM, gcMn}, // [13] VEDIC SIGN YAJURVEDIC MIDLINE SVARITA..VEDIC TONE RIGVEDIC KASHMIRI INDEPENDENT SVARITA + {0x1CE1, 0x1CE1, prCM, gcMc}, // VEDIC TONE ATHARVAVEDIC INDEPENDENT SVARITA + {0x1CE2, 0x1CE8, prCM, gcMn}, // [7] VEDIC SIGN VISARGA SVARITA..VEDIC SIGN VISARGA ANUDATTA WITH TAIL + {0x1CE9, 0x1CEC, prAL, gcLo}, // [4] VEDIC SIGN ANUSVARA ANTARGOMUKHA..VEDIC SIGN ANUSVARA VAMAGOMUKHA WITH TAIL + {0x1CED, 0x1CED, prCM, gcMn}, // VEDIC SIGN TIRYAK + {0x1CEE, 0x1CF3, prAL, gcLo}, // [6] VEDIC SIGN HEXIFORM LONG ANUSVARA..VEDIC SIGN ROTATED ARDHAVISARGA + {0x1CF4, 0x1CF4, prCM, gcMn}, // VEDIC TONE CANDRA ABOVE + {0x1CF5, 0x1CF6, prAL, gcLo}, // [2] VEDIC SIGN JIHVAMULIYA..VEDIC SIGN UPADHMANIYA + {0x1CF7, 0x1CF7, prCM, gcMc}, // VEDIC SIGN ATIKRAMA + {0x1CF8, 0x1CF9, prCM, gcMn}, // [2] VEDIC TONE RING ABOVE..VEDIC TONE DOUBLE RING ABOVE + {0x1CFA, 0x1CFA, prAL, gcLo}, // VEDIC SIGN DOUBLE ANUSVARA ANTARGOMUKHA + {0x1D00, 0x1D2B, prAL, gcLl}, // [44] LATIN LETTER SMALL CAPITAL A..CYRILLIC LETTER SMALL CAPITAL EL + {0x1D2C, 0x1D6A, prAL, gcLm}, // [63] MODIFIER LETTER CAPITAL A..GREEK SUBSCRIPT SMALL LETTER CHI + {0x1D6B, 0x1D77, prAL, gcLl}, // [13] LATIN SMALL LETTER UE..LATIN SMALL LETTER TURNED G + {0x1D78, 0x1D78, prAL, gcLm}, // MODIFIER LETTER CYRILLIC EN + {0x1D79, 0x1D7F, prAL, gcLl}, // [7] LATIN SMALL LETTER INSULAR G..LATIN SMALL LETTER UPSILON WITH STROKE + {0x1D80, 0x1D9A, prAL, gcLl}, // [27] LATIN SMALL LETTER B WITH PALATAL HOOK..LATIN SMALL LETTER EZH WITH RETROFLEX HOOK + {0x1D9B, 0x1DBF, prAL, gcLm}, // [37] MODIFIER LETTER SMALL TURNED ALPHA..MODIFIER LETTER SMALL THETA + {0x1DC0, 0x1DCC, prCM, gcMn}, // [13] COMBINING DOTTED GRAVE ACCENT..COMBINING MACRON-BREVE + {0x1DCD, 0x1DCD, prGL, gcMn}, // COMBINING DOUBLE CIRCUMFLEX ABOVE + {0x1DCE, 0x1DFB, prCM, gcMn}, // [46] COMBINING OGONEK ABOVE..COMBINING DELETION MARK + {0x1DFC, 0x1DFC, prGL, gcMn}, // COMBINING DOUBLE INVERTED BREVE BELOW + {0x1DFD, 0x1DFF, prCM, gcMn}, // [3] COMBINING ALMOST EQUAL TO BELOW..COMBINING RIGHT ARROWHEAD AND DOWN ARROWHEAD BELOW + {0x1E00, 0x1EFF, prAL, gcLC}, // [256] LATIN CAPITAL LETTER A WITH RING BELOW..LATIN SMALL LETTER Y WITH LOOP + {0x1F00, 0x1F15, prAL, gcLC}, // [22] GREEK SMALL LETTER ALPHA WITH PSILI..GREEK SMALL LETTER EPSILON WITH DASIA AND OXIA + {0x1F18, 0x1F1D, prAL, gcLu}, // [6] GREEK CAPITAL LETTER EPSILON WITH PSILI..GREEK CAPITAL LETTER EPSILON WITH DASIA AND OXIA + {0x1F20, 0x1F45, prAL, gcLC}, // [38] GREEK SMALL LETTER ETA WITH PSILI..GREEK SMALL LETTER OMICRON WITH DASIA AND OXIA + {0x1F48, 0x1F4D, prAL, gcLu}, // [6] GREEK CAPITAL LETTER OMICRON WITH PSILI..GREEK CAPITAL LETTER OMICRON WITH DASIA AND OXIA + {0x1F50, 0x1F57, prAL, gcLl}, // [8] GREEK SMALL LETTER UPSILON WITH PSILI..GREEK SMALL LETTER UPSILON WITH DASIA AND PERISPOMENI + {0x1F59, 0x1F59, prAL, gcLu}, // GREEK CAPITAL LETTER UPSILON WITH DASIA + {0x1F5B, 0x1F5B, prAL, gcLu}, // GREEK CAPITAL LETTER UPSILON WITH DASIA AND VARIA + {0x1F5D, 0x1F5D, prAL, gcLu}, // GREEK CAPITAL LETTER UPSILON WITH DASIA AND OXIA + {0x1F5F, 0x1F7D, prAL, gcLC}, // [31] GREEK CAPITAL LETTER UPSILON WITH DASIA AND PERISPOMENI..GREEK SMALL LETTER OMEGA WITH OXIA + {0x1F80, 0x1FB4, prAL, gcLC}, // [53] GREEK SMALL LETTER ALPHA WITH PSILI AND YPOGEGRAMMENI..GREEK SMALL LETTER ALPHA WITH OXIA AND YPOGEGRAMMENI + {0x1FB6, 0x1FBC, prAL, gcLC}, // [7] GREEK SMALL LETTER ALPHA WITH PERISPOMENI..GREEK CAPITAL LETTER ALPHA WITH PROSGEGRAMMENI + {0x1FBD, 0x1FBD, prAL, gcSk}, // GREEK KORONIS + {0x1FBE, 0x1FBE, prAL, gcLl}, // GREEK PROSGEGRAMMENI + {0x1FBF, 0x1FC1, prAL, gcSk}, // [3] GREEK PSILI..GREEK DIALYTIKA AND PERISPOMENI + {0x1FC2, 0x1FC4, prAL, gcLl}, // [3] GREEK SMALL LETTER ETA WITH VARIA AND YPOGEGRAMMENI..GREEK SMALL LETTER ETA WITH OXIA AND YPOGEGRAMMENI + {0x1FC6, 0x1FCC, prAL, gcLC}, // [7] GREEK SMALL LETTER ETA WITH PERISPOMENI..GREEK CAPITAL LETTER ETA WITH PROSGEGRAMMENI + {0x1FCD, 0x1FCF, prAL, gcSk}, // [3] GREEK PSILI AND VARIA..GREEK PSILI AND PERISPOMENI + {0x1FD0, 0x1FD3, prAL, gcLl}, // [4] GREEK SMALL LETTER IOTA WITH VRACHY..GREEK SMALL LETTER IOTA WITH DIALYTIKA AND OXIA + {0x1FD6, 0x1FDB, prAL, gcLC}, // [6] GREEK SMALL LETTER IOTA WITH PERISPOMENI..GREEK CAPITAL LETTER IOTA WITH OXIA + {0x1FDD, 0x1FDF, prAL, gcSk}, // [3] GREEK DASIA AND VARIA..GREEK DASIA AND PERISPOMENI + {0x1FE0, 0x1FEC, prAL, gcLC}, // [13] GREEK SMALL LETTER UPSILON WITH VRACHY..GREEK CAPITAL LETTER RHO WITH DASIA + {0x1FED, 0x1FEF, prAL, gcSk}, // [3] GREEK DIALYTIKA AND VARIA..GREEK VARIA + {0x1FF2, 0x1FF4, prAL, gcLl}, // [3] GREEK SMALL LETTER OMEGA WITH VARIA AND YPOGEGRAMMENI..GREEK SMALL LETTER OMEGA WITH OXIA AND YPOGEGRAMMENI + {0x1FF6, 0x1FFC, prAL, gcLC}, // [7] GREEK SMALL LETTER OMEGA WITH PERISPOMENI..GREEK CAPITAL LETTER OMEGA WITH PROSGEGRAMMENI + {0x1FFD, 0x1FFD, prBB, gcSk}, // GREEK OXIA + {0x1FFE, 0x1FFE, prAL, gcSk}, // GREEK DASIA + {0x2000, 0x2006, prBA, gcZs}, // [7] EN QUAD..SIX-PER-EM SPACE + {0x2007, 0x2007, prGL, gcZs}, // FIGURE SPACE + {0x2008, 0x200A, prBA, gcZs}, // [3] PUNCTUATION SPACE..HAIR SPACE + {0x200B, 0x200B, prZW, gcCf}, // ZERO WIDTH SPACE + {0x200C, 0x200C, prCM, gcCf}, // ZERO WIDTH NON-JOINER + {0x200D, 0x200D, prZWJ, gcCf}, // ZERO WIDTH JOINER + {0x200E, 0x200F, prCM, gcCf}, // [2] LEFT-TO-RIGHT MARK..RIGHT-TO-LEFT MARK + {0x2010, 0x2010, prBA, gcPd}, // HYPHEN + {0x2011, 0x2011, prGL, gcPd}, // NON-BREAKING HYPHEN + {0x2012, 0x2013, prBA, gcPd}, // [2] FIGURE DASH..EN DASH + {0x2014, 0x2014, prB2, gcPd}, // EM DASH + {0x2015, 0x2015, prAI, gcPd}, // HORIZONTAL BAR + {0x2016, 0x2016, prAI, gcPo}, // DOUBLE VERTICAL LINE + {0x2017, 0x2017, prAL, gcPo}, // DOUBLE LOW LINE + {0x2018, 0x2018, prQU, gcPi}, // LEFT SINGLE QUOTATION MARK + {0x2019, 0x2019, prQU, gcPf}, // RIGHT SINGLE QUOTATION MARK + {0x201A, 0x201A, prOP, gcPs}, // SINGLE LOW-9 QUOTATION MARK + {0x201B, 0x201C, prQU, gcPi}, // [2] SINGLE HIGH-REVERSED-9 QUOTATION MARK..LEFT DOUBLE QUOTATION MARK + {0x201D, 0x201D, prQU, gcPf}, // RIGHT DOUBLE QUOTATION MARK + {0x201E, 0x201E, prOP, gcPs}, // DOUBLE LOW-9 QUOTATION MARK + {0x201F, 0x201F, prQU, gcPi}, // DOUBLE HIGH-REVERSED-9 QUOTATION MARK + {0x2020, 0x2021, prAI, gcPo}, // [2] DAGGER..DOUBLE DAGGER + {0x2022, 0x2023, prAL, gcPo}, // [2] BULLET..TRIANGULAR BULLET + {0x2024, 0x2026, prIN, gcPo}, // [3] ONE DOT LEADER..HORIZONTAL ELLIPSIS + {0x2027, 0x2027, prBA, gcPo}, // HYPHENATION POINT + {0x2028, 0x2028, prBK, gcZl}, // LINE SEPARATOR + {0x2029, 0x2029, prBK, gcZp}, // PARAGRAPH SEPARATOR + {0x202A, 0x202E, prCM, gcCf}, // [5] LEFT-TO-RIGHT EMBEDDING..RIGHT-TO-LEFT OVERRIDE + {0x202F, 0x202F, prGL, gcZs}, // NARROW NO-BREAK SPACE + {0x2030, 0x2037, prPO, gcPo}, // [8] PER MILLE SIGN..REVERSED TRIPLE PRIME + {0x2038, 0x2038, prAL, gcPo}, // CARET + {0x2039, 0x2039, prQU, gcPi}, // SINGLE LEFT-POINTING ANGLE QUOTATION MARK + {0x203A, 0x203A, prQU, gcPf}, // SINGLE RIGHT-POINTING ANGLE QUOTATION MARK + {0x203B, 0x203B, prAI, gcPo}, // REFERENCE MARK + {0x203C, 0x203D, prNS, gcPo}, // [2] DOUBLE EXCLAMATION MARK..INTERROBANG + {0x203E, 0x203E, prAL, gcPo}, // OVERLINE + {0x203F, 0x2040, prAL, gcPc}, // [2] UNDERTIE..CHARACTER TIE + {0x2041, 0x2043, prAL, gcPo}, // [3] CARET INSERTION POINT..HYPHEN BULLET + {0x2044, 0x2044, prIS, gcSm}, // FRACTION SLASH + {0x2045, 0x2045, prOP, gcPs}, // LEFT SQUARE BRACKET WITH QUILL + {0x2046, 0x2046, prCL, gcPe}, // RIGHT SQUARE BRACKET WITH QUILL + {0x2047, 0x2049, prNS, gcPo}, // [3] DOUBLE QUESTION MARK..EXCLAMATION QUESTION MARK + {0x204A, 0x2051, prAL, gcPo}, // [8] TIRONIAN SIGN ET..TWO ASTERISKS ALIGNED VERTICALLY + {0x2052, 0x2052, prAL, gcSm}, // COMMERCIAL MINUS SIGN + {0x2053, 0x2053, prAL, gcPo}, // SWUNG DASH + {0x2054, 0x2054, prAL, gcPc}, // INVERTED UNDERTIE + {0x2055, 0x2055, prAL, gcPo}, // FLOWER PUNCTUATION MARK + {0x2056, 0x2056, prBA, gcPo}, // THREE DOT PUNCTUATION + {0x2057, 0x2057, prPO, gcPo}, // QUADRUPLE PRIME + {0x2058, 0x205B, prBA, gcPo}, // [4] FOUR DOT PUNCTUATION..FOUR DOT MARK + {0x205C, 0x205C, prAL, gcPo}, // DOTTED CROSS + {0x205D, 0x205E, prBA, gcPo}, // [2] TRICOLON..VERTICAL FOUR DOTS + {0x205F, 0x205F, prBA, gcZs}, // MEDIUM MATHEMATICAL SPACE + {0x2060, 0x2060, prWJ, gcCf}, // WORD JOINER + {0x2061, 0x2064, prAL, gcCf}, // [4] FUNCTION APPLICATION..INVISIBLE PLUS + {0x2066, 0x206F, prCM, gcCf}, // [10] LEFT-TO-RIGHT ISOLATE..NOMINAL DIGIT SHAPES + {0x2070, 0x2070, prAL, gcNo}, // SUPERSCRIPT ZERO + {0x2071, 0x2071, prAL, gcLm}, // SUPERSCRIPT LATIN SMALL LETTER I + {0x2074, 0x2074, prAI, gcNo}, // SUPERSCRIPT FOUR + {0x2075, 0x2079, prAL, gcNo}, // [5] SUPERSCRIPT FIVE..SUPERSCRIPT NINE + {0x207A, 0x207C, prAL, gcSm}, // [3] SUPERSCRIPT PLUS SIGN..SUPERSCRIPT EQUALS SIGN + {0x207D, 0x207D, prOP, gcPs}, // SUPERSCRIPT LEFT PARENTHESIS + {0x207E, 0x207E, prCL, gcPe}, // SUPERSCRIPT RIGHT PARENTHESIS + {0x207F, 0x207F, prAI, gcLm}, // SUPERSCRIPT LATIN SMALL LETTER N + {0x2080, 0x2080, prAL, gcNo}, // SUBSCRIPT ZERO + {0x2081, 0x2084, prAI, gcNo}, // [4] SUBSCRIPT ONE..SUBSCRIPT FOUR + {0x2085, 0x2089, prAL, gcNo}, // [5] SUBSCRIPT FIVE..SUBSCRIPT NINE + {0x208A, 0x208C, prAL, gcSm}, // [3] SUBSCRIPT PLUS SIGN..SUBSCRIPT EQUALS SIGN + {0x208D, 0x208D, prOP, gcPs}, // SUBSCRIPT LEFT PARENTHESIS + {0x208E, 0x208E, prCL, gcPe}, // SUBSCRIPT RIGHT PARENTHESIS + {0x2090, 0x209C, prAL, gcLm}, // [13] LATIN SUBSCRIPT SMALL LETTER A..LATIN SUBSCRIPT SMALL LETTER T + {0x20A0, 0x20A6, prPR, gcSc}, // [7] EURO-CURRENCY SIGN..NAIRA SIGN + {0x20A7, 0x20A7, prPO, gcSc}, // PESETA SIGN + {0x20A8, 0x20B5, prPR, gcSc}, // [14] RUPEE SIGN..CEDI SIGN + {0x20B6, 0x20B6, prPO, gcSc}, // LIVRE TOURNOIS SIGN + {0x20B7, 0x20BA, prPR, gcSc}, // [4] SPESMILO SIGN..TURKISH LIRA SIGN + {0x20BB, 0x20BB, prPO, gcSc}, // NORDIC MARK SIGN + {0x20BC, 0x20BD, prPR, gcSc}, // [2] MANAT SIGN..RUBLE SIGN + {0x20BE, 0x20BE, prPO, gcSc}, // LARI SIGN + {0x20BF, 0x20BF, prPR, gcSc}, // BITCOIN SIGN + {0x20C0, 0x20C0, prPO, gcSc}, // SOM SIGN + {0x20C1, 0x20CF, prPR, gcCn}, // [15] .. + {0x20D0, 0x20DC, prCM, gcMn}, // [13] COMBINING LEFT HARPOON ABOVE..COMBINING FOUR DOTS ABOVE + {0x20DD, 0x20E0, prCM, gcMe}, // [4] COMBINING ENCLOSING CIRCLE..COMBINING ENCLOSING CIRCLE BACKSLASH + {0x20E1, 0x20E1, prCM, gcMn}, // COMBINING LEFT RIGHT ARROW ABOVE + {0x20E2, 0x20E4, prCM, gcMe}, // [3] COMBINING ENCLOSING SCREEN..COMBINING ENCLOSING UPWARD POINTING TRIANGLE + {0x20E5, 0x20F0, prCM, gcMn}, // [12] COMBINING REVERSE SOLIDUS OVERLAY..COMBINING ASTERISK ABOVE + {0x2100, 0x2101, prAL, gcSo}, // [2] ACCOUNT OF..ADDRESSED TO THE SUBJECT + {0x2102, 0x2102, prAL, gcLu}, // DOUBLE-STRUCK CAPITAL C + {0x2103, 0x2103, prPO, gcSo}, // DEGREE CELSIUS + {0x2104, 0x2104, prAL, gcSo}, // CENTRE LINE SYMBOL + {0x2105, 0x2105, prAI, gcSo}, // CARE OF + {0x2106, 0x2106, prAL, gcSo}, // CADA UNA + {0x2107, 0x2107, prAL, gcLu}, // EULER CONSTANT + {0x2108, 0x2108, prAL, gcSo}, // SCRUPLE + {0x2109, 0x2109, prPO, gcSo}, // DEGREE FAHRENHEIT + {0x210A, 0x2112, prAL, gcLC}, // [9] SCRIPT SMALL G..SCRIPT CAPITAL L + {0x2113, 0x2113, prAI, gcLl}, // SCRIPT SMALL L + {0x2114, 0x2114, prAL, gcSo}, // L B BAR SYMBOL + {0x2115, 0x2115, prAL, gcLu}, // DOUBLE-STRUCK CAPITAL N + {0x2116, 0x2116, prPR, gcSo}, // NUMERO SIGN + {0x2117, 0x2117, prAL, gcSo}, // SOUND RECORDING COPYRIGHT + {0x2118, 0x2118, prAL, gcSm}, // SCRIPT CAPITAL P + {0x2119, 0x211D, prAL, gcLu}, // [5] DOUBLE-STRUCK CAPITAL P..DOUBLE-STRUCK CAPITAL R + {0x211E, 0x2120, prAL, gcSo}, // [3] PRESCRIPTION TAKE..SERVICE MARK + {0x2121, 0x2122, prAI, gcSo}, // [2] TELEPHONE SIGN..TRADE MARK SIGN + {0x2123, 0x2123, prAL, gcSo}, // VERSICLE + {0x2124, 0x2124, prAL, gcLu}, // DOUBLE-STRUCK CAPITAL Z + {0x2125, 0x2125, prAL, gcSo}, // OUNCE SIGN + {0x2126, 0x2126, prAL, gcLu}, // OHM SIGN + {0x2127, 0x2127, prAL, gcSo}, // INVERTED OHM SIGN + {0x2128, 0x2128, prAL, gcLu}, // BLACK-LETTER CAPITAL Z + {0x2129, 0x2129, prAL, gcSo}, // TURNED GREEK SMALL LETTER IOTA + {0x212A, 0x212A, prAL, gcLu}, // KELVIN SIGN + {0x212B, 0x212B, prAI, gcLu}, // ANGSTROM SIGN + {0x212C, 0x212D, prAL, gcLu}, // [2] SCRIPT CAPITAL B..BLACK-LETTER CAPITAL C + {0x212E, 0x212E, prAL, gcSo}, // ESTIMATED SYMBOL + {0x212F, 0x2134, prAL, gcLC}, // [6] SCRIPT SMALL E..SCRIPT SMALL O + {0x2135, 0x2138, prAL, gcLo}, // [4] ALEF SYMBOL..DALET SYMBOL + {0x2139, 0x2139, prAL, gcLl}, // INFORMATION SOURCE + {0x213A, 0x213B, prAL, gcSo}, // [2] ROTATED CAPITAL Q..FACSIMILE SIGN + {0x213C, 0x213F, prAL, gcLC}, // [4] DOUBLE-STRUCK SMALL PI..DOUBLE-STRUCK CAPITAL PI + {0x2140, 0x2144, prAL, gcSm}, // [5] DOUBLE-STRUCK N-ARY SUMMATION..TURNED SANS-SERIF CAPITAL Y + {0x2145, 0x2149, prAL, gcLC}, // [5] DOUBLE-STRUCK ITALIC CAPITAL D..DOUBLE-STRUCK ITALIC SMALL J + {0x214A, 0x214A, prAL, gcSo}, // PROPERTY LINE + {0x214B, 0x214B, prAL, gcSm}, // TURNED AMPERSAND + {0x214C, 0x214D, prAL, gcSo}, // [2] PER SIGN..AKTIESELSKAB + {0x214E, 0x214E, prAL, gcLl}, // TURNED SMALL F + {0x214F, 0x214F, prAL, gcSo}, // SYMBOL FOR SAMARITAN SOURCE + {0x2150, 0x2153, prAL, gcNo}, // [4] VULGAR FRACTION ONE SEVENTH..VULGAR FRACTION ONE THIRD + {0x2154, 0x2155, prAI, gcNo}, // [2] VULGAR FRACTION TWO THIRDS..VULGAR FRACTION ONE FIFTH + {0x2156, 0x215A, prAL, gcNo}, // [5] VULGAR FRACTION TWO FIFTHS..VULGAR FRACTION FIVE SIXTHS + {0x215B, 0x215B, prAI, gcNo}, // VULGAR FRACTION ONE EIGHTH + {0x215C, 0x215D, prAL, gcNo}, // [2] VULGAR FRACTION THREE EIGHTHS..VULGAR FRACTION FIVE EIGHTHS + {0x215E, 0x215E, prAI, gcNo}, // VULGAR FRACTION SEVEN EIGHTHS + {0x215F, 0x215F, prAL, gcNo}, // FRACTION NUMERATOR ONE + {0x2160, 0x216B, prAI, gcNl}, // [12] ROMAN NUMERAL ONE..ROMAN NUMERAL TWELVE + {0x216C, 0x216F, prAL, gcNl}, // [4] ROMAN NUMERAL FIFTY..ROMAN NUMERAL ONE THOUSAND + {0x2170, 0x2179, prAI, gcNl}, // [10] SMALL ROMAN NUMERAL ONE..SMALL ROMAN NUMERAL TEN + {0x217A, 0x2182, prAL, gcNl}, // [9] SMALL ROMAN NUMERAL ELEVEN..ROMAN NUMERAL TEN THOUSAND + {0x2183, 0x2184, prAL, gcLC}, // [2] ROMAN NUMERAL REVERSED ONE HUNDRED..LATIN SMALL LETTER REVERSED C + {0x2185, 0x2188, prAL, gcNl}, // [4] ROMAN NUMERAL SIX LATE FORM..ROMAN NUMERAL ONE HUNDRED THOUSAND + {0x2189, 0x2189, prAI, gcNo}, // VULGAR FRACTION ZERO THIRDS + {0x218A, 0x218B, prAL, gcSo}, // [2] TURNED DIGIT TWO..TURNED DIGIT THREE + {0x2190, 0x2194, prAI, gcSm}, // [5] LEFTWARDS ARROW..LEFT RIGHT ARROW + {0x2195, 0x2199, prAI, gcSo}, // [5] UP DOWN ARROW..SOUTH WEST ARROW + {0x219A, 0x219B, prAL, gcSm}, // [2] LEFTWARDS ARROW WITH STROKE..RIGHTWARDS ARROW WITH STROKE + {0x219C, 0x219F, prAL, gcSo}, // [4] LEFTWARDS WAVE ARROW..UPWARDS TWO HEADED ARROW + {0x21A0, 0x21A0, prAL, gcSm}, // RIGHTWARDS TWO HEADED ARROW + {0x21A1, 0x21A2, prAL, gcSo}, // [2] DOWNWARDS TWO HEADED ARROW..LEFTWARDS ARROW WITH TAIL + {0x21A3, 0x21A3, prAL, gcSm}, // RIGHTWARDS ARROW WITH TAIL + {0x21A4, 0x21A5, prAL, gcSo}, // [2] LEFTWARDS ARROW FROM BAR..UPWARDS ARROW FROM BAR + {0x21A6, 0x21A6, prAL, gcSm}, // RIGHTWARDS ARROW FROM BAR + {0x21A7, 0x21AD, prAL, gcSo}, // [7] DOWNWARDS ARROW FROM BAR..LEFT RIGHT WAVE ARROW + {0x21AE, 0x21AE, prAL, gcSm}, // LEFT RIGHT ARROW WITH STROKE + {0x21AF, 0x21CD, prAL, gcSo}, // [31] DOWNWARDS ZIGZAG ARROW..LEFTWARDS DOUBLE ARROW WITH STROKE + {0x21CE, 0x21CF, prAL, gcSm}, // [2] LEFT RIGHT DOUBLE ARROW WITH STROKE..RIGHTWARDS DOUBLE ARROW WITH STROKE + {0x21D0, 0x21D1, prAL, gcSo}, // [2] LEFTWARDS DOUBLE ARROW..UPWARDS DOUBLE ARROW + {0x21D2, 0x21D2, prAI, gcSm}, // RIGHTWARDS DOUBLE ARROW + {0x21D3, 0x21D3, prAL, gcSo}, // DOWNWARDS DOUBLE ARROW + {0x21D4, 0x21D4, prAI, gcSm}, // LEFT RIGHT DOUBLE ARROW + {0x21D5, 0x21F3, prAL, gcSo}, // [31] UP DOWN DOUBLE ARROW..UP DOWN WHITE ARROW + {0x21F4, 0x21FF, prAL, gcSm}, // [12] RIGHT ARROW WITH SMALL CIRCLE..LEFT RIGHT OPEN-HEADED ARROW + {0x2200, 0x2200, prAI, gcSm}, // FOR ALL + {0x2201, 0x2201, prAL, gcSm}, // COMPLEMENT + {0x2202, 0x2203, prAI, gcSm}, // [2] PARTIAL DIFFERENTIAL..THERE EXISTS + {0x2204, 0x2206, prAL, gcSm}, // [3] THERE DOES NOT EXIST..INCREMENT + {0x2207, 0x2208, prAI, gcSm}, // [2] NABLA..ELEMENT OF + {0x2209, 0x220A, prAL, gcSm}, // [2] NOT AN ELEMENT OF..SMALL ELEMENT OF + {0x220B, 0x220B, prAI, gcSm}, // CONTAINS AS MEMBER + {0x220C, 0x220E, prAL, gcSm}, // [3] DOES NOT CONTAIN AS MEMBER..END OF PROOF + {0x220F, 0x220F, prAI, gcSm}, // N-ARY PRODUCT + {0x2210, 0x2210, prAL, gcSm}, // N-ARY COPRODUCT + {0x2211, 0x2211, prAI, gcSm}, // N-ARY SUMMATION + {0x2212, 0x2213, prPR, gcSm}, // [2] MINUS SIGN..MINUS-OR-PLUS SIGN + {0x2214, 0x2214, prAL, gcSm}, // DOT PLUS + {0x2215, 0x2215, prAI, gcSm}, // DIVISION SLASH + {0x2216, 0x2219, prAL, gcSm}, // [4] SET MINUS..BULLET OPERATOR + {0x221A, 0x221A, prAI, gcSm}, // SQUARE ROOT + {0x221B, 0x221C, prAL, gcSm}, // [2] CUBE ROOT..FOURTH ROOT + {0x221D, 0x2220, prAI, gcSm}, // [4] PROPORTIONAL TO..ANGLE + {0x2221, 0x2222, prAL, gcSm}, // [2] MEASURED ANGLE..SPHERICAL ANGLE + {0x2223, 0x2223, prAI, gcSm}, // DIVIDES + {0x2224, 0x2224, prAL, gcSm}, // DOES NOT DIVIDE + {0x2225, 0x2225, prAI, gcSm}, // PARALLEL TO + {0x2226, 0x2226, prAL, gcSm}, // NOT PARALLEL TO + {0x2227, 0x222C, prAI, gcSm}, // [6] LOGICAL AND..DOUBLE INTEGRAL + {0x222D, 0x222D, prAL, gcSm}, // TRIPLE INTEGRAL + {0x222E, 0x222E, prAI, gcSm}, // CONTOUR INTEGRAL + {0x222F, 0x2233, prAL, gcSm}, // [5] SURFACE INTEGRAL..ANTICLOCKWISE CONTOUR INTEGRAL + {0x2234, 0x2237, prAI, gcSm}, // [4] THEREFORE..PROPORTION + {0x2238, 0x223B, prAL, gcSm}, // [4] DOT MINUS..HOMOTHETIC + {0x223C, 0x223D, prAI, gcSm}, // [2] TILDE OPERATOR..REVERSED TILDE + {0x223E, 0x2247, prAL, gcSm}, // [10] INVERTED LAZY S..NEITHER APPROXIMATELY NOR ACTUALLY EQUAL TO + {0x2248, 0x2248, prAI, gcSm}, // ALMOST EQUAL TO + {0x2249, 0x224B, prAL, gcSm}, // [3] NOT ALMOST EQUAL TO..TRIPLE TILDE + {0x224C, 0x224C, prAI, gcSm}, // ALL EQUAL TO + {0x224D, 0x2251, prAL, gcSm}, // [5] EQUIVALENT TO..GEOMETRICALLY EQUAL TO + {0x2252, 0x2252, prAI, gcSm}, // APPROXIMATELY EQUAL TO OR THE IMAGE OF + {0x2253, 0x225F, prAL, gcSm}, // [13] IMAGE OF OR APPROXIMATELY EQUAL TO..QUESTIONED EQUAL TO + {0x2260, 0x2261, prAI, gcSm}, // [2] NOT EQUAL TO..IDENTICAL TO + {0x2262, 0x2263, prAL, gcSm}, // [2] NOT IDENTICAL TO..STRICTLY EQUIVALENT TO + {0x2264, 0x2267, prAI, gcSm}, // [4] LESS-THAN OR EQUAL TO..GREATER-THAN OVER EQUAL TO + {0x2268, 0x2269, prAL, gcSm}, // [2] LESS-THAN BUT NOT EQUAL TO..GREATER-THAN BUT NOT EQUAL TO + {0x226A, 0x226B, prAI, gcSm}, // [2] MUCH LESS-THAN..MUCH GREATER-THAN + {0x226C, 0x226D, prAL, gcSm}, // [2] BETWEEN..NOT EQUIVALENT TO + {0x226E, 0x226F, prAI, gcSm}, // [2] NOT LESS-THAN..NOT GREATER-THAN + {0x2270, 0x2281, prAL, gcSm}, // [18] NEITHER LESS-THAN NOR EQUAL TO..DOES NOT SUCCEED + {0x2282, 0x2283, prAI, gcSm}, // [2] SUBSET OF..SUPERSET OF + {0x2284, 0x2285, prAL, gcSm}, // [2] NOT A SUBSET OF..NOT A SUPERSET OF + {0x2286, 0x2287, prAI, gcSm}, // [2] SUBSET OF OR EQUAL TO..SUPERSET OF OR EQUAL TO + {0x2288, 0x2294, prAL, gcSm}, // [13] NEITHER A SUBSET OF NOR EQUAL TO..SQUARE CUP + {0x2295, 0x2295, prAI, gcSm}, // CIRCLED PLUS + {0x2296, 0x2298, prAL, gcSm}, // [3] CIRCLED MINUS..CIRCLED DIVISION SLASH + {0x2299, 0x2299, prAI, gcSm}, // CIRCLED DOT OPERATOR + {0x229A, 0x22A4, prAL, gcSm}, // [11] CIRCLED RING OPERATOR..DOWN TACK + {0x22A5, 0x22A5, prAI, gcSm}, // UP TACK + {0x22A6, 0x22BE, prAL, gcSm}, // [25] ASSERTION..RIGHT ANGLE WITH ARC + {0x22BF, 0x22BF, prAI, gcSm}, // RIGHT TRIANGLE + {0x22C0, 0x22EE, prAL, gcSm}, // [47] N-ARY LOGICAL AND..VERTICAL ELLIPSIS + {0x22EF, 0x22EF, prIN, gcSm}, // MIDLINE HORIZONTAL ELLIPSIS + {0x22F0, 0x22FF, prAL, gcSm}, // [16] UP RIGHT DIAGONAL ELLIPSIS..Z NOTATION BAG MEMBERSHIP + {0x2300, 0x2307, prAL, gcSo}, // [8] DIAMETER SIGN..WAVY LINE + {0x2308, 0x2308, prOP, gcPs}, // LEFT CEILING + {0x2309, 0x2309, prCL, gcPe}, // RIGHT CEILING + {0x230A, 0x230A, prOP, gcPs}, // LEFT FLOOR + {0x230B, 0x230B, prCL, gcPe}, // RIGHT FLOOR + {0x230C, 0x2311, prAL, gcSo}, // [6] BOTTOM RIGHT CROP..SQUARE LOZENGE + {0x2312, 0x2312, prAI, gcSo}, // ARC + {0x2313, 0x2319, prAL, gcSo}, // [7] SEGMENT..TURNED NOT SIGN + {0x231A, 0x231B, prID, gcSo}, // [2] WATCH..HOURGLASS + {0x231C, 0x231F, prAL, gcSo}, // [4] TOP LEFT CORNER..BOTTOM RIGHT CORNER + {0x2320, 0x2321, prAL, gcSm}, // [2] TOP HALF INTEGRAL..BOTTOM HALF INTEGRAL + {0x2322, 0x2328, prAL, gcSo}, // [7] FROWN..KEYBOARD + {0x2329, 0x2329, prOP, gcPs}, // LEFT-POINTING ANGLE BRACKET + {0x232A, 0x232A, prCL, gcPe}, // RIGHT-POINTING ANGLE BRACKET + {0x232B, 0x237B, prAL, gcSo}, // [81] ERASE TO THE LEFT..NOT CHECK MARK + {0x237C, 0x237C, prAL, gcSm}, // RIGHT ANGLE WITH DOWNWARDS ZIGZAG ARROW + {0x237D, 0x239A, prAL, gcSo}, // [30] SHOULDERED OPEN BOX..CLEAR SCREEN SYMBOL + {0x239B, 0x23B3, prAL, gcSm}, // [25] LEFT PARENTHESIS UPPER HOOK..SUMMATION BOTTOM + {0x23B4, 0x23DB, prAL, gcSo}, // [40] TOP SQUARE BRACKET..FUSE + {0x23DC, 0x23E1, prAL, gcSm}, // [6] TOP PARENTHESIS..BOTTOM TORTOISE SHELL BRACKET + {0x23E2, 0x23EF, prAL, gcSo}, // [14] WHITE TRAPEZIUM..BLACK RIGHT-POINTING TRIANGLE WITH DOUBLE VERTICAL BAR + {0x23F0, 0x23F3, prID, gcSo}, // [4] ALARM CLOCK..HOURGLASS WITH FLOWING SAND + {0x23F4, 0x23FF, prAL, gcSo}, // [12] BLACK MEDIUM LEFT-POINTING TRIANGLE..OBSERVER EYE SYMBOL + {0x2400, 0x2426, prAL, gcSo}, // [39] SYMBOL FOR NULL..SYMBOL FOR SUBSTITUTE FORM TWO + {0x2440, 0x244A, prAL, gcSo}, // [11] OCR HOOK..OCR DOUBLE BACKSLASH + {0x2460, 0x249B, prAI, gcNo}, // [60] CIRCLED DIGIT ONE..NUMBER TWENTY FULL STOP + {0x249C, 0x24E9, prAI, gcSo}, // [78] PARENTHESIZED LATIN SMALL LETTER A..CIRCLED LATIN SMALL LETTER Z + {0x24EA, 0x24FE, prAI, gcNo}, // [21] CIRCLED DIGIT ZERO..DOUBLE CIRCLED NUMBER TEN + {0x24FF, 0x24FF, prAL, gcNo}, // NEGATIVE CIRCLED DIGIT ZERO + {0x2500, 0x254B, prAI, gcSo}, // [76] BOX DRAWINGS LIGHT HORIZONTAL..BOX DRAWINGS HEAVY VERTICAL AND HORIZONTAL + {0x254C, 0x254F, prAL, gcSo}, // [4] BOX DRAWINGS LIGHT DOUBLE DASH HORIZONTAL..BOX DRAWINGS HEAVY DOUBLE DASH VERTICAL + {0x2550, 0x2574, prAI, gcSo}, // [37] BOX DRAWINGS DOUBLE HORIZONTAL..BOX DRAWINGS LIGHT LEFT + {0x2575, 0x257F, prAL, gcSo}, // [11] BOX DRAWINGS LIGHT UP..BOX DRAWINGS HEAVY UP AND LIGHT DOWN + {0x2580, 0x258F, prAI, gcSo}, // [16] UPPER HALF BLOCK..LEFT ONE EIGHTH BLOCK + {0x2590, 0x2591, prAL, gcSo}, // [2] RIGHT HALF BLOCK..LIGHT SHADE + {0x2592, 0x2595, prAI, gcSo}, // [4] MEDIUM SHADE..RIGHT ONE EIGHTH BLOCK + {0x2596, 0x259F, prAL, gcSo}, // [10] QUADRANT LOWER LEFT..QUADRANT UPPER RIGHT AND LOWER LEFT AND LOWER RIGHT + {0x25A0, 0x25A1, prAI, gcSo}, // [2] BLACK SQUARE..WHITE SQUARE + {0x25A2, 0x25A2, prAL, gcSo}, // WHITE SQUARE WITH ROUNDED CORNERS + {0x25A3, 0x25A9, prAI, gcSo}, // [7] WHITE SQUARE CONTAINING BLACK SMALL SQUARE..SQUARE WITH DIAGONAL CROSSHATCH FILL + {0x25AA, 0x25B1, prAL, gcSo}, // [8] BLACK SMALL SQUARE..WHITE PARALLELOGRAM + {0x25B2, 0x25B3, prAI, gcSo}, // [2] BLACK UP-POINTING TRIANGLE..WHITE UP-POINTING TRIANGLE + {0x25B4, 0x25B5, prAL, gcSo}, // [2] BLACK UP-POINTING SMALL TRIANGLE..WHITE UP-POINTING SMALL TRIANGLE + {0x25B6, 0x25B6, prAI, gcSo}, // BLACK RIGHT-POINTING TRIANGLE + {0x25B7, 0x25B7, prAI, gcSm}, // WHITE RIGHT-POINTING TRIANGLE + {0x25B8, 0x25BB, prAL, gcSo}, // [4] BLACK RIGHT-POINTING SMALL TRIANGLE..WHITE RIGHT-POINTING POINTER + {0x25BC, 0x25BD, prAI, gcSo}, // [2] BLACK DOWN-POINTING TRIANGLE..WHITE DOWN-POINTING TRIANGLE + {0x25BE, 0x25BF, prAL, gcSo}, // [2] BLACK DOWN-POINTING SMALL TRIANGLE..WHITE DOWN-POINTING SMALL TRIANGLE + {0x25C0, 0x25C0, prAI, gcSo}, // BLACK LEFT-POINTING TRIANGLE + {0x25C1, 0x25C1, prAI, gcSm}, // WHITE LEFT-POINTING TRIANGLE + {0x25C2, 0x25C5, prAL, gcSo}, // [4] BLACK LEFT-POINTING SMALL TRIANGLE..WHITE LEFT-POINTING POINTER + {0x25C6, 0x25C8, prAI, gcSo}, // [3] BLACK DIAMOND..WHITE DIAMOND CONTAINING BLACK SMALL DIAMOND + {0x25C9, 0x25CA, prAL, gcSo}, // [2] FISHEYE..LOZENGE + {0x25CB, 0x25CB, prAI, gcSo}, // WHITE CIRCLE + {0x25CC, 0x25CD, prAL, gcSo}, // [2] DOTTED CIRCLE..CIRCLE WITH VERTICAL FILL + {0x25CE, 0x25D1, prAI, gcSo}, // [4] BULLSEYE..CIRCLE WITH RIGHT HALF BLACK + {0x25D2, 0x25E1, prAL, gcSo}, // [16] CIRCLE WITH LOWER HALF BLACK..LOWER HALF CIRCLE + {0x25E2, 0x25E5, prAI, gcSo}, // [4] BLACK LOWER RIGHT TRIANGLE..BLACK UPPER RIGHT TRIANGLE + {0x25E6, 0x25EE, prAL, gcSo}, // [9] WHITE BULLET..UP-POINTING TRIANGLE WITH RIGHT HALF BLACK + {0x25EF, 0x25EF, prAI, gcSo}, // LARGE CIRCLE + {0x25F0, 0x25F7, prAL, gcSo}, // [8] WHITE SQUARE WITH UPPER LEFT QUADRANT..WHITE CIRCLE WITH UPPER RIGHT QUADRANT + {0x25F8, 0x25FF, prAL, gcSm}, // [8] UPPER LEFT TRIANGLE..LOWER RIGHT TRIANGLE + {0x2600, 0x2603, prID, gcSo}, // [4] BLACK SUN WITH RAYS..SNOWMAN + {0x2604, 0x2604, prAL, gcSo}, // COMET + {0x2605, 0x2606, prAI, gcSo}, // [2] BLACK STAR..WHITE STAR + {0x2607, 0x2608, prAL, gcSo}, // [2] LIGHTNING..THUNDERSTORM + {0x2609, 0x2609, prAI, gcSo}, // SUN + {0x260A, 0x260D, prAL, gcSo}, // [4] ASCENDING NODE..OPPOSITION + {0x260E, 0x260F, prAI, gcSo}, // [2] BLACK TELEPHONE..WHITE TELEPHONE + {0x2610, 0x2613, prAL, gcSo}, // [4] BALLOT BOX..SALTIRE + {0x2614, 0x2615, prID, gcSo}, // [2] UMBRELLA WITH RAIN DROPS..HOT BEVERAGE + {0x2616, 0x2617, prAI, gcSo}, // [2] WHITE SHOGI PIECE..BLACK SHOGI PIECE + {0x2618, 0x2618, prID, gcSo}, // SHAMROCK + {0x2619, 0x2619, prAL, gcSo}, // REVERSED ROTATED FLORAL HEART BULLET + {0x261A, 0x261C, prID, gcSo}, // [3] BLACK LEFT POINTING INDEX..WHITE LEFT POINTING INDEX + {0x261D, 0x261D, prEB, gcSo}, // WHITE UP POINTING INDEX + {0x261E, 0x261F, prID, gcSo}, // [2] WHITE RIGHT POINTING INDEX..WHITE DOWN POINTING INDEX + {0x2620, 0x2638, prAL, gcSo}, // [25] SKULL AND CROSSBONES..WHEEL OF DHARMA + {0x2639, 0x263B, prID, gcSo}, // [3] WHITE FROWNING FACE..BLACK SMILING FACE + {0x263C, 0x263F, prAL, gcSo}, // [4] WHITE SUN WITH RAYS..MERCURY + {0x2640, 0x2640, prAI, gcSo}, // FEMALE SIGN + {0x2641, 0x2641, prAL, gcSo}, // EARTH + {0x2642, 0x2642, prAI, gcSo}, // MALE SIGN + {0x2643, 0x265F, prAL, gcSo}, // [29] JUPITER..BLACK CHESS PAWN + {0x2660, 0x2661, prAI, gcSo}, // [2] BLACK SPADE SUIT..WHITE HEART SUIT + {0x2662, 0x2662, prAL, gcSo}, // WHITE DIAMOND SUIT + {0x2663, 0x2665, prAI, gcSo}, // [3] BLACK CLUB SUIT..BLACK HEART SUIT + {0x2666, 0x2666, prAL, gcSo}, // BLACK DIAMOND SUIT + {0x2667, 0x2667, prAI, gcSo}, // WHITE CLUB SUIT + {0x2668, 0x2668, prID, gcSo}, // HOT SPRINGS + {0x2669, 0x266A, prAI, gcSo}, // [2] QUARTER NOTE..EIGHTH NOTE + {0x266B, 0x266B, prAL, gcSo}, // BEAMED EIGHTH NOTES + {0x266C, 0x266D, prAI, gcSo}, // [2] BEAMED SIXTEENTH NOTES..MUSIC FLAT SIGN + {0x266E, 0x266E, prAL, gcSo}, // MUSIC NATURAL SIGN + {0x266F, 0x266F, prAI, gcSm}, // MUSIC SHARP SIGN + {0x2670, 0x267E, prAL, gcSo}, // [15] WEST SYRIAC CROSS..PERMANENT PAPER SIGN + {0x267F, 0x267F, prID, gcSo}, // WHEELCHAIR SYMBOL + {0x2680, 0x269D, prAL, gcSo}, // [30] DIE FACE-1..OUTLINED WHITE STAR + {0x269E, 0x269F, prAI, gcSo}, // [2] THREE LINES CONVERGING RIGHT..THREE LINES CONVERGING LEFT + {0x26A0, 0x26BC, prAL, gcSo}, // [29] WARNING SIGN..SESQUIQUADRATE + {0x26BD, 0x26C8, prID, gcSo}, // [12] SOCCER BALL..THUNDER CLOUD AND RAIN + {0x26C9, 0x26CC, prAI, gcSo}, // [4] TURNED WHITE SHOGI PIECE..CROSSING LANES + {0x26CD, 0x26CD, prID, gcSo}, // DISABLED CAR + {0x26CE, 0x26CE, prAL, gcSo}, // OPHIUCHUS + {0x26CF, 0x26D1, prID, gcSo}, // [3] PICK..HELMET WITH WHITE CROSS + {0x26D2, 0x26D2, prAI, gcSo}, // CIRCLED CROSSING LANES + {0x26D3, 0x26D4, prID, gcSo}, // [2] CHAINS..NO ENTRY + {0x26D5, 0x26D7, prAI, gcSo}, // [3] ALTERNATE ONE-WAY LEFT WAY TRAFFIC..WHITE TWO-WAY LEFT WAY TRAFFIC + {0x26D8, 0x26D9, prID, gcSo}, // [2] BLACK LEFT LANE MERGE..WHITE LEFT LANE MERGE + {0x26DA, 0x26DB, prAI, gcSo}, // [2] DRIVE SLOW SIGN..HEAVY WHITE DOWN-POINTING TRIANGLE + {0x26DC, 0x26DC, prID, gcSo}, // LEFT CLOSED ENTRY + {0x26DD, 0x26DE, prAI, gcSo}, // [2] SQUARED SALTIRE..FALLING DIAGONAL IN WHITE CIRCLE IN BLACK SQUARE + {0x26DF, 0x26E1, prID, gcSo}, // [3] BLACK TRUCK..RESTRICTED LEFT ENTRY-2 + {0x26E2, 0x26E2, prAL, gcSo}, // ASTRONOMICAL SYMBOL FOR URANUS + {0x26E3, 0x26E3, prAI, gcSo}, // HEAVY CIRCLE WITH STROKE AND TWO DOTS ABOVE + {0x26E4, 0x26E7, prAL, gcSo}, // [4] PENTAGRAM..INVERTED PENTAGRAM + {0x26E8, 0x26E9, prAI, gcSo}, // [2] BLACK CROSS ON SHIELD..SHINTO SHRINE + {0x26EA, 0x26EA, prID, gcSo}, // CHURCH + {0x26EB, 0x26F0, prAI, gcSo}, // [6] CASTLE..MOUNTAIN + {0x26F1, 0x26F5, prID, gcSo}, // [5] UMBRELLA ON GROUND..SAILBOAT + {0x26F6, 0x26F6, prAI, gcSo}, // SQUARE FOUR CORNERS + {0x26F7, 0x26F8, prID, gcSo}, // [2] SKIER..ICE SKATE + {0x26F9, 0x26F9, prEB, gcSo}, // PERSON WITH BALL + {0x26FA, 0x26FA, prID, gcSo}, // TENT + {0x26FB, 0x26FC, prAI, gcSo}, // [2] JAPANESE BANK SYMBOL..HEADSTONE GRAVEYARD SYMBOL + {0x26FD, 0x26FF, prID, gcSo}, // [3] FUEL PUMP..WHITE FLAG WITH HORIZONTAL MIDDLE BLACK STRIPE + {0x2700, 0x2704, prID, gcSo}, // [5] BLACK SAFETY SCISSORS..WHITE SCISSORS + {0x2705, 0x2707, prAL, gcSo}, // [3] WHITE HEAVY CHECK MARK..TAPE DRIVE + {0x2708, 0x2709, prID, gcSo}, // [2] AIRPLANE..ENVELOPE + {0x270A, 0x270D, prEB, gcSo}, // [4] RAISED FIST..WRITING HAND + {0x270E, 0x2756, prAL, gcSo}, // [73] LOWER RIGHT PENCIL..BLACK DIAMOND MINUS WHITE X + {0x2757, 0x2757, prAI, gcSo}, // HEAVY EXCLAMATION MARK SYMBOL + {0x2758, 0x275A, prAL, gcSo}, // [3] LIGHT VERTICAL BAR..HEAVY VERTICAL BAR + {0x275B, 0x2760, prQU, gcSo}, // [6] HEAVY SINGLE TURNED COMMA QUOTATION MARK ORNAMENT..HEAVY LOW DOUBLE COMMA QUOTATION MARK ORNAMENT + {0x2761, 0x2761, prAL, gcSo}, // CURVED STEM PARAGRAPH SIGN ORNAMENT + {0x2762, 0x2763, prEX, gcSo}, // [2] HEAVY EXCLAMATION MARK ORNAMENT..HEAVY HEART EXCLAMATION MARK ORNAMENT + {0x2764, 0x2764, prID, gcSo}, // HEAVY BLACK HEART + {0x2765, 0x2767, prAL, gcSo}, // [3] ROTATED HEAVY BLACK HEART BULLET..ROTATED FLORAL HEART BULLET + {0x2768, 0x2768, prOP, gcPs}, // MEDIUM LEFT PARENTHESIS ORNAMENT + {0x2769, 0x2769, prCL, gcPe}, // MEDIUM RIGHT PARENTHESIS ORNAMENT + {0x276A, 0x276A, prOP, gcPs}, // MEDIUM FLATTENED LEFT PARENTHESIS ORNAMENT + {0x276B, 0x276B, prCL, gcPe}, // MEDIUM FLATTENED RIGHT PARENTHESIS ORNAMENT + {0x276C, 0x276C, prOP, gcPs}, // MEDIUM LEFT-POINTING ANGLE BRACKET ORNAMENT + {0x276D, 0x276D, prCL, gcPe}, // MEDIUM RIGHT-POINTING ANGLE BRACKET ORNAMENT + {0x276E, 0x276E, prOP, gcPs}, // HEAVY LEFT-POINTING ANGLE QUOTATION MARK ORNAMENT + {0x276F, 0x276F, prCL, gcPe}, // HEAVY RIGHT-POINTING ANGLE QUOTATION MARK ORNAMENT + {0x2770, 0x2770, prOP, gcPs}, // HEAVY LEFT-POINTING ANGLE BRACKET ORNAMENT + {0x2771, 0x2771, prCL, gcPe}, // HEAVY RIGHT-POINTING ANGLE BRACKET ORNAMENT + {0x2772, 0x2772, prOP, gcPs}, // LIGHT LEFT TORTOISE SHELL BRACKET ORNAMENT + {0x2773, 0x2773, prCL, gcPe}, // LIGHT RIGHT TORTOISE SHELL BRACKET ORNAMENT + {0x2774, 0x2774, prOP, gcPs}, // MEDIUM LEFT CURLY BRACKET ORNAMENT + {0x2775, 0x2775, prCL, gcPe}, // MEDIUM RIGHT CURLY BRACKET ORNAMENT + {0x2776, 0x2793, prAI, gcNo}, // [30] DINGBAT NEGATIVE CIRCLED DIGIT ONE..DINGBAT NEGATIVE CIRCLED SANS-SERIF NUMBER TEN + {0x2794, 0x27BF, prAL, gcSo}, // [44] HEAVY WIDE-HEADED RIGHTWARDS ARROW..DOUBLE CURLY LOOP + {0x27C0, 0x27C4, prAL, gcSm}, // [5] THREE DIMENSIONAL ANGLE..OPEN SUPERSET + {0x27C5, 0x27C5, prOP, gcPs}, // LEFT S-SHAPED BAG DELIMITER + {0x27C6, 0x27C6, prCL, gcPe}, // RIGHT S-SHAPED BAG DELIMITER + {0x27C7, 0x27E5, prAL, gcSm}, // [31] OR WITH DOT INSIDE..WHITE SQUARE WITH RIGHTWARDS TICK + {0x27E6, 0x27E6, prOP, gcPs}, // MATHEMATICAL LEFT WHITE SQUARE BRACKET + {0x27E7, 0x27E7, prCL, gcPe}, // MATHEMATICAL RIGHT WHITE SQUARE BRACKET + {0x27E8, 0x27E8, prOP, gcPs}, // MATHEMATICAL LEFT ANGLE BRACKET + {0x27E9, 0x27E9, prCL, gcPe}, // MATHEMATICAL RIGHT ANGLE BRACKET + {0x27EA, 0x27EA, prOP, gcPs}, // MATHEMATICAL LEFT DOUBLE ANGLE BRACKET + {0x27EB, 0x27EB, prCL, gcPe}, // MATHEMATICAL RIGHT DOUBLE ANGLE BRACKET + {0x27EC, 0x27EC, prOP, gcPs}, // MATHEMATICAL LEFT WHITE TORTOISE SHELL BRACKET + {0x27ED, 0x27ED, prCL, gcPe}, // MATHEMATICAL RIGHT WHITE TORTOISE SHELL BRACKET + {0x27EE, 0x27EE, prOP, gcPs}, // MATHEMATICAL LEFT FLATTENED PARENTHESIS + {0x27EF, 0x27EF, prCL, gcPe}, // MATHEMATICAL RIGHT FLATTENED PARENTHESIS + {0x27F0, 0x27FF, prAL, gcSm}, // [16] UPWARDS QUADRUPLE ARROW..LONG RIGHTWARDS SQUIGGLE ARROW + {0x2800, 0x28FF, prAL, gcSo}, // [256] BRAILLE PATTERN BLANK..BRAILLE PATTERN DOTS-12345678 + {0x2900, 0x297F, prAL, gcSm}, // [128] RIGHTWARDS TWO-HEADED ARROW WITH VERTICAL STROKE..DOWN FISH TAIL + {0x2980, 0x2982, prAL, gcSm}, // [3] TRIPLE VERTICAL BAR DELIMITER..Z NOTATION TYPE COLON + {0x2983, 0x2983, prOP, gcPs}, // LEFT WHITE CURLY BRACKET + {0x2984, 0x2984, prCL, gcPe}, // RIGHT WHITE CURLY BRACKET + {0x2985, 0x2985, prOP, gcPs}, // LEFT WHITE PARENTHESIS + {0x2986, 0x2986, prCL, gcPe}, // RIGHT WHITE PARENTHESIS + {0x2987, 0x2987, prOP, gcPs}, // Z NOTATION LEFT IMAGE BRACKET + {0x2988, 0x2988, prCL, gcPe}, // Z NOTATION RIGHT IMAGE BRACKET + {0x2989, 0x2989, prOP, gcPs}, // Z NOTATION LEFT BINDING BRACKET + {0x298A, 0x298A, prCL, gcPe}, // Z NOTATION RIGHT BINDING BRACKET + {0x298B, 0x298B, prOP, gcPs}, // LEFT SQUARE BRACKET WITH UNDERBAR + {0x298C, 0x298C, prCL, gcPe}, // RIGHT SQUARE BRACKET WITH UNDERBAR + {0x298D, 0x298D, prOP, gcPs}, // LEFT SQUARE BRACKET WITH TICK IN TOP CORNER + {0x298E, 0x298E, prCL, gcPe}, // RIGHT SQUARE BRACKET WITH TICK IN BOTTOM CORNER + {0x298F, 0x298F, prOP, gcPs}, // LEFT SQUARE BRACKET WITH TICK IN BOTTOM CORNER + {0x2990, 0x2990, prCL, gcPe}, // RIGHT SQUARE BRACKET WITH TICK IN TOP CORNER + {0x2991, 0x2991, prOP, gcPs}, // LEFT ANGLE BRACKET WITH DOT + {0x2992, 0x2992, prCL, gcPe}, // RIGHT ANGLE BRACKET WITH DOT + {0x2993, 0x2993, prOP, gcPs}, // LEFT ARC LESS-THAN BRACKET + {0x2994, 0x2994, prCL, gcPe}, // RIGHT ARC GREATER-THAN BRACKET + {0x2995, 0x2995, prOP, gcPs}, // DOUBLE LEFT ARC GREATER-THAN BRACKET + {0x2996, 0x2996, prCL, gcPe}, // DOUBLE RIGHT ARC LESS-THAN BRACKET + {0x2997, 0x2997, prOP, gcPs}, // LEFT BLACK TORTOISE SHELL BRACKET + {0x2998, 0x2998, prCL, gcPe}, // RIGHT BLACK TORTOISE SHELL BRACKET + {0x2999, 0x29D7, prAL, gcSm}, // [63] DOTTED FENCE..BLACK HOURGLASS + {0x29D8, 0x29D8, prOP, gcPs}, // LEFT WIGGLY FENCE + {0x29D9, 0x29D9, prCL, gcPe}, // RIGHT WIGGLY FENCE + {0x29DA, 0x29DA, prOP, gcPs}, // LEFT DOUBLE WIGGLY FENCE + {0x29DB, 0x29DB, prCL, gcPe}, // RIGHT DOUBLE WIGGLY FENCE + {0x29DC, 0x29FB, prAL, gcSm}, // [32] INCOMPLETE INFINITY..TRIPLE PLUS + {0x29FC, 0x29FC, prOP, gcPs}, // LEFT-POINTING CURVED ANGLE BRACKET + {0x29FD, 0x29FD, prCL, gcPe}, // RIGHT-POINTING CURVED ANGLE BRACKET + {0x29FE, 0x29FF, prAL, gcSm}, // [2] TINY..MINY + {0x2A00, 0x2AFF, prAL, gcSm}, // [256] N-ARY CIRCLED DOT OPERATOR..N-ARY WHITE VERTICAL BAR + {0x2B00, 0x2B2F, prAL, gcSo}, // [48] NORTH EAST WHITE ARROW..WHITE VERTICAL ELLIPSE + {0x2B30, 0x2B44, prAL, gcSm}, // [21] LEFT ARROW WITH SMALL CIRCLE..RIGHTWARDS ARROW THROUGH SUPERSET + {0x2B45, 0x2B46, prAL, gcSo}, // [2] LEFTWARDS QUADRUPLE ARROW..RIGHTWARDS QUADRUPLE ARROW + {0x2B47, 0x2B4C, prAL, gcSm}, // [6] REVERSE TILDE OPERATOR ABOVE RIGHTWARDS ARROW..RIGHTWARDS ARROW ABOVE REVERSE TILDE OPERATOR + {0x2B4D, 0x2B54, prAL, gcSo}, // [8] DOWNWARDS TRIANGLE-HEADED ZIGZAG ARROW..WHITE RIGHT-POINTING PENTAGON + {0x2B55, 0x2B59, prAI, gcSo}, // [5] HEAVY LARGE CIRCLE..HEAVY CIRCLED SALTIRE + {0x2B5A, 0x2B73, prAL, gcSo}, // [26] SLANTED NORTH ARROW WITH HOOKED HEAD..DOWNWARDS TRIANGLE-HEADED ARROW TO BAR + {0x2B76, 0x2B95, prAL, gcSo}, // [32] NORTH WEST TRIANGLE-HEADED ARROW TO BAR..RIGHTWARDS BLACK ARROW + {0x2B97, 0x2BFF, prAL, gcSo}, // [105] SYMBOL FOR TYPE A ELECTRONICS..HELLSCHREIBER PAUSE SYMBOL + {0x2C00, 0x2C5F, prAL, gcLC}, // [96] GLAGOLITIC CAPITAL LETTER AZU..GLAGOLITIC SMALL LETTER CAUDATE CHRIVI + {0x2C60, 0x2C7B, prAL, gcLC}, // [28] LATIN CAPITAL LETTER L WITH DOUBLE BAR..LATIN LETTER SMALL CAPITAL TURNED E + {0x2C7C, 0x2C7D, prAL, gcLm}, // [2] LATIN SUBSCRIPT SMALL LETTER J..MODIFIER LETTER CAPITAL V + {0x2C7E, 0x2C7F, prAL, gcLu}, // [2] LATIN CAPITAL LETTER S WITH SWASH TAIL..LATIN CAPITAL LETTER Z WITH SWASH TAIL + {0x2C80, 0x2CE4, prAL, gcLC}, // [101] COPTIC CAPITAL LETTER ALFA..COPTIC SYMBOL KAI + {0x2CE5, 0x2CEA, prAL, gcSo}, // [6] COPTIC SYMBOL MI RO..COPTIC SYMBOL SHIMA SIMA + {0x2CEB, 0x2CEE, prAL, gcLC}, // [4] COPTIC CAPITAL LETTER CRYPTOGRAMMIC SHEI..COPTIC SMALL LETTER CRYPTOGRAMMIC GANGIA + {0x2CEF, 0x2CF1, prCM, gcMn}, // [3] COPTIC COMBINING NI ABOVE..COPTIC COMBINING SPIRITUS LENIS + {0x2CF2, 0x2CF3, prAL, gcLC}, // [2] COPTIC CAPITAL LETTER BOHAIRIC KHEI..COPTIC SMALL LETTER BOHAIRIC KHEI + {0x2CF9, 0x2CF9, prEX, gcPo}, // COPTIC OLD NUBIAN FULL STOP + {0x2CFA, 0x2CFC, prBA, gcPo}, // [3] COPTIC OLD NUBIAN DIRECT QUESTION MARK..COPTIC OLD NUBIAN VERSE DIVIDER + {0x2CFD, 0x2CFD, prAL, gcNo}, // COPTIC FRACTION ONE HALF + {0x2CFE, 0x2CFE, prEX, gcPo}, // COPTIC FULL STOP + {0x2CFF, 0x2CFF, prBA, gcPo}, // COPTIC MORPHOLOGICAL DIVIDER + {0x2D00, 0x2D25, prAL, gcLl}, // [38] GEORGIAN SMALL LETTER AN..GEORGIAN SMALL LETTER HOE + {0x2D27, 0x2D27, prAL, gcLl}, // GEORGIAN SMALL LETTER YN + {0x2D2D, 0x2D2D, prAL, gcLl}, // GEORGIAN SMALL LETTER AEN + {0x2D30, 0x2D67, prAL, gcLo}, // [56] TIFINAGH LETTER YA..TIFINAGH LETTER YO + {0x2D6F, 0x2D6F, prAL, gcLm}, // TIFINAGH MODIFIER LETTER LABIALIZATION MARK + {0x2D70, 0x2D70, prBA, gcPo}, // TIFINAGH SEPARATOR MARK + {0x2D7F, 0x2D7F, prCM, gcMn}, // TIFINAGH CONSONANT JOINER + {0x2D80, 0x2D96, prAL, gcLo}, // [23] ETHIOPIC SYLLABLE LOA..ETHIOPIC SYLLABLE GGWE + {0x2DA0, 0x2DA6, prAL, gcLo}, // [7] ETHIOPIC SYLLABLE SSA..ETHIOPIC SYLLABLE SSO + {0x2DA8, 0x2DAE, prAL, gcLo}, // [7] ETHIOPIC SYLLABLE CCA..ETHIOPIC SYLLABLE CCO + {0x2DB0, 0x2DB6, prAL, gcLo}, // [7] ETHIOPIC SYLLABLE ZZA..ETHIOPIC SYLLABLE ZZO + {0x2DB8, 0x2DBE, prAL, gcLo}, // [7] ETHIOPIC SYLLABLE CCHA..ETHIOPIC SYLLABLE CCHO + {0x2DC0, 0x2DC6, prAL, gcLo}, // [7] ETHIOPIC SYLLABLE QYA..ETHIOPIC SYLLABLE QYO + {0x2DC8, 0x2DCE, prAL, gcLo}, // [7] ETHIOPIC SYLLABLE KYA..ETHIOPIC SYLLABLE KYO + {0x2DD0, 0x2DD6, prAL, gcLo}, // [7] ETHIOPIC SYLLABLE XYA..ETHIOPIC SYLLABLE XYO + {0x2DD8, 0x2DDE, prAL, gcLo}, // [7] ETHIOPIC SYLLABLE GYA..ETHIOPIC SYLLABLE GYO + {0x2DE0, 0x2DFF, prCM, gcMn}, // [32] COMBINING CYRILLIC LETTER BE..COMBINING CYRILLIC LETTER IOTIFIED BIG YUS + {0x2E00, 0x2E01, prQU, gcPo}, // [2] RIGHT ANGLE SUBSTITUTION MARKER..RIGHT ANGLE DOTTED SUBSTITUTION MARKER + {0x2E02, 0x2E02, prQU, gcPi}, // LEFT SUBSTITUTION BRACKET + {0x2E03, 0x2E03, prQU, gcPf}, // RIGHT SUBSTITUTION BRACKET + {0x2E04, 0x2E04, prQU, gcPi}, // LEFT DOTTED SUBSTITUTION BRACKET + {0x2E05, 0x2E05, prQU, gcPf}, // RIGHT DOTTED SUBSTITUTION BRACKET + {0x2E06, 0x2E08, prQU, gcPo}, // [3] RAISED INTERPOLATION MARKER..DOTTED TRANSPOSITION MARKER + {0x2E09, 0x2E09, prQU, gcPi}, // LEFT TRANSPOSITION BRACKET + {0x2E0A, 0x2E0A, prQU, gcPf}, // RIGHT TRANSPOSITION BRACKET + {0x2E0B, 0x2E0B, prQU, gcPo}, // RAISED SQUARE + {0x2E0C, 0x2E0C, prQU, gcPi}, // LEFT RAISED OMISSION BRACKET + {0x2E0D, 0x2E0D, prQU, gcPf}, // RIGHT RAISED OMISSION BRACKET + {0x2E0E, 0x2E15, prBA, gcPo}, // [8] EDITORIAL CORONIS..UPWARDS ANCORA + {0x2E16, 0x2E16, prAL, gcPo}, // DOTTED RIGHT-POINTING ANGLE + {0x2E17, 0x2E17, prBA, gcPd}, // DOUBLE OBLIQUE HYPHEN + {0x2E18, 0x2E18, prOP, gcPo}, // INVERTED INTERROBANG + {0x2E19, 0x2E19, prBA, gcPo}, // PALM BRANCH + {0x2E1A, 0x2E1A, prAL, gcPd}, // HYPHEN WITH DIAERESIS + {0x2E1B, 0x2E1B, prAL, gcPo}, // TILDE WITH RING ABOVE + {0x2E1C, 0x2E1C, prQU, gcPi}, // LEFT LOW PARAPHRASE BRACKET + {0x2E1D, 0x2E1D, prQU, gcPf}, // RIGHT LOW PARAPHRASE BRACKET + {0x2E1E, 0x2E1F, prAL, gcPo}, // [2] TILDE WITH DOT ABOVE..TILDE WITH DOT BELOW + {0x2E20, 0x2E20, prQU, gcPi}, // LEFT VERTICAL BAR WITH QUILL + {0x2E21, 0x2E21, prQU, gcPf}, // RIGHT VERTICAL BAR WITH QUILL + {0x2E22, 0x2E22, prOP, gcPs}, // TOP LEFT HALF BRACKET + {0x2E23, 0x2E23, prCL, gcPe}, // TOP RIGHT HALF BRACKET + {0x2E24, 0x2E24, prOP, gcPs}, // BOTTOM LEFT HALF BRACKET + {0x2E25, 0x2E25, prCL, gcPe}, // BOTTOM RIGHT HALF BRACKET + {0x2E26, 0x2E26, prOP, gcPs}, // LEFT SIDEWAYS U BRACKET + {0x2E27, 0x2E27, prCL, gcPe}, // RIGHT SIDEWAYS U BRACKET + {0x2E28, 0x2E28, prOP, gcPs}, // LEFT DOUBLE PARENTHESIS + {0x2E29, 0x2E29, prCL, gcPe}, // RIGHT DOUBLE PARENTHESIS + {0x2E2A, 0x2E2D, prBA, gcPo}, // [4] TWO DOTS OVER ONE DOT PUNCTUATION..FIVE DOT MARK + {0x2E2E, 0x2E2E, prEX, gcPo}, // REVERSED QUESTION MARK + {0x2E2F, 0x2E2F, prAL, gcLm}, // VERTICAL TILDE + {0x2E30, 0x2E31, prBA, gcPo}, // [2] RING POINT..WORD SEPARATOR MIDDLE DOT + {0x2E32, 0x2E32, prAL, gcPo}, // TURNED COMMA + {0x2E33, 0x2E34, prBA, gcPo}, // [2] RAISED DOT..RAISED COMMA + {0x2E35, 0x2E39, prAL, gcPo}, // [5] TURNED SEMICOLON..TOP HALF SECTION SIGN + {0x2E3A, 0x2E3B, prB2, gcPd}, // [2] TWO-EM DASH..THREE-EM DASH + {0x2E3C, 0x2E3E, prBA, gcPo}, // [3] STENOGRAPHIC FULL STOP..WIGGLY VERTICAL LINE + {0x2E3F, 0x2E3F, prAL, gcPo}, // CAPITULUM + {0x2E40, 0x2E40, prBA, gcPd}, // DOUBLE HYPHEN + {0x2E41, 0x2E41, prBA, gcPo}, // REVERSED COMMA + {0x2E42, 0x2E42, prOP, gcPs}, // DOUBLE LOW-REVERSED-9 QUOTATION MARK + {0x2E43, 0x2E4A, prBA, gcPo}, // [8] DASH WITH LEFT UPTURN..DOTTED SOLIDUS + {0x2E4B, 0x2E4B, prAL, gcPo}, // TRIPLE DAGGER + {0x2E4C, 0x2E4C, prBA, gcPo}, // MEDIEVAL COMMA + {0x2E4D, 0x2E4D, prAL, gcPo}, // PARAGRAPHUS MARK + {0x2E4E, 0x2E4F, prBA, gcPo}, // [2] PUNCTUS ELEVATUS MARK..CORNISH VERSE DIVIDER + {0x2E50, 0x2E51, prAL, gcSo}, // [2] CROSS PATTY WITH RIGHT CROSSBAR..CROSS PATTY WITH LEFT CROSSBAR + {0x2E52, 0x2E52, prAL, gcPo}, // TIRONIAN SIGN CAPITAL ET + {0x2E53, 0x2E54, prEX, gcPo}, // [2] MEDIEVAL EXCLAMATION MARK..MEDIEVAL QUESTION MARK + {0x2E55, 0x2E55, prOP, gcPs}, // LEFT SQUARE BRACKET WITH STROKE + {0x2E56, 0x2E56, prCL, gcPe}, // RIGHT SQUARE BRACKET WITH STROKE + {0x2E57, 0x2E57, prOP, gcPs}, // LEFT SQUARE BRACKET WITH DOUBLE STROKE + {0x2E58, 0x2E58, prCL, gcPe}, // RIGHT SQUARE BRACKET WITH DOUBLE STROKE + {0x2E59, 0x2E59, prOP, gcPs}, // TOP HALF LEFT PARENTHESIS + {0x2E5A, 0x2E5A, prCL, gcPe}, // TOP HALF RIGHT PARENTHESIS + {0x2E5B, 0x2E5B, prOP, gcPs}, // BOTTOM HALF LEFT PARENTHESIS + {0x2E5C, 0x2E5C, prCL, gcPe}, // BOTTOM HALF RIGHT PARENTHESIS + {0x2E5D, 0x2E5D, prBA, gcPd}, // OBLIQUE HYPHEN + {0x2E80, 0x2E99, prID, gcSo}, // [26] CJK RADICAL REPEAT..CJK RADICAL RAP + {0x2E9B, 0x2EF3, prID, gcSo}, // [89] CJK RADICAL CHOKE..CJK RADICAL C-SIMPLIFIED TURTLE + {0x2F00, 0x2FD5, prID, gcSo}, // [214] KANGXI RADICAL ONE..KANGXI RADICAL FLUTE + {0x2FF0, 0x2FFB, prID, gcSo}, // [12] IDEOGRAPHIC DESCRIPTION CHARACTER LEFT TO RIGHT..IDEOGRAPHIC DESCRIPTION CHARACTER OVERLAID + {0x3000, 0x3000, prBA, gcZs}, // IDEOGRAPHIC SPACE + {0x3001, 0x3002, prCL, gcPo}, // [2] IDEOGRAPHIC COMMA..IDEOGRAPHIC FULL STOP + {0x3003, 0x3003, prID, gcPo}, // DITTO MARK + {0x3004, 0x3004, prID, gcSo}, // JAPANESE INDUSTRIAL STANDARD SYMBOL + {0x3005, 0x3005, prNS, gcLm}, // IDEOGRAPHIC ITERATION MARK + {0x3006, 0x3006, prID, gcLo}, // IDEOGRAPHIC CLOSING MARK + {0x3007, 0x3007, prID, gcNl}, // IDEOGRAPHIC NUMBER ZERO + {0x3008, 0x3008, prOP, gcPs}, // LEFT ANGLE BRACKET + {0x3009, 0x3009, prCL, gcPe}, // RIGHT ANGLE BRACKET + {0x300A, 0x300A, prOP, gcPs}, // LEFT DOUBLE ANGLE BRACKET + {0x300B, 0x300B, prCL, gcPe}, // RIGHT DOUBLE ANGLE BRACKET + {0x300C, 0x300C, prOP, gcPs}, // LEFT CORNER BRACKET + {0x300D, 0x300D, prCL, gcPe}, // RIGHT CORNER BRACKET + {0x300E, 0x300E, prOP, gcPs}, // LEFT WHITE CORNER BRACKET + {0x300F, 0x300F, prCL, gcPe}, // RIGHT WHITE CORNER BRACKET + {0x3010, 0x3010, prOP, gcPs}, // LEFT BLACK LENTICULAR BRACKET + {0x3011, 0x3011, prCL, gcPe}, // RIGHT BLACK LENTICULAR BRACKET + {0x3012, 0x3013, prID, gcSo}, // [2] POSTAL MARK..GETA MARK + {0x3014, 0x3014, prOP, gcPs}, // LEFT TORTOISE SHELL BRACKET + {0x3015, 0x3015, prCL, gcPe}, // RIGHT TORTOISE SHELL BRACKET + {0x3016, 0x3016, prOP, gcPs}, // LEFT WHITE LENTICULAR BRACKET + {0x3017, 0x3017, prCL, gcPe}, // RIGHT WHITE LENTICULAR BRACKET + {0x3018, 0x3018, prOP, gcPs}, // LEFT WHITE TORTOISE SHELL BRACKET + {0x3019, 0x3019, prCL, gcPe}, // RIGHT WHITE TORTOISE SHELL BRACKET + {0x301A, 0x301A, prOP, gcPs}, // LEFT WHITE SQUARE BRACKET + {0x301B, 0x301B, prCL, gcPe}, // RIGHT WHITE SQUARE BRACKET + {0x301C, 0x301C, prNS, gcPd}, // WAVE DASH + {0x301D, 0x301D, prOP, gcPs}, // REVERSED DOUBLE PRIME QUOTATION MARK + {0x301E, 0x301F, prCL, gcPe}, // [2] DOUBLE PRIME QUOTATION MARK..LOW DOUBLE PRIME QUOTATION MARK + {0x3020, 0x3020, prID, gcSo}, // POSTAL MARK FACE + {0x3021, 0x3029, prID, gcNl}, // [9] HANGZHOU NUMERAL ONE..HANGZHOU NUMERAL NINE + {0x302A, 0x302D, prCM, gcMn}, // [4] IDEOGRAPHIC LEVEL TONE MARK..IDEOGRAPHIC ENTERING TONE MARK + {0x302E, 0x302F, prCM, gcMc}, // [2] HANGUL SINGLE DOT TONE MARK..HANGUL DOUBLE DOT TONE MARK + {0x3030, 0x3030, prID, gcPd}, // WAVY DASH + {0x3031, 0x3034, prID, gcLm}, // [4] VERTICAL KANA REPEAT MARK..VERTICAL KANA REPEAT WITH VOICED SOUND MARK UPPER HALF + {0x3035, 0x3035, prCM, gcLm}, // VERTICAL KANA REPEAT MARK LOWER HALF + {0x3036, 0x3037, prID, gcSo}, // [2] CIRCLED POSTAL MARK..IDEOGRAPHIC TELEGRAPH LINE FEED SEPARATOR SYMBOL + {0x3038, 0x303A, prID, gcNl}, // [3] HANGZHOU NUMERAL TEN..HANGZHOU NUMERAL THIRTY + {0x303B, 0x303B, prNS, gcLm}, // VERTICAL IDEOGRAPHIC ITERATION MARK + {0x303C, 0x303C, prNS, gcLo}, // MASU MARK + {0x303D, 0x303D, prID, gcPo}, // PART ALTERNATION MARK + {0x303E, 0x303F, prID, gcSo}, // [2] IDEOGRAPHIC VARIATION INDICATOR..IDEOGRAPHIC HALF FILL SPACE + {0x3041, 0x3041, prCJ, gcLo}, // HIRAGANA LETTER SMALL A + {0x3042, 0x3042, prID, gcLo}, // HIRAGANA LETTER A + {0x3043, 0x3043, prCJ, gcLo}, // HIRAGANA LETTER SMALL I + {0x3044, 0x3044, prID, gcLo}, // HIRAGANA LETTER I + {0x3045, 0x3045, prCJ, gcLo}, // HIRAGANA LETTER SMALL U + {0x3046, 0x3046, prID, gcLo}, // HIRAGANA LETTER U + {0x3047, 0x3047, prCJ, gcLo}, // HIRAGANA LETTER SMALL E + {0x3048, 0x3048, prID, gcLo}, // HIRAGANA LETTER E + {0x3049, 0x3049, prCJ, gcLo}, // HIRAGANA LETTER SMALL O + {0x304A, 0x3062, prID, gcLo}, // [25] HIRAGANA LETTER O..HIRAGANA LETTER DI + {0x3063, 0x3063, prCJ, gcLo}, // HIRAGANA LETTER SMALL TU + {0x3064, 0x3082, prID, gcLo}, // [31] HIRAGANA LETTER TU..HIRAGANA LETTER MO + {0x3083, 0x3083, prCJ, gcLo}, // HIRAGANA LETTER SMALL YA + {0x3084, 0x3084, prID, gcLo}, // HIRAGANA LETTER YA + {0x3085, 0x3085, prCJ, gcLo}, // HIRAGANA LETTER SMALL YU + {0x3086, 0x3086, prID, gcLo}, // HIRAGANA LETTER YU + {0x3087, 0x3087, prCJ, gcLo}, // HIRAGANA LETTER SMALL YO + {0x3088, 0x308D, prID, gcLo}, // [6] HIRAGANA LETTER YO..HIRAGANA LETTER RO + {0x308E, 0x308E, prCJ, gcLo}, // HIRAGANA LETTER SMALL WA + {0x308F, 0x3094, prID, gcLo}, // [6] HIRAGANA LETTER WA..HIRAGANA LETTER VU + {0x3095, 0x3096, prCJ, gcLo}, // [2] HIRAGANA LETTER SMALL KA..HIRAGANA LETTER SMALL KE + {0x3099, 0x309A, prCM, gcMn}, // [2] COMBINING KATAKANA-HIRAGANA VOICED SOUND MARK..COMBINING KATAKANA-HIRAGANA SEMI-VOICED SOUND MARK + {0x309B, 0x309C, prNS, gcSk}, // [2] KATAKANA-HIRAGANA VOICED SOUND MARK..KATAKANA-HIRAGANA SEMI-VOICED SOUND MARK + {0x309D, 0x309E, prNS, gcLm}, // [2] HIRAGANA ITERATION MARK..HIRAGANA VOICED ITERATION MARK + {0x309F, 0x309F, prID, gcLo}, // HIRAGANA DIGRAPH YORI + {0x30A0, 0x30A0, prNS, gcPd}, // KATAKANA-HIRAGANA DOUBLE HYPHEN + {0x30A1, 0x30A1, prCJ, gcLo}, // KATAKANA LETTER SMALL A + {0x30A2, 0x30A2, prID, gcLo}, // KATAKANA LETTER A + {0x30A3, 0x30A3, prCJ, gcLo}, // KATAKANA LETTER SMALL I + {0x30A4, 0x30A4, prID, gcLo}, // KATAKANA LETTER I + {0x30A5, 0x30A5, prCJ, gcLo}, // KATAKANA LETTER SMALL U + {0x30A6, 0x30A6, prID, gcLo}, // KATAKANA LETTER U + {0x30A7, 0x30A7, prCJ, gcLo}, // KATAKANA LETTER SMALL E + {0x30A8, 0x30A8, prID, gcLo}, // KATAKANA LETTER E + {0x30A9, 0x30A9, prCJ, gcLo}, // KATAKANA LETTER SMALL O + {0x30AA, 0x30C2, prID, gcLo}, // [25] KATAKANA LETTER O..KATAKANA LETTER DI + {0x30C3, 0x30C3, prCJ, gcLo}, // KATAKANA LETTER SMALL TU + {0x30C4, 0x30E2, prID, gcLo}, // [31] KATAKANA LETTER TU..KATAKANA LETTER MO + {0x30E3, 0x30E3, prCJ, gcLo}, // KATAKANA LETTER SMALL YA + {0x30E4, 0x30E4, prID, gcLo}, // KATAKANA LETTER YA + {0x30E5, 0x30E5, prCJ, gcLo}, // KATAKANA LETTER SMALL YU + {0x30E6, 0x30E6, prID, gcLo}, // KATAKANA LETTER YU + {0x30E7, 0x30E7, prCJ, gcLo}, // KATAKANA LETTER SMALL YO + {0x30E8, 0x30ED, prID, gcLo}, // [6] KATAKANA LETTER YO..KATAKANA LETTER RO + {0x30EE, 0x30EE, prCJ, gcLo}, // KATAKANA LETTER SMALL WA + {0x30EF, 0x30F4, prID, gcLo}, // [6] KATAKANA LETTER WA..KATAKANA LETTER VU + {0x30F5, 0x30F6, prCJ, gcLo}, // [2] KATAKANA LETTER SMALL KA..KATAKANA LETTER SMALL KE + {0x30F7, 0x30FA, prID, gcLo}, // [4] KATAKANA LETTER VA..KATAKANA LETTER VO + {0x30FB, 0x30FB, prNS, gcPo}, // KATAKANA MIDDLE DOT + {0x30FC, 0x30FC, prCJ, gcLm}, // KATAKANA-HIRAGANA PROLONGED SOUND MARK + {0x30FD, 0x30FE, prNS, gcLm}, // [2] KATAKANA ITERATION MARK..KATAKANA VOICED ITERATION MARK + {0x30FF, 0x30FF, prID, gcLo}, // KATAKANA DIGRAPH KOTO + {0x3105, 0x312F, prID, gcLo}, // [43] BOPOMOFO LETTER B..BOPOMOFO LETTER NN + {0x3131, 0x318E, prID, gcLo}, // [94] HANGUL LETTER KIYEOK..HANGUL LETTER ARAEAE + {0x3190, 0x3191, prID, gcSo}, // [2] IDEOGRAPHIC ANNOTATION LINKING MARK..IDEOGRAPHIC ANNOTATION REVERSE MARK + {0x3192, 0x3195, prID, gcNo}, // [4] IDEOGRAPHIC ANNOTATION ONE MARK..IDEOGRAPHIC ANNOTATION FOUR MARK + {0x3196, 0x319F, prID, gcSo}, // [10] IDEOGRAPHIC ANNOTATION TOP MARK..IDEOGRAPHIC ANNOTATION MAN MARK + {0x31A0, 0x31BF, prID, gcLo}, // [32] BOPOMOFO LETTER BU..BOPOMOFO LETTER AH + {0x31C0, 0x31E3, prID, gcSo}, // [36] CJK STROKE T..CJK STROKE Q + {0x31F0, 0x31FF, prCJ, gcLo}, // [16] KATAKANA LETTER SMALL KU..KATAKANA LETTER SMALL RO + {0x3200, 0x321E, prID, gcSo}, // [31] PARENTHESIZED HANGUL KIYEOK..PARENTHESIZED KOREAN CHARACTER O HU + {0x3220, 0x3229, prID, gcNo}, // [10] PARENTHESIZED IDEOGRAPH ONE..PARENTHESIZED IDEOGRAPH TEN + {0x322A, 0x3247, prID, gcSo}, // [30] PARENTHESIZED IDEOGRAPH MOON..CIRCLED IDEOGRAPH KOTO + {0x3248, 0x324F, prAI, gcNo}, // [8] CIRCLED NUMBER TEN ON BLACK SQUARE..CIRCLED NUMBER EIGHTY ON BLACK SQUARE + {0x3250, 0x3250, prID, gcSo}, // PARTNERSHIP SIGN + {0x3251, 0x325F, prID, gcNo}, // [15] CIRCLED NUMBER TWENTY ONE..CIRCLED NUMBER THIRTY FIVE + {0x3260, 0x327F, prID, gcSo}, // [32] CIRCLED HANGUL KIYEOK..KOREAN STANDARD SYMBOL + {0x3280, 0x3289, prID, gcNo}, // [10] CIRCLED IDEOGRAPH ONE..CIRCLED IDEOGRAPH TEN + {0x328A, 0x32B0, prID, gcSo}, // [39] CIRCLED IDEOGRAPH MOON..CIRCLED IDEOGRAPH NIGHT + {0x32B1, 0x32BF, prID, gcNo}, // [15] CIRCLED NUMBER THIRTY SIX..CIRCLED NUMBER FIFTY + {0x32C0, 0x32FF, prID, gcSo}, // [64] IDEOGRAPHIC TELEGRAPH SYMBOL FOR JANUARY..SQUARE ERA NAME REIWA + {0x3300, 0x33FF, prID, gcSo}, // [256] SQUARE APAATO..SQUARE GAL + {0x3400, 0x4DBF, prID, gcLo}, // [6592] CJK UNIFIED IDEOGRAPH-3400..CJK UNIFIED IDEOGRAPH-4DBF + {0x4DC0, 0x4DFF, prAL, gcSo}, // [64] HEXAGRAM FOR THE CREATIVE HEAVEN..HEXAGRAM FOR BEFORE COMPLETION + {0x4E00, 0x9FFF, prID, gcLo}, // [20992] CJK UNIFIED IDEOGRAPH-4E00..CJK UNIFIED IDEOGRAPH-9FFF + {0xA000, 0xA014, prID, gcLo}, // [21] YI SYLLABLE IT..YI SYLLABLE E + {0xA015, 0xA015, prNS, gcLm}, // YI SYLLABLE WU + {0xA016, 0xA48C, prID, gcLo}, // [1143] YI SYLLABLE BIT..YI SYLLABLE YYR + {0xA490, 0xA4C6, prID, gcSo}, // [55] YI RADICAL QOT..YI RADICAL KE + {0xA4D0, 0xA4F7, prAL, gcLo}, // [40] LISU LETTER BA..LISU LETTER OE + {0xA4F8, 0xA4FD, prAL, gcLm}, // [6] LISU LETTER TONE MYA TI..LISU LETTER TONE MYA JEU + {0xA4FE, 0xA4FF, prBA, gcPo}, // [2] LISU PUNCTUATION COMMA..LISU PUNCTUATION FULL STOP + {0xA500, 0xA60B, prAL, gcLo}, // [268] VAI SYLLABLE EE..VAI SYLLABLE NG + {0xA60C, 0xA60C, prAL, gcLm}, // VAI SYLLABLE LENGTHENER + {0xA60D, 0xA60D, prBA, gcPo}, // VAI COMMA + {0xA60E, 0xA60E, prEX, gcPo}, // VAI FULL STOP + {0xA60F, 0xA60F, prBA, gcPo}, // VAI QUESTION MARK + {0xA610, 0xA61F, prAL, gcLo}, // [16] VAI SYLLABLE NDOLE FA..VAI SYMBOL JONG + {0xA620, 0xA629, prNU, gcNd}, // [10] VAI DIGIT ZERO..VAI DIGIT NINE + {0xA62A, 0xA62B, prAL, gcLo}, // [2] VAI SYLLABLE NDOLE MA..VAI SYLLABLE NDOLE DO + {0xA640, 0xA66D, prAL, gcLC}, // [46] CYRILLIC CAPITAL LETTER ZEMLYA..CYRILLIC SMALL LETTER DOUBLE MONOCULAR O + {0xA66E, 0xA66E, prAL, gcLo}, // CYRILLIC LETTER MULTIOCULAR O + {0xA66F, 0xA66F, prCM, gcMn}, // COMBINING CYRILLIC VZMET + {0xA670, 0xA672, prCM, gcMe}, // [3] COMBINING CYRILLIC TEN MILLIONS SIGN..COMBINING CYRILLIC THOUSAND MILLIONS SIGN + {0xA673, 0xA673, prAL, gcPo}, // SLAVONIC ASTERISK + {0xA674, 0xA67D, prCM, gcMn}, // [10] COMBINING CYRILLIC LETTER UKRAINIAN IE..COMBINING CYRILLIC PAYEROK + {0xA67E, 0xA67E, prAL, gcPo}, // CYRILLIC KAVYKA + {0xA67F, 0xA67F, prAL, gcLm}, // CYRILLIC PAYEROK + {0xA680, 0xA69B, prAL, gcLC}, // [28] CYRILLIC CAPITAL LETTER DWE..CYRILLIC SMALL LETTER CROSSED O + {0xA69C, 0xA69D, prAL, gcLm}, // [2] MODIFIER LETTER CYRILLIC HARD SIGN..MODIFIER LETTER CYRILLIC SOFT SIGN + {0xA69E, 0xA69F, prCM, gcMn}, // [2] COMBINING CYRILLIC LETTER EF..COMBINING CYRILLIC LETTER IOTIFIED E + {0xA6A0, 0xA6E5, prAL, gcLo}, // [70] BAMUM LETTER A..BAMUM LETTER KI + {0xA6E6, 0xA6EF, prAL, gcNl}, // [10] BAMUM LETTER MO..BAMUM LETTER KOGHOM + {0xA6F0, 0xA6F1, prCM, gcMn}, // [2] BAMUM COMBINING MARK KOQNDON..BAMUM COMBINING MARK TUKWENTIS + {0xA6F2, 0xA6F2, prAL, gcPo}, // BAMUM NJAEMLI + {0xA6F3, 0xA6F7, prBA, gcPo}, // [5] BAMUM FULL STOP..BAMUM QUESTION MARK + {0xA700, 0xA716, prAL, gcSk}, // [23] MODIFIER LETTER CHINESE TONE YIN PING..MODIFIER LETTER EXTRA-LOW LEFT-STEM TONE BAR + {0xA717, 0xA71F, prAL, gcLm}, // [9] MODIFIER LETTER DOT VERTICAL BAR..MODIFIER LETTER LOW INVERTED EXCLAMATION MARK + {0xA720, 0xA721, prAL, gcSk}, // [2] MODIFIER LETTER STRESS AND HIGH TONE..MODIFIER LETTER STRESS AND LOW TONE + {0xA722, 0xA76F, prAL, gcLC}, // [78] LATIN CAPITAL LETTER EGYPTOLOGICAL ALEF..LATIN SMALL LETTER CON + {0xA770, 0xA770, prAL, gcLm}, // MODIFIER LETTER US + {0xA771, 0xA787, prAL, gcLC}, // [23] LATIN SMALL LETTER DUM..LATIN SMALL LETTER INSULAR T + {0xA788, 0xA788, prAL, gcLm}, // MODIFIER LETTER LOW CIRCUMFLEX ACCENT + {0xA789, 0xA78A, prAL, gcSk}, // [2] MODIFIER LETTER COLON..MODIFIER LETTER SHORT EQUALS SIGN + {0xA78B, 0xA78E, prAL, gcLC}, // [4] LATIN CAPITAL LETTER SALTILLO..LATIN SMALL LETTER L WITH RETROFLEX HOOK AND BELT + {0xA78F, 0xA78F, prAL, gcLo}, // LATIN LETTER SINOLOGICAL DOT + {0xA790, 0xA7CA, prAL, gcLC}, // [59] LATIN CAPITAL LETTER N WITH DESCENDER..LATIN SMALL LETTER S WITH SHORT STROKE OVERLAY + {0xA7D0, 0xA7D1, prAL, gcLC}, // [2] LATIN CAPITAL LETTER CLOSED INSULAR G..LATIN SMALL LETTER CLOSED INSULAR G + {0xA7D3, 0xA7D3, prAL, gcLl}, // LATIN SMALL LETTER DOUBLE THORN + {0xA7D5, 0xA7D9, prAL, gcLC}, // [5] LATIN SMALL LETTER DOUBLE WYNN..LATIN SMALL LETTER SIGMOID S + {0xA7F2, 0xA7F4, prAL, gcLm}, // [3] MODIFIER LETTER CAPITAL C..MODIFIER LETTER CAPITAL Q + {0xA7F5, 0xA7F6, prAL, gcLC}, // [2] LATIN CAPITAL LETTER REVERSED HALF H..LATIN SMALL LETTER REVERSED HALF H + {0xA7F7, 0xA7F7, prAL, gcLo}, // LATIN EPIGRAPHIC LETTER SIDEWAYS I + {0xA7F8, 0xA7F9, prAL, gcLm}, // [2] MODIFIER LETTER CAPITAL H WITH STROKE..MODIFIER LETTER SMALL LIGATURE OE + {0xA7FA, 0xA7FA, prAL, gcLl}, // LATIN LETTER SMALL CAPITAL TURNED M + {0xA7FB, 0xA7FF, prAL, gcLo}, // [5] LATIN EPIGRAPHIC LETTER REVERSED F..LATIN EPIGRAPHIC LETTER ARCHAIC M + {0xA800, 0xA801, prAL, gcLo}, // [2] SYLOTI NAGRI LETTER A..SYLOTI NAGRI LETTER I + {0xA802, 0xA802, prCM, gcMn}, // SYLOTI NAGRI SIGN DVISVARA + {0xA803, 0xA805, prAL, gcLo}, // [3] SYLOTI NAGRI LETTER U..SYLOTI NAGRI LETTER O + {0xA806, 0xA806, prCM, gcMn}, // SYLOTI NAGRI SIGN HASANTA + {0xA807, 0xA80A, prAL, gcLo}, // [4] SYLOTI NAGRI LETTER KO..SYLOTI NAGRI LETTER GHO + {0xA80B, 0xA80B, prCM, gcMn}, // SYLOTI NAGRI SIGN ANUSVARA + {0xA80C, 0xA822, prAL, gcLo}, // [23] SYLOTI NAGRI LETTER CO..SYLOTI NAGRI LETTER HO + {0xA823, 0xA824, prCM, gcMc}, // [2] SYLOTI NAGRI VOWEL SIGN A..SYLOTI NAGRI VOWEL SIGN I + {0xA825, 0xA826, prCM, gcMn}, // [2] SYLOTI NAGRI VOWEL SIGN U..SYLOTI NAGRI VOWEL SIGN E + {0xA827, 0xA827, prCM, gcMc}, // SYLOTI NAGRI VOWEL SIGN OO + {0xA828, 0xA82B, prAL, gcSo}, // [4] SYLOTI NAGRI POETRY MARK-1..SYLOTI NAGRI POETRY MARK-4 + {0xA82C, 0xA82C, prCM, gcMn}, // SYLOTI NAGRI SIGN ALTERNATE HASANTA + {0xA830, 0xA835, prAL, gcNo}, // [6] NORTH INDIC FRACTION ONE QUARTER..NORTH INDIC FRACTION THREE SIXTEENTHS + {0xA836, 0xA837, prAL, gcSo}, // [2] NORTH INDIC QUARTER MARK..NORTH INDIC PLACEHOLDER MARK + {0xA838, 0xA838, prPO, gcSc}, // NORTH INDIC RUPEE MARK + {0xA839, 0xA839, prAL, gcSo}, // NORTH INDIC QUANTITY MARK + {0xA840, 0xA873, prAL, gcLo}, // [52] PHAGS-PA LETTER KA..PHAGS-PA LETTER CANDRABINDU + {0xA874, 0xA875, prBB, gcPo}, // [2] PHAGS-PA SINGLE HEAD MARK..PHAGS-PA DOUBLE HEAD MARK + {0xA876, 0xA877, prEX, gcPo}, // [2] PHAGS-PA MARK SHAD..PHAGS-PA MARK DOUBLE SHAD + {0xA880, 0xA881, prCM, gcMc}, // [2] SAURASHTRA SIGN ANUSVARA..SAURASHTRA SIGN VISARGA + {0xA882, 0xA8B3, prAL, gcLo}, // [50] SAURASHTRA LETTER A..SAURASHTRA LETTER LLA + {0xA8B4, 0xA8C3, prCM, gcMc}, // [16] SAURASHTRA CONSONANT SIGN HAARU..SAURASHTRA VOWEL SIGN AU + {0xA8C4, 0xA8C5, prCM, gcMn}, // [2] SAURASHTRA SIGN VIRAMA..SAURASHTRA SIGN CANDRABINDU + {0xA8CE, 0xA8CF, prBA, gcPo}, // [2] SAURASHTRA DANDA..SAURASHTRA DOUBLE DANDA + {0xA8D0, 0xA8D9, prNU, gcNd}, // [10] SAURASHTRA DIGIT ZERO..SAURASHTRA DIGIT NINE + {0xA8E0, 0xA8F1, prCM, gcMn}, // [18] COMBINING DEVANAGARI DIGIT ZERO..COMBINING DEVANAGARI SIGN AVAGRAHA + {0xA8F2, 0xA8F7, prAL, gcLo}, // [6] DEVANAGARI SIGN SPACING CANDRABINDU..DEVANAGARI SIGN CANDRABINDU AVAGRAHA + {0xA8F8, 0xA8FA, prAL, gcPo}, // [3] DEVANAGARI SIGN PUSHPIKA..DEVANAGARI CARET + {0xA8FB, 0xA8FB, prAL, gcLo}, // DEVANAGARI HEADSTROKE + {0xA8FC, 0xA8FC, prBB, gcPo}, // DEVANAGARI SIGN SIDDHAM + {0xA8FD, 0xA8FE, prAL, gcLo}, // [2] DEVANAGARI JAIN OM..DEVANAGARI LETTER AY + {0xA8FF, 0xA8FF, prCM, gcMn}, // DEVANAGARI VOWEL SIGN AY + {0xA900, 0xA909, prNU, gcNd}, // [10] KAYAH LI DIGIT ZERO..KAYAH LI DIGIT NINE + {0xA90A, 0xA925, prAL, gcLo}, // [28] KAYAH LI LETTER KA..KAYAH LI LETTER OO + {0xA926, 0xA92D, prCM, gcMn}, // [8] KAYAH LI VOWEL UE..KAYAH LI TONE CALYA PLOPHU + {0xA92E, 0xA92F, prBA, gcPo}, // [2] KAYAH LI SIGN CWI..KAYAH LI SIGN SHYA + {0xA930, 0xA946, prAL, gcLo}, // [23] REJANG LETTER KA..REJANG LETTER A + {0xA947, 0xA951, prCM, gcMn}, // [11] REJANG VOWEL SIGN I..REJANG CONSONANT SIGN R + {0xA952, 0xA953, prCM, gcMc}, // [2] REJANG CONSONANT SIGN H..REJANG VIRAMA + {0xA95F, 0xA95F, prAL, gcPo}, // REJANG SECTION MARK + {0xA960, 0xA97C, prJL, gcLo}, // [29] HANGUL CHOSEONG TIKEUT-MIEUM..HANGUL CHOSEONG SSANGYEORINHIEUH + {0xA980, 0xA982, prCM, gcMn}, // [3] JAVANESE SIGN PANYANGGA..JAVANESE SIGN LAYAR + {0xA983, 0xA983, prCM, gcMc}, // JAVANESE SIGN WIGNYAN + {0xA984, 0xA9B2, prAL, gcLo}, // [47] JAVANESE LETTER A..JAVANESE LETTER HA + {0xA9B3, 0xA9B3, prCM, gcMn}, // JAVANESE SIGN CECAK TELU + {0xA9B4, 0xA9B5, prCM, gcMc}, // [2] JAVANESE VOWEL SIGN TARUNG..JAVANESE VOWEL SIGN TOLONG + {0xA9B6, 0xA9B9, prCM, gcMn}, // [4] JAVANESE VOWEL SIGN WULU..JAVANESE VOWEL SIGN SUKU MENDUT + {0xA9BA, 0xA9BB, prCM, gcMc}, // [2] JAVANESE VOWEL SIGN TALING..JAVANESE VOWEL SIGN DIRGA MURE + {0xA9BC, 0xA9BD, prCM, gcMn}, // [2] JAVANESE VOWEL SIGN PEPET..JAVANESE CONSONANT SIGN KERET + {0xA9BE, 0xA9C0, prCM, gcMc}, // [3] JAVANESE CONSONANT SIGN PENGKAL..JAVANESE PANGKON + {0xA9C1, 0xA9C6, prAL, gcPo}, // [6] JAVANESE LEFT RERENGGAN..JAVANESE PADA WINDU + {0xA9C7, 0xA9C9, prBA, gcPo}, // [3] JAVANESE PADA PANGKAT..JAVANESE PADA LUNGSI + {0xA9CA, 0xA9CD, prAL, gcPo}, // [4] JAVANESE PADA ADEG..JAVANESE TURNED PADA PISELEH + {0xA9CF, 0xA9CF, prAL, gcLm}, // JAVANESE PANGRANGKEP + {0xA9D0, 0xA9D9, prNU, gcNd}, // [10] JAVANESE DIGIT ZERO..JAVANESE DIGIT NINE + {0xA9DE, 0xA9DF, prAL, gcPo}, // [2] JAVANESE PADA TIRTA TUMETES..JAVANESE PADA ISEN-ISEN + {0xA9E0, 0xA9E4, prSA, gcLo}, // [5] MYANMAR LETTER SHAN GHA..MYANMAR LETTER SHAN BHA + {0xA9E5, 0xA9E5, prSA, gcMn}, // MYANMAR SIGN SHAN SAW + {0xA9E6, 0xA9E6, prSA, gcLm}, // MYANMAR MODIFIER LETTER SHAN REDUPLICATION + {0xA9E7, 0xA9EF, prSA, gcLo}, // [9] MYANMAR LETTER TAI LAING NYA..MYANMAR LETTER TAI LAING NNA + {0xA9F0, 0xA9F9, prNU, gcNd}, // [10] MYANMAR TAI LAING DIGIT ZERO..MYANMAR TAI LAING DIGIT NINE + {0xA9FA, 0xA9FE, prSA, gcLo}, // [5] MYANMAR LETTER TAI LAING LLA..MYANMAR LETTER TAI LAING BHA + {0xAA00, 0xAA28, prAL, gcLo}, // [41] CHAM LETTER A..CHAM LETTER HA + {0xAA29, 0xAA2E, prCM, gcMn}, // [6] CHAM VOWEL SIGN AA..CHAM VOWEL SIGN OE + {0xAA2F, 0xAA30, prCM, gcMc}, // [2] CHAM VOWEL SIGN O..CHAM VOWEL SIGN AI + {0xAA31, 0xAA32, prCM, gcMn}, // [2] CHAM VOWEL SIGN AU..CHAM VOWEL SIGN UE + {0xAA33, 0xAA34, prCM, gcMc}, // [2] CHAM CONSONANT SIGN YA..CHAM CONSONANT SIGN RA + {0xAA35, 0xAA36, prCM, gcMn}, // [2] CHAM CONSONANT SIGN LA..CHAM CONSONANT SIGN WA + {0xAA40, 0xAA42, prAL, gcLo}, // [3] CHAM LETTER FINAL K..CHAM LETTER FINAL NG + {0xAA43, 0xAA43, prCM, gcMn}, // CHAM CONSONANT SIGN FINAL NG + {0xAA44, 0xAA4B, prAL, gcLo}, // [8] CHAM LETTER FINAL CH..CHAM LETTER FINAL SS + {0xAA4C, 0xAA4C, prCM, gcMn}, // CHAM CONSONANT SIGN FINAL M + {0xAA4D, 0xAA4D, prCM, gcMc}, // CHAM CONSONANT SIGN FINAL H + {0xAA50, 0xAA59, prNU, gcNd}, // [10] CHAM DIGIT ZERO..CHAM DIGIT NINE + {0xAA5C, 0xAA5C, prAL, gcPo}, // CHAM PUNCTUATION SPIRAL + {0xAA5D, 0xAA5F, prBA, gcPo}, // [3] CHAM PUNCTUATION DANDA..CHAM PUNCTUATION TRIPLE DANDA + {0xAA60, 0xAA6F, prSA, gcLo}, // [16] MYANMAR LETTER KHAMTI GA..MYANMAR LETTER KHAMTI FA + {0xAA70, 0xAA70, prSA, gcLm}, // MYANMAR MODIFIER LETTER KHAMTI REDUPLICATION + {0xAA71, 0xAA76, prSA, gcLo}, // [6] MYANMAR LETTER KHAMTI XA..MYANMAR LOGOGRAM KHAMTI HM + {0xAA77, 0xAA79, prSA, gcSo}, // [3] MYANMAR SYMBOL AITON EXCLAMATION..MYANMAR SYMBOL AITON TWO + {0xAA7A, 0xAA7A, prSA, gcLo}, // MYANMAR LETTER AITON RA + {0xAA7B, 0xAA7B, prSA, gcMc}, // MYANMAR SIGN PAO KAREN TONE + {0xAA7C, 0xAA7C, prSA, gcMn}, // MYANMAR SIGN TAI LAING TONE-2 + {0xAA7D, 0xAA7D, prSA, gcMc}, // MYANMAR SIGN TAI LAING TONE-5 + {0xAA7E, 0xAA7F, prSA, gcLo}, // [2] MYANMAR LETTER SHWE PALAUNG CHA..MYANMAR LETTER SHWE PALAUNG SHA + {0xAA80, 0xAAAF, prSA, gcLo}, // [48] TAI VIET LETTER LOW KO..TAI VIET LETTER HIGH O + {0xAAB0, 0xAAB0, prSA, gcMn}, // TAI VIET MAI KANG + {0xAAB1, 0xAAB1, prSA, gcLo}, // TAI VIET VOWEL AA + {0xAAB2, 0xAAB4, prSA, gcMn}, // [3] TAI VIET VOWEL I..TAI VIET VOWEL U + {0xAAB5, 0xAAB6, prSA, gcLo}, // [2] TAI VIET VOWEL E..TAI VIET VOWEL O + {0xAAB7, 0xAAB8, prSA, gcMn}, // [2] TAI VIET MAI KHIT..TAI VIET VOWEL IA + {0xAAB9, 0xAABD, prSA, gcLo}, // [5] TAI VIET VOWEL UEA..TAI VIET VOWEL AN + {0xAABE, 0xAABF, prSA, gcMn}, // [2] TAI VIET VOWEL AM..TAI VIET TONE MAI EK + {0xAAC0, 0xAAC0, prSA, gcLo}, // TAI VIET TONE MAI NUENG + {0xAAC1, 0xAAC1, prSA, gcMn}, // TAI VIET TONE MAI THO + {0xAAC2, 0xAAC2, prSA, gcLo}, // TAI VIET TONE MAI SONG + {0xAADB, 0xAADC, prSA, gcLo}, // [2] TAI VIET SYMBOL KON..TAI VIET SYMBOL NUENG + {0xAADD, 0xAADD, prSA, gcLm}, // TAI VIET SYMBOL SAM + {0xAADE, 0xAADF, prSA, gcPo}, // [2] TAI VIET SYMBOL HO HOI..TAI VIET SYMBOL KOI KOI + {0xAAE0, 0xAAEA, prAL, gcLo}, // [11] MEETEI MAYEK LETTER E..MEETEI MAYEK LETTER SSA + {0xAAEB, 0xAAEB, prCM, gcMc}, // MEETEI MAYEK VOWEL SIGN II + {0xAAEC, 0xAAED, prCM, gcMn}, // [2] MEETEI MAYEK VOWEL SIGN UU..MEETEI MAYEK VOWEL SIGN AAI + {0xAAEE, 0xAAEF, prCM, gcMc}, // [2] MEETEI MAYEK VOWEL SIGN AU..MEETEI MAYEK VOWEL SIGN AAU + {0xAAF0, 0xAAF1, prBA, gcPo}, // [2] MEETEI MAYEK CHEIKHAN..MEETEI MAYEK AHANG KHUDAM + {0xAAF2, 0xAAF2, prAL, gcLo}, // MEETEI MAYEK ANJI + {0xAAF3, 0xAAF4, prAL, gcLm}, // [2] MEETEI MAYEK SYLLABLE REPETITION MARK..MEETEI MAYEK WORD REPETITION MARK + {0xAAF5, 0xAAF5, prCM, gcMc}, // MEETEI MAYEK VOWEL SIGN VISARGA + {0xAAF6, 0xAAF6, prCM, gcMn}, // MEETEI MAYEK VIRAMA + {0xAB01, 0xAB06, prAL, gcLo}, // [6] ETHIOPIC SYLLABLE TTHU..ETHIOPIC SYLLABLE TTHO + {0xAB09, 0xAB0E, prAL, gcLo}, // [6] ETHIOPIC SYLLABLE DDHU..ETHIOPIC SYLLABLE DDHO + {0xAB11, 0xAB16, prAL, gcLo}, // [6] ETHIOPIC SYLLABLE DZU..ETHIOPIC SYLLABLE DZO + {0xAB20, 0xAB26, prAL, gcLo}, // [7] ETHIOPIC SYLLABLE CCHHA..ETHIOPIC SYLLABLE CCHHO + {0xAB28, 0xAB2E, prAL, gcLo}, // [7] ETHIOPIC SYLLABLE BBA..ETHIOPIC SYLLABLE BBO + {0xAB30, 0xAB5A, prAL, gcLl}, // [43] LATIN SMALL LETTER BARRED ALPHA..LATIN SMALL LETTER Y WITH SHORT RIGHT LEG + {0xAB5B, 0xAB5B, prAL, gcSk}, // MODIFIER BREVE WITH INVERTED BREVE + {0xAB5C, 0xAB5F, prAL, gcLm}, // [4] MODIFIER LETTER SMALL HENG..MODIFIER LETTER SMALL U WITH LEFT HOOK + {0xAB60, 0xAB68, prAL, gcLl}, // [9] LATIN SMALL LETTER SAKHA YAT..LATIN SMALL LETTER TURNED R WITH MIDDLE TILDE + {0xAB69, 0xAB69, prAL, gcLm}, // MODIFIER LETTER SMALL TURNED W + {0xAB6A, 0xAB6B, prAL, gcSk}, // [2] MODIFIER LETTER LEFT TACK..MODIFIER LETTER RIGHT TACK + {0xAB70, 0xABBF, prAL, gcLl}, // [80] CHEROKEE SMALL LETTER A..CHEROKEE SMALL LETTER YA + {0xABC0, 0xABE2, prAL, gcLo}, // [35] MEETEI MAYEK LETTER KOK..MEETEI MAYEK LETTER I LONSUM + {0xABE3, 0xABE4, prCM, gcMc}, // [2] MEETEI MAYEK VOWEL SIGN ONAP..MEETEI MAYEK VOWEL SIGN INAP + {0xABE5, 0xABE5, prCM, gcMn}, // MEETEI MAYEK VOWEL SIGN ANAP + {0xABE6, 0xABE7, prCM, gcMc}, // [2] MEETEI MAYEK VOWEL SIGN YENAP..MEETEI MAYEK VOWEL SIGN SOUNAP + {0xABE8, 0xABE8, prCM, gcMn}, // MEETEI MAYEK VOWEL SIGN UNAP + {0xABE9, 0xABEA, prCM, gcMc}, // [2] MEETEI MAYEK VOWEL SIGN CHEINAP..MEETEI MAYEK VOWEL SIGN NUNG + {0xABEB, 0xABEB, prBA, gcPo}, // MEETEI MAYEK CHEIKHEI + {0xABEC, 0xABEC, prCM, gcMc}, // MEETEI MAYEK LUM IYEK + {0xABED, 0xABED, prCM, gcMn}, // MEETEI MAYEK APUN IYEK + {0xABF0, 0xABF9, prNU, gcNd}, // [10] MEETEI MAYEK DIGIT ZERO..MEETEI MAYEK DIGIT NINE + {0xAC00, 0xAC00, prH2, gcLo}, // HANGUL SYLLABLE GA + {0xAC01, 0xAC1B, prH3, gcLo}, // [27] HANGUL SYLLABLE GAG..HANGUL SYLLABLE GAH + {0xAC1C, 0xAC1C, prH2, gcLo}, // HANGUL SYLLABLE GAE + {0xAC1D, 0xAC37, prH3, gcLo}, // [27] HANGUL SYLLABLE GAEG..HANGUL SYLLABLE GAEH + {0xAC38, 0xAC38, prH2, gcLo}, // HANGUL SYLLABLE GYA + {0xAC39, 0xAC53, prH3, gcLo}, // [27] HANGUL SYLLABLE GYAG..HANGUL SYLLABLE GYAH + {0xAC54, 0xAC54, prH2, gcLo}, // HANGUL SYLLABLE GYAE + {0xAC55, 0xAC6F, prH3, gcLo}, // [27] HANGUL SYLLABLE GYAEG..HANGUL SYLLABLE GYAEH + {0xAC70, 0xAC70, prH2, gcLo}, // HANGUL SYLLABLE GEO + {0xAC71, 0xAC8B, prH3, gcLo}, // [27] HANGUL SYLLABLE GEOG..HANGUL SYLLABLE GEOH + {0xAC8C, 0xAC8C, prH2, gcLo}, // HANGUL SYLLABLE GE + {0xAC8D, 0xACA7, prH3, gcLo}, // [27] HANGUL SYLLABLE GEG..HANGUL SYLLABLE GEH + {0xACA8, 0xACA8, prH2, gcLo}, // HANGUL SYLLABLE GYEO + {0xACA9, 0xACC3, prH3, gcLo}, // [27] HANGUL SYLLABLE GYEOG..HANGUL SYLLABLE GYEOH + {0xACC4, 0xACC4, prH2, gcLo}, // HANGUL SYLLABLE GYE + {0xACC5, 0xACDF, prH3, gcLo}, // [27] HANGUL SYLLABLE GYEG..HANGUL SYLLABLE GYEH + {0xACE0, 0xACE0, prH2, gcLo}, // HANGUL SYLLABLE GO + {0xACE1, 0xACFB, prH3, gcLo}, // [27] HANGUL SYLLABLE GOG..HANGUL SYLLABLE GOH + {0xACFC, 0xACFC, prH2, gcLo}, // HANGUL SYLLABLE GWA + {0xACFD, 0xAD17, prH3, gcLo}, // [27] HANGUL SYLLABLE GWAG..HANGUL SYLLABLE GWAH + {0xAD18, 0xAD18, prH2, gcLo}, // HANGUL SYLLABLE GWAE + {0xAD19, 0xAD33, prH3, gcLo}, // [27] HANGUL SYLLABLE GWAEG..HANGUL SYLLABLE GWAEH + {0xAD34, 0xAD34, prH2, gcLo}, // HANGUL SYLLABLE GOE + {0xAD35, 0xAD4F, prH3, gcLo}, // [27] HANGUL SYLLABLE GOEG..HANGUL SYLLABLE GOEH + {0xAD50, 0xAD50, prH2, gcLo}, // HANGUL SYLLABLE GYO + {0xAD51, 0xAD6B, prH3, gcLo}, // [27] HANGUL SYLLABLE GYOG..HANGUL SYLLABLE GYOH + {0xAD6C, 0xAD6C, prH2, gcLo}, // HANGUL SYLLABLE GU + {0xAD6D, 0xAD87, prH3, gcLo}, // [27] HANGUL SYLLABLE GUG..HANGUL SYLLABLE GUH + {0xAD88, 0xAD88, prH2, gcLo}, // HANGUL SYLLABLE GWEO + {0xAD89, 0xADA3, prH3, gcLo}, // [27] HANGUL SYLLABLE GWEOG..HANGUL SYLLABLE GWEOH + {0xADA4, 0xADA4, prH2, gcLo}, // HANGUL SYLLABLE GWE + {0xADA5, 0xADBF, prH3, gcLo}, // [27] HANGUL SYLLABLE GWEG..HANGUL SYLLABLE GWEH + {0xADC0, 0xADC0, prH2, gcLo}, // HANGUL SYLLABLE GWI + {0xADC1, 0xADDB, prH3, gcLo}, // [27] HANGUL SYLLABLE GWIG..HANGUL SYLLABLE GWIH + {0xADDC, 0xADDC, prH2, gcLo}, // HANGUL SYLLABLE GYU + {0xADDD, 0xADF7, prH3, gcLo}, // [27] HANGUL SYLLABLE GYUG..HANGUL SYLLABLE GYUH + {0xADF8, 0xADF8, prH2, gcLo}, // HANGUL SYLLABLE GEU + {0xADF9, 0xAE13, prH3, gcLo}, // [27] HANGUL SYLLABLE GEUG..HANGUL SYLLABLE GEUH + {0xAE14, 0xAE14, prH2, gcLo}, // HANGUL SYLLABLE GYI + {0xAE15, 0xAE2F, prH3, gcLo}, // [27] HANGUL SYLLABLE GYIG..HANGUL SYLLABLE GYIH + {0xAE30, 0xAE30, prH2, gcLo}, // HANGUL SYLLABLE GI + {0xAE31, 0xAE4B, prH3, gcLo}, // [27] HANGUL SYLLABLE GIG..HANGUL SYLLABLE GIH + {0xAE4C, 0xAE4C, prH2, gcLo}, // HANGUL SYLLABLE GGA + {0xAE4D, 0xAE67, prH3, gcLo}, // [27] HANGUL SYLLABLE GGAG..HANGUL SYLLABLE GGAH + {0xAE68, 0xAE68, prH2, gcLo}, // HANGUL SYLLABLE GGAE + {0xAE69, 0xAE83, prH3, gcLo}, // [27] HANGUL SYLLABLE GGAEG..HANGUL SYLLABLE GGAEH + {0xAE84, 0xAE84, prH2, gcLo}, // HANGUL SYLLABLE GGYA + {0xAE85, 0xAE9F, prH3, gcLo}, // [27] HANGUL SYLLABLE GGYAG..HANGUL SYLLABLE GGYAH + {0xAEA0, 0xAEA0, prH2, gcLo}, // HANGUL SYLLABLE GGYAE + {0xAEA1, 0xAEBB, prH3, gcLo}, // [27] HANGUL SYLLABLE GGYAEG..HANGUL SYLLABLE GGYAEH + {0xAEBC, 0xAEBC, prH2, gcLo}, // HANGUL SYLLABLE GGEO + {0xAEBD, 0xAED7, prH3, gcLo}, // [27] HANGUL SYLLABLE GGEOG..HANGUL SYLLABLE GGEOH + {0xAED8, 0xAED8, prH2, gcLo}, // HANGUL SYLLABLE GGE + {0xAED9, 0xAEF3, prH3, gcLo}, // [27] HANGUL SYLLABLE GGEG..HANGUL SYLLABLE GGEH + {0xAEF4, 0xAEF4, prH2, gcLo}, // HANGUL SYLLABLE GGYEO + {0xAEF5, 0xAF0F, prH3, gcLo}, // [27] HANGUL SYLLABLE GGYEOG..HANGUL SYLLABLE GGYEOH + {0xAF10, 0xAF10, prH2, gcLo}, // HANGUL SYLLABLE GGYE + {0xAF11, 0xAF2B, prH3, gcLo}, // [27] HANGUL SYLLABLE GGYEG..HANGUL SYLLABLE GGYEH + {0xAF2C, 0xAF2C, prH2, gcLo}, // HANGUL SYLLABLE GGO + {0xAF2D, 0xAF47, prH3, gcLo}, // [27] HANGUL SYLLABLE GGOG..HANGUL SYLLABLE GGOH + {0xAF48, 0xAF48, prH2, gcLo}, // HANGUL SYLLABLE GGWA + {0xAF49, 0xAF63, prH3, gcLo}, // [27] HANGUL SYLLABLE GGWAG..HANGUL SYLLABLE GGWAH + {0xAF64, 0xAF64, prH2, gcLo}, // HANGUL SYLLABLE GGWAE + {0xAF65, 0xAF7F, prH3, gcLo}, // [27] HANGUL SYLLABLE GGWAEG..HANGUL SYLLABLE GGWAEH + {0xAF80, 0xAF80, prH2, gcLo}, // HANGUL SYLLABLE GGOE + {0xAF81, 0xAF9B, prH3, gcLo}, // [27] HANGUL SYLLABLE GGOEG..HANGUL SYLLABLE GGOEH + {0xAF9C, 0xAF9C, prH2, gcLo}, // HANGUL SYLLABLE GGYO + {0xAF9D, 0xAFB7, prH3, gcLo}, // [27] HANGUL SYLLABLE GGYOG..HANGUL SYLLABLE GGYOH + {0xAFB8, 0xAFB8, prH2, gcLo}, // HANGUL SYLLABLE GGU + {0xAFB9, 0xAFD3, prH3, gcLo}, // [27] HANGUL SYLLABLE GGUG..HANGUL SYLLABLE GGUH + {0xAFD4, 0xAFD4, prH2, gcLo}, // HANGUL SYLLABLE GGWEO + {0xAFD5, 0xAFEF, prH3, gcLo}, // [27] HANGUL SYLLABLE GGWEOG..HANGUL SYLLABLE GGWEOH + {0xAFF0, 0xAFF0, prH2, gcLo}, // HANGUL SYLLABLE GGWE + {0xAFF1, 0xB00B, prH3, gcLo}, // [27] HANGUL SYLLABLE GGWEG..HANGUL SYLLABLE GGWEH + {0xB00C, 0xB00C, prH2, gcLo}, // HANGUL SYLLABLE GGWI + {0xB00D, 0xB027, prH3, gcLo}, // [27] HANGUL SYLLABLE GGWIG..HANGUL SYLLABLE GGWIH + {0xB028, 0xB028, prH2, gcLo}, // HANGUL SYLLABLE GGYU + {0xB029, 0xB043, prH3, gcLo}, // [27] HANGUL SYLLABLE GGYUG..HANGUL SYLLABLE GGYUH + {0xB044, 0xB044, prH2, gcLo}, // HANGUL SYLLABLE GGEU + {0xB045, 0xB05F, prH3, gcLo}, // [27] HANGUL SYLLABLE GGEUG..HANGUL SYLLABLE GGEUH + {0xB060, 0xB060, prH2, gcLo}, // HANGUL SYLLABLE GGYI + {0xB061, 0xB07B, prH3, gcLo}, // [27] HANGUL SYLLABLE GGYIG..HANGUL SYLLABLE GGYIH + {0xB07C, 0xB07C, prH2, gcLo}, // HANGUL SYLLABLE GGI + {0xB07D, 0xB097, prH3, gcLo}, // [27] HANGUL SYLLABLE GGIG..HANGUL SYLLABLE GGIH + {0xB098, 0xB098, prH2, gcLo}, // HANGUL SYLLABLE NA + {0xB099, 0xB0B3, prH3, gcLo}, // [27] HANGUL SYLLABLE NAG..HANGUL SYLLABLE NAH + {0xB0B4, 0xB0B4, prH2, gcLo}, // HANGUL SYLLABLE NAE + {0xB0B5, 0xB0CF, prH3, gcLo}, // [27] HANGUL SYLLABLE NAEG..HANGUL SYLLABLE NAEH + {0xB0D0, 0xB0D0, prH2, gcLo}, // HANGUL SYLLABLE NYA + {0xB0D1, 0xB0EB, prH3, gcLo}, // [27] HANGUL SYLLABLE NYAG..HANGUL SYLLABLE NYAH + {0xB0EC, 0xB0EC, prH2, gcLo}, // HANGUL SYLLABLE NYAE + {0xB0ED, 0xB107, prH3, gcLo}, // [27] HANGUL SYLLABLE NYAEG..HANGUL SYLLABLE NYAEH + {0xB108, 0xB108, prH2, gcLo}, // HANGUL SYLLABLE NEO + {0xB109, 0xB123, prH3, gcLo}, // [27] HANGUL SYLLABLE NEOG..HANGUL SYLLABLE NEOH + {0xB124, 0xB124, prH2, gcLo}, // HANGUL SYLLABLE NE + {0xB125, 0xB13F, prH3, gcLo}, // [27] HANGUL SYLLABLE NEG..HANGUL SYLLABLE NEH + {0xB140, 0xB140, prH2, gcLo}, // HANGUL SYLLABLE NYEO + {0xB141, 0xB15B, prH3, gcLo}, // [27] HANGUL SYLLABLE NYEOG..HANGUL SYLLABLE NYEOH + {0xB15C, 0xB15C, prH2, gcLo}, // HANGUL SYLLABLE NYE + {0xB15D, 0xB177, prH3, gcLo}, // [27] HANGUL SYLLABLE NYEG..HANGUL SYLLABLE NYEH + {0xB178, 0xB178, prH2, gcLo}, // HANGUL SYLLABLE NO + {0xB179, 0xB193, prH3, gcLo}, // [27] HANGUL SYLLABLE NOG..HANGUL SYLLABLE NOH + {0xB194, 0xB194, prH2, gcLo}, // HANGUL SYLLABLE NWA + {0xB195, 0xB1AF, prH3, gcLo}, // [27] HANGUL SYLLABLE NWAG..HANGUL SYLLABLE NWAH + {0xB1B0, 0xB1B0, prH2, gcLo}, // HANGUL SYLLABLE NWAE + {0xB1B1, 0xB1CB, prH3, gcLo}, // [27] HANGUL SYLLABLE NWAEG..HANGUL SYLLABLE NWAEH + {0xB1CC, 0xB1CC, prH2, gcLo}, // HANGUL SYLLABLE NOE + {0xB1CD, 0xB1E7, prH3, gcLo}, // [27] HANGUL SYLLABLE NOEG..HANGUL SYLLABLE NOEH + {0xB1E8, 0xB1E8, prH2, gcLo}, // HANGUL SYLLABLE NYO + {0xB1E9, 0xB203, prH3, gcLo}, // [27] HANGUL SYLLABLE NYOG..HANGUL SYLLABLE NYOH + {0xB204, 0xB204, prH2, gcLo}, // HANGUL SYLLABLE NU + {0xB205, 0xB21F, prH3, gcLo}, // [27] HANGUL SYLLABLE NUG..HANGUL SYLLABLE NUH + {0xB220, 0xB220, prH2, gcLo}, // HANGUL SYLLABLE NWEO + {0xB221, 0xB23B, prH3, gcLo}, // [27] HANGUL SYLLABLE NWEOG..HANGUL SYLLABLE NWEOH + {0xB23C, 0xB23C, prH2, gcLo}, // HANGUL SYLLABLE NWE + {0xB23D, 0xB257, prH3, gcLo}, // [27] HANGUL SYLLABLE NWEG..HANGUL SYLLABLE NWEH + {0xB258, 0xB258, prH2, gcLo}, // HANGUL SYLLABLE NWI + {0xB259, 0xB273, prH3, gcLo}, // [27] HANGUL SYLLABLE NWIG..HANGUL SYLLABLE NWIH + {0xB274, 0xB274, prH2, gcLo}, // HANGUL SYLLABLE NYU + {0xB275, 0xB28F, prH3, gcLo}, // [27] HANGUL SYLLABLE NYUG..HANGUL SYLLABLE NYUH + {0xB290, 0xB290, prH2, gcLo}, // HANGUL SYLLABLE NEU + {0xB291, 0xB2AB, prH3, gcLo}, // [27] HANGUL SYLLABLE NEUG..HANGUL SYLLABLE NEUH + {0xB2AC, 0xB2AC, prH2, gcLo}, // HANGUL SYLLABLE NYI + {0xB2AD, 0xB2C7, prH3, gcLo}, // [27] HANGUL SYLLABLE NYIG..HANGUL SYLLABLE NYIH + {0xB2C8, 0xB2C8, prH2, gcLo}, // HANGUL SYLLABLE NI + {0xB2C9, 0xB2E3, prH3, gcLo}, // [27] HANGUL SYLLABLE NIG..HANGUL SYLLABLE NIH + {0xB2E4, 0xB2E4, prH2, gcLo}, // HANGUL SYLLABLE DA + {0xB2E5, 0xB2FF, prH3, gcLo}, // [27] HANGUL SYLLABLE DAG..HANGUL SYLLABLE DAH + {0xB300, 0xB300, prH2, gcLo}, // HANGUL SYLLABLE DAE + {0xB301, 0xB31B, prH3, gcLo}, // [27] HANGUL SYLLABLE DAEG..HANGUL SYLLABLE DAEH + {0xB31C, 0xB31C, prH2, gcLo}, // HANGUL SYLLABLE DYA + {0xB31D, 0xB337, prH3, gcLo}, // [27] HANGUL SYLLABLE DYAG..HANGUL SYLLABLE DYAH + {0xB338, 0xB338, prH2, gcLo}, // HANGUL SYLLABLE DYAE + {0xB339, 0xB353, prH3, gcLo}, // [27] HANGUL SYLLABLE DYAEG..HANGUL SYLLABLE DYAEH + {0xB354, 0xB354, prH2, gcLo}, // HANGUL SYLLABLE DEO + {0xB355, 0xB36F, prH3, gcLo}, // [27] HANGUL SYLLABLE DEOG..HANGUL SYLLABLE DEOH + {0xB370, 0xB370, prH2, gcLo}, // HANGUL SYLLABLE DE + {0xB371, 0xB38B, prH3, gcLo}, // [27] HANGUL SYLLABLE DEG..HANGUL SYLLABLE DEH + {0xB38C, 0xB38C, prH2, gcLo}, // HANGUL SYLLABLE DYEO + {0xB38D, 0xB3A7, prH3, gcLo}, // [27] HANGUL SYLLABLE DYEOG..HANGUL SYLLABLE DYEOH + {0xB3A8, 0xB3A8, prH2, gcLo}, // HANGUL SYLLABLE DYE + {0xB3A9, 0xB3C3, prH3, gcLo}, // [27] HANGUL SYLLABLE DYEG..HANGUL SYLLABLE DYEH + {0xB3C4, 0xB3C4, prH2, gcLo}, // HANGUL SYLLABLE DO + {0xB3C5, 0xB3DF, prH3, gcLo}, // [27] HANGUL SYLLABLE DOG..HANGUL SYLLABLE DOH + {0xB3E0, 0xB3E0, prH2, gcLo}, // HANGUL SYLLABLE DWA + {0xB3E1, 0xB3FB, prH3, gcLo}, // [27] HANGUL SYLLABLE DWAG..HANGUL SYLLABLE DWAH + {0xB3FC, 0xB3FC, prH2, gcLo}, // HANGUL SYLLABLE DWAE + {0xB3FD, 0xB417, prH3, gcLo}, // [27] HANGUL SYLLABLE DWAEG..HANGUL SYLLABLE DWAEH + {0xB418, 0xB418, prH2, gcLo}, // HANGUL SYLLABLE DOE + {0xB419, 0xB433, prH3, gcLo}, // [27] HANGUL SYLLABLE DOEG..HANGUL SYLLABLE DOEH + {0xB434, 0xB434, prH2, gcLo}, // HANGUL SYLLABLE DYO + {0xB435, 0xB44F, prH3, gcLo}, // [27] HANGUL SYLLABLE DYOG..HANGUL SYLLABLE DYOH + {0xB450, 0xB450, prH2, gcLo}, // HANGUL SYLLABLE DU + {0xB451, 0xB46B, prH3, gcLo}, // [27] HANGUL SYLLABLE DUG..HANGUL SYLLABLE DUH + {0xB46C, 0xB46C, prH2, gcLo}, // HANGUL SYLLABLE DWEO + {0xB46D, 0xB487, prH3, gcLo}, // [27] HANGUL SYLLABLE DWEOG..HANGUL SYLLABLE DWEOH + {0xB488, 0xB488, prH2, gcLo}, // HANGUL SYLLABLE DWE + {0xB489, 0xB4A3, prH3, gcLo}, // [27] HANGUL SYLLABLE DWEG..HANGUL SYLLABLE DWEH + {0xB4A4, 0xB4A4, prH2, gcLo}, // HANGUL SYLLABLE DWI + {0xB4A5, 0xB4BF, prH3, gcLo}, // [27] HANGUL SYLLABLE DWIG..HANGUL SYLLABLE DWIH + {0xB4C0, 0xB4C0, prH2, gcLo}, // HANGUL SYLLABLE DYU + {0xB4C1, 0xB4DB, prH3, gcLo}, // [27] HANGUL SYLLABLE DYUG..HANGUL SYLLABLE DYUH + {0xB4DC, 0xB4DC, prH2, gcLo}, // HANGUL SYLLABLE DEU + {0xB4DD, 0xB4F7, prH3, gcLo}, // [27] HANGUL SYLLABLE DEUG..HANGUL SYLLABLE DEUH + {0xB4F8, 0xB4F8, prH2, gcLo}, // HANGUL SYLLABLE DYI + {0xB4F9, 0xB513, prH3, gcLo}, // [27] HANGUL SYLLABLE DYIG..HANGUL SYLLABLE DYIH + {0xB514, 0xB514, prH2, gcLo}, // HANGUL SYLLABLE DI + {0xB515, 0xB52F, prH3, gcLo}, // [27] HANGUL SYLLABLE DIG..HANGUL SYLLABLE DIH + {0xB530, 0xB530, prH2, gcLo}, // HANGUL SYLLABLE DDA + {0xB531, 0xB54B, prH3, gcLo}, // [27] HANGUL SYLLABLE DDAG..HANGUL SYLLABLE DDAH + {0xB54C, 0xB54C, prH2, gcLo}, // HANGUL SYLLABLE DDAE + {0xB54D, 0xB567, prH3, gcLo}, // [27] HANGUL SYLLABLE DDAEG..HANGUL SYLLABLE DDAEH + {0xB568, 0xB568, prH2, gcLo}, // HANGUL SYLLABLE DDYA + {0xB569, 0xB583, prH3, gcLo}, // [27] HANGUL SYLLABLE DDYAG..HANGUL SYLLABLE DDYAH + {0xB584, 0xB584, prH2, gcLo}, // HANGUL SYLLABLE DDYAE + {0xB585, 0xB59F, prH3, gcLo}, // [27] HANGUL SYLLABLE DDYAEG..HANGUL SYLLABLE DDYAEH + {0xB5A0, 0xB5A0, prH2, gcLo}, // HANGUL SYLLABLE DDEO + {0xB5A1, 0xB5BB, prH3, gcLo}, // [27] HANGUL SYLLABLE DDEOG..HANGUL SYLLABLE DDEOH + {0xB5BC, 0xB5BC, prH2, gcLo}, // HANGUL SYLLABLE DDE + {0xB5BD, 0xB5D7, prH3, gcLo}, // [27] HANGUL SYLLABLE DDEG..HANGUL SYLLABLE DDEH + {0xB5D8, 0xB5D8, prH2, gcLo}, // HANGUL SYLLABLE DDYEO + {0xB5D9, 0xB5F3, prH3, gcLo}, // [27] HANGUL SYLLABLE DDYEOG..HANGUL SYLLABLE DDYEOH + {0xB5F4, 0xB5F4, prH2, gcLo}, // HANGUL SYLLABLE DDYE + {0xB5F5, 0xB60F, prH3, gcLo}, // [27] HANGUL SYLLABLE DDYEG..HANGUL SYLLABLE DDYEH + {0xB610, 0xB610, prH2, gcLo}, // HANGUL SYLLABLE DDO + {0xB611, 0xB62B, prH3, gcLo}, // [27] HANGUL SYLLABLE DDOG..HANGUL SYLLABLE DDOH + {0xB62C, 0xB62C, prH2, gcLo}, // HANGUL SYLLABLE DDWA + {0xB62D, 0xB647, prH3, gcLo}, // [27] HANGUL SYLLABLE DDWAG..HANGUL SYLLABLE DDWAH + {0xB648, 0xB648, prH2, gcLo}, // HANGUL SYLLABLE DDWAE + {0xB649, 0xB663, prH3, gcLo}, // [27] HANGUL SYLLABLE DDWAEG..HANGUL SYLLABLE DDWAEH + {0xB664, 0xB664, prH2, gcLo}, // HANGUL SYLLABLE DDOE + {0xB665, 0xB67F, prH3, gcLo}, // [27] HANGUL SYLLABLE DDOEG..HANGUL SYLLABLE DDOEH + {0xB680, 0xB680, prH2, gcLo}, // HANGUL SYLLABLE DDYO + {0xB681, 0xB69B, prH3, gcLo}, // [27] HANGUL SYLLABLE DDYOG..HANGUL SYLLABLE DDYOH + {0xB69C, 0xB69C, prH2, gcLo}, // HANGUL SYLLABLE DDU + {0xB69D, 0xB6B7, prH3, gcLo}, // [27] HANGUL SYLLABLE DDUG..HANGUL SYLLABLE DDUH + {0xB6B8, 0xB6B8, prH2, gcLo}, // HANGUL SYLLABLE DDWEO + {0xB6B9, 0xB6D3, prH3, gcLo}, // [27] HANGUL SYLLABLE DDWEOG..HANGUL SYLLABLE DDWEOH + {0xB6D4, 0xB6D4, prH2, gcLo}, // HANGUL SYLLABLE DDWE + {0xB6D5, 0xB6EF, prH3, gcLo}, // [27] HANGUL SYLLABLE DDWEG..HANGUL SYLLABLE DDWEH + {0xB6F0, 0xB6F0, prH2, gcLo}, // HANGUL SYLLABLE DDWI + {0xB6F1, 0xB70B, prH3, gcLo}, // [27] HANGUL SYLLABLE DDWIG..HANGUL SYLLABLE DDWIH + {0xB70C, 0xB70C, prH2, gcLo}, // HANGUL SYLLABLE DDYU + {0xB70D, 0xB727, prH3, gcLo}, // [27] HANGUL SYLLABLE DDYUG..HANGUL SYLLABLE DDYUH + {0xB728, 0xB728, prH2, gcLo}, // HANGUL SYLLABLE DDEU + {0xB729, 0xB743, prH3, gcLo}, // [27] HANGUL SYLLABLE DDEUG..HANGUL SYLLABLE DDEUH + {0xB744, 0xB744, prH2, gcLo}, // HANGUL SYLLABLE DDYI + {0xB745, 0xB75F, prH3, gcLo}, // [27] HANGUL SYLLABLE DDYIG..HANGUL SYLLABLE DDYIH + {0xB760, 0xB760, prH2, gcLo}, // HANGUL SYLLABLE DDI + {0xB761, 0xB77B, prH3, gcLo}, // [27] HANGUL SYLLABLE DDIG..HANGUL SYLLABLE DDIH + {0xB77C, 0xB77C, prH2, gcLo}, // HANGUL SYLLABLE RA + {0xB77D, 0xB797, prH3, gcLo}, // [27] HANGUL SYLLABLE RAG..HANGUL SYLLABLE RAH + {0xB798, 0xB798, prH2, gcLo}, // HANGUL SYLLABLE RAE + {0xB799, 0xB7B3, prH3, gcLo}, // [27] HANGUL SYLLABLE RAEG..HANGUL SYLLABLE RAEH + {0xB7B4, 0xB7B4, prH2, gcLo}, // HANGUL SYLLABLE RYA + {0xB7B5, 0xB7CF, prH3, gcLo}, // [27] HANGUL SYLLABLE RYAG..HANGUL SYLLABLE RYAH + {0xB7D0, 0xB7D0, prH2, gcLo}, // HANGUL SYLLABLE RYAE + {0xB7D1, 0xB7EB, prH3, gcLo}, // [27] HANGUL SYLLABLE RYAEG..HANGUL SYLLABLE RYAEH + {0xB7EC, 0xB7EC, prH2, gcLo}, // HANGUL SYLLABLE REO + {0xB7ED, 0xB807, prH3, gcLo}, // [27] HANGUL SYLLABLE REOG..HANGUL SYLLABLE REOH + {0xB808, 0xB808, prH2, gcLo}, // HANGUL SYLLABLE RE + {0xB809, 0xB823, prH3, gcLo}, // [27] HANGUL SYLLABLE REG..HANGUL SYLLABLE REH + {0xB824, 0xB824, prH2, gcLo}, // HANGUL SYLLABLE RYEO + {0xB825, 0xB83F, prH3, gcLo}, // [27] HANGUL SYLLABLE RYEOG..HANGUL SYLLABLE RYEOH + {0xB840, 0xB840, prH2, gcLo}, // HANGUL SYLLABLE RYE + {0xB841, 0xB85B, prH3, gcLo}, // [27] HANGUL SYLLABLE RYEG..HANGUL SYLLABLE RYEH + {0xB85C, 0xB85C, prH2, gcLo}, // HANGUL SYLLABLE RO + {0xB85D, 0xB877, prH3, gcLo}, // [27] HANGUL SYLLABLE ROG..HANGUL SYLLABLE ROH + {0xB878, 0xB878, prH2, gcLo}, // HANGUL SYLLABLE RWA + {0xB879, 0xB893, prH3, gcLo}, // [27] HANGUL SYLLABLE RWAG..HANGUL SYLLABLE RWAH + {0xB894, 0xB894, prH2, gcLo}, // HANGUL SYLLABLE RWAE + {0xB895, 0xB8AF, prH3, gcLo}, // [27] HANGUL SYLLABLE RWAEG..HANGUL SYLLABLE RWAEH + {0xB8B0, 0xB8B0, prH2, gcLo}, // HANGUL SYLLABLE ROE + {0xB8B1, 0xB8CB, prH3, gcLo}, // [27] HANGUL SYLLABLE ROEG..HANGUL SYLLABLE ROEH + {0xB8CC, 0xB8CC, prH2, gcLo}, // HANGUL SYLLABLE RYO + {0xB8CD, 0xB8E7, prH3, gcLo}, // [27] HANGUL SYLLABLE RYOG..HANGUL SYLLABLE RYOH + {0xB8E8, 0xB8E8, prH2, gcLo}, // HANGUL SYLLABLE RU + {0xB8E9, 0xB903, prH3, gcLo}, // [27] HANGUL SYLLABLE RUG..HANGUL SYLLABLE RUH + {0xB904, 0xB904, prH2, gcLo}, // HANGUL SYLLABLE RWEO + {0xB905, 0xB91F, prH3, gcLo}, // [27] HANGUL SYLLABLE RWEOG..HANGUL SYLLABLE RWEOH + {0xB920, 0xB920, prH2, gcLo}, // HANGUL SYLLABLE RWE + {0xB921, 0xB93B, prH3, gcLo}, // [27] HANGUL SYLLABLE RWEG..HANGUL SYLLABLE RWEH + {0xB93C, 0xB93C, prH2, gcLo}, // HANGUL SYLLABLE RWI + {0xB93D, 0xB957, prH3, gcLo}, // [27] HANGUL SYLLABLE RWIG..HANGUL SYLLABLE RWIH + {0xB958, 0xB958, prH2, gcLo}, // HANGUL SYLLABLE RYU + {0xB959, 0xB973, prH3, gcLo}, // [27] HANGUL SYLLABLE RYUG..HANGUL SYLLABLE RYUH + {0xB974, 0xB974, prH2, gcLo}, // HANGUL SYLLABLE REU + {0xB975, 0xB98F, prH3, gcLo}, // [27] HANGUL SYLLABLE REUG..HANGUL SYLLABLE REUH + {0xB990, 0xB990, prH2, gcLo}, // HANGUL SYLLABLE RYI + {0xB991, 0xB9AB, prH3, gcLo}, // [27] HANGUL SYLLABLE RYIG..HANGUL SYLLABLE RYIH + {0xB9AC, 0xB9AC, prH2, gcLo}, // HANGUL SYLLABLE RI + {0xB9AD, 0xB9C7, prH3, gcLo}, // [27] HANGUL SYLLABLE RIG..HANGUL SYLLABLE RIH + {0xB9C8, 0xB9C8, prH2, gcLo}, // HANGUL SYLLABLE MA + {0xB9C9, 0xB9E3, prH3, gcLo}, // [27] HANGUL SYLLABLE MAG..HANGUL SYLLABLE MAH + {0xB9E4, 0xB9E4, prH2, gcLo}, // HANGUL SYLLABLE MAE + {0xB9E5, 0xB9FF, prH3, gcLo}, // [27] HANGUL SYLLABLE MAEG..HANGUL SYLLABLE MAEH + {0xBA00, 0xBA00, prH2, gcLo}, // HANGUL SYLLABLE MYA + {0xBA01, 0xBA1B, prH3, gcLo}, // [27] HANGUL SYLLABLE MYAG..HANGUL SYLLABLE MYAH + {0xBA1C, 0xBA1C, prH2, gcLo}, // HANGUL SYLLABLE MYAE + {0xBA1D, 0xBA37, prH3, gcLo}, // [27] HANGUL SYLLABLE MYAEG..HANGUL SYLLABLE MYAEH + {0xBA38, 0xBA38, prH2, gcLo}, // HANGUL SYLLABLE MEO + {0xBA39, 0xBA53, prH3, gcLo}, // [27] HANGUL SYLLABLE MEOG..HANGUL SYLLABLE MEOH + {0xBA54, 0xBA54, prH2, gcLo}, // HANGUL SYLLABLE ME + {0xBA55, 0xBA6F, prH3, gcLo}, // [27] HANGUL SYLLABLE MEG..HANGUL SYLLABLE MEH + {0xBA70, 0xBA70, prH2, gcLo}, // HANGUL SYLLABLE MYEO + {0xBA71, 0xBA8B, prH3, gcLo}, // [27] HANGUL SYLLABLE MYEOG..HANGUL SYLLABLE MYEOH + {0xBA8C, 0xBA8C, prH2, gcLo}, // HANGUL SYLLABLE MYE + {0xBA8D, 0xBAA7, prH3, gcLo}, // [27] HANGUL SYLLABLE MYEG..HANGUL SYLLABLE MYEH + {0xBAA8, 0xBAA8, prH2, gcLo}, // HANGUL SYLLABLE MO + {0xBAA9, 0xBAC3, prH3, gcLo}, // [27] HANGUL SYLLABLE MOG..HANGUL SYLLABLE MOH + {0xBAC4, 0xBAC4, prH2, gcLo}, // HANGUL SYLLABLE MWA + {0xBAC5, 0xBADF, prH3, gcLo}, // [27] HANGUL SYLLABLE MWAG..HANGUL SYLLABLE MWAH + {0xBAE0, 0xBAE0, prH2, gcLo}, // HANGUL SYLLABLE MWAE + {0xBAE1, 0xBAFB, prH3, gcLo}, // [27] HANGUL SYLLABLE MWAEG..HANGUL SYLLABLE MWAEH + {0xBAFC, 0xBAFC, prH2, gcLo}, // HANGUL SYLLABLE MOE + {0xBAFD, 0xBB17, prH3, gcLo}, // [27] HANGUL SYLLABLE MOEG..HANGUL SYLLABLE MOEH + {0xBB18, 0xBB18, prH2, gcLo}, // HANGUL SYLLABLE MYO + {0xBB19, 0xBB33, prH3, gcLo}, // [27] HANGUL SYLLABLE MYOG..HANGUL SYLLABLE MYOH + {0xBB34, 0xBB34, prH2, gcLo}, // HANGUL SYLLABLE MU + {0xBB35, 0xBB4F, prH3, gcLo}, // [27] HANGUL SYLLABLE MUG..HANGUL SYLLABLE MUH + {0xBB50, 0xBB50, prH2, gcLo}, // HANGUL SYLLABLE MWEO + {0xBB51, 0xBB6B, prH3, gcLo}, // [27] HANGUL SYLLABLE MWEOG..HANGUL SYLLABLE MWEOH + {0xBB6C, 0xBB6C, prH2, gcLo}, // HANGUL SYLLABLE MWE + {0xBB6D, 0xBB87, prH3, gcLo}, // [27] HANGUL SYLLABLE MWEG..HANGUL SYLLABLE MWEH + {0xBB88, 0xBB88, prH2, gcLo}, // HANGUL SYLLABLE MWI + {0xBB89, 0xBBA3, prH3, gcLo}, // [27] HANGUL SYLLABLE MWIG..HANGUL SYLLABLE MWIH + {0xBBA4, 0xBBA4, prH2, gcLo}, // HANGUL SYLLABLE MYU + {0xBBA5, 0xBBBF, prH3, gcLo}, // [27] HANGUL SYLLABLE MYUG..HANGUL SYLLABLE MYUH + {0xBBC0, 0xBBC0, prH2, gcLo}, // HANGUL SYLLABLE MEU + {0xBBC1, 0xBBDB, prH3, gcLo}, // [27] HANGUL SYLLABLE MEUG..HANGUL SYLLABLE MEUH + {0xBBDC, 0xBBDC, prH2, gcLo}, // HANGUL SYLLABLE MYI + {0xBBDD, 0xBBF7, prH3, gcLo}, // [27] HANGUL SYLLABLE MYIG..HANGUL SYLLABLE MYIH + {0xBBF8, 0xBBF8, prH2, gcLo}, // HANGUL SYLLABLE MI + {0xBBF9, 0xBC13, prH3, gcLo}, // [27] HANGUL SYLLABLE MIG..HANGUL SYLLABLE MIH + {0xBC14, 0xBC14, prH2, gcLo}, // HANGUL SYLLABLE BA + {0xBC15, 0xBC2F, prH3, gcLo}, // [27] HANGUL SYLLABLE BAG..HANGUL SYLLABLE BAH + {0xBC30, 0xBC30, prH2, gcLo}, // HANGUL SYLLABLE BAE + {0xBC31, 0xBC4B, prH3, gcLo}, // [27] HANGUL SYLLABLE BAEG..HANGUL SYLLABLE BAEH + {0xBC4C, 0xBC4C, prH2, gcLo}, // HANGUL SYLLABLE BYA + {0xBC4D, 0xBC67, prH3, gcLo}, // [27] HANGUL SYLLABLE BYAG..HANGUL SYLLABLE BYAH + {0xBC68, 0xBC68, prH2, gcLo}, // HANGUL SYLLABLE BYAE + {0xBC69, 0xBC83, prH3, gcLo}, // [27] HANGUL SYLLABLE BYAEG..HANGUL SYLLABLE BYAEH + {0xBC84, 0xBC84, prH2, gcLo}, // HANGUL SYLLABLE BEO + {0xBC85, 0xBC9F, prH3, gcLo}, // [27] HANGUL SYLLABLE BEOG..HANGUL SYLLABLE BEOH + {0xBCA0, 0xBCA0, prH2, gcLo}, // HANGUL SYLLABLE BE + {0xBCA1, 0xBCBB, prH3, gcLo}, // [27] HANGUL SYLLABLE BEG..HANGUL SYLLABLE BEH + {0xBCBC, 0xBCBC, prH2, gcLo}, // HANGUL SYLLABLE BYEO + {0xBCBD, 0xBCD7, prH3, gcLo}, // [27] HANGUL SYLLABLE BYEOG..HANGUL SYLLABLE BYEOH + {0xBCD8, 0xBCD8, prH2, gcLo}, // HANGUL SYLLABLE BYE + {0xBCD9, 0xBCF3, prH3, gcLo}, // [27] HANGUL SYLLABLE BYEG..HANGUL SYLLABLE BYEH + {0xBCF4, 0xBCF4, prH2, gcLo}, // HANGUL SYLLABLE BO + {0xBCF5, 0xBD0F, prH3, gcLo}, // [27] HANGUL SYLLABLE BOG..HANGUL SYLLABLE BOH + {0xBD10, 0xBD10, prH2, gcLo}, // HANGUL SYLLABLE BWA + {0xBD11, 0xBD2B, prH3, gcLo}, // [27] HANGUL SYLLABLE BWAG..HANGUL SYLLABLE BWAH + {0xBD2C, 0xBD2C, prH2, gcLo}, // HANGUL SYLLABLE BWAE + {0xBD2D, 0xBD47, prH3, gcLo}, // [27] HANGUL SYLLABLE BWAEG..HANGUL SYLLABLE BWAEH + {0xBD48, 0xBD48, prH2, gcLo}, // HANGUL SYLLABLE BOE + {0xBD49, 0xBD63, prH3, gcLo}, // [27] HANGUL SYLLABLE BOEG..HANGUL SYLLABLE BOEH + {0xBD64, 0xBD64, prH2, gcLo}, // HANGUL SYLLABLE BYO + {0xBD65, 0xBD7F, prH3, gcLo}, // [27] HANGUL SYLLABLE BYOG..HANGUL SYLLABLE BYOH + {0xBD80, 0xBD80, prH2, gcLo}, // HANGUL SYLLABLE BU + {0xBD81, 0xBD9B, prH3, gcLo}, // [27] HANGUL SYLLABLE BUG..HANGUL SYLLABLE BUH + {0xBD9C, 0xBD9C, prH2, gcLo}, // HANGUL SYLLABLE BWEO + {0xBD9D, 0xBDB7, prH3, gcLo}, // [27] HANGUL SYLLABLE BWEOG..HANGUL SYLLABLE BWEOH + {0xBDB8, 0xBDB8, prH2, gcLo}, // HANGUL SYLLABLE BWE + {0xBDB9, 0xBDD3, prH3, gcLo}, // [27] HANGUL SYLLABLE BWEG..HANGUL SYLLABLE BWEH + {0xBDD4, 0xBDD4, prH2, gcLo}, // HANGUL SYLLABLE BWI + {0xBDD5, 0xBDEF, prH3, gcLo}, // [27] HANGUL SYLLABLE BWIG..HANGUL SYLLABLE BWIH + {0xBDF0, 0xBDF0, prH2, gcLo}, // HANGUL SYLLABLE BYU + {0xBDF1, 0xBE0B, prH3, gcLo}, // [27] HANGUL SYLLABLE BYUG..HANGUL SYLLABLE BYUH + {0xBE0C, 0xBE0C, prH2, gcLo}, // HANGUL SYLLABLE BEU + {0xBE0D, 0xBE27, prH3, gcLo}, // [27] HANGUL SYLLABLE BEUG..HANGUL SYLLABLE BEUH + {0xBE28, 0xBE28, prH2, gcLo}, // HANGUL SYLLABLE BYI + {0xBE29, 0xBE43, prH3, gcLo}, // [27] HANGUL SYLLABLE BYIG..HANGUL SYLLABLE BYIH + {0xBE44, 0xBE44, prH2, gcLo}, // HANGUL SYLLABLE BI + {0xBE45, 0xBE5F, prH3, gcLo}, // [27] HANGUL SYLLABLE BIG..HANGUL SYLLABLE BIH + {0xBE60, 0xBE60, prH2, gcLo}, // HANGUL SYLLABLE BBA + {0xBE61, 0xBE7B, prH3, gcLo}, // [27] HANGUL SYLLABLE BBAG..HANGUL SYLLABLE BBAH + {0xBE7C, 0xBE7C, prH2, gcLo}, // HANGUL SYLLABLE BBAE + {0xBE7D, 0xBE97, prH3, gcLo}, // [27] HANGUL SYLLABLE BBAEG..HANGUL SYLLABLE BBAEH + {0xBE98, 0xBE98, prH2, gcLo}, // HANGUL SYLLABLE BBYA + {0xBE99, 0xBEB3, prH3, gcLo}, // [27] HANGUL SYLLABLE BBYAG..HANGUL SYLLABLE BBYAH + {0xBEB4, 0xBEB4, prH2, gcLo}, // HANGUL SYLLABLE BBYAE + {0xBEB5, 0xBECF, prH3, gcLo}, // [27] HANGUL SYLLABLE BBYAEG..HANGUL SYLLABLE BBYAEH + {0xBED0, 0xBED0, prH2, gcLo}, // HANGUL SYLLABLE BBEO + {0xBED1, 0xBEEB, prH3, gcLo}, // [27] HANGUL SYLLABLE BBEOG..HANGUL SYLLABLE BBEOH + {0xBEEC, 0xBEEC, prH2, gcLo}, // HANGUL SYLLABLE BBE + {0xBEED, 0xBF07, prH3, gcLo}, // [27] HANGUL SYLLABLE BBEG..HANGUL SYLLABLE BBEH + {0xBF08, 0xBF08, prH2, gcLo}, // HANGUL SYLLABLE BBYEO + {0xBF09, 0xBF23, prH3, gcLo}, // [27] HANGUL SYLLABLE BBYEOG..HANGUL SYLLABLE BBYEOH + {0xBF24, 0xBF24, prH2, gcLo}, // HANGUL SYLLABLE BBYE + {0xBF25, 0xBF3F, prH3, gcLo}, // [27] HANGUL SYLLABLE BBYEG..HANGUL SYLLABLE BBYEH + {0xBF40, 0xBF40, prH2, gcLo}, // HANGUL SYLLABLE BBO + {0xBF41, 0xBF5B, prH3, gcLo}, // [27] HANGUL SYLLABLE BBOG..HANGUL SYLLABLE BBOH + {0xBF5C, 0xBF5C, prH2, gcLo}, // HANGUL SYLLABLE BBWA + {0xBF5D, 0xBF77, prH3, gcLo}, // [27] HANGUL SYLLABLE BBWAG..HANGUL SYLLABLE BBWAH + {0xBF78, 0xBF78, prH2, gcLo}, // HANGUL SYLLABLE BBWAE + {0xBF79, 0xBF93, prH3, gcLo}, // [27] HANGUL SYLLABLE BBWAEG..HANGUL SYLLABLE BBWAEH + {0xBF94, 0xBF94, prH2, gcLo}, // HANGUL SYLLABLE BBOE + {0xBF95, 0xBFAF, prH3, gcLo}, // [27] HANGUL SYLLABLE BBOEG..HANGUL SYLLABLE BBOEH + {0xBFB0, 0xBFB0, prH2, gcLo}, // HANGUL SYLLABLE BBYO + {0xBFB1, 0xBFCB, prH3, gcLo}, // [27] HANGUL SYLLABLE BBYOG..HANGUL SYLLABLE BBYOH + {0xBFCC, 0xBFCC, prH2, gcLo}, // HANGUL SYLLABLE BBU + {0xBFCD, 0xBFE7, prH3, gcLo}, // [27] HANGUL SYLLABLE BBUG..HANGUL SYLLABLE BBUH + {0xBFE8, 0xBFE8, prH2, gcLo}, // HANGUL SYLLABLE BBWEO + {0xBFE9, 0xC003, prH3, gcLo}, // [27] HANGUL SYLLABLE BBWEOG..HANGUL SYLLABLE BBWEOH + {0xC004, 0xC004, prH2, gcLo}, // HANGUL SYLLABLE BBWE + {0xC005, 0xC01F, prH3, gcLo}, // [27] HANGUL SYLLABLE BBWEG..HANGUL SYLLABLE BBWEH + {0xC020, 0xC020, prH2, gcLo}, // HANGUL SYLLABLE BBWI + {0xC021, 0xC03B, prH3, gcLo}, // [27] HANGUL SYLLABLE BBWIG..HANGUL SYLLABLE BBWIH + {0xC03C, 0xC03C, prH2, gcLo}, // HANGUL SYLLABLE BBYU + {0xC03D, 0xC057, prH3, gcLo}, // [27] HANGUL SYLLABLE BBYUG..HANGUL SYLLABLE BBYUH + {0xC058, 0xC058, prH2, gcLo}, // HANGUL SYLLABLE BBEU + {0xC059, 0xC073, prH3, gcLo}, // [27] HANGUL SYLLABLE BBEUG..HANGUL SYLLABLE BBEUH + {0xC074, 0xC074, prH2, gcLo}, // HANGUL SYLLABLE BBYI + {0xC075, 0xC08F, prH3, gcLo}, // [27] HANGUL SYLLABLE BBYIG..HANGUL SYLLABLE BBYIH + {0xC090, 0xC090, prH2, gcLo}, // HANGUL SYLLABLE BBI + {0xC091, 0xC0AB, prH3, gcLo}, // [27] HANGUL SYLLABLE BBIG..HANGUL SYLLABLE BBIH + {0xC0AC, 0xC0AC, prH2, gcLo}, // HANGUL SYLLABLE SA + {0xC0AD, 0xC0C7, prH3, gcLo}, // [27] HANGUL SYLLABLE SAG..HANGUL SYLLABLE SAH + {0xC0C8, 0xC0C8, prH2, gcLo}, // HANGUL SYLLABLE SAE + {0xC0C9, 0xC0E3, prH3, gcLo}, // [27] HANGUL SYLLABLE SAEG..HANGUL SYLLABLE SAEH + {0xC0E4, 0xC0E4, prH2, gcLo}, // HANGUL SYLLABLE SYA + {0xC0E5, 0xC0FF, prH3, gcLo}, // [27] HANGUL SYLLABLE SYAG..HANGUL SYLLABLE SYAH + {0xC100, 0xC100, prH2, gcLo}, // HANGUL SYLLABLE SYAE + {0xC101, 0xC11B, prH3, gcLo}, // [27] HANGUL SYLLABLE SYAEG..HANGUL SYLLABLE SYAEH + {0xC11C, 0xC11C, prH2, gcLo}, // HANGUL SYLLABLE SEO + {0xC11D, 0xC137, prH3, gcLo}, // [27] HANGUL SYLLABLE SEOG..HANGUL SYLLABLE SEOH + {0xC138, 0xC138, prH2, gcLo}, // HANGUL SYLLABLE SE + {0xC139, 0xC153, prH3, gcLo}, // [27] HANGUL SYLLABLE SEG..HANGUL SYLLABLE SEH + {0xC154, 0xC154, prH2, gcLo}, // HANGUL SYLLABLE SYEO + {0xC155, 0xC16F, prH3, gcLo}, // [27] HANGUL SYLLABLE SYEOG..HANGUL SYLLABLE SYEOH + {0xC170, 0xC170, prH2, gcLo}, // HANGUL SYLLABLE SYE + {0xC171, 0xC18B, prH3, gcLo}, // [27] HANGUL SYLLABLE SYEG..HANGUL SYLLABLE SYEH + {0xC18C, 0xC18C, prH2, gcLo}, // HANGUL SYLLABLE SO + {0xC18D, 0xC1A7, prH3, gcLo}, // [27] HANGUL SYLLABLE SOG..HANGUL SYLLABLE SOH + {0xC1A8, 0xC1A8, prH2, gcLo}, // HANGUL SYLLABLE SWA + {0xC1A9, 0xC1C3, prH3, gcLo}, // [27] HANGUL SYLLABLE SWAG..HANGUL SYLLABLE SWAH + {0xC1C4, 0xC1C4, prH2, gcLo}, // HANGUL SYLLABLE SWAE + {0xC1C5, 0xC1DF, prH3, gcLo}, // [27] HANGUL SYLLABLE SWAEG..HANGUL SYLLABLE SWAEH + {0xC1E0, 0xC1E0, prH2, gcLo}, // HANGUL SYLLABLE SOE + {0xC1E1, 0xC1FB, prH3, gcLo}, // [27] HANGUL SYLLABLE SOEG..HANGUL SYLLABLE SOEH + {0xC1FC, 0xC1FC, prH2, gcLo}, // HANGUL SYLLABLE SYO + {0xC1FD, 0xC217, prH3, gcLo}, // [27] HANGUL SYLLABLE SYOG..HANGUL SYLLABLE SYOH + {0xC218, 0xC218, prH2, gcLo}, // HANGUL SYLLABLE SU + {0xC219, 0xC233, prH3, gcLo}, // [27] HANGUL SYLLABLE SUG..HANGUL SYLLABLE SUH + {0xC234, 0xC234, prH2, gcLo}, // HANGUL SYLLABLE SWEO + {0xC235, 0xC24F, prH3, gcLo}, // [27] HANGUL SYLLABLE SWEOG..HANGUL SYLLABLE SWEOH + {0xC250, 0xC250, prH2, gcLo}, // HANGUL SYLLABLE SWE + {0xC251, 0xC26B, prH3, gcLo}, // [27] HANGUL SYLLABLE SWEG..HANGUL SYLLABLE SWEH + {0xC26C, 0xC26C, prH2, gcLo}, // HANGUL SYLLABLE SWI + {0xC26D, 0xC287, prH3, gcLo}, // [27] HANGUL SYLLABLE SWIG..HANGUL SYLLABLE SWIH + {0xC288, 0xC288, prH2, gcLo}, // HANGUL SYLLABLE SYU + {0xC289, 0xC2A3, prH3, gcLo}, // [27] HANGUL SYLLABLE SYUG..HANGUL SYLLABLE SYUH + {0xC2A4, 0xC2A4, prH2, gcLo}, // HANGUL SYLLABLE SEU + {0xC2A5, 0xC2BF, prH3, gcLo}, // [27] HANGUL SYLLABLE SEUG..HANGUL SYLLABLE SEUH + {0xC2C0, 0xC2C0, prH2, gcLo}, // HANGUL SYLLABLE SYI + {0xC2C1, 0xC2DB, prH3, gcLo}, // [27] HANGUL SYLLABLE SYIG..HANGUL SYLLABLE SYIH + {0xC2DC, 0xC2DC, prH2, gcLo}, // HANGUL SYLLABLE SI + {0xC2DD, 0xC2F7, prH3, gcLo}, // [27] HANGUL SYLLABLE SIG..HANGUL SYLLABLE SIH + {0xC2F8, 0xC2F8, prH2, gcLo}, // HANGUL SYLLABLE SSA + {0xC2F9, 0xC313, prH3, gcLo}, // [27] HANGUL SYLLABLE SSAG..HANGUL SYLLABLE SSAH + {0xC314, 0xC314, prH2, gcLo}, // HANGUL SYLLABLE SSAE + {0xC315, 0xC32F, prH3, gcLo}, // [27] HANGUL SYLLABLE SSAEG..HANGUL SYLLABLE SSAEH + {0xC330, 0xC330, prH2, gcLo}, // HANGUL SYLLABLE SSYA + {0xC331, 0xC34B, prH3, gcLo}, // [27] HANGUL SYLLABLE SSYAG..HANGUL SYLLABLE SSYAH + {0xC34C, 0xC34C, prH2, gcLo}, // HANGUL SYLLABLE SSYAE + {0xC34D, 0xC367, prH3, gcLo}, // [27] HANGUL SYLLABLE SSYAEG..HANGUL SYLLABLE SSYAEH + {0xC368, 0xC368, prH2, gcLo}, // HANGUL SYLLABLE SSEO + {0xC369, 0xC383, prH3, gcLo}, // [27] HANGUL SYLLABLE SSEOG..HANGUL SYLLABLE SSEOH + {0xC384, 0xC384, prH2, gcLo}, // HANGUL SYLLABLE SSE + {0xC385, 0xC39F, prH3, gcLo}, // [27] HANGUL SYLLABLE SSEG..HANGUL SYLLABLE SSEH + {0xC3A0, 0xC3A0, prH2, gcLo}, // HANGUL SYLLABLE SSYEO + {0xC3A1, 0xC3BB, prH3, gcLo}, // [27] HANGUL SYLLABLE SSYEOG..HANGUL SYLLABLE SSYEOH + {0xC3BC, 0xC3BC, prH2, gcLo}, // HANGUL SYLLABLE SSYE + {0xC3BD, 0xC3D7, prH3, gcLo}, // [27] HANGUL SYLLABLE SSYEG..HANGUL SYLLABLE SSYEH + {0xC3D8, 0xC3D8, prH2, gcLo}, // HANGUL SYLLABLE SSO + {0xC3D9, 0xC3F3, prH3, gcLo}, // [27] HANGUL SYLLABLE SSOG..HANGUL SYLLABLE SSOH + {0xC3F4, 0xC3F4, prH2, gcLo}, // HANGUL SYLLABLE SSWA + {0xC3F5, 0xC40F, prH3, gcLo}, // [27] HANGUL SYLLABLE SSWAG..HANGUL SYLLABLE SSWAH + {0xC410, 0xC410, prH2, gcLo}, // HANGUL SYLLABLE SSWAE + {0xC411, 0xC42B, prH3, gcLo}, // [27] HANGUL SYLLABLE SSWAEG..HANGUL SYLLABLE SSWAEH + {0xC42C, 0xC42C, prH2, gcLo}, // HANGUL SYLLABLE SSOE + {0xC42D, 0xC447, prH3, gcLo}, // [27] HANGUL SYLLABLE SSOEG..HANGUL SYLLABLE SSOEH + {0xC448, 0xC448, prH2, gcLo}, // HANGUL SYLLABLE SSYO + {0xC449, 0xC463, prH3, gcLo}, // [27] HANGUL SYLLABLE SSYOG..HANGUL SYLLABLE SSYOH + {0xC464, 0xC464, prH2, gcLo}, // HANGUL SYLLABLE SSU + {0xC465, 0xC47F, prH3, gcLo}, // [27] HANGUL SYLLABLE SSUG..HANGUL SYLLABLE SSUH + {0xC480, 0xC480, prH2, gcLo}, // HANGUL SYLLABLE SSWEO + {0xC481, 0xC49B, prH3, gcLo}, // [27] HANGUL SYLLABLE SSWEOG..HANGUL SYLLABLE SSWEOH + {0xC49C, 0xC49C, prH2, gcLo}, // HANGUL SYLLABLE SSWE + {0xC49D, 0xC4B7, prH3, gcLo}, // [27] HANGUL SYLLABLE SSWEG..HANGUL SYLLABLE SSWEH + {0xC4B8, 0xC4B8, prH2, gcLo}, // HANGUL SYLLABLE SSWI + {0xC4B9, 0xC4D3, prH3, gcLo}, // [27] HANGUL SYLLABLE SSWIG..HANGUL SYLLABLE SSWIH + {0xC4D4, 0xC4D4, prH2, gcLo}, // HANGUL SYLLABLE SSYU + {0xC4D5, 0xC4EF, prH3, gcLo}, // [27] HANGUL SYLLABLE SSYUG..HANGUL SYLLABLE SSYUH + {0xC4F0, 0xC4F0, prH2, gcLo}, // HANGUL SYLLABLE SSEU + {0xC4F1, 0xC50B, prH3, gcLo}, // [27] HANGUL SYLLABLE SSEUG..HANGUL SYLLABLE SSEUH + {0xC50C, 0xC50C, prH2, gcLo}, // HANGUL SYLLABLE SSYI + {0xC50D, 0xC527, prH3, gcLo}, // [27] HANGUL SYLLABLE SSYIG..HANGUL SYLLABLE SSYIH + {0xC528, 0xC528, prH2, gcLo}, // HANGUL SYLLABLE SSI + {0xC529, 0xC543, prH3, gcLo}, // [27] HANGUL SYLLABLE SSIG..HANGUL SYLLABLE SSIH + {0xC544, 0xC544, prH2, gcLo}, // HANGUL SYLLABLE A + {0xC545, 0xC55F, prH3, gcLo}, // [27] HANGUL SYLLABLE AG..HANGUL SYLLABLE AH + {0xC560, 0xC560, prH2, gcLo}, // HANGUL SYLLABLE AE + {0xC561, 0xC57B, prH3, gcLo}, // [27] HANGUL SYLLABLE AEG..HANGUL SYLLABLE AEH + {0xC57C, 0xC57C, prH2, gcLo}, // HANGUL SYLLABLE YA + {0xC57D, 0xC597, prH3, gcLo}, // [27] HANGUL SYLLABLE YAG..HANGUL SYLLABLE YAH + {0xC598, 0xC598, prH2, gcLo}, // HANGUL SYLLABLE YAE + {0xC599, 0xC5B3, prH3, gcLo}, // [27] HANGUL SYLLABLE YAEG..HANGUL SYLLABLE YAEH + {0xC5B4, 0xC5B4, prH2, gcLo}, // HANGUL SYLLABLE EO + {0xC5B5, 0xC5CF, prH3, gcLo}, // [27] HANGUL SYLLABLE EOG..HANGUL SYLLABLE EOH + {0xC5D0, 0xC5D0, prH2, gcLo}, // HANGUL SYLLABLE E + {0xC5D1, 0xC5EB, prH3, gcLo}, // [27] HANGUL SYLLABLE EG..HANGUL SYLLABLE EH + {0xC5EC, 0xC5EC, prH2, gcLo}, // HANGUL SYLLABLE YEO + {0xC5ED, 0xC607, prH3, gcLo}, // [27] HANGUL SYLLABLE YEOG..HANGUL SYLLABLE YEOH + {0xC608, 0xC608, prH2, gcLo}, // HANGUL SYLLABLE YE + {0xC609, 0xC623, prH3, gcLo}, // [27] HANGUL SYLLABLE YEG..HANGUL SYLLABLE YEH + {0xC624, 0xC624, prH2, gcLo}, // HANGUL SYLLABLE O + {0xC625, 0xC63F, prH3, gcLo}, // [27] HANGUL SYLLABLE OG..HANGUL SYLLABLE OH + {0xC640, 0xC640, prH2, gcLo}, // HANGUL SYLLABLE WA + {0xC641, 0xC65B, prH3, gcLo}, // [27] HANGUL SYLLABLE WAG..HANGUL SYLLABLE WAH + {0xC65C, 0xC65C, prH2, gcLo}, // HANGUL SYLLABLE WAE + {0xC65D, 0xC677, prH3, gcLo}, // [27] HANGUL SYLLABLE WAEG..HANGUL SYLLABLE WAEH + {0xC678, 0xC678, prH2, gcLo}, // HANGUL SYLLABLE OE + {0xC679, 0xC693, prH3, gcLo}, // [27] HANGUL SYLLABLE OEG..HANGUL SYLLABLE OEH + {0xC694, 0xC694, prH2, gcLo}, // HANGUL SYLLABLE YO + {0xC695, 0xC6AF, prH3, gcLo}, // [27] HANGUL SYLLABLE YOG..HANGUL SYLLABLE YOH + {0xC6B0, 0xC6B0, prH2, gcLo}, // HANGUL SYLLABLE U + {0xC6B1, 0xC6CB, prH3, gcLo}, // [27] HANGUL SYLLABLE UG..HANGUL SYLLABLE UH + {0xC6CC, 0xC6CC, prH2, gcLo}, // HANGUL SYLLABLE WEO + {0xC6CD, 0xC6E7, prH3, gcLo}, // [27] HANGUL SYLLABLE WEOG..HANGUL SYLLABLE WEOH + {0xC6E8, 0xC6E8, prH2, gcLo}, // HANGUL SYLLABLE WE + {0xC6E9, 0xC703, prH3, gcLo}, // [27] HANGUL SYLLABLE WEG..HANGUL SYLLABLE WEH + {0xC704, 0xC704, prH2, gcLo}, // HANGUL SYLLABLE WI + {0xC705, 0xC71F, prH3, gcLo}, // [27] HANGUL SYLLABLE WIG..HANGUL SYLLABLE WIH + {0xC720, 0xC720, prH2, gcLo}, // HANGUL SYLLABLE YU + {0xC721, 0xC73B, prH3, gcLo}, // [27] HANGUL SYLLABLE YUG..HANGUL SYLLABLE YUH + {0xC73C, 0xC73C, prH2, gcLo}, // HANGUL SYLLABLE EU + {0xC73D, 0xC757, prH3, gcLo}, // [27] HANGUL SYLLABLE EUG..HANGUL SYLLABLE EUH + {0xC758, 0xC758, prH2, gcLo}, // HANGUL SYLLABLE YI + {0xC759, 0xC773, prH3, gcLo}, // [27] HANGUL SYLLABLE YIG..HANGUL SYLLABLE YIH + {0xC774, 0xC774, prH2, gcLo}, // HANGUL SYLLABLE I + {0xC775, 0xC78F, prH3, gcLo}, // [27] HANGUL SYLLABLE IG..HANGUL SYLLABLE IH + {0xC790, 0xC790, prH2, gcLo}, // HANGUL SYLLABLE JA + {0xC791, 0xC7AB, prH3, gcLo}, // [27] HANGUL SYLLABLE JAG..HANGUL SYLLABLE JAH + {0xC7AC, 0xC7AC, prH2, gcLo}, // HANGUL SYLLABLE JAE + {0xC7AD, 0xC7C7, prH3, gcLo}, // [27] HANGUL SYLLABLE JAEG..HANGUL SYLLABLE JAEH + {0xC7C8, 0xC7C8, prH2, gcLo}, // HANGUL SYLLABLE JYA + {0xC7C9, 0xC7E3, prH3, gcLo}, // [27] HANGUL SYLLABLE JYAG..HANGUL SYLLABLE JYAH + {0xC7E4, 0xC7E4, prH2, gcLo}, // HANGUL SYLLABLE JYAE + {0xC7E5, 0xC7FF, prH3, gcLo}, // [27] HANGUL SYLLABLE JYAEG..HANGUL SYLLABLE JYAEH + {0xC800, 0xC800, prH2, gcLo}, // HANGUL SYLLABLE JEO + {0xC801, 0xC81B, prH3, gcLo}, // [27] HANGUL SYLLABLE JEOG..HANGUL SYLLABLE JEOH + {0xC81C, 0xC81C, prH2, gcLo}, // HANGUL SYLLABLE JE + {0xC81D, 0xC837, prH3, gcLo}, // [27] HANGUL SYLLABLE JEG..HANGUL SYLLABLE JEH + {0xC838, 0xC838, prH2, gcLo}, // HANGUL SYLLABLE JYEO + {0xC839, 0xC853, prH3, gcLo}, // [27] HANGUL SYLLABLE JYEOG..HANGUL SYLLABLE JYEOH + {0xC854, 0xC854, prH2, gcLo}, // HANGUL SYLLABLE JYE + {0xC855, 0xC86F, prH3, gcLo}, // [27] HANGUL SYLLABLE JYEG..HANGUL SYLLABLE JYEH + {0xC870, 0xC870, prH2, gcLo}, // HANGUL SYLLABLE JO + {0xC871, 0xC88B, prH3, gcLo}, // [27] HANGUL SYLLABLE JOG..HANGUL SYLLABLE JOH + {0xC88C, 0xC88C, prH2, gcLo}, // HANGUL SYLLABLE JWA + {0xC88D, 0xC8A7, prH3, gcLo}, // [27] HANGUL SYLLABLE JWAG..HANGUL SYLLABLE JWAH + {0xC8A8, 0xC8A8, prH2, gcLo}, // HANGUL SYLLABLE JWAE + {0xC8A9, 0xC8C3, prH3, gcLo}, // [27] HANGUL SYLLABLE JWAEG..HANGUL SYLLABLE JWAEH + {0xC8C4, 0xC8C4, prH2, gcLo}, // HANGUL SYLLABLE JOE + {0xC8C5, 0xC8DF, prH3, gcLo}, // [27] HANGUL SYLLABLE JOEG..HANGUL SYLLABLE JOEH + {0xC8E0, 0xC8E0, prH2, gcLo}, // HANGUL SYLLABLE JYO + {0xC8E1, 0xC8FB, prH3, gcLo}, // [27] HANGUL SYLLABLE JYOG..HANGUL SYLLABLE JYOH + {0xC8FC, 0xC8FC, prH2, gcLo}, // HANGUL SYLLABLE JU + {0xC8FD, 0xC917, prH3, gcLo}, // [27] HANGUL SYLLABLE JUG..HANGUL SYLLABLE JUH + {0xC918, 0xC918, prH2, gcLo}, // HANGUL SYLLABLE JWEO + {0xC919, 0xC933, prH3, gcLo}, // [27] HANGUL SYLLABLE JWEOG..HANGUL SYLLABLE JWEOH + {0xC934, 0xC934, prH2, gcLo}, // HANGUL SYLLABLE JWE + {0xC935, 0xC94F, prH3, gcLo}, // [27] HANGUL SYLLABLE JWEG..HANGUL SYLLABLE JWEH + {0xC950, 0xC950, prH2, gcLo}, // HANGUL SYLLABLE JWI + {0xC951, 0xC96B, prH3, gcLo}, // [27] HANGUL SYLLABLE JWIG..HANGUL SYLLABLE JWIH + {0xC96C, 0xC96C, prH2, gcLo}, // HANGUL SYLLABLE JYU + {0xC96D, 0xC987, prH3, gcLo}, // [27] HANGUL SYLLABLE JYUG..HANGUL SYLLABLE JYUH + {0xC988, 0xC988, prH2, gcLo}, // HANGUL SYLLABLE JEU + {0xC989, 0xC9A3, prH3, gcLo}, // [27] HANGUL SYLLABLE JEUG..HANGUL SYLLABLE JEUH + {0xC9A4, 0xC9A4, prH2, gcLo}, // HANGUL SYLLABLE JYI + {0xC9A5, 0xC9BF, prH3, gcLo}, // [27] HANGUL SYLLABLE JYIG..HANGUL SYLLABLE JYIH + {0xC9C0, 0xC9C0, prH2, gcLo}, // HANGUL SYLLABLE JI + {0xC9C1, 0xC9DB, prH3, gcLo}, // [27] HANGUL SYLLABLE JIG..HANGUL SYLLABLE JIH + {0xC9DC, 0xC9DC, prH2, gcLo}, // HANGUL SYLLABLE JJA + {0xC9DD, 0xC9F7, prH3, gcLo}, // [27] HANGUL SYLLABLE JJAG..HANGUL SYLLABLE JJAH + {0xC9F8, 0xC9F8, prH2, gcLo}, // HANGUL SYLLABLE JJAE + {0xC9F9, 0xCA13, prH3, gcLo}, // [27] HANGUL SYLLABLE JJAEG..HANGUL SYLLABLE JJAEH + {0xCA14, 0xCA14, prH2, gcLo}, // HANGUL SYLLABLE JJYA + {0xCA15, 0xCA2F, prH3, gcLo}, // [27] HANGUL SYLLABLE JJYAG..HANGUL SYLLABLE JJYAH + {0xCA30, 0xCA30, prH2, gcLo}, // HANGUL SYLLABLE JJYAE + {0xCA31, 0xCA4B, prH3, gcLo}, // [27] HANGUL SYLLABLE JJYAEG..HANGUL SYLLABLE JJYAEH + {0xCA4C, 0xCA4C, prH2, gcLo}, // HANGUL SYLLABLE JJEO + {0xCA4D, 0xCA67, prH3, gcLo}, // [27] HANGUL SYLLABLE JJEOG..HANGUL SYLLABLE JJEOH + {0xCA68, 0xCA68, prH2, gcLo}, // HANGUL SYLLABLE JJE + {0xCA69, 0xCA83, prH3, gcLo}, // [27] HANGUL SYLLABLE JJEG..HANGUL SYLLABLE JJEH + {0xCA84, 0xCA84, prH2, gcLo}, // HANGUL SYLLABLE JJYEO + {0xCA85, 0xCA9F, prH3, gcLo}, // [27] HANGUL SYLLABLE JJYEOG..HANGUL SYLLABLE JJYEOH + {0xCAA0, 0xCAA0, prH2, gcLo}, // HANGUL SYLLABLE JJYE + {0xCAA1, 0xCABB, prH3, gcLo}, // [27] HANGUL SYLLABLE JJYEG..HANGUL SYLLABLE JJYEH + {0xCABC, 0xCABC, prH2, gcLo}, // HANGUL SYLLABLE JJO + {0xCABD, 0xCAD7, prH3, gcLo}, // [27] HANGUL SYLLABLE JJOG..HANGUL SYLLABLE JJOH + {0xCAD8, 0xCAD8, prH2, gcLo}, // HANGUL SYLLABLE JJWA + {0xCAD9, 0xCAF3, prH3, gcLo}, // [27] HANGUL SYLLABLE JJWAG..HANGUL SYLLABLE JJWAH + {0xCAF4, 0xCAF4, prH2, gcLo}, // HANGUL SYLLABLE JJWAE + {0xCAF5, 0xCB0F, prH3, gcLo}, // [27] HANGUL SYLLABLE JJWAEG..HANGUL SYLLABLE JJWAEH + {0xCB10, 0xCB10, prH2, gcLo}, // HANGUL SYLLABLE JJOE + {0xCB11, 0xCB2B, prH3, gcLo}, // [27] HANGUL SYLLABLE JJOEG..HANGUL SYLLABLE JJOEH + {0xCB2C, 0xCB2C, prH2, gcLo}, // HANGUL SYLLABLE JJYO + {0xCB2D, 0xCB47, prH3, gcLo}, // [27] HANGUL SYLLABLE JJYOG..HANGUL SYLLABLE JJYOH + {0xCB48, 0xCB48, prH2, gcLo}, // HANGUL SYLLABLE JJU + {0xCB49, 0xCB63, prH3, gcLo}, // [27] HANGUL SYLLABLE JJUG..HANGUL SYLLABLE JJUH + {0xCB64, 0xCB64, prH2, gcLo}, // HANGUL SYLLABLE JJWEO + {0xCB65, 0xCB7F, prH3, gcLo}, // [27] HANGUL SYLLABLE JJWEOG..HANGUL SYLLABLE JJWEOH + {0xCB80, 0xCB80, prH2, gcLo}, // HANGUL SYLLABLE JJWE + {0xCB81, 0xCB9B, prH3, gcLo}, // [27] HANGUL SYLLABLE JJWEG..HANGUL SYLLABLE JJWEH + {0xCB9C, 0xCB9C, prH2, gcLo}, // HANGUL SYLLABLE JJWI + {0xCB9D, 0xCBB7, prH3, gcLo}, // [27] HANGUL SYLLABLE JJWIG..HANGUL SYLLABLE JJWIH + {0xCBB8, 0xCBB8, prH2, gcLo}, // HANGUL SYLLABLE JJYU + {0xCBB9, 0xCBD3, prH3, gcLo}, // [27] HANGUL SYLLABLE JJYUG..HANGUL SYLLABLE JJYUH + {0xCBD4, 0xCBD4, prH2, gcLo}, // HANGUL SYLLABLE JJEU + {0xCBD5, 0xCBEF, prH3, gcLo}, // [27] HANGUL SYLLABLE JJEUG..HANGUL SYLLABLE JJEUH + {0xCBF0, 0xCBF0, prH2, gcLo}, // HANGUL SYLLABLE JJYI + {0xCBF1, 0xCC0B, prH3, gcLo}, // [27] HANGUL SYLLABLE JJYIG..HANGUL SYLLABLE JJYIH + {0xCC0C, 0xCC0C, prH2, gcLo}, // HANGUL SYLLABLE JJI + {0xCC0D, 0xCC27, prH3, gcLo}, // [27] HANGUL SYLLABLE JJIG..HANGUL SYLLABLE JJIH + {0xCC28, 0xCC28, prH2, gcLo}, // HANGUL SYLLABLE CA + {0xCC29, 0xCC43, prH3, gcLo}, // [27] HANGUL SYLLABLE CAG..HANGUL SYLLABLE CAH + {0xCC44, 0xCC44, prH2, gcLo}, // HANGUL SYLLABLE CAE + {0xCC45, 0xCC5F, prH3, gcLo}, // [27] HANGUL SYLLABLE CAEG..HANGUL SYLLABLE CAEH + {0xCC60, 0xCC60, prH2, gcLo}, // HANGUL SYLLABLE CYA + {0xCC61, 0xCC7B, prH3, gcLo}, // [27] HANGUL SYLLABLE CYAG..HANGUL SYLLABLE CYAH + {0xCC7C, 0xCC7C, prH2, gcLo}, // HANGUL SYLLABLE CYAE + {0xCC7D, 0xCC97, prH3, gcLo}, // [27] HANGUL SYLLABLE CYAEG..HANGUL SYLLABLE CYAEH + {0xCC98, 0xCC98, prH2, gcLo}, // HANGUL SYLLABLE CEO + {0xCC99, 0xCCB3, prH3, gcLo}, // [27] HANGUL SYLLABLE CEOG..HANGUL SYLLABLE CEOH + {0xCCB4, 0xCCB4, prH2, gcLo}, // HANGUL SYLLABLE CE + {0xCCB5, 0xCCCF, prH3, gcLo}, // [27] HANGUL SYLLABLE CEG..HANGUL SYLLABLE CEH + {0xCCD0, 0xCCD0, prH2, gcLo}, // HANGUL SYLLABLE CYEO + {0xCCD1, 0xCCEB, prH3, gcLo}, // [27] HANGUL SYLLABLE CYEOG..HANGUL SYLLABLE CYEOH + {0xCCEC, 0xCCEC, prH2, gcLo}, // HANGUL SYLLABLE CYE + {0xCCED, 0xCD07, prH3, gcLo}, // [27] HANGUL SYLLABLE CYEG..HANGUL SYLLABLE CYEH + {0xCD08, 0xCD08, prH2, gcLo}, // HANGUL SYLLABLE CO + {0xCD09, 0xCD23, prH3, gcLo}, // [27] HANGUL SYLLABLE COG..HANGUL SYLLABLE COH + {0xCD24, 0xCD24, prH2, gcLo}, // HANGUL SYLLABLE CWA + {0xCD25, 0xCD3F, prH3, gcLo}, // [27] HANGUL SYLLABLE CWAG..HANGUL SYLLABLE CWAH + {0xCD40, 0xCD40, prH2, gcLo}, // HANGUL SYLLABLE CWAE + {0xCD41, 0xCD5B, prH3, gcLo}, // [27] HANGUL SYLLABLE CWAEG..HANGUL SYLLABLE CWAEH + {0xCD5C, 0xCD5C, prH2, gcLo}, // HANGUL SYLLABLE COE + {0xCD5D, 0xCD77, prH3, gcLo}, // [27] HANGUL SYLLABLE COEG..HANGUL SYLLABLE COEH + {0xCD78, 0xCD78, prH2, gcLo}, // HANGUL SYLLABLE CYO + {0xCD79, 0xCD93, prH3, gcLo}, // [27] HANGUL SYLLABLE CYOG..HANGUL SYLLABLE CYOH + {0xCD94, 0xCD94, prH2, gcLo}, // HANGUL SYLLABLE CU + {0xCD95, 0xCDAF, prH3, gcLo}, // [27] HANGUL SYLLABLE CUG..HANGUL SYLLABLE CUH + {0xCDB0, 0xCDB0, prH2, gcLo}, // HANGUL SYLLABLE CWEO + {0xCDB1, 0xCDCB, prH3, gcLo}, // [27] HANGUL SYLLABLE CWEOG..HANGUL SYLLABLE CWEOH + {0xCDCC, 0xCDCC, prH2, gcLo}, // HANGUL SYLLABLE CWE + {0xCDCD, 0xCDE7, prH3, gcLo}, // [27] HANGUL SYLLABLE CWEG..HANGUL SYLLABLE CWEH + {0xCDE8, 0xCDE8, prH2, gcLo}, // HANGUL SYLLABLE CWI + {0xCDE9, 0xCE03, prH3, gcLo}, // [27] HANGUL SYLLABLE CWIG..HANGUL SYLLABLE CWIH + {0xCE04, 0xCE04, prH2, gcLo}, // HANGUL SYLLABLE CYU + {0xCE05, 0xCE1F, prH3, gcLo}, // [27] HANGUL SYLLABLE CYUG..HANGUL SYLLABLE CYUH + {0xCE20, 0xCE20, prH2, gcLo}, // HANGUL SYLLABLE CEU + {0xCE21, 0xCE3B, prH3, gcLo}, // [27] HANGUL SYLLABLE CEUG..HANGUL SYLLABLE CEUH + {0xCE3C, 0xCE3C, prH2, gcLo}, // HANGUL SYLLABLE CYI + {0xCE3D, 0xCE57, prH3, gcLo}, // [27] HANGUL SYLLABLE CYIG..HANGUL SYLLABLE CYIH + {0xCE58, 0xCE58, prH2, gcLo}, // HANGUL SYLLABLE CI + {0xCE59, 0xCE73, prH3, gcLo}, // [27] HANGUL SYLLABLE CIG..HANGUL SYLLABLE CIH + {0xCE74, 0xCE74, prH2, gcLo}, // HANGUL SYLLABLE KA + {0xCE75, 0xCE8F, prH3, gcLo}, // [27] HANGUL SYLLABLE KAG..HANGUL SYLLABLE KAH + {0xCE90, 0xCE90, prH2, gcLo}, // HANGUL SYLLABLE KAE + {0xCE91, 0xCEAB, prH3, gcLo}, // [27] HANGUL SYLLABLE KAEG..HANGUL SYLLABLE KAEH + {0xCEAC, 0xCEAC, prH2, gcLo}, // HANGUL SYLLABLE KYA + {0xCEAD, 0xCEC7, prH3, gcLo}, // [27] HANGUL SYLLABLE KYAG..HANGUL SYLLABLE KYAH + {0xCEC8, 0xCEC8, prH2, gcLo}, // HANGUL SYLLABLE KYAE + {0xCEC9, 0xCEE3, prH3, gcLo}, // [27] HANGUL SYLLABLE KYAEG..HANGUL SYLLABLE KYAEH + {0xCEE4, 0xCEE4, prH2, gcLo}, // HANGUL SYLLABLE KEO + {0xCEE5, 0xCEFF, prH3, gcLo}, // [27] HANGUL SYLLABLE KEOG..HANGUL SYLLABLE KEOH + {0xCF00, 0xCF00, prH2, gcLo}, // HANGUL SYLLABLE KE + {0xCF01, 0xCF1B, prH3, gcLo}, // [27] HANGUL SYLLABLE KEG..HANGUL SYLLABLE KEH + {0xCF1C, 0xCF1C, prH2, gcLo}, // HANGUL SYLLABLE KYEO + {0xCF1D, 0xCF37, prH3, gcLo}, // [27] HANGUL SYLLABLE KYEOG..HANGUL SYLLABLE KYEOH + {0xCF38, 0xCF38, prH2, gcLo}, // HANGUL SYLLABLE KYE + {0xCF39, 0xCF53, prH3, gcLo}, // [27] HANGUL SYLLABLE KYEG..HANGUL SYLLABLE KYEH + {0xCF54, 0xCF54, prH2, gcLo}, // HANGUL SYLLABLE KO + {0xCF55, 0xCF6F, prH3, gcLo}, // [27] HANGUL SYLLABLE KOG..HANGUL SYLLABLE KOH + {0xCF70, 0xCF70, prH2, gcLo}, // HANGUL SYLLABLE KWA + {0xCF71, 0xCF8B, prH3, gcLo}, // [27] HANGUL SYLLABLE KWAG..HANGUL SYLLABLE KWAH + {0xCF8C, 0xCF8C, prH2, gcLo}, // HANGUL SYLLABLE KWAE + {0xCF8D, 0xCFA7, prH3, gcLo}, // [27] HANGUL SYLLABLE KWAEG..HANGUL SYLLABLE KWAEH + {0xCFA8, 0xCFA8, prH2, gcLo}, // HANGUL SYLLABLE KOE + {0xCFA9, 0xCFC3, prH3, gcLo}, // [27] HANGUL SYLLABLE KOEG..HANGUL SYLLABLE KOEH + {0xCFC4, 0xCFC4, prH2, gcLo}, // HANGUL SYLLABLE KYO + {0xCFC5, 0xCFDF, prH3, gcLo}, // [27] HANGUL SYLLABLE KYOG..HANGUL SYLLABLE KYOH + {0xCFE0, 0xCFE0, prH2, gcLo}, // HANGUL SYLLABLE KU + {0xCFE1, 0xCFFB, prH3, gcLo}, // [27] HANGUL SYLLABLE KUG..HANGUL SYLLABLE KUH + {0xCFFC, 0xCFFC, prH2, gcLo}, // HANGUL SYLLABLE KWEO + {0xCFFD, 0xD017, prH3, gcLo}, // [27] HANGUL SYLLABLE KWEOG..HANGUL SYLLABLE KWEOH + {0xD018, 0xD018, prH2, gcLo}, // HANGUL SYLLABLE KWE + {0xD019, 0xD033, prH3, gcLo}, // [27] HANGUL SYLLABLE KWEG..HANGUL SYLLABLE KWEH + {0xD034, 0xD034, prH2, gcLo}, // HANGUL SYLLABLE KWI + {0xD035, 0xD04F, prH3, gcLo}, // [27] HANGUL SYLLABLE KWIG..HANGUL SYLLABLE KWIH + {0xD050, 0xD050, prH2, gcLo}, // HANGUL SYLLABLE KYU + {0xD051, 0xD06B, prH3, gcLo}, // [27] HANGUL SYLLABLE KYUG..HANGUL SYLLABLE KYUH + {0xD06C, 0xD06C, prH2, gcLo}, // HANGUL SYLLABLE KEU + {0xD06D, 0xD087, prH3, gcLo}, // [27] HANGUL SYLLABLE KEUG..HANGUL SYLLABLE KEUH + {0xD088, 0xD088, prH2, gcLo}, // HANGUL SYLLABLE KYI + {0xD089, 0xD0A3, prH3, gcLo}, // [27] HANGUL SYLLABLE KYIG..HANGUL SYLLABLE KYIH + {0xD0A4, 0xD0A4, prH2, gcLo}, // HANGUL SYLLABLE KI + {0xD0A5, 0xD0BF, prH3, gcLo}, // [27] HANGUL SYLLABLE KIG..HANGUL SYLLABLE KIH + {0xD0C0, 0xD0C0, prH2, gcLo}, // HANGUL SYLLABLE TA + {0xD0C1, 0xD0DB, prH3, gcLo}, // [27] HANGUL SYLLABLE TAG..HANGUL SYLLABLE TAH + {0xD0DC, 0xD0DC, prH2, gcLo}, // HANGUL SYLLABLE TAE + {0xD0DD, 0xD0F7, prH3, gcLo}, // [27] HANGUL SYLLABLE TAEG..HANGUL SYLLABLE TAEH + {0xD0F8, 0xD0F8, prH2, gcLo}, // HANGUL SYLLABLE TYA + {0xD0F9, 0xD113, prH3, gcLo}, // [27] HANGUL SYLLABLE TYAG..HANGUL SYLLABLE TYAH + {0xD114, 0xD114, prH2, gcLo}, // HANGUL SYLLABLE TYAE + {0xD115, 0xD12F, prH3, gcLo}, // [27] HANGUL SYLLABLE TYAEG..HANGUL SYLLABLE TYAEH + {0xD130, 0xD130, prH2, gcLo}, // HANGUL SYLLABLE TEO + {0xD131, 0xD14B, prH3, gcLo}, // [27] HANGUL SYLLABLE TEOG..HANGUL SYLLABLE TEOH + {0xD14C, 0xD14C, prH2, gcLo}, // HANGUL SYLLABLE TE + {0xD14D, 0xD167, prH3, gcLo}, // [27] HANGUL SYLLABLE TEG..HANGUL SYLLABLE TEH + {0xD168, 0xD168, prH2, gcLo}, // HANGUL SYLLABLE TYEO + {0xD169, 0xD183, prH3, gcLo}, // [27] HANGUL SYLLABLE TYEOG..HANGUL SYLLABLE TYEOH + {0xD184, 0xD184, prH2, gcLo}, // HANGUL SYLLABLE TYE + {0xD185, 0xD19F, prH3, gcLo}, // [27] HANGUL SYLLABLE TYEG..HANGUL SYLLABLE TYEH + {0xD1A0, 0xD1A0, prH2, gcLo}, // HANGUL SYLLABLE TO + {0xD1A1, 0xD1BB, prH3, gcLo}, // [27] HANGUL SYLLABLE TOG..HANGUL SYLLABLE TOH + {0xD1BC, 0xD1BC, prH2, gcLo}, // HANGUL SYLLABLE TWA + {0xD1BD, 0xD1D7, prH3, gcLo}, // [27] HANGUL SYLLABLE TWAG..HANGUL SYLLABLE TWAH + {0xD1D8, 0xD1D8, prH2, gcLo}, // HANGUL SYLLABLE TWAE + {0xD1D9, 0xD1F3, prH3, gcLo}, // [27] HANGUL SYLLABLE TWAEG..HANGUL SYLLABLE TWAEH + {0xD1F4, 0xD1F4, prH2, gcLo}, // HANGUL SYLLABLE TOE + {0xD1F5, 0xD20F, prH3, gcLo}, // [27] HANGUL SYLLABLE TOEG..HANGUL SYLLABLE TOEH + {0xD210, 0xD210, prH2, gcLo}, // HANGUL SYLLABLE TYO + {0xD211, 0xD22B, prH3, gcLo}, // [27] HANGUL SYLLABLE TYOG..HANGUL SYLLABLE TYOH + {0xD22C, 0xD22C, prH2, gcLo}, // HANGUL SYLLABLE TU + {0xD22D, 0xD247, prH3, gcLo}, // [27] HANGUL SYLLABLE TUG..HANGUL SYLLABLE TUH + {0xD248, 0xD248, prH2, gcLo}, // HANGUL SYLLABLE TWEO + {0xD249, 0xD263, prH3, gcLo}, // [27] HANGUL SYLLABLE TWEOG..HANGUL SYLLABLE TWEOH + {0xD264, 0xD264, prH2, gcLo}, // HANGUL SYLLABLE TWE + {0xD265, 0xD27F, prH3, gcLo}, // [27] HANGUL SYLLABLE TWEG..HANGUL SYLLABLE TWEH + {0xD280, 0xD280, prH2, gcLo}, // HANGUL SYLLABLE TWI + {0xD281, 0xD29B, prH3, gcLo}, // [27] HANGUL SYLLABLE TWIG..HANGUL SYLLABLE TWIH + {0xD29C, 0xD29C, prH2, gcLo}, // HANGUL SYLLABLE TYU + {0xD29D, 0xD2B7, prH3, gcLo}, // [27] HANGUL SYLLABLE TYUG..HANGUL SYLLABLE TYUH + {0xD2B8, 0xD2B8, prH2, gcLo}, // HANGUL SYLLABLE TEU + {0xD2B9, 0xD2D3, prH3, gcLo}, // [27] HANGUL SYLLABLE TEUG..HANGUL SYLLABLE TEUH + {0xD2D4, 0xD2D4, prH2, gcLo}, // HANGUL SYLLABLE TYI + {0xD2D5, 0xD2EF, prH3, gcLo}, // [27] HANGUL SYLLABLE TYIG..HANGUL SYLLABLE TYIH + {0xD2F0, 0xD2F0, prH2, gcLo}, // HANGUL SYLLABLE TI + {0xD2F1, 0xD30B, prH3, gcLo}, // [27] HANGUL SYLLABLE TIG..HANGUL SYLLABLE TIH + {0xD30C, 0xD30C, prH2, gcLo}, // HANGUL SYLLABLE PA + {0xD30D, 0xD327, prH3, gcLo}, // [27] HANGUL SYLLABLE PAG..HANGUL SYLLABLE PAH + {0xD328, 0xD328, prH2, gcLo}, // HANGUL SYLLABLE PAE + {0xD329, 0xD343, prH3, gcLo}, // [27] HANGUL SYLLABLE PAEG..HANGUL SYLLABLE PAEH + {0xD344, 0xD344, prH2, gcLo}, // HANGUL SYLLABLE PYA + {0xD345, 0xD35F, prH3, gcLo}, // [27] HANGUL SYLLABLE PYAG..HANGUL SYLLABLE PYAH + {0xD360, 0xD360, prH2, gcLo}, // HANGUL SYLLABLE PYAE + {0xD361, 0xD37B, prH3, gcLo}, // [27] HANGUL SYLLABLE PYAEG..HANGUL SYLLABLE PYAEH + {0xD37C, 0xD37C, prH2, gcLo}, // HANGUL SYLLABLE PEO + {0xD37D, 0xD397, prH3, gcLo}, // [27] HANGUL SYLLABLE PEOG..HANGUL SYLLABLE PEOH + {0xD398, 0xD398, prH2, gcLo}, // HANGUL SYLLABLE PE + {0xD399, 0xD3B3, prH3, gcLo}, // [27] HANGUL SYLLABLE PEG..HANGUL SYLLABLE PEH + {0xD3B4, 0xD3B4, prH2, gcLo}, // HANGUL SYLLABLE PYEO + {0xD3B5, 0xD3CF, prH3, gcLo}, // [27] HANGUL SYLLABLE PYEOG..HANGUL SYLLABLE PYEOH + {0xD3D0, 0xD3D0, prH2, gcLo}, // HANGUL SYLLABLE PYE + {0xD3D1, 0xD3EB, prH3, gcLo}, // [27] HANGUL SYLLABLE PYEG..HANGUL SYLLABLE PYEH + {0xD3EC, 0xD3EC, prH2, gcLo}, // HANGUL SYLLABLE PO + {0xD3ED, 0xD407, prH3, gcLo}, // [27] HANGUL SYLLABLE POG..HANGUL SYLLABLE POH + {0xD408, 0xD408, prH2, gcLo}, // HANGUL SYLLABLE PWA + {0xD409, 0xD423, prH3, gcLo}, // [27] HANGUL SYLLABLE PWAG..HANGUL SYLLABLE PWAH + {0xD424, 0xD424, prH2, gcLo}, // HANGUL SYLLABLE PWAE + {0xD425, 0xD43F, prH3, gcLo}, // [27] HANGUL SYLLABLE PWAEG..HANGUL SYLLABLE PWAEH + {0xD440, 0xD440, prH2, gcLo}, // HANGUL SYLLABLE POE + {0xD441, 0xD45B, prH3, gcLo}, // [27] HANGUL SYLLABLE POEG..HANGUL SYLLABLE POEH + {0xD45C, 0xD45C, prH2, gcLo}, // HANGUL SYLLABLE PYO + {0xD45D, 0xD477, prH3, gcLo}, // [27] HANGUL SYLLABLE PYOG..HANGUL SYLLABLE PYOH + {0xD478, 0xD478, prH2, gcLo}, // HANGUL SYLLABLE PU + {0xD479, 0xD493, prH3, gcLo}, // [27] HANGUL SYLLABLE PUG..HANGUL SYLLABLE PUH + {0xD494, 0xD494, prH2, gcLo}, // HANGUL SYLLABLE PWEO + {0xD495, 0xD4AF, prH3, gcLo}, // [27] HANGUL SYLLABLE PWEOG..HANGUL SYLLABLE PWEOH + {0xD4B0, 0xD4B0, prH2, gcLo}, // HANGUL SYLLABLE PWE + {0xD4B1, 0xD4CB, prH3, gcLo}, // [27] HANGUL SYLLABLE PWEG..HANGUL SYLLABLE PWEH + {0xD4CC, 0xD4CC, prH2, gcLo}, // HANGUL SYLLABLE PWI + {0xD4CD, 0xD4E7, prH3, gcLo}, // [27] HANGUL SYLLABLE PWIG..HANGUL SYLLABLE PWIH + {0xD4E8, 0xD4E8, prH2, gcLo}, // HANGUL SYLLABLE PYU + {0xD4E9, 0xD503, prH3, gcLo}, // [27] HANGUL SYLLABLE PYUG..HANGUL SYLLABLE PYUH + {0xD504, 0xD504, prH2, gcLo}, // HANGUL SYLLABLE PEU + {0xD505, 0xD51F, prH3, gcLo}, // [27] HANGUL SYLLABLE PEUG..HANGUL SYLLABLE PEUH + {0xD520, 0xD520, prH2, gcLo}, // HANGUL SYLLABLE PYI + {0xD521, 0xD53B, prH3, gcLo}, // [27] HANGUL SYLLABLE PYIG..HANGUL SYLLABLE PYIH + {0xD53C, 0xD53C, prH2, gcLo}, // HANGUL SYLLABLE PI + {0xD53D, 0xD557, prH3, gcLo}, // [27] HANGUL SYLLABLE PIG..HANGUL SYLLABLE PIH + {0xD558, 0xD558, prH2, gcLo}, // HANGUL SYLLABLE HA + {0xD559, 0xD573, prH3, gcLo}, // [27] HANGUL SYLLABLE HAG..HANGUL SYLLABLE HAH + {0xD574, 0xD574, prH2, gcLo}, // HANGUL SYLLABLE HAE + {0xD575, 0xD58F, prH3, gcLo}, // [27] HANGUL SYLLABLE HAEG..HANGUL SYLLABLE HAEH + {0xD590, 0xD590, prH2, gcLo}, // HANGUL SYLLABLE HYA + {0xD591, 0xD5AB, prH3, gcLo}, // [27] HANGUL SYLLABLE HYAG..HANGUL SYLLABLE HYAH + {0xD5AC, 0xD5AC, prH2, gcLo}, // HANGUL SYLLABLE HYAE + {0xD5AD, 0xD5C7, prH3, gcLo}, // [27] HANGUL SYLLABLE HYAEG..HANGUL SYLLABLE HYAEH + {0xD5C8, 0xD5C8, prH2, gcLo}, // HANGUL SYLLABLE HEO + {0xD5C9, 0xD5E3, prH3, gcLo}, // [27] HANGUL SYLLABLE HEOG..HANGUL SYLLABLE HEOH + {0xD5E4, 0xD5E4, prH2, gcLo}, // HANGUL SYLLABLE HE + {0xD5E5, 0xD5FF, prH3, gcLo}, // [27] HANGUL SYLLABLE HEG..HANGUL SYLLABLE HEH + {0xD600, 0xD600, prH2, gcLo}, // HANGUL SYLLABLE HYEO + {0xD601, 0xD61B, prH3, gcLo}, // [27] HANGUL SYLLABLE HYEOG..HANGUL SYLLABLE HYEOH + {0xD61C, 0xD61C, prH2, gcLo}, // HANGUL SYLLABLE HYE + {0xD61D, 0xD637, prH3, gcLo}, // [27] HANGUL SYLLABLE HYEG..HANGUL SYLLABLE HYEH + {0xD638, 0xD638, prH2, gcLo}, // HANGUL SYLLABLE HO + {0xD639, 0xD653, prH3, gcLo}, // [27] HANGUL SYLLABLE HOG..HANGUL SYLLABLE HOH + {0xD654, 0xD654, prH2, gcLo}, // HANGUL SYLLABLE HWA + {0xD655, 0xD66F, prH3, gcLo}, // [27] HANGUL SYLLABLE HWAG..HANGUL SYLLABLE HWAH + {0xD670, 0xD670, prH2, gcLo}, // HANGUL SYLLABLE HWAE + {0xD671, 0xD68B, prH3, gcLo}, // [27] HANGUL SYLLABLE HWAEG..HANGUL SYLLABLE HWAEH + {0xD68C, 0xD68C, prH2, gcLo}, // HANGUL SYLLABLE HOE + {0xD68D, 0xD6A7, prH3, gcLo}, // [27] HANGUL SYLLABLE HOEG..HANGUL SYLLABLE HOEH + {0xD6A8, 0xD6A8, prH2, gcLo}, // HANGUL SYLLABLE HYO + {0xD6A9, 0xD6C3, prH3, gcLo}, // [27] HANGUL SYLLABLE HYOG..HANGUL SYLLABLE HYOH + {0xD6C4, 0xD6C4, prH2, gcLo}, // HANGUL SYLLABLE HU + {0xD6C5, 0xD6DF, prH3, gcLo}, // [27] HANGUL SYLLABLE HUG..HANGUL SYLLABLE HUH + {0xD6E0, 0xD6E0, prH2, gcLo}, // HANGUL SYLLABLE HWEO + {0xD6E1, 0xD6FB, prH3, gcLo}, // [27] HANGUL SYLLABLE HWEOG..HANGUL SYLLABLE HWEOH + {0xD6FC, 0xD6FC, prH2, gcLo}, // HANGUL SYLLABLE HWE + {0xD6FD, 0xD717, prH3, gcLo}, // [27] HANGUL SYLLABLE HWEG..HANGUL SYLLABLE HWEH + {0xD718, 0xD718, prH2, gcLo}, // HANGUL SYLLABLE HWI + {0xD719, 0xD733, prH3, gcLo}, // [27] HANGUL SYLLABLE HWIG..HANGUL SYLLABLE HWIH + {0xD734, 0xD734, prH2, gcLo}, // HANGUL SYLLABLE HYU + {0xD735, 0xD74F, prH3, gcLo}, // [27] HANGUL SYLLABLE HYUG..HANGUL SYLLABLE HYUH + {0xD750, 0xD750, prH2, gcLo}, // HANGUL SYLLABLE HEU + {0xD751, 0xD76B, prH3, gcLo}, // [27] HANGUL SYLLABLE HEUG..HANGUL SYLLABLE HEUH + {0xD76C, 0xD76C, prH2, gcLo}, // HANGUL SYLLABLE HYI + {0xD76D, 0xD787, prH3, gcLo}, // [27] HANGUL SYLLABLE HYIG..HANGUL SYLLABLE HYIH + {0xD788, 0xD788, prH2, gcLo}, // HANGUL SYLLABLE HI + {0xD789, 0xD7A3, prH3, gcLo}, // [27] HANGUL SYLLABLE HIG..HANGUL SYLLABLE HIH + {0xD7B0, 0xD7C6, prJV, gcLo}, // [23] HANGUL JUNGSEONG O-YEO..HANGUL JUNGSEONG ARAEA-E + {0xD7CB, 0xD7FB, prJT, gcLo}, // [49] HANGUL JONGSEONG NIEUN-RIEUL..HANGUL JONGSEONG PHIEUPH-THIEUTH + {0xD800, 0xDB7F, prSG, gcCs}, // [896] .. + {0xDB80, 0xDBFF, prSG, gcCs}, // [128] .. + {0xDC00, 0xDFFF, prSG, gcCs}, // [1024] .. + {0xE000, 0xF8FF, prXX, gcCo}, // [6400] .. + {0xF900, 0xFA6D, prID, gcLo}, // [366] CJK COMPATIBILITY IDEOGRAPH-F900..CJK COMPATIBILITY IDEOGRAPH-FA6D + {0xFA6E, 0xFA6F, prID, gcCn}, // [2] .. + {0xFA70, 0xFAD9, prID, gcLo}, // [106] CJK COMPATIBILITY IDEOGRAPH-FA70..CJK COMPATIBILITY IDEOGRAPH-FAD9 + {0xFADA, 0xFAFF, prID, gcCn}, // [38] .. + {0xFB00, 0xFB06, prAL, gcLl}, // [7] LATIN SMALL LIGATURE FF..LATIN SMALL LIGATURE ST + {0xFB13, 0xFB17, prAL, gcLl}, // [5] ARMENIAN SMALL LIGATURE MEN NOW..ARMENIAN SMALL LIGATURE MEN XEH + {0xFB1D, 0xFB1D, prHL, gcLo}, // HEBREW LETTER YOD WITH HIRIQ + {0xFB1E, 0xFB1E, prCM, gcMn}, // HEBREW POINT JUDEO-SPANISH VARIKA + {0xFB1F, 0xFB28, prHL, gcLo}, // [10] HEBREW LIGATURE YIDDISH YOD YOD PATAH..HEBREW LETTER WIDE TAV + {0xFB29, 0xFB29, prAL, gcSm}, // HEBREW LETTER ALTERNATIVE PLUS SIGN + {0xFB2A, 0xFB36, prHL, gcLo}, // [13] HEBREW LETTER SHIN WITH SHIN DOT..HEBREW LETTER ZAYIN WITH DAGESH + {0xFB38, 0xFB3C, prHL, gcLo}, // [5] HEBREW LETTER TET WITH DAGESH..HEBREW LETTER LAMED WITH DAGESH + {0xFB3E, 0xFB3E, prHL, gcLo}, // HEBREW LETTER MEM WITH DAGESH + {0xFB40, 0xFB41, prHL, gcLo}, // [2] HEBREW LETTER NUN WITH DAGESH..HEBREW LETTER SAMEKH WITH DAGESH + {0xFB43, 0xFB44, prHL, gcLo}, // [2] HEBREW LETTER FINAL PE WITH DAGESH..HEBREW LETTER PE WITH DAGESH + {0xFB46, 0xFB4F, prHL, gcLo}, // [10] HEBREW LETTER TSADI WITH DAGESH..HEBREW LIGATURE ALEF LAMED + {0xFB50, 0xFBB1, prAL, gcLo}, // [98] ARABIC LETTER ALEF WASLA ISOLATED FORM..ARABIC LETTER YEH BARREE WITH HAMZA ABOVE FINAL FORM + {0xFBB2, 0xFBC2, prAL, gcSk}, // [17] ARABIC SYMBOL DOT ABOVE..ARABIC SYMBOL WASLA ABOVE + {0xFBD3, 0xFD3D, prAL, gcLo}, // [363] ARABIC LETTER NG ISOLATED FORM..ARABIC LIGATURE ALEF WITH FATHATAN ISOLATED FORM + {0xFD3E, 0xFD3E, prCL, gcPe}, // ORNATE LEFT PARENTHESIS + {0xFD3F, 0xFD3F, prOP, gcPs}, // ORNATE RIGHT PARENTHESIS + {0xFD40, 0xFD4F, prAL, gcSo}, // [16] ARABIC LIGATURE RAHIMAHU ALLAAH..ARABIC LIGATURE RAHIMAHUM ALLAAH + {0xFD50, 0xFD8F, prAL, gcLo}, // [64] ARABIC LIGATURE TEH WITH JEEM WITH MEEM INITIAL FORM..ARABIC LIGATURE MEEM WITH KHAH WITH MEEM INITIAL FORM + {0xFD92, 0xFDC7, prAL, gcLo}, // [54] ARABIC LIGATURE MEEM WITH JEEM WITH KHAH INITIAL FORM..ARABIC LIGATURE NOON WITH JEEM WITH YEH FINAL FORM + {0xFDCF, 0xFDCF, prAL, gcSo}, // ARABIC LIGATURE SALAAMUHU ALAYNAA + {0xFDF0, 0xFDFB, prAL, gcLo}, // [12] ARABIC LIGATURE SALLA USED AS KORANIC STOP SIGN ISOLATED FORM..ARABIC LIGATURE JALLAJALALOUHOU + {0xFDFC, 0xFDFC, prPO, gcSc}, // RIAL SIGN + {0xFDFD, 0xFDFF, prAL, gcSo}, // [3] ARABIC LIGATURE BISMILLAH AR-RAHMAN AR-RAHEEM..ARABIC LIGATURE AZZA WA JALL + {0xFE00, 0xFE0F, prCM, gcMn}, // [16] VARIATION SELECTOR-1..VARIATION SELECTOR-16 + {0xFE10, 0xFE10, prIS, gcPo}, // PRESENTATION FORM FOR VERTICAL COMMA + {0xFE11, 0xFE12, prCL, gcPo}, // [2] PRESENTATION FORM FOR VERTICAL IDEOGRAPHIC COMMA..PRESENTATION FORM FOR VERTICAL IDEOGRAPHIC FULL STOP + {0xFE13, 0xFE14, prIS, gcPo}, // [2] PRESENTATION FORM FOR VERTICAL COLON..PRESENTATION FORM FOR VERTICAL SEMICOLON + {0xFE15, 0xFE16, prEX, gcPo}, // [2] PRESENTATION FORM FOR VERTICAL EXCLAMATION MARK..PRESENTATION FORM FOR VERTICAL QUESTION MARK + {0xFE17, 0xFE17, prOP, gcPs}, // PRESENTATION FORM FOR VERTICAL LEFT WHITE LENTICULAR BRACKET + {0xFE18, 0xFE18, prCL, gcPe}, // PRESENTATION FORM FOR VERTICAL RIGHT WHITE LENTICULAR BRAKCET + {0xFE19, 0xFE19, prIN, gcPo}, // PRESENTATION FORM FOR VERTICAL HORIZONTAL ELLIPSIS + {0xFE20, 0xFE2F, prCM, gcMn}, // [16] COMBINING LIGATURE LEFT HALF..COMBINING CYRILLIC TITLO RIGHT HALF + {0xFE30, 0xFE30, prID, gcPo}, // PRESENTATION FORM FOR VERTICAL TWO DOT LEADER + {0xFE31, 0xFE32, prID, gcPd}, // [2] PRESENTATION FORM FOR VERTICAL EM DASH..PRESENTATION FORM FOR VERTICAL EN DASH + {0xFE33, 0xFE34, prID, gcPc}, // [2] PRESENTATION FORM FOR VERTICAL LOW LINE..PRESENTATION FORM FOR VERTICAL WAVY LOW LINE + {0xFE35, 0xFE35, prOP, gcPs}, // PRESENTATION FORM FOR VERTICAL LEFT PARENTHESIS + {0xFE36, 0xFE36, prCL, gcPe}, // PRESENTATION FORM FOR VERTICAL RIGHT PARENTHESIS + {0xFE37, 0xFE37, prOP, gcPs}, // PRESENTATION FORM FOR VERTICAL LEFT CURLY BRACKET + {0xFE38, 0xFE38, prCL, gcPe}, // PRESENTATION FORM FOR VERTICAL RIGHT CURLY BRACKET + {0xFE39, 0xFE39, prOP, gcPs}, // PRESENTATION FORM FOR VERTICAL LEFT TORTOISE SHELL BRACKET + {0xFE3A, 0xFE3A, prCL, gcPe}, // PRESENTATION FORM FOR VERTICAL RIGHT TORTOISE SHELL BRACKET + {0xFE3B, 0xFE3B, prOP, gcPs}, // PRESENTATION FORM FOR VERTICAL LEFT BLACK LENTICULAR BRACKET + {0xFE3C, 0xFE3C, prCL, gcPe}, // PRESENTATION FORM FOR VERTICAL RIGHT BLACK LENTICULAR BRACKET + {0xFE3D, 0xFE3D, prOP, gcPs}, // PRESENTATION FORM FOR VERTICAL LEFT DOUBLE ANGLE BRACKET + {0xFE3E, 0xFE3E, prCL, gcPe}, // PRESENTATION FORM FOR VERTICAL RIGHT DOUBLE ANGLE BRACKET + {0xFE3F, 0xFE3F, prOP, gcPs}, // PRESENTATION FORM FOR VERTICAL LEFT ANGLE BRACKET + {0xFE40, 0xFE40, prCL, gcPe}, // PRESENTATION FORM FOR VERTICAL RIGHT ANGLE BRACKET + {0xFE41, 0xFE41, prOP, gcPs}, // PRESENTATION FORM FOR VERTICAL LEFT CORNER BRACKET + {0xFE42, 0xFE42, prCL, gcPe}, // PRESENTATION FORM FOR VERTICAL RIGHT CORNER BRACKET + {0xFE43, 0xFE43, prOP, gcPs}, // PRESENTATION FORM FOR VERTICAL LEFT WHITE CORNER BRACKET + {0xFE44, 0xFE44, prCL, gcPe}, // PRESENTATION FORM FOR VERTICAL RIGHT WHITE CORNER BRACKET + {0xFE45, 0xFE46, prID, gcPo}, // [2] SESAME DOT..WHITE SESAME DOT + {0xFE47, 0xFE47, prOP, gcPs}, // PRESENTATION FORM FOR VERTICAL LEFT SQUARE BRACKET + {0xFE48, 0xFE48, prCL, gcPe}, // PRESENTATION FORM FOR VERTICAL RIGHT SQUARE BRACKET + {0xFE49, 0xFE4C, prID, gcPo}, // [4] DASHED OVERLINE..DOUBLE WAVY OVERLINE + {0xFE4D, 0xFE4F, prID, gcPc}, // [3] DASHED LOW LINE..WAVY LOW LINE + {0xFE50, 0xFE50, prCL, gcPo}, // SMALL COMMA + {0xFE51, 0xFE51, prID, gcPo}, // SMALL IDEOGRAPHIC COMMA + {0xFE52, 0xFE52, prCL, gcPo}, // SMALL FULL STOP + {0xFE54, 0xFE55, prNS, gcPo}, // [2] SMALL SEMICOLON..SMALL COLON + {0xFE56, 0xFE57, prEX, gcPo}, // [2] SMALL QUESTION MARK..SMALL EXCLAMATION MARK + {0xFE58, 0xFE58, prID, gcPd}, // SMALL EM DASH + {0xFE59, 0xFE59, prOP, gcPs}, // SMALL LEFT PARENTHESIS + {0xFE5A, 0xFE5A, prCL, gcPe}, // SMALL RIGHT PARENTHESIS + {0xFE5B, 0xFE5B, prOP, gcPs}, // SMALL LEFT CURLY BRACKET + {0xFE5C, 0xFE5C, prCL, gcPe}, // SMALL RIGHT CURLY BRACKET + {0xFE5D, 0xFE5D, prOP, gcPs}, // SMALL LEFT TORTOISE SHELL BRACKET + {0xFE5E, 0xFE5E, prCL, gcPe}, // SMALL RIGHT TORTOISE SHELL BRACKET + {0xFE5F, 0xFE61, prID, gcPo}, // [3] SMALL NUMBER SIGN..SMALL ASTERISK + {0xFE62, 0xFE62, prID, gcSm}, // SMALL PLUS SIGN + {0xFE63, 0xFE63, prID, gcPd}, // SMALL HYPHEN-MINUS + {0xFE64, 0xFE66, prID, gcSm}, // [3] SMALL LESS-THAN SIGN..SMALL EQUALS SIGN + {0xFE68, 0xFE68, prID, gcPo}, // SMALL REVERSE SOLIDUS + {0xFE69, 0xFE69, prPR, gcSc}, // SMALL DOLLAR SIGN + {0xFE6A, 0xFE6A, prPO, gcPo}, // SMALL PERCENT SIGN + {0xFE6B, 0xFE6B, prID, gcPo}, // SMALL COMMERCIAL AT + {0xFE70, 0xFE74, prAL, gcLo}, // [5] ARABIC FATHATAN ISOLATED FORM..ARABIC KASRATAN ISOLATED FORM + {0xFE76, 0xFEFC, prAL, gcLo}, // [135] ARABIC FATHA ISOLATED FORM..ARABIC LIGATURE LAM WITH ALEF FINAL FORM + {0xFEFF, 0xFEFF, prWJ, gcCf}, // ZERO WIDTH NO-BREAK SPACE + {0xFF01, 0xFF01, prEX, gcPo}, // FULLWIDTH EXCLAMATION MARK + {0xFF02, 0xFF03, prID, gcPo}, // [2] FULLWIDTH QUOTATION MARK..FULLWIDTH NUMBER SIGN + {0xFF04, 0xFF04, prPR, gcSc}, // FULLWIDTH DOLLAR SIGN + {0xFF05, 0xFF05, prPO, gcPo}, // FULLWIDTH PERCENT SIGN + {0xFF06, 0xFF07, prID, gcPo}, // [2] FULLWIDTH AMPERSAND..FULLWIDTH APOSTROPHE + {0xFF08, 0xFF08, prOP, gcPs}, // FULLWIDTH LEFT PARENTHESIS + {0xFF09, 0xFF09, prCL, gcPe}, // FULLWIDTH RIGHT PARENTHESIS + {0xFF0A, 0xFF0A, prID, gcPo}, // FULLWIDTH ASTERISK + {0xFF0B, 0xFF0B, prID, gcSm}, // FULLWIDTH PLUS SIGN + {0xFF0C, 0xFF0C, prCL, gcPo}, // FULLWIDTH COMMA + {0xFF0D, 0xFF0D, prID, gcPd}, // FULLWIDTH HYPHEN-MINUS + {0xFF0E, 0xFF0E, prCL, gcPo}, // FULLWIDTH FULL STOP + {0xFF0F, 0xFF0F, prID, gcPo}, // FULLWIDTH SOLIDUS + {0xFF10, 0xFF19, prID, gcNd}, // [10] FULLWIDTH DIGIT ZERO..FULLWIDTH DIGIT NINE + {0xFF1A, 0xFF1B, prNS, gcPo}, // [2] FULLWIDTH COLON..FULLWIDTH SEMICOLON + {0xFF1C, 0xFF1E, prID, gcSm}, // [3] FULLWIDTH LESS-THAN SIGN..FULLWIDTH GREATER-THAN SIGN + {0xFF1F, 0xFF1F, prEX, gcPo}, // FULLWIDTH QUESTION MARK + {0xFF20, 0xFF20, prID, gcPo}, // FULLWIDTH COMMERCIAL AT + {0xFF21, 0xFF3A, prID, gcLu}, // [26] FULLWIDTH LATIN CAPITAL LETTER A..FULLWIDTH LATIN CAPITAL LETTER Z + {0xFF3B, 0xFF3B, prOP, gcPs}, // FULLWIDTH LEFT SQUARE BRACKET + {0xFF3C, 0xFF3C, prID, gcPo}, // FULLWIDTH REVERSE SOLIDUS + {0xFF3D, 0xFF3D, prCL, gcPe}, // FULLWIDTH RIGHT SQUARE BRACKET + {0xFF3E, 0xFF3E, prID, gcSk}, // FULLWIDTH CIRCUMFLEX ACCENT + {0xFF3F, 0xFF3F, prID, gcPc}, // FULLWIDTH LOW LINE + {0xFF40, 0xFF40, prID, gcSk}, // FULLWIDTH GRAVE ACCENT + {0xFF41, 0xFF5A, prID, gcLl}, // [26] FULLWIDTH LATIN SMALL LETTER A..FULLWIDTH LATIN SMALL LETTER Z + {0xFF5B, 0xFF5B, prOP, gcPs}, // FULLWIDTH LEFT CURLY BRACKET + {0xFF5C, 0xFF5C, prID, gcSm}, // FULLWIDTH VERTICAL LINE + {0xFF5D, 0xFF5D, prCL, gcPe}, // FULLWIDTH RIGHT CURLY BRACKET + {0xFF5E, 0xFF5E, prID, gcSm}, // FULLWIDTH TILDE + {0xFF5F, 0xFF5F, prOP, gcPs}, // FULLWIDTH LEFT WHITE PARENTHESIS + {0xFF60, 0xFF60, prCL, gcPe}, // FULLWIDTH RIGHT WHITE PARENTHESIS + {0xFF61, 0xFF61, prCL, gcPo}, // HALFWIDTH IDEOGRAPHIC FULL STOP + {0xFF62, 0xFF62, prOP, gcPs}, // HALFWIDTH LEFT CORNER BRACKET + {0xFF63, 0xFF63, prCL, gcPe}, // HALFWIDTH RIGHT CORNER BRACKET + {0xFF64, 0xFF64, prCL, gcPo}, // HALFWIDTH IDEOGRAPHIC COMMA + {0xFF65, 0xFF65, prNS, gcPo}, // HALFWIDTH KATAKANA MIDDLE DOT + {0xFF66, 0xFF66, prID, gcLo}, // HALFWIDTH KATAKANA LETTER WO + {0xFF67, 0xFF6F, prCJ, gcLo}, // [9] HALFWIDTH KATAKANA LETTER SMALL A..HALFWIDTH KATAKANA LETTER SMALL TU + {0xFF70, 0xFF70, prCJ, gcLm}, // HALFWIDTH KATAKANA-HIRAGANA PROLONGED SOUND MARK + {0xFF71, 0xFF9D, prID, gcLo}, // [45] HALFWIDTH KATAKANA LETTER A..HALFWIDTH KATAKANA LETTER N + {0xFF9E, 0xFF9F, prNS, gcLm}, // [2] HALFWIDTH KATAKANA VOICED SOUND MARK..HALFWIDTH KATAKANA SEMI-VOICED SOUND MARK + {0xFFA0, 0xFFBE, prID, gcLo}, // [31] HALFWIDTH HANGUL FILLER..HALFWIDTH HANGUL LETTER HIEUH + {0xFFC2, 0xFFC7, prID, gcLo}, // [6] HALFWIDTH HANGUL LETTER A..HALFWIDTH HANGUL LETTER E + {0xFFCA, 0xFFCF, prID, gcLo}, // [6] HALFWIDTH HANGUL LETTER YEO..HALFWIDTH HANGUL LETTER OE + {0xFFD2, 0xFFD7, prID, gcLo}, // [6] HALFWIDTH HANGUL LETTER YO..HALFWIDTH HANGUL LETTER YU + {0xFFDA, 0xFFDC, prID, gcLo}, // [3] HALFWIDTH HANGUL LETTER EU..HALFWIDTH HANGUL LETTER I + {0xFFE0, 0xFFE0, prPO, gcSc}, // FULLWIDTH CENT SIGN + {0xFFE1, 0xFFE1, prPR, gcSc}, // FULLWIDTH POUND SIGN + {0xFFE2, 0xFFE2, prID, gcSm}, // FULLWIDTH NOT SIGN + {0xFFE3, 0xFFE3, prID, gcSk}, // FULLWIDTH MACRON + {0xFFE4, 0xFFE4, prID, gcSo}, // FULLWIDTH BROKEN BAR + {0xFFE5, 0xFFE6, prPR, gcSc}, // [2] FULLWIDTH YEN SIGN..FULLWIDTH WON SIGN + {0xFFE8, 0xFFE8, prAL, gcSo}, // HALFWIDTH FORMS LIGHT VERTICAL + {0xFFE9, 0xFFEC, prAL, gcSm}, // [4] HALFWIDTH LEFTWARDS ARROW..HALFWIDTH DOWNWARDS ARROW + {0xFFED, 0xFFEE, prAL, gcSo}, // [2] HALFWIDTH BLACK SQUARE..HALFWIDTH WHITE CIRCLE + {0xFFF9, 0xFFFB, prCM, gcCf}, // [3] INTERLINEAR ANNOTATION ANCHOR..INTERLINEAR ANNOTATION TERMINATOR + {0xFFFC, 0xFFFC, prCB, gcSo}, // OBJECT REPLACEMENT CHARACTER + {0xFFFD, 0xFFFD, prAI, gcSo}, // REPLACEMENT CHARACTER + {0x10000, 0x1000B, prAL, gcLo}, // [12] LINEAR B SYLLABLE B008 A..LINEAR B SYLLABLE B046 JE + {0x1000D, 0x10026, prAL, gcLo}, // [26] LINEAR B SYLLABLE B036 JO..LINEAR B SYLLABLE B032 QO + {0x10028, 0x1003A, prAL, gcLo}, // [19] LINEAR B SYLLABLE B060 RA..LINEAR B SYLLABLE B042 WO + {0x1003C, 0x1003D, prAL, gcLo}, // [2] LINEAR B SYLLABLE B017 ZA..LINEAR B SYLLABLE B074 ZE + {0x1003F, 0x1004D, prAL, gcLo}, // [15] LINEAR B SYLLABLE B020 ZO..LINEAR B SYLLABLE B091 TWO + {0x10050, 0x1005D, prAL, gcLo}, // [14] LINEAR B SYMBOL B018..LINEAR B SYMBOL B089 + {0x10080, 0x100FA, prAL, gcLo}, // [123] LINEAR B IDEOGRAM B100 MAN..LINEAR B IDEOGRAM VESSEL B305 + {0x10100, 0x10102, prBA, gcPo}, // [3] AEGEAN WORD SEPARATOR LINE..AEGEAN CHECK MARK + {0x10107, 0x10133, prAL, gcNo}, // [45] AEGEAN NUMBER ONE..AEGEAN NUMBER NINETY THOUSAND + {0x10137, 0x1013F, prAL, gcSo}, // [9] AEGEAN WEIGHT BASE UNIT..AEGEAN MEASURE THIRD SUBUNIT + {0x10140, 0x10174, prAL, gcNl}, // [53] GREEK ACROPHONIC ATTIC ONE QUARTER..GREEK ACROPHONIC STRATIAN FIFTY MNAS + {0x10175, 0x10178, prAL, gcNo}, // [4] GREEK ONE HALF SIGN..GREEK THREE QUARTERS SIGN + {0x10179, 0x10189, prAL, gcSo}, // [17] GREEK YEAR SIGN..GREEK TRYBLION BASE SIGN + {0x1018A, 0x1018B, prAL, gcNo}, // [2] GREEK ZERO SIGN..GREEK ONE QUARTER SIGN + {0x1018C, 0x1018E, prAL, gcSo}, // [3] GREEK SINUSOID SIGN..NOMISMA SIGN + {0x10190, 0x1019C, prAL, gcSo}, // [13] ROMAN SEXTANS SIGN..ASCIA SYMBOL + {0x101A0, 0x101A0, prAL, gcSo}, // GREEK SYMBOL TAU RHO + {0x101D0, 0x101FC, prAL, gcSo}, // [45] PHAISTOS DISC SIGN PEDESTRIAN..PHAISTOS DISC SIGN WAVY BAND + {0x101FD, 0x101FD, prCM, gcMn}, // PHAISTOS DISC SIGN COMBINING OBLIQUE STROKE + {0x10280, 0x1029C, prAL, gcLo}, // [29] LYCIAN LETTER A..LYCIAN LETTER X + {0x102A0, 0x102D0, prAL, gcLo}, // [49] CARIAN LETTER A..CARIAN LETTER UUU3 + {0x102E0, 0x102E0, prCM, gcMn}, // COPTIC EPACT THOUSANDS MARK + {0x102E1, 0x102FB, prAL, gcNo}, // [27] COPTIC EPACT DIGIT ONE..COPTIC EPACT NUMBER NINE HUNDRED + {0x10300, 0x1031F, prAL, gcLo}, // [32] OLD ITALIC LETTER A..OLD ITALIC LETTER ESS + {0x10320, 0x10323, prAL, gcNo}, // [4] OLD ITALIC NUMERAL ONE..OLD ITALIC NUMERAL FIFTY + {0x1032D, 0x1032F, prAL, gcLo}, // [3] OLD ITALIC LETTER YE..OLD ITALIC LETTER SOUTHERN TSE + {0x10330, 0x10340, prAL, gcLo}, // [17] GOTHIC LETTER AHSA..GOTHIC LETTER PAIRTHRA + {0x10341, 0x10341, prAL, gcNl}, // GOTHIC LETTER NINETY + {0x10342, 0x10349, prAL, gcLo}, // [8] GOTHIC LETTER RAIDA..GOTHIC LETTER OTHAL + {0x1034A, 0x1034A, prAL, gcNl}, // GOTHIC LETTER NINE HUNDRED + {0x10350, 0x10375, prAL, gcLo}, // [38] OLD PERMIC LETTER AN..OLD PERMIC LETTER IA + {0x10376, 0x1037A, prCM, gcMn}, // [5] COMBINING OLD PERMIC LETTER AN..COMBINING OLD PERMIC LETTER SII + {0x10380, 0x1039D, prAL, gcLo}, // [30] UGARITIC LETTER ALPA..UGARITIC LETTER SSU + {0x1039F, 0x1039F, prBA, gcPo}, // UGARITIC WORD DIVIDER + {0x103A0, 0x103C3, prAL, gcLo}, // [36] OLD PERSIAN SIGN A..OLD PERSIAN SIGN HA + {0x103C8, 0x103CF, prAL, gcLo}, // [8] OLD PERSIAN SIGN AURAMAZDAA..OLD PERSIAN SIGN BUUMISH + {0x103D0, 0x103D0, prBA, gcPo}, // OLD PERSIAN WORD DIVIDER + {0x103D1, 0x103D5, prAL, gcNl}, // [5] OLD PERSIAN NUMBER ONE..OLD PERSIAN NUMBER HUNDRED + {0x10400, 0x1044F, prAL, gcLC}, // [80] DESERET CAPITAL LETTER LONG I..DESERET SMALL LETTER EW + {0x10450, 0x1047F, prAL, gcLo}, // [48] SHAVIAN LETTER PEEP..SHAVIAN LETTER YEW + {0x10480, 0x1049D, prAL, gcLo}, // [30] OSMANYA LETTER ALEF..OSMANYA LETTER OO + {0x104A0, 0x104A9, prNU, gcNd}, // [10] OSMANYA DIGIT ZERO..OSMANYA DIGIT NINE + {0x104B0, 0x104D3, prAL, gcLu}, // [36] OSAGE CAPITAL LETTER A..OSAGE CAPITAL LETTER ZHA + {0x104D8, 0x104FB, prAL, gcLl}, // [36] OSAGE SMALL LETTER A..OSAGE SMALL LETTER ZHA + {0x10500, 0x10527, prAL, gcLo}, // [40] ELBASAN LETTER A..ELBASAN LETTER KHE + {0x10530, 0x10563, prAL, gcLo}, // [52] CAUCASIAN ALBANIAN LETTER ALT..CAUCASIAN ALBANIAN LETTER KIW + {0x1056F, 0x1056F, prAL, gcPo}, // CAUCASIAN ALBANIAN CITATION MARK + {0x10570, 0x1057A, prAL, gcLu}, // [11] VITHKUQI CAPITAL LETTER A..VITHKUQI CAPITAL LETTER GA + {0x1057C, 0x1058A, prAL, gcLu}, // [15] VITHKUQI CAPITAL LETTER HA..VITHKUQI CAPITAL LETTER RE + {0x1058C, 0x10592, prAL, gcLu}, // [7] VITHKUQI CAPITAL LETTER SE..VITHKUQI CAPITAL LETTER XE + {0x10594, 0x10595, prAL, gcLu}, // [2] VITHKUQI CAPITAL LETTER Y..VITHKUQI CAPITAL LETTER ZE + {0x10597, 0x105A1, prAL, gcLl}, // [11] VITHKUQI SMALL LETTER A..VITHKUQI SMALL LETTER GA + {0x105A3, 0x105B1, prAL, gcLl}, // [15] VITHKUQI SMALL LETTER HA..VITHKUQI SMALL LETTER RE + {0x105B3, 0x105B9, prAL, gcLl}, // [7] VITHKUQI SMALL LETTER SE..VITHKUQI SMALL LETTER XE + {0x105BB, 0x105BC, prAL, gcLl}, // [2] VITHKUQI SMALL LETTER Y..VITHKUQI SMALL LETTER ZE + {0x10600, 0x10736, prAL, gcLo}, // [311] LINEAR A SIGN AB001..LINEAR A SIGN A664 + {0x10740, 0x10755, prAL, gcLo}, // [22] LINEAR A SIGN A701 A..LINEAR A SIGN A732 JE + {0x10760, 0x10767, prAL, gcLo}, // [8] LINEAR A SIGN A800..LINEAR A SIGN A807 + {0x10780, 0x10785, prAL, gcLm}, // [6] MODIFIER LETTER SMALL CAPITAL AA..MODIFIER LETTER SMALL B WITH HOOK + {0x10787, 0x107B0, prAL, gcLm}, // [42] MODIFIER LETTER SMALL DZ DIGRAPH..MODIFIER LETTER SMALL V WITH RIGHT HOOK + {0x107B2, 0x107BA, prAL, gcLm}, // [9] MODIFIER LETTER SMALL CAPITAL Y..MODIFIER LETTER SMALL S WITH CURL + {0x10800, 0x10805, prAL, gcLo}, // [6] CYPRIOT SYLLABLE A..CYPRIOT SYLLABLE JA + {0x10808, 0x10808, prAL, gcLo}, // CYPRIOT SYLLABLE JO + {0x1080A, 0x10835, prAL, gcLo}, // [44] CYPRIOT SYLLABLE KA..CYPRIOT SYLLABLE WO + {0x10837, 0x10838, prAL, gcLo}, // [2] CYPRIOT SYLLABLE XA..CYPRIOT SYLLABLE XE + {0x1083C, 0x1083C, prAL, gcLo}, // CYPRIOT SYLLABLE ZA + {0x1083F, 0x1083F, prAL, gcLo}, // CYPRIOT SYLLABLE ZO + {0x10840, 0x10855, prAL, gcLo}, // [22] IMPERIAL ARAMAIC LETTER ALEPH..IMPERIAL ARAMAIC LETTER TAW + {0x10857, 0x10857, prBA, gcPo}, // IMPERIAL ARAMAIC SECTION SIGN + {0x10858, 0x1085F, prAL, gcNo}, // [8] IMPERIAL ARAMAIC NUMBER ONE..IMPERIAL ARAMAIC NUMBER TEN THOUSAND + {0x10860, 0x10876, prAL, gcLo}, // [23] PALMYRENE LETTER ALEPH..PALMYRENE LETTER TAW + {0x10877, 0x10878, prAL, gcSo}, // [2] PALMYRENE LEFT-POINTING FLEURON..PALMYRENE RIGHT-POINTING FLEURON + {0x10879, 0x1087F, prAL, gcNo}, // [7] PALMYRENE NUMBER ONE..PALMYRENE NUMBER TWENTY + {0x10880, 0x1089E, prAL, gcLo}, // [31] NABATAEAN LETTER FINAL ALEPH..NABATAEAN LETTER TAW + {0x108A7, 0x108AF, prAL, gcNo}, // [9] NABATAEAN NUMBER ONE..NABATAEAN NUMBER ONE HUNDRED + {0x108E0, 0x108F2, prAL, gcLo}, // [19] HATRAN LETTER ALEPH..HATRAN LETTER QOPH + {0x108F4, 0x108F5, prAL, gcLo}, // [2] HATRAN LETTER SHIN..HATRAN LETTER TAW + {0x108FB, 0x108FF, prAL, gcNo}, // [5] HATRAN NUMBER ONE..HATRAN NUMBER ONE HUNDRED + {0x10900, 0x10915, prAL, gcLo}, // [22] PHOENICIAN LETTER ALF..PHOENICIAN LETTER TAU + {0x10916, 0x1091B, prAL, gcNo}, // [6] PHOENICIAN NUMBER ONE..PHOENICIAN NUMBER THREE + {0x1091F, 0x1091F, prBA, gcPo}, // PHOENICIAN WORD SEPARATOR + {0x10920, 0x10939, prAL, gcLo}, // [26] LYDIAN LETTER A..LYDIAN LETTER C + {0x1093F, 0x1093F, prAL, gcPo}, // LYDIAN TRIANGULAR MARK + {0x10980, 0x1099F, prAL, gcLo}, // [32] MEROITIC HIEROGLYPHIC LETTER A..MEROITIC HIEROGLYPHIC SYMBOL VIDJ-2 + {0x109A0, 0x109B7, prAL, gcLo}, // [24] MEROITIC CURSIVE LETTER A..MEROITIC CURSIVE LETTER DA + {0x109BC, 0x109BD, prAL, gcNo}, // [2] MEROITIC CURSIVE FRACTION ELEVEN TWELFTHS..MEROITIC CURSIVE FRACTION ONE HALF + {0x109BE, 0x109BF, prAL, gcLo}, // [2] MEROITIC CURSIVE LOGOGRAM RMT..MEROITIC CURSIVE LOGOGRAM IMN + {0x109C0, 0x109CF, prAL, gcNo}, // [16] MEROITIC CURSIVE NUMBER ONE..MEROITIC CURSIVE NUMBER SEVENTY + {0x109D2, 0x109FF, prAL, gcNo}, // [46] MEROITIC CURSIVE NUMBER ONE HUNDRED..MEROITIC CURSIVE FRACTION TEN TWELFTHS + {0x10A00, 0x10A00, prAL, gcLo}, // KHAROSHTHI LETTER A + {0x10A01, 0x10A03, prCM, gcMn}, // [3] KHAROSHTHI VOWEL SIGN I..KHAROSHTHI VOWEL SIGN VOCALIC R + {0x10A05, 0x10A06, prCM, gcMn}, // [2] KHAROSHTHI VOWEL SIGN E..KHAROSHTHI VOWEL SIGN O + {0x10A0C, 0x10A0F, prCM, gcMn}, // [4] KHAROSHTHI VOWEL LENGTH MARK..KHAROSHTHI SIGN VISARGA + {0x10A10, 0x10A13, prAL, gcLo}, // [4] KHAROSHTHI LETTER KA..KHAROSHTHI LETTER GHA + {0x10A15, 0x10A17, prAL, gcLo}, // [3] KHAROSHTHI LETTER CA..KHAROSHTHI LETTER JA + {0x10A19, 0x10A35, prAL, gcLo}, // [29] KHAROSHTHI LETTER NYA..KHAROSHTHI LETTER VHA + {0x10A38, 0x10A3A, prCM, gcMn}, // [3] KHAROSHTHI SIGN BAR ABOVE..KHAROSHTHI SIGN DOT BELOW + {0x10A3F, 0x10A3F, prCM, gcMn}, // KHAROSHTHI VIRAMA + {0x10A40, 0x10A48, prAL, gcNo}, // [9] KHAROSHTHI DIGIT ONE..KHAROSHTHI FRACTION ONE HALF + {0x10A50, 0x10A57, prBA, gcPo}, // [8] KHAROSHTHI PUNCTUATION DOT..KHAROSHTHI PUNCTUATION DOUBLE DANDA + {0x10A58, 0x10A58, prAL, gcPo}, // KHAROSHTHI PUNCTUATION LINES + {0x10A60, 0x10A7C, prAL, gcLo}, // [29] OLD SOUTH ARABIAN LETTER HE..OLD SOUTH ARABIAN LETTER THETH + {0x10A7D, 0x10A7E, prAL, gcNo}, // [2] OLD SOUTH ARABIAN NUMBER ONE..OLD SOUTH ARABIAN NUMBER FIFTY + {0x10A7F, 0x10A7F, prAL, gcPo}, // OLD SOUTH ARABIAN NUMERIC INDICATOR + {0x10A80, 0x10A9C, prAL, gcLo}, // [29] OLD NORTH ARABIAN LETTER HEH..OLD NORTH ARABIAN LETTER ZAH + {0x10A9D, 0x10A9F, prAL, gcNo}, // [3] OLD NORTH ARABIAN NUMBER ONE..OLD NORTH ARABIAN NUMBER TWENTY + {0x10AC0, 0x10AC7, prAL, gcLo}, // [8] MANICHAEAN LETTER ALEPH..MANICHAEAN LETTER WAW + {0x10AC8, 0x10AC8, prAL, gcSo}, // MANICHAEAN SIGN UD + {0x10AC9, 0x10AE4, prAL, gcLo}, // [28] MANICHAEAN LETTER ZAYIN..MANICHAEAN LETTER TAW + {0x10AE5, 0x10AE6, prCM, gcMn}, // [2] MANICHAEAN ABBREVIATION MARK ABOVE..MANICHAEAN ABBREVIATION MARK BELOW + {0x10AEB, 0x10AEF, prAL, gcNo}, // [5] MANICHAEAN NUMBER ONE..MANICHAEAN NUMBER ONE HUNDRED + {0x10AF0, 0x10AF5, prBA, gcPo}, // [6] MANICHAEAN PUNCTUATION STAR..MANICHAEAN PUNCTUATION TWO DOTS + {0x10AF6, 0x10AF6, prIN, gcPo}, // MANICHAEAN PUNCTUATION LINE FILLER + {0x10B00, 0x10B35, prAL, gcLo}, // [54] AVESTAN LETTER A..AVESTAN LETTER HE + {0x10B39, 0x10B3F, prBA, gcPo}, // [7] AVESTAN ABBREVIATION MARK..LARGE ONE RING OVER TWO RINGS PUNCTUATION + {0x10B40, 0x10B55, prAL, gcLo}, // [22] INSCRIPTIONAL PARTHIAN LETTER ALEPH..INSCRIPTIONAL PARTHIAN LETTER TAW + {0x10B58, 0x10B5F, prAL, gcNo}, // [8] INSCRIPTIONAL PARTHIAN NUMBER ONE..INSCRIPTIONAL PARTHIAN NUMBER ONE THOUSAND + {0x10B60, 0x10B72, prAL, gcLo}, // [19] INSCRIPTIONAL PAHLAVI LETTER ALEPH..INSCRIPTIONAL PAHLAVI LETTER TAW + {0x10B78, 0x10B7F, prAL, gcNo}, // [8] INSCRIPTIONAL PAHLAVI NUMBER ONE..INSCRIPTIONAL PAHLAVI NUMBER ONE THOUSAND + {0x10B80, 0x10B91, prAL, gcLo}, // [18] PSALTER PAHLAVI LETTER ALEPH..PSALTER PAHLAVI LETTER TAW + {0x10B99, 0x10B9C, prAL, gcPo}, // [4] PSALTER PAHLAVI SECTION MARK..PSALTER PAHLAVI FOUR DOTS WITH DOT + {0x10BA9, 0x10BAF, prAL, gcNo}, // [7] PSALTER PAHLAVI NUMBER ONE..PSALTER PAHLAVI NUMBER ONE HUNDRED + {0x10C00, 0x10C48, prAL, gcLo}, // [73] OLD TURKIC LETTER ORKHON A..OLD TURKIC LETTER ORKHON BASH + {0x10C80, 0x10CB2, prAL, gcLu}, // [51] OLD HUNGARIAN CAPITAL LETTER A..OLD HUNGARIAN CAPITAL LETTER US + {0x10CC0, 0x10CF2, prAL, gcLl}, // [51] OLD HUNGARIAN SMALL LETTER A..OLD HUNGARIAN SMALL LETTER US + {0x10CFA, 0x10CFF, prAL, gcNo}, // [6] OLD HUNGARIAN NUMBER ONE..OLD HUNGARIAN NUMBER ONE THOUSAND + {0x10D00, 0x10D23, prAL, gcLo}, // [36] HANIFI ROHINGYA LETTER A..HANIFI ROHINGYA MARK NA KHONNA + {0x10D24, 0x10D27, prCM, gcMn}, // [4] HANIFI ROHINGYA SIGN HARBAHAY..HANIFI ROHINGYA SIGN TASSI + {0x10D30, 0x10D39, prNU, gcNd}, // [10] HANIFI ROHINGYA DIGIT ZERO..HANIFI ROHINGYA DIGIT NINE + {0x10E60, 0x10E7E, prAL, gcNo}, // [31] RUMI DIGIT ONE..RUMI FRACTION TWO THIRDS + {0x10E80, 0x10EA9, prAL, gcLo}, // [42] YEZIDI LETTER ELIF..YEZIDI LETTER ET + {0x10EAB, 0x10EAC, prCM, gcMn}, // [2] YEZIDI COMBINING HAMZA MARK..YEZIDI COMBINING MADDA MARK + {0x10EAD, 0x10EAD, prBA, gcPd}, // YEZIDI HYPHENATION MARK + {0x10EB0, 0x10EB1, prAL, gcLo}, // [2] YEZIDI LETTER LAM WITH DOT ABOVE..YEZIDI LETTER YOT WITH CIRCUMFLEX ABOVE + {0x10EFD, 0x10EFF, prCM, gcMn}, // [3] ARABIC SMALL LOW WORD SAKTA..ARABIC SMALL LOW WORD MADDA + {0x10F00, 0x10F1C, prAL, gcLo}, // [29] OLD SOGDIAN LETTER ALEPH..OLD SOGDIAN LETTER FINAL TAW WITH VERTICAL TAIL + {0x10F1D, 0x10F26, prAL, gcNo}, // [10] OLD SOGDIAN NUMBER ONE..OLD SOGDIAN FRACTION ONE HALF + {0x10F27, 0x10F27, prAL, gcLo}, // OLD SOGDIAN LIGATURE AYIN-DALETH + {0x10F30, 0x10F45, prAL, gcLo}, // [22] SOGDIAN LETTER ALEPH..SOGDIAN INDEPENDENT SHIN + {0x10F46, 0x10F50, prCM, gcMn}, // [11] SOGDIAN COMBINING DOT BELOW..SOGDIAN COMBINING STROKE BELOW + {0x10F51, 0x10F54, prAL, gcNo}, // [4] SOGDIAN NUMBER ONE..SOGDIAN NUMBER ONE HUNDRED + {0x10F55, 0x10F59, prAL, gcPo}, // [5] SOGDIAN PUNCTUATION TWO VERTICAL BARS..SOGDIAN PUNCTUATION HALF CIRCLE WITH DOT + {0x10F70, 0x10F81, prAL, gcLo}, // [18] OLD UYGHUR LETTER ALEPH..OLD UYGHUR LETTER LESH + {0x10F82, 0x10F85, prCM, gcMn}, // [4] OLD UYGHUR COMBINING DOT ABOVE..OLD UYGHUR COMBINING TWO DOTS BELOW + {0x10F86, 0x10F89, prAL, gcPo}, // [4] OLD UYGHUR PUNCTUATION BAR..OLD UYGHUR PUNCTUATION FOUR DOTS + {0x10FB0, 0x10FC4, prAL, gcLo}, // [21] CHORASMIAN LETTER ALEPH..CHORASMIAN LETTER TAW + {0x10FC5, 0x10FCB, prAL, gcNo}, // [7] CHORASMIAN NUMBER ONE..CHORASMIAN NUMBER ONE HUNDRED + {0x10FE0, 0x10FF6, prAL, gcLo}, // [23] ELYMAIC LETTER ALEPH..ELYMAIC LIGATURE ZAYIN-YODH + {0x11000, 0x11000, prCM, gcMc}, // BRAHMI SIGN CANDRABINDU + {0x11001, 0x11001, prCM, gcMn}, // BRAHMI SIGN ANUSVARA + {0x11002, 0x11002, prCM, gcMc}, // BRAHMI SIGN VISARGA + {0x11003, 0x11037, prAL, gcLo}, // [53] BRAHMI SIGN JIHVAMULIYA..BRAHMI LETTER OLD TAMIL NNNA + {0x11038, 0x11046, prCM, gcMn}, // [15] BRAHMI VOWEL SIGN AA..BRAHMI VIRAMA + {0x11047, 0x11048, prBA, gcPo}, // [2] BRAHMI DANDA..BRAHMI DOUBLE DANDA + {0x11049, 0x1104D, prAL, gcPo}, // [5] BRAHMI PUNCTUATION DOT..BRAHMI PUNCTUATION LOTUS + {0x11052, 0x11065, prAL, gcNo}, // [20] BRAHMI NUMBER ONE..BRAHMI NUMBER ONE THOUSAND + {0x11066, 0x1106F, prNU, gcNd}, // [10] BRAHMI DIGIT ZERO..BRAHMI DIGIT NINE + {0x11070, 0x11070, prCM, gcMn}, // BRAHMI SIGN OLD TAMIL VIRAMA + {0x11071, 0x11072, prAL, gcLo}, // [2] BRAHMI LETTER OLD TAMIL SHORT E..BRAHMI LETTER OLD TAMIL SHORT O + {0x11073, 0x11074, prCM, gcMn}, // [2] BRAHMI VOWEL SIGN OLD TAMIL SHORT E..BRAHMI VOWEL SIGN OLD TAMIL SHORT O + {0x11075, 0x11075, prAL, gcLo}, // BRAHMI LETTER OLD TAMIL LLA + {0x1107F, 0x1107F, prCM, gcMn}, // BRAHMI NUMBER JOINER + {0x11080, 0x11081, prCM, gcMn}, // [2] KAITHI SIGN CANDRABINDU..KAITHI SIGN ANUSVARA + {0x11082, 0x11082, prCM, gcMc}, // KAITHI SIGN VISARGA + {0x11083, 0x110AF, prAL, gcLo}, // [45] KAITHI LETTER A..KAITHI LETTER HA + {0x110B0, 0x110B2, prCM, gcMc}, // [3] KAITHI VOWEL SIGN AA..KAITHI VOWEL SIGN II + {0x110B3, 0x110B6, prCM, gcMn}, // [4] KAITHI VOWEL SIGN U..KAITHI VOWEL SIGN AI + {0x110B7, 0x110B8, prCM, gcMc}, // [2] KAITHI VOWEL SIGN O..KAITHI VOWEL SIGN AU + {0x110B9, 0x110BA, prCM, gcMn}, // [2] KAITHI SIGN VIRAMA..KAITHI SIGN NUKTA + {0x110BB, 0x110BC, prAL, gcPo}, // [2] KAITHI ABBREVIATION SIGN..KAITHI ENUMERATION SIGN + {0x110BD, 0x110BD, prAL, gcCf}, // KAITHI NUMBER SIGN + {0x110BE, 0x110C1, prBA, gcPo}, // [4] KAITHI SECTION MARK..KAITHI DOUBLE DANDA + {0x110C2, 0x110C2, prCM, gcMn}, // KAITHI VOWEL SIGN VOCALIC R + {0x110CD, 0x110CD, prAL, gcCf}, // KAITHI NUMBER SIGN ABOVE + {0x110D0, 0x110E8, prAL, gcLo}, // [25] SORA SOMPENG LETTER SAH..SORA SOMPENG LETTER MAE + {0x110F0, 0x110F9, prNU, gcNd}, // [10] SORA SOMPENG DIGIT ZERO..SORA SOMPENG DIGIT NINE + {0x11100, 0x11102, prCM, gcMn}, // [3] CHAKMA SIGN CANDRABINDU..CHAKMA SIGN VISARGA + {0x11103, 0x11126, prAL, gcLo}, // [36] CHAKMA LETTER AA..CHAKMA LETTER HAA + {0x11127, 0x1112B, prCM, gcMn}, // [5] CHAKMA VOWEL SIGN A..CHAKMA VOWEL SIGN UU + {0x1112C, 0x1112C, prCM, gcMc}, // CHAKMA VOWEL SIGN E + {0x1112D, 0x11134, prCM, gcMn}, // [8] CHAKMA VOWEL SIGN AI..CHAKMA MAAYYAA + {0x11136, 0x1113F, prNU, gcNd}, // [10] CHAKMA DIGIT ZERO..CHAKMA DIGIT NINE + {0x11140, 0x11143, prBA, gcPo}, // [4] CHAKMA SECTION MARK..CHAKMA QUESTION MARK + {0x11144, 0x11144, prAL, gcLo}, // CHAKMA LETTER LHAA + {0x11145, 0x11146, prCM, gcMc}, // [2] CHAKMA VOWEL SIGN AA..CHAKMA VOWEL SIGN EI + {0x11147, 0x11147, prAL, gcLo}, // CHAKMA LETTER VAA + {0x11150, 0x11172, prAL, gcLo}, // [35] MAHAJANI LETTER A..MAHAJANI LETTER RRA + {0x11173, 0x11173, prCM, gcMn}, // MAHAJANI SIGN NUKTA + {0x11174, 0x11174, prAL, gcPo}, // MAHAJANI ABBREVIATION SIGN + {0x11175, 0x11175, prBB, gcPo}, // MAHAJANI SECTION MARK + {0x11176, 0x11176, prAL, gcLo}, // MAHAJANI LIGATURE SHRI + {0x11180, 0x11181, prCM, gcMn}, // [2] SHARADA SIGN CANDRABINDU..SHARADA SIGN ANUSVARA + {0x11182, 0x11182, prCM, gcMc}, // SHARADA SIGN VISARGA + {0x11183, 0x111B2, prAL, gcLo}, // [48] SHARADA LETTER A..SHARADA LETTER HA + {0x111B3, 0x111B5, prCM, gcMc}, // [3] SHARADA VOWEL SIGN AA..SHARADA VOWEL SIGN II + {0x111B6, 0x111BE, prCM, gcMn}, // [9] SHARADA VOWEL SIGN U..SHARADA VOWEL SIGN O + {0x111BF, 0x111C0, prCM, gcMc}, // [2] SHARADA VOWEL SIGN AU..SHARADA SIGN VIRAMA + {0x111C1, 0x111C4, prAL, gcLo}, // [4] SHARADA SIGN AVAGRAHA..SHARADA OM + {0x111C5, 0x111C6, prBA, gcPo}, // [2] SHARADA DANDA..SHARADA DOUBLE DANDA + {0x111C7, 0x111C7, prAL, gcPo}, // SHARADA ABBREVIATION SIGN + {0x111C8, 0x111C8, prBA, gcPo}, // SHARADA SEPARATOR + {0x111C9, 0x111CC, prCM, gcMn}, // [4] SHARADA SANDHI MARK..SHARADA EXTRA SHORT VOWEL MARK + {0x111CD, 0x111CD, prAL, gcPo}, // SHARADA SUTRA MARK + {0x111CE, 0x111CE, prCM, gcMc}, // SHARADA VOWEL SIGN PRISHTHAMATRA E + {0x111CF, 0x111CF, prCM, gcMn}, // SHARADA SIGN INVERTED CANDRABINDU + {0x111D0, 0x111D9, prNU, gcNd}, // [10] SHARADA DIGIT ZERO..SHARADA DIGIT NINE + {0x111DA, 0x111DA, prAL, gcLo}, // SHARADA EKAM + {0x111DB, 0x111DB, prBB, gcPo}, // SHARADA SIGN SIDDHAM + {0x111DC, 0x111DC, prAL, gcLo}, // SHARADA HEADSTROKE + {0x111DD, 0x111DF, prBA, gcPo}, // [3] SHARADA CONTINUATION SIGN..SHARADA SECTION MARK-2 + {0x111E1, 0x111F4, prAL, gcNo}, // [20] SINHALA ARCHAIC DIGIT ONE..SINHALA ARCHAIC NUMBER ONE THOUSAND + {0x11200, 0x11211, prAL, gcLo}, // [18] KHOJKI LETTER A..KHOJKI LETTER JJA + {0x11213, 0x1122B, prAL, gcLo}, // [25] KHOJKI LETTER NYA..KHOJKI LETTER LLA + {0x1122C, 0x1122E, prCM, gcMc}, // [3] KHOJKI VOWEL SIGN AA..KHOJKI VOWEL SIGN II + {0x1122F, 0x11231, prCM, gcMn}, // [3] KHOJKI VOWEL SIGN U..KHOJKI VOWEL SIGN AI + {0x11232, 0x11233, prCM, gcMc}, // [2] KHOJKI VOWEL SIGN O..KHOJKI VOWEL SIGN AU + {0x11234, 0x11234, prCM, gcMn}, // KHOJKI SIGN ANUSVARA + {0x11235, 0x11235, prCM, gcMc}, // KHOJKI SIGN VIRAMA + {0x11236, 0x11237, prCM, gcMn}, // [2] KHOJKI SIGN NUKTA..KHOJKI SIGN SHADDA + {0x11238, 0x11239, prBA, gcPo}, // [2] KHOJKI DANDA..KHOJKI DOUBLE DANDA + {0x1123A, 0x1123A, prAL, gcPo}, // KHOJKI WORD SEPARATOR + {0x1123B, 0x1123C, prBA, gcPo}, // [2] KHOJKI SECTION MARK..KHOJKI DOUBLE SECTION MARK + {0x1123D, 0x1123D, prAL, gcPo}, // KHOJKI ABBREVIATION SIGN + {0x1123E, 0x1123E, prCM, gcMn}, // KHOJKI SIGN SUKUN + {0x1123F, 0x11240, prAL, gcLo}, // [2] KHOJKI LETTER QA..KHOJKI LETTER SHORT I + {0x11241, 0x11241, prCM, gcMn}, // KHOJKI VOWEL SIGN VOCALIC R + {0x11280, 0x11286, prAL, gcLo}, // [7] MULTANI LETTER A..MULTANI LETTER GA + {0x11288, 0x11288, prAL, gcLo}, // MULTANI LETTER GHA + {0x1128A, 0x1128D, prAL, gcLo}, // [4] MULTANI LETTER CA..MULTANI LETTER JJA + {0x1128F, 0x1129D, prAL, gcLo}, // [15] MULTANI LETTER NYA..MULTANI LETTER BA + {0x1129F, 0x112A8, prAL, gcLo}, // [10] MULTANI LETTER BHA..MULTANI LETTER RHA + {0x112A9, 0x112A9, prBA, gcPo}, // MULTANI SECTION MARK + {0x112B0, 0x112DE, prAL, gcLo}, // [47] KHUDAWADI LETTER A..KHUDAWADI LETTER HA + {0x112DF, 0x112DF, prCM, gcMn}, // KHUDAWADI SIGN ANUSVARA + {0x112E0, 0x112E2, prCM, gcMc}, // [3] KHUDAWADI VOWEL SIGN AA..KHUDAWADI VOWEL SIGN II + {0x112E3, 0x112EA, prCM, gcMn}, // [8] KHUDAWADI VOWEL SIGN U..KHUDAWADI SIGN VIRAMA + {0x112F0, 0x112F9, prNU, gcNd}, // [10] KHUDAWADI DIGIT ZERO..KHUDAWADI DIGIT NINE + {0x11300, 0x11301, prCM, gcMn}, // [2] GRANTHA SIGN COMBINING ANUSVARA ABOVE..GRANTHA SIGN CANDRABINDU + {0x11302, 0x11303, prCM, gcMc}, // [2] GRANTHA SIGN ANUSVARA..GRANTHA SIGN VISARGA + {0x11305, 0x1130C, prAL, gcLo}, // [8] GRANTHA LETTER A..GRANTHA LETTER VOCALIC L + {0x1130F, 0x11310, prAL, gcLo}, // [2] GRANTHA LETTER EE..GRANTHA LETTER AI + {0x11313, 0x11328, prAL, gcLo}, // [22] GRANTHA LETTER OO..GRANTHA LETTER NA + {0x1132A, 0x11330, prAL, gcLo}, // [7] GRANTHA LETTER PA..GRANTHA LETTER RA + {0x11332, 0x11333, prAL, gcLo}, // [2] GRANTHA LETTER LA..GRANTHA LETTER LLA + {0x11335, 0x11339, prAL, gcLo}, // [5] GRANTHA LETTER VA..GRANTHA LETTER HA + {0x1133B, 0x1133C, prCM, gcMn}, // [2] COMBINING BINDU BELOW..GRANTHA SIGN NUKTA + {0x1133D, 0x1133D, prAL, gcLo}, // GRANTHA SIGN AVAGRAHA + {0x1133E, 0x1133F, prCM, gcMc}, // [2] GRANTHA VOWEL SIGN AA..GRANTHA VOWEL SIGN I + {0x11340, 0x11340, prCM, gcMn}, // GRANTHA VOWEL SIGN II + {0x11341, 0x11344, prCM, gcMc}, // [4] GRANTHA VOWEL SIGN U..GRANTHA VOWEL SIGN VOCALIC RR + {0x11347, 0x11348, prCM, gcMc}, // [2] GRANTHA VOWEL SIGN EE..GRANTHA VOWEL SIGN AI + {0x1134B, 0x1134D, prCM, gcMc}, // [3] GRANTHA VOWEL SIGN OO..GRANTHA SIGN VIRAMA + {0x11350, 0x11350, prAL, gcLo}, // GRANTHA OM + {0x11357, 0x11357, prCM, gcMc}, // GRANTHA AU LENGTH MARK + {0x1135D, 0x11361, prAL, gcLo}, // [5] GRANTHA SIGN PLUTA..GRANTHA LETTER VOCALIC LL + {0x11362, 0x11363, prCM, gcMc}, // [2] GRANTHA VOWEL SIGN VOCALIC L..GRANTHA VOWEL SIGN VOCALIC LL + {0x11366, 0x1136C, prCM, gcMn}, // [7] COMBINING GRANTHA DIGIT ZERO..COMBINING GRANTHA DIGIT SIX + {0x11370, 0x11374, prCM, gcMn}, // [5] COMBINING GRANTHA LETTER A..COMBINING GRANTHA LETTER PA + {0x11400, 0x11434, prAL, gcLo}, // [53] NEWA LETTER A..NEWA LETTER HA + {0x11435, 0x11437, prCM, gcMc}, // [3] NEWA VOWEL SIGN AA..NEWA VOWEL SIGN II + {0x11438, 0x1143F, prCM, gcMn}, // [8] NEWA VOWEL SIGN U..NEWA VOWEL SIGN AI + {0x11440, 0x11441, prCM, gcMc}, // [2] NEWA VOWEL SIGN O..NEWA VOWEL SIGN AU + {0x11442, 0x11444, prCM, gcMn}, // [3] NEWA SIGN VIRAMA..NEWA SIGN ANUSVARA + {0x11445, 0x11445, prCM, gcMc}, // NEWA SIGN VISARGA + {0x11446, 0x11446, prCM, gcMn}, // NEWA SIGN NUKTA + {0x11447, 0x1144A, prAL, gcLo}, // [4] NEWA SIGN AVAGRAHA..NEWA SIDDHI + {0x1144B, 0x1144E, prBA, gcPo}, // [4] NEWA DANDA..NEWA GAP FILLER + {0x1144F, 0x1144F, prAL, gcPo}, // NEWA ABBREVIATION SIGN + {0x11450, 0x11459, prNU, gcNd}, // [10] NEWA DIGIT ZERO..NEWA DIGIT NINE + {0x1145A, 0x1145B, prBA, gcPo}, // [2] NEWA DOUBLE COMMA..NEWA PLACEHOLDER MARK + {0x1145D, 0x1145D, prAL, gcPo}, // NEWA INSERTION SIGN + {0x1145E, 0x1145E, prCM, gcMn}, // NEWA SANDHI MARK + {0x1145F, 0x11461, prAL, gcLo}, // [3] NEWA LETTER VEDIC ANUSVARA..NEWA SIGN UPADHMANIYA + {0x11480, 0x114AF, prAL, gcLo}, // [48] TIRHUTA ANJI..TIRHUTA LETTER HA + {0x114B0, 0x114B2, prCM, gcMc}, // [3] TIRHUTA VOWEL SIGN AA..TIRHUTA VOWEL SIGN II + {0x114B3, 0x114B8, prCM, gcMn}, // [6] TIRHUTA VOWEL SIGN U..TIRHUTA VOWEL SIGN VOCALIC LL + {0x114B9, 0x114B9, prCM, gcMc}, // TIRHUTA VOWEL SIGN E + {0x114BA, 0x114BA, prCM, gcMn}, // TIRHUTA VOWEL SIGN SHORT E + {0x114BB, 0x114BE, prCM, gcMc}, // [4] TIRHUTA VOWEL SIGN AI..TIRHUTA VOWEL SIGN AU + {0x114BF, 0x114C0, prCM, gcMn}, // [2] TIRHUTA SIGN CANDRABINDU..TIRHUTA SIGN ANUSVARA + {0x114C1, 0x114C1, prCM, gcMc}, // TIRHUTA SIGN VISARGA + {0x114C2, 0x114C3, prCM, gcMn}, // [2] TIRHUTA SIGN VIRAMA..TIRHUTA SIGN NUKTA + {0x114C4, 0x114C5, prAL, gcLo}, // [2] TIRHUTA SIGN AVAGRAHA..TIRHUTA GVANG + {0x114C6, 0x114C6, prAL, gcPo}, // TIRHUTA ABBREVIATION SIGN + {0x114C7, 0x114C7, prAL, gcLo}, // TIRHUTA OM + {0x114D0, 0x114D9, prNU, gcNd}, // [10] TIRHUTA DIGIT ZERO..TIRHUTA DIGIT NINE + {0x11580, 0x115AE, prAL, gcLo}, // [47] SIDDHAM LETTER A..SIDDHAM LETTER HA + {0x115AF, 0x115B1, prCM, gcMc}, // [3] SIDDHAM VOWEL SIGN AA..SIDDHAM VOWEL SIGN II + {0x115B2, 0x115B5, prCM, gcMn}, // [4] SIDDHAM VOWEL SIGN U..SIDDHAM VOWEL SIGN VOCALIC RR + {0x115B8, 0x115BB, prCM, gcMc}, // [4] SIDDHAM VOWEL SIGN E..SIDDHAM VOWEL SIGN AU + {0x115BC, 0x115BD, prCM, gcMn}, // [2] SIDDHAM SIGN CANDRABINDU..SIDDHAM SIGN ANUSVARA + {0x115BE, 0x115BE, prCM, gcMc}, // SIDDHAM SIGN VISARGA + {0x115BF, 0x115C0, prCM, gcMn}, // [2] SIDDHAM SIGN VIRAMA..SIDDHAM SIGN NUKTA + {0x115C1, 0x115C1, prBB, gcPo}, // SIDDHAM SIGN SIDDHAM + {0x115C2, 0x115C3, prBA, gcPo}, // [2] SIDDHAM DANDA..SIDDHAM DOUBLE DANDA + {0x115C4, 0x115C5, prEX, gcPo}, // [2] SIDDHAM SEPARATOR DOT..SIDDHAM SEPARATOR BAR + {0x115C6, 0x115C8, prAL, gcPo}, // [3] SIDDHAM REPETITION MARK-1..SIDDHAM REPETITION MARK-3 + {0x115C9, 0x115D7, prBA, gcPo}, // [15] SIDDHAM END OF TEXT MARK..SIDDHAM SECTION MARK WITH CIRCLES AND FOUR ENCLOSURES + {0x115D8, 0x115DB, prAL, gcLo}, // [4] SIDDHAM LETTER THREE-CIRCLE ALTERNATE I..SIDDHAM LETTER ALTERNATE U + {0x115DC, 0x115DD, prCM, gcMn}, // [2] SIDDHAM VOWEL SIGN ALTERNATE U..SIDDHAM VOWEL SIGN ALTERNATE UU + {0x11600, 0x1162F, prAL, gcLo}, // [48] MODI LETTER A..MODI LETTER LLA + {0x11630, 0x11632, prCM, gcMc}, // [3] MODI VOWEL SIGN AA..MODI VOWEL SIGN II + {0x11633, 0x1163A, prCM, gcMn}, // [8] MODI VOWEL SIGN U..MODI VOWEL SIGN AI + {0x1163B, 0x1163C, prCM, gcMc}, // [2] MODI VOWEL SIGN O..MODI VOWEL SIGN AU + {0x1163D, 0x1163D, prCM, gcMn}, // MODI SIGN ANUSVARA + {0x1163E, 0x1163E, prCM, gcMc}, // MODI SIGN VISARGA + {0x1163F, 0x11640, prCM, gcMn}, // [2] MODI SIGN VIRAMA..MODI SIGN ARDHACANDRA + {0x11641, 0x11642, prBA, gcPo}, // [2] MODI DANDA..MODI DOUBLE DANDA + {0x11643, 0x11643, prAL, gcPo}, // MODI ABBREVIATION SIGN + {0x11644, 0x11644, prAL, gcLo}, // MODI SIGN HUVA + {0x11650, 0x11659, prNU, gcNd}, // [10] MODI DIGIT ZERO..MODI DIGIT NINE + {0x11660, 0x1166C, prBB, gcPo}, // [13] MONGOLIAN BIRGA WITH ORNAMENT..MONGOLIAN TURNED SWIRL BIRGA WITH DOUBLE ORNAMENT + {0x11680, 0x116AA, prAL, gcLo}, // [43] TAKRI LETTER A..TAKRI LETTER RRA + {0x116AB, 0x116AB, prCM, gcMn}, // TAKRI SIGN ANUSVARA + {0x116AC, 0x116AC, prCM, gcMc}, // TAKRI SIGN VISARGA + {0x116AD, 0x116AD, prCM, gcMn}, // TAKRI VOWEL SIGN AA + {0x116AE, 0x116AF, prCM, gcMc}, // [2] TAKRI VOWEL SIGN I..TAKRI VOWEL SIGN II + {0x116B0, 0x116B5, prCM, gcMn}, // [6] TAKRI VOWEL SIGN U..TAKRI VOWEL SIGN AU + {0x116B6, 0x116B6, prCM, gcMc}, // TAKRI SIGN VIRAMA + {0x116B7, 0x116B7, prCM, gcMn}, // TAKRI SIGN NUKTA + {0x116B8, 0x116B8, prAL, gcLo}, // TAKRI LETTER ARCHAIC KHA + {0x116B9, 0x116B9, prAL, gcPo}, // TAKRI ABBREVIATION SIGN + {0x116C0, 0x116C9, prNU, gcNd}, // [10] TAKRI DIGIT ZERO..TAKRI DIGIT NINE + {0x11700, 0x1171A, prSA, gcLo}, // [27] AHOM LETTER KA..AHOM LETTER ALTERNATE BA + {0x1171D, 0x1171F, prSA, gcMn}, // [3] AHOM CONSONANT SIGN MEDIAL LA..AHOM CONSONANT SIGN MEDIAL LIGATING RA + {0x11720, 0x11721, prSA, gcMc}, // [2] AHOM VOWEL SIGN A..AHOM VOWEL SIGN AA + {0x11722, 0x11725, prSA, gcMn}, // [4] AHOM VOWEL SIGN I..AHOM VOWEL SIGN UU + {0x11726, 0x11726, prSA, gcMc}, // AHOM VOWEL SIGN E + {0x11727, 0x1172B, prSA, gcMn}, // [5] AHOM VOWEL SIGN AW..AHOM SIGN KILLER + {0x11730, 0x11739, prNU, gcNd}, // [10] AHOM DIGIT ZERO..AHOM DIGIT NINE + {0x1173A, 0x1173B, prSA, gcNo}, // [2] AHOM NUMBER TEN..AHOM NUMBER TWENTY + {0x1173C, 0x1173E, prBA, gcPo}, // [3] AHOM SIGN SMALL SECTION..AHOM SIGN RULAI + {0x1173F, 0x1173F, prSA, gcSo}, // AHOM SYMBOL VI + {0x11740, 0x11746, prSA, gcLo}, // [7] AHOM LETTER CA..AHOM LETTER LLA + {0x11800, 0x1182B, prAL, gcLo}, // [44] DOGRA LETTER A..DOGRA LETTER RRA + {0x1182C, 0x1182E, prCM, gcMc}, // [3] DOGRA VOWEL SIGN AA..DOGRA VOWEL SIGN II + {0x1182F, 0x11837, prCM, gcMn}, // [9] DOGRA VOWEL SIGN U..DOGRA SIGN ANUSVARA + {0x11838, 0x11838, prCM, gcMc}, // DOGRA SIGN VISARGA + {0x11839, 0x1183A, prCM, gcMn}, // [2] DOGRA SIGN VIRAMA..DOGRA SIGN NUKTA + {0x1183B, 0x1183B, prAL, gcPo}, // DOGRA ABBREVIATION SIGN + {0x118A0, 0x118DF, prAL, gcLC}, // [64] WARANG CITI CAPITAL LETTER NGAA..WARANG CITI SMALL LETTER VIYO + {0x118E0, 0x118E9, prNU, gcNd}, // [10] WARANG CITI DIGIT ZERO..WARANG CITI DIGIT NINE + {0x118EA, 0x118F2, prAL, gcNo}, // [9] WARANG CITI NUMBER TEN..WARANG CITI NUMBER NINETY + {0x118FF, 0x118FF, prAL, gcLo}, // WARANG CITI OM + {0x11900, 0x11906, prAL, gcLo}, // [7] DIVES AKURU LETTER A..DIVES AKURU LETTER E + {0x11909, 0x11909, prAL, gcLo}, // DIVES AKURU LETTER O + {0x1190C, 0x11913, prAL, gcLo}, // [8] DIVES AKURU LETTER KA..DIVES AKURU LETTER JA + {0x11915, 0x11916, prAL, gcLo}, // [2] DIVES AKURU LETTER NYA..DIVES AKURU LETTER TTA + {0x11918, 0x1192F, prAL, gcLo}, // [24] DIVES AKURU LETTER DDA..DIVES AKURU LETTER ZA + {0x11930, 0x11935, prCM, gcMc}, // [6] DIVES AKURU VOWEL SIGN AA..DIVES AKURU VOWEL SIGN E + {0x11937, 0x11938, prCM, gcMc}, // [2] DIVES AKURU VOWEL SIGN AI..DIVES AKURU VOWEL SIGN O + {0x1193B, 0x1193C, prCM, gcMn}, // [2] DIVES AKURU SIGN ANUSVARA..DIVES AKURU SIGN CANDRABINDU + {0x1193D, 0x1193D, prCM, gcMc}, // DIVES AKURU SIGN HALANTA + {0x1193E, 0x1193E, prCM, gcMn}, // DIVES AKURU VIRAMA + {0x1193F, 0x1193F, prAL, gcLo}, // DIVES AKURU PREFIXED NASAL SIGN + {0x11940, 0x11940, prCM, gcMc}, // DIVES AKURU MEDIAL YA + {0x11941, 0x11941, prAL, gcLo}, // DIVES AKURU INITIAL RA + {0x11942, 0x11942, prCM, gcMc}, // DIVES AKURU MEDIAL RA + {0x11943, 0x11943, prCM, gcMn}, // DIVES AKURU SIGN NUKTA + {0x11944, 0x11946, prBA, gcPo}, // [3] DIVES AKURU DOUBLE DANDA..DIVES AKURU END OF TEXT MARK + {0x11950, 0x11959, prNU, gcNd}, // [10] DIVES AKURU DIGIT ZERO..DIVES AKURU DIGIT NINE + {0x119A0, 0x119A7, prAL, gcLo}, // [8] NANDINAGARI LETTER A..NANDINAGARI LETTER VOCALIC RR + {0x119AA, 0x119D0, prAL, gcLo}, // [39] NANDINAGARI LETTER E..NANDINAGARI LETTER RRA + {0x119D1, 0x119D3, prCM, gcMc}, // [3] NANDINAGARI VOWEL SIGN AA..NANDINAGARI VOWEL SIGN II + {0x119D4, 0x119D7, prCM, gcMn}, // [4] NANDINAGARI VOWEL SIGN U..NANDINAGARI VOWEL SIGN VOCALIC RR + {0x119DA, 0x119DB, prCM, gcMn}, // [2] NANDINAGARI VOWEL SIGN E..NANDINAGARI VOWEL SIGN AI + {0x119DC, 0x119DF, prCM, gcMc}, // [4] NANDINAGARI VOWEL SIGN O..NANDINAGARI SIGN VISARGA + {0x119E0, 0x119E0, prCM, gcMn}, // NANDINAGARI SIGN VIRAMA + {0x119E1, 0x119E1, prAL, gcLo}, // NANDINAGARI SIGN AVAGRAHA + {0x119E2, 0x119E2, prBB, gcPo}, // NANDINAGARI SIGN SIDDHAM + {0x119E3, 0x119E3, prAL, gcLo}, // NANDINAGARI HEADSTROKE + {0x119E4, 0x119E4, prCM, gcMc}, // NANDINAGARI VOWEL SIGN PRISHTHAMATRA E + {0x11A00, 0x11A00, prAL, gcLo}, // ZANABAZAR SQUARE LETTER A + {0x11A01, 0x11A0A, prCM, gcMn}, // [10] ZANABAZAR SQUARE VOWEL SIGN I..ZANABAZAR SQUARE VOWEL LENGTH MARK + {0x11A0B, 0x11A32, prAL, gcLo}, // [40] ZANABAZAR SQUARE LETTER KA..ZANABAZAR SQUARE LETTER KSSA + {0x11A33, 0x11A38, prCM, gcMn}, // [6] ZANABAZAR SQUARE FINAL CONSONANT MARK..ZANABAZAR SQUARE SIGN ANUSVARA + {0x11A39, 0x11A39, prCM, gcMc}, // ZANABAZAR SQUARE SIGN VISARGA + {0x11A3A, 0x11A3A, prAL, gcLo}, // ZANABAZAR SQUARE CLUSTER-INITIAL LETTER RA + {0x11A3B, 0x11A3E, prCM, gcMn}, // [4] ZANABAZAR SQUARE CLUSTER-FINAL LETTER YA..ZANABAZAR SQUARE CLUSTER-FINAL LETTER VA + {0x11A3F, 0x11A3F, prBB, gcPo}, // ZANABAZAR SQUARE INITIAL HEAD MARK + {0x11A40, 0x11A40, prAL, gcPo}, // ZANABAZAR SQUARE CLOSING HEAD MARK + {0x11A41, 0x11A44, prBA, gcPo}, // [4] ZANABAZAR SQUARE MARK TSHEG..ZANABAZAR SQUARE MARK LONG TSHEG + {0x11A45, 0x11A45, prBB, gcPo}, // ZANABAZAR SQUARE INITIAL DOUBLE-LINED HEAD MARK + {0x11A46, 0x11A46, prAL, gcPo}, // ZANABAZAR SQUARE CLOSING DOUBLE-LINED HEAD MARK + {0x11A47, 0x11A47, prCM, gcMn}, // ZANABAZAR SQUARE SUBJOINER + {0x11A50, 0x11A50, prAL, gcLo}, // SOYOMBO LETTER A + {0x11A51, 0x11A56, prCM, gcMn}, // [6] SOYOMBO VOWEL SIGN I..SOYOMBO VOWEL SIGN OE + {0x11A57, 0x11A58, prCM, gcMc}, // [2] SOYOMBO VOWEL SIGN AI..SOYOMBO VOWEL SIGN AU + {0x11A59, 0x11A5B, prCM, gcMn}, // [3] SOYOMBO VOWEL SIGN VOCALIC R..SOYOMBO VOWEL LENGTH MARK + {0x11A5C, 0x11A89, prAL, gcLo}, // [46] SOYOMBO LETTER KA..SOYOMBO CLUSTER-INITIAL LETTER SA + {0x11A8A, 0x11A96, prCM, gcMn}, // [13] SOYOMBO FINAL CONSONANT SIGN G..SOYOMBO SIGN ANUSVARA + {0x11A97, 0x11A97, prCM, gcMc}, // SOYOMBO SIGN VISARGA + {0x11A98, 0x11A99, prCM, gcMn}, // [2] SOYOMBO GEMINATION MARK..SOYOMBO SUBJOINER + {0x11A9A, 0x11A9C, prBA, gcPo}, // [3] SOYOMBO MARK TSHEG..SOYOMBO MARK DOUBLE SHAD + {0x11A9D, 0x11A9D, prAL, gcLo}, // SOYOMBO MARK PLUTA + {0x11A9E, 0x11AA0, prBB, gcPo}, // [3] SOYOMBO HEAD MARK WITH MOON AND SUN AND TRIPLE FLAME..SOYOMBO HEAD MARK WITH MOON AND SUN + {0x11AA1, 0x11AA2, prBA, gcPo}, // [2] SOYOMBO TERMINAL MARK-1..SOYOMBO TERMINAL MARK-2 + {0x11AB0, 0x11ABF, prAL, gcLo}, // [16] CANADIAN SYLLABICS NATTILIK HI..CANADIAN SYLLABICS SPA + {0x11AC0, 0x11AF8, prAL, gcLo}, // [57] PAU CIN HAU LETTER PA..PAU CIN HAU GLOTTAL STOP FINAL + {0x11B00, 0x11B09, prBB, gcPo}, // [10] DEVANAGARI HEAD MARK..DEVANAGARI SIGN MINDU + {0x11C00, 0x11C08, prAL, gcLo}, // [9] BHAIKSUKI LETTER A..BHAIKSUKI LETTER VOCALIC L + {0x11C0A, 0x11C2E, prAL, gcLo}, // [37] BHAIKSUKI LETTER E..BHAIKSUKI LETTER HA + {0x11C2F, 0x11C2F, prCM, gcMc}, // BHAIKSUKI VOWEL SIGN AA + {0x11C30, 0x11C36, prCM, gcMn}, // [7] BHAIKSUKI VOWEL SIGN I..BHAIKSUKI VOWEL SIGN VOCALIC L + {0x11C38, 0x11C3D, prCM, gcMn}, // [6] BHAIKSUKI VOWEL SIGN E..BHAIKSUKI SIGN ANUSVARA + {0x11C3E, 0x11C3E, prCM, gcMc}, // BHAIKSUKI SIGN VISARGA + {0x11C3F, 0x11C3F, prCM, gcMn}, // BHAIKSUKI SIGN VIRAMA + {0x11C40, 0x11C40, prAL, gcLo}, // BHAIKSUKI SIGN AVAGRAHA + {0x11C41, 0x11C45, prBA, gcPo}, // [5] BHAIKSUKI DANDA..BHAIKSUKI GAP FILLER-2 + {0x11C50, 0x11C59, prNU, gcNd}, // [10] BHAIKSUKI DIGIT ZERO..BHAIKSUKI DIGIT NINE + {0x11C5A, 0x11C6C, prAL, gcNo}, // [19] BHAIKSUKI NUMBER ONE..BHAIKSUKI HUNDREDS UNIT MARK + {0x11C70, 0x11C70, prBB, gcPo}, // MARCHEN HEAD MARK + {0x11C71, 0x11C71, prEX, gcPo}, // MARCHEN MARK SHAD + {0x11C72, 0x11C8F, prAL, gcLo}, // [30] MARCHEN LETTER KA..MARCHEN LETTER A + {0x11C92, 0x11CA7, prCM, gcMn}, // [22] MARCHEN SUBJOINED LETTER KA..MARCHEN SUBJOINED LETTER ZA + {0x11CA9, 0x11CA9, prCM, gcMc}, // MARCHEN SUBJOINED LETTER YA + {0x11CAA, 0x11CB0, prCM, gcMn}, // [7] MARCHEN SUBJOINED LETTER RA..MARCHEN VOWEL SIGN AA + {0x11CB1, 0x11CB1, prCM, gcMc}, // MARCHEN VOWEL SIGN I + {0x11CB2, 0x11CB3, prCM, gcMn}, // [2] MARCHEN VOWEL SIGN U..MARCHEN VOWEL SIGN E + {0x11CB4, 0x11CB4, prCM, gcMc}, // MARCHEN VOWEL SIGN O + {0x11CB5, 0x11CB6, prCM, gcMn}, // [2] MARCHEN SIGN ANUSVARA..MARCHEN SIGN CANDRABINDU + {0x11D00, 0x11D06, prAL, gcLo}, // [7] MASARAM GONDI LETTER A..MASARAM GONDI LETTER E + {0x11D08, 0x11D09, prAL, gcLo}, // [2] MASARAM GONDI LETTER AI..MASARAM GONDI LETTER O + {0x11D0B, 0x11D30, prAL, gcLo}, // [38] MASARAM GONDI LETTER AU..MASARAM GONDI LETTER TRA + {0x11D31, 0x11D36, prCM, gcMn}, // [6] MASARAM GONDI VOWEL SIGN AA..MASARAM GONDI VOWEL SIGN VOCALIC R + {0x11D3A, 0x11D3A, prCM, gcMn}, // MASARAM GONDI VOWEL SIGN E + {0x11D3C, 0x11D3D, prCM, gcMn}, // [2] MASARAM GONDI VOWEL SIGN AI..MASARAM GONDI VOWEL SIGN O + {0x11D3F, 0x11D45, prCM, gcMn}, // [7] MASARAM GONDI VOWEL SIGN AU..MASARAM GONDI VIRAMA + {0x11D46, 0x11D46, prAL, gcLo}, // MASARAM GONDI REPHA + {0x11D47, 0x11D47, prCM, gcMn}, // MASARAM GONDI RA-KARA + {0x11D50, 0x11D59, prNU, gcNd}, // [10] MASARAM GONDI DIGIT ZERO..MASARAM GONDI DIGIT NINE + {0x11D60, 0x11D65, prAL, gcLo}, // [6] GUNJALA GONDI LETTER A..GUNJALA GONDI LETTER UU + {0x11D67, 0x11D68, prAL, gcLo}, // [2] GUNJALA GONDI LETTER EE..GUNJALA GONDI LETTER AI + {0x11D6A, 0x11D89, prAL, gcLo}, // [32] GUNJALA GONDI LETTER OO..GUNJALA GONDI LETTER SA + {0x11D8A, 0x11D8E, prCM, gcMc}, // [5] GUNJALA GONDI VOWEL SIGN AA..GUNJALA GONDI VOWEL SIGN UU + {0x11D90, 0x11D91, prCM, gcMn}, // [2] GUNJALA GONDI VOWEL SIGN EE..GUNJALA GONDI VOWEL SIGN AI + {0x11D93, 0x11D94, prCM, gcMc}, // [2] GUNJALA GONDI VOWEL SIGN OO..GUNJALA GONDI VOWEL SIGN AU + {0x11D95, 0x11D95, prCM, gcMn}, // GUNJALA GONDI SIGN ANUSVARA + {0x11D96, 0x11D96, prCM, gcMc}, // GUNJALA GONDI SIGN VISARGA + {0x11D97, 0x11D97, prCM, gcMn}, // GUNJALA GONDI VIRAMA + {0x11D98, 0x11D98, prAL, gcLo}, // GUNJALA GONDI OM + {0x11DA0, 0x11DA9, prNU, gcNd}, // [10] GUNJALA GONDI DIGIT ZERO..GUNJALA GONDI DIGIT NINE + {0x11EE0, 0x11EF2, prAL, gcLo}, // [19] MAKASAR LETTER KA..MAKASAR ANGKA + {0x11EF3, 0x11EF4, prCM, gcMn}, // [2] MAKASAR VOWEL SIGN I..MAKASAR VOWEL SIGN U + {0x11EF5, 0x11EF6, prCM, gcMc}, // [2] MAKASAR VOWEL SIGN E..MAKASAR VOWEL SIGN O + {0x11EF7, 0x11EF8, prAL, gcPo}, // [2] MAKASAR PASSIMBANG..MAKASAR END OF SECTION + {0x11F00, 0x11F01, prCM, gcMn}, // [2] KAWI SIGN CANDRABINDU..KAWI SIGN ANUSVARA + {0x11F02, 0x11F02, prAL, gcLo}, // KAWI SIGN REPHA + {0x11F03, 0x11F03, prCM, gcMc}, // KAWI SIGN VISARGA + {0x11F04, 0x11F10, prAL, gcLo}, // [13] KAWI LETTER A..KAWI LETTER O + {0x11F12, 0x11F33, prAL, gcLo}, // [34] KAWI LETTER KA..KAWI LETTER JNYA + {0x11F34, 0x11F35, prCM, gcMc}, // [2] KAWI VOWEL SIGN AA..KAWI VOWEL SIGN ALTERNATE AA + {0x11F36, 0x11F3A, prCM, gcMn}, // [5] KAWI VOWEL SIGN I..KAWI VOWEL SIGN VOCALIC R + {0x11F3E, 0x11F3F, prCM, gcMc}, // [2] KAWI VOWEL SIGN E..KAWI VOWEL SIGN AI + {0x11F40, 0x11F40, prCM, gcMn}, // KAWI VOWEL SIGN EU + {0x11F41, 0x11F41, prCM, gcMc}, // KAWI SIGN KILLER + {0x11F42, 0x11F42, prCM, gcMn}, // KAWI CONJOINER + {0x11F43, 0x11F44, prBA, gcPo}, // [2] KAWI DANDA..KAWI DOUBLE DANDA + {0x11F45, 0x11F4F, prID, gcPo}, // [11] KAWI PUNCTUATION SECTION MARKER..KAWI PUNCTUATION CLOSING SPIRAL + {0x11F50, 0x11F59, prNU, gcNd}, // [10] KAWI DIGIT ZERO..KAWI DIGIT NINE + {0x11FB0, 0x11FB0, prAL, gcLo}, // LISU LETTER YHA + {0x11FC0, 0x11FD4, prAL, gcNo}, // [21] TAMIL FRACTION ONE THREE-HUNDRED-AND-TWENTIETH..TAMIL FRACTION DOWNSCALING FACTOR KIIZH + {0x11FD5, 0x11FDC, prAL, gcSo}, // [8] TAMIL SIGN NEL..TAMIL SIGN MUKKURUNI + {0x11FDD, 0x11FE0, prPO, gcSc}, // [4] TAMIL SIGN KAACU..TAMIL SIGN VARAAKAN + {0x11FE1, 0x11FF1, prAL, gcSo}, // [17] TAMIL SIGN PAARAM..TAMIL SIGN VAKAIYARAA + {0x11FFF, 0x11FFF, prBA, gcPo}, // TAMIL PUNCTUATION END OF TEXT + {0x12000, 0x12399, prAL, gcLo}, // [922] CUNEIFORM SIGN A..CUNEIFORM SIGN U U + {0x12400, 0x1246E, prAL, gcNl}, // [111] CUNEIFORM NUMERIC SIGN TWO ASH..CUNEIFORM NUMERIC SIGN NINE U VARIANT FORM + {0x12470, 0x12474, prBA, gcPo}, // [5] CUNEIFORM PUNCTUATION SIGN OLD ASSYRIAN WORD DIVIDER..CUNEIFORM PUNCTUATION SIGN DIAGONAL QUADCOLON + {0x12480, 0x12543, prAL, gcLo}, // [196] CUNEIFORM SIGN AB TIMES NUN TENU..CUNEIFORM SIGN ZU5 TIMES THREE DISH TENU + {0x12F90, 0x12FF0, prAL, gcLo}, // [97] CYPRO-MINOAN SIGN CM001..CYPRO-MINOAN SIGN CM114 + {0x12FF1, 0x12FF2, prAL, gcPo}, // [2] CYPRO-MINOAN SIGN CM301..CYPRO-MINOAN SIGN CM302 + {0x13000, 0x13257, prAL, gcLo}, // [600] EGYPTIAN HIEROGLYPH A001..EGYPTIAN HIEROGLYPH O006 + {0x13258, 0x1325A, prOP, gcLo}, // [3] EGYPTIAN HIEROGLYPH O006A..EGYPTIAN HIEROGLYPH O006C + {0x1325B, 0x1325D, prCL, gcLo}, // [3] EGYPTIAN HIEROGLYPH O006D..EGYPTIAN HIEROGLYPH O006F + {0x1325E, 0x13281, prAL, gcLo}, // [36] EGYPTIAN HIEROGLYPH O007..EGYPTIAN HIEROGLYPH O033 + {0x13282, 0x13282, prCL, gcLo}, // EGYPTIAN HIEROGLYPH O033A + {0x13283, 0x13285, prAL, gcLo}, // [3] EGYPTIAN HIEROGLYPH O034..EGYPTIAN HIEROGLYPH O036 + {0x13286, 0x13286, prOP, gcLo}, // EGYPTIAN HIEROGLYPH O036A + {0x13287, 0x13287, prCL, gcLo}, // EGYPTIAN HIEROGLYPH O036B + {0x13288, 0x13288, prOP, gcLo}, // EGYPTIAN HIEROGLYPH O036C + {0x13289, 0x13289, prCL, gcLo}, // EGYPTIAN HIEROGLYPH O036D + {0x1328A, 0x13378, prAL, gcLo}, // [239] EGYPTIAN HIEROGLYPH O037..EGYPTIAN HIEROGLYPH V011 + {0x13379, 0x13379, prOP, gcLo}, // EGYPTIAN HIEROGLYPH V011A + {0x1337A, 0x1337B, prCL, gcLo}, // [2] EGYPTIAN HIEROGLYPH V011B..EGYPTIAN HIEROGLYPH V011C + {0x1337C, 0x1342F, prAL, gcLo}, // [180] EGYPTIAN HIEROGLYPH V012..EGYPTIAN HIEROGLYPH V011D + {0x13430, 0x13436, prGL, gcCf}, // [7] EGYPTIAN HIEROGLYPH VERTICAL JOINER..EGYPTIAN HIEROGLYPH OVERLAY MIDDLE + {0x13437, 0x13437, prOP, gcCf}, // EGYPTIAN HIEROGLYPH BEGIN SEGMENT + {0x13438, 0x13438, prCL, gcCf}, // EGYPTIAN HIEROGLYPH END SEGMENT + {0x13439, 0x1343B, prGL, gcCf}, // [3] EGYPTIAN HIEROGLYPH INSERT AT MIDDLE..EGYPTIAN HIEROGLYPH INSERT AT BOTTOM + {0x1343C, 0x1343C, prOP, gcCf}, // EGYPTIAN HIEROGLYPH BEGIN ENCLOSURE + {0x1343D, 0x1343D, prCL, gcCf}, // EGYPTIAN HIEROGLYPH END ENCLOSURE + {0x1343E, 0x1343E, prOP, gcCf}, // EGYPTIAN HIEROGLYPH BEGIN WALLED ENCLOSURE + {0x1343F, 0x1343F, prCL, gcCf}, // EGYPTIAN HIEROGLYPH END WALLED ENCLOSURE + {0x13440, 0x13440, prCM, gcMn}, // EGYPTIAN HIEROGLYPH MIRROR HORIZONTALLY + {0x13441, 0x13446, prAL, gcLo}, // [6] EGYPTIAN HIEROGLYPH FULL BLANK..EGYPTIAN HIEROGLYPH WIDE LOST SIGN + {0x13447, 0x13455, prCM, gcMn}, // [15] EGYPTIAN HIEROGLYPH MODIFIER DAMAGED AT TOP START..EGYPTIAN HIEROGLYPH MODIFIER DAMAGED + {0x14400, 0x145CD, prAL, gcLo}, // [462] ANATOLIAN HIEROGLYPH A001..ANATOLIAN HIEROGLYPH A409 + {0x145CE, 0x145CE, prOP, gcLo}, // ANATOLIAN HIEROGLYPH A410 BEGIN LOGOGRAM MARK + {0x145CF, 0x145CF, prCL, gcLo}, // ANATOLIAN HIEROGLYPH A410A END LOGOGRAM MARK + {0x145D0, 0x14646, prAL, gcLo}, // [119] ANATOLIAN HIEROGLYPH A411..ANATOLIAN HIEROGLYPH A530 + {0x16800, 0x16A38, prAL, gcLo}, // [569] BAMUM LETTER PHASE-A NGKUE MFON..BAMUM LETTER PHASE-F VUEQ + {0x16A40, 0x16A5E, prAL, gcLo}, // [31] MRO LETTER TA..MRO LETTER TEK + {0x16A60, 0x16A69, prNU, gcNd}, // [10] MRO DIGIT ZERO..MRO DIGIT NINE + {0x16A6E, 0x16A6F, prBA, gcPo}, // [2] MRO DANDA..MRO DOUBLE DANDA + {0x16A70, 0x16ABE, prAL, gcLo}, // [79] TANGSA LETTER OZ..TANGSA LETTER ZA + {0x16AC0, 0x16AC9, prNU, gcNd}, // [10] TANGSA DIGIT ZERO..TANGSA DIGIT NINE + {0x16AD0, 0x16AED, prAL, gcLo}, // [30] BASSA VAH LETTER ENNI..BASSA VAH LETTER I + {0x16AF0, 0x16AF4, prCM, gcMn}, // [5] BASSA VAH COMBINING HIGH TONE..BASSA VAH COMBINING HIGH-LOW TONE + {0x16AF5, 0x16AF5, prBA, gcPo}, // BASSA VAH FULL STOP + {0x16B00, 0x16B2F, prAL, gcLo}, // [48] PAHAWH HMONG VOWEL KEEB..PAHAWH HMONG CONSONANT CAU + {0x16B30, 0x16B36, prCM, gcMn}, // [7] PAHAWH HMONG MARK CIM TUB..PAHAWH HMONG MARK CIM TAUM + {0x16B37, 0x16B39, prBA, gcPo}, // [3] PAHAWH HMONG SIGN VOS THOM..PAHAWH HMONG SIGN CIM CHEEM + {0x16B3A, 0x16B3B, prAL, gcPo}, // [2] PAHAWH HMONG SIGN VOS THIAB..PAHAWH HMONG SIGN VOS FEEM + {0x16B3C, 0x16B3F, prAL, gcSo}, // [4] PAHAWH HMONG SIGN XYEEM NTXIV..PAHAWH HMONG SIGN XYEEM FAIB + {0x16B40, 0x16B43, prAL, gcLm}, // [4] PAHAWH HMONG SIGN VOS SEEV..PAHAWH HMONG SIGN IB YAM + {0x16B44, 0x16B44, prBA, gcPo}, // PAHAWH HMONG SIGN XAUS + {0x16B45, 0x16B45, prAL, gcSo}, // PAHAWH HMONG SIGN CIM TSOV ROG + {0x16B50, 0x16B59, prNU, gcNd}, // [10] PAHAWH HMONG DIGIT ZERO..PAHAWH HMONG DIGIT NINE + {0x16B5B, 0x16B61, prAL, gcNo}, // [7] PAHAWH HMONG NUMBER TENS..PAHAWH HMONG NUMBER TRILLIONS + {0x16B63, 0x16B77, prAL, gcLo}, // [21] PAHAWH HMONG SIGN VOS LUB..PAHAWH HMONG SIGN CIM NRES TOS + {0x16B7D, 0x16B8F, prAL, gcLo}, // [19] PAHAWH HMONG CLAN SIGN TSHEEJ..PAHAWH HMONG CLAN SIGN VWJ + {0x16E40, 0x16E7F, prAL, gcLC}, // [64] MEDEFAIDRIN CAPITAL LETTER M..MEDEFAIDRIN SMALL LETTER Y + {0x16E80, 0x16E96, prAL, gcNo}, // [23] MEDEFAIDRIN DIGIT ZERO..MEDEFAIDRIN DIGIT THREE ALTERNATE FORM + {0x16E97, 0x16E98, prBA, gcPo}, // [2] MEDEFAIDRIN COMMA..MEDEFAIDRIN FULL STOP + {0x16E99, 0x16E9A, prAL, gcPo}, // [2] MEDEFAIDRIN SYMBOL AIVA..MEDEFAIDRIN EXCLAMATION OH + {0x16F00, 0x16F4A, prAL, gcLo}, // [75] MIAO LETTER PA..MIAO LETTER RTE + {0x16F4F, 0x16F4F, prCM, gcMn}, // MIAO SIGN CONSONANT MODIFIER BAR + {0x16F50, 0x16F50, prAL, gcLo}, // MIAO LETTER NASALIZATION + {0x16F51, 0x16F87, prCM, gcMc}, // [55] MIAO SIGN ASPIRATION..MIAO VOWEL SIGN UI + {0x16F8F, 0x16F92, prCM, gcMn}, // [4] MIAO TONE RIGHT..MIAO TONE BELOW + {0x16F93, 0x16F9F, prAL, gcLm}, // [13] MIAO LETTER TONE-2..MIAO LETTER REFORMED TONE-8 + {0x16FE0, 0x16FE1, prNS, gcLm}, // [2] TANGUT ITERATION MARK..NUSHU ITERATION MARK + {0x16FE2, 0x16FE2, prNS, gcPo}, // OLD CHINESE HOOK MARK + {0x16FE3, 0x16FE3, prNS, gcLm}, // OLD CHINESE ITERATION MARK + {0x16FE4, 0x16FE4, prGL, gcMn}, // KHITAN SMALL SCRIPT FILLER + {0x16FF0, 0x16FF1, prCM, gcMc}, // [2] VIETNAMESE ALTERNATE READING MARK CA..VIETNAMESE ALTERNATE READING MARK NHAY + {0x17000, 0x187F7, prID, gcLo}, // [6136] TANGUT IDEOGRAPH-17000..TANGUT IDEOGRAPH-187F7 + {0x18800, 0x18AFF, prID, gcLo}, // [768] TANGUT COMPONENT-001..TANGUT COMPONENT-768 + {0x18B00, 0x18CD5, prAL, gcLo}, // [470] KHITAN SMALL SCRIPT CHARACTER-18B00..KHITAN SMALL SCRIPT CHARACTER-18CD5 + {0x18D00, 0x18D08, prID, gcLo}, // [9] TANGUT IDEOGRAPH-18D00..TANGUT IDEOGRAPH-18D08 + {0x1AFF0, 0x1AFF3, prAL, gcLm}, // [4] KATAKANA LETTER MINNAN TONE-2..KATAKANA LETTER MINNAN TONE-5 + {0x1AFF5, 0x1AFFB, prAL, gcLm}, // [7] KATAKANA LETTER MINNAN TONE-7..KATAKANA LETTER MINNAN NASALIZED TONE-5 + {0x1AFFD, 0x1AFFE, prAL, gcLm}, // [2] KATAKANA LETTER MINNAN NASALIZED TONE-7..KATAKANA LETTER MINNAN NASALIZED TONE-8 + {0x1B000, 0x1B0FF, prID, gcLo}, // [256] KATAKANA LETTER ARCHAIC E..HENTAIGANA LETTER RE-2 + {0x1B100, 0x1B122, prID, gcLo}, // [35] HENTAIGANA LETTER RE-3..KATAKANA LETTER ARCHAIC WU + {0x1B132, 0x1B132, prCJ, gcLo}, // HIRAGANA LETTER SMALL KO + {0x1B150, 0x1B152, prCJ, gcLo}, // [3] HIRAGANA LETTER SMALL WI..HIRAGANA LETTER SMALL WO + {0x1B155, 0x1B155, prCJ, gcLo}, // KATAKANA LETTER SMALL KO + {0x1B164, 0x1B167, prCJ, gcLo}, // [4] KATAKANA LETTER SMALL WI..KATAKANA LETTER SMALL N + {0x1B170, 0x1B2FB, prID, gcLo}, // [396] NUSHU CHARACTER-1B170..NUSHU CHARACTER-1B2FB + {0x1BC00, 0x1BC6A, prAL, gcLo}, // [107] DUPLOYAN LETTER H..DUPLOYAN LETTER VOCALIC M + {0x1BC70, 0x1BC7C, prAL, gcLo}, // [13] DUPLOYAN AFFIX LEFT HORIZONTAL SECANT..DUPLOYAN AFFIX ATTACHED TANGENT HOOK + {0x1BC80, 0x1BC88, prAL, gcLo}, // [9] DUPLOYAN AFFIX HIGH ACUTE..DUPLOYAN AFFIX HIGH VERTICAL + {0x1BC90, 0x1BC99, prAL, gcLo}, // [10] DUPLOYAN AFFIX LOW ACUTE..DUPLOYAN AFFIX LOW ARROW + {0x1BC9C, 0x1BC9C, prAL, gcSo}, // DUPLOYAN SIGN O WITH CROSS + {0x1BC9D, 0x1BC9E, prCM, gcMn}, // [2] DUPLOYAN THICK LETTER SELECTOR..DUPLOYAN DOUBLE MARK + {0x1BC9F, 0x1BC9F, prBA, gcPo}, // DUPLOYAN PUNCTUATION CHINOOK FULL STOP + {0x1BCA0, 0x1BCA3, prCM, gcCf}, // [4] SHORTHAND FORMAT LETTER OVERLAP..SHORTHAND FORMAT UP STEP + {0x1CF00, 0x1CF2D, prCM, gcMn}, // [46] ZNAMENNY COMBINING MARK GORAZDO NIZKO S KRYZHEM ON LEFT..ZNAMENNY COMBINING MARK KRYZH ON LEFT + {0x1CF30, 0x1CF46, prCM, gcMn}, // [23] ZNAMENNY COMBINING TONAL RANGE MARK MRACHNO..ZNAMENNY PRIZNAK MODIFIER ROG + {0x1CF50, 0x1CFC3, prAL, gcSo}, // [116] ZNAMENNY NEUME KRYUK..ZNAMENNY NEUME PAUK + {0x1D000, 0x1D0F5, prAL, gcSo}, // [246] BYZANTINE MUSICAL SYMBOL PSILI..BYZANTINE MUSICAL SYMBOL GORGON NEO KATO + {0x1D100, 0x1D126, prAL, gcSo}, // [39] MUSICAL SYMBOL SINGLE BARLINE..MUSICAL SYMBOL DRUM CLEF-2 + {0x1D129, 0x1D164, prAL, gcSo}, // [60] MUSICAL SYMBOL MULTIPLE MEASURE REST..MUSICAL SYMBOL ONE HUNDRED TWENTY-EIGHTH NOTE + {0x1D165, 0x1D166, prCM, gcMc}, // [2] MUSICAL SYMBOL COMBINING STEM..MUSICAL SYMBOL COMBINING SPRECHGESANG STEM + {0x1D167, 0x1D169, prCM, gcMn}, // [3] MUSICAL SYMBOL COMBINING TREMOLO-1..MUSICAL SYMBOL COMBINING TREMOLO-3 + {0x1D16A, 0x1D16C, prAL, gcSo}, // [3] MUSICAL SYMBOL FINGERED TREMOLO-1..MUSICAL SYMBOL FINGERED TREMOLO-3 + {0x1D16D, 0x1D172, prCM, gcMc}, // [6] MUSICAL SYMBOL COMBINING AUGMENTATION DOT..MUSICAL SYMBOL COMBINING FLAG-5 + {0x1D173, 0x1D17A, prCM, gcCf}, // [8] MUSICAL SYMBOL BEGIN BEAM..MUSICAL SYMBOL END PHRASE + {0x1D17B, 0x1D182, prCM, gcMn}, // [8] MUSICAL SYMBOL COMBINING ACCENT..MUSICAL SYMBOL COMBINING LOURE + {0x1D183, 0x1D184, prAL, gcSo}, // [2] MUSICAL SYMBOL ARPEGGIATO UP..MUSICAL SYMBOL ARPEGGIATO DOWN + {0x1D185, 0x1D18B, prCM, gcMn}, // [7] MUSICAL SYMBOL COMBINING DOIT..MUSICAL SYMBOL COMBINING TRIPLE TONGUE + {0x1D18C, 0x1D1A9, prAL, gcSo}, // [30] MUSICAL SYMBOL RINFORZANDO..MUSICAL SYMBOL DEGREE SLASH + {0x1D1AA, 0x1D1AD, prCM, gcMn}, // [4] MUSICAL SYMBOL COMBINING DOWN BOW..MUSICAL SYMBOL COMBINING SNAP PIZZICATO + {0x1D1AE, 0x1D1EA, prAL, gcSo}, // [61] MUSICAL SYMBOL PEDAL MARK..MUSICAL SYMBOL KORON + {0x1D200, 0x1D241, prAL, gcSo}, // [66] GREEK VOCAL NOTATION SYMBOL-1..GREEK INSTRUMENTAL NOTATION SYMBOL-54 + {0x1D242, 0x1D244, prCM, gcMn}, // [3] COMBINING GREEK MUSICAL TRISEME..COMBINING GREEK MUSICAL PENTASEME + {0x1D245, 0x1D245, prAL, gcSo}, // GREEK MUSICAL LEIMMA + {0x1D2C0, 0x1D2D3, prAL, gcNo}, // [20] KAKTOVIK NUMERAL ZERO..KAKTOVIK NUMERAL NINETEEN + {0x1D2E0, 0x1D2F3, prAL, gcNo}, // [20] MAYAN NUMERAL ZERO..MAYAN NUMERAL NINETEEN + {0x1D300, 0x1D356, prAL, gcSo}, // [87] MONOGRAM FOR EARTH..TETRAGRAM FOR FOSTERING + {0x1D360, 0x1D378, prAL, gcNo}, // [25] COUNTING ROD UNIT DIGIT ONE..TALLY MARK FIVE + {0x1D400, 0x1D454, prAL, gcLC}, // [85] MATHEMATICAL BOLD CAPITAL A..MATHEMATICAL ITALIC SMALL G + {0x1D456, 0x1D49C, prAL, gcLC}, // [71] MATHEMATICAL ITALIC SMALL I..MATHEMATICAL SCRIPT CAPITAL A + {0x1D49E, 0x1D49F, prAL, gcLu}, // [2] MATHEMATICAL SCRIPT CAPITAL C..MATHEMATICAL SCRIPT CAPITAL D + {0x1D4A2, 0x1D4A2, prAL, gcLu}, // MATHEMATICAL SCRIPT CAPITAL G + {0x1D4A5, 0x1D4A6, prAL, gcLu}, // [2] MATHEMATICAL SCRIPT CAPITAL J..MATHEMATICAL SCRIPT CAPITAL K + {0x1D4A9, 0x1D4AC, prAL, gcLu}, // [4] MATHEMATICAL SCRIPT CAPITAL N..MATHEMATICAL SCRIPT CAPITAL Q + {0x1D4AE, 0x1D4B9, prAL, gcLC}, // [12] MATHEMATICAL SCRIPT CAPITAL S..MATHEMATICAL SCRIPT SMALL D + {0x1D4BB, 0x1D4BB, prAL, gcLl}, // MATHEMATICAL SCRIPT SMALL F + {0x1D4BD, 0x1D4C3, prAL, gcLl}, // [7] MATHEMATICAL SCRIPT SMALL H..MATHEMATICAL SCRIPT SMALL N + {0x1D4C5, 0x1D505, prAL, gcLC}, // [65] MATHEMATICAL SCRIPT SMALL P..MATHEMATICAL FRAKTUR CAPITAL B + {0x1D507, 0x1D50A, prAL, gcLu}, // [4] MATHEMATICAL FRAKTUR CAPITAL D..MATHEMATICAL FRAKTUR CAPITAL G + {0x1D50D, 0x1D514, prAL, gcLu}, // [8] MATHEMATICAL FRAKTUR CAPITAL J..MATHEMATICAL FRAKTUR CAPITAL Q + {0x1D516, 0x1D51C, prAL, gcLu}, // [7] MATHEMATICAL FRAKTUR CAPITAL S..MATHEMATICAL FRAKTUR CAPITAL Y + {0x1D51E, 0x1D539, prAL, gcLC}, // [28] MATHEMATICAL FRAKTUR SMALL A..MATHEMATICAL DOUBLE-STRUCK CAPITAL B + {0x1D53B, 0x1D53E, prAL, gcLu}, // [4] MATHEMATICAL DOUBLE-STRUCK CAPITAL D..MATHEMATICAL DOUBLE-STRUCK CAPITAL G + {0x1D540, 0x1D544, prAL, gcLu}, // [5] MATHEMATICAL DOUBLE-STRUCK CAPITAL I..MATHEMATICAL DOUBLE-STRUCK CAPITAL M + {0x1D546, 0x1D546, prAL, gcLu}, // MATHEMATICAL DOUBLE-STRUCK CAPITAL O + {0x1D54A, 0x1D550, prAL, gcLu}, // [7] MATHEMATICAL DOUBLE-STRUCK CAPITAL S..MATHEMATICAL DOUBLE-STRUCK CAPITAL Y + {0x1D552, 0x1D6A5, prAL, gcLC}, // [340] MATHEMATICAL DOUBLE-STRUCK SMALL A..MATHEMATICAL ITALIC SMALL DOTLESS J + {0x1D6A8, 0x1D6C0, prAL, gcLu}, // [25] MATHEMATICAL BOLD CAPITAL ALPHA..MATHEMATICAL BOLD CAPITAL OMEGA + {0x1D6C1, 0x1D6C1, prAL, gcSm}, // MATHEMATICAL BOLD NABLA + {0x1D6C2, 0x1D6DA, prAL, gcLl}, // [25] MATHEMATICAL BOLD SMALL ALPHA..MATHEMATICAL BOLD SMALL OMEGA + {0x1D6DB, 0x1D6DB, prAL, gcSm}, // MATHEMATICAL BOLD PARTIAL DIFFERENTIAL + {0x1D6DC, 0x1D6FA, prAL, gcLC}, // [31] MATHEMATICAL BOLD EPSILON SYMBOL..MATHEMATICAL ITALIC CAPITAL OMEGA + {0x1D6FB, 0x1D6FB, prAL, gcSm}, // MATHEMATICAL ITALIC NABLA + {0x1D6FC, 0x1D714, prAL, gcLl}, // [25] MATHEMATICAL ITALIC SMALL ALPHA..MATHEMATICAL ITALIC SMALL OMEGA + {0x1D715, 0x1D715, prAL, gcSm}, // MATHEMATICAL ITALIC PARTIAL DIFFERENTIAL + {0x1D716, 0x1D734, prAL, gcLC}, // [31] MATHEMATICAL ITALIC EPSILON SYMBOL..MATHEMATICAL BOLD ITALIC CAPITAL OMEGA + {0x1D735, 0x1D735, prAL, gcSm}, // MATHEMATICAL BOLD ITALIC NABLA + {0x1D736, 0x1D74E, prAL, gcLl}, // [25] MATHEMATICAL BOLD ITALIC SMALL ALPHA..MATHEMATICAL BOLD ITALIC SMALL OMEGA + {0x1D74F, 0x1D74F, prAL, gcSm}, // MATHEMATICAL BOLD ITALIC PARTIAL DIFFERENTIAL + {0x1D750, 0x1D76E, prAL, gcLC}, // [31] MATHEMATICAL BOLD ITALIC EPSILON SYMBOL..MATHEMATICAL SANS-SERIF BOLD CAPITAL OMEGA + {0x1D76F, 0x1D76F, prAL, gcSm}, // MATHEMATICAL SANS-SERIF BOLD NABLA + {0x1D770, 0x1D788, prAL, gcLl}, // [25] MATHEMATICAL SANS-SERIF BOLD SMALL ALPHA..MATHEMATICAL SANS-SERIF BOLD SMALL OMEGA + {0x1D789, 0x1D789, prAL, gcSm}, // MATHEMATICAL SANS-SERIF BOLD PARTIAL DIFFERENTIAL + {0x1D78A, 0x1D7A8, prAL, gcLC}, // [31] MATHEMATICAL SANS-SERIF BOLD EPSILON SYMBOL..MATHEMATICAL SANS-SERIF BOLD ITALIC CAPITAL OMEGA + {0x1D7A9, 0x1D7A9, prAL, gcSm}, // MATHEMATICAL SANS-SERIF BOLD ITALIC NABLA + {0x1D7AA, 0x1D7C2, prAL, gcLl}, // [25] MATHEMATICAL SANS-SERIF BOLD ITALIC SMALL ALPHA..MATHEMATICAL SANS-SERIF BOLD ITALIC SMALL OMEGA + {0x1D7C3, 0x1D7C3, prAL, gcSm}, // MATHEMATICAL SANS-SERIF BOLD ITALIC PARTIAL DIFFERENTIAL + {0x1D7C4, 0x1D7CB, prAL, gcLC}, // [8] MATHEMATICAL SANS-SERIF BOLD ITALIC EPSILON SYMBOL..MATHEMATICAL BOLD SMALL DIGAMMA + {0x1D7CE, 0x1D7FF, prNU, gcNd}, // [50] MATHEMATICAL BOLD DIGIT ZERO..MATHEMATICAL MONOSPACE DIGIT NINE + {0x1D800, 0x1D9FF, prAL, gcSo}, // [512] SIGNWRITING HAND-FIST INDEX..SIGNWRITING HEAD + {0x1DA00, 0x1DA36, prCM, gcMn}, // [55] SIGNWRITING HEAD RIM..SIGNWRITING AIR SUCKING IN + {0x1DA37, 0x1DA3A, prAL, gcSo}, // [4] SIGNWRITING AIR BLOW SMALL ROTATIONS..SIGNWRITING BREATH EXHALE + {0x1DA3B, 0x1DA6C, prCM, gcMn}, // [50] SIGNWRITING MOUTH CLOSED NEUTRAL..SIGNWRITING EXCITEMENT + {0x1DA6D, 0x1DA74, prAL, gcSo}, // [8] SIGNWRITING SHOULDER HIP SPINE..SIGNWRITING TORSO-FLOORPLANE TWISTING + {0x1DA75, 0x1DA75, prCM, gcMn}, // SIGNWRITING UPPER BODY TILTING FROM HIP JOINTS + {0x1DA76, 0x1DA83, prAL, gcSo}, // [14] SIGNWRITING LIMB COMBINATION..SIGNWRITING LOCATION DEPTH + {0x1DA84, 0x1DA84, prCM, gcMn}, // SIGNWRITING LOCATION HEAD NECK + {0x1DA85, 0x1DA86, prAL, gcSo}, // [2] SIGNWRITING LOCATION TORSO..SIGNWRITING LOCATION LIMBS DIGITS + {0x1DA87, 0x1DA8A, prBA, gcPo}, // [4] SIGNWRITING COMMA..SIGNWRITING COLON + {0x1DA8B, 0x1DA8B, prAL, gcPo}, // SIGNWRITING PARENTHESIS + {0x1DA9B, 0x1DA9F, prCM, gcMn}, // [5] SIGNWRITING FILL MODIFIER-2..SIGNWRITING FILL MODIFIER-6 + {0x1DAA1, 0x1DAAF, prCM, gcMn}, // [15] SIGNWRITING ROTATION MODIFIER-2..SIGNWRITING ROTATION MODIFIER-16 + {0x1DF00, 0x1DF09, prAL, gcLl}, // [10] LATIN SMALL LETTER FENG DIGRAPH WITH TRILL..LATIN SMALL LETTER T WITH HOOK AND RETROFLEX HOOK + {0x1DF0A, 0x1DF0A, prAL, gcLo}, // LATIN LETTER RETROFLEX CLICK WITH RETROFLEX HOOK + {0x1DF0B, 0x1DF1E, prAL, gcLl}, // [20] LATIN SMALL LETTER ESH WITH DOUBLE BAR..LATIN SMALL LETTER S WITH CURL + {0x1DF25, 0x1DF2A, prAL, gcLl}, // [6] LATIN SMALL LETTER D WITH MID-HEIGHT LEFT HOOK..LATIN SMALL LETTER T WITH MID-HEIGHT LEFT HOOK + {0x1E000, 0x1E006, prCM, gcMn}, // [7] COMBINING GLAGOLITIC LETTER AZU..COMBINING GLAGOLITIC LETTER ZHIVETE + {0x1E008, 0x1E018, prCM, gcMn}, // [17] COMBINING GLAGOLITIC LETTER ZEMLJA..COMBINING GLAGOLITIC LETTER HERU + {0x1E01B, 0x1E021, prCM, gcMn}, // [7] COMBINING GLAGOLITIC LETTER SHTA..COMBINING GLAGOLITIC LETTER YATI + {0x1E023, 0x1E024, prCM, gcMn}, // [2] COMBINING GLAGOLITIC LETTER YU..COMBINING GLAGOLITIC LETTER SMALL YUS + {0x1E026, 0x1E02A, prCM, gcMn}, // [5] COMBINING GLAGOLITIC LETTER YO..COMBINING GLAGOLITIC LETTER FITA + {0x1E030, 0x1E06D, prAL, gcLm}, // [62] MODIFIER LETTER CYRILLIC SMALL A..MODIFIER LETTER CYRILLIC SMALL STRAIGHT U WITH STROKE + {0x1E08F, 0x1E08F, prCM, gcMn}, // COMBINING CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I + {0x1E100, 0x1E12C, prAL, gcLo}, // [45] NYIAKENG PUACHUE HMONG LETTER MA..NYIAKENG PUACHUE HMONG LETTER W + {0x1E130, 0x1E136, prCM, gcMn}, // [7] NYIAKENG PUACHUE HMONG TONE-B..NYIAKENG PUACHUE HMONG TONE-D + {0x1E137, 0x1E13D, prAL, gcLm}, // [7] NYIAKENG PUACHUE HMONG SIGN FOR PERSON..NYIAKENG PUACHUE HMONG SYLLABLE LENGTHENER + {0x1E140, 0x1E149, prNU, gcNd}, // [10] NYIAKENG PUACHUE HMONG DIGIT ZERO..NYIAKENG PUACHUE HMONG DIGIT NINE + {0x1E14E, 0x1E14E, prAL, gcLo}, // NYIAKENG PUACHUE HMONG LOGOGRAM NYAJ + {0x1E14F, 0x1E14F, prAL, gcSo}, // NYIAKENG PUACHUE HMONG CIRCLED CA + {0x1E290, 0x1E2AD, prAL, gcLo}, // [30] TOTO LETTER PA..TOTO LETTER A + {0x1E2AE, 0x1E2AE, prCM, gcMn}, // TOTO SIGN RISING TONE + {0x1E2C0, 0x1E2EB, prAL, gcLo}, // [44] WANCHO LETTER AA..WANCHO LETTER YIH + {0x1E2EC, 0x1E2EF, prCM, gcMn}, // [4] WANCHO TONE TUP..WANCHO TONE KOINI + {0x1E2F0, 0x1E2F9, prNU, gcNd}, // [10] WANCHO DIGIT ZERO..WANCHO DIGIT NINE + {0x1E2FF, 0x1E2FF, prPR, gcSc}, // WANCHO NGUN SIGN + {0x1E4D0, 0x1E4EA, prAL, gcLo}, // [27] NAG MUNDARI LETTER O..NAG MUNDARI LETTER ELL + {0x1E4EB, 0x1E4EB, prAL, gcLm}, // NAG MUNDARI SIGN OJOD + {0x1E4EC, 0x1E4EF, prCM, gcMn}, // [4] NAG MUNDARI SIGN MUHOR..NAG MUNDARI SIGN SUTUH + {0x1E4F0, 0x1E4F9, prNU, gcNd}, // [10] NAG MUNDARI DIGIT ZERO..NAG MUNDARI DIGIT NINE + {0x1E7E0, 0x1E7E6, prAL, gcLo}, // [7] ETHIOPIC SYLLABLE HHYA..ETHIOPIC SYLLABLE HHYO + {0x1E7E8, 0x1E7EB, prAL, gcLo}, // [4] ETHIOPIC SYLLABLE GURAGE HHWA..ETHIOPIC SYLLABLE HHWE + {0x1E7ED, 0x1E7EE, prAL, gcLo}, // [2] ETHIOPIC SYLLABLE GURAGE MWI..ETHIOPIC SYLLABLE GURAGE MWEE + {0x1E7F0, 0x1E7FE, prAL, gcLo}, // [15] ETHIOPIC SYLLABLE GURAGE QWI..ETHIOPIC SYLLABLE GURAGE PWEE + {0x1E800, 0x1E8C4, prAL, gcLo}, // [197] MENDE KIKAKUI SYLLABLE M001 KI..MENDE KIKAKUI SYLLABLE M060 NYON + {0x1E8C7, 0x1E8CF, prAL, gcNo}, // [9] MENDE KIKAKUI DIGIT ONE..MENDE KIKAKUI DIGIT NINE + {0x1E8D0, 0x1E8D6, prCM, gcMn}, // [7] MENDE KIKAKUI COMBINING NUMBER TEENS..MENDE KIKAKUI COMBINING NUMBER MILLIONS + {0x1E900, 0x1E943, prAL, gcLC}, // [68] ADLAM CAPITAL LETTER ALIF..ADLAM SMALL LETTER SHA + {0x1E944, 0x1E94A, prCM, gcMn}, // [7] ADLAM ALIF LENGTHENER..ADLAM NUKTA + {0x1E94B, 0x1E94B, prAL, gcLm}, // ADLAM NASALIZATION MARK + {0x1E950, 0x1E959, prNU, gcNd}, // [10] ADLAM DIGIT ZERO..ADLAM DIGIT NINE + {0x1E95E, 0x1E95F, prOP, gcPo}, // [2] ADLAM INITIAL EXCLAMATION MARK..ADLAM INITIAL QUESTION MARK + {0x1EC71, 0x1ECAB, prAL, gcNo}, // [59] INDIC SIYAQ NUMBER ONE..INDIC SIYAQ NUMBER PREFIXED NINE + {0x1ECAC, 0x1ECAC, prPO, gcSo}, // INDIC SIYAQ PLACEHOLDER + {0x1ECAD, 0x1ECAF, prAL, gcNo}, // [3] INDIC SIYAQ FRACTION ONE QUARTER..INDIC SIYAQ FRACTION THREE QUARTERS + {0x1ECB0, 0x1ECB0, prPO, gcSc}, // INDIC SIYAQ RUPEE MARK + {0x1ECB1, 0x1ECB4, prAL, gcNo}, // [4] INDIC SIYAQ NUMBER ALTERNATE ONE..INDIC SIYAQ ALTERNATE LAKH MARK + {0x1ED01, 0x1ED2D, prAL, gcNo}, // [45] OTTOMAN SIYAQ NUMBER ONE..OTTOMAN SIYAQ NUMBER NINETY THOUSAND + {0x1ED2E, 0x1ED2E, prAL, gcSo}, // OTTOMAN SIYAQ MARRATAN + {0x1ED2F, 0x1ED3D, prAL, gcNo}, // [15] OTTOMAN SIYAQ ALTERNATE NUMBER TWO..OTTOMAN SIYAQ FRACTION ONE SIXTH + {0x1EE00, 0x1EE03, prAL, gcLo}, // [4] ARABIC MATHEMATICAL ALEF..ARABIC MATHEMATICAL DAL + {0x1EE05, 0x1EE1F, prAL, gcLo}, // [27] ARABIC MATHEMATICAL WAW..ARABIC MATHEMATICAL DOTLESS QAF + {0x1EE21, 0x1EE22, prAL, gcLo}, // [2] ARABIC MATHEMATICAL INITIAL BEH..ARABIC MATHEMATICAL INITIAL JEEM + {0x1EE24, 0x1EE24, prAL, gcLo}, // ARABIC MATHEMATICAL INITIAL HEH + {0x1EE27, 0x1EE27, prAL, gcLo}, // ARABIC MATHEMATICAL INITIAL HAH + {0x1EE29, 0x1EE32, prAL, gcLo}, // [10] ARABIC MATHEMATICAL INITIAL YEH..ARABIC MATHEMATICAL INITIAL QAF + {0x1EE34, 0x1EE37, prAL, gcLo}, // [4] ARABIC MATHEMATICAL INITIAL SHEEN..ARABIC MATHEMATICAL INITIAL KHAH + {0x1EE39, 0x1EE39, prAL, gcLo}, // ARABIC MATHEMATICAL INITIAL DAD + {0x1EE3B, 0x1EE3B, prAL, gcLo}, // ARABIC MATHEMATICAL INITIAL GHAIN + {0x1EE42, 0x1EE42, prAL, gcLo}, // ARABIC MATHEMATICAL TAILED JEEM + {0x1EE47, 0x1EE47, prAL, gcLo}, // ARABIC MATHEMATICAL TAILED HAH + {0x1EE49, 0x1EE49, prAL, gcLo}, // ARABIC MATHEMATICAL TAILED YEH + {0x1EE4B, 0x1EE4B, prAL, gcLo}, // ARABIC MATHEMATICAL TAILED LAM + {0x1EE4D, 0x1EE4F, prAL, gcLo}, // [3] ARABIC MATHEMATICAL TAILED NOON..ARABIC MATHEMATICAL TAILED AIN + {0x1EE51, 0x1EE52, prAL, gcLo}, // [2] ARABIC MATHEMATICAL TAILED SAD..ARABIC MATHEMATICAL TAILED QAF + {0x1EE54, 0x1EE54, prAL, gcLo}, // ARABIC MATHEMATICAL TAILED SHEEN + {0x1EE57, 0x1EE57, prAL, gcLo}, // ARABIC MATHEMATICAL TAILED KHAH + {0x1EE59, 0x1EE59, prAL, gcLo}, // ARABIC MATHEMATICAL TAILED DAD + {0x1EE5B, 0x1EE5B, prAL, gcLo}, // ARABIC MATHEMATICAL TAILED GHAIN + {0x1EE5D, 0x1EE5D, prAL, gcLo}, // ARABIC MATHEMATICAL TAILED DOTLESS NOON + {0x1EE5F, 0x1EE5F, prAL, gcLo}, // ARABIC MATHEMATICAL TAILED DOTLESS QAF + {0x1EE61, 0x1EE62, prAL, gcLo}, // [2] ARABIC MATHEMATICAL STRETCHED BEH..ARABIC MATHEMATICAL STRETCHED JEEM + {0x1EE64, 0x1EE64, prAL, gcLo}, // ARABIC MATHEMATICAL STRETCHED HEH + {0x1EE67, 0x1EE6A, prAL, gcLo}, // [4] ARABIC MATHEMATICAL STRETCHED HAH..ARABIC MATHEMATICAL STRETCHED KAF + {0x1EE6C, 0x1EE72, prAL, gcLo}, // [7] ARABIC MATHEMATICAL STRETCHED MEEM..ARABIC MATHEMATICAL STRETCHED QAF + {0x1EE74, 0x1EE77, prAL, gcLo}, // [4] ARABIC MATHEMATICAL STRETCHED SHEEN..ARABIC MATHEMATICAL STRETCHED KHAH + {0x1EE79, 0x1EE7C, prAL, gcLo}, // [4] ARABIC MATHEMATICAL STRETCHED DAD..ARABIC MATHEMATICAL STRETCHED DOTLESS BEH + {0x1EE7E, 0x1EE7E, prAL, gcLo}, // ARABIC MATHEMATICAL STRETCHED DOTLESS FEH + {0x1EE80, 0x1EE89, prAL, gcLo}, // [10] ARABIC MATHEMATICAL LOOPED ALEF..ARABIC MATHEMATICAL LOOPED YEH + {0x1EE8B, 0x1EE9B, prAL, gcLo}, // [17] ARABIC MATHEMATICAL LOOPED LAM..ARABIC MATHEMATICAL LOOPED GHAIN + {0x1EEA1, 0x1EEA3, prAL, gcLo}, // [3] ARABIC MATHEMATICAL DOUBLE-STRUCK BEH..ARABIC MATHEMATICAL DOUBLE-STRUCK DAL + {0x1EEA5, 0x1EEA9, prAL, gcLo}, // [5] ARABIC MATHEMATICAL DOUBLE-STRUCK WAW..ARABIC MATHEMATICAL DOUBLE-STRUCK YEH + {0x1EEAB, 0x1EEBB, prAL, gcLo}, // [17] ARABIC MATHEMATICAL DOUBLE-STRUCK LAM..ARABIC MATHEMATICAL DOUBLE-STRUCK GHAIN + {0x1EEF0, 0x1EEF1, prAL, gcSm}, // [2] ARABIC MATHEMATICAL OPERATOR MEEM WITH HAH WITH TATWEEL..ARABIC MATHEMATICAL OPERATOR HAH WITH DAL + {0x1F000, 0x1F02B, prID, gcSo}, // [44] MAHJONG TILE EAST WIND..MAHJONG TILE BACK + {0x1F02C, 0x1F02F, prID, gcCn}, // [4] .. + {0x1F030, 0x1F093, prID, gcSo}, // [100] DOMINO TILE HORIZONTAL BACK..DOMINO TILE VERTICAL-06-06 + {0x1F094, 0x1F09F, prID, gcCn}, // [12] .. + {0x1F0A0, 0x1F0AE, prID, gcSo}, // [15] PLAYING CARD BACK..PLAYING CARD KING OF SPADES + {0x1F0AF, 0x1F0B0, prID, gcCn}, // [2] .. + {0x1F0B1, 0x1F0BF, prID, gcSo}, // [15] PLAYING CARD ACE OF HEARTS..PLAYING CARD RED JOKER + {0x1F0C0, 0x1F0C0, prID, gcCn}, // + {0x1F0C1, 0x1F0CF, prID, gcSo}, // [15] PLAYING CARD ACE OF DIAMONDS..PLAYING CARD BLACK JOKER + {0x1F0D0, 0x1F0D0, prID, gcCn}, // + {0x1F0D1, 0x1F0F5, prID, gcSo}, // [37] PLAYING CARD ACE OF CLUBS..PLAYING CARD TRUMP-21 + {0x1F0F6, 0x1F0FF, prID, gcCn}, // [10] .. + {0x1F100, 0x1F10C, prAI, gcNo}, // [13] DIGIT ZERO FULL STOP..DINGBAT NEGATIVE CIRCLED SANS-SERIF DIGIT ZERO + {0x1F10D, 0x1F10F, prID, gcSo}, // [3] CIRCLED ZERO WITH SLASH..CIRCLED DOLLAR SIGN WITH OVERLAID BACKSLASH + {0x1F110, 0x1F12D, prAI, gcSo}, // [30] PARENTHESIZED LATIN CAPITAL LETTER A..CIRCLED CD + {0x1F12E, 0x1F12F, prAL, gcSo}, // [2] CIRCLED WZ..COPYLEFT SYMBOL + {0x1F130, 0x1F169, prAI, gcSo}, // [58] SQUARED LATIN CAPITAL LETTER A..NEGATIVE CIRCLED LATIN CAPITAL LETTER Z + {0x1F16A, 0x1F16C, prAL, gcSo}, // [3] RAISED MC SIGN..RAISED MR SIGN + {0x1F16D, 0x1F16F, prID, gcSo}, // [3] CIRCLED CC..CIRCLED HUMAN FIGURE + {0x1F170, 0x1F1AC, prAI, gcSo}, // [61] NEGATIVE SQUARED LATIN CAPITAL LETTER A..SQUARED VOD + {0x1F1AD, 0x1F1AD, prID, gcSo}, // MASK WORK SYMBOL + {0x1F1AE, 0x1F1E5, prID, gcCn}, // [56] .. + {0x1F1E6, 0x1F1FF, prRI, gcSo}, // [26] REGIONAL INDICATOR SYMBOL LETTER A..REGIONAL INDICATOR SYMBOL LETTER Z + {0x1F200, 0x1F202, prID, gcSo}, // [3] SQUARE HIRAGANA HOKA..SQUARED KATAKANA SA + {0x1F203, 0x1F20F, prID, gcCn}, // [13] .. + {0x1F210, 0x1F23B, prID, gcSo}, // [44] SQUARED CJK UNIFIED IDEOGRAPH-624B..SQUARED CJK UNIFIED IDEOGRAPH-914D + {0x1F23C, 0x1F23F, prID, gcCn}, // [4] .. + {0x1F240, 0x1F248, prID, gcSo}, // [9] TORTOISE SHELL BRACKETED CJK UNIFIED IDEOGRAPH-672C..TORTOISE SHELL BRACKETED CJK UNIFIED IDEOGRAPH-6557 + {0x1F249, 0x1F24F, prID, gcCn}, // [7] .. + {0x1F250, 0x1F251, prID, gcSo}, // [2] CIRCLED IDEOGRAPH ADVANTAGE..CIRCLED IDEOGRAPH ACCEPT + {0x1F252, 0x1F25F, prID, gcCn}, // [14] .. + {0x1F260, 0x1F265, prID, gcSo}, // [6] ROUNDED SYMBOL FOR FU..ROUNDED SYMBOL FOR CAI + {0x1F266, 0x1F2FF, prID, gcCn}, // [154] .. + {0x1F300, 0x1F384, prID, gcSo}, // [133] CYCLONE..CHRISTMAS TREE + {0x1F385, 0x1F385, prEB, gcSo}, // FATHER CHRISTMAS + {0x1F386, 0x1F39B, prID, gcSo}, // [22] FIREWORKS..CONTROL KNOBS + {0x1F39C, 0x1F39D, prAL, gcSo}, // [2] BEAMED ASCENDING MUSICAL NOTES..BEAMED DESCENDING MUSICAL NOTES + {0x1F39E, 0x1F3B4, prID, gcSo}, // [23] FILM FRAMES..FLOWER PLAYING CARDS + {0x1F3B5, 0x1F3B6, prAL, gcSo}, // [2] MUSICAL NOTE..MULTIPLE MUSICAL NOTES + {0x1F3B7, 0x1F3BB, prID, gcSo}, // [5] SAXOPHONE..VIOLIN + {0x1F3BC, 0x1F3BC, prAL, gcSo}, // MUSICAL SCORE + {0x1F3BD, 0x1F3C1, prID, gcSo}, // [5] RUNNING SHIRT WITH SASH..CHEQUERED FLAG + {0x1F3C2, 0x1F3C4, prEB, gcSo}, // [3] SNOWBOARDER..SURFER + {0x1F3C5, 0x1F3C6, prID, gcSo}, // [2] SPORTS MEDAL..TROPHY + {0x1F3C7, 0x1F3C7, prEB, gcSo}, // HORSE RACING + {0x1F3C8, 0x1F3C9, prID, gcSo}, // [2] AMERICAN FOOTBALL..RUGBY FOOTBALL + {0x1F3CA, 0x1F3CC, prEB, gcSo}, // [3] SWIMMER..GOLFER + {0x1F3CD, 0x1F3FA, prID, gcSo}, // [46] RACING MOTORCYCLE..AMPHORA + {0x1F3FB, 0x1F3FF, prEM, gcSk}, // [5] EMOJI MODIFIER FITZPATRICK TYPE-1-2..EMOJI MODIFIER FITZPATRICK TYPE-6 + {0x1F400, 0x1F441, prID, gcSo}, // [66] RAT..EYE + {0x1F442, 0x1F443, prEB, gcSo}, // [2] EAR..NOSE + {0x1F444, 0x1F445, prID, gcSo}, // [2] MOUTH..TONGUE + {0x1F446, 0x1F450, prEB, gcSo}, // [11] WHITE UP POINTING BACKHAND INDEX..OPEN HANDS SIGN + {0x1F451, 0x1F465, prID, gcSo}, // [21] CROWN..BUSTS IN SILHOUETTE + {0x1F466, 0x1F478, prEB, gcSo}, // [19] BOY..PRINCESS + {0x1F479, 0x1F47B, prID, gcSo}, // [3] JAPANESE OGRE..GHOST + {0x1F47C, 0x1F47C, prEB, gcSo}, // BABY ANGEL + {0x1F47D, 0x1F480, prID, gcSo}, // [4] EXTRATERRESTRIAL ALIEN..SKULL + {0x1F481, 0x1F483, prEB, gcSo}, // [3] INFORMATION DESK PERSON..DANCER + {0x1F484, 0x1F484, prID, gcSo}, // LIPSTICK + {0x1F485, 0x1F487, prEB, gcSo}, // [3] NAIL POLISH..HAIRCUT + {0x1F488, 0x1F48E, prID, gcSo}, // [7] BARBER POLE..GEM STONE + {0x1F48F, 0x1F48F, prEB, gcSo}, // KISS + {0x1F490, 0x1F490, prID, gcSo}, // BOUQUET + {0x1F491, 0x1F491, prEB, gcSo}, // COUPLE WITH HEART + {0x1F492, 0x1F49F, prID, gcSo}, // [14] WEDDING..HEART DECORATION + {0x1F4A0, 0x1F4A0, prAL, gcSo}, // DIAMOND SHAPE WITH A DOT INSIDE + {0x1F4A1, 0x1F4A1, prID, gcSo}, // ELECTRIC LIGHT BULB + {0x1F4A2, 0x1F4A2, prAL, gcSo}, // ANGER SYMBOL + {0x1F4A3, 0x1F4A3, prID, gcSo}, // BOMB + {0x1F4A4, 0x1F4A4, prAL, gcSo}, // SLEEPING SYMBOL + {0x1F4A5, 0x1F4A9, prID, gcSo}, // [5] COLLISION SYMBOL..PILE OF POO + {0x1F4AA, 0x1F4AA, prEB, gcSo}, // FLEXED BICEPS + {0x1F4AB, 0x1F4AE, prID, gcSo}, // [4] DIZZY SYMBOL..WHITE FLOWER + {0x1F4AF, 0x1F4AF, prAL, gcSo}, // HUNDRED POINTS SYMBOL + {0x1F4B0, 0x1F4B0, prID, gcSo}, // MONEY BAG + {0x1F4B1, 0x1F4B2, prAL, gcSo}, // [2] CURRENCY EXCHANGE..HEAVY DOLLAR SIGN + {0x1F4B3, 0x1F4FF, prID, gcSo}, // [77] CREDIT CARD..PRAYER BEADS + {0x1F500, 0x1F506, prAL, gcSo}, // [7] TWISTED RIGHTWARDS ARROWS..HIGH BRIGHTNESS SYMBOL + {0x1F507, 0x1F516, prID, gcSo}, // [16] SPEAKER WITH CANCELLATION STROKE..BOOKMARK + {0x1F517, 0x1F524, prAL, gcSo}, // [14] LINK SYMBOL..INPUT SYMBOL FOR LATIN LETTERS + {0x1F525, 0x1F531, prID, gcSo}, // [13] FIRE..TRIDENT EMBLEM + {0x1F532, 0x1F549, prAL, gcSo}, // [24] BLACK SQUARE BUTTON..OM SYMBOL + {0x1F54A, 0x1F573, prID, gcSo}, // [42] DOVE OF PEACE..HOLE + {0x1F574, 0x1F575, prEB, gcSo}, // [2] MAN IN BUSINESS SUIT LEVITATING..SLEUTH OR SPY + {0x1F576, 0x1F579, prID, gcSo}, // [4] DARK SUNGLASSES..JOYSTICK + {0x1F57A, 0x1F57A, prEB, gcSo}, // MAN DANCING + {0x1F57B, 0x1F58F, prID, gcSo}, // [21] LEFT HAND TELEPHONE RECEIVER..TURNED OK HAND SIGN + {0x1F590, 0x1F590, prEB, gcSo}, // RAISED HAND WITH FINGERS SPLAYED + {0x1F591, 0x1F594, prID, gcSo}, // [4] REVERSED RAISED HAND WITH FINGERS SPLAYED..REVERSED VICTORY HAND + {0x1F595, 0x1F596, prEB, gcSo}, // [2] REVERSED HAND WITH MIDDLE FINGER EXTENDED..RAISED HAND WITH PART BETWEEN MIDDLE AND RING FINGERS + {0x1F597, 0x1F5D3, prID, gcSo}, // [61] WHITE DOWN POINTING LEFT HAND INDEX..SPIRAL CALENDAR PAD + {0x1F5D4, 0x1F5DB, prAL, gcSo}, // [8] DESKTOP WINDOW..DECREASE FONT SIZE SYMBOL + {0x1F5DC, 0x1F5F3, prID, gcSo}, // [24] COMPRESSION..BALLOT BOX WITH BALLOT + {0x1F5F4, 0x1F5F9, prAL, gcSo}, // [6] BALLOT SCRIPT X..BALLOT BOX WITH BOLD CHECK + {0x1F5FA, 0x1F5FF, prID, gcSo}, // [6] WORLD MAP..MOYAI + {0x1F600, 0x1F644, prID, gcSo}, // [69] GRINNING FACE..FACE WITH ROLLING EYES + {0x1F645, 0x1F647, prEB, gcSo}, // [3] FACE WITH NO GOOD GESTURE..PERSON BOWING DEEPLY + {0x1F648, 0x1F64A, prID, gcSo}, // [3] SEE-NO-EVIL MONKEY..SPEAK-NO-EVIL MONKEY + {0x1F64B, 0x1F64F, prEB, gcSo}, // [5] HAPPY PERSON RAISING ONE HAND..PERSON WITH FOLDED HANDS + {0x1F650, 0x1F675, prAL, gcSo}, // [38] NORTH WEST POINTING LEAF..SWASH AMPERSAND ORNAMENT + {0x1F676, 0x1F678, prQU, gcSo}, // [3] SANS-SERIF HEAVY DOUBLE TURNED COMMA QUOTATION MARK ORNAMENT..SANS-SERIF HEAVY LOW DOUBLE COMMA QUOTATION MARK ORNAMENT + {0x1F679, 0x1F67B, prNS, gcSo}, // [3] HEAVY INTERROBANG ORNAMENT..HEAVY SANS-SERIF INTERROBANG ORNAMENT + {0x1F67C, 0x1F67F, prAL, gcSo}, // [4] VERY HEAVY SOLIDUS..REVERSE CHECKER BOARD + {0x1F680, 0x1F6A2, prID, gcSo}, // [35] ROCKET..SHIP + {0x1F6A3, 0x1F6A3, prEB, gcSo}, // ROWBOAT + {0x1F6A4, 0x1F6B3, prID, gcSo}, // [16] SPEEDBOAT..NO BICYCLES + {0x1F6B4, 0x1F6B6, prEB, gcSo}, // [3] BICYCLIST..PEDESTRIAN + {0x1F6B7, 0x1F6BF, prID, gcSo}, // [9] NO PEDESTRIANS..SHOWER + {0x1F6C0, 0x1F6C0, prEB, gcSo}, // BATH + {0x1F6C1, 0x1F6CB, prID, gcSo}, // [11] BATHTUB..COUCH AND LAMP + {0x1F6CC, 0x1F6CC, prEB, gcSo}, // SLEEPING ACCOMMODATION + {0x1F6CD, 0x1F6D7, prID, gcSo}, // [11] SHOPPING BAGS..ELEVATOR + {0x1F6D8, 0x1F6DB, prID, gcCn}, // [4] .. + {0x1F6DC, 0x1F6EC, prID, gcSo}, // [17] WIRELESS..AIRPLANE ARRIVING + {0x1F6ED, 0x1F6EF, prID, gcCn}, // [3] .. + {0x1F6F0, 0x1F6FC, prID, gcSo}, // [13] SATELLITE..ROLLER SKATE + {0x1F6FD, 0x1F6FF, prID, gcCn}, // [3] .. + {0x1F700, 0x1F773, prAL, gcSo}, // [116] ALCHEMICAL SYMBOL FOR QUINTESSENCE..ALCHEMICAL SYMBOL FOR HALF OUNCE + {0x1F774, 0x1F776, prID, gcSo}, // [3] LOT OF FORTUNE..LUNAR ECLIPSE + {0x1F777, 0x1F77A, prID, gcCn}, // [4] .. + {0x1F77B, 0x1F77F, prID, gcSo}, // [5] HAUMEA..ORCUS + {0x1F780, 0x1F7D4, prAL, gcSo}, // [85] BLACK LEFT-POINTING ISOSCELES RIGHT TRIANGLE..HEAVY TWELVE POINTED PINWHEEL STAR + {0x1F7D5, 0x1F7D9, prID, gcSo}, // [5] CIRCLED TRIANGLE..NINE POINTED WHITE STAR + {0x1F7DA, 0x1F7DF, prID, gcCn}, // [6] .. + {0x1F7E0, 0x1F7EB, prID, gcSo}, // [12] LARGE ORANGE CIRCLE..LARGE BROWN SQUARE + {0x1F7EC, 0x1F7EF, prID, gcCn}, // [4] .. + {0x1F7F0, 0x1F7F0, prID, gcSo}, // HEAVY EQUALS SIGN + {0x1F7F1, 0x1F7FF, prID, gcCn}, // [15] .. + {0x1F800, 0x1F80B, prAL, gcSo}, // [12] LEFTWARDS ARROW WITH SMALL TRIANGLE ARROWHEAD..DOWNWARDS ARROW WITH LARGE TRIANGLE ARROWHEAD + {0x1F80C, 0x1F80F, prID, gcCn}, // [4] .. + {0x1F810, 0x1F847, prAL, gcSo}, // [56] LEFTWARDS ARROW WITH SMALL EQUILATERAL ARROWHEAD..DOWNWARDS HEAVY ARROW + {0x1F848, 0x1F84F, prID, gcCn}, // [8] .. + {0x1F850, 0x1F859, prAL, gcSo}, // [10] LEFTWARDS SANS-SERIF ARROW..UP DOWN SANS-SERIF ARROW + {0x1F85A, 0x1F85F, prID, gcCn}, // [6] .. + {0x1F860, 0x1F887, prAL, gcSo}, // [40] WIDE-HEADED LEFTWARDS LIGHT BARB ARROW..WIDE-HEADED SOUTH WEST VERY HEAVY BARB ARROW + {0x1F888, 0x1F88F, prID, gcCn}, // [8] .. + {0x1F890, 0x1F8AD, prAL, gcSo}, // [30] LEFTWARDS TRIANGLE ARROWHEAD..WHITE ARROW SHAFT WIDTH TWO THIRDS + {0x1F8AE, 0x1F8AF, prID, gcCn}, // [2] .. + {0x1F8B0, 0x1F8B1, prID, gcSo}, // [2] ARROW POINTING UPWARDS THEN NORTH WEST..ARROW POINTING RIGHTWARDS THEN CURVING SOUTH WEST + {0x1F8B2, 0x1F8FF, prID, gcCn}, // [78] .. + {0x1F900, 0x1F90B, prAL, gcSo}, // [12] CIRCLED CROSS FORMEE WITH FOUR DOTS..DOWNWARD FACING NOTCHED HOOK WITH DOT + {0x1F90C, 0x1F90C, prEB, gcSo}, // PINCHED FINGERS + {0x1F90D, 0x1F90E, prID, gcSo}, // [2] WHITE HEART..BROWN HEART + {0x1F90F, 0x1F90F, prEB, gcSo}, // PINCHING HAND + {0x1F910, 0x1F917, prID, gcSo}, // [8] ZIPPER-MOUTH FACE..HUGGING FACE + {0x1F918, 0x1F91F, prEB, gcSo}, // [8] SIGN OF THE HORNS..I LOVE YOU HAND SIGN + {0x1F920, 0x1F925, prID, gcSo}, // [6] FACE WITH COWBOY HAT..LYING FACE + {0x1F926, 0x1F926, prEB, gcSo}, // FACE PALM + {0x1F927, 0x1F92F, prID, gcSo}, // [9] SNEEZING FACE..SHOCKED FACE WITH EXPLODING HEAD + {0x1F930, 0x1F939, prEB, gcSo}, // [10] PREGNANT WOMAN..JUGGLING + {0x1F93A, 0x1F93B, prID, gcSo}, // [2] FENCER..MODERN PENTATHLON + {0x1F93C, 0x1F93E, prEB, gcSo}, // [3] WRESTLERS..HANDBALL + {0x1F93F, 0x1F976, prID, gcSo}, // [56] DIVING MASK..FREEZING FACE + {0x1F977, 0x1F977, prEB, gcSo}, // NINJA + {0x1F978, 0x1F9B4, prID, gcSo}, // [61] DISGUISED FACE..BONE + {0x1F9B5, 0x1F9B6, prEB, gcSo}, // [2] LEG..FOOT + {0x1F9B7, 0x1F9B7, prID, gcSo}, // TOOTH + {0x1F9B8, 0x1F9B9, prEB, gcSo}, // [2] SUPERHERO..SUPERVILLAIN + {0x1F9BA, 0x1F9BA, prID, gcSo}, // SAFETY VEST + {0x1F9BB, 0x1F9BB, prEB, gcSo}, // EAR WITH HEARING AID + {0x1F9BC, 0x1F9CC, prID, gcSo}, // [17] MOTORIZED WHEELCHAIR..TROLL + {0x1F9CD, 0x1F9CF, prEB, gcSo}, // [3] STANDING PERSON..DEAF PERSON + {0x1F9D0, 0x1F9D0, prID, gcSo}, // FACE WITH MONOCLE + {0x1F9D1, 0x1F9DD, prEB, gcSo}, // [13] ADULT..ELF + {0x1F9DE, 0x1F9FF, prID, gcSo}, // [34] GENIE..NAZAR AMULET + {0x1FA00, 0x1FA53, prAL, gcSo}, // [84] NEUTRAL CHESS KING..BLACK CHESS KNIGHT-BISHOP + {0x1FA54, 0x1FA5F, prID, gcCn}, // [12] .. + {0x1FA60, 0x1FA6D, prID, gcSo}, // [14] XIANGQI RED GENERAL..XIANGQI BLACK SOLDIER + {0x1FA6E, 0x1FA6F, prID, gcCn}, // [2] .. + {0x1FA70, 0x1FA7C, prID, gcSo}, // [13] BALLET SHOES..CRUTCH + {0x1FA7D, 0x1FA7F, prID, gcCn}, // [3] .. + {0x1FA80, 0x1FA88, prID, gcSo}, // [9] YO-YO..FLUTE + {0x1FA89, 0x1FA8F, prID, gcCn}, // [7] .. + {0x1FA90, 0x1FABD, prID, gcSo}, // [46] RINGED PLANET..WING + {0x1FABE, 0x1FABE, prID, gcCn}, // + {0x1FABF, 0x1FAC2, prID, gcSo}, // [4] GOOSE..PEOPLE HUGGING + {0x1FAC3, 0x1FAC5, prEB, gcSo}, // [3] PREGNANT MAN..PERSON WITH CROWN + {0x1FAC6, 0x1FACD, prID, gcCn}, // [8] .. + {0x1FACE, 0x1FADB, prID, gcSo}, // [14] MOOSE..PEA POD + {0x1FADC, 0x1FADF, prID, gcCn}, // [4] .. + {0x1FAE0, 0x1FAE8, prID, gcSo}, // [9] MELTING FACE..SHAKING FACE + {0x1FAE9, 0x1FAEF, prID, gcCn}, // [7] .. + {0x1FAF0, 0x1FAF8, prEB, gcSo}, // [9] HAND WITH INDEX FINGER AND THUMB CROSSED..RIGHTWARDS PUSHING HAND + {0x1FAF9, 0x1FAFF, prID, gcCn}, // [7] .. + {0x1FB00, 0x1FB92, prAL, gcSo}, // [147] BLOCK SEXTANT-1..UPPER HALF INVERSE MEDIUM SHADE AND LOWER HALF BLOCK + {0x1FB94, 0x1FBCA, prAL, gcSo}, // [55] LEFT HALF INVERSE MEDIUM SHADE AND RIGHT HALF BLOCK..WHITE UP-POINTING CHEVRON + {0x1FBF0, 0x1FBF9, prNU, gcNd}, // [10] SEGMENTED DIGIT ZERO..SEGMENTED DIGIT NINE + {0x1FC00, 0x1FFFD, prID, gcCn}, // [1022] .. + {0x20000, 0x2A6DF, prID, gcLo}, // [42720] CJK UNIFIED IDEOGRAPH-20000..CJK UNIFIED IDEOGRAPH-2A6DF + {0x2A6E0, 0x2A6FF, prID, gcCn}, // [32] .. + {0x2A700, 0x2B739, prID, gcLo}, // [4154] CJK UNIFIED IDEOGRAPH-2A700..CJK UNIFIED IDEOGRAPH-2B739 + {0x2B73A, 0x2B73F, prID, gcCn}, // [6] .. + {0x2B740, 0x2B81D, prID, gcLo}, // [222] CJK UNIFIED IDEOGRAPH-2B740..CJK UNIFIED IDEOGRAPH-2B81D + {0x2B81E, 0x2B81F, prID, gcCn}, // [2] .. + {0x2B820, 0x2CEA1, prID, gcLo}, // [5762] CJK UNIFIED IDEOGRAPH-2B820..CJK UNIFIED IDEOGRAPH-2CEA1 + {0x2CEA2, 0x2CEAF, prID, gcCn}, // [14] .. + {0x2CEB0, 0x2EBE0, prID, gcLo}, // [7473] CJK UNIFIED IDEOGRAPH-2CEB0..CJK UNIFIED IDEOGRAPH-2EBE0 + {0x2EBE1, 0x2F7FF, prID, gcCn}, // [3103] .. + {0x2F800, 0x2FA1D, prID, gcLo}, // [542] CJK COMPATIBILITY IDEOGRAPH-2F800..CJK COMPATIBILITY IDEOGRAPH-2FA1D + {0x2FA1E, 0x2FA1F, prID, gcCn}, // [2] .. + {0x2FA20, 0x2FFFD, prID, gcCn}, // [1502] .. + {0x30000, 0x3134A, prID, gcLo}, // [4939] CJK UNIFIED IDEOGRAPH-30000..CJK UNIFIED IDEOGRAPH-3134A + {0x3134B, 0x3134F, prID, gcCn}, // [5] .. + {0x31350, 0x323AF, prID, gcLo}, // [4192] CJK UNIFIED IDEOGRAPH-31350..CJK UNIFIED IDEOGRAPH-323AF + {0x323B0, 0x3FFFD, prID, gcCn}, // [56398] .. + {0xE0001, 0xE0001, prCM, gcCf}, // LANGUAGE TAG + {0xE0020, 0xE007F, prCM, gcCf}, // [96] TAG SPACE..CANCEL TAG + {0xE0100, 0xE01EF, prCM, gcMn}, // [240] VARIATION SELECTOR-17..VARIATION SELECTOR-256 + {0xF0000, 0xFFFFD, prXX, gcCo}, // [65534] .. + {0x100000, 0x10FFFD, prXX, gcCo}, // [65534] .. +} diff --git a/vendor/github.com/rivo/uniseg/linerules.go b/vendor/github.com/rivo/uniseg/linerules.go new file mode 100644 index 0000000000..7708ae0fbe --- /dev/null +++ b/vendor/github.com/rivo/uniseg/linerules.go @@ -0,0 +1,626 @@ +package uniseg + +import "unicode/utf8" + +// The states of the line break parser. +const ( + lbAny = iota + lbBK + lbCR + lbLF + lbNL + lbSP + lbZW + lbWJ + lbGL + lbBA + lbHY + lbCL + lbCP + lbEX + lbIS + lbSY + lbOP + lbQU + lbQUSP + lbNS + lbCLCPSP + lbB2 + lbB2SP + lbCB + lbBB + lbLB21a + lbHL + lbAL + lbNU + lbPR + lbEB + lbIDEM + lbNUNU + lbNUSY + lbNUIS + lbNUCL + lbNUCP + lbPO + lbJL + lbJV + lbJT + lbH2 + lbH3 + lbOddRI + lbEvenRI + lbExtPicCn + lbZWJBit = 64 + lbCPeaFWHBit = 128 +) + +// These constants define whether a given text may be broken into the next line. +// If the break is optional (LineCanBreak), you may choose to break or not based +// on your own criteria, for example, if the text has reached the available +// width. +const ( + LineDontBreak = iota // You may not break the line here. + LineCanBreak // You may or may not break the line here. + LineMustBreak // You must break the line here. +) + +// lbTransitions implements the line break parser's state transitions. It's +// anologous to [grTransitions], see comments there for details. +// +// Unicode version 15.0.0. +func lbTransitions(state, prop int) (newState, lineBreak, rule int) { + switch uint64(state) | uint64(prop)<<32 { + // LB4. + case lbBK | prAny<<32: + return lbAny, LineMustBreak, 40 + + // LB5. + case lbCR | prLF<<32: + return lbLF, LineDontBreak, 50 + case lbCR | prAny<<32: + return lbAny, LineMustBreak, 50 + case lbLF | prAny<<32: + return lbAny, LineMustBreak, 50 + case lbNL | prAny<<32: + return lbAny, LineMustBreak, 50 + + // LB6. + case lbAny | prBK<<32: + return lbBK, LineDontBreak, 60 + case lbAny | prCR<<32: + return lbCR, LineDontBreak, 60 + case lbAny | prLF<<32: + return lbLF, LineDontBreak, 60 + case lbAny | prNL<<32: + return lbNL, LineDontBreak, 60 + + // LB7. + case lbAny | prSP<<32: + return lbSP, LineDontBreak, 70 + case lbAny | prZW<<32: + return lbZW, LineDontBreak, 70 + + // LB8. + case lbZW | prSP<<32: + return lbZW, LineDontBreak, 70 + case lbZW | prAny<<32: + return lbAny, LineCanBreak, 80 + + // LB11. + case lbAny | prWJ<<32: + return lbWJ, LineDontBreak, 110 + case lbWJ | prAny<<32: + return lbAny, LineDontBreak, 110 + + // LB12. + case lbAny | prGL<<32: + return lbGL, LineCanBreak, 310 + case lbGL | prAny<<32: + return lbAny, LineDontBreak, 120 + + // LB13 (simple transitions). + case lbAny | prCL<<32: + return lbCL, LineCanBreak, 310 + case lbAny | prCP<<32: + return lbCP, LineCanBreak, 310 + case lbAny | prEX<<32: + return lbEX, LineDontBreak, 130 + case lbAny | prIS<<32: + return lbIS, LineCanBreak, 310 + case lbAny | prSY<<32: + return lbSY, LineCanBreak, 310 + + // LB14. + case lbAny | prOP<<32: + return lbOP, LineCanBreak, 310 + case lbOP | prSP<<32: + return lbOP, LineDontBreak, 70 + case lbOP | prAny<<32: + return lbAny, LineDontBreak, 140 + + // LB15. + case lbQU | prSP<<32: + return lbQUSP, LineDontBreak, 70 + case lbQU | prOP<<32: + return lbOP, LineDontBreak, 150 + case lbQUSP | prOP<<32: + return lbOP, LineDontBreak, 150 + + // LB16. + case lbCL | prSP<<32: + return lbCLCPSP, LineDontBreak, 70 + case lbNUCL | prSP<<32: + return lbCLCPSP, LineDontBreak, 70 + case lbCP | prSP<<32: + return lbCLCPSP, LineDontBreak, 70 + case lbNUCP | prSP<<32: + return lbCLCPSP, LineDontBreak, 70 + case lbCL | prNS<<32: + return lbNS, LineDontBreak, 160 + case lbNUCL | prNS<<32: + return lbNS, LineDontBreak, 160 + case lbCP | prNS<<32: + return lbNS, LineDontBreak, 160 + case lbNUCP | prNS<<32: + return lbNS, LineDontBreak, 160 + case lbCLCPSP | prNS<<32: + return lbNS, LineDontBreak, 160 + + // LB17. + case lbAny | prB2<<32: + return lbB2, LineCanBreak, 310 + case lbB2 | prSP<<32: + return lbB2SP, LineDontBreak, 70 + case lbB2 | prB2<<32: + return lbB2, LineDontBreak, 170 + case lbB2SP | prB2<<32: + return lbB2, LineDontBreak, 170 + + // LB18. + case lbSP | prAny<<32: + return lbAny, LineCanBreak, 180 + case lbQUSP | prAny<<32: + return lbAny, LineCanBreak, 180 + case lbCLCPSP | prAny<<32: + return lbAny, LineCanBreak, 180 + case lbB2SP | prAny<<32: + return lbAny, LineCanBreak, 180 + + // LB19. + case lbAny | prQU<<32: + return lbQU, LineDontBreak, 190 + case lbQU | prAny<<32: + return lbAny, LineDontBreak, 190 + + // LB20. + case lbAny | prCB<<32: + return lbCB, LineCanBreak, 200 + case lbCB | prAny<<32: + return lbAny, LineCanBreak, 200 + + // LB21. + case lbAny | prBA<<32: + return lbBA, LineDontBreak, 210 + case lbAny | prHY<<32: + return lbHY, LineDontBreak, 210 + case lbAny | prNS<<32: + return lbNS, LineDontBreak, 210 + case lbAny | prBB<<32: + return lbBB, LineCanBreak, 310 + case lbBB | prAny<<32: + return lbAny, LineDontBreak, 210 + + // LB21a. + case lbAny | prHL<<32: + return lbHL, LineCanBreak, 310 + case lbHL | prHY<<32: + return lbLB21a, LineDontBreak, 210 + case lbHL | prBA<<32: + return lbLB21a, LineDontBreak, 210 + case lbLB21a | prAny<<32: + return lbAny, LineDontBreak, 211 + + // LB21b. + case lbSY | prHL<<32: + return lbHL, LineDontBreak, 212 + case lbNUSY | prHL<<32: + return lbHL, LineDontBreak, 212 + + // LB22. + case lbAny | prIN<<32: + return lbAny, LineDontBreak, 220 + + // LB23. + case lbAny | prAL<<32: + return lbAL, LineCanBreak, 310 + case lbAny | prNU<<32: + return lbNU, LineCanBreak, 310 + case lbAL | prNU<<32: + return lbNU, LineDontBreak, 230 + case lbHL | prNU<<32: + return lbNU, LineDontBreak, 230 + case lbNU | prAL<<32: + return lbAL, LineDontBreak, 230 + case lbNU | prHL<<32: + return lbHL, LineDontBreak, 230 + case lbNUNU | prAL<<32: + return lbAL, LineDontBreak, 230 + case lbNUNU | prHL<<32: + return lbHL, LineDontBreak, 230 + + // LB23a. + case lbAny | prPR<<32: + return lbPR, LineCanBreak, 310 + case lbAny | prID<<32: + return lbIDEM, LineCanBreak, 310 + case lbAny | prEB<<32: + return lbEB, LineCanBreak, 310 + case lbAny | prEM<<32: + return lbIDEM, LineCanBreak, 310 + case lbPR | prID<<32: + return lbIDEM, LineDontBreak, 231 + case lbPR | prEB<<32: + return lbEB, LineDontBreak, 231 + case lbPR | prEM<<32: + return lbIDEM, LineDontBreak, 231 + case lbIDEM | prPO<<32: + return lbPO, LineDontBreak, 231 + case lbEB | prPO<<32: + return lbPO, LineDontBreak, 231 + + // LB24. + case lbAny | prPO<<32: + return lbPO, LineCanBreak, 310 + case lbPR | prAL<<32: + return lbAL, LineDontBreak, 240 + case lbPR | prHL<<32: + return lbHL, LineDontBreak, 240 + case lbPO | prAL<<32: + return lbAL, LineDontBreak, 240 + case lbPO | prHL<<32: + return lbHL, LineDontBreak, 240 + case lbAL | prPR<<32: + return lbPR, LineDontBreak, 240 + case lbAL | prPO<<32: + return lbPO, LineDontBreak, 240 + case lbHL | prPR<<32: + return lbPR, LineDontBreak, 240 + case lbHL | prPO<<32: + return lbPO, LineDontBreak, 240 + + // LB25 (simple transitions). + case lbPR | prNU<<32: + return lbNU, LineDontBreak, 250 + case lbPO | prNU<<32: + return lbNU, LineDontBreak, 250 + case lbOP | prNU<<32: + return lbNU, LineDontBreak, 250 + case lbHY | prNU<<32: + return lbNU, LineDontBreak, 250 + case lbNU | prNU<<32: + return lbNUNU, LineDontBreak, 250 + case lbNU | prSY<<32: + return lbNUSY, LineDontBreak, 250 + case lbNU | prIS<<32: + return lbNUIS, LineDontBreak, 250 + case lbNUNU | prNU<<32: + return lbNUNU, LineDontBreak, 250 + case lbNUNU | prSY<<32: + return lbNUSY, LineDontBreak, 250 + case lbNUNU | prIS<<32: + return lbNUIS, LineDontBreak, 250 + case lbNUSY | prNU<<32: + return lbNUNU, LineDontBreak, 250 + case lbNUSY | prSY<<32: + return lbNUSY, LineDontBreak, 250 + case lbNUSY | prIS<<32: + return lbNUIS, LineDontBreak, 250 + case lbNUIS | prNU<<32: + return lbNUNU, LineDontBreak, 250 + case lbNUIS | prSY<<32: + return lbNUSY, LineDontBreak, 250 + case lbNUIS | prIS<<32: + return lbNUIS, LineDontBreak, 250 + case lbNU | prCL<<32: + return lbNUCL, LineDontBreak, 250 + case lbNU | prCP<<32: + return lbNUCP, LineDontBreak, 250 + case lbNUNU | prCL<<32: + return lbNUCL, LineDontBreak, 250 + case lbNUNU | prCP<<32: + return lbNUCP, LineDontBreak, 250 + case lbNUSY | prCL<<32: + return lbNUCL, LineDontBreak, 250 + case lbNUSY | prCP<<32: + return lbNUCP, LineDontBreak, 250 + case lbNUIS | prCL<<32: + return lbNUCL, LineDontBreak, 250 + case lbNUIS | prCP<<32: + return lbNUCP, LineDontBreak, 250 + case lbNU | prPO<<32: + return lbPO, LineDontBreak, 250 + case lbNUNU | prPO<<32: + return lbPO, LineDontBreak, 250 + case lbNUSY | prPO<<32: + return lbPO, LineDontBreak, 250 + case lbNUIS | prPO<<32: + return lbPO, LineDontBreak, 250 + case lbNUCL | prPO<<32: + return lbPO, LineDontBreak, 250 + case lbNUCP | prPO<<32: + return lbPO, LineDontBreak, 250 + case lbNU | prPR<<32: + return lbPR, LineDontBreak, 250 + case lbNUNU | prPR<<32: + return lbPR, LineDontBreak, 250 + case lbNUSY | prPR<<32: + return lbPR, LineDontBreak, 250 + case lbNUIS | prPR<<32: + return lbPR, LineDontBreak, 250 + case lbNUCL | prPR<<32: + return lbPR, LineDontBreak, 250 + case lbNUCP | prPR<<32: + return lbPR, LineDontBreak, 250 + + // LB26. + case lbAny | prJL<<32: + return lbJL, LineCanBreak, 310 + case lbAny | prJV<<32: + return lbJV, LineCanBreak, 310 + case lbAny | prJT<<32: + return lbJT, LineCanBreak, 310 + case lbAny | prH2<<32: + return lbH2, LineCanBreak, 310 + case lbAny | prH3<<32: + return lbH3, LineCanBreak, 310 + case lbJL | prJL<<32: + return lbJL, LineDontBreak, 260 + case lbJL | prJV<<32: + return lbJV, LineDontBreak, 260 + case lbJL | prH2<<32: + return lbH2, LineDontBreak, 260 + case lbJL | prH3<<32: + return lbH3, LineDontBreak, 260 + case lbJV | prJV<<32: + return lbJV, LineDontBreak, 260 + case lbJV | prJT<<32: + return lbJT, LineDontBreak, 260 + case lbH2 | prJV<<32: + return lbJV, LineDontBreak, 260 + case lbH2 | prJT<<32: + return lbJT, LineDontBreak, 260 + case lbJT | prJT<<32: + return lbJT, LineDontBreak, 260 + case lbH3 | prJT<<32: + return lbJT, LineDontBreak, 260 + + // LB27. + case lbJL | prPO<<32: + return lbPO, LineDontBreak, 270 + case lbJV | prPO<<32: + return lbPO, LineDontBreak, 270 + case lbJT | prPO<<32: + return lbPO, LineDontBreak, 270 + case lbH2 | prPO<<32: + return lbPO, LineDontBreak, 270 + case lbH3 | prPO<<32: + return lbPO, LineDontBreak, 270 + case lbPR | prJL<<32: + return lbJL, LineDontBreak, 270 + case lbPR | prJV<<32: + return lbJV, LineDontBreak, 270 + case lbPR | prJT<<32: + return lbJT, LineDontBreak, 270 + case lbPR | prH2<<32: + return lbH2, LineDontBreak, 270 + case lbPR | prH3<<32: + return lbH3, LineDontBreak, 270 + + // LB28. + case lbAL | prAL<<32: + return lbAL, LineDontBreak, 280 + case lbAL | prHL<<32: + return lbHL, LineDontBreak, 280 + case lbHL | prAL<<32: + return lbAL, LineDontBreak, 280 + case lbHL | prHL<<32: + return lbHL, LineDontBreak, 280 + + // LB29. + case lbIS | prAL<<32: + return lbAL, LineDontBreak, 290 + case lbIS | prHL<<32: + return lbHL, LineDontBreak, 290 + case lbNUIS | prAL<<32: + return lbAL, LineDontBreak, 290 + case lbNUIS | prHL<<32: + return lbHL, LineDontBreak, 290 + + default: + return -1, -1, -1 + } +} + +// transitionLineBreakState determines the new state of the line break parser +// given the current state and the next code point. It also returns the type of +// line break: LineDontBreak, LineCanBreak, or LineMustBreak. If more than one +// code point is needed to determine the new state, the byte slice or the string +// starting after rune "r" can be used (whichever is not nil or empty) for +// further lookups. +func transitionLineBreakState(state int, r rune, b []byte, str string) (newState int, lineBreak int) { + // Determine the property of the next character. + nextProperty, generalCategory := propertyLineBreak(r) + + // Prepare. + var forceNoBreak, isCPeaFWH bool + if state >= 0 && state&lbCPeaFWHBit != 0 { + isCPeaFWH = true // LB30: CP but ea is not F, W, or H. + state = state &^ lbCPeaFWHBit + } + if state >= 0 && state&lbZWJBit != 0 { + state = state &^ lbZWJBit // Extract zero-width joiner bit. + forceNoBreak = true // LB8a. + } + + defer func() { + // Transition into LB30. + if newState == lbCP || newState == lbNUCP { + ea := propertyEastAsianWidth(r) + if ea != prF && ea != prW && ea != prH { + newState |= lbCPeaFWHBit + } + } + + // Override break. + if forceNoBreak { + lineBreak = LineDontBreak + } + }() + + // LB1. + if nextProperty == prAI || nextProperty == prSG || nextProperty == prXX { + nextProperty = prAL + } else if nextProperty == prSA { + if generalCategory == gcMn || generalCategory == gcMc { + nextProperty = prCM + } else { + nextProperty = prAL + } + } else if nextProperty == prCJ { + nextProperty = prNS + } + + // Combining marks. + if nextProperty == prZWJ || nextProperty == prCM { + var bit int + if nextProperty == prZWJ { + bit = lbZWJBit + } + mustBreakState := state < 0 || state == lbBK || state == lbCR || state == lbLF || state == lbNL + if !mustBreakState && state != lbSP && state != lbZW && state != lbQUSP && state != lbCLCPSP && state != lbB2SP { + // LB9. + return state | bit, LineDontBreak + } else { + // LB10. + if mustBreakState { + return lbAL | bit, LineMustBreak + } + return lbAL | bit, LineCanBreak + } + } + + // Find the applicable transition in the table. + var rule int + newState, lineBreak, rule = lbTransitions(state, nextProperty) + if newState < 0 { + // No specific transition found. Try the less specific ones. + anyPropProp, anyPropLineBreak, anyPropRule := lbTransitions(state, prAny) + anyStateProp, anyStateLineBreak, anyStateRule := lbTransitions(lbAny, nextProperty) + if anyPropProp >= 0 && anyStateProp >= 0 { + // Both apply. We'll use a mix (see comments for grTransitions). + newState, lineBreak, rule = anyStateProp, anyStateLineBreak, anyStateRule + if anyPropRule < anyStateRule { + lineBreak, rule = anyPropLineBreak, anyPropRule + } + } else if anyPropProp >= 0 { + // We only have a specific state. + newState, lineBreak, rule = anyPropProp, anyPropLineBreak, anyPropRule + // This branch will probably never be reached because okAnyState will + // always be true given the current transition map. But we keep it here + // for future modifications to the transition map where this may not be + // true anymore. + } else if anyStateProp >= 0 { + // We only have a specific property. + newState, lineBreak, rule = anyStateProp, anyStateLineBreak, anyStateRule + } else { + // No known transition. LB31: ALL ÷ ALL. + newState, lineBreak, rule = lbAny, LineCanBreak, 310 + } + } + + // LB12a. + if rule > 121 && + nextProperty == prGL && + (state != lbSP && state != lbBA && state != lbHY && state != lbLB21a && state != lbQUSP && state != lbCLCPSP && state != lbB2SP) { + return lbGL, LineDontBreak + } + + // LB13. + if rule > 130 && state != lbNU && state != lbNUNU { + switch nextProperty { + case prCL: + return lbCL, LineDontBreak + case prCP: + return lbCP, LineDontBreak + case prIS: + return lbIS, LineDontBreak + case prSY: + return lbSY, LineDontBreak + } + } + + // LB25 (look ahead). + if rule > 250 && + (state == lbPR || state == lbPO) && + nextProperty == prOP || nextProperty == prHY { + var r rune + if b != nil { // Byte slice version. + r, _ = utf8.DecodeRune(b) + } else { // String version. + r, _ = utf8.DecodeRuneInString(str) + } + if r != utf8.RuneError { + pr, _ := propertyLineBreak(r) + if pr == prNU { + return lbNU, LineDontBreak + } + } + } + + // LB30 (part one). + if rule > 300 { + if (state == lbAL || state == lbHL || state == lbNU || state == lbNUNU) && nextProperty == prOP { + ea := propertyEastAsianWidth(r) + if ea != prF && ea != prW && ea != prH { + return lbOP, LineDontBreak + } + } else if isCPeaFWH { + switch nextProperty { + case prAL: + return lbAL, LineDontBreak + case prHL: + return lbHL, LineDontBreak + case prNU: + return lbNU, LineDontBreak + } + } + } + + // LB30a. + if newState == lbAny && nextProperty == prRI { + if state != lbOddRI && state != lbEvenRI { // Includes state == -1. + // Transition into the first RI. + return lbOddRI, lineBreak + } + if state == lbOddRI { + // Don't break pairs of Regional Indicators. + return lbEvenRI, LineDontBreak + } + return lbOddRI, lineBreak + } + + // LB30b. + if rule > 302 { + if nextProperty == prEM { + if state == lbEB || state == lbExtPicCn { + return prAny, LineDontBreak + } + } + graphemeProperty := propertyGraphemes(r) + if graphemeProperty == prExtendedPictographic && generalCategory == gcCn { + return lbExtPicCn, LineCanBreak + } + } + + return +} diff --git a/vendor/github.com/rivo/uniseg/properties.go b/vendor/github.com/rivo/uniseg/properties.go new file mode 100644 index 0000000000..6290e6810f --- /dev/null +++ b/vendor/github.com/rivo/uniseg/properties.go @@ -0,0 +1,208 @@ +package uniseg + +// The Unicode properties as used in the various parsers. Only the ones needed +// in the context of this package are included. +const ( + prXX = 0 // Same as prAny. + prAny = iota // prAny must be 0. + prPrepend // Grapheme properties must come first, to reduce the number of bits stored in the state vector. + prCR + prLF + prControl + prExtend + prRegionalIndicator + prSpacingMark + prL + prV + prT + prLV + prLVT + prZWJ + prExtendedPictographic + prNewline + prWSegSpace + prDoubleQuote + prSingleQuote + prMidNumLet + prNumeric + prMidLetter + prMidNum + prExtendNumLet + prALetter + prFormat + prHebrewLetter + prKatakana + prSp + prSTerm + prClose + prSContinue + prATerm + prUpper + prLower + prSep + prOLetter + prCM + prBA + prBK + prSP + prEX + prQU + prAL + prPR + prPO + prOP + prCP + prIS + prHY + prSY + prNU + prCL + prNL + prGL + prAI + prBB + prHL + prSA + prJL + prJV + prJT + prNS + prZW + prB2 + prIN + prWJ + prID + prEB + prCJ + prH2 + prH3 + prSG + prCB + prRI + prEM + prN + prNa + prA + prW + prH + prF + prEmojiPresentation +) + +// Unicode General Categories. Only the ones needed in the context of this +// package are included. +const ( + gcNone = iota // gcNone must be 0. + gcCc + gcZs + gcPo + gcSc + gcPs + gcPe + gcSm + gcPd + gcNd + gcLu + gcSk + gcPc + gcLl + gcSo + gcLo + gcPi + gcCf + gcNo + gcPf + gcLC + gcLm + gcMn + gcMe + gcMc + gcNl + gcZl + gcZp + gcCn + gcCs + gcCo +) + +// Special code points. +const ( + vs15 = 0xfe0e // Variation Selector-15 (text presentation) + vs16 = 0xfe0f // Variation Selector-16 (emoji presentation) +) + +// propertySearch performs a binary search on a property slice and returns the +// entry whose range (start = first array element, end = second array element) +// includes r, or an array of 0's if no such entry was found. +func propertySearch[E interface{ [3]int | [4]int }](dictionary []E, r rune) (result E) { + // Run a binary search. + from := 0 + to := len(dictionary) + for to > from { + middle := (from + to) / 2 + cpRange := dictionary[middle] + if int(r) < cpRange[0] { + to = middle + continue + } + if int(r) > cpRange[1] { + from = middle + 1 + continue + } + return cpRange + } + return +} + +// property returns the Unicode property value (see constants above) of the +// given code point. +func property(dictionary [][3]int, r rune) int { + return propertySearch(dictionary, r)[2] +} + +// propertyLineBreak returns the Unicode property value and General Category +// (see constants above) of the given code point, as listed in the line break +// code points table, while fast tracking ASCII digits and letters. +func propertyLineBreak(r rune) (property, generalCategory int) { + if r >= 'a' && r <= 'z' { + return prAL, gcLl + } + if r >= 'A' && r <= 'Z' { + return prAL, gcLu + } + if r >= '0' && r <= '9' { + return prNU, gcNd + } + entry := propertySearch(lineBreakCodePoints, r) + return entry[2], entry[3] +} + +// propertyGraphemes returns the Unicode grapheme cluster property value of the +// given code point while fast tracking ASCII characters. +func propertyGraphemes(r rune) int { + if r >= 0x20 && r <= 0x7e { + return prAny + } + if r == 0x0a { + return prLF + } + if r == 0x0d { + return prCR + } + if r >= 0 && r <= 0x1f || r == 0x7f { + return prControl + } + return property(graphemeCodePoints, r) +} + +// propertyEastAsianWidth returns the Unicode East Asian Width property value of +// the given code point while fast tracking ASCII characters. +func propertyEastAsianWidth(r rune) int { + if r >= 0x20 && r <= 0x7e { + return prNa + } + if r >= 0 && r <= 0x1f || r == 0x7f { + return prN + } + return property(eastAsianWidth, r) +} diff --git a/vendor/github.com/rivo/uniseg/sentence.go b/vendor/github.com/rivo/uniseg/sentence.go new file mode 100644 index 0000000000..adc2a35773 --- /dev/null +++ b/vendor/github.com/rivo/uniseg/sentence.go @@ -0,0 +1,90 @@ +package uniseg + +import "unicode/utf8" + +// FirstSentence returns the first sentence found in the given byte slice +// according to the rules of [Unicode Standard Annex #29, Sentence Boundaries]. +// This function can be called continuously to extract all sentences from a byte +// slice, as illustrated in the example below. +// +// If you don't know the current state, for example when calling the function +// for the first time, you must pass -1. For consecutive calls, pass the state +// and rest slice returned by the previous call. +// +// The "rest" slice is the sub-slice of the original byte slice "b" starting +// after the last byte of the identified sentence. If the length of the "rest" +// slice is 0, the entire byte slice "b" has been processed. The "sentence" byte +// slice is the sub-slice of the input slice containing the identified sentence. +// +// Given an empty byte slice "b", the function returns nil values. +// +// [Unicode Standard Annex #29, Sentence Boundaries]: http://unicode.org/reports/tr29/#Sentence_Boundaries +func FirstSentence(b []byte, state int) (sentence, rest []byte, newState int) { + // An empty byte slice returns nothing. + if len(b) == 0 { + return + } + + // Extract the first rune. + r, length := utf8.DecodeRune(b) + if len(b) <= length { // If we're already past the end, there is nothing else to parse. + return b, nil, sbAny + } + + // If we don't know the state, determine it now. + if state < 0 { + state, _ = transitionSentenceBreakState(state, r, b[length:], "") + } + + // Transition until we find a boundary. + var boundary bool + for { + r, l := utf8.DecodeRune(b[length:]) + state, boundary = transitionSentenceBreakState(state, r, b[length+l:], "") + + if boundary { + return b[:length], b[length:], state + } + + length += l + if len(b) <= length { + return b, nil, sbAny + } + } +} + +// FirstSentenceInString is like [FirstSentence] but its input and outputs are +// strings. +func FirstSentenceInString(str string, state int) (sentence, rest string, newState int) { + // An empty byte slice returns nothing. + if len(str) == 0 { + return + } + + // Extract the first rune. + r, length := utf8.DecodeRuneInString(str) + if len(str) <= length { // If we're already past the end, there is nothing else to parse. + return str, "", sbAny + } + + // If we don't know the state, determine it now. + if state < 0 { + state, _ = transitionSentenceBreakState(state, r, nil, str[length:]) + } + + // Transition until we find a boundary. + var boundary bool + for { + r, l := utf8.DecodeRuneInString(str[length:]) + state, boundary = transitionSentenceBreakState(state, r, nil, str[length+l:]) + + if boundary { + return str[:length], str[length:], state + } + + length += l + if len(str) <= length { + return str, "", sbAny + } + } +} diff --git a/vendor/github.com/rivo/uniseg/sentenceproperties.go b/vendor/github.com/rivo/uniseg/sentenceproperties.go new file mode 100644 index 0000000000..67717ec1f3 --- /dev/null +++ b/vendor/github.com/rivo/uniseg/sentenceproperties.go @@ -0,0 +1,2845 @@ +// Code generated via go generate from gen_properties.go. DO NOT EDIT. + +package uniseg + +// sentenceBreakCodePoints are taken from +// https://www.unicode.org/Public/15.0.0/ucd/auxiliary/SentenceBreakProperty.txt +// and +// https://unicode.org/Public/15.0.0/ucd/emoji/emoji-data.txt +// ("Extended_Pictographic" only) +// on September 5, 2023. See https://www.unicode.org/license.html for the Unicode +// license agreement. +var sentenceBreakCodePoints = [][3]int{ + {0x0009, 0x0009, prSp}, // Cc + {0x000A, 0x000A, prLF}, // Cc + {0x000B, 0x000C, prSp}, // Cc [2] .. + {0x000D, 0x000D, prCR}, // Cc + {0x0020, 0x0020, prSp}, // Zs SPACE + {0x0021, 0x0021, prSTerm}, // Po EXCLAMATION MARK + {0x0022, 0x0022, prClose}, // Po QUOTATION MARK + {0x0027, 0x0027, prClose}, // Po APOSTROPHE + {0x0028, 0x0028, prClose}, // Ps LEFT PARENTHESIS + {0x0029, 0x0029, prClose}, // Pe RIGHT PARENTHESIS + {0x002C, 0x002C, prSContinue}, // Po COMMA + {0x002D, 0x002D, prSContinue}, // Pd HYPHEN-MINUS + {0x002E, 0x002E, prATerm}, // Po FULL STOP + {0x0030, 0x0039, prNumeric}, // Nd [10] DIGIT ZERO..DIGIT NINE + {0x003A, 0x003A, prSContinue}, // Po COLON + {0x003F, 0x003F, prSTerm}, // Po QUESTION MARK + {0x0041, 0x005A, prUpper}, // L& [26] LATIN CAPITAL LETTER A..LATIN CAPITAL LETTER Z + {0x005B, 0x005B, prClose}, // Ps LEFT SQUARE BRACKET + {0x005D, 0x005D, prClose}, // Pe RIGHT SQUARE BRACKET + {0x0061, 0x007A, prLower}, // L& [26] LATIN SMALL LETTER A..LATIN SMALL LETTER Z + {0x007B, 0x007B, prClose}, // Ps LEFT CURLY BRACKET + {0x007D, 0x007D, prClose}, // Pe RIGHT CURLY BRACKET + {0x0085, 0x0085, prSep}, // Cc + {0x00A0, 0x00A0, prSp}, // Zs NO-BREAK SPACE + {0x00AA, 0x00AA, prLower}, // Lo FEMININE ORDINAL INDICATOR + {0x00AB, 0x00AB, prClose}, // Pi LEFT-POINTING DOUBLE ANGLE QUOTATION MARK + {0x00AD, 0x00AD, prFormat}, // Cf SOFT HYPHEN + {0x00B5, 0x00B5, prLower}, // L& MICRO SIGN + {0x00BA, 0x00BA, prLower}, // Lo MASCULINE ORDINAL INDICATOR + {0x00BB, 0x00BB, prClose}, // Pf RIGHT-POINTING DOUBLE ANGLE QUOTATION MARK + {0x00C0, 0x00D6, prUpper}, // L& [23] LATIN CAPITAL LETTER A WITH GRAVE..LATIN CAPITAL LETTER O WITH DIAERESIS + {0x00D8, 0x00DE, prUpper}, // L& [7] LATIN CAPITAL LETTER O WITH STROKE..LATIN CAPITAL LETTER THORN + {0x00DF, 0x00F6, prLower}, // L& [24] LATIN SMALL LETTER SHARP S..LATIN SMALL LETTER O WITH DIAERESIS + {0x00F8, 0x00FF, prLower}, // L& [8] LATIN SMALL LETTER O WITH STROKE..LATIN SMALL LETTER Y WITH DIAERESIS + {0x0100, 0x0100, prUpper}, // L& LATIN CAPITAL LETTER A WITH MACRON + {0x0101, 0x0101, prLower}, // L& LATIN SMALL LETTER A WITH MACRON + {0x0102, 0x0102, prUpper}, // L& LATIN CAPITAL LETTER A WITH BREVE + {0x0103, 0x0103, prLower}, // L& LATIN SMALL LETTER A WITH BREVE + {0x0104, 0x0104, prUpper}, // L& LATIN CAPITAL LETTER A WITH OGONEK + {0x0105, 0x0105, prLower}, // L& LATIN SMALL LETTER A WITH OGONEK + {0x0106, 0x0106, prUpper}, // L& LATIN CAPITAL LETTER C WITH ACUTE + {0x0107, 0x0107, prLower}, // L& LATIN SMALL LETTER C WITH ACUTE + {0x0108, 0x0108, prUpper}, // L& LATIN CAPITAL LETTER C WITH CIRCUMFLEX + {0x0109, 0x0109, prLower}, // L& LATIN SMALL LETTER C WITH CIRCUMFLEX + {0x010A, 0x010A, prUpper}, // L& LATIN CAPITAL LETTER C WITH DOT ABOVE + {0x010B, 0x010B, prLower}, // L& LATIN SMALL LETTER C WITH DOT ABOVE + {0x010C, 0x010C, prUpper}, // L& LATIN CAPITAL LETTER C WITH CARON + {0x010D, 0x010D, prLower}, // L& LATIN SMALL LETTER C WITH CARON + {0x010E, 0x010E, prUpper}, // L& LATIN CAPITAL LETTER D WITH CARON + {0x010F, 0x010F, prLower}, // L& LATIN SMALL LETTER D WITH CARON + {0x0110, 0x0110, prUpper}, // L& LATIN CAPITAL LETTER D WITH STROKE + {0x0111, 0x0111, prLower}, // L& LATIN SMALL LETTER D WITH STROKE + {0x0112, 0x0112, prUpper}, // L& LATIN CAPITAL LETTER E WITH MACRON + {0x0113, 0x0113, prLower}, // L& LATIN SMALL LETTER E WITH MACRON + {0x0114, 0x0114, prUpper}, // L& LATIN CAPITAL LETTER E WITH BREVE + {0x0115, 0x0115, prLower}, // L& LATIN SMALL LETTER E WITH BREVE + {0x0116, 0x0116, prUpper}, // L& LATIN CAPITAL LETTER E WITH DOT ABOVE + {0x0117, 0x0117, prLower}, // L& LATIN SMALL LETTER E WITH DOT ABOVE + {0x0118, 0x0118, prUpper}, // L& LATIN CAPITAL LETTER E WITH OGONEK + {0x0119, 0x0119, prLower}, // L& LATIN SMALL LETTER E WITH OGONEK + {0x011A, 0x011A, prUpper}, // L& LATIN CAPITAL LETTER E WITH CARON + {0x011B, 0x011B, prLower}, // L& LATIN SMALL LETTER E WITH CARON + {0x011C, 0x011C, prUpper}, // L& LATIN CAPITAL LETTER G WITH CIRCUMFLEX + {0x011D, 0x011D, prLower}, // L& LATIN SMALL LETTER G WITH CIRCUMFLEX + {0x011E, 0x011E, prUpper}, // L& LATIN CAPITAL LETTER G WITH BREVE + {0x011F, 0x011F, prLower}, // L& LATIN SMALL LETTER G WITH BREVE + {0x0120, 0x0120, prUpper}, // L& LATIN CAPITAL LETTER G WITH DOT ABOVE + {0x0121, 0x0121, prLower}, // L& LATIN SMALL LETTER G WITH DOT ABOVE + {0x0122, 0x0122, prUpper}, // L& LATIN CAPITAL LETTER G WITH CEDILLA + {0x0123, 0x0123, prLower}, // L& LATIN SMALL LETTER G WITH CEDILLA + {0x0124, 0x0124, prUpper}, // L& LATIN CAPITAL LETTER H WITH CIRCUMFLEX + {0x0125, 0x0125, prLower}, // L& LATIN SMALL LETTER H WITH CIRCUMFLEX + {0x0126, 0x0126, prUpper}, // L& LATIN CAPITAL LETTER H WITH STROKE + {0x0127, 0x0127, prLower}, // L& LATIN SMALL LETTER H WITH STROKE + {0x0128, 0x0128, prUpper}, // L& LATIN CAPITAL LETTER I WITH TILDE + {0x0129, 0x0129, prLower}, // L& LATIN SMALL LETTER I WITH TILDE + {0x012A, 0x012A, prUpper}, // L& LATIN CAPITAL LETTER I WITH MACRON + {0x012B, 0x012B, prLower}, // L& LATIN SMALL LETTER I WITH MACRON + {0x012C, 0x012C, prUpper}, // L& LATIN CAPITAL LETTER I WITH BREVE + {0x012D, 0x012D, prLower}, // L& LATIN SMALL LETTER I WITH BREVE + {0x012E, 0x012E, prUpper}, // L& LATIN CAPITAL LETTER I WITH OGONEK + {0x012F, 0x012F, prLower}, // L& LATIN SMALL LETTER I WITH OGONEK + {0x0130, 0x0130, prUpper}, // L& LATIN CAPITAL LETTER I WITH DOT ABOVE + {0x0131, 0x0131, prLower}, // L& LATIN SMALL LETTER DOTLESS I + {0x0132, 0x0132, prUpper}, // L& LATIN CAPITAL LIGATURE IJ + {0x0133, 0x0133, prLower}, // L& LATIN SMALL LIGATURE IJ + {0x0134, 0x0134, prUpper}, // L& LATIN CAPITAL LETTER J WITH CIRCUMFLEX + {0x0135, 0x0135, prLower}, // L& LATIN SMALL LETTER J WITH CIRCUMFLEX + {0x0136, 0x0136, prUpper}, // L& LATIN CAPITAL LETTER K WITH CEDILLA + {0x0137, 0x0138, prLower}, // L& [2] LATIN SMALL LETTER K WITH CEDILLA..LATIN SMALL LETTER KRA + {0x0139, 0x0139, prUpper}, // L& LATIN CAPITAL LETTER L WITH ACUTE + {0x013A, 0x013A, prLower}, // L& LATIN SMALL LETTER L WITH ACUTE + {0x013B, 0x013B, prUpper}, // L& LATIN CAPITAL LETTER L WITH CEDILLA + {0x013C, 0x013C, prLower}, // L& LATIN SMALL LETTER L WITH CEDILLA + {0x013D, 0x013D, prUpper}, // L& LATIN CAPITAL LETTER L WITH CARON + {0x013E, 0x013E, prLower}, // L& LATIN SMALL LETTER L WITH CARON + {0x013F, 0x013F, prUpper}, // L& LATIN CAPITAL LETTER L WITH MIDDLE DOT + {0x0140, 0x0140, prLower}, // L& LATIN SMALL LETTER L WITH MIDDLE DOT + {0x0141, 0x0141, prUpper}, // L& LATIN CAPITAL LETTER L WITH STROKE + {0x0142, 0x0142, prLower}, // L& LATIN SMALL LETTER L WITH STROKE + {0x0143, 0x0143, prUpper}, // L& LATIN CAPITAL LETTER N WITH ACUTE + {0x0144, 0x0144, prLower}, // L& LATIN SMALL LETTER N WITH ACUTE + {0x0145, 0x0145, prUpper}, // L& LATIN CAPITAL LETTER N WITH CEDILLA + {0x0146, 0x0146, prLower}, // L& LATIN SMALL LETTER N WITH CEDILLA + {0x0147, 0x0147, prUpper}, // L& LATIN CAPITAL LETTER N WITH CARON + {0x0148, 0x0149, prLower}, // L& [2] LATIN SMALL LETTER N WITH CARON..LATIN SMALL LETTER N PRECEDED BY APOSTROPHE + {0x014A, 0x014A, prUpper}, // L& LATIN CAPITAL LETTER ENG + {0x014B, 0x014B, prLower}, // L& LATIN SMALL LETTER ENG + {0x014C, 0x014C, prUpper}, // L& LATIN CAPITAL LETTER O WITH MACRON + {0x014D, 0x014D, prLower}, // L& LATIN SMALL LETTER O WITH MACRON + {0x014E, 0x014E, prUpper}, // L& LATIN CAPITAL LETTER O WITH BREVE + {0x014F, 0x014F, prLower}, // L& LATIN SMALL LETTER O WITH BREVE + {0x0150, 0x0150, prUpper}, // L& LATIN CAPITAL LETTER O WITH DOUBLE ACUTE + {0x0151, 0x0151, prLower}, // L& LATIN SMALL LETTER O WITH DOUBLE ACUTE + {0x0152, 0x0152, prUpper}, // L& LATIN CAPITAL LIGATURE OE + {0x0153, 0x0153, prLower}, // L& LATIN SMALL LIGATURE OE + {0x0154, 0x0154, prUpper}, // L& LATIN CAPITAL LETTER R WITH ACUTE + {0x0155, 0x0155, prLower}, // L& LATIN SMALL LETTER R WITH ACUTE + {0x0156, 0x0156, prUpper}, // L& LATIN CAPITAL LETTER R WITH CEDILLA + {0x0157, 0x0157, prLower}, // L& LATIN SMALL LETTER R WITH CEDILLA + {0x0158, 0x0158, prUpper}, // L& LATIN CAPITAL LETTER R WITH CARON + {0x0159, 0x0159, prLower}, // L& LATIN SMALL LETTER R WITH CARON + {0x015A, 0x015A, prUpper}, // L& LATIN CAPITAL LETTER S WITH ACUTE + {0x015B, 0x015B, prLower}, // L& LATIN SMALL LETTER S WITH ACUTE + {0x015C, 0x015C, prUpper}, // L& LATIN CAPITAL LETTER S WITH CIRCUMFLEX + {0x015D, 0x015D, prLower}, // L& LATIN SMALL LETTER S WITH CIRCUMFLEX + {0x015E, 0x015E, prUpper}, // L& LATIN CAPITAL LETTER S WITH CEDILLA + {0x015F, 0x015F, prLower}, // L& LATIN SMALL LETTER S WITH CEDILLA + {0x0160, 0x0160, prUpper}, // L& LATIN CAPITAL LETTER S WITH CARON + {0x0161, 0x0161, prLower}, // L& LATIN SMALL LETTER S WITH CARON + {0x0162, 0x0162, prUpper}, // L& LATIN CAPITAL LETTER T WITH CEDILLA + {0x0163, 0x0163, prLower}, // L& LATIN SMALL LETTER T WITH CEDILLA + {0x0164, 0x0164, prUpper}, // L& LATIN CAPITAL LETTER T WITH CARON + {0x0165, 0x0165, prLower}, // L& LATIN SMALL LETTER T WITH CARON + {0x0166, 0x0166, prUpper}, // L& LATIN CAPITAL LETTER T WITH STROKE + {0x0167, 0x0167, prLower}, // L& LATIN SMALL LETTER T WITH STROKE + {0x0168, 0x0168, prUpper}, // L& LATIN CAPITAL LETTER U WITH TILDE + {0x0169, 0x0169, prLower}, // L& LATIN SMALL LETTER U WITH TILDE + {0x016A, 0x016A, prUpper}, // L& LATIN CAPITAL LETTER U WITH MACRON + {0x016B, 0x016B, prLower}, // L& LATIN SMALL LETTER U WITH MACRON + {0x016C, 0x016C, prUpper}, // L& LATIN CAPITAL LETTER U WITH BREVE + {0x016D, 0x016D, prLower}, // L& LATIN SMALL LETTER U WITH BREVE + {0x016E, 0x016E, prUpper}, // L& LATIN CAPITAL LETTER U WITH RING ABOVE + {0x016F, 0x016F, prLower}, // L& LATIN SMALL LETTER U WITH RING ABOVE + {0x0170, 0x0170, prUpper}, // L& LATIN CAPITAL LETTER U WITH DOUBLE ACUTE + {0x0171, 0x0171, prLower}, // L& LATIN SMALL LETTER U WITH DOUBLE ACUTE + {0x0172, 0x0172, prUpper}, // L& LATIN CAPITAL LETTER U WITH OGONEK + {0x0173, 0x0173, prLower}, // L& LATIN SMALL LETTER U WITH OGONEK + {0x0174, 0x0174, prUpper}, // L& LATIN CAPITAL LETTER W WITH CIRCUMFLEX + {0x0175, 0x0175, prLower}, // L& LATIN SMALL LETTER W WITH CIRCUMFLEX + {0x0176, 0x0176, prUpper}, // L& LATIN CAPITAL LETTER Y WITH CIRCUMFLEX + {0x0177, 0x0177, prLower}, // L& LATIN SMALL LETTER Y WITH CIRCUMFLEX + {0x0178, 0x0179, prUpper}, // L& [2] LATIN CAPITAL LETTER Y WITH DIAERESIS..LATIN CAPITAL LETTER Z WITH ACUTE + {0x017A, 0x017A, prLower}, // L& LATIN SMALL LETTER Z WITH ACUTE + {0x017B, 0x017B, prUpper}, // L& LATIN CAPITAL LETTER Z WITH DOT ABOVE + {0x017C, 0x017C, prLower}, // L& LATIN SMALL LETTER Z WITH DOT ABOVE + {0x017D, 0x017D, prUpper}, // L& LATIN CAPITAL LETTER Z WITH CARON + {0x017E, 0x0180, prLower}, // L& [3] LATIN SMALL LETTER Z WITH CARON..LATIN SMALL LETTER B WITH STROKE + {0x0181, 0x0182, prUpper}, // L& [2] LATIN CAPITAL LETTER B WITH HOOK..LATIN CAPITAL LETTER B WITH TOPBAR + {0x0183, 0x0183, prLower}, // L& LATIN SMALL LETTER B WITH TOPBAR + {0x0184, 0x0184, prUpper}, // L& LATIN CAPITAL LETTER TONE SIX + {0x0185, 0x0185, prLower}, // L& LATIN SMALL LETTER TONE SIX + {0x0186, 0x0187, prUpper}, // L& [2] LATIN CAPITAL LETTER OPEN O..LATIN CAPITAL LETTER C WITH HOOK + {0x0188, 0x0188, prLower}, // L& LATIN SMALL LETTER C WITH HOOK + {0x0189, 0x018B, prUpper}, // L& [3] LATIN CAPITAL LETTER AFRICAN D..LATIN CAPITAL LETTER D WITH TOPBAR + {0x018C, 0x018D, prLower}, // L& [2] LATIN SMALL LETTER D WITH TOPBAR..LATIN SMALL LETTER TURNED DELTA + {0x018E, 0x0191, prUpper}, // L& [4] LATIN CAPITAL LETTER REVERSED E..LATIN CAPITAL LETTER F WITH HOOK + {0x0192, 0x0192, prLower}, // L& LATIN SMALL LETTER F WITH HOOK + {0x0193, 0x0194, prUpper}, // L& [2] LATIN CAPITAL LETTER G WITH HOOK..LATIN CAPITAL LETTER GAMMA + {0x0195, 0x0195, prLower}, // L& LATIN SMALL LETTER HV + {0x0196, 0x0198, prUpper}, // L& [3] LATIN CAPITAL LETTER IOTA..LATIN CAPITAL LETTER K WITH HOOK + {0x0199, 0x019B, prLower}, // L& [3] LATIN SMALL LETTER K WITH HOOK..LATIN SMALL LETTER LAMBDA WITH STROKE + {0x019C, 0x019D, prUpper}, // L& [2] LATIN CAPITAL LETTER TURNED M..LATIN CAPITAL LETTER N WITH LEFT HOOK + {0x019E, 0x019E, prLower}, // L& LATIN SMALL LETTER N WITH LONG RIGHT LEG + {0x019F, 0x01A0, prUpper}, // L& [2] LATIN CAPITAL LETTER O WITH MIDDLE TILDE..LATIN CAPITAL LETTER O WITH HORN + {0x01A1, 0x01A1, prLower}, // L& LATIN SMALL LETTER O WITH HORN + {0x01A2, 0x01A2, prUpper}, // L& LATIN CAPITAL LETTER OI + {0x01A3, 0x01A3, prLower}, // L& LATIN SMALL LETTER OI + {0x01A4, 0x01A4, prUpper}, // L& LATIN CAPITAL LETTER P WITH HOOK + {0x01A5, 0x01A5, prLower}, // L& LATIN SMALL LETTER P WITH HOOK + {0x01A6, 0x01A7, prUpper}, // L& [2] LATIN LETTER YR..LATIN CAPITAL LETTER TONE TWO + {0x01A8, 0x01A8, prLower}, // L& LATIN SMALL LETTER TONE TWO + {0x01A9, 0x01A9, prUpper}, // L& LATIN CAPITAL LETTER ESH + {0x01AA, 0x01AB, prLower}, // L& [2] LATIN LETTER REVERSED ESH LOOP..LATIN SMALL LETTER T WITH PALATAL HOOK + {0x01AC, 0x01AC, prUpper}, // L& LATIN CAPITAL LETTER T WITH HOOK + {0x01AD, 0x01AD, prLower}, // L& LATIN SMALL LETTER T WITH HOOK + {0x01AE, 0x01AF, prUpper}, // L& [2] LATIN CAPITAL LETTER T WITH RETROFLEX HOOK..LATIN CAPITAL LETTER U WITH HORN + {0x01B0, 0x01B0, prLower}, // L& LATIN SMALL LETTER U WITH HORN + {0x01B1, 0x01B3, prUpper}, // L& [3] LATIN CAPITAL LETTER UPSILON..LATIN CAPITAL LETTER Y WITH HOOK + {0x01B4, 0x01B4, prLower}, // L& LATIN SMALL LETTER Y WITH HOOK + {0x01B5, 0x01B5, prUpper}, // L& LATIN CAPITAL LETTER Z WITH STROKE + {0x01B6, 0x01B6, prLower}, // L& LATIN SMALL LETTER Z WITH STROKE + {0x01B7, 0x01B8, prUpper}, // L& [2] LATIN CAPITAL LETTER EZH..LATIN CAPITAL LETTER EZH REVERSED + {0x01B9, 0x01BA, prLower}, // L& [2] LATIN SMALL LETTER EZH REVERSED..LATIN SMALL LETTER EZH WITH TAIL + {0x01BB, 0x01BB, prOLetter}, // Lo LATIN LETTER TWO WITH STROKE + {0x01BC, 0x01BC, prUpper}, // L& LATIN CAPITAL LETTER TONE FIVE + {0x01BD, 0x01BF, prLower}, // L& [3] LATIN SMALL LETTER TONE FIVE..LATIN LETTER WYNN + {0x01C0, 0x01C3, prOLetter}, // Lo [4] LATIN LETTER DENTAL CLICK..LATIN LETTER RETROFLEX CLICK + {0x01C4, 0x01C5, prUpper}, // L& [2] LATIN CAPITAL LETTER DZ WITH CARON..LATIN CAPITAL LETTER D WITH SMALL LETTER Z WITH CARON + {0x01C6, 0x01C6, prLower}, // L& LATIN SMALL LETTER DZ WITH CARON + {0x01C7, 0x01C8, prUpper}, // L& [2] LATIN CAPITAL LETTER LJ..LATIN CAPITAL LETTER L WITH SMALL LETTER J + {0x01C9, 0x01C9, prLower}, // L& LATIN SMALL LETTER LJ + {0x01CA, 0x01CB, prUpper}, // L& [2] LATIN CAPITAL LETTER NJ..LATIN CAPITAL LETTER N WITH SMALL LETTER J + {0x01CC, 0x01CC, prLower}, // L& LATIN SMALL LETTER NJ + {0x01CD, 0x01CD, prUpper}, // L& LATIN CAPITAL LETTER A WITH CARON + {0x01CE, 0x01CE, prLower}, // L& LATIN SMALL LETTER A WITH CARON + {0x01CF, 0x01CF, prUpper}, // L& LATIN CAPITAL LETTER I WITH CARON + {0x01D0, 0x01D0, prLower}, // L& LATIN SMALL LETTER I WITH CARON + {0x01D1, 0x01D1, prUpper}, // L& LATIN CAPITAL LETTER O WITH CARON + {0x01D2, 0x01D2, prLower}, // L& LATIN SMALL LETTER O WITH CARON + {0x01D3, 0x01D3, prUpper}, // L& LATIN CAPITAL LETTER U WITH CARON + {0x01D4, 0x01D4, prLower}, // L& LATIN SMALL LETTER U WITH CARON + {0x01D5, 0x01D5, prUpper}, // L& LATIN CAPITAL LETTER U WITH DIAERESIS AND MACRON + {0x01D6, 0x01D6, prLower}, // L& LATIN SMALL LETTER U WITH DIAERESIS AND MACRON + {0x01D7, 0x01D7, prUpper}, // L& LATIN CAPITAL LETTER U WITH DIAERESIS AND ACUTE + {0x01D8, 0x01D8, prLower}, // L& LATIN SMALL LETTER U WITH DIAERESIS AND ACUTE + {0x01D9, 0x01D9, prUpper}, // L& LATIN CAPITAL LETTER U WITH DIAERESIS AND CARON + {0x01DA, 0x01DA, prLower}, // L& LATIN SMALL LETTER U WITH DIAERESIS AND CARON + {0x01DB, 0x01DB, prUpper}, // L& LATIN CAPITAL LETTER U WITH DIAERESIS AND GRAVE + {0x01DC, 0x01DD, prLower}, // L& [2] LATIN SMALL LETTER U WITH DIAERESIS AND GRAVE..LATIN SMALL LETTER TURNED E + {0x01DE, 0x01DE, prUpper}, // L& LATIN CAPITAL LETTER A WITH DIAERESIS AND MACRON + {0x01DF, 0x01DF, prLower}, // L& LATIN SMALL LETTER A WITH DIAERESIS AND MACRON + {0x01E0, 0x01E0, prUpper}, // L& LATIN CAPITAL LETTER A WITH DOT ABOVE AND MACRON + {0x01E1, 0x01E1, prLower}, // L& LATIN SMALL LETTER A WITH DOT ABOVE AND MACRON + {0x01E2, 0x01E2, prUpper}, // L& LATIN CAPITAL LETTER AE WITH MACRON + {0x01E3, 0x01E3, prLower}, // L& LATIN SMALL LETTER AE WITH MACRON + {0x01E4, 0x01E4, prUpper}, // L& LATIN CAPITAL LETTER G WITH STROKE + {0x01E5, 0x01E5, prLower}, // L& LATIN SMALL LETTER G WITH STROKE + {0x01E6, 0x01E6, prUpper}, // L& LATIN CAPITAL LETTER G WITH CARON + {0x01E7, 0x01E7, prLower}, // L& LATIN SMALL LETTER G WITH CARON + {0x01E8, 0x01E8, prUpper}, // L& LATIN CAPITAL LETTER K WITH CARON + {0x01E9, 0x01E9, prLower}, // L& LATIN SMALL LETTER K WITH CARON + {0x01EA, 0x01EA, prUpper}, // L& LATIN CAPITAL LETTER O WITH OGONEK + {0x01EB, 0x01EB, prLower}, // L& LATIN SMALL LETTER O WITH OGONEK + {0x01EC, 0x01EC, prUpper}, // L& LATIN CAPITAL LETTER O WITH OGONEK AND MACRON + {0x01ED, 0x01ED, prLower}, // L& LATIN SMALL LETTER O WITH OGONEK AND MACRON + {0x01EE, 0x01EE, prUpper}, // L& LATIN CAPITAL LETTER EZH WITH CARON + {0x01EF, 0x01F0, prLower}, // L& [2] LATIN SMALL LETTER EZH WITH CARON..LATIN SMALL LETTER J WITH CARON + {0x01F1, 0x01F2, prUpper}, // L& [2] LATIN CAPITAL LETTER DZ..LATIN CAPITAL LETTER D WITH SMALL LETTER Z + {0x01F3, 0x01F3, prLower}, // L& LATIN SMALL LETTER DZ + {0x01F4, 0x01F4, prUpper}, // L& LATIN CAPITAL LETTER G WITH ACUTE + {0x01F5, 0x01F5, prLower}, // L& LATIN SMALL LETTER G WITH ACUTE + {0x01F6, 0x01F8, prUpper}, // L& [3] LATIN CAPITAL LETTER HWAIR..LATIN CAPITAL LETTER N WITH GRAVE + {0x01F9, 0x01F9, prLower}, // L& LATIN SMALL LETTER N WITH GRAVE + {0x01FA, 0x01FA, prUpper}, // L& LATIN CAPITAL LETTER A WITH RING ABOVE AND ACUTE + {0x01FB, 0x01FB, prLower}, // L& LATIN SMALL LETTER A WITH RING ABOVE AND ACUTE + {0x01FC, 0x01FC, prUpper}, // L& LATIN CAPITAL LETTER AE WITH ACUTE + {0x01FD, 0x01FD, prLower}, // L& LATIN SMALL LETTER AE WITH ACUTE + {0x01FE, 0x01FE, prUpper}, // L& LATIN CAPITAL LETTER O WITH STROKE AND ACUTE + {0x01FF, 0x01FF, prLower}, // L& LATIN SMALL LETTER O WITH STROKE AND ACUTE + {0x0200, 0x0200, prUpper}, // L& LATIN CAPITAL LETTER A WITH DOUBLE GRAVE + {0x0201, 0x0201, prLower}, // L& LATIN SMALL LETTER A WITH DOUBLE GRAVE + {0x0202, 0x0202, prUpper}, // L& LATIN CAPITAL LETTER A WITH INVERTED BREVE + {0x0203, 0x0203, prLower}, // L& LATIN SMALL LETTER A WITH INVERTED BREVE + {0x0204, 0x0204, prUpper}, // L& LATIN CAPITAL LETTER E WITH DOUBLE GRAVE + {0x0205, 0x0205, prLower}, // L& LATIN SMALL LETTER E WITH DOUBLE GRAVE + {0x0206, 0x0206, prUpper}, // L& LATIN CAPITAL LETTER E WITH INVERTED BREVE + {0x0207, 0x0207, prLower}, // L& LATIN SMALL LETTER E WITH INVERTED BREVE + {0x0208, 0x0208, prUpper}, // L& LATIN CAPITAL LETTER I WITH DOUBLE GRAVE + {0x0209, 0x0209, prLower}, // L& LATIN SMALL LETTER I WITH DOUBLE GRAVE + {0x020A, 0x020A, prUpper}, // L& LATIN CAPITAL LETTER I WITH INVERTED BREVE + {0x020B, 0x020B, prLower}, // L& LATIN SMALL LETTER I WITH INVERTED BREVE + {0x020C, 0x020C, prUpper}, // L& LATIN CAPITAL LETTER O WITH DOUBLE GRAVE + {0x020D, 0x020D, prLower}, // L& LATIN SMALL LETTER O WITH DOUBLE GRAVE + {0x020E, 0x020E, prUpper}, // L& LATIN CAPITAL LETTER O WITH INVERTED BREVE + {0x020F, 0x020F, prLower}, // L& LATIN SMALL LETTER O WITH INVERTED BREVE + {0x0210, 0x0210, prUpper}, // L& LATIN CAPITAL LETTER R WITH DOUBLE GRAVE + {0x0211, 0x0211, prLower}, // L& LATIN SMALL LETTER R WITH DOUBLE GRAVE + {0x0212, 0x0212, prUpper}, // L& LATIN CAPITAL LETTER R WITH INVERTED BREVE + {0x0213, 0x0213, prLower}, // L& LATIN SMALL LETTER R WITH INVERTED BREVE + {0x0214, 0x0214, prUpper}, // L& LATIN CAPITAL LETTER U WITH DOUBLE GRAVE + {0x0215, 0x0215, prLower}, // L& LATIN SMALL LETTER U WITH DOUBLE GRAVE + {0x0216, 0x0216, prUpper}, // L& LATIN CAPITAL LETTER U WITH INVERTED BREVE + {0x0217, 0x0217, prLower}, // L& LATIN SMALL LETTER U WITH INVERTED BREVE + {0x0218, 0x0218, prUpper}, // L& LATIN CAPITAL LETTER S WITH COMMA BELOW + {0x0219, 0x0219, prLower}, // L& LATIN SMALL LETTER S WITH COMMA BELOW + {0x021A, 0x021A, prUpper}, // L& LATIN CAPITAL LETTER T WITH COMMA BELOW + {0x021B, 0x021B, prLower}, // L& LATIN SMALL LETTER T WITH COMMA BELOW + {0x021C, 0x021C, prUpper}, // L& LATIN CAPITAL LETTER YOGH + {0x021D, 0x021D, prLower}, // L& LATIN SMALL LETTER YOGH + {0x021E, 0x021E, prUpper}, // L& LATIN CAPITAL LETTER H WITH CARON + {0x021F, 0x021F, prLower}, // L& LATIN SMALL LETTER H WITH CARON + {0x0220, 0x0220, prUpper}, // L& LATIN CAPITAL LETTER N WITH LONG RIGHT LEG + {0x0221, 0x0221, prLower}, // L& LATIN SMALL LETTER D WITH CURL + {0x0222, 0x0222, prUpper}, // L& LATIN CAPITAL LETTER OU + {0x0223, 0x0223, prLower}, // L& LATIN SMALL LETTER OU + {0x0224, 0x0224, prUpper}, // L& LATIN CAPITAL LETTER Z WITH HOOK + {0x0225, 0x0225, prLower}, // L& LATIN SMALL LETTER Z WITH HOOK + {0x0226, 0x0226, prUpper}, // L& LATIN CAPITAL LETTER A WITH DOT ABOVE + {0x0227, 0x0227, prLower}, // L& LATIN SMALL LETTER A WITH DOT ABOVE + {0x0228, 0x0228, prUpper}, // L& LATIN CAPITAL LETTER E WITH CEDILLA + {0x0229, 0x0229, prLower}, // L& LATIN SMALL LETTER E WITH CEDILLA + {0x022A, 0x022A, prUpper}, // L& LATIN CAPITAL LETTER O WITH DIAERESIS AND MACRON + {0x022B, 0x022B, prLower}, // L& LATIN SMALL LETTER O WITH DIAERESIS AND MACRON + {0x022C, 0x022C, prUpper}, // L& LATIN CAPITAL LETTER O WITH TILDE AND MACRON + {0x022D, 0x022D, prLower}, // L& LATIN SMALL LETTER O WITH TILDE AND MACRON + {0x022E, 0x022E, prUpper}, // L& LATIN CAPITAL LETTER O WITH DOT ABOVE + {0x022F, 0x022F, prLower}, // L& LATIN SMALL LETTER O WITH DOT ABOVE + {0x0230, 0x0230, prUpper}, // L& LATIN CAPITAL LETTER O WITH DOT ABOVE AND MACRON + {0x0231, 0x0231, prLower}, // L& LATIN SMALL LETTER O WITH DOT ABOVE AND MACRON + {0x0232, 0x0232, prUpper}, // L& LATIN CAPITAL LETTER Y WITH MACRON + {0x0233, 0x0239, prLower}, // L& [7] LATIN SMALL LETTER Y WITH MACRON..LATIN SMALL LETTER QP DIGRAPH + {0x023A, 0x023B, prUpper}, // L& [2] LATIN CAPITAL LETTER A WITH STROKE..LATIN CAPITAL LETTER C WITH STROKE + {0x023C, 0x023C, prLower}, // L& LATIN SMALL LETTER C WITH STROKE + {0x023D, 0x023E, prUpper}, // L& [2] LATIN CAPITAL LETTER L WITH BAR..LATIN CAPITAL LETTER T WITH DIAGONAL STROKE + {0x023F, 0x0240, prLower}, // L& [2] LATIN SMALL LETTER S WITH SWASH TAIL..LATIN SMALL LETTER Z WITH SWASH TAIL + {0x0241, 0x0241, prUpper}, // L& LATIN CAPITAL LETTER GLOTTAL STOP + {0x0242, 0x0242, prLower}, // L& LATIN SMALL LETTER GLOTTAL STOP + {0x0243, 0x0246, prUpper}, // L& [4] LATIN CAPITAL LETTER B WITH STROKE..LATIN CAPITAL LETTER E WITH STROKE + {0x0247, 0x0247, prLower}, // L& LATIN SMALL LETTER E WITH STROKE + {0x0248, 0x0248, prUpper}, // L& LATIN CAPITAL LETTER J WITH STROKE + {0x0249, 0x0249, prLower}, // L& LATIN SMALL LETTER J WITH STROKE + {0x024A, 0x024A, prUpper}, // L& LATIN CAPITAL LETTER SMALL Q WITH HOOK TAIL + {0x024B, 0x024B, prLower}, // L& LATIN SMALL LETTER Q WITH HOOK TAIL + {0x024C, 0x024C, prUpper}, // L& LATIN CAPITAL LETTER R WITH STROKE + {0x024D, 0x024D, prLower}, // L& LATIN SMALL LETTER R WITH STROKE + {0x024E, 0x024E, prUpper}, // L& LATIN CAPITAL LETTER Y WITH STROKE + {0x024F, 0x0293, prLower}, // L& [69] LATIN SMALL LETTER Y WITH STROKE..LATIN SMALL LETTER EZH WITH CURL + {0x0294, 0x0294, prOLetter}, // Lo LATIN LETTER GLOTTAL STOP + {0x0295, 0x02AF, prLower}, // L& [27] LATIN LETTER PHARYNGEAL VOICED FRICATIVE..LATIN SMALL LETTER TURNED H WITH FISHHOOK AND TAIL + {0x02B0, 0x02B8, prLower}, // Lm [9] MODIFIER LETTER SMALL H..MODIFIER LETTER SMALL Y + {0x02B9, 0x02BF, prOLetter}, // Lm [7] MODIFIER LETTER PRIME..MODIFIER LETTER LEFT HALF RING + {0x02C0, 0x02C1, prLower}, // Lm [2] MODIFIER LETTER GLOTTAL STOP..MODIFIER LETTER REVERSED GLOTTAL STOP + {0x02C6, 0x02D1, prOLetter}, // Lm [12] MODIFIER LETTER CIRCUMFLEX ACCENT..MODIFIER LETTER HALF TRIANGULAR COLON + {0x02E0, 0x02E4, prLower}, // Lm [5] MODIFIER LETTER SMALL GAMMA..MODIFIER LETTER SMALL REVERSED GLOTTAL STOP + {0x02EC, 0x02EC, prOLetter}, // Lm MODIFIER LETTER VOICING + {0x02EE, 0x02EE, prOLetter}, // Lm MODIFIER LETTER DOUBLE APOSTROPHE + {0x0300, 0x036F, prExtend}, // Mn [112] COMBINING GRAVE ACCENT..COMBINING LATIN SMALL LETTER X + {0x0370, 0x0370, prUpper}, // L& GREEK CAPITAL LETTER HETA + {0x0371, 0x0371, prLower}, // L& GREEK SMALL LETTER HETA + {0x0372, 0x0372, prUpper}, // L& GREEK CAPITAL LETTER ARCHAIC SAMPI + {0x0373, 0x0373, prLower}, // L& GREEK SMALL LETTER ARCHAIC SAMPI + {0x0374, 0x0374, prOLetter}, // Lm GREEK NUMERAL SIGN + {0x0376, 0x0376, prUpper}, // L& GREEK CAPITAL LETTER PAMPHYLIAN DIGAMMA + {0x0377, 0x0377, prLower}, // L& GREEK SMALL LETTER PAMPHYLIAN DIGAMMA + {0x037A, 0x037A, prLower}, // Lm GREEK YPOGEGRAMMENI + {0x037B, 0x037D, prLower}, // L& [3] GREEK SMALL REVERSED LUNATE SIGMA SYMBOL..GREEK SMALL REVERSED DOTTED LUNATE SIGMA SYMBOL + {0x037F, 0x037F, prUpper}, // L& GREEK CAPITAL LETTER YOT + {0x0386, 0x0386, prUpper}, // L& GREEK CAPITAL LETTER ALPHA WITH TONOS + {0x0388, 0x038A, prUpper}, // L& [3] GREEK CAPITAL LETTER EPSILON WITH TONOS..GREEK CAPITAL LETTER IOTA WITH TONOS + {0x038C, 0x038C, prUpper}, // L& GREEK CAPITAL LETTER OMICRON WITH TONOS + {0x038E, 0x038F, prUpper}, // L& [2] GREEK CAPITAL LETTER UPSILON WITH TONOS..GREEK CAPITAL LETTER OMEGA WITH TONOS + {0x0390, 0x0390, prLower}, // L& GREEK SMALL LETTER IOTA WITH DIALYTIKA AND TONOS + {0x0391, 0x03A1, prUpper}, // L& [17] GREEK CAPITAL LETTER ALPHA..GREEK CAPITAL LETTER RHO + {0x03A3, 0x03AB, prUpper}, // L& [9] GREEK CAPITAL LETTER SIGMA..GREEK CAPITAL LETTER UPSILON WITH DIALYTIKA + {0x03AC, 0x03CE, prLower}, // L& [35] GREEK SMALL LETTER ALPHA WITH TONOS..GREEK SMALL LETTER OMEGA WITH TONOS + {0x03CF, 0x03CF, prUpper}, // L& GREEK CAPITAL KAI SYMBOL + {0x03D0, 0x03D1, prLower}, // L& [2] GREEK BETA SYMBOL..GREEK THETA SYMBOL + {0x03D2, 0x03D4, prUpper}, // L& [3] GREEK UPSILON WITH HOOK SYMBOL..GREEK UPSILON WITH DIAERESIS AND HOOK SYMBOL + {0x03D5, 0x03D7, prLower}, // L& [3] GREEK PHI SYMBOL..GREEK KAI SYMBOL + {0x03D8, 0x03D8, prUpper}, // L& GREEK LETTER ARCHAIC KOPPA + {0x03D9, 0x03D9, prLower}, // L& GREEK SMALL LETTER ARCHAIC KOPPA + {0x03DA, 0x03DA, prUpper}, // L& GREEK LETTER STIGMA + {0x03DB, 0x03DB, prLower}, // L& GREEK SMALL LETTER STIGMA + {0x03DC, 0x03DC, prUpper}, // L& GREEK LETTER DIGAMMA + {0x03DD, 0x03DD, prLower}, // L& GREEK SMALL LETTER DIGAMMA + {0x03DE, 0x03DE, prUpper}, // L& GREEK LETTER KOPPA + {0x03DF, 0x03DF, prLower}, // L& GREEK SMALL LETTER KOPPA + {0x03E0, 0x03E0, prUpper}, // L& GREEK LETTER SAMPI + {0x03E1, 0x03E1, prLower}, // L& GREEK SMALL LETTER SAMPI + {0x03E2, 0x03E2, prUpper}, // L& COPTIC CAPITAL LETTER SHEI + {0x03E3, 0x03E3, prLower}, // L& COPTIC SMALL LETTER SHEI + {0x03E4, 0x03E4, prUpper}, // L& COPTIC CAPITAL LETTER FEI + {0x03E5, 0x03E5, prLower}, // L& COPTIC SMALL LETTER FEI + {0x03E6, 0x03E6, prUpper}, // L& COPTIC CAPITAL LETTER KHEI + {0x03E7, 0x03E7, prLower}, // L& COPTIC SMALL LETTER KHEI + {0x03E8, 0x03E8, prUpper}, // L& COPTIC CAPITAL LETTER HORI + {0x03E9, 0x03E9, prLower}, // L& COPTIC SMALL LETTER HORI + {0x03EA, 0x03EA, prUpper}, // L& COPTIC CAPITAL LETTER GANGIA + {0x03EB, 0x03EB, prLower}, // L& COPTIC SMALL LETTER GANGIA + {0x03EC, 0x03EC, prUpper}, // L& COPTIC CAPITAL LETTER SHIMA + {0x03ED, 0x03ED, prLower}, // L& COPTIC SMALL LETTER SHIMA + {0x03EE, 0x03EE, prUpper}, // L& COPTIC CAPITAL LETTER DEI + {0x03EF, 0x03F3, prLower}, // L& [5] COPTIC SMALL LETTER DEI..GREEK LETTER YOT + {0x03F4, 0x03F4, prUpper}, // L& GREEK CAPITAL THETA SYMBOL + {0x03F5, 0x03F5, prLower}, // L& GREEK LUNATE EPSILON SYMBOL + {0x03F7, 0x03F7, prUpper}, // L& GREEK CAPITAL LETTER SHO + {0x03F8, 0x03F8, prLower}, // L& GREEK SMALL LETTER SHO + {0x03F9, 0x03FA, prUpper}, // L& [2] GREEK CAPITAL LUNATE SIGMA SYMBOL..GREEK CAPITAL LETTER SAN + {0x03FB, 0x03FC, prLower}, // L& [2] GREEK SMALL LETTER SAN..GREEK RHO WITH STROKE SYMBOL + {0x03FD, 0x042F, prUpper}, // L& [51] GREEK CAPITAL REVERSED LUNATE SIGMA SYMBOL..CYRILLIC CAPITAL LETTER YA + {0x0430, 0x045F, prLower}, // L& [48] CYRILLIC SMALL LETTER A..CYRILLIC SMALL LETTER DZHE + {0x0460, 0x0460, prUpper}, // L& CYRILLIC CAPITAL LETTER OMEGA + {0x0461, 0x0461, prLower}, // L& CYRILLIC SMALL LETTER OMEGA + {0x0462, 0x0462, prUpper}, // L& CYRILLIC CAPITAL LETTER YAT + {0x0463, 0x0463, prLower}, // L& CYRILLIC SMALL LETTER YAT + {0x0464, 0x0464, prUpper}, // L& CYRILLIC CAPITAL LETTER IOTIFIED E + {0x0465, 0x0465, prLower}, // L& CYRILLIC SMALL LETTER IOTIFIED E + {0x0466, 0x0466, prUpper}, // L& CYRILLIC CAPITAL LETTER LITTLE YUS + {0x0467, 0x0467, prLower}, // L& CYRILLIC SMALL LETTER LITTLE YUS + {0x0468, 0x0468, prUpper}, // L& CYRILLIC CAPITAL LETTER IOTIFIED LITTLE YUS + {0x0469, 0x0469, prLower}, // L& CYRILLIC SMALL LETTER IOTIFIED LITTLE YUS + {0x046A, 0x046A, prUpper}, // L& CYRILLIC CAPITAL LETTER BIG YUS + {0x046B, 0x046B, prLower}, // L& CYRILLIC SMALL LETTER BIG YUS + {0x046C, 0x046C, prUpper}, // L& CYRILLIC CAPITAL LETTER IOTIFIED BIG YUS + {0x046D, 0x046D, prLower}, // L& CYRILLIC SMALL LETTER IOTIFIED BIG YUS + {0x046E, 0x046E, prUpper}, // L& CYRILLIC CAPITAL LETTER KSI + {0x046F, 0x046F, prLower}, // L& CYRILLIC SMALL LETTER KSI + {0x0470, 0x0470, prUpper}, // L& CYRILLIC CAPITAL LETTER PSI + {0x0471, 0x0471, prLower}, // L& CYRILLIC SMALL LETTER PSI + {0x0472, 0x0472, prUpper}, // L& CYRILLIC CAPITAL LETTER FITA + {0x0473, 0x0473, prLower}, // L& CYRILLIC SMALL LETTER FITA + {0x0474, 0x0474, prUpper}, // L& CYRILLIC CAPITAL LETTER IZHITSA + {0x0475, 0x0475, prLower}, // L& CYRILLIC SMALL LETTER IZHITSA + {0x0476, 0x0476, prUpper}, // L& CYRILLIC CAPITAL LETTER IZHITSA WITH DOUBLE GRAVE ACCENT + {0x0477, 0x0477, prLower}, // L& CYRILLIC SMALL LETTER IZHITSA WITH DOUBLE GRAVE ACCENT + {0x0478, 0x0478, prUpper}, // L& CYRILLIC CAPITAL LETTER UK + {0x0479, 0x0479, prLower}, // L& CYRILLIC SMALL LETTER UK + {0x047A, 0x047A, prUpper}, // L& CYRILLIC CAPITAL LETTER ROUND OMEGA + {0x047B, 0x047B, prLower}, // L& CYRILLIC SMALL LETTER ROUND OMEGA + {0x047C, 0x047C, prUpper}, // L& CYRILLIC CAPITAL LETTER OMEGA WITH TITLO + {0x047D, 0x047D, prLower}, // L& CYRILLIC SMALL LETTER OMEGA WITH TITLO + {0x047E, 0x047E, prUpper}, // L& CYRILLIC CAPITAL LETTER OT + {0x047F, 0x047F, prLower}, // L& CYRILLIC SMALL LETTER OT + {0x0480, 0x0480, prUpper}, // L& CYRILLIC CAPITAL LETTER KOPPA + {0x0481, 0x0481, prLower}, // L& CYRILLIC SMALL LETTER KOPPA + {0x0483, 0x0487, prExtend}, // Mn [5] COMBINING CYRILLIC TITLO..COMBINING CYRILLIC POKRYTIE + {0x0488, 0x0489, prExtend}, // Me [2] COMBINING CYRILLIC HUNDRED THOUSANDS SIGN..COMBINING CYRILLIC MILLIONS SIGN + {0x048A, 0x048A, prUpper}, // L& CYRILLIC CAPITAL LETTER SHORT I WITH TAIL + {0x048B, 0x048B, prLower}, // L& CYRILLIC SMALL LETTER SHORT I WITH TAIL + {0x048C, 0x048C, prUpper}, // L& CYRILLIC CAPITAL LETTER SEMISOFT SIGN + {0x048D, 0x048D, prLower}, // L& CYRILLIC SMALL LETTER SEMISOFT SIGN + {0x048E, 0x048E, prUpper}, // L& CYRILLIC CAPITAL LETTER ER WITH TICK + {0x048F, 0x048F, prLower}, // L& CYRILLIC SMALL LETTER ER WITH TICK + {0x0490, 0x0490, prUpper}, // L& CYRILLIC CAPITAL LETTER GHE WITH UPTURN + {0x0491, 0x0491, prLower}, // L& CYRILLIC SMALL LETTER GHE WITH UPTURN + {0x0492, 0x0492, prUpper}, // L& CYRILLIC CAPITAL LETTER GHE WITH STROKE + {0x0493, 0x0493, prLower}, // L& CYRILLIC SMALL LETTER GHE WITH STROKE + {0x0494, 0x0494, prUpper}, // L& CYRILLIC CAPITAL LETTER GHE WITH MIDDLE HOOK + {0x0495, 0x0495, prLower}, // L& CYRILLIC SMALL LETTER GHE WITH MIDDLE HOOK + {0x0496, 0x0496, prUpper}, // L& CYRILLIC CAPITAL LETTER ZHE WITH DESCENDER + {0x0497, 0x0497, prLower}, // L& CYRILLIC SMALL LETTER ZHE WITH DESCENDER + {0x0498, 0x0498, prUpper}, // L& CYRILLIC CAPITAL LETTER ZE WITH DESCENDER + {0x0499, 0x0499, prLower}, // L& CYRILLIC SMALL LETTER ZE WITH DESCENDER + {0x049A, 0x049A, prUpper}, // L& CYRILLIC CAPITAL LETTER KA WITH DESCENDER + {0x049B, 0x049B, prLower}, // L& CYRILLIC SMALL LETTER KA WITH DESCENDER + {0x049C, 0x049C, prUpper}, // L& CYRILLIC CAPITAL LETTER KA WITH VERTICAL STROKE + {0x049D, 0x049D, prLower}, // L& CYRILLIC SMALL LETTER KA WITH VERTICAL STROKE + {0x049E, 0x049E, prUpper}, // L& CYRILLIC CAPITAL LETTER KA WITH STROKE + {0x049F, 0x049F, prLower}, // L& CYRILLIC SMALL LETTER KA WITH STROKE + {0x04A0, 0x04A0, prUpper}, // L& CYRILLIC CAPITAL LETTER BASHKIR KA + {0x04A1, 0x04A1, prLower}, // L& CYRILLIC SMALL LETTER BASHKIR KA + {0x04A2, 0x04A2, prUpper}, // L& CYRILLIC CAPITAL LETTER EN WITH DESCENDER + {0x04A3, 0x04A3, prLower}, // L& CYRILLIC SMALL LETTER EN WITH DESCENDER + {0x04A4, 0x04A4, prUpper}, // L& CYRILLIC CAPITAL LIGATURE EN GHE + {0x04A5, 0x04A5, prLower}, // L& CYRILLIC SMALL LIGATURE EN GHE + {0x04A6, 0x04A6, prUpper}, // L& CYRILLIC CAPITAL LETTER PE WITH MIDDLE HOOK + {0x04A7, 0x04A7, prLower}, // L& CYRILLIC SMALL LETTER PE WITH MIDDLE HOOK + {0x04A8, 0x04A8, prUpper}, // L& CYRILLIC CAPITAL LETTER ABKHASIAN HA + {0x04A9, 0x04A9, prLower}, // L& CYRILLIC SMALL LETTER ABKHASIAN HA + {0x04AA, 0x04AA, prUpper}, // L& CYRILLIC CAPITAL LETTER ES WITH DESCENDER + {0x04AB, 0x04AB, prLower}, // L& CYRILLIC SMALL LETTER ES WITH DESCENDER + {0x04AC, 0x04AC, prUpper}, // L& CYRILLIC CAPITAL LETTER TE WITH DESCENDER + {0x04AD, 0x04AD, prLower}, // L& CYRILLIC SMALL LETTER TE WITH DESCENDER + {0x04AE, 0x04AE, prUpper}, // L& CYRILLIC CAPITAL LETTER STRAIGHT U + {0x04AF, 0x04AF, prLower}, // L& CYRILLIC SMALL LETTER STRAIGHT U + {0x04B0, 0x04B0, prUpper}, // L& CYRILLIC CAPITAL LETTER STRAIGHT U WITH STROKE + {0x04B1, 0x04B1, prLower}, // L& CYRILLIC SMALL LETTER STRAIGHT U WITH STROKE + {0x04B2, 0x04B2, prUpper}, // L& CYRILLIC CAPITAL LETTER HA WITH DESCENDER + {0x04B3, 0x04B3, prLower}, // L& CYRILLIC SMALL LETTER HA WITH DESCENDER + {0x04B4, 0x04B4, prUpper}, // L& CYRILLIC CAPITAL LIGATURE TE TSE + {0x04B5, 0x04B5, prLower}, // L& CYRILLIC SMALL LIGATURE TE TSE + {0x04B6, 0x04B6, prUpper}, // L& CYRILLIC CAPITAL LETTER CHE WITH DESCENDER + {0x04B7, 0x04B7, prLower}, // L& CYRILLIC SMALL LETTER CHE WITH DESCENDER + {0x04B8, 0x04B8, prUpper}, // L& CYRILLIC CAPITAL LETTER CHE WITH VERTICAL STROKE + {0x04B9, 0x04B9, prLower}, // L& CYRILLIC SMALL LETTER CHE WITH VERTICAL STROKE + {0x04BA, 0x04BA, prUpper}, // L& CYRILLIC CAPITAL LETTER SHHA + {0x04BB, 0x04BB, prLower}, // L& CYRILLIC SMALL LETTER SHHA + {0x04BC, 0x04BC, prUpper}, // L& CYRILLIC CAPITAL LETTER ABKHASIAN CHE + {0x04BD, 0x04BD, prLower}, // L& CYRILLIC SMALL LETTER ABKHASIAN CHE + {0x04BE, 0x04BE, prUpper}, // L& CYRILLIC CAPITAL LETTER ABKHASIAN CHE WITH DESCENDER + {0x04BF, 0x04BF, prLower}, // L& CYRILLIC SMALL LETTER ABKHASIAN CHE WITH DESCENDER + {0x04C0, 0x04C1, prUpper}, // L& [2] CYRILLIC LETTER PALOCHKA..CYRILLIC CAPITAL LETTER ZHE WITH BREVE + {0x04C2, 0x04C2, prLower}, // L& CYRILLIC SMALL LETTER ZHE WITH BREVE + {0x04C3, 0x04C3, prUpper}, // L& CYRILLIC CAPITAL LETTER KA WITH HOOK + {0x04C4, 0x04C4, prLower}, // L& CYRILLIC SMALL LETTER KA WITH HOOK + {0x04C5, 0x04C5, prUpper}, // L& CYRILLIC CAPITAL LETTER EL WITH TAIL + {0x04C6, 0x04C6, prLower}, // L& CYRILLIC SMALL LETTER EL WITH TAIL + {0x04C7, 0x04C7, prUpper}, // L& CYRILLIC CAPITAL LETTER EN WITH HOOK + {0x04C8, 0x04C8, prLower}, // L& CYRILLIC SMALL LETTER EN WITH HOOK + {0x04C9, 0x04C9, prUpper}, // L& CYRILLIC CAPITAL LETTER EN WITH TAIL + {0x04CA, 0x04CA, prLower}, // L& CYRILLIC SMALL LETTER EN WITH TAIL + {0x04CB, 0x04CB, prUpper}, // L& CYRILLIC CAPITAL LETTER KHAKASSIAN CHE + {0x04CC, 0x04CC, prLower}, // L& CYRILLIC SMALL LETTER KHAKASSIAN CHE + {0x04CD, 0x04CD, prUpper}, // L& CYRILLIC CAPITAL LETTER EM WITH TAIL + {0x04CE, 0x04CF, prLower}, // L& [2] CYRILLIC SMALL LETTER EM WITH TAIL..CYRILLIC SMALL LETTER PALOCHKA + {0x04D0, 0x04D0, prUpper}, // L& CYRILLIC CAPITAL LETTER A WITH BREVE + {0x04D1, 0x04D1, prLower}, // L& CYRILLIC SMALL LETTER A WITH BREVE + {0x04D2, 0x04D2, prUpper}, // L& CYRILLIC CAPITAL LETTER A WITH DIAERESIS + {0x04D3, 0x04D3, prLower}, // L& CYRILLIC SMALL LETTER A WITH DIAERESIS + {0x04D4, 0x04D4, prUpper}, // L& CYRILLIC CAPITAL LIGATURE A IE + {0x04D5, 0x04D5, prLower}, // L& CYRILLIC SMALL LIGATURE A IE + {0x04D6, 0x04D6, prUpper}, // L& CYRILLIC CAPITAL LETTER IE WITH BREVE + {0x04D7, 0x04D7, prLower}, // L& CYRILLIC SMALL LETTER IE WITH BREVE + {0x04D8, 0x04D8, prUpper}, // L& CYRILLIC CAPITAL LETTER SCHWA + {0x04D9, 0x04D9, prLower}, // L& CYRILLIC SMALL LETTER SCHWA + {0x04DA, 0x04DA, prUpper}, // L& CYRILLIC CAPITAL LETTER SCHWA WITH DIAERESIS + {0x04DB, 0x04DB, prLower}, // L& CYRILLIC SMALL LETTER SCHWA WITH DIAERESIS + {0x04DC, 0x04DC, prUpper}, // L& CYRILLIC CAPITAL LETTER ZHE WITH DIAERESIS + {0x04DD, 0x04DD, prLower}, // L& CYRILLIC SMALL LETTER ZHE WITH DIAERESIS + {0x04DE, 0x04DE, prUpper}, // L& CYRILLIC CAPITAL LETTER ZE WITH DIAERESIS + {0x04DF, 0x04DF, prLower}, // L& CYRILLIC SMALL LETTER ZE WITH DIAERESIS + {0x04E0, 0x04E0, prUpper}, // L& CYRILLIC CAPITAL LETTER ABKHASIAN DZE + {0x04E1, 0x04E1, prLower}, // L& CYRILLIC SMALL LETTER ABKHASIAN DZE + {0x04E2, 0x04E2, prUpper}, // L& CYRILLIC CAPITAL LETTER I WITH MACRON + {0x04E3, 0x04E3, prLower}, // L& CYRILLIC SMALL LETTER I WITH MACRON + {0x04E4, 0x04E4, prUpper}, // L& CYRILLIC CAPITAL LETTER I WITH DIAERESIS + {0x04E5, 0x04E5, prLower}, // L& CYRILLIC SMALL LETTER I WITH DIAERESIS + {0x04E6, 0x04E6, prUpper}, // L& CYRILLIC CAPITAL LETTER O WITH DIAERESIS + {0x04E7, 0x04E7, prLower}, // L& CYRILLIC SMALL LETTER O WITH DIAERESIS + {0x04E8, 0x04E8, prUpper}, // L& CYRILLIC CAPITAL LETTER BARRED O + {0x04E9, 0x04E9, prLower}, // L& CYRILLIC SMALL LETTER BARRED O + {0x04EA, 0x04EA, prUpper}, // L& CYRILLIC CAPITAL LETTER BARRED O WITH DIAERESIS + {0x04EB, 0x04EB, prLower}, // L& CYRILLIC SMALL LETTER BARRED O WITH DIAERESIS + {0x04EC, 0x04EC, prUpper}, // L& CYRILLIC CAPITAL LETTER E WITH DIAERESIS + {0x04ED, 0x04ED, prLower}, // L& CYRILLIC SMALL LETTER E WITH DIAERESIS + {0x04EE, 0x04EE, prUpper}, // L& CYRILLIC CAPITAL LETTER U WITH MACRON + {0x04EF, 0x04EF, prLower}, // L& CYRILLIC SMALL LETTER U WITH MACRON + {0x04F0, 0x04F0, prUpper}, // L& CYRILLIC CAPITAL LETTER U WITH DIAERESIS + {0x04F1, 0x04F1, prLower}, // L& CYRILLIC SMALL LETTER U WITH DIAERESIS + {0x04F2, 0x04F2, prUpper}, // L& CYRILLIC CAPITAL LETTER U WITH DOUBLE ACUTE + {0x04F3, 0x04F3, prLower}, // L& CYRILLIC SMALL LETTER U WITH DOUBLE ACUTE + {0x04F4, 0x04F4, prUpper}, // L& CYRILLIC CAPITAL LETTER CHE WITH DIAERESIS + {0x04F5, 0x04F5, prLower}, // L& CYRILLIC SMALL LETTER CHE WITH DIAERESIS + {0x04F6, 0x04F6, prUpper}, // L& CYRILLIC CAPITAL LETTER GHE WITH DESCENDER + {0x04F7, 0x04F7, prLower}, // L& CYRILLIC SMALL LETTER GHE WITH DESCENDER + {0x04F8, 0x04F8, prUpper}, // L& CYRILLIC CAPITAL LETTER YERU WITH DIAERESIS + {0x04F9, 0x04F9, prLower}, // L& CYRILLIC SMALL LETTER YERU WITH DIAERESIS + {0x04FA, 0x04FA, prUpper}, // L& CYRILLIC CAPITAL LETTER GHE WITH STROKE AND HOOK + {0x04FB, 0x04FB, prLower}, // L& CYRILLIC SMALL LETTER GHE WITH STROKE AND HOOK + {0x04FC, 0x04FC, prUpper}, // L& CYRILLIC CAPITAL LETTER HA WITH HOOK + {0x04FD, 0x04FD, prLower}, // L& CYRILLIC SMALL LETTER HA WITH HOOK + {0x04FE, 0x04FE, prUpper}, // L& CYRILLIC CAPITAL LETTER HA WITH STROKE + {0x04FF, 0x04FF, prLower}, // L& CYRILLIC SMALL LETTER HA WITH STROKE + {0x0500, 0x0500, prUpper}, // L& CYRILLIC CAPITAL LETTER KOMI DE + {0x0501, 0x0501, prLower}, // L& CYRILLIC SMALL LETTER KOMI DE + {0x0502, 0x0502, prUpper}, // L& CYRILLIC CAPITAL LETTER KOMI DJE + {0x0503, 0x0503, prLower}, // L& CYRILLIC SMALL LETTER KOMI DJE + {0x0504, 0x0504, prUpper}, // L& CYRILLIC CAPITAL LETTER KOMI ZJE + {0x0505, 0x0505, prLower}, // L& CYRILLIC SMALL LETTER KOMI ZJE + {0x0506, 0x0506, prUpper}, // L& CYRILLIC CAPITAL LETTER KOMI DZJE + {0x0507, 0x0507, prLower}, // L& CYRILLIC SMALL LETTER KOMI DZJE + {0x0508, 0x0508, prUpper}, // L& CYRILLIC CAPITAL LETTER KOMI LJE + {0x0509, 0x0509, prLower}, // L& CYRILLIC SMALL LETTER KOMI LJE + {0x050A, 0x050A, prUpper}, // L& CYRILLIC CAPITAL LETTER KOMI NJE + {0x050B, 0x050B, prLower}, // L& CYRILLIC SMALL LETTER KOMI NJE + {0x050C, 0x050C, prUpper}, // L& CYRILLIC CAPITAL LETTER KOMI SJE + {0x050D, 0x050D, prLower}, // L& CYRILLIC SMALL LETTER KOMI SJE + {0x050E, 0x050E, prUpper}, // L& CYRILLIC CAPITAL LETTER KOMI TJE + {0x050F, 0x050F, prLower}, // L& CYRILLIC SMALL LETTER KOMI TJE + {0x0510, 0x0510, prUpper}, // L& CYRILLIC CAPITAL LETTER REVERSED ZE + {0x0511, 0x0511, prLower}, // L& CYRILLIC SMALL LETTER REVERSED ZE + {0x0512, 0x0512, prUpper}, // L& CYRILLIC CAPITAL LETTER EL WITH HOOK + {0x0513, 0x0513, prLower}, // L& CYRILLIC SMALL LETTER EL WITH HOOK + {0x0514, 0x0514, prUpper}, // L& CYRILLIC CAPITAL LETTER LHA + {0x0515, 0x0515, prLower}, // L& CYRILLIC SMALL LETTER LHA + {0x0516, 0x0516, prUpper}, // L& CYRILLIC CAPITAL LETTER RHA + {0x0517, 0x0517, prLower}, // L& CYRILLIC SMALL LETTER RHA + {0x0518, 0x0518, prUpper}, // L& CYRILLIC CAPITAL LETTER YAE + {0x0519, 0x0519, prLower}, // L& CYRILLIC SMALL LETTER YAE + {0x051A, 0x051A, prUpper}, // L& CYRILLIC CAPITAL LETTER QA + {0x051B, 0x051B, prLower}, // L& CYRILLIC SMALL LETTER QA + {0x051C, 0x051C, prUpper}, // L& CYRILLIC CAPITAL LETTER WE + {0x051D, 0x051D, prLower}, // L& CYRILLIC SMALL LETTER WE + {0x051E, 0x051E, prUpper}, // L& CYRILLIC CAPITAL LETTER ALEUT KA + {0x051F, 0x051F, prLower}, // L& CYRILLIC SMALL LETTER ALEUT KA + {0x0520, 0x0520, prUpper}, // L& CYRILLIC CAPITAL LETTER EL WITH MIDDLE HOOK + {0x0521, 0x0521, prLower}, // L& CYRILLIC SMALL LETTER EL WITH MIDDLE HOOK + {0x0522, 0x0522, prUpper}, // L& CYRILLIC CAPITAL LETTER EN WITH MIDDLE HOOK + {0x0523, 0x0523, prLower}, // L& CYRILLIC SMALL LETTER EN WITH MIDDLE HOOK + {0x0524, 0x0524, prUpper}, // L& CYRILLIC CAPITAL LETTER PE WITH DESCENDER + {0x0525, 0x0525, prLower}, // L& CYRILLIC SMALL LETTER PE WITH DESCENDER + {0x0526, 0x0526, prUpper}, // L& CYRILLIC CAPITAL LETTER SHHA WITH DESCENDER + {0x0527, 0x0527, prLower}, // L& CYRILLIC SMALL LETTER SHHA WITH DESCENDER + {0x0528, 0x0528, prUpper}, // L& CYRILLIC CAPITAL LETTER EN WITH LEFT HOOK + {0x0529, 0x0529, prLower}, // L& CYRILLIC SMALL LETTER EN WITH LEFT HOOK + {0x052A, 0x052A, prUpper}, // L& CYRILLIC CAPITAL LETTER DZZHE + {0x052B, 0x052B, prLower}, // L& CYRILLIC SMALL LETTER DZZHE + {0x052C, 0x052C, prUpper}, // L& CYRILLIC CAPITAL LETTER DCHE + {0x052D, 0x052D, prLower}, // L& CYRILLIC SMALL LETTER DCHE + {0x052E, 0x052E, prUpper}, // L& CYRILLIC CAPITAL LETTER EL WITH DESCENDER + {0x052F, 0x052F, prLower}, // L& CYRILLIC SMALL LETTER EL WITH DESCENDER + {0x0531, 0x0556, prUpper}, // L& [38] ARMENIAN CAPITAL LETTER AYB..ARMENIAN CAPITAL LETTER FEH + {0x0559, 0x0559, prOLetter}, // Lm ARMENIAN MODIFIER LETTER LEFT HALF RING + {0x055D, 0x055D, prSContinue}, // Po ARMENIAN COMMA + {0x0560, 0x0588, prLower}, // L& [41] ARMENIAN SMALL LETTER TURNED AYB..ARMENIAN SMALL LETTER YI WITH STROKE + {0x0589, 0x0589, prSTerm}, // Po ARMENIAN FULL STOP + {0x0591, 0x05BD, prExtend}, // Mn [45] HEBREW ACCENT ETNAHTA..HEBREW POINT METEG + {0x05BF, 0x05BF, prExtend}, // Mn HEBREW POINT RAFE + {0x05C1, 0x05C2, prExtend}, // Mn [2] HEBREW POINT SHIN DOT..HEBREW POINT SIN DOT + {0x05C4, 0x05C5, prExtend}, // Mn [2] HEBREW MARK UPPER DOT..HEBREW MARK LOWER DOT + {0x05C7, 0x05C7, prExtend}, // Mn HEBREW POINT QAMATS QATAN + {0x05D0, 0x05EA, prOLetter}, // Lo [27] HEBREW LETTER ALEF..HEBREW LETTER TAV + {0x05EF, 0x05F2, prOLetter}, // Lo [4] HEBREW YOD TRIANGLE..HEBREW LIGATURE YIDDISH DOUBLE YOD + {0x05F3, 0x05F3, prOLetter}, // Po HEBREW PUNCTUATION GERESH + {0x0600, 0x0605, prFormat}, // Cf [6] ARABIC NUMBER SIGN..ARABIC NUMBER MARK ABOVE + {0x060C, 0x060D, prSContinue}, // Po [2] ARABIC COMMA..ARABIC DATE SEPARATOR + {0x0610, 0x061A, prExtend}, // Mn [11] ARABIC SIGN SALLALLAHOU ALAYHE WASSALLAM..ARABIC SMALL KASRA + {0x061C, 0x061C, prFormat}, // Cf ARABIC LETTER MARK + {0x061D, 0x061F, prSTerm}, // Po [3] ARABIC END OF TEXT MARK..ARABIC QUESTION MARK + {0x0620, 0x063F, prOLetter}, // Lo [32] ARABIC LETTER KASHMIRI YEH..ARABIC LETTER FARSI YEH WITH THREE DOTS ABOVE + {0x0640, 0x0640, prOLetter}, // Lm ARABIC TATWEEL + {0x0641, 0x064A, prOLetter}, // Lo [10] ARABIC LETTER FEH..ARABIC LETTER YEH + {0x064B, 0x065F, prExtend}, // Mn [21] ARABIC FATHATAN..ARABIC WAVY HAMZA BELOW + {0x0660, 0x0669, prNumeric}, // Nd [10] ARABIC-INDIC DIGIT ZERO..ARABIC-INDIC DIGIT NINE + {0x066B, 0x066C, prNumeric}, // Po [2] ARABIC DECIMAL SEPARATOR..ARABIC THOUSANDS SEPARATOR + {0x066E, 0x066F, prOLetter}, // Lo [2] ARABIC LETTER DOTLESS BEH..ARABIC LETTER DOTLESS QAF + {0x0670, 0x0670, prExtend}, // Mn ARABIC LETTER SUPERSCRIPT ALEF + {0x0671, 0x06D3, prOLetter}, // Lo [99] ARABIC LETTER ALEF WASLA..ARABIC LETTER YEH BARREE WITH HAMZA ABOVE + {0x06D4, 0x06D4, prSTerm}, // Po ARABIC FULL STOP + {0x06D5, 0x06D5, prOLetter}, // Lo ARABIC LETTER AE + {0x06D6, 0x06DC, prExtend}, // Mn [7] ARABIC SMALL HIGH LIGATURE SAD WITH LAM WITH ALEF MAKSURA..ARABIC SMALL HIGH SEEN + {0x06DD, 0x06DD, prFormat}, // Cf ARABIC END OF AYAH + {0x06DF, 0x06E4, prExtend}, // Mn [6] ARABIC SMALL HIGH ROUNDED ZERO..ARABIC SMALL HIGH MADDA + {0x06E5, 0x06E6, prOLetter}, // Lm [2] ARABIC SMALL WAW..ARABIC SMALL YEH + {0x06E7, 0x06E8, prExtend}, // Mn [2] ARABIC SMALL HIGH YEH..ARABIC SMALL HIGH NOON + {0x06EA, 0x06ED, prExtend}, // Mn [4] ARABIC EMPTY CENTRE LOW STOP..ARABIC SMALL LOW MEEM + {0x06EE, 0x06EF, prOLetter}, // Lo [2] ARABIC LETTER DAL WITH INVERTED V..ARABIC LETTER REH WITH INVERTED V + {0x06F0, 0x06F9, prNumeric}, // Nd [10] EXTENDED ARABIC-INDIC DIGIT ZERO..EXTENDED ARABIC-INDIC DIGIT NINE + {0x06FA, 0x06FC, prOLetter}, // Lo [3] ARABIC LETTER SHEEN WITH DOT BELOW..ARABIC LETTER GHAIN WITH DOT BELOW + {0x06FF, 0x06FF, prOLetter}, // Lo ARABIC LETTER HEH WITH INVERTED V + {0x0700, 0x0702, prSTerm}, // Po [3] SYRIAC END OF PARAGRAPH..SYRIAC SUBLINEAR FULL STOP + {0x070F, 0x070F, prFormat}, // Cf SYRIAC ABBREVIATION MARK + {0x0710, 0x0710, prOLetter}, // Lo SYRIAC LETTER ALAPH + {0x0711, 0x0711, prExtend}, // Mn SYRIAC LETTER SUPERSCRIPT ALAPH + {0x0712, 0x072F, prOLetter}, // Lo [30] SYRIAC LETTER BETH..SYRIAC LETTER PERSIAN DHALATH + {0x0730, 0x074A, prExtend}, // Mn [27] SYRIAC PTHAHA ABOVE..SYRIAC BARREKH + {0x074D, 0x07A5, prOLetter}, // Lo [89] SYRIAC LETTER SOGDIAN ZHAIN..THAANA LETTER WAAVU + {0x07A6, 0x07B0, prExtend}, // Mn [11] THAANA ABAFILI..THAANA SUKUN + {0x07B1, 0x07B1, prOLetter}, // Lo THAANA LETTER NAA + {0x07C0, 0x07C9, prNumeric}, // Nd [10] NKO DIGIT ZERO..NKO DIGIT NINE + {0x07CA, 0x07EA, prOLetter}, // Lo [33] NKO LETTER A..NKO LETTER JONA RA + {0x07EB, 0x07F3, prExtend}, // Mn [9] NKO COMBINING SHORT HIGH TONE..NKO COMBINING DOUBLE DOT ABOVE + {0x07F4, 0x07F5, prOLetter}, // Lm [2] NKO HIGH TONE APOSTROPHE..NKO LOW TONE APOSTROPHE + {0x07F8, 0x07F8, prSContinue}, // Po NKO COMMA + {0x07F9, 0x07F9, prSTerm}, // Po NKO EXCLAMATION MARK + {0x07FA, 0x07FA, prOLetter}, // Lm NKO LAJANYALAN + {0x07FD, 0x07FD, prExtend}, // Mn NKO DANTAYALAN + {0x0800, 0x0815, prOLetter}, // Lo [22] SAMARITAN LETTER ALAF..SAMARITAN LETTER TAAF + {0x0816, 0x0819, prExtend}, // Mn [4] SAMARITAN MARK IN..SAMARITAN MARK DAGESH + {0x081A, 0x081A, prOLetter}, // Lm SAMARITAN MODIFIER LETTER EPENTHETIC YUT + {0x081B, 0x0823, prExtend}, // Mn [9] SAMARITAN MARK EPENTHETIC YUT..SAMARITAN VOWEL SIGN A + {0x0824, 0x0824, prOLetter}, // Lm SAMARITAN MODIFIER LETTER SHORT A + {0x0825, 0x0827, prExtend}, // Mn [3] SAMARITAN VOWEL SIGN SHORT A..SAMARITAN VOWEL SIGN U + {0x0828, 0x0828, prOLetter}, // Lm SAMARITAN MODIFIER LETTER I + {0x0829, 0x082D, prExtend}, // Mn [5] SAMARITAN VOWEL SIGN LONG I..SAMARITAN MARK NEQUDAA + {0x0837, 0x0837, prSTerm}, // Po SAMARITAN PUNCTUATION MELODIC QITSA + {0x0839, 0x0839, prSTerm}, // Po SAMARITAN PUNCTUATION QITSA + {0x083D, 0x083E, prSTerm}, // Po [2] SAMARITAN PUNCTUATION SOF MASHFAAT..SAMARITAN PUNCTUATION ANNAAU + {0x0840, 0x0858, prOLetter}, // Lo [25] MANDAIC LETTER HALQA..MANDAIC LETTER AIN + {0x0859, 0x085B, prExtend}, // Mn [3] MANDAIC AFFRICATION MARK..MANDAIC GEMINATION MARK + {0x0860, 0x086A, prOLetter}, // Lo [11] SYRIAC LETTER MALAYALAM NGA..SYRIAC LETTER MALAYALAM SSA + {0x0870, 0x0887, prOLetter}, // Lo [24] ARABIC LETTER ALEF WITH ATTACHED FATHA..ARABIC BASELINE ROUND DOT + {0x0889, 0x088E, prOLetter}, // Lo [6] ARABIC LETTER NOON WITH INVERTED SMALL V..ARABIC VERTICAL TAIL + {0x0890, 0x0891, prFormat}, // Cf [2] ARABIC POUND MARK ABOVE..ARABIC PIASTRE MARK ABOVE + {0x0898, 0x089F, prExtend}, // Mn [8] ARABIC SMALL HIGH WORD AL-JUZ..ARABIC HALF MADDA OVER MADDA + {0x08A0, 0x08C8, prOLetter}, // Lo [41] ARABIC LETTER BEH WITH SMALL V BELOW..ARABIC LETTER GRAF + {0x08C9, 0x08C9, prOLetter}, // Lm ARABIC SMALL FARSI YEH + {0x08CA, 0x08E1, prExtend}, // Mn [24] ARABIC SMALL HIGH FARSI YEH..ARABIC SMALL HIGH SIGN SAFHA + {0x08E2, 0x08E2, prFormat}, // Cf ARABIC DISPUTED END OF AYAH + {0x08E3, 0x0902, prExtend}, // Mn [32] ARABIC TURNED DAMMA BELOW..DEVANAGARI SIGN ANUSVARA + {0x0903, 0x0903, prExtend}, // Mc DEVANAGARI SIGN VISARGA + {0x0904, 0x0939, prOLetter}, // Lo [54] DEVANAGARI LETTER SHORT A..DEVANAGARI LETTER HA + {0x093A, 0x093A, prExtend}, // Mn DEVANAGARI VOWEL SIGN OE + {0x093B, 0x093B, prExtend}, // Mc DEVANAGARI VOWEL SIGN OOE + {0x093C, 0x093C, prExtend}, // Mn DEVANAGARI SIGN NUKTA + {0x093D, 0x093D, prOLetter}, // Lo DEVANAGARI SIGN AVAGRAHA + {0x093E, 0x0940, prExtend}, // Mc [3] DEVANAGARI VOWEL SIGN AA..DEVANAGARI VOWEL SIGN II + {0x0941, 0x0948, prExtend}, // Mn [8] DEVANAGARI VOWEL SIGN U..DEVANAGARI VOWEL SIGN AI + {0x0949, 0x094C, prExtend}, // Mc [4] DEVANAGARI VOWEL SIGN CANDRA O..DEVANAGARI VOWEL SIGN AU + {0x094D, 0x094D, prExtend}, // Mn DEVANAGARI SIGN VIRAMA + {0x094E, 0x094F, prExtend}, // Mc [2] DEVANAGARI VOWEL SIGN PRISHTHAMATRA E..DEVANAGARI VOWEL SIGN AW + {0x0950, 0x0950, prOLetter}, // Lo DEVANAGARI OM + {0x0951, 0x0957, prExtend}, // Mn [7] DEVANAGARI STRESS SIGN UDATTA..DEVANAGARI VOWEL SIGN UUE + {0x0958, 0x0961, prOLetter}, // Lo [10] DEVANAGARI LETTER QA..DEVANAGARI LETTER VOCALIC LL + {0x0962, 0x0963, prExtend}, // Mn [2] DEVANAGARI VOWEL SIGN VOCALIC L..DEVANAGARI VOWEL SIGN VOCALIC LL + {0x0964, 0x0965, prSTerm}, // Po [2] DEVANAGARI DANDA..DEVANAGARI DOUBLE DANDA + {0x0966, 0x096F, prNumeric}, // Nd [10] DEVANAGARI DIGIT ZERO..DEVANAGARI DIGIT NINE + {0x0971, 0x0971, prOLetter}, // Lm DEVANAGARI SIGN HIGH SPACING DOT + {0x0972, 0x0980, prOLetter}, // Lo [15] DEVANAGARI LETTER CANDRA A..BENGALI ANJI + {0x0981, 0x0981, prExtend}, // Mn BENGALI SIGN CANDRABINDU + {0x0982, 0x0983, prExtend}, // Mc [2] BENGALI SIGN ANUSVARA..BENGALI SIGN VISARGA + {0x0985, 0x098C, prOLetter}, // Lo [8] BENGALI LETTER A..BENGALI LETTER VOCALIC L + {0x098F, 0x0990, prOLetter}, // Lo [2] BENGALI LETTER E..BENGALI LETTER AI + {0x0993, 0x09A8, prOLetter}, // Lo [22] BENGALI LETTER O..BENGALI LETTER NA + {0x09AA, 0x09B0, prOLetter}, // Lo [7] BENGALI LETTER PA..BENGALI LETTER RA + {0x09B2, 0x09B2, prOLetter}, // Lo BENGALI LETTER LA + {0x09B6, 0x09B9, prOLetter}, // Lo [4] BENGALI LETTER SHA..BENGALI LETTER HA + {0x09BC, 0x09BC, prExtend}, // Mn BENGALI SIGN NUKTA + {0x09BD, 0x09BD, prOLetter}, // Lo BENGALI SIGN AVAGRAHA + {0x09BE, 0x09C0, prExtend}, // Mc [3] BENGALI VOWEL SIGN AA..BENGALI VOWEL SIGN II + {0x09C1, 0x09C4, prExtend}, // Mn [4] BENGALI VOWEL SIGN U..BENGALI VOWEL SIGN VOCALIC RR + {0x09C7, 0x09C8, prExtend}, // Mc [2] BENGALI VOWEL SIGN E..BENGALI VOWEL SIGN AI + {0x09CB, 0x09CC, prExtend}, // Mc [2] BENGALI VOWEL SIGN O..BENGALI VOWEL SIGN AU + {0x09CD, 0x09CD, prExtend}, // Mn BENGALI SIGN VIRAMA + {0x09CE, 0x09CE, prOLetter}, // Lo BENGALI LETTER KHANDA TA + {0x09D7, 0x09D7, prExtend}, // Mc BENGALI AU LENGTH MARK + {0x09DC, 0x09DD, prOLetter}, // Lo [2] BENGALI LETTER RRA..BENGALI LETTER RHA + {0x09DF, 0x09E1, prOLetter}, // Lo [3] BENGALI LETTER YYA..BENGALI LETTER VOCALIC LL + {0x09E2, 0x09E3, prExtend}, // Mn [2] BENGALI VOWEL SIGN VOCALIC L..BENGALI VOWEL SIGN VOCALIC LL + {0x09E6, 0x09EF, prNumeric}, // Nd [10] BENGALI DIGIT ZERO..BENGALI DIGIT NINE + {0x09F0, 0x09F1, prOLetter}, // Lo [2] BENGALI LETTER RA WITH MIDDLE DIAGONAL..BENGALI LETTER RA WITH LOWER DIAGONAL + {0x09FC, 0x09FC, prOLetter}, // Lo BENGALI LETTER VEDIC ANUSVARA + {0x09FE, 0x09FE, prExtend}, // Mn BENGALI SANDHI MARK + {0x0A01, 0x0A02, prExtend}, // Mn [2] GURMUKHI SIGN ADAK BINDI..GURMUKHI SIGN BINDI + {0x0A03, 0x0A03, prExtend}, // Mc GURMUKHI SIGN VISARGA + {0x0A05, 0x0A0A, prOLetter}, // Lo [6] GURMUKHI LETTER A..GURMUKHI LETTER UU + {0x0A0F, 0x0A10, prOLetter}, // Lo [2] GURMUKHI LETTER EE..GURMUKHI LETTER AI + {0x0A13, 0x0A28, prOLetter}, // Lo [22] GURMUKHI LETTER OO..GURMUKHI LETTER NA + {0x0A2A, 0x0A30, prOLetter}, // Lo [7] GURMUKHI LETTER PA..GURMUKHI LETTER RA + {0x0A32, 0x0A33, prOLetter}, // Lo [2] GURMUKHI LETTER LA..GURMUKHI LETTER LLA + {0x0A35, 0x0A36, prOLetter}, // Lo [2] GURMUKHI LETTER VA..GURMUKHI LETTER SHA + {0x0A38, 0x0A39, prOLetter}, // Lo [2] GURMUKHI LETTER SA..GURMUKHI LETTER HA + {0x0A3C, 0x0A3C, prExtend}, // Mn GURMUKHI SIGN NUKTA + {0x0A3E, 0x0A40, prExtend}, // Mc [3] GURMUKHI VOWEL SIGN AA..GURMUKHI VOWEL SIGN II + {0x0A41, 0x0A42, prExtend}, // Mn [2] GURMUKHI VOWEL SIGN U..GURMUKHI VOWEL SIGN UU + {0x0A47, 0x0A48, prExtend}, // Mn [2] GURMUKHI VOWEL SIGN EE..GURMUKHI VOWEL SIGN AI + {0x0A4B, 0x0A4D, prExtend}, // Mn [3] GURMUKHI VOWEL SIGN OO..GURMUKHI SIGN VIRAMA + {0x0A51, 0x0A51, prExtend}, // Mn GURMUKHI SIGN UDAAT + {0x0A59, 0x0A5C, prOLetter}, // Lo [4] GURMUKHI LETTER KHHA..GURMUKHI LETTER RRA + {0x0A5E, 0x0A5E, prOLetter}, // Lo GURMUKHI LETTER FA + {0x0A66, 0x0A6F, prNumeric}, // Nd [10] GURMUKHI DIGIT ZERO..GURMUKHI DIGIT NINE + {0x0A70, 0x0A71, prExtend}, // Mn [2] GURMUKHI TIPPI..GURMUKHI ADDAK + {0x0A72, 0x0A74, prOLetter}, // Lo [3] GURMUKHI IRI..GURMUKHI EK ONKAR + {0x0A75, 0x0A75, prExtend}, // Mn GURMUKHI SIGN YAKASH + {0x0A81, 0x0A82, prExtend}, // Mn [2] GUJARATI SIGN CANDRABINDU..GUJARATI SIGN ANUSVARA + {0x0A83, 0x0A83, prExtend}, // Mc GUJARATI SIGN VISARGA + {0x0A85, 0x0A8D, prOLetter}, // Lo [9] GUJARATI LETTER A..GUJARATI VOWEL CANDRA E + {0x0A8F, 0x0A91, prOLetter}, // Lo [3] GUJARATI LETTER E..GUJARATI VOWEL CANDRA O + {0x0A93, 0x0AA8, prOLetter}, // Lo [22] GUJARATI LETTER O..GUJARATI LETTER NA + {0x0AAA, 0x0AB0, prOLetter}, // Lo [7] GUJARATI LETTER PA..GUJARATI LETTER RA + {0x0AB2, 0x0AB3, prOLetter}, // Lo [2] GUJARATI LETTER LA..GUJARATI LETTER LLA + {0x0AB5, 0x0AB9, prOLetter}, // Lo [5] GUJARATI LETTER VA..GUJARATI LETTER HA + {0x0ABC, 0x0ABC, prExtend}, // Mn GUJARATI SIGN NUKTA + {0x0ABD, 0x0ABD, prOLetter}, // Lo GUJARATI SIGN AVAGRAHA + {0x0ABE, 0x0AC0, prExtend}, // Mc [3] GUJARATI VOWEL SIGN AA..GUJARATI VOWEL SIGN II + {0x0AC1, 0x0AC5, prExtend}, // Mn [5] GUJARATI VOWEL SIGN U..GUJARATI VOWEL SIGN CANDRA E + {0x0AC7, 0x0AC8, prExtend}, // Mn [2] GUJARATI VOWEL SIGN E..GUJARATI VOWEL SIGN AI + {0x0AC9, 0x0AC9, prExtend}, // Mc GUJARATI VOWEL SIGN CANDRA O + {0x0ACB, 0x0ACC, prExtend}, // Mc [2] GUJARATI VOWEL SIGN O..GUJARATI VOWEL SIGN AU + {0x0ACD, 0x0ACD, prExtend}, // Mn GUJARATI SIGN VIRAMA + {0x0AD0, 0x0AD0, prOLetter}, // Lo GUJARATI OM + {0x0AE0, 0x0AE1, prOLetter}, // Lo [2] GUJARATI LETTER VOCALIC RR..GUJARATI LETTER VOCALIC LL + {0x0AE2, 0x0AE3, prExtend}, // Mn [2] GUJARATI VOWEL SIGN VOCALIC L..GUJARATI VOWEL SIGN VOCALIC LL + {0x0AE6, 0x0AEF, prNumeric}, // Nd [10] GUJARATI DIGIT ZERO..GUJARATI DIGIT NINE + {0x0AF9, 0x0AF9, prOLetter}, // Lo GUJARATI LETTER ZHA + {0x0AFA, 0x0AFF, prExtend}, // Mn [6] GUJARATI SIGN SUKUN..GUJARATI SIGN TWO-CIRCLE NUKTA ABOVE + {0x0B01, 0x0B01, prExtend}, // Mn ORIYA SIGN CANDRABINDU + {0x0B02, 0x0B03, prExtend}, // Mc [2] ORIYA SIGN ANUSVARA..ORIYA SIGN VISARGA + {0x0B05, 0x0B0C, prOLetter}, // Lo [8] ORIYA LETTER A..ORIYA LETTER VOCALIC L + {0x0B0F, 0x0B10, prOLetter}, // Lo [2] ORIYA LETTER E..ORIYA LETTER AI + {0x0B13, 0x0B28, prOLetter}, // Lo [22] ORIYA LETTER O..ORIYA LETTER NA + {0x0B2A, 0x0B30, prOLetter}, // Lo [7] ORIYA LETTER PA..ORIYA LETTER RA + {0x0B32, 0x0B33, prOLetter}, // Lo [2] ORIYA LETTER LA..ORIYA LETTER LLA + {0x0B35, 0x0B39, prOLetter}, // Lo [5] ORIYA LETTER VA..ORIYA LETTER HA + {0x0B3C, 0x0B3C, prExtend}, // Mn ORIYA SIGN NUKTA + {0x0B3D, 0x0B3D, prOLetter}, // Lo ORIYA SIGN AVAGRAHA + {0x0B3E, 0x0B3E, prExtend}, // Mc ORIYA VOWEL SIGN AA + {0x0B3F, 0x0B3F, prExtend}, // Mn ORIYA VOWEL SIGN I + {0x0B40, 0x0B40, prExtend}, // Mc ORIYA VOWEL SIGN II + {0x0B41, 0x0B44, prExtend}, // Mn [4] ORIYA VOWEL SIGN U..ORIYA VOWEL SIGN VOCALIC RR + {0x0B47, 0x0B48, prExtend}, // Mc [2] ORIYA VOWEL SIGN E..ORIYA VOWEL SIGN AI + {0x0B4B, 0x0B4C, prExtend}, // Mc [2] ORIYA VOWEL SIGN O..ORIYA VOWEL SIGN AU + {0x0B4D, 0x0B4D, prExtend}, // Mn ORIYA SIGN VIRAMA + {0x0B55, 0x0B56, prExtend}, // Mn [2] ORIYA SIGN OVERLINE..ORIYA AI LENGTH MARK + {0x0B57, 0x0B57, prExtend}, // Mc ORIYA AU LENGTH MARK + {0x0B5C, 0x0B5D, prOLetter}, // Lo [2] ORIYA LETTER RRA..ORIYA LETTER RHA + {0x0B5F, 0x0B61, prOLetter}, // Lo [3] ORIYA LETTER YYA..ORIYA LETTER VOCALIC LL + {0x0B62, 0x0B63, prExtend}, // Mn [2] ORIYA VOWEL SIGN VOCALIC L..ORIYA VOWEL SIGN VOCALIC LL + {0x0B66, 0x0B6F, prNumeric}, // Nd [10] ORIYA DIGIT ZERO..ORIYA DIGIT NINE + {0x0B71, 0x0B71, prOLetter}, // Lo ORIYA LETTER WA + {0x0B82, 0x0B82, prExtend}, // Mn TAMIL SIGN ANUSVARA + {0x0B83, 0x0B83, prOLetter}, // Lo TAMIL SIGN VISARGA + {0x0B85, 0x0B8A, prOLetter}, // Lo [6] TAMIL LETTER A..TAMIL LETTER UU + {0x0B8E, 0x0B90, prOLetter}, // Lo [3] TAMIL LETTER E..TAMIL LETTER AI + {0x0B92, 0x0B95, prOLetter}, // Lo [4] TAMIL LETTER O..TAMIL LETTER KA + {0x0B99, 0x0B9A, prOLetter}, // Lo [2] TAMIL LETTER NGA..TAMIL LETTER CA + {0x0B9C, 0x0B9C, prOLetter}, // Lo TAMIL LETTER JA + {0x0B9E, 0x0B9F, prOLetter}, // Lo [2] TAMIL LETTER NYA..TAMIL LETTER TTA + {0x0BA3, 0x0BA4, prOLetter}, // Lo [2] TAMIL LETTER NNA..TAMIL LETTER TA + {0x0BA8, 0x0BAA, prOLetter}, // Lo [3] TAMIL LETTER NA..TAMIL LETTER PA + {0x0BAE, 0x0BB9, prOLetter}, // Lo [12] TAMIL LETTER MA..TAMIL LETTER HA + {0x0BBE, 0x0BBF, prExtend}, // Mc [2] TAMIL VOWEL SIGN AA..TAMIL VOWEL SIGN I + {0x0BC0, 0x0BC0, prExtend}, // Mn TAMIL VOWEL SIGN II + {0x0BC1, 0x0BC2, prExtend}, // Mc [2] TAMIL VOWEL SIGN U..TAMIL VOWEL SIGN UU + {0x0BC6, 0x0BC8, prExtend}, // Mc [3] TAMIL VOWEL SIGN E..TAMIL VOWEL SIGN AI + {0x0BCA, 0x0BCC, prExtend}, // Mc [3] TAMIL VOWEL SIGN O..TAMIL VOWEL SIGN AU + {0x0BCD, 0x0BCD, prExtend}, // Mn TAMIL SIGN VIRAMA + {0x0BD0, 0x0BD0, prOLetter}, // Lo TAMIL OM + {0x0BD7, 0x0BD7, prExtend}, // Mc TAMIL AU LENGTH MARK + {0x0BE6, 0x0BEF, prNumeric}, // Nd [10] TAMIL DIGIT ZERO..TAMIL DIGIT NINE + {0x0C00, 0x0C00, prExtend}, // Mn TELUGU SIGN COMBINING CANDRABINDU ABOVE + {0x0C01, 0x0C03, prExtend}, // Mc [3] TELUGU SIGN CANDRABINDU..TELUGU SIGN VISARGA + {0x0C04, 0x0C04, prExtend}, // Mn TELUGU SIGN COMBINING ANUSVARA ABOVE + {0x0C05, 0x0C0C, prOLetter}, // Lo [8] TELUGU LETTER A..TELUGU LETTER VOCALIC L + {0x0C0E, 0x0C10, prOLetter}, // Lo [3] TELUGU LETTER E..TELUGU LETTER AI + {0x0C12, 0x0C28, prOLetter}, // Lo [23] TELUGU LETTER O..TELUGU LETTER NA + {0x0C2A, 0x0C39, prOLetter}, // Lo [16] TELUGU LETTER PA..TELUGU LETTER HA + {0x0C3C, 0x0C3C, prExtend}, // Mn TELUGU SIGN NUKTA + {0x0C3D, 0x0C3D, prOLetter}, // Lo TELUGU SIGN AVAGRAHA + {0x0C3E, 0x0C40, prExtend}, // Mn [3] TELUGU VOWEL SIGN AA..TELUGU VOWEL SIGN II + {0x0C41, 0x0C44, prExtend}, // Mc [4] TELUGU VOWEL SIGN U..TELUGU VOWEL SIGN VOCALIC RR + {0x0C46, 0x0C48, prExtend}, // Mn [3] TELUGU VOWEL SIGN E..TELUGU VOWEL SIGN AI + {0x0C4A, 0x0C4D, prExtend}, // Mn [4] TELUGU VOWEL SIGN O..TELUGU SIGN VIRAMA + {0x0C55, 0x0C56, prExtend}, // Mn [2] TELUGU LENGTH MARK..TELUGU AI LENGTH MARK + {0x0C58, 0x0C5A, prOLetter}, // Lo [3] TELUGU LETTER TSA..TELUGU LETTER RRRA + {0x0C5D, 0x0C5D, prOLetter}, // Lo TELUGU LETTER NAKAARA POLLU + {0x0C60, 0x0C61, prOLetter}, // Lo [2] TELUGU LETTER VOCALIC RR..TELUGU LETTER VOCALIC LL + {0x0C62, 0x0C63, prExtend}, // Mn [2] TELUGU VOWEL SIGN VOCALIC L..TELUGU VOWEL SIGN VOCALIC LL + {0x0C66, 0x0C6F, prNumeric}, // Nd [10] TELUGU DIGIT ZERO..TELUGU DIGIT NINE + {0x0C80, 0x0C80, prOLetter}, // Lo KANNADA SIGN SPACING CANDRABINDU + {0x0C81, 0x0C81, prExtend}, // Mn KANNADA SIGN CANDRABINDU + {0x0C82, 0x0C83, prExtend}, // Mc [2] KANNADA SIGN ANUSVARA..KANNADA SIGN VISARGA + {0x0C85, 0x0C8C, prOLetter}, // Lo [8] KANNADA LETTER A..KANNADA LETTER VOCALIC L + {0x0C8E, 0x0C90, prOLetter}, // Lo [3] KANNADA LETTER E..KANNADA LETTER AI + {0x0C92, 0x0CA8, prOLetter}, // Lo [23] KANNADA LETTER O..KANNADA LETTER NA + {0x0CAA, 0x0CB3, prOLetter}, // Lo [10] KANNADA LETTER PA..KANNADA LETTER LLA + {0x0CB5, 0x0CB9, prOLetter}, // Lo [5] KANNADA LETTER VA..KANNADA LETTER HA + {0x0CBC, 0x0CBC, prExtend}, // Mn KANNADA SIGN NUKTA + {0x0CBD, 0x0CBD, prOLetter}, // Lo KANNADA SIGN AVAGRAHA + {0x0CBE, 0x0CBE, prExtend}, // Mc KANNADA VOWEL SIGN AA + {0x0CBF, 0x0CBF, prExtend}, // Mn KANNADA VOWEL SIGN I + {0x0CC0, 0x0CC4, prExtend}, // Mc [5] KANNADA VOWEL SIGN II..KANNADA VOWEL SIGN VOCALIC RR + {0x0CC6, 0x0CC6, prExtend}, // Mn KANNADA VOWEL SIGN E + {0x0CC7, 0x0CC8, prExtend}, // Mc [2] KANNADA VOWEL SIGN EE..KANNADA VOWEL SIGN AI + {0x0CCA, 0x0CCB, prExtend}, // Mc [2] KANNADA VOWEL SIGN O..KANNADA VOWEL SIGN OO + {0x0CCC, 0x0CCD, prExtend}, // Mn [2] KANNADA VOWEL SIGN AU..KANNADA SIGN VIRAMA + {0x0CD5, 0x0CD6, prExtend}, // Mc [2] KANNADA LENGTH MARK..KANNADA AI LENGTH MARK + {0x0CDD, 0x0CDE, prOLetter}, // Lo [2] KANNADA LETTER NAKAARA POLLU..KANNADA LETTER FA + {0x0CE0, 0x0CE1, prOLetter}, // Lo [2] KANNADA LETTER VOCALIC RR..KANNADA LETTER VOCALIC LL + {0x0CE2, 0x0CE3, prExtend}, // Mn [2] KANNADA VOWEL SIGN VOCALIC L..KANNADA VOWEL SIGN VOCALIC LL + {0x0CE6, 0x0CEF, prNumeric}, // Nd [10] KANNADA DIGIT ZERO..KANNADA DIGIT NINE + {0x0CF1, 0x0CF2, prOLetter}, // Lo [2] KANNADA SIGN JIHVAMULIYA..KANNADA SIGN UPADHMANIYA + {0x0CF3, 0x0CF3, prExtend}, // Mc KANNADA SIGN COMBINING ANUSVARA ABOVE RIGHT + {0x0D00, 0x0D01, prExtend}, // Mn [2] MALAYALAM SIGN COMBINING ANUSVARA ABOVE..MALAYALAM SIGN CANDRABINDU + {0x0D02, 0x0D03, prExtend}, // Mc [2] MALAYALAM SIGN ANUSVARA..MALAYALAM SIGN VISARGA + {0x0D04, 0x0D0C, prOLetter}, // Lo [9] MALAYALAM LETTER VEDIC ANUSVARA..MALAYALAM LETTER VOCALIC L + {0x0D0E, 0x0D10, prOLetter}, // Lo [3] MALAYALAM LETTER E..MALAYALAM LETTER AI + {0x0D12, 0x0D3A, prOLetter}, // Lo [41] MALAYALAM LETTER O..MALAYALAM LETTER TTTA + {0x0D3B, 0x0D3C, prExtend}, // Mn [2] MALAYALAM SIGN VERTICAL BAR VIRAMA..MALAYALAM SIGN CIRCULAR VIRAMA + {0x0D3D, 0x0D3D, prOLetter}, // Lo MALAYALAM SIGN AVAGRAHA + {0x0D3E, 0x0D40, prExtend}, // Mc [3] MALAYALAM VOWEL SIGN AA..MALAYALAM VOWEL SIGN II + {0x0D41, 0x0D44, prExtend}, // Mn [4] MALAYALAM VOWEL SIGN U..MALAYALAM VOWEL SIGN VOCALIC RR + {0x0D46, 0x0D48, prExtend}, // Mc [3] MALAYALAM VOWEL SIGN E..MALAYALAM VOWEL SIGN AI + {0x0D4A, 0x0D4C, prExtend}, // Mc [3] MALAYALAM VOWEL SIGN O..MALAYALAM VOWEL SIGN AU + {0x0D4D, 0x0D4D, prExtend}, // Mn MALAYALAM SIGN VIRAMA + {0x0D4E, 0x0D4E, prOLetter}, // Lo MALAYALAM LETTER DOT REPH + {0x0D54, 0x0D56, prOLetter}, // Lo [3] MALAYALAM LETTER CHILLU M..MALAYALAM LETTER CHILLU LLL + {0x0D57, 0x0D57, prExtend}, // Mc MALAYALAM AU LENGTH MARK + {0x0D5F, 0x0D61, prOLetter}, // Lo [3] MALAYALAM LETTER ARCHAIC II..MALAYALAM LETTER VOCALIC LL + {0x0D62, 0x0D63, prExtend}, // Mn [2] MALAYALAM VOWEL SIGN VOCALIC L..MALAYALAM VOWEL SIGN VOCALIC LL + {0x0D66, 0x0D6F, prNumeric}, // Nd [10] MALAYALAM DIGIT ZERO..MALAYALAM DIGIT NINE + {0x0D7A, 0x0D7F, prOLetter}, // Lo [6] MALAYALAM LETTER CHILLU NN..MALAYALAM LETTER CHILLU K + {0x0D81, 0x0D81, prExtend}, // Mn SINHALA SIGN CANDRABINDU + {0x0D82, 0x0D83, prExtend}, // Mc [2] SINHALA SIGN ANUSVARAYA..SINHALA SIGN VISARGAYA + {0x0D85, 0x0D96, prOLetter}, // Lo [18] SINHALA LETTER AYANNA..SINHALA LETTER AUYANNA + {0x0D9A, 0x0DB1, prOLetter}, // Lo [24] SINHALA LETTER ALPAPRAANA KAYANNA..SINHALA LETTER DANTAJA NAYANNA + {0x0DB3, 0x0DBB, prOLetter}, // Lo [9] SINHALA LETTER SANYAKA DAYANNA..SINHALA LETTER RAYANNA + {0x0DBD, 0x0DBD, prOLetter}, // Lo SINHALA LETTER DANTAJA LAYANNA + {0x0DC0, 0x0DC6, prOLetter}, // Lo [7] SINHALA LETTER VAYANNA..SINHALA LETTER FAYANNA + {0x0DCA, 0x0DCA, prExtend}, // Mn SINHALA SIGN AL-LAKUNA + {0x0DCF, 0x0DD1, prExtend}, // Mc [3] SINHALA VOWEL SIGN AELA-PILLA..SINHALA VOWEL SIGN DIGA AEDA-PILLA + {0x0DD2, 0x0DD4, prExtend}, // Mn [3] SINHALA VOWEL SIGN KETTI IS-PILLA..SINHALA VOWEL SIGN KETTI PAA-PILLA + {0x0DD6, 0x0DD6, prExtend}, // Mn SINHALA VOWEL SIGN DIGA PAA-PILLA + {0x0DD8, 0x0DDF, prExtend}, // Mc [8] SINHALA VOWEL SIGN GAETTA-PILLA..SINHALA VOWEL SIGN GAYANUKITTA + {0x0DE6, 0x0DEF, prNumeric}, // Nd [10] SINHALA LITH DIGIT ZERO..SINHALA LITH DIGIT NINE + {0x0DF2, 0x0DF3, prExtend}, // Mc [2] SINHALA VOWEL SIGN DIGA GAETTA-PILLA..SINHALA VOWEL SIGN DIGA GAYANUKITTA + {0x0E01, 0x0E30, prOLetter}, // Lo [48] THAI CHARACTER KO KAI..THAI CHARACTER SARA A + {0x0E31, 0x0E31, prExtend}, // Mn THAI CHARACTER MAI HAN-AKAT + {0x0E32, 0x0E33, prOLetter}, // Lo [2] THAI CHARACTER SARA AA..THAI CHARACTER SARA AM + {0x0E34, 0x0E3A, prExtend}, // Mn [7] THAI CHARACTER SARA I..THAI CHARACTER PHINTHU + {0x0E40, 0x0E45, prOLetter}, // Lo [6] THAI CHARACTER SARA E..THAI CHARACTER LAKKHANGYAO + {0x0E46, 0x0E46, prOLetter}, // Lm THAI CHARACTER MAIYAMOK + {0x0E47, 0x0E4E, prExtend}, // Mn [8] THAI CHARACTER MAITAIKHU..THAI CHARACTER YAMAKKAN + {0x0E50, 0x0E59, prNumeric}, // Nd [10] THAI DIGIT ZERO..THAI DIGIT NINE + {0x0E81, 0x0E82, prOLetter}, // Lo [2] LAO LETTER KO..LAO LETTER KHO SUNG + {0x0E84, 0x0E84, prOLetter}, // Lo LAO LETTER KHO TAM + {0x0E86, 0x0E8A, prOLetter}, // Lo [5] LAO LETTER PALI GHA..LAO LETTER SO TAM + {0x0E8C, 0x0EA3, prOLetter}, // Lo [24] LAO LETTER PALI JHA..LAO LETTER LO LING + {0x0EA5, 0x0EA5, prOLetter}, // Lo LAO LETTER LO LOOT + {0x0EA7, 0x0EB0, prOLetter}, // Lo [10] LAO LETTER WO..LAO VOWEL SIGN A + {0x0EB1, 0x0EB1, prExtend}, // Mn LAO VOWEL SIGN MAI KAN + {0x0EB2, 0x0EB3, prOLetter}, // Lo [2] LAO VOWEL SIGN AA..LAO VOWEL SIGN AM + {0x0EB4, 0x0EBC, prExtend}, // Mn [9] LAO VOWEL SIGN I..LAO SEMIVOWEL SIGN LO + {0x0EBD, 0x0EBD, prOLetter}, // Lo LAO SEMIVOWEL SIGN NYO + {0x0EC0, 0x0EC4, prOLetter}, // Lo [5] LAO VOWEL SIGN E..LAO VOWEL SIGN AI + {0x0EC6, 0x0EC6, prOLetter}, // Lm LAO KO LA + {0x0EC8, 0x0ECE, prExtend}, // Mn [7] LAO TONE MAI EK..LAO YAMAKKAN + {0x0ED0, 0x0ED9, prNumeric}, // Nd [10] LAO DIGIT ZERO..LAO DIGIT NINE + {0x0EDC, 0x0EDF, prOLetter}, // Lo [4] LAO HO NO..LAO LETTER KHMU NYO + {0x0F00, 0x0F00, prOLetter}, // Lo TIBETAN SYLLABLE OM + {0x0F18, 0x0F19, prExtend}, // Mn [2] TIBETAN ASTROLOGICAL SIGN -KHYUD PA..TIBETAN ASTROLOGICAL SIGN SDONG TSHUGS + {0x0F20, 0x0F29, prNumeric}, // Nd [10] TIBETAN DIGIT ZERO..TIBETAN DIGIT NINE + {0x0F35, 0x0F35, prExtend}, // Mn TIBETAN MARK NGAS BZUNG NYI ZLA + {0x0F37, 0x0F37, prExtend}, // Mn TIBETAN MARK NGAS BZUNG SGOR RTAGS + {0x0F39, 0x0F39, prExtend}, // Mn TIBETAN MARK TSA -PHRU + {0x0F3A, 0x0F3A, prClose}, // Ps TIBETAN MARK GUG RTAGS GYON + {0x0F3B, 0x0F3B, prClose}, // Pe TIBETAN MARK GUG RTAGS GYAS + {0x0F3C, 0x0F3C, prClose}, // Ps TIBETAN MARK ANG KHANG GYON + {0x0F3D, 0x0F3D, prClose}, // Pe TIBETAN MARK ANG KHANG GYAS + {0x0F3E, 0x0F3F, prExtend}, // Mc [2] TIBETAN SIGN YAR TSHES..TIBETAN SIGN MAR TSHES + {0x0F40, 0x0F47, prOLetter}, // Lo [8] TIBETAN LETTER KA..TIBETAN LETTER JA + {0x0F49, 0x0F6C, prOLetter}, // Lo [36] TIBETAN LETTER NYA..TIBETAN LETTER RRA + {0x0F71, 0x0F7E, prExtend}, // Mn [14] TIBETAN VOWEL SIGN AA..TIBETAN SIGN RJES SU NGA RO + {0x0F7F, 0x0F7F, prExtend}, // Mc TIBETAN SIGN RNAM BCAD + {0x0F80, 0x0F84, prExtend}, // Mn [5] TIBETAN VOWEL SIGN REVERSED I..TIBETAN MARK HALANTA + {0x0F86, 0x0F87, prExtend}, // Mn [2] TIBETAN SIGN LCI RTAGS..TIBETAN SIGN YANG RTAGS + {0x0F88, 0x0F8C, prOLetter}, // Lo [5] TIBETAN SIGN LCE TSA CAN..TIBETAN SIGN INVERTED MCHU CAN + {0x0F8D, 0x0F97, prExtend}, // Mn [11] TIBETAN SUBJOINED SIGN LCE TSA CAN..TIBETAN SUBJOINED LETTER JA + {0x0F99, 0x0FBC, prExtend}, // Mn [36] TIBETAN SUBJOINED LETTER NYA..TIBETAN SUBJOINED LETTER FIXED-FORM RA + {0x0FC6, 0x0FC6, prExtend}, // Mn TIBETAN SYMBOL PADMA GDAN + {0x1000, 0x102A, prOLetter}, // Lo [43] MYANMAR LETTER KA..MYANMAR LETTER AU + {0x102B, 0x102C, prExtend}, // Mc [2] MYANMAR VOWEL SIGN TALL AA..MYANMAR VOWEL SIGN AA + {0x102D, 0x1030, prExtend}, // Mn [4] MYANMAR VOWEL SIGN I..MYANMAR VOWEL SIGN UU + {0x1031, 0x1031, prExtend}, // Mc MYANMAR VOWEL SIGN E + {0x1032, 0x1037, prExtend}, // Mn [6] MYANMAR VOWEL SIGN AI..MYANMAR SIGN DOT BELOW + {0x1038, 0x1038, prExtend}, // Mc MYANMAR SIGN VISARGA + {0x1039, 0x103A, prExtend}, // Mn [2] MYANMAR SIGN VIRAMA..MYANMAR SIGN ASAT + {0x103B, 0x103C, prExtend}, // Mc [2] MYANMAR CONSONANT SIGN MEDIAL YA..MYANMAR CONSONANT SIGN MEDIAL RA + {0x103D, 0x103E, prExtend}, // Mn [2] MYANMAR CONSONANT SIGN MEDIAL WA..MYANMAR CONSONANT SIGN MEDIAL HA + {0x103F, 0x103F, prOLetter}, // Lo MYANMAR LETTER GREAT SA + {0x1040, 0x1049, prNumeric}, // Nd [10] MYANMAR DIGIT ZERO..MYANMAR DIGIT NINE + {0x104A, 0x104B, prSTerm}, // Po [2] MYANMAR SIGN LITTLE SECTION..MYANMAR SIGN SECTION + {0x1050, 0x1055, prOLetter}, // Lo [6] MYANMAR LETTER SHA..MYANMAR LETTER VOCALIC LL + {0x1056, 0x1057, prExtend}, // Mc [2] MYANMAR VOWEL SIGN VOCALIC R..MYANMAR VOWEL SIGN VOCALIC RR + {0x1058, 0x1059, prExtend}, // Mn [2] MYANMAR VOWEL SIGN VOCALIC L..MYANMAR VOWEL SIGN VOCALIC LL + {0x105A, 0x105D, prOLetter}, // Lo [4] MYANMAR LETTER MON NGA..MYANMAR LETTER MON BBE + {0x105E, 0x1060, prExtend}, // Mn [3] MYANMAR CONSONANT SIGN MON MEDIAL NA..MYANMAR CONSONANT SIGN MON MEDIAL LA + {0x1061, 0x1061, prOLetter}, // Lo MYANMAR LETTER SGAW KAREN SHA + {0x1062, 0x1064, prExtend}, // Mc [3] MYANMAR VOWEL SIGN SGAW KAREN EU..MYANMAR TONE MARK SGAW KAREN KE PHO + {0x1065, 0x1066, prOLetter}, // Lo [2] MYANMAR LETTER WESTERN PWO KAREN THA..MYANMAR LETTER WESTERN PWO KAREN PWA + {0x1067, 0x106D, prExtend}, // Mc [7] MYANMAR VOWEL SIGN WESTERN PWO KAREN EU..MYANMAR SIGN WESTERN PWO KAREN TONE-5 + {0x106E, 0x1070, prOLetter}, // Lo [3] MYANMAR LETTER EASTERN PWO KAREN NNA..MYANMAR LETTER EASTERN PWO KAREN GHWA + {0x1071, 0x1074, prExtend}, // Mn [4] MYANMAR VOWEL SIGN GEBA KAREN I..MYANMAR VOWEL SIGN KAYAH EE + {0x1075, 0x1081, prOLetter}, // Lo [13] MYANMAR LETTER SHAN KA..MYANMAR LETTER SHAN HA + {0x1082, 0x1082, prExtend}, // Mn MYANMAR CONSONANT SIGN SHAN MEDIAL WA + {0x1083, 0x1084, prExtend}, // Mc [2] MYANMAR VOWEL SIGN SHAN AA..MYANMAR VOWEL SIGN SHAN E + {0x1085, 0x1086, prExtend}, // Mn [2] MYANMAR VOWEL SIGN SHAN E ABOVE..MYANMAR VOWEL SIGN SHAN FINAL Y + {0x1087, 0x108C, prExtend}, // Mc [6] MYANMAR SIGN SHAN TONE-2..MYANMAR SIGN SHAN COUNCIL TONE-3 + {0x108D, 0x108D, prExtend}, // Mn MYANMAR SIGN SHAN COUNCIL EMPHATIC TONE + {0x108E, 0x108E, prOLetter}, // Lo MYANMAR LETTER RUMAI PALAUNG FA + {0x108F, 0x108F, prExtend}, // Mc MYANMAR SIGN RUMAI PALAUNG TONE-5 + {0x1090, 0x1099, prNumeric}, // Nd [10] MYANMAR SHAN DIGIT ZERO..MYANMAR SHAN DIGIT NINE + {0x109A, 0x109C, prExtend}, // Mc [3] MYANMAR SIGN KHAMTI TONE-1..MYANMAR VOWEL SIGN AITON A + {0x109D, 0x109D, prExtend}, // Mn MYANMAR VOWEL SIGN AITON AI + {0x10A0, 0x10C5, prUpper}, // L& [38] GEORGIAN CAPITAL LETTER AN..GEORGIAN CAPITAL LETTER HOE + {0x10C7, 0x10C7, prUpper}, // L& GEORGIAN CAPITAL LETTER YN + {0x10CD, 0x10CD, prUpper}, // L& GEORGIAN CAPITAL LETTER AEN + {0x10D0, 0x10FA, prOLetter}, // L& [43] GEORGIAN LETTER AN..GEORGIAN LETTER AIN + {0x10FC, 0x10FC, prLower}, // Lm MODIFIER LETTER GEORGIAN NAR + {0x10FD, 0x10FF, prOLetter}, // L& [3] GEORGIAN LETTER AEN..GEORGIAN LETTER LABIAL SIGN + {0x1100, 0x1248, prOLetter}, // Lo [329] HANGUL CHOSEONG KIYEOK..ETHIOPIC SYLLABLE QWA + {0x124A, 0x124D, prOLetter}, // Lo [4] ETHIOPIC SYLLABLE QWI..ETHIOPIC SYLLABLE QWE + {0x1250, 0x1256, prOLetter}, // Lo [7] ETHIOPIC SYLLABLE QHA..ETHIOPIC SYLLABLE QHO + {0x1258, 0x1258, prOLetter}, // Lo ETHIOPIC SYLLABLE QHWA + {0x125A, 0x125D, prOLetter}, // Lo [4] ETHIOPIC SYLLABLE QHWI..ETHIOPIC SYLLABLE QHWE + {0x1260, 0x1288, prOLetter}, // Lo [41] ETHIOPIC SYLLABLE BA..ETHIOPIC SYLLABLE XWA + {0x128A, 0x128D, prOLetter}, // Lo [4] ETHIOPIC SYLLABLE XWI..ETHIOPIC SYLLABLE XWE + {0x1290, 0x12B0, prOLetter}, // Lo [33] ETHIOPIC SYLLABLE NA..ETHIOPIC SYLLABLE KWA + {0x12B2, 0x12B5, prOLetter}, // Lo [4] ETHIOPIC SYLLABLE KWI..ETHIOPIC SYLLABLE KWE + {0x12B8, 0x12BE, prOLetter}, // Lo [7] ETHIOPIC SYLLABLE KXA..ETHIOPIC SYLLABLE KXO + {0x12C0, 0x12C0, prOLetter}, // Lo ETHIOPIC SYLLABLE KXWA + {0x12C2, 0x12C5, prOLetter}, // Lo [4] ETHIOPIC SYLLABLE KXWI..ETHIOPIC SYLLABLE KXWE + {0x12C8, 0x12D6, prOLetter}, // Lo [15] ETHIOPIC SYLLABLE WA..ETHIOPIC SYLLABLE PHARYNGEAL O + {0x12D8, 0x1310, prOLetter}, // Lo [57] ETHIOPIC SYLLABLE ZA..ETHIOPIC SYLLABLE GWA + {0x1312, 0x1315, prOLetter}, // Lo [4] ETHIOPIC SYLLABLE GWI..ETHIOPIC SYLLABLE GWE + {0x1318, 0x135A, prOLetter}, // Lo [67] ETHIOPIC SYLLABLE GGA..ETHIOPIC SYLLABLE FYA + {0x135D, 0x135F, prExtend}, // Mn [3] ETHIOPIC COMBINING GEMINATION AND VOWEL LENGTH MARK..ETHIOPIC COMBINING GEMINATION MARK + {0x1362, 0x1362, prSTerm}, // Po ETHIOPIC FULL STOP + {0x1367, 0x1368, prSTerm}, // Po [2] ETHIOPIC QUESTION MARK..ETHIOPIC PARAGRAPH SEPARATOR + {0x1380, 0x138F, prOLetter}, // Lo [16] ETHIOPIC SYLLABLE SEBATBEIT MWA..ETHIOPIC SYLLABLE PWE + {0x13A0, 0x13F5, prUpper}, // L& [86] CHEROKEE LETTER A..CHEROKEE LETTER MV + {0x13F8, 0x13FD, prLower}, // L& [6] CHEROKEE SMALL LETTER YE..CHEROKEE SMALL LETTER MV + {0x1401, 0x166C, prOLetter}, // Lo [620] CANADIAN SYLLABICS E..CANADIAN SYLLABICS CARRIER TTSA + {0x166E, 0x166E, prSTerm}, // Po CANADIAN SYLLABICS FULL STOP + {0x166F, 0x167F, prOLetter}, // Lo [17] CANADIAN SYLLABICS QAI..CANADIAN SYLLABICS BLACKFOOT W + {0x1680, 0x1680, prSp}, // Zs OGHAM SPACE MARK + {0x1681, 0x169A, prOLetter}, // Lo [26] OGHAM LETTER BEITH..OGHAM LETTER PEITH + {0x169B, 0x169B, prClose}, // Ps OGHAM FEATHER MARK + {0x169C, 0x169C, prClose}, // Pe OGHAM REVERSED FEATHER MARK + {0x16A0, 0x16EA, prOLetter}, // Lo [75] RUNIC LETTER FEHU FEOH FE F..RUNIC LETTER X + {0x16EE, 0x16F0, prOLetter}, // Nl [3] RUNIC ARLAUG SYMBOL..RUNIC BELGTHOR SYMBOL + {0x16F1, 0x16F8, prOLetter}, // Lo [8] RUNIC LETTER K..RUNIC LETTER FRANKS CASKET AESC + {0x1700, 0x1711, prOLetter}, // Lo [18] TAGALOG LETTER A..TAGALOG LETTER HA + {0x1712, 0x1714, prExtend}, // Mn [3] TAGALOG VOWEL SIGN I..TAGALOG SIGN VIRAMA + {0x1715, 0x1715, prExtend}, // Mc TAGALOG SIGN PAMUDPOD + {0x171F, 0x1731, prOLetter}, // Lo [19] TAGALOG LETTER ARCHAIC RA..HANUNOO LETTER HA + {0x1732, 0x1733, prExtend}, // Mn [2] HANUNOO VOWEL SIGN I..HANUNOO VOWEL SIGN U + {0x1734, 0x1734, prExtend}, // Mc HANUNOO SIGN PAMUDPOD + {0x1735, 0x1736, prSTerm}, // Po [2] PHILIPPINE SINGLE PUNCTUATION..PHILIPPINE DOUBLE PUNCTUATION + {0x1740, 0x1751, prOLetter}, // Lo [18] BUHID LETTER A..BUHID LETTER HA + {0x1752, 0x1753, prExtend}, // Mn [2] BUHID VOWEL SIGN I..BUHID VOWEL SIGN U + {0x1760, 0x176C, prOLetter}, // Lo [13] TAGBANWA LETTER A..TAGBANWA LETTER YA + {0x176E, 0x1770, prOLetter}, // Lo [3] TAGBANWA LETTER LA..TAGBANWA LETTER SA + {0x1772, 0x1773, prExtend}, // Mn [2] TAGBANWA VOWEL SIGN I..TAGBANWA VOWEL SIGN U + {0x1780, 0x17B3, prOLetter}, // Lo [52] KHMER LETTER KA..KHMER INDEPENDENT VOWEL QAU + {0x17B4, 0x17B5, prExtend}, // Mn [2] KHMER VOWEL INHERENT AQ..KHMER VOWEL INHERENT AA + {0x17B6, 0x17B6, prExtend}, // Mc KHMER VOWEL SIGN AA + {0x17B7, 0x17BD, prExtend}, // Mn [7] KHMER VOWEL SIGN I..KHMER VOWEL SIGN UA + {0x17BE, 0x17C5, prExtend}, // Mc [8] KHMER VOWEL SIGN OE..KHMER VOWEL SIGN AU + {0x17C6, 0x17C6, prExtend}, // Mn KHMER SIGN NIKAHIT + {0x17C7, 0x17C8, prExtend}, // Mc [2] KHMER SIGN REAHMUK..KHMER SIGN YUUKALEAPINTU + {0x17C9, 0x17D3, prExtend}, // Mn [11] KHMER SIGN MUUSIKATOAN..KHMER SIGN BATHAMASAT + {0x17D7, 0x17D7, prOLetter}, // Lm KHMER SIGN LEK TOO + {0x17DC, 0x17DC, prOLetter}, // Lo KHMER SIGN AVAKRAHASANYA + {0x17DD, 0x17DD, prExtend}, // Mn KHMER SIGN ATTHACAN + {0x17E0, 0x17E9, prNumeric}, // Nd [10] KHMER DIGIT ZERO..KHMER DIGIT NINE + {0x1802, 0x1802, prSContinue}, // Po MONGOLIAN COMMA + {0x1803, 0x1803, prSTerm}, // Po MONGOLIAN FULL STOP + {0x1808, 0x1808, prSContinue}, // Po MONGOLIAN MANCHU COMMA + {0x1809, 0x1809, prSTerm}, // Po MONGOLIAN MANCHU FULL STOP + {0x180B, 0x180D, prExtend}, // Mn [3] MONGOLIAN FREE VARIATION SELECTOR ONE..MONGOLIAN FREE VARIATION SELECTOR THREE + {0x180E, 0x180E, prFormat}, // Cf MONGOLIAN VOWEL SEPARATOR + {0x180F, 0x180F, prExtend}, // Mn MONGOLIAN FREE VARIATION SELECTOR FOUR + {0x1810, 0x1819, prNumeric}, // Nd [10] MONGOLIAN DIGIT ZERO..MONGOLIAN DIGIT NINE + {0x1820, 0x1842, prOLetter}, // Lo [35] MONGOLIAN LETTER A..MONGOLIAN LETTER CHI + {0x1843, 0x1843, prOLetter}, // Lm MONGOLIAN LETTER TODO LONG VOWEL SIGN + {0x1844, 0x1878, prOLetter}, // Lo [53] MONGOLIAN LETTER TODO E..MONGOLIAN LETTER CHA WITH TWO DOTS + {0x1880, 0x1884, prOLetter}, // Lo [5] MONGOLIAN LETTER ALI GALI ANUSVARA ONE..MONGOLIAN LETTER ALI GALI INVERTED UBADAMA + {0x1885, 0x1886, prExtend}, // Mn [2] MONGOLIAN LETTER ALI GALI BALUDA..MONGOLIAN LETTER ALI GALI THREE BALUDA + {0x1887, 0x18A8, prOLetter}, // Lo [34] MONGOLIAN LETTER ALI GALI A..MONGOLIAN LETTER MANCHU ALI GALI BHA + {0x18A9, 0x18A9, prExtend}, // Mn MONGOLIAN LETTER ALI GALI DAGALGA + {0x18AA, 0x18AA, prOLetter}, // Lo MONGOLIAN LETTER MANCHU ALI GALI LHA + {0x18B0, 0x18F5, prOLetter}, // Lo [70] CANADIAN SYLLABICS OY..CANADIAN SYLLABICS CARRIER DENTAL S + {0x1900, 0x191E, prOLetter}, // Lo [31] LIMBU VOWEL-CARRIER LETTER..LIMBU LETTER TRA + {0x1920, 0x1922, prExtend}, // Mn [3] LIMBU VOWEL SIGN A..LIMBU VOWEL SIGN U + {0x1923, 0x1926, prExtend}, // Mc [4] LIMBU VOWEL SIGN EE..LIMBU VOWEL SIGN AU + {0x1927, 0x1928, prExtend}, // Mn [2] LIMBU VOWEL SIGN E..LIMBU VOWEL SIGN O + {0x1929, 0x192B, prExtend}, // Mc [3] LIMBU SUBJOINED LETTER YA..LIMBU SUBJOINED LETTER WA + {0x1930, 0x1931, prExtend}, // Mc [2] LIMBU SMALL LETTER KA..LIMBU SMALL LETTER NGA + {0x1932, 0x1932, prExtend}, // Mn LIMBU SMALL LETTER ANUSVARA + {0x1933, 0x1938, prExtend}, // Mc [6] LIMBU SMALL LETTER TA..LIMBU SMALL LETTER LA + {0x1939, 0x193B, prExtend}, // Mn [3] LIMBU SIGN MUKPHRENG..LIMBU SIGN SA-I + {0x1944, 0x1945, prSTerm}, // Po [2] LIMBU EXCLAMATION MARK..LIMBU QUESTION MARK + {0x1946, 0x194F, prNumeric}, // Nd [10] LIMBU DIGIT ZERO..LIMBU DIGIT NINE + {0x1950, 0x196D, prOLetter}, // Lo [30] TAI LE LETTER KA..TAI LE LETTER AI + {0x1970, 0x1974, prOLetter}, // Lo [5] TAI LE LETTER TONE-2..TAI LE LETTER TONE-6 + {0x1980, 0x19AB, prOLetter}, // Lo [44] NEW TAI LUE LETTER HIGH QA..NEW TAI LUE LETTER LOW SUA + {0x19B0, 0x19C9, prOLetter}, // Lo [26] NEW TAI LUE VOWEL SIGN VOWEL SHORTENER..NEW TAI LUE TONE MARK-2 + {0x19D0, 0x19D9, prNumeric}, // Nd [10] NEW TAI LUE DIGIT ZERO..NEW TAI LUE DIGIT NINE + {0x1A00, 0x1A16, prOLetter}, // Lo [23] BUGINESE LETTER KA..BUGINESE LETTER HA + {0x1A17, 0x1A18, prExtend}, // Mn [2] BUGINESE VOWEL SIGN I..BUGINESE VOWEL SIGN U + {0x1A19, 0x1A1A, prExtend}, // Mc [2] BUGINESE VOWEL SIGN E..BUGINESE VOWEL SIGN O + {0x1A1B, 0x1A1B, prExtend}, // Mn BUGINESE VOWEL SIGN AE + {0x1A20, 0x1A54, prOLetter}, // Lo [53] TAI THAM LETTER HIGH KA..TAI THAM LETTER GREAT SA + {0x1A55, 0x1A55, prExtend}, // Mc TAI THAM CONSONANT SIGN MEDIAL RA + {0x1A56, 0x1A56, prExtend}, // Mn TAI THAM CONSONANT SIGN MEDIAL LA + {0x1A57, 0x1A57, prExtend}, // Mc TAI THAM CONSONANT SIGN LA TANG LAI + {0x1A58, 0x1A5E, prExtend}, // Mn [7] TAI THAM SIGN MAI KANG LAI..TAI THAM CONSONANT SIGN SA + {0x1A60, 0x1A60, prExtend}, // Mn TAI THAM SIGN SAKOT + {0x1A61, 0x1A61, prExtend}, // Mc TAI THAM VOWEL SIGN A + {0x1A62, 0x1A62, prExtend}, // Mn TAI THAM VOWEL SIGN MAI SAT + {0x1A63, 0x1A64, prExtend}, // Mc [2] TAI THAM VOWEL SIGN AA..TAI THAM VOWEL SIGN TALL AA + {0x1A65, 0x1A6C, prExtend}, // Mn [8] TAI THAM VOWEL SIGN I..TAI THAM VOWEL SIGN OA BELOW + {0x1A6D, 0x1A72, prExtend}, // Mc [6] TAI THAM VOWEL SIGN OY..TAI THAM VOWEL SIGN THAM AI + {0x1A73, 0x1A7C, prExtend}, // Mn [10] TAI THAM VOWEL SIGN OA ABOVE..TAI THAM SIGN KHUEN-LUE KARAN + {0x1A7F, 0x1A7F, prExtend}, // Mn TAI THAM COMBINING CRYPTOGRAMMIC DOT + {0x1A80, 0x1A89, prNumeric}, // Nd [10] TAI THAM HORA DIGIT ZERO..TAI THAM HORA DIGIT NINE + {0x1A90, 0x1A99, prNumeric}, // Nd [10] TAI THAM THAM DIGIT ZERO..TAI THAM THAM DIGIT NINE + {0x1AA7, 0x1AA7, prOLetter}, // Lm TAI THAM SIGN MAI YAMOK + {0x1AA8, 0x1AAB, prSTerm}, // Po [4] TAI THAM SIGN KAAN..TAI THAM SIGN SATKAANKUU + {0x1AB0, 0x1ABD, prExtend}, // Mn [14] COMBINING DOUBLED CIRCUMFLEX ACCENT..COMBINING PARENTHESES BELOW + {0x1ABE, 0x1ABE, prExtend}, // Me COMBINING PARENTHESES OVERLAY + {0x1ABF, 0x1ACE, prExtend}, // Mn [16] COMBINING LATIN SMALL LETTER W BELOW..COMBINING LATIN SMALL LETTER INSULAR T + {0x1B00, 0x1B03, prExtend}, // Mn [4] BALINESE SIGN ULU RICEM..BALINESE SIGN SURANG + {0x1B04, 0x1B04, prExtend}, // Mc BALINESE SIGN BISAH + {0x1B05, 0x1B33, prOLetter}, // Lo [47] BALINESE LETTER AKARA..BALINESE LETTER HA + {0x1B34, 0x1B34, prExtend}, // Mn BALINESE SIGN REREKAN + {0x1B35, 0x1B35, prExtend}, // Mc BALINESE VOWEL SIGN TEDUNG + {0x1B36, 0x1B3A, prExtend}, // Mn [5] BALINESE VOWEL SIGN ULU..BALINESE VOWEL SIGN RA REPA + {0x1B3B, 0x1B3B, prExtend}, // Mc BALINESE VOWEL SIGN RA REPA TEDUNG + {0x1B3C, 0x1B3C, prExtend}, // Mn BALINESE VOWEL SIGN LA LENGA + {0x1B3D, 0x1B41, prExtend}, // Mc [5] BALINESE VOWEL SIGN LA LENGA TEDUNG..BALINESE VOWEL SIGN TALING REPA TEDUNG + {0x1B42, 0x1B42, prExtend}, // Mn BALINESE VOWEL SIGN PEPET + {0x1B43, 0x1B44, prExtend}, // Mc [2] BALINESE VOWEL SIGN PEPET TEDUNG..BALINESE ADEG ADEG + {0x1B45, 0x1B4C, prOLetter}, // Lo [8] BALINESE LETTER KAF SASAK..BALINESE LETTER ARCHAIC JNYA + {0x1B50, 0x1B59, prNumeric}, // Nd [10] BALINESE DIGIT ZERO..BALINESE DIGIT NINE + {0x1B5A, 0x1B5B, prSTerm}, // Po [2] BALINESE PANTI..BALINESE PAMADA + {0x1B5E, 0x1B5F, prSTerm}, // Po [2] BALINESE CARIK SIKI..BALINESE CARIK PAREREN + {0x1B6B, 0x1B73, prExtend}, // Mn [9] BALINESE MUSICAL SYMBOL COMBINING TEGEH..BALINESE MUSICAL SYMBOL COMBINING GONG + {0x1B7D, 0x1B7E, prSTerm}, // Po [2] BALINESE PANTI LANTANG..BALINESE PAMADA LANTANG + {0x1B80, 0x1B81, prExtend}, // Mn [2] SUNDANESE SIGN PANYECEK..SUNDANESE SIGN PANGLAYAR + {0x1B82, 0x1B82, prExtend}, // Mc SUNDANESE SIGN PANGWISAD + {0x1B83, 0x1BA0, prOLetter}, // Lo [30] SUNDANESE LETTER A..SUNDANESE LETTER HA + {0x1BA1, 0x1BA1, prExtend}, // Mc SUNDANESE CONSONANT SIGN PAMINGKAL + {0x1BA2, 0x1BA5, prExtend}, // Mn [4] SUNDANESE CONSONANT SIGN PANYAKRA..SUNDANESE VOWEL SIGN PANYUKU + {0x1BA6, 0x1BA7, prExtend}, // Mc [2] SUNDANESE VOWEL SIGN PANAELAENG..SUNDANESE VOWEL SIGN PANOLONG + {0x1BA8, 0x1BA9, prExtend}, // Mn [2] SUNDANESE VOWEL SIGN PAMEPET..SUNDANESE VOWEL SIGN PANEULEUNG + {0x1BAA, 0x1BAA, prExtend}, // Mc SUNDANESE SIGN PAMAAEH + {0x1BAB, 0x1BAD, prExtend}, // Mn [3] SUNDANESE SIGN VIRAMA..SUNDANESE CONSONANT SIGN PASANGAN WA + {0x1BAE, 0x1BAF, prOLetter}, // Lo [2] SUNDANESE LETTER KHA..SUNDANESE LETTER SYA + {0x1BB0, 0x1BB9, prNumeric}, // Nd [10] SUNDANESE DIGIT ZERO..SUNDANESE DIGIT NINE + {0x1BBA, 0x1BE5, prOLetter}, // Lo [44] SUNDANESE AVAGRAHA..BATAK LETTER U + {0x1BE6, 0x1BE6, prExtend}, // Mn BATAK SIGN TOMPI + {0x1BE7, 0x1BE7, prExtend}, // Mc BATAK VOWEL SIGN E + {0x1BE8, 0x1BE9, prExtend}, // Mn [2] BATAK VOWEL SIGN PAKPAK E..BATAK VOWEL SIGN EE + {0x1BEA, 0x1BEC, prExtend}, // Mc [3] BATAK VOWEL SIGN I..BATAK VOWEL SIGN O + {0x1BED, 0x1BED, prExtend}, // Mn BATAK VOWEL SIGN KARO O + {0x1BEE, 0x1BEE, prExtend}, // Mc BATAK VOWEL SIGN U + {0x1BEF, 0x1BF1, prExtend}, // Mn [3] BATAK VOWEL SIGN U FOR SIMALUNGUN SA..BATAK CONSONANT SIGN H + {0x1BF2, 0x1BF3, prExtend}, // Mc [2] BATAK PANGOLAT..BATAK PANONGONAN + {0x1C00, 0x1C23, prOLetter}, // Lo [36] LEPCHA LETTER KA..LEPCHA LETTER A + {0x1C24, 0x1C2B, prExtend}, // Mc [8] LEPCHA SUBJOINED LETTER YA..LEPCHA VOWEL SIGN UU + {0x1C2C, 0x1C33, prExtend}, // Mn [8] LEPCHA VOWEL SIGN E..LEPCHA CONSONANT SIGN T + {0x1C34, 0x1C35, prExtend}, // Mc [2] LEPCHA CONSONANT SIGN NYIN-DO..LEPCHA CONSONANT SIGN KANG + {0x1C36, 0x1C37, prExtend}, // Mn [2] LEPCHA SIGN RAN..LEPCHA SIGN NUKTA + {0x1C3B, 0x1C3C, prSTerm}, // Po [2] LEPCHA PUNCTUATION TA-ROL..LEPCHA PUNCTUATION NYET THYOOM TA-ROL + {0x1C40, 0x1C49, prNumeric}, // Nd [10] LEPCHA DIGIT ZERO..LEPCHA DIGIT NINE + {0x1C4D, 0x1C4F, prOLetter}, // Lo [3] LEPCHA LETTER TTA..LEPCHA LETTER DDA + {0x1C50, 0x1C59, prNumeric}, // Nd [10] OL CHIKI DIGIT ZERO..OL CHIKI DIGIT NINE + {0x1C5A, 0x1C77, prOLetter}, // Lo [30] OL CHIKI LETTER LA..OL CHIKI LETTER OH + {0x1C78, 0x1C7D, prOLetter}, // Lm [6] OL CHIKI MU TTUDDAG..OL CHIKI AHAD + {0x1C7E, 0x1C7F, prSTerm}, // Po [2] OL CHIKI PUNCTUATION MUCAAD..OL CHIKI PUNCTUATION DOUBLE MUCAAD + {0x1C80, 0x1C88, prLower}, // L& [9] CYRILLIC SMALL LETTER ROUNDED VE..CYRILLIC SMALL LETTER UNBLENDED UK + {0x1C90, 0x1CBA, prOLetter}, // L& [43] GEORGIAN MTAVRULI CAPITAL LETTER AN..GEORGIAN MTAVRULI CAPITAL LETTER AIN + {0x1CBD, 0x1CBF, prOLetter}, // L& [3] GEORGIAN MTAVRULI CAPITAL LETTER AEN..GEORGIAN MTAVRULI CAPITAL LETTER LABIAL SIGN + {0x1CD0, 0x1CD2, prExtend}, // Mn [3] VEDIC TONE KARSHANA..VEDIC TONE PRENKHA + {0x1CD4, 0x1CE0, prExtend}, // Mn [13] VEDIC SIGN YAJURVEDIC MIDLINE SVARITA..VEDIC TONE RIGVEDIC KASHMIRI INDEPENDENT SVARITA + {0x1CE1, 0x1CE1, prExtend}, // Mc VEDIC TONE ATHARVAVEDIC INDEPENDENT SVARITA + {0x1CE2, 0x1CE8, prExtend}, // Mn [7] VEDIC SIGN VISARGA SVARITA..VEDIC SIGN VISARGA ANUDATTA WITH TAIL + {0x1CE9, 0x1CEC, prOLetter}, // Lo [4] VEDIC SIGN ANUSVARA ANTARGOMUKHA..VEDIC SIGN ANUSVARA VAMAGOMUKHA WITH TAIL + {0x1CED, 0x1CED, prExtend}, // Mn VEDIC SIGN TIRYAK + {0x1CEE, 0x1CF3, prOLetter}, // Lo [6] VEDIC SIGN HEXIFORM LONG ANUSVARA..VEDIC SIGN ROTATED ARDHAVISARGA + {0x1CF4, 0x1CF4, prExtend}, // Mn VEDIC TONE CANDRA ABOVE + {0x1CF5, 0x1CF6, prOLetter}, // Lo [2] VEDIC SIGN JIHVAMULIYA..VEDIC SIGN UPADHMANIYA + {0x1CF7, 0x1CF7, prExtend}, // Mc VEDIC SIGN ATIKRAMA + {0x1CF8, 0x1CF9, prExtend}, // Mn [2] VEDIC TONE RING ABOVE..VEDIC TONE DOUBLE RING ABOVE + {0x1CFA, 0x1CFA, prOLetter}, // Lo VEDIC SIGN DOUBLE ANUSVARA ANTARGOMUKHA + {0x1D00, 0x1D2B, prLower}, // L& [44] LATIN LETTER SMALL CAPITAL A..CYRILLIC LETTER SMALL CAPITAL EL + {0x1D2C, 0x1D6A, prLower}, // Lm [63] MODIFIER LETTER CAPITAL A..GREEK SUBSCRIPT SMALL LETTER CHI + {0x1D6B, 0x1D77, prLower}, // L& [13] LATIN SMALL LETTER UE..LATIN SMALL LETTER TURNED G + {0x1D78, 0x1D78, prLower}, // Lm MODIFIER LETTER CYRILLIC EN + {0x1D79, 0x1D9A, prLower}, // L& [34] LATIN SMALL LETTER INSULAR G..LATIN SMALL LETTER EZH WITH RETROFLEX HOOK + {0x1D9B, 0x1DBF, prLower}, // Lm [37] MODIFIER LETTER SMALL TURNED ALPHA..MODIFIER LETTER SMALL THETA + {0x1DC0, 0x1DFF, prExtend}, // Mn [64] COMBINING DOTTED GRAVE ACCENT..COMBINING RIGHT ARROWHEAD AND DOWN ARROWHEAD BELOW + {0x1E00, 0x1E00, prUpper}, // L& LATIN CAPITAL LETTER A WITH RING BELOW + {0x1E01, 0x1E01, prLower}, // L& LATIN SMALL LETTER A WITH RING BELOW + {0x1E02, 0x1E02, prUpper}, // L& LATIN CAPITAL LETTER B WITH DOT ABOVE + {0x1E03, 0x1E03, prLower}, // L& LATIN SMALL LETTER B WITH DOT ABOVE + {0x1E04, 0x1E04, prUpper}, // L& LATIN CAPITAL LETTER B WITH DOT BELOW + {0x1E05, 0x1E05, prLower}, // L& LATIN SMALL LETTER B WITH DOT BELOW + {0x1E06, 0x1E06, prUpper}, // L& LATIN CAPITAL LETTER B WITH LINE BELOW + {0x1E07, 0x1E07, prLower}, // L& LATIN SMALL LETTER B WITH LINE BELOW + {0x1E08, 0x1E08, prUpper}, // L& LATIN CAPITAL LETTER C WITH CEDILLA AND ACUTE + {0x1E09, 0x1E09, prLower}, // L& LATIN SMALL LETTER C WITH CEDILLA AND ACUTE + {0x1E0A, 0x1E0A, prUpper}, // L& LATIN CAPITAL LETTER D WITH DOT ABOVE + {0x1E0B, 0x1E0B, prLower}, // L& LATIN SMALL LETTER D WITH DOT ABOVE + {0x1E0C, 0x1E0C, prUpper}, // L& LATIN CAPITAL LETTER D WITH DOT BELOW + {0x1E0D, 0x1E0D, prLower}, // L& LATIN SMALL LETTER D WITH DOT BELOW + {0x1E0E, 0x1E0E, prUpper}, // L& LATIN CAPITAL LETTER D WITH LINE BELOW + {0x1E0F, 0x1E0F, prLower}, // L& LATIN SMALL LETTER D WITH LINE BELOW + {0x1E10, 0x1E10, prUpper}, // L& LATIN CAPITAL LETTER D WITH CEDILLA + {0x1E11, 0x1E11, prLower}, // L& LATIN SMALL LETTER D WITH CEDILLA + {0x1E12, 0x1E12, prUpper}, // L& LATIN CAPITAL LETTER D WITH CIRCUMFLEX BELOW + {0x1E13, 0x1E13, prLower}, // L& LATIN SMALL LETTER D WITH CIRCUMFLEX BELOW + {0x1E14, 0x1E14, prUpper}, // L& LATIN CAPITAL LETTER E WITH MACRON AND GRAVE + {0x1E15, 0x1E15, prLower}, // L& LATIN SMALL LETTER E WITH MACRON AND GRAVE + {0x1E16, 0x1E16, prUpper}, // L& LATIN CAPITAL LETTER E WITH MACRON AND ACUTE + {0x1E17, 0x1E17, prLower}, // L& LATIN SMALL LETTER E WITH MACRON AND ACUTE + {0x1E18, 0x1E18, prUpper}, // L& LATIN CAPITAL LETTER E WITH CIRCUMFLEX BELOW + {0x1E19, 0x1E19, prLower}, // L& LATIN SMALL LETTER E WITH CIRCUMFLEX BELOW + {0x1E1A, 0x1E1A, prUpper}, // L& LATIN CAPITAL LETTER E WITH TILDE BELOW + {0x1E1B, 0x1E1B, prLower}, // L& LATIN SMALL LETTER E WITH TILDE BELOW + {0x1E1C, 0x1E1C, prUpper}, // L& LATIN CAPITAL LETTER E WITH CEDILLA AND BREVE + {0x1E1D, 0x1E1D, prLower}, // L& LATIN SMALL LETTER E WITH CEDILLA AND BREVE + {0x1E1E, 0x1E1E, prUpper}, // L& LATIN CAPITAL LETTER F WITH DOT ABOVE + {0x1E1F, 0x1E1F, prLower}, // L& LATIN SMALL LETTER F WITH DOT ABOVE + {0x1E20, 0x1E20, prUpper}, // L& LATIN CAPITAL LETTER G WITH MACRON + {0x1E21, 0x1E21, prLower}, // L& LATIN SMALL LETTER G WITH MACRON + {0x1E22, 0x1E22, prUpper}, // L& LATIN CAPITAL LETTER H WITH DOT ABOVE + {0x1E23, 0x1E23, prLower}, // L& LATIN SMALL LETTER H WITH DOT ABOVE + {0x1E24, 0x1E24, prUpper}, // L& LATIN CAPITAL LETTER H WITH DOT BELOW + {0x1E25, 0x1E25, prLower}, // L& LATIN SMALL LETTER H WITH DOT BELOW + {0x1E26, 0x1E26, prUpper}, // L& LATIN CAPITAL LETTER H WITH DIAERESIS + {0x1E27, 0x1E27, prLower}, // L& LATIN SMALL LETTER H WITH DIAERESIS + {0x1E28, 0x1E28, prUpper}, // L& LATIN CAPITAL LETTER H WITH CEDILLA + {0x1E29, 0x1E29, prLower}, // L& LATIN SMALL LETTER H WITH CEDILLA + {0x1E2A, 0x1E2A, prUpper}, // L& LATIN CAPITAL LETTER H WITH BREVE BELOW + {0x1E2B, 0x1E2B, prLower}, // L& LATIN SMALL LETTER H WITH BREVE BELOW + {0x1E2C, 0x1E2C, prUpper}, // L& LATIN CAPITAL LETTER I WITH TILDE BELOW + {0x1E2D, 0x1E2D, prLower}, // L& LATIN SMALL LETTER I WITH TILDE BELOW + {0x1E2E, 0x1E2E, prUpper}, // L& LATIN CAPITAL LETTER I WITH DIAERESIS AND ACUTE + {0x1E2F, 0x1E2F, prLower}, // L& LATIN SMALL LETTER I WITH DIAERESIS AND ACUTE + {0x1E30, 0x1E30, prUpper}, // L& LATIN CAPITAL LETTER K WITH ACUTE + {0x1E31, 0x1E31, prLower}, // L& LATIN SMALL LETTER K WITH ACUTE + {0x1E32, 0x1E32, prUpper}, // L& LATIN CAPITAL LETTER K WITH DOT BELOW + {0x1E33, 0x1E33, prLower}, // L& LATIN SMALL LETTER K WITH DOT BELOW + {0x1E34, 0x1E34, prUpper}, // L& LATIN CAPITAL LETTER K WITH LINE BELOW + {0x1E35, 0x1E35, prLower}, // L& LATIN SMALL LETTER K WITH LINE BELOW + {0x1E36, 0x1E36, prUpper}, // L& LATIN CAPITAL LETTER L WITH DOT BELOW + {0x1E37, 0x1E37, prLower}, // L& LATIN SMALL LETTER L WITH DOT BELOW + {0x1E38, 0x1E38, prUpper}, // L& LATIN CAPITAL LETTER L WITH DOT BELOW AND MACRON + {0x1E39, 0x1E39, prLower}, // L& LATIN SMALL LETTER L WITH DOT BELOW AND MACRON + {0x1E3A, 0x1E3A, prUpper}, // L& LATIN CAPITAL LETTER L WITH LINE BELOW + {0x1E3B, 0x1E3B, prLower}, // L& LATIN SMALL LETTER L WITH LINE BELOW + {0x1E3C, 0x1E3C, prUpper}, // L& LATIN CAPITAL LETTER L WITH CIRCUMFLEX BELOW + {0x1E3D, 0x1E3D, prLower}, // L& LATIN SMALL LETTER L WITH CIRCUMFLEX BELOW + {0x1E3E, 0x1E3E, prUpper}, // L& LATIN CAPITAL LETTER M WITH ACUTE + {0x1E3F, 0x1E3F, prLower}, // L& LATIN SMALL LETTER M WITH ACUTE + {0x1E40, 0x1E40, prUpper}, // L& LATIN CAPITAL LETTER M WITH DOT ABOVE + {0x1E41, 0x1E41, prLower}, // L& LATIN SMALL LETTER M WITH DOT ABOVE + {0x1E42, 0x1E42, prUpper}, // L& LATIN CAPITAL LETTER M WITH DOT BELOW + {0x1E43, 0x1E43, prLower}, // L& LATIN SMALL LETTER M WITH DOT BELOW + {0x1E44, 0x1E44, prUpper}, // L& LATIN CAPITAL LETTER N WITH DOT ABOVE + {0x1E45, 0x1E45, prLower}, // L& LATIN SMALL LETTER N WITH DOT ABOVE + {0x1E46, 0x1E46, prUpper}, // L& LATIN CAPITAL LETTER N WITH DOT BELOW + {0x1E47, 0x1E47, prLower}, // L& LATIN SMALL LETTER N WITH DOT BELOW + {0x1E48, 0x1E48, prUpper}, // L& LATIN CAPITAL LETTER N WITH LINE BELOW + {0x1E49, 0x1E49, prLower}, // L& LATIN SMALL LETTER N WITH LINE BELOW + {0x1E4A, 0x1E4A, prUpper}, // L& LATIN CAPITAL LETTER N WITH CIRCUMFLEX BELOW + {0x1E4B, 0x1E4B, prLower}, // L& LATIN SMALL LETTER N WITH CIRCUMFLEX BELOW + {0x1E4C, 0x1E4C, prUpper}, // L& LATIN CAPITAL LETTER O WITH TILDE AND ACUTE + {0x1E4D, 0x1E4D, prLower}, // L& LATIN SMALL LETTER O WITH TILDE AND ACUTE + {0x1E4E, 0x1E4E, prUpper}, // L& LATIN CAPITAL LETTER O WITH TILDE AND DIAERESIS + {0x1E4F, 0x1E4F, prLower}, // L& LATIN SMALL LETTER O WITH TILDE AND DIAERESIS + {0x1E50, 0x1E50, prUpper}, // L& LATIN CAPITAL LETTER O WITH MACRON AND GRAVE + {0x1E51, 0x1E51, prLower}, // L& LATIN SMALL LETTER O WITH MACRON AND GRAVE + {0x1E52, 0x1E52, prUpper}, // L& LATIN CAPITAL LETTER O WITH MACRON AND ACUTE + {0x1E53, 0x1E53, prLower}, // L& LATIN SMALL LETTER O WITH MACRON AND ACUTE + {0x1E54, 0x1E54, prUpper}, // L& LATIN CAPITAL LETTER P WITH ACUTE + {0x1E55, 0x1E55, prLower}, // L& LATIN SMALL LETTER P WITH ACUTE + {0x1E56, 0x1E56, prUpper}, // L& LATIN CAPITAL LETTER P WITH DOT ABOVE + {0x1E57, 0x1E57, prLower}, // L& LATIN SMALL LETTER P WITH DOT ABOVE + {0x1E58, 0x1E58, prUpper}, // L& LATIN CAPITAL LETTER R WITH DOT ABOVE + {0x1E59, 0x1E59, prLower}, // L& LATIN SMALL LETTER R WITH DOT ABOVE + {0x1E5A, 0x1E5A, prUpper}, // L& LATIN CAPITAL LETTER R WITH DOT BELOW + {0x1E5B, 0x1E5B, prLower}, // L& LATIN SMALL LETTER R WITH DOT BELOW + {0x1E5C, 0x1E5C, prUpper}, // L& LATIN CAPITAL LETTER R WITH DOT BELOW AND MACRON + {0x1E5D, 0x1E5D, prLower}, // L& LATIN SMALL LETTER R WITH DOT BELOW AND MACRON + {0x1E5E, 0x1E5E, prUpper}, // L& LATIN CAPITAL LETTER R WITH LINE BELOW + {0x1E5F, 0x1E5F, prLower}, // L& LATIN SMALL LETTER R WITH LINE BELOW + {0x1E60, 0x1E60, prUpper}, // L& LATIN CAPITAL LETTER S WITH DOT ABOVE + {0x1E61, 0x1E61, prLower}, // L& LATIN SMALL LETTER S WITH DOT ABOVE + {0x1E62, 0x1E62, prUpper}, // L& LATIN CAPITAL LETTER S WITH DOT BELOW + {0x1E63, 0x1E63, prLower}, // L& LATIN SMALL LETTER S WITH DOT BELOW + {0x1E64, 0x1E64, prUpper}, // L& LATIN CAPITAL LETTER S WITH ACUTE AND DOT ABOVE + {0x1E65, 0x1E65, prLower}, // L& LATIN SMALL LETTER S WITH ACUTE AND DOT ABOVE + {0x1E66, 0x1E66, prUpper}, // L& LATIN CAPITAL LETTER S WITH CARON AND DOT ABOVE + {0x1E67, 0x1E67, prLower}, // L& LATIN SMALL LETTER S WITH CARON AND DOT ABOVE + {0x1E68, 0x1E68, prUpper}, // L& LATIN CAPITAL LETTER S WITH DOT BELOW AND DOT ABOVE + {0x1E69, 0x1E69, prLower}, // L& LATIN SMALL LETTER S WITH DOT BELOW AND DOT ABOVE + {0x1E6A, 0x1E6A, prUpper}, // L& LATIN CAPITAL LETTER T WITH DOT ABOVE + {0x1E6B, 0x1E6B, prLower}, // L& LATIN SMALL LETTER T WITH DOT ABOVE + {0x1E6C, 0x1E6C, prUpper}, // L& LATIN CAPITAL LETTER T WITH DOT BELOW + {0x1E6D, 0x1E6D, prLower}, // L& LATIN SMALL LETTER T WITH DOT BELOW + {0x1E6E, 0x1E6E, prUpper}, // L& LATIN CAPITAL LETTER T WITH LINE BELOW + {0x1E6F, 0x1E6F, prLower}, // L& LATIN SMALL LETTER T WITH LINE BELOW + {0x1E70, 0x1E70, prUpper}, // L& LATIN CAPITAL LETTER T WITH CIRCUMFLEX BELOW + {0x1E71, 0x1E71, prLower}, // L& LATIN SMALL LETTER T WITH CIRCUMFLEX BELOW + {0x1E72, 0x1E72, prUpper}, // L& LATIN CAPITAL LETTER U WITH DIAERESIS BELOW + {0x1E73, 0x1E73, prLower}, // L& LATIN SMALL LETTER U WITH DIAERESIS BELOW + {0x1E74, 0x1E74, prUpper}, // L& LATIN CAPITAL LETTER U WITH TILDE BELOW + {0x1E75, 0x1E75, prLower}, // L& LATIN SMALL LETTER U WITH TILDE BELOW + {0x1E76, 0x1E76, prUpper}, // L& LATIN CAPITAL LETTER U WITH CIRCUMFLEX BELOW + {0x1E77, 0x1E77, prLower}, // L& LATIN SMALL LETTER U WITH CIRCUMFLEX BELOW + {0x1E78, 0x1E78, prUpper}, // L& LATIN CAPITAL LETTER U WITH TILDE AND ACUTE + {0x1E79, 0x1E79, prLower}, // L& LATIN SMALL LETTER U WITH TILDE AND ACUTE + {0x1E7A, 0x1E7A, prUpper}, // L& LATIN CAPITAL LETTER U WITH MACRON AND DIAERESIS + {0x1E7B, 0x1E7B, prLower}, // L& LATIN SMALL LETTER U WITH MACRON AND DIAERESIS + {0x1E7C, 0x1E7C, prUpper}, // L& LATIN CAPITAL LETTER V WITH TILDE + {0x1E7D, 0x1E7D, prLower}, // L& LATIN SMALL LETTER V WITH TILDE + {0x1E7E, 0x1E7E, prUpper}, // L& LATIN CAPITAL LETTER V WITH DOT BELOW + {0x1E7F, 0x1E7F, prLower}, // L& LATIN SMALL LETTER V WITH DOT BELOW + {0x1E80, 0x1E80, prUpper}, // L& LATIN CAPITAL LETTER W WITH GRAVE + {0x1E81, 0x1E81, prLower}, // L& LATIN SMALL LETTER W WITH GRAVE + {0x1E82, 0x1E82, prUpper}, // L& LATIN CAPITAL LETTER W WITH ACUTE + {0x1E83, 0x1E83, prLower}, // L& LATIN SMALL LETTER W WITH ACUTE + {0x1E84, 0x1E84, prUpper}, // L& LATIN CAPITAL LETTER W WITH DIAERESIS + {0x1E85, 0x1E85, prLower}, // L& LATIN SMALL LETTER W WITH DIAERESIS + {0x1E86, 0x1E86, prUpper}, // L& LATIN CAPITAL LETTER W WITH DOT ABOVE + {0x1E87, 0x1E87, prLower}, // L& LATIN SMALL LETTER W WITH DOT ABOVE + {0x1E88, 0x1E88, prUpper}, // L& LATIN CAPITAL LETTER W WITH DOT BELOW + {0x1E89, 0x1E89, prLower}, // L& LATIN SMALL LETTER W WITH DOT BELOW + {0x1E8A, 0x1E8A, prUpper}, // L& LATIN CAPITAL LETTER X WITH DOT ABOVE + {0x1E8B, 0x1E8B, prLower}, // L& LATIN SMALL LETTER X WITH DOT ABOVE + {0x1E8C, 0x1E8C, prUpper}, // L& LATIN CAPITAL LETTER X WITH DIAERESIS + {0x1E8D, 0x1E8D, prLower}, // L& LATIN SMALL LETTER X WITH DIAERESIS + {0x1E8E, 0x1E8E, prUpper}, // L& LATIN CAPITAL LETTER Y WITH DOT ABOVE + {0x1E8F, 0x1E8F, prLower}, // L& LATIN SMALL LETTER Y WITH DOT ABOVE + {0x1E90, 0x1E90, prUpper}, // L& LATIN CAPITAL LETTER Z WITH CIRCUMFLEX + {0x1E91, 0x1E91, prLower}, // L& LATIN SMALL LETTER Z WITH CIRCUMFLEX + {0x1E92, 0x1E92, prUpper}, // L& LATIN CAPITAL LETTER Z WITH DOT BELOW + {0x1E93, 0x1E93, prLower}, // L& LATIN SMALL LETTER Z WITH DOT BELOW + {0x1E94, 0x1E94, prUpper}, // L& LATIN CAPITAL LETTER Z WITH LINE BELOW + {0x1E95, 0x1E9D, prLower}, // L& [9] LATIN SMALL LETTER Z WITH LINE BELOW..LATIN SMALL LETTER LONG S WITH HIGH STROKE + {0x1E9E, 0x1E9E, prUpper}, // L& LATIN CAPITAL LETTER SHARP S + {0x1E9F, 0x1E9F, prLower}, // L& LATIN SMALL LETTER DELTA + {0x1EA0, 0x1EA0, prUpper}, // L& LATIN CAPITAL LETTER A WITH DOT BELOW + {0x1EA1, 0x1EA1, prLower}, // L& LATIN SMALL LETTER A WITH DOT BELOW + {0x1EA2, 0x1EA2, prUpper}, // L& LATIN CAPITAL LETTER A WITH HOOK ABOVE + {0x1EA3, 0x1EA3, prLower}, // L& LATIN SMALL LETTER A WITH HOOK ABOVE + {0x1EA4, 0x1EA4, prUpper}, // L& LATIN CAPITAL LETTER A WITH CIRCUMFLEX AND ACUTE + {0x1EA5, 0x1EA5, prLower}, // L& LATIN SMALL LETTER A WITH CIRCUMFLEX AND ACUTE + {0x1EA6, 0x1EA6, prUpper}, // L& LATIN CAPITAL LETTER A WITH CIRCUMFLEX AND GRAVE + {0x1EA7, 0x1EA7, prLower}, // L& LATIN SMALL LETTER A WITH CIRCUMFLEX AND GRAVE + {0x1EA8, 0x1EA8, prUpper}, // L& LATIN CAPITAL LETTER A WITH CIRCUMFLEX AND HOOK ABOVE + {0x1EA9, 0x1EA9, prLower}, // L& LATIN SMALL LETTER A WITH CIRCUMFLEX AND HOOK ABOVE + {0x1EAA, 0x1EAA, prUpper}, // L& LATIN CAPITAL LETTER A WITH CIRCUMFLEX AND TILDE + {0x1EAB, 0x1EAB, prLower}, // L& LATIN SMALL LETTER A WITH CIRCUMFLEX AND TILDE + {0x1EAC, 0x1EAC, prUpper}, // L& LATIN CAPITAL LETTER A WITH CIRCUMFLEX AND DOT BELOW + {0x1EAD, 0x1EAD, prLower}, // L& LATIN SMALL LETTER A WITH CIRCUMFLEX AND DOT BELOW + {0x1EAE, 0x1EAE, prUpper}, // L& LATIN CAPITAL LETTER A WITH BREVE AND ACUTE + {0x1EAF, 0x1EAF, prLower}, // L& LATIN SMALL LETTER A WITH BREVE AND ACUTE + {0x1EB0, 0x1EB0, prUpper}, // L& LATIN CAPITAL LETTER A WITH BREVE AND GRAVE + {0x1EB1, 0x1EB1, prLower}, // L& LATIN SMALL LETTER A WITH BREVE AND GRAVE + {0x1EB2, 0x1EB2, prUpper}, // L& LATIN CAPITAL LETTER A WITH BREVE AND HOOK ABOVE + {0x1EB3, 0x1EB3, prLower}, // L& LATIN SMALL LETTER A WITH BREVE AND HOOK ABOVE + {0x1EB4, 0x1EB4, prUpper}, // L& LATIN CAPITAL LETTER A WITH BREVE AND TILDE + {0x1EB5, 0x1EB5, prLower}, // L& LATIN SMALL LETTER A WITH BREVE AND TILDE + {0x1EB6, 0x1EB6, prUpper}, // L& LATIN CAPITAL LETTER A WITH BREVE AND DOT BELOW + {0x1EB7, 0x1EB7, prLower}, // L& LATIN SMALL LETTER A WITH BREVE AND DOT BELOW + {0x1EB8, 0x1EB8, prUpper}, // L& LATIN CAPITAL LETTER E WITH DOT BELOW + {0x1EB9, 0x1EB9, prLower}, // L& LATIN SMALL LETTER E WITH DOT BELOW + {0x1EBA, 0x1EBA, prUpper}, // L& LATIN CAPITAL LETTER E WITH HOOK ABOVE + {0x1EBB, 0x1EBB, prLower}, // L& LATIN SMALL LETTER E WITH HOOK ABOVE + {0x1EBC, 0x1EBC, prUpper}, // L& LATIN CAPITAL LETTER E WITH TILDE + {0x1EBD, 0x1EBD, prLower}, // L& LATIN SMALL LETTER E WITH TILDE + {0x1EBE, 0x1EBE, prUpper}, // L& LATIN CAPITAL LETTER E WITH CIRCUMFLEX AND ACUTE + {0x1EBF, 0x1EBF, prLower}, // L& LATIN SMALL LETTER E WITH CIRCUMFLEX AND ACUTE + {0x1EC0, 0x1EC0, prUpper}, // L& LATIN CAPITAL LETTER E WITH CIRCUMFLEX AND GRAVE + {0x1EC1, 0x1EC1, prLower}, // L& LATIN SMALL LETTER E WITH CIRCUMFLEX AND GRAVE + {0x1EC2, 0x1EC2, prUpper}, // L& LATIN CAPITAL LETTER E WITH CIRCUMFLEX AND HOOK ABOVE + {0x1EC3, 0x1EC3, prLower}, // L& LATIN SMALL LETTER E WITH CIRCUMFLEX AND HOOK ABOVE + {0x1EC4, 0x1EC4, prUpper}, // L& LATIN CAPITAL LETTER E WITH CIRCUMFLEX AND TILDE + {0x1EC5, 0x1EC5, prLower}, // L& LATIN SMALL LETTER E WITH CIRCUMFLEX AND TILDE + {0x1EC6, 0x1EC6, prUpper}, // L& LATIN CAPITAL LETTER E WITH CIRCUMFLEX AND DOT BELOW + {0x1EC7, 0x1EC7, prLower}, // L& LATIN SMALL LETTER E WITH CIRCUMFLEX AND DOT BELOW + {0x1EC8, 0x1EC8, prUpper}, // L& LATIN CAPITAL LETTER I WITH HOOK ABOVE + {0x1EC9, 0x1EC9, prLower}, // L& LATIN SMALL LETTER I WITH HOOK ABOVE + {0x1ECA, 0x1ECA, prUpper}, // L& LATIN CAPITAL LETTER I WITH DOT BELOW + {0x1ECB, 0x1ECB, prLower}, // L& LATIN SMALL LETTER I WITH DOT BELOW + {0x1ECC, 0x1ECC, prUpper}, // L& LATIN CAPITAL LETTER O WITH DOT BELOW + {0x1ECD, 0x1ECD, prLower}, // L& LATIN SMALL LETTER O WITH DOT BELOW + {0x1ECE, 0x1ECE, prUpper}, // L& LATIN CAPITAL LETTER O WITH HOOK ABOVE + {0x1ECF, 0x1ECF, prLower}, // L& LATIN SMALL LETTER O WITH HOOK ABOVE + {0x1ED0, 0x1ED0, prUpper}, // L& LATIN CAPITAL LETTER O WITH CIRCUMFLEX AND ACUTE + {0x1ED1, 0x1ED1, prLower}, // L& LATIN SMALL LETTER O WITH CIRCUMFLEX AND ACUTE + {0x1ED2, 0x1ED2, prUpper}, // L& LATIN CAPITAL LETTER O WITH CIRCUMFLEX AND GRAVE + {0x1ED3, 0x1ED3, prLower}, // L& LATIN SMALL LETTER O WITH CIRCUMFLEX AND GRAVE + {0x1ED4, 0x1ED4, prUpper}, // L& LATIN CAPITAL LETTER O WITH CIRCUMFLEX AND HOOK ABOVE + {0x1ED5, 0x1ED5, prLower}, // L& LATIN SMALL LETTER O WITH CIRCUMFLEX AND HOOK ABOVE + {0x1ED6, 0x1ED6, prUpper}, // L& LATIN CAPITAL LETTER O WITH CIRCUMFLEX AND TILDE + {0x1ED7, 0x1ED7, prLower}, // L& LATIN SMALL LETTER O WITH CIRCUMFLEX AND TILDE + {0x1ED8, 0x1ED8, prUpper}, // L& LATIN CAPITAL LETTER O WITH CIRCUMFLEX AND DOT BELOW + {0x1ED9, 0x1ED9, prLower}, // L& LATIN SMALL LETTER O WITH CIRCUMFLEX AND DOT BELOW + {0x1EDA, 0x1EDA, prUpper}, // L& LATIN CAPITAL LETTER O WITH HORN AND ACUTE + {0x1EDB, 0x1EDB, prLower}, // L& LATIN SMALL LETTER O WITH HORN AND ACUTE + {0x1EDC, 0x1EDC, prUpper}, // L& LATIN CAPITAL LETTER O WITH HORN AND GRAVE + {0x1EDD, 0x1EDD, prLower}, // L& LATIN SMALL LETTER O WITH HORN AND GRAVE + {0x1EDE, 0x1EDE, prUpper}, // L& LATIN CAPITAL LETTER O WITH HORN AND HOOK ABOVE + {0x1EDF, 0x1EDF, prLower}, // L& LATIN SMALL LETTER O WITH HORN AND HOOK ABOVE + {0x1EE0, 0x1EE0, prUpper}, // L& LATIN CAPITAL LETTER O WITH HORN AND TILDE + {0x1EE1, 0x1EE1, prLower}, // L& LATIN SMALL LETTER O WITH HORN AND TILDE + {0x1EE2, 0x1EE2, prUpper}, // L& LATIN CAPITAL LETTER O WITH HORN AND DOT BELOW + {0x1EE3, 0x1EE3, prLower}, // L& LATIN SMALL LETTER O WITH HORN AND DOT BELOW + {0x1EE4, 0x1EE4, prUpper}, // L& LATIN CAPITAL LETTER U WITH DOT BELOW + {0x1EE5, 0x1EE5, prLower}, // L& LATIN SMALL LETTER U WITH DOT BELOW + {0x1EE6, 0x1EE6, prUpper}, // L& LATIN CAPITAL LETTER U WITH HOOK ABOVE + {0x1EE7, 0x1EE7, prLower}, // L& LATIN SMALL LETTER U WITH HOOK ABOVE + {0x1EE8, 0x1EE8, prUpper}, // L& LATIN CAPITAL LETTER U WITH HORN AND ACUTE + {0x1EE9, 0x1EE9, prLower}, // L& LATIN SMALL LETTER U WITH HORN AND ACUTE + {0x1EEA, 0x1EEA, prUpper}, // L& LATIN CAPITAL LETTER U WITH HORN AND GRAVE + {0x1EEB, 0x1EEB, prLower}, // L& LATIN SMALL LETTER U WITH HORN AND GRAVE + {0x1EEC, 0x1EEC, prUpper}, // L& LATIN CAPITAL LETTER U WITH HORN AND HOOK ABOVE + {0x1EED, 0x1EED, prLower}, // L& LATIN SMALL LETTER U WITH HORN AND HOOK ABOVE + {0x1EEE, 0x1EEE, prUpper}, // L& LATIN CAPITAL LETTER U WITH HORN AND TILDE + {0x1EEF, 0x1EEF, prLower}, // L& LATIN SMALL LETTER U WITH HORN AND TILDE + {0x1EF0, 0x1EF0, prUpper}, // L& LATIN CAPITAL LETTER U WITH HORN AND DOT BELOW + {0x1EF1, 0x1EF1, prLower}, // L& LATIN SMALL LETTER U WITH HORN AND DOT BELOW + {0x1EF2, 0x1EF2, prUpper}, // L& LATIN CAPITAL LETTER Y WITH GRAVE + {0x1EF3, 0x1EF3, prLower}, // L& LATIN SMALL LETTER Y WITH GRAVE + {0x1EF4, 0x1EF4, prUpper}, // L& LATIN CAPITAL LETTER Y WITH DOT BELOW + {0x1EF5, 0x1EF5, prLower}, // L& LATIN SMALL LETTER Y WITH DOT BELOW + {0x1EF6, 0x1EF6, prUpper}, // L& LATIN CAPITAL LETTER Y WITH HOOK ABOVE + {0x1EF7, 0x1EF7, prLower}, // L& LATIN SMALL LETTER Y WITH HOOK ABOVE + {0x1EF8, 0x1EF8, prUpper}, // L& LATIN CAPITAL LETTER Y WITH TILDE + {0x1EF9, 0x1EF9, prLower}, // L& LATIN SMALL LETTER Y WITH TILDE + {0x1EFA, 0x1EFA, prUpper}, // L& LATIN CAPITAL LETTER MIDDLE-WELSH LL + {0x1EFB, 0x1EFB, prLower}, // L& LATIN SMALL LETTER MIDDLE-WELSH LL + {0x1EFC, 0x1EFC, prUpper}, // L& LATIN CAPITAL LETTER MIDDLE-WELSH V + {0x1EFD, 0x1EFD, prLower}, // L& LATIN SMALL LETTER MIDDLE-WELSH V + {0x1EFE, 0x1EFE, prUpper}, // L& LATIN CAPITAL LETTER Y WITH LOOP + {0x1EFF, 0x1F07, prLower}, // L& [9] LATIN SMALL LETTER Y WITH LOOP..GREEK SMALL LETTER ALPHA WITH DASIA AND PERISPOMENI + {0x1F08, 0x1F0F, prUpper}, // L& [8] GREEK CAPITAL LETTER ALPHA WITH PSILI..GREEK CAPITAL LETTER ALPHA WITH DASIA AND PERISPOMENI + {0x1F10, 0x1F15, prLower}, // L& [6] GREEK SMALL LETTER EPSILON WITH PSILI..GREEK SMALL LETTER EPSILON WITH DASIA AND OXIA + {0x1F18, 0x1F1D, prUpper}, // L& [6] GREEK CAPITAL LETTER EPSILON WITH PSILI..GREEK CAPITAL LETTER EPSILON WITH DASIA AND OXIA + {0x1F20, 0x1F27, prLower}, // L& [8] GREEK SMALL LETTER ETA WITH PSILI..GREEK SMALL LETTER ETA WITH DASIA AND PERISPOMENI + {0x1F28, 0x1F2F, prUpper}, // L& [8] GREEK CAPITAL LETTER ETA WITH PSILI..GREEK CAPITAL LETTER ETA WITH DASIA AND PERISPOMENI + {0x1F30, 0x1F37, prLower}, // L& [8] GREEK SMALL LETTER IOTA WITH PSILI..GREEK SMALL LETTER IOTA WITH DASIA AND PERISPOMENI + {0x1F38, 0x1F3F, prUpper}, // L& [8] GREEK CAPITAL LETTER IOTA WITH PSILI..GREEK CAPITAL LETTER IOTA WITH DASIA AND PERISPOMENI + {0x1F40, 0x1F45, prLower}, // L& [6] GREEK SMALL LETTER OMICRON WITH PSILI..GREEK SMALL LETTER OMICRON WITH DASIA AND OXIA + {0x1F48, 0x1F4D, prUpper}, // L& [6] GREEK CAPITAL LETTER OMICRON WITH PSILI..GREEK CAPITAL LETTER OMICRON WITH DASIA AND OXIA + {0x1F50, 0x1F57, prLower}, // L& [8] GREEK SMALL LETTER UPSILON WITH PSILI..GREEK SMALL LETTER UPSILON WITH DASIA AND PERISPOMENI + {0x1F59, 0x1F59, prUpper}, // L& GREEK CAPITAL LETTER UPSILON WITH DASIA + {0x1F5B, 0x1F5B, prUpper}, // L& GREEK CAPITAL LETTER UPSILON WITH DASIA AND VARIA + {0x1F5D, 0x1F5D, prUpper}, // L& GREEK CAPITAL LETTER UPSILON WITH DASIA AND OXIA + {0x1F5F, 0x1F5F, prUpper}, // L& GREEK CAPITAL LETTER UPSILON WITH DASIA AND PERISPOMENI + {0x1F60, 0x1F67, prLower}, // L& [8] GREEK SMALL LETTER OMEGA WITH PSILI..GREEK SMALL LETTER OMEGA WITH DASIA AND PERISPOMENI + {0x1F68, 0x1F6F, prUpper}, // L& [8] GREEK CAPITAL LETTER OMEGA WITH PSILI..GREEK CAPITAL LETTER OMEGA WITH DASIA AND PERISPOMENI + {0x1F70, 0x1F7D, prLower}, // L& [14] GREEK SMALL LETTER ALPHA WITH VARIA..GREEK SMALL LETTER OMEGA WITH OXIA + {0x1F80, 0x1F87, prLower}, // L& [8] GREEK SMALL LETTER ALPHA WITH PSILI AND YPOGEGRAMMENI..GREEK SMALL LETTER ALPHA WITH DASIA AND PERISPOMENI AND YPOGEGRAMMENI + {0x1F88, 0x1F8F, prUpper}, // L& [8] GREEK CAPITAL LETTER ALPHA WITH PSILI AND PROSGEGRAMMENI..GREEK CAPITAL LETTER ALPHA WITH DASIA AND PERISPOMENI AND PROSGEGRAMMENI + {0x1F90, 0x1F97, prLower}, // L& [8] GREEK SMALL LETTER ETA WITH PSILI AND YPOGEGRAMMENI..GREEK SMALL LETTER ETA WITH DASIA AND PERISPOMENI AND YPOGEGRAMMENI + {0x1F98, 0x1F9F, prUpper}, // L& [8] GREEK CAPITAL LETTER ETA WITH PSILI AND PROSGEGRAMMENI..GREEK CAPITAL LETTER ETA WITH DASIA AND PERISPOMENI AND PROSGEGRAMMENI + {0x1FA0, 0x1FA7, prLower}, // L& [8] GREEK SMALL LETTER OMEGA WITH PSILI AND YPOGEGRAMMENI..GREEK SMALL LETTER OMEGA WITH DASIA AND PERISPOMENI AND YPOGEGRAMMENI + {0x1FA8, 0x1FAF, prUpper}, // L& [8] GREEK CAPITAL LETTER OMEGA WITH PSILI AND PROSGEGRAMMENI..GREEK CAPITAL LETTER OMEGA WITH DASIA AND PERISPOMENI AND PROSGEGRAMMENI + {0x1FB0, 0x1FB4, prLower}, // L& [5] GREEK SMALL LETTER ALPHA WITH VRACHY..GREEK SMALL LETTER ALPHA WITH OXIA AND YPOGEGRAMMENI + {0x1FB6, 0x1FB7, prLower}, // L& [2] GREEK SMALL LETTER ALPHA WITH PERISPOMENI..GREEK SMALL LETTER ALPHA WITH PERISPOMENI AND YPOGEGRAMMENI + {0x1FB8, 0x1FBC, prUpper}, // L& [5] GREEK CAPITAL LETTER ALPHA WITH VRACHY..GREEK CAPITAL LETTER ALPHA WITH PROSGEGRAMMENI + {0x1FBE, 0x1FBE, prLower}, // L& GREEK PROSGEGRAMMENI + {0x1FC2, 0x1FC4, prLower}, // L& [3] GREEK SMALL LETTER ETA WITH VARIA AND YPOGEGRAMMENI..GREEK SMALL LETTER ETA WITH OXIA AND YPOGEGRAMMENI + {0x1FC6, 0x1FC7, prLower}, // L& [2] GREEK SMALL LETTER ETA WITH PERISPOMENI..GREEK SMALL LETTER ETA WITH PERISPOMENI AND YPOGEGRAMMENI + {0x1FC8, 0x1FCC, prUpper}, // L& [5] GREEK CAPITAL LETTER EPSILON WITH VARIA..GREEK CAPITAL LETTER ETA WITH PROSGEGRAMMENI + {0x1FD0, 0x1FD3, prLower}, // L& [4] GREEK SMALL LETTER IOTA WITH VRACHY..GREEK SMALL LETTER IOTA WITH DIALYTIKA AND OXIA + {0x1FD6, 0x1FD7, prLower}, // L& [2] GREEK SMALL LETTER IOTA WITH PERISPOMENI..GREEK SMALL LETTER IOTA WITH DIALYTIKA AND PERISPOMENI + {0x1FD8, 0x1FDB, prUpper}, // L& [4] GREEK CAPITAL LETTER IOTA WITH VRACHY..GREEK CAPITAL LETTER IOTA WITH OXIA + {0x1FE0, 0x1FE7, prLower}, // L& [8] GREEK SMALL LETTER UPSILON WITH VRACHY..GREEK SMALL LETTER UPSILON WITH DIALYTIKA AND PERISPOMENI + {0x1FE8, 0x1FEC, prUpper}, // L& [5] GREEK CAPITAL LETTER UPSILON WITH VRACHY..GREEK CAPITAL LETTER RHO WITH DASIA + {0x1FF2, 0x1FF4, prLower}, // L& [3] GREEK SMALL LETTER OMEGA WITH VARIA AND YPOGEGRAMMENI..GREEK SMALL LETTER OMEGA WITH OXIA AND YPOGEGRAMMENI + {0x1FF6, 0x1FF7, prLower}, // L& [2] GREEK SMALL LETTER OMEGA WITH PERISPOMENI..GREEK SMALL LETTER OMEGA WITH PERISPOMENI AND YPOGEGRAMMENI + {0x1FF8, 0x1FFC, prUpper}, // L& [5] GREEK CAPITAL LETTER OMICRON WITH VARIA..GREEK CAPITAL LETTER OMEGA WITH PROSGEGRAMMENI + {0x2000, 0x200A, prSp}, // Zs [11] EN QUAD..HAIR SPACE + {0x200B, 0x200B, prFormat}, // Cf ZERO WIDTH SPACE + {0x200C, 0x200D, prExtend}, // Cf [2] ZERO WIDTH NON-JOINER..ZERO WIDTH JOINER + {0x200E, 0x200F, prFormat}, // Cf [2] LEFT-TO-RIGHT MARK..RIGHT-TO-LEFT MARK + {0x2013, 0x2014, prSContinue}, // Pd [2] EN DASH..EM DASH + {0x2018, 0x2018, prClose}, // Pi LEFT SINGLE QUOTATION MARK + {0x2019, 0x2019, prClose}, // Pf RIGHT SINGLE QUOTATION MARK + {0x201A, 0x201A, prClose}, // Ps SINGLE LOW-9 QUOTATION MARK + {0x201B, 0x201C, prClose}, // Pi [2] SINGLE HIGH-REVERSED-9 QUOTATION MARK..LEFT DOUBLE QUOTATION MARK + {0x201D, 0x201D, prClose}, // Pf RIGHT DOUBLE QUOTATION MARK + {0x201E, 0x201E, prClose}, // Ps DOUBLE LOW-9 QUOTATION MARK + {0x201F, 0x201F, prClose}, // Pi DOUBLE HIGH-REVERSED-9 QUOTATION MARK + {0x2024, 0x2024, prATerm}, // Po ONE DOT LEADER + {0x2028, 0x2028, prSep}, // Zl LINE SEPARATOR + {0x2029, 0x2029, prSep}, // Zp PARAGRAPH SEPARATOR + {0x202A, 0x202E, prFormat}, // Cf [5] LEFT-TO-RIGHT EMBEDDING..RIGHT-TO-LEFT OVERRIDE + {0x202F, 0x202F, prSp}, // Zs NARROW NO-BREAK SPACE + {0x2039, 0x2039, prClose}, // Pi SINGLE LEFT-POINTING ANGLE QUOTATION MARK + {0x203A, 0x203A, prClose}, // Pf SINGLE RIGHT-POINTING ANGLE QUOTATION MARK + {0x203C, 0x203D, prSTerm}, // Po [2] DOUBLE EXCLAMATION MARK..INTERROBANG + {0x2045, 0x2045, prClose}, // Ps LEFT SQUARE BRACKET WITH QUILL + {0x2046, 0x2046, prClose}, // Pe RIGHT SQUARE BRACKET WITH QUILL + {0x2047, 0x2049, prSTerm}, // Po [3] DOUBLE QUESTION MARK..EXCLAMATION QUESTION MARK + {0x205F, 0x205F, prSp}, // Zs MEDIUM MATHEMATICAL SPACE + {0x2060, 0x2064, prFormat}, // Cf [5] WORD JOINER..INVISIBLE PLUS + {0x2066, 0x206F, prFormat}, // Cf [10] LEFT-TO-RIGHT ISOLATE..NOMINAL DIGIT SHAPES + {0x2071, 0x2071, prLower}, // Lm SUPERSCRIPT LATIN SMALL LETTER I + {0x207D, 0x207D, prClose}, // Ps SUPERSCRIPT LEFT PARENTHESIS + {0x207E, 0x207E, prClose}, // Pe SUPERSCRIPT RIGHT PARENTHESIS + {0x207F, 0x207F, prLower}, // Lm SUPERSCRIPT LATIN SMALL LETTER N + {0x208D, 0x208D, prClose}, // Ps SUBSCRIPT LEFT PARENTHESIS + {0x208E, 0x208E, prClose}, // Pe SUBSCRIPT RIGHT PARENTHESIS + {0x2090, 0x209C, prLower}, // Lm [13] LATIN SUBSCRIPT SMALL LETTER A..LATIN SUBSCRIPT SMALL LETTER T + {0x20D0, 0x20DC, prExtend}, // Mn [13] COMBINING LEFT HARPOON ABOVE..COMBINING FOUR DOTS ABOVE + {0x20DD, 0x20E0, prExtend}, // Me [4] COMBINING ENCLOSING CIRCLE..COMBINING ENCLOSING CIRCLE BACKSLASH + {0x20E1, 0x20E1, prExtend}, // Mn COMBINING LEFT RIGHT ARROW ABOVE + {0x20E2, 0x20E4, prExtend}, // Me [3] COMBINING ENCLOSING SCREEN..COMBINING ENCLOSING UPWARD POINTING TRIANGLE + {0x20E5, 0x20F0, prExtend}, // Mn [12] COMBINING REVERSE SOLIDUS OVERLAY..COMBINING ASTERISK ABOVE + {0x2102, 0x2102, prUpper}, // L& DOUBLE-STRUCK CAPITAL C + {0x2107, 0x2107, prUpper}, // L& EULER CONSTANT + {0x210A, 0x210A, prLower}, // L& SCRIPT SMALL G + {0x210B, 0x210D, prUpper}, // L& [3] SCRIPT CAPITAL H..DOUBLE-STRUCK CAPITAL H + {0x210E, 0x210F, prLower}, // L& [2] PLANCK CONSTANT..PLANCK CONSTANT OVER TWO PI + {0x2110, 0x2112, prUpper}, // L& [3] SCRIPT CAPITAL I..SCRIPT CAPITAL L + {0x2113, 0x2113, prLower}, // L& SCRIPT SMALL L + {0x2115, 0x2115, prUpper}, // L& DOUBLE-STRUCK CAPITAL N + {0x2119, 0x211D, prUpper}, // L& [5] DOUBLE-STRUCK CAPITAL P..DOUBLE-STRUCK CAPITAL R + {0x2124, 0x2124, prUpper}, // L& DOUBLE-STRUCK CAPITAL Z + {0x2126, 0x2126, prUpper}, // L& OHM SIGN + {0x2128, 0x2128, prUpper}, // L& BLACK-LETTER CAPITAL Z + {0x212A, 0x212D, prUpper}, // L& [4] KELVIN SIGN..BLACK-LETTER CAPITAL C + {0x212F, 0x212F, prLower}, // L& SCRIPT SMALL E + {0x2130, 0x2133, prUpper}, // L& [4] SCRIPT CAPITAL E..SCRIPT CAPITAL M + {0x2134, 0x2134, prLower}, // L& SCRIPT SMALL O + {0x2135, 0x2138, prOLetter}, // Lo [4] ALEF SYMBOL..DALET SYMBOL + {0x2139, 0x2139, prLower}, // L& INFORMATION SOURCE + {0x213C, 0x213D, prLower}, // L& [2] DOUBLE-STRUCK SMALL PI..DOUBLE-STRUCK SMALL GAMMA + {0x213E, 0x213F, prUpper}, // L& [2] DOUBLE-STRUCK CAPITAL GAMMA..DOUBLE-STRUCK CAPITAL PI + {0x2145, 0x2145, prUpper}, // L& DOUBLE-STRUCK ITALIC CAPITAL D + {0x2146, 0x2149, prLower}, // L& [4] DOUBLE-STRUCK ITALIC SMALL D..DOUBLE-STRUCK ITALIC SMALL J + {0x214E, 0x214E, prLower}, // L& TURNED SMALL F + {0x2160, 0x216F, prUpper}, // Nl [16] ROMAN NUMERAL ONE..ROMAN NUMERAL ONE THOUSAND + {0x2170, 0x217F, prLower}, // Nl [16] SMALL ROMAN NUMERAL ONE..SMALL ROMAN NUMERAL ONE THOUSAND + {0x2180, 0x2182, prOLetter}, // Nl [3] ROMAN NUMERAL ONE THOUSAND C D..ROMAN NUMERAL TEN THOUSAND + {0x2183, 0x2183, prUpper}, // L& ROMAN NUMERAL REVERSED ONE HUNDRED + {0x2184, 0x2184, prLower}, // L& LATIN SMALL LETTER REVERSED C + {0x2185, 0x2188, prOLetter}, // Nl [4] ROMAN NUMERAL SIX LATE FORM..ROMAN NUMERAL ONE HUNDRED THOUSAND + {0x2308, 0x2308, prClose}, // Ps LEFT CEILING + {0x2309, 0x2309, prClose}, // Pe RIGHT CEILING + {0x230A, 0x230A, prClose}, // Ps LEFT FLOOR + {0x230B, 0x230B, prClose}, // Pe RIGHT FLOOR + {0x2329, 0x2329, prClose}, // Ps LEFT-POINTING ANGLE BRACKET + {0x232A, 0x232A, prClose}, // Pe RIGHT-POINTING ANGLE BRACKET + {0x24B6, 0x24CF, prUpper}, // So [26] CIRCLED LATIN CAPITAL LETTER A..CIRCLED LATIN CAPITAL LETTER Z + {0x24D0, 0x24E9, prLower}, // So [26] CIRCLED LATIN SMALL LETTER A..CIRCLED LATIN SMALL LETTER Z + {0x275B, 0x2760, prClose}, // So [6] HEAVY SINGLE TURNED COMMA QUOTATION MARK ORNAMENT..HEAVY LOW DOUBLE COMMA QUOTATION MARK ORNAMENT + {0x2768, 0x2768, prClose}, // Ps MEDIUM LEFT PARENTHESIS ORNAMENT + {0x2769, 0x2769, prClose}, // Pe MEDIUM RIGHT PARENTHESIS ORNAMENT + {0x276A, 0x276A, prClose}, // Ps MEDIUM FLATTENED LEFT PARENTHESIS ORNAMENT + {0x276B, 0x276B, prClose}, // Pe MEDIUM FLATTENED RIGHT PARENTHESIS ORNAMENT + {0x276C, 0x276C, prClose}, // Ps MEDIUM LEFT-POINTING ANGLE BRACKET ORNAMENT + {0x276D, 0x276D, prClose}, // Pe MEDIUM RIGHT-POINTING ANGLE BRACKET ORNAMENT + {0x276E, 0x276E, prClose}, // Ps HEAVY LEFT-POINTING ANGLE QUOTATION MARK ORNAMENT + {0x276F, 0x276F, prClose}, // Pe HEAVY RIGHT-POINTING ANGLE QUOTATION MARK ORNAMENT + {0x2770, 0x2770, prClose}, // Ps HEAVY LEFT-POINTING ANGLE BRACKET ORNAMENT + {0x2771, 0x2771, prClose}, // Pe HEAVY RIGHT-POINTING ANGLE BRACKET ORNAMENT + {0x2772, 0x2772, prClose}, // Ps LIGHT LEFT TORTOISE SHELL BRACKET ORNAMENT + {0x2773, 0x2773, prClose}, // Pe LIGHT RIGHT TORTOISE SHELL BRACKET ORNAMENT + {0x2774, 0x2774, prClose}, // Ps MEDIUM LEFT CURLY BRACKET ORNAMENT + {0x2775, 0x2775, prClose}, // Pe MEDIUM RIGHT CURLY BRACKET ORNAMENT + {0x27C5, 0x27C5, prClose}, // Ps LEFT S-SHAPED BAG DELIMITER + {0x27C6, 0x27C6, prClose}, // Pe RIGHT S-SHAPED BAG DELIMITER + {0x27E6, 0x27E6, prClose}, // Ps MATHEMATICAL LEFT WHITE SQUARE BRACKET + {0x27E7, 0x27E7, prClose}, // Pe MATHEMATICAL RIGHT WHITE SQUARE BRACKET + {0x27E8, 0x27E8, prClose}, // Ps MATHEMATICAL LEFT ANGLE BRACKET + {0x27E9, 0x27E9, prClose}, // Pe MATHEMATICAL RIGHT ANGLE BRACKET + {0x27EA, 0x27EA, prClose}, // Ps MATHEMATICAL LEFT DOUBLE ANGLE BRACKET + {0x27EB, 0x27EB, prClose}, // Pe MATHEMATICAL RIGHT DOUBLE ANGLE BRACKET + {0x27EC, 0x27EC, prClose}, // Ps MATHEMATICAL LEFT WHITE TORTOISE SHELL BRACKET + {0x27ED, 0x27ED, prClose}, // Pe MATHEMATICAL RIGHT WHITE TORTOISE SHELL BRACKET + {0x27EE, 0x27EE, prClose}, // Ps MATHEMATICAL LEFT FLATTENED PARENTHESIS + {0x27EF, 0x27EF, prClose}, // Pe MATHEMATICAL RIGHT FLATTENED PARENTHESIS + {0x2983, 0x2983, prClose}, // Ps LEFT WHITE CURLY BRACKET + {0x2984, 0x2984, prClose}, // Pe RIGHT WHITE CURLY BRACKET + {0x2985, 0x2985, prClose}, // Ps LEFT WHITE PARENTHESIS + {0x2986, 0x2986, prClose}, // Pe RIGHT WHITE PARENTHESIS + {0x2987, 0x2987, prClose}, // Ps Z NOTATION LEFT IMAGE BRACKET + {0x2988, 0x2988, prClose}, // Pe Z NOTATION RIGHT IMAGE BRACKET + {0x2989, 0x2989, prClose}, // Ps Z NOTATION LEFT BINDING BRACKET + {0x298A, 0x298A, prClose}, // Pe Z NOTATION RIGHT BINDING BRACKET + {0x298B, 0x298B, prClose}, // Ps LEFT SQUARE BRACKET WITH UNDERBAR + {0x298C, 0x298C, prClose}, // Pe RIGHT SQUARE BRACKET WITH UNDERBAR + {0x298D, 0x298D, prClose}, // Ps LEFT SQUARE BRACKET WITH TICK IN TOP CORNER + {0x298E, 0x298E, prClose}, // Pe RIGHT SQUARE BRACKET WITH TICK IN BOTTOM CORNER + {0x298F, 0x298F, prClose}, // Ps LEFT SQUARE BRACKET WITH TICK IN BOTTOM CORNER + {0x2990, 0x2990, prClose}, // Pe RIGHT SQUARE BRACKET WITH TICK IN TOP CORNER + {0x2991, 0x2991, prClose}, // Ps LEFT ANGLE BRACKET WITH DOT + {0x2992, 0x2992, prClose}, // Pe RIGHT ANGLE BRACKET WITH DOT + {0x2993, 0x2993, prClose}, // Ps LEFT ARC LESS-THAN BRACKET + {0x2994, 0x2994, prClose}, // Pe RIGHT ARC GREATER-THAN BRACKET + {0x2995, 0x2995, prClose}, // Ps DOUBLE LEFT ARC GREATER-THAN BRACKET + {0x2996, 0x2996, prClose}, // Pe DOUBLE RIGHT ARC LESS-THAN BRACKET + {0x2997, 0x2997, prClose}, // Ps LEFT BLACK TORTOISE SHELL BRACKET + {0x2998, 0x2998, prClose}, // Pe RIGHT BLACK TORTOISE SHELL BRACKET + {0x29D8, 0x29D8, prClose}, // Ps LEFT WIGGLY FENCE + {0x29D9, 0x29D9, prClose}, // Pe RIGHT WIGGLY FENCE + {0x29DA, 0x29DA, prClose}, // Ps LEFT DOUBLE WIGGLY FENCE + {0x29DB, 0x29DB, prClose}, // Pe RIGHT DOUBLE WIGGLY FENCE + {0x29FC, 0x29FC, prClose}, // Ps LEFT-POINTING CURVED ANGLE BRACKET + {0x29FD, 0x29FD, prClose}, // Pe RIGHT-POINTING CURVED ANGLE BRACKET + {0x2C00, 0x2C2F, prUpper}, // L& [48] GLAGOLITIC CAPITAL LETTER AZU..GLAGOLITIC CAPITAL LETTER CAUDATE CHRIVI + {0x2C30, 0x2C5F, prLower}, // L& [48] GLAGOLITIC SMALL LETTER AZU..GLAGOLITIC SMALL LETTER CAUDATE CHRIVI + {0x2C60, 0x2C60, prUpper}, // L& LATIN CAPITAL LETTER L WITH DOUBLE BAR + {0x2C61, 0x2C61, prLower}, // L& LATIN SMALL LETTER L WITH DOUBLE BAR + {0x2C62, 0x2C64, prUpper}, // L& [3] LATIN CAPITAL LETTER L WITH MIDDLE TILDE..LATIN CAPITAL LETTER R WITH TAIL + {0x2C65, 0x2C66, prLower}, // L& [2] LATIN SMALL LETTER A WITH STROKE..LATIN SMALL LETTER T WITH DIAGONAL STROKE + {0x2C67, 0x2C67, prUpper}, // L& LATIN CAPITAL LETTER H WITH DESCENDER + {0x2C68, 0x2C68, prLower}, // L& LATIN SMALL LETTER H WITH DESCENDER + {0x2C69, 0x2C69, prUpper}, // L& LATIN CAPITAL LETTER K WITH DESCENDER + {0x2C6A, 0x2C6A, prLower}, // L& LATIN SMALL LETTER K WITH DESCENDER + {0x2C6B, 0x2C6B, prUpper}, // L& LATIN CAPITAL LETTER Z WITH DESCENDER + {0x2C6C, 0x2C6C, prLower}, // L& LATIN SMALL LETTER Z WITH DESCENDER + {0x2C6D, 0x2C70, prUpper}, // L& [4] LATIN CAPITAL LETTER ALPHA..LATIN CAPITAL LETTER TURNED ALPHA + {0x2C71, 0x2C71, prLower}, // L& LATIN SMALL LETTER V WITH RIGHT HOOK + {0x2C72, 0x2C72, prUpper}, // L& LATIN CAPITAL LETTER W WITH HOOK + {0x2C73, 0x2C74, prLower}, // L& [2] LATIN SMALL LETTER W WITH HOOK..LATIN SMALL LETTER V WITH CURL + {0x2C75, 0x2C75, prUpper}, // L& LATIN CAPITAL LETTER HALF H + {0x2C76, 0x2C7B, prLower}, // L& [6] LATIN SMALL LETTER HALF H..LATIN LETTER SMALL CAPITAL TURNED E + {0x2C7C, 0x2C7D, prLower}, // Lm [2] LATIN SUBSCRIPT SMALL LETTER J..MODIFIER LETTER CAPITAL V + {0x2C7E, 0x2C80, prUpper}, // L& [3] LATIN CAPITAL LETTER S WITH SWASH TAIL..COPTIC CAPITAL LETTER ALFA + {0x2C81, 0x2C81, prLower}, // L& COPTIC SMALL LETTER ALFA + {0x2C82, 0x2C82, prUpper}, // L& COPTIC CAPITAL LETTER VIDA + {0x2C83, 0x2C83, prLower}, // L& COPTIC SMALL LETTER VIDA + {0x2C84, 0x2C84, prUpper}, // L& COPTIC CAPITAL LETTER GAMMA + {0x2C85, 0x2C85, prLower}, // L& COPTIC SMALL LETTER GAMMA + {0x2C86, 0x2C86, prUpper}, // L& COPTIC CAPITAL LETTER DALDA + {0x2C87, 0x2C87, prLower}, // L& COPTIC SMALL LETTER DALDA + {0x2C88, 0x2C88, prUpper}, // L& COPTIC CAPITAL LETTER EIE + {0x2C89, 0x2C89, prLower}, // L& COPTIC SMALL LETTER EIE + {0x2C8A, 0x2C8A, prUpper}, // L& COPTIC CAPITAL LETTER SOU + {0x2C8B, 0x2C8B, prLower}, // L& COPTIC SMALL LETTER SOU + {0x2C8C, 0x2C8C, prUpper}, // L& COPTIC CAPITAL LETTER ZATA + {0x2C8D, 0x2C8D, prLower}, // L& COPTIC SMALL LETTER ZATA + {0x2C8E, 0x2C8E, prUpper}, // L& COPTIC CAPITAL LETTER HATE + {0x2C8F, 0x2C8F, prLower}, // L& COPTIC SMALL LETTER HATE + {0x2C90, 0x2C90, prUpper}, // L& COPTIC CAPITAL LETTER THETHE + {0x2C91, 0x2C91, prLower}, // L& COPTIC SMALL LETTER THETHE + {0x2C92, 0x2C92, prUpper}, // L& COPTIC CAPITAL LETTER IAUDA + {0x2C93, 0x2C93, prLower}, // L& COPTIC SMALL LETTER IAUDA + {0x2C94, 0x2C94, prUpper}, // L& COPTIC CAPITAL LETTER KAPA + {0x2C95, 0x2C95, prLower}, // L& COPTIC SMALL LETTER KAPA + {0x2C96, 0x2C96, prUpper}, // L& COPTIC CAPITAL LETTER LAULA + {0x2C97, 0x2C97, prLower}, // L& COPTIC SMALL LETTER LAULA + {0x2C98, 0x2C98, prUpper}, // L& COPTIC CAPITAL LETTER MI + {0x2C99, 0x2C99, prLower}, // L& COPTIC SMALL LETTER MI + {0x2C9A, 0x2C9A, prUpper}, // L& COPTIC CAPITAL LETTER NI + {0x2C9B, 0x2C9B, prLower}, // L& COPTIC SMALL LETTER NI + {0x2C9C, 0x2C9C, prUpper}, // L& COPTIC CAPITAL LETTER KSI + {0x2C9D, 0x2C9D, prLower}, // L& COPTIC SMALL LETTER KSI + {0x2C9E, 0x2C9E, prUpper}, // L& COPTIC CAPITAL LETTER O + {0x2C9F, 0x2C9F, prLower}, // L& COPTIC SMALL LETTER O + {0x2CA0, 0x2CA0, prUpper}, // L& COPTIC CAPITAL LETTER PI + {0x2CA1, 0x2CA1, prLower}, // L& COPTIC SMALL LETTER PI + {0x2CA2, 0x2CA2, prUpper}, // L& COPTIC CAPITAL LETTER RO + {0x2CA3, 0x2CA3, prLower}, // L& COPTIC SMALL LETTER RO + {0x2CA4, 0x2CA4, prUpper}, // L& COPTIC CAPITAL LETTER SIMA + {0x2CA5, 0x2CA5, prLower}, // L& COPTIC SMALL LETTER SIMA + {0x2CA6, 0x2CA6, prUpper}, // L& COPTIC CAPITAL LETTER TAU + {0x2CA7, 0x2CA7, prLower}, // L& COPTIC SMALL LETTER TAU + {0x2CA8, 0x2CA8, prUpper}, // L& COPTIC CAPITAL LETTER UA + {0x2CA9, 0x2CA9, prLower}, // L& COPTIC SMALL LETTER UA + {0x2CAA, 0x2CAA, prUpper}, // L& COPTIC CAPITAL LETTER FI + {0x2CAB, 0x2CAB, prLower}, // L& COPTIC SMALL LETTER FI + {0x2CAC, 0x2CAC, prUpper}, // L& COPTIC CAPITAL LETTER KHI + {0x2CAD, 0x2CAD, prLower}, // L& COPTIC SMALL LETTER KHI + {0x2CAE, 0x2CAE, prUpper}, // L& COPTIC CAPITAL LETTER PSI + {0x2CAF, 0x2CAF, prLower}, // L& COPTIC SMALL LETTER PSI + {0x2CB0, 0x2CB0, prUpper}, // L& COPTIC CAPITAL LETTER OOU + {0x2CB1, 0x2CB1, prLower}, // L& COPTIC SMALL LETTER OOU + {0x2CB2, 0x2CB2, prUpper}, // L& COPTIC CAPITAL LETTER DIALECT-P ALEF + {0x2CB3, 0x2CB3, prLower}, // L& COPTIC SMALL LETTER DIALECT-P ALEF + {0x2CB4, 0x2CB4, prUpper}, // L& COPTIC CAPITAL LETTER OLD COPTIC AIN + {0x2CB5, 0x2CB5, prLower}, // L& COPTIC SMALL LETTER OLD COPTIC AIN + {0x2CB6, 0x2CB6, prUpper}, // L& COPTIC CAPITAL LETTER CRYPTOGRAMMIC EIE + {0x2CB7, 0x2CB7, prLower}, // L& COPTIC SMALL LETTER CRYPTOGRAMMIC EIE + {0x2CB8, 0x2CB8, prUpper}, // L& COPTIC CAPITAL LETTER DIALECT-P KAPA + {0x2CB9, 0x2CB9, prLower}, // L& COPTIC SMALL LETTER DIALECT-P KAPA + {0x2CBA, 0x2CBA, prUpper}, // L& COPTIC CAPITAL LETTER DIALECT-P NI + {0x2CBB, 0x2CBB, prLower}, // L& COPTIC SMALL LETTER DIALECT-P NI + {0x2CBC, 0x2CBC, prUpper}, // L& COPTIC CAPITAL LETTER CRYPTOGRAMMIC NI + {0x2CBD, 0x2CBD, prLower}, // L& COPTIC SMALL LETTER CRYPTOGRAMMIC NI + {0x2CBE, 0x2CBE, prUpper}, // L& COPTIC CAPITAL LETTER OLD COPTIC OOU + {0x2CBF, 0x2CBF, prLower}, // L& COPTIC SMALL LETTER OLD COPTIC OOU + {0x2CC0, 0x2CC0, prUpper}, // L& COPTIC CAPITAL LETTER SAMPI + {0x2CC1, 0x2CC1, prLower}, // L& COPTIC SMALL LETTER SAMPI + {0x2CC2, 0x2CC2, prUpper}, // L& COPTIC CAPITAL LETTER CROSSED SHEI + {0x2CC3, 0x2CC3, prLower}, // L& COPTIC SMALL LETTER CROSSED SHEI + {0x2CC4, 0x2CC4, prUpper}, // L& COPTIC CAPITAL LETTER OLD COPTIC SHEI + {0x2CC5, 0x2CC5, prLower}, // L& COPTIC SMALL LETTER OLD COPTIC SHEI + {0x2CC6, 0x2CC6, prUpper}, // L& COPTIC CAPITAL LETTER OLD COPTIC ESH + {0x2CC7, 0x2CC7, prLower}, // L& COPTIC SMALL LETTER OLD COPTIC ESH + {0x2CC8, 0x2CC8, prUpper}, // L& COPTIC CAPITAL LETTER AKHMIMIC KHEI + {0x2CC9, 0x2CC9, prLower}, // L& COPTIC SMALL LETTER AKHMIMIC KHEI + {0x2CCA, 0x2CCA, prUpper}, // L& COPTIC CAPITAL LETTER DIALECT-P HORI + {0x2CCB, 0x2CCB, prLower}, // L& COPTIC SMALL LETTER DIALECT-P HORI + {0x2CCC, 0x2CCC, prUpper}, // L& COPTIC CAPITAL LETTER OLD COPTIC HORI + {0x2CCD, 0x2CCD, prLower}, // L& COPTIC SMALL LETTER OLD COPTIC HORI + {0x2CCE, 0x2CCE, prUpper}, // L& COPTIC CAPITAL LETTER OLD COPTIC HA + {0x2CCF, 0x2CCF, prLower}, // L& COPTIC SMALL LETTER OLD COPTIC HA + {0x2CD0, 0x2CD0, prUpper}, // L& COPTIC CAPITAL LETTER L-SHAPED HA + {0x2CD1, 0x2CD1, prLower}, // L& COPTIC SMALL LETTER L-SHAPED HA + {0x2CD2, 0x2CD2, prUpper}, // L& COPTIC CAPITAL LETTER OLD COPTIC HEI + {0x2CD3, 0x2CD3, prLower}, // L& COPTIC SMALL LETTER OLD COPTIC HEI + {0x2CD4, 0x2CD4, prUpper}, // L& COPTIC CAPITAL LETTER OLD COPTIC HAT + {0x2CD5, 0x2CD5, prLower}, // L& COPTIC SMALL LETTER OLD COPTIC HAT + {0x2CD6, 0x2CD6, prUpper}, // L& COPTIC CAPITAL LETTER OLD COPTIC GANGIA + {0x2CD7, 0x2CD7, prLower}, // L& COPTIC SMALL LETTER OLD COPTIC GANGIA + {0x2CD8, 0x2CD8, prUpper}, // L& COPTIC CAPITAL LETTER OLD COPTIC DJA + {0x2CD9, 0x2CD9, prLower}, // L& COPTIC SMALL LETTER OLD COPTIC DJA + {0x2CDA, 0x2CDA, prUpper}, // L& COPTIC CAPITAL LETTER OLD COPTIC SHIMA + {0x2CDB, 0x2CDB, prLower}, // L& COPTIC SMALL LETTER OLD COPTIC SHIMA + {0x2CDC, 0x2CDC, prUpper}, // L& COPTIC CAPITAL LETTER OLD NUBIAN SHIMA + {0x2CDD, 0x2CDD, prLower}, // L& COPTIC SMALL LETTER OLD NUBIAN SHIMA + {0x2CDE, 0x2CDE, prUpper}, // L& COPTIC CAPITAL LETTER OLD NUBIAN NGI + {0x2CDF, 0x2CDF, prLower}, // L& COPTIC SMALL LETTER OLD NUBIAN NGI + {0x2CE0, 0x2CE0, prUpper}, // L& COPTIC CAPITAL LETTER OLD NUBIAN NYI + {0x2CE1, 0x2CE1, prLower}, // L& COPTIC SMALL LETTER OLD NUBIAN NYI + {0x2CE2, 0x2CE2, prUpper}, // L& COPTIC CAPITAL LETTER OLD NUBIAN WAU + {0x2CE3, 0x2CE4, prLower}, // L& [2] COPTIC SMALL LETTER OLD NUBIAN WAU..COPTIC SYMBOL KAI + {0x2CEB, 0x2CEB, prUpper}, // L& COPTIC CAPITAL LETTER CRYPTOGRAMMIC SHEI + {0x2CEC, 0x2CEC, prLower}, // L& COPTIC SMALL LETTER CRYPTOGRAMMIC SHEI + {0x2CED, 0x2CED, prUpper}, // L& COPTIC CAPITAL LETTER CRYPTOGRAMMIC GANGIA + {0x2CEE, 0x2CEE, prLower}, // L& COPTIC SMALL LETTER CRYPTOGRAMMIC GANGIA + {0x2CEF, 0x2CF1, prExtend}, // Mn [3] COPTIC COMBINING NI ABOVE..COPTIC COMBINING SPIRITUS LENIS + {0x2CF2, 0x2CF2, prUpper}, // L& COPTIC CAPITAL LETTER BOHAIRIC KHEI + {0x2CF3, 0x2CF3, prLower}, // L& COPTIC SMALL LETTER BOHAIRIC KHEI + {0x2D00, 0x2D25, prLower}, // L& [38] GEORGIAN SMALL LETTER AN..GEORGIAN SMALL LETTER HOE + {0x2D27, 0x2D27, prLower}, // L& GEORGIAN SMALL LETTER YN + {0x2D2D, 0x2D2D, prLower}, // L& GEORGIAN SMALL LETTER AEN + {0x2D30, 0x2D67, prOLetter}, // Lo [56] TIFINAGH LETTER YA..TIFINAGH LETTER YO + {0x2D6F, 0x2D6F, prOLetter}, // Lm TIFINAGH MODIFIER LETTER LABIALIZATION MARK + {0x2D7F, 0x2D7F, prExtend}, // Mn TIFINAGH CONSONANT JOINER + {0x2D80, 0x2D96, prOLetter}, // Lo [23] ETHIOPIC SYLLABLE LOA..ETHIOPIC SYLLABLE GGWE + {0x2DA0, 0x2DA6, prOLetter}, // Lo [7] ETHIOPIC SYLLABLE SSA..ETHIOPIC SYLLABLE SSO + {0x2DA8, 0x2DAE, prOLetter}, // Lo [7] ETHIOPIC SYLLABLE CCA..ETHIOPIC SYLLABLE CCO + {0x2DB0, 0x2DB6, prOLetter}, // Lo [7] ETHIOPIC SYLLABLE ZZA..ETHIOPIC SYLLABLE ZZO + {0x2DB8, 0x2DBE, prOLetter}, // Lo [7] ETHIOPIC SYLLABLE CCHA..ETHIOPIC SYLLABLE CCHO + {0x2DC0, 0x2DC6, prOLetter}, // Lo [7] ETHIOPIC SYLLABLE QYA..ETHIOPIC SYLLABLE QYO + {0x2DC8, 0x2DCE, prOLetter}, // Lo [7] ETHIOPIC SYLLABLE KYA..ETHIOPIC SYLLABLE KYO + {0x2DD0, 0x2DD6, prOLetter}, // Lo [7] ETHIOPIC SYLLABLE XYA..ETHIOPIC SYLLABLE XYO + {0x2DD8, 0x2DDE, prOLetter}, // Lo [7] ETHIOPIC SYLLABLE GYA..ETHIOPIC SYLLABLE GYO + {0x2DE0, 0x2DFF, prExtend}, // Mn [32] COMBINING CYRILLIC LETTER BE..COMBINING CYRILLIC LETTER IOTIFIED BIG YUS + {0x2E00, 0x2E01, prClose}, // Po [2] RIGHT ANGLE SUBSTITUTION MARKER..RIGHT ANGLE DOTTED SUBSTITUTION MARKER + {0x2E02, 0x2E02, prClose}, // Pi LEFT SUBSTITUTION BRACKET + {0x2E03, 0x2E03, prClose}, // Pf RIGHT SUBSTITUTION BRACKET + {0x2E04, 0x2E04, prClose}, // Pi LEFT DOTTED SUBSTITUTION BRACKET + {0x2E05, 0x2E05, prClose}, // Pf RIGHT DOTTED SUBSTITUTION BRACKET + {0x2E06, 0x2E08, prClose}, // Po [3] RAISED INTERPOLATION MARKER..DOTTED TRANSPOSITION MARKER + {0x2E09, 0x2E09, prClose}, // Pi LEFT TRANSPOSITION BRACKET + {0x2E0A, 0x2E0A, prClose}, // Pf RIGHT TRANSPOSITION BRACKET + {0x2E0B, 0x2E0B, prClose}, // Po RAISED SQUARE + {0x2E0C, 0x2E0C, prClose}, // Pi LEFT RAISED OMISSION BRACKET + {0x2E0D, 0x2E0D, prClose}, // Pf RIGHT RAISED OMISSION BRACKET + {0x2E1C, 0x2E1C, prClose}, // Pi LEFT LOW PARAPHRASE BRACKET + {0x2E1D, 0x2E1D, prClose}, // Pf RIGHT LOW PARAPHRASE BRACKET + {0x2E20, 0x2E20, prClose}, // Pi LEFT VERTICAL BAR WITH QUILL + {0x2E21, 0x2E21, prClose}, // Pf RIGHT VERTICAL BAR WITH QUILL + {0x2E22, 0x2E22, prClose}, // Ps TOP LEFT HALF BRACKET + {0x2E23, 0x2E23, prClose}, // Pe TOP RIGHT HALF BRACKET + {0x2E24, 0x2E24, prClose}, // Ps BOTTOM LEFT HALF BRACKET + {0x2E25, 0x2E25, prClose}, // Pe BOTTOM RIGHT HALF BRACKET + {0x2E26, 0x2E26, prClose}, // Ps LEFT SIDEWAYS U BRACKET + {0x2E27, 0x2E27, prClose}, // Pe RIGHT SIDEWAYS U BRACKET + {0x2E28, 0x2E28, prClose}, // Ps LEFT DOUBLE PARENTHESIS + {0x2E29, 0x2E29, prClose}, // Pe RIGHT DOUBLE PARENTHESIS + {0x2E2E, 0x2E2E, prSTerm}, // Po REVERSED QUESTION MARK + {0x2E2F, 0x2E2F, prOLetter}, // Lm VERTICAL TILDE + {0x2E3C, 0x2E3C, prSTerm}, // Po STENOGRAPHIC FULL STOP + {0x2E42, 0x2E42, prClose}, // Ps DOUBLE LOW-REVERSED-9 QUOTATION MARK + {0x2E53, 0x2E54, prSTerm}, // Po [2] MEDIEVAL EXCLAMATION MARK..MEDIEVAL QUESTION MARK + {0x2E55, 0x2E55, prClose}, // Ps LEFT SQUARE BRACKET WITH STROKE + {0x2E56, 0x2E56, prClose}, // Pe RIGHT SQUARE BRACKET WITH STROKE + {0x2E57, 0x2E57, prClose}, // Ps LEFT SQUARE BRACKET WITH DOUBLE STROKE + {0x2E58, 0x2E58, prClose}, // Pe RIGHT SQUARE BRACKET WITH DOUBLE STROKE + {0x2E59, 0x2E59, prClose}, // Ps TOP HALF LEFT PARENTHESIS + {0x2E5A, 0x2E5A, prClose}, // Pe TOP HALF RIGHT PARENTHESIS + {0x2E5B, 0x2E5B, prClose}, // Ps BOTTOM HALF LEFT PARENTHESIS + {0x2E5C, 0x2E5C, prClose}, // Pe BOTTOM HALF RIGHT PARENTHESIS + {0x3000, 0x3000, prSp}, // Zs IDEOGRAPHIC SPACE + {0x3001, 0x3001, prSContinue}, // Po IDEOGRAPHIC COMMA + {0x3002, 0x3002, prSTerm}, // Po IDEOGRAPHIC FULL STOP + {0x3005, 0x3005, prOLetter}, // Lm IDEOGRAPHIC ITERATION MARK + {0x3006, 0x3006, prOLetter}, // Lo IDEOGRAPHIC CLOSING MARK + {0x3007, 0x3007, prOLetter}, // Nl IDEOGRAPHIC NUMBER ZERO + {0x3008, 0x3008, prClose}, // Ps LEFT ANGLE BRACKET + {0x3009, 0x3009, prClose}, // Pe RIGHT ANGLE BRACKET + {0x300A, 0x300A, prClose}, // Ps LEFT DOUBLE ANGLE BRACKET + {0x300B, 0x300B, prClose}, // Pe RIGHT DOUBLE ANGLE BRACKET + {0x300C, 0x300C, prClose}, // Ps LEFT CORNER BRACKET + {0x300D, 0x300D, prClose}, // Pe RIGHT CORNER BRACKET + {0x300E, 0x300E, prClose}, // Ps LEFT WHITE CORNER BRACKET + {0x300F, 0x300F, prClose}, // Pe RIGHT WHITE CORNER BRACKET + {0x3010, 0x3010, prClose}, // Ps LEFT BLACK LENTICULAR BRACKET + {0x3011, 0x3011, prClose}, // Pe RIGHT BLACK LENTICULAR BRACKET + {0x3014, 0x3014, prClose}, // Ps LEFT TORTOISE SHELL BRACKET + {0x3015, 0x3015, prClose}, // Pe RIGHT TORTOISE SHELL BRACKET + {0x3016, 0x3016, prClose}, // Ps LEFT WHITE LENTICULAR BRACKET + {0x3017, 0x3017, prClose}, // Pe RIGHT WHITE LENTICULAR BRACKET + {0x3018, 0x3018, prClose}, // Ps LEFT WHITE TORTOISE SHELL BRACKET + {0x3019, 0x3019, prClose}, // Pe RIGHT WHITE TORTOISE SHELL BRACKET + {0x301A, 0x301A, prClose}, // Ps LEFT WHITE SQUARE BRACKET + {0x301B, 0x301B, prClose}, // Pe RIGHT WHITE SQUARE BRACKET + {0x301D, 0x301D, prClose}, // Ps REVERSED DOUBLE PRIME QUOTATION MARK + {0x301E, 0x301F, prClose}, // Pe [2] DOUBLE PRIME QUOTATION MARK..LOW DOUBLE PRIME QUOTATION MARK + {0x3021, 0x3029, prOLetter}, // Nl [9] HANGZHOU NUMERAL ONE..HANGZHOU NUMERAL NINE + {0x302A, 0x302D, prExtend}, // Mn [4] IDEOGRAPHIC LEVEL TONE MARK..IDEOGRAPHIC ENTERING TONE MARK + {0x302E, 0x302F, prExtend}, // Mc [2] HANGUL SINGLE DOT TONE MARK..HANGUL DOUBLE DOT TONE MARK + {0x3031, 0x3035, prOLetter}, // Lm [5] VERTICAL KANA REPEAT MARK..VERTICAL KANA REPEAT MARK LOWER HALF + {0x3038, 0x303A, prOLetter}, // Nl [3] HANGZHOU NUMERAL TEN..HANGZHOU NUMERAL THIRTY + {0x303B, 0x303B, prOLetter}, // Lm VERTICAL IDEOGRAPHIC ITERATION MARK + {0x303C, 0x303C, prOLetter}, // Lo MASU MARK + {0x3041, 0x3096, prOLetter}, // Lo [86] HIRAGANA LETTER SMALL A..HIRAGANA LETTER SMALL KE + {0x3099, 0x309A, prExtend}, // Mn [2] COMBINING KATAKANA-HIRAGANA VOICED SOUND MARK..COMBINING KATAKANA-HIRAGANA SEMI-VOICED SOUND MARK + {0x309D, 0x309E, prOLetter}, // Lm [2] HIRAGANA ITERATION MARK..HIRAGANA VOICED ITERATION MARK + {0x309F, 0x309F, prOLetter}, // Lo HIRAGANA DIGRAPH YORI + {0x30A1, 0x30FA, prOLetter}, // Lo [90] KATAKANA LETTER SMALL A..KATAKANA LETTER VO + {0x30FC, 0x30FE, prOLetter}, // Lm [3] KATAKANA-HIRAGANA PROLONGED SOUND MARK..KATAKANA VOICED ITERATION MARK + {0x30FF, 0x30FF, prOLetter}, // Lo KATAKANA DIGRAPH KOTO + {0x3105, 0x312F, prOLetter}, // Lo [43] BOPOMOFO LETTER B..BOPOMOFO LETTER NN + {0x3131, 0x318E, prOLetter}, // Lo [94] HANGUL LETTER KIYEOK..HANGUL LETTER ARAEAE + {0x31A0, 0x31BF, prOLetter}, // Lo [32] BOPOMOFO LETTER BU..BOPOMOFO LETTER AH + {0x31F0, 0x31FF, prOLetter}, // Lo [16] KATAKANA LETTER SMALL KU..KATAKANA LETTER SMALL RO + {0x3400, 0x4DBF, prOLetter}, // Lo [6592] CJK UNIFIED IDEOGRAPH-3400..CJK UNIFIED IDEOGRAPH-4DBF + {0x4E00, 0xA014, prOLetter}, // Lo [21013] CJK UNIFIED IDEOGRAPH-4E00..YI SYLLABLE E + {0xA015, 0xA015, prOLetter}, // Lm YI SYLLABLE WU + {0xA016, 0xA48C, prOLetter}, // Lo [1143] YI SYLLABLE BIT..YI SYLLABLE YYR + {0xA4D0, 0xA4F7, prOLetter}, // Lo [40] LISU LETTER BA..LISU LETTER OE + {0xA4F8, 0xA4FD, prOLetter}, // Lm [6] LISU LETTER TONE MYA TI..LISU LETTER TONE MYA JEU + {0xA4FF, 0xA4FF, prSTerm}, // Po LISU PUNCTUATION FULL STOP + {0xA500, 0xA60B, prOLetter}, // Lo [268] VAI SYLLABLE EE..VAI SYLLABLE NG + {0xA60C, 0xA60C, prOLetter}, // Lm VAI SYLLABLE LENGTHENER + {0xA60E, 0xA60F, prSTerm}, // Po [2] VAI FULL STOP..VAI QUESTION MARK + {0xA610, 0xA61F, prOLetter}, // Lo [16] VAI SYLLABLE NDOLE FA..VAI SYMBOL JONG + {0xA620, 0xA629, prNumeric}, // Nd [10] VAI DIGIT ZERO..VAI DIGIT NINE + {0xA62A, 0xA62B, prOLetter}, // Lo [2] VAI SYLLABLE NDOLE MA..VAI SYLLABLE NDOLE DO + {0xA640, 0xA640, prUpper}, // L& CYRILLIC CAPITAL LETTER ZEMLYA + {0xA641, 0xA641, prLower}, // L& CYRILLIC SMALL LETTER ZEMLYA + {0xA642, 0xA642, prUpper}, // L& CYRILLIC CAPITAL LETTER DZELO + {0xA643, 0xA643, prLower}, // L& CYRILLIC SMALL LETTER DZELO + {0xA644, 0xA644, prUpper}, // L& CYRILLIC CAPITAL LETTER REVERSED DZE + {0xA645, 0xA645, prLower}, // L& CYRILLIC SMALL LETTER REVERSED DZE + {0xA646, 0xA646, prUpper}, // L& CYRILLIC CAPITAL LETTER IOTA + {0xA647, 0xA647, prLower}, // L& CYRILLIC SMALL LETTER IOTA + {0xA648, 0xA648, prUpper}, // L& CYRILLIC CAPITAL LETTER DJERV + {0xA649, 0xA649, prLower}, // L& CYRILLIC SMALL LETTER DJERV + {0xA64A, 0xA64A, prUpper}, // L& CYRILLIC CAPITAL LETTER MONOGRAPH UK + {0xA64B, 0xA64B, prLower}, // L& CYRILLIC SMALL LETTER MONOGRAPH UK + {0xA64C, 0xA64C, prUpper}, // L& CYRILLIC CAPITAL LETTER BROAD OMEGA + {0xA64D, 0xA64D, prLower}, // L& CYRILLIC SMALL LETTER BROAD OMEGA + {0xA64E, 0xA64E, prUpper}, // L& CYRILLIC CAPITAL LETTER NEUTRAL YER + {0xA64F, 0xA64F, prLower}, // L& CYRILLIC SMALL LETTER NEUTRAL YER + {0xA650, 0xA650, prUpper}, // L& CYRILLIC CAPITAL LETTER YERU WITH BACK YER + {0xA651, 0xA651, prLower}, // L& CYRILLIC SMALL LETTER YERU WITH BACK YER + {0xA652, 0xA652, prUpper}, // L& CYRILLIC CAPITAL LETTER IOTIFIED YAT + {0xA653, 0xA653, prLower}, // L& CYRILLIC SMALL LETTER IOTIFIED YAT + {0xA654, 0xA654, prUpper}, // L& CYRILLIC CAPITAL LETTER REVERSED YU + {0xA655, 0xA655, prLower}, // L& CYRILLIC SMALL LETTER REVERSED YU + {0xA656, 0xA656, prUpper}, // L& CYRILLIC CAPITAL LETTER IOTIFIED A + {0xA657, 0xA657, prLower}, // L& CYRILLIC SMALL LETTER IOTIFIED A + {0xA658, 0xA658, prUpper}, // L& CYRILLIC CAPITAL LETTER CLOSED LITTLE YUS + {0xA659, 0xA659, prLower}, // L& CYRILLIC SMALL LETTER CLOSED LITTLE YUS + {0xA65A, 0xA65A, prUpper}, // L& CYRILLIC CAPITAL LETTER BLENDED YUS + {0xA65B, 0xA65B, prLower}, // L& CYRILLIC SMALL LETTER BLENDED YUS + {0xA65C, 0xA65C, prUpper}, // L& CYRILLIC CAPITAL LETTER IOTIFIED CLOSED LITTLE YUS + {0xA65D, 0xA65D, prLower}, // L& CYRILLIC SMALL LETTER IOTIFIED CLOSED LITTLE YUS + {0xA65E, 0xA65E, prUpper}, // L& CYRILLIC CAPITAL LETTER YN + {0xA65F, 0xA65F, prLower}, // L& CYRILLIC SMALL LETTER YN + {0xA660, 0xA660, prUpper}, // L& CYRILLIC CAPITAL LETTER REVERSED TSE + {0xA661, 0xA661, prLower}, // L& CYRILLIC SMALL LETTER REVERSED TSE + {0xA662, 0xA662, prUpper}, // L& CYRILLIC CAPITAL LETTER SOFT DE + {0xA663, 0xA663, prLower}, // L& CYRILLIC SMALL LETTER SOFT DE + {0xA664, 0xA664, prUpper}, // L& CYRILLIC CAPITAL LETTER SOFT EL + {0xA665, 0xA665, prLower}, // L& CYRILLIC SMALL LETTER SOFT EL + {0xA666, 0xA666, prUpper}, // L& CYRILLIC CAPITAL LETTER SOFT EM + {0xA667, 0xA667, prLower}, // L& CYRILLIC SMALL LETTER SOFT EM + {0xA668, 0xA668, prUpper}, // L& CYRILLIC CAPITAL LETTER MONOCULAR O + {0xA669, 0xA669, prLower}, // L& CYRILLIC SMALL LETTER MONOCULAR O + {0xA66A, 0xA66A, prUpper}, // L& CYRILLIC CAPITAL LETTER BINOCULAR O + {0xA66B, 0xA66B, prLower}, // L& CYRILLIC SMALL LETTER BINOCULAR O + {0xA66C, 0xA66C, prUpper}, // L& CYRILLIC CAPITAL LETTER DOUBLE MONOCULAR O + {0xA66D, 0xA66D, prLower}, // L& CYRILLIC SMALL LETTER DOUBLE MONOCULAR O + {0xA66E, 0xA66E, prOLetter}, // Lo CYRILLIC LETTER MULTIOCULAR O + {0xA66F, 0xA66F, prExtend}, // Mn COMBINING CYRILLIC VZMET + {0xA670, 0xA672, prExtend}, // Me [3] COMBINING CYRILLIC TEN MILLIONS SIGN..COMBINING CYRILLIC THOUSAND MILLIONS SIGN + {0xA674, 0xA67D, prExtend}, // Mn [10] COMBINING CYRILLIC LETTER UKRAINIAN IE..COMBINING CYRILLIC PAYEROK + {0xA67F, 0xA67F, prOLetter}, // Lm CYRILLIC PAYEROK + {0xA680, 0xA680, prUpper}, // L& CYRILLIC CAPITAL LETTER DWE + {0xA681, 0xA681, prLower}, // L& CYRILLIC SMALL LETTER DWE + {0xA682, 0xA682, prUpper}, // L& CYRILLIC CAPITAL LETTER DZWE + {0xA683, 0xA683, prLower}, // L& CYRILLIC SMALL LETTER DZWE + {0xA684, 0xA684, prUpper}, // L& CYRILLIC CAPITAL LETTER ZHWE + {0xA685, 0xA685, prLower}, // L& CYRILLIC SMALL LETTER ZHWE + {0xA686, 0xA686, prUpper}, // L& CYRILLIC CAPITAL LETTER CCHE + {0xA687, 0xA687, prLower}, // L& CYRILLIC SMALL LETTER CCHE + {0xA688, 0xA688, prUpper}, // L& CYRILLIC CAPITAL LETTER DZZE + {0xA689, 0xA689, prLower}, // L& CYRILLIC SMALL LETTER DZZE + {0xA68A, 0xA68A, prUpper}, // L& CYRILLIC CAPITAL LETTER TE WITH MIDDLE HOOK + {0xA68B, 0xA68B, prLower}, // L& CYRILLIC SMALL LETTER TE WITH MIDDLE HOOK + {0xA68C, 0xA68C, prUpper}, // L& CYRILLIC CAPITAL LETTER TWE + {0xA68D, 0xA68D, prLower}, // L& CYRILLIC SMALL LETTER TWE + {0xA68E, 0xA68E, prUpper}, // L& CYRILLIC CAPITAL LETTER TSWE + {0xA68F, 0xA68F, prLower}, // L& CYRILLIC SMALL LETTER TSWE + {0xA690, 0xA690, prUpper}, // L& CYRILLIC CAPITAL LETTER TSSE + {0xA691, 0xA691, prLower}, // L& CYRILLIC SMALL LETTER TSSE + {0xA692, 0xA692, prUpper}, // L& CYRILLIC CAPITAL LETTER TCHE + {0xA693, 0xA693, prLower}, // L& CYRILLIC SMALL LETTER TCHE + {0xA694, 0xA694, prUpper}, // L& CYRILLIC CAPITAL LETTER HWE + {0xA695, 0xA695, prLower}, // L& CYRILLIC SMALL LETTER HWE + {0xA696, 0xA696, prUpper}, // L& CYRILLIC CAPITAL LETTER SHWE + {0xA697, 0xA697, prLower}, // L& CYRILLIC SMALL LETTER SHWE + {0xA698, 0xA698, prUpper}, // L& CYRILLIC CAPITAL LETTER DOUBLE O + {0xA699, 0xA699, prLower}, // L& CYRILLIC SMALL LETTER DOUBLE O + {0xA69A, 0xA69A, prUpper}, // L& CYRILLIC CAPITAL LETTER CROSSED O + {0xA69B, 0xA69B, prLower}, // L& CYRILLIC SMALL LETTER CROSSED O + {0xA69C, 0xA69D, prLower}, // Lm [2] MODIFIER LETTER CYRILLIC HARD SIGN..MODIFIER LETTER CYRILLIC SOFT SIGN + {0xA69E, 0xA69F, prExtend}, // Mn [2] COMBINING CYRILLIC LETTER EF..COMBINING CYRILLIC LETTER IOTIFIED E + {0xA6A0, 0xA6E5, prOLetter}, // Lo [70] BAMUM LETTER A..BAMUM LETTER KI + {0xA6E6, 0xA6EF, prOLetter}, // Nl [10] BAMUM LETTER MO..BAMUM LETTER KOGHOM + {0xA6F0, 0xA6F1, prExtend}, // Mn [2] BAMUM COMBINING MARK KOQNDON..BAMUM COMBINING MARK TUKWENTIS + {0xA6F3, 0xA6F3, prSTerm}, // Po BAMUM FULL STOP + {0xA6F7, 0xA6F7, prSTerm}, // Po BAMUM QUESTION MARK + {0xA717, 0xA71F, prOLetter}, // Lm [9] MODIFIER LETTER DOT VERTICAL BAR..MODIFIER LETTER LOW INVERTED EXCLAMATION MARK + {0xA722, 0xA722, prUpper}, // L& LATIN CAPITAL LETTER EGYPTOLOGICAL ALEF + {0xA723, 0xA723, prLower}, // L& LATIN SMALL LETTER EGYPTOLOGICAL ALEF + {0xA724, 0xA724, prUpper}, // L& LATIN CAPITAL LETTER EGYPTOLOGICAL AIN + {0xA725, 0xA725, prLower}, // L& LATIN SMALL LETTER EGYPTOLOGICAL AIN + {0xA726, 0xA726, prUpper}, // L& LATIN CAPITAL LETTER HENG + {0xA727, 0xA727, prLower}, // L& LATIN SMALL LETTER HENG + {0xA728, 0xA728, prUpper}, // L& LATIN CAPITAL LETTER TZ + {0xA729, 0xA729, prLower}, // L& LATIN SMALL LETTER TZ + {0xA72A, 0xA72A, prUpper}, // L& LATIN CAPITAL LETTER TRESILLO + {0xA72B, 0xA72B, prLower}, // L& LATIN SMALL LETTER TRESILLO + {0xA72C, 0xA72C, prUpper}, // L& LATIN CAPITAL LETTER CUATRILLO + {0xA72D, 0xA72D, prLower}, // L& LATIN SMALL LETTER CUATRILLO + {0xA72E, 0xA72E, prUpper}, // L& LATIN CAPITAL LETTER CUATRILLO WITH COMMA + {0xA72F, 0xA731, prLower}, // L& [3] LATIN SMALL LETTER CUATRILLO WITH COMMA..LATIN LETTER SMALL CAPITAL S + {0xA732, 0xA732, prUpper}, // L& LATIN CAPITAL LETTER AA + {0xA733, 0xA733, prLower}, // L& LATIN SMALL LETTER AA + {0xA734, 0xA734, prUpper}, // L& LATIN CAPITAL LETTER AO + {0xA735, 0xA735, prLower}, // L& LATIN SMALL LETTER AO + {0xA736, 0xA736, prUpper}, // L& LATIN CAPITAL LETTER AU + {0xA737, 0xA737, prLower}, // L& LATIN SMALL LETTER AU + {0xA738, 0xA738, prUpper}, // L& LATIN CAPITAL LETTER AV + {0xA739, 0xA739, prLower}, // L& LATIN SMALL LETTER AV + {0xA73A, 0xA73A, prUpper}, // L& LATIN CAPITAL LETTER AV WITH HORIZONTAL BAR + {0xA73B, 0xA73B, prLower}, // L& LATIN SMALL LETTER AV WITH HORIZONTAL BAR + {0xA73C, 0xA73C, prUpper}, // L& LATIN CAPITAL LETTER AY + {0xA73D, 0xA73D, prLower}, // L& LATIN SMALL LETTER AY + {0xA73E, 0xA73E, prUpper}, // L& LATIN CAPITAL LETTER REVERSED C WITH DOT + {0xA73F, 0xA73F, prLower}, // L& LATIN SMALL LETTER REVERSED C WITH DOT + {0xA740, 0xA740, prUpper}, // L& LATIN CAPITAL LETTER K WITH STROKE + {0xA741, 0xA741, prLower}, // L& LATIN SMALL LETTER K WITH STROKE + {0xA742, 0xA742, prUpper}, // L& LATIN CAPITAL LETTER K WITH DIAGONAL STROKE + {0xA743, 0xA743, prLower}, // L& LATIN SMALL LETTER K WITH DIAGONAL STROKE + {0xA744, 0xA744, prUpper}, // L& LATIN CAPITAL LETTER K WITH STROKE AND DIAGONAL STROKE + {0xA745, 0xA745, prLower}, // L& LATIN SMALL LETTER K WITH STROKE AND DIAGONAL STROKE + {0xA746, 0xA746, prUpper}, // L& LATIN CAPITAL LETTER BROKEN L + {0xA747, 0xA747, prLower}, // L& LATIN SMALL LETTER BROKEN L + {0xA748, 0xA748, prUpper}, // L& LATIN CAPITAL LETTER L WITH HIGH STROKE + {0xA749, 0xA749, prLower}, // L& LATIN SMALL LETTER L WITH HIGH STROKE + {0xA74A, 0xA74A, prUpper}, // L& LATIN CAPITAL LETTER O WITH LONG STROKE OVERLAY + {0xA74B, 0xA74B, prLower}, // L& LATIN SMALL LETTER O WITH LONG STROKE OVERLAY + {0xA74C, 0xA74C, prUpper}, // L& LATIN CAPITAL LETTER O WITH LOOP + {0xA74D, 0xA74D, prLower}, // L& LATIN SMALL LETTER O WITH LOOP + {0xA74E, 0xA74E, prUpper}, // L& LATIN CAPITAL LETTER OO + {0xA74F, 0xA74F, prLower}, // L& LATIN SMALL LETTER OO + {0xA750, 0xA750, prUpper}, // L& LATIN CAPITAL LETTER P WITH STROKE THROUGH DESCENDER + {0xA751, 0xA751, prLower}, // L& LATIN SMALL LETTER P WITH STROKE THROUGH DESCENDER + {0xA752, 0xA752, prUpper}, // L& LATIN CAPITAL LETTER P WITH FLOURISH + {0xA753, 0xA753, prLower}, // L& LATIN SMALL LETTER P WITH FLOURISH + {0xA754, 0xA754, prUpper}, // L& LATIN CAPITAL LETTER P WITH SQUIRREL TAIL + {0xA755, 0xA755, prLower}, // L& LATIN SMALL LETTER P WITH SQUIRREL TAIL + {0xA756, 0xA756, prUpper}, // L& LATIN CAPITAL LETTER Q WITH STROKE THROUGH DESCENDER + {0xA757, 0xA757, prLower}, // L& LATIN SMALL LETTER Q WITH STROKE THROUGH DESCENDER + {0xA758, 0xA758, prUpper}, // L& LATIN CAPITAL LETTER Q WITH DIAGONAL STROKE + {0xA759, 0xA759, prLower}, // L& LATIN SMALL LETTER Q WITH DIAGONAL STROKE + {0xA75A, 0xA75A, prUpper}, // L& LATIN CAPITAL LETTER R ROTUNDA + {0xA75B, 0xA75B, prLower}, // L& LATIN SMALL LETTER R ROTUNDA + {0xA75C, 0xA75C, prUpper}, // L& LATIN CAPITAL LETTER RUM ROTUNDA + {0xA75D, 0xA75D, prLower}, // L& LATIN SMALL LETTER RUM ROTUNDA + {0xA75E, 0xA75E, prUpper}, // L& LATIN CAPITAL LETTER V WITH DIAGONAL STROKE + {0xA75F, 0xA75F, prLower}, // L& LATIN SMALL LETTER V WITH DIAGONAL STROKE + {0xA760, 0xA760, prUpper}, // L& LATIN CAPITAL LETTER VY + {0xA761, 0xA761, prLower}, // L& LATIN SMALL LETTER VY + {0xA762, 0xA762, prUpper}, // L& LATIN CAPITAL LETTER VISIGOTHIC Z + {0xA763, 0xA763, prLower}, // L& LATIN SMALL LETTER VISIGOTHIC Z + {0xA764, 0xA764, prUpper}, // L& LATIN CAPITAL LETTER THORN WITH STROKE + {0xA765, 0xA765, prLower}, // L& LATIN SMALL LETTER THORN WITH STROKE + {0xA766, 0xA766, prUpper}, // L& LATIN CAPITAL LETTER THORN WITH STROKE THROUGH DESCENDER + {0xA767, 0xA767, prLower}, // L& LATIN SMALL LETTER THORN WITH STROKE THROUGH DESCENDER + {0xA768, 0xA768, prUpper}, // L& LATIN CAPITAL LETTER VEND + {0xA769, 0xA769, prLower}, // L& LATIN SMALL LETTER VEND + {0xA76A, 0xA76A, prUpper}, // L& LATIN CAPITAL LETTER ET + {0xA76B, 0xA76B, prLower}, // L& LATIN SMALL LETTER ET + {0xA76C, 0xA76C, prUpper}, // L& LATIN CAPITAL LETTER IS + {0xA76D, 0xA76D, prLower}, // L& LATIN SMALL LETTER IS + {0xA76E, 0xA76E, prUpper}, // L& LATIN CAPITAL LETTER CON + {0xA76F, 0xA76F, prLower}, // L& LATIN SMALL LETTER CON + {0xA770, 0xA770, prLower}, // Lm MODIFIER LETTER US + {0xA771, 0xA778, prLower}, // L& [8] LATIN SMALL LETTER DUM..LATIN SMALL LETTER UM + {0xA779, 0xA779, prUpper}, // L& LATIN CAPITAL LETTER INSULAR D + {0xA77A, 0xA77A, prLower}, // L& LATIN SMALL LETTER INSULAR D + {0xA77B, 0xA77B, prUpper}, // L& LATIN CAPITAL LETTER INSULAR F + {0xA77C, 0xA77C, prLower}, // L& LATIN SMALL LETTER INSULAR F + {0xA77D, 0xA77E, prUpper}, // L& [2] LATIN CAPITAL LETTER INSULAR G..LATIN CAPITAL LETTER TURNED INSULAR G + {0xA77F, 0xA77F, prLower}, // L& LATIN SMALL LETTER TURNED INSULAR G + {0xA780, 0xA780, prUpper}, // L& LATIN CAPITAL LETTER TURNED L + {0xA781, 0xA781, prLower}, // L& LATIN SMALL LETTER TURNED L + {0xA782, 0xA782, prUpper}, // L& LATIN CAPITAL LETTER INSULAR R + {0xA783, 0xA783, prLower}, // L& LATIN SMALL LETTER INSULAR R + {0xA784, 0xA784, prUpper}, // L& LATIN CAPITAL LETTER INSULAR S + {0xA785, 0xA785, prLower}, // L& LATIN SMALL LETTER INSULAR S + {0xA786, 0xA786, prUpper}, // L& LATIN CAPITAL LETTER INSULAR T + {0xA787, 0xA787, prLower}, // L& LATIN SMALL LETTER INSULAR T + {0xA788, 0xA788, prOLetter}, // Lm MODIFIER LETTER LOW CIRCUMFLEX ACCENT + {0xA78B, 0xA78B, prUpper}, // L& LATIN CAPITAL LETTER SALTILLO + {0xA78C, 0xA78C, prLower}, // L& LATIN SMALL LETTER SALTILLO + {0xA78D, 0xA78D, prUpper}, // L& LATIN CAPITAL LETTER TURNED H + {0xA78E, 0xA78E, prLower}, // L& LATIN SMALL LETTER L WITH RETROFLEX HOOK AND BELT + {0xA78F, 0xA78F, prOLetter}, // Lo LATIN LETTER SINOLOGICAL DOT + {0xA790, 0xA790, prUpper}, // L& LATIN CAPITAL LETTER N WITH DESCENDER + {0xA791, 0xA791, prLower}, // L& LATIN SMALL LETTER N WITH DESCENDER + {0xA792, 0xA792, prUpper}, // L& LATIN CAPITAL LETTER C WITH BAR + {0xA793, 0xA795, prLower}, // L& [3] LATIN SMALL LETTER C WITH BAR..LATIN SMALL LETTER H WITH PALATAL HOOK + {0xA796, 0xA796, prUpper}, // L& LATIN CAPITAL LETTER B WITH FLOURISH + {0xA797, 0xA797, prLower}, // L& LATIN SMALL LETTER B WITH FLOURISH + {0xA798, 0xA798, prUpper}, // L& LATIN CAPITAL LETTER F WITH STROKE + {0xA799, 0xA799, prLower}, // L& LATIN SMALL LETTER F WITH STROKE + {0xA79A, 0xA79A, prUpper}, // L& LATIN CAPITAL LETTER VOLAPUK AE + {0xA79B, 0xA79B, prLower}, // L& LATIN SMALL LETTER VOLAPUK AE + {0xA79C, 0xA79C, prUpper}, // L& LATIN CAPITAL LETTER VOLAPUK OE + {0xA79D, 0xA79D, prLower}, // L& LATIN SMALL LETTER VOLAPUK OE + {0xA79E, 0xA79E, prUpper}, // L& LATIN CAPITAL LETTER VOLAPUK UE + {0xA79F, 0xA79F, prLower}, // L& LATIN SMALL LETTER VOLAPUK UE + {0xA7A0, 0xA7A0, prUpper}, // L& LATIN CAPITAL LETTER G WITH OBLIQUE STROKE + {0xA7A1, 0xA7A1, prLower}, // L& LATIN SMALL LETTER G WITH OBLIQUE STROKE + {0xA7A2, 0xA7A2, prUpper}, // L& LATIN CAPITAL LETTER K WITH OBLIQUE STROKE + {0xA7A3, 0xA7A3, prLower}, // L& LATIN SMALL LETTER K WITH OBLIQUE STROKE + {0xA7A4, 0xA7A4, prUpper}, // L& LATIN CAPITAL LETTER N WITH OBLIQUE STROKE + {0xA7A5, 0xA7A5, prLower}, // L& LATIN SMALL LETTER N WITH OBLIQUE STROKE + {0xA7A6, 0xA7A6, prUpper}, // L& LATIN CAPITAL LETTER R WITH OBLIQUE STROKE + {0xA7A7, 0xA7A7, prLower}, // L& LATIN SMALL LETTER R WITH OBLIQUE STROKE + {0xA7A8, 0xA7A8, prUpper}, // L& LATIN CAPITAL LETTER S WITH OBLIQUE STROKE + {0xA7A9, 0xA7A9, prLower}, // L& LATIN SMALL LETTER S WITH OBLIQUE STROKE + {0xA7AA, 0xA7AE, prUpper}, // L& [5] LATIN CAPITAL LETTER H WITH HOOK..LATIN CAPITAL LETTER SMALL CAPITAL I + {0xA7AF, 0xA7AF, prLower}, // L& LATIN LETTER SMALL CAPITAL Q + {0xA7B0, 0xA7B4, prUpper}, // L& [5] LATIN CAPITAL LETTER TURNED K..LATIN CAPITAL LETTER BETA + {0xA7B5, 0xA7B5, prLower}, // L& LATIN SMALL LETTER BETA + {0xA7B6, 0xA7B6, prUpper}, // L& LATIN CAPITAL LETTER OMEGA + {0xA7B7, 0xA7B7, prLower}, // L& LATIN SMALL LETTER OMEGA + {0xA7B8, 0xA7B8, prUpper}, // L& LATIN CAPITAL LETTER U WITH STROKE + {0xA7B9, 0xA7B9, prLower}, // L& LATIN SMALL LETTER U WITH STROKE + {0xA7BA, 0xA7BA, prUpper}, // L& LATIN CAPITAL LETTER GLOTTAL A + {0xA7BB, 0xA7BB, prLower}, // L& LATIN SMALL LETTER GLOTTAL A + {0xA7BC, 0xA7BC, prUpper}, // L& LATIN CAPITAL LETTER GLOTTAL I + {0xA7BD, 0xA7BD, prLower}, // L& LATIN SMALL LETTER GLOTTAL I + {0xA7BE, 0xA7BE, prUpper}, // L& LATIN CAPITAL LETTER GLOTTAL U + {0xA7BF, 0xA7BF, prLower}, // L& LATIN SMALL LETTER GLOTTAL U + {0xA7C0, 0xA7C0, prUpper}, // L& LATIN CAPITAL LETTER OLD POLISH O + {0xA7C1, 0xA7C1, prLower}, // L& LATIN SMALL LETTER OLD POLISH O + {0xA7C2, 0xA7C2, prUpper}, // L& LATIN CAPITAL LETTER ANGLICANA W + {0xA7C3, 0xA7C3, prLower}, // L& LATIN SMALL LETTER ANGLICANA W + {0xA7C4, 0xA7C7, prUpper}, // L& [4] LATIN CAPITAL LETTER C WITH PALATAL HOOK..LATIN CAPITAL LETTER D WITH SHORT STROKE OVERLAY + {0xA7C8, 0xA7C8, prLower}, // L& LATIN SMALL LETTER D WITH SHORT STROKE OVERLAY + {0xA7C9, 0xA7C9, prUpper}, // L& LATIN CAPITAL LETTER S WITH SHORT STROKE OVERLAY + {0xA7CA, 0xA7CA, prLower}, // L& LATIN SMALL LETTER S WITH SHORT STROKE OVERLAY + {0xA7D0, 0xA7D0, prUpper}, // L& LATIN CAPITAL LETTER CLOSED INSULAR G + {0xA7D1, 0xA7D1, prLower}, // L& LATIN SMALL LETTER CLOSED INSULAR G + {0xA7D3, 0xA7D3, prLower}, // L& LATIN SMALL LETTER DOUBLE THORN + {0xA7D5, 0xA7D5, prLower}, // L& LATIN SMALL LETTER DOUBLE WYNN + {0xA7D6, 0xA7D6, prUpper}, // L& LATIN CAPITAL LETTER MIDDLE SCOTS S + {0xA7D7, 0xA7D7, prLower}, // L& LATIN SMALL LETTER MIDDLE SCOTS S + {0xA7D8, 0xA7D8, prUpper}, // L& LATIN CAPITAL LETTER SIGMOID S + {0xA7D9, 0xA7D9, prLower}, // L& LATIN SMALL LETTER SIGMOID S + {0xA7F2, 0xA7F4, prLower}, // Lm [3] MODIFIER LETTER CAPITAL C..MODIFIER LETTER CAPITAL Q + {0xA7F5, 0xA7F5, prUpper}, // L& LATIN CAPITAL LETTER REVERSED HALF H + {0xA7F6, 0xA7F6, prLower}, // L& LATIN SMALL LETTER REVERSED HALF H + {0xA7F7, 0xA7F7, prOLetter}, // Lo LATIN EPIGRAPHIC LETTER SIDEWAYS I + {0xA7F8, 0xA7F9, prLower}, // Lm [2] MODIFIER LETTER CAPITAL H WITH STROKE..MODIFIER LETTER SMALL LIGATURE OE + {0xA7FA, 0xA7FA, prLower}, // L& LATIN LETTER SMALL CAPITAL TURNED M + {0xA7FB, 0xA801, prOLetter}, // Lo [7] LATIN EPIGRAPHIC LETTER REVERSED F..SYLOTI NAGRI LETTER I + {0xA802, 0xA802, prExtend}, // Mn SYLOTI NAGRI SIGN DVISVARA + {0xA803, 0xA805, prOLetter}, // Lo [3] SYLOTI NAGRI LETTER U..SYLOTI NAGRI LETTER O + {0xA806, 0xA806, prExtend}, // Mn SYLOTI NAGRI SIGN HASANTA + {0xA807, 0xA80A, prOLetter}, // Lo [4] SYLOTI NAGRI LETTER KO..SYLOTI NAGRI LETTER GHO + {0xA80B, 0xA80B, prExtend}, // Mn SYLOTI NAGRI SIGN ANUSVARA + {0xA80C, 0xA822, prOLetter}, // Lo [23] SYLOTI NAGRI LETTER CO..SYLOTI NAGRI LETTER HO + {0xA823, 0xA824, prExtend}, // Mc [2] SYLOTI NAGRI VOWEL SIGN A..SYLOTI NAGRI VOWEL SIGN I + {0xA825, 0xA826, prExtend}, // Mn [2] SYLOTI NAGRI VOWEL SIGN U..SYLOTI NAGRI VOWEL SIGN E + {0xA827, 0xA827, prExtend}, // Mc SYLOTI NAGRI VOWEL SIGN OO + {0xA82C, 0xA82C, prExtend}, // Mn SYLOTI NAGRI SIGN ALTERNATE HASANTA + {0xA840, 0xA873, prOLetter}, // Lo [52] PHAGS-PA LETTER KA..PHAGS-PA LETTER CANDRABINDU + {0xA876, 0xA877, prSTerm}, // Po [2] PHAGS-PA MARK SHAD..PHAGS-PA MARK DOUBLE SHAD + {0xA880, 0xA881, prExtend}, // Mc [2] SAURASHTRA SIGN ANUSVARA..SAURASHTRA SIGN VISARGA + {0xA882, 0xA8B3, prOLetter}, // Lo [50] SAURASHTRA LETTER A..SAURASHTRA LETTER LLA + {0xA8B4, 0xA8C3, prExtend}, // Mc [16] SAURASHTRA CONSONANT SIGN HAARU..SAURASHTRA VOWEL SIGN AU + {0xA8C4, 0xA8C5, prExtend}, // Mn [2] SAURASHTRA SIGN VIRAMA..SAURASHTRA SIGN CANDRABINDU + {0xA8CE, 0xA8CF, prSTerm}, // Po [2] SAURASHTRA DANDA..SAURASHTRA DOUBLE DANDA + {0xA8D0, 0xA8D9, prNumeric}, // Nd [10] SAURASHTRA DIGIT ZERO..SAURASHTRA DIGIT NINE + {0xA8E0, 0xA8F1, prExtend}, // Mn [18] COMBINING DEVANAGARI DIGIT ZERO..COMBINING DEVANAGARI SIGN AVAGRAHA + {0xA8F2, 0xA8F7, prOLetter}, // Lo [6] DEVANAGARI SIGN SPACING CANDRABINDU..DEVANAGARI SIGN CANDRABINDU AVAGRAHA + {0xA8FB, 0xA8FB, prOLetter}, // Lo DEVANAGARI HEADSTROKE + {0xA8FD, 0xA8FE, prOLetter}, // Lo [2] DEVANAGARI JAIN OM..DEVANAGARI LETTER AY + {0xA8FF, 0xA8FF, prExtend}, // Mn DEVANAGARI VOWEL SIGN AY + {0xA900, 0xA909, prNumeric}, // Nd [10] KAYAH LI DIGIT ZERO..KAYAH LI DIGIT NINE + {0xA90A, 0xA925, prOLetter}, // Lo [28] KAYAH LI LETTER KA..KAYAH LI LETTER OO + {0xA926, 0xA92D, prExtend}, // Mn [8] KAYAH LI VOWEL UE..KAYAH LI TONE CALYA PLOPHU + {0xA92F, 0xA92F, prSTerm}, // Po KAYAH LI SIGN SHYA + {0xA930, 0xA946, prOLetter}, // Lo [23] REJANG LETTER KA..REJANG LETTER A + {0xA947, 0xA951, prExtend}, // Mn [11] REJANG VOWEL SIGN I..REJANG CONSONANT SIGN R + {0xA952, 0xA953, prExtend}, // Mc [2] REJANG CONSONANT SIGN H..REJANG VIRAMA + {0xA960, 0xA97C, prOLetter}, // Lo [29] HANGUL CHOSEONG TIKEUT-MIEUM..HANGUL CHOSEONG SSANGYEORINHIEUH + {0xA980, 0xA982, prExtend}, // Mn [3] JAVANESE SIGN PANYANGGA..JAVANESE SIGN LAYAR + {0xA983, 0xA983, prExtend}, // Mc JAVANESE SIGN WIGNYAN + {0xA984, 0xA9B2, prOLetter}, // Lo [47] JAVANESE LETTER A..JAVANESE LETTER HA + {0xA9B3, 0xA9B3, prExtend}, // Mn JAVANESE SIGN CECAK TELU + {0xA9B4, 0xA9B5, prExtend}, // Mc [2] JAVANESE VOWEL SIGN TARUNG..JAVANESE VOWEL SIGN TOLONG + {0xA9B6, 0xA9B9, prExtend}, // Mn [4] JAVANESE VOWEL SIGN WULU..JAVANESE VOWEL SIGN SUKU MENDUT + {0xA9BA, 0xA9BB, prExtend}, // Mc [2] JAVANESE VOWEL SIGN TALING..JAVANESE VOWEL SIGN DIRGA MURE + {0xA9BC, 0xA9BD, prExtend}, // Mn [2] JAVANESE VOWEL SIGN PEPET..JAVANESE CONSONANT SIGN KERET + {0xA9BE, 0xA9C0, prExtend}, // Mc [3] JAVANESE CONSONANT SIGN PENGKAL..JAVANESE PANGKON + {0xA9C8, 0xA9C9, prSTerm}, // Po [2] JAVANESE PADA LINGSA..JAVANESE PADA LUNGSI + {0xA9CF, 0xA9CF, prOLetter}, // Lm JAVANESE PANGRANGKEP + {0xA9D0, 0xA9D9, prNumeric}, // Nd [10] JAVANESE DIGIT ZERO..JAVANESE DIGIT NINE + {0xA9E0, 0xA9E4, prOLetter}, // Lo [5] MYANMAR LETTER SHAN GHA..MYANMAR LETTER SHAN BHA + {0xA9E5, 0xA9E5, prExtend}, // Mn MYANMAR SIGN SHAN SAW + {0xA9E6, 0xA9E6, prOLetter}, // Lm MYANMAR MODIFIER LETTER SHAN REDUPLICATION + {0xA9E7, 0xA9EF, prOLetter}, // Lo [9] MYANMAR LETTER TAI LAING NYA..MYANMAR LETTER TAI LAING NNA + {0xA9F0, 0xA9F9, prNumeric}, // Nd [10] MYANMAR TAI LAING DIGIT ZERO..MYANMAR TAI LAING DIGIT NINE + {0xA9FA, 0xA9FE, prOLetter}, // Lo [5] MYANMAR LETTER TAI LAING LLA..MYANMAR LETTER TAI LAING BHA + {0xAA00, 0xAA28, prOLetter}, // Lo [41] CHAM LETTER A..CHAM LETTER HA + {0xAA29, 0xAA2E, prExtend}, // Mn [6] CHAM VOWEL SIGN AA..CHAM VOWEL SIGN OE + {0xAA2F, 0xAA30, prExtend}, // Mc [2] CHAM VOWEL SIGN O..CHAM VOWEL SIGN AI + {0xAA31, 0xAA32, prExtend}, // Mn [2] CHAM VOWEL SIGN AU..CHAM VOWEL SIGN UE + {0xAA33, 0xAA34, prExtend}, // Mc [2] CHAM CONSONANT SIGN YA..CHAM CONSONANT SIGN RA + {0xAA35, 0xAA36, prExtend}, // Mn [2] CHAM CONSONANT SIGN LA..CHAM CONSONANT SIGN WA + {0xAA40, 0xAA42, prOLetter}, // Lo [3] CHAM LETTER FINAL K..CHAM LETTER FINAL NG + {0xAA43, 0xAA43, prExtend}, // Mn CHAM CONSONANT SIGN FINAL NG + {0xAA44, 0xAA4B, prOLetter}, // Lo [8] CHAM LETTER FINAL CH..CHAM LETTER FINAL SS + {0xAA4C, 0xAA4C, prExtend}, // Mn CHAM CONSONANT SIGN FINAL M + {0xAA4D, 0xAA4D, prExtend}, // Mc CHAM CONSONANT SIGN FINAL H + {0xAA50, 0xAA59, prNumeric}, // Nd [10] CHAM DIGIT ZERO..CHAM DIGIT NINE + {0xAA5D, 0xAA5F, prSTerm}, // Po [3] CHAM PUNCTUATION DANDA..CHAM PUNCTUATION TRIPLE DANDA + {0xAA60, 0xAA6F, prOLetter}, // Lo [16] MYANMAR LETTER KHAMTI GA..MYANMAR LETTER KHAMTI FA + {0xAA70, 0xAA70, prOLetter}, // Lm MYANMAR MODIFIER LETTER KHAMTI REDUPLICATION + {0xAA71, 0xAA76, prOLetter}, // Lo [6] MYANMAR LETTER KHAMTI XA..MYANMAR LOGOGRAM KHAMTI HM + {0xAA7A, 0xAA7A, prOLetter}, // Lo MYANMAR LETTER AITON RA + {0xAA7B, 0xAA7B, prExtend}, // Mc MYANMAR SIGN PAO KAREN TONE + {0xAA7C, 0xAA7C, prExtend}, // Mn MYANMAR SIGN TAI LAING TONE-2 + {0xAA7D, 0xAA7D, prExtend}, // Mc MYANMAR SIGN TAI LAING TONE-5 + {0xAA7E, 0xAAAF, prOLetter}, // Lo [50] MYANMAR LETTER SHWE PALAUNG CHA..TAI VIET LETTER HIGH O + {0xAAB0, 0xAAB0, prExtend}, // Mn TAI VIET MAI KANG + {0xAAB1, 0xAAB1, prOLetter}, // Lo TAI VIET VOWEL AA + {0xAAB2, 0xAAB4, prExtend}, // Mn [3] TAI VIET VOWEL I..TAI VIET VOWEL U + {0xAAB5, 0xAAB6, prOLetter}, // Lo [2] TAI VIET VOWEL E..TAI VIET VOWEL O + {0xAAB7, 0xAAB8, prExtend}, // Mn [2] TAI VIET MAI KHIT..TAI VIET VOWEL IA + {0xAAB9, 0xAABD, prOLetter}, // Lo [5] TAI VIET VOWEL UEA..TAI VIET VOWEL AN + {0xAABE, 0xAABF, prExtend}, // Mn [2] TAI VIET VOWEL AM..TAI VIET TONE MAI EK + {0xAAC0, 0xAAC0, prOLetter}, // Lo TAI VIET TONE MAI NUENG + {0xAAC1, 0xAAC1, prExtend}, // Mn TAI VIET TONE MAI THO + {0xAAC2, 0xAAC2, prOLetter}, // Lo TAI VIET TONE MAI SONG + {0xAADB, 0xAADC, prOLetter}, // Lo [2] TAI VIET SYMBOL KON..TAI VIET SYMBOL NUENG + {0xAADD, 0xAADD, prOLetter}, // Lm TAI VIET SYMBOL SAM + {0xAAE0, 0xAAEA, prOLetter}, // Lo [11] MEETEI MAYEK LETTER E..MEETEI MAYEK LETTER SSA + {0xAAEB, 0xAAEB, prExtend}, // Mc MEETEI MAYEK VOWEL SIGN II + {0xAAEC, 0xAAED, prExtend}, // Mn [2] MEETEI MAYEK VOWEL SIGN UU..MEETEI MAYEK VOWEL SIGN AAI + {0xAAEE, 0xAAEF, prExtend}, // Mc [2] MEETEI MAYEK VOWEL SIGN AU..MEETEI MAYEK VOWEL SIGN AAU + {0xAAF0, 0xAAF1, prSTerm}, // Po [2] MEETEI MAYEK CHEIKHAN..MEETEI MAYEK AHANG KHUDAM + {0xAAF2, 0xAAF2, prOLetter}, // Lo MEETEI MAYEK ANJI + {0xAAF3, 0xAAF4, prOLetter}, // Lm [2] MEETEI MAYEK SYLLABLE REPETITION MARK..MEETEI MAYEK WORD REPETITION MARK + {0xAAF5, 0xAAF5, prExtend}, // Mc MEETEI MAYEK VOWEL SIGN VISARGA + {0xAAF6, 0xAAF6, prExtend}, // Mn MEETEI MAYEK VIRAMA + {0xAB01, 0xAB06, prOLetter}, // Lo [6] ETHIOPIC SYLLABLE TTHU..ETHIOPIC SYLLABLE TTHO + {0xAB09, 0xAB0E, prOLetter}, // Lo [6] ETHIOPIC SYLLABLE DDHU..ETHIOPIC SYLLABLE DDHO + {0xAB11, 0xAB16, prOLetter}, // Lo [6] ETHIOPIC SYLLABLE DZU..ETHIOPIC SYLLABLE DZO + {0xAB20, 0xAB26, prOLetter}, // Lo [7] ETHIOPIC SYLLABLE CCHHA..ETHIOPIC SYLLABLE CCHHO + {0xAB28, 0xAB2E, prOLetter}, // Lo [7] ETHIOPIC SYLLABLE BBA..ETHIOPIC SYLLABLE BBO + {0xAB30, 0xAB5A, prLower}, // L& [43] LATIN SMALL LETTER BARRED ALPHA..LATIN SMALL LETTER Y WITH SHORT RIGHT LEG + {0xAB5C, 0xAB5F, prLower}, // Lm [4] MODIFIER LETTER SMALL HENG..MODIFIER LETTER SMALL U WITH LEFT HOOK + {0xAB60, 0xAB68, prLower}, // L& [9] LATIN SMALL LETTER SAKHA YAT..LATIN SMALL LETTER TURNED R WITH MIDDLE TILDE + {0xAB69, 0xAB69, prLower}, // Lm MODIFIER LETTER SMALL TURNED W + {0xAB70, 0xABBF, prLower}, // L& [80] CHEROKEE SMALL LETTER A..CHEROKEE SMALL LETTER YA + {0xABC0, 0xABE2, prOLetter}, // Lo [35] MEETEI MAYEK LETTER KOK..MEETEI MAYEK LETTER I LONSUM + {0xABE3, 0xABE4, prExtend}, // Mc [2] MEETEI MAYEK VOWEL SIGN ONAP..MEETEI MAYEK VOWEL SIGN INAP + {0xABE5, 0xABE5, prExtend}, // Mn MEETEI MAYEK VOWEL SIGN ANAP + {0xABE6, 0xABE7, prExtend}, // Mc [2] MEETEI MAYEK VOWEL SIGN YENAP..MEETEI MAYEK VOWEL SIGN SOUNAP + {0xABE8, 0xABE8, prExtend}, // Mn MEETEI MAYEK VOWEL SIGN UNAP + {0xABE9, 0xABEA, prExtend}, // Mc [2] MEETEI MAYEK VOWEL SIGN CHEINAP..MEETEI MAYEK VOWEL SIGN NUNG + {0xABEB, 0xABEB, prSTerm}, // Po MEETEI MAYEK CHEIKHEI + {0xABEC, 0xABEC, prExtend}, // Mc MEETEI MAYEK LUM IYEK + {0xABED, 0xABED, prExtend}, // Mn MEETEI MAYEK APUN IYEK + {0xABF0, 0xABF9, prNumeric}, // Nd [10] MEETEI MAYEK DIGIT ZERO..MEETEI MAYEK DIGIT NINE + {0xAC00, 0xD7A3, prOLetter}, // Lo [11172] HANGUL SYLLABLE GA..HANGUL SYLLABLE HIH + {0xD7B0, 0xD7C6, prOLetter}, // Lo [23] HANGUL JUNGSEONG O-YEO..HANGUL JUNGSEONG ARAEA-E + {0xD7CB, 0xD7FB, prOLetter}, // Lo [49] HANGUL JONGSEONG NIEUN-RIEUL..HANGUL JONGSEONG PHIEUPH-THIEUTH + {0xF900, 0xFA6D, prOLetter}, // Lo [366] CJK COMPATIBILITY IDEOGRAPH-F900..CJK COMPATIBILITY IDEOGRAPH-FA6D + {0xFA70, 0xFAD9, prOLetter}, // Lo [106] CJK COMPATIBILITY IDEOGRAPH-FA70..CJK COMPATIBILITY IDEOGRAPH-FAD9 + {0xFB00, 0xFB06, prLower}, // L& [7] LATIN SMALL LIGATURE FF..LATIN SMALL LIGATURE ST + {0xFB13, 0xFB17, prLower}, // L& [5] ARMENIAN SMALL LIGATURE MEN NOW..ARMENIAN SMALL LIGATURE MEN XEH + {0xFB1D, 0xFB1D, prOLetter}, // Lo HEBREW LETTER YOD WITH HIRIQ + {0xFB1E, 0xFB1E, prExtend}, // Mn HEBREW POINT JUDEO-SPANISH VARIKA + {0xFB1F, 0xFB28, prOLetter}, // Lo [10] HEBREW LIGATURE YIDDISH YOD YOD PATAH..HEBREW LETTER WIDE TAV + {0xFB2A, 0xFB36, prOLetter}, // Lo [13] HEBREW LETTER SHIN WITH SHIN DOT..HEBREW LETTER ZAYIN WITH DAGESH + {0xFB38, 0xFB3C, prOLetter}, // Lo [5] HEBREW LETTER TET WITH DAGESH..HEBREW LETTER LAMED WITH DAGESH + {0xFB3E, 0xFB3E, prOLetter}, // Lo HEBREW LETTER MEM WITH DAGESH + {0xFB40, 0xFB41, prOLetter}, // Lo [2] HEBREW LETTER NUN WITH DAGESH..HEBREW LETTER SAMEKH WITH DAGESH + {0xFB43, 0xFB44, prOLetter}, // Lo [2] HEBREW LETTER FINAL PE WITH DAGESH..HEBREW LETTER PE WITH DAGESH + {0xFB46, 0xFBB1, prOLetter}, // Lo [108] HEBREW LETTER TSADI WITH DAGESH..ARABIC LETTER YEH BARREE WITH HAMZA ABOVE FINAL FORM + {0xFBD3, 0xFD3D, prOLetter}, // Lo [363] ARABIC LETTER NG ISOLATED FORM..ARABIC LIGATURE ALEF WITH FATHATAN ISOLATED FORM + {0xFD3E, 0xFD3E, prClose}, // Pe ORNATE LEFT PARENTHESIS + {0xFD3F, 0xFD3F, prClose}, // Ps ORNATE RIGHT PARENTHESIS + {0xFD50, 0xFD8F, prOLetter}, // Lo [64] ARABIC LIGATURE TEH WITH JEEM WITH MEEM INITIAL FORM..ARABIC LIGATURE MEEM WITH KHAH WITH MEEM INITIAL FORM + {0xFD92, 0xFDC7, prOLetter}, // Lo [54] ARABIC LIGATURE MEEM WITH JEEM WITH KHAH INITIAL FORM..ARABIC LIGATURE NOON WITH JEEM WITH YEH FINAL FORM + {0xFDF0, 0xFDFB, prOLetter}, // Lo [12] ARABIC LIGATURE SALLA USED AS KORANIC STOP SIGN ISOLATED FORM..ARABIC LIGATURE JALLAJALALOUHOU + {0xFE00, 0xFE0F, prExtend}, // Mn [16] VARIATION SELECTOR-1..VARIATION SELECTOR-16 + {0xFE10, 0xFE11, prSContinue}, // Po [2] PRESENTATION FORM FOR VERTICAL COMMA..PRESENTATION FORM FOR VERTICAL IDEOGRAPHIC COMMA + {0xFE13, 0xFE13, prSContinue}, // Po PRESENTATION FORM FOR VERTICAL COLON + {0xFE17, 0xFE17, prClose}, // Ps PRESENTATION FORM FOR VERTICAL LEFT WHITE LENTICULAR BRACKET + {0xFE18, 0xFE18, prClose}, // Pe PRESENTATION FORM FOR VERTICAL RIGHT WHITE LENTICULAR BRAKCET + {0xFE20, 0xFE2F, prExtend}, // Mn [16] COMBINING LIGATURE LEFT HALF..COMBINING CYRILLIC TITLO RIGHT HALF + {0xFE31, 0xFE32, prSContinue}, // Pd [2] PRESENTATION FORM FOR VERTICAL EM DASH..PRESENTATION FORM FOR VERTICAL EN DASH + {0xFE35, 0xFE35, prClose}, // Ps PRESENTATION FORM FOR VERTICAL LEFT PARENTHESIS + {0xFE36, 0xFE36, prClose}, // Pe PRESENTATION FORM FOR VERTICAL RIGHT PARENTHESIS + {0xFE37, 0xFE37, prClose}, // Ps PRESENTATION FORM FOR VERTICAL LEFT CURLY BRACKET + {0xFE38, 0xFE38, prClose}, // Pe PRESENTATION FORM FOR VERTICAL RIGHT CURLY BRACKET + {0xFE39, 0xFE39, prClose}, // Ps PRESENTATION FORM FOR VERTICAL LEFT TORTOISE SHELL BRACKET + {0xFE3A, 0xFE3A, prClose}, // Pe PRESENTATION FORM FOR VERTICAL RIGHT TORTOISE SHELL BRACKET + {0xFE3B, 0xFE3B, prClose}, // Ps PRESENTATION FORM FOR VERTICAL LEFT BLACK LENTICULAR BRACKET + {0xFE3C, 0xFE3C, prClose}, // Pe PRESENTATION FORM FOR VERTICAL RIGHT BLACK LENTICULAR BRACKET + {0xFE3D, 0xFE3D, prClose}, // Ps PRESENTATION FORM FOR VERTICAL LEFT DOUBLE ANGLE BRACKET + {0xFE3E, 0xFE3E, prClose}, // Pe PRESENTATION FORM FOR VERTICAL RIGHT DOUBLE ANGLE BRACKET + {0xFE3F, 0xFE3F, prClose}, // Ps PRESENTATION FORM FOR VERTICAL LEFT ANGLE BRACKET + {0xFE40, 0xFE40, prClose}, // Pe PRESENTATION FORM FOR VERTICAL RIGHT ANGLE BRACKET + {0xFE41, 0xFE41, prClose}, // Ps PRESENTATION FORM FOR VERTICAL LEFT CORNER BRACKET + {0xFE42, 0xFE42, prClose}, // Pe PRESENTATION FORM FOR VERTICAL RIGHT CORNER BRACKET + {0xFE43, 0xFE43, prClose}, // Ps PRESENTATION FORM FOR VERTICAL LEFT WHITE CORNER BRACKET + {0xFE44, 0xFE44, prClose}, // Pe PRESENTATION FORM FOR VERTICAL RIGHT WHITE CORNER BRACKET + {0xFE47, 0xFE47, prClose}, // Ps PRESENTATION FORM FOR VERTICAL LEFT SQUARE BRACKET + {0xFE48, 0xFE48, prClose}, // Pe PRESENTATION FORM FOR VERTICAL RIGHT SQUARE BRACKET + {0xFE50, 0xFE51, prSContinue}, // Po [2] SMALL COMMA..SMALL IDEOGRAPHIC COMMA + {0xFE52, 0xFE52, prATerm}, // Po SMALL FULL STOP + {0xFE55, 0xFE55, prSContinue}, // Po SMALL COLON + {0xFE56, 0xFE57, prSTerm}, // Po [2] SMALL QUESTION MARK..SMALL EXCLAMATION MARK + {0xFE58, 0xFE58, prSContinue}, // Pd SMALL EM DASH + {0xFE59, 0xFE59, prClose}, // Ps SMALL LEFT PARENTHESIS + {0xFE5A, 0xFE5A, prClose}, // Pe SMALL RIGHT PARENTHESIS + {0xFE5B, 0xFE5B, prClose}, // Ps SMALL LEFT CURLY BRACKET + {0xFE5C, 0xFE5C, prClose}, // Pe SMALL RIGHT CURLY BRACKET + {0xFE5D, 0xFE5D, prClose}, // Ps SMALL LEFT TORTOISE SHELL BRACKET + {0xFE5E, 0xFE5E, prClose}, // Pe SMALL RIGHT TORTOISE SHELL BRACKET + {0xFE63, 0xFE63, prSContinue}, // Pd SMALL HYPHEN-MINUS + {0xFE70, 0xFE74, prOLetter}, // Lo [5] ARABIC FATHATAN ISOLATED FORM..ARABIC KASRATAN ISOLATED FORM + {0xFE76, 0xFEFC, prOLetter}, // Lo [135] ARABIC FATHA ISOLATED FORM..ARABIC LIGATURE LAM WITH ALEF FINAL FORM + {0xFEFF, 0xFEFF, prFormat}, // Cf ZERO WIDTH NO-BREAK SPACE + {0xFF01, 0xFF01, prSTerm}, // Po FULLWIDTH EXCLAMATION MARK + {0xFF08, 0xFF08, prClose}, // Ps FULLWIDTH LEFT PARENTHESIS + {0xFF09, 0xFF09, prClose}, // Pe FULLWIDTH RIGHT PARENTHESIS + {0xFF0C, 0xFF0C, prSContinue}, // Po FULLWIDTH COMMA + {0xFF0D, 0xFF0D, prSContinue}, // Pd FULLWIDTH HYPHEN-MINUS + {0xFF0E, 0xFF0E, prATerm}, // Po FULLWIDTH FULL STOP + {0xFF10, 0xFF19, prNumeric}, // Nd [10] FULLWIDTH DIGIT ZERO..FULLWIDTH DIGIT NINE + {0xFF1A, 0xFF1A, prSContinue}, // Po FULLWIDTH COLON + {0xFF1F, 0xFF1F, prSTerm}, // Po FULLWIDTH QUESTION MARK + {0xFF21, 0xFF3A, prUpper}, // L& [26] FULLWIDTH LATIN CAPITAL LETTER A..FULLWIDTH LATIN CAPITAL LETTER Z + {0xFF3B, 0xFF3B, prClose}, // Ps FULLWIDTH LEFT SQUARE BRACKET + {0xFF3D, 0xFF3D, prClose}, // Pe FULLWIDTH RIGHT SQUARE BRACKET + {0xFF41, 0xFF5A, prLower}, // L& [26] FULLWIDTH LATIN SMALL LETTER A..FULLWIDTH LATIN SMALL LETTER Z + {0xFF5B, 0xFF5B, prClose}, // Ps FULLWIDTH LEFT CURLY BRACKET + {0xFF5D, 0xFF5D, prClose}, // Pe FULLWIDTH RIGHT CURLY BRACKET + {0xFF5F, 0xFF5F, prClose}, // Ps FULLWIDTH LEFT WHITE PARENTHESIS + {0xFF60, 0xFF60, prClose}, // Pe FULLWIDTH RIGHT WHITE PARENTHESIS + {0xFF61, 0xFF61, prSTerm}, // Po HALFWIDTH IDEOGRAPHIC FULL STOP + {0xFF62, 0xFF62, prClose}, // Ps HALFWIDTH LEFT CORNER BRACKET + {0xFF63, 0xFF63, prClose}, // Pe HALFWIDTH RIGHT CORNER BRACKET + {0xFF64, 0xFF64, prSContinue}, // Po HALFWIDTH IDEOGRAPHIC COMMA + {0xFF66, 0xFF6F, prOLetter}, // Lo [10] HALFWIDTH KATAKANA LETTER WO..HALFWIDTH KATAKANA LETTER SMALL TU + {0xFF70, 0xFF70, prOLetter}, // Lm HALFWIDTH KATAKANA-HIRAGANA PROLONGED SOUND MARK + {0xFF71, 0xFF9D, prOLetter}, // Lo [45] HALFWIDTH KATAKANA LETTER A..HALFWIDTH KATAKANA LETTER N + {0xFF9E, 0xFF9F, prExtend}, // Lm [2] HALFWIDTH KATAKANA VOICED SOUND MARK..HALFWIDTH KATAKANA SEMI-VOICED SOUND MARK + {0xFFA0, 0xFFBE, prOLetter}, // Lo [31] HALFWIDTH HANGUL FILLER..HALFWIDTH HANGUL LETTER HIEUH + {0xFFC2, 0xFFC7, prOLetter}, // Lo [6] HALFWIDTH HANGUL LETTER A..HALFWIDTH HANGUL LETTER E + {0xFFCA, 0xFFCF, prOLetter}, // Lo [6] HALFWIDTH HANGUL LETTER YEO..HALFWIDTH HANGUL LETTER OE + {0xFFD2, 0xFFD7, prOLetter}, // Lo [6] HALFWIDTH HANGUL LETTER YO..HALFWIDTH HANGUL LETTER YU + {0xFFDA, 0xFFDC, prOLetter}, // Lo [3] HALFWIDTH HANGUL LETTER EU..HALFWIDTH HANGUL LETTER I + {0xFFF9, 0xFFFB, prFormat}, // Cf [3] INTERLINEAR ANNOTATION ANCHOR..INTERLINEAR ANNOTATION TERMINATOR + {0x10000, 0x1000B, prOLetter}, // Lo [12] LINEAR B SYLLABLE B008 A..LINEAR B SYLLABLE B046 JE + {0x1000D, 0x10026, prOLetter}, // Lo [26] LINEAR B SYLLABLE B036 JO..LINEAR B SYLLABLE B032 QO + {0x10028, 0x1003A, prOLetter}, // Lo [19] LINEAR B SYLLABLE B060 RA..LINEAR B SYLLABLE B042 WO + {0x1003C, 0x1003D, prOLetter}, // Lo [2] LINEAR B SYLLABLE B017 ZA..LINEAR B SYLLABLE B074 ZE + {0x1003F, 0x1004D, prOLetter}, // Lo [15] LINEAR B SYLLABLE B020 ZO..LINEAR B SYLLABLE B091 TWO + {0x10050, 0x1005D, prOLetter}, // Lo [14] LINEAR B SYMBOL B018..LINEAR B SYMBOL B089 + {0x10080, 0x100FA, prOLetter}, // Lo [123] LINEAR B IDEOGRAM B100 MAN..LINEAR B IDEOGRAM VESSEL B305 + {0x10140, 0x10174, prOLetter}, // Nl [53] GREEK ACROPHONIC ATTIC ONE QUARTER..GREEK ACROPHONIC STRATIAN FIFTY MNAS + {0x101FD, 0x101FD, prExtend}, // Mn PHAISTOS DISC SIGN COMBINING OBLIQUE STROKE + {0x10280, 0x1029C, prOLetter}, // Lo [29] LYCIAN LETTER A..LYCIAN LETTER X + {0x102A0, 0x102D0, prOLetter}, // Lo [49] CARIAN LETTER A..CARIAN LETTER UUU3 + {0x102E0, 0x102E0, prExtend}, // Mn COPTIC EPACT THOUSANDS MARK + {0x10300, 0x1031F, prOLetter}, // Lo [32] OLD ITALIC LETTER A..OLD ITALIC LETTER ESS + {0x1032D, 0x10340, prOLetter}, // Lo [20] OLD ITALIC LETTER YE..GOTHIC LETTER PAIRTHRA + {0x10341, 0x10341, prOLetter}, // Nl GOTHIC LETTER NINETY + {0x10342, 0x10349, prOLetter}, // Lo [8] GOTHIC LETTER RAIDA..GOTHIC LETTER OTHAL + {0x1034A, 0x1034A, prOLetter}, // Nl GOTHIC LETTER NINE HUNDRED + {0x10350, 0x10375, prOLetter}, // Lo [38] OLD PERMIC LETTER AN..OLD PERMIC LETTER IA + {0x10376, 0x1037A, prExtend}, // Mn [5] COMBINING OLD PERMIC LETTER AN..COMBINING OLD PERMIC LETTER SII + {0x10380, 0x1039D, prOLetter}, // Lo [30] UGARITIC LETTER ALPA..UGARITIC LETTER SSU + {0x103A0, 0x103C3, prOLetter}, // Lo [36] OLD PERSIAN SIGN A..OLD PERSIAN SIGN HA + {0x103C8, 0x103CF, prOLetter}, // Lo [8] OLD PERSIAN SIGN AURAMAZDAA..OLD PERSIAN SIGN BUUMISH + {0x103D1, 0x103D5, prOLetter}, // Nl [5] OLD PERSIAN NUMBER ONE..OLD PERSIAN NUMBER HUNDRED + {0x10400, 0x10427, prUpper}, // L& [40] DESERET CAPITAL LETTER LONG I..DESERET CAPITAL LETTER EW + {0x10428, 0x1044F, prLower}, // L& [40] DESERET SMALL LETTER LONG I..DESERET SMALL LETTER EW + {0x10450, 0x1049D, prOLetter}, // Lo [78] SHAVIAN LETTER PEEP..OSMANYA LETTER OO + {0x104A0, 0x104A9, prNumeric}, // Nd [10] OSMANYA DIGIT ZERO..OSMANYA DIGIT NINE + {0x104B0, 0x104D3, prUpper}, // L& [36] OSAGE CAPITAL LETTER A..OSAGE CAPITAL LETTER ZHA + {0x104D8, 0x104FB, prLower}, // L& [36] OSAGE SMALL LETTER A..OSAGE SMALL LETTER ZHA + {0x10500, 0x10527, prOLetter}, // Lo [40] ELBASAN LETTER A..ELBASAN LETTER KHE + {0x10530, 0x10563, prOLetter}, // Lo [52] CAUCASIAN ALBANIAN LETTER ALT..CAUCASIAN ALBANIAN LETTER KIW + {0x10570, 0x1057A, prUpper}, // L& [11] VITHKUQI CAPITAL LETTER A..VITHKUQI CAPITAL LETTER GA + {0x1057C, 0x1058A, prUpper}, // L& [15] VITHKUQI CAPITAL LETTER HA..VITHKUQI CAPITAL LETTER RE + {0x1058C, 0x10592, prUpper}, // L& [7] VITHKUQI CAPITAL LETTER SE..VITHKUQI CAPITAL LETTER XE + {0x10594, 0x10595, prUpper}, // L& [2] VITHKUQI CAPITAL LETTER Y..VITHKUQI CAPITAL LETTER ZE + {0x10597, 0x105A1, prLower}, // L& [11] VITHKUQI SMALL LETTER A..VITHKUQI SMALL LETTER GA + {0x105A3, 0x105B1, prLower}, // L& [15] VITHKUQI SMALL LETTER HA..VITHKUQI SMALL LETTER RE + {0x105B3, 0x105B9, prLower}, // L& [7] VITHKUQI SMALL LETTER SE..VITHKUQI SMALL LETTER XE + {0x105BB, 0x105BC, prLower}, // L& [2] VITHKUQI SMALL LETTER Y..VITHKUQI SMALL LETTER ZE + {0x10600, 0x10736, prOLetter}, // Lo [311] LINEAR A SIGN AB001..LINEAR A SIGN A664 + {0x10740, 0x10755, prOLetter}, // Lo [22] LINEAR A SIGN A701 A..LINEAR A SIGN A732 JE + {0x10760, 0x10767, prOLetter}, // Lo [8] LINEAR A SIGN A800..LINEAR A SIGN A807 + {0x10780, 0x10780, prLower}, // Lm MODIFIER LETTER SMALL CAPITAL AA + {0x10781, 0x10782, prOLetter}, // Lm [2] MODIFIER LETTER SUPERSCRIPT TRIANGULAR COLON..MODIFIER LETTER SUPERSCRIPT HALF TRIANGULAR COLON + {0x10783, 0x10785, prLower}, // Lm [3] MODIFIER LETTER SMALL AE..MODIFIER LETTER SMALL B WITH HOOK + {0x10787, 0x107B0, prLower}, // Lm [42] MODIFIER LETTER SMALL DZ DIGRAPH..MODIFIER LETTER SMALL V WITH RIGHT HOOK + {0x107B2, 0x107BA, prLower}, // Lm [9] MODIFIER LETTER SMALL CAPITAL Y..MODIFIER LETTER SMALL S WITH CURL + {0x10800, 0x10805, prOLetter}, // Lo [6] CYPRIOT SYLLABLE A..CYPRIOT SYLLABLE JA + {0x10808, 0x10808, prOLetter}, // Lo CYPRIOT SYLLABLE JO + {0x1080A, 0x10835, prOLetter}, // Lo [44] CYPRIOT SYLLABLE KA..CYPRIOT SYLLABLE WO + {0x10837, 0x10838, prOLetter}, // Lo [2] CYPRIOT SYLLABLE XA..CYPRIOT SYLLABLE XE + {0x1083C, 0x1083C, prOLetter}, // Lo CYPRIOT SYLLABLE ZA + {0x1083F, 0x10855, prOLetter}, // Lo [23] CYPRIOT SYLLABLE ZO..IMPERIAL ARAMAIC LETTER TAW + {0x10860, 0x10876, prOLetter}, // Lo [23] PALMYRENE LETTER ALEPH..PALMYRENE LETTER TAW + {0x10880, 0x1089E, prOLetter}, // Lo [31] NABATAEAN LETTER FINAL ALEPH..NABATAEAN LETTER TAW + {0x108E0, 0x108F2, prOLetter}, // Lo [19] HATRAN LETTER ALEPH..HATRAN LETTER QOPH + {0x108F4, 0x108F5, prOLetter}, // Lo [2] HATRAN LETTER SHIN..HATRAN LETTER TAW + {0x10900, 0x10915, prOLetter}, // Lo [22] PHOENICIAN LETTER ALF..PHOENICIAN LETTER TAU + {0x10920, 0x10939, prOLetter}, // Lo [26] LYDIAN LETTER A..LYDIAN LETTER C + {0x10980, 0x109B7, prOLetter}, // Lo [56] MEROITIC HIEROGLYPHIC LETTER A..MEROITIC CURSIVE LETTER DA + {0x109BE, 0x109BF, prOLetter}, // Lo [2] MEROITIC CURSIVE LOGOGRAM RMT..MEROITIC CURSIVE LOGOGRAM IMN + {0x10A00, 0x10A00, prOLetter}, // Lo KHAROSHTHI LETTER A + {0x10A01, 0x10A03, prExtend}, // Mn [3] KHAROSHTHI VOWEL SIGN I..KHAROSHTHI VOWEL SIGN VOCALIC R + {0x10A05, 0x10A06, prExtend}, // Mn [2] KHAROSHTHI VOWEL SIGN E..KHAROSHTHI VOWEL SIGN O + {0x10A0C, 0x10A0F, prExtend}, // Mn [4] KHAROSHTHI VOWEL LENGTH MARK..KHAROSHTHI SIGN VISARGA + {0x10A10, 0x10A13, prOLetter}, // Lo [4] KHAROSHTHI LETTER KA..KHAROSHTHI LETTER GHA + {0x10A15, 0x10A17, prOLetter}, // Lo [3] KHAROSHTHI LETTER CA..KHAROSHTHI LETTER JA + {0x10A19, 0x10A35, prOLetter}, // Lo [29] KHAROSHTHI LETTER NYA..KHAROSHTHI LETTER VHA + {0x10A38, 0x10A3A, prExtend}, // Mn [3] KHAROSHTHI SIGN BAR ABOVE..KHAROSHTHI SIGN DOT BELOW + {0x10A3F, 0x10A3F, prExtend}, // Mn KHAROSHTHI VIRAMA + {0x10A56, 0x10A57, prSTerm}, // Po [2] KHAROSHTHI PUNCTUATION DANDA..KHAROSHTHI PUNCTUATION DOUBLE DANDA + {0x10A60, 0x10A7C, prOLetter}, // Lo [29] OLD SOUTH ARABIAN LETTER HE..OLD SOUTH ARABIAN LETTER THETH + {0x10A80, 0x10A9C, prOLetter}, // Lo [29] OLD NORTH ARABIAN LETTER HEH..OLD NORTH ARABIAN LETTER ZAH + {0x10AC0, 0x10AC7, prOLetter}, // Lo [8] MANICHAEAN LETTER ALEPH..MANICHAEAN LETTER WAW + {0x10AC9, 0x10AE4, prOLetter}, // Lo [28] MANICHAEAN LETTER ZAYIN..MANICHAEAN LETTER TAW + {0x10AE5, 0x10AE6, prExtend}, // Mn [2] MANICHAEAN ABBREVIATION MARK ABOVE..MANICHAEAN ABBREVIATION MARK BELOW + {0x10B00, 0x10B35, prOLetter}, // Lo [54] AVESTAN LETTER A..AVESTAN LETTER HE + {0x10B40, 0x10B55, prOLetter}, // Lo [22] INSCRIPTIONAL PARTHIAN LETTER ALEPH..INSCRIPTIONAL PARTHIAN LETTER TAW + {0x10B60, 0x10B72, prOLetter}, // Lo [19] INSCRIPTIONAL PAHLAVI LETTER ALEPH..INSCRIPTIONAL PAHLAVI LETTER TAW + {0x10B80, 0x10B91, prOLetter}, // Lo [18] PSALTER PAHLAVI LETTER ALEPH..PSALTER PAHLAVI LETTER TAW + {0x10C00, 0x10C48, prOLetter}, // Lo [73] OLD TURKIC LETTER ORKHON A..OLD TURKIC LETTER ORKHON BASH + {0x10C80, 0x10CB2, prUpper}, // L& [51] OLD HUNGARIAN CAPITAL LETTER A..OLD HUNGARIAN CAPITAL LETTER US + {0x10CC0, 0x10CF2, prLower}, // L& [51] OLD HUNGARIAN SMALL LETTER A..OLD HUNGARIAN SMALL LETTER US + {0x10D00, 0x10D23, prOLetter}, // Lo [36] HANIFI ROHINGYA LETTER A..HANIFI ROHINGYA MARK NA KHONNA + {0x10D24, 0x10D27, prExtend}, // Mn [4] HANIFI ROHINGYA SIGN HARBAHAY..HANIFI ROHINGYA SIGN TASSI + {0x10D30, 0x10D39, prNumeric}, // Nd [10] HANIFI ROHINGYA DIGIT ZERO..HANIFI ROHINGYA DIGIT NINE + {0x10E80, 0x10EA9, prOLetter}, // Lo [42] YEZIDI LETTER ELIF..YEZIDI LETTER ET + {0x10EAB, 0x10EAC, prExtend}, // Mn [2] YEZIDI COMBINING HAMZA MARK..YEZIDI COMBINING MADDA MARK + {0x10EB0, 0x10EB1, prOLetter}, // Lo [2] YEZIDI LETTER LAM WITH DOT ABOVE..YEZIDI LETTER YOT WITH CIRCUMFLEX ABOVE + {0x10EFD, 0x10EFF, prExtend}, // Mn [3] ARABIC SMALL LOW WORD SAKTA..ARABIC SMALL LOW WORD MADDA + {0x10F00, 0x10F1C, prOLetter}, // Lo [29] OLD SOGDIAN LETTER ALEPH..OLD SOGDIAN LETTER FINAL TAW WITH VERTICAL TAIL + {0x10F27, 0x10F27, prOLetter}, // Lo OLD SOGDIAN LIGATURE AYIN-DALETH + {0x10F30, 0x10F45, prOLetter}, // Lo [22] SOGDIAN LETTER ALEPH..SOGDIAN INDEPENDENT SHIN + {0x10F46, 0x10F50, prExtend}, // Mn [11] SOGDIAN COMBINING DOT BELOW..SOGDIAN COMBINING STROKE BELOW + {0x10F55, 0x10F59, prSTerm}, // Po [5] SOGDIAN PUNCTUATION TWO VERTICAL BARS..SOGDIAN PUNCTUATION HALF CIRCLE WITH DOT + {0x10F70, 0x10F81, prOLetter}, // Lo [18] OLD UYGHUR LETTER ALEPH..OLD UYGHUR LETTER LESH + {0x10F82, 0x10F85, prExtend}, // Mn [4] OLD UYGHUR COMBINING DOT ABOVE..OLD UYGHUR COMBINING TWO DOTS BELOW + {0x10F86, 0x10F89, prSTerm}, // Po [4] OLD UYGHUR PUNCTUATION BAR..OLD UYGHUR PUNCTUATION FOUR DOTS + {0x10FB0, 0x10FC4, prOLetter}, // Lo [21] CHORASMIAN LETTER ALEPH..CHORASMIAN LETTER TAW + {0x10FE0, 0x10FF6, prOLetter}, // Lo [23] ELYMAIC LETTER ALEPH..ELYMAIC LIGATURE ZAYIN-YODH + {0x11000, 0x11000, prExtend}, // Mc BRAHMI SIGN CANDRABINDU + {0x11001, 0x11001, prExtend}, // Mn BRAHMI SIGN ANUSVARA + {0x11002, 0x11002, prExtend}, // Mc BRAHMI SIGN VISARGA + {0x11003, 0x11037, prOLetter}, // Lo [53] BRAHMI SIGN JIHVAMULIYA..BRAHMI LETTER OLD TAMIL NNNA + {0x11038, 0x11046, prExtend}, // Mn [15] BRAHMI VOWEL SIGN AA..BRAHMI VIRAMA + {0x11047, 0x11048, prSTerm}, // Po [2] BRAHMI DANDA..BRAHMI DOUBLE DANDA + {0x11066, 0x1106F, prNumeric}, // Nd [10] BRAHMI DIGIT ZERO..BRAHMI DIGIT NINE + {0x11070, 0x11070, prExtend}, // Mn BRAHMI SIGN OLD TAMIL VIRAMA + {0x11071, 0x11072, prOLetter}, // Lo [2] BRAHMI LETTER OLD TAMIL SHORT E..BRAHMI LETTER OLD TAMIL SHORT O + {0x11073, 0x11074, prExtend}, // Mn [2] BRAHMI VOWEL SIGN OLD TAMIL SHORT E..BRAHMI VOWEL SIGN OLD TAMIL SHORT O + {0x11075, 0x11075, prOLetter}, // Lo BRAHMI LETTER OLD TAMIL LLA + {0x1107F, 0x11081, prExtend}, // Mn [3] BRAHMI NUMBER JOINER..KAITHI SIGN ANUSVARA + {0x11082, 0x11082, prExtend}, // Mc KAITHI SIGN VISARGA + {0x11083, 0x110AF, prOLetter}, // Lo [45] KAITHI LETTER A..KAITHI LETTER HA + {0x110B0, 0x110B2, prExtend}, // Mc [3] KAITHI VOWEL SIGN AA..KAITHI VOWEL SIGN II + {0x110B3, 0x110B6, prExtend}, // Mn [4] KAITHI VOWEL SIGN U..KAITHI VOWEL SIGN AI + {0x110B7, 0x110B8, prExtend}, // Mc [2] KAITHI VOWEL SIGN O..KAITHI VOWEL SIGN AU + {0x110B9, 0x110BA, prExtend}, // Mn [2] KAITHI SIGN VIRAMA..KAITHI SIGN NUKTA + {0x110BD, 0x110BD, prFormat}, // Cf KAITHI NUMBER SIGN + {0x110BE, 0x110C1, prSTerm}, // Po [4] KAITHI SECTION MARK..KAITHI DOUBLE DANDA + {0x110C2, 0x110C2, prExtend}, // Mn KAITHI VOWEL SIGN VOCALIC R + {0x110CD, 0x110CD, prFormat}, // Cf KAITHI NUMBER SIGN ABOVE + {0x110D0, 0x110E8, prOLetter}, // Lo [25] SORA SOMPENG LETTER SAH..SORA SOMPENG LETTER MAE + {0x110F0, 0x110F9, prNumeric}, // Nd [10] SORA SOMPENG DIGIT ZERO..SORA SOMPENG DIGIT NINE + {0x11100, 0x11102, prExtend}, // Mn [3] CHAKMA SIGN CANDRABINDU..CHAKMA SIGN VISARGA + {0x11103, 0x11126, prOLetter}, // Lo [36] CHAKMA LETTER AA..CHAKMA LETTER HAA + {0x11127, 0x1112B, prExtend}, // Mn [5] CHAKMA VOWEL SIGN A..CHAKMA VOWEL SIGN UU + {0x1112C, 0x1112C, prExtend}, // Mc CHAKMA VOWEL SIGN E + {0x1112D, 0x11134, prExtend}, // Mn [8] CHAKMA VOWEL SIGN AI..CHAKMA MAAYYAA + {0x11136, 0x1113F, prNumeric}, // Nd [10] CHAKMA DIGIT ZERO..CHAKMA DIGIT NINE + {0x11141, 0x11143, prSTerm}, // Po [3] CHAKMA DANDA..CHAKMA QUESTION MARK + {0x11144, 0x11144, prOLetter}, // Lo CHAKMA LETTER LHAA + {0x11145, 0x11146, prExtend}, // Mc [2] CHAKMA VOWEL SIGN AA..CHAKMA VOWEL SIGN EI + {0x11147, 0x11147, prOLetter}, // Lo CHAKMA LETTER VAA + {0x11150, 0x11172, prOLetter}, // Lo [35] MAHAJANI LETTER A..MAHAJANI LETTER RRA + {0x11173, 0x11173, prExtend}, // Mn MAHAJANI SIGN NUKTA + {0x11176, 0x11176, prOLetter}, // Lo MAHAJANI LIGATURE SHRI + {0x11180, 0x11181, prExtend}, // Mn [2] SHARADA SIGN CANDRABINDU..SHARADA SIGN ANUSVARA + {0x11182, 0x11182, prExtend}, // Mc SHARADA SIGN VISARGA + {0x11183, 0x111B2, prOLetter}, // Lo [48] SHARADA LETTER A..SHARADA LETTER HA + {0x111B3, 0x111B5, prExtend}, // Mc [3] SHARADA VOWEL SIGN AA..SHARADA VOWEL SIGN II + {0x111B6, 0x111BE, prExtend}, // Mn [9] SHARADA VOWEL SIGN U..SHARADA VOWEL SIGN O + {0x111BF, 0x111C0, prExtend}, // Mc [2] SHARADA VOWEL SIGN AU..SHARADA SIGN VIRAMA + {0x111C1, 0x111C4, prOLetter}, // Lo [4] SHARADA SIGN AVAGRAHA..SHARADA OM + {0x111C5, 0x111C6, prSTerm}, // Po [2] SHARADA DANDA..SHARADA DOUBLE DANDA + {0x111C9, 0x111CC, prExtend}, // Mn [4] SHARADA SANDHI MARK..SHARADA EXTRA SHORT VOWEL MARK + {0x111CD, 0x111CD, prSTerm}, // Po SHARADA SUTRA MARK + {0x111CE, 0x111CE, prExtend}, // Mc SHARADA VOWEL SIGN PRISHTHAMATRA E + {0x111CF, 0x111CF, prExtend}, // Mn SHARADA SIGN INVERTED CANDRABINDU + {0x111D0, 0x111D9, prNumeric}, // Nd [10] SHARADA DIGIT ZERO..SHARADA DIGIT NINE + {0x111DA, 0x111DA, prOLetter}, // Lo SHARADA EKAM + {0x111DC, 0x111DC, prOLetter}, // Lo SHARADA HEADSTROKE + {0x111DE, 0x111DF, prSTerm}, // Po [2] SHARADA SECTION MARK-1..SHARADA SECTION MARK-2 + {0x11200, 0x11211, prOLetter}, // Lo [18] KHOJKI LETTER A..KHOJKI LETTER JJA + {0x11213, 0x1122B, prOLetter}, // Lo [25] KHOJKI LETTER NYA..KHOJKI LETTER LLA + {0x1122C, 0x1122E, prExtend}, // Mc [3] KHOJKI VOWEL SIGN AA..KHOJKI VOWEL SIGN II + {0x1122F, 0x11231, prExtend}, // Mn [3] KHOJKI VOWEL SIGN U..KHOJKI VOWEL SIGN AI + {0x11232, 0x11233, prExtend}, // Mc [2] KHOJKI VOWEL SIGN O..KHOJKI VOWEL SIGN AU + {0x11234, 0x11234, prExtend}, // Mn KHOJKI SIGN ANUSVARA + {0x11235, 0x11235, prExtend}, // Mc KHOJKI SIGN VIRAMA + {0x11236, 0x11237, prExtend}, // Mn [2] KHOJKI SIGN NUKTA..KHOJKI SIGN SHADDA + {0x11238, 0x11239, prSTerm}, // Po [2] KHOJKI DANDA..KHOJKI DOUBLE DANDA + {0x1123B, 0x1123C, prSTerm}, // Po [2] KHOJKI SECTION MARK..KHOJKI DOUBLE SECTION MARK + {0x1123E, 0x1123E, prExtend}, // Mn KHOJKI SIGN SUKUN + {0x1123F, 0x11240, prOLetter}, // Lo [2] KHOJKI LETTER QA..KHOJKI LETTER SHORT I + {0x11241, 0x11241, prExtend}, // Mn KHOJKI VOWEL SIGN VOCALIC R + {0x11280, 0x11286, prOLetter}, // Lo [7] MULTANI LETTER A..MULTANI LETTER GA + {0x11288, 0x11288, prOLetter}, // Lo MULTANI LETTER GHA + {0x1128A, 0x1128D, prOLetter}, // Lo [4] MULTANI LETTER CA..MULTANI LETTER JJA + {0x1128F, 0x1129D, prOLetter}, // Lo [15] MULTANI LETTER NYA..MULTANI LETTER BA + {0x1129F, 0x112A8, prOLetter}, // Lo [10] MULTANI LETTER BHA..MULTANI LETTER RHA + {0x112A9, 0x112A9, prSTerm}, // Po MULTANI SECTION MARK + {0x112B0, 0x112DE, prOLetter}, // Lo [47] KHUDAWADI LETTER A..KHUDAWADI LETTER HA + {0x112DF, 0x112DF, prExtend}, // Mn KHUDAWADI SIGN ANUSVARA + {0x112E0, 0x112E2, prExtend}, // Mc [3] KHUDAWADI VOWEL SIGN AA..KHUDAWADI VOWEL SIGN II + {0x112E3, 0x112EA, prExtend}, // Mn [8] KHUDAWADI VOWEL SIGN U..KHUDAWADI SIGN VIRAMA + {0x112F0, 0x112F9, prNumeric}, // Nd [10] KHUDAWADI DIGIT ZERO..KHUDAWADI DIGIT NINE + {0x11300, 0x11301, prExtend}, // Mn [2] GRANTHA SIGN COMBINING ANUSVARA ABOVE..GRANTHA SIGN CANDRABINDU + {0x11302, 0x11303, prExtend}, // Mc [2] GRANTHA SIGN ANUSVARA..GRANTHA SIGN VISARGA + {0x11305, 0x1130C, prOLetter}, // Lo [8] GRANTHA LETTER A..GRANTHA LETTER VOCALIC L + {0x1130F, 0x11310, prOLetter}, // Lo [2] GRANTHA LETTER EE..GRANTHA LETTER AI + {0x11313, 0x11328, prOLetter}, // Lo [22] GRANTHA LETTER OO..GRANTHA LETTER NA + {0x1132A, 0x11330, prOLetter}, // Lo [7] GRANTHA LETTER PA..GRANTHA LETTER RA + {0x11332, 0x11333, prOLetter}, // Lo [2] GRANTHA LETTER LA..GRANTHA LETTER LLA + {0x11335, 0x11339, prOLetter}, // Lo [5] GRANTHA LETTER VA..GRANTHA LETTER HA + {0x1133B, 0x1133C, prExtend}, // Mn [2] COMBINING BINDU BELOW..GRANTHA SIGN NUKTA + {0x1133D, 0x1133D, prOLetter}, // Lo GRANTHA SIGN AVAGRAHA + {0x1133E, 0x1133F, prExtend}, // Mc [2] GRANTHA VOWEL SIGN AA..GRANTHA VOWEL SIGN I + {0x11340, 0x11340, prExtend}, // Mn GRANTHA VOWEL SIGN II + {0x11341, 0x11344, prExtend}, // Mc [4] GRANTHA VOWEL SIGN U..GRANTHA VOWEL SIGN VOCALIC RR + {0x11347, 0x11348, prExtend}, // Mc [2] GRANTHA VOWEL SIGN EE..GRANTHA VOWEL SIGN AI + {0x1134B, 0x1134D, prExtend}, // Mc [3] GRANTHA VOWEL SIGN OO..GRANTHA SIGN VIRAMA + {0x11350, 0x11350, prOLetter}, // Lo GRANTHA OM + {0x11357, 0x11357, prExtend}, // Mc GRANTHA AU LENGTH MARK + {0x1135D, 0x11361, prOLetter}, // Lo [5] GRANTHA SIGN PLUTA..GRANTHA LETTER VOCALIC LL + {0x11362, 0x11363, prExtend}, // Mc [2] GRANTHA VOWEL SIGN VOCALIC L..GRANTHA VOWEL SIGN VOCALIC LL + {0x11366, 0x1136C, prExtend}, // Mn [7] COMBINING GRANTHA DIGIT ZERO..COMBINING GRANTHA DIGIT SIX + {0x11370, 0x11374, prExtend}, // Mn [5] COMBINING GRANTHA LETTER A..COMBINING GRANTHA LETTER PA + {0x11400, 0x11434, prOLetter}, // Lo [53] NEWA LETTER A..NEWA LETTER HA + {0x11435, 0x11437, prExtend}, // Mc [3] NEWA VOWEL SIGN AA..NEWA VOWEL SIGN II + {0x11438, 0x1143F, prExtend}, // Mn [8] NEWA VOWEL SIGN U..NEWA VOWEL SIGN AI + {0x11440, 0x11441, prExtend}, // Mc [2] NEWA VOWEL SIGN O..NEWA VOWEL SIGN AU + {0x11442, 0x11444, prExtend}, // Mn [3] NEWA SIGN VIRAMA..NEWA SIGN ANUSVARA + {0x11445, 0x11445, prExtend}, // Mc NEWA SIGN VISARGA + {0x11446, 0x11446, prExtend}, // Mn NEWA SIGN NUKTA + {0x11447, 0x1144A, prOLetter}, // Lo [4] NEWA SIGN AVAGRAHA..NEWA SIDDHI + {0x1144B, 0x1144C, prSTerm}, // Po [2] NEWA DANDA..NEWA DOUBLE DANDA + {0x11450, 0x11459, prNumeric}, // Nd [10] NEWA DIGIT ZERO..NEWA DIGIT NINE + {0x1145E, 0x1145E, prExtend}, // Mn NEWA SANDHI MARK + {0x1145F, 0x11461, prOLetter}, // Lo [3] NEWA LETTER VEDIC ANUSVARA..NEWA SIGN UPADHMANIYA + {0x11480, 0x114AF, prOLetter}, // Lo [48] TIRHUTA ANJI..TIRHUTA LETTER HA + {0x114B0, 0x114B2, prExtend}, // Mc [3] TIRHUTA VOWEL SIGN AA..TIRHUTA VOWEL SIGN II + {0x114B3, 0x114B8, prExtend}, // Mn [6] TIRHUTA VOWEL SIGN U..TIRHUTA VOWEL SIGN VOCALIC LL + {0x114B9, 0x114B9, prExtend}, // Mc TIRHUTA VOWEL SIGN E + {0x114BA, 0x114BA, prExtend}, // Mn TIRHUTA VOWEL SIGN SHORT E + {0x114BB, 0x114BE, prExtend}, // Mc [4] TIRHUTA VOWEL SIGN AI..TIRHUTA VOWEL SIGN AU + {0x114BF, 0x114C0, prExtend}, // Mn [2] TIRHUTA SIGN CANDRABINDU..TIRHUTA SIGN ANUSVARA + {0x114C1, 0x114C1, prExtend}, // Mc TIRHUTA SIGN VISARGA + {0x114C2, 0x114C3, prExtend}, // Mn [2] TIRHUTA SIGN VIRAMA..TIRHUTA SIGN NUKTA + {0x114C4, 0x114C5, prOLetter}, // Lo [2] TIRHUTA SIGN AVAGRAHA..TIRHUTA GVANG + {0x114C7, 0x114C7, prOLetter}, // Lo TIRHUTA OM + {0x114D0, 0x114D9, prNumeric}, // Nd [10] TIRHUTA DIGIT ZERO..TIRHUTA DIGIT NINE + {0x11580, 0x115AE, prOLetter}, // Lo [47] SIDDHAM LETTER A..SIDDHAM LETTER HA + {0x115AF, 0x115B1, prExtend}, // Mc [3] SIDDHAM VOWEL SIGN AA..SIDDHAM VOWEL SIGN II + {0x115B2, 0x115B5, prExtend}, // Mn [4] SIDDHAM VOWEL SIGN U..SIDDHAM VOWEL SIGN VOCALIC RR + {0x115B8, 0x115BB, prExtend}, // Mc [4] SIDDHAM VOWEL SIGN E..SIDDHAM VOWEL SIGN AU + {0x115BC, 0x115BD, prExtend}, // Mn [2] SIDDHAM SIGN CANDRABINDU..SIDDHAM SIGN ANUSVARA + {0x115BE, 0x115BE, prExtend}, // Mc SIDDHAM SIGN VISARGA + {0x115BF, 0x115C0, prExtend}, // Mn [2] SIDDHAM SIGN VIRAMA..SIDDHAM SIGN NUKTA + {0x115C2, 0x115C3, prSTerm}, // Po [2] SIDDHAM DANDA..SIDDHAM DOUBLE DANDA + {0x115C9, 0x115D7, prSTerm}, // Po [15] SIDDHAM END OF TEXT MARK..SIDDHAM SECTION MARK WITH CIRCLES AND FOUR ENCLOSURES + {0x115D8, 0x115DB, prOLetter}, // Lo [4] SIDDHAM LETTER THREE-CIRCLE ALTERNATE I..SIDDHAM LETTER ALTERNATE U + {0x115DC, 0x115DD, prExtend}, // Mn [2] SIDDHAM VOWEL SIGN ALTERNATE U..SIDDHAM VOWEL SIGN ALTERNATE UU + {0x11600, 0x1162F, prOLetter}, // Lo [48] MODI LETTER A..MODI LETTER LLA + {0x11630, 0x11632, prExtend}, // Mc [3] MODI VOWEL SIGN AA..MODI VOWEL SIGN II + {0x11633, 0x1163A, prExtend}, // Mn [8] MODI VOWEL SIGN U..MODI VOWEL SIGN AI + {0x1163B, 0x1163C, prExtend}, // Mc [2] MODI VOWEL SIGN O..MODI VOWEL SIGN AU + {0x1163D, 0x1163D, prExtend}, // Mn MODI SIGN ANUSVARA + {0x1163E, 0x1163E, prExtend}, // Mc MODI SIGN VISARGA + {0x1163F, 0x11640, prExtend}, // Mn [2] MODI SIGN VIRAMA..MODI SIGN ARDHACANDRA + {0x11641, 0x11642, prSTerm}, // Po [2] MODI DANDA..MODI DOUBLE DANDA + {0x11644, 0x11644, prOLetter}, // Lo MODI SIGN HUVA + {0x11650, 0x11659, prNumeric}, // Nd [10] MODI DIGIT ZERO..MODI DIGIT NINE + {0x11680, 0x116AA, prOLetter}, // Lo [43] TAKRI LETTER A..TAKRI LETTER RRA + {0x116AB, 0x116AB, prExtend}, // Mn TAKRI SIGN ANUSVARA + {0x116AC, 0x116AC, prExtend}, // Mc TAKRI SIGN VISARGA + {0x116AD, 0x116AD, prExtend}, // Mn TAKRI VOWEL SIGN AA + {0x116AE, 0x116AF, prExtend}, // Mc [2] TAKRI VOWEL SIGN I..TAKRI VOWEL SIGN II + {0x116B0, 0x116B5, prExtend}, // Mn [6] TAKRI VOWEL SIGN U..TAKRI VOWEL SIGN AU + {0x116B6, 0x116B6, prExtend}, // Mc TAKRI SIGN VIRAMA + {0x116B7, 0x116B7, prExtend}, // Mn TAKRI SIGN NUKTA + {0x116B8, 0x116B8, prOLetter}, // Lo TAKRI LETTER ARCHAIC KHA + {0x116C0, 0x116C9, prNumeric}, // Nd [10] TAKRI DIGIT ZERO..TAKRI DIGIT NINE + {0x11700, 0x1171A, prOLetter}, // Lo [27] AHOM LETTER KA..AHOM LETTER ALTERNATE BA + {0x1171D, 0x1171F, prExtend}, // Mn [3] AHOM CONSONANT SIGN MEDIAL LA..AHOM CONSONANT SIGN MEDIAL LIGATING RA + {0x11720, 0x11721, prExtend}, // Mc [2] AHOM VOWEL SIGN A..AHOM VOWEL SIGN AA + {0x11722, 0x11725, prExtend}, // Mn [4] AHOM VOWEL SIGN I..AHOM VOWEL SIGN UU + {0x11726, 0x11726, prExtend}, // Mc AHOM VOWEL SIGN E + {0x11727, 0x1172B, prExtend}, // Mn [5] AHOM VOWEL SIGN AW..AHOM SIGN KILLER + {0x11730, 0x11739, prNumeric}, // Nd [10] AHOM DIGIT ZERO..AHOM DIGIT NINE + {0x1173C, 0x1173E, prSTerm}, // Po [3] AHOM SIGN SMALL SECTION..AHOM SIGN RULAI + {0x11740, 0x11746, prOLetter}, // Lo [7] AHOM LETTER CA..AHOM LETTER LLA + {0x11800, 0x1182B, prOLetter}, // Lo [44] DOGRA LETTER A..DOGRA LETTER RRA + {0x1182C, 0x1182E, prExtend}, // Mc [3] DOGRA VOWEL SIGN AA..DOGRA VOWEL SIGN II + {0x1182F, 0x11837, prExtend}, // Mn [9] DOGRA VOWEL SIGN U..DOGRA SIGN ANUSVARA + {0x11838, 0x11838, prExtend}, // Mc DOGRA SIGN VISARGA + {0x11839, 0x1183A, prExtend}, // Mn [2] DOGRA SIGN VIRAMA..DOGRA SIGN NUKTA + {0x118A0, 0x118BF, prUpper}, // L& [32] WARANG CITI CAPITAL LETTER NGAA..WARANG CITI CAPITAL LETTER VIYO + {0x118C0, 0x118DF, prLower}, // L& [32] WARANG CITI SMALL LETTER NGAA..WARANG CITI SMALL LETTER VIYO + {0x118E0, 0x118E9, prNumeric}, // Nd [10] WARANG CITI DIGIT ZERO..WARANG CITI DIGIT NINE + {0x118FF, 0x11906, prOLetter}, // Lo [8] WARANG CITI OM..DIVES AKURU LETTER E + {0x11909, 0x11909, prOLetter}, // Lo DIVES AKURU LETTER O + {0x1190C, 0x11913, prOLetter}, // Lo [8] DIVES AKURU LETTER KA..DIVES AKURU LETTER JA + {0x11915, 0x11916, prOLetter}, // Lo [2] DIVES AKURU LETTER NYA..DIVES AKURU LETTER TTA + {0x11918, 0x1192F, prOLetter}, // Lo [24] DIVES AKURU LETTER DDA..DIVES AKURU LETTER ZA + {0x11930, 0x11935, prExtend}, // Mc [6] DIVES AKURU VOWEL SIGN AA..DIVES AKURU VOWEL SIGN E + {0x11937, 0x11938, prExtend}, // Mc [2] DIVES AKURU VOWEL SIGN AI..DIVES AKURU VOWEL SIGN O + {0x1193B, 0x1193C, prExtend}, // Mn [2] DIVES AKURU SIGN ANUSVARA..DIVES AKURU SIGN CANDRABINDU + {0x1193D, 0x1193D, prExtend}, // Mc DIVES AKURU SIGN HALANTA + {0x1193E, 0x1193E, prExtend}, // Mn DIVES AKURU VIRAMA + {0x1193F, 0x1193F, prOLetter}, // Lo DIVES AKURU PREFIXED NASAL SIGN + {0x11940, 0x11940, prExtend}, // Mc DIVES AKURU MEDIAL YA + {0x11941, 0x11941, prOLetter}, // Lo DIVES AKURU INITIAL RA + {0x11942, 0x11942, prExtend}, // Mc DIVES AKURU MEDIAL RA + {0x11943, 0x11943, prExtend}, // Mn DIVES AKURU SIGN NUKTA + {0x11944, 0x11944, prSTerm}, // Po DIVES AKURU DOUBLE DANDA + {0x11946, 0x11946, prSTerm}, // Po DIVES AKURU END OF TEXT MARK + {0x11950, 0x11959, prNumeric}, // Nd [10] DIVES AKURU DIGIT ZERO..DIVES AKURU DIGIT NINE + {0x119A0, 0x119A7, prOLetter}, // Lo [8] NANDINAGARI LETTER A..NANDINAGARI LETTER VOCALIC RR + {0x119AA, 0x119D0, prOLetter}, // Lo [39] NANDINAGARI LETTER E..NANDINAGARI LETTER RRA + {0x119D1, 0x119D3, prExtend}, // Mc [3] NANDINAGARI VOWEL SIGN AA..NANDINAGARI VOWEL SIGN II + {0x119D4, 0x119D7, prExtend}, // Mn [4] NANDINAGARI VOWEL SIGN U..NANDINAGARI VOWEL SIGN VOCALIC RR + {0x119DA, 0x119DB, prExtend}, // Mn [2] NANDINAGARI VOWEL SIGN E..NANDINAGARI VOWEL SIGN AI + {0x119DC, 0x119DF, prExtend}, // Mc [4] NANDINAGARI VOWEL SIGN O..NANDINAGARI SIGN VISARGA + {0x119E0, 0x119E0, prExtend}, // Mn NANDINAGARI SIGN VIRAMA + {0x119E1, 0x119E1, prOLetter}, // Lo NANDINAGARI SIGN AVAGRAHA + {0x119E3, 0x119E3, prOLetter}, // Lo NANDINAGARI HEADSTROKE + {0x119E4, 0x119E4, prExtend}, // Mc NANDINAGARI VOWEL SIGN PRISHTHAMATRA E + {0x11A00, 0x11A00, prOLetter}, // Lo ZANABAZAR SQUARE LETTER A + {0x11A01, 0x11A0A, prExtend}, // Mn [10] ZANABAZAR SQUARE VOWEL SIGN I..ZANABAZAR SQUARE VOWEL LENGTH MARK + {0x11A0B, 0x11A32, prOLetter}, // Lo [40] ZANABAZAR SQUARE LETTER KA..ZANABAZAR SQUARE LETTER KSSA + {0x11A33, 0x11A38, prExtend}, // Mn [6] ZANABAZAR SQUARE FINAL CONSONANT MARK..ZANABAZAR SQUARE SIGN ANUSVARA + {0x11A39, 0x11A39, prExtend}, // Mc ZANABAZAR SQUARE SIGN VISARGA + {0x11A3A, 0x11A3A, prOLetter}, // Lo ZANABAZAR SQUARE CLUSTER-INITIAL LETTER RA + {0x11A3B, 0x11A3E, prExtend}, // Mn [4] ZANABAZAR SQUARE CLUSTER-FINAL LETTER YA..ZANABAZAR SQUARE CLUSTER-FINAL LETTER VA + {0x11A42, 0x11A43, prSTerm}, // Po [2] ZANABAZAR SQUARE MARK SHAD..ZANABAZAR SQUARE MARK DOUBLE SHAD + {0x11A47, 0x11A47, prExtend}, // Mn ZANABAZAR SQUARE SUBJOINER + {0x11A50, 0x11A50, prOLetter}, // Lo SOYOMBO LETTER A + {0x11A51, 0x11A56, prExtend}, // Mn [6] SOYOMBO VOWEL SIGN I..SOYOMBO VOWEL SIGN OE + {0x11A57, 0x11A58, prExtend}, // Mc [2] SOYOMBO VOWEL SIGN AI..SOYOMBO VOWEL SIGN AU + {0x11A59, 0x11A5B, prExtend}, // Mn [3] SOYOMBO VOWEL SIGN VOCALIC R..SOYOMBO VOWEL LENGTH MARK + {0x11A5C, 0x11A89, prOLetter}, // Lo [46] SOYOMBO LETTER KA..SOYOMBO CLUSTER-INITIAL LETTER SA + {0x11A8A, 0x11A96, prExtend}, // Mn [13] SOYOMBO FINAL CONSONANT SIGN G..SOYOMBO SIGN ANUSVARA + {0x11A97, 0x11A97, prExtend}, // Mc SOYOMBO SIGN VISARGA + {0x11A98, 0x11A99, prExtend}, // Mn [2] SOYOMBO GEMINATION MARK..SOYOMBO SUBJOINER + {0x11A9B, 0x11A9C, prSTerm}, // Po [2] SOYOMBO MARK SHAD..SOYOMBO MARK DOUBLE SHAD + {0x11A9D, 0x11A9D, prOLetter}, // Lo SOYOMBO MARK PLUTA + {0x11AB0, 0x11AF8, prOLetter}, // Lo [73] CANADIAN SYLLABICS NATTILIK HI..PAU CIN HAU GLOTTAL STOP FINAL + {0x11C00, 0x11C08, prOLetter}, // Lo [9] BHAIKSUKI LETTER A..BHAIKSUKI LETTER VOCALIC L + {0x11C0A, 0x11C2E, prOLetter}, // Lo [37] BHAIKSUKI LETTER E..BHAIKSUKI LETTER HA + {0x11C2F, 0x11C2F, prExtend}, // Mc BHAIKSUKI VOWEL SIGN AA + {0x11C30, 0x11C36, prExtend}, // Mn [7] BHAIKSUKI VOWEL SIGN I..BHAIKSUKI VOWEL SIGN VOCALIC L + {0x11C38, 0x11C3D, prExtend}, // Mn [6] BHAIKSUKI VOWEL SIGN E..BHAIKSUKI SIGN ANUSVARA + {0x11C3E, 0x11C3E, prExtend}, // Mc BHAIKSUKI SIGN VISARGA + {0x11C3F, 0x11C3F, prExtend}, // Mn BHAIKSUKI SIGN VIRAMA + {0x11C40, 0x11C40, prOLetter}, // Lo BHAIKSUKI SIGN AVAGRAHA + {0x11C41, 0x11C42, prSTerm}, // Po [2] BHAIKSUKI DANDA..BHAIKSUKI DOUBLE DANDA + {0x11C50, 0x11C59, prNumeric}, // Nd [10] BHAIKSUKI DIGIT ZERO..BHAIKSUKI DIGIT NINE + {0x11C72, 0x11C8F, prOLetter}, // Lo [30] MARCHEN LETTER KA..MARCHEN LETTER A + {0x11C92, 0x11CA7, prExtend}, // Mn [22] MARCHEN SUBJOINED LETTER KA..MARCHEN SUBJOINED LETTER ZA + {0x11CA9, 0x11CA9, prExtend}, // Mc MARCHEN SUBJOINED LETTER YA + {0x11CAA, 0x11CB0, prExtend}, // Mn [7] MARCHEN SUBJOINED LETTER RA..MARCHEN VOWEL SIGN AA + {0x11CB1, 0x11CB1, prExtend}, // Mc MARCHEN VOWEL SIGN I + {0x11CB2, 0x11CB3, prExtend}, // Mn [2] MARCHEN VOWEL SIGN U..MARCHEN VOWEL SIGN E + {0x11CB4, 0x11CB4, prExtend}, // Mc MARCHEN VOWEL SIGN O + {0x11CB5, 0x11CB6, prExtend}, // Mn [2] MARCHEN SIGN ANUSVARA..MARCHEN SIGN CANDRABINDU + {0x11D00, 0x11D06, prOLetter}, // Lo [7] MASARAM GONDI LETTER A..MASARAM GONDI LETTER E + {0x11D08, 0x11D09, prOLetter}, // Lo [2] MASARAM GONDI LETTER AI..MASARAM GONDI LETTER O + {0x11D0B, 0x11D30, prOLetter}, // Lo [38] MASARAM GONDI LETTER AU..MASARAM GONDI LETTER TRA + {0x11D31, 0x11D36, prExtend}, // Mn [6] MASARAM GONDI VOWEL SIGN AA..MASARAM GONDI VOWEL SIGN VOCALIC R + {0x11D3A, 0x11D3A, prExtend}, // Mn MASARAM GONDI VOWEL SIGN E + {0x11D3C, 0x11D3D, prExtend}, // Mn [2] MASARAM GONDI VOWEL SIGN AI..MASARAM GONDI VOWEL SIGN O + {0x11D3F, 0x11D45, prExtend}, // Mn [7] MASARAM GONDI VOWEL SIGN AU..MASARAM GONDI VIRAMA + {0x11D46, 0x11D46, prOLetter}, // Lo MASARAM GONDI REPHA + {0x11D47, 0x11D47, prExtend}, // Mn MASARAM GONDI RA-KARA + {0x11D50, 0x11D59, prNumeric}, // Nd [10] MASARAM GONDI DIGIT ZERO..MASARAM GONDI DIGIT NINE + {0x11D60, 0x11D65, prOLetter}, // Lo [6] GUNJALA GONDI LETTER A..GUNJALA GONDI LETTER UU + {0x11D67, 0x11D68, prOLetter}, // Lo [2] GUNJALA GONDI LETTER EE..GUNJALA GONDI LETTER AI + {0x11D6A, 0x11D89, prOLetter}, // Lo [32] GUNJALA GONDI LETTER OO..GUNJALA GONDI LETTER SA + {0x11D8A, 0x11D8E, prExtend}, // Mc [5] GUNJALA GONDI VOWEL SIGN AA..GUNJALA GONDI VOWEL SIGN UU + {0x11D90, 0x11D91, prExtend}, // Mn [2] GUNJALA GONDI VOWEL SIGN EE..GUNJALA GONDI VOWEL SIGN AI + {0x11D93, 0x11D94, prExtend}, // Mc [2] GUNJALA GONDI VOWEL SIGN OO..GUNJALA GONDI VOWEL SIGN AU + {0x11D95, 0x11D95, prExtend}, // Mn GUNJALA GONDI SIGN ANUSVARA + {0x11D96, 0x11D96, prExtend}, // Mc GUNJALA GONDI SIGN VISARGA + {0x11D97, 0x11D97, prExtend}, // Mn GUNJALA GONDI VIRAMA + {0x11D98, 0x11D98, prOLetter}, // Lo GUNJALA GONDI OM + {0x11DA0, 0x11DA9, prNumeric}, // Nd [10] GUNJALA GONDI DIGIT ZERO..GUNJALA GONDI DIGIT NINE + {0x11EE0, 0x11EF2, prOLetter}, // Lo [19] MAKASAR LETTER KA..MAKASAR ANGKA + {0x11EF3, 0x11EF4, prExtend}, // Mn [2] MAKASAR VOWEL SIGN I..MAKASAR VOWEL SIGN U + {0x11EF5, 0x11EF6, prExtend}, // Mc [2] MAKASAR VOWEL SIGN E..MAKASAR VOWEL SIGN O + {0x11EF7, 0x11EF8, prSTerm}, // Po [2] MAKASAR PASSIMBANG..MAKASAR END OF SECTION + {0x11F00, 0x11F01, prExtend}, // Mn [2] KAWI SIGN CANDRABINDU..KAWI SIGN ANUSVARA + {0x11F02, 0x11F02, prOLetter}, // Lo KAWI SIGN REPHA + {0x11F03, 0x11F03, prExtend}, // Mc KAWI SIGN VISARGA + {0x11F04, 0x11F10, prOLetter}, // Lo [13] KAWI LETTER A..KAWI LETTER O + {0x11F12, 0x11F33, prOLetter}, // Lo [34] KAWI LETTER KA..KAWI LETTER JNYA + {0x11F34, 0x11F35, prExtend}, // Mc [2] KAWI VOWEL SIGN AA..KAWI VOWEL SIGN ALTERNATE AA + {0x11F36, 0x11F3A, prExtend}, // Mn [5] KAWI VOWEL SIGN I..KAWI VOWEL SIGN VOCALIC R + {0x11F3E, 0x11F3F, prExtend}, // Mc [2] KAWI VOWEL SIGN E..KAWI VOWEL SIGN AI + {0x11F40, 0x11F40, prExtend}, // Mn KAWI VOWEL SIGN EU + {0x11F41, 0x11F41, prExtend}, // Mc KAWI SIGN KILLER + {0x11F42, 0x11F42, prExtend}, // Mn KAWI CONJOINER + {0x11F43, 0x11F44, prSTerm}, // Po [2] KAWI DANDA..KAWI DOUBLE DANDA + {0x11F50, 0x11F59, prNumeric}, // Nd [10] KAWI DIGIT ZERO..KAWI DIGIT NINE + {0x11FB0, 0x11FB0, prOLetter}, // Lo LISU LETTER YHA + {0x12000, 0x12399, prOLetter}, // Lo [922] CUNEIFORM SIGN A..CUNEIFORM SIGN U U + {0x12400, 0x1246E, prOLetter}, // Nl [111] CUNEIFORM NUMERIC SIGN TWO ASH..CUNEIFORM NUMERIC SIGN NINE U VARIANT FORM + {0x12480, 0x12543, prOLetter}, // Lo [196] CUNEIFORM SIGN AB TIMES NUN TENU..CUNEIFORM SIGN ZU5 TIMES THREE DISH TENU + {0x12F90, 0x12FF0, prOLetter}, // Lo [97] CYPRO-MINOAN SIGN CM001..CYPRO-MINOAN SIGN CM114 + {0x13000, 0x1342F, prOLetter}, // Lo [1072] EGYPTIAN HIEROGLYPH A001..EGYPTIAN HIEROGLYPH V011D + {0x13430, 0x1343F, prFormat}, // Cf [16] EGYPTIAN HIEROGLYPH VERTICAL JOINER..EGYPTIAN HIEROGLYPH END WALLED ENCLOSURE + {0x13440, 0x13440, prExtend}, // Mn EGYPTIAN HIEROGLYPH MIRROR HORIZONTALLY + {0x13441, 0x13446, prOLetter}, // Lo [6] EGYPTIAN HIEROGLYPH FULL BLANK..EGYPTIAN HIEROGLYPH WIDE LOST SIGN + {0x13447, 0x13455, prExtend}, // Mn [15] EGYPTIAN HIEROGLYPH MODIFIER DAMAGED AT TOP START..EGYPTIAN HIEROGLYPH MODIFIER DAMAGED + {0x14400, 0x14646, prOLetter}, // Lo [583] ANATOLIAN HIEROGLYPH A001..ANATOLIAN HIEROGLYPH A530 + {0x16800, 0x16A38, prOLetter}, // Lo [569] BAMUM LETTER PHASE-A NGKUE MFON..BAMUM LETTER PHASE-F VUEQ + {0x16A40, 0x16A5E, prOLetter}, // Lo [31] MRO LETTER TA..MRO LETTER TEK + {0x16A60, 0x16A69, prNumeric}, // Nd [10] MRO DIGIT ZERO..MRO DIGIT NINE + {0x16A6E, 0x16A6F, prSTerm}, // Po [2] MRO DANDA..MRO DOUBLE DANDA + {0x16A70, 0x16ABE, prOLetter}, // Lo [79] TANGSA LETTER OZ..TANGSA LETTER ZA + {0x16AC0, 0x16AC9, prNumeric}, // Nd [10] TANGSA DIGIT ZERO..TANGSA DIGIT NINE + {0x16AD0, 0x16AED, prOLetter}, // Lo [30] BASSA VAH LETTER ENNI..BASSA VAH LETTER I + {0x16AF0, 0x16AF4, prExtend}, // Mn [5] BASSA VAH COMBINING HIGH TONE..BASSA VAH COMBINING HIGH-LOW TONE + {0x16AF5, 0x16AF5, prSTerm}, // Po BASSA VAH FULL STOP + {0x16B00, 0x16B2F, prOLetter}, // Lo [48] PAHAWH HMONG VOWEL KEEB..PAHAWH HMONG CONSONANT CAU + {0x16B30, 0x16B36, prExtend}, // Mn [7] PAHAWH HMONG MARK CIM TUB..PAHAWH HMONG MARK CIM TAUM + {0x16B37, 0x16B38, prSTerm}, // Po [2] PAHAWH HMONG SIGN VOS THOM..PAHAWH HMONG SIGN VOS TSHAB CEEB + {0x16B40, 0x16B43, prOLetter}, // Lm [4] PAHAWH HMONG SIGN VOS SEEV..PAHAWH HMONG SIGN IB YAM + {0x16B44, 0x16B44, prSTerm}, // Po PAHAWH HMONG SIGN XAUS + {0x16B50, 0x16B59, prNumeric}, // Nd [10] PAHAWH HMONG DIGIT ZERO..PAHAWH HMONG DIGIT NINE + {0x16B63, 0x16B77, prOLetter}, // Lo [21] PAHAWH HMONG SIGN VOS LUB..PAHAWH HMONG SIGN CIM NRES TOS + {0x16B7D, 0x16B8F, prOLetter}, // Lo [19] PAHAWH HMONG CLAN SIGN TSHEEJ..PAHAWH HMONG CLAN SIGN VWJ + {0x16E40, 0x16E5F, prUpper}, // L& [32] MEDEFAIDRIN CAPITAL LETTER M..MEDEFAIDRIN CAPITAL LETTER Y + {0x16E60, 0x16E7F, prLower}, // L& [32] MEDEFAIDRIN SMALL LETTER M..MEDEFAIDRIN SMALL LETTER Y + {0x16E98, 0x16E98, prSTerm}, // Po MEDEFAIDRIN FULL STOP + {0x16F00, 0x16F4A, prOLetter}, // Lo [75] MIAO LETTER PA..MIAO LETTER RTE + {0x16F4F, 0x16F4F, prExtend}, // Mn MIAO SIGN CONSONANT MODIFIER BAR + {0x16F50, 0x16F50, prOLetter}, // Lo MIAO LETTER NASALIZATION + {0x16F51, 0x16F87, prExtend}, // Mc [55] MIAO SIGN ASPIRATION..MIAO VOWEL SIGN UI + {0x16F8F, 0x16F92, prExtend}, // Mn [4] MIAO TONE RIGHT..MIAO TONE BELOW + {0x16F93, 0x16F9F, prOLetter}, // Lm [13] MIAO LETTER TONE-2..MIAO LETTER REFORMED TONE-8 + {0x16FE0, 0x16FE1, prOLetter}, // Lm [2] TANGUT ITERATION MARK..NUSHU ITERATION MARK + {0x16FE3, 0x16FE3, prOLetter}, // Lm OLD CHINESE ITERATION MARK + {0x16FE4, 0x16FE4, prExtend}, // Mn KHITAN SMALL SCRIPT FILLER + {0x16FF0, 0x16FF1, prExtend}, // Mc [2] VIETNAMESE ALTERNATE READING MARK CA..VIETNAMESE ALTERNATE READING MARK NHAY + {0x17000, 0x187F7, prOLetter}, // Lo [6136] TANGUT IDEOGRAPH-17000..TANGUT IDEOGRAPH-187F7 + {0x18800, 0x18CD5, prOLetter}, // Lo [1238] TANGUT COMPONENT-001..KHITAN SMALL SCRIPT CHARACTER-18CD5 + {0x18D00, 0x18D08, prOLetter}, // Lo [9] TANGUT IDEOGRAPH-18D00..TANGUT IDEOGRAPH-18D08 + {0x1AFF0, 0x1AFF3, prOLetter}, // Lm [4] KATAKANA LETTER MINNAN TONE-2..KATAKANA LETTER MINNAN TONE-5 + {0x1AFF5, 0x1AFFB, prOLetter}, // Lm [7] KATAKANA LETTER MINNAN TONE-7..KATAKANA LETTER MINNAN NASALIZED TONE-5 + {0x1AFFD, 0x1AFFE, prOLetter}, // Lm [2] KATAKANA LETTER MINNAN NASALIZED TONE-7..KATAKANA LETTER MINNAN NASALIZED TONE-8 + {0x1B000, 0x1B122, prOLetter}, // Lo [291] KATAKANA LETTER ARCHAIC E..KATAKANA LETTER ARCHAIC WU + {0x1B132, 0x1B132, prOLetter}, // Lo HIRAGANA LETTER SMALL KO + {0x1B150, 0x1B152, prOLetter}, // Lo [3] HIRAGANA LETTER SMALL WI..HIRAGANA LETTER SMALL WO + {0x1B155, 0x1B155, prOLetter}, // Lo KATAKANA LETTER SMALL KO + {0x1B164, 0x1B167, prOLetter}, // Lo [4] KATAKANA LETTER SMALL WI..KATAKANA LETTER SMALL N + {0x1B170, 0x1B2FB, prOLetter}, // Lo [396] NUSHU CHARACTER-1B170..NUSHU CHARACTER-1B2FB + {0x1BC00, 0x1BC6A, prOLetter}, // Lo [107] DUPLOYAN LETTER H..DUPLOYAN LETTER VOCALIC M + {0x1BC70, 0x1BC7C, prOLetter}, // Lo [13] DUPLOYAN AFFIX LEFT HORIZONTAL SECANT..DUPLOYAN AFFIX ATTACHED TANGENT HOOK + {0x1BC80, 0x1BC88, prOLetter}, // Lo [9] DUPLOYAN AFFIX HIGH ACUTE..DUPLOYAN AFFIX HIGH VERTICAL + {0x1BC90, 0x1BC99, prOLetter}, // Lo [10] DUPLOYAN AFFIX LOW ACUTE..DUPLOYAN AFFIX LOW ARROW + {0x1BC9D, 0x1BC9E, prExtend}, // Mn [2] DUPLOYAN THICK LETTER SELECTOR..DUPLOYAN DOUBLE MARK + {0x1BC9F, 0x1BC9F, prSTerm}, // Po DUPLOYAN PUNCTUATION CHINOOK FULL STOP + {0x1BCA0, 0x1BCA3, prFormat}, // Cf [4] SHORTHAND FORMAT LETTER OVERLAP..SHORTHAND FORMAT UP STEP + {0x1CF00, 0x1CF2D, prExtend}, // Mn [46] ZNAMENNY COMBINING MARK GORAZDO NIZKO S KRYZHEM ON LEFT..ZNAMENNY COMBINING MARK KRYZH ON LEFT + {0x1CF30, 0x1CF46, prExtend}, // Mn [23] ZNAMENNY COMBINING TONAL RANGE MARK MRACHNO..ZNAMENNY PRIZNAK MODIFIER ROG + {0x1D165, 0x1D166, prExtend}, // Mc [2] MUSICAL SYMBOL COMBINING STEM..MUSICAL SYMBOL COMBINING SPRECHGESANG STEM + {0x1D167, 0x1D169, prExtend}, // Mn [3] MUSICAL SYMBOL COMBINING TREMOLO-1..MUSICAL SYMBOL COMBINING TREMOLO-3 + {0x1D16D, 0x1D172, prExtend}, // Mc [6] MUSICAL SYMBOL COMBINING AUGMENTATION DOT..MUSICAL SYMBOL COMBINING FLAG-5 + {0x1D173, 0x1D17A, prFormat}, // Cf [8] MUSICAL SYMBOL BEGIN BEAM..MUSICAL SYMBOL END PHRASE + {0x1D17B, 0x1D182, prExtend}, // Mn [8] MUSICAL SYMBOL COMBINING ACCENT..MUSICAL SYMBOL COMBINING LOURE + {0x1D185, 0x1D18B, prExtend}, // Mn [7] MUSICAL SYMBOL COMBINING DOIT..MUSICAL SYMBOL COMBINING TRIPLE TONGUE + {0x1D1AA, 0x1D1AD, prExtend}, // Mn [4] MUSICAL SYMBOL COMBINING DOWN BOW..MUSICAL SYMBOL COMBINING SNAP PIZZICATO + {0x1D242, 0x1D244, prExtend}, // Mn [3] COMBINING GREEK MUSICAL TRISEME..COMBINING GREEK MUSICAL PENTASEME + {0x1D400, 0x1D419, prUpper}, // L& [26] MATHEMATICAL BOLD CAPITAL A..MATHEMATICAL BOLD CAPITAL Z + {0x1D41A, 0x1D433, prLower}, // L& [26] MATHEMATICAL BOLD SMALL A..MATHEMATICAL BOLD SMALL Z + {0x1D434, 0x1D44D, prUpper}, // L& [26] MATHEMATICAL ITALIC CAPITAL A..MATHEMATICAL ITALIC CAPITAL Z + {0x1D44E, 0x1D454, prLower}, // L& [7] MATHEMATICAL ITALIC SMALL A..MATHEMATICAL ITALIC SMALL G + {0x1D456, 0x1D467, prLower}, // L& [18] MATHEMATICAL ITALIC SMALL I..MATHEMATICAL ITALIC SMALL Z + {0x1D468, 0x1D481, prUpper}, // L& [26] MATHEMATICAL BOLD ITALIC CAPITAL A..MATHEMATICAL BOLD ITALIC CAPITAL Z + {0x1D482, 0x1D49B, prLower}, // L& [26] MATHEMATICAL BOLD ITALIC SMALL A..MATHEMATICAL BOLD ITALIC SMALL Z + {0x1D49C, 0x1D49C, prUpper}, // L& MATHEMATICAL SCRIPT CAPITAL A + {0x1D49E, 0x1D49F, prUpper}, // L& [2] MATHEMATICAL SCRIPT CAPITAL C..MATHEMATICAL SCRIPT CAPITAL D + {0x1D4A2, 0x1D4A2, prUpper}, // L& MATHEMATICAL SCRIPT CAPITAL G + {0x1D4A5, 0x1D4A6, prUpper}, // L& [2] MATHEMATICAL SCRIPT CAPITAL J..MATHEMATICAL SCRIPT CAPITAL K + {0x1D4A9, 0x1D4AC, prUpper}, // L& [4] MATHEMATICAL SCRIPT CAPITAL N..MATHEMATICAL SCRIPT CAPITAL Q + {0x1D4AE, 0x1D4B5, prUpper}, // L& [8] MATHEMATICAL SCRIPT CAPITAL S..MATHEMATICAL SCRIPT CAPITAL Z + {0x1D4B6, 0x1D4B9, prLower}, // L& [4] MATHEMATICAL SCRIPT SMALL A..MATHEMATICAL SCRIPT SMALL D + {0x1D4BB, 0x1D4BB, prLower}, // L& MATHEMATICAL SCRIPT SMALL F + {0x1D4BD, 0x1D4C3, prLower}, // L& [7] MATHEMATICAL SCRIPT SMALL H..MATHEMATICAL SCRIPT SMALL N + {0x1D4C5, 0x1D4CF, prLower}, // L& [11] MATHEMATICAL SCRIPT SMALL P..MATHEMATICAL SCRIPT SMALL Z + {0x1D4D0, 0x1D4E9, prUpper}, // L& [26] MATHEMATICAL BOLD SCRIPT CAPITAL A..MATHEMATICAL BOLD SCRIPT CAPITAL Z + {0x1D4EA, 0x1D503, prLower}, // L& [26] MATHEMATICAL BOLD SCRIPT SMALL A..MATHEMATICAL BOLD SCRIPT SMALL Z + {0x1D504, 0x1D505, prUpper}, // L& [2] MATHEMATICAL FRAKTUR CAPITAL A..MATHEMATICAL FRAKTUR CAPITAL B + {0x1D507, 0x1D50A, prUpper}, // L& [4] MATHEMATICAL FRAKTUR CAPITAL D..MATHEMATICAL FRAKTUR CAPITAL G + {0x1D50D, 0x1D514, prUpper}, // L& [8] MATHEMATICAL FRAKTUR CAPITAL J..MATHEMATICAL FRAKTUR CAPITAL Q + {0x1D516, 0x1D51C, prUpper}, // L& [7] MATHEMATICAL FRAKTUR CAPITAL S..MATHEMATICAL FRAKTUR CAPITAL Y + {0x1D51E, 0x1D537, prLower}, // L& [26] MATHEMATICAL FRAKTUR SMALL A..MATHEMATICAL FRAKTUR SMALL Z + {0x1D538, 0x1D539, prUpper}, // L& [2] MATHEMATICAL DOUBLE-STRUCK CAPITAL A..MATHEMATICAL DOUBLE-STRUCK CAPITAL B + {0x1D53B, 0x1D53E, prUpper}, // L& [4] MATHEMATICAL DOUBLE-STRUCK CAPITAL D..MATHEMATICAL DOUBLE-STRUCK CAPITAL G + {0x1D540, 0x1D544, prUpper}, // L& [5] MATHEMATICAL DOUBLE-STRUCK CAPITAL I..MATHEMATICAL DOUBLE-STRUCK CAPITAL M + {0x1D546, 0x1D546, prUpper}, // L& MATHEMATICAL DOUBLE-STRUCK CAPITAL O + {0x1D54A, 0x1D550, prUpper}, // L& [7] MATHEMATICAL DOUBLE-STRUCK CAPITAL S..MATHEMATICAL DOUBLE-STRUCK CAPITAL Y + {0x1D552, 0x1D56B, prLower}, // L& [26] MATHEMATICAL DOUBLE-STRUCK SMALL A..MATHEMATICAL DOUBLE-STRUCK SMALL Z + {0x1D56C, 0x1D585, prUpper}, // L& [26] MATHEMATICAL BOLD FRAKTUR CAPITAL A..MATHEMATICAL BOLD FRAKTUR CAPITAL Z + {0x1D586, 0x1D59F, prLower}, // L& [26] MATHEMATICAL BOLD FRAKTUR SMALL A..MATHEMATICAL BOLD FRAKTUR SMALL Z + {0x1D5A0, 0x1D5B9, prUpper}, // L& [26] MATHEMATICAL SANS-SERIF CAPITAL A..MATHEMATICAL SANS-SERIF CAPITAL Z + {0x1D5BA, 0x1D5D3, prLower}, // L& [26] MATHEMATICAL SANS-SERIF SMALL A..MATHEMATICAL SANS-SERIF SMALL Z + {0x1D5D4, 0x1D5ED, prUpper}, // L& [26] MATHEMATICAL SANS-SERIF BOLD CAPITAL A..MATHEMATICAL SANS-SERIF BOLD CAPITAL Z + {0x1D5EE, 0x1D607, prLower}, // L& [26] MATHEMATICAL SANS-SERIF BOLD SMALL A..MATHEMATICAL SANS-SERIF BOLD SMALL Z + {0x1D608, 0x1D621, prUpper}, // L& [26] MATHEMATICAL SANS-SERIF ITALIC CAPITAL A..MATHEMATICAL SANS-SERIF ITALIC CAPITAL Z + {0x1D622, 0x1D63B, prLower}, // L& [26] MATHEMATICAL SANS-SERIF ITALIC SMALL A..MATHEMATICAL SANS-SERIF ITALIC SMALL Z + {0x1D63C, 0x1D655, prUpper}, // L& [26] MATHEMATICAL SANS-SERIF BOLD ITALIC CAPITAL A..MATHEMATICAL SANS-SERIF BOLD ITALIC CAPITAL Z + {0x1D656, 0x1D66F, prLower}, // L& [26] MATHEMATICAL SANS-SERIF BOLD ITALIC SMALL A..MATHEMATICAL SANS-SERIF BOLD ITALIC SMALL Z + {0x1D670, 0x1D689, prUpper}, // L& [26] MATHEMATICAL MONOSPACE CAPITAL A..MATHEMATICAL MONOSPACE CAPITAL Z + {0x1D68A, 0x1D6A5, prLower}, // L& [28] MATHEMATICAL MONOSPACE SMALL A..MATHEMATICAL ITALIC SMALL DOTLESS J + {0x1D6A8, 0x1D6C0, prUpper}, // L& [25] MATHEMATICAL BOLD CAPITAL ALPHA..MATHEMATICAL BOLD CAPITAL OMEGA + {0x1D6C2, 0x1D6DA, prLower}, // L& [25] MATHEMATICAL BOLD SMALL ALPHA..MATHEMATICAL BOLD SMALL OMEGA + {0x1D6DC, 0x1D6E1, prLower}, // L& [6] MATHEMATICAL BOLD EPSILON SYMBOL..MATHEMATICAL BOLD PI SYMBOL + {0x1D6E2, 0x1D6FA, prUpper}, // L& [25] MATHEMATICAL ITALIC CAPITAL ALPHA..MATHEMATICAL ITALIC CAPITAL OMEGA + {0x1D6FC, 0x1D714, prLower}, // L& [25] MATHEMATICAL ITALIC SMALL ALPHA..MATHEMATICAL ITALIC SMALL OMEGA + {0x1D716, 0x1D71B, prLower}, // L& [6] MATHEMATICAL ITALIC EPSILON SYMBOL..MATHEMATICAL ITALIC PI SYMBOL + {0x1D71C, 0x1D734, prUpper}, // L& [25] MATHEMATICAL BOLD ITALIC CAPITAL ALPHA..MATHEMATICAL BOLD ITALIC CAPITAL OMEGA + {0x1D736, 0x1D74E, prLower}, // L& [25] MATHEMATICAL BOLD ITALIC SMALL ALPHA..MATHEMATICAL BOLD ITALIC SMALL OMEGA + {0x1D750, 0x1D755, prLower}, // L& [6] MATHEMATICAL BOLD ITALIC EPSILON SYMBOL..MATHEMATICAL BOLD ITALIC PI SYMBOL + {0x1D756, 0x1D76E, prUpper}, // L& [25] MATHEMATICAL SANS-SERIF BOLD CAPITAL ALPHA..MATHEMATICAL SANS-SERIF BOLD CAPITAL OMEGA + {0x1D770, 0x1D788, prLower}, // L& [25] MATHEMATICAL SANS-SERIF BOLD SMALL ALPHA..MATHEMATICAL SANS-SERIF BOLD SMALL OMEGA + {0x1D78A, 0x1D78F, prLower}, // L& [6] MATHEMATICAL SANS-SERIF BOLD EPSILON SYMBOL..MATHEMATICAL SANS-SERIF BOLD PI SYMBOL + {0x1D790, 0x1D7A8, prUpper}, // L& [25] MATHEMATICAL SANS-SERIF BOLD ITALIC CAPITAL ALPHA..MATHEMATICAL SANS-SERIF BOLD ITALIC CAPITAL OMEGA + {0x1D7AA, 0x1D7C2, prLower}, // L& [25] MATHEMATICAL SANS-SERIF BOLD ITALIC SMALL ALPHA..MATHEMATICAL SANS-SERIF BOLD ITALIC SMALL OMEGA + {0x1D7C4, 0x1D7C9, prLower}, // L& [6] MATHEMATICAL SANS-SERIF BOLD ITALIC EPSILON SYMBOL..MATHEMATICAL SANS-SERIF BOLD ITALIC PI SYMBOL + {0x1D7CA, 0x1D7CA, prUpper}, // L& MATHEMATICAL BOLD CAPITAL DIGAMMA + {0x1D7CB, 0x1D7CB, prLower}, // L& MATHEMATICAL BOLD SMALL DIGAMMA + {0x1D7CE, 0x1D7FF, prNumeric}, // Nd [50] MATHEMATICAL BOLD DIGIT ZERO..MATHEMATICAL MONOSPACE DIGIT NINE + {0x1DA00, 0x1DA36, prExtend}, // Mn [55] SIGNWRITING HEAD RIM..SIGNWRITING AIR SUCKING IN + {0x1DA3B, 0x1DA6C, prExtend}, // Mn [50] SIGNWRITING MOUTH CLOSED NEUTRAL..SIGNWRITING EXCITEMENT + {0x1DA75, 0x1DA75, prExtend}, // Mn SIGNWRITING UPPER BODY TILTING FROM HIP JOINTS + {0x1DA84, 0x1DA84, prExtend}, // Mn SIGNWRITING LOCATION HEAD NECK + {0x1DA88, 0x1DA88, prSTerm}, // Po SIGNWRITING FULL STOP + {0x1DA9B, 0x1DA9F, prExtend}, // Mn [5] SIGNWRITING FILL MODIFIER-2..SIGNWRITING FILL MODIFIER-6 + {0x1DAA1, 0x1DAAF, prExtend}, // Mn [15] SIGNWRITING ROTATION MODIFIER-2..SIGNWRITING ROTATION MODIFIER-16 + {0x1DF00, 0x1DF09, prLower}, // L& [10] LATIN SMALL LETTER FENG DIGRAPH WITH TRILL..LATIN SMALL LETTER T WITH HOOK AND RETROFLEX HOOK + {0x1DF0A, 0x1DF0A, prOLetter}, // Lo LATIN LETTER RETROFLEX CLICK WITH RETROFLEX HOOK + {0x1DF0B, 0x1DF1E, prLower}, // L& [20] LATIN SMALL LETTER ESH WITH DOUBLE BAR..LATIN SMALL LETTER S WITH CURL + {0x1DF25, 0x1DF2A, prLower}, // L& [6] LATIN SMALL LETTER D WITH MID-HEIGHT LEFT HOOK..LATIN SMALL LETTER T WITH MID-HEIGHT LEFT HOOK + {0x1E000, 0x1E006, prExtend}, // Mn [7] COMBINING GLAGOLITIC LETTER AZU..COMBINING GLAGOLITIC LETTER ZHIVETE + {0x1E008, 0x1E018, prExtend}, // Mn [17] COMBINING GLAGOLITIC LETTER ZEMLJA..COMBINING GLAGOLITIC LETTER HERU + {0x1E01B, 0x1E021, prExtend}, // Mn [7] COMBINING GLAGOLITIC LETTER SHTA..COMBINING GLAGOLITIC LETTER YATI + {0x1E023, 0x1E024, prExtend}, // Mn [2] COMBINING GLAGOLITIC LETTER YU..COMBINING GLAGOLITIC LETTER SMALL YUS + {0x1E026, 0x1E02A, prExtend}, // Mn [5] COMBINING GLAGOLITIC LETTER YO..COMBINING GLAGOLITIC LETTER FITA + {0x1E030, 0x1E06D, prLower}, // Lm [62] MODIFIER LETTER CYRILLIC SMALL A..MODIFIER LETTER CYRILLIC SMALL STRAIGHT U WITH STROKE + {0x1E08F, 0x1E08F, prExtend}, // Mn COMBINING CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I + {0x1E100, 0x1E12C, prOLetter}, // Lo [45] NYIAKENG PUACHUE HMONG LETTER MA..NYIAKENG PUACHUE HMONG LETTER W + {0x1E130, 0x1E136, prExtend}, // Mn [7] NYIAKENG PUACHUE HMONG TONE-B..NYIAKENG PUACHUE HMONG TONE-D + {0x1E137, 0x1E13D, prOLetter}, // Lm [7] NYIAKENG PUACHUE HMONG SIGN FOR PERSON..NYIAKENG PUACHUE HMONG SYLLABLE LENGTHENER + {0x1E140, 0x1E149, prNumeric}, // Nd [10] NYIAKENG PUACHUE HMONG DIGIT ZERO..NYIAKENG PUACHUE HMONG DIGIT NINE + {0x1E14E, 0x1E14E, prOLetter}, // Lo NYIAKENG PUACHUE HMONG LOGOGRAM NYAJ + {0x1E290, 0x1E2AD, prOLetter}, // Lo [30] TOTO LETTER PA..TOTO LETTER A + {0x1E2AE, 0x1E2AE, prExtend}, // Mn TOTO SIGN RISING TONE + {0x1E2C0, 0x1E2EB, prOLetter}, // Lo [44] WANCHO LETTER AA..WANCHO LETTER YIH + {0x1E2EC, 0x1E2EF, prExtend}, // Mn [4] WANCHO TONE TUP..WANCHO TONE KOINI + {0x1E2F0, 0x1E2F9, prNumeric}, // Nd [10] WANCHO DIGIT ZERO..WANCHO DIGIT NINE + {0x1E4D0, 0x1E4EA, prOLetter}, // Lo [27] NAG MUNDARI LETTER O..NAG MUNDARI LETTER ELL + {0x1E4EB, 0x1E4EB, prOLetter}, // Lm NAG MUNDARI SIGN OJOD + {0x1E4EC, 0x1E4EF, prExtend}, // Mn [4] NAG MUNDARI SIGN MUHOR..NAG MUNDARI SIGN SUTUH + {0x1E4F0, 0x1E4F9, prNumeric}, // Nd [10] NAG MUNDARI DIGIT ZERO..NAG MUNDARI DIGIT NINE + {0x1E7E0, 0x1E7E6, prOLetter}, // Lo [7] ETHIOPIC SYLLABLE HHYA..ETHIOPIC SYLLABLE HHYO + {0x1E7E8, 0x1E7EB, prOLetter}, // Lo [4] ETHIOPIC SYLLABLE GURAGE HHWA..ETHIOPIC SYLLABLE HHWE + {0x1E7ED, 0x1E7EE, prOLetter}, // Lo [2] ETHIOPIC SYLLABLE GURAGE MWI..ETHIOPIC SYLLABLE GURAGE MWEE + {0x1E7F0, 0x1E7FE, prOLetter}, // Lo [15] ETHIOPIC SYLLABLE GURAGE QWI..ETHIOPIC SYLLABLE GURAGE PWEE + {0x1E800, 0x1E8C4, prOLetter}, // Lo [197] MENDE KIKAKUI SYLLABLE M001 KI..MENDE KIKAKUI SYLLABLE M060 NYON + {0x1E8D0, 0x1E8D6, prExtend}, // Mn [7] MENDE KIKAKUI COMBINING NUMBER TEENS..MENDE KIKAKUI COMBINING NUMBER MILLIONS + {0x1E900, 0x1E921, prUpper}, // L& [34] ADLAM CAPITAL LETTER ALIF..ADLAM CAPITAL LETTER SHA + {0x1E922, 0x1E943, prLower}, // L& [34] ADLAM SMALL LETTER ALIF..ADLAM SMALL LETTER SHA + {0x1E944, 0x1E94A, prExtend}, // Mn [7] ADLAM ALIF LENGTHENER..ADLAM NUKTA + {0x1E94B, 0x1E94B, prOLetter}, // Lm ADLAM NASALIZATION MARK + {0x1E950, 0x1E959, prNumeric}, // Nd [10] ADLAM DIGIT ZERO..ADLAM DIGIT NINE + {0x1EE00, 0x1EE03, prOLetter}, // Lo [4] ARABIC MATHEMATICAL ALEF..ARABIC MATHEMATICAL DAL + {0x1EE05, 0x1EE1F, prOLetter}, // Lo [27] ARABIC MATHEMATICAL WAW..ARABIC MATHEMATICAL DOTLESS QAF + {0x1EE21, 0x1EE22, prOLetter}, // Lo [2] ARABIC MATHEMATICAL INITIAL BEH..ARABIC MATHEMATICAL INITIAL JEEM + {0x1EE24, 0x1EE24, prOLetter}, // Lo ARABIC MATHEMATICAL INITIAL HEH + {0x1EE27, 0x1EE27, prOLetter}, // Lo ARABIC MATHEMATICAL INITIAL HAH + {0x1EE29, 0x1EE32, prOLetter}, // Lo [10] ARABIC MATHEMATICAL INITIAL YEH..ARABIC MATHEMATICAL INITIAL QAF + {0x1EE34, 0x1EE37, prOLetter}, // Lo [4] ARABIC MATHEMATICAL INITIAL SHEEN..ARABIC MATHEMATICAL INITIAL KHAH + {0x1EE39, 0x1EE39, prOLetter}, // Lo ARABIC MATHEMATICAL INITIAL DAD + {0x1EE3B, 0x1EE3B, prOLetter}, // Lo ARABIC MATHEMATICAL INITIAL GHAIN + {0x1EE42, 0x1EE42, prOLetter}, // Lo ARABIC MATHEMATICAL TAILED JEEM + {0x1EE47, 0x1EE47, prOLetter}, // Lo ARABIC MATHEMATICAL TAILED HAH + {0x1EE49, 0x1EE49, prOLetter}, // Lo ARABIC MATHEMATICAL TAILED YEH + {0x1EE4B, 0x1EE4B, prOLetter}, // Lo ARABIC MATHEMATICAL TAILED LAM + {0x1EE4D, 0x1EE4F, prOLetter}, // Lo [3] ARABIC MATHEMATICAL TAILED NOON..ARABIC MATHEMATICAL TAILED AIN + {0x1EE51, 0x1EE52, prOLetter}, // Lo [2] ARABIC MATHEMATICAL TAILED SAD..ARABIC MATHEMATICAL TAILED QAF + {0x1EE54, 0x1EE54, prOLetter}, // Lo ARABIC MATHEMATICAL TAILED SHEEN + {0x1EE57, 0x1EE57, prOLetter}, // Lo ARABIC MATHEMATICAL TAILED KHAH + {0x1EE59, 0x1EE59, prOLetter}, // Lo ARABIC MATHEMATICAL TAILED DAD + {0x1EE5B, 0x1EE5B, prOLetter}, // Lo ARABIC MATHEMATICAL TAILED GHAIN + {0x1EE5D, 0x1EE5D, prOLetter}, // Lo ARABIC MATHEMATICAL TAILED DOTLESS NOON + {0x1EE5F, 0x1EE5F, prOLetter}, // Lo ARABIC MATHEMATICAL TAILED DOTLESS QAF + {0x1EE61, 0x1EE62, prOLetter}, // Lo [2] ARABIC MATHEMATICAL STRETCHED BEH..ARABIC MATHEMATICAL STRETCHED JEEM + {0x1EE64, 0x1EE64, prOLetter}, // Lo ARABIC MATHEMATICAL STRETCHED HEH + {0x1EE67, 0x1EE6A, prOLetter}, // Lo [4] ARABIC MATHEMATICAL STRETCHED HAH..ARABIC MATHEMATICAL STRETCHED KAF + {0x1EE6C, 0x1EE72, prOLetter}, // Lo [7] ARABIC MATHEMATICAL STRETCHED MEEM..ARABIC MATHEMATICAL STRETCHED QAF + {0x1EE74, 0x1EE77, prOLetter}, // Lo [4] ARABIC MATHEMATICAL STRETCHED SHEEN..ARABIC MATHEMATICAL STRETCHED KHAH + {0x1EE79, 0x1EE7C, prOLetter}, // Lo [4] ARABIC MATHEMATICAL STRETCHED DAD..ARABIC MATHEMATICAL STRETCHED DOTLESS BEH + {0x1EE7E, 0x1EE7E, prOLetter}, // Lo ARABIC MATHEMATICAL STRETCHED DOTLESS FEH + {0x1EE80, 0x1EE89, prOLetter}, // Lo [10] ARABIC MATHEMATICAL LOOPED ALEF..ARABIC MATHEMATICAL LOOPED YEH + {0x1EE8B, 0x1EE9B, prOLetter}, // Lo [17] ARABIC MATHEMATICAL LOOPED LAM..ARABIC MATHEMATICAL LOOPED GHAIN + {0x1EEA1, 0x1EEA3, prOLetter}, // Lo [3] ARABIC MATHEMATICAL DOUBLE-STRUCK BEH..ARABIC MATHEMATICAL DOUBLE-STRUCK DAL + {0x1EEA5, 0x1EEA9, prOLetter}, // Lo [5] ARABIC MATHEMATICAL DOUBLE-STRUCK WAW..ARABIC MATHEMATICAL DOUBLE-STRUCK YEH + {0x1EEAB, 0x1EEBB, prOLetter}, // Lo [17] ARABIC MATHEMATICAL DOUBLE-STRUCK LAM..ARABIC MATHEMATICAL DOUBLE-STRUCK GHAIN + {0x1F130, 0x1F149, prUpper}, // So [26] SQUARED LATIN CAPITAL LETTER A..SQUARED LATIN CAPITAL LETTER Z + {0x1F150, 0x1F169, prUpper}, // So [26] NEGATIVE CIRCLED LATIN CAPITAL LETTER A..NEGATIVE CIRCLED LATIN CAPITAL LETTER Z + {0x1F170, 0x1F189, prUpper}, // So [26] NEGATIVE SQUARED LATIN CAPITAL LETTER A..NEGATIVE SQUARED LATIN CAPITAL LETTER Z + {0x1F676, 0x1F678, prClose}, // So [3] SANS-SERIF HEAVY DOUBLE TURNED COMMA QUOTATION MARK ORNAMENT..SANS-SERIF HEAVY LOW DOUBLE COMMA QUOTATION MARK ORNAMENT + {0x1FBF0, 0x1FBF9, prNumeric}, // Nd [10] SEGMENTED DIGIT ZERO..SEGMENTED DIGIT NINE + {0x20000, 0x2A6DF, prOLetter}, // Lo [42720] CJK UNIFIED IDEOGRAPH-20000..CJK UNIFIED IDEOGRAPH-2A6DF + {0x2A700, 0x2B739, prOLetter}, // Lo [4154] CJK UNIFIED IDEOGRAPH-2A700..CJK UNIFIED IDEOGRAPH-2B739 + {0x2B740, 0x2B81D, prOLetter}, // Lo [222] CJK UNIFIED IDEOGRAPH-2B740..CJK UNIFIED IDEOGRAPH-2B81D + {0x2B820, 0x2CEA1, prOLetter}, // Lo [5762] CJK UNIFIED IDEOGRAPH-2B820..CJK UNIFIED IDEOGRAPH-2CEA1 + {0x2CEB0, 0x2EBE0, prOLetter}, // Lo [7473] CJK UNIFIED IDEOGRAPH-2CEB0..CJK UNIFIED IDEOGRAPH-2EBE0 + {0x2F800, 0x2FA1D, prOLetter}, // Lo [542] CJK COMPATIBILITY IDEOGRAPH-2F800..CJK COMPATIBILITY IDEOGRAPH-2FA1D + {0x30000, 0x3134A, prOLetter}, // Lo [4939] CJK UNIFIED IDEOGRAPH-30000..CJK UNIFIED IDEOGRAPH-3134A + {0x31350, 0x323AF, prOLetter}, // Lo [4192] CJK UNIFIED IDEOGRAPH-31350..CJK UNIFIED IDEOGRAPH-323AF + {0xE0001, 0xE0001, prFormat}, // Cf LANGUAGE TAG + {0xE0020, 0xE007F, prExtend}, // Cf [96] TAG SPACE..CANCEL TAG + {0xE0100, 0xE01EF, prExtend}, // Mn [240] VARIATION SELECTOR-17..VARIATION SELECTOR-256 +} diff --git a/vendor/github.com/rivo/uniseg/sentencerules.go b/vendor/github.com/rivo/uniseg/sentencerules.go new file mode 100644 index 0000000000..0b29c7bdb8 --- /dev/null +++ b/vendor/github.com/rivo/uniseg/sentencerules.go @@ -0,0 +1,276 @@ +package uniseg + +import "unicode/utf8" + +// The states of the sentence break parser. +const ( + sbAny = iota + sbCR + sbParaSep + sbATerm + sbUpper + sbLower + sbSB7 + sbSB8Close + sbSB8Sp + sbSTerm + sbSB8aClose + sbSB8aSp +) + +// sbTransitions implements the sentence break parser's state transitions. It's +// anologous to [grTransitions], see comments there for details. +// +// Unicode version 15.0.0. +func sbTransitions(state, prop int) (newState int, sentenceBreak bool, rule int) { + switch uint64(state) | uint64(prop)<<32 { + // SB3. + case sbAny | prCR<<32: + return sbCR, false, 9990 + case sbCR | prLF<<32: + return sbParaSep, false, 30 + + // SB4. + case sbAny | prSep<<32: + return sbParaSep, false, 9990 + case sbAny | prLF<<32: + return sbParaSep, false, 9990 + case sbParaSep | prAny<<32: + return sbAny, true, 40 + case sbCR | prAny<<32: + return sbAny, true, 40 + + // SB6. + case sbAny | prATerm<<32: + return sbATerm, false, 9990 + case sbATerm | prNumeric<<32: + return sbAny, false, 60 + case sbSB7 | prNumeric<<32: + return sbAny, false, 60 // Because ATerm also appears in SB7. + + // SB7. + case sbAny | prUpper<<32: + return sbUpper, false, 9990 + case sbAny | prLower<<32: + return sbLower, false, 9990 + case sbUpper | prATerm<<32: + return sbSB7, false, 70 + case sbLower | prATerm<<32: + return sbSB7, false, 70 + case sbSB7 | prUpper<<32: + return sbUpper, false, 70 + + // SB8a. + case sbAny | prSTerm<<32: + return sbSTerm, false, 9990 + case sbATerm | prSContinue<<32: + return sbAny, false, 81 + case sbATerm | prATerm<<32: + return sbATerm, false, 81 + case sbATerm | prSTerm<<32: + return sbSTerm, false, 81 + case sbSB7 | prSContinue<<32: + return sbAny, false, 81 + case sbSB7 | prATerm<<32: + return sbATerm, false, 81 + case sbSB7 | prSTerm<<32: + return sbSTerm, false, 81 + case sbSB8Close | prSContinue<<32: + return sbAny, false, 81 + case sbSB8Close | prATerm<<32: + return sbATerm, false, 81 + case sbSB8Close | prSTerm<<32: + return sbSTerm, false, 81 + case sbSB8Sp | prSContinue<<32: + return sbAny, false, 81 + case sbSB8Sp | prATerm<<32: + return sbATerm, false, 81 + case sbSB8Sp | prSTerm<<32: + return sbSTerm, false, 81 + case sbSTerm | prSContinue<<32: + return sbAny, false, 81 + case sbSTerm | prATerm<<32: + return sbATerm, false, 81 + case sbSTerm | prSTerm<<32: + return sbSTerm, false, 81 + case sbSB8aClose | prSContinue<<32: + return sbAny, false, 81 + case sbSB8aClose | prATerm<<32: + return sbATerm, false, 81 + case sbSB8aClose | prSTerm<<32: + return sbSTerm, false, 81 + case sbSB8aSp | prSContinue<<32: + return sbAny, false, 81 + case sbSB8aSp | prATerm<<32: + return sbATerm, false, 81 + case sbSB8aSp | prSTerm<<32: + return sbSTerm, false, 81 + + // SB9. + case sbATerm | prClose<<32: + return sbSB8Close, false, 90 + case sbSB7 | prClose<<32: + return sbSB8Close, false, 90 + case sbSB8Close | prClose<<32: + return sbSB8Close, false, 90 + case sbATerm | prSp<<32: + return sbSB8Sp, false, 90 + case sbSB7 | prSp<<32: + return sbSB8Sp, false, 90 + case sbSB8Close | prSp<<32: + return sbSB8Sp, false, 90 + case sbSTerm | prClose<<32: + return sbSB8aClose, false, 90 + case sbSB8aClose | prClose<<32: + return sbSB8aClose, false, 90 + case sbSTerm | prSp<<32: + return sbSB8aSp, false, 90 + case sbSB8aClose | prSp<<32: + return sbSB8aSp, false, 90 + case sbATerm | prSep<<32: + return sbParaSep, false, 90 + case sbATerm | prCR<<32: + return sbParaSep, false, 90 + case sbATerm | prLF<<32: + return sbParaSep, false, 90 + case sbSB7 | prSep<<32: + return sbParaSep, false, 90 + case sbSB7 | prCR<<32: + return sbParaSep, false, 90 + case sbSB7 | prLF<<32: + return sbParaSep, false, 90 + case sbSB8Close | prSep<<32: + return sbParaSep, false, 90 + case sbSB8Close | prCR<<32: + return sbParaSep, false, 90 + case sbSB8Close | prLF<<32: + return sbParaSep, false, 90 + case sbSTerm | prSep<<32: + return sbParaSep, false, 90 + case sbSTerm | prCR<<32: + return sbParaSep, false, 90 + case sbSTerm | prLF<<32: + return sbParaSep, false, 90 + case sbSB8aClose | prSep<<32: + return sbParaSep, false, 90 + case sbSB8aClose | prCR<<32: + return sbParaSep, false, 90 + case sbSB8aClose | prLF<<32: + return sbParaSep, false, 90 + + // SB10. + case sbSB8Sp | prSp<<32: + return sbSB8Sp, false, 100 + case sbSB8aSp | prSp<<32: + return sbSB8aSp, false, 100 + case sbSB8Sp | prSep<<32: + return sbParaSep, false, 100 + case sbSB8Sp | prCR<<32: + return sbParaSep, false, 100 + case sbSB8Sp | prLF<<32: + return sbParaSep, false, 100 + + // SB11. + case sbATerm | prAny<<32: + return sbAny, true, 110 + case sbSB7 | prAny<<32: + return sbAny, true, 110 + case sbSB8Close | prAny<<32: + return sbAny, true, 110 + case sbSB8Sp | prAny<<32: + return sbAny, true, 110 + case sbSTerm | prAny<<32: + return sbAny, true, 110 + case sbSB8aClose | prAny<<32: + return sbAny, true, 110 + case sbSB8aSp | prAny<<32: + return sbAny, true, 110 + // We'll always break after ParaSep due to SB4. + + default: + return -1, false, -1 + } +} + +// transitionSentenceBreakState determines the new state of the sentence break +// parser given the current state and the next code point. It also returns +// whether a sentence boundary was detected. If more than one code point is +// needed to determine the new state, the byte slice or the string starting +// after rune "r" can be used (whichever is not nil or empty) for further +// lookups. +func transitionSentenceBreakState(state int, r rune, b []byte, str string) (newState int, sentenceBreak bool) { + // Determine the property of the next character. + nextProperty := property(sentenceBreakCodePoints, r) + + // SB5 (Replacing Ignore Rules). + if nextProperty == prExtend || nextProperty == prFormat { + if state == sbParaSep || state == sbCR { + return sbAny, true // Make sure we don't apply SB5 to SB3 or SB4. + } + if state < 0 { + return sbAny, true // SB1. + } + return state, false + } + + // Find the applicable transition in the table. + var rule int + newState, sentenceBreak, rule = sbTransitions(state, nextProperty) + if newState < 0 { + // No specific transition found. Try the less specific ones. + anyPropState, anyPropProp, anyPropRule := sbTransitions(state, prAny) + anyStateState, anyStateProp, anyStateRule := sbTransitions(sbAny, nextProperty) + if anyPropState >= 0 && anyStateState >= 0 { + // Both apply. We'll use a mix (see comments for grTransitions). + newState, sentenceBreak, rule = anyStateState, anyStateProp, anyStateRule + if anyPropRule < anyStateRule { + sentenceBreak, rule = anyPropProp, anyPropRule + } + } else if anyPropState >= 0 { + // We only have a specific state. + newState, sentenceBreak, rule = anyPropState, anyPropProp, anyPropRule + // This branch will probably never be reached because okAnyState will + // always be true given the current transition map. But we keep it here + // for future modifications to the transition map where this may not be + // true anymore. + } else if anyStateState >= 0 { + // We only have a specific property. + newState, sentenceBreak, rule = anyStateState, anyStateProp, anyStateRule + } else { + // No known transition. SB999: Any × Any. + newState, sentenceBreak, rule = sbAny, false, 9990 + } + } + + // SB8. + if rule > 80 && (state == sbATerm || state == sbSB8Close || state == sbSB8Sp || state == sbSB7) { + // Check the right side of the rule. + var length int + for nextProperty != prOLetter && + nextProperty != prUpper && + nextProperty != prLower && + nextProperty != prSep && + nextProperty != prCR && + nextProperty != prLF && + nextProperty != prATerm && + nextProperty != prSTerm { + // Move on to the next rune. + if b != nil { // Byte slice version. + r, length = utf8.DecodeRune(b) + b = b[length:] + } else { // String version. + r, length = utf8.DecodeRuneInString(str) + str = str[length:] + } + if r == utf8.RuneError { + break + } + nextProperty = property(sentenceBreakCodePoints, r) + } + if nextProperty == prLower { + return sbLower, false + } + } + + return +} diff --git a/vendor/github.com/rivo/uniseg/step.go b/vendor/github.com/rivo/uniseg/step.go new file mode 100644 index 0000000000..9b72c5e596 --- /dev/null +++ b/vendor/github.com/rivo/uniseg/step.go @@ -0,0 +1,242 @@ +package uniseg + +import "unicode/utf8" + +// The bit masks used to extract boundary information returned by [Step]. +const ( + MaskLine = 3 + MaskWord = 4 + MaskSentence = 8 +) + +// The number of bits to shift the boundary information returned by [Step] to +// obtain the monospace width of the grapheme cluster. +const ShiftWidth = 4 + +// The bit positions by which boundary flags are shifted by the [Step] function. +// These must correspond to the Mask constants. +const ( + shiftWord = 2 + shiftSentence = 3 + // shiftwWidth is ShiftWidth above. No mask as these are always the remaining bits. +) + +// The bit positions by which states are shifted by the [Step] function. These +// values must ensure state values defined for each of the boundary algorithms +// don't overlap (and that they all still fit in a single int). These must +// correspond to the Mask constants. +const ( + shiftWordState = 4 + shiftSentenceState = 9 + shiftLineState = 13 + shiftPropState = 21 // No mask as these are always the remaining bits. +) + +// The bit mask used to extract the state returned by the [Step] function, after +// shifting. These values must correspond to the shift constants. +const ( + maskGraphemeState = 0xf + maskWordState = 0x1f + maskSentenceState = 0xf + maskLineState = 0xff +) + +// Step returns the first grapheme cluster (user-perceived character) found in +// the given byte slice. It also returns information about the boundary between +// that grapheme cluster and the one following it as well as the monospace width +// of the grapheme cluster. There are three types of boundary information: word +// boundaries, sentence boundaries, and line breaks. This function is therefore +// a combination of [FirstGraphemeCluster], [FirstWord], [FirstSentence], and +// [FirstLineSegment]. +// +// The "boundaries" return value can be evaluated as follows: +// +// - boundaries&MaskWord != 0: The boundary is a word boundary. +// - boundaries&MaskWord == 0: The boundary is not a word boundary. +// - boundaries&MaskSentence != 0: The boundary is a sentence boundary. +// - boundaries&MaskSentence == 0: The boundary is not a sentence boundary. +// - boundaries&MaskLine == LineDontBreak: You must not break the line at the +// boundary. +// - boundaries&MaskLine == LineMustBreak: You must break the line at the +// boundary. +// - boundaries&MaskLine == LineCanBreak: You may or may not break the line at +// the boundary. +// - boundaries >> ShiftWidth: The width of the grapheme cluster for most +// monospace fonts where a value of 1 represents one character cell. +// +// This function can be called continuously to extract all grapheme clusters +// from a byte slice, as illustrated in the examples below. +// +// If you don't know which state to pass, for example when calling the function +// for the first time, you must pass -1. For consecutive calls, pass the state +// and rest slice returned by the previous call. +// +// The "rest" slice is the sub-slice of the original byte slice "b" starting +// after the last byte of the identified grapheme cluster. If the length of the +// "rest" slice is 0, the entire byte slice "b" has been processed. The +// "cluster" byte slice is the sub-slice of the input slice containing the +// first identified grapheme cluster. +// +// Given an empty byte slice "b", the function returns nil values. +// +// While slightly less convenient than using the Graphemes class, this function +// has much better performance and makes no allocations. It lends itself well to +// large byte slices. +// +// Note that in accordance with [UAX #14 LB3], the final segment will end with +// a mandatory line break (boundaries&MaskLine == LineMustBreak). You can choose +// to ignore this by checking if the length of the "rest" slice is 0 and calling +// [HasTrailingLineBreak] or [HasTrailingLineBreakInString] on the last rune. +// +// [UAX #14 LB3]: https://www.unicode.org/reports/tr14/#Algorithm +func Step(b []byte, state int) (cluster, rest []byte, boundaries int, newState int) { + // An empty byte slice returns nothing. + if len(b) == 0 { + return + } + + // Extract the first rune. + r, length := utf8.DecodeRune(b) + if len(b) <= length { // If we're already past the end, there is nothing else to parse. + var prop int + if state < 0 { + prop = propertyGraphemes(r) + } else { + prop = state >> shiftPropState + } + return b, nil, LineMustBreak | (1 << shiftWord) | (1 << shiftSentence) | (runeWidth(r, prop) << ShiftWidth), grAny | (wbAny << shiftWordState) | (sbAny << shiftSentenceState) | (lbAny << shiftLineState) | (prop << shiftPropState) + } + + // If we don't know the state, determine it now. + var graphemeState, wordState, sentenceState, lineState, firstProp int + remainder := b[length:] + if state < 0 { + graphemeState, firstProp, _ = transitionGraphemeState(state, r) + wordState, _ = transitionWordBreakState(state, r, remainder, "") + sentenceState, _ = transitionSentenceBreakState(state, r, remainder, "") + lineState, _ = transitionLineBreakState(state, r, remainder, "") + } else { + graphemeState = state & maskGraphemeState + wordState = (state >> shiftWordState) & maskWordState + sentenceState = (state >> shiftSentenceState) & maskSentenceState + lineState = (state >> shiftLineState) & maskLineState + firstProp = state >> shiftPropState + } + + // Transition until we find a grapheme cluster boundary. + width := runeWidth(r, firstProp) + for { + var ( + graphemeBoundary, wordBoundary, sentenceBoundary bool + lineBreak, prop int + ) + + r, l := utf8.DecodeRune(remainder) + remainder = b[length+l:] + + graphemeState, prop, graphemeBoundary = transitionGraphemeState(graphemeState, r) + wordState, wordBoundary = transitionWordBreakState(wordState, r, remainder, "") + sentenceState, sentenceBoundary = transitionSentenceBreakState(sentenceState, r, remainder, "") + lineState, lineBreak = transitionLineBreakState(lineState, r, remainder, "") + + if graphemeBoundary { + boundary := lineBreak | (width << ShiftWidth) + if wordBoundary { + boundary |= 1 << shiftWord + } + if sentenceBoundary { + boundary |= 1 << shiftSentence + } + return b[:length], b[length:], boundary, graphemeState | (wordState << shiftWordState) | (sentenceState << shiftSentenceState) | (lineState << shiftLineState) | (prop << shiftPropState) + } + + if firstProp == prExtendedPictographic { + if r == vs15 { + width = 1 + } else if r == vs16 { + width = 2 + } + } else if firstProp != prRegionalIndicator && firstProp != prL { + width += runeWidth(r, prop) + } + + length += l + if len(b) <= length { + return b, nil, LineMustBreak | (1 << shiftWord) | (1 << shiftSentence) | (width << ShiftWidth), grAny | (wbAny << shiftWordState) | (sbAny << shiftSentenceState) | (lbAny << shiftLineState) | (prop << shiftPropState) + } + } +} + +// StepString is like [Step] but its input and outputs are strings. +func StepString(str string, state int) (cluster, rest string, boundaries int, newState int) { + // An empty byte slice returns nothing. + if len(str) == 0 { + return + } + + // Extract the first rune. + r, length := utf8.DecodeRuneInString(str) + if len(str) <= length { // If we're already past the end, there is nothing else to parse. + prop := propertyGraphemes(r) + return str, "", LineMustBreak | (1 << shiftWord) | (1 << shiftSentence) | (runeWidth(r, prop) << ShiftWidth), grAny | (wbAny << shiftWordState) | (sbAny << shiftSentenceState) | (lbAny << shiftLineState) + } + + // If we don't know the state, determine it now. + var graphemeState, wordState, sentenceState, lineState, firstProp int + remainder := str[length:] + if state < 0 { + graphemeState, firstProp, _ = transitionGraphemeState(state, r) + wordState, _ = transitionWordBreakState(state, r, nil, remainder) + sentenceState, _ = transitionSentenceBreakState(state, r, nil, remainder) + lineState, _ = transitionLineBreakState(state, r, nil, remainder) + } else { + graphemeState = state & maskGraphemeState + wordState = (state >> shiftWordState) & maskWordState + sentenceState = (state >> shiftSentenceState) & maskSentenceState + lineState = (state >> shiftLineState) & maskLineState + firstProp = state >> shiftPropState + } + + // Transition until we find a grapheme cluster boundary. + width := runeWidth(r, firstProp) + for { + var ( + graphemeBoundary, wordBoundary, sentenceBoundary bool + lineBreak, prop int + ) + + r, l := utf8.DecodeRuneInString(remainder) + remainder = str[length+l:] + + graphemeState, prop, graphemeBoundary = transitionGraphemeState(graphemeState, r) + wordState, wordBoundary = transitionWordBreakState(wordState, r, nil, remainder) + sentenceState, sentenceBoundary = transitionSentenceBreakState(sentenceState, r, nil, remainder) + lineState, lineBreak = transitionLineBreakState(lineState, r, nil, remainder) + + if graphemeBoundary { + boundary := lineBreak | (width << ShiftWidth) + if wordBoundary { + boundary |= 1 << shiftWord + } + if sentenceBoundary { + boundary |= 1 << shiftSentence + } + return str[:length], str[length:], boundary, graphemeState | (wordState << shiftWordState) | (sentenceState << shiftSentenceState) | (lineState << shiftLineState) | (prop << shiftPropState) + } + + if firstProp == prExtendedPictographic { + if r == vs15 { + width = 1 + } else if r == vs16 { + width = 2 + } + } else if firstProp != prRegionalIndicator && firstProp != prL { + width += runeWidth(r, prop) + } + + length += l + if len(str) <= length { + return str, "", LineMustBreak | (1 << shiftWord) | (1 << shiftSentence) | (width << ShiftWidth), grAny | (wbAny << shiftWordState) | (sbAny << shiftSentenceState) | (lbAny << shiftLineState) | (prop << shiftPropState) + } + } +} diff --git a/vendor/github.com/rivo/uniseg/width.go b/vendor/github.com/rivo/uniseg/width.go new file mode 100644 index 0000000000..975a9f1343 --- /dev/null +++ b/vendor/github.com/rivo/uniseg/width.go @@ -0,0 +1,61 @@ +package uniseg + +// EastAsianAmbiguousWidth specifies the monospace width for East Asian +// characters classified as Ambiguous. The default is 1 but some rare fonts +// render them with a width of 2. +var EastAsianAmbiguousWidth = 1 + +// runeWidth returns the monospace width for the given rune. The provided +// grapheme property is a value mapped by the [graphemeCodePoints] table. +// +// Every rune has a width of 1, except for runes with the following properties +// (evaluated in this order): +// +// - Control, CR, LF, Extend, ZWJ: Width of 0 +// - \u2e3a, TWO-EM DASH: Width of 3 +// - \u2e3b, THREE-EM DASH: Width of 4 +// - East-Asian width Fullwidth and Wide: Width of 2 (Ambiguous and Neutral +// have a width of 1) +// - Regional Indicator: Width of 2 +// - Extended Pictographic: Width of 2, unless Emoji Presentation is "No". +func runeWidth(r rune, graphemeProperty int) int { + switch graphemeProperty { + case prControl, prCR, prLF, prExtend, prZWJ: + return 0 + case prRegionalIndicator: + return 2 + case prExtendedPictographic: + if property(emojiPresentation, r) == prEmojiPresentation { + return 2 + } + return 1 + } + + switch r { + case 0x2e3a: + return 3 + case 0x2e3b: + return 4 + } + + switch propertyEastAsianWidth(r) { + case prW, prF: + return 2 + case prA: + return EastAsianAmbiguousWidth + } + + return 1 +} + +// StringWidth returns the monospace width for the given string, that is, the +// number of same-size cells to be occupied by the string. +func StringWidth(s string) (width int) { + state := -1 + for len(s) > 0 { + var w int + _, s, w, state = FirstGraphemeClusterInString(s, state) + width += w + } + return +} diff --git a/vendor/github.com/rivo/uniseg/word.go b/vendor/github.com/rivo/uniseg/word.go new file mode 100644 index 0000000000..34fba7f291 --- /dev/null +++ b/vendor/github.com/rivo/uniseg/word.go @@ -0,0 +1,89 @@ +package uniseg + +import "unicode/utf8" + +// FirstWord returns the first word found in the given byte slice according to +// the rules of [Unicode Standard Annex #29, Word Boundaries]. This function can +// be called continuously to extract all words from a byte slice, as illustrated +// in the example below. +// +// If you don't know the current state, for example when calling the function +// for the first time, you must pass -1. For consecutive calls, pass the state +// and rest slice returned by the previous call. +// +// The "rest" slice is the sub-slice of the original byte slice "b" starting +// after the last byte of the identified word. If the length of the "rest" slice +// is 0, the entire byte slice "b" has been processed. The "word" byte slice is +// the sub-slice of the input slice containing the identified word. +// +// Given an empty byte slice "b", the function returns nil values. +// +// [Unicode Standard Annex #29, Word Boundaries]: http://unicode.org/reports/tr29/#Word_Boundaries +func FirstWord(b []byte, state int) (word, rest []byte, newState int) { + // An empty byte slice returns nothing. + if len(b) == 0 { + return + } + + // Extract the first rune. + r, length := utf8.DecodeRune(b) + if len(b) <= length { // If we're already past the end, there is nothing else to parse. + return b, nil, wbAny + } + + // If we don't know the state, determine it now. + if state < 0 { + state, _ = transitionWordBreakState(state, r, b[length:], "") + } + + // Transition until we find a boundary. + var boundary bool + for { + r, l := utf8.DecodeRune(b[length:]) + state, boundary = transitionWordBreakState(state, r, b[length+l:], "") + + if boundary { + return b[:length], b[length:], state + } + + length += l + if len(b) <= length { + return b, nil, wbAny + } + } +} + +// FirstWordInString is like [FirstWord] but its input and outputs are strings. +func FirstWordInString(str string, state int) (word, rest string, newState int) { + // An empty byte slice returns nothing. + if len(str) == 0 { + return + } + + // Extract the first rune. + r, length := utf8.DecodeRuneInString(str) + if len(str) <= length { // If we're already past the end, there is nothing else to parse. + return str, "", wbAny + } + + // If we don't know the state, determine it now. + if state < 0 { + state, _ = transitionWordBreakState(state, r, nil, str[length:]) + } + + // Transition until we find a boundary. + var boundary bool + for { + r, l := utf8.DecodeRuneInString(str[length:]) + state, boundary = transitionWordBreakState(state, r, nil, str[length+l:]) + + if boundary { + return str[:length], str[length:], state + } + + length += l + if len(str) <= length { + return str, "", wbAny + } + } +} diff --git a/vendor/github.com/rivo/uniseg/wordproperties.go b/vendor/github.com/rivo/uniseg/wordproperties.go new file mode 100644 index 0000000000..277ca10068 --- /dev/null +++ b/vendor/github.com/rivo/uniseg/wordproperties.go @@ -0,0 +1,1883 @@ +// Code generated via go generate from gen_properties.go. DO NOT EDIT. + +package uniseg + +// workBreakCodePoints are taken from +// https://www.unicode.org/Public/15.0.0/ucd/auxiliary/WordBreakProperty.txt +// and +// https://unicode.org/Public/15.0.0/ucd/emoji/emoji-data.txt +// ("Extended_Pictographic" only) +// on September 5, 2023. See https://www.unicode.org/license.html for the Unicode +// license agreement. +var workBreakCodePoints = [][3]int{ + {0x000A, 0x000A, prLF}, // Cc + {0x000B, 0x000C, prNewline}, // Cc [2] .. + {0x000D, 0x000D, prCR}, // Cc + {0x0020, 0x0020, prWSegSpace}, // Zs SPACE + {0x0022, 0x0022, prDoubleQuote}, // Po QUOTATION MARK + {0x0027, 0x0027, prSingleQuote}, // Po APOSTROPHE + {0x002C, 0x002C, prMidNum}, // Po COMMA + {0x002E, 0x002E, prMidNumLet}, // Po FULL STOP + {0x0030, 0x0039, prNumeric}, // Nd [10] DIGIT ZERO..DIGIT NINE + {0x003A, 0x003A, prMidLetter}, // Po COLON + {0x003B, 0x003B, prMidNum}, // Po SEMICOLON + {0x0041, 0x005A, prALetter}, // L& [26] LATIN CAPITAL LETTER A..LATIN CAPITAL LETTER Z + {0x005F, 0x005F, prExtendNumLet}, // Pc LOW LINE + {0x0061, 0x007A, prALetter}, // L& [26] LATIN SMALL LETTER A..LATIN SMALL LETTER Z + {0x0085, 0x0085, prNewline}, // Cc + {0x00A9, 0x00A9, prExtendedPictographic}, // E0.6 [1] (©ï¸) copyright + {0x00AA, 0x00AA, prALetter}, // Lo FEMININE ORDINAL INDICATOR + {0x00AD, 0x00AD, prFormat}, // Cf SOFT HYPHEN + {0x00AE, 0x00AE, prExtendedPictographic}, // E0.6 [1] (®ï¸) registered + {0x00B5, 0x00B5, prALetter}, // L& MICRO SIGN + {0x00B7, 0x00B7, prMidLetter}, // Po MIDDLE DOT + {0x00BA, 0x00BA, prALetter}, // Lo MASCULINE ORDINAL INDICATOR + {0x00C0, 0x00D6, prALetter}, // L& [23] LATIN CAPITAL LETTER A WITH GRAVE..LATIN CAPITAL LETTER O WITH DIAERESIS + {0x00D8, 0x00F6, prALetter}, // L& [31] LATIN CAPITAL LETTER O WITH STROKE..LATIN SMALL LETTER O WITH DIAERESIS + {0x00F8, 0x01BA, prALetter}, // L& [195] LATIN SMALL LETTER O WITH STROKE..LATIN SMALL LETTER EZH WITH TAIL + {0x01BB, 0x01BB, prALetter}, // Lo LATIN LETTER TWO WITH STROKE + {0x01BC, 0x01BF, prALetter}, // L& [4] LATIN CAPITAL LETTER TONE FIVE..LATIN LETTER WYNN + {0x01C0, 0x01C3, prALetter}, // Lo [4] LATIN LETTER DENTAL CLICK..LATIN LETTER RETROFLEX CLICK + {0x01C4, 0x0293, prALetter}, // L& [208] LATIN CAPITAL LETTER DZ WITH CARON..LATIN SMALL LETTER EZH WITH CURL + {0x0294, 0x0294, prALetter}, // Lo LATIN LETTER GLOTTAL STOP + {0x0295, 0x02AF, prALetter}, // L& [27] LATIN LETTER PHARYNGEAL VOICED FRICATIVE..LATIN SMALL LETTER TURNED H WITH FISHHOOK AND TAIL + {0x02B0, 0x02C1, prALetter}, // Lm [18] MODIFIER LETTER SMALL H..MODIFIER LETTER REVERSED GLOTTAL STOP + {0x02C2, 0x02C5, prALetter}, // Sk [4] MODIFIER LETTER LEFT ARROWHEAD..MODIFIER LETTER DOWN ARROWHEAD + {0x02C6, 0x02D1, prALetter}, // Lm [12] MODIFIER LETTER CIRCUMFLEX ACCENT..MODIFIER LETTER HALF TRIANGULAR COLON + {0x02D2, 0x02D7, prALetter}, // Sk [6] MODIFIER LETTER CENTRED RIGHT HALF RING..MODIFIER LETTER MINUS SIGN + {0x02DE, 0x02DF, prALetter}, // Sk [2] MODIFIER LETTER RHOTIC HOOK..MODIFIER LETTER CROSS ACCENT + {0x02E0, 0x02E4, prALetter}, // Lm [5] MODIFIER LETTER SMALL GAMMA..MODIFIER LETTER SMALL REVERSED GLOTTAL STOP + {0x02E5, 0x02EB, prALetter}, // Sk [7] MODIFIER LETTER EXTRA-HIGH TONE BAR..MODIFIER LETTER YANG DEPARTING TONE MARK + {0x02EC, 0x02EC, prALetter}, // Lm MODIFIER LETTER VOICING + {0x02ED, 0x02ED, prALetter}, // Sk MODIFIER LETTER UNASPIRATED + {0x02EE, 0x02EE, prALetter}, // Lm MODIFIER LETTER DOUBLE APOSTROPHE + {0x02EF, 0x02FF, prALetter}, // Sk [17] MODIFIER LETTER LOW DOWN ARROWHEAD..MODIFIER LETTER LOW LEFT ARROW + {0x0300, 0x036F, prExtend}, // Mn [112] COMBINING GRAVE ACCENT..COMBINING LATIN SMALL LETTER X + {0x0370, 0x0373, prALetter}, // L& [4] GREEK CAPITAL LETTER HETA..GREEK SMALL LETTER ARCHAIC SAMPI + {0x0374, 0x0374, prALetter}, // Lm GREEK NUMERAL SIGN + {0x0376, 0x0377, prALetter}, // L& [2] GREEK CAPITAL LETTER PAMPHYLIAN DIGAMMA..GREEK SMALL LETTER PAMPHYLIAN DIGAMMA + {0x037A, 0x037A, prALetter}, // Lm GREEK YPOGEGRAMMENI + {0x037B, 0x037D, prALetter}, // L& [3] GREEK SMALL REVERSED LUNATE SIGMA SYMBOL..GREEK SMALL REVERSED DOTTED LUNATE SIGMA SYMBOL + {0x037E, 0x037E, prMidNum}, // Po GREEK QUESTION MARK + {0x037F, 0x037F, prALetter}, // L& GREEK CAPITAL LETTER YOT + {0x0386, 0x0386, prALetter}, // L& GREEK CAPITAL LETTER ALPHA WITH TONOS + {0x0387, 0x0387, prMidLetter}, // Po GREEK ANO TELEIA + {0x0388, 0x038A, prALetter}, // L& [3] GREEK CAPITAL LETTER EPSILON WITH TONOS..GREEK CAPITAL LETTER IOTA WITH TONOS + {0x038C, 0x038C, prALetter}, // L& GREEK CAPITAL LETTER OMICRON WITH TONOS + {0x038E, 0x03A1, prALetter}, // L& [20] GREEK CAPITAL LETTER UPSILON WITH TONOS..GREEK CAPITAL LETTER RHO + {0x03A3, 0x03F5, prALetter}, // L& [83] GREEK CAPITAL LETTER SIGMA..GREEK LUNATE EPSILON SYMBOL + {0x03F7, 0x0481, prALetter}, // L& [139] GREEK CAPITAL LETTER SHO..CYRILLIC SMALL LETTER KOPPA + {0x0483, 0x0487, prExtend}, // Mn [5] COMBINING CYRILLIC TITLO..COMBINING CYRILLIC POKRYTIE + {0x0488, 0x0489, prExtend}, // Me [2] COMBINING CYRILLIC HUNDRED THOUSANDS SIGN..COMBINING CYRILLIC MILLIONS SIGN + {0x048A, 0x052F, prALetter}, // L& [166] CYRILLIC CAPITAL LETTER SHORT I WITH TAIL..CYRILLIC SMALL LETTER EL WITH DESCENDER + {0x0531, 0x0556, prALetter}, // L& [38] ARMENIAN CAPITAL LETTER AYB..ARMENIAN CAPITAL LETTER FEH + {0x0559, 0x0559, prALetter}, // Lm ARMENIAN MODIFIER LETTER LEFT HALF RING + {0x055A, 0x055C, prALetter}, // Po [3] ARMENIAN APOSTROPHE..ARMENIAN EXCLAMATION MARK + {0x055E, 0x055E, prALetter}, // Po ARMENIAN QUESTION MARK + {0x055F, 0x055F, prMidLetter}, // Po ARMENIAN ABBREVIATION MARK + {0x0560, 0x0588, prALetter}, // L& [41] ARMENIAN SMALL LETTER TURNED AYB..ARMENIAN SMALL LETTER YI WITH STROKE + {0x0589, 0x0589, prMidNum}, // Po ARMENIAN FULL STOP + {0x058A, 0x058A, prALetter}, // Pd ARMENIAN HYPHEN + {0x0591, 0x05BD, prExtend}, // Mn [45] HEBREW ACCENT ETNAHTA..HEBREW POINT METEG + {0x05BF, 0x05BF, prExtend}, // Mn HEBREW POINT RAFE + {0x05C1, 0x05C2, prExtend}, // Mn [2] HEBREW POINT SHIN DOT..HEBREW POINT SIN DOT + {0x05C4, 0x05C5, prExtend}, // Mn [2] HEBREW MARK UPPER DOT..HEBREW MARK LOWER DOT + {0x05C7, 0x05C7, prExtend}, // Mn HEBREW POINT QAMATS QATAN + {0x05D0, 0x05EA, prHebrewLetter}, // Lo [27] HEBREW LETTER ALEF..HEBREW LETTER TAV + {0x05EF, 0x05F2, prHebrewLetter}, // Lo [4] HEBREW YOD TRIANGLE..HEBREW LIGATURE YIDDISH DOUBLE YOD + {0x05F3, 0x05F3, prALetter}, // Po HEBREW PUNCTUATION GERESH + {0x05F4, 0x05F4, prMidLetter}, // Po HEBREW PUNCTUATION GERSHAYIM + {0x0600, 0x0605, prFormat}, // Cf [6] ARABIC NUMBER SIGN..ARABIC NUMBER MARK ABOVE + {0x060C, 0x060D, prMidNum}, // Po [2] ARABIC COMMA..ARABIC DATE SEPARATOR + {0x0610, 0x061A, prExtend}, // Mn [11] ARABIC SIGN SALLALLAHOU ALAYHE WASSALLAM..ARABIC SMALL KASRA + {0x061C, 0x061C, prFormat}, // Cf ARABIC LETTER MARK + {0x0620, 0x063F, prALetter}, // Lo [32] ARABIC LETTER KASHMIRI YEH..ARABIC LETTER FARSI YEH WITH THREE DOTS ABOVE + {0x0640, 0x0640, prALetter}, // Lm ARABIC TATWEEL + {0x0641, 0x064A, prALetter}, // Lo [10] ARABIC LETTER FEH..ARABIC LETTER YEH + {0x064B, 0x065F, prExtend}, // Mn [21] ARABIC FATHATAN..ARABIC WAVY HAMZA BELOW + {0x0660, 0x0669, prNumeric}, // Nd [10] ARABIC-INDIC DIGIT ZERO..ARABIC-INDIC DIGIT NINE + {0x066B, 0x066B, prNumeric}, // Po ARABIC DECIMAL SEPARATOR + {0x066C, 0x066C, prMidNum}, // Po ARABIC THOUSANDS SEPARATOR + {0x066E, 0x066F, prALetter}, // Lo [2] ARABIC LETTER DOTLESS BEH..ARABIC LETTER DOTLESS QAF + {0x0670, 0x0670, prExtend}, // Mn ARABIC LETTER SUPERSCRIPT ALEF + {0x0671, 0x06D3, prALetter}, // Lo [99] ARABIC LETTER ALEF WASLA..ARABIC LETTER YEH BARREE WITH HAMZA ABOVE + {0x06D5, 0x06D5, prALetter}, // Lo ARABIC LETTER AE + {0x06D6, 0x06DC, prExtend}, // Mn [7] ARABIC SMALL HIGH LIGATURE SAD WITH LAM WITH ALEF MAKSURA..ARABIC SMALL HIGH SEEN + {0x06DD, 0x06DD, prFormat}, // Cf ARABIC END OF AYAH + {0x06DF, 0x06E4, prExtend}, // Mn [6] ARABIC SMALL HIGH ROUNDED ZERO..ARABIC SMALL HIGH MADDA + {0x06E5, 0x06E6, prALetter}, // Lm [2] ARABIC SMALL WAW..ARABIC SMALL YEH + {0x06E7, 0x06E8, prExtend}, // Mn [2] ARABIC SMALL HIGH YEH..ARABIC SMALL HIGH NOON + {0x06EA, 0x06ED, prExtend}, // Mn [4] ARABIC EMPTY CENTRE LOW STOP..ARABIC SMALL LOW MEEM + {0x06EE, 0x06EF, prALetter}, // Lo [2] ARABIC LETTER DAL WITH INVERTED V..ARABIC LETTER REH WITH INVERTED V + {0x06F0, 0x06F9, prNumeric}, // Nd [10] EXTENDED ARABIC-INDIC DIGIT ZERO..EXTENDED ARABIC-INDIC DIGIT NINE + {0x06FA, 0x06FC, prALetter}, // Lo [3] ARABIC LETTER SHEEN WITH DOT BELOW..ARABIC LETTER GHAIN WITH DOT BELOW + {0x06FF, 0x06FF, prALetter}, // Lo ARABIC LETTER HEH WITH INVERTED V + {0x070F, 0x070F, prFormat}, // Cf SYRIAC ABBREVIATION MARK + {0x0710, 0x0710, prALetter}, // Lo SYRIAC LETTER ALAPH + {0x0711, 0x0711, prExtend}, // Mn SYRIAC LETTER SUPERSCRIPT ALAPH + {0x0712, 0x072F, prALetter}, // Lo [30] SYRIAC LETTER BETH..SYRIAC LETTER PERSIAN DHALATH + {0x0730, 0x074A, prExtend}, // Mn [27] SYRIAC PTHAHA ABOVE..SYRIAC BARREKH + {0x074D, 0x07A5, prALetter}, // Lo [89] SYRIAC LETTER SOGDIAN ZHAIN..THAANA LETTER WAAVU + {0x07A6, 0x07B0, prExtend}, // Mn [11] THAANA ABAFILI..THAANA SUKUN + {0x07B1, 0x07B1, prALetter}, // Lo THAANA LETTER NAA + {0x07C0, 0x07C9, prNumeric}, // Nd [10] NKO DIGIT ZERO..NKO DIGIT NINE + {0x07CA, 0x07EA, prALetter}, // Lo [33] NKO LETTER A..NKO LETTER JONA RA + {0x07EB, 0x07F3, prExtend}, // Mn [9] NKO COMBINING SHORT HIGH TONE..NKO COMBINING DOUBLE DOT ABOVE + {0x07F4, 0x07F5, prALetter}, // Lm [2] NKO HIGH TONE APOSTROPHE..NKO LOW TONE APOSTROPHE + {0x07F8, 0x07F8, prMidNum}, // Po NKO COMMA + {0x07FA, 0x07FA, prALetter}, // Lm NKO LAJANYALAN + {0x07FD, 0x07FD, prExtend}, // Mn NKO DANTAYALAN + {0x0800, 0x0815, prALetter}, // Lo [22] SAMARITAN LETTER ALAF..SAMARITAN LETTER TAAF + {0x0816, 0x0819, prExtend}, // Mn [4] SAMARITAN MARK IN..SAMARITAN MARK DAGESH + {0x081A, 0x081A, prALetter}, // Lm SAMARITAN MODIFIER LETTER EPENTHETIC YUT + {0x081B, 0x0823, prExtend}, // Mn [9] SAMARITAN MARK EPENTHETIC YUT..SAMARITAN VOWEL SIGN A + {0x0824, 0x0824, prALetter}, // Lm SAMARITAN MODIFIER LETTER SHORT A + {0x0825, 0x0827, prExtend}, // Mn [3] SAMARITAN VOWEL SIGN SHORT A..SAMARITAN VOWEL SIGN U + {0x0828, 0x0828, prALetter}, // Lm SAMARITAN MODIFIER LETTER I + {0x0829, 0x082D, prExtend}, // Mn [5] SAMARITAN VOWEL SIGN LONG I..SAMARITAN MARK NEQUDAA + {0x0840, 0x0858, prALetter}, // Lo [25] MANDAIC LETTER HALQA..MANDAIC LETTER AIN + {0x0859, 0x085B, prExtend}, // Mn [3] MANDAIC AFFRICATION MARK..MANDAIC GEMINATION MARK + {0x0860, 0x086A, prALetter}, // Lo [11] SYRIAC LETTER MALAYALAM NGA..SYRIAC LETTER MALAYALAM SSA + {0x0870, 0x0887, prALetter}, // Lo [24] ARABIC LETTER ALEF WITH ATTACHED FATHA..ARABIC BASELINE ROUND DOT + {0x0889, 0x088E, prALetter}, // Lo [6] ARABIC LETTER NOON WITH INVERTED SMALL V..ARABIC VERTICAL TAIL + {0x0890, 0x0891, prFormat}, // Cf [2] ARABIC POUND MARK ABOVE..ARABIC PIASTRE MARK ABOVE + {0x0898, 0x089F, prExtend}, // Mn [8] ARABIC SMALL HIGH WORD AL-JUZ..ARABIC HALF MADDA OVER MADDA + {0x08A0, 0x08C8, prALetter}, // Lo [41] ARABIC LETTER BEH WITH SMALL V BELOW..ARABIC LETTER GRAF + {0x08C9, 0x08C9, prALetter}, // Lm ARABIC SMALL FARSI YEH + {0x08CA, 0x08E1, prExtend}, // Mn [24] ARABIC SMALL HIGH FARSI YEH..ARABIC SMALL HIGH SIGN SAFHA + {0x08E2, 0x08E2, prFormat}, // Cf ARABIC DISPUTED END OF AYAH + {0x08E3, 0x0902, prExtend}, // Mn [32] ARABIC TURNED DAMMA BELOW..DEVANAGARI SIGN ANUSVARA + {0x0903, 0x0903, prExtend}, // Mc DEVANAGARI SIGN VISARGA + {0x0904, 0x0939, prALetter}, // Lo [54] DEVANAGARI LETTER SHORT A..DEVANAGARI LETTER HA + {0x093A, 0x093A, prExtend}, // Mn DEVANAGARI VOWEL SIGN OE + {0x093B, 0x093B, prExtend}, // Mc DEVANAGARI VOWEL SIGN OOE + {0x093C, 0x093C, prExtend}, // Mn DEVANAGARI SIGN NUKTA + {0x093D, 0x093D, prALetter}, // Lo DEVANAGARI SIGN AVAGRAHA + {0x093E, 0x0940, prExtend}, // Mc [3] DEVANAGARI VOWEL SIGN AA..DEVANAGARI VOWEL SIGN II + {0x0941, 0x0948, prExtend}, // Mn [8] DEVANAGARI VOWEL SIGN U..DEVANAGARI VOWEL SIGN AI + {0x0949, 0x094C, prExtend}, // Mc [4] DEVANAGARI VOWEL SIGN CANDRA O..DEVANAGARI VOWEL SIGN AU + {0x094D, 0x094D, prExtend}, // Mn DEVANAGARI SIGN VIRAMA + {0x094E, 0x094F, prExtend}, // Mc [2] DEVANAGARI VOWEL SIGN PRISHTHAMATRA E..DEVANAGARI VOWEL SIGN AW + {0x0950, 0x0950, prALetter}, // Lo DEVANAGARI OM + {0x0951, 0x0957, prExtend}, // Mn [7] DEVANAGARI STRESS SIGN UDATTA..DEVANAGARI VOWEL SIGN UUE + {0x0958, 0x0961, prALetter}, // Lo [10] DEVANAGARI LETTER QA..DEVANAGARI LETTER VOCALIC LL + {0x0962, 0x0963, prExtend}, // Mn [2] DEVANAGARI VOWEL SIGN VOCALIC L..DEVANAGARI VOWEL SIGN VOCALIC LL + {0x0966, 0x096F, prNumeric}, // Nd [10] DEVANAGARI DIGIT ZERO..DEVANAGARI DIGIT NINE + {0x0971, 0x0971, prALetter}, // Lm DEVANAGARI SIGN HIGH SPACING DOT + {0x0972, 0x0980, prALetter}, // Lo [15] DEVANAGARI LETTER CANDRA A..BENGALI ANJI + {0x0981, 0x0981, prExtend}, // Mn BENGALI SIGN CANDRABINDU + {0x0982, 0x0983, prExtend}, // Mc [2] BENGALI SIGN ANUSVARA..BENGALI SIGN VISARGA + {0x0985, 0x098C, prALetter}, // Lo [8] BENGALI LETTER A..BENGALI LETTER VOCALIC L + {0x098F, 0x0990, prALetter}, // Lo [2] BENGALI LETTER E..BENGALI LETTER AI + {0x0993, 0x09A8, prALetter}, // Lo [22] BENGALI LETTER O..BENGALI LETTER NA + {0x09AA, 0x09B0, prALetter}, // Lo [7] BENGALI LETTER PA..BENGALI LETTER RA + {0x09B2, 0x09B2, prALetter}, // Lo BENGALI LETTER LA + {0x09B6, 0x09B9, prALetter}, // Lo [4] BENGALI LETTER SHA..BENGALI LETTER HA + {0x09BC, 0x09BC, prExtend}, // Mn BENGALI SIGN NUKTA + {0x09BD, 0x09BD, prALetter}, // Lo BENGALI SIGN AVAGRAHA + {0x09BE, 0x09C0, prExtend}, // Mc [3] BENGALI VOWEL SIGN AA..BENGALI VOWEL SIGN II + {0x09C1, 0x09C4, prExtend}, // Mn [4] BENGALI VOWEL SIGN U..BENGALI VOWEL SIGN VOCALIC RR + {0x09C7, 0x09C8, prExtend}, // Mc [2] BENGALI VOWEL SIGN E..BENGALI VOWEL SIGN AI + {0x09CB, 0x09CC, prExtend}, // Mc [2] BENGALI VOWEL SIGN O..BENGALI VOWEL SIGN AU + {0x09CD, 0x09CD, prExtend}, // Mn BENGALI SIGN VIRAMA + {0x09CE, 0x09CE, prALetter}, // Lo BENGALI LETTER KHANDA TA + {0x09D7, 0x09D7, prExtend}, // Mc BENGALI AU LENGTH MARK + {0x09DC, 0x09DD, prALetter}, // Lo [2] BENGALI LETTER RRA..BENGALI LETTER RHA + {0x09DF, 0x09E1, prALetter}, // Lo [3] BENGALI LETTER YYA..BENGALI LETTER VOCALIC LL + {0x09E2, 0x09E3, prExtend}, // Mn [2] BENGALI VOWEL SIGN VOCALIC L..BENGALI VOWEL SIGN VOCALIC LL + {0x09E6, 0x09EF, prNumeric}, // Nd [10] BENGALI DIGIT ZERO..BENGALI DIGIT NINE + {0x09F0, 0x09F1, prALetter}, // Lo [2] BENGALI LETTER RA WITH MIDDLE DIAGONAL..BENGALI LETTER RA WITH LOWER DIAGONAL + {0x09FC, 0x09FC, prALetter}, // Lo BENGALI LETTER VEDIC ANUSVARA + {0x09FE, 0x09FE, prExtend}, // Mn BENGALI SANDHI MARK + {0x0A01, 0x0A02, prExtend}, // Mn [2] GURMUKHI SIGN ADAK BINDI..GURMUKHI SIGN BINDI + {0x0A03, 0x0A03, prExtend}, // Mc GURMUKHI SIGN VISARGA + {0x0A05, 0x0A0A, prALetter}, // Lo [6] GURMUKHI LETTER A..GURMUKHI LETTER UU + {0x0A0F, 0x0A10, prALetter}, // Lo [2] GURMUKHI LETTER EE..GURMUKHI LETTER AI + {0x0A13, 0x0A28, prALetter}, // Lo [22] GURMUKHI LETTER OO..GURMUKHI LETTER NA + {0x0A2A, 0x0A30, prALetter}, // Lo [7] GURMUKHI LETTER PA..GURMUKHI LETTER RA + {0x0A32, 0x0A33, prALetter}, // Lo [2] GURMUKHI LETTER LA..GURMUKHI LETTER LLA + {0x0A35, 0x0A36, prALetter}, // Lo [2] GURMUKHI LETTER VA..GURMUKHI LETTER SHA + {0x0A38, 0x0A39, prALetter}, // Lo [2] GURMUKHI LETTER SA..GURMUKHI LETTER HA + {0x0A3C, 0x0A3C, prExtend}, // Mn GURMUKHI SIGN NUKTA + {0x0A3E, 0x0A40, prExtend}, // Mc [3] GURMUKHI VOWEL SIGN AA..GURMUKHI VOWEL SIGN II + {0x0A41, 0x0A42, prExtend}, // Mn [2] GURMUKHI VOWEL SIGN U..GURMUKHI VOWEL SIGN UU + {0x0A47, 0x0A48, prExtend}, // Mn [2] GURMUKHI VOWEL SIGN EE..GURMUKHI VOWEL SIGN AI + {0x0A4B, 0x0A4D, prExtend}, // Mn [3] GURMUKHI VOWEL SIGN OO..GURMUKHI SIGN VIRAMA + {0x0A51, 0x0A51, prExtend}, // Mn GURMUKHI SIGN UDAAT + {0x0A59, 0x0A5C, prALetter}, // Lo [4] GURMUKHI LETTER KHHA..GURMUKHI LETTER RRA + {0x0A5E, 0x0A5E, prALetter}, // Lo GURMUKHI LETTER FA + {0x0A66, 0x0A6F, prNumeric}, // Nd [10] GURMUKHI DIGIT ZERO..GURMUKHI DIGIT NINE + {0x0A70, 0x0A71, prExtend}, // Mn [2] GURMUKHI TIPPI..GURMUKHI ADDAK + {0x0A72, 0x0A74, prALetter}, // Lo [3] GURMUKHI IRI..GURMUKHI EK ONKAR + {0x0A75, 0x0A75, prExtend}, // Mn GURMUKHI SIGN YAKASH + {0x0A81, 0x0A82, prExtend}, // Mn [2] GUJARATI SIGN CANDRABINDU..GUJARATI SIGN ANUSVARA + {0x0A83, 0x0A83, prExtend}, // Mc GUJARATI SIGN VISARGA + {0x0A85, 0x0A8D, prALetter}, // Lo [9] GUJARATI LETTER A..GUJARATI VOWEL CANDRA E + {0x0A8F, 0x0A91, prALetter}, // Lo [3] GUJARATI LETTER E..GUJARATI VOWEL CANDRA O + {0x0A93, 0x0AA8, prALetter}, // Lo [22] GUJARATI LETTER O..GUJARATI LETTER NA + {0x0AAA, 0x0AB0, prALetter}, // Lo [7] GUJARATI LETTER PA..GUJARATI LETTER RA + {0x0AB2, 0x0AB3, prALetter}, // Lo [2] GUJARATI LETTER LA..GUJARATI LETTER LLA + {0x0AB5, 0x0AB9, prALetter}, // Lo [5] GUJARATI LETTER VA..GUJARATI LETTER HA + {0x0ABC, 0x0ABC, prExtend}, // Mn GUJARATI SIGN NUKTA + {0x0ABD, 0x0ABD, prALetter}, // Lo GUJARATI SIGN AVAGRAHA + {0x0ABE, 0x0AC0, prExtend}, // Mc [3] GUJARATI VOWEL SIGN AA..GUJARATI VOWEL SIGN II + {0x0AC1, 0x0AC5, prExtend}, // Mn [5] GUJARATI VOWEL SIGN U..GUJARATI VOWEL SIGN CANDRA E + {0x0AC7, 0x0AC8, prExtend}, // Mn [2] GUJARATI VOWEL SIGN E..GUJARATI VOWEL SIGN AI + {0x0AC9, 0x0AC9, prExtend}, // Mc GUJARATI VOWEL SIGN CANDRA O + {0x0ACB, 0x0ACC, prExtend}, // Mc [2] GUJARATI VOWEL SIGN O..GUJARATI VOWEL SIGN AU + {0x0ACD, 0x0ACD, prExtend}, // Mn GUJARATI SIGN VIRAMA + {0x0AD0, 0x0AD0, prALetter}, // Lo GUJARATI OM + {0x0AE0, 0x0AE1, prALetter}, // Lo [2] GUJARATI LETTER VOCALIC RR..GUJARATI LETTER VOCALIC LL + {0x0AE2, 0x0AE3, prExtend}, // Mn [2] GUJARATI VOWEL SIGN VOCALIC L..GUJARATI VOWEL SIGN VOCALIC LL + {0x0AE6, 0x0AEF, prNumeric}, // Nd [10] GUJARATI DIGIT ZERO..GUJARATI DIGIT NINE + {0x0AF9, 0x0AF9, prALetter}, // Lo GUJARATI LETTER ZHA + {0x0AFA, 0x0AFF, prExtend}, // Mn [6] GUJARATI SIGN SUKUN..GUJARATI SIGN TWO-CIRCLE NUKTA ABOVE + {0x0B01, 0x0B01, prExtend}, // Mn ORIYA SIGN CANDRABINDU + {0x0B02, 0x0B03, prExtend}, // Mc [2] ORIYA SIGN ANUSVARA..ORIYA SIGN VISARGA + {0x0B05, 0x0B0C, prALetter}, // Lo [8] ORIYA LETTER A..ORIYA LETTER VOCALIC L + {0x0B0F, 0x0B10, prALetter}, // Lo [2] ORIYA LETTER E..ORIYA LETTER AI + {0x0B13, 0x0B28, prALetter}, // Lo [22] ORIYA LETTER O..ORIYA LETTER NA + {0x0B2A, 0x0B30, prALetter}, // Lo [7] ORIYA LETTER PA..ORIYA LETTER RA + {0x0B32, 0x0B33, prALetter}, // Lo [2] ORIYA LETTER LA..ORIYA LETTER LLA + {0x0B35, 0x0B39, prALetter}, // Lo [5] ORIYA LETTER VA..ORIYA LETTER HA + {0x0B3C, 0x0B3C, prExtend}, // Mn ORIYA SIGN NUKTA + {0x0B3D, 0x0B3D, prALetter}, // Lo ORIYA SIGN AVAGRAHA + {0x0B3E, 0x0B3E, prExtend}, // Mc ORIYA VOWEL SIGN AA + {0x0B3F, 0x0B3F, prExtend}, // Mn ORIYA VOWEL SIGN I + {0x0B40, 0x0B40, prExtend}, // Mc ORIYA VOWEL SIGN II + {0x0B41, 0x0B44, prExtend}, // Mn [4] ORIYA VOWEL SIGN U..ORIYA VOWEL SIGN VOCALIC RR + {0x0B47, 0x0B48, prExtend}, // Mc [2] ORIYA VOWEL SIGN E..ORIYA VOWEL SIGN AI + {0x0B4B, 0x0B4C, prExtend}, // Mc [2] ORIYA VOWEL SIGN O..ORIYA VOWEL SIGN AU + {0x0B4D, 0x0B4D, prExtend}, // Mn ORIYA SIGN VIRAMA + {0x0B55, 0x0B56, prExtend}, // Mn [2] ORIYA SIGN OVERLINE..ORIYA AI LENGTH MARK + {0x0B57, 0x0B57, prExtend}, // Mc ORIYA AU LENGTH MARK + {0x0B5C, 0x0B5D, prALetter}, // Lo [2] ORIYA LETTER RRA..ORIYA LETTER RHA + {0x0B5F, 0x0B61, prALetter}, // Lo [3] ORIYA LETTER YYA..ORIYA LETTER VOCALIC LL + {0x0B62, 0x0B63, prExtend}, // Mn [2] ORIYA VOWEL SIGN VOCALIC L..ORIYA VOWEL SIGN VOCALIC LL + {0x0B66, 0x0B6F, prNumeric}, // Nd [10] ORIYA DIGIT ZERO..ORIYA DIGIT NINE + {0x0B71, 0x0B71, prALetter}, // Lo ORIYA LETTER WA + {0x0B82, 0x0B82, prExtend}, // Mn TAMIL SIGN ANUSVARA + {0x0B83, 0x0B83, prALetter}, // Lo TAMIL SIGN VISARGA + {0x0B85, 0x0B8A, prALetter}, // Lo [6] TAMIL LETTER A..TAMIL LETTER UU + {0x0B8E, 0x0B90, prALetter}, // Lo [3] TAMIL LETTER E..TAMIL LETTER AI + {0x0B92, 0x0B95, prALetter}, // Lo [4] TAMIL LETTER O..TAMIL LETTER KA + {0x0B99, 0x0B9A, prALetter}, // Lo [2] TAMIL LETTER NGA..TAMIL LETTER CA + {0x0B9C, 0x0B9C, prALetter}, // Lo TAMIL LETTER JA + {0x0B9E, 0x0B9F, prALetter}, // Lo [2] TAMIL LETTER NYA..TAMIL LETTER TTA + {0x0BA3, 0x0BA4, prALetter}, // Lo [2] TAMIL LETTER NNA..TAMIL LETTER TA + {0x0BA8, 0x0BAA, prALetter}, // Lo [3] TAMIL LETTER NA..TAMIL LETTER PA + {0x0BAE, 0x0BB9, prALetter}, // Lo [12] TAMIL LETTER MA..TAMIL LETTER HA + {0x0BBE, 0x0BBF, prExtend}, // Mc [2] TAMIL VOWEL SIGN AA..TAMIL VOWEL SIGN I + {0x0BC0, 0x0BC0, prExtend}, // Mn TAMIL VOWEL SIGN II + {0x0BC1, 0x0BC2, prExtend}, // Mc [2] TAMIL VOWEL SIGN U..TAMIL VOWEL SIGN UU + {0x0BC6, 0x0BC8, prExtend}, // Mc [3] TAMIL VOWEL SIGN E..TAMIL VOWEL SIGN AI + {0x0BCA, 0x0BCC, prExtend}, // Mc [3] TAMIL VOWEL SIGN O..TAMIL VOWEL SIGN AU + {0x0BCD, 0x0BCD, prExtend}, // Mn TAMIL SIGN VIRAMA + {0x0BD0, 0x0BD0, prALetter}, // Lo TAMIL OM + {0x0BD7, 0x0BD7, prExtend}, // Mc TAMIL AU LENGTH MARK + {0x0BE6, 0x0BEF, prNumeric}, // Nd [10] TAMIL DIGIT ZERO..TAMIL DIGIT NINE + {0x0C00, 0x0C00, prExtend}, // Mn TELUGU SIGN COMBINING CANDRABINDU ABOVE + {0x0C01, 0x0C03, prExtend}, // Mc [3] TELUGU SIGN CANDRABINDU..TELUGU SIGN VISARGA + {0x0C04, 0x0C04, prExtend}, // Mn TELUGU SIGN COMBINING ANUSVARA ABOVE + {0x0C05, 0x0C0C, prALetter}, // Lo [8] TELUGU LETTER A..TELUGU LETTER VOCALIC L + {0x0C0E, 0x0C10, prALetter}, // Lo [3] TELUGU LETTER E..TELUGU LETTER AI + {0x0C12, 0x0C28, prALetter}, // Lo [23] TELUGU LETTER O..TELUGU LETTER NA + {0x0C2A, 0x0C39, prALetter}, // Lo [16] TELUGU LETTER PA..TELUGU LETTER HA + {0x0C3C, 0x0C3C, prExtend}, // Mn TELUGU SIGN NUKTA + {0x0C3D, 0x0C3D, prALetter}, // Lo TELUGU SIGN AVAGRAHA + {0x0C3E, 0x0C40, prExtend}, // Mn [3] TELUGU VOWEL SIGN AA..TELUGU VOWEL SIGN II + {0x0C41, 0x0C44, prExtend}, // Mc [4] TELUGU VOWEL SIGN U..TELUGU VOWEL SIGN VOCALIC RR + {0x0C46, 0x0C48, prExtend}, // Mn [3] TELUGU VOWEL SIGN E..TELUGU VOWEL SIGN AI + {0x0C4A, 0x0C4D, prExtend}, // Mn [4] TELUGU VOWEL SIGN O..TELUGU SIGN VIRAMA + {0x0C55, 0x0C56, prExtend}, // Mn [2] TELUGU LENGTH MARK..TELUGU AI LENGTH MARK + {0x0C58, 0x0C5A, prALetter}, // Lo [3] TELUGU LETTER TSA..TELUGU LETTER RRRA + {0x0C5D, 0x0C5D, prALetter}, // Lo TELUGU LETTER NAKAARA POLLU + {0x0C60, 0x0C61, prALetter}, // Lo [2] TELUGU LETTER VOCALIC RR..TELUGU LETTER VOCALIC LL + {0x0C62, 0x0C63, prExtend}, // Mn [2] TELUGU VOWEL SIGN VOCALIC L..TELUGU VOWEL SIGN VOCALIC LL + {0x0C66, 0x0C6F, prNumeric}, // Nd [10] TELUGU DIGIT ZERO..TELUGU DIGIT NINE + {0x0C80, 0x0C80, prALetter}, // Lo KANNADA SIGN SPACING CANDRABINDU + {0x0C81, 0x0C81, prExtend}, // Mn KANNADA SIGN CANDRABINDU + {0x0C82, 0x0C83, prExtend}, // Mc [2] KANNADA SIGN ANUSVARA..KANNADA SIGN VISARGA + {0x0C85, 0x0C8C, prALetter}, // Lo [8] KANNADA LETTER A..KANNADA LETTER VOCALIC L + {0x0C8E, 0x0C90, prALetter}, // Lo [3] KANNADA LETTER E..KANNADA LETTER AI + {0x0C92, 0x0CA8, prALetter}, // Lo [23] KANNADA LETTER O..KANNADA LETTER NA + {0x0CAA, 0x0CB3, prALetter}, // Lo [10] KANNADA LETTER PA..KANNADA LETTER LLA + {0x0CB5, 0x0CB9, prALetter}, // Lo [5] KANNADA LETTER VA..KANNADA LETTER HA + {0x0CBC, 0x0CBC, prExtend}, // Mn KANNADA SIGN NUKTA + {0x0CBD, 0x0CBD, prALetter}, // Lo KANNADA SIGN AVAGRAHA + {0x0CBE, 0x0CBE, prExtend}, // Mc KANNADA VOWEL SIGN AA + {0x0CBF, 0x0CBF, prExtend}, // Mn KANNADA VOWEL SIGN I + {0x0CC0, 0x0CC4, prExtend}, // Mc [5] KANNADA VOWEL SIGN II..KANNADA VOWEL SIGN VOCALIC RR + {0x0CC6, 0x0CC6, prExtend}, // Mn KANNADA VOWEL SIGN E + {0x0CC7, 0x0CC8, prExtend}, // Mc [2] KANNADA VOWEL SIGN EE..KANNADA VOWEL SIGN AI + {0x0CCA, 0x0CCB, prExtend}, // Mc [2] KANNADA VOWEL SIGN O..KANNADA VOWEL SIGN OO + {0x0CCC, 0x0CCD, prExtend}, // Mn [2] KANNADA VOWEL SIGN AU..KANNADA SIGN VIRAMA + {0x0CD5, 0x0CD6, prExtend}, // Mc [2] KANNADA LENGTH MARK..KANNADA AI LENGTH MARK + {0x0CDD, 0x0CDE, prALetter}, // Lo [2] KANNADA LETTER NAKAARA POLLU..KANNADA LETTER FA + {0x0CE0, 0x0CE1, prALetter}, // Lo [2] KANNADA LETTER VOCALIC RR..KANNADA LETTER VOCALIC LL + {0x0CE2, 0x0CE3, prExtend}, // Mn [2] KANNADA VOWEL SIGN VOCALIC L..KANNADA VOWEL SIGN VOCALIC LL + {0x0CE6, 0x0CEF, prNumeric}, // Nd [10] KANNADA DIGIT ZERO..KANNADA DIGIT NINE + {0x0CF1, 0x0CF2, prALetter}, // Lo [2] KANNADA SIGN JIHVAMULIYA..KANNADA SIGN UPADHMANIYA + {0x0CF3, 0x0CF3, prExtend}, // Mc KANNADA SIGN COMBINING ANUSVARA ABOVE RIGHT + {0x0D00, 0x0D01, prExtend}, // Mn [2] MALAYALAM SIGN COMBINING ANUSVARA ABOVE..MALAYALAM SIGN CANDRABINDU + {0x0D02, 0x0D03, prExtend}, // Mc [2] MALAYALAM SIGN ANUSVARA..MALAYALAM SIGN VISARGA + {0x0D04, 0x0D0C, prALetter}, // Lo [9] MALAYALAM LETTER VEDIC ANUSVARA..MALAYALAM LETTER VOCALIC L + {0x0D0E, 0x0D10, prALetter}, // Lo [3] MALAYALAM LETTER E..MALAYALAM LETTER AI + {0x0D12, 0x0D3A, prALetter}, // Lo [41] MALAYALAM LETTER O..MALAYALAM LETTER TTTA + {0x0D3B, 0x0D3C, prExtend}, // Mn [2] MALAYALAM SIGN VERTICAL BAR VIRAMA..MALAYALAM SIGN CIRCULAR VIRAMA + {0x0D3D, 0x0D3D, prALetter}, // Lo MALAYALAM SIGN AVAGRAHA + {0x0D3E, 0x0D40, prExtend}, // Mc [3] MALAYALAM VOWEL SIGN AA..MALAYALAM VOWEL SIGN II + {0x0D41, 0x0D44, prExtend}, // Mn [4] MALAYALAM VOWEL SIGN U..MALAYALAM VOWEL SIGN VOCALIC RR + {0x0D46, 0x0D48, prExtend}, // Mc [3] MALAYALAM VOWEL SIGN E..MALAYALAM VOWEL SIGN AI + {0x0D4A, 0x0D4C, prExtend}, // Mc [3] MALAYALAM VOWEL SIGN O..MALAYALAM VOWEL SIGN AU + {0x0D4D, 0x0D4D, prExtend}, // Mn MALAYALAM SIGN VIRAMA + {0x0D4E, 0x0D4E, prALetter}, // Lo MALAYALAM LETTER DOT REPH + {0x0D54, 0x0D56, prALetter}, // Lo [3] MALAYALAM LETTER CHILLU M..MALAYALAM LETTER CHILLU LLL + {0x0D57, 0x0D57, prExtend}, // Mc MALAYALAM AU LENGTH MARK + {0x0D5F, 0x0D61, prALetter}, // Lo [3] MALAYALAM LETTER ARCHAIC II..MALAYALAM LETTER VOCALIC LL + {0x0D62, 0x0D63, prExtend}, // Mn [2] MALAYALAM VOWEL SIGN VOCALIC L..MALAYALAM VOWEL SIGN VOCALIC LL + {0x0D66, 0x0D6F, prNumeric}, // Nd [10] MALAYALAM DIGIT ZERO..MALAYALAM DIGIT NINE + {0x0D7A, 0x0D7F, prALetter}, // Lo [6] MALAYALAM LETTER CHILLU NN..MALAYALAM LETTER CHILLU K + {0x0D81, 0x0D81, prExtend}, // Mn SINHALA SIGN CANDRABINDU + {0x0D82, 0x0D83, prExtend}, // Mc [2] SINHALA SIGN ANUSVARAYA..SINHALA SIGN VISARGAYA + {0x0D85, 0x0D96, prALetter}, // Lo [18] SINHALA LETTER AYANNA..SINHALA LETTER AUYANNA + {0x0D9A, 0x0DB1, prALetter}, // Lo [24] SINHALA LETTER ALPAPRAANA KAYANNA..SINHALA LETTER DANTAJA NAYANNA + {0x0DB3, 0x0DBB, prALetter}, // Lo [9] SINHALA LETTER SANYAKA DAYANNA..SINHALA LETTER RAYANNA + {0x0DBD, 0x0DBD, prALetter}, // Lo SINHALA LETTER DANTAJA LAYANNA + {0x0DC0, 0x0DC6, prALetter}, // Lo [7] SINHALA LETTER VAYANNA..SINHALA LETTER FAYANNA + {0x0DCA, 0x0DCA, prExtend}, // Mn SINHALA SIGN AL-LAKUNA + {0x0DCF, 0x0DD1, prExtend}, // Mc [3] SINHALA VOWEL SIGN AELA-PILLA..SINHALA VOWEL SIGN DIGA AEDA-PILLA + {0x0DD2, 0x0DD4, prExtend}, // Mn [3] SINHALA VOWEL SIGN KETTI IS-PILLA..SINHALA VOWEL SIGN KETTI PAA-PILLA + {0x0DD6, 0x0DD6, prExtend}, // Mn SINHALA VOWEL SIGN DIGA PAA-PILLA + {0x0DD8, 0x0DDF, prExtend}, // Mc [8] SINHALA VOWEL SIGN GAETTA-PILLA..SINHALA VOWEL SIGN GAYANUKITTA + {0x0DE6, 0x0DEF, prNumeric}, // Nd [10] SINHALA LITH DIGIT ZERO..SINHALA LITH DIGIT NINE + {0x0DF2, 0x0DF3, prExtend}, // Mc [2] SINHALA VOWEL SIGN DIGA GAETTA-PILLA..SINHALA VOWEL SIGN DIGA GAYANUKITTA + {0x0E31, 0x0E31, prExtend}, // Mn THAI CHARACTER MAI HAN-AKAT + {0x0E34, 0x0E3A, prExtend}, // Mn [7] THAI CHARACTER SARA I..THAI CHARACTER PHINTHU + {0x0E47, 0x0E4E, prExtend}, // Mn [8] THAI CHARACTER MAITAIKHU..THAI CHARACTER YAMAKKAN + {0x0E50, 0x0E59, prNumeric}, // Nd [10] THAI DIGIT ZERO..THAI DIGIT NINE + {0x0EB1, 0x0EB1, prExtend}, // Mn LAO VOWEL SIGN MAI KAN + {0x0EB4, 0x0EBC, prExtend}, // Mn [9] LAO VOWEL SIGN I..LAO SEMIVOWEL SIGN LO + {0x0EC8, 0x0ECE, prExtend}, // Mn [7] LAO TONE MAI EK..LAO YAMAKKAN + {0x0ED0, 0x0ED9, prNumeric}, // Nd [10] LAO DIGIT ZERO..LAO DIGIT NINE + {0x0F00, 0x0F00, prALetter}, // Lo TIBETAN SYLLABLE OM + {0x0F18, 0x0F19, prExtend}, // Mn [2] TIBETAN ASTROLOGICAL SIGN -KHYUD PA..TIBETAN ASTROLOGICAL SIGN SDONG TSHUGS + {0x0F20, 0x0F29, prNumeric}, // Nd [10] TIBETAN DIGIT ZERO..TIBETAN DIGIT NINE + {0x0F35, 0x0F35, prExtend}, // Mn TIBETAN MARK NGAS BZUNG NYI ZLA + {0x0F37, 0x0F37, prExtend}, // Mn TIBETAN MARK NGAS BZUNG SGOR RTAGS + {0x0F39, 0x0F39, prExtend}, // Mn TIBETAN MARK TSA -PHRU + {0x0F3E, 0x0F3F, prExtend}, // Mc [2] TIBETAN SIGN YAR TSHES..TIBETAN SIGN MAR TSHES + {0x0F40, 0x0F47, prALetter}, // Lo [8] TIBETAN LETTER KA..TIBETAN LETTER JA + {0x0F49, 0x0F6C, prALetter}, // Lo [36] TIBETAN LETTER NYA..TIBETAN LETTER RRA + {0x0F71, 0x0F7E, prExtend}, // Mn [14] TIBETAN VOWEL SIGN AA..TIBETAN SIGN RJES SU NGA RO + {0x0F7F, 0x0F7F, prExtend}, // Mc TIBETAN SIGN RNAM BCAD + {0x0F80, 0x0F84, prExtend}, // Mn [5] TIBETAN VOWEL SIGN REVERSED I..TIBETAN MARK HALANTA + {0x0F86, 0x0F87, prExtend}, // Mn [2] TIBETAN SIGN LCI RTAGS..TIBETAN SIGN YANG RTAGS + {0x0F88, 0x0F8C, prALetter}, // Lo [5] TIBETAN SIGN LCE TSA CAN..TIBETAN SIGN INVERTED MCHU CAN + {0x0F8D, 0x0F97, prExtend}, // Mn [11] TIBETAN SUBJOINED SIGN LCE TSA CAN..TIBETAN SUBJOINED LETTER JA + {0x0F99, 0x0FBC, prExtend}, // Mn [36] TIBETAN SUBJOINED LETTER NYA..TIBETAN SUBJOINED LETTER FIXED-FORM RA + {0x0FC6, 0x0FC6, prExtend}, // Mn TIBETAN SYMBOL PADMA GDAN + {0x102B, 0x102C, prExtend}, // Mc [2] MYANMAR VOWEL SIGN TALL AA..MYANMAR VOWEL SIGN AA + {0x102D, 0x1030, prExtend}, // Mn [4] MYANMAR VOWEL SIGN I..MYANMAR VOWEL SIGN UU + {0x1031, 0x1031, prExtend}, // Mc MYANMAR VOWEL SIGN E + {0x1032, 0x1037, prExtend}, // Mn [6] MYANMAR VOWEL SIGN AI..MYANMAR SIGN DOT BELOW + {0x1038, 0x1038, prExtend}, // Mc MYANMAR SIGN VISARGA + {0x1039, 0x103A, prExtend}, // Mn [2] MYANMAR SIGN VIRAMA..MYANMAR SIGN ASAT + {0x103B, 0x103C, prExtend}, // Mc [2] MYANMAR CONSONANT SIGN MEDIAL YA..MYANMAR CONSONANT SIGN MEDIAL RA + {0x103D, 0x103E, prExtend}, // Mn [2] MYANMAR CONSONANT SIGN MEDIAL WA..MYANMAR CONSONANT SIGN MEDIAL HA + {0x1040, 0x1049, prNumeric}, // Nd [10] MYANMAR DIGIT ZERO..MYANMAR DIGIT NINE + {0x1056, 0x1057, prExtend}, // Mc [2] MYANMAR VOWEL SIGN VOCALIC R..MYANMAR VOWEL SIGN VOCALIC RR + {0x1058, 0x1059, prExtend}, // Mn [2] MYANMAR VOWEL SIGN VOCALIC L..MYANMAR VOWEL SIGN VOCALIC LL + {0x105E, 0x1060, prExtend}, // Mn [3] MYANMAR CONSONANT SIGN MON MEDIAL NA..MYANMAR CONSONANT SIGN MON MEDIAL LA + {0x1062, 0x1064, prExtend}, // Mc [3] MYANMAR VOWEL SIGN SGAW KAREN EU..MYANMAR TONE MARK SGAW KAREN KE PHO + {0x1067, 0x106D, prExtend}, // Mc [7] MYANMAR VOWEL SIGN WESTERN PWO KAREN EU..MYANMAR SIGN WESTERN PWO KAREN TONE-5 + {0x1071, 0x1074, prExtend}, // Mn [4] MYANMAR VOWEL SIGN GEBA KAREN I..MYANMAR VOWEL SIGN KAYAH EE + {0x1082, 0x1082, prExtend}, // Mn MYANMAR CONSONANT SIGN SHAN MEDIAL WA + {0x1083, 0x1084, prExtend}, // Mc [2] MYANMAR VOWEL SIGN SHAN AA..MYANMAR VOWEL SIGN SHAN E + {0x1085, 0x1086, prExtend}, // Mn [2] MYANMAR VOWEL SIGN SHAN E ABOVE..MYANMAR VOWEL SIGN SHAN FINAL Y + {0x1087, 0x108C, prExtend}, // Mc [6] MYANMAR SIGN SHAN TONE-2..MYANMAR SIGN SHAN COUNCIL TONE-3 + {0x108D, 0x108D, prExtend}, // Mn MYANMAR SIGN SHAN COUNCIL EMPHATIC TONE + {0x108F, 0x108F, prExtend}, // Mc MYANMAR SIGN RUMAI PALAUNG TONE-5 + {0x1090, 0x1099, prNumeric}, // Nd [10] MYANMAR SHAN DIGIT ZERO..MYANMAR SHAN DIGIT NINE + {0x109A, 0x109C, prExtend}, // Mc [3] MYANMAR SIGN KHAMTI TONE-1..MYANMAR VOWEL SIGN AITON A + {0x109D, 0x109D, prExtend}, // Mn MYANMAR VOWEL SIGN AITON AI + {0x10A0, 0x10C5, prALetter}, // L& [38] GEORGIAN CAPITAL LETTER AN..GEORGIAN CAPITAL LETTER HOE + {0x10C7, 0x10C7, prALetter}, // L& GEORGIAN CAPITAL LETTER YN + {0x10CD, 0x10CD, prALetter}, // L& GEORGIAN CAPITAL LETTER AEN + {0x10D0, 0x10FA, prALetter}, // L& [43] GEORGIAN LETTER AN..GEORGIAN LETTER AIN + {0x10FC, 0x10FC, prALetter}, // Lm MODIFIER LETTER GEORGIAN NAR + {0x10FD, 0x10FF, prALetter}, // L& [3] GEORGIAN LETTER AEN..GEORGIAN LETTER LABIAL SIGN + {0x1100, 0x1248, prALetter}, // Lo [329] HANGUL CHOSEONG KIYEOK..ETHIOPIC SYLLABLE QWA + {0x124A, 0x124D, prALetter}, // Lo [4] ETHIOPIC SYLLABLE QWI..ETHIOPIC SYLLABLE QWE + {0x1250, 0x1256, prALetter}, // Lo [7] ETHIOPIC SYLLABLE QHA..ETHIOPIC SYLLABLE QHO + {0x1258, 0x1258, prALetter}, // Lo ETHIOPIC SYLLABLE QHWA + {0x125A, 0x125D, prALetter}, // Lo [4] ETHIOPIC SYLLABLE QHWI..ETHIOPIC SYLLABLE QHWE + {0x1260, 0x1288, prALetter}, // Lo [41] ETHIOPIC SYLLABLE BA..ETHIOPIC SYLLABLE XWA + {0x128A, 0x128D, prALetter}, // Lo [4] ETHIOPIC SYLLABLE XWI..ETHIOPIC SYLLABLE XWE + {0x1290, 0x12B0, prALetter}, // Lo [33] ETHIOPIC SYLLABLE NA..ETHIOPIC SYLLABLE KWA + {0x12B2, 0x12B5, prALetter}, // Lo [4] ETHIOPIC SYLLABLE KWI..ETHIOPIC SYLLABLE KWE + {0x12B8, 0x12BE, prALetter}, // Lo [7] ETHIOPIC SYLLABLE KXA..ETHIOPIC SYLLABLE KXO + {0x12C0, 0x12C0, prALetter}, // Lo ETHIOPIC SYLLABLE KXWA + {0x12C2, 0x12C5, prALetter}, // Lo [4] ETHIOPIC SYLLABLE KXWI..ETHIOPIC SYLLABLE KXWE + {0x12C8, 0x12D6, prALetter}, // Lo [15] ETHIOPIC SYLLABLE WA..ETHIOPIC SYLLABLE PHARYNGEAL O + {0x12D8, 0x1310, prALetter}, // Lo [57] ETHIOPIC SYLLABLE ZA..ETHIOPIC SYLLABLE GWA + {0x1312, 0x1315, prALetter}, // Lo [4] ETHIOPIC SYLLABLE GWI..ETHIOPIC SYLLABLE GWE + {0x1318, 0x135A, prALetter}, // Lo [67] ETHIOPIC SYLLABLE GGA..ETHIOPIC SYLLABLE FYA + {0x135D, 0x135F, prExtend}, // Mn [3] ETHIOPIC COMBINING GEMINATION AND VOWEL LENGTH MARK..ETHIOPIC COMBINING GEMINATION MARK + {0x1380, 0x138F, prALetter}, // Lo [16] ETHIOPIC SYLLABLE SEBATBEIT MWA..ETHIOPIC SYLLABLE PWE + {0x13A0, 0x13F5, prALetter}, // L& [86] CHEROKEE LETTER A..CHEROKEE LETTER MV + {0x13F8, 0x13FD, prALetter}, // L& [6] CHEROKEE SMALL LETTER YE..CHEROKEE SMALL LETTER MV + {0x1401, 0x166C, prALetter}, // Lo [620] CANADIAN SYLLABICS E..CANADIAN SYLLABICS CARRIER TTSA + {0x166F, 0x167F, prALetter}, // Lo [17] CANADIAN SYLLABICS QAI..CANADIAN SYLLABICS BLACKFOOT W + {0x1680, 0x1680, prWSegSpace}, // Zs OGHAM SPACE MARK + {0x1681, 0x169A, prALetter}, // Lo [26] OGHAM LETTER BEITH..OGHAM LETTER PEITH + {0x16A0, 0x16EA, prALetter}, // Lo [75] RUNIC LETTER FEHU FEOH FE F..RUNIC LETTER X + {0x16EE, 0x16F0, prALetter}, // Nl [3] RUNIC ARLAUG SYMBOL..RUNIC BELGTHOR SYMBOL + {0x16F1, 0x16F8, prALetter}, // Lo [8] RUNIC LETTER K..RUNIC LETTER FRANKS CASKET AESC + {0x1700, 0x1711, prALetter}, // Lo [18] TAGALOG LETTER A..TAGALOG LETTER HA + {0x1712, 0x1714, prExtend}, // Mn [3] TAGALOG VOWEL SIGN I..TAGALOG SIGN VIRAMA + {0x1715, 0x1715, prExtend}, // Mc TAGALOG SIGN PAMUDPOD + {0x171F, 0x1731, prALetter}, // Lo [19] TAGALOG LETTER ARCHAIC RA..HANUNOO LETTER HA + {0x1732, 0x1733, prExtend}, // Mn [2] HANUNOO VOWEL SIGN I..HANUNOO VOWEL SIGN U + {0x1734, 0x1734, prExtend}, // Mc HANUNOO SIGN PAMUDPOD + {0x1740, 0x1751, prALetter}, // Lo [18] BUHID LETTER A..BUHID LETTER HA + {0x1752, 0x1753, prExtend}, // Mn [2] BUHID VOWEL SIGN I..BUHID VOWEL SIGN U + {0x1760, 0x176C, prALetter}, // Lo [13] TAGBANWA LETTER A..TAGBANWA LETTER YA + {0x176E, 0x1770, prALetter}, // Lo [3] TAGBANWA LETTER LA..TAGBANWA LETTER SA + {0x1772, 0x1773, prExtend}, // Mn [2] TAGBANWA VOWEL SIGN I..TAGBANWA VOWEL SIGN U + {0x17B4, 0x17B5, prExtend}, // Mn [2] KHMER VOWEL INHERENT AQ..KHMER VOWEL INHERENT AA + {0x17B6, 0x17B6, prExtend}, // Mc KHMER VOWEL SIGN AA + {0x17B7, 0x17BD, prExtend}, // Mn [7] KHMER VOWEL SIGN I..KHMER VOWEL SIGN UA + {0x17BE, 0x17C5, prExtend}, // Mc [8] KHMER VOWEL SIGN OE..KHMER VOWEL SIGN AU + {0x17C6, 0x17C6, prExtend}, // Mn KHMER SIGN NIKAHIT + {0x17C7, 0x17C8, prExtend}, // Mc [2] KHMER SIGN REAHMUK..KHMER SIGN YUUKALEAPINTU + {0x17C9, 0x17D3, prExtend}, // Mn [11] KHMER SIGN MUUSIKATOAN..KHMER SIGN BATHAMASAT + {0x17DD, 0x17DD, prExtend}, // Mn KHMER SIGN ATTHACAN + {0x17E0, 0x17E9, prNumeric}, // Nd [10] KHMER DIGIT ZERO..KHMER DIGIT NINE + {0x180B, 0x180D, prExtend}, // Mn [3] MONGOLIAN FREE VARIATION SELECTOR ONE..MONGOLIAN FREE VARIATION SELECTOR THREE + {0x180E, 0x180E, prFormat}, // Cf MONGOLIAN VOWEL SEPARATOR + {0x180F, 0x180F, prExtend}, // Mn MONGOLIAN FREE VARIATION SELECTOR FOUR + {0x1810, 0x1819, prNumeric}, // Nd [10] MONGOLIAN DIGIT ZERO..MONGOLIAN DIGIT NINE + {0x1820, 0x1842, prALetter}, // Lo [35] MONGOLIAN LETTER A..MONGOLIAN LETTER CHI + {0x1843, 0x1843, prALetter}, // Lm MONGOLIAN LETTER TODO LONG VOWEL SIGN + {0x1844, 0x1878, prALetter}, // Lo [53] MONGOLIAN LETTER TODO E..MONGOLIAN LETTER CHA WITH TWO DOTS + {0x1880, 0x1884, prALetter}, // Lo [5] MONGOLIAN LETTER ALI GALI ANUSVARA ONE..MONGOLIAN LETTER ALI GALI INVERTED UBADAMA + {0x1885, 0x1886, prExtend}, // Mn [2] MONGOLIAN LETTER ALI GALI BALUDA..MONGOLIAN LETTER ALI GALI THREE BALUDA + {0x1887, 0x18A8, prALetter}, // Lo [34] MONGOLIAN LETTER ALI GALI A..MONGOLIAN LETTER MANCHU ALI GALI BHA + {0x18A9, 0x18A9, prExtend}, // Mn MONGOLIAN LETTER ALI GALI DAGALGA + {0x18AA, 0x18AA, prALetter}, // Lo MONGOLIAN LETTER MANCHU ALI GALI LHA + {0x18B0, 0x18F5, prALetter}, // Lo [70] CANADIAN SYLLABICS OY..CANADIAN SYLLABICS CARRIER DENTAL S + {0x1900, 0x191E, prALetter}, // Lo [31] LIMBU VOWEL-CARRIER LETTER..LIMBU LETTER TRA + {0x1920, 0x1922, prExtend}, // Mn [3] LIMBU VOWEL SIGN A..LIMBU VOWEL SIGN U + {0x1923, 0x1926, prExtend}, // Mc [4] LIMBU VOWEL SIGN EE..LIMBU VOWEL SIGN AU + {0x1927, 0x1928, prExtend}, // Mn [2] LIMBU VOWEL SIGN E..LIMBU VOWEL SIGN O + {0x1929, 0x192B, prExtend}, // Mc [3] LIMBU SUBJOINED LETTER YA..LIMBU SUBJOINED LETTER WA + {0x1930, 0x1931, prExtend}, // Mc [2] LIMBU SMALL LETTER KA..LIMBU SMALL LETTER NGA + {0x1932, 0x1932, prExtend}, // Mn LIMBU SMALL LETTER ANUSVARA + {0x1933, 0x1938, prExtend}, // Mc [6] LIMBU SMALL LETTER TA..LIMBU SMALL LETTER LA + {0x1939, 0x193B, prExtend}, // Mn [3] LIMBU SIGN MUKPHRENG..LIMBU SIGN SA-I + {0x1946, 0x194F, prNumeric}, // Nd [10] LIMBU DIGIT ZERO..LIMBU DIGIT NINE + {0x19D0, 0x19D9, prNumeric}, // Nd [10] NEW TAI LUE DIGIT ZERO..NEW TAI LUE DIGIT NINE + {0x1A00, 0x1A16, prALetter}, // Lo [23] BUGINESE LETTER KA..BUGINESE LETTER HA + {0x1A17, 0x1A18, prExtend}, // Mn [2] BUGINESE VOWEL SIGN I..BUGINESE VOWEL SIGN U + {0x1A19, 0x1A1A, prExtend}, // Mc [2] BUGINESE VOWEL SIGN E..BUGINESE VOWEL SIGN O + {0x1A1B, 0x1A1B, prExtend}, // Mn BUGINESE VOWEL SIGN AE + {0x1A55, 0x1A55, prExtend}, // Mc TAI THAM CONSONANT SIGN MEDIAL RA + {0x1A56, 0x1A56, prExtend}, // Mn TAI THAM CONSONANT SIGN MEDIAL LA + {0x1A57, 0x1A57, prExtend}, // Mc TAI THAM CONSONANT SIGN LA TANG LAI + {0x1A58, 0x1A5E, prExtend}, // Mn [7] TAI THAM SIGN MAI KANG LAI..TAI THAM CONSONANT SIGN SA + {0x1A60, 0x1A60, prExtend}, // Mn TAI THAM SIGN SAKOT + {0x1A61, 0x1A61, prExtend}, // Mc TAI THAM VOWEL SIGN A + {0x1A62, 0x1A62, prExtend}, // Mn TAI THAM VOWEL SIGN MAI SAT + {0x1A63, 0x1A64, prExtend}, // Mc [2] TAI THAM VOWEL SIGN AA..TAI THAM VOWEL SIGN TALL AA + {0x1A65, 0x1A6C, prExtend}, // Mn [8] TAI THAM VOWEL SIGN I..TAI THAM VOWEL SIGN OA BELOW + {0x1A6D, 0x1A72, prExtend}, // Mc [6] TAI THAM VOWEL SIGN OY..TAI THAM VOWEL SIGN THAM AI + {0x1A73, 0x1A7C, prExtend}, // Mn [10] TAI THAM VOWEL SIGN OA ABOVE..TAI THAM SIGN KHUEN-LUE KARAN + {0x1A7F, 0x1A7F, prExtend}, // Mn TAI THAM COMBINING CRYPTOGRAMMIC DOT + {0x1A80, 0x1A89, prNumeric}, // Nd [10] TAI THAM HORA DIGIT ZERO..TAI THAM HORA DIGIT NINE + {0x1A90, 0x1A99, prNumeric}, // Nd [10] TAI THAM THAM DIGIT ZERO..TAI THAM THAM DIGIT NINE + {0x1AB0, 0x1ABD, prExtend}, // Mn [14] COMBINING DOUBLED CIRCUMFLEX ACCENT..COMBINING PARENTHESES BELOW + {0x1ABE, 0x1ABE, prExtend}, // Me COMBINING PARENTHESES OVERLAY + {0x1ABF, 0x1ACE, prExtend}, // Mn [16] COMBINING LATIN SMALL LETTER W BELOW..COMBINING LATIN SMALL LETTER INSULAR T + {0x1B00, 0x1B03, prExtend}, // Mn [4] BALINESE SIGN ULU RICEM..BALINESE SIGN SURANG + {0x1B04, 0x1B04, prExtend}, // Mc BALINESE SIGN BISAH + {0x1B05, 0x1B33, prALetter}, // Lo [47] BALINESE LETTER AKARA..BALINESE LETTER HA + {0x1B34, 0x1B34, prExtend}, // Mn BALINESE SIGN REREKAN + {0x1B35, 0x1B35, prExtend}, // Mc BALINESE VOWEL SIGN TEDUNG + {0x1B36, 0x1B3A, prExtend}, // Mn [5] BALINESE VOWEL SIGN ULU..BALINESE VOWEL SIGN RA REPA + {0x1B3B, 0x1B3B, prExtend}, // Mc BALINESE VOWEL SIGN RA REPA TEDUNG + {0x1B3C, 0x1B3C, prExtend}, // Mn BALINESE VOWEL SIGN LA LENGA + {0x1B3D, 0x1B41, prExtend}, // Mc [5] BALINESE VOWEL SIGN LA LENGA TEDUNG..BALINESE VOWEL SIGN TALING REPA TEDUNG + {0x1B42, 0x1B42, prExtend}, // Mn BALINESE VOWEL SIGN PEPET + {0x1B43, 0x1B44, prExtend}, // Mc [2] BALINESE VOWEL SIGN PEPET TEDUNG..BALINESE ADEG ADEG + {0x1B45, 0x1B4C, prALetter}, // Lo [8] BALINESE LETTER KAF SASAK..BALINESE LETTER ARCHAIC JNYA + {0x1B50, 0x1B59, prNumeric}, // Nd [10] BALINESE DIGIT ZERO..BALINESE DIGIT NINE + {0x1B6B, 0x1B73, prExtend}, // Mn [9] BALINESE MUSICAL SYMBOL COMBINING TEGEH..BALINESE MUSICAL SYMBOL COMBINING GONG + {0x1B80, 0x1B81, prExtend}, // Mn [2] SUNDANESE SIGN PANYECEK..SUNDANESE SIGN PANGLAYAR + {0x1B82, 0x1B82, prExtend}, // Mc SUNDANESE SIGN PANGWISAD + {0x1B83, 0x1BA0, prALetter}, // Lo [30] SUNDANESE LETTER A..SUNDANESE LETTER HA + {0x1BA1, 0x1BA1, prExtend}, // Mc SUNDANESE CONSONANT SIGN PAMINGKAL + {0x1BA2, 0x1BA5, prExtend}, // Mn [4] SUNDANESE CONSONANT SIGN PANYAKRA..SUNDANESE VOWEL SIGN PANYUKU + {0x1BA6, 0x1BA7, prExtend}, // Mc [2] SUNDANESE VOWEL SIGN PANAELAENG..SUNDANESE VOWEL SIGN PANOLONG + {0x1BA8, 0x1BA9, prExtend}, // Mn [2] SUNDANESE VOWEL SIGN PAMEPET..SUNDANESE VOWEL SIGN PANEULEUNG + {0x1BAA, 0x1BAA, prExtend}, // Mc SUNDANESE SIGN PAMAAEH + {0x1BAB, 0x1BAD, prExtend}, // Mn [3] SUNDANESE SIGN VIRAMA..SUNDANESE CONSONANT SIGN PASANGAN WA + {0x1BAE, 0x1BAF, prALetter}, // Lo [2] SUNDANESE LETTER KHA..SUNDANESE LETTER SYA + {0x1BB0, 0x1BB9, prNumeric}, // Nd [10] SUNDANESE DIGIT ZERO..SUNDANESE DIGIT NINE + {0x1BBA, 0x1BE5, prALetter}, // Lo [44] SUNDANESE AVAGRAHA..BATAK LETTER U + {0x1BE6, 0x1BE6, prExtend}, // Mn BATAK SIGN TOMPI + {0x1BE7, 0x1BE7, prExtend}, // Mc BATAK VOWEL SIGN E + {0x1BE8, 0x1BE9, prExtend}, // Mn [2] BATAK VOWEL SIGN PAKPAK E..BATAK VOWEL SIGN EE + {0x1BEA, 0x1BEC, prExtend}, // Mc [3] BATAK VOWEL SIGN I..BATAK VOWEL SIGN O + {0x1BED, 0x1BED, prExtend}, // Mn BATAK VOWEL SIGN KARO O + {0x1BEE, 0x1BEE, prExtend}, // Mc BATAK VOWEL SIGN U + {0x1BEF, 0x1BF1, prExtend}, // Mn [3] BATAK VOWEL SIGN U FOR SIMALUNGUN SA..BATAK CONSONANT SIGN H + {0x1BF2, 0x1BF3, prExtend}, // Mc [2] BATAK PANGOLAT..BATAK PANONGONAN + {0x1C00, 0x1C23, prALetter}, // Lo [36] LEPCHA LETTER KA..LEPCHA LETTER A + {0x1C24, 0x1C2B, prExtend}, // Mc [8] LEPCHA SUBJOINED LETTER YA..LEPCHA VOWEL SIGN UU + {0x1C2C, 0x1C33, prExtend}, // Mn [8] LEPCHA VOWEL SIGN E..LEPCHA CONSONANT SIGN T + {0x1C34, 0x1C35, prExtend}, // Mc [2] LEPCHA CONSONANT SIGN NYIN-DO..LEPCHA CONSONANT SIGN KANG + {0x1C36, 0x1C37, prExtend}, // Mn [2] LEPCHA SIGN RAN..LEPCHA SIGN NUKTA + {0x1C40, 0x1C49, prNumeric}, // Nd [10] LEPCHA DIGIT ZERO..LEPCHA DIGIT NINE + {0x1C4D, 0x1C4F, prALetter}, // Lo [3] LEPCHA LETTER TTA..LEPCHA LETTER DDA + {0x1C50, 0x1C59, prNumeric}, // Nd [10] OL CHIKI DIGIT ZERO..OL CHIKI DIGIT NINE + {0x1C5A, 0x1C77, prALetter}, // Lo [30] OL CHIKI LETTER LA..OL CHIKI LETTER OH + {0x1C78, 0x1C7D, prALetter}, // Lm [6] OL CHIKI MU TTUDDAG..OL CHIKI AHAD + {0x1C80, 0x1C88, prALetter}, // L& [9] CYRILLIC SMALL LETTER ROUNDED VE..CYRILLIC SMALL LETTER UNBLENDED UK + {0x1C90, 0x1CBA, prALetter}, // L& [43] GEORGIAN MTAVRULI CAPITAL LETTER AN..GEORGIAN MTAVRULI CAPITAL LETTER AIN + {0x1CBD, 0x1CBF, prALetter}, // L& [3] GEORGIAN MTAVRULI CAPITAL LETTER AEN..GEORGIAN MTAVRULI CAPITAL LETTER LABIAL SIGN + {0x1CD0, 0x1CD2, prExtend}, // Mn [3] VEDIC TONE KARSHANA..VEDIC TONE PRENKHA + {0x1CD4, 0x1CE0, prExtend}, // Mn [13] VEDIC SIGN YAJURVEDIC MIDLINE SVARITA..VEDIC TONE RIGVEDIC KASHMIRI INDEPENDENT SVARITA + {0x1CE1, 0x1CE1, prExtend}, // Mc VEDIC TONE ATHARVAVEDIC INDEPENDENT SVARITA + {0x1CE2, 0x1CE8, prExtend}, // Mn [7] VEDIC SIGN VISARGA SVARITA..VEDIC SIGN VISARGA ANUDATTA WITH TAIL + {0x1CE9, 0x1CEC, prALetter}, // Lo [4] VEDIC SIGN ANUSVARA ANTARGOMUKHA..VEDIC SIGN ANUSVARA VAMAGOMUKHA WITH TAIL + {0x1CED, 0x1CED, prExtend}, // Mn VEDIC SIGN TIRYAK + {0x1CEE, 0x1CF3, prALetter}, // Lo [6] VEDIC SIGN HEXIFORM LONG ANUSVARA..VEDIC SIGN ROTATED ARDHAVISARGA + {0x1CF4, 0x1CF4, prExtend}, // Mn VEDIC TONE CANDRA ABOVE + {0x1CF5, 0x1CF6, prALetter}, // Lo [2] VEDIC SIGN JIHVAMULIYA..VEDIC SIGN UPADHMANIYA + {0x1CF7, 0x1CF7, prExtend}, // Mc VEDIC SIGN ATIKRAMA + {0x1CF8, 0x1CF9, prExtend}, // Mn [2] VEDIC TONE RING ABOVE..VEDIC TONE DOUBLE RING ABOVE + {0x1CFA, 0x1CFA, prALetter}, // Lo VEDIC SIGN DOUBLE ANUSVARA ANTARGOMUKHA + {0x1D00, 0x1D2B, prALetter}, // L& [44] LATIN LETTER SMALL CAPITAL A..CYRILLIC LETTER SMALL CAPITAL EL + {0x1D2C, 0x1D6A, prALetter}, // Lm [63] MODIFIER LETTER CAPITAL A..GREEK SUBSCRIPT SMALL LETTER CHI + {0x1D6B, 0x1D77, prALetter}, // L& [13] LATIN SMALL LETTER UE..LATIN SMALL LETTER TURNED G + {0x1D78, 0x1D78, prALetter}, // Lm MODIFIER LETTER CYRILLIC EN + {0x1D79, 0x1D9A, prALetter}, // L& [34] LATIN SMALL LETTER INSULAR G..LATIN SMALL LETTER EZH WITH RETROFLEX HOOK + {0x1D9B, 0x1DBF, prALetter}, // Lm [37] MODIFIER LETTER SMALL TURNED ALPHA..MODIFIER LETTER SMALL THETA + {0x1DC0, 0x1DFF, prExtend}, // Mn [64] COMBINING DOTTED GRAVE ACCENT..COMBINING RIGHT ARROWHEAD AND DOWN ARROWHEAD BELOW + {0x1E00, 0x1F15, prALetter}, // L& [278] LATIN CAPITAL LETTER A WITH RING BELOW..GREEK SMALL LETTER EPSILON WITH DASIA AND OXIA + {0x1F18, 0x1F1D, prALetter}, // L& [6] GREEK CAPITAL LETTER EPSILON WITH PSILI..GREEK CAPITAL LETTER EPSILON WITH DASIA AND OXIA + {0x1F20, 0x1F45, prALetter}, // L& [38] GREEK SMALL LETTER ETA WITH PSILI..GREEK SMALL LETTER OMICRON WITH DASIA AND OXIA + {0x1F48, 0x1F4D, prALetter}, // L& [6] GREEK CAPITAL LETTER OMICRON WITH PSILI..GREEK CAPITAL LETTER OMICRON WITH DASIA AND OXIA + {0x1F50, 0x1F57, prALetter}, // L& [8] GREEK SMALL LETTER UPSILON WITH PSILI..GREEK SMALL LETTER UPSILON WITH DASIA AND PERISPOMENI + {0x1F59, 0x1F59, prALetter}, // L& GREEK CAPITAL LETTER UPSILON WITH DASIA + {0x1F5B, 0x1F5B, prALetter}, // L& GREEK CAPITAL LETTER UPSILON WITH DASIA AND VARIA + {0x1F5D, 0x1F5D, prALetter}, // L& GREEK CAPITAL LETTER UPSILON WITH DASIA AND OXIA + {0x1F5F, 0x1F7D, prALetter}, // L& [31] GREEK CAPITAL LETTER UPSILON WITH DASIA AND PERISPOMENI..GREEK SMALL LETTER OMEGA WITH OXIA + {0x1F80, 0x1FB4, prALetter}, // L& [53] GREEK SMALL LETTER ALPHA WITH PSILI AND YPOGEGRAMMENI..GREEK SMALL LETTER ALPHA WITH OXIA AND YPOGEGRAMMENI + {0x1FB6, 0x1FBC, prALetter}, // L& [7] GREEK SMALL LETTER ALPHA WITH PERISPOMENI..GREEK CAPITAL LETTER ALPHA WITH PROSGEGRAMMENI + {0x1FBE, 0x1FBE, prALetter}, // L& GREEK PROSGEGRAMMENI + {0x1FC2, 0x1FC4, prALetter}, // L& [3] GREEK SMALL LETTER ETA WITH VARIA AND YPOGEGRAMMENI..GREEK SMALL LETTER ETA WITH OXIA AND YPOGEGRAMMENI + {0x1FC6, 0x1FCC, prALetter}, // L& [7] GREEK SMALL LETTER ETA WITH PERISPOMENI..GREEK CAPITAL LETTER ETA WITH PROSGEGRAMMENI + {0x1FD0, 0x1FD3, prALetter}, // L& [4] GREEK SMALL LETTER IOTA WITH VRACHY..GREEK SMALL LETTER IOTA WITH DIALYTIKA AND OXIA + {0x1FD6, 0x1FDB, prALetter}, // L& [6] GREEK SMALL LETTER IOTA WITH PERISPOMENI..GREEK CAPITAL LETTER IOTA WITH OXIA + {0x1FE0, 0x1FEC, prALetter}, // L& [13] GREEK SMALL LETTER UPSILON WITH VRACHY..GREEK CAPITAL LETTER RHO WITH DASIA + {0x1FF2, 0x1FF4, prALetter}, // L& [3] GREEK SMALL LETTER OMEGA WITH VARIA AND YPOGEGRAMMENI..GREEK SMALL LETTER OMEGA WITH OXIA AND YPOGEGRAMMENI + {0x1FF6, 0x1FFC, prALetter}, // L& [7] GREEK SMALL LETTER OMEGA WITH PERISPOMENI..GREEK CAPITAL LETTER OMEGA WITH PROSGEGRAMMENI + {0x2000, 0x2006, prWSegSpace}, // Zs [7] EN QUAD..SIX-PER-EM SPACE + {0x2008, 0x200A, prWSegSpace}, // Zs [3] PUNCTUATION SPACE..HAIR SPACE + {0x200C, 0x200C, prExtend}, // Cf ZERO WIDTH NON-JOINER + {0x200D, 0x200D, prZWJ}, // Cf ZERO WIDTH JOINER + {0x200E, 0x200F, prFormat}, // Cf [2] LEFT-TO-RIGHT MARK..RIGHT-TO-LEFT MARK + {0x2018, 0x2018, prMidNumLet}, // Pi LEFT SINGLE QUOTATION MARK + {0x2019, 0x2019, prMidNumLet}, // Pf RIGHT SINGLE QUOTATION MARK + {0x2024, 0x2024, prMidNumLet}, // Po ONE DOT LEADER + {0x2027, 0x2027, prMidLetter}, // Po HYPHENATION POINT + {0x2028, 0x2028, prNewline}, // Zl LINE SEPARATOR + {0x2029, 0x2029, prNewline}, // Zp PARAGRAPH SEPARATOR + {0x202A, 0x202E, prFormat}, // Cf [5] LEFT-TO-RIGHT EMBEDDING..RIGHT-TO-LEFT OVERRIDE + {0x202F, 0x202F, prExtendNumLet}, // Zs NARROW NO-BREAK SPACE + {0x203C, 0x203C, prExtendedPictographic}, // E0.6 [1] (‼ï¸) double exclamation mark + {0x203F, 0x2040, prExtendNumLet}, // Pc [2] UNDERTIE..CHARACTER TIE + {0x2044, 0x2044, prMidNum}, // Sm FRACTION SLASH + {0x2049, 0x2049, prExtendedPictographic}, // E0.6 [1] (â‰ï¸) exclamation question mark + {0x2054, 0x2054, prExtendNumLet}, // Pc INVERTED UNDERTIE + {0x205F, 0x205F, prWSegSpace}, // Zs MEDIUM MATHEMATICAL SPACE + {0x2060, 0x2064, prFormat}, // Cf [5] WORD JOINER..INVISIBLE PLUS + {0x2066, 0x206F, prFormat}, // Cf [10] LEFT-TO-RIGHT ISOLATE..NOMINAL DIGIT SHAPES + {0x2071, 0x2071, prALetter}, // Lm SUPERSCRIPT LATIN SMALL LETTER I + {0x207F, 0x207F, prALetter}, // Lm SUPERSCRIPT LATIN SMALL LETTER N + {0x2090, 0x209C, prALetter}, // Lm [13] LATIN SUBSCRIPT SMALL LETTER A..LATIN SUBSCRIPT SMALL LETTER T + {0x20D0, 0x20DC, prExtend}, // Mn [13] COMBINING LEFT HARPOON ABOVE..COMBINING FOUR DOTS ABOVE + {0x20DD, 0x20E0, prExtend}, // Me [4] COMBINING ENCLOSING CIRCLE..COMBINING ENCLOSING CIRCLE BACKSLASH + {0x20E1, 0x20E1, prExtend}, // Mn COMBINING LEFT RIGHT ARROW ABOVE + {0x20E2, 0x20E4, prExtend}, // Me [3] COMBINING ENCLOSING SCREEN..COMBINING ENCLOSING UPWARD POINTING TRIANGLE + {0x20E5, 0x20F0, prExtend}, // Mn [12] COMBINING REVERSE SOLIDUS OVERLAY..COMBINING ASTERISK ABOVE + {0x2102, 0x2102, prALetter}, // L& DOUBLE-STRUCK CAPITAL C + {0x2107, 0x2107, prALetter}, // L& EULER CONSTANT + {0x210A, 0x2113, prALetter}, // L& [10] SCRIPT SMALL G..SCRIPT SMALL L + {0x2115, 0x2115, prALetter}, // L& DOUBLE-STRUCK CAPITAL N + {0x2119, 0x211D, prALetter}, // L& [5] DOUBLE-STRUCK CAPITAL P..DOUBLE-STRUCK CAPITAL R + {0x2122, 0x2122, prExtendedPictographic}, // E0.6 [1] (â„¢ï¸) trade mark + {0x2124, 0x2124, prALetter}, // L& DOUBLE-STRUCK CAPITAL Z + {0x2126, 0x2126, prALetter}, // L& OHM SIGN + {0x2128, 0x2128, prALetter}, // L& BLACK-LETTER CAPITAL Z + {0x212A, 0x212D, prALetter}, // L& [4] KELVIN SIGN..BLACK-LETTER CAPITAL C + {0x212F, 0x2134, prALetter}, // L& [6] SCRIPT SMALL E..SCRIPT SMALL O + {0x2135, 0x2138, prALetter}, // Lo [4] ALEF SYMBOL..DALET SYMBOL + {0x2139, 0x2139, prExtendedPictographic}, // E0.6 [1] (ℹï¸) information + {0x2139, 0x2139, prALetter}, // L& INFORMATION SOURCE + {0x213C, 0x213F, prALetter}, // L& [4] DOUBLE-STRUCK SMALL PI..DOUBLE-STRUCK CAPITAL PI + {0x2145, 0x2149, prALetter}, // L& [5] DOUBLE-STRUCK ITALIC CAPITAL D..DOUBLE-STRUCK ITALIC SMALL J + {0x214E, 0x214E, prALetter}, // L& TURNED SMALL F + {0x2160, 0x2182, prALetter}, // Nl [35] ROMAN NUMERAL ONE..ROMAN NUMERAL TEN THOUSAND + {0x2183, 0x2184, prALetter}, // L& [2] ROMAN NUMERAL REVERSED ONE HUNDRED..LATIN SMALL LETTER REVERSED C + {0x2185, 0x2188, prALetter}, // Nl [4] ROMAN NUMERAL SIX LATE FORM..ROMAN NUMERAL ONE HUNDRED THOUSAND + {0x2194, 0x2199, prExtendedPictographic}, // E0.6 [6] (↔ï¸..↙ï¸) left-right arrow..down-left arrow + {0x21A9, 0x21AA, prExtendedPictographic}, // E0.6 [2] (↩ï¸..↪ï¸) right arrow curving left..left arrow curving right + {0x231A, 0x231B, prExtendedPictographic}, // E0.6 [2] (⌚..⌛) watch..hourglass done + {0x2328, 0x2328, prExtendedPictographic}, // E1.0 [1] (⌨ï¸) keyboard + {0x2388, 0x2388, prExtendedPictographic}, // E0.0 [1] (⎈) HELM SYMBOL + {0x23CF, 0x23CF, prExtendedPictographic}, // E1.0 [1] (âï¸) eject button + {0x23E9, 0x23EC, prExtendedPictographic}, // E0.6 [4] (â©..â¬) fast-forward button..fast down button + {0x23ED, 0x23EE, prExtendedPictographic}, // E0.7 [2] (â­ï¸..â®ï¸) next track button..last track button + {0x23EF, 0x23EF, prExtendedPictographic}, // E1.0 [1] (â¯ï¸) play or pause button + {0x23F0, 0x23F0, prExtendedPictographic}, // E0.6 [1] (â°) alarm clock + {0x23F1, 0x23F2, prExtendedPictographic}, // E1.0 [2] (â±ï¸..â²ï¸) stopwatch..timer clock + {0x23F3, 0x23F3, prExtendedPictographic}, // E0.6 [1] (â³) hourglass not done + {0x23F8, 0x23FA, prExtendedPictographic}, // E0.7 [3] (â¸ï¸..âºï¸) pause button..record button + {0x24B6, 0x24E9, prALetter}, // So [52] CIRCLED LATIN CAPITAL LETTER A..CIRCLED LATIN SMALL LETTER Z + {0x24C2, 0x24C2, prExtendedPictographic}, // E0.6 [1] (â“‚ï¸) circled M + {0x25AA, 0x25AB, prExtendedPictographic}, // E0.6 [2] (â–ªï¸..â–«ï¸) black small square..white small square + {0x25B6, 0x25B6, prExtendedPictographic}, // E0.6 [1] (â–¶ï¸) play button + {0x25C0, 0x25C0, prExtendedPictographic}, // E0.6 [1] (â—€ï¸) reverse button + {0x25FB, 0x25FE, prExtendedPictographic}, // E0.6 [4] (â—»ï¸..â—¾) white medium square..black medium-small square + {0x2600, 0x2601, prExtendedPictographic}, // E0.6 [2] (☀ï¸..â˜ï¸) sun..cloud + {0x2602, 0x2603, prExtendedPictographic}, // E0.7 [2] (☂ï¸..☃ï¸) umbrella..snowman + {0x2604, 0x2604, prExtendedPictographic}, // E1.0 [1] (☄ï¸) comet + {0x2605, 0x2605, prExtendedPictographic}, // E0.0 [1] (★) BLACK STAR + {0x2607, 0x260D, prExtendedPictographic}, // E0.0 [7] (☇..â˜) LIGHTNING..OPPOSITION + {0x260E, 0x260E, prExtendedPictographic}, // E0.6 [1] (☎ï¸) telephone + {0x260F, 0x2610, prExtendedPictographic}, // E0.0 [2] (â˜..â˜) WHITE TELEPHONE..BALLOT BOX + {0x2611, 0x2611, prExtendedPictographic}, // E0.6 [1] (☑ï¸) check box with check + {0x2612, 0x2612, prExtendedPictographic}, // E0.0 [1] (☒) BALLOT BOX WITH X + {0x2614, 0x2615, prExtendedPictographic}, // E0.6 [2] (☔..☕) umbrella with rain drops..hot beverage + {0x2616, 0x2617, prExtendedPictographic}, // E0.0 [2] (☖..☗) WHITE SHOGI PIECE..BLACK SHOGI PIECE + {0x2618, 0x2618, prExtendedPictographic}, // E1.0 [1] (☘ï¸) shamrock + {0x2619, 0x261C, prExtendedPictographic}, // E0.0 [4] (☙..☜) REVERSED ROTATED FLORAL HEART BULLET..WHITE LEFT POINTING INDEX + {0x261D, 0x261D, prExtendedPictographic}, // E0.6 [1] (â˜ï¸) index pointing up + {0x261E, 0x261F, prExtendedPictographic}, // E0.0 [2] (☞..☟) WHITE RIGHT POINTING INDEX..WHITE DOWN POINTING INDEX + {0x2620, 0x2620, prExtendedPictographic}, // E1.0 [1] (☠ï¸) skull and crossbones + {0x2621, 0x2621, prExtendedPictographic}, // E0.0 [1] (☡) CAUTION SIGN + {0x2622, 0x2623, prExtendedPictographic}, // E1.0 [2] (☢ï¸..☣ï¸) radioactive..biohazard + {0x2624, 0x2625, prExtendedPictographic}, // E0.0 [2] (☤..☥) CADUCEUS..ANKH + {0x2626, 0x2626, prExtendedPictographic}, // E1.0 [1] (☦ï¸) orthodox cross + {0x2627, 0x2629, prExtendedPictographic}, // E0.0 [3] (☧..☩) CHI RHO..CROSS OF JERUSALEM + {0x262A, 0x262A, prExtendedPictographic}, // E0.7 [1] (☪ï¸) star and crescent + {0x262B, 0x262D, prExtendedPictographic}, // E0.0 [3] (☫..☭) FARSI SYMBOL..HAMMER AND SICKLE + {0x262E, 0x262E, prExtendedPictographic}, // E1.0 [1] (☮ï¸) peace symbol + {0x262F, 0x262F, prExtendedPictographic}, // E0.7 [1] (☯ï¸) yin yang + {0x2630, 0x2637, prExtendedPictographic}, // E0.0 [8] (☰..☷) TRIGRAM FOR HEAVEN..TRIGRAM FOR EARTH + {0x2638, 0x2639, prExtendedPictographic}, // E0.7 [2] (☸ï¸..☹ï¸) wheel of dharma..frowning face + {0x263A, 0x263A, prExtendedPictographic}, // E0.6 [1] (☺ï¸) smiling face + {0x263B, 0x263F, prExtendedPictographic}, // E0.0 [5] (☻..☿) BLACK SMILING FACE..MERCURY + {0x2640, 0x2640, prExtendedPictographic}, // E4.0 [1] (♀ï¸) female sign + {0x2641, 0x2641, prExtendedPictographic}, // E0.0 [1] (â™) EARTH + {0x2642, 0x2642, prExtendedPictographic}, // E4.0 [1] (♂ï¸) male sign + {0x2643, 0x2647, prExtendedPictographic}, // E0.0 [5] (♃..♇) JUPITER..PLUTO + {0x2648, 0x2653, prExtendedPictographic}, // E0.6 [12] (♈..♓) Aries..Pisces + {0x2654, 0x265E, prExtendedPictographic}, // E0.0 [11] (â™”..♞) WHITE CHESS KING..BLACK CHESS KNIGHT + {0x265F, 0x265F, prExtendedPictographic}, // E11.0 [1] (♟ï¸) chess pawn + {0x2660, 0x2660, prExtendedPictographic}, // E0.6 [1] (â™ ï¸) spade suit + {0x2661, 0x2662, prExtendedPictographic}, // E0.0 [2] (♡..♢) WHITE HEART SUIT..WHITE DIAMOND SUIT + {0x2663, 0x2663, prExtendedPictographic}, // E0.6 [1] (♣ï¸) club suit + {0x2664, 0x2664, prExtendedPictographic}, // E0.0 [1] (♤) WHITE SPADE SUIT + {0x2665, 0x2666, prExtendedPictographic}, // E0.6 [2] (♥ï¸..♦ï¸) heart suit..diamond suit + {0x2667, 0x2667, prExtendedPictographic}, // E0.0 [1] (♧) WHITE CLUB SUIT + {0x2668, 0x2668, prExtendedPictographic}, // E0.6 [1] (♨ï¸) hot springs + {0x2669, 0x267A, prExtendedPictographic}, // E0.0 [18] (♩..♺) QUARTER NOTE..RECYCLING SYMBOL FOR GENERIC MATERIALS + {0x267B, 0x267B, prExtendedPictographic}, // E0.6 [1] (â™»ï¸) recycling symbol + {0x267C, 0x267D, prExtendedPictographic}, // E0.0 [2] (♼..♽) RECYCLED PAPER SYMBOL..PARTIALLY-RECYCLED PAPER SYMBOL + {0x267E, 0x267E, prExtendedPictographic}, // E11.0 [1] (♾ï¸) infinity + {0x267F, 0x267F, prExtendedPictographic}, // E0.6 [1] (♿) wheelchair symbol + {0x2680, 0x2685, prExtendedPictographic}, // E0.0 [6] (⚀..âš…) DIE FACE-1..DIE FACE-6 + {0x2690, 0x2691, prExtendedPictographic}, // E0.0 [2] (âš..âš‘) WHITE FLAG..BLACK FLAG + {0x2692, 0x2692, prExtendedPictographic}, // E1.0 [1] (âš’ï¸) hammer and pick + {0x2693, 0x2693, prExtendedPictographic}, // E0.6 [1] (âš“) anchor + {0x2694, 0x2694, prExtendedPictographic}, // E1.0 [1] (âš”ï¸) crossed swords + {0x2695, 0x2695, prExtendedPictographic}, // E4.0 [1] (âš•ï¸) medical symbol + {0x2696, 0x2697, prExtendedPictographic}, // E1.0 [2] (âš–ï¸..âš—ï¸) balance scale..alembic + {0x2698, 0x2698, prExtendedPictographic}, // E0.0 [1] (⚘) FLOWER + {0x2699, 0x2699, prExtendedPictographic}, // E1.0 [1] (âš™ï¸) gear + {0x269A, 0x269A, prExtendedPictographic}, // E0.0 [1] (âšš) STAFF OF HERMES + {0x269B, 0x269C, prExtendedPictographic}, // E1.0 [2] (âš›ï¸..âšœï¸) atom symbol..fleur-de-lis + {0x269D, 0x269F, prExtendedPictographic}, // E0.0 [3] (âš..⚟) OUTLINED WHITE STAR..THREE LINES CONVERGING LEFT + {0x26A0, 0x26A1, prExtendedPictographic}, // E0.6 [2] (âš ï¸..âš¡) warning..high voltage + {0x26A2, 0x26A6, prExtendedPictographic}, // E0.0 [5] (⚢..⚦) DOUBLED FEMALE SIGN..MALE WITH STROKE SIGN + {0x26A7, 0x26A7, prExtendedPictographic}, // E13.0 [1] (⚧ï¸) transgender symbol + {0x26A8, 0x26A9, prExtendedPictographic}, // E0.0 [2] (⚨..âš©) VERTICAL MALE WITH STROKE SIGN..HORIZONTAL MALE WITH STROKE SIGN + {0x26AA, 0x26AB, prExtendedPictographic}, // E0.6 [2] (⚪..âš«) white circle..black circle + {0x26AC, 0x26AF, prExtendedPictographic}, // E0.0 [4] (⚬..⚯) MEDIUM SMALL WHITE CIRCLE..UNMARRIED PARTNERSHIP SYMBOL + {0x26B0, 0x26B1, prExtendedPictographic}, // E1.0 [2] (âš°ï¸..âš±ï¸) coffin..funeral urn + {0x26B2, 0x26BC, prExtendedPictographic}, // E0.0 [11] (âš²..âš¼) NEUTER..SESQUIQUADRATE + {0x26BD, 0x26BE, prExtendedPictographic}, // E0.6 [2] (âš½..âš¾) soccer ball..baseball + {0x26BF, 0x26C3, prExtendedPictographic}, // E0.0 [5] (âš¿..⛃) SQUARED KEY..BLACK DRAUGHTS KING + {0x26C4, 0x26C5, prExtendedPictographic}, // E0.6 [2] (⛄..â›…) snowman without snow..sun behind cloud + {0x26C6, 0x26C7, prExtendedPictographic}, // E0.0 [2] (⛆..⛇) RAIN..BLACK SNOWMAN + {0x26C8, 0x26C8, prExtendedPictographic}, // E0.7 [1] (⛈ï¸) cloud with lightning and rain + {0x26C9, 0x26CD, prExtendedPictographic}, // E0.0 [5] (⛉..â›) TURNED WHITE SHOGI PIECE..DISABLED CAR + {0x26CE, 0x26CE, prExtendedPictographic}, // E0.6 [1] (⛎) Ophiuchus + {0x26CF, 0x26CF, prExtendedPictographic}, // E0.7 [1] (â›ï¸) pick + {0x26D0, 0x26D0, prExtendedPictographic}, // E0.0 [1] (â›) CAR SLIDING + {0x26D1, 0x26D1, prExtendedPictographic}, // E0.7 [1] (⛑ï¸) rescue worker’s helmet + {0x26D2, 0x26D2, prExtendedPictographic}, // E0.0 [1] (â›’) CIRCLED CROSSING LANES + {0x26D3, 0x26D3, prExtendedPictographic}, // E0.7 [1] (⛓ï¸) chains + {0x26D4, 0x26D4, prExtendedPictographic}, // E0.6 [1] (â›”) no entry + {0x26D5, 0x26E8, prExtendedPictographic}, // E0.0 [20] (⛕..⛨) ALTERNATE ONE-WAY LEFT WAY TRAFFIC..BLACK CROSS ON SHIELD + {0x26E9, 0x26E9, prExtendedPictographic}, // E0.7 [1] (⛩ï¸) shinto shrine + {0x26EA, 0x26EA, prExtendedPictographic}, // E0.6 [1] (⛪) church + {0x26EB, 0x26EF, prExtendedPictographic}, // E0.0 [5] (⛫..⛯) CASTLE..MAP SYMBOL FOR LIGHTHOUSE + {0x26F0, 0x26F1, prExtendedPictographic}, // E0.7 [2] (â›°ï¸..â›±ï¸) mountain..umbrella on ground + {0x26F2, 0x26F3, prExtendedPictographic}, // E0.6 [2] (⛲..⛳) fountain..flag in hole + {0x26F4, 0x26F4, prExtendedPictographic}, // E0.7 [1] (â›´ï¸) ferry + {0x26F5, 0x26F5, prExtendedPictographic}, // E0.6 [1] (⛵) sailboat + {0x26F6, 0x26F6, prExtendedPictographic}, // E0.0 [1] (⛶) SQUARE FOUR CORNERS + {0x26F7, 0x26F9, prExtendedPictographic}, // E0.7 [3] (â›·ï¸..⛹ï¸) skier..person bouncing ball + {0x26FA, 0x26FA, prExtendedPictographic}, // E0.6 [1] (⛺) tent + {0x26FB, 0x26FC, prExtendedPictographic}, // E0.0 [2] (â›»..⛼) JAPANESE BANK SYMBOL..HEADSTONE GRAVEYARD SYMBOL + {0x26FD, 0x26FD, prExtendedPictographic}, // E0.6 [1] (⛽) fuel pump + {0x26FE, 0x2701, prExtendedPictographic}, // E0.0 [4] (⛾..âœ) CUP ON BLACK SQUARE..UPPER BLADE SCISSORS + {0x2702, 0x2702, prExtendedPictographic}, // E0.6 [1] (✂ï¸) scissors + {0x2703, 0x2704, prExtendedPictographic}, // E0.0 [2] (✃..✄) LOWER BLADE SCISSORS..WHITE SCISSORS + {0x2705, 0x2705, prExtendedPictographic}, // E0.6 [1] (✅) check mark button + {0x2708, 0x270C, prExtendedPictographic}, // E0.6 [5] (✈ï¸..✌ï¸) airplane..victory hand + {0x270D, 0x270D, prExtendedPictographic}, // E0.7 [1] (âœï¸) writing hand + {0x270E, 0x270E, prExtendedPictographic}, // E0.0 [1] (✎) LOWER RIGHT PENCIL + {0x270F, 0x270F, prExtendedPictographic}, // E0.6 [1] (âœï¸) pencil + {0x2710, 0x2711, prExtendedPictographic}, // E0.0 [2] (âœ..✑) UPPER RIGHT PENCIL..WHITE NIB + {0x2712, 0x2712, prExtendedPictographic}, // E0.6 [1] (✒ï¸) black nib + {0x2714, 0x2714, prExtendedPictographic}, // E0.6 [1] (✔ï¸) check mark + {0x2716, 0x2716, prExtendedPictographic}, // E0.6 [1] (✖ï¸) multiply + {0x271D, 0x271D, prExtendedPictographic}, // E0.7 [1] (âœï¸) latin cross + {0x2721, 0x2721, prExtendedPictographic}, // E0.7 [1] (✡ï¸) star of David + {0x2728, 0x2728, prExtendedPictographic}, // E0.6 [1] (✨) sparkles + {0x2733, 0x2734, prExtendedPictographic}, // E0.6 [2] (✳ï¸..✴ï¸) eight-spoked asterisk..eight-pointed star + {0x2744, 0x2744, prExtendedPictographic}, // E0.6 [1] (â„ï¸) snowflake + {0x2747, 0x2747, prExtendedPictographic}, // E0.6 [1] (â‡ï¸) sparkle + {0x274C, 0x274C, prExtendedPictographic}, // E0.6 [1] (âŒ) cross mark + {0x274E, 0x274E, prExtendedPictographic}, // E0.6 [1] (âŽ) cross mark button + {0x2753, 0x2755, prExtendedPictographic}, // E0.6 [3] (â“..â•) red question mark..white exclamation mark + {0x2757, 0x2757, prExtendedPictographic}, // E0.6 [1] (â—) red exclamation mark + {0x2763, 0x2763, prExtendedPictographic}, // E1.0 [1] (â£ï¸) heart exclamation + {0x2764, 0x2764, prExtendedPictographic}, // E0.6 [1] (â¤ï¸) red heart + {0x2765, 0x2767, prExtendedPictographic}, // E0.0 [3] (â¥..â§) ROTATED HEAVY BLACK HEART BULLET..ROTATED FLORAL HEART BULLET + {0x2795, 0x2797, prExtendedPictographic}, // E0.6 [3] (âž•..âž—) plus..divide + {0x27A1, 0x27A1, prExtendedPictographic}, // E0.6 [1] (âž¡ï¸) right arrow + {0x27B0, 0x27B0, prExtendedPictographic}, // E0.6 [1] (âž°) curly loop + {0x27BF, 0x27BF, prExtendedPictographic}, // E1.0 [1] (âž¿) double curly loop + {0x2934, 0x2935, prExtendedPictographic}, // E0.6 [2] (⤴ï¸..⤵ï¸) right arrow curving up..right arrow curving down + {0x2B05, 0x2B07, prExtendedPictographic}, // E0.6 [3] (⬅ï¸..⬇ï¸) left arrow..down arrow + {0x2B1B, 0x2B1C, prExtendedPictographic}, // E0.6 [2] (⬛..⬜) black large square..white large square + {0x2B50, 0x2B50, prExtendedPictographic}, // E0.6 [1] (â­) star + {0x2B55, 0x2B55, prExtendedPictographic}, // E0.6 [1] (â­•) hollow red circle + {0x2C00, 0x2C7B, prALetter}, // L& [124] GLAGOLITIC CAPITAL LETTER AZU..LATIN LETTER SMALL CAPITAL TURNED E + {0x2C7C, 0x2C7D, prALetter}, // Lm [2] LATIN SUBSCRIPT SMALL LETTER J..MODIFIER LETTER CAPITAL V + {0x2C7E, 0x2CE4, prALetter}, // L& [103] LATIN CAPITAL LETTER S WITH SWASH TAIL..COPTIC SYMBOL KAI + {0x2CEB, 0x2CEE, prALetter}, // L& [4] COPTIC CAPITAL LETTER CRYPTOGRAMMIC SHEI..COPTIC SMALL LETTER CRYPTOGRAMMIC GANGIA + {0x2CEF, 0x2CF1, prExtend}, // Mn [3] COPTIC COMBINING NI ABOVE..COPTIC COMBINING SPIRITUS LENIS + {0x2CF2, 0x2CF3, prALetter}, // L& [2] COPTIC CAPITAL LETTER BOHAIRIC KHEI..COPTIC SMALL LETTER BOHAIRIC KHEI + {0x2D00, 0x2D25, prALetter}, // L& [38] GEORGIAN SMALL LETTER AN..GEORGIAN SMALL LETTER HOE + {0x2D27, 0x2D27, prALetter}, // L& GEORGIAN SMALL LETTER YN + {0x2D2D, 0x2D2D, prALetter}, // L& GEORGIAN SMALL LETTER AEN + {0x2D30, 0x2D67, prALetter}, // Lo [56] TIFINAGH LETTER YA..TIFINAGH LETTER YO + {0x2D6F, 0x2D6F, prALetter}, // Lm TIFINAGH MODIFIER LETTER LABIALIZATION MARK + {0x2D7F, 0x2D7F, prExtend}, // Mn TIFINAGH CONSONANT JOINER + {0x2D80, 0x2D96, prALetter}, // Lo [23] ETHIOPIC SYLLABLE LOA..ETHIOPIC SYLLABLE GGWE + {0x2DA0, 0x2DA6, prALetter}, // Lo [7] ETHIOPIC SYLLABLE SSA..ETHIOPIC SYLLABLE SSO + {0x2DA8, 0x2DAE, prALetter}, // Lo [7] ETHIOPIC SYLLABLE CCA..ETHIOPIC SYLLABLE CCO + {0x2DB0, 0x2DB6, prALetter}, // Lo [7] ETHIOPIC SYLLABLE ZZA..ETHIOPIC SYLLABLE ZZO + {0x2DB8, 0x2DBE, prALetter}, // Lo [7] ETHIOPIC SYLLABLE CCHA..ETHIOPIC SYLLABLE CCHO + {0x2DC0, 0x2DC6, prALetter}, // Lo [7] ETHIOPIC SYLLABLE QYA..ETHIOPIC SYLLABLE QYO + {0x2DC8, 0x2DCE, prALetter}, // Lo [7] ETHIOPIC SYLLABLE KYA..ETHIOPIC SYLLABLE KYO + {0x2DD0, 0x2DD6, prALetter}, // Lo [7] ETHIOPIC SYLLABLE XYA..ETHIOPIC SYLLABLE XYO + {0x2DD8, 0x2DDE, prALetter}, // Lo [7] ETHIOPIC SYLLABLE GYA..ETHIOPIC SYLLABLE GYO + {0x2DE0, 0x2DFF, prExtend}, // Mn [32] COMBINING CYRILLIC LETTER BE..COMBINING CYRILLIC LETTER IOTIFIED BIG YUS + {0x2E2F, 0x2E2F, prALetter}, // Lm VERTICAL TILDE + {0x3000, 0x3000, prWSegSpace}, // Zs IDEOGRAPHIC SPACE + {0x3005, 0x3005, prALetter}, // Lm IDEOGRAPHIC ITERATION MARK + {0x302A, 0x302D, prExtend}, // Mn [4] IDEOGRAPHIC LEVEL TONE MARK..IDEOGRAPHIC ENTERING TONE MARK + {0x302E, 0x302F, prExtend}, // Mc [2] HANGUL SINGLE DOT TONE MARK..HANGUL DOUBLE DOT TONE MARK + {0x3030, 0x3030, prExtendedPictographic}, // E0.6 [1] (〰ï¸) wavy dash + {0x3031, 0x3035, prKatakana}, // Lm [5] VERTICAL KANA REPEAT MARK..VERTICAL KANA REPEAT MARK LOWER HALF + {0x303B, 0x303B, prALetter}, // Lm VERTICAL IDEOGRAPHIC ITERATION MARK + {0x303C, 0x303C, prALetter}, // Lo MASU MARK + {0x303D, 0x303D, prExtendedPictographic}, // E0.6 [1] (〽ï¸) part alternation mark + {0x3099, 0x309A, prExtend}, // Mn [2] COMBINING KATAKANA-HIRAGANA VOICED SOUND MARK..COMBINING KATAKANA-HIRAGANA SEMI-VOICED SOUND MARK + {0x309B, 0x309C, prKatakana}, // Sk [2] KATAKANA-HIRAGANA VOICED SOUND MARK..KATAKANA-HIRAGANA SEMI-VOICED SOUND MARK + {0x30A0, 0x30A0, prKatakana}, // Pd KATAKANA-HIRAGANA DOUBLE HYPHEN + {0x30A1, 0x30FA, prKatakana}, // Lo [90] KATAKANA LETTER SMALL A..KATAKANA LETTER VO + {0x30FC, 0x30FE, prKatakana}, // Lm [3] KATAKANA-HIRAGANA PROLONGED SOUND MARK..KATAKANA VOICED ITERATION MARK + {0x30FF, 0x30FF, prKatakana}, // Lo KATAKANA DIGRAPH KOTO + {0x3105, 0x312F, prALetter}, // Lo [43] BOPOMOFO LETTER B..BOPOMOFO LETTER NN + {0x3131, 0x318E, prALetter}, // Lo [94] HANGUL LETTER KIYEOK..HANGUL LETTER ARAEAE + {0x31A0, 0x31BF, prALetter}, // Lo [32] BOPOMOFO LETTER BU..BOPOMOFO LETTER AH + {0x31F0, 0x31FF, prKatakana}, // Lo [16] KATAKANA LETTER SMALL KU..KATAKANA LETTER SMALL RO + {0x3297, 0x3297, prExtendedPictographic}, // E0.6 [1] (㊗ï¸) Japanese “congratulations†button + {0x3299, 0x3299, prExtendedPictographic}, // E0.6 [1] (㊙ï¸) Japanese “secret†button + {0x32D0, 0x32FE, prKatakana}, // So [47] CIRCLED KATAKANA A..CIRCLED KATAKANA WO + {0x3300, 0x3357, prKatakana}, // So [88] SQUARE APAATO..SQUARE WATTO + {0xA000, 0xA014, prALetter}, // Lo [21] YI SYLLABLE IT..YI SYLLABLE E + {0xA015, 0xA015, prALetter}, // Lm YI SYLLABLE WU + {0xA016, 0xA48C, prALetter}, // Lo [1143] YI SYLLABLE BIT..YI SYLLABLE YYR + {0xA4D0, 0xA4F7, prALetter}, // Lo [40] LISU LETTER BA..LISU LETTER OE + {0xA4F8, 0xA4FD, prALetter}, // Lm [6] LISU LETTER TONE MYA TI..LISU LETTER TONE MYA JEU + {0xA500, 0xA60B, prALetter}, // Lo [268] VAI SYLLABLE EE..VAI SYLLABLE NG + {0xA60C, 0xA60C, prALetter}, // Lm VAI SYLLABLE LENGTHENER + {0xA610, 0xA61F, prALetter}, // Lo [16] VAI SYLLABLE NDOLE FA..VAI SYMBOL JONG + {0xA620, 0xA629, prNumeric}, // Nd [10] VAI DIGIT ZERO..VAI DIGIT NINE + {0xA62A, 0xA62B, prALetter}, // Lo [2] VAI SYLLABLE NDOLE MA..VAI SYLLABLE NDOLE DO + {0xA640, 0xA66D, prALetter}, // L& [46] CYRILLIC CAPITAL LETTER ZEMLYA..CYRILLIC SMALL LETTER DOUBLE MONOCULAR O + {0xA66E, 0xA66E, prALetter}, // Lo CYRILLIC LETTER MULTIOCULAR O + {0xA66F, 0xA66F, prExtend}, // Mn COMBINING CYRILLIC VZMET + {0xA670, 0xA672, prExtend}, // Me [3] COMBINING CYRILLIC TEN MILLIONS SIGN..COMBINING CYRILLIC THOUSAND MILLIONS SIGN + {0xA674, 0xA67D, prExtend}, // Mn [10] COMBINING CYRILLIC LETTER UKRAINIAN IE..COMBINING CYRILLIC PAYEROK + {0xA67F, 0xA67F, prALetter}, // Lm CYRILLIC PAYEROK + {0xA680, 0xA69B, prALetter}, // L& [28] CYRILLIC CAPITAL LETTER DWE..CYRILLIC SMALL LETTER CROSSED O + {0xA69C, 0xA69D, prALetter}, // Lm [2] MODIFIER LETTER CYRILLIC HARD SIGN..MODIFIER LETTER CYRILLIC SOFT SIGN + {0xA69E, 0xA69F, prExtend}, // Mn [2] COMBINING CYRILLIC LETTER EF..COMBINING CYRILLIC LETTER IOTIFIED E + {0xA6A0, 0xA6E5, prALetter}, // Lo [70] BAMUM LETTER A..BAMUM LETTER KI + {0xA6E6, 0xA6EF, prALetter}, // Nl [10] BAMUM LETTER MO..BAMUM LETTER KOGHOM + {0xA6F0, 0xA6F1, prExtend}, // Mn [2] BAMUM COMBINING MARK KOQNDON..BAMUM COMBINING MARK TUKWENTIS + {0xA708, 0xA716, prALetter}, // Sk [15] MODIFIER LETTER EXTRA-HIGH DOTTED TONE BAR..MODIFIER LETTER EXTRA-LOW LEFT-STEM TONE BAR + {0xA717, 0xA71F, prALetter}, // Lm [9] MODIFIER LETTER DOT VERTICAL BAR..MODIFIER LETTER LOW INVERTED EXCLAMATION MARK + {0xA720, 0xA721, prALetter}, // Sk [2] MODIFIER LETTER STRESS AND HIGH TONE..MODIFIER LETTER STRESS AND LOW TONE + {0xA722, 0xA76F, prALetter}, // L& [78] LATIN CAPITAL LETTER EGYPTOLOGICAL ALEF..LATIN SMALL LETTER CON + {0xA770, 0xA770, prALetter}, // Lm MODIFIER LETTER US + {0xA771, 0xA787, prALetter}, // L& [23] LATIN SMALL LETTER DUM..LATIN SMALL LETTER INSULAR T + {0xA788, 0xA788, prALetter}, // Lm MODIFIER LETTER LOW CIRCUMFLEX ACCENT + {0xA789, 0xA78A, prALetter}, // Sk [2] MODIFIER LETTER COLON..MODIFIER LETTER SHORT EQUALS SIGN + {0xA78B, 0xA78E, prALetter}, // L& [4] LATIN CAPITAL LETTER SALTILLO..LATIN SMALL LETTER L WITH RETROFLEX HOOK AND BELT + {0xA78F, 0xA78F, prALetter}, // Lo LATIN LETTER SINOLOGICAL DOT + {0xA790, 0xA7CA, prALetter}, // L& [59] LATIN CAPITAL LETTER N WITH DESCENDER..LATIN SMALL LETTER S WITH SHORT STROKE OVERLAY + {0xA7D0, 0xA7D1, prALetter}, // L& [2] LATIN CAPITAL LETTER CLOSED INSULAR G..LATIN SMALL LETTER CLOSED INSULAR G + {0xA7D3, 0xA7D3, prALetter}, // L& LATIN SMALL LETTER DOUBLE THORN + {0xA7D5, 0xA7D9, prALetter}, // L& [5] LATIN SMALL LETTER DOUBLE WYNN..LATIN SMALL LETTER SIGMOID S + {0xA7F2, 0xA7F4, prALetter}, // Lm [3] MODIFIER LETTER CAPITAL C..MODIFIER LETTER CAPITAL Q + {0xA7F5, 0xA7F6, prALetter}, // L& [2] LATIN CAPITAL LETTER REVERSED HALF H..LATIN SMALL LETTER REVERSED HALF H + {0xA7F7, 0xA7F7, prALetter}, // Lo LATIN EPIGRAPHIC LETTER SIDEWAYS I + {0xA7F8, 0xA7F9, prALetter}, // Lm [2] MODIFIER LETTER CAPITAL H WITH STROKE..MODIFIER LETTER SMALL LIGATURE OE + {0xA7FA, 0xA7FA, prALetter}, // L& LATIN LETTER SMALL CAPITAL TURNED M + {0xA7FB, 0xA801, prALetter}, // Lo [7] LATIN EPIGRAPHIC LETTER REVERSED F..SYLOTI NAGRI LETTER I + {0xA802, 0xA802, prExtend}, // Mn SYLOTI NAGRI SIGN DVISVARA + {0xA803, 0xA805, prALetter}, // Lo [3] SYLOTI NAGRI LETTER U..SYLOTI NAGRI LETTER O + {0xA806, 0xA806, prExtend}, // Mn SYLOTI NAGRI SIGN HASANTA + {0xA807, 0xA80A, prALetter}, // Lo [4] SYLOTI NAGRI LETTER KO..SYLOTI NAGRI LETTER GHO + {0xA80B, 0xA80B, prExtend}, // Mn SYLOTI NAGRI SIGN ANUSVARA + {0xA80C, 0xA822, prALetter}, // Lo [23] SYLOTI NAGRI LETTER CO..SYLOTI NAGRI LETTER HO + {0xA823, 0xA824, prExtend}, // Mc [2] SYLOTI NAGRI VOWEL SIGN A..SYLOTI NAGRI VOWEL SIGN I + {0xA825, 0xA826, prExtend}, // Mn [2] SYLOTI NAGRI VOWEL SIGN U..SYLOTI NAGRI VOWEL SIGN E + {0xA827, 0xA827, prExtend}, // Mc SYLOTI NAGRI VOWEL SIGN OO + {0xA82C, 0xA82C, prExtend}, // Mn SYLOTI NAGRI SIGN ALTERNATE HASANTA + {0xA840, 0xA873, prALetter}, // Lo [52] PHAGS-PA LETTER KA..PHAGS-PA LETTER CANDRABINDU + {0xA880, 0xA881, prExtend}, // Mc [2] SAURASHTRA SIGN ANUSVARA..SAURASHTRA SIGN VISARGA + {0xA882, 0xA8B3, prALetter}, // Lo [50] SAURASHTRA LETTER A..SAURASHTRA LETTER LLA + {0xA8B4, 0xA8C3, prExtend}, // Mc [16] SAURASHTRA CONSONANT SIGN HAARU..SAURASHTRA VOWEL SIGN AU + {0xA8C4, 0xA8C5, prExtend}, // Mn [2] SAURASHTRA SIGN VIRAMA..SAURASHTRA SIGN CANDRABINDU + {0xA8D0, 0xA8D9, prNumeric}, // Nd [10] SAURASHTRA DIGIT ZERO..SAURASHTRA DIGIT NINE + {0xA8E0, 0xA8F1, prExtend}, // Mn [18] COMBINING DEVANAGARI DIGIT ZERO..COMBINING DEVANAGARI SIGN AVAGRAHA + {0xA8F2, 0xA8F7, prALetter}, // Lo [6] DEVANAGARI SIGN SPACING CANDRABINDU..DEVANAGARI SIGN CANDRABINDU AVAGRAHA + {0xA8FB, 0xA8FB, prALetter}, // Lo DEVANAGARI HEADSTROKE + {0xA8FD, 0xA8FE, prALetter}, // Lo [2] DEVANAGARI JAIN OM..DEVANAGARI LETTER AY + {0xA8FF, 0xA8FF, prExtend}, // Mn DEVANAGARI VOWEL SIGN AY + {0xA900, 0xA909, prNumeric}, // Nd [10] KAYAH LI DIGIT ZERO..KAYAH LI DIGIT NINE + {0xA90A, 0xA925, prALetter}, // Lo [28] KAYAH LI LETTER KA..KAYAH LI LETTER OO + {0xA926, 0xA92D, prExtend}, // Mn [8] KAYAH LI VOWEL UE..KAYAH LI TONE CALYA PLOPHU + {0xA930, 0xA946, prALetter}, // Lo [23] REJANG LETTER KA..REJANG LETTER A + {0xA947, 0xA951, prExtend}, // Mn [11] REJANG VOWEL SIGN I..REJANG CONSONANT SIGN R + {0xA952, 0xA953, prExtend}, // Mc [2] REJANG CONSONANT SIGN H..REJANG VIRAMA + {0xA960, 0xA97C, prALetter}, // Lo [29] HANGUL CHOSEONG TIKEUT-MIEUM..HANGUL CHOSEONG SSANGYEORINHIEUH + {0xA980, 0xA982, prExtend}, // Mn [3] JAVANESE SIGN PANYANGGA..JAVANESE SIGN LAYAR + {0xA983, 0xA983, prExtend}, // Mc JAVANESE SIGN WIGNYAN + {0xA984, 0xA9B2, prALetter}, // Lo [47] JAVANESE LETTER A..JAVANESE LETTER HA + {0xA9B3, 0xA9B3, prExtend}, // Mn JAVANESE SIGN CECAK TELU + {0xA9B4, 0xA9B5, prExtend}, // Mc [2] JAVANESE VOWEL SIGN TARUNG..JAVANESE VOWEL SIGN TOLONG + {0xA9B6, 0xA9B9, prExtend}, // Mn [4] JAVANESE VOWEL SIGN WULU..JAVANESE VOWEL SIGN SUKU MENDUT + {0xA9BA, 0xA9BB, prExtend}, // Mc [2] JAVANESE VOWEL SIGN TALING..JAVANESE VOWEL SIGN DIRGA MURE + {0xA9BC, 0xA9BD, prExtend}, // Mn [2] JAVANESE VOWEL SIGN PEPET..JAVANESE CONSONANT SIGN KERET + {0xA9BE, 0xA9C0, prExtend}, // Mc [3] JAVANESE CONSONANT SIGN PENGKAL..JAVANESE PANGKON + {0xA9CF, 0xA9CF, prALetter}, // Lm JAVANESE PANGRANGKEP + {0xA9D0, 0xA9D9, prNumeric}, // Nd [10] JAVANESE DIGIT ZERO..JAVANESE DIGIT NINE + {0xA9E5, 0xA9E5, prExtend}, // Mn MYANMAR SIGN SHAN SAW + {0xA9F0, 0xA9F9, prNumeric}, // Nd [10] MYANMAR TAI LAING DIGIT ZERO..MYANMAR TAI LAING DIGIT NINE + {0xAA00, 0xAA28, prALetter}, // Lo [41] CHAM LETTER A..CHAM LETTER HA + {0xAA29, 0xAA2E, prExtend}, // Mn [6] CHAM VOWEL SIGN AA..CHAM VOWEL SIGN OE + {0xAA2F, 0xAA30, prExtend}, // Mc [2] CHAM VOWEL SIGN O..CHAM VOWEL SIGN AI + {0xAA31, 0xAA32, prExtend}, // Mn [2] CHAM VOWEL SIGN AU..CHAM VOWEL SIGN UE + {0xAA33, 0xAA34, prExtend}, // Mc [2] CHAM CONSONANT SIGN YA..CHAM CONSONANT SIGN RA + {0xAA35, 0xAA36, prExtend}, // Mn [2] CHAM CONSONANT SIGN LA..CHAM CONSONANT SIGN WA + {0xAA40, 0xAA42, prALetter}, // Lo [3] CHAM LETTER FINAL K..CHAM LETTER FINAL NG + {0xAA43, 0xAA43, prExtend}, // Mn CHAM CONSONANT SIGN FINAL NG + {0xAA44, 0xAA4B, prALetter}, // Lo [8] CHAM LETTER FINAL CH..CHAM LETTER FINAL SS + {0xAA4C, 0xAA4C, prExtend}, // Mn CHAM CONSONANT SIGN FINAL M + {0xAA4D, 0xAA4D, prExtend}, // Mc CHAM CONSONANT SIGN FINAL H + {0xAA50, 0xAA59, prNumeric}, // Nd [10] CHAM DIGIT ZERO..CHAM DIGIT NINE + {0xAA7B, 0xAA7B, prExtend}, // Mc MYANMAR SIGN PAO KAREN TONE + {0xAA7C, 0xAA7C, prExtend}, // Mn MYANMAR SIGN TAI LAING TONE-2 + {0xAA7D, 0xAA7D, prExtend}, // Mc MYANMAR SIGN TAI LAING TONE-5 + {0xAAB0, 0xAAB0, prExtend}, // Mn TAI VIET MAI KANG + {0xAAB2, 0xAAB4, prExtend}, // Mn [3] TAI VIET VOWEL I..TAI VIET VOWEL U + {0xAAB7, 0xAAB8, prExtend}, // Mn [2] TAI VIET MAI KHIT..TAI VIET VOWEL IA + {0xAABE, 0xAABF, prExtend}, // Mn [2] TAI VIET VOWEL AM..TAI VIET TONE MAI EK + {0xAAC1, 0xAAC1, prExtend}, // Mn TAI VIET TONE MAI THO + {0xAAE0, 0xAAEA, prALetter}, // Lo [11] MEETEI MAYEK LETTER E..MEETEI MAYEK LETTER SSA + {0xAAEB, 0xAAEB, prExtend}, // Mc MEETEI MAYEK VOWEL SIGN II + {0xAAEC, 0xAAED, prExtend}, // Mn [2] MEETEI MAYEK VOWEL SIGN UU..MEETEI MAYEK VOWEL SIGN AAI + {0xAAEE, 0xAAEF, prExtend}, // Mc [2] MEETEI MAYEK VOWEL SIGN AU..MEETEI MAYEK VOWEL SIGN AAU + {0xAAF2, 0xAAF2, prALetter}, // Lo MEETEI MAYEK ANJI + {0xAAF3, 0xAAF4, prALetter}, // Lm [2] MEETEI MAYEK SYLLABLE REPETITION MARK..MEETEI MAYEK WORD REPETITION MARK + {0xAAF5, 0xAAF5, prExtend}, // Mc MEETEI MAYEK VOWEL SIGN VISARGA + {0xAAF6, 0xAAF6, prExtend}, // Mn MEETEI MAYEK VIRAMA + {0xAB01, 0xAB06, prALetter}, // Lo [6] ETHIOPIC SYLLABLE TTHU..ETHIOPIC SYLLABLE TTHO + {0xAB09, 0xAB0E, prALetter}, // Lo [6] ETHIOPIC SYLLABLE DDHU..ETHIOPIC SYLLABLE DDHO + {0xAB11, 0xAB16, prALetter}, // Lo [6] ETHIOPIC SYLLABLE DZU..ETHIOPIC SYLLABLE DZO + {0xAB20, 0xAB26, prALetter}, // Lo [7] ETHIOPIC SYLLABLE CCHHA..ETHIOPIC SYLLABLE CCHHO + {0xAB28, 0xAB2E, prALetter}, // Lo [7] ETHIOPIC SYLLABLE BBA..ETHIOPIC SYLLABLE BBO + {0xAB30, 0xAB5A, prALetter}, // L& [43] LATIN SMALL LETTER BARRED ALPHA..LATIN SMALL LETTER Y WITH SHORT RIGHT LEG + {0xAB5B, 0xAB5B, prALetter}, // Sk MODIFIER BREVE WITH INVERTED BREVE + {0xAB5C, 0xAB5F, prALetter}, // Lm [4] MODIFIER LETTER SMALL HENG..MODIFIER LETTER SMALL U WITH LEFT HOOK + {0xAB60, 0xAB68, prALetter}, // L& [9] LATIN SMALL LETTER SAKHA YAT..LATIN SMALL LETTER TURNED R WITH MIDDLE TILDE + {0xAB69, 0xAB69, prALetter}, // Lm MODIFIER LETTER SMALL TURNED W + {0xAB70, 0xABBF, prALetter}, // L& [80] CHEROKEE SMALL LETTER A..CHEROKEE SMALL LETTER YA + {0xABC0, 0xABE2, prALetter}, // Lo [35] MEETEI MAYEK LETTER KOK..MEETEI MAYEK LETTER I LONSUM + {0xABE3, 0xABE4, prExtend}, // Mc [2] MEETEI MAYEK VOWEL SIGN ONAP..MEETEI MAYEK VOWEL SIGN INAP + {0xABE5, 0xABE5, prExtend}, // Mn MEETEI MAYEK VOWEL SIGN ANAP + {0xABE6, 0xABE7, prExtend}, // Mc [2] MEETEI MAYEK VOWEL SIGN YENAP..MEETEI MAYEK VOWEL SIGN SOUNAP + {0xABE8, 0xABE8, prExtend}, // Mn MEETEI MAYEK VOWEL SIGN UNAP + {0xABE9, 0xABEA, prExtend}, // Mc [2] MEETEI MAYEK VOWEL SIGN CHEINAP..MEETEI MAYEK VOWEL SIGN NUNG + {0xABEC, 0xABEC, prExtend}, // Mc MEETEI MAYEK LUM IYEK + {0xABED, 0xABED, prExtend}, // Mn MEETEI MAYEK APUN IYEK + {0xABF0, 0xABF9, prNumeric}, // Nd [10] MEETEI MAYEK DIGIT ZERO..MEETEI MAYEK DIGIT NINE + {0xAC00, 0xD7A3, prALetter}, // Lo [11172] HANGUL SYLLABLE GA..HANGUL SYLLABLE HIH + {0xD7B0, 0xD7C6, prALetter}, // Lo [23] HANGUL JUNGSEONG O-YEO..HANGUL JUNGSEONG ARAEA-E + {0xD7CB, 0xD7FB, prALetter}, // Lo [49] HANGUL JONGSEONG NIEUN-RIEUL..HANGUL JONGSEONG PHIEUPH-THIEUTH + {0xFB00, 0xFB06, prALetter}, // L& [7] LATIN SMALL LIGATURE FF..LATIN SMALL LIGATURE ST + {0xFB13, 0xFB17, prALetter}, // L& [5] ARMENIAN SMALL LIGATURE MEN NOW..ARMENIAN SMALL LIGATURE MEN XEH + {0xFB1D, 0xFB1D, prHebrewLetter}, // Lo HEBREW LETTER YOD WITH HIRIQ + {0xFB1E, 0xFB1E, prExtend}, // Mn HEBREW POINT JUDEO-SPANISH VARIKA + {0xFB1F, 0xFB28, prHebrewLetter}, // Lo [10] HEBREW LIGATURE YIDDISH YOD YOD PATAH..HEBREW LETTER WIDE TAV + {0xFB2A, 0xFB36, prHebrewLetter}, // Lo [13] HEBREW LETTER SHIN WITH SHIN DOT..HEBREW LETTER ZAYIN WITH DAGESH + {0xFB38, 0xFB3C, prHebrewLetter}, // Lo [5] HEBREW LETTER TET WITH DAGESH..HEBREW LETTER LAMED WITH DAGESH + {0xFB3E, 0xFB3E, prHebrewLetter}, // Lo HEBREW LETTER MEM WITH DAGESH + {0xFB40, 0xFB41, prHebrewLetter}, // Lo [2] HEBREW LETTER NUN WITH DAGESH..HEBREW LETTER SAMEKH WITH DAGESH + {0xFB43, 0xFB44, prHebrewLetter}, // Lo [2] HEBREW LETTER FINAL PE WITH DAGESH..HEBREW LETTER PE WITH DAGESH + {0xFB46, 0xFB4F, prHebrewLetter}, // Lo [10] HEBREW LETTER TSADI WITH DAGESH..HEBREW LIGATURE ALEF LAMED + {0xFB50, 0xFBB1, prALetter}, // Lo [98] ARABIC LETTER ALEF WASLA ISOLATED FORM..ARABIC LETTER YEH BARREE WITH HAMZA ABOVE FINAL FORM + {0xFBD3, 0xFD3D, prALetter}, // Lo [363] ARABIC LETTER NG ISOLATED FORM..ARABIC LIGATURE ALEF WITH FATHATAN ISOLATED FORM + {0xFD50, 0xFD8F, prALetter}, // Lo [64] ARABIC LIGATURE TEH WITH JEEM WITH MEEM INITIAL FORM..ARABIC LIGATURE MEEM WITH KHAH WITH MEEM INITIAL FORM + {0xFD92, 0xFDC7, prALetter}, // Lo [54] ARABIC LIGATURE MEEM WITH JEEM WITH KHAH INITIAL FORM..ARABIC LIGATURE NOON WITH JEEM WITH YEH FINAL FORM + {0xFDF0, 0xFDFB, prALetter}, // Lo [12] ARABIC LIGATURE SALLA USED AS KORANIC STOP SIGN ISOLATED FORM..ARABIC LIGATURE JALLAJALALOUHOU + {0xFE00, 0xFE0F, prExtend}, // Mn [16] VARIATION SELECTOR-1..VARIATION SELECTOR-16 + {0xFE10, 0xFE10, prMidNum}, // Po PRESENTATION FORM FOR VERTICAL COMMA + {0xFE13, 0xFE13, prMidLetter}, // Po PRESENTATION FORM FOR VERTICAL COLON + {0xFE14, 0xFE14, prMidNum}, // Po PRESENTATION FORM FOR VERTICAL SEMICOLON + {0xFE20, 0xFE2F, prExtend}, // Mn [16] COMBINING LIGATURE LEFT HALF..COMBINING CYRILLIC TITLO RIGHT HALF + {0xFE33, 0xFE34, prExtendNumLet}, // Pc [2] PRESENTATION FORM FOR VERTICAL LOW LINE..PRESENTATION FORM FOR VERTICAL WAVY LOW LINE + {0xFE4D, 0xFE4F, prExtendNumLet}, // Pc [3] DASHED LOW LINE..WAVY LOW LINE + {0xFE50, 0xFE50, prMidNum}, // Po SMALL COMMA + {0xFE52, 0xFE52, prMidNumLet}, // Po SMALL FULL STOP + {0xFE54, 0xFE54, prMidNum}, // Po SMALL SEMICOLON + {0xFE55, 0xFE55, prMidLetter}, // Po SMALL COLON + {0xFE70, 0xFE74, prALetter}, // Lo [5] ARABIC FATHATAN ISOLATED FORM..ARABIC KASRATAN ISOLATED FORM + {0xFE76, 0xFEFC, prALetter}, // Lo [135] ARABIC FATHA ISOLATED FORM..ARABIC LIGATURE LAM WITH ALEF FINAL FORM + {0xFEFF, 0xFEFF, prFormat}, // Cf ZERO WIDTH NO-BREAK SPACE + {0xFF07, 0xFF07, prMidNumLet}, // Po FULLWIDTH APOSTROPHE + {0xFF0C, 0xFF0C, prMidNum}, // Po FULLWIDTH COMMA + {0xFF0E, 0xFF0E, prMidNumLet}, // Po FULLWIDTH FULL STOP + {0xFF10, 0xFF19, prNumeric}, // Nd [10] FULLWIDTH DIGIT ZERO..FULLWIDTH DIGIT NINE + {0xFF1A, 0xFF1A, prMidLetter}, // Po FULLWIDTH COLON + {0xFF1B, 0xFF1B, prMidNum}, // Po FULLWIDTH SEMICOLON + {0xFF21, 0xFF3A, prALetter}, // L& [26] FULLWIDTH LATIN CAPITAL LETTER A..FULLWIDTH LATIN CAPITAL LETTER Z + {0xFF3F, 0xFF3F, prExtendNumLet}, // Pc FULLWIDTH LOW LINE + {0xFF41, 0xFF5A, prALetter}, // L& [26] FULLWIDTH LATIN SMALL LETTER A..FULLWIDTH LATIN SMALL LETTER Z + {0xFF66, 0xFF6F, prKatakana}, // Lo [10] HALFWIDTH KATAKANA LETTER WO..HALFWIDTH KATAKANA LETTER SMALL TU + {0xFF70, 0xFF70, prKatakana}, // Lm HALFWIDTH KATAKANA-HIRAGANA PROLONGED SOUND MARK + {0xFF71, 0xFF9D, prKatakana}, // Lo [45] HALFWIDTH KATAKANA LETTER A..HALFWIDTH KATAKANA LETTER N + {0xFF9E, 0xFF9F, prExtend}, // Lm [2] HALFWIDTH KATAKANA VOICED SOUND MARK..HALFWIDTH KATAKANA SEMI-VOICED SOUND MARK + {0xFFA0, 0xFFBE, prALetter}, // Lo [31] HALFWIDTH HANGUL FILLER..HALFWIDTH HANGUL LETTER HIEUH + {0xFFC2, 0xFFC7, prALetter}, // Lo [6] HALFWIDTH HANGUL LETTER A..HALFWIDTH HANGUL LETTER E + {0xFFCA, 0xFFCF, prALetter}, // Lo [6] HALFWIDTH HANGUL LETTER YEO..HALFWIDTH HANGUL LETTER OE + {0xFFD2, 0xFFD7, prALetter}, // Lo [6] HALFWIDTH HANGUL LETTER YO..HALFWIDTH HANGUL LETTER YU + {0xFFDA, 0xFFDC, prALetter}, // Lo [3] HALFWIDTH HANGUL LETTER EU..HALFWIDTH HANGUL LETTER I + {0xFFF9, 0xFFFB, prFormat}, // Cf [3] INTERLINEAR ANNOTATION ANCHOR..INTERLINEAR ANNOTATION TERMINATOR + {0x10000, 0x1000B, prALetter}, // Lo [12] LINEAR B SYLLABLE B008 A..LINEAR B SYLLABLE B046 JE + {0x1000D, 0x10026, prALetter}, // Lo [26] LINEAR B SYLLABLE B036 JO..LINEAR B SYLLABLE B032 QO + {0x10028, 0x1003A, prALetter}, // Lo [19] LINEAR B SYLLABLE B060 RA..LINEAR B SYLLABLE B042 WO + {0x1003C, 0x1003D, prALetter}, // Lo [2] LINEAR B SYLLABLE B017 ZA..LINEAR B SYLLABLE B074 ZE + {0x1003F, 0x1004D, prALetter}, // Lo [15] LINEAR B SYLLABLE B020 ZO..LINEAR B SYLLABLE B091 TWO + {0x10050, 0x1005D, prALetter}, // Lo [14] LINEAR B SYMBOL B018..LINEAR B SYMBOL B089 + {0x10080, 0x100FA, prALetter}, // Lo [123] LINEAR B IDEOGRAM B100 MAN..LINEAR B IDEOGRAM VESSEL B305 + {0x10140, 0x10174, prALetter}, // Nl [53] GREEK ACROPHONIC ATTIC ONE QUARTER..GREEK ACROPHONIC STRATIAN FIFTY MNAS + {0x101FD, 0x101FD, prExtend}, // Mn PHAISTOS DISC SIGN COMBINING OBLIQUE STROKE + {0x10280, 0x1029C, prALetter}, // Lo [29] LYCIAN LETTER A..LYCIAN LETTER X + {0x102A0, 0x102D0, prALetter}, // Lo [49] CARIAN LETTER A..CARIAN LETTER UUU3 + {0x102E0, 0x102E0, prExtend}, // Mn COPTIC EPACT THOUSANDS MARK + {0x10300, 0x1031F, prALetter}, // Lo [32] OLD ITALIC LETTER A..OLD ITALIC LETTER ESS + {0x1032D, 0x10340, prALetter}, // Lo [20] OLD ITALIC LETTER YE..GOTHIC LETTER PAIRTHRA + {0x10341, 0x10341, prALetter}, // Nl GOTHIC LETTER NINETY + {0x10342, 0x10349, prALetter}, // Lo [8] GOTHIC LETTER RAIDA..GOTHIC LETTER OTHAL + {0x1034A, 0x1034A, prALetter}, // Nl GOTHIC LETTER NINE HUNDRED + {0x10350, 0x10375, prALetter}, // Lo [38] OLD PERMIC LETTER AN..OLD PERMIC LETTER IA + {0x10376, 0x1037A, prExtend}, // Mn [5] COMBINING OLD PERMIC LETTER AN..COMBINING OLD PERMIC LETTER SII + {0x10380, 0x1039D, prALetter}, // Lo [30] UGARITIC LETTER ALPA..UGARITIC LETTER SSU + {0x103A0, 0x103C3, prALetter}, // Lo [36] OLD PERSIAN SIGN A..OLD PERSIAN SIGN HA + {0x103C8, 0x103CF, prALetter}, // Lo [8] OLD PERSIAN SIGN AURAMAZDAA..OLD PERSIAN SIGN BUUMISH + {0x103D1, 0x103D5, prALetter}, // Nl [5] OLD PERSIAN NUMBER ONE..OLD PERSIAN NUMBER HUNDRED + {0x10400, 0x1044F, prALetter}, // L& [80] DESERET CAPITAL LETTER LONG I..DESERET SMALL LETTER EW + {0x10450, 0x1049D, prALetter}, // Lo [78] SHAVIAN LETTER PEEP..OSMANYA LETTER OO + {0x104A0, 0x104A9, prNumeric}, // Nd [10] OSMANYA DIGIT ZERO..OSMANYA DIGIT NINE + {0x104B0, 0x104D3, prALetter}, // L& [36] OSAGE CAPITAL LETTER A..OSAGE CAPITAL LETTER ZHA + {0x104D8, 0x104FB, prALetter}, // L& [36] OSAGE SMALL LETTER A..OSAGE SMALL LETTER ZHA + {0x10500, 0x10527, prALetter}, // Lo [40] ELBASAN LETTER A..ELBASAN LETTER KHE + {0x10530, 0x10563, prALetter}, // Lo [52] CAUCASIAN ALBANIAN LETTER ALT..CAUCASIAN ALBANIAN LETTER KIW + {0x10570, 0x1057A, prALetter}, // L& [11] VITHKUQI CAPITAL LETTER A..VITHKUQI CAPITAL LETTER GA + {0x1057C, 0x1058A, prALetter}, // L& [15] VITHKUQI CAPITAL LETTER HA..VITHKUQI CAPITAL LETTER RE + {0x1058C, 0x10592, prALetter}, // L& [7] VITHKUQI CAPITAL LETTER SE..VITHKUQI CAPITAL LETTER XE + {0x10594, 0x10595, prALetter}, // L& [2] VITHKUQI CAPITAL LETTER Y..VITHKUQI CAPITAL LETTER ZE + {0x10597, 0x105A1, prALetter}, // L& [11] VITHKUQI SMALL LETTER A..VITHKUQI SMALL LETTER GA + {0x105A3, 0x105B1, prALetter}, // L& [15] VITHKUQI SMALL LETTER HA..VITHKUQI SMALL LETTER RE + {0x105B3, 0x105B9, prALetter}, // L& [7] VITHKUQI SMALL LETTER SE..VITHKUQI SMALL LETTER XE + {0x105BB, 0x105BC, prALetter}, // L& [2] VITHKUQI SMALL LETTER Y..VITHKUQI SMALL LETTER ZE + {0x10600, 0x10736, prALetter}, // Lo [311] LINEAR A SIGN AB001..LINEAR A SIGN A664 + {0x10740, 0x10755, prALetter}, // Lo [22] LINEAR A SIGN A701 A..LINEAR A SIGN A732 JE + {0x10760, 0x10767, prALetter}, // Lo [8] LINEAR A SIGN A800..LINEAR A SIGN A807 + {0x10780, 0x10785, prALetter}, // Lm [6] MODIFIER LETTER SMALL CAPITAL AA..MODIFIER LETTER SMALL B WITH HOOK + {0x10787, 0x107B0, prALetter}, // Lm [42] MODIFIER LETTER SMALL DZ DIGRAPH..MODIFIER LETTER SMALL V WITH RIGHT HOOK + {0x107B2, 0x107BA, prALetter}, // Lm [9] MODIFIER LETTER SMALL CAPITAL Y..MODIFIER LETTER SMALL S WITH CURL + {0x10800, 0x10805, prALetter}, // Lo [6] CYPRIOT SYLLABLE A..CYPRIOT SYLLABLE JA + {0x10808, 0x10808, prALetter}, // Lo CYPRIOT SYLLABLE JO + {0x1080A, 0x10835, prALetter}, // Lo [44] CYPRIOT SYLLABLE KA..CYPRIOT SYLLABLE WO + {0x10837, 0x10838, prALetter}, // Lo [2] CYPRIOT SYLLABLE XA..CYPRIOT SYLLABLE XE + {0x1083C, 0x1083C, prALetter}, // Lo CYPRIOT SYLLABLE ZA + {0x1083F, 0x10855, prALetter}, // Lo [23] CYPRIOT SYLLABLE ZO..IMPERIAL ARAMAIC LETTER TAW + {0x10860, 0x10876, prALetter}, // Lo [23] PALMYRENE LETTER ALEPH..PALMYRENE LETTER TAW + {0x10880, 0x1089E, prALetter}, // Lo [31] NABATAEAN LETTER FINAL ALEPH..NABATAEAN LETTER TAW + {0x108E0, 0x108F2, prALetter}, // Lo [19] HATRAN LETTER ALEPH..HATRAN LETTER QOPH + {0x108F4, 0x108F5, prALetter}, // Lo [2] HATRAN LETTER SHIN..HATRAN LETTER TAW + {0x10900, 0x10915, prALetter}, // Lo [22] PHOENICIAN LETTER ALF..PHOENICIAN LETTER TAU + {0x10920, 0x10939, prALetter}, // Lo [26] LYDIAN LETTER A..LYDIAN LETTER C + {0x10980, 0x109B7, prALetter}, // Lo [56] MEROITIC HIEROGLYPHIC LETTER A..MEROITIC CURSIVE LETTER DA + {0x109BE, 0x109BF, prALetter}, // Lo [2] MEROITIC CURSIVE LOGOGRAM RMT..MEROITIC CURSIVE LOGOGRAM IMN + {0x10A00, 0x10A00, prALetter}, // Lo KHAROSHTHI LETTER A + {0x10A01, 0x10A03, prExtend}, // Mn [3] KHAROSHTHI VOWEL SIGN I..KHAROSHTHI VOWEL SIGN VOCALIC R + {0x10A05, 0x10A06, prExtend}, // Mn [2] KHAROSHTHI VOWEL SIGN E..KHAROSHTHI VOWEL SIGN O + {0x10A0C, 0x10A0F, prExtend}, // Mn [4] KHAROSHTHI VOWEL LENGTH MARK..KHAROSHTHI SIGN VISARGA + {0x10A10, 0x10A13, prALetter}, // Lo [4] KHAROSHTHI LETTER KA..KHAROSHTHI LETTER GHA + {0x10A15, 0x10A17, prALetter}, // Lo [3] KHAROSHTHI LETTER CA..KHAROSHTHI LETTER JA + {0x10A19, 0x10A35, prALetter}, // Lo [29] KHAROSHTHI LETTER NYA..KHAROSHTHI LETTER VHA + {0x10A38, 0x10A3A, prExtend}, // Mn [3] KHAROSHTHI SIGN BAR ABOVE..KHAROSHTHI SIGN DOT BELOW + {0x10A3F, 0x10A3F, prExtend}, // Mn KHAROSHTHI VIRAMA + {0x10A60, 0x10A7C, prALetter}, // Lo [29] OLD SOUTH ARABIAN LETTER HE..OLD SOUTH ARABIAN LETTER THETH + {0x10A80, 0x10A9C, prALetter}, // Lo [29] OLD NORTH ARABIAN LETTER HEH..OLD NORTH ARABIAN LETTER ZAH + {0x10AC0, 0x10AC7, prALetter}, // Lo [8] MANICHAEAN LETTER ALEPH..MANICHAEAN LETTER WAW + {0x10AC9, 0x10AE4, prALetter}, // Lo [28] MANICHAEAN LETTER ZAYIN..MANICHAEAN LETTER TAW + {0x10AE5, 0x10AE6, prExtend}, // Mn [2] MANICHAEAN ABBREVIATION MARK ABOVE..MANICHAEAN ABBREVIATION MARK BELOW + {0x10B00, 0x10B35, prALetter}, // Lo [54] AVESTAN LETTER A..AVESTAN LETTER HE + {0x10B40, 0x10B55, prALetter}, // Lo [22] INSCRIPTIONAL PARTHIAN LETTER ALEPH..INSCRIPTIONAL PARTHIAN LETTER TAW + {0x10B60, 0x10B72, prALetter}, // Lo [19] INSCRIPTIONAL PAHLAVI LETTER ALEPH..INSCRIPTIONAL PAHLAVI LETTER TAW + {0x10B80, 0x10B91, prALetter}, // Lo [18] PSALTER PAHLAVI LETTER ALEPH..PSALTER PAHLAVI LETTER TAW + {0x10C00, 0x10C48, prALetter}, // Lo [73] OLD TURKIC LETTER ORKHON A..OLD TURKIC LETTER ORKHON BASH + {0x10C80, 0x10CB2, prALetter}, // L& [51] OLD HUNGARIAN CAPITAL LETTER A..OLD HUNGARIAN CAPITAL LETTER US + {0x10CC0, 0x10CF2, prALetter}, // L& [51] OLD HUNGARIAN SMALL LETTER A..OLD HUNGARIAN SMALL LETTER US + {0x10D00, 0x10D23, prALetter}, // Lo [36] HANIFI ROHINGYA LETTER A..HANIFI ROHINGYA MARK NA KHONNA + {0x10D24, 0x10D27, prExtend}, // Mn [4] HANIFI ROHINGYA SIGN HARBAHAY..HANIFI ROHINGYA SIGN TASSI + {0x10D30, 0x10D39, prNumeric}, // Nd [10] HANIFI ROHINGYA DIGIT ZERO..HANIFI ROHINGYA DIGIT NINE + {0x10E80, 0x10EA9, prALetter}, // Lo [42] YEZIDI LETTER ELIF..YEZIDI LETTER ET + {0x10EAB, 0x10EAC, prExtend}, // Mn [2] YEZIDI COMBINING HAMZA MARK..YEZIDI COMBINING MADDA MARK + {0x10EB0, 0x10EB1, prALetter}, // Lo [2] YEZIDI LETTER LAM WITH DOT ABOVE..YEZIDI LETTER YOT WITH CIRCUMFLEX ABOVE + {0x10EFD, 0x10EFF, prExtend}, // Mn [3] ARABIC SMALL LOW WORD SAKTA..ARABIC SMALL LOW WORD MADDA + {0x10F00, 0x10F1C, prALetter}, // Lo [29] OLD SOGDIAN LETTER ALEPH..OLD SOGDIAN LETTER FINAL TAW WITH VERTICAL TAIL + {0x10F27, 0x10F27, prALetter}, // Lo OLD SOGDIAN LIGATURE AYIN-DALETH + {0x10F30, 0x10F45, prALetter}, // Lo [22] SOGDIAN LETTER ALEPH..SOGDIAN INDEPENDENT SHIN + {0x10F46, 0x10F50, prExtend}, // Mn [11] SOGDIAN COMBINING DOT BELOW..SOGDIAN COMBINING STROKE BELOW + {0x10F70, 0x10F81, prALetter}, // Lo [18] OLD UYGHUR LETTER ALEPH..OLD UYGHUR LETTER LESH + {0x10F82, 0x10F85, prExtend}, // Mn [4] OLD UYGHUR COMBINING DOT ABOVE..OLD UYGHUR COMBINING TWO DOTS BELOW + {0x10FB0, 0x10FC4, prALetter}, // Lo [21] CHORASMIAN LETTER ALEPH..CHORASMIAN LETTER TAW + {0x10FE0, 0x10FF6, prALetter}, // Lo [23] ELYMAIC LETTER ALEPH..ELYMAIC LIGATURE ZAYIN-YODH + {0x11000, 0x11000, prExtend}, // Mc BRAHMI SIGN CANDRABINDU + {0x11001, 0x11001, prExtend}, // Mn BRAHMI SIGN ANUSVARA + {0x11002, 0x11002, prExtend}, // Mc BRAHMI SIGN VISARGA + {0x11003, 0x11037, prALetter}, // Lo [53] BRAHMI SIGN JIHVAMULIYA..BRAHMI LETTER OLD TAMIL NNNA + {0x11038, 0x11046, prExtend}, // Mn [15] BRAHMI VOWEL SIGN AA..BRAHMI VIRAMA + {0x11066, 0x1106F, prNumeric}, // Nd [10] BRAHMI DIGIT ZERO..BRAHMI DIGIT NINE + {0x11070, 0x11070, prExtend}, // Mn BRAHMI SIGN OLD TAMIL VIRAMA + {0x11071, 0x11072, prALetter}, // Lo [2] BRAHMI LETTER OLD TAMIL SHORT E..BRAHMI LETTER OLD TAMIL SHORT O + {0x11073, 0x11074, prExtend}, // Mn [2] BRAHMI VOWEL SIGN OLD TAMIL SHORT E..BRAHMI VOWEL SIGN OLD TAMIL SHORT O + {0x11075, 0x11075, prALetter}, // Lo BRAHMI LETTER OLD TAMIL LLA + {0x1107F, 0x11081, prExtend}, // Mn [3] BRAHMI NUMBER JOINER..KAITHI SIGN ANUSVARA + {0x11082, 0x11082, prExtend}, // Mc KAITHI SIGN VISARGA + {0x11083, 0x110AF, prALetter}, // Lo [45] KAITHI LETTER A..KAITHI LETTER HA + {0x110B0, 0x110B2, prExtend}, // Mc [3] KAITHI VOWEL SIGN AA..KAITHI VOWEL SIGN II + {0x110B3, 0x110B6, prExtend}, // Mn [4] KAITHI VOWEL SIGN U..KAITHI VOWEL SIGN AI + {0x110B7, 0x110B8, prExtend}, // Mc [2] KAITHI VOWEL SIGN O..KAITHI VOWEL SIGN AU + {0x110B9, 0x110BA, prExtend}, // Mn [2] KAITHI SIGN VIRAMA..KAITHI SIGN NUKTA + {0x110BD, 0x110BD, prFormat}, // Cf KAITHI NUMBER SIGN + {0x110C2, 0x110C2, prExtend}, // Mn KAITHI VOWEL SIGN VOCALIC R + {0x110CD, 0x110CD, prFormat}, // Cf KAITHI NUMBER SIGN ABOVE + {0x110D0, 0x110E8, prALetter}, // Lo [25] SORA SOMPENG LETTER SAH..SORA SOMPENG LETTER MAE + {0x110F0, 0x110F9, prNumeric}, // Nd [10] SORA SOMPENG DIGIT ZERO..SORA SOMPENG DIGIT NINE + {0x11100, 0x11102, prExtend}, // Mn [3] CHAKMA SIGN CANDRABINDU..CHAKMA SIGN VISARGA + {0x11103, 0x11126, prALetter}, // Lo [36] CHAKMA LETTER AA..CHAKMA LETTER HAA + {0x11127, 0x1112B, prExtend}, // Mn [5] CHAKMA VOWEL SIGN A..CHAKMA VOWEL SIGN UU + {0x1112C, 0x1112C, prExtend}, // Mc CHAKMA VOWEL SIGN E + {0x1112D, 0x11134, prExtend}, // Mn [8] CHAKMA VOWEL SIGN AI..CHAKMA MAAYYAA + {0x11136, 0x1113F, prNumeric}, // Nd [10] CHAKMA DIGIT ZERO..CHAKMA DIGIT NINE + {0x11144, 0x11144, prALetter}, // Lo CHAKMA LETTER LHAA + {0x11145, 0x11146, prExtend}, // Mc [2] CHAKMA VOWEL SIGN AA..CHAKMA VOWEL SIGN EI + {0x11147, 0x11147, prALetter}, // Lo CHAKMA LETTER VAA + {0x11150, 0x11172, prALetter}, // Lo [35] MAHAJANI LETTER A..MAHAJANI LETTER RRA + {0x11173, 0x11173, prExtend}, // Mn MAHAJANI SIGN NUKTA + {0x11176, 0x11176, prALetter}, // Lo MAHAJANI LIGATURE SHRI + {0x11180, 0x11181, prExtend}, // Mn [2] SHARADA SIGN CANDRABINDU..SHARADA SIGN ANUSVARA + {0x11182, 0x11182, prExtend}, // Mc SHARADA SIGN VISARGA + {0x11183, 0x111B2, prALetter}, // Lo [48] SHARADA LETTER A..SHARADA LETTER HA + {0x111B3, 0x111B5, prExtend}, // Mc [3] SHARADA VOWEL SIGN AA..SHARADA VOWEL SIGN II + {0x111B6, 0x111BE, prExtend}, // Mn [9] SHARADA VOWEL SIGN U..SHARADA VOWEL SIGN O + {0x111BF, 0x111C0, prExtend}, // Mc [2] SHARADA VOWEL SIGN AU..SHARADA SIGN VIRAMA + {0x111C1, 0x111C4, prALetter}, // Lo [4] SHARADA SIGN AVAGRAHA..SHARADA OM + {0x111C9, 0x111CC, prExtend}, // Mn [4] SHARADA SANDHI MARK..SHARADA EXTRA SHORT VOWEL MARK + {0x111CE, 0x111CE, prExtend}, // Mc SHARADA VOWEL SIGN PRISHTHAMATRA E + {0x111CF, 0x111CF, prExtend}, // Mn SHARADA SIGN INVERTED CANDRABINDU + {0x111D0, 0x111D9, prNumeric}, // Nd [10] SHARADA DIGIT ZERO..SHARADA DIGIT NINE + {0x111DA, 0x111DA, prALetter}, // Lo SHARADA EKAM + {0x111DC, 0x111DC, prALetter}, // Lo SHARADA HEADSTROKE + {0x11200, 0x11211, prALetter}, // Lo [18] KHOJKI LETTER A..KHOJKI LETTER JJA + {0x11213, 0x1122B, prALetter}, // Lo [25] KHOJKI LETTER NYA..KHOJKI LETTER LLA + {0x1122C, 0x1122E, prExtend}, // Mc [3] KHOJKI VOWEL SIGN AA..KHOJKI VOWEL SIGN II + {0x1122F, 0x11231, prExtend}, // Mn [3] KHOJKI VOWEL SIGN U..KHOJKI VOWEL SIGN AI + {0x11232, 0x11233, prExtend}, // Mc [2] KHOJKI VOWEL SIGN O..KHOJKI VOWEL SIGN AU + {0x11234, 0x11234, prExtend}, // Mn KHOJKI SIGN ANUSVARA + {0x11235, 0x11235, prExtend}, // Mc KHOJKI SIGN VIRAMA + {0x11236, 0x11237, prExtend}, // Mn [2] KHOJKI SIGN NUKTA..KHOJKI SIGN SHADDA + {0x1123E, 0x1123E, prExtend}, // Mn KHOJKI SIGN SUKUN + {0x1123F, 0x11240, prALetter}, // Lo [2] KHOJKI LETTER QA..KHOJKI LETTER SHORT I + {0x11241, 0x11241, prExtend}, // Mn KHOJKI VOWEL SIGN VOCALIC R + {0x11280, 0x11286, prALetter}, // Lo [7] MULTANI LETTER A..MULTANI LETTER GA + {0x11288, 0x11288, prALetter}, // Lo MULTANI LETTER GHA + {0x1128A, 0x1128D, prALetter}, // Lo [4] MULTANI LETTER CA..MULTANI LETTER JJA + {0x1128F, 0x1129D, prALetter}, // Lo [15] MULTANI LETTER NYA..MULTANI LETTER BA + {0x1129F, 0x112A8, prALetter}, // Lo [10] MULTANI LETTER BHA..MULTANI LETTER RHA + {0x112B0, 0x112DE, prALetter}, // Lo [47] KHUDAWADI LETTER A..KHUDAWADI LETTER HA + {0x112DF, 0x112DF, prExtend}, // Mn KHUDAWADI SIGN ANUSVARA + {0x112E0, 0x112E2, prExtend}, // Mc [3] KHUDAWADI VOWEL SIGN AA..KHUDAWADI VOWEL SIGN II + {0x112E3, 0x112EA, prExtend}, // Mn [8] KHUDAWADI VOWEL SIGN U..KHUDAWADI SIGN VIRAMA + {0x112F0, 0x112F9, prNumeric}, // Nd [10] KHUDAWADI DIGIT ZERO..KHUDAWADI DIGIT NINE + {0x11300, 0x11301, prExtend}, // Mn [2] GRANTHA SIGN COMBINING ANUSVARA ABOVE..GRANTHA SIGN CANDRABINDU + {0x11302, 0x11303, prExtend}, // Mc [2] GRANTHA SIGN ANUSVARA..GRANTHA SIGN VISARGA + {0x11305, 0x1130C, prALetter}, // Lo [8] GRANTHA LETTER A..GRANTHA LETTER VOCALIC L + {0x1130F, 0x11310, prALetter}, // Lo [2] GRANTHA LETTER EE..GRANTHA LETTER AI + {0x11313, 0x11328, prALetter}, // Lo [22] GRANTHA LETTER OO..GRANTHA LETTER NA + {0x1132A, 0x11330, prALetter}, // Lo [7] GRANTHA LETTER PA..GRANTHA LETTER RA + {0x11332, 0x11333, prALetter}, // Lo [2] GRANTHA LETTER LA..GRANTHA LETTER LLA + {0x11335, 0x11339, prALetter}, // Lo [5] GRANTHA LETTER VA..GRANTHA LETTER HA + {0x1133B, 0x1133C, prExtend}, // Mn [2] COMBINING BINDU BELOW..GRANTHA SIGN NUKTA + {0x1133D, 0x1133D, prALetter}, // Lo GRANTHA SIGN AVAGRAHA + {0x1133E, 0x1133F, prExtend}, // Mc [2] GRANTHA VOWEL SIGN AA..GRANTHA VOWEL SIGN I + {0x11340, 0x11340, prExtend}, // Mn GRANTHA VOWEL SIGN II + {0x11341, 0x11344, prExtend}, // Mc [4] GRANTHA VOWEL SIGN U..GRANTHA VOWEL SIGN VOCALIC RR + {0x11347, 0x11348, prExtend}, // Mc [2] GRANTHA VOWEL SIGN EE..GRANTHA VOWEL SIGN AI + {0x1134B, 0x1134D, prExtend}, // Mc [3] GRANTHA VOWEL SIGN OO..GRANTHA SIGN VIRAMA + {0x11350, 0x11350, prALetter}, // Lo GRANTHA OM + {0x11357, 0x11357, prExtend}, // Mc GRANTHA AU LENGTH MARK + {0x1135D, 0x11361, prALetter}, // Lo [5] GRANTHA SIGN PLUTA..GRANTHA LETTER VOCALIC LL + {0x11362, 0x11363, prExtend}, // Mc [2] GRANTHA VOWEL SIGN VOCALIC L..GRANTHA VOWEL SIGN VOCALIC LL + {0x11366, 0x1136C, prExtend}, // Mn [7] COMBINING GRANTHA DIGIT ZERO..COMBINING GRANTHA DIGIT SIX + {0x11370, 0x11374, prExtend}, // Mn [5] COMBINING GRANTHA LETTER A..COMBINING GRANTHA LETTER PA + {0x11400, 0x11434, prALetter}, // Lo [53] NEWA LETTER A..NEWA LETTER HA + {0x11435, 0x11437, prExtend}, // Mc [3] NEWA VOWEL SIGN AA..NEWA VOWEL SIGN II + {0x11438, 0x1143F, prExtend}, // Mn [8] NEWA VOWEL SIGN U..NEWA VOWEL SIGN AI + {0x11440, 0x11441, prExtend}, // Mc [2] NEWA VOWEL SIGN O..NEWA VOWEL SIGN AU + {0x11442, 0x11444, prExtend}, // Mn [3] NEWA SIGN VIRAMA..NEWA SIGN ANUSVARA + {0x11445, 0x11445, prExtend}, // Mc NEWA SIGN VISARGA + {0x11446, 0x11446, prExtend}, // Mn NEWA SIGN NUKTA + {0x11447, 0x1144A, prALetter}, // Lo [4] NEWA SIGN AVAGRAHA..NEWA SIDDHI + {0x11450, 0x11459, prNumeric}, // Nd [10] NEWA DIGIT ZERO..NEWA DIGIT NINE + {0x1145E, 0x1145E, prExtend}, // Mn NEWA SANDHI MARK + {0x1145F, 0x11461, prALetter}, // Lo [3] NEWA LETTER VEDIC ANUSVARA..NEWA SIGN UPADHMANIYA + {0x11480, 0x114AF, prALetter}, // Lo [48] TIRHUTA ANJI..TIRHUTA LETTER HA + {0x114B0, 0x114B2, prExtend}, // Mc [3] TIRHUTA VOWEL SIGN AA..TIRHUTA VOWEL SIGN II + {0x114B3, 0x114B8, prExtend}, // Mn [6] TIRHUTA VOWEL SIGN U..TIRHUTA VOWEL SIGN VOCALIC LL + {0x114B9, 0x114B9, prExtend}, // Mc TIRHUTA VOWEL SIGN E + {0x114BA, 0x114BA, prExtend}, // Mn TIRHUTA VOWEL SIGN SHORT E + {0x114BB, 0x114BE, prExtend}, // Mc [4] TIRHUTA VOWEL SIGN AI..TIRHUTA VOWEL SIGN AU + {0x114BF, 0x114C0, prExtend}, // Mn [2] TIRHUTA SIGN CANDRABINDU..TIRHUTA SIGN ANUSVARA + {0x114C1, 0x114C1, prExtend}, // Mc TIRHUTA SIGN VISARGA + {0x114C2, 0x114C3, prExtend}, // Mn [2] TIRHUTA SIGN VIRAMA..TIRHUTA SIGN NUKTA + {0x114C4, 0x114C5, prALetter}, // Lo [2] TIRHUTA SIGN AVAGRAHA..TIRHUTA GVANG + {0x114C7, 0x114C7, prALetter}, // Lo TIRHUTA OM + {0x114D0, 0x114D9, prNumeric}, // Nd [10] TIRHUTA DIGIT ZERO..TIRHUTA DIGIT NINE + {0x11580, 0x115AE, prALetter}, // Lo [47] SIDDHAM LETTER A..SIDDHAM LETTER HA + {0x115AF, 0x115B1, prExtend}, // Mc [3] SIDDHAM VOWEL SIGN AA..SIDDHAM VOWEL SIGN II + {0x115B2, 0x115B5, prExtend}, // Mn [4] SIDDHAM VOWEL SIGN U..SIDDHAM VOWEL SIGN VOCALIC RR + {0x115B8, 0x115BB, prExtend}, // Mc [4] SIDDHAM VOWEL SIGN E..SIDDHAM VOWEL SIGN AU + {0x115BC, 0x115BD, prExtend}, // Mn [2] SIDDHAM SIGN CANDRABINDU..SIDDHAM SIGN ANUSVARA + {0x115BE, 0x115BE, prExtend}, // Mc SIDDHAM SIGN VISARGA + {0x115BF, 0x115C0, prExtend}, // Mn [2] SIDDHAM SIGN VIRAMA..SIDDHAM SIGN NUKTA + {0x115D8, 0x115DB, prALetter}, // Lo [4] SIDDHAM LETTER THREE-CIRCLE ALTERNATE I..SIDDHAM LETTER ALTERNATE U + {0x115DC, 0x115DD, prExtend}, // Mn [2] SIDDHAM VOWEL SIGN ALTERNATE U..SIDDHAM VOWEL SIGN ALTERNATE UU + {0x11600, 0x1162F, prALetter}, // Lo [48] MODI LETTER A..MODI LETTER LLA + {0x11630, 0x11632, prExtend}, // Mc [3] MODI VOWEL SIGN AA..MODI VOWEL SIGN II + {0x11633, 0x1163A, prExtend}, // Mn [8] MODI VOWEL SIGN U..MODI VOWEL SIGN AI + {0x1163B, 0x1163C, prExtend}, // Mc [2] MODI VOWEL SIGN O..MODI VOWEL SIGN AU + {0x1163D, 0x1163D, prExtend}, // Mn MODI SIGN ANUSVARA + {0x1163E, 0x1163E, prExtend}, // Mc MODI SIGN VISARGA + {0x1163F, 0x11640, prExtend}, // Mn [2] MODI SIGN VIRAMA..MODI SIGN ARDHACANDRA + {0x11644, 0x11644, prALetter}, // Lo MODI SIGN HUVA + {0x11650, 0x11659, prNumeric}, // Nd [10] MODI DIGIT ZERO..MODI DIGIT NINE + {0x11680, 0x116AA, prALetter}, // Lo [43] TAKRI LETTER A..TAKRI LETTER RRA + {0x116AB, 0x116AB, prExtend}, // Mn TAKRI SIGN ANUSVARA + {0x116AC, 0x116AC, prExtend}, // Mc TAKRI SIGN VISARGA + {0x116AD, 0x116AD, prExtend}, // Mn TAKRI VOWEL SIGN AA + {0x116AE, 0x116AF, prExtend}, // Mc [2] TAKRI VOWEL SIGN I..TAKRI VOWEL SIGN II + {0x116B0, 0x116B5, prExtend}, // Mn [6] TAKRI VOWEL SIGN U..TAKRI VOWEL SIGN AU + {0x116B6, 0x116B6, prExtend}, // Mc TAKRI SIGN VIRAMA + {0x116B7, 0x116B7, prExtend}, // Mn TAKRI SIGN NUKTA + {0x116B8, 0x116B8, prALetter}, // Lo TAKRI LETTER ARCHAIC KHA + {0x116C0, 0x116C9, prNumeric}, // Nd [10] TAKRI DIGIT ZERO..TAKRI DIGIT NINE + {0x1171D, 0x1171F, prExtend}, // Mn [3] AHOM CONSONANT SIGN MEDIAL LA..AHOM CONSONANT SIGN MEDIAL LIGATING RA + {0x11720, 0x11721, prExtend}, // Mc [2] AHOM VOWEL SIGN A..AHOM VOWEL SIGN AA + {0x11722, 0x11725, prExtend}, // Mn [4] AHOM VOWEL SIGN I..AHOM VOWEL SIGN UU + {0x11726, 0x11726, prExtend}, // Mc AHOM VOWEL SIGN E + {0x11727, 0x1172B, prExtend}, // Mn [5] AHOM VOWEL SIGN AW..AHOM SIGN KILLER + {0x11730, 0x11739, prNumeric}, // Nd [10] AHOM DIGIT ZERO..AHOM DIGIT NINE + {0x11800, 0x1182B, prALetter}, // Lo [44] DOGRA LETTER A..DOGRA LETTER RRA + {0x1182C, 0x1182E, prExtend}, // Mc [3] DOGRA VOWEL SIGN AA..DOGRA VOWEL SIGN II + {0x1182F, 0x11837, prExtend}, // Mn [9] DOGRA VOWEL SIGN U..DOGRA SIGN ANUSVARA + {0x11838, 0x11838, prExtend}, // Mc DOGRA SIGN VISARGA + {0x11839, 0x1183A, prExtend}, // Mn [2] DOGRA SIGN VIRAMA..DOGRA SIGN NUKTA + {0x118A0, 0x118DF, prALetter}, // L& [64] WARANG CITI CAPITAL LETTER NGAA..WARANG CITI SMALL LETTER VIYO + {0x118E0, 0x118E9, prNumeric}, // Nd [10] WARANG CITI DIGIT ZERO..WARANG CITI DIGIT NINE + {0x118FF, 0x11906, prALetter}, // Lo [8] WARANG CITI OM..DIVES AKURU LETTER E + {0x11909, 0x11909, prALetter}, // Lo DIVES AKURU LETTER O + {0x1190C, 0x11913, prALetter}, // Lo [8] DIVES AKURU LETTER KA..DIVES AKURU LETTER JA + {0x11915, 0x11916, prALetter}, // Lo [2] DIVES AKURU LETTER NYA..DIVES AKURU LETTER TTA + {0x11918, 0x1192F, prALetter}, // Lo [24] DIVES AKURU LETTER DDA..DIVES AKURU LETTER ZA + {0x11930, 0x11935, prExtend}, // Mc [6] DIVES AKURU VOWEL SIGN AA..DIVES AKURU VOWEL SIGN E + {0x11937, 0x11938, prExtend}, // Mc [2] DIVES AKURU VOWEL SIGN AI..DIVES AKURU VOWEL SIGN O + {0x1193B, 0x1193C, prExtend}, // Mn [2] DIVES AKURU SIGN ANUSVARA..DIVES AKURU SIGN CANDRABINDU + {0x1193D, 0x1193D, prExtend}, // Mc DIVES AKURU SIGN HALANTA + {0x1193E, 0x1193E, prExtend}, // Mn DIVES AKURU VIRAMA + {0x1193F, 0x1193F, prALetter}, // Lo DIVES AKURU PREFIXED NASAL SIGN + {0x11940, 0x11940, prExtend}, // Mc DIVES AKURU MEDIAL YA + {0x11941, 0x11941, prALetter}, // Lo DIVES AKURU INITIAL RA + {0x11942, 0x11942, prExtend}, // Mc DIVES AKURU MEDIAL RA + {0x11943, 0x11943, prExtend}, // Mn DIVES AKURU SIGN NUKTA + {0x11950, 0x11959, prNumeric}, // Nd [10] DIVES AKURU DIGIT ZERO..DIVES AKURU DIGIT NINE + {0x119A0, 0x119A7, prALetter}, // Lo [8] NANDINAGARI LETTER A..NANDINAGARI LETTER VOCALIC RR + {0x119AA, 0x119D0, prALetter}, // Lo [39] NANDINAGARI LETTER E..NANDINAGARI LETTER RRA + {0x119D1, 0x119D3, prExtend}, // Mc [3] NANDINAGARI VOWEL SIGN AA..NANDINAGARI VOWEL SIGN II + {0x119D4, 0x119D7, prExtend}, // Mn [4] NANDINAGARI VOWEL SIGN U..NANDINAGARI VOWEL SIGN VOCALIC RR + {0x119DA, 0x119DB, prExtend}, // Mn [2] NANDINAGARI VOWEL SIGN E..NANDINAGARI VOWEL SIGN AI + {0x119DC, 0x119DF, prExtend}, // Mc [4] NANDINAGARI VOWEL SIGN O..NANDINAGARI SIGN VISARGA + {0x119E0, 0x119E0, prExtend}, // Mn NANDINAGARI SIGN VIRAMA + {0x119E1, 0x119E1, prALetter}, // Lo NANDINAGARI SIGN AVAGRAHA + {0x119E3, 0x119E3, prALetter}, // Lo NANDINAGARI HEADSTROKE + {0x119E4, 0x119E4, prExtend}, // Mc NANDINAGARI VOWEL SIGN PRISHTHAMATRA E + {0x11A00, 0x11A00, prALetter}, // Lo ZANABAZAR SQUARE LETTER A + {0x11A01, 0x11A0A, prExtend}, // Mn [10] ZANABAZAR SQUARE VOWEL SIGN I..ZANABAZAR SQUARE VOWEL LENGTH MARK + {0x11A0B, 0x11A32, prALetter}, // Lo [40] ZANABAZAR SQUARE LETTER KA..ZANABAZAR SQUARE LETTER KSSA + {0x11A33, 0x11A38, prExtend}, // Mn [6] ZANABAZAR SQUARE FINAL CONSONANT MARK..ZANABAZAR SQUARE SIGN ANUSVARA + {0x11A39, 0x11A39, prExtend}, // Mc ZANABAZAR SQUARE SIGN VISARGA + {0x11A3A, 0x11A3A, prALetter}, // Lo ZANABAZAR SQUARE CLUSTER-INITIAL LETTER RA + {0x11A3B, 0x11A3E, prExtend}, // Mn [4] ZANABAZAR SQUARE CLUSTER-FINAL LETTER YA..ZANABAZAR SQUARE CLUSTER-FINAL LETTER VA + {0x11A47, 0x11A47, prExtend}, // Mn ZANABAZAR SQUARE SUBJOINER + {0x11A50, 0x11A50, prALetter}, // Lo SOYOMBO LETTER A + {0x11A51, 0x11A56, prExtend}, // Mn [6] SOYOMBO VOWEL SIGN I..SOYOMBO VOWEL SIGN OE + {0x11A57, 0x11A58, prExtend}, // Mc [2] SOYOMBO VOWEL SIGN AI..SOYOMBO VOWEL SIGN AU + {0x11A59, 0x11A5B, prExtend}, // Mn [3] SOYOMBO VOWEL SIGN VOCALIC R..SOYOMBO VOWEL LENGTH MARK + {0x11A5C, 0x11A89, prALetter}, // Lo [46] SOYOMBO LETTER KA..SOYOMBO CLUSTER-INITIAL LETTER SA + {0x11A8A, 0x11A96, prExtend}, // Mn [13] SOYOMBO FINAL CONSONANT SIGN G..SOYOMBO SIGN ANUSVARA + {0x11A97, 0x11A97, prExtend}, // Mc SOYOMBO SIGN VISARGA + {0x11A98, 0x11A99, prExtend}, // Mn [2] SOYOMBO GEMINATION MARK..SOYOMBO SUBJOINER + {0x11A9D, 0x11A9D, prALetter}, // Lo SOYOMBO MARK PLUTA + {0x11AB0, 0x11AF8, prALetter}, // Lo [73] CANADIAN SYLLABICS NATTILIK HI..PAU CIN HAU GLOTTAL STOP FINAL + {0x11C00, 0x11C08, prALetter}, // Lo [9] BHAIKSUKI LETTER A..BHAIKSUKI LETTER VOCALIC L + {0x11C0A, 0x11C2E, prALetter}, // Lo [37] BHAIKSUKI LETTER E..BHAIKSUKI LETTER HA + {0x11C2F, 0x11C2F, prExtend}, // Mc BHAIKSUKI VOWEL SIGN AA + {0x11C30, 0x11C36, prExtend}, // Mn [7] BHAIKSUKI VOWEL SIGN I..BHAIKSUKI VOWEL SIGN VOCALIC L + {0x11C38, 0x11C3D, prExtend}, // Mn [6] BHAIKSUKI VOWEL SIGN E..BHAIKSUKI SIGN ANUSVARA + {0x11C3E, 0x11C3E, prExtend}, // Mc BHAIKSUKI SIGN VISARGA + {0x11C3F, 0x11C3F, prExtend}, // Mn BHAIKSUKI SIGN VIRAMA + {0x11C40, 0x11C40, prALetter}, // Lo BHAIKSUKI SIGN AVAGRAHA + {0x11C50, 0x11C59, prNumeric}, // Nd [10] BHAIKSUKI DIGIT ZERO..BHAIKSUKI DIGIT NINE + {0x11C72, 0x11C8F, prALetter}, // Lo [30] MARCHEN LETTER KA..MARCHEN LETTER A + {0x11C92, 0x11CA7, prExtend}, // Mn [22] MARCHEN SUBJOINED LETTER KA..MARCHEN SUBJOINED LETTER ZA + {0x11CA9, 0x11CA9, prExtend}, // Mc MARCHEN SUBJOINED LETTER YA + {0x11CAA, 0x11CB0, prExtend}, // Mn [7] MARCHEN SUBJOINED LETTER RA..MARCHEN VOWEL SIGN AA + {0x11CB1, 0x11CB1, prExtend}, // Mc MARCHEN VOWEL SIGN I + {0x11CB2, 0x11CB3, prExtend}, // Mn [2] MARCHEN VOWEL SIGN U..MARCHEN VOWEL SIGN E + {0x11CB4, 0x11CB4, prExtend}, // Mc MARCHEN VOWEL SIGN O + {0x11CB5, 0x11CB6, prExtend}, // Mn [2] MARCHEN SIGN ANUSVARA..MARCHEN SIGN CANDRABINDU + {0x11D00, 0x11D06, prALetter}, // Lo [7] MASARAM GONDI LETTER A..MASARAM GONDI LETTER E + {0x11D08, 0x11D09, prALetter}, // Lo [2] MASARAM GONDI LETTER AI..MASARAM GONDI LETTER O + {0x11D0B, 0x11D30, prALetter}, // Lo [38] MASARAM GONDI LETTER AU..MASARAM GONDI LETTER TRA + {0x11D31, 0x11D36, prExtend}, // Mn [6] MASARAM GONDI VOWEL SIGN AA..MASARAM GONDI VOWEL SIGN VOCALIC R + {0x11D3A, 0x11D3A, prExtend}, // Mn MASARAM GONDI VOWEL SIGN E + {0x11D3C, 0x11D3D, prExtend}, // Mn [2] MASARAM GONDI VOWEL SIGN AI..MASARAM GONDI VOWEL SIGN O + {0x11D3F, 0x11D45, prExtend}, // Mn [7] MASARAM GONDI VOWEL SIGN AU..MASARAM GONDI VIRAMA + {0x11D46, 0x11D46, prALetter}, // Lo MASARAM GONDI REPHA + {0x11D47, 0x11D47, prExtend}, // Mn MASARAM GONDI RA-KARA + {0x11D50, 0x11D59, prNumeric}, // Nd [10] MASARAM GONDI DIGIT ZERO..MASARAM GONDI DIGIT NINE + {0x11D60, 0x11D65, prALetter}, // Lo [6] GUNJALA GONDI LETTER A..GUNJALA GONDI LETTER UU + {0x11D67, 0x11D68, prALetter}, // Lo [2] GUNJALA GONDI LETTER EE..GUNJALA GONDI LETTER AI + {0x11D6A, 0x11D89, prALetter}, // Lo [32] GUNJALA GONDI LETTER OO..GUNJALA GONDI LETTER SA + {0x11D8A, 0x11D8E, prExtend}, // Mc [5] GUNJALA GONDI VOWEL SIGN AA..GUNJALA GONDI VOWEL SIGN UU + {0x11D90, 0x11D91, prExtend}, // Mn [2] GUNJALA GONDI VOWEL SIGN EE..GUNJALA GONDI VOWEL SIGN AI + {0x11D93, 0x11D94, prExtend}, // Mc [2] GUNJALA GONDI VOWEL SIGN OO..GUNJALA GONDI VOWEL SIGN AU + {0x11D95, 0x11D95, prExtend}, // Mn GUNJALA GONDI SIGN ANUSVARA + {0x11D96, 0x11D96, prExtend}, // Mc GUNJALA GONDI SIGN VISARGA + {0x11D97, 0x11D97, prExtend}, // Mn GUNJALA GONDI VIRAMA + {0x11D98, 0x11D98, prALetter}, // Lo GUNJALA GONDI OM + {0x11DA0, 0x11DA9, prNumeric}, // Nd [10] GUNJALA GONDI DIGIT ZERO..GUNJALA GONDI DIGIT NINE + {0x11EE0, 0x11EF2, prALetter}, // Lo [19] MAKASAR LETTER KA..MAKASAR ANGKA + {0x11EF3, 0x11EF4, prExtend}, // Mn [2] MAKASAR VOWEL SIGN I..MAKASAR VOWEL SIGN U + {0x11EF5, 0x11EF6, prExtend}, // Mc [2] MAKASAR VOWEL SIGN E..MAKASAR VOWEL SIGN O + {0x11F00, 0x11F01, prExtend}, // Mn [2] KAWI SIGN CANDRABINDU..KAWI SIGN ANUSVARA + {0x11F02, 0x11F02, prALetter}, // Lo KAWI SIGN REPHA + {0x11F03, 0x11F03, prExtend}, // Mc KAWI SIGN VISARGA + {0x11F04, 0x11F10, prALetter}, // Lo [13] KAWI LETTER A..KAWI LETTER O + {0x11F12, 0x11F33, prALetter}, // Lo [34] KAWI LETTER KA..KAWI LETTER JNYA + {0x11F34, 0x11F35, prExtend}, // Mc [2] KAWI VOWEL SIGN AA..KAWI VOWEL SIGN ALTERNATE AA + {0x11F36, 0x11F3A, prExtend}, // Mn [5] KAWI VOWEL SIGN I..KAWI VOWEL SIGN VOCALIC R + {0x11F3E, 0x11F3F, prExtend}, // Mc [2] KAWI VOWEL SIGN E..KAWI VOWEL SIGN AI + {0x11F40, 0x11F40, prExtend}, // Mn KAWI VOWEL SIGN EU + {0x11F41, 0x11F41, prExtend}, // Mc KAWI SIGN KILLER + {0x11F42, 0x11F42, prExtend}, // Mn KAWI CONJOINER + {0x11F50, 0x11F59, prNumeric}, // Nd [10] KAWI DIGIT ZERO..KAWI DIGIT NINE + {0x11FB0, 0x11FB0, prALetter}, // Lo LISU LETTER YHA + {0x12000, 0x12399, prALetter}, // Lo [922] CUNEIFORM SIGN A..CUNEIFORM SIGN U U + {0x12400, 0x1246E, prALetter}, // Nl [111] CUNEIFORM NUMERIC SIGN TWO ASH..CUNEIFORM NUMERIC SIGN NINE U VARIANT FORM + {0x12480, 0x12543, prALetter}, // Lo [196] CUNEIFORM SIGN AB TIMES NUN TENU..CUNEIFORM SIGN ZU5 TIMES THREE DISH TENU + {0x12F90, 0x12FF0, prALetter}, // Lo [97] CYPRO-MINOAN SIGN CM001..CYPRO-MINOAN SIGN CM114 + {0x13000, 0x1342F, prALetter}, // Lo [1072] EGYPTIAN HIEROGLYPH A001..EGYPTIAN HIEROGLYPH V011D + {0x13430, 0x1343F, prFormat}, // Cf [16] EGYPTIAN HIEROGLYPH VERTICAL JOINER..EGYPTIAN HIEROGLYPH END WALLED ENCLOSURE + {0x13440, 0x13440, prExtend}, // Mn EGYPTIAN HIEROGLYPH MIRROR HORIZONTALLY + {0x13441, 0x13446, prALetter}, // Lo [6] EGYPTIAN HIEROGLYPH FULL BLANK..EGYPTIAN HIEROGLYPH WIDE LOST SIGN + {0x13447, 0x13455, prExtend}, // Mn [15] EGYPTIAN HIEROGLYPH MODIFIER DAMAGED AT TOP START..EGYPTIAN HIEROGLYPH MODIFIER DAMAGED + {0x14400, 0x14646, prALetter}, // Lo [583] ANATOLIAN HIEROGLYPH A001..ANATOLIAN HIEROGLYPH A530 + {0x16800, 0x16A38, prALetter}, // Lo [569] BAMUM LETTER PHASE-A NGKUE MFON..BAMUM LETTER PHASE-F VUEQ + {0x16A40, 0x16A5E, prALetter}, // Lo [31] MRO LETTER TA..MRO LETTER TEK + {0x16A60, 0x16A69, prNumeric}, // Nd [10] MRO DIGIT ZERO..MRO DIGIT NINE + {0x16A70, 0x16ABE, prALetter}, // Lo [79] TANGSA LETTER OZ..TANGSA LETTER ZA + {0x16AC0, 0x16AC9, prNumeric}, // Nd [10] TANGSA DIGIT ZERO..TANGSA DIGIT NINE + {0x16AD0, 0x16AED, prALetter}, // Lo [30] BASSA VAH LETTER ENNI..BASSA VAH LETTER I + {0x16AF0, 0x16AF4, prExtend}, // Mn [5] BASSA VAH COMBINING HIGH TONE..BASSA VAH COMBINING HIGH-LOW TONE + {0x16B00, 0x16B2F, prALetter}, // Lo [48] PAHAWH HMONG VOWEL KEEB..PAHAWH HMONG CONSONANT CAU + {0x16B30, 0x16B36, prExtend}, // Mn [7] PAHAWH HMONG MARK CIM TUB..PAHAWH HMONG MARK CIM TAUM + {0x16B40, 0x16B43, prALetter}, // Lm [4] PAHAWH HMONG SIGN VOS SEEV..PAHAWH HMONG SIGN IB YAM + {0x16B50, 0x16B59, prNumeric}, // Nd [10] PAHAWH HMONG DIGIT ZERO..PAHAWH HMONG DIGIT NINE + {0x16B63, 0x16B77, prALetter}, // Lo [21] PAHAWH HMONG SIGN VOS LUB..PAHAWH HMONG SIGN CIM NRES TOS + {0x16B7D, 0x16B8F, prALetter}, // Lo [19] PAHAWH HMONG CLAN SIGN TSHEEJ..PAHAWH HMONG CLAN SIGN VWJ + {0x16E40, 0x16E7F, prALetter}, // L& [64] MEDEFAIDRIN CAPITAL LETTER M..MEDEFAIDRIN SMALL LETTER Y + {0x16F00, 0x16F4A, prALetter}, // Lo [75] MIAO LETTER PA..MIAO LETTER RTE + {0x16F4F, 0x16F4F, prExtend}, // Mn MIAO SIGN CONSONANT MODIFIER BAR + {0x16F50, 0x16F50, prALetter}, // Lo MIAO LETTER NASALIZATION + {0x16F51, 0x16F87, prExtend}, // Mc [55] MIAO SIGN ASPIRATION..MIAO VOWEL SIGN UI + {0x16F8F, 0x16F92, prExtend}, // Mn [4] MIAO TONE RIGHT..MIAO TONE BELOW + {0x16F93, 0x16F9F, prALetter}, // Lm [13] MIAO LETTER TONE-2..MIAO LETTER REFORMED TONE-8 + {0x16FE0, 0x16FE1, prALetter}, // Lm [2] TANGUT ITERATION MARK..NUSHU ITERATION MARK + {0x16FE3, 0x16FE3, prALetter}, // Lm OLD CHINESE ITERATION MARK + {0x16FE4, 0x16FE4, prExtend}, // Mn KHITAN SMALL SCRIPT FILLER + {0x16FF0, 0x16FF1, prExtend}, // Mc [2] VIETNAMESE ALTERNATE READING MARK CA..VIETNAMESE ALTERNATE READING MARK NHAY + {0x1AFF0, 0x1AFF3, prKatakana}, // Lm [4] KATAKANA LETTER MINNAN TONE-2..KATAKANA LETTER MINNAN TONE-5 + {0x1AFF5, 0x1AFFB, prKatakana}, // Lm [7] KATAKANA LETTER MINNAN TONE-7..KATAKANA LETTER MINNAN NASALIZED TONE-5 + {0x1AFFD, 0x1AFFE, prKatakana}, // Lm [2] KATAKANA LETTER MINNAN NASALIZED TONE-7..KATAKANA LETTER MINNAN NASALIZED TONE-8 + {0x1B000, 0x1B000, prKatakana}, // Lo KATAKANA LETTER ARCHAIC E + {0x1B120, 0x1B122, prKatakana}, // Lo [3] KATAKANA LETTER ARCHAIC YI..KATAKANA LETTER ARCHAIC WU + {0x1B155, 0x1B155, prKatakana}, // Lo KATAKANA LETTER SMALL KO + {0x1B164, 0x1B167, prKatakana}, // Lo [4] KATAKANA LETTER SMALL WI..KATAKANA LETTER SMALL N + {0x1BC00, 0x1BC6A, prALetter}, // Lo [107] DUPLOYAN LETTER H..DUPLOYAN LETTER VOCALIC M + {0x1BC70, 0x1BC7C, prALetter}, // Lo [13] DUPLOYAN AFFIX LEFT HORIZONTAL SECANT..DUPLOYAN AFFIX ATTACHED TANGENT HOOK + {0x1BC80, 0x1BC88, prALetter}, // Lo [9] DUPLOYAN AFFIX HIGH ACUTE..DUPLOYAN AFFIX HIGH VERTICAL + {0x1BC90, 0x1BC99, prALetter}, // Lo [10] DUPLOYAN AFFIX LOW ACUTE..DUPLOYAN AFFIX LOW ARROW + {0x1BC9D, 0x1BC9E, prExtend}, // Mn [2] DUPLOYAN THICK LETTER SELECTOR..DUPLOYAN DOUBLE MARK + {0x1BCA0, 0x1BCA3, prFormat}, // Cf [4] SHORTHAND FORMAT LETTER OVERLAP..SHORTHAND FORMAT UP STEP + {0x1CF00, 0x1CF2D, prExtend}, // Mn [46] ZNAMENNY COMBINING MARK GORAZDO NIZKO S KRYZHEM ON LEFT..ZNAMENNY COMBINING MARK KRYZH ON LEFT + {0x1CF30, 0x1CF46, prExtend}, // Mn [23] ZNAMENNY COMBINING TONAL RANGE MARK MRACHNO..ZNAMENNY PRIZNAK MODIFIER ROG + {0x1D165, 0x1D166, prExtend}, // Mc [2] MUSICAL SYMBOL COMBINING STEM..MUSICAL SYMBOL COMBINING SPRECHGESANG STEM + {0x1D167, 0x1D169, prExtend}, // Mn [3] MUSICAL SYMBOL COMBINING TREMOLO-1..MUSICAL SYMBOL COMBINING TREMOLO-3 + {0x1D16D, 0x1D172, prExtend}, // Mc [6] MUSICAL SYMBOL COMBINING AUGMENTATION DOT..MUSICAL SYMBOL COMBINING FLAG-5 + {0x1D173, 0x1D17A, prFormat}, // Cf [8] MUSICAL SYMBOL BEGIN BEAM..MUSICAL SYMBOL END PHRASE + {0x1D17B, 0x1D182, prExtend}, // Mn [8] MUSICAL SYMBOL COMBINING ACCENT..MUSICAL SYMBOL COMBINING LOURE + {0x1D185, 0x1D18B, prExtend}, // Mn [7] MUSICAL SYMBOL COMBINING DOIT..MUSICAL SYMBOL COMBINING TRIPLE TONGUE + {0x1D1AA, 0x1D1AD, prExtend}, // Mn [4] MUSICAL SYMBOL COMBINING DOWN BOW..MUSICAL SYMBOL COMBINING SNAP PIZZICATO + {0x1D242, 0x1D244, prExtend}, // Mn [3] COMBINING GREEK MUSICAL TRISEME..COMBINING GREEK MUSICAL PENTASEME + {0x1D400, 0x1D454, prALetter}, // L& [85] MATHEMATICAL BOLD CAPITAL A..MATHEMATICAL ITALIC SMALL G + {0x1D456, 0x1D49C, prALetter}, // L& [71] MATHEMATICAL ITALIC SMALL I..MATHEMATICAL SCRIPT CAPITAL A + {0x1D49E, 0x1D49F, prALetter}, // L& [2] MATHEMATICAL SCRIPT CAPITAL C..MATHEMATICAL SCRIPT CAPITAL D + {0x1D4A2, 0x1D4A2, prALetter}, // L& MATHEMATICAL SCRIPT CAPITAL G + {0x1D4A5, 0x1D4A6, prALetter}, // L& [2] MATHEMATICAL SCRIPT CAPITAL J..MATHEMATICAL SCRIPT CAPITAL K + {0x1D4A9, 0x1D4AC, prALetter}, // L& [4] MATHEMATICAL SCRIPT CAPITAL N..MATHEMATICAL SCRIPT CAPITAL Q + {0x1D4AE, 0x1D4B9, prALetter}, // L& [12] MATHEMATICAL SCRIPT CAPITAL S..MATHEMATICAL SCRIPT SMALL D + {0x1D4BB, 0x1D4BB, prALetter}, // L& MATHEMATICAL SCRIPT SMALL F + {0x1D4BD, 0x1D4C3, prALetter}, // L& [7] MATHEMATICAL SCRIPT SMALL H..MATHEMATICAL SCRIPT SMALL N + {0x1D4C5, 0x1D505, prALetter}, // L& [65] MATHEMATICAL SCRIPT SMALL P..MATHEMATICAL FRAKTUR CAPITAL B + {0x1D507, 0x1D50A, prALetter}, // L& [4] MATHEMATICAL FRAKTUR CAPITAL D..MATHEMATICAL FRAKTUR CAPITAL G + {0x1D50D, 0x1D514, prALetter}, // L& [8] MATHEMATICAL FRAKTUR CAPITAL J..MATHEMATICAL FRAKTUR CAPITAL Q + {0x1D516, 0x1D51C, prALetter}, // L& [7] MATHEMATICAL FRAKTUR CAPITAL S..MATHEMATICAL FRAKTUR CAPITAL Y + {0x1D51E, 0x1D539, prALetter}, // L& [28] MATHEMATICAL FRAKTUR SMALL A..MATHEMATICAL DOUBLE-STRUCK CAPITAL B + {0x1D53B, 0x1D53E, prALetter}, // L& [4] MATHEMATICAL DOUBLE-STRUCK CAPITAL D..MATHEMATICAL DOUBLE-STRUCK CAPITAL G + {0x1D540, 0x1D544, prALetter}, // L& [5] MATHEMATICAL DOUBLE-STRUCK CAPITAL I..MATHEMATICAL DOUBLE-STRUCK CAPITAL M + {0x1D546, 0x1D546, prALetter}, // L& MATHEMATICAL DOUBLE-STRUCK CAPITAL O + {0x1D54A, 0x1D550, prALetter}, // L& [7] MATHEMATICAL DOUBLE-STRUCK CAPITAL S..MATHEMATICAL DOUBLE-STRUCK CAPITAL Y + {0x1D552, 0x1D6A5, prALetter}, // L& [340] MATHEMATICAL DOUBLE-STRUCK SMALL A..MATHEMATICAL ITALIC SMALL DOTLESS J + {0x1D6A8, 0x1D6C0, prALetter}, // L& [25] MATHEMATICAL BOLD CAPITAL ALPHA..MATHEMATICAL BOLD CAPITAL OMEGA + {0x1D6C2, 0x1D6DA, prALetter}, // L& [25] MATHEMATICAL BOLD SMALL ALPHA..MATHEMATICAL BOLD SMALL OMEGA + {0x1D6DC, 0x1D6FA, prALetter}, // L& [31] MATHEMATICAL BOLD EPSILON SYMBOL..MATHEMATICAL ITALIC CAPITAL OMEGA + {0x1D6FC, 0x1D714, prALetter}, // L& [25] MATHEMATICAL ITALIC SMALL ALPHA..MATHEMATICAL ITALIC SMALL OMEGA + {0x1D716, 0x1D734, prALetter}, // L& [31] MATHEMATICAL ITALIC EPSILON SYMBOL..MATHEMATICAL BOLD ITALIC CAPITAL OMEGA + {0x1D736, 0x1D74E, prALetter}, // L& [25] MATHEMATICAL BOLD ITALIC SMALL ALPHA..MATHEMATICAL BOLD ITALIC SMALL OMEGA + {0x1D750, 0x1D76E, prALetter}, // L& [31] MATHEMATICAL BOLD ITALIC EPSILON SYMBOL..MATHEMATICAL SANS-SERIF BOLD CAPITAL OMEGA + {0x1D770, 0x1D788, prALetter}, // L& [25] MATHEMATICAL SANS-SERIF BOLD SMALL ALPHA..MATHEMATICAL SANS-SERIF BOLD SMALL OMEGA + {0x1D78A, 0x1D7A8, prALetter}, // L& [31] MATHEMATICAL SANS-SERIF BOLD EPSILON SYMBOL..MATHEMATICAL SANS-SERIF BOLD ITALIC CAPITAL OMEGA + {0x1D7AA, 0x1D7C2, prALetter}, // L& [25] MATHEMATICAL SANS-SERIF BOLD ITALIC SMALL ALPHA..MATHEMATICAL SANS-SERIF BOLD ITALIC SMALL OMEGA + {0x1D7C4, 0x1D7CB, prALetter}, // L& [8] MATHEMATICAL SANS-SERIF BOLD ITALIC EPSILON SYMBOL..MATHEMATICAL BOLD SMALL DIGAMMA + {0x1D7CE, 0x1D7FF, prNumeric}, // Nd [50] MATHEMATICAL BOLD DIGIT ZERO..MATHEMATICAL MONOSPACE DIGIT NINE + {0x1DA00, 0x1DA36, prExtend}, // Mn [55] SIGNWRITING HEAD RIM..SIGNWRITING AIR SUCKING IN + {0x1DA3B, 0x1DA6C, prExtend}, // Mn [50] SIGNWRITING MOUTH CLOSED NEUTRAL..SIGNWRITING EXCITEMENT + {0x1DA75, 0x1DA75, prExtend}, // Mn SIGNWRITING UPPER BODY TILTING FROM HIP JOINTS + {0x1DA84, 0x1DA84, prExtend}, // Mn SIGNWRITING LOCATION HEAD NECK + {0x1DA9B, 0x1DA9F, prExtend}, // Mn [5] SIGNWRITING FILL MODIFIER-2..SIGNWRITING FILL MODIFIER-6 + {0x1DAA1, 0x1DAAF, prExtend}, // Mn [15] SIGNWRITING ROTATION MODIFIER-2..SIGNWRITING ROTATION MODIFIER-16 + {0x1DF00, 0x1DF09, prALetter}, // L& [10] LATIN SMALL LETTER FENG DIGRAPH WITH TRILL..LATIN SMALL LETTER T WITH HOOK AND RETROFLEX HOOK + {0x1DF0A, 0x1DF0A, prALetter}, // Lo LATIN LETTER RETROFLEX CLICK WITH RETROFLEX HOOK + {0x1DF0B, 0x1DF1E, prALetter}, // L& [20] LATIN SMALL LETTER ESH WITH DOUBLE BAR..LATIN SMALL LETTER S WITH CURL + {0x1DF25, 0x1DF2A, prALetter}, // L& [6] LATIN SMALL LETTER D WITH MID-HEIGHT LEFT HOOK..LATIN SMALL LETTER T WITH MID-HEIGHT LEFT HOOK + {0x1E000, 0x1E006, prExtend}, // Mn [7] COMBINING GLAGOLITIC LETTER AZU..COMBINING GLAGOLITIC LETTER ZHIVETE + {0x1E008, 0x1E018, prExtend}, // Mn [17] COMBINING GLAGOLITIC LETTER ZEMLJA..COMBINING GLAGOLITIC LETTER HERU + {0x1E01B, 0x1E021, prExtend}, // Mn [7] COMBINING GLAGOLITIC LETTER SHTA..COMBINING GLAGOLITIC LETTER YATI + {0x1E023, 0x1E024, prExtend}, // Mn [2] COMBINING GLAGOLITIC LETTER YU..COMBINING GLAGOLITIC LETTER SMALL YUS + {0x1E026, 0x1E02A, prExtend}, // Mn [5] COMBINING GLAGOLITIC LETTER YO..COMBINING GLAGOLITIC LETTER FITA + {0x1E030, 0x1E06D, prALetter}, // Lm [62] MODIFIER LETTER CYRILLIC SMALL A..MODIFIER LETTER CYRILLIC SMALL STRAIGHT U WITH STROKE + {0x1E08F, 0x1E08F, prExtend}, // Mn COMBINING CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I + {0x1E100, 0x1E12C, prALetter}, // Lo [45] NYIAKENG PUACHUE HMONG LETTER MA..NYIAKENG PUACHUE HMONG LETTER W + {0x1E130, 0x1E136, prExtend}, // Mn [7] NYIAKENG PUACHUE HMONG TONE-B..NYIAKENG PUACHUE HMONG TONE-D + {0x1E137, 0x1E13D, prALetter}, // Lm [7] NYIAKENG PUACHUE HMONG SIGN FOR PERSON..NYIAKENG PUACHUE HMONG SYLLABLE LENGTHENER + {0x1E140, 0x1E149, prNumeric}, // Nd [10] NYIAKENG PUACHUE HMONG DIGIT ZERO..NYIAKENG PUACHUE HMONG DIGIT NINE + {0x1E14E, 0x1E14E, prALetter}, // Lo NYIAKENG PUACHUE HMONG LOGOGRAM NYAJ + {0x1E290, 0x1E2AD, prALetter}, // Lo [30] TOTO LETTER PA..TOTO LETTER A + {0x1E2AE, 0x1E2AE, prExtend}, // Mn TOTO SIGN RISING TONE + {0x1E2C0, 0x1E2EB, prALetter}, // Lo [44] WANCHO LETTER AA..WANCHO LETTER YIH + {0x1E2EC, 0x1E2EF, prExtend}, // Mn [4] WANCHO TONE TUP..WANCHO TONE KOINI + {0x1E2F0, 0x1E2F9, prNumeric}, // Nd [10] WANCHO DIGIT ZERO..WANCHO DIGIT NINE + {0x1E4D0, 0x1E4EA, prALetter}, // Lo [27] NAG MUNDARI LETTER O..NAG MUNDARI LETTER ELL + {0x1E4EB, 0x1E4EB, prALetter}, // Lm NAG MUNDARI SIGN OJOD + {0x1E4EC, 0x1E4EF, prExtend}, // Mn [4] NAG MUNDARI SIGN MUHOR..NAG MUNDARI SIGN SUTUH + {0x1E4F0, 0x1E4F9, prNumeric}, // Nd [10] NAG MUNDARI DIGIT ZERO..NAG MUNDARI DIGIT NINE + {0x1E7E0, 0x1E7E6, prALetter}, // Lo [7] ETHIOPIC SYLLABLE HHYA..ETHIOPIC SYLLABLE HHYO + {0x1E7E8, 0x1E7EB, prALetter}, // Lo [4] ETHIOPIC SYLLABLE GURAGE HHWA..ETHIOPIC SYLLABLE HHWE + {0x1E7ED, 0x1E7EE, prALetter}, // Lo [2] ETHIOPIC SYLLABLE GURAGE MWI..ETHIOPIC SYLLABLE GURAGE MWEE + {0x1E7F0, 0x1E7FE, prALetter}, // Lo [15] ETHIOPIC SYLLABLE GURAGE QWI..ETHIOPIC SYLLABLE GURAGE PWEE + {0x1E800, 0x1E8C4, prALetter}, // Lo [197] MENDE KIKAKUI SYLLABLE M001 KI..MENDE KIKAKUI SYLLABLE M060 NYON + {0x1E8D0, 0x1E8D6, prExtend}, // Mn [7] MENDE KIKAKUI COMBINING NUMBER TEENS..MENDE KIKAKUI COMBINING NUMBER MILLIONS + {0x1E900, 0x1E943, prALetter}, // L& [68] ADLAM CAPITAL LETTER ALIF..ADLAM SMALL LETTER SHA + {0x1E944, 0x1E94A, prExtend}, // Mn [7] ADLAM ALIF LENGTHENER..ADLAM NUKTA + {0x1E94B, 0x1E94B, prALetter}, // Lm ADLAM NASALIZATION MARK + {0x1E950, 0x1E959, prNumeric}, // Nd [10] ADLAM DIGIT ZERO..ADLAM DIGIT NINE + {0x1EE00, 0x1EE03, prALetter}, // Lo [4] ARABIC MATHEMATICAL ALEF..ARABIC MATHEMATICAL DAL + {0x1EE05, 0x1EE1F, prALetter}, // Lo [27] ARABIC MATHEMATICAL WAW..ARABIC MATHEMATICAL DOTLESS QAF + {0x1EE21, 0x1EE22, prALetter}, // Lo [2] ARABIC MATHEMATICAL INITIAL BEH..ARABIC MATHEMATICAL INITIAL JEEM + {0x1EE24, 0x1EE24, prALetter}, // Lo ARABIC MATHEMATICAL INITIAL HEH + {0x1EE27, 0x1EE27, prALetter}, // Lo ARABIC MATHEMATICAL INITIAL HAH + {0x1EE29, 0x1EE32, prALetter}, // Lo [10] ARABIC MATHEMATICAL INITIAL YEH..ARABIC MATHEMATICAL INITIAL QAF + {0x1EE34, 0x1EE37, prALetter}, // Lo [4] ARABIC MATHEMATICAL INITIAL SHEEN..ARABIC MATHEMATICAL INITIAL KHAH + {0x1EE39, 0x1EE39, prALetter}, // Lo ARABIC MATHEMATICAL INITIAL DAD + {0x1EE3B, 0x1EE3B, prALetter}, // Lo ARABIC MATHEMATICAL INITIAL GHAIN + {0x1EE42, 0x1EE42, prALetter}, // Lo ARABIC MATHEMATICAL TAILED JEEM + {0x1EE47, 0x1EE47, prALetter}, // Lo ARABIC MATHEMATICAL TAILED HAH + {0x1EE49, 0x1EE49, prALetter}, // Lo ARABIC MATHEMATICAL TAILED YEH + {0x1EE4B, 0x1EE4B, prALetter}, // Lo ARABIC MATHEMATICAL TAILED LAM + {0x1EE4D, 0x1EE4F, prALetter}, // Lo [3] ARABIC MATHEMATICAL TAILED NOON..ARABIC MATHEMATICAL TAILED AIN + {0x1EE51, 0x1EE52, prALetter}, // Lo [2] ARABIC MATHEMATICAL TAILED SAD..ARABIC MATHEMATICAL TAILED QAF + {0x1EE54, 0x1EE54, prALetter}, // Lo ARABIC MATHEMATICAL TAILED SHEEN + {0x1EE57, 0x1EE57, prALetter}, // Lo ARABIC MATHEMATICAL TAILED KHAH + {0x1EE59, 0x1EE59, prALetter}, // Lo ARABIC MATHEMATICAL TAILED DAD + {0x1EE5B, 0x1EE5B, prALetter}, // Lo ARABIC MATHEMATICAL TAILED GHAIN + {0x1EE5D, 0x1EE5D, prALetter}, // Lo ARABIC MATHEMATICAL TAILED DOTLESS NOON + {0x1EE5F, 0x1EE5F, prALetter}, // Lo ARABIC MATHEMATICAL TAILED DOTLESS QAF + {0x1EE61, 0x1EE62, prALetter}, // Lo [2] ARABIC MATHEMATICAL STRETCHED BEH..ARABIC MATHEMATICAL STRETCHED JEEM + {0x1EE64, 0x1EE64, prALetter}, // Lo ARABIC MATHEMATICAL STRETCHED HEH + {0x1EE67, 0x1EE6A, prALetter}, // Lo [4] ARABIC MATHEMATICAL STRETCHED HAH..ARABIC MATHEMATICAL STRETCHED KAF + {0x1EE6C, 0x1EE72, prALetter}, // Lo [7] ARABIC MATHEMATICAL STRETCHED MEEM..ARABIC MATHEMATICAL STRETCHED QAF + {0x1EE74, 0x1EE77, prALetter}, // Lo [4] ARABIC MATHEMATICAL STRETCHED SHEEN..ARABIC MATHEMATICAL STRETCHED KHAH + {0x1EE79, 0x1EE7C, prALetter}, // Lo [4] ARABIC MATHEMATICAL STRETCHED DAD..ARABIC MATHEMATICAL STRETCHED DOTLESS BEH + {0x1EE7E, 0x1EE7E, prALetter}, // Lo ARABIC MATHEMATICAL STRETCHED DOTLESS FEH + {0x1EE80, 0x1EE89, prALetter}, // Lo [10] ARABIC MATHEMATICAL LOOPED ALEF..ARABIC MATHEMATICAL LOOPED YEH + {0x1EE8B, 0x1EE9B, prALetter}, // Lo [17] ARABIC MATHEMATICAL LOOPED LAM..ARABIC MATHEMATICAL LOOPED GHAIN + {0x1EEA1, 0x1EEA3, prALetter}, // Lo [3] ARABIC MATHEMATICAL DOUBLE-STRUCK BEH..ARABIC MATHEMATICAL DOUBLE-STRUCK DAL + {0x1EEA5, 0x1EEA9, prALetter}, // Lo [5] ARABIC MATHEMATICAL DOUBLE-STRUCK WAW..ARABIC MATHEMATICAL DOUBLE-STRUCK YEH + {0x1EEAB, 0x1EEBB, prALetter}, // Lo [17] ARABIC MATHEMATICAL DOUBLE-STRUCK LAM..ARABIC MATHEMATICAL DOUBLE-STRUCK GHAIN + {0x1F000, 0x1F003, prExtendedPictographic}, // E0.0 [4] (🀀..🀃) MAHJONG TILE EAST WIND..MAHJONG TILE NORTH WIND + {0x1F004, 0x1F004, prExtendedPictographic}, // E0.6 [1] (🀄) mahjong red dragon + {0x1F005, 0x1F0CE, prExtendedPictographic}, // E0.0 [202] (🀅..🃎) MAHJONG TILE GREEN DRAGON..PLAYING CARD KING OF DIAMONDS + {0x1F0CF, 0x1F0CF, prExtendedPictographic}, // E0.6 [1] (ðŸƒ) joker + {0x1F0D0, 0x1F0FF, prExtendedPictographic}, // E0.0 [48] (ðŸƒ..🃿) .. + {0x1F10D, 0x1F10F, prExtendedPictographic}, // E0.0 [3] (ðŸ„..ðŸ„) CIRCLED ZERO WITH SLASH..CIRCLED DOLLAR SIGN WITH OVERLAID BACKSLASH + {0x1F12F, 0x1F12F, prExtendedPictographic}, // E0.0 [1] (🄯) COPYLEFT SYMBOL + {0x1F130, 0x1F149, prALetter}, // So [26] SQUARED LATIN CAPITAL LETTER A..SQUARED LATIN CAPITAL LETTER Z + {0x1F150, 0x1F169, prALetter}, // So [26] NEGATIVE CIRCLED LATIN CAPITAL LETTER A..NEGATIVE CIRCLED LATIN CAPITAL LETTER Z + {0x1F16C, 0x1F16F, prExtendedPictographic}, // E0.0 [4] (🅬..🅯) RAISED MR SIGN..CIRCLED HUMAN FIGURE + {0x1F170, 0x1F189, prALetter}, // So [26] NEGATIVE SQUARED LATIN CAPITAL LETTER A..NEGATIVE SQUARED LATIN CAPITAL LETTER Z + {0x1F170, 0x1F171, prExtendedPictographic}, // E0.6 [2] (🅰ï¸..🅱ï¸) A button (blood type)..B button (blood type) + {0x1F17E, 0x1F17F, prExtendedPictographic}, // E0.6 [2] (🅾ï¸..🅿ï¸) O button (blood type)..P button + {0x1F18E, 0x1F18E, prExtendedPictographic}, // E0.6 [1] (🆎) AB button (blood type) + {0x1F191, 0x1F19A, prExtendedPictographic}, // E0.6 [10] (🆑..🆚) CL button..VS button + {0x1F1AD, 0x1F1E5, prExtendedPictographic}, // E0.0 [57] (🆭..🇥) MASK WORK SYMBOL.. + {0x1F1E6, 0x1F1FF, prRegionalIndicator}, // So [26] REGIONAL INDICATOR SYMBOL LETTER A..REGIONAL INDICATOR SYMBOL LETTER Z + {0x1F201, 0x1F202, prExtendedPictographic}, // E0.6 [2] (ðŸˆ..🈂ï¸) Japanese “here†button..Japanese “service charge†button + {0x1F203, 0x1F20F, prExtendedPictographic}, // E0.0 [13] (🈃..ðŸˆ) .. + {0x1F21A, 0x1F21A, prExtendedPictographic}, // E0.6 [1] (🈚) Japanese “free of charge†button + {0x1F22F, 0x1F22F, prExtendedPictographic}, // E0.6 [1] (🈯) Japanese “reserved†button + {0x1F232, 0x1F23A, prExtendedPictographic}, // E0.6 [9] (🈲..🈺) Japanese “prohibited†button..Japanese “open for business†button + {0x1F23C, 0x1F23F, prExtendedPictographic}, // E0.0 [4] (🈼..🈿) .. + {0x1F249, 0x1F24F, prExtendedPictographic}, // E0.0 [7] (🉉..ðŸ‰) .. + {0x1F250, 0x1F251, prExtendedPictographic}, // E0.6 [2] (ðŸ‰..🉑) Japanese “bargain†button..Japanese “acceptable†button + {0x1F252, 0x1F2FF, prExtendedPictographic}, // E0.0 [174] (🉒..🋿) .. + {0x1F300, 0x1F30C, prExtendedPictographic}, // E0.6 [13] (🌀..🌌) cyclone..milky way + {0x1F30D, 0x1F30E, prExtendedPictographic}, // E0.7 [2] (ðŸŒ..🌎) globe showing Europe-Africa..globe showing Americas + {0x1F30F, 0x1F30F, prExtendedPictographic}, // E0.6 [1] (ðŸŒ) globe showing Asia-Australia + {0x1F310, 0x1F310, prExtendedPictographic}, // E1.0 [1] (ðŸŒ) globe with meridians + {0x1F311, 0x1F311, prExtendedPictographic}, // E0.6 [1] (🌑) new moon + {0x1F312, 0x1F312, prExtendedPictographic}, // E1.0 [1] (🌒) waxing crescent moon + {0x1F313, 0x1F315, prExtendedPictographic}, // E0.6 [3] (🌓..🌕) first quarter moon..full moon + {0x1F316, 0x1F318, prExtendedPictographic}, // E1.0 [3] (🌖..🌘) waning gibbous moon..waning crescent moon + {0x1F319, 0x1F319, prExtendedPictographic}, // E0.6 [1] (🌙) crescent moon + {0x1F31A, 0x1F31A, prExtendedPictographic}, // E1.0 [1] (🌚) new moon face + {0x1F31B, 0x1F31B, prExtendedPictographic}, // E0.6 [1] (🌛) first quarter moon face + {0x1F31C, 0x1F31C, prExtendedPictographic}, // E0.7 [1] (🌜) last quarter moon face + {0x1F31D, 0x1F31E, prExtendedPictographic}, // E1.0 [2] (ðŸŒ..🌞) full moon face..sun with face + {0x1F31F, 0x1F320, prExtendedPictographic}, // E0.6 [2] (🌟..🌠) glowing star..shooting star + {0x1F321, 0x1F321, prExtendedPictographic}, // E0.7 [1] (🌡ï¸) thermometer + {0x1F322, 0x1F323, prExtendedPictographic}, // E0.0 [2] (🌢..🌣) BLACK DROPLET..WHITE SUN + {0x1F324, 0x1F32C, prExtendedPictographic}, // E0.7 [9] (🌤ï¸..🌬ï¸) sun behind small cloud..wind face + {0x1F32D, 0x1F32F, prExtendedPictographic}, // E1.0 [3] (🌭..🌯) hot dog..burrito + {0x1F330, 0x1F331, prExtendedPictographic}, // E0.6 [2] (🌰..🌱) chestnut..seedling + {0x1F332, 0x1F333, prExtendedPictographic}, // E1.0 [2] (🌲..🌳) evergreen tree..deciduous tree + {0x1F334, 0x1F335, prExtendedPictographic}, // E0.6 [2] (🌴..🌵) palm tree..cactus + {0x1F336, 0x1F336, prExtendedPictographic}, // E0.7 [1] (🌶ï¸) hot pepper + {0x1F337, 0x1F34A, prExtendedPictographic}, // E0.6 [20] (🌷..ðŸŠ) tulip..tangerine + {0x1F34B, 0x1F34B, prExtendedPictographic}, // E1.0 [1] (ðŸ‹) lemon + {0x1F34C, 0x1F34F, prExtendedPictographic}, // E0.6 [4] (ðŸŒ..ðŸ) banana..green apple + {0x1F350, 0x1F350, prExtendedPictographic}, // E1.0 [1] (ðŸ) pear + {0x1F351, 0x1F37B, prExtendedPictographic}, // E0.6 [43] (ðŸ‘..ðŸ») peach..clinking beer mugs + {0x1F37C, 0x1F37C, prExtendedPictographic}, // E1.0 [1] (ðŸ¼) baby bottle + {0x1F37D, 0x1F37D, prExtendedPictographic}, // E0.7 [1] (ðŸ½ï¸) fork and knife with plate + {0x1F37E, 0x1F37F, prExtendedPictographic}, // E1.0 [2] (ðŸ¾..ðŸ¿) bottle with popping cork..popcorn + {0x1F380, 0x1F393, prExtendedPictographic}, // E0.6 [20] (🎀..🎓) ribbon..graduation cap + {0x1F394, 0x1F395, prExtendedPictographic}, // E0.0 [2] (🎔..🎕) HEART WITH TIP ON THE LEFT..BOUQUET OF FLOWERS + {0x1F396, 0x1F397, prExtendedPictographic}, // E0.7 [2] (🎖ï¸..🎗ï¸) military medal..reminder ribbon + {0x1F398, 0x1F398, prExtendedPictographic}, // E0.0 [1] (🎘) MUSICAL KEYBOARD WITH JACKS + {0x1F399, 0x1F39B, prExtendedPictographic}, // E0.7 [3] (🎙ï¸..🎛ï¸) studio microphone..control knobs + {0x1F39C, 0x1F39D, prExtendedPictographic}, // E0.0 [2] (🎜..ðŸŽ) BEAMED ASCENDING MUSICAL NOTES..BEAMED DESCENDING MUSICAL NOTES + {0x1F39E, 0x1F39F, prExtendedPictographic}, // E0.7 [2] (🎞ï¸..🎟ï¸) film frames..admission tickets + {0x1F3A0, 0x1F3C4, prExtendedPictographic}, // E0.6 [37] (🎠..ðŸ„) carousel horse..person surfing + {0x1F3C5, 0x1F3C5, prExtendedPictographic}, // E1.0 [1] (ðŸ…) sports medal + {0x1F3C6, 0x1F3C6, prExtendedPictographic}, // E0.6 [1] (ðŸ†) trophy + {0x1F3C7, 0x1F3C7, prExtendedPictographic}, // E1.0 [1] (ðŸ‡) horse racing + {0x1F3C8, 0x1F3C8, prExtendedPictographic}, // E0.6 [1] (ðŸˆ) american football + {0x1F3C9, 0x1F3C9, prExtendedPictographic}, // E1.0 [1] (ðŸ‰) rugby football + {0x1F3CA, 0x1F3CA, prExtendedPictographic}, // E0.6 [1] (ðŸŠ) person swimming + {0x1F3CB, 0x1F3CE, prExtendedPictographic}, // E0.7 [4] (ðŸ‹ï¸..ðŸŽï¸) person lifting weights..racing car + {0x1F3CF, 0x1F3D3, prExtendedPictographic}, // E1.0 [5] (ðŸ..ðŸ“) cricket game..ping pong + {0x1F3D4, 0x1F3DF, prExtendedPictographic}, // E0.7 [12] (ðŸ”ï¸..ðŸŸï¸) snow-capped mountain..stadium + {0x1F3E0, 0x1F3E3, prExtendedPictographic}, // E0.6 [4] (ðŸ ..ðŸ£) house..Japanese post office + {0x1F3E4, 0x1F3E4, prExtendedPictographic}, // E1.0 [1] (ðŸ¤) post office + {0x1F3E5, 0x1F3F0, prExtendedPictographic}, // E0.6 [12] (ðŸ¥..ðŸ°) hospital..castle + {0x1F3F1, 0x1F3F2, prExtendedPictographic}, // E0.0 [2] (ðŸ±..ðŸ²) WHITE PENNANT..BLACK PENNANT + {0x1F3F3, 0x1F3F3, prExtendedPictographic}, // E0.7 [1] (ðŸ³ï¸) white flag + {0x1F3F4, 0x1F3F4, prExtendedPictographic}, // E1.0 [1] (ðŸ´) black flag + {0x1F3F5, 0x1F3F5, prExtendedPictographic}, // E0.7 [1] (ðŸµï¸) rosette + {0x1F3F6, 0x1F3F6, prExtendedPictographic}, // E0.0 [1] (ðŸ¶) BLACK ROSETTE + {0x1F3F7, 0x1F3F7, prExtendedPictographic}, // E0.7 [1] (ðŸ·ï¸) label + {0x1F3F8, 0x1F3FA, prExtendedPictographic}, // E1.0 [3] (ðŸ¸..ðŸº) badminton..amphora + {0x1F3FB, 0x1F3FF, prExtend}, // Sk [5] EMOJI MODIFIER FITZPATRICK TYPE-1-2..EMOJI MODIFIER FITZPATRICK TYPE-6 + {0x1F400, 0x1F407, prExtendedPictographic}, // E1.0 [8] (ðŸ€..ðŸ‡) rat..rabbit + {0x1F408, 0x1F408, prExtendedPictographic}, // E0.7 [1] (ðŸˆ) cat + {0x1F409, 0x1F40B, prExtendedPictographic}, // E1.0 [3] (ðŸ‰..ðŸ‹) dragon..whale + {0x1F40C, 0x1F40E, prExtendedPictographic}, // E0.6 [3] (ðŸŒ..ðŸŽ) snail..horse + {0x1F40F, 0x1F410, prExtendedPictographic}, // E1.0 [2] (ðŸ..ðŸ) ram..goat + {0x1F411, 0x1F412, prExtendedPictographic}, // E0.6 [2] (ðŸ‘..ðŸ’) ewe..monkey + {0x1F413, 0x1F413, prExtendedPictographic}, // E1.0 [1] (ðŸ“) rooster + {0x1F414, 0x1F414, prExtendedPictographic}, // E0.6 [1] (ðŸ”) chicken + {0x1F415, 0x1F415, prExtendedPictographic}, // E0.7 [1] (ðŸ•) dog + {0x1F416, 0x1F416, prExtendedPictographic}, // E1.0 [1] (ðŸ–) pig + {0x1F417, 0x1F429, prExtendedPictographic}, // E0.6 [19] (ðŸ—..ðŸ©) boar..poodle + {0x1F42A, 0x1F42A, prExtendedPictographic}, // E1.0 [1] (ðŸª) camel + {0x1F42B, 0x1F43E, prExtendedPictographic}, // E0.6 [20] (ðŸ«..ðŸ¾) two-hump camel..paw prints + {0x1F43F, 0x1F43F, prExtendedPictographic}, // E0.7 [1] (ðŸ¿ï¸) chipmunk + {0x1F440, 0x1F440, prExtendedPictographic}, // E0.6 [1] (👀) eyes + {0x1F441, 0x1F441, prExtendedPictographic}, // E0.7 [1] (ðŸ‘ï¸) eye + {0x1F442, 0x1F464, prExtendedPictographic}, // E0.6 [35] (👂..👤) ear..bust in silhouette + {0x1F465, 0x1F465, prExtendedPictographic}, // E1.0 [1] (👥) busts in silhouette + {0x1F466, 0x1F46B, prExtendedPictographic}, // E0.6 [6] (👦..👫) boy..woman and man holding hands + {0x1F46C, 0x1F46D, prExtendedPictographic}, // E1.0 [2] (👬..👭) men holding hands..women holding hands + {0x1F46E, 0x1F4AC, prExtendedPictographic}, // E0.6 [63] (👮..💬) police officer..speech balloon + {0x1F4AD, 0x1F4AD, prExtendedPictographic}, // E1.0 [1] (💭) thought balloon + {0x1F4AE, 0x1F4B5, prExtendedPictographic}, // E0.6 [8] (💮..💵) white flower..dollar banknote + {0x1F4B6, 0x1F4B7, prExtendedPictographic}, // E1.0 [2] (💶..💷) euro banknote..pound banknote + {0x1F4B8, 0x1F4EB, prExtendedPictographic}, // E0.6 [52] (💸..📫) money with wings..closed mailbox with raised flag + {0x1F4EC, 0x1F4ED, prExtendedPictographic}, // E0.7 [2] (📬..📭) open mailbox with raised flag..open mailbox with lowered flag + {0x1F4EE, 0x1F4EE, prExtendedPictographic}, // E0.6 [1] (📮) postbox + {0x1F4EF, 0x1F4EF, prExtendedPictographic}, // E1.0 [1] (📯) postal horn + {0x1F4F0, 0x1F4F4, prExtendedPictographic}, // E0.6 [5] (📰..📴) newspaper..mobile phone off + {0x1F4F5, 0x1F4F5, prExtendedPictographic}, // E1.0 [1] (📵) no mobile phones + {0x1F4F6, 0x1F4F7, prExtendedPictographic}, // E0.6 [2] (📶..📷) antenna bars..camera + {0x1F4F8, 0x1F4F8, prExtendedPictographic}, // E1.0 [1] (📸) camera with flash + {0x1F4F9, 0x1F4FC, prExtendedPictographic}, // E0.6 [4] (📹..📼) video camera..videocassette + {0x1F4FD, 0x1F4FD, prExtendedPictographic}, // E0.7 [1] (📽ï¸) film projector + {0x1F4FE, 0x1F4FE, prExtendedPictographic}, // E0.0 [1] (📾) PORTABLE STEREO + {0x1F4FF, 0x1F502, prExtendedPictographic}, // E1.0 [4] (📿..🔂) prayer beads..repeat single button + {0x1F503, 0x1F503, prExtendedPictographic}, // E0.6 [1] (🔃) clockwise vertical arrows + {0x1F504, 0x1F507, prExtendedPictographic}, // E1.0 [4] (🔄..🔇) counterclockwise arrows button..muted speaker + {0x1F508, 0x1F508, prExtendedPictographic}, // E0.7 [1] (🔈) speaker low volume + {0x1F509, 0x1F509, prExtendedPictographic}, // E1.0 [1] (🔉) speaker medium volume + {0x1F50A, 0x1F514, prExtendedPictographic}, // E0.6 [11] (🔊..🔔) speaker high volume..bell + {0x1F515, 0x1F515, prExtendedPictographic}, // E1.0 [1] (🔕) bell with slash + {0x1F516, 0x1F52B, prExtendedPictographic}, // E0.6 [22] (🔖..🔫) bookmark..water pistol + {0x1F52C, 0x1F52D, prExtendedPictographic}, // E1.0 [2] (🔬..🔭) microscope..telescope + {0x1F52E, 0x1F53D, prExtendedPictographic}, // E0.6 [16] (🔮..🔽) crystal ball..downwards button + {0x1F546, 0x1F548, prExtendedPictographic}, // E0.0 [3] (🕆..🕈) WHITE LATIN CROSS..CELTIC CROSS + {0x1F549, 0x1F54A, prExtendedPictographic}, // E0.7 [2] (🕉ï¸..🕊ï¸) om..dove + {0x1F54B, 0x1F54E, prExtendedPictographic}, // E1.0 [4] (🕋..🕎) kaaba..menorah + {0x1F54F, 0x1F54F, prExtendedPictographic}, // E0.0 [1] (ðŸ•) BOWL OF HYGIEIA + {0x1F550, 0x1F55B, prExtendedPictographic}, // E0.6 [12] (ðŸ•..🕛) one o’clock..twelve o’clock + {0x1F55C, 0x1F567, prExtendedPictographic}, // E0.7 [12] (🕜..🕧) one-thirty..twelve-thirty + {0x1F568, 0x1F56E, prExtendedPictographic}, // E0.0 [7] (🕨..🕮) RIGHT SPEAKER..BOOK + {0x1F56F, 0x1F570, prExtendedPictographic}, // E0.7 [2] (🕯ï¸..🕰ï¸) candle..mantelpiece clock + {0x1F571, 0x1F572, prExtendedPictographic}, // E0.0 [2] (🕱..🕲) BLACK SKULL AND CROSSBONES..NO PIRACY + {0x1F573, 0x1F579, prExtendedPictographic}, // E0.7 [7] (🕳ï¸..🕹ï¸) hole..joystick + {0x1F57A, 0x1F57A, prExtendedPictographic}, // E3.0 [1] (🕺) man dancing + {0x1F57B, 0x1F586, prExtendedPictographic}, // E0.0 [12] (🕻..🖆) LEFT HAND TELEPHONE RECEIVER..PEN OVER STAMPED ENVELOPE + {0x1F587, 0x1F587, prExtendedPictographic}, // E0.7 [1] (🖇ï¸) linked paperclips + {0x1F588, 0x1F589, prExtendedPictographic}, // E0.0 [2] (🖈..🖉) BLACK PUSHPIN..LOWER LEFT PENCIL + {0x1F58A, 0x1F58D, prExtendedPictographic}, // E0.7 [4] (🖊ï¸..ðŸ–ï¸) pen..crayon + {0x1F58E, 0x1F58F, prExtendedPictographic}, // E0.0 [2] (🖎..ðŸ–) LEFT WRITING HAND..TURNED OK HAND SIGN + {0x1F590, 0x1F590, prExtendedPictographic}, // E0.7 [1] (ðŸ–ï¸) hand with fingers splayed + {0x1F591, 0x1F594, prExtendedPictographic}, // E0.0 [4] (🖑..🖔) REVERSED RAISED HAND WITH FINGERS SPLAYED..REVERSED VICTORY HAND + {0x1F595, 0x1F596, prExtendedPictographic}, // E1.0 [2] (🖕..🖖) middle finger..vulcan salute + {0x1F597, 0x1F5A3, prExtendedPictographic}, // E0.0 [13] (🖗..🖣) WHITE DOWN POINTING LEFT HAND INDEX..BLACK DOWN POINTING BACKHAND INDEX + {0x1F5A4, 0x1F5A4, prExtendedPictographic}, // E3.0 [1] (🖤) black heart + {0x1F5A5, 0x1F5A5, prExtendedPictographic}, // E0.7 [1] (🖥ï¸) desktop computer + {0x1F5A6, 0x1F5A7, prExtendedPictographic}, // E0.0 [2] (🖦..🖧) KEYBOARD AND MOUSE..THREE NETWORKED COMPUTERS + {0x1F5A8, 0x1F5A8, prExtendedPictographic}, // E0.7 [1] (🖨ï¸) printer + {0x1F5A9, 0x1F5B0, prExtendedPictographic}, // E0.0 [8] (🖩..🖰) POCKET CALCULATOR..TWO BUTTON MOUSE + {0x1F5B1, 0x1F5B2, prExtendedPictographic}, // E0.7 [2] (🖱ï¸..🖲ï¸) computer mouse..trackball + {0x1F5B3, 0x1F5BB, prExtendedPictographic}, // E0.0 [9] (🖳..🖻) OLD PERSONAL COMPUTER..DOCUMENT WITH PICTURE + {0x1F5BC, 0x1F5BC, prExtendedPictographic}, // E0.7 [1] (🖼ï¸) framed picture + {0x1F5BD, 0x1F5C1, prExtendedPictographic}, // E0.0 [5] (🖽..ðŸ—) FRAME WITH TILES..OPEN FOLDER + {0x1F5C2, 0x1F5C4, prExtendedPictographic}, // E0.7 [3] (🗂ï¸..🗄ï¸) card index dividers..file cabinet + {0x1F5C5, 0x1F5D0, prExtendedPictographic}, // E0.0 [12] (🗅..ðŸ—) EMPTY NOTE..PAGES + {0x1F5D1, 0x1F5D3, prExtendedPictographic}, // E0.7 [3] (🗑ï¸..🗓ï¸) wastebasket..spiral calendar + {0x1F5D4, 0x1F5DB, prExtendedPictographic}, // E0.0 [8] (🗔..🗛) DESKTOP WINDOW..DECREASE FONT SIZE SYMBOL + {0x1F5DC, 0x1F5DE, prExtendedPictographic}, // E0.7 [3] (🗜ï¸..🗞ï¸) clamp..rolled-up newspaper + {0x1F5DF, 0x1F5E0, prExtendedPictographic}, // E0.0 [2] (🗟..🗠) PAGE WITH CIRCLED TEXT..STOCK CHART + {0x1F5E1, 0x1F5E1, prExtendedPictographic}, // E0.7 [1] (🗡ï¸) dagger + {0x1F5E2, 0x1F5E2, prExtendedPictographic}, // E0.0 [1] (🗢) LIPS + {0x1F5E3, 0x1F5E3, prExtendedPictographic}, // E0.7 [1] (🗣ï¸) speaking head + {0x1F5E4, 0x1F5E7, prExtendedPictographic}, // E0.0 [4] (🗤..🗧) THREE RAYS ABOVE..THREE RAYS RIGHT + {0x1F5E8, 0x1F5E8, prExtendedPictographic}, // E2.0 [1] (🗨ï¸) left speech bubble + {0x1F5E9, 0x1F5EE, prExtendedPictographic}, // E0.0 [6] (🗩..🗮) RIGHT SPEECH BUBBLE..LEFT ANGER BUBBLE + {0x1F5EF, 0x1F5EF, prExtendedPictographic}, // E0.7 [1] (🗯ï¸) right anger bubble + {0x1F5F0, 0x1F5F2, prExtendedPictographic}, // E0.0 [3] (🗰..🗲) MOOD BUBBLE..LIGHTNING MOOD + {0x1F5F3, 0x1F5F3, prExtendedPictographic}, // E0.7 [1] (🗳ï¸) ballot box with ballot + {0x1F5F4, 0x1F5F9, prExtendedPictographic}, // E0.0 [6] (🗴..🗹) BALLOT SCRIPT X..BALLOT BOX WITH BOLD CHECK + {0x1F5FA, 0x1F5FA, prExtendedPictographic}, // E0.7 [1] (🗺ï¸) world map + {0x1F5FB, 0x1F5FF, prExtendedPictographic}, // E0.6 [5] (🗻..🗿) mount fuji..moai + {0x1F600, 0x1F600, prExtendedPictographic}, // E1.0 [1] (😀) grinning face + {0x1F601, 0x1F606, prExtendedPictographic}, // E0.6 [6] (ðŸ˜..😆) beaming face with smiling eyes..grinning squinting face + {0x1F607, 0x1F608, prExtendedPictographic}, // E1.0 [2] (😇..😈) smiling face with halo..smiling face with horns + {0x1F609, 0x1F60D, prExtendedPictographic}, // E0.6 [5] (😉..ðŸ˜) winking face..smiling face with heart-eyes + {0x1F60E, 0x1F60E, prExtendedPictographic}, // E1.0 [1] (😎) smiling face with sunglasses + {0x1F60F, 0x1F60F, prExtendedPictographic}, // E0.6 [1] (ðŸ˜) smirking face + {0x1F610, 0x1F610, prExtendedPictographic}, // E0.7 [1] (ðŸ˜) neutral face + {0x1F611, 0x1F611, prExtendedPictographic}, // E1.0 [1] (😑) expressionless face + {0x1F612, 0x1F614, prExtendedPictographic}, // E0.6 [3] (😒..😔) unamused face..pensive face + {0x1F615, 0x1F615, prExtendedPictographic}, // E1.0 [1] (😕) confused face + {0x1F616, 0x1F616, prExtendedPictographic}, // E0.6 [1] (😖) confounded face + {0x1F617, 0x1F617, prExtendedPictographic}, // E1.0 [1] (😗) kissing face + {0x1F618, 0x1F618, prExtendedPictographic}, // E0.6 [1] (😘) face blowing a kiss + {0x1F619, 0x1F619, prExtendedPictographic}, // E1.0 [1] (😙) kissing face with smiling eyes + {0x1F61A, 0x1F61A, prExtendedPictographic}, // E0.6 [1] (😚) kissing face with closed eyes + {0x1F61B, 0x1F61B, prExtendedPictographic}, // E1.0 [1] (😛) face with tongue + {0x1F61C, 0x1F61E, prExtendedPictographic}, // E0.6 [3] (😜..😞) winking face with tongue..disappointed face + {0x1F61F, 0x1F61F, prExtendedPictographic}, // E1.0 [1] (😟) worried face + {0x1F620, 0x1F625, prExtendedPictographic}, // E0.6 [6] (😠..😥) angry face..sad but relieved face + {0x1F626, 0x1F627, prExtendedPictographic}, // E1.0 [2] (😦..😧) frowning face with open mouth..anguished face + {0x1F628, 0x1F62B, prExtendedPictographic}, // E0.6 [4] (😨..😫) fearful face..tired face + {0x1F62C, 0x1F62C, prExtendedPictographic}, // E1.0 [1] (😬) grimacing face + {0x1F62D, 0x1F62D, prExtendedPictographic}, // E0.6 [1] (😭) loudly crying face + {0x1F62E, 0x1F62F, prExtendedPictographic}, // E1.0 [2] (😮..😯) face with open mouth..hushed face + {0x1F630, 0x1F633, prExtendedPictographic}, // E0.6 [4] (😰..😳) anxious face with sweat..flushed face + {0x1F634, 0x1F634, prExtendedPictographic}, // E1.0 [1] (😴) sleeping face + {0x1F635, 0x1F635, prExtendedPictographic}, // E0.6 [1] (😵) face with crossed-out eyes + {0x1F636, 0x1F636, prExtendedPictographic}, // E1.0 [1] (😶) face without mouth + {0x1F637, 0x1F640, prExtendedPictographic}, // E0.6 [10] (😷..🙀) face with medical mask..weary cat + {0x1F641, 0x1F644, prExtendedPictographic}, // E1.0 [4] (ðŸ™..🙄) slightly frowning face..face with rolling eyes + {0x1F645, 0x1F64F, prExtendedPictographic}, // E0.6 [11] (🙅..ðŸ™) person gesturing NO..folded hands + {0x1F680, 0x1F680, prExtendedPictographic}, // E0.6 [1] (🚀) rocket + {0x1F681, 0x1F682, prExtendedPictographic}, // E1.0 [2] (ðŸš..🚂) helicopter..locomotive + {0x1F683, 0x1F685, prExtendedPictographic}, // E0.6 [3] (🚃..🚅) railway car..bullet train + {0x1F686, 0x1F686, prExtendedPictographic}, // E1.0 [1] (🚆) train + {0x1F687, 0x1F687, prExtendedPictographic}, // E0.6 [1] (🚇) metro + {0x1F688, 0x1F688, prExtendedPictographic}, // E1.0 [1] (🚈) light rail + {0x1F689, 0x1F689, prExtendedPictographic}, // E0.6 [1] (🚉) station + {0x1F68A, 0x1F68B, prExtendedPictographic}, // E1.0 [2] (🚊..🚋) tram..tram car + {0x1F68C, 0x1F68C, prExtendedPictographic}, // E0.6 [1] (🚌) bus + {0x1F68D, 0x1F68D, prExtendedPictographic}, // E0.7 [1] (ðŸš) oncoming bus + {0x1F68E, 0x1F68E, prExtendedPictographic}, // E1.0 [1] (🚎) trolleybus + {0x1F68F, 0x1F68F, prExtendedPictographic}, // E0.6 [1] (ðŸš) bus stop + {0x1F690, 0x1F690, prExtendedPictographic}, // E1.0 [1] (ðŸš) minibus + {0x1F691, 0x1F693, prExtendedPictographic}, // E0.6 [3] (🚑..🚓) ambulance..police car + {0x1F694, 0x1F694, prExtendedPictographic}, // E0.7 [1] (🚔) oncoming police car + {0x1F695, 0x1F695, prExtendedPictographic}, // E0.6 [1] (🚕) taxi + {0x1F696, 0x1F696, prExtendedPictographic}, // E1.0 [1] (🚖) oncoming taxi + {0x1F697, 0x1F697, prExtendedPictographic}, // E0.6 [1] (🚗) automobile + {0x1F698, 0x1F698, prExtendedPictographic}, // E0.7 [1] (🚘) oncoming automobile + {0x1F699, 0x1F69A, prExtendedPictographic}, // E0.6 [2] (🚙..🚚) sport utility vehicle..delivery truck + {0x1F69B, 0x1F6A1, prExtendedPictographic}, // E1.0 [7] (🚛..🚡) articulated lorry..aerial tramway + {0x1F6A2, 0x1F6A2, prExtendedPictographic}, // E0.6 [1] (🚢) ship + {0x1F6A3, 0x1F6A3, prExtendedPictographic}, // E1.0 [1] (🚣) person rowing boat + {0x1F6A4, 0x1F6A5, prExtendedPictographic}, // E0.6 [2] (🚤..🚥) speedboat..horizontal traffic light + {0x1F6A6, 0x1F6A6, prExtendedPictographic}, // E1.0 [1] (🚦) vertical traffic light + {0x1F6A7, 0x1F6AD, prExtendedPictographic}, // E0.6 [7] (🚧..🚭) construction..no smoking + {0x1F6AE, 0x1F6B1, prExtendedPictographic}, // E1.0 [4] (🚮..🚱) litter in bin sign..non-potable water + {0x1F6B2, 0x1F6B2, prExtendedPictographic}, // E0.6 [1] (🚲) bicycle + {0x1F6B3, 0x1F6B5, prExtendedPictographic}, // E1.0 [3] (🚳..🚵) no bicycles..person mountain biking + {0x1F6B6, 0x1F6B6, prExtendedPictographic}, // E0.6 [1] (🚶) person walking + {0x1F6B7, 0x1F6B8, prExtendedPictographic}, // E1.0 [2] (🚷..🚸) no pedestrians..children crossing + {0x1F6B9, 0x1F6BE, prExtendedPictographic}, // E0.6 [6] (🚹..🚾) men’s room..water closet + {0x1F6BF, 0x1F6BF, prExtendedPictographic}, // E1.0 [1] (🚿) shower + {0x1F6C0, 0x1F6C0, prExtendedPictographic}, // E0.6 [1] (🛀) person taking bath + {0x1F6C1, 0x1F6C5, prExtendedPictographic}, // E1.0 [5] (ðŸ›..🛅) bathtub..left luggage + {0x1F6C6, 0x1F6CA, prExtendedPictographic}, // E0.0 [5] (🛆..🛊) TRIANGLE WITH ROUNDED CORNERS..GIRLS SYMBOL + {0x1F6CB, 0x1F6CB, prExtendedPictographic}, // E0.7 [1] (🛋ï¸) couch and lamp + {0x1F6CC, 0x1F6CC, prExtendedPictographic}, // E1.0 [1] (🛌) person in bed + {0x1F6CD, 0x1F6CF, prExtendedPictographic}, // E0.7 [3] (ðŸ›ï¸..ðŸ›ï¸) shopping bags..bed + {0x1F6D0, 0x1F6D0, prExtendedPictographic}, // E1.0 [1] (ðŸ›) place of worship + {0x1F6D1, 0x1F6D2, prExtendedPictographic}, // E3.0 [2] (🛑..🛒) stop sign..shopping cart + {0x1F6D3, 0x1F6D4, prExtendedPictographic}, // E0.0 [2] (🛓..🛔) STUPA..PAGODA + {0x1F6D5, 0x1F6D5, prExtendedPictographic}, // E12.0 [1] (🛕) hindu temple + {0x1F6D6, 0x1F6D7, prExtendedPictographic}, // E13.0 [2] (🛖..🛗) hut..elevator + {0x1F6D8, 0x1F6DB, prExtendedPictographic}, // E0.0 [4] (🛘..🛛) .. + {0x1F6DC, 0x1F6DC, prExtendedPictographic}, // E15.0 [1] (🛜) wireless + {0x1F6DD, 0x1F6DF, prExtendedPictographic}, // E14.0 [3] (ðŸ›..🛟) playground slide..ring buoy + {0x1F6E0, 0x1F6E5, prExtendedPictographic}, // E0.7 [6] (🛠ï¸..🛥ï¸) hammer and wrench..motor boat + {0x1F6E6, 0x1F6E8, prExtendedPictographic}, // E0.0 [3] (🛦..🛨) UP-POINTING MILITARY AIRPLANE..UP-POINTING SMALL AIRPLANE + {0x1F6E9, 0x1F6E9, prExtendedPictographic}, // E0.7 [1] (🛩ï¸) small airplane + {0x1F6EA, 0x1F6EA, prExtendedPictographic}, // E0.0 [1] (🛪) NORTHEAST-POINTING AIRPLANE + {0x1F6EB, 0x1F6EC, prExtendedPictographic}, // E1.0 [2] (🛫..🛬) airplane departure..airplane arrival + {0x1F6ED, 0x1F6EF, prExtendedPictographic}, // E0.0 [3] (🛭..🛯) .. + {0x1F6F0, 0x1F6F0, prExtendedPictographic}, // E0.7 [1] (🛰ï¸) satellite + {0x1F6F1, 0x1F6F2, prExtendedPictographic}, // E0.0 [2] (🛱..🛲) ONCOMING FIRE ENGINE..DIESEL LOCOMOTIVE + {0x1F6F3, 0x1F6F3, prExtendedPictographic}, // E0.7 [1] (🛳ï¸) passenger ship + {0x1F6F4, 0x1F6F6, prExtendedPictographic}, // E3.0 [3] (🛴..🛶) kick scooter..canoe + {0x1F6F7, 0x1F6F8, prExtendedPictographic}, // E5.0 [2] (🛷..🛸) sled..flying saucer + {0x1F6F9, 0x1F6F9, prExtendedPictographic}, // E11.0 [1] (🛹) skateboard + {0x1F6FA, 0x1F6FA, prExtendedPictographic}, // E12.0 [1] (🛺) auto rickshaw + {0x1F6FB, 0x1F6FC, prExtendedPictographic}, // E13.0 [2] (🛻..🛼) pickup truck..roller skate + {0x1F6FD, 0x1F6FF, prExtendedPictographic}, // E0.0 [3] (🛽..🛿) .. + {0x1F774, 0x1F77F, prExtendedPictographic}, // E0.0 [12] (ðŸ´..ðŸ¿) LOT OF FORTUNE..ORCUS + {0x1F7D5, 0x1F7DF, prExtendedPictographic}, // E0.0 [11] (🟕..🟟) CIRCLED TRIANGLE.. + {0x1F7E0, 0x1F7EB, prExtendedPictographic}, // E12.0 [12] (🟠..🟫) orange circle..brown square + {0x1F7EC, 0x1F7EF, prExtendedPictographic}, // E0.0 [4] (🟬..🟯) .. + {0x1F7F0, 0x1F7F0, prExtendedPictographic}, // E14.0 [1] (🟰) heavy equals sign + {0x1F7F1, 0x1F7FF, prExtendedPictographic}, // E0.0 [15] (🟱..🟿) .. + {0x1F80C, 0x1F80F, prExtendedPictographic}, // E0.0 [4] (🠌..ðŸ ) .. + {0x1F848, 0x1F84F, prExtendedPictographic}, // E0.0 [8] (🡈..ðŸ¡) .. + {0x1F85A, 0x1F85F, prExtendedPictographic}, // E0.0 [6] (🡚..🡟) .. + {0x1F888, 0x1F88F, prExtendedPictographic}, // E0.0 [8] (🢈..ðŸ¢) .. + {0x1F8AE, 0x1F8FF, prExtendedPictographic}, // E0.0 [82] (🢮..🣿) .. + {0x1F90C, 0x1F90C, prExtendedPictographic}, // E13.0 [1] (🤌) pinched fingers + {0x1F90D, 0x1F90F, prExtendedPictographic}, // E12.0 [3] (ðŸ¤..ðŸ¤) white heart..pinching hand + {0x1F910, 0x1F918, prExtendedPictographic}, // E1.0 [9] (ðŸ¤..🤘) zipper-mouth face..sign of the horns + {0x1F919, 0x1F91E, prExtendedPictographic}, // E3.0 [6] (🤙..🤞) call me hand..crossed fingers + {0x1F91F, 0x1F91F, prExtendedPictographic}, // E5.0 [1] (🤟) love-you gesture + {0x1F920, 0x1F927, prExtendedPictographic}, // E3.0 [8] (🤠..🤧) cowboy hat face..sneezing face + {0x1F928, 0x1F92F, prExtendedPictographic}, // E5.0 [8] (🤨..🤯) face with raised eyebrow..exploding head + {0x1F930, 0x1F930, prExtendedPictographic}, // E3.0 [1] (🤰) pregnant woman + {0x1F931, 0x1F932, prExtendedPictographic}, // E5.0 [2] (🤱..🤲) breast-feeding..palms up together + {0x1F933, 0x1F93A, prExtendedPictographic}, // E3.0 [8] (🤳..🤺) selfie..person fencing + {0x1F93C, 0x1F93E, prExtendedPictographic}, // E3.0 [3] (🤼..🤾) people wrestling..person playing handball + {0x1F93F, 0x1F93F, prExtendedPictographic}, // E12.0 [1] (🤿) diving mask + {0x1F940, 0x1F945, prExtendedPictographic}, // E3.0 [6] (🥀..🥅) wilted flower..goal net + {0x1F947, 0x1F94B, prExtendedPictographic}, // E3.0 [5] (🥇..🥋) 1st place medal..martial arts uniform + {0x1F94C, 0x1F94C, prExtendedPictographic}, // E5.0 [1] (🥌) curling stone + {0x1F94D, 0x1F94F, prExtendedPictographic}, // E11.0 [3] (ðŸ¥..ðŸ¥) lacrosse..flying disc + {0x1F950, 0x1F95E, prExtendedPictographic}, // E3.0 [15] (ðŸ¥..🥞) croissant..pancakes + {0x1F95F, 0x1F96B, prExtendedPictographic}, // E5.0 [13] (🥟..🥫) dumpling..canned food + {0x1F96C, 0x1F970, prExtendedPictographic}, // E11.0 [5] (🥬..🥰) leafy green..smiling face with hearts + {0x1F971, 0x1F971, prExtendedPictographic}, // E12.0 [1] (🥱) yawning face + {0x1F972, 0x1F972, prExtendedPictographic}, // E13.0 [1] (🥲) smiling face with tear + {0x1F973, 0x1F976, prExtendedPictographic}, // E11.0 [4] (🥳..🥶) partying face..cold face + {0x1F977, 0x1F978, prExtendedPictographic}, // E13.0 [2] (🥷..🥸) ninja..disguised face + {0x1F979, 0x1F979, prExtendedPictographic}, // E14.0 [1] (🥹) face holding back tears + {0x1F97A, 0x1F97A, prExtendedPictographic}, // E11.0 [1] (🥺) pleading face + {0x1F97B, 0x1F97B, prExtendedPictographic}, // E12.0 [1] (🥻) sari + {0x1F97C, 0x1F97F, prExtendedPictographic}, // E11.0 [4] (🥼..🥿) lab coat..flat shoe + {0x1F980, 0x1F984, prExtendedPictographic}, // E1.0 [5] (🦀..🦄) crab..unicorn + {0x1F985, 0x1F991, prExtendedPictographic}, // E3.0 [13] (🦅..🦑) eagle..squid + {0x1F992, 0x1F997, prExtendedPictographic}, // E5.0 [6] (🦒..🦗) giraffe..cricket + {0x1F998, 0x1F9A2, prExtendedPictographic}, // E11.0 [11] (🦘..🦢) kangaroo..swan + {0x1F9A3, 0x1F9A4, prExtendedPictographic}, // E13.0 [2] (🦣..🦤) mammoth..dodo + {0x1F9A5, 0x1F9AA, prExtendedPictographic}, // E12.0 [6] (🦥..🦪) sloth..oyster + {0x1F9AB, 0x1F9AD, prExtendedPictographic}, // E13.0 [3] (🦫..🦭) beaver..seal + {0x1F9AE, 0x1F9AF, prExtendedPictographic}, // E12.0 [2] (🦮..🦯) guide dog..white cane + {0x1F9B0, 0x1F9B9, prExtendedPictographic}, // E11.0 [10] (🦰..🦹) red hair..supervillain + {0x1F9BA, 0x1F9BF, prExtendedPictographic}, // E12.0 [6] (🦺..🦿) safety vest..mechanical leg + {0x1F9C0, 0x1F9C0, prExtendedPictographic}, // E1.0 [1] (🧀) cheese wedge + {0x1F9C1, 0x1F9C2, prExtendedPictographic}, // E11.0 [2] (ðŸ§..🧂) cupcake..salt + {0x1F9C3, 0x1F9CA, prExtendedPictographic}, // E12.0 [8] (🧃..🧊) beverage box..ice + {0x1F9CB, 0x1F9CB, prExtendedPictographic}, // E13.0 [1] (🧋) bubble tea + {0x1F9CC, 0x1F9CC, prExtendedPictographic}, // E14.0 [1] (🧌) troll + {0x1F9CD, 0x1F9CF, prExtendedPictographic}, // E12.0 [3] (ðŸ§..ðŸ§) person standing..deaf person + {0x1F9D0, 0x1F9E6, prExtendedPictographic}, // E5.0 [23] (ðŸ§..🧦) face with monocle..socks + {0x1F9E7, 0x1F9FF, prExtendedPictographic}, // E11.0 [25] (🧧..🧿) red envelope..nazar amulet + {0x1FA00, 0x1FA6F, prExtendedPictographic}, // E0.0 [112] (🨀..🩯) NEUTRAL CHESS KING.. + {0x1FA70, 0x1FA73, prExtendedPictographic}, // E12.0 [4] (🩰..🩳) ballet shoes..shorts + {0x1FA74, 0x1FA74, prExtendedPictographic}, // E13.0 [1] (🩴) thong sandal + {0x1FA75, 0x1FA77, prExtendedPictographic}, // E15.0 [3] (🩵..🩷) light blue heart..pink heart + {0x1FA78, 0x1FA7A, prExtendedPictographic}, // E12.0 [3] (🩸..🩺) drop of blood..stethoscope + {0x1FA7B, 0x1FA7C, prExtendedPictographic}, // E14.0 [2] (🩻..🩼) x-ray..crutch + {0x1FA7D, 0x1FA7F, prExtendedPictographic}, // E0.0 [3] (🩽..🩿) .. + {0x1FA80, 0x1FA82, prExtendedPictographic}, // E12.0 [3] (🪀..🪂) yo-yo..parachute + {0x1FA83, 0x1FA86, prExtendedPictographic}, // E13.0 [4] (🪃..🪆) boomerang..nesting dolls + {0x1FA87, 0x1FA88, prExtendedPictographic}, // E15.0 [2] (🪇..🪈) maracas..flute + {0x1FA89, 0x1FA8F, prExtendedPictographic}, // E0.0 [7] (🪉..ðŸª) .. + {0x1FA90, 0x1FA95, prExtendedPictographic}, // E12.0 [6] (ðŸª..🪕) ringed planet..banjo + {0x1FA96, 0x1FAA8, prExtendedPictographic}, // E13.0 [19] (🪖..🪨) military helmet..rock + {0x1FAA9, 0x1FAAC, prExtendedPictographic}, // E14.0 [4] (🪩..🪬) mirror ball..hamsa + {0x1FAAD, 0x1FAAF, prExtendedPictographic}, // E15.0 [3] (🪭..🪯) folding hand fan..khanda + {0x1FAB0, 0x1FAB6, prExtendedPictographic}, // E13.0 [7] (🪰..🪶) fly..feather + {0x1FAB7, 0x1FABA, prExtendedPictographic}, // E14.0 [4] (🪷..🪺) lotus..nest with eggs + {0x1FABB, 0x1FABD, prExtendedPictographic}, // E15.0 [3] (🪻..🪽) hyacinth..wing + {0x1FABE, 0x1FABE, prExtendedPictographic}, // E0.0 [1] (🪾) + {0x1FABF, 0x1FABF, prExtendedPictographic}, // E15.0 [1] (🪿) goose + {0x1FAC0, 0x1FAC2, prExtendedPictographic}, // E13.0 [3] (🫀..🫂) anatomical heart..people hugging + {0x1FAC3, 0x1FAC5, prExtendedPictographic}, // E14.0 [3] (🫃..🫅) pregnant man..person with crown + {0x1FAC6, 0x1FACD, prExtendedPictographic}, // E0.0 [8] (🫆..ðŸ«) .. + {0x1FACE, 0x1FACF, prExtendedPictographic}, // E15.0 [2] (🫎..ðŸ«) moose..donkey + {0x1FAD0, 0x1FAD6, prExtendedPictographic}, // E13.0 [7] (ðŸ«..🫖) blueberries..teapot + {0x1FAD7, 0x1FAD9, prExtendedPictographic}, // E14.0 [3] (🫗..🫙) pouring liquid..jar + {0x1FADA, 0x1FADB, prExtendedPictographic}, // E15.0 [2] (🫚..🫛) ginger root..pea pod + {0x1FADC, 0x1FADF, prExtendedPictographic}, // E0.0 [4] (🫜..🫟) .. + {0x1FAE0, 0x1FAE7, prExtendedPictographic}, // E14.0 [8] (🫠..🫧) melting face..bubbles + {0x1FAE8, 0x1FAE8, prExtendedPictographic}, // E15.0 [1] (🫨) shaking face + {0x1FAE9, 0x1FAEF, prExtendedPictographic}, // E0.0 [7] (🫩..🫯) .. + {0x1FAF0, 0x1FAF6, prExtendedPictographic}, // E14.0 [7] (🫰..🫶) hand with index finger and thumb crossed..heart hands + {0x1FAF7, 0x1FAF8, prExtendedPictographic}, // E15.0 [2] (🫷..🫸) leftwards pushing hand..rightwards pushing hand + {0x1FAF9, 0x1FAFF, prExtendedPictographic}, // E0.0 [7] (🫹..🫿) .. + {0x1FBF0, 0x1FBF9, prNumeric}, // Nd [10] SEGMENTED DIGIT ZERO..SEGMENTED DIGIT NINE + {0x1FC00, 0x1FFFD, prExtendedPictographic}, // E0.0[1022] (🰀..🿽) .. + {0xE0001, 0xE0001, prFormat}, // Cf LANGUAGE TAG + {0xE0020, 0xE007F, prExtend}, // Cf [96] TAG SPACE..CANCEL TAG + {0xE0100, 0xE01EF, prExtend}, // Mn [240] VARIATION SELECTOR-17..VARIATION SELECTOR-256 +} diff --git a/vendor/github.com/rivo/uniseg/wordrules.go b/vendor/github.com/rivo/uniseg/wordrules.go new file mode 100644 index 0000000000..57a8c68311 --- /dev/null +++ b/vendor/github.com/rivo/uniseg/wordrules.go @@ -0,0 +1,282 @@ +package uniseg + +import "unicode/utf8" + +// The states of the word break parser. +const ( + wbAny = iota + wbCR + wbLF + wbNewline + wbWSegSpace + wbHebrewLetter + wbALetter + wbWB7 + wbWB7c + wbNumeric + wbWB11 + wbKatakana + wbExtendNumLet + wbOddRI + wbEvenRI + wbZWJBit = 16 // This bit is set for any states followed by at least one zero-width joiner (see WB4 and WB3c). +) + +// wbTransitions implements the word break parser's state transitions. It's +// anologous to [grTransitions], see comments there for details. +// +// Unicode version 15.0.0. +func wbTransitions(state, prop int) (newState int, wordBreak bool, rule int) { + switch uint64(state) | uint64(prop)<<32 { + // WB3b. + case wbAny | prNewline<<32: + return wbNewline, true, 32 + case wbAny | prCR<<32: + return wbCR, true, 32 + case wbAny | prLF<<32: + return wbLF, true, 32 + + // WB3a. + case wbNewline | prAny<<32: + return wbAny, true, 31 + case wbCR | prAny<<32: + return wbAny, true, 31 + case wbLF | prAny<<32: + return wbAny, true, 31 + + // WB3. + case wbCR | prLF<<32: + return wbLF, false, 30 + + // WB3d. + case wbAny | prWSegSpace<<32: + return wbWSegSpace, true, 9990 + case wbWSegSpace | prWSegSpace<<32: + return wbWSegSpace, false, 34 + + // WB5. + case wbAny | prALetter<<32: + return wbALetter, true, 9990 + case wbAny | prHebrewLetter<<32: + return wbHebrewLetter, true, 9990 + case wbALetter | prALetter<<32: + return wbALetter, false, 50 + case wbALetter | prHebrewLetter<<32: + return wbHebrewLetter, false, 50 + case wbHebrewLetter | prALetter<<32: + return wbALetter, false, 50 + case wbHebrewLetter | prHebrewLetter<<32: + return wbHebrewLetter, false, 50 + + // WB7. Transitions to wbWB7 handled by transitionWordBreakState(). + case wbWB7 | prALetter<<32: + return wbALetter, false, 70 + case wbWB7 | prHebrewLetter<<32: + return wbHebrewLetter, false, 70 + + // WB7a. + case wbHebrewLetter | prSingleQuote<<32: + return wbAny, false, 71 + + // WB7c. Transitions to wbWB7c handled by transitionWordBreakState(). + case wbWB7c | prHebrewLetter<<32: + return wbHebrewLetter, false, 73 + + // WB8. + case wbAny | prNumeric<<32: + return wbNumeric, true, 9990 + case wbNumeric | prNumeric<<32: + return wbNumeric, false, 80 + + // WB9. + case wbALetter | prNumeric<<32: + return wbNumeric, false, 90 + case wbHebrewLetter | prNumeric<<32: + return wbNumeric, false, 90 + + // WB10. + case wbNumeric | prALetter<<32: + return wbALetter, false, 100 + case wbNumeric | prHebrewLetter<<32: + return wbHebrewLetter, false, 100 + + // WB11. Transitions to wbWB11 handled by transitionWordBreakState(). + case wbWB11 | prNumeric<<32: + return wbNumeric, false, 110 + + // WB13. + case wbAny | prKatakana<<32: + return wbKatakana, true, 9990 + case wbKatakana | prKatakana<<32: + return wbKatakana, false, 130 + + // WB13a. + case wbAny | prExtendNumLet<<32: + return wbExtendNumLet, true, 9990 + case wbALetter | prExtendNumLet<<32: + return wbExtendNumLet, false, 131 + case wbHebrewLetter | prExtendNumLet<<32: + return wbExtendNumLet, false, 131 + case wbNumeric | prExtendNumLet<<32: + return wbExtendNumLet, false, 131 + case wbKatakana | prExtendNumLet<<32: + return wbExtendNumLet, false, 131 + case wbExtendNumLet | prExtendNumLet<<32: + return wbExtendNumLet, false, 131 + + // WB13b. + case wbExtendNumLet | prALetter<<32: + return wbALetter, false, 132 + case wbExtendNumLet | prHebrewLetter<<32: + return wbHebrewLetter, false, 132 + case wbExtendNumLet | prNumeric<<32: + return wbNumeric, false, 132 + case wbExtendNumLet | prKatakana<<32: + return wbKatakana, false, 132 + + default: + return -1, false, -1 + } +} + +// transitionWordBreakState determines the new state of the word break parser +// given the current state and the next code point. It also returns whether a +// word boundary was detected. If more than one code point is needed to +// determine the new state, the byte slice or the string starting after rune "r" +// can be used (whichever is not nil or empty) for further lookups. +func transitionWordBreakState(state int, r rune, b []byte, str string) (newState int, wordBreak bool) { + // Determine the property of the next character. + nextProperty := property(workBreakCodePoints, r) + + // "Replacing Ignore Rules". + if nextProperty == prZWJ { + // WB4 (for zero-width joiners). + if state == wbNewline || state == wbCR || state == wbLF { + return wbAny | wbZWJBit, true // Make sure we don't apply WB4 to WB3a. + } + if state < 0 { + return wbAny | wbZWJBit, false + } + return state | wbZWJBit, false + } else if nextProperty == prExtend || nextProperty == prFormat { + // WB4 (for Extend and Format). + if state == wbNewline || state == wbCR || state == wbLF { + return wbAny, true // Make sure we don't apply WB4 to WB3a. + } + if state == wbWSegSpace || state == wbAny|wbZWJBit { + return wbAny, false // We don't break but this is also not WB3d or WB3c. + } + if state < 0 { + return wbAny, false + } + return state, false + } else if nextProperty == prExtendedPictographic && state >= 0 && state&wbZWJBit != 0 { + // WB3c. + return wbAny, false + } + if state >= 0 { + state = state &^ wbZWJBit + } + + // Find the applicable transition in the table. + var rule int + newState, wordBreak, rule = wbTransitions(state, nextProperty) + if newState < 0 { + // No specific transition found. Try the less specific ones. + anyPropState, anyPropWordBreak, anyPropRule := wbTransitions(state, prAny) + anyStateState, anyStateWordBreak, anyStateRule := wbTransitions(wbAny, nextProperty) + if anyPropState >= 0 && anyStateState >= 0 { + // Both apply. We'll use a mix (see comments for grTransitions). + newState, wordBreak, rule = anyStateState, anyStateWordBreak, anyStateRule + if anyPropRule < anyStateRule { + wordBreak, rule = anyPropWordBreak, anyPropRule + } + } else if anyPropState >= 0 { + // We only have a specific state. + newState, wordBreak, rule = anyPropState, anyPropWordBreak, anyPropRule + // This branch will probably never be reached because okAnyState will + // always be true given the current transition map. But we keep it here + // for future modifications to the transition map where this may not be + // true anymore. + } else if anyStateState >= 0 { + // We only have a specific property. + newState, wordBreak, rule = anyStateState, anyStateWordBreak, anyStateRule + } else { + // No known transition. WB999: Any ÷ Any. + newState, wordBreak, rule = wbAny, true, 9990 + } + } + + // For those rules that need to look up runes further in the string, we + // determine the property after nextProperty, skipping over Format, Extend, + // and ZWJ (according to WB4). It's -1 if not needed, if such a rune cannot + // be determined (because the text ends or the rune is faulty). + farProperty := -1 + if rule > 60 && + (state == wbALetter || state == wbHebrewLetter || state == wbNumeric) && + (nextProperty == prMidLetter || nextProperty == prMidNumLet || nextProperty == prSingleQuote || // WB6. + nextProperty == prDoubleQuote || // WB7b. + nextProperty == prMidNum) { // WB12. + for { + var ( + r rune + length int + ) + if b != nil { // Byte slice version. + r, length = utf8.DecodeRune(b) + b = b[length:] + } else { // String version. + r, length = utf8.DecodeRuneInString(str) + str = str[length:] + } + if r == utf8.RuneError { + break + } + prop := property(workBreakCodePoints, r) + if prop == prExtend || prop == prFormat || prop == prZWJ { + continue + } + farProperty = prop + break + } + } + + // WB6. + if rule > 60 && + (state == wbALetter || state == wbHebrewLetter) && + (nextProperty == prMidLetter || nextProperty == prMidNumLet || nextProperty == prSingleQuote) && + (farProperty == prALetter || farProperty == prHebrewLetter) { + return wbWB7, false + } + + // WB7b. + if rule > 72 && + state == wbHebrewLetter && + nextProperty == prDoubleQuote && + farProperty == prHebrewLetter { + return wbWB7c, false + } + + // WB12. + if rule > 120 && + state == wbNumeric && + (nextProperty == prMidNum || nextProperty == prMidNumLet || nextProperty == prSingleQuote) && + farProperty == prNumeric { + return wbWB11, false + } + + // WB15 and WB16. + if newState == wbAny && nextProperty == prRegionalIndicator { + if state != wbOddRI && state != wbEvenRI { // Includes state == -1. + // Transition into the first RI. + return wbOddRI, true + } + if state == wbOddRI { + // Don't break pairs of Regional Indicators. + return wbEvenRI, false + } + return wbOddRI, true // We can break after a pair. + } + + return +} diff --git a/vendor/github.com/rubenv/sql-migrate/.dockerignore b/vendor/github.com/rubenv/sql-migrate/.dockerignore new file mode 100644 index 0000000000..42bb921b46 --- /dev/null +++ b/vendor/github.com/rubenv/sql-migrate/.dockerignore @@ -0,0 +1,6 @@ +* +!go.mod +!go.sum +!*.go +!sql-migrate/*.go +!sqlparse/*.go diff --git a/vendor/github.com/rubenv/sql-migrate/.gitignore b/vendor/github.com/rubenv/sql-migrate/.gitignore new file mode 100644 index 0000000000..9720db0cfa --- /dev/null +++ b/vendor/github.com/rubenv/sql-migrate/.gitignore @@ -0,0 +1,9 @@ +.*.swp +*.test +.idea +/vendor/ + +/sql-migrate/test.db +/test.db +.vscode/ +bin/ diff --git a/vendor/github.com/rubenv/sql-migrate/.golangci.yaml b/vendor/github.com/rubenv/sql-migrate/.golangci.yaml new file mode 100644 index 0000000000..f581841653 --- /dev/null +++ b/vendor/github.com/rubenv/sql-migrate/.golangci.yaml @@ -0,0 +1,133 @@ +version: "2" +run: + tests: true +linters: + default: none + enable: + - asciicheck + - depguard + - errcheck + - errorlint + - exhaustive + - gocritic + - govet + - ineffassign + - nolintlint + - revive + - staticcheck + - unparam + - unused + - whitespace + settings: + depguard: + rules: + main: + allow: + - $gostd + - github.com/denisenkom/go-mssqldb + - github.com/go-sql-driver/mysql + - github.com/go-gorp/gorp/v3 + - github.com/lib/pq + - github.com/mattn/go-sqlite3 + - github.com/mitchellh/cli + - github.com/olekukonko/tablewriter + - github.com/rubenv/sql-migrate + - gopkg.in/check.v1 + - gopkg.in/yaml.v2 + exhaustive: + default-signifies-exhaustive: true + gocritic: + disabled-checks: + - ifElseChain + govet: + disable: + - fieldalignment + enable-all: true + nolintlint: + require-explanation: true + require-specific: true + allow-no-explanation: + - depguard + allow-unused: false + revive: + enable-all-rules: false + rules: + - name: atomic + - name: blank-imports + - name: bool-literal-in-expr + - name: call-to-gc + - name: constant-logical-expr + - name: context-as-argument + - name: context-keys-type + - name: dot-imports + - name: duplicated-imports + - name: empty-block + - name: empty-lines + - name: error-naming + - name: error-return + - name: error-strings + - name: errorf + - name: exported + - name: identical-branches + - name: imports-blocklist + - name: increment-decrement + - name: indent-error-flow + - name: modifies-parameter + - name: modifies-value-receiver + - name: package-comments + - name: range + - name: range-val-address + - name: range-val-in-closure + - name: receiver-naming + - name: string-format + - name: string-of-int + - name: struct-tag + - name: time-naming + - name: unconditional-recursion + - name: unexported-naming + - name: unexported-return + - name: superfluous-else + - name: unreachable-code + - name: var-declaration + - name: waitgroup-by-value + - name: unused-receiver + - name: unnecessary-stmt + - name: unused-parameter + exclusions: + generated: lax + presets: + - comments + - common-false-positives + - legacy + - std-error-handling + rules: + - path: (.+)\.go$ + text: declaration of "err" shadows declaration at + - path: (.+)\.go$ + text: 'error-strings: error strings should not be capitalized or end with punctuation or a newline' + - path: (.+)\.go$ + text: 'ST1005: error strings should not end with punctuation or newline' + - path: (.+)\.go$ + text: 'ST1005: error strings should not be capitalized' + paths: + - third_party$ + - builtin$ + - examples$ +issues: + max-issues-per-linter: 10000 + max-same-issues: 10000 +formatters: + enable: + - gofmt + - gofumpt + - goimports + settings: + goimports: + local-prefixes: + - github.com/rubenv/sql-migrate + exclusions: + generated: lax + paths: + - third_party$ + - builtin$ + - examples$ diff --git a/vendor/github.com/rubenv/sql-migrate/Dockerfile b/vendor/github.com/rubenv/sql-migrate/Dockerfile new file mode 100644 index 0000000000..238ac714af --- /dev/null +++ b/vendor/github.com/rubenv/sql-migrate/Dockerfile @@ -0,0 +1,25 @@ +ARG GO_VERSION=1.20.6 +ARG ALPINE_VERSION=3.12 + +### Vendor +FROM golang:${GO_VERSION} as vendor +COPY . /project +WORKDIR /project +RUN go mod tidy && go mod vendor + +### Build binary +FROM golang:${GO_VERSION} as build-binary +COPY . /project +COPY --from=vendor /project/vendor /project/vendor +WORKDIR /project +RUN GOOS=linux GOARCH=amd64 CGO_ENABLED=0 GO111MODULE=on go build \ + -v \ + -mod vendor \ + -o /project/bin/sql-migrate \ + /project/sql-migrate + +### Image +FROM alpine:${ALPINE_VERSION} as image +COPY --from=build-binary /project/bin/sql-migrate /usr/local/bin/sql-migrate +RUN chmod +x /usr/local/bin/sql-migrate +ENTRYPOINT ["sql-migrate"] diff --git a/vendor/github.com/rubenv/sql-migrate/LICENSE b/vendor/github.com/rubenv/sql-migrate/LICENSE new file mode 100644 index 0000000000..95e7c9abe7 --- /dev/null +++ b/vendor/github.com/rubenv/sql-migrate/LICENSE @@ -0,0 +1,21 @@ +MIT License + +Copyright (C) 2014-2021 by Ruben Vermeersch + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. diff --git a/vendor/github.com/rubenv/sql-migrate/Makefile b/vendor/github.com/rubenv/sql-migrate/Makefile new file mode 100644 index 0000000000..e17ae0ad4a --- /dev/null +++ b/vendor/github.com/rubenv/sql-migrate/Makefile @@ -0,0 +1,11 @@ +.PHONY: test lint build + +test: + go test ./... + +lint: + golangci-lint run --fix --config .golangci.yaml + +build: + mkdir -p bin + go build -o ./bin/sql-migrate ./sql-migrate diff --git a/vendor/github.com/rubenv/sql-migrate/README.md b/vendor/github.com/rubenv/sql-migrate/README.md new file mode 100644 index 0000000000..65fd7f70ef --- /dev/null +++ b/vendor/github.com/rubenv/sql-migrate/README.md @@ -0,0 +1,386 @@ +# sql-migrate + +> SQL Schema migration tool for [Go](https://golang.org/). Based on [gorp](https://github.com/go-gorp/gorp) and [goose](https://bitbucket.org/liamstask/goose). + +[![Test](https://github.com/rubenv/sql-migrate/actions/workflows/test.yml/badge.svg)](https://github.com/rubenv/sql-migrate/actions/workflows/test.yml) [![Go Reference](https://pkg.go.dev/badge/github.com/rubenv/sql-migrate.svg)](https://pkg.go.dev/github.com/rubenv/sql-migrate) + +## Features + +- Usable as a CLI tool or as a library +- Supports SQLite, PostgreSQL, MySQL, MSSQL and Oracle databases (through [gorp](https://github.com/go-gorp/gorp)) +- Can embed migrations into your application +- Migrations are defined with SQL for full flexibility +- Atomic migrations +- Up/down migrations to allow rollback +- Supports multiple database types in one project +- Works great with other libraries such as [sqlx](https://jmoiron.github.io/sqlx/) +- Supported on go1.13+ + +## Installation + +To install the library and command line program, use the following: + +```bash +go get -v github.com/rubenv/sql-migrate/... +``` + +For Go version from 1.18, use: + +```bash +go install github.com/rubenv/sql-migrate/...@latest +``` + +## Usage + +### As a standalone tool + +``` +$ sql-migrate --help +usage: sql-migrate [--version] [--help] [] + +Available commands are: + down Undo a database migration + new Create a new migration + redo Reapply the last migration + status Show migration status + up Migrates the database to the most recent version available +``` + +Each command requires a configuration file (which defaults to `dbconfig.yml`, but can be specified with the `-config` flag). This config file should specify one or more environments: + +```yml +development: + dialect: sqlite3 + datasource: test.db + dir: migrations/sqlite3 + +production: + dialect: postgres + datasource: dbname=myapp sslmode=disable + dir: migrations/postgres + table: migrations +``` + +(See more examples for different set ups [here](test-integration/dbconfig.yml)) + +Also one can obtain env variables in datasource field via `os.ExpandEnv` embedded call for the field. +This may be useful if one doesn't want to store credentials in file: + +```yml +production: + dialect: postgres + datasource: host=prodhost dbname=proddb user=${DB_USER} password=${DB_PASSWORD} sslmode=require + dir: migrations + table: migrations +``` + +The `table` setting is optional and will default to `gorp_migrations`. + +The environment that will be used can be specified with the `-env` flag (defaults to `development`). + +Use the `--help` flag in combination with any of the commands to get an overview of its usage: + +``` +$ sql-migrate up --help +Usage: sql-migrate up [options] ... + + Migrates the database to the most recent version available. + +Options: + + -config=dbconfig.yml Configuration file to use. + -env="development" Environment. + -limit=0 Limit the number of migrations (0 = unlimited). + -version Run migrate up to a specific version, eg: the version number of migration 1_initial.sql is 1. + -dryrun Don't apply migrations, just print them. +``` + +The `new` command creates a new empty migration template using the following pattern `-.sql`. + +The `up` command applies all available migrations. By contrast, `down` will only apply one migration by default. This behavior can be changed for both by using the `-limit` parameter, and the `-version` parameter. Note `-version` has higher priority than `-limit` if you try to use them both. + +The `redo` command will unapply the last migration and reapply it. This is useful during development, when you're writing migrations. + +Use the `status` command to see the state of the applied migrations: + +```bash +$ sql-migrate status ++---------------+-----------------------------------------+ +| MIGRATION | APPLIED | ++---------------+-----------------------------------------+ +| 1_initial.sql | 2014-09-13 08:19:06.788354925 +0000 UTC | +| 2_record.sql | no | ++---------------+-----------------------------------------+ +``` + +#### Running Test Integrations + +You can see how to run setups for different setups by executing the `.sh` files in [test-integration](test-integration/) + +```bash +# Run mysql-env.sh example (you need to be in the project root directory) + +./test-integration/mysql-env.sh +``` + +### MySQL Caveat + +If you are using MySQL, you must append `?parseTime=true` to the `datasource` configuration. For example: + +```yml +production: + dialect: mysql + datasource: root@/dbname?parseTime=true + dir: migrations/mysql + table: migrations +``` + +See [here](https://github.com/go-sql-driver/mysql#parsetime) for more information. + +### Oracle (oci8) + +Oracle Driver is [oci8](https://github.com/mattn/go-oci8), it is not pure Go code and relies on Oracle Office Client ([Instant Client](https://www.oracle.com/database/technologies/instant-client/downloads.html)), more detailed information is in the [oci8 repo](https://github.com/mattn/go-oci8). + +#### Install with Oracle support + +To install the library and command line program, use the following: + +```bash +go get -tags oracle -v github.com/rubenv/sql-migrate/... +``` + +```yml +development: + dialect: oci8 + datasource: user/password@localhost:1521/sid + dir: migrations/oracle + table: migrations +``` + +### Oracle (godror) + +Oracle Driver is [godror](https://github.com/godror/godror), it is not pure Go code and relies on Oracle Office Client ([Instant Client](https://www.oracle.com/database/technologies/instant-client/downloads.html)), more detailed information is in the [godror repository](https://github.com/godror/godror). + +#### Install with Oracle support + +To install the library and command line program, use the following: + +1. Install sql-migrate + +```bash +go get -tags godror -v github.com/rubenv/sql-migrate/... +``` + +2. Download Oracle Office Client(e.g. macos, click [Instant Client](https://www.oracle.com/database/technologies/instant-client/downloads.html) if you are other system) + +```bash +wget https://download.oracle.com/otn_software/mac/instantclient/193000/instantclient-basic-macos.x64-19.3.0.0.0dbru.zip +``` + +3. Configure environment variables `LD_LIBRARY_PATH` + +``` +export LD_LIBRARY_PATH=your_oracle_office_path/instantclient_19_3 +``` + +```yml +development: + dialect: godror + datasource: user/password@localhost:1521/sid + dir: migrations/oracle + table: migrations +``` + +### As a library + +Import sql-migrate into your application: + +```go +import "github.com/rubenv/sql-migrate" +``` + +Set up a source of migrations, this can be from memory, from a set of files, from bindata (more on that later), or from any library that implements [`http.FileSystem`](https://godoc.org/net/http#FileSystem): + +```go +// Hardcoded strings in memory: +migrations := &migrate.MemoryMigrationSource{ + Migrations: []*migrate.Migration{ + &migrate.Migration{ + Id: "123", + Up: []string{"CREATE TABLE people (id int)"}, + Down: []string{"DROP TABLE people"}, + }, + }, +} + +// OR: Read migrations from a folder: +migrations := &migrate.FileMigrationSource{ + Dir: "db/migrations", +} + +// OR: Use migrations from a packr box +// Note: Packr is no longer supported, your best option these days is [embed](https://pkg.go.dev/embed) +migrations := &migrate.PackrMigrationSource{ + Box: packr.New("migrations", "./migrations"), +} + +// OR: Use pkger which implements `http.FileSystem` +migrationSource := &migrate.HttpFileSystemMigrationSource{ + FileSystem: pkger.Dir("/db/migrations"), +} + +// OR: Use migrations from bindata: +migrations := &migrate.AssetMigrationSource{ + Asset: Asset, + AssetDir: AssetDir, + Dir: "migrations", +} + +// OR: Read migrations from a `http.FileSystem` +migrationSource := &migrate.HttpFileSystemMigrationSource{ + FileSystem: httpFS, +} +``` + +Then use the `Exec` function to upgrade your database: + +```go +db, err := sql.Open("sqlite3", filename) +if err != nil { + // Handle errors! +} + +n, err := migrate.Exec(db, "sqlite3", migrations, migrate.Up) +if err != nil { + // Handle errors! +} +fmt.Printf("Applied %d migrations!\n", n) +``` + +Note that `n` can be greater than `0` even if there is an error: any migration that succeeded will remain applied even if a later one fails. + +Check [the GoDoc reference](https://godoc.org/github.com/rubenv/sql-migrate) for the full documentation. + +## Writing migrations + +Migrations are defined in SQL files, which contain a set of SQL statements. Special comments are used to distinguish up and down migrations. + +```sql +-- +migrate Up +-- SQL in section 'Up' is executed when this migration is applied +CREATE TABLE people (id int); + + +-- +migrate Down +-- SQL section 'Down' is executed when this migration is rolled back +DROP TABLE people; +``` + +You can put multiple statements in each block, as long as you end them with a semicolon (`;`). + +You can alternatively set up a separator string that matches an entire line by setting `sqlparse.LineSeparator`. This +can be used to imitate, for example, MS SQL Query Analyzer functionality where commands can be separated by a line with +contents of `GO`. If `sqlparse.LineSeparator` is matched, it will not be included in the resulting migration scripts. + +If you have complex statements which contain semicolons, use `StatementBegin` and `StatementEnd` to indicate boundaries: + +```sql +-- +migrate Up +CREATE TABLE people (id int); + +-- +migrate StatementBegin +CREATE OR REPLACE FUNCTION do_something() +returns void AS $$ +DECLARE + create_query text; +BEGIN + -- Do something here +END; +$$ +language plpgsql; +-- +migrate StatementEnd + +-- +migrate Down +DROP FUNCTION do_something(); +DROP TABLE people; +``` + +The order in which migrations are applied is defined through the filename: sql-migrate will sort migrations based on their name. It's recommended to use an increasing version number or a timestamp as the first part of the filename. + +Normally each migration is run within a transaction in order to guarantee that it is fully atomic. However some SQL commands (for example creating an index concurrently in PostgreSQL) cannot be executed inside a transaction. In order to execute such a command in a migration, the migration can be run using the `notransaction` option: + +```sql +-- +migrate Up notransaction +CREATE UNIQUE INDEX CONCURRENTLY people_unique_id_idx ON people (id); + +-- +migrate Down +DROP INDEX people_unique_id_idx; +``` + +## Embedding migrations with [embed](https://pkg.go.dev/embed) + +If you like your Go applications self-contained (that is: a single binary): use [embed](https://pkg.go.dev/embed) to embed the migration files. + +Just write your migration files as usual, as a set of SQL files in a folder. + +Import the embed package into your application and point it to your migrations: + +```go +import "embed" + +//go:embed migrations/* +var dbMigrations embed.FS +``` + +Use the `EmbedFileSystemMigrationSource` in your application to find the migrations: + +```go +migrations := migrate.EmbedFileSystemMigrationSource{ + FileSystem: dbMigrations, + Root: "migrations", +} +``` + +Other options such as [packr](https://github.com/gobuffalo/packr) or [go-bindata](https://github.com/shuLhan/go-bindata) are no longer recommended. + +## Embedding migrations with libraries that implement `http.FileSystem` + +You can also embed migrations with any library that implements `http.FileSystem`, like [`vfsgen`](https://github.com/shurcooL/vfsgen), [`parcello`](https://github.com/phogolabs/parcello), or [`go-resources`](https://github.com/omeid/go-resources). + +```go +migrationSource := &migrate.HttpFileSystemMigrationSource{ + FileSystem: httpFS, +} +``` + +## Extending + +Adding a new migration source means implementing `MigrationSource`. + +```go +type MigrationSource interface { + FindMigrations() ([]*Migration, error) +} +``` + +The resulting slice of migrations will be executed in the given order, so it should usually be sorted by the `Id` field. + +## Usage with [sqlx](https://jmoiron.github.io/sqlx/) + +This library is compatible with sqlx. When calling migrate just dereference the DB from your `*sqlx.DB`: + +``` +n, err := migrate.Exec(db.DB, "sqlite3", migrations, migrate.Up) + // ^^^ <-- Here db is a *sqlx.DB, the db.DB field is the plain sql.DB +if err != nil { + // Handle errors! +} +``` + +## Questions or Feedback? + +You can use Github Issues for feedback or questions. + +## License + +This library is distributed under the [MIT](LICENSE) license. diff --git a/vendor/github.com/rubenv/sql-migrate/doc.go b/vendor/github.com/rubenv/sql-migrate/doc.go new file mode 100644 index 0000000000..8ff186d0ff --- /dev/null +++ b/vendor/github.com/rubenv/sql-migrate/doc.go @@ -0,0 +1,238 @@ +/* +SQL Schema migration tool for Go. + +Key features: + + - Usable as a CLI tool or as a library + - Supports SQLite, PostgreSQL, MySQL, MSSQL and Oracle databases (through gorp) + - Can embed migrations into your application + - Migrations are defined with SQL for full flexibility + - Atomic migrations + - Up/down migrations to allow rollback + - Supports multiple database types in one project + +# Installation + +To install the library and command line program, use the following: + + go get -v github.com/rubenv/sql-migrate/... + +# Command-line tool + +The main command is called sql-migrate. + + $ sql-migrate --help + usage: sql-migrate [--version] [--help] [] + + Available commands are: + down Undo a database migration + new Create a new migration + redo Reapply the last migration + status Show migration status + up Migrates the database to the most recent version available + +Each command requires a configuration file (which defaults to dbconfig.yml, but can be specified with the -config flag). This config file should specify one or more environments: + + development: + dialect: sqlite3 + datasource: test.db + dir: migrations/sqlite3 + + production: + dialect: postgres + datasource: dbname=myapp sslmode=disable + dir: migrations/postgres + table: migrations + +The `table` setting is optional and will default to `gorp_migrations`. + +The environment that will be used can be specified with the -env flag (defaults to development). + +Use the --help flag in combination with any of the commands to get an overview of its usage: + + $ sql-migrate up --help + Usage: sql-migrate up [options] ... + + Migrates the database to the most recent version available. + + Options: + + -config=config.yml Configuration file to use. + -env="development" Environment. + -limit=0 Limit the number of migrations (0 = unlimited). + -dryrun Don't apply migrations, just print them. + +The up command applies all available migrations. By contrast, down will only apply one migration by default. This behavior can be changed for both by using the -limit parameter. + +The redo command will unapply the last migration and reapply it. This is useful during development, when you're writing migrations. + +Use the status command to see the state of the applied migrations: + + $ sql-migrate status + +---------------+-----------------------------------------+ + | MIGRATION | APPLIED | + +---------------+-----------------------------------------+ + | 1_initial.sql | 2014-09-13 08:19:06.788354925 +0000 UTC | + | 2_record.sql | no | + +---------------+-----------------------------------------+ + +# MySQL Caveat + +If you are using MySQL, you must append ?parseTime=true to the datasource configuration. For example: + + production: + dialect: mysql + datasource: root@/dbname?parseTime=true + dir: migrations/mysql + table: migrations + +See https://github.com/go-sql-driver/mysql#parsetime for more information. + +# Library + +Import sql-migrate into your application: + + import "github.com/rubenv/sql-migrate" + +Set up a source of migrations, this can be from memory, from a set of files or from bindata (more on that later): + + // Hardcoded strings in memory: + migrations := &migrate.MemoryMigrationSource{ + Migrations: []*migrate.Migration{ + &migrate.Migration{ + Id: "123", + Up: []string{"CREATE TABLE people (id int)"}, + Down: []string{"DROP TABLE people"}, + }, + }, + } + + // OR: Read migrations from a folder: + migrations := &migrate.FileMigrationSource{ + Dir: "db/migrations", + } + + // OR: Use migrations from bindata: + migrations := &migrate.AssetMigrationSource{ + Asset: Asset, + AssetDir: AssetDir, + Dir: "migrations", + } + +Then use the Exec function to upgrade your database: + + db, err := sql.Open("sqlite3", filename) + if err != nil { + // Handle errors! + } + + n, err := migrate.Exec(db, "sqlite3", migrations, migrate.Up) + if err != nil { + // Handle errors! + } + fmt.Printf("Applied %d migrations!\n", n) + +Note that n can be greater than 0 even if there is an error: any migration that succeeded will remain applied even if a later one fails. + +The full set of capabilities can be found in the API docs below. + +# Writing migrations + +Migrations are defined in SQL files, which contain a set of SQL statements. Special comments are used to distinguish up and down migrations. + + -- +migrate Up + -- SQL in section 'Up' is executed when this migration is applied + CREATE TABLE people (id int); + + + -- +migrate Down + -- SQL section 'Down' is executed when this migration is rolled back + DROP TABLE people; + +You can put multiple statements in each block, as long as you end them with a semicolon (;). + +If you have complex statements which contain semicolons, use StatementBegin and StatementEnd to indicate boundaries: + + -- +migrate Up + CREATE TABLE people (id int); + + -- +migrate StatementBegin + CREATE OR REPLACE FUNCTION do_something() + returns void AS $$ + DECLARE + create_query text; + BEGIN + -- Do something here + END; + $$ + language plpgsql; + -- +migrate StatementEnd + + -- +migrate Down + DROP FUNCTION do_something(); + DROP TABLE people; + +The order in which migrations are applied is defined through the filename: sql-migrate will sort migrations based on their name. It's recommended to use an increasing version number or a timestamp as the first part of the filename. + +Normally each migration is run within a transaction in order to guarantee that it is fully atomic. However some SQL commands (for example creating an index concurrently in PostgreSQL) cannot be executed inside a transaction. In order to execute such a command in a migration, the migration can be run using the notransaction option: + + -- +migrate Up notransaction + CREATE UNIQUE INDEX people_unique_id_idx CONCURRENTLY ON people (id); + + -- +migrate Down + DROP INDEX people_unique_id_idx; + +# Embedding migrations with packr + +If you like your Go applications self-contained (that is: a single binary): use packr (https://github.com/gobuffalo/packr) to embed the migration files. + +Just write your migration files as usual, as a set of SQL files in a folder. + +Use the PackrMigrationSource in your application to find the migrations: + + migrations := &migrate.PackrMigrationSource{ + Box: packr.NewBox("./migrations"), + } + +If you already have a box and would like to use a subdirectory: + + migrations := &migrate.PackrMigrationSource{ + Box: myBox, + Dir: "./migrations", + } + +# Embedding migrations with bindata + +As an alternative, but slightly less maintained, you can use bindata (https://github.com/shuLhan/go-bindata) to embed the migration files. + +Just write your migration files as usual, as a set of SQL files in a folder. + +Then use bindata to generate a .go file with the migrations embedded: + + go-bindata -pkg myapp -o bindata.go db/migrations/ + +The resulting bindata.go file will contain your migrations. Remember to regenerate your bindata.go file whenever you add/modify a migration (go generate will help here, once it arrives). + +Use the AssetMigrationSource in your application to find the migrations: + + migrations := &migrate.AssetMigrationSource{ + Asset: Asset, + AssetDir: AssetDir, + Dir: "db/migrations", + } + +Both Asset and AssetDir are functions provided by bindata. + +Then proceed as usual. + +# Extending + +Adding a new migration source means implementing MigrationSource. + + type MigrationSource interface { + FindMigrations() ([]*Migration, error) + } + +The resulting slice of migrations will be executed in the given order, so it should usually be sorted by the Id field. +*/ +package migrate diff --git a/vendor/github.com/rubenv/sql-migrate/migrate.go b/vendor/github.com/rubenv/sql-migrate/migrate.go new file mode 100644 index 0000000000..c9cb4a48b6 --- /dev/null +++ b/vendor/github.com/rubenv/sql-migrate/migrate.go @@ -0,0 +1,891 @@ +package migrate + +import ( + "bytes" + "context" + "database/sql" + "embed" + "errors" + "fmt" + "io" + "net/http" + "os" + "path" + "regexp" + "sort" + "strconv" + "strings" + "time" + + "github.com/go-gorp/gorp/v3" + + "github.com/rubenv/sql-migrate/sqlparse" +) + +type MigrationDirection int + +const ( + Up MigrationDirection = iota + Down +) + +// MigrationSet provides database parameters for a migration execution +type MigrationSet struct { + // TableName name of the table used to store migration info. + TableName string + // SchemaName schema that the migration table be referenced. + SchemaName string + // IgnoreUnknown skips the check to see if there is a migration + // ran in the database that is not in MigrationSource. + // + // This should be used sparingly as it is removing a safety check. + IgnoreUnknown bool + // DisableCreateTable disable the creation of the migration table + DisableCreateTable bool +} + +var migSet = MigrationSet{} + +// NewMigrationSet returns a parametrized Migration object +func (ms MigrationSet) getTableName() string { + if ms.TableName == "" { + return "gorp_migrations" + } + return ms.TableName +} + +var numberPrefixRegex = regexp.MustCompile(`^(\d+).*$`) + +// PlanError happens where no migration plan could be created between the sets +// of already applied migrations and the currently found. For example, when the database +// contains a migration which is not among the migrations list found for an operation. +type PlanError struct { + Migration *Migration + ErrorMessage string +} + +func newPlanError(migration *Migration, errorMessage string) error { + return &PlanError{ + Migration: migration, + ErrorMessage: errorMessage, + } +} + +func (p *PlanError) Error() string { + return fmt.Sprintf("Unable to create migration plan because of %s: %s", + p.Migration.Id, p.ErrorMessage) +} + +// TxError is returned when any error is encountered during a database +// transaction. It contains the relevant *Migration and notes it's Id in the +// Error function output. +type TxError struct { + Migration *Migration + Err error +} + +func newTxError(migration *PlannedMigration, err error) error { + return &TxError{ + Migration: migration.Migration, + Err: err, + } +} + +func (e *TxError) Error() string { + return e.Err.Error() + " handling " + e.Migration.Id +} + +// Set the name of the table used to store migration info. +// +// Should be called before any other call such as (Exec, ExecMax, ...). +func SetTable(name string) { + if name != "" { + migSet.TableName = name + } +} + +// SetSchema sets the name of a schema that the migration table be referenced. +func SetSchema(name string) { + if name != "" { + migSet.SchemaName = name + } +} + +// SetDisableCreateTable sets the boolean to disable the creation of the migration table +func SetDisableCreateTable(disable bool) { + migSet.DisableCreateTable = disable +} + +// SetIgnoreUnknown sets the flag that skips database check to see if there is a +// migration in the database that is not in migration source. +// +// This should be used sparingly as it is removing a safety check. +func SetIgnoreUnknown(v bool) { + migSet.IgnoreUnknown = v +} + +type Migration struct { + Id string + Up []string + Down []string + + DisableTransactionUp bool + DisableTransactionDown bool +} + +func (m Migration) Less(other *Migration) bool { + switch { + case m.isNumeric() && other.isNumeric() && m.VersionInt() != other.VersionInt(): + return m.VersionInt() < other.VersionInt() + case m.isNumeric() && !other.isNumeric(): + return true + case !m.isNumeric() && other.isNumeric(): + return false + default: + return m.Id < other.Id + } +} + +func (m Migration) isNumeric() bool { + return len(m.NumberPrefixMatches()) > 0 +} + +func (m Migration) NumberPrefixMatches() []string { + return numberPrefixRegex.FindStringSubmatch(m.Id) +} + +func (m Migration) VersionInt() int64 { + v := m.NumberPrefixMatches()[1] + value, err := strconv.ParseInt(v, 10, 64) + if err != nil { + panic(fmt.Sprintf("Could not parse %q into int64: %s", v, err)) + } + return value +} + +type PlannedMigration struct { + *Migration + + DisableTransaction bool + Queries []string +} + +type byId []*Migration + +func (b byId) Len() int { return len(b) } +func (b byId) Swap(i, j int) { b[i], b[j] = b[j], b[i] } +func (b byId) Less(i, j int) bool { return b[i].Less(b[j]) } + +type MigrationRecord struct { + Id string `db:"id"` + AppliedAt time.Time `db:"applied_at"` +} + +type OracleDialect struct { + gorp.OracleDialect +} + +func (OracleDialect) IfTableNotExists(command, _, _ string) string { + return command +} + +func (OracleDialect) IfSchemaNotExists(command, _ string) string { + return command +} + +func (OracleDialect) IfTableExists(command, _, _ string) string { + return command +} + +var MigrationDialects = map[string]gorp.Dialect{ + "sqlite3": gorp.SqliteDialect{}, + "postgres": gorp.PostgresDialect{}, + "mysql": gorp.MySQLDialect{Engine: "InnoDB", Encoding: "UTF8"}, + "mssql": gorp.SqlServerDialect{}, + "oci8": OracleDialect{}, + "godror": OracleDialect{}, + "snowflake": gorp.SnowflakeDialect{}, +} + +type MigrationSource interface { + // Finds the migrations. + // + // The resulting slice of migrations should be sorted by Id. + FindMigrations() ([]*Migration, error) +} + +// A hardcoded set of migrations, in-memory. +type MemoryMigrationSource struct { + Migrations []*Migration +} + +var _ MigrationSource = (*MemoryMigrationSource)(nil) + +func (m MemoryMigrationSource) FindMigrations() ([]*Migration, error) { + // Make sure migrations are sorted. In order to make the MemoryMigrationSource safe for + // concurrent use we should not mutate it in place. So `FindMigrations` would sort a copy + // of the m.Migrations. + migrations := make([]*Migration, len(m.Migrations)) + copy(migrations, m.Migrations) + sort.Sort(byId(migrations)) + return migrations, nil +} + +// A set of migrations loaded from an http.FileServer + +type HttpFileSystemMigrationSource struct { + FileSystem http.FileSystem +} + +var _ MigrationSource = (*HttpFileSystemMigrationSource)(nil) + +func (f HttpFileSystemMigrationSource) FindMigrations() ([]*Migration, error) { + return findMigrations(f.FileSystem, "/") +} + +// A set of migrations loaded from a directory. +type FileMigrationSource struct { + Dir string +} + +var _ MigrationSource = (*FileMigrationSource)(nil) + +func (f FileMigrationSource) FindMigrations() ([]*Migration, error) { + filesystem := http.Dir(f.Dir) + return findMigrations(filesystem, "/") +} + +func findMigrations(dir http.FileSystem, root string) ([]*Migration, error) { + migrations := make([]*Migration, 0) + + file, err := dir.Open(root) + if err != nil { + return nil, err + } + + files, err := file.Readdir(0) + if err != nil { + return nil, err + } + + for _, info := range files { + if strings.HasSuffix(info.Name(), ".sql") { + migration, err := migrationFromFile(dir, root, info) + if err != nil { + return nil, err + } + + migrations = append(migrations, migration) + } + } + + // Make sure migrations are sorted + sort.Sort(byId(migrations)) + + return migrations, nil +} + +func migrationFromFile(dir http.FileSystem, root string, info os.FileInfo) (*Migration, error) { + path := path.Join(root, info.Name()) + file, err := dir.Open(path) + if err != nil { + return nil, fmt.Errorf("Error while opening %s: %w", info.Name(), err) + } + defer func() { _ = file.Close() }() + + migration, err := ParseMigration(info.Name(), file) + if err != nil { + return nil, fmt.Errorf("Error while parsing %s: %w", info.Name(), err) + } + return migration, nil +} + +// Migrations from a bindata asset set. +type AssetMigrationSource struct { + // Asset should return content of file in path if exists + Asset func(path string) ([]byte, error) + + // AssetDir should return list of files in the path + AssetDir func(path string) ([]string, error) + + // Path in the bindata to use. + Dir string +} + +var _ MigrationSource = (*AssetMigrationSource)(nil) + +func (a AssetMigrationSource) FindMigrations() ([]*Migration, error) { + migrations := make([]*Migration, 0) + + files, err := a.AssetDir(a.Dir) + if err != nil { + return nil, err + } + + for _, name := range files { + if strings.HasSuffix(name, ".sql") { + file, err := a.Asset(path.Join(a.Dir, name)) + if err != nil { + return nil, err + } + + migration, err := ParseMigration(name, bytes.NewReader(file)) + if err != nil { + return nil, err + } + + migrations = append(migrations, migration) + } + } + + // Make sure migrations are sorted + sort.Sort(byId(migrations)) + + return migrations, nil +} + +// A set of migrations loaded from an go1.16 embed.FS +type EmbedFileSystemMigrationSource struct { + FileSystem embed.FS + + Root string +} + +var _ MigrationSource = (*EmbedFileSystemMigrationSource)(nil) + +func (f EmbedFileSystemMigrationSource) FindMigrations() ([]*Migration, error) { + return findMigrations(http.FS(f.FileSystem), f.Root) +} + +// Avoids pulling in the packr library for everyone, mimicks the bits of +// packr.Box that we need. +type PackrBox interface { + List() []string + Find(name string) ([]byte, error) +} + +// Migrations from a packr box. +type PackrMigrationSource struct { + Box PackrBox + + // Path in the box to use. + Dir string +} + +var _ MigrationSource = (*PackrMigrationSource)(nil) + +func (p PackrMigrationSource) FindMigrations() ([]*Migration, error) { + migrations := make([]*Migration, 0) + items := p.Box.List() + + prefix := "" + dir := path.Clean(p.Dir) + if dir != "." { + prefix = fmt.Sprintf("%s/", dir) + } + + for _, item := range items { + if !strings.HasPrefix(item, prefix) { + continue + } + name := strings.TrimPrefix(item, prefix) + if strings.Contains(name, "/") { + continue + } + + if strings.HasSuffix(name, ".sql") { + file, err := p.Box.Find(item) + if err != nil { + return nil, err + } + + migration, err := ParseMigration(name, bytes.NewReader(file)) + if err != nil { + return nil, err + } + + migrations = append(migrations, migration) + } + } + + // Make sure migrations are sorted + sort.Sort(byId(migrations)) + + return migrations, nil +} + +// Migration parsing +func ParseMigration(id string, r io.ReadSeeker) (*Migration, error) { + m := &Migration{ + Id: id, + } + + parsed, err := sqlparse.ParseMigration(r) + if err != nil { + return nil, fmt.Errorf("Error parsing migration (%s): %w", id, err) + } + + m.Up = parsed.UpStatements + m.Down = parsed.DownStatements + + m.DisableTransactionUp = parsed.DisableTransactionUp + m.DisableTransactionDown = parsed.DisableTransactionDown + + return m, nil +} + +type SqlExecutor interface { + Exec(query string, args ...interface{}) (sql.Result, error) + Insert(list ...interface{}) error + Delete(list ...interface{}) (int64, error) +} + +// Execute a set of migrations +// +// Returns the number of applied migrations. +func Exec(db *sql.DB, dialect string, m MigrationSource, dir MigrationDirection) (int, error) { + return ExecMaxContext(context.Background(), db, dialect, m, dir, 0) +} + +// Returns the number of applied migrations. +func (ms MigrationSet) Exec(db *sql.DB, dialect string, m MigrationSource, dir MigrationDirection) (int, error) { + return ms.ExecMaxContext(context.Background(), db, dialect, m, dir, 0) +} + +// Execute a set of migrations with an input context. +// +// Returns the number of applied migrations. +func ExecContext(ctx context.Context, db *sql.DB, dialect string, m MigrationSource, dir MigrationDirection) (int, error) { + return ExecMaxContext(ctx, db, dialect, m, dir, 0) +} + +// Returns the number of applied migrations. +func (ms MigrationSet) ExecContext(ctx context.Context, db *sql.DB, dialect string, m MigrationSource, dir MigrationDirection) (int, error) { + return ms.ExecMaxContext(ctx, db, dialect, m, dir, 0) +} + +// Execute a set of migrations +// +// Will apply at most `max` migrations. Pass 0 for no limit (or use Exec). +// +// Returns the number of applied migrations. +func ExecMax(db *sql.DB, dialect string, m MigrationSource, dir MigrationDirection, max int) (int, error) { + return migSet.ExecMax(db, dialect, m, dir, max) +} + +// Execute a set of migrations with an input context. +// +// Will apply at most `max` migrations. Pass 0 for no limit (or use Exec). +// +// Returns the number of applied migrations. +func ExecMaxContext(ctx context.Context, db *sql.DB, dialect string, m MigrationSource, dir MigrationDirection, max int) (int, error) { + return migSet.ExecMaxContext(ctx, db, dialect, m, dir, max) +} + +// Execute a set of migrations +// +// Will apply at the target `version` of migration. Cannot be a negative value. +// +// Returns the number of applied migrations. +func ExecVersion(db *sql.DB, dialect string, m MigrationSource, dir MigrationDirection, version int64) (int, error) { + return ExecVersionContext(context.Background(), db, dialect, m, dir, version) +} + +// Execute a set of migrations with an input context. +// +// Will apply at the target `version` of migration. Cannot be a negative value. +// +// Returns the number of applied migrations. +func ExecVersionContext(ctx context.Context, db *sql.DB, dialect string, m MigrationSource, dir MigrationDirection, version int64) (int, error) { + if version < 0 { + return 0, fmt.Errorf("target version %d should not be negative", version) + } + return migSet.ExecVersionContext(ctx, db, dialect, m, dir, version) +} + +// Returns the number of applied migrations. +func (ms MigrationSet) ExecMax(db *sql.DB, dialect string, m MigrationSource, dir MigrationDirection, max int) (int, error) { + return ms.ExecMaxContext(context.Background(), db, dialect, m, dir, max) +} + +// Returns the number of applied migrations, but applies with an input context. +func (ms MigrationSet) ExecMaxContext(ctx context.Context, db *sql.DB, dialect string, m MigrationSource, dir MigrationDirection, max int) (int, error) { + migrations, dbMap, err := ms.PlanMigration(db, dialect, m, dir, max) + if err != nil { + return 0, err + } + return ms.applyMigrations(ctx, dir, migrations, dbMap) +} + +// Returns the number of applied migrations. +func (ms MigrationSet) ExecVersion(db *sql.DB, dialect string, m MigrationSource, dir MigrationDirection, version int64) (int, error) { + return ms.ExecVersionContext(context.Background(), db, dialect, m, dir, version) +} + +func (ms MigrationSet) ExecVersionContext(ctx context.Context, db *sql.DB, dialect string, m MigrationSource, dir MigrationDirection, version int64) (int, error) { + migrations, dbMap, err := ms.PlanMigrationToVersion(db, dialect, m, dir, version) + if err != nil { + return 0, err + } + return ms.applyMigrations(ctx, dir, migrations, dbMap) +} + +// Applies the planned migrations and returns the number of applied migrations. +func (MigrationSet) applyMigrations(ctx context.Context, dir MigrationDirection, migrations []*PlannedMigration, dbMap *gorp.DbMap) (int, error) { + applied := 0 + for _, migration := range migrations { + var executor SqlExecutor + var err error + + if migration.DisableTransaction { + executor = dbMap.WithContext(ctx) + } else { + e, err := dbMap.Begin() + if err != nil { + return applied, newTxError(migration, err) + } + executor = e.WithContext(ctx) + } + + for _, stmt := range migration.Queries { + // remove the semicolon from stmt, fix ORA-00922 issue in database oracle + stmt = strings.TrimSuffix(stmt, "\n") + stmt = strings.TrimSuffix(stmt, " ") + stmt = strings.TrimSuffix(stmt, ";") + if _, err := executor.Exec(stmt); err != nil { + if trans, ok := executor.(*gorp.Transaction); ok { + _ = trans.Rollback() + } + + return applied, newTxError(migration, err) + } + } + + switch dir { + case Up: + err = executor.Insert(&MigrationRecord{ + Id: migration.Id, + AppliedAt: time.Now(), + }) + if err != nil { + if trans, ok := executor.(*gorp.Transaction); ok { + _ = trans.Rollback() + } + + return applied, newTxError(migration, err) + } + case Down: + _, err := executor.Delete(&MigrationRecord{ + Id: migration.Id, + }) + if err != nil { + if trans, ok := executor.(*gorp.Transaction); ok { + _ = trans.Rollback() + } + + return applied, newTxError(migration, err) + } + default: + panic("Not possible") + } + + if trans, ok := executor.(*gorp.Transaction); ok { + if err := trans.Commit(); err != nil { + return applied, newTxError(migration, err) + } + } + + applied++ + } + + return applied, nil +} + +// Plan a migration. +func PlanMigration(db *sql.DB, dialect string, m MigrationSource, dir MigrationDirection, max int) ([]*PlannedMigration, *gorp.DbMap, error) { + return migSet.PlanMigration(db, dialect, m, dir, max) +} + +// Plan a migration to version. +func PlanMigrationToVersion(db *sql.DB, dialect string, m MigrationSource, dir MigrationDirection, version int64) ([]*PlannedMigration, *gorp.DbMap, error) { + return migSet.PlanMigrationToVersion(db, dialect, m, dir, version) +} + +// Plan a migration. +func (ms MigrationSet) PlanMigration(db *sql.DB, dialect string, m MigrationSource, dir MigrationDirection, max int) ([]*PlannedMigration, *gorp.DbMap, error) { + return ms.planMigrationCommon(db, dialect, m, dir, max, -1) +} + +// Plan a migration to version. +func (ms MigrationSet) PlanMigrationToVersion(db *sql.DB, dialect string, m MigrationSource, dir MigrationDirection, version int64) ([]*PlannedMigration, *gorp.DbMap, error) { + return ms.planMigrationCommon(db, dialect, m, dir, 0, version) +} + +// A common method to plan a migration. +func (ms MigrationSet) planMigrationCommon(db *sql.DB, dialect string, m MigrationSource, dir MigrationDirection, max int, version int64) ([]*PlannedMigration, *gorp.DbMap, error) { + dbMap, err := ms.getMigrationDbMap(db, dialect) + if err != nil { + return nil, nil, err + } + + migrations, err := m.FindMigrations() + if err != nil { + return nil, nil, err + } + + var migrationRecords []MigrationRecord + _, err = dbMap.Select(&migrationRecords, fmt.Sprintf("SELECT * FROM %s", dbMap.Dialect.QuotedTableForQuery(ms.SchemaName, ms.getTableName()))) + if err != nil { + return nil, nil, err + } + + // Sort migrations that have been run by Id. + var existingMigrations []*Migration + for _, migrationRecord := range migrationRecords { + existingMigrations = append(existingMigrations, &Migration{ + Id: migrationRecord.Id, + }) + } + sort.Sort(byId(existingMigrations)) + + // Make sure all migrations in the database are among the found migrations which + // are to be applied. + if !ms.IgnoreUnknown { + migrationsSearch := make(map[string]struct{}) + for _, migration := range migrations { + migrationsSearch[migration.Id] = struct{}{} + } + for _, existingMigration := range existingMigrations { + if _, ok := migrationsSearch[existingMigration.Id]; !ok { + return nil, nil, newPlanError(existingMigration, "unknown migration in database") + } + } + } + + // Get last migration that was run + record := &Migration{} + if len(existingMigrations) > 0 { + record = existingMigrations[len(existingMigrations)-1] + } + + result := make([]*PlannedMigration, 0) + + // Add missing migrations up to the last run migration. + // This can happen for example when merges happened. + if len(existingMigrations) > 0 { + result = append(result, ToCatchup(migrations, existingMigrations, record)...) + } + + // Figure out which migrations to apply + toApply := ToApply(migrations, record.Id, dir) + toApplyCount := len(toApply) + + if version >= 0 { + targetIndex := 0 + for targetIndex < len(toApply) { + tempVersion := toApply[targetIndex].VersionInt() + if dir == Up && tempVersion > version || dir == Down && tempVersion < version { + return nil, nil, newPlanError(&Migration{}, fmt.Errorf("unknown migration with version id %d in database", version).Error()) + } + if tempVersion == version { + toApplyCount = targetIndex + 1 + break + } + targetIndex++ + } + if targetIndex == len(toApply) { + return nil, nil, newPlanError(&Migration{}, fmt.Errorf("unknown migration with version id %d in database", version).Error()) + } + } else if max > 0 && max < toApplyCount { + toApplyCount = max + } + for _, v := range toApply[0:toApplyCount] { + switch dir { + case Up: + result = append(result, &PlannedMigration{ + Migration: v, + Queries: v.Up, + DisableTransaction: v.DisableTransactionUp, + }) + case Down: + result = append(result, &PlannedMigration{ + Migration: v, + Queries: v.Down, + DisableTransaction: v.DisableTransactionDown, + }) + } + } + + return result, dbMap, nil +} + +// Skip a set of migrations +// +// Will skip at most `max` migrations. Pass 0 for no limit. +// +// Returns the number of skipped migrations. +func SkipMax(db *sql.DB, dialect string, m MigrationSource, dir MigrationDirection, max int) (int, error) { + migrations, dbMap, err := PlanMigration(db, dialect, m, dir, max) + if err != nil { + return 0, err + } + + // Skip migrations + applied := 0 + for _, migration := range migrations { + var executor SqlExecutor + + if migration.DisableTransaction { + executor = dbMap + } else { + executor, err = dbMap.Begin() + if err != nil { + return applied, newTxError(migration, err) + } + } + + err = executor.Insert(&MigrationRecord{ + Id: migration.Id, + AppliedAt: time.Now(), + }) + if err != nil { + if trans, ok := executor.(*gorp.Transaction); ok { + _ = trans.Rollback() + } + + return applied, newTxError(migration, err) + } + + if trans, ok := executor.(*gorp.Transaction); ok { + if err := trans.Commit(); err != nil { + return applied, newTxError(migration, err) + } + } + + applied++ + } + + return applied, nil +} + +// Filter a slice of migrations into ones that should be applied. +func ToApply(migrations []*Migration, current string, direction MigrationDirection) []*Migration { + index := -1 + if current != "" { + for index < len(migrations)-1 { + index++ + if migrations[index].Id == current { + break + } + } + } + + switch direction { + case Up: + return migrations[index+1:] + case Down: + if index == -1 { + return []*Migration{} + } + toApply := make([]*Migration, index+1) + for i := 0; i < index+1; i++ { + toApply[index-i] = migrations[i] + } + return toApply + } + + panic("Not possible") +} + +func ToCatchup(migrations, existingMigrations []*Migration, lastRun *Migration) []*PlannedMigration { + missing := make([]*PlannedMigration, 0) + for _, migration := range migrations { + found := false + for _, existing := range existingMigrations { + if existing.Id == migration.Id { + found = true + break + } + } + if !found && migration.Less(lastRun) { + missing = append(missing, &PlannedMigration{ + Migration: migration, + Queries: migration.Up, + DisableTransaction: migration.DisableTransactionUp, + }) + } + } + return missing +} + +func GetMigrationRecords(db *sql.DB, dialect string) ([]*MigrationRecord, error) { + return migSet.GetMigrationRecords(db, dialect) +} + +func (ms MigrationSet) GetMigrationRecords(db *sql.DB, dialect string) ([]*MigrationRecord, error) { + dbMap, err := ms.getMigrationDbMap(db, dialect) + if err != nil { + return nil, err + } + + var records []*MigrationRecord + query := fmt.Sprintf("SELECT * FROM %s ORDER BY %s ASC", dbMap.Dialect.QuotedTableForQuery(ms.SchemaName, ms.getTableName()), dbMap.Dialect.QuoteField("id")) + _, err = dbMap.Select(&records, query) + if err != nil { + return nil, err + } + + return records, nil +} + +func (ms MigrationSet) getMigrationDbMap(db *sql.DB, dialect string) (*gorp.DbMap, error) { + d, ok := MigrationDialects[dialect] + if !ok { + return nil, fmt.Errorf("Unknown dialect: %s", dialect) + } + + // When using the mysql driver, make sure that the parseTime option is + // configured, otherwise it won't map time columns to time.Time. See + // https://github.com/rubenv/sql-migrate/issues/2 + if dialect == "mysql" { + var out *time.Time + err := db.QueryRow("SELECT NOW()").Scan(&out) + if err != nil { + if err.Error() == "sql: Scan error on column index 0: unsupported driver -> Scan pair: []uint8 -> *time.Time" || + err.Error() == "sql: Scan error on column index 0: unsupported Scan, storing driver.Value type []uint8 into type *time.Time" || + err.Error() == "sql: Scan error on column index 0, name \"NOW()\": unsupported Scan, storing driver.Value type []uint8 into type *time.Time" { + return nil, errors.New(`Cannot parse dates. + +Make sure that the parseTime option is supplied to your database connection. +Check https://github.com/go-sql-driver/mysql#parsetime for more info.`) + } + return nil, err + } + } + + // Create migration database map + dbMap := &gorp.DbMap{Db: db, Dialect: d} + table := dbMap.AddTableWithNameAndSchema(MigrationRecord{}, ms.SchemaName, ms.getTableName()).SetKeys(false, "Id") + + if dialect == "oci8" || dialect == "godror" { + table.ColMap("Id").SetMaxSize(4000) + } + + if ms.DisableCreateTable { + return dbMap, nil + } + + err := dbMap.CreateTablesIfNotExists() + if err != nil { + // Oracle database does not support `if not exists`, so use `ORA-00955:` error code + // to check if the table exists. + if (dialect == "oci8" || dialect == "godror") && strings.Contains(err.Error(), "ORA-00955:") { + return dbMap, nil + } + return nil, err + } + + return dbMap, nil +} + +// TODO: Run migration + record insert in transaction. diff --git a/vendor/github.com/rubenv/sql-migrate/sqlparse/LICENSE b/vendor/github.com/rubenv/sql-migrate/sqlparse/LICENSE new file mode 100644 index 0000000000..9c12525138 --- /dev/null +++ b/vendor/github.com/rubenv/sql-migrate/sqlparse/LICENSE @@ -0,0 +1,22 @@ +MIT License + +Copyright (C) 2014-2017 by Ruben Vermeersch +Copyright (C) 2012-2014 by Liam Staskawicz + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE. diff --git a/vendor/github.com/rubenv/sql-migrate/sqlparse/README.md b/vendor/github.com/rubenv/sql-migrate/sqlparse/README.md new file mode 100644 index 0000000000..fa5341abdb --- /dev/null +++ b/vendor/github.com/rubenv/sql-migrate/sqlparse/README.md @@ -0,0 +1,7 @@ +# SQL migration parser + +Based on the [goose](https://bitbucket.org/liamstask/goose) migration parser. + +## License + +This library is distributed under the [MIT](LICENSE) license. diff --git a/vendor/github.com/rubenv/sql-migrate/sqlparse/sqlparse.go b/vendor/github.com/rubenv/sql-migrate/sqlparse/sqlparse.go new file mode 100644 index 0000000000..f04460e6e2 --- /dev/null +++ b/vendor/github.com/rubenv/sql-migrate/sqlparse/sqlparse.go @@ -0,0 +1,226 @@ +package sqlparse + +import ( + "bufio" + "bytes" + "fmt" + "io" + "strings" +) + +const ( + sqlCmdPrefix = "-- +migrate " + optionNoTransaction = "notransaction" +) + +type ParsedMigration struct { + UpStatements []string + DownStatements []string + + DisableTransactionUp bool + DisableTransactionDown bool +} + +// LineSeparator can be used to split migrations by an exact line match. This line +// will be removed from the output. If left blank, it is not considered. It is defaulted +// to blank so you will have to set it manually. +// Use case: in MSSQL, it is convenient to separate commands by GO statements like in +// SQL Query Analyzer. +var LineSeparator = "" + +func errNoTerminator() error { + if len(LineSeparator) == 0 { + return fmt.Errorf(`ERROR: The last statement must be ended by a semicolon or '-- +migrate StatementEnd' marker. + See https://github.com/rubenv/sql-migrate for details.`) + } + + return fmt.Errorf(`ERROR: The last statement must be ended by a semicolon, a line whose contents are %q, or '-- +migrate StatementEnd' marker. + See https://github.com/rubenv/sql-migrate for details.`, LineSeparator) +} + +// Checks the line to see if the line has a statement-ending semicolon +// or if the line contains a double-dash comment. +func endsWithSemicolon(line string) bool { + prev := "" + scanner := bufio.NewScanner(strings.NewReader(line)) + scanner.Split(bufio.ScanWords) + + for scanner.Scan() { + word := scanner.Text() + if strings.HasPrefix(word, "--") { + break + } + prev = word + } + + return strings.HasSuffix(prev, ";") +} + +type migrationDirection int + +const ( + directionNone migrationDirection = iota + directionUp + directionDown +) + +type migrateCommand struct { + Command string + Options []string +} + +func (c *migrateCommand) HasOption(opt string) bool { + for _, specifiedOption := range c.Options { + if specifiedOption == opt { + return true + } + } + + return false +} + +func parseCommand(line string) (*migrateCommand, error) { + cmd := &migrateCommand{} + + if !strings.HasPrefix(line, sqlCmdPrefix) { + return nil, fmt.Errorf("ERROR: not a sql-migrate command") + } + + fields := strings.Fields(line[len(sqlCmdPrefix):]) + if len(fields) == 0 { + return nil, fmt.Errorf(`ERROR: incomplete migration command`) + } + + cmd.Command = fields[0] + + cmd.Options = fields[1:] + + return cmd, nil +} + +// Split the given sql script into individual statements. +// +// The base case is to simply split on semicolons, as these +// naturally terminate a statement. +// +// However, more complex cases like pl/pgsql can have semicolons +// within a statement. For these cases, we provide the explicit annotations +// 'StatementBegin' and 'StatementEnd' to allow the script to +// tell us to ignore semicolons. +func ParseMigration(r io.ReadSeeker) (*ParsedMigration, error) { + p := &ParsedMigration{} + + _, err := r.Seek(0, 0) + if err != nil { + return nil, err + } + + var buf bytes.Buffer + scanner := bufio.NewScanner(r) + scanner.Buffer(make([]byte, 0, 64*1024), 1024*1024) + + statementEnded := false + ignoreSemicolons := false + currentDirection := directionNone + + for scanner.Scan() { + line := scanner.Text() + // ignore comment except beginning with '-- +' + if strings.HasPrefix(line, "-- ") && !strings.HasPrefix(line, "-- +") { + continue + } + + // handle any migrate-specific commands + if strings.HasPrefix(line, sqlCmdPrefix) { + cmd, err := parseCommand(line) + if err != nil { + return nil, err + } + + switch cmd.Command { + case "Up": + if len(strings.TrimSpace(buf.String())) > 0 { + return nil, errNoTerminator() + } + currentDirection = directionUp + if cmd.HasOption(optionNoTransaction) { + p.DisableTransactionUp = true + } + + case "Down": + if len(strings.TrimSpace(buf.String())) > 0 { + return nil, errNoTerminator() + } + currentDirection = directionDown + if cmd.HasOption(optionNoTransaction) { + p.DisableTransactionDown = true + } + + case "StatementBegin": + if currentDirection != directionNone { + ignoreSemicolons = true + } + + case "StatementEnd": + if currentDirection != directionNone { + statementEnded = ignoreSemicolons + ignoreSemicolons = false + } + } + } + + if currentDirection == directionNone { + continue + } + + isLineSeparator := !ignoreSemicolons && len(LineSeparator) > 0 && line == LineSeparator + + if !isLineSeparator && !strings.HasPrefix(line, "-- +") { + if _, err := buf.WriteString(line + "\n"); err != nil { + return nil, err + } + } + + // Wrap up the two supported cases: 1) basic with semicolon; 2) psql statement + // Lines that end with semicolon that are in a statement block + // do not conclude statement. + if (!ignoreSemicolons && (endsWithSemicolon(line) || isLineSeparator)) || statementEnded { + statementEnded = false + switch currentDirection { + case directionUp: + p.UpStatements = append(p.UpStatements, buf.String()) + + case directionDown: + p.DownStatements = append(p.DownStatements, buf.String()) + + default: + panic("impossible state") + } + + buf.Reset() + } + } + + if err := scanner.Err(); err != nil { + return nil, err + } + + // diagnose likely migration script errors + if ignoreSemicolons { + return nil, fmt.Errorf("ERROR: saw '-- +migrate StatementBegin' with no matching '-- +migrate StatementEnd'") + } + + if currentDirection == directionNone { + return nil, fmt.Errorf(`ERROR: no Up/Down annotations found, so no statements were executed. + See https://github.com/rubenv/sql-migrate for details.`) + } + + // allow comment without sql instruction. Example: + // -- +migrate Down + // -- nothing to downgrade! + if len(strings.TrimSpace(buf.String())) > 0 && !strings.HasPrefix(buf.String(), "-- +") { + return nil, errNoTerminator() + } + + return p, nil +} diff --git a/vendor/github.com/russross/blackfriday/v2/.gitignore b/vendor/github.com/russross/blackfriday/v2/.gitignore new file mode 100644 index 0000000000..75623dcccb --- /dev/null +++ b/vendor/github.com/russross/blackfriday/v2/.gitignore @@ -0,0 +1,8 @@ +*.out +*.swp +*.8 +*.6 +_obj +_test* +markdown +tags diff --git a/vendor/github.com/russross/blackfriday/v2/.travis.yml b/vendor/github.com/russross/blackfriday/v2/.travis.yml new file mode 100644 index 0000000000..b0b525a5a8 --- /dev/null +++ b/vendor/github.com/russross/blackfriday/v2/.travis.yml @@ -0,0 +1,17 @@ +sudo: false +language: go +go: + - "1.10.x" + - "1.11.x" + - tip +matrix: + fast_finish: true + allow_failures: + - go: tip +install: + - # Do nothing. This is needed to prevent default install action "go get -t -v ./..." from happening here (we want it to happen inside script step). +script: + - go get -t -v ./... + - diff -u <(echo -n) <(gofmt -d -s .) + - go tool vet . + - go test -v ./... diff --git a/vendor/github.com/russross/blackfriday/v2/LICENSE.txt b/vendor/github.com/russross/blackfriday/v2/LICENSE.txt new file mode 100644 index 0000000000..2885af3602 --- /dev/null +++ b/vendor/github.com/russross/blackfriday/v2/LICENSE.txt @@ -0,0 +1,29 @@ +Blackfriday is distributed under the Simplified BSD License: + +> Copyright © 2011 Russ Ross +> All rights reserved. +> +> Redistribution and use in source and binary forms, with or without +> modification, are permitted provided that the following conditions +> are met: +> +> 1. Redistributions of source code must retain the above copyright +> notice, this list of conditions and the following disclaimer. +> +> 2. Redistributions in binary form must reproduce the above +> copyright notice, this list of conditions and the following +> disclaimer in the documentation and/or other materials provided with +> the distribution. +> +> THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +> "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +> LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS +> FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +> COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, +> INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, +> BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +> LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +> CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +> LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN +> ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +> POSSIBILITY OF SUCH DAMAGE. diff --git a/vendor/github.com/russross/blackfriday/v2/README.md b/vendor/github.com/russross/blackfriday/v2/README.md new file mode 100644 index 0000000000..d9c08a22fc --- /dev/null +++ b/vendor/github.com/russross/blackfriday/v2/README.md @@ -0,0 +1,335 @@ +Blackfriday +[![Build Status][BuildV2SVG]][BuildV2URL] +[![PkgGoDev][PkgGoDevV2SVG]][PkgGoDevV2URL] +=========== + +Blackfriday is a [Markdown][1] processor implemented in [Go][2]. It +is paranoid about its input (so you can safely feed it user-supplied +data), it is fast, it supports common extensions (tables, smart +punctuation substitutions, etc.), and it is safe for all utf-8 +(unicode) input. + +HTML output is currently supported, along with Smartypants +extensions. + +It started as a translation from C of [Sundown][3]. + + +Installation +------------ + +Blackfriday is compatible with modern Go releases in module mode. +With Go installed: + + go get github.com/russross/blackfriday/v2 + +will resolve and add the package to the current development module, +then build and install it. Alternatively, you can achieve the same +if you import it in a package: + + import "github.com/russross/blackfriday/v2" + +and `go get` without parameters. + +Legacy GOPATH mode is unsupported. + + +Versions +-------- + +Currently maintained and recommended version of Blackfriday is `v2`. It's being +developed on its own branch: https://github.com/russross/blackfriday/tree/v2 and the +documentation is available at +https://pkg.go.dev/github.com/russross/blackfriday/v2. + +It is `go get`-able in module mode at `github.com/russross/blackfriday/v2`. + +Version 2 offers a number of improvements over v1: + +* Cleaned up API +* A separate call to [`Parse`][4], which produces an abstract syntax tree for + the document +* Latest bug fixes +* Flexibility to easily add your own rendering extensions + +Potential drawbacks: + +* Our benchmarks show v2 to be slightly slower than v1. Currently in the + ballpark of around 15%. +* API breakage. If you can't afford modifying your code to adhere to the new API + and don't care too much about the new features, v2 is probably not for you. +* Several bug fixes are trailing behind and still need to be forward-ported to + v2. See issue [#348](https://github.com/russross/blackfriday/issues/348) for + tracking. + +If you are still interested in the legacy `v1`, you can import it from +`github.com/russross/blackfriday`. Documentation for the legacy v1 can be found +here: https://pkg.go.dev/github.com/russross/blackfriday. + + +Usage +----- + +For the most sensible markdown processing, it is as simple as getting your input +into a byte slice and calling: + +```go +output := blackfriday.Run(input) +``` + +Your input will be parsed and the output rendered with a set of most popular +extensions enabled. If you want the most basic feature set, corresponding with +the bare Markdown specification, use: + +```go +output := blackfriday.Run(input, blackfriday.WithNoExtensions()) +``` + +### Sanitize untrusted content + +Blackfriday itself does nothing to protect against malicious content. If you are +dealing with user-supplied markdown, we recommend running Blackfriday's output +through HTML sanitizer such as [Bluemonday][5]. + +Here's an example of simple usage of Blackfriday together with Bluemonday: + +```go +import ( + "github.com/microcosm-cc/bluemonday" + "github.com/russross/blackfriday/v2" +) + +// ... +unsafe := blackfriday.Run(input) +html := bluemonday.UGCPolicy().SanitizeBytes(unsafe) +``` + +### Custom options + +If you want to customize the set of options, use `blackfriday.WithExtensions`, +`blackfriday.WithRenderer` and `blackfriday.WithRefOverride`. + +### `blackfriday-tool` + +You can also check out `blackfriday-tool` for a more complete example +of how to use it. Download and install it using: + + go get github.com/russross/blackfriday-tool + +This is a simple command-line tool that allows you to process a +markdown file using a standalone program. You can also browse the +source directly on github if you are just looking for some example +code: + +* + +Note that if you have not already done so, installing +`blackfriday-tool` will be sufficient to download and install +blackfriday in addition to the tool itself. The tool binary will be +installed in `$GOPATH/bin`. This is a statically-linked binary that +can be copied to wherever you need it without worrying about +dependencies and library versions. + +### Sanitized anchor names + +Blackfriday includes an algorithm for creating sanitized anchor names +corresponding to a given input text. This algorithm is used to create +anchors for headings when `AutoHeadingIDs` extension is enabled. The +algorithm has a specification, so that other packages can create +compatible anchor names and links to those anchors. + +The specification is located at https://pkg.go.dev/github.com/russross/blackfriday/v2#hdr-Sanitized_Anchor_Names. + +[`SanitizedAnchorName`](https://pkg.go.dev/github.com/russross/blackfriday/v2#SanitizedAnchorName) exposes this functionality, and can be used to +create compatible links to the anchor names generated by blackfriday. +This algorithm is also implemented in a small standalone package at +[`github.com/shurcooL/sanitized_anchor_name`](https://pkg.go.dev/github.com/shurcooL/sanitized_anchor_name). It can be useful for clients +that want a small package and don't need full functionality of blackfriday. + + +Features +-------- + +All features of Sundown are supported, including: + +* **Compatibility**. The Markdown v1.0.3 test suite passes with + the `--tidy` option. Without `--tidy`, the differences are + mostly in whitespace and entity escaping, where blackfriday is + more consistent and cleaner. + +* **Common extensions**, including table support, fenced code + blocks, autolinks, strikethroughs, non-strict emphasis, etc. + +* **Safety**. Blackfriday is paranoid when parsing, making it safe + to feed untrusted user input without fear of bad things + happening. The test suite stress tests this and there are no + known inputs that make it crash. If you find one, please let me + know and send me the input that does it. + + NOTE: "safety" in this context means *runtime safety only*. In order to + protect yourself against JavaScript injection in untrusted content, see + [this example](https://github.com/russross/blackfriday#sanitize-untrusted-content). + +* **Fast processing**. It is fast enough to render on-demand in + most web applications without having to cache the output. + +* **Thread safety**. You can run multiple parsers in different + goroutines without ill effect. There is no dependence on global + shared state. + +* **Minimal dependencies**. Blackfriday only depends on standard + library packages in Go. The source code is pretty + self-contained, so it is easy to add to any project, including + Google App Engine projects. + +* **Standards compliant**. Output successfully validates using the + W3C validation tool for HTML 4.01 and XHTML 1.0 Transitional. + + +Extensions +---------- + +In addition to the standard markdown syntax, this package +implements the following extensions: + +* **Intra-word emphasis supression**. The `_` character is + commonly used inside words when discussing code, so having + markdown interpret it as an emphasis command is usually the + wrong thing. Blackfriday lets you treat all emphasis markers as + normal characters when they occur inside a word. + +* **Tables**. Tables can be created by drawing them in the input + using a simple syntax: + + ``` + Name | Age + --------|------ + Bob | 27 + Alice | 23 + ``` + +* **Fenced code blocks**. In addition to the normal 4-space + indentation to mark code blocks, you can explicitly mark them + and supply a language (to make syntax highlighting simple). Just + mark it like this: + + ```go + func getTrue() bool { + return true + } + ``` + + You can use 3 or more backticks to mark the beginning of the + block, and the same number to mark the end of the block. + + To preserve classes of fenced code blocks while using the bluemonday + HTML sanitizer, use the following policy: + + ```go + p := bluemonday.UGCPolicy() + p.AllowAttrs("class").Matching(regexp.MustCompile("^language-[a-zA-Z0-9]+$")).OnElements("code") + html := p.SanitizeBytes(unsafe) + ``` + +* **Definition lists**. A simple definition list is made of a single-line + term followed by a colon and the definition for that term. + + Cat + : Fluffy animal everyone likes + + Internet + : Vector of transmission for pictures of cats + + Terms must be separated from the previous definition by a blank line. + +* **Footnotes**. A marker in the text that will become a superscript number; + a footnote definition that will be placed in a list of footnotes at the + end of the document. A footnote looks like this: + + This is a footnote.[^1] + + [^1]: the footnote text. + +* **Autolinking**. Blackfriday can find URLs that have not been + explicitly marked as links and turn them into links. + +* **Strikethrough**. Use two tildes (`~~`) to mark text that + should be crossed out. + +* **Hard line breaks**. With this extension enabled newlines in the input + translate into line breaks in the output. This extension is off by default. + +* **Smart quotes**. Smartypants-style punctuation substitution is + supported, turning normal double- and single-quote marks into + curly quotes, etc. + +* **LaTeX-style dash parsing** is an additional option, where `--` + is translated into `–`, and `---` is translated into + `—`. This differs from most smartypants processors, which + turn a single hyphen into an ndash and a double hyphen into an + mdash. + +* **Smart fractions**, where anything that looks like a fraction + is translated into suitable HTML (instead of just a few special + cases like most smartypant processors). For example, `4/5` + becomes `45`, which renders as + 45. + + +Other renderers +--------------- + +Blackfriday is structured to allow alternative rendering engines. Here +are a few of note: + +* [github_flavored_markdown](https://pkg.go.dev/github.com/shurcooL/github_flavored_markdown): + provides a GitHub Flavored Markdown renderer with fenced code block + highlighting, clickable heading anchor links. + + It's not customizable, and its goal is to produce HTML output + equivalent to the [GitHub Markdown API endpoint](https://developer.github.com/v3/markdown/#render-a-markdown-document-in-raw-mode), + except the rendering is performed locally. + +* [markdownfmt](https://github.com/shurcooL/markdownfmt): like gofmt, + but for markdown. + +* [LaTeX output](https://gitlab.com/ambrevar/blackfriday-latex): + renders output as LaTeX. + +* [bfchroma](https://github.com/Depado/bfchroma/): provides convenience + integration with the [Chroma](https://github.com/alecthomas/chroma) code + highlighting library. bfchroma is only compatible with v2 of Blackfriday and + provides a drop-in renderer ready to use with Blackfriday, as well as + options and means for further customization. + +* [Blackfriday-Confluence](https://github.com/kentaro-m/blackfriday-confluence): provides a [Confluence Wiki Markup](https://confluence.atlassian.com/doc/confluence-wiki-markup-251003035.html) renderer. + +* [Blackfriday-Slack](https://github.com/karriereat/blackfriday-slack): converts markdown to slack message style + + +TODO +---- + +* More unit testing +* Improve Unicode support. It does not understand all Unicode + rules (about what constitutes a letter, a punctuation symbol, + etc.), so it may fail to detect word boundaries correctly in + some instances. It is safe on all UTF-8 input. + + +License +------- + +[Blackfriday is distributed under the Simplified BSD License](LICENSE.txt) + + + [1]: https://daringfireball.net/projects/markdown/ "Markdown" + [2]: https://golang.org/ "Go Language" + [3]: https://github.com/vmg/sundown "Sundown" + [4]: https://pkg.go.dev/github.com/russross/blackfriday/v2#Parse "Parse func" + [5]: https://github.com/microcosm-cc/bluemonday "Bluemonday" + + [BuildV2SVG]: https://travis-ci.org/russross/blackfriday.svg?branch=v2 + [BuildV2URL]: https://travis-ci.org/russross/blackfriday + [PkgGoDevV2SVG]: https://pkg.go.dev/badge/github.com/russross/blackfriday/v2 + [PkgGoDevV2URL]: https://pkg.go.dev/github.com/russross/blackfriday/v2 diff --git a/vendor/github.com/russross/blackfriday/v2/block.go b/vendor/github.com/russross/blackfriday/v2/block.go new file mode 100644 index 0000000000..dcd61e6e35 --- /dev/null +++ b/vendor/github.com/russross/blackfriday/v2/block.go @@ -0,0 +1,1612 @@ +// +// Blackfriday Markdown Processor +// Available at http://github.com/russross/blackfriday +// +// Copyright © 2011 Russ Ross . +// Distributed under the Simplified BSD License. +// See README.md for details. +// + +// +// Functions to parse block-level elements. +// + +package blackfriday + +import ( + "bytes" + "html" + "regexp" + "strings" + "unicode" +) + +const ( + charEntity = "&(?:#x[a-f0-9]{1,8}|#[0-9]{1,8}|[a-z][a-z0-9]{1,31});" + escapable = "[!\"#$%&'()*+,./:;<=>?@[\\\\\\]^_`{|}~-]" +) + +var ( + reBackslashOrAmp = regexp.MustCompile("[\\&]") + reEntityOrEscapedChar = regexp.MustCompile("(?i)\\\\" + escapable + "|" + charEntity) +) + +// Parse block-level data. +// Note: this function and many that it calls assume that +// the input buffer ends with a newline. +func (p *Markdown) block(data []byte) { + // this is called recursively: enforce a maximum depth + if p.nesting >= p.maxNesting { + return + } + p.nesting++ + + // parse out one block-level construct at a time + for len(data) > 0 { + // prefixed heading: + // + // # Heading 1 + // ## Heading 2 + // ... + // ###### Heading 6 + if p.isPrefixHeading(data) { + data = data[p.prefixHeading(data):] + continue + } + + // block of preformatted HTML: + // + //
+ // ... + //
+ if data[0] == '<' { + if i := p.html(data, true); i > 0 { + data = data[i:] + continue + } + } + + // title block + // + // % stuff + // % more stuff + // % even more stuff + if p.extensions&Titleblock != 0 { + if data[0] == '%' { + if i := p.titleBlock(data, true); i > 0 { + data = data[i:] + continue + } + } + } + + // blank lines. note: returns the # of bytes to skip + if i := p.isEmpty(data); i > 0 { + data = data[i:] + continue + } + + // indented code block: + // + // func max(a, b int) int { + // if a > b { + // return a + // } + // return b + // } + if p.codePrefix(data) > 0 { + data = data[p.code(data):] + continue + } + + // fenced code block: + // + // ``` go + // func fact(n int) int { + // if n <= 1 { + // return n + // } + // return n * fact(n-1) + // } + // ``` + if p.extensions&FencedCode != 0 { + if i := p.fencedCodeBlock(data, true); i > 0 { + data = data[i:] + continue + } + } + + // horizontal rule: + // + // ------ + // or + // ****** + // or + // ______ + if p.isHRule(data) { + p.addBlock(HorizontalRule, nil) + var i int + for i = 0; i < len(data) && data[i] != '\n'; i++ { + } + data = data[i:] + continue + } + + // block quote: + // + // > A big quote I found somewhere + // > on the web + if p.quotePrefix(data) > 0 { + data = data[p.quote(data):] + continue + } + + // table: + // + // Name | Age | Phone + // ------|-----|--------- + // Bob | 31 | 555-1234 + // Alice | 27 | 555-4321 + if p.extensions&Tables != 0 { + if i := p.table(data); i > 0 { + data = data[i:] + continue + } + } + + // an itemized/unordered list: + // + // * Item 1 + // * Item 2 + // + // also works with + or - + if p.uliPrefix(data) > 0 { + data = data[p.list(data, 0):] + continue + } + + // a numbered/ordered list: + // + // 1. Item 1 + // 2. Item 2 + if p.oliPrefix(data) > 0 { + data = data[p.list(data, ListTypeOrdered):] + continue + } + + // definition lists: + // + // Term 1 + // : Definition a + // : Definition b + // + // Term 2 + // : Definition c + if p.extensions&DefinitionLists != 0 { + if p.dliPrefix(data) > 0 { + data = data[p.list(data, ListTypeDefinition):] + continue + } + } + + // anything else must look like a normal paragraph + // note: this finds underlined headings, too + data = data[p.paragraph(data):] + } + + p.nesting-- +} + +func (p *Markdown) addBlock(typ NodeType, content []byte) *Node { + p.closeUnmatchedBlocks() + container := p.addChild(typ, 0) + container.content = content + return container +} + +func (p *Markdown) isPrefixHeading(data []byte) bool { + if data[0] != '#' { + return false + } + + if p.extensions&SpaceHeadings != 0 { + level := 0 + for level < 6 && level < len(data) && data[level] == '#' { + level++ + } + if level == len(data) || data[level] != ' ' { + return false + } + } + return true +} + +func (p *Markdown) prefixHeading(data []byte) int { + level := 0 + for level < 6 && level < len(data) && data[level] == '#' { + level++ + } + i := skipChar(data, level, ' ') + end := skipUntilChar(data, i, '\n') + skip := end + id := "" + if p.extensions&HeadingIDs != 0 { + j, k := 0, 0 + // find start/end of heading id + for j = i; j < end-1 && (data[j] != '{' || data[j+1] != '#'); j++ { + } + for k = j + 1; k < end && data[k] != '}'; k++ { + } + // extract heading id iff found + if j < end && k < end { + id = string(data[j+2 : k]) + end = j + skip = k + 1 + for end > 0 && data[end-1] == ' ' { + end-- + } + } + } + for end > 0 && data[end-1] == '#' { + if isBackslashEscaped(data, end-1) { + break + } + end-- + } + for end > 0 && data[end-1] == ' ' { + end-- + } + if end > i { + if id == "" && p.extensions&AutoHeadingIDs != 0 { + id = SanitizedAnchorName(string(data[i:end])) + } + block := p.addBlock(Heading, data[i:end]) + block.HeadingID = id + block.Level = level + } + return skip +} + +func (p *Markdown) isUnderlinedHeading(data []byte) int { + // test of level 1 heading + if data[0] == '=' { + i := skipChar(data, 1, '=') + i = skipChar(data, i, ' ') + if i < len(data) && data[i] == '\n' { + return 1 + } + return 0 + } + + // test of level 2 heading + if data[0] == '-' { + i := skipChar(data, 1, '-') + i = skipChar(data, i, ' ') + if i < len(data) && data[i] == '\n' { + return 2 + } + return 0 + } + + return 0 +} + +func (p *Markdown) titleBlock(data []byte, doRender bool) int { + if data[0] != '%' { + return 0 + } + splitData := bytes.Split(data, []byte("\n")) + var i int + for idx, b := range splitData { + if !bytes.HasPrefix(b, []byte("%")) { + i = idx // - 1 + break + } + } + + data = bytes.Join(splitData[0:i], []byte("\n")) + consumed := len(data) + data = bytes.TrimPrefix(data, []byte("% ")) + data = bytes.Replace(data, []byte("\n% "), []byte("\n"), -1) + block := p.addBlock(Heading, data) + block.Level = 1 + block.IsTitleblock = true + + return consumed +} + +func (p *Markdown) html(data []byte, doRender bool) int { + var i, j int + + // identify the opening tag + if data[0] != '<' { + return 0 + } + curtag, tagfound := p.htmlFindTag(data[1:]) + + // handle special cases + if !tagfound { + // check for an HTML comment + if size := p.htmlComment(data, doRender); size > 0 { + return size + } + + // check for an
tag + if size := p.htmlHr(data, doRender); size > 0 { + return size + } + + // no special case recognized + return 0 + } + + // look for an unindented matching closing tag + // followed by a blank line + found := false + /* + closetag := []byte("\n") + j = len(curtag) + 1 + for !found { + // scan for a closing tag at the beginning of a line + if skip := bytes.Index(data[j:], closetag); skip >= 0 { + j += skip + len(closetag) + } else { + break + } + + // see if it is the only thing on the line + if skip := p.isEmpty(data[j:]); skip > 0 { + // see if it is followed by a blank line/eof + j += skip + if j >= len(data) { + found = true + i = j + } else { + if skip := p.isEmpty(data[j:]); skip > 0 { + j += skip + found = true + i = j + } + } + } + } + */ + + // if not found, try a second pass looking for indented match + // but not if tag is "ins" or "del" (following original Markdown.pl) + if !found && curtag != "ins" && curtag != "del" { + i = 1 + for i < len(data) { + i++ + for i < len(data) && !(data[i-1] == '<' && data[i] == '/') { + i++ + } + + if i+2+len(curtag) >= len(data) { + break + } + + j = p.htmlFindEnd(curtag, data[i-1:]) + + if j > 0 { + i += j - 1 + found = true + break + } + } + } + + if !found { + return 0 + } + + // the end of the block has been found + if doRender { + // trim newlines + end := i + for end > 0 && data[end-1] == '\n' { + end-- + } + finalizeHTMLBlock(p.addBlock(HTMLBlock, data[:end])) + } + + return i +} + +func finalizeHTMLBlock(block *Node) { + block.Literal = block.content + block.content = nil +} + +// HTML comment, lax form +func (p *Markdown) htmlComment(data []byte, doRender bool) int { + i := p.inlineHTMLComment(data) + // needs to end with a blank line + if j := p.isEmpty(data[i:]); j > 0 { + size := i + j + if doRender { + // trim trailing newlines + end := size + for end > 0 && data[end-1] == '\n' { + end-- + } + block := p.addBlock(HTMLBlock, data[:end]) + finalizeHTMLBlock(block) + } + return size + } + return 0 +} + +// HR, which is the only self-closing block tag considered +func (p *Markdown) htmlHr(data []byte, doRender bool) int { + if len(data) < 4 { + return 0 + } + if data[0] != '<' || (data[1] != 'h' && data[1] != 'H') || (data[2] != 'r' && data[2] != 'R') { + return 0 + } + if data[3] != ' ' && data[3] != '/' && data[3] != '>' { + // not an
tag after all; at least not a valid one + return 0 + } + i := 3 + for i < len(data) && data[i] != '>' && data[i] != '\n' { + i++ + } + if i < len(data) && data[i] == '>' { + i++ + if j := p.isEmpty(data[i:]); j > 0 { + size := i + j + if doRender { + // trim newlines + end := size + for end > 0 && data[end-1] == '\n' { + end-- + } + finalizeHTMLBlock(p.addBlock(HTMLBlock, data[:end])) + } + return size + } + } + return 0 +} + +func (p *Markdown) htmlFindTag(data []byte) (string, bool) { + i := 0 + for i < len(data) && isalnum(data[i]) { + i++ + } + key := string(data[:i]) + if _, ok := blockTags[key]; ok { + return key, true + } + return "", false +} + +func (p *Markdown) htmlFindEnd(tag string, data []byte) int { + // assume data[0] == '<' && data[1] == '/' already tested + if tag == "hr" { + return 2 + } + // check if tag is a match + closetag := []byte("") + if !bytes.HasPrefix(data, closetag) { + return 0 + } + i := len(closetag) + + // check that the rest of the line is blank + skip := 0 + if skip = p.isEmpty(data[i:]); skip == 0 { + return 0 + } + i += skip + skip = 0 + + if i >= len(data) { + return i + } + + if p.extensions&LaxHTMLBlocks != 0 { + return i + } + if skip = p.isEmpty(data[i:]); skip == 0 { + // following line must be blank + return 0 + } + + return i + skip +} + +func (*Markdown) isEmpty(data []byte) int { + // it is okay to call isEmpty on an empty buffer + if len(data) == 0 { + return 0 + } + + var i int + for i = 0; i < len(data) && data[i] != '\n'; i++ { + if data[i] != ' ' && data[i] != '\t' { + return 0 + } + } + if i < len(data) && data[i] == '\n' { + i++ + } + return i +} + +func (*Markdown) isHRule(data []byte) bool { + i := 0 + + // skip up to three spaces + for i < 3 && data[i] == ' ' { + i++ + } + + // look at the hrule char + if data[i] != '*' && data[i] != '-' && data[i] != '_' { + return false + } + c := data[i] + + // the whole line must be the char or whitespace + n := 0 + for i < len(data) && data[i] != '\n' { + switch { + case data[i] == c: + n++ + case data[i] != ' ': + return false + } + i++ + } + + return n >= 3 +} + +// isFenceLine checks if there's a fence line (e.g., ``` or ``` go) at the beginning of data, +// and returns the end index if so, or 0 otherwise. It also returns the marker found. +// If info is not nil, it gets set to the syntax specified in the fence line. +func isFenceLine(data []byte, info *string, oldmarker string) (end int, marker string) { + i, size := 0, 0 + + // skip up to three spaces + for i < len(data) && i < 3 && data[i] == ' ' { + i++ + } + + // check for the marker characters: ~ or ` + if i >= len(data) { + return 0, "" + } + if data[i] != '~' && data[i] != '`' { + return 0, "" + } + + c := data[i] + + // the whole line must be the same char or whitespace + for i < len(data) && data[i] == c { + size++ + i++ + } + + // the marker char must occur at least 3 times + if size < 3 { + return 0, "" + } + marker = string(data[i-size : i]) + + // if this is the end marker, it must match the beginning marker + if oldmarker != "" && marker != oldmarker { + return 0, "" + } + + // TODO(shurcooL): It's probably a good idea to simplify the 2 code paths here + // into one, always get the info string, and discard it if the caller doesn't care. + if info != nil { + infoLength := 0 + i = skipChar(data, i, ' ') + + if i >= len(data) { + if i == len(data) { + return i, marker + } + return 0, "" + } + + infoStart := i + + if data[i] == '{' { + i++ + infoStart++ + + for i < len(data) && data[i] != '}' && data[i] != '\n' { + infoLength++ + i++ + } + + if i >= len(data) || data[i] != '}' { + return 0, "" + } + + // strip all whitespace at the beginning and the end + // of the {} block + for infoLength > 0 && isspace(data[infoStart]) { + infoStart++ + infoLength-- + } + + for infoLength > 0 && isspace(data[infoStart+infoLength-1]) { + infoLength-- + } + i++ + i = skipChar(data, i, ' ') + } else { + for i < len(data) && !isverticalspace(data[i]) { + infoLength++ + i++ + } + } + + *info = strings.TrimSpace(string(data[infoStart : infoStart+infoLength])) + } + + if i == len(data) { + return i, marker + } + if i > len(data) || data[i] != '\n' { + return 0, "" + } + return i + 1, marker // Take newline into account. +} + +// fencedCodeBlock returns the end index if data contains a fenced code block at the beginning, +// or 0 otherwise. It writes to out if doRender is true, otherwise it has no side effects. +// If doRender is true, a final newline is mandatory to recognize the fenced code block. +func (p *Markdown) fencedCodeBlock(data []byte, doRender bool) int { + var info string + beg, marker := isFenceLine(data, &info, "") + if beg == 0 || beg >= len(data) { + return 0 + } + fenceLength := beg - 1 + + var work bytes.Buffer + work.Write([]byte(info)) + work.WriteByte('\n') + + for { + // safe to assume beg < len(data) + + // check for the end of the code block + fenceEnd, _ := isFenceLine(data[beg:], nil, marker) + if fenceEnd != 0 { + beg += fenceEnd + break + } + + // copy the current line + end := skipUntilChar(data, beg, '\n') + 1 + + // did we reach the end of the buffer without a closing marker? + if end >= len(data) { + return 0 + } + + // verbatim copy to the working buffer + if doRender { + work.Write(data[beg:end]) + } + beg = end + } + + if doRender { + block := p.addBlock(CodeBlock, work.Bytes()) // TODO: get rid of temp buffer + block.IsFenced = true + block.FenceLength = fenceLength + finalizeCodeBlock(block) + } + + return beg +} + +func unescapeChar(str []byte) []byte { + if str[0] == '\\' { + return []byte{str[1]} + } + return []byte(html.UnescapeString(string(str))) +} + +func unescapeString(str []byte) []byte { + if reBackslashOrAmp.Match(str) { + return reEntityOrEscapedChar.ReplaceAllFunc(str, unescapeChar) + } + return str +} + +func finalizeCodeBlock(block *Node) { + if block.IsFenced { + newlinePos := bytes.IndexByte(block.content, '\n') + firstLine := block.content[:newlinePos] + rest := block.content[newlinePos+1:] + block.Info = unescapeString(bytes.Trim(firstLine, "\n")) + block.Literal = rest + } else { + block.Literal = block.content + } + block.content = nil +} + +func (p *Markdown) table(data []byte) int { + table := p.addBlock(Table, nil) + i, columns := p.tableHeader(data) + if i == 0 { + p.tip = table.Parent + table.Unlink() + return 0 + } + + p.addBlock(TableBody, nil) + + for i < len(data) { + pipes, rowStart := 0, i + for ; i < len(data) && data[i] != '\n'; i++ { + if data[i] == '|' { + pipes++ + } + } + + if pipes == 0 { + i = rowStart + break + } + + // include the newline in data sent to tableRow + if i < len(data) && data[i] == '\n' { + i++ + } + p.tableRow(data[rowStart:i], columns, false) + } + + return i +} + +// check if the specified position is preceded by an odd number of backslashes +func isBackslashEscaped(data []byte, i int) bool { + backslashes := 0 + for i-backslashes-1 >= 0 && data[i-backslashes-1] == '\\' { + backslashes++ + } + return backslashes&1 == 1 +} + +func (p *Markdown) tableHeader(data []byte) (size int, columns []CellAlignFlags) { + i := 0 + colCount := 1 + for i = 0; i < len(data) && data[i] != '\n'; i++ { + if data[i] == '|' && !isBackslashEscaped(data, i) { + colCount++ + } + } + + // doesn't look like a table header + if colCount == 1 { + return + } + + // include the newline in the data sent to tableRow + j := i + if j < len(data) && data[j] == '\n' { + j++ + } + header := data[:j] + + // column count ignores pipes at beginning or end of line + if data[0] == '|' { + colCount-- + } + if i > 2 && data[i-1] == '|' && !isBackslashEscaped(data, i-1) { + colCount-- + } + + columns = make([]CellAlignFlags, colCount) + + // move on to the header underline + i++ + if i >= len(data) { + return + } + + if data[i] == '|' && !isBackslashEscaped(data, i) { + i++ + } + i = skipChar(data, i, ' ') + + // each column header is of form: / *:?-+:? *|/ with # dashes + # colons >= 3 + // and trailing | optional on last column + col := 0 + for i < len(data) && data[i] != '\n' { + dashes := 0 + + if data[i] == ':' { + i++ + columns[col] |= TableAlignmentLeft + dashes++ + } + for i < len(data) && data[i] == '-' { + i++ + dashes++ + } + if i < len(data) && data[i] == ':' { + i++ + columns[col] |= TableAlignmentRight + dashes++ + } + for i < len(data) && data[i] == ' ' { + i++ + } + if i == len(data) { + return + } + // end of column test is messy + switch { + case dashes < 3: + // not a valid column + return + + case data[i] == '|' && !isBackslashEscaped(data, i): + // marker found, now skip past trailing whitespace + col++ + i++ + for i < len(data) && data[i] == ' ' { + i++ + } + + // trailing junk found after last column + if col >= colCount && i < len(data) && data[i] != '\n' { + return + } + + case (data[i] != '|' || isBackslashEscaped(data, i)) && col+1 < colCount: + // something else found where marker was required + return + + case data[i] == '\n': + // marker is optional for the last column + col++ + + default: + // trailing junk found after last column + return + } + } + if col != colCount { + return + } + + p.addBlock(TableHead, nil) + p.tableRow(header, columns, true) + size = i + if size < len(data) && data[size] == '\n' { + size++ + } + return +} + +func (p *Markdown) tableRow(data []byte, columns []CellAlignFlags, header bool) { + p.addBlock(TableRow, nil) + i, col := 0, 0 + + if data[i] == '|' && !isBackslashEscaped(data, i) { + i++ + } + + for col = 0; col < len(columns) && i < len(data); col++ { + for i < len(data) && data[i] == ' ' { + i++ + } + + cellStart := i + + for i < len(data) && (data[i] != '|' || isBackslashEscaped(data, i)) && data[i] != '\n' { + i++ + } + + cellEnd := i + + // skip the end-of-cell marker, possibly taking us past end of buffer + i++ + + for cellEnd > cellStart && cellEnd-1 < len(data) && data[cellEnd-1] == ' ' { + cellEnd-- + } + + cell := p.addBlock(TableCell, data[cellStart:cellEnd]) + cell.IsHeader = header + cell.Align = columns[col] + } + + // pad it out with empty columns to get the right number + for ; col < len(columns); col++ { + cell := p.addBlock(TableCell, nil) + cell.IsHeader = header + cell.Align = columns[col] + } + + // silently ignore rows with too many cells +} + +// returns blockquote prefix length +func (p *Markdown) quotePrefix(data []byte) int { + i := 0 + for i < 3 && i < len(data) && data[i] == ' ' { + i++ + } + if i < len(data) && data[i] == '>' { + if i+1 < len(data) && data[i+1] == ' ' { + return i + 2 + } + return i + 1 + } + return 0 +} + +// blockquote ends with at least one blank line +// followed by something without a blockquote prefix +func (p *Markdown) terminateBlockquote(data []byte, beg, end int) bool { + if p.isEmpty(data[beg:]) <= 0 { + return false + } + if end >= len(data) { + return true + } + return p.quotePrefix(data[end:]) == 0 && p.isEmpty(data[end:]) == 0 +} + +// parse a blockquote fragment +func (p *Markdown) quote(data []byte) int { + block := p.addBlock(BlockQuote, nil) + var raw bytes.Buffer + beg, end := 0, 0 + for beg < len(data) { + end = beg + // Step over whole lines, collecting them. While doing that, check for + // fenced code and if one's found, incorporate it altogether, + // irregardless of any contents inside it + for end < len(data) && data[end] != '\n' { + if p.extensions&FencedCode != 0 { + if i := p.fencedCodeBlock(data[end:], false); i > 0 { + // -1 to compensate for the extra end++ after the loop: + end += i - 1 + break + } + } + end++ + } + if end < len(data) && data[end] == '\n' { + end++ + } + if pre := p.quotePrefix(data[beg:]); pre > 0 { + // skip the prefix + beg += pre + } else if p.terminateBlockquote(data, beg, end) { + break + } + // this line is part of the blockquote + raw.Write(data[beg:end]) + beg = end + } + p.block(raw.Bytes()) + p.finalize(block) + return end +} + +// returns prefix length for block code +func (p *Markdown) codePrefix(data []byte) int { + if len(data) >= 1 && data[0] == '\t' { + return 1 + } + if len(data) >= 4 && data[0] == ' ' && data[1] == ' ' && data[2] == ' ' && data[3] == ' ' { + return 4 + } + return 0 +} + +func (p *Markdown) code(data []byte) int { + var work bytes.Buffer + + i := 0 + for i < len(data) { + beg := i + for i < len(data) && data[i] != '\n' { + i++ + } + if i < len(data) && data[i] == '\n' { + i++ + } + + blankline := p.isEmpty(data[beg:i]) > 0 + if pre := p.codePrefix(data[beg:i]); pre > 0 { + beg += pre + } else if !blankline { + // non-empty, non-prefixed line breaks the pre + i = beg + break + } + + // verbatim copy to the working buffer + if blankline { + work.WriteByte('\n') + } else { + work.Write(data[beg:i]) + } + } + + // trim all the \n off the end of work + workbytes := work.Bytes() + eol := len(workbytes) + for eol > 0 && workbytes[eol-1] == '\n' { + eol-- + } + if eol != len(workbytes) { + work.Truncate(eol) + } + + work.WriteByte('\n') + + block := p.addBlock(CodeBlock, work.Bytes()) // TODO: get rid of temp buffer + block.IsFenced = false + finalizeCodeBlock(block) + + return i +} + +// returns unordered list item prefix +func (p *Markdown) uliPrefix(data []byte) int { + i := 0 + // start with up to 3 spaces + for i < len(data) && i < 3 && data[i] == ' ' { + i++ + } + if i >= len(data)-1 { + return 0 + } + // need one of {'*', '+', '-'} followed by a space or a tab + if (data[i] != '*' && data[i] != '+' && data[i] != '-') || + (data[i+1] != ' ' && data[i+1] != '\t') { + return 0 + } + return i + 2 +} + +// returns ordered list item prefix +func (p *Markdown) oliPrefix(data []byte) int { + i := 0 + + // start with up to 3 spaces + for i < 3 && i < len(data) && data[i] == ' ' { + i++ + } + + // count the digits + start := i + for i < len(data) && data[i] >= '0' && data[i] <= '9' { + i++ + } + if start == i || i >= len(data)-1 { + return 0 + } + + // we need >= 1 digits followed by a dot and a space or a tab + if data[i] != '.' || !(data[i+1] == ' ' || data[i+1] == '\t') { + return 0 + } + return i + 2 +} + +// returns definition list item prefix +func (p *Markdown) dliPrefix(data []byte) int { + if len(data) < 2 { + return 0 + } + i := 0 + // need a ':' followed by a space or a tab + if data[i] != ':' || !(data[i+1] == ' ' || data[i+1] == '\t') { + return 0 + } + for i < len(data) && data[i] == ' ' { + i++ + } + return i + 2 +} + +// parse ordered or unordered list block +func (p *Markdown) list(data []byte, flags ListType) int { + i := 0 + flags |= ListItemBeginningOfList + block := p.addBlock(List, nil) + block.ListFlags = flags + block.Tight = true + + for i < len(data) { + skip := p.listItem(data[i:], &flags) + if flags&ListItemContainsBlock != 0 { + block.ListData.Tight = false + } + i += skip + if skip == 0 || flags&ListItemEndOfList != 0 { + break + } + flags &= ^ListItemBeginningOfList + } + + above := block.Parent + finalizeList(block) + p.tip = above + return i +} + +// Returns true if the list item is not the same type as its parent list +func (p *Markdown) listTypeChanged(data []byte, flags *ListType) bool { + if p.dliPrefix(data) > 0 && *flags&ListTypeDefinition == 0 { + return true + } else if p.oliPrefix(data) > 0 && *flags&ListTypeOrdered == 0 { + return true + } else if p.uliPrefix(data) > 0 && (*flags&ListTypeOrdered != 0 || *flags&ListTypeDefinition != 0) { + return true + } + return false +} + +// Returns true if block ends with a blank line, descending if needed +// into lists and sublists. +func endsWithBlankLine(block *Node) bool { + // TODO: figure this out. Always false now. + for block != nil { + //if block.lastLineBlank { + //return true + //} + t := block.Type + if t == List || t == Item { + block = block.LastChild + } else { + break + } + } + return false +} + +func finalizeList(block *Node) { + block.open = false + item := block.FirstChild + for item != nil { + // check for non-final list item ending with blank line: + if endsWithBlankLine(item) && item.Next != nil { + block.ListData.Tight = false + break + } + // recurse into children of list item, to see if there are spaces + // between any of them: + subItem := item.FirstChild + for subItem != nil { + if endsWithBlankLine(subItem) && (item.Next != nil || subItem.Next != nil) { + block.ListData.Tight = false + break + } + subItem = subItem.Next + } + item = item.Next + } +} + +// Parse a single list item. +// Assumes initial prefix is already removed if this is a sublist. +func (p *Markdown) listItem(data []byte, flags *ListType) int { + // keep track of the indentation of the first line + itemIndent := 0 + if data[0] == '\t' { + itemIndent += 4 + } else { + for itemIndent < 3 && data[itemIndent] == ' ' { + itemIndent++ + } + } + + var bulletChar byte = '*' + i := p.uliPrefix(data) + if i == 0 { + i = p.oliPrefix(data) + } else { + bulletChar = data[i-2] + } + if i == 0 { + i = p.dliPrefix(data) + // reset definition term flag + if i > 0 { + *flags &= ^ListTypeTerm + } + } + if i == 0 { + // if in definition list, set term flag and continue + if *flags&ListTypeDefinition != 0 { + *flags |= ListTypeTerm + } else { + return 0 + } + } + + // skip leading whitespace on first line + for i < len(data) && data[i] == ' ' { + i++ + } + + // find the end of the line + line := i + for i > 0 && i < len(data) && data[i-1] != '\n' { + i++ + } + + // get working buffer + var raw bytes.Buffer + + // put the first line into the working buffer + raw.Write(data[line:i]) + line = i + + // process the following lines + containsBlankLine := false + sublist := 0 + codeBlockMarker := "" + +gatherlines: + for line < len(data) { + i++ + + // find the end of this line + for i < len(data) && data[i-1] != '\n' { + i++ + } + + // if it is an empty line, guess that it is part of this item + // and move on to the next line + if p.isEmpty(data[line:i]) > 0 { + containsBlankLine = true + line = i + continue + } + + // calculate the indentation + indent := 0 + indentIndex := 0 + if data[line] == '\t' { + indentIndex++ + indent += 4 + } else { + for indent < 4 && line+indent < i && data[line+indent] == ' ' { + indent++ + indentIndex++ + } + } + + chunk := data[line+indentIndex : i] + + if p.extensions&FencedCode != 0 { + // determine if in or out of codeblock + // if in codeblock, ignore normal list processing + _, marker := isFenceLine(chunk, nil, codeBlockMarker) + if marker != "" { + if codeBlockMarker == "" { + // start of codeblock + codeBlockMarker = marker + } else { + // end of codeblock. + codeBlockMarker = "" + } + } + // we are in a codeblock, write line, and continue + if codeBlockMarker != "" || marker != "" { + raw.Write(data[line+indentIndex : i]) + line = i + continue gatherlines + } + } + + // evaluate how this line fits in + switch { + // is this a nested list item? + case (p.uliPrefix(chunk) > 0 && !p.isHRule(chunk)) || + p.oliPrefix(chunk) > 0 || + p.dliPrefix(chunk) > 0: + + // to be a nested list, it must be indented more + // if not, it is either a different kind of list + // or the next item in the same list + if indent <= itemIndent { + if p.listTypeChanged(chunk, flags) { + *flags |= ListItemEndOfList + } else if containsBlankLine { + *flags |= ListItemContainsBlock + } + + break gatherlines + } + + if containsBlankLine { + *flags |= ListItemContainsBlock + } + + // is this the first item in the nested list? + if sublist == 0 { + sublist = raw.Len() + } + + // is this a nested prefix heading? + case p.isPrefixHeading(chunk): + // if the heading is not indented, it is not nested in the list + // and thus ends the list + if containsBlankLine && indent < 4 { + *flags |= ListItemEndOfList + break gatherlines + } + *flags |= ListItemContainsBlock + + // anything following an empty line is only part + // of this item if it is indented 4 spaces + // (regardless of the indentation of the beginning of the item) + case containsBlankLine && indent < 4: + if *flags&ListTypeDefinition != 0 && i < len(data)-1 { + // is the next item still a part of this list? + next := i + for next < len(data) && data[next] != '\n' { + next++ + } + for next < len(data)-1 && data[next] == '\n' { + next++ + } + if i < len(data)-1 && data[i] != ':' && data[next] != ':' { + *flags |= ListItemEndOfList + } + } else { + *flags |= ListItemEndOfList + } + break gatherlines + + // a blank line means this should be parsed as a block + case containsBlankLine: + raw.WriteByte('\n') + *flags |= ListItemContainsBlock + } + + // if this line was preceded by one or more blanks, + // re-introduce the blank into the buffer + if containsBlankLine { + containsBlankLine = false + raw.WriteByte('\n') + } + + // add the line into the working buffer without prefix + raw.Write(data[line+indentIndex : i]) + + line = i + } + + rawBytes := raw.Bytes() + + block := p.addBlock(Item, nil) + block.ListFlags = *flags + block.Tight = false + block.BulletChar = bulletChar + block.Delimiter = '.' // Only '.' is possible in Markdown, but ')' will also be possible in CommonMark + + // render the contents of the list item + if *flags&ListItemContainsBlock != 0 && *flags&ListTypeTerm == 0 { + // intermediate render of block item, except for definition term + if sublist > 0 { + p.block(rawBytes[:sublist]) + p.block(rawBytes[sublist:]) + } else { + p.block(rawBytes) + } + } else { + // intermediate render of inline item + if sublist > 0 { + child := p.addChild(Paragraph, 0) + child.content = rawBytes[:sublist] + p.block(rawBytes[sublist:]) + } else { + child := p.addChild(Paragraph, 0) + child.content = rawBytes + } + } + return line +} + +// render a single paragraph that has already been parsed out +func (p *Markdown) renderParagraph(data []byte) { + if len(data) == 0 { + return + } + + // trim leading spaces + beg := 0 + for data[beg] == ' ' { + beg++ + } + + end := len(data) + // trim trailing newline + if data[len(data)-1] == '\n' { + end-- + } + + // trim trailing spaces + for end > beg && data[end-1] == ' ' { + end-- + } + + p.addBlock(Paragraph, data[beg:end]) +} + +func (p *Markdown) paragraph(data []byte) int { + // prev: index of 1st char of previous line + // line: index of 1st char of current line + // i: index of cursor/end of current line + var prev, line, i int + tabSize := TabSizeDefault + if p.extensions&TabSizeEight != 0 { + tabSize = TabSizeDouble + } + // keep going until we find something to mark the end of the paragraph + for i < len(data) { + // mark the beginning of the current line + prev = line + current := data[i:] + line = i + + // did we find a reference or a footnote? If so, end a paragraph + // preceding it and report that we have consumed up to the end of that + // reference: + if refEnd := isReference(p, current, tabSize); refEnd > 0 { + p.renderParagraph(data[:i]) + return i + refEnd + } + + // did we find a blank line marking the end of the paragraph? + if n := p.isEmpty(current); n > 0 { + // did this blank line followed by a definition list item? + if p.extensions&DefinitionLists != 0 { + if i < len(data)-1 && data[i+1] == ':' { + return p.list(data[prev:], ListTypeDefinition) + } + } + + p.renderParagraph(data[:i]) + return i + n + } + + // an underline under some text marks a heading, so our paragraph ended on prev line + if i > 0 { + if level := p.isUnderlinedHeading(current); level > 0 { + // render the paragraph + p.renderParagraph(data[:prev]) + + // ignore leading and trailing whitespace + eol := i - 1 + for prev < eol && data[prev] == ' ' { + prev++ + } + for eol > prev && data[eol-1] == ' ' { + eol-- + } + + id := "" + if p.extensions&AutoHeadingIDs != 0 { + id = SanitizedAnchorName(string(data[prev:eol])) + } + + block := p.addBlock(Heading, data[prev:eol]) + block.Level = level + block.HeadingID = id + + // find the end of the underline + for i < len(data) && data[i] != '\n' { + i++ + } + return i + } + } + + // if the next line starts a block of HTML, then the paragraph ends here + if p.extensions&LaxHTMLBlocks != 0 { + if data[i] == '<' && p.html(current, false) > 0 { + // rewind to before the HTML block + p.renderParagraph(data[:i]) + return i + } + } + + // if there's a prefixed heading or a horizontal rule after this, paragraph is over + if p.isPrefixHeading(current) || p.isHRule(current) { + p.renderParagraph(data[:i]) + return i + } + + // if there's a fenced code block, paragraph is over + if p.extensions&FencedCode != 0 { + if p.fencedCodeBlock(current, false) > 0 { + p.renderParagraph(data[:i]) + return i + } + } + + // if there's a definition list item, prev line is a definition term + if p.extensions&DefinitionLists != 0 { + if p.dliPrefix(current) != 0 { + ret := p.list(data[prev:], ListTypeDefinition) + return ret + } + } + + // if there's a list after this, paragraph is over + if p.extensions&NoEmptyLineBeforeBlock != 0 { + if p.uliPrefix(current) != 0 || + p.oliPrefix(current) != 0 || + p.quotePrefix(current) != 0 || + p.codePrefix(current) != 0 { + p.renderParagraph(data[:i]) + return i + } + } + + // otherwise, scan to the beginning of the next line + nl := bytes.IndexByte(data[i:], '\n') + if nl >= 0 { + i += nl + 1 + } else { + i += len(data[i:]) + } + } + + p.renderParagraph(data[:i]) + return i +} + +func skipChar(data []byte, start int, char byte) int { + i := start + for i < len(data) && data[i] == char { + i++ + } + return i +} + +func skipUntilChar(text []byte, start int, char byte) int { + i := start + for i < len(text) && text[i] != char { + i++ + } + return i +} + +// SanitizedAnchorName returns a sanitized anchor name for the given text. +// +// It implements the algorithm specified in the package comment. +func SanitizedAnchorName(text string) string { + var anchorName []rune + futureDash := false + for _, r := range text { + switch { + case unicode.IsLetter(r) || unicode.IsNumber(r): + if futureDash && len(anchorName) > 0 { + anchorName = append(anchorName, '-') + } + futureDash = false + anchorName = append(anchorName, unicode.ToLower(r)) + default: + futureDash = true + } + } + return string(anchorName) +} diff --git a/vendor/github.com/russross/blackfriday/v2/doc.go b/vendor/github.com/russross/blackfriday/v2/doc.go new file mode 100644 index 0000000000..57ff152a05 --- /dev/null +++ b/vendor/github.com/russross/blackfriday/v2/doc.go @@ -0,0 +1,46 @@ +// Package blackfriday is a markdown processor. +// +// It translates plain text with simple formatting rules into an AST, which can +// then be further processed to HTML (provided by Blackfriday itself) or other +// formats (provided by the community). +// +// The simplest way to invoke Blackfriday is to call the Run function. It will +// take a text input and produce a text output in HTML (or other format). +// +// A slightly more sophisticated way to use Blackfriday is to create a Markdown +// processor and to call Parse, which returns a syntax tree for the input +// document. You can leverage Blackfriday's parsing for content extraction from +// markdown documents. You can assign a custom renderer and set various options +// to the Markdown processor. +// +// If you're interested in calling Blackfriday from command line, see +// https://github.com/russross/blackfriday-tool. +// +// Sanitized Anchor Names +// +// Blackfriday includes an algorithm for creating sanitized anchor names +// corresponding to a given input text. This algorithm is used to create +// anchors for headings when AutoHeadingIDs extension is enabled. The +// algorithm is specified below, so that other packages can create +// compatible anchor names and links to those anchors. +// +// The algorithm iterates over the input text, interpreted as UTF-8, +// one Unicode code point (rune) at a time. All runes that are letters (category L) +// or numbers (category N) are considered valid characters. They are mapped to +// lower case, and included in the output. All other runes are considered +// invalid characters. Invalid characters that precede the first valid character, +// as well as invalid character that follow the last valid character +// are dropped completely. All other sequences of invalid characters +// between two valid characters are replaced with a single dash character '-'. +// +// SanitizedAnchorName exposes this functionality, and can be used to +// create compatible links to the anchor names generated by blackfriday. +// This algorithm is also implemented in a small standalone package at +// github.com/shurcooL/sanitized_anchor_name. It can be useful for clients +// that want a small package and don't need full functionality of blackfriday. +package blackfriday + +// NOTE: Keep Sanitized Anchor Name algorithm in sync with package +// github.com/shurcooL/sanitized_anchor_name. +// Otherwise, users of sanitized_anchor_name will get anchor names +// that are incompatible with those generated by blackfriday. diff --git a/vendor/github.com/russross/blackfriday/v2/entities.go b/vendor/github.com/russross/blackfriday/v2/entities.go new file mode 100644 index 0000000000..a2c3edb691 --- /dev/null +++ b/vendor/github.com/russross/blackfriday/v2/entities.go @@ -0,0 +1,2236 @@ +package blackfriday + +// Extracted from https://html.spec.whatwg.org/multipage/entities.json +var entities = map[string]bool{ + "Æ": true, + "Æ": true, + "&": true, + "&": true, + "Á": true, + "Á": true, + "Ă": true, + "Â": true, + "Â": true, + "А": true, + "𝔄": true, + "À": true, + "À": true, + "Α": true, + "Ā": true, + "⩓": true, + "Ą": true, + "𝔸": true, + "⁡": true, + "Å": true, + "Å": true, + "𝒜": true, + "≔": true, + "Ã": true, + "Ã": true, + "Ä": true, + "Ä": true, + "∖": true, + "⫧": true, + "⌆": true, + "Б": true, + "∵": true, + "ℬ": true, + "Β": true, + "𝔅": true, + "𝔹": true, + "˘": true, + "ℬ": true, + "≎": true, + "Ч": true, + "©": true, + "©": true, + "Ć": true, + "⋒": true, + "ⅅ": true, + "ℭ": true, + "Č": true, + "Ç": true, + "Ç": true, + "Ĉ": true, + "∰": true, + "Ċ": true, + "¸": true, + "·": true, + "ℭ": true, + "Χ": true, + "⊙": true, + "⊖": true, + "⊕": true, + "⊗": true, + "∲": true, + "”": true, + "’": true, + "∷": true, + "⩴": true, + "≡": true, + "∯": true, + "∮": true, + "ℂ": true, + "∐": true, + "∳": true, + "⨯": true, + "𝒞": true, + "⋓": true, + "≍": true, + "ⅅ": true, + "⤑": true, + "Ђ": true, + "Ѕ": true, + "Џ": true, + "‡": true, + "↡": true, + "⫤": true, + "Ď": true, + "Д": true, + "∇": true, + "Δ": true, + "𝔇": true, + "´": true, + "˙": true, + "˝": true, + "`": true, + "˜": true, + "⋄": true, + "ⅆ": true, + "𝔻": true, + "¨": true, + "⃜": true, + "≐": true, + "∯": true, + "¨": true, + "⇓": true, + "⇐": true, + "⇔": true, + "⫤": true, + "⟸": true, + "⟺": true, + "⟹": true, + "⇒": true, + "⊨": true, + "⇑": true, + "⇕": true, + "∥": true, + "↓": true, + "⤓": true, + "⇵": true, + "̑": true, + "⥐": true, + "⥞": true, + "↽": true, + "⥖": true, + "⥟": true, + "⇁": true, + "⥗": true, + "⊤": true, + "↧": true, + "⇓": true, + "𝒟": true, + "Đ": true, + "Ŋ": true, + "Ð": true, + "Ð": true, + "É": true, + "É": true, + "Ě": true, + "Ê": true, + "Ê": true, + "Э": true, + "Ė": true, + "𝔈": true, + "È": true, + "È": true, + "∈": true, + "Ē": true, + "◻": true, + "▫": true, + "Ę": true, + "𝔼": true, + "Ε": true, + "⩵": true, + "≂": true, + "⇌": true, + "ℰ": true, + "⩳": true, + "Η": true, + "Ë": true, + "Ë": true, + "∃": true, + "ⅇ": true, + "Ф": true, + "𝔉": true, + "◼": true, + "▪": true, + "𝔽": true, + "∀": true, + "ℱ": true, + "ℱ": true, + "Ѓ": true, + ">": true, + ">": true, + "Γ": true, + "Ϝ": true, + "Ğ": true, + "Ģ": true, + "Ĝ": true, + "Г": true, + "Ġ": true, + "𝔊": true, + "⋙": true, + "𝔾": true, + "≥": true, + "⋛": true, + "≧": true, + "⪢": true, + "≷": true, + "⩾": true, + "≳": true, + "𝒢": true, + "≫": true, + "Ъ": true, + "ˇ": true, + "^": true, + "Ĥ": true, + "ℌ": true, + "ℋ": true, + "ℍ": true, + "─": true, + "ℋ": true, + "Ħ": true, + "≎": true, + "≏": true, + "Е": true, + "IJ": true, + "Ё": true, + "Í": true, + "Í": true, + "Î": true, + "Î": true, + "И": true, + "İ": true, + "ℑ": true, + "Ì": true, + "Ì": true, + "ℑ": true, + "Ī": true, + "ⅈ": true, + "⇒": true, + "∬": true, + "∫": true, + "⋂": true, + "⁣": true, + "⁢": true, + "Į": true, + "𝕀": true, + "Ι": true, + "ℐ": true, + "Ĩ": true, + "І": true, + "Ï": true, + "Ï": true, + "Ĵ": true, + "Й": true, + "𝔍": true, + "𝕁": true, + "𝒥": true, + "Ј": true, + "Є": true, + "Х": true, + "Ќ": true, + "Κ": true, + "Ķ": true, + "К": true, + "𝔎": true, + "𝕂": true, + "𝒦": true, + "Љ": true, + "<": true, + "<": true, + "Ĺ": true, + "Λ": true, + "⟪": true, + "ℒ": true, + "↞": true, + "Ľ": true, + "Ļ": true, + "Л": true, + "⟨": true, + "←": true, + "⇤": true, + "⇆": true, + "⌈": true, + "⟦": true, + "⥡": true, + "⇃": true, + "⥙": true, + "⌊": true, + "↔": true, + "⥎": true, + "⊣": true, + "↤": true, + "⥚": true, + "⊲": true, + "⧏": true, + "⊴": true, + "⥑": true, + "⥠": true, + "↿": true, + "⥘": true, + "↼": true, + "⥒": true, + "⇐": true, + "⇔": true, + "⋚": true, + "≦": true, + "≶": true, + "⪡": true, + "⩽": true, + "≲": true, + "𝔏": true, + "⋘": true, + "⇚": true, + "Ŀ": true, + "⟵": true, + "⟷": true, + "⟶": true, + "⟸": true, + "⟺": true, + "⟹": true, + "𝕃": true, + "↙": true, + "↘": true, + "ℒ": true, + "↰": true, + "Ł": true, + "≪": true, + "⤅": true, + "М": true, + " ": true, + "ℳ": true, + "𝔐": true, + "∓": true, + "𝕄": true, + "ℳ": true, + "Μ": true, + "Њ": true, + "Ń": true, + "Ň": true, + "Ņ": true, + "Н": true, + "​": true, + "​": true, + "​": true, + "​": true, + "≫": true, + "≪": true, + " ": true, + "𝔑": true, + "⁠": true, + " ": true, + "ℕ": true, + "⫬": true, + "≢": true, + "≭": true, + "∦": true, + "∉": true, + "≠": true, + "≂̸": true, + "∄": true, + "≯": true, + "≱": true, + "≧̸": true, + "≫̸": true, + "≹": true, + "⩾̸": true, + "≵": true, + "≎̸": true, + "≏̸": true, + "⋪": true, + "⧏̸": true, + "⋬": true, + "≮": true, + "≰": true, + "≸": true, + "≪̸": true, + "⩽̸": true, + "≴": true, + "⪢̸": true, + "⪡̸": true, + "⊀": true, + "⪯̸": true, + "⋠": true, + "∌": true, + "⋫": true, + "⧐̸": true, + "⋭": true, + "⊏̸": true, + "⋢": true, + "⊐̸": true, + "⋣": true, + "⊂⃒": true, + "⊈": true, + "⊁": true, + "⪰̸": true, + "⋡": true, + "≿̸": true, + "⊃⃒": true, + "⊉": true, + "≁": true, + "≄": true, + "≇": true, + "≉": true, + "∤": true, + "𝒩": true, + "Ñ": true, + "Ñ": true, + "Ν": true, + "Œ": true, + "Ó": true, + "Ó": true, + "Ô": true, + "Ô": true, + "О": true, + "Ő": true, + "𝔒": true, + "Ò": true, + "Ò": true, + "Ō": true, + "Ω": true, + "Ο": true, + "𝕆": true, + "“": true, + "‘": true, + "⩔": true, + "𝒪": true, + "Ø": true, + "Ø": true, + "Õ": true, + "Õ": true, + "⨷": true, + "Ö": true, + "Ö": true, + "‾": true, + "⏞": true, + "⎴": true, + "⏜": true, + "∂": true, + "П": true, + "𝔓": true, + "Φ": true, + "Π": true, + "±": true, + "ℌ": true, + "ℙ": true, + "⪻": true, + "≺": true, + "⪯": true, + "≼": true, + "≾": true, + "″": true, + "∏": true, + "∷": true, + "∝": true, + "𝒫": true, + "Ψ": true, + """: true, + """: true, + "𝔔": true, + "ℚ": true, + "𝒬": true, + "⤐": true, + "®": true, + "®": true, + "Ŕ": true, + "⟫": true, + "↠": true, + "⤖": true, + "Ř": true, + "Ŗ": true, + "Р": true, + "ℜ": true, + "∋": true, + "⇋": true, + "⥯": true, + "ℜ": true, + "Ρ": true, + "⟩": true, + "→": true, + "⇥": true, + "⇄": true, + "⌉": true, + "⟧": true, + "⥝": true, + "⇂": true, + "⥕": true, + "⌋": true, + "⊢": true, + "↦": true, + "⥛": true, + "⊳": true, + "⧐": true, + "⊵": true, + "⥏": true, + "⥜": true, + "↾": true, + "⥔": true, + "⇀": true, + "⥓": true, + "⇒": true, + "ℝ": true, + "⥰": true, + "⇛": true, + "ℛ": true, + "↱": true, + "⧴": true, + "Щ": true, + "Ш": true, + "Ь": true, + "Ś": true, + "⪼": true, + "Š": true, + "Ş": true, + "Ŝ": true, + "С": true, + "𝔖": true, + "↓": true, + "←": true, + "→": true, + "↑": true, + "Σ": true, + "∘": true, + "𝕊": true, + "√": true, + "□": true, + "⊓": true, + "⊏": true, + "⊑": true, + "⊐": true, + "⊒": true, + "⊔": true, + "𝒮": true, + "⋆": true, + "⋐": true, + "⋐": true, + "⊆": true, + "≻": true, + "⪰": true, + "≽": true, + "≿": true, + "∋": true, + "∑": true, + "⋑": true, + "⊃": true, + "⊇": true, + "⋑": true, + "Þ": true, + "Þ": true, + "™": true, + "Ћ": true, + "Ц": true, + " ": true, + "Τ": true, + "Ť": true, + "Ţ": true, + "Т": true, + "𝔗": true, + "∴": true, + "Θ": true, + "  ": true, + " ": true, + "∼": true, + "≃": true, + "≅": true, + "≈": true, + "𝕋": true, + "⃛": true, + "𝒯": true, + "Ŧ": true, + "Ú": true, + "Ú": true, + "↟": true, + "⥉": true, + "Ў": true, + "Ŭ": true, + "Û": true, + "Û": true, + "У": true, + "Ű": true, + "𝔘": true, + "Ù": true, + "Ù": true, + "Ū": true, + "_": true, + "⏟": true, + "⎵": true, + "⏝": true, + "⋃": true, + "⊎": true, + "Ų": true, + "𝕌": true, + "↑": true, + "⤒": true, + "⇅": true, + "↕": true, + "⥮": true, + "⊥": true, + "↥": true, + "⇑": true, + "⇕": true, + "↖": true, + "↗": true, + "ϒ": true, + "Υ": true, + "Ů": true, + "𝒰": true, + "Ũ": true, + "Ü": true, + "Ü": true, + "⊫": true, + "⫫": true, + "В": true, + "⊩": true, + "⫦": true, + "⋁": true, + "‖": true, + "‖": true, + "∣": true, + "|": true, + "❘": true, + "≀": true, + " ": true, + "𝔙": true, + "𝕍": true, + "𝒱": true, + "⊪": true, + "Ŵ": true, + "⋀": true, + "𝔚": true, + "𝕎": true, + "𝒲": true, + "𝔛": true, + "Ξ": true, + "𝕏": true, + "𝒳": true, + "Я": true, + "Ї": true, + "Ю": true, + "Ý": true, + "Ý": true, + "Ŷ": true, + "Ы": true, + "𝔜": true, + "𝕐": true, + "𝒴": true, + "Ÿ": true, + "Ж": true, + "Ź": true, + "Ž": true, + "З": true, + "Ż": true, + "​": true, + "Ζ": true, + "ℨ": true, + "ℤ": true, + "𝒵": true, + "á": true, + "á": true, + "ă": true, + "∾": true, + "∾̳": true, + "∿": true, + "â": true, + "â": true, + "´": true, + "´": true, + "а": true, + "æ": true, + "æ": true, + "⁡": true, + "𝔞": true, + "à": true, + "à": true, + "ℵ": true, + "ℵ": true, + "α": true, + "ā": true, + "⨿": true, + "&": true, + "&": true, + "∧": true, + "⩕": true, + "⩜": true, + "⩘": true, + "⩚": true, + "∠": true, + "⦤": true, + "∠": true, + "∡": true, + "⦨": true, + "⦩": true, + "⦪": true, + "⦫": true, + "⦬": true, + "⦭": true, + "⦮": true, + "⦯": true, + "∟": true, + "⊾": true, + "⦝": true, + "∢": true, + "Å": true, + "⍼": true, + "ą": true, + "𝕒": true, + "≈": true, + "⩰": true, + "⩯": true, + "≊": true, + "≋": true, + "'": true, + "≈": true, + "≊": true, + "å": true, + "å": true, + "𝒶": true, + "*": true, + "≈": true, + "≍": true, + "ã": true, + "ã": true, + "ä": true, + "ä": true, + "∳": true, + "⨑": true, + "⫭": true, + "≌": true, + "϶": true, + "‵": true, + "∽": true, + "⋍": true, + "⊽": true, + "⌅": true, + "⌅": true, + "⎵": true, + "⎶": true, + "≌": true, + "б": true, + "„": true, + "∵": true, + "∵": true, + "⦰": true, + "϶": true, + "ℬ": true, + "β": true, + "ℶ": true, + "≬": true, + "𝔟": true, + "⋂": true, + "◯": true, + "⋃": true, + "⨀": true, + "⨁": true, + "⨂": true, + "⨆": true, + "★": true, + "▽": true, + "△": true, + "⨄": true, + "⋁": true, + "⋀": true, + "⤍": true, + "⧫": true, + "▪": true, + "▴": true, + "▾": true, + "◂": true, + "▸": true, + "␣": true, + "▒": true, + "░": true, + "▓": true, + "█": true, + "=⃥": true, + "≡⃥": true, + "⌐": true, + "𝕓": true, + "⊥": true, + "⊥": true, + "⋈": true, + "╗": true, + "╔": true, + "╖": true, + "╓": true, + "═": true, + "╦": true, + "╩": true, + "╤": true, + "╧": true, + "╝": true, + "╚": true, + "╜": true, + "╙": true, + "║": true, + "╬": true, + "╣": true, + "╠": true, + "╫": true, + "╢": true, + "╟": true, + "⧉": true, + "╕": true, + "╒": true, + "┐": true, + "┌": true, + "─": true, + "╥": true, + "╨": true, + "┬": true, + "┴": true, + "⊟": true, + "⊞": true, + "⊠": true, + "╛": true, + "╘": true, + "┘": true, + "└": true, + "│": true, + "╪": true, + "╡": true, + "╞": true, + "┼": true, + "┤": true, + "├": true, + "‵": true, + "˘": true, + "¦": true, + "¦": true, + "𝒷": true, + "⁏": true, + "∽": true, + "⋍": true, + "\": true, + "⧅": true, + "⟈": true, + "•": true, + "•": true, + "≎": true, + "⪮": true, + "≏": true, + "≏": true, + "ć": true, + "∩": true, + "⩄": true, + "⩉": true, + "⩋": true, + "⩇": true, + "⩀": true, + "∩︀": true, + "⁁": true, + "ˇ": true, + "⩍": true, + "č": true, + "ç": true, + "ç": true, + "ĉ": true, + "⩌": true, + "⩐": true, + "ċ": true, + "¸": true, + "¸": true, + "⦲": true, + "¢": true, + "¢": true, + "·": true, + "𝔠": true, + "ч": true, + "✓": true, + "✓": true, + "χ": true, + "○": true, + "⧃": true, + "ˆ": true, + "≗": true, + "↺": true, + "↻": true, + "®": true, + "Ⓢ": true, + "⊛": true, + "⊚": true, + "⊝": true, + "≗": true, + "⨐": true, + "⫯": true, + "⧂": true, + "♣": true, + "♣": true, + ":": true, + "≔": true, + "≔": true, + ",": true, + "@": true, + "∁": true, + "∘": true, + "∁": true, + "ℂ": true, + "≅": true, + "⩭": true, + "∮": true, + "𝕔": true, + "∐": true, + "©": true, + "©": true, + "℗": true, + "↵": true, + "✗": true, + "𝒸": true, + "⫏": true, + "⫑": true, + "⫐": true, + "⫒": true, + "⋯": true, + "⤸": true, + "⤵": true, + "⋞": true, + "⋟": true, + "↶": true, + "⤽": true, + "∪": true, + "⩈": true, + "⩆": true, + "⩊": true, + "⊍": true, + "⩅": true, + "∪︀": true, + "↷": true, + "⤼": true, + "⋞": true, + "⋟": true, + "⋎": true, + "⋏": true, + "¤": true, + "¤": true, + "↶": true, + "↷": true, + "⋎": true, + "⋏": true, + "∲": true, + "∱": true, + "⌭": true, + "⇓": true, + "⥥": true, + "†": true, + "ℸ": true, + "↓": true, + "‐": true, + "⊣": true, + "⤏": true, + "˝": true, + "ď": true, + "д": true, + "ⅆ": true, + "‡": true, + "⇊": true, + "⩷": true, + "°": true, + "°": true, + "δ": true, + "⦱": true, + "⥿": true, + "𝔡": true, + "⇃": true, + "⇂": true, + "⋄": true, + "⋄": true, + "♦": true, + "♦": true, + "¨": true, + "ϝ": true, + "⋲": true, + "÷": true, + "÷": true, + "÷": true, + "⋇": true, + "⋇": true, + "ђ": true, + "⌞": true, + "⌍": true, + "$": true, + "𝕕": true, + "˙": true, + "≐": true, + "≑": true, + "∸": true, + "∔": true, + "⊡": true, + "⌆": true, + "↓": true, + "⇊": true, + "⇃": true, + "⇂": true, + "⤐": true, + "⌟": true, + "⌌": true, + "𝒹": true, + "ѕ": true, + "⧶": true, + "đ": true, + "⋱": true, + "▿": true, + "▾": true, + "⇵": true, + "⥯": true, + "⦦": true, + "џ": true, + "⟿": true, + "⩷": true, + "≑": true, + "é": true, + "é": true, + "⩮": true, + "ě": true, + "≖": true, + "ê": true, + "ê": true, + "≕": true, + "э": true, + "ė": true, + "ⅇ": true, + "≒": true, + "𝔢": true, + "⪚": true, + "è": true, + "è": true, + "⪖": true, + "⪘": true, + "⪙": true, + "⏧": true, + "ℓ": true, + "⪕": true, + "⪗": true, + "ē": true, + "∅": true, + "∅": true, + "∅": true, + " ": true, + " ": true, + " ": true, + "ŋ": true, + " ": true, + "ę": true, + "𝕖": true, + "⋕": true, + "⧣": true, + "⩱": true, + "ε": true, + "ε": true, + "ϵ": true, + "≖": true, + "≕": true, + "≂": true, + "⪖": true, + "⪕": true, + "=": true, + "≟": true, + "≡": true, + "⩸": true, + "⧥": true, + "≓": true, + "⥱": true, + "ℯ": true, + "≐": true, + "≂": true, + "η": true, + "ð": true, + "ð": true, + "ë": true, + "ë": true, + "€": true, + "!": true, + "∃": true, + "ℰ": true, + "ⅇ": true, + "≒": true, + "ф": true, + "♀": true, + "ffi": true, + "ff": true, + "ffl": true, + "𝔣": true, + "fi": true, + "fj": true, + "♭": true, + "fl": true, + "▱": true, + "ƒ": true, + "𝕗": true, + "∀": true, + "⋔": true, + "⫙": true, + "⨍": true, + "½": true, + "½": true, + "⅓": true, + "¼": true, + "¼": true, + "⅕": true, + "⅙": true, + "⅛": true, + "⅔": true, + "⅖": true, + "¾": true, + "¾": true, + "⅗": true, + "⅜": true, + "⅘": true, + "⅚": true, + "⅝": true, + "⅞": true, + "⁄": true, + "⌢": true, + "𝒻": true, + "≧": true, + "⪌": true, + "ǵ": true, + "γ": true, + "ϝ": true, + "⪆": true, + "ğ": true, + "ĝ": true, + "г": true, + "ġ": true, + "≥": true, + "⋛": true, + "≥": true, + "≧": true, + "⩾": true, + "⩾": true, + "⪩": true, + "⪀": true, + "⪂": true, + "⪄": true, + "⋛︀": true, + "⪔": true, + "𝔤": true, + "≫": true, + "⋙": true, + "ℷ": true, + "ѓ": true, + "≷": true, + "⪒": true, + "⪥": true, + "⪤": true, + "≩": true, + "⪊": true, + "⪊": true, + "⪈": true, + "⪈": true, + "≩": true, + "⋧": true, + "𝕘": true, + "`": true, + "ℊ": true, + "≳": true, + "⪎": true, + "⪐": true, + ">": true, + ">": true, + "⪧": true, + "⩺": true, + "⋗": true, + "⦕": true, + "⩼": true, + "⪆": true, + "⥸": true, + "⋗": true, + "⋛": true, + "⪌": true, + "≷": true, + "≳": true, + "≩︀": true, + "≩︀": true, + "⇔": true, + " ": true, + "½": true, + "ℋ": true, + "ъ": true, + "↔": true, + "⥈": true, + "↭": true, + "ℏ": true, + "ĥ": true, + "♥": true, + "♥": true, + "…": true, + "⊹": true, + "𝔥": true, + "⤥": true, + "⤦": true, + "⇿": true, + "∻": true, + "↩": true, + "↪": true, + "𝕙": true, + "―": true, + "𝒽": true, + "ℏ": true, + "ħ": true, + "⁃": true, + "‐": true, + "í": true, + "í": true, + "⁣": true, + "î": true, + "î": true, + "и": true, + "е": true, + "¡": true, + "¡": true, + "⇔": true, + "𝔦": true, + "ì": true, + "ì": true, + "ⅈ": true, + "⨌": true, + "∭": true, + "⧜": true, + "℩": true, + "ij": true, + "ī": true, + "ℑ": true, + "ℐ": true, + "ℑ": true, + "ı": true, + "⊷": true, + "Ƶ": true, + "∈": true, + "℅": true, + "∞": true, + "⧝": true, + "ı": true, + "∫": true, + "⊺": true, + "ℤ": true, + "⊺": true, + "⨗": true, + "⨼": true, + "ё": true, + "į": true, + "𝕚": true, + "ι": true, + "⨼": true, + "¿": true, + "¿": true, + "𝒾": true, + "∈": true, + "⋹": true, + "⋵": true, + "⋴": true, + "⋳": true, + "∈": true, + "⁢": true, + "ĩ": true, + "і": true, + "ï": true, + "ï": true, + "ĵ": true, + "й": true, + "𝔧": true, + "ȷ": true, + "𝕛": true, + "𝒿": true, + "ј": true, + "є": true, + "κ": true, + "ϰ": true, + "ķ": true, + "к": true, + "𝔨": true, + "ĸ": true, + "х": true, + "ќ": true, + "𝕜": true, + "𝓀": true, + "⇚": true, + "⇐": true, + "⤛": true, + "⤎": true, + "≦": true, + "⪋": true, + "⥢": true, + "ĺ": true, + "⦴": true, + "ℒ": true, + "λ": true, + "⟨": true, + "⦑": true, + "⟨": true, + "⪅": true, + "«": true, + "«": true, + "←": true, + "⇤": true, + "⤟": true, + "⤝": true, + "↩": true, + "↫": true, + "⤹": true, + "⥳": true, + "↢": true, + "⪫": true, + "⤙": true, + "⪭": true, + "⪭︀": true, + "⤌": true, + "❲": true, + "{": true, + "[": true, + "⦋": true, + "⦏": true, + "⦍": true, + "ľ": true, + "ļ": true, + "⌈": true, + "{": true, + "л": true, + "⤶": true, + "“": true, + "„": true, + "⥧": true, + "⥋": true, + "↲": true, + "≤": true, + "←": true, + "↢": true, + "↽": true, + "↼": true, + "⇇": true, + "↔": true, + "⇆": true, + "⇋": true, + "↭": true, + "⋋": true, + "⋚": true, + "≤": true, + "≦": true, + "⩽": true, + "⩽": true, + "⪨": true, + "⩿": true, + "⪁": true, + "⪃": true, + "⋚︀": true, + "⪓": true, + "⪅": true, + "⋖": true, + "⋚": true, + "⪋": true, + "≶": true, + "≲": true, + "⥼": true, + "⌊": true, + "𝔩": true, + "≶": true, + "⪑": true, + "↽": true, + "↼": true, + "⥪": true, + "▄": true, + "љ": true, + "≪": true, + "⇇": true, + "⌞": true, + "⥫": true, + "◺": true, + "ŀ": true, + "⎰": true, + "⎰": true, + "≨": true, + "⪉": true, + "⪉": true, + "⪇": true, + "⪇": true, + "≨": true, + "⋦": true, + "⟬": true, + "⇽": true, + "⟦": true, + "⟵": true, + "⟷": true, + "⟼": true, + "⟶": true, + "↫": true, + "↬": true, + "⦅": true, + "𝕝": true, + "⨭": true, + "⨴": true, + "∗": true, + "_": true, + "◊": true, + "◊": true, + "⧫": true, + "(": true, + "⦓": true, + "⇆": true, + "⌟": true, + "⇋": true, + "⥭": true, + "‎": true, + "⊿": true, + "‹": true, + "𝓁": true, + "↰": true, + "≲": true, + "⪍": true, + "⪏": true, + "[": true, + "‘": true, + "‚": true, + "ł": true, + "<": true, + "<": true, + "⪦": true, + "⩹": true, + "⋖": true, + "⋋": true, + "⋉": true, + "⥶": true, + "⩻": true, + "⦖": true, + "◃": true, + "⊴": true, + "◂": true, + "⥊": true, + "⥦": true, + "≨︀": true, + "≨︀": true, + "∺": true, + "¯": true, + "¯": true, + "♂": true, + "✠": true, + "✠": true, + "↦": true, + "↦": true, + "↧": true, + "↤": true, + "↥": true, + "▮": true, + "⨩": true, + "м": true, + "—": true, + "∡": true, + "𝔪": true, + "℧": true, + "µ": true, + "µ": true, + "∣": true, + "*": true, + "⫰": true, + "·": true, + "·": true, + "−": true, + "⊟": true, + "∸": true, + "⨪": true, + "⫛": true, + "…": true, + "∓": true, + "⊧": true, + "𝕞": true, + "∓": true, + "𝓂": true, + "∾": true, + "μ": true, + "⊸": true, + "⊸": true, + "⋙̸": true, + "≫⃒": true, + "≫̸": true, + "⇍": true, + "⇎": true, + "⋘̸": true, + "≪⃒": true, + "≪̸": true, + "⇏": true, + "⊯": true, + "⊮": true, + "∇": true, + "ń": true, + "∠⃒": true, + "≉": true, + "⩰̸": true, + "≋̸": true, + "ʼn": true, + "≉": true, + "♮": true, + "♮": true, + "ℕ": true, + " ": true, + " ": true, + "≎̸": true, + "≏̸": true, + "⩃": true, + "ň": true, + "ņ": true, + "≇": true, + "⩭̸": true, + "⩂": true, + "н": true, + "–": true, + "≠": true, + "⇗": true, + "⤤": true, + "↗": true, + "↗": true, + "≐̸": true, + "≢": true, + "⤨": true, + "≂̸": true, + "∄": true, + "∄": true, + "𝔫": true, + "≧̸": true, + "≱": true, + "≱": true, + "≧̸": true, + "⩾̸": true, + "⩾̸": true, + "≵": true, + "≯": true, + "≯": true, + "⇎": true, + "↮": true, + "⫲": true, + "∋": true, + "⋼": true, + "⋺": true, + "∋": true, + "њ": true, + "⇍": true, + "≦̸": true, + "↚": true, + "‥": true, + "≰": true, + "↚": true, + "↮": true, + "≰": true, + "≦̸": true, + "⩽̸": true, + "⩽̸": true, + "≮": true, + "≴": true, + "≮": true, + "⋪": true, + "⋬": true, + "∤": true, + "𝕟": true, + "¬": true, + "¬": true, + "∉": true, + "⋹̸": true, + "⋵̸": true, + "∉": true, + "⋷": true, + "⋶": true, + "∌": true, + "∌": true, + "⋾": true, + "⋽": true, + "∦": true, + "∦": true, + "⫽⃥": true, + "∂̸": true, + "⨔": true, + "⊀": true, + "⋠": true, + "⪯̸": true, + "⊀": true, + "⪯̸": true, + "⇏": true, + "↛": true, + "⤳̸": true, + "↝̸": true, + "↛": true, + "⋫": true, + "⋭": true, + "⊁": true, + "⋡": true, + "⪰̸": true, + "𝓃": true, + "∤": true, + "∦": true, + "≁": true, + "≄": true, + "≄": true, + "∤": true, + "∦": true, + "⋢": true, + "⋣": true, + "⊄": true, + "⫅̸": true, + "⊈": true, + "⊂⃒": true, + "⊈": true, + "⫅̸": true, + "⊁": true, + "⪰̸": true, + "⊅": true, + "⫆̸": true, + "⊉": true, + "⊃⃒": true, + "⊉": true, + "⫆̸": true, + "≹": true, + "ñ": true, + "ñ": true, + "≸": true, + "⋪": true, + "⋬": true, + "⋫": true, + "⋭": true, + "ν": true, + "#": true, + "№": true, + " ": true, + "⊭": true, + "⤄": true, + "≍⃒": true, + "⊬": true, + "≥⃒": true, + ">⃒": true, + "⧞": true, + "⤂": true, + "≤⃒": true, + "<⃒": true, + "⊴⃒": true, + "⤃": true, + "⊵⃒": true, + "∼⃒": true, + "⇖": true, + "⤣": true, + "↖": true, + "↖": true, + "⤧": true, + "Ⓢ": true, + "ó": true, + "ó": true, + "⊛": true, + "⊚": true, + "ô": true, + "ô": true, + "о": true, + "⊝": true, + "ő": true, + "⨸": true, + "⊙": true, + "⦼": true, + "œ": true, + "⦿": true, + "𝔬": true, + "˛": true, + "ò": true, + "ò": true, + "⧁": true, + "⦵": true, + "Ω": true, + "∮": true, + "↺": true, + "⦾": true, + "⦻": true, + "‾": true, + "⧀": true, + "ō": true, + "ω": true, + "ο": true, + "⦶": true, + "⊖": true, + "𝕠": true, + "⦷": true, + "⦹": true, + "⊕": true, + "∨": true, + "↻": true, + "⩝": true, + "ℴ": true, + "ℴ": true, + "ª": true, + "ª": true, + "º": true, + "º": true, + "⊶": true, + "⩖": true, + "⩗": true, + "⩛": true, + "ℴ": true, + "ø": true, + "ø": true, + "⊘": true, + "õ": true, + "õ": true, + "⊗": true, + "⨶": true, + "ö": true, + "ö": true, + "⌽": true, + "∥": true, + "¶": true, + "¶": true, + "∥": true, + "⫳": true, + "⫽": true, + "∂": true, + "п": true, + "%": true, + ".": true, + "‰": true, + "⊥": true, + "‱": true, + "𝔭": true, + "φ": true, + "ϕ": true, + "ℳ": true, + "☎": true, + "π": true, + "⋔": true, + "ϖ": true, + "ℏ": true, + "ℎ": true, + "ℏ": true, + "+": true, + "⨣": true, + "⊞": true, + "⨢": true, + "∔": true, + "⨥": true, + "⩲": true, + "±": true, + "±": true, + "⨦": true, + "⨧": true, + "±": true, + "⨕": true, + "𝕡": true, + "£": true, + "£": true, + "≺": true, + "⪳": true, + "⪷": true, + "≼": true, + "⪯": true, + "≺": true, + "⪷": true, + "≼": true, + "⪯": true, + "⪹": true, + "⪵": true, + "⋨": true, + "≾": true, + "′": true, + "ℙ": true, + "⪵": true, + "⪹": true, + "⋨": true, + "∏": true, + "⌮": true, + "⌒": true, + "⌓": true, + "∝": true, + "∝": true, + "≾": true, + "⊰": true, + "𝓅": true, + "ψ": true, + " ": true, + "𝔮": true, + "⨌": true, + "𝕢": true, + "⁗": true, + "𝓆": true, + "ℍ": true, + "⨖": true, + "?": true, + "≟": true, + """: true, + """: true, + "⇛": true, + "⇒": true, + "⤜": true, + "⤏": true, + "⥤": true, + "∽̱": true, + "ŕ": true, + "√": true, + "⦳": true, + "⟩": true, + "⦒": true, + "⦥": true, + "⟩": true, + "»": true, + "»": true, + "→": true, + "⥵": true, + "⇥": true, + "⤠": true, + "⤳": true, + "⤞": true, + "↪": true, + "↬": true, + "⥅": true, + "⥴": true, + "↣": true, + "↝": true, + "⤚": true, + "∶": true, + "ℚ": true, + "⤍": true, + "❳": true, + "}": true, + "]": true, + "⦌": true, + "⦎": true, + "⦐": true, + "ř": true, + "ŗ": true, + "⌉": true, + "}": true, + "р": true, + "⤷": true, + "⥩": true, + "”": true, + "”": true, + "↳": true, + "ℜ": true, + "ℛ": true, + "ℜ": true, + "ℝ": true, + "▭": true, + "®": true, + "®": true, + "⥽": true, + "⌋": true, + "𝔯": true, + "⇁": true, + "⇀": true, + "⥬": true, + "ρ": true, + "ϱ": true, + "→": true, + "↣": true, + "⇁": true, + "⇀": true, + "⇄": true, + "⇌": true, + "⇉": true, + "↝": true, + "⋌": true, + "˚": true, + "≓": true, + "⇄": true, + "⇌": true, + "‏": true, + "⎱": true, + "⎱": true, + "⫮": true, + "⟭": true, + "⇾": true, + "⟧": true, + "⦆": true, + "𝕣": true, + "⨮": true, + "⨵": true, + ")": true, + "⦔": true, + "⨒": true, + "⇉": true, + "›": true, + "𝓇": true, + "↱": true, + "]": true, + "’": true, + "’": true, + "⋌": true, + "⋊": true, + "▹": true, + "⊵": true, + "▸": true, + "⧎": true, + "⥨": true, + "℞": true, + "ś": true, + "‚": true, + "≻": true, + "⪴": true, + "⪸": true, + "š": true, + "≽": true, + "⪰": true, + "ş": true, + "ŝ": true, + "⪶": true, + "⪺": true, + "⋩": true, + "⨓": true, + "≿": true, + "с": true, + "⋅": true, + "⊡": true, + "⩦": true, + "⇘": true, + "⤥": true, + "↘": true, + "↘": true, + "§": true, + "§": true, + ";": true, + "⤩": true, + "∖": true, + "∖": true, + "✶": true, + "𝔰": true, + "⌢": true, + "♯": true, + "щ": true, + "ш": true, + "∣": true, + "∥": true, + "­": true, + "­": true, + "σ": true, + "ς": true, + "ς": true, + "∼": true, + "⩪": true, + "≃": true, + "≃": true, + "⪞": true, + "⪠": true, + "⪝": true, + "⪟": true, + "≆": true, + "⨤": true, + "⥲": true, + "←": true, + "∖": true, + "⨳": true, + "⧤": true, + "∣": true, + "⌣": true, + "⪪": true, + "⪬": true, + "⪬︀": true, + "ь": true, + "/": true, + "⧄": true, + "⌿": true, + "𝕤": true, + "♠": true, + "♠": true, + "∥": true, + "⊓": true, + "⊓︀": true, + "⊔": true, + "⊔︀": true, + "⊏": true, + "⊑": true, + "⊏": true, + "⊑": true, + "⊐": true, + "⊒": true, + "⊐": true, + "⊒": true, + "□": true, + "□": true, + "▪": true, + "▪": true, + "→": true, + "𝓈": true, + "∖": true, + "⌣": true, + "⋆": true, + "☆": true, + "★": true, + "ϵ": true, + "ϕ": true, + "¯": true, + "⊂": true, + "⫅": true, + "⪽": true, + "⊆": true, + "⫃": true, + "⫁": true, + "⫋": true, + "⊊": true, + "⪿": true, + "⥹": true, + "⊂": true, + "⊆": true, + "⫅": true, + "⊊": true, + "⫋": true, + "⫇": true, + "⫕": true, + "⫓": true, + "≻": true, + "⪸": true, + "≽": true, + "⪰": true, + "⪺": true, + "⪶": true, + "⋩": true, + "≿": true, + "∑": true, + "♪": true, + "¹": true, + "¹": true, + "²": true, + "²": true, + "³": true, + "³": true, + "⊃": true, + "⫆": true, + "⪾": true, + "⫘": true, + "⊇": true, + "⫄": true, + "⟉": true, + "⫗": true, + "⥻": true, + "⫂": true, + "⫌": true, + "⊋": true, + "⫀": true, + "⊃": true, + "⊇": true, + "⫆": true, + "⊋": true, + "⫌": true, + "⫈": true, + "⫔": true, + "⫖": true, + "⇙": true, + "⤦": true, + "↙": true, + "↙": true, + "⤪": true, + "ß": true, + "ß": true, + "⌖": true, + "τ": true, + "⎴": true, + "ť": true, + "ţ": true, + "т": true, + "⃛": true, + "⌕": true, + "𝔱": true, + "∴": true, + "∴": true, + "θ": true, + "ϑ": true, + "ϑ": true, + "≈": true, + "∼": true, + " ": true, + "≈": true, + "∼": true, + "þ": true, + "þ": true, + "˜": true, + "×": true, + "×": true, + "⊠": true, + "⨱": true, + "⨰": true, + "∭": true, + "⤨": true, + "⊤": true, + "⌶": true, + "⫱": true, + "𝕥": true, + "⫚": true, + "⤩": true, + "‴": true, + "™": true, + "▵": true, + "▿": true, + "◃": true, + "⊴": true, + "≜": true, + "▹": true, + "⊵": true, + "◬": true, + "≜": true, + "⨺": true, + "⨹": true, + "⧍": true, + "⨻": true, + "⏢": true, + "𝓉": true, + "ц": true, + "ћ": true, + "ŧ": true, + "≬": true, + "↞": true, + "↠": true, + "⇑": true, + "⥣": true, + "ú": true, + "ú": true, + "↑": true, + "ў": true, + "ŭ": true, + "û": true, + "û": true, + "у": true, + "⇅": true, + "ű": true, + "⥮": true, + "⥾": true, + "𝔲": true, + "ù": true, + "ù": true, + "↿": true, + "↾": true, + "▀": true, + "⌜": true, + "⌜": true, + "⌏": true, + "◸": true, + "ū": true, + "¨": true, + "¨": true, + "ų": true, + "𝕦": true, + "↑": true, + "↕": true, + "↿": true, + "↾": true, + "⊎": true, + "υ": true, + "ϒ": true, + "υ": true, + "⇈": true, + "⌝": true, + "⌝": true, + "⌎": true, + "ů": true, + "◹": true, + "𝓊": true, + "⋰": true, + "ũ": true, + "▵": true, + "▴": true, + "⇈": true, + "ü": true, + "ü": true, + "⦧": true, + "⇕": true, + "⫨": true, + "⫩": true, + "⊨": true, + "⦜": true, + "ϵ": true, + "ϰ": true, + "∅": true, + "ϕ": true, + "ϖ": true, + "∝": true, + "↕": true, + "ϱ": true, + "ς": true, + "⊊︀": true, + "⫋︀": true, + "⊋︀": true, + "⫌︀": true, + "ϑ": true, + "⊲": true, + "⊳": true, + "в": true, + "⊢": true, + "∨": true, + "⊻": true, + "≚": true, + "⋮": true, + "|": true, + "|": true, + "𝔳": true, + "⊲": true, + "⊂⃒": true, + "⊃⃒": true, + "𝕧": true, + "∝": true, + "⊳": true, + "𝓋": true, + "⫋︀": true, + "⊊︀": true, + "⫌︀": true, + "⊋︀": true, + "⦚": true, + "ŵ": true, + "⩟": true, + "∧": true, + "≙": true, + "℘": true, + "𝔴": true, + "𝕨": true, + "℘": true, + "≀": true, + "≀": true, + "𝓌": true, + "⋂": true, + "◯": true, + "⋃": true, + "▽": true, + "𝔵": true, + "⟺": true, + "⟷": true, + "ξ": true, + "⟸": true, + "⟵": true, + "⟼": true, + "⋻": true, + "⨀": true, + "𝕩": true, + "⨁": true, + "⨂": true, + "⟹": true, + "⟶": true, + "𝓍": true, + "⨆": true, + "⨄": true, + "△": true, + "⋁": true, + "⋀": true, + "ý": true, + "ý": true, + "я": true, + "ŷ": true, + "ы": true, + "¥": true, + "¥": true, + "𝔶": true, + "ї": true, + "𝕪": true, + "𝓎": true, + "ю": true, + "ÿ": true, + "ÿ": true, + "ź": true, + "ž": true, + "з": true, + "ż": true, + "ℨ": true, + "ζ": true, + "𝔷": true, + "ж": true, + "⇝": true, + "𝕫": true, + "𝓏": true, + "‍": true, + "‌": true, +} diff --git a/vendor/github.com/russross/blackfriday/v2/esc.go b/vendor/github.com/russross/blackfriday/v2/esc.go new file mode 100644 index 0000000000..6ab60102c9 --- /dev/null +++ b/vendor/github.com/russross/blackfriday/v2/esc.go @@ -0,0 +1,70 @@ +package blackfriday + +import ( + "html" + "io" +) + +var htmlEscaper = [256][]byte{ + '&': []byte("&"), + '<': []byte("<"), + '>': []byte(">"), + '"': []byte("""), +} + +func escapeHTML(w io.Writer, s []byte) { + escapeEntities(w, s, false) +} + +func escapeAllHTML(w io.Writer, s []byte) { + escapeEntities(w, s, true) +} + +func escapeEntities(w io.Writer, s []byte, escapeValidEntities bool) { + var start, end int + for end < len(s) { + escSeq := htmlEscaper[s[end]] + if escSeq != nil { + isEntity, entityEnd := nodeIsEntity(s, end) + if isEntity && !escapeValidEntities { + w.Write(s[start : entityEnd+1]) + start = entityEnd + 1 + } else { + w.Write(s[start:end]) + w.Write(escSeq) + start = end + 1 + } + } + end++ + } + if start < len(s) && end <= len(s) { + w.Write(s[start:end]) + } +} + +func nodeIsEntity(s []byte, end int) (isEntity bool, endEntityPos int) { + isEntity = false + endEntityPos = end + 1 + + if s[end] == '&' { + for endEntityPos < len(s) { + if s[endEntityPos] == ';' { + if entities[string(s[end:endEntityPos+1])] { + isEntity = true + break + } + } + if !isalnum(s[endEntityPos]) && s[endEntityPos] != '&' && s[endEntityPos] != '#' { + break + } + endEntityPos++ + } + } + + return isEntity, endEntityPos +} + +func escLink(w io.Writer, text []byte) { + unesc := html.UnescapeString(string(text)) + escapeHTML(w, []byte(unesc)) +} diff --git a/vendor/github.com/russross/blackfriday/v2/html.go b/vendor/github.com/russross/blackfriday/v2/html.go new file mode 100644 index 0000000000..cb4f26e30f --- /dev/null +++ b/vendor/github.com/russross/blackfriday/v2/html.go @@ -0,0 +1,952 @@ +// +// Blackfriday Markdown Processor +// Available at http://github.com/russross/blackfriday +// +// Copyright © 2011 Russ Ross . +// Distributed under the Simplified BSD License. +// See README.md for details. +// + +// +// +// HTML rendering backend +// +// + +package blackfriday + +import ( + "bytes" + "fmt" + "io" + "regexp" + "strings" +) + +// HTMLFlags control optional behavior of HTML renderer. +type HTMLFlags int + +// HTML renderer configuration options. +const ( + HTMLFlagsNone HTMLFlags = 0 + SkipHTML HTMLFlags = 1 << iota // Skip preformatted HTML blocks + SkipImages // Skip embedded images + SkipLinks // Skip all links + Safelink // Only link to trusted protocols + NofollowLinks // Only link with rel="nofollow" + NoreferrerLinks // Only link with rel="noreferrer" + NoopenerLinks // Only link with rel="noopener" + HrefTargetBlank // Add a blank target + CompletePage // Generate a complete HTML page + UseXHTML // Generate XHTML output instead of HTML + FootnoteReturnLinks // Generate a link at the end of a footnote to return to the source + Smartypants // Enable smart punctuation substitutions + SmartypantsFractions // Enable smart fractions (with Smartypants) + SmartypantsDashes // Enable smart dashes (with Smartypants) + SmartypantsLatexDashes // Enable LaTeX-style dashes (with Smartypants) + SmartypantsAngledQuotes // Enable angled double quotes (with Smartypants) for double quotes rendering + SmartypantsQuotesNBSP // Enable « French guillemets » (with Smartypants) + TOC // Generate a table of contents +) + +var ( + htmlTagRe = regexp.MustCompile("(?i)^" + htmlTag) +) + +const ( + htmlTag = "(?:" + openTag + "|" + closeTag + "|" + htmlComment + "|" + + processingInstruction + "|" + declaration + "|" + cdata + ")" + closeTag = "]" + openTag = "<" + tagName + attribute + "*" + "\\s*/?>" + attribute = "(?:" + "\\s+" + attributeName + attributeValueSpec + "?)" + attributeValue = "(?:" + unquotedValue + "|" + singleQuotedValue + "|" + doubleQuotedValue + ")" + attributeValueSpec = "(?:" + "\\s*=" + "\\s*" + attributeValue + ")" + attributeName = "[a-zA-Z_:][a-zA-Z0-9:._-]*" + cdata = "" + declaration = "]*>" + doubleQuotedValue = "\"[^\"]*\"" + htmlComment = "|" + processingInstruction = "[<][?].*?[?][>]" + singleQuotedValue = "'[^']*'" + tagName = "[A-Za-z][A-Za-z0-9-]*" + unquotedValue = "[^\"'=<>`\\x00-\\x20]+" +) + +// HTMLRendererParameters is a collection of supplementary parameters tweaking +// the behavior of various parts of HTML renderer. +type HTMLRendererParameters struct { + // Prepend this text to each relative URL. + AbsolutePrefix string + // Add this text to each footnote anchor, to ensure uniqueness. + FootnoteAnchorPrefix string + // Show this text inside the tag for a footnote return link, if the + // HTML_FOOTNOTE_RETURN_LINKS flag is enabled. If blank, the string + // [return] is used. + FootnoteReturnLinkContents string + // If set, add this text to the front of each Heading ID, to ensure + // uniqueness. + HeadingIDPrefix string + // If set, add this text to the back of each Heading ID, to ensure uniqueness. + HeadingIDSuffix string + // Increase heading levels: if the offset is 1,

becomes

etc. + // Negative offset is also valid. + // Resulting levels are clipped between 1 and 6. + HeadingLevelOffset int + + Title string // Document title (used if CompletePage is set) + CSS string // Optional CSS file URL (used if CompletePage is set) + Icon string // Optional icon file URL (used if CompletePage is set) + + Flags HTMLFlags // Flags allow customizing this renderer's behavior +} + +// HTMLRenderer is a type that implements the Renderer interface for HTML output. +// +// Do not create this directly, instead use the NewHTMLRenderer function. +type HTMLRenderer struct { + HTMLRendererParameters + + closeTag string // how to end singleton tags: either " />" or ">" + + // Track heading IDs to prevent ID collision in a single generation. + headingIDs map[string]int + + lastOutputLen int + disableTags int + + sr *SPRenderer +} + +const ( + xhtmlClose = " />" + htmlClose = ">" +) + +// NewHTMLRenderer creates and configures an HTMLRenderer object, which +// satisfies the Renderer interface. +func NewHTMLRenderer(params HTMLRendererParameters) *HTMLRenderer { + // configure the rendering engine + closeTag := htmlClose + if params.Flags&UseXHTML != 0 { + closeTag = xhtmlClose + } + + if params.FootnoteReturnLinkContents == "" { + // U+FE0E is VARIATION SELECTOR-15. + // It suppresses automatic emoji presentation of the preceding + // U+21A9 LEFTWARDS ARROW WITH HOOK on iOS and iPadOS. + params.FootnoteReturnLinkContents = "↩\ufe0e" + } + + return &HTMLRenderer{ + HTMLRendererParameters: params, + + closeTag: closeTag, + headingIDs: make(map[string]int), + + sr: NewSmartypantsRenderer(params.Flags), + } +} + +func isHTMLTag(tag []byte, tagname string) bool { + found, _ := findHTMLTagPos(tag, tagname) + return found +} + +// Look for a character, but ignore it when it's in any kind of quotes, it +// might be JavaScript +func skipUntilCharIgnoreQuotes(html []byte, start int, char byte) int { + inSingleQuote := false + inDoubleQuote := false + inGraveQuote := false + i := start + for i < len(html) { + switch { + case html[i] == char && !inSingleQuote && !inDoubleQuote && !inGraveQuote: + return i + case html[i] == '\'': + inSingleQuote = !inSingleQuote + case html[i] == '"': + inDoubleQuote = !inDoubleQuote + case html[i] == '`': + inGraveQuote = !inGraveQuote + } + i++ + } + return start +} + +func findHTMLTagPos(tag []byte, tagname string) (bool, int) { + i := 0 + if i < len(tag) && tag[0] != '<' { + return false, -1 + } + i++ + i = skipSpace(tag, i) + + if i < len(tag) && tag[i] == '/' { + i++ + } + + i = skipSpace(tag, i) + j := 0 + for ; i < len(tag); i, j = i+1, j+1 { + if j >= len(tagname) { + break + } + + if strings.ToLower(string(tag[i]))[0] != tagname[j] { + return false, -1 + } + } + + if i == len(tag) { + return false, -1 + } + + rightAngle := skipUntilCharIgnoreQuotes(tag, i, '>') + if rightAngle >= i { + return true, rightAngle + } + + return false, -1 +} + +func skipSpace(tag []byte, i int) int { + for i < len(tag) && isspace(tag[i]) { + i++ + } + return i +} + +func isRelativeLink(link []byte) (yes bool) { + // a tag begin with '#' + if link[0] == '#' { + return true + } + + // link begin with '/' but not '//', the second maybe a protocol relative link + if len(link) >= 2 && link[0] == '/' && link[1] != '/' { + return true + } + + // only the root '/' + if len(link) == 1 && link[0] == '/' { + return true + } + + // current directory : begin with "./" + if bytes.HasPrefix(link, []byte("./")) { + return true + } + + // parent directory : begin with "../" + if bytes.HasPrefix(link, []byte("../")) { + return true + } + + return false +} + +func (r *HTMLRenderer) ensureUniqueHeadingID(id string) string { + for count, found := r.headingIDs[id]; found; count, found = r.headingIDs[id] { + tmp := fmt.Sprintf("%s-%d", id, count+1) + + if _, tmpFound := r.headingIDs[tmp]; !tmpFound { + r.headingIDs[id] = count + 1 + id = tmp + } else { + id = id + "-1" + } + } + + if _, found := r.headingIDs[id]; !found { + r.headingIDs[id] = 0 + } + + return id +} + +func (r *HTMLRenderer) addAbsPrefix(link []byte) []byte { + if r.AbsolutePrefix != "" && isRelativeLink(link) && link[0] != '.' { + newDest := r.AbsolutePrefix + if link[0] != '/' { + newDest += "/" + } + newDest += string(link) + return []byte(newDest) + } + return link +} + +func appendLinkAttrs(attrs []string, flags HTMLFlags, link []byte) []string { + if isRelativeLink(link) { + return attrs + } + val := []string{} + if flags&NofollowLinks != 0 { + val = append(val, "nofollow") + } + if flags&NoreferrerLinks != 0 { + val = append(val, "noreferrer") + } + if flags&NoopenerLinks != 0 { + val = append(val, "noopener") + } + if flags&HrefTargetBlank != 0 { + attrs = append(attrs, "target=\"_blank\"") + } + if len(val) == 0 { + return attrs + } + attr := fmt.Sprintf("rel=%q", strings.Join(val, " ")) + return append(attrs, attr) +} + +func isMailto(link []byte) bool { + return bytes.HasPrefix(link, []byte("mailto:")) +} + +func needSkipLink(flags HTMLFlags, dest []byte) bool { + if flags&SkipLinks != 0 { + return true + } + return flags&Safelink != 0 && !isSafeLink(dest) && !isMailto(dest) +} + +func isSmartypantable(node *Node) bool { + pt := node.Parent.Type + return pt != Link && pt != CodeBlock && pt != Code +} + +func appendLanguageAttr(attrs []string, info []byte) []string { + if len(info) == 0 { + return attrs + } + endOfLang := bytes.IndexAny(info, "\t ") + if endOfLang < 0 { + endOfLang = len(info) + } + return append(attrs, fmt.Sprintf("class=\"language-%s\"", info[:endOfLang])) +} + +func (r *HTMLRenderer) tag(w io.Writer, name []byte, attrs []string) { + w.Write(name) + if len(attrs) > 0 { + w.Write(spaceBytes) + w.Write([]byte(strings.Join(attrs, " "))) + } + w.Write(gtBytes) + r.lastOutputLen = 1 +} + +func footnoteRef(prefix string, node *Node) []byte { + urlFrag := prefix + string(slugify(node.Destination)) + anchor := fmt.Sprintf(`%d`, urlFrag, node.NoteID) + return []byte(fmt.Sprintf(`%s`, urlFrag, anchor)) +} + +func footnoteItem(prefix string, slug []byte) []byte { + return []byte(fmt.Sprintf(`
  • `, prefix, slug)) +} + +func footnoteReturnLink(prefix, returnLink string, slug []byte) []byte { + const format = ` %s` + return []byte(fmt.Sprintf(format, prefix, slug, returnLink)) +} + +func itemOpenCR(node *Node) bool { + if node.Prev == nil { + return false + } + ld := node.Parent.ListData + return !ld.Tight && ld.ListFlags&ListTypeDefinition == 0 +} + +func skipParagraphTags(node *Node) bool { + grandparent := node.Parent.Parent + if grandparent == nil || grandparent.Type != List { + return false + } + tightOrTerm := grandparent.Tight || node.Parent.ListFlags&ListTypeTerm != 0 + return grandparent.Type == List && tightOrTerm +} + +func cellAlignment(align CellAlignFlags) string { + switch align { + case TableAlignmentLeft: + return "left" + case TableAlignmentRight: + return "right" + case TableAlignmentCenter: + return "center" + default: + return "" + } +} + +func (r *HTMLRenderer) out(w io.Writer, text []byte) { + if r.disableTags > 0 { + w.Write(htmlTagRe.ReplaceAll(text, []byte{})) + } else { + w.Write(text) + } + r.lastOutputLen = len(text) +} + +func (r *HTMLRenderer) cr(w io.Writer) { + if r.lastOutputLen > 0 { + r.out(w, nlBytes) + } +} + +var ( + nlBytes = []byte{'\n'} + gtBytes = []byte{'>'} + spaceBytes = []byte{' '} +) + +var ( + brTag = []byte("
    ") + brXHTMLTag = []byte("
    ") + emTag = []byte("") + emCloseTag = []byte("") + strongTag = []byte("") + strongCloseTag = []byte("") + delTag = []byte("") + delCloseTag = []byte("") + ttTag = []byte("") + ttCloseTag = []byte("") + aTag = []byte("") + preTag = []byte("
    ")
+	preCloseTag        = []byte("
    ") + codeTag = []byte("") + codeCloseTag = []byte("") + pTag = []byte("

    ") + pCloseTag = []byte("

    ") + blockquoteTag = []byte("
    ") + blockquoteCloseTag = []byte("
    ") + hrTag = []byte("
    ") + hrXHTMLTag = []byte("
    ") + ulTag = []byte("
      ") + ulCloseTag = []byte("
    ") + olTag = []byte("
      ") + olCloseTag = []byte("
    ") + dlTag = []byte("
    ") + dlCloseTag = []byte("
    ") + liTag = []byte("
  • ") + liCloseTag = []byte("
    • ") + ddTag = []byte("
    ") + ddCloseTag = []byte("
    ") + dtTag = []byte("
    ") + dtCloseTag = []byte("
    ") + tableTag = []byte("

    ") + tableCloseTag = []byte("
    ") + tdTag = []byte("") + thTag = []byte("") + theadTag = []byte("") + theadCloseTag = []byte("") + tbodyTag = []byte("") + tbodyCloseTag = []byte("") + trTag = []byte("") + trCloseTag = []byte("") + h1Tag = []byte("") + h2Tag = []byte("") + h3Tag = []byte("") + h4Tag = []byte("") + h5Tag = []byte("") + h6Tag = []byte("") + + footnotesDivBytes = []byte("\n
    \n\n") + footnotesCloseDivBytes = []byte("\n
    \n") +) + +func headingTagsFromLevel(level int) ([]byte, []byte) { + if level <= 1 { + return h1Tag, h1CloseTag + } + switch level { + case 2: + return h2Tag, h2CloseTag + case 3: + return h3Tag, h3CloseTag + case 4: + return h4Tag, h4CloseTag + case 5: + return h5Tag, h5CloseTag + } + return h6Tag, h6CloseTag +} + +func (r *HTMLRenderer) outHRTag(w io.Writer) { + if r.Flags&UseXHTML == 0 { + r.out(w, hrTag) + } else { + r.out(w, hrXHTMLTag) + } +} + +// RenderNode is a default renderer of a single node of a syntax tree. For +// block nodes it will be called twice: first time with entering=true, second +// time with entering=false, so that it could know when it's working on an open +// tag and when on close. It writes the result to w. +// +// The return value is a way to tell the calling walker to adjust its walk +// pattern: e.g. it can terminate the traversal by returning Terminate. Or it +// can ask the walker to skip a subtree of this node by returning SkipChildren. +// The typical behavior is to return GoToNext, which asks for the usual +// traversal to the next node. +func (r *HTMLRenderer) RenderNode(w io.Writer, node *Node, entering bool) WalkStatus { + attrs := []string{} + switch node.Type { + case Text: + if r.Flags&Smartypants != 0 { + var tmp bytes.Buffer + escapeHTML(&tmp, node.Literal) + r.sr.Process(w, tmp.Bytes()) + } else { + if node.Parent.Type == Link { + escLink(w, node.Literal) + } else { + escapeHTML(w, node.Literal) + } + } + case Softbreak: + r.cr(w) + // TODO: make it configurable via out(renderer.softbreak) + case Hardbreak: + if r.Flags&UseXHTML == 0 { + r.out(w, brTag) + } else { + r.out(w, brXHTMLTag) + } + r.cr(w) + case Emph: + if entering { + r.out(w, emTag) + } else { + r.out(w, emCloseTag) + } + case Strong: + if entering { + r.out(w, strongTag) + } else { + r.out(w, strongCloseTag) + } + case Del: + if entering { + r.out(w, delTag) + } else { + r.out(w, delCloseTag) + } + case HTMLSpan: + if r.Flags&SkipHTML != 0 { + break + } + r.out(w, node.Literal) + case Link: + // mark it but don't link it if it is not a safe link: no smartypants + dest := node.LinkData.Destination + if needSkipLink(r.Flags, dest) { + if entering { + r.out(w, ttTag) + } else { + r.out(w, ttCloseTag) + } + } else { + if entering { + dest = r.addAbsPrefix(dest) + var hrefBuf bytes.Buffer + hrefBuf.WriteString("href=\"") + escLink(&hrefBuf, dest) + hrefBuf.WriteByte('"') + attrs = append(attrs, hrefBuf.String()) + if node.NoteID != 0 { + r.out(w, footnoteRef(r.FootnoteAnchorPrefix, node)) + break + } + attrs = appendLinkAttrs(attrs, r.Flags, dest) + if len(node.LinkData.Title) > 0 { + var titleBuff bytes.Buffer + titleBuff.WriteString("title=\"") + escapeHTML(&titleBuff, node.LinkData.Title) + titleBuff.WriteByte('"') + attrs = append(attrs, titleBuff.String()) + } + r.tag(w, aTag, attrs) + } else { + if node.NoteID != 0 { + break + } + r.out(w, aCloseTag) + } + } + case Image: + if r.Flags&SkipImages != 0 { + return SkipChildren + } + if entering { + dest := node.LinkData.Destination + dest = r.addAbsPrefix(dest) + if r.disableTags == 0 { + //if options.safe && potentiallyUnsafe(dest) { + //out(w, ``) + //} else { + r.out(w, []byte(`<img src=`)) + } + } + case Code: + r.out(w, codeTag) + escapeAllHTML(w, node.Literal) + r.out(w, codeCloseTag) + case Document: + break + case Paragraph: + if skipParagraphTags(node) { + break + } + if entering { + // TODO: untangle this clusterfuck about when the newlines need + // to be added and when not. + if node.Prev != nil { + switch node.Prev.Type { + case HTMLBlock, List, Paragraph, Heading, CodeBlock, BlockQuote, HorizontalRule: + r.cr(w) + } + } + if node.Parent.Type == BlockQuote && node.Prev == nil { + r.cr(w) + } + r.out(w, pTag) + } else { + r.out(w, pCloseTag) + if !(node.Parent.Type == Item && node.Next == nil) { + r.cr(w) + } + } + case BlockQuote: + if entering { + r.cr(w) + r.out(w, blockquoteTag) + } else { + r.out(w, blockquoteCloseTag) + r.cr(w) + } + case HTMLBlock: + if r.Flags&SkipHTML != 0 { + break + } + r.cr(w) + r.out(w, node.Literal) + r.cr(w) + case Heading: + headingLevel := r.HTMLRendererParameters.HeadingLevelOffset + node.Level + openTag, closeTag := headingTagsFromLevel(headingLevel) + if entering { + if node.IsTitleblock { + attrs = append(attrs, `class="title"`) + } + if node.HeadingID != "" { + id := r.ensureUniqueHeadingID(node.HeadingID) + if r.HeadingIDPrefix != "" { + id = r.HeadingIDPrefix + id + } + if r.HeadingIDSuffix != "" { + id = id + r.HeadingIDSuffix + } + attrs = append(attrs, fmt.Sprintf(`id="%s"`, id)) + } + r.cr(w) + r.tag(w, openTag, attrs) + } else { + r.out(w, closeTag) + if !(node.Parent.Type == Item && node.Next == nil) { + r.cr(w) + } + } + case HorizontalRule: + r.cr(w) + r.outHRTag(w) + r.cr(w) + case List: + openTag := ulTag + closeTag := ulCloseTag + if node.ListFlags&ListTypeOrdered != 0 { + openTag = olTag + closeTag = olCloseTag + } + if node.ListFlags&ListTypeDefinition != 0 { + openTag = dlTag + closeTag = dlCloseTag + } + if entering { + if node.IsFootnotesList { + r.out(w, footnotesDivBytes) + r.outHRTag(w) + r.cr(w) + } + r.cr(w) + if node.Parent.Type == Item && node.Parent.Parent.Tight { + r.cr(w) + } + r.tag(w, openTag[:len(openTag)-1], attrs) + r.cr(w) + } else { + r.out(w, closeTag) + //cr(w) + //if node.parent.Type != Item { + // cr(w) + //} + if node.Parent.Type == Item && node.Next != nil { + r.cr(w) + } + if node.Parent.Type == Document || node.Parent.Type == BlockQuote { + r.cr(w) + } + if node.IsFootnotesList { + r.out(w, footnotesCloseDivBytes) + } + } + case Item: + openTag := liTag + closeTag := liCloseTag + if node.ListFlags&ListTypeDefinition != 0 { + openTag = ddTag + closeTag = ddCloseTag + } + if node.ListFlags&ListTypeTerm != 0 { + openTag = dtTag + closeTag = dtCloseTag + } + if entering { + if itemOpenCR(node) { + r.cr(w) + } + if node.ListData.RefLink != nil { + slug := slugify(node.ListData.RefLink) + r.out(w, footnoteItem(r.FootnoteAnchorPrefix, slug)) + break + } + r.out(w, openTag) + } else { + if node.ListData.RefLink != nil { + slug := slugify(node.ListData.RefLink) + if r.Flags&FootnoteReturnLinks != 0 { + r.out(w, footnoteReturnLink(r.FootnoteAnchorPrefix, r.FootnoteReturnLinkContents, slug)) + } + } + r.out(w, closeTag) + r.cr(w) + } + case CodeBlock: + attrs = appendLanguageAttr(attrs, node.Info) + r.cr(w) + r.out(w, preTag) + r.tag(w, codeTag[:len(codeTag)-1], attrs) + escapeAllHTML(w, node.Literal) + r.out(w, codeCloseTag) + r.out(w, preCloseTag) + if node.Parent.Type != Item { + r.cr(w) + } + case Table: + if entering { + r.cr(w) + r.out(w, tableTag) + } else { + r.out(w, tableCloseTag) + r.cr(w) + } + case TableCell: + openTag := tdTag + closeTag := tdCloseTag + if node.IsHeader { + openTag = thTag + closeTag = thCloseTag + } + if entering { + align := cellAlignment(node.Align) + if align != "" { + attrs = append(attrs, fmt.Sprintf(`align="%s"`, align)) + } + if node.Prev == nil { + r.cr(w) + } + r.tag(w, openTag, attrs) + } else { + r.out(w, closeTag) + r.cr(w) + } + case TableHead: + if entering { + r.cr(w) + r.out(w, theadTag) + } else { + r.out(w, theadCloseTag) + r.cr(w) + } + case TableBody: + if entering { + r.cr(w) + r.out(w, tbodyTag) + // XXX: this is to adhere to a rather silly test. Should fix test. + if node.FirstChild == nil { + r.cr(w) + } + } else { + r.out(w, tbodyCloseTag) + r.cr(w) + } + case TableRow: + if entering { + r.cr(w) + r.out(w, trTag) + } else { + r.out(w, trCloseTag) + r.cr(w) + } + default: + panic("Unknown node type " + node.Type.String()) + } + return GoToNext +} + +// RenderHeader writes HTML document preamble and TOC if requested. +func (r *HTMLRenderer) RenderHeader(w io.Writer, ast *Node) { + r.writeDocumentHeader(w) + if r.Flags&TOC != 0 { + r.writeTOC(w, ast) + } +} + +// RenderFooter writes HTML document footer. +func (r *HTMLRenderer) RenderFooter(w io.Writer, ast *Node) { + if r.Flags&CompletePage == 0 { + return + } + io.WriteString(w, "\n\n\n") +} + +func (r *HTMLRenderer) writeDocumentHeader(w io.Writer) { + if r.Flags&CompletePage == 0 { + return + } + ending := "" + if r.Flags&UseXHTML != 0 { + io.WriteString(w, "\n") + io.WriteString(w, "\n") + ending = " /" + } else { + io.WriteString(w, "\n") + io.WriteString(w, "\n") + } + io.WriteString(w, "\n") + io.WriteString(w, " ") + if r.Flags&Smartypants != 0 { + r.sr.Process(w, []byte(r.Title)) + } else { + escapeHTML(w, []byte(r.Title)) + } + io.WriteString(w, "\n") + io.WriteString(w, " \n") + io.WriteString(w, " \n") + if r.CSS != "" { + io.WriteString(w, " \n") + } + if r.Icon != "" { + io.WriteString(w, " \n") + } + io.WriteString(w, "\n") + io.WriteString(w, "\n\n") +} + +func (r *HTMLRenderer) writeTOC(w io.Writer, ast *Node) { + buf := bytes.Buffer{} + + inHeading := false + tocLevel := 0 + headingCount := 0 + + ast.Walk(func(node *Node, entering bool) WalkStatus { + if node.Type == Heading && !node.HeadingData.IsTitleblock { + inHeading = entering + if entering { + node.HeadingID = fmt.Sprintf("toc_%d", headingCount) + if node.Level == tocLevel { + buf.WriteString("\n\n
  • ") + } else if node.Level < tocLevel { + for node.Level < tocLevel { + tocLevel-- + buf.WriteString("
    • \n") + } + buf.WriteString("\n\n
  • ") + } else { + for node.Level > tocLevel { + tocLevel++ + buf.WriteString("\n") + } + + if buf.Len() > 0 { + io.WriteString(w, "\n") + } + r.lastOutputLen = buf.Len() +} diff --git a/vendor/github.com/russross/blackfriday/v2/inline.go b/vendor/github.com/russross/blackfriday/v2/inline.go new file mode 100644 index 0000000000..d45bd94172 --- /dev/null +++ b/vendor/github.com/russross/blackfriday/v2/inline.go @@ -0,0 +1,1228 @@ +// +// Blackfriday Markdown Processor +// Available at http://github.com/russross/blackfriday +// +// Copyright © 2011 Russ Ross . +// Distributed under the Simplified BSD License. +// See README.md for details. +// + +// +// Functions to parse inline elements. +// + +package blackfriday + +import ( + "bytes" + "regexp" + "strconv" +) + +var ( + urlRe = `((https?|ftp):\/\/|\/)[-A-Za-z0-9+&@#\/%?=~_|!:,.;\(\)]+` + anchorRe = regexp.MustCompile(`^(]+")?\s?>` + urlRe + `<\/a>)`) + + // https://www.w3.org/TR/html5/syntax.html#character-references + // highest unicode code point in 17 planes (2^20): 1,114,112d = + // 7 dec digits or 6 hex digits + // named entity references can be 2-31 characters with stuff like < + // at one end and ∳ at the other. There + // are also sometimes numbers at the end, although this isn't inherent + // in the specification; there are never numbers anywhere else in + // current character references, though; see ¾ and ▒, etc. + // https://www.w3.org/TR/html5/syntax.html#named-character-references + // + // entity := "&" (named group | number ref) ";" + // named group := [a-zA-Z]{2,31}[0-9]{0,2} + // number ref := "#" (dec ref | hex ref) + // dec ref := [0-9]{1,7} + // hex ref := ("x" | "X") [0-9a-fA-F]{1,6} + htmlEntityRe = regexp.MustCompile(`&([a-zA-Z]{2,31}[0-9]{0,2}|#([0-9]{1,7}|[xX][0-9a-fA-F]{1,6}));`) +) + +// Functions to parse text within a block +// Each function returns the number of chars taken care of +// data is the complete block being rendered +// offset is the number of valid chars before the current cursor + +func (p *Markdown) inline(currBlock *Node, data []byte) { + // handlers might call us recursively: enforce a maximum depth + if p.nesting >= p.maxNesting || len(data) == 0 { + return + } + p.nesting++ + beg, end := 0, 0 + for end < len(data) { + handler := p.inlineCallback[data[end]] + if handler != nil { + if consumed, node := handler(p, data, end); consumed == 0 { + // No action from the callback. + end++ + } else { + // Copy inactive chars into the output. + currBlock.AppendChild(text(data[beg:end])) + if node != nil { + currBlock.AppendChild(node) + } + // Skip past whatever the callback used. + beg = end + consumed + end = beg + } + } else { + end++ + } + } + if beg < len(data) { + if data[end-1] == '\n' { + end-- + } + currBlock.AppendChild(text(data[beg:end])) + } + p.nesting-- +} + +// single and double emphasis parsing +func emphasis(p *Markdown, data []byte, offset int) (int, *Node) { + data = data[offset:] + c := data[0] + + if len(data) > 2 && data[1] != c { + // whitespace cannot follow an opening emphasis; + // strikethrough only takes two characters '~~' + if c == '~' || isspace(data[1]) { + return 0, nil + } + ret, node := helperEmphasis(p, data[1:], c) + if ret == 0 { + return 0, nil + } + + return ret + 1, node + } + + if len(data) > 3 && data[1] == c && data[2] != c { + if isspace(data[2]) { + return 0, nil + } + ret, node := helperDoubleEmphasis(p, data[2:], c) + if ret == 0 { + return 0, nil + } + + return ret + 2, node + } + + if len(data) > 4 && data[1] == c && data[2] == c && data[3] != c { + if c == '~' || isspace(data[3]) { + return 0, nil + } + ret, node := helperTripleEmphasis(p, data, 3, c) + if ret == 0 { + return 0, nil + } + + return ret + 3, node + } + + return 0, nil +} + +func codeSpan(p *Markdown, data []byte, offset int) (int, *Node) { + data = data[offset:] + + nb := 0 + + // count the number of backticks in the delimiter + for nb < len(data) && data[nb] == '`' { + nb++ + } + + // find the next delimiter + i, end := 0, 0 + for end = nb; end < len(data) && i < nb; end++ { + if data[end] == '`' { + i++ + } else { + i = 0 + } + } + + // no matching delimiter? + if i < nb && end >= len(data) { + return 0, nil + } + + // trim outside whitespace + fBegin := nb + for fBegin < end && data[fBegin] == ' ' { + fBegin++ + } + + fEnd := end - nb + for fEnd > fBegin && data[fEnd-1] == ' ' { + fEnd-- + } + + // render the code span + if fBegin != fEnd { + code := NewNode(Code) + code.Literal = data[fBegin:fEnd] + return end, code + } + + return end, nil +} + +// newline preceded by two spaces becomes
    +func maybeLineBreak(p *Markdown, data []byte, offset int) (int, *Node) { + origOffset := offset + for offset < len(data) && data[offset] == ' ' { + offset++ + } + + if offset < len(data) && data[offset] == '\n' { + if offset-origOffset >= 2 { + return offset - origOffset + 1, NewNode(Hardbreak) + } + return offset - origOffset, nil + } + return 0, nil +} + +// newline without two spaces works when HardLineBreak is enabled +func lineBreak(p *Markdown, data []byte, offset int) (int, *Node) { + if p.extensions&HardLineBreak != 0 { + return 1, NewNode(Hardbreak) + } + return 0, nil +} + +type linkType int + +const ( + linkNormal linkType = iota + linkImg + linkDeferredFootnote + linkInlineFootnote +) + +func isReferenceStyleLink(data []byte, pos int, t linkType) bool { + if t == linkDeferredFootnote { + return false + } + return pos < len(data)-1 && data[pos] == '[' && data[pos+1] != '^' +} + +func maybeImage(p *Markdown, data []byte, offset int) (int, *Node) { + if offset < len(data)-1 && data[offset+1] == '[' { + return link(p, data, offset) + } + return 0, nil +} + +func maybeInlineFootnote(p *Markdown, data []byte, offset int) (int, *Node) { + if offset < len(data)-1 && data[offset+1] == '[' { + return link(p, data, offset) + } + return 0, nil +} + +// '[': parse a link or an image or a footnote +func link(p *Markdown, data []byte, offset int) (int, *Node) { + // no links allowed inside regular links, footnote, and deferred footnotes + if p.insideLink && (offset > 0 && data[offset-1] == '[' || len(data)-1 > offset && data[offset+1] == '^') { + return 0, nil + } + + var t linkType + switch { + // special case: ![^text] == deferred footnote (that follows something with + // an exclamation point) + case p.extensions&Footnotes != 0 && len(data)-1 > offset && data[offset+1] == '^': + t = linkDeferredFootnote + // ![alt] == image + case offset >= 0 && data[offset] == '!': + t = linkImg + offset++ + // ^[text] == inline footnote + // [^refId] == deferred footnote + case p.extensions&Footnotes != 0: + if offset >= 0 && data[offset] == '^' { + t = linkInlineFootnote + offset++ + } else if len(data)-1 > offset && data[offset+1] == '^' { + t = linkDeferredFootnote + } + // [text] == regular link + default: + t = linkNormal + } + + data = data[offset:] + + var ( + i = 1 + noteID int + title, link, altContent []byte + textHasNl = false + ) + + if t == linkDeferredFootnote { + i++ + } + + // look for the matching closing bracket + for level := 1; level > 0 && i < len(data); i++ { + switch { + case data[i] == '\n': + textHasNl = true + + case isBackslashEscaped(data, i): + continue + + case data[i] == '[': + level++ + + case data[i] == ']': + level-- + if level <= 0 { + i-- // compensate for extra i++ in for loop + } + } + } + + if i >= len(data) { + return 0, nil + } + + txtE := i + i++ + var footnoteNode *Node + + // skip any amount of whitespace or newline + // (this is much more lax than original markdown syntax) + for i < len(data) && isspace(data[i]) { + i++ + } + + // inline style link + switch { + case i < len(data) && data[i] == '(': + // skip initial whitespace + i++ + + for i < len(data) && isspace(data[i]) { + i++ + } + + linkB := i + + // look for link end: ' " ) + findlinkend: + for i < len(data) { + switch { + case data[i] == '\\': + i += 2 + + case data[i] == ')' || data[i] == '\'' || data[i] == '"': + break findlinkend + + default: + i++ + } + } + + if i >= len(data) { + return 0, nil + } + linkE := i + + // look for title end if present + titleB, titleE := 0, 0 + if data[i] == '\'' || data[i] == '"' { + i++ + titleB = i + + findtitleend: + for i < len(data) { + switch { + case data[i] == '\\': + i += 2 + + case data[i] == ')': + break findtitleend + + default: + i++ + } + } + + if i >= len(data) { + return 0, nil + } + + // skip whitespace after title + titleE = i - 1 + for titleE > titleB && isspace(data[titleE]) { + titleE-- + } + + // check for closing quote presence + if data[titleE] != '\'' && data[titleE] != '"' { + titleB, titleE = 0, 0 + linkE = i + } + } + + // remove whitespace at the end of the link + for linkE > linkB && isspace(data[linkE-1]) { + linkE-- + } + + // remove optional angle brackets around the link + if data[linkB] == '<' { + linkB++ + } + if data[linkE-1] == '>' { + linkE-- + } + + // build escaped link and title + if linkE > linkB { + link = data[linkB:linkE] + } + + if titleE > titleB { + title = data[titleB:titleE] + } + + i++ + + // reference style link + case isReferenceStyleLink(data, i, t): + var id []byte + altContentConsidered := false + + // look for the id + i++ + linkB := i + for i < len(data) && data[i] != ']' { + i++ + } + if i >= len(data) { + return 0, nil + } + linkE := i + + // find the reference + if linkB == linkE { + if textHasNl { + var b bytes.Buffer + + for j := 1; j < txtE; j++ { + switch { + case data[j] != '\n': + b.WriteByte(data[j]) + case data[j-1] != ' ': + b.WriteByte(' ') + } + } + + id = b.Bytes() + } else { + id = data[1:txtE] + altContentConsidered = true + } + } else { + id = data[linkB:linkE] + } + + // find the reference with matching id + lr, ok := p.getRef(string(id)) + if !ok { + return 0, nil + } + + // keep link and title from reference + link = lr.link + title = lr.title + if altContentConsidered { + altContent = lr.text + } + i++ + + // shortcut reference style link or reference or inline footnote + default: + var id []byte + + // craft the id + if textHasNl { + var b bytes.Buffer + + for j := 1; j < txtE; j++ { + switch { + case data[j] != '\n': + b.WriteByte(data[j]) + case data[j-1] != ' ': + b.WriteByte(' ') + } + } + + id = b.Bytes() + } else { + if t == linkDeferredFootnote { + id = data[2:txtE] // get rid of the ^ + } else { + id = data[1:txtE] + } + } + + footnoteNode = NewNode(Item) + if t == linkInlineFootnote { + // create a new reference + noteID = len(p.notes) + 1 + + var fragment []byte + if len(id) > 0 { + if len(id) < 16 { + fragment = make([]byte, len(id)) + } else { + fragment = make([]byte, 16) + } + copy(fragment, slugify(id)) + } else { + fragment = append([]byte("footnote-"), []byte(strconv.Itoa(noteID))...) + } + + ref := &reference{ + noteID: noteID, + hasBlock: false, + link: fragment, + title: id, + footnote: footnoteNode, + } + + p.notes = append(p.notes, ref) + + link = ref.link + title = ref.title + } else { + // find the reference with matching id + lr, ok := p.getRef(string(id)) + if !ok { + return 0, nil + } + + if t == linkDeferredFootnote { + lr.noteID = len(p.notes) + 1 + lr.footnote = footnoteNode + p.notes = append(p.notes, lr) + } + + // keep link and title from reference + link = lr.link + // if inline footnote, title == footnote contents + title = lr.title + noteID = lr.noteID + } + + // rewind the whitespace + i = txtE + 1 + } + + var uLink []byte + if t == linkNormal || t == linkImg { + if len(link) > 0 { + var uLinkBuf bytes.Buffer + unescapeText(&uLinkBuf, link) + uLink = uLinkBuf.Bytes() + } + + // links need something to click on and somewhere to go + if len(uLink) == 0 || (t == linkNormal && txtE <= 1) { + return 0, nil + } + } + + // call the relevant rendering function + var linkNode *Node + switch t { + case linkNormal: + linkNode = NewNode(Link) + linkNode.Destination = normalizeURI(uLink) + linkNode.Title = title + if len(altContent) > 0 { + linkNode.AppendChild(text(altContent)) + } else { + // links cannot contain other links, so turn off link parsing + // temporarily and recurse + insideLink := p.insideLink + p.insideLink = true + p.inline(linkNode, data[1:txtE]) + p.insideLink = insideLink + } + + case linkImg: + linkNode = NewNode(Image) + linkNode.Destination = uLink + linkNode.Title = title + linkNode.AppendChild(text(data[1:txtE])) + i++ + + case linkInlineFootnote, linkDeferredFootnote: + linkNode = NewNode(Link) + linkNode.Destination = link + linkNode.Title = title + linkNode.NoteID = noteID + linkNode.Footnote = footnoteNode + if t == linkInlineFootnote { + i++ + } + + default: + return 0, nil + } + + return i, linkNode +} + +func (p *Markdown) inlineHTMLComment(data []byte) int { + if len(data) < 5 { + return 0 + } + if data[0] != '<' || data[1] != '!' || data[2] != '-' || data[3] != '-' { + return 0 + } + i := 5 + // scan for an end-of-comment marker, across lines if necessary + for i < len(data) && !(data[i-2] == '-' && data[i-1] == '-' && data[i] == '>') { + i++ + } + // no end-of-comment marker + if i >= len(data) { + return 0 + } + return i + 1 +} + +func stripMailto(link []byte) []byte { + if bytes.HasPrefix(link, []byte("mailto://")) { + return link[9:] + } else if bytes.HasPrefix(link, []byte("mailto:")) { + return link[7:] + } else { + return link + } +} + +// autolinkType specifies a kind of autolink that gets detected. +type autolinkType int + +// These are the possible flag values for the autolink renderer. +const ( + notAutolink autolinkType = iota + normalAutolink + emailAutolink +) + +// '<' when tags or autolinks are allowed +func leftAngle(p *Markdown, data []byte, offset int) (int, *Node) { + data = data[offset:] + altype, end := tagLength(data) + if size := p.inlineHTMLComment(data); size > 0 { + end = size + } + if end > 2 { + if altype != notAutolink { + var uLink bytes.Buffer + unescapeText(&uLink, data[1:end+1-2]) + if uLink.Len() > 0 { + link := uLink.Bytes() + node := NewNode(Link) + node.Destination = link + if altype == emailAutolink { + node.Destination = append([]byte("mailto:"), link...) + } + node.AppendChild(text(stripMailto(link))) + return end, node + } + } else { + htmlTag := NewNode(HTMLSpan) + htmlTag.Literal = data[:end] + return end, htmlTag + } + } + + return end, nil +} + +// '\\' backslash escape +var escapeChars = []byte("\\`*_{}[]()#+-.!:|&<>~") + +func escape(p *Markdown, data []byte, offset int) (int, *Node) { + data = data[offset:] + + if len(data) > 1 { + if p.extensions&BackslashLineBreak != 0 && data[1] == '\n' { + return 2, NewNode(Hardbreak) + } + if bytes.IndexByte(escapeChars, data[1]) < 0 { + return 0, nil + } + + return 2, text(data[1:2]) + } + + return 2, nil +} + +func unescapeText(ob *bytes.Buffer, src []byte) { + i := 0 + for i < len(src) { + org := i + for i < len(src) && src[i] != '\\' { + i++ + } + + if i > org { + ob.Write(src[org:i]) + } + + if i+1 >= len(src) { + break + } + + ob.WriteByte(src[i+1]) + i += 2 + } +} + +// '&' escaped when it doesn't belong to an entity +// valid entities are assumed to be anything matching &#?[A-Za-z0-9]+; +func entity(p *Markdown, data []byte, offset int) (int, *Node) { + data = data[offset:] + + end := 1 + + if end < len(data) && data[end] == '#' { + end++ + } + + for end < len(data) && isalnum(data[end]) { + end++ + } + + if end < len(data) && data[end] == ';' { + end++ // real entity + } else { + return 0, nil // lone '&' + } + + ent := data[:end] + // undo & escaping or it will be converted to &amp; by another + // escaper in the renderer + if bytes.Equal(ent, []byte("&")) { + ent = []byte{'&'} + } + + return end, text(ent) +} + +func linkEndsWithEntity(data []byte, linkEnd int) bool { + entityRanges := htmlEntityRe.FindAllIndex(data[:linkEnd], -1) + return entityRanges != nil && entityRanges[len(entityRanges)-1][1] == linkEnd +} + +// hasPrefixCaseInsensitive is a custom implementation of +// strings.HasPrefix(strings.ToLower(s), prefix) +// we rolled our own because ToLower pulls in a huge machinery of lowercasing +// anything from Unicode and that's very slow. Since this func will only be +// used on ASCII protocol prefixes, we can take shortcuts. +func hasPrefixCaseInsensitive(s, prefix []byte) bool { + if len(s) < len(prefix) { + return false + } + delta := byte('a' - 'A') + for i, b := range prefix { + if b != s[i] && b != s[i]+delta { + return false + } + } + return true +} + +var protocolPrefixes = [][]byte{ + []byte("http://"), + []byte("https://"), + []byte("ftp://"), + []byte("file://"), + []byte("mailto:"), +} + +const shortestPrefix = 6 // len("ftp://"), the shortest of the above + +func maybeAutoLink(p *Markdown, data []byte, offset int) (int, *Node) { + // quick check to rule out most false hits + if p.insideLink || len(data) < offset+shortestPrefix { + return 0, nil + } + for _, prefix := range protocolPrefixes { + endOfHead := offset + 8 // 8 is the len() of the longest prefix + if endOfHead > len(data) { + endOfHead = len(data) + } + if hasPrefixCaseInsensitive(data[offset:endOfHead], prefix) { + return autoLink(p, data, offset) + } + } + return 0, nil +} + +func autoLink(p *Markdown, data []byte, offset int) (int, *Node) { + // Now a more expensive check to see if we're not inside an anchor element + anchorStart := offset + offsetFromAnchor := 0 + for anchorStart > 0 && data[anchorStart] != '<' { + anchorStart-- + offsetFromAnchor++ + } + + anchorStr := anchorRe.Find(data[anchorStart:]) + if anchorStr != nil { + anchorClose := NewNode(HTMLSpan) + anchorClose.Literal = anchorStr[offsetFromAnchor:] + return len(anchorStr) - offsetFromAnchor, anchorClose + } + + // scan backward for a word boundary + rewind := 0 + for offset-rewind > 0 && rewind <= 7 && isletter(data[offset-rewind-1]) { + rewind++ + } + if rewind > 6 { // longest supported protocol is "mailto" which has 6 letters + return 0, nil + } + + origData := data + data = data[offset-rewind:] + + if !isSafeLink(data) { + return 0, nil + } + + linkEnd := 0 + for linkEnd < len(data) && !isEndOfLink(data[linkEnd]) { + linkEnd++ + } + + // Skip punctuation at the end of the link + if (data[linkEnd-1] == '.' || data[linkEnd-1] == ',') && data[linkEnd-2] != '\\' { + linkEnd-- + } + + // But don't skip semicolon if it's a part of escaped entity: + if data[linkEnd-1] == ';' && data[linkEnd-2] != '\\' && !linkEndsWithEntity(data, linkEnd) { + linkEnd-- + } + + // See if the link finishes with a punctuation sign that can be closed. + var copen byte + switch data[linkEnd-1] { + case '"': + copen = '"' + case '\'': + copen = '\'' + case ')': + copen = '(' + case ']': + copen = '[' + case '}': + copen = '{' + default: + copen = 0 + } + + if copen != 0 { + bufEnd := offset - rewind + linkEnd - 2 + + openDelim := 1 + + /* Try to close the final punctuation sign in this same line; + * if we managed to close it outside of the URL, that means that it's + * not part of the URL. If it closes inside the URL, that means it + * is part of the URL. + * + * Examples: + * + * foo http://www.pokemon.com/Pikachu_(Electric) bar + * => http://www.pokemon.com/Pikachu_(Electric) + * + * foo (http://www.pokemon.com/Pikachu_(Electric)) bar + * => http://www.pokemon.com/Pikachu_(Electric) + * + * foo http://www.pokemon.com/Pikachu_(Electric)) bar + * => http://www.pokemon.com/Pikachu_(Electric)) + * + * (foo http://www.pokemon.com/Pikachu_(Electric)) bar + * => foo http://www.pokemon.com/Pikachu_(Electric) + */ + + for bufEnd >= 0 && origData[bufEnd] != '\n' && openDelim != 0 { + if origData[bufEnd] == data[linkEnd-1] { + openDelim++ + } + + if origData[bufEnd] == copen { + openDelim-- + } + + bufEnd-- + } + + if openDelim == 0 { + linkEnd-- + } + } + + var uLink bytes.Buffer + unescapeText(&uLink, data[:linkEnd]) + + if uLink.Len() > 0 { + node := NewNode(Link) + node.Destination = uLink.Bytes() + node.AppendChild(text(uLink.Bytes())) + return linkEnd, node + } + + return linkEnd, nil +} + +func isEndOfLink(char byte) bool { + return isspace(char) || char == '<' +} + +var validUris = [][]byte{[]byte("http://"), []byte("https://"), []byte("ftp://"), []byte("mailto://")} +var validPaths = [][]byte{[]byte("/"), []byte("./"), []byte("../")} + +func isSafeLink(link []byte) bool { + for _, path := range validPaths { + if len(link) >= len(path) && bytes.Equal(link[:len(path)], path) { + if len(link) == len(path) { + return true + } else if isalnum(link[len(path)]) { + return true + } + } + } + + for _, prefix := range validUris { + // TODO: handle unicode here + // case-insensitive prefix test + if len(link) > len(prefix) && bytes.Equal(bytes.ToLower(link[:len(prefix)]), prefix) && isalnum(link[len(prefix)]) { + return true + } + } + + return false +} + +// return the length of the given tag, or 0 is it's not valid +func tagLength(data []byte) (autolink autolinkType, end int) { + var i, j int + + // a valid tag can't be shorter than 3 chars + if len(data) < 3 { + return notAutolink, 0 + } + + // begins with a '<' optionally followed by '/', followed by letter or number + if data[0] != '<' { + return notAutolink, 0 + } + if data[1] == '/' { + i = 2 + } else { + i = 1 + } + + if !isalnum(data[i]) { + return notAutolink, 0 + } + + // scheme test + autolink = notAutolink + + // try to find the beginning of an URI + for i < len(data) && (isalnum(data[i]) || data[i] == '.' || data[i] == '+' || data[i] == '-') { + i++ + } + + if i > 1 && i < len(data) && data[i] == '@' { + if j = isMailtoAutoLink(data[i:]); j != 0 { + return emailAutolink, i + j + } + } + + if i > 2 && i < len(data) && data[i] == ':' { + autolink = normalAutolink + i++ + } + + // complete autolink test: no whitespace or ' or " + switch { + case i >= len(data): + autolink = notAutolink + case autolink != notAutolink: + j = i + + for i < len(data) { + if data[i] == '\\' { + i += 2 + } else if data[i] == '>' || data[i] == '\'' || data[i] == '"' || isspace(data[i]) { + break + } else { + i++ + } + + } + + if i >= len(data) { + return autolink, 0 + } + if i > j && data[i] == '>' { + return autolink, i + 1 + } + + // one of the forbidden chars has been found + autolink = notAutolink + } + i += bytes.IndexByte(data[i:], '>') + if i < 0 { + return autolink, 0 + } + return autolink, i + 1 +} + +// look for the address part of a mail autolink and '>' +// this is less strict than the original markdown e-mail address matching +func isMailtoAutoLink(data []byte) int { + nb := 0 + + // address is assumed to be: [-@._a-zA-Z0-9]+ with exactly one '@' + for i := 0; i < len(data); i++ { + if isalnum(data[i]) { + continue + } + + switch data[i] { + case '@': + nb++ + + case '-', '.', '_': + break + + case '>': + if nb == 1 { + return i + 1 + } + return 0 + default: + return 0 + } + } + + return 0 +} + +// look for the next emph char, skipping other constructs +func helperFindEmphChar(data []byte, c byte) int { + i := 0 + + for i < len(data) { + for i < len(data) && data[i] != c && data[i] != '`' && data[i] != '[' { + i++ + } + if i >= len(data) { + return 0 + } + // do not count escaped chars + if i != 0 && data[i-1] == '\\' { + i++ + continue + } + if data[i] == c { + return i + } + + if data[i] == '`' { + // skip a code span + tmpI := 0 + i++ + for i < len(data) && data[i] != '`' { + if tmpI == 0 && data[i] == c { + tmpI = i + } + i++ + } + if i >= len(data) { + return tmpI + } + i++ + } else if data[i] == '[' { + // skip a link + tmpI := 0 + i++ + for i < len(data) && data[i] != ']' { + if tmpI == 0 && data[i] == c { + tmpI = i + } + i++ + } + i++ + for i < len(data) && (data[i] == ' ' || data[i] == '\n') { + i++ + } + if i >= len(data) { + return tmpI + } + if data[i] != '[' && data[i] != '(' { // not a link + if tmpI > 0 { + return tmpI + } + continue + } + cc := data[i] + i++ + for i < len(data) && data[i] != cc { + if tmpI == 0 && data[i] == c { + return i + } + i++ + } + if i >= len(data) { + return tmpI + } + i++ + } + } + return 0 +} + +func helperEmphasis(p *Markdown, data []byte, c byte) (int, *Node) { + i := 0 + + // skip one symbol if coming from emph3 + if len(data) > 1 && data[0] == c && data[1] == c { + i = 1 + } + + for i < len(data) { + length := helperFindEmphChar(data[i:], c) + if length == 0 { + return 0, nil + } + i += length + if i >= len(data) { + return 0, nil + } + + if i+1 < len(data) && data[i+1] == c { + i++ + continue + } + + if data[i] == c && !isspace(data[i-1]) { + + if p.extensions&NoIntraEmphasis != 0 { + if !(i+1 == len(data) || isspace(data[i+1]) || ispunct(data[i+1])) { + continue + } + } + + emph := NewNode(Emph) + p.inline(emph, data[:i]) + return i + 1, emph + } + } + + return 0, nil +} + +func helperDoubleEmphasis(p *Markdown, data []byte, c byte) (int, *Node) { + i := 0 + + for i < len(data) { + length := helperFindEmphChar(data[i:], c) + if length == 0 { + return 0, nil + } + i += length + + if i+1 < len(data) && data[i] == c && data[i+1] == c && i > 0 && !isspace(data[i-1]) { + nodeType := Strong + if c == '~' { + nodeType = Del + } + node := NewNode(nodeType) + p.inline(node, data[:i]) + return i + 2, node + } + i++ + } + return 0, nil +} + +func helperTripleEmphasis(p *Markdown, data []byte, offset int, c byte) (int, *Node) { + i := 0 + origData := data + data = data[offset:] + + for i < len(data) { + length := helperFindEmphChar(data[i:], c) + if length == 0 { + return 0, nil + } + i += length + + // skip whitespace preceded symbols + if data[i] != c || isspace(data[i-1]) { + continue + } + + switch { + case i+2 < len(data) && data[i+1] == c && data[i+2] == c: + // triple symbol found + strong := NewNode(Strong) + em := NewNode(Emph) + strong.AppendChild(em) + p.inline(em, data[:i]) + return i + 3, strong + case (i+1 < len(data) && data[i+1] == c): + // double symbol found, hand over to emph1 + length, node := helperEmphasis(p, origData[offset-2:], c) + if length == 0 { + return 0, nil + } + return length - 2, node + default: + // single symbol found, hand over to emph2 + length, node := helperDoubleEmphasis(p, origData[offset-1:], c) + if length == 0 { + return 0, nil + } + return length - 1, node + } + } + return 0, nil +} + +func text(s []byte) *Node { + node := NewNode(Text) + node.Literal = s + return node +} + +func normalizeURI(s []byte) []byte { + return s // TODO: implement +} diff --git a/vendor/github.com/russross/blackfriday/v2/markdown.go b/vendor/github.com/russross/blackfriday/v2/markdown.go new file mode 100644 index 0000000000..58d2e4538c --- /dev/null +++ b/vendor/github.com/russross/blackfriday/v2/markdown.go @@ -0,0 +1,950 @@ +// Blackfriday Markdown Processor +// Available at http://github.com/russross/blackfriday +// +// Copyright © 2011 Russ Ross . +// Distributed under the Simplified BSD License. +// See README.md for details. + +package blackfriday + +import ( + "bytes" + "fmt" + "io" + "strings" + "unicode/utf8" +) + +// +// Markdown parsing and processing +// + +// Version string of the package. Appears in the rendered document when +// CompletePage flag is on. +const Version = "2.0" + +// Extensions is a bitwise or'ed collection of enabled Blackfriday's +// extensions. +type Extensions int + +// These are the supported markdown parsing extensions. +// OR these values together to select multiple extensions. +const ( + NoExtensions Extensions = 0 + NoIntraEmphasis Extensions = 1 << iota // Ignore emphasis markers inside words + Tables // Render tables + FencedCode // Render fenced code blocks + Autolink // Detect embedded URLs that are not explicitly marked + Strikethrough // Strikethrough text using ~~test~~ + LaxHTMLBlocks // Loosen up HTML block parsing rules + SpaceHeadings // Be strict about prefix heading rules + HardLineBreak // Translate newlines into line breaks + TabSizeEight // Expand tabs to eight spaces instead of four + Footnotes // Pandoc-style footnotes + NoEmptyLineBeforeBlock // No need to insert an empty line to start a (code, quote, ordered list, unordered list) block + HeadingIDs // specify heading IDs with {#id} + Titleblock // Titleblock ala pandoc + AutoHeadingIDs // Create the heading ID from the text + BackslashLineBreak // Translate trailing backslashes into line breaks + DefinitionLists // Render definition lists + + CommonHTMLFlags HTMLFlags = UseXHTML | Smartypants | + SmartypantsFractions | SmartypantsDashes | SmartypantsLatexDashes + + CommonExtensions Extensions = NoIntraEmphasis | Tables | FencedCode | + Autolink | Strikethrough | SpaceHeadings | HeadingIDs | + BackslashLineBreak | DefinitionLists +) + +// ListType contains bitwise or'ed flags for list and list item objects. +type ListType int + +// These are the possible flag values for the ListItem renderer. +// Multiple flag values may be ORed together. +// These are mostly of interest if you are writing a new output format. +const ( + ListTypeOrdered ListType = 1 << iota + ListTypeDefinition + ListTypeTerm + + ListItemContainsBlock + ListItemBeginningOfList // TODO: figure out if this is of any use now + ListItemEndOfList +) + +// CellAlignFlags holds a type of alignment in a table cell. +type CellAlignFlags int + +// These are the possible flag values for the table cell renderer. +// Only a single one of these values will be used; they are not ORed together. +// These are mostly of interest if you are writing a new output format. +const ( + TableAlignmentLeft CellAlignFlags = 1 << iota + TableAlignmentRight + TableAlignmentCenter = (TableAlignmentLeft | TableAlignmentRight) +) + +// The size of a tab stop. +const ( + TabSizeDefault = 4 + TabSizeDouble = 8 +) + +// blockTags is a set of tags that are recognized as HTML block tags. +// Any of these can be included in markdown text without special escaping. +var blockTags = map[string]struct{}{ + "blockquote": {}, + "del": {}, + "div": {}, + "dl": {}, + "fieldset": {}, + "form": {}, + "h1": {}, + "h2": {}, + "h3": {}, + "h4": {}, + "h5": {}, + "h6": {}, + "iframe": {}, + "ins": {}, + "math": {}, + "noscript": {}, + "ol": {}, + "pre": {}, + "p": {}, + "script": {}, + "style": {}, + "table": {}, + "ul": {}, + + // HTML5 + "address": {}, + "article": {}, + "aside": {}, + "canvas": {}, + "figcaption": {}, + "figure": {}, + "footer": {}, + "header": {}, + "hgroup": {}, + "main": {}, + "nav": {}, + "output": {}, + "progress": {}, + "section": {}, + "video": {}, +} + +// Renderer is the rendering interface. This is mostly of interest if you are +// implementing a new rendering format. +// +// Only an HTML implementation is provided in this repository, see the README +// for external implementations. +type Renderer interface { + // RenderNode is the main rendering method. It will be called once for + // every leaf node and twice for every non-leaf node (first with + // entering=true, then with entering=false). The method should write its + // rendition of the node to the supplied writer w. + RenderNode(w io.Writer, node *Node, entering bool) WalkStatus + + // RenderHeader is a method that allows the renderer to produce some + // content preceding the main body of the output document. The header is + // understood in the broad sense here. For example, the default HTML + // renderer will write not only the HTML document preamble, but also the + // table of contents if it was requested. + // + // The method will be passed an entire document tree, in case a particular + // implementation needs to inspect it to produce output. + // + // The output should be written to the supplied writer w. If your + // implementation has no header to write, supply an empty implementation. + RenderHeader(w io.Writer, ast *Node) + + // RenderFooter is a symmetric counterpart of RenderHeader. + RenderFooter(w io.Writer, ast *Node) +} + +// Callback functions for inline parsing. One such function is defined +// for each character that triggers a response when parsing inline data. +type inlineParser func(p *Markdown, data []byte, offset int) (int, *Node) + +// Markdown is a type that holds extensions and the runtime state used by +// Parse, and the renderer. You can not use it directly, construct it with New. +type Markdown struct { + renderer Renderer + referenceOverride ReferenceOverrideFunc + refs map[string]*reference + inlineCallback [256]inlineParser + extensions Extensions + nesting int + maxNesting int + insideLink bool + + // Footnotes need to be ordered as well as available to quickly check for + // presence. If a ref is also a footnote, it's stored both in refs and here + // in notes. Slice is nil if footnotes not enabled. + notes []*reference + + doc *Node + tip *Node // = doc + oldTip *Node + lastMatchedContainer *Node // = doc + allClosed bool +} + +func (p *Markdown) getRef(refid string) (ref *reference, found bool) { + if p.referenceOverride != nil { + r, overridden := p.referenceOverride(refid) + if overridden { + if r == nil { + return nil, false + } + return &reference{ + link: []byte(r.Link), + title: []byte(r.Title), + noteID: 0, + hasBlock: false, + text: []byte(r.Text)}, true + } + } + // refs are case insensitive + ref, found = p.refs[strings.ToLower(refid)] + return ref, found +} + +func (p *Markdown) finalize(block *Node) { + above := block.Parent + block.open = false + p.tip = above +} + +func (p *Markdown) addChild(node NodeType, offset uint32) *Node { + return p.addExistingChild(NewNode(node), offset) +} + +func (p *Markdown) addExistingChild(node *Node, offset uint32) *Node { + for !p.tip.canContain(node.Type) { + p.finalize(p.tip) + } + p.tip.AppendChild(node) + p.tip = node + return node +} + +func (p *Markdown) closeUnmatchedBlocks() { + if !p.allClosed { + for p.oldTip != p.lastMatchedContainer { + parent := p.oldTip.Parent + p.finalize(p.oldTip) + p.oldTip = parent + } + p.allClosed = true + } +} + +// +// +// Public interface +// +// + +// Reference represents the details of a link. +// See the documentation in Options for more details on use-case. +type Reference struct { + // Link is usually the URL the reference points to. + Link string + // Title is the alternate text describing the link in more detail. + Title string + // Text is the optional text to override the ref with if the syntax used was + // [refid][] + Text string +} + +// ReferenceOverrideFunc is expected to be called with a reference string and +// return either a valid Reference type that the reference string maps to or +// nil. If overridden is false, the default reference logic will be executed. +// See the documentation in Options for more details on use-case. +type ReferenceOverrideFunc func(reference string) (ref *Reference, overridden bool) + +// New constructs a Markdown processor. You can use the same With* functions as +// for Run() to customize parser's behavior and the renderer. +func New(opts ...Option) *Markdown { + var p Markdown + for _, opt := range opts { + opt(&p) + } + p.refs = make(map[string]*reference) + p.maxNesting = 16 + p.insideLink = false + docNode := NewNode(Document) + p.doc = docNode + p.tip = docNode + p.oldTip = docNode + p.lastMatchedContainer = docNode + p.allClosed = true + // register inline parsers + p.inlineCallback[' '] = maybeLineBreak + p.inlineCallback['*'] = emphasis + p.inlineCallback['_'] = emphasis + if p.extensions&Strikethrough != 0 { + p.inlineCallback['~'] = emphasis + } + p.inlineCallback['`'] = codeSpan + p.inlineCallback['\n'] = lineBreak + p.inlineCallback['['] = link + p.inlineCallback['<'] = leftAngle + p.inlineCallback['\\'] = escape + p.inlineCallback['&'] = entity + p.inlineCallback['!'] = maybeImage + p.inlineCallback['^'] = maybeInlineFootnote + if p.extensions&Autolink != 0 { + p.inlineCallback['h'] = maybeAutoLink + p.inlineCallback['m'] = maybeAutoLink + p.inlineCallback['f'] = maybeAutoLink + p.inlineCallback['H'] = maybeAutoLink + p.inlineCallback['M'] = maybeAutoLink + p.inlineCallback['F'] = maybeAutoLink + } + if p.extensions&Footnotes != 0 { + p.notes = make([]*reference, 0) + } + return &p +} + +// Option customizes the Markdown processor's default behavior. +type Option func(*Markdown) + +// WithRenderer allows you to override the default renderer. +func WithRenderer(r Renderer) Option { + return func(p *Markdown) { + p.renderer = r + } +} + +// WithExtensions allows you to pick some of the many extensions provided by +// Blackfriday. You can bitwise OR them. +func WithExtensions(e Extensions) Option { + return func(p *Markdown) { + p.extensions = e + } +} + +// WithNoExtensions turns off all extensions and custom behavior. +func WithNoExtensions() Option { + return func(p *Markdown) { + p.extensions = NoExtensions + p.renderer = NewHTMLRenderer(HTMLRendererParameters{ + Flags: HTMLFlagsNone, + }) + } +} + +// WithRefOverride sets an optional function callback that is called every +// time a reference is resolved. +// +// In Markdown, the link reference syntax can be made to resolve a link to +// a reference instead of an inline URL, in one of the following ways: +// +// * [link text][refid] +// * [refid][] +// +// Usually, the refid is defined at the bottom of the Markdown document. If +// this override function is provided, the refid is passed to the override +// function first, before consulting the defined refids at the bottom. If +// the override function indicates an override did not occur, the refids at +// the bottom will be used to fill in the link details. +func WithRefOverride(o ReferenceOverrideFunc) Option { + return func(p *Markdown) { + p.referenceOverride = o + } +} + +// Run is the main entry point to Blackfriday. It parses and renders a +// block of markdown-encoded text. +// +// The simplest invocation of Run takes one argument, input: +// output := Run(input) +// This will parse the input with CommonExtensions enabled and render it with +// the default HTMLRenderer (with CommonHTMLFlags). +// +// Variadic arguments opts can customize the default behavior. Since Markdown +// type does not contain exported fields, you can not use it directly. Instead, +// use the With* functions. For example, this will call the most basic +// functionality, with no extensions: +// output := Run(input, WithNoExtensions()) +// +// You can use any number of With* arguments, even contradicting ones. They +// will be applied in order of appearance and the latter will override the +// former: +// output := Run(input, WithNoExtensions(), WithExtensions(exts), +// WithRenderer(yourRenderer)) +func Run(input []byte, opts ...Option) []byte { + r := NewHTMLRenderer(HTMLRendererParameters{ + Flags: CommonHTMLFlags, + }) + optList := []Option{WithRenderer(r), WithExtensions(CommonExtensions)} + optList = append(optList, opts...) + parser := New(optList...) + ast := parser.Parse(input) + var buf bytes.Buffer + parser.renderer.RenderHeader(&buf, ast) + ast.Walk(func(node *Node, entering bool) WalkStatus { + return parser.renderer.RenderNode(&buf, node, entering) + }) + parser.renderer.RenderFooter(&buf, ast) + return buf.Bytes() +} + +// Parse is an entry point to the parsing part of Blackfriday. It takes an +// input markdown document and produces a syntax tree for its contents. This +// tree can then be rendered with a default or custom renderer, or +// analyzed/transformed by the caller to whatever non-standard needs they have. +// The return value is the root node of the syntax tree. +func (p *Markdown) Parse(input []byte) *Node { + p.block(input) + // Walk the tree and finish up some of unfinished blocks + for p.tip != nil { + p.finalize(p.tip) + } + // Walk the tree again and process inline markdown in each block + p.doc.Walk(func(node *Node, entering bool) WalkStatus { + if node.Type == Paragraph || node.Type == Heading || node.Type == TableCell { + p.inline(node, node.content) + node.content = nil + } + return GoToNext + }) + p.parseRefsToAST() + return p.doc +} + +func (p *Markdown) parseRefsToAST() { + if p.extensions&Footnotes == 0 || len(p.notes) == 0 { + return + } + p.tip = p.doc + block := p.addBlock(List, nil) + block.IsFootnotesList = true + block.ListFlags = ListTypeOrdered + flags := ListItemBeginningOfList + // Note: this loop is intentionally explicit, not range-form. This is + // because the body of the loop will append nested footnotes to p.notes and + // we need to process those late additions. Range form would only walk over + // the fixed initial set. + for i := 0; i < len(p.notes); i++ { + ref := p.notes[i] + p.addExistingChild(ref.footnote, 0) + block := ref.footnote + block.ListFlags = flags | ListTypeOrdered + block.RefLink = ref.link + if ref.hasBlock { + flags |= ListItemContainsBlock + p.block(ref.title) + } else { + p.inline(block, ref.title) + } + flags &^= ListItemBeginningOfList | ListItemContainsBlock + } + above := block.Parent + finalizeList(block) + p.tip = above + block.Walk(func(node *Node, entering bool) WalkStatus { + if node.Type == Paragraph || node.Type == Heading { + p.inline(node, node.content) + node.content = nil + } + return GoToNext + }) +} + +// +// Link references +// +// This section implements support for references that (usually) appear +// as footnotes in a document, and can be referenced anywhere in the document. +// The basic format is: +// +// [1]: http://www.google.com/ "Google" +// [2]: http://www.github.com/ "Github" +// +// Anywhere in the document, the reference can be linked by referring to its +// label, i.e., 1 and 2 in this example, as in: +// +// This library is hosted on [Github][2], a git hosting site. +// +// Actual footnotes as specified in Pandoc and supported by some other Markdown +// libraries such as php-markdown are also taken care of. They look like this: +// +// This sentence needs a bit of further explanation.[^note] +// +// [^note]: This is the explanation. +// +// Footnotes should be placed at the end of the document in an ordered list. +// Finally, there are inline footnotes such as: +// +// Inline footnotes^[Also supported.] provide a quick inline explanation, +// but are rendered at the bottom of the document. +// + +// reference holds all information necessary for a reference-style links or +// footnotes. +// +// Consider this markdown with reference-style links: +// +// [link][ref] +// +// [ref]: /url/ "tooltip title" +// +// It will be ultimately converted to this HTML: +// +//

    link

    +// +// And a reference structure will be populated as follows: +// +// p.refs["ref"] = &reference{ +// link: "/url/", +// title: "tooltip title", +// } +// +// Alternatively, reference can contain information about a footnote. Consider +// this markdown: +// +// Text needing a footnote.[^a] +// +// [^a]: This is the note +// +// A reference structure will be populated as follows: +// +// p.refs["a"] = &reference{ +// link: "a", +// title: "This is the note", +// noteID: , +// } +// +// TODO: As you can see, it begs for splitting into two dedicated structures +// for refs and for footnotes. +type reference struct { + link []byte + title []byte + noteID int // 0 if not a footnote ref + hasBlock bool + footnote *Node // a link to the Item node within a list of footnotes + + text []byte // only gets populated by refOverride feature with Reference.Text +} + +func (r *reference) String() string { + return fmt.Sprintf("{link: %q, title: %q, text: %q, noteID: %d, hasBlock: %v}", + r.link, r.title, r.text, r.noteID, r.hasBlock) +} + +// Check whether or not data starts with a reference link. +// If so, it is parsed and stored in the list of references +// (in the render struct). +// Returns the number of bytes to skip to move past it, +// or zero if the first line is not a reference. +func isReference(p *Markdown, data []byte, tabSize int) int { + // up to 3 optional leading spaces + if len(data) < 4 { + return 0 + } + i := 0 + for i < 3 && data[i] == ' ' { + i++ + } + + noteID := 0 + + // id part: anything but a newline between brackets + if data[i] != '[' { + return 0 + } + i++ + if p.extensions&Footnotes != 0 { + if i < len(data) && data[i] == '^' { + // we can set it to anything here because the proper noteIds will + // be assigned later during the second pass. It just has to be != 0 + noteID = 1 + i++ + } + } + idOffset := i + for i < len(data) && data[i] != '\n' && data[i] != '\r' && data[i] != ']' { + i++ + } + if i >= len(data) || data[i] != ']' { + return 0 + } + idEnd := i + // footnotes can have empty ID, like this: [^], but a reference can not be + // empty like this: []. Break early if it's not a footnote and there's no ID + if noteID == 0 && idOffset == idEnd { + return 0 + } + // spacer: colon (space | tab)* newline? (space | tab)* + i++ + if i >= len(data) || data[i] != ':' { + return 0 + } + i++ + for i < len(data) && (data[i] == ' ' || data[i] == '\t') { + i++ + } + if i < len(data) && (data[i] == '\n' || data[i] == '\r') { + i++ + if i < len(data) && data[i] == '\n' && data[i-1] == '\r' { + i++ + } + } + for i < len(data) && (data[i] == ' ' || data[i] == '\t') { + i++ + } + if i >= len(data) { + return 0 + } + + var ( + linkOffset, linkEnd int + titleOffset, titleEnd int + lineEnd int + raw []byte + hasBlock bool + ) + + if p.extensions&Footnotes != 0 && noteID != 0 { + linkOffset, linkEnd, raw, hasBlock = scanFootnote(p, data, i, tabSize) + lineEnd = linkEnd + } else { + linkOffset, linkEnd, titleOffset, titleEnd, lineEnd = scanLinkRef(p, data, i) + } + if lineEnd == 0 { + return 0 + } + + // a valid ref has been found + + ref := &reference{ + noteID: noteID, + hasBlock: hasBlock, + } + + if noteID > 0 { + // reusing the link field for the id since footnotes don't have links + ref.link = data[idOffset:idEnd] + // if footnote, it's not really a title, it's the contained text + ref.title = raw + } else { + ref.link = data[linkOffset:linkEnd] + ref.title = data[titleOffset:titleEnd] + } + + // id matches are case-insensitive + id := string(bytes.ToLower(data[idOffset:idEnd])) + + p.refs[id] = ref + + return lineEnd +} + +func scanLinkRef(p *Markdown, data []byte, i int) (linkOffset, linkEnd, titleOffset, titleEnd, lineEnd int) { + // link: whitespace-free sequence, optionally between angle brackets + if data[i] == '<' { + i++ + } + linkOffset = i + for i < len(data) && data[i] != ' ' && data[i] != '\t' && data[i] != '\n' && data[i] != '\r' { + i++ + } + linkEnd = i + if data[linkOffset] == '<' && data[linkEnd-1] == '>' { + linkOffset++ + linkEnd-- + } + + // optional spacer: (space | tab)* (newline | '\'' | '"' | '(' ) + for i < len(data) && (data[i] == ' ' || data[i] == '\t') { + i++ + } + if i < len(data) && data[i] != '\n' && data[i] != '\r' && data[i] != '\'' && data[i] != '"' && data[i] != '(' { + return + } + + // compute end-of-line + if i >= len(data) || data[i] == '\r' || data[i] == '\n' { + lineEnd = i + } + if i+1 < len(data) && data[i] == '\r' && data[i+1] == '\n' { + lineEnd++ + } + + // optional (space|tab)* spacer after a newline + if lineEnd > 0 { + i = lineEnd + 1 + for i < len(data) && (data[i] == ' ' || data[i] == '\t') { + i++ + } + } + + // optional title: any non-newline sequence enclosed in '"() alone on its line + if i+1 < len(data) && (data[i] == '\'' || data[i] == '"' || data[i] == '(') { + i++ + titleOffset = i + + // look for EOL + for i < len(data) && data[i] != '\n' && data[i] != '\r' { + i++ + } + if i+1 < len(data) && data[i] == '\n' && data[i+1] == '\r' { + titleEnd = i + 1 + } else { + titleEnd = i + } + + // step back + i-- + for i > titleOffset && (data[i] == ' ' || data[i] == '\t') { + i-- + } + if i > titleOffset && (data[i] == '\'' || data[i] == '"' || data[i] == ')') { + lineEnd = titleEnd + titleEnd = i + } + } + + return +} + +// The first bit of this logic is the same as Parser.listItem, but the rest +// is much simpler. This function simply finds the entire block and shifts it +// over by one tab if it is indeed a block (just returns the line if it's not). +// blockEnd is the end of the section in the input buffer, and contents is the +// extracted text that was shifted over one tab. It will need to be rendered at +// the end of the document. +func scanFootnote(p *Markdown, data []byte, i, indentSize int) (blockStart, blockEnd int, contents []byte, hasBlock bool) { + if i == 0 || len(data) == 0 { + return + } + + // skip leading whitespace on first line + for i < len(data) && data[i] == ' ' { + i++ + } + + blockStart = i + + // find the end of the line + blockEnd = i + for i < len(data) && data[i-1] != '\n' { + i++ + } + + // get working buffer + var raw bytes.Buffer + + // put the first line into the working buffer + raw.Write(data[blockEnd:i]) + blockEnd = i + + // process the following lines + containsBlankLine := false + +gatherLines: + for blockEnd < len(data) { + i++ + + // find the end of this line + for i < len(data) && data[i-1] != '\n' { + i++ + } + + // if it is an empty line, guess that it is part of this item + // and move on to the next line + if p.isEmpty(data[blockEnd:i]) > 0 { + containsBlankLine = true + blockEnd = i + continue + } + + n := 0 + if n = isIndented(data[blockEnd:i], indentSize); n == 0 { + // this is the end of the block. + // we don't want to include this last line in the index. + break gatherLines + } + + // if there were blank lines before this one, insert a new one now + if containsBlankLine { + raw.WriteByte('\n') + containsBlankLine = false + } + + // get rid of that first tab, write to buffer + raw.Write(data[blockEnd+n : i]) + hasBlock = true + + blockEnd = i + } + + if data[blockEnd-1] != '\n' { + raw.WriteByte('\n') + } + + contents = raw.Bytes() + + return +} + +// +// +// Miscellaneous helper functions +// +// + +// Test if a character is a punctuation symbol. +// Taken from a private function in regexp in the stdlib. +func ispunct(c byte) bool { + for _, r := range []byte("!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~") { + if c == r { + return true + } + } + return false +} + +// Test if a character is a whitespace character. +func isspace(c byte) bool { + return ishorizontalspace(c) || isverticalspace(c) +} + +// Test if a character is a horizontal whitespace character. +func ishorizontalspace(c byte) bool { + return c == ' ' || c == '\t' +} + +// Test if a character is a vertical character. +func isverticalspace(c byte) bool { + return c == '\n' || c == '\r' || c == '\f' || c == '\v' +} + +// Test if a character is letter. +func isletter(c byte) bool { + return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') +} + +// Test if a character is a letter or a digit. +// TODO: check when this is looking for ASCII alnum and when it should use unicode +func isalnum(c byte) bool { + return (c >= '0' && c <= '9') || isletter(c) +} + +// Replace tab characters with spaces, aligning to the next TAB_SIZE column. +// always ends output with a newline +func expandTabs(out *bytes.Buffer, line []byte, tabSize int) { + // first, check for common cases: no tabs, or only tabs at beginning of line + i, prefix := 0, 0 + slowcase := false + for i = 0; i < len(line); i++ { + if line[i] == '\t' { + if prefix == i { + prefix++ + } else { + slowcase = true + break + } + } + } + + // no need to decode runes if all tabs are at the beginning of the line + if !slowcase { + for i = 0; i < prefix*tabSize; i++ { + out.WriteByte(' ') + } + out.Write(line[prefix:]) + return + } + + // the slow case: we need to count runes to figure out how + // many spaces to insert for each tab + column := 0 + i = 0 + for i < len(line) { + start := i + for i < len(line) && line[i] != '\t' { + _, size := utf8.DecodeRune(line[i:]) + i += size + column++ + } + + if i > start { + out.Write(line[start:i]) + } + + if i >= len(line) { + break + } + + for { + out.WriteByte(' ') + column++ + if column%tabSize == 0 { + break + } + } + + i++ + } +} + +// Find if a line counts as indented or not. +// Returns number of characters the indent is (0 = not indented). +func isIndented(data []byte, indentSize int) int { + if len(data) == 0 { + return 0 + } + if data[0] == '\t' { + return 1 + } + if len(data) < indentSize { + return 0 + } + for i := 0; i < indentSize; i++ { + if data[i] != ' ' { + return 0 + } + } + return indentSize +} + +// Create a url-safe slug for fragments +func slugify(in []byte) []byte { + if len(in) == 0 { + return in + } + out := make([]byte, 0, len(in)) + sym := false + + for _, ch := range in { + if isalnum(ch) { + sym = false + out = append(out, ch) + } else if sym { + continue + } else { + out = append(out, '-') + sym = true + } + } + var a, b int + var ch byte + for a, ch = range out { + if ch != '-' { + break + } + } + for b = len(out) - 1; b > 0; b-- { + if out[b] != '-' { + break + } + } + return out[a : b+1] +} diff --git a/vendor/github.com/russross/blackfriday/v2/node.go b/vendor/github.com/russross/blackfriday/v2/node.go new file mode 100644 index 0000000000..04e6050cee --- /dev/null +++ b/vendor/github.com/russross/blackfriday/v2/node.go @@ -0,0 +1,360 @@ +package blackfriday + +import ( + "bytes" + "fmt" +) + +// NodeType specifies a type of a single node of a syntax tree. Usually one +// node (and its type) corresponds to a single markdown feature, e.g. emphasis +// or code block. +type NodeType int + +// Constants for identifying different types of nodes. See NodeType. +const ( + Document NodeType = iota + BlockQuote + List + Item + Paragraph + Heading + HorizontalRule + Emph + Strong + Del + Link + Image + Text + HTMLBlock + CodeBlock + Softbreak + Hardbreak + Code + HTMLSpan + Table + TableCell + TableHead + TableBody + TableRow +) + +var nodeTypeNames = []string{ + Document: "Document", + BlockQuote: "BlockQuote", + List: "List", + Item: "Item", + Paragraph: "Paragraph", + Heading: "Heading", + HorizontalRule: "HorizontalRule", + Emph: "Emph", + Strong: "Strong", + Del: "Del", + Link: "Link", + Image: "Image", + Text: "Text", + HTMLBlock: "HTMLBlock", + CodeBlock: "CodeBlock", + Softbreak: "Softbreak", + Hardbreak: "Hardbreak", + Code: "Code", + HTMLSpan: "HTMLSpan", + Table: "Table", + TableCell: "TableCell", + TableHead: "TableHead", + TableBody: "TableBody", + TableRow: "TableRow", +} + +func (t NodeType) String() string { + return nodeTypeNames[t] +} + +// ListData contains fields relevant to a List and Item node type. +type ListData struct { + ListFlags ListType + Tight bool // Skip

    s around list item data if true + BulletChar byte // '*', '+' or '-' in bullet lists + Delimiter byte // '.' or ')' after the number in ordered lists + RefLink []byte // If not nil, turns this list item into a footnote item and triggers different rendering + IsFootnotesList bool // This is a list of footnotes +} + +// LinkData contains fields relevant to a Link node type. +type LinkData struct { + Destination []byte // Destination is what goes into a href + Title []byte // Title is the tooltip thing that goes in a title attribute + NoteID int // NoteID contains a serial number of a footnote, zero if it's not a footnote + Footnote *Node // If it's a footnote, this is a direct link to the footnote Node. Otherwise nil. +} + +// CodeBlockData contains fields relevant to a CodeBlock node type. +type CodeBlockData struct { + IsFenced bool // Specifies whether it's a fenced code block or an indented one + Info []byte // This holds the info string + FenceChar byte + FenceLength int + FenceOffset int +} + +// TableCellData contains fields relevant to a TableCell node type. +type TableCellData struct { + IsHeader bool // This tells if it's under the header row + Align CellAlignFlags // This holds the value for align attribute +} + +// HeadingData contains fields relevant to a Heading node type. +type HeadingData struct { + Level int // This holds the heading level number + HeadingID string // This might hold heading ID, if present + IsTitleblock bool // Specifies whether it's a title block +} + +// Node is a single element in the abstract syntax tree of the parsed document. +// It holds connections to the structurally neighboring nodes and, for certain +// types of nodes, additional information that might be needed when rendering. +type Node struct { + Type NodeType // Determines the type of the node + Parent *Node // Points to the parent + FirstChild *Node // Points to the first child, if any + LastChild *Node // Points to the last child, if any + Prev *Node // Previous sibling; nil if it's the first child + Next *Node // Next sibling; nil if it's the last child + + Literal []byte // Text contents of the leaf nodes + + HeadingData // Populated if Type is Heading + ListData // Populated if Type is List + CodeBlockData // Populated if Type is CodeBlock + LinkData // Populated if Type is Link + TableCellData // Populated if Type is TableCell + + content []byte // Markdown content of the block nodes + open bool // Specifies an open block node that has not been finished to process yet +} + +// NewNode allocates a node of a specified type. +func NewNode(typ NodeType) *Node { + return &Node{ + Type: typ, + open: true, + } +} + +func (n *Node) String() string { + ellipsis := "" + snippet := n.Literal + if len(snippet) > 16 { + snippet = snippet[:16] + ellipsis = "..." + } + return fmt.Sprintf("%s: '%s%s'", n.Type, snippet, ellipsis) +} + +// Unlink removes node 'n' from the tree. +// It panics if the node is nil. +func (n *Node) Unlink() { + if n.Prev != nil { + n.Prev.Next = n.Next + } else if n.Parent != nil { + n.Parent.FirstChild = n.Next + } + if n.Next != nil { + n.Next.Prev = n.Prev + } else if n.Parent != nil { + n.Parent.LastChild = n.Prev + } + n.Parent = nil + n.Next = nil + n.Prev = nil +} + +// AppendChild adds a node 'child' as a child of 'n'. +// It panics if either node is nil. +func (n *Node) AppendChild(child *Node) { + child.Unlink() + child.Parent = n + if n.LastChild != nil { + n.LastChild.Next = child + child.Prev = n.LastChild + n.LastChild = child + } else { + n.FirstChild = child + n.LastChild = child + } +} + +// InsertBefore inserts 'sibling' immediately before 'n'. +// It panics if either node is nil. +func (n *Node) InsertBefore(sibling *Node) { + sibling.Unlink() + sibling.Prev = n.Prev + if sibling.Prev != nil { + sibling.Prev.Next = sibling + } + sibling.Next = n + n.Prev = sibling + sibling.Parent = n.Parent + if sibling.Prev == nil { + sibling.Parent.FirstChild = sibling + } +} + +// IsContainer returns true if 'n' can contain children. +func (n *Node) IsContainer() bool { + switch n.Type { + case Document: + fallthrough + case BlockQuote: + fallthrough + case List: + fallthrough + case Item: + fallthrough + case Paragraph: + fallthrough + case Heading: + fallthrough + case Emph: + fallthrough + case Strong: + fallthrough + case Del: + fallthrough + case Link: + fallthrough + case Image: + fallthrough + case Table: + fallthrough + case TableHead: + fallthrough + case TableBody: + fallthrough + case TableRow: + fallthrough + case TableCell: + return true + default: + return false + } +} + +// IsLeaf returns true if 'n' is a leaf node. +func (n *Node) IsLeaf() bool { + return !n.IsContainer() +} + +func (n *Node) canContain(t NodeType) bool { + if n.Type == List { + return t == Item + } + if n.Type == Document || n.Type == BlockQuote || n.Type == Item { + return t != Item + } + if n.Type == Table { + return t == TableHead || t == TableBody + } + if n.Type == TableHead || n.Type == TableBody { + return t == TableRow + } + if n.Type == TableRow { + return t == TableCell + } + return false +} + +// WalkStatus allows NodeVisitor to have some control over the tree traversal. +// It is returned from NodeVisitor and different values allow Node.Walk to +// decide which node to go to next. +type WalkStatus int + +const ( + // GoToNext is the default traversal of every node. + GoToNext WalkStatus = iota + // SkipChildren tells walker to skip all children of current node. + SkipChildren + // Terminate tells walker to terminate the traversal. + Terminate +) + +// NodeVisitor is a callback to be called when traversing the syntax tree. +// Called twice for every node: once with entering=true when the branch is +// first visited, then with entering=false after all the children are done. +type NodeVisitor func(node *Node, entering bool) WalkStatus + +// Walk is a convenience method that instantiates a walker and starts a +// traversal of subtree rooted at n. +func (n *Node) Walk(visitor NodeVisitor) { + w := newNodeWalker(n) + for w.current != nil { + status := visitor(w.current, w.entering) + switch status { + case GoToNext: + w.next() + case SkipChildren: + w.entering = false + w.next() + case Terminate: + return + } + } +} + +type nodeWalker struct { + current *Node + root *Node + entering bool +} + +func newNodeWalker(root *Node) *nodeWalker { + return &nodeWalker{ + current: root, + root: root, + entering: true, + } +} + +func (nw *nodeWalker) next() { + if (!nw.current.IsContainer() || !nw.entering) && nw.current == nw.root { + nw.current = nil + return + } + if nw.entering && nw.current.IsContainer() { + if nw.current.FirstChild != nil { + nw.current = nw.current.FirstChild + nw.entering = true + } else { + nw.entering = false + } + } else if nw.current.Next == nil { + nw.current = nw.current.Parent + nw.entering = false + } else { + nw.current = nw.current.Next + nw.entering = true + } +} + +func dump(ast *Node) { + fmt.Println(dumpString(ast)) +} + +func dumpR(ast *Node, depth int) string { + if ast == nil { + return "" + } + indent := bytes.Repeat([]byte("\t"), depth) + content := ast.Literal + if content == nil { + content = ast.content + } + result := fmt.Sprintf("%s%s(%q)\n", indent, ast.Type, content) + for n := ast.FirstChild; n != nil; n = n.Next { + result += dumpR(n, depth+1) + } + return result +} + +func dumpString(ast *Node) string { + return dumpR(ast, 0) +} diff --git a/vendor/github.com/russross/blackfriday/v2/smartypants.go b/vendor/github.com/russross/blackfriday/v2/smartypants.go new file mode 100644 index 0000000000..3a220e9424 --- /dev/null +++ b/vendor/github.com/russross/blackfriday/v2/smartypants.go @@ -0,0 +1,457 @@ +// +// Blackfriday Markdown Processor +// Available at http://github.com/russross/blackfriday +// +// Copyright © 2011 Russ Ross . +// Distributed under the Simplified BSD License. +// See README.md for details. +// + +// +// +// SmartyPants rendering +// +// + +package blackfriday + +import ( + "bytes" + "io" +) + +// SPRenderer is a struct containing state of a Smartypants renderer. +type SPRenderer struct { + inSingleQuote bool + inDoubleQuote bool + callbacks [256]smartCallback +} + +func wordBoundary(c byte) bool { + return c == 0 || isspace(c) || ispunct(c) +} + +func tolower(c byte) byte { + if c >= 'A' && c <= 'Z' { + return c - 'A' + 'a' + } + return c +} + +func isdigit(c byte) bool { + return c >= '0' && c <= '9' +} + +func smartQuoteHelper(out *bytes.Buffer, previousChar byte, nextChar byte, quote byte, isOpen *bool, addNBSP bool) bool { + // edge of the buffer is likely to be a tag that we don't get to see, + // so we treat it like text sometimes + + // enumerate all sixteen possibilities for (previousChar, nextChar) + // each can be one of {0, space, punct, other} + switch { + case previousChar == 0 && nextChar == 0: + // context is not any help here, so toggle + *isOpen = !*isOpen + case isspace(previousChar) && nextChar == 0: + // [ "] might be [ "foo...] + *isOpen = true + case ispunct(previousChar) && nextChar == 0: + // [!"] hmm... could be [Run!"] or [("...] + *isOpen = false + case /* isnormal(previousChar) && */ nextChar == 0: + // [a"] is probably a close + *isOpen = false + case previousChar == 0 && isspace(nextChar): + // [" ] might be [...foo" ] + *isOpen = false + case isspace(previousChar) && isspace(nextChar): + // [ " ] context is not any help here, so toggle + *isOpen = !*isOpen + case ispunct(previousChar) && isspace(nextChar): + // [!" ] is probably a close + *isOpen = false + case /* isnormal(previousChar) && */ isspace(nextChar): + // [a" ] this is one of the easy cases + *isOpen = false + case previousChar == 0 && ispunct(nextChar): + // ["!] hmm... could be ["$1.95] or ["!...] + *isOpen = false + case isspace(previousChar) && ispunct(nextChar): + // [ "!] looks more like [ "$1.95] + *isOpen = true + case ispunct(previousChar) && ispunct(nextChar): + // [!"!] context is not any help here, so toggle + *isOpen = !*isOpen + case /* isnormal(previousChar) && */ ispunct(nextChar): + // [a"!] is probably a close + *isOpen = false + case previousChar == 0 /* && isnormal(nextChar) */ : + // ["a] is probably an open + *isOpen = true + case isspace(previousChar) /* && isnormal(nextChar) */ : + // [ "a] this is one of the easy cases + *isOpen = true + case ispunct(previousChar) /* && isnormal(nextChar) */ : + // [!"a] is probably an open + *isOpen = true + default: + // [a'b] maybe a contraction? + *isOpen = false + } + + // Note that with the limited lookahead, this non-breaking + // space will also be appended to single double quotes. + if addNBSP && !*isOpen { + out.WriteString(" ") + } + + out.WriteByte('&') + if *isOpen { + out.WriteByte('l') + } else { + out.WriteByte('r') + } + out.WriteByte(quote) + out.WriteString("quo;") + + if addNBSP && *isOpen { + out.WriteString(" ") + } + + return true +} + +func (r *SPRenderer) smartSingleQuote(out *bytes.Buffer, previousChar byte, text []byte) int { + if len(text) >= 2 { + t1 := tolower(text[1]) + + if t1 == '\'' { + nextChar := byte(0) + if len(text) >= 3 { + nextChar = text[2] + } + if smartQuoteHelper(out, previousChar, nextChar, 'd', &r.inDoubleQuote, false) { + return 1 + } + } + + if (t1 == 's' || t1 == 't' || t1 == 'm' || t1 == 'd') && (len(text) < 3 || wordBoundary(text[2])) { + out.WriteString("’") + return 0 + } + + if len(text) >= 3 { + t2 := tolower(text[2]) + + if ((t1 == 'r' && t2 == 'e') || (t1 == 'l' && t2 == 'l') || (t1 == 'v' && t2 == 'e')) && + (len(text) < 4 || wordBoundary(text[3])) { + out.WriteString("’") + return 0 + } + } + } + + nextChar := byte(0) + if len(text) > 1 { + nextChar = text[1] + } + if smartQuoteHelper(out, previousChar, nextChar, 's', &r.inSingleQuote, false) { + return 0 + } + + out.WriteByte(text[0]) + return 0 +} + +func (r *SPRenderer) smartParens(out *bytes.Buffer, previousChar byte, text []byte) int { + if len(text) >= 3 { + t1 := tolower(text[1]) + t2 := tolower(text[2]) + + if t1 == 'c' && t2 == ')' { + out.WriteString("©") + return 2 + } + + if t1 == 'r' && t2 == ')' { + out.WriteString("®") + return 2 + } + + if len(text) >= 4 && t1 == 't' && t2 == 'm' && text[3] == ')' { + out.WriteString("™") + return 3 + } + } + + out.WriteByte(text[0]) + return 0 +} + +func (r *SPRenderer) smartDash(out *bytes.Buffer, previousChar byte, text []byte) int { + if len(text) >= 2 { + if text[1] == '-' { + out.WriteString("—") + return 1 + } + + if wordBoundary(previousChar) && wordBoundary(text[1]) { + out.WriteString("–") + return 0 + } + } + + out.WriteByte(text[0]) + return 0 +} + +func (r *SPRenderer) smartDashLatex(out *bytes.Buffer, previousChar byte, text []byte) int { + if len(text) >= 3 && text[1] == '-' && text[2] == '-' { + out.WriteString("—") + return 2 + } + if len(text) >= 2 && text[1] == '-' { + out.WriteString("–") + return 1 + } + + out.WriteByte(text[0]) + return 0 +} + +func (r *SPRenderer) smartAmpVariant(out *bytes.Buffer, previousChar byte, text []byte, quote byte, addNBSP bool) int { + if bytes.HasPrefix(text, []byte(""")) { + nextChar := byte(0) + if len(text) >= 7 { + nextChar = text[6] + } + if smartQuoteHelper(out, previousChar, nextChar, quote, &r.inDoubleQuote, addNBSP) { + return 5 + } + } + + if bytes.HasPrefix(text, []byte("�")) { + return 3 + } + + out.WriteByte('&') + return 0 +} + +func (r *SPRenderer) smartAmp(angledQuotes, addNBSP bool) func(*bytes.Buffer, byte, []byte) int { + var quote byte = 'd' + if angledQuotes { + quote = 'a' + } + + return func(out *bytes.Buffer, previousChar byte, text []byte) int { + return r.smartAmpVariant(out, previousChar, text, quote, addNBSP) + } +} + +func (r *SPRenderer) smartPeriod(out *bytes.Buffer, previousChar byte, text []byte) int { + if len(text) >= 3 && text[1] == '.' && text[2] == '.' { + out.WriteString("…") + return 2 + } + + if len(text) >= 5 && text[1] == ' ' && text[2] == '.' && text[3] == ' ' && text[4] == '.' { + out.WriteString("…") + return 4 + } + + out.WriteByte(text[0]) + return 0 +} + +func (r *SPRenderer) smartBacktick(out *bytes.Buffer, previousChar byte, text []byte) int { + if len(text) >= 2 && text[1] == '`' { + nextChar := byte(0) + if len(text) >= 3 { + nextChar = text[2] + } + if smartQuoteHelper(out, previousChar, nextChar, 'd', &r.inDoubleQuote, false) { + return 1 + } + } + + out.WriteByte(text[0]) + return 0 +} + +func (r *SPRenderer) smartNumberGeneric(out *bytes.Buffer, previousChar byte, text []byte) int { + if wordBoundary(previousChar) && previousChar != '/' && len(text) >= 3 { + // is it of the form digits/digits(word boundary)?, i.e., \d+/\d+\b + // note: check for regular slash (/) or fraction slash (â„, 0x2044, or 0xe2 81 84 in utf-8) + // and avoid changing dates like 1/23/2005 into fractions. + numEnd := 0 + for len(text) > numEnd && isdigit(text[numEnd]) { + numEnd++ + } + if numEnd == 0 { + out.WriteByte(text[0]) + return 0 + } + denStart := numEnd + 1 + if len(text) > numEnd+3 && text[numEnd] == 0xe2 && text[numEnd+1] == 0x81 && text[numEnd+2] == 0x84 { + denStart = numEnd + 3 + } else if len(text) < numEnd+2 || text[numEnd] != '/' { + out.WriteByte(text[0]) + return 0 + } + denEnd := denStart + for len(text) > denEnd && isdigit(text[denEnd]) { + denEnd++ + } + if denEnd == denStart { + out.WriteByte(text[0]) + return 0 + } + if len(text) == denEnd || wordBoundary(text[denEnd]) && text[denEnd] != '/' { + out.WriteString("") + out.Write(text[:numEnd]) + out.WriteString("") + out.Write(text[denStart:denEnd]) + out.WriteString("") + return denEnd - 1 + } + } + + out.WriteByte(text[0]) + return 0 +} + +func (r *SPRenderer) smartNumber(out *bytes.Buffer, previousChar byte, text []byte) int { + if wordBoundary(previousChar) && previousChar != '/' && len(text) >= 3 { + if text[0] == '1' && text[1] == '/' && text[2] == '2' { + if len(text) < 4 || wordBoundary(text[3]) && text[3] != '/' { + out.WriteString("½") + return 2 + } + } + + if text[0] == '1' && text[1] == '/' && text[2] == '4' { + if len(text) < 4 || wordBoundary(text[3]) && text[3] != '/' || (len(text) >= 5 && tolower(text[3]) == 't' && tolower(text[4]) == 'h') { + out.WriteString("¼") + return 2 + } + } + + if text[0] == '3' && text[1] == '/' && text[2] == '4' { + if len(text) < 4 || wordBoundary(text[3]) && text[3] != '/' || (len(text) >= 6 && tolower(text[3]) == 't' && tolower(text[4]) == 'h' && tolower(text[5]) == 's') { + out.WriteString("¾") + return 2 + } + } + } + + out.WriteByte(text[0]) + return 0 +} + +func (r *SPRenderer) smartDoubleQuoteVariant(out *bytes.Buffer, previousChar byte, text []byte, quote byte) int { + nextChar := byte(0) + if len(text) > 1 { + nextChar = text[1] + } + if !smartQuoteHelper(out, previousChar, nextChar, quote, &r.inDoubleQuote, false) { + out.WriteString(""") + } + + return 0 +} + +func (r *SPRenderer) smartDoubleQuote(out *bytes.Buffer, previousChar byte, text []byte) int { + return r.smartDoubleQuoteVariant(out, previousChar, text, 'd') +} + +func (r *SPRenderer) smartAngledDoubleQuote(out *bytes.Buffer, previousChar byte, text []byte) int { + return r.smartDoubleQuoteVariant(out, previousChar, text, 'a') +} + +func (r *SPRenderer) smartLeftAngle(out *bytes.Buffer, previousChar byte, text []byte) int { + i := 0 + + for i < len(text) && text[i] != '>' { + i++ + } + + out.Write(text[:i+1]) + return i +} + +type smartCallback func(out *bytes.Buffer, previousChar byte, text []byte) int + +// NewSmartypantsRenderer constructs a Smartypants renderer object. +func NewSmartypantsRenderer(flags HTMLFlags) *SPRenderer { + var ( + r SPRenderer + + smartAmpAngled = r.smartAmp(true, false) + smartAmpAngledNBSP = r.smartAmp(true, true) + smartAmpRegular = r.smartAmp(false, false) + smartAmpRegularNBSP = r.smartAmp(false, true) + + addNBSP = flags&SmartypantsQuotesNBSP != 0 + ) + + if flags&SmartypantsAngledQuotes == 0 { + r.callbacks['"'] = r.smartDoubleQuote + if !addNBSP { + r.callbacks['&'] = smartAmpRegular + } else { + r.callbacks['&'] = smartAmpRegularNBSP + } + } else { + r.callbacks['"'] = r.smartAngledDoubleQuote + if !addNBSP { + r.callbacks['&'] = smartAmpAngled + } else { + r.callbacks['&'] = smartAmpAngledNBSP + } + } + r.callbacks['\''] = r.smartSingleQuote + r.callbacks['('] = r.smartParens + if flags&SmartypantsDashes != 0 { + if flags&SmartypantsLatexDashes == 0 { + r.callbacks['-'] = r.smartDash + } else { + r.callbacks['-'] = r.smartDashLatex + } + } + r.callbacks['.'] = r.smartPeriod + if flags&SmartypantsFractions == 0 { + r.callbacks['1'] = r.smartNumber + r.callbacks['3'] = r.smartNumber + } else { + for ch := '1'; ch <= '9'; ch++ { + r.callbacks[ch] = r.smartNumberGeneric + } + } + r.callbacks['<'] = r.smartLeftAngle + r.callbacks['`'] = r.smartBacktick + return &r +} + +// Process is the entry point of the Smartypants renderer. +func (r *SPRenderer) Process(w io.Writer, text []byte) { + mark := 0 + for i := 0; i < len(text); i++ { + if action := r.callbacks[text[i]]; action != nil { + if i > mark { + w.Write(text[mark:i]) + } + previousChar := byte(0) + if i > 0 { + previousChar = text[i-1] + } + var tmp bytes.Buffer + i += action(&tmp, previousChar, text[i:]) + w.Write(tmp.Bytes()) + mark = i + 1 + } + } + if mark < len(text) { + w.Write(text[mark:]) + } +} diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/.gitmodules b/vendor/github.com/santhosh-tekuri/jsonschema/v6/.gitmodules new file mode 100644 index 0000000000..d14f5ea70f --- /dev/null +++ b/vendor/github.com/santhosh-tekuri/jsonschema/v6/.gitmodules @@ -0,0 +1,4 @@ +[submodule "testdata/JSON-Schema-Test-Suite"] + path = testdata/JSON-Schema-Test-Suite + url = https://github.com/json-schema-org/JSON-Schema-Test-Suite.git + branch = main diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/.golangci.yml b/vendor/github.com/santhosh-tekuri/jsonschema/v6/.golangci.yml new file mode 100644 index 0000000000..6534d53166 --- /dev/null +++ b/vendor/github.com/santhosh-tekuri/jsonschema/v6/.golangci.yml @@ -0,0 +1,7 @@ +version: "2" +linters: + enable: + - nakedret + - errname + - godot + - misspell diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/.pre-commit-hooks.yaml b/vendor/github.com/santhosh-tekuri/jsonschema/v6/.pre-commit-hooks.yaml new file mode 100644 index 0000000000..695b502ed9 --- /dev/null +++ b/vendor/github.com/santhosh-tekuri/jsonschema/v6/.pre-commit-hooks.yaml @@ -0,0 +1,7 @@ +- id: jsonschema-validate + name: Validate JSON against JSON Schema + description: ensure json files follow specified JSON Schema + entry: jv + language: golang + additional_dependencies: + - ./cmd/jv diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/.swp b/vendor/github.com/santhosh-tekuri/jsonschema/v6/.swp new file mode 100644 index 0000000000..e511900313 Binary files /dev/null and b/vendor/github.com/santhosh-tekuri/jsonschema/v6/.swp differ diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/LICENSE b/vendor/github.com/santhosh-tekuri/jsonschema/v6/LICENSE new file mode 100644 index 0000000000..19dc35b243 --- /dev/null +++ b/vendor/github.com/santhosh-tekuri/jsonschema/v6/LICENSE @@ -0,0 +1,175 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. \ No newline at end of file diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/README.md b/vendor/github.com/santhosh-tekuri/jsonschema/v6/README.md new file mode 100644 index 0000000000..1243b66c5a --- /dev/null +++ b/vendor/github.com/santhosh-tekuri/jsonschema/v6/README.md @@ -0,0 +1,88 @@ +# jsonschema v6.0.2 + +[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) +[![GoDoc](https://godoc.org/github.com/santhosh-tekuri/jsonschema?status.svg)](https://pkg.go.dev/github.com/santhosh-tekuri/jsonschema/v6) +[![Go Report Card](https://goreportcard.com/badge/github.com/santhosh-tekuri/jsonschema/v6)](https://goreportcard.com/report/github.com/santhosh-tekuri/jsonschema/v6) +[![Build Status](https://github.com/santhosh-tekuri/jsonschema/actions/workflows/go.yaml/badge.svg?branch=boon)](https://github.com/santhosh-tekuri/jsonschema/actions/workflows/go.yaml) +[![codecov](https://codecov.io/gh/santhosh-tekuri/jsonschema/branch/boon/graph/badge.svg?token=JMVj1pFT2l)](https://codecov.io/gh/santhosh-tekuri/jsonschema/tree/boon) + +see [godoc](https://pkg.go.dev/github.com/santhosh-tekuri/jsonschema/v6) for examples + +## Library Features + +- [x] pass [JSON-Schema-Test-Suite](https://github.com/json-schema-org/JSON-Schema-Test-Suite) excluding optional(compare with other impls at [bowtie](https://bowtie-json-schema.github.io/bowtie/#)) + - [x] [![draft-04](https://img.shields.io/endpoint?url=https://bowtie.report/badges/go-jsonschema/compliance/draft4.json)](https://bowtie.report/#/dialects/draft4) + - [x] [![draft-06](https://img.shields.io/endpoint?url=https://bowtie.report/badges/go-jsonschema/compliance/draft6.json)](https://bowtie.report/#/dialects/draft6) + - [x] [![draft-07](https://img.shields.io/endpoint?url=https://bowtie.report/badges/go-jsonschema/compliance/draft7.json)](https://bowtie.report/#/dialects/draft7) + - [x] [![draft/2019-09](https://img.shields.io/endpoint?url=https://bowtie.report/badges/go-jsonschema/compliance/draft2019-09.json)](https://bowtie.report/#/dialects/draft2019-09) + - [x] [![draft/2020-12](https://img.shields.io/endpoint?url=https://bowtie.report/badges/go-jsonschema/compliance/draft2020-12.json)](https://bowtie.report/#/dialects/draft2020-12) +- [x] detect infinite loop traps + - [x] `$schema` cycle + - [x] validation cycle +- [x] custom `$schema` url +- [x] vocabulary based validation +- [x] custom regex engine +- [x] format assertions + - [x] flag to enable in draft >= 2019-09 + - [x] custom format registration + - [x] built-in formats + - [x] regex, uuid + - [x] ipv4, ipv6 + - [x] hostname, email + - [x] date, time, date-time, duration + - [x] json-pointer, relative-json-pointer + - [x] uri, uri-reference, uri-template + - [x] iri, iri-reference + - [x] period, semver +- [x] content assertions + - [x] flag to enable in draft >= 7 + - [x] contentEncoding + - [x] base64 + - [x] custom + - [x] contentMediaType + - [x] application/json + - [x] custom + - [x] contentSchema +- [x] errors + - [x] introspectable + - [x] hierarchy + - [x] alternative display with `#` + - [x] output + - [x] flag + - [x] basic + - [x] detailed +- [x] custom vocabulary + - enable via `$vocabulary` for draft >=2019-19 + - enable via flag for draft <= 7 +- [x] mixed dialect support + +## CLI v0.7.0 + +to install: `go install github.com/santhosh-tekuri/jsonschema/cmd/jv@latest` + +Note that the cli is versioned independently. you can see it in git tags `cmd/jv/v0.7.0` + +``` +Usage: jv [OPTIONS] SCHEMA [INSTANCE...] + +Options: + -c, --assert-content Enable content assertions with draft >= 7 + -f, --assert-format Enable format assertions with draft >= 2019 + --cacert pem-file Use the specified pem-file to verify the peer. The file may contain multiple CA certificates + -d, --draft version Draft version used when '$schema' is missing. Valid values 4, 6, 7, 2019, 2020 (default 2020) + -h, --help Print help information + -k, --insecure Use insecure TLS connection + -o, --output format Output format. Valid values simple, alt, flag, basic, detailed (default "simple") + -q, --quiet Do not print errors + -v, --version Print build information +``` + +- [x] exit code `1` for validation errors, `2` for usage errors +- [x] validate both schema and multiple instances +- [x] support both json and yaml files +- [x] support standard input, use `-` +- [x] quite mode with parsable output +- [x] http(s) url support + - [x] custom certs for validation, use `--cacert` + - [x] flag to skip certificate verification, use `--insecure` + diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/compiler.go b/vendor/github.com/santhosh-tekuri/jsonschema/v6/compiler.go new file mode 100644 index 0000000000..4da7361038 --- /dev/null +++ b/vendor/github.com/santhosh-tekuri/jsonschema/v6/compiler.go @@ -0,0 +1,332 @@ +package jsonschema + +import ( + "fmt" + "regexp" + "slices" +) + +// Compiler compiles json schema into *Schema. +type Compiler struct { + schemas map[urlPtr]*Schema + roots *roots + formats map[string]*Format + decoders map[string]*Decoder + mediaTypes map[string]*MediaType + assertFormat bool + assertContent bool +} + +// NewCompiler create Compiler Object. +func NewCompiler() *Compiler { + return &Compiler{ + schemas: map[urlPtr]*Schema{}, + roots: newRoots(), + formats: map[string]*Format{}, + decoders: map[string]*Decoder{}, + mediaTypes: map[string]*MediaType{}, + assertFormat: false, + assertContent: false, + } +} + +// DefaultDraft overrides the draft used to +// compile schemas without `$schema` field. +// +// By default, this library uses the latest +// draft supported. +// +// The use of this option is HIGHLY encouraged +// to ensure continued correct operation of your +// schema. The current default value will not stay +// the same overtime. +func (c *Compiler) DefaultDraft(d *Draft) { + c.roots.defaultDraft = d +} + +// AssertFormat always enables format assertions. +// +// Default Behavior: +// for draft-07: enabled. +// for draft/2019-09: disabled unless metaschema says `format` vocabulary is required. +// for draft/2020-12: disabled unless metaschema says `format-assertion` vocabulary is required. +func (c *Compiler) AssertFormat() { + c.assertFormat = true +} + +// AssertContent enables content assertions. +// +// Content assertions include keywords: +// - contentEncoding +// - contentMediaType +// - contentSchema +// +// Default behavior is always disabled. +func (c *Compiler) AssertContent() { + c.assertContent = true +} + +// RegisterFormat registers custom format. +// +// NOTE: +// - "regex" format can not be overridden +// - format assertions are disabled for draft >= 2019-09 +// see [Compiler.AssertFormat] +func (c *Compiler) RegisterFormat(f *Format) { + if f.Name != "regex" { + c.formats[f.Name] = f + } +} + +// RegisterContentEncoding registers custom contentEncoding. +// +// NOTE: content assertions are disabled by default. +// see [Compiler.AssertContent]. +func (c *Compiler) RegisterContentEncoding(d *Decoder) { + c.decoders[d.Name] = d +} + +// RegisterContentMediaType registers custom contentMediaType. +// +// NOTE: content assertions are disabled by default. +// see [Compiler.AssertContent]. +func (c *Compiler) RegisterContentMediaType(mt *MediaType) { + c.mediaTypes[mt.Name] = mt +} + +// RegisterVocabulary registers custom vocabulary. +// +// NOTE: +// - vocabularies are disabled for draft >= 2019-09 +// see [Compiler.AssertVocabs] +func (c *Compiler) RegisterVocabulary(vocab *Vocabulary) { + c.roots.vocabularies[vocab.URL] = vocab +} + +// AssertVocabs always enables user-defined vocabularies assertions. +// +// Default Behavior: +// for draft-07: enabled. +// for draft/2019-09: disabled unless metaschema enables a vocabulary. +// for draft/2020-12: disabled unless metaschema enables a vocabulary. +func (c *Compiler) AssertVocabs() { + c.roots.assertVocabs = true +} + +// AddResource adds schema resource which gets used later in reference +// resolution. +// +// The argument url can be file path or url. Any fragment in url is ignored. +// The argument doc must be valid json value. +func (c *Compiler) AddResource(url string, doc any) error { + uf, err := absolute(url) + if err != nil { + return err + } + if isMeta(string(uf.url)) { + return &ResourceExistsError{string(uf.url)} + } + if !c.roots.loader.add(uf.url, doc) { + return &ResourceExistsError{string(uf.url)} + } + return nil +} + +// UseLoader overrides the default [URLLoader] used +// to load schema resources. +func (c *Compiler) UseLoader(loader URLLoader) { + c.roots.loader.loader = loader +} + +// UseRegexpEngine changes the regexp-engine used. +// By default it uses regexp package from go standard +// library. +// +// NOTE: must be called before compiling any schemas. +func (c *Compiler) UseRegexpEngine(engine RegexpEngine) { + if engine == nil { + engine = goRegexpCompile + } + c.roots.regexpEngine = engine +} + +func (c *Compiler) enqueue(q *queue, up urlPtr) *Schema { + if sch, ok := c.schemas[up]; ok { + // already got compiled + return sch + } + if sch := q.get(up); sch != nil { + return sch + } + sch := newSchema(up) + q.append(sch) + return sch +} + +// MustCompile is like [Compile] but panics if compilation fails. +// It simplifies safe initialization of global variables holding +// compiled schema. +func (c *Compiler) MustCompile(loc string) *Schema { + sch, err := c.Compile(loc) + if err != nil { + panic(fmt.Sprintf("jsonschema: Compile(%q): %v", loc, err)) + } + return sch +} + +// Compile compiles json-schema at given loc. +func (c *Compiler) Compile(loc string) (*Schema, error) { + uf, err := absolute(loc) + if err != nil { + return nil, err + } + up, err := c.roots.resolveFragment(*uf) + if err != nil { + return nil, err + } + return c.doCompile(up) +} + +func (c *Compiler) doCompile(up urlPtr) (*Schema, error) { + q := &queue{} + compiled := 0 + + c.enqueue(q, up) + for q.len() > compiled { + sch := q.at(compiled) + if err := c.roots.ensureSubschema(sch.up); err != nil { + return nil, err + } + r := c.roots.roots[sch.up.url] + v, err := sch.up.lookup(r.doc) + if err != nil { + return nil, err + } + if err := c.compileValue(v, sch, r, q); err != nil { + return nil, err + } + compiled++ + } + for _, sch := range *q { + c.schemas[sch.up] = sch + } + return c.schemas[up], nil +} + +func (c *Compiler) compileValue(v any, sch *Schema, r *root, q *queue) error { + res := r.resource(sch.up.ptr) + sch.DraftVersion = res.dialect.draft.version + + base := urlPtr{sch.up.url, res.ptr} + sch.resource = c.enqueue(q, base) + + // if resource, enqueue dynamic anchors for compilation + if sch.DraftVersion >= 2020 && sch.up == sch.resource.up { + res := r.resource(sch.up.ptr) + for anchor, anchorPtr := range res.anchors { + if slices.Contains(res.dynamicAnchors, anchor) { + up := urlPtr{sch.up.url, anchorPtr} + danchorSch := c.enqueue(q, up) + if sch.dynamicAnchors == nil { + sch.dynamicAnchors = map[string]*Schema{} + } + sch.dynamicAnchors[string(anchor)] = danchorSch + } + } + } + + switch v := v.(type) { + case bool: + sch.Bool = &v + case map[string]any: + if err := c.compileObject(v, sch, r, q); err != nil { + return err + } + } + + sch.allPropsEvaluated = sch.AdditionalProperties != nil + if sch.DraftVersion < 2020 { + sch.allItemsEvaluated = sch.AdditionalItems != nil + switch items := sch.Items.(type) { + case *Schema: + sch.allItemsEvaluated = true + case []*Schema: + sch.numItemsEvaluated = len(items) + } + } else { + sch.allItemsEvaluated = sch.Items2020 != nil + sch.numItemsEvaluated = len(sch.PrefixItems) + } + + return nil +} + +func (c *Compiler) compileObject(obj map[string]any, sch *Schema, r *root, q *queue) error { + if len(obj) == 0 { + b := true + sch.Bool = &b + return nil + } + oc := objCompiler{ + c: c, + obj: obj, + up: sch.up, + r: r, + res: r.resource(sch.up.ptr), + q: q, + } + return oc.compile(sch) +} + +// queue -- + +type queue []*Schema + +func (q *queue) append(sch *Schema) { + *q = append(*q, sch) +} + +func (q *queue) at(i int) *Schema { + return (*q)[i] +} + +func (q *queue) len() int { + return len(*q) +} + +func (q *queue) get(up urlPtr) *Schema { + i := slices.IndexFunc(*q, func(sch *Schema) bool { return sch.up == up }) + if i != -1 { + return (*q)[i] + } + return nil +} + +// regexp -- + +// Regexp is the representation of compiled regular expression. +type Regexp interface { + fmt.Stringer + + // MatchString reports whether the string s contains + // any match of the regular expression. + MatchString(string) bool +} + +// RegexpEngine parses a regular expression and returns, +// if successful, a Regexp object that can be used to +// match against text. +type RegexpEngine func(string) (Regexp, error) + +func (re RegexpEngine) validate(v any) error { + s, ok := v.(string) + if !ok { + return nil + } + _, err := re(s) + return err +} + +func goRegexpCompile(s string) (Regexp, error) { + return regexp.Compile(s) +} diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/content.go b/vendor/github.com/santhosh-tekuri/jsonschema/v6/content.go new file mode 100644 index 0000000000..8d62e58b09 --- /dev/null +++ b/vendor/github.com/santhosh-tekuri/jsonschema/v6/content.go @@ -0,0 +1,51 @@ +package jsonschema + +import ( + "bytes" + "encoding/base64" + "encoding/json" +) + +// Decoder specifies how to decode specific contentEncoding. +type Decoder struct { + // Name of contentEncoding. + Name string + // Decode given string to byte array. + Decode func(string) ([]byte, error) +} + +var decoders = map[string]*Decoder{ + "base64": { + Name: "base64", + Decode: func(s string) ([]byte, error) { + return base64.StdEncoding.DecodeString(s) + }, + }, +} + +// MediaType specified how to validate bytes against specific contentMediaType. +type MediaType struct { + // Name of contentMediaType. + Name string + + // Validate checks whether bytes conform to this mediatype. + Validate func([]byte) error + + // UnmarshalJSON unmarshals bytes into json value. + // This must be nil if this mediatype is not compatible + // with json. + UnmarshalJSON func([]byte) (any, error) +} + +var mediaTypes = map[string]*MediaType{ + "application/json": { + Name: "application/json", + Validate: func(b []byte) error { + var v any + return json.Unmarshal(b, &v) + }, + UnmarshalJSON: func(b []byte) (any, error) { + return UnmarshalJSON(bytes.NewReader(b)) + }, + }, +} diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/draft.go b/vendor/github.com/santhosh-tekuri/jsonschema/v6/draft.go new file mode 100644 index 0000000000..fd09bae8d3 --- /dev/null +++ b/vendor/github.com/santhosh-tekuri/jsonschema/v6/draft.go @@ -0,0 +1,360 @@ +package jsonschema + +import ( + "fmt" + "slices" + "strings" +) + +// A Draft represents json-schema specification. +type Draft struct { + version int + url string + sch *Schema + id string // property name used to represent id + subschemas []SchemaPath // locations of subschemas + vocabPrefix string // prefix used for vocabulary + allVocabs map[string]*Schema // names of supported vocabs with its schemas + defaultVocabs []string // names of default vocabs +} + +// String returns the specification url. +func (d *Draft) String() string { + return d.url +} + +var ( + Draft4 = &Draft{ + version: 4, + url: "http://json-schema.org/draft-04/schema", + id: "id", + subschemas: []SchemaPath{ + // type agonistic + schemaPath("definitions/*"), + schemaPath("not"), + schemaPath("allOf/[]"), + schemaPath("anyOf/[]"), + schemaPath("oneOf/[]"), + // object + schemaPath("properties/*"), + schemaPath("additionalProperties"), + schemaPath("patternProperties/*"), + // array + schemaPath("items"), + schemaPath("items/[]"), + schemaPath("additionalItems"), + schemaPath("dependencies/*"), + }, + vocabPrefix: "", + allVocabs: map[string]*Schema{}, + defaultVocabs: []string{}, + } + + Draft6 = &Draft{ + version: 6, + url: "http://json-schema.org/draft-06/schema", + id: "$id", + subschemas: joinSubschemas(Draft4.subschemas, + schemaPath("propertyNames"), + schemaPath("contains"), + ), + vocabPrefix: "", + allVocabs: map[string]*Schema{}, + defaultVocabs: []string{}, + } + + Draft7 = &Draft{ + version: 7, + url: "http://json-schema.org/draft-07/schema", + id: "$id", + subschemas: joinSubschemas(Draft6.subschemas, + schemaPath("if"), + schemaPath("then"), + schemaPath("else"), + ), + vocabPrefix: "", + allVocabs: map[string]*Schema{}, + defaultVocabs: []string{}, + } + + Draft2019 = &Draft{ + version: 2019, + url: "https://json-schema.org/draft/2019-09/schema", + id: "$id", + subschemas: joinSubschemas(Draft7.subschemas, + schemaPath("$defs/*"), + schemaPath("dependentSchemas/*"), + schemaPath("unevaluatedProperties"), + schemaPath("unevaluatedItems"), + schemaPath("contentSchema"), + ), + vocabPrefix: "https://json-schema.org/draft/2019-09/vocab/", + allVocabs: map[string]*Schema{ + "core": nil, + "applicator": nil, + "validation": nil, + "meta-data": nil, + "format": nil, + "content": nil, + }, + defaultVocabs: []string{"core", "applicator", "validation"}, + } + + Draft2020 = &Draft{ + version: 2020, + url: "https://json-schema.org/draft/2020-12/schema", + id: "$id", + subschemas: joinSubschemas(Draft2019.subschemas, + schemaPath("prefixItems/[]"), + ), + vocabPrefix: "https://json-schema.org/draft/2020-12/vocab/", + allVocabs: map[string]*Schema{ + "core": nil, + "applicator": nil, + "unevaluated": nil, + "validation": nil, + "meta-data": nil, + "format-annotation": nil, + "format-assertion": nil, + "content": nil, + }, + defaultVocabs: []string{"core", "applicator", "unevaluated", "validation"}, + } + + draftLatest = Draft2020 +) + +func init() { + c := NewCompiler() + c.AssertFormat() + for _, d := range []*Draft{Draft4, Draft6, Draft7, Draft2019, Draft2020} { + d.sch = c.MustCompile(d.url) + for name := range d.allVocabs { + d.allVocabs[name] = c.MustCompile(strings.TrimSuffix(d.url, "schema") + "meta/" + name) + } + } +} + +func draftFromURL(url string) *Draft { + u, frag := split(url) + if frag != "" { + return nil + } + u, ok := strings.CutPrefix(u, "http://") + if !ok { + u, _ = strings.CutPrefix(u, "https://") + } + switch u { + case "json-schema.org/schema": + return draftLatest + case "json-schema.org/draft/2020-12/schema": + return Draft2020 + case "json-schema.org/draft/2019-09/schema": + return Draft2019 + case "json-schema.org/draft-07/schema": + return Draft7 + case "json-schema.org/draft-06/schema": + return Draft6 + case "json-schema.org/draft-04/schema": + return Draft4 + default: + return nil + } +} + +func (d *Draft) getID(obj map[string]any) string { + if d.version < 2019 { + if _, ok := obj["$ref"]; ok { + // All other properties in a "$ref" object MUST be ignored + return "" + } + } + + id, ok := strVal(obj, d.id) + if !ok { + return "" + } + id, _ = split(id) // ignore fragment + return id +} + +func (d *Draft) getVocabs(url url, doc any, vocabularies map[string]*Vocabulary) ([]string, error) { + if d.version < 2019 { + return nil, nil + } + obj, ok := doc.(map[string]any) + if !ok { + return nil, nil + } + v, ok := obj["$vocabulary"] + if !ok { + return nil, nil + } + obj, ok = v.(map[string]any) + if !ok { + return nil, nil + } + + var vocabs []string + for vocab, reqd := range obj { + if reqd, ok := reqd.(bool); !ok || !reqd { + continue + } + name, ok := strings.CutPrefix(vocab, d.vocabPrefix) + if ok { + if _, ok := d.allVocabs[name]; ok { + if !slices.Contains(vocabs, name) { + vocabs = append(vocabs, name) + continue + } + } + } + if _, ok := vocabularies[vocab]; !ok { + return nil, &UnsupportedVocabularyError{url.String(), vocab} + } + if !slices.Contains(vocabs, vocab) { + vocabs = append(vocabs, vocab) + } + } + if !slices.Contains(vocabs, "core") { + vocabs = append(vocabs, "core") + } + return vocabs, nil +} + +// -- + +type dialect struct { + draft *Draft + vocabs []string // nil means use draft.defaultVocabs +} + +func (d *dialect) hasVocab(name string) bool { + if name == "core" || d.draft.version < 2019 { + return true + } + if d.vocabs != nil { + return slices.Contains(d.vocabs, name) + } + return slices.Contains(d.draft.defaultVocabs, name) +} + +func (d *dialect) activeVocabs(assertVocabs bool, vocabularies map[string]*Vocabulary) []string { + if len(vocabularies) == 0 { + return d.vocabs + } + if d.draft.version < 2019 { + assertVocabs = true + } + if !assertVocabs { + return d.vocabs + } + var vocabs []string + if d.vocabs == nil { + vocabs = slices.Clone(d.draft.defaultVocabs) + } else { + vocabs = slices.Clone(d.vocabs) + } + for vocab := range vocabularies { + if !slices.Contains(vocabs, vocab) { + vocabs = append(vocabs, vocab) + } + } + return vocabs +} + +func (d *dialect) getSchema(assertVocabs bool, vocabularies map[string]*Vocabulary) *Schema { + vocabs := d.activeVocabs(assertVocabs, vocabularies) + if vocabs == nil { + return d.draft.sch + } + + var allOf []*Schema + for _, vocab := range vocabs { + sch := d.draft.allVocabs[vocab] + if sch == nil { + if v, ok := vocabularies[vocab]; ok { + sch = v.Schema + } + } + if sch != nil { + allOf = append(allOf, sch) + } + } + if !slices.Contains(vocabs, "core") { + sch := d.draft.allVocabs["core"] + if sch == nil { + sch = d.draft.sch + } + allOf = append(allOf, sch) + } + sch := &Schema{ + Location: "urn:mem:metaschema", + up: urlPtr{url("urn:mem:metaschema"), ""}, + DraftVersion: d.draft.version, + AllOf: allOf, + } + sch.resource = sch + if sch.DraftVersion >= 2020 { + sch.DynamicAnchor = "meta" + sch.dynamicAnchors = map[string]*Schema{ + "meta": sch, + } + } + return sch +} + +// -- + +type ParseIDError struct { + URL string +} + +func (e *ParseIDError) Error() string { + return fmt.Sprintf("error in parsing id at %q", e.URL) +} + +// -- + +type ParseAnchorError struct { + URL string +} + +func (e *ParseAnchorError) Error() string { + return fmt.Sprintf("error in parsing anchor at %q", e.URL) +} + +// -- + +type DuplicateIDError struct { + ID string + URL string + Ptr1 string + Ptr2 string +} + +func (e *DuplicateIDError) Error() string { + return fmt.Sprintf("duplicate id %q in %q at %q and %q", e.ID, e.URL, e.Ptr1, e.Ptr2) +} + +// -- + +type DuplicateAnchorError struct { + Anchor string + URL string + Ptr1 string + Ptr2 string +} + +func (e *DuplicateAnchorError) Error() string { + return fmt.Sprintf("duplicate anchor %q in %q at %q and %q", e.Anchor, e.URL, e.Ptr1, e.Ptr2) +} + +// -- + +func joinSubschemas(a1 []SchemaPath, a2 ...SchemaPath) []SchemaPath { + var a []SchemaPath + a = append(a, a1...) + a = append(a, a2...) + return a +} diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/format.go b/vendor/github.com/santhosh-tekuri/jsonschema/v6/format.go new file mode 100644 index 0000000000..b78b22e2a5 --- /dev/null +++ b/vendor/github.com/santhosh-tekuri/jsonschema/v6/format.go @@ -0,0 +1,708 @@ +package jsonschema + +import ( + "net/netip" + gourl "net/url" + "strconv" + "strings" + "time" +) + +// Format defined specific format. +type Format struct { + // Name of format. + Name string + + // Validate checks if given value is of this format. + Validate func(v any) error +} + +var formats = map[string]*Format{ + "json-pointer": {"json-pointer", validateJSONPointer}, + "relative-json-pointer": {"relative-json-pointer", validateRelativeJSONPointer}, + "uuid": {"uuid", validateUUID}, + "duration": {"duration", validateDuration}, + "period": {"period", validatePeriod}, + "ipv4": {"ipv4", validateIPV4}, + "ipv6": {"ipv6", validateIPV6}, + "hostname": {"hostname", validateHostname}, + "email": {"email", validateEmail}, + "date": {"date", validateDate}, + "time": {"time", validateTime}, + "date-time": {"date-time", validateDateTime}, + "uri": {"uri", validateURI}, + "iri": {"iri", validateURI}, + "uri-reference": {"uri-reference", validateURIReference}, + "iri-reference": {"iri-reference", validateURIReference}, + "uri-template": {"uri-template", validateURITemplate}, + "semver": {"semver", validateSemver}, +} + +// see https://www.rfc-editor.org/rfc/rfc6901#section-3 +func validateJSONPointer(v any) error { + s, ok := v.(string) + if !ok { + return nil + } + if s == "" { + return nil + } + if !strings.HasPrefix(s, "/") { + return LocalizableError("not starting with /") + } + for _, tok := range strings.Split(s, "/")[1:] { + escape := false + for _, ch := range tok { + if escape { + escape = false + if ch != '0' && ch != '1' { + return LocalizableError("~ must be followed by 0 or 1") + } + continue + } + if ch == '~' { + escape = true + continue + } + switch { + case ch >= '\x00' && ch <= '\x2E': + case ch >= '\x30' && ch <= '\x7D': + case ch >= '\x7F' && ch <= '\U0010FFFF': + default: + return LocalizableError("invalid character %q", ch) + } + } + if escape { + return LocalizableError("~ must be followed by 0 or 1") + } + } + return nil +} + +// see https://tools.ietf.org/html/draft-handrews-relative-json-pointer-01#section-3 +func validateRelativeJSONPointer(v any) error { + s, ok := v.(string) + if !ok { + return nil + } + + // start with non-negative-integer + numDigits := 0 + for _, ch := range s { + if ch >= '0' && ch <= '9' { + numDigits++ + } else { + break + } + } + if numDigits == 0 { + return LocalizableError("must start with non-negative integer") + } + if numDigits > 1 && strings.HasPrefix(s, "0") { + return LocalizableError("starts with zero") + } + s = s[numDigits:] + + // followed by either json-pointer or '#' + if s == "#" { + return nil + } + return validateJSONPointer(s) +} + +// see https://datatracker.ietf.org/doc/html/rfc4122#page-4 +func validateUUID(v any) error { + s, ok := v.(string) + if !ok { + return nil + } + + hexGroups := []int{8, 4, 4, 4, 12} + groups := strings.Split(s, "-") + if len(groups) != len(hexGroups) { + return LocalizableError("must have %d elements", len(hexGroups)) + } + for i, group := range groups { + if len(group) != hexGroups[i] { + return LocalizableError("element %d must be %d characters long", i+1, hexGroups[i]) + } + for _, ch := range group { + switch { + case ch >= '0' && ch <= '9': + case ch >= 'a' && ch <= 'f': + case ch >= 'A' && ch <= 'F': + default: + return LocalizableError("non-hex character %q", ch) + } + } + } + return nil +} + +// see https://datatracker.ietf.org/doc/html/rfc3339#appendix-A +func validateDuration(v any) error { + s, ok := v.(string) + if !ok { + return nil + } + + // must start with 'P' + s, ok = strings.CutPrefix(s, "P") + if !ok { + return LocalizableError("must start with P") + } + if s == "" { + return LocalizableError("nothing after P") + } + + // dur-week + if s, ok := strings.CutSuffix(s, "W"); ok { + if s == "" { + return LocalizableError("no number in week") + } + for _, ch := range s { + if ch < '0' || ch > '9' { + return LocalizableError("invalid week") + } + } + return nil + } + + allUnits := []string{"YMD", "HMS"} + for i, s := range strings.Split(s, "T") { + if i != 0 && s == "" { + return LocalizableError("no time elements") + } + if i >= len(allUnits) { + return LocalizableError("more than one T") + } + units := allUnits[i] + for s != "" { + digitCount := 0 + for _, ch := range s { + if ch >= '0' && ch <= '9' { + digitCount++ + } else { + break + } + } + if digitCount == 0 { + return LocalizableError("missing number") + } + s = s[digitCount:] + if s == "" { + return LocalizableError("missing unit") + } + unit := s[0] + j := strings.IndexByte(units, unit) + if j == -1 { + if strings.IndexByte(allUnits[i], unit) != -1 { + return LocalizableError("unit %q out of order", unit) + } + return LocalizableError("invalid unit %q", unit) + } + units = units[j+1:] + s = s[1:] + } + } + + return nil +} + +func validateIPV4(v any) error { + s, ok := v.(string) + if !ok { + return nil + } + groups := strings.Split(s, ".") + if len(groups) != 4 { + return LocalizableError("expected four decimals") + } + for _, group := range groups { + if len(group) > 1 && group[0] == '0' { + return LocalizableError("leading zeros") + } + n, err := strconv.Atoi(group) + if err != nil { + return err + } + if n < 0 || n > 255 { + return LocalizableError("decimal must be between 0 and 255") + } + } + return nil +} + +func validateIPV6(v any) error { + s, ok := v.(string) + if !ok { + return nil + } + if !strings.Contains(s, ":") { + return LocalizableError("missing colon") + } + addr, err := netip.ParseAddr(s) + if err != nil { + return err + } + if addr.Zone() != "" { + return LocalizableError("zone id is not a part of ipv6 address") + } + return nil +} + +// see https://en.wikipedia.org/wiki/Hostname#Restrictions_on_valid_host_names +func validateHostname(v any) error { + s, ok := v.(string) + if !ok { + return nil + } + + // entire hostname (including the delimiting dots but not a trailing dot) has a maximum of 253 ASCII characters + s = strings.TrimSuffix(s, ".") + if len(s) > 253 { + return LocalizableError("more than 253 characters long") + } + + // Hostnames are composed of series of labels concatenated with dots, as are all domain names + for _, label := range strings.Split(s, ".") { + // Each label must be from 1 to 63 characters long + if len(label) < 1 || len(label) > 63 { + return LocalizableError("label must be 1 to 63 characters long") + } + + // labels must not start or end with a hyphen + if strings.HasPrefix(label, "-") { + return LocalizableError("label starts with hyphen") + } + if strings.HasSuffix(label, "-") { + return LocalizableError("label ends with hyphen") + } + + // labels may contain only the ASCII letters 'a' through 'z' (in a case-insensitive manner), + // the digits '0' through '9', and the hyphen ('-') + for _, ch := range label { + switch { + case ch >= 'a' && ch <= 'z': + case ch >= 'A' && ch <= 'Z': + case ch >= '0' && ch <= '9': + case ch == '-': + default: + return LocalizableError("invalid character %q", ch) + } + } + } + return nil +} + +// see https://en.wikipedia.org/wiki/Email_address +func validateEmail(v any) error { + s, ok := v.(string) + if !ok { + return nil + } + // entire email address to be no more than 254 characters long + if len(s) > 254 { + return LocalizableError("more than 255 characters long") + } + + // email address is generally recognized as having two parts joined with an at-sign + at := strings.LastIndexByte(s, '@') + if at == -1 { + return LocalizableError("missing @") + } + local, domain := s[:at], s[at+1:] + + // local part may be up to 64 characters long + if len(local) > 64 { + return LocalizableError("local part more than 64 characters long") + } + + if len(local) > 1 && strings.HasPrefix(local, `"`) && strings.HasPrefix(local, `"`) { + // quoted + local := local[1 : len(local)-1] + if strings.IndexByte(local, '\\') != -1 || strings.IndexByte(local, '"') != -1 { + return LocalizableError("backslash and quote are not allowed within quoted local part") + } + } else { + // unquoted + if strings.HasPrefix(local, ".") { + return LocalizableError("starts with dot") + } + if strings.HasSuffix(local, ".") { + return LocalizableError("ends with dot") + } + + // consecutive dots not allowed + if strings.Contains(local, "..") { + return LocalizableError("consecutive dots") + } + + // check allowed chars + for _, ch := range local { + switch { + case ch >= 'a' && ch <= 'z': + case ch >= 'A' && ch <= 'Z': + case ch >= '0' && ch <= '9': + case strings.ContainsRune(".!#$%&'*+-/=?^_`{|}~", ch): + default: + return LocalizableError("invalid character %q", ch) + } + } + } + + // domain if enclosed in brackets, must match an IP address + if strings.HasPrefix(domain, "[") && strings.HasSuffix(domain, "]") { + domain = domain[1 : len(domain)-1] + if rem, ok := strings.CutPrefix(domain, "IPv6:"); ok { + if err := validateIPV6(rem); err != nil { + return LocalizableError("invalid ipv6 address: %v", err) + } + return nil + } + if err := validateIPV4(domain); err != nil { + return LocalizableError("invalid ipv4 address: %v", err) + } + return nil + } + + // domain must match the requirements for a hostname + if err := validateHostname(domain); err != nil { + return LocalizableError("invalid domain: %v", err) + } + + return nil +} + +// see see https://datatracker.ietf.org/doc/html/rfc3339#section-5.6 +func validateDate(v any) error { + s, ok := v.(string) + if !ok { + return nil + } + _, err := time.Parse("2006-01-02", s) + return err +} + +// see https://datatracker.ietf.org/doc/html/rfc3339#section-5.6 +// NOTE: golang time package does not support leap seconds. +func validateTime(v any) error { + str, ok := v.(string) + if !ok { + return nil + } + + // min: hh:mm:ssZ + if len(str) < 9 { + return LocalizableError("less than 9 characters long") + } + if str[2] != ':' || str[5] != ':' { + return LocalizableError("missing colon in correct place") + } + + // parse hh:mm:ss + var hms []int + for _, tok := range strings.SplitN(str[:8], ":", 3) { + i, err := strconv.Atoi(tok) + if err != nil { + return LocalizableError("invalid hour/min/sec") + } + if i < 0 { + return LocalizableError("non-positive hour/min/sec") + } + hms = append(hms, i) + } + if len(hms) != 3 { + return LocalizableError("missing hour/min/sec") + } + h, m, s := hms[0], hms[1], hms[2] + if h > 23 || m > 59 || s > 60 { + return LocalizableError("hour/min/sec out of range") + } + str = str[8:] + + // parse sec-frac if present + if rem, ok := strings.CutPrefix(str, "."); ok { + numDigits := 0 + for _, ch := range rem { + if ch >= '0' && ch <= '9' { + numDigits++ + } else { + break + } + } + if numDigits == 0 { + return LocalizableError("no digits in second fraction") + } + str = rem[numDigits:] + } + + if str != "z" && str != "Z" { + // parse time-numoffset + if len(str) != 6 { + return LocalizableError("offset must be 6 characters long") + } + var sign int + switch str[0] { + case '+': + sign = -1 + case '-': + sign = +1 + default: + return LocalizableError("offset must begin with plus/minus") + } + str = str[1:] + if str[2] != ':' { + return LocalizableError("missing colon in offset in correct place") + } + + var zhm []int + for _, tok := range strings.SplitN(str, ":", 2) { + i, err := strconv.Atoi(tok) + if err != nil { + return LocalizableError("invalid hour/min in offset") + } + if i < 0 { + return LocalizableError("non-positive hour/min in offset") + } + zhm = append(zhm, i) + } + zh, zm := zhm[0], zhm[1] + if zh > 23 || zm > 59 { + return LocalizableError("hour/min in offset out of range") + } + + // apply timezone + hm := (h*60 + m) + sign*(zh*60+zm) + if hm < 0 { + hm += 24 * 60 + } + h, m = hm/60, hm%60 + } + + // check leap second + if s >= 60 && (h != 23 || m != 59) { + return LocalizableError("invalid leap second") + } + + return nil +} + +// see https://datatracker.ietf.org/doc/html/rfc3339#section-5.6 +func validateDateTime(v any) error { + s, ok := v.(string) + if !ok { + return nil + } + + // min: yyyy-mm-ddThh:mm:ssZ + if len(s) < 20 { + return LocalizableError("less than 20 characters long") + } + + if s[10] != 't' && s[10] != 'T' { + return LocalizableError("11th character must be t or T") + } + if err := validateDate(s[:10]); err != nil { + return LocalizableError("invalid date element: %v", err) + } + if err := validateTime(s[11:]); err != nil { + return LocalizableError("invalid time element: %v", err) + } + return nil +} + +func parseURL(s string) (*gourl.URL, error) { + u, err := gourl.Parse(s) + if err != nil { + return nil, err + } + + // gourl does not validate ipv6 host address + hostName := u.Hostname() + if strings.Contains(hostName, ":") { + if !strings.Contains(u.Host, "[") || !strings.Contains(u.Host, "]") { + return nil, LocalizableError("ipv6 address not enclosed in brackets") + } + if err := validateIPV6(hostName); err != nil { + return nil, LocalizableError("invalid ipv6 address: %v", err) + } + } + + return u, nil +} + +func validateURI(v any) error { + s, ok := v.(string) + if !ok { + return nil + } + u, err := parseURL(s) + if err != nil { + return err + } + if !u.IsAbs() { + return LocalizableError("relative url") + } + return nil +} + +func validateURIReference(v any) error { + s, ok := v.(string) + if !ok { + return nil + } + if strings.Contains(s, `\`) { + return LocalizableError(`contains \`) + } + _, err := parseURL(s) + return err +} + +func validateURITemplate(v any) error { + s, ok := v.(string) + if !ok { + return nil + } + u, err := parseURL(s) + if err != nil { + return err + } + for _, tok := range strings.Split(u.RawPath, "/") { + tok, err = decode(tok) + if err != nil { + return LocalizableError("percent decode failed: %v", err) + } + want := true + for _, ch := range tok { + var got bool + switch ch { + case '{': + got = true + case '}': + got = false + default: + continue + } + if got != want { + return LocalizableError("nested curly braces") + } + want = !want + } + if !want { + return LocalizableError("no matching closing brace") + } + } + return nil +} + +func validatePeriod(v any) error { + s, ok := v.(string) + if !ok { + return nil + } + + slash := strings.IndexByte(s, '/') + if slash == -1 { + return LocalizableError("missing slash") + } + + start, end := s[:slash], s[slash+1:] + if strings.HasPrefix(start, "P") { + if err := validateDuration(start); err != nil { + return LocalizableError("invalid start duration: %v", err) + } + if err := validateDateTime(end); err != nil { + return LocalizableError("invalid end date-time: %v", err) + } + } else { + if err := validateDateTime(start); err != nil { + return LocalizableError("invalid start date-time: %v", err) + } + if strings.HasPrefix(end, "P") { + if err := validateDuration(end); err != nil { + return LocalizableError("invalid end duration: %v", err) + } + } else if err := validateDateTime(end); err != nil { + return LocalizableError("invalid end date-time: %v", err) + } + } + + return nil +} + +// see https://semver.org/#backusnaur-form-grammar-for-valid-semver-versions +func validateSemver(v any) error { + s, ok := v.(string) + if !ok { + return nil + } + + // build -- + if i := strings.IndexByte(s, '+'); i != -1 { + build := s[i+1:] + if build == "" { + return LocalizableError("build is empty") + } + for _, buildID := range strings.Split(build, ".") { + if buildID == "" { + return LocalizableError("build identifier is empty") + } + for _, ch := range buildID { + switch { + case ch >= '0' && ch <= '9': + case (ch >= 'a' && ch <= 'z') || (ch >= 'A' && ch <= 'Z') || ch == '-': + default: + return LocalizableError("invalid character %q in build identifier", ch) + } + } + } + s = s[:i] + } + + // pre-release -- + if i := strings.IndexByte(s, '-'); i != -1 { + preRelease := s[i+1:] + for _, preReleaseID := range strings.Split(preRelease, ".") { + if preReleaseID == "" { + return LocalizableError("pre-release identifier is empty") + } + allDigits := true + for _, ch := range preReleaseID { + switch { + case ch >= '0' && ch <= '9': + case (ch >= 'a' && ch <= 'z') || (ch >= 'A' && ch <= 'Z') || ch == '-': + allDigits = false + default: + return LocalizableError("invalid character %q in pre-release identifier", ch) + } + } + if allDigits && len(preReleaseID) > 1 && preReleaseID[0] == '0' { + return LocalizableError("pre-release numeric identifier starts with zero") + } + } + s = s[:i] + } + + // versionCore -- + versions := strings.Split(s, ".") + if len(versions) != 3 { + return LocalizableError("versionCore must have 3 numbers separated by dot") + } + names := []string{"major", "minor", "patch"} + for i, version := range versions { + if version == "" { + return LocalizableError("%s is empty", names[i]) + } + if len(version) > 1 && version[0] == '0' { + return LocalizableError("%s starts with zero", names[i]) + } + for _, ch := range version { + if ch < '0' || ch > '9' { + return LocalizableError("%s contains non-digit", names[i]) + } + } + } + + return nil +} diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/go.work b/vendor/github.com/santhosh-tekuri/jsonschema/v6/go.work new file mode 100644 index 0000000000..e7f4d93de4 --- /dev/null +++ b/vendor/github.com/santhosh-tekuri/jsonschema/v6/go.work @@ -0,0 +1,8 @@ +go 1.21.1 + +use ( + . + ./cmd/jv +) + +// replace github.com/santhosh-tekuri/jsonschema/v6 v6.0.2 => ./ diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/go.work.sum b/vendor/github.com/santhosh-tekuri/jsonschema/v6/go.work.sum new file mode 100644 index 0000000000..2b5b811d99 --- /dev/null +++ b/vendor/github.com/santhosh-tekuri/jsonschema/v6/go.work.sum @@ -0,0 +1,4 @@ +github.com/santhosh-tekuri/jsonschema/v6 v6.0.1/go.mod h1:JXeL+ps8p7/KNMjDQk3TCwPpBy0wYklyWTfbkIzdIFU= +golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= +golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/kind/kind.go b/vendor/github.com/santhosh-tekuri/jsonschema/v6/kind/kind.go new file mode 100644 index 0000000000..a37fb0b978 --- /dev/null +++ b/vendor/github.com/santhosh-tekuri/jsonschema/v6/kind/kind.go @@ -0,0 +1,651 @@ +package kind + +import ( + "fmt" + "math/big" + "strings" + + "golang.org/x/text/message" +) + +// -- + +type InvalidJsonValue struct { + Value any +} + +func (*InvalidJsonValue) KeywordPath() []string { + return nil +} + +func (k *InvalidJsonValue) LocalizedString(p *message.Printer) string { + return p.Sprintf("invalid jsonType %T", k.Value) +} + +// -- + +type Schema struct { + Location string +} + +func (*Schema) KeywordPath() []string { + return nil +} + +func (k *Schema) LocalizedString(p *message.Printer) string { + return p.Sprintf("jsonschema validation failed with %s", quote(k.Location)) +} + +// -- + +type Group struct{} + +func (*Group) KeywordPath() []string { + return nil +} + +func (*Group) LocalizedString(p *message.Printer) string { + return p.Sprintf("validation failed") +} + +// -- + +type Not struct{} + +func (*Not) KeywordPath() []string { + return nil +} + +func (*Not) LocalizedString(p *message.Printer) string { + return p.Sprintf("'not' failed") +} + +// -- + +type AllOf struct{} + +func (*AllOf) KeywordPath() []string { + return []string{"allOf"} +} + +func (*AllOf) LocalizedString(p *message.Printer) string { + return p.Sprintf("'allOf' failed") +} + +// -- + +type AnyOf struct{} + +func (*AnyOf) KeywordPath() []string { + return []string{"anyOf"} +} + +func (*AnyOf) LocalizedString(p *message.Printer) string { + return p.Sprintf("'anyOf' failed") +} + +// -- + +type OneOf struct { + // Subschemas gives indexes of Subschemas that have matched. + // Value nil, means none of the subschemas matched. + Subschemas []int +} + +func (*OneOf) KeywordPath() []string { + return []string{"oneOf"} +} + +func (k *OneOf) LocalizedString(p *message.Printer) string { + if len(k.Subschemas) == 0 { + return p.Sprintf("'oneOf' failed, none matched") + } + return p.Sprintf("'oneOf' failed, subschemas %d, %d matched", k.Subschemas[0], k.Subschemas[1]) +} + +//-- + +type FalseSchema struct{} + +func (*FalseSchema) KeywordPath() []string { + return nil +} + +func (*FalseSchema) LocalizedString(p *message.Printer) string { + return p.Sprintf("false schema") +} + +// -- + +type RefCycle struct { + URL string + KeywordLocation1 string + KeywordLocation2 string +} + +func (*RefCycle) KeywordPath() []string { + return nil +} + +func (k *RefCycle) LocalizedString(p *message.Printer) string { + return p.Sprintf("both %s and %s resolve to %q causing reference cycle", k.KeywordLocation1, k.KeywordLocation2, k.URL) +} + +// -- + +type Type struct { + Got string + Want []string +} + +func (*Type) KeywordPath() []string { + return []string{"type"} +} + +func (k *Type) LocalizedString(p *message.Printer) string { + want := strings.Join(k.Want, " or ") + return p.Sprintf("got %s, want %s", k.Got, want) +} + +// -- + +type Enum struct { + Got any + Want []any +} + +// KeywordPath implements jsonschema.ErrorKind. +func (*Enum) KeywordPath() []string { + return []string{"enum"} +} + +func (k *Enum) LocalizedString(p *message.Printer) string { + allPrimitive := true +loop: + for _, item := range k.Want { + switch item.(type) { + case []any, map[string]any: + allPrimitive = false + break loop + } + } + if allPrimitive { + if len(k.Want) == 1 { + return p.Sprintf("value must be %s", display(k.Want[0])) + } + var want []string + for _, v := range k.Want { + want = append(want, display(v)) + } + return p.Sprintf("value must be one of %s", strings.Join(want, ", ")) + } + return p.Sprintf("'enum' failed") +} + +// -- + +type Const struct { + Got any + Want any +} + +func (*Const) KeywordPath() []string { + return []string{"const"} +} + +func (k *Const) LocalizedString(p *message.Printer) string { + switch want := k.Want.(type) { + case []any, map[string]any: + return p.Sprintf("'const' failed") + default: + return p.Sprintf("value must be %s", display(want)) + } +} + +// -- + +type Format struct { + Got any + Want string + Err error +} + +func (*Format) KeywordPath() []string { + return []string{"format"} +} + +func (k *Format) LocalizedString(p *message.Printer) string { + return p.Sprintf("%s is not valid %s: %v", display(k.Got), k.Want, localizedError(k.Err, p)) +} + +// -- + +type Reference struct { + Keyword string + URL string +} + +func (k *Reference) KeywordPath() []string { + return []string{k.Keyword} +} + +func (*Reference) LocalizedString(p *message.Printer) string { + return p.Sprintf("validation failed") +} + +// -- + +type MinProperties struct { + Got, Want int +} + +func (*MinProperties) KeywordPath() []string { + return []string{"minProperties"} +} + +func (k *MinProperties) LocalizedString(p *message.Printer) string { + return p.Sprintf("minProperties: got %d, want %d", k.Got, k.Want) +} + +// -- + +type MaxProperties struct { + Got, Want int +} + +func (*MaxProperties) KeywordPath() []string { + return []string{"maxProperties"} +} + +func (k *MaxProperties) LocalizedString(p *message.Printer) string { + return p.Sprintf("maxProperties: got %d, want %d", k.Got, k.Want) +} + +// -- + +type MinItems struct { + Got, Want int +} + +func (*MinItems) KeywordPath() []string { + return []string{"minItems"} +} + +func (k *MinItems) LocalizedString(p *message.Printer) string { + return p.Sprintf("minItems: got %d, want %d", k.Got, k.Want) +} + +// -- + +type MaxItems struct { + Got, Want int +} + +func (*MaxItems) KeywordPath() []string { + return []string{"maxItems"} +} + +func (k *MaxItems) LocalizedString(p *message.Printer) string { + return p.Sprintf("maxItems: got %d, want %d", k.Got, k.Want) +} + +// -- + +type AdditionalItems struct { + Count int +} + +func (*AdditionalItems) KeywordPath() []string { + return []string{"additionalItems"} +} + +func (k *AdditionalItems) LocalizedString(p *message.Printer) string { + return p.Sprintf("last %d additionalItem(s) not allowed", k.Count) +} + +// -- + +type Required struct { + Missing []string +} + +func (*Required) KeywordPath() []string { + return []string{"required"} +} + +func (k *Required) LocalizedString(p *message.Printer) string { + if len(k.Missing) == 1 { + return p.Sprintf("missing property %s", quote(k.Missing[0])) + } + return p.Sprintf("missing properties %s", joinQuoted(k.Missing, ", ")) +} + +// -- + +type Dependency struct { + Prop string // dependency of prop that failed + Missing []string // missing props +} + +func (k *Dependency) KeywordPath() []string { + return []string{"dependency", k.Prop} +} + +func (k *Dependency) LocalizedString(p *message.Printer) string { + return p.Sprintf("properties %s required, if %s exists", joinQuoted(k.Missing, ", "), quote(k.Prop)) +} + +// -- + +type DependentRequired struct { + Prop string // dependency of prop that failed + Missing []string // missing props +} + +func (k *DependentRequired) KeywordPath() []string { + return []string{"dependentRequired", k.Prop} +} + +func (k *DependentRequired) LocalizedString(p *message.Printer) string { + return p.Sprintf("properties %s required, if %s exists", joinQuoted(k.Missing, ", "), quote(k.Prop)) +} + +// -- + +type AdditionalProperties struct { + Properties []string +} + +func (*AdditionalProperties) KeywordPath() []string { + return []string{"additionalProperties"} +} + +func (k *AdditionalProperties) LocalizedString(p *message.Printer) string { + return p.Sprintf("additional properties %s not allowed", joinQuoted(k.Properties, ", ")) +} + +// -- + +type PropertyNames struct { + Property string +} + +func (*PropertyNames) KeywordPath() []string { + return []string{"propertyNames"} +} + +func (k *PropertyNames) LocalizedString(p *message.Printer) string { + return p.Sprintf("invalid propertyName %s", quote(k.Property)) +} + +// -- + +type UniqueItems struct { + Duplicates [2]int +} + +func (*UniqueItems) KeywordPath() []string { + return []string{"uniqueItems"} +} + +func (k *UniqueItems) LocalizedString(p *message.Printer) string { + return p.Sprintf("items at %d and %d are equal", k.Duplicates[0], k.Duplicates[1]) +} + +// -- + +type Contains struct{} + +func (*Contains) KeywordPath() []string { + return []string{"contains"} +} + +func (*Contains) LocalizedString(p *message.Printer) string { + return p.Sprintf("no items match contains schema") +} + +// -- + +type MinContains struct { + Got []int + Want int +} + +func (*MinContains) KeywordPath() []string { + return []string{"minContains"} +} + +func (k *MinContains) LocalizedString(p *message.Printer) string { + if len(k.Got) == 0 { + return p.Sprintf("min %d items required to match contains schema, but none matched", k.Want) + } else { + got := fmt.Sprintf("%v", k.Got) + return p.Sprintf("min %d items required to match contains schema, but matched %d items at %v", k.Want, len(k.Got), got[1:len(got)-1]) + } +} + +// -- + +type MaxContains struct { + Got []int + Want int +} + +func (*MaxContains) KeywordPath() []string { + return []string{"maxContains"} +} + +func (k *MaxContains) LocalizedString(p *message.Printer) string { + got := fmt.Sprintf("%v", k.Got) + return p.Sprintf("max %d items required to match contains schema, but matched %d items at %v", k.Want, len(k.Got), got[1:len(got)-1]) +} + +// -- + +type MinLength struct { + Got, Want int +} + +func (*MinLength) KeywordPath() []string { + return []string{"minLength"} +} + +func (k *MinLength) LocalizedString(p *message.Printer) string { + return p.Sprintf("minLength: got %d, want %d", k.Got, k.Want) +} + +// -- + +type MaxLength struct { + Got, Want int +} + +func (*MaxLength) KeywordPath() []string { + return []string{"maxLength"} +} + +func (k *MaxLength) LocalizedString(p *message.Printer) string { + return p.Sprintf("maxLength: got %d, want %d", k.Got, k.Want) +} + +// -- + +type Pattern struct { + Got string + Want string +} + +func (*Pattern) KeywordPath() []string { + return []string{"pattern"} +} + +func (k *Pattern) LocalizedString(p *message.Printer) string { + return p.Sprintf("%s does not match pattern %s", quote(k.Got), quote(k.Want)) +} + +// -- + +type ContentEncoding struct { + Want string + Err error +} + +func (*ContentEncoding) KeywordPath() []string { + return []string{"contentEncoding"} +} + +func (k *ContentEncoding) LocalizedString(p *message.Printer) string { + return p.Sprintf("value is not %s encoded: %v", quote(k.Want), localizedError(k.Err, p)) +} + +// -- + +type ContentMediaType struct { + Got []byte + Want string + Err error +} + +func (*ContentMediaType) KeywordPath() []string { + return []string{"contentMediaType"} +} + +func (k *ContentMediaType) LocalizedString(p *message.Printer) string { + return p.Sprintf("value if not of mediatype %s: %v", quote(k.Want), k.Err) +} + +// -- + +type ContentSchema struct{} + +func (*ContentSchema) KeywordPath() []string { + return []string{"contentSchema"} +} + +func (*ContentSchema) LocalizedString(p *message.Printer) string { + return p.Sprintf("'contentSchema' failed") +} + +// -- + +type Minimum struct { + Got *big.Rat + Want *big.Rat +} + +func (*Minimum) KeywordPath() []string { + return []string{"minimum"} +} + +func (k *Minimum) LocalizedString(p *message.Printer) string { + got, _ := k.Got.Float64() + want, _ := k.Want.Float64() + return p.Sprintf("minimum: got %v, want %v", got, want) +} + +// -- + +type Maximum struct { + Got *big.Rat + Want *big.Rat +} + +func (*Maximum) KeywordPath() []string { + return []string{"maximum"} +} + +func (k *Maximum) LocalizedString(p *message.Printer) string { + got, _ := k.Got.Float64() + want, _ := k.Want.Float64() + return p.Sprintf("maximum: got %v, want %v", got, want) +} + +// -- + +type ExclusiveMinimum struct { + Got *big.Rat + Want *big.Rat +} + +func (*ExclusiveMinimum) KeywordPath() []string { + return []string{"exclusiveMinimum"} +} + +func (k *ExclusiveMinimum) LocalizedString(p *message.Printer) string { + got, _ := k.Got.Float64() + want, _ := k.Want.Float64() + return p.Sprintf("exclusiveMinimum: got %v, want %v", got, want) +} + +// -- + +type ExclusiveMaximum struct { + Got *big.Rat + Want *big.Rat +} + +func (*ExclusiveMaximum) KeywordPath() []string { + return []string{"exclusiveMaximum"} +} + +func (k *ExclusiveMaximum) LocalizedString(p *message.Printer) string { + got, _ := k.Got.Float64() + want, _ := k.Want.Float64() + return p.Sprintf("exclusiveMaximum: got %v, want %v", got, want) +} + +// -- + +type MultipleOf struct { + Got *big.Rat + Want *big.Rat +} + +func (*MultipleOf) KeywordPath() []string { + return []string{"multipleOf"} +} + +func (k *MultipleOf) LocalizedString(p *message.Printer) string { + got, _ := k.Got.Float64() + want, _ := k.Want.Float64() + return p.Sprintf("multipleOf: got %v, want %v", got, want) +} + +// -- + +func quote(s string) string { + s = fmt.Sprintf("%q", s) + s = strings.ReplaceAll(s, `\"`, `"`) + s = strings.ReplaceAll(s, `'`, `\'`) + return "'" + s[1:len(s)-1] + "'" +} + +func joinQuoted(arr []string, sep string) string { + var sb strings.Builder + for _, s := range arr { + if sb.Len() > 0 { + sb.WriteString(sep) + } + sb.WriteString(quote(s)) + } + return sb.String() +} + +// to be used only for primitive. +func display(v any) string { + switch v := v.(type) { + case string: + return quote(v) + case []any, map[string]any: + return "value" + default: + return fmt.Sprintf("%v", v) + } +} + +func localizedError(err error, p *message.Printer) string { + if err, ok := err.(interface{ LocalizedError(*message.Printer) string }); ok { + return err.LocalizedError(p) + } + return err.Error() +} diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/loader.go b/vendor/github.com/santhosh-tekuri/jsonschema/v6/loader.go new file mode 100644 index 0000000000..ce0170e20a --- /dev/null +++ b/vendor/github.com/santhosh-tekuri/jsonschema/v6/loader.go @@ -0,0 +1,266 @@ +package jsonschema + +import ( + "embed" + "encoding/json" + "errors" + "fmt" + "io" + "io/fs" + gourl "net/url" + "os" + "path/filepath" + "runtime" + "strings" +) + +// URLLoader knows how to load json from given url. +type URLLoader interface { + // Load loads json from given absolute url. + Load(url string) (any, error) +} + +// -- + +// FileLoader loads json file url. +type FileLoader struct{} + +func (l FileLoader) Load(url string) (any, error) { + path, err := l.ToFile(url) + if err != nil { + return nil, err + } + f, err := os.Open(path) + if err != nil { + return nil, err + } + defer f.Close() + return UnmarshalJSON(f) +} + +// ToFile is helper method to convert file url to file path. +func (l FileLoader) ToFile(url string) (string, error) { + u, err := gourl.Parse(url) + if err != nil { + return "", err + } + if u.Scheme != "file" { + return "", fmt.Errorf("invalid file url: %s", u) + } + path := u.Path + if runtime.GOOS == "windows" { + path = strings.TrimPrefix(path, "/") + path = filepath.FromSlash(path) + } + return path, nil +} + +// -- + +// SchemeURLLoader delegates to other [URLLoaders] +// based on url scheme. +type SchemeURLLoader map[string]URLLoader + +func (l SchemeURLLoader) Load(url string) (any, error) { + u, err := gourl.Parse(url) + if err != nil { + return nil, err + } + ll, ok := l[u.Scheme] + if !ok { + return nil, &UnsupportedURLSchemeError{u.String()} + } + return ll.Load(url) +} + +// -- + +//go:embed metaschemas +var metaFS embed.FS + +func openMeta(url string) (fs.File, error) { + u, meta := strings.CutPrefix(url, "http://json-schema.org/") + if !meta { + u, meta = strings.CutPrefix(url, "https://json-schema.org/") + } + if meta { + if u == "schema" { + return openMeta(draftLatest.url) + } + f, err := metaFS.Open("metaschemas/" + u) + if err != nil { + if errors.Is(err, fs.ErrNotExist) { + return nil, nil + } + return nil, err + } + return f, err + } + return nil, nil + +} + +func isMeta(url string) bool { + f, err := openMeta(url) + if err != nil { + return true + } + if f != nil { + f.Close() + return true + } + return false +} + +func loadMeta(url string) (any, error) { + f, err := openMeta(url) + if err != nil { + return nil, err + } + if f == nil { + return nil, nil + } + defer f.Close() + return UnmarshalJSON(f) +} + +// -- + +type defaultLoader struct { + docs map[url]any // docs loaded so far + loader URLLoader +} + +func (l *defaultLoader) add(url url, doc any) bool { + if _, ok := l.docs[url]; ok { + return false + } + l.docs[url] = doc + return true +} + +func (l *defaultLoader) load(url url) (any, error) { + if doc, ok := l.docs[url]; ok { + return doc, nil + } + doc, err := loadMeta(url.String()) + if err != nil { + return nil, err + } + if doc != nil { + l.add(url, doc) + return doc, nil + } + if l.loader == nil { + return nil, &LoadURLError{url.String(), errors.New("no URLLoader set")} + } + doc, err = l.loader.Load(url.String()) + if err != nil { + return nil, &LoadURLError{URL: url.String(), Err: err} + } + l.add(url, doc) + return doc, nil +} + +func (l *defaultLoader) getDraft(up urlPtr, doc any, defaultDraft *Draft, cycle map[url]struct{}) (*Draft, error) { + obj, ok := doc.(map[string]any) + if !ok { + return defaultDraft, nil + } + sch, ok := strVal(obj, "$schema") + if !ok { + return defaultDraft, nil + } + if draft := draftFromURL(sch); draft != nil { + return draft, nil + } + sch, _ = split(sch) + if _, err := gourl.Parse(sch); err != nil { + return nil, &InvalidMetaSchemaURLError{up.String(), err} + } + schUrl := url(sch) + if up.ptr.isEmpty() && schUrl == up.url { + return nil, &UnsupportedDraftError{schUrl.String()} + } + if _, ok := cycle[schUrl]; ok { + return nil, &MetaSchemaCycleError{schUrl.String()} + } + cycle[schUrl] = struct{}{} + doc, err := l.load(schUrl) + if err != nil { + return nil, err + } + return l.getDraft(urlPtr{schUrl, ""}, doc, defaultDraft, cycle) +} + +func (l *defaultLoader) getMetaVocabs(doc any, draft *Draft, vocabularies map[string]*Vocabulary) ([]string, error) { + obj, ok := doc.(map[string]any) + if !ok { + return nil, nil + } + sch, ok := strVal(obj, "$schema") + if !ok { + return nil, nil + } + if draft := draftFromURL(sch); draft != nil { + return nil, nil + } + sch, _ = split(sch) + if _, err := gourl.Parse(sch); err != nil { + return nil, &ParseURLError{sch, err} + } + schUrl := url(sch) + doc, err := l.load(schUrl) + if err != nil { + return nil, err + } + return draft.getVocabs(schUrl, doc, vocabularies) +} + +// -- + +type LoadURLError struct { + URL string + Err error +} + +func (e *LoadURLError) Error() string { + return fmt.Sprintf("failing loading %q: %v", e.URL, e.Err) +} + +// -- + +type UnsupportedURLSchemeError struct { + url string +} + +func (e *UnsupportedURLSchemeError) Error() string { + return fmt.Sprintf("no URLLoader registered for %q", e.url) +} + +// -- + +type ResourceExistsError struct { + url string +} + +func (e *ResourceExistsError) Error() string { + return fmt.Sprintf("resource for %q already exists", e.url) +} + +// -- + +// UnmarshalJSON unmarshals into [any] without losing +// number precision using [json.Number]. +func UnmarshalJSON(r io.Reader) (any, error) { + decoder := json.NewDecoder(r) + decoder.UseNumber() + var doc any + if err := decoder.Decode(&doc); err != nil { + return nil, err + } + if _, err := decoder.Token(); err == nil || err != io.EOF { + return nil, fmt.Errorf("invalid character after top-level value") + } + return doc, nil +} diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft-04/schema b/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft-04/schema new file mode 100644 index 0000000000..b2a7ff0f54 --- /dev/null +++ b/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft-04/schema @@ -0,0 +1,151 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "description": "Core schema meta-schema", + "definitions": { + "schemaArray": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#" } + }, + "positiveInteger": { + "type": "integer", + "minimum": 0 + }, + "positiveIntegerDefault0": { + "allOf": [ { "$ref": "#/definitions/positiveInteger" }, { "default": 0 } ] + }, + "simpleTypes": { + "enum": [ "array", "boolean", "integer", "null", "number", "object", "string" ] + }, + "stringArray": { + "type": "array", + "items": { "type": "string" }, + "minItems": 1, + "uniqueItems": true + } + }, + "type": "object", + "properties": { + "id": { + "type": "string", + "format": "uriref" + }, + "$schema": { + "type": "string", + "format": "uri" + }, + "title": { + "type": "string" + }, + "description": { + "type": "string" + }, + "default": {}, + "multipleOf": { + "type": "number", + "minimum": 0, + "exclusiveMinimum": true + }, + "maximum": { + "type": "number" + }, + "exclusiveMaximum": { + "type": "boolean", + "default": false + }, + "minimum": { + "type": "number" + }, + "exclusiveMinimum": { + "type": "boolean", + "default": false + }, + "maxLength": { "$ref": "#/definitions/positiveInteger" }, + "minLength": { "$ref": "#/definitions/positiveIntegerDefault0" }, + "pattern": { + "type": "string", + "format": "regex" + }, + "additionalItems": { + "anyOf": [ + { "type": "boolean" }, + { "$ref": "#" } + ], + "default": {} + }, + "items": { + "anyOf": [ + { "$ref": "#" }, + { "$ref": "#/definitions/schemaArray" } + ], + "default": {} + }, + "maxItems": { "$ref": "#/definitions/positiveInteger" }, + "minItems": { "$ref": "#/definitions/positiveIntegerDefault0" }, + "uniqueItems": { + "type": "boolean", + "default": false + }, + "maxProperties": { "$ref": "#/definitions/positiveInteger" }, + "minProperties": { "$ref": "#/definitions/positiveIntegerDefault0" }, + "required": { "$ref": "#/definitions/stringArray" }, + "additionalProperties": { + "anyOf": [ + { "type": "boolean" }, + { "$ref": "#" } + ], + "default": {} + }, + "definitions": { + "type": "object", + "additionalProperties": { "$ref": "#" }, + "default": {} + }, + "properties": { + "type": "object", + "additionalProperties": { "$ref": "#" }, + "default": {} + }, + "patternProperties": { + "type": "object", + "additionalProperties": { "$ref": "#" }, + "default": {} + }, + "dependencies": { + "type": "object", + "additionalProperties": { + "anyOf": [ + { "$ref": "#" }, + { "$ref": "#/definitions/stringArray" } + ] + } + }, + "enum": { + "type": "array", + "minItems": 1, + "uniqueItems": true + }, + "type": { + "anyOf": [ + { "$ref": "#/definitions/simpleTypes" }, + { + "type": "array", + "items": { "$ref": "#/definitions/simpleTypes" }, + "minItems": 1, + "uniqueItems": true + } + ] + }, + "allOf": { "$ref": "#/definitions/schemaArray" }, + "anyOf": { "$ref": "#/definitions/schemaArray" }, + "oneOf": { "$ref": "#/definitions/schemaArray" }, + "not": { "$ref": "#" }, + "format": { "type": "string" }, + "$ref": { "type": "string" } + }, + "dependencies": { + "exclusiveMaximum": [ "maximum" ], + "exclusiveMinimum": [ "minimum" ] + }, + "default": {} +} diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft-06/schema b/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft-06/schema new file mode 100644 index 0000000000..fa22ad1b06 --- /dev/null +++ b/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft-06/schema @@ -0,0 +1,150 @@ +{ + "$schema": "http://json-schema.org/draft-06/schema#", + "$id": "http://json-schema.org/draft-06/schema#", + "title": "Core schema meta-schema", + "definitions": { + "schemaArray": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#" } + }, + "nonNegativeInteger": { + "type": "integer", + "minimum": 0 + }, + "nonNegativeIntegerDefault0": { + "allOf": [ + { "$ref": "#/definitions/nonNegativeInteger" }, + { "default": 0 } + ] + }, + "simpleTypes": { + "enum": [ + "array", + "boolean", + "integer", + "null", + "number", + "object", + "string" + ] + }, + "stringArray": { + "type": "array", + "items": { "type": "string" }, + "uniqueItems": true, + "default": [] + } + }, + "type": ["object", "boolean"], + "properties": { + "$id": { + "type": "string", + "format": "uri-reference" + }, + "$schema": { + "type": "string", + "format": "uri" + }, + "$ref": { + "type": "string", + "format": "uri-reference" + }, + "title": { + "type": "string" + }, + "description": { + "type": "string" + }, + "default": {}, + "multipleOf": { + "type": "number", + "exclusiveMinimum": 0 + }, + "maximum": { + "type": "number" + }, + "exclusiveMaximum": { + "type": "number" + }, + "minimum": { + "type": "number" + }, + "exclusiveMinimum": { + "type": "number" + }, + "maxLength": { "$ref": "#/definitions/nonNegativeInteger" }, + "minLength": { "$ref": "#/definitions/nonNegativeIntegerDefault0" }, + "pattern": { + "type": "string", + "format": "regex" + }, + "additionalItems": { "$ref": "#" }, + "items": { + "anyOf": [ + { "$ref": "#" }, + { "$ref": "#/definitions/schemaArray" } + ], + "default": {} + }, + "maxItems": { "$ref": "#/definitions/nonNegativeInteger" }, + "minItems": { "$ref": "#/definitions/nonNegativeIntegerDefault0" }, + "uniqueItems": { + "type": "boolean", + "default": false + }, + "contains": { "$ref": "#" }, + "maxProperties": { "$ref": "#/definitions/nonNegativeInteger" }, + "minProperties": { "$ref": "#/definitions/nonNegativeIntegerDefault0" }, + "required": { "$ref": "#/definitions/stringArray" }, + "additionalProperties": { "$ref": "#" }, + "definitions": { + "type": "object", + "additionalProperties": { "$ref": "#" }, + "default": {} + }, + "properties": { + "type": "object", + "additionalProperties": { "$ref": "#" }, + "default": {} + }, + "patternProperties": { + "type": "object", + "additionalProperties": { "$ref": "#" }, + "default": {} + }, + "dependencies": { + "type": "object", + "additionalProperties": { + "anyOf": [ + { "$ref": "#" }, + { "$ref": "#/definitions/stringArray" } + ] + } + }, + "propertyNames": { "$ref": "#" }, + "const": {}, + "enum": { + "type": "array", + "minItems": 1, + "uniqueItems": true + }, + "type": { + "anyOf": [ + { "$ref": "#/definitions/simpleTypes" }, + { + "type": "array", + "items": { "$ref": "#/definitions/simpleTypes" }, + "minItems": 1, + "uniqueItems": true + } + ] + }, + "format": { "type": "string" }, + "allOf": { "$ref": "#/definitions/schemaArray" }, + "anyOf": { "$ref": "#/definitions/schemaArray" }, + "oneOf": { "$ref": "#/definitions/schemaArray" }, + "not": { "$ref": "#" } + }, + "default": {} +} diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft-07/schema b/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft-07/schema new file mode 100644 index 0000000000..326759a622 --- /dev/null +++ b/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft-07/schema @@ -0,0 +1,172 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema#", + "$id": "http://json-schema.org/draft-07/schema#", + "title": "Core schema meta-schema", + "definitions": { + "schemaArray": { + "type": "array", + "minItems": 1, + "items": { "$ref": "#" } + }, + "nonNegativeInteger": { + "type": "integer", + "minimum": 0 + }, + "nonNegativeIntegerDefault0": { + "allOf": [ + { "$ref": "#/definitions/nonNegativeInteger" }, + { "default": 0 } + ] + }, + "simpleTypes": { + "enum": [ + "array", + "boolean", + "integer", + "null", + "number", + "object", + "string" + ] + }, + "stringArray": { + "type": "array", + "items": { "type": "string" }, + "uniqueItems": true, + "default": [] + } + }, + "type": ["object", "boolean"], + "properties": { + "$id": { + "type": "string", + "format": "uri-reference" + }, + "$schema": { + "type": "string", + "format": "uri" + }, + "$ref": { + "type": "string", + "format": "uri-reference" + }, + "$comment": { + "type": "string" + }, + "title": { + "type": "string" + }, + "description": { + "type": "string" + }, + "default": true, + "readOnly": { + "type": "boolean", + "default": false + }, + "writeOnly": { + "type": "boolean", + "default": false + }, + "examples": { + "type": "array", + "items": true + }, + "multipleOf": { + "type": "number", + "exclusiveMinimum": 0 + }, + "maximum": { + "type": "number" + }, + "exclusiveMaximum": { + "type": "number" + }, + "minimum": { + "type": "number" + }, + "exclusiveMinimum": { + "type": "number" + }, + "maxLength": { "$ref": "#/definitions/nonNegativeInteger" }, + "minLength": { "$ref": "#/definitions/nonNegativeIntegerDefault0" }, + "pattern": { + "type": "string", + "format": "regex" + }, + "additionalItems": { "$ref": "#" }, + "items": { + "anyOf": [ + { "$ref": "#" }, + { "$ref": "#/definitions/schemaArray" } + ], + "default": true + }, + "maxItems": { "$ref": "#/definitions/nonNegativeInteger" }, + "minItems": { "$ref": "#/definitions/nonNegativeIntegerDefault0" }, + "uniqueItems": { + "type": "boolean", + "default": false + }, + "contains": { "$ref": "#" }, + "maxProperties": { "$ref": "#/definitions/nonNegativeInteger" }, + "minProperties": { "$ref": "#/definitions/nonNegativeIntegerDefault0" }, + "required": { "$ref": "#/definitions/stringArray" }, + "additionalProperties": { "$ref": "#" }, + "definitions": { + "type": "object", + "additionalProperties": { "$ref": "#" }, + "default": {} + }, + "properties": { + "type": "object", + "additionalProperties": { "$ref": "#" }, + "default": {} + }, + "patternProperties": { + "type": "object", + "additionalProperties": { "$ref": "#" }, + "propertyNames": { "format": "regex" }, + "default": {} + }, + "dependencies": { + "type": "object", + "additionalProperties": { + "anyOf": [ + { "$ref": "#" }, + { "$ref": "#/definitions/stringArray" } + ] + } + }, + "propertyNames": { "$ref": "#" }, + "const": true, + "enum": { + "type": "array", + "items": true, + "minItems": 1, + "uniqueItems": true + }, + "type": { + "anyOf": [ + { "$ref": "#/definitions/simpleTypes" }, + { + "type": "array", + "items": { "$ref": "#/definitions/simpleTypes" }, + "minItems": 1, + "uniqueItems": true + } + ] + }, + "format": { "type": "string" }, + "contentMediaType": { "type": "string" }, + "contentEncoding": { "type": "string" }, + "if": { "$ref": "#" }, + "then": { "$ref": "#" }, + "else": { "$ref": "#" }, + "allOf": { "$ref": "#/definitions/schemaArray" }, + "anyOf": { "$ref": "#/definitions/schemaArray" }, + "oneOf": { "$ref": "#/definitions/schemaArray" }, + "not": { "$ref": "#" } + }, + "default": true +} diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2019-09/meta/applicator b/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2019-09/meta/applicator new file mode 100644 index 0000000000..857d2d4955 --- /dev/null +++ b/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2019-09/meta/applicator @@ -0,0 +1,55 @@ +{ + "$schema": "https://json-schema.org/draft/2019-09/schema", + "$id": "https://json-schema.org/draft/2019-09/meta/applicator", + "$vocabulary": { + "https://json-schema.org/draft/2019-09/vocab/applicator": true + }, + "$recursiveAnchor": true, + "title": "Applicator vocabulary meta-schema", + "type": ["object", "boolean"], + "properties": { + "additionalItems": { "$recursiveRef": "#" }, + "unevaluatedItems": { "$recursiveRef": "#" }, + "items": { + "anyOf": [ + { "$recursiveRef": "#" }, + { "$ref": "#/$defs/schemaArray" } + ] + }, + "contains": { "$recursiveRef": "#" }, + "additionalProperties": { "$recursiveRef": "#" }, + "unevaluatedProperties": { "$recursiveRef": "#" }, + "properties": { + "type": "object", + "additionalProperties": { "$recursiveRef": "#" }, + "default": {} + }, + "patternProperties": { + "type": "object", + "additionalProperties": { "$recursiveRef": "#" }, + "propertyNames": { "format": "regex" }, + "default": {} + }, + "dependentSchemas": { + "type": "object", + "additionalProperties": { + "$recursiveRef": "#" + } + }, + "propertyNames": { "$recursiveRef": "#" }, + "if": { "$recursiveRef": "#" }, + "then": { "$recursiveRef": "#" }, + "else": { "$recursiveRef": "#" }, + "allOf": { "$ref": "#/$defs/schemaArray" }, + "anyOf": { "$ref": "#/$defs/schemaArray" }, + "oneOf": { "$ref": "#/$defs/schemaArray" }, + "not": { "$recursiveRef": "#" } + }, + "$defs": { + "schemaArray": { + "type": "array", + "minItems": 1, + "items": { "$recursiveRef": "#" } + } + } +} diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2019-09/meta/content b/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2019-09/meta/content new file mode 100644 index 0000000000..fa5d20b8d6 --- /dev/null +++ b/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2019-09/meta/content @@ -0,0 +1,15 @@ +{ + "$schema": "https://json-schema.org/draft/2019-09/schema", + "$id": "https://json-schema.org/draft/2019-09/meta/content", + "$vocabulary": { + "https://json-schema.org/draft/2019-09/vocab/content": true + }, + "$recursiveAnchor": true, + "title": "Content vocabulary meta-schema", + "type": ["object", "boolean"], + "properties": { + "contentMediaType": { "type": "string" }, + "contentEncoding": { "type": "string" }, + "contentSchema": { "$recursiveRef": "#" } + } +} diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2019-09/meta/core b/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2019-09/meta/core new file mode 100644 index 0000000000..bf5731985d --- /dev/null +++ b/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2019-09/meta/core @@ -0,0 +1,56 @@ +{ + "$schema": "https://json-schema.org/draft/2019-09/schema", + "$id": "https://json-schema.org/draft/2019-09/meta/core", + "$vocabulary": { + "https://json-schema.org/draft/2019-09/vocab/core": true + }, + "$recursiveAnchor": true, + "title": "Core vocabulary meta-schema", + "type": ["object", "boolean"], + "properties": { + "$id": { + "type": "string", + "format": "uri-reference", + "$comment": "Non-empty fragments not allowed.", + "pattern": "^[^#]*#?$" + }, + "$schema": { + "type": "string", + "format": "uri" + }, + "$anchor": { + "type": "string", + "pattern": "^[A-Za-z][-A-Za-z0-9.:_]*$" + }, + "$ref": { + "type": "string", + "format": "uri-reference" + }, + "$recursiveRef": { + "type": "string", + "format": "uri-reference" + }, + "$recursiveAnchor": { + "type": "boolean", + "default": false + }, + "$vocabulary": { + "type": "object", + "propertyNames": { + "type": "string", + "format": "uri" + }, + "additionalProperties": { + "type": "boolean" + } + }, + "$comment": { + "type": "string" + }, + "$defs": { + "type": "object", + "additionalProperties": { "$recursiveRef": "#" }, + "default": {} + } + } +} diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2019-09/meta/format b/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2019-09/meta/format new file mode 100644 index 0000000000..fe553c2397 --- /dev/null +++ b/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2019-09/meta/format @@ -0,0 +1,13 @@ +{ + "$schema": "https://json-schema.org/draft/2019-09/schema", + "$id": "https://json-schema.org/draft/2019-09/meta/format", + "$vocabulary": { + "https://json-schema.org/draft/2019-09/vocab/format": true + }, + "$recursiveAnchor": true, + "title": "Format vocabulary meta-schema", + "type": ["object", "boolean"], + "properties": { + "format": { "type": "string" } + } +} diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2019-09/meta/meta-data b/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2019-09/meta/meta-data new file mode 100644 index 0000000000..5c95715c4a --- /dev/null +++ b/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2019-09/meta/meta-data @@ -0,0 +1,35 @@ +{ + "$schema": "https://json-schema.org/draft/2019-09/schema", + "$id": "https://json-schema.org/draft/2019-09/meta/meta-data", + "$vocabulary": { + "https://json-schema.org/draft/2019-09/vocab/meta-data": true + }, + "$recursiveAnchor": true, + "title": "Meta-data vocabulary meta-schema", + "type": ["object", "boolean"], + "properties": { + "title": { + "type": "string" + }, + "description": { + "type": "string" + }, + "default": true, + "deprecated": { + "type": "boolean", + "default": false + }, + "readOnly": { + "type": "boolean", + "default": false + }, + "writeOnly": { + "type": "boolean", + "default": false + }, + "examples": { + "type": "array", + "items": true + } + } +} diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2019-09/meta/validation b/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2019-09/meta/validation new file mode 100644 index 0000000000..f3525e0760 --- /dev/null +++ b/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2019-09/meta/validation @@ -0,0 +1,97 @@ +{ + "$schema": "https://json-schema.org/draft/2019-09/schema", + "$id": "https://json-schema.org/draft/2019-09/meta/validation", + "$vocabulary": { + "https://json-schema.org/draft/2019-09/vocab/validation": true + }, + "$recursiveAnchor": true, + "title": "Validation vocabulary meta-schema", + "type": ["object", "boolean"], + "properties": { + "multipleOf": { + "type": "number", + "exclusiveMinimum": 0 + }, + "maximum": { + "type": "number" + }, + "exclusiveMaximum": { + "type": "number" + }, + "minimum": { + "type": "number" + }, + "exclusiveMinimum": { + "type": "number" + }, + "maxLength": { "$ref": "#/$defs/nonNegativeInteger" }, + "minLength": { "$ref": "#/$defs/nonNegativeIntegerDefault0" }, + "pattern": { + "type": "string", + "format": "regex" + }, + "maxItems": { "$ref": "#/$defs/nonNegativeInteger" }, + "minItems": { "$ref": "#/$defs/nonNegativeIntegerDefault0" }, + "uniqueItems": { + "type": "boolean", + "default": false + }, + "maxContains": { "$ref": "#/$defs/nonNegativeInteger" }, + "minContains": { + "$ref": "#/$defs/nonNegativeInteger", + "default": 1 + }, + "maxProperties": { "$ref": "#/$defs/nonNegativeInteger" }, + "minProperties": { "$ref": "#/$defs/nonNegativeIntegerDefault0" }, + "required": { "$ref": "#/$defs/stringArray" }, + "dependentRequired": { + "type": "object", + "additionalProperties": { + "$ref": "#/$defs/stringArray" + } + }, + "const": true, + "enum": { + "type": "array", + "items": true + }, + "type": { + "anyOf": [ + { "$ref": "#/$defs/simpleTypes" }, + { + "type": "array", + "items": { "$ref": "#/$defs/simpleTypes" }, + "minItems": 1, + "uniqueItems": true + } + ] + } + }, + "$defs": { + "nonNegativeInteger": { + "type": "integer", + "minimum": 0 + }, + "nonNegativeIntegerDefault0": { + "$ref": "#/$defs/nonNegativeInteger", + "default": 0 + }, + "simpleTypes": { + "enum": [ + "array", + "boolean", + "integer", + "null", + "number", + "object", + "string" + ] + }, + "stringArray": { + "type": "array", + "items": { "type": "string" }, + "uniqueItems": true, + "default": [] + } + } +} diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2019-09/schema b/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2019-09/schema new file mode 100644 index 0000000000..f433389be6 --- /dev/null +++ b/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2019-09/schema @@ -0,0 +1,41 @@ +{ + "$schema": "https://json-schema.org/draft/2019-09/schema", + "$id": "https://json-schema.org/draft/2019-09/schema", + "$vocabulary": { + "https://json-schema.org/draft/2019-09/vocab/core": true, + "https://json-schema.org/draft/2019-09/vocab/applicator": true, + "https://json-schema.org/draft/2019-09/vocab/validation": true, + "https://json-schema.org/draft/2019-09/vocab/meta-data": true, + "https://json-schema.org/draft/2019-09/vocab/format": false, + "https://json-schema.org/draft/2019-09/vocab/content": true + }, + "$recursiveAnchor": true, + "title": "Core and Validation specifications meta-schema", + "allOf": [ + {"$ref": "meta/core"}, + {"$ref": "meta/applicator"}, + {"$ref": "meta/validation"}, + {"$ref": "meta/meta-data"}, + {"$ref": "meta/format"}, + {"$ref": "meta/content"} + ], + "type": ["object", "boolean"], + "properties": { + "definitions": { + "$comment": "While no longer an official keyword as it is replaced by $defs, this keyword is retained in the meta-schema to prevent incompatible extensions as it remains in common use.", + "type": "object", + "additionalProperties": { "$recursiveRef": "#" }, + "default": {} + }, + "dependencies": { + "$comment": "\"dependencies\" is no longer a keyword, but schema authors should avoid redefining it to facilitate a smooth transition to \"dependentSchemas\" and \"dependentRequired\"", + "type": "object", + "additionalProperties": { + "anyOf": [ + { "$recursiveRef": "#" }, + { "$ref": "meta/validation#/$defs/stringArray" } + ] + } + } + } +} diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2020-12/meta/applicator b/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2020-12/meta/applicator new file mode 100644 index 0000000000..0ef24edc81 --- /dev/null +++ b/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2020-12/meta/applicator @@ -0,0 +1,47 @@ +{ + "$schema": "https://json-schema.org/draft/2020-12/schema", + "$id": "https://json-schema.org/draft/2020-12/meta/applicator", + "$vocabulary": { + "https://json-schema.org/draft/2020-12/vocab/applicator": true + }, + "$dynamicAnchor": "meta", + "title": "Applicator vocabulary meta-schema", + "type": ["object", "boolean"], + "properties": { + "prefixItems": { "$ref": "#/$defs/schemaArray" }, + "items": { "$dynamicRef": "#meta" }, + "contains": { "$dynamicRef": "#meta" }, + "additionalProperties": { "$dynamicRef": "#meta" }, + "properties": { + "type": "object", + "additionalProperties": { "$dynamicRef": "#meta" }, + "default": {} + }, + "patternProperties": { + "type": "object", + "additionalProperties": { "$dynamicRef": "#meta" }, + "propertyNames": { "format": "regex" }, + "default": {} + }, + "dependentSchemas": { + "type": "object", + "additionalProperties": { "$dynamicRef": "#meta" }, + "default": {} + }, + "propertyNames": { "$dynamicRef": "#meta" }, + "if": { "$dynamicRef": "#meta" }, + "then": { "$dynamicRef": "#meta" }, + "else": { "$dynamicRef": "#meta" }, + "allOf": { "$ref": "#/$defs/schemaArray" }, + "anyOf": { "$ref": "#/$defs/schemaArray" }, + "oneOf": { "$ref": "#/$defs/schemaArray" }, + "not": { "$dynamicRef": "#meta" } + }, + "$defs": { + "schemaArray": { + "type": "array", + "minItems": 1, + "items": { "$dynamicRef": "#meta" } + } + } +} diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2020-12/meta/content b/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2020-12/meta/content new file mode 100644 index 0000000000..0330ff0a81 --- /dev/null +++ b/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2020-12/meta/content @@ -0,0 +1,15 @@ +{ + "$schema": "https://json-schema.org/draft/2020-12/schema", + "$id": "https://json-schema.org/draft/2020-12/meta/content", + "$vocabulary": { + "https://json-schema.org/draft/2020-12/vocab/content": true + }, + "$dynamicAnchor": "meta", + "title": "Content vocabulary meta-schema", + "type": ["object", "boolean"], + "properties": { + "contentEncoding": { "type": "string" }, + "contentMediaType": { "type": "string" }, + "contentSchema": { "$dynamicRef": "#meta" } + } +} diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2020-12/meta/core b/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2020-12/meta/core new file mode 100644 index 0000000000..c4de7005ab --- /dev/null +++ b/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2020-12/meta/core @@ -0,0 +1,50 @@ +{ + "$schema": "https://json-schema.org/draft/2020-12/schema", + "$id": "https://json-schema.org/draft/2020-12/meta/core", + "$vocabulary": { + "https://json-schema.org/draft/2020-12/vocab/core": true + }, + "$dynamicAnchor": "meta", + "title": "Core vocabulary meta-schema", + "type": ["object", "boolean"], + "properties": { + "$id": { + "$ref": "#/$defs/uriReferenceString", + "$comment": "Non-empty fragments not allowed.", + "pattern": "^[^#]*#?$" + }, + "$schema": { "$ref": "#/$defs/uriString" }, + "$ref": { "$ref": "#/$defs/uriReferenceString" }, + "$anchor": { "$ref": "#/$defs/anchorString" }, + "$dynamicRef": { "$ref": "#/$defs/uriReferenceString" }, + "$dynamicAnchor": { "$ref": "#/$defs/anchorString" }, + "$vocabulary": { + "type": "object", + "propertyNames": { "$ref": "#/$defs/uriString" }, + "additionalProperties": { + "type": "boolean" + } + }, + "$comment": { + "type": "string" + }, + "$defs": { + "type": "object", + "additionalProperties": { "$dynamicRef": "#meta" } + } + }, + "$defs": { + "anchorString": { + "type": "string", + "pattern": "^[A-Za-z_][-A-Za-z0-9._]*$" + }, + "uriString": { + "type": "string", + "format": "uri" + }, + "uriReferenceString": { + "type": "string", + "format": "uri-reference" + } + } +} diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2020-12/meta/format-annotation b/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2020-12/meta/format-annotation new file mode 100644 index 0000000000..0aa07d1c15 --- /dev/null +++ b/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2020-12/meta/format-annotation @@ -0,0 +1,13 @@ +{ + "$schema": "https://json-schema.org/draft/2020-12/schema", + "$id": "https://json-schema.org/draft/2020-12/meta/format-annotation", + "$vocabulary": { + "https://json-schema.org/draft/2020-12/vocab/format-annotation": true + }, + "$dynamicAnchor": "meta", + "title": "Format vocabulary meta-schema for annotation results", + "type": ["object", "boolean"], + "properties": { + "format": { "type": "string" } + } +} diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2020-12/meta/format-assertion b/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2020-12/meta/format-assertion new file mode 100644 index 0000000000..38613bff6e --- /dev/null +++ b/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2020-12/meta/format-assertion @@ -0,0 +1,13 @@ +{ + "$schema": "https://json-schema.org/draft/2020-12/schema", + "$id": "https://json-schema.org/draft/2020-12/meta/format-assertion", + "$vocabulary": { + "https://json-schema.org/draft/2020-12/vocab/format-assertion": true + }, + "$dynamicAnchor": "meta", + "title": "Format vocabulary meta-schema for assertion results", + "type": ["object", "boolean"], + "properties": { + "format": { "type": "string" } + } +} diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2020-12/meta/meta-data b/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2020-12/meta/meta-data new file mode 100644 index 0000000000..30e2837140 --- /dev/null +++ b/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2020-12/meta/meta-data @@ -0,0 +1,35 @@ +{ + "$schema": "https://json-schema.org/draft/2020-12/schema", + "$id": "https://json-schema.org/draft/2020-12/meta/meta-data", + "$vocabulary": { + "https://json-schema.org/draft/2020-12/vocab/meta-data": true + }, + "$dynamicAnchor": "meta", + "title": "Meta-data vocabulary meta-schema", + "type": ["object", "boolean"], + "properties": { + "title": { + "type": "string" + }, + "description": { + "type": "string" + }, + "default": true, + "deprecated": { + "type": "boolean", + "default": false + }, + "readOnly": { + "type": "boolean", + "default": false + }, + "writeOnly": { + "type": "boolean", + "default": false + }, + "examples": { + "type": "array", + "items": true + } + } +} diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2020-12/meta/unevaluated b/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2020-12/meta/unevaluated new file mode 100644 index 0000000000..e9e093d12a --- /dev/null +++ b/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2020-12/meta/unevaluated @@ -0,0 +1,14 @@ +{ + "$schema": "https://json-schema.org/draft/2020-12/schema", + "$id": "https://json-schema.org/draft/2020-12/meta/unevaluated", + "$vocabulary": { + "https://json-schema.org/draft/2020-12/vocab/unevaluated": true + }, + "$dynamicAnchor": "meta", + "title": "Unevaluated applicator vocabulary meta-schema", + "type": ["object", "boolean"], + "properties": { + "unevaluatedItems": { "$dynamicRef": "#meta" }, + "unevaluatedProperties": { "$dynamicRef": "#meta" } + } +} diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2020-12/meta/validation b/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2020-12/meta/validation new file mode 100644 index 0000000000..4e016ed2b7 --- /dev/null +++ b/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2020-12/meta/validation @@ -0,0 +1,97 @@ +{ + "$schema": "https://json-schema.org/draft/2020-12/schema", + "$id": "https://json-schema.org/draft/2020-12/meta/validation", + "$vocabulary": { + "https://json-schema.org/draft/2020-12/vocab/validation": true + }, + "$dynamicAnchor": "meta", + "title": "Validation vocabulary meta-schema", + "type": ["object", "boolean"], + "properties": { + "type": { + "anyOf": [ + { "$ref": "#/$defs/simpleTypes" }, + { + "type": "array", + "items": { "$ref": "#/$defs/simpleTypes" }, + "minItems": 1, + "uniqueItems": true + } + ] + }, + "const": true, + "enum": { + "type": "array", + "items": true + }, + "multipleOf": { + "type": "number", + "exclusiveMinimum": 0 + }, + "maximum": { + "type": "number" + }, + "exclusiveMaximum": { + "type": "number" + }, + "minimum": { + "type": "number" + }, + "exclusiveMinimum": { + "type": "number" + }, + "maxLength": { "$ref": "#/$defs/nonNegativeInteger" }, + "minLength": { "$ref": "#/$defs/nonNegativeIntegerDefault0" }, + "pattern": { + "type": "string", + "format": "regex" + }, + "maxItems": { "$ref": "#/$defs/nonNegativeInteger" }, + "minItems": { "$ref": "#/$defs/nonNegativeIntegerDefault0" }, + "uniqueItems": { + "type": "boolean", + "default": false + }, + "maxContains": { "$ref": "#/$defs/nonNegativeInteger" }, + "minContains": { + "$ref": "#/$defs/nonNegativeInteger", + "default": 1 + }, + "maxProperties": { "$ref": "#/$defs/nonNegativeInteger" }, + "minProperties": { "$ref": "#/$defs/nonNegativeIntegerDefault0" }, + "required": { "$ref": "#/$defs/stringArray" }, + "dependentRequired": { + "type": "object", + "additionalProperties": { + "$ref": "#/$defs/stringArray" + } + } + }, + "$defs": { + "nonNegativeInteger": { + "type": "integer", + "minimum": 0 + }, + "nonNegativeIntegerDefault0": { + "$ref": "#/$defs/nonNegativeInteger", + "default": 0 + }, + "simpleTypes": { + "enum": [ + "array", + "boolean", + "integer", + "null", + "number", + "object", + "string" + ] + }, + "stringArray": { + "type": "array", + "items": { "type": "string" }, + "uniqueItems": true, + "default": [] + } + } +} diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2020-12/schema b/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2020-12/schema new file mode 100644 index 0000000000..364f8ada6c --- /dev/null +++ b/vendor/github.com/santhosh-tekuri/jsonschema/v6/metaschemas/draft/2020-12/schema @@ -0,0 +1,57 @@ +{ + "$schema": "https://json-schema.org/draft/2020-12/schema", + "$id": "https://json-schema.org/draft/2020-12/schema", + "$vocabulary": { + "https://json-schema.org/draft/2020-12/vocab/core": true, + "https://json-schema.org/draft/2020-12/vocab/applicator": true, + "https://json-schema.org/draft/2020-12/vocab/unevaluated": true, + "https://json-schema.org/draft/2020-12/vocab/validation": true, + "https://json-schema.org/draft/2020-12/vocab/meta-data": true, + "https://json-schema.org/draft/2020-12/vocab/format-annotation": true, + "https://json-schema.org/draft/2020-12/vocab/content": true + }, + "$dynamicAnchor": "meta", + "title": "Core and Validation specifications meta-schema", + "allOf": [ + {"$ref": "meta/core"}, + {"$ref": "meta/applicator"}, + {"$ref": "meta/unevaluated"}, + {"$ref": "meta/validation"}, + {"$ref": "meta/meta-data"}, + {"$ref": "meta/format-annotation"}, + {"$ref": "meta/content"} + ], + "type": ["object", "boolean"], + "$comment": "This meta-schema also defines keywords that have appeared in previous drafts in order to prevent incompatible extensions as they remain in common use.", + "properties": { + "definitions": { + "$comment": "\"definitions\" has been replaced by \"$defs\".", + "type": "object", + "additionalProperties": { "$dynamicRef": "#meta" }, + "deprecated": true, + "default": {} + }, + "dependencies": { + "$comment": "\"dependencies\" has been split and replaced by \"dependentSchemas\" and \"dependentRequired\" in order to serve their differing semantics.", + "type": "object", + "additionalProperties": { + "anyOf": [ + { "$dynamicRef": "#meta" }, + { "$ref": "meta/validation#/$defs/stringArray" } + ] + }, + "deprecated": true, + "default": {} + }, + "$recursiveAnchor": { + "$comment": "\"$recursiveAnchor\" has been replaced by \"$dynamicAnchor\".", + "$ref": "meta/core#/$defs/anchorString", + "deprecated": true + }, + "$recursiveRef": { + "$comment": "\"$recursiveRef\" has been replaced by \"$dynamicRef\".", + "$ref": "meta/core#/$defs/uriReferenceString", + "deprecated": true + } + } +} diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/objcompiler.go b/vendor/github.com/santhosh-tekuri/jsonschema/v6/objcompiler.go new file mode 100644 index 0000000000..f1494b13a8 --- /dev/null +++ b/vendor/github.com/santhosh-tekuri/jsonschema/v6/objcompiler.go @@ -0,0 +1,549 @@ +package jsonschema + +import ( + "encoding/json" + "fmt" + "math/big" + "strconv" +) + +type objCompiler struct { + c *Compiler + obj map[string]any + up urlPtr + r *root + res *resource + q *queue +} + +func (c *objCompiler) compile(s *Schema) error { + // id -- + if id := c.res.dialect.draft.getID(c.obj); id != "" { + s.ID = id + } + + // anchor -- + if s.DraftVersion < 2019 { + // anchor is specified in id + id := c.string(c.res.dialect.draft.id) + if id != "" { + _, f := split(id) + if f != "" { + var err error + s.Anchor, err = decode(f) + if err != nil { + return &ParseAnchorError{URL: s.Location} + } + } + } + } else { + s.Anchor = c.string("$anchor") + } + + if err := c.compileDraft4(s); err != nil { + return err + } + if s.DraftVersion >= 6 { + if err := c.compileDraft6(s); err != nil { + return err + } + } + if s.DraftVersion >= 7 { + if err := c.compileDraft7(s); err != nil { + return err + } + } + if s.DraftVersion >= 2019 { + if err := c.compileDraft2019(s); err != nil { + return err + } + } + if s.DraftVersion >= 2020 { + if err := c.compileDraft2020(s); err != nil { + return err + } + } + + // vocabularies + vocabs := c.res.dialect.activeVocabs(c.c.roots.assertVocabs, c.c.roots.vocabularies) + for _, vocab := range vocabs { + v := c.c.roots.vocabularies[vocab] + if v == nil { + continue + } + ext, err := v.Compile(&CompilerContext{c}, c.obj) + if err != nil { + return err + } + if ext != nil { + s.Extensions = append(s.Extensions, ext) + } + } + + return nil +} + +func (c *objCompiler) compileDraft4(s *Schema) error { + var err error + + if c.hasVocab("core") { + if s.Ref, err = c.enqueueRef("$ref"); err != nil { + return err + } + if s.DraftVersion < 2019 && s.Ref != nil { + // All other properties in a "$ref" object MUST be ignored + return nil + } + } + + if c.hasVocab("applicator") { + s.AllOf = c.enqueueArr("allOf") + s.AnyOf = c.enqueueArr("anyOf") + s.OneOf = c.enqueueArr("oneOf") + s.Not = c.enqueueProp("not") + + if s.DraftVersion < 2020 { + if items, ok := c.obj["items"]; ok { + if _, ok := items.([]any); ok { + s.Items = c.enqueueArr("items") + s.AdditionalItems = c.enqueueAdditional("additionalItems") + } else { + s.Items = c.enqueueProp("items") + } + } + } + + s.Properties = c.enqueueMap("properties") + if m := c.enqueueMap("patternProperties"); m != nil { + s.PatternProperties = map[Regexp]*Schema{} + for pname, sch := range m { + re, err := c.c.roots.regexpEngine(pname) + if err != nil { + return &InvalidRegexError{c.up.format("patternProperties"), pname, err} + } + s.PatternProperties[re] = sch + } + } + s.AdditionalProperties = c.enqueueAdditional("additionalProperties") + + if m := c.objVal("dependencies"); m != nil { + s.Dependencies = map[string]any{} + for pname, pvalue := range m { + if arr, ok := pvalue.([]any); ok { + s.Dependencies[pname] = toStrings(arr) + } else { + ptr := c.up.ptr.append2("dependencies", pname) + s.Dependencies[pname] = c.enqueuePtr(ptr) + } + } + } + } + + if c.hasVocab("validation") { + if t, ok := c.obj["type"]; ok { + s.Types = newTypes(t) + } + if arr := c.arrVal("enum"); arr != nil { + s.Enum = newEnum(arr) + } + s.MultipleOf = c.numVal("multipleOf") + s.Maximum = c.numVal("maximum") + if c.boolean("exclusiveMaximum") { + s.ExclusiveMaximum = s.Maximum + s.Maximum = nil + } else { + s.ExclusiveMaximum = c.numVal("exclusiveMaximum") + } + s.Minimum = c.numVal("minimum") + if c.boolean("exclusiveMinimum") { + s.ExclusiveMinimum = s.Minimum + s.Minimum = nil + } else { + s.ExclusiveMinimum = c.numVal("exclusiveMinimum") + } + + s.MinLength = c.intVal("minLength") + s.MaxLength = c.intVal("maxLength") + if pat := c.strVal("pattern"); pat != nil { + s.Pattern, err = c.c.roots.regexpEngine(*pat) + if err != nil { + return &InvalidRegexError{c.up.format("pattern"), *pat, err} + } + } + + s.MinItems = c.intVal("minItems") + s.MaxItems = c.intVal("maxItems") + s.UniqueItems = c.boolean("uniqueItems") + + s.MaxProperties = c.intVal("maxProperties") + s.MinProperties = c.intVal("minProperties") + if arr := c.arrVal("required"); arr != nil { + s.Required = toStrings(arr) + } + } + + // format -- + if c.assertFormat(s.DraftVersion) { + if f := c.strVal("format"); f != nil { + if *f == "regex" { + s.Format = &Format{ + Name: "regex", + Validate: c.c.roots.regexpEngine.validate, + } + } else { + s.Format = c.c.formats[*f] + if s.Format == nil { + s.Format = formats[*f] + } + } + } + } + + // annotations -- + s.Title = c.string("title") + s.Description = c.string("description") + if v, ok := c.obj["default"]; ok { + s.Default = &v + } + + return nil +} + +func (c *objCompiler) compileDraft6(s *Schema) error { + if c.hasVocab("applicator") { + s.Contains = c.enqueueProp("contains") + s.PropertyNames = c.enqueueProp("propertyNames") + } + if c.hasVocab("validation") { + if v, ok := c.obj["const"]; ok { + s.Const = &v + } + } + return nil +} + +func (c *objCompiler) compileDraft7(s *Schema) error { + if c.hasVocab("applicator") { + s.If = c.enqueueProp("if") + if s.If != nil { + b := c.boolVal("if") + if b == nil || *b { + s.Then = c.enqueueProp("then") + } + if b == nil || !*b { + s.Else = c.enqueueProp("else") + } + } + } + + if c.c.assertContent { + if ce := c.strVal("contentEncoding"); ce != nil { + s.ContentEncoding = c.c.decoders[*ce] + if s.ContentEncoding == nil { + s.ContentEncoding = decoders[*ce] + } + } + if cm := c.strVal("contentMediaType"); cm != nil { + s.ContentMediaType = c.c.mediaTypes[*cm] + if s.ContentMediaType == nil { + s.ContentMediaType = mediaTypes[*cm] + } + } + } + + // annotations -- + s.Comment = c.string("$comment") + s.ReadOnly = c.boolean("readOnly") + s.WriteOnly = c.boolean("writeOnly") + if arr, ok := c.obj["examples"].([]any); ok { + s.Examples = arr + } + + return nil +} + +func (c *objCompiler) compileDraft2019(s *Schema) error { + var err error + + if c.hasVocab("core") { + if s.RecursiveRef, err = c.enqueueRef("$recursiveRef"); err != nil { + return err + } + s.RecursiveAnchor = c.boolean("$recursiveAnchor") + } + + if c.hasVocab("validation") { + if s.Contains != nil { + s.MinContains = c.intVal("minContains") + s.MaxContains = c.intVal("maxContains") + } + if m := c.objVal("dependentRequired"); m != nil { + s.DependentRequired = map[string][]string{} + for pname, pvalue := range m { + if arr, ok := pvalue.([]any); ok { + s.DependentRequired[pname] = toStrings(arr) + } + } + } + } + + if c.hasVocab("applicator") { + s.DependentSchemas = c.enqueueMap("dependentSchemas") + } + + var unevaluated bool + if s.DraftVersion == 2019 { + unevaluated = c.hasVocab("applicator") + } else { + unevaluated = c.hasVocab("unevaluated") + } + if unevaluated { + s.UnevaluatedItems = c.enqueueProp("unevaluatedItems") + s.UnevaluatedProperties = c.enqueueProp("unevaluatedProperties") + } + + if c.c.assertContent { + if s.ContentMediaType != nil && s.ContentMediaType.UnmarshalJSON != nil { + s.ContentSchema = c.enqueueProp("contentSchema") + } + } + + // annotations -- + s.Deprecated = c.boolean("deprecated") + + return nil +} + +func (c *objCompiler) compileDraft2020(s *Schema) error { + if c.hasVocab("core") { + sch, err := c.enqueueRef("$dynamicRef") + if err != nil { + return err + } + if sch != nil { + dref := c.strVal("$dynamicRef") + _, frag, err := splitFragment(*dref) + if err != nil { + return err + } + var anch string + if anchor, ok := frag.convert().(anchor); ok { + anch = string(anchor) + } + s.DynamicRef = &DynamicRef{sch, anch} + } + s.DynamicAnchor = c.string("$dynamicAnchor") + } + + if c.hasVocab("applicator") { + s.PrefixItems = c.enqueueArr("prefixItems") + s.Items2020 = c.enqueueProp("items") + } + + return nil +} + +// enqueue helpers -- + +func (c *objCompiler) enqueuePtr(ptr jsonPointer) *Schema { + up := urlPtr{c.up.url, ptr} + return c.c.enqueue(c.q, up) +} + +func (c *objCompiler) enqueueRef(pname string) (*Schema, error) { + ref := c.strVal(pname) + if ref == nil { + return nil, nil + } + baseURL := c.res.id + // baseURL := c.r.baseURL(c.up.ptr) + uf, err := baseURL.join(*ref) + if err != nil { + return nil, err + } + + up, err := c.r.resolve(*uf) + if err != nil { + return nil, err + } + if up != nil { + // local ref + return c.enqueuePtr(up.ptr), nil + } + + // remote ref + up_, err := c.c.roots.resolveFragment(*uf) + if err != nil { + return nil, err + } + return c.c.enqueue(c.q, up_), nil +} + +func (c *objCompiler) enqueueProp(pname string) *Schema { + if _, ok := c.obj[pname]; !ok { + return nil + } + ptr := c.up.ptr.append(pname) + return c.enqueuePtr(ptr) +} + +func (c *objCompiler) enqueueArr(pname string) []*Schema { + arr := c.arrVal(pname) + if arr == nil { + return nil + } + sch := make([]*Schema, len(arr)) + for i := range arr { + ptr := c.up.ptr.append2(pname, strconv.Itoa(i)) + sch[i] = c.enqueuePtr(ptr) + } + return sch +} + +func (c *objCompiler) enqueueMap(pname string) map[string]*Schema { + obj := c.objVal(pname) + if obj == nil { + return nil + } + sch := make(map[string]*Schema) + for k := range obj { + ptr := c.up.ptr.append2(pname, k) + sch[k] = c.enqueuePtr(ptr) + } + return sch +} + +func (c *objCompiler) enqueueAdditional(pname string) any { + if b := c.boolVal(pname); b != nil { + return *b + } + if sch := c.enqueueProp(pname); sch != nil { + return sch + } + return nil +} + +// -- + +func (c *objCompiler) hasVocab(name string) bool { + return c.res.dialect.hasVocab(name) +} + +func (c *objCompiler) assertFormat(draftVersion int) bool { + if c.c.assertFormat || draftVersion < 2019 { + return true + } + if draftVersion == 2019 { + return c.hasVocab("format") + } else { + return c.hasVocab("format-assertion") + } +} + +// value helpers -- + +func (c *objCompiler) boolVal(pname string) *bool { + v, ok := c.obj[pname] + if !ok { + return nil + } + b, ok := v.(bool) + if !ok { + return nil + } + return &b +} + +func (c *objCompiler) boolean(pname string) bool { + b := c.boolVal(pname) + return b != nil && *b +} + +func (c *objCompiler) strVal(pname string) *string { + v, ok := c.obj[pname] + if !ok { + return nil + } + s, ok := v.(string) + if !ok { + return nil + } + return &s +} + +func (c *objCompiler) string(pname string) string { + if s := c.strVal(pname); s != nil { + return *s + } + return "" +} + +func (c *objCompiler) numVal(pname string) *big.Rat { + v, ok := c.obj[pname] + if !ok { + return nil + } + switch v.(type) { + case json.Number, float32, float64, int, int8, int16, int32, int64, uint, uint8, uint16, uint32, uint64: + if n, ok := new(big.Rat).SetString(fmt.Sprint(v)); ok { + return n + } + } + return nil +} + +func (c *objCompiler) intVal(pname string) *int { + if n := c.numVal(pname); n != nil && n.IsInt() { + n := int(n.Num().Int64()) + return &n + } + return nil +} + +func (c *objCompiler) objVal(pname string) map[string]any { + v, ok := c.obj[pname] + if !ok { + return nil + } + obj, ok := v.(map[string]any) + if !ok { + return nil + } + return obj +} + +func (c *objCompiler) arrVal(pname string) []any { + v, ok := c.obj[pname] + if !ok { + return nil + } + arr, ok := v.([]any) + if !ok { + return nil + } + return arr +} + +// -- + +type InvalidRegexError struct { + URL string + Regex string + Err error +} + +func (e *InvalidRegexError) Error() string { + return fmt.Sprintf("invalid regex %q at %q: %v", e.Regex, e.URL, e.Err) +} + +// -- + +func toStrings(arr []any) []string { + var strings []string + for _, item := range arr { + if s, ok := item.(string); ok { + strings = append(strings, s) + } + } + return strings +} diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/output.go b/vendor/github.com/santhosh-tekuri/jsonschema/v6/output.go new file mode 100644 index 0000000000..69d3f26de5 --- /dev/null +++ b/vendor/github.com/santhosh-tekuri/jsonschema/v6/output.go @@ -0,0 +1,216 @@ +package jsonschema + +import ( + "encoding/json" + "fmt" + "strings" + + "github.com/santhosh-tekuri/jsonschema/v6/kind" + "golang.org/x/text/language" + "golang.org/x/text/message" +) + +var defaultPrinter = message.NewPrinter(language.English) + +// format --- + +func (e *ValidationError) schemaURL() string { + if ref, ok := e.ErrorKind.(*kind.Reference); ok { + return ref.URL + } else { + return e.SchemaURL + } +} + +func (e *ValidationError) absoluteKeywordLocation() string { + var schemaURL string + var keywordPath []string + if ref, ok := e.ErrorKind.(*kind.Reference); ok { + schemaURL = ref.URL + keywordPath = nil + } else { + schemaURL = e.SchemaURL + keywordPath = e.ErrorKind.KeywordPath() + } + return fmt.Sprintf("%s%s", schemaURL, encode(jsonPtr(keywordPath))) +} + +func (e *ValidationError) skip() bool { + if len(e.Causes) == 1 { + _, ok := e.ErrorKind.(*kind.Reference) + return ok + } + return false +} + +func (e *ValidationError) display(sb *strings.Builder, verbose bool, indent int, absKwLoc string, p *message.Printer) { + if !e.skip() { + if indent > 0 { + sb.WriteByte('\n') + for i := 0; i < indent-1; i++ { + sb.WriteString(" ") + } + sb.WriteString("- ") + } + indent = indent + 1 + + prevAbsKwLoc := absKwLoc + absKwLoc = e.absoluteKeywordLocation() + + if _, ok := e.ErrorKind.(*kind.Schema); ok { + sb.WriteString(e.ErrorKind.LocalizedString(p)) + } else { + sb.WriteString(p.Sprintf("at %s", quote(jsonPtr(e.InstanceLocation)))) + if verbose { + schLoc := absKwLoc + if prevAbsKwLoc != "" { + pu, _ := split(prevAbsKwLoc) + u, f := split(absKwLoc) + if u == pu { + schLoc = fmt.Sprintf("S#%s", f) + } + } + fmt.Fprintf(sb, " [%s]", schLoc) + } + fmt.Fprintf(sb, ": %s", e.ErrorKind.LocalizedString(p)) + } + } + for _, cause := range e.Causes { + cause.display(sb, verbose, indent, absKwLoc, p) + } +} + +func (e *ValidationError) Error() string { + return e.LocalizedError(defaultPrinter) +} + +func (e *ValidationError) LocalizedError(p *message.Printer) string { + var sb strings.Builder + e.display(&sb, false, 0, "", p) + return sb.String() +} + +func (e *ValidationError) GoString() string { + return e.LocalizedGoString(defaultPrinter) +} + +func (e *ValidationError) LocalizedGoString(p *message.Printer) string { + var sb strings.Builder + e.display(&sb, true, 0, "", p) + return sb.String() +} + +func jsonPtr(tokens []string) string { + var sb strings.Builder + for _, tok := range tokens { + sb.WriteByte('/') + sb.WriteString(escape(tok)) + } + return sb.String() +} + +// -- + +// Flag is output format with simple boolean property valid. +type FlagOutput struct { + Valid bool `json:"valid"` +} + +// The `Flag` output format, merely the boolean result. +func (e *ValidationError) FlagOutput() *FlagOutput { + return &FlagOutput{Valid: false} +} + +// -- + +type OutputUnit struct { + Valid bool `json:"valid"` + KeywordLocation string `json:"keywordLocation"` + AbsoluteKeywordLocation string `json:"AbsoluteKeywordLocation,omitempty"` + InstanceLocation string `json:"instanceLocation"` + Error *OutputError `json:"error,omitempty"` + Errors []OutputUnit `json:"errors,omitempty"` +} + +type OutputError struct { + Kind ErrorKind + p *message.Printer +} + +func (k OutputError) String() string { + return k.Kind.LocalizedString(k.p) +} + +func (k OutputError) MarshalJSON() ([]byte, error) { + return json.Marshal(k.Kind.LocalizedString(k.p)) +} + +// The `Basic` structure, a flat list of output units. +func (e *ValidationError) BasicOutput() *OutputUnit { + return e.LocalizedBasicOutput(defaultPrinter) +} + +func (e *ValidationError) LocalizedBasicOutput(p *message.Printer) *OutputUnit { + out := e.output(true, false, "", "", p) + return &out +} + +// The `Detailed` structure, based on the schema. +func (e *ValidationError) DetailedOutput() *OutputUnit { + return e.LocalizedDetailedOutput(defaultPrinter) +} + +func (e *ValidationError) LocalizedDetailedOutput(p *message.Printer) *OutputUnit { + out := e.output(false, false, "", "", p) + return &out +} + +func (e *ValidationError) output(flatten, inRef bool, schemaURL, kwLoc string, p *message.Printer) OutputUnit { + if !inRef { + if _, ok := e.ErrorKind.(*kind.Reference); ok { + inRef = true + } + } + if schemaURL != "" { + kwLoc += e.SchemaURL[len(schemaURL):] + if ref, ok := e.ErrorKind.(*kind.Reference); ok { + kwLoc += jsonPtr(ref.KeywordPath()) + } + } + schemaURL = e.schemaURL() + + keywordLocation := kwLoc + if _, ok := e.ErrorKind.(*kind.Reference); !ok { + keywordLocation += jsonPtr(e.ErrorKind.KeywordPath()) + } + + out := OutputUnit{ + Valid: false, + InstanceLocation: jsonPtr(e.InstanceLocation), + KeywordLocation: keywordLocation, + } + if inRef { + out.AbsoluteKeywordLocation = e.absoluteKeywordLocation() + } + for _, cause := range e.Causes { + causeOut := cause.output(flatten, inRef, schemaURL, kwLoc, p) + if cause.skip() { + causeOut = causeOut.Errors[0] + } + if flatten { + errors := causeOut.Errors + causeOut.Errors = nil + causeOut.Error = &OutputError{cause.ErrorKind, p} + out.Errors = append(out.Errors, causeOut) + if len(errors) > 0 { + out.Errors = append(out.Errors, errors...) + } + } else { + out.Errors = append(out.Errors, causeOut) + } + } + if len(out.Errors) == 0 { + out.Error = &OutputError{e.ErrorKind, p} + } + return out +} diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/position.go b/vendor/github.com/santhosh-tekuri/jsonschema/v6/position.go new file mode 100644 index 0000000000..576a2a47f7 --- /dev/null +++ b/vendor/github.com/santhosh-tekuri/jsonschema/v6/position.go @@ -0,0 +1,142 @@ +package jsonschema + +import ( + "strconv" + "strings" +) + +// Position tells possible tokens in json. +type Position interface { + collect(v any, ptr jsonPointer) map[jsonPointer]any +} + +// -- + +type AllProp struct{} + +func (AllProp) collect(v any, ptr jsonPointer) map[jsonPointer]any { + obj, ok := v.(map[string]any) + if !ok { + return nil + } + m := map[jsonPointer]any{} + for pname, pvalue := range obj { + m[ptr.append(pname)] = pvalue + } + return m +} + +// -- + +type AllItem struct{} + +func (AllItem) collect(v any, ptr jsonPointer) map[jsonPointer]any { + arr, ok := v.([]any) + if !ok { + return nil + } + m := map[jsonPointer]any{} + for i, item := range arr { + m[ptr.append(strconv.Itoa(i))] = item + } + return m +} + +// -- + +type Prop string + +func (p Prop) collect(v any, ptr jsonPointer) map[jsonPointer]any { + obj, ok := v.(map[string]any) + if !ok { + return nil + } + pvalue, ok := obj[string(p)] + if !ok { + return nil + } + return map[jsonPointer]any{ + ptr.append(string(p)): pvalue, + } +} + +// -- + +type Item int + +func (i Item) collect(v any, ptr jsonPointer) map[jsonPointer]any { + arr, ok := v.([]any) + if !ok { + return nil + } + if i < 0 || int(i) >= len(arr) { + return nil + } + return map[jsonPointer]any{ + ptr.append(strconv.Itoa(int(i))): arr[int(i)], + } +} + +// -- + +// SchemaPath tells where to look for subschema inside keyword. +type SchemaPath []Position + +func schemaPath(path string) SchemaPath { + var sp SchemaPath + for _, tok := range strings.Split(path, "/") { + var pos Position + switch tok { + case "*": + pos = AllProp{} + case "[]": + pos = AllItem{} + default: + if i, err := strconv.Atoi(tok); err == nil { + pos = Item(i) + } else { + pos = Prop(tok) + } + } + sp = append(sp, pos) + } + return sp +} + +func (sp SchemaPath) collect(v any, ptr jsonPointer) map[jsonPointer]any { + if len(sp) == 0 { + return map[jsonPointer]any{ + ptr: v, + } + } + p, sp := sp[0], sp[1:] + m := p.collect(v, ptr) + mm := map[jsonPointer]any{} + for ptr, v := range m { + m = sp.collect(v, ptr) + for k, v := range m { + mm[k] = v + } + } + return mm +} + +func (sp SchemaPath) String() string { + var sb strings.Builder + for _, pos := range sp { + if sb.Len() != 0 { + sb.WriteByte('/') + } + switch pos := pos.(type) { + case AllProp: + sb.WriteString("*") + case AllItem: + sb.WriteString("[]") + case Prop: + sb.WriteString(string(pos)) + case Item: + sb.WriteString(strconv.Itoa(int(pos))) + } + } + return sb.String() +} diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/root.go b/vendor/github.com/santhosh-tekuri/jsonschema/v6/root.go new file mode 100644 index 0000000000..a8b819bab0 --- /dev/null +++ b/vendor/github.com/santhosh-tekuri/jsonschema/v6/root.go @@ -0,0 +1,202 @@ +package jsonschema + +import ( + "fmt" + "slices" + "strings" +) + +type root struct { + url url + doc any + resources map[jsonPointer]*resource + subschemasProcessed map[jsonPointer]struct{} +} + +func (r *root) rootResource() *resource { + return r.resources[""] +} + +func (r *root) resource(ptr jsonPointer) *resource { + for { + if res, ok := r.resources[ptr]; ok { + return res + } + slash := strings.LastIndexByte(string(ptr), '/') + if slash == -1 { + break + } + ptr = ptr[:slash] + } + return r.rootResource() +} + +func (r *root) resolveFragmentIn(frag fragment, res *resource) (urlPtr, error) { + var ptr jsonPointer + switch f := frag.convert().(type) { + case jsonPointer: + ptr = res.ptr.concat(f) + case anchor: + aptr, ok := res.anchors[f] + if !ok { + return urlPtr{}, &AnchorNotFoundError{ + URL: r.url.String(), + Reference: (&urlFrag{res.id, frag}).String(), + } + } + ptr = aptr + } + return urlPtr{r.url, ptr}, nil +} + +func (r *root) resolveFragment(frag fragment) (urlPtr, error) { + return r.resolveFragmentIn(frag, r.rootResource()) +} + +// resolves urlFrag to urlPtr from root. +// returns nil if it is external. +func (r *root) resolve(uf urlFrag) (*urlPtr, error) { + var res *resource + if uf.url == r.url { + res = r.rootResource() + } else { + // look for resource with id==uf.url + for _, v := range r.resources { + if v.id == uf.url { + res = v + break + } + } + if res == nil { + return nil, nil // external url + } + } + up, err := r.resolveFragmentIn(uf.frag, res) + return &up, err +} + +func (r *root) collectAnchors(sch any, schPtr jsonPointer, res *resource) error { + obj, ok := sch.(map[string]any) + if !ok { + return nil + } + + addAnchor := func(anchor anchor) error { + ptr1, ok := res.anchors[anchor] + if ok { + if ptr1 == schPtr { + // anchor with same root_ptr already exists + return nil + } + return &DuplicateAnchorError{ + string(anchor), r.url.String(), string(ptr1), string(schPtr), + } + } + res.anchors[anchor] = schPtr + return nil + } + + if res.dialect.draft.version < 2019 { + if _, ok := obj["$ref"]; ok { + // All other properties in a "$ref" object MUST be ignored + return nil + } + // anchor is specified in id + if id, ok := strVal(obj, res.dialect.draft.id); ok { + _, frag, err := splitFragment(id) + if err != nil { + loc := urlPtr{r.url, schPtr} + return &ParseAnchorError{loc.String()} + } + if anchor, ok := frag.convert().(anchor); ok { + if err := addAnchor(anchor); err != nil { + return err + } + } + } + } + if res.dialect.draft.version >= 2019 { + if s, ok := strVal(obj, "$anchor"); ok { + if err := addAnchor(anchor(s)); err != nil { + return err + } + } + } + if res.dialect.draft.version >= 2020 { + if s, ok := strVal(obj, "$dynamicAnchor"); ok { + if err := addAnchor(anchor(s)); err != nil { + return err + } + res.dynamicAnchors = append(res.dynamicAnchors, anchor(s)) + } + } + + return nil +} + +func (r *root) clone() *root { + processed := map[jsonPointer]struct{}{} + for k := range r.subschemasProcessed { + processed[k] = struct{}{} + } + resources := map[jsonPointer]*resource{} + for k, v := range r.resources { + resources[k] = v.clone() + } + return &root{ + url: r.url, + doc: r.doc, + resources: resources, + subschemasProcessed: processed, + } +} + +// -- + +type resource struct { + ptr jsonPointer + id url + dialect dialect + anchors map[anchor]jsonPointer + dynamicAnchors []anchor +} + +func newResource(ptr jsonPointer, id url) *resource { + return &resource{ptr: ptr, id: id, anchors: make(map[anchor]jsonPointer)} +} + +func (res *resource) clone() *resource { + anchors := map[anchor]jsonPointer{} + for k, v := range res.anchors { + anchors[k] = v + } + return &resource{ + ptr: res.ptr, + id: res.id, + dialect: res.dialect, + anchors: anchors, + dynamicAnchors: slices.Clone(res.dynamicAnchors), + } +} + +//-- + +type UnsupportedVocabularyError struct { + URL string + Vocabulary string +} + +func (e *UnsupportedVocabularyError) Error() string { + return fmt.Sprintf("unsupported vocabulary %q in %q", e.Vocabulary, e.URL) +} + +// -- + +type AnchorNotFoundError struct { + URL string + Reference string +} + +func (e *AnchorNotFoundError) Error() string { + return fmt.Sprintf("anchor in %q not found in schema %q", e.Reference, e.URL) +} diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/roots.go b/vendor/github.com/santhosh-tekuri/jsonschema/v6/roots.go new file mode 100644 index 0000000000..a8d0ef0ce2 --- /dev/null +++ b/vendor/github.com/santhosh-tekuri/jsonschema/v6/roots.go @@ -0,0 +1,286 @@ +package jsonschema + +import ( + "fmt" + "strings" +) + +type roots struct { + defaultDraft *Draft + roots map[url]*root + loader defaultLoader + regexpEngine RegexpEngine + vocabularies map[string]*Vocabulary + assertVocabs bool +} + +func newRoots() *roots { + return &roots{ + defaultDraft: draftLatest, + roots: map[url]*root{}, + loader: defaultLoader{ + docs: map[url]any{}, + loader: FileLoader{}, + }, + regexpEngine: goRegexpCompile, + vocabularies: map[string]*Vocabulary{}, + } +} + +func (rr *roots) orLoad(u url) (*root, error) { + if r, ok := rr.roots[u]; ok { + return r, nil + } + doc, err := rr.loader.load(u) + if err != nil { + return nil, err + } + return rr.addRoot(u, doc) +} + +func (rr *roots) addRoot(u url, doc any) (*root, error) { + r := &root{ + url: u, + doc: doc, + resources: map[jsonPointer]*resource{}, + subschemasProcessed: map[jsonPointer]struct{}{}, + } + if err := rr.collectResources(r, doc, u, "", dialect{rr.defaultDraft, nil}); err != nil { + return nil, err + } + if !strings.HasPrefix(u.String(), "http://json-schema.org/") && + !strings.HasPrefix(u.String(), "https://json-schema.org/") { + if err := rr.validate(r, doc, ""); err != nil { + return nil, err + } + } + + rr.roots[u] = r + return r, nil +} + +func (rr *roots) resolveFragment(uf urlFrag) (urlPtr, error) { + r, err := rr.orLoad(uf.url) + if err != nil { + return urlPtr{}, err + } + return r.resolveFragment(uf.frag) +} + +func (rr *roots) collectResources(r *root, sch any, base url, schPtr jsonPointer, fallback dialect) error { + if _, ok := r.subschemasProcessed[schPtr]; ok { + return nil + } + if err := rr._collectResources(r, sch, base, schPtr, fallback); err != nil { + return err + } + r.subschemasProcessed[schPtr] = struct{}{} + return nil +} + +func (rr *roots) _collectResources(r *root, sch any, base url, schPtr jsonPointer, fallback dialect) error { + obj, ok := sch.(map[string]any) + if !ok { + if schPtr.isEmpty() { + // root resource + res := newResource(schPtr, base) + res.dialect = fallback + r.resources[schPtr] = res + } + return nil + } + + hasSchema := false + if sch, ok := obj["$schema"]; ok { + if _, ok := sch.(string); ok { + hasSchema = true + } + } + + draft, err := rr.loader.getDraft(urlPtr{r.url, schPtr}, sch, fallback.draft, map[url]struct{}{}) + if err != nil { + return err + } + id := draft.getID(obj) + if id == "" && !schPtr.isEmpty() { + // ignore $schema + draft = fallback.draft + hasSchema = false + id = draft.getID(obj) + } + + var res *resource + if id != "" { + uf, err := base.join(id) + if err != nil { + loc := urlPtr{r.url, schPtr} + return &ParseIDError{loc.String()} + } + base = uf.url + res = newResource(schPtr, base) + } else if schPtr.isEmpty() { + // root resource + res = newResource(schPtr, base) + } + + if res != nil { + found := false + for _, res := range r.resources { + if res.id == base { + found = true + if res.ptr != schPtr { + return &DuplicateIDError{base.String(), r.url.String(), string(schPtr), string(res.ptr)} + } + } + } + if !found { + if hasSchema { + vocabs, err := rr.loader.getMetaVocabs(sch, draft, rr.vocabularies) + if err != nil { + return err + } + res.dialect = dialect{draft, vocabs} + } else { + res.dialect = fallback + } + r.resources[schPtr] = res + } + } + + var baseRes *resource + for _, res := range r.resources { + if res.id == base { + baseRes = res + break + } + } + if baseRes == nil { + panic("baseres is nil") + } + + // found base resource + if err := r.collectAnchors(sch, schPtr, baseRes); err != nil { + return err + } + + // process subschemas + subschemas := map[jsonPointer]any{} + for _, sp := range draft.subschemas { + ss := sp.collect(obj, schPtr) + for k, v := range ss { + subschemas[k] = v + } + } + for _, vocab := range baseRes.dialect.activeVocabs(true, rr.vocabularies) { + if v := rr.vocabularies[vocab]; v != nil { + for _, sp := range v.Subschemas { + ss := sp.collect(obj, schPtr) + for k, v := range ss { + subschemas[k] = v + } + } + } + } + for ptr, v := range subschemas { + if err := rr.collectResources(r, v, base, ptr, baseRes.dialect); err != nil { + return err + } + } + + return nil +} + +func (rr *roots) ensureSubschema(up urlPtr) error { + r, err := rr.orLoad(up.url) + if err != nil { + return err + } + if _, ok := r.subschemasProcessed[up.ptr]; ok { + return nil + } + v, err := up.lookup(r.doc) + if err != nil { + return err + } + rClone := r.clone() + if err := rr.addSubschema(rClone, up.ptr); err != nil { + return err + } + if err := rr.validate(rClone, v, up.ptr); err != nil { + return err + } + rr.roots[r.url] = rClone + return nil +} + +func (rr *roots) addSubschema(r *root, ptr jsonPointer) error { + v, err := (&urlPtr{r.url, ptr}).lookup(r.doc) + if err != nil { + return err + } + base := r.resource(ptr) + baseURL := base.id + if err := rr.collectResources(r, v, baseURL, ptr, base.dialect); err != nil { + return err + } + + // collect anchors + if _, ok := r.resources[ptr]; !ok { + res := r.resource(ptr) + if err := r.collectAnchors(v, ptr, res); err != nil { + return err + } + } + return nil +} + +func (rr *roots) validate(r *root, v any, ptr jsonPointer) error { + dialect := r.resource(ptr).dialect + meta := dialect.getSchema(rr.assertVocabs, rr.vocabularies) + if err := meta.validate(v, rr.regexpEngine, meta, r.resources, rr.assertVocabs, rr.vocabularies); err != nil { + up := urlPtr{r.url, ptr} + return &SchemaValidationError{URL: up.String(), Err: err} + } + return nil +} + +// -- + +type InvalidMetaSchemaURLError struct { + URL string + Err error +} + +func (e *InvalidMetaSchemaURLError) Error() string { + return fmt.Sprintf("invalid $schema in %q: %v", e.URL, e.Err) +} + +// -- + +type UnsupportedDraftError struct { + URL string +} + +func (e *UnsupportedDraftError) Error() string { + return fmt.Sprintf("draft %q is not supported", e.URL) +} + +// -- + +type MetaSchemaCycleError struct { + URL string +} + +func (e *MetaSchemaCycleError) Error() string { + return fmt.Sprintf("cycle in resolving $schema in %q", e.URL) +} + +// -- + +type MetaSchemaMismatchError struct { + URL string +} + +func (e *MetaSchemaMismatchError) Error() string { + return fmt.Sprintf("$schema in %q does not match with $schema in root", e.URL) +} diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/schema.go b/vendor/github.com/santhosh-tekuri/jsonschema/v6/schema.go new file mode 100644 index 0000000000..b4c1f37afb --- /dev/null +++ b/vendor/github.com/santhosh-tekuri/jsonschema/v6/schema.go @@ -0,0 +1,254 @@ +package jsonschema + +import ( + "encoding/json" + "fmt" + "math/big" +) + +// Schema is the representation of a compiled +// jsonschema. +type Schema struct { + up urlPtr + resource *Schema + dynamicAnchors map[string]*Schema + allPropsEvaluated bool + allItemsEvaluated bool + numItemsEvaluated int + + DraftVersion int + Location string + + // type agnostic -- + Bool *bool // boolean schema + ID string + Ref *Schema + Anchor string + RecursiveRef *Schema + RecursiveAnchor bool + DynamicRef *DynamicRef + DynamicAnchor string // "" if not specified + Types *Types + Enum *Enum + Const *any + Not *Schema + AllOf []*Schema + AnyOf []*Schema + OneOf []*Schema + If *Schema + Then *Schema + Else *Schema + Format *Format + + // object -- + MaxProperties *int + MinProperties *int + Required []string + PropertyNames *Schema + Properties map[string]*Schema + PatternProperties map[Regexp]*Schema + AdditionalProperties any // nil or bool or *Schema + Dependencies map[string]any // value is []string or *Schema + DependentRequired map[string][]string + DependentSchemas map[string]*Schema + UnevaluatedProperties *Schema + + // array -- + MinItems *int + MaxItems *int + UniqueItems bool + Contains *Schema + MinContains *int + MaxContains *int + Items any // nil or []*Schema or *Schema + AdditionalItems any // nil or bool or *Schema + PrefixItems []*Schema + Items2020 *Schema + UnevaluatedItems *Schema + + // string -- + MinLength *int + MaxLength *int + Pattern Regexp + ContentEncoding *Decoder + ContentMediaType *MediaType + ContentSchema *Schema + + // number -- + Maximum *big.Rat + Minimum *big.Rat + ExclusiveMaximum *big.Rat + ExclusiveMinimum *big.Rat + MultipleOf *big.Rat + + Extensions []SchemaExt + + // annotations -- + Title string + Description string + Default *any + Comment string + ReadOnly bool + WriteOnly bool + Examples []any + Deprecated bool +} + +// -- + +type jsonType int + +const ( + invalidType jsonType = 0 + nullType jsonType = 1 << iota + booleanType + numberType + integerType + stringType + arrayType + objectType +) + +func typeOf(v any) jsonType { + switch v.(type) { + case nil: + return nullType + case bool: + return booleanType + case json.Number, float32, float64, int, int8, int16, int32, int64, uint, uint8, uint16, uint32, uint64: + return numberType + case string: + return stringType + case []any: + return arrayType + case map[string]any: + return objectType + default: + return invalidType + } +} + +func typeFromString(s string) jsonType { + switch s { + case "null": + return nullType + case "boolean": + return booleanType + case "number": + return numberType + case "integer": + return integerType + case "string": + return stringType + case "array": + return arrayType + case "object": + return objectType + } + return invalidType +} + +func (jt jsonType) String() string { + switch jt { + case nullType: + return "null" + case booleanType: + return "boolean" + case numberType: + return "number" + case integerType: + return "integer" + case stringType: + return "string" + case arrayType: + return "array" + case objectType: + return "object" + } + return "" +} + +// -- + +// Types encapsulates list of json value types. +type Types int + +func newTypes(v any) *Types { + var types Types + switch v := v.(type) { + case string: + types.Add(v) + case []any: + for _, item := range v { + if s, ok := item.(string); ok { + types.Add(s) + } + } + } + if types.IsEmpty() { + return nil + } + return &types +} + +func (tt Types) IsEmpty() bool { + return tt == 0 +} + +// Add specified json type. If typ is +// not valid json type it is ignored. +func (tt *Types) Add(typ string) { + tt.add(typeFromString(typ)) +} + +func (tt *Types) add(t jsonType) { + *tt = Types(int(*tt) | int(t)) +} + +func (tt Types) contains(t jsonType) bool { + return int(tt)&int(t) != 0 +} + +func (tt Types) ToStrings() []string { + types := []jsonType{ + nullType, booleanType, numberType, integerType, + stringType, arrayType, objectType, + } + var arr []string + for _, t := range types { + if tt.contains(t) { + arr = append(arr, t.String()) + } + } + return arr +} + +func (tt Types) String() string { + return fmt.Sprintf("%v", tt.ToStrings()) +} + +// -- + +type Enum struct { + Values []any + types Types +} + +func newEnum(arr []any) *Enum { + var types Types + for _, item := range arr { + types.add(typeOf(item)) + } + return &Enum{arr, types} +} + +// -- + +type DynamicRef struct { + Ref *Schema + Anchor string // "" if not specified +} + +func newSchema(up urlPtr) *Schema { + return &Schema{up: up, Location: up.String()} +} diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/util.go b/vendor/github.com/santhosh-tekuri/jsonschema/v6/util.go new file mode 100644 index 0000000000..c6f8e77526 --- /dev/null +++ b/vendor/github.com/santhosh-tekuri/jsonschema/v6/util.go @@ -0,0 +1,464 @@ +package jsonschema + +import ( + "encoding/json" + "fmt" + "hash/maphash" + "math/big" + gourl "net/url" + "path/filepath" + "runtime" + "slices" + "strconv" + "strings" + + "github.com/santhosh-tekuri/jsonschema/v6/kind" + "golang.org/x/text/message" +) + +// -- + +type url (string) + +func (u url) String() string { + return string(u) +} + +func (u url) join(ref string) (*urlFrag, error) { + base, err := gourl.Parse(string(u)) + if err != nil { + return nil, &ParseURLError{URL: u.String(), Err: err} + } + + ref, frag, err := splitFragment(ref) + if err != nil { + return nil, err + } + refURL, err := gourl.Parse(ref) + if err != nil { + return nil, &ParseURLError{URL: ref, Err: err} + } + resolved := base.ResolveReference(refURL) + + // see https://github.com/golang/go/issues/66084 (net/url: ResolveReference ignores Opaque value) + if !refURL.IsAbs() && base.Opaque != "" { + resolved.Opaque = base.Opaque + } + + return &urlFrag{url: url(resolved.String()), frag: frag}, nil +} + +// -- + +type jsonPointer string + +func escape(tok string) string { + tok = strings.ReplaceAll(tok, "~", "~0") + tok = strings.ReplaceAll(tok, "/", "~1") + return tok +} + +func unescape(tok string) (string, bool) { + tilde := strings.IndexByte(tok, '~') + if tilde == -1 { + return tok, true + } + sb := new(strings.Builder) + for { + sb.WriteString(tok[:tilde]) + tok = tok[tilde+1:] + if tok == "" { + return "", false + } + switch tok[0] { + case '0': + sb.WriteByte('~') + case '1': + sb.WriteByte('/') + default: + return "", false + } + tok = tok[1:] + tilde = strings.IndexByte(tok, '~') + if tilde == -1 { + sb.WriteString(tok) + break + } + } + return sb.String(), true +} + +func (ptr jsonPointer) isEmpty() bool { + return string(ptr) == "" +} + +func (ptr jsonPointer) concat(next jsonPointer) jsonPointer { + return jsonPointer(fmt.Sprintf("%s%s", ptr, next)) +} + +func (ptr jsonPointer) append(tok string) jsonPointer { + return jsonPointer(fmt.Sprintf("%s/%s", ptr, escape(tok))) +} + +func (ptr jsonPointer) append2(tok1, tok2 string) jsonPointer { + return jsonPointer(fmt.Sprintf("%s/%s/%s", ptr, escape(tok1), escape(tok2))) +} + +// -- + +type anchor string + +// -- + +type fragment string + +func decode(frag string) (string, error) { + return gourl.PathUnescape(frag) +} + +// avoids escaping /. +func encode(frag string) string { + var sb strings.Builder + for i, tok := range strings.Split(frag, "/") { + if i > 0 { + sb.WriteByte('/') + } + sb.WriteString(gourl.PathEscape(tok)) + } + return sb.String() +} + +func splitFragment(str string) (string, fragment, error) { + u, f := split(str) + f, err := decode(f) + if err != nil { + return "", fragment(""), &ParseURLError{URL: str, Err: err} + } + return u, fragment(f), nil +} + +func split(str string) (string, string) { + hash := strings.IndexByte(str, '#') + if hash == -1 { + return str, "" + } + return str[:hash], str[hash+1:] +} + +func (frag fragment) convert() any { + str := string(frag) + if str == "" || strings.HasPrefix(str, "/") { + return jsonPointer(str) + } + return anchor(str) +} + +// -- + +type urlFrag struct { + url url + frag fragment +} + +func startsWithWindowsDrive(s string) bool { + if s != "" && strings.HasPrefix(s[1:], `:\`) { + return (s[0] >= 'a' && s[0] <= 'z') || (s[0] >= 'A' && s[0] <= 'Z') + } + return false +} + +func absolute(input string) (*urlFrag, error) { + u, frag, err := splitFragment(input) + if err != nil { + return nil, err + } + + // if windows absolute file path, convert to file url + // because: net/url parses driver name as scheme + if runtime.GOOS == "windows" && startsWithWindowsDrive(u) { + u = "file:///" + filepath.ToSlash(u) + } + + gourl, err := gourl.Parse(u) + if err != nil { + return nil, &ParseURLError{URL: input, Err: err} + } + if gourl.IsAbs() { + return &urlFrag{url(u), frag}, nil + } + + // avoid filesystem api in wasm + if runtime.GOOS != "js" { + abs, err := filepath.Abs(u) + if err != nil { + return nil, &ParseURLError{URL: input, Err: err} + } + u = abs + } + if !strings.HasPrefix(u, "/") { + u = "/" + u + } + u = "file://" + filepath.ToSlash(u) + + _, err = gourl.Parse(u) + if err != nil { + return nil, &ParseURLError{URL: input, Err: err} + } + return &urlFrag{url: url(u), frag: frag}, nil +} + +func (uf *urlFrag) String() string { + return fmt.Sprintf("%s#%s", uf.url, encode(string(uf.frag))) +} + +// -- + +type urlPtr struct { + url url + ptr jsonPointer +} + +func (up *urlPtr) lookup(v any) (any, error) { + for _, tok := range strings.Split(string(up.ptr), "/")[1:] { + tok, ok := unescape(tok) + if !ok { + return nil, &InvalidJsonPointerError{up.String()} + } + switch val := v.(type) { + case map[string]any: + if pvalue, ok := val[tok]; ok { + v = pvalue + continue + } + case []any: + if index, err := strconv.Atoi(tok); err == nil { + if index >= 0 && index < len(val) { + v = val[index] + continue + } + } + } + return nil, &JSONPointerNotFoundError{up.String()} + } + return v, nil +} + +func (up *urlPtr) format(tok string) string { + return fmt.Sprintf("%s#%s/%s", up.url, encode(string(up.ptr)), encode(escape(tok))) +} + +func (up *urlPtr) String() string { + return fmt.Sprintf("%s#%s", up.url, encode(string(up.ptr))) +} + +// -- + +func minInt(i, j int) int { + if i < j { + return i + } + return j +} + +func strVal(obj map[string]any, prop string) (string, bool) { + v, ok := obj[prop] + if !ok { + return "", false + } + s, ok := v.(string) + return s, ok +} + +func isInteger(num any) bool { + rat, ok := new(big.Rat).SetString(fmt.Sprint(num)) + return ok && rat.IsInt() +} + +// quote returns single-quoted string. +// used for embedding quoted strings in json. +func quote(s string) string { + s = fmt.Sprintf("%q", s) + s = strings.ReplaceAll(s, `\"`, `"`) + s = strings.ReplaceAll(s, `'`, `\'`) + return "'" + s[1:len(s)-1] + "'" +} + +func equals(v1, v2 any) (bool, ErrorKind) { + switch v1 := v1.(type) { + case map[string]any: + v2, ok := v2.(map[string]any) + if !ok || len(v1) != len(v2) { + return false, nil + } + for k, val1 := range v1 { + val2, ok := v2[k] + if !ok { + return false, nil + } + if ok, k := equals(val1, val2); !ok || k != nil { + return ok, k + } + } + return true, nil + case []any: + v2, ok := v2.([]any) + if !ok || len(v1) != len(v2) { + return false, nil + } + for i := range v1 { + if ok, k := equals(v1[i], v2[i]); !ok || k != nil { + return ok, k + } + } + return true, nil + case nil: + return v2 == nil, nil + case bool: + v2, ok := v2.(bool) + return ok && v1 == v2, nil + case string: + v2, ok := v2.(string) + return ok && v1 == v2, nil + case json.Number, float32, float64, int, int8, int16, int32, int64, uint, uint8, uint16, uint32, uint64: + num1, ok1 := new(big.Rat).SetString(fmt.Sprint(v1)) + num2, ok2 := new(big.Rat).SetString(fmt.Sprint(v2)) + return ok1 && ok2 && num1.Cmp(num2) == 0, nil + default: + return false, &kind.InvalidJsonValue{Value: v1} + } +} + +func duplicates(arr []any) (int, int, ErrorKind) { + if len(arr) <= 20 { + for i := 1; i < len(arr); i++ { + for j := 0; j < i; j++ { + if ok, k := equals(arr[i], arr[j]); ok || k != nil { + return j, i, k + } + } + } + return -1, -1, nil + } + + m := make(map[uint64][]int) + h := new(maphash.Hash) + for i, item := range arr { + h.Reset() + writeHash(item, h) + hash := h.Sum64() + indexes, ok := m[hash] + if ok { + for _, j := range indexes { + if ok, k := equals(item, arr[j]); ok || k != nil { + return j, i, k + } + } + } + indexes = append(indexes, i) + m[hash] = indexes + } + return -1, -1, nil +} + +func writeHash(v any, h *maphash.Hash) ErrorKind { + switch v := v.(type) { + case map[string]any: + _ = h.WriteByte(0) + props := make([]string, 0, len(v)) + for prop := range v { + props = append(props, prop) + } + slices.Sort(props) + for _, prop := range props { + writeHash(prop, h) + writeHash(v[prop], h) + } + case []any: + _ = h.WriteByte(1) + for _, item := range v { + writeHash(item, h) + } + case nil: + _ = h.WriteByte(2) + case bool: + _ = h.WriteByte(3) + if v { + _ = h.WriteByte(1) + } else { + _ = h.WriteByte(0) + } + case string: + _ = h.WriteByte(4) + _, _ = h.WriteString(v) + case json.Number, float32, float64, int, int8, int16, int32, int64, uint, uint8, uint16, uint32, uint64: + _ = h.WriteByte(5) + num, _ := new(big.Rat).SetString(fmt.Sprint(v)) + _, _ = h.Write(num.Num().Bytes()) + _, _ = h.Write(num.Denom().Bytes()) + default: + return &kind.InvalidJsonValue{Value: v} + } + return nil +} + +// -- + +type ParseURLError struct { + URL string + Err error +} + +func (e *ParseURLError) Error() string { + return fmt.Sprintf("error in parsing %q: %v", e.URL, e.Err) +} + +// -- + +type InvalidJsonPointerError struct { + URL string +} + +func (e *InvalidJsonPointerError) Error() string { + return fmt.Sprintf("invalid json-pointer %q", e.URL) +} + +// -- + +type JSONPointerNotFoundError struct { + URL string +} + +func (e *JSONPointerNotFoundError) Error() string { + return fmt.Sprintf("json-pointer in %q not found", e.URL) +} + +// -- + +type SchemaValidationError struct { + URL string + Err error +} + +func (e *SchemaValidationError) Error() string { + return fmt.Sprintf("%q is not valid against metaschema: %v", e.URL, e.Err) +} + +// -- + +// LocalizableError is an error whose message is localizable. +func LocalizableError(format string, args ...any) error { + return &localizableError{format, args} +} + +type localizableError struct { + msg string + args []any +} + +func (e *localizableError) Error() string { + return fmt.Sprintf(e.msg, e.args...) +} + +func (e *localizableError) LocalizedError(p *message.Printer) string { + return p.Sprintf(e.msg, e.args...) +} diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/validator.go b/vendor/github.com/santhosh-tekuri/jsonschema/v6/validator.go new file mode 100644 index 0000000000..e2ace37a9f --- /dev/null +++ b/vendor/github.com/santhosh-tekuri/jsonschema/v6/validator.go @@ -0,0 +1,975 @@ +package jsonschema + +import ( + "encoding/json" + "fmt" + "math/big" + "slices" + "strconv" + "unicode/utf8" + + "github.com/santhosh-tekuri/jsonschema/v6/kind" + "golang.org/x/text/message" +) + +func (sch *Schema) Validate(v any) error { + return sch.validate(v, nil, nil, nil, false, nil) +} + +func (sch *Schema) validate(v any, regexpEngine RegexpEngine, meta *Schema, resources map[jsonPointer]*resource, assertVocabs bool, vocabularies map[string]*Vocabulary) error { + vd := validator{ + v: v, + vloc: make([]string, 0, 8), + sch: sch, + scp: &scope{sch, "", 0, nil}, + uneval: unevalFrom(v, sch, false), + errors: nil, + boolResult: false, + regexpEngine: regexpEngine, + meta: meta, + resources: resources, + assertVocabs: assertVocabs, + vocabularies: vocabularies, + } + if _, err := vd.validate(); err != nil { + verr := err.(*ValidationError) + var causes []*ValidationError + if _, ok := verr.ErrorKind.(*kind.Group); ok { + causes = verr.Causes + } else { + causes = []*ValidationError{verr} + } + return &ValidationError{ + SchemaURL: sch.Location, + InstanceLocation: nil, + ErrorKind: &kind.Schema{Location: sch.Location}, + Causes: causes, + } + } + + return nil +} + +type validator struct { + v any + vloc []string + sch *Schema + scp *scope + uneval *uneval + errors []*ValidationError + boolResult bool // is interested to know valid or not (but not actuall error) + regexpEngine RegexpEngine + + // meta validation + meta *Schema // set only when validating with metaschema + resources map[jsonPointer]*resource // resources which should be validated with their dialect + assertVocabs bool + vocabularies map[string]*Vocabulary +} + +func (vd *validator) validate() (*uneval, error) { + s := vd.sch + v := vd.v + + // boolean -- + if s.Bool != nil { + if *s.Bool { + return vd.uneval, nil + } else { + return nil, vd.error(&kind.FalseSchema{}) + } + } + + // check cycle -- + if scp := vd.scp.checkCycle(); scp != nil { + return nil, vd.error(&kind.RefCycle{ + URL: s.Location, + KeywordLocation1: vd.scp.kwLoc(), + KeywordLocation2: scp.kwLoc(), + }) + } + + t := typeOf(v) + if t == invalidType { + return nil, vd.error(&kind.InvalidJsonValue{Value: v}) + } + + // type -- + if s.Types != nil && !s.Types.IsEmpty() { + matched := s.Types.contains(t) || (s.Types.contains(integerType) && t == numberType && isInteger(v)) + if !matched { + return nil, vd.error(&kind.Type{Got: t.String(), Want: s.Types.ToStrings()}) + } + } + + // const -- + if s.Const != nil { + ok, k := equals(v, *s.Const) + if k != nil { + return nil, vd.error(k) + } else if !ok { + return nil, vd.error(&kind.Const{Got: v, Want: *s.Const}) + } + } + + // enum -- + if s.Enum != nil { + matched := s.Enum.types.contains(typeOf(v)) + if matched { + matched = false + for _, item := range s.Enum.Values { + ok, k := equals(v, item) + if k != nil { + return nil, vd.error(k) + } else if ok { + matched = true + break + } + } + } + if !matched { + return nil, vd.error(&kind.Enum{Got: v, Want: s.Enum.Values}) + } + } + + // format -- + if s.Format != nil { + var err error + if s.Format.Name == "regex" && vd.regexpEngine != nil { + err = vd.regexpEngine.validate(v) + } else { + err = s.Format.Validate(v) + } + if err != nil { + return nil, vd.error(&kind.Format{Got: v, Want: s.Format.Name, Err: err}) + } + } + + // $ref -- + if s.Ref != nil { + err := vd.validateRef(s.Ref, "$ref") + if s.DraftVersion < 2019 { + return vd.uneval, err + } + if err != nil { + vd.addErr(err) + } + } + + // type specific validations -- + switch v := v.(type) { + case map[string]any: + vd.objValidate(v) + case []any: + vd.arrValidate(v) + case string: + vd.strValidate(v) + case json.Number, float32, float64, int, int8, int16, int32, int64, uint, uint8, uint16, uint32, uint64: + vd.numValidate(v) + } + + if len(vd.errors) == 0 || !vd.boolResult { + if s.DraftVersion >= 2019 { + vd.validateRefs() + } + vd.condValidate() + + for _, ext := range s.Extensions { + ext.Validate(&ValidatorContext{vd}, v) + } + + if s.DraftVersion >= 2019 { + vd.unevalValidate() + } + } + + switch len(vd.errors) { + case 0: + return vd.uneval, nil + case 1: + return nil, vd.errors[0] + default: + verr := vd.error(&kind.Group{}) + verr.Causes = vd.errors + return nil, verr + } +} + +func (vd *validator) objValidate(obj map[string]any) { + s := vd.sch + + // minProperties -- + if s.MinProperties != nil { + if len(obj) < *s.MinProperties { + vd.addError(&kind.MinProperties{Got: len(obj), Want: *s.MinProperties}) + } + } + + // maxProperties -- + if s.MaxProperties != nil { + if len(obj) > *s.MaxProperties { + vd.addError(&kind.MaxProperties{Got: len(obj), Want: *s.MaxProperties}) + } + } + + // required -- + if len(s.Required) > 0 { + if missing := vd.findMissing(obj, s.Required); missing != nil { + vd.addError(&kind.Required{Missing: missing}) + } + } + + if vd.boolResult && len(vd.errors) > 0 { + return + } + + // dependencies -- + for pname, dep := range s.Dependencies { + if _, ok := obj[pname]; ok { + switch dep := dep.(type) { + case []string: + if missing := vd.findMissing(obj, dep); missing != nil { + vd.addError(&kind.Dependency{Prop: pname, Missing: missing}) + } + case *Schema: + vd.addErr(vd.validateSelf(dep, "", false)) + } + } + } + + var additionalPros []string + for pname, pvalue := range obj { + if vd.boolResult && len(vd.errors) > 0 { + return + } + evaluated := false + + // properties -- + if sch, ok := s.Properties[pname]; ok { + evaluated = true + vd.addErr(vd.validateVal(sch, pvalue, pname)) + } + + // patternProperties -- + for regex, sch := range s.PatternProperties { + if regex.MatchString(pname) { + evaluated = true + vd.addErr(vd.validateVal(sch, pvalue, pname)) + } + } + + if !evaluated && s.AdditionalProperties != nil { + evaluated = true + switch additional := s.AdditionalProperties.(type) { + case bool: + if !additional { + additionalPros = append(additionalPros, pname) + } + case *Schema: + vd.addErr(vd.validateVal(additional, pvalue, pname)) + } + } + + if evaluated { + delete(vd.uneval.props, pname) + } + } + if len(additionalPros) > 0 { + vd.addError(&kind.AdditionalProperties{Properties: additionalPros}) + } + + if s.DraftVersion == 4 { + return + } + + // propertyNames -- + if s.PropertyNames != nil { + for pname := range obj { + sch, meta, resources := s.PropertyNames, vd.meta, vd.resources + res := vd.metaResource(sch) + if res != nil { + meta = res.dialect.getSchema(vd.assertVocabs, vd.vocabularies) + sch = meta + } + if err := sch.validate(pname, vd.regexpEngine, meta, resources, vd.assertVocabs, vd.vocabularies); err != nil { + verr := err.(*ValidationError) + verr.SchemaURL = s.PropertyNames.Location + verr.ErrorKind = &kind.PropertyNames{Property: pname} + vd.addErr(verr) + } + } + } + + if s.DraftVersion == 6 { + return + } + + // dependentSchemas -- + for pname, sch := range s.DependentSchemas { + if _, ok := obj[pname]; ok { + vd.addErr(vd.validateSelf(sch, "", false)) + } + } + + // dependentRequired -- + for pname, reqd := range s.DependentRequired { + if _, ok := obj[pname]; ok { + if missing := vd.findMissing(obj, reqd); missing != nil { + vd.addError(&kind.DependentRequired{Prop: pname, Missing: missing}) + } + } + } +} + +func (vd *validator) arrValidate(arr []any) { + s := vd.sch + + // minItems -- + if s.MinItems != nil { + if len(arr) < *s.MinItems { + vd.addError(&kind.MinItems{Got: len(arr), Want: *s.MinItems}) + } + } + + // maxItems -- + if s.MaxItems != nil { + if len(arr) > *s.MaxItems { + vd.addError(&kind.MaxItems{Got: len(arr), Want: *s.MaxItems}) + } + } + + // uniqueItems -- + if s.UniqueItems && len(arr) > 1 { + i, j, k := duplicates(arr) + if k != nil { + vd.addError(k) + } else if i != -1 { + vd.addError(&kind.UniqueItems{Duplicates: [2]int{i, j}}) + } + } + + if s.DraftVersion < 2020 { + evaluated := 0 + + // items -- + switch items := s.Items.(type) { + case *Schema: + for i, item := range arr { + vd.addErr(vd.validateVal(items, item, strconv.Itoa(i))) + } + evaluated = len(arr) + case []*Schema: + min := minInt(len(arr), len(items)) + for i, item := range arr[:min] { + vd.addErr(vd.validateVal(items[i], item, strconv.Itoa(i))) + } + evaluated = min + } + + // additionalItems -- + if s.AdditionalItems != nil { + switch additional := s.AdditionalItems.(type) { + case bool: + if !additional && evaluated != len(arr) { + vd.addError(&kind.AdditionalItems{Count: len(arr) - evaluated}) + } + case *Schema: + for i, item := range arr[evaluated:] { + vd.addErr(vd.validateVal(additional, item, strconv.Itoa(i))) + } + } + } + } else { + evaluated := minInt(len(s.PrefixItems), len(arr)) + + // prefixItems -- + for i, item := range arr[:evaluated] { + vd.addErr(vd.validateVal(s.PrefixItems[i], item, strconv.Itoa(i))) + } + + // items2020 -- + if s.Items2020 != nil { + for i, item := range arr[evaluated:] { + vd.addErr(vd.validateVal(s.Items2020, item, strconv.Itoa(i))) + } + } + } + + // contains -- + if s.Contains != nil { + var errors []*ValidationError + var matched []int + + for i, item := range arr { + if err := vd.validateVal(s.Contains, item, strconv.Itoa(i)); err != nil { + errors = append(errors, err.(*ValidationError)) + } else { + matched = append(matched, i) + if s.DraftVersion >= 2020 { + delete(vd.uneval.items, i) + } + } + } + + // minContains -- + if s.MinContains != nil { + if len(matched) < *s.MinContains { + vd.addErrors(errors, &kind.MinContains{Got: matched, Want: *s.MinContains}) + } + } else if len(matched) == 0 { + vd.addErrors(errors, &kind.Contains{}) + } + + // maxContains -- + if s.MaxContains != nil { + if len(matched) > *s.MaxContains { + vd.addError(&kind.MaxContains{Got: matched, Want: *s.MaxContains}) + } + } + } +} + +func (vd *validator) strValidate(str string) { + s := vd.sch + + strLen := -1 + if s.MinLength != nil || s.MaxLength != nil { + strLen = utf8.RuneCount([]byte(str)) + } + + // minLength -- + if s.MinLength != nil { + if strLen < *s.MinLength { + vd.addError(&kind.MinLength{Got: strLen, Want: *s.MinLength}) + } + } + + // maxLength -- + if s.MaxLength != nil { + if strLen > *s.MaxLength { + vd.addError(&kind.MaxLength{Got: strLen, Want: *s.MaxLength}) + } + } + + // pattern -- + if s.Pattern != nil { + if !s.Pattern.MatchString(str) { + vd.addError(&kind.Pattern{Got: str, Want: s.Pattern.String()}) + } + } + + if s.DraftVersion == 6 { + return + } + + var err error + + // contentEncoding -- + decoded := []byte(str) + if s.ContentEncoding != nil { + decoded, err = s.ContentEncoding.Decode(str) + if err != nil { + decoded = nil + vd.addError(&kind.ContentEncoding{Want: s.ContentEncoding.Name, Err: err}) + } + } + + var deserialized *any + if decoded != nil && s.ContentMediaType != nil { + if s.ContentSchema == nil { + err = s.ContentMediaType.Validate(decoded) + } else { + var value any + value, err = s.ContentMediaType.UnmarshalJSON(decoded) + if err == nil { + deserialized = &value + } + } + if err != nil { + vd.addError(&kind.ContentMediaType{ + Got: decoded, + Want: s.ContentMediaType.Name, + Err: err, + }) + } + } + + if deserialized != nil && s.ContentSchema != nil { + sch, meta, resources := s.ContentSchema, vd.meta, vd.resources + res := vd.metaResource(sch) + if res != nil { + meta = res.dialect.getSchema(vd.assertVocabs, vd.vocabularies) + sch = meta + } + if err = sch.validate(*deserialized, vd.regexpEngine, meta, resources, vd.assertVocabs, vd.vocabularies); err != nil { + verr := err.(*ValidationError) + verr.SchemaURL = s.Location + verr.ErrorKind = &kind.ContentSchema{} + vd.addErr(verr) + } + } +} + +func (vd *validator) numValidate(v any) { + s := vd.sch + + var numVal *big.Rat + num := func() *big.Rat { + if numVal == nil { + numVal, _ = new(big.Rat).SetString(fmt.Sprintf("%v", v)) + } + return numVal + } + + // minimum -- + if s.Minimum != nil && num().Cmp(s.Minimum) < 0 { + vd.addError(&kind.Minimum{Got: num(), Want: s.Minimum}) + } + + // maximum -- + if s.Maximum != nil && num().Cmp(s.Maximum) > 0 { + vd.addError(&kind.Maximum{Got: num(), Want: s.Maximum}) + } + + // exclusiveMinimum + if s.ExclusiveMinimum != nil && num().Cmp(s.ExclusiveMinimum) <= 0 { + vd.addError(&kind.ExclusiveMinimum{Got: num(), Want: s.ExclusiveMinimum}) + } + + // exclusiveMaximum + if s.ExclusiveMaximum != nil && num().Cmp(s.ExclusiveMaximum) >= 0 { + vd.addError(&kind.ExclusiveMaximum{Got: num(), Want: s.ExclusiveMaximum}) + } + + // multipleOf + if s.MultipleOf != nil { + if q := new(big.Rat).Quo(num(), s.MultipleOf); !q.IsInt() { + vd.addError(&kind.MultipleOf{Got: num(), Want: s.MultipleOf}) + } + } +} + +func (vd *validator) condValidate() { + s := vd.sch + + // not -- + if s.Not != nil { + if vd.validateSelf(s.Not, "", true) == nil { + vd.addError(&kind.Not{}) + } + } + + // allOf -- + if len(s.AllOf) > 0 { + var errors []*ValidationError + for _, sch := range s.AllOf { + if err := vd.validateSelf(sch, "", false); err != nil { + errors = append(errors, err.(*ValidationError)) + if vd.boolResult { + break + } + } + } + if len(errors) != 0 { + vd.addErrors(errors, &kind.AllOf{}) + } + } + + // anyOf + if len(s.AnyOf) > 0 { + var matched bool + var errors []*ValidationError + for _, sch := range s.AnyOf { + if err := vd.validateSelf(sch, "", false); err != nil { + errors = append(errors, err.(*ValidationError)) + } else { + matched = true + // for uneval, all schemas must be evaluated + if vd.uneval.isEmpty() { + break + } + } + } + if !matched { + vd.addErrors(errors, &kind.AnyOf{}) + } + } + + // oneOf + if len(s.OneOf) > 0 { + var matched = -1 + var errors []*ValidationError + for i, sch := range s.OneOf { + if err := vd.validateSelf(sch, "", matched != -1); err != nil { + if matched == -1 { + errors = append(errors, err.(*ValidationError)) + } + } else { + if matched == -1 { + matched = i + } else { + vd.addError(&kind.OneOf{Subschemas: []int{matched, i}}) + break + } + } + } + if matched == -1 { + vd.addErrors(errors, &kind.OneOf{Subschemas: nil}) + } + } + + // if, then, else -- + if s.If != nil { + if vd.validateSelf(s.If, "", true) == nil { + if s.Then != nil { + vd.addErr(vd.validateSelf(s.Then, "", false)) + } + } else if s.Else != nil { + vd.addErr(vd.validateSelf(s.Else, "", false)) + } + } +} + +func (vd *validator) unevalValidate() { + s := vd.sch + + // unevaluatedProperties + if obj, ok := vd.v.(map[string]any); ok && s.UnevaluatedProperties != nil { + for pname := range vd.uneval.props { + if pvalue, ok := obj[pname]; ok { + vd.addErr(vd.validateVal(s.UnevaluatedProperties, pvalue, pname)) + } + } + vd.uneval.props = nil + } + + // unevaluatedItems + if arr, ok := vd.v.([]any); ok && s.UnevaluatedItems != nil { + for i := range vd.uneval.items { + vd.addErr(vd.validateVal(s.UnevaluatedItems, arr[i], strconv.Itoa(i))) + } + vd.uneval.items = nil + } +} + +// validation helpers -- + +func (vd *validator) validateSelf(sch *Schema, refKw string, boolResult bool) error { + scp := vd.scp.child(sch, refKw, vd.scp.vid) + uneval := unevalFrom(vd.v, sch, !vd.uneval.isEmpty()) + subvd := validator{ + v: vd.v, + vloc: vd.vloc, + sch: sch, + scp: scp, + uneval: uneval, + errors: nil, + boolResult: vd.boolResult || boolResult, + regexpEngine: vd.regexpEngine, + meta: vd.meta, + resources: vd.resources, + assertVocabs: vd.assertVocabs, + vocabularies: vd.vocabularies, + } + subvd.handleMeta() + uneval, err := subvd.validate() + if err == nil { + vd.uneval.merge(uneval) + } + return err +} + +func (vd *validator) validateVal(sch *Schema, v any, vtok string) error { + vloc := append(vd.vloc, vtok) + scp := vd.scp.child(sch, "", vd.scp.vid+1) + uneval := unevalFrom(v, sch, false) + subvd := validator{ + v: v, + vloc: vloc, + sch: sch, + scp: scp, + uneval: uneval, + errors: nil, + boolResult: vd.boolResult, + regexpEngine: vd.regexpEngine, + meta: vd.meta, + resources: vd.resources, + assertVocabs: vd.assertVocabs, + vocabularies: vd.vocabularies, + } + subvd.handleMeta() + _, err := subvd.validate() + return err +} + +func (vd *validator) validateValue(sch *Schema, v any, vpath []string) error { + vloc := append(vd.vloc, vpath...) + scp := vd.scp.child(sch, "", vd.scp.vid+1) + uneval := unevalFrom(v, sch, false) + subvd := validator{ + v: v, + vloc: vloc, + sch: sch, + scp: scp, + uneval: uneval, + errors: nil, + boolResult: vd.boolResult, + regexpEngine: vd.regexpEngine, + meta: vd.meta, + resources: vd.resources, + assertVocabs: vd.assertVocabs, + vocabularies: vd.vocabularies, + } + subvd.handleMeta() + _, err := subvd.validate() + return err +} + +func (vd *validator) metaResource(sch *Schema) *resource { + if sch != vd.meta { + return nil + } + ptr := "" + for _, tok := range vd.instanceLocation() { + ptr += "/" + ptr += escape(tok) + } + return vd.resources[jsonPointer(ptr)] +} + +func (vd *validator) handleMeta() { + res := vd.metaResource(vd.sch) + if res == nil { + return + } + sch := res.dialect.getSchema(vd.assertVocabs, vd.vocabularies) + vd.meta = sch + vd.sch = sch +} + +// reference validation -- + +func (vd *validator) validateRef(sch *Schema, kw string) error { + err := vd.validateSelf(sch, kw, false) + if err != nil { + refErr := vd.error(&kind.Reference{Keyword: kw, URL: sch.Location}) + verr := err.(*ValidationError) + if _, ok := verr.ErrorKind.(*kind.Group); ok { + refErr.Causes = verr.Causes + } else { + refErr.Causes = append(refErr.Causes, verr) + } + return refErr + } + return nil +} + +func (vd *validator) resolveRecursiveAnchor(fallback *Schema) *Schema { + sch := fallback + scp := vd.scp + for scp != nil { + if scp.sch.resource.RecursiveAnchor { + sch = scp.sch + } + scp = scp.parent + } + return sch +} + +func (vd *validator) resolveDynamicAnchor(name string, fallback *Schema) *Schema { + sch := fallback + scp := vd.scp + for scp != nil { + if dsch, ok := scp.sch.resource.dynamicAnchors[name]; ok { + sch = dsch + } + scp = scp.parent + } + return sch +} + +func (vd *validator) validateRefs() { + // $recursiveRef -- + if sch := vd.sch.RecursiveRef; sch != nil { + if sch.RecursiveAnchor { + sch = vd.resolveRecursiveAnchor(sch) + } + vd.addErr(vd.validateRef(sch, "$recursiveRef")) + } + + // $dynamicRef -- + if dref := vd.sch.DynamicRef; dref != nil { + sch := dref.Ref // initial target + if dref.Anchor != "" { + // $dynamicRef includes anchor + if sch.DynamicAnchor == dref.Anchor { + // initial target has matching $dynamicAnchor + sch = vd.resolveDynamicAnchor(dref.Anchor, sch) + } + } + vd.addErr(vd.validateRef(sch, "$dynamicRef")) + } +} + +// error helpers -- + +func (vd *validator) instanceLocation() []string { + return slices.Clone(vd.vloc) +} + +func (vd *validator) error(kind ErrorKind) *ValidationError { + if vd.boolResult { + return &ValidationError{} + } + return &ValidationError{ + SchemaURL: vd.sch.Location, + InstanceLocation: vd.instanceLocation(), + ErrorKind: kind, + Causes: nil, + } +} + +func (vd *validator) addErr(err error) { + if err != nil { + vd.errors = append(vd.errors, err.(*ValidationError)) + } +} + +func (vd *validator) addError(kind ErrorKind) { + vd.errors = append(vd.errors, vd.error(kind)) +} + +func (vd *validator) addErrors(errors []*ValidationError, kind ErrorKind) { + err := vd.error(kind) + err.Causes = errors + vd.errors = append(vd.errors, err) +} + +func (vd *validator) findMissing(obj map[string]any, reqd []string) []string { + var missing []string + for _, pname := range reqd { + if _, ok := obj[pname]; !ok { + if vd.boolResult { + return []string{} // non-nil + } + missing = append(missing, pname) + } + } + return missing +} + +// -- + +type scope struct { + sch *Schema + + // if empty, compute from self.sch and self.parent.sch. + // not empty, only when there is a jump i.e, $ref, $XXXRef + refKeyword string + + // unique id of value being validated + // if two scopes validate same value, they will have + // same vid + vid int + + parent *scope +} + +func (sc *scope) child(sch *Schema, refKeyword string, vid int) *scope { + return &scope{sch, refKeyword, vid, sc} +} + +func (sc *scope) checkCycle() *scope { + scp := sc.parent + for scp != nil { + if scp.vid != sc.vid { + break + } + if scp.sch == sc.sch { + return scp + } + scp = scp.parent + } + return nil +} + +func (sc *scope) kwLoc() string { + var loc string + for sc.parent != nil { + if sc.refKeyword != "" { + loc = fmt.Sprintf("/%s%s", escape(sc.refKeyword), loc) + } else { + cur := sc.sch.Location + parent := sc.parent.sch.Location + loc = fmt.Sprintf("%s%s", cur[len(parent):], loc) + } + sc = sc.parent + } + return loc +} + +// -- + +type uneval struct { + props map[string]struct{} + items map[int]struct{} +} + +func unevalFrom(v any, sch *Schema, callerNeeds bool) *uneval { + uneval := &uneval{} + switch v := v.(type) { + case map[string]any: + if !sch.allPropsEvaluated && (callerNeeds || sch.UnevaluatedProperties != nil) { + uneval.props = map[string]struct{}{} + for k := range v { + uneval.props[k] = struct{}{} + } + } + case []any: + if !sch.allItemsEvaluated && (callerNeeds || sch.UnevaluatedItems != nil) && sch.numItemsEvaluated < len(v) { + uneval.items = map[int]struct{}{} + for i := sch.numItemsEvaluated; i < len(v); i++ { + uneval.items[i] = struct{}{} + } + } + } + return uneval +} + +func (ue *uneval) merge(other *uneval) { + for k := range ue.props { + if _, ok := other.props[k]; !ok { + delete(ue.props, k) + } + } + for i := range ue.items { + if _, ok := other.items[i]; !ok { + delete(ue.items, i) + } + } +} + +func (ue *uneval) isEmpty() bool { + return len(ue.props) == 0 && len(ue.items) == 0 +} + +// -- + +type ValidationError struct { + // absolute, dereferenced schema location. + SchemaURL string + + // location of the JSON value within the instance being validated. + InstanceLocation []string + + // kind of error + ErrorKind ErrorKind + + // holds nested errors + Causes []*ValidationError +} + +type ErrorKind interface { + KeywordPath() []string + LocalizedString(*message.Printer) string +} diff --git a/vendor/github.com/santhosh-tekuri/jsonschema/v6/vocab.go b/vendor/github.com/santhosh-tekuri/jsonschema/v6/vocab.go new file mode 100644 index 0000000000..c81cb700f1 --- /dev/null +++ b/vendor/github.com/santhosh-tekuri/jsonschema/v6/vocab.go @@ -0,0 +1,111 @@ +package jsonschema + +// CompilerContext provides helpers for +// compiling a [Vocabulary]. +type CompilerContext struct { + c *objCompiler +} + +func (ctx *CompilerContext) Enqueue(schPath []string) *Schema { + ptr := ctx.c.up.ptr + for _, tok := range schPath { + ptr = ptr.append(tok) + } + return ctx.c.enqueuePtr(ptr) +} + +// Vocabulary defines a set of keywords, their syntax and +// their semantics. +type Vocabulary struct { + // URL identifier for this Vocabulary. + URL string + + // Schema that is used to validate the keywords that is introduced by this + // vocabulary. + Schema *Schema + + // Subschemas lists the possible locations of subschemas introduced by + // this vocabulary. + Subschemas []SchemaPath + + // Compile compiles the keywords(introduced by this vocabulary) in obj into [SchemaExt]. + // If obj does not contain any keywords introduced by this vocabulary, nil SchemaExt must + // be returned. + Compile func(ctx *CompilerContext, obj map[string]any) (SchemaExt, error) +} + +// -- + +// SchemaExt is compled form of vocabulary. +type SchemaExt interface { + // Validate validates v against and errors if any are reported + // to ctx. + Validate(ctx *ValidatorContext, v any) +} + +// ValidatorContext provides helpers for +// validating with [SchemaExt]. +type ValidatorContext struct { + vd *validator +} + +// ValueLocation returns location of value as jsonpath token array. +func (ctx *ValidatorContext) ValueLocation() []string { + return ctx.vd.vloc +} + +// Validate validates v with sch. vpath gives path of v from current context value. +func (ctx *ValidatorContext) Validate(sch *Schema, v any, vpath []string) error { + switch len(vpath) { + case 0: + return ctx.vd.validateSelf(sch, "", false) + case 1: + return ctx.vd.validateVal(sch, v, vpath[0]) + default: + return ctx.vd.validateValue(sch, v, vpath) + } +} + +// EvaluatedProp marks given property of current object as evaluated. +func (ctx *ValidatorContext) EvaluatedProp(pname string) { + delete(ctx.vd.uneval.props, pname) +} + +// EvaluatedItem marks items at given index of current array as evaluated. +func (ctx *ValidatorContext) EvaluatedItem(index int) { + delete(ctx.vd.uneval.items, index) +} + +// AddError reports validation-error of given kind. +func (ctx *ValidatorContext) AddError(k ErrorKind) { + ctx.vd.addError(k) +} + +// AddErrors reports validation-errors of given kind. +func (ctx *ValidatorContext) AddErrors(errors []*ValidationError, k ErrorKind) { + ctx.vd.addErrors(errors, k) +} + +// AddErr reports the given err. This is typically used to report +// the error created by subschema validation. +// +// NOTE that err must be of type *ValidationError. +func (ctx *ValidatorContext) AddErr(err error) { + ctx.vd.addErr(err) +} + +func (ctx *ValidatorContext) Equals(v1, v2 any) (bool, error) { + b, k := equals(v1, v2) + if k != nil { + return false, ctx.vd.error(k) + } + return b, nil +} + +func (ctx *ValidatorContext) Duplicates(arr []any) (int, int, error) { + i, j, k := duplicates(arr) + if k != nil { + return -1, -1, ctx.vd.error(k) + } + return i, j, nil +} diff --git a/vendor/github.com/shopspring/decimal/.gitignore b/vendor/github.com/shopspring/decimal/.gitignore new file mode 100644 index 0000000000..ff36b987f0 --- /dev/null +++ b/vendor/github.com/shopspring/decimal/.gitignore @@ -0,0 +1,9 @@ +.git +*.swp + +# IntelliJ +.idea/ +*.iml + +# VS code +*.code-workspace diff --git a/vendor/github.com/shopspring/decimal/CHANGELOG.md b/vendor/github.com/shopspring/decimal/CHANGELOG.md new file mode 100644 index 0000000000..432d0fd4ea --- /dev/null +++ b/vendor/github.com/shopspring/decimal/CHANGELOG.md @@ -0,0 +1,76 @@ +## Decimal v1.4.0 +#### BREAKING +- Drop support for Go version older than 1.10 [#361](https://github.com/shopspring/decimal/pull/361) + +#### FEATURES +- Add implementation of natural logarithm [#339](https://github.com/shopspring/decimal/pull/339) [#357](https://github.com/shopspring/decimal/pull/357) +- Add improved implementation of power operation [#358](https://github.com/shopspring/decimal/pull/358) +- Add Compare method which forwards calls to Cmp [#346](https://github.com/shopspring/decimal/pull/346) +- Add NewFromBigRat constructor [#288](https://github.com/shopspring/decimal/pull/288) +- Add NewFromUint64 constructor [#352](https://github.com/shopspring/decimal/pull/352) + +#### ENHANCEMENTS +- Migrate to Github Actions [#245](https://github.com/shopspring/decimal/pull/245) [#340](https://github.com/shopspring/decimal/pull/340) +- Fix examples for RoundDown, RoundFloor, RoundUp, and RoundCeil [#285](https://github.com/shopspring/decimal/pull/285) [#328](https://github.com/shopspring/decimal/pull/328) [#341](https://github.com/shopspring/decimal/pull/341) +- Use Godoc standard to mark deprecated Equals and StringScaled methods [#342](https://github.com/shopspring/decimal/pull/342) +- Removed unnecessary min function for RescalePair method [#265](https://github.com/shopspring/decimal/pull/265) +- Avoid reallocation of initial slice in MarshalBinary (GobEncode) [#355](https://github.com/shopspring/decimal/pull/355) +- Optimize NumDigits method [#301](https://github.com/shopspring/decimal/pull/301) [#356](https://github.com/shopspring/decimal/pull/356) +- Optimize BigInt method [#359](https://github.com/shopspring/decimal/pull/359) +- Support scanning uint64 [#131](https://github.com/shopspring/decimal/pull/131) [#364](https://github.com/shopspring/decimal/pull/364) +- Add docs section with alternative libraries [#363](https://github.com/shopspring/decimal/pull/363) + +#### BUGFIXES +- Fix incorrect calculation of decimal modulo [#258](https://github.com/shopspring/decimal/pull/258) [#317](https://github.com/shopspring/decimal/pull/317) +- Allocate new(big.Int) in Copy method to deeply clone it [#278](https://github.com/shopspring/decimal/pull/278) +- Fix overflow edge case in QuoRem method [#322](https://github.com/shopspring/decimal/pull/322) + +## Decimal v1.3.1 + +#### ENHANCEMENTS +- Reduce memory allocation in case of initialization from big.Int [#252](https://github.com/shopspring/decimal/pull/252) + +#### BUGFIXES +- Fix binary marshalling of decimal zero value [#253](https://github.com/shopspring/decimal/pull/253) + +## Decimal v1.3.0 + +#### FEATURES +- Add NewFromFormattedString initializer [#184](https://github.com/shopspring/decimal/pull/184) +- Add NewNullDecimal initializer [#234](https://github.com/shopspring/decimal/pull/234) +- Add implementation of natural exponent function (Taylor, Hull-Abraham) [#229](https://github.com/shopspring/decimal/pull/229) +- Add RoundUp, RoundDown, RoundCeil, RoundFloor methods [#196](https://github.com/shopspring/decimal/pull/196) [#202](https://github.com/shopspring/decimal/pull/202) [#220](https://github.com/shopspring/decimal/pull/220) +- Add XML support for NullDecimal [#192](https://github.com/shopspring/decimal/pull/192) +- Add IsInteger method [#179](https://github.com/shopspring/decimal/pull/179) +- Add Copy helper method [#123](https://github.com/shopspring/decimal/pull/123) +- Add InexactFloat64 helper method [#205](https://github.com/shopspring/decimal/pull/205) +- Add CoefficientInt64 helper method [#244](https://github.com/shopspring/decimal/pull/244) + +#### ENHANCEMENTS +- Performance optimization of NewFromString init method [#198](https://github.com/shopspring/decimal/pull/198) +- Performance optimization of Abs and Round methods [#240](https://github.com/shopspring/decimal/pull/240) +- Additional tests (CI) for ppc64le architecture [#188](https://github.com/shopspring/decimal/pull/188) + +#### BUGFIXES +- Fix rounding in FormatFloat fallback path (roundShortest method, fix taken from Go main repository) [#161](https://github.com/shopspring/decimal/pull/161) +- Add slice range checks to UnmarshalBinary method [#232](https://github.com/shopspring/decimal/pull/232) + +## Decimal v1.2.0 + +#### BREAKING +- Drop support for Go version older than 1.7 [#172](https://github.com/shopspring/decimal/pull/172) + +#### FEATURES +- Add NewFromInt and NewFromInt32 initializers [#72](https://github.com/shopspring/decimal/pull/72) +- Add support for Go modules [#157](https://github.com/shopspring/decimal/pull/157) +- Add BigInt, BigFloat helper methods [#171](https://github.com/shopspring/decimal/pull/171) + +#### ENHANCEMENTS +- Memory usage optimization [#160](https://github.com/shopspring/decimal/pull/160) +- Updated travis CI golang versions [#156](https://github.com/shopspring/decimal/pull/156) +- Update documentation [#173](https://github.com/shopspring/decimal/pull/173) +- Improve code quality [#174](https://github.com/shopspring/decimal/pull/174) + +#### BUGFIXES +- Revert remove insignificant digits [#159](https://github.com/shopspring/decimal/pull/159) +- Remove 15 interval for RoundCash [#166](https://github.com/shopspring/decimal/pull/166) diff --git a/vendor/github.com/shopspring/decimal/LICENSE b/vendor/github.com/shopspring/decimal/LICENSE new file mode 100644 index 0000000000..ad2148aaf9 --- /dev/null +++ b/vendor/github.com/shopspring/decimal/LICENSE @@ -0,0 +1,45 @@ +The MIT License (MIT) + +Copyright (c) 2015 Spring, Inc. + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE. + +- Based on https://github.com/oguzbilgic/fpd, which has the following license: +""" +The MIT License (MIT) + +Copyright (c) 2013 Oguz Bilgic + +Permission is hereby granted, free of charge, to any person obtaining a copy of +this software and associated documentation files (the "Software"), to deal in +the Software without restriction, including without limitation the rights to +use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of +the Software, and to permit persons to whom the Software is furnished to do so, +subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS +FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR +COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. +""" diff --git a/vendor/github.com/shopspring/decimal/README.md b/vendor/github.com/shopspring/decimal/README.md new file mode 100644 index 0000000000..318c9df581 --- /dev/null +++ b/vendor/github.com/shopspring/decimal/README.md @@ -0,0 +1,139 @@ +# decimal + +[![ci](https://github.com/shopspring/decimal/actions/workflows/ci.yml/badge.svg?branch=master)](https://github.com/shopspring/decimal/actions/workflows/ci.yml) +[![GoDoc](https://godoc.org/github.com/shopspring/decimal?status.svg)](https://godoc.org/github.com/shopspring/decimal) +[![Go Report Card](https://goreportcard.com/badge/github.com/shopspring/decimal)](https://goreportcard.com/report/github.com/shopspring/decimal) + +Arbitrary-precision fixed-point decimal numbers in go. + +_Note:_ Decimal library can "only" represent numbers with a maximum of 2^31 digits after the decimal point. + +## Features + + * The zero-value is 0, and is safe to use without initialization + * Addition, subtraction, multiplication with no loss of precision + * Division with specified precision + * Database/sql serialization/deserialization + * JSON and XML serialization/deserialization + +## Install + +Run `go get github.com/shopspring/decimal` + +## Requirements + +Decimal library requires Go version `>=1.10` + +## Documentation + +http://godoc.org/github.com/shopspring/decimal + + +## Usage + +```go +package main + +import ( + "fmt" + "github.com/shopspring/decimal" +) + +func main() { + price, err := decimal.NewFromString("136.02") + if err != nil { + panic(err) + } + + quantity := decimal.NewFromInt(3) + + fee, _ := decimal.NewFromString(".035") + taxRate, _ := decimal.NewFromString(".08875") + + subtotal := price.Mul(quantity) + + preTax := subtotal.Mul(fee.Add(decimal.NewFromFloat(1))) + + total := preTax.Mul(taxRate.Add(decimal.NewFromFloat(1))) + + fmt.Println("Subtotal:", subtotal) // Subtotal: 408.06 + fmt.Println("Pre-tax:", preTax) // Pre-tax: 422.3421 + fmt.Println("Taxes:", total.Sub(preTax)) // Taxes: 37.482861375 + fmt.Println("Total:", total) // Total: 459.824961375 + fmt.Println("Tax rate:", total.Sub(preTax).Div(preTax)) // Tax rate: 0.08875 +} +``` + +## Alternative libraries + +When working with decimal numbers, you might face problems this library is not perfectly suited for. +Fortunately, thanks to the wonderful community we have a dozen other libraries that you can choose from. +Explore other alternatives to find the one that best fits your needs :) + +* [cockroachdb/apd](https://github.com/cockroachdb/apd) - arbitrary precision, mutable and rich API similar to `big.Int`, more performant than this library +* [alpacahq/alpacadecimal](https://github.com/alpacahq/alpacadecimal) - high performance, low precision (12 digits), fully compatible API with this library +* [govalues/decimal](https://github.com/govalues/decimal) - high performance, zero-allocation, low precision (19 digits) +* [greatcloak/decimal](https://github.com/greatcloak/decimal) - fork focusing on billing and e-commerce web application related use cases, includes out-of-the-box BSON marshaling support + +## FAQ + +#### Why don't you just use float64? + +Because float64 (or any binary floating point type, actually) can't represent +numbers such as `0.1` exactly. + +Consider this code: http://play.golang.org/p/TQBd4yJe6B You might expect that +it prints out `10`, but it actually prints `9.999999999999831`. Over time, +these small errors can really add up! + +#### Why don't you just use big.Rat? + +big.Rat is fine for representing rational numbers, but Decimal is better for +representing money. Why? Here's a (contrived) example: + +Let's say you use big.Rat, and you have two numbers, x and y, both +representing 1/3, and you have `z = 1 - x - y = 1/3`. If you print each one +out, the string output has to stop somewhere (let's say it stops at 3 decimal +digits, for simplicity), so you'll get 0.333, 0.333, and 0.333. But where did +the other 0.001 go? + +Here's the above example as code: http://play.golang.org/p/lCZZs0w9KE + +With Decimal, the strings being printed out represent the number exactly. So, +if you have `x = y = 1/3` (with precision 3), they will actually be equal to +0.333, and when you do `z = 1 - x - y`, `z` will be equal to .334. No money is +unaccounted for! + +You still have to be careful. If you want to split a number `N` 3 ways, you +can't just send `N/3` to three different people. You have to pick one to send +`N - (2/3*N)` to. That person will receive the fraction of a penny remainder. + +But, it is much easier to be careful with Decimal than with big.Rat. + +#### Why isn't the API similar to big.Int's? + +big.Int's API is built to reduce the number of memory allocations for maximal +performance. This makes sense for its use-case, but the trade-off is that the +API is awkward and easy to misuse. + +For example, to add two big.Ints, you do: `z := new(big.Int).Add(x, y)`. A +developer unfamiliar with this API might try to do `z := a.Add(a, b)`. This +modifies `a` and sets `z` as an alias for `a`, which they might not expect. It +also modifies any other aliases to `a`. + +Here's an example of the subtle bugs you can introduce with big.Int's API: +https://play.golang.org/p/x2R_78pa8r + +In contrast, it's difficult to make such mistakes with decimal. Decimals +behave like other go numbers types: even though `a = b` will not deep copy +`b` into `a`, it is impossible to modify a Decimal, since all Decimal methods +return new Decimals and do not modify the originals. The downside is that +this causes extra allocations, so Decimal is less performant. My assumption +is that if you're using Decimals, you probably care more about correctness +than performance. + +## License + +The MIT License (MIT) + +This is a heavily modified fork of [fpd.Decimal](https://github.com/oguzbilgic/fpd), which was also released under the MIT License. diff --git a/vendor/github.com/shopspring/decimal/const.go b/vendor/github.com/shopspring/decimal/const.go new file mode 100644 index 0000000000..e5d6fa87e8 --- /dev/null +++ b/vendor/github.com/shopspring/decimal/const.go @@ -0,0 +1,63 @@ +package decimal + +import ( + "strings" +) + +const ( + strLn10 = "2.302585092994045684017991454684364207601101488628772976033327900967572609677352480235997205089598298341967784042286248633409525465082806756666287369098781689482907208325554680843799894826233198528393505308965377732628846163366222287698219886746543667474404243274365155048934314939391479619404400222105101714174800368808401264708068556774321622835522011480466371565912137345074785694768346361679210180644507064800027750268491674655058685693567342067058113642922455440575892572420824131469568901675894025677631135691929203337658714166023010570308963457207544037084746994016826928280848118428931484852494864487192780967627127577539702766860595249671667418348570442250719796500471495105049221477656763693866297697952211071826454973477266242570942932258279850258550978526538320760672631716430950599508780752371033310119785754733154142180842754386359177811705430982748238504564801909561029929182431823752535770975053956518769751037497088869218020518933950723853920514463419726528728696511086257149219884997874887377134568620916705849807828059751193854445009978131146915934666241071846692310107598438319191292230792503747298650929009880391941702654416816335727555703151596113564846546190897042819763365836983716328982174407366009162177850541779276367731145041782137660111010731042397832521894898817597921798666394319523936855916447118246753245630912528778330963604262982153040874560927760726641354787576616262926568298704957954913954918049209069438580790032763017941503117866862092408537949861264933479354871737451675809537088281067452440105892444976479686075120275724181874989395971643105518848195288330746699317814634930000321200327765654130472621883970596794457943468343218395304414844803701305753674262153675579814770458031413637793236291560128185336498466942261465206459942072917119370602444929358037007718981097362533224548366988505528285966192805098447175198503666680874970496982273220244823343097169111136813588418696549323714996941979687803008850408979618598756579894836445212043698216415292987811742973332588607915912510967187510929248475023930572665446276200923068791518135803477701295593646298412366497023355174586195564772461857717369368404676577047874319780573853271810933883496338813069945569399346101090745616033312247949360455361849123333063704751724871276379140924398331810164737823379692265637682071706935846394531616949411701841938119405416449466111274712819705817783293841742231409930022911502362192186723337268385688273533371925103412930705632544426611429765388301822384091026198582888433587455960453004548370789052578473166283701953392231047527564998119228742789713715713228319641003422124210082180679525276689858180956119208391760721080919923461516952599099473782780648128058792731993893453415320185969711021407542282796298237068941764740642225757212455392526179373652434440560595336591539160312524480149313234572453879524389036839236450507881731359711238145323701508413491122324390927681724749607955799151363982881058285740538000653371655553014196332241918087621018204919492651483892" +) + +var ( + ln10 = newConstApproximation(strLn10) +) + +type constApproximation struct { + exact Decimal + approximations []Decimal +} + +func newConstApproximation(value string) constApproximation { + parts := strings.Split(value, ".") + coeff, fractional := parts[0], parts[1] + + coeffLen := len(coeff) + maxPrecision := len(fractional) + + var approximations []Decimal + for p := 1; p < maxPrecision; p *= 2 { + r := RequireFromString(value[:coeffLen+p]) + approximations = append(approximations, r) + } + + return constApproximation{ + RequireFromString(value), + approximations, + } +} + +// Returns the smallest approximation available that's at least as precise +// as the passed precision (places after decimal point), i.e. Floor[ log2(precision) ] + 1 +func (c constApproximation) withPrecision(precision int32) Decimal { + i := 0 + + if precision >= 1 { + i++ + } + + for precision >= 16 { + precision /= 16 + i += 4 + } + + for precision >= 2 { + precision /= 2 + i++ + } + + if i >= len(c.approximations) { + return c.exact + } + + return c.approximations[i] +} diff --git a/vendor/github.com/shopspring/decimal/decimal-go.go b/vendor/github.com/shopspring/decimal/decimal-go.go new file mode 100644 index 0000000000..9958d69020 --- /dev/null +++ b/vendor/github.com/shopspring/decimal/decimal-go.go @@ -0,0 +1,415 @@ +// Copyright 2009 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +// Multiprecision decimal numbers. +// For floating-point formatting only; not general purpose. +// Only operations are assign and (binary) left/right shift. +// Can do binary floating point in multiprecision decimal precisely +// because 2 divides 10; cannot do decimal floating point +// in multiprecision binary precisely. + +package decimal + +type decimal struct { + d [800]byte // digits, big-endian representation + nd int // number of digits used + dp int // decimal point + neg bool // negative flag + trunc bool // discarded nonzero digits beyond d[:nd] +} + +func (a *decimal) String() string { + n := 10 + a.nd + if a.dp > 0 { + n += a.dp + } + if a.dp < 0 { + n += -a.dp + } + + buf := make([]byte, n) + w := 0 + switch { + case a.nd == 0: + return "0" + + case a.dp <= 0: + // zeros fill space between decimal point and digits + buf[w] = '0' + w++ + buf[w] = '.' + w++ + w += digitZero(buf[w : w+-a.dp]) + w += copy(buf[w:], a.d[0:a.nd]) + + case a.dp < a.nd: + // decimal point in middle of digits + w += copy(buf[w:], a.d[0:a.dp]) + buf[w] = '.' + w++ + w += copy(buf[w:], a.d[a.dp:a.nd]) + + default: + // zeros fill space between digits and decimal point + w += copy(buf[w:], a.d[0:a.nd]) + w += digitZero(buf[w : w+a.dp-a.nd]) + } + return string(buf[0:w]) +} + +func digitZero(dst []byte) int { + for i := range dst { + dst[i] = '0' + } + return len(dst) +} + +// trim trailing zeros from number. +// (They are meaningless; the decimal point is tracked +// independent of the number of digits.) +func trim(a *decimal) { + for a.nd > 0 && a.d[a.nd-1] == '0' { + a.nd-- + } + if a.nd == 0 { + a.dp = 0 + } +} + +// Assign v to a. +func (a *decimal) Assign(v uint64) { + var buf [24]byte + + // Write reversed decimal in buf. + n := 0 + for v > 0 { + v1 := v / 10 + v -= 10 * v1 + buf[n] = byte(v + '0') + n++ + v = v1 + } + + // Reverse again to produce forward decimal in a.d. + a.nd = 0 + for n--; n >= 0; n-- { + a.d[a.nd] = buf[n] + a.nd++ + } + a.dp = a.nd + trim(a) +} + +// Maximum shift that we can do in one pass without overflow. +// A uint has 32 or 64 bits, and we have to be able to accommodate 9<> 63) +const maxShift = uintSize - 4 + +// Binary shift right (/ 2) by k bits. k <= maxShift to avoid overflow. +func rightShift(a *decimal, k uint) { + r := 0 // read pointer + w := 0 // write pointer + + // Pick up enough leading digits to cover first shift. + var n uint + for ; n>>k == 0; r++ { + if r >= a.nd { + if n == 0 { + // a == 0; shouldn't get here, but handle anyway. + a.nd = 0 + return + } + for n>>k == 0 { + n = n * 10 + r++ + } + break + } + c := uint(a.d[r]) + n = n*10 + c - '0' + } + a.dp -= r - 1 + + var mask uint = (1 << k) - 1 + + // Pick up a digit, put down a digit. + for ; r < a.nd; r++ { + c := uint(a.d[r]) + dig := n >> k + n &= mask + a.d[w] = byte(dig + '0') + w++ + n = n*10 + c - '0' + } + + // Put down extra digits. + for n > 0 { + dig := n >> k + n &= mask + if w < len(a.d) { + a.d[w] = byte(dig + '0') + w++ + } else if dig > 0 { + a.trunc = true + } + n = n * 10 + } + + a.nd = w + trim(a) +} + +// Cheat sheet for left shift: table indexed by shift count giving +// number of new digits that will be introduced by that shift. +// +// For example, leftcheats[4] = {2, "625"}. That means that +// if we are shifting by 4 (multiplying by 16), it will add 2 digits +// when the string prefix is "625" through "999", and one fewer digit +// if the string prefix is "000" through "624". +// +// Credit for this trick goes to Ken. + +type leftCheat struct { + delta int // number of new digits + cutoff string // minus one digit if original < a. +} + +var leftcheats = []leftCheat{ + // Leading digits of 1/2^i = 5^i. + // 5^23 is not an exact 64-bit floating point number, + // so have to use bc for the math. + // Go up to 60 to be large enough for 32bit and 64bit platforms. + /* + seq 60 | sed 's/^/5^/' | bc | + awk 'BEGIN{ print "\t{ 0, \"\" }," } + { + log2 = log(2)/log(10) + printf("\t{ %d, \"%s\" },\t// * %d\n", + int(log2*NR+1), $0, 2**NR) + }' + */ + {0, ""}, + {1, "5"}, // * 2 + {1, "25"}, // * 4 + {1, "125"}, // * 8 + {2, "625"}, // * 16 + {2, "3125"}, // * 32 + {2, "15625"}, // * 64 + {3, "78125"}, // * 128 + {3, "390625"}, // * 256 + {3, "1953125"}, // * 512 + {4, "9765625"}, // * 1024 + {4, "48828125"}, // * 2048 + {4, "244140625"}, // * 4096 + {4, "1220703125"}, // * 8192 + {5, "6103515625"}, // * 16384 + {5, "30517578125"}, // * 32768 + {5, "152587890625"}, // * 65536 + {6, "762939453125"}, // * 131072 + {6, "3814697265625"}, // * 262144 + {6, "19073486328125"}, // * 524288 + {7, "95367431640625"}, // * 1048576 + {7, "476837158203125"}, // * 2097152 + {7, "2384185791015625"}, // * 4194304 + {7, "11920928955078125"}, // * 8388608 + {8, "59604644775390625"}, // * 16777216 + {8, "298023223876953125"}, // * 33554432 + {8, "1490116119384765625"}, // * 67108864 + {9, "7450580596923828125"}, // * 134217728 + {9, "37252902984619140625"}, // * 268435456 + {9, "186264514923095703125"}, // * 536870912 + {10, "931322574615478515625"}, // * 1073741824 + {10, "4656612873077392578125"}, // * 2147483648 + {10, "23283064365386962890625"}, // * 4294967296 + {10, "116415321826934814453125"}, // * 8589934592 + {11, "582076609134674072265625"}, // * 17179869184 + {11, "2910383045673370361328125"}, // * 34359738368 + {11, "14551915228366851806640625"}, // * 68719476736 + {12, "72759576141834259033203125"}, // * 137438953472 + {12, "363797880709171295166015625"}, // * 274877906944 + {12, "1818989403545856475830078125"}, // * 549755813888 + {13, "9094947017729282379150390625"}, // * 1099511627776 + {13, "45474735088646411895751953125"}, // * 2199023255552 + {13, "227373675443232059478759765625"}, // * 4398046511104 + {13, "1136868377216160297393798828125"}, // * 8796093022208 + {14, "5684341886080801486968994140625"}, // * 17592186044416 + {14, "28421709430404007434844970703125"}, // * 35184372088832 + {14, "142108547152020037174224853515625"}, // * 70368744177664 + {15, "710542735760100185871124267578125"}, // * 140737488355328 + {15, "3552713678800500929355621337890625"}, // * 281474976710656 + {15, "17763568394002504646778106689453125"}, // * 562949953421312 + {16, "88817841970012523233890533447265625"}, // * 1125899906842624 + {16, "444089209850062616169452667236328125"}, // * 2251799813685248 + {16, "2220446049250313080847263336181640625"}, // * 4503599627370496 + {16, "11102230246251565404236316680908203125"}, // * 9007199254740992 + {17, "55511151231257827021181583404541015625"}, // * 18014398509481984 + {17, "277555756156289135105907917022705078125"}, // * 36028797018963968 + {17, "1387778780781445675529539585113525390625"}, // * 72057594037927936 + {18, "6938893903907228377647697925567626953125"}, // * 144115188075855872 + {18, "34694469519536141888238489627838134765625"}, // * 288230376151711744 + {18, "173472347597680709441192448139190673828125"}, // * 576460752303423488 + {19, "867361737988403547205962240695953369140625"}, // * 1152921504606846976 +} + +// Is the leading prefix of b lexicographically less than s? +func prefixIsLessThan(b []byte, s string) bool { + for i := 0; i < len(s); i++ { + if i >= len(b) { + return true + } + if b[i] != s[i] { + return b[i] < s[i] + } + } + return false +} + +// Binary shift left (* 2) by k bits. k <= maxShift to avoid overflow. +func leftShift(a *decimal, k uint) { + delta := leftcheats[k].delta + if prefixIsLessThan(a.d[0:a.nd], leftcheats[k].cutoff) { + delta-- + } + + r := a.nd // read index + w := a.nd + delta // write index + + // Pick up a digit, put down a digit. + var n uint + for r--; r >= 0; r-- { + n += (uint(a.d[r]) - '0') << k + quo := n / 10 + rem := n - 10*quo + w-- + if w < len(a.d) { + a.d[w] = byte(rem + '0') + } else if rem != 0 { + a.trunc = true + } + n = quo + } + + // Put down extra digits. + for n > 0 { + quo := n / 10 + rem := n - 10*quo + w-- + if w < len(a.d) { + a.d[w] = byte(rem + '0') + } else if rem != 0 { + a.trunc = true + } + n = quo + } + + a.nd += delta + if a.nd >= len(a.d) { + a.nd = len(a.d) + } + a.dp += delta + trim(a) +} + +// Binary shift left (k > 0) or right (k < 0). +func (a *decimal) Shift(k int) { + switch { + case a.nd == 0: + // nothing to do: a == 0 + case k > 0: + for k > maxShift { + leftShift(a, maxShift) + k -= maxShift + } + leftShift(a, uint(k)) + case k < 0: + for k < -maxShift { + rightShift(a, maxShift) + k += maxShift + } + rightShift(a, uint(-k)) + } +} + +// If we chop a at nd digits, should we round up? +func shouldRoundUp(a *decimal, nd int) bool { + if nd < 0 || nd >= a.nd { + return false + } + if a.d[nd] == '5' && nd+1 == a.nd { // exactly halfway - round to even + // if we truncated, a little higher than what's recorded - always round up + if a.trunc { + return true + } + return nd > 0 && (a.d[nd-1]-'0')%2 != 0 + } + // not halfway - digit tells all + return a.d[nd] >= '5' +} + +// Round a to nd digits (or fewer). +// If nd is zero, it means we're rounding +// just to the left of the digits, as in +// 0.09 -> 0.1. +func (a *decimal) Round(nd int) { + if nd < 0 || nd >= a.nd { + return + } + if shouldRoundUp(a, nd) { + a.RoundUp(nd) + } else { + a.RoundDown(nd) + } +} + +// Round a down to nd digits (or fewer). +func (a *decimal) RoundDown(nd int) { + if nd < 0 || nd >= a.nd { + return + } + a.nd = nd + trim(a) +} + +// Round a up to nd digits (or fewer). +func (a *decimal) RoundUp(nd int) { + if nd < 0 || nd >= a.nd { + return + } + + // round up + for i := nd - 1; i >= 0; i-- { + c := a.d[i] + if c < '9' { // can stop after this digit + a.d[i]++ + a.nd = i + 1 + return + } + } + + // Number is all 9s. + // Change to single 1 with adjusted decimal point. + a.d[0] = '1' + a.nd = 1 + a.dp++ +} + +// Extract integer part, rounded appropriately. +// No guarantees about overflow. +func (a *decimal) RoundedInteger() uint64 { + if a.dp > 20 { + return 0xFFFFFFFFFFFFFFFF + } + var i int + n := uint64(0) + for i = 0; i < a.dp && i < a.nd; i++ { + n = n*10 + uint64(a.d[i]-'0') + } + for ; i < a.dp; i++ { + n *= 10 + } + if shouldRoundUp(a, a.dp) { + n++ + } + return n +} diff --git a/vendor/github.com/shopspring/decimal/decimal.go b/vendor/github.com/shopspring/decimal/decimal.go new file mode 100644 index 0000000000..a37a2301ef --- /dev/null +++ b/vendor/github.com/shopspring/decimal/decimal.go @@ -0,0 +1,2339 @@ +// Package decimal implements an arbitrary precision fixed-point decimal. +// +// The zero-value of a Decimal is 0, as you would expect. +// +// The best way to create a new Decimal is to use decimal.NewFromString, ex: +// +// n, err := decimal.NewFromString("-123.4567") +// n.String() // output: "-123.4567" +// +// To use Decimal as part of a struct: +// +// type StructName struct { +// Number Decimal +// } +// +// Note: This can "only" represent numbers with a maximum of 2^31 digits after the decimal point. +package decimal + +import ( + "database/sql/driver" + "encoding/binary" + "fmt" + "math" + "math/big" + "regexp" + "strconv" + "strings" +) + +// DivisionPrecision is the number of decimal places in the result when it +// doesn't divide exactly. +// +// Example: +// +// d1 := decimal.NewFromFloat(2).Div(decimal.NewFromFloat(3)) +// d1.String() // output: "0.6666666666666667" +// d2 := decimal.NewFromFloat(2).Div(decimal.NewFromFloat(30000)) +// d2.String() // output: "0.0000666666666667" +// d3 := decimal.NewFromFloat(20000).Div(decimal.NewFromFloat(3)) +// d3.String() // output: "6666.6666666666666667" +// decimal.DivisionPrecision = 3 +// d4 := decimal.NewFromFloat(2).Div(decimal.NewFromFloat(3)) +// d4.String() // output: "0.667" +var DivisionPrecision = 16 + +// PowPrecisionNegativeExponent specifies the maximum precision of the result (digits after decimal point) +// when calculating decimal power. Only used for cases where the exponent is a negative number. +// This constant applies to Pow, PowInt32 and PowBigInt methods, PowWithPrecision method is not constrained by it. +// +// Example: +// +// d1, err := decimal.NewFromFloat(15.2).PowInt32(-2) +// d1.String() // output: "0.0043282548476454" +// +// decimal.PowPrecisionNegativeExponent = 24 +// d2, err := decimal.NewFromFloat(15.2).PowInt32(-2) +// d2.String() // output: "0.004328254847645429362881" +var PowPrecisionNegativeExponent = 16 + +// MarshalJSONWithoutQuotes should be set to true if you want the decimal to +// be JSON marshaled as a number, instead of as a string. +// WARNING: this is dangerous for decimals with many digits, since many JSON +// unmarshallers (ex: Javascript's) will unmarshal JSON numbers to IEEE 754 +// double-precision floating point numbers, which means you can potentially +// silently lose precision. +var MarshalJSONWithoutQuotes = false + +// ExpMaxIterations specifies the maximum number of iterations needed to calculate +// precise natural exponent value using ExpHullAbrham method. +var ExpMaxIterations = 1000 + +// Zero constant, to make computations faster. +// Zero should never be compared with == or != directly, please use decimal.Equal or decimal.Cmp instead. +var Zero = New(0, 1) + +var zeroInt = big.NewInt(0) +var oneInt = big.NewInt(1) +var twoInt = big.NewInt(2) +var fourInt = big.NewInt(4) +var fiveInt = big.NewInt(5) +var tenInt = big.NewInt(10) +var twentyInt = big.NewInt(20) + +var factorials = []Decimal{New(1, 0)} + +// Decimal represents a fixed-point decimal. It is immutable. +// number = value * 10 ^ exp +type Decimal struct { + value *big.Int + + // NOTE(vadim): this must be an int32, because we cast it to float64 during + // calculations. If exp is 64 bit, we might lose precision. + // If we cared about being able to represent every possible decimal, we + // could make exp a *big.Int but it would hurt performance and numbers + // like that are unrealistic. + exp int32 +} + +// New returns a new fixed-point decimal, value * 10 ^ exp. +func New(value int64, exp int32) Decimal { + return Decimal{ + value: big.NewInt(value), + exp: exp, + } +} + +// NewFromInt converts an int64 to Decimal. +// +// Example: +// +// NewFromInt(123).String() // output: "123" +// NewFromInt(-10).String() // output: "-10" +func NewFromInt(value int64) Decimal { + return Decimal{ + value: big.NewInt(value), + exp: 0, + } +} + +// NewFromInt32 converts an int32 to Decimal. +// +// Example: +// +// NewFromInt(123).String() // output: "123" +// NewFromInt(-10).String() // output: "-10" +func NewFromInt32(value int32) Decimal { + return Decimal{ + value: big.NewInt(int64(value)), + exp: 0, + } +} + +// NewFromUint64 converts an uint64 to Decimal. +// +// Example: +// +// NewFromUint64(123).String() // output: "123" +func NewFromUint64(value uint64) Decimal { + return Decimal{ + value: new(big.Int).SetUint64(value), + exp: 0, + } +} + +// NewFromBigInt returns a new Decimal from a big.Int, value * 10 ^ exp +func NewFromBigInt(value *big.Int, exp int32) Decimal { + return Decimal{ + value: new(big.Int).Set(value), + exp: exp, + } +} + +// NewFromBigRat returns a new Decimal from a big.Rat. The numerator and +// denominator are divided and rounded to the given precision. +// +// Example: +// +// d1 := NewFromBigRat(big.NewRat(0, 1), 0) // output: "0" +// d2 := NewFromBigRat(big.NewRat(4, 5), 1) // output: "0.8" +// d3 := NewFromBigRat(big.NewRat(1000, 3), 3) // output: "333.333" +// d4 := NewFromBigRat(big.NewRat(2, 7), 4) // output: "0.2857" +func NewFromBigRat(value *big.Rat, precision int32) Decimal { + return Decimal{ + value: new(big.Int).Set(value.Num()), + exp: 0, + }.DivRound(Decimal{ + value: new(big.Int).Set(value.Denom()), + exp: 0, + }, precision) +} + +// NewFromString returns a new Decimal from a string representation. +// Trailing zeroes are not trimmed. +// +// Example: +// +// d, err := NewFromString("-123.45") +// d2, err := NewFromString(".0001") +// d3, err := NewFromString("1.47000") +func NewFromString(value string) (Decimal, error) { + originalInput := value + var intString string + var exp int64 + + // Check if number is using scientific notation + eIndex := strings.IndexAny(value, "Ee") + if eIndex != -1 { + expInt, err := strconv.ParseInt(value[eIndex+1:], 10, 32) + if err != nil { + if e, ok := err.(*strconv.NumError); ok && e.Err == strconv.ErrRange { + return Decimal{}, fmt.Errorf("can't convert %s to decimal: fractional part too long", value) + } + return Decimal{}, fmt.Errorf("can't convert %s to decimal: exponent is not numeric", value) + } + value = value[:eIndex] + exp = expInt + } + + pIndex := -1 + vLen := len(value) + for i := 0; i < vLen; i++ { + if value[i] == '.' { + if pIndex > -1 { + return Decimal{}, fmt.Errorf("can't convert %s to decimal: too many .s", value) + } + pIndex = i + } + } + + if pIndex == -1 { + // There is no decimal point, we can just parse the original string as + // an int + intString = value + } else { + if pIndex+1 < vLen { + intString = value[:pIndex] + value[pIndex+1:] + } else { + intString = value[:pIndex] + } + expInt := -len(value[pIndex+1:]) + exp += int64(expInt) + } + + var dValue *big.Int + // strconv.ParseInt is faster than new(big.Int).SetString so this is just a shortcut for strings we know won't overflow + if len(intString) <= 18 { + parsed64, err := strconv.ParseInt(intString, 10, 64) + if err != nil { + return Decimal{}, fmt.Errorf("can't convert %s to decimal", value) + } + dValue = big.NewInt(parsed64) + } else { + dValue = new(big.Int) + _, ok := dValue.SetString(intString, 10) + if !ok { + return Decimal{}, fmt.Errorf("can't convert %s to decimal", value) + } + } + + if exp < math.MinInt32 || exp > math.MaxInt32 { + // NOTE(vadim): I doubt a string could realistically be this long + return Decimal{}, fmt.Errorf("can't convert %s to decimal: fractional part too long", originalInput) + } + + return Decimal{ + value: dValue, + exp: int32(exp), + }, nil +} + +// NewFromFormattedString returns a new Decimal from a formatted string representation. +// The second argument - replRegexp, is a regular expression that is used to find characters that should be +// removed from given decimal string representation. All matched characters will be replaced with an empty string. +// +// Example: +// +// r := regexp.MustCompile("[$,]") +// d1, err := NewFromFormattedString("$5,125.99", r) +// +// r2 := regexp.MustCompile("[_]") +// d2, err := NewFromFormattedString("1_000_000", r2) +// +// r3 := regexp.MustCompile("[USD\\s]") +// d3, err := NewFromFormattedString("5000 USD", r3) +func NewFromFormattedString(value string, replRegexp *regexp.Regexp) (Decimal, error) { + parsedValue := replRegexp.ReplaceAllString(value, "") + d, err := NewFromString(parsedValue) + if err != nil { + return Decimal{}, err + } + return d, nil +} + +// RequireFromString returns a new Decimal from a string representation +// or panics if NewFromString had returned an error. +// +// Example: +// +// d := RequireFromString("-123.45") +// d2 := RequireFromString(".0001") +func RequireFromString(value string) Decimal { + dec, err := NewFromString(value) + if err != nil { + panic(err) + } + return dec +} + +// NewFromFloat converts a float64 to Decimal. +// +// The converted number will contain the number of significant digits that can be +// represented in a float with reliable roundtrip. +// This is typically 15 digits, but may be more in some cases. +// See https://www.exploringbinary.com/decimal-precision-of-binary-floating-point-numbers/ for more information. +// +// For slightly faster conversion, use NewFromFloatWithExponent where you can specify the precision in absolute terms. +// +// NOTE: this will panic on NaN, +/-inf +func NewFromFloat(value float64) Decimal { + if value == 0 { + return New(0, 0) + } + return newFromFloat(value, math.Float64bits(value), &float64info) +} + +// NewFromFloat32 converts a float32 to Decimal. +// +// The converted number will contain the number of significant digits that can be +// represented in a float with reliable roundtrip. +// This is typically 6-8 digits depending on the input. +// See https://www.exploringbinary.com/decimal-precision-of-binary-floating-point-numbers/ for more information. +// +// For slightly faster conversion, use NewFromFloatWithExponent where you can specify the precision in absolute terms. +// +// NOTE: this will panic on NaN, +/-inf +func NewFromFloat32(value float32) Decimal { + if value == 0 { + return New(0, 0) + } + // XOR is workaround for https://github.com/golang/go/issues/26285 + a := math.Float32bits(value) ^ 0x80808080 + return newFromFloat(float64(value), uint64(a)^0x80808080, &float32info) +} + +func newFromFloat(val float64, bits uint64, flt *floatInfo) Decimal { + if math.IsNaN(val) || math.IsInf(val, 0) { + panic(fmt.Sprintf("Cannot create a Decimal from %v", val)) + } + exp := int(bits>>flt.mantbits) & (1<>(flt.expbits+flt.mantbits) != 0 + + roundShortest(&d, mant, exp, flt) + // If less than 19 digits, we can do calculation in an int64. + if d.nd < 19 { + tmp := int64(0) + m := int64(1) + for i := d.nd - 1; i >= 0; i-- { + tmp += m * int64(d.d[i]-'0') + m *= 10 + } + if d.neg { + tmp *= -1 + } + return Decimal{value: big.NewInt(tmp), exp: int32(d.dp) - int32(d.nd)} + } + dValue := new(big.Int) + dValue, ok := dValue.SetString(string(d.d[:d.nd]), 10) + if ok { + return Decimal{value: dValue, exp: int32(d.dp) - int32(d.nd)} + } + + return NewFromFloatWithExponent(val, int32(d.dp)-int32(d.nd)) +} + +// NewFromFloatWithExponent converts a float64 to Decimal, with an arbitrary +// number of fractional digits. +// +// Example: +// +// NewFromFloatWithExponent(123.456, -2).String() // output: "123.46" +func NewFromFloatWithExponent(value float64, exp int32) Decimal { + if math.IsNaN(value) || math.IsInf(value, 0) { + panic(fmt.Sprintf("Cannot create a Decimal from %v", value)) + } + + bits := math.Float64bits(value) + mant := bits & (1<<52 - 1) + exp2 := int32((bits >> 52) & (1<<11 - 1)) + sign := bits >> 63 + + if exp2 == 0 { + // specials + if mant == 0 { + return Decimal{} + } + // subnormal + exp2++ + } else { + // normal + mant |= 1 << 52 + } + + exp2 -= 1023 + 52 + + // normalizing base-2 values + for mant&1 == 0 { + mant = mant >> 1 + exp2++ + } + + // maximum number of fractional base-10 digits to represent 2^N exactly cannot be more than -N if N<0 + if exp < 0 && exp < exp2 { + if exp2 < 0 { + exp = exp2 + } else { + exp = 0 + } + } + + // representing 10^M * 2^N as 5^M * 2^(M+N) + exp2 -= exp + + temp := big.NewInt(1) + dMant := big.NewInt(int64(mant)) + + // applying 5^M + if exp > 0 { + temp = temp.SetInt64(int64(exp)) + temp = temp.Exp(fiveInt, temp, nil) + } else if exp < 0 { + temp = temp.SetInt64(-int64(exp)) + temp = temp.Exp(fiveInt, temp, nil) + dMant = dMant.Mul(dMant, temp) + temp = temp.SetUint64(1) + } + + // applying 2^(M+N) + if exp2 > 0 { + dMant = dMant.Lsh(dMant, uint(exp2)) + } else if exp2 < 0 { + temp = temp.Lsh(temp, uint(-exp2)) + } + + // rounding and downscaling + if exp > 0 || exp2 < 0 { + halfDown := new(big.Int).Rsh(temp, 1) + dMant = dMant.Add(dMant, halfDown) + dMant = dMant.Quo(dMant, temp) + } + + if sign == 1 { + dMant = dMant.Neg(dMant) + } + + return Decimal{ + value: dMant, + exp: exp, + } +} + +// Copy returns a copy of decimal with the same value and exponent, but a different pointer to value. +func (d Decimal) Copy() Decimal { + d.ensureInitialized() + return Decimal{ + value: new(big.Int).Set(d.value), + exp: d.exp, + } +} + +// rescale returns a rescaled version of the decimal. Returned +// decimal may be less precise if the given exponent is bigger +// than the initial exponent of the Decimal. +// NOTE: this will truncate, NOT round +// +// Example: +// +// d := New(12345, -4) +// d2 := d.rescale(-1) +// d3 := d2.rescale(-4) +// println(d1) +// println(d2) +// println(d3) +// +// Output: +// +// 1.2345 +// 1.2 +// 1.2000 +func (d Decimal) rescale(exp int32) Decimal { + d.ensureInitialized() + + if d.exp == exp { + return Decimal{ + new(big.Int).Set(d.value), + d.exp, + } + } + + // NOTE(vadim): must convert exps to float64 before - to prevent overflow + diff := math.Abs(float64(exp) - float64(d.exp)) + value := new(big.Int).Set(d.value) + + expScale := new(big.Int).Exp(tenInt, big.NewInt(int64(diff)), nil) + if exp > d.exp { + value = value.Quo(value, expScale) + } else if exp < d.exp { + value = value.Mul(value, expScale) + } + + return Decimal{ + value: value, + exp: exp, + } +} + +// Abs returns the absolute value of the decimal. +func (d Decimal) Abs() Decimal { + if !d.IsNegative() { + return d + } + d.ensureInitialized() + d2Value := new(big.Int).Abs(d.value) + return Decimal{ + value: d2Value, + exp: d.exp, + } +} + +// Add returns d + d2. +func (d Decimal) Add(d2 Decimal) Decimal { + rd, rd2 := RescalePair(d, d2) + + d3Value := new(big.Int).Add(rd.value, rd2.value) + return Decimal{ + value: d3Value, + exp: rd.exp, + } +} + +// Sub returns d - d2. +func (d Decimal) Sub(d2 Decimal) Decimal { + rd, rd2 := RescalePair(d, d2) + + d3Value := new(big.Int).Sub(rd.value, rd2.value) + return Decimal{ + value: d3Value, + exp: rd.exp, + } +} + +// Neg returns -d. +func (d Decimal) Neg() Decimal { + d.ensureInitialized() + val := new(big.Int).Neg(d.value) + return Decimal{ + value: val, + exp: d.exp, + } +} + +// Mul returns d * d2. +func (d Decimal) Mul(d2 Decimal) Decimal { + d.ensureInitialized() + d2.ensureInitialized() + + expInt64 := int64(d.exp) + int64(d2.exp) + if expInt64 > math.MaxInt32 || expInt64 < math.MinInt32 { + // NOTE(vadim): better to panic than give incorrect results, as + // Decimals are usually used for money + panic(fmt.Sprintf("exponent %v overflows an int32!", expInt64)) + } + + d3Value := new(big.Int).Mul(d.value, d2.value) + return Decimal{ + value: d3Value, + exp: int32(expInt64), + } +} + +// Shift shifts the decimal in base 10. +// It shifts left when shift is positive and right if shift is negative. +// In simpler terms, the given value for shift is added to the exponent +// of the decimal. +func (d Decimal) Shift(shift int32) Decimal { + d.ensureInitialized() + return Decimal{ + value: new(big.Int).Set(d.value), + exp: d.exp + shift, + } +} + +// Div returns d / d2. If it doesn't divide exactly, the result will have +// DivisionPrecision digits after the decimal point. +func (d Decimal) Div(d2 Decimal) Decimal { + return d.DivRound(d2, int32(DivisionPrecision)) +} + +// QuoRem does division with remainder +// d.QuoRem(d2,precision) returns quotient q and remainder r such that +// +// d = d2 * q + r, q an integer multiple of 10^(-precision) +// 0 <= r < abs(d2) * 10 ^(-precision) if d>=0 +// 0 >= r > -abs(d2) * 10 ^(-precision) if d<0 +// +// Note that precision<0 is allowed as input. +func (d Decimal) QuoRem(d2 Decimal, precision int32) (Decimal, Decimal) { + d.ensureInitialized() + d2.ensureInitialized() + if d2.value.Sign() == 0 { + panic("decimal division by 0") + } + scale := -precision + e := int64(d.exp) - int64(d2.exp) - int64(scale) + if e > math.MaxInt32 || e < math.MinInt32 { + panic("overflow in decimal QuoRem") + } + var aa, bb, expo big.Int + var scalerest int32 + // d = a 10^ea + // d2 = b 10^eb + if e < 0 { + aa = *d.value + expo.SetInt64(-e) + bb.Exp(tenInt, &expo, nil) + bb.Mul(d2.value, &bb) + scalerest = d.exp + // now aa = a + // bb = b 10^(scale + eb - ea) + } else { + expo.SetInt64(e) + aa.Exp(tenInt, &expo, nil) + aa.Mul(d.value, &aa) + bb = *d2.value + scalerest = scale + d2.exp + // now aa = a ^ (ea - eb - scale) + // bb = b + } + var q, r big.Int + q.QuoRem(&aa, &bb, &r) + dq := Decimal{value: &q, exp: scale} + dr := Decimal{value: &r, exp: scalerest} + return dq, dr +} + +// DivRound divides and rounds to a given precision +// i.e. to an integer multiple of 10^(-precision) +// +// for a positive quotient digit 5 is rounded up, away from 0 +// if the quotient is negative then digit 5 is rounded down, away from 0 +// +// Note that precision<0 is allowed as input. +func (d Decimal) DivRound(d2 Decimal, precision int32) Decimal { + // QuoRem already checks initialization + q, r := d.QuoRem(d2, precision) + // the actual rounding decision is based on comparing r*10^precision and d2/2 + // instead compare 2 r 10 ^precision and d2 + var rv2 big.Int + rv2.Abs(r.value) + rv2.Lsh(&rv2, 1) + // now rv2 = abs(r.value) * 2 + r2 := Decimal{value: &rv2, exp: r.exp + precision} + // r2 is now 2 * r * 10 ^ precision + var c = r2.Cmp(d2.Abs()) + + if c < 0 { + return q + } + + if d.value.Sign()*d2.value.Sign() < 0 { + return q.Sub(New(1, -precision)) + } + + return q.Add(New(1, -precision)) +} + +// Mod returns d % d2. +func (d Decimal) Mod(d2 Decimal) Decimal { + _, r := d.QuoRem(d2, 0) + return r +} + +// Pow returns d to the power of d2. +// When exponent is negative the returned decimal will have maximum precision of PowPrecisionNegativeExponent places after decimal point. +// +// Pow returns 0 (zero-value of Decimal) instead of error for power operation edge cases, to handle those edge cases use PowWithPrecision +// Edge cases not handled by Pow: +// - 0 ** 0 => undefined value +// - 0 ** y, where y < 0 => infinity +// - x ** y, where x < 0 and y is non-integer decimal => imaginary value +// +// Example: +// +// d1 := decimal.NewFromFloat(4.0) +// d2 := decimal.NewFromFloat(4.0) +// res1 := d1.Pow(d2) +// res1.String() // output: "256" +// +// d3 := decimal.NewFromFloat(5.0) +// d4 := decimal.NewFromFloat(5.73) +// res2 := d3.Pow(d4) +// res2.String() // output: "10118.08037125" +func (d Decimal) Pow(d2 Decimal) Decimal { + baseSign := d.Sign() + expSign := d2.Sign() + + if baseSign == 0 { + if expSign == 0 { + return Decimal{} + } + if expSign == 1 { + return Decimal{zeroInt, 0} + } + if expSign == -1 { + return Decimal{} + } + } + + if expSign == 0 { + return Decimal{oneInt, 0} + } + + // TODO: optimize extraction of fractional part + one := Decimal{oneInt, 0} + expIntPart, expFracPart := d2.QuoRem(one, 0) + + if baseSign == -1 && !expFracPart.IsZero() { + return Decimal{} + } + + intPartPow, _ := d.PowBigInt(expIntPart.value) + + // if exponent is an integer we don't need to calculate d1**frac(d2) + if expFracPart.value.Sign() == 0 { + return intPartPow + } + + // TODO: optimize NumDigits for more performant precision adjustment + digitsBase := d.NumDigits() + digitsExponent := d2.NumDigits() + + precision := digitsBase + + if digitsExponent > precision { + precision += digitsExponent + } + + precision += 6 + + // Calculate x ** frac(y), where + // x ** frac(y) = exp(ln(x ** frac(y)) = exp(ln(x) * frac(y)) + fracPartPow, err := d.Abs().Ln(-d.exp + int32(precision)) + if err != nil { + return Decimal{} + } + + fracPartPow = fracPartPow.Mul(expFracPart) + + fracPartPow, err = fracPartPow.ExpTaylor(-d.exp + int32(precision)) + if err != nil { + return Decimal{} + } + + // Join integer and fractional part, + // base ** (expBase + expFrac) = base ** expBase * base ** expFrac + res := intPartPow.Mul(fracPartPow) + + return res +} + +// PowWithPrecision returns d to the power of d2. +// Precision parameter specifies minimum precision of the result (digits after decimal point). +// Returned decimal is not rounded to 'precision' places after decimal point. +// +// PowWithPrecision returns error when: +// - 0 ** 0 => undefined value +// - 0 ** y, where y < 0 => infinity +// - x ** y, where x < 0 and y is non-integer decimal => imaginary value +// +// Example: +// +// d1 := decimal.NewFromFloat(4.0) +// d2 := decimal.NewFromFloat(4.0) +// res1, err := d1.PowWithPrecision(d2, 2) +// res1.String() // output: "256" +// +// d3 := decimal.NewFromFloat(5.0) +// d4 := decimal.NewFromFloat(5.73) +// res2, err := d3.PowWithPrecision(d4, 5) +// res2.String() // output: "10118.080371595015625" +// +// d5 := decimal.NewFromFloat(-3.0) +// d6 := decimal.NewFromFloat(-6.0) +// res3, err := d5.PowWithPrecision(d6, 10) +// res3.String() // output: "0.0013717421" +func (d Decimal) PowWithPrecision(d2 Decimal, precision int32) (Decimal, error) { + baseSign := d.Sign() + expSign := d2.Sign() + + if baseSign == 0 { + if expSign == 0 { + return Decimal{}, fmt.Errorf("cannot represent undefined value of 0**0") + } + if expSign == 1 { + return Decimal{zeroInt, 0}, nil + } + if expSign == -1 { + return Decimal{}, fmt.Errorf("cannot represent infinity value of 0 ** y, where y < 0") + } + } + + if expSign == 0 { + return Decimal{oneInt, 0}, nil + } + + // TODO: optimize extraction of fractional part + one := Decimal{oneInt, 0} + expIntPart, expFracPart := d2.QuoRem(one, 0) + + if baseSign == -1 && !expFracPart.IsZero() { + return Decimal{}, fmt.Errorf("cannot represent imaginary value of x ** y, where x < 0 and y is non-integer decimal") + } + + intPartPow, _ := d.powBigIntWithPrecision(expIntPart.value, precision) + + // if exponent is an integer we don't need to calculate d1**frac(d2) + if expFracPart.value.Sign() == 0 { + return intPartPow, nil + } + + // TODO: optimize NumDigits for more performant precision adjustment + digitsBase := d.NumDigits() + digitsExponent := d2.NumDigits() + + if int32(digitsBase) > precision { + precision = int32(digitsBase) + } + if int32(digitsExponent) > precision { + precision += int32(digitsExponent) + } + // increase precision by 10 to compensate for errors in further calculations + precision += 10 + + // Calculate x ** frac(y), where + // x ** frac(y) = exp(ln(x ** frac(y)) = exp(ln(x) * frac(y)) + fracPartPow, err := d.Abs().Ln(precision) + if err != nil { + return Decimal{}, err + } + + fracPartPow = fracPartPow.Mul(expFracPart) + + fracPartPow, err = fracPartPow.ExpTaylor(precision) + if err != nil { + return Decimal{}, err + } + + // Join integer and fractional part, + // base ** (expBase + expFrac) = base ** expBase * base ** expFrac + res := intPartPow.Mul(fracPartPow) + + return res, nil +} + +// PowInt32 returns d to the power of exp, where exp is int32. +// Only returns error when d and exp is 0, thus result is undefined. +// +// When exponent is negative the returned decimal will have maximum precision of PowPrecisionNegativeExponent places after decimal point. +// +// Example: +// +// d1, err := decimal.NewFromFloat(4.0).PowInt32(4) +// d1.String() // output: "256" +// +// d2, err := decimal.NewFromFloat(3.13).PowInt32(5) +// d2.String() // output: "300.4150512793" +func (d Decimal) PowInt32(exp int32) (Decimal, error) { + if d.IsZero() && exp == 0 { + return Decimal{}, fmt.Errorf("cannot represent undefined value of 0**0") + } + + isExpNeg := exp < 0 + exp = abs(exp) + + n, result := d, New(1, 0) + + for exp > 0 { + if exp%2 == 1 { + result = result.Mul(n) + } + exp /= 2 + + if exp > 0 { + n = n.Mul(n) + } + } + + if isExpNeg { + return New(1, 0).DivRound(result, int32(PowPrecisionNegativeExponent)), nil + } + + return result, nil +} + +// PowBigInt returns d to the power of exp, where exp is big.Int. +// Only returns error when d and exp is 0, thus result is undefined. +// +// When exponent is negative the returned decimal will have maximum precision of PowPrecisionNegativeExponent places after decimal point. +// +// Example: +// +// d1, err := decimal.NewFromFloat(3.0).PowBigInt(big.NewInt(3)) +// d1.String() // output: "27" +// +// d2, err := decimal.NewFromFloat(629.25).PowBigInt(big.NewInt(5)) +// d2.String() // output: "98654323103449.5673828125" +func (d Decimal) PowBigInt(exp *big.Int) (Decimal, error) { + return d.powBigIntWithPrecision(exp, int32(PowPrecisionNegativeExponent)) +} + +func (d Decimal) powBigIntWithPrecision(exp *big.Int, precision int32) (Decimal, error) { + if d.IsZero() && exp.Sign() == 0 { + return Decimal{}, fmt.Errorf("cannot represent undefined value of 0**0") + } + + tmpExp := new(big.Int).Set(exp) + isExpNeg := exp.Sign() < 0 + + if isExpNeg { + tmpExp.Abs(tmpExp) + } + + n, result := d, New(1, 0) + + for tmpExp.Sign() > 0 { + if tmpExp.Bit(0) == 1 { + result = result.Mul(n) + } + tmpExp.Rsh(tmpExp, 1) + + if tmpExp.Sign() > 0 { + n = n.Mul(n) + } + } + + if isExpNeg { + return New(1, 0).DivRound(result, precision), nil + } + + return result, nil +} + +// ExpHullAbrham calculates the natural exponent of decimal (e to the power of d) using Hull-Abraham algorithm. +// OverallPrecision argument specifies the overall precision of the result (integer part + decimal part). +// +// ExpHullAbrham is faster than ExpTaylor for small precision values, but it is much slower for large precision values. +// +// Example: +// +// NewFromFloat(26.1).ExpHullAbrham(2).String() // output: "220000000000" +// NewFromFloat(26.1).ExpHullAbrham(20).String() // output: "216314672147.05767284" +func (d Decimal) ExpHullAbrham(overallPrecision uint32) (Decimal, error) { + // Algorithm based on Variable precision exponential function. + // ACM Transactions on Mathematical Software by T. E. Hull & A. Abrham. + if d.IsZero() { + return Decimal{oneInt, 0}, nil + } + + currentPrecision := overallPrecision + + // Algorithm does not work if currentPrecision * 23 < |x|. + // Precision is automatically increased in such cases, so the value can be calculated precisely. + // If newly calculated precision is higher than ExpMaxIterations the currentPrecision will not be changed. + f := d.Abs().InexactFloat64() + if ncp := f / 23; ncp > float64(currentPrecision) && ncp < float64(ExpMaxIterations) { + currentPrecision = uint32(math.Ceil(ncp)) + } + + // fail if abs(d) beyond an over/underflow threshold + overflowThreshold := New(23*int64(currentPrecision), 0) + if d.Abs().Cmp(overflowThreshold) > 0 { + return Decimal{}, fmt.Errorf("over/underflow threshold, exp(x) cannot be calculated precisely") + } + + // Return 1 if abs(d) small enough; this also avoids later over/underflow + overflowThreshold2 := New(9, -int32(currentPrecision)-1) + if d.Abs().Cmp(overflowThreshold2) <= 0 { + return Decimal{oneInt, d.exp}, nil + } + + // t is the smallest integer >= 0 such that the corresponding abs(d/k) < 1 + t := d.exp + int32(d.NumDigits()) // Add d.NumDigits because the paper assumes that d.value [0.1, 1) + + if t < 0 { + t = 0 + } + + k := New(1, t) // reduction factor + r := Decimal{new(big.Int).Set(d.value), d.exp - t} // reduced argument + p := int32(currentPrecision) + t + 2 // precision for calculating the sum + + // Determine n, the number of therms for calculating sum + // use first Newton step (1.435p - 1.182) / log10(p/abs(r)) + // for solving appropriate equation, along with directed + // roundings and simple rational bound for log10(p/abs(r)) + rf := r.Abs().InexactFloat64() + pf := float64(p) + nf := math.Ceil((1.453*pf - 1.182) / math.Log10(pf/rf)) + if nf > float64(ExpMaxIterations) || math.IsNaN(nf) { + return Decimal{}, fmt.Errorf("exact value cannot be calculated in <=ExpMaxIterations iterations") + } + n := int64(nf) + + tmp := New(0, 0) + sum := New(1, 0) + one := New(1, 0) + for i := n - 1; i > 0; i-- { + tmp.value.SetInt64(i) + sum = sum.Mul(r.DivRound(tmp, p)) + sum = sum.Add(one) + } + + ki := k.IntPart() + res := New(1, 0) + for i := ki; i > 0; i-- { + res = res.Mul(sum) + } + + resNumDigits := int32(res.NumDigits()) + + var roundDigits int32 + if resNumDigits > abs(res.exp) { + roundDigits = int32(currentPrecision) - resNumDigits - res.exp + } else { + roundDigits = int32(currentPrecision) + } + + res = res.Round(roundDigits) + + return res, nil +} + +// ExpTaylor calculates the natural exponent of decimal (e to the power of d) using Taylor series expansion. +// Precision argument specifies how precise the result must be (number of digits after decimal point). +// Negative precision is allowed. +// +// ExpTaylor is much faster for large precision values than ExpHullAbrham. +// +// Example: +// +// d, err := NewFromFloat(26.1).ExpTaylor(2).String() +// d.String() // output: "216314672147.06" +// +// NewFromFloat(26.1).ExpTaylor(20).String() +// d.String() // output: "216314672147.05767284062928674083" +// +// NewFromFloat(26.1).ExpTaylor(-10).String() +// d.String() // output: "220000000000" +func (d Decimal) ExpTaylor(precision int32) (Decimal, error) { + // Note(mwoss): Implementation can be optimized by exclusively using big.Int API only + if d.IsZero() { + return Decimal{oneInt, 0}.Round(precision), nil + } + + var epsilon Decimal + var divPrecision int32 + if precision < 0 { + epsilon = New(1, -1) + divPrecision = 8 + } else { + epsilon = New(1, -precision-1) + divPrecision = precision + 1 + } + + decAbs := d.Abs() + pow := d.Abs() + factorial := New(1, 0) + + result := New(1, 0) + + for i := int64(1); ; { + step := pow.DivRound(factorial, divPrecision) + result = result.Add(step) + + // Stop Taylor series when current step is smaller than epsilon + if step.Cmp(epsilon) < 0 { + break + } + + pow = pow.Mul(decAbs) + + i++ + + // Calculate next factorial number or retrieve cached value + if len(factorials) >= int(i) && !factorials[i-1].IsZero() { + factorial = factorials[i-1] + } else { + // To avoid any race conditions, firstly the zero value is appended to a slice to create + // a spot for newly calculated factorial. After that, the zero value is replaced by calculated + // factorial using the index notation. + factorial = factorials[i-2].Mul(New(i, 0)) + factorials = append(factorials, Zero) + factorials[i-1] = factorial + } + } + + if d.Sign() < 0 { + result = New(1, 0).DivRound(result, precision+1) + } + + result = result.Round(precision) + return result, nil +} + +// Ln calculates natural logarithm of d. +// Precision argument specifies how precise the result must be (number of digits after decimal point). +// Negative precision is allowed. +// +// Example: +// +// d1, err := NewFromFloat(13.3).Ln(2) +// d1.String() // output: "2.59" +// +// d2, err := NewFromFloat(579.161).Ln(10) +// d2.String() // output: "6.3615805046" +func (d Decimal) Ln(precision int32) (Decimal, error) { + // Algorithm based on The Use of Iteration Methods for Approximating the Natural Logarithm, + // James F. Epperson, The American Mathematical Monthly, Vol. 96, No. 9, November 1989, pp. 831-835. + if d.IsNegative() { + return Decimal{}, fmt.Errorf("cannot calculate natural logarithm for negative decimals") + } + + if d.IsZero() { + return Decimal{}, fmt.Errorf("cannot represent natural logarithm of 0, result: -infinity") + } + + calcPrecision := precision + 2 + z := d.Copy() + + var comp1, comp3, comp2, comp4, reduceAdjust Decimal + comp1 = z.Sub(Decimal{oneInt, 0}) + comp3 = Decimal{oneInt, -1} + + // for decimal in range [0.9, 1.1] where ln(d) is close to 0 + usePowerSeries := false + + if comp1.Abs().Cmp(comp3) <= 0 { + usePowerSeries = true + } else { + // reduce input decimal to range [0.1, 1) + expDelta := int32(z.NumDigits()) + z.exp + z.exp -= expDelta + + // Input decimal was reduced by factor of 10^expDelta, thus we will need to add + // ln(10^expDelta) = expDelta * ln(10) + // to the result to compensate that + ln10 := ln10.withPrecision(calcPrecision) + reduceAdjust = NewFromInt32(expDelta) + reduceAdjust = reduceAdjust.Mul(ln10) + + comp1 = z.Sub(Decimal{oneInt, 0}) + + if comp1.Abs().Cmp(comp3) <= 0 { + usePowerSeries = true + } else { + // initial estimate using floats + zFloat := z.InexactFloat64() + comp1 = NewFromFloat(math.Log(zFloat)) + } + } + + epsilon := Decimal{oneInt, -calcPrecision} + + if usePowerSeries { + // Power Series - https://en.wikipedia.org/wiki/Logarithm#Power_series + // Calculating n-th term of formula: ln(z+1) = 2 sum [ 1 / (2n+1) * (z / (z+2))^(2n+1) ] + // until the difference between current and next term is smaller than epsilon. + // Coverage quite fast for decimals close to 1.0 + + // z + 2 + comp2 = comp1.Add(Decimal{twoInt, 0}) + // z / (z + 2) + comp3 = comp1.DivRound(comp2, calcPrecision) + // 2 * (z / (z + 2)) + comp1 = comp3.Add(comp3) + comp2 = comp1.Copy() + + for n := 1; ; n++ { + // 2 * (z / (z+2))^(2n+1) + comp2 = comp2.Mul(comp3).Mul(comp3) + + // 1 / (2n+1) * 2 * (z / (z+2))^(2n+1) + comp4 = NewFromInt(int64(2*n + 1)) + comp4 = comp2.DivRound(comp4, calcPrecision) + + // comp1 = 2 sum [ 1 / (2n+1) * (z / (z+2))^(2n+1) ] + comp1 = comp1.Add(comp4) + + if comp4.Abs().Cmp(epsilon) <= 0 { + break + } + } + } else { + // Halley's Iteration. + // Calculating n-th term of formula: a_(n+1) = a_n - 2 * (exp(a_n) - z) / (exp(a_n) + z), + // until the difference between current and next term is smaller than epsilon + var prevStep Decimal + maxIters := calcPrecision*2 + 10 + + for i := int32(0); i < maxIters; i++ { + // exp(a_n) + comp3, _ = comp1.ExpTaylor(calcPrecision) + // exp(a_n) - z + comp2 = comp3.Sub(z) + // 2 * (exp(a_n) - z) + comp2 = comp2.Add(comp2) + // exp(a_n) + z + comp4 = comp3.Add(z) + // 2 * (exp(a_n) - z) / (exp(a_n) + z) + comp3 = comp2.DivRound(comp4, calcPrecision) + // comp1 = a_(n+1) = a_n - 2 * (exp(a_n) - z) / (exp(a_n) + z) + comp1 = comp1.Sub(comp3) + + if prevStep.Add(comp3).IsZero() { + // If iteration steps oscillate we should return early and prevent an infinity loop + // NOTE(mwoss): This should be quite a rare case, returning error is not necessary + break + } + + if comp3.Abs().Cmp(epsilon) <= 0 { + break + } + + prevStep = comp3 + } + } + + comp1 = comp1.Add(reduceAdjust) + + return comp1.Round(precision), nil +} + +// NumDigits returns the number of digits of the decimal coefficient (d.Value) +func (d Decimal) NumDigits() int { + if d.value == nil { + return 1 + } + + if d.value.IsInt64() { + i64 := d.value.Int64() + // restrict fast path to integers with exact conversion to float64 + if i64 <= (1<<53) && i64 >= -(1<<53) { + if i64 == 0 { + return 1 + } + return int(math.Log10(math.Abs(float64(i64)))) + 1 + } + } + + estimatedNumDigits := int(float64(d.value.BitLen()) / math.Log2(10)) + + // estimatedNumDigits (lg10) may be off by 1, need to verify + digitsBigInt := big.NewInt(int64(estimatedNumDigits)) + errorCorrectionUnit := digitsBigInt.Exp(tenInt, digitsBigInt, nil) + + if d.value.CmpAbs(errorCorrectionUnit) >= 0 { + return estimatedNumDigits + 1 + } + + return estimatedNumDigits +} + +// IsInteger returns true when decimal can be represented as an integer value, otherwise, it returns false. +func (d Decimal) IsInteger() bool { + // The most typical case, all decimal with exponent higher or equal 0 can be represented as integer + if d.exp >= 0 { + return true + } + // When the exponent is negative we have to check every number after the decimal place + // If all of them are zeroes, we are sure that given decimal can be represented as an integer + var r big.Int + q := new(big.Int).Set(d.value) + for z := abs(d.exp); z > 0; z-- { + q.QuoRem(q, tenInt, &r) + if r.Cmp(zeroInt) != 0 { + return false + } + } + return true +} + +// Abs calculates absolute value of any int32. Used for calculating absolute value of decimal's exponent. +func abs(n int32) int32 { + if n < 0 { + return -n + } + return n +} + +// Cmp compares the numbers represented by d and d2 and returns: +// +// -1 if d < d2 +// 0 if d == d2 +// +1 if d > d2 +func (d Decimal) Cmp(d2 Decimal) int { + d.ensureInitialized() + d2.ensureInitialized() + + if d.exp == d2.exp { + return d.value.Cmp(d2.value) + } + + rd, rd2 := RescalePair(d, d2) + + return rd.value.Cmp(rd2.value) +} + +// Compare compares the numbers represented by d and d2 and returns: +// +// -1 if d < d2 +// 0 if d == d2 +// +1 if d > d2 +func (d Decimal) Compare(d2 Decimal) int { + return d.Cmp(d2) +} + +// Equal returns whether the numbers represented by d and d2 are equal. +func (d Decimal) Equal(d2 Decimal) bool { + return d.Cmp(d2) == 0 +} + +// Deprecated: Equals is deprecated, please use Equal method instead. +func (d Decimal) Equals(d2 Decimal) bool { + return d.Equal(d2) +} + +// GreaterThan (GT) returns true when d is greater than d2. +func (d Decimal) GreaterThan(d2 Decimal) bool { + return d.Cmp(d2) == 1 +} + +// GreaterThanOrEqual (GTE) returns true when d is greater than or equal to d2. +func (d Decimal) GreaterThanOrEqual(d2 Decimal) bool { + cmp := d.Cmp(d2) + return cmp == 1 || cmp == 0 +} + +// LessThan (LT) returns true when d is less than d2. +func (d Decimal) LessThan(d2 Decimal) bool { + return d.Cmp(d2) == -1 +} + +// LessThanOrEqual (LTE) returns true when d is less than or equal to d2. +func (d Decimal) LessThanOrEqual(d2 Decimal) bool { + cmp := d.Cmp(d2) + return cmp == -1 || cmp == 0 +} + +// Sign returns: +// +// -1 if d < 0 +// 0 if d == 0 +// +1 if d > 0 +func (d Decimal) Sign() int { + if d.value == nil { + return 0 + } + return d.value.Sign() +} + +// IsPositive return +// +// true if d > 0 +// false if d == 0 +// false if d < 0 +func (d Decimal) IsPositive() bool { + return d.Sign() == 1 +} + +// IsNegative return +// +// true if d < 0 +// false if d == 0 +// false if d > 0 +func (d Decimal) IsNegative() bool { + return d.Sign() == -1 +} + +// IsZero return +// +// true if d == 0 +// false if d > 0 +// false if d < 0 +func (d Decimal) IsZero() bool { + return d.Sign() == 0 +} + +// Exponent returns the exponent, or scale component of the decimal. +func (d Decimal) Exponent() int32 { + return d.exp +} + +// Coefficient returns the coefficient of the decimal. It is scaled by 10^Exponent() +func (d Decimal) Coefficient() *big.Int { + d.ensureInitialized() + // we copy the coefficient so that mutating the result does not mutate the Decimal. + return new(big.Int).Set(d.value) +} + +// CoefficientInt64 returns the coefficient of the decimal as int64. It is scaled by 10^Exponent() +// If coefficient cannot be represented in an int64, the result will be undefined. +func (d Decimal) CoefficientInt64() int64 { + d.ensureInitialized() + return d.value.Int64() +} + +// IntPart returns the integer component of the decimal. +func (d Decimal) IntPart() int64 { + scaledD := d.rescale(0) + return scaledD.value.Int64() +} + +// BigInt returns integer component of the decimal as a BigInt. +func (d Decimal) BigInt() *big.Int { + scaledD := d.rescale(0) + return scaledD.value +} + +// BigFloat returns decimal as BigFloat. +// Be aware that casting decimal to BigFloat might cause a loss of precision. +func (d Decimal) BigFloat() *big.Float { + f := &big.Float{} + f.SetString(d.String()) + return f +} + +// Rat returns a rational number representation of the decimal. +func (d Decimal) Rat() *big.Rat { + d.ensureInitialized() + if d.exp <= 0 { + // NOTE(vadim): must negate after casting to prevent int32 overflow + denom := new(big.Int).Exp(tenInt, big.NewInt(-int64(d.exp)), nil) + return new(big.Rat).SetFrac(d.value, denom) + } + + mul := new(big.Int).Exp(tenInt, big.NewInt(int64(d.exp)), nil) + num := new(big.Int).Mul(d.value, mul) + return new(big.Rat).SetFrac(num, oneInt) +} + +// Float64 returns the nearest float64 value for d and a bool indicating +// whether f represents d exactly. +// For more details, see the documentation for big.Rat.Float64 +func (d Decimal) Float64() (f float64, exact bool) { + return d.Rat().Float64() +} + +// InexactFloat64 returns the nearest float64 value for d. +// It doesn't indicate if the returned value represents d exactly. +func (d Decimal) InexactFloat64() float64 { + f, _ := d.Float64() + return f +} + +// String returns the string representation of the decimal +// with the fixed point. +// +// Example: +// +// d := New(-12345, -3) +// println(d.String()) +// +// Output: +// +// -12.345 +func (d Decimal) String() string { + return d.string(true) +} + +// StringFixed returns a rounded fixed-point string with places digits after +// the decimal point. +// +// Example: +// +// NewFromFloat(0).StringFixed(2) // output: "0.00" +// NewFromFloat(0).StringFixed(0) // output: "0" +// NewFromFloat(5.45).StringFixed(0) // output: "5" +// NewFromFloat(5.45).StringFixed(1) // output: "5.5" +// NewFromFloat(5.45).StringFixed(2) // output: "5.45" +// NewFromFloat(5.45).StringFixed(3) // output: "5.450" +// NewFromFloat(545).StringFixed(-1) // output: "550" +func (d Decimal) StringFixed(places int32) string { + rounded := d.Round(places) + return rounded.string(false) +} + +// StringFixedBank returns a banker rounded fixed-point string with places digits +// after the decimal point. +// +// Example: +// +// NewFromFloat(0).StringFixedBank(2) // output: "0.00" +// NewFromFloat(0).StringFixedBank(0) // output: "0" +// NewFromFloat(5.45).StringFixedBank(0) // output: "5" +// NewFromFloat(5.45).StringFixedBank(1) // output: "5.4" +// NewFromFloat(5.45).StringFixedBank(2) // output: "5.45" +// NewFromFloat(5.45).StringFixedBank(3) // output: "5.450" +// NewFromFloat(545).StringFixedBank(-1) // output: "540" +func (d Decimal) StringFixedBank(places int32) string { + rounded := d.RoundBank(places) + return rounded.string(false) +} + +// StringFixedCash returns a Swedish/Cash rounded fixed-point string. For +// more details see the documentation at function RoundCash. +func (d Decimal) StringFixedCash(interval uint8) string { + rounded := d.RoundCash(interval) + return rounded.string(false) +} + +// Round rounds the decimal to places decimal places. +// If places < 0, it will round the integer part to the nearest 10^(-places). +// +// Example: +// +// NewFromFloat(5.45).Round(1).String() // output: "5.5" +// NewFromFloat(545).Round(-1).String() // output: "550" +func (d Decimal) Round(places int32) Decimal { + if d.exp == -places { + return d + } + // truncate to places + 1 + ret := d.rescale(-places - 1) + + // add sign(d) * 0.5 + if ret.value.Sign() < 0 { + ret.value.Sub(ret.value, fiveInt) + } else { + ret.value.Add(ret.value, fiveInt) + } + + // floor for positive numbers, ceil for negative numbers + _, m := ret.value.DivMod(ret.value, tenInt, new(big.Int)) + ret.exp++ + if ret.value.Sign() < 0 && m.Cmp(zeroInt) != 0 { + ret.value.Add(ret.value, oneInt) + } + + return ret +} + +// RoundCeil rounds the decimal towards +infinity. +// +// Example: +// +// NewFromFloat(545).RoundCeil(-2).String() // output: "600" +// NewFromFloat(500).RoundCeil(-2).String() // output: "500" +// NewFromFloat(1.1001).RoundCeil(2).String() // output: "1.11" +// NewFromFloat(-1.454).RoundCeil(1).String() // output: "-1.4" +func (d Decimal) RoundCeil(places int32) Decimal { + if d.exp >= -places { + return d + } + + rescaled := d.rescale(-places) + if d.Equal(rescaled) { + return d + } + + if d.value.Sign() > 0 { + rescaled.value.Add(rescaled.value, oneInt) + } + + return rescaled +} + +// RoundFloor rounds the decimal towards -infinity. +// +// Example: +// +// NewFromFloat(545).RoundFloor(-2).String() // output: "500" +// NewFromFloat(-500).RoundFloor(-2).String() // output: "-500" +// NewFromFloat(1.1001).RoundFloor(2).String() // output: "1.1" +// NewFromFloat(-1.454).RoundFloor(1).String() // output: "-1.5" +func (d Decimal) RoundFloor(places int32) Decimal { + if d.exp >= -places { + return d + } + + rescaled := d.rescale(-places) + if d.Equal(rescaled) { + return d + } + + if d.value.Sign() < 0 { + rescaled.value.Sub(rescaled.value, oneInt) + } + + return rescaled +} + +// RoundUp rounds the decimal away from zero. +// +// Example: +// +// NewFromFloat(545).RoundUp(-2).String() // output: "600" +// NewFromFloat(500).RoundUp(-2).String() // output: "500" +// NewFromFloat(1.1001).RoundUp(2).String() // output: "1.11" +// NewFromFloat(-1.454).RoundUp(1).String() // output: "-1.5" +func (d Decimal) RoundUp(places int32) Decimal { + if d.exp >= -places { + return d + } + + rescaled := d.rescale(-places) + if d.Equal(rescaled) { + return d + } + + if d.value.Sign() > 0 { + rescaled.value.Add(rescaled.value, oneInt) + } else if d.value.Sign() < 0 { + rescaled.value.Sub(rescaled.value, oneInt) + } + + return rescaled +} + +// RoundDown rounds the decimal towards zero. +// +// Example: +// +// NewFromFloat(545).RoundDown(-2).String() // output: "500" +// NewFromFloat(-500).RoundDown(-2).String() // output: "-500" +// NewFromFloat(1.1001).RoundDown(2).String() // output: "1.1" +// NewFromFloat(-1.454).RoundDown(1).String() // output: "-1.4" +func (d Decimal) RoundDown(places int32) Decimal { + if d.exp >= -places { + return d + } + + rescaled := d.rescale(-places) + if d.Equal(rescaled) { + return d + } + return rescaled +} + +// RoundBank rounds the decimal to places decimal places. +// If the final digit to round is equidistant from the nearest two integers the +// rounded value is taken as the even number +// +// If places < 0, it will round the integer part to the nearest 10^(-places). +// +// Examples: +// +// NewFromFloat(5.45).RoundBank(1).String() // output: "5.4" +// NewFromFloat(545).RoundBank(-1).String() // output: "540" +// NewFromFloat(5.46).RoundBank(1).String() // output: "5.5" +// NewFromFloat(546).RoundBank(-1).String() // output: "550" +// NewFromFloat(5.55).RoundBank(1).String() // output: "5.6" +// NewFromFloat(555).RoundBank(-1).String() // output: "560" +func (d Decimal) RoundBank(places int32) Decimal { + + round := d.Round(places) + remainder := d.Sub(round).Abs() + + half := New(5, -places-1) + if remainder.Cmp(half) == 0 && round.value.Bit(0) != 0 { + if round.value.Sign() < 0 { + round.value.Add(round.value, oneInt) + } else { + round.value.Sub(round.value, oneInt) + } + } + + return round +} + +// RoundCash aka Cash/Penny/öre rounding rounds decimal to a specific +// interval. The amount payable for a cash transaction is rounded to the nearest +// multiple of the minimum currency unit available. The following intervals are +// available: 5, 10, 25, 50 and 100; any other number throws a panic. +// +// 5: 5 cent rounding 3.43 => 3.45 +// 10: 10 cent rounding 3.45 => 3.50 (5 gets rounded up) +// 25: 25 cent rounding 3.41 => 3.50 +// 50: 50 cent rounding 3.75 => 4.00 +// 100: 100 cent rounding 3.50 => 4.00 +// +// For more details: https://en.wikipedia.org/wiki/Cash_rounding +func (d Decimal) RoundCash(interval uint8) Decimal { + var iVal *big.Int + switch interval { + case 5: + iVal = twentyInt + case 10: + iVal = tenInt + case 25: + iVal = fourInt + case 50: + iVal = twoInt + case 100: + iVal = oneInt + default: + panic(fmt.Sprintf("Decimal does not support this Cash rounding interval `%d`. Supported: 5, 10, 25, 50, 100", interval)) + } + dVal := Decimal{ + value: iVal, + } + + // TODO: optimize those calculations to reduce the high allocations (~29 allocs). + return d.Mul(dVal).Round(0).Div(dVal).Truncate(2) +} + +// Floor returns the nearest integer value less than or equal to d. +func (d Decimal) Floor() Decimal { + d.ensureInitialized() + + if d.exp >= 0 { + return d + } + + exp := big.NewInt(10) + + // NOTE(vadim): must negate after casting to prevent int32 overflow + exp.Exp(exp, big.NewInt(-int64(d.exp)), nil) + + z := new(big.Int).Div(d.value, exp) + return Decimal{value: z, exp: 0} +} + +// Ceil returns the nearest integer value greater than or equal to d. +func (d Decimal) Ceil() Decimal { + d.ensureInitialized() + + if d.exp >= 0 { + return d + } + + exp := big.NewInt(10) + + // NOTE(vadim): must negate after casting to prevent int32 overflow + exp.Exp(exp, big.NewInt(-int64(d.exp)), nil) + + z, m := new(big.Int).DivMod(d.value, exp, new(big.Int)) + if m.Cmp(zeroInt) != 0 { + z.Add(z, oneInt) + } + return Decimal{value: z, exp: 0} +} + +// Truncate truncates off digits from the number, without rounding. +// +// NOTE: precision is the last digit that will not be truncated (must be >= 0). +// +// Example: +// +// decimal.NewFromString("123.456").Truncate(2).String() // "123.45" +func (d Decimal) Truncate(precision int32) Decimal { + d.ensureInitialized() + if precision >= 0 && -precision > d.exp { + return d.rescale(-precision) + } + return d +} + +// UnmarshalJSON implements the json.Unmarshaler interface. +func (d *Decimal) UnmarshalJSON(decimalBytes []byte) error { + if string(decimalBytes) == "null" { + return nil + } + + str, err := unquoteIfQuoted(decimalBytes) + if err != nil { + return fmt.Errorf("error decoding string '%s': %s", decimalBytes, err) + } + + decimal, err := NewFromString(str) + *d = decimal + if err != nil { + return fmt.Errorf("error decoding string '%s': %s", str, err) + } + return nil +} + +// MarshalJSON implements the json.Marshaler interface. +func (d Decimal) MarshalJSON() ([]byte, error) { + var str string + if MarshalJSONWithoutQuotes { + str = d.String() + } else { + str = "\"" + d.String() + "\"" + } + return []byte(str), nil +} + +// UnmarshalBinary implements the encoding.BinaryUnmarshaler interface. As a string representation +// is already used when encoding to text, this method stores that string as []byte +func (d *Decimal) UnmarshalBinary(data []byte) error { + // Verify we have at least 4 bytes for the exponent. The GOB encoded value + // may be empty. + if len(data) < 4 { + return fmt.Errorf("error decoding binary %v: expected at least 4 bytes, got %d", data, len(data)) + } + + // Extract the exponent + d.exp = int32(binary.BigEndian.Uint32(data[:4])) + + // Extract the value + d.value = new(big.Int) + if err := d.value.GobDecode(data[4:]); err != nil { + return fmt.Errorf("error decoding binary %v: %s", data, err) + } + + return nil +} + +// MarshalBinary implements the encoding.BinaryMarshaler interface. +func (d Decimal) MarshalBinary() (data []byte, err error) { + // exp is written first, but encode value first to know output size + var valueData []byte + if valueData, err = d.value.GobEncode(); err != nil { + return nil, err + } + + // Write the exponent in front, since it's a fixed size + expData := make([]byte, 4, len(valueData)+4) + binary.BigEndian.PutUint32(expData, uint32(d.exp)) + + // Return the byte array + return append(expData, valueData...), nil +} + +// Scan implements the sql.Scanner interface for database deserialization. +func (d *Decimal) Scan(value interface{}) error { + // first try to see if the data is stored in database as a Numeric datatype + switch v := value.(type) { + + case float32: + *d = NewFromFloat(float64(v)) + return nil + + case float64: + // numeric in sqlite3 sends us float64 + *d = NewFromFloat(v) + return nil + + case int64: + // at least in sqlite3 when the value is 0 in db, the data is sent + // to us as an int64 instead of a float64 ... + *d = New(v, 0) + return nil + + case uint64: + // while clickhouse may send 0 in db as uint64 + *d = NewFromUint64(v) + return nil + + default: + // default is trying to interpret value stored as string + str, err := unquoteIfQuoted(v) + if err != nil { + return err + } + *d, err = NewFromString(str) + return err + } +} + +// Value implements the driver.Valuer interface for database serialization. +func (d Decimal) Value() (driver.Value, error) { + return d.String(), nil +} + +// UnmarshalText implements the encoding.TextUnmarshaler interface for XML +// deserialization. +func (d *Decimal) UnmarshalText(text []byte) error { + str := string(text) + + dec, err := NewFromString(str) + *d = dec + if err != nil { + return fmt.Errorf("error decoding string '%s': %s", str, err) + } + + return nil +} + +// MarshalText implements the encoding.TextMarshaler interface for XML +// serialization. +func (d Decimal) MarshalText() (text []byte, err error) { + return []byte(d.String()), nil +} + +// GobEncode implements the gob.GobEncoder interface for gob serialization. +func (d Decimal) GobEncode() ([]byte, error) { + return d.MarshalBinary() +} + +// GobDecode implements the gob.GobDecoder interface for gob serialization. +func (d *Decimal) GobDecode(data []byte) error { + return d.UnmarshalBinary(data) +} + +// StringScaled first scales the decimal then calls .String() on it. +// +// Deprecated: buggy and unintuitive. Use StringFixed instead. +func (d Decimal) StringScaled(exp int32) string { + return d.rescale(exp).String() +} + +func (d Decimal) string(trimTrailingZeros bool) string { + if d.exp >= 0 { + return d.rescale(0).value.String() + } + + abs := new(big.Int).Abs(d.value) + str := abs.String() + + var intPart, fractionalPart string + + // NOTE(vadim): this cast to int will cause bugs if d.exp == INT_MIN + // and you are on a 32-bit machine. Won't fix this super-edge case. + dExpInt := int(d.exp) + if len(str) > -dExpInt { + intPart = str[:len(str)+dExpInt] + fractionalPart = str[len(str)+dExpInt:] + } else { + intPart = "0" + + num0s := -dExpInt - len(str) + fractionalPart = strings.Repeat("0", num0s) + str + } + + if trimTrailingZeros { + i := len(fractionalPart) - 1 + for ; i >= 0; i-- { + if fractionalPart[i] != '0' { + break + } + } + fractionalPart = fractionalPart[:i+1] + } + + number := intPart + if len(fractionalPart) > 0 { + number += "." + fractionalPart + } + + if d.value.Sign() < 0 { + return "-" + number + } + + return number +} + +func (d *Decimal) ensureInitialized() { + if d.value == nil { + d.value = new(big.Int) + } +} + +// Min returns the smallest Decimal that was passed in the arguments. +// +// To call this function with an array, you must do: +// +// Min(arr[0], arr[1:]...) +// +// This makes it harder to accidentally call Min with 0 arguments. +func Min(first Decimal, rest ...Decimal) Decimal { + ans := first + for _, item := range rest { + if item.Cmp(ans) < 0 { + ans = item + } + } + return ans +} + +// Max returns the largest Decimal that was passed in the arguments. +// +// To call this function with an array, you must do: +// +// Max(arr[0], arr[1:]...) +// +// This makes it harder to accidentally call Max with 0 arguments. +func Max(first Decimal, rest ...Decimal) Decimal { + ans := first + for _, item := range rest { + if item.Cmp(ans) > 0 { + ans = item + } + } + return ans +} + +// Sum returns the combined total of the provided first and rest Decimals +func Sum(first Decimal, rest ...Decimal) Decimal { + total := first + for _, item := range rest { + total = total.Add(item) + } + + return total +} + +// Avg returns the average value of the provided first and rest Decimals +func Avg(first Decimal, rest ...Decimal) Decimal { + count := New(int64(len(rest)+1), 0) + sum := Sum(first, rest...) + return sum.Div(count) +} + +// RescalePair rescales two decimals to common exponential value (minimal exp of both decimals) +func RescalePair(d1 Decimal, d2 Decimal) (Decimal, Decimal) { + d1.ensureInitialized() + d2.ensureInitialized() + + if d1.exp < d2.exp { + return d1, d2.rescale(d1.exp) + } else if d1.exp > d2.exp { + return d1.rescale(d2.exp), d2 + } + + return d1, d2 +} + +func unquoteIfQuoted(value interface{}) (string, error) { + var bytes []byte + + switch v := value.(type) { + case string: + bytes = []byte(v) + case []byte: + bytes = v + default: + return "", fmt.Errorf("could not convert value '%+v' to byte array of type '%T'", value, value) + } + + // If the amount is quoted, strip the quotes + if len(bytes) > 2 && bytes[0] == '"' && bytes[len(bytes)-1] == '"' { + bytes = bytes[1 : len(bytes)-1] + } + return string(bytes), nil +} + +// NullDecimal represents a nullable decimal with compatibility for +// scanning null values from the database. +type NullDecimal struct { + Decimal Decimal + Valid bool +} + +func NewNullDecimal(d Decimal) NullDecimal { + return NullDecimal{ + Decimal: d, + Valid: true, + } +} + +// Scan implements the sql.Scanner interface for database deserialization. +func (d *NullDecimal) Scan(value interface{}) error { + if value == nil { + d.Valid = false + return nil + } + d.Valid = true + return d.Decimal.Scan(value) +} + +// Value implements the driver.Valuer interface for database serialization. +func (d NullDecimal) Value() (driver.Value, error) { + if !d.Valid { + return nil, nil + } + return d.Decimal.Value() +} + +// UnmarshalJSON implements the json.Unmarshaler interface. +func (d *NullDecimal) UnmarshalJSON(decimalBytes []byte) error { + if string(decimalBytes) == "null" { + d.Valid = false + return nil + } + d.Valid = true + return d.Decimal.UnmarshalJSON(decimalBytes) +} + +// MarshalJSON implements the json.Marshaler interface. +func (d NullDecimal) MarshalJSON() ([]byte, error) { + if !d.Valid { + return []byte("null"), nil + } + return d.Decimal.MarshalJSON() +} + +// UnmarshalText implements the encoding.TextUnmarshaler interface for XML +// deserialization +func (d *NullDecimal) UnmarshalText(text []byte) error { + str := string(text) + + // check for empty XML or XML without body e.g., + if str == "" { + d.Valid = false + return nil + } + if err := d.Decimal.UnmarshalText(text); err != nil { + d.Valid = false + return err + } + d.Valid = true + return nil +} + +// MarshalText implements the encoding.TextMarshaler interface for XML +// serialization. +func (d NullDecimal) MarshalText() (text []byte, err error) { + if !d.Valid { + return []byte{}, nil + } + return d.Decimal.MarshalText() +} + +// Trig functions + +// Atan returns the arctangent, in radians, of x. +func (d Decimal) Atan() Decimal { + if d.Equal(NewFromFloat(0.0)) { + return d + } + if d.GreaterThan(NewFromFloat(0.0)) { + return d.satan() + } + return d.Neg().satan().Neg() +} + +func (d Decimal) xatan() Decimal { + P0 := NewFromFloat(-8.750608600031904122785e-01) + P1 := NewFromFloat(-1.615753718733365076637e+01) + P2 := NewFromFloat(-7.500855792314704667340e+01) + P3 := NewFromFloat(-1.228866684490136173410e+02) + P4 := NewFromFloat(-6.485021904942025371773e+01) + Q0 := NewFromFloat(2.485846490142306297962e+01) + Q1 := NewFromFloat(1.650270098316988542046e+02) + Q2 := NewFromFloat(4.328810604912902668951e+02) + Q3 := NewFromFloat(4.853903996359136964868e+02) + Q4 := NewFromFloat(1.945506571482613964425e+02) + z := d.Mul(d) + b1 := P0.Mul(z).Add(P1).Mul(z).Add(P2).Mul(z).Add(P3).Mul(z).Add(P4).Mul(z) + b2 := z.Add(Q0).Mul(z).Add(Q1).Mul(z).Add(Q2).Mul(z).Add(Q3).Mul(z).Add(Q4) + z = b1.Div(b2) + z = d.Mul(z).Add(d) + return z +} + +// satan reduces its argument (known to be positive) +// to the range [0, 0.66] and calls xatan. +func (d Decimal) satan() Decimal { + Morebits := NewFromFloat(6.123233995736765886130e-17) // pi/2 = PIO2 + Morebits + Tan3pio8 := NewFromFloat(2.41421356237309504880) // tan(3*pi/8) + pi := NewFromFloat(3.14159265358979323846264338327950288419716939937510582097494459) + + if d.LessThanOrEqual(NewFromFloat(0.66)) { + return d.xatan() + } + if d.GreaterThan(Tan3pio8) { + return pi.Div(NewFromFloat(2.0)).Sub(NewFromFloat(1.0).Div(d).xatan()).Add(Morebits) + } + return pi.Div(NewFromFloat(4.0)).Add((d.Sub(NewFromFloat(1.0)).Div(d.Add(NewFromFloat(1.0)))).xatan()).Add(NewFromFloat(0.5).Mul(Morebits)) +} + +// sin coefficients +var _sin = [...]Decimal{ + NewFromFloat(1.58962301576546568060e-10), // 0x3de5d8fd1fd19ccd + NewFromFloat(-2.50507477628578072866e-8), // 0xbe5ae5e5a9291f5d + NewFromFloat(2.75573136213857245213e-6), // 0x3ec71de3567d48a1 + NewFromFloat(-1.98412698295895385996e-4), // 0xbf2a01a019bfdf03 + NewFromFloat(8.33333333332211858878e-3), // 0x3f8111111110f7d0 + NewFromFloat(-1.66666666666666307295e-1), // 0xbfc5555555555548 +} + +// Sin returns the sine of the radian argument x. +func (d Decimal) Sin() Decimal { + PI4A := NewFromFloat(7.85398125648498535156e-1) // 0x3fe921fb40000000, Pi/4 split into three parts + PI4B := NewFromFloat(3.77489470793079817668e-8) // 0x3e64442d00000000, + PI4C := NewFromFloat(2.69515142907905952645e-15) // 0x3ce8469898cc5170, + M4PI := NewFromFloat(1.273239544735162542821171882678754627704620361328125) // 4/pi + + if d.Equal(NewFromFloat(0.0)) { + return d + } + // make argument positive but save the sign + sign := false + if d.LessThan(NewFromFloat(0.0)) { + d = d.Neg() + sign = true + } + + j := d.Mul(M4PI).IntPart() // integer part of x/(Pi/4), as integer for tests on the phase angle + y := NewFromFloat(float64(j)) // integer part of x/(Pi/4), as float + + // map zeros to origin + if j&1 == 1 { + j++ + y = y.Add(NewFromFloat(1.0)) + } + j &= 7 // octant modulo 2Pi radians (360 degrees) + // reflect in x axis + if j > 3 { + sign = !sign + j -= 4 + } + z := d.Sub(y.Mul(PI4A)).Sub(y.Mul(PI4B)).Sub(y.Mul(PI4C)) // Extended precision modular arithmetic + zz := z.Mul(z) + + if j == 1 || j == 2 { + w := zz.Mul(zz).Mul(_cos[0].Mul(zz).Add(_cos[1]).Mul(zz).Add(_cos[2]).Mul(zz).Add(_cos[3]).Mul(zz).Add(_cos[4]).Mul(zz).Add(_cos[5])) + y = NewFromFloat(1.0).Sub(NewFromFloat(0.5).Mul(zz)).Add(w) + } else { + y = z.Add(z.Mul(zz).Mul(_sin[0].Mul(zz).Add(_sin[1]).Mul(zz).Add(_sin[2]).Mul(zz).Add(_sin[3]).Mul(zz).Add(_sin[4]).Mul(zz).Add(_sin[5]))) + } + if sign { + y = y.Neg() + } + return y +} + +// cos coefficients +var _cos = [...]Decimal{ + NewFromFloat(-1.13585365213876817300e-11), // 0xbda8fa49a0861a9b + NewFromFloat(2.08757008419747316778e-9), // 0x3e21ee9d7b4e3f05 + NewFromFloat(-2.75573141792967388112e-7), // 0xbe927e4f7eac4bc6 + NewFromFloat(2.48015872888517045348e-5), // 0x3efa01a019c844f5 + NewFromFloat(-1.38888888888730564116e-3), // 0xbf56c16c16c14f91 + NewFromFloat(4.16666666666665929218e-2), // 0x3fa555555555554b +} + +// Cos returns the cosine of the radian argument x. +func (d Decimal) Cos() Decimal { + + PI4A := NewFromFloat(7.85398125648498535156e-1) // 0x3fe921fb40000000, Pi/4 split into three parts + PI4B := NewFromFloat(3.77489470793079817668e-8) // 0x3e64442d00000000, + PI4C := NewFromFloat(2.69515142907905952645e-15) // 0x3ce8469898cc5170, + M4PI := NewFromFloat(1.273239544735162542821171882678754627704620361328125) // 4/pi + + // make argument positive + sign := false + if d.LessThan(NewFromFloat(0.0)) { + d = d.Neg() + } + + j := d.Mul(M4PI).IntPart() // integer part of x/(Pi/4), as integer for tests on the phase angle + y := NewFromFloat(float64(j)) // integer part of x/(Pi/4), as float + + // map zeros to origin + if j&1 == 1 { + j++ + y = y.Add(NewFromFloat(1.0)) + } + j &= 7 // octant modulo 2Pi radians (360 degrees) + // reflect in x axis + if j > 3 { + sign = !sign + j -= 4 + } + if j > 1 { + sign = !sign + } + + z := d.Sub(y.Mul(PI4A)).Sub(y.Mul(PI4B)).Sub(y.Mul(PI4C)) // Extended precision modular arithmetic + zz := z.Mul(z) + + if j == 1 || j == 2 { + y = z.Add(z.Mul(zz).Mul(_sin[0].Mul(zz).Add(_sin[1]).Mul(zz).Add(_sin[2]).Mul(zz).Add(_sin[3]).Mul(zz).Add(_sin[4]).Mul(zz).Add(_sin[5]))) + } else { + w := zz.Mul(zz).Mul(_cos[0].Mul(zz).Add(_cos[1]).Mul(zz).Add(_cos[2]).Mul(zz).Add(_cos[3]).Mul(zz).Add(_cos[4]).Mul(zz).Add(_cos[5])) + y = NewFromFloat(1.0).Sub(NewFromFloat(0.5).Mul(zz)).Add(w) + } + if sign { + y = y.Neg() + } + return y +} + +var _tanP = [...]Decimal{ + NewFromFloat(-1.30936939181383777646e+4), // 0xc0c992d8d24f3f38 + NewFromFloat(1.15351664838587416140e+6), // 0x413199eca5fc9ddd + NewFromFloat(-1.79565251976484877988e+7), // 0xc1711fead3299176 +} +var _tanQ = [...]Decimal{ + NewFromFloat(1.00000000000000000000e+0), + NewFromFloat(1.36812963470692954678e+4), //0x40cab8a5eeb36572 + NewFromFloat(-1.32089234440210967447e+6), //0xc13427bc582abc96 + NewFromFloat(2.50083801823357915839e+7), //0x4177d98fc2ead8ef + NewFromFloat(-5.38695755929454629881e+7), //0xc189afe03cbe5a31 +} + +// Tan returns the tangent of the radian argument x. +func (d Decimal) Tan() Decimal { + + PI4A := NewFromFloat(7.85398125648498535156e-1) // 0x3fe921fb40000000, Pi/4 split into three parts + PI4B := NewFromFloat(3.77489470793079817668e-8) // 0x3e64442d00000000, + PI4C := NewFromFloat(2.69515142907905952645e-15) // 0x3ce8469898cc5170, + M4PI := NewFromFloat(1.273239544735162542821171882678754627704620361328125) // 4/pi + + if d.Equal(NewFromFloat(0.0)) { + return d + } + + // make argument positive but save the sign + sign := false + if d.LessThan(NewFromFloat(0.0)) { + d = d.Neg() + sign = true + } + + j := d.Mul(M4PI).IntPart() // integer part of x/(Pi/4), as integer for tests on the phase angle + y := NewFromFloat(float64(j)) // integer part of x/(Pi/4), as float + + // map zeros to origin + if j&1 == 1 { + j++ + y = y.Add(NewFromFloat(1.0)) + } + + z := d.Sub(y.Mul(PI4A)).Sub(y.Mul(PI4B)).Sub(y.Mul(PI4C)) // Extended precision modular arithmetic + zz := z.Mul(z) + + if zz.GreaterThan(NewFromFloat(1e-14)) { + w := zz.Mul(_tanP[0].Mul(zz).Add(_tanP[1]).Mul(zz).Add(_tanP[2])) + x := zz.Add(_tanQ[1]).Mul(zz).Add(_tanQ[2]).Mul(zz).Add(_tanQ[3]).Mul(zz).Add(_tanQ[4]) + y = z.Add(z.Mul(w.Div(x))) + } else { + y = z + } + if j&2 == 2 { + y = NewFromFloat(-1.0).Div(y) + } + if sign { + y = y.Neg() + } + return y +} diff --git a/vendor/github.com/shopspring/decimal/rounding.go b/vendor/github.com/shopspring/decimal/rounding.go new file mode 100644 index 0000000000..d4b0cd0079 --- /dev/null +++ b/vendor/github.com/shopspring/decimal/rounding.go @@ -0,0 +1,160 @@ +// Copyright 2009 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +// Multiprecision decimal numbers. +// For floating-point formatting only; not general purpose. +// Only operations are assign and (binary) left/right shift. +// Can do binary floating point in multiprecision decimal precisely +// because 2 divides 10; cannot do decimal floating point +// in multiprecision binary precisely. + +package decimal + +type floatInfo struct { + mantbits uint + expbits uint + bias int +} + +var float32info = floatInfo{23, 8, -127} +var float64info = floatInfo{52, 11, -1023} + +// roundShortest rounds d (= mant * 2^exp) to the shortest number of digits +// that will let the original floating point value be precisely reconstructed. +func roundShortest(d *decimal, mant uint64, exp int, flt *floatInfo) { + // If mantissa is zero, the number is zero; stop now. + if mant == 0 { + d.nd = 0 + return + } + + // Compute upper and lower such that any decimal number + // between upper and lower (possibly inclusive) + // will round to the original floating point number. + + // We may see at once that the number is already shortest. + // + // Suppose d is not denormal, so that 2^exp <= d < 10^dp. + // The closest shorter number is at least 10^(dp-nd) away. + // The lower/upper bounds computed below are at distance + // at most 2^(exp-mantbits). + // + // So the number is already shortest if 10^(dp-nd) > 2^(exp-mantbits), + // or equivalently log2(10)*(dp-nd) > exp-mantbits. + // It is true if 332/100*(dp-nd) >= exp-mantbits (log2(10) > 3.32). + minexp := flt.bias + 1 // minimum possible exponent + if exp > minexp && 332*(d.dp-d.nd) >= 100*(exp-int(flt.mantbits)) { + // The number is already shortest. + return + } + + // d = mant << (exp - mantbits) + // Next highest floating point number is mant+1 << exp-mantbits. + // Our upper bound is halfway between, mant*2+1 << exp-mantbits-1. + upper := new(decimal) + upper.Assign(mant*2 + 1) + upper.Shift(exp - int(flt.mantbits) - 1) + + // d = mant << (exp - mantbits) + // Next lowest floating point number is mant-1 << exp-mantbits, + // unless mant-1 drops the significant bit and exp is not the minimum exp, + // in which case the next lowest is mant*2-1 << exp-mantbits-1. + // Either way, call it mantlo << explo-mantbits. + // Our lower bound is halfway between, mantlo*2+1 << explo-mantbits-1. + var mantlo uint64 + var explo int + if mant > 1<= d.nd { + break + } + li := ui - upper.dp + lower.dp + l := byte('0') // lower digit + if li >= 0 && li < lower.nd { + l = lower.d[li] + } + m := byte('0') // middle digit + if mi >= 0 { + m = d.d[mi] + } + u := byte('0') // upper digit + if ui < upper.nd { + u = upper.d[ui] + } + + // Okay to round down (truncate) if lower has a different digit + // or if lower is inclusive and is exactly the result of rounding + // down (i.e., and we have reached the final digit of lower). + okdown := l != m || inclusive && li+1 == lower.nd + + switch { + case upperdelta == 0 && m+1 < u: + // Example: + // m = 12345xxx + // u = 12347xxx + upperdelta = 2 + case upperdelta == 0 && m != u: + // Example: + // m = 12345xxx + // u = 12346xxx + upperdelta = 1 + case upperdelta == 1 && (m != '9' || u != '0'): + // Example: + // m = 1234598x + // u = 1234600x + upperdelta = 2 + } + // Okay to round up if upper has a different digit and either upper + // is inclusive or upper is bigger than the result of rounding up. + okup := upperdelta > 0 && (inclusive || upperdelta > 1 || ui+1 < upper.nd) + + // If it's okay to do either, then round to the nearest one. + // If it's okay to do only one, do it. + switch { + case okdown && okup: + d.Round(mi + 1) + return + case okdown: + d.RoundDown(mi + 1) + return + case okup: + d.RoundUp(mi + 1) + return + } + } +} diff --git a/vendor/github.com/spf13/cast/.editorconfig b/vendor/github.com/spf13/cast/.editorconfig new file mode 100644 index 0000000000..a85749f190 --- /dev/null +++ b/vendor/github.com/spf13/cast/.editorconfig @@ -0,0 +1,15 @@ +root = true + +[*] +charset = utf-8 +end_of_line = lf +indent_size = 4 +indent_style = space +insert_final_newline = true +trim_trailing_whitespace = true + +[*.go] +indent_style = tab + +[{*.yml,*.yaml}] +indent_size = 2 diff --git a/vendor/github.com/spf13/cast/.gitignore b/vendor/github.com/spf13/cast/.gitignore new file mode 100644 index 0000000000..53053a8ac5 --- /dev/null +++ b/vendor/github.com/spf13/cast/.gitignore @@ -0,0 +1,25 @@ +# Compiled Object files, Static and Dynamic libs (Shared Objects) +*.o +*.a +*.so + +# Folders +_obj +_test + +# Architecture specific extensions/prefixes +*.[568vq] +[568vq].out + +*.cgo1.go +*.cgo2.c +_cgo_defun.c +_cgo_gotypes.go +_cgo_export.* + +_testmain.go + +*.exe +*.test + +*.bench diff --git a/vendor/github.com/spf13/cast/.golangci.yaml b/vendor/github.com/spf13/cast/.golangci.yaml new file mode 100644 index 0000000000..e00fd47aa2 --- /dev/null +++ b/vendor/github.com/spf13/cast/.golangci.yaml @@ -0,0 +1,39 @@ +version: "2" + +run: + timeout: 10m + +linters: + enable: + - errcheck + - govet + - ineffassign + - misspell + - nolintlint + # - revive + - unused + + disable: + - staticcheck + + settings: + misspell: + locale: US + nolintlint: + allow-unused: false # report any unused nolint directives + require-specific: false # don't require nolint directives to be specific about which linter is being skipped + +formatters: + enable: + - gci + - gofmt + # - gofumpt + - goimports + # - golines + + settings: + gci: + sections: + - standard + - default + - localmodule diff --git a/vendor/github.com/spf13/cast/LICENSE b/vendor/github.com/spf13/cast/LICENSE new file mode 100644 index 0000000000..4527efb9c0 --- /dev/null +++ b/vendor/github.com/spf13/cast/LICENSE @@ -0,0 +1,21 @@ +The MIT License (MIT) + +Copyright (c) 2014 Steve Francia + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. \ No newline at end of file diff --git a/vendor/github.com/spf13/cast/Makefile b/vendor/github.com/spf13/cast/Makefile new file mode 100644 index 0000000000..f01a5dbb6e --- /dev/null +++ b/vendor/github.com/spf13/cast/Makefile @@ -0,0 +1,40 @@ +GOVERSION := $(shell go version | cut -d ' ' -f 3 | cut -d '.' -f 2) + +.PHONY: check fmt lint test test-race vet test-cover-html help +.DEFAULT_GOAL := help + +check: test-race fmt vet lint ## Run tests and linters + +test: ## Run tests + go test ./... + +test-race: ## Run tests with race detector + go test -race ./... + +fmt: ## Run gofmt linter +ifeq "$(GOVERSION)" "12" + @for d in `go list` ; do \ + if [ "`gofmt -l -s $$GOPATH/src/$$d | tee /dev/stderr`" ]; then \ + echo "^ improperly formatted go files" && echo && exit 1; \ + fi \ + done +endif + +lint: ## Run golint linter + @for d in `go list` ; do \ + if [ "`golint $$d | tee /dev/stderr`" ]; then \ + echo "^ golint errors!" && echo && exit 1; \ + fi \ + done + +vet: ## Run go vet linter + @if [ "`go vet | tee /dev/stderr`" ]; then \ + echo "^ go vet errors!" && echo && exit 1; \ + fi + +test-cover-html: ## Generate test coverage report + go test -coverprofile=coverage.out -covermode=count + go tool cover -func=coverage.out + +help: + @grep -E '^[a-zA-Z0-9_-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}' diff --git a/vendor/github.com/spf13/cast/README.md b/vendor/github.com/spf13/cast/README.md new file mode 100644 index 0000000000..c58eccb3fd --- /dev/null +++ b/vendor/github.com/spf13/cast/README.md @@ -0,0 +1,79 @@ +# cast + +[![GitHub Workflow Status](https://img.shields.io/github/actions/workflow/status/spf13/cast/ci.yaml?style=flat-square)](https://github.com/spf13/cast/actions/workflows/ci.yaml) +[![go.dev reference](https://img.shields.io/badge/go.dev-reference-007d9c?logo=go&logoColor=white&style=flat-square)](https://pkg.go.dev/mod/github.com/spf13/cast) +![GitHub go.mod Go version](https://img.shields.io/github/go-mod/go-version/spf13/cast?style=flat-square&color=61CFDD) +[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/spf13/cast/badge?style=flat-square)](https://deps.dev/go/github.com%252Fspf13%252Fcast) + +Easy and safe casting from one type to another in Go + +Don’t Panic! ... Cast + +## What is Cast? + +Cast is a library to convert between different go types in a consistent and easy way. + +Cast provides simple functions to easily convert a number to a string, an +interface into a bool, etc. Cast does this intelligently when an obvious +conversion is possible. It doesn’t make any attempts to guess what you meant, +for example you can only convert a string to an int when it is a string +representation of an int such as “8â€. Cast was developed for use in +[Hugo](https://gohugo.io), a website engine which uses YAML, TOML or JSON +for meta data. + +## Why use Cast? + +When working with dynamic data in Go you often need to cast or convert the data +from one type into another. Cast goes beyond just using type assertion (though +it uses that when possible) to provide a very straightforward and convenient +library. + +If you are working with interfaces to handle things like dynamic content +you’ll need an easy way to convert an interface into a given type. This +is the library for you. + +If you are taking in data from YAML, TOML or JSON or other formats which lack +full types, then Cast is the library for you. + +## Usage + +Cast provides a handful of To_____ methods. These methods will always return +the desired type. **If input is provided that will not convert to that type, the +0 or nil value for that type will be returned**. + +Cast also provides identical methods To_____E. These return the same result as +the To_____ methods, plus an additional error which tells you if it successfully +converted. Using these methods you can tell the difference between when the +input matched the zero value or when the conversion failed and the zero value +was returned. + +The following examples are merely a sample of what is available. Please review +the code for a complete set. + +### Example ‘ToString’: + + cast.ToString("mayonegg") // "mayonegg" + cast.ToString(8) // "8" + cast.ToString(8.31) // "8.31" + cast.ToString([]byte("one time")) // "one time" + cast.ToString(nil) // "" + + var foo interface{} = "one more time" + cast.ToString(foo) // "one more time" + + +### Example ‘ToInt’: + + cast.ToInt(8) // 8 + cast.ToInt(8.31) // 8 + cast.ToInt("8") // 8 + cast.ToInt(true) // 1 + cast.ToInt(false) // 0 + + var eight interface{} = 8 + cast.ToInt(eight) // 8 + cast.ToInt(nil) // 0 + +## License + +The project is licensed under the [MIT License](LICENSE). diff --git a/vendor/github.com/spf13/cast/cast.go b/vendor/github.com/spf13/cast/cast.go new file mode 100644 index 0000000000..386ba80a99 --- /dev/null +++ b/vendor/github.com/spf13/cast/cast.go @@ -0,0 +1,194 @@ +// Copyright © 2014 Steve Francia . +// +// Use of this source code is governed by an MIT-style +// license that can be found in the LICENSE file. + +// Package cast provides easy and safe casting in Go. +package cast + +import "time" + +// ToBool casts an interface to a bool type. +func ToBool(i interface{}) bool { + v, _ := ToBoolE(i) + return v +} + +// ToTime casts an interface to a time.Time type. +func ToTime(i interface{}) time.Time { + v, _ := ToTimeE(i) + return v +} + +func ToTimeInDefaultLocation(i interface{}, location *time.Location) time.Time { + v, _ := ToTimeInDefaultLocationE(i, location) + return v +} + +// ToDuration casts an interface to a time.Duration type. +func ToDuration(i interface{}) time.Duration { + v, _ := ToDurationE(i) + return v +} + +// ToFloat64 casts an interface to a float64 type. +func ToFloat64(i interface{}) float64 { + v, _ := ToFloat64E(i) + return v +} + +// ToFloat32 casts an interface to a float32 type. +func ToFloat32(i interface{}) float32 { + v, _ := ToFloat32E(i) + return v +} + +// ToInt64 casts an interface to an int64 type. +func ToInt64(i interface{}) int64 { + v, _ := ToInt64E(i) + return v +} + +// ToInt32 casts an interface to an int32 type. +func ToInt32(i interface{}) int32 { + v, _ := ToInt32E(i) + return v +} + +// ToInt16 casts an interface to an int16 type. +func ToInt16(i interface{}) int16 { + v, _ := ToInt16E(i) + return v +} + +// ToInt8 casts an interface to an int8 type. +func ToInt8(i interface{}) int8 { + v, _ := ToInt8E(i) + return v +} + +// ToInt casts an interface to an int type. +func ToInt(i interface{}) int { + v, _ := ToIntE(i) + return v +} + +// ToUint casts an interface to a uint type. +func ToUint(i interface{}) uint { + v, _ := ToUintE(i) + return v +} + +// ToUint64 casts an interface to a uint64 type. +func ToUint64(i interface{}) uint64 { + v, _ := ToUint64E(i) + return v +} + +// ToUint32 casts an interface to a uint32 type. +func ToUint32(i interface{}) uint32 { + v, _ := ToUint32E(i) + return v +} + +// ToUint16 casts an interface to a uint16 type. +func ToUint16(i interface{}) uint16 { + v, _ := ToUint16E(i) + return v +} + +// ToUint8 casts an interface to a uint8 type. +func ToUint8(i interface{}) uint8 { + v, _ := ToUint8E(i) + return v +} + +// ToString casts an interface to a string type. +func ToString(i interface{}) string { + v, _ := ToStringE(i) + return v +} + +// ToStringMapString casts an interface to a map[string]string type. +func ToStringMapString(i interface{}) map[string]string { + v, _ := ToStringMapStringE(i) + return v +} + +// ToStringMapStringSlice casts an interface to a map[string][]string type. +func ToStringMapStringSlice(i interface{}) map[string][]string { + v, _ := ToStringMapStringSliceE(i) + return v +} + +// ToStringMapBool casts an interface to a map[string]bool type. +func ToStringMapBool(i interface{}) map[string]bool { + v, _ := ToStringMapBoolE(i) + return v +} + +// ToStringMapInt casts an interface to a map[string]int type. +func ToStringMapInt(i interface{}) map[string]int { + v, _ := ToStringMapIntE(i) + return v +} + +// ToStringMapInt64 casts an interface to a map[string]int64 type. +func ToStringMapInt64(i interface{}) map[string]int64 { + v, _ := ToStringMapInt64E(i) + return v +} + +// ToStringMap casts an interface to a map[string]interface{} type. +func ToStringMap(i interface{}) map[string]interface{} { + v, _ := ToStringMapE(i) + return v +} + +// ToSlice casts an interface to a []interface{} type. +func ToSlice(i interface{}) []interface{} { + v, _ := ToSliceE(i) + return v +} + +// ToBoolSlice casts an interface to a []bool type. +func ToBoolSlice(i interface{}) []bool { + v, _ := ToBoolSliceE(i) + return v +} + +// ToStringSlice casts an interface to a []string type. +func ToStringSlice(i interface{}) []string { + v, _ := ToStringSliceE(i) + return v +} + +// ToIntSlice casts an interface to a []int type. +func ToIntSlice(i interface{}) []int { + v, _ := ToIntSliceE(i) + return v +} + +// ToInt64Slice casts an interface to a []int64 type. +func ToInt64Slice(i interface{}) []int64 { + v, _ := ToInt64SliceE(i) + return v +} + +// ToUintSlice casts an interface to a []uint type. +func ToUintSlice(i interface{}) []uint { + v, _ := ToUintSliceE(i) + return v +} + +// ToFloat64Slice casts an interface to a []float64 type. +func ToFloat64Slice(i interface{}) []float64 { + v, _ := ToFloat64SliceE(i) + return v +} + +// ToDurationSlice casts an interface to a []time.Duration type. +func ToDurationSlice(i interface{}) []time.Duration { + v, _ := ToDurationSliceE(i) + return v +} diff --git a/vendor/github.com/spf13/cast/caste.go b/vendor/github.com/spf13/cast/caste.go new file mode 100644 index 0000000000..4d4ca8db15 --- /dev/null +++ b/vendor/github.com/spf13/cast/caste.go @@ -0,0 +1,1472 @@ +// Copyright © 2014 Steve Francia . +// +// Use of this source code is governed by an MIT-style +// license that can be found in the LICENSE file. + +package cast + +import ( + "encoding/json" + "errors" + "fmt" + "html/template" + "reflect" + "strconv" + "strings" + "time" +) + +var errNegativeNotAllowed = errors.New("unable to cast negative value") + +type float64EProvider interface { + Float64() (float64, error) +} + +type float64Provider interface { + Float64() float64 +} + +// ToTimeE casts an interface to a time.Time type. +func ToTimeE(i interface{}) (tim time.Time, err error) { + return ToTimeInDefaultLocationE(i, time.UTC) +} + +// ToTimeInDefaultLocationE casts an empty interface to time.Time, +// interpreting inputs without a timezone to be in the given location, +// or the local timezone if nil. +func ToTimeInDefaultLocationE(i interface{}, location *time.Location) (tim time.Time, err error) { + i = indirect(i) + + switch v := i.(type) { + case time.Time: + return v, nil + case string: + return StringToDateInDefaultLocation(v, location) + case json.Number: + s, err1 := ToInt64E(v) + if err1 != nil { + return time.Time{}, fmt.Errorf("unable to cast %#v of type %T to Time", i, i) + } + return time.Unix(s, 0), nil + case int: + return time.Unix(int64(v), 0), nil + case int64: + return time.Unix(v, 0), nil + case int32: + return time.Unix(int64(v), 0), nil + case uint: + return time.Unix(int64(v), 0), nil + case uint64: + return time.Unix(int64(v), 0), nil + case uint32: + return time.Unix(int64(v), 0), nil + default: + return time.Time{}, fmt.Errorf("unable to cast %#v of type %T to Time", i, i) + } +} + +// ToDurationE casts an interface to a time.Duration type. +func ToDurationE(i interface{}) (d time.Duration, err error) { + i = indirect(i) + + switch s := i.(type) { + case time.Duration: + return s, nil + case int, int64, int32, int16, int8, uint, uint64, uint32, uint16, uint8: + d = time.Duration(ToInt64(s)) + return + case float32, float64: + d = time.Duration(ToFloat64(s)) + return + case string: + if strings.ContainsAny(s, "nsuµmh") { + d, err = time.ParseDuration(s) + } else { + d, err = time.ParseDuration(s + "ns") + } + return + case float64EProvider: + var v float64 + v, err = s.Float64() + d = time.Duration(v) + return + case float64Provider: + d = time.Duration(s.Float64()) + return + default: + err = fmt.Errorf("unable to cast %#v of type %T to Duration", i, i) + return + } +} + +// ToBoolE casts an interface to a bool type. +func ToBoolE(i interface{}) (bool, error) { + i = indirect(i) + + switch b := i.(type) { + case bool: + return b, nil + case nil: + return false, nil + case int: + return b != 0, nil + case int64: + return b != 0, nil + case int32: + return b != 0, nil + case int16: + return b != 0, nil + case int8: + return b != 0, nil + case uint: + return b != 0, nil + case uint64: + return b != 0, nil + case uint32: + return b != 0, nil + case uint16: + return b != 0, nil + case uint8: + return b != 0, nil + case float64: + return b != 0, nil + case float32: + return b != 0, nil + case time.Duration: + return b != 0, nil + case string: + return strconv.ParseBool(i.(string)) + case json.Number: + v, err := ToInt64E(b) + if err == nil { + return v != 0, nil + } + return false, fmt.Errorf("unable to cast %#v of type %T to bool", i, i) + default: + return false, fmt.Errorf("unable to cast %#v of type %T to bool", i, i) + } +} + +// ToFloat64E casts an interface to a float64 type. +func ToFloat64E(i interface{}) (float64, error) { + i = indirect(i) + + intv, ok := toInt(i) + if ok { + return float64(intv), nil + } + + switch s := i.(type) { + case float64: + return s, nil + case float32: + return float64(s), nil + case int64: + return float64(s), nil + case int32: + return float64(s), nil + case int16: + return float64(s), nil + case int8: + return float64(s), nil + case uint: + return float64(s), nil + case uint64: + return float64(s), nil + case uint32: + return float64(s), nil + case uint16: + return float64(s), nil + case uint8: + return float64(s), nil + case string: + v, err := strconv.ParseFloat(s, 64) + if err == nil { + return v, nil + } + return 0, fmt.Errorf("unable to cast %#v of type %T to float64", i, i) + case float64EProvider: + v, err := s.Float64() + if err == nil { + return v, nil + } + return 0, fmt.Errorf("unable to cast %#v of type %T to float64", i, i) + case float64Provider: + return s.Float64(), nil + case bool: + if s { + return 1, nil + } + return 0, nil + case nil: + return 0, nil + default: + return 0, fmt.Errorf("unable to cast %#v of type %T to float64", i, i) + } +} + +// ToFloat32E casts an interface to a float32 type. +func ToFloat32E(i interface{}) (float32, error) { + i = indirect(i) + + intv, ok := toInt(i) + if ok { + return float32(intv), nil + } + + switch s := i.(type) { + case float64: + return float32(s), nil + case float32: + return s, nil + case int64: + return float32(s), nil + case int32: + return float32(s), nil + case int16: + return float32(s), nil + case int8: + return float32(s), nil + case uint: + return float32(s), nil + case uint64: + return float32(s), nil + case uint32: + return float32(s), nil + case uint16: + return float32(s), nil + case uint8: + return float32(s), nil + case string: + v, err := strconv.ParseFloat(s, 32) + if err == nil { + return float32(v), nil + } + return 0, fmt.Errorf("unable to cast %#v of type %T to float32", i, i) + case float64EProvider: + v, err := s.Float64() + if err == nil { + return float32(v), nil + } + return 0, fmt.Errorf("unable to cast %#v of type %T to float32", i, i) + case float64Provider: + return float32(s.Float64()), nil + case bool: + if s { + return 1, nil + } + return 0, nil + case nil: + return 0, nil + default: + return 0, fmt.Errorf("unable to cast %#v of type %T to float32", i, i) + } +} + +// ToInt64E casts an interface to an int64 type. +func ToInt64E(i interface{}) (int64, error) { + i = indirect(i) + + intv, ok := toInt(i) + if ok { + return int64(intv), nil + } + + switch s := i.(type) { + case int64: + return s, nil + case int32: + return int64(s), nil + case int16: + return int64(s), nil + case int8: + return int64(s), nil + case uint: + return int64(s), nil + case uint64: + return int64(s), nil + case uint32: + return int64(s), nil + case uint16: + return int64(s), nil + case uint8: + return int64(s), nil + case float64: + return int64(s), nil + case float32: + return int64(s), nil + case string: + v, err := strconv.ParseInt(trimZeroDecimal(s), 0, 0) + if err == nil { + return v, nil + } + return 0, fmt.Errorf("unable to cast %#v of type %T to int64", i, i) + case json.Number: + return ToInt64E(string(s)) + case bool: + if s { + return 1, nil + } + return 0, nil + case nil: + return 0, nil + default: + return 0, fmt.Errorf("unable to cast %#v of type %T to int64", i, i) + } +} + +// ToInt32E casts an interface to an int32 type. +func ToInt32E(i interface{}) (int32, error) { + i = indirect(i) + + intv, ok := toInt(i) + if ok { + return int32(intv), nil + } + + switch s := i.(type) { + case int64: + return int32(s), nil + case int32: + return s, nil + case int16: + return int32(s), nil + case int8: + return int32(s), nil + case uint: + return int32(s), nil + case uint64: + return int32(s), nil + case uint32: + return int32(s), nil + case uint16: + return int32(s), nil + case uint8: + return int32(s), nil + case float64: + return int32(s), nil + case float32: + return int32(s), nil + case string: + v, err := strconv.ParseInt(trimZeroDecimal(s), 0, 0) + if err == nil { + return int32(v), nil + } + return 0, fmt.Errorf("unable to cast %#v of type %T to int32", i, i) + case json.Number: + return ToInt32E(string(s)) + case bool: + if s { + return 1, nil + } + return 0, nil + case nil: + return 0, nil + default: + return 0, fmt.Errorf("unable to cast %#v of type %T to int32", i, i) + } +} + +// ToInt16E casts an interface to an int16 type. +func ToInt16E(i interface{}) (int16, error) { + i = indirect(i) + + intv, ok := toInt(i) + if ok { + return int16(intv), nil + } + + switch s := i.(type) { + case int64: + return int16(s), nil + case int32: + return int16(s), nil + case int16: + return s, nil + case int8: + return int16(s), nil + case uint: + return int16(s), nil + case uint64: + return int16(s), nil + case uint32: + return int16(s), nil + case uint16: + return int16(s), nil + case uint8: + return int16(s), nil + case float64: + return int16(s), nil + case float32: + return int16(s), nil + case string: + v, err := strconv.ParseInt(trimZeroDecimal(s), 0, 0) + if err == nil { + return int16(v), nil + } + return 0, fmt.Errorf("unable to cast %#v of type %T to int16", i, i) + case json.Number: + return ToInt16E(string(s)) + case bool: + if s { + return 1, nil + } + return 0, nil + case nil: + return 0, nil + default: + return 0, fmt.Errorf("unable to cast %#v of type %T to int16", i, i) + } +} + +// ToInt8E casts an interface to an int8 type. +func ToInt8E(i interface{}) (int8, error) { + i = indirect(i) + + intv, ok := toInt(i) + if ok { + return int8(intv), nil + } + + switch s := i.(type) { + case int64: + return int8(s), nil + case int32: + return int8(s), nil + case int16: + return int8(s), nil + case int8: + return s, nil + case uint: + return int8(s), nil + case uint64: + return int8(s), nil + case uint32: + return int8(s), nil + case uint16: + return int8(s), nil + case uint8: + return int8(s), nil + case float64: + return int8(s), nil + case float32: + return int8(s), nil + case string: + v, err := strconv.ParseInt(trimZeroDecimal(s), 0, 0) + if err == nil { + return int8(v), nil + } + return 0, fmt.Errorf("unable to cast %#v of type %T to int8", i, i) + case json.Number: + return ToInt8E(string(s)) + case bool: + if s { + return 1, nil + } + return 0, nil + case nil: + return 0, nil + default: + return 0, fmt.Errorf("unable to cast %#v of type %T to int8", i, i) + } +} + +// ToIntE casts an interface to an int type. +func ToIntE(i interface{}) (int, error) { + i = indirect(i) + + intv, ok := toInt(i) + if ok { + return intv, nil + } + + switch s := i.(type) { + case int64: + return int(s), nil + case int32: + return int(s), nil + case int16: + return int(s), nil + case int8: + return int(s), nil + case uint: + return int(s), nil + case uint64: + return int(s), nil + case uint32: + return int(s), nil + case uint16: + return int(s), nil + case uint8: + return int(s), nil + case float64: + return int(s), nil + case float32: + return int(s), nil + case string: + v, err := strconv.ParseInt(trimZeroDecimal(s), 0, 0) + if err == nil { + return int(v), nil + } + return 0, fmt.Errorf("unable to cast %#v of type %T to int64", i, i) + case json.Number: + return ToIntE(string(s)) + case bool: + if s { + return 1, nil + } + return 0, nil + case nil: + return 0, nil + default: + return 0, fmt.Errorf("unable to cast %#v of type %T to int", i, i) + } +} + +// ToUintE casts an interface to a uint type. +func ToUintE(i interface{}) (uint, error) { + i = indirect(i) + + intv, ok := toInt(i) + if ok { + if intv < 0 { + return 0, errNegativeNotAllowed + } + return uint(intv), nil + } + + switch s := i.(type) { + case string: + v, err := strconv.ParseInt(trimZeroDecimal(s), 0, 0) + if err == nil { + if v < 0 { + return 0, errNegativeNotAllowed + } + return uint(v), nil + } + return 0, fmt.Errorf("unable to cast %#v of type %T to uint", i, i) + case json.Number: + return ToUintE(string(s)) + case int64: + if s < 0 { + return 0, errNegativeNotAllowed + } + return uint(s), nil + case int32: + if s < 0 { + return 0, errNegativeNotAllowed + } + return uint(s), nil + case int16: + if s < 0 { + return 0, errNegativeNotAllowed + } + return uint(s), nil + case int8: + if s < 0 { + return 0, errNegativeNotAllowed + } + return uint(s), nil + case uint: + return s, nil + case uint64: + return uint(s), nil + case uint32: + return uint(s), nil + case uint16: + return uint(s), nil + case uint8: + return uint(s), nil + case float64: + if s < 0 { + return 0, errNegativeNotAllowed + } + return uint(s), nil + case float32: + if s < 0 { + return 0, errNegativeNotAllowed + } + return uint(s), nil + case bool: + if s { + return 1, nil + } + return 0, nil + case nil: + return 0, nil + default: + return 0, fmt.Errorf("unable to cast %#v of type %T to uint", i, i) + } +} + +// ToUint64E casts an interface to a uint64 type. +func ToUint64E(i interface{}) (uint64, error) { + i = indirect(i) + + intv, ok := toInt(i) + if ok { + if intv < 0 { + return 0, errNegativeNotAllowed + } + return uint64(intv), nil + } + + switch s := i.(type) { + case string: + v, err := strconv.ParseUint(trimZeroDecimal(s), 0, 0) + if err == nil { + return v, nil + } + return 0, fmt.Errorf("unable to cast %#v of type %T to uint64", i, i) + case json.Number: + return ToUint64E(string(s)) + case int64: + if s < 0 { + return 0, errNegativeNotAllowed + } + return uint64(s), nil + case int32: + if s < 0 { + return 0, errNegativeNotAllowed + } + return uint64(s), nil + case int16: + if s < 0 { + return 0, errNegativeNotAllowed + } + return uint64(s), nil + case int8: + if s < 0 { + return 0, errNegativeNotAllowed + } + return uint64(s), nil + case uint: + return uint64(s), nil + case uint64: + return s, nil + case uint32: + return uint64(s), nil + case uint16: + return uint64(s), nil + case uint8: + return uint64(s), nil + case float32: + if s < 0 { + return 0, errNegativeNotAllowed + } + return uint64(s), nil + case float64: + if s < 0 { + return 0, errNegativeNotAllowed + } + return uint64(s), nil + case bool: + if s { + return 1, nil + } + return 0, nil + case nil: + return 0, nil + default: + return 0, fmt.Errorf("unable to cast %#v of type %T to uint64", i, i) + } +} + +// ToUint32E casts an interface to a uint32 type. +func ToUint32E(i interface{}) (uint32, error) { + i = indirect(i) + + intv, ok := toInt(i) + if ok { + if intv < 0 { + return 0, errNegativeNotAllowed + } + return uint32(intv), nil + } + + switch s := i.(type) { + case string: + v, err := strconv.ParseInt(trimZeroDecimal(s), 0, 0) + if err == nil { + if v < 0 { + return 0, errNegativeNotAllowed + } + return uint32(v), nil + } + return 0, fmt.Errorf("unable to cast %#v of type %T to uint32", i, i) + case json.Number: + return ToUint32E(string(s)) + case int64: + if s < 0 { + return 0, errNegativeNotAllowed + } + return uint32(s), nil + case int32: + if s < 0 { + return 0, errNegativeNotAllowed + } + return uint32(s), nil + case int16: + if s < 0 { + return 0, errNegativeNotAllowed + } + return uint32(s), nil + case int8: + if s < 0 { + return 0, errNegativeNotAllowed + } + return uint32(s), nil + case uint: + return uint32(s), nil + case uint64: + return uint32(s), nil + case uint32: + return s, nil + case uint16: + return uint32(s), nil + case uint8: + return uint32(s), nil + case float64: + if s < 0 { + return 0, errNegativeNotAllowed + } + return uint32(s), nil + case float32: + if s < 0 { + return 0, errNegativeNotAllowed + } + return uint32(s), nil + case bool: + if s { + return 1, nil + } + return 0, nil + case nil: + return 0, nil + default: + return 0, fmt.Errorf("unable to cast %#v of type %T to uint32", i, i) + } +} + +// ToUint16E casts an interface to a uint16 type. +func ToUint16E(i interface{}) (uint16, error) { + i = indirect(i) + + intv, ok := toInt(i) + if ok { + if intv < 0 { + return 0, errNegativeNotAllowed + } + return uint16(intv), nil + } + + switch s := i.(type) { + case string: + v, err := strconv.ParseInt(trimZeroDecimal(s), 0, 0) + if err == nil { + if v < 0 { + return 0, errNegativeNotAllowed + } + return uint16(v), nil + } + return 0, fmt.Errorf("unable to cast %#v of type %T to uint16", i, i) + case json.Number: + return ToUint16E(string(s)) + case int64: + if s < 0 { + return 0, errNegativeNotAllowed + } + return uint16(s), nil + case int32: + if s < 0 { + return 0, errNegativeNotAllowed + } + return uint16(s), nil + case int16: + if s < 0 { + return 0, errNegativeNotAllowed + } + return uint16(s), nil + case int8: + if s < 0 { + return 0, errNegativeNotAllowed + } + return uint16(s), nil + case uint: + return uint16(s), nil + case uint64: + return uint16(s), nil + case uint32: + return uint16(s), nil + case uint16: + return s, nil + case uint8: + return uint16(s), nil + case float64: + if s < 0 { + return 0, errNegativeNotAllowed + } + return uint16(s), nil + case float32: + if s < 0 { + return 0, errNegativeNotAllowed + } + return uint16(s), nil + case bool: + if s { + return 1, nil + } + return 0, nil + case nil: + return 0, nil + default: + return 0, fmt.Errorf("unable to cast %#v of type %T to uint16", i, i) + } +} + +// ToUint8E casts an interface to a uint type. +func ToUint8E(i interface{}) (uint8, error) { + i = indirect(i) + + intv, ok := toInt(i) + if ok { + if intv < 0 { + return 0, errNegativeNotAllowed + } + return uint8(intv), nil + } + + switch s := i.(type) { + case string: + v, err := strconv.ParseInt(trimZeroDecimal(s), 0, 0) + if err == nil { + if v < 0 { + return 0, errNegativeNotAllowed + } + return uint8(v), nil + } + return 0, fmt.Errorf("unable to cast %#v of type %T to uint8", i, i) + case json.Number: + return ToUint8E(string(s)) + case int64: + if s < 0 { + return 0, errNegativeNotAllowed + } + return uint8(s), nil + case int32: + if s < 0 { + return 0, errNegativeNotAllowed + } + return uint8(s), nil + case int16: + if s < 0 { + return 0, errNegativeNotAllowed + } + return uint8(s), nil + case int8: + if s < 0 { + return 0, errNegativeNotAllowed + } + return uint8(s), nil + case uint: + return uint8(s), nil + case uint64: + return uint8(s), nil + case uint32: + return uint8(s), nil + case uint16: + return uint8(s), nil + case uint8: + return s, nil + case float64: + if s < 0 { + return 0, errNegativeNotAllowed + } + return uint8(s), nil + case float32: + if s < 0 { + return 0, errNegativeNotAllowed + } + return uint8(s), nil + case bool: + if s { + return 1, nil + } + return 0, nil + case nil: + return 0, nil + default: + return 0, fmt.Errorf("unable to cast %#v of type %T to uint8", i, i) + } +} + +// From html/template/content.go +// Copyright 2011 The Go Authors. All rights reserved. +// indirect returns the value, after dereferencing as many times +// as necessary to reach the base type (or nil). +func indirect(a interface{}) interface{} { + if a == nil { + return nil + } + if t := reflect.TypeOf(a); t.Kind() != reflect.Ptr { + // Avoid creating a reflect.Value if it's not a pointer. + return a + } + v := reflect.ValueOf(a) + for v.Kind() == reflect.Ptr && !v.IsNil() { + v = v.Elem() + } + return v.Interface() +} + +// From html/template/content.go +// Copyright 2011 The Go Authors. All rights reserved. +// indirectToStringerOrError returns the value, after dereferencing as many times +// as necessary to reach the base type (or nil) or an implementation of fmt.Stringer +// or error, +func indirectToStringerOrError(a interface{}) interface{} { + if a == nil { + return nil + } + + errorType := reflect.TypeOf((*error)(nil)).Elem() + fmtStringerType := reflect.TypeOf((*fmt.Stringer)(nil)).Elem() + + v := reflect.ValueOf(a) + for !v.Type().Implements(fmtStringerType) && !v.Type().Implements(errorType) && v.Kind() == reflect.Ptr && !v.IsNil() { + v = v.Elem() + } + return v.Interface() +} + +// ToStringE casts an interface to a string type. +func ToStringE(i interface{}) (string, error) { + i = indirectToStringerOrError(i) + + switch s := i.(type) { + case string: + return s, nil + case bool: + return strconv.FormatBool(s), nil + case float64: + return strconv.FormatFloat(s, 'f', -1, 64), nil + case float32: + return strconv.FormatFloat(float64(s), 'f', -1, 32), nil + case int: + return strconv.Itoa(s), nil + case int64: + return strconv.FormatInt(s, 10), nil + case int32: + return strconv.Itoa(int(s)), nil + case int16: + return strconv.FormatInt(int64(s), 10), nil + case int8: + return strconv.FormatInt(int64(s), 10), nil + case uint: + return strconv.FormatUint(uint64(s), 10), nil + case uint64: + return strconv.FormatUint(uint64(s), 10), nil + case uint32: + return strconv.FormatUint(uint64(s), 10), nil + case uint16: + return strconv.FormatUint(uint64(s), 10), nil + case uint8: + return strconv.FormatUint(uint64(s), 10), nil + case json.Number: + return s.String(), nil + case []byte: + return string(s), nil + case template.HTML: + return string(s), nil + case template.URL: + return string(s), nil + case template.JS: + return string(s), nil + case template.CSS: + return string(s), nil + case template.HTMLAttr: + return string(s), nil + case nil: + return "", nil + case fmt.Stringer: + return s.String(), nil + case error: + return s.Error(), nil + default: + return "", fmt.Errorf("unable to cast %#v of type %T to string", i, i) + } +} + +func toMapE[K comparable, V any](i any, keyFn func(any) K, valFn func(any) V) (map[K]V, error) { + m := map[K]V{} + + if i == nil { + return m, fmt.Errorf("unable to cast %#v of type %T to %T", i, i, m) + } + + switch v := i.(type) { + case map[K]V: + return v, nil + + case map[K]any: + for k, val := range v { + m[k] = valFn(val) + } + + return m, nil + + case map[any]V: + for k, val := range v { + m[keyFn(k)] = val + } + + return m, nil + + case map[any]any: + for k, val := range v { + m[keyFn(k)] = valFn(val) + } + + return m, nil + + case string: + err := jsonStringToObject(v, &m) + + return m, err + + default: + return m, fmt.Errorf("unable to cast %#v of type %T to %T", i, i, m) + } +} + +func toStringMapE[T any](i any, fn func(any) T) (map[string]T, error) { + return toMapE(i, ToString, fn) +} + +// ToStringMapStringE casts an interface to a map[string]string type. +func ToStringMapStringE(i any) (map[string]string, error) { + return toStringMapE(i, ToString) +} + +// ToStringMapStringSliceE casts an interface to a map[string][]string type. +func ToStringMapStringSliceE(i interface{}) (map[string][]string, error) { + m := map[string][]string{} + + switch v := i.(type) { + case map[string][]string: + return v, nil + case map[string][]interface{}: + for k, val := range v { + m[ToString(k)] = ToStringSlice(val) + } + return m, nil + case map[string]string: + for k, val := range v { + m[ToString(k)] = []string{val} + } + case map[string]interface{}: + for k, val := range v { + switch vt := val.(type) { + case []interface{}: + m[ToString(k)] = ToStringSlice(vt) + case []string: + m[ToString(k)] = vt + default: + m[ToString(k)] = []string{ToString(val)} + } + } + return m, nil + case map[interface{}][]string: + for k, val := range v { + m[ToString(k)] = ToStringSlice(val) + } + return m, nil + case map[interface{}]string: + for k, val := range v { + m[ToString(k)] = ToStringSlice(val) + } + return m, nil + case map[interface{}][]interface{}: + for k, val := range v { + m[ToString(k)] = ToStringSlice(val) + } + return m, nil + case map[interface{}]interface{}: + for k, val := range v { + key, err := ToStringE(k) + if err != nil { + return m, fmt.Errorf("unable to cast %#v of type %T to map[string][]string", i, i) + } + value, err := ToStringSliceE(val) + if err != nil { + return m, fmt.Errorf("unable to cast %#v of type %T to map[string][]string", i, i) + } + m[key] = value + } + case string: + err := jsonStringToObject(v, &m) + return m, err + default: + return m, fmt.Errorf("unable to cast %#v of type %T to map[string][]string", i, i) + } + return m, nil +} + +// ToStringMapBoolE casts an interface to a map[string]bool type. +func ToStringMapBoolE(i interface{}) (map[string]bool, error) { + return toStringMapE(i, ToBool) +} + +// ToStringMapE casts an interface to a map[string]interface{} type. +func ToStringMapE(i interface{}) (map[string]interface{}, error) { + fn := func(i any) any { return i } + + return toStringMapE(i, fn) +} + +func toStringMapIntE[T int | int64](i any, fn func(any) T, fnE func(any) (T, error)) (map[string]T, error) { + m := map[string]T{} + + if i == nil { + return m, fmt.Errorf("unable to cast %#v of type %T to %T", i, i, m) + } + + switch v := i.(type) { + case map[string]T: + return v, nil + + case map[string]any: + for k, val := range v { + m[k] = fn(val) + } + + return m, nil + + case map[any]T: + for k, val := range v { + m[ToString(k)] = val + } + + return m, nil + + case map[any]any: + for k, val := range v { + m[ToString(k)] = fn(val) + } + + return m, nil + + case string: + err := jsonStringToObject(v, &m) + + return m, err + } + + if reflect.TypeOf(i).Kind() != reflect.Map { + return m, fmt.Errorf("unable to cast %#v of type %T to %T", i, i, m) + } + + mVal := reflect.ValueOf(m) + v := reflect.ValueOf(i) + + for _, keyVal := range v.MapKeys() { + val, err := fnE(v.MapIndex(keyVal).Interface()) + if err != nil { + return m, fmt.Errorf("unable to cast %#v of type %T to %T", i, i, m) + } + + mVal.SetMapIndex(keyVal, reflect.ValueOf(val)) + } + + return m, nil +} + +// ToStringMapIntE casts an interface to a map[string]int{} type. +func ToStringMapIntE(i any) (map[string]int, error) { + return toStringMapIntE(i, ToInt, ToIntE) +} + +// ToStringMapInt64E casts an interface to a map[string]int64{} type. +func ToStringMapInt64E(i interface{}) (map[string]int64, error) { + return toStringMapIntE(i, ToInt64, ToInt64E) +} + +// ToSliceE casts an interface to a []interface{} type. +func ToSliceE(i interface{}) ([]interface{}, error) { + var s []interface{} + + switch v := i.(type) { + case []interface{}: + return append(s, v...), nil + case []map[string]interface{}: + for _, u := range v { + s = append(s, u) + } + return s, nil + default: + return s, fmt.Errorf("unable to cast %#v of type %T to []interface{}", i, i) + } +} + +func toSliceE[T any](i any, fn func(any) (T, error)) ([]T, error) { + if i == nil { + return []T{}, fmt.Errorf("unable to cast %#v of type %T to %T", i, i, []T{}) + } + + switch v := i.(type) { + case []T: + return v, nil + } + + kind := reflect.TypeOf(i).Kind() + switch kind { + case reflect.Slice, reflect.Array: + s := reflect.ValueOf(i) + a := make([]T, s.Len()) + for j := 0; j < s.Len(); j++ { + val, err := fn(s.Index(j).Interface()) + if err != nil { + return []T{}, fmt.Errorf("unable to cast %#v of type %T to %T", i, i, []T{}) + } + a[j] = val + } + return a, nil + default: + return []T{}, fmt.Errorf("unable to cast %#v of type %T to %T", i, i, []T{}) + } +} + +// ToBoolSliceE casts an interface to a []bool type. +func ToBoolSliceE(i interface{}) ([]bool, error) { + return toSliceE(i, ToBoolE) +} + +// ToStringSliceE casts an interface to a []string type. +func ToStringSliceE(i interface{}) ([]string, error) { + var a []string + + switch v := i.(type) { + case []interface{}: + for _, u := range v { + a = append(a, ToString(u)) + } + return a, nil + case []string: + return v, nil + case []int8: + for _, u := range v { + a = append(a, ToString(u)) + } + return a, nil + case []int: + for _, u := range v { + a = append(a, ToString(u)) + } + return a, nil + case []int32: + for _, u := range v { + a = append(a, ToString(u)) + } + return a, nil + case []int64: + for _, u := range v { + a = append(a, ToString(u)) + } + return a, nil + case []uint8: + for _, u := range v { + a = append(a, ToString(u)) + } + return a, nil + case []uint: + for _, u := range v { + a = append(a, ToString(u)) + } + return a, nil + case []uint32: + for _, u := range v { + a = append(a, ToString(u)) + } + return a, nil + case []uint64: + for _, u := range v { + a = append(a, ToString(u)) + } + return a, nil + case []float32: + for _, u := range v { + a = append(a, ToString(u)) + } + return a, nil + case []float64: + for _, u := range v { + a = append(a, ToString(u)) + } + return a, nil + case string: + return strings.Fields(v), nil + case []error: + for _, err := range i.([]error) { + a = append(a, err.Error()) + } + return a, nil + case interface{}: + str, err := ToStringE(v) + if err != nil { + return a, fmt.Errorf("unable to cast %#v of type %T to []string", i, i) + } + return []string{str}, nil + default: + return a, fmt.Errorf("unable to cast %#v of type %T to []string", i, i) + } +} + +// ToIntSliceE casts an interface to a []int type. +func ToIntSliceE(i interface{}) ([]int, error) { + return toSliceE(i, ToIntE) +} + +// ToUintSliceE casts an interface to a []uint type. +func ToUintSliceE(i interface{}) ([]uint, error) { + return toSliceE(i, ToUintE) +} + +// ToFloat64SliceE casts an interface to a []float64 type. +func ToFloat64SliceE(i interface{}) ([]float64, error) { + return toSliceE(i, ToFloat64E) +} + +// ToInt64SliceE casts an interface to a []int64 type. +func ToInt64SliceE(i interface{}) ([]int64, error) { + return toSliceE(i, ToInt64E) +} + +// ToDurationSliceE casts an interface to a []time.Duration type. +func ToDurationSliceE(i interface{}) ([]time.Duration, error) { + return toSliceE(i, ToDurationE) +} + +// StringToDate attempts to parse a string into a time.Time type using a +// predefined list of formats. If no suitable format is found, an error is +// returned. +func StringToDate(s string) (time.Time, error) { + return parseDateWith(s, time.UTC, timeFormats) +} + +// StringToDateInDefaultLocation casts an empty interface to a time.Time, +// interpreting inputs without a timezone to be in the given location, +// or the local timezone if nil. +func StringToDateInDefaultLocation(s string, location *time.Location) (time.Time, error) { + return parseDateWith(s, location, timeFormats) +} + +type timeFormatType int + +const ( + timeFormatNoTimezone timeFormatType = iota + timeFormatNamedTimezone + timeFormatNumericTimezone + timeFormatNumericAndNamedTimezone + timeFormatTimeOnly +) + +type timeFormat struct { + format string + typ timeFormatType +} + +func (f timeFormat) hasTimezone() bool { + // We don't include the formats with only named timezones, see + // https://github.com/golang/go/issues/19694#issuecomment-289103522 + return f.typ >= timeFormatNumericTimezone && f.typ <= timeFormatNumericAndNamedTimezone +} + +var timeFormats = []timeFormat{ + // Keep common formats at the top. + {"2006-01-02", timeFormatNoTimezone}, + {time.RFC3339, timeFormatNumericTimezone}, + {"2006-01-02T15:04:05", timeFormatNoTimezone}, // iso8601 without timezone + {time.RFC1123Z, timeFormatNumericTimezone}, + {time.RFC1123, timeFormatNamedTimezone}, + {time.RFC822Z, timeFormatNumericTimezone}, + {time.RFC822, timeFormatNamedTimezone}, + {time.RFC850, timeFormatNamedTimezone}, + {"2006-01-02 15:04:05.999999999 -0700 MST", timeFormatNumericAndNamedTimezone}, // Time.String() + {"2006-01-02T15:04:05-0700", timeFormatNumericTimezone}, // RFC3339 without timezone hh:mm colon + {"2006-01-02 15:04:05Z0700", timeFormatNumericTimezone}, // RFC3339 without T or timezone hh:mm colon + {"2006-01-02 15:04:05", timeFormatNoTimezone}, + {time.ANSIC, timeFormatNoTimezone}, + {time.UnixDate, timeFormatNamedTimezone}, + {time.RubyDate, timeFormatNumericTimezone}, + {"2006-01-02 15:04:05Z07:00", timeFormatNumericTimezone}, + {"02 Jan 2006", timeFormatNoTimezone}, + {"2006-01-02 15:04:05 -07:00", timeFormatNumericTimezone}, + {"2006-01-02 15:04:05 -0700", timeFormatNumericTimezone}, + {time.Kitchen, timeFormatTimeOnly}, + {time.Stamp, timeFormatTimeOnly}, + {time.StampMilli, timeFormatTimeOnly}, + {time.StampMicro, timeFormatTimeOnly}, + {time.StampNano, timeFormatTimeOnly}, +} + +func parseDateWith(s string, location *time.Location, formats []timeFormat) (d time.Time, e error) { + for _, format := range formats { + if d, e = time.Parse(format.format, s); e == nil { + + // Some time formats have a zone name, but no offset, so it gets + // put in that zone name (not the default one passed in to us), but + // without that zone's offset. So set the location manually. + if format.typ <= timeFormatNamedTimezone { + if location == nil { + location = time.Local + } + year, month, day := d.Date() + hour, min, sec := d.Clock() + d = time.Date(year, month, day, hour, min, sec, d.Nanosecond(), location) + } + + return + } + } + return d, fmt.Errorf("unable to parse date: %s", s) +} + +// jsonStringToObject attempts to unmarshall a string as JSON into +// the object passed as pointer. +func jsonStringToObject(s string, v interface{}) error { + data := []byte(s) + return json.Unmarshal(data, v) +} + +// toInt returns the int value of v if v or v's underlying type +// is an int. +// Note that this will return false for int64 etc. types. +func toInt(v interface{}) (int, bool) { + switch v := v.(type) { + case int: + return v, true + case time.Weekday: + return int(v), true + case time.Month: + return int(v), true + default: + return 0, false + } +} + +func trimZeroDecimal(s string) string { + var foundZero bool + for i := len(s); i > 0; i-- { + switch s[i-1] { + case '.': + if foundZero { + return s[:i-1] + } + case '0': + foundZero = true + default: + return s + } + } + return s +} diff --git a/vendor/github.com/spf13/cast/timeformattype_string.go b/vendor/github.com/spf13/cast/timeformattype_string.go new file mode 100644 index 0000000000..1524fc82ce --- /dev/null +++ b/vendor/github.com/spf13/cast/timeformattype_string.go @@ -0,0 +1,27 @@ +// Code generated by "stringer -type timeFormatType"; DO NOT EDIT. + +package cast + +import "strconv" + +func _() { + // An "invalid array index" compiler error signifies that the constant values have changed. + // Re-run the stringer command to generate them again. + var x [1]struct{} + _ = x[timeFormatNoTimezone-0] + _ = x[timeFormatNamedTimezone-1] + _ = x[timeFormatNumericTimezone-2] + _ = x[timeFormatNumericAndNamedTimezone-3] + _ = x[timeFormatTimeOnly-4] +} + +const _timeFormatType_name = "timeFormatNoTimezonetimeFormatNamedTimezonetimeFormatNumericTimezonetimeFormatNumericAndNamedTimezonetimeFormatTimeOnly" + +var _timeFormatType_index = [...]uint8{0, 20, 43, 68, 101, 119} + +func (i timeFormatType) String() string { + if i < 0 || i >= timeFormatType(len(_timeFormatType_index)-1) { + return "timeFormatType(" + strconv.FormatInt(int64(i), 10) + ")" + } + return _timeFormatType_name[_timeFormatType_index[i]:_timeFormatType_index[i+1]] +} diff --git a/vendor/github.com/spf13/pflag/README.md b/vendor/github.com/spf13/pflag/README.md index 7eacc5bdbe..388c4e5ead 100644 --- a/vendor/github.com/spf13/pflag/README.md +++ b/vendor/github.com/spf13/pflag/README.md @@ -284,6 +284,33 @@ func main() { } ``` +### Using pflag with go test +`pflag` does not parse the shorthand versions of go test's built-in flags (i.e., those starting with `-test.`). +For more context, see issues [#63](https://github.com/spf13/pflag/issues/63) and [#238](https://github.com/spf13/pflag/issues/238) for more details. + +For example, if you use pflag in your `TestMain` function and call `pflag.Parse()` after defining your custom flags, running a test like this: +```bash +go test /your/tests -run ^YourTest -v --your-test-pflags +``` +will result in the `-v` flag being ignored. This happens because of the way pflag handles flag parsing, skipping over go test's built-in shorthand flags. +To work around this, you can use the `ParseSkippedFlags` function, which ensures that go test's flags are parsed separately using the standard flag package. + +**Example**: You want to parse go test flags that are otherwise ignore by `pflag.Parse()` +```go +import ( + goflag "flag" + flag "github.com/spf13/pflag" +) + +var ip *int = flag.Int("flagname", 1234, "help message for flagname") + +func main() { + flag.CommandLine.AddGoFlagSet(goflag.CommandLine) + flag.ParseSkippedFlags(os.Args[1:], goflag.CommandLine) + flag.Parse() +} +``` + ## More info You can see the full reference documentation of the pflag package diff --git a/vendor/github.com/spf13/pflag/bool_func.go b/vendor/github.com/spf13/pflag/bool_func.go new file mode 100644 index 0000000000..83d77afa89 --- /dev/null +++ b/vendor/github.com/spf13/pflag/bool_func.go @@ -0,0 +1,40 @@ +package pflag + +// -- func Value +type boolfuncValue func(string) error + +func (f boolfuncValue) Set(s string) error { return f(s) } + +func (f boolfuncValue) Type() string { return "boolfunc" } + +func (f boolfuncValue) String() string { return "" } // same behavior as stdlib 'flag' package + +func (f boolfuncValue) IsBoolFlag() bool { return true } + +// BoolFunc defines a func flag with specified name, callback function and usage string. +// +// The callback function will be called every time "--{name}" (or any form that matches the flag) is parsed +// on the command line. +func (f *FlagSet) BoolFunc(name string, usage string, fn func(string) error) { + f.BoolFuncP(name, "", usage, fn) +} + +// BoolFuncP is like BoolFunc, but accepts a shorthand letter that can be used after a single dash. +func (f *FlagSet) BoolFuncP(name, shorthand string, usage string, fn func(string) error) { + var val Value = boolfuncValue(fn) + flag := f.VarPF(val, name, shorthand, usage) + flag.NoOptDefVal = "true" +} + +// BoolFunc defines a func flag with specified name, callback function and usage string. +// +// The callback function will be called every time "--{name}" (or any form that matches the flag) is parsed +// on the command line. +func BoolFunc(name string, usage string, fn func(string) error) { + CommandLine.BoolFuncP(name, "", usage, fn) +} + +// BoolFuncP is like BoolFunc, but accepts a shorthand letter that can be used after a single dash. +func BoolFuncP(name, shorthand string, usage string, fn func(string) error) { + CommandLine.BoolFuncP(name, shorthand, usage, fn) +} diff --git a/vendor/github.com/spf13/pflag/count.go b/vendor/github.com/spf13/pflag/count.go index a0b2679f71..d49c0143c1 100644 --- a/vendor/github.com/spf13/pflag/count.go +++ b/vendor/github.com/spf13/pflag/count.go @@ -85,7 +85,7 @@ func (f *FlagSet) CountP(name, shorthand string, usage string) *int { // Count defines a count flag with specified name, default value, and usage string. // The return value is the address of an int variable that stores the value of the flag. -// A count flag will add 1 to its value evey time it is found on the command line +// A count flag will add 1 to its value every time it is found on the command line func Count(name string, usage string) *int { return CommandLine.CountP(name, "", usage) } diff --git a/vendor/github.com/spf13/pflag/errors.go b/vendor/github.com/spf13/pflag/errors.go new file mode 100644 index 0000000000..ff11b66bef --- /dev/null +++ b/vendor/github.com/spf13/pflag/errors.go @@ -0,0 +1,149 @@ +package pflag + +import "fmt" + +// notExistErrorMessageType specifies which flavor of "flag does not exist" +// is printed by NotExistError. This allows the related errors to be grouped +// under a single NotExistError struct without making a breaking change to +// the error message text. +type notExistErrorMessageType int + +const ( + flagNotExistMessage notExistErrorMessageType = iota + flagNotDefinedMessage + flagNoSuchFlagMessage + flagUnknownFlagMessage + flagUnknownShorthandFlagMessage +) + +// NotExistError is the error returned when trying to access a flag that +// does not exist in the FlagSet. +type NotExistError struct { + name string + specifiedShorthands string + messageType notExistErrorMessageType +} + +// Error implements error. +func (e *NotExistError) Error() string { + switch e.messageType { + case flagNotExistMessage: + return fmt.Sprintf("flag %q does not exist", e.name) + + case flagNotDefinedMessage: + return fmt.Sprintf("flag accessed but not defined: %s", e.name) + + case flagNoSuchFlagMessage: + return fmt.Sprintf("no such flag -%v", e.name) + + case flagUnknownFlagMessage: + return fmt.Sprintf("unknown flag: --%s", e.name) + + case flagUnknownShorthandFlagMessage: + c := rune(e.name[0]) + return fmt.Sprintf("unknown shorthand flag: %q in -%s", c, e.specifiedShorthands) + } + + panic(fmt.Errorf("unknown flagNotExistErrorMessageType: %v", e.messageType)) +} + +// GetSpecifiedName returns the name of the flag (without dashes) as it +// appeared in the parsed arguments. +func (e *NotExistError) GetSpecifiedName() string { + return e.name +} + +// GetSpecifiedShortnames returns the group of shorthand arguments +// (without dashes) that the flag appeared within. If the flag was not in a +// shorthand group, this will return an empty string. +func (e *NotExistError) GetSpecifiedShortnames() string { + return e.specifiedShorthands +} + +// ValueRequiredError is the error returned when a flag needs an argument but +// no argument was provided. +type ValueRequiredError struct { + flag *Flag + specifiedName string + specifiedShorthands string +} + +// Error implements error. +func (e *ValueRequiredError) Error() string { + if len(e.specifiedShorthands) > 0 { + c := rune(e.specifiedName[0]) + return fmt.Sprintf("flag needs an argument: %q in -%s", c, e.specifiedShorthands) + } + + return fmt.Sprintf("flag needs an argument: --%s", e.specifiedName) +} + +// GetFlag returns the flag for which the error occurred. +func (e *ValueRequiredError) GetFlag() *Flag { + return e.flag +} + +// GetSpecifiedName returns the name of the flag (without dashes) as it +// appeared in the parsed arguments. +func (e *ValueRequiredError) GetSpecifiedName() string { + return e.specifiedName +} + +// GetSpecifiedShortnames returns the group of shorthand arguments +// (without dashes) that the flag appeared within. If the flag was not in a +// shorthand group, this will return an empty string. +func (e *ValueRequiredError) GetSpecifiedShortnames() string { + return e.specifiedShorthands +} + +// InvalidValueError is the error returned when an invalid value is used +// for a flag. +type InvalidValueError struct { + flag *Flag + value string + cause error +} + +// Error implements error. +func (e *InvalidValueError) Error() string { + flag := e.flag + var flagName string + if flag.Shorthand != "" && flag.ShorthandDeprecated == "" { + flagName = fmt.Sprintf("-%s, --%s", flag.Shorthand, flag.Name) + } else { + flagName = fmt.Sprintf("--%s", flag.Name) + } + return fmt.Sprintf("invalid argument %q for %q flag: %v", e.value, flagName, e.cause) +} + +// Unwrap implements errors.Unwrap. +func (e *InvalidValueError) Unwrap() error { + return e.cause +} + +// GetFlag returns the flag for which the error occurred. +func (e *InvalidValueError) GetFlag() *Flag { + return e.flag +} + +// GetValue returns the invalid value that was provided. +func (e *InvalidValueError) GetValue() string { + return e.value +} + +// InvalidSyntaxError is the error returned when a bad flag name is passed on +// the command line. +type InvalidSyntaxError struct { + specifiedFlag string +} + +// Error implements error. +func (e *InvalidSyntaxError) Error() string { + return fmt.Sprintf("bad flag syntax: %s", e.specifiedFlag) +} + +// GetSpecifiedName returns the exact flag (with dashes) as it +// appeared in the parsed arguments. +func (e *InvalidSyntaxError) GetSpecifiedFlag() string { + return e.specifiedFlag +} diff --git a/vendor/github.com/spf13/pflag/flag.go b/vendor/github.com/spf13/pflag/flag.go index 7c058de374..d4dfbc5ea0 100644 --- a/vendor/github.com/spf13/pflag/flag.go +++ b/vendor/github.com/spf13/pflag/flag.go @@ -27,23 +27,32 @@ unaffected. Define flags using flag.String(), Bool(), Int(), etc. This declares an integer flag, -flagname, stored in the pointer ip, with type *int. + var ip = flag.Int("flagname", 1234, "help message for flagname") + If you like, you can bind the flag to a variable using the Var() functions. + var flagvar int func init() { flag.IntVar(&flagvar, "flagname", 1234, "help message for flagname") } + Or you can create custom flags that satisfy the Value interface (with pointer receivers) and couple them to flag parsing by + flag.Var(&flagVal, "name", "help message for flagname") + For such flags, the default value is just the initial value of the variable. After all flags are defined, call + flag.Parse() + to parse the command line into the defined flags. Flags may then be used directly. If you're using the flags themselves, they are all pointers; if you bind to variables, they're values. + fmt.Println("ip has value ", *ip) fmt.Println("flagvar has value ", flagvar) @@ -54,22 +63,26 @@ The arguments are indexed from 0 through flag.NArg()-1. The pflag package also defines some new functions that are not in flag, that give one-letter shorthands for flags. You can use these by appending 'P' to the name of any function that defines a flag. + var ip = flag.IntP("flagname", "f", 1234, "help message") var flagvar bool func init() { flag.BoolVarP(&flagvar, "boolname", "b", true, "help message") } flag.VarP(&flagval, "varname", "v", "help message") + Shorthand letters can be used with single dashes on the command line. Boolean shorthand flags can be combined with other shorthand flags. Command line flag syntax: + --flag // boolean flags only --flag=x Unlike the flag package, a single dash before an option means something different than a double dash. Single dashes signify a series of shorthand letters for flags. All but the last shorthand letter must be boolean flags. + // boolean flags -f -abc @@ -381,7 +394,7 @@ func (f *FlagSet) lookup(name NormalizedName) *Flag { func (f *FlagSet) getFlagType(name string, ftype string, convFunc func(sval string) (interface{}, error)) (interface{}, error) { flag := f.Lookup(name) if flag == nil { - err := fmt.Errorf("flag accessed but not defined: %s", name) + err := &NotExistError{name: name, messageType: flagNotDefinedMessage} return nil, err } @@ -411,7 +424,7 @@ func (f *FlagSet) ArgsLenAtDash() int { func (f *FlagSet) MarkDeprecated(name string, usageMessage string) error { flag := f.Lookup(name) if flag == nil { - return fmt.Errorf("flag %q does not exist", name) + return &NotExistError{name: name, messageType: flagNotExistMessage} } if usageMessage == "" { return fmt.Errorf("deprecated message for flag %q must be set", name) @@ -427,7 +440,7 @@ func (f *FlagSet) MarkDeprecated(name string, usageMessage string) error { func (f *FlagSet) MarkShorthandDeprecated(name string, usageMessage string) error { flag := f.Lookup(name) if flag == nil { - return fmt.Errorf("flag %q does not exist", name) + return &NotExistError{name: name, messageType: flagNotExistMessage} } if usageMessage == "" { return fmt.Errorf("deprecated message for flag %q must be set", name) @@ -441,7 +454,7 @@ func (f *FlagSet) MarkShorthandDeprecated(name string, usageMessage string) erro func (f *FlagSet) MarkHidden(name string) error { flag := f.Lookup(name) if flag == nil { - return fmt.Errorf("flag %q does not exist", name) + return &NotExistError{name: name, messageType: flagNotExistMessage} } flag.Hidden = true return nil @@ -464,18 +477,16 @@ func (f *FlagSet) Set(name, value string) error { normalName := f.normalizeFlagName(name) flag, ok := f.formal[normalName] if !ok { - return fmt.Errorf("no such flag -%v", name) + return &NotExistError{name: name, messageType: flagNoSuchFlagMessage} } err := flag.Value.Set(value) if err != nil { - var flagName string - if flag.Shorthand != "" && flag.ShorthandDeprecated == "" { - flagName = fmt.Sprintf("-%s, --%s", flag.Shorthand, flag.Name) - } else { - flagName = fmt.Sprintf("--%s", flag.Name) + return &InvalidValueError{ + flag: flag, + value: value, + cause: err, } - return fmt.Errorf("invalid argument %q for %q flag: %v", value, flagName, err) } if !flag.Changed { @@ -501,7 +512,7 @@ func (f *FlagSet) SetAnnotation(name, key string, values []string) error { normalName := f.normalizeFlagName(name) flag, ok := f.formal[normalName] if !ok { - return fmt.Errorf("no such flag -%v", name) + return &NotExistError{name: name, messageType: flagNoSuchFlagMessage} } if flag.Annotations == nil { flag.Annotations = map[string][]string{} @@ -538,7 +549,7 @@ func (f *FlagSet) PrintDefaults() { func (f *Flag) defaultIsZeroValue() bool { switch f.Value.(type) { case boolFlag: - return f.DefValue == "false" + return f.DefValue == "false" || f.DefValue == "" case *durationValue: // Beginning in Go 1.7, duration zero values are "0s" return f.DefValue == "0" || f.DefValue == "0s" @@ -551,7 +562,7 @@ func (f *Flag) defaultIsZeroValue() bool { case *intSliceValue, *stringSliceValue, *stringArrayValue: return f.DefValue == "[]" default: - switch f.Value.String() { + switch f.DefValue { case "false": return true case "": @@ -588,8 +599,10 @@ func UnquoteUsage(flag *Flag) (name string, usage string) { name = flag.Value.Type() switch name { - case "bool": + case "bool", "boolfunc": name = "" + case "func": + name = "value" case "float64": name = "float" case "int64": @@ -707,7 +720,7 @@ func (f *FlagSet) FlagUsagesWrapped(cols int) string { switch flag.Value.Type() { case "string": line += fmt.Sprintf("[=\"%s\"]", flag.NoOptDefVal) - case "bool": + case "bool", "boolfunc": if flag.NoOptDefVal != "true" { line += fmt.Sprintf("[=%s]", flag.NoOptDefVal) } @@ -911,10 +924,9 @@ func VarP(value Value, name, shorthand, usage string) { CommandLine.VarP(value, name, shorthand, usage) } -// failf prints to standard error a formatted error and usage message and +// fail prints an error message and usage message to standard error and // returns the error. -func (f *FlagSet) failf(format string, a ...interface{}) error { - err := fmt.Errorf(format, a...) +func (f *FlagSet) fail(err error) error { if f.errorHandling != ContinueOnError { fmt.Fprintln(f.Output(), err) f.usage() @@ -934,9 +946,9 @@ func (f *FlagSet) usage() { } } -//--unknown (args will be empty) -//--unknown --next-flag ... (args will be --next-flag ...) -//--unknown arg ... (args will be arg ...) +// --unknown (args will be empty) +// --unknown --next-flag ... (args will be --next-flag ...) +// --unknown arg ... (args will be arg ...) func stripUnknownFlagValue(args []string) []string { if len(args) == 0 { //--unknown @@ -960,7 +972,7 @@ func (f *FlagSet) parseLongArg(s string, args []string, fn parseFunc) (a []strin a = args name := s[2:] if len(name) == 0 || name[0] == '-' || name[0] == '=' { - err = f.failf("bad flag syntax: %s", s) + err = f.fail(&InvalidSyntaxError{specifiedFlag: s}) return } @@ -982,7 +994,7 @@ func (f *FlagSet) parseLongArg(s string, args []string, fn parseFunc) (a []strin return stripUnknownFlagValue(a), nil default: - err = f.failf("unknown flag: --%s", name) + err = f.fail(&NotExistError{name: name, messageType: flagUnknownFlagMessage}) return } } @@ -1000,13 +1012,16 @@ func (f *FlagSet) parseLongArg(s string, args []string, fn parseFunc) (a []strin a = a[1:] } else { // '--flag' (arg was required) - err = f.failf("flag needs an argument: %s", s) + err = f.fail(&ValueRequiredError{ + flag: flag, + specifiedName: name, + }) return } err = fn(flag, value) if err != nil { - f.failf(err.Error()) + f.fail(err) } return } @@ -1014,7 +1029,7 @@ func (f *FlagSet) parseLongArg(s string, args []string, fn parseFunc) (a []strin func (f *FlagSet) parseSingleShortArg(shorthands string, args []string, fn parseFunc) (outShorts string, outArgs []string, err error) { outArgs = args - if strings.HasPrefix(shorthands, "test.") { + if isGotestShorthandFlag(shorthands) { return } @@ -1039,7 +1054,11 @@ func (f *FlagSet) parseSingleShortArg(shorthands string, args []string, fn parse outArgs = stripUnknownFlagValue(outArgs) return default: - err = f.failf("unknown shorthand flag: %q in -%s", c, shorthands) + err = f.fail(&NotExistError{ + name: string(c), + specifiedShorthands: shorthands, + messageType: flagUnknownShorthandFlagMessage, + }) return } } @@ -1062,7 +1081,11 @@ func (f *FlagSet) parseSingleShortArg(shorthands string, args []string, fn parse outArgs = args[1:] } else { // '-f' (arg was required) - err = f.failf("flag needs an argument: %q in -%s", c, shorthands) + err = f.fail(&ValueRequiredError{ + flag: flag, + specifiedName: string(c), + specifiedShorthands: shorthands, + }) return } @@ -1072,7 +1095,7 @@ func (f *FlagSet) parseSingleShortArg(shorthands string, args []string, fn parse err = fn(flag, value) if err != nil { - f.failf(err.Error()) + f.fail(err) } return } @@ -1135,7 +1158,7 @@ func (f *FlagSet) Parse(arguments []string) error { } f.parsed = true - if len(arguments) < 0 { + if len(arguments) == 0 { return nil } diff --git a/vendor/github.com/spf13/pflag/func.go b/vendor/github.com/spf13/pflag/func.go new file mode 100644 index 0000000000..9f4d88f271 --- /dev/null +++ b/vendor/github.com/spf13/pflag/func.go @@ -0,0 +1,37 @@ +package pflag + +// -- func Value +type funcValue func(string) error + +func (f funcValue) Set(s string) error { return f(s) } + +func (f funcValue) Type() string { return "func" } + +func (f funcValue) String() string { return "" } // same behavior as stdlib 'flag' package + +// Func defines a func flag with specified name, callback function and usage string. +// +// The callback function will be called every time "--{name}={value}" (or equivalent) is +// parsed on the command line, with "{value}" as an argument. +func (f *FlagSet) Func(name string, usage string, fn func(string) error) { + f.FuncP(name, "", usage, fn) +} + +// FuncP is like Func, but accepts a shorthand letter that can be used after a single dash. +func (f *FlagSet) FuncP(name string, shorthand string, usage string, fn func(string) error) { + var val Value = funcValue(fn) + f.VarP(val, name, shorthand, usage) +} + +// Func defines a func flag with specified name, callback function and usage string. +// +// The callback function will be called every time "--{name}={value}" (or equivalent) is +// parsed on the command line, with "{value}" as an argument. +func Func(name string, usage string, fn func(string) error) { + CommandLine.FuncP(name, "", usage, fn) +} + +// FuncP is like Func, but accepts a shorthand letter that can be used after a single dash. +func FuncP(name, shorthand string, usage string, fn func(string) error) { + CommandLine.FuncP(name, shorthand, usage, fn) +} diff --git a/vendor/github.com/spf13/pflag/golangflag.go b/vendor/github.com/spf13/pflag/golangflag.go index d3dd72b7fe..f563907e28 100644 --- a/vendor/github.com/spf13/pflag/golangflag.go +++ b/vendor/github.com/spf13/pflag/golangflag.go @@ -10,6 +10,15 @@ import ( "strings" ) +// go test flags prefixes +func isGotestFlag(flag string) bool { + return strings.HasPrefix(flag, "-test.") +} + +func isGotestShorthandFlag(flag string) bool { + return strings.HasPrefix(flag, "test.") +} + // flagValueWrapper implements pflag.Value around a flag.Value. The main // difference here is the addition of the Type method that returns a string // name of the type. As this is generally unknown, we approximate that with @@ -103,3 +112,16 @@ func (f *FlagSet) AddGoFlagSet(newSet *goflag.FlagSet) { } f.addedGoFlagSets = append(f.addedGoFlagSets, newSet) } + +// ParseSkippedFlags explicitly Parses go test flags (i.e. the one starting with '-test.') with goflag.Parse(), +// since by default those are skipped by pflag.Parse(). +// Typical usage example: `ParseGoTestFlags(os.Args[1:], goflag.CommandLine)` +func ParseSkippedFlags(osArgs []string, goFlagSet *goflag.FlagSet) error { + var skippedFlags []string + for _, f := range osArgs { + if isGotestFlag(f) { + skippedFlags = append(skippedFlags, f) + } + } + return goFlagSet.Parse(skippedFlags) +} diff --git a/vendor/github.com/spf13/pflag/ipnet_slice.go b/vendor/github.com/spf13/pflag/ipnet_slice.go index 6b541aa879..c6e89da18d 100644 --- a/vendor/github.com/spf13/pflag/ipnet_slice.go +++ b/vendor/github.com/spf13/pflag/ipnet_slice.go @@ -73,7 +73,7 @@ func (s *ipNetSliceValue) String() string { func ipNetSliceConv(val string) (interface{}, error) { val = strings.Trim(val, "[]") - // Emtpy string would cause a slice with one (empty) entry + // Empty string would cause a slice with one (empty) entry if len(val) == 0 { return []net.IPNet{}, nil } diff --git a/vendor/github.com/spf13/pflag/text.go b/vendor/github.com/spf13/pflag/text.go new file mode 100644 index 0000000000..886d5a3d80 --- /dev/null +++ b/vendor/github.com/spf13/pflag/text.go @@ -0,0 +1,81 @@ +package pflag + +import ( + "encoding" + "fmt" + "reflect" +) + +// following is copied from go 1.23.4 flag.go +type textValue struct{ p encoding.TextUnmarshaler } + +func newTextValue(val encoding.TextMarshaler, p encoding.TextUnmarshaler) textValue { + ptrVal := reflect.ValueOf(p) + if ptrVal.Kind() != reflect.Ptr { + panic("variable value type must be a pointer") + } + defVal := reflect.ValueOf(val) + if defVal.Kind() == reflect.Ptr { + defVal = defVal.Elem() + } + if defVal.Type() != ptrVal.Type().Elem() { + panic(fmt.Sprintf("default type does not match variable type: %v != %v", defVal.Type(), ptrVal.Type().Elem())) + } + ptrVal.Elem().Set(defVal) + return textValue{p} +} + +func (v textValue) Set(s string) error { + return v.p.UnmarshalText([]byte(s)) +} + +func (v textValue) Get() interface{} { + return v.p +} + +func (v textValue) String() string { + if m, ok := v.p.(encoding.TextMarshaler); ok { + if b, err := m.MarshalText(); err == nil { + return string(b) + } + } + return "" +} + +//end of copy + +func (v textValue) Type() string { + return reflect.ValueOf(v.p).Type().Name() +} + +// GetText set out, which implements encoding.UnmarshalText, to the value of a flag with given name +func (f *FlagSet) GetText(name string, out encoding.TextUnmarshaler) error { + flag := f.Lookup(name) + if flag == nil { + return fmt.Errorf("flag accessed but not defined: %s", name) + } + if flag.Value.Type() != reflect.TypeOf(out).Name() { + return fmt.Errorf("trying to get %s value of flag of type %s", reflect.TypeOf(out).Name(), flag.Value.Type()) + } + return out.UnmarshalText([]byte(flag.Value.String())) +} + +// TextVar defines a flag with a specified name, default value, and usage string. The argument p must be a pointer to a variable that will hold the value of the flag, and p must implement encoding.TextUnmarshaler. If the flag is used, the flag value will be passed to p's UnmarshalText method. The type of the default value must be the same as the type of p. +func (f *FlagSet) TextVar(p encoding.TextUnmarshaler, name string, value encoding.TextMarshaler, usage string) { + f.VarP(newTextValue(value, p), name, "", usage) +} + +// TextVarP is like TextVar, but accepts a shorthand letter that can be used after a single dash. +func (f *FlagSet) TextVarP(p encoding.TextUnmarshaler, name, shorthand string, value encoding.TextMarshaler, usage string) { + f.VarP(newTextValue(value, p), name, shorthand, usage) +} + +// TextVar defines a flag with a specified name, default value, and usage string. The argument p must be a pointer to a variable that will hold the value of the flag, and p must implement encoding.TextUnmarshaler. If the flag is used, the flag value will be passed to p's UnmarshalText method. The type of the default value must be the same as the type of p. +func TextVar(p encoding.TextUnmarshaler, name string, value encoding.TextMarshaler, usage string) { + CommandLine.VarP(newTextValue(value, p), name, "", usage) +} + +// TextVarP is like TextVar, but accepts a shorthand letter that can be used after a single dash. +func TextVarP(p encoding.TextUnmarshaler, name, shorthand string, value encoding.TextMarshaler, usage string) { + CommandLine.VarP(newTextValue(value, p), name, shorthand, usage) +} diff --git a/vendor/github.com/spf13/pflag/time.go b/vendor/github.com/spf13/pflag/time.go new file mode 100644 index 0000000000..dc024807e0 --- /dev/null +++ b/vendor/github.com/spf13/pflag/time.go @@ -0,0 +1,118 @@ +package pflag + +import ( + "fmt" + "strings" + "time" +) + +// TimeValue adapts time.Time for use as a flag. +type timeValue struct { + *time.Time + formats []string +} + +func newTimeValue(val time.Time, p *time.Time, formats []string) *timeValue { + *p = val + return &timeValue{ + Time: p, + formats: formats, + } +} + +// Set time.Time value from string based on accepted formats. +func (d *timeValue) Set(s string) error { + s = strings.TrimSpace(s) + for _, f := range d.formats { + v, err := time.Parse(f, s) + if err != nil { + continue + } + *d.Time = v + return nil + } + + formatsString := "" + for i, f := range d.formats { + if i > 0 { + formatsString += ", " + } + formatsString += fmt.Sprintf("`%s`", f) + } + + return fmt.Errorf("invalid time format `%s` must be one of: %s", s, formatsString) +} + +// Type name for time.Time flags. +func (d *timeValue) Type() string { + return "time" +} + +func (d *timeValue) String() string { return d.Time.Format(time.RFC3339Nano) } + +// GetTime return the time value of a flag with the given name +func (f *FlagSet) GetTime(name string) (time.Time, error) { + flag := f.Lookup(name) + if flag == nil { + err := fmt.Errorf("flag accessed but not defined: %s", name) + return time.Time{}, err + } + + if flag.Value.Type() != "time" { + err := fmt.Errorf("trying to get %s value of flag of type %s", "time", flag.Value.Type()) + return time.Time{}, err + } + + val, ok := flag.Value.(*timeValue) + if !ok { + return time.Time{}, fmt.Errorf("value %s is not a time", flag.Value) + } + + return *val.Time, nil +} + +// TimeVar defines a time.Time flag with specified name, default value, and usage string. +// The argument p points to a time.Time variable in which to store the value of the flag. +func (f *FlagSet) TimeVar(p *time.Time, name string, value time.Time, formats []string, usage string) { + f.TimeVarP(p, name, "", value, formats, usage) +} + +// TimeVarP is like TimeVar, but accepts a shorthand letter that can be used after a single dash. +func (f *FlagSet) TimeVarP(p *time.Time, name, shorthand string, value time.Time, formats []string, usage string) { + f.VarP(newTimeValue(value, p, formats), name, shorthand, usage) +} + +// TimeVar defines a time.Time flag with specified name, default value, and usage string. +// The argument p points to a time.Time variable in which to store the value of the flag. +func TimeVar(p *time.Time, name string, value time.Time, formats []string, usage string) { + CommandLine.TimeVarP(p, name, "", value, formats, usage) +} + +// TimeVarP is like TimeVar, but accepts a shorthand letter that can be used after a single dash. +func TimeVarP(p *time.Time, name, shorthand string, value time.Time, formats []string, usage string) { + CommandLine.VarP(newTimeValue(value, p, formats), name, shorthand, usage) +} + +// Time defines a time.Time flag with specified name, default value, and usage string. +// The return value is the address of a time.Time variable that stores the value of the flag. +func (f *FlagSet) Time(name string, value time.Time, formats []string, usage string) *time.Time { + return f.TimeP(name, "", value, formats, usage) +} + +// TimeP is like Time, but accepts a shorthand letter that can be used after a single dash. +func (f *FlagSet) TimeP(name, shorthand string, value time.Time, formats []string, usage string) *time.Time { + p := new(time.Time) + f.TimeVarP(p, name, shorthand, value, formats, usage) + return p +} + +// Time defines a time.Time flag with specified name, default value, and usage string. +// The return value is the address of a time.Time variable that stores the value of the flag. +func Time(name string, value time.Time, formats []string, usage string) *time.Time { + return CommandLine.TimeP(name, "", value, formats, usage) +} + +// TimeP is like Time, but accepts a shorthand letter that can be used after a single dash. +func TimeP(name, shorthand string, value time.Time, formats []string, usage string) *time.Time { + return CommandLine.TimeP(name, shorthand, value, formats, usage) +} diff --git a/vendor/github.com/stretchr/testify/require/doc.go b/vendor/github.com/stretchr/testify/require/doc.go new file mode 100644 index 0000000000..c8e3f94a80 --- /dev/null +++ b/vendor/github.com/stretchr/testify/require/doc.go @@ -0,0 +1,31 @@ +// Package require implements the same assertions as the `assert` package but +// stops test execution when a test fails. +// +// # Example Usage +// +// The following is a complete example using require in a standard test function: +// +// import ( +// "testing" +// "github.com/stretchr/testify/require" +// ) +// +// func TestSomething(t *testing.T) { +// +// var a string = "Hello" +// var b string = "Hello" +// +// require.Equal(t, a, b, "The two words should be the same.") +// +// } +// +// # Assertions +// +// The `require` package have same global functions as in the `assert` package, +// but instead of returning a boolean result they call `t.FailNow()`. +// A consequence of this is that it must be called from the goroutine running +// the test function, not from other goroutines created during the test. +// +// Every assertion function also takes an optional string message as the final argument, +// allowing custom error messages to be appended to the message the assertion method outputs. +package require diff --git a/vendor/github.com/stretchr/testify/require/forward_requirements.go b/vendor/github.com/stretchr/testify/require/forward_requirements.go new file mode 100644 index 0000000000..1dcb2338c4 --- /dev/null +++ b/vendor/github.com/stretchr/testify/require/forward_requirements.go @@ -0,0 +1,16 @@ +package require + +// Assertions provides assertion methods around the +// TestingT interface. +type Assertions struct { + t TestingT +} + +// New makes a new Assertions object for the specified TestingT. +func New(t TestingT) *Assertions { + return &Assertions{ + t: t, + } +} + +//go:generate sh -c "cd ../_codegen && go build && cd - && ../_codegen/_codegen -output-package=require -template=require_forward.go.tmpl -include-format-funcs" diff --git a/vendor/github.com/stretchr/testify/require/require.go b/vendor/github.com/stretchr/testify/require/require.go new file mode 100644 index 0000000000..2d02f9bcef --- /dev/null +++ b/vendor/github.com/stretchr/testify/require/require.go @@ -0,0 +1,2180 @@ +// Code generated with github.com/stretchr/testify/_codegen; DO NOT EDIT. + +package require + +import ( + assert "github.com/stretchr/testify/assert" + http "net/http" + url "net/url" + time "time" +) + +// Condition uses a Comparison to assert a complex condition. +func Condition(t TestingT, comp assert.Comparison, msgAndArgs ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.Condition(t, comp, msgAndArgs...) { + return + } + t.FailNow() +} + +// Conditionf uses a Comparison to assert a complex condition. +func Conditionf(t TestingT, comp assert.Comparison, msg string, args ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.Conditionf(t, comp, msg, args...) { + return + } + t.FailNow() +} + +// Contains asserts that the specified string, list(array, slice...) or map contains the +// specified substring or element. +// +// require.Contains(t, "Hello World", "World") +// require.Contains(t, ["Hello", "World"], "World") +// require.Contains(t, {"Hello": "World"}, "Hello") +func Contains(t TestingT, s interface{}, contains interface{}, msgAndArgs ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.Contains(t, s, contains, msgAndArgs...) { + return + } + t.FailNow() +} + +// Containsf asserts that the specified string, list(array, slice...) or map contains the +// specified substring or element. +// +// require.Containsf(t, "Hello World", "World", "error message %s", "formatted") +// require.Containsf(t, ["Hello", "World"], "World", "error message %s", "formatted") +// require.Containsf(t, {"Hello": "World"}, "Hello", "error message %s", "formatted") +func Containsf(t TestingT, s interface{}, contains interface{}, msg string, args ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.Containsf(t, s, contains, msg, args...) { + return + } + t.FailNow() +} + +// DirExists checks whether a directory exists in the given path. It also fails +// if the path is a file rather a directory or there is an error checking whether it exists. +func DirExists(t TestingT, path string, msgAndArgs ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.DirExists(t, path, msgAndArgs...) { + return + } + t.FailNow() +} + +// DirExistsf checks whether a directory exists in the given path. It also fails +// if the path is a file rather a directory or there is an error checking whether it exists. +func DirExistsf(t TestingT, path string, msg string, args ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.DirExistsf(t, path, msg, args...) { + return + } + t.FailNow() +} + +// ElementsMatch asserts that the specified listA(array, slice...) is equal to specified +// listB(array, slice...) ignoring the order of the elements. If there are duplicate elements, +// the number of appearances of each of them in both lists should match. +// +// require.ElementsMatch(t, [1, 3, 2, 3], [1, 3, 3, 2]) +func ElementsMatch(t TestingT, listA interface{}, listB interface{}, msgAndArgs ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.ElementsMatch(t, listA, listB, msgAndArgs...) { + return + } + t.FailNow() +} + +// ElementsMatchf asserts that the specified listA(array, slice...) is equal to specified +// listB(array, slice...) ignoring the order of the elements. If there are duplicate elements, +// the number of appearances of each of them in both lists should match. +// +// require.ElementsMatchf(t, [1, 3, 2, 3], [1, 3, 3, 2], "error message %s", "formatted") +func ElementsMatchf(t TestingT, listA interface{}, listB interface{}, msg string, args ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.ElementsMatchf(t, listA, listB, msg, args...) { + return + } + t.FailNow() +} + +// Empty asserts that the given value is "empty". +// +// [Zero values] are "empty". +// +// Arrays are "empty" if every element is the zero value of the type (stricter than "empty"). +// +// Slices, maps and channels with zero length are "empty". +// +// Pointer values are "empty" if the pointer is nil or if the pointed value is "empty". +// +// require.Empty(t, obj) +// +// [Zero values]: https://go.dev/ref/spec#The_zero_value +func Empty(t TestingT, object interface{}, msgAndArgs ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.Empty(t, object, msgAndArgs...) { + return + } + t.FailNow() +} + +// Emptyf asserts that the given value is "empty". +// +// [Zero values] are "empty". +// +// Arrays are "empty" if every element is the zero value of the type (stricter than "empty"). +// +// Slices, maps and channels with zero length are "empty". +// +// Pointer values are "empty" if the pointer is nil or if the pointed value is "empty". +// +// require.Emptyf(t, obj, "error message %s", "formatted") +// +// [Zero values]: https://go.dev/ref/spec#The_zero_value +func Emptyf(t TestingT, object interface{}, msg string, args ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.Emptyf(t, object, msg, args...) { + return + } + t.FailNow() +} + +// Equal asserts that two objects are equal. +// +// require.Equal(t, 123, 123) +// +// Pointer variable equality is determined based on the equality of the +// referenced values (as opposed to the memory addresses). Function equality +// cannot be determined and will always fail. +func Equal(t TestingT, expected interface{}, actual interface{}, msgAndArgs ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.Equal(t, expected, actual, msgAndArgs...) { + return + } + t.FailNow() +} + +// EqualError asserts that a function returned an error (i.e. not `nil`) +// and that it is equal to the provided error. +// +// actualObj, err := SomeFunction() +// require.EqualError(t, err, expectedErrorString) +func EqualError(t TestingT, theError error, errString string, msgAndArgs ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.EqualError(t, theError, errString, msgAndArgs...) { + return + } + t.FailNow() +} + +// EqualErrorf asserts that a function returned an error (i.e. not `nil`) +// and that it is equal to the provided error. +// +// actualObj, err := SomeFunction() +// require.EqualErrorf(t, err, expectedErrorString, "error message %s", "formatted") +func EqualErrorf(t TestingT, theError error, errString string, msg string, args ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.EqualErrorf(t, theError, errString, msg, args...) { + return + } + t.FailNow() +} + +// EqualExportedValues asserts that the types of two objects are equal and their public +// fields are also equal. This is useful for comparing structs that have private fields +// that could potentially differ. +// +// type S struct { +// Exported int +// notExported int +// } +// require.EqualExportedValues(t, S{1, 2}, S{1, 3}) => true +// require.EqualExportedValues(t, S{1, 2}, S{2, 3}) => false +func EqualExportedValues(t TestingT, expected interface{}, actual interface{}, msgAndArgs ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.EqualExportedValues(t, expected, actual, msgAndArgs...) { + return + } + t.FailNow() +} + +// EqualExportedValuesf asserts that the types of two objects are equal and their public +// fields are also equal. This is useful for comparing structs that have private fields +// that could potentially differ. +// +// type S struct { +// Exported int +// notExported int +// } +// require.EqualExportedValuesf(t, S{1, 2}, S{1, 3}, "error message %s", "formatted") => true +// require.EqualExportedValuesf(t, S{1, 2}, S{2, 3}, "error message %s", "formatted") => false +func EqualExportedValuesf(t TestingT, expected interface{}, actual interface{}, msg string, args ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.EqualExportedValuesf(t, expected, actual, msg, args...) { + return + } + t.FailNow() +} + +// EqualValues asserts that two objects are equal or convertible to the larger +// type and equal. +// +// require.EqualValues(t, uint32(123), int32(123)) +func EqualValues(t TestingT, expected interface{}, actual interface{}, msgAndArgs ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.EqualValues(t, expected, actual, msgAndArgs...) { + return + } + t.FailNow() +} + +// EqualValuesf asserts that two objects are equal or convertible to the larger +// type and equal. +// +// require.EqualValuesf(t, uint32(123), int32(123), "error message %s", "formatted") +func EqualValuesf(t TestingT, expected interface{}, actual interface{}, msg string, args ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.EqualValuesf(t, expected, actual, msg, args...) { + return + } + t.FailNow() +} + +// Equalf asserts that two objects are equal. +// +// require.Equalf(t, 123, 123, "error message %s", "formatted") +// +// Pointer variable equality is determined based on the equality of the +// referenced values (as opposed to the memory addresses). Function equality +// cannot be determined and will always fail. +func Equalf(t TestingT, expected interface{}, actual interface{}, msg string, args ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.Equalf(t, expected, actual, msg, args...) { + return + } + t.FailNow() +} + +// Error asserts that a function returned an error (i.e. not `nil`). +// +// actualObj, err := SomeFunction() +// require.Error(t, err) +func Error(t TestingT, err error, msgAndArgs ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.Error(t, err, msgAndArgs...) { + return + } + t.FailNow() +} + +// ErrorAs asserts that at least one of the errors in err's chain matches target, and if so, sets target to that error value. +// This is a wrapper for errors.As. +func ErrorAs(t TestingT, err error, target interface{}, msgAndArgs ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.ErrorAs(t, err, target, msgAndArgs...) { + return + } + t.FailNow() +} + +// ErrorAsf asserts that at least one of the errors in err's chain matches target, and if so, sets target to that error value. +// This is a wrapper for errors.As. +func ErrorAsf(t TestingT, err error, target interface{}, msg string, args ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.ErrorAsf(t, err, target, msg, args...) { + return + } + t.FailNow() +} + +// ErrorContains asserts that a function returned an error (i.e. not `nil`) +// and that the error contains the specified substring. +// +// actualObj, err := SomeFunction() +// require.ErrorContains(t, err, expectedErrorSubString) +func ErrorContains(t TestingT, theError error, contains string, msgAndArgs ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.ErrorContains(t, theError, contains, msgAndArgs...) { + return + } + t.FailNow() +} + +// ErrorContainsf asserts that a function returned an error (i.e. not `nil`) +// and that the error contains the specified substring. +// +// actualObj, err := SomeFunction() +// require.ErrorContainsf(t, err, expectedErrorSubString, "error message %s", "formatted") +func ErrorContainsf(t TestingT, theError error, contains string, msg string, args ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.ErrorContainsf(t, theError, contains, msg, args...) { + return + } + t.FailNow() +} + +// ErrorIs asserts that at least one of the errors in err's chain matches target. +// This is a wrapper for errors.Is. +func ErrorIs(t TestingT, err error, target error, msgAndArgs ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.ErrorIs(t, err, target, msgAndArgs...) { + return + } + t.FailNow() +} + +// ErrorIsf asserts that at least one of the errors in err's chain matches target. +// This is a wrapper for errors.Is. +func ErrorIsf(t TestingT, err error, target error, msg string, args ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.ErrorIsf(t, err, target, msg, args...) { + return + } + t.FailNow() +} + +// Errorf asserts that a function returned an error (i.e. not `nil`). +// +// actualObj, err := SomeFunction() +// require.Errorf(t, err, "error message %s", "formatted") +func Errorf(t TestingT, err error, msg string, args ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.Errorf(t, err, msg, args...) { + return + } + t.FailNow() +} + +// Eventually asserts that given condition will be met in waitFor time, +// periodically checking target function each tick. +// +// require.Eventually(t, func() bool { return true; }, time.Second, 10*time.Millisecond) +func Eventually(t TestingT, condition func() bool, waitFor time.Duration, tick time.Duration, msgAndArgs ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.Eventually(t, condition, waitFor, tick, msgAndArgs...) { + return + } + t.FailNow() +} + +// EventuallyWithT asserts that given condition will be met in waitFor time, +// periodically checking target function each tick. In contrast to Eventually, +// it supplies a CollectT to the condition function, so that the condition +// function can use the CollectT to call other assertions. +// The condition is considered "met" if no errors are raised in a tick. +// The supplied CollectT collects all errors from one tick (if there are any). +// If the condition is not met before waitFor, the collected errors of +// the last tick are copied to t. +// +// externalValue := false +// go func() { +// time.Sleep(8*time.Second) +// externalValue = true +// }() +// require.EventuallyWithT(t, func(c *require.CollectT) { +// // add assertions as needed; any assertion failure will fail the current tick +// require.True(c, externalValue, "expected 'externalValue' to be true") +// }, 10*time.Second, 1*time.Second, "external state has not changed to 'true'; still false") +func EventuallyWithT(t TestingT, condition func(collect *assert.CollectT), waitFor time.Duration, tick time.Duration, msgAndArgs ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.EventuallyWithT(t, condition, waitFor, tick, msgAndArgs...) { + return + } + t.FailNow() +} + +// EventuallyWithTf asserts that given condition will be met in waitFor time, +// periodically checking target function each tick. In contrast to Eventually, +// it supplies a CollectT to the condition function, so that the condition +// function can use the CollectT to call other assertions. +// The condition is considered "met" if no errors are raised in a tick. +// The supplied CollectT collects all errors from one tick (if there are any). +// If the condition is not met before waitFor, the collected errors of +// the last tick are copied to t. +// +// externalValue := false +// go func() { +// time.Sleep(8*time.Second) +// externalValue = true +// }() +// require.EventuallyWithTf(t, func(c *require.CollectT, "error message %s", "formatted") { +// // add assertions as needed; any assertion failure will fail the current tick +// require.True(c, externalValue, "expected 'externalValue' to be true") +// }, 10*time.Second, 1*time.Second, "external state has not changed to 'true'; still false") +func EventuallyWithTf(t TestingT, condition func(collect *assert.CollectT), waitFor time.Duration, tick time.Duration, msg string, args ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.EventuallyWithTf(t, condition, waitFor, tick, msg, args...) { + return + } + t.FailNow() +} + +// Eventuallyf asserts that given condition will be met in waitFor time, +// periodically checking target function each tick. +// +// require.Eventuallyf(t, func() bool { return true; }, time.Second, 10*time.Millisecond, "error message %s", "formatted") +func Eventuallyf(t TestingT, condition func() bool, waitFor time.Duration, tick time.Duration, msg string, args ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.Eventuallyf(t, condition, waitFor, tick, msg, args...) { + return + } + t.FailNow() +} + +// Exactly asserts that two objects are equal in value and type. +// +// require.Exactly(t, int32(123), int64(123)) +func Exactly(t TestingT, expected interface{}, actual interface{}, msgAndArgs ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.Exactly(t, expected, actual, msgAndArgs...) { + return + } + t.FailNow() +} + +// Exactlyf asserts that two objects are equal in value and type. +// +// require.Exactlyf(t, int32(123), int64(123), "error message %s", "formatted") +func Exactlyf(t TestingT, expected interface{}, actual interface{}, msg string, args ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.Exactlyf(t, expected, actual, msg, args...) { + return + } + t.FailNow() +} + +// Fail reports a failure through +func Fail(t TestingT, failureMessage string, msgAndArgs ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.Fail(t, failureMessage, msgAndArgs...) { + return + } + t.FailNow() +} + +// FailNow fails test +func FailNow(t TestingT, failureMessage string, msgAndArgs ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.FailNow(t, failureMessage, msgAndArgs...) { + return + } + t.FailNow() +} + +// FailNowf fails test +func FailNowf(t TestingT, failureMessage string, msg string, args ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.FailNowf(t, failureMessage, msg, args...) { + return + } + t.FailNow() +} + +// Failf reports a failure through +func Failf(t TestingT, failureMessage string, msg string, args ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.Failf(t, failureMessage, msg, args...) { + return + } + t.FailNow() +} + +// False asserts that the specified value is false. +// +// require.False(t, myBool) +func False(t TestingT, value bool, msgAndArgs ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.False(t, value, msgAndArgs...) { + return + } + t.FailNow() +} + +// Falsef asserts that the specified value is false. +// +// require.Falsef(t, myBool, "error message %s", "formatted") +func Falsef(t TestingT, value bool, msg string, args ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.Falsef(t, value, msg, args...) { + return + } + t.FailNow() +} + +// FileExists checks whether a file exists in the given path. It also fails if +// the path points to a directory or there is an error when trying to check the file. +func FileExists(t TestingT, path string, msgAndArgs ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.FileExists(t, path, msgAndArgs...) { + return + } + t.FailNow() +} + +// FileExistsf checks whether a file exists in the given path. It also fails if +// the path points to a directory or there is an error when trying to check the file. +func FileExistsf(t TestingT, path string, msg string, args ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.FileExistsf(t, path, msg, args...) { + return + } + t.FailNow() +} + +// Greater asserts that the first element is greater than the second +// +// require.Greater(t, 2, 1) +// require.Greater(t, float64(2), float64(1)) +// require.Greater(t, "b", "a") +func Greater(t TestingT, e1 interface{}, e2 interface{}, msgAndArgs ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.Greater(t, e1, e2, msgAndArgs...) { + return + } + t.FailNow() +} + +// GreaterOrEqual asserts that the first element is greater than or equal to the second +// +// require.GreaterOrEqual(t, 2, 1) +// require.GreaterOrEqual(t, 2, 2) +// require.GreaterOrEqual(t, "b", "a") +// require.GreaterOrEqual(t, "b", "b") +func GreaterOrEqual(t TestingT, e1 interface{}, e2 interface{}, msgAndArgs ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.GreaterOrEqual(t, e1, e2, msgAndArgs...) { + return + } + t.FailNow() +} + +// GreaterOrEqualf asserts that the first element is greater than or equal to the second +// +// require.GreaterOrEqualf(t, 2, 1, "error message %s", "formatted") +// require.GreaterOrEqualf(t, 2, 2, "error message %s", "formatted") +// require.GreaterOrEqualf(t, "b", "a", "error message %s", "formatted") +// require.GreaterOrEqualf(t, "b", "b", "error message %s", "formatted") +func GreaterOrEqualf(t TestingT, e1 interface{}, e2 interface{}, msg string, args ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.GreaterOrEqualf(t, e1, e2, msg, args...) { + return + } + t.FailNow() +} + +// Greaterf asserts that the first element is greater than the second +// +// require.Greaterf(t, 2, 1, "error message %s", "formatted") +// require.Greaterf(t, float64(2), float64(1), "error message %s", "formatted") +// require.Greaterf(t, "b", "a", "error message %s", "formatted") +func Greaterf(t TestingT, e1 interface{}, e2 interface{}, msg string, args ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.Greaterf(t, e1, e2, msg, args...) { + return + } + t.FailNow() +} + +// HTTPBodyContains asserts that a specified handler returns a +// body that contains a string. +// +// require.HTTPBodyContains(t, myHandler, "GET", "www.google.com", nil, "I'm Feeling Lucky") +// +// Returns whether the assertion was successful (true) or not (false). +func HTTPBodyContains(t TestingT, handler http.HandlerFunc, method string, url string, values url.Values, str interface{}, msgAndArgs ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.HTTPBodyContains(t, handler, method, url, values, str, msgAndArgs...) { + return + } + t.FailNow() +} + +// HTTPBodyContainsf asserts that a specified handler returns a +// body that contains a string. +// +// require.HTTPBodyContainsf(t, myHandler, "GET", "www.google.com", nil, "I'm Feeling Lucky", "error message %s", "formatted") +// +// Returns whether the assertion was successful (true) or not (false). +func HTTPBodyContainsf(t TestingT, handler http.HandlerFunc, method string, url string, values url.Values, str interface{}, msg string, args ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.HTTPBodyContainsf(t, handler, method, url, values, str, msg, args...) { + return + } + t.FailNow() +} + +// HTTPBodyNotContains asserts that a specified handler returns a +// body that does not contain a string. +// +// require.HTTPBodyNotContains(t, myHandler, "GET", "www.google.com", nil, "I'm Feeling Lucky") +// +// Returns whether the assertion was successful (true) or not (false). +func HTTPBodyNotContains(t TestingT, handler http.HandlerFunc, method string, url string, values url.Values, str interface{}, msgAndArgs ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.HTTPBodyNotContains(t, handler, method, url, values, str, msgAndArgs...) { + return + } + t.FailNow() +} + +// HTTPBodyNotContainsf asserts that a specified handler returns a +// body that does not contain a string. +// +// require.HTTPBodyNotContainsf(t, myHandler, "GET", "www.google.com", nil, "I'm Feeling Lucky", "error message %s", "formatted") +// +// Returns whether the assertion was successful (true) or not (false). +func HTTPBodyNotContainsf(t TestingT, handler http.HandlerFunc, method string, url string, values url.Values, str interface{}, msg string, args ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.HTTPBodyNotContainsf(t, handler, method, url, values, str, msg, args...) { + return + } + t.FailNow() +} + +// HTTPError asserts that a specified handler returns an error status code. +// +// require.HTTPError(t, myHandler, "POST", "/a/b/c", url.Values{"a": []string{"b", "c"}} +// +// Returns whether the assertion was successful (true) or not (false). +func HTTPError(t TestingT, handler http.HandlerFunc, method string, url string, values url.Values, msgAndArgs ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.HTTPError(t, handler, method, url, values, msgAndArgs...) { + return + } + t.FailNow() +} + +// HTTPErrorf asserts that a specified handler returns an error status code. +// +// require.HTTPErrorf(t, myHandler, "POST", "/a/b/c", url.Values{"a": []string{"b", "c"}} +// +// Returns whether the assertion was successful (true) or not (false). +func HTTPErrorf(t TestingT, handler http.HandlerFunc, method string, url string, values url.Values, msg string, args ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.HTTPErrorf(t, handler, method, url, values, msg, args...) { + return + } + t.FailNow() +} + +// HTTPRedirect asserts that a specified handler returns a redirect status code. +// +// require.HTTPRedirect(t, myHandler, "GET", "/a/b/c", url.Values{"a": []string{"b", "c"}} +// +// Returns whether the assertion was successful (true) or not (false). +func HTTPRedirect(t TestingT, handler http.HandlerFunc, method string, url string, values url.Values, msgAndArgs ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.HTTPRedirect(t, handler, method, url, values, msgAndArgs...) { + return + } + t.FailNow() +} + +// HTTPRedirectf asserts that a specified handler returns a redirect status code. +// +// require.HTTPRedirectf(t, myHandler, "GET", "/a/b/c", url.Values{"a": []string{"b", "c"}} +// +// Returns whether the assertion was successful (true) or not (false). +func HTTPRedirectf(t TestingT, handler http.HandlerFunc, method string, url string, values url.Values, msg string, args ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.HTTPRedirectf(t, handler, method, url, values, msg, args...) { + return + } + t.FailNow() +} + +// HTTPStatusCode asserts that a specified handler returns a specified status code. +// +// require.HTTPStatusCode(t, myHandler, "GET", "/notImplemented", nil, 501) +// +// Returns whether the assertion was successful (true) or not (false). +func HTTPStatusCode(t TestingT, handler http.HandlerFunc, method string, url string, values url.Values, statuscode int, msgAndArgs ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.HTTPStatusCode(t, handler, method, url, values, statuscode, msgAndArgs...) { + return + } + t.FailNow() +} + +// HTTPStatusCodef asserts that a specified handler returns a specified status code. +// +// require.HTTPStatusCodef(t, myHandler, "GET", "/notImplemented", nil, 501, "error message %s", "formatted") +// +// Returns whether the assertion was successful (true) or not (false). +func HTTPStatusCodef(t TestingT, handler http.HandlerFunc, method string, url string, values url.Values, statuscode int, msg string, args ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.HTTPStatusCodef(t, handler, method, url, values, statuscode, msg, args...) { + return + } + t.FailNow() +} + +// HTTPSuccess asserts that a specified handler returns a success status code. +// +// require.HTTPSuccess(t, myHandler, "POST", "http://www.google.com", nil) +// +// Returns whether the assertion was successful (true) or not (false). +func HTTPSuccess(t TestingT, handler http.HandlerFunc, method string, url string, values url.Values, msgAndArgs ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.HTTPSuccess(t, handler, method, url, values, msgAndArgs...) { + return + } + t.FailNow() +} + +// HTTPSuccessf asserts that a specified handler returns a success status code. +// +// require.HTTPSuccessf(t, myHandler, "POST", "http://www.google.com", nil, "error message %s", "formatted") +// +// Returns whether the assertion was successful (true) or not (false). +func HTTPSuccessf(t TestingT, handler http.HandlerFunc, method string, url string, values url.Values, msg string, args ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.HTTPSuccessf(t, handler, method, url, values, msg, args...) { + return + } + t.FailNow() +} + +// Implements asserts that an object is implemented by the specified interface. +// +// require.Implements(t, (*MyInterface)(nil), new(MyObject)) +func Implements(t TestingT, interfaceObject interface{}, object interface{}, msgAndArgs ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.Implements(t, interfaceObject, object, msgAndArgs...) { + return + } + t.FailNow() +} + +// Implementsf asserts that an object is implemented by the specified interface. +// +// require.Implementsf(t, (*MyInterface)(nil), new(MyObject), "error message %s", "formatted") +func Implementsf(t TestingT, interfaceObject interface{}, object interface{}, msg string, args ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.Implementsf(t, interfaceObject, object, msg, args...) { + return + } + t.FailNow() +} + +// InDelta asserts that the two numerals are within delta of each other. +// +// require.InDelta(t, math.Pi, 22/7.0, 0.01) +func InDelta(t TestingT, expected interface{}, actual interface{}, delta float64, msgAndArgs ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.InDelta(t, expected, actual, delta, msgAndArgs...) { + return + } + t.FailNow() +} + +// InDeltaMapValues is the same as InDelta, but it compares all values between two maps. Both maps must have exactly the same keys. +func InDeltaMapValues(t TestingT, expected interface{}, actual interface{}, delta float64, msgAndArgs ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.InDeltaMapValues(t, expected, actual, delta, msgAndArgs...) { + return + } + t.FailNow() +} + +// InDeltaMapValuesf is the same as InDelta, but it compares all values between two maps. Both maps must have exactly the same keys. +func InDeltaMapValuesf(t TestingT, expected interface{}, actual interface{}, delta float64, msg string, args ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.InDeltaMapValuesf(t, expected, actual, delta, msg, args...) { + return + } + t.FailNow() +} + +// InDeltaSlice is the same as InDelta, except it compares two slices. +func InDeltaSlice(t TestingT, expected interface{}, actual interface{}, delta float64, msgAndArgs ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.InDeltaSlice(t, expected, actual, delta, msgAndArgs...) { + return + } + t.FailNow() +} + +// InDeltaSlicef is the same as InDelta, except it compares two slices. +func InDeltaSlicef(t TestingT, expected interface{}, actual interface{}, delta float64, msg string, args ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.InDeltaSlicef(t, expected, actual, delta, msg, args...) { + return + } + t.FailNow() +} + +// InDeltaf asserts that the two numerals are within delta of each other. +// +// require.InDeltaf(t, math.Pi, 22/7.0, 0.01, "error message %s", "formatted") +func InDeltaf(t TestingT, expected interface{}, actual interface{}, delta float64, msg string, args ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.InDeltaf(t, expected, actual, delta, msg, args...) { + return + } + t.FailNow() +} + +// InEpsilon asserts that expected and actual have a relative error less than epsilon +func InEpsilon(t TestingT, expected interface{}, actual interface{}, epsilon float64, msgAndArgs ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.InEpsilon(t, expected, actual, epsilon, msgAndArgs...) { + return + } + t.FailNow() +} + +// InEpsilonSlice is the same as InEpsilon, except it compares each value from two slices. +func InEpsilonSlice(t TestingT, expected interface{}, actual interface{}, epsilon float64, msgAndArgs ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.InEpsilonSlice(t, expected, actual, epsilon, msgAndArgs...) { + return + } + t.FailNow() +} + +// InEpsilonSlicef is the same as InEpsilon, except it compares each value from two slices. +func InEpsilonSlicef(t TestingT, expected interface{}, actual interface{}, epsilon float64, msg string, args ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.InEpsilonSlicef(t, expected, actual, epsilon, msg, args...) { + return + } + t.FailNow() +} + +// InEpsilonf asserts that expected and actual have a relative error less than epsilon +func InEpsilonf(t TestingT, expected interface{}, actual interface{}, epsilon float64, msg string, args ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.InEpsilonf(t, expected, actual, epsilon, msg, args...) { + return + } + t.FailNow() +} + +// IsDecreasing asserts that the collection is decreasing +// +// require.IsDecreasing(t, []int{2, 1, 0}) +// require.IsDecreasing(t, []float{2, 1}) +// require.IsDecreasing(t, []string{"b", "a"}) +func IsDecreasing(t TestingT, object interface{}, msgAndArgs ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.IsDecreasing(t, object, msgAndArgs...) { + return + } + t.FailNow() +} + +// IsDecreasingf asserts that the collection is decreasing +// +// require.IsDecreasingf(t, []int{2, 1, 0}, "error message %s", "formatted") +// require.IsDecreasingf(t, []float{2, 1}, "error message %s", "formatted") +// require.IsDecreasingf(t, []string{"b", "a"}, "error message %s", "formatted") +func IsDecreasingf(t TestingT, object interface{}, msg string, args ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.IsDecreasingf(t, object, msg, args...) { + return + } + t.FailNow() +} + +// IsIncreasing asserts that the collection is increasing +// +// require.IsIncreasing(t, []int{1, 2, 3}) +// require.IsIncreasing(t, []float{1, 2}) +// require.IsIncreasing(t, []string{"a", "b"}) +func IsIncreasing(t TestingT, object interface{}, msgAndArgs ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.IsIncreasing(t, object, msgAndArgs...) { + return + } + t.FailNow() +} + +// IsIncreasingf asserts that the collection is increasing +// +// require.IsIncreasingf(t, []int{1, 2, 3}, "error message %s", "formatted") +// require.IsIncreasingf(t, []float{1, 2}, "error message %s", "formatted") +// require.IsIncreasingf(t, []string{"a", "b"}, "error message %s", "formatted") +func IsIncreasingf(t TestingT, object interface{}, msg string, args ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.IsIncreasingf(t, object, msg, args...) { + return + } + t.FailNow() +} + +// IsNonDecreasing asserts that the collection is not decreasing +// +// require.IsNonDecreasing(t, []int{1, 1, 2}) +// require.IsNonDecreasing(t, []float{1, 2}) +// require.IsNonDecreasing(t, []string{"a", "b"}) +func IsNonDecreasing(t TestingT, object interface{}, msgAndArgs ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.IsNonDecreasing(t, object, msgAndArgs...) { + return + } + t.FailNow() +} + +// IsNonDecreasingf asserts that the collection is not decreasing +// +// require.IsNonDecreasingf(t, []int{1, 1, 2}, "error message %s", "formatted") +// require.IsNonDecreasingf(t, []float{1, 2}, "error message %s", "formatted") +// require.IsNonDecreasingf(t, []string{"a", "b"}, "error message %s", "formatted") +func IsNonDecreasingf(t TestingT, object interface{}, msg string, args ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.IsNonDecreasingf(t, object, msg, args...) { + return + } + t.FailNow() +} + +// IsNonIncreasing asserts that the collection is not increasing +// +// require.IsNonIncreasing(t, []int{2, 1, 1}) +// require.IsNonIncreasing(t, []float{2, 1}) +// require.IsNonIncreasing(t, []string{"b", "a"}) +func IsNonIncreasing(t TestingT, object interface{}, msgAndArgs ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.IsNonIncreasing(t, object, msgAndArgs...) { + return + } + t.FailNow() +} + +// IsNonIncreasingf asserts that the collection is not increasing +// +// require.IsNonIncreasingf(t, []int{2, 1, 1}, "error message %s", "formatted") +// require.IsNonIncreasingf(t, []float{2, 1}, "error message %s", "formatted") +// require.IsNonIncreasingf(t, []string{"b", "a"}, "error message %s", "formatted") +func IsNonIncreasingf(t TestingT, object interface{}, msg string, args ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.IsNonIncreasingf(t, object, msg, args...) { + return + } + t.FailNow() +} + +// IsNotType asserts that the specified objects are not of the same type. +// +// require.IsNotType(t, &NotMyStruct{}, &MyStruct{}) +func IsNotType(t TestingT, theType interface{}, object interface{}, msgAndArgs ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.IsNotType(t, theType, object, msgAndArgs...) { + return + } + t.FailNow() +} + +// IsNotTypef asserts that the specified objects are not of the same type. +// +// require.IsNotTypef(t, &NotMyStruct{}, &MyStruct{}, "error message %s", "formatted") +func IsNotTypef(t TestingT, theType interface{}, object interface{}, msg string, args ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.IsNotTypef(t, theType, object, msg, args...) { + return + } + t.FailNow() +} + +// IsType asserts that the specified objects are of the same type. +// +// require.IsType(t, &MyStruct{}, &MyStruct{}) +func IsType(t TestingT, expectedType interface{}, object interface{}, msgAndArgs ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.IsType(t, expectedType, object, msgAndArgs...) { + return + } + t.FailNow() +} + +// IsTypef asserts that the specified objects are of the same type. +// +// require.IsTypef(t, &MyStruct{}, &MyStruct{}, "error message %s", "formatted") +func IsTypef(t TestingT, expectedType interface{}, object interface{}, msg string, args ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.IsTypef(t, expectedType, object, msg, args...) { + return + } + t.FailNow() +} + +// JSONEq asserts that two JSON strings are equivalent. +// +// require.JSONEq(t, `{"hello": "world", "foo": "bar"}`, `{"foo": "bar", "hello": "world"}`) +func JSONEq(t TestingT, expected string, actual string, msgAndArgs ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.JSONEq(t, expected, actual, msgAndArgs...) { + return + } + t.FailNow() +} + +// JSONEqf asserts that two JSON strings are equivalent. +// +// require.JSONEqf(t, `{"hello": "world", "foo": "bar"}`, `{"foo": "bar", "hello": "world"}`, "error message %s", "formatted") +func JSONEqf(t TestingT, expected string, actual string, msg string, args ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.JSONEqf(t, expected, actual, msg, args...) { + return + } + t.FailNow() +} + +// Len asserts that the specified object has specific length. +// Len also fails if the object has a type that len() not accept. +// +// require.Len(t, mySlice, 3) +func Len(t TestingT, object interface{}, length int, msgAndArgs ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.Len(t, object, length, msgAndArgs...) { + return + } + t.FailNow() +} + +// Lenf asserts that the specified object has specific length. +// Lenf also fails if the object has a type that len() not accept. +// +// require.Lenf(t, mySlice, 3, "error message %s", "formatted") +func Lenf(t TestingT, object interface{}, length int, msg string, args ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.Lenf(t, object, length, msg, args...) { + return + } + t.FailNow() +} + +// Less asserts that the first element is less than the second +// +// require.Less(t, 1, 2) +// require.Less(t, float64(1), float64(2)) +// require.Less(t, "a", "b") +func Less(t TestingT, e1 interface{}, e2 interface{}, msgAndArgs ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.Less(t, e1, e2, msgAndArgs...) { + return + } + t.FailNow() +} + +// LessOrEqual asserts that the first element is less than or equal to the second +// +// require.LessOrEqual(t, 1, 2) +// require.LessOrEqual(t, 2, 2) +// require.LessOrEqual(t, "a", "b") +// require.LessOrEqual(t, "b", "b") +func LessOrEqual(t TestingT, e1 interface{}, e2 interface{}, msgAndArgs ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.LessOrEqual(t, e1, e2, msgAndArgs...) { + return + } + t.FailNow() +} + +// LessOrEqualf asserts that the first element is less than or equal to the second +// +// require.LessOrEqualf(t, 1, 2, "error message %s", "formatted") +// require.LessOrEqualf(t, 2, 2, "error message %s", "formatted") +// require.LessOrEqualf(t, "a", "b", "error message %s", "formatted") +// require.LessOrEqualf(t, "b", "b", "error message %s", "formatted") +func LessOrEqualf(t TestingT, e1 interface{}, e2 interface{}, msg string, args ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.LessOrEqualf(t, e1, e2, msg, args...) { + return + } + t.FailNow() +} + +// Lessf asserts that the first element is less than the second +// +// require.Lessf(t, 1, 2, "error message %s", "formatted") +// require.Lessf(t, float64(1), float64(2), "error message %s", "formatted") +// require.Lessf(t, "a", "b", "error message %s", "formatted") +func Lessf(t TestingT, e1 interface{}, e2 interface{}, msg string, args ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.Lessf(t, e1, e2, msg, args...) { + return + } + t.FailNow() +} + +// Negative asserts that the specified element is negative +// +// require.Negative(t, -1) +// require.Negative(t, -1.23) +func Negative(t TestingT, e interface{}, msgAndArgs ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.Negative(t, e, msgAndArgs...) { + return + } + t.FailNow() +} + +// Negativef asserts that the specified element is negative +// +// require.Negativef(t, -1, "error message %s", "formatted") +// require.Negativef(t, -1.23, "error message %s", "formatted") +func Negativef(t TestingT, e interface{}, msg string, args ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.Negativef(t, e, msg, args...) { + return + } + t.FailNow() +} + +// Never asserts that the given condition doesn't satisfy in waitFor time, +// periodically checking the target function each tick. +// +// require.Never(t, func() bool { return false; }, time.Second, 10*time.Millisecond) +func Never(t TestingT, condition func() bool, waitFor time.Duration, tick time.Duration, msgAndArgs ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.Never(t, condition, waitFor, tick, msgAndArgs...) { + return + } + t.FailNow() +} + +// Neverf asserts that the given condition doesn't satisfy in waitFor time, +// periodically checking the target function each tick. +// +// require.Neverf(t, func() bool { return false; }, time.Second, 10*time.Millisecond, "error message %s", "formatted") +func Neverf(t TestingT, condition func() bool, waitFor time.Duration, tick time.Duration, msg string, args ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.Neverf(t, condition, waitFor, tick, msg, args...) { + return + } + t.FailNow() +} + +// Nil asserts that the specified object is nil. +// +// require.Nil(t, err) +func Nil(t TestingT, object interface{}, msgAndArgs ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.Nil(t, object, msgAndArgs...) { + return + } + t.FailNow() +} + +// Nilf asserts that the specified object is nil. +// +// require.Nilf(t, err, "error message %s", "formatted") +func Nilf(t TestingT, object interface{}, msg string, args ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.Nilf(t, object, msg, args...) { + return + } + t.FailNow() +} + +// NoDirExists checks whether a directory does not exist in the given path. +// It fails if the path points to an existing _directory_ only. +func NoDirExists(t TestingT, path string, msgAndArgs ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.NoDirExists(t, path, msgAndArgs...) { + return + } + t.FailNow() +} + +// NoDirExistsf checks whether a directory does not exist in the given path. +// It fails if the path points to an existing _directory_ only. +func NoDirExistsf(t TestingT, path string, msg string, args ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.NoDirExistsf(t, path, msg, args...) { + return + } + t.FailNow() +} + +// NoError asserts that a function returned no error (i.e. `nil`). +// +// actualObj, err := SomeFunction() +// if require.NoError(t, err) { +// require.Equal(t, expectedObj, actualObj) +// } +func NoError(t TestingT, err error, msgAndArgs ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.NoError(t, err, msgAndArgs...) { + return + } + t.FailNow() +} + +// NoErrorf asserts that a function returned no error (i.e. `nil`). +// +// actualObj, err := SomeFunction() +// if require.NoErrorf(t, err, "error message %s", "formatted") { +// require.Equal(t, expectedObj, actualObj) +// } +func NoErrorf(t TestingT, err error, msg string, args ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.NoErrorf(t, err, msg, args...) { + return + } + t.FailNow() +} + +// NoFileExists checks whether a file does not exist in a given path. It fails +// if the path points to an existing _file_ only. +func NoFileExists(t TestingT, path string, msgAndArgs ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.NoFileExists(t, path, msgAndArgs...) { + return + } + t.FailNow() +} + +// NoFileExistsf checks whether a file does not exist in a given path. It fails +// if the path points to an existing _file_ only. +func NoFileExistsf(t TestingT, path string, msg string, args ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.NoFileExistsf(t, path, msg, args...) { + return + } + t.FailNow() +} + +// NotContains asserts that the specified string, list(array, slice...) or map does NOT contain the +// specified substring or element. +// +// require.NotContains(t, "Hello World", "Earth") +// require.NotContains(t, ["Hello", "World"], "Earth") +// require.NotContains(t, {"Hello": "World"}, "Earth") +func NotContains(t TestingT, s interface{}, contains interface{}, msgAndArgs ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.NotContains(t, s, contains, msgAndArgs...) { + return + } + t.FailNow() +} + +// NotContainsf asserts that the specified string, list(array, slice...) or map does NOT contain the +// specified substring or element. +// +// require.NotContainsf(t, "Hello World", "Earth", "error message %s", "formatted") +// require.NotContainsf(t, ["Hello", "World"], "Earth", "error message %s", "formatted") +// require.NotContainsf(t, {"Hello": "World"}, "Earth", "error message %s", "formatted") +func NotContainsf(t TestingT, s interface{}, contains interface{}, msg string, args ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.NotContainsf(t, s, contains, msg, args...) { + return + } + t.FailNow() +} + +// NotElementsMatch asserts that the specified listA(array, slice...) is NOT equal to specified +// listB(array, slice...) ignoring the order of the elements. If there are duplicate elements, +// the number of appearances of each of them in both lists should not match. +// This is an inverse of ElementsMatch. +// +// require.NotElementsMatch(t, [1, 1, 2, 3], [1, 1, 2, 3]) -> false +// +// require.NotElementsMatch(t, [1, 1, 2, 3], [1, 2, 3]) -> true +// +// require.NotElementsMatch(t, [1, 2, 3], [1, 2, 4]) -> true +func NotElementsMatch(t TestingT, listA interface{}, listB interface{}, msgAndArgs ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.NotElementsMatch(t, listA, listB, msgAndArgs...) { + return + } + t.FailNow() +} + +// NotElementsMatchf asserts that the specified listA(array, slice...) is NOT equal to specified +// listB(array, slice...) ignoring the order of the elements. If there are duplicate elements, +// the number of appearances of each of them in both lists should not match. +// This is an inverse of ElementsMatch. +// +// require.NotElementsMatchf(t, [1, 1, 2, 3], [1, 1, 2, 3], "error message %s", "formatted") -> false +// +// require.NotElementsMatchf(t, [1, 1, 2, 3], [1, 2, 3], "error message %s", "formatted") -> true +// +// require.NotElementsMatchf(t, [1, 2, 3], [1, 2, 4], "error message %s", "formatted") -> true +func NotElementsMatchf(t TestingT, listA interface{}, listB interface{}, msg string, args ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.NotElementsMatchf(t, listA, listB, msg, args...) { + return + } + t.FailNow() +} + +// NotEmpty asserts that the specified object is NOT [Empty]. +// +// if require.NotEmpty(t, obj) { +// require.Equal(t, "two", obj[1]) +// } +func NotEmpty(t TestingT, object interface{}, msgAndArgs ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.NotEmpty(t, object, msgAndArgs...) { + return + } + t.FailNow() +} + +// NotEmptyf asserts that the specified object is NOT [Empty]. +// +// if require.NotEmptyf(t, obj, "error message %s", "formatted") { +// require.Equal(t, "two", obj[1]) +// } +func NotEmptyf(t TestingT, object interface{}, msg string, args ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.NotEmptyf(t, object, msg, args...) { + return + } + t.FailNow() +} + +// NotEqual asserts that the specified values are NOT equal. +// +// require.NotEqual(t, obj1, obj2) +// +// Pointer variable equality is determined based on the equality of the +// referenced values (as opposed to the memory addresses). +func NotEqual(t TestingT, expected interface{}, actual interface{}, msgAndArgs ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.NotEqual(t, expected, actual, msgAndArgs...) { + return + } + t.FailNow() +} + +// NotEqualValues asserts that two objects are not equal even when converted to the same type +// +// require.NotEqualValues(t, obj1, obj2) +func NotEqualValues(t TestingT, expected interface{}, actual interface{}, msgAndArgs ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.NotEqualValues(t, expected, actual, msgAndArgs...) { + return + } + t.FailNow() +} + +// NotEqualValuesf asserts that two objects are not equal even when converted to the same type +// +// require.NotEqualValuesf(t, obj1, obj2, "error message %s", "formatted") +func NotEqualValuesf(t TestingT, expected interface{}, actual interface{}, msg string, args ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.NotEqualValuesf(t, expected, actual, msg, args...) { + return + } + t.FailNow() +} + +// NotEqualf asserts that the specified values are NOT equal. +// +// require.NotEqualf(t, obj1, obj2, "error message %s", "formatted") +// +// Pointer variable equality is determined based on the equality of the +// referenced values (as opposed to the memory addresses). +func NotEqualf(t TestingT, expected interface{}, actual interface{}, msg string, args ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.NotEqualf(t, expected, actual, msg, args...) { + return + } + t.FailNow() +} + +// NotErrorAs asserts that none of the errors in err's chain matches target, +// but if so, sets target to that error value. +func NotErrorAs(t TestingT, err error, target interface{}, msgAndArgs ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.NotErrorAs(t, err, target, msgAndArgs...) { + return + } + t.FailNow() +} + +// NotErrorAsf asserts that none of the errors in err's chain matches target, +// but if so, sets target to that error value. +func NotErrorAsf(t TestingT, err error, target interface{}, msg string, args ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.NotErrorAsf(t, err, target, msg, args...) { + return + } + t.FailNow() +} + +// NotErrorIs asserts that none of the errors in err's chain matches target. +// This is a wrapper for errors.Is. +func NotErrorIs(t TestingT, err error, target error, msgAndArgs ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.NotErrorIs(t, err, target, msgAndArgs...) { + return + } + t.FailNow() +} + +// NotErrorIsf asserts that none of the errors in err's chain matches target. +// This is a wrapper for errors.Is. +func NotErrorIsf(t TestingT, err error, target error, msg string, args ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.NotErrorIsf(t, err, target, msg, args...) { + return + } + t.FailNow() +} + +// NotImplements asserts that an object does not implement the specified interface. +// +// require.NotImplements(t, (*MyInterface)(nil), new(MyObject)) +func NotImplements(t TestingT, interfaceObject interface{}, object interface{}, msgAndArgs ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.NotImplements(t, interfaceObject, object, msgAndArgs...) { + return + } + t.FailNow() +} + +// NotImplementsf asserts that an object does not implement the specified interface. +// +// require.NotImplementsf(t, (*MyInterface)(nil), new(MyObject), "error message %s", "formatted") +func NotImplementsf(t TestingT, interfaceObject interface{}, object interface{}, msg string, args ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.NotImplementsf(t, interfaceObject, object, msg, args...) { + return + } + t.FailNow() +} + +// NotNil asserts that the specified object is not nil. +// +// require.NotNil(t, err) +func NotNil(t TestingT, object interface{}, msgAndArgs ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.NotNil(t, object, msgAndArgs...) { + return + } + t.FailNow() +} + +// NotNilf asserts that the specified object is not nil. +// +// require.NotNilf(t, err, "error message %s", "formatted") +func NotNilf(t TestingT, object interface{}, msg string, args ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.NotNilf(t, object, msg, args...) { + return + } + t.FailNow() +} + +// NotPanics asserts that the code inside the specified PanicTestFunc does NOT panic. +// +// require.NotPanics(t, func(){ RemainCalm() }) +func NotPanics(t TestingT, f assert.PanicTestFunc, msgAndArgs ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.NotPanics(t, f, msgAndArgs...) { + return + } + t.FailNow() +} + +// NotPanicsf asserts that the code inside the specified PanicTestFunc does NOT panic. +// +// require.NotPanicsf(t, func(){ RemainCalm() }, "error message %s", "formatted") +func NotPanicsf(t TestingT, f assert.PanicTestFunc, msg string, args ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.NotPanicsf(t, f, msg, args...) { + return + } + t.FailNow() +} + +// NotRegexp asserts that a specified regexp does not match a string. +// +// require.NotRegexp(t, regexp.MustCompile("starts"), "it's starting") +// require.NotRegexp(t, "^start", "it's not starting") +func NotRegexp(t TestingT, rx interface{}, str interface{}, msgAndArgs ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.NotRegexp(t, rx, str, msgAndArgs...) { + return + } + t.FailNow() +} + +// NotRegexpf asserts that a specified regexp does not match a string. +// +// require.NotRegexpf(t, regexp.MustCompile("starts"), "it's starting", "error message %s", "formatted") +// require.NotRegexpf(t, "^start", "it's not starting", "error message %s", "formatted") +func NotRegexpf(t TestingT, rx interface{}, str interface{}, msg string, args ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.NotRegexpf(t, rx, str, msg, args...) { + return + } + t.FailNow() +} + +// NotSame asserts that two pointers do not reference the same object. +// +// require.NotSame(t, ptr1, ptr2) +// +// Both arguments must be pointer variables. Pointer variable sameness is +// determined based on the equality of both type and value. +func NotSame(t TestingT, expected interface{}, actual interface{}, msgAndArgs ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.NotSame(t, expected, actual, msgAndArgs...) { + return + } + t.FailNow() +} + +// NotSamef asserts that two pointers do not reference the same object. +// +// require.NotSamef(t, ptr1, ptr2, "error message %s", "formatted") +// +// Both arguments must be pointer variables. Pointer variable sameness is +// determined based on the equality of both type and value. +func NotSamef(t TestingT, expected interface{}, actual interface{}, msg string, args ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.NotSamef(t, expected, actual, msg, args...) { + return + } + t.FailNow() +} + +// NotSubset asserts that the list (array, slice, or map) does NOT contain all +// elements given in the subset (array, slice, or map). +// Map elements are key-value pairs unless compared with an array or slice where +// only the map key is evaluated. +// +// require.NotSubset(t, [1, 3, 4], [1, 2]) +// require.NotSubset(t, {"x": 1, "y": 2}, {"z": 3}) +// require.NotSubset(t, [1, 3, 4], {1: "one", 2: "two"}) +// require.NotSubset(t, {"x": 1, "y": 2}, ["z"]) +func NotSubset(t TestingT, list interface{}, subset interface{}, msgAndArgs ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.NotSubset(t, list, subset, msgAndArgs...) { + return + } + t.FailNow() +} + +// NotSubsetf asserts that the list (array, slice, or map) does NOT contain all +// elements given in the subset (array, slice, or map). +// Map elements are key-value pairs unless compared with an array or slice where +// only the map key is evaluated. +// +// require.NotSubsetf(t, [1, 3, 4], [1, 2], "error message %s", "formatted") +// require.NotSubsetf(t, {"x": 1, "y": 2}, {"z": 3}, "error message %s", "formatted") +// require.NotSubsetf(t, [1, 3, 4], {1: "one", 2: "two"}, "error message %s", "formatted") +// require.NotSubsetf(t, {"x": 1, "y": 2}, ["z"], "error message %s", "formatted") +func NotSubsetf(t TestingT, list interface{}, subset interface{}, msg string, args ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.NotSubsetf(t, list, subset, msg, args...) { + return + } + t.FailNow() +} + +// NotZero asserts that i is not the zero value for its type. +func NotZero(t TestingT, i interface{}, msgAndArgs ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.NotZero(t, i, msgAndArgs...) { + return + } + t.FailNow() +} + +// NotZerof asserts that i is not the zero value for its type. +func NotZerof(t TestingT, i interface{}, msg string, args ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.NotZerof(t, i, msg, args...) { + return + } + t.FailNow() +} + +// Panics asserts that the code inside the specified PanicTestFunc panics. +// +// require.Panics(t, func(){ GoCrazy() }) +func Panics(t TestingT, f assert.PanicTestFunc, msgAndArgs ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.Panics(t, f, msgAndArgs...) { + return + } + t.FailNow() +} + +// PanicsWithError asserts that the code inside the specified PanicTestFunc +// panics, and that the recovered panic value is an error that satisfies the +// EqualError comparison. +// +// require.PanicsWithError(t, "crazy error", func(){ GoCrazy() }) +func PanicsWithError(t TestingT, errString string, f assert.PanicTestFunc, msgAndArgs ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.PanicsWithError(t, errString, f, msgAndArgs...) { + return + } + t.FailNow() +} + +// PanicsWithErrorf asserts that the code inside the specified PanicTestFunc +// panics, and that the recovered panic value is an error that satisfies the +// EqualError comparison. +// +// require.PanicsWithErrorf(t, "crazy error", func(){ GoCrazy() }, "error message %s", "formatted") +func PanicsWithErrorf(t TestingT, errString string, f assert.PanicTestFunc, msg string, args ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.PanicsWithErrorf(t, errString, f, msg, args...) { + return + } + t.FailNow() +} + +// PanicsWithValue asserts that the code inside the specified PanicTestFunc panics, and that +// the recovered panic value equals the expected panic value. +// +// require.PanicsWithValue(t, "crazy error", func(){ GoCrazy() }) +func PanicsWithValue(t TestingT, expected interface{}, f assert.PanicTestFunc, msgAndArgs ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.PanicsWithValue(t, expected, f, msgAndArgs...) { + return + } + t.FailNow() +} + +// PanicsWithValuef asserts that the code inside the specified PanicTestFunc panics, and that +// the recovered panic value equals the expected panic value. +// +// require.PanicsWithValuef(t, "crazy error", func(){ GoCrazy() }, "error message %s", "formatted") +func PanicsWithValuef(t TestingT, expected interface{}, f assert.PanicTestFunc, msg string, args ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.PanicsWithValuef(t, expected, f, msg, args...) { + return + } + t.FailNow() +} + +// Panicsf asserts that the code inside the specified PanicTestFunc panics. +// +// require.Panicsf(t, func(){ GoCrazy() }, "error message %s", "formatted") +func Panicsf(t TestingT, f assert.PanicTestFunc, msg string, args ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.Panicsf(t, f, msg, args...) { + return + } + t.FailNow() +} + +// Positive asserts that the specified element is positive +// +// require.Positive(t, 1) +// require.Positive(t, 1.23) +func Positive(t TestingT, e interface{}, msgAndArgs ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.Positive(t, e, msgAndArgs...) { + return + } + t.FailNow() +} + +// Positivef asserts that the specified element is positive +// +// require.Positivef(t, 1, "error message %s", "formatted") +// require.Positivef(t, 1.23, "error message %s", "formatted") +func Positivef(t TestingT, e interface{}, msg string, args ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.Positivef(t, e, msg, args...) { + return + } + t.FailNow() +} + +// Regexp asserts that a specified regexp matches a string. +// +// require.Regexp(t, regexp.MustCompile("start"), "it's starting") +// require.Regexp(t, "start...$", "it's not starting") +func Regexp(t TestingT, rx interface{}, str interface{}, msgAndArgs ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.Regexp(t, rx, str, msgAndArgs...) { + return + } + t.FailNow() +} + +// Regexpf asserts that a specified regexp matches a string. +// +// require.Regexpf(t, regexp.MustCompile("start"), "it's starting", "error message %s", "formatted") +// require.Regexpf(t, "start...$", "it's not starting", "error message %s", "formatted") +func Regexpf(t TestingT, rx interface{}, str interface{}, msg string, args ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.Regexpf(t, rx, str, msg, args...) { + return + } + t.FailNow() +} + +// Same asserts that two pointers reference the same object. +// +// require.Same(t, ptr1, ptr2) +// +// Both arguments must be pointer variables. Pointer variable sameness is +// determined based on the equality of both type and value. +func Same(t TestingT, expected interface{}, actual interface{}, msgAndArgs ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.Same(t, expected, actual, msgAndArgs...) { + return + } + t.FailNow() +} + +// Samef asserts that two pointers reference the same object. +// +// require.Samef(t, ptr1, ptr2, "error message %s", "formatted") +// +// Both arguments must be pointer variables. Pointer variable sameness is +// determined based on the equality of both type and value. +func Samef(t TestingT, expected interface{}, actual interface{}, msg string, args ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.Samef(t, expected, actual, msg, args...) { + return + } + t.FailNow() +} + +// Subset asserts that the list (array, slice, or map) contains all elements +// given in the subset (array, slice, or map). +// Map elements are key-value pairs unless compared with an array or slice where +// only the map key is evaluated. +// +// require.Subset(t, [1, 2, 3], [1, 2]) +// require.Subset(t, {"x": 1, "y": 2}, {"x": 1}) +// require.Subset(t, [1, 2, 3], {1: "one", 2: "two"}) +// require.Subset(t, {"x": 1, "y": 2}, ["x"]) +func Subset(t TestingT, list interface{}, subset interface{}, msgAndArgs ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.Subset(t, list, subset, msgAndArgs...) { + return + } + t.FailNow() +} + +// Subsetf asserts that the list (array, slice, or map) contains all elements +// given in the subset (array, slice, or map). +// Map elements are key-value pairs unless compared with an array or slice where +// only the map key is evaluated. +// +// require.Subsetf(t, [1, 2, 3], [1, 2], "error message %s", "formatted") +// require.Subsetf(t, {"x": 1, "y": 2}, {"x": 1}, "error message %s", "formatted") +// require.Subsetf(t, [1, 2, 3], {1: "one", 2: "two"}, "error message %s", "formatted") +// require.Subsetf(t, {"x": 1, "y": 2}, ["x"], "error message %s", "formatted") +func Subsetf(t TestingT, list interface{}, subset interface{}, msg string, args ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.Subsetf(t, list, subset, msg, args...) { + return + } + t.FailNow() +} + +// True asserts that the specified value is true. +// +// require.True(t, myBool) +func True(t TestingT, value bool, msgAndArgs ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.True(t, value, msgAndArgs...) { + return + } + t.FailNow() +} + +// Truef asserts that the specified value is true. +// +// require.Truef(t, myBool, "error message %s", "formatted") +func Truef(t TestingT, value bool, msg string, args ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.Truef(t, value, msg, args...) { + return + } + t.FailNow() +} + +// WithinDuration asserts that the two times are within duration delta of each other. +// +// require.WithinDuration(t, time.Now(), time.Now(), 10*time.Second) +func WithinDuration(t TestingT, expected time.Time, actual time.Time, delta time.Duration, msgAndArgs ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.WithinDuration(t, expected, actual, delta, msgAndArgs...) { + return + } + t.FailNow() +} + +// WithinDurationf asserts that the two times are within duration delta of each other. +// +// require.WithinDurationf(t, time.Now(), time.Now(), 10*time.Second, "error message %s", "formatted") +func WithinDurationf(t TestingT, expected time.Time, actual time.Time, delta time.Duration, msg string, args ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.WithinDurationf(t, expected, actual, delta, msg, args...) { + return + } + t.FailNow() +} + +// WithinRange asserts that a time is within a time range (inclusive). +// +// require.WithinRange(t, time.Now(), time.Now().Add(-time.Second), time.Now().Add(time.Second)) +func WithinRange(t TestingT, actual time.Time, start time.Time, end time.Time, msgAndArgs ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.WithinRange(t, actual, start, end, msgAndArgs...) { + return + } + t.FailNow() +} + +// WithinRangef asserts that a time is within a time range (inclusive). +// +// require.WithinRangef(t, time.Now(), time.Now().Add(-time.Second), time.Now().Add(time.Second), "error message %s", "formatted") +func WithinRangef(t TestingT, actual time.Time, start time.Time, end time.Time, msg string, args ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.WithinRangef(t, actual, start, end, msg, args...) { + return + } + t.FailNow() +} + +// YAMLEq asserts that two YAML strings are equivalent. +func YAMLEq(t TestingT, expected string, actual string, msgAndArgs ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.YAMLEq(t, expected, actual, msgAndArgs...) { + return + } + t.FailNow() +} + +// YAMLEqf asserts that two YAML strings are equivalent. +func YAMLEqf(t TestingT, expected string, actual string, msg string, args ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.YAMLEqf(t, expected, actual, msg, args...) { + return + } + t.FailNow() +} + +// Zero asserts that i is the zero value for its type. +func Zero(t TestingT, i interface{}, msgAndArgs ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.Zero(t, i, msgAndArgs...) { + return + } + t.FailNow() +} + +// Zerof asserts that i is the zero value for its type. +func Zerof(t TestingT, i interface{}, msg string, args ...interface{}) { + if h, ok := t.(tHelper); ok { + h.Helper() + } + if assert.Zerof(t, i, msg, args...) { + return + } + t.FailNow() +} diff --git a/vendor/github.com/stretchr/testify/require/require.go.tmpl b/vendor/github.com/stretchr/testify/require/require.go.tmpl new file mode 100644 index 0000000000..8b32836850 --- /dev/null +++ b/vendor/github.com/stretchr/testify/require/require.go.tmpl @@ -0,0 +1,6 @@ +{{ replace .Comment "assert." "require."}} +func {{.DocInfo.Name}}(t TestingT, {{.Params}}) { + if h, ok := t.(tHelper); ok { h.Helper() } + if assert.{{.DocInfo.Name}}(t, {{.ForwardedParams}}) { return } + t.FailNow() +} diff --git a/vendor/github.com/stretchr/testify/require/require_forward.go b/vendor/github.com/stretchr/testify/require/require_forward.go new file mode 100644 index 0000000000..e6f7e94468 --- /dev/null +++ b/vendor/github.com/stretchr/testify/require/require_forward.go @@ -0,0 +1,1724 @@ +// Code generated with github.com/stretchr/testify/_codegen; DO NOT EDIT. + +package require + +import ( + assert "github.com/stretchr/testify/assert" + http "net/http" + url "net/url" + time "time" +) + +// Condition uses a Comparison to assert a complex condition. +func (a *Assertions) Condition(comp assert.Comparison, msgAndArgs ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + Condition(a.t, comp, msgAndArgs...) +} + +// Conditionf uses a Comparison to assert a complex condition. +func (a *Assertions) Conditionf(comp assert.Comparison, msg string, args ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + Conditionf(a.t, comp, msg, args...) +} + +// Contains asserts that the specified string, list(array, slice...) or map contains the +// specified substring or element. +// +// a.Contains("Hello World", "World") +// a.Contains(["Hello", "World"], "World") +// a.Contains({"Hello": "World"}, "Hello") +func (a *Assertions) Contains(s interface{}, contains interface{}, msgAndArgs ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + Contains(a.t, s, contains, msgAndArgs...) +} + +// Containsf asserts that the specified string, list(array, slice...) or map contains the +// specified substring or element. +// +// a.Containsf("Hello World", "World", "error message %s", "formatted") +// a.Containsf(["Hello", "World"], "World", "error message %s", "formatted") +// a.Containsf({"Hello": "World"}, "Hello", "error message %s", "formatted") +func (a *Assertions) Containsf(s interface{}, contains interface{}, msg string, args ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + Containsf(a.t, s, contains, msg, args...) +} + +// DirExists checks whether a directory exists in the given path. It also fails +// if the path is a file rather a directory or there is an error checking whether it exists. +func (a *Assertions) DirExists(path string, msgAndArgs ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + DirExists(a.t, path, msgAndArgs...) +} + +// DirExistsf checks whether a directory exists in the given path. It also fails +// if the path is a file rather a directory or there is an error checking whether it exists. +func (a *Assertions) DirExistsf(path string, msg string, args ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + DirExistsf(a.t, path, msg, args...) +} + +// ElementsMatch asserts that the specified listA(array, slice...) is equal to specified +// listB(array, slice...) ignoring the order of the elements. If there are duplicate elements, +// the number of appearances of each of them in both lists should match. +// +// a.ElementsMatch([1, 3, 2, 3], [1, 3, 3, 2]) +func (a *Assertions) ElementsMatch(listA interface{}, listB interface{}, msgAndArgs ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + ElementsMatch(a.t, listA, listB, msgAndArgs...) +} + +// ElementsMatchf asserts that the specified listA(array, slice...) is equal to specified +// listB(array, slice...) ignoring the order of the elements. If there are duplicate elements, +// the number of appearances of each of them in both lists should match. +// +// a.ElementsMatchf([1, 3, 2, 3], [1, 3, 3, 2], "error message %s", "formatted") +func (a *Assertions) ElementsMatchf(listA interface{}, listB interface{}, msg string, args ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + ElementsMatchf(a.t, listA, listB, msg, args...) +} + +// Empty asserts that the given value is "empty". +// +// [Zero values] are "empty". +// +// Arrays are "empty" if every element is the zero value of the type (stricter than "empty"). +// +// Slices, maps and channels with zero length are "empty". +// +// Pointer values are "empty" if the pointer is nil or if the pointed value is "empty". +// +// a.Empty(obj) +// +// [Zero values]: https://go.dev/ref/spec#The_zero_value +func (a *Assertions) Empty(object interface{}, msgAndArgs ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + Empty(a.t, object, msgAndArgs...) +} + +// Emptyf asserts that the given value is "empty". +// +// [Zero values] are "empty". +// +// Arrays are "empty" if every element is the zero value of the type (stricter than "empty"). +// +// Slices, maps and channels with zero length are "empty". +// +// Pointer values are "empty" if the pointer is nil or if the pointed value is "empty". +// +// a.Emptyf(obj, "error message %s", "formatted") +// +// [Zero values]: https://go.dev/ref/spec#The_zero_value +func (a *Assertions) Emptyf(object interface{}, msg string, args ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + Emptyf(a.t, object, msg, args...) +} + +// Equal asserts that two objects are equal. +// +// a.Equal(123, 123) +// +// Pointer variable equality is determined based on the equality of the +// referenced values (as opposed to the memory addresses). Function equality +// cannot be determined and will always fail. +func (a *Assertions) Equal(expected interface{}, actual interface{}, msgAndArgs ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + Equal(a.t, expected, actual, msgAndArgs...) +} + +// EqualError asserts that a function returned an error (i.e. not `nil`) +// and that it is equal to the provided error. +// +// actualObj, err := SomeFunction() +// a.EqualError(err, expectedErrorString) +func (a *Assertions) EqualError(theError error, errString string, msgAndArgs ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + EqualError(a.t, theError, errString, msgAndArgs...) +} + +// EqualErrorf asserts that a function returned an error (i.e. not `nil`) +// and that it is equal to the provided error. +// +// actualObj, err := SomeFunction() +// a.EqualErrorf(err, expectedErrorString, "error message %s", "formatted") +func (a *Assertions) EqualErrorf(theError error, errString string, msg string, args ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + EqualErrorf(a.t, theError, errString, msg, args...) +} + +// EqualExportedValues asserts that the types of two objects are equal and their public +// fields are also equal. This is useful for comparing structs that have private fields +// that could potentially differ. +// +// type S struct { +// Exported int +// notExported int +// } +// a.EqualExportedValues(S{1, 2}, S{1, 3}) => true +// a.EqualExportedValues(S{1, 2}, S{2, 3}) => false +func (a *Assertions) EqualExportedValues(expected interface{}, actual interface{}, msgAndArgs ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + EqualExportedValues(a.t, expected, actual, msgAndArgs...) +} + +// EqualExportedValuesf asserts that the types of two objects are equal and their public +// fields are also equal. This is useful for comparing structs that have private fields +// that could potentially differ. +// +// type S struct { +// Exported int +// notExported int +// } +// a.EqualExportedValuesf(S{1, 2}, S{1, 3}, "error message %s", "formatted") => true +// a.EqualExportedValuesf(S{1, 2}, S{2, 3}, "error message %s", "formatted") => false +func (a *Assertions) EqualExportedValuesf(expected interface{}, actual interface{}, msg string, args ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + EqualExportedValuesf(a.t, expected, actual, msg, args...) +} + +// EqualValues asserts that two objects are equal or convertible to the larger +// type and equal. +// +// a.EqualValues(uint32(123), int32(123)) +func (a *Assertions) EqualValues(expected interface{}, actual interface{}, msgAndArgs ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + EqualValues(a.t, expected, actual, msgAndArgs...) +} + +// EqualValuesf asserts that two objects are equal or convertible to the larger +// type and equal. +// +// a.EqualValuesf(uint32(123), int32(123), "error message %s", "formatted") +func (a *Assertions) EqualValuesf(expected interface{}, actual interface{}, msg string, args ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + EqualValuesf(a.t, expected, actual, msg, args...) +} + +// Equalf asserts that two objects are equal. +// +// a.Equalf(123, 123, "error message %s", "formatted") +// +// Pointer variable equality is determined based on the equality of the +// referenced values (as opposed to the memory addresses). Function equality +// cannot be determined and will always fail. +func (a *Assertions) Equalf(expected interface{}, actual interface{}, msg string, args ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + Equalf(a.t, expected, actual, msg, args...) +} + +// Error asserts that a function returned an error (i.e. not `nil`). +// +// actualObj, err := SomeFunction() +// a.Error(err) +func (a *Assertions) Error(err error, msgAndArgs ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + Error(a.t, err, msgAndArgs...) +} + +// ErrorAs asserts that at least one of the errors in err's chain matches target, and if so, sets target to that error value. +// This is a wrapper for errors.As. +func (a *Assertions) ErrorAs(err error, target interface{}, msgAndArgs ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + ErrorAs(a.t, err, target, msgAndArgs...) +} + +// ErrorAsf asserts that at least one of the errors in err's chain matches target, and if so, sets target to that error value. +// This is a wrapper for errors.As. +func (a *Assertions) ErrorAsf(err error, target interface{}, msg string, args ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + ErrorAsf(a.t, err, target, msg, args...) +} + +// ErrorContains asserts that a function returned an error (i.e. not `nil`) +// and that the error contains the specified substring. +// +// actualObj, err := SomeFunction() +// a.ErrorContains(err, expectedErrorSubString) +func (a *Assertions) ErrorContains(theError error, contains string, msgAndArgs ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + ErrorContains(a.t, theError, contains, msgAndArgs...) +} + +// ErrorContainsf asserts that a function returned an error (i.e. not `nil`) +// and that the error contains the specified substring. +// +// actualObj, err := SomeFunction() +// a.ErrorContainsf(err, expectedErrorSubString, "error message %s", "formatted") +func (a *Assertions) ErrorContainsf(theError error, contains string, msg string, args ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + ErrorContainsf(a.t, theError, contains, msg, args...) +} + +// ErrorIs asserts that at least one of the errors in err's chain matches target. +// This is a wrapper for errors.Is. +func (a *Assertions) ErrorIs(err error, target error, msgAndArgs ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + ErrorIs(a.t, err, target, msgAndArgs...) +} + +// ErrorIsf asserts that at least one of the errors in err's chain matches target. +// This is a wrapper for errors.Is. +func (a *Assertions) ErrorIsf(err error, target error, msg string, args ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + ErrorIsf(a.t, err, target, msg, args...) +} + +// Errorf asserts that a function returned an error (i.e. not `nil`). +// +// actualObj, err := SomeFunction() +// a.Errorf(err, "error message %s", "formatted") +func (a *Assertions) Errorf(err error, msg string, args ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + Errorf(a.t, err, msg, args...) +} + +// Eventually asserts that given condition will be met in waitFor time, +// periodically checking target function each tick. +// +// a.Eventually(func() bool { return true; }, time.Second, 10*time.Millisecond) +func (a *Assertions) Eventually(condition func() bool, waitFor time.Duration, tick time.Duration, msgAndArgs ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + Eventually(a.t, condition, waitFor, tick, msgAndArgs...) +} + +// EventuallyWithT asserts that given condition will be met in waitFor time, +// periodically checking target function each tick. In contrast to Eventually, +// it supplies a CollectT to the condition function, so that the condition +// function can use the CollectT to call other assertions. +// The condition is considered "met" if no errors are raised in a tick. +// The supplied CollectT collects all errors from one tick (if there are any). +// If the condition is not met before waitFor, the collected errors of +// the last tick are copied to t. +// +// externalValue := false +// go func() { +// time.Sleep(8*time.Second) +// externalValue = true +// }() +// a.EventuallyWithT(func(c *assert.CollectT) { +// // add assertions as needed; any assertion failure will fail the current tick +// assert.True(c, externalValue, "expected 'externalValue' to be true") +// }, 10*time.Second, 1*time.Second, "external state has not changed to 'true'; still false") +func (a *Assertions) EventuallyWithT(condition func(collect *assert.CollectT), waitFor time.Duration, tick time.Duration, msgAndArgs ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + EventuallyWithT(a.t, condition, waitFor, tick, msgAndArgs...) +} + +// EventuallyWithTf asserts that given condition will be met in waitFor time, +// periodically checking target function each tick. In contrast to Eventually, +// it supplies a CollectT to the condition function, so that the condition +// function can use the CollectT to call other assertions. +// The condition is considered "met" if no errors are raised in a tick. +// The supplied CollectT collects all errors from one tick (if there are any). +// If the condition is not met before waitFor, the collected errors of +// the last tick are copied to t. +// +// externalValue := false +// go func() { +// time.Sleep(8*time.Second) +// externalValue = true +// }() +// a.EventuallyWithTf(func(c *assert.CollectT, "error message %s", "formatted") { +// // add assertions as needed; any assertion failure will fail the current tick +// assert.True(c, externalValue, "expected 'externalValue' to be true") +// }, 10*time.Second, 1*time.Second, "external state has not changed to 'true'; still false") +func (a *Assertions) EventuallyWithTf(condition func(collect *assert.CollectT), waitFor time.Duration, tick time.Duration, msg string, args ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + EventuallyWithTf(a.t, condition, waitFor, tick, msg, args...) +} + +// Eventuallyf asserts that given condition will be met in waitFor time, +// periodically checking target function each tick. +// +// a.Eventuallyf(func() bool { return true; }, time.Second, 10*time.Millisecond, "error message %s", "formatted") +func (a *Assertions) Eventuallyf(condition func() bool, waitFor time.Duration, tick time.Duration, msg string, args ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + Eventuallyf(a.t, condition, waitFor, tick, msg, args...) +} + +// Exactly asserts that two objects are equal in value and type. +// +// a.Exactly(int32(123), int64(123)) +func (a *Assertions) Exactly(expected interface{}, actual interface{}, msgAndArgs ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + Exactly(a.t, expected, actual, msgAndArgs...) +} + +// Exactlyf asserts that two objects are equal in value and type. +// +// a.Exactlyf(int32(123), int64(123), "error message %s", "formatted") +func (a *Assertions) Exactlyf(expected interface{}, actual interface{}, msg string, args ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + Exactlyf(a.t, expected, actual, msg, args...) +} + +// Fail reports a failure through +func (a *Assertions) Fail(failureMessage string, msgAndArgs ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + Fail(a.t, failureMessage, msgAndArgs...) +} + +// FailNow fails test +func (a *Assertions) FailNow(failureMessage string, msgAndArgs ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + FailNow(a.t, failureMessage, msgAndArgs...) +} + +// FailNowf fails test +func (a *Assertions) FailNowf(failureMessage string, msg string, args ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + FailNowf(a.t, failureMessage, msg, args...) +} + +// Failf reports a failure through +func (a *Assertions) Failf(failureMessage string, msg string, args ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + Failf(a.t, failureMessage, msg, args...) +} + +// False asserts that the specified value is false. +// +// a.False(myBool) +func (a *Assertions) False(value bool, msgAndArgs ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + False(a.t, value, msgAndArgs...) +} + +// Falsef asserts that the specified value is false. +// +// a.Falsef(myBool, "error message %s", "formatted") +func (a *Assertions) Falsef(value bool, msg string, args ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + Falsef(a.t, value, msg, args...) +} + +// FileExists checks whether a file exists in the given path. It also fails if +// the path points to a directory or there is an error when trying to check the file. +func (a *Assertions) FileExists(path string, msgAndArgs ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + FileExists(a.t, path, msgAndArgs...) +} + +// FileExistsf checks whether a file exists in the given path. It also fails if +// the path points to a directory or there is an error when trying to check the file. +func (a *Assertions) FileExistsf(path string, msg string, args ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + FileExistsf(a.t, path, msg, args...) +} + +// Greater asserts that the first element is greater than the second +// +// a.Greater(2, 1) +// a.Greater(float64(2), float64(1)) +// a.Greater("b", "a") +func (a *Assertions) Greater(e1 interface{}, e2 interface{}, msgAndArgs ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + Greater(a.t, e1, e2, msgAndArgs...) +} + +// GreaterOrEqual asserts that the first element is greater than or equal to the second +// +// a.GreaterOrEqual(2, 1) +// a.GreaterOrEqual(2, 2) +// a.GreaterOrEqual("b", "a") +// a.GreaterOrEqual("b", "b") +func (a *Assertions) GreaterOrEqual(e1 interface{}, e2 interface{}, msgAndArgs ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + GreaterOrEqual(a.t, e1, e2, msgAndArgs...) +} + +// GreaterOrEqualf asserts that the first element is greater than or equal to the second +// +// a.GreaterOrEqualf(2, 1, "error message %s", "formatted") +// a.GreaterOrEqualf(2, 2, "error message %s", "formatted") +// a.GreaterOrEqualf("b", "a", "error message %s", "formatted") +// a.GreaterOrEqualf("b", "b", "error message %s", "formatted") +func (a *Assertions) GreaterOrEqualf(e1 interface{}, e2 interface{}, msg string, args ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + GreaterOrEqualf(a.t, e1, e2, msg, args...) +} + +// Greaterf asserts that the first element is greater than the second +// +// a.Greaterf(2, 1, "error message %s", "formatted") +// a.Greaterf(float64(2), float64(1), "error message %s", "formatted") +// a.Greaterf("b", "a", "error message %s", "formatted") +func (a *Assertions) Greaterf(e1 interface{}, e2 interface{}, msg string, args ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + Greaterf(a.t, e1, e2, msg, args...) +} + +// HTTPBodyContains asserts that a specified handler returns a +// body that contains a string. +// +// a.HTTPBodyContains(myHandler, "GET", "www.google.com", nil, "I'm Feeling Lucky") +// +// Returns whether the assertion was successful (true) or not (false). +func (a *Assertions) HTTPBodyContains(handler http.HandlerFunc, method string, url string, values url.Values, str interface{}, msgAndArgs ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + HTTPBodyContains(a.t, handler, method, url, values, str, msgAndArgs...) +} + +// HTTPBodyContainsf asserts that a specified handler returns a +// body that contains a string. +// +// a.HTTPBodyContainsf(myHandler, "GET", "www.google.com", nil, "I'm Feeling Lucky", "error message %s", "formatted") +// +// Returns whether the assertion was successful (true) or not (false). +func (a *Assertions) HTTPBodyContainsf(handler http.HandlerFunc, method string, url string, values url.Values, str interface{}, msg string, args ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + HTTPBodyContainsf(a.t, handler, method, url, values, str, msg, args...) +} + +// HTTPBodyNotContains asserts that a specified handler returns a +// body that does not contain a string. +// +// a.HTTPBodyNotContains(myHandler, "GET", "www.google.com", nil, "I'm Feeling Lucky") +// +// Returns whether the assertion was successful (true) or not (false). +func (a *Assertions) HTTPBodyNotContains(handler http.HandlerFunc, method string, url string, values url.Values, str interface{}, msgAndArgs ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + HTTPBodyNotContains(a.t, handler, method, url, values, str, msgAndArgs...) +} + +// HTTPBodyNotContainsf asserts that a specified handler returns a +// body that does not contain a string. +// +// a.HTTPBodyNotContainsf(myHandler, "GET", "www.google.com", nil, "I'm Feeling Lucky", "error message %s", "formatted") +// +// Returns whether the assertion was successful (true) or not (false). +func (a *Assertions) HTTPBodyNotContainsf(handler http.HandlerFunc, method string, url string, values url.Values, str interface{}, msg string, args ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + HTTPBodyNotContainsf(a.t, handler, method, url, values, str, msg, args...) +} + +// HTTPError asserts that a specified handler returns an error status code. +// +// a.HTTPError(myHandler, "POST", "/a/b/c", url.Values{"a": []string{"b", "c"}} +// +// Returns whether the assertion was successful (true) or not (false). +func (a *Assertions) HTTPError(handler http.HandlerFunc, method string, url string, values url.Values, msgAndArgs ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + HTTPError(a.t, handler, method, url, values, msgAndArgs...) +} + +// HTTPErrorf asserts that a specified handler returns an error status code. +// +// a.HTTPErrorf(myHandler, "POST", "/a/b/c", url.Values{"a": []string{"b", "c"}} +// +// Returns whether the assertion was successful (true) or not (false). +func (a *Assertions) HTTPErrorf(handler http.HandlerFunc, method string, url string, values url.Values, msg string, args ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + HTTPErrorf(a.t, handler, method, url, values, msg, args...) +} + +// HTTPRedirect asserts that a specified handler returns a redirect status code. +// +// a.HTTPRedirect(myHandler, "GET", "/a/b/c", url.Values{"a": []string{"b", "c"}} +// +// Returns whether the assertion was successful (true) or not (false). +func (a *Assertions) HTTPRedirect(handler http.HandlerFunc, method string, url string, values url.Values, msgAndArgs ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + HTTPRedirect(a.t, handler, method, url, values, msgAndArgs...) +} + +// HTTPRedirectf asserts that a specified handler returns a redirect status code. +// +// a.HTTPRedirectf(myHandler, "GET", "/a/b/c", url.Values{"a": []string{"b", "c"}} +// +// Returns whether the assertion was successful (true) or not (false). +func (a *Assertions) HTTPRedirectf(handler http.HandlerFunc, method string, url string, values url.Values, msg string, args ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + HTTPRedirectf(a.t, handler, method, url, values, msg, args...) +} + +// HTTPStatusCode asserts that a specified handler returns a specified status code. +// +// a.HTTPStatusCode(myHandler, "GET", "/notImplemented", nil, 501) +// +// Returns whether the assertion was successful (true) or not (false). +func (a *Assertions) HTTPStatusCode(handler http.HandlerFunc, method string, url string, values url.Values, statuscode int, msgAndArgs ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + HTTPStatusCode(a.t, handler, method, url, values, statuscode, msgAndArgs...) +} + +// HTTPStatusCodef asserts that a specified handler returns a specified status code. +// +// a.HTTPStatusCodef(myHandler, "GET", "/notImplemented", nil, 501, "error message %s", "formatted") +// +// Returns whether the assertion was successful (true) or not (false). +func (a *Assertions) HTTPStatusCodef(handler http.HandlerFunc, method string, url string, values url.Values, statuscode int, msg string, args ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + HTTPStatusCodef(a.t, handler, method, url, values, statuscode, msg, args...) +} + +// HTTPSuccess asserts that a specified handler returns a success status code. +// +// a.HTTPSuccess(myHandler, "POST", "http://www.google.com", nil) +// +// Returns whether the assertion was successful (true) or not (false). +func (a *Assertions) HTTPSuccess(handler http.HandlerFunc, method string, url string, values url.Values, msgAndArgs ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + HTTPSuccess(a.t, handler, method, url, values, msgAndArgs...) +} + +// HTTPSuccessf asserts that a specified handler returns a success status code. +// +// a.HTTPSuccessf(myHandler, "POST", "http://www.google.com", nil, "error message %s", "formatted") +// +// Returns whether the assertion was successful (true) or not (false). +func (a *Assertions) HTTPSuccessf(handler http.HandlerFunc, method string, url string, values url.Values, msg string, args ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + HTTPSuccessf(a.t, handler, method, url, values, msg, args...) +} + +// Implements asserts that an object is implemented by the specified interface. +// +// a.Implements((*MyInterface)(nil), new(MyObject)) +func (a *Assertions) Implements(interfaceObject interface{}, object interface{}, msgAndArgs ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + Implements(a.t, interfaceObject, object, msgAndArgs...) +} + +// Implementsf asserts that an object is implemented by the specified interface. +// +// a.Implementsf((*MyInterface)(nil), new(MyObject), "error message %s", "formatted") +func (a *Assertions) Implementsf(interfaceObject interface{}, object interface{}, msg string, args ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + Implementsf(a.t, interfaceObject, object, msg, args...) +} + +// InDelta asserts that the two numerals are within delta of each other. +// +// a.InDelta(math.Pi, 22/7.0, 0.01) +func (a *Assertions) InDelta(expected interface{}, actual interface{}, delta float64, msgAndArgs ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + InDelta(a.t, expected, actual, delta, msgAndArgs...) +} + +// InDeltaMapValues is the same as InDelta, but it compares all values between two maps. Both maps must have exactly the same keys. +func (a *Assertions) InDeltaMapValues(expected interface{}, actual interface{}, delta float64, msgAndArgs ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + InDeltaMapValues(a.t, expected, actual, delta, msgAndArgs...) +} + +// InDeltaMapValuesf is the same as InDelta, but it compares all values between two maps. Both maps must have exactly the same keys. +func (a *Assertions) InDeltaMapValuesf(expected interface{}, actual interface{}, delta float64, msg string, args ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + InDeltaMapValuesf(a.t, expected, actual, delta, msg, args...) +} + +// InDeltaSlice is the same as InDelta, except it compares two slices. +func (a *Assertions) InDeltaSlice(expected interface{}, actual interface{}, delta float64, msgAndArgs ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + InDeltaSlice(a.t, expected, actual, delta, msgAndArgs...) +} + +// InDeltaSlicef is the same as InDelta, except it compares two slices. +func (a *Assertions) InDeltaSlicef(expected interface{}, actual interface{}, delta float64, msg string, args ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + InDeltaSlicef(a.t, expected, actual, delta, msg, args...) +} + +// InDeltaf asserts that the two numerals are within delta of each other. +// +// a.InDeltaf(math.Pi, 22/7.0, 0.01, "error message %s", "formatted") +func (a *Assertions) InDeltaf(expected interface{}, actual interface{}, delta float64, msg string, args ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + InDeltaf(a.t, expected, actual, delta, msg, args...) +} + +// InEpsilon asserts that expected and actual have a relative error less than epsilon +func (a *Assertions) InEpsilon(expected interface{}, actual interface{}, epsilon float64, msgAndArgs ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + InEpsilon(a.t, expected, actual, epsilon, msgAndArgs...) +} + +// InEpsilonSlice is the same as InEpsilon, except it compares each value from two slices. +func (a *Assertions) InEpsilonSlice(expected interface{}, actual interface{}, epsilon float64, msgAndArgs ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + InEpsilonSlice(a.t, expected, actual, epsilon, msgAndArgs...) +} + +// InEpsilonSlicef is the same as InEpsilon, except it compares each value from two slices. +func (a *Assertions) InEpsilonSlicef(expected interface{}, actual interface{}, epsilon float64, msg string, args ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + InEpsilonSlicef(a.t, expected, actual, epsilon, msg, args...) +} + +// InEpsilonf asserts that expected and actual have a relative error less than epsilon +func (a *Assertions) InEpsilonf(expected interface{}, actual interface{}, epsilon float64, msg string, args ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + InEpsilonf(a.t, expected, actual, epsilon, msg, args...) +} + +// IsDecreasing asserts that the collection is decreasing +// +// a.IsDecreasing([]int{2, 1, 0}) +// a.IsDecreasing([]float{2, 1}) +// a.IsDecreasing([]string{"b", "a"}) +func (a *Assertions) IsDecreasing(object interface{}, msgAndArgs ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + IsDecreasing(a.t, object, msgAndArgs...) +} + +// IsDecreasingf asserts that the collection is decreasing +// +// a.IsDecreasingf([]int{2, 1, 0}, "error message %s", "formatted") +// a.IsDecreasingf([]float{2, 1}, "error message %s", "formatted") +// a.IsDecreasingf([]string{"b", "a"}, "error message %s", "formatted") +func (a *Assertions) IsDecreasingf(object interface{}, msg string, args ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + IsDecreasingf(a.t, object, msg, args...) +} + +// IsIncreasing asserts that the collection is increasing +// +// a.IsIncreasing([]int{1, 2, 3}) +// a.IsIncreasing([]float{1, 2}) +// a.IsIncreasing([]string{"a", "b"}) +func (a *Assertions) IsIncreasing(object interface{}, msgAndArgs ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + IsIncreasing(a.t, object, msgAndArgs...) +} + +// IsIncreasingf asserts that the collection is increasing +// +// a.IsIncreasingf([]int{1, 2, 3}, "error message %s", "formatted") +// a.IsIncreasingf([]float{1, 2}, "error message %s", "formatted") +// a.IsIncreasingf([]string{"a", "b"}, "error message %s", "formatted") +func (a *Assertions) IsIncreasingf(object interface{}, msg string, args ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + IsIncreasingf(a.t, object, msg, args...) +} + +// IsNonDecreasing asserts that the collection is not decreasing +// +// a.IsNonDecreasing([]int{1, 1, 2}) +// a.IsNonDecreasing([]float{1, 2}) +// a.IsNonDecreasing([]string{"a", "b"}) +func (a *Assertions) IsNonDecreasing(object interface{}, msgAndArgs ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + IsNonDecreasing(a.t, object, msgAndArgs...) +} + +// IsNonDecreasingf asserts that the collection is not decreasing +// +// a.IsNonDecreasingf([]int{1, 1, 2}, "error message %s", "formatted") +// a.IsNonDecreasingf([]float{1, 2}, "error message %s", "formatted") +// a.IsNonDecreasingf([]string{"a", "b"}, "error message %s", "formatted") +func (a *Assertions) IsNonDecreasingf(object interface{}, msg string, args ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + IsNonDecreasingf(a.t, object, msg, args...) +} + +// IsNonIncreasing asserts that the collection is not increasing +// +// a.IsNonIncreasing([]int{2, 1, 1}) +// a.IsNonIncreasing([]float{2, 1}) +// a.IsNonIncreasing([]string{"b", "a"}) +func (a *Assertions) IsNonIncreasing(object interface{}, msgAndArgs ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + IsNonIncreasing(a.t, object, msgAndArgs...) +} + +// IsNonIncreasingf asserts that the collection is not increasing +// +// a.IsNonIncreasingf([]int{2, 1, 1}, "error message %s", "formatted") +// a.IsNonIncreasingf([]float{2, 1}, "error message %s", "formatted") +// a.IsNonIncreasingf([]string{"b", "a"}, "error message %s", "formatted") +func (a *Assertions) IsNonIncreasingf(object interface{}, msg string, args ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + IsNonIncreasingf(a.t, object, msg, args...) +} + +// IsNotType asserts that the specified objects are not of the same type. +// +// a.IsNotType(&NotMyStruct{}, &MyStruct{}) +func (a *Assertions) IsNotType(theType interface{}, object interface{}, msgAndArgs ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + IsNotType(a.t, theType, object, msgAndArgs...) +} + +// IsNotTypef asserts that the specified objects are not of the same type. +// +// a.IsNotTypef(&NotMyStruct{}, &MyStruct{}, "error message %s", "formatted") +func (a *Assertions) IsNotTypef(theType interface{}, object interface{}, msg string, args ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + IsNotTypef(a.t, theType, object, msg, args...) +} + +// IsType asserts that the specified objects are of the same type. +// +// a.IsType(&MyStruct{}, &MyStruct{}) +func (a *Assertions) IsType(expectedType interface{}, object interface{}, msgAndArgs ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + IsType(a.t, expectedType, object, msgAndArgs...) +} + +// IsTypef asserts that the specified objects are of the same type. +// +// a.IsTypef(&MyStruct{}, &MyStruct{}, "error message %s", "formatted") +func (a *Assertions) IsTypef(expectedType interface{}, object interface{}, msg string, args ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + IsTypef(a.t, expectedType, object, msg, args...) +} + +// JSONEq asserts that two JSON strings are equivalent. +// +// a.JSONEq(`{"hello": "world", "foo": "bar"}`, `{"foo": "bar", "hello": "world"}`) +func (a *Assertions) JSONEq(expected string, actual string, msgAndArgs ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + JSONEq(a.t, expected, actual, msgAndArgs...) +} + +// JSONEqf asserts that two JSON strings are equivalent. +// +// a.JSONEqf(`{"hello": "world", "foo": "bar"}`, `{"foo": "bar", "hello": "world"}`, "error message %s", "formatted") +func (a *Assertions) JSONEqf(expected string, actual string, msg string, args ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + JSONEqf(a.t, expected, actual, msg, args...) +} + +// Len asserts that the specified object has specific length. +// Len also fails if the object has a type that len() not accept. +// +// a.Len(mySlice, 3) +func (a *Assertions) Len(object interface{}, length int, msgAndArgs ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + Len(a.t, object, length, msgAndArgs...) +} + +// Lenf asserts that the specified object has specific length. +// Lenf also fails if the object has a type that len() not accept. +// +// a.Lenf(mySlice, 3, "error message %s", "formatted") +func (a *Assertions) Lenf(object interface{}, length int, msg string, args ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + Lenf(a.t, object, length, msg, args...) +} + +// Less asserts that the first element is less than the second +// +// a.Less(1, 2) +// a.Less(float64(1), float64(2)) +// a.Less("a", "b") +func (a *Assertions) Less(e1 interface{}, e2 interface{}, msgAndArgs ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + Less(a.t, e1, e2, msgAndArgs...) +} + +// LessOrEqual asserts that the first element is less than or equal to the second +// +// a.LessOrEqual(1, 2) +// a.LessOrEqual(2, 2) +// a.LessOrEqual("a", "b") +// a.LessOrEqual("b", "b") +func (a *Assertions) LessOrEqual(e1 interface{}, e2 interface{}, msgAndArgs ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + LessOrEqual(a.t, e1, e2, msgAndArgs...) +} + +// LessOrEqualf asserts that the first element is less than or equal to the second +// +// a.LessOrEqualf(1, 2, "error message %s", "formatted") +// a.LessOrEqualf(2, 2, "error message %s", "formatted") +// a.LessOrEqualf("a", "b", "error message %s", "formatted") +// a.LessOrEqualf("b", "b", "error message %s", "formatted") +func (a *Assertions) LessOrEqualf(e1 interface{}, e2 interface{}, msg string, args ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + LessOrEqualf(a.t, e1, e2, msg, args...) +} + +// Lessf asserts that the first element is less than the second +// +// a.Lessf(1, 2, "error message %s", "formatted") +// a.Lessf(float64(1), float64(2), "error message %s", "formatted") +// a.Lessf("a", "b", "error message %s", "formatted") +func (a *Assertions) Lessf(e1 interface{}, e2 interface{}, msg string, args ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + Lessf(a.t, e1, e2, msg, args...) +} + +// Negative asserts that the specified element is negative +// +// a.Negative(-1) +// a.Negative(-1.23) +func (a *Assertions) Negative(e interface{}, msgAndArgs ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + Negative(a.t, e, msgAndArgs...) +} + +// Negativef asserts that the specified element is negative +// +// a.Negativef(-1, "error message %s", "formatted") +// a.Negativef(-1.23, "error message %s", "formatted") +func (a *Assertions) Negativef(e interface{}, msg string, args ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + Negativef(a.t, e, msg, args...) +} + +// Never asserts that the given condition doesn't satisfy in waitFor time, +// periodically checking the target function each tick. +// +// a.Never(func() bool { return false; }, time.Second, 10*time.Millisecond) +func (a *Assertions) Never(condition func() bool, waitFor time.Duration, tick time.Duration, msgAndArgs ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + Never(a.t, condition, waitFor, tick, msgAndArgs...) +} + +// Neverf asserts that the given condition doesn't satisfy in waitFor time, +// periodically checking the target function each tick. +// +// a.Neverf(func() bool { return false; }, time.Second, 10*time.Millisecond, "error message %s", "formatted") +func (a *Assertions) Neverf(condition func() bool, waitFor time.Duration, tick time.Duration, msg string, args ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + Neverf(a.t, condition, waitFor, tick, msg, args...) +} + +// Nil asserts that the specified object is nil. +// +// a.Nil(err) +func (a *Assertions) Nil(object interface{}, msgAndArgs ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + Nil(a.t, object, msgAndArgs...) +} + +// Nilf asserts that the specified object is nil. +// +// a.Nilf(err, "error message %s", "formatted") +func (a *Assertions) Nilf(object interface{}, msg string, args ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + Nilf(a.t, object, msg, args...) +} + +// NoDirExists checks whether a directory does not exist in the given path. +// It fails if the path points to an existing _directory_ only. +func (a *Assertions) NoDirExists(path string, msgAndArgs ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + NoDirExists(a.t, path, msgAndArgs...) +} + +// NoDirExistsf checks whether a directory does not exist in the given path. +// It fails if the path points to an existing _directory_ only. +func (a *Assertions) NoDirExistsf(path string, msg string, args ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + NoDirExistsf(a.t, path, msg, args...) +} + +// NoError asserts that a function returned no error (i.e. `nil`). +// +// actualObj, err := SomeFunction() +// if a.NoError(err) { +// assert.Equal(t, expectedObj, actualObj) +// } +func (a *Assertions) NoError(err error, msgAndArgs ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + NoError(a.t, err, msgAndArgs...) +} + +// NoErrorf asserts that a function returned no error (i.e. `nil`). +// +// actualObj, err := SomeFunction() +// if a.NoErrorf(err, "error message %s", "formatted") { +// assert.Equal(t, expectedObj, actualObj) +// } +func (a *Assertions) NoErrorf(err error, msg string, args ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + NoErrorf(a.t, err, msg, args...) +} + +// NoFileExists checks whether a file does not exist in a given path. It fails +// if the path points to an existing _file_ only. +func (a *Assertions) NoFileExists(path string, msgAndArgs ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + NoFileExists(a.t, path, msgAndArgs...) +} + +// NoFileExistsf checks whether a file does not exist in a given path. It fails +// if the path points to an existing _file_ only. +func (a *Assertions) NoFileExistsf(path string, msg string, args ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + NoFileExistsf(a.t, path, msg, args...) +} + +// NotContains asserts that the specified string, list(array, slice...) or map does NOT contain the +// specified substring or element. +// +// a.NotContains("Hello World", "Earth") +// a.NotContains(["Hello", "World"], "Earth") +// a.NotContains({"Hello": "World"}, "Earth") +func (a *Assertions) NotContains(s interface{}, contains interface{}, msgAndArgs ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + NotContains(a.t, s, contains, msgAndArgs...) +} + +// NotContainsf asserts that the specified string, list(array, slice...) or map does NOT contain the +// specified substring or element. +// +// a.NotContainsf("Hello World", "Earth", "error message %s", "formatted") +// a.NotContainsf(["Hello", "World"], "Earth", "error message %s", "formatted") +// a.NotContainsf({"Hello": "World"}, "Earth", "error message %s", "formatted") +func (a *Assertions) NotContainsf(s interface{}, contains interface{}, msg string, args ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + NotContainsf(a.t, s, contains, msg, args...) +} + +// NotElementsMatch asserts that the specified listA(array, slice...) is NOT equal to specified +// listB(array, slice...) ignoring the order of the elements. If there are duplicate elements, +// the number of appearances of each of them in both lists should not match. +// This is an inverse of ElementsMatch. +// +// a.NotElementsMatch([1, 1, 2, 3], [1, 1, 2, 3]) -> false +// +// a.NotElementsMatch([1, 1, 2, 3], [1, 2, 3]) -> true +// +// a.NotElementsMatch([1, 2, 3], [1, 2, 4]) -> true +func (a *Assertions) NotElementsMatch(listA interface{}, listB interface{}, msgAndArgs ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + NotElementsMatch(a.t, listA, listB, msgAndArgs...) +} + +// NotElementsMatchf asserts that the specified listA(array, slice...) is NOT equal to specified +// listB(array, slice...) ignoring the order of the elements. If there are duplicate elements, +// the number of appearances of each of them in both lists should not match. +// This is an inverse of ElementsMatch. +// +// a.NotElementsMatchf([1, 1, 2, 3], [1, 1, 2, 3], "error message %s", "formatted") -> false +// +// a.NotElementsMatchf([1, 1, 2, 3], [1, 2, 3], "error message %s", "formatted") -> true +// +// a.NotElementsMatchf([1, 2, 3], [1, 2, 4], "error message %s", "formatted") -> true +func (a *Assertions) NotElementsMatchf(listA interface{}, listB interface{}, msg string, args ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + NotElementsMatchf(a.t, listA, listB, msg, args...) +} + +// NotEmpty asserts that the specified object is NOT [Empty]. +// +// if a.NotEmpty(obj) { +// assert.Equal(t, "two", obj[1]) +// } +func (a *Assertions) NotEmpty(object interface{}, msgAndArgs ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + NotEmpty(a.t, object, msgAndArgs...) +} + +// NotEmptyf asserts that the specified object is NOT [Empty]. +// +// if a.NotEmptyf(obj, "error message %s", "formatted") { +// assert.Equal(t, "two", obj[1]) +// } +func (a *Assertions) NotEmptyf(object interface{}, msg string, args ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + NotEmptyf(a.t, object, msg, args...) +} + +// NotEqual asserts that the specified values are NOT equal. +// +// a.NotEqual(obj1, obj2) +// +// Pointer variable equality is determined based on the equality of the +// referenced values (as opposed to the memory addresses). +func (a *Assertions) NotEqual(expected interface{}, actual interface{}, msgAndArgs ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + NotEqual(a.t, expected, actual, msgAndArgs...) +} + +// NotEqualValues asserts that two objects are not equal even when converted to the same type +// +// a.NotEqualValues(obj1, obj2) +func (a *Assertions) NotEqualValues(expected interface{}, actual interface{}, msgAndArgs ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + NotEqualValues(a.t, expected, actual, msgAndArgs...) +} + +// NotEqualValuesf asserts that two objects are not equal even when converted to the same type +// +// a.NotEqualValuesf(obj1, obj2, "error message %s", "formatted") +func (a *Assertions) NotEqualValuesf(expected interface{}, actual interface{}, msg string, args ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + NotEqualValuesf(a.t, expected, actual, msg, args...) +} + +// NotEqualf asserts that the specified values are NOT equal. +// +// a.NotEqualf(obj1, obj2, "error message %s", "formatted") +// +// Pointer variable equality is determined based on the equality of the +// referenced values (as opposed to the memory addresses). +func (a *Assertions) NotEqualf(expected interface{}, actual interface{}, msg string, args ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + NotEqualf(a.t, expected, actual, msg, args...) +} + +// NotErrorAs asserts that none of the errors in err's chain matches target, +// but if so, sets target to that error value. +func (a *Assertions) NotErrorAs(err error, target interface{}, msgAndArgs ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + NotErrorAs(a.t, err, target, msgAndArgs...) +} + +// NotErrorAsf asserts that none of the errors in err's chain matches target, +// but if so, sets target to that error value. +func (a *Assertions) NotErrorAsf(err error, target interface{}, msg string, args ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + NotErrorAsf(a.t, err, target, msg, args...) +} + +// NotErrorIs asserts that none of the errors in err's chain matches target. +// This is a wrapper for errors.Is. +func (a *Assertions) NotErrorIs(err error, target error, msgAndArgs ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + NotErrorIs(a.t, err, target, msgAndArgs...) +} + +// NotErrorIsf asserts that none of the errors in err's chain matches target. +// This is a wrapper for errors.Is. +func (a *Assertions) NotErrorIsf(err error, target error, msg string, args ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + NotErrorIsf(a.t, err, target, msg, args...) +} + +// NotImplements asserts that an object does not implement the specified interface. +// +// a.NotImplements((*MyInterface)(nil), new(MyObject)) +func (a *Assertions) NotImplements(interfaceObject interface{}, object interface{}, msgAndArgs ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + NotImplements(a.t, interfaceObject, object, msgAndArgs...) +} + +// NotImplementsf asserts that an object does not implement the specified interface. +// +// a.NotImplementsf((*MyInterface)(nil), new(MyObject), "error message %s", "formatted") +func (a *Assertions) NotImplementsf(interfaceObject interface{}, object interface{}, msg string, args ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + NotImplementsf(a.t, interfaceObject, object, msg, args...) +} + +// NotNil asserts that the specified object is not nil. +// +// a.NotNil(err) +func (a *Assertions) NotNil(object interface{}, msgAndArgs ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + NotNil(a.t, object, msgAndArgs...) +} + +// NotNilf asserts that the specified object is not nil. +// +// a.NotNilf(err, "error message %s", "formatted") +func (a *Assertions) NotNilf(object interface{}, msg string, args ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + NotNilf(a.t, object, msg, args...) +} + +// NotPanics asserts that the code inside the specified PanicTestFunc does NOT panic. +// +// a.NotPanics(func(){ RemainCalm() }) +func (a *Assertions) NotPanics(f assert.PanicTestFunc, msgAndArgs ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + NotPanics(a.t, f, msgAndArgs...) +} + +// NotPanicsf asserts that the code inside the specified PanicTestFunc does NOT panic. +// +// a.NotPanicsf(func(){ RemainCalm() }, "error message %s", "formatted") +func (a *Assertions) NotPanicsf(f assert.PanicTestFunc, msg string, args ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + NotPanicsf(a.t, f, msg, args...) +} + +// NotRegexp asserts that a specified regexp does not match a string. +// +// a.NotRegexp(regexp.MustCompile("starts"), "it's starting") +// a.NotRegexp("^start", "it's not starting") +func (a *Assertions) NotRegexp(rx interface{}, str interface{}, msgAndArgs ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + NotRegexp(a.t, rx, str, msgAndArgs...) +} + +// NotRegexpf asserts that a specified regexp does not match a string. +// +// a.NotRegexpf(regexp.MustCompile("starts"), "it's starting", "error message %s", "formatted") +// a.NotRegexpf("^start", "it's not starting", "error message %s", "formatted") +func (a *Assertions) NotRegexpf(rx interface{}, str interface{}, msg string, args ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + NotRegexpf(a.t, rx, str, msg, args...) +} + +// NotSame asserts that two pointers do not reference the same object. +// +// a.NotSame(ptr1, ptr2) +// +// Both arguments must be pointer variables. Pointer variable sameness is +// determined based on the equality of both type and value. +func (a *Assertions) NotSame(expected interface{}, actual interface{}, msgAndArgs ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + NotSame(a.t, expected, actual, msgAndArgs...) +} + +// NotSamef asserts that two pointers do not reference the same object. +// +// a.NotSamef(ptr1, ptr2, "error message %s", "formatted") +// +// Both arguments must be pointer variables. Pointer variable sameness is +// determined based on the equality of both type and value. +func (a *Assertions) NotSamef(expected interface{}, actual interface{}, msg string, args ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + NotSamef(a.t, expected, actual, msg, args...) +} + +// NotSubset asserts that the list (array, slice, or map) does NOT contain all +// elements given in the subset (array, slice, or map). +// Map elements are key-value pairs unless compared with an array or slice where +// only the map key is evaluated. +// +// a.NotSubset([1, 3, 4], [1, 2]) +// a.NotSubset({"x": 1, "y": 2}, {"z": 3}) +// a.NotSubset([1, 3, 4], {1: "one", 2: "two"}) +// a.NotSubset({"x": 1, "y": 2}, ["z"]) +func (a *Assertions) NotSubset(list interface{}, subset interface{}, msgAndArgs ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + NotSubset(a.t, list, subset, msgAndArgs...) +} + +// NotSubsetf asserts that the list (array, slice, or map) does NOT contain all +// elements given in the subset (array, slice, or map). +// Map elements are key-value pairs unless compared with an array or slice where +// only the map key is evaluated. +// +// a.NotSubsetf([1, 3, 4], [1, 2], "error message %s", "formatted") +// a.NotSubsetf({"x": 1, "y": 2}, {"z": 3}, "error message %s", "formatted") +// a.NotSubsetf([1, 3, 4], {1: "one", 2: "two"}, "error message %s", "formatted") +// a.NotSubsetf({"x": 1, "y": 2}, ["z"], "error message %s", "formatted") +func (a *Assertions) NotSubsetf(list interface{}, subset interface{}, msg string, args ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + NotSubsetf(a.t, list, subset, msg, args...) +} + +// NotZero asserts that i is not the zero value for its type. +func (a *Assertions) NotZero(i interface{}, msgAndArgs ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + NotZero(a.t, i, msgAndArgs...) +} + +// NotZerof asserts that i is not the zero value for its type. +func (a *Assertions) NotZerof(i interface{}, msg string, args ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + NotZerof(a.t, i, msg, args...) +} + +// Panics asserts that the code inside the specified PanicTestFunc panics. +// +// a.Panics(func(){ GoCrazy() }) +func (a *Assertions) Panics(f assert.PanicTestFunc, msgAndArgs ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + Panics(a.t, f, msgAndArgs...) +} + +// PanicsWithError asserts that the code inside the specified PanicTestFunc +// panics, and that the recovered panic value is an error that satisfies the +// EqualError comparison. +// +// a.PanicsWithError("crazy error", func(){ GoCrazy() }) +func (a *Assertions) PanicsWithError(errString string, f assert.PanicTestFunc, msgAndArgs ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + PanicsWithError(a.t, errString, f, msgAndArgs...) +} + +// PanicsWithErrorf asserts that the code inside the specified PanicTestFunc +// panics, and that the recovered panic value is an error that satisfies the +// EqualError comparison. +// +// a.PanicsWithErrorf("crazy error", func(){ GoCrazy() }, "error message %s", "formatted") +func (a *Assertions) PanicsWithErrorf(errString string, f assert.PanicTestFunc, msg string, args ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + PanicsWithErrorf(a.t, errString, f, msg, args...) +} + +// PanicsWithValue asserts that the code inside the specified PanicTestFunc panics, and that +// the recovered panic value equals the expected panic value. +// +// a.PanicsWithValue("crazy error", func(){ GoCrazy() }) +func (a *Assertions) PanicsWithValue(expected interface{}, f assert.PanicTestFunc, msgAndArgs ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + PanicsWithValue(a.t, expected, f, msgAndArgs...) +} + +// PanicsWithValuef asserts that the code inside the specified PanicTestFunc panics, and that +// the recovered panic value equals the expected panic value. +// +// a.PanicsWithValuef("crazy error", func(){ GoCrazy() }, "error message %s", "formatted") +func (a *Assertions) PanicsWithValuef(expected interface{}, f assert.PanicTestFunc, msg string, args ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + PanicsWithValuef(a.t, expected, f, msg, args...) +} + +// Panicsf asserts that the code inside the specified PanicTestFunc panics. +// +// a.Panicsf(func(){ GoCrazy() }, "error message %s", "formatted") +func (a *Assertions) Panicsf(f assert.PanicTestFunc, msg string, args ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + Panicsf(a.t, f, msg, args...) +} + +// Positive asserts that the specified element is positive +// +// a.Positive(1) +// a.Positive(1.23) +func (a *Assertions) Positive(e interface{}, msgAndArgs ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + Positive(a.t, e, msgAndArgs...) +} + +// Positivef asserts that the specified element is positive +// +// a.Positivef(1, "error message %s", "formatted") +// a.Positivef(1.23, "error message %s", "formatted") +func (a *Assertions) Positivef(e interface{}, msg string, args ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + Positivef(a.t, e, msg, args...) +} + +// Regexp asserts that a specified regexp matches a string. +// +// a.Regexp(regexp.MustCompile("start"), "it's starting") +// a.Regexp("start...$", "it's not starting") +func (a *Assertions) Regexp(rx interface{}, str interface{}, msgAndArgs ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + Regexp(a.t, rx, str, msgAndArgs...) +} + +// Regexpf asserts that a specified regexp matches a string. +// +// a.Regexpf(regexp.MustCompile("start"), "it's starting", "error message %s", "formatted") +// a.Regexpf("start...$", "it's not starting", "error message %s", "formatted") +func (a *Assertions) Regexpf(rx interface{}, str interface{}, msg string, args ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + Regexpf(a.t, rx, str, msg, args...) +} + +// Same asserts that two pointers reference the same object. +// +// a.Same(ptr1, ptr2) +// +// Both arguments must be pointer variables. Pointer variable sameness is +// determined based on the equality of both type and value. +func (a *Assertions) Same(expected interface{}, actual interface{}, msgAndArgs ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + Same(a.t, expected, actual, msgAndArgs...) +} + +// Samef asserts that two pointers reference the same object. +// +// a.Samef(ptr1, ptr2, "error message %s", "formatted") +// +// Both arguments must be pointer variables. Pointer variable sameness is +// determined based on the equality of both type and value. +func (a *Assertions) Samef(expected interface{}, actual interface{}, msg string, args ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + Samef(a.t, expected, actual, msg, args...) +} + +// Subset asserts that the list (array, slice, or map) contains all elements +// given in the subset (array, slice, or map). +// Map elements are key-value pairs unless compared with an array or slice where +// only the map key is evaluated. +// +// a.Subset([1, 2, 3], [1, 2]) +// a.Subset({"x": 1, "y": 2}, {"x": 1}) +// a.Subset([1, 2, 3], {1: "one", 2: "two"}) +// a.Subset({"x": 1, "y": 2}, ["x"]) +func (a *Assertions) Subset(list interface{}, subset interface{}, msgAndArgs ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + Subset(a.t, list, subset, msgAndArgs...) +} + +// Subsetf asserts that the list (array, slice, or map) contains all elements +// given in the subset (array, slice, or map). +// Map elements are key-value pairs unless compared with an array or slice where +// only the map key is evaluated. +// +// a.Subsetf([1, 2, 3], [1, 2], "error message %s", "formatted") +// a.Subsetf({"x": 1, "y": 2}, {"x": 1}, "error message %s", "formatted") +// a.Subsetf([1, 2, 3], {1: "one", 2: "two"}, "error message %s", "formatted") +// a.Subsetf({"x": 1, "y": 2}, ["x"], "error message %s", "formatted") +func (a *Assertions) Subsetf(list interface{}, subset interface{}, msg string, args ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + Subsetf(a.t, list, subset, msg, args...) +} + +// True asserts that the specified value is true. +// +// a.True(myBool) +func (a *Assertions) True(value bool, msgAndArgs ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + True(a.t, value, msgAndArgs...) +} + +// Truef asserts that the specified value is true. +// +// a.Truef(myBool, "error message %s", "formatted") +func (a *Assertions) Truef(value bool, msg string, args ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + Truef(a.t, value, msg, args...) +} + +// WithinDuration asserts that the two times are within duration delta of each other. +// +// a.WithinDuration(time.Now(), time.Now(), 10*time.Second) +func (a *Assertions) WithinDuration(expected time.Time, actual time.Time, delta time.Duration, msgAndArgs ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + WithinDuration(a.t, expected, actual, delta, msgAndArgs...) +} + +// WithinDurationf asserts that the two times are within duration delta of each other. +// +// a.WithinDurationf(time.Now(), time.Now(), 10*time.Second, "error message %s", "formatted") +func (a *Assertions) WithinDurationf(expected time.Time, actual time.Time, delta time.Duration, msg string, args ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + WithinDurationf(a.t, expected, actual, delta, msg, args...) +} + +// WithinRange asserts that a time is within a time range (inclusive). +// +// a.WithinRange(time.Now(), time.Now().Add(-time.Second), time.Now().Add(time.Second)) +func (a *Assertions) WithinRange(actual time.Time, start time.Time, end time.Time, msgAndArgs ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + WithinRange(a.t, actual, start, end, msgAndArgs...) +} + +// WithinRangef asserts that a time is within a time range (inclusive). +// +// a.WithinRangef(time.Now(), time.Now().Add(-time.Second), time.Now().Add(time.Second), "error message %s", "formatted") +func (a *Assertions) WithinRangef(actual time.Time, start time.Time, end time.Time, msg string, args ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + WithinRangef(a.t, actual, start, end, msg, args...) +} + +// YAMLEq asserts that two YAML strings are equivalent. +func (a *Assertions) YAMLEq(expected string, actual string, msgAndArgs ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + YAMLEq(a.t, expected, actual, msgAndArgs...) +} + +// YAMLEqf asserts that two YAML strings are equivalent. +func (a *Assertions) YAMLEqf(expected string, actual string, msg string, args ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + YAMLEqf(a.t, expected, actual, msg, args...) +} + +// Zero asserts that i is the zero value for its type. +func (a *Assertions) Zero(i interface{}, msgAndArgs ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + Zero(a.t, i, msgAndArgs...) +} + +// Zerof asserts that i is the zero value for its type. +func (a *Assertions) Zerof(i interface{}, msg string, args ...interface{}) { + if h, ok := a.t.(tHelper); ok { + h.Helper() + } + Zerof(a.t, i, msg, args...) +} diff --git a/vendor/github.com/stretchr/testify/require/require_forward.go.tmpl b/vendor/github.com/stretchr/testify/require/require_forward.go.tmpl new file mode 100644 index 0000000000..54124df1d3 --- /dev/null +++ b/vendor/github.com/stretchr/testify/require/require_forward.go.tmpl @@ -0,0 +1,5 @@ +{{.CommentWithoutT "a"}} +func (a *Assertions) {{.DocInfo.Name}}({{.Params}}) { + if h, ok := a.t.(tHelper); ok { h.Helper() } + {{.DocInfo.Name}}(a.t, {{.ForwardedParams}}) +} diff --git a/vendor/github.com/stretchr/testify/require/requirements.go b/vendor/github.com/stretchr/testify/require/requirements.go new file mode 100644 index 0000000000..6b7ce929eb --- /dev/null +++ b/vendor/github.com/stretchr/testify/require/requirements.go @@ -0,0 +1,29 @@ +package require + +// TestingT is an interface wrapper around *testing.T +type TestingT interface { + Errorf(format string, args ...interface{}) + FailNow() +} + +type tHelper = interface { + Helper() +} + +// ComparisonAssertionFunc is a common function prototype when comparing two values. Can be useful +// for table driven tests. +type ComparisonAssertionFunc func(TestingT, interface{}, interface{}, ...interface{}) + +// ValueAssertionFunc is a common function prototype when validating a single value. Can be useful +// for table driven tests. +type ValueAssertionFunc func(TestingT, interface{}, ...interface{}) + +// BoolAssertionFunc is a common function prototype when validating a bool value. Can be useful +// for table driven tests. +type BoolAssertionFunc func(TestingT, bool, ...interface{}) + +// ErrorAssertionFunc is a common function prototype when validating an error value. Can be useful +// for table driven tests. +type ErrorAssertionFunc func(TestingT, error, ...interface{}) + +//go:generate sh -c "cd ../_codegen && go build && cd - && ../_codegen/_codegen -output-package=require -template=require.go.tmpl -include-format-funcs" diff --git a/vendor/github.com/xlab/treeprint/.gitignore b/vendor/github.com/xlab/treeprint/.gitignore new file mode 100644 index 0000000000..7c9305d664 --- /dev/null +++ b/vendor/github.com/xlab/treeprint/.gitignore @@ -0,0 +1,3 @@ +vendor/** +.idea +**/**.iml diff --git a/vendor/github.com/xlab/treeprint/LICENSE b/vendor/github.com/xlab/treeprint/LICENSE new file mode 100644 index 0000000000..5ab533ad2f --- /dev/null +++ b/vendor/github.com/xlab/treeprint/LICENSE @@ -0,0 +1,20 @@ +The MIT License (MIT) +Copyright © 2016 Maxim Kupriianov + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the “Softwareâ€), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED “AS ISâ€, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE. diff --git a/vendor/github.com/xlab/treeprint/README.md b/vendor/github.com/xlab/treeprint/README.md new file mode 100644 index 0000000000..59fb121fcf --- /dev/null +++ b/vendor/github.com/xlab/treeprint/README.md @@ -0,0 +1,154 @@ +treeprint [![GoDoc](https://godoc.org/github.com/xlab/treeprint?status.svg)](https://godoc.org/github.com/xlab/treeprint) ![test coverage](https://img.shields.io/badge/coverage-68.6%25-green.svg) +========= + +Package `treeprint` provides a simple ASCII tree composing tool. + +SYSTEME FIGURE + +If you are familiar with the [tree](http://mama.indstate.edu/users/ice/tree/) utility that is a recursive directory listing command that produces a depth indented listing of files, then you have the idea of what it would look like. + +On my system the command yields the following + +``` + $ tree +. +├── LICENSE +├── README.md +├── treeprint.go +└── treeprint_test.go + +0 directories, 4 files +``` + +and I'd like to have the same format for my Go data structures when I print them. + +## Installation + +``` +$ go get github.com/xlab/treeprint +``` + +## Concept of work + +The general idea is that you initialise a new tree with `treeprint.New()` and then add nodes and +branches into it. Use `AddNode()` when you want add a node on the same level as the target or +use `AddBranch()` when you want to go a level deeper. So `tree.AddBranch().AddNode().AddNode()` would +create a new level with two distinct nodes on it. So `tree.AddNode().AddNode()` is a flat thing and +`tree.AddBranch().AddBranch().AddBranch()` is a high thing. Use `String()` or `Bytes()` on a branch +to render a subtree, or use it on the root to print the whole tree. + +The utility will yield Unicode-friendly trees. The output is predictable and there is no platform-dependent exceptions, so if you have issues with displaying the tree in the console, all platform-related transformations can be done after the tree has been rendered: [an example](https://github.com/xlab/treeprint/issues/2#issuecomment-324944141) for Asian locales. + +## Use cases + +### When you want to render a complex data structure: + +```go +func main() { + // to add a custom root name use `treeprint.NewWithRoot()` instead + tree := treeprint.New() + + // create a new branch in the root + one := tree.AddBranch("one") + + // add some nodes + one.AddNode("subnode1").AddNode("subnode2") + + // create a new sub-branch + one.AddBranch("two"). + AddNode("subnode1").AddNode("subnode2"). // add some nodes + AddBranch("three"). // add a new sub-branch + AddNode("subnode1").AddNode("subnode2") // add some nodes too + + // add one more node that should surround the inner branch + one.AddNode("subnode3") + + // add a new node to the root + tree.AddNode("outernode") + + fmt.Println(tree.String()) +} +``` + +Will give you: + +``` +. +├── one +│   ├── subnode1 +│   ├── subnode2 +│   ├── two +│   │   ├── subnode1 +│   │   ├── subnode2 +│   │   └── three +│   │   ├── subnode1 +│   │   └── subnode2 +│   └── subnode3 +└── outernode +``` + +### Another case, when you have to make a tree where any leaf may have some meta-data (as `tree` is capable of it): + +```go +func main { + // to add a custom root name use `treeprint.NewWithRoot()` instead + tree := treeprint.New() + + tree.AddNode("Dockerfile") + tree.AddNode("Makefile") + tree.AddNode("aws.sh") + tree.AddMetaBranch(" 204", "bin"). + AddNode("dbmaker").AddNode("someserver").AddNode("testtool") + tree.AddMetaBranch(" 374", "deploy"). + AddNode("Makefile").AddNode("bootstrap.sh") + tree.AddMetaNode("122K", "testtool.a") + + fmt.Println(tree.String()) +} +``` + +Output: + +``` +. +├── Dockerfile +├── Makefile +├── aws.sh +├── [ 204] bin +│   ├── dbmaker +│   ├── someserver +│   └── testtool +├── [ 374] deploy +│   ├── Makefile +│   └── bootstrap.sh +└── [122K] testtool.a +``` + +### Iterating over the tree nodes + +```go +tree := New() + +one := tree.AddBranch("one") +one.AddNode("one-subnode1").AddNode("one-subnode2") +one.AddBranch("two").AddNode("two-subnode1").AddNode("two-subnode2"). + AddBranch("three").AddNode("three-subnode1").AddNode("three-subnode2") +tree.AddNode("outernode") + +// if you need to iterate over the whole tree +// call `VisitAll` from your top root node. +tree.VisitAll(func(item *node) { + if len(item.Nodes) > 0 { + // branch nodes + fmt.Println(item.Value) // will output one, two, three + } else { + // leaf nodes + fmt.Println(item.Value) // will output one-*, two-*, three-* and outernode + } +}) + +``` +Yay! So it works. + +## License +MIT diff --git a/vendor/github.com/xlab/treeprint/helpers.go b/vendor/github.com/xlab/treeprint/helpers.go new file mode 100644 index 0000000000..a091a5a0f0 --- /dev/null +++ b/vendor/github.com/xlab/treeprint/helpers.go @@ -0,0 +1,47 @@ +package treeprint + +import ( + "reflect" + "strings" +) + +func isEmpty(v *reflect.Value) bool { + switch v.Kind() { + case reflect.Array, reflect.Map, reflect.Slice, reflect.String: + return v.Len() == 0 + case reflect.Bool: + return !v.Bool() + case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64: + return v.Int() == 0 + case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64, reflect.Uintptr: + return v.Uint() == 0 + case reflect.Float32, reflect.Float64: + return v.Float() == 0 + case reflect.Interface, reflect.Ptr: + return v.IsNil() + } + return false +} + +func tagSpec(tag string) (name string, omit bool) { + parts := strings.Split(tag, ",") + if len(parts) < 2 { + return tag, false + } + if parts[1] == "omitempty" { + return parts[0], true + } + return parts[0], false +} + +func filterTags(tag reflect.StructTag) string { + tags := strings.Split(string(tag), " ") + filtered := make([]string, 0, len(tags)) + for i := range tags { + if strings.HasPrefix(tags[i], "tree:") { + continue + } + filtered = append(filtered, tags[i]) + } + return strings.Join(filtered, " ") +} diff --git a/vendor/github.com/xlab/treeprint/struct.go b/vendor/github.com/xlab/treeprint/struct.go new file mode 100644 index 0000000000..4d5cc82540 --- /dev/null +++ b/vendor/github.com/xlab/treeprint/struct.go @@ -0,0 +1,322 @@ +package treeprint + +import ( + "fmt" + "reflect" + "strings" +) + +type StructTreeOption int + +const ( + StructNameTree StructTreeOption = iota + StructValueTree + StructTagTree + StructTypeTree + StructTypeSizeTree +) + +func FromStruct(v interface{}, opt ...StructTreeOption) (Tree, error) { + var treeOpt StructTreeOption + if len(opt) > 0 { + treeOpt = opt[0] + } + switch treeOpt { + case StructNameTree: + tree := New() + err := nameTree(tree, v) + return tree, err + case StructValueTree: + tree := New() + err := valueTree(tree, v) + return tree, err + case StructTagTree: + tree := New() + err := tagTree(tree, v) + return tree, err + case StructTypeTree: + tree := New() + err := typeTree(tree, v) + return tree, err + case StructTypeSizeTree: + tree := New() + err := typeSizeTree(tree, v) + return tree, err + default: + err := fmt.Errorf("treeprint: invalid StructTreeOption %v", treeOpt) + return nil, err + } +} + +type FmtFunc func(name string, v interface{}) (string, bool) + +func FromStructWithMeta(v interface{}, fmtFunc FmtFunc) (Tree, error) { + if fmtFunc == nil { + tree := New() + err := nameTree(tree, v) + return tree, err + } + tree := New() + err := metaTree(tree, v, fmtFunc) + return tree, err +} + +func Repr(v interface{}) string { + tree := New() + vType := reflect.TypeOf(v) + vValue := reflect.ValueOf(v) + _, val, isStruct := getValue(vType, &vValue) + if !isStruct { + return fmt.Sprintf("%+v", val.Interface()) + } + err := valueTree(tree, val.Interface()) + if err != nil { + return err.Error() + } + return tree.String() +} + +func nameTree(tree Tree, v interface{}) error { + typ, val, err := checkType(v) + if err != nil { + return err + } + fields := typ.NumField() + for i := 0; i < fields; i++ { + field := typ.Field(i) + fieldValue := val.Field(i) + name, skip, omit := getMeta(field.Name, field.Tag) + if skip || omit && isEmpty(&fieldValue) { + continue + } + typ, val, isStruct := getValue(field.Type, &fieldValue) + if !isStruct { + tree.AddNode(name) + continue + } else if subNum := typ.NumField(); subNum == 0 { + tree.AddNode(name) + continue + } + branch := tree.AddBranch(name) + if err := nameTree(branch, val.Interface()); err != nil { + err := fmt.Errorf("%v on struct branch %s", err, name) + return err + } + } + return nil +} + +func getMeta(fieldName string, tag reflect.StructTag) (name string, skip, omit bool) { + if tagStr := tag.Get("tree"); len(tagStr) > 0 { + name, omit = tagSpec(tagStr) + } + if name == "-" { + return fieldName, true, omit + } + if len(name) == 0 { + name = fieldName + } else if trimmed := strings.TrimSpace(name); len(trimmed) == 0 { + name = fieldName + } + return +} + +func valueTree(tree Tree, v interface{}) error { + typ, val, err := checkType(v) + if err != nil { + return err + } + fields := typ.NumField() + for i := 0; i < fields; i++ { + field := typ.Field(i) + fieldValue := val.Field(i) + name, skip, omit := getMeta(field.Name, field.Tag) + if skip || omit && isEmpty(&fieldValue) { + continue + } + typ, val, isStruct := getValue(field.Type, &fieldValue) + if !isStruct { + tree.AddMetaNode(val.Interface(), name) + continue + } else if subNum := typ.NumField(); subNum == 0 { + tree.AddMetaNode(val.Interface(), name) + continue + } + branch := tree.AddBranch(name) + if err := valueTree(branch, val.Interface()); err != nil { + err := fmt.Errorf("%v on struct branch %s", err, name) + return err + } + } + return nil +} + +func tagTree(tree Tree, v interface{}) error { + typ, val, err := checkType(v) + if err != nil { + return err + } + fields := typ.NumField() + for i := 0; i < fields; i++ { + field := typ.Field(i) + fieldValue := val.Field(i) + name, skip, omit := getMeta(field.Name, field.Tag) + if skip || omit && isEmpty(&fieldValue) { + continue + } + filteredTag := filterTags(field.Tag) + typ, val, isStruct := getValue(field.Type, &fieldValue) + if !isStruct { + tree.AddMetaNode(filteredTag, name) + continue + } else if subNum := typ.NumField(); subNum == 0 { + tree.AddMetaNode(filteredTag, name) + continue + } + branch := tree.AddMetaBranch(filteredTag, name) + if err := tagTree(branch, val.Interface()); err != nil { + err := fmt.Errorf("%v on struct branch %s", err, name) + return err + } + } + return nil +} + +func typeTree(tree Tree, v interface{}) error { + typ, val, err := checkType(v) + if err != nil { + return err + } + fields := typ.NumField() + for i := 0; i < fields; i++ { + field := typ.Field(i) + fieldValue := val.Field(i) + name, skip, omit := getMeta(field.Name, field.Tag) + if skip || omit && isEmpty(&fieldValue) { + continue + } + typ, val, isStruct := getValue(field.Type, &fieldValue) + typename := fmt.Sprintf("%T", val.Interface()) + if !isStruct { + tree.AddMetaNode(typename, name) + continue + } else if subNum := typ.NumField(); subNum == 0 { + tree.AddMetaNode(typename, name) + continue + } + branch := tree.AddMetaBranch(typename, name) + if err := typeTree(branch, val.Interface()); err != nil { + err := fmt.Errorf("%v on struct branch %s", err, name) + return err + } + } + return nil +} + +func typeSizeTree(tree Tree, v interface{}) error { + typ, val, err := checkType(v) + if err != nil { + return err + } + fields := typ.NumField() + for i := 0; i < fields; i++ { + field := typ.Field(i) + fieldValue := val.Field(i) + name, skip, omit := getMeta(field.Name, field.Tag) + if skip || omit && isEmpty(&fieldValue) { + continue + } + typ, val, isStruct := getValue(field.Type, &fieldValue) + typesize := typ.Size() + if !isStruct { + tree.AddMetaNode(typesize, name) + continue + } else if subNum := typ.NumField(); subNum == 0 { + tree.AddMetaNode(typesize, name) + continue + } + branch := tree.AddMetaBranch(typesize, name) + if err := typeSizeTree(branch, val.Interface()); err != nil { + err := fmt.Errorf("%v on struct branch %s", err, name) + return err + } + } + return nil +} + +func metaTree(tree Tree, v interface{}, fmtFunc FmtFunc) error { + typ, val, err := checkType(v) + if err != nil { + return err + } + fields := typ.NumField() + for i := 0; i < fields; i++ { + field := typ.Field(i) + fieldValue := val.Field(i) + name, skip, omit := getMeta(field.Name, field.Tag) + if skip || omit && isEmpty(&fieldValue) { + continue + } + typ, val, isStruct := getValue(field.Type, &fieldValue) + formatted, show := fmtFunc(name, val.Interface()) + if !isStruct { + if show { + tree.AddMetaNode(formatted, name) + continue + } + tree.AddNode(name) + continue + } else if subNum := typ.NumField(); subNum == 0 { + if show { + tree.AddMetaNode(formatted, name) + continue + } + tree.AddNode(name) + continue + } + var branch Tree + if show { + branch = tree.AddMetaBranch(formatted, name) + } else { + branch = tree.AddBranch(name) + } + if err := metaTree(branch, val.Interface(), fmtFunc); err != nil { + err := fmt.Errorf("%v on struct branch %s", err, name) + return err + } + } + return nil +} + +func getValue(typ reflect.Type, val *reflect.Value) (reflect.Type, *reflect.Value, bool) { + switch typ.Kind() { + case reflect.Ptr: + typ = typ.Elem() + if typ.Kind() == reflect.Struct { + elem := val.Elem() + return typ, &elem, true + } + case reflect.Struct: + return typ, val, true + } + return typ, val, false +} + +func checkType(v interface{}) (reflect.Type, *reflect.Value, error) { + typ := reflect.TypeOf(v) + val := reflect.ValueOf(v) + switch typ.Kind() { + case reflect.Ptr: + typ = typ.Elem() + if typ.Kind() != reflect.Struct { + err := fmt.Errorf("treeprint: %T is not a struct we could work with", v) + return nil, nil, err + } + val = val.Elem() + case reflect.Struct: + default: + err := fmt.Errorf("treeprint: %T is not a struct we could work with", v) + return nil, nil, err + } + return typ, &val, nil +} diff --git a/vendor/github.com/xlab/treeprint/treeprint.go b/vendor/github.com/xlab/treeprint/treeprint.go new file mode 100644 index 0000000000..fc8204b710 --- /dev/null +++ b/vendor/github.com/xlab/treeprint/treeprint.go @@ -0,0 +1,294 @@ +// Package treeprint provides a simple ASCII tree composing tool. +package treeprint + +import ( + "bytes" + "fmt" + "io" + "reflect" + "strings" +) + +// Value defines any value +type Value interface{} + +// MetaValue defines any meta value +type MetaValue interface{} + +// NodeVisitor function type for iterating over nodes +type NodeVisitor func(item *Node) + +// Tree represents a tree structure with leaf-nodes and branch-nodes. +type Tree interface { + // AddNode adds a new Node to a branch. + AddNode(v Value) Tree + // AddMetaNode adds a new Node with meta value provided to a branch. + AddMetaNode(meta MetaValue, v Value) Tree + // AddBranch adds a new branch Node (a level deeper). + AddBranch(v Value) Tree + // AddMetaBranch adds a new branch Node (a level deeper) with meta value provided. + AddMetaBranch(meta MetaValue, v Value) Tree + // Branch converts a leaf-Node to a branch-Node, + // applying this on a branch-Node does no effect. + Branch() Tree + // FindByMeta finds a Node whose meta value matches the provided one by reflect.DeepEqual, + // returns nil if not found. + FindByMeta(meta MetaValue) Tree + // FindByValue finds a Node whose value matches the provided one by reflect.DeepEqual, + // returns nil if not found. + FindByValue(value Value) Tree + // returns the last Node of a tree + FindLastNode() Tree + // String renders the tree or subtree as a string. + String() string + // Bytes renders the tree or subtree as byteslice. + Bytes() []byte + + SetValue(value Value) + SetMetaValue(meta MetaValue) + + // VisitAll iterates over the tree, branches and nodes. + // If need to iterate over the whole tree, use the root Node. + // Note this method uses a breadth-first approach. + VisitAll(fn NodeVisitor) +} + +type Node struct { + Root *Node + Meta MetaValue + Value Value + Nodes []*Node +} + +func (n *Node) FindLastNode() Tree { + ns := n.Nodes + if len(ns) == 0 { + return nil + } + return ns[len(ns)-1] +} + +func (n *Node) AddNode(v Value) Tree { + n.Nodes = append(n.Nodes, &Node{ + Root: n, + Value: v, + }) + return n +} + +func (n *Node) AddMetaNode(meta MetaValue, v Value) Tree { + n.Nodes = append(n.Nodes, &Node{ + Root: n, + Meta: meta, + Value: v, + }) + return n +} + +func (n *Node) AddBranch(v Value) Tree { + branch := &Node{ + Root: n, + Value: v, + } + n.Nodes = append(n.Nodes, branch) + return branch +} + +func (n *Node) AddMetaBranch(meta MetaValue, v Value) Tree { + branch := &Node{ + Root: n, + Meta: meta, + Value: v, + } + n.Nodes = append(n.Nodes, branch) + return branch +} + +func (n *Node) Branch() Tree { + n.Root = nil + return n +} + +func (n *Node) FindByMeta(meta MetaValue) Tree { + for _, node := range n.Nodes { + if reflect.DeepEqual(node.Meta, meta) { + return node + } + if v := node.FindByMeta(meta); v != nil { + return v + } + } + return nil +} + +func (n *Node) FindByValue(value Value) Tree { + for _, node := range n.Nodes { + if reflect.DeepEqual(node.Value, value) { + return node + } + if v := node.FindByMeta(value); v != nil { + return v + } + } + return nil +} + +func (n *Node) Bytes() []byte { + buf := new(bytes.Buffer) + level := 0 + var levelsEnded []int + if n.Root == nil { + if n.Meta != nil { + buf.WriteString(fmt.Sprintf("[%v] %v", n.Meta, n.Value)) + } else { + buf.WriteString(fmt.Sprintf("%v", n.Value)) + } + buf.WriteByte('\n') + } else { + edge := EdgeTypeMid + if len(n.Nodes) == 0 { + edge = EdgeTypeEnd + levelsEnded = append(levelsEnded, level) + } + printValues(buf, 0, levelsEnded, edge, n) + } + if len(n.Nodes) > 0 { + printNodes(buf, level, levelsEnded, n.Nodes) + } + return buf.Bytes() +} + +func (n *Node) String() string { + return string(n.Bytes()) +} + +func (n *Node) SetValue(value Value) { + n.Value = value +} + +func (n *Node) SetMetaValue(meta MetaValue) { + n.Meta = meta +} + +func (n *Node) VisitAll(fn NodeVisitor) { + for _, node := range n.Nodes { + fn(node) + + if len(node.Nodes) > 0 { + node.VisitAll(fn) + continue + } + } +} + +func printNodes(wr io.Writer, + level int, levelsEnded []int, nodes []*Node) { + + for i, node := range nodes { + edge := EdgeTypeMid + if i == len(nodes)-1 { + levelsEnded = append(levelsEnded, level) + edge = EdgeTypeEnd + } + printValues(wr, level, levelsEnded, edge, node) + if len(node.Nodes) > 0 { + printNodes(wr, level+1, levelsEnded, node.Nodes) + } + } +} + +func printValues(wr io.Writer, + level int, levelsEnded []int, edge EdgeType, node *Node) { + + for i := 0; i < level; i++ { + if isEnded(levelsEnded, i) { + fmt.Fprint(wr, strings.Repeat(" ", IndentSize+1)) + continue + } + fmt.Fprintf(wr, "%s%s", EdgeTypeLink, strings.Repeat(" ", IndentSize)) + } + + val := renderValue(level, node) + meta := node.Meta + + if meta != nil { + fmt.Fprintf(wr, "%s [%v] %v\n", edge, meta, val) + return + } + fmt.Fprintf(wr, "%s %v\n", edge, val) +} + +func isEnded(levelsEnded []int, level int) bool { + for _, l := range levelsEnded { + if l == level { + return true + } + } + return false +} + +func renderValue(level int, node *Node) Value { + lines := strings.Split(fmt.Sprintf("%v", node.Value), "\n") + + // If value does not contain multiple lines, return itself. + if len(lines) < 2 { + return node.Value + } + + // If value contains multiple lines, + // generate a padding and prefix each line with it. + pad := padding(level, node) + + for i := 1; i < len(lines); i++ { + lines[i] = fmt.Sprintf("%s%s", pad, lines[i]) + } + + return strings.Join(lines, "\n") +} + +// padding returns a padding for the multiline values with correctly placed link edges. +// It is generated by traversing the tree upwards (from leaf to the root of the tree) +// and, on each level, checking if the Node the last one of its siblings. +// If a Node is the last one, the padding on that level should be empty (there's nothing to link to below it). +// If a Node is not the last one, the padding on that level should be the link edge so the sibling below is correctly connected. +func padding(level int, node *Node) string { + links := make([]string, level+1) + + for node.Root != nil { + if isLast(node) { + links[level] = strings.Repeat(" ", IndentSize+1) + } else { + links[level] = fmt.Sprintf("%s%s", EdgeTypeLink, strings.Repeat(" ", IndentSize)) + } + level-- + node = node.Root + } + + return strings.Join(links, "") +} + +// isLast checks if the Node is the last one in the slice of its parent children +func isLast(n *Node) bool { + return n == n.Root.FindLastNode() +} + +type EdgeType string + +var ( + EdgeTypeLink EdgeType = "│" + EdgeTypeMid EdgeType = "├──" + EdgeTypeEnd EdgeType = "└──" +) + +// IndentSize is the number of spaces per tree level. +var IndentSize = 3 + +// New Generates new tree +func New() Tree { + return &Node{Value: "."} +} + +// NewWithRoot Generates new tree with the given root value +func NewWithRoot(root Value) Tree { + return &Node{Value: root} +} diff --git a/vendor/go.uber.org/zap/zapgrpc/zapgrpc.go b/vendor/go.uber.org/zap/zapgrpc/zapgrpc.go new file mode 100644 index 0000000000..682de254de --- /dev/null +++ b/vendor/go.uber.org/zap/zapgrpc/zapgrpc.go @@ -0,0 +1,243 @@ +// Copyright (c) 2016 Uber Technologies, Inc. +// +// Permission is hereby granted, free of charge, to any person obtaining a copy +// of this software and associated documentation files (the "Software"), to deal +// in the Software without restriction, including without limitation the rights +// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +// copies of the Software, and to permit persons to whom the Software is +// furnished to do so, subject to the following conditions: +// +// The above copyright notice and this permission notice shall be included in +// all copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +// THE SOFTWARE. + +// Package zapgrpc provides a logger that is compatible with grpclog. +package zapgrpc // import "go.uber.org/zap/zapgrpc" + +import ( + "fmt" + + "go.uber.org/zap" + "go.uber.org/zap/zapcore" +) + +// See https://github.com/grpc/grpc-go/blob/v1.35.0/grpclog/loggerv2.go#L77-L86 +const ( + grpcLvlInfo int = iota + grpcLvlWarn + grpcLvlError + grpcLvlFatal +) + +// _grpcToZapLevel maps gRPC log levels to zap log levels. +// See https://pkg.go.dev/go.uber.org/zap@v1.16.0/zapcore#Level +var _grpcToZapLevel = map[int]zapcore.Level{ + grpcLvlInfo: zapcore.InfoLevel, + grpcLvlWarn: zapcore.WarnLevel, + grpcLvlError: zapcore.ErrorLevel, + grpcLvlFatal: zapcore.FatalLevel, +} + +// An Option overrides a Logger's default configuration. +type Option interface { + apply(*Logger) +} + +type optionFunc func(*Logger) + +func (f optionFunc) apply(log *Logger) { + f(log) +} + +// WithDebug configures a Logger to print at zap's DebugLevel instead of +// InfoLevel. +// It only affects the Printf, Println and Print methods, which are only used in the gRPC v1 grpclog.Logger API. +// +// Deprecated: use grpclog.SetLoggerV2() for v2 API. +func WithDebug() Option { + return optionFunc(func(logger *Logger) { + logger.print = &printer{ + enab: logger.levelEnabler, + level: zapcore.DebugLevel, + print: logger.delegate.Debug, + printf: logger.delegate.Debugf, + } + }) +} + +// withWarn redirects the fatal level to the warn level, which makes testing +// easier. This is intentionally unexported. +func withWarn() Option { + return optionFunc(func(logger *Logger) { + logger.fatal = &printer{ + enab: logger.levelEnabler, + level: zapcore.WarnLevel, + print: logger.delegate.Warn, + printf: logger.delegate.Warnf, + } + }) +} + +// NewLogger returns a new Logger. +func NewLogger(l *zap.Logger, options ...Option) *Logger { + logger := &Logger{ + delegate: l.Sugar(), + levelEnabler: l.Core(), + } + logger.print = &printer{ + enab: logger.levelEnabler, + level: zapcore.InfoLevel, + print: logger.delegate.Info, + printf: logger.delegate.Infof, + } + logger.fatal = &printer{ + enab: logger.levelEnabler, + level: zapcore.FatalLevel, + print: logger.delegate.Fatal, + printf: logger.delegate.Fatalf, + } + for _, option := range options { + option.apply(logger) + } + return logger +} + +// printer implements Print, Printf, and Println operations for a Zap level. +// +// We use it to customize Debug vs Info, and Warn vs Fatal for Print and Fatal +// respectively. +type printer struct { + enab zapcore.LevelEnabler + level zapcore.Level + print func(...interface{}) + printf func(string, ...interface{}) +} + +func (v *printer) Print(args ...interface{}) { + v.print(args...) +} + +func (v *printer) Printf(format string, args ...interface{}) { + v.printf(format, args...) +} + +func (v *printer) Println(args ...interface{}) { + if v.enab.Enabled(v.level) { + v.print(sprintln(args)) + } +} + +// Logger adapts zap's Logger to be compatible with grpclog.LoggerV2 and the deprecated grpclog.Logger. +type Logger struct { + delegate *zap.SugaredLogger + levelEnabler zapcore.LevelEnabler + print *printer + fatal *printer + // printToDebug bool + // fatalToWarn bool +} + +// Print implements grpclog.Logger. +// +// Deprecated: use [Logger.Info]. +func (l *Logger) Print(args ...interface{}) { + l.print.Print(args...) +} + +// Printf implements grpclog.Logger. +// +// Deprecated: use [Logger.Infof]. +func (l *Logger) Printf(format string, args ...interface{}) { + l.print.Printf(format, args...) +} + +// Println implements grpclog.Logger. +// +// Deprecated: use [Logger.Info]. +func (l *Logger) Println(args ...interface{}) { + l.print.Println(args...) +} + +// Info implements grpclog.LoggerV2. +func (l *Logger) Info(args ...interface{}) { + l.delegate.Info(args...) +} + +// Infoln implements grpclog.LoggerV2. +func (l *Logger) Infoln(args ...interface{}) { + if l.levelEnabler.Enabled(zapcore.InfoLevel) { + l.delegate.Info(sprintln(args)) + } +} + +// Infof implements grpclog.LoggerV2. +func (l *Logger) Infof(format string, args ...interface{}) { + l.delegate.Infof(format, args...) +} + +// Warning implements grpclog.LoggerV2. +func (l *Logger) Warning(args ...interface{}) { + l.delegate.Warn(args...) +} + +// Warningln implements grpclog.LoggerV2. +func (l *Logger) Warningln(args ...interface{}) { + if l.levelEnabler.Enabled(zapcore.WarnLevel) { + l.delegate.Warn(sprintln(args)) + } +} + +// Warningf implements grpclog.LoggerV2. +func (l *Logger) Warningf(format string, args ...interface{}) { + l.delegate.Warnf(format, args...) +} + +// Error implements grpclog.LoggerV2. +func (l *Logger) Error(args ...interface{}) { + l.delegate.Error(args...) +} + +// Errorln implements grpclog.LoggerV2. +func (l *Logger) Errorln(args ...interface{}) { + if l.levelEnabler.Enabled(zapcore.ErrorLevel) { + l.delegate.Error(sprintln(args)) + } +} + +// Errorf implements grpclog.LoggerV2. +func (l *Logger) Errorf(format string, args ...interface{}) { + l.delegate.Errorf(format, args...) +} + +// Fatal implements grpclog.LoggerV2. +func (l *Logger) Fatal(args ...interface{}) { + l.fatal.Print(args...) +} + +// Fatalln implements grpclog.LoggerV2. +func (l *Logger) Fatalln(args ...interface{}) { + l.fatal.Println(args...) +} + +// Fatalf implements grpclog.LoggerV2. +func (l *Logger) Fatalf(format string, args ...interface{}) { + l.fatal.Printf(format, args...) +} + +// V implements grpclog.LoggerV2. +func (l *Logger) V(level int) bool { + return l.levelEnabler.Enabled(_grpcToZapLevel[level]) +} + +func sprintln(args []interface{}) string { + s := fmt.Sprintln(args...) + // Drop the new line character added by Sprintln + return s[:len(s)-1] +} diff --git a/vendor/golang.org/x/crypto/bcrypt/base64.go b/vendor/golang.org/x/crypto/bcrypt/base64.go new file mode 100644 index 0000000000..fc31160908 --- /dev/null +++ b/vendor/golang.org/x/crypto/bcrypt/base64.go @@ -0,0 +1,35 @@ +// Copyright 2011 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package bcrypt + +import "encoding/base64" + +const alphabet = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789" + +var bcEncoding = base64.NewEncoding(alphabet) + +func base64Encode(src []byte) []byte { + n := bcEncoding.EncodedLen(len(src)) + dst := make([]byte, n) + bcEncoding.Encode(dst, src) + for dst[n-1] == '=' { + n-- + } + return dst[:n] +} + +func base64Decode(src []byte) ([]byte, error) { + numOfEquals := 4 - (len(src) % 4) + for i := 0; i < numOfEquals; i++ { + src = append(src, '=') + } + + dst := make([]byte, bcEncoding.DecodedLen(len(src))) + n, err := bcEncoding.Decode(dst, src) + if err != nil { + return nil, err + } + return dst[:n], nil +} diff --git a/vendor/golang.org/x/crypto/bcrypt/bcrypt.go b/vendor/golang.org/x/crypto/bcrypt/bcrypt.go new file mode 100644 index 0000000000..3e7f8df871 --- /dev/null +++ b/vendor/golang.org/x/crypto/bcrypt/bcrypt.go @@ -0,0 +1,304 @@ +// Copyright 2011 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +// Package bcrypt implements Provos and Mazières's bcrypt adaptive hashing +// algorithm. See http://www.usenix.org/event/usenix99/provos/provos.pdf +package bcrypt + +// The code is a port of Provos and Mazières's C implementation. +import ( + "crypto/rand" + "crypto/subtle" + "errors" + "fmt" + "io" + "strconv" + + "golang.org/x/crypto/blowfish" +) + +const ( + MinCost int = 4 // the minimum allowable cost as passed in to GenerateFromPassword + MaxCost int = 31 // the maximum allowable cost as passed in to GenerateFromPassword + DefaultCost int = 10 // the cost that will actually be set if a cost below MinCost is passed into GenerateFromPassword +) + +// The error returned from CompareHashAndPassword when a password and hash do +// not match. +var ErrMismatchedHashAndPassword = errors.New("crypto/bcrypt: hashedPassword is not the hash of the given password") + +// The error returned from CompareHashAndPassword when a hash is too short to +// be a bcrypt hash. +var ErrHashTooShort = errors.New("crypto/bcrypt: hashedSecret too short to be a bcrypted password") + +// The error returned from CompareHashAndPassword when a hash was created with +// a bcrypt algorithm newer than this implementation. +type HashVersionTooNewError byte + +func (hv HashVersionTooNewError) Error() string { + return fmt.Sprintf("crypto/bcrypt: bcrypt algorithm version '%c' requested is newer than current version '%c'", byte(hv), majorVersion) +} + +// The error returned from CompareHashAndPassword when a hash starts with something other than '$' +type InvalidHashPrefixError byte + +func (ih InvalidHashPrefixError) Error() string { + return fmt.Sprintf("crypto/bcrypt: bcrypt hashes must start with '$', but hashedSecret started with '%c'", byte(ih)) +} + +type InvalidCostError int + +func (ic InvalidCostError) Error() string { + return fmt.Sprintf("crypto/bcrypt: cost %d is outside allowed inclusive range %d..%d", int(ic), MinCost, MaxCost) +} + +const ( + majorVersion = '2' + minorVersion = 'a' + maxSaltSize = 16 + maxCryptedHashSize = 23 + encodedSaltSize = 22 + encodedHashSize = 31 + minHashSize = 59 +) + +// magicCipherData is an IV for the 64 Blowfish encryption calls in +// bcrypt(). It's the string "OrpheanBeholderScryDoubt" in big-endian bytes. +var magicCipherData = []byte{ + 0x4f, 0x72, 0x70, 0x68, + 0x65, 0x61, 0x6e, 0x42, + 0x65, 0x68, 0x6f, 0x6c, + 0x64, 0x65, 0x72, 0x53, + 0x63, 0x72, 0x79, 0x44, + 0x6f, 0x75, 0x62, 0x74, +} + +type hashed struct { + hash []byte + salt []byte + cost int // allowed range is MinCost to MaxCost + major byte + minor byte +} + +// ErrPasswordTooLong is returned when the password passed to +// GenerateFromPassword is too long (i.e. > 72 bytes). +var ErrPasswordTooLong = errors.New("bcrypt: password length exceeds 72 bytes") + +// GenerateFromPassword returns the bcrypt hash of the password at the given +// cost. If the cost given is less than MinCost, the cost will be set to +// DefaultCost, instead. Use CompareHashAndPassword, as defined in this package, +// to compare the returned hashed password with its cleartext version. +// GenerateFromPassword does not accept passwords longer than 72 bytes, which +// is the longest password bcrypt will operate on. +func GenerateFromPassword(password []byte, cost int) ([]byte, error) { + if len(password) > 72 { + return nil, ErrPasswordTooLong + } + p, err := newFromPassword(password, cost) + if err != nil { + return nil, err + } + return p.Hash(), nil +} + +// CompareHashAndPassword compares a bcrypt hashed password with its possible +// plaintext equivalent. Returns nil on success, or an error on failure. +func CompareHashAndPassword(hashedPassword, password []byte) error { + p, err := newFromHash(hashedPassword) + if err != nil { + return err + } + + otherHash, err := bcrypt(password, p.cost, p.salt) + if err != nil { + return err + } + + otherP := &hashed{otherHash, p.salt, p.cost, p.major, p.minor} + if subtle.ConstantTimeCompare(p.Hash(), otherP.Hash()) == 1 { + return nil + } + + return ErrMismatchedHashAndPassword +} + +// Cost returns the hashing cost used to create the given hashed +// password. When, in the future, the hashing cost of a password system needs +// to be increased in order to adjust for greater computational power, this +// function allows one to establish which passwords need to be updated. +func Cost(hashedPassword []byte) (int, error) { + p, err := newFromHash(hashedPassword) + if err != nil { + return 0, err + } + return p.cost, nil +} + +func newFromPassword(password []byte, cost int) (*hashed, error) { + if cost < MinCost { + cost = DefaultCost + } + p := new(hashed) + p.major = majorVersion + p.minor = minorVersion + + err := checkCost(cost) + if err != nil { + return nil, err + } + p.cost = cost + + unencodedSalt := make([]byte, maxSaltSize) + _, err = io.ReadFull(rand.Reader, unencodedSalt) + if err != nil { + return nil, err + } + + p.salt = base64Encode(unencodedSalt) + hash, err := bcrypt(password, p.cost, p.salt) + if err != nil { + return nil, err + } + p.hash = hash + return p, err +} + +func newFromHash(hashedSecret []byte) (*hashed, error) { + if len(hashedSecret) < minHashSize { + return nil, ErrHashTooShort + } + p := new(hashed) + n, err := p.decodeVersion(hashedSecret) + if err != nil { + return nil, err + } + hashedSecret = hashedSecret[n:] + n, err = p.decodeCost(hashedSecret) + if err != nil { + return nil, err + } + hashedSecret = hashedSecret[n:] + + // The "+2" is here because we'll have to append at most 2 '=' to the salt + // when base64 decoding it in expensiveBlowfishSetup(). + p.salt = make([]byte, encodedSaltSize, encodedSaltSize+2) + copy(p.salt, hashedSecret[:encodedSaltSize]) + + hashedSecret = hashedSecret[encodedSaltSize:] + p.hash = make([]byte, len(hashedSecret)) + copy(p.hash, hashedSecret) + + return p, nil +} + +func bcrypt(password []byte, cost int, salt []byte) ([]byte, error) { + cipherData := make([]byte, len(magicCipherData)) + copy(cipherData, magicCipherData) + + c, err := expensiveBlowfishSetup(password, uint32(cost), salt) + if err != nil { + return nil, err + } + + for i := 0; i < 24; i += 8 { + for j := 0; j < 64; j++ { + c.Encrypt(cipherData[i:i+8], cipherData[i:i+8]) + } + } + + // Bug compatibility with C bcrypt implementations. We only encode 23 of + // the 24 bytes encrypted. + hsh := base64Encode(cipherData[:maxCryptedHashSize]) + return hsh, nil +} + +func expensiveBlowfishSetup(key []byte, cost uint32, salt []byte) (*blowfish.Cipher, error) { + csalt, err := base64Decode(salt) + if err != nil { + return nil, err + } + + // Bug compatibility with C bcrypt implementations. They use the trailing + // NULL in the key string during expansion. + // We copy the key to prevent changing the underlying array. + ckey := append(key[:len(key):len(key)], 0) + + c, err := blowfish.NewSaltedCipher(ckey, csalt) + if err != nil { + return nil, err + } + + var i, rounds uint64 + rounds = 1 << cost + for i = 0; i < rounds; i++ { + blowfish.ExpandKey(ckey, c) + blowfish.ExpandKey(csalt, c) + } + + return c, nil +} + +func (p *hashed) Hash() []byte { + arr := make([]byte, 60) + arr[0] = '$' + arr[1] = p.major + n := 2 + if p.minor != 0 { + arr[2] = p.minor + n = 3 + } + arr[n] = '$' + n++ + copy(arr[n:], []byte(fmt.Sprintf("%02d", p.cost))) + n += 2 + arr[n] = '$' + n++ + copy(arr[n:], p.salt) + n += encodedSaltSize + copy(arr[n:], p.hash) + n += encodedHashSize + return arr[:n] +} + +func (p *hashed) decodeVersion(sbytes []byte) (int, error) { + if sbytes[0] != '$' { + return -1, InvalidHashPrefixError(sbytes[0]) + } + if sbytes[1] > majorVersion { + return -1, HashVersionTooNewError(sbytes[1]) + } + p.major = sbytes[1] + n := 3 + if sbytes[2] != '$' { + p.minor = sbytes[2] + n++ + } + return n, nil +} + +// sbytes should begin where decodeVersion left off. +func (p *hashed) decodeCost(sbytes []byte) (int, error) { + cost, err := strconv.Atoi(string(sbytes[0:2])) + if err != nil { + return -1, err + } + err = checkCost(cost) + if err != nil { + return -1, err + } + p.cost = cost + return 3, nil +} + +func (p *hashed) String() string { + return fmt.Sprintf("&{hash: %#v, salt: %#v, cost: %d, major: %c, minor: %c}", string(p.hash), p.salt, p.cost, p.major, p.minor) +} + +func checkCost(cost int) error { + if cost < MinCost || cost > MaxCost { + return InvalidCostError(cost) + } + return nil +} diff --git a/vendor/golang.org/x/crypto/blowfish/block.go b/vendor/golang.org/x/crypto/blowfish/block.go new file mode 100644 index 0000000000..9d80f19521 --- /dev/null +++ b/vendor/golang.org/x/crypto/blowfish/block.go @@ -0,0 +1,159 @@ +// Copyright 2010 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package blowfish + +// getNextWord returns the next big-endian uint32 value from the byte slice +// at the given position in a circular manner, updating the position. +func getNextWord(b []byte, pos *int) uint32 { + var w uint32 + j := *pos + for i := 0; i < 4; i++ { + w = w<<8 | uint32(b[j]) + j++ + if j >= len(b) { + j = 0 + } + } + *pos = j + return w +} + +// ExpandKey performs a key expansion on the given *Cipher. Specifically, it +// performs the Blowfish algorithm's key schedule which sets up the *Cipher's +// pi and substitution tables for calls to Encrypt. This is used, primarily, +// by the bcrypt package to reuse the Blowfish key schedule during its +// set up. It's unlikely that you need to use this directly. +func ExpandKey(key []byte, c *Cipher) { + j := 0 + for i := 0; i < 18; i++ { + // Using inlined getNextWord for performance. + var d uint32 + for k := 0; k < 4; k++ { + d = d<<8 | uint32(key[j]) + j++ + if j >= len(key) { + j = 0 + } + } + c.p[i] ^= d + } + + var l, r uint32 + for i := 0; i < 18; i += 2 { + l, r = encryptBlock(l, r, c) + c.p[i], c.p[i+1] = l, r + } + + for i := 0; i < 256; i += 2 { + l, r = encryptBlock(l, r, c) + c.s0[i], c.s0[i+1] = l, r + } + for i := 0; i < 256; i += 2 { + l, r = encryptBlock(l, r, c) + c.s1[i], c.s1[i+1] = l, r + } + for i := 0; i < 256; i += 2 { + l, r = encryptBlock(l, r, c) + c.s2[i], c.s2[i+1] = l, r + } + for i := 0; i < 256; i += 2 { + l, r = encryptBlock(l, r, c) + c.s3[i], c.s3[i+1] = l, r + } +} + +// This is similar to ExpandKey, but folds the salt during the key +// schedule. While ExpandKey is essentially expandKeyWithSalt with an all-zero +// salt passed in, reusing ExpandKey turns out to be a place of inefficiency +// and specializing it here is useful. +func expandKeyWithSalt(key []byte, salt []byte, c *Cipher) { + j := 0 + for i := 0; i < 18; i++ { + c.p[i] ^= getNextWord(key, &j) + } + + j = 0 + var l, r uint32 + for i := 0; i < 18; i += 2 { + l ^= getNextWord(salt, &j) + r ^= getNextWord(salt, &j) + l, r = encryptBlock(l, r, c) + c.p[i], c.p[i+1] = l, r + } + + for i := 0; i < 256; i += 2 { + l ^= getNextWord(salt, &j) + r ^= getNextWord(salt, &j) + l, r = encryptBlock(l, r, c) + c.s0[i], c.s0[i+1] = l, r + } + + for i := 0; i < 256; i += 2 { + l ^= getNextWord(salt, &j) + r ^= getNextWord(salt, &j) + l, r = encryptBlock(l, r, c) + c.s1[i], c.s1[i+1] = l, r + } + + for i := 0; i < 256; i += 2 { + l ^= getNextWord(salt, &j) + r ^= getNextWord(salt, &j) + l, r = encryptBlock(l, r, c) + c.s2[i], c.s2[i+1] = l, r + } + + for i := 0; i < 256; i += 2 { + l ^= getNextWord(salt, &j) + r ^= getNextWord(salt, &j) + l, r = encryptBlock(l, r, c) + c.s3[i], c.s3[i+1] = l, r + } +} + +func encryptBlock(l, r uint32, c *Cipher) (uint32, uint32) { + xl, xr := l, r + xl ^= c.p[0] + xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[1] + xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[2] + xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[3] + xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[4] + xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[5] + xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[6] + xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[7] + xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[8] + xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[9] + xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[10] + xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[11] + xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[12] + xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[13] + xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[14] + xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[15] + xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[16] + xr ^= c.p[17] + return xr, xl +} + +func decryptBlock(l, r uint32, c *Cipher) (uint32, uint32) { + xl, xr := l, r + xl ^= c.p[17] + xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[16] + xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[15] + xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[14] + xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[13] + xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[12] + xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[11] + xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[10] + xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[9] + xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[8] + xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[7] + xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[6] + xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[5] + xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[4] + xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[3] + xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[2] + xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[1] + xr ^= c.p[0] + return xr, xl +} diff --git a/vendor/golang.org/x/crypto/blowfish/cipher.go b/vendor/golang.org/x/crypto/blowfish/cipher.go new file mode 100644 index 0000000000..0898956807 --- /dev/null +++ b/vendor/golang.org/x/crypto/blowfish/cipher.go @@ -0,0 +1,99 @@ +// Copyright 2010 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +// Package blowfish implements Bruce Schneier's Blowfish encryption algorithm. +// +// Blowfish is a legacy cipher and its short block size makes it vulnerable to +// birthday bound attacks (see https://sweet32.info). It should only be used +// where compatibility with legacy systems, not security, is the goal. +// +// Deprecated: any new system should use AES (from crypto/aes, if necessary in +// an AEAD mode like crypto/cipher.NewGCM) or XChaCha20-Poly1305 (from +// golang.org/x/crypto/chacha20poly1305). +package blowfish + +// The code is a port of Bruce Schneier's C implementation. +// See https://www.schneier.com/blowfish.html. + +import "strconv" + +// The Blowfish block size in bytes. +const BlockSize = 8 + +// A Cipher is an instance of Blowfish encryption using a particular key. +type Cipher struct { + p [18]uint32 + s0, s1, s2, s3 [256]uint32 +} + +type KeySizeError int + +func (k KeySizeError) Error() string { + return "crypto/blowfish: invalid key size " + strconv.Itoa(int(k)) +} + +// NewCipher creates and returns a Cipher. +// The key argument should be the Blowfish key, from 1 to 56 bytes. +func NewCipher(key []byte) (*Cipher, error) { + var result Cipher + if k := len(key); k < 1 || k > 56 { + return nil, KeySizeError(k) + } + initCipher(&result) + ExpandKey(key, &result) + return &result, nil +} + +// NewSaltedCipher creates a returns a Cipher that folds a salt into its key +// schedule. For most purposes, NewCipher, instead of NewSaltedCipher, is +// sufficient and desirable. For bcrypt compatibility, the key can be over 56 +// bytes. +func NewSaltedCipher(key, salt []byte) (*Cipher, error) { + if len(salt) == 0 { + return NewCipher(key) + } + var result Cipher + if k := len(key); k < 1 { + return nil, KeySizeError(k) + } + initCipher(&result) + expandKeyWithSalt(key, salt, &result) + return &result, nil +} + +// BlockSize returns the Blowfish block size, 8 bytes. +// It is necessary to satisfy the Block interface in the +// package "crypto/cipher". +func (c *Cipher) BlockSize() int { return BlockSize } + +// Encrypt encrypts the 8-byte buffer src using the key k +// and stores the result in dst. +// Note that for amounts of data larger than a block, +// it is not safe to just call Encrypt on successive blocks; +// instead, use an encryption mode like CBC (see crypto/cipher/cbc.go). +func (c *Cipher) Encrypt(dst, src []byte) { + l := uint32(src[0])<<24 | uint32(src[1])<<16 | uint32(src[2])<<8 | uint32(src[3]) + r := uint32(src[4])<<24 | uint32(src[5])<<16 | uint32(src[6])<<8 | uint32(src[7]) + l, r = encryptBlock(l, r, c) + dst[0], dst[1], dst[2], dst[3] = byte(l>>24), byte(l>>16), byte(l>>8), byte(l) + dst[4], dst[5], dst[6], dst[7] = byte(r>>24), byte(r>>16), byte(r>>8), byte(r) +} + +// Decrypt decrypts the 8-byte buffer src using the key k +// and stores the result in dst. +func (c *Cipher) Decrypt(dst, src []byte) { + l := uint32(src[0])<<24 | uint32(src[1])<<16 | uint32(src[2])<<8 | uint32(src[3]) + r := uint32(src[4])<<24 | uint32(src[5])<<16 | uint32(src[6])<<8 | uint32(src[7]) + l, r = decryptBlock(l, r, c) + dst[0], dst[1], dst[2], dst[3] = byte(l>>24), byte(l>>16), byte(l>>8), byte(l) + dst[4], dst[5], dst[6], dst[7] = byte(r>>24), byte(r>>16), byte(r>>8), byte(r) +} + +func initCipher(c *Cipher) { + copy(c.p[0:], p[0:]) + copy(c.s0[0:], s0[0:]) + copy(c.s1[0:], s1[0:]) + copy(c.s2[0:], s2[0:]) + copy(c.s3[0:], s3[0:]) +} diff --git a/vendor/golang.org/x/crypto/blowfish/const.go b/vendor/golang.org/x/crypto/blowfish/const.go new file mode 100644 index 0000000000..d04077595a --- /dev/null +++ b/vendor/golang.org/x/crypto/blowfish/const.go @@ -0,0 +1,199 @@ +// Copyright 2010 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +// The startup permutation array and substitution boxes. +// They are the hexadecimal digits of PI; see: +// https://www.schneier.com/code/constants.txt. + +package blowfish + +var s0 = [256]uint32{ + 0xd1310ba6, 0x98dfb5ac, 0x2ffd72db, 0xd01adfb7, 0xb8e1afed, 0x6a267e96, + 0xba7c9045, 0xf12c7f99, 0x24a19947, 0xb3916cf7, 0x0801f2e2, 0x858efc16, + 0x636920d8, 0x71574e69, 0xa458fea3, 0xf4933d7e, 0x0d95748f, 0x728eb658, + 0x718bcd58, 0x82154aee, 0x7b54a41d, 0xc25a59b5, 0x9c30d539, 0x2af26013, + 0xc5d1b023, 0x286085f0, 0xca417918, 0xb8db38ef, 0x8e79dcb0, 0x603a180e, + 0x6c9e0e8b, 0xb01e8a3e, 0xd71577c1, 0xbd314b27, 0x78af2fda, 0x55605c60, + 0xe65525f3, 0xaa55ab94, 0x57489862, 0x63e81440, 0x55ca396a, 0x2aab10b6, + 0xb4cc5c34, 0x1141e8ce, 0xa15486af, 0x7c72e993, 0xb3ee1411, 0x636fbc2a, + 0x2ba9c55d, 0x741831f6, 0xce5c3e16, 0x9b87931e, 0xafd6ba33, 0x6c24cf5c, + 0x7a325381, 0x28958677, 0x3b8f4898, 0x6b4bb9af, 0xc4bfe81b, 0x66282193, + 0x61d809cc, 0xfb21a991, 0x487cac60, 0x5dec8032, 0xef845d5d, 0xe98575b1, + 0xdc262302, 0xeb651b88, 0x23893e81, 0xd396acc5, 0x0f6d6ff3, 0x83f44239, + 0x2e0b4482, 0xa4842004, 0x69c8f04a, 0x9e1f9b5e, 0x21c66842, 0xf6e96c9a, + 0x670c9c61, 0xabd388f0, 0x6a51a0d2, 0xd8542f68, 0x960fa728, 0xab5133a3, + 0x6eef0b6c, 0x137a3be4, 0xba3bf050, 0x7efb2a98, 0xa1f1651d, 0x39af0176, + 0x66ca593e, 0x82430e88, 0x8cee8619, 0x456f9fb4, 0x7d84a5c3, 0x3b8b5ebe, + 0xe06f75d8, 0x85c12073, 0x401a449f, 0x56c16aa6, 0x4ed3aa62, 0x363f7706, + 0x1bfedf72, 0x429b023d, 0x37d0d724, 0xd00a1248, 0xdb0fead3, 0x49f1c09b, + 0x075372c9, 0x80991b7b, 0x25d479d8, 0xf6e8def7, 0xe3fe501a, 0xb6794c3b, + 0x976ce0bd, 0x04c006ba, 0xc1a94fb6, 0x409f60c4, 0x5e5c9ec2, 0x196a2463, + 0x68fb6faf, 0x3e6c53b5, 0x1339b2eb, 0x3b52ec6f, 0x6dfc511f, 0x9b30952c, + 0xcc814544, 0xaf5ebd09, 0xbee3d004, 0xde334afd, 0x660f2807, 0x192e4bb3, + 0xc0cba857, 0x45c8740f, 0xd20b5f39, 0xb9d3fbdb, 0x5579c0bd, 0x1a60320a, + 0xd6a100c6, 0x402c7279, 0x679f25fe, 0xfb1fa3cc, 0x8ea5e9f8, 0xdb3222f8, + 0x3c7516df, 0xfd616b15, 0x2f501ec8, 0xad0552ab, 0x323db5fa, 0xfd238760, + 0x53317b48, 0x3e00df82, 0x9e5c57bb, 0xca6f8ca0, 0x1a87562e, 0xdf1769db, + 0xd542a8f6, 0x287effc3, 0xac6732c6, 0x8c4f5573, 0x695b27b0, 0xbbca58c8, + 0xe1ffa35d, 0xb8f011a0, 0x10fa3d98, 0xfd2183b8, 0x4afcb56c, 0x2dd1d35b, + 0x9a53e479, 0xb6f84565, 0xd28e49bc, 0x4bfb9790, 0xe1ddf2da, 0xa4cb7e33, + 0x62fb1341, 0xcee4c6e8, 0xef20cada, 0x36774c01, 0xd07e9efe, 0x2bf11fb4, + 0x95dbda4d, 0xae909198, 0xeaad8e71, 0x6b93d5a0, 0xd08ed1d0, 0xafc725e0, + 0x8e3c5b2f, 0x8e7594b7, 0x8ff6e2fb, 0xf2122b64, 0x8888b812, 0x900df01c, + 0x4fad5ea0, 0x688fc31c, 0xd1cff191, 0xb3a8c1ad, 0x2f2f2218, 0xbe0e1777, + 0xea752dfe, 0x8b021fa1, 0xe5a0cc0f, 0xb56f74e8, 0x18acf3d6, 0xce89e299, + 0xb4a84fe0, 0xfd13e0b7, 0x7cc43b81, 0xd2ada8d9, 0x165fa266, 0x80957705, + 0x93cc7314, 0x211a1477, 0xe6ad2065, 0x77b5fa86, 0xc75442f5, 0xfb9d35cf, + 0xebcdaf0c, 0x7b3e89a0, 0xd6411bd3, 0xae1e7e49, 0x00250e2d, 0x2071b35e, + 0x226800bb, 0x57b8e0af, 0x2464369b, 0xf009b91e, 0x5563911d, 0x59dfa6aa, + 0x78c14389, 0xd95a537f, 0x207d5ba2, 0x02e5b9c5, 0x83260376, 0x6295cfa9, + 0x11c81968, 0x4e734a41, 0xb3472dca, 0x7b14a94a, 0x1b510052, 0x9a532915, + 0xd60f573f, 0xbc9bc6e4, 0x2b60a476, 0x81e67400, 0x08ba6fb5, 0x571be91f, + 0xf296ec6b, 0x2a0dd915, 0xb6636521, 0xe7b9f9b6, 0xff34052e, 0xc5855664, + 0x53b02d5d, 0xa99f8fa1, 0x08ba4799, 0x6e85076a, +} + +var s1 = [256]uint32{ + 0x4b7a70e9, 0xb5b32944, 0xdb75092e, 0xc4192623, 0xad6ea6b0, 0x49a7df7d, + 0x9cee60b8, 0x8fedb266, 0xecaa8c71, 0x699a17ff, 0x5664526c, 0xc2b19ee1, + 0x193602a5, 0x75094c29, 0xa0591340, 0xe4183a3e, 0x3f54989a, 0x5b429d65, + 0x6b8fe4d6, 0x99f73fd6, 0xa1d29c07, 0xefe830f5, 0x4d2d38e6, 0xf0255dc1, + 0x4cdd2086, 0x8470eb26, 0x6382e9c6, 0x021ecc5e, 0x09686b3f, 0x3ebaefc9, + 0x3c971814, 0x6b6a70a1, 0x687f3584, 0x52a0e286, 0xb79c5305, 0xaa500737, + 0x3e07841c, 0x7fdeae5c, 0x8e7d44ec, 0x5716f2b8, 0xb03ada37, 0xf0500c0d, + 0xf01c1f04, 0x0200b3ff, 0xae0cf51a, 0x3cb574b2, 0x25837a58, 0xdc0921bd, + 0xd19113f9, 0x7ca92ff6, 0x94324773, 0x22f54701, 0x3ae5e581, 0x37c2dadc, + 0xc8b57634, 0x9af3dda7, 0xa9446146, 0x0fd0030e, 0xecc8c73e, 0xa4751e41, + 0xe238cd99, 0x3bea0e2f, 0x3280bba1, 0x183eb331, 0x4e548b38, 0x4f6db908, + 0x6f420d03, 0xf60a04bf, 0x2cb81290, 0x24977c79, 0x5679b072, 0xbcaf89af, + 0xde9a771f, 0xd9930810, 0xb38bae12, 0xdccf3f2e, 0x5512721f, 0x2e6b7124, + 0x501adde6, 0x9f84cd87, 0x7a584718, 0x7408da17, 0xbc9f9abc, 0xe94b7d8c, + 0xec7aec3a, 0xdb851dfa, 0x63094366, 0xc464c3d2, 0xef1c1847, 0x3215d908, + 0xdd433b37, 0x24c2ba16, 0x12a14d43, 0x2a65c451, 0x50940002, 0x133ae4dd, + 0x71dff89e, 0x10314e55, 0x81ac77d6, 0x5f11199b, 0x043556f1, 0xd7a3c76b, + 0x3c11183b, 0x5924a509, 0xf28fe6ed, 0x97f1fbfa, 0x9ebabf2c, 0x1e153c6e, + 0x86e34570, 0xeae96fb1, 0x860e5e0a, 0x5a3e2ab3, 0x771fe71c, 0x4e3d06fa, + 0x2965dcb9, 0x99e71d0f, 0x803e89d6, 0x5266c825, 0x2e4cc978, 0x9c10b36a, + 0xc6150eba, 0x94e2ea78, 0xa5fc3c53, 0x1e0a2df4, 0xf2f74ea7, 0x361d2b3d, + 0x1939260f, 0x19c27960, 0x5223a708, 0xf71312b6, 0xebadfe6e, 0xeac31f66, + 0xe3bc4595, 0xa67bc883, 0xb17f37d1, 0x018cff28, 0xc332ddef, 0xbe6c5aa5, + 0x65582185, 0x68ab9802, 0xeecea50f, 0xdb2f953b, 0x2aef7dad, 0x5b6e2f84, + 0x1521b628, 0x29076170, 0xecdd4775, 0x619f1510, 0x13cca830, 0xeb61bd96, + 0x0334fe1e, 0xaa0363cf, 0xb5735c90, 0x4c70a239, 0xd59e9e0b, 0xcbaade14, + 0xeecc86bc, 0x60622ca7, 0x9cab5cab, 0xb2f3846e, 0x648b1eaf, 0x19bdf0ca, + 0xa02369b9, 0x655abb50, 0x40685a32, 0x3c2ab4b3, 0x319ee9d5, 0xc021b8f7, + 0x9b540b19, 0x875fa099, 0x95f7997e, 0x623d7da8, 0xf837889a, 0x97e32d77, + 0x11ed935f, 0x16681281, 0x0e358829, 0xc7e61fd6, 0x96dedfa1, 0x7858ba99, + 0x57f584a5, 0x1b227263, 0x9b83c3ff, 0x1ac24696, 0xcdb30aeb, 0x532e3054, + 0x8fd948e4, 0x6dbc3128, 0x58ebf2ef, 0x34c6ffea, 0xfe28ed61, 0xee7c3c73, + 0x5d4a14d9, 0xe864b7e3, 0x42105d14, 0x203e13e0, 0x45eee2b6, 0xa3aaabea, + 0xdb6c4f15, 0xfacb4fd0, 0xc742f442, 0xef6abbb5, 0x654f3b1d, 0x41cd2105, + 0xd81e799e, 0x86854dc7, 0xe44b476a, 0x3d816250, 0xcf62a1f2, 0x5b8d2646, + 0xfc8883a0, 0xc1c7b6a3, 0x7f1524c3, 0x69cb7492, 0x47848a0b, 0x5692b285, + 0x095bbf00, 0xad19489d, 0x1462b174, 0x23820e00, 0x58428d2a, 0x0c55f5ea, + 0x1dadf43e, 0x233f7061, 0x3372f092, 0x8d937e41, 0xd65fecf1, 0x6c223bdb, + 0x7cde3759, 0xcbee7460, 0x4085f2a7, 0xce77326e, 0xa6078084, 0x19f8509e, + 0xe8efd855, 0x61d99735, 0xa969a7aa, 0xc50c06c2, 0x5a04abfc, 0x800bcadc, + 0x9e447a2e, 0xc3453484, 0xfdd56705, 0x0e1e9ec9, 0xdb73dbd3, 0x105588cd, + 0x675fda79, 0xe3674340, 0xc5c43465, 0x713e38d8, 0x3d28f89e, 0xf16dff20, + 0x153e21e7, 0x8fb03d4a, 0xe6e39f2b, 0xdb83adf7, +} + +var s2 = [256]uint32{ + 0xe93d5a68, 0x948140f7, 0xf64c261c, 0x94692934, 0x411520f7, 0x7602d4f7, + 0xbcf46b2e, 0xd4a20068, 0xd4082471, 0x3320f46a, 0x43b7d4b7, 0x500061af, + 0x1e39f62e, 0x97244546, 0x14214f74, 0xbf8b8840, 0x4d95fc1d, 0x96b591af, + 0x70f4ddd3, 0x66a02f45, 0xbfbc09ec, 0x03bd9785, 0x7fac6dd0, 0x31cb8504, + 0x96eb27b3, 0x55fd3941, 0xda2547e6, 0xabca0a9a, 0x28507825, 0x530429f4, + 0x0a2c86da, 0xe9b66dfb, 0x68dc1462, 0xd7486900, 0x680ec0a4, 0x27a18dee, + 0x4f3ffea2, 0xe887ad8c, 0xb58ce006, 0x7af4d6b6, 0xaace1e7c, 0xd3375fec, + 0xce78a399, 0x406b2a42, 0x20fe9e35, 0xd9f385b9, 0xee39d7ab, 0x3b124e8b, + 0x1dc9faf7, 0x4b6d1856, 0x26a36631, 0xeae397b2, 0x3a6efa74, 0xdd5b4332, + 0x6841e7f7, 0xca7820fb, 0xfb0af54e, 0xd8feb397, 0x454056ac, 0xba489527, + 0x55533a3a, 0x20838d87, 0xfe6ba9b7, 0xd096954b, 0x55a867bc, 0xa1159a58, + 0xcca92963, 0x99e1db33, 0xa62a4a56, 0x3f3125f9, 0x5ef47e1c, 0x9029317c, + 0xfdf8e802, 0x04272f70, 0x80bb155c, 0x05282ce3, 0x95c11548, 0xe4c66d22, + 0x48c1133f, 0xc70f86dc, 0x07f9c9ee, 0x41041f0f, 0x404779a4, 0x5d886e17, + 0x325f51eb, 0xd59bc0d1, 0xf2bcc18f, 0x41113564, 0x257b7834, 0x602a9c60, + 0xdff8e8a3, 0x1f636c1b, 0x0e12b4c2, 0x02e1329e, 0xaf664fd1, 0xcad18115, + 0x6b2395e0, 0x333e92e1, 0x3b240b62, 0xeebeb922, 0x85b2a20e, 0xe6ba0d99, + 0xde720c8c, 0x2da2f728, 0xd0127845, 0x95b794fd, 0x647d0862, 0xe7ccf5f0, + 0x5449a36f, 0x877d48fa, 0xc39dfd27, 0xf33e8d1e, 0x0a476341, 0x992eff74, + 0x3a6f6eab, 0xf4f8fd37, 0xa812dc60, 0xa1ebddf8, 0x991be14c, 0xdb6e6b0d, + 0xc67b5510, 0x6d672c37, 0x2765d43b, 0xdcd0e804, 0xf1290dc7, 0xcc00ffa3, + 0xb5390f92, 0x690fed0b, 0x667b9ffb, 0xcedb7d9c, 0xa091cf0b, 0xd9155ea3, + 0xbb132f88, 0x515bad24, 0x7b9479bf, 0x763bd6eb, 0x37392eb3, 0xcc115979, + 0x8026e297, 0xf42e312d, 0x6842ada7, 0xc66a2b3b, 0x12754ccc, 0x782ef11c, + 0x6a124237, 0xb79251e7, 0x06a1bbe6, 0x4bfb6350, 0x1a6b1018, 0x11caedfa, + 0x3d25bdd8, 0xe2e1c3c9, 0x44421659, 0x0a121386, 0xd90cec6e, 0xd5abea2a, + 0x64af674e, 0xda86a85f, 0xbebfe988, 0x64e4c3fe, 0x9dbc8057, 0xf0f7c086, + 0x60787bf8, 0x6003604d, 0xd1fd8346, 0xf6381fb0, 0x7745ae04, 0xd736fccc, + 0x83426b33, 0xf01eab71, 0xb0804187, 0x3c005e5f, 0x77a057be, 0xbde8ae24, + 0x55464299, 0xbf582e61, 0x4e58f48f, 0xf2ddfda2, 0xf474ef38, 0x8789bdc2, + 0x5366f9c3, 0xc8b38e74, 0xb475f255, 0x46fcd9b9, 0x7aeb2661, 0x8b1ddf84, + 0x846a0e79, 0x915f95e2, 0x466e598e, 0x20b45770, 0x8cd55591, 0xc902de4c, + 0xb90bace1, 0xbb8205d0, 0x11a86248, 0x7574a99e, 0xb77f19b6, 0xe0a9dc09, + 0x662d09a1, 0xc4324633, 0xe85a1f02, 0x09f0be8c, 0x4a99a025, 0x1d6efe10, + 0x1ab93d1d, 0x0ba5a4df, 0xa186f20f, 0x2868f169, 0xdcb7da83, 0x573906fe, + 0xa1e2ce9b, 0x4fcd7f52, 0x50115e01, 0xa70683fa, 0xa002b5c4, 0x0de6d027, + 0x9af88c27, 0x773f8641, 0xc3604c06, 0x61a806b5, 0xf0177a28, 0xc0f586e0, + 0x006058aa, 0x30dc7d62, 0x11e69ed7, 0x2338ea63, 0x53c2dd94, 0xc2c21634, + 0xbbcbee56, 0x90bcb6de, 0xebfc7da1, 0xce591d76, 0x6f05e409, 0x4b7c0188, + 0x39720a3d, 0x7c927c24, 0x86e3725f, 0x724d9db9, 0x1ac15bb4, 0xd39eb8fc, + 0xed545578, 0x08fca5b5, 0xd83d7cd3, 0x4dad0fc4, 0x1e50ef5e, 0xb161e6f8, + 0xa28514d9, 0x6c51133c, 0x6fd5c7e7, 0x56e14ec4, 0x362abfce, 0xddc6c837, + 0xd79a3234, 0x92638212, 0x670efa8e, 0x406000e0, +} + +var s3 = [256]uint32{ + 0x3a39ce37, 0xd3faf5cf, 0xabc27737, 0x5ac52d1b, 0x5cb0679e, 0x4fa33742, + 0xd3822740, 0x99bc9bbe, 0xd5118e9d, 0xbf0f7315, 0xd62d1c7e, 0xc700c47b, + 0xb78c1b6b, 0x21a19045, 0xb26eb1be, 0x6a366eb4, 0x5748ab2f, 0xbc946e79, + 0xc6a376d2, 0x6549c2c8, 0x530ff8ee, 0x468dde7d, 0xd5730a1d, 0x4cd04dc6, + 0x2939bbdb, 0xa9ba4650, 0xac9526e8, 0xbe5ee304, 0xa1fad5f0, 0x6a2d519a, + 0x63ef8ce2, 0x9a86ee22, 0xc089c2b8, 0x43242ef6, 0xa51e03aa, 0x9cf2d0a4, + 0x83c061ba, 0x9be96a4d, 0x8fe51550, 0xba645bd6, 0x2826a2f9, 0xa73a3ae1, + 0x4ba99586, 0xef5562e9, 0xc72fefd3, 0xf752f7da, 0x3f046f69, 0x77fa0a59, + 0x80e4a915, 0x87b08601, 0x9b09e6ad, 0x3b3ee593, 0xe990fd5a, 0x9e34d797, + 0x2cf0b7d9, 0x022b8b51, 0x96d5ac3a, 0x017da67d, 0xd1cf3ed6, 0x7c7d2d28, + 0x1f9f25cf, 0xadf2b89b, 0x5ad6b472, 0x5a88f54c, 0xe029ac71, 0xe019a5e6, + 0x47b0acfd, 0xed93fa9b, 0xe8d3c48d, 0x283b57cc, 0xf8d56629, 0x79132e28, + 0x785f0191, 0xed756055, 0xf7960e44, 0xe3d35e8c, 0x15056dd4, 0x88f46dba, + 0x03a16125, 0x0564f0bd, 0xc3eb9e15, 0x3c9057a2, 0x97271aec, 0xa93a072a, + 0x1b3f6d9b, 0x1e6321f5, 0xf59c66fb, 0x26dcf319, 0x7533d928, 0xb155fdf5, + 0x03563482, 0x8aba3cbb, 0x28517711, 0xc20ad9f8, 0xabcc5167, 0xccad925f, + 0x4de81751, 0x3830dc8e, 0x379d5862, 0x9320f991, 0xea7a90c2, 0xfb3e7bce, + 0x5121ce64, 0x774fbe32, 0xa8b6e37e, 0xc3293d46, 0x48de5369, 0x6413e680, + 0xa2ae0810, 0xdd6db224, 0x69852dfd, 0x09072166, 0xb39a460a, 0x6445c0dd, + 0x586cdecf, 0x1c20c8ae, 0x5bbef7dd, 0x1b588d40, 0xccd2017f, 0x6bb4e3bb, + 0xdda26a7e, 0x3a59ff45, 0x3e350a44, 0xbcb4cdd5, 0x72eacea8, 0xfa6484bb, + 0x8d6612ae, 0xbf3c6f47, 0xd29be463, 0x542f5d9e, 0xaec2771b, 0xf64e6370, + 0x740e0d8d, 0xe75b1357, 0xf8721671, 0xaf537d5d, 0x4040cb08, 0x4eb4e2cc, + 0x34d2466a, 0x0115af84, 0xe1b00428, 0x95983a1d, 0x06b89fb4, 0xce6ea048, + 0x6f3f3b82, 0x3520ab82, 0x011a1d4b, 0x277227f8, 0x611560b1, 0xe7933fdc, + 0xbb3a792b, 0x344525bd, 0xa08839e1, 0x51ce794b, 0x2f32c9b7, 0xa01fbac9, + 0xe01cc87e, 0xbcc7d1f6, 0xcf0111c3, 0xa1e8aac7, 0x1a908749, 0xd44fbd9a, + 0xd0dadecb, 0xd50ada38, 0x0339c32a, 0xc6913667, 0x8df9317c, 0xe0b12b4f, + 0xf79e59b7, 0x43f5bb3a, 0xf2d519ff, 0x27d9459c, 0xbf97222c, 0x15e6fc2a, + 0x0f91fc71, 0x9b941525, 0xfae59361, 0xceb69ceb, 0xc2a86459, 0x12baa8d1, + 0xb6c1075e, 0xe3056a0c, 0x10d25065, 0xcb03a442, 0xe0ec6e0e, 0x1698db3b, + 0x4c98a0be, 0x3278e964, 0x9f1f9532, 0xe0d392df, 0xd3a0342b, 0x8971f21e, + 0x1b0a7441, 0x4ba3348c, 0xc5be7120, 0xc37632d8, 0xdf359f8d, 0x9b992f2e, + 0xe60b6f47, 0x0fe3f11d, 0xe54cda54, 0x1edad891, 0xce6279cf, 0xcd3e7e6f, + 0x1618b166, 0xfd2c1d05, 0x848fd2c5, 0xf6fb2299, 0xf523f357, 0xa6327623, + 0x93a83531, 0x56cccd02, 0xacf08162, 0x5a75ebb5, 0x6e163697, 0x88d273cc, + 0xde966292, 0x81b949d0, 0x4c50901b, 0x71c65614, 0xe6c6c7bd, 0x327a140a, + 0x45e1d006, 0xc3f27b9a, 0xc9aa53fd, 0x62a80f00, 0xbb25bfe2, 0x35bdd2f6, + 0x71126905, 0xb2040222, 0xb6cbcf7c, 0xcd769c2b, 0x53113ec0, 0x1640e3d3, + 0x38abbd60, 0x2547adf0, 0xba38209c, 0xf746ce76, 0x77afa1c5, 0x20756060, + 0x85cbfe4e, 0x8ae88dd8, 0x7aaaf9b0, 0x4cf9aa7e, 0x1948c25c, 0x02fb8a8c, + 0x01c36ae4, 0xd6ebe1f9, 0x90d4f869, 0xa65cdea0, 0x3f09252d, 0xc208e69f, + 0xb74e6132, 0xce77e25b, 0x578fdfe3, 0x3ac372e6, +} + +var p = [18]uint32{ + 0x243f6a88, 0x85a308d3, 0x13198a2e, 0x03707344, 0xa4093822, 0x299f31d0, + 0x082efa98, 0xec4e6c89, 0x452821e6, 0x38d01377, 0xbe5466cf, 0x34e90c6c, + 0xc0ac29b7, 0xc97c50dd, 0x3f84d5b5, 0xb5470917, 0x9216d5d9, 0x8979fb1b, +} diff --git a/vendor/golang.org/x/crypto/cast5/cast5.go b/vendor/golang.org/x/crypto/cast5/cast5.go new file mode 100644 index 0000000000..016e90215c --- /dev/null +++ b/vendor/golang.org/x/crypto/cast5/cast5.go @@ -0,0 +1,536 @@ +// Copyright 2010 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +// Package cast5 implements CAST5, as defined in RFC 2144. +// +// CAST5 is a legacy cipher and its short block size makes it vulnerable to +// birthday bound attacks (see https://sweet32.info). It should only be used +// where compatibility with legacy systems, not security, is the goal. +// +// Deprecated: any new system should use AES (from crypto/aes, if necessary in +// an AEAD mode like crypto/cipher.NewGCM) or XChaCha20-Poly1305 (from +// golang.org/x/crypto/chacha20poly1305). +package cast5 + +import ( + "errors" + "math/bits" +) + +const BlockSize = 8 +const KeySize = 16 + +type Cipher struct { + masking [16]uint32 + rotate [16]uint8 +} + +func NewCipher(key []byte) (c *Cipher, err error) { + if len(key) != KeySize { + return nil, errors.New("CAST5: keys must be 16 bytes") + } + + c = new(Cipher) + c.keySchedule(key) + return +} + +func (c *Cipher) BlockSize() int { + return BlockSize +} + +func (c *Cipher) Encrypt(dst, src []byte) { + l := uint32(src[0])<<24 | uint32(src[1])<<16 | uint32(src[2])<<8 | uint32(src[3]) + r := uint32(src[4])<<24 | uint32(src[5])<<16 | uint32(src[6])<<8 | uint32(src[7]) + + l, r = r, l^f1(r, c.masking[0], c.rotate[0]) + l, r = r, l^f2(r, c.masking[1], c.rotate[1]) + l, r = r, l^f3(r, c.masking[2], c.rotate[2]) + l, r = r, l^f1(r, c.masking[3], c.rotate[3]) + + l, r = r, l^f2(r, c.masking[4], c.rotate[4]) + l, r = r, l^f3(r, c.masking[5], c.rotate[5]) + l, r = r, l^f1(r, c.masking[6], c.rotate[6]) + l, r = r, l^f2(r, c.masking[7], c.rotate[7]) + + l, r = r, l^f3(r, c.masking[8], c.rotate[8]) + l, r = r, l^f1(r, c.masking[9], c.rotate[9]) + l, r = r, l^f2(r, c.masking[10], c.rotate[10]) + l, r = r, l^f3(r, c.masking[11], c.rotate[11]) + + l, r = r, l^f1(r, c.masking[12], c.rotate[12]) + l, r = r, l^f2(r, c.masking[13], c.rotate[13]) + l, r = r, l^f3(r, c.masking[14], c.rotate[14]) + l, r = r, l^f1(r, c.masking[15], c.rotate[15]) + + dst[0] = uint8(r >> 24) + dst[1] = uint8(r >> 16) + dst[2] = uint8(r >> 8) + dst[3] = uint8(r) + dst[4] = uint8(l >> 24) + dst[5] = uint8(l >> 16) + dst[6] = uint8(l >> 8) + dst[7] = uint8(l) +} + +func (c *Cipher) Decrypt(dst, src []byte) { + l := uint32(src[0])<<24 | uint32(src[1])<<16 | uint32(src[2])<<8 | uint32(src[3]) + r := uint32(src[4])<<24 | uint32(src[5])<<16 | uint32(src[6])<<8 | uint32(src[7]) + + l, r = r, l^f1(r, c.masking[15], c.rotate[15]) + l, r = r, l^f3(r, c.masking[14], c.rotate[14]) + l, r = r, l^f2(r, c.masking[13], c.rotate[13]) + l, r = r, l^f1(r, c.masking[12], c.rotate[12]) + + l, r = r, l^f3(r, c.masking[11], c.rotate[11]) + l, r = r, l^f2(r, c.masking[10], c.rotate[10]) + l, r = r, l^f1(r, c.masking[9], c.rotate[9]) + l, r = r, l^f3(r, c.masking[8], c.rotate[8]) + + l, r = r, l^f2(r, c.masking[7], c.rotate[7]) + l, r = r, l^f1(r, c.masking[6], c.rotate[6]) + l, r = r, l^f3(r, c.masking[5], c.rotate[5]) + l, r = r, l^f2(r, c.masking[4], c.rotate[4]) + + l, r = r, l^f1(r, c.masking[3], c.rotate[3]) + l, r = r, l^f3(r, c.masking[2], c.rotate[2]) + l, r = r, l^f2(r, c.masking[1], c.rotate[1]) + l, r = r, l^f1(r, c.masking[0], c.rotate[0]) + + dst[0] = uint8(r >> 24) + dst[1] = uint8(r >> 16) + dst[2] = uint8(r >> 8) + dst[3] = uint8(r) + dst[4] = uint8(l >> 24) + dst[5] = uint8(l >> 16) + dst[6] = uint8(l >> 8) + dst[7] = uint8(l) +} + +type keyScheduleA [4][7]uint8 +type keyScheduleB [4][5]uint8 + +// keyScheduleRound contains the magic values for a round of the key schedule. +// The keyScheduleA deals with the lines like: +// z0z1z2z3 = x0x1x2x3 ^ S5[xD] ^ S6[xF] ^ S7[xC] ^ S8[xE] ^ S7[x8] +// Conceptually, both x and z are in the same array, x first. The first +// element describes which word of this array gets written to and the +// second, which word gets read. So, for the line above, it's "4, 0", because +// it's writing to the first word of z, which, being after x, is word 4, and +// reading from the first word of x: word 0. +// +// Next are the indexes into the S-boxes. Now the array is treated as bytes. So +// "xD" is 0xd. The first byte of z is written as "16 + 0", just to be clear +// that it's z that we're indexing. +// +// keyScheduleB deals with lines like: +// K1 = S5[z8] ^ S6[z9] ^ S7[z7] ^ S8[z6] ^ S5[z2] +// "K1" is ignored because key words are always written in order. So the five +// elements are the S-box indexes. They use the same form as in keyScheduleA, +// above. + +type keyScheduleRound struct{} +type keySchedule []keyScheduleRound + +var schedule = []struct { + a keyScheduleA + b keyScheduleB +}{ + { + keyScheduleA{ + {4, 0, 0xd, 0xf, 0xc, 0xe, 0x8}, + {5, 2, 16 + 0, 16 + 2, 16 + 1, 16 + 3, 0xa}, + {6, 3, 16 + 7, 16 + 6, 16 + 5, 16 + 4, 9}, + {7, 1, 16 + 0xa, 16 + 9, 16 + 0xb, 16 + 8, 0xb}, + }, + keyScheduleB{ + {16 + 8, 16 + 9, 16 + 7, 16 + 6, 16 + 2}, + {16 + 0xa, 16 + 0xb, 16 + 5, 16 + 4, 16 + 6}, + {16 + 0xc, 16 + 0xd, 16 + 3, 16 + 2, 16 + 9}, + {16 + 0xe, 16 + 0xf, 16 + 1, 16 + 0, 16 + 0xc}, + }, + }, + { + keyScheduleA{ + {0, 6, 16 + 5, 16 + 7, 16 + 4, 16 + 6, 16 + 0}, + {1, 4, 0, 2, 1, 3, 16 + 2}, + {2, 5, 7, 6, 5, 4, 16 + 1}, + {3, 7, 0xa, 9, 0xb, 8, 16 + 3}, + }, + keyScheduleB{ + {3, 2, 0xc, 0xd, 8}, + {1, 0, 0xe, 0xf, 0xd}, + {7, 6, 8, 9, 3}, + {5, 4, 0xa, 0xb, 7}, + }, + }, + { + keyScheduleA{ + {4, 0, 0xd, 0xf, 0xc, 0xe, 8}, + {5, 2, 16 + 0, 16 + 2, 16 + 1, 16 + 3, 0xa}, + {6, 3, 16 + 7, 16 + 6, 16 + 5, 16 + 4, 9}, + {7, 1, 16 + 0xa, 16 + 9, 16 + 0xb, 16 + 8, 0xb}, + }, + keyScheduleB{ + {16 + 3, 16 + 2, 16 + 0xc, 16 + 0xd, 16 + 9}, + {16 + 1, 16 + 0, 16 + 0xe, 16 + 0xf, 16 + 0xc}, + {16 + 7, 16 + 6, 16 + 8, 16 + 9, 16 + 2}, + {16 + 5, 16 + 4, 16 + 0xa, 16 + 0xb, 16 + 6}, + }, + }, + { + keyScheduleA{ + {0, 6, 16 + 5, 16 + 7, 16 + 4, 16 + 6, 16 + 0}, + {1, 4, 0, 2, 1, 3, 16 + 2}, + {2, 5, 7, 6, 5, 4, 16 + 1}, + {3, 7, 0xa, 9, 0xb, 8, 16 + 3}, + }, + keyScheduleB{ + {8, 9, 7, 6, 3}, + {0xa, 0xb, 5, 4, 7}, + {0xc, 0xd, 3, 2, 8}, + {0xe, 0xf, 1, 0, 0xd}, + }, + }, +} + +func (c *Cipher) keySchedule(in []byte) { + var t [8]uint32 + var k [32]uint32 + + for i := 0; i < 4; i++ { + j := i * 4 + t[i] = uint32(in[j])<<24 | uint32(in[j+1])<<16 | uint32(in[j+2])<<8 | uint32(in[j+3]) + } + + x := []byte{6, 7, 4, 5} + ki := 0 + + for half := 0; half < 2; half++ { + for _, round := range schedule { + for j := 0; j < 4; j++ { + var a [7]uint8 + copy(a[:], round.a[j][:]) + w := t[a[1]] + w ^= sBox[4][(t[a[2]>>2]>>(24-8*(a[2]&3)))&0xff] + w ^= sBox[5][(t[a[3]>>2]>>(24-8*(a[3]&3)))&0xff] + w ^= sBox[6][(t[a[4]>>2]>>(24-8*(a[4]&3)))&0xff] + w ^= sBox[7][(t[a[5]>>2]>>(24-8*(a[5]&3)))&0xff] + w ^= sBox[x[j]][(t[a[6]>>2]>>(24-8*(a[6]&3)))&0xff] + t[a[0]] = w + } + + for j := 0; j < 4; j++ { + var b [5]uint8 + copy(b[:], round.b[j][:]) + w := sBox[4][(t[b[0]>>2]>>(24-8*(b[0]&3)))&0xff] + w ^= sBox[5][(t[b[1]>>2]>>(24-8*(b[1]&3)))&0xff] + w ^= sBox[6][(t[b[2]>>2]>>(24-8*(b[2]&3)))&0xff] + w ^= sBox[7][(t[b[3]>>2]>>(24-8*(b[3]&3)))&0xff] + w ^= sBox[4+j][(t[b[4]>>2]>>(24-8*(b[4]&3)))&0xff] + k[ki] = w + ki++ + } + } + } + + for i := 0; i < 16; i++ { + c.masking[i] = k[i] + c.rotate[i] = uint8(k[16+i] & 0x1f) + } +} + +// These are the three 'f' functions. See RFC 2144, section 2.2. +func f1(d, m uint32, r uint8) uint32 { + t := m + d + I := bits.RotateLeft32(t, int(r)) + return ((sBox[0][I>>24] ^ sBox[1][(I>>16)&0xff]) - sBox[2][(I>>8)&0xff]) + sBox[3][I&0xff] +} + +func f2(d, m uint32, r uint8) uint32 { + t := m ^ d + I := bits.RotateLeft32(t, int(r)) + return ((sBox[0][I>>24] - sBox[1][(I>>16)&0xff]) + sBox[2][(I>>8)&0xff]) ^ sBox[3][I&0xff] +} + +func f3(d, m uint32, r uint8) uint32 { + t := m - d + I := bits.RotateLeft32(t, int(r)) + return ((sBox[0][I>>24] + sBox[1][(I>>16)&0xff]) ^ sBox[2][(I>>8)&0xff]) - sBox[3][I&0xff] +} + +var sBox = [8][256]uint32{ + { + 0x30fb40d4, 0x9fa0ff0b, 0x6beccd2f, 0x3f258c7a, 0x1e213f2f, 0x9c004dd3, 0x6003e540, 0xcf9fc949, + 0xbfd4af27, 0x88bbbdb5, 0xe2034090, 0x98d09675, 0x6e63a0e0, 0x15c361d2, 0xc2e7661d, 0x22d4ff8e, + 0x28683b6f, 0xc07fd059, 0xff2379c8, 0x775f50e2, 0x43c340d3, 0xdf2f8656, 0x887ca41a, 0xa2d2bd2d, + 0xa1c9e0d6, 0x346c4819, 0x61b76d87, 0x22540f2f, 0x2abe32e1, 0xaa54166b, 0x22568e3a, 0xa2d341d0, + 0x66db40c8, 0xa784392f, 0x004dff2f, 0x2db9d2de, 0x97943fac, 0x4a97c1d8, 0x527644b7, 0xb5f437a7, + 0xb82cbaef, 0xd751d159, 0x6ff7f0ed, 0x5a097a1f, 0x827b68d0, 0x90ecf52e, 0x22b0c054, 0xbc8e5935, + 0x4b6d2f7f, 0x50bb64a2, 0xd2664910, 0xbee5812d, 0xb7332290, 0xe93b159f, 0xb48ee411, 0x4bff345d, + 0xfd45c240, 0xad31973f, 0xc4f6d02e, 0x55fc8165, 0xd5b1caad, 0xa1ac2dae, 0xa2d4b76d, 0xc19b0c50, + 0x882240f2, 0x0c6e4f38, 0xa4e4bfd7, 0x4f5ba272, 0x564c1d2f, 0xc59c5319, 0xb949e354, 0xb04669fe, + 0xb1b6ab8a, 0xc71358dd, 0x6385c545, 0x110f935d, 0x57538ad5, 0x6a390493, 0xe63d37e0, 0x2a54f6b3, + 0x3a787d5f, 0x6276a0b5, 0x19a6fcdf, 0x7a42206a, 0x29f9d4d5, 0xf61b1891, 0xbb72275e, 0xaa508167, + 0x38901091, 0xc6b505eb, 0x84c7cb8c, 0x2ad75a0f, 0x874a1427, 0xa2d1936b, 0x2ad286af, 0xaa56d291, + 0xd7894360, 0x425c750d, 0x93b39e26, 0x187184c9, 0x6c00b32d, 0x73e2bb14, 0xa0bebc3c, 0x54623779, + 0x64459eab, 0x3f328b82, 0x7718cf82, 0x59a2cea6, 0x04ee002e, 0x89fe78e6, 0x3fab0950, 0x325ff6c2, + 0x81383f05, 0x6963c5c8, 0x76cb5ad6, 0xd49974c9, 0xca180dcf, 0x380782d5, 0xc7fa5cf6, 0x8ac31511, + 0x35e79e13, 0x47da91d0, 0xf40f9086, 0xa7e2419e, 0x31366241, 0x051ef495, 0xaa573b04, 0x4a805d8d, + 0x548300d0, 0x00322a3c, 0xbf64cddf, 0xba57a68e, 0x75c6372b, 0x50afd341, 0xa7c13275, 0x915a0bf5, + 0x6b54bfab, 0x2b0b1426, 0xab4cc9d7, 0x449ccd82, 0xf7fbf265, 0xab85c5f3, 0x1b55db94, 0xaad4e324, + 0xcfa4bd3f, 0x2deaa3e2, 0x9e204d02, 0xc8bd25ac, 0xeadf55b3, 0xd5bd9e98, 0xe31231b2, 0x2ad5ad6c, + 0x954329de, 0xadbe4528, 0xd8710f69, 0xaa51c90f, 0xaa786bf6, 0x22513f1e, 0xaa51a79b, 0x2ad344cc, + 0x7b5a41f0, 0xd37cfbad, 0x1b069505, 0x41ece491, 0xb4c332e6, 0x032268d4, 0xc9600acc, 0xce387e6d, + 0xbf6bb16c, 0x6a70fb78, 0x0d03d9c9, 0xd4df39de, 0xe01063da, 0x4736f464, 0x5ad328d8, 0xb347cc96, + 0x75bb0fc3, 0x98511bfb, 0x4ffbcc35, 0xb58bcf6a, 0xe11f0abc, 0xbfc5fe4a, 0xa70aec10, 0xac39570a, + 0x3f04442f, 0x6188b153, 0xe0397a2e, 0x5727cb79, 0x9ceb418f, 0x1cacd68d, 0x2ad37c96, 0x0175cb9d, + 0xc69dff09, 0xc75b65f0, 0xd9db40d8, 0xec0e7779, 0x4744ead4, 0xb11c3274, 0xdd24cb9e, 0x7e1c54bd, + 0xf01144f9, 0xd2240eb1, 0x9675b3fd, 0xa3ac3755, 0xd47c27af, 0x51c85f4d, 0x56907596, 0xa5bb15e6, + 0x580304f0, 0xca042cf1, 0x011a37ea, 0x8dbfaadb, 0x35ba3e4a, 0x3526ffa0, 0xc37b4d09, 0xbc306ed9, + 0x98a52666, 0x5648f725, 0xff5e569d, 0x0ced63d0, 0x7c63b2cf, 0x700b45e1, 0xd5ea50f1, 0x85a92872, + 0xaf1fbda7, 0xd4234870, 0xa7870bf3, 0x2d3b4d79, 0x42e04198, 0x0cd0ede7, 0x26470db8, 0xf881814c, + 0x474d6ad7, 0x7c0c5e5c, 0xd1231959, 0x381b7298, 0xf5d2f4db, 0xab838653, 0x6e2f1e23, 0x83719c9e, + 0xbd91e046, 0x9a56456e, 0xdc39200c, 0x20c8c571, 0x962bda1c, 0xe1e696ff, 0xb141ab08, 0x7cca89b9, + 0x1a69e783, 0x02cc4843, 0xa2f7c579, 0x429ef47d, 0x427b169c, 0x5ac9f049, 0xdd8f0f00, 0x5c8165bf, + }, + { + 0x1f201094, 0xef0ba75b, 0x69e3cf7e, 0x393f4380, 0xfe61cf7a, 0xeec5207a, 0x55889c94, 0x72fc0651, + 0xada7ef79, 0x4e1d7235, 0xd55a63ce, 0xde0436ba, 0x99c430ef, 0x5f0c0794, 0x18dcdb7d, 0xa1d6eff3, + 0xa0b52f7b, 0x59e83605, 0xee15b094, 0xe9ffd909, 0xdc440086, 0xef944459, 0xba83ccb3, 0xe0c3cdfb, + 0xd1da4181, 0x3b092ab1, 0xf997f1c1, 0xa5e6cf7b, 0x01420ddb, 0xe4e7ef5b, 0x25a1ff41, 0xe180f806, + 0x1fc41080, 0x179bee7a, 0xd37ac6a9, 0xfe5830a4, 0x98de8b7f, 0x77e83f4e, 0x79929269, 0x24fa9f7b, + 0xe113c85b, 0xacc40083, 0xd7503525, 0xf7ea615f, 0x62143154, 0x0d554b63, 0x5d681121, 0xc866c359, + 0x3d63cf73, 0xcee234c0, 0xd4d87e87, 0x5c672b21, 0x071f6181, 0x39f7627f, 0x361e3084, 0xe4eb573b, + 0x602f64a4, 0xd63acd9c, 0x1bbc4635, 0x9e81032d, 0x2701f50c, 0x99847ab4, 0xa0e3df79, 0xba6cf38c, + 0x10843094, 0x2537a95e, 0xf46f6ffe, 0xa1ff3b1f, 0x208cfb6a, 0x8f458c74, 0xd9e0a227, 0x4ec73a34, + 0xfc884f69, 0x3e4de8df, 0xef0e0088, 0x3559648d, 0x8a45388c, 0x1d804366, 0x721d9bfd, 0xa58684bb, + 0xe8256333, 0x844e8212, 0x128d8098, 0xfed33fb4, 0xce280ae1, 0x27e19ba5, 0xd5a6c252, 0xe49754bd, + 0xc5d655dd, 0xeb667064, 0x77840b4d, 0xa1b6a801, 0x84db26a9, 0xe0b56714, 0x21f043b7, 0xe5d05860, + 0x54f03084, 0x066ff472, 0xa31aa153, 0xdadc4755, 0xb5625dbf, 0x68561be6, 0x83ca6b94, 0x2d6ed23b, + 0xeccf01db, 0xa6d3d0ba, 0xb6803d5c, 0xaf77a709, 0x33b4a34c, 0x397bc8d6, 0x5ee22b95, 0x5f0e5304, + 0x81ed6f61, 0x20e74364, 0xb45e1378, 0xde18639b, 0x881ca122, 0xb96726d1, 0x8049a7e8, 0x22b7da7b, + 0x5e552d25, 0x5272d237, 0x79d2951c, 0xc60d894c, 0x488cb402, 0x1ba4fe5b, 0xa4b09f6b, 0x1ca815cf, + 0xa20c3005, 0x8871df63, 0xb9de2fcb, 0x0cc6c9e9, 0x0beeff53, 0xe3214517, 0xb4542835, 0x9f63293c, + 0xee41e729, 0x6e1d2d7c, 0x50045286, 0x1e6685f3, 0xf33401c6, 0x30a22c95, 0x31a70850, 0x60930f13, + 0x73f98417, 0xa1269859, 0xec645c44, 0x52c877a9, 0xcdff33a6, 0xa02b1741, 0x7cbad9a2, 0x2180036f, + 0x50d99c08, 0xcb3f4861, 0xc26bd765, 0x64a3f6ab, 0x80342676, 0x25a75e7b, 0xe4e6d1fc, 0x20c710e6, + 0xcdf0b680, 0x17844d3b, 0x31eef84d, 0x7e0824e4, 0x2ccb49eb, 0x846a3bae, 0x8ff77888, 0xee5d60f6, + 0x7af75673, 0x2fdd5cdb, 0xa11631c1, 0x30f66f43, 0xb3faec54, 0x157fd7fa, 0xef8579cc, 0xd152de58, + 0xdb2ffd5e, 0x8f32ce19, 0x306af97a, 0x02f03ef8, 0x99319ad5, 0xc242fa0f, 0xa7e3ebb0, 0xc68e4906, + 0xb8da230c, 0x80823028, 0xdcdef3c8, 0xd35fb171, 0x088a1bc8, 0xbec0c560, 0x61a3c9e8, 0xbca8f54d, + 0xc72feffa, 0x22822e99, 0x82c570b4, 0xd8d94e89, 0x8b1c34bc, 0x301e16e6, 0x273be979, 0xb0ffeaa6, + 0x61d9b8c6, 0x00b24869, 0xb7ffce3f, 0x08dc283b, 0x43daf65a, 0xf7e19798, 0x7619b72f, 0x8f1c9ba4, + 0xdc8637a0, 0x16a7d3b1, 0x9fc393b7, 0xa7136eeb, 0xc6bcc63e, 0x1a513742, 0xef6828bc, 0x520365d6, + 0x2d6a77ab, 0x3527ed4b, 0x821fd216, 0x095c6e2e, 0xdb92f2fb, 0x5eea29cb, 0x145892f5, 0x91584f7f, + 0x5483697b, 0x2667a8cc, 0x85196048, 0x8c4bacea, 0x833860d4, 0x0d23e0f9, 0x6c387e8a, 0x0ae6d249, + 0xb284600c, 0xd835731d, 0xdcb1c647, 0xac4c56ea, 0x3ebd81b3, 0x230eabb0, 0x6438bc87, 0xf0b5b1fa, + 0x8f5ea2b3, 0xfc184642, 0x0a036b7a, 0x4fb089bd, 0x649da589, 0xa345415e, 0x5c038323, 0x3e5d3bb9, + 0x43d79572, 0x7e6dd07c, 0x06dfdf1e, 0x6c6cc4ef, 0x7160a539, 0x73bfbe70, 0x83877605, 0x4523ecf1, + }, + { + 0x8defc240, 0x25fa5d9f, 0xeb903dbf, 0xe810c907, 0x47607fff, 0x369fe44b, 0x8c1fc644, 0xaececa90, + 0xbeb1f9bf, 0xeefbcaea, 0xe8cf1950, 0x51df07ae, 0x920e8806, 0xf0ad0548, 0xe13c8d83, 0x927010d5, + 0x11107d9f, 0x07647db9, 0xb2e3e4d4, 0x3d4f285e, 0xb9afa820, 0xfade82e0, 0xa067268b, 0x8272792e, + 0x553fb2c0, 0x489ae22b, 0xd4ef9794, 0x125e3fbc, 0x21fffcee, 0x825b1bfd, 0x9255c5ed, 0x1257a240, + 0x4e1a8302, 0xbae07fff, 0x528246e7, 0x8e57140e, 0x3373f7bf, 0x8c9f8188, 0xa6fc4ee8, 0xc982b5a5, + 0xa8c01db7, 0x579fc264, 0x67094f31, 0xf2bd3f5f, 0x40fff7c1, 0x1fb78dfc, 0x8e6bd2c1, 0x437be59b, + 0x99b03dbf, 0xb5dbc64b, 0x638dc0e6, 0x55819d99, 0xa197c81c, 0x4a012d6e, 0xc5884a28, 0xccc36f71, + 0xb843c213, 0x6c0743f1, 0x8309893c, 0x0feddd5f, 0x2f7fe850, 0xd7c07f7e, 0x02507fbf, 0x5afb9a04, + 0xa747d2d0, 0x1651192e, 0xaf70bf3e, 0x58c31380, 0x5f98302e, 0x727cc3c4, 0x0a0fb402, 0x0f7fef82, + 0x8c96fdad, 0x5d2c2aae, 0x8ee99a49, 0x50da88b8, 0x8427f4a0, 0x1eac5790, 0x796fb449, 0x8252dc15, + 0xefbd7d9b, 0xa672597d, 0xada840d8, 0x45f54504, 0xfa5d7403, 0xe83ec305, 0x4f91751a, 0x925669c2, + 0x23efe941, 0xa903f12e, 0x60270df2, 0x0276e4b6, 0x94fd6574, 0x927985b2, 0x8276dbcb, 0x02778176, + 0xf8af918d, 0x4e48f79e, 0x8f616ddf, 0xe29d840e, 0x842f7d83, 0x340ce5c8, 0x96bbb682, 0x93b4b148, + 0xef303cab, 0x984faf28, 0x779faf9b, 0x92dc560d, 0x224d1e20, 0x8437aa88, 0x7d29dc96, 0x2756d3dc, + 0x8b907cee, 0xb51fd240, 0xe7c07ce3, 0xe566b4a1, 0xc3e9615e, 0x3cf8209d, 0x6094d1e3, 0xcd9ca341, + 0x5c76460e, 0x00ea983b, 0xd4d67881, 0xfd47572c, 0xf76cedd9, 0xbda8229c, 0x127dadaa, 0x438a074e, + 0x1f97c090, 0x081bdb8a, 0x93a07ebe, 0xb938ca15, 0x97b03cff, 0x3dc2c0f8, 0x8d1ab2ec, 0x64380e51, + 0x68cc7bfb, 0xd90f2788, 0x12490181, 0x5de5ffd4, 0xdd7ef86a, 0x76a2e214, 0xb9a40368, 0x925d958f, + 0x4b39fffa, 0xba39aee9, 0xa4ffd30b, 0xfaf7933b, 0x6d498623, 0x193cbcfa, 0x27627545, 0x825cf47a, + 0x61bd8ba0, 0xd11e42d1, 0xcead04f4, 0x127ea392, 0x10428db7, 0x8272a972, 0x9270c4a8, 0x127de50b, + 0x285ba1c8, 0x3c62f44f, 0x35c0eaa5, 0xe805d231, 0x428929fb, 0xb4fcdf82, 0x4fb66a53, 0x0e7dc15b, + 0x1f081fab, 0x108618ae, 0xfcfd086d, 0xf9ff2889, 0x694bcc11, 0x236a5cae, 0x12deca4d, 0x2c3f8cc5, + 0xd2d02dfe, 0xf8ef5896, 0xe4cf52da, 0x95155b67, 0x494a488c, 0xb9b6a80c, 0x5c8f82bc, 0x89d36b45, + 0x3a609437, 0xec00c9a9, 0x44715253, 0x0a874b49, 0xd773bc40, 0x7c34671c, 0x02717ef6, 0x4feb5536, + 0xa2d02fff, 0xd2bf60c4, 0xd43f03c0, 0x50b4ef6d, 0x07478cd1, 0x006e1888, 0xa2e53f55, 0xb9e6d4bc, + 0xa2048016, 0x97573833, 0xd7207d67, 0xde0f8f3d, 0x72f87b33, 0xabcc4f33, 0x7688c55d, 0x7b00a6b0, + 0x947b0001, 0x570075d2, 0xf9bb88f8, 0x8942019e, 0x4264a5ff, 0x856302e0, 0x72dbd92b, 0xee971b69, + 0x6ea22fde, 0x5f08ae2b, 0xaf7a616d, 0xe5c98767, 0xcf1febd2, 0x61efc8c2, 0xf1ac2571, 0xcc8239c2, + 0x67214cb8, 0xb1e583d1, 0xb7dc3e62, 0x7f10bdce, 0xf90a5c38, 0x0ff0443d, 0x606e6dc6, 0x60543a49, + 0x5727c148, 0x2be98a1d, 0x8ab41738, 0x20e1be24, 0xaf96da0f, 0x68458425, 0x99833be5, 0x600d457d, + 0x282f9350, 0x8334b362, 0xd91d1120, 0x2b6d8da0, 0x642b1e31, 0x9c305a00, 0x52bce688, 0x1b03588a, + 0xf7baefd5, 0x4142ed9c, 0xa4315c11, 0x83323ec5, 0xdfef4636, 0xa133c501, 0xe9d3531c, 0xee353783, + }, + { + 0x9db30420, 0x1fb6e9de, 0xa7be7bef, 0xd273a298, 0x4a4f7bdb, 0x64ad8c57, 0x85510443, 0xfa020ed1, + 0x7e287aff, 0xe60fb663, 0x095f35a1, 0x79ebf120, 0xfd059d43, 0x6497b7b1, 0xf3641f63, 0x241e4adf, + 0x28147f5f, 0x4fa2b8cd, 0xc9430040, 0x0cc32220, 0xfdd30b30, 0xc0a5374f, 0x1d2d00d9, 0x24147b15, + 0xee4d111a, 0x0fca5167, 0x71ff904c, 0x2d195ffe, 0x1a05645f, 0x0c13fefe, 0x081b08ca, 0x05170121, + 0x80530100, 0xe83e5efe, 0xac9af4f8, 0x7fe72701, 0xd2b8ee5f, 0x06df4261, 0xbb9e9b8a, 0x7293ea25, + 0xce84ffdf, 0xf5718801, 0x3dd64b04, 0xa26f263b, 0x7ed48400, 0x547eebe6, 0x446d4ca0, 0x6cf3d6f5, + 0x2649abdf, 0xaea0c7f5, 0x36338cc1, 0x503f7e93, 0xd3772061, 0x11b638e1, 0x72500e03, 0xf80eb2bb, + 0xabe0502e, 0xec8d77de, 0x57971e81, 0xe14f6746, 0xc9335400, 0x6920318f, 0x081dbb99, 0xffc304a5, + 0x4d351805, 0x7f3d5ce3, 0xa6c866c6, 0x5d5bcca9, 0xdaec6fea, 0x9f926f91, 0x9f46222f, 0x3991467d, + 0xa5bf6d8e, 0x1143c44f, 0x43958302, 0xd0214eeb, 0x022083b8, 0x3fb6180c, 0x18f8931e, 0x281658e6, + 0x26486e3e, 0x8bd78a70, 0x7477e4c1, 0xb506e07c, 0xf32d0a25, 0x79098b02, 0xe4eabb81, 0x28123b23, + 0x69dead38, 0x1574ca16, 0xdf871b62, 0x211c40b7, 0xa51a9ef9, 0x0014377b, 0x041e8ac8, 0x09114003, + 0xbd59e4d2, 0xe3d156d5, 0x4fe876d5, 0x2f91a340, 0x557be8de, 0x00eae4a7, 0x0ce5c2ec, 0x4db4bba6, + 0xe756bdff, 0xdd3369ac, 0xec17b035, 0x06572327, 0x99afc8b0, 0x56c8c391, 0x6b65811c, 0x5e146119, + 0x6e85cb75, 0xbe07c002, 0xc2325577, 0x893ff4ec, 0x5bbfc92d, 0xd0ec3b25, 0xb7801ab7, 0x8d6d3b24, + 0x20c763ef, 0xc366a5fc, 0x9c382880, 0x0ace3205, 0xaac9548a, 0xeca1d7c7, 0x041afa32, 0x1d16625a, + 0x6701902c, 0x9b757a54, 0x31d477f7, 0x9126b031, 0x36cc6fdb, 0xc70b8b46, 0xd9e66a48, 0x56e55a79, + 0x026a4ceb, 0x52437eff, 0x2f8f76b4, 0x0df980a5, 0x8674cde3, 0xedda04eb, 0x17a9be04, 0x2c18f4df, + 0xb7747f9d, 0xab2af7b4, 0xefc34d20, 0x2e096b7c, 0x1741a254, 0xe5b6a035, 0x213d42f6, 0x2c1c7c26, + 0x61c2f50f, 0x6552daf9, 0xd2c231f8, 0x25130f69, 0xd8167fa2, 0x0418f2c8, 0x001a96a6, 0x0d1526ab, + 0x63315c21, 0x5e0a72ec, 0x49bafefd, 0x187908d9, 0x8d0dbd86, 0x311170a7, 0x3e9b640c, 0xcc3e10d7, + 0xd5cad3b6, 0x0caec388, 0xf73001e1, 0x6c728aff, 0x71eae2a1, 0x1f9af36e, 0xcfcbd12f, 0xc1de8417, + 0xac07be6b, 0xcb44a1d8, 0x8b9b0f56, 0x013988c3, 0xb1c52fca, 0xb4be31cd, 0xd8782806, 0x12a3a4e2, + 0x6f7de532, 0x58fd7eb6, 0xd01ee900, 0x24adffc2, 0xf4990fc5, 0x9711aac5, 0x001d7b95, 0x82e5e7d2, + 0x109873f6, 0x00613096, 0xc32d9521, 0xada121ff, 0x29908415, 0x7fbb977f, 0xaf9eb3db, 0x29c9ed2a, + 0x5ce2a465, 0xa730f32c, 0xd0aa3fe8, 0x8a5cc091, 0xd49e2ce7, 0x0ce454a9, 0xd60acd86, 0x015f1919, + 0x77079103, 0xdea03af6, 0x78a8565e, 0xdee356df, 0x21f05cbe, 0x8b75e387, 0xb3c50651, 0xb8a5c3ef, + 0xd8eeb6d2, 0xe523be77, 0xc2154529, 0x2f69efdf, 0xafe67afb, 0xf470c4b2, 0xf3e0eb5b, 0xd6cc9876, + 0x39e4460c, 0x1fda8538, 0x1987832f, 0xca007367, 0xa99144f8, 0x296b299e, 0x492fc295, 0x9266beab, + 0xb5676e69, 0x9bd3ddda, 0xdf7e052f, 0xdb25701c, 0x1b5e51ee, 0xf65324e6, 0x6afce36c, 0x0316cc04, + 0x8644213e, 0xb7dc59d0, 0x7965291f, 0xccd6fd43, 0x41823979, 0x932bcdf6, 0xb657c34d, 0x4edfd282, + 0x7ae5290c, 0x3cb9536b, 0x851e20fe, 0x9833557e, 0x13ecf0b0, 0xd3ffb372, 0x3f85c5c1, 0x0aef7ed2, + }, + { + 0x7ec90c04, 0x2c6e74b9, 0x9b0e66df, 0xa6337911, 0xb86a7fff, 0x1dd358f5, 0x44dd9d44, 0x1731167f, + 0x08fbf1fa, 0xe7f511cc, 0xd2051b00, 0x735aba00, 0x2ab722d8, 0x386381cb, 0xacf6243a, 0x69befd7a, + 0xe6a2e77f, 0xf0c720cd, 0xc4494816, 0xccf5c180, 0x38851640, 0x15b0a848, 0xe68b18cb, 0x4caadeff, + 0x5f480a01, 0x0412b2aa, 0x259814fc, 0x41d0efe2, 0x4e40b48d, 0x248eb6fb, 0x8dba1cfe, 0x41a99b02, + 0x1a550a04, 0xba8f65cb, 0x7251f4e7, 0x95a51725, 0xc106ecd7, 0x97a5980a, 0xc539b9aa, 0x4d79fe6a, + 0xf2f3f763, 0x68af8040, 0xed0c9e56, 0x11b4958b, 0xe1eb5a88, 0x8709e6b0, 0xd7e07156, 0x4e29fea7, + 0x6366e52d, 0x02d1c000, 0xc4ac8e05, 0x9377f571, 0x0c05372a, 0x578535f2, 0x2261be02, 0xd642a0c9, + 0xdf13a280, 0x74b55bd2, 0x682199c0, 0xd421e5ec, 0x53fb3ce8, 0xc8adedb3, 0x28a87fc9, 0x3d959981, + 0x5c1ff900, 0xfe38d399, 0x0c4eff0b, 0x062407ea, 0xaa2f4fb1, 0x4fb96976, 0x90c79505, 0xb0a8a774, + 0xef55a1ff, 0xe59ca2c2, 0xa6b62d27, 0xe66a4263, 0xdf65001f, 0x0ec50966, 0xdfdd55bc, 0x29de0655, + 0x911e739a, 0x17af8975, 0x32c7911c, 0x89f89468, 0x0d01e980, 0x524755f4, 0x03b63cc9, 0x0cc844b2, + 0xbcf3f0aa, 0x87ac36e9, 0xe53a7426, 0x01b3d82b, 0x1a9e7449, 0x64ee2d7e, 0xcddbb1da, 0x01c94910, + 0xb868bf80, 0x0d26f3fd, 0x9342ede7, 0x04a5c284, 0x636737b6, 0x50f5b616, 0xf24766e3, 0x8eca36c1, + 0x136e05db, 0xfef18391, 0xfb887a37, 0xd6e7f7d4, 0xc7fb7dc9, 0x3063fcdf, 0xb6f589de, 0xec2941da, + 0x26e46695, 0xb7566419, 0xf654efc5, 0xd08d58b7, 0x48925401, 0xc1bacb7f, 0xe5ff550f, 0xb6083049, + 0x5bb5d0e8, 0x87d72e5a, 0xab6a6ee1, 0x223a66ce, 0xc62bf3cd, 0x9e0885f9, 0x68cb3e47, 0x086c010f, + 0xa21de820, 0xd18b69de, 0xf3f65777, 0xfa02c3f6, 0x407edac3, 0xcbb3d550, 0x1793084d, 0xb0d70eba, + 0x0ab378d5, 0xd951fb0c, 0xded7da56, 0x4124bbe4, 0x94ca0b56, 0x0f5755d1, 0xe0e1e56e, 0x6184b5be, + 0x580a249f, 0x94f74bc0, 0xe327888e, 0x9f7b5561, 0xc3dc0280, 0x05687715, 0x646c6bd7, 0x44904db3, + 0x66b4f0a3, 0xc0f1648a, 0x697ed5af, 0x49e92ff6, 0x309e374f, 0x2cb6356a, 0x85808573, 0x4991f840, + 0x76f0ae02, 0x083be84d, 0x28421c9a, 0x44489406, 0x736e4cb8, 0xc1092910, 0x8bc95fc6, 0x7d869cf4, + 0x134f616f, 0x2e77118d, 0xb31b2be1, 0xaa90b472, 0x3ca5d717, 0x7d161bba, 0x9cad9010, 0xaf462ba2, + 0x9fe459d2, 0x45d34559, 0xd9f2da13, 0xdbc65487, 0xf3e4f94e, 0x176d486f, 0x097c13ea, 0x631da5c7, + 0x445f7382, 0x175683f4, 0xcdc66a97, 0x70be0288, 0xb3cdcf72, 0x6e5dd2f3, 0x20936079, 0x459b80a5, + 0xbe60e2db, 0xa9c23101, 0xeba5315c, 0x224e42f2, 0x1c5c1572, 0xf6721b2c, 0x1ad2fff3, 0x8c25404e, + 0x324ed72f, 0x4067b7fd, 0x0523138e, 0x5ca3bc78, 0xdc0fd66e, 0x75922283, 0x784d6b17, 0x58ebb16e, + 0x44094f85, 0x3f481d87, 0xfcfeae7b, 0x77b5ff76, 0x8c2302bf, 0xaaf47556, 0x5f46b02a, 0x2b092801, + 0x3d38f5f7, 0x0ca81f36, 0x52af4a8a, 0x66d5e7c0, 0xdf3b0874, 0x95055110, 0x1b5ad7a8, 0xf61ed5ad, + 0x6cf6e479, 0x20758184, 0xd0cefa65, 0x88f7be58, 0x4a046826, 0x0ff6f8f3, 0xa09c7f70, 0x5346aba0, + 0x5ce96c28, 0xe176eda3, 0x6bac307f, 0x376829d2, 0x85360fa9, 0x17e3fe2a, 0x24b79767, 0xf5a96b20, + 0xd6cd2595, 0x68ff1ebf, 0x7555442c, 0xf19f06be, 0xf9e0659a, 0xeeb9491d, 0x34010718, 0xbb30cab8, + 0xe822fe15, 0x88570983, 0x750e6249, 0xda627e55, 0x5e76ffa8, 0xb1534546, 0x6d47de08, 0xefe9e7d4, + }, + { + 0xf6fa8f9d, 0x2cac6ce1, 0x4ca34867, 0xe2337f7c, 0x95db08e7, 0x016843b4, 0xeced5cbc, 0x325553ac, + 0xbf9f0960, 0xdfa1e2ed, 0x83f0579d, 0x63ed86b9, 0x1ab6a6b8, 0xde5ebe39, 0xf38ff732, 0x8989b138, + 0x33f14961, 0xc01937bd, 0xf506c6da, 0xe4625e7e, 0xa308ea99, 0x4e23e33c, 0x79cbd7cc, 0x48a14367, + 0xa3149619, 0xfec94bd5, 0xa114174a, 0xeaa01866, 0xa084db2d, 0x09a8486f, 0xa888614a, 0x2900af98, + 0x01665991, 0xe1992863, 0xc8f30c60, 0x2e78ef3c, 0xd0d51932, 0xcf0fec14, 0xf7ca07d2, 0xd0a82072, + 0xfd41197e, 0x9305a6b0, 0xe86be3da, 0x74bed3cd, 0x372da53c, 0x4c7f4448, 0xdab5d440, 0x6dba0ec3, + 0x083919a7, 0x9fbaeed9, 0x49dbcfb0, 0x4e670c53, 0x5c3d9c01, 0x64bdb941, 0x2c0e636a, 0xba7dd9cd, + 0xea6f7388, 0xe70bc762, 0x35f29adb, 0x5c4cdd8d, 0xf0d48d8c, 0xb88153e2, 0x08a19866, 0x1ae2eac8, + 0x284caf89, 0xaa928223, 0x9334be53, 0x3b3a21bf, 0x16434be3, 0x9aea3906, 0xefe8c36e, 0xf890cdd9, + 0x80226dae, 0xc340a4a3, 0xdf7e9c09, 0xa694a807, 0x5b7c5ecc, 0x221db3a6, 0x9a69a02f, 0x68818a54, + 0xceb2296f, 0x53c0843a, 0xfe893655, 0x25bfe68a, 0xb4628abc, 0xcf222ebf, 0x25ac6f48, 0xa9a99387, + 0x53bddb65, 0xe76ffbe7, 0xe967fd78, 0x0ba93563, 0x8e342bc1, 0xe8a11be9, 0x4980740d, 0xc8087dfc, + 0x8de4bf99, 0xa11101a0, 0x7fd37975, 0xda5a26c0, 0xe81f994f, 0x9528cd89, 0xfd339fed, 0xb87834bf, + 0x5f04456d, 0x22258698, 0xc9c4c83b, 0x2dc156be, 0x4f628daa, 0x57f55ec5, 0xe2220abe, 0xd2916ebf, + 0x4ec75b95, 0x24f2c3c0, 0x42d15d99, 0xcd0d7fa0, 0x7b6e27ff, 0xa8dc8af0, 0x7345c106, 0xf41e232f, + 0x35162386, 0xe6ea8926, 0x3333b094, 0x157ec6f2, 0x372b74af, 0x692573e4, 0xe9a9d848, 0xf3160289, + 0x3a62ef1d, 0xa787e238, 0xf3a5f676, 0x74364853, 0x20951063, 0x4576698d, 0xb6fad407, 0x592af950, + 0x36f73523, 0x4cfb6e87, 0x7da4cec0, 0x6c152daa, 0xcb0396a8, 0xc50dfe5d, 0xfcd707ab, 0x0921c42f, + 0x89dff0bb, 0x5fe2be78, 0x448f4f33, 0x754613c9, 0x2b05d08d, 0x48b9d585, 0xdc049441, 0xc8098f9b, + 0x7dede786, 0xc39a3373, 0x42410005, 0x6a091751, 0x0ef3c8a6, 0x890072d6, 0x28207682, 0xa9a9f7be, + 0xbf32679d, 0xd45b5b75, 0xb353fd00, 0xcbb0e358, 0x830f220a, 0x1f8fb214, 0xd372cf08, 0xcc3c4a13, + 0x8cf63166, 0x061c87be, 0x88c98f88, 0x6062e397, 0x47cf8e7a, 0xb6c85283, 0x3cc2acfb, 0x3fc06976, + 0x4e8f0252, 0x64d8314d, 0xda3870e3, 0x1e665459, 0xc10908f0, 0x513021a5, 0x6c5b68b7, 0x822f8aa0, + 0x3007cd3e, 0x74719eef, 0xdc872681, 0x073340d4, 0x7e432fd9, 0x0c5ec241, 0x8809286c, 0xf592d891, + 0x08a930f6, 0x957ef305, 0xb7fbffbd, 0xc266e96f, 0x6fe4ac98, 0xb173ecc0, 0xbc60b42a, 0x953498da, + 0xfba1ae12, 0x2d4bd736, 0x0f25faab, 0xa4f3fceb, 0xe2969123, 0x257f0c3d, 0x9348af49, 0x361400bc, + 0xe8816f4a, 0x3814f200, 0xa3f94043, 0x9c7a54c2, 0xbc704f57, 0xda41e7f9, 0xc25ad33a, 0x54f4a084, + 0xb17f5505, 0x59357cbe, 0xedbd15c8, 0x7f97c5ab, 0xba5ac7b5, 0xb6f6deaf, 0x3a479c3a, 0x5302da25, + 0x653d7e6a, 0x54268d49, 0x51a477ea, 0x5017d55b, 0xd7d25d88, 0x44136c76, 0x0404a8c8, 0xb8e5a121, + 0xb81a928a, 0x60ed5869, 0x97c55b96, 0xeaec991b, 0x29935913, 0x01fdb7f1, 0x088e8dfa, 0x9ab6f6f5, + 0x3b4cbf9f, 0x4a5de3ab, 0xe6051d35, 0xa0e1d855, 0xd36b4cf1, 0xf544edeb, 0xb0e93524, 0xbebb8fbd, + 0xa2d762cf, 0x49c92f54, 0x38b5f331, 0x7128a454, 0x48392905, 0xa65b1db8, 0x851c97bd, 0xd675cf2f, + }, + { + 0x85e04019, 0x332bf567, 0x662dbfff, 0xcfc65693, 0x2a8d7f6f, 0xab9bc912, 0xde6008a1, 0x2028da1f, + 0x0227bce7, 0x4d642916, 0x18fac300, 0x50f18b82, 0x2cb2cb11, 0xb232e75c, 0x4b3695f2, 0xb28707de, + 0xa05fbcf6, 0xcd4181e9, 0xe150210c, 0xe24ef1bd, 0xb168c381, 0xfde4e789, 0x5c79b0d8, 0x1e8bfd43, + 0x4d495001, 0x38be4341, 0x913cee1d, 0x92a79c3f, 0x089766be, 0xbaeeadf4, 0x1286becf, 0xb6eacb19, + 0x2660c200, 0x7565bde4, 0x64241f7a, 0x8248dca9, 0xc3b3ad66, 0x28136086, 0x0bd8dfa8, 0x356d1cf2, + 0x107789be, 0xb3b2e9ce, 0x0502aa8f, 0x0bc0351e, 0x166bf52a, 0xeb12ff82, 0xe3486911, 0xd34d7516, + 0x4e7b3aff, 0x5f43671b, 0x9cf6e037, 0x4981ac83, 0x334266ce, 0x8c9341b7, 0xd0d854c0, 0xcb3a6c88, + 0x47bc2829, 0x4725ba37, 0xa66ad22b, 0x7ad61f1e, 0x0c5cbafa, 0x4437f107, 0xb6e79962, 0x42d2d816, + 0x0a961288, 0xe1a5c06e, 0x13749e67, 0x72fc081a, 0xb1d139f7, 0xf9583745, 0xcf19df58, 0xbec3f756, + 0xc06eba30, 0x07211b24, 0x45c28829, 0xc95e317f, 0xbc8ec511, 0x38bc46e9, 0xc6e6fa14, 0xbae8584a, + 0xad4ebc46, 0x468f508b, 0x7829435f, 0xf124183b, 0x821dba9f, 0xaff60ff4, 0xea2c4e6d, 0x16e39264, + 0x92544a8b, 0x009b4fc3, 0xaba68ced, 0x9ac96f78, 0x06a5b79a, 0xb2856e6e, 0x1aec3ca9, 0xbe838688, + 0x0e0804e9, 0x55f1be56, 0xe7e5363b, 0xb3a1f25d, 0xf7debb85, 0x61fe033c, 0x16746233, 0x3c034c28, + 0xda6d0c74, 0x79aac56c, 0x3ce4e1ad, 0x51f0c802, 0x98f8f35a, 0x1626a49f, 0xeed82b29, 0x1d382fe3, + 0x0c4fb99a, 0xbb325778, 0x3ec6d97b, 0x6e77a6a9, 0xcb658b5c, 0xd45230c7, 0x2bd1408b, 0x60c03eb7, + 0xb9068d78, 0xa33754f4, 0xf430c87d, 0xc8a71302, 0xb96d8c32, 0xebd4e7be, 0xbe8b9d2d, 0x7979fb06, + 0xe7225308, 0x8b75cf77, 0x11ef8da4, 0xe083c858, 0x8d6b786f, 0x5a6317a6, 0xfa5cf7a0, 0x5dda0033, + 0xf28ebfb0, 0xf5b9c310, 0xa0eac280, 0x08b9767a, 0xa3d9d2b0, 0x79d34217, 0x021a718d, 0x9ac6336a, + 0x2711fd60, 0x438050e3, 0x069908a8, 0x3d7fedc4, 0x826d2bef, 0x4eeb8476, 0x488dcf25, 0x36c9d566, + 0x28e74e41, 0xc2610aca, 0x3d49a9cf, 0xbae3b9df, 0xb65f8de6, 0x92aeaf64, 0x3ac7d5e6, 0x9ea80509, + 0xf22b017d, 0xa4173f70, 0xdd1e16c3, 0x15e0d7f9, 0x50b1b887, 0x2b9f4fd5, 0x625aba82, 0x6a017962, + 0x2ec01b9c, 0x15488aa9, 0xd716e740, 0x40055a2c, 0x93d29a22, 0xe32dbf9a, 0x058745b9, 0x3453dc1e, + 0xd699296e, 0x496cff6f, 0x1c9f4986, 0xdfe2ed07, 0xb87242d1, 0x19de7eae, 0x053e561a, 0x15ad6f8c, + 0x66626c1c, 0x7154c24c, 0xea082b2a, 0x93eb2939, 0x17dcb0f0, 0x58d4f2ae, 0x9ea294fb, 0x52cf564c, + 0x9883fe66, 0x2ec40581, 0x763953c3, 0x01d6692e, 0xd3a0c108, 0xa1e7160e, 0xe4f2dfa6, 0x693ed285, + 0x74904698, 0x4c2b0edd, 0x4f757656, 0x5d393378, 0xa132234f, 0x3d321c5d, 0xc3f5e194, 0x4b269301, + 0xc79f022f, 0x3c997e7e, 0x5e4f9504, 0x3ffafbbd, 0x76f7ad0e, 0x296693f4, 0x3d1fce6f, 0xc61e45be, + 0xd3b5ab34, 0xf72bf9b7, 0x1b0434c0, 0x4e72b567, 0x5592a33d, 0xb5229301, 0xcfd2a87f, 0x60aeb767, + 0x1814386b, 0x30bcc33d, 0x38a0c07d, 0xfd1606f2, 0xc363519b, 0x589dd390, 0x5479f8e6, 0x1cb8d647, + 0x97fd61a9, 0xea7759f4, 0x2d57539d, 0x569a58cf, 0xe84e63ad, 0x462e1b78, 0x6580f87e, 0xf3817914, + 0x91da55f4, 0x40a230f3, 0xd1988f35, 0xb6e318d2, 0x3ffa50bc, 0x3d40f021, 0xc3c0bdae, 0x4958c24c, + 0x518f36b2, 0x84b1d370, 0x0fedce83, 0x878ddada, 0xf2a279c7, 0x94e01be8, 0x90716f4b, 0x954b8aa3, + }, + { + 0xe216300d, 0xbbddfffc, 0xa7ebdabd, 0x35648095, 0x7789f8b7, 0xe6c1121b, 0x0e241600, 0x052ce8b5, + 0x11a9cfb0, 0xe5952f11, 0xece7990a, 0x9386d174, 0x2a42931c, 0x76e38111, 0xb12def3a, 0x37ddddfc, + 0xde9adeb1, 0x0a0cc32c, 0xbe197029, 0x84a00940, 0xbb243a0f, 0xb4d137cf, 0xb44e79f0, 0x049eedfd, + 0x0b15a15d, 0x480d3168, 0x8bbbde5a, 0x669ded42, 0xc7ece831, 0x3f8f95e7, 0x72df191b, 0x7580330d, + 0x94074251, 0x5c7dcdfa, 0xabbe6d63, 0xaa402164, 0xb301d40a, 0x02e7d1ca, 0x53571dae, 0x7a3182a2, + 0x12a8ddec, 0xfdaa335d, 0x176f43e8, 0x71fb46d4, 0x38129022, 0xce949ad4, 0xb84769ad, 0x965bd862, + 0x82f3d055, 0x66fb9767, 0x15b80b4e, 0x1d5b47a0, 0x4cfde06f, 0xc28ec4b8, 0x57e8726e, 0x647a78fc, + 0x99865d44, 0x608bd593, 0x6c200e03, 0x39dc5ff6, 0x5d0b00a3, 0xae63aff2, 0x7e8bd632, 0x70108c0c, + 0xbbd35049, 0x2998df04, 0x980cf42a, 0x9b6df491, 0x9e7edd53, 0x06918548, 0x58cb7e07, 0x3b74ef2e, + 0x522fffb1, 0xd24708cc, 0x1c7e27cd, 0xa4eb215b, 0x3cf1d2e2, 0x19b47a38, 0x424f7618, 0x35856039, + 0x9d17dee7, 0x27eb35e6, 0xc9aff67b, 0x36baf5b8, 0x09c467cd, 0xc18910b1, 0xe11dbf7b, 0x06cd1af8, + 0x7170c608, 0x2d5e3354, 0xd4de495a, 0x64c6d006, 0xbcc0c62c, 0x3dd00db3, 0x708f8f34, 0x77d51b42, + 0x264f620f, 0x24b8d2bf, 0x15c1b79e, 0x46a52564, 0xf8d7e54e, 0x3e378160, 0x7895cda5, 0x859c15a5, + 0xe6459788, 0xc37bc75f, 0xdb07ba0c, 0x0676a3ab, 0x7f229b1e, 0x31842e7b, 0x24259fd7, 0xf8bef472, + 0x835ffcb8, 0x6df4c1f2, 0x96f5b195, 0xfd0af0fc, 0xb0fe134c, 0xe2506d3d, 0x4f9b12ea, 0xf215f225, + 0xa223736f, 0x9fb4c428, 0x25d04979, 0x34c713f8, 0xc4618187, 0xea7a6e98, 0x7cd16efc, 0x1436876c, + 0xf1544107, 0xbedeee14, 0x56e9af27, 0xa04aa441, 0x3cf7c899, 0x92ecbae6, 0xdd67016d, 0x151682eb, + 0xa842eedf, 0xfdba60b4, 0xf1907b75, 0x20e3030f, 0x24d8c29e, 0xe139673b, 0xefa63fb8, 0x71873054, + 0xb6f2cf3b, 0x9f326442, 0xcb15a4cc, 0xb01a4504, 0xf1e47d8d, 0x844a1be5, 0xbae7dfdc, 0x42cbda70, + 0xcd7dae0a, 0x57e85b7a, 0xd53f5af6, 0x20cf4d8c, 0xcea4d428, 0x79d130a4, 0x3486ebfb, 0x33d3cddc, + 0x77853b53, 0x37effcb5, 0xc5068778, 0xe580b3e6, 0x4e68b8f4, 0xc5c8b37e, 0x0d809ea2, 0x398feb7c, + 0x132a4f94, 0x43b7950e, 0x2fee7d1c, 0x223613bd, 0xdd06caa2, 0x37df932b, 0xc4248289, 0xacf3ebc3, + 0x5715f6b7, 0xef3478dd, 0xf267616f, 0xc148cbe4, 0x9052815e, 0x5e410fab, 0xb48a2465, 0x2eda7fa4, + 0xe87b40e4, 0xe98ea084, 0x5889e9e1, 0xefd390fc, 0xdd07d35b, 0xdb485694, 0x38d7e5b2, 0x57720101, + 0x730edebc, 0x5b643113, 0x94917e4f, 0x503c2fba, 0x646f1282, 0x7523d24a, 0xe0779695, 0xf9c17a8f, + 0x7a5b2121, 0xd187b896, 0x29263a4d, 0xba510cdf, 0x81f47c9f, 0xad1163ed, 0xea7b5965, 0x1a00726e, + 0x11403092, 0x00da6d77, 0x4a0cdd61, 0xad1f4603, 0x605bdfb0, 0x9eedc364, 0x22ebe6a8, 0xcee7d28a, + 0xa0e736a0, 0x5564a6b9, 0x10853209, 0xc7eb8f37, 0x2de705ca, 0x8951570f, 0xdf09822b, 0xbd691a6c, + 0xaa12e4f2, 0x87451c0f, 0xe0f6a27a, 0x3ada4819, 0x4cf1764f, 0x0d771c2b, 0x67cdb156, 0x350d8384, + 0x5938fa0f, 0x42399ef3, 0x36997b07, 0x0e84093d, 0x4aa93e61, 0x8360d87b, 0x1fa98b0c, 0x1149382c, + 0xe97625a5, 0x0614d1b7, 0x0e25244b, 0x0c768347, 0x589e8d82, 0x0d2059d1, 0xa466bb1e, 0xf8da0a82, + 0x04f19130, 0xba6e4ec0, 0x99265164, 0x1ee7230d, 0x50b2ad80, 0xeaee6801, 0x8db2a283, 0xea8bf59e, + }, +} diff --git a/vendor/golang.org/x/crypto/openpgp/armor/armor.go b/vendor/golang.org/x/crypto/openpgp/armor/armor.go new file mode 100644 index 0000000000..e664d127cb --- /dev/null +++ b/vendor/golang.org/x/crypto/openpgp/armor/armor.go @@ -0,0 +1,233 @@ +// Copyright 2010 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +// Package armor implements OpenPGP ASCII Armor, see RFC 4880. OpenPGP Armor is +// very similar to PEM except that it has an additional CRC checksum. +// +// Deprecated: this package is unmaintained except for security fixes. New +// applications should consider a more focused, modern alternative to OpenPGP +// for their specific task. If you are required to interoperate with OpenPGP +// systems and need a maintained package, consider a community fork. +// See https://golang.org/issue/44226. +package armor + +import ( + "bufio" + "bytes" + "encoding/base64" + "io" + + "golang.org/x/crypto/openpgp/errors" +) + +// A Block represents an OpenPGP armored structure. +// +// The encoded form is: +// +// -----BEGIN Type----- +// Headers +// +// base64-encoded Bytes +// '=' base64 encoded checksum +// -----END Type----- +// +// where Headers is a possibly empty sequence of Key: Value lines. +// +// Since the armored data can be very large, this package presents a streaming +// interface. +type Block struct { + Type string // The type, taken from the preamble (i.e. "PGP SIGNATURE"). + Header map[string]string // Optional headers. + Body io.Reader // A Reader from which the contents can be read + lReader lineReader + oReader openpgpReader +} + +var ArmorCorrupt error = errors.StructuralError("armor invalid") + +const crc24Init = 0xb704ce +const crc24Poly = 0x1864cfb +const crc24Mask = 0xffffff + +// crc24 calculates the OpenPGP checksum as specified in RFC 4880, section 6.1 +func crc24(crc uint32, d []byte) uint32 { + for _, b := range d { + crc ^= uint32(b) << 16 + for i := 0; i < 8; i++ { + crc <<= 1 + if crc&0x1000000 != 0 { + crc ^= crc24Poly + } + } + } + return crc +} + +var armorStart = []byte("-----BEGIN ") +var armorEnd = []byte("-----END ") +var armorEndOfLine = []byte("-----") + +// lineReader wraps a line based reader. It watches for the end of an armor +// block and records the expected CRC value. +type lineReader struct { + in *bufio.Reader + buf []byte + eof bool + crc uint32 + crcSet bool +} + +func (l *lineReader) Read(p []byte) (n int, err error) { + if l.eof { + return 0, io.EOF + } + + if len(l.buf) > 0 { + n = copy(p, l.buf) + l.buf = l.buf[n:] + return + } + + line, isPrefix, err := l.in.ReadLine() + if err != nil { + return + } + if isPrefix { + return 0, ArmorCorrupt + } + + if bytes.HasPrefix(line, armorEnd) { + l.eof = true + return 0, io.EOF + } + + if len(line) == 5 && line[0] == '=' { + // This is the checksum line + var expectedBytes [3]byte + var m int + m, err = base64.StdEncoding.Decode(expectedBytes[0:], line[1:]) + if m != 3 || err != nil { + return + } + l.crc = uint32(expectedBytes[0])<<16 | + uint32(expectedBytes[1])<<8 | + uint32(expectedBytes[2]) + + line, _, err = l.in.ReadLine() + if err != nil && err != io.EOF { + return + } + if !bytes.HasPrefix(line, armorEnd) { + return 0, ArmorCorrupt + } + + l.eof = true + l.crcSet = true + return 0, io.EOF + } + + if len(line) > 96 { + return 0, ArmorCorrupt + } + + n = copy(p, line) + bytesToSave := len(line) - n + if bytesToSave > 0 { + if cap(l.buf) < bytesToSave { + l.buf = make([]byte, 0, bytesToSave) + } + l.buf = l.buf[0:bytesToSave] + copy(l.buf, line[n:]) + } + + return +} + +// openpgpReader passes Read calls to the underlying base64 decoder, but keeps +// a running CRC of the resulting data and checks the CRC against the value +// found by the lineReader at EOF. +type openpgpReader struct { + lReader *lineReader + b64Reader io.Reader + currentCRC uint32 +} + +func (r *openpgpReader) Read(p []byte) (n int, err error) { + n, err = r.b64Reader.Read(p) + r.currentCRC = crc24(r.currentCRC, p[:n]) + + if err == io.EOF && r.lReader.crcSet && r.lReader.crc != r.currentCRC&crc24Mask { + return 0, ArmorCorrupt + } + + return +} + +// Decode reads a PGP armored block from the given Reader. It will ignore +// leading garbage. If it doesn't find a block, it will return nil, io.EOF. The +// given Reader is not usable after calling this function: an arbitrary amount +// of data may have been read past the end of the block. +func Decode(in io.Reader) (p *Block, err error) { + r := bufio.NewReaderSize(in, 100) + var line []byte + ignoreNext := false + +TryNextBlock: + p = nil + + // Skip leading garbage + for { + ignoreThis := ignoreNext + line, ignoreNext, err = r.ReadLine() + if err != nil { + return + } + if ignoreNext || ignoreThis { + continue + } + line = bytes.TrimSpace(line) + if len(line) > len(armorStart)+len(armorEndOfLine) && bytes.HasPrefix(line, armorStart) { + break + } + } + + p = new(Block) + p.Type = string(line[len(armorStart) : len(line)-len(armorEndOfLine)]) + p.Header = make(map[string]string) + nextIsContinuation := false + var lastKey string + + // Read headers + for { + isContinuation := nextIsContinuation + line, nextIsContinuation, err = r.ReadLine() + if err != nil { + p = nil + return + } + if isContinuation { + p.Header[lastKey] += string(line) + continue + } + line = bytes.TrimSpace(line) + if len(line) == 0 { + break + } + + i := bytes.Index(line, []byte(": ")) + if i == -1 { + goto TryNextBlock + } + lastKey = string(line[:i]) + p.Header[lastKey] = string(line[i+2:]) + } + + p.lReader.in = r + p.oReader.currentCRC = crc24Init + p.oReader.lReader = &p.lReader + p.oReader.b64Reader = base64.NewDecoder(base64.StdEncoding, &p.lReader) + p.Body = &p.oReader + + return +} diff --git a/vendor/golang.org/x/crypto/openpgp/armor/encode.go b/vendor/golang.org/x/crypto/openpgp/armor/encode.go new file mode 100644 index 0000000000..5b6e16c19d --- /dev/null +++ b/vendor/golang.org/x/crypto/openpgp/armor/encode.go @@ -0,0 +1,161 @@ +// Copyright 2010 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package armor + +import ( + "encoding/base64" + "io" +) + +var armorHeaderSep = []byte(": ") +var blockEnd = []byte("\n=") +var newline = []byte("\n") +var armorEndOfLineOut = []byte("-----\n") + +// writeSlices writes its arguments to the given Writer. +func writeSlices(out io.Writer, slices ...[]byte) (err error) { + for _, s := range slices { + _, err = out.Write(s) + if err != nil { + return err + } + } + return +} + +// lineBreaker breaks data across several lines, all of the same byte length +// (except possibly the last). Lines are broken with a single '\n'. +type lineBreaker struct { + lineLength int + line []byte + used int + out io.Writer + haveWritten bool +} + +func newLineBreaker(out io.Writer, lineLength int) *lineBreaker { + return &lineBreaker{ + lineLength: lineLength, + line: make([]byte, lineLength), + used: 0, + out: out, + } +} + +func (l *lineBreaker) Write(b []byte) (n int, err error) { + n = len(b) + + if n == 0 { + return + } + + if l.used == 0 && l.haveWritten { + _, err = l.out.Write([]byte{'\n'}) + if err != nil { + return + } + } + + if l.used+len(b) < l.lineLength { + l.used += copy(l.line[l.used:], b) + return + } + + l.haveWritten = true + _, err = l.out.Write(l.line[0:l.used]) + if err != nil { + return + } + excess := l.lineLength - l.used + l.used = 0 + + _, err = l.out.Write(b[0:excess]) + if err != nil { + return + } + + _, err = l.Write(b[excess:]) + return +} + +func (l *lineBreaker) Close() (err error) { + if l.used > 0 { + _, err = l.out.Write(l.line[0:l.used]) + if err != nil { + return + } + } + + return +} + +// encoding keeps track of a running CRC24 over the data which has been written +// to it and outputs a OpenPGP checksum when closed, followed by an armor +// trailer. +// +// It's built into a stack of io.Writers: +// +// encoding -> base64 encoder -> lineBreaker -> out +type encoding struct { + out io.Writer + breaker *lineBreaker + b64 io.WriteCloser + crc uint32 + blockType []byte +} + +func (e *encoding) Write(data []byte) (n int, err error) { + e.crc = crc24(e.crc, data) + return e.b64.Write(data) +} + +func (e *encoding) Close() (err error) { + err = e.b64.Close() + if err != nil { + return + } + e.breaker.Close() + + var checksumBytes [3]byte + checksumBytes[0] = byte(e.crc >> 16) + checksumBytes[1] = byte(e.crc >> 8) + checksumBytes[2] = byte(e.crc) + + var b64ChecksumBytes [4]byte + base64.StdEncoding.Encode(b64ChecksumBytes[:], checksumBytes[:]) + + return writeSlices(e.out, blockEnd, b64ChecksumBytes[:], newline, armorEnd, e.blockType, armorEndOfLine) +} + +// Encode returns a WriteCloser which will encode the data written to it in +// OpenPGP armor. +func Encode(out io.Writer, blockType string, headers map[string]string) (w io.WriteCloser, err error) { + bType := []byte(blockType) + err = writeSlices(out, armorStart, bType, armorEndOfLineOut) + if err != nil { + return + } + + for k, v := range headers { + err = writeSlices(out, []byte(k), armorHeaderSep, []byte(v), newline) + if err != nil { + return + } + } + + _, err = out.Write(newline) + if err != nil { + return + } + + e := &encoding{ + out: out, + breaker: newLineBreaker(out, 64), + crc: crc24Init, + blockType: bType, + } + e.b64 = base64.NewEncoder(base64.StdEncoding, e.breaker) + return e, nil +} diff --git a/vendor/golang.org/x/crypto/openpgp/canonical_text.go b/vendor/golang.org/x/crypto/openpgp/canonical_text.go new file mode 100644 index 0000000000..e601e389f1 --- /dev/null +++ b/vendor/golang.org/x/crypto/openpgp/canonical_text.go @@ -0,0 +1,59 @@ +// Copyright 2011 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package openpgp + +import "hash" + +// NewCanonicalTextHash reformats text written to it into the canonical +// form and then applies the hash h. See RFC 4880, section 5.2.1. +func NewCanonicalTextHash(h hash.Hash) hash.Hash { + return &canonicalTextHash{h, 0} +} + +type canonicalTextHash struct { + h hash.Hash + s int +} + +var newline = []byte{'\r', '\n'} + +func (cth *canonicalTextHash) Write(buf []byte) (int, error) { + start := 0 + + for i, c := range buf { + switch cth.s { + case 0: + if c == '\r' { + cth.s = 1 + } else if c == '\n' { + cth.h.Write(buf[start:i]) + cth.h.Write(newline) + start = i + 1 + } + case 1: + cth.s = 0 + } + } + + cth.h.Write(buf[start:]) + return len(buf), nil +} + +func (cth *canonicalTextHash) Sum(in []byte) []byte { + return cth.h.Sum(in) +} + +func (cth *canonicalTextHash) Reset() { + cth.h.Reset() + cth.s = 0 +} + +func (cth *canonicalTextHash) Size() int { + return cth.h.Size() +} + +func (cth *canonicalTextHash) BlockSize() int { + return cth.h.BlockSize() +} diff --git a/vendor/golang.org/x/crypto/openpgp/clearsign/clearsign.go b/vendor/golang.org/x/crypto/openpgp/clearsign/clearsign.go new file mode 100644 index 0000000000..cea48efdcd --- /dev/null +++ b/vendor/golang.org/x/crypto/openpgp/clearsign/clearsign.go @@ -0,0 +1,424 @@ +// Copyright 2012 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +// Package clearsign generates and processes OpenPGP, clear-signed data. See +// RFC 4880, section 7. +// +// Clearsigned messages are cryptographically signed, but the contents of the +// message are kept in plaintext so that it can be read without special tools. +// +// Deprecated: this package is unmaintained except for security fixes. New +// applications should consider a more focused, modern alternative to OpenPGP +// for their specific task. If you are required to interoperate with OpenPGP +// systems and need a maintained package, consider a community fork. +// See https://golang.org/issue/44226. +package clearsign + +import ( + "bufio" + "bytes" + "crypto" + "fmt" + "hash" + "io" + "net/textproto" + "strconv" + "strings" + + "golang.org/x/crypto/openpgp/armor" + "golang.org/x/crypto/openpgp/errors" + "golang.org/x/crypto/openpgp/packet" +) + +// A Block represents a clearsigned message. A signature on a Block can +// be checked by passing Bytes into openpgp.CheckDetachedSignature. +type Block struct { + Headers textproto.MIMEHeader // Optional unverified Hash headers + Plaintext []byte // The original message text + Bytes []byte // The signed message + ArmoredSignature *armor.Block // The signature block +} + +// start is the marker which denotes the beginning of a clearsigned message. +var start = []byte("\n-----BEGIN PGP SIGNED MESSAGE-----") + +// dashEscape is prefixed to any lines that begin with a hyphen so that they +// can't be confused with endText. +var dashEscape = []byte("- ") + +// endText is a marker which denotes the end of the message and the start of +// an armored signature. +var endText = []byte("-----BEGIN PGP SIGNATURE-----") + +// end is a marker which denotes the end of the armored signature. +var end = []byte("\n-----END PGP SIGNATURE-----") + +var crlf = []byte("\r\n") +var lf = byte('\n') + +// getLine returns the first \r\n or \n delineated line from the given byte +// array. The line does not include the \r\n or \n. The remainder of the byte +// array (also not including the new line bytes) is also returned and this will +// always be smaller than the original argument. +func getLine(data []byte) (line, rest []byte) { + i := bytes.Index(data, []byte{'\n'}) + var j int + if i < 0 { + i = len(data) + j = i + } else { + j = i + 1 + if i > 0 && data[i-1] == '\r' { + i-- + } + } + return data[0:i], data[j:] +} + +// Decode finds the first clearsigned message in data and returns it, as well as +// the suffix of data which remains after the message. Any prefix data is +// discarded. +// +// If no message is found, or if the message is invalid, Decode returns nil and +// the whole data slice. The only allowed header type is Hash, and it is not +// verified against the signature hash. +func Decode(data []byte) (b *Block, rest []byte) { + // start begins with a newline. However, at the very beginning of + // the byte array, we'll accept the start string without it. + rest = data + if bytes.HasPrefix(data, start[1:]) { + rest = rest[len(start)-1:] + } else if i := bytes.Index(data, start); i >= 0 { + rest = rest[i+len(start):] + } else { + return nil, data + } + + // Consume the start line and check it does not have a suffix. + suffix, rest := getLine(rest) + if len(suffix) != 0 { + return nil, data + } + + var line []byte + b = &Block{ + Headers: make(textproto.MIMEHeader), + } + + // Next come a series of header lines. + for { + // This loop terminates because getLine's second result is + // always smaller than its argument. + if len(rest) == 0 { + return nil, data + } + // An empty line marks the end of the headers. + if line, rest = getLine(rest); len(line) == 0 { + break + } + + // Reject headers with control or Unicode characters. + if i := bytes.IndexFunc(line, func(r rune) bool { + return r < 0x20 || r > 0x7e + }); i != -1 { + return nil, data + } + + i := bytes.Index(line, []byte{':'}) + if i == -1 { + return nil, data + } + + key, val := string(line[0:i]), string(line[i+1:]) + key = strings.TrimSpace(key) + if key != "Hash" { + return nil, data + } + val = strings.TrimSpace(val) + b.Headers.Add(key, val) + } + + firstLine := true + for { + start := rest + + line, rest = getLine(rest) + if len(line) == 0 && len(rest) == 0 { + // No armored data was found, so this isn't a complete message. + return nil, data + } + if bytes.Equal(line, endText) { + // Back up to the start of the line because armor expects to see the + // header line. + rest = start + break + } + + // The final CRLF isn't included in the hash so we don't write it until + // we've seen the next line. + if firstLine { + firstLine = false + } else { + b.Bytes = append(b.Bytes, crlf...) + } + + if bytes.HasPrefix(line, dashEscape) { + line = line[2:] + } + line = bytes.TrimRight(line, " \t") + b.Bytes = append(b.Bytes, line...) + + b.Plaintext = append(b.Plaintext, line...) + b.Plaintext = append(b.Plaintext, lf) + } + + // We want to find the extent of the armored data (including any newlines at + // the end). + i := bytes.Index(rest, end) + if i == -1 { + return nil, data + } + i += len(end) + for i < len(rest) && (rest[i] == '\r' || rest[i] == '\n') { + i++ + } + armored := rest[:i] + rest = rest[i:] + + var err error + b.ArmoredSignature, err = armor.Decode(bytes.NewBuffer(armored)) + if err != nil { + return nil, data + } + + return b, rest +} + +// A dashEscaper is an io.WriteCloser which processes the body of a clear-signed +// message. The clear-signed message is written to buffered and a hash, suitable +// for signing, is maintained in h. +// +// When closed, an armored signature is created and written to complete the +// message. +type dashEscaper struct { + buffered *bufio.Writer + hashers []hash.Hash // one per key in privateKeys + hashType crypto.Hash + toHash io.Writer // writes to all the hashes in hashers + + atBeginningOfLine bool + isFirstLine bool + + whitespace []byte + byteBuf []byte // a one byte buffer to save allocations + + privateKeys []*packet.PrivateKey + config *packet.Config +} + +func (d *dashEscaper) Write(data []byte) (n int, err error) { + for _, b := range data { + d.byteBuf[0] = b + + if d.atBeginningOfLine { + // The final CRLF isn't included in the hash so we have to wait + // until this point (the start of the next line) before writing it. + if !d.isFirstLine { + d.toHash.Write(crlf) + } + d.isFirstLine = false + } + + // Any whitespace at the end of the line has to be removed so we + // buffer it until we find out whether there's more on this line. + if b == ' ' || b == '\t' || b == '\r' { + d.whitespace = append(d.whitespace, b) + d.atBeginningOfLine = false + continue + } + + if d.atBeginningOfLine { + // At the beginning of a line, hyphens have to be escaped. + if b == '-' { + // The signature isn't calculated over the dash-escaped text so + // the escape is only written to buffered. + if _, err = d.buffered.Write(dashEscape); err != nil { + return + } + d.toHash.Write(d.byteBuf) + d.atBeginningOfLine = false + } else if b == '\n' { + // Nothing to do because we delay writing CRLF to the hash. + } else { + d.toHash.Write(d.byteBuf) + d.atBeginningOfLine = false + } + if err = d.buffered.WriteByte(b); err != nil { + return + } + } else { + if b == '\n' { + // We got a raw \n. Drop any trailing whitespace and write a + // CRLF. + d.whitespace = d.whitespace[:0] + // We delay writing CRLF to the hash until the start of the + // next line. + if err = d.buffered.WriteByte(b); err != nil { + return + } + d.atBeginningOfLine = true + } else { + // Any buffered whitespace wasn't at the end of the line so + // we need to write it out. + if len(d.whitespace) > 0 { + d.toHash.Write(d.whitespace) + if _, err = d.buffered.Write(d.whitespace); err != nil { + return + } + d.whitespace = d.whitespace[:0] + } + d.toHash.Write(d.byteBuf) + if err = d.buffered.WriteByte(b); err != nil { + return + } + } + } + } + + n = len(data) + return +} + +func (d *dashEscaper) Close() (err error) { + if !d.atBeginningOfLine { + if err = d.buffered.WriteByte(lf); err != nil { + return + } + } + + out, err := armor.Encode(d.buffered, "PGP SIGNATURE", nil) + if err != nil { + return + } + + t := d.config.Now() + for i, k := range d.privateKeys { + sig := new(packet.Signature) + sig.SigType = packet.SigTypeText + sig.PubKeyAlgo = k.PubKeyAlgo + sig.Hash = d.hashType + sig.CreationTime = t + sig.IssuerKeyId = &k.KeyId + + if err = sig.Sign(d.hashers[i], k, d.config); err != nil { + return + } + if err = sig.Serialize(out); err != nil { + return + } + } + + if err = out.Close(); err != nil { + return + } + if err = d.buffered.Flush(); err != nil { + return + } + return +} + +// Encode returns a WriteCloser which will clear-sign a message with privateKey +// and write it to w. If config is nil, sensible defaults are used. +func Encode(w io.Writer, privateKey *packet.PrivateKey, config *packet.Config) (plaintext io.WriteCloser, err error) { + return EncodeMulti(w, []*packet.PrivateKey{privateKey}, config) +} + +// EncodeMulti returns a WriteCloser which will clear-sign a message with all the +// private keys indicated and write it to w. If config is nil, sensible defaults +// are used. +func EncodeMulti(w io.Writer, privateKeys []*packet.PrivateKey, config *packet.Config) (plaintext io.WriteCloser, err error) { + for _, k := range privateKeys { + if k.Encrypted { + return nil, errors.InvalidArgumentError(fmt.Sprintf("signing key %s is encrypted", k.KeyIdString())) + } + } + + hashType := config.Hash() + name := nameOfHash(hashType) + if len(name) == 0 { + return nil, errors.UnsupportedError("unknown hash type: " + strconv.Itoa(int(hashType))) + } + + if !hashType.Available() { + return nil, errors.UnsupportedError("unsupported hash type: " + strconv.Itoa(int(hashType))) + } + var hashers []hash.Hash + var ws []io.Writer + for range privateKeys { + h := hashType.New() + hashers = append(hashers, h) + ws = append(ws, h) + } + toHash := io.MultiWriter(ws...) + + buffered := bufio.NewWriter(w) + // start has a \n at the beginning that we don't want here. + if _, err = buffered.Write(start[1:]); err != nil { + return + } + if err = buffered.WriteByte(lf); err != nil { + return + } + if _, err = buffered.WriteString("Hash: "); err != nil { + return + } + if _, err = buffered.WriteString(name); err != nil { + return + } + if err = buffered.WriteByte(lf); err != nil { + return + } + if err = buffered.WriteByte(lf); err != nil { + return + } + + plaintext = &dashEscaper{ + buffered: buffered, + hashers: hashers, + hashType: hashType, + toHash: toHash, + + atBeginningOfLine: true, + isFirstLine: true, + + byteBuf: make([]byte, 1), + + privateKeys: privateKeys, + config: config, + } + + return +} + +// nameOfHash returns the OpenPGP name for the given hash, or the empty string +// if the name isn't known. See RFC 4880, section 9.4. +func nameOfHash(h crypto.Hash) string { + switch h { + case crypto.MD5: + return "MD5" + case crypto.SHA1: + return "SHA1" + case crypto.RIPEMD160: + return "RIPEMD160" + case crypto.SHA224: + return "SHA224" + case crypto.SHA256: + return "SHA256" + case crypto.SHA384: + return "SHA384" + case crypto.SHA512: + return "SHA512" + } + return "" +} diff --git a/vendor/golang.org/x/crypto/openpgp/elgamal/elgamal.go b/vendor/golang.org/x/crypto/openpgp/elgamal/elgamal.go new file mode 100644 index 0000000000..f922bdbcaa --- /dev/null +++ b/vendor/golang.org/x/crypto/openpgp/elgamal/elgamal.go @@ -0,0 +1,130 @@ +// Copyright 2011 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +// Package elgamal implements ElGamal encryption, suitable for OpenPGP, +// as specified in "A Public-Key Cryptosystem and a Signature Scheme Based on +// Discrete Logarithms," IEEE Transactions on Information Theory, v. IT-31, +// n. 4, 1985, pp. 469-472. +// +// This form of ElGamal embeds PKCS#1 v1.5 padding, which may make it +// unsuitable for other protocols. RSA should be used in preference in any +// case. +// +// Deprecated: this package was only provided to support ElGamal encryption in +// OpenPGP. The golang.org/x/crypto/openpgp package is now deprecated (see +// https://golang.org/issue/44226), and ElGamal in the OpenPGP ecosystem has +// compatibility and security issues (see https://eprint.iacr.org/2021/923). +// Moreover, this package doesn't protect against side-channel attacks. +package elgamal + +import ( + "crypto/rand" + "crypto/subtle" + "errors" + "io" + "math/big" +) + +// PublicKey represents an ElGamal public key. +type PublicKey struct { + G, P, Y *big.Int +} + +// PrivateKey represents an ElGamal private key. +type PrivateKey struct { + PublicKey + X *big.Int +} + +// Encrypt encrypts the given message to the given public key. The result is a +// pair of integers. Errors can result from reading random, or because msg is +// too large to be encrypted to the public key. +func Encrypt(random io.Reader, pub *PublicKey, msg []byte) (c1, c2 *big.Int, err error) { + pLen := (pub.P.BitLen() + 7) / 8 + if len(msg) > pLen-11 { + err = errors.New("elgamal: message too long") + return + } + + // EM = 0x02 || PS || 0x00 || M + em := make([]byte, pLen-1) + em[0] = 2 + ps, mm := em[1:len(em)-len(msg)-1], em[len(em)-len(msg):] + err = nonZeroRandomBytes(ps, random) + if err != nil { + return + } + em[len(em)-len(msg)-1] = 0 + copy(mm, msg) + + m := new(big.Int).SetBytes(em) + + k, err := rand.Int(random, pub.P) + if err != nil { + return + } + + c1 = new(big.Int).Exp(pub.G, k, pub.P) + s := new(big.Int).Exp(pub.Y, k, pub.P) + c2 = s.Mul(s, m) + c2.Mod(c2, pub.P) + + return +} + +// Decrypt takes two integers, resulting from an ElGamal encryption, and +// returns the plaintext of the message. An error can result only if the +// ciphertext is invalid. Users should keep in mind that this is a padding +// oracle and thus, if exposed to an adaptive chosen ciphertext attack, can +// be used to break the cryptosystem. See “Chosen Ciphertext Attacks +// Against Protocols Based on the RSA Encryption Standard PKCS #1â€, Daniel +// Bleichenbacher, Advances in Cryptology (Crypto '98), +func Decrypt(priv *PrivateKey, c1, c2 *big.Int) (msg []byte, err error) { + s := new(big.Int).Exp(c1, priv.X, priv.P) + if s.ModInverse(s, priv.P) == nil { + return nil, errors.New("elgamal: invalid private key") + } + s.Mul(s, c2) + s.Mod(s, priv.P) + em := s.Bytes() + + firstByteIsTwo := subtle.ConstantTimeByteEq(em[0], 2) + + // The remainder of the plaintext must be a string of non-zero random + // octets, followed by a 0, followed by the message. + // lookingForIndex: 1 iff we are still looking for the zero. + // index: the offset of the first zero byte. + var lookingForIndex, index int + lookingForIndex = 1 + + for i := 1; i < len(em); i++ { + equals0 := subtle.ConstantTimeByteEq(em[i], 0) + index = subtle.ConstantTimeSelect(lookingForIndex&equals0, i, index) + lookingForIndex = subtle.ConstantTimeSelect(equals0, 0, lookingForIndex) + } + + if firstByteIsTwo != 1 || lookingForIndex != 0 || index < 9 { + return nil, errors.New("elgamal: decryption error") + } + return em[index+1:], nil +} + +// nonZeroRandomBytes fills the given slice with non-zero random octets. +func nonZeroRandomBytes(s []byte, rand io.Reader) (err error) { + _, err = io.ReadFull(rand, s) + if err != nil { + return + } + + for i := 0; i < len(s); i++ { + for s[i] == 0 { + _, err = io.ReadFull(rand, s[i:i+1]) + if err != nil { + return + } + } + } + + return +} diff --git a/vendor/golang.org/x/crypto/openpgp/errors/errors.go b/vendor/golang.org/x/crypto/openpgp/errors/errors.go new file mode 100644 index 0000000000..a328749471 --- /dev/null +++ b/vendor/golang.org/x/crypto/openpgp/errors/errors.go @@ -0,0 +1,78 @@ +// Copyright 2010 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +// Package errors contains common error types for the OpenPGP packages. +// +// Deprecated: this package is unmaintained except for security fixes. New +// applications should consider a more focused, modern alternative to OpenPGP +// for their specific task. If you are required to interoperate with OpenPGP +// systems and need a maintained package, consider a community fork. +// See https://golang.org/issue/44226. +package errors + +import ( + "strconv" +) + +// A StructuralError is returned when OpenPGP data is found to be syntactically +// invalid. +type StructuralError string + +func (s StructuralError) Error() string { + return "openpgp: invalid data: " + string(s) +} + +// UnsupportedError indicates that, although the OpenPGP data is valid, it +// makes use of currently unimplemented features. +type UnsupportedError string + +func (s UnsupportedError) Error() string { + return "openpgp: unsupported feature: " + string(s) +} + +// InvalidArgumentError indicates that the caller is in error and passed an +// incorrect value. +type InvalidArgumentError string + +func (i InvalidArgumentError) Error() string { + return "openpgp: invalid argument: " + string(i) +} + +// SignatureError indicates that a syntactically valid signature failed to +// validate. +type SignatureError string + +func (b SignatureError) Error() string { + return "openpgp: invalid signature: " + string(b) +} + +type keyIncorrectError int + +func (ki keyIncorrectError) Error() string { + return "openpgp: incorrect key" +} + +var ErrKeyIncorrect error = keyIncorrectError(0) + +type unknownIssuerError int + +func (unknownIssuerError) Error() string { + return "openpgp: signature made by unknown entity" +} + +var ErrUnknownIssuer error = unknownIssuerError(0) + +type keyRevokedError int + +func (keyRevokedError) Error() string { + return "openpgp: signature made by revoked key" +} + +var ErrKeyRevoked error = keyRevokedError(0) + +type UnknownPacketTypeError uint8 + +func (upte UnknownPacketTypeError) Error() string { + return "openpgp: unknown packet type: " + strconv.Itoa(int(upte)) +} diff --git a/vendor/golang.org/x/crypto/openpgp/keys.go b/vendor/golang.org/x/crypto/openpgp/keys.go new file mode 100644 index 0000000000..d62f787e9d --- /dev/null +++ b/vendor/golang.org/x/crypto/openpgp/keys.go @@ -0,0 +1,693 @@ +// Copyright 2011 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package openpgp + +import ( + "crypto/rsa" + "io" + "time" + + "golang.org/x/crypto/openpgp/armor" + "golang.org/x/crypto/openpgp/errors" + "golang.org/x/crypto/openpgp/packet" +) + +// PublicKeyType is the armor type for a PGP public key. +var PublicKeyType = "PGP PUBLIC KEY BLOCK" + +// PrivateKeyType is the armor type for a PGP private key. +var PrivateKeyType = "PGP PRIVATE KEY BLOCK" + +// An Entity represents the components of an OpenPGP key: a primary public key +// (which must be a signing key), one or more identities claimed by that key, +// and zero or more subkeys, which may be encryption keys. +type Entity struct { + PrimaryKey *packet.PublicKey + PrivateKey *packet.PrivateKey + Identities map[string]*Identity // indexed by Identity.Name + Revocations []*packet.Signature + Subkeys []Subkey +} + +// An Identity represents an identity claimed by an Entity and zero or more +// assertions by other entities about that claim. +type Identity struct { + Name string // by convention, has the form "Full Name (comment) " + UserId *packet.UserId + SelfSignature *packet.Signature + Signatures []*packet.Signature +} + +// A Subkey is an additional public key in an Entity. Subkeys can be used for +// encryption. +type Subkey struct { + PublicKey *packet.PublicKey + PrivateKey *packet.PrivateKey + Sig *packet.Signature +} + +// A Key identifies a specific public key in an Entity. This is either the +// Entity's primary key or a subkey. +type Key struct { + Entity *Entity + PublicKey *packet.PublicKey + PrivateKey *packet.PrivateKey + SelfSignature *packet.Signature +} + +// A KeyRing provides access to public and private keys. +type KeyRing interface { + // KeysById returns the set of keys that have the given key id. + KeysById(id uint64) []Key + // KeysByIdUsage returns the set of keys with the given id + // that also meet the key usage given by requiredUsage. + // The requiredUsage is expressed as the bitwise-OR of + // packet.KeyFlag* values. + KeysByIdUsage(id uint64, requiredUsage byte) []Key + // DecryptionKeys returns all private keys that are valid for + // decryption. + DecryptionKeys() []Key +} + +// primaryIdentity returns the Identity marked as primary or the first identity +// if none are so marked. +func (e *Entity) primaryIdentity() *Identity { + var firstIdentity *Identity + for _, ident := range e.Identities { + if firstIdentity == nil { + firstIdentity = ident + } + if ident.SelfSignature.IsPrimaryId != nil && *ident.SelfSignature.IsPrimaryId { + return ident + } + } + return firstIdentity +} + +// encryptionKey returns the best candidate Key for encrypting a message to the +// given Entity. +func (e *Entity) encryptionKey(now time.Time) (Key, bool) { + candidateSubkey := -1 + + // Iterate the keys to find the newest key + var maxTime time.Time + for i, subkey := range e.Subkeys { + if subkey.Sig.FlagsValid && + subkey.Sig.FlagEncryptCommunications && + subkey.PublicKey.PubKeyAlgo.CanEncrypt() && + !subkey.Sig.KeyExpired(now) && + (maxTime.IsZero() || subkey.Sig.CreationTime.After(maxTime)) { + candidateSubkey = i + maxTime = subkey.Sig.CreationTime + } + } + + if candidateSubkey != -1 { + subkey := e.Subkeys[candidateSubkey] + return Key{e, subkey.PublicKey, subkey.PrivateKey, subkey.Sig}, true + } + + // If we don't have any candidate subkeys for encryption and + // the primary key doesn't have any usage metadata then we + // assume that the primary key is ok. Or, if the primary key is + // marked as ok to encrypt to, then we can obviously use it. + i := e.primaryIdentity() + if !i.SelfSignature.FlagsValid || i.SelfSignature.FlagEncryptCommunications && + e.PrimaryKey.PubKeyAlgo.CanEncrypt() && + !i.SelfSignature.KeyExpired(now) { + return Key{e, e.PrimaryKey, e.PrivateKey, i.SelfSignature}, true + } + + // This Entity appears to be signing only. + return Key{}, false +} + +// signingKey return the best candidate Key for signing a message with this +// Entity. +func (e *Entity) signingKey(now time.Time) (Key, bool) { + candidateSubkey := -1 + + for i, subkey := range e.Subkeys { + if subkey.Sig.FlagsValid && + subkey.Sig.FlagSign && + subkey.PublicKey.PubKeyAlgo.CanSign() && + !subkey.Sig.KeyExpired(now) { + candidateSubkey = i + break + } + } + + if candidateSubkey != -1 { + subkey := e.Subkeys[candidateSubkey] + return Key{e, subkey.PublicKey, subkey.PrivateKey, subkey.Sig}, true + } + + // If we have no candidate subkey then we assume that it's ok to sign + // with the primary key. + i := e.primaryIdentity() + if !i.SelfSignature.FlagsValid || i.SelfSignature.FlagSign && + !i.SelfSignature.KeyExpired(now) { + return Key{e, e.PrimaryKey, e.PrivateKey, i.SelfSignature}, true + } + + return Key{}, false +} + +// An EntityList contains one or more Entities. +type EntityList []*Entity + +// KeysById returns the set of keys that have the given key id. +func (el EntityList) KeysById(id uint64) (keys []Key) { + for _, e := range el { + if e.PrimaryKey.KeyId == id { + var selfSig *packet.Signature + for _, ident := range e.Identities { + if selfSig == nil { + selfSig = ident.SelfSignature + } else if ident.SelfSignature.IsPrimaryId != nil && *ident.SelfSignature.IsPrimaryId { + selfSig = ident.SelfSignature + break + } + } + keys = append(keys, Key{e, e.PrimaryKey, e.PrivateKey, selfSig}) + } + + for _, subKey := range e.Subkeys { + if subKey.PublicKey.KeyId == id { + keys = append(keys, Key{e, subKey.PublicKey, subKey.PrivateKey, subKey.Sig}) + } + } + } + return +} + +// KeysByIdUsage returns the set of keys with the given id that also meet +// the key usage given by requiredUsage. The requiredUsage is expressed as +// the bitwise-OR of packet.KeyFlag* values. +func (el EntityList) KeysByIdUsage(id uint64, requiredUsage byte) (keys []Key) { + for _, key := range el.KeysById(id) { + if len(key.Entity.Revocations) > 0 { + continue + } + + if key.SelfSignature.RevocationReason != nil { + continue + } + + if key.SelfSignature.FlagsValid && requiredUsage != 0 { + var usage byte + if key.SelfSignature.FlagCertify { + usage |= packet.KeyFlagCertify + } + if key.SelfSignature.FlagSign { + usage |= packet.KeyFlagSign + } + if key.SelfSignature.FlagEncryptCommunications { + usage |= packet.KeyFlagEncryptCommunications + } + if key.SelfSignature.FlagEncryptStorage { + usage |= packet.KeyFlagEncryptStorage + } + if usage&requiredUsage != requiredUsage { + continue + } + } + + keys = append(keys, key) + } + return +} + +// DecryptionKeys returns all private keys that are valid for decryption. +func (el EntityList) DecryptionKeys() (keys []Key) { + for _, e := range el { + for _, subKey := range e.Subkeys { + if subKey.PrivateKey != nil && (!subKey.Sig.FlagsValid || subKey.Sig.FlagEncryptStorage || subKey.Sig.FlagEncryptCommunications) { + keys = append(keys, Key{e, subKey.PublicKey, subKey.PrivateKey, subKey.Sig}) + } + } + } + return +} + +// ReadArmoredKeyRing reads one or more public/private keys from an armor keyring file. +func ReadArmoredKeyRing(r io.Reader) (EntityList, error) { + block, err := armor.Decode(r) + if err == io.EOF { + return nil, errors.InvalidArgumentError("no armored data found") + } + if err != nil { + return nil, err + } + if block.Type != PublicKeyType && block.Type != PrivateKeyType { + return nil, errors.InvalidArgumentError("expected public or private key block, got: " + block.Type) + } + + return ReadKeyRing(block.Body) +} + +// ReadKeyRing reads one or more public/private keys. Unsupported keys are +// ignored as long as at least a single valid key is found. +func ReadKeyRing(r io.Reader) (el EntityList, err error) { + packets := packet.NewReader(r) + var lastUnsupportedError error + + for { + var e *Entity + e, err = ReadEntity(packets) + if err != nil { + // TODO: warn about skipped unsupported/unreadable keys + if _, ok := err.(errors.UnsupportedError); ok { + lastUnsupportedError = err + err = readToNextPublicKey(packets) + } else if _, ok := err.(errors.StructuralError); ok { + // Skip unreadable, badly-formatted keys + lastUnsupportedError = err + err = readToNextPublicKey(packets) + } + if err == io.EOF { + err = nil + break + } + if err != nil { + el = nil + break + } + } else { + el = append(el, e) + } + } + + if len(el) == 0 && err == nil { + err = lastUnsupportedError + } + return +} + +// readToNextPublicKey reads packets until the start of the entity and leaves +// the first packet of the new entity in the Reader. +func readToNextPublicKey(packets *packet.Reader) (err error) { + var p packet.Packet + for { + p, err = packets.Next() + if err == io.EOF { + return + } else if err != nil { + if _, ok := err.(errors.UnsupportedError); ok { + err = nil + continue + } + return + } + + if pk, ok := p.(*packet.PublicKey); ok && !pk.IsSubkey { + packets.Unread(p) + return + } + } +} + +// ReadEntity reads an entity (public key, identities, subkeys etc) from the +// given Reader. +func ReadEntity(packets *packet.Reader) (*Entity, error) { + e := new(Entity) + e.Identities = make(map[string]*Identity) + + p, err := packets.Next() + if err != nil { + return nil, err + } + + var ok bool + if e.PrimaryKey, ok = p.(*packet.PublicKey); !ok { + if e.PrivateKey, ok = p.(*packet.PrivateKey); !ok { + packets.Unread(p) + return nil, errors.StructuralError("first packet was not a public/private key") + } + e.PrimaryKey = &e.PrivateKey.PublicKey + } + + if !e.PrimaryKey.PubKeyAlgo.CanSign() { + return nil, errors.StructuralError("primary key cannot be used for signatures") + } + + var revocations []*packet.Signature +EachPacket: + for { + p, err := packets.Next() + if err == io.EOF { + break + } else if err != nil { + return nil, err + } + + switch pkt := p.(type) { + case *packet.UserId: + if err := addUserID(e, packets, pkt); err != nil { + return nil, err + } + case *packet.Signature: + if pkt.SigType == packet.SigTypeKeyRevocation { + revocations = append(revocations, pkt) + } else if pkt.SigType == packet.SigTypeDirectSignature { + // TODO: RFC4880 5.2.1 permits signatures + // directly on keys (eg. to bind additional + // revocation keys). + } + // Else, ignoring the signature as it does not follow anything + // we would know to attach it to. + case *packet.PrivateKey: + if pkt.IsSubkey == false { + packets.Unread(p) + break EachPacket + } + err = addSubkey(e, packets, &pkt.PublicKey, pkt) + if err != nil { + return nil, err + } + case *packet.PublicKey: + if pkt.IsSubkey == false { + packets.Unread(p) + break EachPacket + } + err = addSubkey(e, packets, pkt, nil) + if err != nil { + return nil, err + } + default: + // we ignore unknown packets + } + } + + if len(e.Identities) == 0 { + return nil, errors.StructuralError("entity without any identities") + } + + for _, revocation := range revocations { + err = e.PrimaryKey.VerifyRevocationSignature(revocation) + if err == nil { + e.Revocations = append(e.Revocations, revocation) + } else { + // TODO: RFC 4880 5.2.3.15 defines revocation keys. + return nil, errors.StructuralError("revocation signature signed by alternate key") + } + } + + return e, nil +} + +func addUserID(e *Entity, packets *packet.Reader, pkt *packet.UserId) error { + // Make a new Identity object, that we might wind up throwing away. + // We'll only add it if we get a valid self-signature over this + // userID. + identity := new(Identity) + identity.Name = pkt.Id + identity.UserId = pkt + + for { + p, err := packets.Next() + if err == io.EOF { + break + } else if err != nil { + return err + } + + sig, ok := p.(*packet.Signature) + if !ok { + packets.Unread(p) + break + } + + if (sig.SigType == packet.SigTypePositiveCert || sig.SigType == packet.SigTypeGenericCert) && sig.IssuerKeyId != nil && *sig.IssuerKeyId == e.PrimaryKey.KeyId { + if err = e.PrimaryKey.VerifyUserIdSignature(pkt.Id, e.PrimaryKey, sig); err != nil { + return errors.StructuralError("user ID self-signature invalid: " + err.Error()) + } + identity.SelfSignature = sig + e.Identities[pkt.Id] = identity + } else { + identity.Signatures = append(identity.Signatures, sig) + } + } + + return nil +} + +func addSubkey(e *Entity, packets *packet.Reader, pub *packet.PublicKey, priv *packet.PrivateKey) error { + var subKey Subkey + subKey.PublicKey = pub + subKey.PrivateKey = priv + + for { + p, err := packets.Next() + if err == io.EOF { + break + } else if err != nil { + return errors.StructuralError("subkey signature invalid: " + err.Error()) + } + + sig, ok := p.(*packet.Signature) + if !ok { + packets.Unread(p) + break + } + + if sig.SigType != packet.SigTypeSubkeyBinding && sig.SigType != packet.SigTypeSubkeyRevocation { + return errors.StructuralError("subkey signature with wrong type") + } + + if err := e.PrimaryKey.VerifyKeySignature(subKey.PublicKey, sig); err != nil { + return errors.StructuralError("subkey signature invalid: " + err.Error()) + } + + switch sig.SigType { + case packet.SigTypeSubkeyRevocation: + subKey.Sig = sig + case packet.SigTypeSubkeyBinding: + + if shouldReplaceSubkeySig(subKey.Sig, sig) { + subKey.Sig = sig + } + } + } + + if subKey.Sig == nil { + return errors.StructuralError("subkey packet not followed by signature") + } + + e.Subkeys = append(e.Subkeys, subKey) + + return nil +} + +func shouldReplaceSubkeySig(existingSig, potentialNewSig *packet.Signature) bool { + if potentialNewSig == nil { + return false + } + + if existingSig == nil { + return true + } + + if existingSig.SigType == packet.SigTypeSubkeyRevocation { + return false // never override a revocation signature + } + + return potentialNewSig.CreationTime.After(existingSig.CreationTime) +} + +const defaultRSAKeyBits = 2048 + +// NewEntity returns an Entity that contains a fresh RSA/RSA keypair with a +// single identity composed of the given full name, comment and email, any of +// which may be empty but must not contain any of "()<>\x00". +// If config is nil, sensible defaults will be used. +func NewEntity(name, comment, email string, config *packet.Config) (*Entity, error) { + creationTime := config.Now() + + bits := defaultRSAKeyBits + if config != nil && config.RSABits != 0 { + bits = config.RSABits + } + + uid := packet.NewUserId(name, comment, email) + if uid == nil { + return nil, errors.InvalidArgumentError("user id field contained invalid characters") + } + signingPriv, err := rsa.GenerateKey(config.Random(), bits) + if err != nil { + return nil, err + } + encryptingPriv, err := rsa.GenerateKey(config.Random(), bits) + if err != nil { + return nil, err + } + + e := &Entity{ + PrimaryKey: packet.NewRSAPublicKey(creationTime, &signingPriv.PublicKey), + PrivateKey: packet.NewRSAPrivateKey(creationTime, signingPriv), + Identities: make(map[string]*Identity), + } + isPrimaryId := true + e.Identities[uid.Id] = &Identity{ + Name: uid.Id, + UserId: uid, + SelfSignature: &packet.Signature{ + CreationTime: creationTime, + SigType: packet.SigTypePositiveCert, + PubKeyAlgo: packet.PubKeyAlgoRSA, + Hash: config.Hash(), + IsPrimaryId: &isPrimaryId, + FlagsValid: true, + FlagSign: true, + FlagCertify: true, + IssuerKeyId: &e.PrimaryKey.KeyId, + }, + } + err = e.Identities[uid.Id].SelfSignature.SignUserId(uid.Id, e.PrimaryKey, e.PrivateKey, config) + if err != nil { + return nil, err + } + + // If the user passes in a DefaultHash via packet.Config, + // set the PreferredHash for the SelfSignature. + if config != nil && config.DefaultHash != 0 { + e.Identities[uid.Id].SelfSignature.PreferredHash = []uint8{hashToHashId(config.DefaultHash)} + } + + // Likewise for DefaultCipher. + if config != nil && config.DefaultCipher != 0 { + e.Identities[uid.Id].SelfSignature.PreferredSymmetric = []uint8{uint8(config.DefaultCipher)} + } + + e.Subkeys = make([]Subkey, 1) + e.Subkeys[0] = Subkey{ + PublicKey: packet.NewRSAPublicKey(creationTime, &encryptingPriv.PublicKey), + PrivateKey: packet.NewRSAPrivateKey(creationTime, encryptingPriv), + Sig: &packet.Signature{ + CreationTime: creationTime, + SigType: packet.SigTypeSubkeyBinding, + PubKeyAlgo: packet.PubKeyAlgoRSA, + Hash: config.Hash(), + FlagsValid: true, + FlagEncryptStorage: true, + FlagEncryptCommunications: true, + IssuerKeyId: &e.PrimaryKey.KeyId, + }, + } + e.Subkeys[0].PublicKey.IsSubkey = true + e.Subkeys[0].PrivateKey.IsSubkey = true + err = e.Subkeys[0].Sig.SignKey(e.Subkeys[0].PublicKey, e.PrivateKey, config) + if err != nil { + return nil, err + } + return e, nil +} + +// SerializePrivate serializes an Entity, including private key material, but +// excluding signatures from other entities, to the given Writer. +// Identities and subkeys are re-signed in case they changed since NewEntry. +// If config is nil, sensible defaults will be used. +func (e *Entity) SerializePrivate(w io.Writer, config *packet.Config) (err error) { + err = e.PrivateKey.Serialize(w) + if err != nil { + return + } + for _, ident := range e.Identities { + err = ident.UserId.Serialize(w) + if err != nil { + return + } + err = ident.SelfSignature.SignUserId(ident.UserId.Id, e.PrimaryKey, e.PrivateKey, config) + if err != nil { + return + } + err = ident.SelfSignature.Serialize(w) + if err != nil { + return + } + } + for _, subkey := range e.Subkeys { + err = subkey.PrivateKey.Serialize(w) + if err != nil { + return + } + err = subkey.Sig.SignKey(subkey.PublicKey, e.PrivateKey, config) + if err != nil { + return + } + err = subkey.Sig.Serialize(w) + if err != nil { + return + } + } + return nil +} + +// Serialize writes the public part of the given Entity to w, including +// signatures from other entities. No private key material will be output. +func (e *Entity) Serialize(w io.Writer) error { + err := e.PrimaryKey.Serialize(w) + if err != nil { + return err + } + for _, ident := range e.Identities { + err = ident.UserId.Serialize(w) + if err != nil { + return err + } + err = ident.SelfSignature.Serialize(w) + if err != nil { + return err + } + for _, sig := range ident.Signatures { + err = sig.Serialize(w) + if err != nil { + return err + } + } + } + for _, subkey := range e.Subkeys { + err = subkey.PublicKey.Serialize(w) + if err != nil { + return err + } + err = subkey.Sig.Serialize(w) + if err != nil { + return err + } + } + return nil +} + +// SignIdentity adds a signature to e, from signer, attesting that identity is +// associated with e. The provided identity must already be an element of +// e.Identities and the private key of signer must have been decrypted if +// necessary. +// If config is nil, sensible defaults will be used. +func (e *Entity) SignIdentity(identity string, signer *Entity, config *packet.Config) error { + if signer.PrivateKey == nil { + return errors.InvalidArgumentError("signing Entity must have a private key") + } + if signer.PrivateKey.Encrypted { + return errors.InvalidArgumentError("signing Entity's private key must be decrypted") + } + ident, ok := e.Identities[identity] + if !ok { + return errors.InvalidArgumentError("given identity string not found in Entity") + } + + sig := &packet.Signature{ + SigType: packet.SigTypeGenericCert, + PubKeyAlgo: signer.PrivateKey.PubKeyAlgo, + Hash: config.Hash(), + CreationTime: config.Now(), + IssuerKeyId: &signer.PrivateKey.KeyId, + } + if err := sig.SignUserId(identity, e.PrimaryKey, signer.PrivateKey, config); err != nil { + return err + } + ident.Signatures = append(ident.Signatures, sig) + return nil +} diff --git a/vendor/golang.org/x/crypto/openpgp/packet/compressed.go b/vendor/golang.org/x/crypto/openpgp/packet/compressed.go new file mode 100644 index 0000000000..353f945247 --- /dev/null +++ b/vendor/golang.org/x/crypto/openpgp/packet/compressed.go @@ -0,0 +1,123 @@ +// Copyright 2011 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package packet + +import ( + "compress/bzip2" + "compress/flate" + "compress/zlib" + "golang.org/x/crypto/openpgp/errors" + "io" + "strconv" +) + +// Compressed represents a compressed OpenPGP packet. The decompressed contents +// will contain more OpenPGP packets. See RFC 4880, section 5.6. +type Compressed struct { + Body io.Reader +} + +const ( + NoCompression = flate.NoCompression + BestSpeed = flate.BestSpeed + BestCompression = flate.BestCompression + DefaultCompression = flate.DefaultCompression +) + +// CompressionConfig contains compressor configuration settings. +type CompressionConfig struct { + // Level is the compression level to use. It must be set to + // between -1 and 9, with -1 causing the compressor to use the + // default compression level, 0 causing the compressor to use + // no compression and 1 to 9 representing increasing (better, + // slower) compression levels. If Level is less than -1 or + // more then 9, a non-nil error will be returned during + // encryption. See the constants above for convenient common + // settings for Level. + Level int +} + +func (c *Compressed) parse(r io.Reader) error { + var buf [1]byte + _, err := readFull(r, buf[:]) + if err != nil { + return err + } + + switch buf[0] { + case 1: + c.Body = flate.NewReader(r) + case 2: + c.Body, err = zlib.NewReader(r) + case 3: + c.Body = bzip2.NewReader(r) + default: + err = errors.UnsupportedError("unknown compression algorithm: " + strconv.Itoa(int(buf[0]))) + } + + return err +} + +// compressedWriteCloser represents the serialized compression stream +// header and the compressor. Its Close() method ensures that both the +// compressor and serialized stream header are closed. Its Write() +// method writes to the compressor. +type compressedWriteCloser struct { + sh io.Closer // Stream Header + c io.WriteCloser // Compressor +} + +func (cwc compressedWriteCloser) Write(p []byte) (int, error) { + return cwc.c.Write(p) +} + +func (cwc compressedWriteCloser) Close() (err error) { + err = cwc.c.Close() + if err != nil { + return err + } + + return cwc.sh.Close() +} + +// SerializeCompressed serializes a compressed data packet to w and +// returns a WriteCloser to which the literal data packets themselves +// can be written and which MUST be closed on completion. If cc is +// nil, sensible defaults will be used to configure the compression +// algorithm. +func SerializeCompressed(w io.WriteCloser, algo CompressionAlgo, cc *CompressionConfig) (literaldata io.WriteCloser, err error) { + compressed, err := serializeStreamHeader(w, packetTypeCompressed) + if err != nil { + return + } + + _, err = compressed.Write([]byte{uint8(algo)}) + if err != nil { + return + } + + level := DefaultCompression + if cc != nil { + level = cc.Level + } + + var compressor io.WriteCloser + switch algo { + case CompressionZIP: + compressor, err = flate.NewWriter(compressed, level) + case CompressionZLIB: + compressor, err = zlib.NewWriterLevel(compressed, level) + default: + s := strconv.Itoa(int(algo)) + err = errors.UnsupportedError("Unsupported compression algorithm: " + s) + } + if err != nil { + return + } + + literaldata = compressedWriteCloser{compressed, compressor} + + return +} diff --git a/vendor/golang.org/x/crypto/openpgp/packet/config.go b/vendor/golang.org/x/crypto/openpgp/packet/config.go new file mode 100644 index 0000000000..c76eecc963 --- /dev/null +++ b/vendor/golang.org/x/crypto/openpgp/packet/config.go @@ -0,0 +1,91 @@ +// Copyright 2012 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package packet + +import ( + "crypto" + "crypto/rand" + "io" + "time" +) + +// Config collects a number of parameters along with sensible defaults. +// A nil *Config is valid and results in all default values. +type Config struct { + // Rand provides the source of entropy. + // If nil, the crypto/rand Reader is used. + Rand io.Reader + // DefaultHash is the default hash function to be used. + // If zero, SHA-256 is used. + DefaultHash crypto.Hash + // DefaultCipher is the cipher to be used. + // If zero, AES-128 is used. + DefaultCipher CipherFunction + // Time returns the current time as the number of seconds since the + // epoch. If Time is nil, time.Now is used. + Time func() time.Time + // DefaultCompressionAlgo is the compression algorithm to be + // applied to the plaintext before encryption. If zero, no + // compression is done. + DefaultCompressionAlgo CompressionAlgo + // CompressionConfig configures the compression settings. + CompressionConfig *CompressionConfig + // S2KCount is only used for symmetric encryption. It + // determines the strength of the passphrase stretching when + // the said passphrase is hashed to produce a key. S2KCount + // should be between 1024 and 65011712, inclusive. If Config + // is nil or S2KCount is 0, the value 65536 used. Not all + // values in the above range can be represented. S2KCount will + // be rounded up to the next representable value if it cannot + // be encoded exactly. When set, it is strongly encrouraged to + // use a value that is at least 65536. See RFC 4880 Section + // 3.7.1.3. + S2KCount int + // RSABits is the number of bits in new RSA keys made with NewEntity. + // If zero, then 2048 bit keys are created. + RSABits int +} + +func (c *Config) Random() io.Reader { + if c == nil || c.Rand == nil { + return rand.Reader + } + return c.Rand +} + +func (c *Config) Hash() crypto.Hash { + if c == nil || uint(c.DefaultHash) == 0 { + return crypto.SHA256 + } + return c.DefaultHash +} + +func (c *Config) Cipher() CipherFunction { + if c == nil || uint8(c.DefaultCipher) == 0 { + return CipherAES128 + } + return c.DefaultCipher +} + +func (c *Config) Now() time.Time { + if c == nil || c.Time == nil { + return time.Now() + } + return c.Time() +} + +func (c *Config) Compression() CompressionAlgo { + if c == nil { + return CompressionNone + } + return c.DefaultCompressionAlgo +} + +func (c *Config) PasswordHashIterations() int { + if c == nil || c.S2KCount == 0 { + return 0 + } + return c.S2KCount +} diff --git a/vendor/golang.org/x/crypto/openpgp/packet/encrypted_key.go b/vendor/golang.org/x/crypto/openpgp/packet/encrypted_key.go new file mode 100644 index 0000000000..6d7639722c --- /dev/null +++ b/vendor/golang.org/x/crypto/openpgp/packet/encrypted_key.go @@ -0,0 +1,208 @@ +// Copyright 2011 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package packet + +import ( + "crypto" + "crypto/rsa" + "encoding/binary" + "io" + "math/big" + "strconv" + + "golang.org/x/crypto/openpgp/elgamal" + "golang.org/x/crypto/openpgp/errors" +) + +const encryptedKeyVersion = 3 + +// EncryptedKey represents a public-key encrypted session key. See RFC 4880, +// section 5.1. +type EncryptedKey struct { + KeyId uint64 + Algo PublicKeyAlgorithm + CipherFunc CipherFunction // only valid after a successful Decrypt + Key []byte // only valid after a successful Decrypt + + encryptedMPI1, encryptedMPI2 parsedMPI +} + +func (e *EncryptedKey) parse(r io.Reader) (err error) { + var buf [10]byte + _, err = readFull(r, buf[:]) + if err != nil { + return + } + if buf[0] != encryptedKeyVersion { + return errors.UnsupportedError("unknown EncryptedKey version " + strconv.Itoa(int(buf[0]))) + } + e.KeyId = binary.BigEndian.Uint64(buf[1:9]) + e.Algo = PublicKeyAlgorithm(buf[9]) + switch e.Algo { + case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly: + e.encryptedMPI1.bytes, e.encryptedMPI1.bitLength, err = readMPI(r) + if err != nil { + return + } + case PubKeyAlgoElGamal: + e.encryptedMPI1.bytes, e.encryptedMPI1.bitLength, err = readMPI(r) + if err != nil { + return + } + e.encryptedMPI2.bytes, e.encryptedMPI2.bitLength, err = readMPI(r) + if err != nil { + return + } + } + _, err = consumeAll(r) + return +} + +func checksumKeyMaterial(key []byte) uint16 { + var checksum uint16 + for _, v := range key { + checksum += uint16(v) + } + return checksum +} + +// Decrypt decrypts an encrypted session key with the given private key. The +// private key must have been decrypted first. +// If config is nil, sensible defaults will be used. +func (e *EncryptedKey) Decrypt(priv *PrivateKey, config *Config) error { + var err error + var b []byte + + // TODO(agl): use session key decryption routines here to avoid + // padding oracle attacks. + switch priv.PubKeyAlgo { + case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly: + // Supports both *rsa.PrivateKey and crypto.Decrypter + k := priv.PrivateKey.(crypto.Decrypter) + b, err = k.Decrypt(config.Random(), padToKeySize(k.Public().(*rsa.PublicKey), e.encryptedMPI1.bytes), nil) + case PubKeyAlgoElGamal: + c1 := new(big.Int).SetBytes(e.encryptedMPI1.bytes) + c2 := new(big.Int).SetBytes(e.encryptedMPI2.bytes) + b, err = elgamal.Decrypt(priv.PrivateKey.(*elgamal.PrivateKey), c1, c2) + default: + err = errors.InvalidArgumentError("cannot decrypted encrypted session key with private key of type " + strconv.Itoa(int(priv.PubKeyAlgo))) + } + + if err != nil { + return err + } + + e.CipherFunc = CipherFunction(b[0]) + e.Key = b[1 : len(b)-2] + expectedChecksum := uint16(b[len(b)-2])<<8 | uint16(b[len(b)-1]) + checksum := checksumKeyMaterial(e.Key) + if checksum != expectedChecksum { + return errors.StructuralError("EncryptedKey checksum incorrect") + } + + return nil +} + +// Serialize writes the encrypted key packet, e, to w. +func (e *EncryptedKey) Serialize(w io.Writer) error { + var mpiLen int + switch e.Algo { + case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly: + mpiLen = 2 + len(e.encryptedMPI1.bytes) + case PubKeyAlgoElGamal: + mpiLen = 2 + len(e.encryptedMPI1.bytes) + 2 + len(e.encryptedMPI2.bytes) + default: + return errors.InvalidArgumentError("don't know how to serialize encrypted key type " + strconv.Itoa(int(e.Algo))) + } + + serializeHeader(w, packetTypeEncryptedKey, 1 /* version */ +8 /* key id */ +1 /* algo */ +mpiLen) + + w.Write([]byte{encryptedKeyVersion}) + binary.Write(w, binary.BigEndian, e.KeyId) + w.Write([]byte{byte(e.Algo)}) + + switch e.Algo { + case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly: + writeMPIs(w, e.encryptedMPI1) + case PubKeyAlgoElGamal: + writeMPIs(w, e.encryptedMPI1, e.encryptedMPI2) + default: + panic("internal error") + } + + return nil +} + +// SerializeEncryptedKey serializes an encrypted key packet to w that contains +// key, encrypted to pub. +// If config is nil, sensible defaults will be used. +func SerializeEncryptedKey(w io.Writer, pub *PublicKey, cipherFunc CipherFunction, key []byte, config *Config) error { + var buf [10]byte + buf[0] = encryptedKeyVersion + binary.BigEndian.PutUint64(buf[1:9], pub.KeyId) + buf[9] = byte(pub.PubKeyAlgo) + + keyBlock := make([]byte, 1 /* cipher type */ +len(key)+2 /* checksum */) + keyBlock[0] = byte(cipherFunc) + copy(keyBlock[1:], key) + checksum := checksumKeyMaterial(key) + keyBlock[1+len(key)] = byte(checksum >> 8) + keyBlock[1+len(key)+1] = byte(checksum) + + switch pub.PubKeyAlgo { + case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly: + return serializeEncryptedKeyRSA(w, config.Random(), buf, pub.PublicKey.(*rsa.PublicKey), keyBlock) + case PubKeyAlgoElGamal: + return serializeEncryptedKeyElGamal(w, config.Random(), buf, pub.PublicKey.(*elgamal.PublicKey), keyBlock) + case PubKeyAlgoDSA, PubKeyAlgoRSASignOnly: + return errors.InvalidArgumentError("cannot encrypt to public key of type " + strconv.Itoa(int(pub.PubKeyAlgo))) + } + + return errors.UnsupportedError("encrypting a key to public key of type " + strconv.Itoa(int(pub.PubKeyAlgo))) +} + +func serializeEncryptedKeyRSA(w io.Writer, rand io.Reader, header [10]byte, pub *rsa.PublicKey, keyBlock []byte) error { + cipherText, err := rsa.EncryptPKCS1v15(rand, pub, keyBlock) + if err != nil { + return errors.InvalidArgumentError("RSA encryption failed: " + err.Error()) + } + + packetLen := 10 /* header length */ + 2 /* mpi size */ + len(cipherText) + + err = serializeHeader(w, packetTypeEncryptedKey, packetLen) + if err != nil { + return err + } + _, err = w.Write(header[:]) + if err != nil { + return err + } + return writeMPI(w, 8*uint16(len(cipherText)), cipherText) +} + +func serializeEncryptedKeyElGamal(w io.Writer, rand io.Reader, header [10]byte, pub *elgamal.PublicKey, keyBlock []byte) error { + c1, c2, err := elgamal.Encrypt(rand, pub, keyBlock) + if err != nil { + return errors.InvalidArgumentError("ElGamal encryption failed: " + err.Error()) + } + + packetLen := 10 /* header length */ + packetLen += 2 /* mpi size */ + (c1.BitLen()+7)/8 + packetLen += 2 /* mpi size */ + (c2.BitLen()+7)/8 + + err = serializeHeader(w, packetTypeEncryptedKey, packetLen) + if err != nil { + return err + } + _, err = w.Write(header[:]) + if err != nil { + return err + } + err = writeBig(w, c1) + if err != nil { + return err + } + return writeBig(w, c2) +} diff --git a/vendor/golang.org/x/crypto/openpgp/packet/literal.go b/vendor/golang.org/x/crypto/openpgp/packet/literal.go new file mode 100644 index 0000000000..1a9ec6e51e --- /dev/null +++ b/vendor/golang.org/x/crypto/openpgp/packet/literal.go @@ -0,0 +1,89 @@ +// Copyright 2011 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package packet + +import ( + "encoding/binary" + "io" +) + +// LiteralData represents an encrypted file. See RFC 4880, section 5.9. +type LiteralData struct { + IsBinary bool + FileName string + Time uint32 // Unix epoch time. Either creation time or modification time. 0 means undefined. + Body io.Reader +} + +// ForEyesOnly returns whether the contents of the LiteralData have been marked +// as especially sensitive. +func (l *LiteralData) ForEyesOnly() bool { + return l.FileName == "_CONSOLE" +} + +func (l *LiteralData) parse(r io.Reader) (err error) { + var buf [256]byte + + _, err = readFull(r, buf[:2]) + if err != nil { + return + } + + l.IsBinary = buf[0] == 'b' + fileNameLen := int(buf[1]) + + _, err = readFull(r, buf[:fileNameLen]) + if err != nil { + return + } + + l.FileName = string(buf[:fileNameLen]) + + _, err = readFull(r, buf[:4]) + if err != nil { + return + } + + l.Time = binary.BigEndian.Uint32(buf[:4]) + l.Body = r + return +} + +// SerializeLiteral serializes a literal data packet to w and returns a +// WriteCloser to which the data itself can be written and which MUST be closed +// on completion. The fileName is truncated to 255 bytes. +func SerializeLiteral(w io.WriteCloser, isBinary bool, fileName string, time uint32) (plaintext io.WriteCloser, err error) { + var buf [4]byte + buf[0] = 't' + if isBinary { + buf[0] = 'b' + } + if len(fileName) > 255 { + fileName = fileName[:255] + } + buf[1] = byte(len(fileName)) + + inner, err := serializeStreamHeader(w, packetTypeLiteralData) + if err != nil { + return + } + + _, err = inner.Write(buf[:2]) + if err != nil { + return + } + _, err = inner.Write([]byte(fileName)) + if err != nil { + return + } + binary.BigEndian.PutUint32(buf[:], time) + _, err = inner.Write(buf[:]) + if err != nil { + return + } + + plaintext = inner + return +} diff --git a/vendor/golang.org/x/crypto/openpgp/packet/ocfb.go b/vendor/golang.org/x/crypto/openpgp/packet/ocfb.go new file mode 100644 index 0000000000..ce2a33a547 --- /dev/null +++ b/vendor/golang.org/x/crypto/openpgp/packet/ocfb.go @@ -0,0 +1,143 @@ +// Copyright 2010 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +// OpenPGP CFB Mode. http://tools.ietf.org/html/rfc4880#section-13.9 + +package packet + +import ( + "crypto/cipher" +) + +type ocfbEncrypter struct { + b cipher.Block + fre []byte + outUsed int +} + +// An OCFBResyncOption determines if the "resynchronization step" of OCFB is +// performed. +type OCFBResyncOption bool + +const ( + OCFBResync OCFBResyncOption = true + OCFBNoResync OCFBResyncOption = false +) + +// NewOCFBEncrypter returns a cipher.Stream which encrypts data with OpenPGP's +// cipher feedback mode using the given cipher.Block, and an initial amount of +// ciphertext. randData must be random bytes and be the same length as the +// cipher.Block's block size. Resync determines if the "resynchronization step" +// from RFC 4880, 13.9 step 7 is performed. Different parts of OpenPGP vary on +// this point. +func NewOCFBEncrypter(block cipher.Block, randData []byte, resync OCFBResyncOption) (cipher.Stream, []byte) { + blockSize := block.BlockSize() + if len(randData) != blockSize { + return nil, nil + } + + x := &ocfbEncrypter{ + b: block, + fre: make([]byte, blockSize), + outUsed: 0, + } + prefix := make([]byte, blockSize+2) + + block.Encrypt(x.fre, x.fre) + for i := 0; i < blockSize; i++ { + prefix[i] = randData[i] ^ x.fre[i] + } + + block.Encrypt(x.fre, prefix[:blockSize]) + prefix[blockSize] = x.fre[0] ^ randData[blockSize-2] + prefix[blockSize+1] = x.fre[1] ^ randData[blockSize-1] + + if resync { + block.Encrypt(x.fre, prefix[2:]) + } else { + x.fre[0] = prefix[blockSize] + x.fre[1] = prefix[blockSize+1] + x.outUsed = 2 + } + return x, prefix +} + +func (x *ocfbEncrypter) XORKeyStream(dst, src []byte) { + for i := 0; i < len(src); i++ { + if x.outUsed == len(x.fre) { + x.b.Encrypt(x.fre, x.fre) + x.outUsed = 0 + } + + x.fre[x.outUsed] ^= src[i] + dst[i] = x.fre[x.outUsed] + x.outUsed++ + } +} + +type ocfbDecrypter struct { + b cipher.Block + fre []byte + outUsed int +} + +// NewOCFBDecrypter returns a cipher.Stream which decrypts data with OpenPGP's +// cipher feedback mode using the given cipher.Block. Prefix must be the first +// blockSize + 2 bytes of the ciphertext, where blockSize is the cipher.Block's +// block size. If an incorrect key is detected then nil is returned. On +// successful exit, blockSize+2 bytes of decrypted data are written into +// prefix. Resync determines if the "resynchronization step" from RFC 4880, +// 13.9 step 7 is performed. Different parts of OpenPGP vary on this point. +func NewOCFBDecrypter(block cipher.Block, prefix []byte, resync OCFBResyncOption) cipher.Stream { + blockSize := block.BlockSize() + if len(prefix) != blockSize+2 { + return nil + } + + x := &ocfbDecrypter{ + b: block, + fre: make([]byte, blockSize), + outUsed: 0, + } + prefixCopy := make([]byte, len(prefix)) + copy(prefixCopy, prefix) + + block.Encrypt(x.fre, x.fre) + for i := 0; i < blockSize; i++ { + prefixCopy[i] ^= x.fre[i] + } + + block.Encrypt(x.fre, prefix[:blockSize]) + prefixCopy[blockSize] ^= x.fre[0] + prefixCopy[blockSize+1] ^= x.fre[1] + + if prefixCopy[blockSize-2] != prefixCopy[blockSize] || + prefixCopy[blockSize-1] != prefixCopy[blockSize+1] { + return nil + } + + if resync { + block.Encrypt(x.fre, prefix[2:]) + } else { + x.fre[0] = prefix[blockSize] + x.fre[1] = prefix[blockSize+1] + x.outUsed = 2 + } + copy(prefix, prefixCopy) + return x +} + +func (x *ocfbDecrypter) XORKeyStream(dst, src []byte) { + for i := 0; i < len(src); i++ { + if x.outUsed == len(x.fre) { + x.b.Encrypt(x.fre, x.fre) + x.outUsed = 0 + } + + c := src[i] + dst[i] = x.fre[x.outUsed] ^ src[i] + x.fre[x.outUsed] = c + x.outUsed++ + } +} diff --git a/vendor/golang.org/x/crypto/openpgp/packet/one_pass_signature.go b/vendor/golang.org/x/crypto/openpgp/packet/one_pass_signature.go new file mode 100644 index 0000000000..1713503395 --- /dev/null +++ b/vendor/golang.org/x/crypto/openpgp/packet/one_pass_signature.go @@ -0,0 +1,73 @@ +// Copyright 2011 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package packet + +import ( + "crypto" + "encoding/binary" + "golang.org/x/crypto/openpgp/errors" + "golang.org/x/crypto/openpgp/s2k" + "io" + "strconv" +) + +// OnePassSignature represents a one-pass signature packet. See RFC 4880, +// section 5.4. +type OnePassSignature struct { + SigType SignatureType + Hash crypto.Hash + PubKeyAlgo PublicKeyAlgorithm + KeyId uint64 + IsLast bool +} + +const onePassSignatureVersion = 3 + +func (ops *OnePassSignature) parse(r io.Reader) (err error) { + var buf [13]byte + + _, err = readFull(r, buf[:]) + if err != nil { + return + } + if buf[0] != onePassSignatureVersion { + err = errors.UnsupportedError("one-pass-signature packet version " + strconv.Itoa(int(buf[0]))) + } + + var ok bool + ops.Hash, ok = s2k.HashIdToHash(buf[2]) + if !ok { + return errors.UnsupportedError("hash function: " + strconv.Itoa(int(buf[2]))) + } + + ops.SigType = SignatureType(buf[1]) + ops.PubKeyAlgo = PublicKeyAlgorithm(buf[3]) + ops.KeyId = binary.BigEndian.Uint64(buf[4:12]) + ops.IsLast = buf[12] != 0 + return +} + +// Serialize marshals the given OnePassSignature to w. +func (ops *OnePassSignature) Serialize(w io.Writer) error { + var buf [13]byte + buf[0] = onePassSignatureVersion + buf[1] = uint8(ops.SigType) + var ok bool + buf[2], ok = s2k.HashToHashId(ops.Hash) + if !ok { + return errors.UnsupportedError("hash type: " + strconv.Itoa(int(ops.Hash))) + } + buf[3] = uint8(ops.PubKeyAlgo) + binary.BigEndian.PutUint64(buf[4:12], ops.KeyId) + if ops.IsLast { + buf[12] = 1 + } + + if err := serializeHeader(w, packetTypeOnePassSignature, len(buf)); err != nil { + return err + } + _, err := w.Write(buf[:]) + return err +} diff --git a/vendor/golang.org/x/crypto/openpgp/packet/opaque.go b/vendor/golang.org/x/crypto/openpgp/packet/opaque.go new file mode 100644 index 0000000000..3984477310 --- /dev/null +++ b/vendor/golang.org/x/crypto/openpgp/packet/opaque.go @@ -0,0 +1,161 @@ +// Copyright 2012 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package packet + +import ( + "bytes" + "io" + + "golang.org/x/crypto/openpgp/errors" +) + +// OpaquePacket represents an OpenPGP packet as raw, unparsed data. This is +// useful for splitting and storing the original packet contents separately, +// handling unsupported packet types or accessing parts of the packet not yet +// implemented by this package. +type OpaquePacket struct { + // Packet type + Tag uint8 + // Reason why the packet was parsed opaquely + Reason error + // Binary contents of the packet data + Contents []byte +} + +func (op *OpaquePacket) parse(r io.Reader) (err error) { + op.Contents, err = io.ReadAll(r) + return +} + +// Serialize marshals the packet to a writer in its original form, including +// the packet header. +func (op *OpaquePacket) Serialize(w io.Writer) (err error) { + err = serializeHeader(w, packetType(op.Tag), len(op.Contents)) + if err == nil { + _, err = w.Write(op.Contents) + } + return +} + +// Parse attempts to parse the opaque contents into a structure supported by +// this package. If the packet is not known then the result will be another +// OpaquePacket. +func (op *OpaquePacket) Parse() (p Packet, err error) { + hdr := bytes.NewBuffer(nil) + err = serializeHeader(hdr, packetType(op.Tag), len(op.Contents)) + if err != nil { + op.Reason = err + return op, err + } + p, err = Read(io.MultiReader(hdr, bytes.NewBuffer(op.Contents))) + if err != nil { + op.Reason = err + p = op + } + return +} + +// OpaqueReader reads OpaquePackets from an io.Reader. +type OpaqueReader struct { + r io.Reader +} + +func NewOpaqueReader(r io.Reader) *OpaqueReader { + return &OpaqueReader{r: r} +} + +// Read the next OpaquePacket. +func (or *OpaqueReader) Next() (op *OpaquePacket, err error) { + tag, _, contents, err := readHeader(or.r) + if err != nil { + return + } + op = &OpaquePacket{Tag: uint8(tag), Reason: err} + err = op.parse(contents) + if err != nil { + consumeAll(contents) + } + return +} + +// OpaqueSubpacket represents an unparsed OpenPGP subpacket, +// as found in signature and user attribute packets. +type OpaqueSubpacket struct { + SubType uint8 + Contents []byte +} + +// OpaqueSubpackets extracts opaque, unparsed OpenPGP subpackets from +// their byte representation. +func OpaqueSubpackets(contents []byte) (result []*OpaqueSubpacket, err error) { + var ( + subHeaderLen int + subPacket *OpaqueSubpacket + ) + for len(contents) > 0 { + subHeaderLen, subPacket, err = nextSubpacket(contents) + if err != nil { + break + } + result = append(result, subPacket) + contents = contents[subHeaderLen+len(subPacket.Contents):] + } + return +} + +func nextSubpacket(contents []byte) (subHeaderLen int, subPacket *OpaqueSubpacket, err error) { + // RFC 4880, section 5.2.3.1 + var subLen uint32 + if len(contents) < 1 { + goto Truncated + } + subPacket = &OpaqueSubpacket{} + switch { + case contents[0] < 192: + subHeaderLen = 2 // 1 length byte, 1 subtype byte + if len(contents) < subHeaderLen { + goto Truncated + } + subLen = uint32(contents[0]) + contents = contents[1:] + case contents[0] < 255: + subHeaderLen = 3 // 2 length bytes, 1 subtype + if len(contents) < subHeaderLen { + goto Truncated + } + subLen = uint32(contents[0]-192)<<8 + uint32(contents[1]) + 192 + contents = contents[2:] + default: + subHeaderLen = 6 // 5 length bytes, 1 subtype + if len(contents) < subHeaderLen { + goto Truncated + } + subLen = uint32(contents[1])<<24 | + uint32(contents[2])<<16 | + uint32(contents[3])<<8 | + uint32(contents[4]) + contents = contents[5:] + } + if subLen > uint32(len(contents)) || subLen == 0 { + goto Truncated + } + subPacket.SubType = contents[0] + subPacket.Contents = contents[1:subLen] + return +Truncated: + err = errors.StructuralError("subpacket truncated") + return +} + +func (osp *OpaqueSubpacket) Serialize(w io.Writer) (err error) { + buf := make([]byte, 6) + n := serializeSubpacketLength(buf, len(osp.Contents)+1) + buf[n] = osp.SubType + if _, err = w.Write(buf[:n+1]); err != nil { + return + } + _, err = w.Write(osp.Contents) + return +} diff --git a/vendor/golang.org/x/crypto/openpgp/packet/packet.go b/vendor/golang.org/x/crypto/openpgp/packet/packet.go new file mode 100644 index 0000000000..a84a1a214e --- /dev/null +++ b/vendor/golang.org/x/crypto/openpgp/packet/packet.go @@ -0,0 +1,590 @@ +// Copyright 2011 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +// Package packet implements parsing and serialization of OpenPGP packets, as +// specified in RFC 4880. +// +// Deprecated: this package is unmaintained except for security fixes. New +// applications should consider a more focused, modern alternative to OpenPGP +// for their specific task. If you are required to interoperate with OpenPGP +// systems and need a maintained package, consider a community fork. +// See https://golang.org/issue/44226. +package packet + +import ( + "bufio" + "crypto/aes" + "crypto/cipher" + "crypto/des" + "crypto/rsa" + "io" + "math/big" + "math/bits" + + "golang.org/x/crypto/cast5" + "golang.org/x/crypto/openpgp/errors" +) + +// readFull is the same as io.ReadFull except that reading zero bytes returns +// ErrUnexpectedEOF rather than EOF. +func readFull(r io.Reader, buf []byte) (n int, err error) { + n, err = io.ReadFull(r, buf) + if err == io.EOF { + err = io.ErrUnexpectedEOF + } + return +} + +// readLength reads an OpenPGP length from r. See RFC 4880, section 4.2.2. +func readLength(r io.Reader) (length int64, isPartial bool, err error) { + var buf [4]byte + _, err = readFull(r, buf[:1]) + if err != nil { + return + } + switch { + case buf[0] < 192: + length = int64(buf[0]) + case buf[0] < 224: + length = int64(buf[0]-192) << 8 + _, err = readFull(r, buf[0:1]) + if err != nil { + return + } + length += int64(buf[0]) + 192 + case buf[0] < 255: + length = int64(1) << (buf[0] & 0x1f) + isPartial = true + default: + _, err = readFull(r, buf[0:4]) + if err != nil { + return + } + length = int64(buf[0])<<24 | + int64(buf[1])<<16 | + int64(buf[2])<<8 | + int64(buf[3]) + } + return +} + +// partialLengthReader wraps an io.Reader and handles OpenPGP partial lengths. +// The continuation lengths are parsed and removed from the stream and EOF is +// returned at the end of the packet. See RFC 4880, section 4.2.2.4. +type partialLengthReader struct { + r io.Reader + remaining int64 + isPartial bool +} + +func (r *partialLengthReader) Read(p []byte) (n int, err error) { + for r.remaining == 0 { + if !r.isPartial { + return 0, io.EOF + } + r.remaining, r.isPartial, err = readLength(r.r) + if err != nil { + return 0, err + } + } + + toRead := int64(len(p)) + if toRead > r.remaining { + toRead = r.remaining + } + + n, err = r.r.Read(p[:int(toRead)]) + r.remaining -= int64(n) + if n < int(toRead) && err == io.EOF { + err = io.ErrUnexpectedEOF + } + return +} + +// partialLengthWriter writes a stream of data using OpenPGP partial lengths. +// See RFC 4880, section 4.2.2.4. +type partialLengthWriter struct { + w io.WriteCloser + lengthByte [1]byte + sentFirst bool + buf []byte +} + +// RFC 4880 4.2.2.4: the first partial length MUST be at least 512 octets long. +const minFirstPartialWrite = 512 + +func (w *partialLengthWriter) Write(p []byte) (n int, err error) { + off := 0 + if !w.sentFirst { + if len(w.buf) > 0 || len(p) < minFirstPartialWrite { + off = len(w.buf) + w.buf = append(w.buf, p...) + if len(w.buf) < minFirstPartialWrite { + return len(p), nil + } + p = w.buf + w.buf = nil + } + w.sentFirst = true + } + + power := uint8(30) + for len(p) > 0 { + l := 1 << power + if len(p) < l { + power = uint8(bits.Len32(uint32(len(p)))) - 1 + l = 1 << power + } + w.lengthByte[0] = 224 + power + _, err = w.w.Write(w.lengthByte[:]) + if err == nil { + var m int + m, err = w.w.Write(p[:l]) + n += m + } + if err != nil { + if n < off { + return 0, err + } + return n - off, err + } + p = p[l:] + } + return n - off, nil +} + +func (w *partialLengthWriter) Close() error { + if len(w.buf) > 0 { + // In this case we can't send a 512 byte packet. + // Just send what we have. + p := w.buf + w.sentFirst = true + w.buf = nil + if _, err := w.Write(p); err != nil { + return err + } + } + + w.lengthByte[0] = 0 + _, err := w.w.Write(w.lengthByte[:]) + if err != nil { + return err + } + return w.w.Close() +} + +// A spanReader is an io.LimitReader, but it returns ErrUnexpectedEOF if the +// underlying Reader returns EOF before the limit has been reached. +type spanReader struct { + r io.Reader + n int64 +} + +func (l *spanReader) Read(p []byte) (n int, err error) { + if l.n <= 0 { + return 0, io.EOF + } + if int64(len(p)) > l.n { + p = p[0:l.n] + } + n, err = l.r.Read(p) + l.n -= int64(n) + if l.n > 0 && err == io.EOF { + err = io.ErrUnexpectedEOF + } + return +} + +// readHeader parses a packet header and returns an io.Reader which will return +// the contents of the packet. See RFC 4880, section 4.2. +func readHeader(r io.Reader) (tag packetType, length int64, contents io.Reader, err error) { + var buf [4]byte + _, err = io.ReadFull(r, buf[:1]) + if err != nil { + return + } + if buf[0]&0x80 == 0 { + err = errors.StructuralError("tag byte does not have MSB set") + return + } + if buf[0]&0x40 == 0 { + // Old format packet + tag = packetType((buf[0] & 0x3f) >> 2) + lengthType := buf[0] & 3 + if lengthType == 3 { + length = -1 + contents = r + return + } + lengthBytes := 1 << lengthType + _, err = readFull(r, buf[0:lengthBytes]) + if err != nil { + return + } + for i := 0; i < lengthBytes; i++ { + length <<= 8 + length |= int64(buf[i]) + } + contents = &spanReader{r, length} + return + } + + // New format packet + tag = packetType(buf[0] & 0x3f) + length, isPartial, err := readLength(r) + if err != nil { + return + } + if isPartial { + contents = &partialLengthReader{ + remaining: length, + isPartial: true, + r: r, + } + length = -1 + } else { + contents = &spanReader{r, length} + } + return +} + +// serializeHeader writes an OpenPGP packet header to w. See RFC 4880, section +// 4.2. +func serializeHeader(w io.Writer, ptype packetType, length int) (err error) { + var buf [6]byte + var n int + + buf[0] = 0x80 | 0x40 | byte(ptype) + if length < 192 { + buf[1] = byte(length) + n = 2 + } else if length < 8384 { + length -= 192 + buf[1] = 192 + byte(length>>8) + buf[2] = byte(length) + n = 3 + } else { + buf[1] = 255 + buf[2] = byte(length >> 24) + buf[3] = byte(length >> 16) + buf[4] = byte(length >> 8) + buf[5] = byte(length) + n = 6 + } + + _, err = w.Write(buf[:n]) + return +} + +// serializeStreamHeader writes an OpenPGP packet header to w where the +// length of the packet is unknown. It returns a io.WriteCloser which can be +// used to write the contents of the packet. See RFC 4880, section 4.2. +func serializeStreamHeader(w io.WriteCloser, ptype packetType) (out io.WriteCloser, err error) { + var buf [1]byte + buf[0] = 0x80 | 0x40 | byte(ptype) + _, err = w.Write(buf[:]) + if err != nil { + return + } + out = &partialLengthWriter{w: w} + return +} + +// Packet represents an OpenPGP packet. Users are expected to try casting +// instances of this interface to specific packet types. +type Packet interface { + parse(io.Reader) error +} + +// consumeAll reads from the given Reader until error, returning the number of +// bytes read. +func consumeAll(r io.Reader) (n int64, err error) { + var m int + var buf [1024]byte + + for { + m, err = r.Read(buf[:]) + n += int64(m) + if err == io.EOF { + err = nil + return + } + if err != nil { + return + } + } +} + +// packetType represents the numeric ids of the different OpenPGP packet types. See +// http://www.iana.org/assignments/pgp-parameters/pgp-parameters.xhtml#pgp-parameters-2 +type packetType uint8 + +const ( + packetTypeEncryptedKey packetType = 1 + packetTypeSignature packetType = 2 + packetTypeSymmetricKeyEncrypted packetType = 3 + packetTypeOnePassSignature packetType = 4 + packetTypePrivateKey packetType = 5 + packetTypePublicKey packetType = 6 + packetTypePrivateSubkey packetType = 7 + packetTypeCompressed packetType = 8 + packetTypeSymmetricallyEncrypted packetType = 9 + packetTypeLiteralData packetType = 11 + packetTypeUserId packetType = 13 + packetTypePublicSubkey packetType = 14 + packetTypeUserAttribute packetType = 17 + packetTypeSymmetricallyEncryptedMDC packetType = 18 +) + +// peekVersion detects the version of a public key packet about to +// be read. A bufio.Reader at the original position of the io.Reader +// is returned. +func peekVersion(r io.Reader) (bufr *bufio.Reader, ver byte, err error) { + bufr = bufio.NewReader(r) + var verBuf []byte + if verBuf, err = bufr.Peek(1); err != nil { + return + } + ver = verBuf[0] + return +} + +// Read reads a single OpenPGP packet from the given io.Reader. If there is an +// error parsing a packet, the whole packet is consumed from the input. +func Read(r io.Reader) (p Packet, err error) { + tag, _, contents, err := readHeader(r) + if err != nil { + return + } + + switch tag { + case packetTypeEncryptedKey: + p = new(EncryptedKey) + case packetTypeSignature: + var version byte + // Detect signature version + if contents, version, err = peekVersion(contents); err != nil { + return + } + if version < 4 { + p = new(SignatureV3) + } else { + p = new(Signature) + } + case packetTypeSymmetricKeyEncrypted: + p = new(SymmetricKeyEncrypted) + case packetTypeOnePassSignature: + p = new(OnePassSignature) + case packetTypePrivateKey, packetTypePrivateSubkey: + pk := new(PrivateKey) + if tag == packetTypePrivateSubkey { + pk.IsSubkey = true + } + p = pk + case packetTypePublicKey, packetTypePublicSubkey: + var version byte + if contents, version, err = peekVersion(contents); err != nil { + return + } + isSubkey := tag == packetTypePublicSubkey + if version < 4 { + p = &PublicKeyV3{IsSubkey: isSubkey} + } else { + p = &PublicKey{IsSubkey: isSubkey} + } + case packetTypeCompressed: + p = new(Compressed) + case packetTypeSymmetricallyEncrypted: + p = new(SymmetricallyEncrypted) + case packetTypeLiteralData: + p = new(LiteralData) + case packetTypeUserId: + p = new(UserId) + case packetTypeUserAttribute: + p = new(UserAttribute) + case packetTypeSymmetricallyEncryptedMDC: + se := new(SymmetricallyEncrypted) + se.MDC = true + p = se + default: + err = errors.UnknownPacketTypeError(tag) + } + if p != nil { + err = p.parse(contents) + } + if err != nil { + consumeAll(contents) + } + return +} + +// SignatureType represents the different semantic meanings of an OpenPGP +// signature. See RFC 4880, section 5.2.1. +type SignatureType uint8 + +const ( + SigTypeBinary SignatureType = 0 + SigTypeText = 1 + SigTypeGenericCert = 0x10 + SigTypePersonaCert = 0x11 + SigTypeCasualCert = 0x12 + SigTypePositiveCert = 0x13 + SigTypeSubkeyBinding = 0x18 + SigTypePrimaryKeyBinding = 0x19 + SigTypeDirectSignature = 0x1F + SigTypeKeyRevocation = 0x20 + SigTypeSubkeyRevocation = 0x28 +) + +// PublicKeyAlgorithm represents the different public key system specified for +// OpenPGP. See +// http://www.iana.org/assignments/pgp-parameters/pgp-parameters.xhtml#pgp-parameters-12 +type PublicKeyAlgorithm uint8 + +const ( + PubKeyAlgoRSA PublicKeyAlgorithm = 1 + PubKeyAlgoElGamal PublicKeyAlgorithm = 16 + PubKeyAlgoDSA PublicKeyAlgorithm = 17 + // RFC 6637, Section 5. + PubKeyAlgoECDH PublicKeyAlgorithm = 18 + PubKeyAlgoECDSA PublicKeyAlgorithm = 19 + + // Deprecated in RFC 4880, Section 13.5. Use key flags instead. + PubKeyAlgoRSAEncryptOnly PublicKeyAlgorithm = 2 + PubKeyAlgoRSASignOnly PublicKeyAlgorithm = 3 +) + +// CanEncrypt returns true if it's possible to encrypt a message to a public +// key of the given type. +func (pka PublicKeyAlgorithm) CanEncrypt() bool { + switch pka { + case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly, PubKeyAlgoElGamal: + return true + } + return false +} + +// CanSign returns true if it's possible for a public key of the given type to +// sign a message. +func (pka PublicKeyAlgorithm) CanSign() bool { + switch pka { + case PubKeyAlgoRSA, PubKeyAlgoRSASignOnly, PubKeyAlgoDSA, PubKeyAlgoECDSA: + return true + } + return false +} + +// CipherFunction represents the different block ciphers specified for OpenPGP. See +// http://www.iana.org/assignments/pgp-parameters/pgp-parameters.xhtml#pgp-parameters-13 +type CipherFunction uint8 + +const ( + Cipher3DES CipherFunction = 2 + CipherCAST5 CipherFunction = 3 + CipherAES128 CipherFunction = 7 + CipherAES192 CipherFunction = 8 + CipherAES256 CipherFunction = 9 +) + +// KeySize returns the key size, in bytes, of cipher. +func (cipher CipherFunction) KeySize() int { + switch cipher { + case Cipher3DES: + return 24 + case CipherCAST5: + return cast5.KeySize + case CipherAES128: + return 16 + case CipherAES192: + return 24 + case CipherAES256: + return 32 + } + return 0 +} + +// blockSize returns the block size, in bytes, of cipher. +func (cipher CipherFunction) blockSize() int { + switch cipher { + case Cipher3DES: + return des.BlockSize + case CipherCAST5: + return 8 + case CipherAES128, CipherAES192, CipherAES256: + return 16 + } + return 0 +} + +// new returns a fresh instance of the given cipher. +func (cipher CipherFunction) new(key []byte) (block cipher.Block) { + switch cipher { + case Cipher3DES: + block, _ = des.NewTripleDESCipher(key) + case CipherCAST5: + block, _ = cast5.NewCipher(key) + case CipherAES128, CipherAES192, CipherAES256: + block, _ = aes.NewCipher(key) + } + return +} + +// readMPI reads a big integer from r. The bit length returned is the bit +// length that was specified in r. This is preserved so that the integer can be +// reserialized exactly. +func readMPI(r io.Reader) (mpi []byte, bitLength uint16, err error) { + var buf [2]byte + _, err = readFull(r, buf[0:]) + if err != nil { + return + } + bitLength = uint16(buf[0])<<8 | uint16(buf[1]) + numBytes := (int(bitLength) + 7) / 8 + mpi = make([]byte, numBytes) + _, err = readFull(r, mpi) + // According to RFC 4880 3.2. we should check that the MPI has no leading + // zeroes (at least when not an encrypted MPI?), but this implementation + // does generate leading zeroes, so we keep accepting them. + return +} + +// writeMPI serializes a big integer to w. +func writeMPI(w io.Writer, bitLength uint16, mpiBytes []byte) (err error) { + // Note that we can produce leading zeroes, in violation of RFC 4880 3.2. + // Implementations seem to be tolerant of them, and stripping them would + // make it complex to guarantee matching re-serialization. + _, err = w.Write([]byte{byte(bitLength >> 8), byte(bitLength)}) + if err == nil { + _, err = w.Write(mpiBytes) + } + return +} + +// writeBig serializes a *big.Int to w. +func writeBig(w io.Writer, i *big.Int) error { + return writeMPI(w, uint16(i.BitLen()), i.Bytes()) +} + +// padToKeySize left-pads a MPI with zeroes to match the length of the +// specified RSA public. +func padToKeySize(pub *rsa.PublicKey, b []byte) []byte { + k := (pub.N.BitLen() + 7) / 8 + if len(b) >= k { + return b + } + bb := make([]byte, k) + copy(bb[len(bb)-len(b):], b) + return bb +} + +// CompressionAlgo Represents the different compression algorithms +// supported by OpenPGP (except for BZIP2, which is not currently +// supported). See Section 9.3 of RFC 4880. +type CompressionAlgo uint8 + +const ( + CompressionNone CompressionAlgo = 0 + CompressionZIP CompressionAlgo = 1 + CompressionZLIB CompressionAlgo = 2 +) diff --git a/vendor/golang.org/x/crypto/openpgp/packet/private_key.go b/vendor/golang.org/x/crypto/openpgp/packet/private_key.go new file mode 100644 index 0000000000..192aac376d --- /dev/null +++ b/vendor/golang.org/x/crypto/openpgp/packet/private_key.go @@ -0,0 +1,384 @@ +// Copyright 2011 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package packet + +import ( + "bytes" + "crypto" + "crypto/cipher" + "crypto/dsa" + "crypto/ecdsa" + "crypto/rsa" + "crypto/sha1" + "io" + "math/big" + "strconv" + "time" + + "golang.org/x/crypto/openpgp/elgamal" + "golang.org/x/crypto/openpgp/errors" + "golang.org/x/crypto/openpgp/s2k" +) + +// PrivateKey represents a possibly encrypted private key. See RFC 4880, +// section 5.5.3. +type PrivateKey struct { + PublicKey + Encrypted bool // if true then the private key is unavailable until Decrypt has been called. + encryptedData []byte + cipher CipherFunction + s2k func(out, in []byte) + PrivateKey interface{} // An *{rsa|dsa|ecdsa}.PrivateKey or crypto.Signer/crypto.Decrypter (Decryptor RSA only). + sha1Checksum bool + iv []byte +} + +func NewRSAPrivateKey(creationTime time.Time, priv *rsa.PrivateKey) *PrivateKey { + pk := new(PrivateKey) + pk.PublicKey = *NewRSAPublicKey(creationTime, &priv.PublicKey) + pk.PrivateKey = priv + return pk +} + +func NewDSAPrivateKey(creationTime time.Time, priv *dsa.PrivateKey) *PrivateKey { + pk := new(PrivateKey) + pk.PublicKey = *NewDSAPublicKey(creationTime, &priv.PublicKey) + pk.PrivateKey = priv + return pk +} + +func NewElGamalPrivateKey(creationTime time.Time, priv *elgamal.PrivateKey) *PrivateKey { + pk := new(PrivateKey) + pk.PublicKey = *NewElGamalPublicKey(creationTime, &priv.PublicKey) + pk.PrivateKey = priv + return pk +} + +func NewECDSAPrivateKey(creationTime time.Time, priv *ecdsa.PrivateKey) *PrivateKey { + pk := new(PrivateKey) + pk.PublicKey = *NewECDSAPublicKey(creationTime, &priv.PublicKey) + pk.PrivateKey = priv + return pk +} + +// NewSignerPrivateKey creates a PrivateKey from a crypto.Signer that +// implements RSA or ECDSA. +func NewSignerPrivateKey(creationTime time.Time, signer crypto.Signer) *PrivateKey { + pk := new(PrivateKey) + // In general, the public Keys should be used as pointers. We still + // type-switch on the values, for backwards-compatibility. + switch pubkey := signer.Public().(type) { + case *rsa.PublicKey: + pk.PublicKey = *NewRSAPublicKey(creationTime, pubkey) + case rsa.PublicKey: + pk.PublicKey = *NewRSAPublicKey(creationTime, &pubkey) + case *ecdsa.PublicKey: + pk.PublicKey = *NewECDSAPublicKey(creationTime, pubkey) + case ecdsa.PublicKey: + pk.PublicKey = *NewECDSAPublicKey(creationTime, &pubkey) + default: + panic("openpgp: unknown crypto.Signer type in NewSignerPrivateKey") + } + pk.PrivateKey = signer + return pk +} + +func (pk *PrivateKey) parse(r io.Reader) (err error) { + err = (&pk.PublicKey).parse(r) + if err != nil { + return + } + var buf [1]byte + _, err = readFull(r, buf[:]) + if err != nil { + return + } + + s2kType := buf[0] + + switch s2kType { + case 0: + pk.s2k = nil + pk.Encrypted = false + case 254, 255: + _, err = readFull(r, buf[:]) + if err != nil { + return + } + pk.cipher = CipherFunction(buf[0]) + pk.Encrypted = true + pk.s2k, err = s2k.Parse(r) + if err != nil { + return + } + if s2kType == 254 { + pk.sha1Checksum = true + } + default: + return errors.UnsupportedError("deprecated s2k function in private key") + } + + if pk.Encrypted { + blockSize := pk.cipher.blockSize() + if blockSize == 0 { + return errors.UnsupportedError("unsupported cipher in private key: " + strconv.Itoa(int(pk.cipher))) + } + pk.iv = make([]byte, blockSize) + _, err = readFull(r, pk.iv) + if err != nil { + return + } + } + + pk.encryptedData, err = io.ReadAll(r) + if err != nil { + return + } + + if !pk.Encrypted { + return pk.parsePrivateKey(pk.encryptedData) + } + + return +} + +func mod64kHash(d []byte) uint16 { + var h uint16 + for _, b := range d { + h += uint16(b) + } + return h +} + +func (pk *PrivateKey) Serialize(w io.Writer) (err error) { + // TODO(agl): support encrypted private keys + buf := bytes.NewBuffer(nil) + err = pk.PublicKey.serializeWithoutHeaders(buf) + if err != nil { + return + } + buf.WriteByte(0 /* no encryption */) + + privateKeyBuf := bytes.NewBuffer(nil) + + switch priv := pk.PrivateKey.(type) { + case *rsa.PrivateKey: + err = serializeRSAPrivateKey(privateKeyBuf, priv) + case *dsa.PrivateKey: + err = serializeDSAPrivateKey(privateKeyBuf, priv) + case *elgamal.PrivateKey: + err = serializeElGamalPrivateKey(privateKeyBuf, priv) + case *ecdsa.PrivateKey: + err = serializeECDSAPrivateKey(privateKeyBuf, priv) + default: + err = errors.InvalidArgumentError("unknown private key type") + } + if err != nil { + return + } + + ptype := packetTypePrivateKey + contents := buf.Bytes() + privateKeyBytes := privateKeyBuf.Bytes() + if pk.IsSubkey { + ptype = packetTypePrivateSubkey + } + err = serializeHeader(w, ptype, len(contents)+len(privateKeyBytes)+2) + if err != nil { + return + } + _, err = w.Write(contents) + if err != nil { + return + } + _, err = w.Write(privateKeyBytes) + if err != nil { + return + } + + checksum := mod64kHash(privateKeyBytes) + var checksumBytes [2]byte + checksumBytes[0] = byte(checksum >> 8) + checksumBytes[1] = byte(checksum) + _, err = w.Write(checksumBytes[:]) + + return +} + +func serializeRSAPrivateKey(w io.Writer, priv *rsa.PrivateKey) error { + err := writeBig(w, priv.D) + if err != nil { + return err + } + err = writeBig(w, priv.Primes[1]) + if err != nil { + return err + } + err = writeBig(w, priv.Primes[0]) + if err != nil { + return err + } + return writeBig(w, priv.Precomputed.Qinv) +} + +func serializeDSAPrivateKey(w io.Writer, priv *dsa.PrivateKey) error { + return writeBig(w, priv.X) +} + +func serializeElGamalPrivateKey(w io.Writer, priv *elgamal.PrivateKey) error { + return writeBig(w, priv.X) +} + +func serializeECDSAPrivateKey(w io.Writer, priv *ecdsa.PrivateKey) error { + return writeBig(w, priv.D) +} + +// Decrypt decrypts an encrypted private key using a passphrase. +func (pk *PrivateKey) Decrypt(passphrase []byte) error { + if !pk.Encrypted { + return nil + } + + key := make([]byte, pk.cipher.KeySize()) + pk.s2k(key, passphrase) + block := pk.cipher.new(key) + cfb := cipher.NewCFBDecrypter(block, pk.iv) + + data := make([]byte, len(pk.encryptedData)) + cfb.XORKeyStream(data, pk.encryptedData) + + if pk.sha1Checksum { + if len(data) < sha1.Size { + return errors.StructuralError("truncated private key data") + } + h := sha1.New() + h.Write(data[:len(data)-sha1.Size]) + sum := h.Sum(nil) + if !bytes.Equal(sum, data[len(data)-sha1.Size:]) { + return errors.StructuralError("private key checksum failure") + } + data = data[:len(data)-sha1.Size] + } else { + if len(data) < 2 { + return errors.StructuralError("truncated private key data") + } + var sum uint16 + for i := 0; i < len(data)-2; i++ { + sum += uint16(data[i]) + } + if data[len(data)-2] != uint8(sum>>8) || + data[len(data)-1] != uint8(sum) { + return errors.StructuralError("private key checksum failure") + } + data = data[:len(data)-2] + } + + return pk.parsePrivateKey(data) +} + +func (pk *PrivateKey) parsePrivateKey(data []byte) (err error) { + switch pk.PublicKey.PubKeyAlgo { + case PubKeyAlgoRSA, PubKeyAlgoRSASignOnly, PubKeyAlgoRSAEncryptOnly: + return pk.parseRSAPrivateKey(data) + case PubKeyAlgoDSA: + return pk.parseDSAPrivateKey(data) + case PubKeyAlgoElGamal: + return pk.parseElGamalPrivateKey(data) + case PubKeyAlgoECDSA: + return pk.parseECDSAPrivateKey(data) + } + panic("impossible") +} + +func (pk *PrivateKey) parseRSAPrivateKey(data []byte) (err error) { + rsaPub := pk.PublicKey.PublicKey.(*rsa.PublicKey) + rsaPriv := new(rsa.PrivateKey) + rsaPriv.PublicKey = *rsaPub + + buf := bytes.NewBuffer(data) + d, _, err := readMPI(buf) + if err != nil { + return + } + p, _, err := readMPI(buf) + if err != nil { + return + } + q, _, err := readMPI(buf) + if err != nil { + return + } + + rsaPriv.D = new(big.Int).SetBytes(d) + rsaPriv.Primes = make([]*big.Int, 2) + rsaPriv.Primes[0] = new(big.Int).SetBytes(p) + rsaPriv.Primes[1] = new(big.Int).SetBytes(q) + if err := rsaPriv.Validate(); err != nil { + return err + } + rsaPriv.Precompute() + pk.PrivateKey = rsaPriv + pk.Encrypted = false + pk.encryptedData = nil + + return nil +} + +func (pk *PrivateKey) parseDSAPrivateKey(data []byte) (err error) { + dsaPub := pk.PublicKey.PublicKey.(*dsa.PublicKey) + dsaPriv := new(dsa.PrivateKey) + dsaPriv.PublicKey = *dsaPub + + buf := bytes.NewBuffer(data) + x, _, err := readMPI(buf) + if err != nil { + return + } + + dsaPriv.X = new(big.Int).SetBytes(x) + pk.PrivateKey = dsaPriv + pk.Encrypted = false + pk.encryptedData = nil + + return nil +} + +func (pk *PrivateKey) parseElGamalPrivateKey(data []byte) (err error) { + pub := pk.PublicKey.PublicKey.(*elgamal.PublicKey) + priv := new(elgamal.PrivateKey) + priv.PublicKey = *pub + + buf := bytes.NewBuffer(data) + x, _, err := readMPI(buf) + if err != nil { + return + } + + priv.X = new(big.Int).SetBytes(x) + pk.PrivateKey = priv + pk.Encrypted = false + pk.encryptedData = nil + + return nil +} + +func (pk *PrivateKey) parseECDSAPrivateKey(data []byte) (err error) { + ecdsaPub := pk.PublicKey.PublicKey.(*ecdsa.PublicKey) + + buf := bytes.NewBuffer(data) + d, _, err := readMPI(buf) + if err != nil { + return + } + + pk.PrivateKey = &ecdsa.PrivateKey{ + PublicKey: *ecdsaPub, + D: new(big.Int).SetBytes(d), + } + pk.Encrypted = false + pk.encryptedData = nil + + return nil +} diff --git a/vendor/golang.org/x/crypto/openpgp/packet/public_key.go b/vendor/golang.org/x/crypto/openpgp/packet/public_key.go new file mode 100644 index 0000000000..fcd5f52519 --- /dev/null +++ b/vendor/golang.org/x/crypto/openpgp/packet/public_key.go @@ -0,0 +1,753 @@ +// Copyright 2011 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package packet + +import ( + "bytes" + "crypto" + "crypto/dsa" + "crypto/ecdsa" + "crypto/elliptic" + "crypto/rsa" + "crypto/sha1" + _ "crypto/sha256" + _ "crypto/sha512" + "encoding/binary" + "fmt" + "hash" + "io" + "math/big" + "strconv" + "time" + + "golang.org/x/crypto/openpgp/elgamal" + "golang.org/x/crypto/openpgp/errors" +) + +var ( + // NIST curve P-256 + oidCurveP256 []byte = []byte{0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x07} + // NIST curve P-384 + oidCurveP384 []byte = []byte{0x2B, 0x81, 0x04, 0x00, 0x22} + // NIST curve P-521 + oidCurveP521 []byte = []byte{0x2B, 0x81, 0x04, 0x00, 0x23} +) + +const maxOIDLength = 8 + +// ecdsaKey stores the algorithm-specific fields for ECDSA keys. +// as defined in RFC 6637, Section 9. +type ecdsaKey struct { + // oid contains the OID byte sequence identifying the elliptic curve used + oid []byte + // p contains the elliptic curve point that represents the public key + p parsedMPI +} + +// parseOID reads the OID for the curve as defined in RFC 6637, Section 9. +func parseOID(r io.Reader) (oid []byte, err error) { + buf := make([]byte, maxOIDLength) + if _, err = readFull(r, buf[:1]); err != nil { + return + } + oidLen := buf[0] + if int(oidLen) > len(buf) { + err = errors.UnsupportedError("invalid oid length: " + strconv.Itoa(int(oidLen))) + return + } + oid = buf[:oidLen] + _, err = readFull(r, oid) + return +} + +func (f *ecdsaKey) parse(r io.Reader) (err error) { + if f.oid, err = parseOID(r); err != nil { + return err + } + f.p.bytes, f.p.bitLength, err = readMPI(r) + return +} + +func (f *ecdsaKey) serialize(w io.Writer) (err error) { + buf := make([]byte, maxOIDLength+1) + buf[0] = byte(len(f.oid)) + copy(buf[1:], f.oid) + if _, err = w.Write(buf[:len(f.oid)+1]); err != nil { + return + } + return writeMPIs(w, f.p) +} + +func (f *ecdsaKey) newECDSA() (*ecdsa.PublicKey, error) { + var c elliptic.Curve + if bytes.Equal(f.oid, oidCurveP256) { + c = elliptic.P256() + } else if bytes.Equal(f.oid, oidCurveP384) { + c = elliptic.P384() + } else if bytes.Equal(f.oid, oidCurveP521) { + c = elliptic.P521() + } else { + return nil, errors.UnsupportedError(fmt.Sprintf("unsupported oid: %x", f.oid)) + } + x, y := elliptic.Unmarshal(c, f.p.bytes) + if x == nil { + return nil, errors.UnsupportedError("failed to parse EC point") + } + return &ecdsa.PublicKey{Curve: c, X: x, Y: y}, nil +} + +func (f *ecdsaKey) byteLen() int { + return 1 + len(f.oid) + 2 + len(f.p.bytes) +} + +type kdfHashFunction byte +type kdfAlgorithm byte + +// ecdhKdf stores key derivation function parameters +// used for ECDH encryption. See RFC 6637, Section 9. +type ecdhKdf struct { + KdfHash kdfHashFunction + KdfAlgo kdfAlgorithm +} + +func (f *ecdhKdf) parse(r io.Reader) (err error) { + buf := make([]byte, 1) + if _, err = readFull(r, buf); err != nil { + return + } + kdfLen := int(buf[0]) + if kdfLen < 3 { + return errors.UnsupportedError("Unsupported ECDH KDF length: " + strconv.Itoa(kdfLen)) + } + buf = make([]byte, kdfLen) + if _, err = readFull(r, buf); err != nil { + return + } + reserved := int(buf[0]) + f.KdfHash = kdfHashFunction(buf[1]) + f.KdfAlgo = kdfAlgorithm(buf[2]) + if reserved != 0x01 { + return errors.UnsupportedError("Unsupported KDF reserved field: " + strconv.Itoa(reserved)) + } + return +} + +func (f *ecdhKdf) serialize(w io.Writer) (err error) { + buf := make([]byte, 4) + // See RFC 6637, Section 9, Algorithm-Specific Fields for ECDH keys. + buf[0] = byte(0x03) // Length of the following fields + buf[1] = byte(0x01) // Reserved for future extensions, must be 1 for now + buf[2] = byte(f.KdfHash) + buf[3] = byte(f.KdfAlgo) + _, err = w.Write(buf[:]) + return +} + +func (f *ecdhKdf) byteLen() int { + return 4 +} + +// PublicKey represents an OpenPGP public key. See RFC 4880, section 5.5.2. +type PublicKey struct { + CreationTime time.Time + PubKeyAlgo PublicKeyAlgorithm + PublicKey interface{} // *rsa.PublicKey, *dsa.PublicKey or *ecdsa.PublicKey + Fingerprint [20]byte + KeyId uint64 + IsSubkey bool + + n, e, p, q, g, y parsedMPI + + // RFC 6637 fields + ec *ecdsaKey + ecdh *ecdhKdf +} + +// signingKey provides a convenient abstraction over signature verification +// for v3 and v4 public keys. +type signingKey interface { + SerializeSignaturePrefix(io.Writer) + serializeWithoutHeaders(io.Writer) error +} + +func fromBig(n *big.Int) parsedMPI { + return parsedMPI{ + bytes: n.Bytes(), + bitLength: uint16(n.BitLen()), + } +} + +// NewRSAPublicKey returns a PublicKey that wraps the given rsa.PublicKey. +func NewRSAPublicKey(creationTime time.Time, pub *rsa.PublicKey) *PublicKey { + pk := &PublicKey{ + CreationTime: creationTime, + PubKeyAlgo: PubKeyAlgoRSA, + PublicKey: pub, + n: fromBig(pub.N), + e: fromBig(big.NewInt(int64(pub.E))), + } + + pk.setFingerPrintAndKeyId() + return pk +} + +// NewDSAPublicKey returns a PublicKey that wraps the given dsa.PublicKey. +func NewDSAPublicKey(creationTime time.Time, pub *dsa.PublicKey) *PublicKey { + pk := &PublicKey{ + CreationTime: creationTime, + PubKeyAlgo: PubKeyAlgoDSA, + PublicKey: pub, + p: fromBig(pub.P), + q: fromBig(pub.Q), + g: fromBig(pub.G), + y: fromBig(pub.Y), + } + + pk.setFingerPrintAndKeyId() + return pk +} + +// NewElGamalPublicKey returns a PublicKey that wraps the given elgamal.PublicKey. +func NewElGamalPublicKey(creationTime time.Time, pub *elgamal.PublicKey) *PublicKey { + pk := &PublicKey{ + CreationTime: creationTime, + PubKeyAlgo: PubKeyAlgoElGamal, + PublicKey: pub, + p: fromBig(pub.P), + g: fromBig(pub.G), + y: fromBig(pub.Y), + } + + pk.setFingerPrintAndKeyId() + return pk +} + +func NewECDSAPublicKey(creationTime time.Time, pub *ecdsa.PublicKey) *PublicKey { + pk := &PublicKey{ + CreationTime: creationTime, + PubKeyAlgo: PubKeyAlgoECDSA, + PublicKey: pub, + ec: new(ecdsaKey), + } + + switch pub.Curve { + case elliptic.P256(): + pk.ec.oid = oidCurveP256 + case elliptic.P384(): + pk.ec.oid = oidCurveP384 + case elliptic.P521(): + pk.ec.oid = oidCurveP521 + default: + panic("unknown elliptic curve") + } + + pk.ec.p.bytes = elliptic.Marshal(pub.Curve, pub.X, pub.Y) + + // The bit length is 3 (for the 0x04 specifying an uncompressed key) + // plus two field elements (for x and y), which are rounded up to the + // nearest byte. See https://tools.ietf.org/html/rfc6637#section-6 + fieldBytes := (pub.Curve.Params().BitSize + 7) & ^7 + pk.ec.p.bitLength = uint16(3 + fieldBytes + fieldBytes) + + pk.setFingerPrintAndKeyId() + return pk +} + +func (pk *PublicKey) parse(r io.Reader) (err error) { + // RFC 4880, section 5.5.2 + var buf [6]byte + _, err = readFull(r, buf[:]) + if err != nil { + return + } + if buf[0] != 4 { + return errors.UnsupportedError("public key version") + } + pk.CreationTime = time.Unix(int64(uint32(buf[1])<<24|uint32(buf[2])<<16|uint32(buf[3])<<8|uint32(buf[4])), 0) + pk.PubKeyAlgo = PublicKeyAlgorithm(buf[5]) + switch pk.PubKeyAlgo { + case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly, PubKeyAlgoRSASignOnly: + err = pk.parseRSA(r) + case PubKeyAlgoDSA: + err = pk.parseDSA(r) + case PubKeyAlgoElGamal: + err = pk.parseElGamal(r) + case PubKeyAlgoECDSA: + pk.ec = new(ecdsaKey) + if err = pk.ec.parse(r); err != nil { + return err + } + pk.PublicKey, err = pk.ec.newECDSA() + case PubKeyAlgoECDH: + pk.ec = new(ecdsaKey) + if err = pk.ec.parse(r); err != nil { + return + } + pk.ecdh = new(ecdhKdf) + if err = pk.ecdh.parse(r); err != nil { + return + } + // The ECDH key is stored in an ecdsa.PublicKey for convenience. + pk.PublicKey, err = pk.ec.newECDSA() + default: + err = errors.UnsupportedError("public key type: " + strconv.Itoa(int(pk.PubKeyAlgo))) + } + if err != nil { + return + } + + pk.setFingerPrintAndKeyId() + return +} + +func (pk *PublicKey) setFingerPrintAndKeyId() { + // RFC 4880, section 12.2 + fingerPrint := sha1.New() + pk.SerializeSignaturePrefix(fingerPrint) + pk.serializeWithoutHeaders(fingerPrint) + copy(pk.Fingerprint[:], fingerPrint.Sum(nil)) + pk.KeyId = binary.BigEndian.Uint64(pk.Fingerprint[12:20]) +} + +// parseRSA parses RSA public key material from the given Reader. See RFC 4880, +// section 5.5.2. +func (pk *PublicKey) parseRSA(r io.Reader) (err error) { + pk.n.bytes, pk.n.bitLength, err = readMPI(r) + if err != nil { + return + } + pk.e.bytes, pk.e.bitLength, err = readMPI(r) + if err != nil { + return + } + + if len(pk.e.bytes) > 3 { + err = errors.UnsupportedError("large public exponent") + return + } + rsa := &rsa.PublicKey{ + N: new(big.Int).SetBytes(pk.n.bytes), + E: 0, + } + for i := 0; i < len(pk.e.bytes); i++ { + rsa.E <<= 8 + rsa.E |= int(pk.e.bytes[i]) + } + pk.PublicKey = rsa + return +} + +// parseDSA parses DSA public key material from the given Reader. See RFC 4880, +// section 5.5.2. +func (pk *PublicKey) parseDSA(r io.Reader) (err error) { + pk.p.bytes, pk.p.bitLength, err = readMPI(r) + if err != nil { + return + } + pk.q.bytes, pk.q.bitLength, err = readMPI(r) + if err != nil { + return + } + pk.g.bytes, pk.g.bitLength, err = readMPI(r) + if err != nil { + return + } + pk.y.bytes, pk.y.bitLength, err = readMPI(r) + if err != nil { + return + } + + dsa := new(dsa.PublicKey) + dsa.P = new(big.Int).SetBytes(pk.p.bytes) + dsa.Q = new(big.Int).SetBytes(pk.q.bytes) + dsa.G = new(big.Int).SetBytes(pk.g.bytes) + dsa.Y = new(big.Int).SetBytes(pk.y.bytes) + pk.PublicKey = dsa + return +} + +// parseElGamal parses ElGamal public key material from the given Reader. See +// RFC 4880, section 5.5.2. +func (pk *PublicKey) parseElGamal(r io.Reader) (err error) { + pk.p.bytes, pk.p.bitLength, err = readMPI(r) + if err != nil { + return + } + pk.g.bytes, pk.g.bitLength, err = readMPI(r) + if err != nil { + return + } + pk.y.bytes, pk.y.bitLength, err = readMPI(r) + if err != nil { + return + } + + elgamal := new(elgamal.PublicKey) + elgamal.P = new(big.Int).SetBytes(pk.p.bytes) + elgamal.G = new(big.Int).SetBytes(pk.g.bytes) + elgamal.Y = new(big.Int).SetBytes(pk.y.bytes) + pk.PublicKey = elgamal + return +} + +// SerializeSignaturePrefix writes the prefix for this public key to the given Writer. +// The prefix is used when calculating a signature over this public key. See +// RFC 4880, section 5.2.4. +func (pk *PublicKey) SerializeSignaturePrefix(h io.Writer) { + var pLength uint16 + switch pk.PubKeyAlgo { + case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly, PubKeyAlgoRSASignOnly: + pLength += 2 + uint16(len(pk.n.bytes)) + pLength += 2 + uint16(len(pk.e.bytes)) + case PubKeyAlgoDSA: + pLength += 2 + uint16(len(pk.p.bytes)) + pLength += 2 + uint16(len(pk.q.bytes)) + pLength += 2 + uint16(len(pk.g.bytes)) + pLength += 2 + uint16(len(pk.y.bytes)) + case PubKeyAlgoElGamal: + pLength += 2 + uint16(len(pk.p.bytes)) + pLength += 2 + uint16(len(pk.g.bytes)) + pLength += 2 + uint16(len(pk.y.bytes)) + case PubKeyAlgoECDSA: + pLength += uint16(pk.ec.byteLen()) + case PubKeyAlgoECDH: + pLength += uint16(pk.ec.byteLen()) + pLength += uint16(pk.ecdh.byteLen()) + default: + panic("unknown public key algorithm") + } + pLength += 6 + h.Write([]byte{0x99, byte(pLength >> 8), byte(pLength)}) + return +} + +func (pk *PublicKey) Serialize(w io.Writer) (err error) { + length := 6 // 6 byte header + + switch pk.PubKeyAlgo { + case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly, PubKeyAlgoRSASignOnly: + length += 2 + len(pk.n.bytes) + length += 2 + len(pk.e.bytes) + case PubKeyAlgoDSA: + length += 2 + len(pk.p.bytes) + length += 2 + len(pk.q.bytes) + length += 2 + len(pk.g.bytes) + length += 2 + len(pk.y.bytes) + case PubKeyAlgoElGamal: + length += 2 + len(pk.p.bytes) + length += 2 + len(pk.g.bytes) + length += 2 + len(pk.y.bytes) + case PubKeyAlgoECDSA: + length += pk.ec.byteLen() + case PubKeyAlgoECDH: + length += pk.ec.byteLen() + length += pk.ecdh.byteLen() + default: + panic("unknown public key algorithm") + } + + packetType := packetTypePublicKey + if pk.IsSubkey { + packetType = packetTypePublicSubkey + } + err = serializeHeader(w, packetType, length) + if err != nil { + return + } + return pk.serializeWithoutHeaders(w) +} + +// serializeWithoutHeaders marshals the PublicKey to w in the form of an +// OpenPGP public key packet, not including the packet header. +func (pk *PublicKey) serializeWithoutHeaders(w io.Writer) (err error) { + var buf [6]byte + buf[0] = 4 + t := uint32(pk.CreationTime.Unix()) + buf[1] = byte(t >> 24) + buf[2] = byte(t >> 16) + buf[3] = byte(t >> 8) + buf[4] = byte(t) + buf[5] = byte(pk.PubKeyAlgo) + + _, err = w.Write(buf[:]) + if err != nil { + return + } + + switch pk.PubKeyAlgo { + case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly, PubKeyAlgoRSASignOnly: + return writeMPIs(w, pk.n, pk.e) + case PubKeyAlgoDSA: + return writeMPIs(w, pk.p, pk.q, pk.g, pk.y) + case PubKeyAlgoElGamal: + return writeMPIs(w, pk.p, pk.g, pk.y) + case PubKeyAlgoECDSA: + return pk.ec.serialize(w) + case PubKeyAlgoECDH: + if err = pk.ec.serialize(w); err != nil { + return + } + return pk.ecdh.serialize(w) + } + return errors.InvalidArgumentError("bad public-key algorithm") +} + +// CanSign returns true iff this public key can generate signatures +func (pk *PublicKey) CanSign() bool { + return pk.PubKeyAlgo != PubKeyAlgoRSAEncryptOnly && pk.PubKeyAlgo != PubKeyAlgoElGamal +} + +// VerifySignature returns nil iff sig is a valid signature, made by this +// public key, of the data hashed into signed. signed is mutated by this call. +func (pk *PublicKey) VerifySignature(signed hash.Hash, sig *Signature) (err error) { + if !pk.CanSign() { + return errors.InvalidArgumentError("public key cannot generate signatures") + } + + signed.Write(sig.HashSuffix) + hashBytes := signed.Sum(nil) + + if hashBytes[0] != sig.HashTag[0] || hashBytes[1] != sig.HashTag[1] { + return errors.SignatureError("hash tag doesn't match") + } + + if pk.PubKeyAlgo != sig.PubKeyAlgo { + return errors.InvalidArgumentError("public key and signature use different algorithms") + } + + switch pk.PubKeyAlgo { + case PubKeyAlgoRSA, PubKeyAlgoRSASignOnly: + rsaPublicKey, _ := pk.PublicKey.(*rsa.PublicKey) + err = rsa.VerifyPKCS1v15(rsaPublicKey, sig.Hash, hashBytes, padToKeySize(rsaPublicKey, sig.RSASignature.bytes)) + if err != nil { + return errors.SignatureError("RSA verification failure") + } + return nil + case PubKeyAlgoDSA: + dsaPublicKey, _ := pk.PublicKey.(*dsa.PublicKey) + // Need to truncate hashBytes to match FIPS 186-3 section 4.6. + subgroupSize := (dsaPublicKey.Q.BitLen() + 7) / 8 + if len(hashBytes) > subgroupSize { + hashBytes = hashBytes[:subgroupSize] + } + if !dsa.Verify(dsaPublicKey, hashBytes, new(big.Int).SetBytes(sig.DSASigR.bytes), new(big.Int).SetBytes(sig.DSASigS.bytes)) { + return errors.SignatureError("DSA verification failure") + } + return nil + case PubKeyAlgoECDSA: + ecdsaPublicKey := pk.PublicKey.(*ecdsa.PublicKey) + if !ecdsa.Verify(ecdsaPublicKey, hashBytes, new(big.Int).SetBytes(sig.ECDSASigR.bytes), new(big.Int).SetBytes(sig.ECDSASigS.bytes)) { + return errors.SignatureError("ECDSA verification failure") + } + return nil + default: + return errors.SignatureError("Unsupported public key algorithm used in signature") + } +} + +// VerifySignatureV3 returns nil iff sig is a valid signature, made by this +// public key, of the data hashed into signed. signed is mutated by this call. +func (pk *PublicKey) VerifySignatureV3(signed hash.Hash, sig *SignatureV3) (err error) { + if !pk.CanSign() { + return errors.InvalidArgumentError("public key cannot generate signatures") + } + + suffix := make([]byte, 5) + suffix[0] = byte(sig.SigType) + binary.BigEndian.PutUint32(suffix[1:], uint32(sig.CreationTime.Unix())) + signed.Write(suffix) + hashBytes := signed.Sum(nil) + + if hashBytes[0] != sig.HashTag[0] || hashBytes[1] != sig.HashTag[1] { + return errors.SignatureError("hash tag doesn't match") + } + + if pk.PubKeyAlgo != sig.PubKeyAlgo { + return errors.InvalidArgumentError("public key and signature use different algorithms") + } + + switch pk.PubKeyAlgo { + case PubKeyAlgoRSA, PubKeyAlgoRSASignOnly: + rsaPublicKey := pk.PublicKey.(*rsa.PublicKey) + if err = rsa.VerifyPKCS1v15(rsaPublicKey, sig.Hash, hashBytes, padToKeySize(rsaPublicKey, sig.RSASignature.bytes)); err != nil { + return errors.SignatureError("RSA verification failure") + } + return + case PubKeyAlgoDSA: + dsaPublicKey := pk.PublicKey.(*dsa.PublicKey) + // Need to truncate hashBytes to match FIPS 186-3 section 4.6. + subgroupSize := (dsaPublicKey.Q.BitLen() + 7) / 8 + if len(hashBytes) > subgroupSize { + hashBytes = hashBytes[:subgroupSize] + } + if !dsa.Verify(dsaPublicKey, hashBytes, new(big.Int).SetBytes(sig.DSASigR.bytes), new(big.Int).SetBytes(sig.DSASigS.bytes)) { + return errors.SignatureError("DSA verification failure") + } + return nil + default: + panic("shouldn't happen") + } +} + +// keySignatureHash returns a Hash of the message that needs to be signed for +// pk to assert a subkey relationship to signed. +func keySignatureHash(pk, signed signingKey, hashFunc crypto.Hash) (h hash.Hash, err error) { + if !hashFunc.Available() { + return nil, errors.UnsupportedError("hash function") + } + h = hashFunc.New() + + // RFC 4880, section 5.2.4 + pk.SerializeSignaturePrefix(h) + pk.serializeWithoutHeaders(h) + signed.SerializeSignaturePrefix(h) + signed.serializeWithoutHeaders(h) + return +} + +// VerifyKeySignature returns nil iff sig is a valid signature, made by this +// public key, of signed. +func (pk *PublicKey) VerifyKeySignature(signed *PublicKey, sig *Signature) error { + h, err := keySignatureHash(pk, signed, sig.Hash) + if err != nil { + return err + } + if err = pk.VerifySignature(h, sig); err != nil { + return err + } + + if sig.FlagSign { + // Signing subkeys must be cross-signed. See + // https://www.gnupg.org/faq/subkey-cross-certify.html. + if sig.EmbeddedSignature == nil { + return errors.StructuralError("signing subkey is missing cross-signature") + } + // Verify the cross-signature. This is calculated over the same + // data as the main signature, so we cannot just recursively + // call signed.VerifyKeySignature(...) + if h, err = keySignatureHash(pk, signed, sig.EmbeddedSignature.Hash); err != nil { + return errors.StructuralError("error while hashing for cross-signature: " + err.Error()) + } + if err := signed.VerifySignature(h, sig.EmbeddedSignature); err != nil { + return errors.StructuralError("error while verifying cross-signature: " + err.Error()) + } + } + + return nil +} + +func keyRevocationHash(pk signingKey, hashFunc crypto.Hash) (h hash.Hash, err error) { + if !hashFunc.Available() { + return nil, errors.UnsupportedError("hash function") + } + h = hashFunc.New() + + // RFC 4880, section 5.2.4 + pk.SerializeSignaturePrefix(h) + pk.serializeWithoutHeaders(h) + + return +} + +// VerifyRevocationSignature returns nil iff sig is a valid signature, made by this +// public key. +func (pk *PublicKey) VerifyRevocationSignature(sig *Signature) (err error) { + h, err := keyRevocationHash(pk, sig.Hash) + if err != nil { + return err + } + return pk.VerifySignature(h, sig) +} + +// userIdSignatureHash returns a Hash of the message that needs to be signed +// to assert that pk is a valid key for id. +func userIdSignatureHash(id string, pk *PublicKey, hashFunc crypto.Hash) (h hash.Hash, err error) { + if !hashFunc.Available() { + return nil, errors.UnsupportedError("hash function") + } + h = hashFunc.New() + + // RFC 4880, section 5.2.4 + pk.SerializeSignaturePrefix(h) + pk.serializeWithoutHeaders(h) + + var buf [5]byte + buf[0] = 0xb4 + buf[1] = byte(len(id) >> 24) + buf[2] = byte(len(id) >> 16) + buf[3] = byte(len(id) >> 8) + buf[4] = byte(len(id)) + h.Write(buf[:]) + h.Write([]byte(id)) + + return +} + +// VerifyUserIdSignature returns nil iff sig is a valid signature, made by this +// public key, that id is the identity of pub. +func (pk *PublicKey) VerifyUserIdSignature(id string, pub *PublicKey, sig *Signature) (err error) { + h, err := userIdSignatureHash(id, pub, sig.Hash) + if err != nil { + return err + } + return pk.VerifySignature(h, sig) +} + +// VerifyUserIdSignatureV3 returns nil iff sig is a valid signature, made by this +// public key, that id is the identity of pub. +func (pk *PublicKey) VerifyUserIdSignatureV3(id string, pub *PublicKey, sig *SignatureV3) (err error) { + h, err := userIdSignatureV3Hash(id, pub, sig.Hash) + if err != nil { + return err + } + return pk.VerifySignatureV3(h, sig) +} + +// KeyIdString returns the public key's fingerprint in capital hex +// (e.g. "6C7EE1B8621CC013"). +func (pk *PublicKey) KeyIdString() string { + return fmt.Sprintf("%X", pk.Fingerprint[12:20]) +} + +// KeyIdShortString returns the short form of public key's fingerprint +// in capital hex, as shown by gpg --list-keys (e.g. "621CC013"). +func (pk *PublicKey) KeyIdShortString() string { + return fmt.Sprintf("%X", pk.Fingerprint[16:20]) +} + +// A parsedMPI is used to store the contents of a big integer, along with the +// bit length that was specified in the original input. This allows the MPI to +// be reserialized exactly. +type parsedMPI struct { + bytes []byte + bitLength uint16 +} + +// writeMPIs is a utility function for serializing several big integers to the +// given Writer. +func writeMPIs(w io.Writer, mpis ...parsedMPI) (err error) { + for _, mpi := range mpis { + err = writeMPI(w, mpi.bitLength, mpi.bytes) + if err != nil { + return + } + } + return +} + +// BitLength returns the bit length for the given public key. +func (pk *PublicKey) BitLength() (bitLength uint16, err error) { + switch pk.PubKeyAlgo { + case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly, PubKeyAlgoRSASignOnly: + bitLength = pk.n.bitLength + case PubKeyAlgoDSA: + bitLength = pk.p.bitLength + case PubKeyAlgoElGamal: + bitLength = pk.p.bitLength + default: + err = errors.InvalidArgumentError("bad public-key algorithm") + } + return +} diff --git a/vendor/golang.org/x/crypto/openpgp/packet/public_key_v3.go b/vendor/golang.org/x/crypto/openpgp/packet/public_key_v3.go new file mode 100644 index 0000000000..5daf7b6cfd --- /dev/null +++ b/vendor/golang.org/x/crypto/openpgp/packet/public_key_v3.go @@ -0,0 +1,279 @@ +// Copyright 2013 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package packet + +import ( + "crypto" + "crypto/md5" + "crypto/rsa" + "encoding/binary" + "fmt" + "hash" + "io" + "math/big" + "strconv" + "time" + + "golang.org/x/crypto/openpgp/errors" +) + +// PublicKeyV3 represents older, version 3 public keys. These keys are less secure and +// should not be used for signing or encrypting. They are supported here only for +// parsing version 3 key material and validating signatures. +// See RFC 4880, section 5.5.2. +type PublicKeyV3 struct { + CreationTime time.Time + DaysToExpire uint16 + PubKeyAlgo PublicKeyAlgorithm + PublicKey *rsa.PublicKey + Fingerprint [16]byte + KeyId uint64 + IsSubkey bool + + n, e parsedMPI +} + +// newRSAPublicKeyV3 returns a PublicKey that wraps the given rsa.PublicKey. +// Included here for testing purposes only. RFC 4880, section 5.5.2: +// "an implementation MUST NOT generate a V3 key, but MAY accept it." +func newRSAPublicKeyV3(creationTime time.Time, pub *rsa.PublicKey) *PublicKeyV3 { + pk := &PublicKeyV3{ + CreationTime: creationTime, + PublicKey: pub, + n: fromBig(pub.N), + e: fromBig(big.NewInt(int64(pub.E))), + } + + pk.setFingerPrintAndKeyId() + return pk +} + +func (pk *PublicKeyV3) parse(r io.Reader) (err error) { + // RFC 4880, section 5.5.2 + var buf [8]byte + if _, err = readFull(r, buf[:]); err != nil { + return + } + if buf[0] < 2 || buf[0] > 3 { + return errors.UnsupportedError("public key version") + } + pk.CreationTime = time.Unix(int64(uint32(buf[1])<<24|uint32(buf[2])<<16|uint32(buf[3])<<8|uint32(buf[4])), 0) + pk.DaysToExpire = binary.BigEndian.Uint16(buf[5:7]) + pk.PubKeyAlgo = PublicKeyAlgorithm(buf[7]) + switch pk.PubKeyAlgo { + case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly, PubKeyAlgoRSASignOnly: + err = pk.parseRSA(r) + default: + err = errors.UnsupportedError("public key type: " + strconv.Itoa(int(pk.PubKeyAlgo))) + } + if err != nil { + return + } + + pk.setFingerPrintAndKeyId() + return +} + +func (pk *PublicKeyV3) setFingerPrintAndKeyId() { + // RFC 4880, section 12.2 + fingerPrint := md5.New() + fingerPrint.Write(pk.n.bytes) + fingerPrint.Write(pk.e.bytes) + fingerPrint.Sum(pk.Fingerprint[:0]) + pk.KeyId = binary.BigEndian.Uint64(pk.n.bytes[len(pk.n.bytes)-8:]) +} + +// parseRSA parses RSA public key material from the given Reader. See RFC 4880, +// section 5.5.2. +func (pk *PublicKeyV3) parseRSA(r io.Reader) (err error) { + if pk.n.bytes, pk.n.bitLength, err = readMPI(r); err != nil { + return + } + if pk.e.bytes, pk.e.bitLength, err = readMPI(r); err != nil { + return + } + + // RFC 4880 Section 12.2 requires the low 8 bytes of the + // modulus to form the key id. + if len(pk.n.bytes) < 8 { + return errors.StructuralError("v3 public key modulus is too short") + } + if len(pk.e.bytes) > 3 { + err = errors.UnsupportedError("large public exponent") + return + } + rsa := &rsa.PublicKey{N: new(big.Int).SetBytes(pk.n.bytes)} + for i := 0; i < len(pk.e.bytes); i++ { + rsa.E <<= 8 + rsa.E |= int(pk.e.bytes[i]) + } + pk.PublicKey = rsa + return +} + +// SerializeSignaturePrefix writes the prefix for this public key to the given Writer. +// The prefix is used when calculating a signature over this public key. See +// RFC 4880, section 5.2.4. +func (pk *PublicKeyV3) SerializeSignaturePrefix(w io.Writer) { + var pLength uint16 + switch pk.PubKeyAlgo { + case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly, PubKeyAlgoRSASignOnly: + pLength += 2 + uint16(len(pk.n.bytes)) + pLength += 2 + uint16(len(pk.e.bytes)) + default: + panic("unknown public key algorithm") + } + pLength += 6 + w.Write([]byte{0x99, byte(pLength >> 8), byte(pLength)}) + return +} + +func (pk *PublicKeyV3) Serialize(w io.Writer) (err error) { + length := 8 // 8 byte header + + switch pk.PubKeyAlgo { + case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly, PubKeyAlgoRSASignOnly: + length += 2 + len(pk.n.bytes) + length += 2 + len(pk.e.bytes) + default: + panic("unknown public key algorithm") + } + + packetType := packetTypePublicKey + if pk.IsSubkey { + packetType = packetTypePublicSubkey + } + if err = serializeHeader(w, packetType, length); err != nil { + return + } + return pk.serializeWithoutHeaders(w) +} + +// serializeWithoutHeaders marshals the PublicKey to w in the form of an +// OpenPGP public key packet, not including the packet header. +func (pk *PublicKeyV3) serializeWithoutHeaders(w io.Writer) (err error) { + var buf [8]byte + // Version 3 + buf[0] = 3 + // Creation time + t := uint32(pk.CreationTime.Unix()) + buf[1] = byte(t >> 24) + buf[2] = byte(t >> 16) + buf[3] = byte(t >> 8) + buf[4] = byte(t) + // Days to expire + buf[5] = byte(pk.DaysToExpire >> 8) + buf[6] = byte(pk.DaysToExpire) + // Public key algorithm + buf[7] = byte(pk.PubKeyAlgo) + + if _, err = w.Write(buf[:]); err != nil { + return + } + + switch pk.PubKeyAlgo { + case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly, PubKeyAlgoRSASignOnly: + return writeMPIs(w, pk.n, pk.e) + } + return errors.InvalidArgumentError("bad public-key algorithm") +} + +// CanSign returns true iff this public key can generate signatures +func (pk *PublicKeyV3) CanSign() bool { + return pk.PubKeyAlgo != PubKeyAlgoRSAEncryptOnly +} + +// VerifySignatureV3 returns nil iff sig is a valid signature, made by this +// public key, of the data hashed into signed. signed is mutated by this call. +func (pk *PublicKeyV3) VerifySignatureV3(signed hash.Hash, sig *SignatureV3) (err error) { + if !pk.CanSign() { + return errors.InvalidArgumentError("public key cannot generate signatures") + } + + suffix := make([]byte, 5) + suffix[0] = byte(sig.SigType) + binary.BigEndian.PutUint32(suffix[1:], uint32(sig.CreationTime.Unix())) + signed.Write(suffix) + hashBytes := signed.Sum(nil) + + if hashBytes[0] != sig.HashTag[0] || hashBytes[1] != sig.HashTag[1] { + return errors.SignatureError("hash tag doesn't match") + } + + if pk.PubKeyAlgo != sig.PubKeyAlgo { + return errors.InvalidArgumentError("public key and signature use different algorithms") + } + + switch pk.PubKeyAlgo { + case PubKeyAlgoRSA, PubKeyAlgoRSASignOnly: + if err = rsa.VerifyPKCS1v15(pk.PublicKey, sig.Hash, hashBytes, sig.RSASignature.bytes); err != nil { + return errors.SignatureError("RSA verification failure") + } + return + default: + // V3 public keys only support RSA. + panic("shouldn't happen") + } +} + +// VerifyUserIdSignatureV3 returns nil iff sig is a valid signature, made by this +// public key, that id is the identity of pub. +func (pk *PublicKeyV3) VerifyUserIdSignatureV3(id string, pub *PublicKeyV3, sig *SignatureV3) (err error) { + h, err := userIdSignatureV3Hash(id, pk, sig.Hash) + if err != nil { + return err + } + return pk.VerifySignatureV3(h, sig) +} + +// VerifyKeySignatureV3 returns nil iff sig is a valid signature, made by this +// public key, of signed. +func (pk *PublicKeyV3) VerifyKeySignatureV3(signed *PublicKeyV3, sig *SignatureV3) (err error) { + h, err := keySignatureHash(pk, signed, sig.Hash) + if err != nil { + return err + } + return pk.VerifySignatureV3(h, sig) +} + +// userIdSignatureV3Hash returns a Hash of the message that needs to be signed +// to assert that pk is a valid key for id. +func userIdSignatureV3Hash(id string, pk signingKey, hfn crypto.Hash) (h hash.Hash, err error) { + if !hfn.Available() { + return nil, errors.UnsupportedError("hash function") + } + h = hfn.New() + + // RFC 4880, section 5.2.4 + pk.SerializeSignaturePrefix(h) + pk.serializeWithoutHeaders(h) + + h.Write([]byte(id)) + + return +} + +// KeyIdString returns the public key's fingerprint in capital hex +// (e.g. "6C7EE1B8621CC013"). +func (pk *PublicKeyV3) KeyIdString() string { + return fmt.Sprintf("%X", pk.KeyId) +} + +// KeyIdShortString returns the short form of public key's fingerprint +// in capital hex, as shown by gpg --list-keys (e.g. "621CC013"). +func (pk *PublicKeyV3) KeyIdShortString() string { + return fmt.Sprintf("%X", pk.KeyId&0xFFFFFFFF) +} + +// BitLength returns the bit length for the given public key. +func (pk *PublicKeyV3) BitLength() (bitLength uint16, err error) { + switch pk.PubKeyAlgo { + case PubKeyAlgoRSA, PubKeyAlgoRSAEncryptOnly, PubKeyAlgoRSASignOnly: + bitLength = pk.n.bitLength + default: + err = errors.InvalidArgumentError("bad public-key algorithm") + } + return +} diff --git a/vendor/golang.org/x/crypto/openpgp/packet/reader.go b/vendor/golang.org/x/crypto/openpgp/packet/reader.go new file mode 100644 index 0000000000..34bc7c613e --- /dev/null +++ b/vendor/golang.org/x/crypto/openpgp/packet/reader.go @@ -0,0 +1,76 @@ +// Copyright 2011 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package packet + +import ( + "golang.org/x/crypto/openpgp/errors" + "io" +) + +// Reader reads packets from an io.Reader and allows packets to be 'unread' so +// that they result from the next call to Next. +type Reader struct { + q []Packet + readers []io.Reader +} + +// New io.Readers are pushed when a compressed or encrypted packet is processed +// and recursively treated as a new source of packets. However, a carefully +// crafted packet can trigger an infinite recursive sequence of packets. See +// http://mumble.net/~campbell/misc/pgp-quine +// https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4402 +// This constant limits the number of recursive packets that may be pushed. +const maxReaders = 32 + +// Next returns the most recently unread Packet, or reads another packet from +// the top-most io.Reader. Unknown packet types are skipped. +func (r *Reader) Next() (p Packet, err error) { + if len(r.q) > 0 { + p = r.q[len(r.q)-1] + r.q = r.q[:len(r.q)-1] + return + } + + for len(r.readers) > 0 { + p, err = Read(r.readers[len(r.readers)-1]) + if err == nil { + return + } + if err == io.EOF { + r.readers = r.readers[:len(r.readers)-1] + continue + } + if _, ok := err.(errors.UnknownPacketTypeError); !ok { + return nil, err + } + } + + return nil, io.EOF +} + +// Push causes the Reader to start reading from a new io.Reader. When an EOF +// error is seen from the new io.Reader, it is popped and the Reader continues +// to read from the next most recent io.Reader. Push returns a StructuralError +// if pushing the reader would exceed the maximum recursion level, otherwise it +// returns nil. +func (r *Reader) Push(reader io.Reader) (err error) { + if len(r.readers) >= maxReaders { + return errors.StructuralError("too many layers of packets") + } + r.readers = append(r.readers, reader) + return nil +} + +// Unread causes the given Packet to be returned from the next call to Next. +func (r *Reader) Unread(p Packet) { + r.q = append(r.q, p) +} + +func NewReader(r io.Reader) *Reader { + return &Reader{ + q: nil, + readers: []io.Reader{r}, + } +} diff --git a/vendor/golang.org/x/crypto/openpgp/packet/signature.go b/vendor/golang.org/x/crypto/openpgp/packet/signature.go new file mode 100644 index 0000000000..b2a24a5323 --- /dev/null +++ b/vendor/golang.org/x/crypto/openpgp/packet/signature.go @@ -0,0 +1,731 @@ +// Copyright 2011 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package packet + +import ( + "bytes" + "crypto" + "crypto/dsa" + "crypto/ecdsa" + "encoding/asn1" + "encoding/binary" + "hash" + "io" + "math/big" + "strconv" + "time" + + "golang.org/x/crypto/openpgp/errors" + "golang.org/x/crypto/openpgp/s2k" +) + +const ( + // See RFC 4880, section 5.2.3.21 for details. + KeyFlagCertify = 1 << iota + KeyFlagSign + KeyFlagEncryptCommunications + KeyFlagEncryptStorage +) + +// Signature represents a signature. See RFC 4880, section 5.2. +type Signature struct { + SigType SignatureType + PubKeyAlgo PublicKeyAlgorithm + Hash crypto.Hash + + // HashSuffix is extra data that is hashed in after the signed data. + HashSuffix []byte + // HashTag contains the first two bytes of the hash for fast rejection + // of bad signed data. + HashTag [2]byte + CreationTime time.Time + + RSASignature parsedMPI + DSASigR, DSASigS parsedMPI + ECDSASigR, ECDSASigS parsedMPI + + // rawSubpackets contains the unparsed subpackets, in order. + rawSubpackets []outputSubpacket + + // The following are optional so are nil when not included in the + // signature. + + SigLifetimeSecs, KeyLifetimeSecs *uint32 + PreferredSymmetric, PreferredHash, PreferredCompression []uint8 + IssuerKeyId *uint64 + IsPrimaryId *bool + + // FlagsValid is set if any flags were given. See RFC 4880, section + // 5.2.3.21 for details. + FlagsValid bool + FlagCertify, FlagSign, FlagEncryptCommunications, FlagEncryptStorage bool + + // RevocationReason is set if this signature has been revoked. + // See RFC 4880, section 5.2.3.23 for details. + RevocationReason *uint8 + RevocationReasonText string + + // MDC is set if this signature has a feature packet that indicates + // support for MDC subpackets. + MDC bool + + // EmbeddedSignature, if non-nil, is a signature of the parent key, by + // this key. This prevents an attacker from claiming another's signing + // subkey as their own. + EmbeddedSignature *Signature + + outSubpackets []outputSubpacket +} + +func (sig *Signature) parse(r io.Reader) (err error) { + // RFC 4880, section 5.2.3 + var buf [5]byte + _, err = readFull(r, buf[:1]) + if err != nil { + return + } + if buf[0] != 4 { + err = errors.UnsupportedError("signature packet version " + strconv.Itoa(int(buf[0]))) + return + } + + _, err = readFull(r, buf[:5]) + if err != nil { + return + } + sig.SigType = SignatureType(buf[0]) + sig.PubKeyAlgo = PublicKeyAlgorithm(buf[1]) + switch sig.PubKeyAlgo { + case PubKeyAlgoRSA, PubKeyAlgoRSASignOnly, PubKeyAlgoDSA, PubKeyAlgoECDSA: + default: + err = errors.UnsupportedError("public key algorithm " + strconv.Itoa(int(sig.PubKeyAlgo))) + return + } + + var ok bool + sig.Hash, ok = s2k.HashIdToHash(buf[2]) + if !ok { + return errors.UnsupportedError("hash function " + strconv.Itoa(int(buf[2]))) + } + + hashedSubpacketsLength := int(buf[3])<<8 | int(buf[4]) + l := 6 + hashedSubpacketsLength + sig.HashSuffix = make([]byte, l+6) + sig.HashSuffix[0] = 4 + copy(sig.HashSuffix[1:], buf[:5]) + hashedSubpackets := sig.HashSuffix[6:l] + _, err = readFull(r, hashedSubpackets) + if err != nil { + return + } + // See RFC 4880, section 5.2.4 + trailer := sig.HashSuffix[l:] + trailer[0] = 4 + trailer[1] = 0xff + trailer[2] = uint8(l >> 24) + trailer[3] = uint8(l >> 16) + trailer[4] = uint8(l >> 8) + trailer[5] = uint8(l) + + err = parseSignatureSubpackets(sig, hashedSubpackets, true) + if err != nil { + return + } + + _, err = readFull(r, buf[:2]) + if err != nil { + return + } + unhashedSubpacketsLength := int(buf[0])<<8 | int(buf[1]) + unhashedSubpackets := make([]byte, unhashedSubpacketsLength) + _, err = readFull(r, unhashedSubpackets) + if err != nil { + return + } + err = parseSignatureSubpackets(sig, unhashedSubpackets, false) + if err != nil { + return + } + + _, err = readFull(r, sig.HashTag[:2]) + if err != nil { + return + } + + switch sig.PubKeyAlgo { + case PubKeyAlgoRSA, PubKeyAlgoRSASignOnly: + sig.RSASignature.bytes, sig.RSASignature.bitLength, err = readMPI(r) + case PubKeyAlgoDSA: + sig.DSASigR.bytes, sig.DSASigR.bitLength, err = readMPI(r) + if err == nil { + sig.DSASigS.bytes, sig.DSASigS.bitLength, err = readMPI(r) + } + case PubKeyAlgoECDSA: + sig.ECDSASigR.bytes, sig.ECDSASigR.bitLength, err = readMPI(r) + if err == nil { + sig.ECDSASigS.bytes, sig.ECDSASigS.bitLength, err = readMPI(r) + } + default: + panic("unreachable") + } + return +} + +// parseSignatureSubpackets parses subpackets of the main signature packet. See +// RFC 4880, section 5.2.3.1. +func parseSignatureSubpackets(sig *Signature, subpackets []byte, isHashed bool) (err error) { + for len(subpackets) > 0 { + subpackets, err = parseSignatureSubpacket(sig, subpackets, isHashed) + if err != nil { + return + } + } + + if sig.CreationTime.IsZero() { + err = errors.StructuralError("no creation time in signature") + } + + return +} + +type signatureSubpacketType uint8 + +const ( + creationTimeSubpacket signatureSubpacketType = 2 + signatureExpirationSubpacket signatureSubpacketType = 3 + keyExpirationSubpacket signatureSubpacketType = 9 + prefSymmetricAlgosSubpacket signatureSubpacketType = 11 + issuerSubpacket signatureSubpacketType = 16 + prefHashAlgosSubpacket signatureSubpacketType = 21 + prefCompressionSubpacket signatureSubpacketType = 22 + primaryUserIdSubpacket signatureSubpacketType = 25 + keyFlagsSubpacket signatureSubpacketType = 27 + reasonForRevocationSubpacket signatureSubpacketType = 29 + featuresSubpacket signatureSubpacketType = 30 + embeddedSignatureSubpacket signatureSubpacketType = 32 +) + +// parseSignatureSubpacket parses a single subpacket. len(subpacket) is >= 1. +func parseSignatureSubpacket(sig *Signature, subpacket []byte, isHashed bool) (rest []byte, err error) { + // RFC 4880, section 5.2.3.1 + var ( + length uint32 + packetType signatureSubpacketType + isCritical bool + ) + switch { + case subpacket[0] < 192: + length = uint32(subpacket[0]) + subpacket = subpacket[1:] + case subpacket[0] < 255: + if len(subpacket) < 2 { + goto Truncated + } + length = uint32(subpacket[0]-192)<<8 + uint32(subpacket[1]) + 192 + subpacket = subpacket[2:] + default: + if len(subpacket) < 5 { + goto Truncated + } + length = uint32(subpacket[1])<<24 | + uint32(subpacket[2])<<16 | + uint32(subpacket[3])<<8 | + uint32(subpacket[4]) + subpacket = subpacket[5:] + } + if length > uint32(len(subpacket)) { + goto Truncated + } + rest = subpacket[length:] + subpacket = subpacket[:length] + if len(subpacket) == 0 { + err = errors.StructuralError("zero length signature subpacket") + return + } + packetType = signatureSubpacketType(subpacket[0] & 0x7f) + isCritical = subpacket[0]&0x80 == 0x80 + subpacket = subpacket[1:] + sig.rawSubpackets = append(sig.rawSubpackets, outputSubpacket{isHashed, packetType, isCritical, subpacket}) + switch packetType { + case creationTimeSubpacket: + if !isHashed { + err = errors.StructuralError("signature creation time in non-hashed area") + return + } + if len(subpacket) != 4 { + err = errors.StructuralError("signature creation time not four bytes") + return + } + t := binary.BigEndian.Uint32(subpacket) + sig.CreationTime = time.Unix(int64(t), 0) + case signatureExpirationSubpacket: + // Signature expiration time, section 5.2.3.10 + if !isHashed { + return + } + if len(subpacket) != 4 { + err = errors.StructuralError("expiration subpacket with bad length") + return + } + sig.SigLifetimeSecs = new(uint32) + *sig.SigLifetimeSecs = binary.BigEndian.Uint32(subpacket) + case keyExpirationSubpacket: + // Key expiration time, section 5.2.3.6 + if !isHashed { + return + } + if len(subpacket) != 4 { + err = errors.StructuralError("key expiration subpacket with bad length") + return + } + sig.KeyLifetimeSecs = new(uint32) + *sig.KeyLifetimeSecs = binary.BigEndian.Uint32(subpacket) + case prefSymmetricAlgosSubpacket: + // Preferred symmetric algorithms, section 5.2.3.7 + if !isHashed { + return + } + sig.PreferredSymmetric = make([]byte, len(subpacket)) + copy(sig.PreferredSymmetric, subpacket) + case issuerSubpacket: + // Issuer, section 5.2.3.5 + if len(subpacket) != 8 { + err = errors.StructuralError("issuer subpacket with bad length") + return + } + sig.IssuerKeyId = new(uint64) + *sig.IssuerKeyId = binary.BigEndian.Uint64(subpacket) + case prefHashAlgosSubpacket: + // Preferred hash algorithms, section 5.2.3.8 + if !isHashed { + return + } + sig.PreferredHash = make([]byte, len(subpacket)) + copy(sig.PreferredHash, subpacket) + case prefCompressionSubpacket: + // Preferred compression algorithms, section 5.2.3.9 + if !isHashed { + return + } + sig.PreferredCompression = make([]byte, len(subpacket)) + copy(sig.PreferredCompression, subpacket) + case primaryUserIdSubpacket: + // Primary User ID, section 5.2.3.19 + if !isHashed { + return + } + if len(subpacket) != 1 { + err = errors.StructuralError("primary user id subpacket with bad length") + return + } + sig.IsPrimaryId = new(bool) + if subpacket[0] > 0 { + *sig.IsPrimaryId = true + } + case keyFlagsSubpacket: + // Key flags, section 5.2.3.21 + if !isHashed { + return + } + if len(subpacket) == 0 { + err = errors.StructuralError("empty key flags subpacket") + return + } + sig.FlagsValid = true + if subpacket[0]&KeyFlagCertify != 0 { + sig.FlagCertify = true + } + if subpacket[0]&KeyFlagSign != 0 { + sig.FlagSign = true + } + if subpacket[0]&KeyFlagEncryptCommunications != 0 { + sig.FlagEncryptCommunications = true + } + if subpacket[0]&KeyFlagEncryptStorage != 0 { + sig.FlagEncryptStorage = true + } + case reasonForRevocationSubpacket: + // Reason For Revocation, section 5.2.3.23 + if !isHashed { + return + } + if len(subpacket) == 0 { + err = errors.StructuralError("empty revocation reason subpacket") + return + } + sig.RevocationReason = new(uint8) + *sig.RevocationReason = subpacket[0] + sig.RevocationReasonText = string(subpacket[1:]) + case featuresSubpacket: + // Features subpacket, section 5.2.3.24 specifies a very general + // mechanism for OpenPGP implementations to signal support for new + // features. In practice, the subpacket is used exclusively to + // indicate support for MDC-protected encryption. + sig.MDC = len(subpacket) >= 1 && subpacket[0]&1 == 1 + case embeddedSignatureSubpacket: + // Only usage is in signatures that cross-certify + // signing subkeys. section 5.2.3.26 describes the + // format, with its usage described in section 11.1 + if sig.EmbeddedSignature != nil { + err = errors.StructuralError("Cannot have multiple embedded signatures") + return + } + sig.EmbeddedSignature = new(Signature) + // Embedded signatures are required to be v4 signatures see + // section 12.1. However, we only parse v4 signatures in this + // file anyway. + if err := sig.EmbeddedSignature.parse(bytes.NewBuffer(subpacket)); err != nil { + return nil, err + } + if sigType := sig.EmbeddedSignature.SigType; sigType != SigTypePrimaryKeyBinding { + return nil, errors.StructuralError("cross-signature has unexpected type " + strconv.Itoa(int(sigType))) + } + default: + if isCritical { + err = errors.UnsupportedError("unknown critical signature subpacket type " + strconv.Itoa(int(packetType))) + return + } + } + return + +Truncated: + err = errors.StructuralError("signature subpacket truncated") + return +} + +// subpacketLengthLength returns the length, in bytes, of an encoded length value. +func subpacketLengthLength(length int) int { + if length < 192 { + return 1 + } + if length < 16320 { + return 2 + } + return 5 +} + +// serializeSubpacketLength marshals the given length into to. +func serializeSubpacketLength(to []byte, length int) int { + // RFC 4880, Section 4.2.2. + if length < 192 { + to[0] = byte(length) + return 1 + } + if length < 16320 { + length -= 192 + to[0] = byte((length >> 8) + 192) + to[1] = byte(length) + return 2 + } + to[0] = 255 + to[1] = byte(length >> 24) + to[2] = byte(length >> 16) + to[3] = byte(length >> 8) + to[4] = byte(length) + return 5 +} + +// subpacketsLength returns the serialized length, in bytes, of the given +// subpackets. +func subpacketsLength(subpackets []outputSubpacket, hashed bool) (length int) { + for _, subpacket := range subpackets { + if subpacket.hashed == hashed { + length += subpacketLengthLength(len(subpacket.contents) + 1) + length += 1 // type byte + length += len(subpacket.contents) + } + } + return +} + +// serializeSubpackets marshals the given subpackets into to. +func serializeSubpackets(to []byte, subpackets []outputSubpacket, hashed bool) { + for _, subpacket := range subpackets { + if subpacket.hashed == hashed { + n := serializeSubpacketLength(to, len(subpacket.contents)+1) + to[n] = byte(subpacket.subpacketType) + to = to[1+n:] + n = copy(to, subpacket.contents) + to = to[n:] + } + } + return +} + +// KeyExpired returns whether sig is a self-signature of a key that has +// expired. +func (sig *Signature) KeyExpired(currentTime time.Time) bool { + if sig.KeyLifetimeSecs == nil { + return false + } + expiry := sig.CreationTime.Add(time.Duration(*sig.KeyLifetimeSecs) * time.Second) + return currentTime.After(expiry) +} + +// buildHashSuffix constructs the HashSuffix member of sig in preparation for signing. +func (sig *Signature) buildHashSuffix() (err error) { + hashedSubpacketsLen := subpacketsLength(sig.outSubpackets, true) + + var ok bool + l := 6 + hashedSubpacketsLen + sig.HashSuffix = make([]byte, l+6) + sig.HashSuffix[0] = 4 + sig.HashSuffix[1] = uint8(sig.SigType) + sig.HashSuffix[2] = uint8(sig.PubKeyAlgo) + sig.HashSuffix[3], ok = s2k.HashToHashId(sig.Hash) + if !ok { + sig.HashSuffix = nil + return errors.InvalidArgumentError("hash cannot be represented in OpenPGP: " + strconv.Itoa(int(sig.Hash))) + } + sig.HashSuffix[4] = byte(hashedSubpacketsLen >> 8) + sig.HashSuffix[5] = byte(hashedSubpacketsLen) + serializeSubpackets(sig.HashSuffix[6:l], sig.outSubpackets, true) + trailer := sig.HashSuffix[l:] + trailer[0] = 4 + trailer[1] = 0xff + trailer[2] = byte(l >> 24) + trailer[3] = byte(l >> 16) + trailer[4] = byte(l >> 8) + trailer[5] = byte(l) + return +} + +func (sig *Signature) signPrepareHash(h hash.Hash) (digest []byte, err error) { + err = sig.buildHashSuffix() + if err != nil { + return + } + + h.Write(sig.HashSuffix) + digest = h.Sum(nil) + copy(sig.HashTag[:], digest) + return +} + +// Sign signs a message with a private key. The hash, h, must contain +// the hash of the message to be signed and will be mutated by this function. +// On success, the signature is stored in sig. Call Serialize to write it out. +// If config is nil, sensible defaults will be used. +func (sig *Signature) Sign(h hash.Hash, priv *PrivateKey, config *Config) (err error) { + sig.outSubpackets = sig.buildSubpackets() + digest, err := sig.signPrepareHash(h) + if err != nil { + return + } + + switch priv.PubKeyAlgo { + case PubKeyAlgoRSA, PubKeyAlgoRSASignOnly: + // supports both *rsa.PrivateKey and crypto.Signer + sig.RSASignature.bytes, err = priv.PrivateKey.(crypto.Signer).Sign(config.Random(), digest, sig.Hash) + sig.RSASignature.bitLength = uint16(8 * len(sig.RSASignature.bytes)) + case PubKeyAlgoDSA: + dsaPriv := priv.PrivateKey.(*dsa.PrivateKey) + + // Need to truncate hashBytes to match FIPS 186-3 section 4.6. + subgroupSize := (dsaPriv.Q.BitLen() + 7) / 8 + if len(digest) > subgroupSize { + digest = digest[:subgroupSize] + } + r, s, err := dsa.Sign(config.Random(), dsaPriv, digest) + if err == nil { + sig.DSASigR.bytes = r.Bytes() + sig.DSASigR.bitLength = uint16(8 * len(sig.DSASigR.bytes)) + sig.DSASigS.bytes = s.Bytes() + sig.DSASigS.bitLength = uint16(8 * len(sig.DSASigS.bytes)) + } + case PubKeyAlgoECDSA: + var r, s *big.Int + if pk, ok := priv.PrivateKey.(*ecdsa.PrivateKey); ok { + // direct support, avoid asn1 wrapping/unwrapping + r, s, err = ecdsa.Sign(config.Random(), pk, digest) + } else { + var b []byte + b, err = priv.PrivateKey.(crypto.Signer).Sign(config.Random(), digest, sig.Hash) + if err == nil { + r, s, err = unwrapECDSASig(b) + } + } + if err == nil { + sig.ECDSASigR = fromBig(r) + sig.ECDSASigS = fromBig(s) + } + default: + err = errors.UnsupportedError("public key algorithm: " + strconv.Itoa(int(sig.PubKeyAlgo))) + } + + return +} + +// unwrapECDSASig parses the two integer components of an ASN.1-encoded ECDSA +// signature. +func unwrapECDSASig(b []byte) (r, s *big.Int, err error) { + var ecsdaSig struct { + R, S *big.Int + } + _, err = asn1.Unmarshal(b, &ecsdaSig) + if err != nil { + return + } + return ecsdaSig.R, ecsdaSig.S, nil +} + +// SignUserId computes a signature from priv, asserting that pub is a valid +// key for the identity id. On success, the signature is stored in sig. Call +// Serialize to write it out. +// If config is nil, sensible defaults will be used. +func (sig *Signature) SignUserId(id string, pub *PublicKey, priv *PrivateKey, config *Config) error { + h, err := userIdSignatureHash(id, pub, sig.Hash) + if err != nil { + return err + } + return sig.Sign(h, priv, config) +} + +// SignKey computes a signature from priv, asserting that pub is a subkey. On +// success, the signature is stored in sig. Call Serialize to write it out. +// If config is nil, sensible defaults will be used. +func (sig *Signature) SignKey(pub *PublicKey, priv *PrivateKey, config *Config) error { + h, err := keySignatureHash(&priv.PublicKey, pub, sig.Hash) + if err != nil { + return err + } + return sig.Sign(h, priv, config) +} + +// Serialize marshals sig to w. Sign, SignUserId or SignKey must have been +// called first. +func (sig *Signature) Serialize(w io.Writer) (err error) { + if len(sig.outSubpackets) == 0 { + sig.outSubpackets = sig.rawSubpackets + } + if sig.RSASignature.bytes == nil && sig.DSASigR.bytes == nil && sig.ECDSASigR.bytes == nil { + return errors.InvalidArgumentError("Signature: need to call Sign, SignUserId or SignKey before Serialize") + } + + sigLength := 0 + switch sig.PubKeyAlgo { + case PubKeyAlgoRSA, PubKeyAlgoRSASignOnly: + sigLength = 2 + len(sig.RSASignature.bytes) + case PubKeyAlgoDSA: + sigLength = 2 + len(sig.DSASigR.bytes) + sigLength += 2 + len(sig.DSASigS.bytes) + case PubKeyAlgoECDSA: + sigLength = 2 + len(sig.ECDSASigR.bytes) + sigLength += 2 + len(sig.ECDSASigS.bytes) + default: + panic("impossible") + } + + unhashedSubpacketsLen := subpacketsLength(sig.outSubpackets, false) + length := len(sig.HashSuffix) - 6 /* trailer not included */ + + 2 /* length of unhashed subpackets */ + unhashedSubpacketsLen + + 2 /* hash tag */ + sigLength + err = serializeHeader(w, packetTypeSignature, length) + if err != nil { + return + } + + _, err = w.Write(sig.HashSuffix[:len(sig.HashSuffix)-6]) + if err != nil { + return + } + + unhashedSubpackets := make([]byte, 2+unhashedSubpacketsLen) + unhashedSubpackets[0] = byte(unhashedSubpacketsLen >> 8) + unhashedSubpackets[1] = byte(unhashedSubpacketsLen) + serializeSubpackets(unhashedSubpackets[2:], sig.outSubpackets, false) + + _, err = w.Write(unhashedSubpackets) + if err != nil { + return + } + _, err = w.Write(sig.HashTag[:]) + if err != nil { + return + } + + switch sig.PubKeyAlgo { + case PubKeyAlgoRSA, PubKeyAlgoRSASignOnly: + err = writeMPIs(w, sig.RSASignature) + case PubKeyAlgoDSA: + err = writeMPIs(w, sig.DSASigR, sig.DSASigS) + case PubKeyAlgoECDSA: + err = writeMPIs(w, sig.ECDSASigR, sig.ECDSASigS) + default: + panic("impossible") + } + return +} + +// outputSubpacket represents a subpacket to be marshaled. +type outputSubpacket struct { + hashed bool // true if this subpacket is in the hashed area. + subpacketType signatureSubpacketType + isCritical bool + contents []byte +} + +func (sig *Signature) buildSubpackets() (subpackets []outputSubpacket) { + creationTime := make([]byte, 4) + binary.BigEndian.PutUint32(creationTime, uint32(sig.CreationTime.Unix())) + subpackets = append(subpackets, outputSubpacket{true, creationTimeSubpacket, false, creationTime}) + + if sig.IssuerKeyId != nil { + keyId := make([]byte, 8) + binary.BigEndian.PutUint64(keyId, *sig.IssuerKeyId) + subpackets = append(subpackets, outputSubpacket{true, issuerSubpacket, false, keyId}) + } + + if sig.SigLifetimeSecs != nil && *sig.SigLifetimeSecs != 0 { + sigLifetime := make([]byte, 4) + binary.BigEndian.PutUint32(sigLifetime, *sig.SigLifetimeSecs) + subpackets = append(subpackets, outputSubpacket{true, signatureExpirationSubpacket, true, sigLifetime}) + } + + // Key flags may only appear in self-signatures or certification signatures. + + if sig.FlagsValid { + var flags byte + if sig.FlagCertify { + flags |= KeyFlagCertify + } + if sig.FlagSign { + flags |= KeyFlagSign + } + if sig.FlagEncryptCommunications { + flags |= KeyFlagEncryptCommunications + } + if sig.FlagEncryptStorage { + flags |= KeyFlagEncryptStorage + } + subpackets = append(subpackets, outputSubpacket{true, keyFlagsSubpacket, false, []byte{flags}}) + } + + // The following subpackets may only appear in self-signatures + + if sig.KeyLifetimeSecs != nil && *sig.KeyLifetimeSecs != 0 { + keyLifetime := make([]byte, 4) + binary.BigEndian.PutUint32(keyLifetime, *sig.KeyLifetimeSecs) + subpackets = append(subpackets, outputSubpacket{true, keyExpirationSubpacket, true, keyLifetime}) + } + + if sig.IsPrimaryId != nil && *sig.IsPrimaryId { + subpackets = append(subpackets, outputSubpacket{true, primaryUserIdSubpacket, false, []byte{1}}) + } + + if len(sig.PreferredSymmetric) > 0 { + subpackets = append(subpackets, outputSubpacket{true, prefSymmetricAlgosSubpacket, false, sig.PreferredSymmetric}) + } + + if len(sig.PreferredHash) > 0 { + subpackets = append(subpackets, outputSubpacket{true, prefHashAlgosSubpacket, false, sig.PreferredHash}) + } + + if len(sig.PreferredCompression) > 0 { + subpackets = append(subpackets, outputSubpacket{true, prefCompressionSubpacket, false, sig.PreferredCompression}) + } + + return +} diff --git a/vendor/golang.org/x/crypto/openpgp/packet/signature_v3.go b/vendor/golang.org/x/crypto/openpgp/packet/signature_v3.go new file mode 100644 index 0000000000..6edff88934 --- /dev/null +++ b/vendor/golang.org/x/crypto/openpgp/packet/signature_v3.go @@ -0,0 +1,146 @@ +// Copyright 2013 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package packet + +import ( + "crypto" + "encoding/binary" + "fmt" + "io" + "strconv" + "time" + + "golang.org/x/crypto/openpgp/errors" + "golang.org/x/crypto/openpgp/s2k" +) + +// SignatureV3 represents older version 3 signatures. These signatures are less secure +// than version 4 and should not be used to create new signatures. They are included +// here for backwards compatibility to read and validate with older key material. +// See RFC 4880, section 5.2.2. +type SignatureV3 struct { + SigType SignatureType + CreationTime time.Time + IssuerKeyId uint64 + PubKeyAlgo PublicKeyAlgorithm + Hash crypto.Hash + HashTag [2]byte + + RSASignature parsedMPI + DSASigR, DSASigS parsedMPI +} + +func (sig *SignatureV3) parse(r io.Reader) (err error) { + // RFC 4880, section 5.2.2 + var buf [8]byte + if _, err = readFull(r, buf[:1]); err != nil { + return + } + if buf[0] < 2 || buf[0] > 3 { + err = errors.UnsupportedError("signature packet version " + strconv.Itoa(int(buf[0]))) + return + } + if _, err = readFull(r, buf[:1]); err != nil { + return + } + if buf[0] != 5 { + err = errors.UnsupportedError( + "invalid hashed material length " + strconv.Itoa(int(buf[0]))) + return + } + + // Read hashed material: signature type + creation time + if _, err = readFull(r, buf[:5]); err != nil { + return + } + sig.SigType = SignatureType(buf[0]) + t := binary.BigEndian.Uint32(buf[1:5]) + sig.CreationTime = time.Unix(int64(t), 0) + + // Eight-octet Key ID of signer. + if _, err = readFull(r, buf[:8]); err != nil { + return + } + sig.IssuerKeyId = binary.BigEndian.Uint64(buf[:]) + + // Public-key and hash algorithm + if _, err = readFull(r, buf[:2]); err != nil { + return + } + sig.PubKeyAlgo = PublicKeyAlgorithm(buf[0]) + switch sig.PubKeyAlgo { + case PubKeyAlgoRSA, PubKeyAlgoRSASignOnly, PubKeyAlgoDSA: + default: + err = errors.UnsupportedError("public key algorithm " + strconv.Itoa(int(sig.PubKeyAlgo))) + return + } + var ok bool + if sig.Hash, ok = s2k.HashIdToHash(buf[1]); !ok { + return errors.UnsupportedError("hash function " + strconv.Itoa(int(buf[2]))) + } + + // Two-octet field holding left 16 bits of signed hash value. + if _, err = readFull(r, sig.HashTag[:2]); err != nil { + return + } + + switch sig.PubKeyAlgo { + case PubKeyAlgoRSA, PubKeyAlgoRSASignOnly: + sig.RSASignature.bytes, sig.RSASignature.bitLength, err = readMPI(r) + case PubKeyAlgoDSA: + if sig.DSASigR.bytes, sig.DSASigR.bitLength, err = readMPI(r); err != nil { + return + } + sig.DSASigS.bytes, sig.DSASigS.bitLength, err = readMPI(r) + default: + panic("unreachable") + } + return +} + +// Serialize marshals sig to w. Sign, SignUserId or SignKey must have been +// called first. +func (sig *SignatureV3) Serialize(w io.Writer) (err error) { + buf := make([]byte, 8) + + // Write the sig type and creation time + buf[0] = byte(sig.SigType) + binary.BigEndian.PutUint32(buf[1:5], uint32(sig.CreationTime.Unix())) + if _, err = w.Write(buf[:5]); err != nil { + return + } + + // Write the issuer long key ID + binary.BigEndian.PutUint64(buf[:8], sig.IssuerKeyId) + if _, err = w.Write(buf[:8]); err != nil { + return + } + + // Write public key algorithm, hash ID, and hash value + buf[0] = byte(sig.PubKeyAlgo) + hashId, ok := s2k.HashToHashId(sig.Hash) + if !ok { + return errors.UnsupportedError(fmt.Sprintf("hash function %v", sig.Hash)) + } + buf[1] = hashId + copy(buf[2:4], sig.HashTag[:]) + if _, err = w.Write(buf[:4]); err != nil { + return + } + + if sig.RSASignature.bytes == nil && sig.DSASigR.bytes == nil { + return errors.InvalidArgumentError("Signature: need to call Sign, SignUserId or SignKey before Serialize") + } + + switch sig.PubKeyAlgo { + case PubKeyAlgoRSA, PubKeyAlgoRSASignOnly: + err = writeMPIs(w, sig.RSASignature) + case PubKeyAlgoDSA: + err = writeMPIs(w, sig.DSASigR, sig.DSASigS) + default: + panic("impossible") + } + return +} diff --git a/vendor/golang.org/x/crypto/openpgp/packet/symmetric_key_encrypted.go b/vendor/golang.org/x/crypto/openpgp/packet/symmetric_key_encrypted.go new file mode 100644 index 0000000000..744c2d2c42 --- /dev/null +++ b/vendor/golang.org/x/crypto/openpgp/packet/symmetric_key_encrypted.go @@ -0,0 +1,155 @@ +// Copyright 2011 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package packet + +import ( + "bytes" + "crypto/cipher" + "io" + "strconv" + + "golang.org/x/crypto/openpgp/errors" + "golang.org/x/crypto/openpgp/s2k" +) + +// This is the largest session key that we'll support. Since no 512-bit cipher +// has even been seriously used, this is comfortably large. +const maxSessionKeySizeInBytes = 64 + +// SymmetricKeyEncrypted represents a passphrase protected session key. See RFC +// 4880, section 5.3. +type SymmetricKeyEncrypted struct { + CipherFunc CipherFunction + s2k func(out, in []byte) + encryptedKey []byte +} + +const symmetricKeyEncryptedVersion = 4 + +func (ske *SymmetricKeyEncrypted) parse(r io.Reader) error { + // RFC 4880, section 5.3. + var buf [2]byte + if _, err := readFull(r, buf[:]); err != nil { + return err + } + if buf[0] != symmetricKeyEncryptedVersion { + return errors.UnsupportedError("SymmetricKeyEncrypted version") + } + ske.CipherFunc = CipherFunction(buf[1]) + + if ske.CipherFunc.KeySize() == 0 { + return errors.UnsupportedError("unknown cipher: " + strconv.Itoa(int(buf[1]))) + } + + var err error + ske.s2k, err = s2k.Parse(r) + if err != nil { + return err + } + + encryptedKey := make([]byte, maxSessionKeySizeInBytes) + // The session key may follow. We just have to try and read to find + // out. If it exists then we limit it to maxSessionKeySizeInBytes. + n, err := readFull(r, encryptedKey) + if err != nil && err != io.ErrUnexpectedEOF { + return err + } + + if n != 0 { + if n == maxSessionKeySizeInBytes { + return errors.UnsupportedError("oversized encrypted session key") + } + ske.encryptedKey = encryptedKey[:n] + } + + return nil +} + +// Decrypt attempts to decrypt an encrypted session key and returns the key and +// the cipher to use when decrypting a subsequent Symmetrically Encrypted Data +// packet. +func (ske *SymmetricKeyEncrypted) Decrypt(passphrase []byte) ([]byte, CipherFunction, error) { + key := make([]byte, ske.CipherFunc.KeySize()) + ske.s2k(key, passphrase) + + if len(ske.encryptedKey) == 0 { + return key, ske.CipherFunc, nil + } + + // the IV is all zeros + iv := make([]byte, ske.CipherFunc.blockSize()) + c := cipher.NewCFBDecrypter(ske.CipherFunc.new(key), iv) + plaintextKey := make([]byte, len(ske.encryptedKey)) + c.XORKeyStream(plaintextKey, ske.encryptedKey) + cipherFunc := CipherFunction(plaintextKey[0]) + if cipherFunc.blockSize() == 0 { + return nil, ske.CipherFunc, errors.UnsupportedError("unknown cipher: " + strconv.Itoa(int(cipherFunc))) + } + plaintextKey = plaintextKey[1:] + if l, cipherKeySize := len(plaintextKey), cipherFunc.KeySize(); l != cipherFunc.KeySize() { + return nil, cipherFunc, errors.StructuralError("length of decrypted key (" + strconv.Itoa(l) + ") " + + "not equal to cipher keysize (" + strconv.Itoa(cipherKeySize) + ")") + } + return plaintextKey, cipherFunc, nil +} + +// SerializeSymmetricKeyEncrypted serializes a symmetric key packet to w. The +// packet contains a random session key, encrypted by a key derived from the +// given passphrase. The session key is returned and must be passed to +// SerializeSymmetricallyEncrypted. +// If config is nil, sensible defaults will be used. +func SerializeSymmetricKeyEncrypted(w io.Writer, passphrase []byte, config *Config) (key []byte, err error) { + cipherFunc := config.Cipher() + keySize := cipherFunc.KeySize() + if keySize == 0 { + return nil, errors.UnsupportedError("unknown cipher: " + strconv.Itoa(int(cipherFunc))) + } + + s2kBuf := new(bytes.Buffer) + keyEncryptingKey := make([]byte, keySize) + // s2k.Serialize salts and stretches the passphrase, and writes the + // resulting key to keyEncryptingKey and the s2k descriptor to s2kBuf. + err = s2k.Serialize(s2kBuf, keyEncryptingKey, config.Random(), passphrase, &s2k.Config{Hash: config.Hash(), S2KCount: config.PasswordHashIterations()}) + if err != nil { + return + } + s2kBytes := s2kBuf.Bytes() + + packetLength := 2 /* header */ + len(s2kBytes) + 1 /* cipher type */ + keySize + err = serializeHeader(w, packetTypeSymmetricKeyEncrypted, packetLength) + if err != nil { + return + } + + var buf [2]byte + buf[0] = symmetricKeyEncryptedVersion + buf[1] = byte(cipherFunc) + _, err = w.Write(buf[:]) + if err != nil { + return + } + _, err = w.Write(s2kBytes) + if err != nil { + return + } + + sessionKey := make([]byte, keySize) + _, err = io.ReadFull(config.Random(), sessionKey) + if err != nil { + return + } + iv := make([]byte, cipherFunc.blockSize()) + c := cipher.NewCFBEncrypter(cipherFunc.new(keyEncryptingKey), iv) + encryptedCipherAndKey := make([]byte, keySize+1) + c.XORKeyStream(encryptedCipherAndKey, buf[1:]) + c.XORKeyStream(encryptedCipherAndKey[1:], sessionKey) + _, err = w.Write(encryptedCipherAndKey) + if err != nil { + return + } + + key = sessionKey + return +} diff --git a/vendor/golang.org/x/crypto/openpgp/packet/symmetrically_encrypted.go b/vendor/golang.org/x/crypto/openpgp/packet/symmetrically_encrypted.go new file mode 100644 index 0000000000..1a1a62964f --- /dev/null +++ b/vendor/golang.org/x/crypto/openpgp/packet/symmetrically_encrypted.go @@ -0,0 +1,290 @@ +// Copyright 2011 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package packet + +import ( + "crypto/cipher" + "crypto/sha1" + "crypto/subtle" + "golang.org/x/crypto/openpgp/errors" + "hash" + "io" + "strconv" +) + +// SymmetricallyEncrypted represents a symmetrically encrypted byte string. The +// encrypted contents will consist of more OpenPGP packets. See RFC 4880, +// sections 5.7 and 5.13. +type SymmetricallyEncrypted struct { + MDC bool // true iff this is a type 18 packet and thus has an embedded MAC. + contents io.Reader + prefix []byte +} + +const symmetricallyEncryptedVersion = 1 + +func (se *SymmetricallyEncrypted) parse(r io.Reader) error { + if se.MDC { + // See RFC 4880, section 5.13. + var buf [1]byte + _, err := readFull(r, buf[:]) + if err != nil { + return err + } + if buf[0] != symmetricallyEncryptedVersion { + return errors.UnsupportedError("unknown SymmetricallyEncrypted version") + } + } + se.contents = r + return nil +} + +// Decrypt returns a ReadCloser, from which the decrypted contents of the +// packet can be read. An incorrect key can, with high probability, be detected +// immediately and this will result in a KeyIncorrect error being returned. +func (se *SymmetricallyEncrypted) Decrypt(c CipherFunction, key []byte) (io.ReadCloser, error) { + keySize := c.KeySize() + if keySize == 0 { + return nil, errors.UnsupportedError("unknown cipher: " + strconv.Itoa(int(c))) + } + if len(key) != keySize { + return nil, errors.InvalidArgumentError("SymmetricallyEncrypted: incorrect key length") + } + + if se.prefix == nil { + se.prefix = make([]byte, c.blockSize()+2) + _, err := readFull(se.contents, se.prefix) + if err != nil { + return nil, err + } + } else if len(se.prefix) != c.blockSize()+2 { + return nil, errors.InvalidArgumentError("can't try ciphers with different block lengths") + } + + ocfbResync := OCFBResync + if se.MDC { + // MDC packets use a different form of OCFB mode. + ocfbResync = OCFBNoResync + } + + s := NewOCFBDecrypter(c.new(key), se.prefix, ocfbResync) + if s == nil { + return nil, errors.ErrKeyIncorrect + } + + plaintext := cipher.StreamReader{S: s, R: se.contents} + + if se.MDC { + // MDC packets have an embedded hash that we need to check. + h := sha1.New() + h.Write(se.prefix) + return &seMDCReader{in: plaintext, h: h}, nil + } + + // Otherwise, we just need to wrap plaintext so that it's a valid ReadCloser. + return seReader{plaintext}, nil +} + +// seReader wraps an io.Reader with a no-op Close method. +type seReader struct { + in io.Reader +} + +func (ser seReader) Read(buf []byte) (int, error) { + return ser.in.Read(buf) +} + +func (ser seReader) Close() error { + return nil +} + +const mdcTrailerSize = 1 /* tag byte */ + 1 /* length byte */ + sha1.Size + +// An seMDCReader wraps an io.Reader, maintains a running hash and keeps hold +// of the most recent 22 bytes (mdcTrailerSize). Upon EOF, those bytes form an +// MDC packet containing a hash of the previous contents which is checked +// against the running hash. See RFC 4880, section 5.13. +type seMDCReader struct { + in io.Reader + h hash.Hash + trailer [mdcTrailerSize]byte + scratch [mdcTrailerSize]byte + trailerUsed int + error bool + eof bool +} + +func (ser *seMDCReader) Read(buf []byte) (n int, err error) { + if ser.error { + err = io.ErrUnexpectedEOF + return + } + if ser.eof { + err = io.EOF + return + } + + // If we haven't yet filled the trailer buffer then we must do that + // first. + for ser.trailerUsed < mdcTrailerSize { + n, err = ser.in.Read(ser.trailer[ser.trailerUsed:]) + ser.trailerUsed += n + if err == io.EOF { + if ser.trailerUsed != mdcTrailerSize { + n = 0 + err = io.ErrUnexpectedEOF + ser.error = true + return + } + ser.eof = true + n = 0 + return + } + + if err != nil { + n = 0 + return + } + } + + // If it's a short read then we read into a temporary buffer and shift + // the data into the caller's buffer. + if len(buf) <= mdcTrailerSize { + n, err = readFull(ser.in, ser.scratch[:len(buf)]) + copy(buf, ser.trailer[:n]) + ser.h.Write(buf[:n]) + copy(ser.trailer[:], ser.trailer[n:]) + copy(ser.trailer[mdcTrailerSize-n:], ser.scratch[:]) + if n < len(buf) { + ser.eof = true + err = io.EOF + } + return + } + + n, err = ser.in.Read(buf[mdcTrailerSize:]) + copy(buf, ser.trailer[:]) + ser.h.Write(buf[:n]) + copy(ser.trailer[:], buf[n:]) + + if err == io.EOF { + ser.eof = true + } + return +} + +// This is a new-format packet tag byte for a type 19 (MDC) packet. +const mdcPacketTagByte = byte(0x80) | 0x40 | 19 + +func (ser *seMDCReader) Close() error { + if ser.error { + return errors.SignatureError("error during reading") + } + + for !ser.eof { + // We haven't seen EOF so we need to read to the end + var buf [1024]byte + _, err := ser.Read(buf[:]) + if err == io.EOF { + break + } + if err != nil { + return errors.SignatureError("error during reading") + } + } + + if ser.trailer[0] != mdcPacketTagByte || ser.trailer[1] != sha1.Size { + return errors.SignatureError("MDC packet not found") + } + ser.h.Write(ser.trailer[:2]) + + final := ser.h.Sum(nil) + if subtle.ConstantTimeCompare(final, ser.trailer[2:]) != 1 { + return errors.SignatureError("hash mismatch") + } + return nil +} + +// An seMDCWriter writes through to an io.WriteCloser while maintains a running +// hash of the data written. On close, it emits an MDC packet containing the +// running hash. +type seMDCWriter struct { + w io.WriteCloser + h hash.Hash +} + +func (w *seMDCWriter) Write(buf []byte) (n int, err error) { + w.h.Write(buf) + return w.w.Write(buf) +} + +func (w *seMDCWriter) Close() (err error) { + var buf [mdcTrailerSize]byte + + buf[0] = mdcPacketTagByte + buf[1] = sha1.Size + w.h.Write(buf[:2]) + digest := w.h.Sum(nil) + copy(buf[2:], digest) + + _, err = w.w.Write(buf[:]) + if err != nil { + return + } + return w.w.Close() +} + +// noOpCloser is like an io.NopCloser, but for an io.Writer. +type noOpCloser struct { + w io.Writer +} + +func (c noOpCloser) Write(data []byte) (n int, err error) { + return c.w.Write(data) +} + +func (c noOpCloser) Close() error { + return nil +} + +// SerializeSymmetricallyEncrypted serializes a symmetrically encrypted packet +// to w and returns a WriteCloser to which the to-be-encrypted packets can be +// written. +// If config is nil, sensible defaults will be used. +func SerializeSymmetricallyEncrypted(w io.Writer, c CipherFunction, key []byte, config *Config) (contents io.WriteCloser, err error) { + if c.KeySize() != len(key) { + return nil, errors.InvalidArgumentError("SymmetricallyEncrypted.Serialize: bad key length") + } + writeCloser := noOpCloser{w} + ciphertext, err := serializeStreamHeader(writeCloser, packetTypeSymmetricallyEncryptedMDC) + if err != nil { + return + } + + _, err = ciphertext.Write([]byte{symmetricallyEncryptedVersion}) + if err != nil { + return + } + + block := c.new(key) + blockSize := block.BlockSize() + iv := make([]byte, blockSize) + _, err = config.Random().Read(iv) + if err != nil { + return + } + s, prefix := NewOCFBEncrypter(block, iv, OCFBNoResync) + _, err = ciphertext.Write(prefix) + if err != nil { + return + } + plaintext := cipher.StreamWriter{S: s, W: ciphertext} + + h := sha1.New() + h.Write(iv) + h.Write(iv[blockSize-2:]) + contents = &seMDCWriter{w: plaintext, h: h} + return +} diff --git a/vendor/golang.org/x/crypto/openpgp/packet/userattribute.go b/vendor/golang.org/x/crypto/openpgp/packet/userattribute.go new file mode 100644 index 0000000000..ff7ef53075 --- /dev/null +++ b/vendor/golang.org/x/crypto/openpgp/packet/userattribute.go @@ -0,0 +1,90 @@ +// Copyright 2013 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package packet + +import ( + "bytes" + "image" + "image/jpeg" + "io" +) + +const UserAttrImageSubpacket = 1 + +// UserAttribute is capable of storing other types of data about a user +// beyond name, email and a text comment. In practice, user attributes are typically used +// to store a signed thumbnail photo JPEG image of the user. +// See RFC 4880, section 5.12. +type UserAttribute struct { + Contents []*OpaqueSubpacket +} + +// NewUserAttributePhoto creates a user attribute packet +// containing the given images. +func NewUserAttributePhoto(photos ...image.Image) (uat *UserAttribute, err error) { + uat = new(UserAttribute) + for _, photo := range photos { + var buf bytes.Buffer + // RFC 4880, Section 5.12.1. + data := []byte{ + 0x10, 0x00, // Little-endian image header length (16 bytes) + 0x01, // Image header version 1 + 0x01, // JPEG + 0, 0, 0, 0, // 12 reserved octets, must be all zero. + 0, 0, 0, 0, + 0, 0, 0, 0} + if _, err = buf.Write(data); err != nil { + return + } + if err = jpeg.Encode(&buf, photo, nil); err != nil { + return + } + uat.Contents = append(uat.Contents, &OpaqueSubpacket{ + SubType: UserAttrImageSubpacket, + Contents: buf.Bytes()}) + } + return +} + +// NewUserAttribute creates a new user attribute packet containing the given subpackets. +func NewUserAttribute(contents ...*OpaqueSubpacket) *UserAttribute { + return &UserAttribute{Contents: contents} +} + +func (uat *UserAttribute) parse(r io.Reader) (err error) { + // RFC 4880, section 5.13 + b, err := io.ReadAll(r) + if err != nil { + return + } + uat.Contents, err = OpaqueSubpackets(b) + return +} + +// Serialize marshals the user attribute to w in the form of an OpenPGP packet, including +// header. +func (uat *UserAttribute) Serialize(w io.Writer) (err error) { + var buf bytes.Buffer + for _, sp := range uat.Contents { + sp.Serialize(&buf) + } + if err = serializeHeader(w, packetTypeUserAttribute, buf.Len()); err != nil { + return err + } + _, err = w.Write(buf.Bytes()) + return +} + +// ImageData returns zero or more byte slices, each containing +// JPEG File Interchange Format (JFIF), for each photo in the +// user attribute packet. +func (uat *UserAttribute) ImageData() (imageData [][]byte) { + for _, sp := range uat.Contents { + if sp.SubType == UserAttrImageSubpacket && len(sp.Contents) > 16 { + imageData = append(imageData, sp.Contents[16:]) + } + } + return +} diff --git a/vendor/golang.org/x/crypto/openpgp/packet/userid.go b/vendor/golang.org/x/crypto/openpgp/packet/userid.go new file mode 100644 index 0000000000..359a462eb8 --- /dev/null +++ b/vendor/golang.org/x/crypto/openpgp/packet/userid.go @@ -0,0 +1,159 @@ +// Copyright 2011 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package packet + +import ( + "io" + "strings" +) + +// UserId contains text that is intended to represent the name and email +// address of the key holder. See RFC 4880, section 5.11. By convention, this +// takes the form "Full Name (Comment) " +type UserId struct { + Id string // By convention, this takes the form "Full Name (Comment) " which is split out in the fields below. + + Name, Comment, Email string +} + +func hasInvalidCharacters(s string) bool { + for _, c := range s { + switch c { + case '(', ')', '<', '>', 0: + return true + } + } + return false +} + +// NewUserId returns a UserId or nil if any of the arguments contain invalid +// characters. The invalid characters are '\x00', '(', ')', '<' and '>' +func NewUserId(name, comment, email string) *UserId { + // RFC 4880 doesn't deal with the structure of userid strings; the + // name, comment and email form is just a convention. However, there's + // no convention about escaping the metacharacters and GPG just refuses + // to create user ids where, say, the name contains a '('. We mirror + // this behaviour. + + if hasInvalidCharacters(name) || hasInvalidCharacters(comment) || hasInvalidCharacters(email) { + return nil + } + + uid := new(UserId) + uid.Name, uid.Comment, uid.Email = name, comment, email + uid.Id = name + if len(comment) > 0 { + if len(uid.Id) > 0 { + uid.Id += " " + } + uid.Id += "(" + uid.Id += comment + uid.Id += ")" + } + if len(email) > 0 { + if len(uid.Id) > 0 { + uid.Id += " " + } + uid.Id += "<" + uid.Id += email + uid.Id += ">" + } + return uid +} + +func (uid *UserId) parse(r io.Reader) (err error) { + // RFC 4880, section 5.11 + b, err := io.ReadAll(r) + if err != nil { + return + } + uid.Id = string(b) + uid.Name, uid.Comment, uid.Email = parseUserId(uid.Id) + return +} + +// Serialize marshals uid to w in the form of an OpenPGP packet, including +// header. +func (uid *UserId) Serialize(w io.Writer) error { + err := serializeHeader(w, packetTypeUserId, len(uid.Id)) + if err != nil { + return err + } + _, err = w.Write([]byte(uid.Id)) + return err +} + +// parseUserId extracts the name, comment and email from a user id string that +// is formatted as "Full Name (Comment) ". +func parseUserId(id string) (name, comment, email string) { + var n, c, e struct { + start, end int + } + var state int + + for offset, rune := range id { + switch state { + case 0: + // Entering name + n.start = offset + state = 1 + fallthrough + case 1: + // In name + if rune == '(' { + state = 2 + n.end = offset + } else if rune == '<' { + state = 5 + n.end = offset + } + case 2: + // Entering comment + c.start = offset + state = 3 + fallthrough + case 3: + // In comment + if rune == ')' { + state = 4 + c.end = offset + } + case 4: + // Between comment and email + if rune == '<' { + state = 5 + } + case 5: + // Entering email + e.start = offset + state = 6 + fallthrough + case 6: + // In email + if rune == '>' { + state = 7 + e.end = offset + } + default: + // After email + } + } + switch state { + case 1: + // ended in the name + n.end = len(id) + case 3: + // ended in comment + c.end = len(id) + case 6: + // ended in email + e.end = len(id) + } + + name = strings.TrimSpace(id[n.start:n.end]) + comment = strings.TrimSpace(id[c.start:c.end]) + email = strings.TrimSpace(id[e.start:e.end]) + return +} diff --git a/vendor/golang.org/x/crypto/openpgp/read.go b/vendor/golang.org/x/crypto/openpgp/read.go new file mode 100644 index 0000000000..cff3db9196 --- /dev/null +++ b/vendor/golang.org/x/crypto/openpgp/read.go @@ -0,0 +1,448 @@ +// Copyright 2011 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +// Package openpgp implements high level operations on OpenPGP messages. +// +// Deprecated: this package is unmaintained except for security fixes. New +// applications should consider a more focused, modern alternative to OpenPGP +// for their specific task. If you are required to interoperate with OpenPGP +// systems and need a maintained package, consider a community fork. +// See https://golang.org/issue/44226. +package openpgp + +import ( + "crypto" + _ "crypto/sha256" + "hash" + "io" + "strconv" + + "golang.org/x/crypto/openpgp/armor" + "golang.org/x/crypto/openpgp/errors" + "golang.org/x/crypto/openpgp/packet" +) + +// SignatureType is the armor type for a PGP signature. +var SignatureType = "PGP SIGNATURE" + +// readArmored reads an armored block with the given type. +func readArmored(r io.Reader, expectedType string) (body io.Reader, err error) { + block, err := armor.Decode(r) + if err != nil { + return + } + + if block.Type != expectedType { + return nil, errors.InvalidArgumentError("expected '" + expectedType + "', got: " + block.Type) + } + + return block.Body, nil +} + +// MessageDetails contains the result of parsing an OpenPGP encrypted and/or +// signed message. +type MessageDetails struct { + IsEncrypted bool // true if the message was encrypted. + EncryptedToKeyIds []uint64 // the list of recipient key ids. + IsSymmetricallyEncrypted bool // true if a passphrase could have decrypted the message. + DecryptedWith Key // the private key used to decrypt the message, if any. + IsSigned bool // true if the message is signed. + SignedByKeyId uint64 // the key id of the signer, if any. + SignedBy *Key // the key of the signer, if available. + LiteralData *packet.LiteralData // the metadata of the contents + UnverifiedBody io.Reader // the contents of the message. + + // If IsSigned is true and SignedBy is non-zero then the signature will + // be verified as UnverifiedBody is read. The signature cannot be + // checked until the whole of UnverifiedBody is read so UnverifiedBody + // must be consumed until EOF before the data can be trusted. Even if a + // message isn't signed (or the signer is unknown) the data may contain + // an authentication code that is only checked once UnverifiedBody has + // been consumed. Once EOF has been seen, the following fields are + // valid. (An authentication code failure is reported as a + // SignatureError error when reading from UnverifiedBody.) + SignatureError error // nil if the signature is good. + Signature *packet.Signature // the signature packet itself, if v4 (default) + SignatureV3 *packet.SignatureV3 // the signature packet if it is a v2 or v3 signature + + decrypted io.ReadCloser +} + +// A PromptFunction is used as a callback by functions that may need to decrypt +// a private key, or prompt for a passphrase. It is called with a list of +// acceptable, encrypted private keys and a boolean that indicates whether a +// passphrase is usable. It should either decrypt a private key or return a +// passphrase to try. If the decrypted private key or given passphrase isn't +// correct, the function will be called again, forever. Any error returned will +// be passed up. +type PromptFunction func(keys []Key, symmetric bool) ([]byte, error) + +// A keyEnvelopePair is used to store a private key with the envelope that +// contains a symmetric key, encrypted with that key. +type keyEnvelopePair struct { + key Key + encryptedKey *packet.EncryptedKey +} + +// ReadMessage parses an OpenPGP message that may be signed and/or encrypted. +// The given KeyRing should contain both public keys (for signature +// verification) and, possibly encrypted, private keys for decrypting. +// If config is nil, sensible defaults will be used. +func ReadMessage(r io.Reader, keyring KeyRing, prompt PromptFunction, config *packet.Config) (md *MessageDetails, err error) { + var p packet.Packet + + var symKeys []*packet.SymmetricKeyEncrypted + var pubKeys []keyEnvelopePair + var se *packet.SymmetricallyEncrypted + + packets := packet.NewReader(r) + md = new(MessageDetails) + md.IsEncrypted = true + + // The message, if encrypted, starts with a number of packets + // containing an encrypted decryption key. The decryption key is either + // encrypted to a public key, or with a passphrase. This loop + // collects these packets. +ParsePackets: + for { + p, err = packets.Next() + if err != nil { + return nil, err + } + switch p := p.(type) { + case *packet.SymmetricKeyEncrypted: + // This packet contains the decryption key encrypted with a passphrase. + md.IsSymmetricallyEncrypted = true + symKeys = append(symKeys, p) + case *packet.EncryptedKey: + // This packet contains the decryption key encrypted to a public key. + md.EncryptedToKeyIds = append(md.EncryptedToKeyIds, p.KeyId) + switch p.Algo { + case packet.PubKeyAlgoRSA, packet.PubKeyAlgoRSAEncryptOnly, packet.PubKeyAlgoElGamal: + break + default: + continue + } + var keys []Key + if p.KeyId == 0 { + keys = keyring.DecryptionKeys() + } else { + keys = keyring.KeysById(p.KeyId) + } + for _, k := range keys { + pubKeys = append(pubKeys, keyEnvelopePair{k, p}) + } + case *packet.SymmetricallyEncrypted: + se = p + break ParsePackets + case *packet.Compressed, *packet.LiteralData, *packet.OnePassSignature: + // This message isn't encrypted. + if len(symKeys) != 0 || len(pubKeys) != 0 { + return nil, errors.StructuralError("key material not followed by encrypted message") + } + packets.Unread(p) + return readSignedMessage(packets, nil, keyring) + } + } + + var candidates []Key + var decrypted io.ReadCloser + + // Now that we have the list of encrypted keys we need to decrypt at + // least one of them or, if we cannot, we need to call the prompt + // function so that it can decrypt a key or give us a passphrase. +FindKey: + for { + // See if any of the keys already have a private key available + candidates = candidates[:0] + candidateFingerprints := make(map[string]bool) + + for _, pk := range pubKeys { + if pk.key.PrivateKey == nil { + continue + } + if !pk.key.PrivateKey.Encrypted { + if len(pk.encryptedKey.Key) == 0 { + pk.encryptedKey.Decrypt(pk.key.PrivateKey, config) + } + if len(pk.encryptedKey.Key) == 0 { + continue + } + decrypted, err = se.Decrypt(pk.encryptedKey.CipherFunc, pk.encryptedKey.Key) + if err != nil && err != errors.ErrKeyIncorrect { + return nil, err + } + if decrypted != nil { + md.DecryptedWith = pk.key + break FindKey + } + } else { + fpr := string(pk.key.PublicKey.Fingerprint[:]) + if v := candidateFingerprints[fpr]; v { + continue + } + candidates = append(candidates, pk.key) + candidateFingerprints[fpr] = true + } + } + + if len(candidates) == 0 && len(symKeys) == 0 { + return nil, errors.ErrKeyIncorrect + } + + if prompt == nil { + return nil, errors.ErrKeyIncorrect + } + + passphrase, err := prompt(candidates, len(symKeys) != 0) + if err != nil { + return nil, err + } + + // Try the symmetric passphrase first + if len(symKeys) != 0 && passphrase != nil { + for _, s := range symKeys { + key, cipherFunc, err := s.Decrypt(passphrase) + if err == nil { + decrypted, err = se.Decrypt(cipherFunc, key) + if err != nil && err != errors.ErrKeyIncorrect { + return nil, err + } + if decrypted != nil { + break FindKey + } + } + + } + } + } + + md.decrypted = decrypted + if err := packets.Push(decrypted); err != nil { + return nil, err + } + return readSignedMessage(packets, md, keyring) +} + +// readSignedMessage reads a possibly signed message if mdin is non-zero then +// that structure is updated and returned. Otherwise a fresh MessageDetails is +// used. +func readSignedMessage(packets *packet.Reader, mdin *MessageDetails, keyring KeyRing) (md *MessageDetails, err error) { + if mdin == nil { + mdin = new(MessageDetails) + } + md = mdin + + var p packet.Packet + var h hash.Hash + var wrappedHash hash.Hash +FindLiteralData: + for { + p, err = packets.Next() + if err != nil { + return nil, err + } + switch p := p.(type) { + case *packet.Compressed: + if err := packets.Push(p.Body); err != nil { + return nil, err + } + case *packet.OnePassSignature: + if !p.IsLast { + return nil, errors.UnsupportedError("nested signatures") + } + + h, wrappedHash, err = hashForSignature(p.Hash, p.SigType) + if err != nil { + md = nil + return + } + + md.IsSigned = true + md.SignedByKeyId = p.KeyId + keys := keyring.KeysByIdUsage(p.KeyId, packet.KeyFlagSign) + if len(keys) > 0 { + md.SignedBy = &keys[0] + } + case *packet.LiteralData: + md.LiteralData = p + break FindLiteralData + } + } + + if md.SignedBy != nil { + md.UnverifiedBody = &signatureCheckReader{packets, h, wrappedHash, md} + } else if md.decrypted != nil { + md.UnverifiedBody = checkReader{md} + } else { + md.UnverifiedBody = md.LiteralData.Body + } + + return md, nil +} + +// hashForSignature returns a pair of hashes that can be used to verify a +// signature. The signature may specify that the contents of the signed message +// should be preprocessed (i.e. to normalize line endings). Thus this function +// returns two hashes. The second should be used to hash the message itself and +// performs any needed preprocessing. +func hashForSignature(hashId crypto.Hash, sigType packet.SignatureType) (hash.Hash, hash.Hash, error) { + if !hashId.Available() { + return nil, nil, errors.UnsupportedError("hash not available: " + strconv.Itoa(int(hashId))) + } + h := hashId.New() + + switch sigType { + case packet.SigTypeBinary: + return h, h, nil + case packet.SigTypeText: + return h, NewCanonicalTextHash(h), nil + } + + return nil, nil, errors.UnsupportedError("unsupported signature type: " + strconv.Itoa(int(sigType))) +} + +// checkReader wraps an io.Reader from a LiteralData packet. When it sees EOF +// it closes the ReadCloser from any SymmetricallyEncrypted packet to trigger +// MDC checks. +type checkReader struct { + md *MessageDetails +} + +func (cr checkReader) Read(buf []byte) (n int, err error) { + n, err = cr.md.LiteralData.Body.Read(buf) + if err == io.EOF { + mdcErr := cr.md.decrypted.Close() + if mdcErr != nil { + err = mdcErr + } + } + return +} + +// signatureCheckReader wraps an io.Reader from a LiteralData packet and hashes +// the data as it is read. When it sees an EOF from the underlying io.Reader +// it parses and checks a trailing Signature packet and triggers any MDC checks. +type signatureCheckReader struct { + packets *packet.Reader + h, wrappedHash hash.Hash + md *MessageDetails +} + +func (scr *signatureCheckReader) Read(buf []byte) (n int, err error) { + n, err = scr.md.LiteralData.Body.Read(buf) + scr.wrappedHash.Write(buf[:n]) + if err == io.EOF { + var p packet.Packet + p, scr.md.SignatureError = scr.packets.Next() + if scr.md.SignatureError != nil { + return + } + + var ok bool + if scr.md.Signature, ok = p.(*packet.Signature); ok { + scr.md.SignatureError = scr.md.SignedBy.PublicKey.VerifySignature(scr.h, scr.md.Signature) + } else if scr.md.SignatureV3, ok = p.(*packet.SignatureV3); ok { + scr.md.SignatureError = scr.md.SignedBy.PublicKey.VerifySignatureV3(scr.h, scr.md.SignatureV3) + } else { + scr.md.SignatureError = errors.StructuralError("LiteralData not followed by Signature") + return + } + + // The SymmetricallyEncrypted packet, if any, might have an + // unsigned hash of its own. In order to check this we need to + // close that Reader. + if scr.md.decrypted != nil { + mdcErr := scr.md.decrypted.Close() + if mdcErr != nil { + err = mdcErr + } + } + } + return +} + +// CheckDetachedSignature takes a signed file and a detached signature and +// returns the signer if the signature is valid. If the signer isn't known, +// ErrUnknownIssuer is returned. +func CheckDetachedSignature(keyring KeyRing, signed, signature io.Reader) (signer *Entity, err error) { + var issuerKeyId uint64 + var hashFunc crypto.Hash + var sigType packet.SignatureType + var keys []Key + var p packet.Packet + + packets := packet.NewReader(signature) + for { + p, err = packets.Next() + if err == io.EOF { + return nil, errors.ErrUnknownIssuer + } + if err != nil { + return nil, err + } + + switch sig := p.(type) { + case *packet.Signature: + if sig.IssuerKeyId == nil { + return nil, errors.StructuralError("signature doesn't have an issuer") + } + issuerKeyId = *sig.IssuerKeyId + hashFunc = sig.Hash + sigType = sig.SigType + case *packet.SignatureV3: + issuerKeyId = sig.IssuerKeyId + hashFunc = sig.Hash + sigType = sig.SigType + default: + return nil, errors.StructuralError("non signature packet found") + } + + keys = keyring.KeysByIdUsage(issuerKeyId, packet.KeyFlagSign) + if len(keys) > 0 { + break + } + } + + if len(keys) == 0 { + panic("unreachable") + } + + h, wrappedHash, err := hashForSignature(hashFunc, sigType) + if err != nil { + return nil, err + } + + if _, err := io.Copy(wrappedHash, signed); err != nil && err != io.EOF { + return nil, err + } + + for _, key := range keys { + switch sig := p.(type) { + case *packet.Signature: + err = key.PublicKey.VerifySignature(h, sig) + case *packet.SignatureV3: + err = key.PublicKey.VerifySignatureV3(h, sig) + default: + panic("unreachable") + } + + if err == nil { + return key.Entity, nil + } + } + + return nil, err +} + +// CheckArmoredDetachedSignature performs the same actions as +// CheckDetachedSignature but expects the signature to be armored. +func CheckArmoredDetachedSignature(keyring KeyRing, signed, signature io.Reader) (signer *Entity, err error) { + body, err := readArmored(signature, SignatureType) + if err != nil { + return + } + + return CheckDetachedSignature(keyring, signed, body) +} diff --git a/vendor/golang.org/x/crypto/openpgp/s2k/s2k.go b/vendor/golang.org/x/crypto/openpgp/s2k/s2k.go new file mode 100644 index 0000000000..490cb633ce --- /dev/null +++ b/vendor/golang.org/x/crypto/openpgp/s2k/s2k.go @@ -0,0 +1,279 @@ +// Copyright 2011 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +// Package s2k implements the various OpenPGP string-to-key transforms as +// specified in RFC 4800 section 3.7.1. +// +// Deprecated: this package is unmaintained except for security fixes. New +// applications should consider a more focused, modern alternative to OpenPGP +// for their specific task. If you are required to interoperate with OpenPGP +// systems and need a maintained package, consider a community fork. +// See https://golang.org/issue/44226. +package s2k + +import ( + "crypto" + "hash" + "io" + "strconv" + + "golang.org/x/crypto/openpgp/errors" +) + +// Config collects configuration parameters for s2k key-stretching +// transformatioms. A nil *Config is valid and results in all default +// values. Currently, Config is used only by the Serialize function in +// this package. +type Config struct { + // Hash is the default hash function to be used. If + // nil, SHA1 is used. + Hash crypto.Hash + // S2KCount is only used for symmetric encryption. It + // determines the strength of the passphrase stretching when + // the said passphrase is hashed to produce a key. S2KCount + // should be between 1024 and 65011712, inclusive. If Config + // is nil or S2KCount is 0, the value 65536 used. Not all + // values in the above range can be represented. S2KCount will + // be rounded up to the next representable value if it cannot + // be encoded exactly. When set, it is strongly encrouraged to + // use a value that is at least 65536. See RFC 4880 Section + // 3.7.1.3. + S2KCount int +} + +func (c *Config) hash() crypto.Hash { + if c == nil || uint(c.Hash) == 0 { + // SHA1 is the historical default in this package. + return crypto.SHA1 + } + + return c.Hash +} + +func (c *Config) encodedCount() uint8 { + if c == nil || c.S2KCount == 0 { + return 96 // The common case. Corresponding to 65536 + } + + i := c.S2KCount + switch { + // Behave like GPG. Should we make 65536 the lowest value used? + case i < 1024: + i = 1024 + case i > 65011712: + i = 65011712 + } + + return encodeCount(i) +} + +// encodeCount converts an iterative "count" in the range 1024 to +// 65011712, inclusive, to an encoded count. The return value is the +// octet that is actually stored in the GPG file. encodeCount panics +// if i is not in the above range (encodedCount above takes care to +// pass i in the correct range). See RFC 4880 Section 3.7.7.1. +func encodeCount(i int) uint8 { + if i < 1024 || i > 65011712 { + panic("count arg i outside the required range") + } + + for encoded := 0; encoded < 256; encoded++ { + count := decodeCount(uint8(encoded)) + if count >= i { + return uint8(encoded) + } + } + + return 255 +} + +// decodeCount returns the s2k mode 3 iterative "count" corresponding to +// the encoded octet c. +func decodeCount(c uint8) int { + return (16 + int(c&15)) << (uint32(c>>4) + 6) +} + +// Simple writes to out the result of computing the Simple S2K function (RFC +// 4880, section 3.7.1.1) using the given hash and input passphrase. +func Simple(out []byte, h hash.Hash, in []byte) { + Salted(out, h, in, nil) +} + +var zero [1]byte + +// Salted writes to out the result of computing the Salted S2K function (RFC +// 4880, section 3.7.1.2) using the given hash, input passphrase and salt. +func Salted(out []byte, h hash.Hash, in []byte, salt []byte) { + done := 0 + var digest []byte + + for i := 0; done < len(out); i++ { + h.Reset() + for j := 0; j < i; j++ { + h.Write(zero[:]) + } + h.Write(salt) + h.Write(in) + digest = h.Sum(digest[:0]) + n := copy(out[done:], digest) + done += n + } +} + +// Iterated writes to out the result of computing the Iterated and Salted S2K +// function (RFC 4880, section 3.7.1.3) using the given hash, input passphrase, +// salt and iteration count. +func Iterated(out []byte, h hash.Hash, in []byte, salt []byte, count int) { + combined := make([]byte, len(in)+len(salt)) + copy(combined, salt) + copy(combined[len(salt):], in) + + if count < len(combined) { + count = len(combined) + } + + done := 0 + var digest []byte + for i := 0; done < len(out); i++ { + h.Reset() + for j := 0; j < i; j++ { + h.Write(zero[:]) + } + written := 0 + for written < count { + if written+len(combined) > count { + todo := count - written + h.Write(combined[:todo]) + written = count + } else { + h.Write(combined) + written += len(combined) + } + } + digest = h.Sum(digest[:0]) + n := copy(out[done:], digest) + done += n + } +} + +// Parse reads a binary specification for a string-to-key transformation from r +// and returns a function which performs that transform. +func Parse(r io.Reader) (f func(out, in []byte), err error) { + var buf [9]byte + + _, err = io.ReadFull(r, buf[:2]) + if err != nil { + return + } + + hash, ok := HashIdToHash(buf[1]) + if !ok { + return nil, errors.UnsupportedError("hash for S2K function: " + strconv.Itoa(int(buf[1]))) + } + if !hash.Available() { + return nil, errors.UnsupportedError("hash not available: " + strconv.Itoa(int(hash))) + } + h := hash.New() + + switch buf[0] { + case 0: + f := func(out, in []byte) { + Simple(out, h, in) + } + return f, nil + case 1: + _, err = io.ReadFull(r, buf[:8]) + if err != nil { + return + } + f := func(out, in []byte) { + Salted(out, h, in, buf[:8]) + } + return f, nil + case 3: + _, err = io.ReadFull(r, buf[:9]) + if err != nil { + return + } + count := decodeCount(buf[8]) + f := func(out, in []byte) { + Iterated(out, h, in, buf[:8], count) + } + return f, nil + } + + return nil, errors.UnsupportedError("S2K function") +} + +// Serialize salts and stretches the given passphrase and writes the +// resulting key into key. It also serializes an S2K descriptor to +// w. The key stretching can be configured with c, which may be +// nil. In that case, sensible defaults will be used. +func Serialize(w io.Writer, key []byte, rand io.Reader, passphrase []byte, c *Config) error { + var buf [11]byte + buf[0] = 3 /* iterated and salted */ + buf[1], _ = HashToHashId(c.hash()) + salt := buf[2:10] + if _, err := io.ReadFull(rand, salt); err != nil { + return err + } + encodedCount := c.encodedCount() + count := decodeCount(encodedCount) + buf[10] = encodedCount + if _, err := w.Write(buf[:]); err != nil { + return err + } + + Iterated(key, c.hash().New(), passphrase, salt, count) + return nil +} + +// hashToHashIdMapping contains pairs relating OpenPGP's hash identifier with +// Go's crypto.Hash type. See RFC 4880, section 9.4. +var hashToHashIdMapping = []struct { + id byte + hash crypto.Hash + name string +}{ + {1, crypto.MD5, "MD5"}, + {2, crypto.SHA1, "SHA1"}, + {3, crypto.RIPEMD160, "RIPEMD160"}, + {8, crypto.SHA256, "SHA256"}, + {9, crypto.SHA384, "SHA384"}, + {10, crypto.SHA512, "SHA512"}, + {11, crypto.SHA224, "SHA224"}, +} + +// HashIdToHash returns a crypto.Hash which corresponds to the given OpenPGP +// hash id. +func HashIdToHash(id byte) (h crypto.Hash, ok bool) { + for _, m := range hashToHashIdMapping { + if m.id == id { + return m.hash, true + } + } + return 0, false +} + +// HashIdToString returns the name of the hash function corresponding to the +// given OpenPGP hash id. +func HashIdToString(id byte) (name string, ok bool) { + for _, m := range hashToHashIdMapping { + if m.id == id { + return m.name, true + } + } + + return "", false +} + +// HashToHashId returns an OpenPGP hash id which corresponds the given Hash. +func HashToHashId(h crypto.Hash) (id byte, ok bool) { + for _, m := range hashToHashIdMapping { + if m.hash == h { + return m.id, true + } + } + return 0, false +} diff --git a/vendor/golang.org/x/crypto/openpgp/write.go b/vendor/golang.org/x/crypto/openpgp/write.go new file mode 100644 index 0000000000..b89d48b81d --- /dev/null +++ b/vendor/golang.org/x/crypto/openpgp/write.go @@ -0,0 +1,418 @@ +// Copyright 2011 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package openpgp + +import ( + "crypto" + "hash" + "io" + "strconv" + "time" + + "golang.org/x/crypto/openpgp/armor" + "golang.org/x/crypto/openpgp/errors" + "golang.org/x/crypto/openpgp/packet" + "golang.org/x/crypto/openpgp/s2k" +) + +// DetachSign signs message with the private key from signer (which must +// already have been decrypted) and writes the signature to w. +// If config is nil, sensible defaults will be used. +func DetachSign(w io.Writer, signer *Entity, message io.Reader, config *packet.Config) error { + return detachSign(w, signer, message, packet.SigTypeBinary, config) +} + +// ArmoredDetachSign signs message with the private key from signer (which +// must already have been decrypted) and writes an armored signature to w. +// If config is nil, sensible defaults will be used. +func ArmoredDetachSign(w io.Writer, signer *Entity, message io.Reader, config *packet.Config) (err error) { + return armoredDetachSign(w, signer, message, packet.SigTypeBinary, config) +} + +// DetachSignText signs message (after canonicalising the line endings) with +// the private key from signer (which must already have been decrypted) and +// writes the signature to w. +// If config is nil, sensible defaults will be used. +func DetachSignText(w io.Writer, signer *Entity, message io.Reader, config *packet.Config) error { + return detachSign(w, signer, message, packet.SigTypeText, config) +} + +// ArmoredDetachSignText signs message (after canonicalising the line endings) +// with the private key from signer (which must already have been decrypted) +// and writes an armored signature to w. +// If config is nil, sensible defaults will be used. +func ArmoredDetachSignText(w io.Writer, signer *Entity, message io.Reader, config *packet.Config) error { + return armoredDetachSign(w, signer, message, packet.SigTypeText, config) +} + +func armoredDetachSign(w io.Writer, signer *Entity, message io.Reader, sigType packet.SignatureType, config *packet.Config) (err error) { + out, err := armor.Encode(w, SignatureType, nil) + if err != nil { + return + } + err = detachSign(out, signer, message, sigType, config) + if err != nil { + return + } + return out.Close() +} + +func detachSign(w io.Writer, signer *Entity, message io.Reader, sigType packet.SignatureType, config *packet.Config) (err error) { + if signer.PrivateKey == nil { + return errors.InvalidArgumentError("signing key doesn't have a private key") + } + if signer.PrivateKey.Encrypted { + return errors.InvalidArgumentError("signing key is encrypted") + } + + sig := new(packet.Signature) + sig.SigType = sigType + sig.PubKeyAlgo = signer.PrivateKey.PubKeyAlgo + sig.Hash = config.Hash() + sig.CreationTime = config.Now() + sig.IssuerKeyId = &signer.PrivateKey.KeyId + + h, wrappedHash, err := hashForSignature(sig.Hash, sig.SigType) + if err != nil { + return + } + io.Copy(wrappedHash, message) + + err = sig.Sign(h, signer.PrivateKey, config) + if err != nil { + return + } + + return sig.Serialize(w) +} + +// FileHints contains metadata about encrypted files. This metadata is, itself, +// encrypted. +type FileHints struct { + // IsBinary can be set to hint that the contents are binary data. + IsBinary bool + // FileName hints at the name of the file that should be written. It's + // truncated to 255 bytes if longer. It may be empty to suggest that the + // file should not be written to disk. It may be equal to "_CONSOLE" to + // suggest the data should not be written to disk. + FileName string + // ModTime contains the modification time of the file, or the zero time if not applicable. + ModTime time.Time +} + +// SymmetricallyEncrypt acts like gpg -c: it encrypts a file with a passphrase. +// The resulting WriteCloser must be closed after the contents of the file have +// been written. +// If config is nil, sensible defaults will be used. +func SymmetricallyEncrypt(ciphertext io.Writer, passphrase []byte, hints *FileHints, config *packet.Config) (plaintext io.WriteCloser, err error) { + if hints == nil { + hints = &FileHints{} + } + + key, err := packet.SerializeSymmetricKeyEncrypted(ciphertext, passphrase, config) + if err != nil { + return + } + w, err := packet.SerializeSymmetricallyEncrypted(ciphertext, config.Cipher(), key, config) + if err != nil { + return + } + + literaldata := w + if algo := config.Compression(); algo != packet.CompressionNone { + var compConfig *packet.CompressionConfig + if config != nil { + compConfig = config.CompressionConfig + } + literaldata, err = packet.SerializeCompressed(w, algo, compConfig) + if err != nil { + return + } + } + + var epochSeconds uint32 + if !hints.ModTime.IsZero() { + epochSeconds = uint32(hints.ModTime.Unix()) + } + return packet.SerializeLiteral(literaldata, hints.IsBinary, hints.FileName, epochSeconds) +} + +// intersectPreferences mutates and returns a prefix of a that contains only +// the values in the intersection of a and b. The order of a is preserved. +func intersectPreferences(a []uint8, b []uint8) (intersection []uint8) { + var j int + for _, v := range a { + for _, v2 := range b { + if v == v2 { + a[j] = v + j++ + break + } + } + } + + return a[:j] +} + +func hashToHashId(h crypto.Hash) uint8 { + v, ok := s2k.HashToHashId(h) + if !ok { + panic("tried to convert unknown hash") + } + return v +} + +// writeAndSign writes the data as a payload package and, optionally, signs +// it. hints contains optional information, that is also encrypted, +// that aids the recipients in processing the message. The resulting +// WriteCloser must be closed after the contents of the file have been +// written. If config is nil, sensible defaults will be used. +func writeAndSign(payload io.WriteCloser, candidateHashes []uint8, signed *Entity, hints *FileHints, config *packet.Config) (plaintext io.WriteCloser, err error) { + var signer *packet.PrivateKey + if signed != nil { + signKey, ok := signed.signingKey(config.Now()) + if !ok { + return nil, errors.InvalidArgumentError("no valid signing keys") + } + signer = signKey.PrivateKey + if signer == nil { + return nil, errors.InvalidArgumentError("no private key in signing key") + } + if signer.Encrypted { + return nil, errors.InvalidArgumentError("signing key must be decrypted") + } + } + + var hash crypto.Hash + for _, hashId := range candidateHashes { + if h, ok := s2k.HashIdToHash(hashId); ok && h.Available() { + hash = h + break + } + } + + // If the hash specified by config is a candidate, we'll use that. + if configuredHash := config.Hash(); configuredHash.Available() { + for _, hashId := range candidateHashes { + if h, ok := s2k.HashIdToHash(hashId); ok && h == configuredHash { + hash = h + break + } + } + } + + if hash == 0 { + hashId := candidateHashes[0] + name, ok := s2k.HashIdToString(hashId) + if !ok { + name = "#" + strconv.Itoa(int(hashId)) + } + return nil, errors.InvalidArgumentError("cannot encrypt because no candidate hash functions are compiled in. (Wanted " + name + " in this case.)") + } + + if signer != nil { + ops := &packet.OnePassSignature{ + SigType: packet.SigTypeBinary, + Hash: hash, + PubKeyAlgo: signer.PubKeyAlgo, + KeyId: signer.KeyId, + IsLast: true, + } + if err := ops.Serialize(payload); err != nil { + return nil, err + } + } + + if hints == nil { + hints = &FileHints{} + } + + w := payload + if signer != nil { + // If we need to write a signature packet after the literal + // data then we need to stop literalData from closing + // encryptedData. + w = noOpCloser{w} + + } + var epochSeconds uint32 + if !hints.ModTime.IsZero() { + epochSeconds = uint32(hints.ModTime.Unix()) + } + literalData, err := packet.SerializeLiteral(w, hints.IsBinary, hints.FileName, epochSeconds) + if err != nil { + return nil, err + } + + if signer != nil { + return signatureWriter{payload, literalData, hash, hash.New(), signer, config}, nil + } + return literalData, nil +} + +// Encrypt encrypts a message to a number of recipients and, optionally, signs +// it. hints contains optional information, that is also encrypted, that aids +// the recipients in processing the message. The resulting WriteCloser must +// be closed after the contents of the file have been written. +// If config is nil, sensible defaults will be used. +func Encrypt(ciphertext io.Writer, to []*Entity, signed *Entity, hints *FileHints, config *packet.Config) (plaintext io.WriteCloser, err error) { + if len(to) == 0 { + return nil, errors.InvalidArgumentError("no encryption recipient provided") + } + + // These are the possible ciphers that we'll use for the message. + candidateCiphers := []uint8{ + uint8(packet.CipherAES128), + uint8(packet.CipherAES256), + uint8(packet.CipherCAST5), + } + // These are the possible hash functions that we'll use for the signature. + candidateHashes := []uint8{ + hashToHashId(crypto.SHA256), + hashToHashId(crypto.SHA384), + hashToHashId(crypto.SHA512), + hashToHashId(crypto.SHA1), + hashToHashId(crypto.RIPEMD160), + } + // In the event that a recipient doesn't specify any supported ciphers + // or hash functions, these are the ones that we assume that every + // implementation supports. + defaultCiphers := candidateCiphers[len(candidateCiphers)-1:] + defaultHashes := candidateHashes[len(candidateHashes)-1:] + + encryptKeys := make([]Key, len(to)) + for i := range to { + var ok bool + encryptKeys[i], ok = to[i].encryptionKey(config.Now()) + if !ok { + return nil, errors.InvalidArgumentError("cannot encrypt a message to key id " + strconv.FormatUint(to[i].PrimaryKey.KeyId, 16) + " because it has no encryption keys") + } + + sig := to[i].primaryIdentity().SelfSignature + + preferredSymmetric := sig.PreferredSymmetric + if len(preferredSymmetric) == 0 { + preferredSymmetric = defaultCiphers + } + preferredHashes := sig.PreferredHash + if len(preferredHashes) == 0 { + preferredHashes = defaultHashes + } + candidateCiphers = intersectPreferences(candidateCiphers, preferredSymmetric) + candidateHashes = intersectPreferences(candidateHashes, preferredHashes) + } + + if len(candidateCiphers) == 0 || len(candidateHashes) == 0 { + return nil, errors.InvalidArgumentError("cannot encrypt because recipient set shares no common algorithms") + } + + cipher := packet.CipherFunction(candidateCiphers[0]) + // If the cipher specified by config is a candidate, we'll use that. + configuredCipher := config.Cipher() + for _, c := range candidateCiphers { + cipherFunc := packet.CipherFunction(c) + if cipherFunc == configuredCipher { + cipher = cipherFunc + break + } + } + + symKey := make([]byte, cipher.KeySize()) + if _, err := io.ReadFull(config.Random(), symKey); err != nil { + return nil, err + } + + for _, key := range encryptKeys { + if err := packet.SerializeEncryptedKey(ciphertext, key.PublicKey, cipher, symKey, config); err != nil { + return nil, err + } + } + + payload, err := packet.SerializeSymmetricallyEncrypted(ciphertext, cipher, symKey, config) + if err != nil { + return + } + + return writeAndSign(payload, candidateHashes, signed, hints, config) +} + +// Sign signs a message. The resulting WriteCloser must be closed after the +// contents of the file have been written. hints contains optional information +// that aids the recipients in processing the message. +// If config is nil, sensible defaults will be used. +func Sign(output io.Writer, signed *Entity, hints *FileHints, config *packet.Config) (input io.WriteCloser, err error) { + if signed == nil { + return nil, errors.InvalidArgumentError("no signer provided") + } + + // These are the possible hash functions that we'll use for the signature. + candidateHashes := []uint8{ + hashToHashId(crypto.SHA256), + hashToHashId(crypto.SHA384), + hashToHashId(crypto.SHA512), + hashToHashId(crypto.SHA1), + hashToHashId(crypto.RIPEMD160), + } + defaultHashes := candidateHashes[len(candidateHashes)-1:] + preferredHashes := signed.primaryIdentity().SelfSignature.PreferredHash + if len(preferredHashes) == 0 { + preferredHashes = defaultHashes + } + candidateHashes = intersectPreferences(candidateHashes, preferredHashes) + return writeAndSign(noOpCloser{output}, candidateHashes, signed, hints, config) +} + +// signatureWriter hashes the contents of a message while passing it along to +// literalData. When closed, it closes literalData, writes a signature packet +// to encryptedData and then also closes encryptedData. +type signatureWriter struct { + encryptedData io.WriteCloser + literalData io.WriteCloser + hashType crypto.Hash + h hash.Hash + signer *packet.PrivateKey + config *packet.Config +} + +func (s signatureWriter) Write(data []byte) (int, error) { + s.h.Write(data) + return s.literalData.Write(data) +} + +func (s signatureWriter) Close() error { + sig := &packet.Signature{ + SigType: packet.SigTypeBinary, + PubKeyAlgo: s.signer.PubKeyAlgo, + Hash: s.hashType, + CreationTime: s.config.Now(), + IssuerKeyId: &s.signer.KeyId, + } + + if err := sig.Sign(s.h, s.signer, s.config); err != nil { + return err + } + if err := s.literalData.Close(); err != nil { + return err + } + if err := sig.Serialize(s.encryptedData); err != nil { + return err + } + return s.encryptedData.Close() +} + +// noOpCloser is like an io.NopCloser, but for an io.Writer. +// TODO: we have two of these in OpenPGP packages alone. This probably needs +// to be promoted somewhere more common. +type noOpCloser struct { + w io.Writer +} + +func (c noOpCloser) Write(data []byte) (n int, err error) { + return c.w.Write(data) +} + +func (c noOpCloser) Close() error { + return nil +} diff --git a/vendor/golang.org/x/crypto/pbkdf2/pbkdf2.go b/vendor/golang.org/x/crypto/pbkdf2/pbkdf2.go new file mode 100644 index 0000000000..28cd99c7f3 --- /dev/null +++ b/vendor/golang.org/x/crypto/pbkdf2/pbkdf2.go @@ -0,0 +1,77 @@ +// Copyright 2012 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +/* +Package pbkdf2 implements the key derivation function PBKDF2 as defined in RFC +2898 / PKCS #5 v2.0. + +A key derivation function is useful when encrypting data based on a password +or any other not-fully-random data. It uses a pseudorandom function to derive +a secure encryption key based on the password. + +While v2.0 of the standard defines only one pseudorandom function to use, +HMAC-SHA1, the drafted v2.1 specification allows use of all five FIPS Approved +Hash Functions SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512 for HMAC. To +choose, you can pass the `New` functions from the different SHA packages to +pbkdf2.Key. +*/ +package pbkdf2 + +import ( + "crypto/hmac" + "hash" +) + +// Key derives a key from the password, salt and iteration count, returning a +// []byte of length keylen that can be used as cryptographic key. The key is +// derived based on the method described as PBKDF2 with the HMAC variant using +// the supplied hash function. +// +// For example, to use a HMAC-SHA-1 based PBKDF2 key derivation function, you +// can get a derived key for e.g. AES-256 (which needs a 32-byte key) by +// doing: +// +// dk := pbkdf2.Key([]byte("some password"), salt, 4096, 32, sha1.New) +// +// Remember to get a good random salt. At least 8 bytes is recommended by the +// RFC. +// +// Using a higher iteration count will increase the cost of an exhaustive +// search but will also make derivation proportionally slower. +func Key(password, salt []byte, iter, keyLen int, h func() hash.Hash) []byte { + prf := hmac.New(h, password) + hashLen := prf.Size() + numBlocks := (keyLen + hashLen - 1) / hashLen + + var buf [4]byte + dk := make([]byte, 0, numBlocks*hashLen) + U := make([]byte, hashLen) + for block := 1; block <= numBlocks; block++ { + // N.B.: || means concatenation, ^ means XOR + // for each block T_i = U_1 ^ U_2 ^ ... ^ U_iter + // U_1 = PRF(password, salt || uint(i)) + prf.Reset() + prf.Write(salt) + buf[0] = byte(block >> 24) + buf[1] = byte(block >> 16) + buf[2] = byte(block >> 8) + buf[3] = byte(block) + prf.Write(buf[:4]) + dk = prf.Sum(dk) + T := dk[len(dk)-hashLen:] + copy(U, T) + + // U_n = PRF(password, U_(n-1)) + for n := 2; n <= iter; n++ { + prf.Reset() + prf.Write(U) + U = U[:0] + U = prf.Sum(U) + for x := range U { + T[x] ^= U[x] + } + } + } + return dk[:keyLen] +} diff --git a/vendor/golang.org/x/crypto/scrypt/scrypt.go b/vendor/golang.org/x/crypto/scrypt/scrypt.go new file mode 100644 index 0000000000..76fa40fb20 --- /dev/null +++ b/vendor/golang.org/x/crypto/scrypt/scrypt.go @@ -0,0 +1,212 @@ +// Copyright 2012 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +// Package scrypt implements the scrypt key derivation function as defined in +// Colin Percival's paper "Stronger Key Derivation via Sequential Memory-Hard +// Functions" (https://www.tarsnap.com/scrypt/scrypt.pdf). +package scrypt + +import ( + "crypto/sha256" + "encoding/binary" + "errors" + "math/bits" + + "golang.org/x/crypto/pbkdf2" +) + +const maxInt = int(^uint(0) >> 1) + +// blockCopy copies n numbers from src into dst. +func blockCopy(dst, src []uint32, n int) { + copy(dst, src[:n]) +} + +// blockXOR XORs numbers from dst with n numbers from src. +func blockXOR(dst, src []uint32, n int) { + for i, v := range src[:n] { + dst[i] ^= v + } +} + +// salsaXOR applies Salsa20/8 to the XOR of 16 numbers from tmp and in, +// and puts the result into both tmp and out. +func salsaXOR(tmp *[16]uint32, in, out []uint32) { + w0 := tmp[0] ^ in[0] + w1 := tmp[1] ^ in[1] + w2 := tmp[2] ^ in[2] + w3 := tmp[3] ^ in[3] + w4 := tmp[4] ^ in[4] + w5 := tmp[5] ^ in[5] + w6 := tmp[6] ^ in[6] + w7 := tmp[7] ^ in[7] + w8 := tmp[8] ^ in[8] + w9 := tmp[9] ^ in[9] + w10 := tmp[10] ^ in[10] + w11 := tmp[11] ^ in[11] + w12 := tmp[12] ^ in[12] + w13 := tmp[13] ^ in[13] + w14 := tmp[14] ^ in[14] + w15 := tmp[15] ^ in[15] + + x0, x1, x2, x3, x4, x5, x6, x7, x8 := w0, w1, w2, w3, w4, w5, w6, w7, w8 + x9, x10, x11, x12, x13, x14, x15 := w9, w10, w11, w12, w13, w14, w15 + + for i := 0; i < 8; i += 2 { + x4 ^= bits.RotateLeft32(x0+x12, 7) + x8 ^= bits.RotateLeft32(x4+x0, 9) + x12 ^= bits.RotateLeft32(x8+x4, 13) + x0 ^= bits.RotateLeft32(x12+x8, 18) + + x9 ^= bits.RotateLeft32(x5+x1, 7) + x13 ^= bits.RotateLeft32(x9+x5, 9) + x1 ^= bits.RotateLeft32(x13+x9, 13) + x5 ^= bits.RotateLeft32(x1+x13, 18) + + x14 ^= bits.RotateLeft32(x10+x6, 7) + x2 ^= bits.RotateLeft32(x14+x10, 9) + x6 ^= bits.RotateLeft32(x2+x14, 13) + x10 ^= bits.RotateLeft32(x6+x2, 18) + + x3 ^= bits.RotateLeft32(x15+x11, 7) + x7 ^= bits.RotateLeft32(x3+x15, 9) + x11 ^= bits.RotateLeft32(x7+x3, 13) + x15 ^= bits.RotateLeft32(x11+x7, 18) + + x1 ^= bits.RotateLeft32(x0+x3, 7) + x2 ^= bits.RotateLeft32(x1+x0, 9) + x3 ^= bits.RotateLeft32(x2+x1, 13) + x0 ^= bits.RotateLeft32(x3+x2, 18) + + x6 ^= bits.RotateLeft32(x5+x4, 7) + x7 ^= bits.RotateLeft32(x6+x5, 9) + x4 ^= bits.RotateLeft32(x7+x6, 13) + x5 ^= bits.RotateLeft32(x4+x7, 18) + + x11 ^= bits.RotateLeft32(x10+x9, 7) + x8 ^= bits.RotateLeft32(x11+x10, 9) + x9 ^= bits.RotateLeft32(x8+x11, 13) + x10 ^= bits.RotateLeft32(x9+x8, 18) + + x12 ^= bits.RotateLeft32(x15+x14, 7) + x13 ^= bits.RotateLeft32(x12+x15, 9) + x14 ^= bits.RotateLeft32(x13+x12, 13) + x15 ^= bits.RotateLeft32(x14+x13, 18) + } + x0 += w0 + x1 += w1 + x2 += w2 + x3 += w3 + x4 += w4 + x5 += w5 + x6 += w6 + x7 += w7 + x8 += w8 + x9 += w9 + x10 += w10 + x11 += w11 + x12 += w12 + x13 += w13 + x14 += w14 + x15 += w15 + + out[0], tmp[0] = x0, x0 + out[1], tmp[1] = x1, x1 + out[2], tmp[2] = x2, x2 + out[3], tmp[3] = x3, x3 + out[4], tmp[4] = x4, x4 + out[5], tmp[5] = x5, x5 + out[6], tmp[6] = x6, x6 + out[7], tmp[7] = x7, x7 + out[8], tmp[8] = x8, x8 + out[9], tmp[9] = x9, x9 + out[10], tmp[10] = x10, x10 + out[11], tmp[11] = x11, x11 + out[12], tmp[12] = x12, x12 + out[13], tmp[13] = x13, x13 + out[14], tmp[14] = x14, x14 + out[15], tmp[15] = x15, x15 +} + +func blockMix(tmp *[16]uint32, in, out []uint32, r int) { + blockCopy(tmp[:], in[(2*r-1)*16:], 16) + for i := 0; i < 2*r; i += 2 { + salsaXOR(tmp, in[i*16:], out[i*8:]) + salsaXOR(tmp, in[i*16+16:], out[i*8+r*16:]) + } +} + +func integer(b []uint32, r int) uint64 { + j := (2*r - 1) * 16 + return uint64(b[j]) | uint64(b[j+1])<<32 +} + +func smix(b []byte, r, N int, v, xy []uint32) { + var tmp [16]uint32 + R := 32 * r + x := xy + y := xy[R:] + + j := 0 + for i := 0; i < R; i++ { + x[i] = binary.LittleEndian.Uint32(b[j:]) + j += 4 + } + for i := 0; i < N; i += 2 { + blockCopy(v[i*R:], x, R) + blockMix(&tmp, x, y, r) + + blockCopy(v[(i+1)*R:], y, R) + blockMix(&tmp, y, x, r) + } + for i := 0; i < N; i += 2 { + j := int(integer(x, r) & uint64(N-1)) + blockXOR(x, v[j*R:], R) + blockMix(&tmp, x, y, r) + + j = int(integer(y, r) & uint64(N-1)) + blockXOR(y, v[j*R:], R) + blockMix(&tmp, y, x, r) + } + j = 0 + for _, v := range x[:R] { + binary.LittleEndian.PutUint32(b[j:], v) + j += 4 + } +} + +// Key derives a key from the password, salt, and cost parameters, returning +// a byte slice of length keyLen that can be used as cryptographic key. +// +// N is a CPU/memory cost parameter, which must be a power of two greater than 1. +// r and p must satisfy r * p < 2³â°. If the parameters do not satisfy the +// limits, the function returns a nil byte slice and an error. +// +// For example, you can get a derived key for e.g. AES-256 (which needs a +// 32-byte key) by doing: +// +// dk, err := scrypt.Key([]byte("some password"), salt, 32768, 8, 1, 32) +// +// The recommended parameters for interactive logins as of 2017 are N=32768, r=8 +// and p=1. The parameters N, r, and p should be increased as memory latency and +// CPU parallelism increases; consider setting N to the highest power of 2 you +// can derive within 100 milliseconds. Remember to get a good random salt. +func Key(password, salt []byte, N, r, p, keyLen int) ([]byte, error) { + if N <= 1 || N&(N-1) != 0 { + return nil, errors.New("scrypt: N must be > 1 and a power of 2") + } + if uint64(r)*uint64(p) >= 1<<30 || r > maxInt/128/p || r > maxInt/256 || N > maxInt/128/r { + return nil, errors.New("scrypt: parameters are too large") + } + + xy := make([]uint32, 64*r) + v := make([]uint32, 32*N*r) + b := pbkdf2.Key(password, salt, 1, p*128*r, sha256.New) + + for i := 0; i < p; i++ { + smix(b[i*128*r:], r, N, v, xy) + } + + return pbkdf2.Key(password, b, 1, keyLen, sha256.New), nil +} diff --git a/vendor/golang.org/x/sync/semaphore/semaphore.go b/vendor/golang.org/x/sync/semaphore/semaphore.go new file mode 100644 index 0000000000..b618162aab --- /dev/null +++ b/vendor/golang.org/x/sync/semaphore/semaphore.go @@ -0,0 +1,160 @@ +// Copyright 2017 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +// Package semaphore provides a weighted semaphore implementation. +package semaphore // import "golang.org/x/sync/semaphore" + +import ( + "container/list" + "context" + "sync" +) + +type waiter struct { + n int64 + ready chan<- struct{} // Closed when semaphore acquired. +} + +// NewWeighted creates a new weighted semaphore with the given +// maximum combined weight for concurrent access. +func NewWeighted(n int64) *Weighted { + w := &Weighted{size: n} + return w +} + +// Weighted provides a way to bound concurrent access to a resource. +// The callers can request access with a given weight. +type Weighted struct { + size int64 + cur int64 + mu sync.Mutex + waiters list.List +} + +// Acquire acquires the semaphore with a weight of n, blocking until resources +// are available or ctx is done. On success, returns nil. On failure, returns +// ctx.Err() and leaves the semaphore unchanged. +func (s *Weighted) Acquire(ctx context.Context, n int64) error { + done := ctx.Done() + + s.mu.Lock() + select { + case <-done: + // ctx becoming done has "happened before" acquiring the semaphore, + // whether it became done before the call began or while we were + // waiting for the mutex. We prefer to fail even if we could acquire + // the mutex without blocking. + s.mu.Unlock() + return ctx.Err() + default: + } + if s.size-s.cur >= n && s.waiters.Len() == 0 { + // Since we hold s.mu and haven't synchronized since checking done, if + // ctx becomes done before we return here, it becoming done must have + // "happened concurrently" with this call - it cannot "happen before" + // we return in this branch. So, we're ok to always acquire here. + s.cur += n + s.mu.Unlock() + return nil + } + + if n > s.size { + // Don't make other Acquire calls block on one that's doomed to fail. + s.mu.Unlock() + <-done + return ctx.Err() + } + + ready := make(chan struct{}) + w := waiter{n: n, ready: ready} + elem := s.waiters.PushBack(w) + s.mu.Unlock() + + select { + case <-done: + s.mu.Lock() + select { + case <-ready: + // Acquired the semaphore after we were canceled. + // Pretend we didn't and put the tokens back. + s.cur -= n + s.notifyWaiters() + default: + isFront := s.waiters.Front() == elem + s.waiters.Remove(elem) + // If we're at the front and there're extra tokens left, notify other waiters. + if isFront && s.size > s.cur { + s.notifyWaiters() + } + } + s.mu.Unlock() + return ctx.Err() + + case <-ready: + // Acquired the semaphore. Check that ctx isn't already done. + // We check the done channel instead of calling ctx.Err because we + // already have the channel, and ctx.Err is O(n) with the nesting + // depth of ctx. + select { + case <-done: + s.Release(n) + return ctx.Err() + default: + } + return nil + } +} + +// TryAcquire acquires the semaphore with a weight of n without blocking. +// On success, returns true. On failure, returns false and leaves the semaphore unchanged. +func (s *Weighted) TryAcquire(n int64) bool { + s.mu.Lock() + success := s.size-s.cur >= n && s.waiters.Len() == 0 + if success { + s.cur += n + } + s.mu.Unlock() + return success +} + +// Release releases the semaphore with a weight of n. +func (s *Weighted) Release(n int64) { + s.mu.Lock() + s.cur -= n + if s.cur < 0 { + s.mu.Unlock() + panic("semaphore: released more than held") + } + s.notifyWaiters() + s.mu.Unlock() +} + +func (s *Weighted) notifyWaiters() { + for { + next := s.waiters.Front() + if next == nil { + break // No more waiters blocked. + } + + w := next.Value.(waiter) + if s.size-s.cur < w.n { + // Not enough tokens for the next waiter. We could keep going (to try to + // find a waiter with a smaller request), but under load that could cause + // starvation for large requests; instead, we leave all remaining waiters + // blocked. + // + // Consider a semaphore used as a read-write lock, with N tokens, N + // readers, and one writer. Each reader can Acquire(1) to obtain a read + // lock. The writer can Acquire(N) to obtain a write lock, excluding all + // of the readers. If we allow the readers to jump ahead in the queue, + // the writer will starve — there is always one token available for every + // reader. + break + } + + s.cur += w.n + s.waiters.Remove(next) + close(w.ready) + } +} diff --git a/vendor/golang.org/x/text/encoding/encoding.go b/vendor/golang.org/x/text/encoding/encoding.go new file mode 100644 index 0000000000..a0bd7cd4d0 --- /dev/null +++ b/vendor/golang.org/x/text/encoding/encoding.go @@ -0,0 +1,335 @@ +// Copyright 2013 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +// Package encoding defines an interface for character encodings, such as Shift +// JIS and Windows 1252, that can convert to and from UTF-8. +// +// Encoding implementations are provided in other packages, such as +// golang.org/x/text/encoding/charmap and +// golang.org/x/text/encoding/japanese. +package encoding // import "golang.org/x/text/encoding" + +import ( + "errors" + "io" + "strconv" + "unicode/utf8" + + "golang.org/x/text/encoding/internal/identifier" + "golang.org/x/text/transform" +) + +// TODO: +// - There seems to be some inconsistency in when decoders return errors +// and when not. Also documentation seems to suggest they shouldn't return +// errors at all (except for UTF-16). +// - Encoders seem to rely on or at least benefit from the input being in NFC +// normal form. Perhaps add an example how users could prepare their output. + +// Encoding is a character set encoding that can be transformed to and from +// UTF-8. +type Encoding interface { + // NewDecoder returns a Decoder. + NewDecoder() *Decoder + + // NewEncoder returns an Encoder. + NewEncoder() *Encoder +} + +// A Decoder converts bytes to UTF-8. It implements transform.Transformer. +// +// Transforming source bytes that are not of that encoding will not result in an +// error per se. Each byte that cannot be transcoded will be represented in the +// output by the UTF-8 encoding of '\uFFFD', the replacement rune. +type Decoder struct { + transform.Transformer + + // This forces external creators of Decoders to use names in struct + // initializers, allowing for future extendibility without having to break + // code. + _ struct{} +} + +// Bytes converts the given encoded bytes to UTF-8. It returns the converted +// bytes or nil, err if any error occurred. +func (d *Decoder) Bytes(b []byte) ([]byte, error) { + b, _, err := transform.Bytes(d, b) + if err != nil { + return nil, err + } + return b, nil +} + +// String converts the given encoded string to UTF-8. It returns the converted +// string or "", err if any error occurred. +func (d *Decoder) String(s string) (string, error) { + s, _, err := transform.String(d, s) + if err != nil { + return "", err + } + return s, nil +} + +// Reader wraps another Reader to decode its bytes. +// +// The Decoder may not be used for any other operation as long as the returned +// Reader is in use. +func (d *Decoder) Reader(r io.Reader) io.Reader { + return transform.NewReader(r, d) +} + +// An Encoder converts bytes from UTF-8. It implements transform.Transformer. +// +// Each rune that cannot be transcoded will result in an error. In this case, +// the transform will consume all source byte up to, not including the offending +// rune. Transforming source bytes that are not valid UTF-8 will be replaced by +// `\uFFFD`. To return early with an error instead, use transform.Chain to +// preprocess the data with a UTF8Validator. +type Encoder struct { + transform.Transformer + + // This forces external creators of Encoders to use names in struct + // initializers, allowing for future extendibility without having to break + // code. + _ struct{} +} + +// Bytes converts bytes from UTF-8. It returns the converted bytes or nil, err if +// any error occurred. +func (e *Encoder) Bytes(b []byte) ([]byte, error) { + b, _, err := transform.Bytes(e, b) + if err != nil { + return nil, err + } + return b, nil +} + +// String converts a string from UTF-8. It returns the converted string or +// "", err if any error occurred. +func (e *Encoder) String(s string) (string, error) { + s, _, err := transform.String(e, s) + if err != nil { + return "", err + } + return s, nil +} + +// Writer wraps another Writer to encode its UTF-8 output. +// +// The Encoder may not be used for any other operation as long as the returned +// Writer is in use. +func (e *Encoder) Writer(w io.Writer) io.Writer { + return transform.NewWriter(w, e) +} + +// ASCIISub is the ASCII substitute character, as recommended by +// https://unicode.org/reports/tr36/#Text_Comparison +const ASCIISub = '\x1a' + +// Nop is the nop encoding. Its transformed bytes are the same as the source +// bytes; it does not replace invalid UTF-8 sequences. +var Nop Encoding = nop{} + +type nop struct{} + +func (nop) NewDecoder() *Decoder { + return &Decoder{Transformer: transform.Nop} +} +func (nop) NewEncoder() *Encoder { + return &Encoder{Transformer: transform.Nop} +} + +// Replacement is the replacement encoding. Decoding from the replacement +// encoding yields a single '\uFFFD' replacement rune. Encoding from UTF-8 to +// the replacement encoding yields the same as the source bytes except that +// invalid UTF-8 is converted to '\uFFFD'. +// +// It is defined at http://encoding.spec.whatwg.org/#replacement +var Replacement Encoding = replacement{} + +type replacement struct{} + +func (replacement) NewDecoder() *Decoder { + return &Decoder{Transformer: replacementDecoder{}} +} + +func (replacement) NewEncoder() *Encoder { + return &Encoder{Transformer: replacementEncoder{}} +} + +func (replacement) ID() (mib identifier.MIB, other string) { + return identifier.Replacement, "" +} + +type replacementDecoder struct{ transform.NopResetter } + +func (replacementDecoder) Transform(dst, src []byte, atEOF bool) (nDst, nSrc int, err error) { + if len(dst) < 3 { + return 0, 0, transform.ErrShortDst + } + if atEOF { + const fffd = "\ufffd" + dst[0] = fffd[0] + dst[1] = fffd[1] + dst[2] = fffd[2] + nDst = 3 + } + return nDst, len(src), nil +} + +type replacementEncoder struct{ transform.NopResetter } + +func (replacementEncoder) Transform(dst, src []byte, atEOF bool) (nDst, nSrc int, err error) { + r, size := rune(0), 0 + + for ; nSrc < len(src); nSrc += size { + r = rune(src[nSrc]) + + // Decode a 1-byte rune. + if r < utf8.RuneSelf { + size = 1 + + } else { + // Decode a multi-byte rune. + r, size = utf8.DecodeRune(src[nSrc:]) + if size == 1 { + // All valid runes of size 1 (those below utf8.RuneSelf) were + // handled above. We have invalid UTF-8 or we haven't seen the + // full character yet. + if !atEOF && !utf8.FullRune(src[nSrc:]) { + err = transform.ErrShortSrc + break + } + r = '\ufffd' + } + } + + if nDst+utf8.RuneLen(r) > len(dst) { + err = transform.ErrShortDst + break + } + nDst += utf8.EncodeRune(dst[nDst:], r) + } + return nDst, nSrc, err +} + +// HTMLEscapeUnsupported wraps encoders to replace source runes outside the +// repertoire of the destination encoding with HTML escape sequences. +// +// This wrapper exists to comply to URL and HTML forms requiring a +// non-terminating legacy encoder. The produced sequences may lead to data +// loss as they are indistinguishable from legitimate input. To avoid this +// issue, use UTF-8 encodings whenever possible. +func HTMLEscapeUnsupported(e *Encoder) *Encoder { + return &Encoder{Transformer: &errorHandler{e, errorToHTML}} +} + +// ReplaceUnsupported wraps encoders to replace source runes outside the +// repertoire of the destination encoding with an encoding-specific +// replacement. +// +// This wrapper is only provided for backwards compatibility and legacy +// handling. Its use is strongly discouraged. Use UTF-8 whenever possible. +func ReplaceUnsupported(e *Encoder) *Encoder { + return &Encoder{Transformer: &errorHandler{e, errorToReplacement}} +} + +type errorHandler struct { + *Encoder + handler func(dst []byte, r rune, err repertoireError) (n int, ok bool) +} + +// TODO: consider making this error public in some form. +type repertoireError interface { + Replacement() byte +} + +func (h errorHandler) Transform(dst, src []byte, atEOF bool) (nDst, nSrc int, err error) { + nDst, nSrc, err = h.Transformer.Transform(dst, src, atEOF) + for err != nil { + rerr, ok := err.(repertoireError) + if !ok { + return nDst, nSrc, err + } + r, sz := utf8.DecodeRune(src[nSrc:]) + n, ok := h.handler(dst[nDst:], r, rerr) + if !ok { + return nDst, nSrc, transform.ErrShortDst + } + err = nil + nDst += n + if nSrc += sz; nSrc < len(src) { + var dn, sn int + dn, sn, err = h.Transformer.Transform(dst[nDst:], src[nSrc:], atEOF) + nDst += dn + nSrc += sn + } + } + return nDst, nSrc, err +} + +func errorToHTML(dst []byte, r rune, err repertoireError) (n int, ok bool) { + buf := [8]byte{} + b := strconv.AppendUint(buf[:0], uint64(r), 10) + if n = len(b) + len("&#;"); n >= len(dst) { + return 0, false + } + dst[0] = '&' + dst[1] = '#' + dst[copy(dst[2:], b)+2] = ';' + return n, true +} + +func errorToReplacement(dst []byte, r rune, err repertoireError) (n int, ok bool) { + if len(dst) == 0 { + return 0, false + } + dst[0] = err.Replacement() + return 1, true +} + +// ErrInvalidUTF8 means that a transformer encountered invalid UTF-8. +var ErrInvalidUTF8 = errors.New("encoding: invalid UTF-8") + +// UTF8Validator is a transformer that returns ErrInvalidUTF8 on the first +// input byte that is not valid UTF-8. +var UTF8Validator transform.Transformer = utf8Validator{} + +type utf8Validator struct{ transform.NopResetter } + +func (utf8Validator) Transform(dst, src []byte, atEOF bool) (nDst, nSrc int, err error) { + n := len(src) + if n > len(dst) { + n = len(dst) + } + for i := 0; i < n; { + if c := src[i]; c < utf8.RuneSelf { + dst[i] = c + i++ + continue + } + _, size := utf8.DecodeRune(src[i:]) + if size == 1 { + // All valid runes of size 1 (those below utf8.RuneSelf) were + // handled above. We have invalid UTF-8 or we haven't seen the + // full character yet. + err = ErrInvalidUTF8 + if !atEOF && !utf8.FullRune(src[i:]) { + err = transform.ErrShortSrc + } + return i, i, err + } + if i+size > len(dst) { + return i, i, transform.ErrShortDst + } + for ; size > 0; size-- { + dst[i] = src[i] + i++ + } + } + if len(src) > len(dst) { + err = transform.ErrShortDst + } + return n, n, err +} diff --git a/vendor/golang.org/x/text/encoding/internal/identifier/identifier.go b/vendor/golang.org/x/text/encoding/internal/identifier/identifier.go new file mode 100644 index 0000000000..5c9b85c280 --- /dev/null +++ b/vendor/golang.org/x/text/encoding/internal/identifier/identifier.go @@ -0,0 +1,81 @@ +// Copyright 2015 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +//go:generate go run gen.go + +// Package identifier defines the contract between implementations of Encoding +// and Index by defining identifiers that uniquely identify standardized coded +// character sets (CCS) and character encoding schemes (CES), which we will +// together refer to as encodings, for which Encoding implementations provide +// converters to and from UTF-8. This package is typically only of concern to +// implementers of Indexes and Encodings. +// +// One part of the identifier is the MIB code, which is defined by IANA and +// uniquely identifies a CCS or CES. Each code is associated with data that +// references authorities, official documentation as well as aliases and MIME +// names. +// +// Not all CESs are covered by the IANA registry. The "other" string that is +// returned by ID can be used to identify other character sets or versions of +// existing ones. +// +// It is recommended that each package that provides a set of Encodings provide +// the All and Common variables to reference all supported encodings and +// commonly used subset. This allows Index implementations to include all +// available encodings without explicitly referencing or knowing about them. +package identifier + +// Note: this package is internal, but could be made public if there is a need +// for writing third-party Indexes and Encodings. + +// References: +// - http://source.icu-project.org/repos/icu/icu/trunk/source/data/mappings/convrtrs.txt +// - http://www.iana.org/assignments/character-sets/character-sets.xhtml +// - http://www.iana.org/assignments/ianacharset-mib/ianacharset-mib +// - http://www.ietf.org/rfc/rfc2978.txt +// - https://www.unicode.org/reports/tr22/ +// - http://www.w3.org/TR/encoding/ +// - https://encoding.spec.whatwg.org/ +// - https://encoding.spec.whatwg.org/encodings.json +// - https://tools.ietf.org/html/rfc6657#section-5 + +// Interface can be implemented by Encodings to define the CCS or CES for which +// it implements conversions. +type Interface interface { + // ID returns an encoding identifier. Exactly one of the mib and other + // values should be non-zero. + // + // In the usual case it is only necessary to indicate the MIB code. The + // other string can be used to specify encodings for which there is no MIB, + // such as "x-mac-dingbat". + // + // The other string may only contain the characters a-z, A-Z, 0-9, - and _. + ID() (mib MIB, other string) + + // NOTE: the restrictions on the encoding are to allow extending the syntax + // with additional information such as versions, vendors and other variants. +} + +// A MIB identifies an encoding. It is derived from the IANA MIB codes and adds +// some identifiers for some encodings that are not covered by the IANA +// standard. +// +// See http://www.iana.org/assignments/ianacharset-mib. +type MIB uint16 + +// These additional MIB types are not defined in IANA. They are added because +// they are common and defined within the text repo. +const ( + // Unofficial marks the start of encodings not registered by IANA. + Unofficial MIB = 10000 + iota + + // Replacement is the WhatWG replacement encoding. + Replacement + + // XUserDefined is the code for x-user-defined. + XUserDefined + + // MacintoshCyrillic is the code for x-mac-cyrillic. + MacintoshCyrillic +) diff --git a/vendor/golang.org/x/text/encoding/internal/identifier/mib.go b/vendor/golang.org/x/text/encoding/internal/identifier/mib.go new file mode 100644 index 0000000000..351fb86e29 --- /dev/null +++ b/vendor/golang.org/x/text/encoding/internal/identifier/mib.go @@ -0,0 +1,1627 @@ +// Code generated by running "go generate" in golang.org/x/text. DO NOT EDIT. + +package identifier + +const ( + // ASCII is the MIB identifier with IANA name US-ASCII (MIME: US-ASCII). + // + // ANSI X3.4-1986 + // Reference: RFC2046 + ASCII MIB = 3 + + // ISOLatin1 is the MIB identifier with IANA name ISO_8859-1:1987 (MIME: ISO-8859-1). + // + // ISO-IR: International Register of Escape Sequences + // Note: The current registration authority is IPSJ/ITSCJ, Japan. + // Reference: RFC1345 + ISOLatin1 MIB = 4 + + // ISOLatin2 is the MIB identifier with IANA name ISO_8859-2:1987 (MIME: ISO-8859-2). + // + // ISO-IR: International Register of Escape Sequences + // Note: The current registration authority is IPSJ/ITSCJ, Japan. + // Reference: RFC1345 + ISOLatin2 MIB = 5 + + // ISOLatin3 is the MIB identifier with IANA name ISO_8859-3:1988 (MIME: ISO-8859-3). + // + // ISO-IR: International Register of Escape Sequences + // Note: The current registration authority is IPSJ/ITSCJ, Japan. + // Reference: RFC1345 + ISOLatin3 MIB = 6 + + // ISOLatin4 is the MIB identifier with IANA name ISO_8859-4:1988 (MIME: ISO-8859-4). + // + // ISO-IR: International Register of Escape Sequences + // Note: The current registration authority is IPSJ/ITSCJ, Japan. + // Reference: RFC1345 + ISOLatin4 MIB = 7 + + // ISOLatinCyrillic is the MIB identifier with IANA name ISO_8859-5:1988 (MIME: ISO-8859-5). + // + // ISO-IR: International Register of Escape Sequences + // Note: The current registration authority is IPSJ/ITSCJ, Japan. + // Reference: RFC1345 + ISOLatinCyrillic MIB = 8 + + // ISOLatinArabic is the MIB identifier with IANA name ISO_8859-6:1987 (MIME: ISO-8859-6). + // + // ISO-IR: International Register of Escape Sequences + // Note: The current registration authority is IPSJ/ITSCJ, Japan. + // Reference: RFC1345 + ISOLatinArabic MIB = 9 + + // ISOLatinGreek is the MIB identifier with IANA name ISO_8859-7:1987 (MIME: ISO-8859-7). + // + // ISO-IR: International Register of Escape Sequences + // Note: The current registration authority is IPSJ/ITSCJ, Japan. + // Reference: RFC1947 + // Reference: RFC1345 + ISOLatinGreek MIB = 10 + + // ISOLatinHebrew is the MIB identifier with IANA name ISO_8859-8:1988 (MIME: ISO-8859-8). + // + // ISO-IR: International Register of Escape Sequences + // Note: The current registration authority is IPSJ/ITSCJ, Japan. + // Reference: RFC1345 + ISOLatinHebrew MIB = 11 + + // ISOLatin5 is the MIB identifier with IANA name ISO_8859-9:1989 (MIME: ISO-8859-9). + // + // ISO-IR: International Register of Escape Sequences + // Note: The current registration authority is IPSJ/ITSCJ, Japan. + // Reference: RFC1345 + ISOLatin5 MIB = 12 + + // ISOLatin6 is the MIB identifier with IANA name ISO-8859-10 (MIME: ISO-8859-10). + // + // ISO-IR: International Register of Escape Sequences + // Note: The current registration authority is IPSJ/ITSCJ, Japan. + // Reference: RFC1345 + ISOLatin6 MIB = 13 + + // ISOTextComm is the MIB identifier with IANA name ISO_6937-2-add. + // + // ISO-IR: International Register of Escape Sequences and ISO 6937-2:1983 + // Note: The current registration authority is IPSJ/ITSCJ, Japan. + // Reference: RFC1345 + ISOTextComm MIB = 14 + + // HalfWidthKatakana is the MIB identifier with IANA name JIS_X0201. + // + // JIS X 0201-1976. One byte only, this is equivalent to + // JIS/Roman (similar to ASCII) plus eight-bit half-width + // Katakana + // Reference: RFC1345 + HalfWidthKatakana MIB = 15 + + // JISEncoding is the MIB identifier with IANA name JIS_Encoding. + // + // JIS X 0202-1991. Uses ISO 2022 escape sequences to + // shift code sets as documented in JIS X 0202-1991. + JISEncoding MIB = 16 + + // ShiftJIS is the MIB identifier with IANA name Shift_JIS (MIME: Shift_JIS). + // + // This charset is an extension of csHalfWidthKatakana by + // adding graphic characters in JIS X 0208. The CCS's are + // JIS X0201:1997 and JIS X0208:1997. The + // complete definition is shown in Appendix 1 of JIS + // X0208:1997. + // This charset can be used for the top-level media type "text". + ShiftJIS MIB = 17 + + // EUCPkdFmtJapanese is the MIB identifier with IANA name Extended_UNIX_Code_Packed_Format_for_Japanese (MIME: EUC-JP). + // + // Standardized by OSF, UNIX International, and UNIX Systems + // Laboratories Pacific. Uses ISO 2022 rules to select + // code set 0: US-ASCII (a single 7-bit byte set) + // code set 1: JIS X0208-1990 (a double 8-bit byte set) + // restricted to A0-FF in both bytes + // code set 2: Half Width Katakana (a single 7-bit byte set) + // requiring SS2 as the character prefix + // code set 3: JIS X0212-1990 (a double 7-bit byte set) + // restricted to A0-FF in both bytes + // requiring SS3 as the character prefix + EUCPkdFmtJapanese MIB = 18 + + // EUCFixWidJapanese is the MIB identifier with IANA name Extended_UNIX_Code_Fixed_Width_for_Japanese. + // + // Used in Japan. Each character is 2 octets. + // code set 0: US-ASCII (a single 7-bit byte set) + // 1st byte = 00 + // 2nd byte = 20-7E + // code set 1: JIS X0208-1990 (a double 7-bit byte set) + // restricted to A0-FF in both bytes + // code set 2: Half Width Katakana (a single 7-bit byte set) + // 1st byte = 00 + // 2nd byte = A0-FF + // code set 3: JIS X0212-1990 (a double 7-bit byte set) + // restricted to A0-FF in + // the first byte + // and 21-7E in the second byte + EUCFixWidJapanese MIB = 19 + + // ISO4UnitedKingdom is the MIB identifier with IANA name BS_4730. + // + // ISO-IR: International Register of Escape Sequences + // Note: The current registration authority is IPSJ/ITSCJ, Japan. + // Reference: RFC1345 + ISO4UnitedKingdom MIB = 20 + + // ISO11SwedishForNames is the MIB identifier with IANA name SEN_850200_C. + // + // ISO-IR: International Register of Escape Sequences + // Note: The current registration authority is IPSJ/ITSCJ, Japan. + // Reference: RFC1345 + ISO11SwedishForNames MIB = 21 + + // ISO15Italian is the MIB identifier with IANA name IT. + // + // ISO-IR: International Register of Escape Sequences + // Note: The current registration authority is IPSJ/ITSCJ, Japan. + // Reference: RFC1345 + ISO15Italian MIB = 22 + + // ISO17Spanish is the MIB identifier with IANA name ES. + // + // ISO-IR: International Register of Escape Sequences + // Note: The current registration authority is IPSJ/ITSCJ, Japan. + // Reference: RFC1345 + ISO17Spanish MIB = 23 + + // ISO21German is the MIB identifier with IANA name DIN_66003. + // + // ISO-IR: International Register of Escape Sequences + // Note: The current registration authority is IPSJ/ITSCJ, Japan. + // Reference: RFC1345 + ISO21German MIB = 24 + + // ISO60Norwegian1 is the MIB identifier with IANA name NS_4551-1. + // + // ISO-IR: International Register of Escape Sequences + // Note: The current registration authority is IPSJ/ITSCJ, Japan. + // Reference: RFC1345 + ISO60Norwegian1 MIB = 25 + + // ISO69French is the MIB identifier with IANA name NF_Z_62-010. + // + // ISO-IR: International Register of Escape Sequences + // Note: The current registration authority is IPSJ/ITSCJ, Japan. + // Reference: RFC1345 + ISO69French MIB = 26 + + // ISO10646UTF1 is the MIB identifier with IANA name ISO-10646-UTF-1. + // + // Universal Transfer Format (1), this is the multibyte + // encoding, that subsets ASCII-7. It does not have byte + // ordering issues. + ISO10646UTF1 MIB = 27 + + // ISO646basic1983 is the MIB identifier with IANA name ISO_646.basic:1983. + // + // ISO-IR: International Register of Escape Sequences + // Note: The current registration authority is IPSJ/ITSCJ, Japan. + // Reference: RFC1345 + ISO646basic1983 MIB = 28 + + // INVARIANT is the MIB identifier with IANA name INVARIANT. + // + // Reference: RFC1345 + INVARIANT MIB = 29 + + // ISO2IntlRefVersion is the MIB identifier with IANA name ISO_646.irv:1983. + // + // ISO-IR: International Register of Escape Sequences + // Note: The current registration authority is IPSJ/ITSCJ, Japan. + // Reference: RFC1345 + ISO2IntlRefVersion MIB = 30 + + // NATSSEFI is the MIB identifier with IANA name NATS-SEFI. + // + // ISO-IR: International Register of Escape Sequences + // Note: The current registration authority is IPSJ/ITSCJ, Japan. + // Reference: RFC1345 + NATSSEFI MIB = 31 + + // NATSSEFIADD is the MIB identifier with IANA name NATS-SEFI-ADD. + // + // ISO-IR: International Register of Escape Sequences + // Note: The current registration authority is IPSJ/ITSCJ, Japan. + // Reference: RFC1345 + NATSSEFIADD MIB = 32 + + // NATSDANO is the MIB identifier with IANA name NATS-DANO. + // + // ISO-IR: International Register of Escape Sequences + // Note: The current registration authority is IPSJ/ITSCJ, Japan. + // Reference: RFC1345 + NATSDANO MIB = 33 + + // NATSDANOADD is the MIB identifier with IANA name NATS-DANO-ADD. + // + // ISO-IR: International Register of Escape Sequences + // Note: The current registration authority is IPSJ/ITSCJ, Japan. + // Reference: RFC1345 + NATSDANOADD MIB = 34 + + // ISO10Swedish is the MIB identifier with IANA name SEN_850200_B. + // + // ISO-IR: International Register of Escape Sequences + // Note: The current registration authority is IPSJ/ITSCJ, Japan. + // Reference: RFC1345 + ISO10Swedish MIB = 35 + + // KSC56011987 is the MIB identifier with IANA name KS_C_5601-1987. + // + // ISO-IR: International Register of Escape Sequences + // Note: The current registration authority is IPSJ/ITSCJ, Japan. + // Reference: RFC1345 + KSC56011987 MIB = 36 + + // ISO2022KR is the MIB identifier with IANA name ISO-2022-KR (MIME: ISO-2022-KR). + // + // rfc1557 (see also KS_C_5601-1987) + // Reference: RFC1557 + ISO2022KR MIB = 37 + + // EUCKR is the MIB identifier with IANA name EUC-KR (MIME: EUC-KR). + // + // rfc1557 (see also KS_C_5861-1992) + // Reference: RFC1557 + EUCKR MIB = 38 + + // ISO2022JP is the MIB identifier with IANA name ISO-2022-JP (MIME: ISO-2022-JP). + // + // rfc1468 (see also rfc2237 ) + // Reference: RFC1468 + ISO2022JP MIB = 39 + + // ISO2022JP2 is the MIB identifier with IANA name ISO-2022-JP-2 (MIME: ISO-2022-JP-2). + // + // rfc1554 + // Reference: RFC1554 + ISO2022JP2 MIB = 40 + + // ISO13JISC6220jp is the MIB identifier with IANA name JIS_C6220-1969-jp. + // + // ISO-IR: International Register of Escape Sequences + // Note: The current registration authority is IPSJ/ITSCJ, Japan. + // Reference: RFC1345 + ISO13JISC6220jp MIB = 41 + + // ISO14JISC6220ro is the MIB identifier with IANA name JIS_C6220-1969-ro. + // + // ISO-IR: International Register of Escape Sequences + // Note: The current registration authority is IPSJ/ITSCJ, Japan. + // Reference: RFC1345 + ISO14JISC6220ro MIB = 42 + + // ISO16Portuguese is the MIB identifier with IANA name PT. + // + // ISO-IR: International Register of Escape Sequences + // Note: The current registration authority is IPSJ/ITSCJ, Japan. + // Reference: RFC1345 + ISO16Portuguese MIB = 43 + + // ISO18Greek7Old is the MIB identifier with IANA name greek7-old. + // + // ISO-IR: International Register of Escape Sequences + // Note: The current registration authority is IPSJ/ITSCJ, Japan. + // Reference: RFC1345 + ISO18Greek7Old MIB = 44 + + // ISO19LatinGreek is the MIB identifier with IANA name latin-greek. + // + // ISO-IR: International Register of Escape Sequences + // Note: The current registration authority is IPSJ/ITSCJ, Japan. + // Reference: RFC1345 + ISO19LatinGreek MIB = 45 + + // ISO25French is the MIB identifier with IANA name NF_Z_62-010_(1973). + // + // ISO-IR: International Register of Escape Sequences + // Note: The current registration authority is IPSJ/ITSCJ, Japan. + // Reference: RFC1345 + ISO25French MIB = 46 + + // ISO27LatinGreek1 is the MIB identifier with IANA name Latin-greek-1. + // + // ISO-IR: International Register of Escape Sequences + // Note: The current registration authority is IPSJ/ITSCJ, Japan. + // Reference: RFC1345 + ISO27LatinGreek1 MIB = 47 + + // ISO5427Cyrillic is the MIB identifier with IANA name ISO_5427. + // + // ISO-IR: International Register of Escape Sequences + // Note: The current registration authority is IPSJ/ITSCJ, Japan. + // Reference: RFC1345 + ISO5427Cyrillic MIB = 48 + + // ISO42JISC62261978 is the MIB identifier with IANA name JIS_C6226-1978. + // + // ISO-IR: International Register of Escape Sequences + // Note: The current registration authority is IPSJ/ITSCJ, Japan. + // Reference: RFC1345 + ISO42JISC62261978 MIB = 49 + + // ISO47BSViewdata is the MIB identifier with IANA name BS_viewdata. + // + // ISO-IR: International Register of Escape Sequences + // Note: The current registration authority is IPSJ/ITSCJ, Japan. + // Reference: RFC1345 + ISO47BSViewdata MIB = 50 + + // ISO49INIS is the MIB identifier with IANA name INIS. + // + // ISO-IR: International Register of Escape Sequences + // Note: The current registration authority is IPSJ/ITSCJ, Japan. + // Reference: RFC1345 + ISO49INIS MIB = 51 + + // ISO50INIS8 is the MIB identifier with IANA name INIS-8. + // + // ISO-IR: International Register of Escape Sequences + // Note: The current registration authority is IPSJ/ITSCJ, Japan. + // Reference: RFC1345 + ISO50INIS8 MIB = 52 + + // ISO51INISCyrillic is the MIB identifier with IANA name INIS-cyrillic. + // + // ISO-IR: International Register of Escape Sequences + // Note: The current registration authority is IPSJ/ITSCJ, Japan. + // Reference: RFC1345 + ISO51INISCyrillic MIB = 53 + + // ISO54271981 is the MIB identifier with IANA name ISO_5427:1981. + // + // ISO-IR: International Register of Escape Sequences + // Note: The current registration authority is IPSJ/ITSCJ, Japan. + // Reference: RFC1345 + ISO54271981 MIB = 54 + + // ISO5428Greek is the MIB identifier with IANA name ISO_5428:1980. + // + // ISO-IR: International Register of Escape Sequences + // Note: The current registration authority is IPSJ/ITSCJ, Japan. + // Reference: RFC1345 + ISO5428Greek MIB = 55 + + // ISO57GB1988 is the MIB identifier with IANA name GB_1988-80. + // + // ISO-IR: International Register of Escape Sequences + // Note: The current registration authority is IPSJ/ITSCJ, Japan. + // Reference: RFC1345 + ISO57GB1988 MIB = 56 + + // ISO58GB231280 is the MIB identifier with IANA name GB_2312-80. + // + // ISO-IR: International Register of Escape Sequences + // Note: The current registration authority is IPSJ/ITSCJ, Japan. + // Reference: RFC1345 + ISO58GB231280 MIB = 57 + + // ISO61Norwegian2 is the MIB identifier with IANA name NS_4551-2. + // + // ISO-IR: International Register of Escape Sequences + // Note: The current registration authority is IPSJ/ITSCJ, Japan. + // Reference: RFC1345 + ISO61Norwegian2 MIB = 58 + + // ISO70VideotexSupp1 is the MIB identifier with IANA name videotex-suppl. + // + // ISO-IR: International Register of Escape Sequences + // Note: The current registration authority is IPSJ/ITSCJ, Japan. + // Reference: RFC1345 + ISO70VideotexSupp1 MIB = 59 + + // ISO84Portuguese2 is the MIB identifier with IANA name PT2. + // + // ISO-IR: International Register of Escape Sequences + // Note: The current registration authority is IPSJ/ITSCJ, Japan. + // Reference: RFC1345 + ISO84Portuguese2 MIB = 60 + + // ISO85Spanish2 is the MIB identifier with IANA name ES2. + // + // ISO-IR: International Register of Escape Sequences + // Note: The current registration authority is IPSJ/ITSCJ, Japan. + // Reference: RFC1345 + ISO85Spanish2 MIB = 61 + + // ISO86Hungarian is the MIB identifier with IANA name MSZ_7795.3. + // + // ISO-IR: International Register of Escape Sequences + // Note: The current registration authority is IPSJ/ITSCJ, Japan. + // Reference: RFC1345 + ISO86Hungarian MIB = 62 + + // ISO87JISX0208 is the MIB identifier with IANA name JIS_C6226-1983. + // + // ISO-IR: International Register of Escape Sequences + // Note: The current registration authority is IPSJ/ITSCJ, Japan. + // Reference: RFC1345 + ISO87JISX0208 MIB = 63 + + // ISO88Greek7 is the MIB identifier with IANA name greek7. + // + // ISO-IR: International Register of Escape Sequences + // Note: The current registration authority is IPSJ/ITSCJ, Japan. + // Reference: RFC1345 + ISO88Greek7 MIB = 64 + + // ISO89ASMO449 is the MIB identifier with IANA name ASMO_449. + // + // ISO-IR: International Register of Escape Sequences + // Note: The current registration authority is IPSJ/ITSCJ, Japan. + // Reference: RFC1345 + ISO89ASMO449 MIB = 65 + + // ISO90 is the MIB identifier with IANA name iso-ir-90. + // + // ISO-IR: International Register of Escape Sequences + // Note: The current registration authority is IPSJ/ITSCJ, Japan. + // Reference: RFC1345 + ISO90 MIB = 66 + + // ISO91JISC62291984a is the MIB identifier with IANA name JIS_C6229-1984-a. + // + // ISO-IR: International Register of Escape Sequences + // Note: The current registration authority is IPSJ/ITSCJ, Japan. + // Reference: RFC1345 + ISO91JISC62291984a MIB = 67 + + // ISO92JISC62991984b is the MIB identifier with IANA name JIS_C6229-1984-b. + // + // ISO-IR: International Register of Escape Sequences + // Note: The current registration authority is IPSJ/ITSCJ, Japan. + // Reference: RFC1345 + ISO92JISC62991984b MIB = 68 + + // ISO93JIS62291984badd is the MIB identifier with IANA name JIS_C6229-1984-b-add. + // + // ISO-IR: International Register of Escape Sequences + // Note: The current registration authority is IPSJ/ITSCJ, Japan. + // Reference: RFC1345 + ISO93JIS62291984badd MIB = 69 + + // ISO94JIS62291984hand is the MIB identifier with IANA name JIS_C6229-1984-hand. + // + // ISO-IR: International Register of Escape Sequences + // Note: The current registration authority is IPSJ/ITSCJ, Japan. + // Reference: RFC1345 + ISO94JIS62291984hand MIB = 70 + + // ISO95JIS62291984handadd is the MIB identifier with IANA name JIS_C6229-1984-hand-add. + // + // ISO-IR: International Register of Escape Sequences + // Note: The current registration authority is IPSJ/ITSCJ, Japan. + // Reference: RFC1345 + ISO95JIS62291984handadd MIB = 71 + + // ISO96JISC62291984kana is the MIB identifier with IANA name JIS_C6229-1984-kana. + // + // ISO-IR: International Register of Escape Sequences + // Note: The current registration authority is IPSJ/ITSCJ, Japan. + // Reference: RFC1345 + ISO96JISC62291984kana MIB = 72 + + // ISO2033 is the MIB identifier with IANA name ISO_2033-1983. + // + // ISO-IR: International Register of Escape Sequences + // Note: The current registration authority is IPSJ/ITSCJ, Japan. + // Reference: RFC1345 + ISO2033 MIB = 73 + + // ISO99NAPLPS is the MIB identifier with IANA name ANSI_X3.110-1983. + // + // ISO-IR: International Register of Escape Sequences + // Note: The current registration authority is IPSJ/ITSCJ, Japan. + // Reference: RFC1345 + ISO99NAPLPS MIB = 74 + + // ISO102T617bit is the MIB identifier with IANA name T.61-7bit. + // + // ISO-IR: International Register of Escape Sequences + // Note: The current registration authority is IPSJ/ITSCJ, Japan. + // Reference: RFC1345 + ISO102T617bit MIB = 75 + + // ISO103T618bit is the MIB identifier with IANA name T.61-8bit. + // + // ISO-IR: International Register of Escape Sequences + // Note: The current registration authority is IPSJ/ITSCJ, Japan. + // Reference: RFC1345 + ISO103T618bit MIB = 76 + + // ISO111ECMACyrillic is the MIB identifier with IANA name ECMA-cyrillic. + // + // ISO registry + ISO111ECMACyrillic MIB = 77 + + // ISO121Canadian1 is the MIB identifier with IANA name CSA_Z243.4-1985-1. + // + // ISO-IR: International Register of Escape Sequences + // Note: The current registration authority is IPSJ/ITSCJ, Japan. + // Reference: RFC1345 + ISO121Canadian1 MIB = 78 + + // ISO122Canadian2 is the MIB identifier with IANA name CSA_Z243.4-1985-2. + // + // ISO-IR: International Register of Escape Sequences + // Note: The current registration authority is IPSJ/ITSCJ, Japan. + // Reference: RFC1345 + ISO122Canadian2 MIB = 79 + + // ISO123CSAZ24341985gr is the MIB identifier with IANA name CSA_Z243.4-1985-gr. + // + // ISO-IR: International Register of Escape Sequences + // Note: The current registration authority is IPSJ/ITSCJ, Japan. + // Reference: RFC1345 + ISO123CSAZ24341985gr MIB = 80 + + // ISO88596E is the MIB identifier with IANA name ISO_8859-6-E (MIME: ISO-8859-6-E). + // + // rfc1556 + // Reference: RFC1556 + ISO88596E MIB = 81 + + // ISO88596I is the MIB identifier with IANA name ISO_8859-6-I (MIME: ISO-8859-6-I). + // + // rfc1556 + // Reference: RFC1556 + ISO88596I MIB = 82 + + // ISO128T101G2 is the MIB identifier with IANA name T.101-G2. + // + // ISO-IR: International Register of Escape Sequences + // Note: The current registration authority is IPSJ/ITSCJ, Japan. + // Reference: RFC1345 + ISO128T101G2 MIB = 83 + + // ISO88598E is the MIB identifier with IANA name ISO_8859-8-E (MIME: ISO-8859-8-E). + // + // rfc1556 + // Reference: RFC1556 + ISO88598E MIB = 84 + + // ISO88598I is the MIB identifier with IANA name ISO_8859-8-I (MIME: ISO-8859-8-I). + // + // rfc1556 + // Reference: RFC1556 + ISO88598I MIB = 85 + + // ISO139CSN369103 is the MIB identifier with IANA name CSN_369103. + // + // ISO-IR: International Register of Escape Sequences + // Note: The current registration authority is IPSJ/ITSCJ, Japan. + // Reference: RFC1345 + ISO139CSN369103 MIB = 86 + + // ISO141JUSIB1002 is the MIB identifier with IANA name JUS_I.B1.002. + // + // ISO-IR: International Register of Escape Sequences + // Note: The current registration authority is IPSJ/ITSCJ, Japan. + // Reference: RFC1345 + ISO141JUSIB1002 MIB = 87 + + // ISO143IECP271 is the MIB identifier with IANA name IEC_P27-1. + // + // ISO-IR: International Register of Escape Sequences + // Note: The current registration authority is IPSJ/ITSCJ, Japan. + // Reference: RFC1345 + ISO143IECP271 MIB = 88 + + // ISO146Serbian is the MIB identifier with IANA name JUS_I.B1.003-serb. + // + // ISO-IR: International Register of Escape Sequences + // Note: The current registration authority is IPSJ/ITSCJ, Japan. + // Reference: RFC1345 + ISO146Serbian MIB = 89 + + // ISO147Macedonian is the MIB identifier with IANA name JUS_I.B1.003-mac. + // + // ISO-IR: International Register of Escape Sequences + // Note: The current registration authority is IPSJ/ITSCJ, Japan. + // Reference: RFC1345 + ISO147Macedonian MIB = 90 + + // ISO150GreekCCITT is the MIB identifier with IANA name greek-ccitt. + // + // ISO-IR: International Register of Escape Sequences + // Note: The current registration authority is IPSJ/ITSCJ, Japan. + // Reference: RFC1345 + ISO150GreekCCITT MIB = 91 + + // ISO151Cuba is the MIB identifier with IANA name NC_NC00-10:81. + // + // ISO-IR: International Register of Escape Sequences + // Note: The current registration authority is IPSJ/ITSCJ, Japan. + // Reference: RFC1345 + ISO151Cuba MIB = 92 + + // ISO6937Add is the MIB identifier with IANA name ISO_6937-2-25. + // + // ISO-IR: International Register of Escape Sequences + // Note: The current registration authority is IPSJ/ITSCJ, Japan. + // Reference: RFC1345 + ISO6937Add MIB = 93 + + // ISO153GOST1976874 is the MIB identifier with IANA name GOST_19768-74. + // + // ISO-IR: International Register of Escape Sequences + // Note: The current registration authority is IPSJ/ITSCJ, Japan. + // Reference: RFC1345 + ISO153GOST1976874 MIB = 94 + + // ISO8859Supp is the MIB identifier with IANA name ISO_8859-supp. + // + // ISO-IR: International Register of Escape Sequences + // Note: The current registration authority is IPSJ/ITSCJ, Japan. + // Reference: RFC1345 + ISO8859Supp MIB = 95 + + // ISO10367Box is the MIB identifier with IANA name ISO_10367-box. + // + // ISO-IR: International Register of Escape Sequences + // Note: The current registration authority is IPSJ/ITSCJ, Japan. + // Reference: RFC1345 + ISO10367Box MIB = 96 + + // ISO158Lap is the MIB identifier with IANA name latin-lap. + // + // ISO-IR: International Register of Escape Sequences + // Note: The current registration authority is IPSJ/ITSCJ, Japan. + // Reference: RFC1345 + ISO158Lap MIB = 97 + + // ISO159JISX02121990 is the MIB identifier with IANA name JIS_X0212-1990. + // + // ISO-IR: International Register of Escape Sequences + // Note: The current registration authority is IPSJ/ITSCJ, Japan. + // Reference: RFC1345 + ISO159JISX02121990 MIB = 98 + + // ISO646Danish is the MIB identifier with IANA name DS_2089. + // + // Danish Standard, DS 2089, February 1974 + // Reference: RFC1345 + ISO646Danish MIB = 99 + + // USDK is the MIB identifier with IANA name us-dk. + // + // Reference: RFC1345 + USDK MIB = 100 + + // DKUS is the MIB identifier with IANA name dk-us. + // + // Reference: RFC1345 + DKUS MIB = 101 + + // KSC5636 is the MIB identifier with IANA name KSC5636. + // + // Reference: RFC1345 + KSC5636 MIB = 102 + + // Unicode11UTF7 is the MIB identifier with IANA name UNICODE-1-1-UTF-7. + // + // rfc1642 + // Reference: RFC1642 + Unicode11UTF7 MIB = 103 + + // ISO2022CN is the MIB identifier with IANA name ISO-2022-CN. + // + // rfc1922 + // Reference: RFC1922 + ISO2022CN MIB = 104 + + // ISO2022CNEXT is the MIB identifier with IANA name ISO-2022-CN-EXT. + // + // rfc1922 + // Reference: RFC1922 + ISO2022CNEXT MIB = 105 + + // UTF8 is the MIB identifier with IANA name UTF-8. + // + // rfc3629 + // Reference: RFC3629 + UTF8 MIB = 106 + + // ISO885913 is the MIB identifier with IANA name ISO-8859-13. + // + // ISO See https://www.iana.org/assignments/charset-reg/ISO-8859-13 https://www.iana.org/assignments/charset-reg/ISO-8859-13 + ISO885913 MIB = 109 + + // ISO885914 is the MIB identifier with IANA name ISO-8859-14. + // + // ISO See https://www.iana.org/assignments/charset-reg/ISO-8859-14 + ISO885914 MIB = 110 + + // ISO885915 is the MIB identifier with IANA name ISO-8859-15. + // + // ISO + // Please see: https://www.iana.org/assignments/charset-reg/ISO-8859-15 + ISO885915 MIB = 111 + + // ISO885916 is the MIB identifier with IANA name ISO-8859-16. + // + // ISO + ISO885916 MIB = 112 + + // GBK is the MIB identifier with IANA name GBK. + // + // Chinese IT Standardization Technical Committee + // Please see: https://www.iana.org/assignments/charset-reg/GBK + GBK MIB = 113 + + // GB18030 is the MIB identifier with IANA name GB18030. + // + // Chinese IT Standardization Technical Committee + // Please see: https://www.iana.org/assignments/charset-reg/GB18030 + GB18030 MIB = 114 + + // OSDEBCDICDF0415 is the MIB identifier with IANA name OSD_EBCDIC_DF04_15. + // + // Fujitsu-Siemens standard mainframe EBCDIC encoding + // Please see: https://www.iana.org/assignments/charset-reg/OSD-EBCDIC-DF04-15 + OSDEBCDICDF0415 MIB = 115 + + // OSDEBCDICDF03IRV is the MIB identifier with IANA name OSD_EBCDIC_DF03_IRV. + // + // Fujitsu-Siemens standard mainframe EBCDIC encoding + // Please see: https://www.iana.org/assignments/charset-reg/OSD-EBCDIC-DF03-IRV + OSDEBCDICDF03IRV MIB = 116 + + // OSDEBCDICDF041 is the MIB identifier with IANA name OSD_EBCDIC_DF04_1. + // + // Fujitsu-Siemens standard mainframe EBCDIC encoding + // Please see: https://www.iana.org/assignments/charset-reg/OSD-EBCDIC-DF04-1 + OSDEBCDICDF041 MIB = 117 + + // ISO115481 is the MIB identifier with IANA name ISO-11548-1. + // + // See https://www.iana.org/assignments/charset-reg/ISO-11548-1 + ISO115481 MIB = 118 + + // KZ1048 is the MIB identifier with IANA name KZ-1048. + // + // See https://www.iana.org/assignments/charset-reg/KZ-1048 + KZ1048 MIB = 119 + + // Unicode is the MIB identifier with IANA name ISO-10646-UCS-2. + // + // the 2-octet Basic Multilingual Plane, aka Unicode + // this needs to specify network byte order: the standard + // does not specify (it is a 16-bit integer space) + Unicode MIB = 1000 + + // UCS4 is the MIB identifier with IANA name ISO-10646-UCS-4. + // + // the full code space. (same comment about byte order, + // these are 31-bit numbers. + UCS4 MIB = 1001 + + // UnicodeASCII is the MIB identifier with IANA name ISO-10646-UCS-Basic. + // + // ASCII subset of Unicode. Basic Latin = collection 1 + // See ISO 10646, Appendix A + UnicodeASCII MIB = 1002 + + // UnicodeLatin1 is the MIB identifier with IANA name ISO-10646-Unicode-Latin1. + // + // ISO Latin-1 subset of Unicode. Basic Latin and Latin-1 + // Supplement = collections 1 and 2. See ISO 10646, + // Appendix A. See rfc1815 . + UnicodeLatin1 MIB = 1003 + + // UnicodeJapanese is the MIB identifier with IANA name ISO-10646-J-1. + // + // ISO 10646 Japanese, see rfc1815 . + UnicodeJapanese MIB = 1004 + + // UnicodeIBM1261 is the MIB identifier with IANA name ISO-Unicode-IBM-1261. + // + // IBM Latin-2, -3, -5, Extended Presentation Set, GCSGID: 1261 + UnicodeIBM1261 MIB = 1005 + + // UnicodeIBM1268 is the MIB identifier with IANA name ISO-Unicode-IBM-1268. + // + // IBM Latin-4 Extended Presentation Set, GCSGID: 1268 + UnicodeIBM1268 MIB = 1006 + + // UnicodeIBM1276 is the MIB identifier with IANA name ISO-Unicode-IBM-1276. + // + // IBM Cyrillic Greek Extended Presentation Set, GCSGID: 1276 + UnicodeIBM1276 MIB = 1007 + + // UnicodeIBM1264 is the MIB identifier with IANA name ISO-Unicode-IBM-1264. + // + // IBM Arabic Presentation Set, GCSGID: 1264 + UnicodeIBM1264 MIB = 1008 + + // UnicodeIBM1265 is the MIB identifier with IANA name ISO-Unicode-IBM-1265. + // + // IBM Hebrew Presentation Set, GCSGID: 1265 + UnicodeIBM1265 MIB = 1009 + + // Unicode11 is the MIB identifier with IANA name UNICODE-1-1. + // + // rfc1641 + // Reference: RFC1641 + Unicode11 MIB = 1010 + + // SCSU is the MIB identifier with IANA name SCSU. + // + // SCSU See https://www.iana.org/assignments/charset-reg/SCSU + SCSU MIB = 1011 + + // UTF7 is the MIB identifier with IANA name UTF-7. + // + // rfc2152 + // Reference: RFC2152 + UTF7 MIB = 1012 + + // UTF16BE is the MIB identifier with IANA name UTF-16BE. + // + // rfc2781 + // Reference: RFC2781 + UTF16BE MIB = 1013 + + // UTF16LE is the MIB identifier with IANA name UTF-16LE. + // + // rfc2781 + // Reference: RFC2781 + UTF16LE MIB = 1014 + + // UTF16 is the MIB identifier with IANA name UTF-16. + // + // rfc2781 + // Reference: RFC2781 + UTF16 MIB = 1015 + + // CESU8 is the MIB identifier with IANA name CESU-8. + // + // https://www.unicode.org/reports/tr26 + CESU8 MIB = 1016 + + // UTF32 is the MIB identifier with IANA name UTF-32. + // + // https://www.unicode.org/reports/tr19/ + UTF32 MIB = 1017 + + // UTF32BE is the MIB identifier with IANA name UTF-32BE. + // + // https://www.unicode.org/reports/tr19/ + UTF32BE MIB = 1018 + + // UTF32LE is the MIB identifier with IANA name UTF-32LE. + // + // https://www.unicode.org/reports/tr19/ + UTF32LE MIB = 1019 + + // BOCU1 is the MIB identifier with IANA name BOCU-1. + // + // https://www.unicode.org/notes/tn6/ + BOCU1 MIB = 1020 + + // UTF7IMAP is the MIB identifier with IANA name UTF-7-IMAP. + // + // Note: This charset is used to encode Unicode in IMAP mailbox names; + // see section 5.1.3 of rfc3501 . It should never be used + // outside this context. A name has been assigned so that charset processing + // implementations can refer to it in a consistent way. + UTF7IMAP MIB = 1021 + + // Windows30Latin1 is the MIB identifier with IANA name ISO-8859-1-Windows-3.0-Latin-1. + // + // Extended ISO 8859-1 Latin-1 for Windows 3.0. + // PCL Symbol Set id: 9U + Windows30Latin1 MIB = 2000 + + // Windows31Latin1 is the MIB identifier with IANA name ISO-8859-1-Windows-3.1-Latin-1. + // + // Extended ISO 8859-1 Latin-1 for Windows 3.1. + // PCL Symbol Set id: 19U + Windows31Latin1 MIB = 2001 + + // Windows31Latin2 is the MIB identifier with IANA name ISO-8859-2-Windows-Latin-2. + // + // Extended ISO 8859-2. Latin-2 for Windows 3.1. + // PCL Symbol Set id: 9E + Windows31Latin2 MIB = 2002 + + // Windows31Latin5 is the MIB identifier with IANA name ISO-8859-9-Windows-Latin-5. + // + // Extended ISO 8859-9. Latin-5 for Windows 3.1 + // PCL Symbol Set id: 5T + Windows31Latin5 MIB = 2003 + + // HPRoman8 is the MIB identifier with IANA name hp-roman8. + // + // LaserJet IIP Printer User's Manual, + // HP part no 33471-90901, Hewlet-Packard, June 1989. + // Reference: RFC1345 + HPRoman8 MIB = 2004 + + // AdobeStandardEncoding is the MIB identifier with IANA name Adobe-Standard-Encoding. + // + // PostScript Language Reference Manual + // PCL Symbol Set id: 10J + AdobeStandardEncoding MIB = 2005 + + // VenturaUS is the MIB identifier with IANA name Ventura-US. + // + // Ventura US. ASCII plus characters typically used in + // publishing, like pilcrow, copyright, registered, trade mark, + // section, dagger, and double dagger in the range A0 (hex) + // to FF (hex). + // PCL Symbol Set id: 14J + VenturaUS MIB = 2006 + + // VenturaInternational is the MIB identifier with IANA name Ventura-International. + // + // Ventura International. ASCII plus coded characters similar + // to Roman8. + // PCL Symbol Set id: 13J + VenturaInternational MIB = 2007 + + // DECMCS is the MIB identifier with IANA name DEC-MCS. + // + // VAX/VMS User's Manual, + // Order Number: AI-Y517A-TE, April 1986. + // Reference: RFC1345 + DECMCS MIB = 2008 + + // PC850Multilingual is the MIB identifier with IANA name IBM850. + // + // IBM NLS RM Vol2 SE09-8002-01, March 1990 + // Reference: RFC1345 + PC850Multilingual MIB = 2009 + + // PC8DanishNorwegian is the MIB identifier with IANA name PC8-Danish-Norwegian. + // + // PC Danish Norwegian + // 8-bit PC set for Danish Norwegian + // PCL Symbol Set id: 11U + PC8DanishNorwegian MIB = 2012 + + // PC862LatinHebrew is the MIB identifier with IANA name IBM862. + // + // IBM NLS RM Vol2 SE09-8002-01, March 1990 + // Reference: RFC1345 + PC862LatinHebrew MIB = 2013 + + // PC8Turkish is the MIB identifier with IANA name PC8-Turkish. + // + // PC Latin Turkish. PCL Symbol Set id: 9T + PC8Turkish MIB = 2014 + + // IBMSymbols is the MIB identifier with IANA name IBM-Symbols. + // + // Presentation Set, CPGID: 259 + IBMSymbols MIB = 2015 + + // IBMThai is the MIB identifier with IANA name IBM-Thai. + // + // Presentation Set, CPGID: 838 + IBMThai MIB = 2016 + + // HPLegal is the MIB identifier with IANA name HP-Legal. + // + // PCL 5 Comparison Guide, Hewlett-Packard, + // HP part number 5961-0510, October 1992 + // PCL Symbol Set id: 1U + HPLegal MIB = 2017 + + // HPPiFont is the MIB identifier with IANA name HP-Pi-font. + // + // PCL 5 Comparison Guide, Hewlett-Packard, + // HP part number 5961-0510, October 1992 + // PCL Symbol Set id: 15U + HPPiFont MIB = 2018 + + // HPMath8 is the MIB identifier with IANA name HP-Math8. + // + // PCL 5 Comparison Guide, Hewlett-Packard, + // HP part number 5961-0510, October 1992 + // PCL Symbol Set id: 8M + HPMath8 MIB = 2019 + + // HPPSMath is the MIB identifier with IANA name Adobe-Symbol-Encoding. + // + // PostScript Language Reference Manual + // PCL Symbol Set id: 5M + HPPSMath MIB = 2020 + + // HPDesktop is the MIB identifier with IANA name HP-DeskTop. + // + // PCL 5 Comparison Guide, Hewlett-Packard, + // HP part number 5961-0510, October 1992 + // PCL Symbol Set id: 7J + HPDesktop MIB = 2021 + + // VenturaMath is the MIB identifier with IANA name Ventura-Math. + // + // PCL 5 Comparison Guide, Hewlett-Packard, + // HP part number 5961-0510, October 1992 + // PCL Symbol Set id: 6M + VenturaMath MIB = 2022 + + // MicrosoftPublishing is the MIB identifier with IANA name Microsoft-Publishing. + // + // PCL 5 Comparison Guide, Hewlett-Packard, + // HP part number 5961-0510, October 1992 + // PCL Symbol Set id: 6J + MicrosoftPublishing MIB = 2023 + + // Windows31J is the MIB identifier with IANA name Windows-31J. + // + // Windows Japanese. A further extension of Shift_JIS + // to include NEC special characters (Row 13), NEC + // selection of IBM extensions (Rows 89 to 92), and IBM + // extensions (Rows 115 to 119). The CCS's are + // JIS X0201:1997, JIS X0208:1997, and these extensions. + // This charset can be used for the top-level media type "text", + // but it is of limited or specialized use (see rfc2278 ). + // PCL Symbol Set id: 19K + Windows31J MIB = 2024 + + // GB2312 is the MIB identifier with IANA name GB2312 (MIME: GB2312). + // + // Chinese for People's Republic of China (PRC) mixed one byte, + // two byte set: + // 20-7E = one byte ASCII + // A1-FE = two byte PRC Kanji + // See GB 2312-80 + // PCL Symbol Set Id: 18C + GB2312 MIB = 2025 + + // Big5 is the MIB identifier with IANA name Big5 (MIME: Big5). + // + // Chinese for Taiwan Multi-byte set. + // PCL Symbol Set Id: 18T + Big5 MIB = 2026 + + // Macintosh is the MIB identifier with IANA name macintosh. + // + // The Unicode Standard ver1.0, ISBN 0-201-56788-1, Oct 1991 + // Reference: RFC1345 + Macintosh MIB = 2027 + + // IBM037 is the MIB identifier with IANA name IBM037. + // + // IBM NLS RM Vol2 SE09-8002-01, March 1990 + // Reference: RFC1345 + IBM037 MIB = 2028 + + // IBM038 is the MIB identifier with IANA name IBM038. + // + // IBM 3174 Character Set Ref, GA27-3831-02, March 1990 + // Reference: RFC1345 + IBM038 MIB = 2029 + + // IBM273 is the MIB identifier with IANA name IBM273. + // + // IBM NLS RM Vol2 SE09-8002-01, March 1990 + // Reference: RFC1345 + IBM273 MIB = 2030 + + // IBM274 is the MIB identifier with IANA name IBM274. + // + // IBM 3174 Character Set Ref, GA27-3831-02, March 1990 + // Reference: RFC1345 + IBM274 MIB = 2031 + + // IBM275 is the MIB identifier with IANA name IBM275. + // + // IBM NLS RM Vol2 SE09-8002-01, March 1990 + // Reference: RFC1345 + IBM275 MIB = 2032 + + // IBM277 is the MIB identifier with IANA name IBM277. + // + // IBM NLS RM Vol2 SE09-8002-01, March 1990 + // Reference: RFC1345 + IBM277 MIB = 2033 + + // IBM278 is the MIB identifier with IANA name IBM278. + // + // IBM NLS RM Vol2 SE09-8002-01, March 1990 + // Reference: RFC1345 + IBM278 MIB = 2034 + + // IBM280 is the MIB identifier with IANA name IBM280. + // + // IBM NLS RM Vol2 SE09-8002-01, March 1990 + // Reference: RFC1345 + IBM280 MIB = 2035 + + // IBM281 is the MIB identifier with IANA name IBM281. + // + // IBM 3174 Character Set Ref, GA27-3831-02, March 1990 + // Reference: RFC1345 + IBM281 MIB = 2036 + + // IBM284 is the MIB identifier with IANA name IBM284. + // + // IBM NLS RM Vol2 SE09-8002-01, March 1990 + // Reference: RFC1345 + IBM284 MIB = 2037 + + // IBM285 is the MIB identifier with IANA name IBM285. + // + // IBM NLS RM Vol2 SE09-8002-01, March 1990 + // Reference: RFC1345 + IBM285 MIB = 2038 + + // IBM290 is the MIB identifier with IANA name IBM290. + // + // IBM 3174 Character Set Ref, GA27-3831-02, March 1990 + // Reference: RFC1345 + IBM290 MIB = 2039 + + // IBM297 is the MIB identifier with IANA name IBM297. + // + // IBM NLS RM Vol2 SE09-8002-01, March 1990 + // Reference: RFC1345 + IBM297 MIB = 2040 + + // IBM420 is the MIB identifier with IANA name IBM420. + // + // IBM NLS RM Vol2 SE09-8002-01, March 1990, + // IBM NLS RM p 11-11 + // Reference: RFC1345 + IBM420 MIB = 2041 + + // IBM423 is the MIB identifier with IANA name IBM423. + // + // IBM NLS RM Vol2 SE09-8002-01, March 1990 + // Reference: RFC1345 + IBM423 MIB = 2042 + + // IBM424 is the MIB identifier with IANA name IBM424. + // + // IBM NLS RM Vol2 SE09-8002-01, March 1990 + // Reference: RFC1345 + IBM424 MIB = 2043 + + // PC8CodePage437 is the MIB identifier with IANA name IBM437. + // + // IBM NLS RM Vol2 SE09-8002-01, March 1990 + // Reference: RFC1345 + PC8CodePage437 MIB = 2011 + + // IBM500 is the MIB identifier with IANA name IBM500. + // + // IBM NLS RM Vol2 SE09-8002-01, March 1990 + // Reference: RFC1345 + IBM500 MIB = 2044 + + // IBM851 is the MIB identifier with IANA name IBM851. + // + // IBM NLS RM Vol2 SE09-8002-01, March 1990 + // Reference: RFC1345 + IBM851 MIB = 2045 + + // PCp852 is the MIB identifier with IANA name IBM852. + // + // IBM NLS RM Vol2 SE09-8002-01, March 1990 + // Reference: RFC1345 + PCp852 MIB = 2010 + + // IBM855 is the MIB identifier with IANA name IBM855. + // + // IBM NLS RM Vol2 SE09-8002-01, March 1990 + // Reference: RFC1345 + IBM855 MIB = 2046 + + // IBM857 is the MIB identifier with IANA name IBM857. + // + // IBM NLS RM Vol2 SE09-8002-01, March 1990 + // Reference: RFC1345 + IBM857 MIB = 2047 + + // IBM860 is the MIB identifier with IANA name IBM860. + // + // IBM NLS RM Vol2 SE09-8002-01, March 1990 + // Reference: RFC1345 + IBM860 MIB = 2048 + + // IBM861 is the MIB identifier with IANA name IBM861. + // + // IBM NLS RM Vol2 SE09-8002-01, March 1990 + // Reference: RFC1345 + IBM861 MIB = 2049 + + // IBM863 is the MIB identifier with IANA name IBM863. + // + // IBM Keyboard layouts and code pages, PN 07G4586 June 1991 + // Reference: RFC1345 + IBM863 MIB = 2050 + + // IBM864 is the MIB identifier with IANA name IBM864. + // + // IBM Keyboard layouts and code pages, PN 07G4586 June 1991 + // Reference: RFC1345 + IBM864 MIB = 2051 + + // IBM865 is the MIB identifier with IANA name IBM865. + // + // IBM DOS 3.3 Ref (Abridged), 94X9575 (Feb 1987) + // Reference: RFC1345 + IBM865 MIB = 2052 + + // IBM868 is the MIB identifier with IANA name IBM868. + // + // IBM NLS RM Vol2 SE09-8002-01, March 1990 + // Reference: RFC1345 + IBM868 MIB = 2053 + + // IBM869 is the MIB identifier with IANA name IBM869. + // + // IBM Keyboard layouts and code pages, PN 07G4586 June 1991 + // Reference: RFC1345 + IBM869 MIB = 2054 + + // IBM870 is the MIB identifier with IANA name IBM870. + // + // IBM NLS RM Vol2 SE09-8002-01, March 1990 + // Reference: RFC1345 + IBM870 MIB = 2055 + + // IBM871 is the MIB identifier with IANA name IBM871. + // + // IBM NLS RM Vol2 SE09-8002-01, March 1990 + // Reference: RFC1345 + IBM871 MIB = 2056 + + // IBM880 is the MIB identifier with IANA name IBM880. + // + // IBM NLS RM Vol2 SE09-8002-01, March 1990 + // Reference: RFC1345 + IBM880 MIB = 2057 + + // IBM891 is the MIB identifier with IANA name IBM891. + // + // IBM NLS RM Vol2 SE09-8002-01, March 1990 + // Reference: RFC1345 + IBM891 MIB = 2058 + + // IBM903 is the MIB identifier with IANA name IBM903. + // + // IBM NLS RM Vol2 SE09-8002-01, March 1990 + // Reference: RFC1345 + IBM903 MIB = 2059 + + // IBBM904 is the MIB identifier with IANA name IBM904. + // + // IBM NLS RM Vol2 SE09-8002-01, March 1990 + // Reference: RFC1345 + IBBM904 MIB = 2060 + + // IBM905 is the MIB identifier with IANA name IBM905. + // + // IBM 3174 Character Set Ref, GA27-3831-02, March 1990 + // Reference: RFC1345 + IBM905 MIB = 2061 + + // IBM918 is the MIB identifier with IANA name IBM918. + // + // IBM NLS RM Vol2 SE09-8002-01, March 1990 + // Reference: RFC1345 + IBM918 MIB = 2062 + + // IBM1026 is the MIB identifier with IANA name IBM1026. + // + // IBM NLS RM Vol2 SE09-8002-01, March 1990 + // Reference: RFC1345 + IBM1026 MIB = 2063 + + // IBMEBCDICATDE is the MIB identifier with IANA name EBCDIC-AT-DE. + // + // IBM 3270 Char Set Ref Ch 10, GA27-2837-9, April 1987 + // Reference: RFC1345 + IBMEBCDICATDE MIB = 2064 + + // EBCDICATDEA is the MIB identifier with IANA name EBCDIC-AT-DE-A. + // + // IBM 3270 Char Set Ref Ch 10, GA27-2837-9, April 1987 + // Reference: RFC1345 + EBCDICATDEA MIB = 2065 + + // EBCDICCAFR is the MIB identifier with IANA name EBCDIC-CA-FR. + // + // IBM 3270 Char Set Ref Ch 10, GA27-2837-9, April 1987 + // Reference: RFC1345 + EBCDICCAFR MIB = 2066 + + // EBCDICDKNO is the MIB identifier with IANA name EBCDIC-DK-NO. + // + // IBM 3270 Char Set Ref Ch 10, GA27-2837-9, April 1987 + // Reference: RFC1345 + EBCDICDKNO MIB = 2067 + + // EBCDICDKNOA is the MIB identifier with IANA name EBCDIC-DK-NO-A. + // + // IBM 3270 Char Set Ref Ch 10, GA27-2837-9, April 1987 + // Reference: RFC1345 + EBCDICDKNOA MIB = 2068 + + // EBCDICFISE is the MIB identifier with IANA name EBCDIC-FI-SE. + // + // IBM 3270 Char Set Ref Ch 10, GA27-2837-9, April 1987 + // Reference: RFC1345 + EBCDICFISE MIB = 2069 + + // EBCDICFISEA is the MIB identifier with IANA name EBCDIC-FI-SE-A. + // + // IBM 3270 Char Set Ref Ch 10, GA27-2837-9, April 1987 + // Reference: RFC1345 + EBCDICFISEA MIB = 2070 + + // EBCDICFR is the MIB identifier with IANA name EBCDIC-FR. + // + // IBM 3270 Char Set Ref Ch 10, GA27-2837-9, April 1987 + // Reference: RFC1345 + EBCDICFR MIB = 2071 + + // EBCDICIT is the MIB identifier with IANA name EBCDIC-IT. + // + // IBM 3270 Char Set Ref Ch 10, GA27-2837-9, April 1987 + // Reference: RFC1345 + EBCDICIT MIB = 2072 + + // EBCDICPT is the MIB identifier with IANA name EBCDIC-PT. + // + // IBM 3270 Char Set Ref Ch 10, GA27-2837-9, April 1987 + // Reference: RFC1345 + EBCDICPT MIB = 2073 + + // EBCDICES is the MIB identifier with IANA name EBCDIC-ES. + // + // IBM 3270 Char Set Ref Ch 10, GA27-2837-9, April 1987 + // Reference: RFC1345 + EBCDICES MIB = 2074 + + // EBCDICESA is the MIB identifier with IANA name EBCDIC-ES-A. + // + // IBM 3270 Char Set Ref Ch 10, GA27-2837-9, April 1987 + // Reference: RFC1345 + EBCDICESA MIB = 2075 + + // EBCDICESS is the MIB identifier with IANA name EBCDIC-ES-S. + // + // IBM 3270 Char Set Ref Ch 10, GA27-2837-9, April 1987 + // Reference: RFC1345 + EBCDICESS MIB = 2076 + + // EBCDICUK is the MIB identifier with IANA name EBCDIC-UK. + // + // IBM 3270 Char Set Ref Ch 10, GA27-2837-9, April 1987 + // Reference: RFC1345 + EBCDICUK MIB = 2077 + + // EBCDICUS is the MIB identifier with IANA name EBCDIC-US. + // + // IBM 3270 Char Set Ref Ch 10, GA27-2837-9, April 1987 + // Reference: RFC1345 + EBCDICUS MIB = 2078 + + // Unknown8BiT is the MIB identifier with IANA name UNKNOWN-8BIT. + // + // Reference: RFC1428 + Unknown8BiT MIB = 2079 + + // Mnemonic is the MIB identifier with IANA name MNEMONIC. + // + // rfc1345 , also known as "mnemonic+ascii+38" + // Reference: RFC1345 + Mnemonic MIB = 2080 + + // Mnem is the MIB identifier with IANA name MNEM. + // + // rfc1345 , also known as "mnemonic+ascii+8200" + // Reference: RFC1345 + Mnem MIB = 2081 + + // VISCII is the MIB identifier with IANA name VISCII. + // + // rfc1456 + // Reference: RFC1456 + VISCII MIB = 2082 + + // VIQR is the MIB identifier with IANA name VIQR. + // + // rfc1456 + // Reference: RFC1456 + VIQR MIB = 2083 + + // KOI8R is the MIB identifier with IANA name KOI8-R (MIME: KOI8-R). + // + // rfc1489 , based on GOST-19768-74, ISO-6937/8, + // INIS-Cyrillic, ISO-5427. + // Reference: RFC1489 + KOI8R MIB = 2084 + + // HZGB2312 is the MIB identifier with IANA name HZ-GB-2312. + // + // rfc1842 , rfc1843 rfc1843 rfc1842 + HZGB2312 MIB = 2085 + + // IBM866 is the MIB identifier with IANA name IBM866. + // + // IBM NLDG Volume 2 (SE09-8002-03) August 1994 + IBM866 MIB = 2086 + + // PC775Baltic is the MIB identifier with IANA name IBM775. + // + // HP PCL 5 Comparison Guide (P/N 5021-0329) pp B-13, 1996 + PC775Baltic MIB = 2087 + + // KOI8U is the MIB identifier with IANA name KOI8-U. + // + // rfc2319 + // Reference: RFC2319 + KOI8U MIB = 2088 + + // IBM00858 is the MIB identifier with IANA name IBM00858. + // + // IBM See https://www.iana.org/assignments/charset-reg/IBM00858 + IBM00858 MIB = 2089 + + // IBM00924 is the MIB identifier with IANA name IBM00924. + // + // IBM See https://www.iana.org/assignments/charset-reg/IBM00924 + IBM00924 MIB = 2090 + + // IBM01140 is the MIB identifier with IANA name IBM01140. + // + // IBM See https://www.iana.org/assignments/charset-reg/IBM01140 + IBM01140 MIB = 2091 + + // IBM01141 is the MIB identifier with IANA name IBM01141. + // + // IBM See https://www.iana.org/assignments/charset-reg/IBM01141 + IBM01141 MIB = 2092 + + // IBM01142 is the MIB identifier with IANA name IBM01142. + // + // IBM See https://www.iana.org/assignments/charset-reg/IBM01142 + IBM01142 MIB = 2093 + + // IBM01143 is the MIB identifier with IANA name IBM01143. + // + // IBM See https://www.iana.org/assignments/charset-reg/IBM01143 + IBM01143 MIB = 2094 + + // IBM01144 is the MIB identifier with IANA name IBM01144. + // + // IBM See https://www.iana.org/assignments/charset-reg/IBM01144 + IBM01144 MIB = 2095 + + // IBM01145 is the MIB identifier with IANA name IBM01145. + // + // IBM See https://www.iana.org/assignments/charset-reg/IBM01145 + IBM01145 MIB = 2096 + + // IBM01146 is the MIB identifier with IANA name IBM01146. + // + // IBM See https://www.iana.org/assignments/charset-reg/IBM01146 + IBM01146 MIB = 2097 + + // IBM01147 is the MIB identifier with IANA name IBM01147. + // + // IBM See https://www.iana.org/assignments/charset-reg/IBM01147 + IBM01147 MIB = 2098 + + // IBM01148 is the MIB identifier with IANA name IBM01148. + // + // IBM See https://www.iana.org/assignments/charset-reg/IBM01148 + IBM01148 MIB = 2099 + + // IBM01149 is the MIB identifier with IANA name IBM01149. + // + // IBM See https://www.iana.org/assignments/charset-reg/IBM01149 + IBM01149 MIB = 2100 + + // Big5HKSCS is the MIB identifier with IANA name Big5-HKSCS. + // + // See https://www.iana.org/assignments/charset-reg/Big5-HKSCS + Big5HKSCS MIB = 2101 + + // IBM1047 is the MIB identifier with IANA name IBM1047. + // + // IBM1047 (EBCDIC Latin 1/Open Systems) https://www-1.ibm.com/servers/eserver/iseries/software/globalization/pdf/cp01047z.pdf + IBM1047 MIB = 2102 + + // PTCP154 is the MIB identifier with IANA name PTCP154. + // + // See https://www.iana.org/assignments/charset-reg/PTCP154 + PTCP154 MIB = 2103 + + // Amiga1251 is the MIB identifier with IANA name Amiga-1251. + // + // See https://www.amiga.ultranet.ru/Amiga-1251.html + Amiga1251 MIB = 2104 + + // KOI7switched is the MIB identifier with IANA name KOI7-switched. + // + // See https://www.iana.org/assignments/charset-reg/KOI7-switched + KOI7switched MIB = 2105 + + // BRF is the MIB identifier with IANA name BRF. + // + // See https://www.iana.org/assignments/charset-reg/BRF + BRF MIB = 2106 + + // TSCII is the MIB identifier with IANA name TSCII. + // + // See https://www.iana.org/assignments/charset-reg/TSCII + TSCII MIB = 2107 + + // CP51932 is the MIB identifier with IANA name CP51932. + // + // See https://www.iana.org/assignments/charset-reg/CP51932 + CP51932 MIB = 2108 + + // Windows874 is the MIB identifier with IANA name windows-874. + // + // See https://www.iana.org/assignments/charset-reg/windows-874 + Windows874 MIB = 2109 + + // Windows1250 is the MIB identifier with IANA name windows-1250. + // + // Microsoft https://www.iana.org/assignments/charset-reg/windows-1250 + Windows1250 MIB = 2250 + + // Windows1251 is the MIB identifier with IANA name windows-1251. + // + // Microsoft https://www.iana.org/assignments/charset-reg/windows-1251 + Windows1251 MIB = 2251 + + // Windows1252 is the MIB identifier with IANA name windows-1252. + // + // Microsoft https://www.iana.org/assignments/charset-reg/windows-1252 + Windows1252 MIB = 2252 + + // Windows1253 is the MIB identifier with IANA name windows-1253. + // + // Microsoft https://www.iana.org/assignments/charset-reg/windows-1253 + Windows1253 MIB = 2253 + + // Windows1254 is the MIB identifier with IANA name windows-1254. + // + // Microsoft https://www.iana.org/assignments/charset-reg/windows-1254 + Windows1254 MIB = 2254 + + // Windows1255 is the MIB identifier with IANA name windows-1255. + // + // Microsoft https://www.iana.org/assignments/charset-reg/windows-1255 + Windows1255 MIB = 2255 + + // Windows1256 is the MIB identifier with IANA name windows-1256. + // + // Microsoft https://www.iana.org/assignments/charset-reg/windows-1256 + Windows1256 MIB = 2256 + + // Windows1257 is the MIB identifier with IANA name windows-1257. + // + // Microsoft https://www.iana.org/assignments/charset-reg/windows-1257 + Windows1257 MIB = 2257 + + // Windows1258 is the MIB identifier with IANA name windows-1258. + // + // Microsoft https://www.iana.org/assignments/charset-reg/windows-1258 + Windows1258 MIB = 2258 + + // TIS620 is the MIB identifier with IANA name TIS-620. + // + // Thai Industrial Standards Institute (TISI) + TIS620 MIB = 2259 + + // CP50220 is the MIB identifier with IANA name CP50220. + // + // See https://www.iana.org/assignments/charset-reg/CP50220 + CP50220 MIB = 2260 +) diff --git a/vendor/golang.org/x/text/encoding/internal/internal.go b/vendor/golang.org/x/text/encoding/internal/internal.go new file mode 100644 index 0000000000..413e6fc6d7 --- /dev/null +++ b/vendor/golang.org/x/text/encoding/internal/internal.go @@ -0,0 +1,75 @@ +// Copyright 2015 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +// Package internal contains code that is shared among encoding implementations. +package internal + +import ( + "golang.org/x/text/encoding" + "golang.org/x/text/encoding/internal/identifier" + "golang.org/x/text/transform" +) + +// Encoding is an implementation of the Encoding interface that adds the String +// and ID methods to an existing encoding. +type Encoding struct { + encoding.Encoding + Name string + MIB identifier.MIB +} + +// _ verifies that Encoding implements identifier.Interface. +var _ identifier.Interface = (*Encoding)(nil) + +func (e *Encoding) String() string { + return e.Name +} + +func (e *Encoding) ID() (mib identifier.MIB, other string) { + return e.MIB, "" +} + +// SimpleEncoding is an Encoding that combines two Transformers. +type SimpleEncoding struct { + Decoder transform.Transformer + Encoder transform.Transformer +} + +func (e *SimpleEncoding) NewDecoder() *encoding.Decoder { + return &encoding.Decoder{Transformer: e.Decoder} +} + +func (e *SimpleEncoding) NewEncoder() *encoding.Encoder { + return &encoding.Encoder{Transformer: e.Encoder} +} + +// FuncEncoding is an Encoding that combines two functions returning a new +// Transformer. +type FuncEncoding struct { + Decoder func() transform.Transformer + Encoder func() transform.Transformer +} + +func (e FuncEncoding) NewDecoder() *encoding.Decoder { + return &encoding.Decoder{Transformer: e.Decoder()} +} + +func (e FuncEncoding) NewEncoder() *encoding.Encoder { + return &encoding.Encoder{Transformer: e.Encoder()} +} + +// A RepertoireError indicates a rune is not in the repertoire of a destination +// encoding. It is associated with an encoding-specific suggested replacement +// byte. +type RepertoireError byte + +// Error implements the error interface. +func (r RepertoireError) Error() string { + return "encoding: rune not supported by encoding." +} + +// Replacement returns the replacement string associated with this error. +func (r RepertoireError) Replacement() byte { return byte(r) } + +var ErrASCIIReplacement = RepertoireError(encoding.ASCIISub) diff --git a/vendor/golang.org/x/text/encoding/unicode/override.go b/vendor/golang.org/x/text/encoding/unicode/override.go new file mode 100644 index 0000000000..35d62fcc99 --- /dev/null +++ b/vendor/golang.org/x/text/encoding/unicode/override.go @@ -0,0 +1,82 @@ +// Copyright 2015 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package unicode + +import ( + "golang.org/x/text/transform" +) + +// BOMOverride returns a new decoder transformer that is identical to fallback, +// except that the presence of a Byte Order Mark at the start of the input +// causes it to switch to the corresponding Unicode decoding. It will only +// consider BOMs for UTF-8, UTF-16BE, and UTF-16LE. +// +// This differs from using ExpectBOM by allowing a BOM to switch to UTF-8, not +// just UTF-16 variants, and allowing falling back to any encoding scheme. +// +// This technique is recommended by the W3C for use in HTML 5: "For +// compatibility with deployed content, the byte order mark (also known as BOM) +// is considered more authoritative than anything else." +// http://www.w3.org/TR/encoding/#specification-hooks +// +// Using BOMOverride is mostly intended for use cases where the first characters +// of a fallback encoding are known to not be a BOM, for example, for valid HTML +// and most encodings. +func BOMOverride(fallback transform.Transformer) transform.Transformer { + // TODO: possibly allow a variadic argument of unicode encodings to allow + // specifying details of which fallbacks are supported as well as + // specifying the details of the implementations. This would also allow for + // support for UTF-32, which should not be supported by default. + return &bomOverride{fallback: fallback} +} + +type bomOverride struct { + fallback transform.Transformer + current transform.Transformer +} + +func (d *bomOverride) Reset() { + d.current = nil + d.fallback.Reset() +} + +var ( + // TODO: we could use decode functions here, instead of allocating a new + // decoder on every NewDecoder as IgnoreBOM decoders can be stateless. + utf16le = UTF16(LittleEndian, IgnoreBOM) + utf16be = UTF16(BigEndian, IgnoreBOM) +) + +const utf8BOM = "\ufeff" + +func (d *bomOverride) Transform(dst, src []byte, atEOF bool) (nDst, nSrc int, err error) { + if d.current != nil { + return d.current.Transform(dst, src, atEOF) + } + if len(src) < 3 && !atEOF { + return 0, 0, transform.ErrShortSrc + } + d.current = d.fallback + bomSize := 0 + if len(src) >= 2 { + if src[0] == 0xFF && src[1] == 0xFE { + d.current = utf16le.NewDecoder() + bomSize = 2 + } else if src[0] == 0xFE && src[1] == 0xFF { + d.current = utf16be.NewDecoder() + bomSize = 2 + } else if len(src) >= 3 && + src[0] == utf8BOM[0] && + src[1] == utf8BOM[1] && + src[2] == utf8BOM[2] { + d.current = transform.Nop + bomSize = 3 + } + } + if bomSize < len(src) { + nDst, nSrc, err = d.current.Transform(dst, src[bomSize:], atEOF) + } + return nDst, nSrc + bomSize, err +} diff --git a/vendor/golang.org/x/text/encoding/unicode/unicode.go b/vendor/golang.org/x/text/encoding/unicode/unicode.go new file mode 100644 index 0000000000..ce28c90628 --- /dev/null +++ b/vendor/golang.org/x/text/encoding/unicode/unicode.go @@ -0,0 +1,512 @@ +// Copyright 2013 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +// Package unicode provides Unicode encodings such as UTF-16. +package unicode // import "golang.org/x/text/encoding/unicode" + +import ( + "bytes" + "errors" + "unicode/utf16" + "unicode/utf8" + + "golang.org/x/text/encoding" + "golang.org/x/text/encoding/internal" + "golang.org/x/text/encoding/internal/identifier" + "golang.org/x/text/internal/utf8internal" + "golang.org/x/text/runes" + "golang.org/x/text/transform" +) + +// TODO: I think the Transformers really should return errors on unmatched +// surrogate pairs and odd numbers of bytes. This is not required by RFC 2781, +// which leaves it open, but is suggested by WhatWG. It will allow for all error +// modes as defined by WhatWG: fatal, HTML and Replacement. This would require +// the introduction of some kind of error type for conveying the erroneous code +// point. + +// UTF8 is the UTF-8 encoding. It neither removes nor adds byte order marks. +var UTF8 encoding.Encoding = utf8enc + +// UTF8BOM is an UTF-8 encoding where the decoder strips a leading byte order +// mark while the encoder adds one. +// +// Some editors add a byte order mark as a signature to UTF-8 files. Although +// the byte order mark is not useful for detecting byte order in UTF-8, it is +// sometimes used as a convention to mark UTF-8-encoded files. This relies on +// the observation that the UTF-8 byte order mark is either an illegal or at +// least very unlikely sequence in any other character encoding. +var UTF8BOM encoding.Encoding = utf8bomEncoding{} + +type utf8bomEncoding struct{} + +func (utf8bomEncoding) String() string { + return "UTF-8-BOM" +} + +func (utf8bomEncoding) ID() (identifier.MIB, string) { + return identifier.Unofficial, "x-utf8bom" +} + +func (utf8bomEncoding) NewEncoder() *encoding.Encoder { + return &encoding.Encoder{ + Transformer: &utf8bomEncoder{t: runes.ReplaceIllFormed()}, + } +} + +func (utf8bomEncoding) NewDecoder() *encoding.Decoder { + return &encoding.Decoder{Transformer: &utf8bomDecoder{}} +} + +var utf8enc = &internal.Encoding{ + Encoding: &internal.SimpleEncoding{Decoder: utf8Decoder{}, Encoder: runes.ReplaceIllFormed()}, + Name: "UTF-8", + MIB: identifier.UTF8, +} + +type utf8bomDecoder struct { + checked bool +} + +func (t *utf8bomDecoder) Reset() { + t.checked = false +} + +func (t *utf8bomDecoder) Transform(dst, src []byte, atEOF bool) (nDst, nSrc int, err error) { + if !t.checked { + if !atEOF && len(src) < len(utf8BOM) { + if len(src) == 0 { + return 0, 0, nil + } + return 0, 0, transform.ErrShortSrc + } + if bytes.HasPrefix(src, []byte(utf8BOM)) { + nSrc += len(utf8BOM) + src = src[len(utf8BOM):] + } + t.checked = true + } + nDst, n, err := utf8Decoder.Transform(utf8Decoder{}, dst[nDst:], src, atEOF) + nSrc += n + return nDst, nSrc, err +} + +type utf8bomEncoder struct { + written bool + t transform.Transformer +} + +func (t *utf8bomEncoder) Reset() { + t.written = false + t.t.Reset() +} + +func (t *utf8bomEncoder) Transform(dst, src []byte, atEOF bool) (nDst, nSrc int, err error) { + if !t.written { + if len(dst) < len(utf8BOM) { + return nDst, 0, transform.ErrShortDst + } + nDst = copy(dst, utf8BOM) + t.written = true + } + n, nSrc, err := utf8Decoder.Transform(utf8Decoder{}, dst[nDst:], src, atEOF) + nDst += n + return nDst, nSrc, err +} + +type utf8Decoder struct{ transform.NopResetter } + +func (utf8Decoder) Transform(dst, src []byte, atEOF bool) (nDst, nSrc int, err error) { + var pSrc int // point from which to start copy in src + var accept utf8internal.AcceptRange + + // The decoder can only make the input larger, not smaller. + n := len(src) + if len(dst) < n { + err = transform.ErrShortDst + n = len(dst) + atEOF = false + } + for nSrc < n { + c := src[nSrc] + if c < utf8.RuneSelf { + nSrc++ + continue + } + first := utf8internal.First[c] + size := int(first & utf8internal.SizeMask) + if first == utf8internal.FirstInvalid { + goto handleInvalid // invalid starter byte + } + accept = utf8internal.AcceptRanges[first>>utf8internal.AcceptShift] + if nSrc+size > n { + if !atEOF { + // We may stop earlier than necessary here if the short sequence + // has invalid bytes. Not checking for this simplifies the code + // and may avoid duplicate computations in certain conditions. + if err == nil { + err = transform.ErrShortSrc + } + break + } + // Determine the maximal subpart of an ill-formed subsequence. + switch { + case nSrc+1 >= n || src[nSrc+1] < accept.Lo || accept.Hi < src[nSrc+1]: + size = 1 + case nSrc+2 >= n || src[nSrc+2] < utf8internal.LoCB || utf8internal.HiCB < src[nSrc+2]: + size = 2 + default: + size = 3 // As we are short, the maximum is 3. + } + goto handleInvalid + } + if c = src[nSrc+1]; c < accept.Lo || accept.Hi < c { + size = 1 + goto handleInvalid // invalid continuation byte + } else if size == 2 { + } else if c = src[nSrc+2]; c < utf8internal.LoCB || utf8internal.HiCB < c { + size = 2 + goto handleInvalid // invalid continuation byte + } else if size == 3 { + } else if c = src[nSrc+3]; c < utf8internal.LoCB || utf8internal.HiCB < c { + size = 3 + goto handleInvalid // invalid continuation byte + } + nSrc += size + continue + + handleInvalid: + // Copy the scanned input so far. + nDst += copy(dst[nDst:], src[pSrc:nSrc]) + + // Append RuneError to the destination. + const runeError = "\ufffd" + if nDst+len(runeError) > len(dst) { + return nDst, nSrc, transform.ErrShortDst + } + nDst += copy(dst[nDst:], runeError) + + // Skip the maximal subpart of an ill-formed subsequence according to + // the W3C standard way instead of the Go way. This Transform is + // probably the only place in the text repo where it is warranted. + nSrc += size + pSrc = nSrc + + // Recompute the maximum source length. + if sz := len(dst) - nDst; sz < len(src)-nSrc { + err = transform.ErrShortDst + n = nSrc + sz + atEOF = false + } + } + return nDst + copy(dst[nDst:], src[pSrc:nSrc]), nSrc, err +} + +// UTF16 returns a UTF-16 Encoding for the given default endianness and byte +// order mark (BOM) policy. +// +// When decoding from UTF-16 to UTF-8, if the BOMPolicy is IgnoreBOM then +// neither BOMs U+FEFF nor noncharacters U+FFFE in the input stream will affect +// the endianness used for decoding, and will instead be output as their +// standard UTF-8 encodings: "\xef\xbb\xbf" and "\xef\xbf\xbe". If the BOMPolicy +// is UseBOM or ExpectBOM a staring BOM is not written to the UTF-8 output. +// Instead, it overrides the default endianness e for the remainder of the +// transformation. Any subsequent BOMs U+FEFF or noncharacters U+FFFE will not +// affect the endianness used, and will instead be output as their standard +// UTF-8 encodings. For UseBOM, if there is no starting BOM, it will proceed +// with the default Endianness. For ExpectBOM, in that case, the transformation +// will return early with an ErrMissingBOM error. +// +// When encoding from UTF-8 to UTF-16, a BOM will be inserted at the start of +// the output if the BOMPolicy is UseBOM or ExpectBOM. Otherwise, a BOM will not +// be inserted. The UTF-8 input does not need to contain a BOM. +// +// There is no concept of a 'native' endianness. If the UTF-16 data is produced +// and consumed in a greater context that implies a certain endianness, use +// IgnoreBOM. Otherwise, use ExpectBOM and always produce and consume a BOM. +// +// In the language of https://www.unicode.org/faq/utf_bom.html#bom10, IgnoreBOM +// corresponds to "Where the precise type of the data stream is known... the +// BOM should not be used" and ExpectBOM corresponds to "A particular +// protocol... may require use of the BOM". +func UTF16(e Endianness, b BOMPolicy) encoding.Encoding { + return utf16Encoding{config{e, b}, mibValue[e][b&bomMask]} +} + +// mibValue maps Endianness and BOMPolicy settings to MIB constants. Note that +// some configurations map to the same MIB identifier. RFC 2781 has requirements +// and recommendations. Some of the "configurations" are merely recommendations, +// so multiple configurations could match. +var mibValue = map[Endianness][numBOMValues]identifier.MIB{ + BigEndian: [numBOMValues]identifier.MIB{ + IgnoreBOM: identifier.UTF16BE, + UseBOM: identifier.UTF16, // BigEnding default is preferred by RFC 2781. + // TODO: acceptBOM | strictBOM would map to UTF16BE as well. + }, + LittleEndian: [numBOMValues]identifier.MIB{ + IgnoreBOM: identifier.UTF16LE, + UseBOM: identifier.UTF16, // LittleEndian default is allowed and preferred on Windows. + // TODO: acceptBOM | strictBOM would map to UTF16LE as well. + }, + // ExpectBOM is not widely used and has no valid MIB identifier. +} + +// All lists a configuration for each IANA-defined UTF-16 variant. +var All = []encoding.Encoding{ + UTF8, + UTF16(BigEndian, UseBOM), + UTF16(BigEndian, IgnoreBOM), + UTF16(LittleEndian, IgnoreBOM), +} + +// BOMPolicy is a UTF-16 encoding's byte order mark policy. +type BOMPolicy uint8 + +const ( + writeBOM BOMPolicy = 0x01 + acceptBOM BOMPolicy = 0x02 + requireBOM BOMPolicy = 0x04 + bomMask BOMPolicy = 0x07 + + // HACK: numBOMValues == 8 triggers a bug in the 1.4 compiler (cannot have a + // map of an array of length 8 of a type that is also used as a key or value + // in another map). See golang.org/issue/11354. + // TODO: consider changing this value back to 8 if the use of 1.4.* has + // been minimized. + numBOMValues = 8 + 1 + + // IgnoreBOM means to ignore any byte order marks. + IgnoreBOM BOMPolicy = 0 + // Common and RFC 2781-compliant interpretation for UTF-16BE/LE. + + // UseBOM means that the UTF-16 form may start with a byte order mark, which + // will be used to override the default encoding. + UseBOM BOMPolicy = writeBOM | acceptBOM + // Common and RFC 2781-compliant interpretation for UTF-16. + + // ExpectBOM means that the UTF-16 form must start with a byte order mark, + // which will be used to override the default encoding. + ExpectBOM BOMPolicy = writeBOM | acceptBOM | requireBOM + // Used in Java as Unicode (not to be confused with Java's UTF-16) and + // ICU's UTF-16,version=1. Not compliant with RFC 2781. + + // TODO (maybe): strictBOM: BOM must match Endianness. This would allow: + // - UTF-16(B|L)E,version=1: writeBOM | acceptBOM | requireBOM | strictBOM + // (UnicodeBig and UnicodeLittle in Java) + // - RFC 2781-compliant, but less common interpretation for UTF-16(B|L)E: + // acceptBOM | strictBOM (e.g. assigned to CheckBOM). + // This addition would be consistent with supporting ExpectBOM. +) + +// Endianness is a UTF-16 encoding's default endianness. +type Endianness bool + +const ( + // BigEndian is UTF-16BE. + BigEndian Endianness = false + // LittleEndian is UTF-16LE. + LittleEndian Endianness = true +) + +// ErrMissingBOM means that decoding UTF-16 input with ExpectBOM did not find a +// starting byte order mark. +var ErrMissingBOM = errors.New("encoding: missing byte order mark") + +type utf16Encoding struct { + config + mib identifier.MIB +} + +type config struct { + endianness Endianness + bomPolicy BOMPolicy +} + +func (u utf16Encoding) NewDecoder() *encoding.Decoder { + return &encoding.Decoder{Transformer: &utf16Decoder{ + initial: u.config, + current: u.config, + }} +} + +func (u utf16Encoding) NewEncoder() *encoding.Encoder { + return &encoding.Encoder{Transformer: &utf16Encoder{ + endianness: u.endianness, + initialBOMPolicy: u.bomPolicy, + currentBOMPolicy: u.bomPolicy, + }} +} + +func (u utf16Encoding) ID() (mib identifier.MIB, other string) { + return u.mib, "" +} + +func (u utf16Encoding) String() string { + e, b := "B", "" + if u.endianness == LittleEndian { + e = "L" + } + switch u.bomPolicy { + case ExpectBOM: + b = "Expect" + case UseBOM: + b = "Use" + case IgnoreBOM: + b = "Ignore" + } + return "UTF-16" + e + "E (" + b + " BOM)" +} + +type utf16Decoder struct { + initial config + current config +} + +func (u *utf16Decoder) Reset() { + u.current = u.initial +} + +func (u *utf16Decoder) Transform(dst, src []byte, atEOF bool) (nDst, nSrc int, err error) { + if len(src) < 2 && atEOF && u.current.bomPolicy&requireBOM != 0 { + return 0, 0, ErrMissingBOM + } + if len(src) == 0 { + return 0, 0, nil + } + if len(src) >= 2 && u.current.bomPolicy&acceptBOM != 0 { + switch { + case src[0] == 0xfe && src[1] == 0xff: + u.current.endianness = BigEndian + nSrc = 2 + case src[0] == 0xff && src[1] == 0xfe: + u.current.endianness = LittleEndian + nSrc = 2 + default: + if u.current.bomPolicy&requireBOM != 0 { + return 0, 0, ErrMissingBOM + } + } + u.current.bomPolicy = IgnoreBOM + } + + var r rune + var dSize, sSize int + for nSrc < len(src) { + if nSrc+1 < len(src) { + x := uint16(src[nSrc+0])<<8 | uint16(src[nSrc+1]) + if u.current.endianness == LittleEndian { + x = x>>8 | x<<8 + } + r, sSize = rune(x), 2 + if utf16.IsSurrogate(r) { + if nSrc+3 < len(src) { + x = uint16(src[nSrc+2])<<8 | uint16(src[nSrc+3]) + if u.current.endianness == LittleEndian { + x = x>>8 | x<<8 + } + // Save for next iteration if it is not a high surrogate. + if isHighSurrogate(rune(x)) { + r, sSize = utf16.DecodeRune(r, rune(x)), 4 + } + } else if !atEOF { + err = transform.ErrShortSrc + break + } + } + if dSize = utf8.RuneLen(r); dSize < 0 { + r, dSize = utf8.RuneError, 3 + } + } else if atEOF { + // Single trailing byte. + r, dSize, sSize = utf8.RuneError, 3, 1 + } else { + err = transform.ErrShortSrc + break + } + if nDst+dSize > len(dst) { + err = transform.ErrShortDst + break + } + nDst += utf8.EncodeRune(dst[nDst:], r) + nSrc += sSize + } + return nDst, nSrc, err +} + +func isHighSurrogate(r rune) bool { + return 0xDC00 <= r && r <= 0xDFFF +} + +type utf16Encoder struct { + endianness Endianness + initialBOMPolicy BOMPolicy + currentBOMPolicy BOMPolicy +} + +func (u *utf16Encoder) Reset() { + u.currentBOMPolicy = u.initialBOMPolicy +} + +func (u *utf16Encoder) Transform(dst, src []byte, atEOF bool) (nDst, nSrc int, err error) { + if u.currentBOMPolicy&writeBOM != 0 { + if len(dst) < 2 { + return 0, 0, transform.ErrShortDst + } + dst[0], dst[1] = 0xfe, 0xff + u.currentBOMPolicy = IgnoreBOM + nDst = 2 + } + + r, size := rune(0), 0 + for nSrc < len(src) { + r = rune(src[nSrc]) + + // Decode a 1-byte rune. + if r < utf8.RuneSelf { + size = 1 + + } else { + // Decode a multi-byte rune. + r, size = utf8.DecodeRune(src[nSrc:]) + if size == 1 { + // All valid runes of size 1 (those below utf8.RuneSelf) were + // handled above. We have invalid UTF-8 or we haven't seen the + // full character yet. + if !atEOF && !utf8.FullRune(src[nSrc:]) { + err = transform.ErrShortSrc + break + } + } + } + + if r <= 0xffff { + if nDst+2 > len(dst) { + err = transform.ErrShortDst + break + } + dst[nDst+0] = uint8(r >> 8) + dst[nDst+1] = uint8(r) + nDst += 2 + } else { + if nDst+4 > len(dst) { + err = transform.ErrShortDst + break + } + r1, r2 := utf16.EncodeRune(r) + dst[nDst+0] = uint8(r1 >> 8) + dst[nDst+1] = uint8(r1) + dst[nDst+2] = uint8(r2 >> 8) + dst[nDst+3] = uint8(r2) + nDst += 4 + } + nSrc += size + } + + if u.endianness == LittleEndian { + for i := 0; i < nDst; i += 2 { + dst[i], dst[i+1] = dst[i+1], dst[i] + } + } + return nDst, nSrc, err +} diff --git a/vendor/golang.org/x/text/feature/plural/common.go b/vendor/golang.org/x/text/feature/plural/common.go new file mode 100644 index 0000000000..fdcb373fdf --- /dev/null +++ b/vendor/golang.org/x/text/feature/plural/common.go @@ -0,0 +1,70 @@ +// Code generated by running "go generate" in golang.org/x/text. DO NOT EDIT. + +package plural + +// Form defines a plural form. +// +// Not all languages support all forms. Also, the meaning of each form varies +// per language. It is important to note that the name of a form does not +// necessarily correspond one-to-one with the set of numbers. For instance, +// for Croation, One matches not only 1, but also 11, 21, etc. +// +// Each language must at least support the form "other". +type Form byte + +const ( + Other Form = iota + Zero + One + Two + Few + Many +) + +var countMap = map[string]Form{ + "other": Other, + "zero": Zero, + "one": One, + "two": Two, + "few": Few, + "many": Many, +} + +type pluralCheck struct { + // category: + // 3..7: opID + // 0..2: category + cat byte + setID byte +} + +// opID identifies the type of operand in the plural rule, being i, n or f. +// (v, w, and t are treated as filters in our implementation.) +type opID byte + +const ( + opMod opID = 0x1 // is '%' used? + opNotEqual opID = 0x2 // using "!=" to compare + opI opID = 0 << 2 // integers after taking the absolute value + opN opID = 1 << 2 // full number (must be integer) + opF opID = 2 << 2 // fraction + opV opID = 3 << 2 // number of visible digits + opW opID = 4 << 2 // number of visible digits without trailing zeros + opBretonM opID = 5 << 2 // hard-wired rule for Breton + opItalian800 opID = 6 << 2 // hard-wired rule for Italian + opAzerbaijan00s opID = 7 << 2 // hard-wired rule for Azerbaijan +) +const ( + // Use this plural form to indicate the next rule needs to match as well. + // The last condition in the list will have the correct plural form. + andNext = 0x7 + formMask = 0x7 + + opShift = 3 + + // numN indicates the maximum integer, or maximum mod value, for which we + // have inclusion masks. + numN = 100 + // The common denominator of the modulo that is taken. + maxMod = 100 +) diff --git a/vendor/golang.org/x/text/feature/plural/message.go b/vendor/golang.org/x/text/feature/plural/message.go new file mode 100644 index 0000000000..56d518cc34 --- /dev/null +++ b/vendor/golang.org/x/text/feature/plural/message.go @@ -0,0 +1,244 @@ +// Copyright 2017 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package plural + +import ( + "fmt" + "io" + "reflect" + "strconv" + + "golang.org/x/text/internal/catmsg" + "golang.org/x/text/internal/number" + "golang.org/x/text/language" + "golang.org/x/text/message/catalog" +) + +// TODO: consider deleting this interface. Maybe VisibleDigits is always +// sufficient and practical. + +// Interface is used for types that can determine their own plural form. +type Interface interface { + // PluralForm reports the plural form for the given language of the + // underlying value. It also returns the integer value. If the integer value + // is larger than fits in n, PluralForm may return a value modulo + // 10,000,000. + PluralForm(t language.Tag, scale int) (f Form, n int) +} + +// Selectf returns the first case for which its selector is a match for the +// arg-th substitution argument to a formatting call, formatting it as indicated +// by format. +// +// The cases argument are pairs of selectors and messages. Selectors are of type +// string or Form. Messages are of type string or catalog.Message. A selector +// matches an argument if: +// - it is "other" or Other +// - it matches the plural form of the argument: "zero", "one", "two", "few", +// or "many", or the equivalent Form +// - it is of the form "=x" where x is an integer that matches the value of +// the argument. +// - it is of the form " kindDefault { + e.EncodeUint(uint64(m.scale)) + } + + forms := validForms(cardinal, e.Language()) + + for i := 0; i < len(m.cases); { + if err := compileSelector(e, forms, m.cases[i]); err != nil { + return err + } + if i++; i >= len(m.cases) { + return fmt.Errorf("plural: no message defined for selector %v", m.cases[i-1]) + } + var msg catalog.Message + switch x := m.cases[i].(type) { + case string: + msg = catalog.String(x) + case catalog.Message: + msg = x + default: + return fmt.Errorf("plural: message of type %T; must be string or catalog.Message", x) + } + if err := e.EncodeMessage(msg); err != nil { + return err + } + i++ + } + return nil +} + +func compileSelector(e *catmsg.Encoder, valid []Form, selector interface{}) error { + form := Other + switch x := selector.(type) { + case string: + if x == "" { + return fmt.Errorf("plural: empty selector") + } + if c := x[0]; c == '=' || c == '<' { + val, err := strconv.ParseUint(x[1:], 10, 16) + if err != nil { + return fmt.Errorf("plural: invalid number in selector %q: %v", selector, err) + } + e.EncodeUint(uint64(c)) + e.EncodeUint(val) + return nil + } + var ok bool + form, ok = countMap[x] + if !ok { + return fmt.Errorf("plural: invalid plural form %q", selector) + } + case Form: + form = x + default: + return fmt.Errorf("plural: selector of type %T; want string or Form", selector) + } + + ok := false + for _, f := range valid { + if f == form { + ok = true + break + } + } + if !ok { + return fmt.Errorf("plural: form %q not supported for language %q", selector, e.Language()) + } + e.EncodeUint(uint64(form)) + return nil +} + +func execute(d *catmsg.Decoder) bool { + lang := d.Language() + argN := int(d.DecodeUint()) + kind := int(d.DecodeUint()) + scale := -1 // default + if kind > kindDefault { + scale = int(d.DecodeUint()) + } + form := Other + n := -1 + if arg := d.Arg(argN); arg == nil { + // Default to Other. + } else if x, ok := arg.(number.VisibleDigits); ok { + d := x.Digits(nil, lang, scale) + form, n = cardinal.matchDisplayDigits(lang, &d) + } else if x, ok := arg.(Interface); ok { + // This covers lists and formatters from the number package. + form, n = x.PluralForm(lang, scale) + } else { + var f number.Formatter + switch kind { + case kindScale: + f.InitDecimal(lang) + f.SetScale(scale) + case kindScientific: + f.InitScientific(lang) + f.SetScale(scale) + case kindPrecision: + f.InitDecimal(lang) + f.SetPrecision(scale) + case kindDefault: + // sensible default + f.InitDecimal(lang) + if k := reflect.TypeOf(arg).Kind(); reflect.Int <= k && k <= reflect.Uintptr { + f.SetScale(0) + } else { + f.SetScale(2) + } + } + var dec number.Decimal // TODO: buffer in Printer + dec.Convert(f.RoundingContext, arg) + v := number.FormatDigits(&dec, f.RoundingContext) + if !v.NaN && !v.Inf { + form, n = cardinal.matchDisplayDigits(d.Language(), &v) + } + } + for !d.Done() { + f := d.DecodeUint() + if (f == '=' && n == int(d.DecodeUint())) || + (f == '<' && 0 <= n && n < int(d.DecodeUint())) || + form == Form(f) || + Other == Form(f) { + return d.ExecuteMessage() + } + d.SkipMessage() + } + return false +} diff --git a/vendor/golang.org/x/text/feature/plural/plural.go b/vendor/golang.org/x/text/feature/plural/plural.go new file mode 100644 index 0000000000..e9f2d42e04 --- /dev/null +++ b/vendor/golang.org/x/text/feature/plural/plural.go @@ -0,0 +1,262 @@ +// Copyright 2016 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +//go:generate go run gen.go gen_common.go + +// Package plural provides utilities for handling linguistic plurals in text. +// +// The definitions in this package are based on the plural rule handling defined +// in CLDR. See +// https://unicode.org/reports/tr35/tr35-numbers.html#Language_Plural_Rules for +// details. +package plural + +import ( + "golang.org/x/text/internal/language/compact" + "golang.org/x/text/internal/number" + "golang.org/x/text/language" +) + +// Rules defines the plural rules for all languages for a certain plural type. +// +// This package is UNDER CONSTRUCTION and its API may change. +type Rules struct { + rules []pluralCheck + index []byte + langToIndex []byte + inclusionMasks []uint64 +} + +var ( + // Cardinal defines the plural rules for numbers indicating quantities. + Cardinal *Rules = cardinal + + // Ordinal defines the plural rules for numbers indicating position + // (first, second, etc.). + Ordinal *Rules = ordinal + + ordinal = &Rules{ + ordinalRules, + ordinalIndex, + ordinalLangToIndex, + ordinalInclusionMasks[:], + } + + cardinal = &Rules{ + cardinalRules, + cardinalIndex, + cardinalLangToIndex, + cardinalInclusionMasks[:], + } +) + +// getIntApprox converts the digits in slice digits[start:end] to an integer +// according to the following rules: +// - Let i be asInt(digits[start:end]), where out-of-range digits are assumed +// to be zero. +// - Result n is big if i / 10^nMod > 1. +// - Otherwise the result is i % 10^nMod. +// +// For example, if digits is {1, 2, 3} and start:end is 0:5, then the result +// for various values of nMod is: +// - when nMod == 2, n == big +// - when nMod == 3, n == big +// - when nMod == 4, n == big +// - when nMod == 5, n == 12300 +// - when nMod == 6, n == 12300 +// - when nMod == 7, n == 12300 +func getIntApprox(digits []byte, start, end, nMod, big int) (n int) { + // Leading 0 digits just result in 0. + p := start + if p < 0 { + p = 0 + } + // Range only over the part for which we have digits. + mid := end + if mid >= len(digits) { + mid = len(digits) + } + // Check digits more significant that nMod. + if q := end - nMod; q > 0 { + if q > mid { + q = mid + } + for ; p < q; p++ { + if digits[p] != 0 { + return big + } + } + } + for ; p < mid; p++ { + n = 10*n + int(digits[p]) + } + // Multiply for trailing zeros. + for ; p < end; p++ { + n *= 10 + } + return n +} + +// MatchDigits computes the plural form for the given language and the given +// decimal floating point digits. The digits are stored in big-endian order and +// are of value byte(0) - byte(9). The floating point position is indicated by +// exp and the number of visible decimals is scale. All leading and trailing +// zeros may be omitted from digits. +// +// The following table contains examples of possible arguments to represent +// the given numbers. +// +// decimal digits exp scale +// 123 []byte{1, 2, 3} 3 0 +// 123.4 []byte{1, 2, 3, 4} 3 1 +// 123.40 []byte{1, 2, 3, 4} 3 2 +// 100000 []byte{1} 6 0 +// 100000.00 []byte{1} 6 3 +func (p *Rules) MatchDigits(t language.Tag, digits []byte, exp, scale int) Form { + index := tagToID(t) + + // Differentiate up to including mod 1000000 for the integer part. + n := getIntApprox(digits, 0, exp, 6, 1000000) + + // Differentiate up to including mod 100 for the fractional part. + f := getIntApprox(digits, exp, exp+scale, 2, 100) + + return matchPlural(p, index, n, f, scale) +} + +func (p *Rules) matchDisplayDigits(t language.Tag, d *number.Digits) (Form, int) { + n := getIntApprox(d.Digits, 0, int(d.Exp), 6, 1000000) + return p.MatchDigits(t, d.Digits, int(d.Exp), d.NumFracDigits()), n +} + +func validForms(p *Rules, t language.Tag) (forms []Form) { + offset := p.langToIndex[tagToID(t)] + rules := p.rules[p.index[offset]:p.index[offset+1]] + + forms = append(forms, Other) + last := Other + for _, r := range rules { + if cat := Form(r.cat & formMask); cat != andNext && last != cat { + forms = append(forms, cat) + last = cat + } + } + return forms +} + +func (p *Rules) matchComponents(t language.Tag, n, f, scale int) Form { + return matchPlural(p, tagToID(t), n, f, scale) +} + +// MatchPlural returns the plural form for the given language and plural +// operands (as defined in +// https://unicode.org/reports/tr35/tr35-numbers.html#Language_Plural_Rules): +// +// where +// n absolute value of the source number (integer and decimals) +// input +// i integer digits of n. +// v number of visible fraction digits in n, with trailing zeros. +// w number of visible fraction digits in n, without trailing zeros. +// f visible fractional digits in n, with trailing zeros (f = t * 10^(v-w)) +// t visible fractional digits in n, without trailing zeros. +// +// If any of the operand values is too large to fit in an int, it is okay to +// pass the value modulo 10,000,000. +func (p *Rules) MatchPlural(lang language.Tag, i, v, w, f, t int) Form { + return matchPlural(p, tagToID(lang), i, f, v) +} + +func matchPlural(p *Rules, index compact.ID, n, f, v int) Form { + nMask := p.inclusionMasks[n%maxMod] + // Compute the fMask inline in the rules below, as it is relatively rare. + // fMask := p.inclusionMasks[f%maxMod] + vMask := p.inclusionMasks[v%maxMod] + + // Do the matching + offset := p.langToIndex[index] + rules := p.rules[p.index[offset]:p.index[offset+1]] + for i := 0; i < len(rules); i++ { + rule := rules[i] + setBit := uint64(1 << rule.setID) + var skip bool + switch op := opID(rule.cat >> opShift); op { + case opI: // i = x + skip = n >= numN || nMask&setBit == 0 + + case opI | opNotEqual: // i != x + skip = n < numN && nMask&setBit != 0 + + case opI | opMod: // i % m = x + skip = nMask&setBit == 0 + + case opI | opMod | opNotEqual: // i % m != x + skip = nMask&setBit != 0 + + case opN: // n = x + skip = f != 0 || n >= numN || nMask&setBit == 0 + + case opN | opNotEqual: // n != x + skip = f == 0 && n < numN && nMask&setBit != 0 + + case opN | opMod: // n % m = x + skip = f != 0 || nMask&setBit == 0 + + case opN | opMod | opNotEqual: // n % m != x + skip = f == 0 && nMask&setBit != 0 + + case opF: // f = x + skip = f >= numN || p.inclusionMasks[f%maxMod]&setBit == 0 + + case opF | opNotEqual: // f != x + skip = f < numN && p.inclusionMasks[f%maxMod]&setBit != 0 + + case opF | opMod: // f % m = x + skip = p.inclusionMasks[f%maxMod]&setBit == 0 + + case opF | opMod | opNotEqual: // f % m != x + skip = p.inclusionMasks[f%maxMod]&setBit != 0 + + case opV: // v = x + skip = v < numN && vMask&setBit == 0 + + case opV | opNotEqual: // v != x + skip = v < numN && vMask&setBit != 0 + + case opW: // w == 0 + skip = f != 0 + + case opW | opNotEqual: // w != 0 + skip = f == 0 + + // Hard-wired rules that cannot be handled by our algorithm. + + case opBretonM: + skip = f != 0 || n == 0 || n%1000000 != 0 + + case opAzerbaijan00s: + // 100,200,300,400,500,600,700,800,900 + skip = n == 0 || n >= 1000 || n%100 != 0 + + case opItalian800: + skip = (f != 0 || n >= numN || nMask&setBit == 0) && n != 800 + } + if skip { + // advance over AND entries. + for ; i < len(rules) && rules[i].cat&formMask == andNext; i++ { + } + continue + } + // return if we have a final entry. + if cat := rule.cat & formMask; cat != andNext { + return Form(cat) + } + } + return Other +} + +func tagToID(t language.Tag) compact.ID { + id, _ := compact.RegionalID(compact.Tag(t)) + return id +} diff --git a/vendor/golang.org/x/text/feature/plural/tables.go b/vendor/golang.org/x/text/feature/plural/tables.go new file mode 100644 index 0000000000..b06b9cb4ea --- /dev/null +++ b/vendor/golang.org/x/text/feature/plural/tables.go @@ -0,0 +1,552 @@ +// Code generated by running "go generate" in golang.org/x/text. DO NOT EDIT. + +package plural + +// CLDRVersion is the CLDR version from which the tables in this package are derived. +const CLDRVersion = "32" + +var ordinalRules = []pluralCheck{ // 64 elements + 0: {cat: 0x2f, setID: 0x4}, + 1: {cat: 0x3a, setID: 0x5}, + 2: {cat: 0x22, setID: 0x1}, + 3: {cat: 0x22, setID: 0x6}, + 4: {cat: 0x22, setID: 0x7}, + 5: {cat: 0x2f, setID: 0x8}, + 6: {cat: 0x3c, setID: 0x9}, + 7: {cat: 0x2f, setID: 0xa}, + 8: {cat: 0x3c, setID: 0xb}, + 9: {cat: 0x2c, setID: 0xc}, + 10: {cat: 0x24, setID: 0xd}, + 11: {cat: 0x2d, setID: 0xe}, + 12: {cat: 0x2d, setID: 0xf}, + 13: {cat: 0x2f, setID: 0x10}, + 14: {cat: 0x35, setID: 0x3}, + 15: {cat: 0xc5, setID: 0x11}, + 16: {cat: 0x2, setID: 0x1}, + 17: {cat: 0x5, setID: 0x3}, + 18: {cat: 0xd, setID: 0x12}, + 19: {cat: 0x22, setID: 0x1}, + 20: {cat: 0x2f, setID: 0x13}, + 21: {cat: 0x3d, setID: 0x14}, + 22: {cat: 0x2f, setID: 0x15}, + 23: {cat: 0x3a, setID: 0x16}, + 24: {cat: 0x2f, setID: 0x17}, + 25: {cat: 0x3b, setID: 0x18}, + 26: {cat: 0x2f, setID: 0xa}, + 27: {cat: 0x3c, setID: 0xb}, + 28: {cat: 0x22, setID: 0x1}, + 29: {cat: 0x23, setID: 0x19}, + 30: {cat: 0x24, setID: 0x1a}, + 31: {cat: 0x22, setID: 0x1b}, + 32: {cat: 0x23, setID: 0x2}, + 33: {cat: 0x24, setID: 0x1a}, + 34: {cat: 0xf, setID: 0x15}, + 35: {cat: 0x1a, setID: 0x16}, + 36: {cat: 0xf, setID: 0x17}, + 37: {cat: 0x1b, setID: 0x18}, + 38: {cat: 0xf, setID: 0x1c}, + 39: {cat: 0x1d, setID: 0x1d}, + 40: {cat: 0xa, setID: 0x1e}, + 41: {cat: 0xa, setID: 0x1f}, + 42: {cat: 0xc, setID: 0x20}, + 43: {cat: 0xe4, setID: 0x0}, + 44: {cat: 0x5, setID: 0x3}, + 45: {cat: 0xd, setID: 0xe}, + 46: {cat: 0xd, setID: 0x21}, + 47: {cat: 0x22, setID: 0x1}, + 48: {cat: 0x23, setID: 0x19}, + 49: {cat: 0x24, setID: 0x1a}, + 50: {cat: 0x25, setID: 0x22}, + 51: {cat: 0x22, setID: 0x23}, + 52: {cat: 0x23, setID: 0x19}, + 53: {cat: 0x24, setID: 0x1a}, + 54: {cat: 0x25, setID: 0x22}, + 55: {cat: 0x22, setID: 0x24}, + 56: {cat: 0x23, setID: 0x19}, + 57: {cat: 0x24, setID: 0x1a}, + 58: {cat: 0x25, setID: 0x22}, + 59: {cat: 0x21, setID: 0x25}, + 60: {cat: 0x22, setID: 0x1}, + 61: {cat: 0x23, setID: 0x2}, + 62: {cat: 0x24, setID: 0x26}, + 63: {cat: 0x25, setID: 0x27}, +} // Size: 152 bytes + +var ordinalIndex = []uint8{ // 22 elements + 0x00, 0x00, 0x02, 0x03, 0x04, 0x05, 0x07, 0x09, + 0x0b, 0x0f, 0x10, 0x13, 0x16, 0x1c, 0x1f, 0x22, + 0x28, 0x2f, 0x33, 0x37, 0x3b, 0x40, +} // Size: 46 bytes + +var ordinalLangToIndex = []uint8{ // 775 elements + // Entry 0 - 3F + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x12, 0x12, 0x00, 0x00, 0x00, 0x00, 0x10, 0x10, + 0x10, 0x10, 0x10, 0x00, 0x00, 0x05, 0x05, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + // Entry 40 - 7F + 0x12, 0x12, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0e, + 0x0e, 0x0e, 0x0e, 0x0e, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x14, 0x14, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + // Entry 80 - BF + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0c, 0x0c, + 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, + 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, + 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, + 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, + 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, + 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, + 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, + // Entry C0 - FF + 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, + 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, + 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, + 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, + 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, + 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + // Entry 100 - 13F + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x02, + 0x00, 0x00, 0x00, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + // Entry 140 - 17F + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x00, 0x00, 0x00, 0x00, 0x02, 0x02, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x11, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11, + 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x03, + 0x02, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + // Entry 180 - 1BF + 0x00, 0x00, 0x00, 0x00, 0x09, 0x09, 0x09, 0x09, + 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x0a, 0x0a, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x08, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + // Entry 1C0 - 1FF + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x02, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x0f, 0x0f, 0x00, 0x00, + 0x00, 0x00, 0x02, 0x0d, 0x0d, 0x02, 0x02, 0x02, + 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + // Entry 200 - 23F + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x04, 0x04, 0x04, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x13, 0x13, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + // Entry 240 - 27F + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, + 0x02, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + // Entry 280 - 2BF + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x0b, 0x0b, 0x0b, 0x0b, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x01, 0x01, + 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x07, 0x07, 0x02, 0x00, 0x00, 0x00, 0x00, + // Entry 2C0 - 2FF + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x06, 0x06, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x02, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + // Entry 300 - 33F + 0x00, 0x00, 0x00, 0x00, 0x00, 0x0e, 0x0c, +} // Size: 799 bytes + +var ordinalInclusionMasks = []uint64{ // 100 elements + // Entry 0 - 1F + 0x0000002000010009, 0x00000018482000d3, 0x0000000042840195, 0x000000410a040581, + 0x00000041040c0081, 0x0000009840040041, 0x0000008400045001, 0x0000003850040001, + 0x0000003850060001, 0x0000003800049001, 0x0000000800052001, 0x0000000040660031, + 0x0000000041840331, 0x0000000100040f01, 0x00000001001c0001, 0x0000000040040001, + 0x0000000000045001, 0x0000000070040001, 0x0000000070040001, 0x0000000000049001, + 0x0000000080050001, 0x0000000040200011, 0x0000000040800111, 0x0000000100000501, + 0x0000000100080001, 0x0000000040000001, 0x0000000000005001, 0x0000000050000001, + 0x0000000050000001, 0x0000000000009001, 0x0000000000010001, 0x0000000040200011, + // Entry 20 - 3F + 0x0000000040800111, 0x0000000100000501, 0x0000000100080001, 0x0000000040000001, + 0x0000000000005001, 0x0000000050000001, 0x0000000050000001, 0x0000000000009001, + 0x0000000200050001, 0x0000000040200011, 0x0000000040800111, 0x0000000100000501, + 0x0000000100080001, 0x0000000040000001, 0x0000000000005001, 0x0000000050000001, + 0x0000000050000001, 0x0000000000009001, 0x0000000080010001, 0x0000000040200011, + 0x0000000040800111, 0x0000000100000501, 0x0000000100080001, 0x0000000040000001, + 0x0000000000005001, 0x0000000050000001, 0x0000000050000001, 0x0000000000009001, + 0x0000000200050001, 0x0000000040200011, 0x0000000040800111, 0x0000000100000501, + // Entry 40 - 5F + 0x0000000100080001, 0x0000000040000001, 0x0000000000005001, 0x0000000050000001, + 0x0000000050000001, 0x0000000000009001, 0x0000000080010001, 0x0000000040200011, + 0x0000000040800111, 0x0000000100000501, 0x0000000100080001, 0x0000000040000001, + 0x0000000000005001, 0x0000000050000001, 0x0000000050000001, 0x0000000000009001, + 0x0000000080070001, 0x0000000040200011, 0x0000000040800111, 0x0000000100000501, + 0x0000000100080001, 0x0000000040000001, 0x0000000000005001, 0x0000000050000001, + 0x0000000050000001, 0x0000000000009001, 0x0000000200010001, 0x0000000040200011, + 0x0000000040800111, 0x0000000100000501, 0x0000000100080001, 0x0000000040000001, + // Entry 60 - 7F + 0x0000000000005001, 0x0000000050000001, 0x0000000050000001, 0x0000000000009001, +} // Size: 824 bytes + +// Slots used for ordinal: 40 of 0xFF rules; 16 of 0xFF indexes; 40 of 64 sets + +var cardinalRules = []pluralCheck{ // 166 elements + 0: {cat: 0x2, setID: 0x3}, + 1: {cat: 0x22, setID: 0x1}, + 2: {cat: 0x2, setID: 0x4}, + 3: {cat: 0x2, setID: 0x4}, + 4: {cat: 0x7, setID: 0x1}, + 5: {cat: 0x62, setID: 0x3}, + 6: {cat: 0x22, setID: 0x4}, + 7: {cat: 0x7, setID: 0x3}, + 8: {cat: 0x42, setID: 0x1}, + 9: {cat: 0x22, setID: 0x4}, + 10: {cat: 0x22, setID: 0x4}, + 11: {cat: 0x22, setID: 0x5}, + 12: {cat: 0x22, setID: 0x1}, + 13: {cat: 0x22, setID: 0x1}, + 14: {cat: 0x7, setID: 0x4}, + 15: {cat: 0x92, setID: 0x3}, + 16: {cat: 0xf, setID: 0x6}, + 17: {cat: 0x1f, setID: 0x7}, + 18: {cat: 0x82, setID: 0x3}, + 19: {cat: 0x92, setID: 0x3}, + 20: {cat: 0xf, setID: 0x6}, + 21: {cat: 0x62, setID: 0x3}, + 22: {cat: 0x4a, setID: 0x6}, + 23: {cat: 0x7, setID: 0x8}, + 24: {cat: 0x62, setID: 0x3}, + 25: {cat: 0x1f, setID: 0x9}, + 26: {cat: 0x62, setID: 0x3}, + 27: {cat: 0x5f, setID: 0x9}, + 28: {cat: 0x72, setID: 0x3}, + 29: {cat: 0x29, setID: 0xa}, + 30: {cat: 0x29, setID: 0xb}, + 31: {cat: 0x4f, setID: 0xb}, + 32: {cat: 0x61, setID: 0x2}, + 33: {cat: 0x2f, setID: 0x6}, + 34: {cat: 0x3a, setID: 0x7}, + 35: {cat: 0x4f, setID: 0x6}, + 36: {cat: 0x5f, setID: 0x7}, + 37: {cat: 0x62, setID: 0x2}, + 38: {cat: 0x4f, setID: 0x6}, + 39: {cat: 0x72, setID: 0x2}, + 40: {cat: 0x21, setID: 0x3}, + 41: {cat: 0x7, setID: 0x4}, + 42: {cat: 0x32, setID: 0x3}, + 43: {cat: 0x21, setID: 0x3}, + 44: {cat: 0x22, setID: 0x1}, + 45: {cat: 0x22, setID: 0x1}, + 46: {cat: 0x23, setID: 0x2}, + 47: {cat: 0x2, setID: 0x3}, + 48: {cat: 0x22, setID: 0x1}, + 49: {cat: 0x24, setID: 0xc}, + 50: {cat: 0x7, setID: 0x1}, + 51: {cat: 0x62, setID: 0x3}, + 52: {cat: 0x74, setID: 0x3}, + 53: {cat: 0x24, setID: 0x3}, + 54: {cat: 0x2f, setID: 0xd}, + 55: {cat: 0x34, setID: 0x1}, + 56: {cat: 0xf, setID: 0x6}, + 57: {cat: 0x1f, setID: 0x7}, + 58: {cat: 0x62, setID: 0x3}, + 59: {cat: 0x4f, setID: 0x6}, + 60: {cat: 0x5a, setID: 0x7}, + 61: {cat: 0xf, setID: 0xe}, + 62: {cat: 0x1f, setID: 0xf}, + 63: {cat: 0x64, setID: 0x3}, + 64: {cat: 0x4f, setID: 0xe}, + 65: {cat: 0x5c, setID: 0xf}, + 66: {cat: 0x22, setID: 0x10}, + 67: {cat: 0x23, setID: 0x11}, + 68: {cat: 0x24, setID: 0x12}, + 69: {cat: 0xf, setID: 0x1}, + 70: {cat: 0x62, setID: 0x3}, + 71: {cat: 0xf, setID: 0x2}, + 72: {cat: 0x63, setID: 0x3}, + 73: {cat: 0xf, setID: 0x13}, + 74: {cat: 0x64, setID: 0x3}, + 75: {cat: 0x74, setID: 0x3}, + 76: {cat: 0xf, setID: 0x1}, + 77: {cat: 0x62, setID: 0x3}, + 78: {cat: 0x4a, setID: 0x1}, + 79: {cat: 0xf, setID: 0x2}, + 80: {cat: 0x63, setID: 0x3}, + 81: {cat: 0x4b, setID: 0x2}, + 82: {cat: 0xf, setID: 0x13}, + 83: {cat: 0x64, setID: 0x3}, + 84: {cat: 0x4c, setID: 0x13}, + 85: {cat: 0x7, setID: 0x1}, + 86: {cat: 0x62, setID: 0x3}, + 87: {cat: 0x7, setID: 0x2}, + 88: {cat: 0x63, setID: 0x3}, + 89: {cat: 0x2f, setID: 0xa}, + 90: {cat: 0x37, setID: 0x14}, + 91: {cat: 0x65, setID: 0x3}, + 92: {cat: 0x7, setID: 0x1}, + 93: {cat: 0x62, setID: 0x3}, + 94: {cat: 0x7, setID: 0x15}, + 95: {cat: 0x64, setID: 0x3}, + 96: {cat: 0x75, setID: 0x3}, + 97: {cat: 0x7, setID: 0x1}, + 98: {cat: 0x62, setID: 0x3}, + 99: {cat: 0xf, setID: 0xe}, + 100: {cat: 0x1f, setID: 0xf}, + 101: {cat: 0x64, setID: 0x3}, + 102: {cat: 0xf, setID: 0x16}, + 103: {cat: 0x17, setID: 0x1}, + 104: {cat: 0x65, setID: 0x3}, + 105: {cat: 0xf, setID: 0x17}, + 106: {cat: 0x65, setID: 0x3}, + 107: {cat: 0xf, setID: 0xf}, + 108: {cat: 0x65, setID: 0x3}, + 109: {cat: 0x2f, setID: 0x6}, + 110: {cat: 0x3a, setID: 0x7}, + 111: {cat: 0x2f, setID: 0xe}, + 112: {cat: 0x3c, setID: 0xf}, + 113: {cat: 0x2d, setID: 0xa}, + 114: {cat: 0x2d, setID: 0x17}, + 115: {cat: 0x2d, setID: 0x18}, + 116: {cat: 0x2f, setID: 0x6}, + 117: {cat: 0x3a, setID: 0xb}, + 118: {cat: 0x2f, setID: 0x19}, + 119: {cat: 0x3c, setID: 0xb}, + 120: {cat: 0x55, setID: 0x3}, + 121: {cat: 0x22, setID: 0x1}, + 122: {cat: 0x24, setID: 0x3}, + 123: {cat: 0x2c, setID: 0xc}, + 124: {cat: 0x2d, setID: 0xb}, + 125: {cat: 0xf, setID: 0x6}, + 126: {cat: 0x1f, setID: 0x7}, + 127: {cat: 0x62, setID: 0x3}, + 128: {cat: 0xf, setID: 0xe}, + 129: {cat: 0x1f, setID: 0xf}, + 130: {cat: 0x64, setID: 0x3}, + 131: {cat: 0xf, setID: 0xa}, + 132: {cat: 0x65, setID: 0x3}, + 133: {cat: 0xf, setID: 0x17}, + 134: {cat: 0x65, setID: 0x3}, + 135: {cat: 0xf, setID: 0x18}, + 136: {cat: 0x65, setID: 0x3}, + 137: {cat: 0x2f, setID: 0x6}, + 138: {cat: 0x3a, setID: 0x1a}, + 139: {cat: 0x2f, setID: 0x1b}, + 140: {cat: 0x3b, setID: 0x1c}, + 141: {cat: 0x2f, setID: 0x1d}, + 142: {cat: 0x3c, setID: 0x1e}, + 143: {cat: 0x37, setID: 0x3}, + 144: {cat: 0xa5, setID: 0x0}, + 145: {cat: 0x22, setID: 0x1}, + 146: {cat: 0x23, setID: 0x2}, + 147: {cat: 0x24, setID: 0x1f}, + 148: {cat: 0x25, setID: 0x20}, + 149: {cat: 0xf, setID: 0x6}, + 150: {cat: 0x62, setID: 0x3}, + 151: {cat: 0xf, setID: 0x1b}, + 152: {cat: 0x63, setID: 0x3}, + 153: {cat: 0xf, setID: 0x21}, + 154: {cat: 0x64, setID: 0x3}, + 155: {cat: 0x75, setID: 0x3}, + 156: {cat: 0x21, setID: 0x3}, + 157: {cat: 0x22, setID: 0x1}, + 158: {cat: 0x23, setID: 0x2}, + 159: {cat: 0x2c, setID: 0x22}, + 160: {cat: 0x2d, setID: 0x5}, + 161: {cat: 0x21, setID: 0x3}, + 162: {cat: 0x22, setID: 0x1}, + 163: {cat: 0x23, setID: 0x2}, + 164: {cat: 0x24, setID: 0x23}, + 165: {cat: 0x25, setID: 0x24}, +} // Size: 356 bytes + +var cardinalIndex = []uint8{ // 36 elements + 0x00, 0x00, 0x02, 0x03, 0x04, 0x06, 0x09, 0x0a, + 0x0c, 0x0d, 0x10, 0x14, 0x17, 0x1d, 0x28, 0x2b, + 0x2d, 0x2f, 0x32, 0x38, 0x42, 0x45, 0x4c, 0x55, + 0x5c, 0x61, 0x6d, 0x74, 0x79, 0x7d, 0x89, 0x91, + 0x95, 0x9c, 0xa1, 0xa6, +} // Size: 60 bytes + +var cardinalLangToIndex = []uint8{ // 775 elements + // Entry 0 - 3F + 0x00, 0x08, 0x08, 0x08, 0x00, 0x00, 0x06, 0x06, + 0x01, 0x01, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, + 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, + 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, + 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, 0x21, + 0x01, 0x01, 0x08, 0x08, 0x04, 0x04, 0x08, 0x08, + 0x08, 0x08, 0x08, 0x00, 0x00, 0x1a, 0x1a, 0x08, + 0x08, 0x08, 0x08, 0x08, 0x08, 0x06, 0x00, 0x00, + // Entry 40 - 7F + 0x01, 0x01, 0x01, 0x00, 0x00, 0x00, 0x1e, 0x1e, + 0x08, 0x08, 0x13, 0x13, 0x13, 0x13, 0x13, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x00, 0x00, 0x00, 0x08, + 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, + 0x18, 0x18, 0x00, 0x00, 0x22, 0x22, 0x09, 0x09, + 0x09, 0x00, 0x00, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x00, 0x00, 0x16, 0x16, 0x00, + 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + // Entry 80 - BF + 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + // Entry C0 - FF + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x08, + 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, + 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, + // Entry 100 - 13F + 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, + 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x04, 0x04, + 0x08, 0x08, 0x00, 0x00, 0x01, 0x01, 0x01, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x04, 0x04, 0x0c, 0x0c, + 0x08, 0x08, 0x08, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + // Entry 140 - 17F + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x08, 0x08, 0x04, 0x04, 0x1f, 0x1f, + 0x14, 0x14, 0x04, 0x04, 0x08, 0x08, 0x08, 0x08, + 0x01, 0x01, 0x06, 0x00, 0x00, 0x20, 0x20, 0x08, + 0x08, 0x08, 0x08, 0x08, 0x08, 0x17, 0x17, 0x01, + 0x01, 0x13, 0x13, 0x13, 0x16, 0x16, 0x08, 0x08, + 0x02, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + // Entry 180 - 1BF + 0x00, 0x04, 0x0a, 0x0a, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x10, 0x17, 0x00, 0x00, 0x00, 0x08, 0x08, + 0x04, 0x08, 0x08, 0x00, 0x00, 0x08, 0x08, 0x02, + 0x02, 0x08, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x08, 0x08, + 0x08, 0x08, 0x08, 0x00, 0x00, 0x00, 0x00, 0x01, + 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x08, + 0x08, 0x08, 0x00, 0x00, 0x0f, 0x0f, 0x08, 0x10, + // Entry 1C0 - 1FF + 0x10, 0x08, 0x08, 0x0e, 0x0e, 0x08, 0x08, 0x08, + 0x08, 0x00, 0x00, 0x06, 0x06, 0x06, 0x06, 0x06, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x1b, 0x1b, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x0d, 0x0d, 0x08, + 0x08, 0x08, 0x00, 0x00, 0x00, 0x00, 0x06, 0x06, + 0x00, 0x00, 0x08, 0x08, 0x0b, 0x0b, 0x08, 0x08, + 0x08, 0x08, 0x12, 0x01, 0x01, 0x00, 0x00, 0x00, + 0x00, 0x1c, 0x1c, 0x00, 0x00, 0x00, 0x00, 0x00, + // Entry 200 - 23F + 0x00, 0x08, 0x10, 0x10, 0x08, 0x08, 0x08, 0x08, + 0x08, 0x00, 0x00, 0x00, 0x08, 0x08, 0x08, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x00, + 0x00, 0x08, 0x08, 0x08, 0x08, 0x08, 0x00, 0x08, + 0x06, 0x00, 0x00, 0x08, 0x08, 0x08, 0x08, 0x08, + 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x06, 0x06, + 0x06, 0x06, 0x06, 0x08, 0x19, 0x19, 0x0d, 0x0d, + 0x08, 0x08, 0x03, 0x04, 0x03, 0x04, 0x04, 0x04, + // Entry 240 - 27F + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x00, + 0x00, 0x00, 0x00, 0x08, 0x08, 0x00, 0x00, 0x12, + 0x12, 0x12, 0x08, 0x08, 0x1d, 0x1d, 0x1d, 0x1d, + 0x1d, 0x1d, 0x1d, 0x00, 0x00, 0x08, 0x08, 0x00, + 0x00, 0x08, 0x08, 0x00, 0x00, 0x08, 0x08, 0x08, + 0x10, 0x10, 0x10, 0x10, 0x08, 0x08, 0x00, 0x00, + 0x00, 0x00, 0x13, 0x11, 0x11, 0x11, 0x11, 0x11, + 0x05, 0x05, 0x18, 0x18, 0x15, 0x15, 0x10, 0x10, + // Entry 280 - 2BF + 0x10, 0x10, 0x10, 0x10, 0x08, 0x08, 0x08, 0x08, + 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x13, + 0x13, 0x13, 0x13, 0x13, 0x13, 0x13, 0x13, 0x13, + 0x13, 0x13, 0x08, 0x08, 0x08, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x08, 0x08, + 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, + 0x08, 0x00, 0x00, 0x00, 0x00, 0x06, 0x06, 0x06, + 0x08, 0x08, 0x08, 0x0c, 0x08, 0x00, 0x00, 0x08, + // Entry 2C0 - 2FF + 0x08, 0x08, 0x08, 0x00, 0x00, 0x00, 0x00, 0x07, + 0x07, 0x08, 0x08, 0x1d, 0x1d, 0x04, 0x04, 0x04, + 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x08, + 0x08, 0x08, 0x08, 0x06, 0x08, 0x08, 0x00, 0x00, + 0x08, 0x08, 0x08, 0x00, 0x00, 0x04, 0x04, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + // Entry 300 - 33F + 0x00, 0x00, 0x00, 0x01, 0x01, 0x04, 0x04, +} // Size: 799 bytes + +var cardinalInclusionMasks = []uint64{ // 100 elements + // Entry 0 - 1F + 0x0000000200500419, 0x0000000000512153, 0x000000000a327105, 0x0000000ca23c7101, + 0x00000004a23c7201, 0x0000000482943001, 0x0000001482943201, 0x0000000502943001, + 0x0000000502943001, 0x0000000522943201, 0x0000000540543401, 0x00000000454128e1, + 0x000000005b02e821, 0x000000006304e821, 0x000000006304ea21, 0x0000000042842821, + 0x0000000042842a21, 0x0000000042842821, 0x0000000042842821, 0x0000000062842a21, + 0x0000000200400421, 0x0000000000400061, 0x000000000a004021, 0x0000000022004021, + 0x0000000022004221, 0x0000000002800021, 0x0000000002800221, 0x0000000002800021, + 0x0000000002800021, 0x0000000022800221, 0x0000000000400421, 0x0000000000400061, + // Entry 20 - 3F + 0x000000000a004021, 0x0000000022004021, 0x0000000022004221, 0x0000000002800021, + 0x0000000002800221, 0x0000000002800021, 0x0000000002800021, 0x0000000022800221, + 0x0000000200400421, 0x0000000000400061, 0x000000000a004021, 0x0000000022004021, + 0x0000000022004221, 0x0000000002800021, 0x0000000002800221, 0x0000000002800021, + 0x0000000002800021, 0x0000000022800221, 0x0000000000400421, 0x0000000000400061, + 0x000000000a004021, 0x0000000022004021, 0x0000000022004221, 0x0000000002800021, + 0x0000000002800221, 0x0000000002800021, 0x0000000002800021, 0x0000000022800221, + 0x0000000200400421, 0x0000000000400061, 0x000000000a004021, 0x0000000022004021, + // Entry 40 - 5F + 0x0000000022004221, 0x0000000002800021, 0x0000000002800221, 0x0000000002800021, + 0x0000000002800021, 0x0000000022800221, 0x0000000040400421, 0x0000000044400061, + 0x000000005a004021, 0x0000000062004021, 0x0000000062004221, 0x0000000042800021, + 0x0000000042800221, 0x0000000042800021, 0x0000000042800021, 0x0000000062800221, + 0x0000000200400421, 0x0000000000400061, 0x000000000a004021, 0x0000000022004021, + 0x0000000022004221, 0x0000000002800021, 0x0000000002800221, 0x0000000002800021, + 0x0000000002800021, 0x0000000022800221, 0x0000000040400421, 0x0000000044400061, + 0x000000005a004021, 0x0000000062004021, 0x0000000062004221, 0x0000000042800021, + // Entry 60 - 7F + 0x0000000042800221, 0x0000000042800021, 0x0000000042800021, 0x0000000062800221, +} // Size: 824 bytes + +// Slots used for cardinal: A6 of 0xFF rules; 24 of 0xFF indexes; 37 of 64 sets + +// Total table size 3860 bytes (3KiB); checksum: AAFBF21 diff --git a/vendor/golang.org/x/text/internal/catmsg/catmsg.go b/vendor/golang.org/x/text/internal/catmsg/catmsg.go new file mode 100644 index 0000000000..1b257a7b4d --- /dev/null +++ b/vendor/golang.org/x/text/internal/catmsg/catmsg.go @@ -0,0 +1,417 @@ +// Copyright 2017 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +// Package catmsg contains support types for package x/text/message/catalog. +// +// This package contains the low-level implementations of Message used by the +// catalog package and provides primitives for other packages to implement their +// own. For instance, the plural package provides functionality for selecting +// translation strings based on the plural category of substitution arguments. +// +// # Encoding and Decoding +// +// Catalogs store Messages encoded as a single string. Compiling a message into +// a string both results in compacter representation and speeds up evaluation. +// +// A Message must implement a Compile method to convert its arbitrary +// representation to a string. The Compile method takes an Encoder which +// facilitates serializing the message. Encoders also provide more context of +// the messages's creation (such as for which language the message is intended), +// which may not be known at the time of the creation of the message. +// +// Each message type must also have an accompanying decoder registered to decode +// the message. This decoder takes a Decoder argument which provides the +// counterparts for the decoding. +// +// # Renderers +// +// A Decoder must be initialized with a Renderer implementation. These +// implementations must be provided by packages that use Catalogs, typically +// formatting packages such as x/text/message. A typical user will not need to +// worry about this type; it is only relevant to packages that do string +// formatting and want to use the catalog package to handle localized strings. +// +// A package that uses catalogs for selecting strings receives selection results +// as sequence of substrings passed to the Renderer. The following snippet shows +// how to express the above example using the message package. +// +// message.Set(language.English, "You are %d minute(s) late.", +// catalog.Var("minutes", plural.Select(1, "one", "minute")), +// catalog.String("You are %[1]d ${minutes} late.")) +// +// p := message.NewPrinter(language.English) +// p.Printf("You are %d minute(s) late.", 5) // always 5 minutes late. +// +// To evaluate the Printf, package message wraps the arguments in a Renderer +// that is passed to the catalog for message decoding. The call sequence that +// results from evaluating the above message, assuming the person is rather +// tardy, is: +// +// Render("You are %[1]d ") +// Arg(1) +// Render("minutes") +// Render(" late.") +// +// The calls to Arg is caused by the plural.Select execution, which evaluates +// the argument to determine whether the singular or plural message form should +// be selected. The calls to Render reports the partial results to the message +// package for further evaluation. +package catmsg + +import ( + "errors" + "fmt" + "strconv" + "strings" + "sync" + + "golang.org/x/text/language" +) + +// A Handle refers to a registered message type. +type Handle int + +// A Handler decodes and evaluates data compiled by a Message and sends the +// result to the Decoder. The output may depend on the value of the substitution +// arguments, accessible by the Decoder's Arg method. The Handler returns false +// if there is no translation for the given substitution arguments. +type Handler func(d *Decoder) bool + +// Register records the existence of a message type and returns a Handle that +// can be used in the Encoder's EncodeMessageType method to create such +// messages. The prefix of the name should be the package path followed by +// an optional disambiguating string. +// Register will panic if a handle for the same name was already registered. +func Register(name string, handler Handler) Handle { + mutex.Lock() + defer mutex.Unlock() + + if _, ok := names[name]; ok { + panic(fmt.Errorf("catmsg: handler for %q already exists", name)) + } + h := Handle(len(handlers)) + names[name] = h + handlers = append(handlers, handler) + return h +} + +// These handlers require fixed positions in the handlers slice. +const ( + msgVars Handle = iota + msgFirst + msgRaw + msgString + msgAffix + // Leave some arbitrary room for future expansion: 20 should suffice. + numInternal = 20 +) + +const prefix = "golang.org/x/text/internal/catmsg." + +var ( + // TODO: find a more stable way to link handles to message types. + mutex sync.Mutex + names = map[string]Handle{ + prefix + "Vars": msgVars, + prefix + "First": msgFirst, + prefix + "Raw": msgRaw, + prefix + "String": msgString, + prefix + "Affix": msgAffix, + } + handlers = make([]Handler, numInternal) +) + +func init() { + // This handler is a message type wrapper that initializes a decoder + // with a variable block. This message type, if present, is always at the + // start of an encoded message. + handlers[msgVars] = func(d *Decoder) bool { + blockSize := int(d.DecodeUint()) + d.vars = d.data[:blockSize] + d.data = d.data[blockSize:] + return d.executeMessage() + } + + // First takes the first message in a sequence that results in a match for + // the given substitution arguments. + handlers[msgFirst] = func(d *Decoder) bool { + for !d.Done() { + if d.ExecuteMessage() { + return true + } + } + return false + } + + handlers[msgRaw] = func(d *Decoder) bool { + d.Render(d.data) + return true + } + + // A String message alternates between a string constant and a variable + // substitution. + handlers[msgString] = func(d *Decoder) bool { + for !d.Done() { + if str := d.DecodeString(); str != "" { + d.Render(str) + } + if d.Done() { + break + } + d.ExecuteSubstitution() + } + return true + } + + handlers[msgAffix] = func(d *Decoder) bool { + // TODO: use an alternative method for common cases. + prefix := d.DecodeString() + suffix := d.DecodeString() + if prefix != "" { + d.Render(prefix) + } + ret := d.ExecuteMessage() + if suffix != "" { + d.Render(suffix) + } + return ret + } +} + +var ( + // ErrIncomplete indicates a compiled message does not define translations + // for all possible argument values. If this message is returned, evaluating + // a message may result in the ErrNoMatch error. + ErrIncomplete = errors.New("catmsg: incomplete message; may not give result for all inputs") + + // ErrNoMatch indicates no translation message matched the given input + // parameters when evaluating a message. + ErrNoMatch = errors.New("catmsg: no translation for inputs") +) + +// A Message holds a collection of translations for the same phrase that may +// vary based on the values of substitution arguments. +type Message interface { + // Compile encodes the format string(s) of the message as a string for later + // evaluation. + // + // The first call Compile makes on the encoder must be EncodeMessageType. + // The handle passed to this call may either be a handle returned by + // Register to encode a single custom message, or HandleFirst followed by + // a sequence of calls to EncodeMessage. + // + // Compile must return ErrIncomplete if it is possible for evaluation to + // not match any translation for a given set of formatting parameters. + // For example, selecting a translation based on plural form may not yield + // a match if the form "Other" is not one of the selectors. + // + // Compile may return any other application-specific error. For backwards + // compatibility with package like fmt, which often do not do sanity + // checking of format strings ahead of time, Compile should still make an + // effort to have some sensible fallback in case of an error. + Compile(e *Encoder) error +} + +// Compile converts a Message to a data string that can be stored in a Catalog. +// The resulting string can subsequently be decoded by passing to the Execute +// method of a Decoder. +func Compile(tag language.Tag, macros Dictionary, m Message) (data string, err error) { + // TODO: pass macros so they can be used for validation. + v := &Encoder{inBody: true} // encoder for variables + v.root = v + e := &Encoder{root: v, parent: v, tag: tag} // encoder for messages + err = m.Compile(e) + // This package serves te message package, which in turn is meant to be a + // drop-in replacement for fmt. With the fmt package, format strings are + // evaluated lazily and errors are handled by substituting strings in the + // result, rather then returning an error. Dealing with multiple languages + // makes it more important to check errors ahead of time. We chose to be + // consistent and compatible and allow graceful degradation in case of + // errors. + buf := e.buf[stripPrefix(e.buf):] + if len(v.buf) > 0 { + // Prepend variable block. + b := make([]byte, 1+maxVarintBytes+len(v.buf)+len(buf)) + b[0] = byte(msgVars) + b = b[:1+encodeUint(b[1:], uint64(len(v.buf)))] + b = append(b, v.buf...) + b = append(b, buf...) + buf = b + } + if err == nil { + err = v.err + } + return string(buf), err +} + +// FirstOf is a message type that prints the first message in the sequence that +// resolves to a match for the given substitution arguments. +type FirstOf []Message + +// Compile implements Message. +func (s FirstOf) Compile(e *Encoder) error { + e.EncodeMessageType(msgFirst) + err := ErrIncomplete + for i, m := range s { + if err == nil { + return fmt.Errorf("catalog: message argument %d is complete and blocks subsequent messages", i-1) + } + err = e.EncodeMessage(m) + } + return err +} + +// Var defines a message that can be substituted for a placeholder of the same +// name. If an expression does not result in a string after evaluation, Name is +// used as the substitution. For example: +// +// Var{ +// Name: "minutes", +// Message: plural.Select(1, "one", "minute"), +// } +// +// will resolve to minute for singular and minutes for plural forms. +type Var struct { + Name string + Message Message +} + +var errIsVar = errors.New("catmsg: variable used as message") + +// Compile implements Message. +// +// Note that this method merely registers a variable; it does not create an +// encoded message. +func (v *Var) Compile(e *Encoder) error { + if err := e.addVar(v.Name, v.Message); err != nil { + return err + } + // Using a Var by itself is an error. If it is in a sequence followed by + // other messages referring to it, this error will be ignored. + return errIsVar +} + +// Raw is a message consisting of a single format string that is passed as is +// to the Renderer. +// +// Note that a Renderer may still do its own variable substitution. +type Raw string + +// Compile implements Message. +func (r Raw) Compile(e *Encoder) (err error) { + e.EncodeMessageType(msgRaw) + // Special case: raw strings don't have a size encoding and so don't use + // EncodeString. + e.buf = append(e.buf, r...) + return nil +} + +// String is a message consisting of a single format string which contains +// placeholders that may be substituted with variables. +// +// Variable substitutions are marked with placeholders and a variable name of +// the form ${name}. Any other substitutions such as Go templates or +// printf-style substitutions are left to be done by the Renderer. +// +// When evaluation a string interpolation, a Renderer will receive separate +// calls for each placeholder and interstitial string. For example, for the +// message: "%[1]v ${invites} %[2]v to ${their} party." The sequence of calls +// is: +// +// d.Render("%[1]v ") +// d.Arg(1) +// d.Render(resultOfInvites) +// d.Render(" %[2]v to ") +// d.Arg(2) +// d.Render(resultOfTheir) +// d.Render(" party.") +// +// where the messages for "invites" and "their" both use a plural.Select +// referring to the first argument. +// +// Strings may also invoke macros. Macros are essentially variables that can be +// reused. Macros may, for instance, be used to make selections between +// different conjugations of a verb. See the catalog package description for an +// overview of macros. +type String string + +// Compile implements Message. It parses the placeholder formats and returns +// any error. +func (s String) Compile(e *Encoder) (err error) { + msg := string(s) + const subStart = "${" + hasHeader := false + p := 0 + b := []byte{} + for { + i := strings.Index(msg[p:], subStart) + if i == -1 { + break + } + b = append(b, msg[p:p+i]...) + p += i + len(subStart) + if i = strings.IndexByte(msg[p:], '}'); i == -1 { + b = append(b, "$!(MISSINGBRACE)"...) + err = fmt.Errorf("catmsg: missing '}'") + p = len(msg) + break + } + name := strings.TrimSpace(msg[p : p+i]) + if q := strings.IndexByte(name, '('); q == -1 { + if !hasHeader { + hasHeader = true + e.EncodeMessageType(msgString) + } + e.EncodeString(string(b)) + e.EncodeSubstitution(name) + b = b[:0] + } else if j := strings.IndexByte(name[q:], ')'); j == -1 { + // TODO: what should the error be? + b = append(b, "$!(MISSINGPAREN)"...) + err = fmt.Errorf("catmsg: missing ')'") + } else if x, sErr := strconv.ParseUint(strings.TrimSpace(name[q+1:q+j]), 10, 32); sErr != nil { + // TODO: handle more than one argument + b = append(b, "$!(BADNUM)"...) + err = fmt.Errorf("catmsg: invalid number %q", strings.TrimSpace(name[q+1:q+j])) + } else { + if !hasHeader { + hasHeader = true + e.EncodeMessageType(msgString) + } + e.EncodeString(string(b)) + e.EncodeSubstitution(name[:q], int(x)) + b = b[:0] + } + p += i + 1 + } + b = append(b, msg[p:]...) + if !hasHeader { + // Simplify string to a raw string. + Raw(string(b)).Compile(e) + } else if len(b) > 0 { + e.EncodeString(string(b)) + } + return err +} + +// Affix is a message that adds a prefix and suffix to another message. +// This is mostly used add back whitespace to a translation that was stripped +// before sending it out. +type Affix struct { + Message Message + Prefix string + Suffix string +} + +// Compile implements Message. +func (a Affix) Compile(e *Encoder) (err error) { + // TODO: consider adding a special message type that just adds a single + // return. This is probably common enough to handle the majority of cases. + // Get some stats first, though. + e.EncodeMessageType(msgAffix) + e.EncodeString(a.Prefix) + e.EncodeString(a.Suffix) + e.EncodeMessage(a.Message) + return nil +} diff --git a/vendor/golang.org/x/text/internal/catmsg/codec.go b/vendor/golang.org/x/text/internal/catmsg/codec.go new file mode 100644 index 0000000000..547802b0f3 --- /dev/null +++ b/vendor/golang.org/x/text/internal/catmsg/codec.go @@ -0,0 +1,407 @@ +// Copyright 2017 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package catmsg + +import ( + "errors" + "fmt" + + "golang.org/x/text/language" +) + +// A Renderer renders a Message. +type Renderer interface { + // Render renders the given string. The given string may be interpreted as a + // format string, such as the one used by the fmt package or a template. + Render(s string) + + // Arg returns the i-th argument passed to format a message. This method + // should return nil if there is no such argument. Messages need access to + // arguments to allow selecting a message based on linguistic features of + // those arguments. + Arg(i int) interface{} +} + +// A Dictionary specifies a source of messages, including variables or macros. +type Dictionary interface { + // Lookup returns the message for the given key. It returns false for ok if + // such a message could not be found. + Lookup(key string) (data string, ok bool) + + // TODO: consider returning an interface, instead of a string. This will + // allow implementations to do their own message type decoding. +} + +// An Encoder serializes a Message to a string. +type Encoder struct { + // The root encoder is used for storing encoded variables. + root *Encoder + // The parent encoder provides the surrounding scopes for resolving variable + // names. + parent *Encoder + + tag language.Tag + + // buf holds the encoded message so far. After a message completes encoding, + // the contents of buf, prefixed by the encoded length, are flushed to the + // parent buffer. + buf []byte + + // vars is the lookup table of variables in the current scope. + vars []keyVal + + err error + inBody bool // if false next call must be EncodeMessageType +} + +type keyVal struct { + key string + offset int +} + +// Language reports the language for which the encoded message will be stored +// in the Catalog. +func (e *Encoder) Language() language.Tag { return e.tag } + +func (e *Encoder) setError(err error) { + if e.root.err == nil { + e.root.err = err + } +} + +// EncodeUint encodes x. +func (e *Encoder) EncodeUint(x uint64) { + e.checkInBody() + var buf [maxVarintBytes]byte + n := encodeUint(buf[:], x) + e.buf = append(e.buf, buf[:n]...) +} + +// EncodeString encodes s. +func (e *Encoder) EncodeString(s string) { + e.checkInBody() + e.EncodeUint(uint64(len(s))) + e.buf = append(e.buf, s...) +} + +// EncodeMessageType marks the current message to be of type h. +// +// It must be the first call of a Message's Compile method. +func (e *Encoder) EncodeMessageType(h Handle) { + if e.inBody { + panic("catmsg: EncodeMessageType not the first method called") + } + e.inBody = true + e.EncodeUint(uint64(h)) +} + +// EncodeMessage serializes the given message inline at the current position. +func (e *Encoder) EncodeMessage(m Message) error { + e = &Encoder{root: e.root, parent: e, tag: e.tag} + err := m.Compile(e) + if _, ok := m.(*Var); !ok { + e.flushTo(e.parent) + } + return err +} + +func (e *Encoder) checkInBody() { + if !e.inBody { + panic("catmsg: expected prior call to EncodeMessageType") + } +} + +// stripPrefix indicates the number of prefix bytes that must be stripped to +// turn a single-element sequence into a message that is just this single member +// without its size prefix. If the message can be stripped, b[1:n] contains the +// size prefix. +func stripPrefix(b []byte) (n int) { + if len(b) > 0 && Handle(b[0]) == msgFirst { + x, n, _ := decodeUint(b[1:]) + if 1+n+int(x) == len(b) { + return 1 + n + } + } + return 0 +} + +func (e *Encoder) flushTo(dst *Encoder) { + data := e.buf + p := stripPrefix(data) + if p > 0 { + data = data[1:] + } else { + // Prefix the size. + dst.EncodeUint(uint64(len(data))) + } + dst.buf = append(dst.buf, data...) +} + +func (e *Encoder) addVar(key string, m Message) error { + for _, v := range e.parent.vars { + if v.key == key { + err := fmt.Errorf("catmsg: duplicate variable %q", key) + e.setError(err) + return err + } + } + scope := e.parent + // If a variable message is Incomplete, and does not evaluate to a message + // during execution, we fall back to the variable name. We encode this by + // appending the variable name if the message reports it's incomplete. + + err := m.Compile(e) + if err != ErrIncomplete { + e.setError(err) + } + switch { + case len(e.buf) == 1 && Handle(e.buf[0]) == msgFirst: // empty sequence + e.buf = e.buf[:0] + e.inBody = false + fallthrough + case len(e.buf) == 0: + // Empty message. + if err := String(key).Compile(e); err != nil { + e.setError(err) + } + case err == ErrIncomplete: + if Handle(e.buf[0]) != msgFirst { + seq := &Encoder{root: e.root, parent: e} + seq.EncodeMessageType(msgFirst) + e.flushTo(seq) + e = seq + } + // e contains a sequence; append the fallback string. + e.EncodeMessage(String(key)) + } + + // Flush result to variable heap. + offset := len(e.root.buf) + e.flushTo(e.root) + e.buf = e.buf[:0] + + // Record variable offset in current scope. + scope.vars = append(scope.vars, keyVal{key: key, offset: offset}) + return err +} + +const ( + substituteVar = iota + substituteMacro + substituteError +) + +// EncodeSubstitution inserts a resolved reference to a variable or macro. +// +// This call must be matched with a call to ExecuteSubstitution at decoding +// time. +func (e *Encoder) EncodeSubstitution(name string, arguments ...int) { + if arity := len(arguments); arity > 0 { + // TODO: also resolve macros. + e.EncodeUint(substituteMacro) + e.EncodeString(name) + for _, a := range arguments { + e.EncodeUint(uint64(a)) + } + return + } + for scope := e; scope != nil; scope = scope.parent { + for _, v := range scope.vars { + if v.key != name { + continue + } + e.EncodeUint(substituteVar) // TODO: support arity > 0 + e.EncodeUint(uint64(v.offset)) + return + } + } + // TODO: refer to dictionary-wide scoped variables. + e.EncodeUint(substituteError) + e.EncodeString(name) + e.setError(fmt.Errorf("catmsg: unknown var %q", name)) +} + +// A Decoder deserializes and evaluates messages that are encoded by an encoder. +type Decoder struct { + tag language.Tag + dst Renderer + macros Dictionary + + err error + vars string + data string + + macroArg int // TODO: allow more than one argument +} + +// NewDecoder returns a new Decoder. +// +// Decoders are designed to be reused for multiple invocations of Execute. +// Only one goroutine may call Execute concurrently. +func NewDecoder(tag language.Tag, r Renderer, macros Dictionary) *Decoder { + return &Decoder{ + tag: tag, + dst: r, + macros: macros, + } +} + +func (d *Decoder) setError(err error) { + if d.err == nil { + d.err = err + } +} + +// Language returns the language in which the message is being rendered. +// +// The destination language may be a child language of the language used for +// encoding. For instance, a decoding language of "pt-PT" is consistent with an +// encoding language of "pt". +func (d *Decoder) Language() language.Tag { return d.tag } + +// Done reports whether there are more bytes to process in this message. +func (d *Decoder) Done() bool { return len(d.data) == 0 } + +// Render implements Renderer. +func (d *Decoder) Render(s string) { d.dst.Render(s) } + +// Arg implements Renderer. +// +// During evaluation of macros, the argument positions may be mapped to +// arguments that differ from the original call. +func (d *Decoder) Arg(i int) interface{} { + if d.macroArg != 0 { + if i != 1 { + panic("catmsg: only macros with single argument supported") + } + i = d.macroArg + } + return d.dst.Arg(i) +} + +// DecodeUint decodes a number that was encoded with EncodeUint and advances the +// position. +func (d *Decoder) DecodeUint() uint64 { + x, n, err := decodeUintString(d.data) + d.data = d.data[n:] + if err != nil { + d.setError(err) + } + return x +} + +// DecodeString decodes a string that was encoded with EncodeString and advances +// the position. +func (d *Decoder) DecodeString() string { + size := d.DecodeUint() + s := d.data[:size] + d.data = d.data[size:] + return s +} + +// SkipMessage skips the message at the current location and advances the +// position. +func (d *Decoder) SkipMessage() { + n := int(d.DecodeUint()) + d.data = d.data[n:] +} + +// Execute decodes and evaluates msg. +// +// Only one goroutine may call execute. +func (d *Decoder) Execute(msg string) error { + d.err = nil + if !d.execute(msg) { + return ErrNoMatch + } + return d.err +} + +func (d *Decoder) execute(msg string) bool { + saved := d.data + d.data = msg + ok := d.executeMessage() + d.data = saved + return ok +} + +// executeMessageFromData is like execute, but also decodes a leading message +// size and clips the given string accordingly. +// +// It reports the number of bytes consumed and whether a message was selected. +func (d *Decoder) executeMessageFromData(s string) (n int, ok bool) { + saved := d.data + d.data = s + size := int(d.DecodeUint()) + n = len(s) - len(d.data) + // Sanitize the setting. This allows skipping a size argument for + // RawString and method Done. + d.data = d.data[:size] + ok = d.executeMessage() + n += size - len(d.data) + d.data = saved + return n, ok +} + +var errUnknownHandler = errors.New("catmsg: string contains unsupported handler") + +// executeMessage reads the handle id, initializes the decoder and executes the +// message. It is assumed that all of d.data[d.p:] is the single message. +func (d *Decoder) executeMessage() bool { + if d.Done() { + // We interpret no data as a valid empty message. + return true + } + handle := d.DecodeUint() + + var fn Handler + mutex.Lock() + if int(handle) < len(handlers) { + fn = handlers[handle] + } + mutex.Unlock() + if fn == nil { + d.setError(errUnknownHandler) + d.execute(fmt.Sprintf("\x02$!(UNKNOWNMSGHANDLER=%#x)", handle)) + return true + } + return fn(d) +} + +// ExecuteMessage decodes and executes the message at the current position. +func (d *Decoder) ExecuteMessage() bool { + n, ok := d.executeMessageFromData(d.data) + d.data = d.data[n:] + return ok +} + +// ExecuteSubstitution executes the message corresponding to the substitution +// as encoded by EncodeSubstitution. +func (d *Decoder) ExecuteSubstitution() { + switch x := d.DecodeUint(); x { + case substituteVar: + offset := d.DecodeUint() + d.executeMessageFromData(d.vars[offset:]) + case substituteMacro: + name := d.DecodeString() + data, ok := d.macros.Lookup(name) + old := d.macroArg + // TODO: support macros of arity other than 1. + d.macroArg = int(d.DecodeUint()) + switch { + case !ok: + // TODO: detect this at creation time. + d.setError(fmt.Errorf("catmsg: undefined macro %q", name)) + fallthrough + case !d.execute(data): + d.dst.Render(name) // fall back to macro name. + } + d.macroArg = old + case substituteError: + d.dst.Render(d.DecodeString()) + default: + panic("catmsg: unreachable") + } +} diff --git a/vendor/golang.org/x/text/internal/catmsg/varint.go b/vendor/golang.org/x/text/internal/catmsg/varint.go new file mode 100644 index 0000000000..a2cee2cf5b --- /dev/null +++ b/vendor/golang.org/x/text/internal/catmsg/varint.go @@ -0,0 +1,62 @@ +// Copyright 2017 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package catmsg + +// This file implements varint encoding analogous to the one in encoding/binary. +// We need a string version of this function, so we add that here and then add +// the rest for consistency. + +import "errors" + +var ( + errIllegalVarint = errors.New("catmsg: illegal varint") + errVarintTooLarge = errors.New("catmsg: varint too large for uint64") +) + +const maxVarintBytes = 10 // maximum length of a varint + +// encodeUint encodes x as a variable-sized integer into buf and returns the +// number of bytes written. buf must be at least maxVarintBytes long +func encodeUint(buf []byte, x uint64) (n int) { + for ; x > 127; n++ { + buf[n] = 0x80 | uint8(x&0x7F) + x >>= 7 + } + buf[n] = uint8(x) + n++ + return n +} + +func decodeUintString(s string) (x uint64, size int, err error) { + i := 0 + for shift := uint(0); shift < 64; shift += 7 { + if i >= len(s) { + return 0, i, errIllegalVarint + } + b := uint64(s[i]) + i++ + x |= (b & 0x7F) << shift + if b&0x80 == 0 { + return x, i, nil + } + } + return 0, i, errVarintTooLarge +} + +func decodeUint(b []byte) (x uint64, size int, err error) { + i := 0 + for shift := uint(0); shift < 64; shift += 7 { + if i >= len(b) { + return 0, i, errIllegalVarint + } + c := uint64(b[i]) + i++ + x |= (c & 0x7F) << shift + if c&0x80 == 0 { + return x, i, nil + } + } + return 0, i, errVarintTooLarge +} diff --git a/vendor/golang.org/x/text/internal/format/format.go b/vendor/golang.org/x/text/internal/format/format.go new file mode 100644 index 0000000000..ee1c57a3c5 --- /dev/null +++ b/vendor/golang.org/x/text/internal/format/format.go @@ -0,0 +1,41 @@ +// Copyright 2015 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +// Package format contains types for defining language-specific formatting of +// values. +// +// This package is internal now, but will eventually be exposed after the API +// settles. +package format // import "golang.org/x/text/internal/format" + +import ( + "fmt" + + "golang.org/x/text/language" +) + +// State represents the printer state passed to custom formatters. It provides +// access to the fmt.State interface and the sentence and language-related +// context. +type State interface { + fmt.State + + // Language reports the requested language in which to render a message. + Language() language.Tag + + // TODO: consider this and removing rune from the Format method in the + // Formatter interface. + // + // Verb returns the format variant to render, analogous to the types used + // in fmt. Use 'v' for the default or only variant. + // Verb() rune + + // TODO: more info: + // - sentence context such as linguistic features passed by the translator. +} + +// Formatter is analogous to fmt.Formatter. +type Formatter interface { + Format(state State, verb rune) +} diff --git a/vendor/golang.org/x/text/internal/format/parser.go b/vendor/golang.org/x/text/internal/format/parser.go new file mode 100644 index 0000000000..855aed71db --- /dev/null +++ b/vendor/golang.org/x/text/internal/format/parser.go @@ -0,0 +1,358 @@ +// Copyright 2017 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package format + +import ( + "reflect" + "unicode/utf8" +) + +// A Parser parses a format string. The result from the parse are set in the +// struct fields. +type Parser struct { + Verb rune + + WidthPresent bool + PrecPresent bool + Minus bool + Plus bool + Sharp bool + Space bool + Zero bool + + // For the formats %+v %#v, we set the plusV/sharpV flags + // and clear the plus/sharp flags since %+v and %#v are in effect + // different, flagless formats set at the top level. + PlusV bool + SharpV bool + + HasIndex bool + + Width int + Prec int // precision + + // retain arguments across calls. + Args []interface{} + // retain current argument number across calls + ArgNum int + + // reordered records whether the format string used argument reordering. + Reordered bool + // goodArgNum records whether the most recent reordering directive was valid. + goodArgNum bool + + // position info + format string + startPos int + endPos int + Status Status +} + +// Reset initializes a parser to scan format strings for the given args. +func (p *Parser) Reset(args []interface{}) { + p.Args = args + p.ArgNum = 0 + p.startPos = 0 + p.Reordered = false +} + +// Text returns the part of the format string that was parsed by the last call +// to Scan. It returns the original substitution clause if the current scan +// parsed a substitution. +func (p *Parser) Text() string { return p.format[p.startPos:p.endPos] } + +// SetFormat sets a new format string to parse. It does not reset the argument +// count. +func (p *Parser) SetFormat(format string) { + p.format = format + p.startPos = 0 + p.endPos = 0 +} + +// Status indicates the result type of a call to Scan. +type Status int + +const ( + StatusText Status = iota + StatusSubstitution + StatusBadWidthSubstitution + StatusBadPrecSubstitution + StatusNoVerb + StatusBadArgNum + StatusMissingArg +) + +// ClearFlags reset the parser to default behavior. +func (p *Parser) ClearFlags() { + p.WidthPresent = false + p.PrecPresent = false + p.Minus = false + p.Plus = false + p.Sharp = false + p.Space = false + p.Zero = false + + p.PlusV = false + p.SharpV = false + + p.HasIndex = false +} + +// Scan scans the next part of the format string and sets the status to +// indicate whether it scanned a string literal, substitution or error. +func (p *Parser) Scan() bool { + p.Status = StatusText + format := p.format + end := len(format) + if p.endPos >= end { + return false + } + afterIndex := false // previous item in format was an index like [3]. + + p.startPos = p.endPos + p.goodArgNum = true + i := p.startPos + for i < end && format[i] != '%' { + i++ + } + if i > p.startPos { + p.endPos = i + return true + } + // Process one verb + i++ + + p.Status = StatusSubstitution + + // Do we have flags? + p.ClearFlags() + +simpleFormat: + for ; i < end; i++ { + c := p.format[i] + switch c { + case '#': + p.Sharp = true + case '0': + p.Zero = !p.Minus // Only allow zero padding to the left. + case '+': + p.Plus = true + case '-': + p.Minus = true + p.Zero = false // Do not pad with zeros to the right. + case ' ': + p.Space = true + default: + // Fast path for common case of ascii lower case simple verbs + // without precision or width or argument indices. + if 'a' <= c && c <= 'z' && p.ArgNum < len(p.Args) { + if c == 'v' { + // Go syntax + p.SharpV = p.Sharp + p.Sharp = false + // Struct-field syntax + p.PlusV = p.Plus + p.Plus = false + } + p.Verb = rune(c) + p.ArgNum++ + p.endPos = i + 1 + return true + } + // Format is more complex than simple flags and a verb or is malformed. + break simpleFormat + } + } + + // Do we have an explicit argument index? + i, afterIndex = p.updateArgNumber(format, i) + + // Do we have width? + if i < end && format[i] == '*' { + i++ + p.Width, p.WidthPresent = p.intFromArg() + + if !p.WidthPresent { + p.Status = StatusBadWidthSubstitution + } + + // We have a negative width, so take its value and ensure + // that the minus flag is set + if p.Width < 0 { + p.Width = -p.Width + p.Minus = true + p.Zero = false // Do not pad with zeros to the right. + } + afterIndex = false + } else { + p.Width, p.WidthPresent, i = parsenum(format, i, end) + if afterIndex && p.WidthPresent { // "%[3]2d" + p.goodArgNum = false + } + } + + // Do we have precision? + if i+1 < end && format[i] == '.' { + i++ + if afterIndex { // "%[3].2d" + p.goodArgNum = false + } + i, afterIndex = p.updateArgNumber(format, i) + if i < end && format[i] == '*' { + i++ + p.Prec, p.PrecPresent = p.intFromArg() + // Negative precision arguments don't make sense + if p.Prec < 0 { + p.Prec = 0 + p.PrecPresent = false + } + if !p.PrecPresent { + p.Status = StatusBadPrecSubstitution + } + afterIndex = false + } else { + p.Prec, p.PrecPresent, i = parsenum(format, i, end) + if !p.PrecPresent { + p.Prec = 0 + p.PrecPresent = true + } + } + } + + if !afterIndex { + i, afterIndex = p.updateArgNumber(format, i) + } + p.HasIndex = afterIndex + + if i >= end { + p.endPos = i + p.Status = StatusNoVerb + return true + } + + verb, w := utf8.DecodeRuneInString(format[i:]) + p.endPos = i + w + p.Verb = verb + + switch { + case verb == '%': // Percent does not absorb operands and ignores f.wid and f.prec. + p.startPos = p.endPos - 1 + p.Status = StatusText + case !p.goodArgNum: + p.Status = StatusBadArgNum + case p.ArgNum >= len(p.Args): // No argument left over to print for the current verb. + p.Status = StatusMissingArg + p.ArgNum++ + case verb == 'v': + // Go syntax + p.SharpV = p.Sharp + p.Sharp = false + // Struct-field syntax + p.PlusV = p.Plus + p.Plus = false + fallthrough + default: + p.ArgNum++ + } + return true +} + +// intFromArg gets the ArgNumth element of Args. On return, isInt reports +// whether the argument has integer type. +func (p *Parser) intFromArg() (num int, isInt bool) { + if p.ArgNum < len(p.Args) { + arg := p.Args[p.ArgNum] + num, isInt = arg.(int) // Almost always OK. + if !isInt { + // Work harder. + switch v := reflect.ValueOf(arg); v.Kind() { + case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64: + n := v.Int() + if int64(int(n)) == n { + num = int(n) + isInt = true + } + case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64, reflect.Uintptr: + n := v.Uint() + if int64(n) >= 0 && uint64(int(n)) == n { + num = int(n) + isInt = true + } + default: + // Already 0, false. + } + } + p.ArgNum++ + if tooLarge(num) { + num = 0 + isInt = false + } + } + return +} + +// parseArgNumber returns the value of the bracketed number, minus 1 +// (explicit argument numbers are one-indexed but we want zero-indexed). +// The opening bracket is known to be present at format[0]. +// The returned values are the index, the number of bytes to consume +// up to the closing paren, if present, and whether the number parsed +// ok. The bytes to consume will be 1 if no closing paren is present. +func parseArgNumber(format string) (index int, wid int, ok bool) { + // There must be at least 3 bytes: [n]. + if len(format) < 3 { + return 0, 1, false + } + + // Find closing bracket. + for i := 1; i < len(format); i++ { + if format[i] == ']' { + width, ok, newi := parsenum(format, 1, i) + if !ok || newi != i { + return 0, i + 1, false + } + return width - 1, i + 1, true // arg numbers are one-indexed and skip paren. + } + } + return 0, 1, false +} + +// updateArgNumber returns the next argument to evaluate, which is either the value of the passed-in +// argNum or the value of the bracketed integer that begins format[i:]. It also returns +// the new value of i, that is, the index of the next byte of the format to process. +func (p *Parser) updateArgNumber(format string, i int) (newi int, found bool) { + if len(format) <= i || format[i] != '[' { + return i, false + } + p.Reordered = true + index, wid, ok := parseArgNumber(format[i:]) + if ok && 0 <= index && index < len(p.Args) { + p.ArgNum = index + return i + wid, true + } + p.goodArgNum = false + return i + wid, ok +} + +// tooLarge reports whether the magnitude of the integer is +// too large to be used as a formatting width or precision. +func tooLarge(x int) bool { + const max int = 1e6 + return x > max || x < -max +} + +// parsenum converts ASCII to integer. num is 0 (and isnum is false) if no number present. +func parsenum(s string, start, end int) (num int, isnum bool, newi int) { + if start >= end { + return 0, false, end + } + for newi = start; newi < end && '0' <= s[newi] && s[newi] <= '9'; newi++ { + if tooLarge(num) { + return 0, false, end // Overflow; crazy long number most likely. + } + num = num*10 + int(s[newi]-'0') + isnum = true + } + return +} diff --git a/vendor/golang.org/x/text/internal/internal.go b/vendor/golang.org/x/text/internal/internal.go new file mode 100644 index 0000000000..3cddbbdda8 --- /dev/null +++ b/vendor/golang.org/x/text/internal/internal.go @@ -0,0 +1,49 @@ +// Copyright 2015 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +// Package internal contains non-exported functionality that are used by +// packages in the text repository. +package internal // import "golang.org/x/text/internal" + +import ( + "sort" + + "golang.org/x/text/language" +) + +// SortTags sorts tags in place. +func SortTags(tags []language.Tag) { + sort.Sort(sorter(tags)) +} + +type sorter []language.Tag + +func (s sorter) Len() int { + return len(s) +} + +func (s sorter) Swap(i, j int) { + s[i], s[j] = s[j], s[i] +} + +func (s sorter) Less(i, j int) bool { + return s[i].String() < s[j].String() +} + +// UniqueTags sorts and filters duplicate tags in place and returns a slice with +// only unique tags. +func UniqueTags(tags []language.Tag) []language.Tag { + if len(tags) <= 1 { + return tags + } + SortTags(tags) + k := 0 + for i := 1; i < len(tags); i++ { + if tags[k].String() < tags[i].String() { + k++ + tags[k] = tags[i] + } + } + return tags[:k+1] +} diff --git a/vendor/golang.org/x/text/internal/match.go b/vendor/golang.org/x/text/internal/match.go new file mode 100644 index 0000000000..1cc004a6d5 --- /dev/null +++ b/vendor/golang.org/x/text/internal/match.go @@ -0,0 +1,67 @@ +// Copyright 2015 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package internal + +// This file contains matchers that implement CLDR inheritance. +// +// See https://unicode.org/reports/tr35/#Locale_Inheritance. +// +// Some of the inheritance described in this document is already handled by +// the cldr package. + +import ( + "golang.org/x/text/language" +) + +// TODO: consider if (some of the) matching algorithm needs to be public after +// getting some feel about what is generic and what is specific. + +// NewInheritanceMatcher returns a matcher that matches based on the inheritance +// chain. +// +// The matcher uses canonicalization and the parent relationship to find a +// match. The resulting match will always be either Und or a language with the +// same language and script as the requested language. It will not match +// languages for which there is understood to be mutual or one-directional +// intelligibility. +// +// A Match will indicate an Exact match if the language matches after +// canonicalization and High if the matched tag is a parent. +func NewInheritanceMatcher(t []language.Tag) *InheritanceMatcher { + tags := &InheritanceMatcher{make(map[language.Tag]int)} + for i, tag := range t { + ct, err := language.All.Canonicalize(tag) + if err != nil { + ct = tag + } + tags.index[ct] = i + } + return tags +} + +type InheritanceMatcher struct { + index map[language.Tag]int +} + +func (m InheritanceMatcher) Match(want ...language.Tag) (language.Tag, int, language.Confidence) { + for _, t := range want { + ct, err := language.All.Canonicalize(t) + if err != nil { + ct = t + } + conf := language.Exact + for { + if index, ok := m.index[ct]; ok { + return ct, index, conf + } + if ct == language.Und { + break + } + ct = ct.Parent() + conf = language.High + } + } + return language.Und, 0, language.No +} diff --git a/vendor/golang.org/x/text/internal/number/common.go b/vendor/golang.org/x/text/internal/number/common.go new file mode 100644 index 0000000000..a6e9c8e0d5 --- /dev/null +++ b/vendor/golang.org/x/text/internal/number/common.go @@ -0,0 +1,55 @@ +// Code generated by running "go generate" in golang.org/x/text. DO NOT EDIT. + +package number + +import ( + "unicode/utf8" + + "golang.org/x/text/internal/language/compact" +) + +// A system identifies a CLDR numbering system. +type system byte + +type systemData struct { + id system + digitSize byte // number of UTF-8 bytes per digit + zero [utf8.UTFMax]byte // UTF-8 sequence of zero digit. +} + +// A SymbolType identifies a symbol of a specific kind. +type SymbolType int + +const ( + SymDecimal SymbolType = iota + SymGroup + SymList + SymPercentSign + SymPlusSign + SymMinusSign + SymExponential + SymSuperscriptingExponent + SymPerMille + SymInfinity + SymNan + SymTimeSeparator + + NumSymbolTypes +) + +const hasNonLatnMask = 0x8000 + +// symOffset is an offset into altSymData if the bit indicated by hasNonLatnMask +// is not 0 (with this bit masked out), and an offset into symIndex otherwise. +// +// TODO: this type can be a byte again if we use an indirection into altsymData +// and introduce an alt -> offset slice (the length of this will be number of +// alternatives plus 1). This also allows getting rid of the compactTag field +// in altSymData. In total this will save about 1K. +type symOffset uint16 + +type altSymData struct { + compactTag compact.ID + symIndex symOffset + system system +} diff --git a/vendor/golang.org/x/text/internal/number/decimal.go b/vendor/golang.org/x/text/internal/number/decimal.go new file mode 100644 index 0000000000..e128cf3437 --- /dev/null +++ b/vendor/golang.org/x/text/internal/number/decimal.go @@ -0,0 +1,500 @@ +// Copyright 2017 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +//go:generate stringer -type RoundingMode + +package number + +import ( + "math" + "strconv" +) + +// RoundingMode determines how a number is rounded to the desired precision. +type RoundingMode byte + +const ( + ToNearestEven RoundingMode = iota // towards the nearest integer, or towards an even number if equidistant. + ToNearestZero // towards the nearest integer, or towards zero if equidistant. + ToNearestAway // towards the nearest integer, or away from zero if equidistant. + ToPositiveInf // towards infinity + ToNegativeInf // towards negative infinity + ToZero // towards zero + AwayFromZero // away from zero + numModes +) + +const maxIntDigits = 20 + +// A Decimal represents a floating point number in decimal format. +// Digits represents a number [0, 1.0), and the absolute value represented by +// Decimal is Digits * 10^Exp. Leading and trailing zeros may be omitted and Exp +// may point outside a valid position in Digits. +// +// Examples: +// +// Number Decimal +// 12345 Digits: [1, 2, 3, 4, 5], Exp: 5 +// 12.345 Digits: [1, 2, 3, 4, 5], Exp: 2 +// 12000 Digits: [1, 2], Exp: 5 +// 12000.00 Digits: [1, 2], Exp: 5 +// 0.00123 Digits: [1, 2, 3], Exp: -2 +// 0 Digits: [], Exp: 0 +type Decimal struct { + digits + + buf [maxIntDigits]byte +} + +type digits struct { + Digits []byte // mantissa digits, big-endian + Exp int32 // exponent + Neg bool + Inf bool // Takes precedence over Digits and Exp. + NaN bool // Takes precedence over Inf. +} + +// Digits represents a floating point number represented in digits of the +// base in which a number is to be displayed. It is similar to Decimal, but +// keeps track of trailing fraction zeros and the comma placement for +// engineering notation. Digits must have at least one digit. +// +// Examples: +// +// Number Decimal +// decimal +// 12345 Digits: [1, 2, 3, 4, 5], Exp: 5 End: 5 +// 12.345 Digits: [1, 2, 3, 4, 5], Exp: 2 End: 5 +// 12000 Digits: [1, 2], Exp: 5 End: 5 +// 12000.00 Digits: [1, 2], Exp: 5 End: 7 +// 0.00123 Digits: [1, 2, 3], Exp: -2 End: 3 +// 0 Digits: [], Exp: 0 End: 1 +// scientific (actual exp is Exp - Comma) +// 0e0 Digits: [0], Exp: 1, End: 1, Comma: 1 +// .0e0 Digits: [0], Exp: 0, End: 1, Comma: 0 +// 0.0e0 Digits: [0], Exp: 1, End: 2, Comma: 1 +// 1.23e4 Digits: [1, 2, 3], Exp: 5, End: 3, Comma: 1 +// .123e5 Digits: [1, 2, 3], Exp: 5, End: 3, Comma: 0 +// engineering +// 12.3e3 Digits: [1, 2, 3], Exp: 5, End: 3, Comma: 2 +type Digits struct { + digits + // End indicates the end position of the number. + End int32 // For decimals Exp <= End. For scientific len(Digits) <= End. + // Comma is used for the comma position for scientific (always 0 or 1) and + // engineering notation (always 0, 1, 2, or 3). + Comma uint8 + // IsScientific indicates whether this number is to be rendered as a + // scientific number. + IsScientific bool +} + +func (d *Digits) NumFracDigits() int { + if d.Exp >= d.End { + return 0 + } + return int(d.End - d.Exp) +} + +// normalize returns a new Decimal with leading and trailing zeros removed. +func (d *Decimal) normalize() (n Decimal) { + n = *d + b := n.Digits + // Strip leading zeros. Resulting number of digits is significant digits. + for len(b) > 0 && b[0] == 0 { + b = b[1:] + n.Exp-- + } + // Strip trailing zeros + for len(b) > 0 && b[len(b)-1] == 0 { + b = b[:len(b)-1] + } + if len(b) == 0 { + n.Exp = 0 + } + n.Digits = b + return n +} + +func (d *Decimal) clear() { + b := d.Digits + if b == nil { + b = d.buf[:0] + } + *d = Decimal{} + d.Digits = b[:0] +} + +func (x *Decimal) String() string { + if x.NaN { + return "NaN" + } + var buf []byte + if x.Neg { + buf = append(buf, '-') + } + if x.Inf { + buf = append(buf, "Inf"...) + return string(buf) + } + switch { + case len(x.Digits) == 0: + buf = append(buf, '0') + case x.Exp <= 0: + // 0.00ddd + buf = append(buf, "0."...) + buf = appendZeros(buf, -int(x.Exp)) + buf = appendDigits(buf, x.Digits) + + case /* 0 < */ int(x.Exp) < len(x.Digits): + // dd.ddd + buf = appendDigits(buf, x.Digits[:x.Exp]) + buf = append(buf, '.') + buf = appendDigits(buf, x.Digits[x.Exp:]) + + default: // len(x.Digits) <= x.Exp + // ddd00 + buf = appendDigits(buf, x.Digits) + buf = appendZeros(buf, int(x.Exp)-len(x.Digits)) + } + return string(buf) +} + +func appendDigits(buf []byte, digits []byte) []byte { + for _, c := range digits { + buf = append(buf, c+'0') + } + return buf +} + +// appendZeros appends n 0 digits to buf and returns buf. +func appendZeros(buf []byte, n int) []byte { + for ; n > 0; n-- { + buf = append(buf, '0') + } + return buf +} + +func (d *digits) round(mode RoundingMode, n int) { + if n >= len(d.Digits) { + return + } + // Make rounding decision: The result mantissa is truncated ("rounded down") + // by default. Decide if we need to increment, or "round up", the (unsigned) + // mantissa. + inc := false + switch mode { + case ToNegativeInf: + inc = d.Neg + case ToPositiveInf: + inc = !d.Neg + case ToZero: + // nothing to do + case AwayFromZero: + inc = true + case ToNearestEven: + inc = d.Digits[n] > 5 || d.Digits[n] == 5 && + (len(d.Digits) > n+1 || n == 0 || d.Digits[n-1]&1 != 0) + case ToNearestAway: + inc = d.Digits[n] >= 5 + case ToNearestZero: + inc = d.Digits[n] > 5 || d.Digits[n] == 5 && len(d.Digits) > n+1 + default: + panic("unreachable") + } + if inc { + d.roundUp(n) + } else { + d.roundDown(n) + } +} + +// roundFloat rounds a floating point number. +func (r RoundingMode) roundFloat(x float64) float64 { + // Make rounding decision: The result mantissa is truncated ("rounded down") + // by default. Decide if we need to increment, or "round up", the (unsigned) + // mantissa. + abs := x + if x < 0 { + abs = -x + } + i, f := math.Modf(abs) + if f == 0.0 { + return x + } + inc := false + switch r { + case ToNegativeInf: + inc = x < 0 + case ToPositiveInf: + inc = x >= 0 + case ToZero: + // nothing to do + case AwayFromZero: + inc = true + case ToNearestEven: + // TODO: check overflow + inc = f > 0.5 || f == 0.5 && int64(i)&1 != 0 + case ToNearestAway: + inc = f >= 0.5 + case ToNearestZero: + inc = f > 0.5 + default: + panic("unreachable") + } + if inc { + i += 1 + } + if abs != x { + i = -i + } + return i +} + +func (x *digits) roundUp(n int) { + if n < 0 || n >= len(x.Digits) { + return // nothing to do + } + // find first digit < 9 + for n > 0 && x.Digits[n-1] >= 9 { + n-- + } + + if n == 0 { + // all digits are 9s => round up to 1 and update exponent + x.Digits[0] = 1 // ok since len(x.Digits) > n + x.Digits = x.Digits[:1] + x.Exp++ + return + } + x.Digits[n-1]++ + x.Digits = x.Digits[:n] + // x already trimmed +} + +func (x *digits) roundDown(n int) { + if n < 0 || n >= len(x.Digits) { + return // nothing to do + } + x.Digits = x.Digits[:n] + trim(x) +} + +// trim cuts off any trailing zeros from x's mantissa; +// they are meaningless for the value of x. +func trim(x *digits) { + i := len(x.Digits) + for i > 0 && x.Digits[i-1] == 0 { + i-- + } + x.Digits = x.Digits[:i] + if i == 0 { + x.Exp = 0 + } +} + +// A Converter converts a number into decimals according to the given rounding +// criteria. +type Converter interface { + Convert(d *Decimal, r RoundingContext) +} + +const ( + signed = true + unsigned = false +) + +// Convert converts the given number to the decimal representation using the +// supplied RoundingContext. +func (d *Decimal) Convert(r RoundingContext, number interface{}) { + switch f := number.(type) { + case Converter: + d.clear() + f.Convert(d, r) + case float32: + d.ConvertFloat(r, float64(f), 32) + case float64: + d.ConvertFloat(r, f, 64) + case int: + d.ConvertInt(r, signed, uint64(f)) + case int8: + d.ConvertInt(r, signed, uint64(f)) + case int16: + d.ConvertInt(r, signed, uint64(f)) + case int32: + d.ConvertInt(r, signed, uint64(f)) + case int64: + d.ConvertInt(r, signed, uint64(f)) + case uint: + d.ConvertInt(r, unsigned, uint64(f)) + case uint8: + d.ConvertInt(r, unsigned, uint64(f)) + case uint16: + d.ConvertInt(r, unsigned, uint64(f)) + case uint32: + d.ConvertInt(r, unsigned, uint64(f)) + case uint64: + d.ConvertInt(r, unsigned, f) + + default: + d.NaN = true + // TODO: + // case string: if produced by strconv, allows for easy arbitrary pos. + // case reflect.Value: + // case big.Float + // case big.Int + // case big.Rat? + // catch underlyings using reflect or will this already be done by the + // message package? + } +} + +// ConvertInt converts an integer to decimals. +func (d *Decimal) ConvertInt(r RoundingContext, signed bool, x uint64) { + if r.Increment > 0 { + // TODO: if uint64 is too large, fall back to float64 + if signed { + d.ConvertFloat(r, float64(int64(x)), 64) + } else { + d.ConvertFloat(r, float64(x), 64) + } + return + } + d.clear() + if signed && int64(x) < 0 { + x = uint64(-int64(x)) + d.Neg = true + } + d.fillIntDigits(x) + d.Exp = int32(len(d.Digits)) +} + +// ConvertFloat converts a floating point number to decimals. +func (d *Decimal) ConvertFloat(r RoundingContext, x float64, size int) { + d.clear() + if math.IsNaN(x) { + d.NaN = true + return + } + // Simple case: decimal notation + if r.Increment > 0 { + scale := int(r.IncrementScale) + mult := 1.0 + if scale >= len(scales) { + mult = math.Pow(10, float64(scale)) + } else { + mult = scales[scale] + } + // We multiply x instead of dividing inc as it gives less rounding + // issues. + x *= mult + x /= float64(r.Increment) + x = r.Mode.roundFloat(x) + x *= float64(r.Increment) + x /= mult + } + + abs := x + if x < 0 { + d.Neg = true + abs = -x + } + if math.IsInf(abs, 1) { + d.Inf = true + return + } + + // By default we get the exact decimal representation. + verb := byte('g') + prec := -1 + // As the strconv API does not return the rounding accuracy, we can only + // round using ToNearestEven. + if r.Mode == ToNearestEven { + if n := r.RoundSignificantDigits(); n >= 0 { + prec = n + } else if n = r.RoundFractionDigits(); n >= 0 { + prec = n + verb = 'f' + } + } else { + // TODO: At this point strconv's rounding is imprecise to the point that + // it is not usable for this purpose. + // See https://github.com/golang/go/issues/21714 + // If rounding is requested, we ask for a large number of digits and + // round from there to simulate rounding only once. + // Ideally we would have strconv export an AppendDigits that would take + // a rounding mode and/or return an accuracy. Something like this would + // work: + // AppendDigits(dst []byte, x float64, base, size, prec int) (digits []byte, exp, accuracy int) + hasPrec := r.RoundSignificantDigits() >= 0 + hasScale := r.RoundFractionDigits() >= 0 + if hasPrec || hasScale { + // prec is the number of mantissa bits plus some extra for safety. + // We need at least the number of mantissa bits as decimals to + // accurately represent the floating point without rounding, as each + // bit requires one more decimal to represent: 0.5, 0.25, 0.125, ... + prec = 60 + } + } + + b := strconv.AppendFloat(d.Digits[:0], abs, verb, prec, size) + i := 0 + k := 0 + beforeDot := 1 + for i < len(b) { + if c := b[i]; '0' <= c && c <= '9' { + b[k] = c - '0' + k++ + d.Exp += int32(beforeDot) + } else if c == '.' { + beforeDot = 0 + d.Exp = int32(k) + } else { + break + } + i++ + } + d.Digits = b[:k] + if i != len(b) { + i += len("e") + pSign := i + exp := 0 + for i++; i < len(b); i++ { + exp *= 10 + exp += int(b[i] - '0') + } + if b[pSign] == '-' { + exp = -exp + } + d.Exp = int32(exp) + 1 + } +} + +func (d *Decimal) fillIntDigits(x uint64) { + if cap(d.Digits) < maxIntDigits { + d.Digits = d.buf[:] + } else { + d.Digits = d.buf[:maxIntDigits] + } + i := 0 + for ; x > 0; x /= 10 { + d.Digits[i] = byte(x % 10) + i++ + } + d.Digits = d.Digits[:i] + for p := 0; p < i; p++ { + i-- + d.Digits[p], d.Digits[i] = d.Digits[i], d.Digits[p] + } +} + +var scales [70]float64 + +func init() { + x := 1.0 + for i := range scales { + scales[i] = x + x *= 10 + } +} diff --git a/vendor/golang.org/x/text/internal/number/format.go b/vendor/golang.org/x/text/internal/number/format.go new file mode 100644 index 0000000000..1aadcf4077 --- /dev/null +++ b/vendor/golang.org/x/text/internal/number/format.go @@ -0,0 +1,533 @@ +// Copyright 2017 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package number + +import ( + "strconv" + "unicode/utf8" + + "golang.org/x/text/language" +) + +// TODO: +// - grouping of fractions +// - allow user-defined superscript notation (such as 4) +// - same for non-breaking spaces, like   + +// A VisibleDigits computes digits, comma placement and trailing zeros as they +// will be shown to the user. +type VisibleDigits interface { + Digits(buf []byte, t language.Tag, scale int) Digits + // TODO: Do we also need to add the verb or pass a format.State? +} + +// Formatting proceeds along the following lines: +// 0) Compose rounding information from format and context. +// 1) Convert a number into a Decimal. +// 2) Sanitize Decimal by adding trailing zeros, removing leading digits, and +// (non-increment) rounding. The Decimal that results from this is suitable +// for determining the plural form. +// 3) Render the Decimal in the localized form. + +// Formatter contains all the information needed to render a number. +type Formatter struct { + Pattern + Info +} + +func (f *Formatter) init(t language.Tag, index []uint8) { + f.Info = InfoFromTag(t) + f.Pattern = formats[index[tagToID(t)]] +} + +// InitPattern initializes a Formatter for the given Pattern. +func (f *Formatter) InitPattern(t language.Tag, pat *Pattern) { + f.Info = InfoFromTag(t) + f.Pattern = *pat +} + +// InitDecimal initializes a Formatter using the default Pattern for the given +// language. +func (f *Formatter) InitDecimal(t language.Tag) { + f.init(t, tagToDecimal) +} + +// InitScientific initializes a Formatter using the default Pattern for the +// given language. +func (f *Formatter) InitScientific(t language.Tag) { + f.init(t, tagToScientific) + f.Pattern.MinFractionDigits = 0 + f.Pattern.MaxFractionDigits = -1 +} + +// InitEngineering initializes a Formatter using the default Pattern for the +// given language. +func (f *Formatter) InitEngineering(t language.Tag) { + f.init(t, tagToScientific) + f.Pattern.MinFractionDigits = 0 + f.Pattern.MaxFractionDigits = -1 + f.Pattern.MaxIntegerDigits = 3 + f.Pattern.MinIntegerDigits = 1 +} + +// InitPercent initializes a Formatter using the default Pattern for the given +// language. +func (f *Formatter) InitPercent(t language.Tag) { + f.init(t, tagToPercent) +} + +// InitPerMille initializes a Formatter using the default Pattern for the given +// language. +func (f *Formatter) InitPerMille(t language.Tag) { + f.init(t, tagToPercent) + f.Pattern.DigitShift = 3 +} + +func (f *Formatter) Append(dst []byte, x interface{}) []byte { + var d Decimal + r := f.RoundingContext + d.Convert(r, x) + return f.Render(dst, FormatDigits(&d, r)) +} + +func FormatDigits(d *Decimal, r RoundingContext) Digits { + if r.isScientific() { + return scientificVisibleDigits(r, d) + } + return decimalVisibleDigits(r, d) +} + +func (f *Formatter) Format(dst []byte, d *Decimal) []byte { + return f.Render(dst, FormatDigits(d, f.RoundingContext)) +} + +func (f *Formatter) Render(dst []byte, d Digits) []byte { + var result []byte + var postPrefix, preSuffix int + if d.IsScientific { + result, postPrefix, preSuffix = appendScientific(dst, f, &d) + } else { + result, postPrefix, preSuffix = appendDecimal(dst, f, &d) + } + if f.PadRune == 0 { + return result + } + width := int(f.FormatWidth) + if count := utf8.RuneCount(result); count < width { + insertPos := 0 + switch f.Flags & PadMask { + case PadAfterPrefix: + insertPos = postPrefix + case PadBeforeSuffix: + insertPos = preSuffix + case PadAfterSuffix: + insertPos = len(result) + } + num := width - count + pad := [utf8.UTFMax]byte{' '} + sz := 1 + if r := f.PadRune; r != 0 { + sz = utf8.EncodeRune(pad[:], r) + } + extra := sz * num + if n := len(result) + extra; n < cap(result) { + result = result[:n] + copy(result[insertPos+extra:], result[insertPos:]) + } else { + buf := make([]byte, n) + copy(buf, result[:insertPos]) + copy(buf[insertPos+extra:], result[insertPos:]) + result = buf + } + for ; num > 0; num-- { + insertPos += copy(result[insertPos:], pad[:sz]) + } + } + return result +} + +// decimalVisibleDigits converts d according to the RoundingContext. Note that +// the exponent may change as a result of this operation. +func decimalVisibleDigits(r RoundingContext, d *Decimal) Digits { + if d.NaN || d.Inf { + return Digits{digits: digits{Neg: d.Neg, NaN: d.NaN, Inf: d.Inf}} + } + n := Digits{digits: d.normalize().digits} + + exp := n.Exp + exp += int32(r.DigitShift) + + // Cap integer digits. Remove *most-significant* digits. + if r.MaxIntegerDigits > 0 { + if p := int(exp) - int(r.MaxIntegerDigits); p > 0 { + if p > len(n.Digits) { + p = len(n.Digits) + } + if n.Digits = n.Digits[p:]; len(n.Digits) == 0 { + exp = 0 + } else { + exp -= int32(p) + } + // Strip leading zeros. + for len(n.Digits) > 0 && n.Digits[0] == 0 { + n.Digits = n.Digits[1:] + exp-- + } + } + } + + // Rounding if not already done by Convert. + p := len(n.Digits) + if maxSig := int(r.MaxSignificantDigits); maxSig > 0 { + p = maxSig + } + if maxFrac := int(r.MaxFractionDigits); maxFrac >= 0 { + if cap := int(exp) + maxFrac; cap < p { + p = int(exp) + maxFrac + } + if p < 0 { + p = 0 + } + } + n.round(r.Mode, p) + + // set End (trailing zeros) + n.End = int32(len(n.Digits)) + if n.End == 0 { + exp = 0 + if r.MinFractionDigits > 0 { + n.End = int32(r.MinFractionDigits) + } + if p := int32(r.MinSignificantDigits) - 1; p > n.End { + n.End = p + } + } else { + if end := exp + int32(r.MinFractionDigits); end > n.End { + n.End = end + } + if n.End < int32(r.MinSignificantDigits) { + n.End = int32(r.MinSignificantDigits) + } + } + n.Exp = exp + return n +} + +// appendDecimal appends a formatted number to dst. It returns two possible +// insertion points for padding. +func appendDecimal(dst []byte, f *Formatter, n *Digits) (b []byte, postPre, preSuf int) { + if dst, ok := f.renderSpecial(dst, n); ok { + return dst, 0, len(dst) + } + digits := n.Digits + exp := n.Exp + + // Split in integer and fraction part. + var intDigits, fracDigits []byte + numInt := 0 + numFrac := int(n.End - n.Exp) + if exp > 0 { + numInt = int(exp) + if int(exp) >= len(digits) { // ddddd | ddddd00 + intDigits = digits + } else { // ddd.dd + intDigits = digits[:exp] + fracDigits = digits[exp:] + } + } else { + fracDigits = digits + } + + neg := n.Neg + affix, suffix := f.getAffixes(neg) + dst = appendAffix(dst, f, affix, neg) + savedLen := len(dst) + + minInt := int(f.MinIntegerDigits) + if minInt == 0 && f.MinSignificantDigits > 0 { + minInt = 1 + } + // add leading zeros + for i := minInt; i > numInt; i-- { + dst = f.AppendDigit(dst, 0) + if f.needsSep(i) { + dst = append(dst, f.Symbol(SymGroup)...) + } + } + i := 0 + for ; i < len(intDigits); i++ { + dst = f.AppendDigit(dst, intDigits[i]) + if f.needsSep(numInt - i) { + dst = append(dst, f.Symbol(SymGroup)...) + } + } + for ; i < numInt; i++ { + dst = f.AppendDigit(dst, 0) + if f.needsSep(numInt - i) { + dst = append(dst, f.Symbol(SymGroup)...) + } + } + + if numFrac > 0 || f.Flags&AlwaysDecimalSeparator != 0 { + dst = append(dst, f.Symbol(SymDecimal)...) + } + // Add trailing zeros + i = 0 + for n := -int(n.Exp); i < n; i++ { + dst = f.AppendDigit(dst, 0) + } + for _, d := range fracDigits { + i++ + dst = f.AppendDigit(dst, d) + } + for ; i < numFrac; i++ { + dst = f.AppendDigit(dst, 0) + } + return appendAffix(dst, f, suffix, neg), savedLen, len(dst) +} + +func scientificVisibleDigits(r RoundingContext, d *Decimal) Digits { + if d.NaN || d.Inf { + return Digits{digits: digits{Neg: d.Neg, NaN: d.NaN, Inf: d.Inf}} + } + n := Digits{digits: d.normalize().digits, IsScientific: true} + + // Normalize to have at least one digit. This simplifies engineering + // notation. + if len(n.Digits) == 0 { + n.Digits = append(n.Digits, 0) + n.Exp = 1 + } + + // Significant digits are transformed by the parser for scientific notation + // and do not need to be handled here. + maxInt, numInt := int(r.MaxIntegerDigits), int(r.MinIntegerDigits) + if numInt == 0 { + numInt = 1 + } + + // If a maximum number of integers is specified, the minimum must be 1 + // and the exponent is grouped by this number (e.g. for engineering) + if maxInt > numInt { + // Correct the exponent to reflect a single integer digit. + numInt = 1 + // engineering + // 0.01234 ([12345]e-1) -> 1.2345e-2 12.345e-3 + // 12345 ([12345]e+5) -> 1.2345e4 12.345e3 + d := int(n.Exp-1) % maxInt + if d < 0 { + d += maxInt + } + numInt += d + } + + p := len(n.Digits) + if maxSig := int(r.MaxSignificantDigits); maxSig > 0 { + p = maxSig + } + if maxFrac := int(r.MaxFractionDigits); maxFrac >= 0 && numInt+maxFrac < p { + p = numInt + maxFrac + } + n.round(r.Mode, p) + + n.Comma = uint8(numInt) + n.End = int32(len(n.Digits)) + if minSig := int32(r.MinFractionDigits) + int32(numInt); n.End < minSig { + n.End = minSig + } + return n +} + +// appendScientific appends a formatted number to dst. It returns two possible +// insertion points for padding. +func appendScientific(dst []byte, f *Formatter, n *Digits) (b []byte, postPre, preSuf int) { + if dst, ok := f.renderSpecial(dst, n); ok { + return dst, 0, 0 + } + digits := n.Digits + numInt := int(n.Comma) + numFrac := int(n.End) - int(n.Comma) + + var intDigits, fracDigits []byte + if numInt <= len(digits) { + intDigits = digits[:numInt] + fracDigits = digits[numInt:] + } else { + intDigits = digits + } + neg := n.Neg + affix, suffix := f.getAffixes(neg) + dst = appendAffix(dst, f, affix, neg) + savedLen := len(dst) + + i := 0 + for ; i < len(intDigits); i++ { + dst = f.AppendDigit(dst, intDigits[i]) + if f.needsSep(numInt - i) { + dst = append(dst, f.Symbol(SymGroup)...) + } + } + for ; i < numInt; i++ { + dst = f.AppendDigit(dst, 0) + if f.needsSep(numInt - i) { + dst = append(dst, f.Symbol(SymGroup)...) + } + } + + if numFrac > 0 || f.Flags&AlwaysDecimalSeparator != 0 { + dst = append(dst, f.Symbol(SymDecimal)...) + } + i = 0 + for ; i < len(fracDigits); i++ { + dst = f.AppendDigit(dst, fracDigits[i]) + } + for ; i < numFrac; i++ { + dst = f.AppendDigit(dst, 0) + } + + // exp + buf := [12]byte{} + // TODO: use exponential if superscripting is not available (no Latin + // numbers or no tags) and use exponential in all other cases. + exp := n.Exp - int32(n.Comma) + exponential := f.Symbol(SymExponential) + if exponential == "E" { + dst = append(dst, f.Symbol(SymSuperscriptingExponent)...) + dst = f.AppendDigit(dst, 1) + dst = f.AppendDigit(dst, 0) + switch { + case exp < 0: + dst = append(dst, superMinus...) + exp = -exp + case f.Flags&AlwaysExpSign != 0: + dst = append(dst, superPlus...) + } + b = strconv.AppendUint(buf[:0], uint64(exp), 10) + for i := len(b); i < int(f.MinExponentDigits); i++ { + dst = append(dst, superDigits[0]...) + } + for _, c := range b { + dst = append(dst, superDigits[c-'0']...) + } + } else { + dst = append(dst, exponential...) + switch { + case exp < 0: + dst = append(dst, f.Symbol(SymMinusSign)...) + exp = -exp + case f.Flags&AlwaysExpSign != 0: + dst = append(dst, f.Symbol(SymPlusSign)...) + } + b = strconv.AppendUint(buf[:0], uint64(exp), 10) + for i := len(b); i < int(f.MinExponentDigits); i++ { + dst = f.AppendDigit(dst, 0) + } + for _, c := range b { + dst = f.AppendDigit(dst, c-'0') + } + } + return appendAffix(dst, f, suffix, neg), savedLen, len(dst) +} + +const ( + superMinus = "\u207B" // SUPERSCRIPT HYPHEN-MINUS + superPlus = "\u207A" // SUPERSCRIPT PLUS SIGN +) + +var ( + // Note: the digits are not sequential!!! + superDigits = []string{ + "\u2070", // SUPERSCRIPT DIGIT ZERO + "\u00B9", // SUPERSCRIPT DIGIT ONE + "\u00B2", // SUPERSCRIPT DIGIT TWO + "\u00B3", // SUPERSCRIPT DIGIT THREE + "\u2074", // SUPERSCRIPT DIGIT FOUR + "\u2075", // SUPERSCRIPT DIGIT FIVE + "\u2076", // SUPERSCRIPT DIGIT SIX + "\u2077", // SUPERSCRIPT DIGIT SEVEN + "\u2078", // SUPERSCRIPT DIGIT EIGHT + "\u2079", // SUPERSCRIPT DIGIT NINE + } +) + +func (f *Formatter) getAffixes(neg bool) (affix, suffix string) { + str := f.Affix + if str != "" { + if f.NegOffset > 0 { + if neg { + str = str[f.NegOffset:] + } else { + str = str[:f.NegOffset] + } + } + sufStart := 1 + str[0] + affix = str[1:sufStart] + suffix = str[sufStart+1:] + } + // TODO: introduce a NeedNeg sign to indicate if the left pattern already + // has a sign marked? + if f.NegOffset == 0 && (neg || f.Flags&AlwaysSign != 0) { + affix = "-" + affix + } + return affix, suffix +} + +func (f *Formatter) renderSpecial(dst []byte, d *Digits) (b []byte, ok bool) { + if d.NaN { + return fmtNaN(dst, f), true + } + if d.Inf { + return fmtInfinite(dst, f, d), true + } + return dst, false +} + +func fmtNaN(dst []byte, f *Formatter) []byte { + return append(dst, f.Symbol(SymNan)...) +} + +func fmtInfinite(dst []byte, f *Formatter, d *Digits) []byte { + affix, suffix := f.getAffixes(d.Neg) + dst = appendAffix(dst, f, affix, d.Neg) + dst = append(dst, f.Symbol(SymInfinity)...) + dst = appendAffix(dst, f, suffix, d.Neg) + return dst +} + +func appendAffix(dst []byte, f *Formatter, affix string, neg bool) []byte { + quoting := false + escaping := false + for _, r := range affix { + switch { + case escaping: + // escaping occurs both inside and outside of quotes + dst = append(dst, string(r)...) + escaping = false + case r == '\\': + escaping = true + case r == '\'': + quoting = !quoting + case quoting: + dst = append(dst, string(r)...) + case r == '%': + if f.DigitShift == 3 { + dst = append(dst, f.Symbol(SymPerMille)...) + } else { + dst = append(dst, f.Symbol(SymPercentSign)...) + } + case r == '-' || r == '+': + if neg { + dst = append(dst, f.Symbol(SymMinusSign)...) + } else if f.Flags&ElideSign == 0 { + dst = append(dst, f.Symbol(SymPlusSign)...) + } else { + dst = append(dst, ' ') + } + default: + dst = append(dst, string(r)...) + } + } + return dst +} diff --git a/vendor/golang.org/x/text/internal/number/number.go b/vendor/golang.org/x/text/internal/number/number.go new file mode 100644 index 0000000000..e1d933c3f7 --- /dev/null +++ b/vendor/golang.org/x/text/internal/number/number.go @@ -0,0 +1,152 @@ +// Copyright 2016 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +//go:generate go run gen.go gen_common.go + +// Package number contains tools and data for formatting numbers. +package number + +import ( + "unicode/utf8" + + "golang.org/x/text/internal/language/compact" + "golang.org/x/text/language" +) + +// Info holds number formatting configuration data. +type Info struct { + system systemData // numbering system information + symIndex symOffset // index to symbols +} + +// InfoFromLangID returns a Info for the given compact language identifier and +// numbering system identifier. If system is the empty string, the default +// numbering system will be taken for that language. +func InfoFromLangID(compactIndex compact.ID, numberSystem string) Info { + p := langToDefaults[compactIndex] + // Lookup the entry for the language. + pSymIndex := symOffset(0) // Default: Latin, default symbols + system, ok := systemMap[numberSystem] + if !ok { + // Take the value for the default numbering system. This is by far the + // most common case as an alternative numbering system is hardly used. + if p&hasNonLatnMask == 0 { // Latn digits. + pSymIndex = p + } else { // Non-Latn or multiple numbering systems. + // Take the first entry from the alternatives list. + data := langToAlt[p&^hasNonLatnMask] + pSymIndex = data.symIndex + system = data.system + } + } else { + langIndex := compactIndex + ns := system + outerLoop: + for ; ; p = langToDefaults[langIndex] { + if p&hasNonLatnMask == 0 { + if ns == 0 { + // The index directly points to the symbol data. + pSymIndex = p + break + } + // Move to the parent and retry. + langIndex = langIndex.Parent() + } else { + // The index points to a list of symbol data indexes. + for _, e := range langToAlt[p&^hasNonLatnMask:] { + if e.compactTag != langIndex { + if langIndex == 0 { + // The CLDR root defines full symbol information for + // all numbering systems (even though mostly by + // means of aliases). Fall back to the default entry + // for Latn if there is no data for the numbering + // system of this language. + if ns == 0 { + break + } + // Fall back to Latin and start from the original + // language. See + // https://unicode.org/reports/tr35/#Locale_Inheritance. + ns = numLatn + langIndex = compactIndex + continue outerLoop + } + // Fall back to parent. + langIndex = langIndex.Parent() + } else if e.system == ns { + pSymIndex = e.symIndex + break outerLoop + } + } + } + } + } + if int(system) >= len(numSysData) { // algorithmic + // Will generate ASCII digits in case the user inadvertently calls + // WriteDigit or Digit on it. + d := numSysData[0] + d.id = system + return Info{ + system: d, + symIndex: pSymIndex, + } + } + return Info{ + system: numSysData[system], + symIndex: pSymIndex, + } +} + +// InfoFromTag returns a Info for the given language tag. +func InfoFromTag(t language.Tag) Info { + return InfoFromLangID(tagToID(t), t.TypeForKey("nu")) +} + +// IsDecimal reports if the numbering system can convert decimal to native +// symbols one-to-one. +func (n Info) IsDecimal() bool { + return int(n.system.id) < len(numSysData) +} + +// WriteDigit writes the UTF-8 sequence for n corresponding to the given ASCII +// digit to dst and reports the number of bytes written. dst must be large +// enough to hold the rune (can be up to utf8.UTFMax bytes). +func (n Info) WriteDigit(dst []byte, asciiDigit rune) int { + copy(dst, n.system.zero[:n.system.digitSize]) + dst[n.system.digitSize-1] += byte(asciiDigit - '0') + return int(n.system.digitSize) +} + +// AppendDigit appends the UTF-8 sequence for n corresponding to the given digit +// to dst and reports the number of bytes written. dst must be large enough to +// hold the rune (can be up to utf8.UTFMax bytes). +func (n Info) AppendDigit(dst []byte, digit byte) []byte { + dst = append(dst, n.system.zero[:n.system.digitSize]...) + dst[len(dst)-1] += digit + return dst +} + +// Digit returns the digit for the numbering system for the corresponding ASCII +// value. For example, ni.Digit('3') could return '三'. Note that the argument +// is the rune constant '3', which equals 51, not the integer constant 3. +func (n Info) Digit(asciiDigit rune) rune { + var x [utf8.UTFMax]byte + n.WriteDigit(x[:], asciiDigit) + r, _ := utf8.DecodeRune(x[:]) + return r +} + +// Symbol returns the string for the given symbol type. +func (n Info) Symbol(t SymbolType) string { + return symData.Elem(int(symIndex[n.symIndex][t])) +} + +func formatForLang(t language.Tag, index []byte) *Pattern { + return &formats[index[tagToID(t)]] +} + +func tagToID(t language.Tag) compact.ID { + id, _ := compact.RegionalID(compact.Tag(t)) + return id +} diff --git a/vendor/golang.org/x/text/internal/number/pattern.go b/vendor/golang.org/x/text/internal/number/pattern.go new file mode 100644 index 0000000000..06e59559a9 --- /dev/null +++ b/vendor/golang.org/x/text/internal/number/pattern.go @@ -0,0 +1,485 @@ +// Copyright 2015 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package number + +import ( + "errors" + "unicode/utf8" +) + +// This file contains a parser for the CLDR number patterns as described in +// https://unicode.org/reports/tr35/tr35-numbers.html#Number_Format_Patterns. +// +// The following BNF is derived from this standard. +// +// pattern := subpattern (';' subpattern)? +// subpattern := affix? number exponent? affix? +// number := decimal | sigDigits +// decimal := '#'* '0'* ('.' fraction)? | '#' | '0' +// fraction := '0'* '#'* +// sigDigits := '#'* '@' '@'* '#'* +// exponent := 'E' '+'? '0'* '0' +// padSpec := '*' \L +// +// Notes: +// - An affix pattern may contain any runes, but runes with special meaning +// should be escaped. +// - Sequences of digits, '#', and '@' in decimal and sigDigits may have +// interstitial commas. + +// TODO: replace special characters in affixes (-, +, ¤) with control codes. + +// Pattern holds information for formatting numbers. It is designed to hold +// information from CLDR number patterns. +// +// This pattern is precompiled for all patterns for all languages. Even though +// the number of patterns is not very large, we want to keep this small. +// +// This type is only intended for internal use. +type Pattern struct { + RoundingContext + + Affix string // includes prefix and suffix. First byte is prefix length. + Offset uint16 // Offset into Affix for prefix and suffix + NegOffset uint16 // Offset into Affix for negative prefix and suffix or 0. + PadRune rune + FormatWidth uint16 + + GroupingSize [2]uint8 + Flags PatternFlag +} + +// A RoundingContext indicates how a number should be converted to digits. +// It contains all information needed to determine the "visible digits" as +// required by the pluralization rules. +type RoundingContext struct { + // TODO: unify these two fields so that there is a more unambiguous meaning + // of how precision is handled. + MaxSignificantDigits int16 // -1 is unlimited + MaxFractionDigits int16 // -1 is unlimited + + Increment uint32 + IncrementScale uint8 // May differ from printed scale. + + Mode RoundingMode + + DigitShift uint8 // Number of decimals to shift. Used for % and ‰. + + // Number of digits. + MinIntegerDigits uint8 + + MaxIntegerDigits uint8 + MinFractionDigits uint8 + MinSignificantDigits uint8 + + MinExponentDigits uint8 +} + +// RoundSignificantDigits returns the number of significant digits an +// implementation of Convert may round to or n < 0 if there is no maximum or +// a maximum is not recommended. +func (r *RoundingContext) RoundSignificantDigits() (n int) { + if r.MaxFractionDigits == 0 && r.MaxSignificantDigits > 0 { + return int(r.MaxSignificantDigits) + } else if r.isScientific() && r.MaxIntegerDigits == 1 { + if r.MaxSignificantDigits == 0 || + int(r.MaxFractionDigits+1) == int(r.MaxSignificantDigits) { + // Note: don't add DigitShift: it is only used for decimals. + return int(r.MaxFractionDigits) + 1 + } + } + return -1 +} + +// RoundFractionDigits returns the number of fraction digits an implementation +// of Convert may round to or n < 0 if there is no maximum or a maximum is not +// recommended. +func (r *RoundingContext) RoundFractionDigits() (n int) { + if r.MinExponentDigits == 0 && + r.MaxSignificantDigits == 0 && + r.MaxFractionDigits >= 0 { + return int(r.MaxFractionDigits) + int(r.DigitShift) + } + return -1 +} + +// SetScale fixes the RoundingContext to a fixed number of fraction digits. +func (r *RoundingContext) SetScale(scale int) { + r.MinFractionDigits = uint8(scale) + r.MaxFractionDigits = int16(scale) +} + +func (r *RoundingContext) SetPrecision(prec int) { + r.MaxSignificantDigits = int16(prec) +} + +func (r *RoundingContext) isScientific() bool { + return r.MinExponentDigits > 0 +} + +func (f *Pattern) needsSep(pos int) bool { + p := pos - 1 + size := int(f.GroupingSize[0]) + if size == 0 || p == 0 { + return false + } + if p == size { + return true + } + if p -= size; p < 0 { + return false + } + // TODO: make second groupingsize the same as first if 0 so that we can + // avoid this check. + if x := int(f.GroupingSize[1]); x != 0 { + size = x + } + return p%size == 0 +} + +// A PatternFlag is a bit mask for the flag field of a Pattern. +type PatternFlag uint8 + +const ( + AlwaysSign PatternFlag = 1 << iota + ElideSign // Use space instead of plus sign. AlwaysSign must be true. + AlwaysExpSign + AlwaysDecimalSeparator + ParenthesisForNegative // Common pattern. Saves space. + + PadAfterNumber + PadAfterAffix + + PadBeforePrefix = 0 // Default + PadAfterPrefix = PadAfterAffix + PadBeforeSuffix = PadAfterNumber + PadAfterSuffix = PadAfterNumber | PadAfterAffix + PadMask = PadAfterNumber | PadAfterAffix +) + +type parser struct { + *Pattern + + leadingSharps int + + pos int + err error + doNotTerminate bool + groupingCount uint + hasGroup bool + buf []byte +} + +func (p *parser) setError(err error) { + if p.err == nil { + p.err = err + } +} + +func (p *parser) updateGrouping() { + if p.hasGroup && + 0 < p.groupingCount && p.groupingCount < 255 { + p.GroupingSize[1] = p.GroupingSize[0] + p.GroupingSize[0] = uint8(p.groupingCount) + } + p.groupingCount = 0 + p.hasGroup = true +} + +var ( + // TODO: more sensible and localizeable error messages. + errMultiplePadSpecifiers = errors.New("format: pattern has multiple pad specifiers") + errInvalidPadSpecifier = errors.New("format: invalid pad specifier") + errInvalidQuote = errors.New("format: invalid quote") + errAffixTooLarge = errors.New("format: prefix or suffix exceeds maximum UTF-8 length of 256 bytes") + errDuplicatePercentSign = errors.New("format: duplicate percent sign") + errDuplicatePermilleSign = errors.New("format: duplicate permille sign") + errUnexpectedEnd = errors.New("format: unexpected end of pattern") +) + +// ParsePattern extracts formatting information from a CLDR number pattern. +// +// See https://unicode.org/reports/tr35/tr35-numbers.html#Number_Format_Patterns. +func ParsePattern(s string) (f *Pattern, err error) { + p := parser{Pattern: &Pattern{}} + + s = p.parseSubPattern(s) + + if s != "" { + // Parse negative sub pattern. + if s[0] != ';' { + p.setError(errors.New("format: error parsing first sub pattern")) + return nil, p.err + } + neg := parser{Pattern: &Pattern{}} // just for extracting the affixes. + s = neg.parseSubPattern(s[len(";"):]) + p.NegOffset = uint16(len(p.buf)) + p.buf = append(p.buf, neg.buf...) + } + if s != "" { + p.setError(errors.New("format: spurious characters at end of pattern")) + } + if p.err != nil { + return nil, p.err + } + if affix := string(p.buf); affix == "\x00\x00" || affix == "\x00\x00\x00\x00" { + // No prefix or suffixes. + p.NegOffset = 0 + } else { + p.Affix = affix + } + if p.Increment == 0 { + p.IncrementScale = 0 + } + return p.Pattern, nil +} + +func (p *parser) parseSubPattern(s string) string { + s = p.parsePad(s, PadBeforePrefix) + s = p.parseAffix(s) + s = p.parsePad(s, PadAfterPrefix) + + s = p.parse(p.number, s) + p.updateGrouping() + + s = p.parsePad(s, PadBeforeSuffix) + s = p.parseAffix(s) + s = p.parsePad(s, PadAfterSuffix) + return s +} + +func (p *parser) parsePad(s string, f PatternFlag) (tail string) { + if len(s) >= 2 && s[0] == '*' { + r, sz := utf8.DecodeRuneInString(s[1:]) + if p.PadRune != 0 { + p.err = errMultiplePadSpecifiers + } else { + p.Flags |= f + p.PadRune = r + } + return s[1+sz:] + } + return s +} + +func (p *parser) parseAffix(s string) string { + x := len(p.buf) + p.buf = append(p.buf, 0) // placeholder for affix length + + s = p.parse(p.affix, s) + + n := len(p.buf) - x - 1 + if n > 0xFF { + p.setError(errAffixTooLarge) + } + p.buf[x] = uint8(n) + return s +} + +// state implements a state transition. It returns the new state. A state +// function may set an error on the parser or may simply return on an incorrect +// token and let the next phase fail. +type state func(r rune) state + +// parse repeatedly applies a state function on the given string until a +// termination condition is reached. +func (p *parser) parse(fn state, s string) (tail string) { + for i, r := range s { + p.doNotTerminate = false + if fn = fn(r); fn == nil || p.err != nil { + return s[i:] + } + p.FormatWidth++ + } + if p.doNotTerminate { + p.setError(errUnexpectedEnd) + } + return "" +} + +func (p *parser) affix(r rune) state { + switch r { + case '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', + '#', '@', '.', '*', ',', ';': + return nil + case '\'': + p.FormatWidth-- + return p.escapeFirst + case '%': + if p.DigitShift != 0 { + p.setError(errDuplicatePercentSign) + } + p.DigitShift = 2 + case '\u2030': // ‰ Per mille + if p.DigitShift != 0 { + p.setError(errDuplicatePermilleSign) + } + p.DigitShift = 3 + // TODO: handle currency somehow: ¤, ¤¤, ¤¤¤, ¤¤¤¤ + } + p.buf = append(p.buf, string(r)...) + return p.affix +} + +func (p *parser) escapeFirst(r rune) state { + switch r { + case '\'': + p.buf = append(p.buf, "\\'"...) + return p.affix + default: + p.buf = append(p.buf, '\'') + p.buf = append(p.buf, string(r)...) + } + return p.escape +} + +func (p *parser) escape(r rune) state { + switch r { + case '\'': + p.FormatWidth-- + p.buf = append(p.buf, '\'') + return p.affix + default: + p.buf = append(p.buf, string(r)...) + } + return p.escape +} + +// number parses a number. The BNF says the integer part should always have +// a '0', but that does not appear to be the case according to the rest of the +// documentation. We will allow having only '#' numbers. +func (p *parser) number(r rune) state { + switch r { + case '#': + p.groupingCount++ + p.leadingSharps++ + case '@': + p.groupingCount++ + p.leadingSharps = 0 + p.MaxFractionDigits = -1 + return p.sigDigits(r) + case ',': + if p.leadingSharps == 0 { // no leading commas + return nil + } + p.updateGrouping() + case 'E': + p.MaxIntegerDigits = uint8(p.leadingSharps) + return p.exponent + case '.': // allow ".##" etc. + p.updateGrouping() + return p.fraction + case '0', '1', '2', '3', '4', '5', '6', '7', '8', '9': + return p.integer(r) + default: + return nil + } + return p.number +} + +func (p *parser) integer(r rune) state { + if !('0' <= r && r <= '9') { + var next state + switch r { + case 'E': + if p.leadingSharps > 0 { + p.MaxIntegerDigits = uint8(p.leadingSharps) + p.MinIntegerDigits + } + next = p.exponent + case '.': + next = p.fraction + case ',': + next = p.integer + } + p.updateGrouping() + return next + } + p.Increment = p.Increment*10 + uint32(r-'0') + p.groupingCount++ + p.MinIntegerDigits++ + return p.integer +} + +func (p *parser) sigDigits(r rune) state { + switch r { + case '@': + p.groupingCount++ + p.MaxSignificantDigits++ + p.MinSignificantDigits++ + case '#': + return p.sigDigitsFinal(r) + case 'E': + p.updateGrouping() + return p.normalizeSigDigitsWithExponent() + default: + p.updateGrouping() + return nil + } + return p.sigDigits +} + +func (p *parser) sigDigitsFinal(r rune) state { + switch r { + case '#': + p.groupingCount++ + p.MaxSignificantDigits++ + case 'E': + p.updateGrouping() + return p.normalizeSigDigitsWithExponent() + default: + p.updateGrouping() + return nil + } + return p.sigDigitsFinal +} + +func (p *parser) normalizeSigDigitsWithExponent() state { + p.MinIntegerDigits, p.MaxIntegerDigits = 1, 1 + p.MinFractionDigits = p.MinSignificantDigits - 1 + p.MaxFractionDigits = p.MaxSignificantDigits - 1 + p.MinSignificantDigits, p.MaxSignificantDigits = 0, 0 + return p.exponent +} + +func (p *parser) fraction(r rune) state { + switch r { + case '0', '1', '2', '3', '4', '5', '6', '7', '8', '9': + p.Increment = p.Increment*10 + uint32(r-'0') + p.IncrementScale++ + p.MinFractionDigits++ + p.MaxFractionDigits++ + case '#': + p.MaxFractionDigits++ + case 'E': + if p.leadingSharps > 0 { + p.MaxIntegerDigits = uint8(p.leadingSharps) + p.MinIntegerDigits + } + return p.exponent + default: + return nil + } + return p.fraction +} + +func (p *parser) exponent(r rune) state { + switch r { + case '+': + // Set mode and check it wasn't already set. + if p.Flags&AlwaysExpSign != 0 || p.MinExponentDigits > 0 { + break + } + p.Flags |= AlwaysExpSign + p.doNotTerminate = true + return p.exponent + case '0': + p.MinExponentDigits++ + return p.exponent + } + // termination condition + if p.MinExponentDigits == 0 { + p.setError(errors.New("format: need at least one digit")) + } + return nil +} diff --git a/vendor/golang.org/x/text/internal/number/roundingmode_string.go b/vendor/golang.org/x/text/internal/number/roundingmode_string.go new file mode 100644 index 0000000000..bcc22471db --- /dev/null +++ b/vendor/golang.org/x/text/internal/number/roundingmode_string.go @@ -0,0 +1,30 @@ +// Code generated by "stringer -type RoundingMode"; DO NOT EDIT. + +package number + +import "strconv" + +func _() { + // An "invalid array index" compiler error signifies that the constant values have changed. + // Re-run the stringer command to generate them again. + var x [1]struct{} + _ = x[ToNearestEven-0] + _ = x[ToNearestZero-1] + _ = x[ToNearestAway-2] + _ = x[ToPositiveInf-3] + _ = x[ToNegativeInf-4] + _ = x[ToZero-5] + _ = x[AwayFromZero-6] + _ = x[numModes-7] +} + +const _RoundingMode_name = "ToNearestEvenToNearestZeroToNearestAwayToPositiveInfToNegativeInfToZeroAwayFromZeronumModes" + +var _RoundingMode_index = [...]uint8{0, 13, 26, 39, 52, 65, 71, 83, 91} + +func (i RoundingMode) String() string { + if i >= RoundingMode(len(_RoundingMode_index)-1) { + return "RoundingMode(" + strconv.FormatInt(int64(i), 10) + ")" + } + return _RoundingMode_name[_RoundingMode_index[i]:_RoundingMode_index[i+1]] +} diff --git a/vendor/golang.org/x/text/internal/number/tables.go b/vendor/golang.org/x/text/internal/number/tables.go new file mode 100644 index 0000000000..8efce81b56 --- /dev/null +++ b/vendor/golang.org/x/text/internal/number/tables.go @@ -0,0 +1,1219 @@ +// Code generated by running "go generate" in golang.org/x/text. DO NOT EDIT. + +package number + +import "golang.org/x/text/internal/stringset" + +// CLDRVersion is the CLDR version from which the tables in this package are derived. +const CLDRVersion = "32" + +var numSysData = []systemData{ // 59 elements + 0: {id: 0x0, digitSize: 0x1, zero: [4]uint8{0x30, 0x0, 0x0, 0x0}}, + 1: {id: 0x1, digitSize: 0x4, zero: [4]uint8{0xf0, 0x9e, 0xa5, 0x90}}, + 2: {id: 0x2, digitSize: 0x4, zero: [4]uint8{0xf0, 0x91, 0x9c, 0xb0}}, + 3: {id: 0x3, digitSize: 0x2, zero: [4]uint8{0xd9, 0xa0, 0x0, 0x0}}, + 4: {id: 0x4, digitSize: 0x2, zero: [4]uint8{0xdb, 0xb0, 0x0, 0x0}}, + 5: {id: 0x5, digitSize: 0x3, zero: [4]uint8{0xe1, 0xad, 0x90, 0x0}}, + 6: {id: 0x6, digitSize: 0x3, zero: [4]uint8{0xe0, 0xa7, 0xa6, 0x0}}, + 7: {id: 0x7, digitSize: 0x4, zero: [4]uint8{0xf0, 0x91, 0xb1, 0x90}}, + 8: {id: 0x8, digitSize: 0x4, zero: [4]uint8{0xf0, 0x91, 0x81, 0xa6}}, + 9: {id: 0x9, digitSize: 0x4, zero: [4]uint8{0xf0, 0x91, 0x84, 0xb6}}, + 10: {id: 0xa, digitSize: 0x3, zero: [4]uint8{0xea, 0xa9, 0x90, 0x0}}, + 11: {id: 0xb, digitSize: 0x3, zero: [4]uint8{0xe0, 0xa5, 0xa6, 0x0}}, + 12: {id: 0xc, digitSize: 0x3, zero: [4]uint8{0xef, 0xbc, 0x90, 0x0}}, + 13: {id: 0xd, digitSize: 0x4, zero: [4]uint8{0xf0, 0x91, 0xb5, 0x90}}, + 14: {id: 0xe, digitSize: 0x3, zero: [4]uint8{0xe0, 0xab, 0xa6, 0x0}}, + 15: {id: 0xf, digitSize: 0x3, zero: [4]uint8{0xe0, 0xa9, 0xa6, 0x0}}, + 16: {id: 0x10, digitSize: 0x4, zero: [4]uint8{0xf0, 0x96, 0xad, 0x90}}, + 17: {id: 0x11, digitSize: 0x3, zero: [4]uint8{0xea, 0xa7, 0x90, 0x0}}, + 18: {id: 0x12, digitSize: 0x3, zero: [4]uint8{0xea, 0xa4, 0x80, 0x0}}, + 19: {id: 0x13, digitSize: 0x3, zero: [4]uint8{0xe1, 0x9f, 0xa0, 0x0}}, + 20: {id: 0x14, digitSize: 0x3, zero: [4]uint8{0xe0, 0xb3, 0xa6, 0x0}}, + 21: {id: 0x15, digitSize: 0x3, zero: [4]uint8{0xe1, 0xaa, 0x80, 0x0}}, + 22: {id: 0x16, digitSize: 0x3, zero: [4]uint8{0xe1, 0xaa, 0x90, 0x0}}, + 23: {id: 0x17, digitSize: 0x3, zero: [4]uint8{0xe0, 0xbb, 0x90, 0x0}}, + 24: {id: 0x18, digitSize: 0x3, zero: [4]uint8{0xe1, 0xb1, 0x80, 0x0}}, + 25: {id: 0x19, digitSize: 0x3, zero: [4]uint8{0xe1, 0xa5, 0x86, 0x0}}, + 26: {id: 0x1a, digitSize: 0x4, zero: [4]uint8{0xf0, 0x9d, 0x9f, 0x8e}}, + 27: {id: 0x1b, digitSize: 0x4, zero: [4]uint8{0xf0, 0x9d, 0x9f, 0x98}}, + 28: {id: 0x1c, digitSize: 0x4, zero: [4]uint8{0xf0, 0x9d, 0x9f, 0xb6}}, + 29: {id: 0x1d, digitSize: 0x4, zero: [4]uint8{0xf0, 0x9d, 0x9f, 0xac}}, + 30: {id: 0x1e, digitSize: 0x4, zero: [4]uint8{0xf0, 0x9d, 0x9f, 0xa2}}, + 31: {id: 0x1f, digitSize: 0x3, zero: [4]uint8{0xe0, 0xb5, 0xa6, 0x0}}, + 32: {id: 0x20, digitSize: 0x4, zero: [4]uint8{0xf0, 0x91, 0x99, 0x90}}, + 33: {id: 0x21, digitSize: 0x3, zero: [4]uint8{0xe1, 0xa0, 0x90, 0x0}}, + 34: {id: 0x22, digitSize: 0x4, zero: [4]uint8{0xf0, 0x96, 0xa9, 0xa0}}, + 35: {id: 0x23, digitSize: 0x3, zero: [4]uint8{0xea, 0xaf, 0xb0, 0x0}}, + 36: {id: 0x24, digitSize: 0x3, zero: [4]uint8{0xe1, 0x81, 0x80, 0x0}}, + 37: {id: 0x25, digitSize: 0x3, zero: [4]uint8{0xe1, 0x82, 0x90, 0x0}}, + 38: {id: 0x26, digitSize: 0x3, zero: [4]uint8{0xea, 0xa7, 0xb0, 0x0}}, + 39: {id: 0x27, digitSize: 0x4, zero: [4]uint8{0xf0, 0x91, 0x91, 0x90}}, + 40: {id: 0x28, digitSize: 0x2, zero: [4]uint8{0xdf, 0x80, 0x0, 0x0}}, + 41: {id: 0x29, digitSize: 0x3, zero: [4]uint8{0xe1, 0xb1, 0x90, 0x0}}, + 42: {id: 0x2a, digitSize: 0x3, zero: [4]uint8{0xe0, 0xad, 0xa6, 0x0}}, + 43: {id: 0x2b, digitSize: 0x4, zero: [4]uint8{0xf0, 0x90, 0x92, 0xa0}}, + 44: {id: 0x2c, digitSize: 0x3, zero: [4]uint8{0xea, 0xa3, 0x90, 0x0}}, + 45: {id: 0x2d, digitSize: 0x4, zero: [4]uint8{0xf0, 0x91, 0x87, 0x90}}, + 46: {id: 0x2e, digitSize: 0x4, zero: [4]uint8{0xf0, 0x91, 0x8b, 0xb0}}, + 47: {id: 0x2f, digitSize: 0x3, zero: [4]uint8{0xe0, 0xb7, 0xa6, 0x0}}, + 48: {id: 0x30, digitSize: 0x4, zero: [4]uint8{0xf0, 0x91, 0x83, 0xb0}}, + 49: {id: 0x31, digitSize: 0x3, zero: [4]uint8{0xe1, 0xae, 0xb0, 0x0}}, + 50: {id: 0x32, digitSize: 0x4, zero: [4]uint8{0xf0, 0x91, 0x9b, 0x80}}, + 51: {id: 0x33, digitSize: 0x3, zero: [4]uint8{0xe1, 0xa7, 0x90, 0x0}}, + 52: {id: 0x34, digitSize: 0x3, zero: [4]uint8{0xe0, 0xaf, 0xa6, 0x0}}, + 53: {id: 0x35, digitSize: 0x3, zero: [4]uint8{0xe0, 0xb1, 0xa6, 0x0}}, + 54: {id: 0x36, digitSize: 0x3, zero: [4]uint8{0xe0, 0xb9, 0x90, 0x0}}, + 55: {id: 0x37, digitSize: 0x3, zero: [4]uint8{0xe0, 0xbc, 0xa0, 0x0}}, + 56: {id: 0x38, digitSize: 0x4, zero: [4]uint8{0xf0, 0x91, 0x93, 0x90}}, + 57: {id: 0x39, digitSize: 0x3, zero: [4]uint8{0xea, 0x98, 0xa0, 0x0}}, + 58: {id: 0x3a, digitSize: 0x4, zero: [4]uint8{0xf0, 0x91, 0xa3, 0xa0}}, +} // Size: 378 bytes + +const ( + numAdlm = 0x1 + numAhom = 0x2 + numArab = 0x3 + numArabext = 0x4 + numArmn = 0x3b + numArmnlow = 0x3c + numBali = 0x5 + numBeng = 0x6 + numBhks = 0x7 + numBrah = 0x8 + numCakm = 0x9 + numCham = 0xa + numCyrl = 0x3d + numDeva = 0xb + numEthi = 0x3e + numFullwide = 0xc + numGeor = 0x3f + numGonm = 0xd + numGrek = 0x40 + numGreklow = 0x41 + numGujr = 0xe + numGuru = 0xf + numHanidays = 0x42 + numHanidec = 0x43 + numHans = 0x44 + numHansfin = 0x45 + numHant = 0x46 + numHantfin = 0x47 + numHebr = 0x48 + numHmng = 0x10 + numJava = 0x11 + numJpan = 0x49 + numJpanfin = 0x4a + numKali = 0x12 + numKhmr = 0x13 + numKnda = 0x14 + numLana = 0x15 + numLanatham = 0x16 + numLaoo = 0x17 + numLatn = 0x0 + numLepc = 0x18 + numLimb = 0x19 + numMathbold = 0x1a + numMathdbl = 0x1b + numMathmono = 0x1c + numMathsanb = 0x1d + numMathsans = 0x1e + numMlym = 0x1f + numModi = 0x20 + numMong = 0x21 + numMroo = 0x22 + numMtei = 0x23 + numMymr = 0x24 + numMymrshan = 0x25 + numMymrtlng = 0x26 + numNewa = 0x27 + numNkoo = 0x28 + numOlck = 0x29 + numOrya = 0x2a + numOsma = 0x2b + numRoman = 0x4b + numRomanlow = 0x4c + numSaur = 0x2c + numShrd = 0x2d + numSind = 0x2e + numSinh = 0x2f + numSora = 0x30 + numSund = 0x31 + numTakr = 0x32 + numTalu = 0x33 + numTaml = 0x4d + numTamldec = 0x34 + numTelu = 0x35 + numThai = 0x36 + numTibt = 0x37 + numTirh = 0x38 + numVaii = 0x39 + numWara = 0x3a + numNumberSystems +) + +var systemMap = map[string]system{ + "adlm": numAdlm, + "ahom": numAhom, + "arab": numArab, + "arabext": numArabext, + "armn": numArmn, + "armnlow": numArmnlow, + "bali": numBali, + "beng": numBeng, + "bhks": numBhks, + "brah": numBrah, + "cakm": numCakm, + "cham": numCham, + "cyrl": numCyrl, + "deva": numDeva, + "ethi": numEthi, + "fullwide": numFullwide, + "geor": numGeor, + "gonm": numGonm, + "grek": numGrek, + "greklow": numGreklow, + "gujr": numGujr, + "guru": numGuru, + "hanidays": numHanidays, + "hanidec": numHanidec, + "hans": numHans, + "hansfin": numHansfin, + "hant": numHant, + "hantfin": numHantfin, + "hebr": numHebr, + "hmng": numHmng, + "java": numJava, + "jpan": numJpan, + "jpanfin": numJpanfin, + "kali": numKali, + "khmr": numKhmr, + "knda": numKnda, + "lana": numLana, + "lanatham": numLanatham, + "laoo": numLaoo, + "latn": numLatn, + "lepc": numLepc, + "limb": numLimb, + "mathbold": numMathbold, + "mathdbl": numMathdbl, + "mathmono": numMathmono, + "mathsanb": numMathsanb, + "mathsans": numMathsans, + "mlym": numMlym, + "modi": numModi, + "mong": numMong, + "mroo": numMroo, + "mtei": numMtei, + "mymr": numMymr, + "mymrshan": numMymrshan, + "mymrtlng": numMymrtlng, + "newa": numNewa, + "nkoo": numNkoo, + "olck": numOlck, + "orya": numOrya, + "osma": numOsma, + "roman": numRoman, + "romanlow": numRomanlow, + "saur": numSaur, + "shrd": numShrd, + "sind": numSind, + "sinh": numSinh, + "sora": numSora, + "sund": numSund, + "takr": numTakr, + "talu": numTalu, + "taml": numTaml, + "tamldec": numTamldec, + "telu": numTelu, + "thai": numThai, + "tibt": numTibt, + "tirh": numTirh, + "vaii": numVaii, + "wara": numWara, +} + +var symIndex = [][12]uint8{ // 81 elements + 0: [12]uint8{0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0xa, 0xb}, + 1: [12]uint8{0x1, 0xc, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0xa, 0xb}, + 2: [12]uint8{0x0, 0x1, 0x2, 0xd, 0xe, 0xf, 0x6, 0x7, 0x8, 0x9, 0x10, 0xb}, + 3: [12]uint8{0x1, 0x0, 0x2, 0xd, 0xe, 0xf, 0x6, 0x7, 0x8, 0x9, 0x10, 0xb}, + 4: [12]uint8{0x0, 0x1, 0x2, 0x11, 0xe, 0xf, 0x6, 0x7, 0x8, 0x9, 0x10, 0xb}, + 5: [12]uint8{0x1, 0x0, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0x12, 0xb}, + 6: [12]uint8{0x1, 0x0, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0xa, 0xb}, + 7: [12]uint8{0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0x13, 0xb}, + 8: [12]uint8{0x0, 0x1, 0x2, 0x3, 0xe, 0x5, 0x6, 0x7, 0x8, 0x9, 0xa, 0xb}, + 9: [12]uint8{0x1, 0x0, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0xa, 0x0}, + 10: [12]uint8{0x1, 0x0, 0x2, 0x3, 0x4, 0x5, 0x6, 0x14, 0x8, 0x9, 0xa, 0xb}, + 11: [12]uint8{0x1, 0xc, 0x2, 0x3, 0x4, 0x5, 0x6, 0x14, 0x8, 0x9, 0xa, 0xb}, + 12: [12]uint8{0x0, 0x15, 0x2, 0x3, 0x4, 0x5, 0x6, 0x14, 0x8, 0x9, 0xa, 0xb}, + 13: [12]uint8{0x0, 0xc, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0xa, 0xb}, + 14: [12]uint8{0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0x16, 0xb}, + 15: [12]uint8{0x1, 0x0, 0x2, 0x3, 0x4, 0x5, 0x17, 0x7, 0x8, 0x9, 0xa, 0xb}, + 16: [12]uint8{0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x17, 0x7, 0x8, 0x9, 0xa, 0x0}, + 17: [12]uint8{0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x17, 0x7, 0x8, 0x9, 0xa, 0xb}, + 18: [12]uint8{0x1, 0xc, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0xa, 0x0}, + 19: [12]uint8{0x1, 0xc, 0x2, 0x3, 0x4, 0x5, 0x18, 0x7, 0x8, 0x9, 0xa, 0xb}, + 20: [12]uint8{0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x19, 0x1a, 0xa, 0xb}, + 21: [12]uint8{0x1, 0xc, 0x2, 0x3, 0x4, 0x1b, 0x6, 0x7, 0x8, 0x9, 0xa, 0xb}, + 22: [12]uint8{0x1, 0xc, 0x2, 0x3, 0x4, 0x1b, 0x18, 0x7, 0x8, 0x9, 0xa, 0xb}, + 23: [12]uint8{0x1, 0x0, 0x2, 0x3, 0x4, 0x1b, 0x6, 0x7, 0x8, 0x9, 0xa, 0xb}, + 24: [12]uint8{0x0, 0x1, 0x2, 0x3, 0xe, 0x1c, 0x6, 0x7, 0x8, 0x9, 0x1d, 0xb}, + 25: [12]uint8{0x1, 0xc, 0x2, 0x3, 0x4, 0x1b, 0x6, 0x7, 0x8, 0x9, 0x1e, 0x0}, + 26: [12]uint8{0x0, 0x15, 0x2, 0x3, 0x4, 0x1b, 0x6, 0x7, 0x8, 0x9, 0xa, 0xb}, + 27: [12]uint8{0x0, 0x1, 0x2, 0x3, 0xe, 0xf, 0x6, 0x7, 0x8, 0x9, 0xa, 0xb}, + 28: [12]uint8{0x1, 0xc, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0x1f, 0xb}, + 29: [12]uint8{0x0, 0x15, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0xa, 0xb}, + 30: [12]uint8{0x1, 0xc, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0x20, 0xb}, + 31: [12]uint8{0x1, 0xc, 0x2, 0x3, 0x4, 0x5, 0x21, 0x7, 0x8, 0x9, 0x22, 0xb}, + 32: [12]uint8{0x1, 0xc, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0x23, 0xb}, + 33: [12]uint8{0x1, 0x0, 0x2, 0x3, 0x4, 0x1b, 0x18, 0x14, 0x8, 0x9, 0x24, 0xb}, + 34: [12]uint8{0x1, 0xc, 0x2, 0x3, 0x4, 0x1b, 0x18, 0x7, 0x8, 0x9, 0x24, 0xb}, + 35: [12]uint8{0x1, 0xc, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0x25, 0xb}, + 36: [12]uint8{0x1, 0x0, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0x26, 0xb}, + 37: [12]uint8{0x1, 0xc, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0x27, 0xb}, + 38: [12]uint8{0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0x28, 0xb}, + 39: [12]uint8{0x1, 0xc, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0x29, 0xb}, + 40: [12]uint8{0x1, 0x0, 0x2, 0x3, 0xe, 0x1c, 0x6, 0x7, 0x8, 0x9, 0xa, 0xb}, + 41: [12]uint8{0x1, 0xc, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0x2a, 0xb}, + 42: [12]uint8{0x1, 0xc, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0x2b, 0xb}, + 43: [12]uint8{0x1, 0xc, 0x2, 0x3, 0x4, 0x1b, 0x2c, 0x14, 0x8, 0x9, 0x24, 0xb}, + 44: [12]uint8{0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0xa, 0x0}, + 45: [12]uint8{0x1, 0xc, 0x2, 0x3, 0x4, 0x5, 0x17, 0x7, 0x8, 0x9, 0xa, 0xb}, + 46: [12]uint8{0x1, 0x0, 0x2, 0x3, 0x4, 0x1b, 0x17, 0x7, 0x8, 0x9, 0xa, 0xb}, + 47: [12]uint8{0x1, 0xc, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0x2d, 0x0}, + 48: [12]uint8{0x1, 0xc, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0x2e, 0xb}, + 49: [12]uint8{0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0x2f, 0xb}, + 50: [12]uint8{0x1, 0xc, 0x2, 0x3, 0x4, 0x5, 0x30, 0x7, 0x8, 0x9, 0xa, 0xb}, + 51: [12]uint8{0x1, 0xc, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0x31, 0xb}, + 52: [12]uint8{0x1, 0xc, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0x32, 0xb}, + 53: [12]uint8{0x1, 0x15, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0xa, 0xb}, + 54: [12]uint8{0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0x33, 0xb}, + 55: [12]uint8{0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0x34, 0xb}, + 56: [12]uint8{0x35, 0x36, 0x37, 0x38, 0x39, 0x3a, 0x3b, 0x7, 0x3c, 0x9, 0xa, 0xb}, + 57: [12]uint8{0x35, 0x36, 0x37, 0x38, 0x39, 0x3a, 0x3b, 0x7, 0x3c, 0x9, 0x3d, 0xb}, + 58: [12]uint8{0x35, 0x36, 0x37, 0x11, 0x3e, 0x3f, 0x3b, 0x7, 0x3c, 0x9, 0xa, 0xb}, + 59: [12]uint8{0x35, 0x36, 0x37, 0x11, 0x39, 0x3a, 0x3b, 0x7, 0x3c, 0x9, 0xa, 0xb}, + 60: [12]uint8{0x35, 0x36, 0x37, 0x11, 0x39, 0x40, 0x3b, 0x7, 0x3c, 0x9, 0xa, 0xb}, + 61: [12]uint8{0x35, 0x36, 0x37, 0x41, 0x3e, 0x3f, 0x3b, 0x7, 0x3c, 0x9, 0xa, 0xb}, + 62: [12]uint8{0x35, 0x36, 0x37, 0x38, 0x3e, 0x3f, 0x3b, 0x7, 0x3c, 0x9, 0xa, 0xb}, + 63: [12]uint8{0x35, 0xc, 0x37, 0x38, 0x39, 0x42, 0x3b, 0x7, 0x3c, 0x9, 0xa, 0x0}, + 64: [12]uint8{0x35, 0xc, 0x37, 0x38, 0x39, 0x42, 0x43, 0x7, 0x44, 0x9, 0x24, 0xb}, + 65: [12]uint8{0x35, 0x36, 0x37, 0x38, 0x39, 0x5, 0x3b, 0x7, 0x3c, 0x9, 0x33, 0xb}, + 66: [12]uint8{0x35, 0x36, 0x37, 0x11, 0x45, 0x46, 0x43, 0x7, 0x3c, 0x9, 0xa, 0x35}, + 67: [12]uint8{0x35, 0x36, 0x37, 0x11, 0xe, 0x1c, 0x43, 0x7, 0x3c, 0x9, 0x1d, 0xb}, + 68: [12]uint8{0x35, 0x36, 0x37, 0x11, 0xe, 0x1c, 0x43, 0x7, 0x3c, 0x9, 0xa, 0x35}, + 69: [12]uint8{0x35, 0x36, 0x37, 0x11, 0x45, 0x5, 0x43, 0x7, 0x3c, 0x9, 0xa, 0x35}, + 70: [12]uint8{0x1, 0xc, 0x37, 0x11, 0x45, 0x47, 0x43, 0x7, 0x3c, 0x9, 0xa, 0x0}, + 71: [12]uint8{0x35, 0x1, 0x37, 0x11, 0x4, 0x5, 0x43, 0x7, 0x3c, 0x9, 0xa, 0x35}, + 72: [12]uint8{0x1, 0xc, 0x37, 0x11, 0x45, 0x47, 0x43, 0x7, 0x3c, 0x9, 0x24, 0xb}, + 73: [12]uint8{0x35, 0x36, 0x2, 0x3, 0x45, 0x46, 0x43, 0x7, 0x8, 0x9, 0xa, 0x35}, + 74: [12]uint8{0x35, 0x36, 0x37, 0x11, 0x4, 0x5, 0x43, 0x7, 0x3c, 0x9, 0x31, 0x35}, + 75: [12]uint8{0x35, 0x36, 0x37, 0x11, 0x4, 0x5, 0x43, 0x7, 0x3c, 0x9, 0x32, 0x35}, + 76: [12]uint8{0x35, 0x36, 0x37, 0x11, 0x48, 0x46, 0x43, 0x7, 0x3c, 0x9, 0x33, 0x35}, + 77: [12]uint8{0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0xa, 0x49}, + 78: [12]uint8{0x0, 0x1, 0x4a, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0x28, 0xb}, + 79: [12]uint8{0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0x4b, 0xb}, + 80: [12]uint8{0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x4c, 0x4d, 0xb}, +} // Size: 996 bytes + +var symData = stringset.Set{ + Data: "" + // Size: 599 bytes + ".,;%+-E׉∞NaN:\u00a0\u200e%\u200e\u200e+\u200e-ليس\u00a0رقمًا٪NDТерхьаш" + + "\u00a0дац·’mnne×10^0/00INF−\u200e−ناعددepälukuÕˆÕ¹Ô¹áƒáƒ \u00a0áƒáƒ áƒ˜áƒ¡\u00a0რიცხვ" + + "იZMdMÑан\u00a0емеѤ¤¤Ñан\u00a0ÑмеÑບà»à»ˆ\u200bà»àº¡à»ˆàº™\u200bໂຕ\u200bເລàºNSဂá€á€”်" + + "းမဟုá€á€ºá€žá€±á€¬ÐÐне\u00a0чиÑлочыыһыла\u00a0буотах·10^epilohosan\u00a0dälTFЕs" + + "on\u00a0emasҳақиқий\u00a0Ñон\u00a0ÑмаÑéžæ•¸å€¼éžæ•°å€¼Ù«Ù¬Ø›Ùª\u061c\u061c+\u061c-اس؉ل" + + "يس\u00a0رقم\u200f+\u200f-\u200f−٪\u200f\u061c−×۱۰^؉\u200f\u200e+\u200e" + + "\u200e-\u200e\u200e−\u200e+\u200e:áŠà½¨à½„་མེན་གྲངས་མེདཨང་མད", + Index: []uint16{ // 79 elements + // Entry 0 - 3F + 0x0000, 0x0001, 0x0002, 0x0003, 0x0004, 0x0005, 0x0006, 0x0007, + 0x0009, 0x000c, 0x000f, 0x0012, 0x0013, 0x0015, 0x001c, 0x0020, + 0x0024, 0x0036, 0x0038, 0x003a, 0x0050, 0x0052, 0x0055, 0x0058, + 0x0059, 0x005e, 0x0062, 0x0065, 0x0068, 0x006e, 0x0078, 0x0080, + 0x0086, 0x00ae, 0x00af, 0x00b2, 0x00c2, 0x00c8, 0x00d8, 0x0105, + 0x0107, 0x012e, 0x0132, 0x0142, 0x015e, 0x0163, 0x016a, 0x0173, + 0x0175, 0x0177, 0x0180, 0x01a0, 0x01a9, 0x01b2, 0x01b4, 0x01b6, + 0x01b8, 0x01bc, 0x01bf, 0x01c2, 0x01c6, 0x01c8, 0x01d6, 0x01da, + // Entry 40 - 7F + 0x01de, 0x01e4, 0x01e9, 0x01ee, 0x01f5, 0x01fa, 0x0201, 0x0208, + 0x0211, 0x0215, 0x0218, 0x021b, 0x0230, 0x0248, 0x0257, + }, +} // Size: 797 bytes + +// langToDefaults maps a compact language index to the default numbering system +// and default symbol set +var langToDefaults = [775]symOffset{ + // Entry 0 - 3F + 0x8000, 0x0001, 0x0001, 0x0001, 0x0001, 0x0001, 0x0000, 0x0000, + 0x0000, 0x0000, 0x8003, 0x0002, 0x0002, 0x0002, 0x0002, 0x0003, + 0x0002, 0x0002, 0x0002, 0x0002, 0x0002, 0x0002, 0x0002, 0x0002, + 0x0003, 0x0003, 0x0003, 0x0003, 0x0002, 0x0002, 0x0002, 0x0004, + 0x0002, 0x0004, 0x0002, 0x0002, 0x0002, 0x0003, 0x0002, 0x0000, + 0x8005, 0x0000, 0x0000, 0x0000, 0x8006, 0x0005, 0x0006, 0x0006, + 0x0006, 0x0006, 0x0006, 0x0001, 0x0001, 0x0001, 0x0001, 0x0000, + 0x0000, 0x0000, 0x0000, 0x0001, 0x0001, 0x0000, 0x0000, 0x0000, + // Entry 40 - 7F + 0x8009, 0x0000, 0x0000, 0x800a, 0x0000, 0x0000, 0x800c, 0x0001, + 0x0000, 0x0000, 0x0006, 0x0006, 0x0006, 0x0006, 0x0006, 0x0006, + 0x0006, 0x0006, 0x0006, 0x0006, 0x800e, 0x0000, 0x0000, 0x0007, + 0x0007, 0x0000, 0x0000, 0x0000, 0x0000, 0x800f, 0x0008, 0x0008, + 0x8011, 0x0001, 0x0001, 0x0001, 0x803c, 0x0000, 0x0009, 0x0009, + 0x0009, 0x0000, 0x0000, 0x000a, 0x000b, 0x000a, 0x000c, 0x000a, + 0x000a, 0x000c, 0x000a, 0x000d, 0x000d, 0x000a, 0x000a, 0x0001, + 0x0001, 0x0000, 0x0001, 0x0001, 0x803f, 0x0000, 0x0000, 0x0000, + // Entry 80 - BF + 0x000e, 0x000e, 0x000e, 0x000f, 0x000f, 0x000f, 0x0000, 0x0000, + 0x0006, 0x0000, 0x0000, 0x0000, 0x000a, 0x0010, 0x0000, 0x0006, + 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0011, 0x0000, 0x000a, + 0x0000, 0x0000, 0x0000, 0x0000, 0x000a, 0x0000, 0x0009, 0x0000, + 0x0000, 0x0012, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, + 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, + 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, + 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, + // Entry C0 - FF + 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, + 0x0006, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, + 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0013, 0x0000, + 0x0000, 0x000f, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, + 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, + 0x0000, 0x0000, 0x0000, 0x0000, 0x0001, 0x0000, 0x0000, 0x0015, + 0x0015, 0x0006, 0x0000, 0x0006, 0x0006, 0x0000, 0x0000, 0x0006, + 0x0006, 0x0001, 0x0000, 0x0000, 0x0006, 0x0006, 0x0006, 0x0006, + // Entry 100 - 13F + 0x0000, 0x0000, 0x0006, 0x0000, 0x0000, 0x0000, 0x0000, 0x0006, + 0x0000, 0x0006, 0x0000, 0x0000, 0x0006, 0x0006, 0x0016, 0x0016, + 0x0017, 0x0017, 0x0001, 0x0001, 0x8041, 0x0018, 0x0018, 0x0001, + 0x0001, 0x0001, 0x0001, 0x0001, 0x0019, 0x0019, 0x0000, 0x0000, + 0x0017, 0x0017, 0x0017, 0x8044, 0x0001, 0x0001, 0x0001, 0x0001, + 0x0001, 0x0001, 0x0001, 0x0001, 0x0001, 0x0001, 0x0001, 0x0001, + 0x0001, 0x0001, 0x0001, 0x0001, 0x0001, 0x0001, 0x0001, 0x0001, + 0x0001, 0x0001, 0x0006, 0x0006, 0x0001, 0x0001, 0x0001, 0x0001, + // Entry 140 - 17F + 0x0001, 0x0001, 0x0001, 0x0001, 0x0001, 0x0001, 0x0001, 0x0001, + 0x0001, 0x0001, 0x0001, 0x0001, 0x0001, 0x0001, 0x0001, 0x0001, + 0x0001, 0x0001, 0x0006, 0x0006, 0x0006, 0x0006, 0x0000, 0x0000, + 0x8047, 0x0000, 0x0006, 0x0006, 0x001a, 0x001a, 0x001a, 0x001a, + 0x804a, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, + 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x804c, 0x001b, 0x0000, + 0x0000, 0x0006, 0x0006, 0x0006, 0x000a, 0x000a, 0x0001, 0x0001, + 0x001c, 0x001c, 0x0009, 0x0009, 0x804f, 0x0000, 0x0000, 0x0000, + // Entry 180 - 1BF + 0x0000, 0x0000, 0x8052, 0x0006, 0x0006, 0x001d, 0x0006, 0x0006, + 0x0006, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0006, 0x0006, + 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x001e, 0x001e, 0x001f, + 0x001f, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0001, + 0x0001, 0x000d, 0x000d, 0x0000, 0x0000, 0x0020, 0x0020, 0x0006, + 0x0006, 0x0021, 0x0021, 0x0000, 0x0000, 0x0006, 0x0006, 0x0000, + 0x0000, 0x8054, 0x0000, 0x0000, 0x0000, 0x0000, 0x8056, 0x001b, + 0x0000, 0x0000, 0x0001, 0x0001, 0x0022, 0x0022, 0x0000, 0x0000, + // Entry 1C0 - 1FF + 0x0000, 0x0023, 0x0023, 0x0000, 0x0000, 0x0006, 0x0006, 0x0000, + 0x0000, 0x0000, 0x0000, 0x0006, 0x0006, 0x0006, 0x0006, 0x0006, + 0x0024, 0x0024, 0x8058, 0x0000, 0x0000, 0x0016, 0x0016, 0x0006, + 0x0006, 0x0000, 0x0000, 0x0000, 0x0000, 0x0025, 0x0025, 0x0000, + 0x0000, 0x0000, 0x0000, 0x0000, 0x000d, 0x000d, 0x0000, 0x0000, + 0x0006, 0x0006, 0x0000, 0x0000, 0x0006, 0x0006, 0x0000, 0x0000, + 0x0000, 0x0000, 0x0000, 0x805a, 0x0000, 0x0000, 0x0006, 0x0000, + 0x0000, 0x0000, 0x0000, 0x0006, 0x0006, 0x805b, 0x0026, 0x805d, + // Entry 200 - 23F + 0x0000, 0x0000, 0x0000, 0x0000, 0x805e, 0x0015, 0x0015, 0x0000, + 0x0000, 0x0006, 0x0006, 0x0006, 0x8061, 0x0000, 0x0000, 0x8062, + 0x0006, 0x0006, 0x0006, 0x0006, 0x0006, 0x0006, 0x0006, 0x0001, + 0x0001, 0x0015, 0x0015, 0x0006, 0x0006, 0x0000, 0x0000, 0x0000, + 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, + 0x0000, 0x0000, 0x0000, 0x0027, 0x0027, 0x0027, 0x8065, 0x8067, + 0x001b, 0x0000, 0x0000, 0x0000, 0x0001, 0x0001, 0x0001, 0x0001, + 0x8069, 0x0028, 0x0006, 0x0001, 0x0006, 0x0001, 0x0001, 0x0001, + // Entry 240 - 27F + 0x0001, 0x0001, 0x0001, 0x0001, 0x0001, 0x0001, 0x0001, 0x0000, + 0x0006, 0x0000, 0x0000, 0x001a, 0x001a, 0x0006, 0x0006, 0x0006, + 0x0006, 0x0006, 0x0000, 0x0000, 0x0029, 0x0029, 0x0029, 0x0029, + 0x0029, 0x0029, 0x0029, 0x0006, 0x0006, 0x0000, 0x0000, 0x002a, + 0x002a, 0x0000, 0x0000, 0x0000, 0x0000, 0x806b, 0x0000, 0x0000, + 0x002b, 0x002b, 0x002b, 0x002b, 0x0006, 0x0006, 0x000d, 0x000d, + 0x0006, 0x0006, 0x0000, 0x0001, 0x0001, 0x0001, 0x0001, 0x0001, + 0x002c, 0x002c, 0x002d, 0x002d, 0x002e, 0x002e, 0x0000, 0x0000, + // Entry 280 - 2BF + 0x0000, 0x002f, 0x002f, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, + 0x0000, 0x0000, 0x0000, 0x0001, 0x0001, 0x0001, 0x0001, 0x0006, + 0x0006, 0x0006, 0x0006, 0x0006, 0x0006, 0x0006, 0x0006, 0x0006, + 0x0006, 0x0006, 0x0000, 0x0000, 0x0000, 0x806d, 0x0022, 0x0022, + 0x0022, 0x0000, 0x0006, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, + 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, + 0x0000, 0x0001, 0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, + 0x0000, 0x0030, 0x0030, 0x0000, 0x0000, 0x8071, 0x0031, 0x0006, + // Entry 2C0 - 2FF + 0x0006, 0x0006, 0x0000, 0x0001, 0x0001, 0x000d, 0x000d, 0x0001, + 0x0001, 0x0000, 0x0000, 0x0032, 0x0032, 0x8074, 0x8076, 0x001b, + 0x8077, 0x8079, 0x0028, 0x807b, 0x0034, 0x0033, 0x0033, 0x0000, + 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0006, 0x0006, 0x0000, + 0x0000, 0x0000, 0x0000, 0x0000, 0x0035, 0x0035, 0x0006, 0x0006, + 0x0000, 0x0000, 0x0000, 0x0001, 0x0001, 0x0000, 0x0000, 0x0000, + 0x0000, 0x0000, 0x0036, 0x0037, 0x0037, 0x0036, 0x0036, 0x0001, + 0x0001, 0x807d, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x8080, + // Entry 300 - 33F + 0x0036, 0x0036, 0x0036, 0x0000, 0x0000, 0x0006, 0x0014, +} // Size: 1550 bytes + +// langToAlt is a list of numbering system and symbol set pairs, sorted and +// marked by compact language index. +var langToAlt = []altSymData{ // 131 elements + 1: {compactTag: 0x0, symIndex: 0x38, system: 0x3}, + 2: {compactTag: 0x0, symIndex: 0x42, system: 0x4}, + 3: {compactTag: 0xa, symIndex: 0x39, system: 0x3}, + 4: {compactTag: 0xa, symIndex: 0x2, system: 0x0}, + 5: {compactTag: 0x28, symIndex: 0x0, system: 0x6}, + 6: {compactTag: 0x2c, symIndex: 0x5, system: 0x0}, + 7: {compactTag: 0x2c, symIndex: 0x3a, system: 0x3}, + 8: {compactTag: 0x2c, symIndex: 0x42, system: 0x4}, + 9: {compactTag: 0x40, symIndex: 0x0, system: 0x6}, + 10: {compactTag: 0x43, symIndex: 0x0, system: 0x0}, + 11: {compactTag: 0x43, symIndex: 0x4f, system: 0x37}, + 12: {compactTag: 0x46, symIndex: 0x1, system: 0x0}, + 13: {compactTag: 0x46, symIndex: 0x38, system: 0x3}, + 14: {compactTag: 0x54, symIndex: 0x0, system: 0x9}, + 15: {compactTag: 0x5d, symIndex: 0x3a, system: 0x3}, + 16: {compactTag: 0x5d, symIndex: 0x8, system: 0x0}, + 17: {compactTag: 0x60, symIndex: 0x1, system: 0x0}, + 18: {compactTag: 0x60, symIndex: 0x38, system: 0x3}, + 19: {compactTag: 0x60, symIndex: 0x42, system: 0x4}, + 20: {compactTag: 0x60, symIndex: 0x0, system: 0x5}, + 21: {compactTag: 0x60, symIndex: 0x0, system: 0x6}, + 22: {compactTag: 0x60, symIndex: 0x0, system: 0x8}, + 23: {compactTag: 0x60, symIndex: 0x0, system: 0x9}, + 24: {compactTag: 0x60, symIndex: 0x0, system: 0xa}, + 25: {compactTag: 0x60, symIndex: 0x0, system: 0xb}, + 26: {compactTag: 0x60, symIndex: 0x0, system: 0xc}, + 27: {compactTag: 0x60, symIndex: 0x0, system: 0xd}, + 28: {compactTag: 0x60, symIndex: 0x0, system: 0xe}, + 29: {compactTag: 0x60, symIndex: 0x0, system: 0xf}, + 30: {compactTag: 0x60, symIndex: 0x0, system: 0x11}, + 31: {compactTag: 0x60, symIndex: 0x0, system: 0x12}, + 32: {compactTag: 0x60, symIndex: 0x0, system: 0x13}, + 33: {compactTag: 0x60, symIndex: 0x0, system: 0x14}, + 34: {compactTag: 0x60, symIndex: 0x0, system: 0x15}, + 35: {compactTag: 0x60, symIndex: 0x0, system: 0x16}, + 36: {compactTag: 0x60, symIndex: 0x0, system: 0x17}, + 37: {compactTag: 0x60, symIndex: 0x0, system: 0x18}, + 38: {compactTag: 0x60, symIndex: 0x0, system: 0x19}, + 39: {compactTag: 0x60, symIndex: 0x0, system: 0x1f}, + 40: {compactTag: 0x60, symIndex: 0x0, system: 0x21}, + 41: {compactTag: 0x60, symIndex: 0x0, system: 0x23}, + 42: {compactTag: 0x60, symIndex: 0x0, system: 0x24}, + 43: {compactTag: 0x60, symIndex: 0x0, system: 0x25}, + 44: {compactTag: 0x60, symIndex: 0x0, system: 0x28}, + 45: {compactTag: 0x60, symIndex: 0x0, system: 0x29}, + 46: {compactTag: 0x60, symIndex: 0x0, system: 0x2a}, + 47: {compactTag: 0x60, symIndex: 0x0, system: 0x2b}, + 48: {compactTag: 0x60, symIndex: 0x0, system: 0x2c}, + 49: {compactTag: 0x60, symIndex: 0x0, system: 0x2d}, + 50: {compactTag: 0x60, symIndex: 0x0, system: 0x30}, + 51: {compactTag: 0x60, symIndex: 0x0, system: 0x31}, + 52: {compactTag: 0x60, symIndex: 0x0, system: 0x32}, + 53: {compactTag: 0x60, symIndex: 0x0, system: 0x33}, + 54: {compactTag: 0x60, symIndex: 0x0, system: 0x34}, + 55: {compactTag: 0x60, symIndex: 0x0, system: 0x35}, + 56: {compactTag: 0x60, symIndex: 0x0, system: 0x36}, + 57: {compactTag: 0x60, symIndex: 0x0, system: 0x37}, + 58: {compactTag: 0x60, symIndex: 0x0, system: 0x39}, + 59: {compactTag: 0x60, symIndex: 0x0, system: 0x43}, + 60: {compactTag: 0x64, symIndex: 0x0, system: 0x0}, + 61: {compactTag: 0x64, symIndex: 0x38, system: 0x3}, + 62: {compactTag: 0x64, symIndex: 0x42, system: 0x4}, + 63: {compactTag: 0x7c, symIndex: 0x50, system: 0x37}, + 64: {compactTag: 0x7c, symIndex: 0x0, system: 0x0}, + 65: {compactTag: 0x114, symIndex: 0x43, system: 0x4}, + 66: {compactTag: 0x114, symIndex: 0x18, system: 0x0}, + 67: {compactTag: 0x114, symIndex: 0x3b, system: 0x3}, + 68: {compactTag: 0x123, symIndex: 0x1, system: 0x0}, + 69: {compactTag: 0x123, symIndex: 0x3c, system: 0x3}, + 70: {compactTag: 0x123, symIndex: 0x44, system: 0x4}, + 71: {compactTag: 0x158, symIndex: 0x0, system: 0x0}, + 72: {compactTag: 0x158, symIndex: 0x3b, system: 0x3}, + 73: {compactTag: 0x158, symIndex: 0x45, system: 0x4}, + 74: {compactTag: 0x160, symIndex: 0x0, system: 0x0}, + 75: {compactTag: 0x160, symIndex: 0x38, system: 0x3}, + 76: {compactTag: 0x16d, symIndex: 0x1b, system: 0x0}, + 77: {compactTag: 0x16d, symIndex: 0x0, system: 0x9}, + 78: {compactTag: 0x16d, symIndex: 0x0, system: 0xa}, + 79: {compactTag: 0x17c, symIndex: 0x0, system: 0x0}, + 80: {compactTag: 0x17c, symIndex: 0x3d, system: 0x3}, + 81: {compactTag: 0x17c, symIndex: 0x42, system: 0x4}, + 82: {compactTag: 0x182, symIndex: 0x6, system: 0x0}, + 83: {compactTag: 0x182, symIndex: 0x38, system: 0x3}, + 84: {compactTag: 0x1b1, symIndex: 0x0, system: 0x0}, + 85: {compactTag: 0x1b1, symIndex: 0x3e, system: 0x3}, + 86: {compactTag: 0x1b6, symIndex: 0x42, system: 0x4}, + 87: {compactTag: 0x1b6, symIndex: 0x1b, system: 0x0}, + 88: {compactTag: 0x1d2, symIndex: 0x42, system: 0x4}, + 89: {compactTag: 0x1d2, symIndex: 0x0, system: 0x0}, + 90: {compactTag: 0x1f3, symIndex: 0x0, system: 0xb}, + 91: {compactTag: 0x1fd, symIndex: 0x4e, system: 0x24}, + 92: {compactTag: 0x1fd, symIndex: 0x26, system: 0x0}, + 93: {compactTag: 0x1ff, symIndex: 0x42, system: 0x4}, + 94: {compactTag: 0x204, symIndex: 0x15, system: 0x0}, + 95: {compactTag: 0x204, symIndex: 0x3f, system: 0x3}, + 96: {compactTag: 0x204, symIndex: 0x46, system: 0x4}, + 97: {compactTag: 0x20c, symIndex: 0x0, system: 0xb}, + 98: {compactTag: 0x20f, symIndex: 0x6, system: 0x0}, + 99: {compactTag: 0x20f, symIndex: 0x38, system: 0x3}, + 100: {compactTag: 0x20f, symIndex: 0x42, system: 0x4}, + 101: {compactTag: 0x22e, symIndex: 0x0, system: 0x0}, + 102: {compactTag: 0x22e, symIndex: 0x47, system: 0x4}, + 103: {compactTag: 0x22f, symIndex: 0x42, system: 0x4}, + 104: {compactTag: 0x22f, symIndex: 0x1b, system: 0x0}, + 105: {compactTag: 0x238, symIndex: 0x42, system: 0x4}, + 106: {compactTag: 0x238, symIndex: 0x28, system: 0x0}, + 107: {compactTag: 0x265, symIndex: 0x38, system: 0x3}, + 108: {compactTag: 0x265, symIndex: 0x0, system: 0x0}, + 109: {compactTag: 0x29d, symIndex: 0x22, system: 0x0}, + 110: {compactTag: 0x29d, symIndex: 0x40, system: 0x3}, + 111: {compactTag: 0x29d, symIndex: 0x48, system: 0x4}, + 112: {compactTag: 0x29d, symIndex: 0x4d, system: 0xc}, + 113: {compactTag: 0x2bd, symIndex: 0x31, system: 0x0}, + 114: {compactTag: 0x2bd, symIndex: 0x3e, system: 0x3}, + 115: {compactTag: 0x2bd, symIndex: 0x42, system: 0x4}, + 116: {compactTag: 0x2cd, symIndex: 0x1b, system: 0x0}, + 117: {compactTag: 0x2cd, symIndex: 0x49, system: 0x4}, + 118: {compactTag: 0x2ce, symIndex: 0x49, system: 0x4}, + 119: {compactTag: 0x2d0, symIndex: 0x33, system: 0x0}, + 120: {compactTag: 0x2d0, symIndex: 0x4a, system: 0x4}, + 121: {compactTag: 0x2d1, symIndex: 0x42, system: 0x4}, + 122: {compactTag: 0x2d1, symIndex: 0x28, system: 0x0}, + 123: {compactTag: 0x2d3, symIndex: 0x34, system: 0x0}, + 124: {compactTag: 0x2d3, symIndex: 0x4b, system: 0x4}, + 125: {compactTag: 0x2f9, symIndex: 0x0, system: 0x0}, + 126: {compactTag: 0x2f9, symIndex: 0x38, system: 0x3}, + 127: {compactTag: 0x2f9, symIndex: 0x42, system: 0x4}, + 128: {compactTag: 0x2ff, symIndex: 0x36, system: 0x0}, + 129: {compactTag: 0x2ff, symIndex: 0x41, system: 0x3}, + 130: {compactTag: 0x2ff, symIndex: 0x4c, system: 0x4}, +} // Size: 810 bytes + +var tagToDecimal = []uint8{ // 775 elements + // Entry 0 - 3F + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x05, 0x05, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + // Entry 40 - 7F + 0x05, 0x05, 0x05, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x05, 0x05, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x05, 0x05, 0x05, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x05, 0x05, 0x01, 0x01, + // Entry 80 - BF + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x05, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + // Entry C0 - FF + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + // Entry 100 - 13F + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + // Entry 140 - 17F + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x05, 0x05, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x05, + 0x05, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + // Entry 180 - 1BF + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x05, 0x05, 0x05, 0x05, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + // Entry 1C0 - 1FF + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x05, 0x05, + 0x01, 0x01, 0x01, 0x05, 0x05, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + // Entry 200 - 23F + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x05, 0x05, 0x01, 0x01, 0x01, 0x05, 0x01, + 0x01, 0x05, 0x05, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + // Entry 240 - 27F + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + // Entry 280 - 2BF + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x05, + 0x05, 0x05, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + // Entry 2C0 - 2FF + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, + // Entry 300 - 33F + 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x08, +} // Size: 799 bytes + +var tagToScientific = []uint8{ // 775 elements + // Entry 0 - 3F + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + // Entry 40 - 7F + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + // Entry 80 - BF + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + // Entry C0 - FF + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + // Entry 100 - 13F + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + // Entry 140 - 17F + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x0c, 0x0c, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x0c, + 0x0c, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + // Entry 180 - 1BF + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + // Entry 1C0 - 1FF + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x0d, 0x0d, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x0c, 0x0c, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + // Entry 200 - 23F + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x0c, 0x02, + 0x02, 0x0c, 0x0c, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + // Entry 240 - 27F + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x0d, 0x0d, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + // Entry 280 - 2BF + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + // Entry 2C0 - 2FF + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, + // Entry 300 - 33F + 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x09, +} // Size: 799 bytes + +var tagToPercent = []uint8{ // 775 elements + // Entry 0 - 3F + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x06, 0x06, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x03, 0x03, 0x03, 0x03, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + // Entry 40 - 7F + 0x06, 0x06, 0x06, 0x04, 0x04, 0x04, 0x03, 0x03, + 0x06, 0x06, 0x03, 0x04, 0x04, 0x03, 0x03, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x06, 0x06, 0x06, 0x03, + 0x03, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x03, 0x03, 0x04, 0x04, 0x04, 0x04, 0x03, 0x03, + 0x03, 0x04, 0x04, 0x03, 0x03, 0x03, 0x04, 0x03, + 0x03, 0x04, 0x03, 0x04, 0x04, 0x03, 0x03, 0x03, + 0x03, 0x04, 0x04, 0x04, 0x07, 0x07, 0x04, 0x04, + // Entry 80 - BF + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x03, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x03, 0x04, 0x03, 0x04, + 0x04, 0x03, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x06, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + // Entry C0 - FF + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x03, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, + 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, + // Entry 100 - 13F + 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, + 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x04, 0x04, + 0x0b, 0x0b, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x03, 0x03, 0x04, 0x04, + 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, + 0x03, 0x03, 0x03, 0x03, 0x03, 0x04, 0x03, 0x03, + 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, + 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, + // Entry 140 - 17F + 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, + 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, + 0x03, 0x03, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, + 0x06, 0x06, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x06, + 0x06, 0x04, 0x04, 0x04, 0x03, 0x03, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + // Entry 180 - 1BF + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x03, 0x03, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x06, 0x06, 0x06, 0x06, + 0x04, 0x04, 0x04, 0x04, 0x03, 0x03, 0x04, 0x04, + // Entry 1C0 - 1FF + 0x04, 0x04, 0x04, 0x04, 0x04, 0x03, 0x03, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x04, 0x03, 0x03, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + // Entry 200 - 23F + 0x04, 0x04, 0x04, 0x04, 0x03, 0x03, 0x03, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x03, 0x03, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x06, 0x06, 0x04, 0x04, 0x04, 0x06, 0x04, + 0x04, 0x06, 0x06, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + // Entry 240 - 27F + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x03, + 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, + 0x03, 0x03, 0x04, 0x04, 0x03, 0x03, 0x03, 0x03, + 0x03, 0x03, 0x03, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x03, 0x03, 0x03, 0x03, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x03, 0x03, 0x03, 0x03, 0x04, 0x04, + // Entry 280 - 2BF + 0x04, 0x03, 0x03, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x04, 0x03, 0x03, 0x03, + 0x03, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x06, + 0x06, 0x06, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x03, 0x03, 0x04, 0x04, 0x04, 0x04, 0x0e, + // Entry 2C0 - 2FF + 0x0e, 0x0e, 0x04, 0x03, 0x03, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x03, + 0x03, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, + // Entry 300 - 33F + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x0a, +} // Size: 799 bytes + +var formats = []Pattern{Pattern{RoundingContext: RoundingContext{MaxSignificantDigits: 0, + MaxFractionDigits: 0, + Increment: 0x0, + IncrementScale: 0x0, + Mode: 0x0, + DigitShift: 0x0, + MinIntegerDigits: 0x0, + MaxIntegerDigits: 0x0, + MinFractionDigits: 0x0, + MinSignificantDigits: 0x0, + MinExponentDigits: 0x0}, + Affix: "", + Offset: 0x0, + NegOffset: 0x0, + PadRune: 0, + FormatWidth: 0x0, + GroupingSize: [2]uint8{0x0, + 0x0}, + Flags: 0x0}, + Pattern{RoundingContext: RoundingContext{MaxSignificantDigits: 0, + MaxFractionDigits: 3, + Increment: 0x0, + IncrementScale: 0x0, + Mode: 0x0, + DigitShift: 0x0, + MinIntegerDigits: 0x1, + MaxIntegerDigits: 0x0, + MinFractionDigits: 0x0, + MinSignificantDigits: 0x0, + MinExponentDigits: 0x0}, + Affix: "", + Offset: 0x0, + NegOffset: 0x0, + PadRune: 0, + FormatWidth: 0x9, + GroupingSize: [2]uint8{0x3, + 0x0}, + Flags: 0x0}, + Pattern{RoundingContext: RoundingContext{MaxSignificantDigits: 0, + MaxFractionDigits: 0, + Increment: 0x0, + IncrementScale: 0x0, + Mode: 0x0, + DigitShift: 0x0, + MinIntegerDigits: 0x0, + MaxIntegerDigits: 0x1, + MinFractionDigits: 0x0, + MinSignificantDigits: 0x0, + MinExponentDigits: 0x1}, + Affix: "", + Offset: 0x0, + NegOffset: 0x0, + PadRune: 0, + FormatWidth: 0x3, + GroupingSize: [2]uint8{0x0, + 0x0}, + Flags: 0x0}, + Pattern{RoundingContext: RoundingContext{MaxSignificantDigits: 0, + MaxFractionDigits: 0, + Increment: 0x0, + IncrementScale: 0x0, + Mode: 0x0, + DigitShift: 0x2, + MinIntegerDigits: 0x1, + MaxIntegerDigits: 0x0, + MinFractionDigits: 0x0, + MinSignificantDigits: 0x0, + MinExponentDigits: 0x0}, + Affix: "\x00\x03\u00a0%", + Offset: 0x0, + NegOffset: 0x0, + PadRune: 0, + FormatWidth: 0x7, + GroupingSize: [2]uint8{0x3, + 0x0}, + Flags: 0x0}, + Pattern{RoundingContext: RoundingContext{MaxSignificantDigits: 0, + MaxFractionDigits: 0, + Increment: 0x0, + IncrementScale: 0x0, + Mode: 0x0, + DigitShift: 0x2, + MinIntegerDigits: 0x1, + MaxIntegerDigits: 0x0, + MinFractionDigits: 0x0, + MinSignificantDigits: 0x0, + MinExponentDigits: 0x0}, + Affix: "\x00\x01%", + Offset: 0x0, + NegOffset: 0x0, + PadRune: 0, + FormatWidth: 0x6, + GroupingSize: [2]uint8{0x3, + 0x0}, + Flags: 0x0}, + Pattern{RoundingContext: RoundingContext{MaxSignificantDigits: 0, + MaxFractionDigits: 3, + Increment: 0x0, + IncrementScale: 0x0, + Mode: 0x0, + DigitShift: 0x0, + MinIntegerDigits: 0x1, + MaxIntegerDigits: 0x0, + MinFractionDigits: 0x0, + MinSignificantDigits: 0x0, + MinExponentDigits: 0x0}, + Affix: "", + Offset: 0x0, + NegOffset: 0x0, + PadRune: 0, + FormatWidth: 0xc, + GroupingSize: [2]uint8{0x3, + 0x2}, + Flags: 0x0}, + Pattern{RoundingContext: RoundingContext{MaxSignificantDigits: 0, + MaxFractionDigits: 0, + Increment: 0x0, + IncrementScale: 0x0, + Mode: 0x0, + DigitShift: 0x2, + MinIntegerDigits: 0x1, + MaxIntegerDigits: 0x0, + MinFractionDigits: 0x0, + MinSignificantDigits: 0x0, + MinExponentDigits: 0x0}, + Affix: "\x00\x01%", + Offset: 0x0, + NegOffset: 0x0, + PadRune: 0, + FormatWidth: 0x9, + GroupingSize: [2]uint8{0x3, + 0x2}, + Flags: 0x0}, + Pattern{RoundingContext: RoundingContext{MaxSignificantDigits: 0, + MaxFractionDigits: 0, + Increment: 0x0, + IncrementScale: 0x0, + Mode: 0x0, + DigitShift: 0x2, + MinIntegerDigits: 0x1, + MaxIntegerDigits: 0x0, + MinFractionDigits: 0x0, + MinSignificantDigits: 0x0, + MinExponentDigits: 0x0}, + Affix: "\x00\x03\u00a0%", + Offset: 0x0, + NegOffset: 0x0, + PadRune: 0, + FormatWidth: 0xa, + GroupingSize: [2]uint8{0x3, + 0x2}, + Flags: 0x0}, + Pattern{RoundingContext: RoundingContext{MaxSignificantDigits: 0, + MaxFractionDigits: 6, + Increment: 0x0, + IncrementScale: 0x0, + Mode: 0x0, + DigitShift: 0x0, + MinIntegerDigits: 0x1, + MaxIntegerDigits: 0x0, + MinFractionDigits: 0x0, + MinSignificantDigits: 0x0, + MinExponentDigits: 0x0}, + Affix: "", + Offset: 0x0, + NegOffset: 0x0, + PadRune: 0, + FormatWidth: 0x8, + GroupingSize: [2]uint8{0x0, + 0x0}, + Flags: 0x0}, + Pattern{RoundingContext: RoundingContext{MaxSignificantDigits: 0, + MaxFractionDigits: 6, + Increment: 0x0, + IncrementScale: 0x0, + Mode: 0x0, + DigitShift: 0x0, + MinIntegerDigits: 0x1, + MaxIntegerDigits: 0x0, + MinFractionDigits: 0x6, + MinSignificantDigits: 0x0, + MinExponentDigits: 0x3}, + Affix: "", + Offset: 0x0, + NegOffset: 0x0, + PadRune: 0, + FormatWidth: 0xd, + GroupingSize: [2]uint8{0x0, + 0x0}, + Flags: 0x4}, + Pattern{RoundingContext: RoundingContext{MaxSignificantDigits: 0, + MaxFractionDigits: 0, + Increment: 0x0, + IncrementScale: 0x0, + Mode: 0x0, + DigitShift: 0x2, + MinIntegerDigits: 0x1, + MaxIntegerDigits: 0x0, + MinFractionDigits: 0x0, + MinSignificantDigits: 0x0, + MinExponentDigits: 0x0}, + Affix: "\x00\x01%", + Offset: 0x0, + NegOffset: 0x0, + PadRune: 0, + FormatWidth: 0x2, + GroupingSize: [2]uint8{0x0, + 0x0}, + Flags: 0x0}, + Pattern{RoundingContext: RoundingContext{MaxSignificantDigits: 0, + MaxFractionDigits: 0, + Increment: 0x0, + IncrementScale: 0x0, + Mode: 0x0, + DigitShift: 0x2, + MinIntegerDigits: 0x1, + MaxIntegerDigits: 0x0, + MinFractionDigits: 0x0, + MinSignificantDigits: 0x0, + MinExponentDigits: 0x0}, + Affix: "\x03%\u00a0\x00", + Offset: 0x0, + NegOffset: 0x0, + PadRune: 0, + FormatWidth: 0x7, + GroupingSize: [2]uint8{0x3, + 0x0}, + Flags: 0x0}, + Pattern{RoundingContext: RoundingContext{MaxSignificantDigits: 0, + MaxFractionDigits: 0, + Increment: 0x0, + IncrementScale: 0x0, + Mode: 0x0, + DigitShift: 0x0, + MinIntegerDigits: 0x0, + MaxIntegerDigits: 0x1, + MinFractionDigits: 0x0, + MinSignificantDigits: 0x0, + MinExponentDigits: 0x1}, + Affix: "\x01[\x01]", + Offset: 0x0, + NegOffset: 0x0, + PadRune: 0, + FormatWidth: 0x5, + GroupingSize: [2]uint8{0x0, + 0x0}, + Flags: 0x0}, + Pattern{RoundingContext: RoundingContext{MaxSignificantDigits: 0, + MaxFractionDigits: 0, + Increment: 0x0, + IncrementScale: 0x0, + Mode: 0x0, + DigitShift: 0x0, + MinIntegerDigits: 0x0, + MaxIntegerDigits: 0x0, + MinFractionDigits: 0x0, + MinSignificantDigits: 0x0, + MinExponentDigits: 0x0}, + Affix: "", + Offset: 0x0, + NegOffset: 0x0, + PadRune: 0, + FormatWidth: 0x1, + GroupingSize: [2]uint8{0x0, + 0x0}, + Flags: 0x0}, + Pattern{RoundingContext: RoundingContext{MaxSignificantDigits: 0, + MaxFractionDigits: 0, + Increment: 0x0, + IncrementScale: 0x0, + Mode: 0x0, + DigitShift: 0x2, + MinIntegerDigits: 0x1, + MaxIntegerDigits: 0x0, + MinFractionDigits: 0x0, + MinSignificantDigits: 0x0, + MinExponentDigits: 0x0}, + Affix: "\x01%\x00", + Offset: 0x0, + NegOffset: 0x0, + PadRune: 0, + FormatWidth: 0x6, + GroupingSize: [2]uint8{0x3, + 0x0}, + Flags: 0x0}} + +// Total table size 8634 bytes (8KiB); checksum: 8F23386D diff --git a/vendor/golang.org/x/text/internal/stringset/set.go b/vendor/golang.org/x/text/internal/stringset/set.go new file mode 100644 index 0000000000..bb2fffbc75 --- /dev/null +++ b/vendor/golang.org/x/text/internal/stringset/set.go @@ -0,0 +1,86 @@ +// Copyright 2016 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +// Package stringset provides a way to represent a collection of strings +// compactly. +package stringset + +import "sort" + +// A Set holds a collection of strings that can be looked up by an index number. +type Set struct { + // These fields are exported to allow for code generation. + + Data string + Index []uint16 +} + +// Elem returns the string with index i. It panics if i is out of range. +func (s *Set) Elem(i int) string { + return s.Data[s.Index[i]:s.Index[i+1]] +} + +// Len returns the number of strings in the set. +func (s *Set) Len() int { + return len(s.Index) - 1 +} + +// Search returns the index of the given string or -1 if it is not in the set. +// The Set must have been created with strings in sorted order. +func Search(s *Set, str string) int { + // TODO: optimize this if it gets used a lot. + n := len(s.Index) - 1 + p := sort.Search(n, func(i int) bool { + return s.Elem(i) >= str + }) + if p == n || str != s.Elem(p) { + return -1 + } + return p +} + +// A Builder constructs Sets. +type Builder struct { + set Set + index map[string]int +} + +// NewBuilder returns a new and initialized Builder. +func NewBuilder() *Builder { + return &Builder{ + set: Set{ + Index: []uint16{0}, + }, + index: map[string]int{}, + } +} + +// Set creates the set created so far. +func (b *Builder) Set() Set { + return b.set +} + +// Index returns the index for the given string, which must have been added +// before. +func (b *Builder) Index(s string) int { + return b.index[s] +} + +// Add adds a string to the index. Strings that are added by a single Add will +// be stored together, unless they match an existing string. +func (b *Builder) Add(ss ...string) { + // First check if the string already exists. + for _, s := range ss { + if _, ok := b.index[s]; ok { + continue + } + b.index[s] = len(b.set.Index) - 1 + b.set.Data += s + x := len(b.set.Data) + if x > 0xFFFF { + panic("Index too > 0xFFFF") + } + b.set.Index = append(b.set.Index, uint16(x)) + } +} diff --git a/vendor/golang.org/x/text/internal/utf8internal/utf8internal.go b/vendor/golang.org/x/text/internal/utf8internal/utf8internal.go new file mode 100644 index 0000000000..e5c53b1b3e --- /dev/null +++ b/vendor/golang.org/x/text/internal/utf8internal/utf8internal.go @@ -0,0 +1,87 @@ +// Copyright 2015 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +// Package utf8internal contains low-level utf8-related constants, tables, etc. +// that are used internally by the text package. +package utf8internal + +// The default lowest and highest continuation byte. +const ( + LoCB = 0x80 // 1000 0000 + HiCB = 0xBF // 1011 1111 +) + +// Constants related to getting information of first bytes of UTF-8 sequences. +const ( + // ASCII identifies a UTF-8 byte as ASCII. + ASCII = as + + // FirstInvalid indicates a byte is invalid as a first byte of a UTF-8 + // sequence. + FirstInvalid = xx + + // SizeMask is a mask for the size bits. Use use x&SizeMask to get the size. + SizeMask = 7 + + // AcceptShift is the right-shift count for the first byte info byte to get + // the index into the AcceptRanges table. See AcceptRanges. + AcceptShift = 4 + + // The names of these constants are chosen to give nice alignment in the + // table below. The first nibble is an index into acceptRanges or F for + // special one-byte cases. The second nibble is the Rune length or the + // Status for the special one-byte case. + xx = 0xF1 // invalid: size 1 + as = 0xF0 // ASCII: size 1 + s1 = 0x02 // accept 0, size 2 + s2 = 0x13 // accept 1, size 3 + s3 = 0x03 // accept 0, size 3 + s4 = 0x23 // accept 2, size 3 + s5 = 0x34 // accept 3, size 4 + s6 = 0x04 // accept 0, size 4 + s7 = 0x44 // accept 4, size 4 +) + +// First is information about the first byte in a UTF-8 sequence. +var First = [256]uint8{ + // 1 2 3 4 5 6 7 8 9 A B C D E F + as, as, as, as, as, as, as, as, as, as, as, as, as, as, as, as, // 0x00-0x0F + as, as, as, as, as, as, as, as, as, as, as, as, as, as, as, as, // 0x10-0x1F + as, as, as, as, as, as, as, as, as, as, as, as, as, as, as, as, // 0x20-0x2F + as, as, as, as, as, as, as, as, as, as, as, as, as, as, as, as, // 0x30-0x3F + as, as, as, as, as, as, as, as, as, as, as, as, as, as, as, as, // 0x40-0x4F + as, as, as, as, as, as, as, as, as, as, as, as, as, as, as, as, // 0x50-0x5F + as, as, as, as, as, as, as, as, as, as, as, as, as, as, as, as, // 0x60-0x6F + as, as, as, as, as, as, as, as, as, as, as, as, as, as, as, as, // 0x70-0x7F + // 1 2 3 4 5 6 7 8 9 A B C D E F + xx, xx, xx, xx, xx, xx, xx, xx, xx, xx, xx, xx, xx, xx, xx, xx, // 0x80-0x8F + xx, xx, xx, xx, xx, xx, xx, xx, xx, xx, xx, xx, xx, xx, xx, xx, // 0x90-0x9F + xx, xx, xx, xx, xx, xx, xx, xx, xx, xx, xx, xx, xx, xx, xx, xx, // 0xA0-0xAF + xx, xx, xx, xx, xx, xx, xx, xx, xx, xx, xx, xx, xx, xx, xx, xx, // 0xB0-0xBF + xx, xx, s1, s1, s1, s1, s1, s1, s1, s1, s1, s1, s1, s1, s1, s1, // 0xC0-0xCF + s1, s1, s1, s1, s1, s1, s1, s1, s1, s1, s1, s1, s1, s1, s1, s1, // 0xD0-0xDF + s2, s3, s3, s3, s3, s3, s3, s3, s3, s3, s3, s3, s3, s4, s3, s3, // 0xE0-0xEF + s5, s6, s6, s6, s7, xx, xx, xx, xx, xx, xx, xx, xx, xx, xx, xx, // 0xF0-0xFF +} + +// AcceptRange gives the range of valid values for the second byte in a UTF-8 +// sequence for any value for First that is not ASCII or FirstInvalid. +type AcceptRange struct { + Lo uint8 // lowest value for second byte. + Hi uint8 // highest value for second byte. +} + +// AcceptRanges is a slice of AcceptRange values. For a given byte sequence b +// +// AcceptRanges[First[b[0]]>>AcceptShift] +// +// will give the value of AcceptRange for the multi-byte UTF-8 sequence starting +// at b[0]. +var AcceptRanges = [...]AcceptRange{ + 0: {LoCB, HiCB}, + 1: {0xA0, HiCB}, + 2: {LoCB, 0x9F}, + 3: {0x90, HiCB}, + 4: {LoCB, 0x8F}, +} diff --git a/vendor/golang.org/x/text/message/catalog.go b/vendor/golang.org/x/text/message/catalog.go new file mode 100644 index 0000000000..068271def4 --- /dev/null +++ b/vendor/golang.org/x/text/message/catalog.go @@ -0,0 +1,36 @@ +// Copyright 2015 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package message + +// TODO: some types in this file will need to be made public at some time. +// Documentation and method names will reflect this by using the exported name. + +import ( + "golang.org/x/text/language" + "golang.org/x/text/message/catalog" +) + +// MatchLanguage reports the matched tag obtained from language.MatchStrings for +// the Matcher of the DefaultCatalog. +func MatchLanguage(preferred ...string) language.Tag { + c := DefaultCatalog + tag, _ := language.MatchStrings(c.Matcher(), preferred...) + return tag +} + +// DefaultCatalog is used by SetString. +var DefaultCatalog catalog.Catalog = defaultCatalog + +var defaultCatalog = catalog.NewBuilder() + +// SetString calls SetString on the initial default Catalog. +func SetString(tag language.Tag, key string, msg string) error { + return defaultCatalog.SetString(tag, key, msg) +} + +// Set calls Set on the initial default Catalog. +func Set(tag language.Tag, key string, msg ...catalog.Message) error { + return defaultCatalog.Set(tag, key, msg...) +} diff --git a/vendor/golang.org/x/text/message/catalog/catalog.go b/vendor/golang.org/x/text/message/catalog/catalog.go new file mode 100644 index 0000000000..96955d0752 --- /dev/null +++ b/vendor/golang.org/x/text/message/catalog/catalog.go @@ -0,0 +1,365 @@ +// Copyright 2017 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +// Package catalog defines collections of translated format strings. +// +// This package mostly defines types for populating catalogs with messages. The +// catmsg package contains further definitions for creating custom message and +// dictionary types as well as packages that use Catalogs. +// +// Package catalog defines various interfaces: Dictionary, Loader, and Message. +// A Dictionary maintains a set of translations of format strings for a single +// language. The Loader interface defines a source of dictionaries. A +// translation of a format string is represented by a Message. +// +// # Catalogs +// +// A Catalog defines a programmatic interface for setting message translations. +// It maintains a set of per-language dictionaries with translations for a set +// of keys. For message translation to function properly, a translation should +// be defined for each key for each supported language. A dictionary may be +// underspecified, though, if there is a parent language that already defines +// the key. For example, a Dictionary for "en-GB" could leave out entries that +// are identical to those in a dictionary for "en". +// +// # Messages +// +// A Message is a format string which varies on the value of substitution +// variables. For instance, to indicate the number of results one could want "no +// results" if there are none, "1 result" if there is 1, and "%d results" for +// any other number. Catalog is agnostic to the kind of format strings that are +// used: for instance, messages can follow either the printf-style substitution +// from package fmt or use templates. +// +// A Message does not substitute arguments in the format string. This job is +// reserved for packages that render strings, such as message, that use Catalogs +// to selected string. This separation of concerns allows Catalog to be used to +// store any kind of formatting strings. +// +// # Selecting messages based on linguistic features of substitution arguments +// +// Messages may vary based on any linguistic features of the argument values. +// The most common one is plural form, but others exist. +// +// Selection messages are provided in packages that provide support for a +// specific linguistic feature. The following snippet uses plural.Selectf: +// +// catalog.Set(language.English, "You are %d minute(s) late.", +// plural.Selectf(1, "", +// plural.One, "You are 1 minute late.", +// plural.Other, "You are %d minutes late.")) +// +// In this example, a message is stored in the Catalog where one of two messages +// is selected based on the first argument, a number. The first message is +// selected if the argument is singular (identified by the selector "one") and +// the second message is selected in all other cases. The selectors are defined +// by the plural rules defined in CLDR. The selector "other" is special and will +// always match. Each language always defines one of the linguistic categories +// to be "other." For English, singular is "one" and plural is "other". +// +// Selects can be nested. This allows selecting sentences based on features of +// multiple arguments or multiple linguistic properties of a single argument. +// +// # String interpolation +// +// There is often a lot of commonality between the possible variants of a +// message. For instance, in the example above the word "minute" varies based on +// the plural catogory of the argument, but the rest of the sentence is +// identical. Using interpolation the above message can be rewritten as: +// +// catalog.Set(language.English, "You are %d minute(s) late.", +// catalog.Var("minutes", +// plural.Selectf(1, "", plural.One, "minute", plural.Other, "minutes")), +// catalog.String("You are %[1]d ${minutes} late.")) +// +// Var is defined to return the variable name if the message does not yield a +// match. This allows us to further simplify this snippet to +// +// catalog.Set(language.English, "You are %d minute(s) late.", +// catalog.Var("minutes", plural.Selectf(1, "", plural.One, "minute")), +// catalog.String("You are %d ${minutes} late.")) +// +// Overall this is still only a minor improvement, but things can get a lot more +// unwieldy if more than one linguistic feature is used to determine a message +// variant. Consider the following example: +// +// // argument 1: list of hosts, argument 2: list of guests +// catalog.Set(language.English, "%[1]v invite(s) %[2]v to their party.", +// catalog.Var("their", +// plural.Selectf(1, "" +// plural.One, gender.Select(1, "female", "her", "other", "his"))), +// catalog.Var("invites", plural.Selectf(1, "", plural.One, "invite")) +// catalog.String("%[1]v ${invites} %[2]v to ${their} party.")), +// +// Without variable substitution, this would have to be written as +// +// // argument 1: list of hosts, argument 2: list of guests +// catalog.Set(language.English, "%[1]v invite(s) %[2]v to their party.", +// plural.Selectf(1, "", +// plural.One, gender.Select(1, +// "female", "%[1]v invites %[2]v to her party." +// "other", "%[1]v invites %[2]v to his party."), +// plural.Other, "%[1]v invites %[2]v to their party.")) +// +// Not necessarily shorter, but using variables there is less duplication and +// the messages are more maintenance friendly. Moreover, languages may have up +// to six plural forms. This makes the use of variables more welcome. +// +// Different messages using the same inflections can reuse variables by moving +// them to macros. Using macros we can rewrite the message as: +// +// // argument 1: list of hosts, argument 2: list of guests +// catalog.SetString(language.English, "%[1]v invite(s) %[2]v to their party.", +// "%[1]v ${invites(1)} %[2]v to ${their(1)} party.") +// +// Where the following macros were defined separately. +// +// catalog.SetMacro(language.English, "invites", plural.Selectf(1, "", +// plural.One, "invite")) +// catalog.SetMacro(language.English, "their", plural.Selectf(1, "", +// plural.One, gender.Select(1, "female", "her", "other", "his"))), +// +// Placeholders use parentheses and the arguments to invoke a macro. +// +// # Looking up messages +// +// Message lookup using Catalogs is typically only done by specialized packages +// and is not something the user should be concerned with. For instance, to +// express the tardiness of a user using the related message we defined earlier, +// the user may use the package message like so: +// +// p := message.NewPrinter(language.English) +// p.Printf("You are %d minute(s) late.", 5) +// +// Which would print: +// +// You are 5 minutes late. +// +// This package is UNDER CONSTRUCTION and its API may change. +package catalog // import "golang.org/x/text/message/catalog" + +// TODO: +// Some way to freeze a catalog. +// - Locking on each lockup turns out to be about 50% of the total running time +// for some of the benchmarks in the message package. +// Consider these: +// - Sequence type to support sequences in user-defined messages. +// - Garbage collection: Remove dictionaries that can no longer be reached +// as other dictionaries have been added that cover all possible keys. + +import ( + "errors" + "fmt" + + "golang.org/x/text/internal" + + "golang.org/x/text/internal/catmsg" + "golang.org/x/text/language" +) + +// A Catalog allows lookup of translated messages. +type Catalog interface { + // Languages returns all languages for which the Catalog contains variants. + Languages() []language.Tag + + // Matcher returns a Matcher for languages from this Catalog. + Matcher() language.Matcher + + // A Context is used for evaluating Messages. + Context(tag language.Tag, r catmsg.Renderer) *Context + + // This method also makes Catalog a private interface. + lookup(tag language.Tag, key string) (data string, ok bool) +} + +// NewFromMap creates a Catalog from the given map. If a Dictionary is +// underspecified the entry is retrieved from a parent language. +func NewFromMap(dictionaries map[string]Dictionary, opts ...Option) (Catalog, error) { + options := options{} + for _, o := range opts { + o(&options) + } + c := &catalog{ + dicts: map[language.Tag]Dictionary{}, + } + _, hasFallback := dictionaries[options.fallback.String()] + if hasFallback { + // TODO: Should it be okay to not have a fallback language? + // Catalog generators could enforce there is always a fallback. + c.langs = append(c.langs, options.fallback) + } + for lang, dict := range dictionaries { + tag, err := language.Parse(lang) + if err != nil { + return nil, fmt.Errorf("catalog: invalid language tag %q", lang) + } + if _, ok := c.dicts[tag]; ok { + return nil, fmt.Errorf("catalog: duplicate entry for tag %q after normalization", tag) + } + c.dicts[tag] = dict + if !hasFallback || tag != options.fallback { + c.langs = append(c.langs, tag) + } + } + if hasFallback { + internal.SortTags(c.langs[1:]) + } else { + internal.SortTags(c.langs) + } + c.matcher = language.NewMatcher(c.langs) + return c, nil +} + +// A Dictionary is a source of translations for a single language. +type Dictionary interface { + // Lookup returns a message compiled with catmsg.Compile for the given key. + // It returns false for ok if such a message could not be found. + Lookup(key string) (data string, ok bool) +} + +type catalog struct { + langs []language.Tag + dicts map[language.Tag]Dictionary + macros store + matcher language.Matcher +} + +func (c *catalog) Languages() []language.Tag { return c.langs } +func (c *catalog) Matcher() language.Matcher { return c.matcher } + +func (c *catalog) lookup(tag language.Tag, key string) (data string, ok bool) { + for ; ; tag = tag.Parent() { + if dict, ok := c.dicts[tag]; ok { + if data, ok := dict.Lookup(key); ok { + return data, true + } + } + if tag == language.Und { + break + } + } + return "", false +} + +// Context returns a Context for formatting messages. +// Only one Message may be formatted per context at any given time. +func (c *catalog) Context(tag language.Tag, r catmsg.Renderer) *Context { + return &Context{ + cat: c, + tag: tag, + dec: catmsg.NewDecoder(tag, r, &dict{&c.macros, tag}), + } +} + +// A Builder allows building a Catalog programmatically. +type Builder struct { + options + matcher language.Matcher + + index store + macros store +} + +type options struct { + fallback language.Tag +} + +// An Option configures Catalog behavior. +type Option func(*options) + +// Fallback specifies the default fallback language. The default is Und. +func Fallback(tag language.Tag) Option { + return func(o *options) { o.fallback = tag } +} + +// TODO: +// // Catalogs specifies one or more sources for a Catalog. +// // Lookups are in order. +// // This can be changed inserting a Catalog used for setting, which implements +// // Loader, used for setting in the chain. +// func Catalogs(d ...Loader) Option { +// return nil +// } +// +// func Delims(start, end string) Option {} +// +// func Dict(tag language.Tag, d ...Dictionary) Option + +// NewBuilder returns an empty mutable Catalog. +func NewBuilder(opts ...Option) *Builder { + c := &Builder{} + for _, o := range opts { + o(&c.options) + } + return c +} + +// SetString is shorthand for Set(tag, key, String(msg)). +func (c *Builder) SetString(tag language.Tag, key string, msg string) error { + return c.set(tag, key, &c.index, String(msg)) +} + +// Set sets the translation for the given language and key. +// +// When evaluation this message, the first Message in the sequence to msgs to +// evaluate to a string will be the message returned. +func (c *Builder) Set(tag language.Tag, key string, msg ...Message) error { + return c.set(tag, key, &c.index, msg...) +} + +// SetMacro defines a Message that may be substituted in another message. +// The arguments to a macro Message are passed as arguments in the +// placeholder the form "${foo(arg1, arg2)}". +func (c *Builder) SetMacro(tag language.Tag, name string, msg ...Message) error { + return c.set(tag, name, &c.macros, msg...) +} + +// ErrNotFound indicates there was no message for the given key. +var ErrNotFound = errors.New("catalog: message not found") + +// String specifies a plain message string. It can be used as fallback if no +// other strings match or as a simple standalone message. +// +// It is an error to pass more than one String in a message sequence. +func String(name string) Message { + return catmsg.String(name) +} + +// Var sets a variable that may be substituted in formatting patterns using +// named substitution of the form "${name}". The name argument is used as a +// fallback if the statements do not produce a match. The statement sequence may +// not contain any Var calls. +// +// The name passed to a Var must be unique within message sequence. +func Var(name string, msg ...Message) Message { + return &catmsg.Var{Name: name, Message: firstInSequence(msg)} +} + +// Context returns a Context for formatting messages. +// Only one Message may be formatted per context at any given time. +func (b *Builder) Context(tag language.Tag, r catmsg.Renderer) *Context { + return &Context{ + cat: b, + tag: tag, + dec: catmsg.NewDecoder(tag, r, &dict{&b.macros, tag}), + } +} + +// A Context is used for evaluating Messages. +// Only one Message may be formatted per context at any given time. +type Context struct { + cat Catalog + tag language.Tag // TODO: use compact index. + dec *catmsg.Decoder +} + +// Execute looks up and executes the message with the given key. +// It returns ErrNotFound if no message could be found in the index. +func (c *Context) Execute(key string) error { + data, ok := c.cat.lookup(c.tag, key) + if !ok { + return ErrNotFound + } + return c.dec.Execute(data) +} diff --git a/vendor/golang.org/x/text/message/catalog/dict.go b/vendor/golang.org/x/text/message/catalog/dict.go new file mode 100644 index 0000000000..a0eb81810b --- /dev/null +++ b/vendor/golang.org/x/text/message/catalog/dict.go @@ -0,0 +1,129 @@ +// Copyright 2017 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package catalog + +import ( + "sync" + + "golang.org/x/text/internal" + "golang.org/x/text/internal/catmsg" + "golang.org/x/text/language" +) + +// TODO: +// Dictionary returns a Dictionary that returns the first Message, using the +// given language tag, that matches: +// 1. the last one registered by one of the Set methods +// 2. returned by one of the Loaders +// 3. repeat from 1. using the parent language +// This approach allows messages to be underspecified. +// func (c *Catalog) Dictionary(tag language.Tag) (Dictionary, error) { +// // TODO: verify dictionary exists. +// return &dict{&c.index, tag}, nil +// } + +type dict struct { + s *store + tag language.Tag // TODO: make compact tag. +} + +func (d *dict) Lookup(key string) (data string, ok bool) { + return d.s.lookup(d.tag, key) +} + +func (b *Builder) lookup(tag language.Tag, key string) (data string, ok bool) { + return b.index.lookup(tag, key) +} + +func (c *Builder) set(tag language.Tag, key string, s *store, msg ...Message) error { + data, err := catmsg.Compile(tag, &dict{&c.macros, tag}, firstInSequence(msg)) + + s.mutex.Lock() + defer s.mutex.Unlock() + + m := s.index[tag] + if m == nil { + m = msgMap{} + if s.index == nil { + s.index = map[language.Tag]msgMap{} + } + c.matcher = nil + s.index[tag] = m + } + + m[key] = data + return err +} + +func (c *Builder) Matcher() language.Matcher { + c.index.mutex.RLock() + m := c.matcher + c.index.mutex.RUnlock() + if m != nil { + return m + } + + c.index.mutex.Lock() + if c.matcher == nil { + c.matcher = language.NewMatcher(c.unlockedLanguages()) + } + m = c.matcher + c.index.mutex.Unlock() + return m +} + +type store struct { + mutex sync.RWMutex + index map[language.Tag]msgMap +} + +type msgMap map[string]string + +func (s *store) lookup(tag language.Tag, key string) (data string, ok bool) { + s.mutex.RLock() + defer s.mutex.RUnlock() + + for ; ; tag = tag.Parent() { + if msgs, ok := s.index[tag]; ok { + if msg, ok := msgs[key]; ok { + return msg, true + } + } + if tag == language.Und { + break + } + } + return "", false +} + +// Languages returns all languages for which the Catalog contains variants. +func (b *Builder) Languages() []language.Tag { + s := &b.index + s.mutex.RLock() + defer s.mutex.RUnlock() + + return b.unlockedLanguages() +} + +func (b *Builder) unlockedLanguages() []language.Tag { + s := &b.index + if len(s.index) == 0 { + return nil + } + tags := make([]language.Tag, 0, len(s.index)) + _, hasFallback := s.index[b.options.fallback] + offset := 0 + if hasFallback { + tags = append(tags, b.options.fallback) + offset = 1 + } + for t := range s.index { + if t != b.options.fallback { + tags = append(tags, t) + } + } + internal.SortTags(tags[offset:]) + return tags +} diff --git a/vendor/golang.org/x/text/message/catalog/go19.go b/vendor/golang.org/x/text/message/catalog/go19.go new file mode 100644 index 0000000000..291a4df949 --- /dev/null +++ b/vendor/golang.org/x/text/message/catalog/go19.go @@ -0,0 +1,15 @@ +// Copyright 2017 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +//go:build go1.9 + +package catalog + +import "golang.org/x/text/internal/catmsg" + +// A Message holds a collection of translations for the same phrase that may +// vary based on the values of substitution arguments. +type Message = catmsg.Message + +type firstInSequence = catmsg.FirstOf diff --git a/vendor/golang.org/x/text/message/catalog/gopre19.go b/vendor/golang.org/x/text/message/catalog/gopre19.go new file mode 100644 index 0000000000..da44ebb8be --- /dev/null +++ b/vendor/golang.org/x/text/message/catalog/gopre19.go @@ -0,0 +1,23 @@ +// Copyright 2017 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +//go:build !go1.9 + +package catalog + +import "golang.org/x/text/internal/catmsg" + +// A Message holds a collection of translations for the same phrase that may +// vary based on the values of substitution arguments. +type Message interface { + catmsg.Message +} + +func firstInSequence(m []Message) catmsg.Message { + a := []catmsg.Message{} + for _, m := range m { + a = append(a, m) + } + return catmsg.FirstOf(a) +} diff --git a/vendor/golang.org/x/text/message/doc.go b/vendor/golang.org/x/text/message/doc.go new file mode 100644 index 0000000000..4bf7bdcac3 --- /dev/null +++ b/vendor/golang.org/x/text/message/doc.go @@ -0,0 +1,99 @@ +// Copyright 2017 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +// Package message implements formatted I/O for localized strings with functions +// analogous to the fmt's print functions. It is a drop-in replacement for fmt. +// +// # Localized Formatting +// +// A format string can be localized by replacing any of the print functions of +// fmt with an equivalent call to a Printer. +// +// p := message.NewPrinter(message.MatchLanguage("en")) +// p.Println(123456.78) // Prints 123,456.78 +// +// p.Printf("%d ducks in a row", 4331) // Prints 4,331 ducks in a row +// +// p := message.NewPrinter(message.MatchLanguage("nl")) +// p.Printf("Hoogte: %.1f meter", 1244.9) // Prints Hoogte: 1,244.9 meter +// +// p := message.NewPrinter(message.MatchLanguage("bn")) +// p.Println(123456.78) // Prints ১,২৩,৪৫৬.৭৮ +// +// Printer currently supports numbers and specialized types for which packages +// exist in x/text. Other builtin types such as time.Time and slices are +// planned. +// +// Format strings largely have the same meaning as with fmt with the following +// notable exceptions: +// - flag # always resorts to fmt for printing +// - verb 'f', 'e', 'g', 'd' use localized formatting unless the '#' flag is +// specified. +// - verb 'm' inserts a translation of a string argument. +// +// See package fmt for more options. +// +// # Translation +// +// The format strings that are passed to Printf, Sprintf, Fprintf, or Errorf +// are used as keys to look up translations for the specified languages. +// More on how these need to be specified below. +// +// One can use arbitrary keys to distinguish between otherwise ambiguous +// strings: +// +// p := message.NewPrinter(language.English) +// p.Printf("archive(noun)") // Prints "archive" +// p.Printf("archive(verb)") // Prints "archive" +// +// p := message.NewPrinter(language.German) +// p.Printf("archive(noun)") // Prints "Archiv" +// p.Printf("archive(verb)") // Prints "archivieren" +// +// To retain the fallback functionality, use Key: +// +// p.Printf(message.Key("archive(noun)", "archive")) +// p.Printf(message.Key("archive(verb)", "archive")) +// +// # Translation Pipeline +// +// Format strings that contain text need to be translated to support different +// locales. The first step is to extract strings that need to be translated. +// +// 1. Install gotext +// +// go get -u golang.org/x/text/cmd/gotext +// gotext -help +// +// 2. Mark strings in your source to be translated by using message.Printer, +// instead of the functions of the fmt package. +// +// 3. Extract the strings from your source +// +// gotext extract +// +// The output will be written to the textdata directory. +// +// 4. Send the files for translation +// +// It is planned to support multiple formats, but for now one will have to +// rewrite the JSON output to the desired format. +// +// 5. Inject translations into program +// +// 6. Repeat from 2 +// +// Right now this has to be done programmatically with calls to Set or +// SetString. These functions as well as the methods defined in +// see also package golang.org/x/text/message/catalog can be used to implement +// either dynamic or static loading of messages. +// +// # Plural and Gender Forms +// +// Translated messages can vary based on the plural and gender forms of +// substitution values. In general, it is up to the translators to provide +// alternative translations for such forms. See the packages in +// golang.org/x/text/feature and golang.org/x/text/message/catalog for more +// information. +package message diff --git a/vendor/golang.org/x/text/message/format.go b/vendor/golang.org/x/text/message/format.go new file mode 100644 index 0000000000..a47d17dd4d --- /dev/null +++ b/vendor/golang.org/x/text/message/format.go @@ -0,0 +1,510 @@ +// Copyright 2017 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package message + +import ( + "bytes" + "strconv" + "unicode/utf8" + + "golang.org/x/text/internal/format" +) + +const ( + ldigits = "0123456789abcdefx" + udigits = "0123456789ABCDEFX" +) + +const ( + signed = true + unsigned = false +) + +// A formatInfo is the raw formatter used by Printf etc. +// It prints into a buffer that must be set up separately. +type formatInfo struct { + buf *bytes.Buffer + + format.Parser + + // intbuf is large enough to store %b of an int64 with a sign and + // avoids padding at the end of the struct on 32 bit architectures. + intbuf [68]byte +} + +func (f *formatInfo) init(buf *bytes.Buffer) { + f.ClearFlags() + f.buf = buf +} + +// writePadding generates n bytes of padding. +func (f *formatInfo) writePadding(n int) { + if n <= 0 { // No padding bytes needed. + return + } + f.buf.Grow(n) + // Decide which byte the padding should be filled with. + padByte := byte(' ') + if f.Zero { + padByte = byte('0') + } + // Fill padding with padByte. + for i := 0; i < n; i++ { + f.buf.WriteByte(padByte) // TODO: make more efficient. + } +} + +// pad appends b to f.buf, padded on left (!f.minus) or right (f.minus). +func (f *formatInfo) pad(b []byte) { + if !f.WidthPresent || f.Width == 0 { + f.buf.Write(b) + return + } + width := f.Width - utf8.RuneCount(b) + if !f.Minus { + // left padding + f.writePadding(width) + f.buf.Write(b) + } else { + // right padding + f.buf.Write(b) + f.writePadding(width) + } +} + +// padString appends s to f.buf, padded on left (!f.minus) or right (f.minus). +func (f *formatInfo) padString(s string) { + if !f.WidthPresent || f.Width == 0 { + f.buf.WriteString(s) + return + } + width := f.Width - utf8.RuneCountInString(s) + if !f.Minus { + // left padding + f.writePadding(width) + f.buf.WriteString(s) + } else { + // right padding + f.buf.WriteString(s) + f.writePadding(width) + } +} + +// fmt_boolean formats a boolean. +func (f *formatInfo) fmt_boolean(v bool) { + if v { + f.padString("true") + } else { + f.padString("false") + } +} + +// fmt_unicode formats a uint64 as "U+0078" or with f.sharp set as "U+0078 'x'". +func (f *formatInfo) fmt_unicode(u uint64) { + buf := f.intbuf[0:] + + // With default precision set the maximum needed buf length is 18 + // for formatting -1 with %#U ("U+FFFFFFFFFFFFFFFF") which fits + // into the already allocated intbuf with a capacity of 68 bytes. + prec := 4 + if f.PrecPresent && f.Prec > 4 { + prec = f.Prec + // Compute space needed for "U+" , number, " '", character, "'". + width := 2 + prec + 2 + utf8.UTFMax + 1 + if width > len(buf) { + buf = make([]byte, width) + } + } + + // Format into buf, ending at buf[i]. Formatting numbers is easier right-to-left. + i := len(buf) + + // For %#U we want to add a space and a quoted character at the end of the buffer. + if f.Sharp && u <= utf8.MaxRune && strconv.IsPrint(rune(u)) { + i-- + buf[i] = '\'' + i -= utf8.RuneLen(rune(u)) + utf8.EncodeRune(buf[i:], rune(u)) + i-- + buf[i] = '\'' + i-- + buf[i] = ' ' + } + // Format the Unicode code point u as a hexadecimal number. + for u >= 16 { + i-- + buf[i] = udigits[u&0xF] + prec-- + u >>= 4 + } + i-- + buf[i] = udigits[u] + prec-- + // Add zeros in front of the number until requested precision is reached. + for prec > 0 { + i-- + buf[i] = '0' + prec-- + } + // Add a leading "U+". + i-- + buf[i] = '+' + i-- + buf[i] = 'U' + + oldZero := f.Zero + f.Zero = false + f.pad(buf[i:]) + f.Zero = oldZero +} + +// fmt_integer formats signed and unsigned integers. +func (f *formatInfo) fmt_integer(u uint64, base int, isSigned bool, digits string) { + negative := isSigned && int64(u) < 0 + if negative { + u = -u + } + + buf := f.intbuf[0:] + // The already allocated f.intbuf with a capacity of 68 bytes + // is large enough for integer formatting when no precision or width is set. + if f.WidthPresent || f.PrecPresent { + // Account 3 extra bytes for possible addition of a sign and "0x". + width := 3 + f.Width + f.Prec // wid and prec are always positive. + if width > len(buf) { + // We're going to need a bigger boat. + buf = make([]byte, width) + } + } + + // Two ways to ask for extra leading zero digits: %.3d or %03d. + // If both are specified the f.zero flag is ignored and + // padding with spaces is used instead. + prec := 0 + if f.PrecPresent { + prec = f.Prec + // Precision of 0 and value of 0 means "print nothing" but padding. + if prec == 0 && u == 0 { + oldZero := f.Zero + f.Zero = false + f.writePadding(f.Width) + f.Zero = oldZero + return + } + } else if f.Zero && f.WidthPresent { + prec = f.Width + if negative || f.Plus || f.Space { + prec-- // leave room for sign + } + } + + // Because printing is easier right-to-left: format u into buf, ending at buf[i]. + // We could make things marginally faster by splitting the 32-bit case out + // into a separate block but it's not worth the duplication, so u has 64 bits. + i := len(buf) + // Use constants for the division and modulo for more efficient code. + // Switch cases ordered by popularity. + switch base { + case 10: + for u >= 10 { + i-- + next := u / 10 + buf[i] = byte('0' + u - next*10) + u = next + } + case 16: + for u >= 16 { + i-- + buf[i] = digits[u&0xF] + u >>= 4 + } + case 8: + for u >= 8 { + i-- + buf[i] = byte('0' + u&7) + u >>= 3 + } + case 2: + for u >= 2 { + i-- + buf[i] = byte('0' + u&1) + u >>= 1 + } + default: + panic("fmt: unknown base; can't happen") + } + i-- + buf[i] = digits[u] + for i > 0 && prec > len(buf)-i { + i-- + buf[i] = '0' + } + + // Various prefixes: 0x, -, etc. + if f.Sharp { + switch base { + case 8: + if buf[i] != '0' { + i-- + buf[i] = '0' + } + case 16: + // Add a leading 0x or 0X. + i-- + buf[i] = digits[16] + i-- + buf[i] = '0' + } + } + + if negative { + i-- + buf[i] = '-' + } else if f.Plus { + i-- + buf[i] = '+' + } else if f.Space { + i-- + buf[i] = ' ' + } + + // Left padding with zeros has already been handled like precision earlier + // or the f.zero flag is ignored due to an explicitly set precision. + oldZero := f.Zero + f.Zero = false + f.pad(buf[i:]) + f.Zero = oldZero +} + +// truncate truncates the string to the specified precision, if present. +func (f *formatInfo) truncate(s string) string { + if f.PrecPresent { + n := f.Prec + for i := range s { + n-- + if n < 0 { + return s[:i] + } + } + } + return s +} + +// fmt_s formats a string. +func (f *formatInfo) fmt_s(s string) { + s = f.truncate(s) + f.padString(s) +} + +// fmt_sbx formats a string or byte slice as a hexadecimal encoding of its bytes. +func (f *formatInfo) fmt_sbx(s string, b []byte, digits string) { + length := len(b) + if b == nil { + // No byte slice present. Assume string s should be encoded. + length = len(s) + } + // Set length to not process more bytes than the precision demands. + if f.PrecPresent && f.Prec < length { + length = f.Prec + } + // Compute width of the encoding taking into account the f.sharp and f.space flag. + width := 2 * length + if width > 0 { + if f.Space { + // Each element encoded by two hexadecimals will get a leading 0x or 0X. + if f.Sharp { + width *= 2 + } + // Elements will be separated by a space. + width += length - 1 + } else if f.Sharp { + // Only a leading 0x or 0X will be added for the whole string. + width += 2 + } + } else { // The byte slice or string that should be encoded is empty. + if f.WidthPresent { + f.writePadding(f.Width) + } + return + } + // Handle padding to the left. + if f.WidthPresent && f.Width > width && !f.Minus { + f.writePadding(f.Width - width) + } + // Write the encoding directly into the output buffer. + buf := f.buf + if f.Sharp { + // Add leading 0x or 0X. + buf.WriteByte('0') + buf.WriteByte(digits[16]) + } + var c byte + for i := 0; i < length; i++ { + if f.Space && i > 0 { + // Separate elements with a space. + buf.WriteByte(' ') + if f.Sharp { + // Add leading 0x or 0X for each element. + buf.WriteByte('0') + buf.WriteByte(digits[16]) + } + } + if b != nil { + c = b[i] // Take a byte from the input byte slice. + } else { + c = s[i] // Take a byte from the input string. + } + // Encode each byte as two hexadecimal digits. + buf.WriteByte(digits[c>>4]) + buf.WriteByte(digits[c&0xF]) + } + // Handle padding to the right. + if f.WidthPresent && f.Width > width && f.Minus { + f.writePadding(f.Width - width) + } +} + +// fmt_sx formats a string as a hexadecimal encoding of its bytes. +func (f *formatInfo) fmt_sx(s, digits string) { + f.fmt_sbx(s, nil, digits) +} + +// fmt_bx formats a byte slice as a hexadecimal encoding of its bytes. +func (f *formatInfo) fmt_bx(b []byte, digits string) { + f.fmt_sbx("", b, digits) +} + +// fmt_q formats a string as a double-quoted, escaped Go string constant. +// If f.sharp is set a raw (backquoted) string may be returned instead +// if the string does not contain any control characters other than tab. +func (f *formatInfo) fmt_q(s string) { + s = f.truncate(s) + if f.Sharp && strconv.CanBackquote(s) { + f.padString("`" + s + "`") + return + } + buf := f.intbuf[:0] + if f.Plus { + f.pad(strconv.AppendQuoteToASCII(buf, s)) + } else { + f.pad(strconv.AppendQuote(buf, s)) + } +} + +// fmt_c formats an integer as a Unicode character. +// If the character is not valid Unicode, it will print '\ufffd'. +func (f *formatInfo) fmt_c(c uint64) { + r := rune(c) + if c > utf8.MaxRune { + r = utf8.RuneError + } + buf := f.intbuf[:0] + w := utf8.EncodeRune(buf[:utf8.UTFMax], r) + f.pad(buf[:w]) +} + +// fmt_qc formats an integer as a single-quoted, escaped Go character constant. +// If the character is not valid Unicode, it will print '\ufffd'. +func (f *formatInfo) fmt_qc(c uint64) { + r := rune(c) + if c > utf8.MaxRune { + r = utf8.RuneError + } + buf := f.intbuf[:0] + if f.Plus { + f.pad(strconv.AppendQuoteRuneToASCII(buf, r)) + } else { + f.pad(strconv.AppendQuoteRune(buf, r)) + } +} + +// fmt_float formats a float64. It assumes that verb is a valid format specifier +// for strconv.AppendFloat and therefore fits into a byte. +func (f *formatInfo) fmt_float(v float64, size int, verb rune, prec int) { + // Explicit precision in format specifier overrules default precision. + if f.PrecPresent { + prec = f.Prec + } + // Format number, reserving space for leading + sign if needed. + num := strconv.AppendFloat(f.intbuf[:1], v, byte(verb), prec, size) + if num[1] == '-' || num[1] == '+' { + num = num[1:] + } else { + num[0] = '+' + } + // f.space means to add a leading space instead of a "+" sign unless + // the sign is explicitly asked for by f.plus. + if f.Space && num[0] == '+' && !f.Plus { + num[0] = ' ' + } + // Special handling for infinities and NaN, + // which don't look like a number so shouldn't be padded with zeros. + if num[1] == 'I' || num[1] == 'N' { + oldZero := f.Zero + f.Zero = false + // Remove sign before NaN if not asked for. + if num[1] == 'N' && !f.Space && !f.Plus { + num = num[1:] + } + f.pad(num) + f.Zero = oldZero + return + } + // The sharp flag forces printing a decimal point for non-binary formats + // and retains trailing zeros, which we may need to restore. + if f.Sharp && verb != 'b' { + digits := 0 + switch verb { + case 'v', 'g', 'G': + digits = prec + // If no precision is set explicitly use a precision of 6. + if digits == -1 { + digits = 6 + } + } + + // Buffer pre-allocated with enough room for + // exponent notations of the form "e+123". + var tailBuf [5]byte + tail := tailBuf[:0] + + hasDecimalPoint := false + // Starting from i = 1 to skip sign at num[0]. + for i := 1; i < len(num); i++ { + switch num[i] { + case '.': + hasDecimalPoint = true + case 'e', 'E': + tail = append(tail, num[i:]...) + num = num[:i] + default: + digits-- + } + } + if !hasDecimalPoint { + num = append(num, '.') + } + for digits > 0 { + num = append(num, '0') + digits-- + } + num = append(num, tail...) + } + // We want a sign if asked for and if the sign is not positive. + if f.Plus || num[0] != '+' { + // If we're zero padding to the left we want the sign before the leading zeros. + // Achieve this by writing the sign out and then padding the unsigned number. + if f.Zero && f.WidthPresent && f.Width > len(num) { + f.buf.WriteByte(num[0]) + f.writePadding(f.Width - len(num)) + f.buf.Write(num[1:]) + return + } + f.pad(num) + return + } + // No sign to show and the number is positive; just print the unsigned number. + f.pad(num[1:]) +} diff --git a/vendor/golang.org/x/text/message/message.go b/vendor/golang.org/x/text/message/message.go new file mode 100644 index 0000000000..91a9726421 --- /dev/null +++ b/vendor/golang.org/x/text/message/message.go @@ -0,0 +1,192 @@ +// Copyright 2015 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package message // import "golang.org/x/text/message" + +import ( + "io" + "os" + + // Include features to facilitate generated catalogs. + _ "golang.org/x/text/feature/plural" + + "golang.org/x/text/internal/number" + "golang.org/x/text/language" + "golang.org/x/text/message/catalog" +) + +// A Printer implements language-specific formatted I/O analogous to the fmt +// package. +type Printer struct { + // the language + tag language.Tag + + toDecimal number.Formatter + toScientific number.Formatter + + cat catalog.Catalog +} + +type options struct { + cat catalog.Catalog + // TODO: + // - allow %s to print integers in written form (tables are likely too large + // to enable this by default). + // - list behavior + // +} + +// An Option defines an option of a Printer. +type Option func(o *options) + +// Catalog defines the catalog to be used. +func Catalog(c catalog.Catalog) Option { + return func(o *options) { o.cat = c } +} + +// NewPrinter returns a Printer that formats messages tailored to language t. +func NewPrinter(t language.Tag, opts ...Option) *Printer { + options := &options{ + cat: DefaultCatalog, + } + for _, o := range opts { + o(options) + } + p := &Printer{ + tag: t, + cat: options.cat, + } + p.toDecimal.InitDecimal(t) + p.toScientific.InitScientific(t) + return p +} + +// Sprint is like fmt.Sprint, but using language-specific formatting. +func (p *Printer) Sprint(a ...interface{}) string { + pp := newPrinter(p) + pp.doPrint(a) + s := pp.String() + pp.free() + return s +} + +// Fprint is like fmt.Fprint, but using language-specific formatting. +func (p *Printer) Fprint(w io.Writer, a ...interface{}) (n int, err error) { + pp := newPrinter(p) + pp.doPrint(a) + n64, err := io.Copy(w, &pp.Buffer) + pp.free() + return int(n64), err +} + +// Print is like fmt.Print, but using language-specific formatting. +func (p *Printer) Print(a ...interface{}) (n int, err error) { + return p.Fprint(os.Stdout, a...) +} + +// Sprintln is like fmt.Sprintln, but using language-specific formatting. +func (p *Printer) Sprintln(a ...interface{}) string { + pp := newPrinter(p) + pp.doPrintln(a) + s := pp.String() + pp.free() + return s +} + +// Fprintln is like fmt.Fprintln, but using language-specific formatting. +func (p *Printer) Fprintln(w io.Writer, a ...interface{}) (n int, err error) { + pp := newPrinter(p) + pp.doPrintln(a) + n64, err := io.Copy(w, &pp.Buffer) + pp.free() + return int(n64), err +} + +// Println is like fmt.Println, but using language-specific formatting. +func (p *Printer) Println(a ...interface{}) (n int, err error) { + return p.Fprintln(os.Stdout, a...) +} + +// Sprintf is like fmt.Sprintf, but using language-specific formatting. +func (p *Printer) Sprintf(key Reference, a ...interface{}) string { + pp := newPrinter(p) + lookupAndFormat(pp, key, a) + s := pp.String() + pp.free() + return s +} + +// Fprintf is like fmt.Fprintf, but using language-specific formatting. +func (p *Printer) Fprintf(w io.Writer, key Reference, a ...interface{}) (n int, err error) { + pp := newPrinter(p) + lookupAndFormat(pp, key, a) + n, err = w.Write(pp.Bytes()) + pp.free() + return n, err + +} + +// Printf is like fmt.Printf, but using language-specific formatting. +func (p *Printer) Printf(key Reference, a ...interface{}) (n int, err error) { + pp := newPrinter(p) + lookupAndFormat(pp, key, a) + n, err = os.Stdout.Write(pp.Bytes()) + pp.free() + return n, err +} + +func lookupAndFormat(p *printer, r Reference, a []interface{}) { + p.fmt.Reset(a) + switch v := r.(type) { + case string: + if p.catContext.Execute(v) == catalog.ErrNotFound { + p.Render(v) + return + } + case key: + if p.catContext.Execute(v.id) == catalog.ErrNotFound && + p.catContext.Execute(v.fallback) == catalog.ErrNotFound { + p.Render(v.fallback) + return + } + default: + panic("key argument is not a Reference") + } +} + +type rawPrinter struct { + p *printer +} + +func (p rawPrinter) Render(msg string) { p.p.WriteString(msg) } +func (p rawPrinter) Arg(i int) interface{} { return nil } + +// Arg implements catmsg.Renderer. +func (p *printer) Arg(i int) interface{} { // TODO, also return "ok" bool + i-- + if uint(i) < uint(len(p.fmt.Args)) { + return p.fmt.Args[i] + } + return nil +} + +// Render implements catmsg.Renderer. +func (p *printer) Render(msg string) { + p.doPrintf(msg) +} + +// A Reference is a string or a message reference. +type Reference interface { + // TODO: also allow []string +} + +// Key creates a message Reference for a message where the given id is used for +// message lookup and the fallback is returned when no matches are found. +func Key(id string, fallback string) Reference { + return key{id, fallback} +} + +type key struct { + id, fallback string +} diff --git a/vendor/golang.org/x/text/message/print.go b/vendor/golang.org/x/text/message/print.go new file mode 100644 index 0000000000..da304cc0ed --- /dev/null +++ b/vendor/golang.org/x/text/message/print.go @@ -0,0 +1,984 @@ +// Copyright 2017 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package message + +import ( + "bytes" + "fmt" // TODO: consider copying interfaces from package fmt to avoid dependency. + "math" + "reflect" + "sync" + "unicode/utf8" + + "golang.org/x/text/internal/format" + "golang.org/x/text/internal/number" + "golang.org/x/text/language" + "golang.org/x/text/message/catalog" +) + +// Strings for use with buffer.WriteString. +// This is less overhead than using buffer.Write with byte arrays. +const ( + commaSpaceString = ", " + nilAngleString = "" + nilParenString = "(nil)" + nilString = "nil" + mapString = "map[" + percentBangString = "%!" + missingString = "(MISSING)" + badIndexString = "(BADINDEX)" + panicString = "(PANIC=" + extraString = "%!(EXTRA " + badWidthString = "%!(BADWIDTH)" + badPrecString = "%!(BADPREC)" + noVerbString = "%!(NOVERB)" + + invReflectString = "" +) + +var printerPool = sync.Pool{ + New: func() interface{} { return new(printer) }, +} + +// newPrinter allocates a new printer struct or grabs a cached one. +func newPrinter(pp *Printer) *printer { + p := printerPool.Get().(*printer) + p.Printer = *pp + // TODO: cache most of the following call. + p.catContext = pp.cat.Context(pp.tag, p) + + p.panicking = false + p.erroring = false + p.fmt.init(&p.Buffer) + return p +} + +// free saves used printer structs in printerFree; avoids an allocation per invocation. +func (p *printer) free() { + p.Buffer.Reset() + p.arg = nil + p.value = reflect.Value{} + printerPool.Put(p) +} + +// printer is used to store a printer's state. +// It implements "golang.org/x/text/internal/format".State. +type printer struct { + Printer + + // the context for looking up message translations + catContext *catalog.Context + + // buffer for accumulating output. + bytes.Buffer + + // arg holds the current item, as an interface{}. + arg interface{} + // value is used instead of arg for reflect values. + value reflect.Value + + // fmt is used to format basic items such as integers or strings. + fmt formatInfo + + // panicking is set by catchPanic to avoid infinite panic, recover, panic, ... recursion. + panicking bool + // erroring is set when printing an error string to guard against calling handleMethods. + erroring bool +} + +// Language implements "golang.org/x/text/internal/format".State. +func (p *printer) Language() language.Tag { return p.tag } + +func (p *printer) Width() (wid int, ok bool) { return p.fmt.Width, p.fmt.WidthPresent } + +func (p *printer) Precision() (prec int, ok bool) { return p.fmt.Prec, p.fmt.PrecPresent } + +func (p *printer) Flag(b int) bool { + switch b { + case '-': + return p.fmt.Minus + case '+': + return p.fmt.Plus || p.fmt.PlusV + case '#': + return p.fmt.Sharp || p.fmt.SharpV + case ' ': + return p.fmt.Space + case '0': + return p.fmt.Zero + } + return false +} + +// getField gets the i'th field of the struct value. +// If the field is itself is an interface, return a value for +// the thing inside the interface, not the interface itself. +func getField(v reflect.Value, i int) reflect.Value { + val := v.Field(i) + if val.Kind() == reflect.Interface && !val.IsNil() { + val = val.Elem() + } + return val +} + +func (p *printer) unknownType(v reflect.Value) { + if !v.IsValid() { + p.WriteString(nilAngleString) + return + } + p.WriteByte('?') + p.WriteString(v.Type().String()) + p.WriteByte('?') +} + +func (p *printer) badVerb(verb rune) { + p.erroring = true + p.WriteString(percentBangString) + p.WriteRune(verb) + p.WriteByte('(') + switch { + case p.arg != nil: + p.WriteString(reflect.TypeOf(p.arg).String()) + p.WriteByte('=') + p.printArg(p.arg, 'v') + case p.value.IsValid(): + p.WriteString(p.value.Type().String()) + p.WriteByte('=') + p.printValue(p.value, 'v', 0) + default: + p.WriteString(nilAngleString) + } + p.WriteByte(')') + p.erroring = false +} + +func (p *printer) fmtBool(v bool, verb rune) { + switch verb { + case 't', 'v': + p.fmt.fmt_boolean(v) + default: + p.badVerb(verb) + } +} + +// fmt0x64 formats a uint64 in hexadecimal and prefixes it with 0x or +// not, as requested, by temporarily setting the sharp flag. +func (p *printer) fmt0x64(v uint64, leading0x bool) { + sharp := p.fmt.Sharp + p.fmt.Sharp = leading0x + p.fmt.fmt_integer(v, 16, unsigned, ldigits) + p.fmt.Sharp = sharp +} + +// fmtInteger formats a signed or unsigned integer. +func (p *printer) fmtInteger(v uint64, isSigned bool, verb rune) { + switch verb { + case 'v': + if p.fmt.SharpV && !isSigned { + p.fmt0x64(v, true) + return + } + fallthrough + case 'd': + if p.fmt.Sharp || p.fmt.SharpV { + p.fmt.fmt_integer(v, 10, isSigned, ldigits) + } else { + p.fmtDecimalInt(v, isSigned) + } + case 'b': + p.fmt.fmt_integer(v, 2, isSigned, ldigits) + case 'o': + p.fmt.fmt_integer(v, 8, isSigned, ldigits) + case 'x': + p.fmt.fmt_integer(v, 16, isSigned, ldigits) + case 'X': + p.fmt.fmt_integer(v, 16, isSigned, udigits) + case 'c': + p.fmt.fmt_c(v) + case 'q': + if v <= utf8.MaxRune { + p.fmt.fmt_qc(v) + } else { + p.badVerb(verb) + } + case 'U': + p.fmt.fmt_unicode(v) + default: + p.badVerb(verb) + } +} + +// fmtFloat formats a float. The default precision for each verb +// is specified as last argument in the call to fmt_float. +func (p *printer) fmtFloat(v float64, size int, verb rune) { + switch verb { + case 'b': + p.fmt.fmt_float(v, size, verb, -1) + case 'v': + verb = 'g' + fallthrough + case 'g', 'G': + if p.fmt.Sharp || p.fmt.SharpV { + p.fmt.fmt_float(v, size, verb, -1) + } else { + p.fmtVariableFloat(v, size) + } + case 'e', 'E': + if p.fmt.Sharp || p.fmt.SharpV { + p.fmt.fmt_float(v, size, verb, 6) + } else { + p.fmtScientific(v, size, 6) + } + case 'f', 'F': + if p.fmt.Sharp || p.fmt.SharpV { + p.fmt.fmt_float(v, size, verb, 6) + } else { + p.fmtDecimalFloat(v, size, 6) + } + default: + p.badVerb(verb) + } +} + +func (p *printer) setFlags(f *number.Formatter) { + f.Flags &^= number.ElideSign + if p.fmt.Plus || p.fmt.Space { + f.Flags |= number.AlwaysSign + if !p.fmt.Plus { + f.Flags |= number.ElideSign + } + } else { + f.Flags &^= number.AlwaysSign + } +} + +func (p *printer) updatePadding(f *number.Formatter) { + f.Flags &^= number.PadMask + if p.fmt.Minus { + f.Flags |= number.PadAfterSuffix + } else { + f.Flags |= number.PadBeforePrefix + } + f.PadRune = ' ' + f.FormatWidth = uint16(p.fmt.Width) +} + +func (p *printer) initDecimal(minFrac, maxFrac int) { + f := &p.toDecimal + f.MinIntegerDigits = 1 + f.MaxIntegerDigits = 0 + f.MinFractionDigits = uint8(minFrac) + f.MaxFractionDigits = int16(maxFrac) + p.setFlags(f) + f.PadRune = 0 + if p.fmt.WidthPresent { + if p.fmt.Zero { + wid := p.fmt.Width + // Use significant integers for this. + // TODO: this is not the same as width, but so be it. + if f.MinFractionDigits > 0 { + wid -= 1 + int(f.MinFractionDigits) + } + if p.fmt.Plus || p.fmt.Space { + wid-- + } + if wid > 0 && wid > int(f.MinIntegerDigits) { + f.MinIntegerDigits = uint8(wid) + } + } + p.updatePadding(f) + } +} + +func (p *printer) initScientific(minFrac, maxFrac int) { + f := &p.toScientific + if maxFrac < 0 { + f.SetPrecision(maxFrac) + } else { + f.SetPrecision(maxFrac + 1) + f.MinFractionDigits = uint8(minFrac) + f.MaxFractionDigits = int16(maxFrac) + } + f.MinExponentDigits = 2 + p.setFlags(f) + f.PadRune = 0 + if p.fmt.WidthPresent { + f.Flags &^= number.PadMask + if p.fmt.Zero { + f.PadRune = f.Digit(0) + f.Flags |= number.PadAfterPrefix + } else { + f.PadRune = ' ' + f.Flags |= number.PadBeforePrefix + } + p.updatePadding(f) + } +} + +func (p *printer) fmtDecimalInt(v uint64, isSigned bool) { + var d number.Decimal + + f := &p.toDecimal + if p.fmt.PrecPresent { + p.setFlags(f) + f.MinIntegerDigits = uint8(p.fmt.Prec) + f.MaxIntegerDigits = 0 + f.MinFractionDigits = 0 + f.MaxFractionDigits = 0 + if p.fmt.WidthPresent { + p.updatePadding(f) + } + } else { + p.initDecimal(0, 0) + } + d.ConvertInt(p.toDecimal.RoundingContext, isSigned, v) + + out := p.toDecimal.Format([]byte(nil), &d) + p.Buffer.Write(out) +} + +func (p *printer) fmtDecimalFloat(v float64, size, prec int) { + var d number.Decimal + if p.fmt.PrecPresent { + prec = p.fmt.Prec + } + p.initDecimal(prec, prec) + d.ConvertFloat(p.toDecimal.RoundingContext, v, size) + + out := p.toDecimal.Format([]byte(nil), &d) + p.Buffer.Write(out) +} + +func (p *printer) fmtVariableFloat(v float64, size int) { + prec := -1 + if p.fmt.PrecPresent { + prec = p.fmt.Prec + } + var d number.Decimal + p.initScientific(0, prec) + d.ConvertFloat(p.toScientific.RoundingContext, v, size) + + // Copy logic of 'g' formatting from strconv. It is simplified a bit as + // we don't have to mind having prec > len(d.Digits). + shortest := prec < 0 + ePrec := prec + if shortest { + prec = len(d.Digits) + ePrec = 6 + } else if prec == 0 { + prec = 1 + ePrec = 1 + } + exp := int(d.Exp) - 1 + if exp < -4 || exp >= ePrec { + p.initScientific(0, prec) + + out := p.toScientific.Format([]byte(nil), &d) + p.Buffer.Write(out) + } else { + if prec > int(d.Exp) { + prec = len(d.Digits) + } + if prec -= int(d.Exp); prec < 0 { + prec = 0 + } + p.initDecimal(0, prec) + + out := p.toDecimal.Format([]byte(nil), &d) + p.Buffer.Write(out) + } +} + +func (p *printer) fmtScientific(v float64, size, prec int) { + var d number.Decimal + if p.fmt.PrecPresent { + prec = p.fmt.Prec + } + p.initScientific(prec, prec) + rc := p.toScientific.RoundingContext + d.ConvertFloat(rc, v, size) + + out := p.toScientific.Format([]byte(nil), &d) + p.Buffer.Write(out) + +} + +// fmtComplex formats a complex number v with +// r = real(v) and j = imag(v) as (r+ji) using +// fmtFloat for r and j formatting. +func (p *printer) fmtComplex(v complex128, size int, verb rune) { + // Make sure any unsupported verbs are found before the + // calls to fmtFloat to not generate an incorrect error string. + switch verb { + case 'v', 'b', 'g', 'G', 'f', 'F', 'e', 'E': + p.WriteByte('(') + p.fmtFloat(real(v), size/2, verb) + // Imaginary part always has a sign. + if math.IsNaN(imag(v)) { + // By CLDR's rules, NaNs do not use patterns or signs. As this code + // relies on AlwaysSign working for imaginary parts, we need to + // manually handle NaNs. + f := &p.toScientific + p.setFlags(f) + p.updatePadding(f) + p.setFlags(f) + nan := f.Symbol(number.SymNan) + extra := 0 + if w, ok := p.Width(); ok { + extra = w - utf8.RuneCountInString(nan) - 1 + } + if f.Flags&number.PadAfterNumber == 0 { + for ; extra > 0; extra-- { + p.WriteRune(f.PadRune) + } + } + p.WriteString(f.Symbol(number.SymPlusSign)) + p.WriteString(nan) + for ; extra > 0; extra-- { + p.WriteRune(f.PadRune) + } + p.WriteString("i)") + return + } + oldPlus := p.fmt.Plus + p.fmt.Plus = true + p.fmtFloat(imag(v), size/2, verb) + p.WriteString("i)") // TODO: use symbol? + p.fmt.Plus = oldPlus + default: + p.badVerb(verb) + } +} + +func (p *printer) fmtString(v string, verb rune) { + switch verb { + case 'v': + if p.fmt.SharpV { + p.fmt.fmt_q(v) + } else { + p.fmt.fmt_s(v) + } + case 's': + p.fmt.fmt_s(v) + case 'x': + p.fmt.fmt_sx(v, ldigits) + case 'X': + p.fmt.fmt_sx(v, udigits) + case 'q': + p.fmt.fmt_q(v) + case 'm': + ctx := p.cat.Context(p.tag, rawPrinter{p}) + if ctx.Execute(v) == catalog.ErrNotFound { + p.WriteString(v) + } + default: + p.badVerb(verb) + } +} + +func (p *printer) fmtBytes(v []byte, verb rune, typeString string) { + switch verb { + case 'v', 'd': + if p.fmt.SharpV { + p.WriteString(typeString) + if v == nil { + p.WriteString(nilParenString) + return + } + p.WriteByte('{') + for i, c := range v { + if i > 0 { + p.WriteString(commaSpaceString) + } + p.fmt0x64(uint64(c), true) + } + p.WriteByte('}') + } else { + p.WriteByte('[') + for i, c := range v { + if i > 0 { + p.WriteByte(' ') + } + p.fmt.fmt_integer(uint64(c), 10, unsigned, ldigits) + } + p.WriteByte(']') + } + case 's': + p.fmt.fmt_s(string(v)) + case 'x': + p.fmt.fmt_bx(v, ldigits) + case 'X': + p.fmt.fmt_bx(v, udigits) + case 'q': + p.fmt.fmt_q(string(v)) + default: + p.printValue(reflect.ValueOf(v), verb, 0) + } +} + +func (p *printer) fmtPointer(value reflect.Value, verb rune) { + var u uintptr + switch value.Kind() { + case reflect.Chan, reflect.Func, reflect.Map, reflect.Ptr, reflect.Slice, reflect.UnsafePointer: + u = value.Pointer() + default: + p.badVerb(verb) + return + } + + switch verb { + case 'v': + if p.fmt.SharpV { + p.WriteByte('(') + p.WriteString(value.Type().String()) + p.WriteString(")(") + if u == 0 { + p.WriteString(nilString) + } else { + p.fmt0x64(uint64(u), true) + } + p.WriteByte(')') + } else { + if u == 0 { + p.fmt.padString(nilAngleString) + } else { + p.fmt0x64(uint64(u), !p.fmt.Sharp) + } + } + case 'p': + p.fmt0x64(uint64(u), !p.fmt.Sharp) + case 'b', 'o', 'd', 'x', 'X': + if verb == 'd' { + p.fmt.Sharp = true // Print as standard go. TODO: does this make sense? + } + p.fmtInteger(uint64(u), unsigned, verb) + default: + p.badVerb(verb) + } +} + +func (p *printer) catchPanic(arg interface{}, verb rune) { + if err := recover(); err != nil { + // If it's a nil pointer, just say "". The likeliest causes are a + // Stringer that fails to guard against nil or a nil pointer for a + // value receiver, and in either case, "" is a nice result. + if v := reflect.ValueOf(arg); v.Kind() == reflect.Ptr && v.IsNil() { + p.WriteString(nilAngleString) + return + } + // Otherwise print a concise panic message. Most of the time the panic + // value will print itself nicely. + if p.panicking { + // Nested panics; the recursion in printArg cannot succeed. + panic(err) + } + + oldFlags := p.fmt.Parser + // For this output we want default behavior. + p.fmt.ClearFlags() + + p.WriteString(percentBangString) + p.WriteRune(verb) + p.WriteString(panicString) + p.panicking = true + p.printArg(err, 'v') + p.panicking = false + p.WriteByte(')') + + p.fmt.Parser = oldFlags + } +} + +func (p *printer) handleMethods(verb rune) (handled bool) { + if p.erroring { + return + } + // Is it a Formatter? + if formatter, ok := p.arg.(format.Formatter); ok { + handled = true + defer p.catchPanic(p.arg, verb) + formatter.Format(p, verb) + return + } + if formatter, ok := p.arg.(fmt.Formatter); ok { + handled = true + defer p.catchPanic(p.arg, verb) + formatter.Format(p, verb) + return + } + + // If we're doing Go syntax and the argument knows how to supply it, take care of it now. + if p.fmt.SharpV { + if stringer, ok := p.arg.(fmt.GoStringer); ok { + handled = true + defer p.catchPanic(p.arg, verb) + // Print the result of GoString unadorned. + p.fmt.fmt_s(stringer.GoString()) + return + } + } else { + // If a string is acceptable according to the format, see if + // the value satisfies one of the string-valued interfaces. + // Println etc. set verb to %v, which is "stringable". + switch verb { + case 'v', 's', 'x', 'X', 'q': + // Is it an error or Stringer? + // The duplication in the bodies is necessary: + // setting handled and deferring catchPanic + // must happen before calling the method. + switch v := p.arg.(type) { + case error: + handled = true + defer p.catchPanic(p.arg, verb) + p.fmtString(v.Error(), verb) + return + + case fmt.Stringer: + handled = true + defer p.catchPanic(p.arg, verb) + p.fmtString(v.String(), verb) + return + } + } + } + return false +} + +func (p *printer) printArg(arg interface{}, verb rune) { + p.arg = arg + p.value = reflect.Value{} + + if arg == nil { + switch verb { + case 'T', 'v': + p.fmt.padString(nilAngleString) + default: + p.badVerb(verb) + } + return + } + + // Special processing considerations. + // %T (the value's type) and %p (its address) are special; we always do them first. + switch verb { + case 'T': + p.fmt.fmt_s(reflect.TypeOf(arg).String()) + return + case 'p': + p.fmtPointer(reflect.ValueOf(arg), 'p') + return + } + + // Some types can be done without reflection. + switch f := arg.(type) { + case bool: + p.fmtBool(f, verb) + case float32: + p.fmtFloat(float64(f), 32, verb) + case float64: + p.fmtFloat(f, 64, verb) + case complex64: + p.fmtComplex(complex128(f), 64, verb) + case complex128: + p.fmtComplex(f, 128, verb) + case int: + p.fmtInteger(uint64(f), signed, verb) + case int8: + p.fmtInteger(uint64(f), signed, verb) + case int16: + p.fmtInteger(uint64(f), signed, verb) + case int32: + p.fmtInteger(uint64(f), signed, verb) + case int64: + p.fmtInteger(uint64(f), signed, verb) + case uint: + p.fmtInteger(uint64(f), unsigned, verb) + case uint8: + p.fmtInteger(uint64(f), unsigned, verb) + case uint16: + p.fmtInteger(uint64(f), unsigned, verb) + case uint32: + p.fmtInteger(uint64(f), unsigned, verb) + case uint64: + p.fmtInteger(f, unsigned, verb) + case uintptr: + p.fmtInteger(uint64(f), unsigned, verb) + case string: + p.fmtString(f, verb) + case []byte: + p.fmtBytes(f, verb, "[]byte") + case reflect.Value: + // Handle extractable values with special methods + // since printValue does not handle them at depth 0. + if f.IsValid() && f.CanInterface() { + p.arg = f.Interface() + if p.handleMethods(verb) { + return + } + } + p.printValue(f, verb, 0) + default: + // If the type is not simple, it might have methods. + if !p.handleMethods(verb) { + // Need to use reflection, since the type had no + // interface methods that could be used for formatting. + p.printValue(reflect.ValueOf(f), verb, 0) + } + } +} + +// printValue is similar to printArg but starts with a reflect value, not an interface{} value. +// It does not handle 'p' and 'T' verbs because these should have been already handled by printArg. +func (p *printer) printValue(value reflect.Value, verb rune, depth int) { + // Handle values with special methods if not already handled by printArg (depth == 0). + if depth > 0 && value.IsValid() && value.CanInterface() { + p.arg = value.Interface() + if p.handleMethods(verb) { + return + } + } + p.arg = nil + p.value = value + + switch f := value; value.Kind() { + case reflect.Invalid: + if depth == 0 { + p.WriteString(invReflectString) + } else { + switch verb { + case 'v': + p.WriteString(nilAngleString) + default: + p.badVerb(verb) + } + } + case reflect.Bool: + p.fmtBool(f.Bool(), verb) + case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64: + p.fmtInteger(uint64(f.Int()), signed, verb) + case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64, reflect.Uintptr: + p.fmtInteger(f.Uint(), unsigned, verb) + case reflect.Float32: + p.fmtFloat(f.Float(), 32, verb) + case reflect.Float64: + p.fmtFloat(f.Float(), 64, verb) + case reflect.Complex64: + p.fmtComplex(f.Complex(), 64, verb) + case reflect.Complex128: + p.fmtComplex(f.Complex(), 128, verb) + case reflect.String: + p.fmtString(f.String(), verb) + case reflect.Map: + if p.fmt.SharpV { + p.WriteString(f.Type().String()) + if f.IsNil() { + p.WriteString(nilParenString) + return + } + p.WriteByte('{') + } else { + p.WriteString(mapString) + } + keys := f.MapKeys() + for i, key := range keys { + if i > 0 { + if p.fmt.SharpV { + p.WriteString(commaSpaceString) + } else { + p.WriteByte(' ') + } + } + p.printValue(key, verb, depth+1) + p.WriteByte(':') + p.printValue(f.MapIndex(key), verb, depth+1) + } + if p.fmt.SharpV { + p.WriteByte('}') + } else { + p.WriteByte(']') + } + case reflect.Struct: + if p.fmt.SharpV { + p.WriteString(f.Type().String()) + } + p.WriteByte('{') + for i := 0; i < f.NumField(); i++ { + if i > 0 { + if p.fmt.SharpV { + p.WriteString(commaSpaceString) + } else { + p.WriteByte(' ') + } + } + if p.fmt.PlusV || p.fmt.SharpV { + if name := f.Type().Field(i).Name; name != "" { + p.WriteString(name) + p.WriteByte(':') + } + } + p.printValue(getField(f, i), verb, depth+1) + } + p.WriteByte('}') + case reflect.Interface: + value := f.Elem() + if !value.IsValid() { + if p.fmt.SharpV { + p.WriteString(f.Type().String()) + p.WriteString(nilParenString) + } else { + p.WriteString(nilAngleString) + } + } else { + p.printValue(value, verb, depth+1) + } + case reflect.Array, reflect.Slice: + switch verb { + case 's', 'q', 'x', 'X': + // Handle byte and uint8 slices and arrays special for the above verbs. + t := f.Type() + if t.Elem().Kind() == reflect.Uint8 { + var bytes []byte + if f.Kind() == reflect.Slice { + bytes = f.Bytes() + } else if f.CanAddr() { + bytes = f.Slice(0, f.Len()).Bytes() + } else { + // We have an array, but we cannot Slice() a non-addressable array, + // so we build a slice by hand. This is a rare case but it would be nice + // if reflection could help a little more. + bytes = make([]byte, f.Len()) + for i := range bytes { + bytes[i] = byte(f.Index(i).Uint()) + } + } + p.fmtBytes(bytes, verb, t.String()) + return + } + } + if p.fmt.SharpV { + p.WriteString(f.Type().String()) + if f.Kind() == reflect.Slice && f.IsNil() { + p.WriteString(nilParenString) + return + } + p.WriteByte('{') + for i := 0; i < f.Len(); i++ { + if i > 0 { + p.WriteString(commaSpaceString) + } + p.printValue(f.Index(i), verb, depth+1) + } + p.WriteByte('}') + } else { + p.WriteByte('[') + for i := 0; i < f.Len(); i++ { + if i > 0 { + p.WriteByte(' ') + } + p.printValue(f.Index(i), verb, depth+1) + } + p.WriteByte(']') + } + case reflect.Ptr: + // pointer to array or slice or struct? ok at top level + // but not embedded (avoid loops) + if depth == 0 && f.Pointer() != 0 { + switch a := f.Elem(); a.Kind() { + case reflect.Array, reflect.Slice, reflect.Struct, reflect.Map: + p.WriteByte('&') + p.printValue(a, verb, depth+1) + return + } + } + fallthrough + case reflect.Chan, reflect.Func, reflect.UnsafePointer: + p.fmtPointer(f, verb) + default: + p.unknownType(f) + } +} + +func (p *printer) badArgNum(verb rune) { + p.WriteString(percentBangString) + p.WriteRune(verb) + p.WriteString(badIndexString) +} + +func (p *printer) missingArg(verb rune) { + p.WriteString(percentBangString) + p.WriteRune(verb) + p.WriteString(missingString) +} + +func (p *printer) doPrintf(fmt string) { + for p.fmt.Parser.SetFormat(fmt); p.fmt.Scan(); { + switch p.fmt.Status { + case format.StatusText: + p.WriteString(p.fmt.Text()) + case format.StatusSubstitution: + p.printArg(p.Arg(p.fmt.ArgNum), p.fmt.Verb) + case format.StatusBadWidthSubstitution: + p.WriteString(badWidthString) + p.printArg(p.Arg(p.fmt.ArgNum), p.fmt.Verb) + case format.StatusBadPrecSubstitution: + p.WriteString(badPrecString) + p.printArg(p.Arg(p.fmt.ArgNum), p.fmt.Verb) + case format.StatusNoVerb: + p.WriteString(noVerbString) + case format.StatusBadArgNum: + p.badArgNum(p.fmt.Verb) + case format.StatusMissingArg: + p.missingArg(p.fmt.Verb) + default: + panic("unreachable") + } + } + + // Check for extra arguments, but only if there was at least one ordered + // argument. Note that this behavior is necessarily different from fmt: + // different variants of messages may opt to drop some or all of the + // arguments. + if !p.fmt.Reordered && p.fmt.ArgNum < len(p.fmt.Args) && p.fmt.ArgNum != 0 { + p.fmt.ClearFlags() + p.WriteString(extraString) + for i, arg := range p.fmt.Args[p.fmt.ArgNum:] { + if i > 0 { + p.WriteString(commaSpaceString) + } + if arg == nil { + p.WriteString(nilAngleString) + } else { + p.WriteString(reflect.TypeOf(arg).String()) + p.WriteString("=") + p.printArg(arg, 'v') + } + } + p.WriteByte(')') + } +} + +func (p *printer) doPrint(a []interface{}) { + prevString := false + for argNum, arg := range a { + isString := arg != nil && reflect.TypeOf(arg).Kind() == reflect.String + // Add a space between two non-string arguments. + if argNum > 0 && !isString && !prevString { + p.WriteByte(' ') + } + p.printArg(arg, 'v') + prevString = isString + } +} + +// doPrintln is like doPrint but always adds a space between arguments +// and a newline after the last argument. +func (p *printer) doPrintln(a []interface{}) { + for argNum, arg := range a { + if argNum > 0 { + p.WriteByte(' ') + } + p.printArg(arg, 'v') + } + p.WriteByte('\n') +} diff --git a/vendor/golang.org/x/text/runes/cond.go b/vendor/golang.org/x/text/runes/cond.go new file mode 100644 index 0000000000..df7aa02db6 --- /dev/null +++ b/vendor/golang.org/x/text/runes/cond.go @@ -0,0 +1,187 @@ +// Copyright 2015 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package runes + +import ( + "unicode/utf8" + + "golang.org/x/text/transform" +) + +// Note: below we pass invalid UTF-8 to the tIn and tNotIn transformers as is. +// This is done for various reasons: +// - To retain the semantics of the Nop transformer: if input is passed to a Nop +// one would expect it to be unchanged. +// - It would be very expensive to pass a converted RuneError to a transformer: +// a transformer might need more source bytes after RuneError, meaning that +// the only way to pass it safely is to create a new buffer and manage the +// intermingling of RuneErrors and normal input. +// - Many transformers leave ill-formed UTF-8 as is, so this is not +// inconsistent. Generally ill-formed UTF-8 is only replaced if it is a +// logical consequence of the operation (as for Map) or if it otherwise would +// pose security concerns (as for Remove). +// - An alternative would be to return an error on ill-formed UTF-8, but this +// would be inconsistent with other operations. + +// If returns a transformer that applies tIn to consecutive runes for which +// s.Contains(r) and tNotIn to consecutive runes for which !s.Contains(r). Reset +// is called on tIn and tNotIn at the start of each run. A Nop transformer will +// substitute a nil value passed to tIn or tNotIn. Invalid UTF-8 is translated +// to RuneError to determine which transformer to apply, but is passed as is to +// the respective transformer. +func If(s Set, tIn, tNotIn transform.Transformer) Transformer { + if tIn == nil && tNotIn == nil { + return Transformer{transform.Nop} + } + if tIn == nil { + tIn = transform.Nop + } + if tNotIn == nil { + tNotIn = transform.Nop + } + sIn, ok := tIn.(transform.SpanningTransformer) + if !ok { + sIn = dummySpan{tIn} + } + sNotIn, ok := tNotIn.(transform.SpanningTransformer) + if !ok { + sNotIn = dummySpan{tNotIn} + } + + a := &cond{ + tIn: sIn, + tNotIn: sNotIn, + f: s.Contains, + } + a.Reset() + return Transformer{a} +} + +type dummySpan struct{ transform.Transformer } + +func (d dummySpan) Span(src []byte, atEOF bool) (n int, err error) { + return 0, transform.ErrEndOfSpan +} + +type cond struct { + tIn, tNotIn transform.SpanningTransformer + f func(rune) bool + check func(rune) bool // current check to perform + t transform.SpanningTransformer // current transformer to use +} + +// Reset implements transform.Transformer. +func (t *cond) Reset() { + t.check = t.is + t.t = t.tIn + t.t.Reset() // notIn will be reset on first usage. +} + +func (t *cond) is(r rune) bool { + if t.f(r) { + return true + } + t.check = t.isNot + t.t = t.tNotIn + t.tNotIn.Reset() + return false +} + +func (t *cond) isNot(r rune) bool { + if !t.f(r) { + return true + } + t.check = t.is + t.t = t.tIn + t.tIn.Reset() + return false +} + +// This implementation of Span doesn't help all too much, but it needs to be +// there to satisfy this package's Transformer interface. +// TODO: there are certainly room for improvements, though. For example, if +// t.t == transform.Nop (which will a common occurrence) it will save a bundle +// to special-case that loop. +func (t *cond) Span(src []byte, atEOF bool) (n int, err error) { + p := 0 + for n < len(src) && err == nil { + // Don't process too much at a time as the Spanner that will be + // called on this block may terminate early. + const maxChunk = 4096 + max := len(src) + if v := n + maxChunk; v < max { + max = v + } + atEnd := false + size := 0 + current := t.t + for ; p < max; p += size { + r := rune(src[p]) + if r < utf8.RuneSelf { + size = 1 + } else if r, size = utf8.DecodeRune(src[p:]); size == 1 { + if !atEOF && !utf8.FullRune(src[p:]) { + err = transform.ErrShortSrc + break + } + } + if !t.check(r) { + // The next rune will be the start of a new run. + atEnd = true + break + } + } + n2, err2 := current.Span(src[n:p], atEnd || (atEOF && p == len(src))) + n += n2 + if err2 != nil { + return n, err2 + } + // At this point either err != nil or t.check will pass for the rune at p. + p = n + size + } + return n, err +} + +func (t *cond) Transform(dst, src []byte, atEOF bool) (nDst, nSrc int, err error) { + p := 0 + for nSrc < len(src) && err == nil { + // Don't process too much at a time, as the work might be wasted if the + // destination buffer isn't large enough to hold the result or a + // transform returns an error early. + const maxChunk = 4096 + max := len(src) + if n := nSrc + maxChunk; n < len(src) { + max = n + } + atEnd := false + size := 0 + current := t.t + for ; p < max; p += size { + r := rune(src[p]) + if r < utf8.RuneSelf { + size = 1 + } else if r, size = utf8.DecodeRune(src[p:]); size == 1 { + if !atEOF && !utf8.FullRune(src[p:]) { + err = transform.ErrShortSrc + break + } + } + if !t.check(r) { + // The next rune will be the start of a new run. + atEnd = true + break + } + } + nDst2, nSrc2, err2 := current.Transform(dst[nDst:], src[nSrc:p], atEnd || (atEOF && p == len(src))) + nDst += nDst2 + nSrc += nSrc2 + if err2 != nil { + return nDst, nSrc, err2 + } + // At this point either err != nil or t.check will pass for the rune at p. + p = nSrc + size + } + return nDst, nSrc, err +} diff --git a/vendor/golang.org/x/text/runes/runes.go b/vendor/golang.org/x/text/runes/runes.go new file mode 100644 index 0000000000..930e87fedb --- /dev/null +++ b/vendor/golang.org/x/text/runes/runes.go @@ -0,0 +1,355 @@ +// Copyright 2014 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +// Package runes provide transforms for UTF-8 encoded text. +package runes // import "golang.org/x/text/runes" + +import ( + "unicode" + "unicode/utf8" + + "golang.org/x/text/transform" +) + +// A Set is a collection of runes. +type Set interface { + // Contains returns true if r is contained in the set. + Contains(r rune) bool +} + +type setFunc func(rune) bool + +func (s setFunc) Contains(r rune) bool { + return s(r) +} + +// Note: using funcs here instead of wrapping types result in cleaner +// documentation and a smaller API. + +// In creates a Set with a Contains method that returns true for all runes in +// the given RangeTable. +func In(rt *unicode.RangeTable) Set { + return setFunc(func(r rune) bool { return unicode.Is(rt, r) }) +} + +// NotIn creates a Set with a Contains method that returns true for all runes not +// in the given RangeTable. +func NotIn(rt *unicode.RangeTable) Set { + return setFunc(func(r rune) bool { return !unicode.Is(rt, r) }) +} + +// Predicate creates a Set with a Contains method that returns f(r). +func Predicate(f func(rune) bool) Set { + return setFunc(f) +} + +// Transformer implements the transform.Transformer interface. +type Transformer struct { + t transform.SpanningTransformer +} + +func (t Transformer) Transform(dst, src []byte, atEOF bool) (nDst, nSrc int, err error) { + return t.t.Transform(dst, src, atEOF) +} + +func (t Transformer) Span(b []byte, atEOF bool) (n int, err error) { + return t.t.Span(b, atEOF) +} + +func (t Transformer) Reset() { t.t.Reset() } + +// Bytes returns a new byte slice with the result of converting b using t. It +// calls Reset on t. It returns nil if any error was found. This can only happen +// if an error-producing Transformer is passed to If. +func (t Transformer) Bytes(b []byte) []byte { + b, _, err := transform.Bytes(t, b) + if err != nil { + return nil + } + return b +} + +// String returns a string with the result of converting s using t. It calls +// Reset on t. It returns the empty string if any error was found. This can only +// happen if an error-producing Transformer is passed to If. +func (t Transformer) String(s string) string { + s, _, err := transform.String(t, s) + if err != nil { + return "" + } + return s +} + +// TODO: +// - Copy: copying strings and bytes in whole-rune units. +// - Validation (maybe) +// - Well-formed-ness (maybe) + +const runeErrorString = string(utf8.RuneError) + +// Remove returns a Transformer that removes runes r for which s.Contains(r). +// Illegal input bytes are replaced by RuneError before being passed to f. +func Remove(s Set) Transformer { + if f, ok := s.(setFunc); ok { + // This little trick cuts the running time of BenchmarkRemove for sets + // created by Predicate roughly in half. + // TODO: special-case RangeTables as well. + return Transformer{remove(f)} + } + return Transformer{remove(s.Contains)} +} + +// TODO: remove transform.RemoveFunc. + +type remove func(r rune) bool + +func (remove) Reset() {} + +// Span implements transform.Spanner. +func (t remove) Span(src []byte, atEOF bool) (n int, err error) { + for r, size := rune(0), 0; n < len(src); { + if r = rune(src[n]); r < utf8.RuneSelf { + size = 1 + } else if r, size = utf8.DecodeRune(src[n:]); size == 1 { + // Invalid rune. + if !atEOF && !utf8.FullRune(src[n:]) { + err = transform.ErrShortSrc + } else { + err = transform.ErrEndOfSpan + } + break + } + if t(r) { + err = transform.ErrEndOfSpan + break + } + n += size + } + return +} + +// Transform implements transform.Transformer. +func (t remove) Transform(dst, src []byte, atEOF bool) (nDst, nSrc int, err error) { + for r, size := rune(0), 0; nSrc < len(src); { + if r = rune(src[nSrc]); r < utf8.RuneSelf { + size = 1 + } else if r, size = utf8.DecodeRune(src[nSrc:]); size == 1 { + // Invalid rune. + if !atEOF && !utf8.FullRune(src[nSrc:]) { + err = transform.ErrShortSrc + break + } + // We replace illegal bytes with RuneError. Not doing so might + // otherwise turn a sequence of invalid UTF-8 into valid UTF-8. + // The resulting byte sequence may subsequently contain runes + // for which t(r) is true that were passed unnoticed. + if !t(utf8.RuneError) { + if nDst+3 > len(dst) { + err = transform.ErrShortDst + break + } + dst[nDst+0] = runeErrorString[0] + dst[nDst+1] = runeErrorString[1] + dst[nDst+2] = runeErrorString[2] + nDst += 3 + } + nSrc++ + continue + } + if t(r) { + nSrc += size + continue + } + if nDst+size > len(dst) { + err = transform.ErrShortDst + break + } + for i := 0; i < size; i++ { + dst[nDst] = src[nSrc] + nDst++ + nSrc++ + } + } + return +} + +// Map returns a Transformer that maps the runes in the input using the given +// mapping. Illegal bytes in the input are converted to utf8.RuneError before +// being passed to the mapping func. +func Map(mapping func(rune) rune) Transformer { + return Transformer{mapper(mapping)} +} + +type mapper func(rune) rune + +func (mapper) Reset() {} + +// Span implements transform.Spanner. +func (t mapper) Span(src []byte, atEOF bool) (n int, err error) { + for r, size := rune(0), 0; n < len(src); n += size { + if r = rune(src[n]); r < utf8.RuneSelf { + size = 1 + } else if r, size = utf8.DecodeRune(src[n:]); size == 1 { + // Invalid rune. + if !atEOF && !utf8.FullRune(src[n:]) { + err = transform.ErrShortSrc + } else { + err = transform.ErrEndOfSpan + } + break + } + if t(r) != r { + err = transform.ErrEndOfSpan + break + } + } + return n, err +} + +// Transform implements transform.Transformer. +func (t mapper) Transform(dst, src []byte, atEOF bool) (nDst, nSrc int, err error) { + var replacement rune + var b [utf8.UTFMax]byte + + for r, size := rune(0), 0; nSrc < len(src); { + if r = rune(src[nSrc]); r < utf8.RuneSelf { + if replacement = t(r); replacement < utf8.RuneSelf { + if nDst == len(dst) { + err = transform.ErrShortDst + break + } + dst[nDst] = byte(replacement) + nDst++ + nSrc++ + continue + } + size = 1 + } else if r, size = utf8.DecodeRune(src[nSrc:]); size == 1 { + // Invalid rune. + if !atEOF && !utf8.FullRune(src[nSrc:]) { + err = transform.ErrShortSrc + break + } + + if replacement = t(utf8.RuneError); replacement == utf8.RuneError { + if nDst+3 > len(dst) { + err = transform.ErrShortDst + break + } + dst[nDst+0] = runeErrorString[0] + dst[nDst+1] = runeErrorString[1] + dst[nDst+2] = runeErrorString[2] + nDst += 3 + nSrc++ + continue + } + } else if replacement = t(r); replacement == r { + if nDst+size > len(dst) { + err = transform.ErrShortDst + break + } + for i := 0; i < size; i++ { + dst[nDst] = src[nSrc] + nDst++ + nSrc++ + } + continue + } + + n := utf8.EncodeRune(b[:], replacement) + + if nDst+n > len(dst) { + err = transform.ErrShortDst + break + } + for i := 0; i < n; i++ { + dst[nDst] = b[i] + nDst++ + } + nSrc += size + } + return +} + +// ReplaceIllFormed returns a transformer that replaces all input bytes that are +// not part of a well-formed UTF-8 code sequence with utf8.RuneError. +func ReplaceIllFormed() Transformer { + return Transformer{&replaceIllFormed{}} +} + +type replaceIllFormed struct{ transform.NopResetter } + +func (t replaceIllFormed) Span(src []byte, atEOF bool) (n int, err error) { + for n < len(src) { + // ASCII fast path. + if src[n] < utf8.RuneSelf { + n++ + continue + } + + r, size := utf8.DecodeRune(src[n:]) + + // Look for a valid non-ASCII rune. + if r != utf8.RuneError || size != 1 { + n += size + continue + } + + // Look for short source data. + if !atEOF && !utf8.FullRune(src[n:]) { + err = transform.ErrShortSrc + break + } + + // We have an invalid rune. + err = transform.ErrEndOfSpan + break + } + return n, err +} + +func (t replaceIllFormed) Transform(dst, src []byte, atEOF bool) (nDst, nSrc int, err error) { + for nSrc < len(src) { + // ASCII fast path. + if r := src[nSrc]; r < utf8.RuneSelf { + if nDst == len(dst) { + err = transform.ErrShortDst + break + } + dst[nDst] = r + nDst++ + nSrc++ + continue + } + + // Look for a valid non-ASCII rune. + if _, size := utf8.DecodeRune(src[nSrc:]); size != 1 { + if size != copy(dst[nDst:], src[nSrc:nSrc+size]) { + err = transform.ErrShortDst + break + } + nDst += size + nSrc += size + continue + } + + // Look for short source data. + if !atEOF && !utf8.FullRune(src[nSrc:]) { + err = transform.ErrShortSrc + break + } + + // We have an invalid rune. + if nDst+3 > len(dst) { + err = transform.ErrShortDst + break + } + dst[nDst+0] = runeErrorString[0] + dst[nDst+1] = runeErrorString[1] + dst[nDst+2] = runeErrorString[2] + nDst += 3 + nSrc++ + } + return nDst, nSrc, err +} diff --git a/vendor/golang.org/x/time/rate/rate.go b/vendor/golang.org/x/time/rate/rate.go index 794b2e32bf..563270c154 100644 --- a/vendor/golang.org/x/time/rate/rate.go +++ b/vendor/golang.org/x/time/rate/rate.go @@ -195,7 +195,7 @@ func (r *Reservation) CancelAt(t time.Time) { // update state r.lim.last = t r.lim.tokens = tokens - if r.timeToAct == r.lim.lastEvent { + if r.timeToAct.Equal(r.lim.lastEvent) { prevEvent := r.timeToAct.Add(r.limit.durationFromTokens(float64(-r.tokens))) if !prevEvent.Before(t) { r.lim.lastEvent = prevEvent diff --git a/vendor/golang.org/x/time/rate/sometimes.go b/vendor/golang.org/x/time/rate/sometimes.go index 6ba99ddb67..9b83932692 100644 --- a/vendor/golang.org/x/time/rate/sometimes.go +++ b/vendor/golang.org/x/time/rate/sometimes.go @@ -61,7 +61,9 @@ func (s *Sometimes) Do(f func()) { (s.Every > 0 && s.count%s.Every == 0) || (s.Interval > 0 && time.Since(s.last) >= s.Interval) { f() - s.last = time.Now() + if s.Interval > 0 { + s.last = time.Now() + } } s.count++ } diff --git a/vendor/gopkg.in/evanphx/json-patch.v4/README.md b/vendor/gopkg.in/evanphx/json-patch.v4/README.md index 28e3516937..86fefd5bf7 100644 --- a/vendor/gopkg.in/evanphx/json-patch.v4/README.md +++ b/vendor/gopkg.in/evanphx/json-patch.v4/README.md @@ -4,7 +4,7 @@ well as for calculating & applying [RFC7396 JSON merge patches](https://tools.ietf.org/html/rfc7396). [![GoDoc](https://godoc.org/github.com/evanphx/json-patch?status.svg)](http://godoc.org/github.com/evanphx/json-patch) -[![Build Status](https://travis-ci.org/evanphx/json-patch.svg?branch=master)](https://travis-ci.org/evanphx/json-patch) +[![Build Status](https://github.com/evanphx/json-patch/actions/workflows/go.yml/badge.svg)](https://github.com/evanphx/json-patch/actions/workflows/go.yml) [![Report Card](https://goreportcard.com/badge/github.com/evanphx/json-patch)](https://goreportcard.com/report/github.com/evanphx/json-patch) # Get It! @@ -14,9 +14,7 @@ well as for calculating & applying [RFC7396 JSON merge patches](https://tools.ie go get -u github.com/evanphx/json-patch/v5 ``` -**Stable Versions**: -* Version 5: `go get -u gopkg.in/evanphx/json-patch.v5` -* Version 4: `go get -u gopkg.in/evanphx/json-patch.v4` +If you need version 4, use `go get -u gopkg.in/evanphx/json-patch.v4` (previous versions below `v3` are unavailable) @@ -314,4 +312,4 @@ go test -cover ./... ``` Builds for pull requests are tested automatically -using [TravisCI](https://travis-ci.org/evanphx/json-patch). +using [GitHub Actions](https://github.com/evanphx/json-patch/actions/workflows/go.yml). diff --git a/vendor/gopkg.in/evanphx/json-patch.v4/patch.go b/vendor/gopkg.in/evanphx/json-patch.v4/patch.go index dc2b7e51e6..95136681ba 100644 --- a/vendor/gopkg.in/evanphx/json-patch.v4/patch.go +++ b/vendor/gopkg.in/evanphx/json-patch.v4/patch.go @@ -3,11 +3,10 @@ package jsonpatch import ( "bytes" "encoding/json" + "errors" "fmt" "strconv" "strings" - - "github.com/pkg/errors" ) const ( @@ -277,7 +276,7 @@ func (o Operation) Path() (string, error) { return op, nil } - return "unknown", errors.Wrapf(ErrMissing, "operation missing path field") + return "unknown", fmt.Errorf("operation missing path field: %w", ErrMissing) } // From reads the "from" field of the Operation. @@ -294,7 +293,7 @@ func (o Operation) From() (string, error) { return op, nil } - return "unknown", errors.Wrapf(ErrMissing, "operation, missing from field") + return "unknown", fmt.Errorf("operation, missing from field: %w", ErrMissing) } func (o Operation) value() *lazyNode { @@ -319,7 +318,7 @@ func (o Operation) ValueInterface() (interface{}, error) { return v, nil } - return nil, errors.Wrapf(ErrMissing, "operation, missing value field") + return nil, fmt.Errorf("operation, missing value field: %w", ErrMissing) } func isArray(buf []byte) bool { @@ -359,7 +358,7 @@ func findObject(pd *container, path string) (container, string) { next, ok := doc.get(decodePatchKey(part)) - if next == nil || ok != nil { + if next == nil || ok != nil || next.raw == nil { return nil, "" } @@ -398,7 +397,7 @@ func (d *partialDoc) get(key string) (*lazyNode, error) { func (d *partialDoc) remove(key string) error { _, ok := (*d)[key] if !ok { - return errors.Wrapf(ErrMissing, "Unable to remove nonexistent key: %s", key) + return fmt.Errorf("Unable to remove nonexistent key: %s: %w", key, ErrMissing) } delete(*d, key) @@ -415,10 +414,10 @@ func (d *partialArray) set(key string, val *lazyNode) error { if idx < 0 { if !SupportNegativeIndices { - return errors.Wrapf(ErrInvalidIndex, "Unable to access invalid index: %d", idx) + return fmt.Errorf("Unable to access invalid index: %d: %w", idx, ErrInvalidIndex) } if idx < -len(*d) { - return errors.Wrapf(ErrInvalidIndex, "Unable to access invalid index: %d", idx) + return fmt.Errorf("Unable to access invalid index: %d: %w", idx, ErrInvalidIndex) } idx += len(*d) } @@ -435,7 +434,7 @@ func (d *partialArray) add(key string, val *lazyNode) error { idx, err := strconv.Atoi(key) if err != nil { - return errors.Wrapf(err, "value was not a proper array index: '%s'", key) + return fmt.Errorf("value was not a proper array index: '%s': %w", key, err) } sz := len(*d) + 1 @@ -445,15 +444,15 @@ func (d *partialArray) add(key string, val *lazyNode) error { cur := *d if idx >= len(ary) { - return errors.Wrapf(ErrInvalidIndex, "Unable to access invalid index: %d", idx) + return fmt.Errorf("Unable to access invalid index: %d: %w", idx, ErrInvalidIndex) } if idx < 0 { if !SupportNegativeIndices { - return errors.Wrapf(ErrInvalidIndex, "Unable to access invalid index: %d", idx) + return fmt.Errorf("Unable to access invalid index: %d: %w", idx, ErrInvalidIndex) } if idx < -len(ary) { - return errors.Wrapf(ErrInvalidIndex, "Unable to access invalid index: %d", idx) + return fmt.Errorf("Unable to access invalid index: %d: %w", idx, ErrInvalidIndex) } idx += len(ary) } @@ -475,16 +474,16 @@ func (d *partialArray) get(key string) (*lazyNode, error) { if idx < 0 { if !SupportNegativeIndices { - return nil, errors.Wrapf(ErrInvalidIndex, "Unable to access invalid index: %d", idx) + return nil, fmt.Errorf("Unable to access invalid index: %d: %w", idx, ErrInvalidIndex) } if idx < -len(*d) { - return nil, errors.Wrapf(ErrInvalidIndex, "Unable to access invalid index: %d", idx) + return nil, fmt.Errorf("Unable to access invalid index: %d: %w", idx, ErrInvalidIndex) } idx += len(*d) } if idx >= len(*d) { - return nil, errors.Wrapf(ErrInvalidIndex, "Unable to access invalid index: %d", idx) + return nil, fmt.Errorf("Unable to access invalid index: %d: %w", idx, ErrInvalidIndex) } return (*d)[idx], nil @@ -499,15 +498,15 @@ func (d *partialArray) remove(key string) error { cur := *d if idx >= len(cur) { - return errors.Wrapf(ErrInvalidIndex, "Unable to access invalid index: %d", idx) + return fmt.Errorf("Unable to access invalid index: %d: %w", idx, ErrInvalidIndex) } if idx < 0 { if !SupportNegativeIndices { - return errors.Wrapf(ErrInvalidIndex, "Unable to access invalid index: %d", idx) + return fmt.Errorf("Unable to access invalid index: %d: %w", idx, ErrInvalidIndex) } if idx < -len(cur) { - return errors.Wrapf(ErrInvalidIndex, "Unable to access invalid index: %d", idx) + return fmt.Errorf("Unable to access invalid index: %d: %w", idx, ErrInvalidIndex) } idx += len(cur) } @@ -525,18 +524,18 @@ func (d *partialArray) remove(key string) error { func (p Patch) add(doc *container, op Operation) error { path, err := op.Path() if err != nil { - return errors.Wrapf(ErrMissing, "add operation failed to decode path") + return fmt.Errorf("add operation failed to decode path: %w", ErrMissing) } con, key := findObject(doc, path) if con == nil { - return errors.Wrapf(ErrMissing, "add operation does not apply: doc is missing path: \"%s\"", path) + return fmt.Errorf("add operation does not apply: doc is missing path: \"%s\": %w", path, ErrMissing) } err = con.add(key, op.value()) if err != nil { - return errors.Wrapf(err, "error in add for path: '%s'", path) + return fmt.Errorf("error in add for path: '%s': %w", path, err) } return nil @@ -545,18 +544,18 @@ func (p Patch) add(doc *container, op Operation) error { func (p Patch) remove(doc *container, op Operation) error { path, err := op.Path() if err != nil { - return errors.Wrapf(ErrMissing, "remove operation failed to decode path") + return fmt.Errorf("remove operation failed to decode path: %w", ErrMissing) } con, key := findObject(doc, path) if con == nil { - return errors.Wrapf(ErrMissing, "remove operation does not apply: doc is missing path: \"%s\"", path) + return fmt.Errorf("remove operation does not apply: doc is missing path: \"%s\": %w", path, ErrMissing) } err = con.remove(key) if err != nil { - return errors.Wrapf(err, "error in remove for path: '%s'", path) + return fmt.Errorf("error in remove for path: '%s': %w", path, err) } return nil @@ -565,7 +564,7 @@ func (p Patch) remove(doc *container, op Operation) error { func (p Patch) replace(doc *container, op Operation) error { path, err := op.Path() if err != nil { - return errors.Wrapf(err, "replace operation failed to decode path") + return fmt.Errorf("replace operation failed to decode path: %w", err) } if path == "" { @@ -574,7 +573,7 @@ func (p Patch) replace(doc *container, op Operation) error { if val.which == eRaw { if !val.tryDoc() { if !val.tryAry() { - return errors.Wrapf(err, "replace operation value must be object or array") + return fmt.Errorf("replace operation value must be object or array: %w", err) } } } @@ -585,7 +584,7 @@ func (p Patch) replace(doc *container, op Operation) error { case eDoc: *doc = &val.doc case eRaw: - return errors.Wrapf(err, "replace operation hit impossible case") + return fmt.Errorf("replace operation hit impossible case: %w", err) } return nil @@ -594,17 +593,17 @@ func (p Patch) replace(doc *container, op Operation) error { con, key := findObject(doc, path) if con == nil { - return errors.Wrapf(ErrMissing, "replace operation does not apply: doc is missing path: %s", path) + return fmt.Errorf("replace operation does not apply: doc is missing path: %s: %w", path, ErrMissing) } _, ok := con.get(key) if ok != nil { - return errors.Wrapf(ErrMissing, "replace operation does not apply: doc is missing key: %s", path) + return fmt.Errorf("replace operation does not apply: doc is missing key: %s: %w", path, ErrMissing) } err = con.set(key, op.value()) if err != nil { - return errors.Wrapf(err, "error in remove for path: '%s'", path) + return fmt.Errorf("error in remove for path: '%s': %w", path, err) } return nil @@ -613,39 +612,39 @@ func (p Patch) replace(doc *container, op Operation) error { func (p Patch) move(doc *container, op Operation) error { from, err := op.From() if err != nil { - return errors.Wrapf(err, "move operation failed to decode from") + return fmt.Errorf("move operation failed to decode from: %w", err) } con, key := findObject(doc, from) if con == nil { - return errors.Wrapf(ErrMissing, "move operation does not apply: doc is missing from path: %s", from) + return fmt.Errorf("move operation does not apply: doc is missing from path: %s: %w", from, ErrMissing) } val, err := con.get(key) if err != nil { - return errors.Wrapf(err, "error in move for path: '%s'", key) + return fmt.Errorf("error in move for path: '%s': %w", key, err) } err = con.remove(key) if err != nil { - return errors.Wrapf(err, "error in move for path: '%s'", key) + return fmt.Errorf("error in move for path: '%s': %w", key, err) } path, err := op.Path() if err != nil { - return errors.Wrapf(err, "move operation failed to decode path") + return fmt.Errorf("move operation failed to decode path: %w", err) } con, key = findObject(doc, path) if con == nil { - return errors.Wrapf(ErrMissing, "move operation does not apply: doc is missing destination path: %s", path) + return fmt.Errorf("move operation does not apply: doc is missing destination path: %s: %w", path, ErrMissing) } err = con.add(key, val) if err != nil { - return errors.Wrapf(err, "error in move for path: '%s'", path) + return fmt.Errorf("error in move for path: '%s': %w", path, err) } return nil @@ -654,7 +653,7 @@ func (p Patch) move(doc *container, op Operation) error { func (p Patch) test(doc *container, op Operation) error { path, err := op.Path() if err != nil { - return errors.Wrapf(err, "test operation failed to decode path") + return fmt.Errorf("test operation failed to decode path: %w", err) } if path == "" { @@ -673,67 +672,67 @@ func (p Patch) test(doc *container, op Operation) error { return nil } - return errors.Wrapf(ErrTestFailed, "testing value %s failed", path) + return fmt.Errorf("testing value %s failed: %w", path, ErrTestFailed) } con, key := findObject(doc, path) if con == nil { - return errors.Wrapf(ErrMissing, "test operation does not apply: is missing path: %s", path) + return fmt.Errorf("test operation does not apply: is missing path: %s: %w", path, ErrMissing) } val, err := con.get(key) if err != nil { - return errors.Wrapf(err, "error in test for path: '%s'", path) + return fmt.Errorf("error in test for path: '%s': %w", path, err) } if val == nil { - if op.value().raw == nil { + if op.value() == nil || op.value().raw == nil { return nil } - return errors.Wrapf(ErrTestFailed, "testing value %s failed", path) + return fmt.Errorf("testing value %s failed: %w", path, ErrTestFailed) } else if op.value() == nil { - return errors.Wrapf(ErrTestFailed, "testing value %s failed", path) + return fmt.Errorf("testing value %s failed: %w", path, ErrTestFailed) } if val.equal(op.value()) { return nil } - return errors.Wrapf(ErrTestFailed, "testing value %s failed", path) + return fmt.Errorf("testing value %s failed: %w", path, ErrTestFailed) } func (p Patch) copy(doc *container, op Operation, accumulatedCopySize *int64) error { from, err := op.From() if err != nil { - return errors.Wrapf(err, "copy operation failed to decode from") + return fmt.Errorf("copy operation failed to decode from: %w", err) } con, key := findObject(doc, from) if con == nil { - return errors.Wrapf(ErrMissing, "copy operation does not apply: doc is missing from path: %s", from) + return fmt.Errorf("copy operation does not apply: doc is missing from path: %s: %w", from, ErrMissing) } val, err := con.get(key) if err != nil { - return errors.Wrapf(err, "error in copy for from: '%s'", from) + return fmt.Errorf("error in copy for from: '%s': %w", from, err) } path, err := op.Path() if err != nil { - return errors.Wrapf(ErrMissing, "copy operation failed to decode path") + return fmt.Errorf("copy operation failed to decode path: %w", ErrMissing) } con, key = findObject(doc, path) if con == nil { - return errors.Wrapf(ErrMissing, "copy operation does not apply: doc is missing destination path: %s", path) + return fmt.Errorf("copy operation does not apply: doc is missing destination path: %s: %w", path, ErrMissing) } valCopy, sz, err := deepCopy(val) if err != nil { - return errors.Wrapf(err, "error while performing deep copy") + return fmt.Errorf("error while performing deep copy: %w", err) } (*accumulatedCopySize) += int64(sz) @@ -743,7 +742,7 @@ func (p Patch) copy(doc *container, op Operation, accumulatedCopySize *int64) er err = con.add(key, valCopy) if err != nil { - return errors.Wrapf(err, "error while adding value during copy") + return fmt.Errorf("error while adding value during copy: %w", err) } return nil diff --git a/vendor/gopkg.in/natefinch/lumberjack.v2/.gitignore b/vendor/gopkg.in/natefinch/lumberjack.v2/.gitignore new file mode 100644 index 0000000000..836562412f --- /dev/null +++ b/vendor/gopkg.in/natefinch/lumberjack.v2/.gitignore @@ -0,0 +1,23 @@ +# Compiled Object files, Static and Dynamic libs (Shared Objects) +*.o +*.a +*.so + +# Folders +_obj +_test + +# Architecture specific extensions/prefixes +*.[568vq] +[568vq].out + +*.cgo1.go +*.cgo2.c +_cgo_defun.c +_cgo_gotypes.go +_cgo_export.* + +_testmain.go + +*.exe +*.test diff --git a/vendor/gopkg.in/natefinch/lumberjack.v2/.travis.yml b/vendor/gopkg.in/natefinch/lumberjack.v2/.travis.yml new file mode 100644 index 0000000000..21166f5c7d --- /dev/null +++ b/vendor/gopkg.in/natefinch/lumberjack.v2/.travis.yml @@ -0,0 +1,11 @@ +language: go + +go: + - tip + - 1.15.x + - 1.14.x + - 1.13.x + - 1.12.x + +env: + - GO111MODULE=on diff --git a/vendor/gopkg.in/natefinch/lumberjack.v2/LICENSE b/vendor/gopkg.in/natefinch/lumberjack.v2/LICENSE new file mode 100644 index 0000000000..c3d4cc307d --- /dev/null +++ b/vendor/gopkg.in/natefinch/lumberjack.v2/LICENSE @@ -0,0 +1,21 @@ +The MIT License (MIT) + +Copyright (c) 2014 Nate Finch + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. \ No newline at end of file diff --git a/vendor/gopkg.in/natefinch/lumberjack.v2/README.md b/vendor/gopkg.in/natefinch/lumberjack.v2/README.md new file mode 100644 index 0000000000..060eae52a2 --- /dev/null +++ b/vendor/gopkg.in/natefinch/lumberjack.v2/README.md @@ -0,0 +1,179 @@ +# lumberjack [![GoDoc](https://godoc.org/gopkg.in/natefinch/lumberjack.v2?status.png)](https://godoc.org/gopkg.in/natefinch/lumberjack.v2) [![Build Status](https://travis-ci.org/natefinch/lumberjack.svg?branch=v2.0)](https://travis-ci.org/natefinch/lumberjack) [![Build status](https://ci.appveyor.com/api/projects/status/00gchpxtg4gkrt5d)](https://ci.appveyor.com/project/natefinch/lumberjack) [![Coverage Status](https://coveralls.io/repos/natefinch/lumberjack/badge.svg?branch=v2.0)](https://coveralls.io/r/natefinch/lumberjack?branch=v2.0) + +### Lumberjack is a Go package for writing logs to rolling files. + +Package lumberjack provides a rolling logger. + +Note that this is v2.0 of lumberjack, and should be imported using gopkg.in +thusly: + + import "gopkg.in/natefinch/lumberjack.v2" + +The package name remains simply lumberjack, and the code resides at +https://github.com/natefinch/lumberjack under the v2.0 branch. + +Lumberjack is intended to be one part of a logging infrastructure. +It is not an all-in-one solution, but instead is a pluggable +component at the bottom of the logging stack that simply controls the files +to which logs are written. + +Lumberjack plays well with any logging package that can write to an +io.Writer, including the standard library's log package. + +Lumberjack assumes that only one process is writing to the output files. +Using the same lumberjack configuration from multiple processes on the same +machine will result in improper behavior. + + +**Example** + +To use lumberjack with the standard library's log package, just pass it into the SetOutput function when your application starts. + +Code: + +```go +log.SetOutput(&lumberjack.Logger{ + Filename: "/var/log/myapp/foo.log", + MaxSize: 500, // megabytes + MaxBackups: 3, + MaxAge: 28, //days + Compress: true, // disabled by default +}) +``` + + + +## type Logger +``` go +type Logger struct { + // Filename is the file to write logs to. Backup log files will be retained + // in the same directory. It uses -lumberjack.log in + // os.TempDir() if empty. + Filename string `json:"filename" yaml:"filename"` + + // MaxSize is the maximum size in megabytes of the log file before it gets + // rotated. It defaults to 100 megabytes. + MaxSize int `json:"maxsize" yaml:"maxsize"` + + // MaxAge is the maximum number of days to retain old log files based on the + // timestamp encoded in their filename. Note that a day is defined as 24 + // hours and may not exactly correspond to calendar days due to daylight + // savings, leap seconds, etc. The default is not to remove old log files + // based on age. + MaxAge int `json:"maxage" yaml:"maxage"` + + // MaxBackups is the maximum number of old log files to retain. The default + // is to retain all old log files (though MaxAge may still cause them to get + // deleted.) + MaxBackups int `json:"maxbackups" yaml:"maxbackups"` + + // LocalTime determines if the time used for formatting the timestamps in + // backup files is the computer's local time. The default is to use UTC + // time. + LocalTime bool `json:"localtime" yaml:"localtime"` + + // Compress determines if the rotated log files should be compressed + // using gzip. The default is not to perform compression. + Compress bool `json:"compress" yaml:"compress"` + // contains filtered or unexported fields +} +``` +Logger is an io.WriteCloser that writes to the specified filename. + +Logger opens or creates the logfile on first Write. If the file exists and +is less than MaxSize megabytes, lumberjack will open and append to that file. +If the file exists and its size is >= MaxSize megabytes, the file is renamed +by putting the current time in a timestamp in the name immediately before the +file's extension (or the end of the filename if there's no extension). A new +log file is then created using original filename. + +Whenever a write would cause the current log file exceed MaxSize megabytes, +the current file is closed, renamed, and a new log file created with the +original name. Thus, the filename you give Logger is always the "current" log +file. + +Backups use the log file name given to Logger, in the form `name-timestamp.ext` +where name is the filename without the extension, timestamp is the time at which +the log was rotated formatted with the time.Time format of +`2006-01-02T15-04-05.000` and the extension is the original extension. For +example, if your Logger.Filename is `/var/log/foo/server.log`, a backup created +at 6:30pm on Nov 11 2016 would use the filename +`/var/log/foo/server-2016-11-04T18-30-00.000.log` + +### Cleaning Up Old Log Files +Whenever a new logfile gets created, old log files may be deleted. The most +recent files according to the encoded timestamp will be retained, up to a +number equal to MaxBackups (or all of them if MaxBackups is 0). Any files +with an encoded timestamp older than MaxAge days are deleted, regardless of +MaxBackups. Note that the time encoded in the timestamp is the rotation +time, which may differ from the last time that file was written to. + +If MaxBackups and MaxAge are both 0, no old log files will be deleted. + + + + + + + + + + + +### func (\*Logger) Close +``` go +func (l *Logger) Close() error +``` +Close implements io.Closer, and closes the current logfile. + + + +### func (\*Logger) Rotate +``` go +func (l *Logger) Rotate() error +``` +Rotate causes Logger to close the existing log file and immediately create a +new one. This is a helper function for applications that want to initiate +rotations outside of the normal rotation rules, such as in response to +SIGHUP. After rotating, this initiates a cleanup of old log files according +to the normal rules. + +**Example** + +Example of how to rotate in response to SIGHUP. + +Code: + +```go +l := &lumberjack.Logger{} +log.SetOutput(l) +c := make(chan os.Signal, 1) +signal.Notify(c, syscall.SIGHUP) + +go func() { + for { + <-c + l.Rotate() + } +}() +``` + +### func (\*Logger) Write +``` go +func (l *Logger) Write(p []byte) (n int, err error) +``` +Write implements io.Writer. If a write would cause the log file to be larger +than MaxSize, the file is closed, renamed to include a timestamp of the +current time, and a new log file is created using the original log file name. +If the length of the write is greater than MaxSize, an error is returned. + + + + + + + + + +- - - +Generated by [godoc2md](http://godoc.org/github.com/davecheney/godoc2md) diff --git a/vendor/gopkg.in/natefinch/lumberjack.v2/chown.go b/vendor/gopkg.in/natefinch/lumberjack.v2/chown.go new file mode 100644 index 0000000000..11d0669723 --- /dev/null +++ b/vendor/gopkg.in/natefinch/lumberjack.v2/chown.go @@ -0,0 +1,11 @@ +// +build !linux + +package lumberjack + +import ( + "os" +) + +func chown(_ string, _ os.FileInfo) error { + return nil +} diff --git a/vendor/gopkg.in/natefinch/lumberjack.v2/chown_linux.go b/vendor/gopkg.in/natefinch/lumberjack.v2/chown_linux.go new file mode 100644 index 0000000000..465f569270 --- /dev/null +++ b/vendor/gopkg.in/natefinch/lumberjack.v2/chown_linux.go @@ -0,0 +1,19 @@ +package lumberjack + +import ( + "os" + "syscall" +) + +// osChown is a var so we can mock it out during tests. +var osChown = os.Chown + +func chown(name string, info os.FileInfo) error { + f, err := os.OpenFile(name, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, info.Mode()) + if err != nil { + return err + } + f.Close() + stat := info.Sys().(*syscall.Stat_t) + return osChown(name, int(stat.Uid), int(stat.Gid)) +} diff --git a/vendor/gopkg.in/natefinch/lumberjack.v2/lumberjack.go b/vendor/gopkg.in/natefinch/lumberjack.v2/lumberjack.go new file mode 100644 index 0000000000..3447cdc056 --- /dev/null +++ b/vendor/gopkg.in/natefinch/lumberjack.v2/lumberjack.go @@ -0,0 +1,541 @@ +// Package lumberjack provides a rolling logger. +// +// Note that this is v2.0 of lumberjack, and should be imported using gopkg.in +// thusly: +// +// import "gopkg.in/natefinch/lumberjack.v2" +// +// The package name remains simply lumberjack, and the code resides at +// https://github.com/natefinch/lumberjack under the v2.0 branch. +// +// Lumberjack is intended to be one part of a logging infrastructure. +// It is not an all-in-one solution, but instead is a pluggable +// component at the bottom of the logging stack that simply controls the files +// to which logs are written. +// +// Lumberjack plays well with any logging package that can write to an +// io.Writer, including the standard library's log package. +// +// Lumberjack assumes that only one process is writing to the output files. +// Using the same lumberjack configuration from multiple processes on the same +// machine will result in improper behavior. +package lumberjack + +import ( + "compress/gzip" + "errors" + "fmt" + "io" + "io/ioutil" + "os" + "path/filepath" + "sort" + "strings" + "sync" + "time" +) + +const ( + backupTimeFormat = "2006-01-02T15-04-05.000" + compressSuffix = ".gz" + defaultMaxSize = 100 +) + +// ensure we always implement io.WriteCloser +var _ io.WriteCloser = (*Logger)(nil) + +// Logger is an io.WriteCloser that writes to the specified filename. +// +// Logger opens or creates the logfile on first Write. If the file exists and +// is less than MaxSize megabytes, lumberjack will open and append to that file. +// If the file exists and its size is >= MaxSize megabytes, the file is renamed +// by putting the current time in a timestamp in the name immediately before the +// file's extension (or the end of the filename if there's no extension). A new +// log file is then created using original filename. +// +// Whenever a write would cause the current log file exceed MaxSize megabytes, +// the current file is closed, renamed, and a new log file created with the +// original name. Thus, the filename you give Logger is always the "current" log +// file. +// +// Backups use the log file name given to Logger, in the form +// `name-timestamp.ext` where name is the filename without the extension, +// timestamp is the time at which the log was rotated formatted with the +// time.Time format of `2006-01-02T15-04-05.000` and the extension is the +// original extension. For example, if your Logger.Filename is +// `/var/log/foo/server.log`, a backup created at 6:30pm on Nov 11 2016 would +// use the filename `/var/log/foo/server-2016-11-04T18-30-00.000.log` +// +// Cleaning Up Old Log Files +// +// Whenever a new logfile gets created, old log files may be deleted. The most +// recent files according to the encoded timestamp will be retained, up to a +// number equal to MaxBackups (or all of them if MaxBackups is 0). Any files +// with an encoded timestamp older than MaxAge days are deleted, regardless of +// MaxBackups. Note that the time encoded in the timestamp is the rotation +// time, which may differ from the last time that file was written to. +// +// If MaxBackups and MaxAge are both 0, no old log files will be deleted. +type Logger struct { + // Filename is the file to write logs to. Backup log files will be retained + // in the same directory. It uses -lumberjack.log in + // os.TempDir() if empty. + Filename string `json:"filename" yaml:"filename"` + + // MaxSize is the maximum size in megabytes of the log file before it gets + // rotated. It defaults to 100 megabytes. + MaxSize int `json:"maxsize" yaml:"maxsize"` + + // MaxAge is the maximum number of days to retain old log files based on the + // timestamp encoded in their filename. Note that a day is defined as 24 + // hours and may not exactly correspond to calendar days due to daylight + // savings, leap seconds, etc. The default is not to remove old log files + // based on age. + MaxAge int `json:"maxage" yaml:"maxage"` + + // MaxBackups is the maximum number of old log files to retain. The default + // is to retain all old log files (though MaxAge may still cause them to get + // deleted.) + MaxBackups int `json:"maxbackups" yaml:"maxbackups"` + + // LocalTime determines if the time used for formatting the timestamps in + // backup files is the computer's local time. The default is to use UTC + // time. + LocalTime bool `json:"localtime" yaml:"localtime"` + + // Compress determines if the rotated log files should be compressed + // using gzip. The default is not to perform compression. + Compress bool `json:"compress" yaml:"compress"` + + size int64 + file *os.File + mu sync.Mutex + + millCh chan bool + startMill sync.Once +} + +var ( + // currentTime exists so it can be mocked out by tests. + currentTime = time.Now + + // os_Stat exists so it can be mocked out by tests. + osStat = os.Stat + + // megabyte is the conversion factor between MaxSize and bytes. It is a + // variable so tests can mock it out and not need to write megabytes of data + // to disk. + megabyte = 1024 * 1024 +) + +// Write implements io.Writer. If a write would cause the log file to be larger +// than MaxSize, the file is closed, renamed to include a timestamp of the +// current time, and a new log file is created using the original log file name. +// If the length of the write is greater than MaxSize, an error is returned. +func (l *Logger) Write(p []byte) (n int, err error) { + l.mu.Lock() + defer l.mu.Unlock() + + writeLen := int64(len(p)) + if writeLen > l.max() { + return 0, fmt.Errorf( + "write length %d exceeds maximum file size %d", writeLen, l.max(), + ) + } + + if l.file == nil { + if err = l.openExistingOrNew(len(p)); err != nil { + return 0, err + } + } + + if l.size+writeLen > l.max() { + if err := l.rotate(); err != nil { + return 0, err + } + } + + n, err = l.file.Write(p) + l.size += int64(n) + + return n, err +} + +// Close implements io.Closer, and closes the current logfile. +func (l *Logger) Close() error { + l.mu.Lock() + defer l.mu.Unlock() + return l.close() +} + +// close closes the file if it is open. +func (l *Logger) close() error { + if l.file == nil { + return nil + } + err := l.file.Close() + l.file = nil + return err +} + +// Rotate causes Logger to close the existing log file and immediately create a +// new one. This is a helper function for applications that want to initiate +// rotations outside of the normal rotation rules, such as in response to +// SIGHUP. After rotating, this initiates compression and removal of old log +// files according to the configuration. +func (l *Logger) Rotate() error { + l.mu.Lock() + defer l.mu.Unlock() + return l.rotate() +} + +// rotate closes the current file, moves it aside with a timestamp in the name, +// (if it exists), opens a new file with the original filename, and then runs +// post-rotation processing and removal. +func (l *Logger) rotate() error { + if err := l.close(); err != nil { + return err + } + if err := l.openNew(); err != nil { + return err + } + l.mill() + return nil +} + +// openNew opens a new log file for writing, moving any old log file out of the +// way. This methods assumes the file has already been closed. +func (l *Logger) openNew() error { + err := os.MkdirAll(l.dir(), 0755) + if err != nil { + return fmt.Errorf("can't make directories for new logfile: %s", err) + } + + name := l.filename() + mode := os.FileMode(0600) + info, err := osStat(name) + if err == nil { + // Copy the mode off the old logfile. + mode = info.Mode() + // move the existing file + newname := backupName(name, l.LocalTime) + if err := os.Rename(name, newname); err != nil { + return fmt.Errorf("can't rename log file: %s", err) + } + + // this is a no-op anywhere but linux + if err := chown(name, info); err != nil { + return err + } + } + + // we use truncate here because this should only get called when we've moved + // the file ourselves. if someone else creates the file in the meantime, + // just wipe out the contents. + f, err := os.OpenFile(name, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, mode) + if err != nil { + return fmt.Errorf("can't open new logfile: %s", err) + } + l.file = f + l.size = 0 + return nil +} + +// backupName creates a new filename from the given name, inserting a timestamp +// between the filename and the extension, using the local time if requested +// (otherwise UTC). +func backupName(name string, local bool) string { + dir := filepath.Dir(name) + filename := filepath.Base(name) + ext := filepath.Ext(filename) + prefix := filename[:len(filename)-len(ext)] + t := currentTime() + if !local { + t = t.UTC() + } + + timestamp := t.Format(backupTimeFormat) + return filepath.Join(dir, fmt.Sprintf("%s-%s%s", prefix, timestamp, ext)) +} + +// openExistingOrNew opens the logfile if it exists and if the current write +// would not put it over MaxSize. If there is no such file or the write would +// put it over the MaxSize, a new file is created. +func (l *Logger) openExistingOrNew(writeLen int) error { + l.mill() + + filename := l.filename() + info, err := osStat(filename) + if os.IsNotExist(err) { + return l.openNew() + } + if err != nil { + return fmt.Errorf("error getting log file info: %s", err) + } + + if info.Size()+int64(writeLen) >= l.max() { + return l.rotate() + } + + file, err := os.OpenFile(filename, os.O_APPEND|os.O_WRONLY, 0644) + if err != nil { + // if we fail to open the old log file for some reason, just ignore + // it and open a new log file. + return l.openNew() + } + l.file = file + l.size = info.Size() + return nil +} + +// filename generates the name of the logfile from the current time. +func (l *Logger) filename() string { + if l.Filename != "" { + return l.Filename + } + name := filepath.Base(os.Args[0]) + "-lumberjack.log" + return filepath.Join(os.TempDir(), name) +} + +// millRunOnce performs compression and removal of stale log files. +// Log files are compressed if enabled via configuration and old log +// files are removed, keeping at most l.MaxBackups files, as long as +// none of them are older than MaxAge. +func (l *Logger) millRunOnce() error { + if l.MaxBackups == 0 && l.MaxAge == 0 && !l.Compress { + return nil + } + + files, err := l.oldLogFiles() + if err != nil { + return err + } + + var compress, remove []logInfo + + if l.MaxBackups > 0 && l.MaxBackups < len(files) { + preserved := make(map[string]bool) + var remaining []logInfo + for _, f := range files { + // Only count the uncompressed log file or the + // compressed log file, not both. + fn := f.Name() + if strings.HasSuffix(fn, compressSuffix) { + fn = fn[:len(fn)-len(compressSuffix)] + } + preserved[fn] = true + + if len(preserved) > l.MaxBackups { + remove = append(remove, f) + } else { + remaining = append(remaining, f) + } + } + files = remaining + } + if l.MaxAge > 0 { + diff := time.Duration(int64(24*time.Hour) * int64(l.MaxAge)) + cutoff := currentTime().Add(-1 * diff) + + var remaining []logInfo + for _, f := range files { + if f.timestamp.Before(cutoff) { + remove = append(remove, f) + } else { + remaining = append(remaining, f) + } + } + files = remaining + } + + if l.Compress { + for _, f := range files { + if !strings.HasSuffix(f.Name(), compressSuffix) { + compress = append(compress, f) + } + } + } + + for _, f := range remove { + errRemove := os.Remove(filepath.Join(l.dir(), f.Name())) + if err == nil && errRemove != nil { + err = errRemove + } + } + for _, f := range compress { + fn := filepath.Join(l.dir(), f.Name()) + errCompress := compressLogFile(fn, fn+compressSuffix) + if err == nil && errCompress != nil { + err = errCompress + } + } + + return err +} + +// millRun runs in a goroutine to manage post-rotation compression and removal +// of old log files. +func (l *Logger) millRun() { + for range l.millCh { + // what am I going to do, log this? + _ = l.millRunOnce() + } +} + +// mill performs post-rotation compression and removal of stale log files, +// starting the mill goroutine if necessary. +func (l *Logger) mill() { + l.startMill.Do(func() { + l.millCh = make(chan bool, 1) + go l.millRun() + }) + select { + case l.millCh <- true: + default: + } +} + +// oldLogFiles returns the list of backup log files stored in the same +// directory as the current log file, sorted by ModTime +func (l *Logger) oldLogFiles() ([]logInfo, error) { + files, err := ioutil.ReadDir(l.dir()) + if err != nil { + return nil, fmt.Errorf("can't read log file directory: %s", err) + } + logFiles := []logInfo{} + + prefix, ext := l.prefixAndExt() + + for _, f := range files { + if f.IsDir() { + continue + } + if t, err := l.timeFromName(f.Name(), prefix, ext); err == nil { + logFiles = append(logFiles, logInfo{t, f}) + continue + } + if t, err := l.timeFromName(f.Name(), prefix, ext+compressSuffix); err == nil { + logFiles = append(logFiles, logInfo{t, f}) + continue + } + // error parsing means that the suffix at the end was not generated + // by lumberjack, and therefore it's not a backup file. + } + + sort.Sort(byFormatTime(logFiles)) + + return logFiles, nil +} + +// timeFromName extracts the formatted time from the filename by stripping off +// the filename's prefix and extension. This prevents someone's filename from +// confusing time.parse. +func (l *Logger) timeFromName(filename, prefix, ext string) (time.Time, error) { + if !strings.HasPrefix(filename, prefix) { + return time.Time{}, errors.New("mismatched prefix") + } + if !strings.HasSuffix(filename, ext) { + return time.Time{}, errors.New("mismatched extension") + } + ts := filename[len(prefix) : len(filename)-len(ext)] + return time.Parse(backupTimeFormat, ts) +} + +// max returns the maximum size in bytes of log files before rolling. +func (l *Logger) max() int64 { + if l.MaxSize == 0 { + return int64(defaultMaxSize * megabyte) + } + return int64(l.MaxSize) * int64(megabyte) +} + +// dir returns the directory for the current filename. +func (l *Logger) dir() string { + return filepath.Dir(l.filename()) +} + +// prefixAndExt returns the filename part and extension part from the Logger's +// filename. +func (l *Logger) prefixAndExt() (prefix, ext string) { + filename := filepath.Base(l.filename()) + ext = filepath.Ext(filename) + prefix = filename[:len(filename)-len(ext)] + "-" + return prefix, ext +} + +// compressLogFile compresses the given log file, removing the +// uncompressed log file if successful. +func compressLogFile(src, dst string) (err error) { + f, err := os.Open(src) + if err != nil { + return fmt.Errorf("failed to open log file: %v", err) + } + defer f.Close() + + fi, err := osStat(src) + if err != nil { + return fmt.Errorf("failed to stat log file: %v", err) + } + + if err := chown(dst, fi); err != nil { + return fmt.Errorf("failed to chown compressed log file: %v", err) + } + + // If this file already exists, we presume it was created by + // a previous attempt to compress the log file. + gzf, err := os.OpenFile(dst, os.O_CREATE|os.O_TRUNC|os.O_WRONLY, fi.Mode()) + if err != nil { + return fmt.Errorf("failed to open compressed log file: %v", err) + } + defer gzf.Close() + + gz := gzip.NewWriter(gzf) + + defer func() { + if err != nil { + os.Remove(dst) + err = fmt.Errorf("failed to compress log file: %v", err) + } + }() + + if _, err := io.Copy(gz, f); err != nil { + return err + } + if err := gz.Close(); err != nil { + return err + } + if err := gzf.Close(); err != nil { + return err + } + + if err := f.Close(); err != nil { + return err + } + if err := os.Remove(src); err != nil { + return err + } + + return nil +} + +// logInfo is a convenience struct to return the filename and its embedded +// timestamp. +type logInfo struct { + timestamp time.Time + os.FileInfo +} + +// byFormatTime sorts by newest time formatted in the name. +type byFormatTime []logInfo + +func (b byFormatTime) Less(i, j int) bool { + return b[i].timestamp.After(b[j].timestamp) +} + +func (b byFormatTime) Swap(i, j int) { + b[i], b[j] = b[j], b[i] +} + +func (b byFormatTime) Len() int { + return len(b) +} diff --git a/vendor/helm.sh/helm/v3/LICENSE b/vendor/helm.sh/helm/v3/LICENSE new file mode 100644 index 0000000000..21c57fae21 --- /dev/null +++ b/vendor/helm.sh/helm/v3/LICENSE @@ -0,0 +1,202 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright 2016 The Kubernetes Authors All Rights Reserved + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/vendor/helm.sh/helm/v3/internal/fileutil/fileutil.go b/vendor/helm.sh/helm/v3/internal/fileutil/fileutil.go new file mode 100644 index 0000000000..4ea09cca48 --- /dev/null +++ b/vendor/helm.sh/helm/v3/internal/fileutil/fileutil.go @@ -0,0 +1,50 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package fileutil + +import ( + "io" + "os" + "path/filepath" + + "helm.sh/helm/v3/internal/third_party/dep/fs" +) + +// AtomicWriteFile atomically (as atomic as os.Rename allows) writes a file to a +// disk. +func AtomicWriteFile(filename string, reader io.Reader, mode os.FileMode) error { + tempFile, err := os.CreateTemp(filepath.Split(filename)) + if err != nil { + return err + } + tempName := tempFile.Name() + + if _, err := io.Copy(tempFile, reader); err != nil { + tempFile.Close() // return value is ignored as we are already on error path + return err + } + + if err := tempFile.Close(); err != nil { + return err + } + + if err := os.Chmod(tempName, mode); err != nil { + return err + } + + return fs.RenameWithFallback(tempName, filename) +} diff --git a/vendor/helm.sh/helm/v3/internal/resolver/resolver.go b/vendor/helm.sh/helm/v3/internal/resolver/resolver.go new file mode 100644 index 0000000000..b6f45da9e2 --- /dev/null +++ b/vendor/helm.sh/helm/v3/internal/resolver/resolver.go @@ -0,0 +1,262 @@ +/* +Copyright The Helm Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package resolver + +import ( + "bytes" + "encoding/json" + "fmt" + "os" + "path/filepath" + "strings" + "time" + + "github.com/Masterminds/semver/v3" + "github.com/pkg/errors" + + "helm.sh/helm/v3/pkg/chart" + "helm.sh/helm/v3/pkg/chart/loader" + "helm.sh/helm/v3/pkg/helmpath" + "helm.sh/helm/v3/pkg/provenance" + "helm.sh/helm/v3/pkg/registry" + "helm.sh/helm/v3/pkg/repo" +) + +// Resolver resolves dependencies from semantic version ranges to a particular version. +type Resolver struct { + chartpath string + cachepath string + registryClient *registry.Client +} + +// New creates a new resolver for a given chart, helm home and registry client. +func New(chartpath, cachepath string, registryClient *registry.Client) *Resolver { + return &Resolver{ + chartpath: chartpath, + cachepath: cachepath, + registryClient: registryClient, + } +} + +// Resolve resolves dependencies and returns a lock file with the resolution. +func (r *Resolver) Resolve(reqs []*chart.Dependency, repoNames map[string]string) (*chart.Lock, error) { + + // Now we clone the dependencies, locking as we go. + locked := make([]*chart.Dependency, len(reqs)) + missing := []string{} + for i, d := range reqs { + constraint, err := semver.NewConstraint(d.Version) + if err != nil { + return nil, errors.Wrapf(err, "dependency %q has an invalid version/constraint format", d.Name) + } + + if d.Repository == "" { + // Local chart subfolder + if _, err := GetLocalPath(filepath.Join("charts", d.Name), r.chartpath); err != nil { + return nil, err + } + + locked[i] = &chart.Dependency{ + Name: d.Name, + Repository: "", + Version: d.Version, + } + continue + } + if strings.HasPrefix(d.Repository, "file://") { + chartpath, err := GetLocalPath(d.Repository, r.chartpath) + if err != nil { + return nil, err + } + + ch, err := loader.LoadDir(chartpath) + if err != nil { + return nil, err + } + + v, err := semver.NewVersion(ch.Metadata.Version) + if err != nil { + // Not a legit entry. + continue + } + + if !constraint.Check(v) { + missing = append(missing, fmt.Sprintf("%q (repository %q, version %q)", d.Name, d.Repository, d.Version)) + continue + } + + locked[i] = &chart.Dependency{ + Name: d.Name, + Repository: d.Repository, + Version: ch.Metadata.Version, + } + continue + } + + repoName := repoNames[d.Name] + // if the repository was not defined, but the dependency defines a repository url, bypass the cache + if repoName == "" && d.Repository != "" { + locked[i] = &chart.Dependency{ + Name: d.Name, + Repository: d.Repository, + Version: d.Version, + } + continue + } + + var vs repo.ChartVersions + var version string + var ok bool + found := true + if !registry.IsOCI(d.Repository) { + repoIndex, err := repo.LoadIndexFile(filepath.Join(r.cachepath, helmpath.CacheIndexFile(repoName))) + if err != nil { + return nil, errors.Wrapf(err, "no cached repository for %s found. (try 'helm repo update')", repoName) + } + + vs, ok = repoIndex.Entries[d.Name] + if !ok { + return nil, errors.Errorf("%s chart not found in repo %s", d.Name, d.Repository) + } + found = false + } else { + version = d.Version + + // Check to see if an explicit version has been provided + _, err := semver.NewVersion(version) + + // Use an explicit version, otherwise search for tags + if err == nil { + vs = []*repo.ChartVersion{{ + Metadata: &chart.Metadata{ + Version: version, + }, + }} + + } else { + // Retrieve list of tags for repository + ref := fmt.Sprintf("%s/%s", strings.TrimPrefix(d.Repository, fmt.Sprintf("%s://", registry.OCIScheme)), d.Name) + tags, err := r.registryClient.Tags(ref) + if err != nil { + return nil, errors.Wrapf(err, "could not retrieve list of tags for repository %s", d.Repository) + } + + vs = make(repo.ChartVersions, len(tags)) + for ti, t := range tags { + // Mock chart version objects + version := &repo.ChartVersion{ + Metadata: &chart.Metadata{ + Version: t, + }, + } + vs[ti] = version + } + } + } + + locked[i] = &chart.Dependency{ + Name: d.Name, + Repository: d.Repository, + Version: version, + } + // The versions are already sorted and hence the first one to satisfy the constraint is used + for _, ver := range vs { + v, err := semver.NewVersion(ver.Version) + // OCI does not need URLs + if err != nil || (!registry.IsOCI(d.Repository) && len(ver.URLs) == 0) { + // Not a legit entry. + continue + } + if constraint.Check(v) { + found = true + locked[i].Version = v.Original() + break + } + } + + if !found { + missing = append(missing, fmt.Sprintf("%q (repository %q, version %q)", d.Name, d.Repository, d.Version)) + } + } + if len(missing) > 0 { + return nil, errors.Errorf("can't get a valid version for %d subchart(s): %s. Make sure a matching chart version exists in the repo, or change the version constraint in Chart.yaml", len(missing), strings.Join(missing, ", ")) + } + + digest, err := HashReq(reqs, locked) + if err != nil { + return nil, err + } + + return &chart.Lock{ + Generated: time.Now(), + Digest: digest, + Dependencies: locked, + }, nil +} + +// HashReq generates a hash of the dependencies. +// +// This should be used only to compare against another hash generated by this +// function. +func HashReq(req, lock []*chart.Dependency) (string, error) { + data, err := json.Marshal([2][]*chart.Dependency{req, lock}) + if err != nil { + return "", err + } + s, err := provenance.Digest(bytes.NewBuffer(data)) + return "sha256:" + s, err +} + +// HashV2Req generates a hash of requirements generated in Helm v2. +// +// This should be used only to compare against another hash generated by the +// Helm v2 hash function. It is to handle issue: +// https://github.com/helm/helm/issues/7233 +func HashV2Req(req []*chart.Dependency) (string, error) { + dep := make(map[string][]*chart.Dependency) + dep["dependencies"] = req + data, err := json.Marshal(dep) + if err != nil { + return "", err + } + s, err := provenance.Digest(bytes.NewBuffer(data)) + return "sha256:" + s, err +} + +// GetLocalPath generates absolute local path when use +// "file://" in repository of dependencies +func GetLocalPath(repo, chartpath string) (string, error) { + var depPath string + var err error + p := strings.TrimPrefix(repo, "file://") + + // root path is absolute + if strings.HasPrefix(p, "/") { + if depPath, err = filepath.Abs(p); err != nil { + return "", err + } + } else { + depPath = filepath.Join(chartpath, p) + } + + if _, err = os.Stat(depPath); os.IsNotExist(err) { + return "", errors.Errorf("directory %s not found", depPath) + } else if err != nil { + return "", err + } + + return depPath, nil +} diff --git a/vendor/helm.sh/helm/v3/internal/sympath/walk.go b/vendor/helm.sh/helm/v3/internal/sympath/walk.go new file mode 100644 index 0000000000..6b221fb6cc --- /dev/null +++ b/vendor/helm.sh/helm/v3/internal/sympath/walk.go @@ -0,0 +1,120 @@ +/* +Copyright (c) for portions of walk.go are held by The Go Authors, 2009 and are +provided under the BSD license. + +https://github.com/golang/go/blob/master/LICENSE + +Copyright The Helm Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package sympath + +import ( + "log" + "os" + "path/filepath" + "sort" + + "github.com/pkg/errors" +) + +// Walk walks the file tree rooted at root, calling walkFn for each file or directory +// in the tree, including root. All errors that arise visiting files and directories +// are filtered by walkFn. The files are walked in lexical order, which makes the +// output deterministic but means that for very large directories Walk can be +// inefficient. Walk follows symbolic links. +func Walk(root string, walkFn filepath.WalkFunc) error { + info, err := os.Lstat(root) + if err != nil { + err = walkFn(root, nil, err) + } else { + err = symwalk(root, info, walkFn) + } + if err == filepath.SkipDir { + return nil + } + return err +} + +// readDirNames reads the directory named by dirname and returns +// a sorted list of directory entries. +func readDirNames(dirname string) ([]string, error) { + f, err := os.Open(dirname) + if err != nil { + return nil, err + } + names, err := f.Readdirnames(-1) + f.Close() + if err != nil { + return nil, err + } + sort.Strings(names) + return names, nil +} + +// symwalk recursively descends path, calling walkFn. +func symwalk(path string, info os.FileInfo, walkFn filepath.WalkFunc) error { + // Recursively walk symlinked directories. + if IsSymlink(info) { + resolved, err := filepath.EvalSymlinks(path) + if err != nil { + return errors.Wrapf(err, "error evaluating symlink %s", path) + } + //This log message is to highlight a symlink that is being used within a chart, symlinks can be used for nefarious reasons. + log.Printf("found symbolic link in path: %s resolves to %s. Contents of linked file included and used", path, resolved) + if info, err = os.Lstat(resolved); err != nil { + return err + } + if err := symwalk(path, info, walkFn); err != nil && err != filepath.SkipDir { + return err + } + return nil + } + + if err := walkFn(path, info, nil); err != nil { + return err + } + + if !info.IsDir() { + return nil + } + + names, err := readDirNames(path) + if err != nil { + return walkFn(path, info, err) + } + + for _, name := range names { + filename := filepath.Join(path, name) + fileInfo, err := os.Lstat(filename) + if err != nil { + if err := walkFn(filename, fileInfo, err); err != nil && err != filepath.SkipDir { + return err + } + } else { + err = symwalk(filename, fileInfo, walkFn) + if err != nil { + if (!fileInfo.IsDir() && !IsSymlink(fileInfo)) || err != filepath.SkipDir { + return err + } + } + } + } + return nil +} + +// IsSymlink is used to determine if the fileinfo is a symbolic link. +func IsSymlink(fi os.FileInfo) bool { + return fi.Mode()&os.ModeSymlink != 0 +} diff --git a/vendor/helm.sh/helm/v3/internal/third_party/dep/fs/fs.go b/vendor/helm.sh/helm/v3/internal/third_party/dep/fs/fs.go new file mode 100644 index 0000000000..d29bb5f871 --- /dev/null +++ b/vendor/helm.sh/helm/v3/internal/third_party/dep/fs/fs.go @@ -0,0 +1,372 @@ +/* +Copyright (c) for portions of fs.go are held by The Go Authors, 2016 and are provided under +the BSD license. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are +met: + + * Redistributions of source code must retain the above copyright +notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above +copyright notice, this list of conditions and the following disclaimer +in the documentation and/or other materials provided with the +distribution. + * Neither the name of Google Inc. nor the names of its +contributors may be used to endorse or promote products derived from +this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +*/ + +package fs + +import ( + "io" + "os" + "path/filepath" + "runtime" + "syscall" + + "github.com/pkg/errors" +) + +// fs contains a copy of a few functions from dep tool code to avoid a dependency on golang/dep. +// This code is copied from https://github.com/golang/dep/blob/37d6c560cdf407be7b6cd035b23dba89df9275cf/internal/fs/fs.go +// No changes to the code were made other than removing some unused functions + +// RenameWithFallback attempts to rename a file or directory, but falls back to +// copying in the event of a cross-device link error. If the fallback copy +// succeeds, src is still removed, emulating normal rename behavior. +func RenameWithFallback(src, dst string) error { + _, err := os.Stat(src) + if err != nil { + return errors.Wrapf(err, "cannot stat %s", src) + } + + err = os.Rename(src, dst) + if err == nil { + return nil + } + + return renameFallback(err, src, dst) +} + +// renameByCopy attempts to rename a file or directory by copying it to the +// destination and then removing the src thus emulating the rename behavior. +func renameByCopy(src, dst string) error { + var cerr error + if dir, _ := IsDir(src); dir { + cerr = CopyDir(src, dst) + if cerr != nil { + cerr = errors.Wrap(cerr, "copying directory failed") + } + } else { + cerr = copyFile(src, dst) + if cerr != nil { + cerr = errors.Wrap(cerr, "copying file failed") + } + } + + if cerr != nil { + return errors.Wrapf(cerr, "rename fallback failed: cannot rename %s to %s", src, dst) + } + + return errors.Wrapf(os.RemoveAll(src), "cannot delete %s", src) +} + +var ( + errSrcNotDir = errors.New("source is not a directory") + errDstExist = errors.New("destination already exists") +) + +// CopyDir recursively copies a directory tree, attempting to preserve permissions. +// Source directory must exist, destination directory must *not* exist. +func CopyDir(src, dst string) error { + src = filepath.Clean(src) + dst = filepath.Clean(dst) + + // We use os.Lstat() here to ensure we don't fall in a loop where a symlink + // actually links to a one of its parent directories. + fi, err := os.Lstat(src) + if err != nil { + return err + } + if !fi.IsDir() { + return errSrcNotDir + } + + _, err = os.Stat(dst) + if err != nil && !os.IsNotExist(err) { + return err + } + if err == nil { + return errDstExist + } + + if err = os.MkdirAll(dst, fi.Mode()); err != nil { + return errors.Wrapf(err, "cannot mkdir %s", dst) + } + + entries, err := os.ReadDir(src) + if err != nil { + return errors.Wrapf(err, "cannot read directory %s", dst) + } + + for _, entry := range entries { + srcPath := filepath.Join(src, entry.Name()) + dstPath := filepath.Join(dst, entry.Name()) + + if entry.IsDir() { + if err = CopyDir(srcPath, dstPath); err != nil { + return errors.Wrap(err, "copying directory failed") + } + } else { + // This will include symlinks, which is what we want when + // copying things. + if err = copyFile(srcPath, dstPath); err != nil { + return errors.Wrap(err, "copying file failed") + } + } + } + + return nil +} + +// copyFile copies the contents of the file named src to the file named +// by dst. The file will be created if it does not already exist. If the +// destination file exists, all its contents will be replaced by the contents +// of the source file. The file mode will be copied from the source. +func copyFile(src, dst string) (err error) { + if sym, err := IsSymlink(src); err != nil { + return errors.Wrap(err, "symlink check failed") + } else if sym { + if err := cloneSymlink(src, dst); err != nil { + if runtime.GOOS == "windows" { + // If cloning the symlink fails on Windows because the user + // does not have the required privileges, ignore the error and + // fall back to copying the file contents. + // + // ERROR_PRIVILEGE_NOT_HELD is 1314 (0x522): + // https://msdn.microsoft.com/en-us/library/windows/desktop/ms681385(v=vs.85).aspx + if lerr, ok := err.(*os.LinkError); ok && lerr.Err != syscall.Errno(1314) { + return err + } + } else { + return err + } + } else { + return nil + } + } + + in, err := os.Open(src) + if err != nil { + return + } + defer in.Close() + + out, err := os.Create(dst) + if err != nil { + return + } + + if _, err = io.Copy(out, in); err != nil { + out.Close() + return + } + + // Check for write errors on Close + if err = out.Close(); err != nil { + return + } + + si, err := os.Stat(src) + if err != nil { + return + } + + // Temporary fix for Go < 1.9 + // + // See: https://github.com/golang/dep/issues/774 + // and https://github.com/golang/go/issues/20829 + if runtime.GOOS == "windows" { + dst = fixLongPath(dst) + } + err = os.Chmod(dst, si.Mode()) + + return +} + +// cloneSymlink will create a new symlink that points to the resolved path of sl. +// If sl is a relative symlink, dst will also be a relative symlink. +func cloneSymlink(sl, dst string) error { + resolved, err := os.Readlink(sl) + if err != nil { + return err + } + + return os.Symlink(resolved, dst) +} + +// IsDir determines is the path given is a directory or not. +func IsDir(name string) (bool, error) { + fi, err := os.Stat(name) + if err != nil { + return false, err + } + if !fi.IsDir() { + return false, errors.Errorf("%q is not a directory", name) + } + return true, nil +} + +// IsSymlink determines if the given path is a symbolic link. +func IsSymlink(path string) (bool, error) { + l, err := os.Lstat(path) + if err != nil { + return false, err + } + + return l.Mode()&os.ModeSymlink == os.ModeSymlink, nil +} + +// fixLongPath returns the extended-length (\\?\-prefixed) form of +// path when needed, in order to avoid the default 260 character file +// path limit imposed by Windows. If path is not easily converted to +// the extended-length form (for example, if path is a relative path +// or contains .. elements), or is short enough, fixLongPath returns +// path unmodified. +// +// See https://msdn.microsoft.com/en-us/library/windows/desktop/aa365247(v=vs.85).aspx#maxpath +func fixLongPath(path string) string { + // Do nothing (and don't allocate) if the path is "short". + // Empirically (at least on the Windows Server 2013 builder), + // the kernel is arbitrarily okay with < 248 bytes. That + // matches what the docs above say: + // "When using an API to create a directory, the specified + // path cannot be so long that you cannot append an 8.3 file + // name (that is, the directory name cannot exceed MAX_PATH + // minus 12)." Since MAX_PATH is 260, 260 - 12 = 248. + // + // The MSDN docs appear to say that a normal path that is 248 bytes long + // will work; empirically the path must be less than 248 bytes long. + if len(path) < 248 { + // Don't fix. (This is how Go 1.7 and earlier worked, + // not automatically generating the \\?\ form) + return path + } + + // The extended form begins with \\?\, as in + // \\?\c:\windows\foo.txt or \\?\UNC\server\share\foo.txt. + // The extended form disables evaluation of . and .. path + // elements and disables the interpretation of / as equivalent + // to \. The conversion here rewrites / to \ and elides + // . elements as well as trailing or duplicate separators. For + // simplicity it avoids the conversion entirely for relative + // paths or paths containing .. elements. For now, + // \\server\share paths are not converted to + // \\?\UNC\server\share paths because the rules for doing so + // are less well-specified. + if len(path) >= 2 && path[:2] == `\\` { + // Don't canonicalize UNC paths. + return path + } + if !isAbs(path) { + // Relative path + return path + } + + const prefix = `\\?` + + pathbuf := make([]byte, len(prefix)+len(path)+len(`\`)) + copy(pathbuf, prefix) + n := len(path) + r, w := 0, len(prefix) + for r < n { + switch { + case os.IsPathSeparator(path[r]): + // empty block + r++ + case path[r] == '.' && (r+1 == n || os.IsPathSeparator(path[r+1])): + // /./ + r++ + case r+1 < n && path[r] == '.' && path[r+1] == '.' && (r+2 == n || os.IsPathSeparator(path[r+2])): + // /../ is currently unhandled + return path + default: + pathbuf[w] = '\\' + w++ + for ; r < n && !os.IsPathSeparator(path[r]); r++ { + pathbuf[w] = path[r] + w++ + } + } + } + // A drive's root directory needs a trailing \ + if w == len(`\\?\c:`) { + pathbuf[w] = '\\' + w++ + } + return string(pathbuf[:w]) +} + +func isAbs(path string) (b bool) { + v := volumeName(path) + if v == "" { + return false + } + path = path[len(v):] + if path == "" { + return false + } + return os.IsPathSeparator(path[0]) +} + +func volumeName(path string) (v string) { + if len(path) < 2 { + return "" + } + // with drive letter + c := path[0] + if path[1] == ':' && + ('0' <= c && c <= '9' || 'a' <= c && c <= 'z' || + 'A' <= c && c <= 'Z') { + return path[:2] + } + // is it UNC + if l := len(path); l >= 5 && os.IsPathSeparator(path[0]) && os.IsPathSeparator(path[1]) && + !os.IsPathSeparator(path[2]) && path[2] != '.' { + // first, leading `\\` and next shouldn't be `\`. its server name. + for n := 3; n < l-1; n++ { + // second, next '\' shouldn't be repeated. + if os.IsPathSeparator(path[n]) { + n++ + // third, following something characters. its share name. + if !os.IsPathSeparator(path[n]) { + if path[n] == '.' { + break + } + for ; n < l; n++ { + if os.IsPathSeparator(path[n]) { + break + } + } + return path[:n] + } + break + } + } + } + return "" +} diff --git a/vendor/helm.sh/helm/v3/internal/third_party/dep/fs/rename.go b/vendor/helm.sh/helm/v3/internal/third_party/dep/fs/rename.go new file mode 100644 index 0000000000..a3e5e56a61 --- /dev/null +++ b/vendor/helm.sh/helm/v3/internal/third_party/dep/fs/rename.go @@ -0,0 +1,58 @@ +//go:build !windows + +/* +Copyright (c) for portions of rename.go are held by The Go Authors, 2016 and are provided under +the BSD license. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are +met: + + * Redistributions of source code must retain the above copyright +notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above +copyright notice, this list of conditions and the following disclaimer +in the documentation and/or other materials provided with the +distribution. + * Neither the name of Google Inc. nor the names of its +contributors may be used to endorse or promote products derived from +this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +*/ + +package fs + +import ( + "os" + "syscall" + + "github.com/pkg/errors" +) + +// renameFallback attempts to determine the appropriate fallback to failed rename +// operation depending on the resulting error. +func renameFallback(err error, src, dst string) error { + // Rename may fail if src and dst are on different devices; fall back to + // copy if we detect that case. syscall.EXDEV is the common name for the + // cross device link error which has varying output text across different + // operating systems. + terr, ok := err.(*os.LinkError) + if !ok { + return err + } else if terr.Err != syscall.EXDEV { + return errors.Wrapf(terr, "link error: cannot rename %s to %s", src, dst) + } + + return renameByCopy(src, dst) +} diff --git a/vendor/helm.sh/helm/v3/internal/third_party/dep/fs/rename_windows.go b/vendor/helm.sh/helm/v3/internal/third_party/dep/fs/rename_windows.go new file mode 100644 index 0000000000..a377720a6f --- /dev/null +++ b/vendor/helm.sh/helm/v3/internal/third_party/dep/fs/rename_windows.go @@ -0,0 +1,69 @@ +//go:build windows + +/* +Copyright (c) for portions of rename_windows.go are held by The Go Authors, 2016 and are provided under +the BSD license. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are +met: + + * Redistributions of source code must retain the above copyright +notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above +copyright notice, this list of conditions and the following disclaimer +in the documentation and/or other materials provided with the +distribution. + * Neither the name of Google Inc. nor the names of its +contributors may be used to endorse or promote products derived from +this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +*/ + +package fs + +import ( + "os" + "syscall" + + "github.com/pkg/errors" +) + +// renameFallback attempts to determine the appropriate fallback to failed rename +// operation depending on the resulting error. +func renameFallback(err error, src, dst string) error { + // Rename may fail if src and dst are on different devices; fall back to + // copy if we detect that case. syscall.EXDEV is the common name for the + // cross device link error which has varying output text across different + // operating systems. + terr, ok := err.(*os.LinkError) + if !ok { + return err + } + + if terr.Err != syscall.EXDEV { + // In windows it can drop down to an operating system call that + // returns an operating system error with a different number and + // message. Checking for that as a fall back. + noerr, ok := terr.Err.(syscall.Errno) + + // 0x11 (ERROR_NOT_SAME_DEVICE) is the windows error. + // See https://msdn.microsoft.com/en-us/library/cc231199.aspx + if ok && noerr != 0x11 { + return errors.Wrapf(terr, "link error: cannot rename %s to %s", src, dst) + } + } + + return renameByCopy(src, dst) +} diff --git a/vendor/helm.sh/helm/v3/internal/third_party/k8s.io/kubernetes/deployment/util/deploymentutil.go b/vendor/helm.sh/helm/v3/internal/third_party/k8s.io/kubernetes/deployment/util/deploymentutil.go new file mode 100644 index 0000000000..ae62d0e6f8 --- /dev/null +++ b/vendor/helm.sh/helm/v3/internal/third_party/k8s.io/kubernetes/deployment/util/deploymentutil.go @@ -0,0 +1,178 @@ +/* +Copyright 2016 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package util + +import ( + "context" + "sort" + + apps "k8s.io/api/apps/v1" + v1 "k8s.io/api/core/v1" + apiequality "k8s.io/apimachinery/pkg/api/equality" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + intstrutil "k8s.io/apimachinery/pkg/util/intstr" + appsclient "k8s.io/client-go/kubernetes/typed/apps/v1" +) + +// deploymentutil contains a copy of a few functions from Kubernetes controller code to avoid a dependency on k8s.io/kubernetes. +// This code is copied from https://github.com/kubernetes/kubernetes/blob/e856613dd5bb00bcfaca6974431151b5c06cbed5/pkg/controller/deployment/util/deployment_util.go +// No changes to the code were made other than removing some unused functions + +// RsListFunc returns the ReplicaSet from the ReplicaSet namespace and the List metav1.ListOptions. +type RsListFunc func(string, metav1.ListOptions) ([]*apps.ReplicaSet, error) + +// ListReplicaSets returns a slice of RSes the given deployment targets. +// Note that this does NOT attempt to reconcile ControllerRef (adopt/orphan), +// because only the controller itself should do that. +// However, it does filter out anything whose ControllerRef doesn't match. +func ListReplicaSets(deployment *apps.Deployment, getRSList RsListFunc) ([]*apps.ReplicaSet, error) { + // TODO: Right now we list replica sets by their labels. We should list them by selector, i.e. the replica set's selector + // should be a superset of the deployment's selector, see https://github.com/kubernetes/kubernetes/issues/19830. + namespace := deployment.Namespace + selector, err := metav1.LabelSelectorAsSelector(deployment.Spec.Selector) + if err != nil { + return nil, err + } + options := metav1.ListOptions{LabelSelector: selector.String()} + all, err := getRSList(namespace, options) + if err != nil { + return nil, err + } + // Only include those whose ControllerRef matches the Deployment. + owned := make([]*apps.ReplicaSet, 0, len(all)) + for _, rs := range all { + if metav1.IsControlledBy(rs, deployment) { + owned = append(owned, rs) + } + } + return owned, nil +} + +// ReplicaSetsByCreationTimestamp sorts a list of ReplicaSet by creation timestamp, using their names as a tie breaker. +type ReplicaSetsByCreationTimestamp []*apps.ReplicaSet + +func (o ReplicaSetsByCreationTimestamp) Len() int { return len(o) } +func (o ReplicaSetsByCreationTimestamp) Swap(i, j int) { o[i], o[j] = o[j], o[i] } +func (o ReplicaSetsByCreationTimestamp) Less(i, j int) bool { + if o[i].CreationTimestamp.Equal(&o[j].CreationTimestamp) { + return o[i].Name < o[j].Name + } + return o[i].CreationTimestamp.Before(&o[j].CreationTimestamp) +} + +// FindNewReplicaSet returns the new RS this given deployment targets (the one with the same pod template). +func FindNewReplicaSet(deployment *apps.Deployment, rsList []*apps.ReplicaSet) *apps.ReplicaSet { + sort.Sort(ReplicaSetsByCreationTimestamp(rsList)) + for i := range rsList { + if EqualIgnoreHash(&rsList[i].Spec.Template, &deployment.Spec.Template) { + // In rare cases, such as after cluster upgrades, Deployment may end up with + // having more than one new ReplicaSets that have the same template as its template, + // see https://github.com/kubernetes/kubernetes/issues/40415 + // We deterministically choose the oldest new ReplicaSet. + return rsList[i] + } + } + // new ReplicaSet does not exist. + return nil +} + +// EqualIgnoreHash returns true if two given podTemplateSpec are equal, ignoring the diff in value of Labels[pod-template-hash] +// We ignore pod-template-hash because: +// 1. The hash result would be different upon podTemplateSpec API changes +// (e.g. the addition of a new field will cause the hash code to change) +// 2. The deployment template won't have hash labels +func EqualIgnoreHash(template1, template2 *v1.PodTemplateSpec) bool { + t1Copy := template1.DeepCopy() + t2Copy := template2.DeepCopy() + // Remove hash labels from template.Labels before comparing + delete(t1Copy.Labels, apps.DefaultDeploymentUniqueLabelKey) + delete(t2Copy.Labels, apps.DefaultDeploymentUniqueLabelKey) + return apiequality.Semantic.DeepEqual(t1Copy, t2Copy) +} + +// GetNewReplicaSet returns a replica set that matches the intent of the given deployment; get ReplicaSetList from client interface. +// Returns nil if the new replica set doesn't exist yet. +func GetNewReplicaSet(deployment *apps.Deployment, c appsclient.AppsV1Interface) (*apps.ReplicaSet, error) { + rsList, err := ListReplicaSets(deployment, RsListFromClient(c)) + if err != nil { + return nil, err + } + return FindNewReplicaSet(deployment, rsList), nil +} + +// RsListFromClient returns an rsListFunc that wraps the given client. +func RsListFromClient(c appsclient.AppsV1Interface) RsListFunc { + return func(namespace string, options metav1.ListOptions) ([]*apps.ReplicaSet, error) { + rsList, err := c.ReplicaSets(namespace).List(context.Background(), options) + if err != nil { + return nil, err + } + var ret []*apps.ReplicaSet + for i := range rsList.Items { + ret = append(ret, &rsList.Items[i]) + } + return ret, err + } +} + +// IsRollingUpdate returns true if the strategy type is a rolling update. +func IsRollingUpdate(deployment *apps.Deployment) bool { + return deployment.Spec.Strategy.Type == apps.RollingUpdateDeploymentStrategyType +} + +// MaxUnavailable returns the maximum unavailable pods a rolling deployment can take. +func MaxUnavailable(deployment apps.Deployment) int32 { + if !IsRollingUpdate(&deployment) || *(deployment.Spec.Replicas) == 0 { + return int32(0) + } + // Error caught by validation + _, maxUnavailable, _ := ResolveFenceposts(deployment.Spec.Strategy.RollingUpdate.MaxSurge, deployment.Spec.Strategy.RollingUpdate.MaxUnavailable, *(deployment.Spec.Replicas)) + if maxUnavailable > *deployment.Spec.Replicas { + return *deployment.Spec.Replicas + } + return maxUnavailable +} + +// ResolveFenceposts resolves both maxSurge and maxUnavailable. This needs to happen in one +// step. For example: +// +// 2 desired, max unavailable 1%, surge 0% - should scale old(-1), then new(+1), then old(-1), then new(+1) +// 1 desired, max unavailable 1%, surge 0% - should scale old(-1), then new(+1) +// 2 desired, max unavailable 25%, surge 1% - should scale new(+1), then old(-1), then new(+1), then old(-1) +// 1 desired, max unavailable 25%, surge 1% - should scale new(+1), then old(-1) +// 2 desired, max unavailable 0%, surge 1% - should scale new(+1), then old(-1), then new(+1), then old(-1) +// 1 desired, max unavailable 0%, surge 1% - should scale new(+1), then old(-1) +func ResolveFenceposts(maxSurge, maxUnavailable *intstrutil.IntOrString, desired int32) (int32, int32, error) { + surge, err := intstrutil.GetValueFromIntOrPercent(intstrutil.ValueOrDefault(maxSurge, intstrutil.FromInt(0)), int(desired), true) + if err != nil { + return 0, 0, err + } + unavailable, err := intstrutil.GetValueFromIntOrPercent(intstrutil.ValueOrDefault(maxUnavailable, intstrutil.FromInt(0)), int(desired), false) + if err != nil { + return 0, 0, err + } + + if surge == 0 && unavailable == 0 { + // Validation should never allow the user to explicitly use zero values for both maxSurge + // maxUnavailable. Due to rounding down maxUnavailable though, it may resolve to zero. + // If both fenceposts resolve to zero, then we should set maxUnavailable to 1 on the + // theory that surge might not work due to quota. + unavailable = 1 + } + + return int32(surge), int32(unavailable), nil +} diff --git a/vendor/helm.sh/helm/v3/internal/tlsutil/cfg.go b/vendor/helm.sh/helm/v3/internal/tlsutil/cfg.go new file mode 100644 index 0000000000..8b9d4329fe --- /dev/null +++ b/vendor/helm.sh/helm/v3/internal/tlsutil/cfg.go @@ -0,0 +1,58 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package tlsutil + +import ( + "crypto/tls" + "crypto/x509" + "os" + + "github.com/pkg/errors" +) + +// Options represents configurable options used to create client and server TLS configurations. +type Options struct { + CaCertFile string + // If either the KeyFile or CertFile is empty, ClientConfig() will not load them. + KeyFile string + CertFile string + // Client-only options + InsecureSkipVerify bool +} + +// ClientConfig returns a TLS configuration for use by a Helm client. +func ClientConfig(opts Options) (cfg *tls.Config, err error) { + var cert *tls.Certificate + var pool *x509.CertPool + + if opts.CertFile != "" || opts.KeyFile != "" { + if cert, err = CertFromFilePair(opts.CertFile, opts.KeyFile); err != nil { + if os.IsNotExist(err) { + return nil, errors.Wrapf(err, "could not load x509 key pair (cert: %q, key: %q)", opts.CertFile, opts.KeyFile) + } + return nil, errors.Wrapf(err, "could not read x509 key pair (cert: %q, key: %q)", opts.CertFile, opts.KeyFile) + } + } + if !opts.InsecureSkipVerify && opts.CaCertFile != "" { + if pool, err = CertPoolFromFile(opts.CaCertFile); err != nil { + return nil, err + } + } + + cfg = &tls.Config{InsecureSkipVerify: opts.InsecureSkipVerify, Certificates: []tls.Certificate{*cert}, RootCAs: pool} + return cfg, nil +} diff --git a/vendor/helm.sh/helm/v3/internal/tlsutil/tls.go b/vendor/helm.sh/helm/v3/internal/tlsutil/tls.go new file mode 100644 index 0000000000..7cd1dace96 --- /dev/null +++ b/vendor/helm.sh/helm/v3/internal/tlsutil/tls.go @@ -0,0 +1,78 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package tlsutil + +import ( + "crypto/tls" + "crypto/x509" + "os" + + "github.com/pkg/errors" +) + +// NewClientTLS returns tls.Config appropriate for client auth. +func NewClientTLS(certFile, keyFile, caFile string, insecureSkipTLSverify bool) (*tls.Config, error) { + config := tls.Config{ + InsecureSkipVerify: insecureSkipTLSverify, + } + + if certFile != "" && keyFile != "" { + cert, err := CertFromFilePair(certFile, keyFile) + if err != nil { + return nil, err + } + config.Certificates = []tls.Certificate{*cert} + } + + if caFile != "" { + cp, err := CertPoolFromFile(caFile) + if err != nil { + return nil, err + } + config.RootCAs = cp + } + + return &config, nil +} + +// CertPoolFromFile returns an x509.CertPool containing the certificates +// in the given PEM-encoded file. +// Returns an error if the file could not be read, a certificate could not +// be parsed, or if the file does not contain any certificates +func CertPoolFromFile(filename string) (*x509.CertPool, error) { + b, err := os.ReadFile(filename) + if err != nil { + return nil, errors.Errorf("can't read CA file: %v", filename) + } + cp := x509.NewCertPool() + if !cp.AppendCertsFromPEM(b) { + return nil, errors.Errorf("failed to append certificates from file: %s", filename) + } + return cp, nil +} + +// CertFromFilePair returns a tls.Certificate containing the +// certificates public/private key pair from a pair of given PEM-encoded files. +// Returns an error if the file could not be read, a certificate could not +// be parsed, or if the file does not contain any certificates +func CertFromFilePair(certFile, keyFile string) (*tls.Certificate, error) { + cert, err := tls.LoadX509KeyPair(certFile, keyFile) + if err != nil { + return nil, errors.Wrapf(err, "can't load key pair from cert %s and key %s", certFile, keyFile) + } + return &cert, err +} diff --git a/vendor/helm.sh/helm/v3/internal/urlutil/urlutil.go b/vendor/helm.sh/helm/v3/internal/urlutil/urlutil.go new file mode 100644 index 0000000000..a8cf7398c0 --- /dev/null +++ b/vendor/helm.sh/helm/v3/internal/urlutil/urlutil.go @@ -0,0 +1,73 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package urlutil + +import ( + "net/url" + "path" + "path/filepath" +) + +// URLJoin joins a base URL to one or more path components. +// +// It's like filepath.Join for URLs. If the baseURL is pathish, this will still +// perform a join. +// +// If the URL is unparsable, this returns an error. +func URLJoin(baseURL string, paths ...string) (string, error) { + u, err := url.Parse(baseURL) + if err != nil { + return "", err + } + // We want path instead of filepath because path always uses /. + all := []string{u.Path} + all = append(all, paths...) + u.Path = path.Join(all...) + return u.String(), nil +} + +// Equal normalizes two URLs and then compares for equality. +func Equal(a, b string) bool { + au, err := url.Parse(a) + if err != nil { + a = filepath.Clean(a) + b = filepath.Clean(b) + // If urls are paths, return true only if they are an exact match + return a == b + } + bu, err := url.Parse(b) + if err != nil { + return false + } + + for _, u := range []*url.URL{au, bu} { + if u.Path == "" { + u.Path = "/" + } + u.Path = filepath.Clean(u.Path) + } + return au.String() == bu.String() +} + +// ExtractHostname returns hostname from URL +func ExtractHostname(addr string) (string, error) { + u, err := url.Parse(addr) + if err != nil { + return "", err + } + return u.Hostname(), nil +} diff --git a/vendor/helm.sh/helm/v3/internal/version/version.go b/vendor/helm.sh/helm/v3/internal/version/version.go new file mode 100644 index 0000000000..6f6f319b01 --- /dev/null +++ b/vendor/helm.sh/helm/v3/internal/version/version.go @@ -0,0 +1,81 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package version // import "helm.sh/helm/v3/internal/version" + +import ( + "flag" + "runtime" + "strings" +) + +var ( + // version is the current version of Helm. + // Update this whenever making a new release. + // The version is of the format Major.Minor.Patch[-Prerelease][+BuildMetadata] + // + // Increment major number for new feature additions and behavioral changes. + // Increment minor number for bug fixes and performance enhancements. + version = "v3.18" + + // metadata is extra build time data + metadata = "" + // gitCommit is the git sha1 + gitCommit = "" + // gitTreeState is the state of the git tree + gitTreeState = "" +) + +// BuildInfo describes the compile time information. +type BuildInfo struct { + // Version is the current semver. + Version string `json:"version,omitempty"` + // GitCommit is the git sha1. + GitCommit string `json:"git_commit,omitempty"` + // GitTreeState is the state of the git tree. + GitTreeState string `json:"git_tree_state,omitempty"` + // GoVersion is the version of the Go compiler used. + GoVersion string `json:"go_version,omitempty"` +} + +// GetVersion returns the semver string of the version +func GetVersion() string { + if metadata == "" { + return version + } + return version + "+" + metadata +} + +// GetUserAgent returns a user agent for user with an HTTP client +func GetUserAgent() string { + return "Helm/" + strings.TrimPrefix(GetVersion(), "v") +} + +// Get returns build info +func Get() BuildInfo { + v := BuildInfo{ + Version: GetVersion(), + GitCommit: gitCommit, + GitTreeState: gitTreeState, + GoVersion: runtime.Version(), + } + + // HACK(bacongobbler): strip out GoVersion during a test run for consistent test output + if flag.Lookup("test.v") != nil { + v.GoVersion = "" + } + return v +} diff --git a/vendor/helm.sh/helm/v3/pkg/action/action.go b/vendor/helm.sh/helm/v3/pkg/action/action.go new file mode 100644 index 0000000000..9aaf64ca46 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/action/action.go @@ -0,0 +1,437 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package action + +import ( + "bytes" + "fmt" + "io" + "os" + "path" + "path/filepath" + "regexp" + "strings" + + "github.com/pkg/errors" + "k8s.io/apimachinery/pkg/api/meta" + "k8s.io/cli-runtime/pkg/genericclioptions" + "k8s.io/client-go/discovery" + "k8s.io/client-go/kubernetes" + "k8s.io/client-go/rest" + + "helm.sh/helm/v3/pkg/chart" + "helm.sh/helm/v3/pkg/chartutil" + "helm.sh/helm/v3/pkg/engine" + "helm.sh/helm/v3/pkg/kube" + "helm.sh/helm/v3/pkg/postrender" + "helm.sh/helm/v3/pkg/registry" + "helm.sh/helm/v3/pkg/release" + "helm.sh/helm/v3/pkg/releaseutil" + "helm.sh/helm/v3/pkg/storage" + "helm.sh/helm/v3/pkg/storage/driver" + "helm.sh/helm/v3/pkg/time" +) + +// Timestamper is a function capable of producing a timestamp.Timestamper. +// +// By default, this is a time.Time function from the Helm time package. This can +// be overridden for testing though, so that timestamps are predictable. +var Timestamper = time.Now + +var ( + // errMissingChart indicates that a chart was not provided. + errMissingChart = errors.New("no chart provided") + // errMissingRelease indicates that a release (name) was not provided. + errMissingRelease = errors.New("no release provided") + // errInvalidRevision indicates that an invalid release revision number was provided. + errInvalidRevision = errors.New("invalid release revision") + // errPending indicates that another instance of Helm is already applying an operation on a release. + errPending = errors.New("another operation (install/upgrade/rollback) is in progress") +) + +// ValidName is a regular expression for resource names. +// +// DEPRECATED: This will be removed in Helm 4, and is no longer used here. See +// pkg/lint/rules.validateMetadataNameFunc for the replacement. +// +// According to the Kubernetes help text, the regular expression it uses is: +// +// [a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)* +// +// This follows the above regular expression (but requires a full string match, not partial). +// +// The Kubernetes documentation is here, though it is not entirely correct: +// https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names +var ValidName = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$`) + +// Configuration injects the dependencies that all actions share. +type Configuration struct { + // RESTClientGetter is an interface that loads Kubernetes clients. + RESTClientGetter RESTClientGetter + + // Releases stores records of releases. + Releases *storage.Storage + + // KubeClient is a Kubernetes API client. + KubeClient kube.Interface + + // RegistryClient is a client for working with registries + RegistryClient *registry.Client + + // Capabilities describes the capabilities of the Kubernetes cluster. + Capabilities *chartutil.Capabilities + + Log func(string, ...interface{}) + + // HookOutputFunc called with container name and returns and expects writer that will receive the log output. + HookOutputFunc func(namespace, pod, container string) io.Writer +} + +// renderResources renders the templates in a chart +// +// TODO: This function is badly in need of a refactor. +// TODO: As part of the refactor the duplicate code in cmd/helm/template.go should be removed +// +// This code has to do with writing files to disk. +func (cfg *Configuration) renderResources(ch *chart.Chart, values chartutil.Values, releaseName, outputDir string, subNotes, useReleaseName, includeCrds bool, pr postrender.PostRenderer, interactWithRemote, enableDNS, hideSecret bool) ([]*release.Hook, *bytes.Buffer, string, error) { + hs := []*release.Hook{} + b := bytes.NewBuffer(nil) + + caps, err := cfg.getCapabilities() + if err != nil { + return hs, b, "", err + } + + if ch.Metadata.KubeVersion != "" { + if !chartutil.IsCompatibleRange(ch.Metadata.KubeVersion, caps.KubeVersion.String()) { + return hs, b, "", errors.Errorf("chart requires kubeVersion: %s which is incompatible with Kubernetes %s", ch.Metadata.KubeVersion, caps.KubeVersion.String()) + } + } + + var files map[string]string + var err2 error + + // A `helm template` should not talk to the remote cluster. However, commands with the flag + // `--dry-run` with the value of `false`, `none`, or `server` should try to interact with the cluster. + // It may break in interesting and exotic ways because other data (e.g. discovery) is mocked. + if interactWithRemote && cfg.RESTClientGetter != nil { + restConfig, err := cfg.RESTClientGetter.ToRESTConfig() + if err != nil { + return hs, b, "", err + } + e := engine.New(restConfig) + e.EnableDNS = enableDNS + files, err2 = e.Render(ch, values) + } else { + var e engine.Engine + e.EnableDNS = enableDNS + files, err2 = e.Render(ch, values) + } + + if err2 != nil { + return hs, b, "", err2 + } + + // NOTES.txt gets rendered like all the other files, but because it's not a hook nor a resource, + // pull it out of here into a separate file so that we can actually use the output of the rendered + // text file. We have to spin through this map because the file contains path information, so we + // look for terminating NOTES.txt. We also remove it from the files so that we don't have to skip + // it in the sortHooks. + var notesBuffer bytes.Buffer + for k, v := range files { + if strings.HasSuffix(k, notesFileSuffix) { + if subNotes || (k == path.Join(ch.Name(), "templates", notesFileSuffix)) { + // If buffer contains data, add newline before adding more + if notesBuffer.Len() > 0 { + notesBuffer.WriteString("\n") + } + notesBuffer.WriteString(v) + } + delete(files, k) + } + } + notes := notesBuffer.String() + + // Sort hooks, manifests, and partials. Only hooks and manifests are returned, + // as partials are not used after renderer.Render. Empty manifests are also + // removed here. + hs, manifests, err := releaseutil.SortManifests(files, nil, releaseutil.InstallOrder) + if err != nil { + // By catching parse errors here, we can prevent bogus releases from going + // to Kubernetes. + // + // We return the files as a big blob of data to help the user debug parser + // errors. + for name, content := range files { + if strings.TrimSpace(content) == "" { + continue + } + fmt.Fprintf(b, "---\n# Source: %s\n%s\n", name, content) + } + return hs, b, "", err + } + + // Aggregate all valid manifests into one big doc. + fileWritten := make(map[string]bool) + + if includeCrds { + for _, crd := range ch.CRDObjects() { + if outputDir == "" { + fmt.Fprintf(b, "---\n# Source: %s\n%s\n", crd.Filename, string(crd.File.Data[:])) + } else { + err = writeToFile(outputDir, crd.Filename, string(crd.File.Data[:]), fileWritten[crd.Filename]) + if err != nil { + return hs, b, "", err + } + fileWritten[crd.Filename] = true + } + } + } + + for _, m := range manifests { + if outputDir == "" { + if hideSecret && m.Head.Kind == "Secret" && m.Head.Version == "v1" { + fmt.Fprintf(b, "---\n# Source: %s\n# HIDDEN: The Secret output has been suppressed\n", m.Name) + } else { + fmt.Fprintf(b, "---\n# Source: %s\n%s\n", m.Name, m.Content) + } + } else { + newDir := outputDir + if useReleaseName { + newDir = filepath.Join(outputDir, releaseName) + } + // NOTE: We do not have to worry about the post-renderer because + // output dir is only used by `helm template`. In the next major + // release, we should move this logic to template only as it is not + // used by install or upgrade + err = writeToFile(newDir, m.Name, m.Content, fileWritten[m.Name]) + if err != nil { + return hs, b, "", err + } + fileWritten[m.Name] = true + } + } + + if pr != nil { + b, err = pr.Run(b) + if err != nil { + return hs, b, notes, errors.Wrap(err, "error while running post render on files") + } + } + + return hs, b, notes, nil +} + +// RESTClientGetter gets the rest client +type RESTClientGetter interface { + ToRESTConfig() (*rest.Config, error) + ToDiscoveryClient() (discovery.CachedDiscoveryInterface, error) + ToRESTMapper() (meta.RESTMapper, error) +} + +// DebugLog sets the logger that writes debug strings +type DebugLog func(format string, v ...interface{}) + +// capabilities builds a Capabilities from discovery information. +func (cfg *Configuration) getCapabilities() (*chartutil.Capabilities, error) { + if cfg.Capabilities != nil { + return cfg.Capabilities, nil + } + dc, err := cfg.RESTClientGetter.ToDiscoveryClient() + if err != nil { + return nil, errors.Wrap(err, "could not get Kubernetes discovery client") + } + // force a discovery cache invalidation to always fetch the latest server version/capabilities. + dc.Invalidate() + kubeVersion, err := dc.ServerVersion() + if err != nil { + return nil, errors.Wrap(err, "could not get server version from Kubernetes") + } + // Issue #6361: + // Client-Go emits an error when an API service is registered but unimplemented. + // We trap that error here and print a warning. But since the discovery client continues + // building the API object, it is correctly populated with all valid APIs. + // See https://github.com/kubernetes/kubernetes/issues/72051#issuecomment-521157642 + apiVersions, err := GetVersionSet(dc) + if err != nil { + if discovery.IsGroupDiscoveryFailedError(err) { + cfg.Log("WARNING: The Kubernetes server has an orphaned API service. Server reports: %s", err) + cfg.Log("WARNING: To fix this, kubectl delete apiservice ") + } else { + return nil, errors.Wrap(err, "could not get apiVersions from Kubernetes") + } + } + + cfg.Capabilities = &chartutil.Capabilities{ + APIVersions: apiVersions, + KubeVersion: chartutil.KubeVersion{ + Version: kubeVersion.GitVersion, + Major: kubeVersion.Major, + Minor: kubeVersion.Minor, + }, + HelmVersion: chartutil.DefaultCapabilities.HelmVersion, + } + return cfg.Capabilities, nil +} + +// KubernetesClientSet creates a new kubernetes ClientSet based on the configuration +func (cfg *Configuration) KubernetesClientSet() (kubernetes.Interface, error) { + conf, err := cfg.RESTClientGetter.ToRESTConfig() + if err != nil { + return nil, errors.Wrap(err, "unable to generate config for kubernetes client") + } + + return kubernetes.NewForConfig(conf) +} + +// Now generates a timestamp +// +// If the configuration has a Timestamper on it, that will be used. +// Otherwise, this will use time.Now(). +func (cfg *Configuration) Now() time.Time { + return Timestamper() +} + +func (cfg *Configuration) releaseContent(name string, version int) (*release.Release, error) { + if err := chartutil.ValidateReleaseName(name); err != nil { + return nil, errors.Errorf("releaseContent: Release name is invalid: %s", name) + } + + if version <= 0 { + return cfg.Releases.Last(name) + } + + return cfg.Releases.Get(name, version) +} + +// GetVersionSet retrieves a set of available k8s API versions +func GetVersionSet(client discovery.ServerResourcesInterface) (chartutil.VersionSet, error) { + groups, resources, err := client.ServerGroupsAndResources() + if err != nil && !discovery.IsGroupDiscoveryFailedError(err) { + return chartutil.DefaultVersionSet, errors.Wrap(err, "could not get apiVersions from Kubernetes") + } + + // FIXME: The Kubernetes test fixture for cli appears to always return nil + // for calls to Discovery().ServerGroupsAndResources(). So in this case, we + // return the default API list. This is also a safe value to return in any + // other odd-ball case. + if len(groups) == 0 && len(resources) == 0 { + return chartutil.DefaultVersionSet, nil + } + + versionMap := make(map[string]interface{}) + var versions []string + + // Extract the groups + for _, g := range groups { + for _, gv := range g.Versions { + versionMap[gv.GroupVersion] = struct{}{} + } + } + + // Extract the resources + var id string + var ok bool + for _, r := range resources { + for _, rl := range r.APIResources { + + // A Kind at a GroupVersion can show up more than once. We only want + // it displayed once in the final output. + id = path.Join(r.GroupVersion, rl.Kind) + if _, ok = versionMap[id]; !ok { + versionMap[id] = struct{}{} + } + } + } + + // Convert to a form that NewVersionSet can use + for k := range versionMap { + versions = append(versions, k) + } + + return chartutil.VersionSet(versions), nil +} + +// recordRelease with an update operation in case reuse has been set. +func (cfg *Configuration) recordRelease(r *release.Release) { + if err := cfg.Releases.Update(r); err != nil { + cfg.Log("warning: Failed to update release %s: %s", r.Name, err) + } +} + +// Init initializes the action configuration +func (cfg *Configuration) Init(getter genericclioptions.RESTClientGetter, namespace, helmDriver string, log DebugLog) error { + kc := kube.New(getter) + kc.Log = log + + lazyClient := &lazyClient{ + namespace: namespace, + clientFn: kc.Factory.KubernetesClientSet, + } + + var store *storage.Storage + switch helmDriver { + case "secret", "secrets", "": + d := driver.NewSecrets(newSecretClient(lazyClient)) + d.Log = log + store = storage.Init(d) + case "configmap", "configmaps": + d := driver.NewConfigMaps(newConfigMapClient(lazyClient)) + d.Log = log + store = storage.Init(d) + case "memory": + var d *driver.Memory + if cfg.Releases != nil { + if mem, ok := cfg.Releases.Driver.(*driver.Memory); ok { + // This function can be called more than once (e.g., helm list --all-namespaces). + // If a memory driver was already initialized, re-use it but set the possibly new namespace. + // We re-use it in case some releases where already created in the existing memory driver. + d = mem + } + } + if d == nil { + d = driver.NewMemory() + } + d.SetNamespace(namespace) + store = storage.Init(d) + case "sql": + d, err := driver.NewSQL( + os.Getenv("HELM_DRIVER_SQL_CONNECTION_STRING"), + log, + namespace, + ) + if err != nil { + return errors.Wrap(err, "unable to instantiate SQL driver") + } + store = storage.Init(d) + default: + return errors.Errorf("unknown driver %q", helmDriver) + } + + cfg.RESTClientGetter = getter + cfg.KubeClient = kc + cfg.Releases = store + cfg.Log = log + cfg.HookOutputFunc = func(_, _, _ string) io.Writer { return io.Discard } + + return nil +} + +// SetHookOutputFunc sets the HookOutputFunc on the Configuration. +func (cfg *Configuration) SetHookOutputFunc(hookOutputFunc func(_, _, _ string) io.Writer) { + cfg.HookOutputFunc = hookOutputFunc +} diff --git a/vendor/helm.sh/helm/v3/pkg/action/dependency.go b/vendor/helm.sh/helm/v3/pkg/action/dependency.go new file mode 100644 index 0000000000..19305fee88 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/action/dependency.go @@ -0,0 +1,237 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package action + +import ( + "fmt" + "io" + "os" + "path/filepath" + "strings" + + "github.com/Masterminds/semver/v3" + "github.com/gosuri/uitable" + + "helm.sh/helm/v3/pkg/chart" + "helm.sh/helm/v3/pkg/chart/loader" +) + +// Dependency is the action for building a given chart's dependency tree. +// +// It provides the implementation of 'helm dependency' and its respective subcommands. +type Dependency struct { + Verify bool + Keyring string + SkipRefresh bool + ColumnWidth uint + Username string + Password string + CertFile string + KeyFile string + CaFile string + InsecureSkipTLSverify bool + PlainHTTP bool +} + +// NewDependency creates a new Dependency object with the given configuration. +func NewDependency() *Dependency { + return &Dependency{ + ColumnWidth: 80, + } +} + +// List executes 'helm dependency list'. +func (d *Dependency) List(chartpath string, out io.Writer) error { + c, err := loader.Load(chartpath) + if err != nil { + return err + } + + if c.Metadata.Dependencies == nil { + fmt.Fprintf(out, "WARNING: no dependencies at %s\n", filepath.Join(chartpath, "charts")) + return nil + } + + d.printDependencies(chartpath, out, c) + fmt.Fprintln(out) + d.printMissing(chartpath, out, c.Metadata.Dependencies) + return nil +} + +// dependencyStatus returns a string describing the status of a dependency viz a viz the parent chart. +func (d *Dependency) dependencyStatus(chartpath string, dep *chart.Dependency, parent *chart.Chart) string { + filename := fmt.Sprintf("%s-%s.tgz", dep.Name, "*") + + // If a chart is unpacked, this will check the unpacked chart's `charts/` directory for tarballs. + // Technically, this is COMPLETELY unnecessary, and should be removed in Helm 4. It is here + // to preserved backward compatibility. In Helm 2/3, there is a "difference" between + // the tgz version (which outputs "ok" if it unpacks) and the loaded version (which outputs + // "unpacked"). Early in Helm 2's history, this would have made a difference. But it no + // longer does. However, since this code shipped with Helm 3, the output must remain stable + // until Helm 4. + switch archives, err := filepath.Glob(filepath.Join(chartpath, "charts", filename)); { + case err != nil: + return "bad pattern" + case len(archives) > 1: + // See if the second part is a SemVer + found := []string{} + for _, arc := range archives { + // we need to trip the prefix dirs and the extension off. + filename = strings.TrimSuffix(filepath.Base(arc), ".tgz") + maybeVersion := strings.TrimPrefix(filename, fmt.Sprintf("%s-", dep.Name)) + + if _, err := semver.StrictNewVersion(maybeVersion); err == nil { + // If the version parsed without an error, it is possibly a valid + // version. + found = append(found, arc) + } + } + + if l := len(found); l == 1 { + // If we get here, we do the same thing as in len(archives) == 1. + if r := statArchiveForStatus(found[0], dep); r != "" { + return r + } + + // Fall through and look for directories + } else if l > 1 { + return "too many matches" + } + + // The sanest thing to do here is to fall through and see if we have any directory + // matches. + + case len(archives) == 1: + archive := archives[0] + if r := statArchiveForStatus(archive, dep); r != "" { + return r + } + + } + // End unnecessary code. + + var depChart *chart.Chart + for _, item := range parent.Dependencies() { + if item.Name() == dep.Name { + depChart = item + } + } + + if depChart == nil { + return "missing" + } + + if depChart.Metadata.Version != dep.Version { + constraint, err := semver.NewConstraint(dep.Version) + if err != nil { + return "invalid version" + } + + v, err := semver.NewVersion(depChart.Metadata.Version) + if err != nil { + return "invalid version" + } + + if !constraint.Check(v) { + return "wrong version" + } + } + + return "unpacked" +} + +// stat an archive and return a message if the stat is successful +// +// This is a refactor of the code originally in dependencyStatus. It is here to +// support legacy behavior, and should be removed in Helm 4. +func statArchiveForStatus(archive string, dep *chart.Dependency) string { + if _, err := os.Stat(archive); err == nil { + c, err := loader.Load(archive) + if err != nil { + return "corrupt" + } + if c.Name() != dep.Name { + return "misnamed" + } + + if c.Metadata.Version != dep.Version { + constraint, err := semver.NewConstraint(dep.Version) + if err != nil { + return "invalid version" + } + + v, err := semver.NewVersion(c.Metadata.Version) + if err != nil { + return "invalid version" + } + + if !constraint.Check(v) { + return "wrong version" + } + } + return "ok" + } + return "" +} + +// printDependencies prints all of the dependencies in the yaml file. +func (d *Dependency) printDependencies(chartpath string, out io.Writer, c *chart.Chart) { + table := uitable.New() + table.MaxColWidth = d.ColumnWidth + table.AddRow("NAME", "VERSION", "REPOSITORY", "STATUS") + for _, row := range c.Metadata.Dependencies { + table.AddRow(row.Name, row.Version, row.Repository, d.dependencyStatus(chartpath, row, c)) + } + fmt.Fprintln(out, table) +} + +// printMissing prints warnings about charts that are present on disk, but are +// not in Chart.yaml. +func (d *Dependency) printMissing(chartpath string, out io.Writer, reqs []*chart.Dependency) { + folder := filepath.Join(chartpath, "charts/*") + files, err := filepath.Glob(folder) + if err != nil { + fmt.Fprintln(out, err) + return + } + + for _, f := range files { + fi, err := os.Stat(f) + if err != nil { + fmt.Fprintf(out, "Warning: %s\n", err) + } + // Skip anything that is not a directory and not a tgz file. + if !fi.IsDir() && filepath.Ext(f) != ".tgz" { + continue + } + c, err := loader.Load(f) + if err != nil { + fmt.Fprintf(out, "WARNING: %q is not a chart.\n", f) + continue + } + found := false + for _, d := range reqs { + if d.Name == c.Name() { + found = true + break + } + } + if !found { + fmt.Fprintf(out, "WARNING: %q is not in Chart.yaml.\n", f) + } + } +} diff --git a/vendor/helm.sh/helm/v3/pkg/action/doc.go b/vendor/helm.sh/helm/v3/pkg/action/doc.go new file mode 100644 index 0000000000..3c91bd6184 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/action/doc.go @@ -0,0 +1,22 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Package action contains the logic for each action that Helm can perform. +// +// This is a library for calling top-level Helm actions like 'install', +// 'upgrade', or 'list'. Actions approximately match the command line +// invocations that the Helm client uses. +package action diff --git a/vendor/helm.sh/helm/v3/pkg/action/get.go b/vendor/helm.sh/helm/v3/pkg/action/get.go new file mode 100644 index 0000000000..f44b53307f --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/action/get.go @@ -0,0 +1,47 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package action + +import ( + "helm.sh/helm/v3/pkg/release" +) + +// Get is the action for checking a given release's information. +// +// It provides the implementation of 'helm get' and its respective subcommands (except `helm get values`). +type Get struct { + cfg *Configuration + + // Initializing Version to 0 will get the latest revision of the release. + Version int +} + +// NewGet creates a new Get object with the given configuration. +func NewGet(cfg *Configuration) *Get { + return &Get{ + cfg: cfg, + } +} + +// Run executes 'helm get' against the given release. +func (g *Get) Run(name string) (*release.Release, error) { + if err := g.cfg.KubeClient.IsReachable(); err != nil { + return nil, err + } + + return g.cfg.releaseContent(name, g.Version) +} diff --git a/vendor/helm.sh/helm/v3/pkg/action/get_metadata.go b/vendor/helm.sh/helm/v3/pkg/action/get_metadata.go new file mode 100644 index 0000000000..f79788c3bb --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/action/get_metadata.go @@ -0,0 +1,90 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package action + +import ( + "sort" + "strings" + "time" + + "helm.sh/helm/v3/pkg/chart" +) + +// GetMetadata is the action for checking a given release's metadata. +// +// It provides the implementation of 'helm get metadata'. +type GetMetadata struct { + cfg *Configuration + + Version int +} + +type Metadata struct { + Name string `json:"name" yaml:"name"` + Chart string `json:"chart" yaml:"chart"` + Version string `json:"version" yaml:"version"` + AppVersion string `json:"appVersion" yaml:"appVersion"` + Annotations map[string]string `json:"annotations,omitempty" yaml:"annotations,omitempty"` + Dependencies []*chart.Dependency `json:"dependencies,omitempty" yaml:"dependencies,omitempty"` + Namespace string `json:"namespace" yaml:"namespace"` + Revision int `json:"revision" yaml:"revision"` + Status string `json:"status" yaml:"status"` + DeployedAt string `json:"deployedAt" yaml:"deployedAt"` +} + +// NewGetMetadata creates a new GetMetadata object with the given configuration. +func NewGetMetadata(cfg *Configuration) *GetMetadata { + return &GetMetadata{ + cfg: cfg, + } +} + +// Run executes 'helm get metadata' against the given release. +func (g *GetMetadata) Run(name string) (*Metadata, error) { + if err := g.cfg.KubeClient.IsReachable(); err != nil { + return nil, err + } + + rel, err := g.cfg.releaseContent(name, g.Version) + if err != nil { + return nil, err + } + + return &Metadata{ + Name: rel.Name, + Chart: rel.Chart.Metadata.Name, + Version: rel.Chart.Metadata.Version, + AppVersion: rel.Chart.Metadata.AppVersion, + Dependencies: rel.Chart.Metadata.Dependencies, + Annotations: rel.Chart.Metadata.Annotations, + Namespace: rel.Namespace, + Revision: rel.Version, + Status: rel.Info.Status.String(), + DeployedAt: rel.Info.LastDeployed.Format(time.RFC3339), + }, nil +} + +// FormattedDepNames formats metadata.dependencies names into a comma-separated list. +func (m *Metadata) FormattedDepNames() string { + depsNames := make([]string, 0, len(m.Dependencies)) + for _, dep := range m.Dependencies { + depsNames = append(depsNames, dep.Name) + } + sort.StringSlice(depsNames).Sort() + + return strings.Join(depsNames, ",") +} diff --git a/vendor/helm.sh/helm/v3/pkg/action/get_values.go b/vendor/helm.sh/helm/v3/pkg/action/get_values.go new file mode 100644 index 0000000000..9c32db2132 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/action/get_values.go @@ -0,0 +1,60 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package action + +import ( + "helm.sh/helm/v3/pkg/chartutil" +) + +// GetValues is the action for checking a given release's values. +// +// It provides the implementation of 'helm get values'. +type GetValues struct { + cfg *Configuration + + Version int + AllValues bool +} + +// NewGetValues creates a new GetValues object with the given configuration. +func NewGetValues(cfg *Configuration) *GetValues { + return &GetValues{ + cfg: cfg, + } +} + +// Run executes 'helm get values' against the given release. +func (g *GetValues) Run(name string) (map[string]interface{}, error) { + if err := g.cfg.KubeClient.IsReachable(); err != nil { + return nil, err + } + + rel, err := g.cfg.releaseContent(name, g.Version) + if err != nil { + return nil, err + } + + // If the user wants all values, compute the values and return. + if g.AllValues { + cfg, err := chartutil.CoalesceValues(rel.Chart, rel.Config) + if err != nil { + return nil, err + } + return cfg, nil + } + return rel.Config, nil +} diff --git a/vendor/helm.sh/helm/v3/pkg/action/history.go b/vendor/helm.sh/helm/v3/pkg/action/history.go new file mode 100644 index 0000000000..0430aaf7a5 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/action/history.go @@ -0,0 +1,58 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package action + +import ( + "github.com/pkg/errors" + + "helm.sh/helm/v3/pkg/chartutil" + "helm.sh/helm/v3/pkg/release" +) + +// History is the action for checking the release's ledger. +// +// It provides the implementation of 'helm history'. +// It returns all the revisions for a specific release. +// To list up to one revision of every release in one specific, or in all, +// namespaces, see the List action. +type History struct { + cfg *Configuration + + Max int + Version int +} + +// NewHistory creates a new History object with the given configuration. +func NewHistory(cfg *Configuration) *History { + return &History{ + cfg: cfg, + } +} + +// Run executes 'helm history' against the given release. +func (h *History) Run(name string) ([]*release.Release, error) { + if err := h.cfg.KubeClient.IsReachable(); err != nil { + return nil, err + } + + if err := chartutil.ValidateReleaseName(name); err != nil { + return nil, errors.Errorf("release name is invalid: %s", name) + } + + h.cfg.Log("getting history for release %s", name) + return h.cfg.Releases.History(name) +} diff --git a/vendor/helm.sh/helm/v3/pkg/action/hooks.go b/vendor/helm.sh/helm/v3/pkg/action/hooks.go new file mode 100644 index 0000000000..16cc13bdd5 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/action/hooks.go @@ -0,0 +1,230 @@ +/* +Copyright The Helm Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package action + +import ( + "bytes" + "fmt" + "log" + "slices" + "sort" + "time" + + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + + "github.com/pkg/errors" + "gopkg.in/yaml.v3" + + "helm.sh/helm/v3/pkg/kube" + "helm.sh/helm/v3/pkg/release" + helmtime "helm.sh/helm/v3/pkg/time" +) + +// execHook executes all of the hooks for the given hook event. +func (cfg *Configuration) execHook(rl *release.Release, hook release.HookEvent, timeout time.Duration) error { + executingHooks := []*release.Hook{} + + for _, h := range rl.Hooks { + for _, e := range h.Events { + if e == hook { + executingHooks = append(executingHooks, h) + } + } + } + + // hooke are pre-ordered by kind, so keep order stable + sort.Stable(hookByWeight(executingHooks)) + + for _, h := range executingHooks { + // Set default delete policy to before-hook-creation + if len(h.DeletePolicies) == 0 { + // TODO(jlegrone): Only apply before-hook-creation delete policy to run to completion + // resources. For all other resource types update in place if a + // resource with the same name already exists and is owned by the + // current release. + h.DeletePolicies = []release.HookDeletePolicy{release.HookBeforeHookCreation} + } + + if err := cfg.deleteHookByPolicy(h, release.HookBeforeHookCreation, timeout); err != nil { + return err + } + + resources, err := cfg.KubeClient.Build(bytes.NewBufferString(h.Manifest), true) + if err != nil { + return errors.Wrapf(err, "unable to build kubernetes object for %s hook %s", hook, h.Path) + } + + // Record the time at which the hook was applied to the cluster + h.LastRun = release.HookExecution{ + StartedAt: helmtime.Now(), + Phase: release.HookPhaseRunning, + } + cfg.recordRelease(rl) + + // As long as the implementation of WatchUntilReady does not panic, HookPhaseFailed or HookPhaseSucceeded + // should always be set by this function. If we fail to do that for any reason, then HookPhaseUnknown is + // the most appropriate value to surface. + h.LastRun.Phase = release.HookPhaseUnknown + + // Create hook resources + if _, err := cfg.KubeClient.Create(resources); err != nil { + h.LastRun.CompletedAt = helmtime.Now() + h.LastRun.Phase = release.HookPhaseFailed + return errors.Wrapf(err, "warning: Hook %s %s failed", hook, h.Path) + } + + // Watch hook resources until they have completed + err = cfg.KubeClient.WatchUntilReady(resources, timeout) + // Note the time of success/failure + h.LastRun.CompletedAt = helmtime.Now() + // Mark hook as succeeded or failed + if err != nil { + h.LastRun.Phase = release.HookPhaseFailed + // If a hook is failed, check the annotation of the hook to determine if we should copy the logs client side + if errOutputting := cfg.outputLogsByPolicy(h, rl.Namespace, release.HookOutputOnFailed); errOutputting != nil { + // We log the error here as we want to propagate the hook failure upwards to the release object. + log.Printf("error outputting logs for hook failure: %v", errOutputting) + } + // If a hook is failed, check the annotation of the hook to determine whether the hook should be deleted + // under failed condition. If so, then clear the corresponding resource object in the hook + if errDeleting := cfg.deleteHookByPolicy(h, release.HookFailed, timeout); errDeleting != nil { + // We log the error here as we want to propagate the hook failure upwards to the release object. + log.Printf("error deleting the hook resource on hook failure: %v", errDeleting) + } + return err + } + h.LastRun.Phase = release.HookPhaseSucceeded + } + + // If all hooks are successful, check the annotation of each hook to determine whether the hook should be deleted + // or output should be logged under succeeded condition. If so, then clear the corresponding resource object in each hook + for i := len(executingHooks) - 1; i >= 0; i-- { + h := executingHooks[i] + if err := cfg.outputLogsByPolicy(h, rl.Namespace, release.HookOutputOnSucceeded); err != nil { + // We log here as we still want to attempt hook resource deletion even if output logging fails. + log.Printf("error outputting logs for hook failure: %v", err) + } + if err := cfg.deleteHookByPolicy(h, release.HookSucceeded, timeout); err != nil { + return err + } + } + + return nil +} + +// hookByWeight is a sorter for hooks +type hookByWeight []*release.Hook + +func (x hookByWeight) Len() int { return len(x) } +func (x hookByWeight) Swap(i, j int) { x[i], x[j] = x[j], x[i] } +func (x hookByWeight) Less(i, j int) bool { + if x[i].Weight == x[j].Weight { + return x[i].Name < x[j].Name + } + return x[i].Weight < x[j].Weight +} + +// deleteHookByPolicy deletes a hook if the hook policy instructs it to +func (cfg *Configuration) deleteHookByPolicy(h *release.Hook, policy release.HookDeletePolicy, timeout time.Duration) error { + // Never delete CustomResourceDefinitions; this could cause lots of + // cascading garbage collection. + if h.Kind == "CustomResourceDefinition" { + return nil + } + if hookHasDeletePolicy(h, policy) { + resources, err := cfg.KubeClient.Build(bytes.NewBufferString(h.Manifest), false) + if err != nil { + return errors.Wrapf(err, "unable to build kubernetes object for deleting hook %s", h.Path) + } + _, errs := cfg.KubeClient.Delete(resources) + if len(errs) > 0 { + return errors.New(joinErrors(errs)) + } + + // wait for resources until they are deleted to avoid conflicts + if kubeClient, ok := cfg.KubeClient.(kube.InterfaceExt); ok { + if err := kubeClient.WaitForDelete(resources, timeout); err != nil { + return err + } + } + } + return nil +} + +// hookHasDeletePolicy determines whether the defined hook deletion policy matches the hook deletion polices +// supported by helm. If so, mark the hook as one should be deleted. +func hookHasDeletePolicy(h *release.Hook, policy release.HookDeletePolicy) bool { + for _, v := range h.DeletePolicies { + if policy == v { + return true + } + } + return false +} + +// outputLogsByPolicy outputs a pods logs if the hook policy instructs it to +func (cfg *Configuration) outputLogsByPolicy(h *release.Hook, releaseNamespace string, policy release.HookOutputLogPolicy) error { + if !hookHasOutputLogPolicy(h, policy) { + return nil + } + namespace, err := cfg.deriveNamespace(h, releaseNamespace) + if err != nil { + return err + } + switch h.Kind { + case "Job": + return cfg.outputContainerLogsForListOptions(namespace, metav1.ListOptions{LabelSelector: fmt.Sprintf("job-name=%s", h.Name)}) + case "Pod": + return cfg.outputContainerLogsForListOptions(namespace, metav1.ListOptions{FieldSelector: fmt.Sprintf("metadata.name=%s", h.Name)}) + default: + return nil + } +} + +func (cfg *Configuration) outputContainerLogsForListOptions(namespace string, listOptions metav1.ListOptions) error { + // TODO Helm 4: Remove this check when GetPodList and OutputContainerLogsForPodList are moved from InterfaceLogs to Interface + if kubeClient, ok := cfg.KubeClient.(kube.InterfaceLogs); ok { + podList, err := kubeClient.GetPodList(namespace, listOptions) + if err != nil { + return err + } + err = kubeClient.OutputContainerLogsForPodList(podList, namespace, cfg.HookOutputFunc) + return err + } + return nil +} + +func (cfg *Configuration) deriveNamespace(h *release.Hook, namespace string) (string, error) { + tmp := struct { + Metadata struct { + Namespace string + } + }{} + err := yaml.Unmarshal([]byte(h.Manifest), &tmp) + if err != nil { + return "", errors.Wrapf(err, "unable to parse metadata.namespace from kubernetes manifest for output logs hook %s", h.Path) + } + if tmp.Metadata.Namespace == "" { + return namespace, nil + } + return tmp.Metadata.Namespace, nil +} + +// hookHasOutputLogPolicy determines whether the defined hook output log policy matches the hook output log policies +// supported by helm. +func hookHasOutputLogPolicy(h *release.Hook, policy release.HookOutputLogPolicy) bool { + return slices.Contains(h.OutputLogPolicies, policy) +} diff --git a/vendor/helm.sh/helm/v3/pkg/action/install.go b/vendor/helm.sh/helm/v3/pkg/action/install.go new file mode 100644 index 0000000000..7bdfc2ab52 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/action/install.go @@ -0,0 +1,836 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package action + +import ( + "bytes" + "context" + "fmt" + "io" + "net/url" + "os" + "path" + "path/filepath" + "strings" + "sync" + "text/template" + "time" + + "github.com/Masterminds/sprig/v3" + "github.com/pkg/errors" + v1 "k8s.io/api/core/v1" + apierrors "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/api/meta" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/cli-runtime/pkg/resource" + "sigs.k8s.io/yaml" + + "helm.sh/helm/v3/pkg/chart" + "helm.sh/helm/v3/pkg/chartutil" + "helm.sh/helm/v3/pkg/cli" + "helm.sh/helm/v3/pkg/downloader" + "helm.sh/helm/v3/pkg/getter" + "helm.sh/helm/v3/pkg/kube" + kubefake "helm.sh/helm/v3/pkg/kube/fake" + "helm.sh/helm/v3/pkg/postrender" + "helm.sh/helm/v3/pkg/registry" + "helm.sh/helm/v3/pkg/release" + "helm.sh/helm/v3/pkg/releaseutil" + "helm.sh/helm/v3/pkg/repo" + "helm.sh/helm/v3/pkg/storage" + "helm.sh/helm/v3/pkg/storage/driver" +) + +// notesFileSuffix that we want to treat special. It goes through the templating engine +// but it's not a yaml file (resource) hence can't have hooks, etc. And the user actually +// wants to see this file after rendering in the status command. However, it must be a suffix +// since there can be filepath in front of it. +const notesFileSuffix = "NOTES.txt" + +const defaultDirectoryPermission = 0755 + +// Install performs an installation operation. +type Install struct { + cfg *Configuration + + ChartPathOptions + + ClientOnly bool + Force bool + CreateNamespace bool + DryRun bool + DryRunOption string + // HideSecret can be set to true when DryRun is enabled in order to hide + // Kubernetes Secrets in the output. It cannot be used outside of DryRun. + HideSecret bool + DisableHooks bool + Replace bool + Wait bool + WaitForJobs bool + Devel bool + DependencyUpdate bool + Timeout time.Duration + Namespace string + ReleaseName string + GenerateName bool + NameTemplate string + Description string + OutputDir string + Atomic bool + SkipCRDs bool + SubNotes bool + HideNotes bool + SkipSchemaValidation bool + DisableOpenAPIValidation bool + IncludeCRDs bool + Labels map[string]string + // KubeVersion allows specifying a custom kubernetes version to use and + // APIVersions allows a manual set of supported API Versions to be passed + // (for things like templating). These are ignored if ClientOnly is false + KubeVersion *chartutil.KubeVersion + APIVersions chartutil.VersionSet + // Used by helm template to render charts with .Release.IsUpgrade. Ignored if Dry-Run is false + IsUpgrade bool + // Enable DNS lookups when rendering templates + EnableDNS bool + // Used by helm template to add the release as part of OutputDir path + // OutputDir/ + UseReleaseName bool + // TakeOwnership will ignore the check for helm annotations and take ownership of the resources. + TakeOwnership bool + PostRenderer postrender.PostRenderer + // Lock to control raceconditions when the process receives a SIGTERM + Lock sync.Mutex +} + +// ChartPathOptions captures common options used for controlling chart paths +type ChartPathOptions struct { + CaFile string // --ca-file + CertFile string // --cert-file + KeyFile string // --key-file + InsecureSkipTLSverify bool // --insecure-skip-verify + PlainHTTP bool // --plain-http + Keyring string // --keyring + Password string // --password + PassCredentialsAll bool // --pass-credentials + RepoURL string // --repo + Username string // --username + Verify bool // --verify + Version string // --version + + // registryClient provides a registry client but is not added with + // options from a flag + registryClient *registry.Client +} + +// NewInstall creates a new Install object with the given configuration. +func NewInstall(cfg *Configuration) *Install { + in := &Install{ + cfg: cfg, + } + in.ChartPathOptions.registryClient = cfg.RegistryClient + + return in +} + +// SetRegistryClient sets the registry client for the install action +func (i *Install) SetRegistryClient(registryClient *registry.Client) { + i.ChartPathOptions.registryClient = registryClient +} + +// GetRegistryClient get the registry client. +func (i *Install) GetRegistryClient() *registry.Client { + return i.ChartPathOptions.registryClient +} + +func (i *Install) installCRDs(crds []chart.CRD) error { + // We do these one file at a time in the order they were read. + totalItems := []*resource.Info{} + for _, obj := range crds { + // Read in the resources + res, err := i.cfg.KubeClient.Build(bytes.NewBuffer(obj.File.Data), false) + if err != nil { + return errors.Wrapf(err, "failed to install CRD %s", obj.Name) + } + + // Send them to Kube + if _, err := i.cfg.KubeClient.Create(res); err != nil { + // If the error is CRD already exists, continue. + if apierrors.IsAlreadyExists(err) { + crdName := res[0].Name + i.cfg.Log("CRD %s is already present. Skipping.", crdName) + continue + } + return errors.Wrapf(err, "failed to install CRD %s", obj.Name) + } + totalItems = append(totalItems, res...) + } + if len(totalItems) > 0 { + // Give time for the CRD to be recognized. + if err := i.cfg.KubeClient.Wait(totalItems, 60*time.Second); err != nil { + return err + } + + // If we have already gathered the capabilities, we need to invalidate + // the cache so that the new CRDs are recognized. This should only be + // the case when an action configuration is reused for multiple actions, + // as otherwise it is later loaded by ourselves when getCapabilities + // is called later on in the installation process. + if i.cfg.Capabilities != nil { + discoveryClient, err := i.cfg.RESTClientGetter.ToDiscoveryClient() + if err != nil { + return err + } + + i.cfg.Log("Clearing discovery cache") + discoveryClient.Invalidate() + + _, _ = discoveryClient.ServerGroups() + } + + // Invalidate the REST mapper, since it will not have the new CRDs + // present. + restMapper, err := i.cfg.RESTClientGetter.ToRESTMapper() + if err != nil { + return err + } + if resettable, ok := restMapper.(meta.ResettableRESTMapper); ok { + i.cfg.Log("Clearing REST mapper cache") + resettable.Reset() + } + } + return nil +} + +// Run executes the installation +// +// If DryRun is set to true, this will prepare the release, but not install it + +func (i *Install) Run(chrt *chart.Chart, vals map[string]interface{}) (*release.Release, error) { + ctx := context.Background() + return i.RunWithContext(ctx, chrt, vals) +} + +// Run executes the installation with Context +// +// When the task is cancelled through ctx, the function returns and the install +// proceeds in the background. +func (i *Install) RunWithContext(ctx context.Context, chrt *chart.Chart, vals map[string]interface{}) (*release.Release, error) { + // Check reachability of cluster unless in client-only mode (e.g. `helm template` without `--validate`) + if !i.ClientOnly { + if err := i.cfg.KubeClient.IsReachable(); err != nil { + return nil, err + } + } + + // HideSecret must be used with dry run. Otherwise, return an error. + if !i.isDryRun() && i.HideSecret { + return nil, errors.New("Hiding Kubernetes secrets requires a dry-run mode") + } + + if err := i.availableName(); err != nil { + return nil, err + } + + if err := chartutil.ProcessDependenciesWithMerge(chrt, vals); err != nil { + return nil, err + } + + var interactWithRemote bool + if !i.isDryRun() || i.DryRunOption == "server" || i.DryRunOption == "none" || i.DryRunOption == "false" { + interactWithRemote = true + } + + // Pre-install anything in the crd/ directory. We do this before Helm + // contacts the upstream server and builds the capabilities object. + if crds := chrt.CRDObjects(); !i.ClientOnly && !i.SkipCRDs && len(crds) > 0 { + // On dry run, bail here + if i.isDryRun() { + i.cfg.Log("WARNING: This chart or one of its subcharts contains CRDs. Rendering may fail or contain inaccuracies.") + } else if err := i.installCRDs(crds); err != nil { + return nil, err + } + } + + if i.ClientOnly { + // Add mock objects in here so it doesn't use Kube API server + // NOTE(bacongobbler): used for `helm template` + i.cfg.Capabilities = chartutil.DefaultCapabilities.Copy() + if i.KubeVersion != nil { + i.cfg.Capabilities.KubeVersion = *i.KubeVersion + } + i.cfg.Capabilities.APIVersions = append(i.cfg.Capabilities.APIVersions, i.APIVersions...) + i.cfg.KubeClient = &kubefake.PrintingKubeClient{Out: io.Discard} + + mem := driver.NewMemory() + mem.SetNamespace(i.Namespace) + i.cfg.Releases = storage.Init(mem) + } else if !i.ClientOnly && len(i.APIVersions) > 0 { + i.cfg.Log("API Version list given outside of client only mode, this list will be ignored") + } + + // Make sure if Atomic is set, that wait is set as well. This makes it so + // the user doesn't have to specify both + i.Wait = i.Wait || i.Atomic + + caps, err := i.cfg.getCapabilities() + if err != nil { + return nil, err + } + + // special case for helm template --is-upgrade + isUpgrade := i.IsUpgrade && i.isDryRun() + options := chartutil.ReleaseOptions{ + Name: i.ReleaseName, + Namespace: i.Namespace, + Revision: 1, + IsInstall: !isUpgrade, + IsUpgrade: isUpgrade, + } + valuesToRender, err := chartutil.ToRenderValuesWithSchemaValidation(chrt, vals, options, caps, i.SkipSchemaValidation) + if err != nil { + return nil, err + } + + if driver.ContainsSystemLabels(i.Labels) { + return nil, fmt.Errorf("user supplied labels contains system reserved label name. System labels: %+v", driver.GetSystemLabels()) + } + + rel := i.createRelease(chrt, vals, i.Labels) + + var manifestDoc *bytes.Buffer + rel.Hooks, manifestDoc, rel.Info.Notes, err = i.cfg.renderResources(chrt, valuesToRender, i.ReleaseName, i.OutputDir, i.SubNotes, i.UseReleaseName, i.IncludeCRDs, i.PostRenderer, interactWithRemote, i.EnableDNS, i.HideSecret) + // Even for errors, attach this if available + if manifestDoc != nil { + rel.Manifest = manifestDoc.String() + } + // Check error from render + if err != nil { + rel.SetStatus(release.StatusFailed, fmt.Sprintf("failed to render resource: %s", err.Error())) + // Return a release with partial data so that the client can show debugging information. + return rel, err + } + + // Mark this release as in-progress + rel.SetStatus(release.StatusPendingInstall, "Initial install underway") + + var toBeAdopted kube.ResourceList + resources, err := i.cfg.KubeClient.Build(bytes.NewBufferString(rel.Manifest), !i.DisableOpenAPIValidation) + if err != nil { + return nil, errors.Wrap(err, "unable to build kubernetes objects from release manifest") + } + + // It is safe to use "force" here because these are resources currently rendered by the chart. + err = resources.Visit(setMetadataVisitor(rel.Name, rel.Namespace, true)) + if err != nil { + return nil, err + } + + // Install requires an extra validation step of checking that resources + // don't already exist before we actually create resources. If we continue + // forward and create the release object with resources that already exist, + // we'll end up in a state where we will delete those resources upon + // deleting the release because the manifest will be pointing at that + // resource + if !i.ClientOnly && !isUpgrade && len(resources) > 0 { + if i.TakeOwnership { + toBeAdopted, err = requireAdoption(resources) + } else { + toBeAdopted, err = existingResourceConflict(resources, rel.Name, rel.Namespace) + } + if err != nil { + return nil, errors.Wrap(err, "Unable to continue with install") + } + } + + // Bail out here if it is a dry run + if i.isDryRun() { + rel.Info.Description = "Dry run complete" + return rel, nil + } + + if i.CreateNamespace { + ns := &v1.Namespace{ + TypeMeta: metav1.TypeMeta{ + APIVersion: "v1", + Kind: "Namespace", + }, + ObjectMeta: metav1.ObjectMeta{ + Name: i.Namespace, + Labels: map[string]string{ + "name": i.Namespace, + }, + }, + } + buf, err := yaml.Marshal(ns) + if err != nil { + return nil, err + } + resourceList, err := i.cfg.KubeClient.Build(bytes.NewBuffer(buf), true) + if err != nil { + return nil, err + } + if _, err := i.cfg.KubeClient.Create(resourceList); err != nil && !apierrors.IsAlreadyExists(err) { + return nil, err + } + } + + // If Replace is true, we need to supersede the last release. + if i.Replace { + if err := i.replaceRelease(rel); err != nil { + return nil, err + } + } + + // Store the release in history before continuing (new in Helm 3). We always know + // that this is a create operation. + if err := i.cfg.Releases.Create(rel); err != nil { + // We could try to recover gracefully here, but since nothing has been installed + // yet, this is probably safer than trying to continue when we know storage is + // not working. + return rel, err + } + + rel, err = i.performInstallCtx(ctx, rel, toBeAdopted, resources) + if err != nil { + rel, err = i.failRelease(rel, err) + } + return rel, err +} + +func (i *Install) performInstallCtx(ctx context.Context, rel *release.Release, toBeAdopted kube.ResourceList, resources kube.ResourceList) (*release.Release, error) { + type Msg struct { + r *release.Release + e error + } + resultChan := make(chan Msg, 1) + + go func() { + rel, err := i.performInstall(rel, toBeAdopted, resources) + resultChan <- Msg{rel, err} + }() + select { + case <-ctx.Done(): + err := ctx.Err() + return rel, err + case msg := <-resultChan: + return msg.r, msg.e + } +} + +// isDryRun returns true if Upgrade is set to run as a DryRun +func (i *Install) isDryRun() bool { + if i.DryRun || i.DryRunOption == "client" || i.DryRunOption == "server" || i.DryRunOption == "true" { + return true + } + return false +} + +func (i *Install) performInstall(rel *release.Release, toBeAdopted kube.ResourceList, resources kube.ResourceList) (*release.Release, error) { + var err error + // pre-install hooks + if !i.DisableHooks { + if err := i.cfg.execHook(rel, release.HookPreInstall, i.Timeout); err != nil { + return rel, fmt.Errorf("failed pre-install: %s", err) + } + } + + // At this point, we can do the install. Note that before we were detecting whether to + // do an update, but it's not clear whether we WANT to do an update if the re-use is set + // to true, since that is basically an upgrade operation. + if len(toBeAdopted) == 0 && len(resources) > 0 { + _, err = i.cfg.KubeClient.Create(resources) + } else if len(resources) > 0 { + if i.TakeOwnership { + _, err = i.cfg.KubeClient.(kube.InterfaceThreeWayMerge).UpdateThreeWayMerge(toBeAdopted, resources, i.Force) + } else { + _, err = i.cfg.KubeClient.Update(toBeAdopted, resources, i.Force) + } + } + if err != nil { + return rel, err + } + + if i.Wait { + if i.WaitForJobs { + err = i.cfg.KubeClient.WaitWithJobs(resources, i.Timeout) + } else { + err = i.cfg.KubeClient.Wait(resources, i.Timeout) + } + if err != nil { + return rel, err + } + } + + if !i.DisableHooks { + if err := i.cfg.execHook(rel, release.HookPostInstall, i.Timeout); err != nil { + return rel, fmt.Errorf("failed post-install: %s", err) + } + } + + if len(i.Description) > 0 { + rel.SetStatus(release.StatusDeployed, i.Description) + } else { + rel.SetStatus(release.StatusDeployed, "Install complete") + } + + // This is a tricky case. The release has been created, but the result + // cannot be recorded. The truest thing to tell the user is that the + // release was created. However, the user will not be able to do anything + // further with this release. + // + // One possible strategy would be to do a timed retry to see if we can get + // this stored in the future. + if err := i.recordRelease(rel); err != nil { + i.cfg.Log("failed to record the release: %s", err) + } + + return rel, nil +} + +func (i *Install) failRelease(rel *release.Release, err error) (*release.Release, error) { + rel.SetStatus(release.StatusFailed, fmt.Sprintf("Release %q failed: %s", i.ReleaseName, err.Error())) + if i.Atomic { + i.cfg.Log("Install failed and atomic is set, uninstalling release") + uninstall := NewUninstall(i.cfg) + uninstall.DisableHooks = i.DisableHooks + uninstall.KeepHistory = false + uninstall.Timeout = i.Timeout + if _, uninstallErr := uninstall.Run(i.ReleaseName); uninstallErr != nil { + return rel, errors.Wrapf(uninstallErr, "an error occurred while uninstalling the release. original install error: %s", err) + } + return rel, errors.Wrapf(err, "release %s failed, and has been uninstalled due to atomic being set", i.ReleaseName) + } + i.recordRelease(rel) // Ignore the error, since we have another error to deal with. + return rel, err +} + +// availableName tests whether a name is available +// +// Roughly, this will return an error if name is +// +// - empty +// - too long +// - already in use, and not deleted +// - used by a deleted release, and i.Replace is false +func (i *Install) availableName() error { + start := i.ReleaseName + + if err := chartutil.ValidateReleaseName(start); err != nil { + return errors.Wrapf(err, "release name %q", start) + } + // On dry run, bail here + if i.isDryRun() { + return nil + } + + h, err := i.cfg.Releases.History(start) + if err != nil || len(h) < 1 { + return nil + } + releaseutil.Reverse(h, releaseutil.SortByRevision) + rel := h[0] + + if st := rel.Info.Status; i.Replace && (st == release.StatusUninstalled || st == release.StatusFailed) { + return nil + } + return errors.New("cannot re-use a name that is still in use") +} + +// createRelease creates a new release object +func (i *Install) createRelease(chrt *chart.Chart, rawVals map[string]interface{}, labels map[string]string) *release.Release { + ts := i.cfg.Now() + return &release.Release{ + Name: i.ReleaseName, + Namespace: i.Namespace, + Chart: chrt, + Config: rawVals, + Info: &release.Info{ + FirstDeployed: ts, + LastDeployed: ts, + Status: release.StatusUnknown, + }, + Version: 1, + Labels: labels, + } +} + +// recordRelease with an update operation in case reuse has been set. +func (i *Install) recordRelease(r *release.Release) error { + // This is a legacy function which has been reduced to a oneliner. Could probably + // refactor it out. + return i.cfg.Releases.Update(r) +} + +// replaceRelease replaces an older release with this one +// +// This allows us to re-use names by superseding an existing release with a new one +func (i *Install) replaceRelease(rel *release.Release) error { + hist, err := i.cfg.Releases.History(rel.Name) + if err != nil || len(hist) == 0 { + // No releases exist for this name, so we can return early + return nil + } + + releaseutil.Reverse(hist, releaseutil.SortByRevision) + last := hist[0] + + // Update version to the next available + rel.Version = last.Version + 1 + + // Do not change the status of a failed release. + if last.Info.Status == release.StatusFailed { + return nil + } + + // For any other status, mark it as superseded and store the old record + last.SetStatus(release.StatusSuperseded, "superseded by new release") + return i.recordRelease(last) +} + +// write the to /. controls if the file is created or content will be appended +func writeToFile(outputDir string, name string, data string, append bool) error { + outfileName := strings.Join([]string{outputDir, name}, string(filepath.Separator)) + + err := ensureDirectoryForFile(outfileName) + if err != nil { + return err + } + + f, err := createOrOpenFile(outfileName, append) + if err != nil { + return err + } + + defer f.Close() + + _, err = f.WriteString(fmt.Sprintf("---\n# Source: %s\n%s\n", name, data)) + + if err != nil { + return err + } + + fmt.Printf("wrote %s\n", outfileName) + return nil +} + +func createOrOpenFile(filename string, append bool) (*os.File, error) { + if append { + return os.OpenFile(filename, os.O_APPEND|os.O_WRONLY, 0600) + } + return os.Create(filename) +} + +// check if the directory exists to create file. creates if doesn't exist +func ensureDirectoryForFile(file string) error { + baseDir := path.Dir(file) + _, err := os.Stat(baseDir) + if err != nil && !os.IsNotExist(err) { + return err + } + + return os.MkdirAll(baseDir, defaultDirectoryPermission) +} + +// NameAndChart returns the name and chart that should be used. +// +// This will read the flags and handle name generation if necessary. +func (i *Install) NameAndChart(args []string) (string, string, error) { + flagsNotSet := func() error { + if i.GenerateName { + return errors.New("cannot set --generate-name and also specify a name") + } + if i.NameTemplate != "" { + return errors.New("cannot set --name-template and also specify a name") + } + return nil + } + + if len(args) > 2 { + return args[0], args[1], errors.Errorf("expected at most two arguments, unexpected arguments: %v", strings.Join(args[2:], ", ")) + } + + if len(args) == 2 { + return args[0], args[1], flagsNotSet() + } + + if i.NameTemplate != "" { + name, err := TemplateName(i.NameTemplate) + return name, args[0], err + } + + if i.ReleaseName != "" { + return i.ReleaseName, args[0], nil + } + + if !i.GenerateName { + return "", args[0], errors.New("must either provide a name or specify --generate-name") + } + + base := filepath.Base(args[0]) + if base == "." || base == "" { + base = "chart" + } + // if present, strip out the file extension from the name + if idx := strings.Index(base, "."); idx != -1 { + base = base[0:idx] + } + + return fmt.Sprintf("%s-%d", base, time.Now().Unix()), args[0], nil +} + +// TemplateName renders a name template, returning the name or an error. +func TemplateName(nameTemplate string) (string, error) { + if nameTemplate == "" { + return "", nil + } + + t, err := template.New("name-template").Funcs(sprig.TxtFuncMap()).Parse(nameTemplate) + if err != nil { + return "", err + } + var b bytes.Buffer + if err := t.Execute(&b, nil); err != nil { + return "", err + } + + return b.String(), nil +} + +// CheckDependencies checks the dependencies for a chart. +func CheckDependencies(ch *chart.Chart, reqs []*chart.Dependency) error { + var missing []string + +OUTER: + for _, r := range reqs { + for _, d := range ch.Dependencies() { + if d.Name() == r.Name { + continue OUTER + } + } + missing = append(missing, r.Name) + } + + if len(missing) > 0 { + return errors.Errorf("found in Chart.yaml, but missing in charts/ directory: %s", strings.Join(missing, ", ")) + } + return nil +} + +// LocateChart looks for a chart directory in known places, and returns either the full path or an error. +// +// This does not ensure that the chart is well-formed; only that the requested filename exists. +// +// Order of resolution: +// - relative to current working directory +// - if path is absolute or begins with '.', error out here +// - URL +// +// If 'verify' was set on ChartPathOptions, this will attempt to also verify the chart. +func (c *ChartPathOptions) LocateChart(name string, settings *cli.EnvSettings) (string, error) { + if registry.IsOCI(name) && c.registryClient == nil { + return "", fmt.Errorf("unable to lookup chart %q, missing registry client", name) + } + + name = strings.TrimSpace(name) + version := strings.TrimSpace(c.Version) + + if _, err := os.Stat(name); err == nil { + abs, err := filepath.Abs(name) + if err != nil { + return abs, err + } + if c.Verify { + if _, err := downloader.VerifyChart(abs, c.Keyring); err != nil { + return "", err + } + } + return abs, nil + } + if filepath.IsAbs(name) || strings.HasPrefix(name, ".") { + return name, errors.Errorf("path %q not found", name) + } + + dl := downloader.ChartDownloader{ + Out: os.Stdout, + Keyring: c.Keyring, + Getters: getter.All(settings), + Options: []getter.Option{ + getter.WithPassCredentialsAll(c.PassCredentialsAll), + getter.WithTLSClientConfig(c.CertFile, c.KeyFile, c.CaFile), + getter.WithInsecureSkipVerifyTLS(c.InsecureSkipTLSverify), + getter.WithPlainHTTP(c.PlainHTTP), + getter.WithBasicAuth(c.Username, c.Password), + }, + RepositoryConfig: settings.RepositoryConfig, + RepositoryCache: settings.RepositoryCache, + RegistryClient: c.registryClient, + } + + if registry.IsOCI(name) { + dl.Options = append(dl.Options, getter.WithRegistryClient(c.registryClient)) + } + + if c.Verify { + dl.Verify = downloader.VerifyAlways + } + if c.RepoURL != "" { + chartURL, err := repo.FindChartInAuthAndTLSAndPassRepoURL(c.RepoURL, c.Username, c.Password, name, version, + c.CertFile, c.KeyFile, c.CaFile, c.InsecureSkipTLSverify, c.PassCredentialsAll, getter.All(settings)) + if err != nil { + return "", err + } + name = chartURL + + // Only pass the user/pass on when the user has said to or when the + // location of the chart repo and the chart are the same domain. + u1, err := url.Parse(c.RepoURL) + if err != nil { + return "", err + } + u2, err := url.Parse(chartURL) + if err != nil { + return "", err + } + + // Host on URL (returned from url.Parse) contains the port if present. + // This check ensures credentials are not passed between different + // services on different ports. + if c.PassCredentialsAll || (u1.Scheme == u2.Scheme && u1.Host == u2.Host) { + dl.Options = append(dl.Options, getter.WithBasicAuth(c.Username, c.Password)) + } else { + dl.Options = append(dl.Options, getter.WithBasicAuth("", "")) + } + } else { + dl.Options = append(dl.Options, getter.WithBasicAuth(c.Username, c.Password)) + } + + if err := os.MkdirAll(settings.RepositoryCache, 0755); err != nil { + return "", err + } + + filename, _, err := dl.DownloadTo(name, version, settings.RepositoryCache) + if err != nil { + return "", err + } + + lname, err := filepath.Abs(filename) + if err != nil { + return filename, err + } + return lname, nil +} diff --git a/vendor/helm.sh/helm/v3/pkg/action/lazyclient.go b/vendor/helm.sh/helm/v3/pkg/action/lazyclient.go new file mode 100644 index 0000000000..9037782bb5 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/action/lazyclient.go @@ -0,0 +1,197 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package action + +import ( + "context" + "sync" + + v1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/types" + "k8s.io/apimachinery/pkg/watch" + applycorev1 "k8s.io/client-go/applyconfigurations/core/v1" + "k8s.io/client-go/kubernetes" + corev1 "k8s.io/client-go/kubernetes/typed/core/v1" +) + +// lazyClient is a workaround to deal with Kubernetes having an unstable client API. +// In Kubernetes v1.18 the defaults where removed which broke creating a +// client without an explicit configuration. ಠ_ಠ +type lazyClient struct { + // client caches an initialized kubernetes client + initClient sync.Once + client kubernetes.Interface + clientErr error + + // clientFn loads a kubernetes client + clientFn func() (*kubernetes.Clientset, error) + + // namespace passed to each client request + namespace string +} + +func (s *lazyClient) init() error { + s.initClient.Do(func() { + s.client, s.clientErr = s.clientFn() + }) + return s.clientErr +} + +// secretClient implements a corev1.SecretsInterface +type secretClient struct{ *lazyClient } + +var _ corev1.SecretInterface = (*secretClient)(nil) + +func newSecretClient(lc *lazyClient) *secretClient { + return &secretClient{lazyClient: lc} +} + +func (s *secretClient) Create(ctx context.Context, secret *v1.Secret, opts metav1.CreateOptions) (result *v1.Secret, err error) { + if err := s.init(); err != nil { + return nil, err + } + return s.client.CoreV1().Secrets(s.namespace).Create(ctx, secret, opts) +} + +func (s *secretClient) Update(ctx context.Context, secret *v1.Secret, opts metav1.UpdateOptions) (*v1.Secret, error) { + if err := s.init(); err != nil { + return nil, err + } + return s.client.CoreV1().Secrets(s.namespace).Update(ctx, secret, opts) +} + +func (s *secretClient) Delete(ctx context.Context, name string, opts metav1.DeleteOptions) error { + if err := s.init(); err != nil { + return err + } + return s.client.CoreV1().Secrets(s.namespace).Delete(ctx, name, opts) +} + +func (s *secretClient) DeleteCollection(ctx context.Context, opts metav1.DeleteOptions, listOpts metav1.ListOptions) error { + if err := s.init(); err != nil { + return err + } + return s.client.CoreV1().Secrets(s.namespace).DeleteCollection(ctx, opts, listOpts) +} + +func (s *secretClient) Get(ctx context.Context, name string, opts metav1.GetOptions) (*v1.Secret, error) { + if err := s.init(); err != nil { + return nil, err + } + return s.client.CoreV1().Secrets(s.namespace).Get(ctx, name, opts) +} + +func (s *secretClient) List(ctx context.Context, opts metav1.ListOptions) (*v1.SecretList, error) { + if err := s.init(); err != nil { + return nil, err + } + return s.client.CoreV1().Secrets(s.namespace).List(ctx, opts) +} + +func (s *secretClient) Watch(ctx context.Context, opts metav1.ListOptions) (watch.Interface, error) { + if err := s.init(); err != nil { + return nil, err + } + return s.client.CoreV1().Secrets(s.namespace).Watch(ctx, opts) +} + +func (s *secretClient) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts metav1.PatchOptions, subresources ...string) (*v1.Secret, error) { + if err := s.init(); err != nil { + return nil, err + } + return s.client.CoreV1().Secrets(s.namespace).Patch(ctx, name, pt, data, opts, subresources...) +} + +func (s *secretClient) Apply(ctx context.Context, secretConfiguration *applycorev1.SecretApplyConfiguration, opts metav1.ApplyOptions) (*v1.Secret, error) { + if err := s.init(); err != nil { + return nil, err + } + return s.client.CoreV1().Secrets(s.namespace).Apply(ctx, secretConfiguration, opts) +} + +// configMapClient implements a corev1.ConfigMapInterface +type configMapClient struct{ *lazyClient } + +var _ corev1.ConfigMapInterface = (*configMapClient)(nil) + +func newConfigMapClient(lc *lazyClient) *configMapClient { + return &configMapClient{lazyClient: lc} +} + +func (c *configMapClient) Create(ctx context.Context, configMap *v1.ConfigMap, opts metav1.CreateOptions) (*v1.ConfigMap, error) { + if err := c.init(); err != nil { + return nil, err + } + return c.client.CoreV1().ConfigMaps(c.namespace).Create(ctx, configMap, opts) +} + +func (c *configMapClient) Update(ctx context.Context, configMap *v1.ConfigMap, opts metav1.UpdateOptions) (*v1.ConfigMap, error) { + if err := c.init(); err != nil { + return nil, err + } + return c.client.CoreV1().ConfigMaps(c.namespace).Update(ctx, configMap, opts) +} + +func (c *configMapClient) Delete(ctx context.Context, name string, opts metav1.DeleteOptions) error { + if err := c.init(); err != nil { + return err + } + return c.client.CoreV1().ConfigMaps(c.namespace).Delete(ctx, name, opts) +} + +func (c *configMapClient) DeleteCollection(ctx context.Context, opts metav1.DeleteOptions, listOpts metav1.ListOptions) error { + if err := c.init(); err != nil { + return err + } + return c.client.CoreV1().ConfigMaps(c.namespace).DeleteCollection(ctx, opts, listOpts) +} + +func (c *configMapClient) Get(ctx context.Context, name string, opts metav1.GetOptions) (*v1.ConfigMap, error) { + if err := c.init(); err != nil { + return nil, err + } + return c.client.CoreV1().ConfigMaps(c.namespace).Get(ctx, name, opts) +} + +func (c *configMapClient) List(ctx context.Context, opts metav1.ListOptions) (*v1.ConfigMapList, error) { + if err := c.init(); err != nil { + return nil, err + } + return c.client.CoreV1().ConfigMaps(c.namespace).List(ctx, opts) +} + +func (c *configMapClient) Watch(ctx context.Context, opts metav1.ListOptions) (watch.Interface, error) { + if err := c.init(); err != nil { + return nil, err + } + return c.client.CoreV1().ConfigMaps(c.namespace).Watch(ctx, opts) +} + +func (c *configMapClient) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts metav1.PatchOptions, subresources ...string) (*v1.ConfigMap, error) { + if err := c.init(); err != nil { + return nil, err + } + return c.client.CoreV1().ConfigMaps(c.namespace).Patch(ctx, name, pt, data, opts, subresources...) +} + +func (c *configMapClient) Apply(ctx context.Context, configMap *applycorev1.ConfigMapApplyConfiguration, opts metav1.ApplyOptions) (*v1.ConfigMap, error) { + if err := c.init(); err != nil { + return nil, err + } + return c.client.CoreV1().ConfigMaps(c.namespace).Apply(ctx, configMap, opts) +} diff --git a/vendor/helm.sh/helm/v3/pkg/action/lint.go b/vendor/helm.sh/helm/v3/pkg/action/lint.go new file mode 100644 index 0000000000..63a1bf354e --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/action/lint.go @@ -0,0 +1,130 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package action + +import ( + "os" + "path/filepath" + "strings" + + "github.com/pkg/errors" + + "helm.sh/helm/v3/pkg/chartutil" + "helm.sh/helm/v3/pkg/lint" + "helm.sh/helm/v3/pkg/lint/support" +) + +// Lint is the action for checking that the semantics of a chart are well-formed. +// +// It provides the implementation of 'helm lint'. +type Lint struct { + Strict bool + Namespace string + WithSubcharts bool + Quiet bool + SkipSchemaValidation bool + KubeVersion *chartutil.KubeVersion +} + +// LintResult is the result of Lint +type LintResult struct { + TotalChartsLinted int + Messages []support.Message + Errors []error +} + +// NewLint creates a new Lint object with the given configuration. +func NewLint() *Lint { + return &Lint{} +} + +// Run executes 'helm Lint' against the given chart. +func (l *Lint) Run(paths []string, vals map[string]interface{}) *LintResult { + lowestTolerance := support.ErrorSev + if l.Strict { + lowestTolerance = support.WarningSev + } + result := &LintResult{} + for _, path := range paths { + linter, err := lintChart(path, vals, l.Namespace, l.KubeVersion, l.SkipSchemaValidation) + if err != nil { + result.Errors = append(result.Errors, err) + continue + } + + result.Messages = append(result.Messages, linter.Messages...) + result.TotalChartsLinted++ + for _, msg := range linter.Messages { + if msg.Severity >= lowestTolerance { + result.Errors = append(result.Errors, msg.Err) + } + } + } + return result +} + +// HasWarningsOrErrors checks is LintResult has any warnings or errors +func HasWarningsOrErrors(result *LintResult) bool { + for _, msg := range result.Messages { + if msg.Severity > support.InfoSev { + return true + } + } + return len(result.Errors) > 0 +} + +func lintChart(path string, vals map[string]interface{}, namespace string, kubeVersion *chartutil.KubeVersion, skipSchemaValidation bool) (support.Linter, error) { + var chartPath string + linter := support.Linter{} + + if strings.HasSuffix(path, ".tgz") || strings.HasSuffix(path, ".tar.gz") { + tempDir, err := os.MkdirTemp("", "helm-lint") + if err != nil { + return linter, errors.Wrap(err, "unable to create temp dir to extract tarball") + } + defer os.RemoveAll(tempDir) + + file, err := os.Open(path) + if err != nil { + return linter, errors.Wrap(err, "unable to open tarball") + } + defer file.Close() + + if err = chartutil.Expand(tempDir, file); err != nil { + return linter, errors.Wrap(err, "unable to extract tarball") + } + + files, err := os.ReadDir(tempDir) + if err != nil { + return linter, errors.Wrapf(err, "unable to read temporary output directory %s", tempDir) + } + if !files[0].IsDir() { + return linter, errors.Errorf("unexpected file %s in temporary output directory %s", files[0].Name(), tempDir) + } + + chartPath = filepath.Join(tempDir, files[0].Name()) + } else { + chartPath = path + } + + // Guard: Error out if this is not a chart. + if _, err := os.Stat(filepath.Join(chartPath, "Chart.yaml")); err != nil { + return linter, errors.Wrap(err, "unable to check Chart.yaml file in chart") + } + + return lint.AllWithKubeVersionAndSchemaValidation(chartPath, vals, namespace, kubeVersion, skipSchemaValidation), nil +} diff --git a/vendor/helm.sh/helm/v3/pkg/action/list.go b/vendor/helm.sh/helm/v3/pkg/action/list.go new file mode 100644 index 0000000000..af0725c4a9 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/action/list.go @@ -0,0 +1,324 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package action + +import ( + "path" + "regexp" + + "k8s.io/apimachinery/pkg/labels" + + "helm.sh/helm/v3/pkg/release" + "helm.sh/helm/v3/pkg/releaseutil" +) + +// ListStates represents zero or more status codes that a list item may have set +// +// Because this is used as a bitmask filter, more than one bit can be flipped +// in the ListStates. +type ListStates uint + +const ( + // ListDeployed filters on status "deployed" + ListDeployed ListStates = 1 << iota + // ListUninstalled filters on status "uninstalled" + ListUninstalled + // ListUninstalling filters on status "uninstalling" (uninstall in progress) + ListUninstalling + // ListPendingInstall filters on status "pending" (deployment in progress) + ListPendingInstall + // ListPendingUpgrade filters on status "pending_upgrade" (upgrade in progress) + ListPendingUpgrade + // ListPendingRollback filters on status "pending_rollback" (rollback in progress) + ListPendingRollback + // ListSuperseded filters on status "superseded" (historical release version that is no longer deployed) + ListSuperseded + // ListFailed filters on status "failed" (release version not deployed because of error) + ListFailed + // ListUnknown filters on an unknown status + ListUnknown +) + +// FromName takes a state name and returns a ListStates representation. +// +// Currently, there are only names for individual flipped bits, so the returned +// ListStates will only match one of the constants. However, it is possible that +// this behavior could change in the future. +func (s ListStates) FromName(str string) ListStates { + switch str { + case "deployed": + return ListDeployed + case "uninstalled": + return ListUninstalled + case "superseded": + return ListSuperseded + case "failed": + return ListFailed + case "uninstalling": + return ListUninstalling + case "pending-install": + return ListPendingInstall + case "pending-upgrade": + return ListPendingUpgrade + case "pending-rollback": + return ListPendingRollback + } + return ListUnknown +} + +// ListAll is a convenience for enabling all list filters +const ListAll = ListDeployed | ListUninstalled | ListUninstalling | ListPendingInstall | ListPendingRollback | ListPendingUpgrade | ListSuperseded | ListFailed + +// Sorter is a top-level sort +type Sorter uint + +const ( + // ByNameDesc sorts by descending lexicographic order + ByNameDesc Sorter = iota + 1 + // ByDateAsc sorts by ascending dates (oldest updated release first) + ByDateAsc + // ByDateDesc sorts by descending dates (latest updated release first) + ByDateDesc +) + +// List is the action for listing releases. +// +// It provides, for example, the implementation of 'helm list'. +// It returns no more than one revision of every release in one specific, or in +// all, namespaces. +// To list all the revisions of a specific release, see the History action. +type List struct { + cfg *Configuration + + // All ignores the limit/offset + All bool + // AllNamespaces searches across namespaces + AllNamespaces bool + // Sort indicates the sort to use + // + // see pkg/releaseutil for several useful sorters + Sort Sorter + // Overrides the default lexicographic sorting + ByDate bool + SortReverse bool + // StateMask accepts a bitmask of states for items to show. + // The default is ListDeployed + StateMask ListStates + // Limit is the number of items to return per Run() + Limit int + // Offset is the starting index for the Run() call + Offset int + // Filter is a filter that is applied to the results + Filter string + Short bool + NoHeaders bool + TimeFormat string + Uninstalled bool + Superseded bool + Uninstalling bool + Deployed bool + Failed bool + Pending bool + Selector string +} + +// NewList constructs a new *List +func NewList(cfg *Configuration) *List { + return &List{ + StateMask: ListDeployed | ListFailed, + cfg: cfg, + } +} + +// Run executes the list command, returning a set of matches. +func (l *List) Run() ([]*release.Release, error) { + if err := l.cfg.KubeClient.IsReachable(); err != nil { + return nil, err + } + + var filter *regexp.Regexp + if l.Filter != "" { + var err error + filter, err = regexp.Compile(l.Filter) + if err != nil { + return nil, err + } + } + + results, err := l.cfg.Releases.List(func(rel *release.Release) bool { + // Skip anything that doesn't match the filter. + if filter != nil && !filter.MatchString(rel.Name) { + return false + } + + return true + }) + + if err != nil { + return nil, err + } + + if results == nil { + return results, nil + } + + // by definition, superseded releases are never shown if + // only the latest releases are returned. so if requested statemask + // is _only_ ListSuperseded, skip the latest release filter + if l.StateMask != ListSuperseded { + results = filterLatestReleases(results) + } + + // State mask application must occur after filtering to + // latest releases, otherwise outdated entries can be returned + results = l.filterStateMask(results) + + // Skip anything that doesn't match the selector + selectorObj, err := labels.Parse(l.Selector) + if err != nil { + return nil, err + } + results = l.filterSelector(results, selectorObj) + + // Unfortunately, we have to sort before truncating, which can incur substantial overhead + l.sort(results) + + // Guard on offset + if l.Offset >= len(results) { + return []*release.Release{}, nil + } + + // Calculate the limit and offset, and then truncate results if necessary. + limit := len(results) + if l.Limit > 0 && l.Limit < limit { + limit = l.Limit + } + last := l.Offset + limit + if l := len(results); l < last { + last = l + } + results = results[l.Offset:last] + + return results, err +} + +// sort is an in-place sort where order is based on the value of a.Sort +func (l *List) sort(rels []*release.Release) { + if l.SortReverse { + l.Sort = ByNameDesc + } + + if l.ByDate { + l.Sort = ByDateDesc + if l.SortReverse { + l.Sort = ByDateAsc + } + } + + switch l.Sort { + case ByDateDesc: + releaseutil.SortByDate(rels) + case ByDateAsc: + releaseutil.Reverse(rels, releaseutil.SortByDate) + case ByNameDesc: + releaseutil.Reverse(rels, releaseutil.SortByName) + default: + releaseutil.SortByName(rels) + } +} + +// filterLatestReleases returns a list scrubbed of old releases. +func filterLatestReleases(releases []*release.Release) []*release.Release { + latestReleases := make(map[string]*release.Release) + + for _, rls := range releases { + name, namespace := rls.Name, rls.Namespace + key := path.Join(namespace, name) + if latestRelease, exists := latestReleases[key]; exists && latestRelease.Version > rls.Version { + continue + } + latestReleases[key] = rls + } + + var list = make([]*release.Release, 0, len(latestReleases)) + for _, rls := range latestReleases { + list = append(list, rls) + } + return list +} + +func (l *List) filterStateMask(releases []*release.Release) []*release.Release { + desiredStateReleases := make([]*release.Release, 0) + + for _, rls := range releases { + currentStatus := l.StateMask.FromName(rls.Info.Status.String()) + mask := l.StateMask & currentStatus + if mask == 0 { + continue + } + desiredStateReleases = append(desiredStateReleases, rls) + } + + return desiredStateReleases +} + +func (l *List) filterSelector(releases []*release.Release, selector labels.Selector) []*release.Release { + desiredStateReleases := make([]*release.Release, 0) + + for _, rls := range releases { + if selector.Matches(labels.Set(rls.Labels)) { + desiredStateReleases = append(desiredStateReleases, rls) + } + } + + return desiredStateReleases +} + +// SetStateMask calculates the state mask based on parameters. +func (l *List) SetStateMask() { + if l.All { + l.StateMask = ListAll + return + } + + state := ListStates(0) + if l.Deployed { + state |= ListDeployed + } + if l.Uninstalled { + state |= ListUninstalled + } + if l.Uninstalling { + state |= ListUninstalling + } + if l.Pending { + state |= ListPendingInstall | ListPendingRollback | ListPendingUpgrade + } + if l.Failed { + state |= ListFailed + } + if l.Superseded { + state |= ListSuperseded + } + + // Apply a default + if state == 0 { + state = ListDeployed | ListFailed + } + + l.StateMask = state +} diff --git a/vendor/helm.sh/helm/v3/pkg/action/package.go b/vendor/helm.sh/helm/v3/pkg/action/package.go new file mode 100644 index 0000000000..2357e3882a --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/action/package.go @@ -0,0 +1,188 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package action + +import ( + "bufio" + "fmt" + "os" + "syscall" + + "github.com/Masterminds/semver/v3" + "github.com/pkg/errors" + "golang.org/x/term" + + "helm.sh/helm/v3/pkg/chart/loader" + "helm.sh/helm/v3/pkg/chartutil" + "helm.sh/helm/v3/pkg/provenance" +) + +// Package is the action for packaging a chart. +// +// It provides the implementation of 'helm package'. +type Package struct { + Sign bool + Key string + Keyring string + PassphraseFile string + Version string + AppVersion string + Destination string + DependencyUpdate bool + + RepositoryConfig string + RepositoryCache string + PlainHTTP bool + Username string + Password string + CertFile string + KeyFile string + CaFile string + InsecureSkipTLSverify bool +} + +// NewPackage creates a new Package object with the given configuration. +func NewPackage() *Package { + return &Package{} +} + +// Run executes 'helm package' against the given chart and returns the path to the packaged chart. +func (p *Package) Run(path string, _ map[string]interface{}) (string, error) { + ch, err := loader.LoadDir(path) + if err != nil { + return "", err + } + + // If version is set, modify the version. + if p.Version != "" { + ch.Metadata.Version = p.Version + } + + if err := validateVersion(ch.Metadata.Version); err != nil { + return "", err + } + + if p.AppVersion != "" { + ch.Metadata.AppVersion = p.AppVersion + } + + if reqs := ch.Metadata.Dependencies; reqs != nil { + if err := CheckDependencies(ch, reqs); err != nil { + return "", err + } + } + + var dest string + if p.Destination == "." { + // Save to the current working directory. + dest, err = os.Getwd() + if err != nil { + return "", err + } + } else { + // Otherwise save to set destination + dest = p.Destination + } + + name, err := chartutil.Save(ch, dest) + if err != nil { + return "", errors.Wrap(err, "failed to save") + } + + if p.Sign { + err = p.Clearsign(name) + } + + return name, err +} + +// validateVersion Verify that version is a Version, and error out if it is not. +func validateVersion(ver string) error { + if _, err := semver.NewVersion(ver); err != nil { + return err + } + return nil +} + +// Clearsign signs a chart +func (p *Package) Clearsign(filename string) error { + // Load keyring + signer, err := provenance.NewFromKeyring(p.Keyring, p.Key) + if err != nil { + return err + } + + passphraseFetcher := promptUser + if p.PassphraseFile != "" { + passphraseFetcher, err = passphraseFileFetcher(p.PassphraseFile, os.Stdin) + if err != nil { + return err + } + } + + if err := signer.DecryptKey(passphraseFetcher); err != nil { + return err + } + + sig, err := signer.ClearSign(filename) + if err != nil { + return err + } + + return os.WriteFile(filename+".prov", []byte(sig), 0644) +} + +// promptUser implements provenance.PassphraseFetcher +func promptUser(name string) ([]byte, error) { + fmt.Printf("Password for key %q > ", name) + // syscall.Stdin is not an int in all environments and needs to be coerced + // into one there (e.g., Windows) + pw, err := term.ReadPassword(int(syscall.Stdin)) + fmt.Println() + return pw, err +} + +func passphraseFileFetcher(passphraseFile string, stdin *os.File) (provenance.PassphraseFetcher, error) { + file, err := openPassphraseFile(passphraseFile, stdin) + if err != nil { + return nil, err + } + defer file.Close() + + reader := bufio.NewReader(file) + passphrase, _, err := reader.ReadLine() + if err != nil { + return nil, err + } + return func(_ string) ([]byte, error) { + return passphrase, nil + }, nil +} + +func openPassphraseFile(passphraseFile string, stdin *os.File) (*os.File, error) { + if passphraseFile == "-" { + stat, err := stdin.Stat() + if err != nil { + return nil, err + } + if (stat.Mode() & os.ModeNamedPipe) == 0 { + return nil, errors.New("specified reading passphrase from stdin, without input on stdin") + } + return stdin, nil + } + return os.Open(passphraseFile) +} diff --git a/vendor/helm.sh/helm/v3/pkg/action/pull.go b/vendor/helm.sh/helm/v3/pkg/action/pull.go new file mode 100644 index 0000000000..7875531255 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/action/pull.go @@ -0,0 +1,172 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package action + +import ( + "fmt" + "os" + "path/filepath" + "strings" + + "github.com/pkg/errors" + + "helm.sh/helm/v3/pkg/chartutil" + "helm.sh/helm/v3/pkg/cli" + "helm.sh/helm/v3/pkg/downloader" + "helm.sh/helm/v3/pkg/getter" + "helm.sh/helm/v3/pkg/registry" + "helm.sh/helm/v3/pkg/repo" +) + +// Pull is the action for checking a given release's information. +// +// It provides the implementation of 'helm pull'. +type Pull struct { + ChartPathOptions + + Settings *cli.EnvSettings // TODO: refactor this out of pkg/action + + Devel bool + Untar bool + VerifyLater bool + UntarDir string + DestDir string + cfg *Configuration +} + +type PullOpt func(*Pull) + +func WithConfig(cfg *Configuration) PullOpt { + return func(p *Pull) { + p.cfg = cfg + } +} + +// NewPull creates a new Pull object. +func NewPull() *Pull { + return NewPullWithOpts() +} + +// NewPullWithOpts creates a new pull, with configuration options. +func NewPullWithOpts(opts ...PullOpt) *Pull { + p := &Pull{} + for _, fn := range opts { + fn(p) + } + + return p +} + +// SetRegistryClient sets the registry client on the pull configuration object. +func (p *Pull) SetRegistryClient(client *registry.Client) { + p.cfg.RegistryClient = client +} + +// Run executes 'helm pull' against the given release. +func (p *Pull) Run(chartRef string) (string, error) { + var out strings.Builder + + c := downloader.ChartDownloader{ + Out: &out, + Keyring: p.Keyring, + Verify: downloader.VerifyNever, + Getters: getter.All(p.Settings), + Options: []getter.Option{ + getter.WithBasicAuth(p.Username, p.Password), + getter.WithPassCredentialsAll(p.PassCredentialsAll), + getter.WithTLSClientConfig(p.CertFile, p.KeyFile, p.CaFile), + getter.WithInsecureSkipVerifyTLS(p.InsecureSkipTLSverify), + getter.WithPlainHTTP(p.PlainHTTP), + }, + RegistryClient: p.cfg.RegistryClient, + RepositoryConfig: p.Settings.RepositoryConfig, + RepositoryCache: p.Settings.RepositoryCache, + } + + if registry.IsOCI(chartRef) { + c.Options = append(c.Options, + getter.WithRegistryClient(p.cfg.RegistryClient)) + c.RegistryClient = p.cfg.RegistryClient + } + + if p.Verify { + c.Verify = downloader.VerifyAlways + } else if p.VerifyLater { + c.Verify = downloader.VerifyLater + } + + // If untar is set, we fetch to a tempdir, then untar and copy after + // verification. + dest := p.DestDir + if p.Untar { + var err error + dest, err = os.MkdirTemp("", "helm-") + if err != nil { + return out.String(), errors.Wrap(err, "failed to untar") + } + defer os.RemoveAll(dest) + } + + if p.RepoURL != "" { + chartURL, err := repo.FindChartInAuthAndTLSAndPassRepoURL(p.RepoURL, p.Username, p.Password, chartRef, p.Version, p.CertFile, p.KeyFile, p.CaFile, p.InsecureSkipTLSverify, p.PassCredentialsAll, getter.All(p.Settings)) + if err != nil { + return out.String(), err + } + chartRef = chartURL + } + + saved, v, err := c.DownloadTo(chartRef, p.Version, dest) + if err != nil { + return out.String(), err + } + + if p.Verify { + for name := range v.SignedBy.Identities { + fmt.Fprintf(&out, "Signed by: %v\n", name) + } + fmt.Fprintf(&out, "Using Key With Fingerprint: %X\n", v.SignedBy.PrimaryKey.Fingerprint) + fmt.Fprintf(&out, "Chart Hash Verified: %s\n", v.FileHash) + } + + // After verification, untar the chart into the requested directory. + if p.Untar { + ud := p.UntarDir + if !filepath.IsAbs(ud) { + ud = filepath.Join(p.DestDir, ud) + } + // Let udCheck to check conflict file/dir without replacing ud when untarDir is the current directory(.). + udCheck := ud + if udCheck == "." { + _, udCheck = filepath.Split(chartRef) + } else { + _, chartName := filepath.Split(chartRef) + udCheck = filepath.Join(udCheck, chartName) + } + + if _, err := os.Stat(udCheck); err != nil { + if err := os.MkdirAll(udCheck, 0755); err != nil { + return out.String(), errors.Wrap(err, "failed to untar (mkdir)") + } + + } else { + return out.String(), errors.Errorf("failed to untar: a file or directory with the name %s already exists", udCheck) + } + + return out.String(), chartutil.ExpandFile(ud, saved) + } + return out.String(), nil +} diff --git a/vendor/helm.sh/helm/v3/pkg/action/push.go b/vendor/helm.sh/helm/v3/pkg/action/push.go new file mode 100644 index 0000000000..70e5c15823 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/action/push.go @@ -0,0 +1,112 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package action + +import ( + "io" + "strings" + + "helm.sh/helm/v3/pkg/cli" + "helm.sh/helm/v3/pkg/pusher" + "helm.sh/helm/v3/pkg/registry" + "helm.sh/helm/v3/pkg/uploader" +) + +// Push is the action for uploading a chart. +// +// It provides the implementation of 'helm push'. +type Push struct { + Settings *cli.EnvSettings + cfg *Configuration + certFile string + keyFile string + caFile string + insecureSkipTLSverify bool + plainHTTP bool + out io.Writer +} + +// PushOpt is a type of function that sets options for a push action. +type PushOpt func(*Push) + +// WithPushConfig sets the cfg field on the push configuration object. +func WithPushConfig(cfg *Configuration) PushOpt { + return func(p *Push) { + p.cfg = cfg + } +} + +// WithTLSClientConfig sets the certFile, keyFile, and caFile fields on the push configuration object. +func WithTLSClientConfig(certFile, keyFile, caFile string) PushOpt { + return func(p *Push) { + p.certFile = certFile + p.keyFile = keyFile + p.caFile = caFile + } +} + +// WithInsecureSkipTLSVerify determines if a TLS Certificate will be checked +func WithInsecureSkipTLSVerify(insecureSkipTLSVerify bool) PushOpt { + return func(p *Push) { + p.insecureSkipTLSverify = insecureSkipTLSVerify + } +} + +// WithPlainHTTP configures the use of plain HTTP connections. +func WithPlainHTTP(plainHTTP bool) PushOpt { + return func(p *Push) { + p.plainHTTP = plainHTTP + } +} + +// WithPushOptWriter sets the registryOut field on the push configuration object. +func WithPushOptWriter(out io.Writer) PushOpt { + return func(p *Push) { + p.out = out + } +} + +// NewPushWithOpts creates a new push, with configuration options. +func NewPushWithOpts(opts ...PushOpt) *Push { + p := &Push{} + for _, fn := range opts { + fn(p) + } + return p +} + +// Run executes 'helm push' against the given chart archive. +func (p *Push) Run(chartRef string, remote string) (string, error) { + var out strings.Builder + + c := uploader.ChartUploader{ + Out: &out, + Pushers: pusher.All(p.Settings), + Options: []pusher.Option{ + pusher.WithTLSClientConfig(p.certFile, p.keyFile, p.caFile), + pusher.WithInsecureSkipTLSVerify(p.insecureSkipTLSverify), + pusher.WithPlainHTTP(p.plainHTTP), + }, + } + + if registry.IsOCI(remote) { + // Don't use the default registry client if tls options are set. + c.Options = append(c.Options, pusher.WithRegistryClient(p.cfg.RegistryClient)) + } + + return out.String(), c.UploadTo(chartRef, remote) +} diff --git a/vendor/helm.sh/helm/v3/pkg/action/registry_login.go b/vendor/helm.sh/helm/v3/pkg/action/registry_login.go new file mode 100644 index 0000000000..b4e038123a --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/action/registry_login.go @@ -0,0 +1,99 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package action + +import ( + "io" + + "helm.sh/helm/v3/pkg/registry" +) + +// RegistryLogin performs a registry login operation. +type RegistryLogin struct { + cfg *Configuration + certFile string + keyFile string + caFile string + insecure bool + plainHTTP bool +} + +type RegistryLoginOpt func(*RegistryLogin) error + +// WithCertFile specifies the path to the certificate file to use for TLS. +func WithCertFile(certFile string) RegistryLoginOpt { + return func(r *RegistryLogin) error { + r.certFile = certFile + return nil + } +} + +// WithInsecure specifies whether to verify certificates. +func WithInsecure(insecure bool) RegistryLoginOpt { + return func(r *RegistryLogin) error { + r.insecure = insecure + return nil + } +} + +// WithKeyFile specifies the path to the key file to use for TLS. +func WithKeyFile(keyFile string) RegistryLoginOpt { + return func(r *RegistryLogin) error { + r.keyFile = keyFile + return nil + } +} + +// WithCAFile specifies the path to the CA file to use for TLS. +func WithCAFile(caFile string) RegistryLoginOpt { + return func(r *RegistryLogin) error { + r.caFile = caFile + return nil + } +} + +// WithPlainHTTPLogin use http rather than https for login. +func WithPlainHTTPLogin(isPlain bool) RegistryLoginOpt { + return func(r *RegistryLogin) error { + r.plainHTTP = isPlain + return nil + } +} + +// NewRegistryLogin creates a new RegistryLogin object with the given configuration. +func NewRegistryLogin(cfg *Configuration) *RegistryLogin { + return &RegistryLogin{ + cfg: cfg, + } +} + +// Run executes the registry login operation +func (a *RegistryLogin) Run(_ io.Writer, hostname string, username string, password string, opts ...RegistryLoginOpt) error { + for _, opt := range opts { + if err := opt(a); err != nil { + return err + } + } + + return a.cfg.RegistryClient.Login( + hostname, + registry.LoginOptBasicAuth(username, password), + registry.LoginOptInsecure(a.insecure), + registry.LoginOptTLSClientConfig(a.certFile, a.keyFile, a.caFile), + registry.LoginOptPlainText(a.plainHTTP), + ) +} diff --git a/vendor/helm.sh/helm/v3/pkg/action/registry_logout.go b/vendor/helm.sh/helm/v3/pkg/action/registry_logout.go new file mode 100644 index 0000000000..7ce92defcf --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/action/registry_logout.go @@ -0,0 +1,38 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package action + +import ( + "io" +) + +// RegistryLogout performs a registry login operation. +type RegistryLogout struct { + cfg *Configuration +} + +// NewRegistryLogout creates a new RegistryLogout object with the given configuration. +func NewRegistryLogout(cfg *Configuration) *RegistryLogout { + return &RegistryLogout{ + cfg: cfg, + } +} + +// Run executes the registry logout operation +func (a *RegistryLogout) Run(_ io.Writer, hostname string) error { + return a.cfg.RegistryClient.Logout(hostname) +} diff --git a/vendor/helm.sh/helm/v3/pkg/action/release_testing.go b/vendor/helm.sh/helm/v3/pkg/action/release_testing.go new file mode 100644 index 0000000000..aaffe47cae --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/action/release_testing.go @@ -0,0 +1,153 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package action + +import ( + "context" + "fmt" + "io" + "sort" + "time" + + "github.com/pkg/errors" + v1 "k8s.io/api/core/v1" + + "helm.sh/helm/v3/pkg/chartutil" + "helm.sh/helm/v3/pkg/release" +) + +const ( + ExcludeNameFilter = "!name" + IncludeNameFilter = "name" +) + +// ReleaseTesting is the action for testing a release. +// +// It provides the implementation of 'helm test'. +type ReleaseTesting struct { + cfg *Configuration + Timeout time.Duration + // Used for fetching logs from test pods + Namespace string + Filters map[string][]string + HideNotes bool +} + +// NewReleaseTesting creates a new ReleaseTesting object with the given configuration. +func NewReleaseTesting(cfg *Configuration) *ReleaseTesting { + return &ReleaseTesting{ + cfg: cfg, + Filters: map[string][]string{}, + } +} + +// Run executes 'helm test' against the given release. +func (r *ReleaseTesting) Run(name string) (*release.Release, error) { + if err := r.cfg.KubeClient.IsReachable(); err != nil { + return nil, err + } + + if err := chartutil.ValidateReleaseName(name); err != nil { + return nil, errors.Errorf("releaseTest: Release name is invalid: %s", name) + } + + // finds the non-deleted release with the given name + rel, err := r.cfg.Releases.Last(name) + if err != nil { + return rel, err + } + + skippedHooks := []*release.Hook{} + executingHooks := []*release.Hook{} + if len(r.Filters[ExcludeNameFilter]) != 0 { + for _, h := range rel.Hooks { + if contains(r.Filters[ExcludeNameFilter], h.Name) { + skippedHooks = append(skippedHooks, h) + } else { + executingHooks = append(executingHooks, h) + } + } + rel.Hooks = executingHooks + } + if len(r.Filters[IncludeNameFilter]) != 0 { + executingHooks = nil + for _, h := range rel.Hooks { + if contains(r.Filters[IncludeNameFilter], h.Name) { + executingHooks = append(executingHooks, h) + } else { + skippedHooks = append(skippedHooks, h) + } + } + rel.Hooks = executingHooks + } + + if err := r.cfg.execHook(rel, release.HookTest, r.Timeout); err != nil { + rel.Hooks = append(skippedHooks, rel.Hooks...) + r.cfg.Releases.Update(rel) + return rel, err + } + + rel.Hooks = append(skippedHooks, rel.Hooks...) + return rel, r.cfg.Releases.Update(rel) +} + +// GetPodLogs will write the logs for all test pods in the given release into +// the given writer. These can be immediately output to the user or captured for +// other uses +func (r *ReleaseTesting) GetPodLogs(out io.Writer, rel *release.Release) error { + client, err := r.cfg.KubernetesClientSet() + if err != nil { + return errors.Wrap(err, "unable to get kubernetes client to fetch pod logs") + } + + hooksByWight := append([]*release.Hook{}, rel.Hooks...) + sort.Stable(hookByWeight(hooksByWight)) + for _, h := range hooksByWight { + for _, e := range h.Events { + if e == release.HookTest { + if contains(r.Filters[ExcludeNameFilter], h.Name) { + continue + } + if len(r.Filters[IncludeNameFilter]) > 0 && !contains(r.Filters[IncludeNameFilter], h.Name) { + continue + } + req := client.CoreV1().Pods(r.Namespace).GetLogs(h.Name, &v1.PodLogOptions{}) + logReader, err := req.Stream(context.Background()) + if err != nil { + return errors.Wrapf(err, "unable to get pod logs for %s", h.Name) + } + + fmt.Fprintf(out, "POD LOGS: %s\n", h.Name) + _, err = io.Copy(out, logReader) + fmt.Fprintln(out) + if err != nil { + return errors.Wrapf(err, "unable to write pod logs for %s", h.Name) + } + } + } + } + return nil +} + +func contains(arr []string, value string) bool { + for _, item := range arr { + if item == value { + return true + } + } + return false +} diff --git a/vendor/helm.sh/helm/v3/pkg/action/resource_policy.go b/vendor/helm.sh/helm/v3/pkg/action/resource_policy.go new file mode 100644 index 0000000000..63e83f3d94 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/action/resource_policy.go @@ -0,0 +1,46 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package action + +import ( + "strings" + + "helm.sh/helm/v3/pkg/kube" + "helm.sh/helm/v3/pkg/releaseutil" +) + +func filterManifestsToKeep(manifests []releaseutil.Manifest) (keep, remaining []releaseutil.Manifest) { + for _, m := range manifests { + if m.Head.Metadata == nil || m.Head.Metadata.Annotations == nil || len(m.Head.Metadata.Annotations) == 0 { + remaining = append(remaining, m) + continue + } + + resourcePolicyType, ok := m.Head.Metadata.Annotations[kube.ResourcePolicyAnno] + if !ok { + remaining = append(remaining, m) + continue + } + + resourcePolicyType = strings.ToLower(strings.TrimSpace(resourcePolicyType)) + if resourcePolicyType == kube.KeepPolicy { + keep = append(keep, m) + } + + } + return keep, remaining +} diff --git a/vendor/helm.sh/helm/v3/pkg/action/rollback.go b/vendor/helm.sh/helm/v3/pkg/action/rollback.go new file mode 100644 index 0000000000..b0be17d130 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/action/rollback.go @@ -0,0 +1,265 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package action + +import ( + "bytes" + "fmt" + "strings" + "time" + + "github.com/pkg/errors" + + "helm.sh/helm/v3/pkg/chartutil" + "helm.sh/helm/v3/pkg/release" + helmtime "helm.sh/helm/v3/pkg/time" +) + +// Rollback is the action for rolling back to a given release. +// +// It provides the implementation of 'helm rollback'. +type Rollback struct { + cfg *Configuration + + Version int + Timeout time.Duration + Wait bool + WaitForJobs bool + DisableHooks bool + DryRun bool + Recreate bool // will (if true) recreate pods after a rollback. + Force bool // will (if true) force resource upgrade through uninstall/recreate if needed + CleanupOnFail bool + MaxHistory int // MaxHistory limits the maximum number of revisions saved per release +} + +// NewRollback creates a new Rollback object with the given configuration. +func NewRollback(cfg *Configuration) *Rollback { + return &Rollback{ + cfg: cfg, + } +} + +// Run executes 'helm rollback' against the given release. +func (r *Rollback) Run(name string) error { + if err := r.cfg.KubeClient.IsReachable(); err != nil { + return err + } + + r.cfg.Releases.MaxHistory = r.MaxHistory + + r.cfg.Log("preparing rollback of %s", name) + currentRelease, targetRelease, err := r.prepareRollback(name) + if err != nil { + return err + } + + if !r.DryRun { + r.cfg.Log("creating rolled back release for %s", name) + if err := r.cfg.Releases.Create(targetRelease); err != nil { + return err + } + } + + r.cfg.Log("performing rollback of %s", name) + if _, err := r.performRollback(currentRelease, targetRelease); err != nil { + return err + } + + if !r.DryRun { + r.cfg.Log("updating status for rolled back release for %s", name) + if err := r.cfg.Releases.Update(targetRelease); err != nil { + return err + } + } + return nil +} + +// prepareRollback finds the previous release and prepares a new release object with +// the previous release's configuration +func (r *Rollback) prepareRollback(name string) (*release.Release, *release.Release, error) { + if err := chartutil.ValidateReleaseName(name); err != nil { + return nil, nil, errors.Errorf("prepareRollback: Release name is invalid: %s", name) + } + + if r.Version < 0 { + return nil, nil, errInvalidRevision + } + + currentRelease, err := r.cfg.Releases.Last(name) + if err != nil { + return nil, nil, err + } + + previousVersion := r.Version + if r.Version == 0 { + previousVersion = currentRelease.Version - 1 + } + + historyReleases, err := r.cfg.Releases.History(name) + if err != nil { + return nil, nil, err + } + + // Check if the history version to be rolled back exists + previousVersionExist := false + for _, historyRelease := range historyReleases { + version := historyRelease.Version + if previousVersion == version { + previousVersionExist = true + break + } + } + if !previousVersionExist { + return nil, nil, errors.Errorf("release has no %d version", previousVersion) + } + + r.cfg.Log("rolling back %s (current: v%d, target: v%d)", name, currentRelease.Version, previousVersion) + + previousRelease, err := r.cfg.Releases.Get(name, previousVersion) + if err != nil { + return nil, nil, err + } + + // Store a new release object with previous release's configuration + targetRelease := &release.Release{ + Name: name, + Namespace: currentRelease.Namespace, + Chart: previousRelease.Chart, + Config: previousRelease.Config, + Info: &release.Info{ + FirstDeployed: currentRelease.Info.FirstDeployed, + LastDeployed: helmtime.Now(), + Status: release.StatusPendingRollback, + Notes: previousRelease.Info.Notes, + // Because we lose the reference to previous version elsewhere, we set the + // message here, and only override it later if we experience failure. + Description: fmt.Sprintf("Rollback to %d", previousVersion), + }, + Version: currentRelease.Version + 1, + Labels: previousRelease.Labels, + Manifest: previousRelease.Manifest, + Hooks: previousRelease.Hooks, + } + + return currentRelease, targetRelease, nil +} + +func (r *Rollback) performRollback(currentRelease, targetRelease *release.Release) (*release.Release, error) { + if r.DryRun { + r.cfg.Log("dry run for %s", targetRelease.Name) + return targetRelease, nil + } + + current, err := r.cfg.KubeClient.Build(bytes.NewBufferString(currentRelease.Manifest), false) + if err != nil { + return targetRelease, errors.Wrap(err, "unable to build kubernetes objects from current release manifest") + } + target, err := r.cfg.KubeClient.Build(bytes.NewBufferString(targetRelease.Manifest), false) + if err != nil { + return targetRelease, errors.Wrap(err, "unable to build kubernetes objects from new release manifest") + } + + // pre-rollback hooks + if !r.DisableHooks { + if err := r.cfg.execHook(targetRelease, release.HookPreRollback, r.Timeout); err != nil { + return targetRelease, err + } + } else { + r.cfg.Log("rollback hooks disabled for %s", targetRelease.Name) + } + + // It is safe to use "force" here because these are resources currently rendered by the chart. + err = target.Visit(setMetadataVisitor(targetRelease.Name, targetRelease.Namespace, true)) + if err != nil { + return targetRelease, errors.Wrap(err, "unable to set metadata visitor from target release") + } + results, err := r.cfg.KubeClient.Update(current, target, r.Force) + + if err != nil { + msg := fmt.Sprintf("Rollback %q failed: %s", targetRelease.Name, err) + r.cfg.Log("warning: %s", msg) + currentRelease.Info.Status = release.StatusSuperseded + targetRelease.Info.Status = release.StatusFailed + targetRelease.Info.Description = msg + r.cfg.recordRelease(currentRelease) + r.cfg.recordRelease(targetRelease) + if r.CleanupOnFail { + r.cfg.Log("Cleanup on fail set, cleaning up %d resources", len(results.Created)) + _, errs := r.cfg.KubeClient.Delete(results.Created) + if errs != nil { + var errorList []string + for _, e := range errs { + errorList = append(errorList, e.Error()) + } + return targetRelease, errors.Wrapf(fmt.Errorf("unable to cleanup resources: %s", strings.Join(errorList, ", ")), "an error occurred while cleaning up resources. original rollback error: %s", err) + } + r.cfg.Log("Resource cleanup complete") + } + return targetRelease, err + } + + if r.Recreate { + // NOTE: Because this is not critical for a release to succeed, we just + // log if an error occurs and continue onward. If we ever introduce log + // levels, we should make these error level logs so users are notified + // that they'll need to go do the cleanup on their own + if err := recreate(r.cfg, results.Updated); err != nil { + r.cfg.Log(err.Error()) + } + } + + if r.Wait { + if r.WaitForJobs { + if err := r.cfg.KubeClient.WaitWithJobs(target, r.Timeout); err != nil { + targetRelease.SetStatus(release.StatusFailed, fmt.Sprintf("Release %q failed: %s", targetRelease.Name, err.Error())) + r.cfg.recordRelease(currentRelease) + r.cfg.recordRelease(targetRelease) + return targetRelease, errors.Wrapf(err, "release %s failed", targetRelease.Name) + } + } else { + if err := r.cfg.KubeClient.Wait(target, r.Timeout); err != nil { + targetRelease.SetStatus(release.StatusFailed, fmt.Sprintf("Release %q failed: %s", targetRelease.Name, err.Error())) + r.cfg.recordRelease(currentRelease) + r.cfg.recordRelease(targetRelease) + return targetRelease, errors.Wrapf(err, "release %s failed", targetRelease.Name) + } + } + } + + // post-rollback hooks + if !r.DisableHooks { + if err := r.cfg.execHook(targetRelease, release.HookPostRollback, r.Timeout); err != nil { + return targetRelease, err + } + } + + deployed, err := r.cfg.Releases.DeployedAll(currentRelease.Name) + if err != nil && !strings.Contains(err.Error(), "has no deployed releases") { + return nil, err + } + // Supersede all previous deployments, see issue #2941. + for _, rel := range deployed { + r.cfg.Log("superseding previous deployment %d", rel.Version) + rel.Info.Status = release.StatusSuperseded + r.cfg.recordRelease(rel) + } + + targetRelease.Info.Status = release.StatusDeployed + + return targetRelease, nil +} diff --git a/vendor/helm.sh/helm/v3/pkg/action/show.go b/vendor/helm.sh/helm/v3/pkg/action/show.go new file mode 100644 index 0000000000..6ed855b83f --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/action/show.go @@ -0,0 +1,165 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package action + +import ( + "bytes" + "fmt" + "strings" + + "github.com/pkg/errors" + "k8s.io/cli-runtime/pkg/printers" + "sigs.k8s.io/yaml" + + "helm.sh/helm/v3/pkg/chart" + "helm.sh/helm/v3/pkg/chart/loader" + "helm.sh/helm/v3/pkg/chartutil" + "helm.sh/helm/v3/pkg/registry" +) + +// ShowOutputFormat is the format of the output of `helm show` +type ShowOutputFormat string + +const ( + // ShowAll is the format which shows all the information of a chart + ShowAll ShowOutputFormat = "all" + // ShowChart is the format which only shows the chart's definition + ShowChart ShowOutputFormat = "chart" + // ShowValues is the format which only shows the chart's values + ShowValues ShowOutputFormat = "values" + // ShowReadme is the format which only shows the chart's README + ShowReadme ShowOutputFormat = "readme" + // ShowCRDs is the format which only shows the chart's CRDs + ShowCRDs ShowOutputFormat = "crds" +) + +var readmeFileNames = []string{"readme.md", "readme.txt", "readme"} + +func (o ShowOutputFormat) String() string { + return string(o) +} + +// Show is the action for checking a given release's information. +// +// It provides the implementation of 'helm show' and its respective subcommands. +type Show struct { + ChartPathOptions + Devel bool + OutputFormat ShowOutputFormat + JSONPathTemplate string + chart *chart.Chart // for testing +} + +// NewShow creates a new Show object with the given configuration. +// Deprecated: Use NewShowWithConfig +// TODO Helm 4: Fold NewShowWithConfig back into NewShow +func NewShow(output ShowOutputFormat) *Show { + return &Show{ + OutputFormat: output, + } +} + +// NewShowWithConfig creates a new Show object with the given configuration. +func NewShowWithConfig(output ShowOutputFormat, cfg *Configuration) *Show { + sh := &Show{ + OutputFormat: output, + } + sh.ChartPathOptions.registryClient = cfg.RegistryClient + + return sh +} + +// SetRegistryClient sets the registry client to use when pulling a chart from a registry. +func (s *Show) SetRegistryClient(client *registry.Client) { + s.ChartPathOptions.registryClient = client +} + +// Run executes 'helm show' against the given release. +func (s *Show) Run(chartpath string) (string, error) { + if s.chart == nil { + chrt, err := loader.Load(chartpath) + if err != nil { + return "", err + } + s.chart = chrt + } + cf, err := yaml.Marshal(s.chart.Metadata) + if err != nil { + return "", err + } + + var out strings.Builder + if s.OutputFormat == ShowChart || s.OutputFormat == ShowAll { + fmt.Fprintf(&out, "%s\n", cf) + } + + if (s.OutputFormat == ShowValues || s.OutputFormat == ShowAll) && s.chart.Values != nil { + if s.OutputFormat == ShowAll { + fmt.Fprintln(&out, "---") + } + if s.JSONPathTemplate != "" { + printer, err := printers.NewJSONPathPrinter(s.JSONPathTemplate) + if err != nil { + return "", errors.Wrapf(err, "error parsing jsonpath %s", s.JSONPathTemplate) + } + printer.Execute(&out, s.chart.Values) + } else { + for _, f := range s.chart.Raw { + if f.Name == chartutil.ValuesfileName { + fmt.Fprintln(&out, string(f.Data)) + } + } + } + } + + if s.OutputFormat == ShowReadme || s.OutputFormat == ShowAll { + readme := findReadme(s.chart.Files) + if readme != nil { + if s.OutputFormat == ShowAll { + fmt.Fprintln(&out, "---") + } + fmt.Fprintf(&out, "%s\n", readme.Data) + } + } + + if s.OutputFormat == ShowCRDs || s.OutputFormat == ShowAll { + crds := s.chart.CRDObjects() + if len(crds) > 0 { + if s.OutputFormat == ShowAll && !bytes.HasPrefix(crds[0].File.Data, []byte("---")) { + fmt.Fprintln(&out, "---") + } + for _, crd := range crds { + fmt.Fprintf(&out, "%s\n", string(crd.File.Data)) + } + } + } + return out.String(), nil +} + +func findReadme(files []*chart.File) (file *chart.File) { + for _, file := range files { + for _, n := range readmeFileNames { + if file == nil { + continue + } + if strings.EqualFold(file.Name, n) { + return file + } + } + } + return nil +} diff --git a/vendor/helm.sh/helm/v3/pkg/action/status.go b/vendor/helm.sh/helm/v3/pkg/action/status.go new file mode 100644 index 0000000000..ee1c9d6138 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/action/status.go @@ -0,0 +1,95 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package action + +import ( + "bytes" + "errors" + + "helm.sh/helm/v3/pkg/kube" + "helm.sh/helm/v3/pkg/release" +) + +// Status is the action for checking the deployment status of releases. +// +// It provides the implementation of 'helm status'. +type Status struct { + cfg *Configuration + + Version int + + // If true, display description to output format, + // only affect print type table. + // TODO Helm 4: Remove this flag and output the description by default. + ShowDescription bool + + // ShowResources sets if the resources should be retrieved with the status. + // TODO Helm 4: Remove this flag and output the resources by default. + ShowResources bool + + // ShowResourcesTable is used with ShowResources. When true this will cause + // the resulting objects to be retrieved as a kind=table. + ShowResourcesTable bool +} + +// NewStatus creates a new Status object with the given configuration. +func NewStatus(cfg *Configuration) *Status { + return &Status{ + cfg: cfg, + } +} + +// Run executes 'helm status' against the given release. +func (s *Status) Run(name string) (*release.Release, error) { + if err := s.cfg.KubeClient.IsReachable(); err != nil { + return nil, err + } + + if !s.ShowResources { + return s.cfg.releaseContent(name, s.Version) + } + + rel, err := s.cfg.releaseContent(name, s.Version) + if err != nil { + return nil, err + } + + if kubeClient, ok := s.cfg.KubeClient.(kube.InterfaceResources); ok { + var resources kube.ResourceList + if s.ShowResourcesTable { + resources, err = kubeClient.BuildTable(bytes.NewBufferString(rel.Manifest), false) + if err != nil { + return nil, err + } + } else { + resources, err = s.cfg.KubeClient.Build(bytes.NewBufferString(rel.Manifest), false) + if err != nil { + return nil, err + } + } + + resp, err := kubeClient.Get(resources, true) + if err != nil { + return nil, err + } + + rel.Info.Resources = resp + + return rel, nil + } + return nil, errors.New("unable to get kubeClient with interface InterfaceResources") +} diff --git a/vendor/helm.sh/helm/v3/pkg/action/uninstall.go b/vendor/helm.sh/helm/v3/pkg/action/uninstall.go new file mode 100644 index 0000000000..ac0c4fee8c --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/action/uninstall.go @@ -0,0 +1,247 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package action + +import ( + "strings" + "time" + + "github.com/pkg/errors" + + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + + "helm.sh/helm/v3/pkg/chartutil" + "helm.sh/helm/v3/pkg/kube" + "helm.sh/helm/v3/pkg/release" + "helm.sh/helm/v3/pkg/releaseutil" + helmtime "helm.sh/helm/v3/pkg/time" +) + +// Uninstall is the action for uninstalling releases. +// +// It provides the implementation of 'helm uninstall'. +type Uninstall struct { + cfg *Configuration + + DisableHooks bool + DryRun bool + IgnoreNotFound bool + KeepHistory bool + Wait bool + DeletionPropagation string + Timeout time.Duration + Description string +} + +// NewUninstall creates a new Uninstall object with the given configuration. +func NewUninstall(cfg *Configuration) *Uninstall { + return &Uninstall{ + cfg: cfg, + } +} + +// Run uninstalls the given release. +func (u *Uninstall) Run(name string) (*release.UninstallReleaseResponse, error) { + if err := u.cfg.KubeClient.IsReachable(); err != nil { + return nil, err + } + + if u.DryRun { + // In the dry run case, just see if the release exists + r, err := u.cfg.releaseContent(name, 0) + if err != nil { + return &release.UninstallReleaseResponse{}, err + } + return &release.UninstallReleaseResponse{Release: r}, nil + } + + if err := chartutil.ValidateReleaseName(name); err != nil { + return nil, errors.Errorf("uninstall: Release name is invalid: %s", name) + } + + rels, err := u.cfg.Releases.History(name) + if err != nil { + if u.IgnoreNotFound { + return nil, nil + } + return nil, errors.Wrapf(err, "uninstall: Release not loaded: %s", name) + } + if len(rels) < 1 { + return nil, errMissingRelease + } + + releaseutil.SortByRevision(rels) + rel := rels[len(rels)-1] + + // TODO: Are there any cases where we want to force a delete even if it's + // already marked deleted? + if rel.Info.Status == release.StatusUninstalled { + if !u.KeepHistory { + if err := u.purgeReleases(rels...); err != nil { + return nil, errors.Wrap(err, "uninstall: Failed to purge the release") + } + return &release.UninstallReleaseResponse{Release: rel}, nil + } + return nil, errors.Errorf("the release named %q is already deleted", name) + } + + u.cfg.Log("uninstall: Deleting %s", name) + rel.Info.Status = release.StatusUninstalling + rel.Info.Deleted = helmtime.Now() + rel.Info.Description = "Deletion in progress (or silently failed)" + res := &release.UninstallReleaseResponse{Release: rel} + + if !u.DisableHooks { + if err := u.cfg.execHook(rel, release.HookPreDelete, u.Timeout); err != nil { + return res, err + } + } else { + u.cfg.Log("delete hooks disabled for %s", name) + } + + // From here on out, the release is currently considered to be in StatusUninstalling + // state. + if err := u.cfg.Releases.Update(rel); err != nil { + u.cfg.Log("uninstall: Failed to store updated release: %s", err) + } + + deletedResources, kept, errs := u.deleteRelease(rel) + if errs != nil { + u.cfg.Log("uninstall: Failed to delete release: %s", errs) + return nil, errors.Errorf("failed to delete release: %s", name) + } + + if kept != "" { + kept = "These resources were kept due to the resource policy:\n" + kept + } + res.Info = kept + + if u.Wait { + if kubeClient, ok := u.cfg.KubeClient.(kube.InterfaceExt); ok { + if err := kubeClient.WaitForDelete(deletedResources, u.Timeout); err != nil { + errs = append(errs, err) + } + } + } + + if !u.DisableHooks { + if err := u.cfg.execHook(rel, release.HookPostDelete, u.Timeout); err != nil { + errs = append(errs, err) + } + } + + rel.Info.Status = release.StatusUninstalled + if len(u.Description) > 0 { + rel.Info.Description = u.Description + } else { + rel.Info.Description = "Uninstallation complete" + } + + if !u.KeepHistory { + u.cfg.Log("purge requested for %s", name) + err := u.purgeReleases(rels...) + if err != nil { + errs = append(errs, errors.Wrap(err, "uninstall: Failed to purge the release")) + } + + // Return the errors that occurred while deleting the release, if any + if len(errs) > 0 { + return res, errors.Errorf("uninstallation completed with %d error(s): %s", len(errs), joinErrors(errs)) + } + + return res, nil + } + + if err := u.cfg.Releases.Update(rel); err != nil { + u.cfg.Log("uninstall: Failed to store updated release: %s", err) + } + + if len(errs) > 0 { + return res, errors.Errorf("uninstallation completed with %d error(s): %s", len(errs), joinErrors(errs)) + } + return res, nil +} + +func (u *Uninstall) purgeReleases(rels ...*release.Release) error { + for _, rel := range rels { + if _, err := u.cfg.Releases.Delete(rel.Name, rel.Version); err != nil { + return err + } + } + return nil +} + +func joinErrors(errs []error) string { + es := make([]string, 0, len(errs)) + for _, e := range errs { + es = append(es, e.Error()) + } + return strings.Join(es, "; ") +} + +// deleteRelease deletes the release and returns list of delete resources and manifests that were kept in the deletion process +func (u *Uninstall) deleteRelease(rel *release.Release) (kube.ResourceList, string, []error) { + var errs []error + + manifests := releaseutil.SplitManifests(rel.Manifest) + _, files, err := releaseutil.SortManifests(manifests, nil, releaseutil.UninstallOrder) + if err != nil { + // We could instead just delete everything in no particular order. + // FIXME: One way to delete at this point would be to try a label-based + // deletion. The problem with this is that we could get a false positive + // and delete something that was not legitimately part of this release. + return nil, rel.Manifest, []error{errors.Wrap(err, "corrupted release record. You must manually delete the resources")} + } + + filesToKeep, filesToDelete := filterManifestsToKeep(files) + var kept string + for _, f := range filesToKeep { + kept += "[" + f.Head.Kind + "] " + f.Head.Metadata.Name + "\n" + } + + var builder strings.Builder + for _, file := range filesToDelete { + builder.WriteString("\n---\n" + file.Content) + } + + resources, err := u.cfg.KubeClient.Build(strings.NewReader(builder.String()), false) + if err != nil { + return nil, "", []error{errors.Wrap(err, "unable to build kubernetes objects for delete")} + } + if len(resources) > 0 { + if kubeClient, ok := u.cfg.KubeClient.(kube.InterfaceDeletionPropagation); ok { + _, errs = kubeClient.DeleteWithPropagationPolicy(resources, parseCascadingFlag(u.cfg, u.DeletionPropagation)) + return resources, kept, errs + } + _, errs = u.cfg.KubeClient.Delete(resources) + } + return resources, kept, errs +} + +func parseCascadingFlag(cfg *Configuration, cascadingFlag string) v1.DeletionPropagation { + switch cascadingFlag { + case "orphan": + return v1.DeletePropagationOrphan + case "foreground": + return v1.DeletePropagationForeground + case "background": + return v1.DeletePropagationBackground + default: + cfg.Log("uninstall: given cascade value: %s, defaulting to delete propagation background", cascadingFlag) + return v1.DeletePropagationBackground + } +} diff --git a/vendor/helm.sh/helm/v3/pkg/action/upgrade.go b/vendor/helm.sh/helm/v3/pkg/action/upgrade.go new file mode 100644 index 0000000000..a08d68495f --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/action/upgrade.go @@ -0,0 +1,646 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package action + +import ( + "bytes" + "context" + "fmt" + "strings" + "sync" + "time" + + "github.com/pkg/errors" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/cli-runtime/pkg/resource" + + "helm.sh/helm/v3/pkg/chart" + "helm.sh/helm/v3/pkg/chartutil" + "helm.sh/helm/v3/pkg/kube" + "helm.sh/helm/v3/pkg/postrender" + "helm.sh/helm/v3/pkg/registry" + "helm.sh/helm/v3/pkg/release" + "helm.sh/helm/v3/pkg/releaseutil" + "helm.sh/helm/v3/pkg/storage/driver" +) + +// Upgrade is the action for upgrading releases. +// +// It provides the implementation of 'helm upgrade'. +type Upgrade struct { + cfg *Configuration + + ChartPathOptions + + // Install is a purely informative flag that indicates whether this upgrade was done in "install" mode. + // + // Applications may use this to determine whether this Upgrade operation was done as part of a + // pure upgrade (Upgrade.Install == false) or as part of an install-or-upgrade operation + // (Upgrade.Install == true). + // + // Setting this to `true` will NOT cause `Upgrade` to perform an install if the release does not exist. + // That process must be handled by creating an Install action directly. See cmd/upgrade.go for an + // example of how this flag is used. + Install bool + // Devel indicates that the operation is done in devel mode. + Devel bool + // Namespace is the namespace in which this operation should be performed. + Namespace string + // SkipCRDs skips installing CRDs when install flag is enabled during upgrade + SkipCRDs bool + // Timeout is the timeout for this operation + Timeout time.Duration + // Wait determines whether the wait operation should be performed after the upgrade is requested. + Wait bool + // WaitForJobs determines whether the wait operation for the Jobs should be performed after the upgrade is requested. + WaitForJobs bool + // DisableHooks disables hook processing if set to true. + DisableHooks bool + // DryRun controls whether the operation is prepared, but not executed. + DryRun bool + // DryRunOption controls whether the operation is prepared, but not executed with options on whether or not to interact with the remote cluster. + DryRunOption string + // HideSecret can be set to true when DryRun is enabled in order to hide + // Kubernetes Secrets in the output. It cannot be used outside of DryRun. + HideSecret bool + // Force will, if set to `true`, ignore certain warnings and perform the upgrade anyway. + // + // This should be used with caution. + Force bool + // ResetValues will reset the values to the chart's built-ins rather than merging with existing. + ResetValues bool + // ReuseValues will re-use the user's last supplied values. + ReuseValues bool + // ResetThenReuseValues will reset the values to the chart's built-ins then merge with user's last supplied values. + ResetThenReuseValues bool + // Recreate will (if true) recreate pods after a rollback. + Recreate bool + // MaxHistory limits the maximum number of revisions saved per release + MaxHistory int + // Atomic, if true, will roll back on failure. + Atomic bool + // CleanupOnFail will, if true, cause the upgrade to delete newly-created resources on a failed update. + CleanupOnFail bool + // SubNotes determines whether sub-notes are rendered in the chart. + SubNotes bool + // HideNotes determines whether notes are output during upgrade + HideNotes bool + // SkipSchemaValidation determines if JSON schema validation is disabled. + SkipSchemaValidation bool + // Description is the description of this operation + Description string + Labels map[string]string + // PostRender is an optional post-renderer + // + // If this is non-nil, then after templates are rendered, they will be sent to the + // post renderer before sending to the Kubernetes API server. + PostRenderer postrender.PostRenderer + // DisableOpenAPIValidation controls whether OpenAPI validation is enforced. + DisableOpenAPIValidation bool + // Get missing dependencies + DependencyUpdate bool + // Lock to control raceconditions when the process receives a SIGTERM + Lock sync.Mutex + // Enable DNS lookups when rendering templates + EnableDNS bool + // TakeOwnership will skip the check for helm annotations and adopt all existing resources. + TakeOwnership bool +} + +type resultMessage struct { + r *release.Release + e error +} + +// NewUpgrade creates a new Upgrade object with the given configuration. +func NewUpgrade(cfg *Configuration) *Upgrade { + up := &Upgrade{ + cfg: cfg, + } + up.ChartPathOptions.registryClient = cfg.RegistryClient + + return up +} + +// SetRegistryClient sets the registry client to use when fetching charts. +func (u *Upgrade) SetRegistryClient(client *registry.Client) { + u.ChartPathOptions.registryClient = client +} + +// Run executes the upgrade on the given release. +func (u *Upgrade) Run(name string, chart *chart.Chart, vals map[string]interface{}) (*release.Release, error) { + ctx := context.Background() + return u.RunWithContext(ctx, name, chart, vals) +} + +// RunWithContext executes the upgrade on the given release with context. +func (u *Upgrade) RunWithContext(ctx context.Context, name string, chart *chart.Chart, vals map[string]interface{}) (*release.Release, error) { + if err := u.cfg.KubeClient.IsReachable(); err != nil { + return nil, err + } + + // Make sure if Atomic is set, that wait is set as well. This makes it so + // the user doesn't have to specify both + u.Wait = u.Wait || u.Atomic + + if err := chartutil.ValidateReleaseName(name); err != nil { + return nil, errors.Errorf("release name is invalid: %s", name) + } + + u.cfg.Log("preparing upgrade for %s", name) + currentRelease, upgradedRelease, err := u.prepareUpgrade(name, chart, vals) + if err != nil { + return nil, err + } + + u.cfg.Releases.MaxHistory = u.MaxHistory + + u.cfg.Log("performing update for %s", name) + res, err := u.performUpgrade(ctx, currentRelease, upgradedRelease) + if err != nil { + return res, err + } + + // Do not update for dry runs + if !u.isDryRun() { + u.cfg.Log("updating status for upgraded release for %s", name) + if err := u.cfg.Releases.Update(upgradedRelease); err != nil { + return res, err + } + } + + return res, nil +} + +// isDryRun returns true if Upgrade is set to run as a DryRun +func (u *Upgrade) isDryRun() bool { + if u.DryRun || u.DryRunOption == "client" || u.DryRunOption == "server" || u.DryRunOption == "true" { + return true + } + return false +} + +// prepareUpgrade builds an upgraded release for an upgrade operation. +func (u *Upgrade) prepareUpgrade(name string, chart *chart.Chart, vals map[string]interface{}) (*release.Release, *release.Release, error) { + if chart == nil { + return nil, nil, errMissingChart + } + + // HideSecret must be used with dry run. Otherwise, return an error. + if !u.isDryRun() && u.HideSecret { + return nil, nil, errors.New("Hiding Kubernetes secrets requires a dry-run mode") + } + + // finds the last non-deleted release with the given name + lastRelease, err := u.cfg.Releases.Last(name) + if err != nil { + // to keep existing behavior of returning the "%q has no deployed releases" error when an existing release does not exist + if errors.Is(err, driver.ErrReleaseNotFound) { + return nil, nil, driver.NewErrNoDeployedReleases(name) + } + return nil, nil, err + } + + // Concurrent `helm upgrade`s will either fail here with `errPending` or when creating the release with "already exists". This should act as a pessimistic lock. + if lastRelease.Info.Status.IsPending() { + return nil, nil, errPending + } + + var currentRelease *release.Release + if lastRelease.Info.Status == release.StatusDeployed { + // no need to retrieve the last deployed release from storage as the last release is deployed + currentRelease = lastRelease + } else { + // finds the deployed release with the given name + currentRelease, err = u.cfg.Releases.Deployed(name) + if err != nil { + if errors.Is(err, driver.ErrNoDeployedReleases) && + (lastRelease.Info.Status == release.StatusFailed || lastRelease.Info.Status == release.StatusSuperseded) { + currentRelease = lastRelease + } else { + return nil, nil, err + } + } + } + + // determine if values will be reused + vals, err = u.reuseValues(chart, currentRelease, vals) + if err != nil { + return nil, nil, err + } + + if err := chartutil.ProcessDependenciesWithMerge(chart, vals); err != nil { + return nil, nil, err + } + + // Increment revision count. This is passed to templates, and also stored on + // the release object. + revision := lastRelease.Version + 1 + + options := chartutil.ReleaseOptions{ + Name: name, + Namespace: currentRelease.Namespace, + Revision: revision, + IsUpgrade: true, + } + + caps, err := u.cfg.getCapabilities() + if err != nil { + return nil, nil, err + } + valuesToRender, err := chartutil.ToRenderValuesWithSchemaValidation(chart, vals, options, caps, u.SkipSchemaValidation) + if err != nil { + return nil, nil, err + } + + // Determine whether or not to interact with remote + var interactWithRemote bool + if !u.isDryRun() || u.DryRunOption == "server" || u.DryRunOption == "none" || u.DryRunOption == "false" { + interactWithRemote = true + } + + hooks, manifestDoc, notesTxt, err := u.cfg.renderResources(chart, valuesToRender, "", "", u.SubNotes, false, false, u.PostRenderer, interactWithRemote, u.EnableDNS, u.HideSecret) + if err != nil { + return nil, nil, err + } + + if driver.ContainsSystemLabels(u.Labels) { + return nil, nil, fmt.Errorf("user supplied labels contains system reserved label name. System labels: %+v", driver.GetSystemLabels()) + } + + // Store an upgraded release. + upgradedRelease := &release.Release{ + Name: name, + Namespace: currentRelease.Namespace, + Chart: chart, + Config: vals, + Info: &release.Info{ + FirstDeployed: currentRelease.Info.FirstDeployed, + LastDeployed: Timestamper(), + Status: release.StatusPendingUpgrade, + Description: "Preparing upgrade", // This should be overwritten later. + }, + Version: revision, + Manifest: manifestDoc.String(), + Hooks: hooks, + Labels: mergeCustomLabels(lastRelease.Labels, u.Labels), + } + + if len(notesTxt) > 0 { + upgradedRelease.Info.Notes = notesTxt + } + err = validateManifest(u.cfg.KubeClient, manifestDoc.Bytes(), !u.DisableOpenAPIValidation) + return currentRelease, upgradedRelease, err +} + +func (u *Upgrade) performUpgrade(ctx context.Context, originalRelease, upgradedRelease *release.Release) (*release.Release, error) { + current, err := u.cfg.KubeClient.Build(bytes.NewBufferString(originalRelease.Manifest), false) + if err != nil { + // Checking for removed Kubernetes API error so can provide a more informative error message to the user + // Ref: https://github.com/helm/helm/issues/7219 + if strings.Contains(err.Error(), "unable to recognize \"\": no matches for kind") { + return upgradedRelease, errors.Wrap(err, "current release manifest contains removed kubernetes api(s) for this "+ + "kubernetes version and it is therefore unable to build the kubernetes "+ + "objects for performing the diff. error from kubernetes") + } + return upgradedRelease, errors.Wrap(err, "unable to build kubernetes objects from current release manifest") + } + target, err := u.cfg.KubeClient.Build(bytes.NewBufferString(upgradedRelease.Manifest), !u.DisableOpenAPIValidation) + if err != nil { + return upgradedRelease, errors.Wrap(err, "unable to build kubernetes objects from new release manifest") + } + + // It is safe to use force only on target because these are resources currently rendered by the chart. + err = target.Visit(setMetadataVisitor(upgradedRelease.Name, upgradedRelease.Namespace, true)) + if err != nil { + return upgradedRelease, err + } + + // Do a basic diff using gvk + name to figure out what new resources are being created so we can validate they don't already exist + existingResources := make(map[string]bool) + for _, r := range current { + existingResources[objectKey(r)] = true + } + + var toBeCreated kube.ResourceList + for _, r := range target { + if !existingResources[objectKey(r)] { + toBeCreated = append(toBeCreated, r) + } + } + + var toBeUpdated kube.ResourceList + if u.TakeOwnership { + toBeUpdated, err = requireAdoption(toBeCreated) + } else { + toBeUpdated, err = existingResourceConflict(toBeCreated, upgradedRelease.Name, upgradedRelease.Namespace) + } + if err != nil { + return nil, errors.Wrap(err, "Unable to continue with update") + } + + toBeUpdated.Visit(func(r *resource.Info, err error) error { + if err != nil { + return err + } + current.Append(r) + return nil + }) + + // Run if it is a dry run + if u.isDryRun() { + u.cfg.Log("dry run for %s", upgradedRelease.Name) + if len(u.Description) > 0 { + upgradedRelease.Info.Description = u.Description + } else { + upgradedRelease.Info.Description = "Dry run complete" + } + return upgradedRelease, nil + } + + u.cfg.Log("creating upgraded release for %s", upgradedRelease.Name) + if err := u.cfg.Releases.Create(upgradedRelease); err != nil { + return nil, err + } + rChan := make(chan resultMessage) + ctxChan := make(chan resultMessage) + doneChan := make(chan interface{}) + defer close(doneChan) + go u.releasingUpgrade(rChan, upgradedRelease, current, target, originalRelease) + go u.handleContext(ctx, doneChan, ctxChan, upgradedRelease) + select { + case result := <-rChan: + return result.r, result.e + case result := <-ctxChan: + return result.r, result.e + } +} + +// Function used to lock the Mutex, this is important for the case when the atomic flag is set. +// In that case the upgrade will finish before the rollback is finished so it is necessary to wait for the rollback to finish. +// The rollback will be trigger by the function failRelease +func (u *Upgrade) reportToPerformUpgrade(c chan<- resultMessage, rel *release.Release, created kube.ResourceList, err error) { + u.Lock.Lock() + if err != nil { + rel, err = u.failRelease(rel, created, err) + } + c <- resultMessage{r: rel, e: err} + u.Lock.Unlock() +} + +// Setup listener for SIGINT and SIGTERM +func (u *Upgrade) handleContext(ctx context.Context, done chan interface{}, c chan<- resultMessage, upgradedRelease *release.Release) { + select { + case <-ctx.Done(): + err := ctx.Err() + + // when the atomic flag is set the ongoing release finish first and doesn't give time for the rollback happens. + u.reportToPerformUpgrade(c, upgradedRelease, kube.ResourceList{}, err) + case <-done: + return + } +} +func (u *Upgrade) releasingUpgrade(c chan<- resultMessage, upgradedRelease *release.Release, current kube.ResourceList, target kube.ResourceList, originalRelease *release.Release) { + // pre-upgrade hooks + + if !u.DisableHooks { + if err := u.cfg.execHook(upgradedRelease, release.HookPreUpgrade, u.Timeout); err != nil { + u.reportToPerformUpgrade(c, upgradedRelease, kube.ResourceList{}, fmt.Errorf("pre-upgrade hooks failed: %s", err)) + return + } + } else { + u.cfg.Log("upgrade hooks disabled for %s", upgradedRelease.Name) + } + + results, err := u.cfg.KubeClient.Update(current, target, u.Force) + if err != nil { + u.cfg.recordRelease(originalRelease) + u.reportToPerformUpgrade(c, upgradedRelease, results.Created, err) + return + } + + if u.Recreate { + // NOTE: Because this is not critical for a release to succeed, we just + // log if an error occurs and continue onward. If we ever introduce log + // levels, we should make these error level logs so users are notified + // that they'll need to go do the cleanup on their own + if err := recreate(u.cfg, results.Updated); err != nil { + u.cfg.Log(err.Error()) + } + } + + if u.Wait { + u.cfg.Log( + "waiting for release %s resources (created: %d updated: %d deleted: %d)", + upgradedRelease.Name, len(results.Created), len(results.Updated), len(results.Deleted)) + if u.WaitForJobs { + if err := u.cfg.KubeClient.WaitWithJobs(target, u.Timeout); err != nil { + u.cfg.recordRelease(originalRelease) + u.reportToPerformUpgrade(c, upgradedRelease, results.Created, err) + return + } + } else { + if err := u.cfg.KubeClient.Wait(target, u.Timeout); err != nil { + u.cfg.recordRelease(originalRelease) + u.reportToPerformUpgrade(c, upgradedRelease, results.Created, err) + return + } + } + } + + // post-upgrade hooks + if !u.DisableHooks { + if err := u.cfg.execHook(upgradedRelease, release.HookPostUpgrade, u.Timeout); err != nil { + u.reportToPerformUpgrade(c, upgradedRelease, results.Created, fmt.Errorf("post-upgrade hooks failed: %s", err)) + return + } + } + + originalRelease.Info.Status = release.StatusSuperseded + u.cfg.recordRelease(originalRelease) + + upgradedRelease.Info.Status = release.StatusDeployed + if len(u.Description) > 0 { + upgradedRelease.Info.Description = u.Description + } else { + upgradedRelease.Info.Description = "Upgrade complete" + } + u.reportToPerformUpgrade(c, upgradedRelease, nil, nil) +} + +func (u *Upgrade) failRelease(rel *release.Release, created kube.ResourceList, err error) (*release.Release, error) { + msg := fmt.Sprintf("Upgrade %q failed: %s", rel.Name, err) + u.cfg.Log("warning: %s", msg) + + rel.Info.Status = release.StatusFailed + rel.Info.Description = msg + u.cfg.recordRelease(rel) + if u.CleanupOnFail && len(created) > 0 { + u.cfg.Log("Cleanup on fail set, cleaning up %d resources", len(created)) + _, errs := u.cfg.KubeClient.Delete(created) + if errs != nil { + var errorList []string + for _, e := range errs { + errorList = append(errorList, e.Error()) + } + return rel, errors.Wrapf(fmt.Errorf("unable to cleanup resources: %s", strings.Join(errorList, ", ")), "an error occurred while cleaning up resources. original upgrade error: %s", err) + } + u.cfg.Log("Resource cleanup complete") + } + if u.Atomic { + u.cfg.Log("Upgrade failed and atomic is set, rolling back to last successful release") + + // As a protection, get the last successful release before rollback. + // If there are no successful releases, bail out + hist := NewHistory(u.cfg) + fullHistory, herr := hist.Run(rel.Name) + if herr != nil { + return rel, errors.Wrapf(herr, "an error occurred while finding last successful release. original upgrade error: %s", err) + } + + // There isn't a way to tell if a previous release was successful, but + // generally failed releases do not get superseded unless the next + // release is successful, so this should be relatively safe + filteredHistory := releaseutil.FilterFunc(func(r *release.Release) bool { + return r.Info.Status == release.StatusSuperseded || r.Info.Status == release.StatusDeployed + }).Filter(fullHistory) + if len(filteredHistory) == 0 { + return rel, errors.Wrap(err, "unable to find a previously successful release when attempting to rollback. original upgrade error") + } + + releaseutil.Reverse(filteredHistory, releaseutil.SortByRevision) + + rollin := NewRollback(u.cfg) + rollin.Version = filteredHistory[0].Version + rollin.Wait = true + rollin.WaitForJobs = u.WaitForJobs + rollin.DisableHooks = u.DisableHooks + rollin.Recreate = u.Recreate + rollin.Force = u.Force + rollin.Timeout = u.Timeout + if rollErr := rollin.Run(rel.Name); rollErr != nil { + return rel, errors.Wrapf(rollErr, "an error occurred while rolling back the release. original upgrade error: %s", err) + } + return rel, errors.Wrapf(err, "release %s failed, and has been rolled back due to atomic being set", rel.Name) + } + + return rel, err +} + +// reuseValues copies values from the current release to a new release if the +// new release does not have any values. +// +// If the request already has values, or if there are no values in the current +// release, this does nothing. +// +// This is skipped if the u.ResetValues flag is set, in which case the +// request values are not altered. +func (u *Upgrade) reuseValues(chart *chart.Chart, current *release.Release, newVals map[string]interface{}) (map[string]interface{}, error) { + if u.ResetValues { + // If ResetValues is set, we completely ignore current.Config. + u.cfg.Log("resetting values to the chart's original version") + return newVals, nil + } + + // If the ReuseValues flag is set, we always copy the old values over the new config's values. + if u.ReuseValues { + u.cfg.Log("reusing the old release's values") + + // We have to regenerate the old coalesced values: + oldVals, err := chartutil.CoalesceValues(current.Chart, current.Config) + if err != nil { + return nil, errors.Wrap(err, "failed to rebuild old values") + } + + newVals = chartutil.CoalesceTables(newVals, current.Config) + + chart.Values = oldVals + + return newVals, nil + } + + // If the ResetThenReuseValues flag is set, we use the new chart's values, but we copy the old config's values over the new config's values. + if u.ResetThenReuseValues { + u.cfg.Log("merging values from old release to new values") + + newVals = chartutil.CoalesceTables(newVals, current.Config) + + return newVals, nil + } + + if len(newVals) == 0 && len(current.Config) > 0 { + u.cfg.Log("copying values from %s (v%d) to new release.", current.Name, current.Version) + newVals = current.Config + } + return newVals, nil +} + +func validateManifest(c kube.Interface, manifest []byte, openAPIValidation bool) error { + _, err := c.Build(bytes.NewReader(manifest), openAPIValidation) + return err +} + +// recreate captures all the logic for recreating pods for both upgrade and +// rollback. If we end up refactoring rollback to use upgrade, this can just be +// made an unexported method on the upgrade action. +func recreate(cfg *Configuration, resources kube.ResourceList) error { + for _, res := range resources { + versioned := kube.AsVersioned(res) + selector, err := kube.SelectorsForObject(versioned) + if err != nil { + // If no selector is returned, it means this object is + // definitely not a pod, so continue onward + continue + } + + client, err := cfg.KubernetesClientSet() + if err != nil { + return errors.Wrapf(err, "unable to recreate pods for object %s/%s because an error occurred", res.Namespace, res.Name) + } + + pods, err := client.CoreV1().Pods(res.Namespace).List(context.Background(), metav1.ListOptions{ + LabelSelector: selector.String(), + }) + if err != nil { + return errors.Wrapf(err, "unable to recreate pods for object %s/%s because an error occurred", res.Namespace, res.Name) + } + + // Restart pods + for _, pod := range pods.Items { + // Delete each pod for get them restarted with changed spec. + if err := client.CoreV1().Pods(pod.Namespace).Delete(context.Background(), pod.Name, *metav1.NewPreconditionDeleteOptions(string(pod.UID))); err != nil { + return errors.Wrapf(err, "unable to recreate pods for object %s/%s because an error occurred", res.Namespace, res.Name) + } + } + } + return nil +} + +func objectKey(r *resource.Info) string { + gvk := r.Object.GetObjectKind().GroupVersionKind() + return fmt.Sprintf("%s/%s/%s/%s", gvk.GroupVersion().String(), gvk.Kind, r.Namespace, r.Name) +} + +func mergeCustomLabels(current, desired map[string]string) map[string]string { + labels := mergeStrStrMaps(current, desired) + for k, v := range labels { + if v == "null" { + delete(labels, k) + } + } + return labels +} diff --git a/vendor/helm.sh/helm/v3/pkg/action/validate.go b/vendor/helm.sh/helm/v3/pkg/action/validate.go new file mode 100644 index 0000000000..127e9bf962 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/action/validate.go @@ -0,0 +1,209 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package action + +import ( + "fmt" + + "github.com/pkg/errors" + apierrors "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/api/meta" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/cli-runtime/pkg/resource" + + "helm.sh/helm/v3/pkg/kube" +) + +var accessor = meta.NewAccessor() + +const ( + appManagedByLabel = "app.kubernetes.io/managed-by" + appManagedByHelm = "Helm" + helmReleaseNameAnnotation = "meta.helm.sh/release-name" + helmReleaseNamespaceAnnotation = "meta.helm.sh/release-namespace" +) + +// requireAdoption returns the subset of resources that already exist in the cluster. +func requireAdoption(resources kube.ResourceList) (kube.ResourceList, error) { + var requireUpdate kube.ResourceList + + err := resources.Visit(func(info *resource.Info, err error) error { + if err != nil { + return err + } + + helper := resource.NewHelper(info.Client, info.Mapping) + _, err = helper.Get(info.Namespace, info.Name) + if err != nil { + if apierrors.IsNotFound(err) { + return nil + } + return errors.Wrapf(err, "could not get information about the resource %s", resourceString(info)) + } + + requireUpdate.Append(info) + return nil + }) + + return requireUpdate, err +} + +func existingResourceConflict(resources kube.ResourceList, releaseName, releaseNamespace string) (kube.ResourceList, error) { + var requireUpdate kube.ResourceList + + err := resources.Visit(func(info *resource.Info, err error) error { + if err != nil { + return err + } + + helper := resource.NewHelper(info.Client, info.Mapping) + existing, err := helper.Get(info.Namespace, info.Name) + if err != nil { + if apierrors.IsNotFound(err) { + return nil + } + return errors.Wrapf(err, "could not get information about the resource %s", resourceString(info)) + } + + // Allow adoption of the resource if it is managed by Helm and is annotated with correct release name and namespace. + if err := checkOwnership(existing, releaseName, releaseNamespace); err != nil { + return fmt.Errorf("%s exists and cannot be imported into the current release: %s", resourceString(info), err) + } + + requireUpdate.Append(info) + return nil + }) + + return requireUpdate, err +} + +func checkOwnership(obj runtime.Object, releaseName, releaseNamespace string) error { + lbls, err := accessor.Labels(obj) + if err != nil { + return err + } + annos, err := accessor.Annotations(obj) + if err != nil { + return err + } + + var errs []error + if err := requireValue(lbls, appManagedByLabel, appManagedByHelm); err != nil { + errs = append(errs, fmt.Errorf("label validation error: %s", err)) + } + if err := requireValue(annos, helmReleaseNameAnnotation, releaseName); err != nil { + errs = append(errs, fmt.Errorf("annotation validation error: %s", err)) + } + if err := requireValue(annos, helmReleaseNamespaceAnnotation, releaseNamespace); err != nil { + errs = append(errs, fmt.Errorf("annotation validation error: %s", err)) + } + + if len(errs) > 0 { + err := errors.New("invalid ownership metadata") + for _, e := range errs { + err = fmt.Errorf("%w; %s", err, e) + } + return err + } + + return nil +} + +func requireValue(meta map[string]string, k, v string) error { + actual, ok := meta[k] + if !ok { + return fmt.Errorf("missing key %q: must be set to %q", k, v) + } + if actual != v { + return fmt.Errorf("key %q must equal %q: current value is %q", k, v, actual) + } + return nil +} + +// setMetadataVisitor adds release tracking metadata to all resources. If force is enabled, existing +// ownership metadata will be overwritten. Otherwise an error will be returned if any resource has an +// existing and conflicting value for the managed by label or Helm release/namespace annotations. +func setMetadataVisitor(releaseName, releaseNamespace string, force bool) resource.VisitorFunc { + return func(info *resource.Info, err error) error { + if err != nil { + return err + } + + if !force { + if err := checkOwnership(info.Object, releaseName, releaseNamespace); err != nil { + return fmt.Errorf("%s cannot be owned: %s", resourceString(info), err) + } + } + + if err := mergeLabels(info.Object, map[string]string{ + appManagedByLabel: appManagedByHelm, + }); err != nil { + return fmt.Errorf( + "%s labels could not be updated: %s", + resourceString(info), err, + ) + } + + if err := mergeAnnotations(info.Object, map[string]string{ + helmReleaseNameAnnotation: releaseName, + helmReleaseNamespaceAnnotation: releaseNamespace, + }); err != nil { + return fmt.Errorf( + "%s annotations could not be updated: %s", + resourceString(info), err, + ) + } + + return nil + } +} + +func resourceString(info *resource.Info) string { + _, k := info.Mapping.GroupVersionKind.ToAPIVersionAndKind() + return fmt.Sprintf( + "%s %q in namespace %q", + k, info.Name, info.Namespace, + ) +} + +func mergeLabels(obj runtime.Object, labels map[string]string) error { + current, err := accessor.Labels(obj) + if err != nil { + return err + } + return accessor.SetLabels(obj, mergeStrStrMaps(current, labels)) +} + +func mergeAnnotations(obj runtime.Object, annotations map[string]string) error { + current, err := accessor.Annotations(obj) + if err != nil { + return err + } + return accessor.SetAnnotations(obj, mergeStrStrMaps(current, annotations)) +} + +// merge two maps, always taking the value on the right +func mergeStrStrMaps(current, desired map[string]string) map[string]string { + result := make(map[string]string) + for k, v := range current { + result[k] = v + } + for k, desiredVal := range desired { + result[k] = desiredVal + } + return result +} diff --git a/vendor/helm.sh/helm/v3/pkg/action/verify.go b/vendor/helm.sh/helm/v3/pkg/action/verify.go new file mode 100644 index 0000000000..f362394962 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/action/verify.go @@ -0,0 +1,59 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package action + +import ( + "fmt" + "strings" + + "helm.sh/helm/v3/pkg/downloader" +) + +// Verify is the action for building a given chart's Verify tree. +// +// It provides the implementation of 'helm verify'. +type Verify struct { + Keyring string + Out string +} + +// NewVerify creates a new Verify object with the given configuration. +func NewVerify() *Verify { + return &Verify{} +} + +// Run executes 'helm verify'. +func (v *Verify) Run(chartfile string) error { + var out strings.Builder + p, err := downloader.VerifyChart(chartfile, v.Keyring) + if err != nil { + return err + } + + for name := range p.SignedBy.Identities { + fmt.Fprintf(&out, "Signed by: %v\n", name) + } + fmt.Fprintf(&out, "Using Key With Fingerprint: %X\n", p.SignedBy.PrimaryKey.Fingerprint) + fmt.Fprintf(&out, "Chart Hash Verified: %s\n", p.FileHash) + + // TODO(mattfarina): The output is set as a property rather than returned + // to maintain the Go API. In Helm v4 this function should return the out + // and the property on the struct can be removed. + v.Out = out.String() + + return nil +} diff --git a/vendor/helm.sh/helm/v3/pkg/chart/chart.go b/vendor/helm.sh/helm/v3/pkg/chart/chart.go new file mode 100644 index 0000000000..a3bed63a38 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/chart/chart.go @@ -0,0 +1,173 @@ +/* +Copyright The Helm Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package chart + +import ( + "path/filepath" + "regexp" + "strings" +) + +// APIVersionV1 is the API version number for version 1. +const APIVersionV1 = "v1" + +// APIVersionV2 is the API version number for version 2. +const APIVersionV2 = "v2" + +// aliasNameFormat defines the characters that are legal in an alias name. +var aliasNameFormat = regexp.MustCompile("^[a-zA-Z0-9_-]+$") + +// Chart is a helm package that contains metadata, a default config, zero or more +// optionally parameterizable templates, and zero or more charts (dependencies). +type Chart struct { + // Raw contains the raw contents of the files originally contained in the chart archive. + // + // This should not be used except in special cases like `helm show values`, + // where we want to display the raw values, comments and all. + Raw []*File `json:"-"` + // Metadata is the contents of the Chartfile. + Metadata *Metadata `json:"metadata"` + // Lock is the contents of Chart.lock. + Lock *Lock `json:"lock"` + // Templates for this chart. + Templates []*File `json:"templates"` + // Values are default config for this chart. + Values map[string]interface{} `json:"values"` + // Schema is an optional JSON schema for imposing structure on Values + Schema []byte `json:"schema"` + // Files are miscellaneous files in a chart archive, + // e.g. README, LICENSE, etc. + Files []*File `json:"files"` + + parent *Chart + dependencies []*Chart +} + +type CRD struct { + // Name is the File.Name for the crd file + Name string + // Filename is the File obj Name including (sub-)chart.ChartFullPath + Filename string + // File is the File obj for the crd + File *File +} + +// SetDependencies replaces the chart dependencies. +func (ch *Chart) SetDependencies(charts ...*Chart) { + ch.dependencies = nil + ch.AddDependency(charts...) +} + +// Name returns the name of the chart. +func (ch *Chart) Name() string { + if ch.Metadata == nil { + return "" + } + return ch.Metadata.Name +} + +// AddDependency determines if the chart is a subchart. +func (ch *Chart) AddDependency(charts ...*Chart) { + for i, x := range charts { + charts[i].parent = ch + ch.dependencies = append(ch.dependencies, x) + } +} + +// Root finds the root chart. +func (ch *Chart) Root() *Chart { + if ch.IsRoot() { + return ch + } + return ch.Parent().Root() +} + +// Dependencies are the charts that this chart depends on. +func (ch *Chart) Dependencies() []*Chart { return ch.dependencies } + +// IsRoot determines if the chart is the root chart. +func (ch *Chart) IsRoot() bool { return ch.parent == nil } + +// Parent returns a subchart's parent chart. +func (ch *Chart) Parent() *Chart { return ch.parent } + +// ChartPath returns the full path to this chart in dot notation. +func (ch *Chart) ChartPath() string { + if !ch.IsRoot() { + return ch.Parent().ChartPath() + "." + ch.Name() + } + return ch.Name() +} + +// ChartFullPath returns the full path to this chart. +func (ch *Chart) ChartFullPath() string { + if !ch.IsRoot() { + return ch.Parent().ChartFullPath() + "/charts/" + ch.Name() + } + return ch.Name() +} + +// Validate validates the metadata. +func (ch *Chart) Validate() error { + return ch.Metadata.Validate() +} + +// AppVersion returns the appversion of the chart. +func (ch *Chart) AppVersion() string { + if ch.Metadata == nil { + return "" + } + return ch.Metadata.AppVersion +} + +// CRDs returns a list of File objects in the 'crds/' directory of a Helm chart. +// Deprecated: use CRDObjects() +func (ch *Chart) CRDs() []*File { + files := []*File{} + // Find all resources in the crds/ directory + for _, f := range ch.Files { + if strings.HasPrefix(f.Name, "crds/") && hasManifestExtension(f.Name) { + files = append(files, f) + } + } + // Get CRDs from dependencies, too. + for _, dep := range ch.Dependencies() { + files = append(files, dep.CRDs()...) + } + return files +} + +// CRDObjects returns a list of CRD objects in the 'crds/' directory of a Helm chart & subcharts +func (ch *Chart) CRDObjects() []CRD { + crds := []CRD{} + // Find all resources in the crds/ directory + for _, f := range ch.Files { + if strings.HasPrefix(f.Name, "crds/") && hasManifestExtension(f.Name) { + mycrd := CRD{Name: f.Name, Filename: filepath.Join(ch.ChartFullPath(), f.Name), File: f} + crds = append(crds, mycrd) + } + } + // Get CRDs from dependencies, too. + for _, dep := range ch.Dependencies() { + crds = append(crds, dep.CRDObjects()...) + } + return crds +} + +func hasManifestExtension(fname string) bool { + ext := filepath.Ext(fname) + return strings.EqualFold(ext, ".yaml") || strings.EqualFold(ext, ".yml") || strings.EqualFold(ext, ".json") +} diff --git a/vendor/helm.sh/helm/v3/pkg/chart/dependency.go b/vendor/helm.sh/helm/v3/pkg/chart/dependency.go new file mode 100644 index 0000000000..eda0f5a89d --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/chart/dependency.go @@ -0,0 +1,82 @@ +/* +Copyright The Helm Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package chart + +import "time" + +// Dependency describes a chart upon which another chart depends. +// +// Dependencies can be used to express developer intent, or to capture the state +// of a chart. +type Dependency struct { + // Name is the name of the dependency. + // + // This must mach the name in the dependency's Chart.yaml. + Name string `json:"name" yaml:"name"` + // Version is the version (range) of this chart. + // + // A lock file will always produce a single version, while a dependency + // may contain a semantic version range. + Version string `json:"version,omitempty" yaml:"version,omitempty"` + // The URL to the repository. + // + // Appending `index.yaml` to this string should result in a URL that can be + // used to fetch the repository index. + Repository string `json:"repository" yaml:"repository"` + // A yaml path that resolves to a boolean, used for enabling/disabling charts (e.g. subchart1.enabled ) + Condition string `json:"condition,omitempty" yaml:"condition,omitempty"` + // Tags can be used to group charts for enabling/disabling together + Tags []string `json:"tags,omitempty" yaml:"tags,omitempty"` + // Enabled bool determines if chart should be loaded + Enabled bool `json:"enabled,omitempty" yaml:"enabled,omitempty"` + // ImportValues holds the mapping of source values to parent key to be imported. Each item can be a + // string or pair of child/parent sublist items. + ImportValues []interface{} `json:"import-values,omitempty" yaml:"import-values,omitempty"` + // Alias usable alias to be used for the chart + Alias string `json:"alias,omitempty" yaml:"alias,omitempty"` +} + +// Validate checks for common problems with the dependency datastructure in +// the chart. This check must be done at load time before the dependency's charts are +// loaded. +func (d *Dependency) Validate() error { + if d == nil { + return ValidationError("dependencies must not contain empty or null nodes") + } + d.Name = sanitizeString(d.Name) + d.Version = sanitizeString(d.Version) + d.Repository = sanitizeString(d.Repository) + d.Condition = sanitizeString(d.Condition) + for i := range d.Tags { + d.Tags[i] = sanitizeString(d.Tags[i]) + } + if d.Alias != "" && !aliasNameFormat.MatchString(d.Alias) { + return ValidationErrorf("dependency %q has disallowed characters in the alias", d.Name) + } + return nil +} + +// Lock is a lock file for dependencies. +// +// It represents the state that the dependencies should be in. +type Lock struct { + // Generated is the date the lock file was last generated. + Generated time.Time `json:"generated"` + // Digest is a hash of the dependencies in Chart.yaml. + Digest string `json:"digest"` + // Dependencies is the list of dependencies that this lock file has locked. + Dependencies []*Dependency `json:"dependencies"` +} diff --git a/vendor/helm.sh/helm/v3/pkg/chart/errors.go b/vendor/helm.sh/helm/v3/pkg/chart/errors.go new file mode 100644 index 0000000000..2fad5f3708 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/chart/errors.go @@ -0,0 +1,30 @@ +/* +Copyright The Helm Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package chart + +import "fmt" + +// ValidationError represents a data validation error. +type ValidationError string + +func (v ValidationError) Error() string { + return "validation: " + string(v) +} + +// ValidationErrorf takes a message and formatting options and creates a ValidationError +func ValidationErrorf(msg string, args ...interface{}) ValidationError { + return ValidationError(fmt.Sprintf(msg, args...)) +} diff --git a/vendor/helm.sh/helm/v3/pkg/chart/file.go b/vendor/helm.sh/helm/v3/pkg/chart/file.go new file mode 100644 index 0000000000..9dd7c08d52 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/chart/file.go @@ -0,0 +1,27 @@ +/* +Copyright The Helm Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package chart + +// File represents a file as a name/value pair. +// +// By convention, name is a relative path within the scope of the chart's +// base directory. +type File struct { + // Name is the path-like name of the template. + Name string `json:"name"` + // Data is the template as byte data. + Data []byte `json:"data"` +} diff --git a/vendor/helm.sh/helm/v3/pkg/chart/loader/archive.go b/vendor/helm.sh/helm/v3/pkg/chart/loader/archive.go new file mode 100644 index 0000000000..6272a564f8 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/chart/loader/archive.go @@ -0,0 +1,235 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package loader + +import ( + "archive/tar" + "bytes" + "compress/gzip" + "fmt" + "io" + "net/http" + "os" + "path" + "regexp" + "strings" + + "github.com/pkg/errors" + + "helm.sh/helm/v3/pkg/chart" +) + +// MaxDecompressedChartSize is the maximum size of a chart archive that will be +// decompressed. This is the decompressed size of all the files. +// The default value is 100 MiB. +var MaxDecompressedChartSize int64 = 100 * 1024 * 1024 // Default 100 MiB + +// MaxDecompressedFileSize is the size of the largest file that Helm will attempt to load. +// The size of the file is the decompressed version of it when it is stored in an archive. +var MaxDecompressedFileSize int64 = 5 * 1024 * 1024 // Default 5 MiB + +var drivePathPattern = regexp.MustCompile(`^[a-zA-Z]:/`) + +// FileLoader loads a chart from a file +type FileLoader string + +// Load loads a chart +func (l FileLoader) Load() (*chart.Chart, error) { + return LoadFile(string(l)) +} + +// LoadFile loads from an archive file. +func LoadFile(name string) (*chart.Chart, error) { + if fi, err := os.Stat(name); err != nil { + return nil, err + } else if fi.IsDir() { + return nil, errors.New("cannot load a directory") + } + + raw, err := os.Open(name) + if err != nil { + return nil, err + } + defer raw.Close() + + err = ensureArchive(name, raw) + if err != nil { + return nil, err + } + + c, err := LoadArchive(raw) + if err != nil { + if err == gzip.ErrHeader { + return nil, fmt.Errorf("file '%s' does not appear to be a valid chart file (details: %s)", name, err) + } + } + return c, err +} + +// ensureArchive's job is to return an informative error if the file does not appear to be a gzipped archive. +// +// Sometimes users will provide a values.yaml for an argument where a chart is expected. One common occurrence +// of this is invoking `helm template values.yaml mychart` which would otherwise produce a confusing error +// if we didn't check for this. +func ensureArchive(name string, raw *os.File) error { + defer raw.Seek(0, 0) // reset read offset to allow archive loading to proceed. + + // Check the file format to give us a chance to provide the user with more actionable feedback. + buffer := make([]byte, 512) + _, err := raw.Read(buffer) + if err != nil && err != io.EOF { + return fmt.Errorf("file '%s' cannot be read: %s", name, err) + } + + // Helm may identify achieve of the application/x-gzip as application/vnd.ms-fontobject. + // Fix for: https://github.com/helm/helm/issues/12261 + if contentType := http.DetectContentType(buffer); contentType != "application/x-gzip" && !isGZipApplication(buffer) { + // TODO: Is there a way to reliably test if a file content is YAML? ghodss/yaml accepts a wide + // variety of content (Makefile, .zshrc) as valid YAML without errors. + + // Wrong content type. Let's check if it's yaml and give an extra hint? + if strings.HasSuffix(name, ".yml") || strings.HasSuffix(name, ".yaml") { + return fmt.Errorf("file '%s' seems to be a YAML file, but expected a gzipped archive", name) + } + return fmt.Errorf("file '%s' does not appear to be a gzipped archive; got '%s'", name, contentType) + } + return nil +} + +// isGZipApplication checks whether the archive is of the application/x-gzip type. +func isGZipApplication(data []byte) bool { + sig := []byte("\x1F\x8B\x08") + return bytes.HasPrefix(data, sig) +} + +// LoadArchiveFiles reads in files out of an archive into memory. This function +// performs important path security checks and should always be used before +// expanding a tarball +func LoadArchiveFiles(in io.Reader) ([]*BufferedFile, error) { + unzipped, err := gzip.NewReader(in) + if err != nil { + return nil, err + } + defer unzipped.Close() + + files := []*BufferedFile{} + tr := tar.NewReader(unzipped) + remainingSize := MaxDecompressedChartSize + for { + b := bytes.NewBuffer(nil) + hd, err := tr.Next() + if err == io.EOF { + break + } + if err != nil { + return nil, err + } + + if hd.FileInfo().IsDir() { + // Use this instead of hd.Typeflag because we don't have to do any + // inference chasing. + continue + } + + switch hd.Typeflag { + // We don't want to process these extension header files. + case tar.TypeXGlobalHeader, tar.TypeXHeader: + continue + } + + // Archive could contain \ if generated on Windows + delimiter := "/" + if strings.ContainsRune(hd.Name, '\\') { + delimiter = "\\" + } + + parts := strings.Split(hd.Name, delimiter) + n := strings.Join(parts[1:], delimiter) + + // Normalize the path to the / delimiter + n = strings.ReplaceAll(n, delimiter, "/") + + if path.IsAbs(n) { + return nil, errors.New("chart illegally contains absolute paths") + } + + n = path.Clean(n) + if n == "." { + // In this case, the original path was relative when it should have been absolute. + return nil, errors.Errorf("chart illegally contains content outside the base directory: %q", hd.Name) + } + if strings.HasPrefix(n, "..") { + return nil, errors.New("chart illegally references parent directory") + } + + // In some particularly arcane acts of path creativity, it is possible to intermix + // UNIX and Windows style paths in such a way that you produce a result of the form + // c:/foo even after all the built-in absolute path checks. So we explicitly check + // for this condition. + if drivePathPattern.MatchString(n) { + return nil, errors.New("chart contains illegally named files") + } + + if parts[0] == "Chart.yaml" { + return nil, errors.New("chart yaml not in base directory") + } + + if hd.Size > remainingSize { + return nil, fmt.Errorf("decompressed chart is larger than the maximum file size %d", MaxDecompressedChartSize) + } + + if hd.Size > MaxDecompressedFileSize { + return nil, fmt.Errorf("decompressed chart file %q is larger than the maximum file size %d", hd.Name, MaxDecompressedFileSize) + } + + limitedReader := io.LimitReader(tr, remainingSize) + + bytesWritten, err := io.Copy(b, limitedReader) + if err != nil { + return nil, err + } + + remainingSize -= bytesWritten + // When the bytesWritten are less than the file size it means the limit reader ended + // copying early. Here we report that error. This is important if the last file extracted + // is the one that goes over the limit. It assumes the Size stored in the tar header + // is correct, something many applications do. + if bytesWritten < hd.Size || remainingSize <= 0 { + return nil, fmt.Errorf("decompressed chart is larger than the maximum file size %d", MaxDecompressedChartSize) + } + + data := bytes.TrimPrefix(b.Bytes(), utf8bom) + + files = append(files, &BufferedFile{Name: n, Data: data}) + b.Reset() + } + + if len(files) == 0 { + return nil, errors.New("no files in chart archive") + } + return files, nil +} + +// LoadArchive loads from a reader containing a compressed tar archive. +func LoadArchive(in io.Reader) (*chart.Chart, error) { + files, err := LoadArchiveFiles(in) + if err != nil { + return nil, err + } + + return LoadFiles(files) +} diff --git a/vendor/helm.sh/helm/v3/pkg/chart/loader/directory.go b/vendor/helm.sh/helm/v3/pkg/chart/loader/directory.go new file mode 100644 index 0000000000..fd8e02e1ac --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/chart/loader/directory.go @@ -0,0 +1,123 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package loader + +import ( + "bytes" + "fmt" + "os" + "path/filepath" + "strings" + + "github.com/pkg/errors" + + "helm.sh/helm/v3/internal/sympath" + "helm.sh/helm/v3/pkg/chart" + "helm.sh/helm/v3/pkg/ignore" +) + +var utf8bom = []byte{0xEF, 0xBB, 0xBF} + +// DirLoader loads a chart from a directory +type DirLoader string + +// Load loads the chart +func (l DirLoader) Load() (*chart.Chart, error) { + return LoadDir(string(l)) +} + +// LoadDir loads from a directory. +// +// This loads charts only from directories. +func LoadDir(dir string) (*chart.Chart, error) { + topdir, err := filepath.Abs(dir) + if err != nil { + return nil, err + } + + // Just used for errors. + c := &chart.Chart{} + + rules := ignore.Empty() + ifile := filepath.Join(topdir, ignore.HelmIgnore) + if _, err := os.Stat(ifile); err == nil { + r, err := ignore.ParseFile(ifile) + if err != nil { + return c, err + } + rules = r + } + rules.AddDefaults() + + files := []*BufferedFile{} + topdir += string(filepath.Separator) + + walk := func(name string, fi os.FileInfo, err error) error { + n := strings.TrimPrefix(name, topdir) + if n == "" { + // No need to process top level. Avoid bug with helmignore .* matching + // empty names. See issue 1779. + return nil + } + + // Normalize to / since it will also work on Windows + n = filepath.ToSlash(n) + + if err != nil { + return err + } + if fi.IsDir() { + // Directory-based ignore rules should involve skipping the entire + // contents of that directory. + if rules.Ignore(n, fi) { + return filepath.SkipDir + } + return nil + } + + // If a .helmignore file matches, skip this file. + if rules.Ignore(n, fi) { + return nil + } + + // Irregular files include devices, sockets, and other uses of files that + // are not regular files. In Go they have a file mode type bit set. + // See https://golang.org/pkg/os/#FileMode for examples. + if !fi.Mode().IsRegular() { + return fmt.Errorf("cannot load irregular file %s as it has file mode type bits set", name) + } + + if fi.Size() > MaxDecompressedFileSize { + return fmt.Errorf("chart file %q is larger than the maximum file size %d", fi.Name(), MaxDecompressedFileSize) + } + + data, err := os.ReadFile(name) + if err != nil { + return errors.Wrapf(err, "error reading %s", n) + } + + data = bytes.TrimPrefix(data, utf8bom) + + files = append(files, &BufferedFile{Name: n, Data: data}) + return nil + } + if err = sympath.Walk(topdir, walk); err != nil { + return c, err + } + + return LoadFiles(files) +} diff --git a/vendor/helm.sh/helm/v3/pkg/chart/loader/load.go b/vendor/helm.sh/helm/v3/pkg/chart/loader/load.go new file mode 100644 index 0000000000..a68a05aa9a --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/chart/loader/load.go @@ -0,0 +1,203 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package loader + +import ( + "bytes" + "log" + "os" + "path/filepath" + "strings" + + "github.com/pkg/errors" + "sigs.k8s.io/yaml" + + "helm.sh/helm/v3/pkg/chart" +) + +// ChartLoader loads a chart. +type ChartLoader interface { + Load() (*chart.Chart, error) +} + +// Loader returns a new ChartLoader appropriate for the given chart name +func Loader(name string) (ChartLoader, error) { + fi, err := os.Stat(name) + if err != nil { + return nil, err + } + if fi.IsDir() { + return DirLoader(name), nil + } + return FileLoader(name), nil + +} + +// Load takes a string name, tries to resolve it to a file or directory, and then loads it. +// +// This is the preferred way to load a chart. It will discover the chart encoding +// and hand off to the appropriate chart reader. +// +// If a .helmignore file is present, the directory loader will skip loading any files +// matching it. But .helmignore is not evaluated when reading out of an archive. +func Load(name string) (*chart.Chart, error) { + l, err := Loader(name) + if err != nil { + return nil, err + } + return l.Load() +} + +// BufferedFile represents an archive file buffered for later processing. +type BufferedFile struct { + Name string + Data []byte +} + +// LoadFiles loads from in-memory files. +func LoadFiles(files []*BufferedFile) (*chart.Chart, error) { + c := new(chart.Chart) + subcharts := make(map[string][]*BufferedFile) + + // do not rely on assumed ordering of files in the chart and crash + // if Chart.yaml was not coming early enough to initialize metadata + for _, f := range files { + c.Raw = append(c.Raw, &chart.File{Name: f.Name, Data: f.Data}) + if f.Name == "Chart.yaml" { + if c.Metadata == nil { + c.Metadata = new(chart.Metadata) + } + if err := yaml.Unmarshal(f.Data, c.Metadata); err != nil { + return c, errors.Wrap(err, "cannot load Chart.yaml") + } + // NOTE(bacongobbler): while the chart specification says that APIVersion must be set, + // Helm 2 accepted charts that did not provide an APIVersion in their chart metadata. + // Because of that, if APIVersion is unset, we should assume we're loading a v1 chart. + if c.Metadata.APIVersion == "" { + c.Metadata.APIVersion = chart.APIVersionV1 + } + } + } + for _, f := range files { + switch { + case f.Name == "Chart.yaml": + // already processed + continue + case f.Name == "Chart.lock": + c.Lock = new(chart.Lock) + if err := yaml.Unmarshal(f.Data, &c.Lock); err != nil { + return c, errors.Wrap(err, "cannot load Chart.lock") + } + case f.Name == "values.yaml": + c.Values = make(map[string]interface{}) + if err := yaml.Unmarshal(f.Data, &c.Values); err != nil { + return c, errors.Wrap(err, "cannot load values.yaml") + } + case f.Name == "values.schema.json": + c.Schema = f.Data + + // Deprecated: requirements.yaml is deprecated use Chart.yaml. + // We will handle it for you because we are nice people + case f.Name == "requirements.yaml": + if c.Metadata == nil { + c.Metadata = new(chart.Metadata) + } + if c.Metadata.APIVersion != chart.APIVersionV1 { + log.Printf("Warning: Dependencies are handled in Chart.yaml since apiVersion \"v2\". We recommend migrating dependencies to Chart.yaml.") + } + if err := yaml.Unmarshal(f.Data, c.Metadata); err != nil { + return c, errors.Wrap(err, "cannot load requirements.yaml") + } + if c.Metadata.APIVersion == chart.APIVersionV1 { + c.Files = append(c.Files, &chart.File{Name: f.Name, Data: f.Data}) + } + // Deprecated: requirements.lock is deprecated use Chart.lock. + case f.Name == "requirements.lock": + c.Lock = new(chart.Lock) + if err := yaml.Unmarshal(f.Data, &c.Lock); err != nil { + return c, errors.Wrap(err, "cannot load requirements.lock") + } + if c.Metadata == nil { + c.Metadata = new(chart.Metadata) + } + if c.Metadata.APIVersion != chart.APIVersionV1 { + log.Printf("Warning: Dependency locking is handled in Chart.lock since apiVersion \"v2\". We recommend migrating to Chart.lock.") + } + if c.Metadata.APIVersion == chart.APIVersionV1 { + c.Files = append(c.Files, &chart.File{Name: f.Name, Data: f.Data}) + } + + case strings.HasPrefix(f.Name, "templates/"): + c.Templates = append(c.Templates, &chart.File{Name: f.Name, Data: f.Data}) + case strings.HasPrefix(f.Name, "charts/"): + if filepath.Ext(f.Name) == ".prov" { + c.Files = append(c.Files, &chart.File{Name: f.Name, Data: f.Data}) + continue + } + + fname := strings.TrimPrefix(f.Name, "charts/") + cname := strings.SplitN(fname, "/", 2)[0] + subcharts[cname] = append(subcharts[cname], &BufferedFile{Name: fname, Data: f.Data}) + default: + c.Files = append(c.Files, &chart.File{Name: f.Name, Data: f.Data}) + } + } + + if c.Metadata == nil { + return c, errors.New("Chart.yaml file is missing") + } + + if err := c.Validate(); err != nil { + return c, err + } + + for n, files := range subcharts { + var sc *chart.Chart + var err error + switch { + case strings.IndexAny(n, "_.") == 0: + continue + case filepath.Ext(n) == ".tgz": + file := files[0] + if file.Name != n { + return c, errors.Errorf("error unpacking subchart tar in %s: expected %s, got %s", c.Name(), n, file.Name) + } + // Untar the chart and add to c.Dependencies + sc, err = LoadArchive(bytes.NewBuffer(file.Data)) + default: + // We have to trim the prefix off of every file, and ignore any file + // that is in charts/, but isn't actually a chart. + buff := make([]*BufferedFile, 0, len(files)) + for _, f := range files { + parts := strings.SplitN(f.Name, "/", 2) + if len(parts) < 2 { + continue + } + f.Name = parts[1] + buff = append(buff, f) + } + sc, err = LoadFiles(buff) + } + + if err != nil { + return c, errors.Wrapf(err, "error unpacking subchart %s in %s", n, c.Name()) + } + c.AddDependency(sc) + } + + return c, nil +} diff --git a/vendor/helm.sh/helm/v3/pkg/chart/metadata.go b/vendor/helm.sh/helm/v3/pkg/chart/metadata.go new file mode 100644 index 0000000000..a08a97cd1d --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/chart/metadata.go @@ -0,0 +1,178 @@ +/* +Copyright The Helm Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package chart + +import ( + "path/filepath" + "strings" + "unicode" + + "github.com/Masterminds/semver/v3" +) + +// Maintainer describes a Chart maintainer. +type Maintainer struct { + // Name is a user name or organization name + Name string `json:"name,omitempty"` + // Email is an optional email address to contact the named maintainer + Email string `json:"email,omitempty"` + // URL is an optional URL to an address for the named maintainer + URL string `json:"url,omitempty"` +} + +// Validate checks valid data and sanitizes string characters. +func (m *Maintainer) Validate() error { + if m == nil { + return ValidationError("maintainers must not contain empty or null nodes") + } + m.Name = sanitizeString(m.Name) + m.Email = sanitizeString(m.Email) + m.URL = sanitizeString(m.URL) + return nil +} + +// Metadata for a Chart file. This models the structure of a Chart.yaml file. +type Metadata struct { + // The name of the chart. Required. + Name string `json:"name,omitempty"` + // The URL to a relevant project page, git repo, or contact person + Home string `json:"home,omitempty"` + // Source is the URL to the source code of this chart + Sources []string `json:"sources,omitempty"` + // A SemVer 2 conformant version string of the chart. Required. + Version string `json:"version,omitempty"` + // A one-sentence description of the chart + Description string `json:"description,omitempty"` + // A list of string keywords + Keywords []string `json:"keywords,omitempty"` + // A list of name and URL/email address combinations for the maintainer(s) + Maintainers []*Maintainer `json:"maintainers,omitempty"` + // The URL to an icon file. + Icon string `json:"icon,omitempty"` + // The API Version of this chart. Required. + APIVersion string `json:"apiVersion,omitempty"` + // The condition to check to enable chart + Condition string `json:"condition,omitempty"` + // The tags to check to enable chart + Tags string `json:"tags,omitempty"` + // The version of the application enclosed inside of this chart. + AppVersion string `json:"appVersion,omitempty"` + // Whether or not this chart is deprecated + Deprecated bool `json:"deprecated,omitempty"` + // Annotations are additional mappings uninterpreted by Helm, + // made available for inspection by other applications. + Annotations map[string]string `json:"annotations,omitempty"` + // KubeVersion is a SemVer constraint specifying the version of Kubernetes required. + KubeVersion string `json:"kubeVersion,omitempty"` + // Dependencies are a list of dependencies for a chart. + Dependencies []*Dependency `json:"dependencies,omitempty"` + // Specifies the chart type: application or library + Type string `json:"type,omitempty"` +} + +// Validate checks the metadata for known issues and sanitizes string +// characters. +func (md *Metadata) Validate() error { + if md == nil { + return ValidationError("chart.metadata is required") + } + + md.Name = sanitizeString(md.Name) + md.Description = sanitizeString(md.Description) + md.Home = sanitizeString(md.Home) + md.Icon = sanitizeString(md.Icon) + md.Condition = sanitizeString(md.Condition) + md.Tags = sanitizeString(md.Tags) + md.AppVersion = sanitizeString(md.AppVersion) + md.KubeVersion = sanitizeString(md.KubeVersion) + for i := range md.Sources { + md.Sources[i] = sanitizeString(md.Sources[i]) + } + for i := range md.Keywords { + md.Keywords[i] = sanitizeString(md.Keywords[i]) + } + + if md.APIVersion == "" { + return ValidationError("chart.metadata.apiVersion is required") + } + if md.Name == "" { + return ValidationError("chart.metadata.name is required") + } + + if md.Name != filepath.Base(md.Name) { + return ValidationErrorf("chart.metadata.name %q is invalid", md.Name) + } + + if md.Version == "" { + return ValidationError("chart.metadata.version is required") + } + if !isValidSemver(md.Version) { + return ValidationErrorf("chart.metadata.version %q is invalid", md.Version) + } + if !isValidChartType(md.Type) { + return ValidationError("chart.metadata.type must be application or library") + } + + for _, m := range md.Maintainers { + if err := m.Validate(); err != nil { + return err + } + } + + // Aliases need to be validated here to make sure that the alias name does + // not contain any illegal characters. + dependencies := map[string]*Dependency{} + for _, dependency := range md.Dependencies { + if err := dependency.Validate(); err != nil { + return err + } + key := dependency.Name + if dependency.Alias != "" { + key = dependency.Alias + } + if dependencies[key] != nil { + return ValidationErrorf("more than one dependency with name or alias %q", key) + } + dependencies[key] = dependency + } + return nil +} + +func isValidChartType(in string) bool { + switch in { + case "", "application", "library": + return true + } + return false +} + +func isValidSemver(v string) bool { + _, err := semver.NewVersion(v) + return err == nil +} + +// sanitizeString normalize spaces and removes non-printable characters. +func sanitizeString(str string) string { + return strings.Map(func(r rune) rune { + if unicode.IsSpace(r) { + return ' ' + } + if unicode.IsPrint(r) { + return r + } + return -1 + }, str) +} diff --git a/vendor/helm.sh/helm/v3/pkg/chartutil/capabilities.go b/vendor/helm.sh/helm/v3/pkg/chartutil/capabilities.go new file mode 100644 index 0000000000..48fab0ea40 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/chartutil/capabilities.go @@ -0,0 +1,126 @@ +/* +Copyright The Helm Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package chartutil + +import ( + "fmt" + "strconv" + + "github.com/Masterminds/semver/v3" + "k8s.io/client-go/kubernetes/scheme" + + apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" + apiextensionsv1beta1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1" + + helmversion "helm.sh/helm/v3/internal/version" +) + +var ( + // The Kubernetes version can be set by LDFLAGS. In order to do that the value + // must be a string. + k8sVersionMajor = "1" + k8sVersionMinor = "20" + + // DefaultVersionSet is the default version set, which includes only Core V1 ("v1"). + DefaultVersionSet = allKnownVersions() + + // DefaultCapabilities is the default set of capabilities. + DefaultCapabilities = &Capabilities{ + KubeVersion: KubeVersion{ + Version: fmt.Sprintf("v%s.%s.0", k8sVersionMajor, k8sVersionMinor), + Major: k8sVersionMajor, + Minor: k8sVersionMinor, + }, + APIVersions: DefaultVersionSet, + HelmVersion: helmversion.Get(), + } +) + +// Capabilities describes the capabilities of the Kubernetes cluster. +type Capabilities struct { + // KubeVersion is the Kubernetes version. + KubeVersion KubeVersion + // APIVersions are supported Kubernetes API versions. + APIVersions VersionSet + // HelmVersion is the build information for this helm version + HelmVersion helmversion.BuildInfo +} + +func (capabilities *Capabilities) Copy() *Capabilities { + return &Capabilities{ + KubeVersion: capabilities.KubeVersion, + APIVersions: capabilities.APIVersions, + HelmVersion: capabilities.HelmVersion, + } +} + +// KubeVersion is the Kubernetes version. +type KubeVersion struct { + Version string // Kubernetes version + Major string // Kubernetes major version + Minor string // Kubernetes minor version +} + +// String implements fmt.Stringer +func (kv *KubeVersion) String() string { return kv.Version } + +// GitVersion returns the Kubernetes version string. +// +// Deprecated: use KubeVersion.Version. +func (kv *KubeVersion) GitVersion() string { return kv.Version } + +// ParseKubeVersion parses kubernetes version from string +func ParseKubeVersion(version string) (*KubeVersion, error) { + sv, err := semver.NewVersion(version) + if err != nil { + return nil, err + } + return &KubeVersion{ + Version: "v" + sv.String(), + Major: strconv.FormatUint(sv.Major(), 10), + Minor: strconv.FormatUint(sv.Minor(), 10), + }, nil +} + +// VersionSet is a set of Kubernetes API versions. +type VersionSet []string + +// Has returns true if the version string is in the set. +// +// vs.Has("apps/v1") +func (v VersionSet) Has(apiVersion string) bool { + for _, x := range v { + if x == apiVersion { + return true + } + } + return false +} + +func allKnownVersions() VersionSet { + // We should register the built in extension APIs as well so CRDs are + // supported in the default version set. This has caused problems with `helm + // template` in the past, so let's be safe + apiextensionsv1beta1.AddToScheme(scheme.Scheme) + apiextensionsv1.AddToScheme(scheme.Scheme) + + groups := scheme.Scheme.PrioritizedVersionsAllGroups() + vs := make(VersionSet, 0, len(groups)) + for _, gv := range groups { + vs = append(vs, gv.String()) + } + return vs +} diff --git a/vendor/helm.sh/helm/v3/pkg/chartutil/chartfile.go b/vendor/helm.sh/helm/v3/pkg/chartutil/chartfile.go new file mode 100644 index 0000000000..4f537a6e76 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/chartutil/chartfile.go @@ -0,0 +1,92 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package chartutil + +import ( + "os" + "path/filepath" + + "github.com/pkg/errors" + "sigs.k8s.io/yaml" + + "helm.sh/helm/v3/pkg/chart" +) + +// LoadChartfile loads a Chart.yaml file into a *chart.Metadata. +func LoadChartfile(filename string) (*chart.Metadata, error) { + b, err := os.ReadFile(filename) + if err != nil { + return nil, err + } + y := new(chart.Metadata) + err = yaml.Unmarshal(b, y) + return y, err +} + +// SaveChartfile saves the given metadata as a Chart.yaml file at the given path. +// +// 'filename' should be the complete path and filename ('foo/Chart.yaml') +func SaveChartfile(filename string, cf *chart.Metadata) error { + // Pull out the dependencies of a v1 Chart, since there's no way + // to tell the serializer to skip a field for just this use case + savedDependencies := cf.Dependencies + if cf.APIVersion == chart.APIVersionV1 { + cf.Dependencies = nil + } + out, err := yaml.Marshal(cf) + if cf.APIVersion == chart.APIVersionV1 { + cf.Dependencies = savedDependencies + } + if err != nil { + return err + } + return os.WriteFile(filename, out, 0644) +} + +// IsChartDir validate a chart directory. +// +// Checks for a valid Chart.yaml. +func IsChartDir(dirName string) (bool, error) { + if fi, err := os.Stat(dirName); err != nil { + return false, err + } else if !fi.IsDir() { + return false, errors.Errorf("%q is not a directory", dirName) + } + + chartYaml := filepath.Join(dirName, ChartfileName) + if _, err := os.Stat(chartYaml); os.IsNotExist(err) { + return false, errors.Errorf("no %s exists in directory %q", ChartfileName, dirName) + } + + chartYamlContent, err := os.ReadFile(chartYaml) + if err != nil { + return false, errors.Errorf("cannot read %s in directory %q", ChartfileName, dirName) + } + + chartContent := new(chart.Metadata) + if err := yaml.Unmarshal(chartYamlContent, &chartContent); err != nil { + return false, err + } + if chartContent == nil { + return false, errors.Errorf("chart metadata (%s) missing", ChartfileName) + } + if chartContent.Name == "" { + return false, errors.Errorf("invalid chart (%s): name must not be empty", ChartfileName) + } + + return true, nil +} diff --git a/vendor/helm.sh/helm/v3/pkg/chartutil/coalesce.go b/vendor/helm.sh/helm/v3/pkg/chartutil/coalesce.go new file mode 100644 index 0000000000..40bce2a68e --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/chartutil/coalesce.go @@ -0,0 +1,305 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package chartutil + +import ( + "fmt" + "log" + + "github.com/mitchellh/copystructure" + "github.com/pkg/errors" + + "helm.sh/helm/v3/pkg/chart" +) + +func concatPrefix(a, b string) string { + if a == "" { + return b + } + return fmt.Sprintf("%s.%s", a, b) +} + +// CoalesceValues coalesces all of the values in a chart (and its subcharts). +// +// Values are coalesced together using the following rules: +// +// - Values in a higher level chart always override values in a lower-level +// dependency chart +// - Scalar values and arrays are replaced, maps are merged +// - A chart has access to all of the variables for it, as well as all of +// the values destined for its dependencies. +func CoalesceValues(chrt *chart.Chart, vals map[string]interface{}) (Values, error) { + valsCopy, err := copyValues(vals) + if err != nil { + return vals, err + } + return coalesce(log.Printf, chrt, valsCopy, "", false) +} + +// MergeValues is used to merge the values in a chart and its subcharts. This +// is different from Coalescing as nil/null values are preserved. +// +// Values are coalesced together using the following rules: +// +// - Values in a higher level chart always override values in a lower-level +// dependency chart +// - Scalar values and arrays are replaced, maps are merged +// - A chart has access to all of the variables for it, as well as all of +// the values destined for its dependencies. +// +// Retaining Nils is useful when processes early in a Helm action or business +// logic need to retain them for when Coalescing will happen again later in the +// business logic. +func MergeValues(chrt *chart.Chart, vals map[string]interface{}) (Values, error) { + valsCopy, err := copyValues(vals) + if err != nil { + return vals, err + } + return coalesce(log.Printf, chrt, valsCopy, "", true) +} + +func copyValues(vals map[string]interface{}) (Values, error) { + v, err := copystructure.Copy(vals) + if err != nil { + return vals, err + } + + valsCopy := v.(map[string]interface{}) + // if we have an empty map, make sure it is initialized + if valsCopy == nil { + valsCopy = make(map[string]interface{}) + } + + return valsCopy, nil +} + +type printFn func(format string, v ...interface{}) + +// coalesce coalesces the dest values and the chart values, giving priority to the dest values. +// +// This is a helper function for CoalesceValues and MergeValues. +// +// Note, the merge argument specifies whether this is being used by MergeValues +// or CoalesceValues. Coalescing removes null values and their keys in some +// situations while merging keeps the null values. +func coalesce(printf printFn, ch *chart.Chart, dest map[string]interface{}, prefix string, merge bool) (map[string]interface{}, error) { + coalesceValues(printf, ch, dest, prefix, merge) + return coalesceDeps(printf, ch, dest, prefix, merge) +} + +// coalesceDeps coalesces the dependencies of the given chart. +func coalesceDeps(printf printFn, chrt *chart.Chart, dest map[string]interface{}, prefix string, merge bool) (map[string]interface{}, error) { + for _, subchart := range chrt.Dependencies() { + if c, ok := dest[subchart.Name()]; !ok { + // If dest doesn't already have the key, create it. + dest[subchart.Name()] = make(map[string]interface{}) + } else if !istable(c) { + return dest, errors.Errorf("type mismatch on %s: %t", subchart.Name(), c) + } + if dv, ok := dest[subchart.Name()]; ok { + dvmap := dv.(map[string]interface{}) + subPrefix := concatPrefix(prefix, chrt.Metadata.Name) + // Get globals out of dest and merge them into dvmap. + coalesceGlobals(printf, dvmap, dest, subPrefix, merge) + // Now coalesce the rest of the values. + var err error + dest[subchart.Name()], err = coalesce(printf, subchart, dvmap, subPrefix, merge) + if err != nil { + return dest, err + } + } + } + return dest, nil +} + +// coalesceGlobals copies the globals out of src and merges them into dest. +// +// For convenience, returns dest. +func coalesceGlobals(printf printFn, dest, src map[string]interface{}, prefix string, _ bool) { + var dg, sg map[string]interface{} + + if destglob, ok := dest[GlobalKey]; !ok { + dg = make(map[string]interface{}) + } else if dg, ok = destglob.(map[string]interface{}); !ok { + printf("warning: skipping globals because destination %s is not a table.", GlobalKey) + return + } + + if srcglob, ok := src[GlobalKey]; !ok { + sg = make(map[string]interface{}) + } else if sg, ok = srcglob.(map[string]interface{}); !ok { + printf("warning: skipping globals because source %s is not a table.", GlobalKey) + return + } + + // EXPERIMENTAL: In the past, we have disallowed globals to test tables. This + // reverses that decision. It may somehow be possible to introduce a loop + // here, but I haven't found a way. So for the time being, let's allow + // tables in globals. + for key, val := range sg { + if istable(val) { + vv := copyMap(val.(map[string]interface{})) + if destv, ok := dg[key]; !ok { + // Here there is no merge. We're just adding. + dg[key] = vv + } else { + if destvmap, ok := destv.(map[string]interface{}); !ok { + printf("Conflict: cannot merge map onto non-map for %q. Skipping.", key) + } else { + // Basically, we reverse order of coalesce here to merge + // top-down. + subPrefix := concatPrefix(prefix, key) + // In this location coalesceTablesFullKey should always have + // merge set to true. The output of coalesceGlobals is run + // through coalesce where any nils will be removed. + coalesceTablesFullKey(printf, vv, destvmap, subPrefix, true) + dg[key] = vv + } + } + } else if dv, ok := dg[key]; ok && istable(dv) { + // It's not clear if this condition can actually ever trigger. + printf("key %s is table. Skipping", key) + } else { + // TODO: Do we need to do any additional checking on the value? + dg[key] = val + } + } + dest[GlobalKey] = dg +} + +func copyMap(src map[string]interface{}) map[string]interface{} { + m := make(map[string]interface{}, len(src)) + for k, v := range src { + m[k] = v + } + return m +} + +// coalesceValues builds up a values map for a particular chart. +// +// Values in v will override the values in the chart. +func coalesceValues(printf printFn, c *chart.Chart, v map[string]interface{}, prefix string, merge bool) { + subPrefix := concatPrefix(prefix, c.Metadata.Name) + + // Using c.Values directly when coalescing a table can cause problems where + // the original c.Values is altered. Creating a deep copy stops the problem. + // This section is fault-tolerant as there is no ability to return an error. + valuesCopy, err := copystructure.Copy(c.Values) + var vc map[string]interface{} + var ok bool + if err != nil { + // If there is an error something is wrong with copying c.Values it + // means there is a problem in the deep copying package or something + // wrong with c.Values. In this case we will use c.Values and report + // an error. + printf("warning: unable to copy values, err: %s", err) + vc = c.Values + } else { + vc, ok = valuesCopy.(map[string]interface{}) + if !ok { + // c.Values has a map[string]interface{} structure. If the copy of + // it cannot be treated as map[string]interface{} there is something + // strangely wrong. Log it and use c.Values + printf("warning: unable to convert values copy to values type") + vc = c.Values + } + } + + for key, val := range vc { + if value, ok := v[key]; ok { + if value == nil && !merge { + // When the YAML value is null and we are coalescing instead of + // merging, we remove the value's key. + // This allows Helm's various sources of values (value files or --set) to + // remove incompatible keys from any previous chart, file, or set values. + delete(v, key) + } else if dest, ok := value.(map[string]interface{}); ok { + // if v[key] is a table, merge nv's val table into v[key]. + src, ok := val.(map[string]interface{}) + if !ok { + // If the original value is nil, there is nothing to coalesce, so we don't print + // the warning + if val != nil { + printf("warning: skipped value for %s.%s: Not a table.", subPrefix, key) + } + } else { + // If the key is a child chart, coalesce tables with Merge set to true + merge := childChartMergeTrue(c, key, merge) + + // Because v has higher precedence than nv, dest values override src + // values. + coalesceTablesFullKey(printf, dest, src, concatPrefix(subPrefix, key), merge) + } + } + } else { + // If the key is not in v, copy it from nv. + v[key] = val + } + } +} + +func childChartMergeTrue(chrt *chart.Chart, key string, merge bool) bool { + for _, subchart := range chrt.Dependencies() { + if subchart.Name() == key { + return true + } + } + return merge +} + +// CoalesceTables merges a source map into a destination map. +// +// dest is considered authoritative. +func CoalesceTables(dst, src map[string]interface{}) map[string]interface{} { + return coalesceTablesFullKey(log.Printf, dst, src, "", false) +} + +func MergeTables(dst, src map[string]interface{}) map[string]interface{} { + return coalesceTablesFullKey(log.Printf, dst, src, "", true) +} + +// coalesceTablesFullKey merges a source map into a destination map. +// +// dest is considered authoritative. +func coalesceTablesFullKey(printf printFn, dst, src map[string]interface{}, prefix string, merge bool) map[string]interface{} { + // When --reuse-values is set but there are no modifications yet, return new values + if src == nil { + return dst + } + if dst == nil { + return src + } + // Because dest has higher precedence than src, dest values override src + // values. + for key, val := range src { + fullkey := concatPrefix(prefix, key) + if dv, ok := dst[key]; ok && !merge && dv == nil { + delete(dst, key) + } else if !ok { + dst[key] = val + } else if istable(val) { + if istable(dv) { + coalesceTablesFullKey(printf, dv.(map[string]interface{}), val.(map[string]interface{}), fullkey, merge) + } else { + printf("warning: cannot overwrite table with non table for %s (%v)", fullkey, val) + } + } else if istable(dv) && val != nil { + printf("warning: destination for %s is a table. Ignoring non-table value (%v)", fullkey, val) + } + } + return dst +} diff --git a/vendor/helm.sh/helm/v3/pkg/chartutil/compatible.go b/vendor/helm.sh/helm/v3/pkg/chartutil/compatible.go new file mode 100644 index 0000000000..f4656c9135 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/chartutil/compatible.go @@ -0,0 +1,34 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package chartutil + +import "github.com/Masterminds/semver/v3" + +// IsCompatibleRange compares a version to a constraint. +// It returns true if the version matches the constraint, and false in all other cases. +func IsCompatibleRange(constraint, ver string) bool { + sv, err := semver.NewVersion(ver) + if err != nil { + return false + } + + c, err := semver.NewConstraint(constraint) + if err != nil { + return false + } + return c.Check(sv) +} diff --git a/vendor/helm.sh/helm/v3/pkg/chartutil/create.go b/vendor/helm.sh/helm/v3/pkg/chartutil/create.go new file mode 100644 index 0000000000..321d3d2c04 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/chartutil/create.go @@ -0,0 +1,735 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package chartutil + +import ( + "fmt" + "io" + "os" + "path/filepath" + "regexp" + "strings" + + "github.com/pkg/errors" + "sigs.k8s.io/yaml" + + "helm.sh/helm/v3/pkg/chart" + "helm.sh/helm/v3/pkg/chart/loader" +) + +// chartName is a regular expression for testing the supplied name of a chart. +// This regular expression is probably stricter than it needs to be. We can relax it +// somewhat. Newline characters, as well as $, quotes, +, parens, and % are known to be +// problematic. +var chartName = regexp.MustCompile("^[a-zA-Z0-9._-]+$") + +const ( + // ChartfileName is the default Chart file name. + ChartfileName = "Chart.yaml" + // ValuesfileName is the default values file name. + ValuesfileName = "values.yaml" + // SchemafileName is the default values schema file name. + SchemafileName = "values.schema.json" + // TemplatesDir is the relative directory name for templates. + TemplatesDir = "templates" + // ChartsDir is the relative directory name for charts dependencies. + ChartsDir = "charts" + // TemplatesTestsDir is the relative directory name for tests. + TemplatesTestsDir = TemplatesDir + sep + "tests" + // IgnorefileName is the name of the Helm ignore file. + IgnorefileName = ".helmignore" + // IngressFileName is the name of the example ingress file. + IngressFileName = TemplatesDir + sep + "ingress.yaml" + // DeploymentName is the name of the example deployment file. + DeploymentName = TemplatesDir + sep + "deployment.yaml" + // ServiceName is the name of the example service file. + ServiceName = TemplatesDir + sep + "service.yaml" + // ServiceAccountName is the name of the example serviceaccount file. + ServiceAccountName = TemplatesDir + sep + "serviceaccount.yaml" + // HorizontalPodAutoscalerName is the name of the example hpa file. + HorizontalPodAutoscalerName = TemplatesDir + sep + "hpa.yaml" + // NotesName is the name of the example NOTES.txt file. + NotesName = TemplatesDir + sep + "NOTES.txt" + // HelpersName is the name of the example helpers file. + HelpersName = TemplatesDir + sep + "_helpers.tpl" + // TestConnectionName is the name of the example test file. + TestConnectionName = TemplatesTestsDir + sep + "test-connection.yaml" +) + +// maxChartNameLength is lower than the limits we know of with certain file systems, +// and with certain Kubernetes fields. +const maxChartNameLength = 250 + +const sep = string(filepath.Separator) + +const defaultChartfile = `apiVersion: v2 +name: %s +description: A Helm chart for Kubernetes + +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 0.1.0 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. +# It is recommended to use it with quotes. +appVersion: "1.16.0" +` + +const defaultValues = `# Default values for %s. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +# This will set the replicaset count more information can be found here: https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/ +replicaCount: 1 + +# This sets the container image more information can be found here: https://kubernetes.io/docs/concepts/containers/images/ +image: + repository: nginx + # This sets the pull policy for images. + pullPolicy: IfNotPresent + # Overrides the image tag whose default is the chart appVersion. + tag: "" + +# This is for the secrets for pulling an image from a private repository more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ +imagePullSecrets: [] +# This is to override the chart name. +nameOverride: "" +fullnameOverride: "" + +# This section builds out the service account more information can be found here: https://kubernetes.io/docs/concepts/security/service-accounts/ +serviceAccount: + # Specifies whether a service account should be created + create: true + # Automatically mount a ServiceAccount's API credentials? + automount: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + +# This is for setting Kubernetes Annotations to a Pod. +# For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ +podAnnotations: {} +# This is for setting Kubernetes Labels to a Pod. +# For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ +podLabels: {} + +podSecurityContext: {} + # fsGroup: 2000 + +securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + +# This is for setting up a service more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/ +service: + # This sets the service type more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types + type: ClusterIP + # This sets the ports more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/#field-spec-ports + port: 80 + +# This block is for setting up the ingress for more information can be found here: https://kubernetes.io/docs/concepts/services-networking/ingress/ +ingress: + enabled: false + className: "" + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + hosts: + - host: chart-example.local + paths: + - path: / + pathType: ImplementationSpecific + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + +resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + +# This is to setup the liveness and readiness probes more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ +livenessProbe: + httpGet: + path: / + port: http +readinessProbe: + httpGet: + path: / + port: http + +# This section is for setting up autoscaling more information can be found here: https://kubernetes.io/docs/concepts/workloads/autoscaling/ +autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 100 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + +# Additional volumes on the output Deployment definition. +volumes: [] +# - name: foo +# secret: +# secretName: mysecret +# optional: false + +# Additional volumeMounts on the output Deployment definition. +volumeMounts: [] +# - name: foo +# mountPath: "/etc/foo" +# readOnly: true + +nodeSelector: {} + +tolerations: [] + +affinity: {} +` + +const defaultIgnore = `# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ +` + +const defaultIngress = `{{- if .Values.ingress.enabled -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ include ".fullname" . }} + labels: + {{- include ".labels" . | nindent 4 }} + {{- with .Values.ingress.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- with .Values.ingress.className }} + ingressClassName: {{ . }} + {{- end }} + {{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} + {{- end }} + rules: + {{- range .Values.ingress.hosts }} + - host: {{ .host | quote }} + http: + paths: + {{- range .paths }} + - path: {{ .path }} + {{- with .pathType }} + pathType: {{ . }} + {{- end }} + backend: + service: + name: {{ include ".fullname" $ }} + port: + number: {{ $.Values.service.port }} + {{- end }} + {{- end }} +{{- end }} +` + +const defaultDeployment = `apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include ".fullname" . }} + labels: + {{- include ".labels" . | nindent 4 }} +spec: + {{- if not .Values.autoscaling.enabled }} + replicas: {{ .Values.replicaCount }} + {{- end }} + selector: + matchLabels: + {{- include ".selectorLabels" . | nindent 6 }} + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include ".labels" . | nindent 8 }} + {{- with .Values.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include ".serviceAccountName" . }} + {{- with .Values.podSecurityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} + containers: + - name: {{ .Chart.Name }} + {{- with .Values.securityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + ports: + - name: http + containerPort: {{ .Values.service.port }} + protocol: TCP + {{- with .Values.livenessProbe }} + livenessProbe: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.readinessProbe }} + readinessProbe: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.volumeMounts }} + volumeMounts: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.volumes }} + volumes: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +` + +const defaultService = `apiVersion: v1 +kind: Service +metadata: + name: {{ include ".fullname" . }} + labels: + {{- include ".labels" . | nindent 4 }} +spec: + type: {{ .Values.service.type }} + ports: + - port: {{ .Values.service.port }} + targetPort: http + protocol: TCP + name: http + selector: + {{- include ".selectorLabels" . | nindent 4 }} +` + +const defaultServiceAccount = `{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include ".serviceAccountName" . }} + labels: + {{- include ".labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +automountServiceAccountToken: {{ .Values.serviceAccount.automount }} +{{- end }} +` + +const defaultHorizontalPodAutoscaler = `{{- if .Values.autoscaling.enabled }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include ".fullname" . }} + labels: + {{- include ".labels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include ".fullname" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + metrics: + {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} +{{- end }} +` + +const defaultNotes = `1. Get the application URL by running these commands: +{{- if .Values.ingress.enabled }} +{{- range $host := .Values.ingress.hosts }} + {{- range .paths }} + http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }} + {{- end }} +{{- end }} +{{- else if contains "NodePort" .Values.service.type }} + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include ".fullname" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + echo http://$NODE_IP:$NODE_PORT +{{- else if contains "LoadBalancer" .Values.service.type }} + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + You can watch its status by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include ".fullname" . }}' + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include ".fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") + echo http://$SERVICE_IP:{{ .Values.service.port }} +{{- else if contains "ClusterIP" .Values.service.type }} + export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include ".name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") + export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}") + echo "Visit http://127.0.0.1:8080 to use your application" + kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT +{{- end }} +` + +const defaultHelpers = `{{/* +Expand the name of the chart. +*/}} +{{- define ".name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define ".fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define ".chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define ".labels" -}} +helm.sh/chart: {{ include ".chart" . }} +{{ include ".selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define ".selectorLabels" -}} +app.kubernetes.io/name: {{ include ".name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define ".serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include ".fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} +` + +const defaultTestConnection = `apiVersion: v1 +kind: Pod +metadata: + name: "{{ include ".fullname" . }}-test-connection" + labels: + {{- include ".labels" . | nindent 4 }} + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['{{ include ".fullname" . }}:{{ .Values.service.port }}'] + restartPolicy: Never +` + +// Stderr is an io.Writer to which error messages can be written +// +// In Helm 4, this will be replaced. It is needed in Helm 3 to preserve API backward +// compatibility. +var Stderr io.Writer = os.Stderr + +// CreateFrom creates a new chart, but scaffolds it from the src chart. +func CreateFrom(chartfile *chart.Metadata, dest, src string) error { + schart, err := loader.Load(src) + if err != nil { + return errors.Wrapf(err, "could not load %s", src) + } + + schart.Metadata = chartfile + + var updatedTemplates []*chart.File + + for _, template := range schart.Templates { + newData := transform(string(template.Data), schart.Name()) + updatedTemplates = append(updatedTemplates, &chart.File{Name: template.Name, Data: newData}) + } + + schart.Templates = updatedTemplates + b, err := yaml.Marshal(schart.Values) + if err != nil { + return errors.Wrap(err, "reading values file") + } + + var m map[string]interface{} + if err := yaml.Unmarshal(transform(string(b), schart.Name()), &m); err != nil { + return errors.Wrap(err, "transforming values file") + } + schart.Values = m + + // SaveDir looks for the file values.yaml when saving rather than the values + // key in order to preserve the comments in the YAML. The name placeholder + // needs to be replaced on that file. + for _, f := range schart.Raw { + if f.Name == ValuesfileName { + f.Data = transform(string(f.Data), schart.Name()) + } + } + + return SaveDir(schart, dest) +} + +// Create creates a new chart in a directory. +// +// Inside of dir, this will create a directory based on the name of +// chartfile.Name. It will then write the Chart.yaml into this directory and +// create the (empty) appropriate directories. +// +// The returned string will point to the newly created directory. It will be +// an absolute path, even if the provided base directory was relative. +// +// If dir does not exist, this will return an error. +// If Chart.yaml or any directories cannot be created, this will return an +// error. In such a case, this will attempt to clean up by removing the +// new chart directory. +func Create(name, dir string) (string, error) { + + // Sanity-check the name of a chart so user doesn't create one that causes problems. + if err := validateChartName(name); err != nil { + return "", err + } + + path, err := filepath.Abs(dir) + if err != nil { + return path, err + } + + if fi, err := os.Stat(path); err != nil { + return path, err + } else if !fi.IsDir() { + return path, errors.Errorf("no such directory %s", path) + } + + cdir := filepath.Join(path, name) + if fi, err := os.Stat(cdir); err == nil && !fi.IsDir() { + return cdir, errors.Errorf("file %s already exists and is not a directory", cdir) + } + + // Note: If adding a new template below (i.e., to `helm create`) which is disabled by default (similar to hpa and + // ingress below); or making an existing template disabled by default, add the enabling condition in + // `TestHelmCreateChart_CheckDeprecatedWarnings` in `pkg/lint/lint_test.go` to make it run through deprecation checks + // with latest Kubernetes version. + files := []struct { + path string + content []byte + }{ + { + // Chart.yaml + path: filepath.Join(cdir, ChartfileName), + content: []byte(fmt.Sprintf(defaultChartfile, name)), + }, + { + // values.yaml + path: filepath.Join(cdir, ValuesfileName), + content: []byte(fmt.Sprintf(defaultValues, name)), + }, + { + // .helmignore + path: filepath.Join(cdir, IgnorefileName), + content: []byte(defaultIgnore), + }, + { + // ingress.yaml + path: filepath.Join(cdir, IngressFileName), + content: transform(defaultIngress, name), + }, + { + // deployment.yaml + path: filepath.Join(cdir, DeploymentName), + content: transform(defaultDeployment, name), + }, + { + // service.yaml + path: filepath.Join(cdir, ServiceName), + content: transform(defaultService, name), + }, + { + // serviceaccount.yaml + path: filepath.Join(cdir, ServiceAccountName), + content: transform(defaultServiceAccount, name), + }, + { + // hpa.yaml + path: filepath.Join(cdir, HorizontalPodAutoscalerName), + content: transform(defaultHorizontalPodAutoscaler, name), + }, + { + // NOTES.txt + path: filepath.Join(cdir, NotesName), + content: transform(defaultNotes, name), + }, + { + // _helpers.tpl + path: filepath.Join(cdir, HelpersName), + content: transform(defaultHelpers, name), + }, + { + // test-connection.yaml + path: filepath.Join(cdir, TestConnectionName), + content: transform(defaultTestConnection, name), + }, + } + + for _, file := range files { + if _, err := os.Stat(file.path); err == nil { + // There is no handle to a preferred output stream here. + fmt.Fprintf(Stderr, "WARNING: File %q already exists. Overwriting.\n", file.path) + } + if err := writeFile(file.path, file.content); err != nil { + return cdir, err + } + } + // Need to add the ChartsDir explicitly as it does not contain any file OOTB + if err := os.MkdirAll(filepath.Join(cdir, ChartsDir), 0755); err != nil { + return cdir, err + } + return cdir, nil +} + +// transform performs a string replacement of the specified source for +// a given key with the replacement string +func transform(src, replacement string) []byte { + return []byte(strings.ReplaceAll(src, "", replacement)) +} + +func writeFile(name string, content []byte) error { + if err := os.MkdirAll(filepath.Dir(name), 0755); err != nil { + return err + } + return os.WriteFile(name, content, 0644) +} + +func validateChartName(name string) error { + if name == "" || len(name) > maxChartNameLength { + return fmt.Errorf("chart name must be between 1 and %d characters", maxChartNameLength) + } + if !chartName.MatchString(name) { + return fmt.Errorf("chart name must match the regular expression %q", chartName.String()) + } + return nil +} diff --git a/vendor/helm.sh/helm/v3/pkg/chartutil/dependencies.go b/vendor/helm.sh/helm/v3/pkg/chartutil/dependencies.go new file mode 100644 index 0000000000..37452cec7a --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/chartutil/dependencies.go @@ -0,0 +1,357 @@ +/* +Copyright The Helm Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package chartutil + +import ( + "fmt" + "log" + "strings" + + "github.com/mitchellh/copystructure" + + "helm.sh/helm/v3/pkg/chart" +) + +// ProcessDependencies checks through this chart's dependencies, processing accordingly. +// +// TODO: For Helm v4 this can be combined with or turned into ProcessDependenciesWithMerge +func ProcessDependencies(c *chart.Chart, v Values) error { + if err := processDependencyEnabled(c, v, ""); err != nil { + return err + } + return processDependencyImportValues(c, false) +} + +// ProcessDependenciesWithMerge checks through this chart's dependencies, processing accordingly. +// It is similar to ProcessDependencies but it does not remove nil values during +// the import/export handling process. +func ProcessDependenciesWithMerge(c *chart.Chart, v Values) error { + if err := processDependencyEnabled(c, v, ""); err != nil { + return err + } + return processDependencyImportValues(c, true) +} + +// processDependencyConditions disables charts based on condition path value in values +func processDependencyConditions(reqs []*chart.Dependency, cvals Values, cpath string) { + if reqs == nil { + return + } + for _, r := range reqs { + for _, c := range strings.Split(strings.TrimSpace(r.Condition), ",") { + if len(c) > 0 { + // retrieve value + vv, err := cvals.PathValue(cpath + c) + if err == nil { + // if not bool, warn + if bv, ok := vv.(bool); ok { + r.Enabled = bv + break + } + log.Printf("Warning: Condition path '%s' for chart %s returned non-bool value", c, r.Name) + } else if _, ok := err.(ErrNoValue); !ok { + // this is a real error + log.Printf("Warning: PathValue returned error %v", err) + } + } + } + } +} + +// processDependencyTags disables charts based on tags in values +func processDependencyTags(reqs []*chart.Dependency, cvals Values) { + if reqs == nil { + return + } + vt, err := cvals.Table("tags") + if err != nil { + return + } + for _, r := range reqs { + var hasTrue, hasFalse bool + for _, k := range r.Tags { + if b, ok := vt[k]; ok { + // if not bool, warn + if bv, ok := b.(bool); ok { + if bv { + hasTrue = true + } else { + hasFalse = true + } + } else { + log.Printf("Warning: Tag '%s' for chart %s returned non-bool value", k, r.Name) + } + } + } + if !hasTrue && hasFalse { + r.Enabled = false + } else if hasTrue || !hasTrue && !hasFalse { + r.Enabled = true + } + } +} + +func getAliasDependency(charts []*chart.Chart, dep *chart.Dependency) *chart.Chart { + for _, c := range charts { + if c == nil { + continue + } + if c.Name() != dep.Name { + continue + } + if !IsCompatibleRange(dep.Version, c.Metadata.Version) { + continue + } + + out := *c + md := *c.Metadata + out.Metadata = &md + + if dep.Alias != "" { + md.Name = dep.Alias + } + return &out + } + return nil +} + +// processDependencyEnabled removes disabled charts from dependencies +func processDependencyEnabled(c *chart.Chart, v map[string]interface{}, path string) error { + if c.Metadata.Dependencies == nil { + return nil + } + + var chartDependencies []*chart.Chart + // If any dependency is not a part of Chart.yaml + // then this should be added to chartDependencies. + // However, if the dependency is already specified in Chart.yaml + // we should not add it, as it would be processed from Chart.yaml anyway. + +Loop: + for _, existing := range c.Dependencies() { + for _, req := range c.Metadata.Dependencies { + if existing.Name() == req.Name && IsCompatibleRange(req.Version, existing.Metadata.Version) { + continue Loop + } + } + chartDependencies = append(chartDependencies, existing) + } + + for _, req := range c.Metadata.Dependencies { + if req == nil { + continue + } + if chartDependency := getAliasDependency(c.Dependencies(), req); chartDependency != nil { + chartDependencies = append(chartDependencies, chartDependency) + } + if req.Alias != "" { + req.Name = req.Alias + } + } + c.SetDependencies(chartDependencies...) + + // set all to true + for _, lr := range c.Metadata.Dependencies { + lr.Enabled = true + } + cvals, err := CoalesceValues(c, v) + if err != nil { + return err + } + // flag dependencies as enabled/disabled + processDependencyTags(c.Metadata.Dependencies, cvals) + processDependencyConditions(c.Metadata.Dependencies, cvals, path) + // make a map of charts to remove + rm := map[string]struct{}{} + for _, r := range c.Metadata.Dependencies { + if !r.Enabled { + // remove disabled chart + rm[r.Name] = struct{}{} + } + } + // don't keep disabled charts in new slice + cd := []*chart.Chart{} + copy(cd, c.Dependencies()[:0]) + for _, n := range c.Dependencies() { + if _, ok := rm[n.Metadata.Name]; !ok { + cd = append(cd, n) + } + } + // don't keep disabled charts in metadata + cdMetadata := []*chart.Dependency{} + copy(cdMetadata, c.Metadata.Dependencies[:0]) + for _, n := range c.Metadata.Dependencies { + if _, ok := rm[n.Name]; !ok { + cdMetadata = append(cdMetadata, n) + } + } + + // recursively call self to process sub dependencies + for _, t := range cd { + subpath := path + t.Metadata.Name + "." + if err := processDependencyEnabled(t, cvals, subpath); err != nil { + return err + } + } + // set the correct dependencies in metadata + c.Metadata.Dependencies = nil + c.Metadata.Dependencies = append(c.Metadata.Dependencies, cdMetadata...) + c.SetDependencies(cd...) + + return nil +} + +// pathToMap creates a nested map given a YAML path in dot notation. +func pathToMap(path string, data map[string]interface{}) map[string]interface{} { + if path == "." { + return data + } + return set(parsePath(path), data) +} + +func set(path []string, data map[string]interface{}) map[string]interface{} { + if len(path) == 0 { + return nil + } + cur := data + for i := len(path) - 1; i >= 0; i-- { + cur = map[string]interface{}{path[i]: cur} + } + return cur +} + +// processImportValues merges values from child to parent based on the chart's dependencies' ImportValues field. +func processImportValues(c *chart.Chart, merge bool) error { + if c.Metadata.Dependencies == nil { + return nil + } + // combine chart values and empty config to get Values + var cvals Values + var err error + if merge { + cvals, err = MergeValues(c, nil) + } else { + cvals, err = CoalesceValues(c, nil) + } + if err != nil { + return err + } + b := make(map[string]interface{}) + // import values from each dependency if specified in import-values + for _, r := range c.Metadata.Dependencies { + var outiv []interface{} + for _, riv := range r.ImportValues { + switch iv := riv.(type) { + case map[string]interface{}: + child := fmt.Sprintf("%v", iv["child"]) + parent := fmt.Sprintf("%v", iv["parent"]) + + outiv = append(outiv, map[string]string{ + "child": child, + "parent": parent, + }) + + // get child table + vv, err := cvals.Table(r.Name + "." + child) + if err != nil { + log.Printf("Warning: ImportValues missing table from chart %s: %v", r.Name, err) + continue + } + // create value map from child to be merged into parent + if merge { + b = MergeTables(b, pathToMap(parent, vv.AsMap())) + } else { + b = CoalesceTables(b, pathToMap(parent, vv.AsMap())) + } + case string: + child := "exports." + iv + outiv = append(outiv, map[string]string{ + "child": child, + "parent": ".", + }) + vm, err := cvals.Table(r.Name + "." + child) + if err != nil { + log.Printf("Warning: ImportValues missing table: %v", err) + continue + } + if merge { + b = MergeTables(b, vm.AsMap()) + } else { + b = CoalesceTables(b, vm.AsMap()) + } + } + } + r.ImportValues = outiv + } + + // Imported values from a child to a parent chart have a lower priority than + // the parents values. This enables parent charts to import a large section + // from a child and then override select parts. This is why b is merged into + // cvals in the code below and not the other way around. + if merge { + // deep copying the cvals as there are cases where pointers can end + // up in the cvals when they are copied onto b in ways that break things. + cvals = deepCopyMap(cvals) + c.Values = MergeTables(cvals, b) + } else { + // Trimming the nil values from cvals is needed for backwards compatibility. + // Previously, the b value had been populated with cvals along with some + // overrides. This caused the coalescing functionality to remove the + // nil/null values. This trimming is for backwards compat. + cvals = trimNilValues(cvals) + c.Values = CoalesceTables(cvals, b) + } + + return nil +} + +func deepCopyMap(vals map[string]interface{}) map[string]interface{} { + valsCopy, err := copystructure.Copy(vals) + if err != nil { + return vals + } + return valsCopy.(map[string]interface{}) +} + +func trimNilValues(vals map[string]interface{}) map[string]interface{} { + valsCopy, err := copystructure.Copy(vals) + if err != nil { + return vals + } + valsCopyMap := valsCopy.(map[string]interface{}) + for key, val := range valsCopyMap { + if val == nil { + // Iterate over the values and remove nil keys + delete(valsCopyMap, key) + } else if istable(val) { + // Recursively call into ourselves to remove keys from inner tables + valsCopyMap[key] = trimNilValues(val.(map[string]interface{})) + } + } + + return valsCopyMap +} + +// processDependencyImportValues imports specified chart values from child to parent. +func processDependencyImportValues(c *chart.Chart, merge bool) error { + for _, d := range c.Dependencies() { + // recurse + if err := processDependencyImportValues(d, merge); err != nil { + return err + } + } + return processImportValues(c, merge) +} diff --git a/vendor/helm.sh/helm/v3/pkg/chartutil/doc.go b/vendor/helm.sh/helm/v3/pkg/chartutil/doc.go new file mode 100644 index 0000000000..49c55ac521 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/chartutil/doc.go @@ -0,0 +1,45 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +/* +Package chartutil contains tools for working with charts. + +Charts are described in the chart package (pkg/chart). +This package provides utilities for serializing and deserializing charts. + +A chart can be represented on the file system in one of two ways: + + - As a directory that contains a Chart.yaml file and other chart things. + - As a tarred gzipped file containing a directory that then contains a + Chart.yaml file. + +This package provides utilities for working with those file formats. + +The preferred way of loading a chart is using 'loader.Load`: + + chart, err := loader.Load(filename) + +This will attempt to discover whether the file at 'filename' is a directory or +a chart archive. It will then load accordingly. + +For accepting raw compressed tar file data from an io.Reader, the +'loader.LoadArchive()' will read in the data, uncompress it, and unpack it +into a Chart. + +When creating charts in memory, use the 'helm.sh/helm/pkg/chart' +package directly. +*/ +package chartutil // import "helm.sh/helm/v3/pkg/chartutil" diff --git a/vendor/helm.sh/helm/v3/pkg/chartutil/errors.go b/vendor/helm.sh/helm/v3/pkg/chartutil/errors.go new file mode 100644 index 0000000000..0a4046d2e2 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/chartutil/errors.go @@ -0,0 +1,43 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package chartutil + +import ( + "fmt" +) + +// ErrNoTable indicates that a chart does not have a matching table. +type ErrNoTable struct { + Key string +} + +func (e ErrNoTable) Error() string { return fmt.Sprintf("%q is not a table", e.Key) } + +// ErrNoValue indicates that Values does not contain a key with a value +type ErrNoValue struct { + Key string +} + +func (e ErrNoValue) Error() string { return fmt.Sprintf("%q is not a value", e.Key) } + +type ErrInvalidChartName struct { + Name string +} + +func (e ErrInvalidChartName) Error() string { + return fmt.Sprintf("%q is not a valid chart name", e.Name) +} diff --git a/vendor/helm.sh/helm/v3/pkg/chartutil/expand.go b/vendor/helm.sh/helm/v3/pkg/chartutil/expand.go new file mode 100644 index 0000000000..ac59f25753 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/chartutil/expand.go @@ -0,0 +1,93 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package chartutil + +import ( + "io" + "os" + "path/filepath" + + securejoin "github.com/cyphar/filepath-securejoin" + "github.com/pkg/errors" + "sigs.k8s.io/yaml" + + "helm.sh/helm/v3/pkg/chart" + "helm.sh/helm/v3/pkg/chart/loader" +) + +// Expand uncompresses and extracts a chart into the specified directory. +func Expand(dir string, r io.Reader) error { + files, err := loader.LoadArchiveFiles(r) + if err != nil { + return err + } + + // Get the name of the chart + var chartName string + for _, file := range files { + if file.Name == "Chart.yaml" { + ch := &chart.Metadata{} + if err := yaml.Unmarshal(file.Data, ch); err != nil { + return errors.Wrap(err, "cannot load Chart.yaml") + } + chartName = ch.Name + } + } + if chartName == "" { + return errors.New("chart name not specified") + } + + // Find the base directory + // The directory needs to be cleaned prior to passing to SecureJoin or the location may end up + // being wrong or returning an error. This was introduced in v0.4.0. + dir = filepath.Clean(dir) + chartdir, err := securejoin.SecureJoin(dir, chartName) + if err != nil { + return err + } + + // Copy all files verbatim. We don't parse these files because parsing can remove + // comments. + for _, file := range files { + outpath, err := securejoin.SecureJoin(chartdir, file.Name) + if err != nil { + return err + } + + // Make sure the necessary subdirs get created. + basedir := filepath.Dir(outpath) + if err := os.MkdirAll(basedir, 0755); err != nil { + return err + } + + if err := os.WriteFile(outpath, file.Data, 0644); err != nil { + return err + } + } + + return nil +} + +// ExpandFile expands the src file into the dest directory. +func ExpandFile(dest, src string) error { + h, err := os.Open(src) + if err != nil { + return err + } + defer h.Close() + return Expand(dest, h) +} diff --git a/vendor/helm.sh/helm/v3/pkg/chartutil/jsonschema.go b/vendor/helm.sh/helm/v3/pkg/chartutil/jsonschema.go new file mode 100644 index 0000000000..d712316c59 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/chartutil/jsonschema.go @@ -0,0 +1,150 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package chartutil + +import ( + "bytes" + "crypto/tls" + "errors" + "fmt" + "strings" + "time" + + "github.com/santhosh-tekuri/jsonschema/v6" + + "net/http" + + "helm.sh/helm/v3/internal/version" + "helm.sh/helm/v3/pkg/chart" +) + +// HTTPURLLoader implements a loader for HTTP/HTTPS URLs +type HTTPURLLoader http.Client + +func (l *HTTPURLLoader) Load(urlStr string) (any, error) { + client := (*http.Client)(l) + + req, err := http.NewRequest(http.MethodGet, urlStr, nil) + if err != nil { + return nil, fmt.Errorf("failed to create HTTP request for %s: %w", urlStr, err) + } + req.Header.Set("User-Agent", version.GetUserAgent()) + + resp, err := client.Do(req) + if err != nil { + return nil, fmt.Errorf("HTTP request failed for %s: %w", urlStr, err) + } + defer resp.Body.Close() + + if resp.StatusCode != http.StatusOK { + return nil, fmt.Errorf("HTTP request to %s returned status %d (%s)", urlStr, resp.StatusCode, http.StatusText(resp.StatusCode)) + } + + return jsonschema.UnmarshalJSON(resp.Body) +} + +// newHTTPURLLoader creates a HTTP URL loader with proxy support. +func newHTTPURLLoader() *HTTPURLLoader { + httpLoader := HTTPURLLoader(http.Client{ + Timeout: 15 * time.Second, + Transport: &http.Transport{ + Proxy: http.ProxyFromEnvironment, + TLSClientConfig: &tls.Config{}, + }, + }) + return &httpLoader +} + +// ValidateAgainstSchema checks that values does not violate the structure laid out in schema +func ValidateAgainstSchema(chrt *chart.Chart, values map[string]interface{}) error { + var sb strings.Builder + if chrt.Schema != nil { + + err := ValidateAgainstSingleSchema(values, chrt.Schema) + if err != nil { + sb.WriteString(fmt.Sprintf("%s:\n", chrt.Name())) + sb.WriteString(err.Error()) + } + } + + for _, subchart := range chrt.Dependencies() { + subchartValues := values[subchart.Name()].(map[string]interface{}) + if err := ValidateAgainstSchema(subchart, subchartValues); err != nil { + sb.WriteString(err.Error()) + } + } + + if sb.Len() > 0 { + return errors.New(sb.String()) + } + + return nil +} + +// ValidateAgainstSingleSchema checks that values does not violate the structure laid out in this schema +func ValidateAgainstSingleSchema(values Values, schemaJSON []byte) (reterr error) { + defer func() { + if r := recover(); r != nil { + reterr = fmt.Errorf("unable to validate schema: %s", r) + } + }() + + // This unmarshal function leverages UseNumber() for number precision. The parser + // used for values does this as well. + schema, err := jsonschema.UnmarshalJSON(bytes.NewReader(schemaJSON)) + if err != nil { + return err + } + + // Configure compiler with loaders for different URL schemes + loader := jsonschema.SchemeURLLoader{ + "file": jsonschema.FileLoader{}, + "http": newHTTPURLLoader(), + "https": newHTTPURLLoader(), + } + + compiler := jsonschema.NewCompiler() + compiler.UseLoader(loader) + err = compiler.AddResource("file:///values.schema.json", schema) + if err != nil { + return err + } + + validator, err := compiler.Compile("file:///values.schema.json") + if err != nil { + return err + } + + err = validator.Validate(values.AsMap()) + if err != nil { + return JSONSchemaValidationError{err} + } + + return nil +} + +type JSONSchemaValidationError struct { + embeddedErr error +} + +func (e JSONSchemaValidationError) Error() string { + errStr := e.embeddedErr.Error() + + errStr = strings.TrimPrefix(errStr, "jsonschema validation failed with 'file:///values.schema.json#'\n") + + return errStr + "\n" +} diff --git a/vendor/helm.sh/helm/v3/pkg/chartutil/save.go b/vendor/helm.sh/helm/v3/pkg/chartutil/save.go new file mode 100644 index 0000000000..4ee90709c9 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/chartutil/save.go @@ -0,0 +1,264 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package chartutil + +import ( + "archive/tar" + "compress/gzip" + "encoding/json" + "fmt" + "os" + "path/filepath" + "time" + + "github.com/pkg/errors" + "sigs.k8s.io/yaml" + + "helm.sh/helm/v3/pkg/chart" +) + +var headerBytes = []byte("+aHR0cHM6Ly95b3V0dS5iZS96OVV6MWljandyTQo=") + +// SaveDir saves a chart as files in a directory. +// +// This takes the chart name, and creates a new subdirectory inside of the given dest +// directory, writing the chart's contents to that subdirectory. +func SaveDir(c *chart.Chart, dest string) error { + // Create the chart directory + err := validateName(c.Name()) + if err != nil { + return err + } + outdir := filepath.Join(dest, c.Name()) + if fi, err := os.Stat(outdir); err == nil && !fi.IsDir() { + return errors.Errorf("file %s already exists and is not a directory", outdir) + } + if err := os.MkdirAll(outdir, 0755); err != nil { + return err + } + + // Save the chart file. + if err := SaveChartfile(filepath.Join(outdir, ChartfileName), c.Metadata); err != nil { + return err + } + + // Save values.yaml + for _, f := range c.Raw { + if f.Name == ValuesfileName { + vf := filepath.Join(outdir, ValuesfileName) + if err := writeFile(vf, f.Data); err != nil { + return err + } + } + } + + // Save values.schema.json if it exists + if c.Schema != nil { + filename := filepath.Join(outdir, SchemafileName) + if err := writeFile(filename, c.Schema); err != nil { + return err + } + } + + // Save templates and files + for _, o := range [][]*chart.File{c.Templates, c.Files} { + for _, f := range o { + n := filepath.Join(outdir, f.Name) + if err := writeFile(n, f.Data); err != nil { + return err + } + } + } + + // Save dependencies + base := filepath.Join(outdir, ChartsDir) + for _, dep := range c.Dependencies() { + // Here, we write each dependency as a tar file. + if _, err := Save(dep, base); err != nil { + return errors.Wrapf(err, "saving %s", dep.ChartFullPath()) + } + } + return nil +} + +// Save creates an archived chart to the given directory. +// +// This takes an existing chart and a destination directory. +// +// If the directory is /foo, and the chart is named bar, with version 1.0.0, this +// will generate /foo/bar-1.0.0.tgz. +// +// This returns the absolute path to the chart archive file. +func Save(c *chart.Chart, outDir string) (string, error) { + if err := c.Validate(); err != nil { + return "", errors.Wrap(err, "chart validation") + } + + filename := fmt.Sprintf("%s-%s.tgz", c.Name(), c.Metadata.Version) + filename = filepath.Join(outDir, filename) + dir := filepath.Dir(filename) + if stat, err := os.Stat(dir); err != nil { + if os.IsNotExist(err) { + if err2 := os.MkdirAll(dir, 0755); err2 != nil { + return "", err2 + } + } else { + return "", errors.Wrapf(err, "stat %s", dir) + } + } else if !stat.IsDir() { + return "", errors.Errorf("is not a directory: %s", dir) + } + + f, err := os.Create(filename) + if err != nil { + return "", err + } + + // Wrap in gzip writer + zipper := gzip.NewWriter(f) + zipper.Header.Extra = headerBytes + zipper.Header.Comment = "Helm" + + // Wrap in tar writer + twriter := tar.NewWriter(zipper) + rollback := false + defer func() { + twriter.Close() + zipper.Close() + f.Close() + if rollback { + os.Remove(filename) + } + }() + + if err := writeTarContents(twriter, c, ""); err != nil { + rollback = true + return filename, err + } + return filename, nil +} + +func writeTarContents(out *tar.Writer, c *chart.Chart, prefix string) error { + err := validateName(c.Name()) + if err != nil { + return err + } + base := filepath.Join(prefix, c.Name()) + + // Pull out the dependencies of a v1 Chart, since there's no way + // to tell the serializer to skip a field for just this use case + savedDependencies := c.Metadata.Dependencies + if c.Metadata.APIVersion == chart.APIVersionV1 { + c.Metadata.Dependencies = nil + } + // Save Chart.yaml + cdata, err := yaml.Marshal(c.Metadata) + if c.Metadata.APIVersion == chart.APIVersionV1 { + c.Metadata.Dependencies = savedDependencies + } + if err != nil { + return err + } + if err := writeToTar(out, filepath.Join(base, ChartfileName), cdata); err != nil { + return err + } + + // Save Chart.lock + // TODO: remove the APIVersion check when APIVersionV1 is not used anymore + if c.Metadata.APIVersion == chart.APIVersionV2 { + if c.Lock != nil { + ldata, err := yaml.Marshal(c.Lock) + if err != nil { + return err + } + if err := writeToTar(out, filepath.Join(base, "Chart.lock"), ldata); err != nil { + return err + } + } + } + + // Save values.yaml + for _, f := range c.Raw { + if f.Name == ValuesfileName { + if err := writeToTar(out, filepath.Join(base, ValuesfileName), f.Data); err != nil { + return err + } + } + } + + // Save values.schema.json if it exists + if c.Schema != nil { + if !json.Valid(c.Schema) { + return errors.New("Invalid JSON in " + SchemafileName) + } + if err := writeToTar(out, filepath.Join(base, SchemafileName), c.Schema); err != nil { + return err + } + } + + // Save templates + for _, f := range c.Templates { + n := filepath.Join(base, f.Name) + if err := writeToTar(out, n, f.Data); err != nil { + return err + } + } + + // Save files + for _, f := range c.Files { + n := filepath.Join(base, f.Name) + if err := writeToTar(out, n, f.Data); err != nil { + return err + } + } + + // Save dependencies + for _, dep := range c.Dependencies() { + if err := writeTarContents(out, dep, filepath.Join(base, ChartsDir)); err != nil { + return err + } + } + return nil +} + +// writeToTar writes a single file to a tar archive. +func writeToTar(out *tar.Writer, name string, body []byte) error { + // TODO: Do we need to create dummy parent directory names if none exist? + h := &tar.Header{ + Name: filepath.ToSlash(name), + Mode: 0644, + Size: int64(len(body)), + ModTime: time.Now(), + } + if err := out.WriteHeader(h); err != nil { + return err + } + _, err := out.Write(body) + return err +} + +// If the name has directory name has characters which would change the location +// they need to be removed. +func validateName(name string) error { + nname := filepath.Base(name) + + if nname != name { + return ErrInvalidChartName{name} + } + + return nil +} diff --git a/vendor/helm.sh/helm/v3/pkg/chartutil/validate_name.go b/vendor/helm.sh/helm/v3/pkg/chartutil/validate_name.go new file mode 100644 index 0000000000..05c090cb66 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/chartutil/validate_name.go @@ -0,0 +1,112 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package chartutil + +import ( + "fmt" + "regexp" + + "github.com/pkg/errors" +) + +// validName is a regular expression for resource names. +// +// According to the Kubernetes help text, the regular expression it uses is: +// +// [a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)* +// +// This follows the above regular expression (but requires a full string match, not partial). +// +// The Kubernetes documentation is here, though it is not entirely correct: +// https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names +var validName = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$`) + +var ( + // errMissingName indicates that a release (name) was not provided. + errMissingName = errors.New("no name provided") + + // errInvalidName indicates that an invalid release name was provided + errInvalidName = fmt.Errorf( + "invalid release name, must match regex %s and the length must not be longer than 53", + validName.String()) + + // errInvalidKubernetesName indicates that the name does not meet the Kubernetes + // restrictions on metadata names. + errInvalidKubernetesName = fmt.Errorf( + "invalid metadata name, must match regex %s and the length must not be longer than 253", + validName.String()) +) + +const ( + // According to the Kubernetes docs (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#rfc-1035-label-names) + // some resource names have a max length of 63 characters while others have a max + // length of 253 characters. As we cannot be sure the resources used in a chart, we + // therefore need to limit it to 63 chars and reserve 10 chars for additional part to name + // of the resource. The reason is that chart maintainers can use release name as part of + // the resource name (and some additional chars). + maxReleaseNameLen = 53 + // maxMetadataNameLen is the maximum length Kubernetes allows for any name. + maxMetadataNameLen = 253 +) + +// ValidateReleaseName performs checks for an entry for a Helm release name +// +// For Helm to allow a name, it must be below a certain character count (53) and also match +// a regular expression. +// +// According to the Kubernetes help text, the regular expression it uses is: +// +// [a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)* +// +// This follows the above regular expression (but requires a full string match, not partial). +// +// The Kubernetes documentation is here, though it is not entirely correct: +// https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names +func ValidateReleaseName(name string) error { + // This case is preserved for backwards compatibility + if name == "" { + return errMissingName + + } + if len(name) > maxReleaseNameLen || !validName.MatchString(name) { + return errInvalidName + } + return nil +} + +// ValidateMetadataName validates the name field of a Kubernetes metadata object. +// +// Empty strings, strings longer than 253 chars, or strings that don't match the regexp +// will fail. +// +// According to the Kubernetes help text, the regular expression it uses is: +// +// [a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)* +// +// This follows the above regular expression (but requires a full string match, not partial). +// +// The Kubernetes documentation is here, though it is not entirely correct: +// https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names +// +// Deprecated: remove in Helm 4. Name validation now uses rules defined in +// pkg/lint/rules.validateMetadataNameFunc() +func ValidateMetadataName(name string) error { + if name == "" || len(name) > maxMetadataNameLen || !validName.MatchString(name) { + return errInvalidKubernetesName + } + return nil +} diff --git a/vendor/helm.sh/helm/v3/pkg/chartutil/values.go b/vendor/helm.sh/helm/v3/pkg/chartutil/values.go new file mode 100644 index 0000000000..61c633a6d5 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/chartutil/values.go @@ -0,0 +1,221 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package chartutil + +import ( + "fmt" + "io" + "os" + "strings" + + "github.com/pkg/errors" + "sigs.k8s.io/yaml" + + "helm.sh/helm/v3/pkg/chart" +) + +// GlobalKey is the name of the Values key that is used for storing global vars. +const GlobalKey = "global" + +// Values represents a collection of chart values. +type Values map[string]interface{} + +// YAML encodes the Values into a YAML string. +func (v Values) YAML() (string, error) { + b, err := yaml.Marshal(v) + return string(b), err +} + +// Table gets a table (YAML subsection) from a Values object. +// +// The table is returned as a Values. +// +// Compound table names may be specified with dots: +// +// foo.bar +// +// The above will be evaluated as "The table bar inside the table +// foo". +// +// An ErrNoTable is returned if the table does not exist. +func (v Values) Table(name string) (Values, error) { + table := v + var err error + + for _, n := range parsePath(name) { + if table, err = tableLookup(table, n); err != nil { + break + } + } + return table, err +} + +// AsMap is a utility function for converting Values to a map[string]interface{}. +// +// It protects against nil map panics. +func (v Values) AsMap() map[string]interface{} { + if len(v) == 0 { + return map[string]interface{}{} + } + return v +} + +// Encode writes serialized Values information to the given io.Writer. +func (v Values) Encode(w io.Writer) error { + out, err := yaml.Marshal(v) + if err != nil { + return err + } + _, err = w.Write(out) + return err +} + +func tableLookup(v Values, simple string) (Values, error) { + v2, ok := v[simple] + if !ok { + return v, ErrNoTable{simple} + } + if vv, ok := v2.(map[string]interface{}); ok { + return vv, nil + } + + // This catches a case where a value is of type Values, but doesn't (for some + // reason) match the map[string]interface{}. This has been observed in the + // wild, and might be a result of a nil map of type Values. + if vv, ok := v2.(Values); ok { + return vv, nil + } + + return Values{}, ErrNoTable{simple} +} + +// ReadValues will parse YAML byte data into a Values. +func ReadValues(data []byte) (vals Values, err error) { + err = yaml.Unmarshal(data, &vals) + if len(vals) == 0 { + vals = Values{} + } + return vals, err +} + +// ReadValuesFile will parse a YAML file into a map of values. +func ReadValuesFile(filename string) (Values, error) { + data, err := os.ReadFile(filename) + if err != nil { + return map[string]interface{}{}, err + } + return ReadValues(data) +} + +// ReleaseOptions represents the additional release options needed +// for the composition of the final values struct +type ReleaseOptions struct { + Name string + Namespace string + Revision int + IsUpgrade bool + IsInstall bool +} + +// ToRenderValues composes the struct from the data coming from the Releases, Charts and Values files +// +// This takes both ReleaseOptions and Capabilities to merge into the render values. +func ToRenderValues(chrt *chart.Chart, chrtVals map[string]interface{}, options ReleaseOptions, caps *Capabilities) (Values, error) { + return ToRenderValuesWithSchemaValidation(chrt, chrtVals, options, caps, false) +} + +// ToRenderValuesWithSchemaValidation composes the struct from the data coming from the Releases, Charts and Values files +// +// This takes both ReleaseOptions and Capabilities to merge into the render values. +func ToRenderValuesWithSchemaValidation(chrt *chart.Chart, chrtVals map[string]interface{}, options ReleaseOptions, caps *Capabilities, skipSchemaValidation bool) (Values, error) { + if caps == nil { + caps = DefaultCapabilities + } + top := map[string]interface{}{ + "Chart": chrt.Metadata, + "Capabilities": caps, + "Release": map[string]interface{}{ + "Name": options.Name, + "Namespace": options.Namespace, + "IsUpgrade": options.IsUpgrade, + "IsInstall": options.IsInstall, + "Revision": options.Revision, + "Service": "Helm", + }, + } + + vals, err := CoalesceValues(chrt, chrtVals) + if err != nil { + return top, err + } + + if !skipSchemaValidation { + if err := ValidateAgainstSchema(chrt, vals); err != nil { + errFmt := "values don't meet the specifications of the schema(s) in the following chart(s):\n%s" + return top, fmt.Errorf(errFmt, err.Error()) + } + } + + top["Values"] = vals + return top, nil +} + +// istable is a special-purpose function to see if the present thing matches the definition of a YAML table. +func istable(v interface{}) bool { + _, ok := v.(map[string]interface{}) + return ok +} + +// PathValue takes a path that traverses a YAML structure and returns the value at the end of that path. +// The path starts at the root of the YAML structure and is comprised of YAML keys separated by periods. +// Given the following YAML data the value at path "chapter.one.title" is "Loomings". +// +// chapter: +// one: +// title: "Loomings" +func (v Values) PathValue(path string) (interface{}, error) { + if path == "" { + return nil, errors.New("YAML path cannot be empty") + } + return v.pathValue(parsePath(path)) +} + +func (v Values) pathValue(path []string) (interface{}, error) { + if len(path) == 1 { + // if exists must be root key not table + if _, ok := v[path[0]]; ok && !istable(v[path[0]]) { + return v[path[0]], nil + } + return nil, ErrNoValue{path[0]} + } + + key, path := path[len(path)-1], path[:len(path)-1] + // get our table for table path + t, err := v.Table(joinPath(path...)) + if err != nil { + return nil, ErrNoValue{key} + } + // check table for key and ensure value is not a table + if k, ok := t[key]; ok && !istable(k) { + return k, nil + } + return nil, ErrNoValue{key} +} + +func parsePath(key string) []string { return strings.Split(key, ".") } + +func joinPath(path ...string) string { return strings.Join(path, ".") } diff --git a/vendor/helm.sh/helm/v3/pkg/cli/environment.go b/vendor/helm.sh/helm/v3/pkg/cli/environment.go new file mode 100644 index 0000000000..6358063442 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/cli/environment.go @@ -0,0 +1,267 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +/* +Package cli describes the operating environment for the Helm CLI. + +Helm's environment encapsulates all of the service dependencies Helm has. +These dependencies are expressed as interfaces so that alternate implementations +(mocks, etc.) can be easily generated. +*/ +package cli + +import ( + "fmt" + "net/http" + "os" + "strconv" + "strings" + + "github.com/spf13/pflag" + "k8s.io/cli-runtime/pkg/genericclioptions" + "k8s.io/client-go/rest" + + "helm.sh/helm/v3/internal/version" + "helm.sh/helm/v3/pkg/helmpath" + "helm.sh/helm/v3/pkg/kube" +) + +// defaultMaxHistory sets the maximum number of releases to 0: unlimited +const defaultMaxHistory = 10 + +// defaultBurstLimit sets the default client-side throttling limit +const defaultBurstLimit = 100 + +// defaultQPS sets the default QPS value to 0 to use library defaults unless specified +const defaultQPS = float32(0) + +// EnvSettings describes all of the environment settings. +type EnvSettings struct { + namespace string + config *genericclioptions.ConfigFlags + + // KubeConfig is the path to the kubeconfig file + KubeConfig string + // KubeContext is the name of the kubeconfig context. + KubeContext string + // Bearer KubeToken used for authentication + KubeToken string + // Username to impersonate for the operation + KubeAsUser string + // Groups to impersonate for the operation, multiple groups parsed from a comma delimited list + KubeAsGroups []string + // Kubernetes API Server Endpoint for authentication + KubeAPIServer string + // Custom certificate authority file. + KubeCaFile string + // KubeInsecureSkipTLSVerify indicates if server's certificate will not be checked for validity. + // This makes the HTTPS connections insecure + KubeInsecureSkipTLSVerify bool + // KubeTLSServerName overrides the name to use for server certificate validation. + // If it is not provided, the hostname used to contact the server is used + KubeTLSServerName string + // Debug indicates whether or not Helm is running in Debug mode. + Debug bool + // RegistryConfig is the path to the registry config file. + RegistryConfig string + // RepositoryConfig is the path to the repositories file. + RepositoryConfig string + // RepositoryCache is the path to the repository cache directory. + RepositoryCache string + // PluginsDirectory is the path to the plugins directory. + PluginsDirectory string + // MaxHistory is the max release history maintained. + MaxHistory int + // BurstLimit is the default client-side throttling limit. + BurstLimit int + // QPS is queries per second which may be used to avoid throttling. + QPS float32 +} + +func New() *EnvSettings { + env := &EnvSettings{ + namespace: os.Getenv("HELM_NAMESPACE"), + MaxHistory: envIntOr("HELM_MAX_HISTORY", defaultMaxHistory), + KubeContext: os.Getenv("HELM_KUBECONTEXT"), + KubeToken: os.Getenv("HELM_KUBETOKEN"), + KubeAsUser: os.Getenv("HELM_KUBEASUSER"), + KubeAsGroups: envCSV("HELM_KUBEASGROUPS"), + KubeAPIServer: os.Getenv("HELM_KUBEAPISERVER"), + KubeCaFile: os.Getenv("HELM_KUBECAFILE"), + KubeTLSServerName: os.Getenv("HELM_KUBETLS_SERVER_NAME"), + KubeInsecureSkipTLSVerify: envBoolOr("HELM_KUBEINSECURE_SKIP_TLS_VERIFY", false), + PluginsDirectory: envOr("HELM_PLUGINS", helmpath.DataPath("plugins")), + RegistryConfig: envOr("HELM_REGISTRY_CONFIG", helmpath.ConfigPath("registry/config.json")), + RepositoryConfig: envOr("HELM_REPOSITORY_CONFIG", helmpath.ConfigPath("repositories.yaml")), + RepositoryCache: envOr("HELM_REPOSITORY_CACHE", helmpath.CachePath("repository")), + BurstLimit: envIntOr("HELM_BURST_LIMIT", defaultBurstLimit), + QPS: envFloat32Or("HELM_QPS", defaultQPS), + } + env.Debug, _ = strconv.ParseBool(os.Getenv("HELM_DEBUG")) + + // bind to kubernetes config flags + config := &genericclioptions.ConfigFlags{ + Namespace: &env.namespace, + Context: &env.KubeContext, + BearerToken: &env.KubeToken, + APIServer: &env.KubeAPIServer, + CAFile: &env.KubeCaFile, + KubeConfig: &env.KubeConfig, + Impersonate: &env.KubeAsUser, + Insecure: &env.KubeInsecureSkipTLSVerify, + TLSServerName: &env.KubeTLSServerName, + ImpersonateGroup: &env.KubeAsGroups, + WrapConfigFn: func(config *rest.Config) *rest.Config { + config.Burst = env.BurstLimit + config.QPS = env.QPS + config.Wrap(func(rt http.RoundTripper) http.RoundTripper { + return &kube.RetryingRoundTripper{Wrapped: rt} + }) + config.UserAgent = version.GetUserAgent() + return config + }, + } + if env.BurstLimit != defaultBurstLimit { + config = config.WithDiscoveryBurst(env.BurstLimit) + } + env.config = config + + return env +} + +// AddFlags binds flags to the given flagset. +func (s *EnvSettings) AddFlags(fs *pflag.FlagSet) { + fs.StringVarP(&s.namespace, "namespace", "n", s.namespace, "namespace scope for this request") + fs.StringVar(&s.KubeConfig, "kubeconfig", "", "path to the kubeconfig file") + fs.StringVar(&s.KubeContext, "kube-context", s.KubeContext, "name of the kubeconfig context to use") + fs.StringVar(&s.KubeToken, "kube-token", s.KubeToken, "bearer token used for authentication") + fs.StringVar(&s.KubeAsUser, "kube-as-user", s.KubeAsUser, "username to impersonate for the operation") + fs.StringArrayVar(&s.KubeAsGroups, "kube-as-group", s.KubeAsGroups, "group to impersonate for the operation, this flag can be repeated to specify multiple groups.") + fs.StringVar(&s.KubeAPIServer, "kube-apiserver", s.KubeAPIServer, "the address and the port for the Kubernetes API server") + fs.StringVar(&s.KubeCaFile, "kube-ca-file", s.KubeCaFile, "the certificate authority file for the Kubernetes API server connection") + fs.StringVar(&s.KubeTLSServerName, "kube-tls-server-name", s.KubeTLSServerName, "server name to use for Kubernetes API server certificate validation. If it is not provided, the hostname used to contact the server is used") + fs.BoolVar(&s.KubeInsecureSkipTLSVerify, "kube-insecure-skip-tls-verify", s.KubeInsecureSkipTLSVerify, "if true, the Kubernetes API server's certificate will not be checked for validity. This will make your HTTPS connections insecure") + fs.BoolVar(&s.Debug, "debug", s.Debug, "enable verbose output") + fs.StringVar(&s.RegistryConfig, "registry-config", s.RegistryConfig, "path to the registry config file") + fs.StringVar(&s.RepositoryConfig, "repository-config", s.RepositoryConfig, "path to the file containing repository names and URLs") + fs.StringVar(&s.RepositoryCache, "repository-cache", s.RepositoryCache, "path to the directory containing cached repository indexes") + fs.IntVar(&s.BurstLimit, "burst-limit", s.BurstLimit, "client-side default throttling limit") + fs.Float32Var(&s.QPS, "qps", s.QPS, "queries per second used when communicating with the Kubernetes API, not including bursting") +} + +func envOr(name, def string) string { + if v, ok := os.LookupEnv(name); ok { + return v + } + return def +} + +func envBoolOr(name string, def bool) bool { + if name == "" { + return def + } + envVal := envOr(name, strconv.FormatBool(def)) + ret, err := strconv.ParseBool(envVal) + if err != nil { + return def + } + return ret +} + +func envIntOr(name string, def int) int { + if name == "" { + return def + } + envVal := envOr(name, strconv.Itoa(def)) + ret, err := strconv.Atoi(envVal) + if err != nil { + return def + } + return ret +} + +func envFloat32Or(name string, def float32) float32 { + if name == "" { + return def + } + envVal := envOr(name, strconv.FormatFloat(float64(def), 'f', 2, 32)) + ret, err := strconv.ParseFloat(envVal, 32) + if err != nil { + return def + } + return float32(ret) +} + +func envCSV(name string) (ls []string) { + trimmed := strings.Trim(os.Getenv(name), ", ") + if trimmed != "" { + ls = strings.Split(trimmed, ",") + } + return +} + +func (s *EnvSettings) EnvVars() map[string]string { + envvars := map[string]string{ + "HELM_BIN": os.Args[0], + "HELM_CACHE_HOME": helmpath.CachePath(""), + "HELM_CONFIG_HOME": helmpath.ConfigPath(""), + "HELM_DATA_HOME": helmpath.DataPath(""), + "HELM_DEBUG": fmt.Sprint(s.Debug), + "HELM_PLUGINS": s.PluginsDirectory, + "HELM_REGISTRY_CONFIG": s.RegistryConfig, + "HELM_REPOSITORY_CACHE": s.RepositoryCache, + "HELM_REPOSITORY_CONFIG": s.RepositoryConfig, + "HELM_NAMESPACE": s.Namespace(), + "HELM_MAX_HISTORY": strconv.Itoa(s.MaxHistory), + "HELM_BURST_LIMIT": strconv.Itoa(s.BurstLimit), + "HELM_QPS": strconv.FormatFloat(float64(s.QPS), 'f', 2, 32), + + // broken, these are populated from helm flags and not kubeconfig. + "HELM_KUBECONTEXT": s.KubeContext, + "HELM_KUBETOKEN": s.KubeToken, + "HELM_KUBEASUSER": s.KubeAsUser, + "HELM_KUBEASGROUPS": strings.Join(s.KubeAsGroups, ","), + "HELM_KUBEAPISERVER": s.KubeAPIServer, + "HELM_KUBECAFILE": s.KubeCaFile, + "HELM_KUBEINSECURE_SKIP_TLS_VERIFY": strconv.FormatBool(s.KubeInsecureSkipTLSVerify), + "HELM_KUBETLS_SERVER_NAME": s.KubeTLSServerName, + } + if s.KubeConfig != "" { + envvars["KUBECONFIG"] = s.KubeConfig + } + return envvars +} + +// Namespace gets the namespace from the configuration +func (s *EnvSettings) Namespace() string { + if ns, _, err := s.config.ToRawKubeConfigLoader().Namespace(); err == nil { + return ns + } + if s.namespace != "" { + return s.namespace + } + return "default" +} + +// SetNamespace sets the namespace in the configuration +func (s *EnvSettings) SetNamespace(namespace string) { + s.namespace = namespace +} + +// RESTClientGetter gets the kubeconfig from EnvSettings +func (s *EnvSettings) RESTClientGetter() genericclioptions.RESTClientGetter { + return s.config +} diff --git a/vendor/helm.sh/helm/v3/pkg/downloader/chart_downloader.go b/vendor/helm.sh/helm/v3/pkg/downloader/chart_downloader.go new file mode 100644 index 0000000000..9e8e243b8c --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/downloader/chart_downloader.go @@ -0,0 +1,374 @@ +/* +Copyright The Helm Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package downloader + +import ( + "fmt" + "io" + "net/url" + "os" + "path/filepath" + "strings" + + "github.com/pkg/errors" + + "helm.sh/helm/v3/internal/fileutil" + "helm.sh/helm/v3/internal/urlutil" + "helm.sh/helm/v3/pkg/getter" + "helm.sh/helm/v3/pkg/helmpath" + "helm.sh/helm/v3/pkg/provenance" + "helm.sh/helm/v3/pkg/registry" + "helm.sh/helm/v3/pkg/repo" +) + +// VerificationStrategy describes a strategy for determining whether to verify a chart. +type VerificationStrategy int + +const ( + // VerifyNever will skip all verification of a chart. + VerifyNever VerificationStrategy = iota + // VerifyIfPossible will attempt a verification, it will not error if verification + // data is missing. But it will not stop processing if verification fails. + VerifyIfPossible + // VerifyAlways will always attempt a verification, and will fail if the + // verification fails. + VerifyAlways + // VerifyLater will fetch verification data, but not do any verification. + // This is to accommodate the case where another step of the process will + // perform verification. + VerifyLater +) + +// ErrNoOwnerRepo indicates that a given chart URL can't be found in any repos. +var ErrNoOwnerRepo = errors.New("could not find a repo containing the given URL") + +// ChartDownloader handles downloading a chart. +// +// It is capable of performing verifications on charts as well. +type ChartDownloader struct { + // Out is the location to write warning and info messages. + Out io.Writer + // Verify indicates what verification strategy to use. + Verify VerificationStrategy + // Keyring is the keyring file used for verification. + Keyring string + // Getter collection for the operation + Getters getter.Providers + // Options provide parameters to be passed along to the Getter being initialized. + Options []getter.Option + RegistryClient *registry.Client + RepositoryConfig string + RepositoryCache string +} + +// DownloadTo retrieves a chart. Depending on the settings, it may also download a provenance file. +// +// If Verify is set to VerifyNever, the verification will be nil. +// If Verify is set to VerifyIfPossible, this will return a verification (or nil on failure), and print a warning on failure. +// If Verify is set to VerifyAlways, this will return a verification or an error if the verification fails. +// If Verify is set to VerifyLater, this will download the prov file (if it exists), but not verify it. +// +// For VerifyNever and VerifyIfPossible, the Verification may be empty. +// +// Returns a string path to the location where the file was downloaded and a verification +// (if provenance was verified), or an error if something bad happened. +func (c *ChartDownloader) DownloadTo(ref, version, dest string) (string, *provenance.Verification, error) { + u, err := c.ResolveChartVersion(ref, version) + if err != nil { + return "", nil, err + } + + g, err := c.Getters.ByScheme(u.Scheme) + if err != nil { + return "", nil, err + } + + c.Options = append(c.Options, getter.WithAcceptHeader("application/gzip,application/octet-stream")) + + data, err := g.Get(u.String(), c.Options...) + if err != nil { + return "", nil, err + } + + name := filepath.Base(u.Path) + if u.Scheme == registry.OCIScheme { + idx := strings.LastIndexByte(name, ':') + name = fmt.Sprintf("%s-%s.tgz", name[:idx], name[idx+1:]) + } + + destfile := filepath.Join(dest, name) + if err := fileutil.AtomicWriteFile(destfile, data, 0644); err != nil { + return destfile, nil, err + } + + // If provenance is requested, verify it. + ver := &provenance.Verification{} + if c.Verify > VerifyNever { + body, err := g.Get(u.String() + ".prov") + if err != nil { + if c.Verify == VerifyAlways { + return destfile, ver, errors.Errorf("failed to fetch provenance %q", u.String()+".prov") + } + fmt.Fprintf(c.Out, "WARNING: Verification not found for %s: %s\n", ref, err) + return destfile, ver, nil + } + provfile := destfile + ".prov" + if err := fileutil.AtomicWriteFile(provfile, body, 0644); err != nil { + return destfile, nil, err + } + + if c.Verify != VerifyLater { + ver, err = VerifyChart(destfile, c.Keyring) + if err != nil { + // Fail always in this case, since it means the verification step + // failed. + return destfile, ver, err + } + } + } + return destfile, ver, nil +} + +// ResolveChartVersion resolves a chart reference to a URL. +// +// It returns the URL and sets the ChartDownloader's Options that can fetch +// the URL using the appropriate Getter. +// +// A reference may be an HTTP URL, an oci reference URL, a 'reponame/chartname' +// reference, or a local path. +// +// A version is a SemVer string (1.2.3-beta.1+f334a6789). +// +// - For fully qualified URLs, the version will be ignored (since URLs aren't versioned) +// - For a chart reference +// - If version is non-empty, this will return the URL for that version +// - If version is empty, this will return the URL for the latest version +// - If no version can be found, an error is returned +func (c *ChartDownloader) ResolveChartVersion(ref, version string) (*url.URL, error) { + u, err := url.Parse(ref) + if err != nil { + return nil, errors.Errorf("invalid chart URL format: %s", ref) + } + + if registry.IsOCI(u.String()) { + return c.RegistryClient.ValidateReference(ref, version, u) + } + + rf, err := loadRepoConfig(c.RepositoryConfig) + if err != nil { + return u, err + } + + if u.IsAbs() && len(u.Host) > 0 && len(u.Path) > 0 { + // In this case, we have to find the parent repo that contains this chart + // URL. And this is an unfortunate problem, as it requires actually going + // through each repo cache file and finding a matching URL. But basically + // we want to find the repo in case we have special SSL cert config + // for that repo. + + rc, err := c.scanReposForURL(ref, rf) + if err != nil { + // If there is no special config, return the default HTTP client and + // swallow the error. + if err == ErrNoOwnerRepo { + // Make sure to add the ref URL as the URL for the getter + c.Options = append(c.Options, getter.WithURL(ref)) + return u, nil + } + return u, err + } + + // If we get here, we don't need to go through the next phase of looking + // up the URL. We have it already. So we just set the parameters and return. + c.Options = append( + c.Options, + getter.WithURL(rc.URL), + ) + if rc.CertFile != "" || rc.KeyFile != "" || rc.CAFile != "" { + c.Options = append(c.Options, getter.WithTLSClientConfig(rc.CertFile, rc.KeyFile, rc.CAFile)) + } + if rc.Username != "" && rc.Password != "" { + c.Options = append( + c.Options, + getter.WithBasicAuth(rc.Username, rc.Password), + getter.WithPassCredentialsAll(rc.PassCredentialsAll), + ) + } + return u, nil + } + + // See if it's of the form: repo/path_to_chart + p := strings.SplitN(u.Path, "/", 2) + if len(p) < 2 { + return u, errors.Errorf("non-absolute URLs should be in form of repo_name/path_to_chart, got: %s", u) + } + + repoName := p[0] + chartName := p[1] + rc, err := pickChartRepositoryConfigByName(repoName, rf.Repositories) + + if err != nil { + return u, err + } + + // Now that we have the chart repository information we can use that URL + // to set the URL for the getter. + c.Options = append(c.Options, getter.WithURL(rc.URL)) + + r, err := repo.NewChartRepository(rc, c.Getters) + if err != nil { + return u, err + } + + if r != nil && r.Config != nil { + if r.Config.CertFile != "" || r.Config.KeyFile != "" || r.Config.CAFile != "" { + c.Options = append(c.Options, getter.WithTLSClientConfig(r.Config.CertFile, r.Config.KeyFile, r.Config.CAFile)) + } + if r.Config.Username != "" && r.Config.Password != "" { + c.Options = append(c.Options, + getter.WithBasicAuth(r.Config.Username, r.Config.Password), + getter.WithPassCredentialsAll(r.Config.PassCredentialsAll), + ) + } + } + + // Next, we need to load the index, and actually look up the chart. + idxFile := filepath.Join(c.RepositoryCache, helmpath.CacheIndexFile(r.Config.Name)) + i, err := repo.LoadIndexFile(idxFile) + if err != nil { + return u, errors.Wrap(err, "no cached repo found. (try 'helm repo update')") + } + + cv, err := i.Get(chartName, version) + if err != nil { + return u, errors.Wrapf(err, "chart %q matching %s not found in %s index. (try 'helm repo update')", chartName, version, r.Config.Name) + } + + if len(cv.URLs) == 0 { + return u, errors.Errorf("chart %q has no downloadable URLs", ref) + } + + // TODO: Seems that picking first URL is not fully correct + resolvedURL, err := repo.ResolveReferenceURL(rc.URL, cv.URLs[0]) + + if err != nil { + return u, errors.Errorf("invalid chart URL format: %s", ref) + } + + return url.Parse(resolvedURL) +} + +// VerifyChart takes a path to a chart archive and a keyring, and verifies the chart. +// +// It assumes that a chart archive file is accompanied by a provenance file whose +// name is the archive file name plus the ".prov" extension. +func VerifyChart(path, keyring string) (*provenance.Verification, error) { + // For now, error out if it's not a tar file. + switch fi, err := os.Stat(path); { + case err != nil: + return nil, err + case fi.IsDir(): + return nil, errors.New("unpacked charts cannot be verified") + case !isTar(path): + return nil, errors.New("chart must be a tgz file") + } + + provfile := path + ".prov" + if _, err := os.Stat(provfile); err != nil { + return nil, errors.Wrapf(err, "could not load provenance file %s", provfile) + } + + sig, err := provenance.NewFromKeyring(keyring, "") + if err != nil { + return nil, errors.Wrap(err, "failed to load keyring") + } + return sig.Verify(path, provfile) +} + +// isTar tests whether the given file is a tar file. +// +// Currently, this simply checks extension, since a subsequent function will +// untar the file and validate its binary format. +func isTar(filename string) bool { + return strings.EqualFold(filepath.Ext(filename), ".tgz") +} + +func pickChartRepositoryConfigByName(name string, cfgs []*repo.Entry) (*repo.Entry, error) { + for _, rc := range cfgs { + if rc.Name == name { + if rc.URL == "" { + return nil, errors.Errorf("no URL found for repository %s", name) + } + return rc, nil + } + } + return nil, errors.Errorf("repo %s not found", name) +} + +// scanReposForURL scans all repos to find which repo contains the given URL. +// +// This will attempt to find the given URL in all of the known repositories files. +// +// If the URL is found, this will return the repo entry that contained that URL. +// +// If all of the repos are checked, but the URL is not found, an ErrNoOwnerRepo +// error is returned. +// +// Other errors may be returned when repositories cannot be loaded or searched. +// +// Technically, the fact that a URL is not found in a repo is not a failure indication. +// Charts are not required to be included in an index before they are valid. So +// be mindful of this case. +// +// The same URL can technically exist in two or more repositories. This algorithm +// will return the first one it finds. Order is determined by the order of repositories +// in the repositories.yaml file. +func (c *ChartDownloader) scanReposForURL(u string, rf *repo.File) (*repo.Entry, error) { + // FIXME: This is far from optimal. Larger installations and index files will + // incur a performance hit for this type of scanning. + for _, rc := range rf.Repositories { + r, err := repo.NewChartRepository(rc, c.Getters) + if err != nil { + return nil, err + } + + idxFile := filepath.Join(c.RepositoryCache, helmpath.CacheIndexFile(r.Config.Name)) + i, err := repo.LoadIndexFile(idxFile) + if err != nil { + return nil, errors.Wrap(err, "no cached repo found. (try 'helm repo update')") + } + + for _, entry := range i.Entries { + for _, ver := range entry { + for _, dl := range ver.URLs { + if urlutil.Equal(u, dl) { + return rc, nil + } + } + } + } + } + // This means that there is no repo file for the given URL. + return nil, ErrNoOwnerRepo +} + +func loadRepoConfig(file string) (*repo.File, error) { + r, err := repo.LoadFile(file) + if err != nil && !os.IsNotExist(errors.Cause(err)) { + return nil, err + } + return r, nil +} diff --git a/vendor/helm.sh/helm/v3/pkg/downloader/doc.go b/vendor/helm.sh/helm/v3/pkg/downloader/doc.go new file mode 100644 index 0000000000..8484680907 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/downloader/doc.go @@ -0,0 +1,24 @@ +/* +Copyright The Helm Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +/* +Package downloader provides a library for downloading charts. + +This package contains various tools for downloading charts from repository +servers, and then storing them in Helm-specific directory structures. This +library contains many functions that depend on a specific +filesystem layout. +*/ +package downloader diff --git a/vendor/helm.sh/helm/v3/pkg/downloader/manager.go b/vendor/helm.sh/helm/v3/pkg/downloader/manager.go new file mode 100644 index 0000000000..cc7850aae4 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/downloader/manager.go @@ -0,0 +1,919 @@ +/* +Copyright The Helm Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package downloader + +import ( + "crypto" + "encoding/hex" + "fmt" + "io" + "log" + "net/url" + "os" + "path" + "path/filepath" + "regexp" + "strings" + "sync" + + "github.com/Masterminds/semver/v3" + "github.com/pkg/errors" + "sigs.k8s.io/yaml" + + "helm.sh/helm/v3/internal/resolver" + "helm.sh/helm/v3/internal/third_party/dep/fs" + "helm.sh/helm/v3/internal/urlutil" + "helm.sh/helm/v3/pkg/chart" + "helm.sh/helm/v3/pkg/chart/loader" + "helm.sh/helm/v3/pkg/chartutil" + "helm.sh/helm/v3/pkg/getter" + "helm.sh/helm/v3/pkg/helmpath" + "helm.sh/helm/v3/pkg/registry" + "helm.sh/helm/v3/pkg/repo" +) + +// ErrRepoNotFound indicates that chart repositories can't be found in local repo cache. +// The value of Repos is missing repos. +type ErrRepoNotFound struct { + Repos []string +} + +// Error implements the error interface. +func (e ErrRepoNotFound) Error() string { + return fmt.Sprintf("no repository definition for %s", strings.Join(e.Repos, ", ")) +} + +// Manager handles the lifecycle of fetching, resolving, and storing dependencies. +type Manager struct { + // Out is used to print warnings and notifications. + Out io.Writer + // ChartPath is the path to the unpacked base chart upon which this operates. + ChartPath string + // Verification indicates whether the chart should be verified. + Verify VerificationStrategy + // Debug is the global "--debug" flag + Debug bool + // Keyring is the key ring file. + Keyring string + // SkipUpdate indicates that the repository should not be updated first. + SkipUpdate bool + // Getter collection for the operation + Getters []getter.Provider + RegistryClient *registry.Client + RepositoryConfig string + RepositoryCache string +} + +// Build rebuilds a local charts directory from a lockfile. +// +// If the lockfile is not present, this will run a Manager.Update() +// +// If SkipUpdate is set, this will not update the repository. +func (m *Manager) Build() error { + c, err := m.loadChartDir() + if err != nil { + return err + } + + // If a lock file is found, run a build from that. Otherwise, just do + // an update. + lock := c.Lock + if lock == nil { + return m.Update() + } + + // Check that all of the repos we're dependent on actually exist. + req := c.Metadata.Dependencies + + // If using apiVersion v1, calculate the hash before resolve repo names + // because resolveRepoNames will change req if req uses repo alias + // and Helm 2 calculate the digest from the original req + // Fix for: https://github.com/helm/helm/issues/7619 + var v2Sum string + if c.Metadata.APIVersion == chart.APIVersionV1 { + v2Sum, err = resolver.HashV2Req(req) + if err != nil { + return errors.New("the lock file (requirements.lock) is out of sync with the dependencies file (requirements.yaml). Please update the dependencies") + } + } + + if _, err := m.resolveRepoNames(req); err != nil { + return err + } + + if sum, err := resolver.HashReq(req, lock.Dependencies); err != nil || sum != lock.Digest { + // If lock digest differs and chart is apiVersion v1, it maybe because the lock was built + // with Helm 2 and therefore should be checked with Helm v2 hash + // Fix for: https://github.com/helm/helm/issues/7233 + if c.Metadata.APIVersion == chart.APIVersionV1 { + log.Println("warning: a valid Helm v3 hash was not found. Checking against Helm v2 hash...") + if v2Sum != lock.Digest { + return errors.New("the lock file (requirements.lock) is out of sync with the dependencies file (requirements.yaml). Please update the dependencies") + } + } else { + return errors.New("the lock file (Chart.lock) is out of sync with the dependencies file (Chart.yaml). Please update the dependencies") + } + } + + // Check that all of the repos we're dependent on actually exist. + if err := m.hasAllRepos(lock.Dependencies); err != nil { + return err + } + + if !m.SkipUpdate { + // For each repo in the file, update the cached copy of that repo + if err := m.UpdateRepositories(); err != nil { + return err + } + } + + // Now we need to fetch every package here into charts/ + return m.downloadAll(lock.Dependencies) +} + +// Update updates a local charts directory. +// +// It first reads the Chart.yaml file, and then attempts to +// negotiate versions based on that. It will download the versions +// from remote chart repositories unless SkipUpdate is true. +func (m *Manager) Update() error { + c, err := m.loadChartDir() + if err != nil { + return err + } + + // If no dependencies are found, we consider this a successful + // completion. + req := c.Metadata.Dependencies + if req == nil { + return nil + } + + // Get the names of the repositories the dependencies need that Helm is + // configured to know about. + repoNames, err := m.resolveRepoNames(req) + if err != nil { + return err + } + + // For the repositories Helm is not configured to know about, ensure Helm + // has some information about them and, when possible, the index files + // locally. + // TODO(mattfarina): Repositories should be explicitly added by end users + // rather than automatic. In Helm v4 require users to add repositories. They + // should have to add them in order to make sure they are aware of the + // repositories and opt-in to any locations, for security. + repoNames, err = m.ensureMissingRepos(repoNames, req) + if err != nil { + return err + } + + // For each of the repositories Helm is configured to know about, update + // the index information locally. + if !m.SkipUpdate { + if err := m.UpdateRepositories(); err != nil { + return err + } + } + + // Now we need to find out which version of a chart best satisfies the + // dependencies in the Chart.yaml + lock, err := m.resolve(req, repoNames) + if err != nil { + return err + } + + // Now we need to fetch every package here into charts/ + if err := m.downloadAll(lock.Dependencies); err != nil { + return err + } + + // downloadAll might overwrite dependency version, recalculate lock digest + newDigest, err := resolver.HashReq(req, lock.Dependencies) + if err != nil { + return err + } + lock.Digest = newDigest + + // If the lock file hasn't changed, don't write a new one. + oldLock := c.Lock + if oldLock != nil && oldLock.Digest == lock.Digest { + return nil + } + + // Finally, we need to write the lockfile. + return writeLock(m.ChartPath, lock, c.Metadata.APIVersion == chart.APIVersionV1) +} + +func (m *Manager) loadChartDir() (*chart.Chart, error) { + if fi, err := os.Stat(m.ChartPath); err != nil { + return nil, errors.Wrapf(err, "could not find %s", m.ChartPath) + } else if !fi.IsDir() { + return nil, errors.New("only unpacked charts can be updated") + } + return loader.LoadDir(m.ChartPath) +} + +// resolve takes a list of dependencies and translates them into an exact version to download. +// +// This returns a lock file, which has all of the dependencies normalized to a specific version. +func (m *Manager) resolve(req []*chart.Dependency, repoNames map[string]string) (*chart.Lock, error) { + res := resolver.New(m.ChartPath, m.RepositoryCache, m.RegistryClient) + return res.Resolve(req, repoNames) +} + +// downloadAll takes a list of dependencies and downloads them into charts/ +// +// It will delete versions of the chart that exist on disk and might cause +// a conflict. +func (m *Manager) downloadAll(deps []*chart.Dependency) error { + repos, err := m.loadChartRepositories() + if err != nil { + return err + } + + destPath := filepath.Join(m.ChartPath, "charts") + tmpPath := filepath.Join(m.ChartPath, fmt.Sprintf("tmpcharts-%d", os.Getpid())) + + // Check if 'charts' directory is not actually a directory. If it does not exist, create it. + if fi, err := os.Stat(destPath); err == nil { + if !fi.IsDir() { + return errors.Errorf("%q is not a directory", destPath) + } + } else if os.IsNotExist(err) { + if err := os.MkdirAll(destPath, 0755); err != nil { + return err + } + } else { + return fmt.Errorf("unable to retrieve file info for '%s': %v", destPath, err) + } + + // Prepare tmpPath + if err := os.MkdirAll(tmpPath, 0755); err != nil { + return err + } + defer os.RemoveAll(tmpPath) + + fmt.Fprintf(m.Out, "Saving %d charts\n", len(deps)) + var saveError error + churls := make(map[string]struct{}) + for _, dep := range deps { + // No repository means the chart is in charts directory + if dep.Repository == "" { + fmt.Fprintf(m.Out, "Dependency %s did not declare a repository. Assuming it exists in the charts directory\n", dep.Name) + // NOTE: we are only validating the local dependency conforms to the constraints. No copying to tmpPath is necessary. + chartPath := filepath.Join(destPath, dep.Name) + ch, err := loader.LoadDir(chartPath) + if err != nil { + return fmt.Errorf("unable to load chart '%s': %v", chartPath, err) + } + + constraint, err := semver.NewConstraint(dep.Version) + if err != nil { + return fmt.Errorf("dependency %s has an invalid version/constraint format: %s", dep.Name, err) + } + + v, err := semver.NewVersion(ch.Metadata.Version) + if err != nil { + return fmt.Errorf("invalid version %s for dependency %s: %s", dep.Version, dep.Name, err) + } + + if !constraint.Check(v) { + saveError = fmt.Errorf("dependency %s at version %s does not satisfy the constraint %s", dep.Name, ch.Metadata.Version, dep.Version) + break + } + continue + } + if strings.HasPrefix(dep.Repository, "file://") { + if m.Debug { + fmt.Fprintf(m.Out, "Archiving %s from repo %s\n", dep.Name, dep.Repository) + } + ver, err := tarFromLocalDir(m.ChartPath, dep.Name, dep.Repository, dep.Version, tmpPath) + if err != nil { + saveError = err + break + } + dep.Version = ver + continue + } + + // Any failure to resolve/download a chart should fail: + // https://github.com/helm/helm/issues/1439 + churl, username, password, insecureskiptlsverify, passcredentialsall, caFile, certFile, keyFile, err := m.findChartURL(dep.Name, dep.Version, dep.Repository, repos) + if err != nil { + saveError = errors.Wrapf(err, "could not find %s", churl) + break + } + + if _, ok := churls[churl]; ok { + fmt.Fprintf(m.Out, "Already downloaded %s from repo %s\n", dep.Name, dep.Repository) + continue + } + + fmt.Fprintf(m.Out, "Downloading %s from repo %s\n", dep.Name, dep.Repository) + + dl := ChartDownloader{ + Out: m.Out, + Verify: m.Verify, + Keyring: m.Keyring, + RepositoryConfig: m.RepositoryConfig, + RepositoryCache: m.RepositoryCache, + RegistryClient: m.RegistryClient, + Getters: m.Getters, + Options: []getter.Option{ + getter.WithBasicAuth(username, password), + getter.WithPassCredentialsAll(passcredentialsall), + getter.WithInsecureSkipVerifyTLS(insecureskiptlsverify), + getter.WithTLSClientConfig(certFile, keyFile, caFile), + }, + } + + version := "" + if registry.IsOCI(churl) { + churl, version, err = parseOCIRef(churl) + if err != nil { + return errors.Wrapf(err, "could not parse OCI reference") + } + dl.Options = append(dl.Options, + getter.WithRegistryClient(m.RegistryClient), + getter.WithTagName(version)) + } + + if _, _, err = dl.DownloadTo(churl, version, tmpPath); err != nil { + saveError = errors.Wrapf(err, "could not download %s", churl) + break + } + + churls[churl] = struct{}{} + } + + // TODO: this should probably be refactored to be a []error, so we can capture and provide more information rather than "last error wins". + if saveError == nil { + // now we can move all downloaded charts to destPath and delete outdated dependencies + if err := m.safeMoveDeps(deps, tmpPath, destPath); err != nil { + return err + } + } else { + fmt.Fprintln(m.Out, "Save error occurred: ", saveError) + return saveError + } + return nil +} + +func parseOCIRef(chartRef string) (string, string, error) { + refTagRegexp := regexp.MustCompile(`^(oci://[^:]+(:[0-9]{1,5})?[^:]+):(.*)$`) + caps := refTagRegexp.FindStringSubmatch(chartRef) + if len(caps) != 4 { + return "", "", errors.Errorf("improperly formatted oci chart reference: %s", chartRef) + } + chartRef = caps[1] + tag := caps[3] + + return chartRef, tag, nil +} + +// safeMoveDep moves all dependencies in the source and moves them into dest. +// +// It does this by first matching the file name to an expected pattern, then loading +// the file to verify that it is a chart. +// +// Any charts in dest that do not exist in source are removed (barring local dependencies) +// +// Because it requires tar file introspection, it is more intensive than a basic move. +// +// This will only return errors that should stop processing entirely. Other errors +// will emit log messages or be ignored. +func (m *Manager) safeMoveDeps(deps []*chart.Dependency, source, dest string) error { + existsInSourceDirectory := map[string]bool{} + isLocalDependency := map[string]bool{} + sourceFiles, err := os.ReadDir(source) + if err != nil { + return err + } + // attempt to read destFiles; fail fast if we can't + destFiles, err := os.ReadDir(dest) + if err != nil { + return err + } + + for _, dep := range deps { + if dep.Repository == "" { + isLocalDependency[dep.Name] = true + } + } + + for _, file := range sourceFiles { + if file.IsDir() { + continue + } + filename := file.Name() + sourcefile := filepath.Join(source, filename) + destfile := filepath.Join(dest, filename) + existsInSourceDirectory[filename] = true + if _, err := loader.LoadFile(sourcefile); err != nil { + fmt.Fprintf(m.Out, "Could not verify %s for moving: %s (Skipping)", sourcefile, err) + continue + } + // NOTE: no need to delete the dest; os.Rename replaces it. + if err := fs.RenameWithFallback(sourcefile, destfile); err != nil { + fmt.Fprintf(m.Out, "Unable to move %s to charts dir %s (Skipping)", sourcefile, err) + continue + } + } + + fmt.Fprintln(m.Out, "Deleting outdated charts") + // find all files that exist in dest that do not exist in source; delete them (outdated dependencies) + for _, file := range destFiles { + if !file.IsDir() && !existsInSourceDirectory[file.Name()] { + fname := filepath.Join(dest, file.Name()) + ch, err := loader.LoadFile(fname) + if err != nil { + fmt.Fprintf(m.Out, "Could not verify %s for deletion: %s (Skipping)\n", fname, err) + continue + } + // local dependency - skip + if isLocalDependency[ch.Name()] { + continue + } + if err := os.Remove(fname); err != nil { + fmt.Fprintf(m.Out, "Could not delete %s: %s (Skipping)", fname, err) + continue + } + } + } + + return nil +} + +// hasAllRepos ensures that all of the referenced deps are in the local repo cache. +func (m *Manager) hasAllRepos(deps []*chart.Dependency) error { + rf, err := loadRepoConfig(m.RepositoryConfig) + if err != nil { + return err + } + repos := rf.Repositories + + // Verify that all repositories referenced in the deps are actually known + // by Helm. + missing := []string{} +Loop: + for _, dd := range deps { + // If repo is from local path or OCI, continue + if strings.HasPrefix(dd.Repository, "file://") || registry.IsOCI(dd.Repository) { + continue + } + + if dd.Repository == "" { + continue + } + for _, repo := range repos { + if urlutil.Equal(repo.URL, strings.TrimSuffix(dd.Repository, "/")) { + continue Loop + } + } + missing = append(missing, dd.Repository) + } + if len(missing) > 0 { + return ErrRepoNotFound{missing} + } + return nil +} + +// ensureMissingRepos attempts to ensure the repository information for repos +// not managed by Helm is present. This takes in the repoNames Helm is configured +// to work with along with the chart dependencies. It will find the deps not +// in a known repo and attempt to ensure the data is present for steps like +// version resolution. +func (m *Manager) ensureMissingRepos(repoNames map[string]string, deps []*chart.Dependency) (map[string]string, error) { + + var ru []*repo.Entry + + for _, dd := range deps { + + // If the chart is in the local charts directory no repository needs + // to be specified. + if dd.Repository == "" { + continue + } + + // When the repoName for a dependency is known we can skip ensuring + if _, ok := repoNames[dd.Name]; ok { + continue + } + + // The generated repository name, which will result in an index being + // locally cached, has a name pattern of "helm-manager-" followed by a + // sha256 of the repo name. This assumes end users will never create + // repositories with these names pointing to other repositories. Using + // this method of naming allows the existing repository pulling and + // resolution code to do most of the work. + rn, err := key(dd.Repository) + if err != nil { + return repoNames, err + } + rn = managerKeyPrefix + rn + + repoNames[dd.Name] = rn + + // Assuming the repository is generally available. For Helm managed + // access controls the repository needs to be added through the user + // managed system. This path will work for public charts, like those + // supplied by Bitnami, but not for protected charts, like corp ones + // behind a username and pass. + ri := &repo.Entry{ + Name: rn, + URL: dd.Repository, + } + ru = append(ru, ri) + } + + // Calls to UpdateRepositories (a public function) will only update + // repositories configured by the user. Here we update repos found in + // the dependencies that are not known to the user if update skipping + // is not configured. + if !m.SkipUpdate && len(ru) > 0 { + fmt.Fprintln(m.Out, "Getting updates for unmanaged Helm repositories...") + if err := m.parallelRepoUpdate(ru); err != nil { + return repoNames, err + } + } + + return repoNames, nil +} + +// resolveRepoNames returns the repo names of the referenced deps which can be used to fetch the cached index file +// and replaces aliased repository URLs into resolved URLs in dependencies. +func (m *Manager) resolveRepoNames(deps []*chart.Dependency) (map[string]string, error) { + rf, err := loadRepoConfig(m.RepositoryConfig) + if err != nil { + if os.IsNotExist(err) { + return make(map[string]string), nil + } + return nil, err + } + repos := rf.Repositories + + reposMap := make(map[string]string) + + // Verify that all repositories referenced in the deps are actually known + // by Helm. + missing := []string{} + for _, dd := range deps { + // Don't map the repository, we don't need to download chart from charts directory + if dd.Repository == "" { + continue + } + // if dep chart is from local path, verify the path is valid + if strings.HasPrefix(dd.Repository, "file://") { + if _, err := resolver.GetLocalPath(dd.Repository, m.ChartPath); err != nil { + return nil, err + } + + if m.Debug { + fmt.Fprintf(m.Out, "Repository from local path: %s\n", dd.Repository) + } + reposMap[dd.Name] = dd.Repository + continue + } + + if registry.IsOCI(dd.Repository) { + reposMap[dd.Name] = dd.Repository + continue + } + + found := false + + for _, repo := range repos { + if (strings.HasPrefix(dd.Repository, "@") && strings.TrimPrefix(dd.Repository, "@") == repo.Name) || + (strings.HasPrefix(dd.Repository, "alias:") && strings.TrimPrefix(dd.Repository, "alias:") == repo.Name) { + found = true + dd.Repository = repo.URL + reposMap[dd.Name] = repo.Name + break + } else if urlutil.Equal(repo.URL, dd.Repository) { + found = true + reposMap[dd.Name] = repo.Name + break + } + } + if !found { + repository := dd.Repository + // Add if URL + _, err := url.ParseRequestURI(repository) + if err == nil { + reposMap[repository] = repository + continue + } + missing = append(missing, repository) + } + } + if len(missing) > 0 { + errorMessage := fmt.Sprintf("no repository definition for %s. Please add them via 'helm repo add'", strings.Join(missing, ", ")) + // It is common for people to try to enter "stable" as a repository instead of the actual URL. + // For this case, let's give them a suggestion. + containsNonURL := false + for _, repo := range missing { + if !strings.Contains(repo, "//") && !strings.HasPrefix(repo, "@") && !strings.HasPrefix(repo, "alias:") { + containsNonURL = true + } + } + if containsNonURL { + errorMessage += ` +Note that repositories must be URLs or aliases. For example, to refer to the "example" +repository, use "https://charts.example.com/" or "@example" instead of +"example". Don't forget to add the repo, too ('helm repo add').` + } + return nil, errors.New(errorMessage) + } + return reposMap, nil +} + +// UpdateRepositories updates all of the local repos to the latest. +func (m *Manager) UpdateRepositories() error { + rf, err := loadRepoConfig(m.RepositoryConfig) + if err != nil { + return err + } + repos := rf.Repositories + if len(repos) > 0 { + fmt.Fprintln(m.Out, "Hang tight while we grab the latest from your chart repositories...") + // This prints warnings straight to out. + if err := m.parallelRepoUpdate(repos); err != nil { + return err + } + fmt.Fprintln(m.Out, "Update Complete. ⎈Happy Helming!⎈") + } + return nil +} + +func (m *Manager) parallelRepoUpdate(repos []*repo.Entry) error { + + var wg sync.WaitGroup + for _, c := range repos { + r, err := repo.NewChartRepository(c, m.Getters) + if err != nil { + return err + } + r.CachePath = m.RepositoryCache + wg.Add(1) + go func(r *repo.ChartRepository) { + if _, err := r.DownloadIndexFile(); err != nil { + // For those dependencies that are not known to helm and using a + // generated key name we display the repo url. + if strings.HasPrefix(r.Config.Name, managerKeyPrefix) { + fmt.Fprintf(m.Out, "...Unable to get an update from the %q chart repository:\n\t%s\n", r.Config.URL, err) + } else { + fmt.Fprintf(m.Out, "...Unable to get an update from the %q chart repository (%s):\n\t%s\n", r.Config.Name, r.Config.URL, err) + } + } else { + // For those dependencies that are not known to helm and using a + // generated key name we display the repo url. + if strings.HasPrefix(r.Config.Name, managerKeyPrefix) { + fmt.Fprintf(m.Out, "...Successfully got an update from the %q chart repository\n", r.Config.URL) + } else { + fmt.Fprintf(m.Out, "...Successfully got an update from the %q chart repository\n", r.Config.Name) + } + } + wg.Done() + }(r) + } + wg.Wait() + + return nil +} + +// findChartURL searches the cache of repo data for a chart that has the name and the repoURL specified. +// +// 'name' is the name of the chart. Version is an exact semver, or an empty string. If empty, the +// newest version will be returned. +// +// repoURL is the repository to search +// +// If it finds a URL that is "relative", it will prepend the repoURL. +func (m *Manager) findChartURL(name, version, repoURL string, repos map[string]*repo.ChartRepository) (url, username, password string, insecureskiptlsverify, passcredentialsall bool, caFile, certFile, keyFile string, err error) { + if registry.IsOCI(repoURL) { + return fmt.Sprintf("%s/%s:%s", repoURL, name, version), "", "", false, false, "", "", "", nil + } + + for _, cr := range repos { + + if urlutil.Equal(repoURL, cr.Config.URL) { + var entry repo.ChartVersions + entry, err = findEntryByName(name, cr) + if err != nil { + // TODO: Where linting is skipped in this function we should + // refactor to remove naked returns while ensuring the same + // behavior + //nolint:nakedret + return + } + var ve *repo.ChartVersion + ve, err = findVersionedEntry(version, entry) + if err != nil { + //nolint:nakedret + return + } + url, err = normalizeURL(repoURL, ve.URLs[0]) + if err != nil { + //nolint:nakedret + return + } + username = cr.Config.Username + password = cr.Config.Password + passcredentialsall = cr.Config.PassCredentialsAll + insecureskiptlsverify = cr.Config.InsecureSkipTLSverify + caFile = cr.Config.CAFile + certFile = cr.Config.CertFile + keyFile = cr.Config.KeyFile + //nolint:nakedret + return + } + } + url, err = repo.FindChartInRepoURL(repoURL, name, version, certFile, keyFile, caFile, m.Getters) + if err == nil { + return url, username, password, false, false, "", "", "", err + } + err = errors.Errorf("chart %s not found in %s: %s", name, repoURL, err) + return url, username, password, false, false, "", "", "", err +} + +// findEntryByName finds an entry in the chart repository whose name matches the given name. +// +// It returns the ChartVersions for that entry. +func findEntryByName(name string, cr *repo.ChartRepository) (repo.ChartVersions, error) { + for ename, entry := range cr.IndexFile.Entries { + if ename == name { + return entry, nil + } + } + return nil, errors.New("entry not found") +} + +// findVersionedEntry takes a ChartVersions list and returns a single chart version that satisfies the version constraints. +// +// If version is empty, the first chart found is returned. +func findVersionedEntry(version string, vers repo.ChartVersions) (*repo.ChartVersion, error) { + for _, verEntry := range vers { + if len(verEntry.URLs) == 0 { + // Not a legit entry. + continue + } + + if version == "" || versionEquals(version, verEntry.Version) { + return verEntry, nil + } + } + return nil, errors.New("no matching version") +} + +func versionEquals(v1, v2 string) bool { + sv1, err := semver.NewVersion(v1) + if err != nil { + // Fallback to string comparison. + return v1 == v2 + } + sv2, err := semver.NewVersion(v2) + if err != nil { + return false + } + return sv1.Equal(sv2) +} + +func normalizeURL(baseURL, urlOrPath string) (string, error) { + u, err := url.Parse(urlOrPath) + if err != nil { + return urlOrPath, err + } + if u.IsAbs() { + return u.String(), nil + } + u2, err := url.Parse(baseURL) + if err != nil { + return urlOrPath, errors.Wrap(err, "base URL failed to parse") + } + + u2.RawPath = path.Join(u2.RawPath, urlOrPath) + u2.Path = path.Join(u2.Path, urlOrPath) + return u2.String(), nil +} + +// loadChartRepositories reads the repositories.yaml, and then builds a map of +// ChartRepositories. +// +// The key is the local name (which is only present in the repositories.yaml). +func (m *Manager) loadChartRepositories() (map[string]*repo.ChartRepository, error) { + indices := map[string]*repo.ChartRepository{} + + // Load repositories.yaml file + rf, err := loadRepoConfig(m.RepositoryConfig) + if err != nil { + return indices, errors.Wrapf(err, "failed to load %s", m.RepositoryConfig) + } + + for _, re := range rf.Repositories { + lname := re.Name + idxFile := filepath.Join(m.RepositoryCache, helmpath.CacheIndexFile(lname)) + index, err := repo.LoadIndexFile(idxFile) + if err != nil { + return indices, err + } + + // TODO: use constructor + cr := &repo.ChartRepository{ + Config: re, + IndexFile: index, + } + indices[lname] = cr + } + return indices, nil +} + +// writeLock writes a lockfile to disk +func writeLock(chartpath string, lock *chart.Lock, legacyLockfile bool) error { + data, err := yaml.Marshal(lock) + if err != nil { + return err + } + lockfileName := "Chart.lock" + if legacyLockfile { + lockfileName = "requirements.lock" + } + dest := filepath.Join(chartpath, lockfileName) + + info, err := os.Lstat(dest) + if err != nil && !os.IsNotExist(err) { + return fmt.Errorf("error getting info for %q: %w", dest, err) + } else if err == nil { + if info.Mode()&os.ModeSymlink != 0 { + link, err := os.Readlink(dest) + if err != nil { + return fmt.Errorf("error reading symlink for %q: %w", dest, err) + } + return fmt.Errorf("the %s file is a symlink to %q", lockfileName, link) + } + } + + return os.WriteFile(dest, data, 0644) +} + +// archive a dep chart from local directory and save it into destPath +func tarFromLocalDir(chartpath, name, repo, version, destPath string) (string, error) { + if !strings.HasPrefix(repo, "file://") { + return "", errors.Errorf("wrong format: chart %s repository %s", name, repo) + } + + origPath, err := resolver.GetLocalPath(repo, chartpath) + if err != nil { + return "", err + } + + ch, err := loader.LoadDir(origPath) + if err != nil { + return "", err + } + + constraint, err := semver.NewConstraint(version) + if err != nil { + return "", errors.Wrapf(err, "dependency %s has an invalid version/constraint format", name) + } + + v, err := semver.NewVersion(ch.Metadata.Version) + if err != nil { + return "", err + } + + if constraint.Check(v) { + _, err = chartutil.Save(ch, destPath) + return ch.Metadata.Version, err + } + + return "", errors.Errorf("can't get a valid version for dependency %s", name) +} + +// The prefix to use for cache keys created by the manager for repo names +const managerKeyPrefix = "helm-manager-" + +// key is used to turn a name, such as a repository url, into a filesystem +// safe name that is unique for querying. To accomplish this a unique hash of +// the string is used. +func key(name string) (string, error) { + in := strings.NewReader(name) + hash := crypto.SHA256.New() + if _, err := io.Copy(hash, in); err != nil { + return "", nil + } + return hex.EncodeToString(hash.Sum(nil)), nil +} diff --git a/vendor/helm.sh/helm/v3/pkg/engine/doc.go b/vendor/helm.sh/helm/v3/pkg/engine/doc.go new file mode 100644 index 0000000000..6b3443aaf0 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/engine/doc.go @@ -0,0 +1,24 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +/* +Package engine implements the Go text template engine as needed for Helm. + +When Helm renders templates it does so with additional functions and different +modes (e.g., strict, lint mode). This package handles the helm specific +implementation. +*/ +package engine // import "helm.sh/helm/v3/pkg/engine" diff --git a/vendor/helm.sh/helm/v3/pkg/engine/engine.go b/vendor/helm.sh/helm/v3/pkg/engine/engine.go new file mode 100644 index 0000000000..d8ee313e1e --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/engine/engine.go @@ -0,0 +1,441 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package engine + +import ( + "fmt" + "log" + "path" + "path/filepath" + "regexp" + "sort" + "strings" + "text/template" + + "github.com/pkg/errors" + "k8s.io/client-go/rest" + + "helm.sh/helm/v3/pkg/chart" + "helm.sh/helm/v3/pkg/chartutil" +) + +// Engine is an implementation of the Helm rendering implementation for templates. +type Engine struct { + // If strict is enabled, template rendering will fail if a template references + // a value that was not passed in. + Strict bool + // In LintMode, some 'required' template values may be missing, so don't fail + LintMode bool + // optional provider of clients to talk to the Kubernetes API + clientProvider *ClientProvider + // EnableDNS tells the engine to allow DNS lookups when rendering templates + EnableDNS bool +} + +// New creates a new instance of Engine using the passed in rest config. +func New(config *rest.Config) Engine { + var clientProvider ClientProvider = clientProviderFromConfig{config} + return Engine{ + clientProvider: &clientProvider, + } +} + +// Render takes a chart, optional values, and value overrides, and attempts to render the Go templates. +// +// Render can be called repeatedly on the same engine. +// +// This will look in the chart's 'templates' data (e.g. the 'templates/' directory) +// and attempt to render the templates there using the values passed in. +// +// Values are scoped to their templates. A dependency template will not have +// access to the values set for its parent. If chart "foo" includes chart "bar", +// "bar" will not have access to the values for "foo". +// +// Values should be prepared with something like `chartutils.ReadValues`. +// +// Values are passed through the templates according to scope. If the top layer +// chart includes the chart foo, which includes the chart bar, the values map +// will be examined for a table called "foo". If "foo" is found in vals, +// that section of the values will be passed into the "foo" chart. And if that +// section contains a value named "bar", that value will be passed on to the +// bar chart during render time. +func (e Engine) Render(chrt *chart.Chart, values chartutil.Values) (map[string]string, error) { + tmap := allTemplates(chrt, values) + return e.render(tmap) +} + +// Render takes a chart, optional values, and value overrides, and attempts to +// render the Go templates using the default options. +func Render(chrt *chart.Chart, values chartutil.Values) (map[string]string, error) { + return new(Engine).Render(chrt, values) +} + +// RenderWithClient takes a chart, optional values, and value overrides, and attempts to +// render the Go templates using the default options. This engine is client aware and so can have template +// functions that interact with the client. +func RenderWithClient(chrt *chart.Chart, values chartutil.Values, config *rest.Config) (map[string]string, error) { + var clientProvider ClientProvider = clientProviderFromConfig{config} + return Engine{ + clientProvider: &clientProvider, + }.Render(chrt, values) +} + +// RenderWithClientProvider takes a chart, optional values, and value overrides, and attempts to +// render the Go templates using the default options. This engine is client aware and so can have template +// functions that interact with the client. +// This function differs from RenderWithClient in that it lets you customize the way a dynamic client is constructed. +func RenderWithClientProvider(chrt *chart.Chart, values chartutil.Values, clientProvider ClientProvider) (map[string]string, error) { + return Engine{ + clientProvider: &clientProvider, + }.Render(chrt, values) +} + +// renderable is an object that can be rendered. +type renderable struct { + // tpl is the current template. + tpl string + // vals are the values to be supplied to the template. + vals chartutil.Values + // namespace prefix to the templates of the current chart + basePath string +} + +const warnStartDelim = "HELM_ERR_START" +const warnEndDelim = "HELM_ERR_END" +const recursionMaxNums = 1000 + +var warnRegex = regexp.MustCompile(warnStartDelim + `((?s).*)` + warnEndDelim) + +func warnWrap(warn string) string { + return warnStartDelim + warn + warnEndDelim +} + +// 'include' needs to be defined in the scope of a 'tpl' template as +// well as regular file-loaded templates. +func includeFun(t *template.Template, includedNames map[string]int) func(string, interface{}) (string, error) { + return func(name string, data interface{}) (string, error) { + var buf strings.Builder + if v, ok := includedNames[name]; ok { + if v > recursionMaxNums { + return "", errors.Wrapf(fmt.Errorf("unable to execute template"), "rendering template has a nested reference name: %s", name) + } + includedNames[name]++ + } else { + includedNames[name] = 1 + } + err := t.ExecuteTemplate(&buf, name, data) + includedNames[name]-- + return buf.String(), err + } +} + +// As does 'tpl', so that nested calls to 'tpl' see the templates +// defined by their enclosing contexts. +func tplFun(parent *template.Template, includedNames map[string]int, strict bool) func(string, interface{}) (string, error) { + return func(tpl string, vals interface{}) (string, error) { + t, err := parent.Clone() + if err != nil { + return "", errors.Wrapf(err, "cannot clone template") + } + + // Re-inject the missingkey option, see text/template issue https://github.com/golang/go/issues/43022 + // We have to go by strict from our engine configuration, as the option fields are private in Template. + // TODO: Remove workaround (and the strict parameter) once we build only with golang versions with a fix. + if strict { + t.Option("missingkey=error") + } else { + t.Option("missingkey=zero") + } + + // Re-inject 'include' so that it can close over our clone of t; + // this lets any 'define's inside tpl be 'include'd. + t.Funcs(template.FuncMap{ + "include": includeFun(t, includedNames), + "tpl": tplFun(t, includedNames, strict), + }) + + // We need a .New template, as template text which is just blanks + // or comments after parsing out defines just adds new named + // template definitions without changing the main template. + // https://pkg.go.dev/text/template#Template.Parse + // Use the parent's name for lack of a better way to identify the tpl + // text string. (Maybe we could use a hash appended to the name?) + t, err = t.New(parent.Name()).Parse(tpl) + if err != nil { + return "", errors.Wrapf(err, "cannot parse template %q", tpl) + } + + var buf strings.Builder + if err := t.Execute(&buf, vals); err != nil { + return "", errors.Wrapf(err, "error during tpl function execution for %q", tpl) + } + + // See comment in renderWithReferences explaining the hack. + return strings.ReplaceAll(buf.String(), "", ""), nil + } +} + +// initFunMap creates the Engine's FuncMap and adds context-specific functions. +func (e Engine) initFunMap(t *template.Template) { + funcMap := funcMap() + includedNames := make(map[string]int) + + // Add the template-rendering functions here so we can close over t. + funcMap["include"] = includeFun(t, includedNames) + funcMap["tpl"] = tplFun(t, includedNames, e.Strict) + + // Add the `required` function here so we can use lintMode + funcMap["required"] = func(warn string, val interface{}) (interface{}, error) { + if val == nil { + if e.LintMode { + // Don't fail on missing required values when linting + log.Printf("[INFO] Missing required value: %s", warn) + return "", nil + } + return val, errors.New(warnWrap(warn)) + } else if _, ok := val.(string); ok { + if val == "" { + if e.LintMode { + // Don't fail on missing required values when linting + log.Printf("[INFO] Missing required value: %s", warn) + return "", nil + } + return val, errors.New(warnWrap(warn)) + } + } + return val, nil + } + + // Override sprig fail function for linting and wrapping message + funcMap["fail"] = func(msg string) (string, error) { + if e.LintMode { + // Don't fail when linting + log.Printf("[INFO] Fail: %s", msg) + return "", nil + } + return "", errors.New(warnWrap(msg)) + } + + // If we are not linting and have a cluster connection, provide a Kubernetes-backed + // implementation. + if !e.LintMode && e.clientProvider != nil { + funcMap["lookup"] = newLookupFunction(*e.clientProvider) + } + + // When DNS lookups are not enabled override the sprig function and return + // an empty string. + if !e.EnableDNS { + funcMap["getHostByName"] = func(_ string) string { + return "" + } + } + + t.Funcs(funcMap) +} + +// render takes a map of templates/values and renders them. +func (e Engine) render(tpls map[string]renderable) (rendered map[string]string, err error) { + // Basically, what we do here is start with an empty parent template and then + // build up a list of templates -- one for each file. Once all of the templates + // have been parsed, we loop through again and execute every template. + // + // The idea with this process is to make it possible for more complex templates + // to share common blocks, but to make the entire thing feel like a file-based + // template engine. + defer func() { + if r := recover(); r != nil { + err = errors.Errorf("rendering template failed: %v", r) + } + }() + t := template.New("gotpl") + if e.Strict { + t.Option("missingkey=error") + } else { + // Not that zero will attempt to add default values for types it knows, + // but will still emit for others. We mitigate that later. + t.Option("missingkey=zero") + } + + e.initFunMap(t) + + // We want to parse the templates in a predictable order. The order favors + // higher-level (in file system) templates over deeply nested templates. + keys := sortTemplates(tpls) + + for _, filename := range keys { + r := tpls[filename] + if _, err := t.New(filename).Parse(r.tpl); err != nil { + return map[string]string{}, cleanupParseError(filename, err) + } + } + + rendered = make(map[string]string, len(keys)) + for _, filename := range keys { + // Don't render partials. We don't care out the direct output of partials. + // They are only included from other templates. + if strings.HasPrefix(path.Base(filename), "_") { + continue + } + // At render time, add information about the template that is being rendered. + vals := tpls[filename].vals + vals["Template"] = chartutil.Values{"Name": filename, "BasePath": tpls[filename].basePath} + var buf strings.Builder + if err := t.ExecuteTemplate(&buf, filename, vals); err != nil { + return map[string]string{}, cleanupExecError(filename, err) + } + + // Work around the issue where Go will emit "" even if Options(missing=zero) + // is set. Since missing=error will never get here, we do not need to handle + // the Strict case. + rendered[filename] = strings.ReplaceAll(buf.String(), "", "") + } + + return rendered, nil +} + +func cleanupParseError(filename string, err error) error { + tokens := strings.Split(err.Error(), ": ") + if len(tokens) == 1 { + // This might happen if a non-templating error occurs + return fmt.Errorf("parse error in (%s): %s", filename, err) + } + // The first token is "template" + // The second token is either "filename:lineno" or "filename:lineNo:columnNo" + location := tokens[1] + // The remaining tokens make up a stacktrace-like chain, ending with the relevant error + errMsg := tokens[len(tokens)-1] + return fmt.Errorf("parse error at (%s): %s", string(location), errMsg) +} + +func cleanupExecError(filename string, err error) error { + if _, isExecError := err.(template.ExecError); !isExecError { + return err + } + + tokens := strings.SplitN(err.Error(), ": ", 3) + if len(tokens) != 3 { + // This might happen if a non-templating error occurs + return fmt.Errorf("execution error in (%s): %s", filename, err) + } + + // The first token is "template" + // The second token is either "filename:lineno" or "filename:lineNo:columnNo" + location := tokens[1] + + parts := warnRegex.FindStringSubmatch(tokens[2]) + if len(parts) >= 2 { + return fmt.Errorf("execution error at (%s): %s", string(location), parts[1]) + } + + return err +} + +func sortTemplates(tpls map[string]renderable) []string { + keys := make([]string, len(tpls)) + i := 0 + for key := range tpls { + keys[i] = key + i++ + } + sort.Sort(sort.Reverse(byPathLen(keys))) + return keys +} + +type byPathLen []string + +func (p byPathLen) Len() int { return len(p) } +func (p byPathLen) Swap(i, j int) { p[j], p[i] = p[i], p[j] } +func (p byPathLen) Less(i, j int) bool { + a, b := p[i], p[j] + ca, cb := strings.Count(a, "/"), strings.Count(b, "/") + if ca == cb { + return strings.Compare(a, b) == -1 + } + return ca < cb +} + +// allTemplates returns all templates for a chart and its dependencies. +// +// As it goes, it also prepares the values in a scope-sensitive manner. +func allTemplates(c *chart.Chart, vals chartutil.Values) map[string]renderable { + templates := make(map[string]renderable) + recAllTpls(c, templates, vals) + return templates +} + +// recAllTpls recurses through the templates in a chart. +// +// As it recurses, it also sets the values to be appropriate for the template +// scope. +func recAllTpls(c *chart.Chart, templates map[string]renderable, vals chartutil.Values) map[string]interface{} { + subCharts := make(map[string]interface{}) + chartMetaData := struct { + chart.Metadata + IsRoot bool + }{*c.Metadata, c.IsRoot()} + + next := map[string]interface{}{ + "Chart": chartMetaData, + "Files": newFiles(c.Files), + "Release": vals["Release"], + "Capabilities": vals["Capabilities"], + "Values": make(chartutil.Values), + "Subcharts": subCharts, + } + + // If there is a {{.Values.ThisChart}} in the parent metadata, + // copy that into the {{.Values}} for this template. + if c.IsRoot() { + next["Values"] = vals["Values"] + } else if vs, err := vals.Table("Values." + c.Name()); err == nil { + next["Values"] = vs + } + + for _, child := range c.Dependencies() { + subCharts[child.Name()] = recAllTpls(child, templates, next) + } + + newParentID := c.ChartFullPath() + for _, t := range c.Templates { + if t == nil { + continue + } + if !isTemplateValid(c, t.Name) { + continue + } + templates[path.Join(newParentID, t.Name)] = renderable{ + tpl: string(t.Data), + vals: next, + basePath: path.Join(newParentID, "templates"), + } + } + + return next +} + +// isTemplateValid returns true if the template is valid for the chart type +func isTemplateValid(ch *chart.Chart, templateName string) bool { + if isLibraryChart(ch) { + return strings.HasPrefix(filepath.Base(templateName), "_") + } + return true +} + +// isLibraryChart returns true if the chart is a library chart +func isLibraryChart(c *chart.Chart) bool { + return strings.EqualFold(c.Metadata.Type, "library") +} diff --git a/vendor/helm.sh/helm/v3/pkg/engine/files.go b/vendor/helm.sh/helm/v3/pkg/engine/files.go new file mode 100644 index 0000000000..f2cfdb3f38 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/engine/files.go @@ -0,0 +1,165 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package engine + +import ( + "encoding/base64" + "path" + "strings" + + "github.com/gobwas/glob" + + "helm.sh/helm/v3/pkg/chart" +) + +// files is a map of files in a chart that can be accessed from a template. +type files map[string][]byte + +// NewFiles creates a new files from chart files. +// Given an []*chart.File (the format for files in a chart.Chart), extract a map of files. +func newFiles(from []*chart.File) files { + files := make(map[string][]byte) + for _, f := range from { + files[f.Name] = f.Data + } + return files +} + +// GetBytes gets a file by path. +// +// The returned data is raw. In a template context, this is identical to calling +// {{index .Files $path}}. +// +// This is intended to be accessed from within a template, so a missed key returns +// an empty []byte. +func (f files) GetBytes(name string) []byte { + if v, ok := f[name]; ok { + return v + } + return []byte{} +} + +// Get returns a string representation of the given file. +// +// Fetch the contents of a file as a string. It is designed to be called in a +// template. +// +// {{.Files.Get "foo"}} +func (f files) Get(name string) string { + return string(f.GetBytes(name)) +} + +// Glob takes a glob pattern and returns another files object only containing +// matched files. +// +// This is designed to be called from a template. +// +// {{ range $name, $content := .Files.Glob("foo/**") }} +// {{ $name }}: | +// {{ .Files.Get($name) | indent 4 }}{{ end }} +func (f files) Glob(pattern string) files { + g, err := glob.Compile(pattern, '/') + if err != nil { + g, _ = glob.Compile("**") + } + + nf := newFiles(nil) + for name, contents := range f { + if g.Match(name) { + nf[name] = contents + } + } + + return nf +} + +// AsConfig turns a Files group and flattens it to a YAML map suitable for +// including in the 'data' section of a Kubernetes ConfigMap definition. +// Duplicate keys will be overwritten, so be aware that your file names +// (regardless of path) should be unique. +// +// This is designed to be called from a template, and will return empty string +// (via toYAML function) if it cannot be serialized to YAML, or if the Files +// object is nil. +// +// The output will not be indented, so you will want to pipe this to the +// 'indent' template function. +// +// data: +// +// {{ .Files.Glob("config/**").AsConfig() | indent 4 }} +func (f files) AsConfig() string { + if f == nil { + return "" + } + + m := make(map[string]string) + + // Explicitly convert to strings, and file names + for k, v := range f { + m[path.Base(k)] = string(v) + } + + return toYAML(m) +} + +// AsSecrets returns the base64-encoded value of a Files object suitable for +// including in the 'data' section of a Kubernetes Secret definition. +// Duplicate keys will be overwritten, so be aware that your file names +// (regardless of path) should be unique. +// +// This is designed to be called from a template, and will return empty string +// (via toYAML function) if it cannot be serialized to YAML, or if the Files +// object is nil. +// +// The output will not be indented, so you will want to pipe this to the +// 'indent' template function. +// +// data: +// +// {{ .Files.Glob("secrets/*").AsSecrets() | indent 4 }} +func (f files) AsSecrets() string { + if f == nil { + return "" + } + + m := make(map[string]string) + + for k, v := range f { + m[path.Base(k)] = base64.StdEncoding.EncodeToString(v) + } + + return toYAML(m) +} + +// Lines returns each line of a named file (split by "\n") as a slice, so it can +// be ranged over in your templates. +// +// This is designed to be called from a template. +// +// {{ range .Files.Lines "foo/bar.html" }} +// {{ . }}{{ end }} +func (f files) Lines(path string) []string { + if f == nil || f[path] == nil { + return []string{} + } + s := string(f[path]) + if s[len(s)-1] == '\n' { + s = s[:len(s)-1] + } + return strings.Split(s, "\n") +} diff --git a/vendor/helm.sh/helm/v3/pkg/engine/funcs.go b/vendor/helm.sh/helm/v3/pkg/engine/funcs.go new file mode 100644 index 0000000000..d03a818c28 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/engine/funcs.go @@ -0,0 +1,207 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package engine + +import ( + "bytes" + "encoding/json" + "strings" + "text/template" + + "github.com/BurntSushi/toml" + "github.com/Masterminds/sprig/v3" + "sigs.k8s.io/yaml" + goYaml "sigs.k8s.io/yaml/goyaml.v3" +) + +// funcMap returns a mapping of all of the functions that Engine has. +// +// Because some functions are late-bound (e.g. contain context-sensitive +// data), the functions may not all perform identically outside of an Engine +// as they will inside of an Engine. +// +// Known late-bound functions: +// +// - "include" +// - "tpl" +// +// These are late-bound in Engine.Render(). The +// version included in the FuncMap is a placeholder. +func funcMap() template.FuncMap { + f := sprig.TxtFuncMap() + delete(f, "env") + delete(f, "expandenv") + + // Add some extra functionality + extra := template.FuncMap{ + "toToml": toTOML, + "fromToml": fromTOML, + "toYaml": toYAML, + "toYamlPretty": toYAMLPretty, + "fromYaml": fromYAML, + "fromYamlArray": fromYAMLArray, + "toJson": toJSON, + "fromJson": fromJSON, + "fromJsonArray": fromJSONArray, + + // This is a placeholder for the "include" function, which is + // late-bound to a template. By declaring it here, we preserve the + // integrity of the linter. + "include": func(string, interface{}) string { return "not implemented" }, + "tpl": func(string, interface{}) interface{} { return "not implemented" }, + "required": func(string, interface{}) (interface{}, error) { return "not implemented", nil }, + // Provide a placeholder for the "lookup" function, which requires a kubernetes + // connection. + "lookup": func(string, string, string, string) (map[string]interface{}, error) { + return map[string]interface{}{}, nil + }, + } + + for k, v := range extra { + f[k] = v + } + + return f +} + +// toYAML takes an interface, marshals it to yaml, and returns a string. It will +// always return a string, even on marshal error (empty string). +// +// This is designed to be called from a template. +func toYAML(v interface{}) string { + data, err := yaml.Marshal(v) + if err != nil { + // Swallow errors inside of a template. + return "" + } + return strings.TrimSuffix(string(data), "\n") +} + +func toYAMLPretty(v interface{}) string { + var data bytes.Buffer + encoder := goYaml.NewEncoder(&data) + encoder.SetIndent(2) + err := encoder.Encode(v) + + if err != nil { + // Swallow errors inside of a template. + return "" + } + return strings.TrimSuffix(data.String(), "\n") +} + +// fromYAML converts a YAML document into a map[string]interface{}. +// +// This is not a general-purpose YAML parser, and will not parse all valid +// YAML documents. Additionally, because its intended use is within templates +// it tolerates errors. It will insert the returned error message string into +// m["Error"] in the returned map. +func fromYAML(str string) map[string]interface{} { + m := map[string]interface{}{} + + if err := yaml.Unmarshal([]byte(str), &m); err != nil { + m["Error"] = err.Error() + } + return m +} + +// fromYAMLArray converts a YAML array into a []interface{}. +// +// This is not a general-purpose YAML parser, and will not parse all valid +// YAML documents. Additionally, because its intended use is within templates +// it tolerates errors. It will insert the returned error message string as +// the first and only item in the returned array. +func fromYAMLArray(str string) []interface{} { + a := []interface{}{} + + if err := yaml.Unmarshal([]byte(str), &a); err != nil { + a = []interface{}{err.Error()} + } + return a +} + +// toTOML takes an interface, marshals it to toml, and returns a string. It will +// always return a string, even on marshal error (empty string). +// +// This is designed to be called from a template. +func toTOML(v interface{}) string { + b := bytes.NewBuffer(nil) + e := toml.NewEncoder(b) + err := e.Encode(v) + if err != nil { + return err.Error() + } + return b.String() +} + +// fromTOML converts a TOML document into a map[string]interface{}. +// +// This is not a general-purpose TOML parser, and will not parse all valid +// TOML documents. Additionally, because its intended use is within templates +// it tolerates errors. It will insert the returned error message string into +// m["Error"] in the returned map. +func fromTOML(str string) map[string]interface{} { + m := make(map[string]interface{}) + + if err := toml.Unmarshal([]byte(str), &m); err != nil { + m["Error"] = err.Error() + } + return m +} + +// toJSON takes an interface, marshals it to json, and returns a string. It will +// always return a string, even on marshal error (empty string). +// +// This is designed to be called from a template. +func toJSON(v interface{}) string { + data, err := json.Marshal(v) + if err != nil { + // Swallow errors inside of a template. + return "" + } + return string(data) +} + +// fromJSON converts a JSON document into a map[string]interface{}. +// +// This is not a general-purpose JSON parser, and will not parse all valid +// JSON documents. Additionally, because its intended use is within templates +// it tolerates errors. It will insert the returned error message string into +// m["Error"] in the returned map. +func fromJSON(str string) map[string]interface{} { + m := make(map[string]interface{}) + + if err := json.Unmarshal([]byte(str), &m); err != nil { + m["Error"] = err.Error() + } + return m +} + +// fromJSONArray converts a JSON array into a []interface{}. +// +// This is not a general-purpose JSON parser, and will not parse all valid +// JSON documents. Additionally, because its intended use is within templates +// it tolerates errors. It will insert the returned error message string as +// the first and only item in the returned array. +func fromJSONArray(str string) []interface{} { + a := []interface{}{} + + if err := json.Unmarshal([]byte(str), &a); err != nil { + a = []interface{}{err.Error()} + } + return a +} diff --git a/vendor/helm.sh/helm/v3/pkg/engine/lookup_func.go b/vendor/helm.sh/helm/v3/pkg/engine/lookup_func.go new file mode 100644 index 0000000000..75e85098d1 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/engine/lookup_func.go @@ -0,0 +1,143 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package engine + +import ( + "context" + "log" + "strings" + + "github.com/pkg/errors" + apierrors "k8s.io/apimachinery/pkg/api/errors" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime/schema" + "k8s.io/client-go/discovery" + "k8s.io/client-go/dynamic" + "k8s.io/client-go/rest" +) + +type lookupFunc = func(apiversion string, resource string, namespace string, name string) (map[string]interface{}, error) + +// NewLookupFunction returns a function for looking up objects in the cluster. +// +// If the resource does not exist, no error is raised. +// +// This function is considered deprecated, and will be renamed in Helm 4. It will no +// longer be a public function. +func NewLookupFunction(config *rest.Config) lookupFunc { + return newLookupFunction(clientProviderFromConfig{config: config}) +} + +type ClientProvider interface { + // GetClientFor returns a dynamic.NamespaceableResourceInterface suitable for interacting with resources + // corresponding to the provided apiVersion and kind, as well as a boolean indicating whether the resources + // are namespaced. + GetClientFor(apiVersion, kind string) (dynamic.NamespaceableResourceInterface, bool, error) +} + +type clientProviderFromConfig struct { + config *rest.Config +} + +func (c clientProviderFromConfig) GetClientFor(apiVersion, kind string) (dynamic.NamespaceableResourceInterface, bool, error) { + return getDynamicClientOnKind(apiVersion, kind, c.config) +} + +func newLookupFunction(clientProvider ClientProvider) lookupFunc { + return func(apiversion string, kind string, namespace string, name string) (map[string]interface{}, error) { + var client dynamic.ResourceInterface + c, namespaced, err := clientProvider.GetClientFor(apiversion, kind) + if err != nil { + return map[string]interface{}{}, err + } + if namespaced && namespace != "" { + client = c.Namespace(namespace) + } else { + client = c + } + if name != "" { + // this will return a single object + obj, err := client.Get(context.Background(), name, metav1.GetOptions{}) + if err != nil { + if apierrors.IsNotFound(err) { + // Just return an empty interface when the object was not found. + // That way, users can use `if not (lookup ...)` in their templates. + return map[string]interface{}{}, nil + } + return map[string]interface{}{}, err + } + return obj.UnstructuredContent(), nil + } + // this will return a list + obj, err := client.List(context.Background(), metav1.ListOptions{}) + if err != nil { + if apierrors.IsNotFound(err) { + // Just return an empty interface when the object was not found. + // That way, users can use `if not (lookup ...)` in their templates. + return map[string]interface{}{}, nil + } + return map[string]interface{}{}, err + } + return obj.UnstructuredContent(), nil + } +} + +// getDynamicClientOnKind returns a dynamic client on an Unstructured type. This client can be further namespaced. +func getDynamicClientOnKind(apiversion string, kind string, config *rest.Config) (dynamic.NamespaceableResourceInterface, bool, error) { + gvk := schema.FromAPIVersionAndKind(apiversion, kind) + apiRes, err := getAPIResourceForGVK(gvk, config) + if err != nil { + log.Printf("[ERROR] unable to get apiresource from unstructured: %s , error %s", gvk.String(), err) + return nil, false, errors.Wrapf(err, "unable to get apiresource from unstructured: %s", gvk.String()) + } + gvr := schema.GroupVersionResource{ + Group: apiRes.Group, + Version: apiRes.Version, + Resource: apiRes.Name, + } + intf, err := dynamic.NewForConfig(config) + if err != nil { + log.Printf("[ERROR] unable to get dynamic client %s", err) + return nil, false, err + } + res := intf.Resource(gvr) + return res, apiRes.Namespaced, nil +} + +func getAPIResourceForGVK(gvk schema.GroupVersionKind, config *rest.Config) (metav1.APIResource, error) { + res := metav1.APIResource{} + discoveryClient, err := discovery.NewDiscoveryClientForConfig(config) + if err != nil { + log.Printf("[ERROR] unable to create discovery client %s", err) + return res, err + } + resList, err := discoveryClient.ServerResourcesForGroupVersion(gvk.GroupVersion().String()) + if err != nil { + log.Printf("[ERROR] unable to retrieve resource list for: %s , error: %s", gvk.GroupVersion().String(), err) + return res, err + } + for _, resource := range resList.APIResources { + // if a resource contains a "/" it's referencing a subresource. we don't support subresource for now. + if resource.Kind == gvk.Kind && !strings.Contains(resource.Name, "/") { + res = resource + res.Group = gvk.Group + res.Version = gvk.Version + break + } + } + return res, nil +} diff --git a/vendor/helm.sh/helm/v3/pkg/getter/doc.go b/vendor/helm.sh/helm/v3/pkg/getter/doc.go new file mode 100644 index 0000000000..11cf6153eb --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/getter/doc.go @@ -0,0 +1,22 @@ +/* +Copyright The Helm Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +/* +Package getter provides a generalize tool for fetching data by scheme. + +This provides a method by which the plugin system can load arbitrary protocol +handlers based upon a URL scheme. +*/ +package getter diff --git a/vendor/helm.sh/helm/v3/pkg/getter/getter.go b/vendor/helm.sh/helm/v3/pkg/getter/getter.go new file mode 100644 index 0000000000..1acb2093dc --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/getter/getter.go @@ -0,0 +1,220 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package getter + +import ( + "bytes" + "net/http" + "time" + + "github.com/pkg/errors" + + "helm.sh/helm/v3/pkg/cli" + "helm.sh/helm/v3/pkg/registry" +) + +// options are generic parameters to be provided to the getter during instantiation. +// +// Getters may or may not ignore these parameters as they are passed in. +type options struct { + url string + certFile string + keyFile string + caFile string + unTar bool + insecureSkipVerifyTLS bool + plainHTTP bool + acceptHeader string + username string + password string + passCredentialsAll bool + userAgent string + version string + registryClient *registry.Client + timeout time.Duration + transport *http.Transport +} + +// Option allows specifying various settings configurable by the user for overriding the defaults +// used when performing Get operations with the Getter. +type Option func(*options) + +// WithURL informs the getter the server name that will be used when fetching objects. Used in conjunction with +// WithTLSClientConfig to set the TLSClientConfig's server name. +func WithURL(url string) Option { + return func(opts *options) { + opts.url = url + } +} + +// WithAcceptHeader sets the request's Accept header as some REST APIs serve multiple content types +func WithAcceptHeader(header string) Option { + return func(opts *options) { + opts.acceptHeader = header + } +} + +// WithBasicAuth sets the request's Authorization header to use the provided credentials +func WithBasicAuth(username, password string) Option { + return func(opts *options) { + opts.username = username + opts.password = password + } +} + +func WithPassCredentialsAll(pass bool) Option { + return func(opts *options) { + opts.passCredentialsAll = pass + } +} + +// WithUserAgent sets the request's User-Agent header to use the provided agent name. +func WithUserAgent(userAgent string) Option { + return func(opts *options) { + opts.userAgent = userAgent + } +} + +// WithInsecureSkipVerifyTLS determines if a TLS Certificate will be checked +func WithInsecureSkipVerifyTLS(insecureSkipVerifyTLS bool) Option { + return func(opts *options) { + opts.insecureSkipVerifyTLS = insecureSkipVerifyTLS + } +} + +// WithTLSClientConfig sets the client auth with the provided credentials. +func WithTLSClientConfig(certFile, keyFile, caFile string) Option { + return func(opts *options) { + opts.certFile = certFile + opts.keyFile = keyFile + opts.caFile = caFile + } +} + +func WithPlainHTTP(plainHTTP bool) Option { + return func(opts *options) { + opts.plainHTTP = plainHTTP + } +} + +// WithTimeout sets the timeout for requests +func WithTimeout(timeout time.Duration) Option { + return func(opts *options) { + opts.timeout = timeout + } +} + +func WithTagName(tagname string) Option { + return func(opts *options) { + opts.version = tagname + } +} + +func WithRegistryClient(client *registry.Client) Option { + return func(opts *options) { + opts.registryClient = client + } +} + +func WithUntar() Option { + return func(opts *options) { + opts.unTar = true + } +} + +// WithTransport sets the http.Transport to allow overwriting the HTTPGetter default. +func WithTransport(transport *http.Transport) Option { + return func(opts *options) { + opts.transport = transport + } +} + +// Getter is an interface to support GET to the specified URL. +type Getter interface { + // Get file content by url string + Get(url string, options ...Option) (*bytes.Buffer, error) +} + +// Constructor is the function for every getter which creates a specific instance +// according to the configuration +type Constructor func(options ...Option) (Getter, error) + +// Provider represents any getter and the schemes that it supports. +// +// For example, an HTTP provider may provide one getter that handles both +// 'http' and 'https' schemes. +type Provider struct { + Schemes []string + New Constructor +} + +// Provides returns true if the given scheme is supported by this Provider. +func (p Provider) Provides(scheme string) bool { + for _, i := range p.Schemes { + if i == scheme { + return true + } + } + return false +} + +// Providers is a collection of Provider objects. +type Providers []Provider + +// ByScheme returns a Provider that handles the given scheme. +// +// If no provider handles this scheme, this will return an error. +func (p Providers) ByScheme(scheme string) (Getter, error) { + for _, pp := range p { + if pp.Provides(scheme) { + return pp.New() + } + } + return nil, errors.Errorf("scheme %q not supported", scheme) +} + +const ( + // The cost timeout references curl's default connection timeout. + // https://github.com/curl/curl/blob/master/lib/connect.h#L40C21-L40C21 + // The helm commands are usually executed manually. Considering the acceptable waiting time, we reduced the entire request time to 120s. + DefaultHTTPTimeout = 120 +) + +var defaultOptions = []Option{WithTimeout(time.Second * DefaultHTTPTimeout)} + +var httpProvider = Provider{ + Schemes: []string{"http", "https"}, + New: func(options ...Option) (Getter, error) { + options = append(options, defaultOptions...) + return NewHTTPGetter(options...) + }, +} + +var ociProvider = Provider{ + Schemes: []string{registry.OCIScheme}, + New: NewOCIGetter, +} + +// All finds all of the registered getters as a list of Provider instances. +// Currently, the built-in getters and the discovered plugins with downloader +// notations are collected. +func All(settings *cli.EnvSettings) Providers { + result := Providers{httpProvider, ociProvider} + pluginDownloaders, _ := collectPlugins(settings) + result = append(result, pluginDownloaders...) + return result +} diff --git a/vendor/helm.sh/helm/v3/pkg/getter/httpgetter.go b/vendor/helm.sh/helm/v3/pkg/getter/httpgetter.go new file mode 100644 index 0000000000..df3dcd9109 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/getter/httpgetter.go @@ -0,0 +1,161 @@ +/* +Copyright The Helm Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package getter + +import ( + "bytes" + "crypto/tls" + "io" + "net/http" + "net/url" + "sync" + + "github.com/pkg/errors" + + "helm.sh/helm/v3/internal/tlsutil" + "helm.sh/helm/v3/internal/urlutil" + "helm.sh/helm/v3/internal/version" +) + +// HTTPGetter is the default HTTP(/S) backend handler +type HTTPGetter struct { + opts options + transport *http.Transport + once sync.Once +} + +// Get performs a Get from repo.Getter and returns the body. +func (g *HTTPGetter) Get(href string, options ...Option) (*bytes.Buffer, error) { + for _, opt := range options { + opt(&g.opts) + } + return g.get(href) +} + +func (g *HTTPGetter) get(href string) (*bytes.Buffer, error) { + // Set a helm specific user agent so that a repo server and metrics can + // separate helm calls from other tools interacting with repos. + req, err := http.NewRequest(http.MethodGet, href, nil) + if err != nil { + return nil, err + } + + if g.opts.acceptHeader != "" { + req.Header.Set("Accept", g.opts.acceptHeader) + } + + req.Header.Set("User-Agent", version.GetUserAgent()) + if g.opts.userAgent != "" { + req.Header.Set("User-Agent", g.opts.userAgent) + } + + // Before setting the basic auth credentials, make sure the URL associated + // with the basic auth is the one being fetched. + u1, err := url.Parse(g.opts.url) + if err != nil { + return nil, errors.Wrap(err, "Unable to parse getter URL") + } + u2, err := url.Parse(href) + if err != nil { + return nil, errors.Wrap(err, "Unable to parse URL getting from") + } + + // Host on URL (returned from url.Parse) contains the port if present. + // This check ensures credentials are not passed between different + // services on different ports. + if g.opts.passCredentialsAll || (u1.Scheme == u2.Scheme && u1.Host == u2.Host) { + if g.opts.username != "" && g.opts.password != "" { + req.SetBasicAuth(g.opts.username, g.opts.password) + } + } + + client, err := g.httpClient() + if err != nil { + return nil, err + } + + resp, err := client.Do(req) + if err != nil { + return nil, err + } + defer resp.Body.Close() + if resp.StatusCode != http.StatusOK { + return nil, errors.Errorf("failed to fetch %s : %s", href, resp.Status) + } + + buf := bytes.NewBuffer(nil) + _, err = io.Copy(buf, resp.Body) + return buf, err +} + +// NewHTTPGetter constructs a valid http/https client as a Getter +func NewHTTPGetter(options ...Option) (Getter, error) { + var client HTTPGetter + + for _, opt := range options { + opt(&client.opts) + } + + return &client, nil +} + +func (g *HTTPGetter) httpClient() (*http.Client, error) { + if g.opts.transport != nil { + return &http.Client{ + Transport: g.opts.transport, + Timeout: g.opts.timeout, + }, nil + } + + g.once.Do(func() { + g.transport = &http.Transport{ + DisableCompression: true, + Proxy: http.ProxyFromEnvironment, + } + }) + + if (g.opts.certFile != "" && g.opts.keyFile != "") || g.opts.caFile != "" || g.opts.insecureSkipVerifyTLS { + tlsConf, err := tlsutil.NewClientTLS(g.opts.certFile, g.opts.keyFile, g.opts.caFile, g.opts.insecureSkipVerifyTLS) + if err != nil { + return nil, errors.Wrap(err, "can't create TLS config for client") + } + + sni, err := urlutil.ExtractHostname(g.opts.url) + if err != nil { + return nil, err + } + tlsConf.ServerName = sni + + g.transport.TLSClientConfig = tlsConf + } + + if g.opts.insecureSkipVerifyTLS { + if g.transport.TLSClientConfig == nil { + g.transport.TLSClientConfig = &tls.Config{ + InsecureSkipVerify: true, + } + } else { + g.transport.TLSClientConfig.InsecureSkipVerify = true + } + } + + client := &http.Client{ + Transport: g.transport, + Timeout: g.opts.timeout, + } + + return client, nil +} diff --git a/vendor/helm.sh/helm/v3/pkg/getter/ocigetter.go b/vendor/helm.sh/helm/v3/pkg/getter/ocigetter.go new file mode 100644 index 0000000000..5b0522395c --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/getter/ocigetter.go @@ -0,0 +1,160 @@ +/* +Copyright The Helm Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package getter + +import ( + "bytes" + "fmt" + "net" + "net/http" + "path" + "strings" + "sync" + "time" + + "helm.sh/helm/v3/internal/tlsutil" + "helm.sh/helm/v3/internal/urlutil" + "helm.sh/helm/v3/pkg/registry" +) + +// OCIGetter is the default HTTP(/S) backend handler +type OCIGetter struct { + opts options + transport *http.Transport + once sync.Once +} + +// Get performs a Get from repo.Getter and returns the body. +func (g *OCIGetter) Get(href string, options ...Option) (*bytes.Buffer, error) { + for _, opt := range options { + opt(&g.opts) + } + return g.get(href) +} + +func (g *OCIGetter) get(href string) (*bytes.Buffer, error) { + client := g.opts.registryClient + // if the user has already provided a configured registry client, use it, + // this is particularly true when user has his own way of handling the client credentials. + if client == nil { + c, err := g.newRegistryClient() + if err != nil { + return nil, err + } + client = c + } + + ref := strings.TrimPrefix(href, fmt.Sprintf("%s://", registry.OCIScheme)) + + if version := g.opts.version; version != "" && !strings.Contains(path.Base(ref), ":") { + ref = fmt.Sprintf("%s:%s", ref, version) + } + var pullOpts []registry.PullOption + requestingProv := strings.HasSuffix(ref, ".prov") + if requestingProv { + ref = strings.TrimSuffix(ref, ".prov") + pullOpts = append(pullOpts, + registry.PullOptWithChart(false), + registry.PullOptWithProv(true)) + } + + result, err := client.Pull(ref, pullOpts...) + if err != nil { + return nil, err + } + + if requestingProv { + return bytes.NewBuffer(result.Prov.Data), nil + } + return bytes.NewBuffer(result.Chart.Data), nil +} + +// NewOCIGetter constructs a valid http/https client as a Getter +func NewOCIGetter(ops ...Option) (Getter, error) { + var client OCIGetter + + for _, opt := range ops { + opt(&client.opts) + } + + return &client, nil +} + +func (g *OCIGetter) newRegistryClient() (*registry.Client, error) { + if g.opts.transport != nil { + client, err := registry.NewClient( + registry.ClientOptHTTPClient(&http.Client{ + Transport: g.opts.transport, + Timeout: g.opts.timeout, + }), + ) + if err != nil { + return nil, err + } + return client, nil + } + + g.once.Do(func() { + g.transport = &http.Transport{ + // From https://github.com/google/go-containerregistry/blob/31786c6cbb82d6ec4fb8eb79cd9387905130534e/pkg/v1/remote/options.go#L87 + DisableCompression: true, + DialContext: (&net.Dialer{ + // By default we wrap the transport in retries, so reduce the + // default dial timeout to 5s to avoid 5x 30s of connection + // timeouts when doing the "ping" on certain http registries. + Timeout: 5 * time.Second, + KeepAlive: 30 * time.Second, + }).DialContext, + ForceAttemptHTTP2: true, + MaxIdleConns: 100, + IdleConnTimeout: 90 * time.Second, + TLSHandshakeTimeout: 10 * time.Second, + ExpectContinueTimeout: 1 * time.Second, + Proxy: http.ProxyFromEnvironment, + } + }) + + if (g.opts.certFile != "" && g.opts.keyFile != "") || g.opts.caFile != "" || g.opts.insecureSkipVerifyTLS { + tlsConf, err := tlsutil.NewClientTLS(g.opts.certFile, g.opts.keyFile, g.opts.caFile, g.opts.insecureSkipVerifyTLS) + if err != nil { + return nil, fmt.Errorf("can't create TLS config for client: %w", err) + } + + sni, err := urlutil.ExtractHostname(g.opts.url) + if err != nil { + return nil, err + } + tlsConf.ServerName = sni + + g.transport.TLSClientConfig = tlsConf + } + + opts := []registry.ClientOption{registry.ClientOptHTTPClient(&http.Client{ + Transport: g.transport, + Timeout: g.opts.timeout, + })} + if g.opts.plainHTTP { + opts = append(opts, registry.ClientOptPlainHTTP()) + } + + client, err := registry.NewClient(opts...) + + if err != nil { + return nil, err + } + + return client, nil +} diff --git a/vendor/helm.sh/helm/v3/pkg/getter/plugingetter.go b/vendor/helm.sh/helm/v3/pkg/getter/plugingetter.go new file mode 100644 index 0000000000..a371b52eb8 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/getter/plugingetter.go @@ -0,0 +1,110 @@ +/* +Copyright The Helm Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package getter + +import ( + "bytes" + "fmt" + "os" + "os/exec" + "path/filepath" + "strings" + + "github.com/pkg/errors" + + "helm.sh/helm/v3/pkg/cli" + "helm.sh/helm/v3/pkg/plugin" +) + +// collectPlugins scans for getter plugins. +// This will load plugins according to the cli. +func collectPlugins(settings *cli.EnvSettings) (Providers, error) { + plugins, err := plugin.FindPlugins(settings.PluginsDirectory) + if err != nil { + return nil, err + } + var result Providers + for _, plugin := range plugins { + for _, downloader := range plugin.Metadata.Downloaders { + result = append(result, Provider{ + Schemes: downloader.Protocols, + New: NewPluginGetter( + downloader.Command, + settings, + plugin.Metadata.Name, + plugin.Dir, + ), + }) + } + } + return result, nil +} + +// pluginGetter is a generic type to invoke custom downloaders, +// implemented in plugins. +type pluginGetter struct { + command string + settings *cli.EnvSettings + name string + base string + opts options +} + +func (p *pluginGetter) setupOptionsEnv(env []string) []string { + env = append(env, fmt.Sprintf("HELM_PLUGIN_USERNAME=%s", p.opts.username)) + env = append(env, fmt.Sprintf("HELM_PLUGIN_PASSWORD=%s", p.opts.password)) + env = append(env, fmt.Sprintf("HELM_PLUGIN_PASS_CREDENTIALS_ALL=%t", p.opts.passCredentialsAll)) + return env +} + +// Get runs downloader plugin command +func (p *pluginGetter) Get(href string, options ...Option) (*bytes.Buffer, error) { + for _, opt := range options { + opt(&p.opts) + } + commands := strings.Split(p.command, " ") + argv := append(commands[1:], p.opts.certFile, p.opts.keyFile, p.opts.caFile, href) + prog := exec.Command(filepath.Join(p.base, commands[0]), argv...) + plugin.SetupPluginEnv(p.settings, p.name, p.base) + prog.Env = p.setupOptionsEnv(os.Environ()) + buf := bytes.NewBuffer(nil) + prog.Stdout = buf + prog.Stderr = os.Stderr + if err := prog.Run(); err != nil { + if eerr, ok := err.(*exec.ExitError); ok { + os.Stderr.Write(eerr.Stderr) + return nil, errors.Errorf("plugin %q exited with error", p.command) + } + return nil, err + } + return buf, nil +} + +// NewPluginGetter constructs a valid plugin getter +func NewPluginGetter(command string, settings *cli.EnvSettings, name, base string) Constructor { + return func(options ...Option) (Getter, error) { + result := &pluginGetter{ + command: command, + settings: settings, + name: name, + base: base, + } + for _, opt := range options { + opt(&result.opts) + } + return result, nil + } +} diff --git a/vendor/helm.sh/helm/v3/pkg/helmpath/home.go b/vendor/helm.sh/helm/v3/pkg/helmpath/home.go new file mode 100644 index 0000000000..bd43e8890c --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/helmpath/home.go @@ -0,0 +1,44 @@ +// Copyright The Helm Authors. +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at + +// http://www.apache.org/licenses/LICENSE-2.0 + +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Package helmpath calculates filesystem paths to Helm's configuration, cache and data. +package helmpath + +// This helper builds paths to Helm's configuration, cache and data paths. +const lp = lazypath("helm") + +// ConfigPath returns the path where Helm stores configuration. +func ConfigPath(elem ...string) string { return lp.configPath(elem...) } + +// CachePath returns the path where Helm stores cached objects. +func CachePath(elem ...string) string { return lp.cachePath(elem...) } + +// DataPath returns the path where Helm stores data. +func DataPath(elem ...string) string { return lp.dataPath(elem...) } + +// CacheIndexFile returns the path to an index for the given named repository. +func CacheIndexFile(name string) string { + if name != "" { + name += "-" + } + return name + "index.yaml" +} + +// CacheChartsFile returns the path to a text file listing all the charts +// within the given named repository. +func CacheChartsFile(name string) string { + if name != "" { + name += "-" + } + return name + "charts.txt" +} diff --git a/vendor/helm.sh/helm/v3/pkg/helmpath/lazypath.go b/vendor/helm.sh/helm/v3/pkg/helmpath/lazypath.go new file mode 100644 index 0000000000..6b4f1fc770 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/helmpath/lazypath.go @@ -0,0 +1,72 @@ +// Copyright The Helm Authors. +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at + +// http://www.apache.org/licenses/LICENSE-2.0 + +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package helmpath + +import ( + "os" + "path/filepath" + + "helm.sh/helm/v3/pkg/helmpath/xdg" +) + +const ( + // CacheHomeEnvVar is the environment variable used by Helm + // for the cache directory. When no value is set a default is used. + CacheHomeEnvVar = "HELM_CACHE_HOME" + + // ConfigHomeEnvVar is the environment variable used by Helm + // for the config directory. When no value is set a default is used. + ConfigHomeEnvVar = "HELM_CONFIG_HOME" + + // DataHomeEnvVar is the environment variable used by Helm + // for the data directory. When no value is set a default is used. + DataHomeEnvVar = "HELM_DATA_HOME" +) + +// lazypath is a lazy-loaded path buffer for the XDG base directory specification. +type lazypath string + +func (l lazypath) path(helmEnvVar, xdgEnvVar string, defaultFn func() string, elem ...string) string { + + // There is an order to checking for a path. + // 1. See if a Helm specific environment variable has been set. + // 2. Check if an XDG environment variable is set + // 3. Fall back to a default + base := os.Getenv(helmEnvVar) + if base != "" { + return filepath.Join(base, filepath.Join(elem...)) + } + base = os.Getenv(xdgEnvVar) + if base == "" { + base = defaultFn() + } + return filepath.Join(base, string(l), filepath.Join(elem...)) +} + +// cachePath defines the base directory relative to which user specific non-essential data files +// should be stored. +func (l lazypath) cachePath(elem ...string) string { + return l.path(CacheHomeEnvVar, xdg.CacheHomeEnvVar, cacheHome, filepath.Join(elem...)) +} + +// configPath defines the base directory relative to which user specific configuration files should +// be stored. +func (l lazypath) configPath(elem ...string) string { + return l.path(ConfigHomeEnvVar, xdg.ConfigHomeEnvVar, configHome, filepath.Join(elem...)) +} + +// dataPath defines the base directory relative to which user specific data files should be stored. +func (l lazypath) dataPath(elem ...string) string { + return l.path(DataHomeEnvVar, xdg.DataHomeEnvVar, dataHome, filepath.Join(elem...)) +} diff --git a/vendor/helm.sh/helm/v3/pkg/helmpath/lazypath_darwin.go b/vendor/helm.sh/helm/v3/pkg/helmpath/lazypath_darwin.go new file mode 100644 index 0000000000..eba6dde151 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/helmpath/lazypath_darwin.go @@ -0,0 +1,34 @@ +// Copyright The Helm Authors. +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at + +// http://www.apache.org/licenses/LICENSE-2.0 + +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +//go:build darwin + +package helmpath + +import ( + "path/filepath" + + "k8s.io/client-go/util/homedir" +) + +func dataHome() string { + return filepath.Join(homedir.HomeDir(), "Library") +} + +func configHome() string { + return filepath.Join(homedir.HomeDir(), "Library", "Preferences") +} + +func cacheHome() string { + return filepath.Join(homedir.HomeDir(), "Library", "Caches") +} diff --git a/vendor/helm.sh/helm/v3/pkg/helmpath/lazypath_unix.go b/vendor/helm.sh/helm/v3/pkg/helmpath/lazypath_unix.go new file mode 100644 index 0000000000..82fb4b6f1f --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/helmpath/lazypath_unix.go @@ -0,0 +1,45 @@ +// Copyright The Helm Authors. +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at + +// http://www.apache.org/licenses/LICENSE-2.0 + +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +//go:build !windows && !darwin + +package helmpath + +import ( + "path/filepath" + + "k8s.io/client-go/util/homedir" +) + +// dataHome defines the base directory relative to which user specific data files should be stored. +// +// If $XDG_DATA_HOME is either not set or empty, a default equal to $HOME/.local/share is used. +func dataHome() string { + return filepath.Join(homedir.HomeDir(), ".local", "share") +} + +// configHome defines the base directory relative to which user specific configuration files should +// be stored. +// +// If $XDG_CONFIG_HOME is either not set or empty, a default equal to $HOME/.config is used. +func configHome() string { + return filepath.Join(homedir.HomeDir(), ".config") +} + +// cacheHome defines the base directory relative to which user specific non-essential data files +// should be stored. +// +// If $XDG_CACHE_HOME is either not set or empty, a default equal to $HOME/.cache is used. +func cacheHome() string { + return filepath.Join(homedir.HomeDir(), ".cache") +} diff --git a/vendor/helm.sh/helm/v3/pkg/helmpath/lazypath_windows.go b/vendor/helm.sh/helm/v3/pkg/helmpath/lazypath_windows.go new file mode 100644 index 0000000000..230aee2a93 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/helmpath/lazypath_windows.go @@ -0,0 +1,24 @@ +// Copyright The Helm Authors. +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at + +// http://www.apache.org/licenses/LICENSE-2.0 + +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +//go:build windows + +package helmpath + +import "os" + +func dataHome() string { return configHome() } + +func configHome() string { return os.Getenv("APPDATA") } + +func cacheHome() string { return os.Getenv("TEMP") } diff --git a/vendor/helm.sh/helm/v3/pkg/helmpath/xdg/xdg.go b/vendor/helm.sh/helm/v3/pkg/helmpath/xdg/xdg.go new file mode 100644 index 0000000000..eaa3e68643 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/helmpath/xdg/xdg.go @@ -0,0 +1,34 @@ +/* +Copyright The Helm Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Package xdg holds constants pertaining to XDG Base Directory Specification. +// +// The XDG Base Directory Specification https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html +// specifies the environment variables that define user-specific base directories for various categories of files. +package xdg + +const ( + // CacheHomeEnvVar is the environment variable used by the + // XDG base directory specification for the cache directory. + CacheHomeEnvVar = "XDG_CACHE_HOME" + + // ConfigHomeEnvVar is the environment variable used by the + // XDG base directory specification for the config directory. + ConfigHomeEnvVar = "XDG_CONFIG_HOME" + + // DataHomeEnvVar is the environment variable used by the + // XDG base directory specification for the data directory. + DataHomeEnvVar = "XDG_DATA_HOME" +) diff --git a/vendor/helm.sh/helm/v3/pkg/ignore/doc.go b/vendor/helm.sh/helm/v3/pkg/ignore/doc.go new file mode 100644 index 0000000000..1f5e918477 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/ignore/doc.go @@ -0,0 +1,68 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +/* +Package ignore provides tools for writing ignore files (a la .gitignore). + +This provides both an ignore parser and a file-aware processor. + +The format of ignore files closely follows, but does not exactly match, the +format for .gitignore files (https://git-scm.com/docs/gitignore). + +The formatting rules are as follows: + + - Parsing is line-by-line + - Empty lines are ignored + - Lines that begin with # (comments) will be ignored + - Leading and trailing spaces are always ignored + - Inline comments are NOT supported ('foo* # Any foo' does not contain a comment) + - There is no support for multi-line patterns + - Shell glob patterns are supported. See Go's "path/filepath".Match + - If a pattern begins with a leading !, the match will be negated. + - If a pattern begins with a leading /, only paths relatively rooted will match. + - If the pattern ends with a trailing /, only directories will match + - If a pattern contains no slashes, file basenames are tested (not paths) + - The pattern sequence "**", while legal in a glob, will cause an error here + (to indicate incompatibility with .gitignore). + +Example: + + # Match any file named foo.txt + foo.txt + + # Match any text file + *.txt + + # Match only directories named mydir + mydir/ + + # Match only text files in the top-level directory + /*.txt + + # Match only the file foo.txt in the top-level directory + /foo.txt + + # Match any file named ab.txt, ac.txt, or ad.txt + a[b-d].txt + +Notable differences from .gitignore: + - The '**' syntax is not supported. + - The globbing library is Go's 'filepath.Match', not fnmatch(3) + - Trailing spaces are always ignored (there is no supported escape sequence) + - The evaluation of escape sequences has not been tested for compatibility + - There is no support for '\!' as a special leading sequence. +*/ +package ignore // import "helm.sh/helm/v3/pkg/ignore" diff --git a/vendor/helm.sh/helm/v3/pkg/ignore/rules.go b/vendor/helm.sh/helm/v3/pkg/ignore/rules.go new file mode 100644 index 0000000000..88de407ad8 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/ignore/rules.go @@ -0,0 +1,228 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package ignore + +import ( + "bufio" + "bytes" + "io" + "log" + "os" + "path/filepath" + "strings" + + "github.com/pkg/errors" +) + +// HelmIgnore default name of an ignorefile. +const HelmIgnore = ".helmignore" + +// Rules is a collection of path matching rules. +// +// Parse() and ParseFile() will construct and populate new Rules. +// Empty() will create an immutable empty ruleset. +type Rules struct { + patterns []*pattern +} + +// Empty builds an empty ruleset. +func Empty() *Rules { + return &Rules{patterns: []*pattern{}} +} + +// AddDefaults adds default ignore patterns. +// +// Ignore all dotfiles in "templates/" +func (r *Rules) AddDefaults() { + r.parseRule(`templates/.?*`) +} + +// ParseFile parses a helmignore file and returns the *Rules. +func ParseFile(file string) (*Rules, error) { + f, err := os.Open(file) + if err != nil { + return nil, err + } + defer f.Close() + return Parse(f) +} + +// Parse parses a rules file +func Parse(file io.Reader) (*Rules, error) { + r := &Rules{patterns: []*pattern{}} + + s := bufio.NewScanner(file) + currentLine := 0 + utf8bom := []byte{0xEF, 0xBB, 0xBF} + for s.Scan() { + scannedBytes := s.Bytes() + // We trim UTF8 BOM + if currentLine == 0 { + scannedBytes = bytes.TrimPrefix(scannedBytes, utf8bom) + } + line := string(scannedBytes) + currentLine++ + + if err := r.parseRule(line); err != nil { + return r, err + } + } + return r, s.Err() +} + +// Ignore evaluates the file at the given path, and returns true if it should be ignored. +// +// Ignore evaluates path against the rules in order. Evaluation stops when a match +// is found. Matching a negative rule will stop evaluation. +func (r *Rules) Ignore(path string, fi os.FileInfo) bool { + // Don't match on empty dirs. + if path == "" { + return false + } + + // Disallow ignoring the current working directory. + // See issue: + // 1776 (New York City) Hamilton: "Pardon me, are you Aaron Burr, sir?" + if path == "." || path == "./" { + return false + } + for _, p := range r.patterns { + if p.match == nil { + log.Printf("ignore: no matcher supplied for %q", p.raw) + return false + } + + // For negative rules, we need to capture and return non-matches, + // and continue for matches. + if p.negate { + if p.mustDir && !fi.IsDir() { + return true + } + if !p.match(path, fi) { + return true + } + continue + } + + // If the rule is looking for directories, and this is not a directory, + // skip it. + if p.mustDir && !fi.IsDir() { + continue + } + if p.match(path, fi) { + return true + } + } + return false +} + +// parseRule parses a rule string and creates a pattern, which is then stored in the Rules object. +func (r *Rules) parseRule(rule string) error { + rule = strings.TrimSpace(rule) + + // Ignore blank lines + if rule == "" { + return nil + } + // Comment + if strings.HasPrefix(rule, "#") { + return nil + } + + // Fail any rules that contain ** + if strings.Contains(rule, "**") { + return errors.New("double-star (**) syntax is not supported") + } + + // Fail any patterns that can't compile. A non-empty string must be + // given to Match() to avoid optimization that skips rule evaluation. + if _, err := filepath.Match(rule, "abc"); err != nil { + return err + } + + p := &pattern{raw: rule} + + // Negation is handled at a higher level, so strip the leading ! from the + // string. + if strings.HasPrefix(rule, "!") { + p.negate = true + rule = rule[1:] + } + + // Directory verification is handled by a higher level, so the trailing / + // is removed from the rule. That way, a directory named "foo" matches, + // even if the supplied string does not contain a literal slash character. + if strings.HasSuffix(rule, "/") { + p.mustDir = true + rule = strings.TrimSuffix(rule, "/") + } + + if strings.HasPrefix(rule, "/") { + // Require path matches the root path. + p.match = func(n string, _ os.FileInfo) bool { + rule = strings.TrimPrefix(rule, "/") + ok, err := filepath.Match(rule, n) + if err != nil { + log.Printf("Failed to compile %q: %s", rule, err) + return false + } + return ok + } + } else if strings.Contains(rule, "/") { + // require structural match. + p.match = func(n string, _ os.FileInfo) bool { + ok, err := filepath.Match(rule, n) + if err != nil { + log.Printf("Failed to compile %q: %s", rule, err) + return false + } + return ok + } + } else { + p.match = func(n string, _ os.FileInfo) bool { + // When there is no slash in the pattern, we evaluate ONLY the + // filename. + n = filepath.Base(n) + ok, err := filepath.Match(rule, n) + if err != nil { + log.Printf("Failed to compile %q: %s", rule, err) + return false + } + return ok + } + } + + r.patterns = append(r.patterns, p) + return nil +} + +// matcher is a function capable of computing a match. +// +// It returns true if the rule matches. +type matcher func(name string, fi os.FileInfo) bool + +// pattern describes a pattern to be matched in a rule set. +type pattern struct { + // raw is the unparsed string, with nothing stripped. + raw string + // match is the matcher function. + match matcher + // negate indicates that the rule's outcome should be negated. + negate bool + // mustDir indicates that the matched file must be a directory. + mustDir bool +} diff --git a/vendor/helm.sh/helm/v3/pkg/kube/client.go b/vendor/helm.sh/helm/v3/pkg/kube/client.go new file mode 100644 index 0000000000..6e71421199 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/kube/client.go @@ -0,0 +1,933 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package kube // import "helm.sh/helm/v3/pkg/kube" + +import ( + "bytes" + "context" + "encoding/json" + "fmt" + "io" + "os" + "path/filepath" + "reflect" + "strings" + "sync" + "time" + + jsonpatch "github.com/evanphx/json-patch" + "github.com/pkg/errors" + batch "k8s.io/api/batch/v1" + v1 "k8s.io/api/core/v1" + apiextv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" + apiextv1beta1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1" + apierrors "k8s.io/apimachinery/pkg/api/errors" + + multierror "github.com/hashicorp/go-multierror" + "k8s.io/apimachinery/pkg/api/meta" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" + metav1beta1 "k8s.io/apimachinery/pkg/apis/meta/v1beta1" + "k8s.io/apimachinery/pkg/fields" + "k8s.io/apimachinery/pkg/labels" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/types" + "k8s.io/apimachinery/pkg/util/jsonmergepatch" + "k8s.io/apimachinery/pkg/util/mergepatch" + "k8s.io/apimachinery/pkg/util/strategicpatch" + "k8s.io/apimachinery/pkg/watch" + "k8s.io/cli-runtime/pkg/genericclioptions" + "k8s.io/cli-runtime/pkg/resource" + "k8s.io/client-go/kubernetes" + "k8s.io/client-go/kubernetes/scheme" + "k8s.io/client-go/rest" + cachetools "k8s.io/client-go/tools/cache" + watchtools "k8s.io/client-go/tools/watch" + "k8s.io/client-go/util/retry" + cmdutil "k8s.io/kubectl/pkg/cmd/util" +) + +// ErrNoObjectsVisited indicates that during a visit operation, no matching objects were found. +var ErrNoObjectsVisited = errors.New("no objects visited") + +var metadataAccessor = meta.NewAccessor() + +// ManagedFieldsManager is the name of the manager of Kubernetes managedFields +// first introduced in Kubernetes 1.18 +var ManagedFieldsManager string + +// Client represents a client capable of communicating with the Kubernetes API. +type Client struct { + // Factory provides a minimal version of the kubectl Factory interface. If + // you need the full Factory you can type switch to the full interface. + // Since Kubernetes Go API does not provide backwards compatibility across + // minor versions, this API does not follow Helm backwards compatibility. + // Helm is exposing Kubernetes in this property and cannot guarantee this + // will not change. The minimal interface only has the functions that Helm + // needs. The smaller surface area of the interface means there is a lower + // chance of it changing. + Factory Factory + Log func(string, ...interface{}) + // Namespace allows to bypass the kubeconfig file for the choice of the namespace + Namespace string + + kubeClient kubernetes.Interface +} + +func init() { + // Add CRDs to the scheme. They are missing by default. + if err := apiextv1.AddToScheme(scheme.Scheme); err != nil { + // This should never happen. + panic(err) + } + if err := apiextv1beta1.AddToScheme(scheme.Scheme); err != nil { + panic(err) + } +} + +// New creates a new Client. +func New(getter genericclioptions.RESTClientGetter) *Client { + if getter == nil { + getter = genericclioptions.NewConfigFlags(true) + } + return &Client{ + Factory: cmdutil.NewFactory(getter), + Log: nopLogger, + } +} + +var nopLogger = func(_ string, _ ...interface{}) {} + +// getKubeClient get or create a new KubernetesClientSet +func (c *Client) getKubeClient() (kubernetes.Interface, error) { + var err error + if c.kubeClient == nil { + c.kubeClient, err = c.Factory.KubernetesClientSet() + } + + return c.kubeClient, err +} + +// IsReachable tests connectivity to the cluster. +func (c *Client) IsReachable() error { + client, err := c.getKubeClient() + if err == genericclioptions.ErrEmptyConfig { + // re-replace kubernetes ErrEmptyConfig error with a friendly error + // moar workarounds for Kubernetes API breaking. + return errors.New("Kubernetes cluster unreachable") + } + if err != nil { + return errors.Wrap(err, "Kubernetes cluster unreachable") + } + if _, err := client.Discovery().ServerVersion(); err != nil { + return errors.Wrap(err, "Kubernetes cluster unreachable") + } + return nil +} + +// Create creates Kubernetes resources specified in the resource list. +func (c *Client) Create(resources ResourceList) (*Result, error) { + c.Log("creating %d resource(s)", len(resources)) + if err := perform(resources, createResource); err != nil { + return nil, err + } + return &Result{Created: resources}, nil +} + +func transformRequests(req *rest.Request) { + tableParam := strings.Join([]string{ + fmt.Sprintf("application/json;as=Table;v=%s;g=%s", metav1.SchemeGroupVersion.Version, metav1.GroupName), + fmt.Sprintf("application/json;as=Table;v=%s;g=%s", metav1beta1.SchemeGroupVersion.Version, metav1beta1.GroupName), + "application/json", + }, ",") + req.SetHeader("Accept", tableParam) + + // if sorting, ensure we receive the full object in order to introspect its fields via jsonpath + req.Param("includeObject", "Object") +} + +// Get retrieves the resource objects supplied. If related is set to true the +// related pods are fetched as well. If the passed in resources are a table kind +// the related resources will also be fetched as kind=table. +func (c *Client) Get(resources ResourceList, related bool) (map[string][]runtime.Object, error) { + buf := new(bytes.Buffer) + objs := make(map[string][]runtime.Object) + + podSelectors := []map[string]string{} + err := resources.Visit(func(info *resource.Info, err error) error { + if err != nil { + return err + } + + gvk := info.ResourceMapping().GroupVersionKind + vk := gvk.Version + "/" + gvk.Kind + obj, err := getResource(info) + if err != nil { + fmt.Fprintf(buf, "Get resource %s failed, err:%v\n", info.Name, err) + } else { + objs[vk] = append(objs[vk], obj) + + // Only fetch related pods if they are requested + if related { + // Discover if the existing object is a table. If it is, request + // the pods as Tables. Otherwise request them normally. + objGVK := obj.GetObjectKind().GroupVersionKind() + var isTable bool + if objGVK.Kind == "Table" { + isTable = true + } + + objs, err = c.getSelectRelationPod(info, objs, isTable, &podSelectors) + if err != nil { + c.Log("Warning: get the relation pod is failed, err:%s", err.Error()) + } + } + } + + return nil + }) + if err != nil { + return nil, err + } + + return objs, nil +} + +func (c *Client) getSelectRelationPod(info *resource.Info, objs map[string][]runtime.Object, table bool, podSelectors *[]map[string]string) (map[string][]runtime.Object, error) { + if info == nil { + return objs, nil + } + c.Log("get relation pod of object: %s/%s/%s", info.Namespace, info.Mapping.GroupVersionKind.Kind, info.Name) + selector, ok, _ := getSelectorFromObject(info.Object) + if !ok { + return objs, nil + } + + for index := range *podSelectors { + if reflect.DeepEqual((*podSelectors)[index], selector) { + // check if pods for selectors are already added. This avoids duplicate printing of pods + return objs, nil + } + } + + *podSelectors = append(*podSelectors, selector) + + var infos []*resource.Info + var err error + if table { + infos, err = c.Factory.NewBuilder(). + Unstructured(). + ContinueOnError(). + NamespaceParam(info.Namespace). + DefaultNamespace(). + ResourceTypes("pods"). + LabelSelector(labels.Set(selector).AsSelector().String()). + TransformRequests(transformRequests). + Do().Infos() + if err != nil { + return objs, err + } + } else { + infos, err = c.Factory.NewBuilder(). + Unstructured(). + ContinueOnError(). + NamespaceParam(info.Namespace). + DefaultNamespace(). + ResourceTypes("pods"). + LabelSelector(labels.Set(selector).AsSelector().String()). + Do().Infos() + if err != nil { + return objs, err + } + } + vk := "v1/Pod(related)" + + for _, info := range infos { + objs[vk] = append(objs[vk], info.Object) + } + return objs, nil +} + +func getSelectorFromObject(obj runtime.Object) (map[string]string, bool, error) { + typed := obj.(*unstructured.Unstructured) + kind := typed.Object["kind"] + switch kind { + case "ReplicaSet", "Deployment", "StatefulSet", "DaemonSet", "Job": + return unstructured.NestedStringMap(typed.Object, "spec", "selector", "matchLabels") + case "ReplicationController": + return unstructured.NestedStringMap(typed.Object, "spec", "selector") + default: + return nil, false, nil + } +} + +func getResource(info *resource.Info) (runtime.Object, error) { + obj, err := resource.NewHelper(info.Client, info.Mapping).Get(info.Namespace, info.Name) + if err != nil { + return nil, err + } + return obj, nil +} + +// Wait waits up to the given timeout for the specified resources to be ready. +func (c *Client) Wait(resources ResourceList, timeout time.Duration) error { + cs, err := c.getKubeClient() + if err != nil { + return err + } + checker := NewReadyChecker(cs, c.Log, PausedAsReady(true)) + w := waiter{ + c: checker, + log: c.Log, + timeout: timeout, + } + return w.waitForResources(resources) +} + +// WaitWithJobs wait up to the given timeout for the specified resources to be ready, including jobs. +func (c *Client) WaitWithJobs(resources ResourceList, timeout time.Duration) error { + cs, err := c.getKubeClient() + if err != nil { + return err + } + checker := NewReadyChecker(cs, c.Log, PausedAsReady(true), CheckJobs(true)) + w := waiter{ + c: checker, + log: c.Log, + timeout: timeout, + } + return w.waitForResources(resources) +} + +// WaitForDelete wait up to the given timeout for the specified resources to be deleted. +func (c *Client) WaitForDelete(resources ResourceList, timeout time.Duration) error { + w := waiter{ + log: c.Log, + timeout: timeout, + } + return w.waitForDeletedResources(resources) +} + +func (c *Client) namespace() string { + if c.Namespace != "" { + return c.Namespace + } + if ns, _, err := c.Factory.ToRawKubeConfigLoader().Namespace(); err == nil { + return ns + } + return v1.NamespaceDefault +} + +// newBuilder returns a new resource builder for structured api objects. +func (c *Client) newBuilder() *resource.Builder { + return c.Factory.NewBuilder(). + ContinueOnError(). + NamespaceParam(c.namespace()). + DefaultNamespace(). + Flatten() +} + +// Build validates for Kubernetes objects and returns unstructured infos. +func (c *Client) Build(reader io.Reader, validate bool) (ResourceList, error) { + validationDirective := metav1.FieldValidationIgnore + if validate { + validationDirective = metav1.FieldValidationStrict + } + + schema, err := c.Factory.Validator(validationDirective) + if err != nil { + return nil, err + } + result, err := c.newBuilder(). + Unstructured(). + Schema(schema). + Stream(reader, ""). + Do().Infos() + return result, scrubValidationError(err) +} + +// BuildTable validates for Kubernetes objects and returns unstructured infos. +// The returned kind is a Table. +func (c *Client) BuildTable(reader io.Reader, validate bool) (ResourceList, error) { + validationDirective := metav1.FieldValidationIgnore + if validate { + validationDirective = metav1.FieldValidationStrict + } + + schema, err := c.Factory.Validator(validationDirective) + if err != nil { + return nil, err + } + result, err := c.newBuilder(). + Unstructured(). + Schema(schema). + Stream(reader, ""). + TransformRequests(transformRequests). + Do().Infos() + return result, scrubValidationError(err) +} + +func (c *Client) update(original, target ResourceList, force, threeWayMerge bool) (*Result, error) { + updateErrors := []string{} + res := &Result{} + + c.Log("checking %d resources for changes", len(target)) + err := target.Visit(func(info *resource.Info, err error) error { + if err != nil { + return err + } + + helper := resource.NewHelper(info.Client, info.Mapping).WithFieldManager(getManagedFieldsManager()) + if _, err := helper.Get(info.Namespace, info.Name); err != nil { + if !apierrors.IsNotFound(err) { + return errors.Wrap(err, "could not get information about the resource") + } + + // Append the created resource to the results, even if something fails + res.Created = append(res.Created, info) + + // Since the resource does not exist, create it. + if err := createResource(info); err != nil { + return errors.Wrap(err, "failed to create resource") + } + + kind := info.Mapping.GroupVersionKind.Kind + c.Log("Created a new %s called %q in %s\n", kind, info.Name, info.Namespace) + return nil + } + + originalInfo := original.Get(info) + if originalInfo == nil { + kind := info.Mapping.GroupVersionKind.Kind + return errors.Errorf("no %s with the name %q found", kind, info.Name) + } + + if err := updateResource(c, info, originalInfo.Object, force, threeWayMerge); err != nil { + c.Log("error updating the resource %q:\n\t %v", info.Name, err) + updateErrors = append(updateErrors, err.Error()) + } + // Because we check for errors later, append the info regardless + res.Updated = append(res.Updated, info) + + return nil + }) + + switch { + case err != nil: + return res, err + case len(updateErrors) != 0: + return res, errors.New(strings.Join(updateErrors, " && ")) + } + + for _, info := range original.Difference(target) { + c.Log("Deleting %s %q in namespace %s...", info.Mapping.GroupVersionKind.Kind, info.Name, info.Namespace) + + if err := info.Get(); err != nil { + c.Log("Unable to get obj %q, err: %s", info.Name, err) + continue + } + annotations, err := metadataAccessor.Annotations(info.Object) + if err != nil { + c.Log("Unable to get annotations on %q, err: %s", info.Name, err) + } + if annotations != nil && annotations[ResourcePolicyAnno] == KeepPolicy { + c.Log("Skipping delete of %q due to annotation [%s=%s]", info.Name, ResourcePolicyAnno, KeepPolicy) + continue + } + if err := deleteResource(info, metav1.DeletePropagationBackground); err != nil { + c.Log("Failed to delete %q, err: %s", info.ObjectName(), err) + continue + } + res.Deleted = append(res.Deleted, info) + } + return res, nil +} + +// Update takes the current list of objects and target list of objects and +// creates resources that don't already exist, updates resources that have been +// modified in the target configuration, and deletes resources from the current +// configuration that are not present in the target configuration. If an error +// occurs, a Result will still be returned with the error, containing all +// resource updates, creations, and deletions that were attempted. These can be +// used for cleanup or other logging purposes. +// +// The difference to Update is that UpdateThreeWayMerge does a three-way-merge +// for unstructured objects. +func (c *Client) UpdateThreeWayMerge(original, target ResourceList, force bool) (*Result, error) { + return c.update(original, target, force, true) +} + +// Update takes the current list of objects and target list of objects and +// creates resources that don't already exist, updates resources that have been +// modified in the target configuration, and deletes resources from the current +// configuration that are not present in the target configuration. If an error +// occurs, a Result will still be returned with the error, containing all +// resource updates, creations, and deletions that were attempted. These can be +// used for cleanup or other logging purposes. +func (c *Client) Update(original, target ResourceList, force bool) (*Result, error) { + return c.update(original, target, force, false) +} + +// Delete deletes Kubernetes resources specified in the resources list with +// background cascade deletion. It will attempt to delete all resources even +// if one or more fail and collect any errors. All successfully deleted items +// will be returned in the `Deleted` ResourceList that is part of the result. +func (c *Client) Delete(resources ResourceList) (*Result, []error) { + return rdelete(c, resources, metav1.DeletePropagationBackground) +} + +// Delete deletes Kubernetes resources specified in the resources list with +// given deletion propagation policy. It will attempt to delete all resources even +// if one or more fail and collect any errors. All successfully deleted items +// will be returned in the `Deleted` ResourceList that is part of the result. +func (c *Client) DeleteWithPropagationPolicy(resources ResourceList, policy metav1.DeletionPropagation) (*Result, []error) { + return rdelete(c, resources, policy) +} + +func rdelete(c *Client, resources ResourceList, propagation metav1.DeletionPropagation) (*Result, []error) { + var errs []error + res := &Result{} + mtx := sync.Mutex{} + err := perform(resources, func(info *resource.Info) error { + c.Log("Starting delete for %q %s", info.Name, info.Mapping.GroupVersionKind.Kind) + err := deleteResource(info, propagation) + if err == nil || apierrors.IsNotFound(err) { + if err != nil { + c.Log("Ignoring delete failure for %q %s: %v", info.Name, info.Mapping.GroupVersionKind, err) + } + mtx.Lock() + defer mtx.Unlock() + res.Deleted = append(res.Deleted, info) + return nil + } + mtx.Lock() + defer mtx.Unlock() + // Collect the error and continue on + errs = append(errs, err) + return nil + }) + if err != nil { + if errors.Is(err, ErrNoObjectsVisited) { + err = fmt.Errorf("object not found, skipping delete: %w", err) + } + errs = append(errs, err) + } + if errs != nil { + return nil, errs + } + return res, nil +} + +func (c *Client) watchTimeout(t time.Duration) func(*resource.Info) error { + return func(info *resource.Info) error { + return c.watchUntilReady(t, info) + } +} + +// WatchUntilReady watches the resources given and waits until it is ready. +// +// This method is mainly for hook implementations. It watches for a resource to +// hit a particular milestone. The milestone depends on the Kind. +// +// For most kinds, it checks to see if the resource is marked as Added or Modified +// by the Kubernetes event stream. For some kinds, it does more: +// +// - Jobs: A job is marked "Ready" when it has successfully completed. This is +// ascertained by watching the Status fields in a job's output. +// - Pods: A pod is marked "Ready" when it has successfully completed. This is +// ascertained by watching the status.phase field in a pod's output. +// +// Handling for other kinds will be added as necessary. +func (c *Client) WatchUntilReady(resources ResourceList, timeout time.Duration) error { + // For jobs, there's also the option to do poll c.Jobs(namespace).Get(): + // https://github.com/adamreese/kubernetes/blob/master/test/e2e/job.go#L291-L300 + return perform(resources, c.watchTimeout(timeout)) +} + +func perform(infos ResourceList, fn func(*resource.Info) error) error { + var result error + + if len(infos) == 0 { + return ErrNoObjectsVisited + } + + errs := make(chan error) + go batchPerform(infos, fn, errs) + + for range infos { + err := <-errs + if err != nil { + result = multierror.Append(result, err) + } + } + + return result +} + +// getManagedFieldsManager returns the manager string. If one was set it will be returned. +// Otherwise, one is calculated based on the name of the binary. +func getManagedFieldsManager() string { + + // When a manager is explicitly set use it + if ManagedFieldsManager != "" { + return ManagedFieldsManager + } + + // When no manager is set and no calling application can be found it is unknown + if len(os.Args[0]) == 0 { + return "unknown" + } + + // When there is an application that can be determined and no set manager + // use the base name. This is one of the ways Kubernetes libs handle figuring + // names out. + return filepath.Base(os.Args[0]) +} + +func batchPerform(infos ResourceList, fn func(*resource.Info) error, errs chan<- error) { + var kind string + var wg sync.WaitGroup + for _, info := range infos { + currentKind := info.Object.GetObjectKind().GroupVersionKind().Kind + if kind != currentKind { + wg.Wait() + kind = currentKind + } + wg.Add(1) + go func(i *resource.Info) { + errs <- fn(i) + wg.Done() + }(info) + } +} + +func createResource(info *resource.Info) error { + return retry.RetryOnConflict( + retry.DefaultRetry, + func() error { + obj, err := resource.NewHelper(info.Client, info.Mapping).WithFieldManager(getManagedFieldsManager()).Create(info.Namespace, true, info.Object) + if err != nil { + return err + } + return info.Refresh(obj, true) + }) +} + +func deleteResource(info *resource.Info, policy metav1.DeletionPropagation) error { + return retry.RetryOnConflict( + retry.DefaultRetry, + func() error { + opts := &metav1.DeleteOptions{PropagationPolicy: &policy} + _, err := resource.NewHelper(info.Client, info.Mapping).WithFieldManager(getManagedFieldsManager()).DeleteWithOptions(info.Namespace, info.Name, opts) + return err + }) +} + +func createPatch(target *resource.Info, current runtime.Object, threeWayMergeForUnstructured bool) ([]byte, types.PatchType, error) { + oldData, err := json.Marshal(current) + if err != nil { + return nil, types.StrategicMergePatchType, errors.Wrap(err, "serializing current configuration") + } + newData, err := json.Marshal(target.Object) + if err != nil { + return nil, types.StrategicMergePatchType, errors.Wrap(err, "serializing target configuration") + } + + // Fetch the current object for the three way merge + helper := resource.NewHelper(target.Client, target.Mapping).WithFieldManager(getManagedFieldsManager()) + currentObj, err := helper.Get(target.Namespace, target.Name) + if err != nil && !apierrors.IsNotFound(err) { + return nil, types.StrategicMergePatchType, errors.Wrapf(err, "unable to get data for current object %s/%s", target.Namespace, target.Name) + } + + // Even if currentObj is nil (because it was not found), it will marshal just fine + currentData, err := json.Marshal(currentObj) + if err != nil { + return nil, types.StrategicMergePatchType, errors.Wrap(err, "serializing live configuration") + } + + // Get a versioned object + versionedObject := AsVersioned(target) + + // Unstructured objects, such as CRDs, may not have a not registered error + // returned from ConvertToVersion. Anything that's unstructured should + // use generic JSON merge patch. Strategic Merge Patch is not supported + // on objects like CRDs. + _, isUnstructured := versionedObject.(runtime.Unstructured) + + // On newer K8s versions, CRDs aren't unstructured but has this dedicated type + _, isCRD := versionedObject.(*apiextv1beta1.CustomResourceDefinition) + + if isUnstructured || isCRD { + if threeWayMergeForUnstructured { + // from https://github.com/kubernetes/kubectl/blob/b83b2ec7d15f286720bccf7872b5c72372cb8e80/pkg/cmd/apply/patcher.go#L129 + preconditions := []mergepatch.PreconditionFunc{ + mergepatch.RequireKeyUnchanged("apiVersion"), + mergepatch.RequireKeyUnchanged("kind"), + mergepatch.RequireMetadataKeyUnchanged("name"), + } + patch, err := jsonmergepatch.CreateThreeWayJSONMergePatch(oldData, newData, currentData, preconditions...) + if err != nil && mergepatch.IsPreconditionFailed(err) { + err = fmt.Errorf("%w: at least one field was changed: apiVersion, kind or name", err) + } + return patch, types.MergePatchType, err + } + // fall back to generic JSON merge patch + patch, err := jsonpatch.CreateMergePatch(oldData, newData) + return patch, types.MergePatchType, err + } + + patchMeta, err := strategicpatch.NewPatchMetaFromStruct(versionedObject) + if err != nil { + return nil, types.StrategicMergePatchType, errors.Wrap(err, "unable to create patch metadata from object") + } + + patch, err := strategicpatch.CreateThreeWayMergePatch(oldData, newData, currentData, patchMeta, true) + return patch, types.StrategicMergePatchType, err +} + +func updateResource(c *Client, target *resource.Info, currentObj runtime.Object, force, threeWayMergeForUnstructured bool) error { + var ( + obj runtime.Object + helper = resource.NewHelper(target.Client, target.Mapping).WithFieldManager(getManagedFieldsManager()) + kind = target.Mapping.GroupVersionKind.Kind + ) + + // if --force is applied, attempt to replace the existing resource with the new object. + if force { + var err error + obj, err = helper.Replace(target.Namespace, target.Name, true, target.Object) + if err != nil { + return errors.Wrap(err, "failed to replace object") + } + c.Log("Replaced %q with kind %s for kind %s", target.Name, currentObj.GetObjectKind().GroupVersionKind().Kind, kind) + } else { + patch, patchType, err := createPatch(target, currentObj, threeWayMergeForUnstructured) + if err != nil { + return errors.Wrap(err, "failed to create patch") + } + + if patch == nil || string(patch) == "{}" { + c.Log("Looks like there are no changes for %s %q", kind, target.Name) + // This needs to happen to make sure that Helm has the latest info from the API + // Otherwise there will be no labels and other functions that use labels will panic + if err := target.Get(); err != nil { + return errors.Wrap(err, "failed to refresh resource information") + } + return nil + } + // send patch to server + c.Log("Patch %s %q in namespace %s", kind, target.Name, target.Namespace) + obj, err = helper.Patch(target.Namespace, target.Name, patchType, patch, nil) + if err != nil { + return errors.Wrapf(err, "cannot patch %q with kind %s", target.Name, kind) + } + } + + target.Refresh(obj, true) + return nil +} + +func (c *Client) watchUntilReady(timeout time.Duration, info *resource.Info) error { + kind := info.Mapping.GroupVersionKind.Kind + switch kind { + case "Job", "Pod": + default: + return nil + } + + c.Log("Watching for changes to %s %s with timeout of %v", kind, info.Name, timeout) + + // Use a selector on the name of the resource. This should be unique for the + // given version and kind + selector, err := fields.ParseSelector(fmt.Sprintf("metadata.name=%s", info.Name)) + if err != nil { + return err + } + lw := cachetools.NewListWatchFromClient(info.Client, info.Mapping.Resource.Resource, info.Namespace, selector) + + // What we watch for depends on the Kind. + // - For a Job, we watch for completion. + // - For all else, we watch until Ready. + // In the future, we might want to add some special logic for types + // like Ingress, Volume, etc. + + ctx, cancel := watchtools.ContextWithOptionalTimeout(context.Background(), timeout) + defer cancel() + _, err = watchtools.UntilWithSync(ctx, lw, &unstructured.Unstructured{}, nil, func(e watch.Event) (bool, error) { + // Make sure the incoming object is versioned as we use unstructured + // objects when we build manifests + obj := convertWithMapper(e.Object, info.Mapping) + switch e.Type { + case watch.Added, watch.Modified: + // For things like a secret or a config map, this is the best indicator + // we get. We care mostly about jobs, where what we want to see is + // the status go into a good state. For other types, like ReplicaSet + // we don't really do anything to support these as hooks. + c.Log("Add/Modify event for %s: %v", info.Name, e.Type) + switch kind { + case "Job": + return c.waitForJob(obj, info.Name) + case "Pod": + return c.waitForPodSuccess(obj, info.Name) + } + return true, nil + case watch.Deleted: + c.Log("Deleted event for %s", info.Name) + return true, nil + case watch.Error: + // Handle error and return with an error. + c.Log("Error event for %s", info.Name) + return true, errors.Errorf("failed to deploy %s", info.Name) + default: + return false, nil + } + }) + return err +} + +// waitForJob is a helper that waits for a job to complete. +// +// This operates on an event returned from a watcher. +func (c *Client) waitForJob(obj runtime.Object, name string) (bool, error) { + o, ok := obj.(*batch.Job) + if !ok { + return true, errors.Errorf("expected %s to be a *batch.Job, got %T", name, obj) + } + + for _, c := range o.Status.Conditions { + if c.Type == batch.JobComplete && c.Status == "True" { + return true, nil + } else if c.Type == batch.JobFailed && c.Status == "True" { + return true, errors.Errorf("job %s failed: %s", name, c.Reason) + } + } + + c.Log("%s: Jobs active: %d, jobs failed: %d, jobs succeeded: %d", name, o.Status.Active, o.Status.Failed, o.Status.Succeeded) + return false, nil +} + +// waitForPodSuccess is a helper that waits for a pod to complete. +// +// This operates on an event returned from a watcher. +func (c *Client) waitForPodSuccess(obj runtime.Object, name string) (bool, error) { + o, ok := obj.(*v1.Pod) + if !ok { + return true, errors.Errorf("expected %s to be a *v1.Pod, got %T", name, obj) + } + + switch o.Status.Phase { + case v1.PodSucceeded: + c.Log("Pod %s succeeded", o.Name) + return true, nil + case v1.PodFailed: + return true, errors.Errorf("pod %s failed", o.Name) + case v1.PodPending: + c.Log("Pod %s pending", o.Name) + case v1.PodRunning: + c.Log("Pod %s running", o.Name) + } + + return false, nil +} + +// GetPodList uses the kubernetes interface to get the list of pods filtered by listOptions +func (c *Client) GetPodList(namespace string, listOptions metav1.ListOptions) (*v1.PodList, error) { + podList, err := c.kubeClient.CoreV1().Pods(namespace).List(context.Background(), listOptions) + if err != nil { + return nil, fmt.Errorf("failed to get pod list with options: %+v with error: %v", listOptions, err) + } + return podList, nil +} + +// OutputContainerLogsForPodList is a helper that outputs logs for a list of pods +func (c *Client) OutputContainerLogsForPodList(podList *v1.PodList, namespace string, writerFunc func(namespace, pod, container string) io.Writer) error { + for _, pod := range podList.Items { + for _, container := range pod.Spec.Containers { + options := &v1.PodLogOptions{ + Container: container.Name, + } + request := c.kubeClient.CoreV1().Pods(namespace).GetLogs(pod.Name, options) + err2 := copyRequestStreamToWriter(request, pod.Name, container.Name, writerFunc(namespace, pod.Name, container.Name)) + if err2 != nil { + return err2 + } + } + } + return nil +} + +func copyRequestStreamToWriter(request *rest.Request, podName, containerName string, writer io.Writer) error { + readCloser, err := request.Stream(context.Background()) + if err != nil { + return errors.Errorf("Failed to stream pod logs for pod: %s, container: %s", podName, containerName) + } + defer readCloser.Close() + _, err = io.Copy(writer, readCloser) + if err != nil { + return errors.Errorf("Failed to copy IO from logs for pod: %s, container: %s", podName, containerName) + } + if err != nil { + return errors.Errorf("Failed to close reader for pod: %s, container: %s", podName, containerName) + } + return nil +} + +// scrubValidationError removes kubectl info from the message. +func scrubValidationError(err error) error { + if err == nil { + return nil + } + const stopValidateMessage = "if you choose to ignore these errors, turn validation off with --validate=false" + + if strings.Contains(err.Error(), stopValidateMessage) { + return errors.New(strings.ReplaceAll(err.Error(), "; "+stopValidateMessage, "")) + } + return err +} + +// WaitAndGetCompletedPodPhase waits up to a timeout until a pod enters a completed phase +// and returns said phase (PodSucceeded or PodFailed qualify). +func (c *Client) WaitAndGetCompletedPodPhase(name string, timeout time.Duration) (v1.PodPhase, error) { + client, err := c.getKubeClient() + if err != nil { + return v1.PodUnknown, err + } + to := int64(timeout) + watcher, err := client.CoreV1().Pods(c.namespace()).Watch(context.Background(), metav1.ListOptions{ + FieldSelector: fmt.Sprintf("metadata.name=%s", name), + TimeoutSeconds: &to, + }) + if err != nil { + return v1.PodUnknown, err + } + + for event := range watcher.ResultChan() { + p, ok := event.Object.(*v1.Pod) + if !ok { + return v1.PodUnknown, fmt.Errorf("%s not a pod", name) + } + switch p.Status.Phase { + case v1.PodFailed: + return v1.PodFailed, nil + case v1.PodSucceeded: + return v1.PodSucceeded, nil + } + } + + return v1.PodUnknown, err +} diff --git a/vendor/helm.sh/helm/v3/pkg/kube/config.go b/vendor/helm.sh/helm/v3/pkg/kube/config.go new file mode 100644 index 0000000000..e00c9acb15 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/kube/config.go @@ -0,0 +1,30 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package kube // import "helm.sh/helm/v3/pkg/kube" + +import "k8s.io/cli-runtime/pkg/genericclioptions" + +// GetConfig returns a Kubernetes client config. +// +// Deprecated +func GetConfig(kubeconfig, context, namespace string) *genericclioptions.ConfigFlags { + cf := genericclioptions.NewConfigFlags(true) + cf.Namespace = &namespace + cf.Context = &context + cf.KubeConfig = &kubeconfig + return cf +} diff --git a/vendor/helm.sh/helm/v3/pkg/kube/converter.go b/vendor/helm.sh/helm/v3/pkg/kube/converter.go new file mode 100644 index 0000000000..3bf0e358c3 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/kube/converter.go @@ -0,0 +1,69 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package kube // import "helm.sh/helm/v3/pkg/kube" + +import ( + "sync" + + apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" + apiextensionsv1beta1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1" + "k8s.io/apimachinery/pkg/api/meta" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/runtime/schema" + "k8s.io/cli-runtime/pkg/resource" + "k8s.io/client-go/kubernetes/scheme" +) + +var k8sNativeScheme *runtime.Scheme +var k8sNativeSchemeOnce sync.Once + +// AsVersioned converts the given info into a runtime.Object with the correct +// group and version set +func AsVersioned(info *resource.Info) runtime.Object { + return convertWithMapper(info.Object, info.Mapping) +} + +// convertWithMapper converts the given object with the optional provided +// RESTMapping. If no mapping is provided, the default schema versioner is used +func convertWithMapper(obj runtime.Object, mapping *meta.RESTMapping) runtime.Object { + s := kubernetesNativeScheme() + var gv = runtime.GroupVersioner(schema.GroupVersions(s.PrioritizedVersionsAllGroups())) + if mapping != nil { + gv = mapping.GroupVersionKind.GroupVersion() + } + if obj, err := runtime.ObjectConvertor(s).ConvertToVersion(obj, gv); err == nil { + return obj + } + return obj +} + +// kubernetesNativeScheme returns a clean *runtime.Scheme with _only_ Kubernetes +// native resources added to it. This is required to break free of custom resources +// that may have been added to scheme.Scheme due to Helm being used as a package in +// combination with e.g. a versioned kube client. If we would not do this, the client +// may attempt to perform e.g. a 3-way-merge strategy patch for custom resources. +func kubernetesNativeScheme() *runtime.Scheme { + k8sNativeSchemeOnce.Do(func() { + k8sNativeScheme = runtime.NewScheme() + scheme.AddToScheme(k8sNativeScheme) + // API extensions are not in the above scheme set, + // and must thus be added separately. + apiextensionsv1beta1.AddToScheme(k8sNativeScheme) + apiextensionsv1.AddToScheme(k8sNativeScheme) + }) + return k8sNativeScheme +} diff --git a/vendor/helm.sh/helm/v3/pkg/kube/factory.go b/vendor/helm.sh/helm/v3/pkg/kube/factory.go new file mode 100644 index 0000000000..f19d62dc3c --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/kube/factory.go @@ -0,0 +1,51 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package kube // import "helm.sh/helm/v3/pkg/kube" + +import ( + "k8s.io/cli-runtime/pkg/resource" + "k8s.io/client-go/dynamic" + "k8s.io/client-go/kubernetes" + "k8s.io/client-go/tools/clientcmd" + "k8s.io/kubectl/pkg/validation" +) + +// Factory provides abstractions that allow the Kubectl command to be extended across multiple types +// of resources and different API sets. +// This interface is a minimal copy of the kubectl Factory interface containing only the functions +// needed by Helm. Since Kubernetes Go APIs, including interfaces, can change in any minor release +// this interface is not covered by the Helm backwards compatibility guarantee. The reasons for the +// minimal copy is that it does not include the full interface. Changes or additions to functions +// Helm does not need are not impacted or exposed. This minimizes the impact of Kubernetes changes +// being exposed. +type Factory interface { + // ToRawKubeConfigLoader return kubeconfig loader as-is + ToRawKubeConfigLoader() clientcmd.ClientConfig + + // DynamicClient returns a dynamic client ready for use + DynamicClient() (dynamic.Interface, error) + + // KubernetesClientSet gives you back an external clientset + KubernetesClientSet() (*kubernetes.Clientset, error) + + // NewBuilder returns an object that assists in loading objects from both disk and the server + // and which implements the common patterns for CLI interactions with generic resources. + NewBuilder() *resource.Builder + + // Returns a schema that can validate objects stored on disk. + Validator(validationDirective string) (validation.Schema, error) +} diff --git a/vendor/helm.sh/helm/v3/pkg/kube/fake/fake.go b/vendor/helm.sh/helm/v3/pkg/kube/fake/fake.go new file mode 100644 index 0000000000..852a3e015d --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/kube/fake/fake.go @@ -0,0 +1,172 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Package fake implements various fake KubeClients for use in testing +package fake + +import ( + "io" + "time" + + v1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/cli-runtime/pkg/resource" + + "helm.sh/helm/v3/pkg/kube" +) + +// FailingKubeClient implements KubeClient for testing purposes. It also has +// additional errors you can set to fail different functions, otherwise it +// delegates all its calls to `PrintingKubeClient` +type FailingKubeClient struct { + PrintingKubeClient + CreateError error + GetError error + WaitError error + DeleteError error + DeleteWithPropagationError error + WatchUntilReadyError error + UpdateError error + BuildError error + BuildTableError error + BuildDummy bool + DummyResources kube.ResourceList + BuildUnstructuredError error + WaitAndGetCompletedPodPhaseError error + WaitDuration time.Duration +} + +// Create returns the configured error if set or prints +func (f *FailingKubeClient) Create(resources kube.ResourceList) (*kube.Result, error) { + if f.CreateError != nil { + return nil, f.CreateError + } + return f.PrintingKubeClient.Create(resources) +} + +// Get returns the configured error if set or prints +func (f *FailingKubeClient) Get(resources kube.ResourceList, related bool) (map[string][]runtime.Object, error) { + if f.GetError != nil { + return nil, f.GetError + } + return f.PrintingKubeClient.Get(resources, related) +} + +// Waits the amount of time defined on f.WaitDuration, then returns the configured error if set or prints. +func (f *FailingKubeClient) Wait(resources kube.ResourceList, d time.Duration) error { + time.Sleep(f.WaitDuration) + if f.WaitError != nil { + return f.WaitError + } + return f.PrintingKubeClient.Wait(resources, d) +} + +// WaitWithJobs returns the configured error if set or prints +func (f *FailingKubeClient) WaitWithJobs(resources kube.ResourceList, d time.Duration) error { + if f.WaitError != nil { + return f.WaitError + } + return f.PrintingKubeClient.WaitWithJobs(resources, d) +} + +// WaitForDelete returns the configured error if set or prints +func (f *FailingKubeClient) WaitForDelete(resources kube.ResourceList, d time.Duration) error { + if f.WaitError != nil { + return f.WaitError + } + return f.PrintingKubeClient.WaitForDelete(resources, d) +} + +// Delete returns the configured error if set or prints +func (f *FailingKubeClient) Delete(resources kube.ResourceList) (*kube.Result, []error) { + if f.DeleteError != nil { + return nil, []error{f.DeleteError} + } + return f.PrintingKubeClient.Delete(resources) +} + +// WatchUntilReady returns the configured error if set or prints +func (f *FailingKubeClient) WatchUntilReady(resources kube.ResourceList, d time.Duration) error { + if f.WatchUntilReadyError != nil { + return f.WatchUntilReadyError + } + return f.PrintingKubeClient.WatchUntilReady(resources, d) +} + +// Update returns the configured error if set or prints +func (f *FailingKubeClient) Update(r, modified kube.ResourceList, ignoreMe bool) (*kube.Result, error) { + if f.UpdateError != nil { + return &kube.Result{}, f.UpdateError + } + return f.PrintingKubeClient.Update(r, modified, ignoreMe) +} + +// Update returns the configured error if set or prints +func (f *FailingKubeClient) UpdateThreeWayMerge(r, modified kube.ResourceList, ignoreMe bool) (*kube.Result, error) { + if f.UpdateError != nil { + return &kube.Result{}, f.UpdateError + } + return f.PrintingKubeClient.Update(r, modified, ignoreMe) +} + +// Build returns the configured error if set or prints +func (f *FailingKubeClient) Build(r io.Reader, _ bool) (kube.ResourceList, error) { + if f.BuildError != nil { + return []*resource.Info{}, f.BuildError + } + if f.DummyResources != nil { + return f.DummyResources, nil + } + if f.BuildDummy { + return createDummyResourceList(), nil + } + return f.PrintingKubeClient.Build(r, false) +} + +// BuildTable returns the configured error if set or prints +func (f *FailingKubeClient) BuildTable(r io.Reader, _ bool) (kube.ResourceList, error) { + if f.BuildTableError != nil { + return []*resource.Info{}, f.BuildTableError + } + return f.PrintingKubeClient.BuildTable(r, false) +} + +// WaitAndGetCompletedPodPhase returns the configured error if set or prints +func (f *FailingKubeClient) WaitAndGetCompletedPodPhase(s string, d time.Duration) (v1.PodPhase, error) { + if f.WaitAndGetCompletedPodPhaseError != nil { + return v1.PodSucceeded, f.WaitAndGetCompletedPodPhaseError + } + return f.PrintingKubeClient.WaitAndGetCompletedPodPhase(s, d) +} + +// DeleteWithPropagationPolicy returns the configured error if set or prints +func (f *FailingKubeClient) DeleteWithPropagationPolicy(resources kube.ResourceList, policy metav1.DeletionPropagation) (*kube.Result, []error) { + if f.DeleteWithPropagationError != nil { + return nil, []error{f.DeleteWithPropagationError} + } + return f.PrintingKubeClient.DeleteWithPropagationPolicy(resources, policy) +} + +func createDummyResourceList() kube.ResourceList { + var resInfo resource.Info + resInfo.Name = "dummyName" + resInfo.Namespace = "dummyNamespace" + var resourceList kube.ResourceList + resourceList.Append(&resInfo) + return resourceList + +} diff --git a/vendor/helm.sh/helm/v3/pkg/kube/fake/printer.go b/vendor/helm.sh/helm/v3/pkg/kube/fake/printer.go new file mode 100644 index 0000000000..95c89e0fd5 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/kube/fake/printer.go @@ -0,0 +1,149 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package fake + +import ( + "fmt" + "io" + "strings" + "time" + + v1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/cli-runtime/pkg/resource" + + "helm.sh/helm/v3/pkg/kube" +) + +// PrintingKubeClient implements KubeClient, but simply prints the reader to +// the given output. +type PrintingKubeClient struct { + Out io.Writer + LogOutput io.Writer +} + +// IsReachable checks if the cluster is reachable +func (p *PrintingKubeClient) IsReachable() error { + return nil +} + +// Create prints the values of what would be created with a real KubeClient. +func (p *PrintingKubeClient) Create(resources kube.ResourceList) (*kube.Result, error) { + _, err := io.Copy(p.Out, bufferize(resources)) + if err != nil { + return nil, err + } + return &kube.Result{Created: resources}, nil +} + +func (p *PrintingKubeClient) Get(resources kube.ResourceList, _ bool) (map[string][]runtime.Object, error) { + _, err := io.Copy(p.Out, bufferize(resources)) + if err != nil { + return nil, err + } + return make(map[string][]runtime.Object), nil +} + +func (p *PrintingKubeClient) Wait(resources kube.ResourceList, _ time.Duration) error { + _, err := io.Copy(p.Out, bufferize(resources)) + return err +} + +func (p *PrintingKubeClient) WaitWithJobs(resources kube.ResourceList, _ time.Duration) error { + _, err := io.Copy(p.Out, bufferize(resources)) + return err +} + +func (p *PrintingKubeClient) WaitForDelete(resources kube.ResourceList, _ time.Duration) error { + _, err := io.Copy(p.Out, bufferize(resources)) + return err +} + +// Delete implements KubeClient delete. +// +// It only prints out the content to be deleted. +func (p *PrintingKubeClient) Delete(resources kube.ResourceList) (*kube.Result, []error) { + _, err := io.Copy(p.Out, bufferize(resources)) + if err != nil { + return nil, []error{err} + } + return &kube.Result{Deleted: resources}, nil +} + +// WatchUntilReady implements KubeClient WatchUntilReady. +func (p *PrintingKubeClient) WatchUntilReady(resources kube.ResourceList, _ time.Duration) error { + _, err := io.Copy(p.Out, bufferize(resources)) + return err +} + +// Update implements KubeClient Update. +func (p *PrintingKubeClient) Update(_, modified kube.ResourceList, _ bool) (*kube.Result, error) { + _, err := io.Copy(p.Out, bufferize(modified)) + if err != nil { + return nil, err + } + // TODO: This doesn't completely mock out have some that get created, + // updated, and deleted. I don't think these are used in any unit tests, but + // we may want to refactor a way to handle future tests + return &kube.Result{Updated: modified}, nil +} + +// Build implements KubeClient Build. +func (p *PrintingKubeClient) Build(_ io.Reader, _ bool) (kube.ResourceList, error) { + return []*resource.Info{}, nil +} + +// BuildTable implements KubeClient BuildTable. +func (p *PrintingKubeClient) BuildTable(_ io.Reader, _ bool) (kube.ResourceList, error) { + return []*resource.Info{}, nil +} + +// WaitAndGetCompletedPodPhase implements KubeClient WaitAndGetCompletedPodPhase. +func (p *PrintingKubeClient) WaitAndGetCompletedPodPhase(_ string, _ time.Duration) (v1.PodPhase, error) { + return v1.PodSucceeded, nil +} + +// GetPodList implements KubeClient GetPodList. +func (p *PrintingKubeClient) GetPodList(_ string, _ metav1.ListOptions) (*v1.PodList, error) { + return &v1.PodList{}, nil +} + +// OutputContainerLogsForPodList implements KubeClient OutputContainerLogsForPodList. +func (p *PrintingKubeClient) OutputContainerLogsForPodList(_ *v1.PodList, someNamespace string, _ func(namespace, pod, container string) io.Writer) error { + _, err := io.Copy(p.LogOutput, strings.NewReader(fmt.Sprintf("attempted to output logs for namespace: %s", someNamespace))) + return err +} + +// DeleteWithPropagationPolicy implements KubeClient delete. +// +// It only prints out the content to be deleted. +func (p *PrintingKubeClient) DeleteWithPropagationPolicy(resources kube.ResourceList, _ metav1.DeletionPropagation) (*kube.Result, []error) { + _, err := io.Copy(p.Out, bufferize(resources)) + if err != nil { + return nil, []error{err} + } + return &kube.Result{Deleted: resources}, nil +} + +func bufferize(resources kube.ResourceList) io.Reader { + var builder strings.Builder + for _, info := range resources { + builder.WriteString(info.String() + "\n") + } + return strings.NewReader(builder.String()) +} diff --git a/vendor/helm.sh/helm/v3/pkg/kube/interface.go b/vendor/helm.sh/helm/v3/pkg/kube/interface.go new file mode 100644 index 0000000000..db7591f650 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/kube/interface.go @@ -0,0 +1,136 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package kube + +import ( + "io" + "time" + + v1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" +) + +// Interface represents a client capable of communicating with the Kubernetes API. +// +// A KubernetesClient must be concurrency safe. +type Interface interface { + // Create creates one or more resources. + Create(resources ResourceList) (*Result, error) + + // Wait waits up to the given timeout for the specified resources to be ready. + Wait(resources ResourceList, timeout time.Duration) error + + // WaitWithJobs wait up to the given timeout for the specified resources to be ready, including jobs. + WaitWithJobs(resources ResourceList, timeout time.Duration) error + + // Delete destroys one or more resources. + Delete(resources ResourceList) (*Result, []error) + + // WatchUntilReady watches the resources given and waits until it is ready. + // + // This method is mainly for hook implementations. It watches for a resource to + // hit a particular milestone. The milestone depends on the Kind. + // + // For Jobs, "ready" means the Job ran to completion (exited without error). + // For Pods, "ready" means the Pod phase is marked "succeeded". + // For all other kinds, it means the kind was created or modified without + // error. + WatchUntilReady(resources ResourceList, timeout time.Duration) error + + // Update updates one or more resources or creates the resource + // if it doesn't exist. + Update(original, target ResourceList, force bool) (*Result, error) + + // Build creates a resource list from a Reader. + // + // Reader must contain a YAML stream (one or more YAML documents separated + // by "\n---\n") + // + // Validates against OpenAPI schema if validate is true. + Build(reader io.Reader, validate bool) (ResourceList, error) + + // WaitAndGetCompletedPodPhase waits up to a timeout until a pod enters a completed phase + // and returns said phase (PodSucceeded or PodFailed qualify). + WaitAndGetCompletedPodPhase(name string, timeout time.Duration) (v1.PodPhase, error) + + // IsReachable checks whether the client is able to connect to the cluster. + IsReachable() error +} + +// InterfaceExt was introduced to avoid breaking backwards compatibility for Interface implementers. +// +// TODO Helm 4: Remove InterfaceExt and integrate its method(s) into the Interface. +type InterfaceExt interface { + // WaitForDelete wait up to the given timeout for the specified resources to be deleted. + WaitForDelete(resources ResourceList, timeout time.Duration) error +} + +// InterfaceThreeWayMerge was introduced to avoid breaking backwards compatibility for Interface implementers. +// +// TODO Helm 4: Remove InterfaceThreeWayMerge and integrate its method(s) into the Interface. +type InterfaceThreeWayMerge interface { + UpdateThreeWayMerge(original, target ResourceList, force bool) (*Result, error) +} + +// InterfaceLogs was introduced to avoid breaking backwards compatibility for Interface implementers. +// +// TODO Helm 4: Remove InterfaceLogs and integrate its method(s) into the Interface. +type InterfaceLogs interface { + // GetPodList list all pods that match the specified listOptions + GetPodList(namespace string, listOptions metav1.ListOptions) (*v1.PodList, error) + + // OutputContainerLogsForPodList output the logs for a pod list + OutputContainerLogsForPodList(podList *v1.PodList, namespace string, writerFunc func(namespace, pod, container string) io.Writer) error +} + +// InterfaceDeletionPropagation is introduced to avoid breaking backwards compatibility for Interface implementers. +// +// TODO Helm 4: Remove InterfaceDeletionPropagation and integrate its method(s) into the Interface. +type InterfaceDeletionPropagation interface { + // DeleteWithPropagationPolicy destroys one or more resources. The deletion propagation is handled as per the given deletion propagation value. + DeleteWithPropagationPolicy(resources ResourceList, policy metav1.DeletionPropagation) (*Result, []error) +} + +// InterfaceResources is introduced to avoid breaking backwards compatibility for Interface implementers. +// +// TODO Helm 4: Remove InterfaceResources and integrate its method(s) into the Interface. +type InterfaceResources interface { + // Get details of deployed resources. + // The first argument is a list of resources to get. The second argument + // specifies if related pods should be fetched. For example, the pods being + // managed by a deployment. + Get(resources ResourceList, related bool) (map[string][]runtime.Object, error) + + // BuildTable creates a resource list from a Reader. This differs from + // Interface.Build() in that a table kind is returned. A table is useful + // if you want to use a printer to display the information. + // + // Reader must contain a YAML stream (one or more YAML documents separated + // by "\n---\n") + // + // Validates against OpenAPI schema if validate is true. + // TODO Helm 4: Integrate into Build with an argument + BuildTable(reader io.Reader, validate bool) (ResourceList, error) +} + +var _ Interface = (*Client)(nil) +var _ InterfaceExt = (*Client)(nil) +var _ InterfaceThreeWayMerge = (*Client)(nil) +var _ InterfaceLogs = (*Client)(nil) +var _ InterfaceDeletionPropagation = (*Client)(nil) +var _ InterfaceResources = (*Client)(nil) diff --git a/vendor/helm.sh/helm/v3/pkg/kube/ready.go b/vendor/helm.sh/helm/v3/pkg/kube/ready.go new file mode 100644 index 0000000000..55c4a39bf1 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/kube/ready.go @@ -0,0 +1,463 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package kube // import "helm.sh/helm/v3/pkg/kube" + +import ( + "context" + "fmt" + + appsv1 "k8s.io/api/apps/v1" + appsv1beta1 "k8s.io/api/apps/v1beta1" + appsv1beta2 "k8s.io/api/apps/v1beta2" + batchv1 "k8s.io/api/batch/v1" + corev1 "k8s.io/api/core/v1" + extensionsv1beta1 "k8s.io/api/extensions/v1beta1" + apiextv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" + apiextv1beta1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/util/intstr" + "k8s.io/cli-runtime/pkg/resource" + "k8s.io/client-go/kubernetes" + "k8s.io/client-go/kubernetes/scheme" + + deploymentutil "helm.sh/helm/v3/internal/third_party/k8s.io/kubernetes/deployment/util" +) + +// ReadyCheckerOption is a function that configures a ReadyChecker. +type ReadyCheckerOption func(*ReadyChecker) + +// PausedAsReady returns a ReadyCheckerOption that configures a ReadyChecker +// to consider paused resources to be ready. For example a Deployment +// with spec.paused equal to true would be considered ready. +func PausedAsReady(pausedAsReady bool) ReadyCheckerOption { + return func(c *ReadyChecker) { + c.pausedAsReady = pausedAsReady + } +} + +// CheckJobs returns a ReadyCheckerOption that configures a ReadyChecker +// to consider readiness of Job resources. +func CheckJobs(checkJobs bool) ReadyCheckerOption { + return func(c *ReadyChecker) { + c.checkJobs = checkJobs + } +} + +// NewReadyChecker creates a new checker. Passed ReadyCheckerOptions can +// be used to override defaults. +func NewReadyChecker(cl kubernetes.Interface, log func(string, ...interface{}), opts ...ReadyCheckerOption) ReadyChecker { + c := ReadyChecker{ + client: cl, + log: log, + } + if c.log == nil { + c.log = nopLogger + } + for _, opt := range opts { + opt(&c) + } + return c +} + +// ReadyChecker is a type that can check core Kubernetes types for readiness. +type ReadyChecker struct { + client kubernetes.Interface + log func(string, ...interface{}) + checkJobs bool + pausedAsReady bool +} + +// IsReady checks if v is ready. It supports checking readiness for pods, +// deployments, persistent volume claims, services, daemon sets, custom +// resource definitions, stateful sets, replication controllers, jobs (optional), +// and replica sets. All other resource kinds are always considered ready. +// +// IsReady will fetch the latest state of the object from the server prior to +// performing readiness checks, and it will return any error encountered. +func (c *ReadyChecker) IsReady(ctx context.Context, v *resource.Info) (bool, error) { + switch value := AsVersioned(v).(type) { + case *corev1.Pod: + pod, err := c.client.CoreV1().Pods(v.Namespace).Get(ctx, v.Name, metav1.GetOptions{}) + if err != nil || !c.isPodReady(pod) { + return false, err + } + case *batchv1.Job: + if c.checkJobs { + job, err := c.client.BatchV1().Jobs(v.Namespace).Get(ctx, v.Name, metav1.GetOptions{}) + if err != nil { + return false, err + } + ready, err := c.jobReady(job) + return ready, err + } + case *appsv1.Deployment, *appsv1beta1.Deployment, *appsv1beta2.Deployment, *extensionsv1beta1.Deployment: + currentDeployment, err := c.client.AppsV1().Deployments(v.Namespace).Get(ctx, v.Name, metav1.GetOptions{}) + if err != nil { + return false, err + } + // If paused deployment will never be ready + if currentDeployment.Spec.Paused { + return c.pausedAsReady, nil + } + // Find RS associated with deployment + newReplicaSet, err := deploymentutil.GetNewReplicaSet(currentDeployment, c.client.AppsV1()) + if err != nil || newReplicaSet == nil { + return false, err + } + if !c.deploymentReady(newReplicaSet, currentDeployment) { + return false, nil + } + case *corev1.PersistentVolumeClaim: + claim, err := c.client.CoreV1().PersistentVolumeClaims(v.Namespace).Get(ctx, v.Name, metav1.GetOptions{}) + if err != nil { + return false, err + } + if !c.volumeReady(claim) { + return false, nil + } + case *corev1.Service: + svc, err := c.client.CoreV1().Services(v.Namespace).Get(ctx, v.Name, metav1.GetOptions{}) + if err != nil { + return false, err + } + if !c.serviceReady(svc) { + return false, nil + } + case *extensionsv1beta1.DaemonSet, *appsv1.DaemonSet, *appsv1beta2.DaemonSet: + ds, err := c.client.AppsV1().DaemonSets(v.Namespace).Get(ctx, v.Name, metav1.GetOptions{}) + if err != nil { + return false, err + } + if !c.daemonSetReady(ds) { + return false, nil + } + case *apiextv1beta1.CustomResourceDefinition: + if err := v.Get(); err != nil { + return false, err + } + crd := &apiextv1beta1.CustomResourceDefinition{} + if err := scheme.Scheme.Convert(v.Object, crd, nil); err != nil { + return false, err + } + if !c.crdBetaReady(*crd) { + return false, nil + } + case *apiextv1.CustomResourceDefinition: + if err := v.Get(); err != nil { + return false, err + } + crd := &apiextv1.CustomResourceDefinition{} + if err := scheme.Scheme.Convert(v.Object, crd, nil); err != nil { + return false, err + } + if !c.crdReady(*crd) { + return false, nil + } + case *appsv1.StatefulSet, *appsv1beta1.StatefulSet, *appsv1beta2.StatefulSet: + sts, err := c.client.AppsV1().StatefulSets(v.Namespace).Get(ctx, v.Name, metav1.GetOptions{}) + if err != nil { + return false, err + } + if !c.statefulSetReady(sts) { + return false, nil + } + case *corev1.ReplicationController: + rc, err := c.client.CoreV1().ReplicationControllers(v.Namespace).Get(ctx, v.Name, metav1.GetOptions{}) + if err != nil { + return false, err + } + if !c.replicationControllerReady(rc) { + return false, nil + } + ready, err := c.podsReadyForObject(ctx, v.Namespace, value) + if !ready || err != nil { + return false, err + } + case *extensionsv1beta1.ReplicaSet, *appsv1beta2.ReplicaSet, *appsv1.ReplicaSet: + rs, err := c.client.AppsV1().ReplicaSets(v.Namespace).Get(ctx, v.Name, metav1.GetOptions{}) + if err != nil { + return false, err + } + if !c.replicaSetReady(rs) { + return false, nil + } + ready, err := c.podsReadyForObject(ctx, v.Namespace, value) + if !ready || err != nil { + return false, err + } + } + return true, nil +} + +func (c *ReadyChecker) podsReadyForObject(ctx context.Context, namespace string, obj runtime.Object) (bool, error) { + pods, err := c.podsforObject(ctx, namespace, obj) + if err != nil { + return false, err + } + for _, pod := range pods { + if !c.isPodReady(&pod) { + return false, nil + } + } + return true, nil +} + +func (c *ReadyChecker) podsforObject(ctx context.Context, namespace string, obj runtime.Object) ([]corev1.Pod, error) { + selector, err := SelectorsForObject(obj) + if err != nil { + return nil, err + } + list, err := getPods(ctx, c.client, namespace, selector.String()) + return list, err +} + +// isPodReady returns true if a pod is ready; false otherwise. +func (c *ReadyChecker) isPodReady(pod *corev1.Pod) bool { + for _, c := range pod.Status.Conditions { + if c.Type == corev1.PodReady && c.Status == corev1.ConditionTrue { + return true + } + } + c.log("Pod is not ready: %s/%s", pod.GetNamespace(), pod.GetName()) + return false +} + +func (c *ReadyChecker) jobReady(job *batchv1.Job) (bool, error) { + if job.Status.Failed > *job.Spec.BackoffLimit { + c.log("Job is failed: %s/%s", job.GetNamespace(), job.GetName()) + // If a job is failed, it can't recover, so throw an error + return false, fmt.Errorf("job is failed: %s/%s", job.GetNamespace(), job.GetName()) + } + if job.Spec.Completions != nil && job.Status.Succeeded < *job.Spec.Completions { + c.log("Job is not completed: %s/%s", job.GetNamespace(), job.GetName()) + return false, nil + } + return true, nil +} + +func (c *ReadyChecker) serviceReady(s *corev1.Service) bool { + // ExternalName Services are external to cluster so helm shouldn't be checking to see if they're 'ready' (i.e. have an IP Set) + if s.Spec.Type == corev1.ServiceTypeExternalName { + return true + } + + // Ensure that the service cluster IP is not empty + if s.Spec.ClusterIP == "" { + c.log("Service does not have cluster IP address: %s/%s", s.GetNamespace(), s.GetName()) + return false + } + + // This checks if the service has a LoadBalancer and that balancer has an Ingress defined + if s.Spec.Type == corev1.ServiceTypeLoadBalancer { + // do not wait when at least 1 external IP is set + if len(s.Spec.ExternalIPs) > 0 { + c.log("Service %s/%s has external IP addresses (%v), marking as ready", s.GetNamespace(), s.GetName(), s.Spec.ExternalIPs) + return true + } + + if s.Status.LoadBalancer.Ingress == nil { + c.log("Service does not have load balancer ingress IP address: %s/%s", s.GetNamespace(), s.GetName()) + return false + } + } + + return true +} + +func (c *ReadyChecker) volumeReady(v *corev1.PersistentVolumeClaim) bool { + if v.Status.Phase != corev1.ClaimBound { + c.log("PersistentVolumeClaim is not bound: %s/%s", v.GetNamespace(), v.GetName()) + return false + } + return true +} + +func (c *ReadyChecker) deploymentReady(rs *appsv1.ReplicaSet, dep *appsv1.Deployment) bool { + // Verify the replicaset readiness + if !c.replicaSetReady(rs) { + return false + } + // Verify the generation observed by the deployment controller matches the spec generation + if dep.Status.ObservedGeneration != dep.ObjectMeta.Generation { + c.log("Deployment is not ready: %s/%s. observedGeneration (%d) does not match spec generation (%d).", dep.Namespace, dep.Name, dep.Status.ObservedGeneration, dep.ObjectMeta.Generation) + return false + } + + expectedReady := *dep.Spec.Replicas - deploymentutil.MaxUnavailable(*dep) + if !(rs.Status.ReadyReplicas >= expectedReady) { + c.log("Deployment is not ready: %s/%s. %d out of %d expected pods are ready", dep.Namespace, dep.Name, rs.Status.ReadyReplicas, expectedReady) + return false + } + return true +} + +func (c *ReadyChecker) daemonSetReady(ds *appsv1.DaemonSet) bool { + // Verify the generation observed by the daemonSet controller matches the spec generation + if ds.Status.ObservedGeneration != ds.ObjectMeta.Generation { + c.log("DaemonSet is not ready: %s/%s. observedGeneration (%d) does not match spec generation (%d).", ds.Namespace, ds.Name, ds.Status.ObservedGeneration, ds.ObjectMeta.Generation) + return false + } + + // If the update strategy is not a rolling update, there will be nothing to wait for + if ds.Spec.UpdateStrategy.Type != appsv1.RollingUpdateDaemonSetStrategyType { + return true + } + + // Make sure all the updated pods have been scheduled + if ds.Status.UpdatedNumberScheduled != ds.Status.DesiredNumberScheduled { + c.log("DaemonSet is not ready: %s/%s. %d out of %d expected pods have been scheduled", ds.Namespace, ds.Name, ds.Status.UpdatedNumberScheduled, ds.Status.DesiredNumberScheduled) + return false + } + maxUnavailable, err := intstr.GetScaledValueFromIntOrPercent(ds.Spec.UpdateStrategy.RollingUpdate.MaxUnavailable, int(ds.Status.DesiredNumberScheduled), true) + if err != nil { + // If for some reason the value is invalid, set max unavailable to the + // number of desired replicas. This is the same behavior as the + // `MaxUnavailable` function in deploymentutil + maxUnavailable = int(ds.Status.DesiredNumberScheduled) + } + + expectedReady := int(ds.Status.DesiredNumberScheduled) - maxUnavailable + if !(int(ds.Status.NumberReady) >= expectedReady) { + c.log("DaemonSet is not ready: %s/%s. %d out of %d expected pods are ready", ds.Namespace, ds.Name, ds.Status.NumberReady, expectedReady) + return false + } + return true +} + +// Because the v1 extensions API is not available on all supported k8s versions +// yet and because Go doesn't support generics, we need to have a duplicate +// function to support the v1beta1 types +func (c *ReadyChecker) crdBetaReady(crd apiextv1beta1.CustomResourceDefinition) bool { + for _, cond := range crd.Status.Conditions { + switch cond.Type { + case apiextv1beta1.Established: + if cond.Status == apiextv1beta1.ConditionTrue { + return true + } + case apiextv1beta1.NamesAccepted: + if cond.Status == apiextv1beta1.ConditionFalse { + // This indicates a naming conflict, but it's probably not the + // job of this function to fail because of that. Instead, + // we treat it as a success, since the process should be able to + // continue. + return true + } + } + } + return false +} + +func (c *ReadyChecker) crdReady(crd apiextv1.CustomResourceDefinition) bool { + for _, cond := range crd.Status.Conditions { + switch cond.Type { + case apiextv1.Established: + if cond.Status == apiextv1.ConditionTrue { + return true + } + case apiextv1.NamesAccepted: + if cond.Status == apiextv1.ConditionFalse { + // This indicates a naming conflict, but it's probably not the + // job of this function to fail because of that. Instead, + // we treat it as a success, since the process should be able to + // continue. + return true + } + } + } + return false +} + +func (c *ReadyChecker) statefulSetReady(sts *appsv1.StatefulSet) bool { + // Verify the generation observed by the statefulSet controller matches the spec generation + if sts.Status.ObservedGeneration != sts.ObjectMeta.Generation { + c.log("StatefulSet is not ready: %s/%s. observedGeneration (%d) does not match spec generation (%d).", sts.Namespace, sts.Name, sts.Status.ObservedGeneration, sts.ObjectMeta.Generation) + return false + } + + // If the update strategy is not a rolling update, there will be nothing to wait for + if sts.Spec.UpdateStrategy.Type != appsv1.RollingUpdateStatefulSetStrategyType { + c.log("StatefulSet skipped ready check: %s/%s. updateStrategy is %v", sts.Namespace, sts.Name, sts.Spec.UpdateStrategy.Type) + return true + } + + // Dereference all the pointers because StatefulSets like them + var partition int + // 1 is the default for replicas if not set + replicas := 1 + // For some reason, even if the update strategy is a rolling update, the + // actual rollingUpdate field can be nil. If it is, we can safely assume + // there is no partition value + if sts.Spec.UpdateStrategy.RollingUpdate != nil && sts.Spec.UpdateStrategy.RollingUpdate.Partition != nil { + partition = int(*sts.Spec.UpdateStrategy.RollingUpdate.Partition) + } + if sts.Spec.Replicas != nil { + replicas = int(*sts.Spec.Replicas) + } + + // Because an update strategy can use partitioning, we need to calculate the + // number of updated replicas we should have. For example, if the replicas + // is set to 3 and the partition is 2, we'd expect only one pod to be + // updated + expectedReplicas := replicas - partition + + // Make sure all the updated pods have been scheduled + if int(sts.Status.UpdatedReplicas) < expectedReplicas { + c.log("StatefulSet is not ready: %s/%s. %d out of %d expected pods have been scheduled", sts.Namespace, sts.Name, sts.Status.UpdatedReplicas, expectedReplicas) + return false + } + + if int(sts.Status.ReadyReplicas) != replicas { + c.log("StatefulSet is not ready: %s/%s. %d out of %d expected pods are ready", sts.Namespace, sts.Name, sts.Status.ReadyReplicas, replicas) + return false + } + // This check only makes sense when all partitions are being upgraded otherwise during a + // partitioned rolling upgrade, this condition will never evaluate to true, leading to + // error. + if partition == 0 && sts.Status.CurrentRevision != sts.Status.UpdateRevision { + c.log("StatefulSet is not ready: %s/%s. currentRevision %s does not yet match updateRevision %s", sts.Namespace, sts.Name, sts.Status.CurrentRevision, sts.Status.UpdateRevision) + return false + } + + c.log("StatefulSet is ready: %s/%s. %d out of %d expected pods are ready", sts.Namespace, sts.Name, sts.Status.ReadyReplicas, replicas) + return true +} + +func (c *ReadyChecker) replicationControllerReady(rc *corev1.ReplicationController) bool { + // Verify the generation observed by the replicationController controller matches the spec generation + if rc.Status.ObservedGeneration != rc.ObjectMeta.Generation { + c.log("ReplicationController is not ready: %s/%s. observedGeneration (%d) does not match spec generation (%d).", rc.Namespace, rc.Name, rc.Status.ObservedGeneration, rc.ObjectMeta.Generation) + return false + } + return true +} + +func (c *ReadyChecker) replicaSetReady(rs *appsv1.ReplicaSet) bool { + // Verify the generation observed by the replicaSet controller matches the spec generation + if rs.Status.ObservedGeneration != rs.ObjectMeta.Generation { + c.log("ReplicaSet is not ready: %s/%s. observedGeneration (%d) does not match spec generation (%d).", rs.Namespace, rs.Name, rs.Status.ObservedGeneration, rs.ObjectMeta.Generation) + return false + } + return true +} + +func getPods(ctx context.Context, client kubernetes.Interface, namespace, selector string) ([]corev1.Pod, error) { + list, err := client.CoreV1().Pods(namespace).List(ctx, metav1.ListOptions{ + LabelSelector: selector, + }) + return list.Items, err +} diff --git a/vendor/helm.sh/helm/v3/pkg/kube/resource.go b/vendor/helm.sh/helm/v3/pkg/kube/resource.go new file mode 100644 index 0000000000..db8e9178e7 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/kube/resource.go @@ -0,0 +1,85 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package kube // import "helm.sh/helm/v3/pkg/kube" + +import "k8s.io/cli-runtime/pkg/resource" + +// ResourceList provides convenience methods for comparing collections of Infos. +type ResourceList []*resource.Info + +// Append adds an Info to the Result. +func (r *ResourceList) Append(val *resource.Info) { + *r = append(*r, val) +} + +// Visit implements resource.Visitor. The visitor stops if fn returns an error. +func (r ResourceList) Visit(fn resource.VisitorFunc) error { + for _, i := range r { + if err := fn(i, nil); err != nil { + return err + } + } + return nil +} + +// Filter returns a new Result with Infos that satisfy the predicate fn. +func (r ResourceList) Filter(fn func(*resource.Info) bool) ResourceList { + var result ResourceList + for _, i := range r { + if fn(i) { + result.Append(i) + } + } + return result +} + +// Get returns the Info from the result that matches the name and kind. +func (r ResourceList) Get(info *resource.Info) *resource.Info { + for _, i := range r { + if isMatchingInfo(i, info) { + return i + } + } + return nil +} + +// Contains checks to see if an object exists. +func (r ResourceList) Contains(info *resource.Info) bool { + for _, i := range r { + if isMatchingInfo(i, info) { + return true + } + } + return false +} + +// Difference will return a new Result with objects not contained in rs. +func (r ResourceList) Difference(rs ResourceList) ResourceList { + return r.Filter(func(info *resource.Info) bool { + return !rs.Contains(info) + }) +} + +// Intersect will return a new Result with objects contained in both Results. +func (r ResourceList) Intersect(rs ResourceList) ResourceList { + return r.Filter(rs.Contains) +} + +// isMatchingInfo returns true if infos match on Name and GroupVersionKind. +func isMatchingInfo(a, b *resource.Info) bool { + return a.Name == b.Name && a.Namespace == b.Namespace && a.Mapping.GroupVersionKind.Kind == b.Mapping.GroupVersionKind.Kind && a.Mapping.GroupVersionKind.Group == b.Mapping.GroupVersionKind.Group +} diff --git a/vendor/helm.sh/helm/v3/pkg/kube/resource_policy.go b/vendor/helm.sh/helm/v3/pkg/kube/resource_policy.go new file mode 100644 index 0000000000..46b8680dd2 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/kube/resource_policy.go @@ -0,0 +1,27 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package kube // import "helm.sh/helm/v3/pkg/kube" + +// ResourcePolicyAnno is the annotation name for a resource policy +const ResourcePolicyAnno = "helm.sh/resource-policy" + +// KeepPolicy is the resource policy type for keep +// +// This resource policy type allows resources to skip being deleted +// +// during an uninstallRelease action. +const KeepPolicy = "keep" diff --git a/vendor/helm.sh/helm/v3/pkg/kube/result.go b/vendor/helm.sh/helm/v3/pkg/kube/result.go new file mode 100644 index 0000000000..c3e171c2e4 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/kube/result.go @@ -0,0 +1,28 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package kube + +// Result contains the information of created, updated, and deleted resources +// for various kube API calls along with helper methods for using those +// resources +type Result struct { + Created ResourceList + Updated ResourceList + Deleted ResourceList +} + +// If needed, we can add methods to the Result type for things like diffing diff --git a/vendor/helm.sh/helm/v3/pkg/kube/roundtripper.go b/vendor/helm.sh/helm/v3/pkg/kube/roundtripper.go new file mode 100644 index 0000000000..fdb1035291 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/kube/roundtripper.go @@ -0,0 +1,80 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package kube + +import ( + "bytes" + "encoding/json" + "io" + "net/http" + "strings" +) + +type RetryingRoundTripper struct { + Wrapped http.RoundTripper +} + +func (rt *RetryingRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) { + return rt.roundTrip(req, 1, nil) +} + +func (rt *RetryingRoundTripper) roundTrip(req *http.Request, retry int, prevResp *http.Response) (*http.Response, error) { + if retry < 0 { + return prevResp, nil + } + resp, rtErr := rt.Wrapped.RoundTrip(req) + if rtErr != nil { + return resp, rtErr + } + if resp.StatusCode < 500 { + return resp, rtErr + } + if resp.Header.Get("content-type") != "application/json" { + return resp, rtErr + } + b, err := io.ReadAll(resp.Body) + resp.Body.Close() + if err != nil { + return resp, rtErr + } + + var ke kubernetesError + r := bytes.NewReader(b) + err = json.NewDecoder(r).Decode(&ke) + r.Seek(0, io.SeekStart) + resp.Body = io.NopCloser(r) + if err != nil { + return resp, rtErr + } + if ke.Code < 500 { + return resp, rtErr + } + // Matches messages like "etcdserver: leader changed" + if strings.HasSuffix(ke.Message, "etcdserver: leader changed") { + return rt.roundTrip(req, retry-1, resp) + } + // Matches messages like "rpc error: code = Unknown desc = raft proposal dropped" + if strings.HasSuffix(ke.Message, "raft proposal dropped") { + return rt.roundTrip(req, retry-1, resp) + } + return resp, rtErr +} + +type kubernetesError struct { + Message string `json:"message"` + Code int `json:"code"` +} diff --git a/vendor/helm.sh/helm/v3/pkg/kube/wait.go b/vendor/helm.sh/helm/v3/pkg/kube/wait.go new file mode 100644 index 0000000000..c602004ad4 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/kube/wait.go @@ -0,0 +1,176 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package kube // import "helm.sh/helm/v3/pkg/kube" + +import ( + "context" + "fmt" + "net/http" + "time" + + "github.com/pkg/errors" + appsv1 "k8s.io/api/apps/v1" + appsv1beta1 "k8s.io/api/apps/v1beta1" + appsv1beta2 "k8s.io/api/apps/v1beta2" + batchv1 "k8s.io/api/batch/v1" + corev1 "k8s.io/api/core/v1" + extensionsv1beta1 "k8s.io/api/extensions/v1beta1" + apierrors "k8s.io/apimachinery/pkg/api/errors" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/labels" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/cli-runtime/pkg/resource" + + "k8s.io/apimachinery/pkg/util/wait" +) + +type waiter struct { + c ReadyChecker + timeout time.Duration + log func(string, ...interface{}) +} + +// waitForResources polls to get the current status of all pods, PVCs, Services and +// Jobs(optional) until all are ready or a timeout is reached +func (w *waiter) waitForResources(created ResourceList) error { + w.log("beginning wait for %d resources with timeout of %v", len(created), w.timeout) + + startTime := time.Now() + ctx, cancel := context.WithTimeout(context.Background(), w.timeout) + defer cancel() + + numberOfErrors := make([]int, len(created)) + for i := range numberOfErrors { + numberOfErrors[i] = 0 + } + + err := wait.PollUntilContextCancel(ctx, 2*time.Second, true, func(ctx context.Context) (bool, error) { + waitRetries := 30 + for i, v := range created { + ready, err := w.c.IsReady(ctx, v) + + if waitRetries > 0 && w.isRetryableError(err, v) { + numberOfErrors[i]++ + if numberOfErrors[i] > waitRetries { + w.log("Max number of retries reached") + return false, err + } + w.log("Retrying as current number of retries %d less than max number of retries %d", numberOfErrors[i]-1, waitRetries) + return false, nil + } + numberOfErrors[i] = 0 + if !ready { + return false, err + } + } + return true, nil + }) + + elapsed := time.Since(startTime).Round(time.Second) + if err != nil { + w.log("wait for resources failed after %v: %v", elapsed, err) + } else { + w.log("wait for resources succeeded within %v", elapsed) + } + + return err +} + +func (w *waiter) isRetryableError(err error, resource *resource.Info) bool { + if err == nil { + return false + } + w.log("Error received when checking status of resource %s. Error: '%s', Resource details: '%s'", resource.Name, err, resource) + if ev, ok := err.(*apierrors.StatusError); ok { + statusCode := ev.Status().Code + retryable := w.isRetryableHTTPStatusCode(statusCode) + w.log("Status code received: %d. Retryable error? %t", statusCode, retryable) + return retryable + } + w.log("Retryable error? %t", true) + return true +} + +func (w *waiter) isRetryableHTTPStatusCode(httpStatusCode int32) bool { + return httpStatusCode == 0 || httpStatusCode == http.StatusTooManyRequests || (httpStatusCode >= 500 && httpStatusCode != http.StatusNotImplemented) +} + +// waitForDeletedResources polls to check if all the resources are deleted or a timeout is reached +func (w *waiter) waitForDeletedResources(deleted ResourceList) error { + w.log("beginning wait for %d resources to be deleted with timeout of %v", len(deleted), w.timeout) + + ctx, cancel := context.WithTimeout(context.Background(), w.timeout) + defer cancel() + + return wait.PollUntilContextCancel(ctx, 2*time.Second, true, func(_ context.Context) (bool, error) { + for _, v := range deleted { + err := v.Get() + if err == nil || !apierrors.IsNotFound(err) { + return false, err + } + } + return true, nil + }) +} + +// SelectorsForObject returns the pod label selector for a given object +// +// Modified version of https://github.com/kubernetes/kubernetes/blob/v1.14.1/pkg/kubectl/polymorphichelpers/helpers.go#L84 +func SelectorsForObject(object runtime.Object) (selector labels.Selector, err error) { + switch t := object.(type) { + case *extensionsv1beta1.ReplicaSet: + selector, err = metav1.LabelSelectorAsSelector(t.Spec.Selector) + case *appsv1.ReplicaSet: + selector, err = metav1.LabelSelectorAsSelector(t.Spec.Selector) + case *appsv1beta2.ReplicaSet: + selector, err = metav1.LabelSelectorAsSelector(t.Spec.Selector) + case *corev1.ReplicationController: + selector = labels.SelectorFromSet(t.Spec.Selector) + case *appsv1.StatefulSet: + selector, err = metav1.LabelSelectorAsSelector(t.Spec.Selector) + case *appsv1beta1.StatefulSet: + selector, err = metav1.LabelSelectorAsSelector(t.Spec.Selector) + case *appsv1beta2.StatefulSet: + selector, err = metav1.LabelSelectorAsSelector(t.Spec.Selector) + case *extensionsv1beta1.DaemonSet: + selector, err = metav1.LabelSelectorAsSelector(t.Spec.Selector) + case *appsv1.DaemonSet: + selector, err = metav1.LabelSelectorAsSelector(t.Spec.Selector) + case *appsv1beta2.DaemonSet: + selector, err = metav1.LabelSelectorAsSelector(t.Spec.Selector) + case *extensionsv1beta1.Deployment: + selector, err = metav1.LabelSelectorAsSelector(t.Spec.Selector) + case *appsv1.Deployment: + selector, err = metav1.LabelSelectorAsSelector(t.Spec.Selector) + case *appsv1beta1.Deployment: + selector, err = metav1.LabelSelectorAsSelector(t.Spec.Selector) + case *appsv1beta2.Deployment: + selector, err = metav1.LabelSelectorAsSelector(t.Spec.Selector) + case *batchv1.Job: + selector, err = metav1.LabelSelectorAsSelector(t.Spec.Selector) + case *corev1.Service: + if len(t.Spec.Selector) == 0 { + return nil, fmt.Errorf("invalid service '%s': Service is defined without a selector", t.Name) + } + selector = labels.SelectorFromSet(t.Spec.Selector) + + default: + return nil, fmt.Errorf("selector for %T not implemented", object) + } + + return selector, errors.Wrap(err, "invalid label selector") +} diff --git a/vendor/helm.sh/helm/v3/pkg/lint/lint.go b/vendor/helm.sh/helm/v3/pkg/lint/lint.go new file mode 100644 index 0000000000..ef23ee7c89 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/lint/lint.go @@ -0,0 +1,48 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package lint // import "helm.sh/helm/v3/pkg/lint" + +import ( + "path/filepath" + + "helm.sh/helm/v3/pkg/chartutil" + "helm.sh/helm/v3/pkg/lint/rules" + "helm.sh/helm/v3/pkg/lint/support" +) + +// All runs all the available linters on the given base directory. +func All(basedir string, values map[string]interface{}, namespace string, _ bool) support.Linter { + return AllWithKubeVersion(basedir, values, namespace, nil) +} + +// AllWithKubeVersion runs all the available linters on the given base directory, allowing to specify the kubernetes version. +func AllWithKubeVersion(basedir string, values map[string]interface{}, namespace string, kubeVersion *chartutil.KubeVersion) support.Linter { + return AllWithKubeVersionAndSchemaValidation(basedir, values, namespace, kubeVersion, false) +} + +// AllWithKubeVersionAndSchemaValidation runs all the available linters on the given base directory, allowing to specify the kubernetes version and if schema validation is enabled or not. +func AllWithKubeVersionAndSchemaValidation(basedir string, values map[string]interface{}, namespace string, kubeVersion *chartutil.KubeVersion, skipSchemaValidation bool) support.Linter { + // Using abs path to get directory context + chartDir, _ := filepath.Abs(basedir) + + linter := support.Linter{ChartDir: chartDir} + rules.Chartfile(&linter) + rules.ValuesWithOverrides(&linter, values) + rules.TemplatesWithSkipSchemaValidation(&linter, values, namespace, kubeVersion, skipSchemaValidation) + rules.Dependencies(&linter) + return linter +} diff --git a/vendor/helm.sh/helm/v3/pkg/lint/rules/chartfile.go b/vendor/helm.sh/helm/v3/pkg/lint/rules/chartfile.go new file mode 100644 index 0000000000..555ec71baf --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/lint/rules/chartfile.go @@ -0,0 +1,216 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package rules // import "helm.sh/helm/v3/pkg/lint/rules" + +import ( + "fmt" + "os" + "path/filepath" + + "github.com/Masterminds/semver/v3" + "github.com/asaskevich/govalidator" + "github.com/pkg/errors" + "sigs.k8s.io/yaml" + + "helm.sh/helm/v3/pkg/chart" + "helm.sh/helm/v3/pkg/chartutil" + "helm.sh/helm/v3/pkg/lint/support" +) + +// Chartfile runs a set of linter rules related to Chart.yaml file +func Chartfile(linter *support.Linter) { + chartFileName := "Chart.yaml" + chartPath := filepath.Join(linter.ChartDir, chartFileName) + + linter.RunLinterRule(support.ErrorSev, chartFileName, validateChartYamlNotDirectory(chartPath)) + + chartFile, err := chartutil.LoadChartfile(chartPath) + validChartFile := linter.RunLinterRule(support.ErrorSev, chartFileName, validateChartYamlFormat(err)) + + // Guard clause. Following linter rules require a parsable ChartFile + if !validChartFile { + return + } + + // type check for Chart.yaml . ignoring error as any parse + // errors would already be caught in the above load function + chartFileForTypeCheck, _ := loadChartFileForTypeCheck(chartPath) + + linter.RunLinterRule(support.ErrorSev, chartFileName, validateChartName(chartFile)) + + // Chart metadata + linter.RunLinterRule(support.ErrorSev, chartFileName, validateChartAPIVersion(chartFile)) + + linter.RunLinterRule(support.ErrorSev, chartFileName, validateChartVersionType(chartFileForTypeCheck)) + linter.RunLinterRule(support.ErrorSev, chartFileName, validateChartVersion(chartFile)) + linter.RunLinterRule(support.ErrorSev, chartFileName, validateChartAppVersionType(chartFileForTypeCheck)) + linter.RunLinterRule(support.ErrorSev, chartFileName, validateChartMaintainer(chartFile)) + linter.RunLinterRule(support.ErrorSev, chartFileName, validateChartSources(chartFile)) + linter.RunLinterRule(support.InfoSev, chartFileName, validateChartIconPresence(chartFile)) + linter.RunLinterRule(support.ErrorSev, chartFileName, validateChartIconURL(chartFile)) + linter.RunLinterRule(support.ErrorSev, chartFileName, validateChartType(chartFile)) + linter.RunLinterRule(support.ErrorSev, chartFileName, validateChartDependencies(chartFile)) +} + +func validateChartVersionType(data map[string]interface{}) error { + return isStringValue(data, "version") +} + +func validateChartAppVersionType(data map[string]interface{}) error { + return isStringValue(data, "appVersion") +} + +func isStringValue(data map[string]interface{}, key string) error { + value, ok := data[key] + if !ok { + return nil + } + valueType := fmt.Sprintf("%T", value) + if valueType != "string" { + return errors.Errorf("%s should be of type string but it's of type %s", key, valueType) + } + return nil +} + +func validateChartYamlNotDirectory(chartPath string) error { + fi, err := os.Stat(chartPath) + + if err == nil && fi.IsDir() { + return errors.New("should be a file, not a directory") + } + return nil +} + +func validateChartYamlFormat(chartFileError error) error { + if chartFileError != nil { + return errors.Errorf("unable to parse YAML\n\t%s", chartFileError.Error()) + } + return nil +} + +func validateChartName(cf *chart.Metadata) error { + if cf.Name == "" { + return errors.New("name is required") + } + name := filepath.Base(cf.Name) + if name != cf.Name { + return fmt.Errorf("chart name %q is invalid", cf.Name) + } + return nil +} + +func validateChartAPIVersion(cf *chart.Metadata) error { + if cf.APIVersion == "" { + return errors.New("apiVersion is required. The value must be either \"v1\" or \"v2\"") + } + + if cf.APIVersion != chart.APIVersionV1 && cf.APIVersion != chart.APIVersionV2 { + return fmt.Errorf("apiVersion '%s' is not valid. The value must be either \"v1\" or \"v2\"", cf.APIVersion) + } + + return nil +} + +func validateChartVersion(cf *chart.Metadata) error { + if cf.Version == "" { + return errors.New("version is required") + } + + version, err := semver.NewVersion(cf.Version) + + if err != nil { + return errors.Errorf("version '%s' is not a valid SemVer", cf.Version) + } + + c, err := semver.NewConstraint(">0.0.0-0") + if err != nil { + return err + } + valid, msg := c.Validate(version) + + if !valid && len(msg) > 0 { + return errors.Errorf("version %v", msg[0]) + } + + return nil +} + +func validateChartMaintainer(cf *chart.Metadata) error { + for _, maintainer := range cf.Maintainers { + if maintainer == nil { + return errors.New("a maintainer entry is empty") + } + if maintainer.Name == "" { + return errors.New("each maintainer requires a name") + } else if maintainer.Email != "" && !govalidator.IsEmail(maintainer.Email) { + return errors.Errorf("invalid email '%s' for maintainer '%s'", maintainer.Email, maintainer.Name) + } else if maintainer.URL != "" && !govalidator.IsURL(maintainer.URL) { + return errors.Errorf("invalid url '%s' for maintainer '%s'", maintainer.URL, maintainer.Name) + } + } + return nil +} + +func validateChartSources(cf *chart.Metadata) error { + for _, source := range cf.Sources { + if source == "" || !govalidator.IsRequestURL(source) { + return errors.Errorf("invalid source URL '%s'", source) + } + } + return nil +} + +func validateChartIconPresence(cf *chart.Metadata) error { + if cf.Icon == "" { + return errors.New("icon is recommended") + } + return nil +} + +func validateChartIconURL(cf *chart.Metadata) error { + if cf.Icon != "" && !govalidator.IsRequestURL(cf.Icon) { + return errors.Errorf("invalid icon URL '%s'", cf.Icon) + } + return nil +} + +func validateChartDependencies(cf *chart.Metadata) error { + if len(cf.Dependencies) > 0 && cf.APIVersion != chart.APIVersionV2 { + return fmt.Errorf("dependencies are not valid in the Chart file with apiVersion '%s'. They are valid in apiVersion '%s'", cf.APIVersion, chart.APIVersionV2) + } + return nil +} + +func validateChartType(cf *chart.Metadata) error { + if len(cf.Type) > 0 && cf.APIVersion != chart.APIVersionV2 { + return fmt.Errorf("chart type is not valid in apiVersion '%s'. It is valid in apiVersion '%s'", cf.APIVersion, chart.APIVersionV2) + } + return nil +} + +// loadChartFileForTypeCheck loads the Chart.yaml +// in a generic form of a map[string]interface{}, so that the type +// of the values can be checked +func loadChartFileForTypeCheck(filename string) (map[string]interface{}, error) { + b, err := os.ReadFile(filename) + if err != nil { + return nil, err + } + y := make(map[string]interface{}) + err = yaml.Unmarshal(b, &y) + return y, err +} diff --git a/vendor/helm.sh/helm/v3/pkg/lint/rules/dependencies.go b/vendor/helm.sh/helm/v3/pkg/lint/rules/dependencies.go new file mode 100644 index 0000000000..f1ab1dcadc --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/lint/rules/dependencies.go @@ -0,0 +1,103 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package rules // import "helm.sh/helm/v3/pkg/lint/rules" + +import ( + "fmt" + "strings" + + "github.com/pkg/errors" + + "helm.sh/helm/v3/pkg/chart" + "helm.sh/helm/v3/pkg/chart/loader" + "helm.sh/helm/v3/pkg/lint/support" +) + +// Dependencies runs lints against a chart's dependencies +// +// See https://github.com/helm/helm/issues/7910 +func Dependencies(linter *support.Linter) { + c, err := loader.LoadDir(linter.ChartDir) + if !linter.RunLinterRule(support.ErrorSev, "", validateChartFormat(err)) { + return + } + + linter.RunLinterRule(support.ErrorSev, linter.ChartDir, validateDependencyInMetadata(c)) + linter.RunLinterRule(support.ErrorSev, linter.ChartDir, validateDependenciesUnique(c)) + linter.RunLinterRule(support.WarningSev, linter.ChartDir, validateDependencyInChartsDir(c)) +} + +func validateChartFormat(chartError error) error { + if chartError != nil { + return errors.Errorf("unable to load chart\n\t%s", chartError) + } + return nil +} + +func validateDependencyInChartsDir(c *chart.Chart) (err error) { + dependencies := map[string]struct{}{} + missing := []string{} + for _, dep := range c.Dependencies() { + dependencies[dep.Metadata.Name] = struct{}{} + } + for _, dep := range c.Metadata.Dependencies { + if _, ok := dependencies[dep.Name]; !ok { + missing = append(missing, dep.Name) + } + } + if len(missing) > 0 { + err = fmt.Errorf("chart directory is missing these dependencies: %s", strings.Join(missing, ",")) + } + return err +} + +func validateDependencyInMetadata(c *chart.Chart) (err error) { + dependencies := map[string]struct{}{} + missing := []string{} + for _, dep := range c.Metadata.Dependencies { + dependencies[dep.Name] = struct{}{} + } + for _, dep := range c.Dependencies() { + if _, ok := dependencies[dep.Metadata.Name]; !ok { + missing = append(missing, dep.Metadata.Name) + } + } + if len(missing) > 0 { + err = fmt.Errorf("chart metadata is missing these dependencies: %s", strings.Join(missing, ",")) + } + return err +} + +func validateDependenciesUnique(c *chart.Chart) (err error) { + dependencies := map[string]*chart.Dependency{} + shadowing := []string{} + + for _, dep := range c.Metadata.Dependencies { + key := dep.Name + if dep.Alias != "" { + key = dep.Alias + } + if dependencies[key] != nil { + shadowing = append(shadowing, key) + } + dependencies[key] = dep + } + if len(shadowing) > 0 { + err = fmt.Errorf("multiple dependencies with name or alias: %s", strings.Join(shadowing, ",")) + } + return err +} diff --git a/vendor/helm.sh/helm/v3/pkg/lint/rules/deprecations.go b/vendor/helm.sh/helm/v3/pkg/lint/rules/deprecations.go new file mode 100644 index 0000000000..90e7748a42 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/lint/rules/deprecations.go @@ -0,0 +1,106 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package rules // import "helm.sh/helm/v3/pkg/lint/rules" + +import ( + "fmt" + "strconv" + + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/runtime/schema" + "k8s.io/apiserver/pkg/endpoints/deprecation" + kscheme "k8s.io/client-go/kubernetes/scheme" + + "helm.sh/helm/v3/pkg/chartutil" +) + +var ( + // This should be set in the Makefile based on the version of client-go being imported. + // These constants will be overwritten with LDFLAGS. The version components must be + // strings in order for LDFLAGS to set them. + k8sVersionMajor = "1" + k8sVersionMinor = "20" +) + +// deprecatedAPIError indicates than an API is deprecated in Kubernetes +type deprecatedAPIError struct { + Deprecated string + Message string +} + +func (e deprecatedAPIError) Error() string { + msg := e.Message + return msg +} + +func validateNoDeprecations(resource *K8sYamlStruct, kubeVersion *chartutil.KubeVersion) error { + // if `resource` does not have an APIVersion or Kind, we cannot test it for deprecation + if resource.APIVersion == "" { + return nil + } + if resource.Kind == "" { + return nil + } + + majorVersion := k8sVersionMajor + minorVersion := k8sVersionMinor + + if kubeVersion != nil { + majorVersion = kubeVersion.Major + minorVersion = kubeVersion.Minor + } + + runtimeObject, err := resourceToRuntimeObject(resource) + if err != nil { + // do not error for non-kubernetes resources + if runtime.IsNotRegisteredError(err) { + return nil + } + return err + } + + maj, err := strconv.Atoi(majorVersion) + if err != nil { + return err + } + min, err := strconv.Atoi(minorVersion) + if err != nil { + return err + } + + if !deprecation.IsDeprecated(runtimeObject, maj, min) { + return nil + } + gvk := fmt.Sprintf("%s %s", resource.APIVersion, resource.Kind) + return deprecatedAPIError{ + Deprecated: gvk, + Message: deprecation.WarningMessage(runtimeObject), + } +} + +func resourceToRuntimeObject(resource *K8sYamlStruct) (runtime.Object, error) { + scheme := runtime.NewScheme() + kscheme.AddToScheme(scheme) + + gvk := schema.FromAPIVersionAndKind(resource.APIVersion, resource.Kind) + out, err := scheme.New(gvk) + if err != nil { + return nil, err + } + out.GetObjectKind().SetGroupVersionKind(gvk) + return out, nil +} diff --git a/vendor/helm.sh/helm/v3/pkg/lint/rules/template.go b/vendor/helm.sh/helm/v3/pkg/lint/rules/template.go new file mode 100644 index 0000000000..41d1a1bab2 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/lint/rules/template.go @@ -0,0 +1,356 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package rules + +import ( + "bufio" + "bytes" + "fmt" + "io" + "os" + "path" + "path/filepath" + "regexp" + "strings" + + "github.com/pkg/errors" + "k8s.io/apimachinery/pkg/api/validation" + apipath "k8s.io/apimachinery/pkg/api/validation/path" + "k8s.io/apimachinery/pkg/util/validation/field" + "k8s.io/apimachinery/pkg/util/yaml" + + "helm.sh/helm/v3/pkg/chart/loader" + "helm.sh/helm/v3/pkg/chartutil" + "helm.sh/helm/v3/pkg/engine" + "helm.sh/helm/v3/pkg/lint/support" +) + +var ( + crdHookSearch = regexp.MustCompile(`"?helm\.sh/hook"?:\s+crd-install`) + releaseTimeSearch = regexp.MustCompile(`\.Release\.Time`) +) + +// Templates lints the templates in the Linter. +func Templates(linter *support.Linter, values map[string]interface{}, namespace string, _ bool) { + TemplatesWithKubeVersion(linter, values, namespace, nil) +} + +// TemplatesWithKubeVersion lints the templates in the Linter, allowing to specify the kubernetes version. +func TemplatesWithKubeVersion(linter *support.Linter, values map[string]interface{}, namespace string, kubeVersion *chartutil.KubeVersion) { + TemplatesWithSkipSchemaValidation(linter, values, namespace, kubeVersion, false) +} + +// TemplatesWithSkipSchemaValidation lints the templates in the Linter, allowing to specify the kubernetes version and if schema validation is enabled or not. +func TemplatesWithSkipSchemaValidation(linter *support.Linter, values map[string]interface{}, namespace string, kubeVersion *chartutil.KubeVersion, skipSchemaValidation bool) { + fpath := "templates/" + templatesPath := filepath.Join(linter.ChartDir, fpath) + + templatesDirExist := linter.RunLinterRule(support.WarningSev, fpath, validateTemplatesDir(templatesPath)) + + // Templates directory is optional for now + if !templatesDirExist { + return + } + + // Load chart and parse templates + chart, err := loader.Load(linter.ChartDir) + + chartLoaded := linter.RunLinterRule(support.ErrorSev, fpath, err) + + if !chartLoaded { + return + } + + options := chartutil.ReleaseOptions{ + Name: "test-release", + Namespace: namespace, + } + + caps := chartutil.DefaultCapabilities.Copy() + if kubeVersion != nil { + caps.KubeVersion = *kubeVersion + } + + // lint ignores import-values + // See https://github.com/helm/helm/issues/9658 + if err := chartutil.ProcessDependenciesWithMerge(chart, values); err != nil { + return + } + + cvals, err := chartutil.CoalesceValues(chart, values) + if err != nil { + return + } + + valuesToRender, err := chartutil.ToRenderValuesWithSchemaValidation(chart, cvals, options, caps, skipSchemaValidation) + if err != nil { + linter.RunLinterRule(support.ErrorSev, fpath, err) + return + } + var e engine.Engine + e.LintMode = true + renderedContentMap, err := e.Render(chart, valuesToRender) + + renderOk := linter.RunLinterRule(support.ErrorSev, fpath, err) + + if !renderOk { + return + } + + /* Iterate over all the templates to check: + - It is a .yaml file + - All the values in the template file is defined + - {{}} include | quote + - Generated content is a valid Yaml file + - Metadata.Namespace is not set + */ + for _, template := range chart.Templates { + fileName, data := template.Name, template.Data + fpath = fileName + + linter.RunLinterRule(support.ErrorSev, fpath, validateAllowedExtension(fileName)) + // These are v3 specific checks to make sure and warn people if their + // chart is not compatible with v3 + linter.RunLinterRule(support.WarningSev, fpath, validateNoCRDHooks(data)) + linter.RunLinterRule(support.ErrorSev, fpath, validateNoReleaseTime(data)) + + // We only apply the following lint rules to yaml files + if filepath.Ext(fileName) != ".yaml" || filepath.Ext(fileName) == ".yml" { + continue + } + + // NOTE: disabled for now, Refs https://github.com/helm/helm/issues/1463 + // Check that all the templates have a matching value + // linter.RunLinterRule(support.WarningSev, fpath, validateNoMissingValues(templatesPath, valuesToRender, preExecutedTemplate)) + + // NOTE: disabled for now, Refs https://github.com/helm/helm/issues/1037 + // linter.RunLinterRule(support.WarningSev, fpath, validateQuotes(string(preExecutedTemplate))) + + renderedContent := renderedContentMap[path.Join(chart.Name(), fileName)] + if strings.TrimSpace(renderedContent) != "" { + linter.RunLinterRule(support.WarningSev, fpath, validateTopIndentLevel(renderedContent)) + + decoder := yaml.NewYAMLOrJSONDecoder(strings.NewReader(renderedContent), 4096) + + // Lint all resources if the file contains multiple documents separated by --- + for { + // Even though K8sYamlStruct only defines a few fields, an error in any other + // key will be raised as well + var yamlStruct *K8sYamlStruct + + err := decoder.Decode(&yamlStruct) + if err == io.EOF { + break + } + + // If YAML linting fails here, it will always fail in the next block as well, so we should return here. + // fix https://github.com/helm/helm/issues/11391 + if !linter.RunLinterRule(support.ErrorSev, fpath, validateYamlContent(err)) { + return + } + if yamlStruct != nil { + // NOTE: set to warnings to allow users to support out-of-date kubernetes + // Refs https://github.com/helm/helm/issues/8596 + linter.RunLinterRule(support.WarningSev, fpath, validateMetadataName(yamlStruct)) + linter.RunLinterRule(support.WarningSev, fpath, validateNoDeprecations(yamlStruct, kubeVersion)) + + linter.RunLinterRule(support.ErrorSev, fpath, validateMatchSelector(yamlStruct, renderedContent)) + linter.RunLinterRule(support.ErrorSev, fpath, validateListAnnotations(yamlStruct, renderedContent)) + } + } + } + } +} + +// validateTopIndentLevel checks that the content does not start with an indent level > 0. +// +// This error can occur when a template accidentally inserts space. It can cause +// unpredictable errors depending on whether the text is normalized before being passed +// into the YAML parser. So we trap it here. +// +// See https://github.com/helm/helm/issues/8467 +func validateTopIndentLevel(content string) error { + // Read lines until we get to a non-empty one + scanner := bufio.NewScanner(bytes.NewBufferString(content)) + for scanner.Scan() { + line := scanner.Text() + // If line is empty, skip + if strings.TrimSpace(line) == "" { + continue + } + // If it starts with one or more spaces, this is an error + if strings.HasPrefix(line, " ") || strings.HasPrefix(line, "\t") { + return fmt.Errorf("document starts with an illegal indent: %q, which may cause parsing problems", line) + } + // Any other condition passes. + return nil + } + return scanner.Err() +} + +// Validation functions +func validateTemplatesDir(templatesPath string) error { + if fi, err := os.Stat(templatesPath); err == nil { + if !fi.IsDir() { + return errors.New("not a directory") + } + } + return nil +} + +func validateAllowedExtension(fileName string) error { + ext := filepath.Ext(fileName) + validExtensions := []string{".yaml", ".yml", ".tpl", ".txt"} + + for _, b := range validExtensions { + if b == ext { + return nil + } + } + + return errors.Errorf("file extension '%s' not valid. Valid extensions are .yaml, .yml, .tpl, or .txt", ext) +} + +func validateYamlContent(err error) error { + return errors.Wrap(err, "unable to parse YAML") +} + +// validateMetadataName uses the correct validation function for the object +// Kind, or if not set, defaults to the standard definition of a subdomain in +// DNS (RFC 1123), used by most resources. +func validateMetadataName(obj *K8sYamlStruct) error { + fn := validateMetadataNameFunc(obj) + allErrs := field.ErrorList{} + for _, msg := range fn(obj.Metadata.Name, false) { + allErrs = append(allErrs, field.Invalid(field.NewPath("metadata").Child("name"), obj.Metadata.Name, msg)) + } + if len(allErrs) > 0 { + return errors.Wrapf(allErrs.ToAggregate(), "object name does not conform to Kubernetes naming requirements: %q", obj.Metadata.Name) + } + return nil +} + +// validateMetadataNameFunc will return a name validation function for the +// object kind, if defined below. +// +// Rules should match those set in the various api validations: +// https://github.com/kubernetes/kubernetes/blob/v1.20.0/pkg/apis/core/validation/validation.go#L205-L274 +// https://github.com/kubernetes/kubernetes/blob/v1.20.0/pkg/apis/apps/validation/validation.go#L39 +// ... +// +// Implementing here to avoid importing k/k. +// +// If no mapping is defined, returns NameIsDNSSubdomain. This is used by object +// kinds that don't have special requirements, so is the most likely to work if +// new kinds are added. +func validateMetadataNameFunc(obj *K8sYamlStruct) validation.ValidateNameFunc { + switch strings.ToLower(obj.Kind) { + case "pod", "node", "secret", "endpoints", "resourcequota", // core + "controllerrevision", "daemonset", "deployment", "replicaset", "statefulset", // apps + "autoscaler", // autoscaler + "cronjob", "job", // batch + "lease", // coordination + "endpointslice", // discovery + "networkpolicy", "ingress", // networking + "podsecuritypolicy", // policy + "priorityclass", // scheduling + "podpreset", // settings + "storageclass", "volumeattachment", "csinode": // storage + return validation.NameIsDNSSubdomain + case "service": + return validation.NameIsDNS1035Label + case "namespace": + return validation.ValidateNamespaceName + case "serviceaccount": + return validation.ValidateServiceAccountName + case "certificatesigningrequest": + // No validation. + // https://github.com/kubernetes/kubernetes/blob/v1.20.0/pkg/apis/certificates/validation/validation.go#L137-L140 + return func(_ string, _ bool) []string { return nil } + case "role", "clusterrole", "rolebinding", "clusterrolebinding": + // https://github.com/kubernetes/kubernetes/blob/v1.20.0/pkg/apis/rbac/validation/validation.go#L32-L34 + return func(name string, _ bool) []string { + return apipath.IsValidPathSegmentName(name) + } + default: + return validation.NameIsDNSSubdomain + } +} + +func validateNoCRDHooks(manifest []byte) error { + if crdHookSearch.Match(manifest) { + return errors.New("manifest is a crd-install hook. This hook is no longer supported in v3 and all CRDs should also exist the crds/ directory at the top level of the chart") + } + return nil +} + +func validateNoReleaseTime(manifest []byte) error { + if releaseTimeSearch.Match(manifest) { + return errors.New(".Release.Time has been removed in v3, please replace with the `now` function in your templates") + } + return nil +} + +// validateMatchSelector ensures that template specs have a selector declared. +// See https://github.com/helm/helm/issues/1990 +func validateMatchSelector(yamlStruct *K8sYamlStruct, manifest string) error { + switch yamlStruct.Kind { + case "Deployment", "ReplicaSet", "DaemonSet", "StatefulSet": + // verify that matchLabels or matchExpressions is present + if !(strings.Contains(manifest, "matchLabels") || strings.Contains(manifest, "matchExpressions")) { + return fmt.Errorf("a %s must contain matchLabels or matchExpressions, and %q does not", yamlStruct.Kind, yamlStruct.Metadata.Name) + } + } + return nil +} +func validateListAnnotations(yamlStruct *K8sYamlStruct, manifest string) error { + if yamlStruct.Kind == "List" { + m := struct { + Items []struct { + Metadata struct { + Annotations map[string]string + } + } + }{} + + if err := yaml.Unmarshal([]byte(manifest), &m); err != nil { + return validateYamlContent(err) + } + + for _, i := range m.Items { + if _, ok := i.Metadata.Annotations["helm.sh/resource-policy"]; ok { + return errors.New("Annotation 'helm.sh/resource-policy' within List objects are ignored") + } + } + } + return nil +} + +// K8sYamlStruct stubs a Kubernetes YAML file. +// +// DEPRECATED: In Helm 4, this will be made a private type, as it is for use only within +// the rules package. +type K8sYamlStruct struct { + APIVersion string `json:"apiVersion"` + Kind string + Metadata k8sYamlMetadata +} + +type k8sYamlMetadata struct { + Namespace string + Name string +} diff --git a/vendor/helm.sh/helm/v3/pkg/lint/rules/values.go b/vendor/helm.sh/helm/v3/pkg/lint/rules/values.go new file mode 100644 index 0000000000..538d8381b6 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/lint/rules/values.go @@ -0,0 +1,86 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package rules + +import ( + "os" + "path/filepath" + + "github.com/pkg/errors" + + "helm.sh/helm/v3/pkg/chartutil" + "helm.sh/helm/v3/pkg/lint/support" +) + +// Values lints a chart's values.yaml file. +// +// This function is deprecated and will be removed in Helm 4. +func Values(linter *support.Linter) { + ValuesWithOverrides(linter, map[string]interface{}{}) +} + +// ValuesWithOverrides tests the values.yaml file. +// +// If a schema is present in the chart, values are tested against that. Otherwise, +// they are only tested for well-formedness. +// +// If additional values are supplied, they are coalesced into the values in values.yaml. +func ValuesWithOverrides(linter *support.Linter, values map[string]interface{}) { + file := "values.yaml" + vf := filepath.Join(linter.ChartDir, file) + fileExists := linter.RunLinterRule(support.InfoSev, file, validateValuesFileExistence(vf)) + + if !fileExists { + return + } + + linter.RunLinterRule(support.ErrorSev, file, validateValuesFile(vf, values)) +} + +func validateValuesFileExistence(valuesPath string) error { + _, err := os.Stat(valuesPath) + if err != nil { + return errors.Errorf("file does not exist") + } + return nil +} + +func validateValuesFile(valuesPath string, overrides map[string]interface{}) error { + values, err := chartutil.ReadValuesFile(valuesPath) + if err != nil { + return errors.Wrap(err, "unable to parse YAML") + } + + // Helm 3.0.0 carried over the values linting from Helm 2.x, which only tests the top + // level values against the top-level expectations. Subchart values are not linted. + // We could change that. For now, though, we retain that strategy, and thus can + // coalesce tables (like reuse-values does) instead of doing the full chart + // CoalesceValues + coalescedValues := chartutil.CoalesceTables(make(map[string]interface{}, len(overrides)), overrides) + coalescedValues = chartutil.CoalesceTables(coalescedValues, values) + + ext := filepath.Ext(valuesPath) + schemaPath := valuesPath[:len(valuesPath)-len(ext)] + ".schema.json" + schema, err := os.ReadFile(schemaPath) + if len(schema) == 0 { + return nil + } + if err != nil { + return err + } + return chartutil.ValidateAgainstSingleSchema(coalescedValues, schema) +} diff --git a/vendor/helm.sh/helm/v3/pkg/lint/support/doc.go b/vendor/helm.sh/helm/v3/pkg/lint/support/doc.go new file mode 100644 index 0000000000..bffefe8ffd --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/lint/support/doc.go @@ -0,0 +1,23 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +/* +Package support contains tools for linting charts. + +Linting is the process of testing charts for errors or warnings regarding +formatting, compilation, or standards compliance. +*/ +package support // import "helm.sh/helm/v3/pkg/lint/support" diff --git a/vendor/helm.sh/helm/v3/pkg/lint/support/message.go b/vendor/helm.sh/helm/v3/pkg/lint/support/message.go new file mode 100644 index 0000000000..5efbc7a61c --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/lint/support/message.go @@ -0,0 +1,76 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package support + +import "fmt" + +// Severity indicates the severity of a Message. +const ( + // UnknownSev indicates that the severity of the error is unknown, and should not stop processing. + UnknownSev = iota + // InfoSev indicates information, for example missing values.yaml file + InfoSev + // WarningSev indicates that something does not meet code standards, but will likely function. + WarningSev + // ErrorSev indicates that something will not likely function. + ErrorSev +) + +// sev matches the *Sev states. +var sev = []string{"UNKNOWN", "INFO", "WARNING", "ERROR"} + +// Linter encapsulates a linting run of a particular chart. +type Linter struct { + Messages []Message + // The highest severity of all the failing lint rules + HighestSeverity int + ChartDir string +} + +// Message describes an error encountered while linting. +type Message struct { + // Severity is one of the *Sev constants + Severity int + Path string + Err error +} + +func (m Message) Error() string { + return fmt.Sprintf("[%s] %s: %s", sev[m.Severity], m.Path, m.Err.Error()) +} + +// NewMessage creates a new Message struct +func NewMessage(severity int, path string, err error) Message { + return Message{Severity: severity, Path: path, Err: err} +} + +// RunLinterRule returns true if the validation passed +func (l *Linter) RunLinterRule(severity int, path string, err error) bool { + // severity is out of bound + if severity < 0 || severity >= len(sev) { + return false + } + + if err != nil { + l.Messages = append(l.Messages, NewMessage(severity, path, err)) + + if severity > l.HighestSeverity { + l.HighestSeverity = severity + } + } + return err == nil +} diff --git a/vendor/helm.sh/helm/v3/pkg/plugin/hooks.go b/vendor/helm.sh/helm/v3/pkg/plugin/hooks.go new file mode 100644 index 0000000000..34d3163a40 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/plugin/hooks.go @@ -0,0 +1,32 @@ +/* +Copyright The Helm Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package plugin // import "helm.sh/helm/v3/pkg/plugin" + +// Types of hooks +const ( + // Install is executed after the plugin is added. + Install = "install" + // Delete is executed after the plugin is removed. + Delete = "delete" + // Update is executed after the plugin is updated. + Update = "update" +) + +// PlatformHooks is a map of events to a command for a particular operating system and architecture. +type PlatformHooks map[string][]PlatformCommand + +// Hooks is a map of events to commands. +type Hooks map[string]string diff --git a/vendor/helm.sh/helm/v3/pkg/plugin/plugin.go b/vendor/helm.sh/helm/v3/pkg/plugin/plugin.go new file mode 100644 index 0000000000..e2fb78672e --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/plugin/plugin.go @@ -0,0 +1,377 @@ +/* +Copyright The Helm Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package plugin // import "helm.sh/helm/v3/pkg/plugin" + +import ( + "fmt" + "os" + "path/filepath" + "regexp" + "runtime" + "strings" + "unicode" + + "github.com/pkg/errors" + "sigs.k8s.io/yaml" + + "helm.sh/helm/v3/pkg/cli" +) + +const PluginFileName = "plugin.yaml" + +// Downloaders represents the plugins capability if it can retrieve +// charts from special sources +type Downloaders struct { + // Protocols are the list of schemes from the charts URL. + Protocols []string `json:"protocols"` + // Command is the executable path with which the plugin performs + // the actual download for the corresponding Protocols + Command string `json:"command"` +} + +// PlatformCommand represents a command for a particular operating system and architecture +type PlatformCommand struct { + OperatingSystem string `json:"os"` + Architecture string `json:"arch"` + Command string `json:"command"` + Args []string `json:"args"` +} + +// Metadata describes a plugin. +// +// This is the plugin equivalent of a chart.Metadata. +type Metadata struct { + // Name is the name of the plugin + Name string `json:"name"` + + // Version is a SemVer 2 version of the plugin. + Version string `json:"version"` + + // Usage is the single-line usage text shown in help + Usage string `json:"usage"` + + // Description is a long description shown in places like `helm help` + Description string `json:"description"` + + // PlatformCommand is the plugin command, with a platform selector and support for args. + // + // The command and args will be passed through environment expansion, so env vars can + // be present in this command. Unless IgnoreFlags is set, this will + // also merge the flags passed from Helm. + // + // Note that the command is not executed in a shell. To do so, we suggest + // pointing the command to a shell script. + // + // The following rules will apply to processing platform commands: + // - If PlatformCommand is present, it will be used + // - If both OS and Arch match the current platform, search will stop and the command will be executed + // - If OS matches and Arch is empty, the command will be executed + // - If no OS/Arch match is found, the default command will be executed + // - If no matches are found in platformCommand, Helm will exit with an error + PlatformCommand []PlatformCommand `json:"platformCommand"` + + // Command is the plugin command, as a single string. + // Providing a command will result in an deprecation warning if PlatformCommand is also set. + // + // The command will be passed through environment expansion, so env vars can + // be present in this command. Unless IgnoreFlags is set, this will + // also merge the flags passed from Helm. + // + // Note that command is not executed in a shell. To do so, we suggest + // pointing the command to a shell script. + // + // DEPRECATED: Use PlatformCommand instead. Remove in Helm 4. + Command string `json:"command"` + + // IgnoreFlags ignores any flags passed in from Helm + // + // For example, if the plugin is invoked as `helm --debug myplugin`, if this + // is false, `--debug` will be appended to `--command`. If this is true, + // the `--debug` flag will be discarded. + IgnoreFlags bool `json:"ignoreFlags"` + + // PlatformHooks are commands that will run on plugin events, with a platform selector and support for args. + // + // The command and args will be passed through environment expansion, so env vars can + // be present in the command. + // + // Note that the command is not executed in a shell. To do so, we suggest + // pointing the command to a shell script. + // + // The following rules will apply to processing platform hooks: + // - If PlatformHooks is present, it will be used + // - If both OS and Arch match the current platform, search will stop and the command will be executed + // - If OS matches and Arch is empty, the command will be executed + // - If no OS/Arch match is found, the default command will be executed + // - If no matches are found in platformHooks, Helm will skip the event + PlatformHooks PlatformHooks `json:"platformHooks"` + + // Hooks are commands that will run on plugin events, as a single string. + // Providing a hooks will result in an error if PlatformHooks is also set. + // + // The command will be passed through environment expansion, so env vars can + // be present in this command. + // + // Note that the command is executed in the sh shell. + // + // DEPRECATED: Use PlatformHooks instead. Remove in Helm 4. + Hooks Hooks + + // Downloaders field is used if the plugin supply downloader mechanism + // for special protocols. + Downloaders []Downloaders `json:"downloaders"` + + // UseTunnelDeprecated indicates that this command needs a tunnel. + // Setting this will cause a number of side effects, such as the + // automatic setting of HELM_HOST. + // DEPRECATED and unused, but retained for backwards compatibility with Helm 2 plugins. Remove in Helm 4 + UseTunnelDeprecated bool `json:"useTunnel,omitempty"` +} + +// Plugin represents a plugin. +type Plugin struct { + // Metadata is a parsed representation of a plugin.yaml + Metadata *Metadata + // Dir is the string path to the directory that holds the plugin. + Dir string +} + +// Returns command and args strings based on the following rules in priority order: +// - From the PlatformCommand where OS and Arch match the current platform +// - From the PlatformCommand where OS matches the current platform and Arch is empty/unspecified +// - From the PlatformCommand where OS is empty/unspecified and Arch matches the current platform +// - From the PlatformCommand where OS and Arch are both empty/unspecified +// - Return nil, nil +func getPlatformCommand(cmds []PlatformCommand) ([]string, []string) { + var command, args []string + found := false + foundOs := false + + eq := strings.EqualFold + for _, c := range cmds { + if eq(c.OperatingSystem, runtime.GOOS) && eq(c.Architecture, runtime.GOARCH) { + // Return early for an exact match + return strings.Split(c.Command, " "), c.Args + } + + if (len(c.OperatingSystem) > 0 && !eq(c.OperatingSystem, runtime.GOOS)) || len(c.Architecture) > 0 { + // Skip if OS is not empty and doesn't match or if arch is set as a set arch requires an OS match + continue + } + + if !foundOs && len(c.OperatingSystem) > 0 && eq(c.OperatingSystem, runtime.GOOS) { + // First OS match with empty arch, can only be overridden by a direct match + command = strings.Split(c.Command, " ") + args = c.Args + found = true + foundOs = true + } else if !found { + // First empty match, can be overridden by a direct match or an OS match + command = strings.Split(c.Command, " ") + args = c.Args + found = true + } + } + + return command, args +} + +// PrepareCommands takes a []Plugin.PlatformCommand +// and prepares the command and arguments for execution. +// +// It merges extraArgs into any arguments supplied in the plugin. It +// returns the main command and an args array. +// +// The result is suitable to pass to exec.Command. +func PrepareCommands(cmds []PlatformCommand, expandArgs bool, extraArgs []string) (string, []string, error) { + cmdParts, args := getPlatformCommand(cmds) + if len(cmdParts) == 0 || cmdParts[0] == "" { + return "", nil, fmt.Errorf("no plugin command is applicable") + } + + main := os.ExpandEnv(cmdParts[0]) + baseArgs := []string{} + if len(cmdParts) > 1 { + for _, cmdPart := range cmdParts[1:] { + if expandArgs { + baseArgs = append(baseArgs, os.ExpandEnv(cmdPart)) + } else { + baseArgs = append(baseArgs, cmdPart) + } + } + } + + for _, arg := range args { + if expandArgs { + baseArgs = append(baseArgs, os.ExpandEnv(arg)) + } else { + baseArgs = append(baseArgs, arg) + } + } + + if len(extraArgs) > 0 { + baseArgs = append(baseArgs, extraArgs...) + } + + return main, baseArgs, nil +} + +// PrepareCommand gets the correct command and arguments for a plugin. +// +// It merges extraArgs into any arguments supplied in the plugin. It returns the name of the command and an args array. +// +// The result is suitable to pass to exec.Command. +func (p *Plugin) PrepareCommand(extraArgs []string) (string, []string, error) { + var extraArgsIn []string + + if !p.Metadata.IgnoreFlags { + extraArgsIn = extraArgs + } + + cmds := p.Metadata.PlatformCommand + if len(cmds) == 0 && len(p.Metadata.Command) > 0 { + cmds = []PlatformCommand{{Command: p.Metadata.Command}} + } + + return PrepareCommands(cmds, true, extraArgsIn) +} + +// validPluginName is a regular expression that validates plugin names. +// +// Plugin names can only contain the ASCII characters a-z, A-Z, 0-9, ​_​ and ​-. +var validPluginName = regexp.MustCompile("^[A-Za-z0-9_-]+$") + +// validatePluginData validates a plugin's YAML data. +func validatePluginData(plug *Plugin, filepath string) error { + // When metadata section missing, initialize with no data + if plug.Metadata == nil { + plug.Metadata = &Metadata{} + } + if !validPluginName.MatchString(plug.Metadata.Name) { + return fmt.Errorf("invalid plugin name at %q", filepath) + } + plug.Metadata.Usage = sanitizeString(plug.Metadata.Usage) + + if len(plug.Metadata.PlatformCommand) > 0 && len(plug.Metadata.Command) > 0 { + fmt.Printf("WARNING: both 'platformCommand' and 'command' are set in %q (this will become an error in a future Helm version)\n", filepath) + } + + if len(plug.Metadata.PlatformHooks) > 0 && len(plug.Metadata.Hooks) > 0 { + fmt.Printf("WARNING: both 'platformHooks' and 'hooks' are set in %q (this will become an error in a future Helm version)\n", filepath) + } + + // We could also validate SemVer, executable, and other fields should we so choose. + return nil +} + +// sanitizeString normalize spaces and removes non-printable characters. +func sanitizeString(str string) string { + return strings.Map(func(r rune) rune { + if unicode.IsSpace(r) { + return ' ' + } + if unicode.IsPrint(r) { + return r + } + return -1 + }, str) +} + +func detectDuplicates(plugs []*Plugin) error { + names := map[string]string{} + + for _, plug := range plugs { + if oldpath, ok := names[plug.Metadata.Name]; ok { + return fmt.Errorf( + "two plugins claim the name %q at %q and %q", + plug.Metadata.Name, + oldpath, + plug.Dir, + ) + } + names[plug.Metadata.Name] = plug.Dir + } + + return nil +} + +// LoadDir loads a plugin from the given directory. +func LoadDir(dirname string) (*Plugin, error) { + pluginfile := filepath.Join(dirname, PluginFileName) + data, err := os.ReadFile(pluginfile) + if err != nil { + return nil, errors.Wrapf(err, "failed to read plugin at %q", pluginfile) + } + + plug := &Plugin{Dir: dirname} + if err := yaml.UnmarshalStrict(data, &plug.Metadata); err != nil { + return nil, errors.Wrapf(err, "failed to load plugin at %q", pluginfile) + } + return plug, validatePluginData(plug, pluginfile) +} + +// LoadAll loads all plugins found beneath the base directory. +// +// This scans only one directory level. +func LoadAll(basedir string) ([]*Plugin, error) { + plugins := []*Plugin{} + // We want basedir/*/plugin.yaml + scanpath := filepath.Join(basedir, "*", PluginFileName) + matches, err := filepath.Glob(scanpath) + if err != nil { + return plugins, errors.Wrapf(err, "failed to find plugins in %q", scanpath) + } + + if matches == nil { + return plugins, nil + } + + for _, yaml := range matches { + dir := filepath.Dir(yaml) + p, err := LoadDir(dir) + if err != nil { + return plugins, err + } + plugins = append(plugins, p) + } + return plugins, detectDuplicates(plugins) +} + +// FindPlugins returns a list of YAML files that describe plugins. +func FindPlugins(plugdirs string) ([]*Plugin, error) { + found := []*Plugin{} + // Let's get all UNIXy and allow path separators + for _, p := range filepath.SplitList(plugdirs) { + matches, err := LoadAll(p) + if err != nil { + return matches, err + } + found = append(found, matches...) + } + return found, nil +} + +// SetupPluginEnv prepares os.Env for plugins. It operates on os.Env because +// the plugin subsystem itself needs access to the environment variables +// created here. +func SetupPluginEnv(settings *cli.EnvSettings, name, base string) { + env := settings.EnvVars() + env["HELM_PLUGIN_NAME"] = name + env["HELM_PLUGIN_DIR"] = base + for key, val := range env { + os.Setenv(key, val) + } +} diff --git a/vendor/helm.sh/helm/v3/pkg/postrender/exec.go b/vendor/helm.sh/helm/v3/pkg/postrender/exec.go new file mode 100644 index 0000000000..167e737d65 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/postrender/exec.go @@ -0,0 +1,109 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package postrender + +import ( + "bytes" + "io" + "os/exec" + "path/filepath" + + "github.com/pkg/errors" +) + +type execRender struct { + binaryPath string + args []string +} + +// NewExec returns a PostRenderer implementation that calls the provided binary. +// It returns an error if the binary cannot be found. If the path does not +// contain any separators, it will search in $PATH, otherwise it will resolve +// any relative paths to a fully qualified path +func NewExec(binaryPath string, args ...string) (PostRenderer, error) { + fullPath, err := getFullPath(binaryPath) + if err != nil { + return nil, err + } + return &execRender{fullPath, args}, nil +} + +// Run the configured binary for the post render +func (p *execRender) Run(renderedManifests *bytes.Buffer) (*bytes.Buffer, error) { + cmd := exec.Command(p.binaryPath, p.args...) + stdin, err := cmd.StdinPipe() + if err != nil { + return nil, err + } + + var postRendered = &bytes.Buffer{} + var stderr = &bytes.Buffer{} + cmd.Stdout = postRendered + cmd.Stderr = stderr + + go func() { + defer stdin.Close() + io.Copy(stdin, renderedManifests) + }() + err = cmd.Run() + if err != nil { + return nil, errors.Wrapf(err, "error while running command %s. error output:\n%s", p.binaryPath, stderr.String()) + } + + return postRendered, nil +} + +// getFullPath returns the full filepath to the binary to execute. If the path +// does not contain any separators, it will search in $PATH, otherwise it will +// resolve any relative paths to a fully qualified path +func getFullPath(binaryPath string) (string, error) { + // NOTE(thomastaylor312): I am leaving this code commented out here. During + // the implementation of post-render, it was brought up that if we are + // relying on plugins, we should actually use the plugin system so it can + // properly handle multiple OSs. This will be a feature add in the future, + // so I left this code for reference. It can be deleted or reused once the + // feature is implemented + + // Manually check the plugin dir first + // if !strings.Contains(binaryPath, string(filepath.Separator)) { + // // First check the plugin dir + // pluginDir := helmpath.DataPath("plugins") // Default location + // // If location for plugins is explicitly set, check there + // if v, ok := os.LookupEnv("HELM_PLUGINS"); ok { + // pluginDir = v + // } + // // The plugins variable can actually contain multiple paths, so loop through those + // for _, p := range filepath.SplitList(pluginDir) { + // _, err := os.Stat(filepath.Join(p, binaryPath)) + // if err != nil && !os.IsNotExist(err) { + // return "", err + // } else if err == nil { + // binaryPath = filepath.Join(p, binaryPath) + // break + // } + // } + // } + + // Now check for the binary using the given path or check if it exists in + // the path and is executable + checkedPath, err := exec.LookPath(binaryPath) + if err != nil { + return "", errors.Wrapf(err, "unable to find binary at %s", binaryPath) + } + + return filepath.Abs(checkedPath) +} diff --git a/vendor/helm.sh/helm/v3/pkg/postrender/postrender.go b/vendor/helm.sh/helm/v3/pkg/postrender/postrender.go new file mode 100644 index 0000000000..3af3842907 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/postrender/postrender.go @@ -0,0 +1,29 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Package postrender contains an interface that can be implemented for custom +// post-renderers and an exec implementation that can be used for arbitrary +// binaries and scripts +package postrender + +import "bytes" + +type PostRenderer interface { + // Run expects a single buffer filled with Helm rendered manifests. It + // expects the modified results to be returned on a separate buffer or an + // error if there was an issue or failure while running the post render step + Run(renderedManifests *bytes.Buffer) (modifiedManifests *bytes.Buffer, err error) +} diff --git a/vendor/helm.sh/helm/v3/pkg/provenance/doc.go b/vendor/helm.sh/helm/v3/pkg/provenance/doc.go new file mode 100644 index 0000000000..0c7ae06180 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/provenance/doc.go @@ -0,0 +1,38 @@ +/* +Copyright The Helm Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +/* +Package provenance provides tools for establishing the authenticity of a chart. + +In Helm, provenance is established via several factors. The primary factor is the +cryptographic signature of a chart. Chart authors may sign charts, which in turn +provide the necessary metadata to ensure the integrity of the chart file, the +Chart.yaml, and the referenced Docker images. + +A provenance file is clear-signed. This provides cryptographic verification that +a particular block of information (Chart.yaml, archive file, images) have not +been tampered with or altered. To learn more, read the GnuPG documentation on +clear signatures: +https://www.gnupg.org/gph/en/manual/x135.html + +The cryptography used by Helm should be compatible with OpenGPG. For example, +you should be able to verify a signature by importing the desired public key +and using `gpg --verify`, `keybase pgp verify`, or similar: + + $ gpg --verify some.sig + gpg: Signature made Mon Jul 25 17:23:44 2016 MDT using RSA key ID 1FC18762 + gpg: Good signature from "Helm Testing (This key should only be used for testing. DO NOT TRUST.) " [ultimate] +*/ +package provenance // import "helm.sh/helm/v3/pkg/provenance" diff --git a/vendor/helm.sh/helm/v3/pkg/provenance/sign.go b/vendor/helm.sh/helm/v3/pkg/provenance/sign.go new file mode 100644 index 0000000000..7f89ef3f53 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/provenance/sign.go @@ -0,0 +1,427 @@ +/* +Copyright The Helm Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package provenance + +import ( + "bytes" + "crypto" + "encoding/hex" + "io" + "os" + "path/filepath" + "strings" + + "github.com/pkg/errors" + "golang.org/x/crypto/openpgp" //nolint + "golang.org/x/crypto/openpgp/clearsign" //nolint + "golang.org/x/crypto/openpgp/packet" //nolint + "sigs.k8s.io/yaml" + + hapi "helm.sh/helm/v3/pkg/chart" + "helm.sh/helm/v3/pkg/chart/loader" +) + +var defaultPGPConfig = packet.Config{ + DefaultHash: crypto.SHA512, +} + +// SumCollection represents a collection of file and image checksums. +// +// Files are of the form: +// +// FILENAME: "sha256:SUM" +// +// Images are of the form: +// +// "IMAGE:TAG": "sha256:SUM" +// +// Docker optionally supports sha512, and if this is the case, the hash marker +// will be 'sha512' instead of 'sha256'. +type SumCollection struct { + Files map[string]string `json:"files"` + Images map[string]string `json:"images,omitempty"` +} + +// Verification contains information about a verification operation. +type Verification struct { + // SignedBy contains the entity that signed a chart. + SignedBy *openpgp.Entity + // FileHash is the hash, prepended with the scheme, for the file that was verified. + FileHash string + // FileName is the name of the file that FileHash verifies. + FileName string +} + +// Signatory signs things. +// +// Signatories can be constructed from a PGP private key file using NewFromFiles +// or they can be constructed manually by setting the Entity to a valid +// PGP entity. +// +// The same Signatory can be used to sign or validate multiple charts. +type Signatory struct { + // The signatory for this instance of Helm. This is used for signing. + Entity *openpgp.Entity + // The keyring for this instance of Helm. This is used for verification. + KeyRing openpgp.EntityList +} + +// NewFromFiles constructs a new Signatory from the PGP key in the given filename. +// +// This will emit an error if it cannot find a valid GPG keyfile (entity) at the +// given location. +// +// Note that the keyfile may have just a public key, just a private key, or +// both. The Signatory methods may have different requirements of the keys. For +// example, ClearSign must have a valid `openpgp.Entity.PrivateKey` before it +// can sign something. +func NewFromFiles(keyfile, keyringfile string) (*Signatory, error) { + e, err := loadKey(keyfile) + if err != nil { + return nil, err + } + + ring, err := loadKeyRing(keyringfile) + if err != nil { + return nil, err + } + + return &Signatory{ + Entity: e, + KeyRing: ring, + }, nil +} + +// NewFromKeyring reads a keyring file and creates a Signatory. +// +// If id is not the empty string, this will also try to find an Entity in the +// keyring whose name matches, and set that as the signing entity. It will return +// an error if the id is not empty and also not found. +func NewFromKeyring(keyringfile, id string) (*Signatory, error) { + ring, err := loadKeyRing(keyringfile) + if err != nil { + return nil, err + } + + s := &Signatory{KeyRing: ring} + + // If the ID is empty, we can return now. + if id == "" { + return s, nil + } + + // We're gonna go all GnuPG on this and look for a string that _contains_. If + // two or more keys contain the string and none are a direct match, we error + // out. + var candidate *openpgp.Entity + vague := false + for _, e := range ring { + for n := range e.Identities { + if n == id { + s.Entity = e + return s, nil + } + if strings.Contains(n, id) { + if candidate != nil { + vague = true + } + candidate = e + } + } + } + if vague { + return s, errors.Errorf("more than one key contain the id %q", id) + } + + s.Entity = candidate + return s, nil +} + +// PassphraseFetcher returns a passphrase for decrypting keys. +// +// This is used as a callback to read a passphrase from some other location. The +// given name is the Name field on the key, typically of the form: +// +// USER_NAME (COMMENT) +type PassphraseFetcher func(name string) ([]byte, error) + +// DecryptKey decrypts a private key in the Signatory. +// +// If the key is not encrypted, this will return without error. +// +// If the key does not exist, this will return an error. +// +// If the key exists, but cannot be unlocked with the passphrase returned by +// the PassphraseFetcher, this will return an error. +// +// If the key is successfully unlocked, it will return nil. +func (s *Signatory) DecryptKey(fn PassphraseFetcher) error { + if s.Entity == nil { + return errors.New("private key not found") + } else if s.Entity.PrivateKey == nil { + return errors.New("provided key is not a private key. Try providing a keyring with secret keys") + } + + // Nothing else to do if key is not encrypted. + if !s.Entity.PrivateKey.Encrypted { + return nil + } + + fname := "Unknown" + for i := range s.Entity.Identities { + if i != "" { + fname = i + break + } + } + + p, err := fn(fname) + if err != nil { + return err + } + + return s.Entity.PrivateKey.Decrypt(p) +} + +// ClearSign signs a chart with the given key. +// +// This takes the path to a chart archive file and a key, and it returns a clear signature. +// +// The Signatory must have a valid Entity.PrivateKey for this to work. If it does +// not, an error will be returned. +func (s *Signatory) ClearSign(chartpath string) (string, error) { + if s.Entity == nil { + return "", errors.New("private key not found") + } else if s.Entity.PrivateKey == nil { + return "", errors.New("provided key is not a private key. Try providing a keyring with secret keys") + } + + if fi, err := os.Stat(chartpath); err != nil { + return "", err + } else if fi.IsDir() { + return "", errors.New("cannot sign a directory") + } + + out := bytes.NewBuffer(nil) + + b, err := messageBlock(chartpath) + if err != nil { + return "", err + } + + // Sign the buffer + w, err := clearsign.Encode(out, s.Entity.PrivateKey, &defaultPGPConfig) + if err != nil { + return "", err + } + + _, err = io.Copy(w, b) + + if err != nil { + // NB: We intentionally don't call `w.Close()` here! `w.Close()` is the method which + // actually does the PGP signing, and therefore is the part which uses the private key. + // In other words, if we call Close here, there's a risk that there's an attempt to use the + // private key to sign garbage data (since we know that io.Copy failed, `w` won't contain + // anything useful). + return "", errors.Wrap(err, "failed to write to clearsign encoder") + } + + err = w.Close() + if err != nil { + return "", errors.Wrap(err, "failed to either sign or armor message block") + } + + return out.String(), nil +} + +// Verify checks a signature and verifies that it is legit for a chart. +func (s *Signatory) Verify(chartpath, sigpath string) (*Verification, error) { + ver := &Verification{} + for _, fname := range []string{chartpath, sigpath} { + if fi, err := os.Stat(fname); err != nil { + return ver, err + } else if fi.IsDir() { + return ver, errors.Errorf("%s cannot be a directory", fname) + } + } + + // First verify the signature + sig, err := s.decodeSignature(sigpath) + if err != nil { + return ver, errors.Wrap(err, "failed to decode signature") + } + + by, err := s.verifySignature(sig) + if err != nil { + return ver, err + } + ver.SignedBy = by + + // Second, verify the hash of the tarball. + sum, err := DigestFile(chartpath) + if err != nil { + return ver, err + } + _, sums, err := parseMessageBlock(sig.Plaintext) + if err != nil { + return ver, err + } + + sum = "sha256:" + sum + basename := filepath.Base(chartpath) + if sha, ok := sums.Files[basename]; !ok { + return ver, errors.Errorf("provenance does not contain a SHA for a file named %q", basename) + } else if sha != sum { + return ver, errors.Errorf("sha256 sum does not match for %s: %q != %q", basename, sha, sum) + } + ver.FileHash = sum + ver.FileName = basename + + // TODO: when image signing is added, verify that here. + + return ver, nil +} + +func (s *Signatory) decodeSignature(filename string) (*clearsign.Block, error) { + data, err := os.ReadFile(filename) + if err != nil { + return nil, err + } + + block, _ := clearsign.Decode(data) + if block == nil { + // There was no sig in the file. + return nil, errors.New("signature block not found") + } + + return block, nil +} + +// verifySignature verifies that the given block is validly signed, and returns the signer. +func (s *Signatory) verifySignature(block *clearsign.Block) (*openpgp.Entity, error) { + return openpgp.CheckDetachedSignature( + s.KeyRing, + bytes.NewBuffer(block.Bytes), + block.ArmoredSignature.Body, + ) +} + +func messageBlock(chartpath string) (*bytes.Buffer, error) { + var b *bytes.Buffer + // Checksum the archive + chash, err := DigestFile(chartpath) + if err != nil { + return b, err + } + + base := filepath.Base(chartpath) + sums := &SumCollection{ + Files: map[string]string{ + base: "sha256:" + chash, + }, + } + + // Load the archive into memory. + chart, err := loader.LoadFile(chartpath) + if err != nil { + return b, err + } + + // Buffer a hash + checksums YAML file + data, err := yaml.Marshal(chart.Metadata) + if err != nil { + return b, err + } + + // FIXME: YAML uses ---\n as a file start indicator, but this is not legal in a PGP + // clearsign block. So we use ...\n, which is the YAML document end marker. + // http://yaml.org/spec/1.2/spec.html#id2800168 + b = bytes.NewBuffer(data) + b.WriteString("\n...\n") + + data, err = yaml.Marshal(sums) + if err != nil { + return b, err + } + b.Write(data) + + return b, nil +} + +// parseMessageBlock +func parseMessageBlock(data []byte) (*hapi.Metadata, *SumCollection, error) { + // This sucks. + parts := bytes.Split(data, []byte("\n...\n")) + if len(parts) < 2 { + return nil, nil, errors.New("message block must have at least two parts") + } + + md := &hapi.Metadata{} + sc := &SumCollection{} + + if err := yaml.Unmarshal(parts[0], md); err != nil { + return md, sc, err + } + err := yaml.Unmarshal(parts[1], sc) + return md, sc, err +} + +// loadKey loads a GPG key found at a particular path. +func loadKey(keypath string) (*openpgp.Entity, error) { + f, err := os.Open(keypath) + if err != nil { + return nil, err + } + defer f.Close() + + pr := packet.NewReader(f) + return openpgp.ReadEntity(pr) +} + +func loadKeyRing(ringpath string) (openpgp.EntityList, error) { + f, err := os.Open(ringpath) + if err != nil { + return nil, err + } + defer f.Close() + return openpgp.ReadKeyRing(f) +} + +// DigestFile calculates a SHA256 hash (like Docker) for a given file. +// +// It takes the path to the archive file, and returns a string representation of +// the SHA256 sum. +// +// The intended use of this function is to generate a sum of a chart TGZ file. +func DigestFile(filename string) (string, error) { + f, err := os.Open(filename) + if err != nil { + return "", err + } + defer f.Close() + return Digest(f) +} + +// Digest hashes a reader and returns a SHA256 digest. +// +// Helm uses SHA256 as its default hash for all non-cryptographic applications. +func Digest(in io.Reader) (string, error) { + hash := crypto.SHA256.New() + if _, err := io.Copy(hash, in); err != nil { + return "", nil + } + return hex.EncodeToString(hash.Sum(nil)), nil +} diff --git a/vendor/helm.sh/helm/v3/pkg/pusher/doc.go b/vendor/helm.sh/helm/v3/pkg/pusher/doc.go new file mode 100644 index 0000000000..df89ab112b --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/pusher/doc.go @@ -0,0 +1,21 @@ +/* +Copyright The Helm Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +/* +Package pusher provides a generalized tool for uploading data by scheme. +This provides a method by which the plugin system can load arbitrary protocol +handlers based upon a URL scheme. +*/ +package pusher diff --git a/vendor/helm.sh/helm/v3/pkg/pusher/ocipusher.go b/vendor/helm.sh/helm/v3/pkg/pusher/ocipusher.go new file mode 100644 index 0000000000..33296aaddc --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/pusher/ocipusher.go @@ -0,0 +1,157 @@ +/* +Copyright The Helm Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package pusher + +import ( + "fmt" + "net" + "net/http" + "os" + "path" + "strings" + "time" + + "github.com/pkg/errors" + + "helm.sh/helm/v3/internal/tlsutil" + "helm.sh/helm/v3/pkg/chart/loader" + "helm.sh/helm/v3/pkg/registry" + "helm.sh/helm/v3/pkg/time/ctime" +) + +// OCIPusher is the default OCI backend handler +type OCIPusher struct { + opts options +} + +// Push performs a Push from repo.Pusher. +func (pusher *OCIPusher) Push(chartRef, href string, options ...Option) error { + for _, opt := range options { + opt(&pusher.opts) + } + return pusher.push(chartRef, href) +} + +func (pusher *OCIPusher) push(chartRef, href string) error { + stat, err := os.Stat(chartRef) + if err != nil { + if os.IsNotExist(err) { + return errors.Errorf("%s: no such file", chartRef) + } + return err + } + if stat.IsDir() { + return errors.New("cannot push directory, must provide chart archive (.tgz)") + } + + meta, err := loader.Load(chartRef) + if err != nil { + return err + } + + client := pusher.opts.registryClient + if client == nil { + c, err := pusher.newRegistryClient() + if err != nil { + return err + } + client = c + } + + chartBytes, err := os.ReadFile(chartRef) + if err != nil { + return err + } + + var pushOpts []registry.PushOption + provRef := fmt.Sprintf("%s.prov", chartRef) + if _, err := os.Stat(provRef); err == nil { + provBytes, err := os.ReadFile(provRef) + if err != nil { + return err + } + pushOpts = append(pushOpts, registry.PushOptProvData(provBytes)) + } + + ref := fmt.Sprintf("%s:%s", + path.Join(strings.TrimPrefix(href, fmt.Sprintf("%s://", registry.OCIScheme)), meta.Metadata.Name), + meta.Metadata.Version) + + // The time the chart was "created" is semantically the time the chart archive file was last written(modified) + chartArchiveFileCreatedTime := ctime.Modified(stat) + pushOpts = append(pushOpts, registry.PushOptCreationTime(chartArchiveFileCreatedTime.Format(time.RFC3339))) + + _, err = client.Push(chartBytes, ref, pushOpts...) + return err +} + +// NewOCIPusher constructs a valid OCI client as a Pusher +func NewOCIPusher(ops ...Option) (Pusher, error) { + var client OCIPusher + + for _, opt := range ops { + opt(&client.opts) + } + + return &client, nil +} + +func (pusher *OCIPusher) newRegistryClient() (*registry.Client, error) { + if (pusher.opts.certFile != "" && pusher.opts.keyFile != "") || pusher.opts.caFile != "" || pusher.opts.insecureSkipTLSverify { + tlsConf, err := tlsutil.NewClientTLS(pusher.opts.certFile, pusher.opts.keyFile, pusher.opts.caFile, pusher.opts.insecureSkipTLSverify) + if err != nil { + return nil, errors.Wrap(err, "can't create TLS config for client") + } + + registryClient, err := registry.NewClient( + registry.ClientOptHTTPClient(&http.Client{ + // From https://github.com/google/go-containerregistry/blob/31786c6cbb82d6ec4fb8eb79cd9387905130534e/pkg/v1/remote/options.go#L87 + Transport: &http.Transport{ + Proxy: http.ProxyFromEnvironment, + DialContext: (&net.Dialer{ + // By default we wrap the transport in retries, so reduce the + // default dial timeout to 5s to avoid 5x 30s of connection + // timeouts when doing the "ping" on certain http registries. + Timeout: 5 * time.Second, + KeepAlive: 30 * time.Second, + }).DialContext, + ForceAttemptHTTP2: true, + MaxIdleConns: 100, + IdleConnTimeout: 90 * time.Second, + TLSHandshakeTimeout: 10 * time.Second, + ExpectContinueTimeout: 1 * time.Second, + TLSClientConfig: tlsConf, + }, + }), + registry.ClientOptEnableCache(true), + ) + if err != nil { + return nil, err + } + return registryClient, nil + } + + opts := []registry.ClientOption{registry.ClientOptEnableCache(true)} + if pusher.opts.plainHTTP { + opts = append(opts, registry.ClientOptPlainHTTP()) + } + + registryClient, err := registry.NewClient(opts...) + if err != nil { + return nil, err + } + return registryClient, nil +} diff --git a/vendor/helm.sh/helm/v3/pkg/pusher/pusher.go b/vendor/helm.sh/helm/v3/pkg/pusher/pusher.go new file mode 100644 index 0000000000..5b8a9160f0 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/pusher/pusher.go @@ -0,0 +1,122 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package pusher + +import ( + "github.com/pkg/errors" + + "helm.sh/helm/v3/pkg/cli" + "helm.sh/helm/v3/pkg/registry" +) + +// options are generic parameters to be provided to the pusher during instantiation. +// +// Pushers may or may not ignore these parameters as they are passed in. +type options struct { + registryClient *registry.Client + certFile string + keyFile string + caFile string + insecureSkipTLSverify bool + plainHTTP bool +} + +// Option allows specifying various settings configurable by the user for overriding the defaults +// used when performing Push operations with the Pusher. +type Option func(*options) + +// WithRegistryClient sets the registryClient option. +func WithRegistryClient(client *registry.Client) Option { + return func(opts *options) { + opts.registryClient = client + } +} + +// WithTLSClientConfig sets the client auth with the provided credentials. +func WithTLSClientConfig(certFile, keyFile, caFile string) Option { + return func(opts *options) { + opts.certFile = certFile + opts.keyFile = keyFile + opts.caFile = caFile + } +} + +// WithInsecureSkipTLSVerify determines if a TLS Certificate will be checked +func WithInsecureSkipTLSVerify(insecureSkipTLSVerify bool) Option { + return func(opts *options) { + opts.insecureSkipTLSverify = insecureSkipTLSVerify + } +} + +func WithPlainHTTP(plainHTTP bool) Option { + return func(opts *options) { + opts.plainHTTP = plainHTTP + } +} + +// Pusher is an interface to support upload to the specified URL. +type Pusher interface { + // Push file content by url string + Push(chartRef, url string, options ...Option) error +} + +// Constructor is the function for every pusher which creates a specific instance +// according to the configuration +type Constructor func(options ...Option) (Pusher, error) + +// Provider represents any pusher and the schemes that it supports. +type Provider struct { + Schemes []string + New Constructor +} + +// Provides returns true if the given scheme is supported by this Provider. +func (p Provider) Provides(scheme string) bool { + for _, i := range p.Schemes { + if i == scheme { + return true + } + } + return false +} + +// Providers is a collection of Provider objects. +type Providers []Provider + +// ByScheme returns a Provider that handles the given scheme. +// +// If no provider handles this scheme, this will return an error. +func (p Providers) ByScheme(scheme string) (Pusher, error) { + for _, pp := range p { + if pp.Provides(scheme) { + return pp.New() + } + } + return nil, errors.Errorf("scheme %q not supported", scheme) +} + +var ociProvider = Provider{ + Schemes: []string{registry.OCIScheme}, + New: NewOCIPusher, +} + +// All finds all of the registered pushers as a list of Provider instances. +// Currently, just the built-in pushers are collected. +func All(_ *cli.EnvSettings) Providers { + result := Providers{ociProvider} + return result +} diff --git a/vendor/helm.sh/helm/v3/pkg/registry/client.go b/vendor/helm.sh/helm/v3/pkg/registry/client.go new file mode 100644 index 0000000000..8818f5763b --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/registry/client.go @@ -0,0 +1,985 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package registry // import "helm.sh/helm/v3/pkg/registry" + +import ( + "context" + "crypto/tls" + "crypto/x509" + "encoding/json" + "fmt" + "io" + "net/http" + "net/url" + "os" + "sort" + "strings" + "sync" + + "github.com/Masterminds/semver/v3" + "github.com/containerd/containerd/remotes" + "github.com/opencontainers/image-spec/specs-go" + ocispec "github.com/opencontainers/image-spec/specs-go/v1" + "github.com/pkg/errors" + "oras.land/oras-go/v2" + "oras.land/oras-go/v2/content" + "oras.land/oras-go/v2/content/memory" + "oras.land/oras-go/v2/registry" + "oras.land/oras-go/v2/registry/remote" + "oras.land/oras-go/v2/registry/remote/auth" + "oras.land/oras-go/v2/registry/remote/credentials" + "oras.land/oras-go/v2/registry/remote/retry" + + "helm.sh/helm/v3/internal/version" + "helm.sh/helm/v3/pkg/chart" + "helm.sh/helm/v3/pkg/helmpath" +) + +// See https://github.com/helm/helm/issues/10166 +const registryUnderscoreMessage = ` +OCI artifact references (e.g. tags) do not support the plus sign (+). To support +storing semantic versions, Helm adopts the convention of changing plus (+) to +an underscore (_) in chart version tags when pushing to a registry and back to +a plus (+) when pulling from a registry.` + +var errDeprecatedRemote = errors.New("providing github.com/containerd/containerd/remotes.Resolver via ClientOptResolver is no longer suported") + +type ( + // RemoteClient shadows the ORAS remote.Client interface + // (hiding the ORAS type from Helm client visibility) + // https://pkg.go.dev/oras.land/oras-go/pkg/registry/remote#Client + RemoteClient interface { + Do(req *http.Request) (*http.Response, error) + } + + // Client works with OCI-compliant registries + Client struct { + debug bool + enableCache bool + // path to repository config file e.g. ~/.docker/config.json + credentialsFile string + username string + password string + out io.Writer + authorizer *auth.Client + registryAuthorizer RemoteClient + credentialsStore credentials.Store + httpClient *http.Client + plainHTTP bool + err error // pass any errors from the ClientOption functions + + // credentialsFileTemp captures if the empty file / EOF work around is being used. + credentialsFileTemp bool + } + + // ClientOption allows specifying various settings configurable by the user for overriding the defaults + // used when creating a new default client + ClientOption func(*Client) +) + +// NewClient returns a new registry client with config +func NewClient(options ...ClientOption) (*Client, error) { + client := &Client{ + out: io.Discard, + } + for _, option := range options { + option(client) + if client.err != nil { + return nil, client.err + } + } + if client.credentialsFile == "" { + client.credentialsFile = helmpath.ConfigPath(CredentialsFileBasename) + } + if client.httpClient == nil { + transport := newTransport(client.debug) + client.httpClient = &http.Client{ + Transport: transport, + } + } + + storeOptions := credentials.StoreOptions{ + AllowPlaintextPut: true, + DetectDefaultNativeStore: true, + } + store, err := credentials.NewStore(client.credentialsFile, storeOptions) + if err != nil { + // If the file exists and is empty there will be an EOF error. This error is not wrapped so + // a check with errors.Is will not work. The only way to capture it is an EOF error is + // with string parsing. + // This handling passes no file location which will cause NewStore to invoke its + // fault tolerance for a file not existing. A bool records this bypass so that if the + // credential store needs to be written to it this work around can be handled. See the + // Login method for more details. + if strings.Contains(err.Error(), "invalid config format: EOF") { + var err2 error + store, err2 = credentials.NewStore("", storeOptions) + if err2 != nil { + return nil, err + } + client.credentialsFileTemp = true + } else { + return nil, err + } + } + dockerStore, err := credentials.NewStoreFromDocker(storeOptions) + if err != nil { + client.credentialsStore = store + } else { + // use Helm credentials with fallback to Docker + client.credentialsStore = credentials.NewStoreWithFallbacks(store, dockerStore) + } + + if client.authorizer == nil { + authorizer := auth.Client{ + Client: client.httpClient, + } + authorizer.SetUserAgent(version.GetUserAgent()) + + authorizer.Credential = credentials.Credential(client.credentialsStore) + + if client.enableCache { + authorizer.Cache = auth.NewCache() + } + + client.authorizer = &authorizer + } + + return client, nil +} + +// ClientOptDebug returns a function that sets the debug setting on client options set +func ClientOptDebug(debug bool) ClientOption { + return func(client *Client) { + client.debug = debug + } +} + +// ClientOptEnableCache returns a function that sets the enableCache setting on a client options set +func ClientOptEnableCache(enableCache bool) ClientOption { + return func(client *Client) { + client.enableCache = enableCache + } +} + +// ClientOptBasicAuth returns a function that sets the username and password setting on client options set +func ClientOptBasicAuth(username, password string) ClientOption { + return func(client *Client) { + client.username = username + client.password = password + } +} + +// ClientOptWriter returns a function that sets the writer setting on client options set +func ClientOptWriter(out io.Writer) ClientOption { + return func(client *Client) { + client.out = out + } +} + +// ClientOptAuthorizer returns a function that sets the authorizer setting on a client options set. This +// can be used to override the default authorization mechanism. +// +// Depending on the use-case you may need to set both ClientOptAuthorizer and ClientOptRegistryAuthorizer. +func ClientOptAuthorizer(authorizer auth.Client) ClientOption { + return func(client *Client) { + client.authorizer = &authorizer + } +} + +// ClientOptRegistryAuthorizer returns a function that sets the registry authorizer setting on a client options set. This +// can be used to override the default authorization mechanism. +// +// Depending on the use-case you may need to set both ClientOptAuthorizer and ClientOptRegistryAuthorizer. +func ClientOptRegistryAuthorizer(registryAuthorizer RemoteClient) ClientOption { + return func(client *Client) { + client.registryAuthorizer = registryAuthorizer + } +} + +// ClientOptCredentialsFile returns a function that sets the credentialsFile setting on a client options set +func ClientOptCredentialsFile(credentialsFile string) ClientOption { + return func(client *Client) { + client.credentialsFile = credentialsFile + } +} + +// ClientOptHTTPClient returns a function that sets the httpClient setting on a client options set +func ClientOptHTTPClient(httpClient *http.Client) ClientOption { + return func(client *Client) { + client.httpClient = httpClient + } +} + +func ClientOptPlainHTTP() ClientOption { + return func(c *Client) { + c.plainHTTP = true + } +} + +func ClientOptResolver(_ remotes.Resolver) ClientOption { + return func(c *Client) { + c.err = errDeprecatedRemote + } +} + +type ( + // LoginOption allows specifying various settings on login + LoginOption func(*loginOperation) + + loginOperation struct { + host string + client *Client + } +) + +// Deprecated: will be removed in Helm 4 +// Added for backwards compatibility for Helm < 3.18.0 after moving to ORAS v2 +// ref: https://github.com/helm/helm/issues/30873 +// TODO: document that Helm 4 `registry login` does accept full URLs +func (c *Client) stripURL(host string) string { + // strip scheme from host in URL + for _, s := range []string{"oci://", "http://", "https://"} { + if strings.HasPrefix(host, s) { + plain := strings.TrimPrefix(host, s) + if c.debug { + fmt.Fprintf(c.out, "[WARNING] Invalid registry passed: registries should NOT be prefixed with a URL scheme. Use %q instead\n", plain) + } + host = plain + break + } + } + // strip repo from registry in URL + if idx := strings.Index(host, "/"); idx != -1 { + host = host[:idx] + if c.debug { + fmt.Fprintf(c.out, "[WARNING] Invalid registry passed: registries should NOT include a repository. Use %q instead\n", host) + } + return host + } + + return host +} + +// Login logs into a registry +func (c *Client) Login(host string, options ...LoginOption) error { + // This is the lowest available point to strip incorrect URL parts + host = c.stripURL(host) + + for _, option := range options { + option(&loginOperation{host, c}) + } + + reg, err := remote.NewRegistry(host) + if err != nil { + return err + } + reg.PlainHTTP = c.plainHTTP + cred := auth.Credential{Username: c.username, Password: c.password} + c.authorizer.ForceAttemptOAuth2 = true + reg.Client = c.authorizer + + ctx := context.Background() + if err := reg.Ping(ctx); err != nil { + c.authorizer.ForceAttemptOAuth2 = false + if err := reg.Ping(ctx); err != nil { + return fmt.Errorf("authenticating to %q: %w", host, err) + } + } + + // The credentialsStore loader does not handle empty files. So, there is a workaround. + // This can be removed when the credentials loader can handle empty files. + // When Helm catches an empty file error it causes the loader to trigger its fault + // tolerance for a file not existing and records it with a bool. If that bool is set and the + // file needs to be written, the file needs to be put into a usable state and loaded + // properly. + // See the NewClient function for the bypass setup. + if c.credentialsFileTemp { + err = os.WriteFile(c.credentialsFile, []byte("{}"), 0600) + if err != nil { + return err + } + storeOptions := credentials.StoreOptions{ + AllowPlaintextPut: true, + DetectDefaultNativeStore: true, + } + store, err := credentials.NewStore(c.credentialsFile, storeOptions) + if err != nil { + return err + } + c.credentialsStore = store + c.credentialsFileTemp = false + } + + key := credentials.ServerAddressFromRegistry(host) + key = credentials.ServerAddressFromHostname(key) + if err := c.credentialsStore.Put(ctx, key, cred); err != nil { + return err + } + + fmt.Fprintln(c.out, "Login Succeeded") + return nil +} + +// LoginOptBasicAuth returns a function that sets the username/password settings on login +func LoginOptBasicAuth(username string, password string) LoginOption { + return func(o *loginOperation) { + o.client.username = username + o.client.password = password + o.client.authorizer.Credential = auth.StaticCredential(o.host, auth.Credential{Username: username, Password: password}) + } +} + +// LoginOptPlainText returns a function that allows plaintext (HTTP) login +func LoginOptPlainText(isPlainText bool) LoginOption { + return func(o *loginOperation) { + o.client.plainHTTP = isPlainText + } +} + +func ensureTLSConfig(client *auth.Client) (*tls.Config, error) { + var transport *http.Transport + + switch t := client.Client.Transport.(type) { + case *http.Transport: + transport = t + case *fallbackTransport: + switch t := t.Base.(type) { + case *http.Transport: + transport = t + case *retry.Transport: + switch t := t.Base.(type) { + case *http.Transport: + transport = t + case *LoggingTransport: + switch t := t.RoundTripper.(type) { + case *http.Transport: + transport = t + } + } + } + } + + if transport == nil { + // we don't know how to access the http.Transport, most likely the + // auth.Client.Client was provided by API user + return nil, fmt.Errorf("unable to access TLS client configuration, the provided HTTP Transport is not supported, given: %T", client.Client.Transport) + } + + if transport.TLSClientConfig == nil { + transport.TLSClientConfig = &tls.Config{} + } + + return transport.TLSClientConfig, nil +} + +// LoginOptInsecure returns a function that sets the insecure setting on login +func LoginOptInsecure(insecure bool) LoginOption { + return func(o *loginOperation) { + tlsConfig, err := ensureTLSConfig(o.client.authorizer) + + if err != nil { + panic(err) + } + + tlsConfig.InsecureSkipVerify = insecure + } +} + +// LoginOptTLSClientConfig returns a function that sets the TLS settings on login. +func LoginOptTLSClientConfig(certFile, keyFile, caFile string) LoginOption { + return func(o *loginOperation) { + if (certFile == "" || keyFile == "") && caFile == "" { + return + } + tlsConfig, err := ensureTLSConfig(o.client.authorizer) + if err != nil { + panic(err) + } + + if certFile != "" && keyFile != "" { + authCert, err := tls.LoadX509KeyPair(certFile, keyFile) + if err != nil { + panic(err) + } + tlsConfig.Certificates = []tls.Certificate{authCert} + } + + if caFile != "" { + certPool := x509.NewCertPool() + ca, err := os.ReadFile(caFile) + if err != nil { + panic(err) + } + if !certPool.AppendCertsFromPEM(ca) { + panic(fmt.Errorf("unable to parse CA file: %q", caFile)) + } + tlsConfig.RootCAs = certPool + } + } +} + +type ( + // LogoutOption allows specifying various settings on logout + LogoutOption func(*logoutOperation) + + logoutOperation struct{} +) + +// Logout logs out of a registry +func (c *Client) Logout(host string, opts ...LogoutOption) error { + operation := &logoutOperation{} + for _, opt := range opts { + opt(operation) + } + + if err := credentials.Logout(context.Background(), c.credentialsStore, host); err != nil { + return err + } + fmt.Fprintf(c.out, "Removing login credentials for %s\n", host) + return nil +} + +type ( + // PullOption allows specifying various settings on pull + PullOption func(*pullOperation) + + // PullResult is the result returned upon successful pull. + PullResult struct { + Manifest *DescriptorPullSummary `json:"manifest"` + Config *DescriptorPullSummary `json:"config"` + Chart *DescriptorPullSummaryWithMeta `json:"chart"` + Prov *DescriptorPullSummary `json:"prov"` + Ref string `json:"ref"` + } + + DescriptorPullSummary struct { + Data []byte `json:"-"` + Digest string `json:"digest"` + Size int64 `json:"size"` + } + + DescriptorPullSummaryWithMeta struct { + DescriptorPullSummary + Meta *chart.Metadata `json:"meta"` + } + + pullOperation struct { + withChart bool + withProv bool + ignoreMissingProv bool + } +) + +// Pull downloads a chart from a registry +func (c *Client) Pull(ref string, options ...PullOption) (*PullResult, error) { + parsedRef, err := newReference(ref) + if err != nil { + return nil, err + } + + operation := &pullOperation{ + withChart: true, // By default, always download the chart layer + } + for _, option := range options { + option(operation) + } + if !operation.withChart && !operation.withProv { + return nil, errors.New( + "must specify at least one layer to pull (chart/prov)") + } + memoryStore := memory.New() + allowedMediaTypes := []string{ + ocispec.MediaTypeImageManifest, + ConfigMediaType, + } + minNumDescriptors := 1 // 1 for the config + if operation.withChart { + minNumDescriptors++ + allowedMediaTypes = append(allowedMediaTypes, ChartLayerMediaType, LegacyChartLayerMediaType) + } + if operation.withProv { + if !operation.ignoreMissingProv { + minNumDescriptors++ + } + allowedMediaTypes = append(allowedMediaTypes, ProvLayerMediaType) + } + + var descriptors, layers []ocispec.Descriptor + + repository, err := remote.NewRepository(parsedRef.String()) + if err != nil { + return nil, err + } + repository.PlainHTTP = c.plainHTTP + repository.Client = c.authorizer + + ctx := context.Background() + + sort.Strings(allowedMediaTypes) + + var mu sync.Mutex + manifest, err := oras.Copy(ctx, repository, parsedRef.String(), memoryStore, "", oras.CopyOptions{ + CopyGraphOptions: oras.CopyGraphOptions{ + PreCopy: func(_ context.Context, desc ocispec.Descriptor) error { + mediaType := desc.MediaType + if i := sort.SearchStrings(allowedMediaTypes, mediaType); i >= len(allowedMediaTypes) || allowedMediaTypes[i] != mediaType { + return oras.SkipNode + } + + mu.Lock() + layers = append(layers, desc) + mu.Unlock() + return nil + }, + }, + }) + if err != nil { + return nil, err + } + + descriptors = append(descriptors, layers...) + + numDescriptors := len(descriptors) + if numDescriptors < minNumDescriptors { + return nil, fmt.Errorf("manifest does not contain minimum number of descriptors (%d), descriptors found: %d", + minNumDescriptors, numDescriptors) + } + var configDescriptor *ocispec.Descriptor + var chartDescriptor *ocispec.Descriptor + var provDescriptor *ocispec.Descriptor + for _, descriptor := range descriptors { + d := descriptor + switch d.MediaType { + case ConfigMediaType: + configDescriptor = &d + case ChartLayerMediaType: + chartDescriptor = &d + case ProvLayerMediaType: + provDescriptor = &d + case LegacyChartLayerMediaType: + chartDescriptor = &d + fmt.Fprintf(c.out, "Warning: chart media type %s is deprecated\n", LegacyChartLayerMediaType) + } + } + if configDescriptor == nil { + return nil, fmt.Errorf("could not load config with mediatype %s", ConfigMediaType) + } + if operation.withChart && chartDescriptor == nil { + return nil, fmt.Errorf("manifest does not contain a layer with mediatype %s", + ChartLayerMediaType) + } + var provMissing bool + if operation.withProv && provDescriptor == nil { + if operation.ignoreMissingProv { + provMissing = true + } else { + return nil, fmt.Errorf("manifest does not contain a layer with mediatype %s", + ProvLayerMediaType) + } + } + result := &PullResult{ + Manifest: &DescriptorPullSummary{ + Digest: manifest.Digest.String(), + Size: manifest.Size, + }, + Config: &DescriptorPullSummary{ + Digest: configDescriptor.Digest.String(), + Size: configDescriptor.Size, + }, + Chart: &DescriptorPullSummaryWithMeta{}, + Prov: &DescriptorPullSummary{}, + Ref: parsedRef.String(), + } + + result.Manifest.Data, err = content.FetchAll(ctx, memoryStore, manifest) + if err != nil { + return nil, fmt.Errorf("unable to retrieve blob with digest %s: %w", manifest.Digest, err) + } + + result.Config.Data, err = content.FetchAll(ctx, memoryStore, *configDescriptor) + if err != nil { + return nil, fmt.Errorf("unable to retrieve blob with digest %s: %w", configDescriptor.Digest, err) + } + + if err := json.Unmarshal(result.Config.Data, &result.Chart.Meta); err != nil { + return nil, err + } + + if operation.withChart { + result.Chart.Data, err = content.FetchAll(ctx, memoryStore, *chartDescriptor) + if err != nil { + return nil, fmt.Errorf("unable to retrieve blob with digest %s: %w", chartDescriptor.Digest, err) + } + result.Chart.Digest = chartDescriptor.Digest.String() + result.Chart.Size = chartDescriptor.Size + } + + if operation.withProv && !provMissing { + result.Prov.Data, err = content.FetchAll(ctx, memoryStore, *provDescriptor) + if err != nil { + return nil, fmt.Errorf("unable to retrieve blob with digest %s: %w", provDescriptor.Digest, err) + } + result.Prov.Digest = provDescriptor.Digest.String() + result.Prov.Size = provDescriptor.Size + } + + fmt.Fprintf(c.out, "Pulled: %s\n", result.Ref) + fmt.Fprintf(c.out, "Digest: %s\n", result.Manifest.Digest) + + if strings.Contains(result.Ref, "_") { + fmt.Fprintf(c.out, "%s contains an underscore.\n", result.Ref) + fmt.Fprint(c.out, registryUnderscoreMessage+"\n") + } + + return result, nil +} + +// PullOptWithChart returns a function that sets the withChart setting on pull +func PullOptWithChart(withChart bool) PullOption { + return func(operation *pullOperation) { + operation.withChart = withChart + } +} + +// PullOptWithProv returns a function that sets the withProv setting on pull +func PullOptWithProv(withProv bool) PullOption { + return func(operation *pullOperation) { + operation.withProv = withProv + } +} + +// PullOptIgnoreMissingProv returns a function that sets the ignoreMissingProv setting on pull +func PullOptIgnoreMissingProv(ignoreMissingProv bool) PullOption { + return func(operation *pullOperation) { + operation.ignoreMissingProv = ignoreMissingProv + } +} + +type ( + // PushOption allows specifying various settings on push + PushOption func(*pushOperation) + + // PushResult is the result returned upon successful push. + PushResult struct { + Manifest *descriptorPushSummary `json:"manifest"` + Config *descriptorPushSummary `json:"config"` + Chart *descriptorPushSummaryWithMeta `json:"chart"` + Prov *descriptorPushSummary `json:"prov"` + Ref string `json:"ref"` + } + + descriptorPushSummary struct { + Digest string `json:"digest"` + Size int64 `json:"size"` + } + + descriptorPushSummaryWithMeta struct { + descriptorPushSummary + Meta *chart.Metadata `json:"meta"` + } + + pushOperation struct { + provData []byte + strictMode bool + creationTime string + } +) + +// Push uploads a chart to a registry. +func (c *Client) Push(data []byte, ref string, options ...PushOption) (*PushResult, error) { + parsedRef, err := newReference(ref) + if err != nil { + return nil, err + } + + operation := &pushOperation{ + strictMode: true, // By default, enable strict mode + } + for _, option := range options { + option(operation) + } + meta, err := extractChartMeta(data) + if err != nil { + return nil, err + } + if operation.strictMode { + if !strings.HasSuffix(ref, fmt.Sprintf("/%s:%s", meta.Name, meta.Version)) { + return nil, errors.New( + "strict mode enabled, ref basename and tag must match the chart name and version") + } + } + + ctx := context.Background() + + memoryStore := memory.New() + chartDescriptor, err := oras.PushBytes(ctx, memoryStore, ChartLayerMediaType, data) + if err != nil { + return nil, err + } + + configData, err := json.Marshal(meta) + if err != nil { + return nil, err + } + + configDescriptor, err := oras.PushBytes(ctx, memoryStore, ConfigMediaType, configData) + if err != nil { + return nil, err + } + + layers := []ocispec.Descriptor{chartDescriptor} + var provDescriptor ocispec.Descriptor + if operation.provData != nil { + provDescriptor, err = oras.PushBytes(ctx, memoryStore, ProvLayerMediaType, operation.provData) + if err != nil { + return nil, err + } + + layers = append(layers, provDescriptor) + } + + // sort layers for determinism, similar to how ORAS v1 does it + sort.Slice(layers, func(i, j int) bool { + return layers[i].Digest < layers[j].Digest + }) + + ociAnnotations := generateOCIAnnotations(meta, operation.creationTime) + + manifestDescriptor, err := c.tagManifest(ctx, memoryStore, configDescriptor, + layers, ociAnnotations, parsedRef) + if err != nil { + return nil, err + } + + repository, err := remote.NewRepository(parsedRef.String()) + if err != nil { + return nil, err + } + repository.PlainHTTP = c.plainHTTP + repository.Client = c.authorizer + + manifestDescriptor, err = oras.ExtendedCopy(ctx, memoryStore, parsedRef.String(), repository, parsedRef.String(), oras.DefaultExtendedCopyOptions) + if err != nil { + return nil, err + } + + chartSummary := &descriptorPushSummaryWithMeta{ + Meta: meta, + } + chartSummary.Digest = chartDescriptor.Digest.String() + chartSummary.Size = chartDescriptor.Size + result := &PushResult{ + Manifest: &descriptorPushSummary{ + Digest: manifestDescriptor.Digest.String(), + Size: manifestDescriptor.Size, + }, + Config: &descriptorPushSummary{ + Digest: configDescriptor.Digest.String(), + Size: configDescriptor.Size, + }, + Chart: chartSummary, + Prov: &descriptorPushSummary{}, // prevent nil references + Ref: parsedRef.String(), + } + if operation.provData != nil { + result.Prov = &descriptorPushSummary{ + Digest: provDescriptor.Digest.String(), + Size: provDescriptor.Size, + } + } + fmt.Fprintf(c.out, "Pushed: %s\n", result.Ref) + fmt.Fprintf(c.out, "Digest: %s\n", result.Manifest.Digest) + if strings.Contains(parsedRef.orasReference.Reference, "_") { + fmt.Fprintf(c.out, "%s contains an underscore.\n", result.Ref) + fmt.Fprint(c.out, registryUnderscoreMessage+"\n") + } + + return result, err +} + +// PushOptProvData returns a function that sets the prov bytes setting on push +func PushOptProvData(provData []byte) PushOption { + return func(operation *pushOperation) { + operation.provData = provData + } +} + +// PushOptStrictMode returns a function that sets the strictMode setting on push +func PushOptStrictMode(strictMode bool) PushOption { + return func(operation *pushOperation) { + operation.strictMode = strictMode + } +} + +// PushOptCreationDate returns a function that sets the creation time +func PushOptCreationTime(creationTime string) PushOption { + return func(operation *pushOperation) { + operation.creationTime = creationTime + } +} + +// Tags provides a sorted list all semver compliant tags for a given repository +func (c *Client) Tags(ref string) ([]string, error) { + parsedReference, err := registry.ParseReference(ref) + if err != nil { + return nil, err + } + + ctx := context.Background() + repository, err := remote.NewRepository(parsedReference.String()) + if err != nil { + return nil, err + } + repository.PlainHTTP = c.plainHTTP + repository.Client = c.authorizer + + var tagVersions []*semver.Version + err = repository.Tags(ctx, "", func(tags []string) error { + for _, tag := range tags { + // Change underscore (_) back to plus (+) for Helm + // See https://github.com/helm/helm/issues/10166 + tagVersion, err := semver.StrictNewVersion(strings.ReplaceAll(tag, "_", "+")) + if err == nil { + tagVersions = append(tagVersions, tagVersion) + } + } + + return nil + }) + if err != nil { + return nil, err + } + + // Sort the collection + sort.Sort(sort.Reverse(semver.Collection(tagVersions))) + + tags := make([]string, len(tagVersions)) + + for iTv, tv := range tagVersions { + tags[iTv] = tv.String() + } + + return tags, nil + +} + +// Resolve a reference to a descriptor. +func (c *Client) Resolve(ref string) (desc ocispec.Descriptor, err error) { + remoteRepository, err := remote.NewRepository(ref) + if err != nil { + return desc, err + } + remoteRepository.PlainHTTP = c.plainHTTP + + parsedReference, err := newReference(ref) + if err != nil { + return desc, err + } + + ctx := context.Background() + parsedString := parsedReference.String() + return remoteRepository.Resolve(ctx, parsedString) +} + +// ValidateReference for path and version +func (c *Client) ValidateReference(ref, version string, u *url.URL) (*url.URL, error) { + var tag string + + registryReference, err := newReference(u.Host + u.Path) + if err != nil { + return nil, err + } + + if version == "" { + // Use OCI URI tag as default + version = registryReference.Tag + } else { + if registryReference.Tag != "" && registryReference.Tag != version { + return nil, errors.Errorf("chart reference and version mismatch: %s is not %s", version, registryReference.Tag) + } + } + + if registryReference.Digest != "" { + if version == "" { + // Install by digest only + return u, nil + } + u.Path = fmt.Sprintf("%s@%s", registryReference.Repository, registryReference.Digest) + + // Validate the tag if it was specified + path := registryReference.Registry + "/" + registryReference.Repository + ":" + version + desc, err := c.Resolve(path) + if err != nil { + // The resource does not have to be tagged when digest is specified + return u, nil + } + if desc.Digest.String() != registryReference.Digest { + return nil, errors.Errorf("chart reference digest mismatch: %s is not %s", desc.Digest.String(), registryReference.Digest) + } + return u, nil + } + + // Evaluate whether an explicit version has been provided. Otherwise, determine version to use + _, errSemVer := semver.NewVersion(version) + if errSemVer == nil { + tag = version + } else { + // Retrieve list of repository tags + tags, err := c.Tags(strings.TrimPrefix(ref, fmt.Sprintf("%s://", OCIScheme))) + if err != nil { + return nil, err + } + if len(tags) == 0 { + return nil, errors.Errorf("Unable to locate any tags in provided repository: %s", ref) + } + + // Determine if version provided + // If empty, try to get the highest available tag + // If exact version, try to find it + // If semver constraint string, try to find a match + tag, err = GetTagMatchingVersionOrConstraint(tags, version) + if err != nil { + return nil, err + } + } + + u.Path = fmt.Sprintf("%s:%s", registryReference.Repository, tag) + + return u, err +} + +// tagManifest prepares and tags a manifest in memory storage +func (c *Client) tagManifest(ctx context.Context, memoryStore *memory.Store, + configDescriptor ocispec.Descriptor, layers []ocispec.Descriptor, + ociAnnotations map[string]string, parsedRef reference) (ocispec.Descriptor, error) { + + manifest := ocispec.Manifest{ + Versioned: specs.Versioned{SchemaVersion: 2}, + Config: configDescriptor, + Layers: layers, + Annotations: ociAnnotations, + } + + manifestData, err := json.Marshal(manifest) + if err != nil { + return ocispec.Descriptor{}, err + } + + return oras.TagBytes(ctx, memoryStore, ocispec.MediaTypeImageManifest, + manifestData, parsedRef.String()) +} diff --git a/vendor/helm.sh/helm/v3/pkg/registry/constants.go b/vendor/helm.sh/helm/v3/pkg/registry/constants.go new file mode 100644 index 0000000000..570b6f0d3f --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/registry/constants.go @@ -0,0 +1,37 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package registry // import "helm.sh/helm/v3/pkg/registry" + +const ( + // OCIScheme is the URL scheme for OCI-based requests + OCIScheme = "oci" + + // CredentialsFileBasename is the filename for auth credentials file + CredentialsFileBasename = "registry/config.json" + + // ConfigMediaType is the reserved media type for the Helm chart manifest config + ConfigMediaType = "application/vnd.cncf.helm.config.v1+json" + + // ChartLayerMediaType is the reserved media type for Helm chart package content + ChartLayerMediaType = "application/vnd.cncf.helm.chart.content.v1.tar+gzip" + + // ProvLayerMediaType is the reserved media type for Helm chart provenance files + ProvLayerMediaType = "application/vnd.cncf.helm.chart.provenance.v1.prov" + + // LegacyChartLayerMediaType is the legacy reserved media type for Helm chart package content. + LegacyChartLayerMediaType = "application/tar+gzip" +) diff --git a/vendor/helm.sh/helm/v3/pkg/registry/fallback.go b/vendor/helm.sh/helm/v3/pkg/registry/fallback.go new file mode 100644 index 0000000000..1db7295764 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/registry/fallback.go @@ -0,0 +1,60 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package registry + +import ( + "crypto/tls" + "net/http" + "sync/atomic" +) + +// NOTE(terryhowe): This fallback feature is only provided in v3 for backward +// compatibility. ORAS v1 had this feature and this code was added when helm +// updated to ORAS v2. This will not be supported in helm v4. + +type fallbackTransport struct { + Base http.RoundTripper + forceHTTP atomic.Bool +} + +func newTransport(debug bool) *fallbackTransport { + baseTransport := NewTransport(debug) + return &fallbackTransport{ + Base: baseTransport, + } +} + +// RoundTrip wraps base round trip with conditional insecure retry. +func (t *fallbackTransport) RoundTrip(req *http.Request) (*http.Response, error) { + if ok := t.forceHTTP.Load(); ok { + req.URL.Scheme = "http" + return t.Base.RoundTrip(req) + } + resp, err := t.Base.RoundTrip(req) + // We are falling back to http here for backward compatibility with Helm v3. + // ORAS v1 provided fallback automatically, but ORAS v2 does not. + if err != nil && req.URL.Scheme == "https" { + if tlsErr, ok := err.(tls.RecordHeaderError); ok { + if string(tlsErr.RecordHeader[:]) == "HTTP/" { + t.forceHTTP.Store(true) + req.URL.Scheme = "http" + return t.Base.RoundTrip(req) + } + } + } + return resp, err +} diff --git a/vendor/helm.sh/helm/v3/pkg/registry/reference.go b/vendor/helm.sh/helm/v3/pkg/registry/reference.go new file mode 100644 index 0000000000..b5677761da --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/registry/reference.go @@ -0,0 +1,78 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package registry + +import ( + "strings" + + "oras.land/oras-go/v2/registry" +) + +type reference struct { + orasReference registry.Reference + Registry string + Repository string + Tag string + Digest string +} + +// newReference will parse and validate the reference, and clean tags when +// applicable tags are only cleaned when plus (+) signs are present, and are +// converted to underscores (_) before pushing +// See https://github.com/helm/helm/issues/10166 +func newReference(raw string) (result reference, err error) { + // Remove oci:// prefix if it is there + raw = strings.TrimPrefix(raw, OCIScheme+"://") + + // The sole possible reference modification is replacing plus (+) signs + // present in tags with underscores (_). To do this properly, we first + // need to identify a tag, and then pass it on to the reference parser + // NOTE: Passing immediately to the reference parser will fail since (+) + // signs are an invalid tag character, and simply replacing all plus (+) + // occurrences could invalidate other portions of the URI + lastIndex := strings.LastIndex(raw, "@") + if lastIndex >= 0 { + result.Digest = raw[(lastIndex + 1):] + raw = raw[:lastIndex] + } + parts := strings.Split(raw, ":") + if len(parts) > 1 && !strings.Contains(parts[len(parts)-1], "/") { + tag := parts[len(parts)-1] + + if tag != "" { + // Replace any plus (+) signs with known underscore (_) conversion + newTag := strings.ReplaceAll(tag, "+", "_") + raw = strings.ReplaceAll(raw, tag, newTag) + } + } + + result.orasReference, err = registry.ParseReference(raw) + if err != nil { + return result, err + } + result.Registry = result.orasReference.Registry + result.Repository = result.orasReference.Repository + result.Tag = result.orasReference.Reference + return result, nil +} + +func (r *reference) String() string { + if r.Tag == "" { + return r.orasReference.String() + "@" + r.Digest + } + return r.orasReference.String() +} diff --git a/vendor/helm.sh/helm/v3/pkg/registry/transport.go b/vendor/helm.sh/helm/v3/pkg/registry/transport.go new file mode 100644 index 0000000000..4d8a59ac65 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/registry/transport.go @@ -0,0 +1,187 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package registry + +import ( + "bytes" + "fmt" + "io" + "log/slog" + "mime" + "net/http" + "os" + "strings" + "sync/atomic" + + "oras.land/oras-go/v2/registry/remote/retry" +) + +var ( + // requestCount records the number of logged request-response pairs and will + // be used as the unique id for the next pair. + requestCount uint64 + + // toScrub is a set of headers that should be scrubbed from the log. + toScrub = []string{ + "Authorization", + "Set-Cookie", + } +) + +// payloadSizeLimit limits the maximum size of the response body to be printed. +const payloadSizeLimit int64 = 16 * 1024 // 16 KiB + +// LoggingTransport is an http.RoundTripper that keeps track of the in-flight +// request and add hooks to report HTTP tracing events. +type LoggingTransport struct { + http.RoundTripper + logger *slog.Logger +} + +// NewTransport creates and returns a new instance of LoggingTransport +func NewTransport(debug bool) *retry.Transport { + type cloner[T any] interface { + Clone() T + } + + // try to copy (clone) the http.DefaultTransport so any mutations we + // perform on it (e.g. TLS config) are not reflected globally + // follow https://github.com/golang/go/issues/39299 for a more elegant + // solution in the future + transport := http.DefaultTransport + if t, ok := transport.(cloner[*http.Transport]); ok { + transport = t.Clone() + } else if t, ok := transport.(cloner[http.RoundTripper]); ok { + // this branch will not be used with go 1.20, it was added + // optimistically to try to clone if the http.DefaultTransport + // implementation changes, still the Clone method in that case + // might not return http.RoundTripper... + transport = t.Clone() + } + if debug { + replace := func(groups []string, a slog.Attr) slog.Attr { + // Remove time. + if a.Key == slog.TimeKey && len(groups) == 0 { + return slog.Attr{} + } + return a + } + logger := slog.New(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{ + ReplaceAttr: replace, + Level: slog.LevelDebug})) + transport = &LoggingTransport{RoundTripper: transport, logger: logger} + } + + return retry.NewTransport(transport) +} + +// RoundTrip calls base round trip while keeping track of the current request. +func (t *LoggingTransport) RoundTrip(req *http.Request) (resp *http.Response, err error) { + id := atomic.AddUint64(&requestCount, 1) - 1 + + t.logger.Debug("Request", "id", id, "url", req.URL, "method", req.Method, "header", logHeader(req.Header)) + resp, err = t.RoundTripper.RoundTrip(req) + if err != nil { + t.logger.Debug("Response", "id", id, "error", err) + } else if resp != nil { + t.logger.Debug("Response", "id", id, "status", resp.Status, "header", logHeader(resp.Header), "body", logResponseBody(resp)) + } else { + t.logger.Debug("Response", "id", id, "response", "nil") + } + + return resp, err +} + +// logHeader prints out the provided header keys and values, with auth header scrubbed. +func logHeader(header http.Header) string { + if len(header) > 0 { + headers := []string{} + for k, v := range header { + for _, h := range toScrub { + if strings.EqualFold(k, h) { + v = []string{"*****"} + } + } + headers = append(headers, fmt.Sprintf(" %q: %q", k, strings.Join(v, ", "))) + } + return strings.Join(headers, "\n") + } + return " Empty header" +} + +// logResponseBody prints out the response body if it is printable and within size limit. +func logResponseBody(resp *http.Response) string { + if resp.Body == nil || resp.Body == http.NoBody { + return " No response body to print" + } + + // non-applicable body is not printed and remains untouched for subsequent processing + contentType := resp.Header.Get("Content-Type") + if contentType == "" { + return " Response body without a content type is not printed" + } + if !isPrintableContentType(contentType) { + return fmt.Sprintf(" Response body of content type %q is not printed", contentType) + } + + buf := bytes.NewBuffer(nil) + body := resp.Body + // restore the body by concatenating the read body with the remaining body + resp.Body = struct { + io.Reader + io.Closer + }{ + Reader: io.MultiReader(buf, body), + Closer: body, + } + // read the body up to limit+1 to check if the body exceeds the limit + if _, err := io.CopyN(buf, body, payloadSizeLimit+1); err != nil && err != io.EOF { + return fmt.Sprintf(" Error reading response body: %v", err) + } + + readBody := buf.String() + if len(readBody) == 0 { + return " Response body is empty" + } + if containsCredentials(readBody) { + return " Response body redacted due to potential credentials" + } + if len(readBody) > int(payloadSizeLimit) { + return readBody[:payloadSizeLimit] + "\n...(truncated)" + } + return readBody +} + +// isPrintableContentType returns true if the contentType is printable. +func isPrintableContentType(contentType string) bool { + mediaType, _, err := mime.ParseMediaType(contentType) + if err != nil { + return false + } + + switch mediaType { + case "application/json", // JSON types + "text/plain", "text/html": // text types + return true + } + return strings.HasSuffix(mediaType, "+json") +} + +// containsCredentials returns true if the body contains potential credentials. +func containsCredentials(body string) bool { + return strings.Contains(body, `"token"`) || strings.Contains(body, `"access_token"`) +} diff --git a/vendor/helm.sh/helm/v3/pkg/registry/util.go b/vendor/helm.sh/helm/v3/pkg/registry/util.go new file mode 100644 index 0000000000..84ee698072 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/registry/util.go @@ -0,0 +1,208 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package registry // import "helm.sh/helm/v3/pkg/registry" + +import ( + "bytes" + "fmt" + "io" + "net/http" + "strings" + "time" + + "helm.sh/helm/v3/internal/tlsutil" + "helm.sh/helm/v3/pkg/chart" + "helm.sh/helm/v3/pkg/chart/loader" + helmtime "helm.sh/helm/v3/pkg/time" + + "github.com/Masterminds/semver/v3" + ocispec "github.com/opencontainers/image-spec/specs-go/v1" + "github.com/pkg/errors" +) + +var immutableOciAnnotations = []string{ + ocispec.AnnotationVersion, + ocispec.AnnotationTitle, +} + +// IsOCI determines whether a URL is to be treated as an OCI URL +func IsOCI(url string) bool { + return strings.HasPrefix(url, fmt.Sprintf("%s://", OCIScheme)) +} + +// ContainsTag determines whether a tag is found in a provided list of tags +func ContainsTag(tags []string, tag string) bool { + for _, t := range tags { + if tag == t { + return true + } + } + return false +} + +func GetTagMatchingVersionOrConstraint(tags []string, versionString string) (string, error) { + var constraint *semver.Constraints + if versionString == "" { + // If string is empty, set wildcard constraint + constraint, _ = semver.NewConstraint("*") + } else { + // when customer inputs specific version, check whether there's an exact match first + for _, v := range tags { + if versionString == v { + return v, nil + } + } + + // Otherwise set constraint to the string given + var err error + constraint, err = semver.NewConstraint(versionString) + if err != nil { + return "", err + } + } + + // Otherwise try to find the first available version matching the string, + // in case it is a constraint + for _, v := range tags { + test, err := semver.NewVersion(v) + if err != nil { + continue + } + if constraint.Check(test) { + return v, nil + } + } + + return "", errors.Errorf("Could not locate a version matching provided version string %s", versionString) +} + +// extractChartMeta is used to extract a chart metadata from a byte array +func extractChartMeta(chartData []byte) (*chart.Metadata, error) { + ch, err := loader.LoadArchive(bytes.NewReader(chartData)) + if err != nil { + return nil, err + } + return ch.Metadata, nil +} + +// NewRegistryClientWithTLS is a helper function to create a new registry client with TLS enabled. +func NewRegistryClientWithTLS(out io.Writer, certFile, keyFile, caFile string, insecureSkipTLSverify bool, registryConfig string, debug bool) (*Client, error) { + tlsConf, err := tlsutil.NewClientTLS(certFile, keyFile, caFile, insecureSkipTLSverify) + if err != nil { + return nil, fmt.Errorf("can't create TLS config for client: %s", err) + } + // Create a new registry client + registryClient, err := NewClient( + ClientOptDebug(debug), + ClientOptEnableCache(true), + ClientOptWriter(out), + ClientOptCredentialsFile(registryConfig), + ClientOptHTTPClient(&http.Client{ + Transport: &http.Transport{ + TLSClientConfig: tlsConf, + Proxy: http.ProxyFromEnvironment, + }, + }), + ) + if err != nil { + return nil, err + } + return registryClient, nil +} + +// generateOCIAnnotations will generate OCI annotations to include within the OCI manifest +func generateOCIAnnotations(meta *chart.Metadata, creationTime string) map[string]string { + + // Get annotations from Chart attributes + ociAnnotations := generateChartOCIAnnotations(meta, creationTime) + + // Copy Chart annotations +annotations: + for chartAnnotationKey, chartAnnotationValue := range meta.Annotations { + + // Avoid overriding key properties + for _, immutableOciKey := range immutableOciAnnotations { + if immutableOciKey == chartAnnotationKey { + continue annotations + } + } + + // Add chart annotation + ociAnnotations[chartAnnotationKey] = chartAnnotationValue + } + + return ociAnnotations +} + +// getChartOCIAnnotations will generate OCI annotations from the provided chart +func generateChartOCIAnnotations(meta *chart.Metadata, creationTime string) map[string]string { + chartOCIAnnotations := map[string]string{} + + chartOCIAnnotations = addToMap(chartOCIAnnotations, ocispec.AnnotationDescription, meta.Description) + chartOCIAnnotations = addToMap(chartOCIAnnotations, ocispec.AnnotationTitle, meta.Name) + chartOCIAnnotations = addToMap(chartOCIAnnotations, ocispec.AnnotationVersion, meta.Version) + chartOCIAnnotations = addToMap(chartOCIAnnotations, ocispec.AnnotationURL, meta.Home) + + if len(creationTime) == 0 { + creationTime = helmtime.Now().UTC().Format(time.RFC3339) + } + + chartOCIAnnotations = addToMap(chartOCIAnnotations, ocispec.AnnotationCreated, creationTime) + + if len(meta.Sources) > 0 { + chartOCIAnnotations = addToMap(chartOCIAnnotations, ocispec.AnnotationSource, meta.Sources[0]) + } + + if len(meta.Maintainers) > 0 { + var maintainerSb strings.Builder + + for maintainerIdx, maintainer := range meta.Maintainers { + + if len(maintainer.Name) > 0 { + maintainerSb.WriteString(maintainer.Name) + } + + if len(maintainer.Email) > 0 { + maintainerSb.WriteString(" (") + maintainerSb.WriteString(maintainer.Email) + maintainerSb.WriteString(")") + } + + if maintainerIdx < len(meta.Maintainers)-1 { + maintainerSb.WriteString(", ") + } + + } + + chartOCIAnnotations = addToMap(chartOCIAnnotations, ocispec.AnnotationAuthors, maintainerSb.String()) + + } + + return chartOCIAnnotations +} + +// addToMap takes an existing map and adds an item if the value is not empty +func addToMap(inputMap map[string]string, newKey string, newValue string) map[string]string { + + // Add item to map if its + if len(strings.TrimSpace(newValue)) > 0 { + inputMap[newKey] = newValue + } + + return inputMap + +} diff --git a/vendor/helm.sh/helm/v3/pkg/release/hook.go b/vendor/helm.sh/helm/v3/pkg/release/hook.go new file mode 100644 index 0000000000..425074ac1d --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/release/hook.go @@ -0,0 +1,122 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package release + +import ( + "helm.sh/helm/v3/pkg/time" +) + +// HookEvent specifies the hook event +type HookEvent string + +// Hook event types +const ( + HookPreInstall HookEvent = "pre-install" + HookPostInstall HookEvent = "post-install" + HookPreDelete HookEvent = "pre-delete" + HookPostDelete HookEvent = "post-delete" + HookPreUpgrade HookEvent = "pre-upgrade" + HookPostUpgrade HookEvent = "post-upgrade" + HookPreRollback HookEvent = "pre-rollback" + HookPostRollback HookEvent = "post-rollback" + HookTest HookEvent = "test" +) + +func (x HookEvent) String() string { return string(x) } + +// HookDeletePolicy specifies the hook delete policy +type HookDeletePolicy string + +// Hook delete policy types +const ( + HookSucceeded HookDeletePolicy = "hook-succeeded" + HookFailed HookDeletePolicy = "hook-failed" + HookBeforeHookCreation HookDeletePolicy = "before-hook-creation" +) + +func (x HookDeletePolicy) String() string { return string(x) } + +// HookOutputLogPolicy specifies the hook output log policy +type HookOutputLogPolicy string + +// Hook output log policy types +const ( + HookOutputOnSucceeded HookOutputLogPolicy = "hook-succeeded" + HookOutputOnFailed HookOutputLogPolicy = "hook-failed" +) + +func (x HookOutputLogPolicy) String() string { return string(x) } + +// HookAnnotation is the label name for a hook +const HookAnnotation = "helm.sh/hook" + +// HookWeightAnnotation is the label name for a hook weight +const HookWeightAnnotation = "helm.sh/hook-weight" + +// HookDeleteAnnotation is the label name for the delete policy for a hook +const HookDeleteAnnotation = "helm.sh/hook-delete-policy" + +// HookOutputLogAnnotation is the label name for the output log policy for a hook +const HookOutputLogAnnotation = "helm.sh/hook-output-log-policy" + +// Hook defines a hook object. +type Hook struct { + Name string `json:"name,omitempty"` + // Kind is the Kubernetes kind. + Kind string `json:"kind,omitempty"` + // Path is the chart-relative path to the template. + Path string `json:"path,omitempty"` + // Manifest is the manifest contents. + Manifest string `json:"manifest,omitempty"` + // Events are the events that this hook fires on. + Events []HookEvent `json:"events,omitempty"` + // LastRun indicates the date/time this was last run. + LastRun HookExecution `json:"last_run,omitempty"` + // Weight indicates the sort order for execution among similar Hook type + Weight int `json:"weight,omitempty"` + // DeletePolicies are the policies that indicate when to delete the hook + DeletePolicies []HookDeletePolicy `json:"delete_policies,omitempty"` + // OutputLogPolicies defines whether we should copy hook logs back to main process + OutputLogPolicies []HookOutputLogPolicy `json:"output_log_policies,omitempty"` +} + +// A HookExecution records the result for the last execution of a hook for a given release. +type HookExecution struct { + // StartedAt indicates the date/time this hook was started + StartedAt time.Time `json:"started_at,omitempty"` + // CompletedAt indicates the date/time this hook was completed. + CompletedAt time.Time `json:"completed_at,omitempty"` + // Phase indicates whether the hook completed successfully + Phase HookPhase `json:"phase"` +} + +// A HookPhase indicates the state of a hook execution +type HookPhase string + +const ( + // HookPhaseUnknown indicates that a hook is in an unknown state + HookPhaseUnknown HookPhase = "Unknown" + // HookPhaseRunning indicates that a hook is currently executing + HookPhaseRunning HookPhase = "Running" + // HookPhaseSucceeded indicates that hook execution succeeded + HookPhaseSucceeded HookPhase = "Succeeded" + // HookPhaseFailed indicates that hook execution failed + HookPhaseFailed HookPhase = "Failed" +) + +// String converts a hook phase to a printable string +func (x HookPhase) String() string { return string(x) } diff --git a/vendor/helm.sh/helm/v3/pkg/release/info.go b/vendor/helm.sh/helm/v3/pkg/release/info.go new file mode 100644 index 0000000000..b030a8a545 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/release/info.go @@ -0,0 +1,40 @@ +/* +Copyright The Helm Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package release + +import ( + "k8s.io/apimachinery/pkg/runtime" + + "helm.sh/helm/v3/pkg/time" +) + +// Info describes release information. +type Info struct { + // FirstDeployed is when the release was first deployed. + FirstDeployed time.Time `json:"first_deployed,omitempty"` + // LastDeployed is when the release was last deployed. + LastDeployed time.Time `json:"last_deployed,omitempty"` + // Deleted tracks when this object was deleted. + Deleted time.Time `json:"deleted"` + // Description is human-friendly "log entry" about this release. + Description string `json:"description,omitempty"` + // Status is the current state of the release + Status Status `json:"status,omitempty"` + // Contains the rendered templates/NOTES.txt if available + Notes string `json:"notes,omitempty"` + // Contains the deployed resources information + Resources map[string][]runtime.Object `json:"resources,omitempty"` +} diff --git a/vendor/helm.sh/helm/v3/pkg/release/mock.go b/vendor/helm.sh/helm/v3/pkg/release/mock.go new file mode 100644 index 0000000000..eb0b5157df --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/release/mock.go @@ -0,0 +1,134 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package release + +import ( + "fmt" + "math/rand" + + "helm.sh/helm/v3/pkg/chart" + "helm.sh/helm/v3/pkg/time" +) + +// MockHookTemplate is the hook template used for all mock release objects. +var MockHookTemplate = `apiVersion: v1 +kind: Job +metadata: + annotations: + "helm.sh/hook": pre-install +` + +// MockManifest is the manifest used for all mock release objects. +var MockManifest = `apiVersion: v1 +kind: Secret +metadata: + name: fixture +` + +// MockReleaseOptions allows for user-configurable options on mock release objects. +type MockReleaseOptions struct { + Name string + Version int + Chart *chart.Chart + Status Status + Namespace string +} + +// Mock creates a mock release object based on options set by MockReleaseOptions. This function should typically not be used outside of testing. +func Mock(opts *MockReleaseOptions) *Release { + date := time.Unix(242085845, 0).UTC() + + name := opts.Name + if name == "" { + name = "testrelease-" + fmt.Sprint(rand.Intn(100)) + } + + version := 1 + if opts.Version != 0 { + version = opts.Version + } + + namespace := opts.Namespace + if namespace == "" { + namespace = "default" + } + + ch := opts.Chart + if opts.Chart == nil { + ch = &chart.Chart{ + Metadata: &chart.Metadata{ + Name: "foo", + Version: "0.1.0-beta.1", + AppVersion: "1.0", + Annotations: map[string]string{ + "category": "web-apps", + "supported": "true", + }, + Dependencies: []*chart.Dependency{ + { + Name: "cool-plugin", + Version: "1.0.0", + Repository: "https://coolplugin.io/charts", + Condition: "coolPlugin.enabled", + Enabled: true, + }, + { + Name: "crds", + Version: "2.7.1", + Condition: "crds.enabled", + }, + }, + }, + Templates: []*chart.File{ + {Name: "templates/foo.tpl", Data: []byte(MockManifest)}, + }, + } + } + + scode := StatusDeployed + if len(opts.Status) > 0 { + scode = opts.Status + } + + info := &Info{ + FirstDeployed: date, + LastDeployed: date, + Status: scode, + Description: "Release mock", + Notes: "Some mock release notes!", + } + + return &Release{ + Name: name, + Info: info, + Chart: ch, + Config: map[string]interface{}{"name": "value"}, + Version: version, + Namespace: namespace, + Hooks: []*Hook{ + { + Name: "pre-install-hook", + Kind: "Job", + Path: "pre-install-hook.yaml", + Manifest: MockHookTemplate, + LastRun: HookExecution{}, + Events: []HookEvent{HookPreInstall}, + }, + }, + Manifest: MockManifest, + } +} diff --git a/vendor/helm.sh/helm/v3/pkg/release/release.go b/vendor/helm.sh/helm/v3/pkg/release/release.go new file mode 100644 index 0000000000..b906128736 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/release/release.go @@ -0,0 +1,49 @@ +/* +Copyright The Helm Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package release + +import "helm.sh/helm/v3/pkg/chart" + +// Release describes a deployment of a chart, together with the chart +// and the variables used to deploy that chart. +type Release struct { + // Name is the name of the release + Name string `json:"name,omitempty"` + // Info provides information about a release + Info *Info `json:"info,omitempty"` + // Chart is the chart that was released. + Chart *chart.Chart `json:"chart,omitempty"` + // Config is the set of extra Values added to the chart. + // These values override the default values inside of the chart. + Config map[string]interface{} `json:"config,omitempty"` + // Manifest is the string representation of the rendered template. + Manifest string `json:"manifest,omitempty"` + // Hooks are all of the hooks declared for this release. + Hooks []*Hook `json:"hooks,omitempty"` + // Version is an int which represents the revision of the release. + Version int `json:"version,omitempty"` + // Namespace is the kubernetes namespace of the release. + Namespace string `json:"namespace,omitempty"` + // Labels of the release. + // Disabled encoding into Json cause labels are stored in storage driver metadata field. + Labels map[string]string `json:"-"` +} + +// SetStatus is a helper for setting the status on a release. +func (r *Release) SetStatus(status Status, msg string) { + r.Info.Status = status + r.Info.Description = msg +} diff --git a/vendor/helm.sh/helm/v3/pkg/release/responses.go b/vendor/helm.sh/helm/v3/pkg/release/responses.go new file mode 100644 index 0000000000..7ee1fc2eee --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/release/responses.go @@ -0,0 +1,24 @@ +/* +Copyright The Helm Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package release + +// UninstallReleaseResponse represents a successful response to an uninstall request. +type UninstallReleaseResponse struct { + // Release is the release that was marked deleted. + Release *Release `json:"release,omitempty"` + // Info is an uninstall message + Info string `json:"info,omitempty"` +} diff --git a/vendor/helm.sh/helm/v3/pkg/release/status.go b/vendor/helm.sh/helm/v3/pkg/release/status.go new file mode 100644 index 0000000000..edd27a5f14 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/release/status.go @@ -0,0 +1,49 @@ +/* +Copyright The Helm Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package release + +// Status is the status of a release +type Status string + +// Describe the status of a release +// NOTE: Make sure to update cmd/helm/status.go when adding or modifying any of these statuses. +const ( + // StatusUnknown indicates that a release is in an uncertain state. + StatusUnknown Status = "unknown" + // StatusDeployed indicates that the release has been pushed to Kubernetes. + StatusDeployed Status = "deployed" + // StatusUninstalled indicates that a release has been uninstalled from Kubernetes. + StatusUninstalled Status = "uninstalled" + // StatusSuperseded indicates that this release object is outdated and a newer one exists. + StatusSuperseded Status = "superseded" + // StatusFailed indicates that the release was not successfully deployed. + StatusFailed Status = "failed" + // StatusUninstalling indicates that an uninstall operation is underway. + StatusUninstalling Status = "uninstalling" + // StatusPendingInstall indicates that an install operation is underway. + StatusPendingInstall Status = "pending-install" + // StatusPendingUpgrade indicates that an upgrade operation is underway. + StatusPendingUpgrade Status = "pending-upgrade" + // StatusPendingRollback indicates that a rollback operation is underway. + StatusPendingRollback Status = "pending-rollback" +) + +func (x Status) String() string { return string(x) } + +// IsPending determines if this status is a state or a transition. +func (x Status) IsPending() bool { + return x == StatusPendingInstall || x == StatusPendingUpgrade || x == StatusPendingRollback +} diff --git a/vendor/helm.sh/helm/v3/pkg/releaseutil/filter.go b/vendor/helm.sh/helm/v3/pkg/releaseutil/filter.go new file mode 100644 index 0000000000..dbd0df8e2d --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/releaseutil/filter.go @@ -0,0 +1,78 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package releaseutil // import "helm.sh/helm/v3/pkg/releaseutil" + +import rspb "helm.sh/helm/v3/pkg/release" + +// FilterFunc returns true if the release object satisfies +// the predicate of the underlying filter func. +type FilterFunc func(*rspb.Release) bool + +// Check applies the FilterFunc to the release object. +func (fn FilterFunc) Check(rls *rspb.Release) bool { + if rls == nil { + return false + } + return fn(rls) +} + +// Filter applies the filter(s) to the list of provided releases +// returning the list that satisfies the filtering predicate. +func (fn FilterFunc) Filter(rels []*rspb.Release) (rets []*rspb.Release) { + for _, rel := range rels { + if fn.Check(rel) { + rets = append(rets, rel) + } + } + return +} + +// Any returns a FilterFunc that filters a list of releases +// determined by the predicate 'f0 || f1 || ... || fn'. +func Any(filters ...FilterFunc) FilterFunc { + return func(rls *rspb.Release) bool { + for _, filter := range filters { + if filter(rls) { + return true + } + } + return false + } +} + +// All returns a FilterFunc that filters a list of releases +// determined by the predicate 'f0 && f1 && ... && fn'. +func All(filters ...FilterFunc) FilterFunc { + return func(rls *rspb.Release) bool { + for _, filter := range filters { + if !filter(rls) { + return false + } + } + return true + } +} + +// StatusFilter filters a set of releases by status code. +func StatusFilter(status rspb.Status) FilterFunc { + return FilterFunc(func(rls *rspb.Release) bool { + if rls == nil { + return true + } + return rls.Info.Status == status + }) +} diff --git a/vendor/helm.sh/helm/v3/pkg/releaseutil/kind_sorter.go b/vendor/helm.sh/helm/v3/pkg/releaseutil/kind_sorter.go new file mode 100644 index 0000000000..bb8e84dda8 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/releaseutil/kind_sorter.go @@ -0,0 +1,160 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package releaseutil + +import ( + "sort" + + "helm.sh/helm/v3/pkg/release" +) + +// KindSortOrder is an ordering of Kinds. +type KindSortOrder []string + +// InstallOrder is the order in which manifests should be installed (by Kind). +// +// Those occurring earlier in the list get installed before those occurring later in the list. +var InstallOrder KindSortOrder = []string{ + "PriorityClass", + "Namespace", + "NetworkPolicy", + "ResourceQuota", + "LimitRange", + "PodSecurityPolicy", + "PodDisruptionBudget", + "ServiceAccount", + "Secret", + "SecretList", + "ConfigMap", + "StorageClass", + "PersistentVolume", + "PersistentVolumeClaim", + "CustomResourceDefinition", + "ClusterRole", + "ClusterRoleList", + "ClusterRoleBinding", + "ClusterRoleBindingList", + "Role", + "RoleList", + "RoleBinding", + "RoleBindingList", + "Service", + "DaemonSet", + "Pod", + "ReplicationController", + "ReplicaSet", + "Deployment", + "HorizontalPodAutoscaler", + "StatefulSet", + "Job", + "CronJob", + "IngressClass", + "Ingress", + "APIService", +} + +// UninstallOrder is the order in which manifests should be uninstalled (by Kind). +// +// Those occurring earlier in the list get uninstalled before those occurring later in the list. +var UninstallOrder KindSortOrder = []string{ + "APIService", + "Ingress", + "IngressClass", + "Service", + "CronJob", + "Job", + "StatefulSet", + "HorizontalPodAutoscaler", + "Deployment", + "ReplicaSet", + "ReplicationController", + "Pod", + "DaemonSet", + "RoleBindingList", + "RoleBinding", + "RoleList", + "Role", + "ClusterRoleBindingList", + "ClusterRoleBinding", + "ClusterRoleList", + "ClusterRole", + "CustomResourceDefinition", + "PersistentVolumeClaim", + "PersistentVolume", + "StorageClass", + "ConfigMap", + "SecretList", + "Secret", + "ServiceAccount", + "PodDisruptionBudget", + "PodSecurityPolicy", + "LimitRange", + "ResourceQuota", + "NetworkPolicy", + "Namespace", + "PriorityClass", +} + +// sort manifests by kind. +// +// Results are sorted by 'ordering', keeping order of items with equal kind/priority +func sortManifestsByKind(manifests []Manifest, ordering KindSortOrder) []Manifest { + sort.SliceStable(manifests, func(i, j int) bool { + return lessByKind(manifests[i], manifests[j], manifests[i].Head.Kind, manifests[j].Head.Kind, ordering) + }) + + return manifests +} + +// sort hooks by kind, using an out-of-place sort to preserve the input parameters. +// +// Results are sorted by 'ordering', keeping order of items with equal kind/priority +func sortHooksByKind(hooks []*release.Hook, ordering KindSortOrder) []*release.Hook { + h := hooks + sort.SliceStable(h, func(i, j int) bool { + return lessByKind(h[i], h[j], h[i].Kind, h[j].Kind, ordering) + }) + + return h +} + +func lessByKind(_ interface{}, _ interface{}, kindA string, kindB string, o KindSortOrder) bool { + ordering := make(map[string]int, len(o)) + for v, k := range o { + ordering[k] = v + } + + first, aok := ordering[kindA] + second, bok := ordering[kindB] + + if !aok && !bok { + // if both are unknown then sort alphabetically by kind, keep original order if same kind + if kindA != kindB { + return kindA < kindB + } + return first < second + } + // unknown kind is last + if !aok { + return false + } + if !bok { + return true + } + // sort different kinds, keep original order if same priority + return first < second +} diff --git a/vendor/helm.sh/helm/v3/pkg/releaseutil/manifest.go b/vendor/helm.sh/helm/v3/pkg/releaseutil/manifest.go new file mode 100644 index 0000000000..0b04a4599b --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/releaseutil/manifest.go @@ -0,0 +1,72 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package releaseutil + +import ( + "fmt" + "regexp" + "strconv" + "strings" +) + +// SimpleHead defines what the structure of the head of a manifest file +type SimpleHead struct { + Version string `json:"apiVersion"` + Kind string `json:"kind,omitempty"` + Metadata *struct { + Name string `json:"name"` + Annotations map[string]string `json:"annotations"` + } `json:"metadata,omitempty"` +} + +var sep = regexp.MustCompile("(?:^|\\s*\n)---\\s*") + +// SplitManifests takes a string of manifest and returns a map contains individual manifests +func SplitManifests(bigFile string) map[string]string { + // Basically, we're quickly splitting a stream of YAML documents into an + // array of YAML docs. The file name is just a place holder, but should be + // integer-sortable so that manifests get output in the same order as the + // input (see `BySplitManifestsOrder`). + tpl := "manifest-%d" + res := map[string]string{} + // Making sure that any extra whitespace in YAML stream doesn't interfere in splitting documents correctly. + bigFileTmp := strings.TrimSpace(bigFile) + docs := sep.Split(bigFileTmp, -1) + var count int + for _, d := range docs { + if d == "" { + continue + } + + d = strings.TrimSpace(d) + res[fmt.Sprintf(tpl, count)] = d + count = count + 1 + } + return res +} + +// BySplitManifestsOrder sorts by in-file manifest order, as provided in function `SplitManifests` +type BySplitManifestsOrder []string + +func (a BySplitManifestsOrder) Len() int { return len(a) } +func (a BySplitManifestsOrder) Less(i, j int) bool { + // Split `manifest-%d` + anum, _ := strconv.ParseInt(a[i][len("manifest-"):], 10, 0) + bnum, _ := strconv.ParseInt(a[j][len("manifest-"):], 10, 0) + return anum < bnum +} +func (a BySplitManifestsOrder) Swap(i, j int) { a[i], a[j] = a[j], a[i] } diff --git a/vendor/helm.sh/helm/v3/pkg/releaseutil/manifest_sorter.go b/vendor/helm.sh/helm/v3/pkg/releaseutil/manifest_sorter.go new file mode 100644 index 0000000000..cf851baa81 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/releaseutil/manifest_sorter.go @@ -0,0 +1,244 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package releaseutil + +import ( + "log" + "path" + "sort" + "strconv" + "strings" + + "github.com/pkg/errors" + "sigs.k8s.io/yaml" + + "helm.sh/helm/v3/pkg/chartutil" + "helm.sh/helm/v3/pkg/release" +) + +// Manifest represents a manifest file, which has a name and some content. +type Manifest struct { + Name string + Content string + Head *SimpleHead +} + +// manifestFile represents a file that contains a manifest. +type manifestFile struct { + entries map[string]string + path string +} + +// result is an intermediate structure used during sorting. +type result struct { + hooks []*release.Hook + generic []Manifest +} + +// TODO: Refactor this out. It's here because naming conventions were not followed through. +// So fix the Test hook names and then remove this. +var events = map[string]release.HookEvent{ + release.HookPreInstall.String(): release.HookPreInstall, + release.HookPostInstall.String(): release.HookPostInstall, + release.HookPreDelete.String(): release.HookPreDelete, + release.HookPostDelete.String(): release.HookPostDelete, + release.HookPreUpgrade.String(): release.HookPreUpgrade, + release.HookPostUpgrade.String(): release.HookPostUpgrade, + release.HookPreRollback.String(): release.HookPreRollback, + release.HookPostRollback.String(): release.HookPostRollback, + release.HookTest.String(): release.HookTest, + // Support test-success for backward compatibility with Helm 2 tests + "test-success": release.HookTest, +} + +// SortManifests takes a map of filename/YAML contents, splits the file +// by manifest entries, and sorts the entries into hook types. +// +// The resulting hooks struct will be populated with all of the generated hooks. +// Any file that does not declare one of the hook types will be placed in the +// 'generic' bucket. +// +// Files that do not parse into the expected format are simply placed into a map and +// returned. +func SortManifests(files map[string]string, _ chartutil.VersionSet, ordering KindSortOrder) ([]*release.Hook, []Manifest, error) { + result := &result{} + + var sortedFilePaths []string + for filePath := range files { + sortedFilePaths = append(sortedFilePaths, filePath) + } + sort.Strings(sortedFilePaths) + + for _, filePath := range sortedFilePaths { + content := files[filePath] + + // Skip partials. We could return these as a separate map, but there doesn't + // seem to be any need for that at this time. + if strings.HasPrefix(path.Base(filePath), "_") { + continue + } + // Skip empty files and log this. + if strings.TrimSpace(content) == "" { + continue + } + + manifestFile := &manifestFile{ + entries: SplitManifests(content), + path: filePath, + } + + if err := manifestFile.sort(result); err != nil { + return result.hooks, result.generic, err + } + } + + return sortHooksByKind(result.hooks, ordering), sortManifestsByKind(result.generic, ordering), nil +} + +// sort takes a manifestFile object which may contain multiple resource definition +// entries and sorts each entry by hook types, and saves the resulting hooks and +// generic manifests (or non-hooks) to the result struct. +// +// To determine hook type, it looks for a YAML structure like this: +// +// kind: SomeKind +// apiVersion: v1 +// metadata: +// annotations: +// helm.sh/hook: pre-install +// +// To determine the policy to delete the hook, it looks for a YAML structure like this: +// +// kind: SomeKind +// apiVersion: v1 +// metadata: +// annotations: +// helm.sh/hook-delete-policy: hook-succeeded +// +// To determine the policy to output logs of the hook (for Pod and Job only), it looks for a YAML structure like this: +// +// kind: Pod +// apiVersion: v1 +// metadata: +// annotations: +// helm.sh/hook-output-log-policy: hook-succeeded,hook-failed +func (file *manifestFile) sort(result *result) error { + // Go through manifests in order found in file (function `SplitManifests` creates integer-sortable keys) + var sortedEntryKeys []string + for entryKey := range file.entries { + sortedEntryKeys = append(sortedEntryKeys, entryKey) + } + sort.Sort(BySplitManifestsOrder(sortedEntryKeys)) + + for _, entryKey := range sortedEntryKeys { + m := file.entries[entryKey] + + var entry SimpleHead + if err := yaml.Unmarshal([]byte(m), &entry); err != nil { + return errors.Wrapf(err, "YAML parse error on %s", file.path) + } + + if !hasAnyAnnotation(entry) { + result.generic = append(result.generic, Manifest{ + Name: file.path, + Content: m, + Head: &entry, + }) + continue + } + + hookTypes, ok := entry.Metadata.Annotations[release.HookAnnotation] + if !ok { + result.generic = append(result.generic, Manifest{ + Name: file.path, + Content: m, + Head: &entry, + }) + continue + } + + hw := calculateHookWeight(entry) + + h := &release.Hook{ + Name: entry.Metadata.Name, + Kind: entry.Kind, + Path: file.path, + Manifest: m, + Events: []release.HookEvent{}, + Weight: hw, + DeletePolicies: []release.HookDeletePolicy{}, + OutputLogPolicies: []release.HookOutputLogPolicy{}, + } + + isUnknownHook := false + for _, hookType := range strings.Split(hookTypes, ",") { + hookType = strings.ToLower(strings.TrimSpace(hookType)) + e, ok := events[hookType] + if !ok { + isUnknownHook = true + break + } + h.Events = append(h.Events, e) + } + + if isUnknownHook { + log.Printf("info: skipping unknown hook: %q", hookTypes) + continue + } + + result.hooks = append(result.hooks, h) + + operateAnnotationValues(entry, release.HookDeleteAnnotation, func(value string) { + h.DeletePolicies = append(h.DeletePolicies, release.HookDeletePolicy(value)) + }) + + operateAnnotationValues(entry, release.HookOutputLogAnnotation, func(value string) { + h.OutputLogPolicies = append(h.OutputLogPolicies, release.HookOutputLogPolicy(value)) + }) + } + + return nil +} + +// hasAnyAnnotation returns true if the given entry has any annotations at all. +func hasAnyAnnotation(entry SimpleHead) bool { + return entry.Metadata != nil && + entry.Metadata.Annotations != nil && + len(entry.Metadata.Annotations) != 0 +} + +// calculateHookWeight finds the weight in the hook weight annotation. +// +// If no weight is found, the assigned weight is 0 +func calculateHookWeight(entry SimpleHead) int { + hws := entry.Metadata.Annotations[release.HookWeightAnnotation] + hw, err := strconv.Atoi(hws) + if err != nil { + hw = 0 + } + return hw +} + +// operateAnnotationValues finds the given annotation and runs the operate function with the value of that annotation +func operateAnnotationValues(entry SimpleHead, annotation string, operate func(p string)) { + if dps, ok := entry.Metadata.Annotations[annotation]; ok { + for _, dp := range strings.Split(dps, ",") { + dp = strings.ToLower(strings.TrimSpace(dp)) + operate(dp) + } + } +} diff --git a/vendor/helm.sh/helm/v3/pkg/releaseutil/sorter.go b/vendor/helm.sh/helm/v3/pkg/releaseutil/sorter.go new file mode 100644 index 0000000000..1a8aa78a62 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/releaseutil/sorter.go @@ -0,0 +1,78 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package releaseutil // import "helm.sh/helm/v3/pkg/releaseutil" + +import ( + "sort" + + rspb "helm.sh/helm/v3/pkg/release" +) + +type list []*rspb.Release + +func (s list) Len() int { return len(s) } +func (s list) Swap(i, j int) { s[i], s[j] = s[j], s[i] } + +// ByName sorts releases by name +type ByName struct{ list } + +// Less compares to releases +func (s ByName) Less(i, j int) bool { return s.list[i].Name < s.list[j].Name } + +// ByDate sorts releases by date +type ByDate struct{ list } + +// Less compares to releases +func (s ByDate) Less(i, j int) bool { + ti := s.list[i].Info.LastDeployed.Unix() + tj := s.list[j].Info.LastDeployed.Unix() + return ti < tj +} + +// ByRevision sorts releases by revision number +type ByRevision struct{ list } + +// Less compares to releases +func (s ByRevision) Less(i, j int) bool { + return s.list[i].Version < s.list[j].Version +} + +// Reverse reverses the list of releases sorted by the sort func. +func Reverse(list []*rspb.Release, sortFn func([]*rspb.Release)) { + sortFn(list) + for i, j := 0, len(list)-1; i < j; i, j = i+1, j-1 { + list[i], list[j] = list[j], list[i] + } +} + +// SortByName returns the list of releases sorted +// in lexicographical order. +func SortByName(list []*rspb.Release) { + sort.Sort(ByName{list}) +} + +// SortByDate returns the list of releases sorted by a +// release's last deployed time (in seconds). +func SortByDate(list []*rspb.Release) { + sort.Sort(ByDate{list}) +} + +// SortByRevision returns the list of releases sorted by a +// release's revision number (release.Version). +func SortByRevision(list []*rspb.Release) { + sort.Sort(ByRevision{list}) +} diff --git a/vendor/helm.sh/helm/v3/pkg/repo/chartrepo.go b/vendor/helm.sh/helm/v3/pkg/repo/chartrepo.go new file mode 100644 index 0000000000..970e96da2d --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/repo/chartrepo.go @@ -0,0 +1,317 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package repo // import "helm.sh/helm/v3/pkg/repo" + +import ( + "crypto/rand" + "encoding/base64" + "encoding/json" + "fmt" + "io" + "log" + "net/url" + "os" + "path/filepath" + "strings" + + "github.com/pkg/errors" + "sigs.k8s.io/yaml" + + "helm.sh/helm/v3/pkg/chart/loader" + "helm.sh/helm/v3/pkg/getter" + "helm.sh/helm/v3/pkg/helmpath" + "helm.sh/helm/v3/pkg/provenance" +) + +// Entry represents a collection of parameters for chart repository +type Entry struct { + Name string `json:"name"` + URL string `json:"url"` + Username string `json:"username"` + Password string `json:"password"` + CertFile string `json:"certFile"` + KeyFile string `json:"keyFile"` + CAFile string `json:"caFile"` + InsecureSkipTLSverify bool `json:"insecure_skip_tls_verify"` + PassCredentialsAll bool `json:"pass_credentials_all"` +} + +// ChartRepository represents a chart repository +type ChartRepository struct { + Config *Entry + ChartPaths []string + IndexFile *IndexFile + Client getter.Getter + CachePath string +} + +// NewChartRepository constructs ChartRepository +func NewChartRepository(cfg *Entry, getters getter.Providers) (*ChartRepository, error) { + u, err := url.Parse(cfg.URL) + if err != nil { + return nil, errors.Errorf("invalid chart URL format: %s", cfg.URL) + } + + client, err := getters.ByScheme(u.Scheme) + if err != nil { + return nil, errors.Errorf("could not find protocol handler for: %s", u.Scheme) + } + + return &ChartRepository{ + Config: cfg, + IndexFile: NewIndexFile(), + Client: client, + CachePath: helmpath.CachePath("repository"), + }, nil +} + +// Load loads a directory of charts as if it were a repository. +// +// It requires the presence of an index.yaml file in the directory. +// +// Deprecated: remove in Helm 4. +func (r *ChartRepository) Load() error { + dirInfo, err := os.Stat(r.Config.Name) + if err != nil { + return err + } + if !dirInfo.IsDir() { + return errors.Errorf("%q is not a directory", r.Config.Name) + } + + // FIXME: Why are we recursively walking directories? + // FIXME: Why are we not reading the repositories.yaml to figure out + // what repos to use? + filepath.Walk(r.Config.Name, func(path string, f os.FileInfo, _ error) error { + if !f.IsDir() { + if strings.Contains(f.Name(), "-index.yaml") { + i, err := LoadIndexFile(path) + if err != nil { + return err + } + r.IndexFile = i + } else if strings.HasSuffix(f.Name(), ".tgz") { + r.ChartPaths = append(r.ChartPaths, path) + } + } + return nil + }) + return nil +} + +// DownloadIndexFile fetches the index from a repository. +func (r *ChartRepository) DownloadIndexFile() (string, error) { + indexURL, err := ResolveReferenceURL(r.Config.URL, "index.yaml") + if err != nil { + return "", err + } + + resp, err := r.Client.Get(indexURL, + getter.WithURL(r.Config.URL), + getter.WithInsecureSkipVerifyTLS(r.Config.InsecureSkipTLSverify), + getter.WithTLSClientConfig(r.Config.CertFile, r.Config.KeyFile, r.Config.CAFile), + getter.WithBasicAuth(r.Config.Username, r.Config.Password), + getter.WithPassCredentialsAll(r.Config.PassCredentialsAll), + ) + if err != nil { + return "", err + } + + index, err := io.ReadAll(resp) + if err != nil { + return "", err + } + + indexFile, err := loadIndex(index, r.Config.URL) + if err != nil { + return "", err + } + + // Create the chart list file in the cache directory + var charts strings.Builder + for name := range indexFile.Entries { + fmt.Fprintln(&charts, name) + } + chartsFile := filepath.Join(r.CachePath, helmpath.CacheChartsFile(r.Config.Name)) + os.MkdirAll(filepath.Dir(chartsFile), 0755) + os.WriteFile(chartsFile, []byte(charts.String()), 0644) + + // Create the index file in the cache directory + fname := filepath.Join(r.CachePath, helmpath.CacheIndexFile(r.Config.Name)) + os.MkdirAll(filepath.Dir(fname), 0755) + return fname, os.WriteFile(fname, index, 0644) +} + +// Index generates an index for the chart repository and writes an index.yaml file. +func (r *ChartRepository) Index() error { + err := r.generateIndex() + if err != nil { + return err + } + return r.saveIndexFile() +} + +func (r *ChartRepository) saveIndexFile() error { + index, err := yaml.Marshal(r.IndexFile) + if err != nil { + return err + } + return os.WriteFile(filepath.Join(r.Config.Name, indexPath), index, 0644) +} + +func (r *ChartRepository) generateIndex() error { + for _, path := range r.ChartPaths { + ch, err := loader.Load(path) + if err != nil { + return err + } + + digest, err := provenance.DigestFile(path) + if err != nil { + return err + } + + if !r.IndexFile.Has(ch.Name(), ch.Metadata.Version) { + if err := r.IndexFile.MustAdd(ch.Metadata, path, r.Config.URL, digest); err != nil { + return errors.Wrapf(err, "failed adding to %s to index", path) + } + } + // TODO: If a chart exists, but has a different Digest, should we error? + } + r.IndexFile.SortEntries() + return nil +} + +// FindChartInRepoURL finds chart in chart repository pointed by repoURL +// without adding repo to repositories +func FindChartInRepoURL(repoURL, chartName, chartVersion, certFile, keyFile, caFile string, getters getter.Providers) (string, error) { + return FindChartInAuthRepoURL(repoURL, "", "", chartName, chartVersion, certFile, keyFile, caFile, getters) +} + +// FindChartInAuthRepoURL finds chart in chart repository pointed by repoURL +// without adding repo to repositories, like FindChartInRepoURL, +// but it also receives credentials for the chart repository. +func FindChartInAuthRepoURL(repoURL, username, password, chartName, chartVersion, certFile, keyFile, caFile string, getters getter.Providers) (string, error) { + return FindChartInAuthAndTLSRepoURL(repoURL, username, password, chartName, chartVersion, certFile, keyFile, caFile, false, getters) +} + +// FindChartInAuthAndTLSRepoURL finds chart in chart repository pointed by repoURL +// without adding repo to repositories, like FindChartInRepoURL, +// but it also receives credentials and TLS verify flag for the chart repository. +// TODO Helm 4, FindChartInAuthAndTLSRepoURL should be integrated into FindChartInAuthRepoURL. +func FindChartInAuthAndTLSRepoURL(repoURL, username, password, chartName, chartVersion, certFile, keyFile, caFile string, insecureSkipTLSverify bool, getters getter.Providers) (string, error) { + return FindChartInAuthAndTLSAndPassRepoURL(repoURL, username, password, chartName, chartVersion, certFile, keyFile, caFile, insecureSkipTLSverify, false, getters) +} + +// FindChartInAuthAndTLSAndPassRepoURL finds chart in chart repository pointed by repoURL +// without adding repo to repositories, like FindChartInRepoURL, +// but it also receives credentials, TLS verify flag, and if credentials should +// be passed on to other domains. +// TODO Helm 4, FindChartInAuthAndTLSAndPassRepoURL should be integrated into FindChartInAuthRepoURL. +func FindChartInAuthAndTLSAndPassRepoURL(repoURL, username, password, chartName, chartVersion, certFile, keyFile, caFile string, insecureSkipTLSverify, passCredentialsAll bool, getters getter.Providers) (string, error) { + + // Download and write the index file to a temporary location + buf := make([]byte, 20) + rand.Read(buf) + name := strings.ReplaceAll(base64.StdEncoding.EncodeToString(buf), "/", "-") + + c := Entry{ + URL: repoURL, + Username: username, + Password: password, + PassCredentialsAll: passCredentialsAll, + CertFile: certFile, + KeyFile: keyFile, + CAFile: caFile, + Name: name, + InsecureSkipTLSverify: insecureSkipTLSverify, + } + r, err := NewChartRepository(&c, getters) + if err != nil { + return "", err + } + idx, err := r.DownloadIndexFile() + if err != nil { + return "", errors.Wrapf(err, "looks like %q is not a valid chart repository or cannot be reached", repoURL) + } + defer func() { + os.RemoveAll(filepath.Join(r.CachePath, helmpath.CacheChartsFile(r.Config.Name))) + os.RemoveAll(filepath.Join(r.CachePath, helmpath.CacheIndexFile(r.Config.Name))) + }() + + // Read the index file for the repository to get chart information and return chart URL + repoIndex, err := LoadIndexFile(idx) + if err != nil { + return "", err + } + + errMsg := fmt.Sprintf("chart %q", chartName) + if chartVersion != "" { + errMsg = fmt.Sprintf("%s version %q", errMsg, chartVersion) + } + cv, err := repoIndex.Get(chartName, chartVersion) + if err != nil { + return "", errors.Errorf("%s not found in %s repository", errMsg, repoURL) + } + + if len(cv.URLs) == 0 { + return "", errors.Errorf("%s has no downloadable URLs", errMsg) + } + + chartURL := cv.URLs[0] + + absoluteChartURL, err := ResolveReferenceURL(repoURL, chartURL) + if err != nil { + return "", errors.Wrap(err, "failed to make chart URL absolute") + } + + return absoluteChartURL, nil +} + +// ResolveReferenceURL resolves refURL relative to baseURL. +// If refURL is absolute, it simply returns refURL. +func ResolveReferenceURL(baseURL, refURL string) (string, error) { + parsedRefURL, err := url.Parse(refURL) + if err != nil { + return "", errors.Wrapf(err, "failed to parse %s as URL", refURL) + } + + if parsedRefURL.IsAbs() { + return refURL, nil + } + + parsedBaseURL, err := url.Parse(baseURL) + if err != nil { + return "", errors.Wrapf(err, "failed to parse %s as URL", baseURL) + } + + // We need a trailing slash for ResolveReference to work, but make sure there isn't already one + parsedBaseURL.RawPath = strings.TrimSuffix(parsedBaseURL.RawPath, "/") + "/" + parsedBaseURL.Path = strings.TrimSuffix(parsedBaseURL.Path, "/") + "/" + + resolvedURL := parsedBaseURL.ResolveReference(parsedRefURL) + resolvedURL.RawQuery = parsedBaseURL.RawQuery + return resolvedURL.String(), nil +} + +func (e *Entry) String() string { + buf, err := json.Marshal(e) + if err != nil { + log.Panic(err) + } + return string(buf) +} diff --git a/vendor/helm.sh/helm/v3/pkg/repo/doc.go b/vendor/helm.sh/helm/v3/pkg/repo/doc.go new file mode 100644 index 0000000000..fc54bbf7af --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/repo/doc.go @@ -0,0 +1,94 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +/* +Package repo implements the Helm Chart Repository. + +A chart repository is an HTTP server that provides information on charts. A local +repository cache is an on-disk representation of a chart repository. + +There are two important file formats for chart repositories. + +The first is the 'index.yaml' format, which is expressed like this: + + apiVersion: v1 + entries: + frobnitz: + - created: 2016-09-29T12:14:34.830161306-06:00 + description: This is a frobnitz. + digest: 587bd19a9bd9d2bc4a6d25ab91c8c8e7042c47b4ac246e37bf8e1e74386190f4 + home: http://example.com + keywords: + - frobnitz + - sprocket + - dodad + maintainers: + - email: helm@example.com + name: The Helm Team + - email: nobody@example.com + name: Someone Else + name: frobnitz + urls: + - http://example-charts.com/testdata/repository/frobnitz-1.2.3.tgz + version: 1.2.3 + sprocket: + - created: 2016-09-29T12:14:34.830507606-06:00 + description: This is a sprocket" + digest: 8505ff813c39502cc849a38e1e4a8ac24b8e6e1dcea88f4c34ad9b7439685ae6 + home: http://example.com + keywords: + - frobnitz + - sprocket + - dodad + maintainers: + - email: helm@example.com + name: The Helm Team + - email: nobody@example.com + name: Someone Else + name: sprocket + urls: + - http://example-charts.com/testdata/repository/sprocket-1.2.0.tgz + version: 1.2.0 + generated: 2016-09-29T12:14:34.829721375-06:00 + +An index.yaml file contains the necessary descriptive information about what +charts are available in a repository, and how to get them. + +The second file format is the repositories.yaml file format. This file is for +facilitating local cached copies of one or more chart repositories. + +The format of a repository.yaml file is: + + apiVersion: v1 + generated: TIMESTAMP + repositories: + - name: stable + url: http://example.com/charts + cache: stable-index.yaml + - name: incubator + url: http://example.com/incubator + cache: incubator-index.yaml + +This file maps three bits of information about a repository: + + - The name the user uses to refer to it + - The fully qualified URL to the repository (index.yaml will be appended) + - The name of the local cachefile + +The format for both files was changed after Helm v2.0.0-Alpha.4. Helm is not +backwards compatible with those earlier versions. +*/ +package repo diff --git a/vendor/helm.sh/helm/v3/pkg/repo/index.go b/vendor/helm.sh/helm/v3/pkg/repo/index.go new file mode 100644 index 0000000000..a93314ab8b --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/repo/index.go @@ -0,0 +1,417 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package repo + +import ( + "bytes" + "encoding/json" + "log" + "os" + "path" + "path/filepath" + "sort" + "strings" + "time" + + "github.com/Masterminds/semver/v3" + "github.com/pkg/errors" + "sigs.k8s.io/yaml" + + "helm.sh/helm/v3/internal/fileutil" + "helm.sh/helm/v3/internal/urlutil" + "helm.sh/helm/v3/pkg/chart" + "helm.sh/helm/v3/pkg/chart/loader" + "helm.sh/helm/v3/pkg/provenance" +) + +var indexPath = "index.yaml" + +// APIVersionV1 is the v1 API version for index and repository files. +const APIVersionV1 = "v1" + +var ( + // ErrNoAPIVersion indicates that an API version was not specified. + ErrNoAPIVersion = errors.New("no API version specified") + // ErrNoChartVersion indicates that a chart with the given version is not found. + ErrNoChartVersion = errors.New("no chart version found") + // ErrNoChartName indicates that a chart with the given name is not found. + ErrNoChartName = errors.New("no chart name found") + // ErrEmptyIndexYaml indicates that the content of index.yaml is empty. + ErrEmptyIndexYaml = errors.New("empty index.yaml file") +) + +// ChartVersions is a list of versioned chart references. +// Implements a sorter on Version. +type ChartVersions []*ChartVersion + +// Len returns the length. +func (c ChartVersions) Len() int { return len(c) } + +// Swap swaps the position of two items in the versions slice. +func (c ChartVersions) Swap(i, j int) { c[i], c[j] = c[j], c[i] } + +// Less returns true if the version of entry a is less than the version of entry b. +func (c ChartVersions) Less(a, b int) bool { + // Failed parse pushes to the back. + i, err := semver.NewVersion(c[a].Version) + if err != nil { + return true + } + j, err := semver.NewVersion(c[b].Version) + if err != nil { + return false + } + return i.LessThan(j) +} + +// IndexFile represents the index file in a chart repository +type IndexFile struct { + // This is used ONLY for validation against chartmuseum's index files and is discarded after validation. + ServerInfo map[string]interface{} `json:"serverInfo,omitempty"` + APIVersion string `json:"apiVersion"` + Generated time.Time `json:"generated"` + Entries map[string]ChartVersions `json:"entries"` + PublicKeys []string `json:"publicKeys,omitempty"` + + // Annotations are additional mappings uninterpreted by Helm. They are made available for + // other applications to add information to the index file. + Annotations map[string]string `json:"annotations,omitempty"` +} + +// NewIndexFile initializes an index. +func NewIndexFile() *IndexFile { + return &IndexFile{ + APIVersion: APIVersionV1, + Generated: time.Now(), + Entries: map[string]ChartVersions{}, + PublicKeys: []string{}, + } +} + +// LoadIndexFile takes a file at the given path and returns an IndexFile object +func LoadIndexFile(path string) (*IndexFile, error) { + b, err := os.ReadFile(path) + if err != nil { + return nil, err + } + i, err := loadIndex(b, path) + if err != nil { + return nil, errors.Wrapf(err, "error loading %s", path) + } + return i, nil +} + +// MustAdd adds a file to the index +// This can leave the index in an unsorted state +func (i IndexFile) MustAdd(md *chart.Metadata, filename, baseURL, digest string) error { + if i.Entries == nil { + return errors.New("entries not initialized") + } + + if md.APIVersion == "" { + md.APIVersion = chart.APIVersionV1 + } + if err := md.Validate(); err != nil { + return errors.Wrapf(err, "validate failed for %s", filename) + } + + u := filename + if baseURL != "" { + _, file := filepath.Split(filename) + var err error + u, err = urlutil.URLJoin(baseURL, file) + if err != nil { + u = path.Join(baseURL, file) + } + } + cr := &ChartVersion{ + URLs: []string{u}, + Metadata: md, + Digest: digest, + Created: time.Now(), + } + ee := i.Entries[md.Name] + i.Entries[md.Name] = append(ee, cr) + return nil +} + +// Add adds a file to the index and logs an error. +// +// Deprecated: Use index.MustAdd instead. +func (i IndexFile) Add(md *chart.Metadata, filename, baseURL, digest string) { + if err := i.MustAdd(md, filename, baseURL, digest); err != nil { + log.Printf("skipping loading invalid entry for chart %q %q from %s: %s", md.Name, md.Version, filename, err) + } +} + +// Has returns true if the index has an entry for a chart with the given name and exact version. +func (i IndexFile) Has(name, version string) bool { + _, err := i.Get(name, version) + return err == nil +} + +// SortEntries sorts the entries by version in descending order. +// +// In canonical form, the individual version records should be sorted so that +// the most recent release for every version is in the 0th slot in the +// Entries.ChartVersions array. That way, tooling can predict the newest +// version without needing to parse SemVers. +func (i IndexFile) SortEntries() { + for _, versions := range i.Entries { + sort.Sort(sort.Reverse(versions)) + } +} + +// Get returns the ChartVersion for the given name. +// +// If version is empty, this will return the chart with the latest stable version, +// prerelease versions will be skipped. +func (i IndexFile) Get(name, version string) (*ChartVersion, error) { + vs, ok := i.Entries[name] + if !ok { + return nil, ErrNoChartName + } + if len(vs) == 0 { + return nil, ErrNoChartVersion + } + + var constraint *semver.Constraints + if version == "" { + constraint, _ = semver.NewConstraint("*") + } else { + var err error + constraint, err = semver.NewConstraint(version) + if err != nil { + return nil, err + } + } + + // when customer inputs specific version, check whether there's an exact match first + if len(version) != 0 { + for _, ver := range vs { + if version == ver.Version { + return ver, nil + } + } + } + + for _, ver := range vs { + test, err := semver.NewVersion(ver.Version) + if err != nil { + continue + } + + if constraint.Check(test) { + return ver, nil + } + } + return nil, errors.Errorf("no chart version found for %s-%s", name, version) +} + +// WriteFile writes an index file to the given destination path. +// +// The mode on the file is set to 'mode'. +func (i IndexFile) WriteFile(dest string, mode os.FileMode) error { + b, err := yaml.Marshal(i) + if err != nil { + return err + } + return fileutil.AtomicWriteFile(dest, bytes.NewReader(b), mode) +} + +// WriteJSONFile writes an index file in JSON format to the given destination +// path. +// +// The mode on the file is set to 'mode'. +func (i IndexFile) WriteJSONFile(dest string, mode os.FileMode) error { + b, err := json.MarshalIndent(i, "", " ") + if err != nil { + return err + } + return fileutil.AtomicWriteFile(dest, bytes.NewReader(b), mode) +} + +// Merge merges the given index file into this index. +// +// This merges by name and version. +// +// If one of the entries in the given index does _not_ already exist, it is added. +// In all other cases, the existing record is preserved. +// +// This can leave the index in an unsorted state +func (i *IndexFile) Merge(f *IndexFile) { + for _, cvs := range f.Entries { + for _, cv := range cvs { + if !i.Has(cv.Name, cv.Version) { + e := i.Entries[cv.Name] + i.Entries[cv.Name] = append(e, cv) + } + } + } +} + +// ChartVersion represents a chart entry in the IndexFile +type ChartVersion struct { + *chart.Metadata + URLs []string `json:"urls"` + Created time.Time `json:"created,omitempty"` + Removed bool `json:"removed,omitempty"` + Digest string `json:"digest,omitempty"` + + // ChecksumDeprecated is deprecated in Helm 3, and therefore ignored. Helm 3 replaced + // this with Digest. However, with a strict YAML parser enabled, a field must be + // present on the struct for backwards compatibility. + ChecksumDeprecated string `json:"checksum,omitempty"` + + // EngineDeprecated is deprecated in Helm 3, and therefore ignored. However, with a strict + // YAML parser enabled, this field must be present. + EngineDeprecated string `json:"engine,omitempty"` + + // TillerVersionDeprecated is deprecated in Helm 3, and therefore ignored. However, with a strict + // YAML parser enabled, this field must be present. + TillerVersionDeprecated string `json:"tillerVersion,omitempty"` + + // URLDeprecated is deprecated in Helm 3, superseded by URLs. It is ignored. However, + // with a strict YAML parser enabled, this must be present on the struct. + URLDeprecated string `json:"url,omitempty"` +} + +// IndexDirectory reads a (flat) directory and generates an index. +// +// It indexes only charts that have been packaged (*.tgz). +// +// The index returned will be in an unsorted state +func IndexDirectory(dir, baseURL string) (*IndexFile, error) { + archives, err := filepath.Glob(filepath.Join(dir, "*.tgz")) + if err != nil { + return nil, err + } + moreArchives, err := filepath.Glob(filepath.Join(dir, "**/*.tgz")) + if err != nil { + return nil, err + } + archives = append(archives, moreArchives...) + + index := NewIndexFile() + for _, arch := range archives { + fname, err := filepath.Rel(dir, arch) + if err != nil { + return index, err + } + + var parentDir string + parentDir, fname = filepath.Split(fname) + // filepath.Split appends an extra slash to the end of parentDir. We want to strip that out. + parentDir = strings.TrimSuffix(parentDir, string(os.PathSeparator)) + parentURL, err := urlutil.URLJoin(baseURL, parentDir) + if err != nil { + parentURL = path.Join(baseURL, parentDir) + } + + c, err := loader.Load(arch) + if err != nil { + // Assume this is not a chart. + continue + } + hash, err := provenance.DigestFile(arch) + if err != nil { + return index, err + } + if err := index.MustAdd(c.Metadata, fname, parentURL, hash); err != nil { + return index, errors.Wrapf(err, "failed adding to %s to index", fname) + } + } + return index, nil +} + +// loadIndex loads an index file and does minimal validity checking. +// +// The source parameter is only used for logging. +// This will fail if API Version is not set (ErrNoAPIVersion) or if the unmarshal fails. +func loadIndex(data []byte, source string) (*IndexFile, error) { + i := &IndexFile{} + + if len(data) == 0 { + return i, ErrEmptyIndexYaml + } + + if err := jsonOrYamlUnmarshal(data, i); err != nil { + return i, err + } + + for name, cvs := range i.Entries { + for idx := len(cvs) - 1; idx >= 0; idx-- { + if cvs[idx] == nil { + log.Printf("skipping loading invalid entry for chart %q from %s: empty entry", name, source) + cvs = append(cvs[:idx], cvs[idx+1:]...) + continue + } + // When metadata section missing, initialize with no data + if cvs[idx].Metadata == nil { + cvs[idx].Metadata = &chart.Metadata{} + } + if cvs[idx].APIVersion == "" { + cvs[idx].APIVersion = chart.APIVersionV1 + } + if err := cvs[idx].Validate(); ignoreSkippableChartValidationError(err) != nil { + log.Printf("skipping loading invalid entry for chart %q %q from %s: %s", name, cvs[idx].Version, source, err) + cvs = append(cvs[:idx], cvs[idx+1:]...) + } + } + // adjust slice to only contain a set of valid versions + i.Entries[name] = cvs + } + i.SortEntries() + if i.APIVersion == "" { + return i, ErrNoAPIVersion + } + return i, nil +} + +// jsonOrYamlUnmarshal unmarshals the given byte slice containing JSON or YAML +// into the provided interface. +// +// It automatically detects whether the data is in JSON or YAML format by +// checking its validity as JSON. If the data is valid JSON, it will use the +// `encoding/json` package to unmarshal it. Otherwise, it will use the +// `sigs.k8s.io/yaml` package to unmarshal the YAML data. +func jsonOrYamlUnmarshal(b []byte, i interface{}) error { + if json.Valid(b) { + return json.Unmarshal(b, i) + } + return yaml.UnmarshalStrict(b, i) +} + +// ignoreSkippableChartValidationError inspect the given error and returns nil if +// the error isn't important for index loading +// +// In particular, charts may introduce validations that don't impact repository indexes +// And repository indexes may be generated by older/non-compliant software, which doesn't +// conform to all validations. +func ignoreSkippableChartValidationError(err error) error { + verr, ok := err.(chart.ValidationError) + if !ok { + return err + } + + // https://github.com/helm/helm/issues/12748 (JFrog repository strips alias field) + if strings.HasPrefix(verr.Error(), "validation: more than one dependency with name or alias") { + return nil + } + + return err +} diff --git a/vendor/helm.sh/helm/v3/pkg/repo/repo.go b/vendor/helm.sh/helm/v3/pkg/repo/repo.go new file mode 100644 index 0000000000..834d554bd9 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/repo/repo.go @@ -0,0 +1,125 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package repo // import "helm.sh/helm/v3/pkg/repo" + +import ( + "os" + "path/filepath" + "time" + + "github.com/pkg/errors" + "sigs.k8s.io/yaml" +) + +// File represents the repositories.yaml file +type File struct { + APIVersion string `json:"apiVersion"` + Generated time.Time `json:"generated"` + Repositories []*Entry `json:"repositories"` +} + +// NewFile generates an empty repositories file. +// +// Generated and APIVersion are automatically set. +func NewFile() *File { + return &File{ + APIVersion: APIVersionV1, + Generated: time.Now(), + Repositories: []*Entry{}, + } +} + +// LoadFile takes a file at the given path and returns a File object +func LoadFile(path string) (*File, error) { + r := new(File) + b, err := os.ReadFile(path) + if err != nil { + return r, errors.Wrapf(err, "couldn't load repositories file (%s)", path) + } + + err = yaml.Unmarshal(b, r) + return r, err +} + +// Add adds one or more repo entries to a repo file. +func (r *File) Add(re ...*Entry) { + r.Repositories = append(r.Repositories, re...) +} + +// Update attempts to replace one or more repo entries in a repo file. If an +// entry with the same name doesn't exist in the repo file it will add it. +func (r *File) Update(re ...*Entry) { + for _, target := range re { + r.update(target) + } +} + +func (r *File) update(e *Entry) { + for j, repo := range r.Repositories { + if repo.Name == e.Name { + r.Repositories[j] = e + return + } + } + r.Add(e) +} + +// Has returns true if the given name is already a repository name. +func (r *File) Has(name string) bool { + entry := r.Get(name) + return entry != nil +} + +// Get returns an entry with the given name if it exists, otherwise returns nil +func (r *File) Get(name string) *Entry { + for _, entry := range r.Repositories { + if entry.Name == name { + return entry + } + } + return nil +} + +// Remove removes the entry from the list of repositories. +func (r *File) Remove(name string) bool { + cp := []*Entry{} + found := false + for _, rf := range r.Repositories { + if rf == nil { + continue + } + if rf.Name == name { + found = true + continue + } + cp = append(cp, rf) + } + r.Repositories = cp + return found +} + +// WriteFile writes a repositories file to the given path. +func (r *File) WriteFile(path string, perm os.FileMode) error { + data, err := yaml.Marshal(r) + if err != nil { + return err + } + if err := os.MkdirAll(filepath.Dir(path), 0755); err != nil { + return err + } + return os.WriteFile(path, data, perm) +} diff --git a/vendor/helm.sh/helm/v3/pkg/storage/driver/cfgmaps.go b/vendor/helm.sh/helm/v3/pkg/storage/driver/cfgmaps.go new file mode 100644 index 0000000000..ce88c662b0 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/storage/driver/cfgmaps.go @@ -0,0 +1,264 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package driver // import "helm.sh/helm/v3/pkg/storage/driver" + +import ( + "context" + "fmt" + "strconv" + "strings" + "time" + + "github.com/pkg/errors" + v1 "k8s.io/api/core/v1" + apierrors "k8s.io/apimachinery/pkg/api/errors" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + kblabels "k8s.io/apimachinery/pkg/labels" + "k8s.io/apimachinery/pkg/util/validation" + corev1 "k8s.io/client-go/kubernetes/typed/core/v1" + + rspb "helm.sh/helm/v3/pkg/release" +) + +var _ Driver = (*ConfigMaps)(nil) + +// ConfigMapsDriverName is the string name of the driver. +const ConfigMapsDriverName = "ConfigMap" + +// ConfigMaps is a wrapper around an implementation of a kubernetes +// ConfigMapsInterface. +type ConfigMaps struct { + impl corev1.ConfigMapInterface + Log func(string, ...interface{}) +} + +// NewConfigMaps initializes a new ConfigMaps wrapping an implementation of +// the kubernetes ConfigMapsInterface. +func NewConfigMaps(impl corev1.ConfigMapInterface) *ConfigMaps { + return &ConfigMaps{ + impl: impl, + Log: func(_ string, _ ...interface{}) {}, + } +} + +// Name returns the name of the driver. +func (cfgmaps *ConfigMaps) Name() string { + return ConfigMapsDriverName +} + +// Get fetches the release named by key. The corresponding release is returned +// or error if not found. +func (cfgmaps *ConfigMaps) Get(key string) (*rspb.Release, error) { + // fetch the configmap holding the release named by key + obj, err := cfgmaps.impl.Get(context.Background(), key, metav1.GetOptions{}) + if err != nil { + if apierrors.IsNotFound(err) { + return nil, ErrReleaseNotFound + } + + cfgmaps.Log("get: failed to get %q: %s", key, err) + return nil, err + } + // found the configmap, decode the base64 data string + r, err := decodeRelease(obj.Data["release"]) + if err != nil { + cfgmaps.Log("get: failed to decode data %q: %s", key, err) + return nil, err + } + r.Labels = filterSystemLabels(obj.ObjectMeta.Labels) + // return the release object + return r, nil +} + +// List fetches all releases and returns the list releases such +// that filter(release) == true. An error is returned if the +// configmap fails to retrieve the releases. +func (cfgmaps *ConfigMaps) List(filter func(*rspb.Release) bool) ([]*rspb.Release, error) { + lsel := kblabels.Set{"owner": "helm"}.AsSelector() + opts := metav1.ListOptions{LabelSelector: lsel.String()} + + list, err := cfgmaps.impl.List(context.Background(), opts) + if err != nil { + cfgmaps.Log("list: failed to list: %s", err) + return nil, err + } + + var results []*rspb.Release + + // iterate over the configmaps object list + // and decode each release + for _, item := range list.Items { + rls, err := decodeRelease(item.Data["release"]) + if err != nil { + cfgmaps.Log("list: failed to decode release: %v: %s", item, err) + continue + } + + rls.Labels = item.ObjectMeta.Labels + + if filter(rls) { + results = append(results, rls) + } + } + return results, nil +} + +// Query fetches all releases that match the provided map of labels. +// An error is returned if the configmap fails to retrieve the releases. +func (cfgmaps *ConfigMaps) Query(labels map[string]string) ([]*rspb.Release, error) { + ls := kblabels.Set{} + for k, v := range labels { + if errs := validation.IsValidLabelValue(v); len(errs) != 0 { + return nil, errors.Errorf("invalid label value: %q: %s", v, strings.Join(errs, "; ")) + } + ls[k] = v + } + + opts := metav1.ListOptions{LabelSelector: ls.AsSelector().String()} + + list, err := cfgmaps.impl.List(context.Background(), opts) + if err != nil { + cfgmaps.Log("query: failed to query with labels: %s", err) + return nil, err + } + + if len(list.Items) == 0 { + return nil, ErrReleaseNotFound + } + + var results []*rspb.Release + for _, item := range list.Items { + rls, err := decodeRelease(item.Data["release"]) + if err != nil { + cfgmaps.Log("query: failed to decode release: %s", err) + continue + } + rls.Labels = item.ObjectMeta.Labels + results = append(results, rls) + } + return results, nil +} + +// Create creates a new ConfigMap holding the release. If the +// ConfigMap already exists, ErrReleaseExists is returned. +func (cfgmaps *ConfigMaps) Create(key string, rls *rspb.Release) error { + // set labels for configmaps object meta data + var lbs labels + + lbs.init() + lbs.fromMap(rls.Labels) + lbs.set("createdAt", fmt.Sprintf("%v", time.Now().Unix())) + + // create a new configmap to hold the release + obj, err := newConfigMapsObject(key, rls, lbs) + if err != nil { + cfgmaps.Log("create: failed to encode release %q: %s", rls.Name, err) + return err + } + // push the configmap object out into the kubiverse + if _, err := cfgmaps.impl.Create(context.Background(), obj, metav1.CreateOptions{}); err != nil { + if apierrors.IsAlreadyExists(err) { + return ErrReleaseExists + } + + cfgmaps.Log("create: failed to create: %s", err) + return err + } + return nil +} + +// Update updates the ConfigMap holding the release. If not found +// the ConfigMap is created to hold the release. +func (cfgmaps *ConfigMaps) Update(key string, rls *rspb.Release) error { + // set labels for configmaps object meta data + var lbs labels + + lbs.init() + lbs.fromMap(rls.Labels) + lbs.set("modifiedAt", fmt.Sprintf("%v", time.Now().Unix())) + + // create a new configmap object to hold the release + obj, err := newConfigMapsObject(key, rls, lbs) + if err != nil { + cfgmaps.Log("update: failed to encode release %q: %s", rls.Name, err) + return err + } + // push the configmap object out into the kubiverse + _, err = cfgmaps.impl.Update(context.Background(), obj, metav1.UpdateOptions{}) + if err != nil { + cfgmaps.Log("update: failed to update: %s", err) + return err + } + return nil +} + +// Delete deletes the ConfigMap holding the release named by key. +func (cfgmaps *ConfigMaps) Delete(key string) (rls *rspb.Release, err error) { + // fetch the release to check existence + if rls, err = cfgmaps.Get(key); err != nil { + return nil, err + } + // delete the release + if err = cfgmaps.impl.Delete(context.Background(), key, metav1.DeleteOptions{}); err != nil { + return rls, err + } + return rls, nil +} + +// newConfigMapsObject constructs a kubernetes ConfigMap object +// to store a release. Each configmap data entry is the base64 +// encoded gzipped string of a release. +// +// The following labels are used within each configmap: +// +// "modifiedAt" - timestamp indicating when this configmap was last modified. (set in Update) +// "createdAt" - timestamp indicating when this configmap was created. (set in Create) +// "version" - version of the release. +// "status" - status of the release (see pkg/release/status.go for variants) +// "owner" - owner of the configmap, currently "helm". +// "name" - name of the release. +func newConfigMapsObject(key string, rls *rspb.Release, lbs labels) (*v1.ConfigMap, error) { + const owner = "helm" + + // encode the release + s, err := encodeRelease(rls) + if err != nil { + return nil, err + } + + if lbs == nil { + lbs.init() + } + + // apply custom labels + lbs.fromMap(rls.Labels) + + // apply labels + lbs.set("name", rls.Name) + lbs.set("owner", owner) + lbs.set("status", rls.Info.Status.String()) + lbs.set("version", strconv.Itoa(rls.Version)) + + // create and return configmap object + return &v1.ConfigMap{ + ObjectMeta: metav1.ObjectMeta{ + Name: key, + Labels: lbs.toMap(), + }, + Data: map[string]string{"release": s}, + }, nil +} diff --git a/vendor/helm.sh/helm/v3/pkg/storage/driver/driver.go b/vendor/helm.sh/helm/v3/pkg/storage/driver/driver.go new file mode 100644 index 0000000000..9c01f37660 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/storage/driver/driver.go @@ -0,0 +1,105 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package driver // import "helm.sh/helm/v3/pkg/storage/driver" + +import ( + "fmt" + + "github.com/pkg/errors" + + rspb "helm.sh/helm/v3/pkg/release" +) + +var ( + // ErrReleaseNotFound indicates that a release is not found. + ErrReleaseNotFound = errors.New("release: not found") + // ErrReleaseExists indicates that a release already exists. + ErrReleaseExists = errors.New("release: already exists") + // ErrInvalidKey indicates that a release key could not be parsed. + ErrInvalidKey = errors.New("release: invalid key") + // ErrNoDeployedReleases indicates that there are no releases with the given key in the deployed state + ErrNoDeployedReleases = errors.New("has no deployed releases") +) + +// StorageDriverError records an error and the release name that caused it +type StorageDriverError struct { + ReleaseName string + Err error +} + +func (e *StorageDriverError) Error() string { + return fmt.Sprintf("%q %s", e.ReleaseName, e.Err.Error()) +} + +func (e *StorageDriverError) Unwrap() error { return e.Err } + +func NewErrNoDeployedReleases(releaseName string) error { + return &StorageDriverError{ + ReleaseName: releaseName, + Err: ErrNoDeployedReleases, + } +} + +// Creator is the interface that wraps the Create method. +// +// Create stores the release or returns ErrReleaseExists +// if an identical release already exists. +type Creator interface { + Create(key string, rls *rspb.Release) error +} + +// Updator is the interface that wraps the Update method. +// +// Update updates an existing release or returns +// ErrReleaseNotFound if the release does not exist. +type Updator interface { + Update(key string, rls *rspb.Release) error +} + +// Deletor is the interface that wraps the Delete method. +// +// Delete deletes the release named by key or returns +// ErrReleaseNotFound if the release does not exist. +type Deletor interface { + Delete(key string) (*rspb.Release, error) +} + +// Queryor is the interface that wraps the Get and List methods. +// +// Get returns the release named by key or returns ErrReleaseNotFound +// if the release does not exist. +// +// List returns the set of all releases that satisfy the filter predicate. +// +// Query returns the set of all releases that match the provided label set. +type Queryor interface { + Get(key string) (*rspb.Release, error) + List(filter func(*rspb.Release) bool) ([]*rspb.Release, error) + Query(labels map[string]string) ([]*rspb.Release, error) +} + +// Driver is the interface composed of Creator, Updator, Deletor, and Queryor +// interfaces. It defines the behavior for storing, updating, deleted, +// and retrieving Helm releases from some underlying storage mechanism, +// e.g. memory, configmaps. +type Driver interface { + Creator + Updator + Deletor + Queryor + Name() string +} diff --git a/vendor/helm.sh/helm/v3/pkg/storage/driver/labels.go b/vendor/helm.sh/helm/v3/pkg/storage/driver/labels.go new file mode 100644 index 0000000000..eb7118fe5f --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/storage/driver/labels.go @@ -0,0 +1,48 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package driver + +// labels is a map of key value pairs to be included as metadata in a configmap object. +type labels map[string]string + +func (lbs *labels) init() { *lbs = labels(make(map[string]string)) } +func (lbs labels) get(key string) string { return lbs[key] } +func (lbs labels) set(key, val string) { lbs[key] = val } + +func (lbs labels) keys() (ls []string) { + for key := range lbs { + ls = append(ls, key) + } + return +} + +func (lbs labels) match(set labels) bool { + for _, key := range set.keys() { + if lbs.get(key) != set.get(key) { + return false + } + } + return true +} + +func (lbs labels) toMap() map[string]string { return lbs } + +func (lbs *labels) fromMap(kvs map[string]string) { + for k, v := range kvs { + lbs.set(k, v) + } +} diff --git a/vendor/helm.sh/helm/v3/pkg/storage/driver/memory.go b/vendor/helm.sh/helm/v3/pkg/storage/driver/memory.go new file mode 100644 index 0000000000..91378f5885 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/storage/driver/memory.go @@ -0,0 +1,240 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package driver + +import ( + "strconv" + "strings" + "sync" + + rspb "helm.sh/helm/v3/pkg/release" +) + +var _ Driver = (*Memory)(nil) + +const ( + // MemoryDriverName is the string name of this driver. + MemoryDriverName = "Memory" + + defaultNamespace = "default" +) + +// A map of release names to list of release records +type memReleases map[string]records + +// Memory is the in-memory storage driver implementation. +type Memory struct { + sync.RWMutex + namespace string + // A map of namespaces to releases + cache map[string]memReleases +} + +// NewMemory initializes a new memory driver. +func NewMemory() *Memory { + return &Memory{cache: map[string]memReleases{}, namespace: "default"} +} + +// SetNamespace sets a specific namespace in which releases will be accessed. +// An empty string indicates all namespaces (for the list operation) +func (mem *Memory) SetNamespace(ns string) { + mem.namespace = ns +} + +// Name returns the name of the driver. +func (mem *Memory) Name() string { + return MemoryDriverName +} + +// Get returns the release named by key or returns ErrReleaseNotFound. +func (mem *Memory) Get(key string) (*rspb.Release, error) { + defer unlock(mem.rlock()) + + keyWithoutPrefix := strings.TrimPrefix(key, "sh.helm.release.v1.") + switch elems := strings.Split(keyWithoutPrefix, ".v"); len(elems) { + case 2: + name, ver := elems[0], elems[1] + if _, err := strconv.Atoi(ver); err != nil { + return nil, ErrInvalidKey + } + if recs, ok := mem.cache[mem.namespace][name]; ok { + if r := recs.Get(key); r != nil { + return r.rls, nil + } + } + return nil, ErrReleaseNotFound + default: + return nil, ErrInvalidKey + } +} + +// List returns the list of all releases such that filter(release) == true +func (mem *Memory) List(filter func(*rspb.Release) bool) ([]*rspb.Release, error) { + defer unlock(mem.rlock()) + + var ls []*rspb.Release + for namespace := range mem.cache { + if mem.namespace != "" { + // Should only list releases of this namespace + namespace = mem.namespace + } + for _, recs := range mem.cache[namespace] { + recs.Iter(func(_ int, rec *record) bool { + if filter(rec.rls) { + ls = append(ls, rec.rls) + } + return true + }) + } + if mem.namespace != "" { + // Should only list releases of this namespace + break + } + } + return ls, nil +} + +// Query returns the set of releases that match the provided set of labels +func (mem *Memory) Query(keyvals map[string]string) ([]*rspb.Release, error) { + defer unlock(mem.rlock()) + + var lbs labels + + lbs.init() + lbs.fromMap(keyvals) + + var ls []*rspb.Release + for namespace := range mem.cache { + if mem.namespace != "" { + // Should only query releases of this namespace + namespace = mem.namespace + } + for _, recs := range mem.cache[namespace] { + recs.Iter(func(_ int, rec *record) bool { + // A query for a release name that doesn't exist (has been deleted) + // can cause rec to be nil. + if rec == nil { + return false + } + if rec.lbs.match(lbs) { + ls = append(ls, rec.rls) + } + return true + }) + } + if mem.namespace != "" { + // Should only query releases of this namespace + break + } + } + + if len(ls) == 0 { + return nil, ErrReleaseNotFound + } + + return ls, nil +} + +// Create creates a new release or returns ErrReleaseExists. +func (mem *Memory) Create(key string, rls *rspb.Release) error { + defer unlock(mem.wlock()) + + // For backwards compatibility, we protect against an unset namespace + namespace := rls.Namespace + if namespace == "" { + namespace = defaultNamespace + } + mem.SetNamespace(namespace) + + if _, ok := mem.cache[namespace]; !ok { + mem.cache[namespace] = memReleases{} + } + + if recs, ok := mem.cache[namespace][rls.Name]; ok { + if err := recs.Add(newRecord(key, rls)); err != nil { + return err + } + mem.cache[namespace][rls.Name] = recs + return nil + } + mem.cache[namespace][rls.Name] = records{newRecord(key, rls)} + return nil +} + +// Update updates a release or returns ErrReleaseNotFound. +func (mem *Memory) Update(key string, rls *rspb.Release) error { + defer unlock(mem.wlock()) + + // For backwards compatibility, we protect against an unset namespace + namespace := rls.Namespace + if namespace == "" { + namespace = defaultNamespace + } + mem.SetNamespace(namespace) + + if _, ok := mem.cache[namespace]; ok { + if rs, ok := mem.cache[namespace][rls.Name]; ok && rs.Exists(key) { + rs.Replace(key, newRecord(key, rls)) + return nil + } + } + return ErrReleaseNotFound +} + +// Delete deletes a release or returns ErrReleaseNotFound. +func (mem *Memory) Delete(key string) (*rspb.Release, error) { + defer unlock(mem.wlock()) + + keyWithoutPrefix := strings.TrimPrefix(key, "sh.helm.release.v1.") + elems := strings.Split(keyWithoutPrefix, ".v") + + if len(elems) != 2 { + return nil, ErrInvalidKey + } + + name, ver := elems[0], elems[1] + if _, err := strconv.Atoi(ver); err != nil { + return nil, ErrInvalidKey + } + if _, ok := mem.cache[mem.namespace]; ok { + if recs, ok := mem.cache[mem.namespace][name]; ok { + if r := recs.Remove(key); r != nil { + // recs.Remove changes the slice reference, so we have to re-assign it. + mem.cache[mem.namespace][name] = recs + return r.rls, nil + } + } + } + return nil, ErrReleaseNotFound +} + +// wlock locks mem for writing +func (mem *Memory) wlock() func() { + mem.Lock() + return func() { mem.Unlock() } +} + +// rlock locks mem for reading +func (mem *Memory) rlock() func() { + mem.RLock() + return func() { mem.RUnlock() } +} + +// unlock calls fn which reverses a mem.rlock or mem.wlock. e.g: +// ```defer unlock(mem.rlock())```, locks mem for reading at the +// call point of defer and unlocks upon exiting the block. +func unlock(fn func()) { fn() } diff --git a/vendor/helm.sh/helm/v3/pkg/storage/driver/records.go b/vendor/helm.sh/helm/v3/pkg/storage/driver/records.go new file mode 100644 index 0000000000..9df173384c --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/storage/driver/records.go @@ -0,0 +1,124 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package driver // import "helm.sh/helm/v3/pkg/storage/driver" + +import ( + "sort" + "strconv" + + rspb "helm.sh/helm/v3/pkg/release" +) + +// records holds a list of in-memory release records +type records []*record + +func (rs records) Len() int { return len(rs) } +func (rs records) Swap(i, j int) { rs[i], rs[j] = rs[j], rs[i] } +func (rs records) Less(i, j int) bool { return rs[i].rls.Version < rs[j].rls.Version } + +func (rs *records) Add(r *record) error { + if r == nil { + return nil + } + + if rs.Exists(r.key) { + return ErrReleaseExists + } + + *rs = append(*rs, r) + sort.Sort(*rs) + + return nil +} + +func (rs records) Get(key string) *record { + if i, ok := rs.Index(key); ok { + return rs[i] + } + return nil +} + +func (rs *records) Iter(fn func(int, *record) bool) { + cp := make([]*record, len(*rs)) + copy(cp, *rs) + + for i, r := range cp { + if !fn(i, r) { + return + } + } +} + +func (rs *records) Index(key string) (int, bool) { + for i, r := range *rs { + if r.key == key { + return i, true + } + } + return -1, false +} + +func (rs records) Exists(key string) bool { + _, ok := rs.Index(key) + return ok +} + +func (rs *records) Remove(key string) (r *record) { + if i, ok := rs.Index(key); ok { + return rs.removeAt(i) + } + return nil +} + +func (rs *records) Replace(key string, rec *record) *record { + if i, ok := rs.Index(key); ok { + old := (*rs)[i] + (*rs)[i] = rec + return old + } + return nil +} + +func (rs *records) removeAt(index int) *record { + r := (*rs)[index] + (*rs)[index] = nil + copy((*rs)[index:], (*rs)[index+1:]) + *rs = (*rs)[:len(*rs)-1] + return r +} + +// record is the data structure used to cache releases +// for the in-memory storage driver +type record struct { + key string + lbs labels + rls *rspb.Release +} + +// newRecord creates a new in-memory release record +func newRecord(key string, rls *rspb.Release) *record { + var lbs labels + + lbs.init() + lbs.set("name", rls.Name) + lbs.set("owner", "helm") + lbs.set("status", rls.Info.Status.String()) + lbs.set("version", strconv.Itoa(rls.Version)) + + // return &record{key: key, lbs: lbs, rls: proto.Clone(rls).(*rspb.Release)} + return &record{key: key, lbs: lbs, rls: rls} +} diff --git a/vendor/helm.sh/helm/v3/pkg/storage/driver/secrets.go b/vendor/helm.sh/helm/v3/pkg/storage/driver/secrets.go new file mode 100644 index 0000000000..95a7e90324 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/storage/driver/secrets.go @@ -0,0 +1,257 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package driver // import "helm.sh/helm/v3/pkg/storage/driver" + +import ( + "context" + "fmt" + "strconv" + "strings" + "time" + + "github.com/pkg/errors" + v1 "k8s.io/api/core/v1" + apierrors "k8s.io/apimachinery/pkg/api/errors" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + kblabels "k8s.io/apimachinery/pkg/labels" + "k8s.io/apimachinery/pkg/util/validation" + corev1 "k8s.io/client-go/kubernetes/typed/core/v1" + + rspb "helm.sh/helm/v3/pkg/release" +) + +var _ Driver = (*Secrets)(nil) + +// SecretsDriverName is the string name of the driver. +const SecretsDriverName = "Secret" + +// Secrets is a wrapper around an implementation of a kubernetes +// SecretsInterface. +type Secrets struct { + impl corev1.SecretInterface + Log func(string, ...interface{}) +} + +// NewSecrets initializes a new Secrets wrapping an implementation of +// the kubernetes SecretsInterface. +func NewSecrets(impl corev1.SecretInterface) *Secrets { + return &Secrets{ + impl: impl, + Log: func(_ string, _ ...interface{}) {}, + } +} + +// Name returns the name of the driver. +func (secrets *Secrets) Name() string { + return SecretsDriverName +} + +// Get fetches the release named by key. The corresponding release is returned +// or error if not found. +func (secrets *Secrets) Get(key string) (*rspb.Release, error) { + // fetch the secret holding the release named by key + obj, err := secrets.impl.Get(context.Background(), key, metav1.GetOptions{}) + if err != nil { + if apierrors.IsNotFound(err) { + return nil, ErrReleaseNotFound + } + return nil, errors.Wrapf(err, "get: failed to get %q", key) + } + // found the secret, decode the base64 data string + r, err := decodeRelease(string(obj.Data["release"])) + r.Labels = filterSystemLabels(obj.ObjectMeta.Labels) + return r, errors.Wrapf(err, "get: failed to decode data %q", key) +} + +// List fetches all releases and returns the list releases such +// that filter(release) == true. An error is returned if the +// secret fails to retrieve the releases. +func (secrets *Secrets) List(filter func(*rspb.Release) bool) ([]*rspb.Release, error) { + lsel := kblabels.Set{"owner": "helm"}.AsSelector() + opts := metav1.ListOptions{LabelSelector: lsel.String()} + + list, err := secrets.impl.List(context.Background(), opts) + if err != nil { + return nil, errors.Wrap(err, "list: failed to list") + } + + var results []*rspb.Release + + // iterate over the secrets object list + // and decode each release + for _, item := range list.Items { + rls, err := decodeRelease(string(item.Data["release"])) + if err != nil { + secrets.Log("list: failed to decode release: %v: %s", item, err) + continue + } + + rls.Labels = item.ObjectMeta.Labels + + if filter(rls) { + results = append(results, rls) + } + } + return results, nil +} + +// Query fetches all releases that match the provided map of labels. +// An error is returned if the secret fails to retrieve the releases. +func (secrets *Secrets) Query(labels map[string]string) ([]*rspb.Release, error) { + ls := kblabels.Set{} + for k, v := range labels { + if errs := validation.IsValidLabelValue(v); len(errs) != 0 { + return nil, errors.Errorf("invalid label value: %q: %s", v, strings.Join(errs, "; ")) + } + ls[k] = v + } + + opts := metav1.ListOptions{LabelSelector: ls.AsSelector().String()} + + list, err := secrets.impl.List(context.Background(), opts) + if err != nil { + return nil, errors.Wrap(err, "query: failed to query with labels") + } + + if len(list.Items) == 0 { + return nil, ErrReleaseNotFound + } + + var results []*rspb.Release + for _, item := range list.Items { + rls, err := decodeRelease(string(item.Data["release"])) + if err != nil { + secrets.Log("query: failed to decode release: %s", err) + continue + } + rls.Labels = item.ObjectMeta.Labels + results = append(results, rls) + } + return results, nil +} + +// Create creates a new Secret holding the release. If the +// Secret already exists, ErrReleaseExists is returned. +func (secrets *Secrets) Create(key string, rls *rspb.Release) error { + // set labels for secrets object meta data + var lbs labels + + lbs.init() + lbs.fromMap(rls.Labels) + lbs.set("createdAt", fmt.Sprintf("%v", time.Now().Unix())) + + // create a new secret to hold the release + obj, err := newSecretsObject(key, rls, lbs) + if err != nil { + return errors.Wrapf(err, "create: failed to encode release %q", rls.Name) + } + // push the secret object out into the kubiverse + if _, err := secrets.impl.Create(context.Background(), obj, metav1.CreateOptions{}); err != nil { + if apierrors.IsAlreadyExists(err) { + return ErrReleaseExists + } + + return errors.Wrap(err, "create: failed to create") + } + return nil +} + +// Update updates the Secret holding the release. If not found +// the Secret is created to hold the release. +func (secrets *Secrets) Update(key string, rls *rspb.Release) error { + // set labels for secrets object meta data + var lbs labels + + lbs.init() + lbs.fromMap(rls.Labels) + lbs.set("modifiedAt", fmt.Sprintf("%v", time.Now().Unix())) + + // create a new secret object to hold the release + obj, err := newSecretsObject(key, rls, lbs) + if err != nil { + return errors.Wrapf(err, "update: failed to encode release %q", rls.Name) + } + // push the secret object out into the kubiverse + _, err = secrets.impl.Update(context.Background(), obj, metav1.UpdateOptions{}) + return errors.Wrap(err, "update: failed to update") +} + +// Delete deletes the Secret holding the release named by key. +func (secrets *Secrets) Delete(key string) (rls *rspb.Release, err error) { + // fetch the release to check existence + if rls, err = secrets.Get(key); err != nil { + return nil, err + } + // delete the release + err = secrets.impl.Delete(context.Background(), key, metav1.DeleteOptions{}) + return rls, err +} + +// newSecretsObject constructs a kubernetes Secret object +// to store a release. Each secret data entry is the base64 +// encoded gzipped string of a release. +// +// The following labels are used within each secret: +// +// "modifiedAt" - timestamp indicating when this secret was last modified. (set in Update) +// "createdAt" - timestamp indicating when this secret was created. (set in Create) +// "version" - version of the release. +// "status" - status of the release (see pkg/release/status.go for variants) +// "owner" - owner of the secret, currently "helm". +// "name" - name of the release. +func newSecretsObject(key string, rls *rspb.Release, lbs labels) (*v1.Secret, error) { + const owner = "helm" + + // encode the release + s, err := encodeRelease(rls) + if err != nil { + return nil, err + } + + if lbs == nil { + lbs.init() + } + + // apply custom labels + lbs.fromMap(rls.Labels) + + // apply labels + lbs.set("name", rls.Name) + lbs.set("owner", owner) + lbs.set("status", rls.Info.Status.String()) + lbs.set("version", strconv.Itoa(rls.Version)) + + // create and return secret object. + // Helm 3 introduced setting the 'Type' field + // in the Kubernetes storage object. + // Helm defines the field content as follows: + // /.v + // Type field for Helm 3: helm.sh/release.v1 + // Note: Version starts at 'v1' for Helm 3 and + // should be incremented if the release object + // metadata is modified. + // This would potentially be a breaking change + // and should only happen between major versions. + return &v1.Secret{ + ObjectMeta: metav1.ObjectMeta{ + Name: key, + Labels: lbs.toMap(), + }, + Type: "helm.sh/release.v1", + Data: map[string][]byte{"release": []byte(s)}, + }, nil +} diff --git a/vendor/helm.sh/helm/v3/pkg/storage/driver/sql.go b/vendor/helm.sh/helm/v3/pkg/storage/driver/sql.go new file mode 100644 index 0000000000..33bde9b6a4 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/storage/driver/sql.go @@ -0,0 +1,697 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package driver // import "helm.sh/helm/v3/pkg/storage/driver" + +import ( + "fmt" + "sort" + "strconv" + "time" + + "github.com/jmoiron/sqlx" + migrate "github.com/rubenv/sql-migrate" + + sq "github.com/Masterminds/squirrel" + + // Import pq for postgres dialect + _ "github.com/lib/pq" + + rspb "helm.sh/helm/v3/pkg/release" +) + +var _ Driver = (*SQL)(nil) + +var labelMap = map[string]struct{}{ + "modifiedAt": {}, + "createdAt": {}, + "version": {}, + "status": {}, + "owner": {}, + "name": {}, +} + +const postgreSQLDialect = "postgres" + +// SQLDriverName is the string name of this driver. +const SQLDriverName = "SQL" + +const sqlReleaseTableName = "releases_v1" +const sqlCustomLabelsTableName = "custom_labels_v1" + +const ( + sqlReleaseTableKeyColumn = "key" + sqlReleaseTableTypeColumn = "type" + sqlReleaseTableBodyColumn = "body" + sqlReleaseTableNameColumn = "name" + sqlReleaseTableNamespaceColumn = "namespace" + sqlReleaseTableVersionColumn = "version" + sqlReleaseTableStatusColumn = "status" + sqlReleaseTableOwnerColumn = "owner" + sqlReleaseTableCreatedAtColumn = "createdAt" + sqlReleaseTableModifiedAtColumn = "modifiedAt" + + sqlCustomLabelsTableReleaseKeyColumn = "releaseKey" + sqlCustomLabelsTableReleaseNamespaceColumn = "releaseNamespace" + sqlCustomLabelsTableKeyColumn = "key" + sqlCustomLabelsTableValueColumn = "value" +) + +// Following limits based on k8s labels limits - https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#syntax-and-character-set +const ( + sqlCustomLabelsTableKeyMaxLength = 253 + 1 + 63 + sqlCustomLabelsTableValueMaxLength = 63 +) + +const ( + sqlReleaseDefaultOwner = "helm" + sqlReleaseDefaultType = "helm.sh/release.v1" +) + +// SQL is the sql storage driver implementation. +type SQL struct { + db *sqlx.DB + namespace string + statementBuilder sq.StatementBuilderType + + Log func(string, ...interface{}) +} + +// Name returns the name of the driver. +func (s *SQL) Name() string { + return SQLDriverName +} + +// Check if all migrations al +func (s *SQL) checkAlreadyApplied(migrations []*migrate.Migration) bool { + // make map (set) of ids for fast search + migrationsIDs := make(map[string]struct{}) + for _, migration := range migrations { + migrationsIDs[migration.Id] = struct{}{} + } + + // get list of applied migrations + migrate.SetDisableCreateTable(true) + records, err := migrate.GetMigrationRecords(s.db.DB, postgreSQLDialect) + migrate.SetDisableCreateTable(false) + if err != nil { + s.Log("checkAlreadyApplied: failed to get migration records: %v", err) + return false + } + + for _, record := range records { + if _, ok := migrationsIDs[record.Id]; ok { + s.Log("checkAlreadyApplied: found previous migration (Id: %v) applied at %v", record.Id, record.AppliedAt) + delete(migrationsIDs, record.Id) + } + } + + // check if all migrations applied + if len(migrationsIDs) != 0 { + for id := range migrationsIDs { + s.Log("checkAlreadyApplied: find unapplied migration (id: %v)", id) + } + return false + } + return true +} + +func (s *SQL) ensureDBSetup() error { + + migrations := &migrate.MemoryMigrationSource{ + Migrations: []*migrate.Migration{ + { + Id: "init", + Up: []string{ + fmt.Sprintf(` + CREATE TABLE %s ( + %s VARCHAR(90), + %s VARCHAR(64) NOT NULL, + %s TEXT NOT NULL, + %s VARCHAR(64) NOT NULL, + %s VARCHAR(64) NOT NULL, + %s INTEGER NOT NULL, + %s TEXT NOT NULL, + %s TEXT NOT NULL, + %s INTEGER NOT NULL, + %s INTEGER NOT NULL DEFAULT 0, + PRIMARY KEY(%s, %s) + ); + CREATE INDEX ON %s (%s, %s); + CREATE INDEX ON %s (%s); + CREATE INDEX ON %s (%s); + CREATE INDEX ON %s (%s); + CREATE INDEX ON %s (%s); + CREATE INDEX ON %s (%s); + + GRANT ALL ON %s TO PUBLIC; + + ALTER TABLE %s ENABLE ROW LEVEL SECURITY; + `, + sqlReleaseTableName, + sqlReleaseTableKeyColumn, + sqlReleaseTableTypeColumn, + sqlReleaseTableBodyColumn, + sqlReleaseTableNameColumn, + sqlReleaseTableNamespaceColumn, + sqlReleaseTableVersionColumn, + sqlReleaseTableStatusColumn, + sqlReleaseTableOwnerColumn, + sqlReleaseTableCreatedAtColumn, + sqlReleaseTableModifiedAtColumn, + sqlReleaseTableKeyColumn, + sqlReleaseTableNamespaceColumn, + sqlReleaseTableName, + sqlReleaseTableKeyColumn, + sqlReleaseTableNamespaceColumn, + sqlReleaseTableName, + sqlReleaseTableVersionColumn, + sqlReleaseTableName, + sqlReleaseTableStatusColumn, + sqlReleaseTableName, + sqlReleaseTableOwnerColumn, + sqlReleaseTableName, + sqlReleaseTableCreatedAtColumn, + sqlReleaseTableName, + sqlReleaseTableModifiedAtColumn, + sqlReleaseTableName, + sqlReleaseTableName, + ), + }, + Down: []string{ + fmt.Sprintf(` + DROP TABLE %s; + `, sqlReleaseTableName), + }, + }, + { + Id: "custom_labels", + Up: []string{ + fmt.Sprintf(` + CREATE TABLE %s ( + %s VARCHAR(64), + %s VARCHAR(67), + %s VARCHAR(%d), + %s VARCHAR(%d) + ); + CREATE INDEX ON %s (%s, %s); + + GRANT ALL ON %s TO PUBLIC; + ALTER TABLE %s ENABLE ROW LEVEL SECURITY; + `, + sqlCustomLabelsTableName, + sqlCustomLabelsTableReleaseKeyColumn, + sqlCustomLabelsTableReleaseNamespaceColumn, + sqlCustomLabelsTableKeyColumn, + sqlCustomLabelsTableKeyMaxLength, + sqlCustomLabelsTableValueColumn, + sqlCustomLabelsTableValueMaxLength, + sqlCustomLabelsTableName, + sqlCustomLabelsTableReleaseKeyColumn, + sqlCustomLabelsTableReleaseNamespaceColumn, + sqlCustomLabelsTableName, + sqlCustomLabelsTableName, + ), + }, + Down: []string{ + fmt.Sprintf(` + DELETE TABLE %s; + `, sqlCustomLabelsTableName), + }, + }, + }, + } + + // Check that init migration already applied + if s.checkAlreadyApplied(migrations.Migrations) { + return nil + } + + // Populate the database with the relations we need if they don't exist yet + _, err := migrate.Exec(s.db.DB, postgreSQLDialect, migrations, migrate.Up) + return err +} + +// SQLReleaseWrapper describes how Helm releases are stored in an SQL database +type SQLReleaseWrapper struct { + // The primary key, made of {release-name}.{release-version} + Key string `db:"key"` + + // See https://github.com/helm/helm/blob/c9fe3d118caec699eb2565df9838673af379ce12/pkg/storage/driver/secrets.go#L231 + Type string `db:"type"` + + // The rspb.Release body, as a base64-encoded string + Body string `db:"body"` + + // Release "labels" that can be used as filters in the storage.Query(labels map[string]string) + // we implemented. Note that allowing Helm users to filter against new dimensions will require a + // new migration to be added, and the Create and/or update functions to be updated accordingly. + Name string `db:"name"` + Namespace string `db:"namespace"` + Version int `db:"version"` + Status string `db:"status"` + Owner string `db:"owner"` + CreatedAt int `db:"createdAt"` + ModifiedAt int `db:"modifiedAt"` +} + +type SQLReleaseCustomLabelWrapper struct { + ReleaseKey string `db:"release_key"` + ReleaseNamespace string `db:"release_namespace"` + Key string `db:"key"` + Value string `db:"value"` +} + +// NewSQL initializes a new sql driver. +func NewSQL(connectionString string, logger func(string, ...interface{}), namespace string) (*SQL, error) { + db, err := sqlx.Connect(postgreSQLDialect, connectionString) + if err != nil { + return nil, err + } + + driver := &SQL{ + db: db, + Log: logger, + statementBuilder: sq.StatementBuilder.PlaceholderFormat(sq.Dollar), + } + + if err := driver.ensureDBSetup(); err != nil { + return nil, err + } + + driver.namespace = namespace + + return driver, nil +} + +// Get returns the release named by key. +func (s *SQL) Get(key string) (*rspb.Release, error) { + var record SQLReleaseWrapper + + qb := s.statementBuilder. + Select(sqlReleaseTableBodyColumn). + From(sqlReleaseTableName). + Where(sq.Eq{sqlReleaseTableKeyColumn: key}). + Where(sq.Eq{sqlReleaseTableNamespaceColumn: s.namespace}) + + query, args, err := qb.ToSql() + if err != nil { + s.Log("failed to build query: %v", err) + return nil, err + } + + // Get will return an error if the result is empty + if err := s.db.Get(&record, query, args...); err != nil { + s.Log("got SQL error when getting release %s: %v", key, err) + return nil, ErrReleaseNotFound + } + + release, err := decodeRelease(record.Body) + if err != nil { + s.Log("get: failed to decode data %q: %v", key, err) + return nil, err + } + + if release.Labels, err = s.getReleaseCustomLabels(key, s.namespace); err != nil { + s.Log("failed to get release %s/%s custom labels: %v", s.namespace, key, err) + return nil, err + } + + return release, nil +} + +// List returns the list of all releases such that filter(release) == true +func (s *SQL) List(filter func(*rspb.Release) bool) ([]*rspb.Release, error) { + sb := s.statementBuilder. + Select(sqlReleaseTableKeyColumn, sqlReleaseTableNamespaceColumn, sqlReleaseTableBodyColumn). + From(sqlReleaseTableName). + Where(sq.Eq{sqlReleaseTableOwnerColumn: sqlReleaseDefaultOwner}) + + // If a namespace was specified, we only list releases from that namespace + if s.namespace != "" { + sb = sb.Where(sq.Eq{sqlReleaseTableNamespaceColumn: s.namespace}) + } + + query, args, err := sb.ToSql() + if err != nil { + s.Log("failed to build query: %v", err) + return nil, err + } + + var records = []SQLReleaseWrapper{} + if err := s.db.Select(&records, query, args...); err != nil { + s.Log("list: failed to list: %v", err) + return nil, err + } + + var releases []*rspb.Release + for _, record := range records { + release, err := decodeRelease(record.Body) + if err != nil { + s.Log("list: failed to decode release: %v: %v", record, err) + continue + } + + if release.Labels, err = s.getReleaseCustomLabels(record.Key, record.Namespace); err != nil { + s.Log("failed to get release %s/%s custom labels: %v", record.Namespace, record.Key, err) + return nil, err + } + for k, v := range getReleaseSystemLabels(release) { + release.Labels[k] = v + } + + if filter(release) { + releases = append(releases, release) + } + } + + return releases, nil +} + +// Query returns the set of releases that match the provided set of labels. +func (s *SQL) Query(labels map[string]string) ([]*rspb.Release, error) { + sb := s.statementBuilder. + Select(sqlReleaseTableKeyColumn, sqlReleaseTableNamespaceColumn, sqlReleaseTableBodyColumn). + From(sqlReleaseTableName) + + keys := make([]string, 0, len(labels)) + for key := range labels { + keys = append(keys, key) + } + sort.Strings(keys) + for _, key := range keys { + if _, ok := labelMap[key]; ok { + sb = sb.Where(sq.Eq{key: labels[key]}) + } else { + s.Log("unknown label %s", key) + return nil, fmt.Errorf("unknown label %s", key) + } + } + + // If a namespace was specified, we only list releases from that namespace + if s.namespace != "" { + sb = sb.Where(sq.Eq{sqlReleaseTableNamespaceColumn: s.namespace}) + } + + // Build our query + query, args, err := sb.ToSql() + if err != nil { + s.Log("failed to build query: %v", err) + return nil, err + } + + var records = []SQLReleaseWrapper{} + if err := s.db.Select(&records, query, args...); err != nil { + s.Log("list: failed to query with labels: %v", err) + return nil, err + } + + if len(records) == 0 { + return nil, ErrReleaseNotFound + } + + var releases []*rspb.Release + for _, record := range records { + release, err := decodeRelease(record.Body) + if err != nil { + s.Log("list: failed to decode release: %v: %v", record, err) + continue + } + + if release.Labels, err = s.getReleaseCustomLabels(record.Key, record.Namespace); err != nil { + s.Log("failed to get release %s/%s custom labels: %v", record.Namespace, record.Key, err) + return nil, err + } + + releases = append(releases, release) + } + + if len(releases) == 0 { + return nil, ErrReleaseNotFound + } + + return releases, nil +} + +// Create creates a new release. +func (s *SQL) Create(key string, rls *rspb.Release) error { + namespace := rls.Namespace + if namespace == "" { + namespace = defaultNamespace + } + s.namespace = namespace + + body, err := encodeRelease(rls) + if err != nil { + s.Log("failed to encode release: %v", err) + return err + } + + transaction, err := s.db.Beginx() + if err != nil { + s.Log("failed to start SQL transaction: %v", err) + return fmt.Errorf("error beginning transaction: %v", err) + } + + insertQuery, args, err := s.statementBuilder. + Insert(sqlReleaseTableName). + Columns( + sqlReleaseTableKeyColumn, + sqlReleaseTableTypeColumn, + sqlReleaseTableBodyColumn, + sqlReleaseTableNameColumn, + sqlReleaseTableNamespaceColumn, + sqlReleaseTableVersionColumn, + sqlReleaseTableStatusColumn, + sqlReleaseTableOwnerColumn, + sqlReleaseTableCreatedAtColumn, + ). + Values( + key, + sqlReleaseDefaultType, + body, + rls.Name, + namespace, + int(rls.Version), + rls.Info.Status.String(), + sqlReleaseDefaultOwner, + int(time.Now().Unix()), + ).ToSql() + if err != nil { + s.Log("failed to build insert query: %v", err) + return err + } + + if _, err := transaction.Exec(insertQuery, args...); err != nil { + defer transaction.Rollback() + + selectQuery, args, buildErr := s.statementBuilder. + Select(sqlReleaseTableKeyColumn). + From(sqlReleaseTableName). + Where(sq.Eq{sqlReleaseTableKeyColumn: key}). + Where(sq.Eq{sqlReleaseTableNamespaceColumn: s.namespace}). + ToSql() + if buildErr != nil { + s.Log("failed to build select query: %v", buildErr) + return err + } + + var record SQLReleaseWrapper + if err := transaction.Get(&record, selectQuery, args...); err == nil { + s.Log("release %s already exists", key) + return ErrReleaseExists + } + + s.Log("failed to store release %s in SQL database: %v", key, err) + return err + } + + // Filtering labels before insert cause in SQL storage driver system releases are stored in separate columns of release table + for k, v := range filterSystemLabels(rls.Labels) { + insertLabelsQuery, args, err := s.statementBuilder. + Insert(sqlCustomLabelsTableName). + Columns( + sqlCustomLabelsTableReleaseKeyColumn, + sqlCustomLabelsTableReleaseNamespaceColumn, + sqlCustomLabelsTableKeyColumn, + sqlCustomLabelsTableValueColumn, + ). + Values( + key, + namespace, + k, + v, + ).ToSql() + + if err != nil { + defer transaction.Rollback() + s.Log("failed to build insert query: %v", err) + return err + } + + if _, err := transaction.Exec(insertLabelsQuery, args...); err != nil { + defer transaction.Rollback() + s.Log("failed to write Labels: %v", err) + return err + } + } + defer transaction.Commit() + + return nil +} + +// Update updates a release. +func (s *SQL) Update(key string, rls *rspb.Release) error { + namespace := rls.Namespace + if namespace == "" { + namespace = defaultNamespace + } + s.namespace = namespace + + body, err := encodeRelease(rls) + if err != nil { + s.Log("failed to encode release: %v", err) + return err + } + + query, args, err := s.statementBuilder. + Update(sqlReleaseTableName). + Set(sqlReleaseTableBodyColumn, body). + Set(sqlReleaseTableNameColumn, rls.Name). + Set(sqlReleaseTableVersionColumn, int(rls.Version)). + Set(sqlReleaseTableStatusColumn, rls.Info.Status.String()). + Set(sqlReleaseTableOwnerColumn, sqlReleaseDefaultOwner). + Set(sqlReleaseTableModifiedAtColumn, int(time.Now().Unix())). + Where(sq.Eq{sqlReleaseTableKeyColumn: key}). + Where(sq.Eq{sqlReleaseTableNamespaceColumn: namespace}). + ToSql() + + if err != nil { + s.Log("failed to build update query: %v", err) + return err + } + + if _, err := s.db.Exec(query, args...); err != nil { + s.Log("failed to update release %s in SQL database: %v", key, err) + return err + } + + return nil +} + +// Delete deletes a release or returns ErrReleaseNotFound. +func (s *SQL) Delete(key string) (*rspb.Release, error) { + transaction, err := s.db.Beginx() + if err != nil { + s.Log("failed to start SQL transaction: %v", err) + return nil, fmt.Errorf("error beginning transaction: %v", err) + } + + selectQuery, args, err := s.statementBuilder. + Select(sqlReleaseTableBodyColumn). + From(sqlReleaseTableName). + Where(sq.Eq{sqlReleaseTableKeyColumn: key}). + Where(sq.Eq{sqlReleaseTableNamespaceColumn: s.namespace}). + ToSql() + if err != nil { + s.Log("failed to build select query: %v", err) + return nil, err + } + + var record SQLReleaseWrapper + err = transaction.Get(&record, selectQuery, args...) + if err != nil { + s.Log("release %s not found: %v", key, err) + return nil, ErrReleaseNotFound + } + + release, err := decodeRelease(record.Body) + if err != nil { + s.Log("failed to decode release %s: %v", key, err) + transaction.Rollback() + return nil, err + } + defer transaction.Commit() + + deleteQuery, args, err := s.statementBuilder. + Delete(sqlReleaseTableName). + Where(sq.Eq{sqlReleaseTableKeyColumn: key}). + Where(sq.Eq{sqlReleaseTableNamespaceColumn: s.namespace}). + ToSql() + if err != nil { + s.Log("failed to build delete query: %v", err) + return nil, err + } + + _, err = transaction.Exec(deleteQuery, args...) + if err != nil { + s.Log("failed perform delete query: %v", err) + return release, err + } + + if release.Labels, err = s.getReleaseCustomLabels(key, s.namespace); err != nil { + s.Log("failed to get release %s/%s custom labels: %v", s.namespace, key, err) + return nil, err + } + + deleteCustomLabelsQuery, args, err := s.statementBuilder. + Delete(sqlCustomLabelsTableName). + Where(sq.Eq{sqlCustomLabelsTableReleaseKeyColumn: key}). + Where(sq.Eq{sqlCustomLabelsTableReleaseNamespaceColumn: s.namespace}). + ToSql() + + if err != nil { + s.Log("failed to build delete Labels query: %v", err) + return nil, err + } + _, err = transaction.Exec(deleteCustomLabelsQuery, args...) + return release, err +} + +// Get release custom labels from database +func (s *SQL) getReleaseCustomLabels(key string, _ string) (map[string]string, error) { + query, args, err := s.statementBuilder. + Select(sqlCustomLabelsTableKeyColumn, sqlCustomLabelsTableValueColumn). + From(sqlCustomLabelsTableName). + Where(sq.Eq{sqlCustomLabelsTableReleaseKeyColumn: key, + sqlCustomLabelsTableReleaseNamespaceColumn: s.namespace}). + ToSql() + if err != nil { + return nil, err + } + + var labelsList = []SQLReleaseCustomLabelWrapper{} + if err := s.db.Select(&labelsList, query, args...); err != nil { + return nil, err + } + + labelsMap := make(map[string]string) + for _, i := range labelsList { + labelsMap[i.Key] = i.Value + } + + return filterSystemLabels(labelsMap), nil +} + +// Rebuild system labels from release object +func getReleaseSystemLabels(rls *rspb.Release) map[string]string { + return map[string]string{ + "name": rls.Name, + "owner": sqlReleaseDefaultOwner, + "status": rls.Info.Status.String(), + "version": strconv.Itoa(rls.Version), + } +} diff --git a/vendor/helm.sh/helm/v3/pkg/storage/driver/util.go b/vendor/helm.sh/helm/v3/pkg/storage/driver/util.go new file mode 100644 index 0000000000..7bda5ec966 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/storage/driver/util.go @@ -0,0 +1,122 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package driver // import "helm.sh/helm/v3/pkg/storage/driver" + +import ( + "bytes" + "compress/gzip" + "encoding/base64" + "encoding/json" + "io" + + rspb "helm.sh/helm/v3/pkg/release" +) + +var b64 = base64.StdEncoding + +var magicGzip = []byte{0x1f, 0x8b, 0x08} + +var systemLabels = []string{"name", "owner", "status", "version", "createdAt", "modifiedAt"} + +// encodeRelease encodes a release returning a base64 encoded +// gzipped string representation, or error. +func encodeRelease(rls *rspb.Release) (string, error) { + b, err := json.Marshal(rls) + if err != nil { + return "", err + } + var buf bytes.Buffer + w, err := gzip.NewWriterLevel(&buf, gzip.BestCompression) + if err != nil { + return "", err + } + if _, err = w.Write(b); err != nil { + return "", err + } + w.Close() + + return b64.EncodeToString(buf.Bytes()), nil +} + +// decodeRelease decodes the bytes of data into a release +// type. Data must contain a base64 encoded gzipped string of a +// valid release, otherwise an error is returned. +func decodeRelease(data string) (*rspb.Release, error) { + // base64 decode string + b, err := b64.DecodeString(data) + if err != nil { + return nil, err + } + + // For backwards compatibility with releases that were stored before + // compression was introduced we skip decompression if the + // gzip magic header is not found + if len(b) > 3 && bytes.Equal(b[0:3], magicGzip) { + r, err := gzip.NewReader(bytes.NewReader(b)) + if err != nil { + return nil, err + } + defer r.Close() + b2, err := io.ReadAll(r) + if err != nil { + return nil, err + } + b = b2 + } + + var rls rspb.Release + // unmarshal release object bytes + if err := json.Unmarshal(b, &rls); err != nil { + return nil, err + } + return &rls, nil +} + +// Checks if label is system +func isSystemLabel(key string) bool { + for _, v := range GetSystemLabels() { + if key == v { + return true + } + } + return false +} + +// Removes system labels from labels map +func filterSystemLabels(lbs map[string]string) map[string]string { + result := make(map[string]string) + for k, v := range lbs { + if !isSystemLabel(k) { + result[k] = v + } + } + return result +} + +// Checks if labels array contains system labels +func ContainsSystemLabels(lbs map[string]string) bool { + for k := range lbs { + if isSystemLabel(k) { + return true + } + } + return false +} + +func GetSystemLabels() []string { + return systemLabels +} diff --git a/vendor/helm.sh/helm/v3/pkg/storage/storage.go b/vendor/helm.sh/helm/v3/pkg/storage/storage.go new file mode 100644 index 0000000000..0da0688fd6 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/storage/storage.go @@ -0,0 +1,266 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package storage // import "helm.sh/helm/v3/pkg/storage" + +import ( + "fmt" + "strings" + + "github.com/pkg/errors" + + rspb "helm.sh/helm/v3/pkg/release" + relutil "helm.sh/helm/v3/pkg/releaseutil" + "helm.sh/helm/v3/pkg/storage/driver" +) + +// HelmStorageType is the type field of the Kubernetes storage object which stores the Helm release +// version. It is modified slightly replacing the '/': sh.helm/release.v1 +// Note: The version 'v1' is incremented if the release object metadata is +// modified between major releases. +// This constant is used as a prefix for the Kubernetes storage object name. +const HelmStorageType = "sh.helm.release.v1" + +// Storage represents a storage engine for a Release. +type Storage struct { + driver.Driver + + // MaxHistory specifies the maximum number of historical releases that will + // be retained, including the most recent release. Values of 0 or less are + // ignored (meaning no limits are imposed). + MaxHistory int + + Log func(string, ...interface{}) +} + +// Get retrieves the release from storage. An error is returned +// if the storage driver failed to fetch the release, or the +// release identified by the key, version pair does not exist. +func (s *Storage) Get(name string, version int) (*rspb.Release, error) { + s.Log("getting release %q", makeKey(name, version)) + return s.Driver.Get(makeKey(name, version)) +} + +// Create creates a new storage entry holding the release. An +// error is returned if the storage driver fails to store the +// release, or a release with an identical key already exists. +func (s *Storage) Create(rls *rspb.Release) error { + s.Log("creating release %q", makeKey(rls.Name, rls.Version)) + if s.MaxHistory > 0 { + // Want to make space for one more release. + if err := s.removeLeastRecent(rls.Name, s.MaxHistory-1); err != nil && + !errors.Is(err, driver.ErrReleaseNotFound) { + return err + } + } + return s.Driver.Create(makeKey(rls.Name, rls.Version), rls) +} + +// Update updates the release in storage. An error is returned if the +// storage backend fails to update the release or if the release +// does not exist. +func (s *Storage) Update(rls *rspb.Release) error { + s.Log("updating release %q", makeKey(rls.Name, rls.Version)) + return s.Driver.Update(makeKey(rls.Name, rls.Version), rls) +} + +// Delete deletes the release from storage. An error is returned if +// the storage backend fails to delete the release or if the release +// does not exist. +func (s *Storage) Delete(name string, version int) (*rspb.Release, error) { + s.Log("deleting release %q", makeKey(name, version)) + return s.Driver.Delete(makeKey(name, version)) +} + +// ListReleases returns all releases from storage. An error is returned if the +// storage backend fails to retrieve the releases. +func (s *Storage) ListReleases() ([]*rspb.Release, error) { + s.Log("listing all releases in storage") + return s.Driver.List(func(_ *rspb.Release) bool { return true }) +} + +// ListUninstalled returns all releases with Status == UNINSTALLED. An error is returned +// if the storage backend fails to retrieve the releases. +func (s *Storage) ListUninstalled() ([]*rspb.Release, error) { + s.Log("listing uninstalled releases in storage") + return s.Driver.List(func(rls *rspb.Release) bool { + return relutil.StatusFilter(rspb.StatusUninstalled).Check(rls) + }) +} + +// ListDeployed returns all releases with Status == DEPLOYED. An error is returned +// if the storage backend fails to retrieve the releases. +func (s *Storage) ListDeployed() ([]*rspb.Release, error) { + s.Log("listing all deployed releases in storage") + return s.Driver.List(func(rls *rspb.Release) bool { + return relutil.StatusFilter(rspb.StatusDeployed).Check(rls) + }) +} + +// Deployed returns the last deployed release with the provided release name, or +// returns driver.NewErrNoDeployedReleases if not found. +func (s *Storage) Deployed(name string) (*rspb.Release, error) { + ls, err := s.DeployedAll(name) + if err != nil { + return nil, err + } + + if len(ls) == 0 { + return nil, driver.NewErrNoDeployedReleases(name) + } + + // If executed concurrently, Helm's database gets corrupted + // and multiple releases are DEPLOYED. Take the latest. + relutil.Reverse(ls, relutil.SortByRevision) + + return ls[0], nil +} + +// DeployedAll returns all deployed releases with the provided name, or +// returns driver.NewErrNoDeployedReleases if not found. +func (s *Storage) DeployedAll(name string) ([]*rspb.Release, error) { + s.Log("getting deployed releases from %q history", name) + + ls, err := s.Driver.Query(map[string]string{ + "name": name, + "owner": "helm", + "status": "deployed", + }) + if err == nil { + return ls, nil + } + if strings.Contains(err.Error(), "not found") { + return nil, driver.NewErrNoDeployedReleases(name) + } + return nil, err +} + +// History returns the revision history for the release with the provided name, or +// returns driver.ErrReleaseNotFound if no such release name exists. +func (s *Storage) History(name string) ([]*rspb.Release, error) { + s.Log("getting release history for %q", name) + + return s.Driver.Query(map[string]string{"name": name, "owner": "helm"}) +} + +// removeLeastRecent removes items from history until the length number of releases +// does not exceed max. +// +// We allow max to be set explicitly so that calling functions can "make space" +// for the new records they are going to write. +func (s *Storage) removeLeastRecent(name string, max int) error { + if max < 0 { + return nil + } + h, err := s.History(name) + if err != nil { + return err + } + if len(h) <= max { + return nil + } + + // We want oldest to newest + relutil.SortByRevision(h) + + lastDeployed, err := s.Deployed(name) + if err != nil && !errors.Is(err, driver.ErrNoDeployedReleases) { + return err + } + + var toDelete []*rspb.Release + for _, rel := range h { + // once we have enough releases to delete to reach the max, stop + if len(h)-len(toDelete) == max { + break + } + if lastDeployed != nil { + if rel.Version != lastDeployed.Version { + toDelete = append(toDelete, rel) + } + } else { + toDelete = append(toDelete, rel) + } + } + + // Delete as many as possible. In the case of API throughput limitations, + // multiple invocations of this function will eventually delete them all. + errs := []error{} + for _, rel := range toDelete { + err = s.deleteReleaseVersion(name, rel.Version) + if err != nil { + errs = append(errs, err) + } + } + + s.Log("Pruned %d record(s) from %s with %d error(s)", len(toDelete), name, len(errs)) + switch c := len(errs); c { + case 0: + return nil + case 1: + return errs[0] + default: + return errors.Errorf("encountered %d deletion errors. First is: %s", c, errs[0]) + } +} + +func (s *Storage) deleteReleaseVersion(name string, version int) error { + key := makeKey(name, version) + _, err := s.Delete(name, version) + if err != nil { + s.Log("error pruning %s from release history: %s", key, err) + return err + } + return nil +} + +// Last fetches the last revision of the named release. +func (s *Storage) Last(name string) (*rspb.Release, error) { + s.Log("getting last revision of %q", name) + h, err := s.History(name) + if err != nil { + return nil, err + } + if len(h) == 0 { + return nil, errors.Errorf("no revision for release %q", name) + } + + relutil.Reverse(h, relutil.SortByRevision) + return h[0], nil +} + +// makeKey concatenates the Kubernetes storage object type, a release name and version +// into a string with format:```..v```. +// The storage type is prepended to keep name uniqueness between different +// release storage types. An example of clash when not using the type: +// https://github.com/helm/helm/issues/6435. +// This key is used to uniquely identify storage objects. +func makeKey(rlsname string, version int) string { + return fmt.Sprintf("%s.%s.v%d", HelmStorageType, rlsname, version) +} + +// Init initializes a new storage backend with the driver d. +// If d is nil, the default in-memory driver is used. +func Init(d driver.Driver) *Storage { + // default driver is in memory + if d == nil { + d = driver.NewMemory() + } + return &Storage{ + Driver: d, + Log: func(_ string, _ ...interface{}) {}, + } +} diff --git a/vendor/helm.sh/helm/v3/pkg/time/ctime/ctime.go b/vendor/helm.sh/helm/v3/pkg/time/ctime/ctime.go new file mode 100644 index 0000000000..63a41c0bf4 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/time/ctime/ctime.go @@ -0,0 +1,29 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ +package ctime + +import ( + "os" + "time" +) + +func Created(fi os.FileInfo) time.Time { + return modified(fi) +} + +func Modified(fi os.FileInfo) time.Time { + return modified(fi) +} diff --git a/vendor/helm.sh/helm/v3/pkg/time/ctime/ctime_linux.go b/vendor/helm.sh/helm/v3/pkg/time/ctime/ctime_linux.go new file mode 100644 index 0000000000..d8a6ea1a17 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/time/ctime/ctime_linux.go @@ -0,0 +1,30 @@ +//go:build linux + +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ +package ctime + +import ( + "os" + "syscall" + "time" +) + +func modified(fi os.FileInfo) time.Time { + st := fi.Sys().(*syscall.Stat_t) + //nolint + return time.Unix(int64(st.Mtim.Sec), int64(st.Mtim.Nsec)) +} diff --git a/vendor/helm.sh/helm/v3/pkg/time/ctime/ctime_other.go b/vendor/helm.sh/helm/v3/pkg/time/ctime/ctime_other.go new file mode 100644 index 0000000000..12afc6df2e --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/time/ctime/ctime_other.go @@ -0,0 +1,27 @@ +//go:build !linux + +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ +package ctime + +import ( + "os" + "time" +) + +func modified(fi os.FileInfo) time.Time { + return fi.ModTime() +} diff --git a/vendor/helm.sh/helm/v3/pkg/time/time.go b/vendor/helm.sh/helm/v3/pkg/time/time.go new file mode 100644 index 0000000000..1abe8ae3d8 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/time/time.go @@ -0,0 +1,91 @@ +/* +Copyright The Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Package time contains a wrapper for time.Time in the standard library and +// associated methods. This package mainly exists to work around an issue in Go +// where the serializer doesn't omit an empty value for time: +// https://github.com/golang/go/issues/11939. As such, this can be removed if a +// proposal is ever accepted for Go +package time + +import ( + "bytes" + "time" +) + +// emptyString contains an empty JSON string value to be used as output +var emptyString = `""` + +// Time is a convenience wrapper around stdlib time, but with different +// marshalling and unmarshaling for zero values +type Time struct { + time.Time +} + +// Now returns the current time. It is a convenience wrapper around time.Now() +func Now() Time { + return Time{time.Now()} +} + +func (t Time) MarshalJSON() ([]byte, error) { + if t.Time.IsZero() { + return []byte(emptyString), nil + } + + return t.Time.MarshalJSON() +} + +func (t *Time) UnmarshalJSON(b []byte) error { + if bytes.Equal(b, []byte("null")) { + return nil + } + // If it is empty, we don't have to set anything since time.Time is not a + // pointer and will be set to the zero value + if bytes.Equal([]byte(emptyString), b) { + return nil + } + + return t.Time.UnmarshalJSON(b) +} + +func Parse(layout, value string) (Time, error) { + t, err := time.Parse(layout, value) + return Time{Time: t}, err +} +func ParseInLocation(layout, value string, loc *time.Location) (Time, error) { + t, err := time.ParseInLocation(layout, value, loc) + return Time{Time: t}, err +} + +func Date(year int, month time.Month, day, hour, min, sec, nsec int, loc *time.Location) Time { + return Time{Time: time.Date(year, month, day, hour, min, sec, nsec, loc)} +} + +func Unix(sec int64, nsec int64) Time { return Time{Time: time.Unix(sec, nsec)} } + +func (t Time) Add(d time.Duration) Time { return Time{Time: t.Time.Add(d)} } +func (t Time) AddDate(years int, months int, days int) Time { + return Time{Time: t.Time.AddDate(years, months, days)} +} +func (t Time) After(u Time) bool { return t.Time.After(u.Time) } +func (t Time) Before(u Time) bool { return t.Time.Before(u.Time) } +func (t Time) Equal(u Time) bool { return t.Time.Equal(u.Time) } +func (t Time) In(loc *time.Location) Time { return Time{Time: t.Time.In(loc)} } +func (t Time) Local() Time { return Time{Time: t.Time.Local()} } +func (t Time) Round(d time.Duration) Time { return Time{Time: t.Time.Round(d)} } +func (t Time) Sub(u Time) time.Duration { return t.Time.Sub(u.Time) } +func (t Time) Truncate(d time.Duration) Time { return Time{Time: t.Time.Truncate(d)} } +func (t Time) UTC() Time { return Time{Time: t.Time.UTC()} } diff --git a/vendor/helm.sh/helm/v3/pkg/uploader/chart_uploader.go b/vendor/helm.sh/helm/v3/pkg/uploader/chart_uploader.go new file mode 100644 index 0000000000..d7e9404066 --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/uploader/chart_uploader.go @@ -0,0 +1,58 @@ +/* +Copyright The Helm Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package uploader + +import ( + "fmt" + "io" + "net/url" + + "github.com/pkg/errors" + + "helm.sh/helm/v3/pkg/pusher" + "helm.sh/helm/v3/pkg/registry" +) + +// ChartUploader handles uploading a chart. +type ChartUploader struct { + // Out is the location to write warning and info messages. + Out io.Writer + // Pusher collection for the operation + Pushers pusher.Providers + // Options provide parameters to be passed along to the Pusher being initialized. + Options []pusher.Option + // RegistryClient is a client for interacting with registries. + RegistryClient *registry.Client +} + +// UploadTo uploads a chart. Depending on the settings, it may also upload a provenance file. +func (c *ChartUploader) UploadTo(ref, remote string) error { + u, err := url.Parse(remote) + if err != nil { + return errors.Errorf("invalid chart URL format: %s", remote) + } + + if u.Scheme == "" { + return fmt.Errorf("scheme prefix missing from remote (e.g. \"%s://\")", registry.OCIScheme) + } + + p, err := c.Pushers.ByScheme(u.Scheme) + if err != nil { + return err + } + + return p.Push(ref, u.String(), c.Options...) +} diff --git a/vendor/helm.sh/helm/v3/pkg/uploader/doc.go b/vendor/helm.sh/helm/v3/pkg/uploader/doc.go new file mode 100644 index 0000000000..112ddbf2ce --- /dev/null +++ b/vendor/helm.sh/helm/v3/pkg/uploader/doc.go @@ -0,0 +1,21 @@ +/* +Copyright The Helm Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +/* +Package uploader provides a library for uploading charts. + +This package contains tools for uploading charts to registries. +*/ +package uploader diff --git a/vendor/istio.io/istio/LICENSE b/vendor/istio.io/istio/LICENSE new file mode 100644 index 0000000000..75bfd113b3 --- /dev/null +++ b/vendor/istio.io/istio/LICENSE @@ -0,0 +1,202 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "{}" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright {yyyy} {name of copyright owner} + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/vendor/istio.io/istio/pkg/log/config.go b/vendor/istio.io/istio/pkg/log/config.go new file mode 100644 index 0000000000..43b5bec76f --- /dev/null +++ b/vendor/istio.io/istio/pkg/log/config.go @@ -0,0 +1,420 @@ +// Copyright 2017 Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Package log provides the canonical logging functionality used by Go-based +// Istio components. +// +// Istio's logging subsystem is built on top of the [Zap](https://godoc.org/go.uber.org/zap) package. +// High performance scenarios should use the Error, Warn, Info, and Debug methods. Lower perf +// scenarios can use the more expensive convenience methods such as Debugf and Warnw. +// +// The package provides direct integration with the Cobra command-line processor which makes it +// easy to build programs that use a consistent interface for logging. Here's an example +// of a simple Cobra-based program using this log package: +// +// func main() { +// // get the default logging options +// options := log.DefaultOptions() +// +// rootCmd := &cobra.Command{ +// Run: func(cmd *cobra.Command, args []string) { +// +// // configure the logging system +// if err := log.Configure(options); err != nil { +// // print an error and quit +// } +// +// // output some logs +// log.Info("Hello") +// log.Sync() +// }, +// } +// +// // add logging-specific flags to the cobra command +// options.AttachCobraFlags(rootCmd) +// rootCmd.SetArgs(os.Args[1:]) +// rootCmd.Execute() +// } +// +// Once configured, this package intercepts the output of the standard golang "log" package as well as anything +// sent to the global zap logger (zap.L()). +package log + +import ( + "os" + "strings" + "sync/atomic" + "time" + + "go.uber.org/zap" + "go.uber.org/zap/zapcore" + "go.uber.org/zap/zapgrpc" + "google.golang.org/grpc/grpclog" + "k8s.io/klog/v2" +) + +const ( + // none is used to disable logging output as well as to disable stack tracing. + none zapcore.Level = 100 + GrpcScopeName string = "grpc" +) + +var levelToZap = map[Level]zapcore.Level{ + DebugLevel: zapcore.DebugLevel, + InfoLevel: zapcore.InfoLevel, + WarnLevel: zapcore.WarnLevel, + ErrorLevel: zapcore.ErrorLevel, + FatalLevel: zapcore.FatalLevel, + NoneLevel: none, +} + +var defaultEncoderConfig = zapcore.EncoderConfig{ + TimeKey: "time", + LevelKey: "level", + NameKey: "scope", + CallerKey: "caller", + MessageKey: "msg", + StacktraceKey: "stack", + LineEnding: zapcore.DefaultLineEnding, + EncodeLevel: zapcore.LowercaseLevelEncoder, + EncodeCaller: zapcore.ShortCallerEncoder, + EncodeDuration: zapcore.StringDurationEncoder, + EncodeTime: formatDate, +} + +// functions that can be replaced in a test setting +type patchTable struct { + write func(ent zapcore.Entry, fields []zapcore.Field) error + sync func() error + exitProcess func(code int) + errorSink zapcore.WriteSyncer + close func() error +} + +var ( + // function table that can be replaced by tests + funcs = &atomic.Value{} + // controls whether all output is JSON or CLI style. This makes it easier to query how the zap encoder is configured + // vs. reading it's internal state. + useJSON atomic.Value +) + +func init() { + // use our defaults for starters so that logging works even before everything is fully configured + _ = Configure(DefaultOptions()) +} + +// See: https://cloud.google.com/logging/docs/reference/v2/rest/v2/LogEntry#LogSeverity +var stackdriverSeverityMapping = map[zapcore.Level]string{ + zapcore.DebugLevel: "Debug", + zapcore.InfoLevel: "Info", + zapcore.WarnLevel: "Warning", + zapcore.ErrorLevel: "Error", + zapcore.DPanicLevel: "Critical", + zapcore.FatalLevel: "Critical", + zapcore.PanicLevel: "Critical", +} + +func encodeStackdriverLevel(l zapcore.Level, enc zapcore.PrimitiveArrayEncoder) { + enc.AppendString(stackdriverSeverityMapping[l]) +} + +// prepZap sets up the core Zap loggers +func prepZap(options *Options) (zapcore.Core, func(string) zapcore.Core, zapcore.WriteSyncer, error) { + var enc zapcore.Encoder + if options.useStackdriverFormat { + // See also: https://cloud.google.com/logging/docs/reference/v2/rest/v2/LogEntry + encCfg := zapcore.EncoderConfig{ + TimeKey: "timestamp", + LevelKey: "severity", + NameKey: "logger", + CallerKey: "caller", + MessageKey: "message", + StacktraceKey: "stacktrace", + LineEnding: zapcore.DefaultLineEnding, + EncodeLevel: encodeStackdriverLevel, + EncodeTime: zapcore.RFC3339NanoTimeEncoder, + EncodeDuration: zapcore.SecondsDurationEncoder, + EncodeCaller: zapcore.ShortCallerEncoder, + } + enc = zapcore.NewJSONEncoder(encCfg) + useJSON.Store(true) + } else { + encCfg := defaultEncoderConfig + + if options.JSONEncoding { + enc = zapcore.NewJSONEncoder(encCfg) + useJSON.Store(true) + } else { + enc = zapcore.NewConsoleEncoder(encCfg) + useJSON.Store(false) + } + } + + errSink, closeErrorSink, err := zap.Open(options.ErrorOutputPaths...) + if err != nil { + return nil, nil, nil, err + } + + var outputSink zapcore.WriteSyncer + if len(options.OutputPaths) > 0 { + outputSink, _, err = zap.Open(options.OutputPaths...) + if err != nil { + closeErrorSink() + return nil, nil, nil, err + } + } + + alwaysOn := zapcore.NewCore(enc, outputSink, zap.NewAtomicLevelAt(zapcore.DebugLevel)) + conditionallyOn := func(scopeName string) zapcore.Core { + scope := FindScope(scopeName) + enabler := func(lvl zapcore.Level) bool { + switch lvl { + case zapcore.ErrorLevel: + return scope.ErrorEnabled() + case zapcore.WarnLevel: + return scope.WarnEnabled() + case zapcore.InfoLevel: + return scope.InfoEnabled() + } + return scope.DebugEnabled() + } + return zapcore.NewCore(enc, outputSink, zap.LevelEnablerFunc(enabler)) + } + return alwaysOn, + conditionallyOn, + errSink, nil +} + +func formatDate(t time.Time, enc zapcore.PrimitiveArrayEncoder) { + t = t.UTC() + year, month, day := t.Date() + hour, minute, second := t.Clock() + micros := t.Nanosecond() / 1000 + + buf := make([]byte, 27) + + buf[0] = byte((year/1000)%10) + '0' + buf[1] = byte((year/100)%10) + '0' + buf[2] = byte((year/10)%10) + '0' + buf[3] = byte(year%10) + '0' + buf[4] = '-' + buf[5] = byte((month)/10) + '0' + buf[6] = byte((month)%10) + '0' + buf[7] = '-' + buf[8] = byte((day)/10) + '0' + buf[9] = byte((day)%10) + '0' + buf[10] = 'T' + buf[11] = byte((hour)/10) + '0' + buf[12] = byte((hour)%10) + '0' + buf[13] = ':' + buf[14] = byte((minute)/10) + '0' + buf[15] = byte((minute)%10) + '0' + buf[16] = ':' + buf[17] = byte((second)/10) + '0' + buf[18] = byte((second)%10) + '0' + buf[19] = '.' + buf[20] = byte((micros/100000)%10) + '0' + buf[21] = byte((micros/10000)%10) + '0' + buf[22] = byte((micros/1000)%10) + '0' + buf[23] = byte((micros/100)%10) + '0' + buf[24] = byte((micros/10)%10) + '0' + buf[25] = byte((micros)%10) + '0' + buf[26] = 'Z' + + enc.AppendString(string(buf)) +} + +func updateScopes(options *Options) error { + // snapshot what's there + allScopes := Scopes() + + // Join defaultOutputLevels and outputLevels + levels := options.defaultOutputLevels + if levels == "" { + levels = options.outputLevels + } else if options.outputLevels != "" { + levels = levels + "," + options.outputLevels + } + + // update the output levels of all listed scopes + if err := processLevels(allScopes, levels, func(s *Scope, l Level) { s.SetOutputLevel(l) }); err != nil { + return err + } + + // update the stack tracing levels of all listed scopes + if err := processLevels(allScopes, options.stackTraceLevels, func(s *Scope, l Level) { s.SetStackTraceLevel(l) }); err != nil { + return err + } + + // update the caller location setting of all listed scopes + sc := strings.Split(options.logCallers, ",") + for _, s := range sc { + if s == "" { + continue + } + + if s == OverrideScopeName { + // ignore everything else and just apply the override value + for _, scope := range allScopes { + scope.SetLogCallers(true) + } + } + + if scope, ok := allScopes[s]; ok { + scope.SetLogCallers(true) + } + } + + // If gRPC logging is enabled, turn on gRPC logging automatically + if grpcScope.GetOutputLevel() != NoneLevel { + options.logGRPC = true + } + + return nil +} + +// processLevels breaks down an argument string into a set of scope & levels and then +// tries to apply the result to the scopes. It supports the use of a global override. +func processLevels(allScopes map[string]*Scope, arg string, setter func(*Scope, Level)) error { + levels := strings.Split(arg, ",") + for _, sl := range levels { + s, l, err := convertScopedLevel(sl) + if err != nil { + return err + } + + if scope, ok := allScopes[s]; ok { + setter(scope, l) + } else if s == OverrideScopeName { + // override replaces everything + for _, scope := range allScopes { + setter(scope, l) + } + } + } + + return nil +} + +// Configure initializes Istio's logging subsystem. +// +// You typically call this once at process startup. +// Once this call returns, the logging system is ready to accept data. +// nolint: staticcheck +func Configure(options *Options) error { + if err := updateScopes(options); err != nil { + return err + } + baseLogger, logBuilder, errSink, err := prepZap(options) + if err != nil { + return err + } + defaultLogger := logBuilder(DefaultScopeName) + allLoggers := []*zapcore.Core{&baseLogger, &defaultLogger} + + var grpcLogger zapcore.Core + if options.logGRPC { + grpcLogger = logBuilder(GrpcScopeName) + allLoggers = append(allLoggers, &grpcLogger) + } + + closeFns := make([]func() error, 0) + + for _, ext := range options.extensions { + for _, logger := range allLoggers { + newLogger, closeFn, err := ext(*logger) + if err != nil { + return err + } + *logger = newLogger + closeFns = append(closeFns, closeFn) + } + } + + pt := patchTable{ + write: func(ent zapcore.Entry, fields []zapcore.Field) error { + err := baseLogger.Write(ent, fields) + if ent.Level == zapcore.FatalLevel { + funcs.Load().(patchTable).exitProcess(1) + } + + return err + }, + sync: baseLogger.Sync, + exitProcess: os.Exit, + errorSink: errSink, + close: func() error { + // best-effort to sync + baseLogger.Sync() // nolint: errcheck + for _, f := range closeFns { + if err := f(); err != nil { + return err + } + } + return nil + }, + } + funcs.Store(pt) + + opts := []zap.Option{ + zap.ErrorOutput(errSink), + zap.AddCallerSkip(1), + } + + if defaultScope.GetLogCallers() { + opts = append(opts, zap.AddCaller()) + } + + l := defaultScope.GetStackTraceLevel() + if l != NoneLevel { + opts = append(opts, zap.AddStacktrace(levelToZap[l])) + } + + defaultZapLogger := zap.New(defaultLogger, opts...) + + // capture global zap logging and force it through our logger + _ = zap.ReplaceGlobals(defaultZapLogger) + + // capture standard golang "log" package output and force it through our logger + _ = zap.RedirectStdLog(defaultZapLogger) + + // capture gRPC logging + if options.logGRPC { + grpclog.SetLoggerV2(zapgrpc.NewLogger(zap.New(grpcLogger, opts...).WithOptions(zap.AddCallerSkip(3)))) + } + + // capture klog (Kubernetes logging) through our logging + configureKlog.Do(func() { + klog.SetLogger(NewLogrAdapter(KlogScope)) + }) + // --vklog is non zero then KlogScope should be increased. + // klog is a special case. + if klogVerbose() { + KlogScope.SetOutputLevel(DebugLevel) + } + + return nil +} + +// Sync flushes any buffered log entries. +// Processes should normally take care to call Sync before exiting. +func Sync() error { + return funcs.Load().(patchTable).sync() +} + +// Close implements io.Closer. +func Close() error { + return funcs.Load().(patchTable).close() +} diff --git a/vendor/istio.io/istio/pkg/log/default.go b/vendor/istio.io/istio/pkg/log/default.go new file mode 100644 index 0000000000..d8debf8d7e --- /dev/null +++ b/vendor/istio.io/istio/pkg/log/default.go @@ -0,0 +1,105 @@ +// Copyright 2017 Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package log + +// These functions enable logging using a global Scope. See scope.go for usage information. + +func registerDefaultScopes() (defaults *Scope, grpc *Scope) { + return registerScope(DefaultScopeName, "Unscoped logging messages.", 1), + registerScope(GrpcScopeName, "logs from gRPC", 3) +} + +var defaultScope, grpcScope = registerDefaultScopes() + +// Fatal outputs a message at fatal level. +func Fatal(fields any) { + defaultScope.Fatal(fields) +} + +// Fatalf uses fmt.Sprintf to construct and log a message at fatal level. +func Fatalf(format string, args ...any) { + defaultScope.Fatalf(format, args...) +} + +// FatalEnabled returns whether output of messages using this scope is currently enabled for fatal-level output. +func FatalEnabled() bool { + return defaultScope.FatalEnabled() +} + +// Error outputs a message at error level. +func Error(fields any) { + defaultScope.Error(fields) +} + +// Errorf uses fmt.Sprintf to construct and log a message at error level. +func Errorf(format string, args ...any) { + defaultScope.Errorf(format, args...) +} + +// ErrorEnabled returns whether output of messages using this scope is currently enabled for error-level output. +func ErrorEnabled() bool { + return defaultScope.ErrorEnabled() +} + +// Warn outputs a message at warn level. +func Warn(fields any) { + defaultScope.Warn(fields) +} + +// Warnf uses fmt.Sprintf to construct and log a message at warn level. +func Warnf(format string, args ...any) { + defaultScope.Warnf(format, args...) +} + +// WarnEnabled returns whether output of messages using this scope is currently enabled for warn-level output. +func WarnEnabled() bool { + return defaultScope.WarnEnabled() +} + +// Info outputs a message at info level. +func Info(fields any) { + defaultScope.Info(fields) +} + +// Infof uses fmt.Sprintf to construct and log a message at info level. +func Infof(format string, args ...any) { + defaultScope.Infof(format, args...) +} + +// InfoEnabled returns whether output of messages using this scope is currently enabled for info-level output. +func InfoEnabled() bool { + return defaultScope.InfoEnabled() +} + +// Debug outputs a message at debug level. +func Debug(fields any) { + defaultScope.Debug(fields) +} + +// Debugf uses fmt.Sprintf to construct and log a message at debug level. +func Debugf(format string, args ...any) { + defaultScope.Debugf(format, args...) +} + +// DebugEnabled returns whether output of messages using this scope is currently enabled for debug-level output. +func DebugEnabled() bool { + return defaultScope.DebugEnabled() +} + +// WithLabels adds a key-value pairs to the labels in s. The key must be a string, while the value may be any type. +// It returns a copy of the default scope, with the labels added. +func WithLabels(kvlist ...any) *Scope { + return defaultScope.WithLabels(kvlist...) +} diff --git a/vendor/istio.io/istio/pkg/log/klog.go b/vendor/istio.io/istio/pkg/log/klog.go new file mode 100644 index 0000000000..f2b502d111 --- /dev/null +++ b/vendor/istio.io/istio/pkg/log/klog.go @@ -0,0 +1,76 @@ +// Copyright Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package log + +import ( + goflag "flag" + "fmt" + "sync" + + "github.com/spf13/pflag" + "k8s.io/klog/v2" +) + +var ( + KlogScope = RegisterScope("klog", "") + configureKlog = sync.Once{} +) + +// EnableKlogWithCobra enables klog to work with cobra / pflags. +// k8s libraries like client-go use klog. +func EnableKlogWithCobra() { + gf := klogVerboseFlag() + pflag.CommandLine.AddFlag(pflag.PFlagFromGoFlag( + &goflag.Flag{ + Name: "vklog", + Value: gf.Value, + DefValue: gf.DefValue, + Usage: gf.Usage + ". Like -v flag. ex: --vklog=9", + })) +} + +// EnableKlogWithCobra enables klog to work with go flags. +// k8s libraries like client-go use klog. +func EnableKlogWithGoFlag() { + gf := klogVerboseFlag() + goflag.CommandLine.Var(gf.Value, "vklog", gf.Usage+". Like -v flag. ex: --vklog=9") +} + +// isKlogVerbose returns true if klog verbosity is non-zero. +func klogVerbose() bool { + gf := klogVerboseFlag() + return gf.Value.String() != "0" +} + +var ( + klogFlagSet = &goflag.FlagSet{} + klogFlagSetOnce = sync.Once{} +) + +// KlogVerboseFlag returns verbose flag from the klog library. +// After parsing it contains the parsed verbosity value. +func klogVerboseFlag() *goflag.Flag { + klogFlagSetOnce.Do(func() { + klog.InitFlags(klogFlagSet) + }) + // --v= flag of klog. + return klogFlagSet.Lookup("v") +} + +// EnableKlogWithVerbosity sets the klog verbosity directly. +// When using in an application, EnableKlogWithCobra is preferred to expose a --vklog flag. +func EnableKlogWithVerbosity(v int) { + _ = klogFlagSet.Set("v", fmt.Sprint(v)) +} diff --git a/vendor/istio.io/istio/pkg/log/logr.go b/vendor/istio.io/istio/pkg/log/logr.go new file mode 100644 index 0000000000..b63edcacbf --- /dev/null +++ b/vendor/istio.io/istio/pkg/log/logr.go @@ -0,0 +1,103 @@ +// Copyright Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package log + +import ( + "fmt" + + "github.com/go-logr/logr" +) + +// zapLogger is a logr.Logger that uses Zap to log. This is needed to get +// libraries, namely Kubernetes/klog, that use logr, to use our standard logging. +// This enables standard formatting, scope filtering, and options. The logr +// interface does not have a concept of Debug/Info/Warn/Error as we do. Instead, +// logging is based on Verbosity levels, where 0 is the most important. We treat +// levels 0-3 as info level and 4+ as debug; there are no warnings. This +// threshold is fairly arbitrary based on inspection of Kubernetes usage and +// https://kubernetes.io/docs/reference/kubectl/cheatsheet/#kubectl-output-verbosity-and-debugging. +// Errors are passed through as errors. +// Zap does come with its own logr implementation, but we have chosen to re-implement to allow usage of +// our Scope - in particular, this allows changing the logging level of kubernetes logs by users. +type zapLogger struct { + l *Scope +} + +const debugLevelThreshold = 3 + +func (zl *zapLogger) Enabled(level int) bool { + if level > debugLevelThreshold { + return zl.l.DebugEnabled() + } + return zl.l.InfoEnabled() +} + +// Logs will come in with newlines, but our logger auto appends newline +func trimNewline(msg string) string { + if len(msg) == 0 { + return msg + } + lc := len(msg) - 1 + if msg[lc] == '\n' { + return msg[:lc] + } + return msg +} + +func (zl *zapLogger) Init(logr.RuntimeInfo) { +} + +func (zl *zapLogger) Info(level int, msg string, keysAndVals ...any) { + if level > debugLevelThreshold { + zl.l.WithLabels(keysAndVals...).Debug(trimNewline(msg)) + } else { + zl.l.WithLabels(keysAndVals...).Info(trimNewline(msg)) + } +} + +func (zl *zapLogger) Error(err error, msg string, keysAndVals ...any) { + if zl.l.ErrorEnabled() { + if err == nil { + zl.l.WithLabels(keysAndVals...).Error(trimNewline(msg)) + } else { + zl.l.WithLabels(keysAndVals...).Error(fmt.Sprintf("%v: %s", err.Error(), msg)) + } + } +} + +func (zl *zapLogger) V(int) logr.Logger { + zlog := &zapLogger{ + l: zl.l, + } + + return logr.New(zlog) +} + +func (zl *zapLogger) WithValues(keysAndValues ...any) logr.LogSink { + return NewLogrAdapter(zl.l.WithLabels(keysAndValues...)).GetSink() +} + +func (zl *zapLogger) WithName(string) logr.LogSink { + return zl +} + +// NewLogrAdapter creates a new logr.Logger using the given Zap Logger to log. +func NewLogrAdapter(l *Scope) logr.Logger { + zlog := &zapLogger{ + l: l, + } + + return logr.New(zlog) +} diff --git a/vendor/istio.io/istio/pkg/log/options.go b/vendor/istio.io/istio/pkg/log/options.go new file mode 100644 index 0000000000..d3958fb0c3 --- /dev/null +++ b/vendor/istio.io/istio/pkg/log/options.go @@ -0,0 +1,276 @@ +// Copyright 2017 Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package log + +import ( + "fmt" + "sort" + "strings" + + "github.com/spf13/cobra" + "go.uber.org/zap/zapcore" +) + +const ( + DefaultScopeName = "default" + OverrideScopeName = "all" + defaultOutputLevel = InfoLevel + defaultStackTraceLevel = NoneLevel + defaultOutputPath = "stdout" + defaultErrorOutputPath = "stderr" +) + +// Level is an enumeration of all supported log levels. +type Level int + +const ( + // NoneLevel disables logging + NoneLevel Level = iota + // FatalLevel enables fatal level logging + FatalLevel + // ErrorLevel enables error level logging + ErrorLevel + // WarnLevel enables warn level logging + WarnLevel + // InfoLevel enables info level logging + InfoLevel + // DebugLevel enables debug level logging + DebugLevel +) + +var levelToString = map[Level]string{ + DebugLevel: "debug", + InfoLevel: "info", + WarnLevel: "warn", + ErrorLevel: "error", + FatalLevel: "fatal", + NoneLevel: "none", +} + +var stringToLevel = map[string]Level{ + "debug": DebugLevel, + "info": InfoLevel, + "warn": WarnLevel, + "error": ErrorLevel, + "fatal": FatalLevel, + "none": NoneLevel, +} + +func StringToLevel(level string) Level { + return stringToLevel[level] +} + +func LevelToString(level Level) string { + return levelToString[level] +} + +// Options defines the set of options supported by Istio's component logging package. +type Options struct { + // OutputPaths is a list of file system paths to write the log data to. + // The special values stdout and stderr can be used to output to the + // standard I/O streams. This defaults to stdout. + OutputPaths []string + + // ErrorOutputPaths is a list of file system paths to write logger errors to. + // The special values stdout and stderr can be used to output to the + // standard I/O streams. This defaults to stderr. + ErrorOutputPaths []string + + // JSONEncoding controls whether the log is formatted as JSON. + JSONEncoding bool + + // logGRPC indicates that Grpc logs should be captured. + // This is enabled by a --log_output_level=grpc: typically + logGRPC bool + + outputLevels string + defaultOutputLevels string + logCallers string + stackTraceLevels string + + useStackdriverFormat bool + extensions []Extension +} + +// DefaultOptions returns a new set of options, initialized to the defaults +func DefaultOptions() *Options { + return &Options{ + OutputPaths: []string{defaultOutputPath}, + ErrorOutputPaths: []string{defaultErrorOutputPath}, + defaultOutputLevels: "default:info,grpc:none", + stackTraceLevels: DefaultScopeName + ":" + levelToString[defaultStackTraceLevel], + logGRPC: false, + useStackdriverFormat: false, + } +} + +// WithStackdriverLoggingFormat configures logging output to match Stackdriver structured logging conventions. +func (o *Options) WithStackdriverLoggingFormat() *Options { + o.useStackdriverFormat = true + return o +} + +// WithTeeToUDS configures a parallel logging pipeline that writes logs to a server over UDS. +// addr is the socket that the server listens on, and path is the HTTP path that process the log message. +func (o *Options) WithTeeToUDS(addr, path string) *Options { + return o.WithExtension(func(c zapcore.Core) (zapcore.Core, func() error, error) { + return teeToUDSServer(c, addr, path), func() error { return nil }, nil + }) +} + +// WithTeeToRolling configures a parallel logging pipeline that writes logs to a local rolling log of fixed size. +// This is mainly used by the CNI plugin, and so the size and rollover is intentionally kept small. +// rollingPath is the path the rolling log(s) will be written to. +func (o *Options) WithTeeToRollingLocal(rollingPath string, maxSizeInMB int) *Options { + return o.WithExtension(func(c zapcore.Core) (zapcore.Core, func() error, error) { + return teeToRollingLocal(c, rollingPath, maxSizeInMB), func() error { return nil }, nil + }) +} + +// Extension provides an extension mechanism for logs. +// This is essentially like https://pkg.go.dev/golang.org/x/exp/slog#Handler. +// This interface should be considered unstable; we will likely swap it for slog in the future and not expose zap internals. +// Returns a modified Core interface, and a Close() function. +type Extension func(c zapcore.Core) (zapcore.Core, func() error, error) + +func (o *Options) WithExtension(e Extension) *Options { + o.extensions = append(o.extensions, e) + return o +} + +// SetDefaultOutputLevel sets the minimum log output level for a given scope. +// This can be overwritten by flags +func (o *Options) SetDefaultOutputLevel(scope string, level Level) { + sl := scope + ":" + levelToString[level] + levels := strings.Split(o.defaultOutputLevels, ",") + if scope == DefaultScopeName { + // see if we have an entry without a scope prefix (which represents the default scope) + for i, ol := range levels { + if !strings.Contains(ol, ":") { + levels[i] = sl + o.defaultOutputLevels = strings.Join(levels, ",") + return + } + } + } + + prefix := scope + ":" + for i, ol := range levels { + if strings.HasPrefix(ol, prefix) { + levels[i] = sl + o.defaultOutputLevels = strings.Join(levels, ",") + return + } + } + + levels = append(levels, sl) + o.defaultOutputLevels = strings.Join(levels, ",") +} + +func convertScopedLevel(sl string) (string, Level, error) { + var s string + var l string + + pieces := strings.Split(sl, ":") + if len(pieces) == 1 { + s = DefaultScopeName + l = pieces[0] + } else if len(pieces) == 2 { + s = pieces[0] + l = pieces[1] + } else { + return "", NoneLevel, fmt.Errorf("invalid output level format '%s'", sl) + } + + level, ok := stringToLevel[l] + if !ok { + return "", NoneLevel, fmt.Errorf("invalid output level '%s'", l) + } + + return s, level, nil +} + +// AttachCobraFlags attaches a set of Cobra flags to the given Cobra command. +// +// Cobra is the command-line processor that Istio uses. This command attaches +// the necessary set of flags to expose a CLI to let the user control all +// logging options. +func (o *Options) AttachCobraFlags(cmd *cobra.Command) { + o.AttachFlags( + cmd.PersistentFlags().StringArrayVar, + cmd.PersistentFlags().StringVar, + cmd.PersistentFlags().IntVar, + cmd.PersistentFlags().BoolVar) +} + +// AttachFlags allows attaching of flags through a set of lambda functions. +func (o *Options) AttachFlags( + stringArrayVar func(p *[]string, name string, value []string, usage string), + stringVar func(p *string, name string, value string, usage string), + _ func(p *int, name string, value int, usage string), + boolVar func(p *bool, name string, value bool, usage string), +) { + stringArrayVar(&o.OutputPaths, "log_target", o.OutputPaths, + "The set of paths where to output the log. This can be any path as well as the special values stdout and stderr") + + boolVar(&o.JSONEncoding, "log_as_json", o.JSONEncoding, + "Whether to format output as JSON or in plain console-friendly format") + + levelListString := fmt.Sprintf("[%s, %s, %s, %s, %s, %s]", + levelToString[DebugLevel], + levelToString[InfoLevel], + levelToString[WarnLevel], + levelToString[ErrorLevel], + levelToString[FatalLevel], + levelToString[NoneLevel]) + + allScopes := Scopes() + if len(allScopes) > 1 { + keys := make([]string, 0, len(allScopes)) + for name := range allScopes { + keys = append(keys, name) + } + keys = append(keys, OverrideScopeName) + sort.Strings(keys) + s := strings.Join(keys, ", ") + + stringVar(&o.outputLevels, "log_output_level", o.outputLevels, + fmt.Sprintf("Comma-separated minimum per-scope logging level of messages to output, in the form of "+ + ":,:,... where scope can be one of [%s] and level can be one of %s", + s, levelListString)) + + stringVar(&o.stackTraceLevels, "log_stacktrace_level", o.stackTraceLevels, + fmt.Sprintf("Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of "+ + ":,,... where scope can be one of [%s] and level can be one of %s", + s, levelListString)) + + stringVar(&o.logCallers, "log_caller", o.logCallers, + fmt.Sprintf("Comma-separated list of scopes for which to include caller information, scopes can be any of [%s]", s)) + } else { + stringVar(&o.outputLevels, "log_output_level", o.outputLevels, + fmt.Sprintf("The minimum logging level of messages to output, can be one of %s", + levelListString)) + + stringVar(&o.stackTraceLevels, "log_stacktrace_level", o.stackTraceLevels, + fmt.Sprintf("The minimum logging level at which stack traces are captured, can be one of %s", + levelListString)) + + stringVar(&o.logCallers, "log_caller", o.logCallers, + "Comma-separated list of scopes for which to include called information, scopes can be any of [default]") + } + + // NOTE: we don't currently expose a command-line option to control ErrorOutputPaths since it + // seems too esoteric. +} diff --git a/vendor/istio.io/istio/pkg/log/scope.go b/vendor/istio.io/istio/pkg/log/scope.go new file mode 100644 index 0000000000..e1c9eca866 --- /dev/null +++ b/vendor/istio.io/istio/pkg/log/scope.go @@ -0,0 +1,404 @@ +// Copyright Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package log + +import ( + "fmt" + "runtime" + "strings" + "sync" + "sync/atomic" + "time" + + "go.uber.org/zap" + "go.uber.org/zap/zapcore" +) + +// Scope constrains logging control to a named scope level. It gives users a fine grained control over output severity +// threshold and stack traces. +// +// Scope supports structured logging using WithLabels: +// +// s := RegisterScope("MyScope", "Description", 0) +// s = s.WithLabels("foo", "bar", "baz", 123, "qux", 0.123) +// s.Info("Hello") //

    +ORAS logo +

    + +`oras-go` is a Go library for managing OCI artifacts, compliant with the [OCI Image Format Specification](https://github.com/opencontainers/image-spec) and the [OCI Distribution Specification](https://github.com/opencontainers/distribution-spec). It provides unified APIs for pushing, pulling, and managing artifacts across OCI-compliant registries, local file systems, and in-memory stores. + +> [!Note] +> The `main` branch follows [Go's Security Policy](https://github.com/golang/go/security/policy) and supports the two latest versions of Go (currently `1.23` and `1.24`). + +## Getting Started + +### Concepts + +Gain insights into the fundamental concepts: + +- [Modeling Artifacts](docs/Modeling-Artifacts.md) +- [Targets and Content Stores](docs/Targets.md) + +### Quickstart + +Follow the step-by-step tutorial to use `oras-go` v2: + +- [Quickstart: Managing OCI Artifacts with `oras-go` v2](docs/tutorial/quickstart.md) + +### Examples + +Check out sample code for common use cases: + +- [Artifact copying](https://pkg.go.dev/oras.land/oras-go/v2#pkg-examples) +- [Registry operations](https://pkg.go.dev/oras.land/oras-go/v2/registry#pkg-examples) +- [Repository operations](https://pkg.go.dev/oras.land/oras-go/v2/registry/remote#pkg-examples) +- [Authentication](https://pkg.go.dev/oras.land/oras-go/v2/registry/remote/auth#pkg-examples) +- [Credentials management](https://pkg.go.dev/oras.land/oras-go/v2/registry/remote/credentials#pkg-examples) + +Find more API examples at [pkg.go.dev](https://pkg.go.dev/oras.land/oras-go/v2). + + +## Versioning + +This project follows [Semantic Versioning](https://semver.org/) (`MAJOR`.`MINOR`.`PATCH`), with `MAJOR` for breaking changes, `MINOR` for backward-compatible features, and `PATCH` for backward-compatible fixes. + +## Previous Major Versions + +### v1 (maintenance) + +[![Build Status](https://github.com/oras-project/oras-go/actions/workflows/build.yml/badge.svg?event=push&branch=v1)](https://github.com/oras-project/oras-go/actions/workflows/build.yml?query=workflow%3Abuild+event%3Apush+branch%3Av1) +[![Go Report Card](https://goreportcard.com/badge/oras.land/oras-go)](https://goreportcard.com/report/oras.land/oras-go) +[![Go Reference](https://pkg.go.dev/badge/oras.land/oras-go.svg)](https://pkg.go.dev/oras.land/oras-go) + +The [`v1`](https://github.com/oras-project/oras-go/tree/v1) branch is maintained for dependency updates and security fixes only. All feature development happens in the [`main`](https://github.com/oras-project/oras-go/tree/main) branch. + +To migrate from `v1` to `v2`, see [MIGRATION_GUIDE.md](MIGRATION_GUIDE.md). + +## Community + +- Code of Conduct: [CODE_OF_CONDUCT.md](CODE_OF_CONDUCT.md) +- Security Policy: [SECURITY.md](SECURITY.md) +- Reviewing Guide: [Reviewing Guide](https://github.com/oras-project/community/blob/main/REVIEWING.md) +- Slack: [`#oras`](https://cloud-native.slack.com/archives/CJ1KHJM5Z) channel on CNCF Slack diff --git a/vendor/oras.land/oras-go/v2/SECURITY.md b/vendor/oras.land/oras-go/v2/SECURITY.md new file mode 100644 index 0000000000..ffefe3417f --- /dev/null +++ b/vendor/oras.land/oras-go/v2/SECURITY.md @@ -0,0 +1,3 @@ +# Security Policy + +Please follow the [security policy](https://oras.land/docs/community/reporting_security_concerns) to report a security vulnerability or concern. diff --git a/vendor/oras.land/oras-go/v2/content.go b/vendor/oras.land/oras-go/v2/content.go new file mode 100644 index 0000000000..b8bf26386f --- /dev/null +++ b/vendor/oras.land/oras-go/v2/content.go @@ -0,0 +1,411 @@ +/* +Copyright The ORAS Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package oras + +import ( + "bytes" + "context" + "errors" + "fmt" + "io" + + ocispec "github.com/opencontainers/image-spec/specs-go/v1" + "oras.land/oras-go/v2/content" + "oras.land/oras-go/v2/errdef" + "oras.land/oras-go/v2/internal/cas" + "oras.land/oras-go/v2/internal/docker" + "oras.land/oras-go/v2/internal/interfaces" + "oras.land/oras-go/v2/internal/platform" + "oras.land/oras-go/v2/internal/syncutil" + "oras.land/oras-go/v2/registry" + "oras.land/oras-go/v2/registry/remote/auth" +) + +const ( + // defaultTagConcurrency is the default concurrency of tagging. + defaultTagConcurrency int = 5 // This value is consistent with dockerd + + // defaultTagNMaxMetadataBytes is the default value of + // TagNOptions.MaxMetadataBytes. + defaultTagNMaxMetadataBytes int64 = 4 * 1024 * 1024 // 4 MiB + + // defaultResolveMaxMetadataBytes is the default value of + // ResolveOptions.MaxMetadataBytes. + defaultResolveMaxMetadataBytes int64 = 4 * 1024 * 1024 // 4 MiB + + // defaultMaxBytes is the default value of FetchBytesOptions.MaxBytes. + defaultMaxBytes int64 = 4 * 1024 * 1024 // 4 MiB +) + +// DefaultTagNOptions provides the default TagNOptions. +var DefaultTagNOptions TagNOptions + +// TagNOptions contains parameters for [oras.TagN]. +type TagNOptions struct { + // Concurrency limits the maximum number of concurrent tag tasks. + // If less than or equal to 0, a default (currently 5) is used. + Concurrency int + + // MaxMetadataBytes limits the maximum size of metadata that can be cached + // in the memory. + // If less than or equal to 0, a default (currently 4 MiB) is used. + MaxMetadataBytes int64 +} + +// TagN tags the descriptor identified by srcReference with dstReferences. +func TagN(ctx context.Context, target Target, srcReference string, dstReferences []string, opts TagNOptions) (ocispec.Descriptor, error) { + switch len(dstReferences) { + case 0: + return ocispec.Descriptor{}, fmt.Errorf("dstReferences cannot be empty: %w", errdef.ErrMissingReference) + case 1: + return Tag(ctx, target, srcReference, dstReferences[0]) + } + + if opts.Concurrency <= 0 { + opts.Concurrency = defaultTagConcurrency + } + if opts.MaxMetadataBytes <= 0 { + opts.MaxMetadataBytes = defaultTagNMaxMetadataBytes + } + + _, isRefFetcher := target.(registry.ReferenceFetcher) + _, isRefPusher := target.(registry.ReferencePusher) + if isRefFetcher && isRefPusher { + if repo, ok := target.(interfaces.ReferenceParser); ok { + // add scope hints to minimize the number of auth requests + ref, err := repo.ParseReference(srcReference) + if err != nil { + return ocispec.Descriptor{}, err + } + ctx = auth.AppendRepositoryScope(ctx, ref, auth.ActionPull, auth.ActionPush) + } + + desc, contentBytes, err := FetchBytes(ctx, target, srcReference, FetchBytesOptions{ + MaxBytes: opts.MaxMetadataBytes, + }) + if err != nil { + if errors.Is(err, errdef.ErrSizeExceedsLimit) { + err = fmt.Errorf( + "content size %v exceeds MaxMetadataBytes %v: %w", + desc.Size, + opts.MaxMetadataBytes, + errdef.ErrSizeExceedsLimit) + } + return ocispec.Descriptor{}, err + } + + if err := tagBytesN(ctx, target, desc, contentBytes, dstReferences, TagBytesNOptions{ + Concurrency: opts.Concurrency, + }); err != nil { + return ocispec.Descriptor{}, err + } + return desc, nil + } + + desc, err := target.Resolve(ctx, srcReference) + if err != nil { + return ocispec.Descriptor{}, err + } + eg, egCtx := syncutil.LimitGroup(ctx, opts.Concurrency) + for _, dstRef := range dstReferences { + eg.Go(func(dst string) func() error { + return func() error { + if err := target.Tag(egCtx, desc, dst); err != nil { + return fmt.Errorf("failed to tag %s as %s: %w", srcReference, dst, err) + } + return nil + } + }(dstRef)) + } + + if err := eg.Wait(); err != nil { + return ocispec.Descriptor{}, err + } + return desc, nil +} + +// Tag tags the descriptor identified by src with dst. +func Tag(ctx context.Context, target Target, src, dst string) (ocispec.Descriptor, error) { + refFetcher, okFetch := target.(registry.ReferenceFetcher) + refPusher, okPush := target.(registry.ReferencePusher) + if okFetch && okPush { + if repo, ok := target.(interfaces.ReferenceParser); ok { + // add scope hints to minimize the number of auth requests + ref, err := repo.ParseReference(src) + if err != nil { + return ocispec.Descriptor{}, err + } + ctx = auth.AppendRepositoryScope(ctx, ref, auth.ActionPull, auth.ActionPush) + } + desc, rc, err := refFetcher.FetchReference(ctx, src) + if err != nil { + return ocispec.Descriptor{}, err + } + defer rc.Close() + if err := refPusher.PushReference(ctx, desc, rc, dst); err != nil { + return ocispec.Descriptor{}, err + } + return desc, nil + } + + desc, err := target.Resolve(ctx, src) + if err != nil { + return ocispec.Descriptor{}, err + } + if err := target.Tag(ctx, desc, dst); err != nil { + return ocispec.Descriptor{}, err + } + return desc, nil +} + +// DefaultResolveOptions provides the default ResolveOptions. +var DefaultResolveOptions ResolveOptions + +// ResolveOptions contains parameters for [oras.Resolve]. +type ResolveOptions struct { + // TargetPlatform ensures the resolved content matches the target platform + // if the node is a manifest, or selects the first resolved content that + // matches the target platform if the node is a manifest list. + TargetPlatform *ocispec.Platform + + // MaxMetadataBytes limits the maximum size of metadata that can be cached + // in the memory. + // If less than or equal to 0, a default (currently 4 MiB) is used. + MaxMetadataBytes int64 +} + +// Resolve resolves a descriptor with provided reference from the target. +func Resolve(ctx context.Context, target ReadOnlyTarget, reference string, opts ResolveOptions) (ocispec.Descriptor, error) { + if opts.TargetPlatform == nil { + return target.Resolve(ctx, reference) + } + return resolve(ctx, target, nil, reference, opts) +} + +// resolve resolves a descriptor with provided reference from the target, with +// specified caching. +func resolve(ctx context.Context, target ReadOnlyTarget, proxy *cas.Proxy, reference string, opts ResolveOptions) (ocispec.Descriptor, error) { + if opts.MaxMetadataBytes <= 0 { + opts.MaxMetadataBytes = defaultResolveMaxMetadataBytes + } + + if refFetcher, ok := target.(registry.ReferenceFetcher); ok { + // optimize performance for ReferenceFetcher targets + desc, rc, err := refFetcher.FetchReference(ctx, reference) + if err != nil { + return ocispec.Descriptor{}, err + } + defer rc.Close() + + switch desc.MediaType { + case docker.MediaTypeManifestList, ocispec.MediaTypeImageIndex, + docker.MediaTypeManifest, ocispec.MediaTypeImageManifest: + // cache the fetched content + if desc.Size > opts.MaxMetadataBytes { + return ocispec.Descriptor{}, fmt.Errorf( + "content size %v exceeds MaxMetadataBytes %v: %w", + desc.Size, + opts.MaxMetadataBytes, + errdef.ErrSizeExceedsLimit) + } + if proxy == nil { + proxy = cas.NewProxyWithLimit(target, cas.NewMemory(), opts.MaxMetadataBytes) + } + if err := proxy.Cache.Push(ctx, desc, rc); err != nil { + return ocispec.Descriptor{}, err + } + // stop caching as SelectManifest may fetch a config blob + proxy.StopCaching = true + return platform.SelectManifest(ctx, proxy, desc, opts.TargetPlatform) + default: + return ocispec.Descriptor{}, fmt.Errorf("%s: %s: %w", desc.Digest, desc.MediaType, errdef.ErrUnsupported) + } + } + + desc, err := target.Resolve(ctx, reference) + if err != nil { + return ocispec.Descriptor{}, err + } + return platform.SelectManifest(ctx, target, desc, opts.TargetPlatform) +} + +// DefaultFetchOptions provides the default FetchOptions. +var DefaultFetchOptions FetchOptions + +// FetchOptions contains parameters for [oras.Fetch]. +type FetchOptions struct { + // ResolveOptions contains parameters for resolving reference. + ResolveOptions +} + +// Fetch fetches the content identified by the reference. +func Fetch(ctx context.Context, target ReadOnlyTarget, reference string, opts FetchOptions) (ocispec.Descriptor, io.ReadCloser, error) { + if opts.TargetPlatform == nil { + if refFetcher, ok := target.(registry.ReferenceFetcher); ok { + return refFetcher.FetchReference(ctx, reference) + } + + desc, err := target.Resolve(ctx, reference) + if err != nil { + return ocispec.Descriptor{}, nil, err + } + rc, err := target.Fetch(ctx, desc) + if err != nil { + return ocispec.Descriptor{}, nil, err + } + return desc, rc, nil + } + + if opts.MaxMetadataBytes <= 0 { + opts.MaxMetadataBytes = defaultResolveMaxMetadataBytes + } + proxy := cas.NewProxyWithLimit(target, cas.NewMemory(), opts.MaxMetadataBytes) + desc, err := resolve(ctx, target, proxy, reference, opts.ResolveOptions) + if err != nil { + return ocispec.Descriptor{}, nil, err + } + // if the content exists in cache, fetch it from cache + // otherwise fetch without caching + proxy.StopCaching = true + rc, err := proxy.Fetch(ctx, desc) + if err != nil { + return ocispec.Descriptor{}, nil, err + } + return desc, rc, nil +} + +// DefaultFetchBytesOptions provides the default FetchBytesOptions. +var DefaultFetchBytesOptions FetchBytesOptions + +// FetchBytesOptions contains parameters for [oras.FetchBytes]. +type FetchBytesOptions struct { + // FetchOptions contains parameters for fetching content. + FetchOptions + // MaxBytes limits the maximum size of the fetched content bytes. + // If less than or equal to 0, a default (currently 4 MiB) is used. + MaxBytes int64 +} + +// FetchBytes fetches the content bytes identified by the reference. +func FetchBytes(ctx context.Context, target ReadOnlyTarget, reference string, opts FetchBytesOptions) (ocispec.Descriptor, []byte, error) { + if opts.MaxBytes <= 0 { + opts.MaxBytes = defaultMaxBytes + } + + desc, rc, err := Fetch(ctx, target, reference, opts.FetchOptions) + if err != nil { + return ocispec.Descriptor{}, nil, err + } + defer rc.Close() + + if desc.Size > opts.MaxBytes { + return ocispec.Descriptor{}, nil, fmt.Errorf( + "content size %v exceeds MaxBytes %v: %w", + desc.Size, + opts.MaxBytes, + errdef.ErrSizeExceedsLimit) + } + bytes, err := content.ReadAll(rc, desc) + if err != nil { + return ocispec.Descriptor{}, nil, err + } + + return desc, bytes, nil +} + +// PushBytes describes the contentBytes using the given mediaType and pushes it. +// If mediaType is not specified, "application/octet-stream" is used. +func PushBytes(ctx context.Context, pusher content.Pusher, mediaType string, contentBytes []byte) (ocispec.Descriptor, error) { + desc := content.NewDescriptorFromBytes(mediaType, contentBytes) + r := bytes.NewReader(contentBytes) + if err := pusher.Push(ctx, desc, r); err != nil { + return ocispec.Descriptor{}, err + } + + return desc, nil +} + +// DefaultTagBytesNOptions provides the default TagBytesNOptions. +var DefaultTagBytesNOptions TagBytesNOptions + +// TagBytesNOptions contains parameters for [oras.TagBytesN]. +type TagBytesNOptions struct { + // Concurrency limits the maximum number of concurrent tag tasks. + // If less than or equal to 0, a default (currently 5) is used. + Concurrency int +} + +// TagBytesN describes the contentBytes using the given mediaType, pushes it, +// and tag it with the given references. +// If mediaType is not specified, "application/octet-stream" is used. +func TagBytesN(ctx context.Context, target Target, mediaType string, contentBytes []byte, references []string, opts TagBytesNOptions) (ocispec.Descriptor, error) { + if len(references) == 0 { + return PushBytes(ctx, target, mediaType, contentBytes) + } + + desc := content.NewDescriptorFromBytes(mediaType, contentBytes) + if opts.Concurrency <= 0 { + opts.Concurrency = defaultTagConcurrency + } + + if err := tagBytesN(ctx, target, desc, contentBytes, references, opts); err != nil { + return ocispec.Descriptor{}, err + } + return desc, nil +} + +// tagBytesN pushes the contentBytes using the given desc, and tag it with the +// given references. +func tagBytesN(ctx context.Context, target Target, desc ocispec.Descriptor, contentBytes []byte, references []string, opts TagBytesNOptions) error { + eg, egCtx := syncutil.LimitGroup(ctx, opts.Concurrency) + if refPusher, ok := target.(registry.ReferencePusher); ok { + for _, reference := range references { + eg.Go(func(ref string) func() error { + return func() error { + r := bytes.NewReader(contentBytes) + if err := refPusher.PushReference(egCtx, desc, r, ref); err != nil && !errors.Is(err, errdef.ErrAlreadyExists) { + return fmt.Errorf("failed to tag %s: %w", ref, err) + } + return nil + } + }(reference)) + } + } else { + r := bytes.NewReader(contentBytes) + if err := target.Push(ctx, desc, r); err != nil && !errors.Is(err, errdef.ErrAlreadyExists) { + return fmt.Errorf("failed to push content: %w", err) + } + for _, reference := range references { + eg.Go(func(ref string) func() error { + return func() error { + if err := target.Tag(egCtx, desc, ref); err != nil { + return fmt.Errorf("failed to tag %s: %w", ref, err) + } + return nil + } + }(reference)) + } + } + + return eg.Wait() +} + +// TagBytes describes the contentBytes using the given mediaType, pushes it, +// and tag it with the given reference. +// If mediaType is not specified, "application/octet-stream" is used. +func TagBytes(ctx context.Context, target Target, mediaType string, contentBytes []byte, reference string) (ocispec.Descriptor, error) { + return TagBytesN(ctx, target, mediaType, contentBytes, []string{reference}, DefaultTagBytesNOptions) +} diff --git a/vendor/oras.land/oras-go/v2/content/descriptor.go b/vendor/oras.land/oras-go/v2/content/descriptor.go new file mode 100644 index 0000000000..8e6c25dec2 --- /dev/null +++ b/vendor/oras.land/oras-go/v2/content/descriptor.go @@ -0,0 +1,40 @@ +/* +Copyright The ORAS Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package content + +import ( + "github.com/opencontainers/go-digest" + ocispec "github.com/opencontainers/image-spec/specs-go/v1" + "oras.land/oras-go/v2/internal/descriptor" +) + +// NewDescriptorFromBytes returns a descriptor, given the content and media type. +// If no media type is specified, "application/octet-stream" will be used. +func NewDescriptorFromBytes(mediaType string, content []byte) ocispec.Descriptor { + if mediaType == "" { + mediaType = descriptor.DefaultMediaType + } + return ocispec.Descriptor{ + MediaType: mediaType, + Digest: digest.FromBytes(content), + Size: int64(len(content)), + } +} + +// Equal returns true if two descriptors point to the same content. +func Equal(a, b ocispec.Descriptor) bool { + return a.Size == b.Size && a.Digest == b.Digest && a.MediaType == b.MediaType +} diff --git a/vendor/oras.land/oras-go/v2/content/graph.go b/vendor/oras.land/oras-go/v2/content/graph.go new file mode 100644 index 0000000000..9ae837285e --- /dev/null +++ b/vendor/oras.land/oras-go/v2/content/graph.go @@ -0,0 +1,122 @@ +/* +Copyright The ORAS Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package content + +import ( + "context" + "encoding/json" + + ocispec "github.com/opencontainers/image-spec/specs-go/v1" + "oras.land/oras-go/v2/internal/docker" + "oras.land/oras-go/v2/internal/spec" +) + +// PredecessorFinder finds out the nodes directly pointing to a given node of a +// directed acyclic graph. +// In other words, returns the "parents" of the current descriptor. +// PredecessorFinder is an extension of Storage. +type PredecessorFinder interface { + // Predecessors returns the nodes directly pointing to the current node. + Predecessors(ctx context.Context, node ocispec.Descriptor) ([]ocispec.Descriptor, error) +} + +// GraphStorage represents a CAS that supports direct predecessor node finding. +type GraphStorage interface { + Storage + PredecessorFinder +} + +// ReadOnlyGraphStorage represents a read-only GraphStorage. +type ReadOnlyGraphStorage interface { + ReadOnlyStorage + PredecessorFinder +} + +// Successors returns the nodes directly pointed by the current node. +// In other words, returns the "children" of the current descriptor. +func Successors(ctx context.Context, fetcher Fetcher, node ocispec.Descriptor) ([]ocispec.Descriptor, error) { + switch node.MediaType { + case docker.MediaTypeManifest: + content, err := FetchAll(ctx, fetcher, node) + if err != nil { + return nil, err + } + // OCI manifest schema can be used to marshal docker manifest + var manifest ocispec.Manifest + if err := json.Unmarshal(content, &manifest); err != nil { + return nil, err + } + return append([]ocispec.Descriptor{manifest.Config}, manifest.Layers...), nil + case ocispec.MediaTypeImageManifest: + content, err := FetchAll(ctx, fetcher, node) + if err != nil { + return nil, err + } + var manifest ocispec.Manifest + if err := json.Unmarshal(content, &manifest); err != nil { + return nil, err + } + var nodes []ocispec.Descriptor + if manifest.Subject != nil { + nodes = append(nodes, *manifest.Subject) + } + nodes = append(nodes, manifest.Config) + return append(nodes, manifest.Layers...), nil + case docker.MediaTypeManifestList: + content, err := FetchAll(ctx, fetcher, node) + if err != nil { + return nil, err + } + + // OCI manifest index schema can be used to marshal docker manifest list + var index ocispec.Index + if err := json.Unmarshal(content, &index); err != nil { + return nil, err + } + return index.Manifests, nil + case ocispec.MediaTypeImageIndex: + content, err := FetchAll(ctx, fetcher, node) + if err != nil { + return nil, err + } + + var index ocispec.Index + if err := json.Unmarshal(content, &index); err != nil { + return nil, err + } + var nodes []ocispec.Descriptor + if index.Subject != nil { + nodes = append(nodes, *index.Subject) + } + return append(nodes, index.Manifests...), nil + case spec.MediaTypeArtifactManifest: + content, err := FetchAll(ctx, fetcher, node) + if err != nil { + return nil, err + } + + var manifest spec.Artifact + if err := json.Unmarshal(content, &manifest); err != nil { + return nil, err + } + var nodes []ocispec.Descriptor + if manifest.Subject != nil { + nodes = append(nodes, *manifest.Subject) + } + return append(nodes, manifest.Blobs...), nil + } + return nil, nil +} diff --git a/vendor/oras.land/oras-go/v2/content/limitedstorage.go b/vendor/oras.land/oras-go/v2/content/limitedstorage.go new file mode 100644 index 0000000000..9a6df2f82f --- /dev/null +++ b/vendor/oras.land/oras-go/v2/content/limitedstorage.go @@ -0,0 +1,50 @@ +/* +Copyright The ORAS Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package content + +import ( + "context" + "fmt" + "io" + + ocispec "github.com/opencontainers/image-spec/specs-go/v1" + "oras.land/oras-go/v2/errdef" +) + +// LimitedStorage represents a CAS with a push size limit. +type LimitedStorage struct { + Storage // underlying storage + PushLimit int64 // max size for push +} + +// Push pushes the content, matching the expected descriptor. +// The size of the content cannot exceed the push size limit. +func (ls *LimitedStorage) Push(ctx context.Context, expected ocispec.Descriptor, content io.Reader) error { + if expected.Size > ls.PushLimit { + return fmt.Errorf( + "content size %v exceeds push size limit %v: %w", + expected.Size, + ls.PushLimit, + errdef.ErrSizeExceedsLimit) + } + + return ls.Storage.Push(ctx, expected, io.LimitReader(content, expected.Size)) +} + +// LimitStorage returns a storage with a push size limit. +func LimitStorage(s Storage, n int64) *LimitedStorage { + return &LimitedStorage{s, n} +} diff --git a/vendor/oras.land/oras-go/v2/content/memory/memory.go b/vendor/oras.land/oras-go/v2/content/memory/memory.go new file mode 100644 index 0000000000..f4e6c1d963 --- /dev/null +++ b/vendor/oras.land/oras-go/v2/content/memory/memory.go @@ -0,0 +1,96 @@ +/* +Copyright The ORAS Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Package memory provides implementation of a memory backed content store. +package memory + +import ( + "context" + "fmt" + "io" + + ocispec "github.com/opencontainers/image-spec/specs-go/v1" + "oras.land/oras-go/v2/content" + "oras.land/oras-go/v2/errdef" + "oras.land/oras-go/v2/internal/cas" + "oras.land/oras-go/v2/internal/graph" + "oras.land/oras-go/v2/internal/resolver" +) + +// Store represents a memory based store, which implements `oras.Target`. +type Store struct { + storage content.Storage + resolver content.TagResolver + graph *graph.Memory +} + +// New creates a new memory based store. +func New() *Store { + return &Store{ + storage: cas.NewMemory(), + resolver: resolver.NewMemory(), + graph: graph.NewMemory(), + } +} + +// Fetch fetches the content identified by the descriptor. +func (s *Store) Fetch(ctx context.Context, target ocispec.Descriptor) (io.ReadCloser, error) { + return s.storage.Fetch(ctx, target) +} + +// Push pushes the content, matching the expected descriptor. +func (s *Store) Push(ctx context.Context, expected ocispec.Descriptor, reader io.Reader) error { + if err := s.storage.Push(ctx, expected, reader); err != nil { + return err + } + + // index predecessors. + // there is no data consistency issue as long as deletion is not implemented + // for the memory store. + return s.graph.Index(ctx, s.storage, expected) +} + +// Exists returns true if the described content exists. +func (s *Store) Exists(ctx context.Context, target ocispec.Descriptor) (bool, error) { + return s.storage.Exists(ctx, target) +} + +// Resolve resolves a reference to a descriptor. +func (s *Store) Resolve(ctx context.Context, reference string) (ocispec.Descriptor, error) { + return s.resolver.Resolve(ctx, reference) +} + +// Tag tags a descriptor with a reference string. +// Returns ErrNotFound if the tagged content does not exist. +func (s *Store) Tag(ctx context.Context, desc ocispec.Descriptor, reference string) error { + exists, err := s.storage.Exists(ctx, desc) + if err != nil { + return err + } + if !exists { + return fmt.Errorf("%s: %s: %w", desc.Digest, desc.MediaType, errdef.ErrNotFound) + } + return s.resolver.Tag(ctx, desc, reference) +} + +// Predecessors returns the nodes directly pointing to the current node. +// Predecessors returns nil without error if the node does not exists in the +// store. +// Like other operations, calling Predecessors() is go-routine safe. However, +// it does not necessarily correspond to any consistent snapshot of the stored +// contents. +func (s *Store) Predecessors(ctx context.Context, node ocispec.Descriptor) ([]ocispec.Descriptor, error) { + return s.graph.Predecessors(ctx, node) +} diff --git a/vendor/oras.land/oras-go/v2/content/reader.go b/vendor/oras.land/oras-go/v2/content/reader.go new file mode 100644 index 0000000000..37bab5e1b2 --- /dev/null +++ b/vendor/oras.land/oras-go/v2/content/reader.go @@ -0,0 +1,149 @@ +/* +Copyright The ORAS Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package content + +import ( + "errors" + "fmt" + "io" + + "github.com/opencontainers/go-digest" + ocispec "github.com/opencontainers/image-spec/specs-go/v1" +) + +var ( + // ErrInvalidDescriptorSize is returned by ReadAll() when + // the descriptor has an invalid size. + ErrInvalidDescriptorSize = errors.New("invalid descriptor size") + + // ErrMismatchedDigest is returned by ReadAll() when + // the descriptor has an invalid digest. + ErrMismatchedDigest = errors.New("mismatched digest") + + // ErrTrailingData is returned by ReadAll() when + // there exists trailing data unread when the read terminates. + ErrTrailingData = errors.New("trailing data") +) + +var ( + // errEarlyVerify is returned by VerifyReader.Verify() when + // Verify() is called before completing reading the entire content blob. + errEarlyVerify = errors.New("early verify") +) + +// VerifyReader reads the content described by its descriptor and verifies +// against its size and digest. +type VerifyReader struct { + base *io.LimitedReader + verifier digest.Verifier + verified bool + err error +} + +// Read reads up to len(p) bytes into p. It returns the number of bytes +// read (0 <= n <= len(p)) and any error encountered. +func (vr *VerifyReader) Read(p []byte) (n int, err error) { + if vr.err != nil { + return 0, vr.err + } + + n, err = vr.base.Read(p) + if err != nil { + if err == io.EOF && vr.base.N > 0 { + err = io.ErrUnexpectedEOF + } + vr.err = err + } + return +} + +// Verify checks for remaining unread content and verifies the read content against the digest +func (vr *VerifyReader) Verify() error { + if vr.verified { + return nil + } + if vr.err == nil { + if vr.base.N > 0 { + return errEarlyVerify + } + } else if vr.err != io.EOF { + return vr.err + } + + if err := ensureEOF(vr.base.R); err != nil { + vr.err = err + return vr.err + } + if !vr.verifier.Verified() { + vr.err = ErrMismatchedDigest + return vr.err + } + + vr.verified = true + vr.err = io.EOF + return nil +} + +// NewVerifyReader wraps r for reading content with verification against desc. +func NewVerifyReader(r io.Reader, desc ocispec.Descriptor) *VerifyReader { + if err := desc.Digest.Validate(); err != nil { + return &VerifyReader{ + err: fmt.Errorf("failed to validate %s: %w", desc.Digest, err), + } + } + verifier := desc.Digest.Verifier() + lr := &io.LimitedReader{ + R: io.TeeReader(r, verifier), + N: desc.Size, + } + return &VerifyReader{ + base: lr, + verifier: verifier, + } +} + +// ReadAll safely reads the content described by the descriptor. +// The read content is verified against the size and the digest +// using a VerifyReader. +func ReadAll(r io.Reader, desc ocispec.Descriptor) ([]byte, error) { + if desc.Size < 0 { + return nil, ErrInvalidDescriptorSize + } + buf := make([]byte, desc.Size) + + vr := NewVerifyReader(r, desc) + if n, err := io.ReadFull(vr, buf); err != nil { + if errors.Is(err, io.ErrUnexpectedEOF) { + return nil, fmt.Errorf("read failed: expected content size of %d, got %d, for digest %s: %w", desc.Size, n, desc.Digest.String(), err) + } + return nil, fmt.Errorf("read failed: %w", err) + } + if err := vr.Verify(); err != nil { + return nil, err + } + return buf, nil +} + +// ensureEOF ensures the read operation ends with an EOF and no +// trailing data is present. +func ensureEOF(r io.Reader) error { + var peek [1]byte + _, err := io.ReadFull(r, peek[:]) + if err != io.EOF { + return ErrTrailingData + } + return nil +} diff --git a/vendor/oras.land/oras-go/v2/content/resolver.go b/vendor/oras.land/oras-go/v2/content/resolver.go new file mode 100644 index 0000000000..bc0fd8df9c --- /dev/null +++ b/vendor/oras.land/oras-go/v2/content/resolver.go @@ -0,0 +1,47 @@ +/* +Copyright The ORAS Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Package content provides implementations to access content stores. +package content + +import ( + "context" + + ocispec "github.com/opencontainers/image-spec/specs-go/v1" +) + +// Resolver resolves reference tags. +type Resolver interface { + // Resolve resolves a reference to a descriptor. + Resolve(ctx context.Context, reference string) (ocispec.Descriptor, error) +} + +// Tagger tags reference tags. +type Tagger interface { + // Tag tags a descriptor with a reference string. + Tag(ctx context.Context, desc ocispec.Descriptor, reference string) error +} + +// TagResolver provides reference tag indexing services. +type TagResolver interface { + Tagger + Resolver +} + +// Untagger untags reference tags. +type Untagger interface { + // Untag untags the given reference string. + Untag(ctx context.Context, reference string) error +} diff --git a/vendor/oras.land/oras-go/v2/content/storage.go b/vendor/oras.land/oras-go/v2/content/storage.go new file mode 100644 index 0000000000..47c95d8769 --- /dev/null +++ b/vendor/oras.land/oras-go/v2/content/storage.go @@ -0,0 +1,80 @@ +/* +Copyright The ORAS Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package content + +import ( + "context" + "io" + + ocispec "github.com/opencontainers/image-spec/specs-go/v1" +) + +// Fetcher fetches content. +type Fetcher interface { + // Fetch fetches the content identified by the descriptor. + Fetch(ctx context.Context, target ocispec.Descriptor) (io.ReadCloser, error) +} + +// Pusher pushes content. +type Pusher interface { + // Push pushes the content, matching the expected descriptor. + // Reader is preferred to Writer so that the suitable buffer size can be + // chosen by the underlying implementation. Furthermore, the implementation + // can also do reflection on the Reader for more advanced I/O optimization. + Push(ctx context.Context, expected ocispec.Descriptor, content io.Reader) error +} + +// Storage represents a content-addressable storage (CAS) where contents are +// accessed via Descriptors. +// The storage is designed to handle blobs of large sizes. +type Storage interface { + ReadOnlyStorage + Pusher +} + +// ReadOnlyStorage represents a read-only Storage. +type ReadOnlyStorage interface { + Fetcher + + // Exists returns true if the described content exists. + Exists(ctx context.Context, target ocispec.Descriptor) (bool, error) +} + +// Deleter removes content. +// Deleter is an extension of Storage. +type Deleter interface { + // Delete removes the content identified by the descriptor. + Delete(ctx context.Context, target ocispec.Descriptor) error +} + +// FetchAll safely fetches the content described by the descriptor. +// The fetched content is verified against the size and the digest. +func FetchAll(ctx context.Context, fetcher Fetcher, desc ocispec.Descriptor) ([]byte, error) { + rc, err := fetcher.Fetch(ctx, desc) + if err != nil { + return nil, err + } + defer rc.Close() + return ReadAll(rc, desc) +} + +// FetcherFunc is the basic Fetch method defined in Fetcher. +type FetcherFunc func(ctx context.Context, target ocispec.Descriptor) (io.ReadCloser, error) + +// Fetch performs Fetch operation by the FetcherFunc. +func (fn FetcherFunc) Fetch(ctx context.Context, target ocispec.Descriptor) (io.ReadCloser, error) { + return fn(ctx, target) +} diff --git a/vendor/oras.land/oras-go/v2/copy.go b/vendor/oras.land/oras-go/v2/copy.go new file mode 100644 index 0000000000..2c61469401 --- /dev/null +++ b/vendor/oras.land/oras-go/v2/copy.go @@ -0,0 +1,533 @@ +/* +Copyright The ORAS Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package oras + +import ( + "context" + "errors" + "fmt" + "io" + + ocispec "github.com/opencontainers/image-spec/specs-go/v1" + "golang.org/x/sync/semaphore" + "oras.land/oras-go/v2/content" + "oras.land/oras-go/v2/errdef" + "oras.land/oras-go/v2/internal/cas" + "oras.land/oras-go/v2/internal/descriptor" + "oras.land/oras-go/v2/internal/platform" + "oras.land/oras-go/v2/internal/registryutil" + "oras.land/oras-go/v2/internal/status" + "oras.land/oras-go/v2/internal/syncutil" + "oras.land/oras-go/v2/registry" +) + +// defaultConcurrency is the default value of CopyGraphOptions.Concurrency. +const defaultConcurrency int = 3 // This value is consistent with dockerd and containerd. + +// SkipNode signals to stop copying a node. When returned from PreCopy the blob must exist in the target. +// This can be used to signal that a blob has been made available in the target repository by "Mount()" or some other technique. +var SkipNode = errors.New("skip node") + +// DefaultCopyOptions provides the default CopyOptions. +var DefaultCopyOptions CopyOptions = CopyOptions{ + CopyGraphOptions: DefaultCopyGraphOptions, +} + +// CopyOptions contains parameters for [oras.Copy]. +type CopyOptions struct { + CopyGraphOptions + // MapRoot maps the resolved root node to a desired root node for copy. + // When MapRoot is provided, the descriptor resolved from the source + // reference will be passed to MapRoot, and the mapped descriptor will be + // used as the root node for copy. + MapRoot func(ctx context.Context, src content.ReadOnlyStorage, root ocispec.Descriptor) (ocispec.Descriptor, error) +} + +// WithTargetPlatform configures opts.MapRoot to select the manifest whose +// platform matches the given platform. When MapRoot is provided, the platform +// selection will be applied on the mapped root node. +// - If the given platform is nil, no platform selection will be applied. +// - If the root node is a manifest, it will remain the same if platform +// matches, otherwise ErrNotFound will be returned. +// - If the root node is a manifest list, it will be mapped to the first +// matching manifest if exists, otherwise ErrNotFound will be returned. +// - Otherwise ErrUnsupported will be returned. +func (opts *CopyOptions) WithTargetPlatform(p *ocispec.Platform) { + if p == nil { + return + } + mapRoot := opts.MapRoot + opts.MapRoot = func(ctx context.Context, src content.ReadOnlyStorage, root ocispec.Descriptor) (desc ocispec.Descriptor, err error) { + if mapRoot != nil { + if root, err = mapRoot(ctx, src, root); err != nil { + return ocispec.Descriptor{}, err + } + } + return platform.SelectManifest(ctx, src, root, p) + } +} + +// defaultCopyMaxMetadataBytes is the default value of +// CopyGraphOptions.MaxMetadataBytes. +const defaultCopyMaxMetadataBytes int64 = 4 * 1024 * 1024 // 4 MiB + +// DefaultCopyGraphOptions provides the default CopyGraphOptions. +var DefaultCopyGraphOptions CopyGraphOptions + +// CopyGraphOptions contains parameters for [oras.CopyGraph]. +type CopyGraphOptions struct { + // Concurrency limits the maximum number of concurrent copy tasks. + // If less than or equal to 0, a default (currently 3) is used. + Concurrency int + // MaxMetadataBytes limits the maximum size of the metadata that can be + // cached in the memory. + // If less than or equal to 0, a default (currently 4 MiB) is used. + MaxMetadataBytes int64 + // PreCopy handles the current descriptor before it is copied. PreCopy can + // return a SkipNode to signal that desc should be skipped when it already + // exists in the target. + PreCopy func(ctx context.Context, desc ocispec.Descriptor) error + // PostCopy handles the current descriptor after it is copied. + PostCopy func(ctx context.Context, desc ocispec.Descriptor) error + // OnCopySkipped will be called when the sub-DAG rooted by the current node + // is skipped. + OnCopySkipped func(ctx context.Context, desc ocispec.Descriptor) error + // MountFrom returns the candidate repositories that desc may be mounted from. + // The OCI references will be tried in turn. If mounting fails on all of them, + // then it falls back to a copy. + MountFrom func(ctx context.Context, desc ocispec.Descriptor) ([]string, error) + // OnMounted will be invoked when desc is mounted. + OnMounted func(ctx context.Context, desc ocispec.Descriptor) error + // FindSuccessors finds the successors of the current node. + // fetcher provides cached access to the source storage, and is suitable + // for fetching non-leaf nodes like manifests. Since anything fetched from + // fetcher will be cached in the memory, it is recommended to use original + // source storage to fetch large blobs. + // If FindSuccessors is nil, content.Successors will be used. + FindSuccessors func(ctx context.Context, fetcher content.Fetcher, desc ocispec.Descriptor) ([]ocispec.Descriptor, error) +} + +// Copy copies a rooted directed acyclic graph (DAG), such as an artifact, +// from the source Target to the destination Target. +// +// The root node (e.g. a tagged manifest of the artifact) is identified by the +// source reference. +// The destination reference will be the same as the source reference if the +// destination reference is left blank. +// +// Returns the descriptor of the root node on successful copy. +func Copy(ctx context.Context, src ReadOnlyTarget, srcRef string, dst Target, dstRef string, opts CopyOptions) (ocispec.Descriptor, error) { + if src == nil { + return ocispec.Descriptor{}, newCopyError("Copy", CopyErrorOriginSource, errors.New("nil source target")) + } + if dst == nil { + return ocispec.Descriptor{}, newCopyError("Copy", CopyErrorOriginDestination, errors.New("nil destination target")) + } + if dstRef == "" { + dstRef = srcRef + } + + // use caching proxy on non-leaf nodes + if opts.MaxMetadataBytes <= 0 { + opts.MaxMetadataBytes = defaultCopyMaxMetadataBytes + } + proxy := cas.NewProxyWithLimit(src, cas.NewMemory(), opts.MaxMetadataBytes) + root, err := resolveRoot(ctx, src, srcRef, proxy) + if err != nil { + return ocispec.Descriptor{}, err + } + + if opts.MapRoot != nil { + proxy.StopCaching = true + root, err = opts.MapRoot(ctx, proxy, root) + if err != nil { + return ocispec.Descriptor{}, newCopyError("MapRoot", CopyErrorOriginSource, err) + } + proxy.StopCaching = false + } + + if err := prepareCopy(ctx, dst, dstRef, proxy, root, &opts); err != nil { + return ocispec.Descriptor{}, err + } + + if err := copyGraph(ctx, src, dst, root, proxy, nil, nil, opts.CopyGraphOptions); err != nil { + return ocispec.Descriptor{}, err + } + + return root, nil +} + +// CopyGraph copies a rooted directed acyclic graph (DAG), such as an artifact, +// from the source CAS to the destination CAS. +// The root node (e.g. a manifest of the artifact) is identified by a descriptor. +func CopyGraph(ctx context.Context, src content.ReadOnlyStorage, dst content.Storage, root ocispec.Descriptor, opts CopyGraphOptions) error { + if src == nil { + return newCopyError("CopyGraph", CopyErrorOriginSource, errors.New("nil source target")) + } + if dst == nil { + return newCopyError("CopyGraph", CopyErrorOriginDestination, errors.New("nil destination target")) + } + return copyGraph(ctx, src, dst, root, nil, nil, nil, opts) +} + +// copyGraph copies a rooted directed acyclic graph (DAG) from the source CAS to +// the destination CAS with specified caching, concurrency limiter and tracker. +func copyGraph(ctx context.Context, src content.ReadOnlyStorage, dst content.Storage, root ocispec.Descriptor, + proxy *cas.Proxy, limiter *semaphore.Weighted, tracker *status.Tracker, opts CopyGraphOptions) error { + if proxy == nil { + // use caching proxy on non-leaf nodes + if opts.MaxMetadataBytes <= 0 { + opts.MaxMetadataBytes = defaultCopyMaxMetadataBytes + } + proxy = cas.NewProxyWithLimit(src, cas.NewMemory(), opts.MaxMetadataBytes) + } + if limiter == nil { + // if Concurrency is not set or invalid, use the default concurrency + if opts.Concurrency <= 0 { + opts.Concurrency = defaultConcurrency + } + limiter = semaphore.NewWeighted(int64(opts.Concurrency)) + } + if tracker == nil { + // track content status + tracker = status.NewTracker() + } + // if FindSuccessors is not provided, use the default one + if opts.FindSuccessors == nil { + opts.FindSuccessors = content.Successors + } + + // traverse the graph + var fn syncutil.GoFunc[ocispec.Descriptor] + fn = func(ctx context.Context, region *syncutil.LimitedRegion, desc ocispec.Descriptor) (err error) { + // skip the descriptor if other go routine is working on it + done, committed := tracker.TryCommit(desc) + if !committed { + return nil + } + defer func() { + if err == nil { + // mark the content as done on success + close(done) + } + }() + + // skip if a rooted sub-DAG exists + exists, err := dst.Exists(ctx, desc) + if err != nil { + return newCopyError("Exists", CopyErrorOriginDestination, err) + } + if exists { + if opts.OnCopySkipped != nil { + if err := opts.OnCopySkipped(ctx, desc); err != nil { + return err + } + } + return nil + } + + // find successors while non-leaf nodes will be fetched and cached + successors, err := opts.FindSuccessors(ctx, proxy, desc) + if err != nil { + return newCopyError("FindSuccessors", CopyErrorOriginSource, err) + } + successors = removeForeignLayers(successors) + + if len(successors) != 0 { + // for non-leaf nodes, process successors and wait for them to complete + region.End() + if err := syncutil.Go(ctx, limiter, fn, successors...); err != nil { + return err + } + for _, node := range successors { + done, committed := tracker.TryCommit(node) + if committed { + return fmt.Errorf("%s: %s: successor not committed", desc.Digest, node.Digest) + } + select { + case <-done: + case <-ctx.Done(): + return ctx.Err() + } + } + if err := region.Start(); err != nil { + return err + } + } + + exists, err = proxy.Cache.Exists(ctx, desc) + if err != nil { + return fmt.Errorf("failed to check cache existence: %s: %w", desc.Digest, err) + } + if exists { + return copyNode(ctx, proxy.Cache, dst, desc, opts) + } + return mountOrCopyNode(ctx, src, dst, desc, opts) + } + + return syncutil.Go(ctx, limiter, fn, root) +} + +// mountOrCopyNode tries to mount the node, if not falls back to copying. +func mountOrCopyNode(ctx context.Context, src content.ReadOnlyStorage, dst content.Storage, desc ocispec.Descriptor, opts CopyGraphOptions) error { + // Need MountFrom and it must be a blob + if opts.MountFrom == nil || descriptor.IsManifest(desc) { + return copyNode(ctx, src, dst, desc, opts) + } + + mounter, ok := dst.(registry.Mounter) + if !ok { + // mounting is not supported by the destination + return copyNode(ctx, src, dst, desc, opts) + } + + sourceRepositories, err := opts.MountFrom(ctx, desc) + if err != nil { + // Technically this error is not fatal, we can still attempt to copy the node + // But for consistency with the other callbacks we bail out. + return err + } + + if len(sourceRepositories) == 0 { + return copyNode(ctx, src, dst, desc, opts) + } + + skipSource := errors.New("skip source") + for i, sourceRepository := range sourceRepositories { + // try mounting this source repository + var mountFailed bool + getContent := func() (io.ReadCloser, error) { + // the invocation of getContent indicates that mounting has failed + mountFailed = true + + if i < len(sourceRepositories)-1 { + // If this is not the last one, skip this source and try next one + // We want to return an error that we will test for from mounter.Mount() + return nil, skipSource + } + // this is the last iteration so we need to actually get the content and do the copy + // but first call the PreCopy function + if opts.PreCopy != nil { + if err := opts.PreCopy(ctx, desc); err != nil { + return nil, err + } + } + return src.Fetch(ctx, desc) + } + + // Mount or copy + if err := mounter.Mount(ctx, desc, sourceRepository, getContent); err != nil && !errors.Is(err, skipSource) { + return newCopyError("Mount", CopyErrorOriginDestination, err) + } + + if !mountFailed { + // mounted, success + if opts.OnMounted != nil { + if err := opts.OnMounted(ctx, desc); err != nil { + return err + } + } + return nil + } + } + + // we copied it + if opts.PostCopy != nil { + if err := opts.PostCopy(ctx, desc); err != nil { + return err + } + } + + return nil +} + +// doCopyNode copies a single content from the source CAS to the destination CAS. +func doCopyNode(ctx context.Context, src content.ReadOnlyStorage, dst content.Storage, desc ocispec.Descriptor) error { + rc, err := src.Fetch(ctx, desc) + if err != nil { + return newCopyError("Fetch", CopyErrorOriginSource, err) + } + defer rc.Close() + err = dst.Push(ctx, desc, rc) + if err != nil && !errors.Is(err, errdef.ErrAlreadyExists) { + return newCopyError("Push", CopyErrorOriginDestination, err) + } + return nil +} + +// copyNode copies a single content from the source CAS to the destination CAS, +// and apply the given options. +func copyNode(ctx context.Context, src content.ReadOnlyStorage, dst content.Storage, desc ocispec.Descriptor, opts CopyGraphOptions) error { + if opts.PreCopy != nil { + if err := opts.PreCopy(ctx, desc); err != nil { + if err == SkipNode { + return nil + } + return err + } + } + + if err := doCopyNode(ctx, src, dst, desc); err != nil { + return err + } + + if opts.PostCopy != nil { + return opts.PostCopy(ctx, desc) + } + return nil +} + +// copyCachedNodeWithReference copies a single content with a reference from the +// source cache to the destination ReferencePusher. +func copyCachedNodeWithReference(ctx context.Context, src *cas.Proxy, dst registry.ReferencePusher, desc ocispec.Descriptor, dstRef string) error { + rc, err := src.FetchCached(ctx, desc) + if err != nil { + return newCopyError("Fetch", CopyErrorOriginSource, err) + } + defer rc.Close() + + err = dst.PushReference(ctx, desc, rc, dstRef) + if err != nil && !errors.Is(err, errdef.ErrAlreadyExists) { + return newCopyError("PushReference", CopyErrorOriginDestination, err) + } + return nil +} + +// resolveRoot resolves the source reference to the root node. +func resolveRoot(ctx context.Context, src ReadOnlyTarget, srcRef string, proxy *cas.Proxy) (ocispec.Descriptor, error) { + refFetcher, ok := src.(registry.ReferenceFetcher) + if !ok { + desc, err := src.Resolve(ctx, srcRef) + if err != nil { + return ocispec.Descriptor{}, newCopyError("Resolve", CopyErrorOriginSource, err) + } + return desc, nil + } + + // optimize performance for ReferenceFetcher targets + refProxy := ®istryutil.Proxy{ + ReferenceFetcher: refFetcher, + Proxy: proxy, + } + root, rc, err := refProxy.FetchReference(ctx, srcRef) + if err != nil { + return ocispec.Descriptor{}, newCopyError("FetchReference", CopyErrorOriginSource, err) + } + defer rc.Close() + // cache root if it is a non-leaf node + fetcher := content.FetcherFunc(func(ctx context.Context, target ocispec.Descriptor) (io.ReadCloser, error) { + if content.Equal(target, root) { + return rc, nil + } + return nil, errors.New("fetching only root node expected") + }) + if _, err = content.Successors(ctx, fetcher, root); err != nil { + return ocispec.Descriptor{}, newCopyError("Successors", CopyErrorOriginSource, err) + } + + // TODO: optimize special case where root is a leaf node (i.e. a blob) + // and dst is a ReferencePusher. + return root, nil +} + +// prepareCopy prepares the hooks for copy. +func prepareCopy(_ context.Context, dst Target, dstRef string, proxy *cas.Proxy, root ocispec.Descriptor, opts *CopyOptions) error { + if refPusher, ok := dst.(registry.ReferencePusher); ok { + // optimize performance for ReferencePusher targets + preCopy := opts.PreCopy + opts.PreCopy = func(ctx context.Context, desc ocispec.Descriptor) error { + if preCopy != nil { + if err := preCopy(ctx, desc); err != nil { + return err + } + } + if !content.Equal(desc, root) { + // for non-root node, do nothing + return nil + } + + // for root node, prepare optimized copy + if err := copyCachedNodeWithReference(ctx, proxy, refPusher, desc, dstRef); err != nil { + return err + } + if opts.PostCopy != nil { + if err := opts.PostCopy(ctx, desc); err != nil { + return err + } + } + // skip the regular copy workflow + return SkipNode + } + } else { + postCopy := opts.PostCopy + opts.PostCopy = func(ctx context.Context, desc ocispec.Descriptor) error { + if content.Equal(desc, root) { + // for root node, tag it after copying it + if err := dst.Tag(ctx, root, dstRef); err != nil { + return newCopyError("Tag", CopyErrorOriginDestination, err) + } + } + if postCopy != nil { + return postCopy(ctx, desc) + } + return nil + } + } + + onCopySkipped := opts.OnCopySkipped + opts.OnCopySkipped = func(ctx context.Context, desc ocispec.Descriptor) error { + if !content.Equal(desc, root) { + if onCopySkipped != nil { + return onCopySkipped(ctx, desc) + } + return nil + } + + // enforce tagging when the skipped node is root + if refPusher, ok := dst.(registry.ReferencePusher); ok { + // NOTE: refPusher tags the node by copying it with the reference, + // so onCopySkipped shouldn't be invoked in this case + return copyCachedNodeWithReference(ctx, proxy, refPusher, desc, dstRef) + } + + // invoke onCopySkipped before tagging + if onCopySkipped != nil { + if err := onCopySkipped(ctx, desc); err != nil { + return err + } + } + if err := dst.Tag(ctx, root, dstRef); err != nil { + return newCopyError("Tag", CopyErrorOriginDestination, err) + } + return nil + } + + return nil +} + +// removeForeignLayers in-place removes all foreign layers in the given slice. +func removeForeignLayers(descs []ocispec.Descriptor) []ocispec.Descriptor { + var j int + for i, desc := range descs { + if !descriptor.IsForeignLayer(desc) { + if i != j { + descs[j] = desc + } + j++ + } + } + return descs[:j] +} diff --git a/vendor/oras.land/oras-go/v2/copyerror.go b/vendor/oras.land/oras-go/v2/copyerror.go new file mode 100644 index 0000000000..03ed8e243f --- /dev/null +++ b/vendor/oras.land/oras-go/v2/copyerror.go @@ -0,0 +1,78 @@ +/* +Copyright The ORAS Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package oras + +import "fmt" + +// CopyErrorOrigin defines the source of a copy error. +type CopyErrorOrigin int + +const ( + // CopyErrorOriginSource indicates the error occurred at the source side. + CopyErrorOriginSource CopyErrorOrigin = 1 + + // CopyErrorOriginDestination indicates the error occurred at the destination side. + CopyErrorOriginDestination CopyErrorOrigin = 2 +) + +// String returns the string representation of the CopyErrorOrigin. +func (o CopyErrorOrigin) String() string { + switch o { + case CopyErrorOriginSource: + return "source" + case CopyErrorOriginDestination: + return "destination" + default: + return "unknown" + } +} + +// CopyError represents an error encountered during a copy operation. +type CopyError struct { + // Op is the operation that caused the error. + Op string + // Origin indicates the source of the error. + Origin CopyErrorOrigin + // Err is the underlying error. + Err error +} + +// newCopyError creates a new CopyError. +func newCopyError(op string, origin CopyErrorOrigin, err error) error { + if err == nil { + return nil + } + return &CopyError{ + Op: op, + Origin: origin, + Err: err, + } +} + +// Error implements the error interface for CopyError. +func (e *CopyError) Error() string { + switch e.Origin { + case CopyErrorOriginSource, CopyErrorOriginDestination: + return fmt.Sprintf("failed to perform %q on %s: %v", e.Op, e.Origin, e.Err) + default: + return fmt.Sprintf("failed to perform %q: %v", e.Op, e.Err) + } +} + +// Unwrap implements the errors.Unwrap interface for CopyError. +func (e *CopyError) Unwrap() error { + return e.Err +} diff --git a/vendor/oras.land/oras-go/v2/errdef/errors.go b/vendor/oras.land/oras-go/v2/errdef/errors.go new file mode 100644 index 0000000000..7adb44b173 --- /dev/null +++ b/vendor/oras.land/oras-go/v2/errdef/errors.go @@ -0,0 +1,31 @@ +/* +Copyright The ORAS Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package errdef + +import "errors" + +// Common errors used in ORAS +var ( + ErrAlreadyExists = errors.New("already exists") + ErrInvalidDigest = errors.New("invalid digest") + ErrInvalidReference = errors.New("invalid reference") + ErrInvalidMediaType = errors.New("invalid media type") + ErrMissingReference = errors.New("missing reference") + ErrNotFound = errors.New("not found") + ErrSizeExceedsLimit = errors.New("size exceeds limit") + ErrUnsupported = errors.New("unsupported") + ErrUnsupportedVersion = errors.New("unsupported version") +) diff --git a/vendor/oras.land/oras-go/v2/extendedcopy.go b/vendor/oras.land/oras-go/v2/extendedcopy.go new file mode 100644 index 0000000000..40f57832c8 --- /dev/null +++ b/vendor/oras.land/oras-go/v2/extendedcopy.go @@ -0,0 +1,404 @@ +/* +Copyright The ORAS Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package oras + +import ( + "context" + "encoding/json" + "errors" + "regexp" + + ocispec "github.com/opencontainers/image-spec/specs-go/v1" + "golang.org/x/sync/semaphore" + "oras.land/oras-go/v2/content" + "oras.land/oras-go/v2/internal/cas" + "oras.land/oras-go/v2/internal/container/set" + "oras.land/oras-go/v2/internal/copyutil" + "oras.land/oras-go/v2/internal/descriptor" + "oras.land/oras-go/v2/internal/docker" + "oras.land/oras-go/v2/internal/spec" + "oras.land/oras-go/v2/internal/status" + "oras.land/oras-go/v2/internal/syncutil" + "oras.land/oras-go/v2/registry" +) + +// DefaultExtendedCopyOptions provides the default ExtendedCopyOptions. +var DefaultExtendedCopyOptions ExtendedCopyOptions = ExtendedCopyOptions{ + ExtendedCopyGraphOptions: DefaultExtendedCopyGraphOptions, +} + +// ExtendedCopyOptions contains parameters for [oras.ExtendedCopy]. +type ExtendedCopyOptions struct { + ExtendedCopyGraphOptions +} + +// DefaultExtendedCopyGraphOptions provides the default ExtendedCopyGraphOptions. +var DefaultExtendedCopyGraphOptions ExtendedCopyGraphOptions = ExtendedCopyGraphOptions{ + CopyGraphOptions: DefaultCopyGraphOptions, +} + +// ExtendedCopyGraphOptions contains parameters for [oras.ExtendedCopyGraph]. +type ExtendedCopyGraphOptions struct { + CopyGraphOptions + // Depth limits the maximum depth of the directed acyclic graph (DAG) that + // will be extended-copied. + // If Depth is no specified, or the specified value is less than or + // equal to 0, the depth limit will be considered as infinity. + Depth int + // FindPredecessors finds the predecessors of the current node. + // If FindPredecessors is nil, src.Predecessors will be adapted and used. + FindPredecessors func(ctx context.Context, src content.ReadOnlyGraphStorage, desc ocispec.Descriptor) ([]ocispec.Descriptor, error) +} + +// ExtendedCopy copies the directed acyclic graph (DAG) that are reachable from +// the given tagged node from the source GraphTarget to the destination Target. +// In other words, it copies a tagged artifact along with its referrers or +// other predecessor manifests referencing it. +// +// The tagged node (e.g. a tagged manifest of the artifact) is identified by the +// source reference. +// The destination reference will be the same as the source reference if the +// destination reference is left blank. +// +// Returns the descriptor of the tagged node on successful copy. +func ExtendedCopy(ctx context.Context, src ReadOnlyGraphTarget, srcRef string, dst Target, dstRef string, opts ExtendedCopyOptions) (ocispec.Descriptor, error) { + if src == nil { + return ocispec.Descriptor{}, newCopyError("ExtendedCopy", CopyErrorOriginSource, errors.New("nil source target")) + } + if dst == nil { + return ocispec.Descriptor{}, newCopyError("ExtendedCopy", CopyErrorOriginDestination, errors.New("nil destination target")) + } + if dstRef == "" { + dstRef = srcRef + } + + node, err := src.Resolve(ctx, srcRef) + if err != nil { + return ocispec.Descriptor{}, newCopyError("Resolve", CopyErrorOriginSource, err) + } + + if err := ExtendedCopyGraph(ctx, src, dst, node, opts.ExtendedCopyGraphOptions); err != nil { + return ocispec.Descriptor{}, err + } + + if err := dst.Tag(ctx, node, dstRef); err != nil { + return ocispec.Descriptor{}, newCopyError("Tag", CopyErrorOriginDestination, err) + } + + return node, nil +} + +// ExtendedCopyGraph copies the directed acyclic graph (DAG) that are reachable +// from the given node from the source GraphStorage to the destination Storage. +// In other words, it copies an artifact along with its referrers or other +// predecessor manifests referencing it. +// The node (e.g. a manifest of the artifact) is identified by a descriptor. +func ExtendedCopyGraph(ctx context.Context, src content.ReadOnlyGraphStorage, dst content.Storage, node ocispec.Descriptor, opts ExtendedCopyGraphOptions) error { + if src == nil { + return newCopyError("ExtendedCopyGraph", CopyErrorOriginSource, errors.New("nil source target")) + } + if dst == nil { + return newCopyError("ExtendedCopyGraph", CopyErrorOriginDestination, errors.New("nil destination target")) + } + + roots, err := findRoots(ctx, src, node, opts) + if err != nil { + return err + } + + // if Concurrency is not set or invalid, use the default concurrency + if opts.Concurrency <= 0 { + opts.Concurrency = defaultConcurrency + } + limiter := semaphore.NewWeighted(int64(opts.Concurrency)) + // use caching proxy on non-leaf nodes + if opts.MaxMetadataBytes <= 0 { + opts.MaxMetadataBytes = defaultCopyMaxMetadataBytes + } + proxy := cas.NewProxyWithLimit(src, cas.NewMemory(), opts.MaxMetadataBytes) + // track content status + tracker := status.NewTracker() + + // copy the sub-DAGs rooted by the root nodes + return syncutil.Go(ctx, limiter, func(ctx context.Context, region *syncutil.LimitedRegion, root ocispec.Descriptor) error { + // As a root can be a predecessor of other roots, release the limit here + // for dispatching, to avoid dead locks where predecessor roots are + // handled first and are waiting for its successors to complete. + region.End() + if err := copyGraph(ctx, src, dst, root, proxy, limiter, tracker, opts.CopyGraphOptions); err != nil { + return err + } + return region.Start() + }, roots...) +} + +// findRoots finds the root nodes reachable from the given node through a +// depth-first search. +func findRoots(ctx context.Context, storage content.ReadOnlyGraphStorage, node ocispec.Descriptor, opts ExtendedCopyGraphOptions) ([]ocispec.Descriptor, error) { + visited := set.New[descriptor.Descriptor]() + rootMap := make(map[descriptor.Descriptor]ocispec.Descriptor) + addRoot := func(key descriptor.Descriptor, val ocispec.Descriptor) { + if _, exists := rootMap[key]; !exists { + rootMap[key] = val + } + } + + // if FindPredecessors is not provided, use the default one + if opts.FindPredecessors == nil { + opts.FindPredecessors = func(ctx context.Context, src content.ReadOnlyGraphStorage, desc ocispec.Descriptor) ([]ocispec.Descriptor, error) { + return src.Predecessors(ctx, desc) + } + } + + var stack copyutil.Stack + // push the initial node to the stack, set the depth to 0 + stack.Push(copyutil.NodeInfo{Node: node, Depth: 0}) + for { + current, ok := stack.Pop() + if !ok { + // empty stack + break + } + currentNode := current.Node + currentKey := descriptor.FromOCI(currentNode) + + if visited.Contains(currentKey) { + // skip the current node if it has been visited + continue + } + visited.Add(currentKey) + + // stop finding predecessors if the target depth is reached + if opts.Depth > 0 && current.Depth == opts.Depth { + addRoot(currentKey, currentNode) + continue + } + + predecessors, err := opts.FindPredecessors(ctx, storage, currentNode) + if err != nil { + return nil, newCopyError("FindPredecessors", CopyErrorOriginSource, err) + } + + // The current node has no predecessor node, + // which means it is a root node of a sub-DAG. + if len(predecessors) == 0 { + addRoot(currentKey, currentNode) + continue + } + + // The current node has predecessor nodes, which means it is NOT a root node. + // Push the predecessor nodes to the stack and keep finding from there. + for _, predecessor := range predecessors { + predecessorKey := descriptor.FromOCI(predecessor) + if !visited.Contains(predecessorKey) { + // push the predecessor node with increased depth + stack.Push(copyutil.NodeInfo{Node: predecessor, Depth: current.Depth + 1}) + } + } + } + + roots := make([]ocispec.Descriptor, 0, len(rootMap)) + for _, root := range rootMap { + roots = append(roots, root) + } + return roots, nil +} + +// FilterAnnotation configures opts.FindPredecessors to filter the predecessors +// whose annotation matches a given regex pattern. +// +// A predecessor is kept if key is in its annotations and the annotation value +// matches regex. +// If regex is nil, predecessors whose annotations contain key will be kept, +// no matter of the annotation value. +// +// For performance consideration, when using both FilterArtifactType and +// FilterAnnotation, it's recommended to call FilterArtifactType first. +func (opts *ExtendedCopyGraphOptions) FilterAnnotation(key string, regex *regexp.Regexp) { + keep := func(desc ocispec.Descriptor) bool { + value, ok := desc.Annotations[key] + return ok && (regex == nil || regex.MatchString(value)) + } + + fp := opts.FindPredecessors + opts.FindPredecessors = func(ctx context.Context, src content.ReadOnlyGraphStorage, desc ocispec.Descriptor) ([]ocispec.Descriptor, error) { + var predecessors []ocispec.Descriptor + var err error + if fp == nil { + if rf, ok := src.(registry.ReferrerLister); ok { + // if src is a ReferrerLister, use Referrers() for possible memory saving + if err := rf.Referrers(ctx, desc, "", func(referrers []ocispec.Descriptor) error { + // for each page of the results, filter the referrers + for _, r := range referrers { + if keep(r) { + predecessors = append(predecessors, r) + } + } + return nil + }); err != nil { + return nil, err + } + return predecessors, nil + } + predecessors, err = src.Predecessors(ctx, desc) + } else { + predecessors, err = fp(ctx, src, desc) + } + if err != nil { + return nil, err + } + + // Predecessor descriptors that are not from Referrers API are not + // guaranteed to include the annotations of the corresponding manifests. + var kept []ocispec.Descriptor + for _, p := range predecessors { + if p.Annotations == nil { + // If the annotations are not present in the descriptors, + // fetch it from the manifest content. + switch p.MediaType { + case docker.MediaTypeManifest, ocispec.MediaTypeImageManifest, + docker.MediaTypeManifestList, ocispec.MediaTypeImageIndex, + spec.MediaTypeArtifactManifest: + annotations, err := fetchAnnotations(ctx, src, p) + if err != nil { + return nil, err + } + p.Annotations = annotations + } + } + if keep(p) { + kept = append(kept, p) + } + } + return kept, nil + } +} + +// fetchAnnotations fetches the annotations of the manifest described by desc. +func fetchAnnotations(ctx context.Context, src content.ReadOnlyGraphStorage, desc ocispec.Descriptor) (map[string]string, error) { + rc, err := src.Fetch(ctx, desc) + if err != nil { + return nil, err + } + defer rc.Close() + + var manifest struct { + Annotations map[string]string `json:"annotations"` + } + if err := json.NewDecoder(rc).Decode(&manifest); err != nil { + return nil, err + } + if manifest.Annotations == nil { + // to differentiate with nil + return make(map[string]string), nil + } + return manifest.Annotations, nil +} + +// FilterArtifactType configures opts.FindPredecessors to filter the +// predecessors whose artifact type matches a given regex pattern. +// +// A predecessor is kept if its artifact type matches regex. +// If regex is nil, all predecessors will be kept. +// +// For performance consideration, when using both FilterArtifactType and +// FilterAnnotation, it's recommended to call FilterArtifactType first. +func (opts *ExtendedCopyGraphOptions) FilterArtifactType(regex *regexp.Regexp) { + if regex == nil { + return + } + keep := func(desc ocispec.Descriptor) bool { + return regex.MatchString(desc.ArtifactType) + } + + fp := opts.FindPredecessors + opts.FindPredecessors = func(ctx context.Context, src content.ReadOnlyGraphStorage, desc ocispec.Descriptor) ([]ocispec.Descriptor, error) { + var predecessors []ocispec.Descriptor + var err error + if fp == nil { + if rf, ok := src.(registry.ReferrerLister); ok { + // if src is a ReferrerLister, use Referrers() for possible memory saving + if err := rf.Referrers(ctx, desc, "", func(referrers []ocispec.Descriptor) error { + // for each page of the results, filter the referrers + for _, r := range referrers { + if keep(r) { + predecessors = append(predecessors, r) + } + } + return nil + }); err != nil { + return nil, err + } + return predecessors, nil + } + predecessors, err = src.Predecessors(ctx, desc) + } else { + predecessors, err = fp(ctx, src, desc) + } + if err != nil { + return nil, err + } + + // predecessor descriptors that are not from Referrers API are not + // guaranteed to include the artifact type of the corresponding + // manifests. + var kept []ocispec.Descriptor + for _, p := range predecessors { + if p.ArtifactType == "" { + // if the artifact type is not present in the descriptors, + // fetch it from the manifest content. + switch p.MediaType { + case spec.MediaTypeArtifactManifest, ocispec.MediaTypeImageManifest: + artifactType, err := fetchArtifactType(ctx, src, p) + if err != nil { + return nil, err + } + p.ArtifactType = artifactType + } + } + if keep(p) { + kept = append(kept, p) + } + } + return kept, nil + } +} + +// fetchArtifactType fetches the artifact type of the manifest described by desc. +func fetchArtifactType(ctx context.Context, src content.ReadOnlyGraphStorage, desc ocispec.Descriptor) (string, error) { + rc, err := src.Fetch(ctx, desc) + if err != nil { + return "", err + } + defer rc.Close() + + switch desc.MediaType { + case spec.MediaTypeArtifactManifest: + var manifest spec.Artifact + if err := json.NewDecoder(rc).Decode(&manifest); err != nil { + return "", err + } + return manifest.ArtifactType, nil + case ocispec.MediaTypeImageManifest: + var manifest ocispec.Manifest + if err := json.NewDecoder(rc).Decode(&manifest); err != nil { + return "", err + } + return manifest.Config.MediaType, nil + default: + return "", nil + } +} diff --git a/vendor/oras.land/oras-go/v2/internal/cas/memory.go b/vendor/oras.land/oras-go/v2/internal/cas/memory.go new file mode 100644 index 0000000000..7e358e136c --- /dev/null +++ b/vendor/oras.land/oras-go/v2/internal/cas/memory.go @@ -0,0 +1,88 @@ +/* +Copyright The ORAS Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package cas + +import ( + "bytes" + "context" + "fmt" + "io" + "sync" + + ocispec "github.com/opencontainers/image-spec/specs-go/v1" + contentpkg "oras.land/oras-go/v2/content" + "oras.land/oras-go/v2/errdef" + "oras.land/oras-go/v2/internal/descriptor" +) + +// Memory is a memory based CAS. +type Memory struct { + content sync.Map // map[descriptor.Descriptor][]byte +} + +// NewMemory creates a new Memory CAS. +func NewMemory() *Memory { + return &Memory{} +} + +// Fetch fetches the content identified by the descriptor. +func (m *Memory) Fetch(_ context.Context, target ocispec.Descriptor) (io.ReadCloser, error) { + key := descriptor.FromOCI(target) + content, exists := m.content.Load(key) + if !exists { + return nil, fmt.Errorf("%s: %s: %w", key.Digest, key.MediaType, errdef.ErrNotFound) + } + return io.NopCloser(bytes.NewReader(content.([]byte))), nil +} + +// Push pushes the content, matching the expected descriptor. +func (m *Memory) Push(_ context.Context, expected ocispec.Descriptor, content io.Reader) error { + key := descriptor.FromOCI(expected) + + // check if the content exists in advance to avoid reading from the content. + if _, exists := m.content.Load(key); exists { + return fmt.Errorf("%s: %s: %w", key.Digest, key.MediaType, errdef.ErrAlreadyExists) + } + + // read and try to store the content. + value, err := contentpkg.ReadAll(content, expected) + if err != nil { + return err + } + if _, exists := m.content.LoadOrStore(key, value); exists { + return fmt.Errorf("%s: %s: %w", key.Digest, key.MediaType, errdef.ErrAlreadyExists) + } + return nil +} + +// Exists returns true if the described content exists. +func (m *Memory) Exists(_ context.Context, target ocispec.Descriptor) (bool, error) { + key := descriptor.FromOCI(target) + _, exists := m.content.Load(key) + return exists, nil +} + +// Map dumps the memory into a built-in map structure. +// Like other operations, calling Map() is go-routine safe. However, it does not +// necessarily correspond to any consistent snapshot of the storage contents. +func (m *Memory) Map() map[descriptor.Descriptor][]byte { + res := make(map[descriptor.Descriptor][]byte) + m.content.Range(func(key, value interface{}) bool { + res[key.(descriptor.Descriptor)] = value.([]byte) + return true + }) + return res +} diff --git a/vendor/oras.land/oras-go/v2/internal/cas/proxy.go b/vendor/oras.land/oras-go/v2/internal/cas/proxy.go new file mode 100644 index 0000000000..ada5f94e00 --- /dev/null +++ b/vendor/oras.land/oras-go/v2/internal/cas/proxy.go @@ -0,0 +1,125 @@ +/* +Copyright The ORAS Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package cas + +import ( + "context" + "io" + "sync" + + ocispec "github.com/opencontainers/image-spec/specs-go/v1" + "oras.land/oras-go/v2/content" + "oras.land/oras-go/v2/internal/ioutil" +) + +// Proxy is a caching proxy for the storage. +// The first fetch call of a described content will read from the remote and +// cache the fetched content. +// The subsequent fetch call will read from the local cache. +type Proxy struct { + content.ReadOnlyStorage + Cache content.Storage + StopCaching bool +} + +// NewProxy creates a proxy for the `base` storage, using the `cache` storage as +// the cache. +func NewProxy(base content.ReadOnlyStorage, cache content.Storage) *Proxy { + return &Proxy{ + ReadOnlyStorage: base, + Cache: cache, + } +} + +// NewProxyWithLimit creates a proxy for the `base` storage, using the `cache` +// storage with a push size limit as the cache. +func NewProxyWithLimit(base content.ReadOnlyStorage, cache content.Storage, pushLimit int64) *Proxy { + limitedCache := content.LimitStorage(cache, pushLimit) + return &Proxy{ + ReadOnlyStorage: base, + Cache: limitedCache, + } +} + +// Fetch fetches the content identified by the descriptor. +func (p *Proxy) Fetch(ctx context.Context, target ocispec.Descriptor) (io.ReadCloser, error) { + if p.StopCaching { + return p.FetchCached(ctx, target) + } + + rc, err := p.Cache.Fetch(ctx, target) + if err == nil { + return rc, nil + } + + rc, err = p.ReadOnlyStorage.Fetch(ctx, target) + if err != nil { + return nil, err + } + pr, pw := io.Pipe() + var wg sync.WaitGroup + wg.Add(1) + var pushErr error + go func() { + defer wg.Done() + pushErr = p.Cache.Push(ctx, target, pr) + if pushErr != nil { + pr.CloseWithError(pushErr) + } + }() + closer := ioutil.CloserFunc(func() error { + rcErr := rc.Close() + if err := pw.Close(); err != nil { + return err + } + wg.Wait() + if pushErr != nil { + return pushErr + } + return rcErr + }) + + return struct { + io.Reader + io.Closer + }{ + Reader: io.TeeReader(rc, pw), + Closer: closer, + }, nil +} + +// FetchCached fetches the content identified by the descriptor. +// If the content is not cached, it will be fetched from the remote without +// caching. +func (p *Proxy) FetchCached(ctx context.Context, target ocispec.Descriptor) (io.ReadCloser, error) { + exists, err := p.Cache.Exists(ctx, target) + if err != nil { + return nil, err + } + if exists { + return p.Cache.Fetch(ctx, target) + } + return p.ReadOnlyStorage.Fetch(ctx, target) +} + +// Exists returns true if the described content exists. +func (p *Proxy) Exists(ctx context.Context, target ocispec.Descriptor) (bool, error) { + exists, err := p.Cache.Exists(ctx, target) + if err == nil && exists { + return true, nil + } + return p.ReadOnlyStorage.Exists(ctx, target) +} diff --git a/vendor/oras.land/oras-go/v2/internal/container/set/set.go b/vendor/oras.land/oras-go/v2/internal/container/set/set.go new file mode 100644 index 0000000000..07c96d47d1 --- /dev/null +++ b/vendor/oras.land/oras-go/v2/internal/container/set/set.go @@ -0,0 +1,40 @@ +/* +Copyright The ORAS Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package set + +// Set represents a set data structure. +type Set[T comparable] map[T]struct{} + +// New returns an initialized set. +func New[T comparable]() Set[T] { + return make(Set[T]) +} + +// Add adds item into the set s. +func (s Set[T]) Add(item T) { + s[item] = struct{}{} +} + +// Contains returns true if the set s contains item. +func (s Set[T]) Contains(item T) bool { + _, ok := s[item] + return ok +} + +// Delete deletes an item from the set. +func (s Set[T]) Delete(item T) { + delete(s, item) +} diff --git a/vendor/oras.land/oras-go/v2/internal/copyutil/stack.go b/vendor/oras.land/oras-go/v2/internal/copyutil/stack.go new file mode 100644 index 0000000000..69412b0099 --- /dev/null +++ b/vendor/oras.land/oras-go/v2/internal/copyutil/stack.go @@ -0,0 +1,55 @@ +/* +Copyright The ORAS Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package copyutil + +import ( + ocispec "github.com/opencontainers/image-spec/specs-go/v1" +) + +// NodeInfo represents information of a node that is being visited in +// ExtendedCopy. +type NodeInfo struct { + // Node represents a node in the graph. + Node ocispec.Descriptor + // Depth represents the depth of the node in the graph. + Depth int +} + +// Stack represents a stack data structure that is used in ExtendedCopy for +// storing node information. +type Stack []NodeInfo + +// IsEmpty returns true if the stack is empty, otherwise returns false. +func (s *Stack) IsEmpty() bool { + return len(*s) == 0 +} + +// Push pushes an item to the stack. +func (s *Stack) Push(i NodeInfo) { + *s = append(*s, i) +} + +// Pop pops the top item out of the stack. +func (s *Stack) Pop() (NodeInfo, bool) { + if s.IsEmpty() { + return NodeInfo{}, false + } + + last := len(*s) - 1 + top := (*s)[last] + *s = (*s)[:last] + return top, true +} diff --git a/vendor/oras.land/oras-go/v2/internal/descriptor/descriptor.go b/vendor/oras.land/oras-go/v2/internal/descriptor/descriptor.go new file mode 100644 index 0000000000..b9b339c048 --- /dev/null +++ b/vendor/oras.land/oras-go/v2/internal/descriptor/descriptor.go @@ -0,0 +1,89 @@ +/* +Copyright The ORAS Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package descriptor + +import ( + "github.com/opencontainers/go-digest" + ocispec "github.com/opencontainers/image-spec/specs-go/v1" + "oras.land/oras-go/v2/internal/docker" + "oras.land/oras-go/v2/internal/spec" +) + +// DefaultMediaType is the media type used when no media type is specified. +const DefaultMediaType string = "application/octet-stream" + +// Descriptor contains the minimun information to describe the disposition of +// targeted content. +// Since it only has strings and integers, Descriptor is a comparable struct. +type Descriptor struct { + // MediaType is the media type of the object this schema refers to. + MediaType string `json:"mediaType,omitempty"` + + // Digest is the digest of the targeted content. + Digest digest.Digest `json:"digest"` + + // Size specifies the size in bytes of the blob. + Size int64 `json:"size"` +} + +// Empty is an empty descriptor +var Empty Descriptor + +// FromOCI shrinks the OCI descriptor to the minimum. +func FromOCI(desc ocispec.Descriptor) Descriptor { + return Descriptor{ + MediaType: desc.MediaType, + Digest: desc.Digest, + Size: desc.Size, + } +} + +// IsForeignLayer checks if a descriptor describes a foreign layer. +func IsForeignLayer(desc ocispec.Descriptor) bool { + switch desc.MediaType { + case ocispec.MediaTypeImageLayerNonDistributable, + ocispec.MediaTypeImageLayerNonDistributableGzip, + ocispec.MediaTypeImageLayerNonDistributableZstd, + docker.MediaTypeForeignLayer: + return true + default: + return false + } +} + +// IsManifest checks if a descriptor describes a manifest. +func IsManifest(desc ocispec.Descriptor) bool { + switch desc.MediaType { + case docker.MediaTypeManifest, + docker.MediaTypeManifestList, + ocispec.MediaTypeImageManifest, + ocispec.MediaTypeImageIndex, + spec.MediaTypeArtifactManifest: + return true + default: + return false + } +} + +// Plain returns a plain descriptor that contains only MediaType, Digest and +// Size. +func Plain(desc ocispec.Descriptor) ocispec.Descriptor { + return ocispec.Descriptor{ + MediaType: desc.MediaType, + Digest: desc.Digest, + Size: desc.Size, + } +} diff --git a/vendor/oras.land/oras-go/v2/internal/docker/mediatype.go b/vendor/oras.land/oras-go/v2/internal/docker/mediatype.go new file mode 100644 index 0000000000..76a4ba9ed9 --- /dev/null +++ b/vendor/oras.land/oras-go/v2/internal/docker/mediatype.go @@ -0,0 +1,24 @@ +/* +Copyright The ORAS Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package docker + +// docker media types +const ( + MediaTypeConfig = "application/vnd.docker.container.image.v1+json" + MediaTypeManifestList = "application/vnd.docker.distribution.manifest.list.v2+json" + MediaTypeManifest = "application/vnd.docker.distribution.manifest.v2+json" + MediaTypeForeignLayer = "application/vnd.docker.image.rootfs.foreign.diff.tar.gzip" +) diff --git a/vendor/oras.land/oras-go/v2/internal/graph/memory.go b/vendor/oras.land/oras-go/v2/internal/graph/memory.go new file mode 100644 index 0000000000..016e5f96a8 --- /dev/null +++ b/vendor/oras.land/oras-go/v2/internal/graph/memory.go @@ -0,0 +1,201 @@ +/* +Copyright The ORAS Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package graph + +import ( + "context" + "errors" + "sync" + + "github.com/opencontainers/go-digest" + ocispec "github.com/opencontainers/image-spec/specs-go/v1" + "oras.land/oras-go/v2/content" + "oras.land/oras-go/v2/errdef" + "oras.land/oras-go/v2/internal/container/set" + "oras.land/oras-go/v2/internal/descriptor" + "oras.land/oras-go/v2/internal/status" + "oras.land/oras-go/v2/internal/syncutil" +) + +// Memory is a memory based PredecessorFinder. +type Memory struct { + // nodes has the following properties and behaviors: + // 1. a node exists in Memory.nodes if and only if it exists in the memory + // 2. Memory.nodes saves the ocispec.Descriptor map keys, which are used by + // the other fields. + nodes map[descriptor.Descriptor]ocispec.Descriptor + + // predecessors has the following properties and behaviors: + // 1. a node exists in Memory.predecessors if it has at least one predecessor + // in the memory, regardless of whether or not the node itself exists in + // the memory. + // 2. a node does not exist in Memory.predecessors, if it doesn't have any predecessors + // in the memory. + predecessors map[descriptor.Descriptor]set.Set[descriptor.Descriptor] + + // successors has the following properties and behaviors: + // 1. a node exists in Memory.successors if and only if it exists in the memory. + // 2. a node's entry in Memory.successors is always consistent with the actual + // content of the node, regardless of whether or not each successor exists + // in the memory. + successors map[descriptor.Descriptor]set.Set[descriptor.Descriptor] + + lock sync.RWMutex +} + +// NewMemory creates a new memory PredecessorFinder. +func NewMemory() *Memory { + return &Memory{ + nodes: make(map[descriptor.Descriptor]ocispec.Descriptor), + predecessors: make(map[descriptor.Descriptor]set.Set[descriptor.Descriptor]), + successors: make(map[descriptor.Descriptor]set.Set[descriptor.Descriptor]), + } +} + +// Index indexes predecessors for each direct successor of the given node. +func (m *Memory) Index(ctx context.Context, fetcher content.Fetcher, node ocispec.Descriptor) error { + _, err := m.index(ctx, fetcher, node) + return err +} + +// Index indexes predecessors for all the successors of the given node. +func (m *Memory) IndexAll(ctx context.Context, fetcher content.Fetcher, node ocispec.Descriptor) error { + // track content status + tracker := status.NewTracker() + var fn syncutil.GoFunc[ocispec.Descriptor] + fn = func(ctx context.Context, region *syncutil.LimitedRegion, desc ocispec.Descriptor) error { + // skip the node if other go routine is working on it + _, committed := tracker.TryCommit(desc) + if !committed { + return nil + } + successors, err := m.index(ctx, fetcher, desc) + if err != nil { + if errors.Is(err, errdef.ErrNotFound) { + // skip the node if it does not exist + return nil + } + return err + } + if len(successors) > 0 { + // traverse and index successors + return syncutil.Go(ctx, nil, fn, successors...) + } + return nil + } + return syncutil.Go(ctx, nil, fn, node) +} + +// Predecessors returns the nodes directly pointing to the current node. +// Predecessors returns nil without error if the node does not exists in the +// store. Like other operations, calling Predecessors() is go-routine safe. +// However, it does not necessarily correspond to any consistent snapshot of +// the stored contents. +func (m *Memory) Predecessors(_ context.Context, node ocispec.Descriptor) ([]ocispec.Descriptor, error) { + m.lock.RLock() + defer m.lock.RUnlock() + + key := descriptor.FromOCI(node) + set, exists := m.predecessors[key] + if !exists { + return nil, nil + } + var res []ocispec.Descriptor + for k := range set { + res = append(res, m.nodes[k]) + } + return res, nil +} + +// Remove removes the node from its predecessors and successors, and returns the +// dangling root nodes caused by the deletion. +func (m *Memory) Remove(node ocispec.Descriptor) []ocispec.Descriptor { + m.lock.Lock() + defer m.lock.Unlock() + + nodeKey := descriptor.FromOCI(node) + var danglings []ocispec.Descriptor + // remove the node from its successors' predecessor list + for successorKey := range m.successors[nodeKey] { + predecessorEntry := m.predecessors[successorKey] + predecessorEntry.Delete(nodeKey) + + // if none of the predecessors of the node still exists, we remove the + // predecessors entry and return it as a dangling node. Otherwise, we do + // not remove the entry. + if len(predecessorEntry) == 0 { + delete(m.predecessors, successorKey) + if _, exists := m.nodes[successorKey]; exists { + danglings = append(danglings, m.nodes[successorKey]) + } + } + } + delete(m.successors, nodeKey) + delete(m.nodes, nodeKey) + return danglings +} + +// DigestSet returns the set of node digest in memory. +func (m *Memory) DigestSet() set.Set[digest.Digest] { + m.lock.RLock() + defer m.lock.RUnlock() + + s := set.New[digest.Digest]() + for desc := range m.nodes { + s.Add(desc.Digest) + } + return s +} + +// index indexes predecessors for each direct successor of the given node. +func (m *Memory) index(ctx context.Context, fetcher content.Fetcher, node ocispec.Descriptor) ([]ocispec.Descriptor, error) { + successors, err := content.Successors(ctx, fetcher, node) + if err != nil { + return nil, err + } + m.lock.Lock() + defer m.lock.Unlock() + + // index the node + nodeKey := descriptor.FromOCI(node) + m.nodes[nodeKey] = node + + // for each successor, put it into the node's successors list, and + // put node into the succeesor's predecessors list + successorSet := set.New[descriptor.Descriptor]() + m.successors[nodeKey] = successorSet + for _, successor := range successors { + successorKey := descriptor.FromOCI(successor) + successorSet.Add(successorKey) + predecessorSet, exists := m.predecessors[successorKey] + if !exists { + predecessorSet = set.New[descriptor.Descriptor]() + m.predecessors[successorKey] = predecessorSet + } + predecessorSet.Add(nodeKey) + } + return successors, nil +} + +// Exists checks if the node exists in the graph +func (m *Memory) Exists(node ocispec.Descriptor) bool { + m.lock.RLock() + defer m.lock.RUnlock() + + nodeKey := descriptor.FromOCI(node) + _, exists := m.nodes[nodeKey] + return exists +} diff --git a/vendor/oras.land/oras-go/v2/internal/httputil/seek.go b/vendor/oras.land/oras-go/v2/internal/httputil/seek.go new file mode 100644 index 0000000000..3fa14e2dd3 --- /dev/null +++ b/vendor/oras.land/oras-go/v2/internal/httputil/seek.go @@ -0,0 +1,116 @@ +/* +Copyright The ORAS Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package httputil + +import ( + "errors" + "fmt" + "io" + "net/http" +) + +// Client is an interface for a HTTP client. +// This interface is defined inside this package to prevent potential import +// loop. +type Client interface { + // Do sends an HTTP request and returns an HTTP response. + Do(*http.Request) (*http.Response, error) +} + +// readSeekCloser seeks http body by starting new connections. +type readSeekCloser struct { + client Client + req *http.Request + rc io.ReadCloser + size int64 + offset int64 + closed bool +} + +// NewReadSeekCloser returns a seeker to make the HTTP response seekable. +// Callers should ensure that the server supports Range request. +func NewReadSeekCloser(client Client, req *http.Request, respBody io.ReadCloser, size int64) io.ReadSeekCloser { + return &readSeekCloser{ + client: client, + req: req, + rc: respBody, + size: size, + } +} + +// Read reads the content body and counts offset. +func (rsc *readSeekCloser) Read(p []byte) (n int, err error) { + if rsc.closed { + return 0, errors.New("read: already closed") + } + n, err = rsc.rc.Read(p) + rsc.offset += int64(n) + return +} + +// Seek starts a new connection to the remote for reading if position changes. +func (rsc *readSeekCloser) Seek(offset int64, whence int) (int64, error) { + if rsc.closed { + return 0, errors.New("seek: already closed") + } + switch whence { + case io.SeekCurrent: + offset += rsc.offset + case io.SeekStart: + // no-op + case io.SeekEnd: + offset += rsc.size + default: + return 0, errors.New("seek: invalid whence") + } + if offset < 0 { + return 0, errors.New("seek: an attempt was made to move the pointer before the beginning of the content") + } + if offset == rsc.offset { + return offset, nil + } + if offset >= rsc.size { + rsc.rc.Close() + rsc.rc = http.NoBody + rsc.offset = offset + return offset, nil + } + + req := rsc.req.Clone(rsc.req.Context()) + req.Header.Set("Range", fmt.Sprintf("bytes=%d-%d", offset, rsc.size-1)) + resp, err := rsc.client.Do(req) + if err != nil { + return 0, fmt.Errorf("seek: %s %q: %w", req.Method, req.URL, err) + } + if resp.StatusCode != http.StatusPartialContent { + resp.Body.Close() + return 0, fmt.Errorf("seek: %s %q: unexpected status code %d", resp.Request.Method, resp.Request.URL, resp.StatusCode) + } + + rsc.rc.Close() + rsc.rc = resp.Body + rsc.offset = offset + return offset, nil +} + +// Close closes the content body. +func (rsc *readSeekCloser) Close() error { + if rsc.closed { + return nil + } + rsc.closed = true + return rsc.rc.Close() +} diff --git a/vendor/oras.land/oras-go/v2/internal/interfaces/registry.go b/vendor/oras.land/oras-go/v2/internal/interfaces/registry.go new file mode 100644 index 0000000000..05600148e6 --- /dev/null +++ b/vendor/oras.land/oras-go/v2/internal/interfaces/registry.go @@ -0,0 +1,24 @@ +/* +Copyright The ORAS Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package interfaces + +import "oras.land/oras-go/v2/registry" + +// ReferenceParser provides reference parsing. +type ReferenceParser interface { + // ParseReference parses a reference to a fully qualified reference. + ParseReference(reference string) (registry.Reference, error) +} diff --git a/vendor/oras.land/oras-go/v2/internal/ioutil/io.go b/vendor/oras.land/oras-go/v2/internal/ioutil/io.go new file mode 100644 index 0000000000..de41bda909 --- /dev/null +++ b/vendor/oras.land/oras-go/v2/internal/ioutil/io.go @@ -0,0 +1,66 @@ +/* +Copyright The ORAS Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package ioutil + +import ( + "fmt" + "io" + "reflect" + + ocispec "github.com/opencontainers/image-spec/specs-go/v1" + "oras.land/oras-go/v2/content" +) + +// CloserFunc is the basic Close method defined in io.Closer. +type CloserFunc func() error + +// Close performs close operation by the CloserFunc. +func (fn CloserFunc) Close() error { + return fn() +} + +// CopyBuffer copies from src to dst through the provided buffer +// until either EOF is reached on src, or an error occurs. +// The copied content is verified against the size and the digest. +func CopyBuffer(dst io.Writer, src io.Reader, buf []byte, desc ocispec.Descriptor) error { + // verify while copying + vr := content.NewVerifyReader(src, desc) + if _, err := io.CopyBuffer(dst, vr, buf); err != nil { + return fmt.Errorf("copy failed: %w", err) + } + return vr.Verify() +} + +// Types returned by `io.NopCloser()`. +var ( + nopCloserType = reflect.TypeOf(io.NopCloser(nil)) + nopCloserWriterToType = reflect.TypeOf(io.NopCloser(struct { + io.Reader + io.WriterTo + }{})) +) + +// UnwrapNopCloser unwraps the reader wrapped by `io.NopCloser()`. +// Similar implementation can be found in the built-in package `net/http`. +// Reference: https://github.com/golang/go/blob/go1.22.1/src/net/http/transfer.go#L1090-L1105 +func UnwrapNopCloser(r io.Reader) io.Reader { + switch reflect.TypeOf(r) { + case nopCloserType, nopCloserWriterToType: + return reflect.ValueOf(r).Field(0).Interface().(io.Reader) + default: + return r + } +} diff --git a/vendor/oras.land/oras-go/v2/internal/manifestutil/parser.go b/vendor/oras.land/oras-go/v2/internal/manifestutil/parser.go new file mode 100644 index 0000000000..89d556b8fe --- /dev/null +++ b/vendor/oras.land/oras-go/v2/internal/manifestutil/parser.go @@ -0,0 +1,84 @@ +/* +Copyright The ORAS Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package manifestutil + +import ( + "context" + "encoding/json" + + ocispec "github.com/opencontainers/image-spec/specs-go/v1" + "oras.land/oras-go/v2/content" + "oras.land/oras-go/v2/internal/docker" + "oras.land/oras-go/v2/internal/spec" +) + +// Config returns the config of desc, if present. +func Config(ctx context.Context, fetcher content.Fetcher, desc ocispec.Descriptor) (*ocispec.Descriptor, error) { + switch desc.MediaType { + case docker.MediaTypeManifest, ocispec.MediaTypeImageManifest: + content, err := content.FetchAll(ctx, fetcher, desc) + if err != nil { + return nil, err + } + // OCI manifest schema can be used to marshal docker manifest + var manifest ocispec.Manifest + if err := json.Unmarshal(content, &manifest); err != nil { + return nil, err + } + return &manifest.Config, nil + default: + return nil, nil + } +} + +// Manifest returns the manifests of desc, if present. +func Manifests(ctx context.Context, fetcher content.Fetcher, desc ocispec.Descriptor) ([]ocispec.Descriptor, error) { + switch desc.MediaType { + case docker.MediaTypeManifestList, ocispec.MediaTypeImageIndex: + content, err := content.FetchAll(ctx, fetcher, desc) + if err != nil { + return nil, err + } + // OCI manifest index schema can be used to marshal docker manifest list + var index ocispec.Index + if err := json.Unmarshal(content, &index); err != nil { + return nil, err + } + return index.Manifests, nil + default: + return nil, nil + } +} + +// Subject returns the subject of desc, if present. +func Subject(ctx context.Context, fetcher content.Fetcher, desc ocispec.Descriptor) (*ocispec.Descriptor, error) { + switch desc.MediaType { + case ocispec.MediaTypeImageManifest, ocispec.MediaTypeImageIndex, spec.MediaTypeArtifactManifest: + content, err := content.FetchAll(ctx, fetcher, desc) + if err != nil { + return nil, err + } + var manifest struct { + Subject *ocispec.Descriptor `json:"subject,omitempty"` + } + if err := json.Unmarshal(content, &manifest); err != nil { + return nil, err + } + return manifest.Subject, nil + default: + return nil, nil + } +} diff --git a/vendor/oras.land/oras-go/v2/internal/platform/platform.go b/vendor/oras.land/oras-go/v2/internal/platform/platform.go new file mode 100644 index 0000000000..60d000d14f --- /dev/null +++ b/vendor/oras.land/oras-go/v2/internal/platform/platform.go @@ -0,0 +1,145 @@ +/* +Copyright The ORAS Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package platform + +import ( + "context" + "encoding/json" + "fmt" + "io" + + ocispec "github.com/opencontainers/image-spec/specs-go/v1" + "oras.land/oras-go/v2/content" + "oras.land/oras-go/v2/errdef" + "oras.land/oras-go/v2/internal/docker" + "oras.land/oras-go/v2/internal/manifestutil" +) + +// Match checks whether the current platform matches the target platform. +// Match will return true if all of the following conditions are met. +// - Architecture and OS exactly match. +// - Variant and OSVersion exactly match if target platform provided. +// - OSFeatures of the target platform are the subsets of the OSFeatures +// array of the current platform. +// +// Note: Variant, OSVersion and OSFeatures are optional fields, will skip +// the comparison if the target platform does not provide specific value. +func Match(got *ocispec.Platform, want *ocispec.Platform) bool { + if got == nil && want == nil { + return true + } + + if got == nil || want == nil { + return false + } + + if got.Architecture != want.Architecture || got.OS != want.OS { + return false + } + + if want.OSVersion != "" && got.OSVersion != want.OSVersion { + return false + } + + if want.Variant != "" && got.Variant != want.Variant { + return false + } + + if len(want.OSFeatures) != 0 && !isSubset(want.OSFeatures, got.OSFeatures) { + return false + } + + return true +} + +// isSubset returns true if all items in slice A are present in slice B. +func isSubset(a, b []string) bool { + set := make(map[string]bool, len(b)) + for _, v := range b { + set[v] = true + } + for _, v := range a { + if _, ok := set[v]; !ok { + return false + } + } + + return true +} + +// SelectManifest implements platform filter and returns the descriptor of the +// first matched manifest if the root is a manifest list. If the root is a +// manifest, then return the root descriptor if platform matches. +func SelectManifest(ctx context.Context, src content.ReadOnlyStorage, root ocispec.Descriptor, p *ocispec.Platform) (ocispec.Descriptor, error) { + switch root.MediaType { + case docker.MediaTypeManifestList, ocispec.MediaTypeImageIndex: + manifests, err := manifestutil.Manifests(ctx, src, root) + if err != nil { + return ocispec.Descriptor{}, err + } + + // platform filter + for _, m := range manifests { + if Match(m.Platform, p) { + return m, nil + } + } + return ocispec.Descriptor{}, fmt.Errorf("%s: %w: no matching manifest was found in the manifest list", root.Digest, errdef.ErrNotFound) + case docker.MediaTypeManifest, ocispec.MediaTypeImageManifest: + // config will be non-nil for docker manifest and OCI image manifest + config, err := manifestutil.Config(ctx, src, root) + if err != nil { + return ocispec.Descriptor{}, err + } + + configMediaType := docker.MediaTypeConfig + if root.MediaType == ocispec.MediaTypeImageManifest { + configMediaType = ocispec.MediaTypeImageConfig + } + cfgPlatform, err := getPlatformFromConfig(ctx, src, *config, configMediaType) + if err != nil { + return ocispec.Descriptor{}, err + } + + if Match(cfgPlatform, p) { + return root, nil + } + return ocispec.Descriptor{}, fmt.Errorf("%s: %w: platform in manifest does not match target platform", root.Digest, errdef.ErrNotFound) + default: + return ocispec.Descriptor{}, fmt.Errorf("%s: %s: %w", root.Digest, root.MediaType, errdef.ErrUnsupported) + } +} + +// getPlatformFromConfig returns a platform object which is made up from the +// fields in config blob. +func getPlatformFromConfig(ctx context.Context, src content.ReadOnlyStorage, desc ocispec.Descriptor, targetConfigMediaType string) (*ocispec.Platform, error) { + if desc.MediaType != targetConfigMediaType { + return nil, fmt.Errorf("fail to recognize platform from unknown config %s: expect %s: %w", desc.MediaType, targetConfigMediaType, errdef.ErrUnsupported) + } + + rc, err := src.Fetch(ctx, desc) + if err != nil { + return nil, err + } + defer rc.Close() + + var platform ocispec.Platform + if err = json.NewDecoder(rc).Decode(&platform); err != nil && err != io.EOF { + return nil, err + } + + return &platform, nil +} diff --git a/vendor/oras.land/oras-go/v2/internal/registryutil/proxy.go b/vendor/oras.land/oras-go/v2/internal/registryutil/proxy.go new file mode 100644 index 0000000000..c238713e5f --- /dev/null +++ b/vendor/oras.land/oras-go/v2/internal/registryutil/proxy.go @@ -0,0 +1,102 @@ +/* +Copyright The ORAS Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package registryutil + +import ( + "context" + "io" + "sync" + + ocispec "github.com/opencontainers/image-spec/specs-go/v1" + "oras.land/oras-go/v2/content" + "oras.land/oras-go/v2/internal/cas" + "oras.land/oras-go/v2/internal/ioutil" + "oras.land/oras-go/v2/registry" +) + +// ReferenceStorage represents a CAS that supports registry.ReferenceFetcher. +type ReferenceStorage interface { + content.ReadOnlyStorage + registry.ReferenceFetcher +} + +// Proxy is a caching proxy dedicated for registry.ReferenceFetcher. +// The first fetch call of a described content will read from the remote and +// cache the fetched content. +// The subsequent fetch call will read from the local cache. +type Proxy struct { + registry.ReferenceFetcher + *cas.Proxy +} + +// NewProxy creates a proxy for the `base` ReferenceStorage, using the `cache` +// storage as the cache. +func NewProxy(base ReferenceStorage, cache content.Storage) *Proxy { + return &Proxy{ + ReferenceFetcher: base, + Proxy: cas.NewProxy(base, cache), + } +} + +// FetchReference fetches the content identified by the reference from the +// remote and cache the fetched content. +func (p *Proxy) FetchReference(ctx context.Context, reference string) (ocispec.Descriptor, io.ReadCloser, error) { + target, rc, err := p.ReferenceFetcher.FetchReference(ctx, reference) + if err != nil { + return ocispec.Descriptor{}, nil, err + } + + // skip caching if the content already exists in cache + exists, err := p.Cache.Exists(ctx, target) + if err != nil { + return ocispec.Descriptor{}, nil, err + } + if exists { + return target, rc, nil + } + + // cache content while reading + pr, pw := io.Pipe() + var wg sync.WaitGroup + wg.Add(1) + var pushErr error + go func() { + defer wg.Done() + pushErr = p.Cache.Push(ctx, target, pr) + if pushErr != nil { + pr.CloseWithError(pushErr) + } + }() + closer := ioutil.CloserFunc(func() error { + rcErr := rc.Close() + if err := pw.Close(); err != nil { + return err + } + wg.Wait() + if pushErr != nil { + return pushErr + } + return rcErr + }) + + return target, struct { + io.Reader + io.Closer + }{ + Reader: io.TeeReader(rc, pw), + Closer: closer, + }, nil +} diff --git a/vendor/oras.land/oras-go/v2/internal/resolver/memory.go b/vendor/oras.land/oras-go/v2/internal/resolver/memory.go new file mode 100644 index 0000000000..df710e66de --- /dev/null +++ b/vendor/oras.land/oras-go/v2/internal/resolver/memory.go @@ -0,0 +1,105 @@ +/* +Copyright The ORAS Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package resolver + +import ( + "context" + "fmt" + "maps" + "sync" + + "github.com/opencontainers/go-digest" + ocispec "github.com/opencontainers/image-spec/specs-go/v1" + "oras.land/oras-go/v2/errdef" + "oras.land/oras-go/v2/internal/container/set" +) + +// Memory is a memory based resolver. +type Memory struct { + lock sync.RWMutex + index map[string]ocispec.Descriptor + tags map[digest.Digest]set.Set[string] +} + +// NewMemory creates a new Memory resolver. +func NewMemory() *Memory { + return &Memory{ + index: make(map[string]ocispec.Descriptor), + tags: make(map[digest.Digest]set.Set[string]), + } +} + +// Resolve resolves a reference to a descriptor. +func (m *Memory) Resolve(_ context.Context, reference string) (ocispec.Descriptor, error) { + m.lock.RLock() + defer m.lock.RUnlock() + + desc, ok := m.index[reference] + if !ok { + return ocispec.Descriptor{}, fmt.Errorf("%s: %w", reference, errdef.ErrNotFound) + } + return desc, nil +} + +// Tag tags a descriptor with a reference string. +func (m *Memory) Tag(_ context.Context, desc ocispec.Descriptor, reference string) error { + m.lock.Lock() + defer m.lock.Unlock() + + m.index[reference] = desc + tagSet, ok := m.tags[desc.Digest] + if !ok { + tagSet = set.New[string]() + m.tags[desc.Digest] = tagSet + } + tagSet.Add(reference) + return nil +} + +// Untag removes a reference from index map. +func (m *Memory) Untag(reference string) { + m.lock.Lock() + defer m.lock.Unlock() + + desc, ok := m.index[reference] + if !ok { + return + } + delete(m.index, reference) + tagSet := m.tags[desc.Digest] + tagSet.Delete(reference) + if len(tagSet) == 0 { + delete(m.tags, desc.Digest) + } +} + +// Map dumps the memory into a built-in map structure. +// Like other operations, calling Map() is go-routine safe. +func (m *Memory) Map() map[string]ocispec.Descriptor { + m.lock.RLock() + defer m.lock.RUnlock() + + return maps.Clone(m.index) +} + +// TagSet returns the set of tags of the descriptor. +func (m *Memory) TagSet(desc ocispec.Descriptor) set.Set[string] { + m.lock.RLock() + defer m.lock.RUnlock() + + tagSet := m.tags[desc.Digest] + return maps.Clone(tagSet) +} diff --git a/vendor/oras.land/oras-go/v2/internal/spec/artifact.go b/vendor/oras.land/oras-go/v2/internal/spec/artifact.go new file mode 100644 index 0000000000..7f801fd9ca --- /dev/null +++ b/vendor/oras.land/oras-go/v2/internal/spec/artifact.go @@ -0,0 +1,57 @@ +/* +Copyright The ORAS Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package spec + +import ocispec "github.com/opencontainers/image-spec/specs-go/v1" + +const ( + // AnnotationArtifactCreated is the annotation key for the date and time on which the artifact was built, conforming to RFC 3339. + AnnotationArtifactCreated = "org.opencontainers.artifact.created" + + // AnnotationArtifactDescription is the annotation key for the human readable description for the artifact. + AnnotationArtifactDescription = "org.opencontainers.artifact.description" + + // AnnotationReferrersFiltersApplied is the annotation key for the comma separated list of filters applied by the registry in the referrers listing. + AnnotationReferrersFiltersApplied = "org.opencontainers.referrers.filtersApplied" +) + +// MediaTypeArtifactManifest specifies the media type for a content descriptor. +const MediaTypeArtifactManifest = "application/vnd.oci.artifact.manifest.v1+json" + +// Artifact describes an artifact manifest. +// This structure provides `application/vnd.oci.artifact.manifest.v1+json` mediatype when marshalled to JSON. +// +// This manifest type was introduced in image-spec v1.1.0-rc1 and was removed in +// image-spec v1.1.0-rc3. It is not part of the current image-spec and is kept +// here for Go compatibility. +// +// Reference: https://github.com/opencontainers/image-spec/pull/999 +type Artifact struct { + // MediaType is the media type of the object this schema refers to. + MediaType string `json:"mediaType"` + + // ArtifactType is the IANA media type of the artifact this schema refers to. + ArtifactType string `json:"artifactType"` + + // Blobs is a collection of blobs referenced by this manifest. + Blobs []ocispec.Descriptor `json:"blobs,omitempty"` + + // Subject (reference) is an optional link from the artifact to another manifest forming an association between the artifact and the other manifest. + Subject *ocispec.Descriptor `json:"subject,omitempty"` + + // Annotations contains arbitrary metadata for the artifact manifest. + Annotations map[string]string `json:"annotations,omitempty"` +} diff --git a/vendor/oras.land/oras-go/v2/internal/status/tracker.go b/vendor/oras.land/oras-go/v2/internal/status/tracker.go new file mode 100644 index 0000000000..1a48bb5aff --- /dev/null +++ b/vendor/oras.land/oras-go/v2/internal/status/tracker.go @@ -0,0 +1,43 @@ +/* +Copyright The ORAS Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package status + +import ( + "sync" + + ocispec "github.com/opencontainers/image-spec/specs-go/v1" + "oras.land/oras-go/v2/internal/descriptor" +) + +// Tracker tracks content status described by a descriptor. +type Tracker struct { + status sync.Map // map[descriptor.Descriptor]chan struct{} +} + +// NewTracker creates a new content status tracker. +func NewTracker() *Tracker { + return &Tracker{} +} + +// TryCommit tries to commit the work for the target descriptor. +// Returns true if committed. A channel is also returned for sending +// notifications. Once the work is done, the channel should be closed. +// Returns false if the work is done or still in progress. +func (t *Tracker) TryCommit(target ocispec.Descriptor) (chan struct{}, bool) { + key := descriptor.FromOCI(target) + status, exists := t.status.LoadOrStore(key, make(chan struct{})) + return status.(chan struct{}), !exists +} diff --git a/vendor/oras.land/oras-go/v2/internal/syncutil/limit.go b/vendor/oras.land/oras-go/v2/internal/syncutil/limit.go new file mode 100644 index 0000000000..e429f24f47 --- /dev/null +++ b/vendor/oras.land/oras-go/v2/internal/syncutil/limit.go @@ -0,0 +1,107 @@ +/* +Copyright The ORAS Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package syncutil + +import ( + "context" + + "golang.org/x/sync/errgroup" + "golang.org/x/sync/semaphore" +) + +// LimitedRegion provides a way to bound concurrent access to a code block. +type LimitedRegion struct { + ctx context.Context + limiter *semaphore.Weighted + ended bool +} + +// LimitRegion creates a new LimitedRegion. +func LimitRegion(ctx context.Context, limiter *semaphore.Weighted) *LimitedRegion { + if limiter == nil { + return nil + } + return &LimitedRegion{ + ctx: ctx, + limiter: limiter, + ended: true, + } +} + +// Start starts the region with concurrency limit. +func (lr *LimitedRegion) Start() error { + if lr == nil || !lr.ended { + return nil + } + if err := lr.limiter.Acquire(lr.ctx, 1); err != nil { + return err + } + lr.ended = false + return nil +} + +// End ends the region with concurrency limit. +func (lr *LimitedRegion) End() { + if lr == nil || lr.ended { + return + } + lr.limiter.Release(1) + lr.ended = true +} + +// GoFunc represents a function that can be invoked by Go. +type GoFunc[T any] func(ctx context.Context, region *LimitedRegion, t T) error + +// Go concurrently invokes fn on items. +func Go[T any](ctx context.Context, limiter *semaphore.Weighted, fn GoFunc[T], items ...T) error { + ctx, cancel := context.WithCancelCause(ctx) + defer cancel(nil) + + eg, egCtx := errgroup.WithContext(ctx) + for _, item := range items { + region := LimitRegion(egCtx, limiter) + if err := region.Start(); err != nil { + cancel(err) + // break loop instead of returning to allow previously scheduled + // goroutines to finish their deferred region.End() calls + break + } + + eg.Go(func(t T, lr *LimitedRegion) func() error { + return func() error { + defer lr.End() + + select { + case <-egCtx.Done(): + // skip the task if the context is already cancelled + return nil + default: + } + + if err := fn(egCtx, lr, t); err != nil { + cancel(err) + return err + } + return nil + } + }(item, region)) + } + + if err := eg.Wait(); err != nil { + cancel(err) + } + return context.Cause(ctx) +} diff --git a/vendor/oras.land/oras-go/v2/internal/syncutil/limitgroup.go b/vendor/oras.land/oras-go/v2/internal/syncutil/limitgroup.go new file mode 100644 index 0000000000..4ef087dcc0 --- /dev/null +++ b/vendor/oras.land/oras-go/v2/internal/syncutil/limitgroup.go @@ -0,0 +1,67 @@ +/* +Copyright The ORAS Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package syncutil + +import ( + "context" + + "golang.org/x/sync/errgroup" +) + +// LimitedGroup is a collection of goroutines working on subtasks that are part of +// the same overall task. +type LimitedGroup struct { + grp *errgroup.Group + ctx context.Context +} + +// LimitGroup returns a new LimitedGroup and an associated Context derived from ctx. +// +// The number of active goroutines in this group is limited to the given limit. +// A negative value indicates no limit. +// +// The derived Context is canceled the first time a function passed to Go +// returns a non-nil error or the first time Wait returns, whichever occurs +// first. +func LimitGroup(ctx context.Context, limit int) (*LimitedGroup, context.Context) { + grp, ctx := errgroup.WithContext(ctx) + grp.SetLimit(limit) + return &LimitedGroup{grp: grp, ctx: ctx}, ctx +} + +// Go calls the given function in a new goroutine. +// It blocks until the new goroutine can be added without the number of +// active goroutines in the group exceeding the configured limit. +// +// The first call to return a non-nil error cancels the group's context. +// After which, any subsequent calls to Go will not execute their given function. +// The error will be returned by Wait. +func (g *LimitedGroup) Go(f func() error) { + g.grp.Go(func() error { + select { + case <-g.ctx.Done(): + return g.ctx.Err() + default: + return f() + } + }) +} + +// Wait blocks until all function calls from the Go method have returned, then +// returns the first non-nil error (if any) from them. +func (g *LimitedGroup) Wait() error { + return g.grp.Wait() +} diff --git a/vendor/oras.land/oras-go/v2/internal/syncutil/merge.go b/vendor/oras.land/oras-go/v2/internal/syncutil/merge.go new file mode 100644 index 0000000000..44788990c2 --- /dev/null +++ b/vendor/oras.land/oras-go/v2/internal/syncutil/merge.go @@ -0,0 +1,140 @@ +/* +Copyright The ORAS Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package syncutil + +import "sync" + +// mergeStatus represents the merge status of an item. +type mergeStatus struct { + // main indicates if items are being merged by the current go-routine. + main bool + // err represents the error of the merge operation. + err error +} + +// Merge represents merge operations on items. +// The state transfer is shown as below: +// +// +----------+ +// | Start +--------+-------------+ +// +----+-----+ | | +// | | | +// v v v +// +----+-----+ +----+----+ +----+----+ +// +-------+ Prepare +<--+ Pending +-->+ Waiting | +// | +----+-----+ +---------+ +----+----+ +// | | | +// | v | +// | + ---+---- + | +// On Error | Resolve | | +// | + ---+---- + | +// | | | +// | v | +// | +----+-----+ | +// +------>+ Complete +<---------------------+ +// +----+-----+ +// | +// v +// +----+-----+ +// | End | +// +----------+ +type Merge[T any] struct { + lock sync.Mutex + committed bool + items []T + status chan mergeStatus + pending []T + pendingStatus chan mergeStatus +} + +// Do merges concurrent operations of items into a single call of prepare and +// resolve. +// If Do is called multiple times concurrently, only one of the calls will be +// selected to invoke prepare and resolve. +func (m *Merge[T]) Do(item T, prepare func() error, resolve func(items []T) error) error { + status := <-m.assign(item) + if status.main { + err := prepare() + items := m.commit() + if err == nil { + err = resolve(items) + } + m.complete(err) + return err + } + return status.err +} + +// assign adds a new item into the item list. +func (m *Merge[T]) assign(item T) <-chan mergeStatus { + m.lock.Lock() + defer m.lock.Unlock() + + if m.committed { + if m.pendingStatus == nil { + m.pendingStatus = make(chan mergeStatus, 1) + } + m.pending = append(m.pending, item) + return m.pendingStatus + } + + if m.status == nil { + m.status = make(chan mergeStatus, 1) + m.status <- mergeStatus{main: true} + } + m.items = append(m.items, item) + return m.status +} + +// commit closes the assignment window, and the assigned items will be ready +// for resolve. +func (m *Merge[T]) commit() []T { + m.lock.Lock() + defer m.lock.Unlock() + + m.committed = true + return m.items +} + +// complete completes the previous merge, and moves the pending items to the +// stage for the next merge. +func (m *Merge[T]) complete(err error) { + // notify results + if err == nil { + close(m.status) + } else { + remaining := len(m.items) - 1 + status := m.status + for remaining > 0 { + status <- mergeStatus{err: err} + remaining-- + } + } + + // move pending items to the stage + m.lock.Lock() + defer m.lock.Unlock() + + m.committed = false + m.items = m.pending + m.status = m.pendingStatus + m.pending = nil + m.pendingStatus = nil + + if m.status != nil { + m.status <- mergeStatus{main: true} + } +} diff --git a/vendor/oras.land/oras-go/v2/internal/syncutil/once.go b/vendor/oras.land/oras-go/v2/internal/syncutil/once.go new file mode 100644 index 0000000000..e449705304 --- /dev/null +++ b/vendor/oras.land/oras-go/v2/internal/syncutil/once.go @@ -0,0 +1,102 @@ +/* +Copyright The ORAS Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package syncutil + +import ( + "context" + "sync" + "sync/atomic" +) + +// Once is an object that will perform exactly one action. +// Unlike sync.Once, this Once allows the action to have return values. +type Once struct { + result interface{} + err error + status chan bool +} + +// NewOnce creates a new Once instance. +func NewOnce() *Once { + status := make(chan bool, 1) + status <- true + return &Once{ + status: status, + } +} + +// Do calls the function f if and only if Do is being called first time or all +// previous function calls are cancelled, deadline exceeded, or panicking. +// When `once.Do(ctx, f)` is called multiple times, the return value of the +// first call of the function f is stored, and is directly returned for other +// calls. +// Besides the return value of the function f, including the error, Do returns +// true if the function f passed is called first and is not cancelled, deadline +// exceeded, or panicking. Otherwise, returns false. +func (o *Once) Do(ctx context.Context, f func() (interface{}, error)) (bool, interface{}, error) { + defer func() { + if r := recover(); r != nil { + o.status <- true + panic(r) + } + }() + for { + select { + case inProgress := <-o.status: + if !inProgress { + return false, o.result, o.err + } + result, err := f() + if err == context.Canceled || err == context.DeadlineExceeded { + o.status <- true + return false, nil, err + } + o.result, o.err = result, err + close(o.status) + return true, result, err + case <-ctx.Done(): + return false, nil, ctx.Err() + } + } +} + +// OnceOrRetry is an object that will perform exactly one success action. +type OnceOrRetry struct { + done atomic.Bool + lock sync.Mutex +} + +// OnceOrRetry calls the function f if and only if Do is being called for the +// first time for this instance of Once or all previous calls to Do are failed. +func (o *OnceOrRetry) Do(f func() error) error { + // fast path + if o.done.Load() { + return nil + } + + // slow path + o.lock.Lock() + defer o.lock.Unlock() + + if o.done.Load() { + return nil + } + if err := f(); err != nil { + return err + } + o.done.Store(true) + return nil +} diff --git a/vendor/oras.land/oras-go/v2/internal/syncutil/pool.go b/vendor/oras.land/oras-go/v2/internal/syncutil/pool.go new file mode 100644 index 0000000000..6fb4a69c51 --- /dev/null +++ b/vendor/oras.land/oras-go/v2/internal/syncutil/pool.go @@ -0,0 +1,64 @@ +/* +Copyright The ORAS Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package syncutil + +import "sync" + +// poolItem represents an item in Pool. +type poolItem[T any] struct { + value T + refCount int +} + +// Pool is a scalable pool with items identified by keys. +type Pool[T any] struct { + // New optionally specifies a function to generate a value when Get would + // otherwise return nil. + // It may not be changed concurrently with calls to Get. + New func() T + + lock sync.Mutex + items map[any]*poolItem[T] +} + +// Get gets the value identified by key. +// The caller should invoke the returned function after using the returned item. +func (p *Pool[T]) Get(key any) (*T, func()) { + p.lock.Lock() + defer p.lock.Unlock() + + item, ok := p.items[key] + if !ok { + if p.items == nil { + p.items = make(map[any]*poolItem[T]) + } + item = &poolItem[T]{} + if p.New != nil { + item.value = p.New() + } + p.items[key] = item + } + item.refCount++ + + return &item.value, func() { + p.lock.Lock() + defer p.lock.Unlock() + item.refCount-- + if item.refCount <= 0 { + delete(p.items, key) + } + } +} diff --git a/vendor/oras.land/oras-go/v2/pack.go b/vendor/oras.land/oras-go/v2/pack.go new file mode 100644 index 0000000000..6d1635c9fc --- /dev/null +++ b/vendor/oras.land/oras-go/v2/pack.go @@ -0,0 +1,448 @@ +/* +Copyright The ORAS Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package oras + +import ( + "bytes" + "context" + "encoding/json" + "errors" + "fmt" + "maps" + "regexp" + "time" + + specs "github.com/opencontainers/image-spec/specs-go" + ocispec "github.com/opencontainers/image-spec/specs-go/v1" + "oras.land/oras-go/v2/content" + "oras.land/oras-go/v2/errdef" + "oras.land/oras-go/v2/internal/spec" +) + +const ( + // MediaTypeUnknownConfig is the default config mediaType used + // - for [Pack] when PackOptions.PackImageManifest is true and + // PackOptions.ConfigDescriptor is not specified. + // - for [PackManifest] when packManifestVersion is PackManifestVersion1_0 + // and PackManifestOptions.ConfigDescriptor is not specified. + MediaTypeUnknownConfig = "application/vnd.unknown.config.v1+json" + + // MediaTypeUnknownArtifact is the default artifactType used for [Pack] + // when PackOptions.PackImageManifest is false and artifactType is + // not specified. + MediaTypeUnknownArtifact = "application/vnd.unknown.artifact.v1" +) + +var ( + // ErrInvalidDateTimeFormat is returned by [Pack] and [PackManifest] when + // "org.opencontainers.artifact.created" or "org.opencontainers.image.created" + // is provided, but its value is not in RFC 3339 format. + // Reference: https://www.rfc-editor.org/rfc/rfc3339#section-5.6 + ErrInvalidDateTimeFormat = errors.New("invalid date and time format") + + // ErrMissingArtifactType is returned by [PackManifest] when + // packManifestVersion is PackManifestVersion1_1 and artifactType is + // empty and the config media type is set to + // "application/vnd.oci.empty.v1+json". + ErrMissingArtifactType = errors.New("missing artifact type") +) + +// PackManifestVersion represents the manifest version used for [PackManifest]. +type PackManifestVersion int + +const ( + // PackManifestVersion1_0 represents the OCI Image Manifest defined in + // image-spec v1.0.2. + // Reference: https://github.com/opencontainers/image-spec/blob/v1.0.2/manifest.md + PackManifestVersion1_0 PackManifestVersion = 1 + + // PackManifestVersion1_1_RC4 represents the OCI Image Manifest defined + // in image-spec v1.1.0-rc4. + // Reference: https://github.com/opencontainers/image-spec/blob/v1.1.0-rc4/manifest.md + // + // Deprecated: This constant is deprecated and not recommended for future use. + // Use [PackManifestVersion1_1] instead. + PackManifestVersion1_1_RC4 PackManifestVersion = PackManifestVersion1_1 + + // PackManifestVersion1_1 represents the OCI Image Manifest defined in + // image-spec v1.1.1. + // Reference: https://github.com/opencontainers/image-spec/blob/v1.1.1/manifest.md + PackManifestVersion1_1 PackManifestVersion = 2 +) + +// PackManifestOptions contains optional parameters for [PackManifest]. +type PackManifestOptions struct { + // Subject is the subject of the manifest. + // This option is only valid when PackManifestVersion is + // NOT PackManifestVersion1_0. + Subject *ocispec.Descriptor + + // Layers is the layers of the manifest. + Layers []ocispec.Descriptor + + // ManifestAnnotations is the annotation map of the manifest. In order to + // make [PackManifest] reproducible, set the key ocispec.AnnotationCreated + // (i.e. "org.opencontainers.image.created") to a fixed value. The value + // must conform to RFC 3339. + ManifestAnnotations map[string]string + + // ConfigDescriptor is a pointer to the descriptor of the config blob. + // If not nil, ConfigAnnotations will be ignored. + ConfigDescriptor *ocispec.Descriptor + + // ConfigAnnotations is the annotation map of the config descriptor. + // This option is valid only when ConfigDescriptor is nil. + ConfigAnnotations map[string]string +} + +// mediaTypeRegexp checks the format of media types. +// References: +// - https://github.com/opencontainers/image-spec/blob/v1.1.1/schema/defs-descriptor.json#L7 +// - https://datatracker.ietf.org/doc/html/rfc6838#section-4.2 +var mediaTypeRegexp = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9!#$&^_.+-]{0,126}/[A-Za-z0-9][A-Za-z0-9!#$&^_.+-]{0,126}$`) + +// PackManifest generates an OCI Image Manifest based on the given parameters +// and pushes the packed manifest to a content storage using pusher. The version +// of the manifest to be packed is determined by packManifestVersion +// (Recommended value: PackManifestVersion1_1). +// +// - If packManifestVersion is [PackManifestVersion1_1]: +// artifactType MUST NOT be empty unless opts.ConfigDescriptor is specified. +// - If packManifestVersion is [PackManifestVersion1_0]: +// if opts.ConfigDescriptor is nil, artifactType will be used as the +// config media type; if artifactType is empty, +// "application/vnd.unknown.config.v1+json" will be used. +// if opts.ConfigDescriptor is NOT nil, artifactType will be ignored. +// +// artifactType and opts.ConfigDescriptor.MediaType MUST comply with RFC 6838. +// +// Each time when PackManifest is called, if a time stamp is not specified, a new time +// stamp is generated in the manifest annotations with the key ocispec.AnnotationCreated +// (i.e. "org.opencontainers.image.created"). To make [PackManifest] reproducible, +// set the key ocispec.AnnotationCreated to a fixed value in +// opts.ManifestAnnotations. The value MUST conform to RFC 3339. +// +// If succeeded, returns a descriptor of the packed manifest. +func PackManifest(ctx context.Context, pusher content.Pusher, packManifestVersion PackManifestVersion, artifactType string, opts PackManifestOptions) (ocispec.Descriptor, error) { + switch packManifestVersion { + case PackManifestVersion1_0: + return packManifestV1_0(ctx, pusher, artifactType, opts) + case PackManifestVersion1_1: + return packManifestV1_1(ctx, pusher, artifactType, opts) + default: + return ocispec.Descriptor{}, fmt.Errorf("PackManifestVersion(%v): %w", packManifestVersion, errdef.ErrUnsupported) + } +} + +// PackOptions contains optional parameters for [Pack]. +// +// Deprecated: This type is deprecated and not recommended for future use. +// Use [PackManifestOptions] instead. +type PackOptions struct { + // Subject is the subject of the manifest. + Subject *ocispec.Descriptor + + // ManifestAnnotations is the annotation map of the manifest. + ManifestAnnotations map[string]string + + // PackImageManifest controls whether to pack an OCI Image Manifest or not. + // - If true, pack an OCI Image Manifest. + // - If false, pack an OCI Artifact Manifest (deprecated). + // + // Default value: false. + PackImageManifest bool + + // ConfigDescriptor is a pointer to the descriptor of the config blob. + // If not nil, artifactType will be implied by the mediaType of the + // specified ConfigDescriptor, and ConfigAnnotations will be ignored. + // This option is valid only when PackImageManifest is true. + ConfigDescriptor *ocispec.Descriptor + + // ConfigAnnotations is the annotation map of the config descriptor. + // This option is valid only when PackImageManifest is true + // and ConfigDescriptor is nil. + ConfigAnnotations map[string]string +} + +// Pack packs the given blobs, generates a manifest for the pack, +// and pushes it to a content storage. +// +// When opts.PackImageManifest is true, artifactType will be used as the +// the config descriptor mediaType of the image manifest. +// +// If succeeded, returns a descriptor of the manifest. +// +// Deprecated: This method is deprecated and not recommended for future use. +// Use [PackManifest] instead. +func Pack(ctx context.Context, pusher content.Pusher, artifactType string, blobs []ocispec.Descriptor, opts PackOptions) (ocispec.Descriptor, error) { + if opts.PackImageManifest { + return packManifestV1_1_RC2(ctx, pusher, artifactType, blobs, opts) + } + return packArtifact(ctx, pusher, artifactType, blobs, opts) +} + +// packArtifact packs an Artifact manifest as defined in image-spec v1.1.0-rc2. +// Reference: https://github.com/opencontainers/image-spec/blob/v1.1.0-rc2/artifact.md +func packArtifact(ctx context.Context, pusher content.Pusher, artifactType string, blobs []ocispec.Descriptor, opts PackOptions) (ocispec.Descriptor, error) { + if artifactType == "" { + artifactType = MediaTypeUnknownArtifact + } + + annotations, err := ensureAnnotationCreated(opts.ManifestAnnotations, spec.AnnotationArtifactCreated) + if err != nil { + return ocispec.Descriptor{}, err + } + manifest := spec.Artifact{ + MediaType: spec.MediaTypeArtifactManifest, + ArtifactType: artifactType, + Blobs: blobs, + Subject: opts.Subject, + Annotations: annotations, + } + return pushManifest(ctx, pusher, manifest, manifest.MediaType, manifest.ArtifactType, manifest.Annotations) +} + +// packManifestV1_0 packs an image manifest defined in image-spec v1.0.2. +// Reference: https://github.com/opencontainers/image-spec/blob/v1.0.2/manifest.md +func packManifestV1_0(ctx context.Context, pusher content.Pusher, artifactType string, opts PackManifestOptions) (ocispec.Descriptor, error) { + if opts.Subject != nil { + return ocispec.Descriptor{}, fmt.Errorf("subject is not supported for manifest version %v: %w", PackManifestVersion1_0, errdef.ErrUnsupported) + } + + // prepare config + var configDesc ocispec.Descriptor + if opts.ConfigDescriptor != nil { + if err := validateMediaType(opts.ConfigDescriptor.MediaType); err != nil { + return ocispec.Descriptor{}, fmt.Errorf("invalid config mediaType format: %w", err) + } + configDesc = *opts.ConfigDescriptor + } else { + if artifactType == "" { + artifactType = MediaTypeUnknownConfig + } else if err := validateMediaType(artifactType); err != nil { + return ocispec.Descriptor{}, fmt.Errorf("invalid artifactType format: %w", err) + } + var err error + configDesc, err = pushCustomEmptyConfig(ctx, pusher, artifactType, opts.ConfigAnnotations) + if err != nil { + return ocispec.Descriptor{}, err + } + } + + annotations, err := ensureAnnotationCreated(opts.ManifestAnnotations, ocispec.AnnotationCreated) + if err != nil { + return ocispec.Descriptor{}, err + } + if opts.Layers == nil { + opts.Layers = []ocispec.Descriptor{} // make it an empty array to prevent potential server-side bugs + } + manifest := ocispec.Manifest{ + Versioned: specs.Versioned{ + SchemaVersion: 2, // historical value. does not pertain to OCI or docker version + }, + Config: configDesc, + MediaType: ocispec.MediaTypeImageManifest, + Layers: opts.Layers, + Annotations: annotations, + } + return pushManifest(ctx, pusher, manifest, manifest.MediaType, manifest.Config.MediaType, manifest.Annotations) +} + +// packManifestV1_1_RC2 packs an image manifest as defined in image-spec +// v1.1.0-rc2. +// Reference: https://github.com/opencontainers/image-spec/blob/v1.1.0-rc2/manifest.md +func packManifestV1_1_RC2(ctx context.Context, pusher content.Pusher, configMediaType string, layers []ocispec.Descriptor, opts PackOptions) (ocispec.Descriptor, error) { + if configMediaType == "" { + configMediaType = MediaTypeUnknownConfig + } + + // prepare config + var configDesc ocispec.Descriptor + if opts.ConfigDescriptor != nil { + configDesc = *opts.ConfigDescriptor + } else { + var err error + configDesc, err = pushCustomEmptyConfig(ctx, pusher, configMediaType, opts.ConfigAnnotations) + if err != nil { + return ocispec.Descriptor{}, err + } + } + + annotations, err := ensureAnnotationCreated(opts.ManifestAnnotations, ocispec.AnnotationCreated) + if err != nil { + return ocispec.Descriptor{}, err + } + if layers == nil { + layers = []ocispec.Descriptor{} // make it an empty array to prevent potential server-side bugs + } + manifest := ocispec.Manifest{ + Versioned: specs.Versioned{ + SchemaVersion: 2, // historical value. does not pertain to OCI or docker version + }, + Config: configDesc, + MediaType: ocispec.MediaTypeImageManifest, + Layers: layers, + Subject: opts.Subject, + Annotations: annotations, + } + return pushManifest(ctx, pusher, manifest, manifest.MediaType, manifest.Config.MediaType, manifest.Annotations) +} + +// packManifestV1_1 packs an image manifest defined in image-spec v1.1.1. +// Reference: https://github.com/opencontainers/image-spec/blob/v1.1.1/manifest.md#guidelines-for-artifact-usage +func packManifestV1_1(ctx context.Context, pusher content.Pusher, artifactType string, opts PackManifestOptions) (ocispec.Descriptor, error) { + if artifactType == "" && (opts.ConfigDescriptor == nil || opts.ConfigDescriptor.MediaType == ocispec.MediaTypeEmptyJSON) { + // artifactType MUST be set when config.mediaType is set to the empty value + return ocispec.Descriptor{}, ErrMissingArtifactType + } + if artifactType != "" { + if err := validateMediaType(artifactType); err != nil { + return ocispec.Descriptor{}, fmt.Errorf("invalid artifactType format: %w", err) + } + } + + // prepare config + var emptyBlobExists bool + var configDesc ocispec.Descriptor + if opts.ConfigDescriptor != nil { + if err := validateMediaType(opts.ConfigDescriptor.MediaType); err != nil { + return ocispec.Descriptor{}, fmt.Errorf("invalid config mediaType format: %w", err) + } + configDesc = *opts.ConfigDescriptor + } else { + // use the empty descriptor for config + configDesc = ocispec.DescriptorEmptyJSON + configDesc.Annotations = opts.ConfigAnnotations + configBytes := ocispec.DescriptorEmptyJSON.Data + // push config + if err := pushIfNotExist(ctx, pusher, configDesc, configBytes); err != nil { + return ocispec.Descriptor{}, fmt.Errorf("failed to push config: %w", err) + } + emptyBlobExists = true + } + + annotations, err := ensureAnnotationCreated(opts.ManifestAnnotations, ocispec.AnnotationCreated) + if err != nil { + return ocispec.Descriptor{}, err + } + if len(opts.Layers) == 0 { + // use the empty descriptor as the single layer + layerDesc := ocispec.DescriptorEmptyJSON + layerData := ocispec.DescriptorEmptyJSON.Data + if !emptyBlobExists { + if err := pushIfNotExist(ctx, pusher, layerDesc, layerData); err != nil { + return ocispec.Descriptor{}, fmt.Errorf("failed to push layer: %w", err) + } + } + opts.Layers = []ocispec.Descriptor{layerDesc} + } + + manifest := ocispec.Manifest{ + Versioned: specs.Versioned{ + SchemaVersion: 2, // historical value. does not pertain to OCI or docker version + }, + Config: configDesc, + MediaType: ocispec.MediaTypeImageManifest, + Layers: opts.Layers, + Subject: opts.Subject, + ArtifactType: artifactType, + Annotations: annotations, + } + return pushManifest(ctx, pusher, manifest, manifest.MediaType, manifest.ArtifactType, manifest.Annotations) +} + +// pushIfNotExist pushes data described by desc if it does not exist in the +// target. +func pushIfNotExist(ctx context.Context, pusher content.Pusher, desc ocispec.Descriptor, data []byte) error { + if ros, ok := pusher.(content.ReadOnlyStorage); ok { + exists, err := ros.Exists(ctx, desc) + if err != nil { + return fmt.Errorf("failed to check existence: %s: %s: %w", desc.Digest.String(), desc.MediaType, err) + } + if exists { + return nil + } + } + + if err := pusher.Push(ctx, desc, bytes.NewReader(data)); err != nil && !errors.Is(err, errdef.ErrAlreadyExists) { + return fmt.Errorf("failed to push: %s: %s: %w", desc.Digest.String(), desc.MediaType, err) + } + return nil +} + +// pushManifest marshals manifest into JSON bytes and pushes it. +func pushManifest(ctx context.Context, pusher content.Pusher, manifest any, mediaType string, artifactType string, annotations map[string]string) (ocispec.Descriptor, error) { + manifestJSON, err := json.Marshal(manifest) + if err != nil { + return ocispec.Descriptor{}, fmt.Errorf("failed to marshal manifest: %w", err) + } + manifestDesc := content.NewDescriptorFromBytes(mediaType, manifestJSON) + // populate ArtifactType and Annotations of the manifest into manifestDesc + manifestDesc.ArtifactType = artifactType + manifestDesc.Annotations = annotations + // push manifest + if err := pusher.Push(ctx, manifestDesc, bytes.NewReader(manifestJSON)); err != nil && !errors.Is(err, errdef.ErrAlreadyExists) { + return ocispec.Descriptor{}, fmt.Errorf("failed to push manifest: %w", err) + } + return manifestDesc, nil +} + +// pushCustomEmptyConfig generates and pushes an empty config blob. +func pushCustomEmptyConfig(ctx context.Context, pusher content.Pusher, mediaType string, annotations map[string]string) (ocispec.Descriptor, error) { + // Use an empty JSON object here, because some registries may not accept + // empty config blob. + // As of September 2022, GAR is known to return 400 on empty blob upload. + // See https://github.com/oras-project/oras-go/issues/294 for details. + configBytes := []byte("{}") + configDesc := content.NewDescriptorFromBytes(mediaType, configBytes) + configDesc.Annotations = annotations + // push config + if err := pushIfNotExist(ctx, pusher, configDesc, configBytes); err != nil { + return ocispec.Descriptor{}, fmt.Errorf("failed to push config: %w", err) + } + return configDesc, nil +} + +// ensureAnnotationCreated ensures that annotationCreatedKey is in annotations, +// and that its value conforms to RFC 3339. Otherwise returns a new annotation +// map with annotationCreatedKey created. +func ensureAnnotationCreated(annotations map[string]string, annotationCreatedKey string) (map[string]string, error) { + if createdTime, ok := annotations[annotationCreatedKey]; ok { + // if annotationCreatedKey is provided, validate its format + if _, err := time.Parse(time.RFC3339, createdTime); err != nil { + return nil, fmt.Errorf("%w: %v", ErrInvalidDateTimeFormat, err) + } + return annotations, nil + } + + // copy the original annotation map + copied := make(map[string]string, len(annotations)+1) + maps.Copy(copied, annotations) + + // set creation time in RFC 3339 format + // reference: https://github.com/opencontainers/image-spec/blob/v1.1.0-rc2/annotations.md#pre-defined-annotation-keys + now := time.Now().UTC() + copied[annotationCreatedKey] = now.Format(time.RFC3339) + return copied, nil +} + +// validateMediaType validates the format of mediaType. +func validateMediaType(mediaType string) error { + if !mediaTypeRegexp.MatchString(mediaType) { + return fmt.Errorf("%s: %w", mediaType, errdef.ErrInvalidMediaType) + } + return nil +} diff --git a/vendor/oras.land/oras-go/v2/registry/reference.go b/vendor/oras.land/oras-go/v2/registry/reference.go new file mode 100644 index 0000000000..54c72fd29c --- /dev/null +++ b/vendor/oras.land/oras-go/v2/registry/reference.go @@ -0,0 +1,276 @@ +/* +Copyright The ORAS Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package registry + +import ( + "fmt" + "net/url" + "regexp" + "strings" + + "github.com/opencontainers/go-digest" + "oras.land/oras-go/v2/errdef" +) + +// regular expressions for components. +var ( + // repositoryRegexp is adapted from the distribution implementation. The + // repository name set under OCI distribution spec is a subset of the docker + // spec. For maximum compatability, the docker spec is verified client-side. + // Further checks are left to the server-side. + // + // References: + // - https://github.com/distribution/distribution/blob/v2.7.1/reference/regexp.go#L53 + // - https://github.com/opencontainers/distribution-spec/blob/v1.1.1/spec.md#pulling-manifests + repositoryRegexp = regexp.MustCompile(`^[a-z0-9]+(?:(?:[._]|__|[-]*)[a-z0-9]+)*(?:/[a-z0-9]+(?:(?:[._]|__|[-]*)[a-z0-9]+)*)*$`) + + // tagRegexp checks the tag name. + // The docker and OCI spec have the same regular expression. + // + // Reference: https://github.com/opencontainers/distribution-spec/blob/v1.1.1/spec.md#pulling-manifests + tagRegexp = regexp.MustCompile(`^[\w][\w.-]{0,127}$`) +) + +// Reference references either a resource descriptor (where Reference.Reference +// is a tag or a digest), or a resource repository (where Reference.Reference +// is the empty string). +type Reference struct { + // Registry is the name of the registry. It is usually the domain name of + // the registry optionally with a port. + Registry string + + // Repository is the name of the repository. + Repository string + + // Reference is the reference of the object in the repository. This field + // can take any one of the four valid forms (see ParseReference). In the + // case where it's the empty string, it necessarily implies valid form D, + // and where it is non-empty, then it is either a tag, or a digest + // (implying one of valid forms A, B, or C). + Reference string +} + +// ParseReference parses a string (artifact) into an `artifact reference`. +// Corresponding cryptographic hash implementations are required to be imported +// as specified by https://pkg.go.dev/github.com/opencontainers/go-digest#readme-usage +// if the string contains a digest. +// +// Note: An "image" is an "artifact", however, an "artifact" is not necessarily +// an "image". +// +// The token `artifact` is composed of other tokens, and those in turn are +// composed of others. This definition recursivity requires a notation capable +// of recursion, thus the following two forms have been adopted: +// +// 1. Backus–Naur Form (BNF) has been adopted to address the recursive nature +// of the definition. +// 2. Token opacity is revealed via its label letter-casing. That is, "opaque" +// tokens (i.e., tokens that are not final, and must therefore be further +// broken down into their constituents) are denoted in *lowercase*, while +// final tokens (i.e., leaf-node tokens that are final) are denoted in +// *uppercase*. +// +// Finally, note that a number of the opaque tokens are polymorphic in nature; +// that is, they can take on one of numerous forms, not restricted to a single +// defining form. +// +// The top-level token, `artifact`, is composed of two (opaque) tokens; namely +// `socketaddr` and `path`: +// +// ::= "/" +// +// The former is described as follows: +// +// ::= | ":" +// ::= | +// ::= | +// +// The latter, which is of greater interest here, is described as follows: +// +// ::= | +// ::= "@" | ":" "@" | ":" +// ::= ":" +// +// This second token--`path`--can take on exactly four forms, each of which will +// now be illustrated: +// +// <--- path --------------------------------------------> | - Decode `path` +// <=== REPOSITORY ===> <--- reference ------------------> | - Decode `reference` +// <=== REPOSITORY ===> @ <=================== digest ===> | - Valid Form A +// <=== REPOSITORY ===> : @ <=== digest ===> | - Valid Form B (tag is dropped) +// <=== REPOSITORY ===> : <=== TAG ======================> | - Valid Form C +// <=== REPOSITORY ======================================> | - Valid Form D +// +// Note: In the case of Valid Form B, TAG is dropped without any validation or +// further consideration. +func ParseReference(artifact string) (Reference, error) { + parts := strings.SplitN(artifact, "/", 2) + if len(parts) == 1 { + // Invalid Form + return Reference{}, fmt.Errorf("%w: missing registry or repository", errdef.ErrInvalidReference) + } + registry, path := parts[0], parts[1] + + var isTag bool + var repository string + var reference string + if index := strings.Index(path, "@"); index != -1 { + // `digest` found; Valid Form A (if not B) + isTag = false + repository = path[:index] + reference = path[index+1:] + + if index = strings.Index(repository, ":"); index != -1 { + // `tag` found (and now dropped without validation) since `the + // `digest` already present; Valid Form B + repository = repository[:index] + } + } else if index = strings.Index(path, ":"); index != -1 { + // `tag` found; Valid Form C + isTag = true + repository = path[:index] + reference = path[index+1:] + } else { + // empty `reference`; Valid Form D + repository = path + } + ref := Reference{ + Registry: registry, + Repository: repository, + Reference: reference, + } + + if err := ref.ValidateRegistry(); err != nil { + return Reference{}, err + } + + if err := ref.ValidateRepository(); err != nil { + return Reference{}, err + } + + if len(ref.Reference) == 0 { + return ref, nil + } + + validator := ref.ValidateReferenceAsDigest + if isTag { + validator = ref.ValidateReferenceAsTag + } + if err := validator(); err != nil { + return Reference{}, err + } + + return ref, nil +} + +// Validate the entire reference object; the registry, the repository, and the +// reference. +func (r Reference) Validate() error { + if err := r.ValidateRegistry(); err != nil { + return err + } + + if err := r.ValidateRepository(); err != nil { + return err + } + + return r.ValidateReference() +} + +// ValidateRegistry validates the registry. +func (r Reference) ValidateRegistry() error { + if uri, err := url.ParseRequestURI("dummy://" + r.Registry); err != nil || uri.Host == "" || uri.Host != r.Registry { + return fmt.Errorf("%w: invalid registry %q", errdef.ErrInvalidReference, r.Registry) + } + return nil +} + +// ValidateRepository validates the repository. +func (r Reference) ValidateRepository() error { + if !repositoryRegexp.MatchString(r.Repository) { + return fmt.Errorf("%w: invalid repository %q", errdef.ErrInvalidReference, r.Repository) + } + return nil +} + +// ValidateReferenceAsTag validates the reference as a tag. +func (r Reference) ValidateReferenceAsTag() error { + if !tagRegexp.MatchString(r.Reference) { + return fmt.Errorf("%w: invalid tag %q", errdef.ErrInvalidReference, r.Reference) + } + return nil +} + +// ValidateReferenceAsDigest validates the reference as a digest. +func (r Reference) ValidateReferenceAsDigest() error { + if _, err := r.Digest(); err != nil { + return fmt.Errorf("%w: invalid digest %q: %v", errdef.ErrInvalidReference, r.Reference, err) + } + return nil +} + +// ValidateReference where the reference is first tried as an ampty string, then +// as a digest, and if that fails, as a tag. +func (r Reference) ValidateReference() error { + if len(r.Reference) == 0 { + return nil + } + + if index := strings.IndexByte(r.Reference, ':'); index != -1 { + return r.ValidateReferenceAsDigest() + } + + return r.ValidateReferenceAsTag() +} + +// Host returns the host name of the registry. +func (r Reference) Host() string { + if r.Registry == "docker.io" { + return "registry-1.docker.io" + } + return r.Registry +} + +// ReferenceOrDefault returns the reference or the default reference if empty. +func (r Reference) ReferenceOrDefault() string { + if r.Reference == "" { + return "latest" + } + return r.Reference +} + +// Digest returns the reference as a digest. +// Corresponding cryptographic hash implementations are required to be imported +// as specified by https://pkg.go.dev/github.com/opencontainers/go-digest#readme-usage +func (r Reference) Digest() (digest.Digest, error) { + return digest.Parse(r.Reference) +} + +// String implements `fmt.Stringer` and returns the reference string. +// The resulted string is meaningful only if the reference is valid. +func (r Reference) String() string { + if r.Repository == "" { + return r.Registry + } + ref := r.Registry + "/" + r.Repository + if r.Reference == "" { + return ref + } + if d, err := r.Digest(); err == nil { + return ref + "@" + d.String() + } + return ref + ":" + r.Reference +} diff --git a/vendor/oras.land/oras-go/v2/registry/registry.go b/vendor/oras.land/oras-go/v2/registry/registry.go new file mode 100644 index 0000000000..4736efa84f --- /dev/null +++ b/vendor/oras.land/oras-go/v2/registry/registry.go @@ -0,0 +1,52 @@ +/* +Copyright The ORAS Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Package registry provides high-level operations to manage registries. +package registry + +import "context" + +// Registry represents a collection of repositories. +type Registry interface { + // Repositories lists the name of repositories available in the registry. + // Since the returned repositories may be paginated by the underlying + // implementation, a function should be passed in to process the paginated + // repository list. + // `last` argument is the `last` parameter when invoking the catalog API. + // If `last` is NOT empty, the entries in the response start after the + // repo specified by `last`. Otherwise, the response starts from the top + // of the Repositories list. + // Note: When implemented by a remote registry, the catalog API is called. + // However, not all registries supports pagination or conforms the + // specification. + // Reference: https://distribution.github.io/distribution/spec/api/#catalog + // See also `Repositories()` in this package. + Repositories(ctx context.Context, last string, fn func(repos []string) error) error + + // Repository returns a repository reference by the given name. + Repository(ctx context.Context, name string) (Repository, error) +} + +// Repositories lists the name of repositories available in the registry. +func Repositories(ctx context.Context, reg Registry) ([]string, error) { + var res []string + if err := reg.Repositories(ctx, "", func(repos []string) error { + res = append(res, repos...) + return nil + }); err != nil { + return nil, err + } + return res, nil +} diff --git a/vendor/oras.land/oras-go/v2/registry/remote/auth/cache.go b/vendor/oras.land/oras-go/v2/registry/remote/auth/cache.go new file mode 100644 index 0000000000..d11c092bf5 --- /dev/null +++ b/vendor/oras.land/oras-go/v2/registry/remote/auth/cache.go @@ -0,0 +1,232 @@ +/* +Copyright The ORAS Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package auth + +import ( + "context" + "strings" + "sync" + + "oras.land/oras-go/v2/errdef" + "oras.land/oras-go/v2/internal/syncutil" +) + +// DefaultCache is the sharable cache used by DefaultClient. +var DefaultCache Cache = NewCache() + +// Cache caches the auth-scheme and auth-token for the "Authorization" header in +// accessing the remote registry. +// Precisely, the header is `Authorization: auth-scheme auth-token`. +// The `auth-token` is a generic term as `token68` in RFC 7235 section 2.1. +type Cache interface { + // GetScheme returns the auth-scheme part cached for the given registry. + // A single registry is assumed to have a consistent scheme. + // If a registry has different schemes per path, the auth client is still + // workable. However, the cache may not be effective as the cache cannot + // correctly guess the scheme. + GetScheme(ctx context.Context, registry string) (Scheme, error) + + // GetToken returns the auth-token part cached for the given registry of a + // given scheme. + // The underlying implementation MAY cache the token for all schemes for the + // given registry. + GetToken(ctx context.Context, registry string, scheme Scheme, key string) (string, error) + + // Set fetches the token using the given fetch function and caches the token + // for the given scheme with the given key for the given registry. + // The return values of the fetch function is returned by this function. + // The underlying implementation MAY combine the fetch operation if the Set + // function is invoked multiple times at the same time. + Set(ctx context.Context, registry string, scheme Scheme, key string, fetch func(context.Context) (string, error)) (string, error) +} + +// cacheEntry is a cache entry for a single registry. +type cacheEntry struct { + scheme Scheme + tokens sync.Map // map[string]string +} + +// concurrentCache is a cache suitable for concurrent invocation. +type concurrentCache struct { + status sync.Map // map[string]*syncutil.Once + cache sync.Map // map[string]*cacheEntry +} + +// NewCache creates a new go-routine safe cache instance. +func NewCache() Cache { + return &concurrentCache{} +} + +// GetScheme returns the auth-scheme part cached for the given registry. +func (cc *concurrentCache) GetScheme(ctx context.Context, registry string) (Scheme, error) { + entry, ok := cc.cache.Load(registry) + if !ok { + return SchemeUnknown, errdef.ErrNotFound + } + return entry.(*cacheEntry).scheme, nil +} + +// GetToken returns the auth-token part cached for the given registry of a given +// scheme. +func (cc *concurrentCache) GetToken(ctx context.Context, registry string, scheme Scheme, key string) (string, error) { + entryValue, ok := cc.cache.Load(registry) + if !ok { + return "", errdef.ErrNotFound + } + entry := entryValue.(*cacheEntry) + if entry.scheme != scheme { + return "", errdef.ErrNotFound + } + if token, ok := entry.tokens.Load(key); ok { + return token.(string), nil + } + return "", errdef.ErrNotFound +} + +// Set fetches the token using the given fetch function and caches the token +// for the given scheme with the given key for the given registry. +// Set combines the fetch operation if the Set is invoked multiple times at the +// same time. +func (cc *concurrentCache) Set(ctx context.Context, registry string, scheme Scheme, key string, fetch func(context.Context) (string, error)) (string, error) { + // fetch token + statusKey := strings.Join([]string{ + registry, + scheme.String(), + key, + }, " ") + statusValue, _ := cc.status.LoadOrStore(statusKey, syncutil.NewOnce()) + fetchOnce := statusValue.(*syncutil.Once) + fetchedFirst, result, err := fetchOnce.Do(ctx, func() (interface{}, error) { + return fetch(ctx) + }) + if fetchedFirst { + cc.status.Delete(statusKey) + } + if err != nil { + return "", err + } + token := result.(string) + if !fetchedFirst { + return token, nil + } + + // cache token + newEntry := &cacheEntry{ + scheme: scheme, + } + entryValue, exists := cc.cache.LoadOrStore(registry, newEntry) + entry := entryValue.(*cacheEntry) + if exists && entry.scheme != scheme { + // there is a scheme change, which is not expected in most scenarios. + // force invalidating all previous cache. + entry = newEntry + cc.cache.Store(registry, entry) + } + entry.tokens.Store(key, token) + + return token, nil +} + +// noCache is a cache implementation that does not do cache at all. +type noCache struct{} + +// GetScheme always returns not found error as it has no cache. +func (noCache) GetScheme(ctx context.Context, registry string) (Scheme, error) { + return SchemeUnknown, errdef.ErrNotFound +} + +// GetToken always returns not found error as it has no cache. +func (noCache) GetToken(ctx context.Context, registry string, scheme Scheme, key string) (string, error) { + return "", errdef.ErrNotFound +} + +// Set calls fetch directly without caching. +func (noCache) Set(ctx context.Context, registry string, scheme Scheme, key string, fetch func(context.Context) (string, error)) (string, error) { + return fetch(ctx) +} + +// hostCache is an auth cache that ignores scopes. Uses only the registry's hostname to find a token. +type hostCache struct { + Cache +} + +// GetToken implements Cache. +func (c *hostCache) GetToken(ctx context.Context, registry string, scheme Scheme, key string) (string, error) { + return c.Cache.GetToken(ctx, registry, scheme, "") +} + +// Set implements Cache. +func (c *hostCache) Set(ctx context.Context, registry string, scheme Scheme, key string, fetch func(context.Context) (string, error)) (string, error) { + return c.Cache.Set(ctx, registry, scheme, "", fetch) +} + +// fallbackCache tries the primary cache then falls back to the secondary cache. +type fallbackCache struct { + primary Cache + secondary Cache +} + +// GetScheme implements Cache. +func (fc *fallbackCache) GetScheme(ctx context.Context, registry string) (Scheme, error) { + scheme, err := fc.primary.GetScheme(ctx, registry) + if err == nil { + return scheme, nil + } + + // fallback + return fc.secondary.GetScheme(ctx, registry) +} + +// GetToken implements Cache. +func (fc *fallbackCache) GetToken(ctx context.Context, registry string, scheme Scheme, key string) (string, error) { + token, err := fc.primary.GetToken(ctx, registry, scheme, key) + if err == nil { + return token, nil + } + + // fallback + return fc.secondary.GetToken(ctx, registry, scheme, key) +} + +// Set implements Cache. +func (fc *fallbackCache) Set(ctx context.Context, registry string, scheme Scheme, key string, fetch func(context.Context) (string, error)) (string, error) { + token, err := fc.primary.Set(ctx, registry, scheme, key, fetch) + if err != nil { + return "", err + } + + return fc.secondary.Set(ctx, registry, scheme, key, func(ctx context.Context) (string, error) { + return token, nil + }) +} + +// NewSingleContextCache creates a host-based cache for optimizing the auth flow for non-compliant registries. +// It is intended to be used in a single context, such as pulling from a single repository. +// This cache should not be shared. +// +// Note: [NewCache] should be used for compliant registries as it can be shared +// across context and will generally make less re-authentication requests. +func NewSingleContextCache() Cache { + cache := NewCache() + return &fallbackCache{ + primary: cache, + // We can re-use the came concurrentCache here because the key space is different + // (keys are always empty for the hostCache) so there is no collision. + // Even if there is a collision it is not an issue. + // Re-using saves a little memory. + secondary: &hostCache{cache}, + } +} diff --git a/vendor/oras.land/oras-go/v2/registry/remote/auth/challenge.go b/vendor/oras.land/oras-go/v2/registry/remote/auth/challenge.go new file mode 100644 index 0000000000..ffc52f8e21 --- /dev/null +++ b/vendor/oras.land/oras-go/v2/registry/remote/auth/challenge.go @@ -0,0 +1,167 @@ +/* +Copyright The ORAS Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package auth + +import ( + "strconv" + "strings" +) + +// Scheme define the authentication method. +type Scheme byte + +const ( + // SchemeUnknown represents unknown or unsupported schemes + SchemeUnknown Scheme = iota + + // SchemeBasic represents the "Basic" HTTP authentication scheme. + // Reference: https://tools.ietf.org/html/rfc7617 + SchemeBasic + + // SchemeBearer represents the Bearer token in OAuth 2.0. + // Reference: https://tools.ietf.org/html/rfc6750 + SchemeBearer +) + +// parseScheme parse the authentication scheme from the given string +// case-insensitively. +func parseScheme(scheme string) Scheme { + switch { + case strings.EqualFold(scheme, "basic"): + return SchemeBasic + case strings.EqualFold(scheme, "bearer"): + return SchemeBearer + } + return SchemeUnknown +} + +// String return the string for the scheme. +func (s Scheme) String() string { + switch s { + case SchemeBasic: + return "Basic" + case SchemeBearer: + return "Bearer" + } + return "Unknown" +} + +// parseChallenge parses the "WWW-Authenticate" header returned by the remote +// registry, and extracts parameters if scheme is Bearer. +// References: +// - https://distribution.github.io/distribution/spec/auth/token/#how-to-authenticate +// - https://tools.ietf.org/html/rfc7235#section-2.1 +func parseChallenge(header string) (scheme Scheme, params map[string]string) { + // as defined in RFC 7235 section 2.1, we have + // challenge = auth-scheme [ 1*SP ( token68 / #auth-param ) ] + // auth-scheme = token + // auth-param = token BWS "=" BWS ( token / quoted-string ) + // + // since we focus parameters only on Bearer, we have + // challenge = auth-scheme [ 1*SP #auth-param ] + schemeString, rest := parseToken(header) + scheme = parseScheme(schemeString) + + // fast path for non bearer challenge + if scheme != SchemeBearer { + return + } + + // parse params for bearer auth. + // combining RFC 7235 section 2.1 with RFC 7230 section 7, we have + // #auth-param => auth-param *( OWS "," OWS auth-param ) + var key, value string + for { + key, rest = parseToken(skipSpace(rest)) + if key == "" { + return + } + + rest = skipSpace(rest) + if rest == "" || rest[0] != '=' { + return + } + rest = skipSpace(rest[1:]) + if rest == "" { + return + } + + if rest[0] == '"' { + prefix, err := strconv.QuotedPrefix(rest) + if err != nil { + return + } + value, err = strconv.Unquote(prefix) + if err != nil { + return + } + rest = rest[len(prefix):] + } else { + value, rest = parseToken(rest) + if value == "" { + return + } + } + if params == nil { + params = map[string]string{ + key: value, + } + } else { + params[key] = value + } + + rest = skipSpace(rest) + if rest == "" || rest[0] != ',' { + return + } + rest = rest[1:] + } +} + +// isNotTokenChar reports whether rune is not a `tchar` defined in RFC 7230 +// section 3.2.6. +func isNotTokenChar(r rune) bool { + // tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" + // / "+" / "-" / "." / "^" / "_" / "`" / "|" / "~" + // / DIGIT / ALPHA + // ; any VCHAR, except delimiters + return (r < 'A' || r > 'Z') && (r < 'a' || r > 'z') && + (r < '0' || r > '9') && !strings.ContainsRune("!#$%&'*+-.^_`|~", r) +} + +// parseToken finds the next token from the given string. If no token found, +// an empty token is returned and the whole of the input is returned in rest. +// Note: Since token = 1*tchar, empty string is not a valid token. +func parseToken(s string) (token, rest string) { + if i := strings.IndexFunc(s, isNotTokenChar); i != -1 { + return s[:i], s[i:] + } + return s, "" +} + +// skipSpace skips "bad" whitespace (BWS) defined in RFC 7230 section 3.2.3. +func skipSpace(s string) string { + // OWS = *( SP / HTAB ) + // ; optional whitespace + // BWS = OWS + // ; "bad" whitespace + if i := strings.IndexFunc(s, func(r rune) bool { + return r != ' ' && r != '\t' + }); i != -1 { + return s[i:] + } + return s +} diff --git a/vendor/oras.land/oras-go/v2/registry/remote/auth/client.go b/vendor/oras.land/oras-go/v2/registry/remote/auth/client.go new file mode 100644 index 0000000000..5c5330e725 --- /dev/null +++ b/vendor/oras.land/oras-go/v2/registry/remote/auth/client.go @@ -0,0 +1,430 @@ +/* +Copyright The ORAS Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Package auth provides authentication for a client to a remote registry. +package auth + +import ( + "context" + "encoding/base64" + "encoding/json" + "errors" + "fmt" + "io" + "net/http" + "net/url" + "strings" + + "oras.land/oras-go/v2/registry/remote/internal/errutil" + "oras.land/oras-go/v2/registry/remote/retry" +) + +// ErrBasicCredentialNotFound is returned when the credential is not found for +// basic auth. +var ErrBasicCredentialNotFound = errors.New("basic credential not found") + +// DefaultClient is the default auth-decorated client. +var DefaultClient = &Client{ + Client: retry.DefaultClient, + Header: http.Header{ + "User-Agent": {"oras-go"}, + }, + Cache: DefaultCache, +} + +// maxResponseBytes specifies the default limit on how many response bytes are +// allowed in the server's response from authorization service servers. +// A typical response message from authorization service servers is around 1 to +// 4 KiB. Since the size of a token must be smaller than the HTTP header size +// limit, which is usually 16 KiB. As specified by the distribution, the +// response may contain 2 identical tokens, that is, 16 x 2 = 32 KiB. +// Hence, 128 KiB should be sufficient. +// References: https://distribution.github.io/distribution/spec/auth/token/ +var maxResponseBytes int64 = 128 * 1024 // 128 KiB + +// defaultClientID specifies the default client ID used in OAuth2. +// See also ClientID. +var defaultClientID = "oras-go" + +// CredentialFunc represents a function that resolves the credential for the +// given registry (i.e. host:port). +// +// [EmptyCredential] is a valid return value and should not be considered as +// an error. +type CredentialFunc func(ctx context.Context, hostport string) (Credential, error) + +// StaticCredential specifies static credentials for the given host. +func StaticCredential(registry string, cred Credential) CredentialFunc { + if registry == "docker.io" { + // it is expected that traffic targeting "docker.io" will be redirected + // to "registry-1.docker.io" + // reference: https://github.com/moby/moby/blob/v24.0.0-beta.2/registry/config.go#L25-L48 + registry = "registry-1.docker.io" + } + return func(_ context.Context, hostport string) (Credential, error) { + if hostport == registry { + return cred, nil + } + return EmptyCredential, nil + } +} + +// Client is an auth-decorated HTTP client. +// Its zero value is a usable client that uses http.DefaultClient with no cache. +type Client struct { + // Client is the underlying HTTP client used to access the remote + // server. + // If nil, http.DefaultClient is used. + // It is possible to use the default retry client from the package + // `oras.land/oras-go/v2/registry/remote/retry`. That client is already available + // in the DefaultClient. + // It is also possible to use a custom client. For example, github.com/hashicorp/go-retryablehttp + // is a popular HTTP client that supports retries. + Client *http.Client + + // Header contains the custom headers to be added to each request. + Header http.Header + + // Credential specifies the function for resolving the credential for the + // given registry (i.e. host:port). + // EmptyCredential is a valid return value and should not be considered as + // an error. + // If nil, the credential is always resolved to EmptyCredential. + Credential CredentialFunc + + // Cache caches credentials for direct accessing the remote registry. + // If nil, no cache is used. + Cache Cache + + // ClientID used in fetching OAuth2 token as a required field. + // If empty, a default client ID is used. + // Reference: https://distribution.github.io/distribution/spec/auth/oauth/#getting-a-token + ClientID string + + // ForceAttemptOAuth2 controls whether to follow OAuth2 with password grant + // instead the distribution spec when authenticating using username and + // password. + // References: + // - https://distribution.github.io/distribution/spec/auth/jwt/ + // - https://distribution.github.io/distribution/spec/auth/oauth/ + ForceAttemptOAuth2 bool +} + +// client returns an HTTP client used to access the remote registry. +// http.DefaultClient is return if the client is not configured. +func (c *Client) client() *http.Client { + if c.Client == nil { + return http.DefaultClient + } + return c.Client +} + +// send adds headers to the request and sends the request to the remote server. +func (c *Client) send(req *http.Request) (*http.Response, error) { + for key, values := range c.Header { + req.Header[key] = append(req.Header[key], values...) + } + return c.client().Do(req) +} + +// credential resolves the credential for the given registry. +func (c *Client) credential(ctx context.Context, reg string) (Credential, error) { + if c.Credential == nil { + return EmptyCredential, nil + } + return c.Credential(ctx, reg) +} + +// cache resolves the cache. +// noCache is return if the cache is not configured. +func (c *Client) cache() Cache { + if c.Cache == nil { + return noCache{} + } + return c.Cache +} + +// SetUserAgent sets the user agent for all out-going requests. +func (c *Client) SetUserAgent(userAgent string) { + if c.Header == nil { + c.Header = http.Header{} + } + c.Header.Set("User-Agent", userAgent) +} + +// Do sends the request to the remote server, attempting to resolve +// authentication if 'Authorization' header is not set. +// +// On authentication failure due to bad credential, +// - Do returns error if it fails to fetch token for bearer auth. +// - Do returns the registry response without error for basic auth. +func (c *Client) Do(originalReq *http.Request) (*http.Response, error) { + if auth := originalReq.Header.Get("Authorization"); auth != "" { + return c.send(originalReq) + } + + ctx := originalReq.Context() + req := originalReq.Clone(ctx) + + // attempt cached auth token + var attemptedKey string + cache := c.cache() + host := originalReq.Host + scheme, err := cache.GetScheme(ctx, host) + if err == nil { + switch scheme { + case SchemeBasic: + token, err := cache.GetToken(ctx, host, SchemeBasic, "") + if err == nil { + req.Header.Set("Authorization", "Basic "+token) + } + case SchemeBearer: + scopes := GetAllScopesForHost(ctx, host) + attemptedKey = strings.Join(scopes, " ") + token, err := cache.GetToken(ctx, host, SchemeBearer, attemptedKey) + if err == nil { + req.Header.Set("Authorization", "Bearer "+token) + } + } + } + + resp, err := c.send(req) + if err != nil { + return nil, err + } + if resp.StatusCode != http.StatusUnauthorized { + return resp, nil + } + + // attempt again with credentials for recognized schemes + challenge := resp.Header.Get("Www-Authenticate") + scheme, params := parseChallenge(challenge) + switch scheme { + case SchemeBasic: + resp.Body.Close() + + token, err := cache.Set(ctx, host, SchemeBasic, "", func(ctx context.Context) (string, error) { + return c.fetchBasicAuth(ctx, host) + }) + if err != nil { + return nil, fmt.Errorf("%s %q: %w", resp.Request.Method, resp.Request.URL, err) + } + + req = originalReq.Clone(ctx) + req.Header.Set("Authorization", "Basic "+token) + case SchemeBearer: + resp.Body.Close() + + scopes := GetAllScopesForHost(ctx, host) + if paramScope := params["scope"]; paramScope != "" { + // merge hinted scopes with challenged scopes + scopes = append(scopes, strings.Split(paramScope, " ")...) + scopes = CleanScopes(scopes) + } + key := strings.Join(scopes, " ") + + // attempt the cache again if there is a scope change + if key != attemptedKey { + if token, err := cache.GetToken(ctx, host, SchemeBearer, key); err == nil { + req = originalReq.Clone(ctx) + req.Header.Set("Authorization", "Bearer "+token) + if err := rewindRequestBody(req); err != nil { + return nil, err + } + + resp, err := c.send(req) + if err != nil { + return nil, err + } + if resp.StatusCode != http.StatusUnauthorized { + return resp, nil + } + resp.Body.Close() + } + } + + // attempt with credentials + realm := params["realm"] + service := params["service"] + token, err := cache.Set(ctx, host, SchemeBearer, key, func(ctx context.Context) (string, error) { + return c.fetchBearerToken(ctx, host, realm, service, scopes) + }) + if err != nil { + return nil, fmt.Errorf("%s %q: %w", resp.Request.Method, resp.Request.URL, err) + } + + req = originalReq.Clone(ctx) + req.Header.Set("Authorization", "Bearer "+token) + default: + return resp, nil + } + if err := rewindRequestBody(req); err != nil { + return nil, err + } + + return c.send(req) +} + +// fetchBasicAuth fetches a basic auth token for the basic challenge. +func (c *Client) fetchBasicAuth(ctx context.Context, registry string) (string, error) { + cred, err := c.credential(ctx, registry) + if err != nil { + return "", fmt.Errorf("failed to resolve credential: %w", err) + } + if cred == EmptyCredential { + return "", ErrBasicCredentialNotFound + } + if cred.Username == "" || cred.Password == "" { + return "", errors.New("missing username or password for basic auth") + } + auth := cred.Username + ":" + cred.Password + return base64.StdEncoding.EncodeToString([]byte(auth)), nil +} + +// fetchBearerToken fetches an access token for the bearer challenge. +func (c *Client) fetchBearerToken(ctx context.Context, registry, realm, service string, scopes []string) (string, error) { + cred, err := c.credential(ctx, registry) + if err != nil { + return "", err + } + if cred.AccessToken != "" { + return cred.AccessToken, nil + } + if cred == EmptyCredential || (cred.RefreshToken == "" && !c.ForceAttemptOAuth2) { + return c.fetchDistributionToken(ctx, realm, service, scopes, cred.Username, cred.Password) + } + return c.fetchOAuth2Token(ctx, realm, service, scopes, cred) +} + +// fetchDistributionToken fetches an access token as defined by the distribution +// specification. +// It fetches anonymous tokens if no credential is provided. +// References: +// - https://distribution.github.io/distribution/spec/auth/jwt/ +// - https://distribution.github.io/distribution/spec/auth/token/ +func (c *Client) fetchDistributionToken(ctx context.Context, realm, service string, scopes []string, username, password string) (string, error) { + req, err := http.NewRequestWithContext(ctx, http.MethodGet, realm, nil) + if err != nil { + return "", err + } + if username != "" || password != "" { + req.SetBasicAuth(username, password) + } + q := req.URL.Query() + if service != "" { + q.Set("service", service) + } + for _, scope := range scopes { + q.Add("scope", scope) + } + req.URL.RawQuery = q.Encode() + + resp, err := c.send(req) + if err != nil { + return "", err + } + defer resp.Body.Close() + if resp.StatusCode != http.StatusOK { + return "", errutil.ParseErrorResponse(resp) + } + + // As specified in https://distribution.github.io/distribution/spec/auth/token/ section + // "Token Response Fields", the token is either in `token` or + // `access_token`. If both present, they are identical. + var result struct { + Token string `json:"token"` + AccessToken string `json:"access_token"` + } + lr := io.LimitReader(resp.Body, maxResponseBytes) + if err := json.NewDecoder(lr).Decode(&result); err != nil { + return "", fmt.Errorf("%s %q: failed to decode response: %w", resp.Request.Method, resp.Request.URL, err) + } + if result.AccessToken != "" { + return result.AccessToken, nil + } + if result.Token != "" { + return result.Token, nil + } + return "", fmt.Errorf("%s %q: empty token returned", resp.Request.Method, resp.Request.URL) +} + +// fetchOAuth2Token fetches an OAuth2 access token. +// Reference: https://distribution.github.io/distribution/spec/auth/oauth/ +func (c *Client) fetchOAuth2Token(ctx context.Context, realm, service string, scopes []string, cred Credential) (string, error) { + form := url.Values{} + if cred.RefreshToken != "" { + form.Set("grant_type", "refresh_token") + form.Set("refresh_token", cred.RefreshToken) + } else if cred.Username != "" && cred.Password != "" { + form.Set("grant_type", "password") + form.Set("username", cred.Username) + form.Set("password", cred.Password) + } else { + return "", errors.New("missing username or password for bearer auth") + } + form.Set("service", service) + clientID := c.ClientID + if clientID == "" { + clientID = defaultClientID + } + form.Set("client_id", clientID) + if len(scopes) != 0 { + form.Set("scope", strings.Join(scopes, " ")) + } + body := strings.NewReader(form.Encode()) + + req, err := http.NewRequestWithContext(ctx, http.MethodPost, realm, body) + if err != nil { + return "", err + } + req.Header.Set("Content-Type", "application/x-www-form-urlencoded") + + resp, err := c.send(req) + if err != nil { + return "", err + } + defer resp.Body.Close() + if resp.StatusCode != http.StatusOK { + return "", errutil.ParseErrorResponse(resp) + } + + var result struct { + AccessToken string `json:"access_token"` + } + lr := io.LimitReader(resp.Body, maxResponseBytes) + if err := json.NewDecoder(lr).Decode(&result); err != nil { + return "", fmt.Errorf("%s %q: failed to decode response: %w", resp.Request.Method, resp.Request.URL, err) + } + if result.AccessToken != "" { + return result.AccessToken, nil + } + return "", fmt.Errorf("%s %q: empty token returned", resp.Request.Method, resp.Request.URL) +} + +// rewindRequestBody tries to rewind the request body if exists. +func rewindRequestBody(req *http.Request) error { + if req.Body == nil || req.Body == http.NoBody { + return nil + } + if req.GetBody == nil { + return fmt.Errorf("%s %q: request body is not rewindable", req.Method, req.URL) + } + body, err := req.GetBody() + if err != nil { + return fmt.Errorf("%s %q: failed to get request body: %w", req.Method, req.URL, err) + } + req.Body = body + return nil +} diff --git a/vendor/oras.land/oras-go/v2/registry/remote/auth/credential.go b/vendor/oras.land/oras-go/v2/registry/remote/auth/credential.go new file mode 100644 index 0000000000..044bcaecdf --- /dev/null +++ b/vendor/oras.land/oras-go/v2/registry/remote/auth/credential.go @@ -0,0 +1,40 @@ +/* +Copyright The ORAS Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package auth + +// EmptyCredential represents an empty credential. +var EmptyCredential Credential + +// Credential contains authentication credentials used to access remote +// registries. +type Credential struct { + // Username is the name of the user for the remote registry. + Username string + + // Password is the secret associated with the username. + Password string + + // RefreshToken is a bearer token to be sent to the authorization service + // for fetching access tokens. + // A refresh token is often referred as an identity token. + // Reference: https://distribution.github.io/distribution/spec/auth/oauth/ + RefreshToken string + + // AccessToken is a bearer token to be sent to the registry. + // An access token is often referred as a registry token. + // Reference: https://distribution.github.io/distribution/spec/auth/token/ + AccessToken string +} diff --git a/vendor/oras.land/oras-go/v2/registry/remote/auth/scope.go b/vendor/oras.land/oras-go/v2/registry/remote/auth/scope.go new file mode 100644 index 0000000000..bdd6e5c48c --- /dev/null +++ b/vendor/oras.land/oras-go/v2/registry/remote/auth/scope.go @@ -0,0 +1,325 @@ +/* +Copyright The ORAS Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package auth + +import ( + "context" + "slices" + "strings" + + "oras.land/oras-go/v2/registry" +) + +// Actions used in scopes. +// Reference: https://distribution.github.io/distribution/spec/auth/scope/ +const ( + // ActionPull represents generic read access for resources of the repository + // type. + ActionPull = "pull" + + // ActionPush represents generic write access for resources of the + // repository type. + ActionPush = "push" + + // ActionDelete represents the delete permission for resources of the + // repository type. + ActionDelete = "delete" +) + +// ScopeRegistryCatalog is the scope for registry catalog access. +const ScopeRegistryCatalog = "registry:catalog:*" + +// ScopeRepository returns a repository scope with given actions. +// Reference: https://distribution.github.io/distribution/spec/auth/scope/ +func ScopeRepository(repository string, actions ...string) string { + actions = cleanActions(actions) + if repository == "" || len(actions) == 0 { + return "" + } + return strings.Join([]string{ + "repository", + repository, + strings.Join(actions, ","), + }, ":") +} + +// AppendRepositoryScope returns a new context containing scope hints for the +// auth client to fetch bearer tokens with the given actions on the repository. +// If called multiple times, the new scopes will be appended to the existing +// scopes. The resulted scopes are de-duplicated. +// +// For example, uploading blob to the repository "hello-world" does HEAD request +// first then POST and PUT. The HEAD request will return a challenge for scope +// `repository:hello-world:pull`, and the auth client will fetch a token for +// that challenge. Later, the POST request will return a challenge for scope +// `repository:hello-world:push`, and the auth client will fetch a token for +// that challenge again. By invoking AppendRepositoryScope with the actions +// [ActionPull] and [ActionPush] for the repository `hello-world`, +// the auth client with cache is hinted to fetch a token via a single token +// fetch request for all the HEAD, POST, PUT requests. +func AppendRepositoryScope(ctx context.Context, ref registry.Reference, actions ...string) context.Context { + if len(actions) == 0 { + return ctx + } + scope := ScopeRepository(ref.Repository, actions...) + return AppendScopesForHost(ctx, ref.Host(), scope) +} + +// scopesContextKey is the context key for scopes. +type scopesContextKey struct{} + +// WithScopes returns a context with scopes added. Scopes are de-duplicated. +// Scopes are used as hints for the auth client to fetch bearer tokens with +// larger scopes. +// +// For example, uploading blob to the repository "hello-world" does HEAD request +// first then POST and PUT. The HEAD request will return a challenge for scope +// `repository:hello-world:pull`, and the auth client will fetch a token for +// that challenge. Later, the POST request will return a challenge for scope +// `repository:hello-world:push`, and the auth client will fetch a token for +// that challenge again. By invoking WithScopes with the scope +// `repository:hello-world:pull,push`, the auth client with cache is hinted to +// fetch a token via a single token fetch request for all the HEAD, POST, PUT +// requests. +// +// Passing an empty list of scopes will virtually remove the scope hints in the +// context. +// +// Reference: https://distribution.github.io/distribution/spec/auth/scope/ +func WithScopes(ctx context.Context, scopes ...string) context.Context { + scopes = CleanScopes(scopes) + return context.WithValue(ctx, scopesContextKey{}, scopes) +} + +// AppendScopes appends additional scopes to the existing scopes in the context +// and returns a new context. The resulted scopes are de-duplicated. +// The append operation does modify the existing scope in the context passed in. +func AppendScopes(ctx context.Context, scopes ...string) context.Context { + if len(scopes) == 0 { + return ctx + } + return WithScopes(ctx, append(GetScopes(ctx), scopes...)...) +} + +// GetScopes returns the scopes in the context. +func GetScopes(ctx context.Context) []string { + if scopes, ok := ctx.Value(scopesContextKey{}).([]string); ok { + return slices.Clone(scopes) + } + return nil +} + +// scopesForHostContextKey is the context key for per-host scopes. +type scopesForHostContextKey string + +// WithScopesForHost returns a context with per-host scopes added. +// Scopes are de-duplicated. +// Scopes are used as hints for the auth client to fetch bearer tokens with +// larger scopes. +// +// For example, uploading blob to the repository "hello-world" does HEAD request +// first then POST and PUT. The HEAD request will return a challenge for scope +// `repository:hello-world:pull`, and the auth client will fetch a token for +// that challenge. Later, the POST request will return a challenge for scope +// `repository:hello-world:push`, and the auth client will fetch a token for +// that challenge again. By invoking WithScopesForHost with the scope +// `repository:hello-world:pull,push`, the auth client with cache is hinted to +// fetch a token via a single token fetch request for all the HEAD, POST, PUT +// requests. +// +// Passing an empty list of scopes will virtually remove the scope hints in the +// context for the given host. +// +// Reference: https://distribution.github.io/distribution/spec/auth/scope/ +func WithScopesForHost(ctx context.Context, host string, scopes ...string) context.Context { + scopes = CleanScopes(scopes) + return context.WithValue(ctx, scopesForHostContextKey(host), scopes) +} + +// AppendScopesForHost appends additional scopes to the existing scopes +// in the context for the given host and returns a new context. +// The resulted scopes are de-duplicated. +// The append operation does modify the existing scope in the context passed in. +func AppendScopesForHost(ctx context.Context, host string, scopes ...string) context.Context { + if len(scopes) == 0 { + return ctx + } + oldScopes := GetScopesForHost(ctx, host) + return WithScopesForHost(ctx, host, append(oldScopes, scopes...)...) +} + +// GetScopesForHost returns the scopes in the context for the given host, +// excluding global scopes added by [WithScopes] and [AppendScopes]. +func GetScopesForHost(ctx context.Context, host string) []string { + if scopes, ok := ctx.Value(scopesForHostContextKey(host)).([]string); ok { + return slices.Clone(scopes) + } + return nil +} + +// GetAllScopesForHost returns the scopes in the context for the given host, +// including global scopes added by [WithScopes] and [AppendScopes]. +func GetAllScopesForHost(ctx context.Context, host string) []string { + scopes := GetScopesForHost(ctx, host) + globalScopes := GetScopes(ctx) + + if len(scopes) == 0 { + return globalScopes + } + if len(globalScopes) == 0 { + return scopes + } + // re-clean the scopes + allScopes := append(scopes, globalScopes...) + return CleanScopes(allScopes) +} + +// CleanScopes merges and sort the actions in ascending order if the scopes have +// the same resource type and name. The final scopes are sorted in ascending +// order. In other words, the scopes passed in are de-duplicated and sorted. +// Therefore, the output of this function is deterministic. +// +// If there is a wildcard `*` in the action, other actions in the same resource +// type and name are ignored. +func CleanScopes(scopes []string) []string { + // fast paths + switch len(scopes) { + case 0: + return nil + case 1: + scope := scopes[0] + i := strings.LastIndex(scope, ":") + if i == -1 { + return []string{scope} + } + actionList := strings.Split(scope[i+1:], ",") + actionList = cleanActions(actionList) + if len(actionList) == 0 { + return nil + } + actions := strings.Join(actionList, ",") + scope = scope[:i+1] + actions + return []string{scope} + } + + // slow path + var result []string + + // merge recognizable scopes + resourceTypes := make(map[string]map[string]map[string]struct{}) + for _, scope := range scopes { + // extract resource type + i := strings.Index(scope, ":") + if i == -1 { + result = append(result, scope) + continue + } + resourceType := scope[:i] + + // extract resource name and actions + rest := scope[i+1:] + i = strings.LastIndex(rest, ":") + if i == -1 { + result = append(result, scope) + continue + } + resourceName := rest[:i] + actions := rest[i+1:] + if actions == "" { + // drop scope since no action found + continue + } + + // add to the intermediate map for de-duplication + namedActions := resourceTypes[resourceType] + if namedActions == nil { + namedActions = make(map[string]map[string]struct{}) + resourceTypes[resourceType] = namedActions + } + actionSet := namedActions[resourceName] + if actionSet == nil { + actionSet = make(map[string]struct{}) + namedActions[resourceName] = actionSet + } + for _, action := range strings.Split(actions, ",") { + if action != "" { + actionSet[action] = struct{}{} + } + } + } + + // reconstruct scopes + for resourceType, namedActions := range resourceTypes { + for resourceName, actionSet := range namedActions { + if len(actionSet) == 0 { + continue + } + var actions []string + for action := range actionSet { + if action == "*" { + actions = []string{"*"} + break + } + actions = append(actions, action) + } + slices.Sort(actions) + scope := resourceType + ":" + resourceName + ":" + strings.Join(actions, ",") + result = append(result, scope) + } + } + + // sort and return + slices.Sort(result) + return result +} + +// cleanActions removes the duplicated actions and sort in ascending order. +// If there is a wildcard `*` in the action, other actions are ignored. +func cleanActions(actions []string) []string { + // fast paths + switch len(actions) { + case 0: + return nil + case 1: + if actions[0] == "" { + return nil + } + return actions + } + + // slow path + slices.Sort(actions) + n := 0 + for i := range len(actions) { + if actions[i] == "*" { + return []string{"*"} + } + if actions[i] != actions[n] { + n++ + if n != i { + actions[n] = actions[i] + } + } + } + n++ + if actions[0] == "" { + if n == 1 { + return nil + } + return actions[1:n] + } + return actions[:n] +} diff --git a/vendor/oras.land/oras-go/v2/registry/remote/credentials/file_store.go b/vendor/oras.land/oras-go/v2/registry/remote/credentials/file_store.go new file mode 100644 index 0000000000..7664cc2ab0 --- /dev/null +++ b/vendor/oras.land/oras-go/v2/registry/remote/credentials/file_store.go @@ -0,0 +1,97 @@ +/* +Copyright The ORAS Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package credentials + +import ( + "context" + "errors" + "fmt" + "strings" + + "oras.land/oras-go/v2/registry/remote/auth" + "oras.land/oras-go/v2/registry/remote/credentials/internal/config" +) + +// FileStore implements a credentials store using the docker configuration file +// to keep the credentials in plain-text. +// +// Reference: https://docs.docker.com/engine/reference/commandline/cli/#docker-cli-configuration-file-configjson-properties +type FileStore struct { + // DisablePut disables putting credentials in plaintext. + // If DisablePut is set to true, Put() will return ErrPlaintextPutDisabled. + DisablePut bool + + config *config.Config +} + +var ( + // ErrPlaintextPutDisabled is returned by Put() when DisablePut is set + // to true. + ErrPlaintextPutDisabled = errors.New("putting plaintext credentials is disabled") + // ErrBadCredentialFormat is returned by Put() when the credential format + // is bad. + ErrBadCredentialFormat = errors.New("bad credential format") +) + +// NewFileStore creates a new file credentials store. +// +// Reference: https://docs.docker.com/engine/reference/commandline/cli/#docker-cli-configuration-file-configjson-properties +func NewFileStore(configPath string) (*FileStore, error) { + cfg, err := config.Load(configPath) + if err != nil { + return nil, err + } + return newFileStore(cfg), nil +} + +// newFileStore creates a file credentials store based on the given config instance. +func newFileStore(cfg *config.Config) *FileStore { + return &FileStore{config: cfg} +} + +// Get retrieves credentials from the store for the given server address. +func (fs *FileStore) Get(_ context.Context, serverAddress string) (auth.Credential, error) { + return fs.config.GetCredential(serverAddress) +} + +// Put saves credentials into the store for the given server address. +// Returns ErrPlaintextPutDisabled if fs.DisablePut is set to true. +func (fs *FileStore) Put(_ context.Context, serverAddress string, cred auth.Credential) error { + if fs.DisablePut { + return ErrPlaintextPutDisabled + } + if err := validateCredentialFormat(cred); err != nil { + return err + } + + return fs.config.PutCredential(serverAddress, cred) +} + +// Delete removes credentials from the store for the given server address. +func (fs *FileStore) Delete(_ context.Context, serverAddress string) error { + return fs.config.DeleteCredential(serverAddress) +} + +// validateCredentialFormat validates the format of cred. +func validateCredentialFormat(cred auth.Credential) error { + if strings.ContainsRune(cred.Username, ':') { + // Username and password will be encoded in the base64(username:password) + // format in the file. The decoded result will be wrong if username + // contains colon(s). + return fmt.Errorf("%w: colons(:) are not allowed in username", ErrBadCredentialFormat) + } + return nil +} diff --git a/vendor/oras.land/oras-go/v2/registry/remote/credentials/internal/config/config.go b/vendor/oras.land/oras-go/v2/registry/remote/credentials/internal/config/config.go new file mode 100644 index 0000000000..3a898f22b1 --- /dev/null +++ b/vendor/oras.land/oras-go/v2/registry/remote/credentials/internal/config/config.go @@ -0,0 +1,332 @@ +/* +Copyright The ORAS Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package config + +import ( + "bytes" + "encoding/base64" + "encoding/json" + "errors" + "fmt" + "os" + "path/filepath" + "strings" + "sync" + + "oras.land/oras-go/v2/registry/remote/auth" + "oras.land/oras-go/v2/registry/remote/credentials/internal/ioutil" +) + +const ( + // configFieldAuths is the "auths" field in the config file. + // Reference: https://github.com/docker/cli/blob/v24.0.0-beta.2/cli/config/configfile/file.go#L19 + configFieldAuths = "auths" + // configFieldCredentialsStore is the "credsStore" field in the config file. + configFieldCredentialsStore = "credsStore" + // configFieldCredentialHelpers is the "credHelpers" field in the config file. + configFieldCredentialHelpers = "credHelpers" +) + +// ErrInvalidConfigFormat is returned when the config format is invalid. +var ErrInvalidConfigFormat = errors.New("invalid config format") + +// AuthConfig contains authorization information for connecting to a Registry. +// References: +// - https://github.com/docker/cli/blob/v24.0.0-beta.2/cli/config/configfile/file.go#L17-L45 +// - https://github.com/docker/cli/blob/v24.0.0-beta.2/cli/config/types/authconfig.go#L3-L22 +type AuthConfig struct { + // Auth is a base64-encoded string of "{username}:{password}". + Auth string `json:"auth,omitempty"` + // IdentityToken is used to authenticate the user and get an access token + // for the registry. + IdentityToken string `json:"identitytoken,omitempty"` + // RegistryToken is a bearer token to be sent to a registry. + RegistryToken string `json:"registrytoken,omitempty"` + + Username string `json:"username,omitempty"` // legacy field for compatibility + Password string `json:"password,omitempty"` // legacy field for compatibility +} + +// NewAuthConfig creates an authConfig based on cred. +func NewAuthConfig(cred auth.Credential) AuthConfig { + return AuthConfig{ + Auth: encodeAuth(cred.Username, cred.Password), + IdentityToken: cred.RefreshToken, + RegistryToken: cred.AccessToken, + } +} + +// Credential returns an auth.Credential based on ac. +func (ac AuthConfig) Credential() (auth.Credential, error) { + cred := auth.Credential{ + Username: ac.Username, + Password: ac.Password, + RefreshToken: ac.IdentityToken, + AccessToken: ac.RegistryToken, + } + if ac.Auth != "" { + var err error + // override username and password + cred.Username, cred.Password, err = decodeAuth(ac.Auth) + if err != nil { + return auth.EmptyCredential, fmt.Errorf("failed to decode auth field: %w: %v", ErrInvalidConfigFormat, err) + } + } + return cred, nil +} + +// Config represents a docker configuration file. +// References: +// - https://docs.docker.com/engine/reference/commandline/cli/#docker-cli-configuration-file-configjson-properties +// - https://github.com/docker/cli/blob/v24.0.0-beta.2/cli/config/configfile/file.go#L17-L44 +type Config struct { + // path is the path to the config file. + path string + // rwLock is a read-write-lock for the file store. + rwLock sync.RWMutex + // content is the content of the config file. + // Reference: https://github.com/docker/cli/blob/v24.0.0-beta.2/cli/config/configfile/file.go#L17-L44 + content map[string]json.RawMessage + // authsCache is a cache of the auths field of the config. + // Reference: https://github.com/docker/cli/blob/v24.0.0-beta.2/cli/config/configfile/file.go#L19 + authsCache map[string]json.RawMessage + // credentialsStore is the credsStore field of the config. + // Reference: https://github.com/docker/cli/blob/v24.0.0-beta.2/cli/config/configfile/file.go#L28 + credentialsStore string + // credentialHelpers is the credHelpers field of the config. + // Reference: https://github.com/docker/cli/blob/v24.0.0-beta.2/cli/config/configfile/file.go#L29 + credentialHelpers map[string]string +} + +// Load loads Config from the given config path. +func Load(configPath string) (*Config, error) { + cfg := &Config{path: configPath} + configFile, err := os.Open(configPath) + if err != nil { + if os.IsNotExist(err) { + // init content and caches if the content file does not exist + cfg.content = make(map[string]json.RawMessage) + cfg.authsCache = make(map[string]json.RawMessage) + return cfg, nil + } + return nil, fmt.Errorf("failed to open config file at %s: %w", configPath, err) + } + defer configFile.Close() + + // decode config content if the config file exists + if err := json.NewDecoder(configFile).Decode(&cfg.content); err != nil { + return nil, fmt.Errorf("failed to decode config file at %s: %w: %v", configPath, ErrInvalidConfigFormat, err) + } + + if credsStoreBytes, ok := cfg.content[configFieldCredentialsStore]; ok { + if err := json.Unmarshal(credsStoreBytes, &cfg.credentialsStore); err != nil { + return nil, fmt.Errorf("failed to unmarshal creds store field: %w: %v", ErrInvalidConfigFormat, err) + } + } + + if credHelpersBytes, ok := cfg.content[configFieldCredentialHelpers]; ok { + if err := json.Unmarshal(credHelpersBytes, &cfg.credentialHelpers); err != nil { + return nil, fmt.Errorf("failed to unmarshal cred helpers field: %w: %v", ErrInvalidConfigFormat, err) + } + } + + if authsBytes, ok := cfg.content[configFieldAuths]; ok { + if err := json.Unmarshal(authsBytes, &cfg.authsCache); err != nil { + return nil, fmt.Errorf("failed to unmarshal auths field: %w: %v", ErrInvalidConfigFormat, err) + } + } + if cfg.authsCache == nil { + cfg.authsCache = make(map[string]json.RawMessage) + } + + return cfg, nil +} + +// GetAuthConfig returns an auth.Credential for serverAddress. +func (cfg *Config) GetCredential(serverAddress string) (auth.Credential, error) { + cfg.rwLock.RLock() + defer cfg.rwLock.RUnlock() + + authCfgBytes, ok := cfg.authsCache[serverAddress] + if !ok { + // NOTE: the auth key for the server address may have been stored with + // a http/https prefix in legacy config files, e.g. "registry.example.com" + // can be stored as "https://registry.example.com/". + var matched bool + for addr, auth := range cfg.authsCache { + if ToHostname(addr) == serverAddress { + matched = true + authCfgBytes = auth + break + } + } + if !matched { + return auth.EmptyCredential, nil + } + } + var authCfg AuthConfig + if err := json.Unmarshal(authCfgBytes, &authCfg); err != nil { + return auth.EmptyCredential, fmt.Errorf("failed to unmarshal auth field: %w: %v", ErrInvalidConfigFormat, err) + } + return authCfg.Credential() +} + +// PutAuthConfig puts cred for serverAddress. +func (cfg *Config) PutCredential(serverAddress string, cred auth.Credential) error { + cfg.rwLock.Lock() + defer cfg.rwLock.Unlock() + + authCfg := NewAuthConfig(cred) + authCfgBytes, err := json.Marshal(authCfg) + if err != nil { + return fmt.Errorf("failed to marshal auth field: %w", err) + } + cfg.authsCache[serverAddress] = authCfgBytes + return cfg.saveFile() +} + +// DeleteAuthConfig deletes the corresponding credential for serverAddress. +func (cfg *Config) DeleteCredential(serverAddress string) error { + cfg.rwLock.Lock() + defer cfg.rwLock.Unlock() + + if _, ok := cfg.authsCache[serverAddress]; !ok { + // no ops + return nil + } + delete(cfg.authsCache, serverAddress) + return cfg.saveFile() +} + +// GetCredentialHelper returns the credential helpers for serverAddress. +func (cfg *Config) GetCredentialHelper(serverAddress string) string { + return cfg.credentialHelpers[serverAddress] +} + +// CredentialsStore returns the configured credentials store. +func (cfg *Config) CredentialsStore() string { + cfg.rwLock.RLock() + defer cfg.rwLock.RUnlock() + + return cfg.credentialsStore +} + +// Path returns the path to the config file. +func (cfg *Config) Path() string { + return cfg.path +} + +// SetCredentialsStore puts the configured credentials store. +func (cfg *Config) SetCredentialsStore(credsStore string) error { + cfg.rwLock.Lock() + defer cfg.rwLock.Unlock() + + cfg.credentialsStore = credsStore + return cfg.saveFile() +} + +// IsAuthConfigured returns whether there is authentication configured in this +// config file or not. +func (cfg *Config) IsAuthConfigured() bool { + return cfg.credentialsStore != "" || + len(cfg.credentialHelpers) > 0 || + len(cfg.authsCache) > 0 +} + +// saveFile saves Config into the file. +func (cfg *Config) saveFile() (returnErr error) { + // marshal content + // credentialHelpers is skipped as it's never set + if cfg.credentialsStore != "" { + credsStoreBytes, err := json.Marshal(cfg.credentialsStore) + if err != nil { + return fmt.Errorf("failed to marshal creds store: %w", err) + } + cfg.content[configFieldCredentialsStore] = credsStoreBytes + } else { + // omit empty + delete(cfg.content, configFieldCredentialsStore) + } + authsBytes, err := json.Marshal(cfg.authsCache) + if err != nil { + return fmt.Errorf("failed to marshal credentials: %w", err) + } + cfg.content[configFieldAuths] = authsBytes + jsonBytes, err := json.MarshalIndent(cfg.content, "", "\t") + if err != nil { + return fmt.Errorf("failed to marshal config: %w", err) + } + + // write the content to a ingest file for atomicity + configDir := filepath.Dir(cfg.path) + if err := os.MkdirAll(configDir, 0700); err != nil { + return fmt.Errorf("failed to make directory %s: %w", configDir, err) + } + ingest, err := ioutil.Ingest(configDir, bytes.NewReader(jsonBytes)) + if err != nil { + return fmt.Errorf("failed to save config file: %w", err) + } + defer func() { + if returnErr != nil { + // clean up the ingest file in case of error + os.Remove(ingest) + } + }() + + // overwrite the config file + if err := os.Rename(ingest, cfg.path); err != nil { + return fmt.Errorf("failed to save config file: %w", err) + } + return nil +} + +// encodeAuth base64-encodes username and password into base64(username:password). +func encodeAuth(username, password string) string { + if username == "" && password == "" { + return "" + } + return base64.StdEncoding.EncodeToString([]byte(username + ":" + password)) +} + +// decodeAuth decodes a base64 encoded string and returns username and password. +func decodeAuth(authStr string) (username string, password string, err error) { + if authStr == "" { + return "", "", nil + } + + decoded, err := base64.StdEncoding.DecodeString(authStr) + if err != nil { + return "", "", err + } + decodedStr := string(decoded) + username, password, ok := strings.Cut(decodedStr, ":") + if !ok { + return "", "", fmt.Errorf("auth '%s' does not conform the base64(username:password) format", decodedStr) + } + return username, password, nil +} + +// ToHostname normalizes a server address to just its hostname, removing +// the scheme and the path parts. +// It is used to match keys in the auths map, which may be either stored as +// hostname or as hostname including scheme (in legacy docker config files). +// Reference: https://github.com/docker/cli/blob/v24.0.6/cli/config/credentials/file_store.go#L71 +func ToHostname(addr string) string { + addr = strings.TrimPrefix(addr, "http://") + addr = strings.TrimPrefix(addr, "https://") + addr, _, _ = strings.Cut(addr, "/") + return addr +} diff --git a/vendor/oras.land/oras-go/v2/registry/remote/credentials/internal/executer/executer.go b/vendor/oras.land/oras-go/v2/registry/remote/credentials/internal/executer/executer.go new file mode 100644 index 0000000000..a074c68462 --- /dev/null +++ b/vendor/oras.land/oras-go/v2/registry/remote/credentials/internal/executer/executer.go @@ -0,0 +1,80 @@ +/* +Copyright The ORAS Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Package executer is an abstraction for the docker credential helper protocol +// binaries. It is used by nativeStore to interact with installed binaries. +package executer + +import ( + "bytes" + "context" + "errors" + "io" + "os" + "os/exec" + + "oras.land/oras-go/v2/registry/remote/credentials/trace" +) + +// dockerDesktopHelperName is the name of the docker credentials helper +// execuatable. +const dockerDesktopHelperName = "docker-credential-desktop.exe" + +// Executer is an interface that simulates an executable binary. +type Executer interface { + Execute(ctx context.Context, input io.Reader, action string) ([]byte, error) +} + +// executable implements the Executer interface. +type executable struct { + name string +} + +// New returns a new Executer instance. +func New(name string) Executer { + return &executable{ + name: name, + } +} + +// Execute operates on an executable binary and supports context. +func (c *executable) Execute(ctx context.Context, input io.Reader, action string) ([]byte, error) { + cmd := exec.CommandContext(ctx, c.name, action) + cmd.Stdin = input + cmd.Stderr = os.Stderr + trace := trace.ContextExecutableTrace(ctx) + if trace != nil && trace.ExecuteStart != nil { + trace.ExecuteStart(c.name, action) + } + output, err := cmd.Output() + if trace != nil && trace.ExecuteDone != nil { + trace.ExecuteDone(c.name, action, err) + } + if err != nil { + switch execErr := err.(type) { + case *exec.ExitError: + if errMessage := string(bytes.TrimSpace(output)); errMessage != "" { + return nil, errors.New(errMessage) + } + case *exec.Error: + // check if the error is caused by Docker Desktop not running + if execErr.Err == exec.ErrNotFound && c.name == dockerDesktopHelperName { + return nil, errors.New("credentials store is configured to `desktop.exe` but Docker Desktop seems not running") + } + } + return nil, err + } + return output, nil +} diff --git a/vendor/oras.land/oras-go/v2/registry/remote/credentials/internal/ioutil/ioutil.go b/vendor/oras.land/oras-go/v2/registry/remote/credentials/internal/ioutil/ioutil.go new file mode 100644 index 0000000000..b2e3179ddb --- /dev/null +++ b/vendor/oras.land/oras-go/v2/registry/remote/credentials/internal/ioutil/ioutil.go @@ -0,0 +1,49 @@ +/* +Copyright The ORAS Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package ioutil + +import ( + "fmt" + "io" + "os" +) + +// Ingest writes content into a temporary ingest file with the file name format +// "oras_credstore_temp_{randomString}". +func Ingest(dir string, content io.Reader) (path string, ingestErr error) { + tempFile, err := os.CreateTemp(dir, "oras_credstore_temp_*") + if err != nil { + return "", fmt.Errorf("failed to create ingest file: %w", err) + } + path = tempFile.Name() + defer func() { + if err := tempFile.Close(); err != nil && ingestErr == nil { + ingestErr = fmt.Errorf("failed to close ingest file: %w", err) + } + // remove the temp file in case of error. + if ingestErr != nil { + os.Remove(path) + } + }() + + if err := tempFile.Chmod(0600); err != nil { + return "", fmt.Errorf("failed to ensure permission: %w", err) + } + if _, err := io.Copy(tempFile, content); err != nil { + return "", fmt.Errorf("failed to ingest: %w", err) + } + return +} diff --git a/vendor/oras.land/oras-go/v2/registry/remote/credentials/memory_store.go b/vendor/oras.land/oras-go/v2/registry/remote/credentials/memory_store.go new file mode 100644 index 0000000000..7fdabb1e8a --- /dev/null +++ b/vendor/oras.land/oras-go/v2/registry/remote/credentials/memory_store.go @@ -0,0 +1,81 @@ +/* + Copyright The ORAS Authors. + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +package credentials + +import ( + "context" + "encoding/json" + "fmt" + "sync" + + "oras.land/oras-go/v2/registry/remote/auth" + "oras.land/oras-go/v2/registry/remote/credentials/internal/config" +) + +// memoryStore is a store that keeps credentials in memory. +type memoryStore struct { + store sync.Map +} + +// NewMemoryStore creates a new in-memory credentials store. +func NewMemoryStore() Store { + return &memoryStore{} +} + +// NewMemoryStoreFromDockerConfig creates a new in-memory credentials store from the given configuration. +// +// Reference: https://docs.docker.com/engine/reference/commandline/cli/#docker-cli-configuration-file-configjson-properties +func NewMemoryStoreFromDockerConfig(c []byte) (Store, error) { + cfg := struct { + Auths map[string]config.AuthConfig `json:"auths"` + }{} + if err := json.Unmarshal(c, &cfg); err != nil { + return nil, fmt.Errorf("failed to unmarshal auth field: %w: %v", config.ErrInvalidConfigFormat, err) + } + + s := &memoryStore{} + for addr, auth := range cfg.Auths { + // Normalize the auth key to hostname. + hostname := config.ToHostname(addr) + cred, err := auth.Credential() + if err != nil { + return nil, err + } + _, _ = s.store.LoadOrStore(hostname, cred) + } + return s, nil +} + +// Get retrieves credentials from the store for the given server address. +func (ms *memoryStore) Get(_ context.Context, serverAddress string) (auth.Credential, error) { + cred, found := ms.store.Load(serverAddress) + if !found { + return auth.EmptyCredential, nil + } + return cred.(auth.Credential), nil +} + +// Put saves credentials into the store for the given server address. +func (ms *memoryStore) Put(_ context.Context, serverAddress string, cred auth.Credential) error { + ms.store.Store(serverAddress, cred) + return nil +} + +// Delete removes credentials from the store for the given server address. +func (ms *memoryStore) Delete(_ context.Context, serverAddress string) error { + ms.store.Delete(serverAddress) + return nil +} diff --git a/vendor/oras.land/oras-go/v2/registry/remote/credentials/native_store.go b/vendor/oras.land/oras-go/v2/registry/remote/credentials/native_store.go new file mode 100644 index 0000000000..9f4c7f742d --- /dev/null +++ b/vendor/oras.land/oras-go/v2/registry/remote/credentials/native_store.go @@ -0,0 +1,139 @@ +/* +Copyright The ORAS Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package credentials + +import ( + "bytes" + "context" + "encoding/json" + "os/exec" + "strings" + + "oras.land/oras-go/v2/registry/remote/auth" + "oras.land/oras-go/v2/registry/remote/credentials/internal/executer" +) + +const ( + remoteCredentialsPrefix = "docker-credential-" + emptyUsername = "" + errCredentialsNotFoundMessage = "credentials not found in native keychain" +) + +// dockerCredentials mimics how docker credential helper binaries store +// credential information. +// Reference: +// - https://docs.docker.com/engine/reference/commandline/login/#credential-helper-protocol +type dockerCredentials struct { + ServerURL string `json:"ServerURL"` + Username string `json:"Username"` + Secret string `json:"Secret"` +} + +// nativeStore implements a credentials store using native keychain to keep +// credentials secure. +type nativeStore struct { + exec executer.Executer +} + +// NewNativeStore creates a new native store that uses a remote helper program to +// manage credentials. +// +// The argument of NewNativeStore can be the native keychains +// ("wincred" for Windows, "pass" for linux and "osxkeychain" for macOS), +// or any program that follows the docker-credentials-helper protocol. +// +// Reference: +// - https://docs.docker.com/engine/reference/commandline/login#credentials-store +func NewNativeStore(helperSuffix string) Store { + return &nativeStore{ + exec: executer.New(remoteCredentialsPrefix + helperSuffix), + } +} + +// NewDefaultNativeStore returns a native store based on the platform-default +// docker credentials helper and a bool indicating if the native store is +// available. +// - Windows: "wincred" +// - Linux: "pass" or "secretservice" +// - macOS: "osxkeychain" +// +// Reference: +// - https://docs.docker.com/engine/reference/commandline/login/#credentials-store +func NewDefaultNativeStore() (Store, bool) { + if helper := getDefaultHelperSuffix(); helper != "" { + return NewNativeStore(helper), true + } + return nil, false +} + +// Get retrieves credentials from the store for the given server. +func (ns *nativeStore) Get(ctx context.Context, serverAddress string) (auth.Credential, error) { + var cred auth.Credential + out, err := ns.exec.Execute(ctx, strings.NewReader(serverAddress), "get") + if err != nil { + if err.Error() == errCredentialsNotFoundMessage { + // do not return an error if the credentials are not in the keychain. + return auth.EmptyCredential, nil + } + return auth.EmptyCredential, err + } + var dockerCred dockerCredentials + if err := json.Unmarshal(out, &dockerCred); err != nil { + return auth.EmptyCredential, err + } + // bearer auth is used if the username is "" + if dockerCred.Username == emptyUsername { + cred.RefreshToken = dockerCred.Secret + } else { + cred.Username = dockerCred.Username + cred.Password = dockerCred.Secret + } + return cred, nil +} + +// Put saves credentials into the store. +func (ns *nativeStore) Put(ctx context.Context, serverAddress string, cred auth.Credential) error { + dockerCred := &dockerCredentials{ + ServerURL: serverAddress, + Username: cred.Username, + Secret: cred.Password, + } + if cred.RefreshToken != "" { + dockerCred.Username = emptyUsername + dockerCred.Secret = cred.RefreshToken + } + credJSON, err := json.Marshal(dockerCred) + if err != nil { + return err + } + _, err = ns.exec.Execute(ctx, bytes.NewReader(credJSON), "store") + return err +} + +// Delete removes credentials from the store for the given server. +func (ns *nativeStore) Delete(ctx context.Context, serverAddress string) error { + _, err := ns.exec.Execute(ctx, strings.NewReader(serverAddress), "erase") + return err +} + +// getDefaultHelperSuffix returns the default credential helper suffix. +func getDefaultHelperSuffix() string { + platformDefault := getPlatformDefaultHelperSuffix() + if _, err := exec.LookPath(remoteCredentialsPrefix + platformDefault); err == nil { + return platformDefault + } + return "" +} diff --git a/vendor/oras.land/oras-go/v2/registry/remote/credentials/native_store_darwin.go b/vendor/oras.land/oras-go/v2/registry/remote/credentials/native_store_darwin.go new file mode 100644 index 0000000000..1a9aca6fc7 --- /dev/null +++ b/vendor/oras.land/oras-go/v2/registry/remote/credentials/native_store_darwin.go @@ -0,0 +1,23 @@ +/* +Copyright The ORAS Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package credentials + +// getPlatformDefaultHelperSuffix returns the platform default credential +// helper suffix. +// Reference: https://docs.docker.com/engine/reference/commandline/login/#default-behavior +func getPlatformDefaultHelperSuffix() string { + return "osxkeychain" +} diff --git a/vendor/oras.land/oras-go/v2/registry/remote/credentials/native_store_generic.go b/vendor/oras.land/oras-go/v2/registry/remote/credentials/native_store_generic.go new file mode 100644 index 0000000000..5c7d4a3b27 --- /dev/null +++ b/vendor/oras.land/oras-go/v2/registry/remote/credentials/native_store_generic.go @@ -0,0 +1,25 @@ +//go:build !windows && !darwin && !linux + +/* +Copyright The ORAS Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package credentials + +// getPlatformDefaultHelperSuffix returns the platform default credential +// helper suffix. +// Reference: https://docs.docker.com/engine/reference/commandline/login/#default-behavior +func getPlatformDefaultHelperSuffix() string { + return "" +} diff --git a/vendor/oras.land/oras-go/v2/registry/remote/credentials/native_store_linux.go b/vendor/oras.land/oras-go/v2/registry/remote/credentials/native_store_linux.go new file mode 100644 index 0000000000..f182923b7a --- /dev/null +++ b/vendor/oras.land/oras-go/v2/registry/remote/credentials/native_store_linux.go @@ -0,0 +1,29 @@ +/* +Copyright The ORAS Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package credentials + +import "os/exec" + +// getPlatformDefaultHelperSuffix returns the platform default credential +// helper suffix. +// Reference: https://docs.docker.com/engine/reference/commandline/login/#default-behavior +func getPlatformDefaultHelperSuffix() string { + if _, err := exec.LookPath("pass"); err == nil { + return "pass" + } + + return "secretservice" +} diff --git a/vendor/oras.land/oras-go/v2/registry/remote/credentials/native_store_windows.go b/vendor/oras.land/oras-go/v2/registry/remote/credentials/native_store_windows.go new file mode 100644 index 0000000000..e334cc79b1 --- /dev/null +++ b/vendor/oras.land/oras-go/v2/registry/remote/credentials/native_store_windows.go @@ -0,0 +1,23 @@ +/* +Copyright The ORAS Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package credentials + +// getPlatformDefaultHelperSuffix returns the platform default credential +// helper suffix. +// Reference: https://docs.docker.com/engine/reference/commandline/login/#default-behavior +func getPlatformDefaultHelperSuffix() string { + return "wincred" +} diff --git a/vendor/oras.land/oras-go/v2/registry/remote/credentials/registry.go b/vendor/oras.land/oras-go/v2/registry/remote/credentials/registry.go new file mode 100644 index 0000000000..39735b77cb --- /dev/null +++ b/vendor/oras.land/oras-go/v2/registry/remote/credentials/registry.go @@ -0,0 +1,102 @@ +/* +Copyright The ORAS Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package credentials + +import ( + "context" + "errors" + "fmt" + + "oras.land/oras-go/v2/registry/remote" + "oras.land/oras-go/v2/registry/remote/auth" +) + +// ErrClientTypeUnsupported is thrown by Login() when the registry's client type +// is not supported. +var ErrClientTypeUnsupported = errors.New("client type not supported") + +// Login provides the login functionality with the given credentials. The target +// registry's client should be nil or of type *auth.Client. Login uses +// a client local to the function and will not modify the original client of +// the registry. +func Login(ctx context.Context, store Store, reg *remote.Registry, cred auth.Credential) error { + // create a clone of the original registry for login purpose + regClone := *reg + // we use the original client if applicable, otherwise use a default client + var authClient auth.Client + if reg.Client == nil { + authClient = *auth.DefaultClient + authClient.Cache = nil // no cache + } else if client, ok := reg.Client.(*auth.Client); ok { + authClient = *client + } else { + return ErrClientTypeUnsupported + } + regClone.Client = &authClient + // update credentials with the client + authClient.Credential = auth.StaticCredential(reg.Reference.Registry, cred) + // validate and store the credential + if err := regClone.Ping(ctx); err != nil { + return fmt.Errorf("failed to validate the credentials for %s: %w", regClone.Reference.Registry, err) + } + hostname := ServerAddressFromRegistry(regClone.Reference.Registry) + if err := store.Put(ctx, hostname, cred); err != nil { + return fmt.Errorf("failed to store the credentials for %s: %w", hostname, err) + } + return nil +} + +// Logout provides the logout functionality given the registry name. +func Logout(ctx context.Context, store Store, registryName string) error { + registryName = ServerAddressFromRegistry(registryName) + if err := store.Delete(ctx, registryName); err != nil { + return fmt.Errorf("failed to delete the credential for %s: %w", registryName, err) + } + return nil +} + +// Credential returns a Credential() function that can be used by auth.Client. +func Credential(store Store) auth.CredentialFunc { + return func(ctx context.Context, hostport string) (auth.Credential, error) { + hostport = ServerAddressFromHostname(hostport) + if hostport == "" { + return auth.EmptyCredential, nil + } + return store.Get(ctx, hostport) + } +} + +// ServerAddressFromRegistry maps a registry to a server address, which is used as +// a key for credentials store. The Docker CLI expects that the credentials of +// the registry 'docker.io' will be added under the key "https://index.docker.io/v1/". +// See: https://github.com/moby/moby/blob/v24.0.2/registry/config.go#L25-L48 +func ServerAddressFromRegistry(registry string) string { + if registry == "docker.io" { + return "https://index.docker.io/v1/" + } + return registry +} + +// ServerAddressFromHostname maps a hostname to a server address, which is used as +// a key for credentials store. It is expected that the traffic targetting the +// host "registry-1.docker.io" will be redirected to "https://index.docker.io/v1/". +// See: https://github.com/moby/moby/blob/v24.0.2/registry/config.go#L25-L48 +func ServerAddressFromHostname(hostname string) string { + if hostname == "registry-1.docker.io" { + return "https://index.docker.io/v1/" + } + return hostname +} diff --git a/vendor/oras.land/oras-go/v2/registry/remote/credentials/store.go b/vendor/oras.land/oras-go/v2/registry/remote/credentials/store.go new file mode 100644 index 0000000000..e26a98ae7a --- /dev/null +++ b/vendor/oras.land/oras-go/v2/registry/remote/credentials/store.go @@ -0,0 +1,262 @@ +/* +Copyright The ORAS Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Package credentials supports reading, saving, and removing credentials from +// Docker configuration files and external credential stores that follow +// the Docker credential helper protocol. +// +// Reference: https://docs.docker.com/engine/reference/commandline/login/#credential-stores +package credentials + +import ( + "context" + "fmt" + "os" + "path/filepath" + + "oras.land/oras-go/v2/internal/syncutil" + "oras.land/oras-go/v2/registry/remote/auth" + "oras.land/oras-go/v2/registry/remote/credentials/internal/config" +) + +const ( + dockerConfigDirEnv = "DOCKER_CONFIG" + dockerConfigFileDir = ".docker" + dockerConfigFileName = "config.json" +) + +// Store is the interface that any credentials store must implement. +type Store interface { + // Get retrieves credentials from the store for the given server address. + Get(ctx context.Context, serverAddress string) (auth.Credential, error) + // Put saves credentials into the store for the given server address. + Put(ctx context.Context, serverAddress string, cred auth.Credential) error + // Delete removes credentials from the store for the given server address. + Delete(ctx context.Context, serverAddress string) error +} + +// DynamicStore dynamically determines which store to use based on the settings +// in the config file. +type DynamicStore struct { + config *config.Config + options StoreOptions + detectedCredsStore string + setCredsStoreOnce syncutil.OnceOrRetry +} + +// StoreOptions provides options for NewStore. +type StoreOptions struct { + // AllowPlaintextPut allows saving credentials in plaintext in the config + // file. + // - If AllowPlaintextPut is set to false (default value), Put() will + // return an error when native store is not available. + // - If AllowPlaintextPut is set to true, Put() will save credentials in + // plaintext in the config file when native store is not available. + AllowPlaintextPut bool + + // DetectDefaultNativeStore enables detecting the platform-default native + // credentials store when the config file has no authentication information. + // + // If DetectDefaultNativeStore is set to true, the store will detect and set + // the default native credentials store in the "credsStore" field of the + // config file. + // - Windows: "wincred" + // - Linux: "pass" or "secretservice" + // - macOS: "osxkeychain" + // + // References: + // - https://docs.docker.com/engine/reference/commandline/login/#credentials-store + // - https://docs.docker.com/engine/reference/commandline/cli/#docker-cli-configuration-file-configjson-properties + DetectDefaultNativeStore bool +} + +// NewStore returns a Store based on the given configuration file. +// +// For Get(), Put() and Delete(), the returned Store will dynamically determine +// which underlying credentials store to use for the given server address. +// The underlying credentials store is determined in the following order: +// 1. Native server-specific credential helper +// 2. Native credentials store +// 3. The plain-text config file itself +// +// References: +// - https://docs.docker.com/engine/reference/commandline/login/#credentials-store +// - https://docs.docker.com/engine/reference/commandline/cli/#docker-cli-configuration-file-configjson-properties +func NewStore(configPath string, opts StoreOptions) (*DynamicStore, error) { + cfg, err := config.Load(configPath) + if err != nil { + return nil, err + } + ds := &DynamicStore{ + config: cfg, + options: opts, + } + if opts.DetectDefaultNativeStore && !cfg.IsAuthConfigured() { + // no authentication configured, detect the default credentials store + ds.detectedCredsStore = getDefaultHelperSuffix() + } + return ds, nil +} + +// NewStoreFromDocker returns a Store based on the default docker config file. +// - If the $DOCKER_CONFIG environment variable is set, +// $DOCKER_CONFIG/config.json will be used. +// - Otherwise, the default location $HOME/.docker/config.json will be used. +// +// NewStoreFromDocker internally calls [NewStore]. +// +// References: +// - https://docs.docker.com/engine/reference/commandline/cli/#configuration-files +// - https://docs.docker.com/engine/reference/commandline/cli/#change-the-docker-directory +func NewStoreFromDocker(opt StoreOptions) (*DynamicStore, error) { + configPath, err := getDockerConfigPath() + if err != nil { + return nil, err + } + return NewStore(configPath, opt) +} + +// Get retrieves credentials from the store for the given server address. +func (ds *DynamicStore) Get(ctx context.Context, serverAddress string) (auth.Credential, error) { + return ds.getStore(serverAddress).Get(ctx, serverAddress) +} + +// Put saves credentials into the store for the given server address. +// Put returns ErrPlaintextPutDisabled if native store is not available and +// [StoreOptions].AllowPlaintextPut is set to false. +func (ds *DynamicStore) Put(ctx context.Context, serverAddress string, cred auth.Credential) error { + if err := ds.getStore(serverAddress).Put(ctx, serverAddress, cred); err != nil { + return err + } + // save the detected creds store back to the config file on first put + return ds.setCredsStoreOnce.Do(func() error { + if ds.detectedCredsStore != "" { + if err := ds.config.SetCredentialsStore(ds.detectedCredsStore); err != nil { + return fmt.Errorf("failed to set credsStore: %w", err) + } + } + return nil + }) +} + +// Delete removes credentials from the store for the given server address. +func (ds *DynamicStore) Delete(ctx context.Context, serverAddress string) error { + return ds.getStore(serverAddress).Delete(ctx, serverAddress) +} + +// IsAuthConfigured returns whether there is authentication configured in the +// config file or not. +// +// IsAuthConfigured returns true when: +// - The "credsStore" field is not empty +// - Or the "credHelpers" field is not empty +// - Or there is any entry in the "auths" field +func (ds *DynamicStore) IsAuthConfigured() bool { + return ds.config.IsAuthConfigured() +} + +// ConfigPath returns the path to the config file. +func (ds *DynamicStore) ConfigPath() string { + return ds.config.Path() +} + +// getHelperSuffix returns the credential helper suffix for the given server +// address. +func (ds *DynamicStore) getHelperSuffix(serverAddress string) string { + // 1. Look for a server-specific credential helper first + if helper := ds.config.GetCredentialHelper(serverAddress); helper != "" { + return helper + } + // 2. Then look for the configured native store + if credsStore := ds.config.CredentialsStore(); credsStore != "" { + return credsStore + } + // 3. Use the detected default store + return ds.detectedCredsStore +} + +// getStore returns a store for the given server address. +func (ds *DynamicStore) getStore(serverAddress string) Store { + if helper := ds.getHelperSuffix(serverAddress); helper != "" { + return NewNativeStore(helper) + } + + fs := newFileStore(ds.config) + fs.DisablePut = !ds.options.AllowPlaintextPut + return fs +} + +// getDockerConfigPath returns the path to the default docker config file. +func getDockerConfigPath() (string, error) { + // first try the environment variable + configDir := os.Getenv(dockerConfigDirEnv) + if configDir == "" { + // then try home directory + homeDir, err := os.UserHomeDir() + if err != nil { + return "", fmt.Errorf("failed to get user home directory: %w", err) + } + configDir = filepath.Join(homeDir, dockerConfigFileDir) + } + return filepath.Join(configDir, dockerConfigFileName), nil +} + +// storeWithFallbacks is a store that has multiple fallback stores. +type storeWithFallbacks struct { + stores []Store +} + +// NewStoreWithFallbacks returns a new store based on the given stores. +// - Get() searches the primary and the fallback stores +// for the credentials and returns when it finds the +// credentials in any of the stores. +// - Put() saves the credentials into the primary store. +// - Delete() deletes the credentials from the primary store. +func NewStoreWithFallbacks(primary Store, fallbacks ...Store) Store { + if len(fallbacks) == 0 { + return primary + } + return &storeWithFallbacks{ + stores: append([]Store{primary}, fallbacks...), + } +} + +// Get retrieves credentials from the StoreWithFallbacks for the given server. +// It searches the primary and the fallback stores for the credentials of serverAddress +// and returns when it finds the credentials in any of the stores. +func (sf *storeWithFallbacks) Get(ctx context.Context, serverAddress string) (auth.Credential, error) { + for _, s := range sf.stores { + cred, err := s.Get(ctx, serverAddress) + if err != nil { + return auth.EmptyCredential, err + } + if cred != auth.EmptyCredential { + return cred, nil + } + } + return auth.EmptyCredential, nil +} + +// Put saves credentials into the StoreWithFallbacks. It puts +// the credentials into the primary store. +func (sf *storeWithFallbacks) Put(ctx context.Context, serverAddress string, cred auth.Credential) error { + return sf.stores[0].Put(ctx, serverAddress, cred) +} + +// Delete removes credentials from the StoreWithFallbacks for the given server. +// It deletes the credentials from the primary store. +func (sf *storeWithFallbacks) Delete(ctx context.Context, serverAddress string) error { + return sf.stores[0].Delete(ctx, serverAddress) +} diff --git a/vendor/oras.land/oras-go/v2/registry/remote/credentials/trace/trace.go b/vendor/oras.land/oras-go/v2/registry/remote/credentials/trace/trace.go new file mode 100644 index 0000000000..b7cd8683c4 --- /dev/null +++ b/vendor/oras.land/oras-go/v2/registry/remote/credentials/trace/trace.go @@ -0,0 +1,94 @@ +/* +Copyright The ORAS Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package trace + +import "context" + +// executableTraceContextKey is a value key used to retrieve the ExecutableTrace +// from Context. +type executableTraceContextKey struct{} + +// ExecutableTrace is a set of hooks used to trace the execution of binary +// executables. Any particular hook may be nil. +type ExecutableTrace struct { + // ExecuteStart is called before the execution of the executable. The + // executableName parameter is the name of the credential helper executable + // used with NativeStore. The action parameter is one of "store", "get" and + // "erase". + // + // Reference: + // - https://docs.docker.com/engine/reference/commandline/login#credentials-store + ExecuteStart func(executableName string, action string) + + // ExecuteDone is called after the execution of an executable completes. + // The executableName parameter is the name of the credential helper + // executable used with NativeStore. The action parameter is one of "store", + // "get" and "erase". The err parameter is the error (if any) returned from + // the execution. + // + // Reference: + // - https://docs.docker.com/engine/reference/commandline/login#credentials-store + ExecuteDone func(executableName string, action string, err error) +} + +// ContextExecutableTrace returns the ExecutableTrace associated with the +// context. If none, it returns nil. +func ContextExecutableTrace(ctx context.Context) *ExecutableTrace { + trace, _ := ctx.Value(executableTraceContextKey{}).(*ExecutableTrace) + return trace +} + +// WithExecutableTrace takes a Context and an ExecutableTrace, and returns a +// Context with the ExecutableTrace added as a Value. If the Context has a +// previously added trace, the hooks defined in the new trace will be added +// in addition to the previous ones. The recent hooks will be called first. +func WithExecutableTrace(ctx context.Context, trace *ExecutableTrace) context.Context { + if trace == nil { + return ctx + } + if oldTrace := ContextExecutableTrace(ctx); oldTrace != nil { + trace.compose(oldTrace) + } + return context.WithValue(ctx, executableTraceContextKey{}, trace) +} + +// compose takes an oldTrace and modifies the existing trace to include +// the hooks defined in the oldTrace. The hooks in the existing trace will +// be called first. +func (trace *ExecutableTrace) compose(oldTrace *ExecutableTrace) { + if oldStart := oldTrace.ExecuteStart; oldStart != nil { + start := trace.ExecuteStart + if start != nil { + trace.ExecuteStart = func(executableName, action string) { + start(executableName, action) + oldStart(executableName, action) + } + } else { + trace.ExecuteStart = oldStart + } + } + if oldDone := oldTrace.ExecuteDone; oldDone != nil { + done := trace.ExecuteDone + if done != nil { + trace.ExecuteDone = func(executableName, action string, err error) { + done(executableName, action, err) + oldDone(executableName, action, err) + } + } else { + trace.ExecuteDone = oldDone + } + } +} diff --git a/vendor/oras.land/oras-go/v2/registry/remote/errcode/errors.go b/vendor/oras.land/oras-go/v2/registry/remote/errcode/errors.go new file mode 100644 index 0000000000..a32f1e5eee --- /dev/null +++ b/vendor/oras.land/oras-go/v2/registry/remote/errcode/errors.go @@ -0,0 +1,128 @@ +/* +Copyright The ORAS Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package errcode + +import ( + "fmt" + "net/http" + "net/url" + "strings" + "unicode" +) + +// References: +// - https://github.com/opencontainers/distribution-spec/blob/v1.1.1/spec.md#error-codes +// - https://distribution.github.io/distribution/spec/api/#errors-2 +const ( + ErrorCodeBlobUnknown = "BLOB_UNKNOWN" + ErrorCodeBlobUploadInvalid = "BLOB_UPLOAD_INVALID" + ErrorCodeBlobUploadUnknown = "BLOB_UPLOAD_UNKNOWN" + ErrorCodeDigestInvalid = "DIGEST_INVALID" + ErrorCodeManifestBlobUnknown = "MANIFEST_BLOB_UNKNOWN" + ErrorCodeManifestInvalid = "MANIFEST_INVALID" + ErrorCodeManifestUnknown = "MANIFEST_UNKNOWN" + ErrorCodeNameInvalid = "NAME_INVALID" + ErrorCodeNameUnknown = "NAME_UNKNOWN" + ErrorCodeSizeInvalid = "SIZE_INVALID" + ErrorCodeUnauthorized = "UNAUTHORIZED" + ErrorCodeDenied = "DENIED" + ErrorCodeUnsupported = "UNSUPPORTED" +) + +// Error represents a response inner error returned by the remote +// registry. +// References: +// - https://github.com/opencontainers/distribution-spec/blob/v1.1.1/spec.md#error-codes +// - https://distribution.github.io/distribution/spec/api/#errors-2 +type Error struct { + Code string `json:"code"` + Message string `json:"message"` + Detail any `json:"detail,omitempty"` +} + +// Error returns a error string describing the error. +func (e Error) Error() string { + code := strings.Map(func(r rune) rune { + if r == '_' { + return ' ' + } + return unicode.ToLower(r) + }, e.Code) + if e.Message == "" { + return code + } + if e.Detail == nil { + return fmt.Sprintf("%s: %s", code, e.Message) + } + return fmt.Sprintf("%s: %s: %v", code, e.Message, e.Detail) +} + +// Errors represents a list of response inner errors returned by the remote +// server. +// References: +// - https://github.com/opencontainers/distribution-spec/blob/v1.1.1/spec.md#error-codes +// - https://distribution.github.io/distribution/spec/api/#errors-2 +type Errors []Error + +// Error returns a error string describing the error. +func (errs Errors) Error() string { + switch len(errs) { + case 0: + return "" + case 1: + return errs[0].Error() + } + var errmsgs []string + for _, err := range errs { + errmsgs = append(errmsgs, err.Error()) + } + return strings.Join(errmsgs, "; ") +} + +// Unwrap returns the inner error only when there is exactly one error. +func (errs Errors) Unwrap() error { + if len(errs) == 1 { + return errs[0] + } + return nil +} + +// ErrorResponse represents an error response. +type ErrorResponse struct { + Method string + URL *url.URL + StatusCode int + Errors Errors +} + +// Error returns a error string describing the error. +func (err *ErrorResponse) Error() string { + var errmsg string + if len(err.Errors) > 0 { + errmsg = err.Errors.Error() + } else { + errmsg = http.StatusText(err.StatusCode) + } + return fmt.Sprintf("%s %q: response status code %d: %s", err.Method, err.URL, err.StatusCode, errmsg) +} + +// Unwrap returns the internal errors of err if any. +func (err *ErrorResponse) Unwrap() error { + if len(err.Errors) == 0 { + return nil + } + return err.Errors +} diff --git a/vendor/oras.land/oras-go/v2/registry/remote/internal/errutil/errutil.go b/vendor/oras.land/oras-go/v2/registry/remote/internal/errutil/errutil.go new file mode 100644 index 0000000000..52dc3612aa --- /dev/null +++ b/vendor/oras.land/oras-go/v2/registry/remote/internal/errutil/errutil.go @@ -0,0 +1,54 @@ +/* +Copyright The ORAS Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package errutil + +import ( + "encoding/json" + "errors" + "io" + "net/http" + + "oras.land/oras-go/v2/registry/remote/errcode" +) + +// maxErrorBytes specifies the default limit on how many response bytes are +// allowed in the server's error response. +// A typical error message is around 200 bytes. Hence, 8 KiB should be +// sufficient. +const maxErrorBytes int64 = 8 * 1024 // 8 KiB + +// ParseErrorResponse parses the error returned by the remote registry. +func ParseErrorResponse(resp *http.Response) error { + resultErr := &errcode.ErrorResponse{ + Method: resp.Request.Method, + URL: resp.Request.URL, + StatusCode: resp.StatusCode, + } + var body struct { + Errors errcode.Errors `json:"errors"` + } + lr := io.LimitReader(resp.Body, maxErrorBytes) + if err := json.NewDecoder(lr).Decode(&body); err == nil { + resultErr.Errors = body.Errors + } + return resultErr +} + +// IsErrorCode returns true if err is an Error and its Code equals to code. +func IsErrorCode(err error, code string) bool { + var ec errcode.Error + return errors.As(err, &ec) && ec.Code == code +} diff --git a/vendor/oras.land/oras-go/v2/registry/remote/manifest.go b/vendor/oras.land/oras-go/v2/registry/remote/manifest.go new file mode 100644 index 0000000000..0e10297cb1 --- /dev/null +++ b/vendor/oras.land/oras-go/v2/registry/remote/manifest.go @@ -0,0 +1,59 @@ +/* +Copyright The ORAS Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package remote + +import ( + "strings" + + ocispec "github.com/opencontainers/image-spec/specs-go/v1" + "oras.land/oras-go/v2/internal/docker" + "oras.land/oras-go/v2/internal/spec" +) + +// defaultManifestMediaTypes contains the default set of manifests media types. +var defaultManifestMediaTypes = []string{ + docker.MediaTypeManifest, + docker.MediaTypeManifestList, + ocispec.MediaTypeImageManifest, + ocispec.MediaTypeImageIndex, + spec.MediaTypeArtifactManifest, +} + +// defaultManifestAcceptHeader is the default set in the `Accept` header for +// resolving manifests from tags. +var defaultManifestAcceptHeader = strings.Join(defaultManifestMediaTypes, ", ") + +// isManifest determines if the given descriptor points to a manifest. +func isManifest(manifestMediaTypes []string, desc ocispec.Descriptor) bool { + if len(manifestMediaTypes) == 0 { + manifestMediaTypes = defaultManifestMediaTypes + } + for _, mediaType := range manifestMediaTypes { + if desc.MediaType == mediaType { + return true + } + } + return false +} + +// manifestAcceptHeader generates the set in the `Accept` header for resolving +// manifests from tags. +func manifestAcceptHeader(manifestMediaTypes []string) string { + if len(manifestMediaTypes) == 0 { + return defaultManifestAcceptHeader + } + return strings.Join(manifestMediaTypes, ", ") +} diff --git a/vendor/oras.land/oras-go/v2/registry/remote/referrers.go b/vendor/oras.land/oras-go/v2/registry/remote/referrers.go new file mode 100644 index 0000000000..720430d392 --- /dev/null +++ b/vendor/oras.land/oras-go/v2/registry/remote/referrers.go @@ -0,0 +1,225 @@ +/* +Copyright The ORAS Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package remote + +import ( + "errors" + "fmt" + "strings" + + ocispec "github.com/opencontainers/image-spec/specs-go/v1" + "oras.land/oras-go/v2/content" + "oras.land/oras-go/v2/internal/descriptor" +) + +// zeroDigest represents a digest that consists of zeros. zeroDigest is used +// for pinging Referrers API. +const zeroDigest = "sha256:0000000000000000000000000000000000000000000000000000000000000000" + +// referrersState represents the state of Referrers API. +type referrersState = int32 + +const ( + // referrersStateUnknown represents an unknown state of Referrers API. + referrersStateUnknown referrersState = iota + // referrersStateSupported represents that the repository is known to + // support Referrers API. + referrersStateSupported + // referrersStateUnsupported represents that the repository is known to + // not support Referrers API. + referrersStateUnsupported +) + +// referrerOperation represents an operation on a referrer. +type referrerOperation = int32 + +const ( + // referrerOperationAdd represents an addition operation on a referrer. + referrerOperationAdd referrerOperation = iota + // referrerOperationRemove represents a removal operation on a referrer. + referrerOperationRemove +) + +// referrerChange represents a change on a referrer. +type referrerChange struct { + referrer ocispec.Descriptor + operation referrerOperation +} + +var ( + // ErrReferrersCapabilityAlreadySet is returned by SetReferrersCapability() + // when the Referrers API capability has been already set. + ErrReferrersCapabilityAlreadySet = errors.New("referrers capability cannot be changed once set") + + // errNoReferrerUpdate is returned by applyReferrerChanges() when there + // is no any referrer update. + errNoReferrerUpdate = errors.New("no referrer update") +) + +const ( + // opDeleteReferrersIndex represents the operation for deleting a + // referrers index. + opDeleteReferrersIndex = "DeleteReferrersIndex" +) + +// ReferrersError records an error and the operation and the subject descriptor. +type ReferrersError struct { + // Op represents the failing operation. + Op string + // Subject is the descriptor of referenced artifact. + Subject ocispec.Descriptor + // Err is the entity of referrers error. + Err error +} + +// Error returns error msg of IgnorableError. +func (e *ReferrersError) Error() string { + return e.Err.Error() +} + +// Unwrap returns the inner error of IgnorableError. +func (e *ReferrersError) Unwrap() error { + return errors.Unwrap(e.Err) +} + +// IsIndexDelete tells if e is kind of error related to referrers +// index deletion. +func (e *ReferrersError) IsReferrersIndexDelete() bool { + return e.Op == opDeleteReferrersIndex +} + +// buildReferrersTag builds the referrers tag for the given manifest descriptor. +// Format: - +// Reference: https://github.com/opencontainers/distribution-spec/blob/v1.1.1/spec.md#unavailable-referrers-api +func buildReferrersTag(desc ocispec.Descriptor) (string, error) { + if err := desc.Digest.Validate(); err != nil { + return "", fmt.Errorf("failed to build referrers tag for %s: %w", desc.Digest, err) + } + alg := desc.Digest.Algorithm().String() + encoded := desc.Digest.Encoded() + return alg + "-" + encoded, nil +} + +// isReferrersFilterApplied checks if requsted is in the applied filter list. +func isReferrersFilterApplied(applied, requested string) bool { + if applied == "" || requested == "" { + return false + } + filters := strings.Split(applied, ",") + for _, f := range filters { + if f == requested { + return true + } + } + return false +} + +// filterReferrers filters a slice of referrers by artifactType in place. +// The returned slice contains matching referrers. +func filterReferrers(refs []ocispec.Descriptor, artifactType string) []ocispec.Descriptor { + if artifactType == "" { + return refs + } + var j int + for i, ref := range refs { + if ref.ArtifactType == artifactType { + if i != j { + refs[j] = ref + } + j++ + } + } + return refs[:j] +} + +// applyReferrerChanges applies referrerChanges on referrers and returns the +// updated referrers. +// Returns errNoReferrerUpdate if there is no any referrers updates. +func applyReferrerChanges(referrers []ocispec.Descriptor, referrerChanges []referrerChange) ([]ocispec.Descriptor, error) { + referrersMap := make(map[descriptor.Descriptor]int, len(referrers)+len(referrerChanges)) + updatedReferrers := make([]ocispec.Descriptor, 0, len(referrers)+len(referrerChanges)) + var updateRequired bool + for _, r := range referrers { + if content.Equal(r, ocispec.Descriptor{}) { + // skip bad entry + updateRequired = true + continue + } + key := descriptor.FromOCI(r) + if _, ok := referrersMap[key]; ok { + // skip duplicates + updateRequired = true + continue + } + updatedReferrers = append(updatedReferrers, r) + referrersMap[key] = len(updatedReferrers) - 1 + } + + // apply changes + for _, change := range referrerChanges { + key := descriptor.FromOCI(change.referrer) + switch change.operation { + case referrerOperationAdd: + if _, ok := referrersMap[key]; !ok { + // add distinct referrers + updatedReferrers = append(updatedReferrers, change.referrer) + referrersMap[key] = len(updatedReferrers) - 1 + } + case referrerOperationRemove: + if pos, ok := referrersMap[key]; ok { + // remove referrers that are already in the map + updatedReferrers[pos] = ocispec.Descriptor{} + delete(referrersMap, key) + } + } + } + + // skip unnecessary update + if !updateRequired && len(referrersMap) == len(referrers) { + // if the result referrer map contains the same content as the + // original referrers, consider that there is no update on the + // referrers. + for _, r := range referrers { + key := descriptor.FromOCI(r) + if _, ok := referrersMap[key]; !ok { + updateRequired = true + } + } + if !updateRequired { + return nil, errNoReferrerUpdate + } + } + + return removeEmptyDescriptors(updatedReferrers, len(referrersMap)), nil +} + +// removeEmptyDescriptors in-place removes empty items from descs, given a hint +// of the number of non-empty descriptors. +func removeEmptyDescriptors(descs []ocispec.Descriptor, hint int) []ocispec.Descriptor { + j := 0 + for i, r := range descs { + if !content.Equal(r, ocispec.Descriptor{}) { + if i > j { + descs[j] = r + } + j++ + } + if j == hint { + break + } + } + return descs[:j] +} diff --git a/vendor/oras.land/oras-go/v2/registry/remote/registry.go b/vendor/oras.land/oras-go/v2/registry/remote/registry.go new file mode 100644 index 0000000000..bb707c7e18 --- /dev/null +++ b/vendor/oras.land/oras-go/v2/registry/remote/registry.go @@ -0,0 +1,190 @@ +/* +Copyright The ORAS Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Package remote provides a client to the remote registry. +// Reference: https://github.com/distribution/distribution +package remote + +import ( + "context" + "encoding/json" + "fmt" + "net/http" + "strconv" + + "oras.land/oras-go/v2/errdef" + "oras.land/oras-go/v2/registry" + "oras.land/oras-go/v2/registry/remote/auth" + "oras.land/oras-go/v2/registry/remote/internal/errutil" +) + +// RepositoryOptions is an alias of Repository to avoid name conflicts. +// It also hides all methods associated with Repository. +type RepositoryOptions Repository + +// Registry is an HTTP client to a remote registry. +type Registry struct { + // RepositoryOptions contains common options for Registry and Repository. + // It is also used as a template for derived repositories. + RepositoryOptions + + // RepositoryListPageSize specifies the page size when invoking the catalog + // API. + // If zero, the page size is determined by the remote registry. + // Reference: https://distribution.github.io/distribution/spec/api/#catalog + RepositoryListPageSize int +} + +// NewRegistry creates a client to the remote registry with the specified domain +// name. +// Example: localhost:5000 +func NewRegistry(name string) (*Registry, error) { + ref := registry.Reference{ + Registry: name, + } + if err := ref.ValidateRegistry(); err != nil { + return nil, err + } + return &Registry{ + RepositoryOptions: RepositoryOptions{ + Reference: ref, + }, + }, nil +} + +// client returns an HTTP client used to access the remote registry. +// A default HTTP client is return if the client is not configured. +func (r *Registry) client() Client { + if r.Client == nil { + return auth.DefaultClient + } + return r.Client +} + +// do sends an HTTP request and returns an HTTP response using the HTTP client +// returned by r.client(). +func (r *Registry) do(req *http.Request) (*http.Response, error) { + if r.HandleWarning == nil { + return r.client().Do(req) + } + + resp, err := r.client().Do(req) + if err != nil { + return nil, err + } + handleWarningHeaders(resp.Header.Values(headerWarning), r.HandleWarning) + return resp, nil +} + +// Ping checks whether or not the registry implement Docker Registry API V2 or +// OCI Distribution Specification. +// Ping can be used to check authentication when an auth client is configured. +// +// References: +// - https://distribution.github.io/distribution/spec/api/#base +// - https://github.com/opencontainers/distribution-spec/blob/v1.1.1/spec.md#api +func (r *Registry) Ping(ctx context.Context) error { + url := buildRegistryBaseURL(r.PlainHTTP, r.Reference) + req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil) + if err != nil { + return err + } + + resp, err := r.do(req) + if err != nil { + return err + } + defer resp.Body.Close() + + switch resp.StatusCode { + case http.StatusOK: + return nil + case http.StatusNotFound: + return errdef.ErrNotFound + default: + return errutil.ParseErrorResponse(resp) + } +} + +// Repositories lists the name of repositories available in the registry. +// See also `RepositoryListPageSize`. +// +// If `last` is NOT empty, the entries in the response start after the +// repo specified by `last`. Otherwise, the response starts from the top +// of the Repositories list. +// +// Reference: https://distribution.github.io/distribution/spec/api/#catalog +func (r *Registry) Repositories(ctx context.Context, last string, fn func(repos []string) error) error { + ctx = auth.AppendScopesForHost(ctx, r.Reference.Host(), auth.ScopeRegistryCatalog) + url := buildRegistryCatalogURL(r.PlainHTTP, r.Reference) + var err error + for err == nil { + url, err = r.repositories(ctx, last, fn, url) + // clear `last` for subsequent pages + last = "" + } + if err != errNoLink { + return err + } + return nil +} + +// repositories returns a single page of repository list with the next link. +func (r *Registry) repositories(ctx context.Context, last string, fn func(repos []string) error, url string) (string, error) { + req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil) + if err != nil { + return "", err + } + if r.RepositoryListPageSize > 0 || last != "" { + q := req.URL.Query() + if r.RepositoryListPageSize > 0 { + q.Set("n", strconv.Itoa(r.RepositoryListPageSize)) + } + if last != "" { + q.Set("last", last) + } + req.URL.RawQuery = q.Encode() + } + resp, err := r.do(req) + if err != nil { + return "", err + } + defer resp.Body.Close() + + if resp.StatusCode != http.StatusOK { + return "", errutil.ParseErrorResponse(resp) + } + var page struct { + Repositories []string `json:"repositories"` + } + lr := limitReader(resp.Body, r.MaxMetadataBytes) + if err := json.NewDecoder(lr).Decode(&page); err != nil { + return "", fmt.Errorf("%s %q: failed to decode response: %w", resp.Request.Method, resp.Request.URL, err) + } + if err := fn(page.Repositories); err != nil { + return "", err + } + + return parseLink(resp) +} + +// Repository returns a repository reference by the given name. +func (r *Registry) Repository(ctx context.Context, name string) (registry.Repository, error) { + ref := registry.Reference{ + Registry: r.Reference.Registry, + Repository: name, + } + return newRepositoryWithOptions(ref, &r.RepositoryOptions) +} diff --git a/vendor/oras.land/oras-go/v2/registry/remote/repository.go b/vendor/oras.land/oras-go/v2/registry/remote/repository.go new file mode 100644 index 0000000000..fed993dffd --- /dev/null +++ b/vendor/oras.land/oras-go/v2/registry/remote/repository.go @@ -0,0 +1,1681 @@ +/* +Copyright The ORAS Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package remote + +import ( + "bytes" + "context" + "encoding/json" + "errors" + "fmt" + "io" + "mime" + "net/http" + "slices" + "strconv" + "strings" + "sync" + "sync/atomic" + + "github.com/opencontainers/go-digest" + specs "github.com/opencontainers/image-spec/specs-go" + ocispec "github.com/opencontainers/image-spec/specs-go/v1" + "oras.land/oras-go/v2/content" + "oras.land/oras-go/v2/errdef" + "oras.land/oras-go/v2/internal/cas" + "oras.land/oras-go/v2/internal/httputil" + "oras.land/oras-go/v2/internal/ioutil" + "oras.land/oras-go/v2/internal/spec" + "oras.land/oras-go/v2/internal/syncutil" + "oras.land/oras-go/v2/registry" + "oras.land/oras-go/v2/registry/remote/auth" + "oras.land/oras-go/v2/registry/remote/errcode" + "oras.land/oras-go/v2/registry/remote/internal/errutil" +) + +const ( + // headerDockerContentDigest is the "Docker-Content-Digest" header. + // If present on the response, it contains the canonical digest of the + // uploaded blob. + // + // References: + // - https://distribution.github.io/distribution/spec/api/#digest-header + // - https://github.com/opencontainers/distribution-spec/blob/v1.1.1/spec.md#pull + headerDockerContentDigest = "Docker-Content-Digest" + + // headerOCIFiltersApplied is the "OCI-Filters-Applied" header. + // If present on the response, it contains a comma-separated list of the + // applied filters. + // + // Reference: + // - https://github.com/opencontainers/distribution-spec/blob/v1.1.1/spec.md#listing-referrers + headerOCIFiltersApplied = "OCI-Filters-Applied" + + // headerOCISubject is the "OCI-Subject" header. + // If present on the response, it contains the digest of the subject, + // indicating that Referrers API is supported by the registry. + headerOCISubject = "OCI-Subject" +) + +// filterTypeArtifactType is the "artifactType" filter applied on the list of +// referrers. +// +// References: +// - Latest spec: https://github.com/opencontainers/distribution-spec/blob/v1.1.1/spec.md#listing-referrers +// - Compatible spec: https://github.com/opencontainers/distribution-spec/blob/v1.1.0-rc1/spec.md#listing-referrers +const filterTypeArtifactType = "artifactType" + +// Client is an interface for a HTTP client. +type Client interface { + // Do sends an HTTP request and returns an HTTP response. + // + // Unlike http.RoundTripper, Client can attempt to interpret the response + // and handle higher-level protocol details such as redirects and + // authentication. + // + // Like http.RoundTripper, Client should not modify the request, and must + // always close the request body. + Do(*http.Request) (*http.Response, error) +} + +// Repository is an HTTP client to a remote repository. +type Repository struct { + // Client is the underlying HTTP client used to access the remote registry. + // If nil, auth.DefaultClient is used. + Client Client + + // Reference references the remote repository. + Reference registry.Reference + + // PlainHTTP signals the transport to access the remote repository via HTTP + // instead of HTTPS. + PlainHTTP bool + + // ManifestMediaTypes is used in `Accept` header for resolving manifests + // from references. It is also used in identifying manifests and blobs from + // descriptors. If an empty list is present, default manifest media types + // are used. + ManifestMediaTypes []string + + // TagListPageSize specifies the page size when invoking the tag list API. + // If zero, the page size is determined by the remote registry. + // Reference: https://distribution.github.io/distribution/spec/api/#tags + TagListPageSize int + + // ReferrerListPageSize specifies the page size when invoking the Referrers + // API. + // If zero, the page size is determined by the remote registry. + // + // NOTE: Pagination for the Referrers API is not defined in the distribution + // spec, so not all registries support it. ReferrerListPageSize may be + // ignored if pagination is unsupported by the remote registry. + // + // Reference: https://github.com/oras-project/oras-go/issues/841 + ReferrerListPageSize int + + // MaxMetadataBytes specifies a limit on how many response bytes are allowed + // in the server's response to the metadata APIs, such as catalog list, tag + // list, and referrers list. + // If less than or equal to zero, a default (currently 4MiB) is used. + MaxMetadataBytes int64 + + // SkipReferrersGC specifies whether to delete the dangling referrers + // index when referrers tag schema is utilized. + // - If false, the old referrers index will be deleted after the new one + // is successfully uploaded. + // - If true, the old referrers index is kept. + // By default, it is disabled (set to false). See also: + // - https://github.com/opencontainers/distribution-spec/blob/v1.1.1/spec.md#referrers-tag-schema + // - https://github.com/opencontainers/distribution-spec/blob/v1.1.1/spec.md#pushing-manifests-with-subject + // - https://github.com/opencontainers/distribution-spec/blob/v1.1.1/spec.md#deleting-manifests + SkipReferrersGC bool + + // HandleWarning handles the warning returned by the remote server. + // Callers SHOULD deduplicate warnings from multiple associated responses. + // + // References: + // - https://github.com/opencontainers/distribution-spec/blob/v1.1.1/spec.md#warnings + // - https://www.rfc-editor.org/rfc/rfc7234#section-5.5 + HandleWarning func(warning Warning) + + // NOTE: Must keep fields in sync with clone(). + + // referrersState represents that if the repository supports Referrers API. + // default: referrersStateUnknown + referrersState referrersState + + // referrersPingLock locks the pingReferrers() method and allows only + // one go-routine to send the request. + referrersPingLock sync.Mutex + + // referrersMergePool provides a way to manage concurrent updates to a + // referrers index tagged by referrers tag schema. + referrersMergePool syncutil.Pool[syncutil.Merge[referrerChange]] +} + +// NewRepository creates a client to the remote repository identified by a +// reference. +// Example: localhost:5000/hello-world +func NewRepository(reference string) (*Repository, error) { + ref, err := registry.ParseReference(reference) + if err != nil { + return nil, err + } + return &Repository{ + Reference: ref, + }, nil +} + +// newRepositoryWithOptions returns a Repository with the given Reference and +// RepositoryOptions. +// +// RepositoryOptions are part of the Registry struct and set its defaults. +// RepositoryOptions shares the same struct definition as Repository, which +// contains unexported state that must not be copied to multiple Repositories. +// To handle this we explicitly copy only the fields that we want to reproduce. +func newRepositoryWithOptions(ref registry.Reference, opts *RepositoryOptions) (*Repository, error) { + if err := ref.ValidateRepository(); err != nil { + return nil, err + } + repo := (*Repository)(opts).clone() + repo.Reference = ref + return repo, nil +} + +// clone makes a copy of the Repository being careful not to copy non-copyable fields (sync.Mutex and syncutil.Pool types) +func (r *Repository) clone() *Repository { + return &Repository{ + Client: r.Client, + Reference: r.Reference, + PlainHTTP: r.PlainHTTP, + ManifestMediaTypes: slices.Clone(r.ManifestMediaTypes), + TagListPageSize: r.TagListPageSize, + ReferrerListPageSize: r.ReferrerListPageSize, + MaxMetadataBytes: r.MaxMetadataBytes, + SkipReferrersGC: r.SkipReferrersGC, + HandleWarning: r.HandleWarning, + } +} + +// SetReferrersCapability indicates the Referrers API capability of the remote +// repository. true: capable; false: not capable. +// +// SetReferrersCapability is valid only when it is called for the first time. +// SetReferrersCapability returns ErrReferrersCapabilityAlreadySet if the +// Referrers API capability has been already set. +// - When the capability is set to true, the Referrers() function will always +// request the Referrers API. Reference: https://github.com/opencontainers/distribution-spec/blob/v1.1.1/spec.md#listing-referrers +// - When the capability is set to false, the Referrers() function will always +// request the Referrers Tag. Reference: https://github.com/opencontainers/distribution-spec/blob/v1.1.1/spec.md#referrers-tag-schema +// - When the capability is not set, the Referrers() function will automatically +// determine which API to use. +func (r *Repository) SetReferrersCapability(capable bool) error { + var state referrersState + if capable { + state = referrersStateSupported + } else { + state = referrersStateUnsupported + } + if swapped := atomic.CompareAndSwapInt32(&r.referrersState, referrersStateUnknown, state); !swapped { + if fact := r.loadReferrersState(); fact != state { + return fmt.Errorf("%w: current capability = %v, new capability = %v", + ErrReferrersCapabilityAlreadySet, + fact == referrersStateSupported, + capable) + } + } + return nil +} + +// setReferrersState atomically loads r.referrersState. +func (r *Repository) loadReferrersState() referrersState { + return atomic.LoadInt32(&r.referrersState) +} + +// client returns an HTTP client used to access the remote repository. +// A default HTTP client is return if the client is not configured. +func (r *Repository) client() Client { + if r.Client == nil { + return auth.DefaultClient + } + return r.Client +} + +// do sends an HTTP request and returns an HTTP response using the HTTP client +// returned by r.client(). +func (r *Repository) do(req *http.Request) (*http.Response, error) { + if r.HandleWarning == nil { + return r.client().Do(req) + } + + resp, err := r.client().Do(req) + if err != nil { + return nil, err + } + handleWarningHeaders(resp.Header.Values(headerWarning), r.HandleWarning) + return resp, nil +} + +// blobStore detects the blob store for the given descriptor. +func (r *Repository) blobStore(desc ocispec.Descriptor) registry.BlobStore { + if isManifest(r.ManifestMediaTypes, desc) { + return r.Manifests() + } + return r.Blobs() +} + +// Fetch fetches the content identified by the descriptor. +func (r *Repository) Fetch(ctx context.Context, target ocispec.Descriptor) (io.ReadCloser, error) { + return r.blobStore(target).Fetch(ctx, target) +} + +// Push pushes the content, matching the expected descriptor. +func (r *Repository) Push(ctx context.Context, expected ocispec.Descriptor, content io.Reader) error { + return r.blobStore(expected).Push(ctx, expected, content) +} + +// Mount makes the blob with the given digest in fromRepo +// available in the repository signified by the receiver. +// +// This avoids the need to pull content down from fromRepo only to push it to r. +// +// If the registry does not implement mounting, getContent will be used to get the +// content to push. If getContent is nil, the content will be pulled from the source +// repository. If getContent returns an error, it will be wrapped inside the error +// returned from Mount. +func (r *Repository) Mount(ctx context.Context, desc ocispec.Descriptor, fromRepo string, getContent func() (io.ReadCloser, error)) error { + return r.Blobs().(registry.Mounter).Mount(ctx, desc, fromRepo, getContent) +} + +// Exists returns true if the described content exists. +func (r *Repository) Exists(ctx context.Context, target ocispec.Descriptor) (bool, error) { + return r.blobStore(target).Exists(ctx, target) +} + +// Delete removes the content identified by the descriptor. +func (r *Repository) Delete(ctx context.Context, target ocispec.Descriptor) error { + return r.blobStore(target).Delete(ctx, target) +} + +// Blobs provides access to the blob CAS only, which contains config blobs, +// layers, and other generic blobs. +func (r *Repository) Blobs() registry.BlobStore { + return &blobStore{repo: r} +} + +// Manifests provides access to the manifest CAS only. +func (r *Repository) Manifests() registry.ManifestStore { + return &manifestStore{repo: r} +} + +// Resolve resolves a reference to a manifest descriptor. +// See also `ManifestMediaTypes`. +func (r *Repository) Resolve(ctx context.Context, reference string) (ocispec.Descriptor, error) { + return r.Manifests().Resolve(ctx, reference) +} + +// Tag tags a manifest descriptor with a reference string. +func (r *Repository) Tag(ctx context.Context, desc ocispec.Descriptor, reference string) error { + return r.Manifests().Tag(ctx, desc, reference) +} + +// PushReference pushes the manifest with a reference tag. +func (r *Repository) PushReference(ctx context.Context, expected ocispec.Descriptor, content io.Reader, reference string) error { + return r.Manifests().PushReference(ctx, expected, content, reference) +} + +// FetchReference fetches the manifest identified by the reference. +// The reference can be a tag or digest. +func (r *Repository) FetchReference(ctx context.Context, reference string) (ocispec.Descriptor, io.ReadCloser, error) { + return r.Manifests().FetchReference(ctx, reference) +} + +// ParseReference resolves a tag or a digest reference to a fully qualified +// reference from a base reference r.Reference. +// Tag, digest, or fully qualified references are accepted as input. +// +// If reference is a fully qualified reference, then ParseReference parses it +// and returns the parsed reference. If the parsed reference does not share +// the same base reference with the Repository r, ParseReference returns a +// wrapped error ErrInvalidReference. +func (r *Repository) ParseReference(reference string) (registry.Reference, error) { + ref, err := registry.ParseReference(reference) + if err != nil { + ref = registry.Reference{ + Registry: r.Reference.Registry, + Repository: r.Reference.Repository, + Reference: reference, + } + + // reference is not a FQDN + if index := strings.IndexByte(reference, '@'); index != -1 { + // `@` implies *digest*, so drop the *tag* (irrespective of what it is). + ref.Reference = reference[index+1:] + err = ref.ValidateReferenceAsDigest() + } else { + err = ref.ValidateReference() + } + + if err != nil { + return registry.Reference{}, err + } + } else if ref.Registry != r.Reference.Registry || ref.Repository != r.Reference.Repository { + return registry.Reference{}, fmt.Errorf( + "%w: mismatch between received %q and expected %q", + errdef.ErrInvalidReference, ref, r.Reference, + ) + } + + if len(ref.Reference) == 0 { + return registry.Reference{}, errdef.ErrInvalidReference + } + + return ref, nil +} + +// Tags lists the tags available in the repository. +// See also `TagListPageSize`. +// If `last` is NOT empty, the entries in the response start after the +// tag specified by `last`. Otherwise, the response starts from the top +// of the Tags list. +// +// References: +// - https://github.com/opencontainers/distribution-spec/blob/v1.1.1/spec.md#content-discovery +// - https://distribution.github.io/distribution/spec/api/#tags +func (r *Repository) Tags(ctx context.Context, last string, fn func(tags []string) error) error { + ctx = auth.AppendRepositoryScope(ctx, r.Reference, auth.ActionPull) + url := buildRepositoryTagListURL(r.PlainHTTP, r.Reference) + var err error + for err == nil { + url, err = r.tags(ctx, last, fn, url) + // clear `last` for subsequent pages + last = "" + } + if err != errNoLink { + return err + } + return nil +} + +// tags returns a single page of tag list with the next link. +func (r *Repository) tags(ctx context.Context, last string, fn func(tags []string) error, url string) (string, error) { + req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil) + if err != nil { + return "", err + } + if r.TagListPageSize > 0 || last != "" { + q := req.URL.Query() + if r.TagListPageSize > 0 { + q.Set("n", strconv.Itoa(r.TagListPageSize)) + } + if last != "" { + q.Set("last", last) + } + req.URL.RawQuery = q.Encode() + } + resp, err := r.do(req) + if err != nil { + return "", err + } + defer resp.Body.Close() + + if resp.StatusCode != http.StatusOK { + return "", errutil.ParseErrorResponse(resp) + } + var page struct { + Tags []string `json:"tags"` + } + lr := limitReader(resp.Body, r.MaxMetadataBytes) + if err := json.NewDecoder(lr).Decode(&page); err != nil { + return "", fmt.Errorf("%s %q: failed to decode response: %w", resp.Request.Method, resp.Request.URL, err) + } + if err := fn(page.Tags); err != nil { + return "", err + } + + return parseLink(resp) +} + +// Predecessors returns the descriptors of image or artifact manifests directly +// referencing the given manifest descriptor. +// Predecessors internally leverages Referrers. +// Reference: https://github.com/opencontainers/distribution-spec/blob/v1.1.1/spec.md#listing-referrers +func (r *Repository) Predecessors(ctx context.Context, desc ocispec.Descriptor) ([]ocispec.Descriptor, error) { + var res []ocispec.Descriptor + if err := r.Referrers(ctx, desc, "", func(referrers []ocispec.Descriptor) error { + res = append(res, referrers...) + return nil + }); err != nil { + return nil, err + } + return res, nil +} + +// Referrers lists the descriptors of image or artifact manifests directly +// referencing the given manifest descriptor. +// +// fn is called for each page of the referrers result. +// If artifactType is not empty, only referrers of the same artifact type are +// fed to fn. +// +// Reference: https://github.com/opencontainers/distribution-spec/blob/v1.1.1/spec.md#listing-referrers +func (r *Repository) Referrers(ctx context.Context, desc ocispec.Descriptor, artifactType string, fn func(referrers []ocispec.Descriptor) error) error { + state := r.loadReferrersState() + if state == referrersStateUnsupported { + // The repository is known to not support Referrers API, fallback to + // referrers tag schema. + return r.referrersByTagSchema(ctx, desc, artifactType, fn) + } + + err := r.referrersByAPI(ctx, desc, artifactType, fn) + if state == referrersStateSupported { + // The repository is known to support Referrers API, no fallback. + return err + } + + // The referrers state is unknown. + if err != nil { + if errors.Is(err, errdef.ErrUnsupported) { + // Referrers API is not supported, fallback to referrers tag schema. + r.SetReferrersCapability(false) + return r.referrersByTagSchema(ctx, desc, artifactType, fn) + } + return err + } + + r.SetReferrersCapability(true) + return nil +} + +// referrersByAPI lists the descriptors of manifests directly referencing +// the given manifest descriptor by requesting Referrers API. +// fn is called for the referrers result. If artifactType is not empty, +// only referrers of the same artifact type are fed to fn. +func (r *Repository) referrersByAPI(ctx context.Context, desc ocispec.Descriptor, artifactType string, fn func(referrers []ocispec.Descriptor) error) error { + ref := r.Reference + ref.Reference = desc.Digest.String() + ctx = auth.AppendRepositoryScope(ctx, ref, auth.ActionPull) + + url := buildReferrersURL(r.PlainHTTP, ref, artifactType) + var err error + for err == nil { + url, err = r.referrersPageByAPI(ctx, artifactType, fn, url) + } + if err == errNoLink { + return nil + } + return err +} + +// referrersPageByAPI lists a single page of the descriptors of manifests +// directly referencing the given manifest descriptor. fn is called for +// a page of referrersPageByAPI result. +// If artifactType is not empty, only referrersPageByAPI of the same +// artifact type are fed to fn. +// referrersPageByAPI returns the link url for the next page. +func (r *Repository) referrersPageByAPI(ctx context.Context, artifactType string, fn func(referrers []ocispec.Descriptor) error, url string) (string, error) { + req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil) + if err != nil { + return "", err + } + if r.ReferrerListPageSize > 0 { + q := req.URL.Query() + q.Set("n", strconv.Itoa(r.ReferrerListPageSize)) + req.URL.RawQuery = q.Encode() + } + + resp, err := r.do(req) + if err != nil { + return "", err + } + defer resp.Body.Close() + + switch resp.StatusCode { + case http.StatusOK: + case http.StatusNotFound: + if errResp := errutil.ParseErrorResponse(resp); errutil.IsErrorCode(errResp, errcode.ErrorCodeNameUnknown) { + // The repository is not found, Referrers API status is unknown + return "", errResp + } + // Referrers API is not supported. + return "", fmt.Errorf("failed to query referrers API: %w", errdef.ErrUnsupported) + default: + return "", errutil.ParseErrorResponse(resp) + } + + // also check the content type + if ct := resp.Header.Get("Content-Type"); ct != ocispec.MediaTypeImageIndex { + return "", fmt.Errorf("unknown content returned (%s), expecting image index: %w", ct, errdef.ErrUnsupported) + } + + var index ocispec.Index + lr := limitReader(resp.Body, r.MaxMetadataBytes) + if err := json.NewDecoder(lr).Decode(&index); err != nil { + return "", fmt.Errorf("%s %q: failed to decode response: %w", resp.Request.Method, resp.Request.URL, err) + } + + referrers := index.Manifests + if artifactType != "" { + // check both filters header and filters annotations for compatibility + // latest spec for filters header: https://github.com/opencontainers/distribution-spec/blob/v1.1.1/spec.md#listing-referrers + // older spec for filters annotations: https://github.com/opencontainers/distribution-spec/blob/v1.1.0-rc1/spec.md#listing-referrers + filtersHeader := resp.Header.Get(headerOCIFiltersApplied) + filtersAnnotation := index.Annotations[spec.AnnotationReferrersFiltersApplied] + if !isReferrersFilterApplied(filtersHeader, filterTypeArtifactType) && + !isReferrersFilterApplied(filtersAnnotation, filterTypeArtifactType) { + // perform client side filtering if the filter is not applied on the server side + referrers = filterReferrers(referrers, artifactType) + } + } + if len(referrers) > 0 { + if err := fn(referrers); err != nil { + return "", err + } + } + return parseLink(resp) +} + +// referrersByTagSchema lists the descriptors of manifests directly +// referencing the given manifest descriptor by requesting referrers tag. +// fn is called for the referrers result. If artifactType is not empty, +// only referrers of the same artifact type are fed to fn. +// reference: https://github.com/opencontainers/distribution-spec/blob/v1.1.1/spec.md#backwards-compatibility +func (r *Repository) referrersByTagSchema(ctx context.Context, desc ocispec.Descriptor, artifactType string, fn func(referrers []ocispec.Descriptor) error) error { + referrersTag, err := buildReferrersTag(desc) + if err != nil { + return err + } + _, referrers, err := r.referrersFromIndex(ctx, referrersTag) + if err != nil { + if errors.Is(err, errdef.ErrNotFound) { + // no referrers to the manifest + return nil + } + return err + } + + filtered := filterReferrers(referrers, artifactType) + if len(filtered) == 0 { + return nil + } + return fn(filtered) +} + +// referrersFromIndex queries the referrers index using the the given referrers +// tag. If Succeeded, returns the descriptor of referrers index and the +// referrers list. +func (r *Repository) referrersFromIndex(ctx context.Context, referrersTag string) (ocispec.Descriptor, []ocispec.Descriptor, error) { + desc, rc, err := r.FetchReference(ctx, referrersTag) + if err != nil { + return ocispec.Descriptor{}, nil, err + } + defer rc.Close() + + if err := limitSize(desc, r.MaxMetadataBytes); err != nil { + return ocispec.Descriptor{}, nil, fmt.Errorf("failed to read referrers index from referrers tag %s: %w", referrersTag, err) + } + var index ocispec.Index + if err := decodeJSON(rc, desc, &index); err != nil { + return ocispec.Descriptor{}, nil, fmt.Errorf("failed to decode referrers index from referrers tag %s: %w", referrersTag, err) + } + + return desc, index.Manifests, nil +} + +// pingReferrers returns true if the Referrers API is available for r. +func (r *Repository) pingReferrers(ctx context.Context) (bool, error) { + switch r.loadReferrersState() { + case referrersStateSupported: + return true, nil + case referrersStateUnsupported: + return false, nil + } + + // referrers state is unknown + // limit the rate of pinging referrers API + r.referrersPingLock.Lock() + defer r.referrersPingLock.Unlock() + + switch r.loadReferrersState() { + case referrersStateSupported: + return true, nil + case referrersStateUnsupported: + return false, nil + } + + ref := r.Reference + ref.Reference = zeroDigest + ctx = auth.AppendRepositoryScope(ctx, ref, auth.ActionPull) + + url := buildReferrersURL(r.PlainHTTP, ref, "") + req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil) + if err != nil { + return false, err + } + resp, err := r.do(req) + if err != nil { + return false, err + } + defer resp.Body.Close() + + switch resp.StatusCode { + case http.StatusOK: + supported := resp.Header.Get("Content-Type") == ocispec.MediaTypeImageIndex + r.SetReferrersCapability(supported) + return supported, nil + case http.StatusNotFound: + if err := errutil.ParseErrorResponse(resp); errutil.IsErrorCode(err, errcode.ErrorCodeNameUnknown) { + // repository not found + return false, err + } + r.SetReferrersCapability(false) + return false, nil + default: + return false, errutil.ParseErrorResponse(resp) + } +} + +// delete removes the content identified by the descriptor in the entity "blobs" +// or "manifests". +func (r *Repository) delete(ctx context.Context, target ocispec.Descriptor, isManifest bool) error { + ref := r.Reference + ref.Reference = target.Digest.String() + ctx = auth.AppendRepositoryScope(ctx, ref, auth.ActionDelete) + buildURL := buildRepositoryBlobURL + if isManifest { + buildURL = buildRepositoryManifestURL + } + url := buildURL(r.PlainHTTP, ref) + req, err := http.NewRequestWithContext(ctx, http.MethodDelete, url, nil) + if err != nil { + return err + } + + resp, err := r.do(req) + if err != nil { + return err + } + defer resp.Body.Close() + + switch resp.StatusCode { + case http.StatusAccepted: + return verifyContentDigest(resp, target.Digest) + case http.StatusNotFound: + return fmt.Errorf("%s: %w", target.Digest, errdef.ErrNotFound) + default: + return errutil.ParseErrorResponse(resp) + } +} + +// blobStore accesses the blob part of the repository. +type blobStore struct { + repo *Repository +} + +// Fetch fetches the content identified by the descriptor. +func (s *blobStore) Fetch(ctx context.Context, target ocispec.Descriptor) (rc io.ReadCloser, err error) { + ref := s.repo.Reference + ref.Reference = target.Digest.String() + ctx = auth.AppendRepositoryScope(ctx, ref, auth.ActionPull) + url := buildRepositoryBlobURL(s.repo.PlainHTTP, ref) + req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil) + if err != nil { + return nil, err + } + + resp, err := s.repo.do(req) + if err != nil { + return nil, err + } + defer func() { + if err != nil { + resp.Body.Close() + } + }() + + switch resp.StatusCode { + case http.StatusOK: + if size := resp.ContentLength; size != -1 && size != target.Size { + return nil, fmt.Errorf("%s %q: mismatch Content-Length", resp.Request.Method, resp.Request.URL) + } + if err := verifyContentDigest(resp, target.Digest); err != nil { + return nil, err + } + + // check server range request capability. + // Docker spec allows range header form of "Range: bytes=-". + // However, the remote server may still not RFC 7233 compliant. + // Reference: https://distribution.github.io/distribution/spec/api/#blob + if rangeUnit := resp.Header.Get("Accept-Ranges"); rangeUnit == "bytes" { + return httputil.NewReadSeekCloser(s.repo.client(), req, resp.Body, target.Size), nil + } + return resp.Body, nil + case http.StatusNotFound: + return nil, fmt.Errorf("%s: %w", target.Digest, errdef.ErrNotFound) + default: + return nil, errutil.ParseErrorResponse(resp) + } +} + +// Mount mounts the given descriptor from fromRepo into s. +func (s *blobStore) Mount(ctx context.Context, desc ocispec.Descriptor, fromRepo string, getContent func() (io.ReadCloser, error)) error { + // pushing usually requires both pull and push actions. + // Reference: https://github.com/distribution/distribution/blob/v2.7.1/registry/handlers/app.go#L921-L930 + ctx = auth.AppendRepositoryScope(ctx, s.repo.Reference, auth.ActionPull, auth.ActionPush) + + // We also need pull access to the source repo. + fromRef := s.repo.Reference + fromRef.Repository = fromRepo + ctx = auth.AppendRepositoryScope(ctx, fromRef, auth.ActionPull) + + url := buildRepositoryBlobMountURL(s.repo.PlainHTTP, s.repo.Reference, desc.Digest, fromRepo) + req, err := http.NewRequestWithContext(ctx, http.MethodPost, url, nil) + if err != nil { + return err + } + resp, err := s.repo.do(req) + if err != nil { + return err + } + if resp.StatusCode == http.StatusCreated { + defer resp.Body.Close() + // Check the server seems to be behaving. + return verifyContentDigest(resp, desc.Digest) + } + if resp.StatusCode != http.StatusAccepted { + defer resp.Body.Close() + return errutil.ParseErrorResponse(resp) + } + resp.Body.Close() + // From the [spec]: + // + // "If a registry does not support cross-repository mounting + // or is unable to mount the requested blob, + // it SHOULD return a 202. + // This indicates that the upload session has begun + // and that the client MAY proceed with the upload." + // + // So we need to get the content from somewhere in order to + // push it. If the caller has provided a getContent function, we + // can use that, otherwise pull the content from the source repository. + // + // [spec]: https://github.com/opencontainers/distribution-spec/blob/v1.1.1/spec.md#mounting-a-blob-from-another-repository + + var r io.ReadCloser + if getContent != nil { + r, err = getContent() + } else { + r, err = s.sibling(fromRepo).Fetch(ctx, desc) + } + if err != nil { + return fmt.Errorf("cannot read source blob: %w", err) + } + defer r.Close() + return s.completePushAfterInitialPost(ctx, req, resp, desc, r) +} + +// sibling returns a blob store for another repository in the same +// registry. +func (s *blobStore) sibling(otherRepoName string) *blobStore { + otherRepo := s.repo.clone() + otherRepo.Reference.Repository = otherRepoName + return &blobStore{ + repo: otherRepo, + } +} + +// Push pushes the content, matching the expected descriptor. +// Existing content is not checked by Push() to minimize the number of out-going +// requests. +// Push is done by conventional 2-step monolithic upload instead of a single +// `POST` request for better overall performance. It also allows early fail on +// authentication errors. +// +// References: +// - https://distribution.github.io/distribution/spec/api/#pushing-an-image +// - https://distribution.github.io/distribution/spec/api/#initiate-blob-upload +// - https://github.com/opencontainers/distribution-spec/blob/v1.1.1/spec.md#pushing-a-blob-monolithically +func (s *blobStore) Push(ctx context.Context, expected ocispec.Descriptor, content io.Reader) error { + // start an upload + // pushing usually requires both pull and push actions. + // Reference: https://github.com/distribution/distribution/blob/v2.7.1/registry/handlers/app.go#L921-L930 + ctx = auth.AppendRepositoryScope(ctx, s.repo.Reference, auth.ActionPull, auth.ActionPush) + url := buildRepositoryBlobUploadURL(s.repo.PlainHTTP, s.repo.Reference) + req, err := http.NewRequestWithContext(ctx, http.MethodPost, url, nil) + if err != nil { + return err + } + + resp, err := s.repo.do(req) + if err != nil { + return err + } + + if resp.StatusCode != http.StatusAccepted { + defer resp.Body.Close() + return errutil.ParseErrorResponse(resp) + } + resp.Body.Close() + return s.completePushAfterInitialPost(ctx, req, resp, expected, content) +} + +// completePushAfterInitialPost implements step 2 of the push protocol. This can be invoked either by +// Push or by Mount when the receiving repository does not implement the +// mount endpoint. +func (s *blobStore) completePushAfterInitialPost(ctx context.Context, req *http.Request, resp *http.Response, expected ocispec.Descriptor, content io.Reader) error { + reqHostname := req.URL.Hostname() + reqPort := req.URL.Port() + // monolithic upload + location, err := resp.Location() + if err != nil { + return err + } + // work-around solution for https://github.com/oras-project/oras-go/issues/177 + // For some registries, if the port 443 is explicitly set to the hostname + // like registry.wabbit-networks.io:443/myrepo, blob push will fail since + // the hostname of the Location header in the response is set to + // registry.wabbit-networks.io instead of registry.wabbit-networks.io:443. + locationHostname := location.Hostname() + locationPort := location.Port() + // if location port 443 is missing, add it back + if reqPort == "443" && locationHostname == reqHostname && locationPort == "" { + location.Host = locationHostname + ":" + reqPort + } + url := location.String() + req, err = http.NewRequestWithContext(ctx, http.MethodPut, url, content) + if err != nil { + return err + } + if req.GetBody != nil && req.ContentLength != expected.Size { + // short circuit a size mismatch for built-in types. + return fmt.Errorf("mismatch content length %d: expect %d", req.ContentLength, expected.Size) + } + req.ContentLength = expected.Size + // the expected media type is ignored as in the API doc. + req.Header.Set("Content-Type", "application/octet-stream") + q := req.URL.Query() + q.Set("digest", expected.Digest.String()) + req.URL.RawQuery = q.Encode() + + // reuse credential from previous POST request + if auth := resp.Request.Header.Get("Authorization"); auth != "" { + req.Header.Set("Authorization", auth) + } + resp, err = s.repo.do(req) + if err != nil { + return err + } + defer resp.Body.Close() + + if resp.StatusCode != http.StatusCreated { + return errutil.ParseErrorResponse(resp) + } + return nil +} + +// Exists returns true if the described content exists. +func (s *blobStore) Exists(ctx context.Context, target ocispec.Descriptor) (bool, error) { + _, err := s.Resolve(ctx, target.Digest.String()) + if err == nil { + return true, nil + } + if errors.Is(err, errdef.ErrNotFound) { + return false, nil + } + return false, err +} + +// Delete removes the content identified by the descriptor. +func (s *blobStore) Delete(ctx context.Context, target ocispec.Descriptor) error { + return s.repo.delete(ctx, target, false) +} + +// Resolve resolves a reference to a descriptor. +func (s *blobStore) Resolve(ctx context.Context, reference string) (ocispec.Descriptor, error) { + ref, err := s.repo.ParseReference(reference) + if err != nil { + return ocispec.Descriptor{}, err + } + refDigest, err := ref.Digest() + if err != nil { + return ocispec.Descriptor{}, err + } + ctx = auth.AppendRepositoryScope(ctx, ref, auth.ActionPull) + url := buildRepositoryBlobURL(s.repo.PlainHTTP, ref) + req, err := http.NewRequestWithContext(ctx, http.MethodHead, url, nil) + if err != nil { + return ocispec.Descriptor{}, err + } + + resp, err := s.repo.do(req) + if err != nil { + return ocispec.Descriptor{}, err + } + defer resp.Body.Close() + + switch resp.StatusCode { + case http.StatusOK: + return generateBlobDescriptor(resp, refDigest) + case http.StatusNotFound: + return ocispec.Descriptor{}, fmt.Errorf("%s: %w", ref, errdef.ErrNotFound) + default: + return ocispec.Descriptor{}, errutil.ParseErrorResponse(resp) + } +} + +// FetchReference fetches the blob identified by the reference. +// The reference must be a digest. +func (s *blobStore) FetchReference(ctx context.Context, reference string) (desc ocispec.Descriptor, rc io.ReadCloser, err error) { + ref, err := s.repo.ParseReference(reference) + if err != nil { + return ocispec.Descriptor{}, nil, err + } + refDigest, err := ref.Digest() + if err != nil { + return ocispec.Descriptor{}, nil, err + } + + ctx = auth.AppendRepositoryScope(ctx, ref, auth.ActionPull) + url := buildRepositoryBlobURL(s.repo.PlainHTTP, ref) + req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil) + if err != nil { + return ocispec.Descriptor{}, nil, err + } + + resp, err := s.repo.do(req) + if err != nil { + return ocispec.Descriptor{}, nil, err + } + defer func() { + if err != nil { + resp.Body.Close() + } + }() + + switch resp.StatusCode { + case http.StatusOK: // server does not support seek as `Range` was ignored. + if resp.ContentLength == -1 { + desc, err = s.Resolve(ctx, reference) + } else { + desc, err = generateBlobDescriptor(resp, refDigest) + } + if err != nil { + return ocispec.Descriptor{}, nil, err + } + + // check server range request capability. + // Docker spec allows range header form of "Range: bytes=-". + // However, the remote server may still not RFC 7233 compliant. + // Reference: https://distribution.github.io/distribution/spec/api/#blob + if rangeUnit := resp.Header.Get("Accept-Ranges"); rangeUnit == "bytes" { + return desc, httputil.NewReadSeekCloser(s.repo.client(), req, resp.Body, desc.Size), nil + } + return desc, resp.Body, nil + case http.StatusNotFound: + return ocispec.Descriptor{}, nil, fmt.Errorf("%s: %w", ref, errdef.ErrNotFound) + default: + return ocispec.Descriptor{}, nil, errutil.ParseErrorResponse(resp) + } +} + +// generateBlobDescriptor returns a descriptor generated from the response. +func generateBlobDescriptor(resp *http.Response, refDigest digest.Digest) (ocispec.Descriptor, error) { + mediaType, _, _ := mime.ParseMediaType(resp.Header.Get("Content-Type")) + if mediaType == "" { + mediaType = "application/octet-stream" + } + + size := resp.ContentLength + if size == -1 { + return ocispec.Descriptor{}, fmt.Errorf("%s %q: unknown response Content-Length", resp.Request.Method, resp.Request.URL) + } + + if err := verifyContentDigest(resp, refDigest); err != nil { + return ocispec.Descriptor{}, err + } + + return ocispec.Descriptor{ + MediaType: mediaType, + Digest: refDigest, + Size: size, + }, nil +} + +// manifestStore accesses the manifest part of the repository. +type manifestStore struct { + repo *Repository +} + +// Fetch fetches the content identified by the descriptor. +func (s *manifestStore) Fetch(ctx context.Context, target ocispec.Descriptor) (rc io.ReadCloser, err error) { + ref := s.repo.Reference + ref.Reference = target.Digest.String() + ctx = auth.AppendRepositoryScope(ctx, ref, auth.ActionPull) + url := buildRepositoryManifestURL(s.repo.PlainHTTP, ref) + req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil) + if err != nil { + return nil, err + } + req.Header.Set("Accept", target.MediaType) + + resp, err := s.repo.do(req) + if err != nil { + return nil, err + } + defer func() { + if err != nil { + resp.Body.Close() + } + }() + + switch resp.StatusCode { + case http.StatusOK: + // no-op + case http.StatusNotFound: + return nil, fmt.Errorf("%s: %w", target.Digest, errdef.ErrNotFound) + default: + return nil, errutil.ParseErrorResponse(resp) + } + mediaType, _, err := mime.ParseMediaType(resp.Header.Get("Content-Type")) + if err != nil { + return nil, fmt.Errorf("%s %q: invalid response Content-Type: %w", resp.Request.Method, resp.Request.URL, err) + } + if mediaType != target.MediaType { + return nil, fmt.Errorf("%s %q: mismatch response Content-Type %q: expect %q", resp.Request.Method, resp.Request.URL, mediaType, target.MediaType) + } + if size := resp.ContentLength; size != -1 && size != target.Size { + return nil, fmt.Errorf("%s %q: mismatch Content-Length", resp.Request.Method, resp.Request.URL) + } + if err := verifyContentDigest(resp, target.Digest); err != nil { + return nil, err + } + return resp.Body, nil +} + +// Push pushes the content, matching the expected descriptor. +func (s *manifestStore) Push(ctx context.Context, expected ocispec.Descriptor, content io.Reader) error { + return s.pushWithIndexing(ctx, expected, content, expected.Digest.String()) +} + +// Exists returns true if the described content exists. +func (s *manifestStore) Exists(ctx context.Context, target ocispec.Descriptor) (bool, error) { + _, err := s.Resolve(ctx, target.Digest.String()) + if err == nil { + return true, nil + } + if errors.Is(err, errdef.ErrNotFound) { + return false, nil + } + return false, err +} + +// Delete removes the manifest content identified by the descriptor. +func (s *manifestStore) Delete(ctx context.Context, target ocispec.Descriptor) error { + return s.deleteWithIndexing(ctx, target) +} + +// deleteWithIndexing removes the manifest content identified by the descriptor, +// and indexes referrers for the manifest when needed. +func (s *manifestStore) deleteWithIndexing(ctx context.Context, target ocispec.Descriptor) error { + switch target.MediaType { + case spec.MediaTypeArtifactManifest, ocispec.MediaTypeImageManifest, ocispec.MediaTypeImageIndex: + if state := s.repo.loadReferrersState(); state == referrersStateSupported { + // referrers API is available, no client-side indexing needed + return s.repo.delete(ctx, target, true) + } + + if err := limitSize(target, s.repo.MaxMetadataBytes); err != nil { + return err + } + ctx = auth.AppendRepositoryScope(ctx, s.repo.Reference, auth.ActionPull, auth.ActionDelete) + manifestJSON, err := content.FetchAll(ctx, s, target) + if err != nil { + return err + } + if err := s.indexReferrersForDelete(ctx, target, manifestJSON); err != nil { + return err + } + } + + return s.repo.delete(ctx, target, true) +} + +// indexReferrersForDelete indexes referrers for manifests with a subject field +// on manifest delete. +// +// References: +// - Latest spec: https://github.com/opencontainers/distribution-spec/blob/v1.1.1/spec.md#deleting-manifests +// - Compatible spec: https://github.com/opencontainers/distribution-spec/blob/v1.1.0-rc1/spec.md#deleting-manifests +func (s *manifestStore) indexReferrersForDelete(ctx context.Context, desc ocispec.Descriptor, manifestJSON []byte) error { + var manifest struct { + Subject *ocispec.Descriptor `json:"subject"` + } + if err := json.Unmarshal(manifestJSON, &manifest); err != nil { + return fmt.Errorf("failed to decode manifest: %s: %s: %w", desc.Digest, desc.MediaType, err) + } + if manifest.Subject == nil { + // no subject, no indexing needed + return nil + } + + subject := *manifest.Subject + ok, err := s.repo.pingReferrers(ctx) + if err != nil { + return err + } + if ok { + // referrers API is available, no client-side indexing needed + return nil + } + return s.updateReferrersIndex(ctx, subject, referrerChange{desc, referrerOperationRemove}) +} + +// Resolve resolves a reference to a descriptor. +// See also `ManifestMediaTypes`. +func (s *manifestStore) Resolve(ctx context.Context, reference string) (ocispec.Descriptor, error) { + ref, err := s.repo.ParseReference(reference) + if err != nil { + return ocispec.Descriptor{}, err + } + ctx = auth.AppendRepositoryScope(ctx, ref, auth.ActionPull) + url := buildRepositoryManifestURL(s.repo.PlainHTTP, ref) + req, err := http.NewRequestWithContext(ctx, http.MethodHead, url, nil) + if err != nil { + return ocispec.Descriptor{}, err + } + req.Header.Set("Accept", manifestAcceptHeader(s.repo.ManifestMediaTypes)) + + resp, err := s.repo.do(req) + if err != nil { + return ocispec.Descriptor{}, err + } + defer resp.Body.Close() + + switch resp.StatusCode { + case http.StatusOK: + return s.generateDescriptor(resp, ref, req.Method) + case http.StatusNotFound: + return ocispec.Descriptor{}, fmt.Errorf("%s: %w", ref, errdef.ErrNotFound) + default: + return ocispec.Descriptor{}, errutil.ParseErrorResponse(resp) + } +} + +// FetchReference fetches the manifest identified by the reference. +// The reference can be a tag or digest. +func (s *manifestStore) FetchReference(ctx context.Context, reference string) (desc ocispec.Descriptor, rc io.ReadCloser, err error) { + ref, err := s.repo.ParseReference(reference) + if err != nil { + return ocispec.Descriptor{}, nil, err + } + + ctx = auth.AppendRepositoryScope(ctx, ref, auth.ActionPull) + url := buildRepositoryManifestURL(s.repo.PlainHTTP, ref) + req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil) + if err != nil { + return ocispec.Descriptor{}, nil, err + } + req.Header.Set("Accept", manifestAcceptHeader(s.repo.ManifestMediaTypes)) + + resp, err := s.repo.do(req) + if err != nil { + return ocispec.Descriptor{}, nil, err + } + defer func() { + if err != nil { + resp.Body.Close() + } + }() + + switch resp.StatusCode { + case http.StatusOK: + if resp.ContentLength == -1 { + desc, err = s.Resolve(ctx, reference) + } else { + desc, err = s.generateDescriptor(resp, ref, req.Method) + } + if err != nil { + return ocispec.Descriptor{}, nil, err + } + return desc, resp.Body, nil + case http.StatusNotFound: + return ocispec.Descriptor{}, nil, fmt.Errorf("%s: %w", ref, errdef.ErrNotFound) + default: + return ocispec.Descriptor{}, nil, errutil.ParseErrorResponse(resp) + } +} + +// Tag tags a manifest descriptor with a reference string. +func (s *manifestStore) Tag(ctx context.Context, desc ocispec.Descriptor, reference string) error { + ref, err := s.repo.ParseReference(reference) + if err != nil { + return err + } + + ctx = auth.AppendRepositoryScope(ctx, ref, auth.ActionPull, auth.ActionPush) + rc, err := s.Fetch(ctx, desc) + if err != nil { + return err + } + defer rc.Close() + + return s.push(ctx, desc, rc, ref.Reference) +} + +// PushReference pushes the manifest with a reference tag. +func (s *manifestStore) PushReference(ctx context.Context, expected ocispec.Descriptor, content io.Reader, reference string) error { + ref, err := s.repo.ParseReference(reference) + if err != nil { + return err + } + return s.pushWithIndexing(ctx, expected, content, ref.Reference) +} + +// push pushes the manifest content, matching the expected descriptor. +func (s *manifestStore) push(ctx context.Context, expected ocispec.Descriptor, content io.Reader, reference string) error { + ref := s.repo.Reference + ref.Reference = reference + // pushing usually requires both pull and push actions. + // Reference: https://github.com/distribution/distribution/blob/v2.7.1/registry/handlers/app.go#L921-L930 + ctx = auth.AppendRepositoryScope(ctx, ref, auth.ActionPull, auth.ActionPush) + url := buildRepositoryManifestURL(s.repo.PlainHTTP, ref) + // unwrap the content for optimizations of built-in types. + body := ioutil.UnwrapNopCloser(content) + if _, ok := body.(io.ReadCloser); ok { + // undo unwrap if the nopCloser is intended. + body = content + } + req, err := http.NewRequestWithContext(ctx, http.MethodPut, url, body) + if err != nil { + return err + } + if req.GetBody != nil && req.ContentLength != expected.Size { + // short circuit a size mismatch for built-in types. + return fmt.Errorf("mismatch content length %d: expect %d", req.ContentLength, expected.Size) + } + req.ContentLength = expected.Size + req.Header.Set("Content-Type", expected.MediaType) + + // if the underlying client is an auth client, the content might be read + // more than once for obtaining the auth challenge and the actual request. + // To prevent double reading, the manifest is read and stored in the memory, + // and serve from the memory. + client := s.repo.client() + if _, ok := client.(*auth.Client); ok && req.GetBody == nil { + store := cas.NewMemory() + err := store.Push(ctx, expected, content) + if err != nil { + return err + } + req.GetBody = func() (io.ReadCloser, error) { + return store.Fetch(ctx, expected) + } + req.Body, err = req.GetBody() + if err != nil { + return err + } + } + resp, err := s.repo.do(req) + if err != nil { + return err + } + defer resp.Body.Close() + + if resp.StatusCode != http.StatusCreated { + return errutil.ParseErrorResponse(resp) + } + s.checkOCISubjectHeader(resp) + return verifyContentDigest(resp, expected.Digest) +} + +// checkOCISubjectHeader checks the "OCI-Subject" header in the response and +// sets referrers capability accordingly. +// Reference: https://github.com/opencontainers/distribution-spec/blob/v1.1.1/spec.md#pushing-manifests-with-subject +func (s *manifestStore) checkOCISubjectHeader(resp *http.Response) { + // If the "OCI-Subject" header is set, it indicates that the registry + // supports the Referrers API and has processed the subject of the manifest. + if subjectHeader := resp.Header.Get(headerOCISubject); subjectHeader != "" { + s.repo.SetReferrersCapability(true) + } + + // If the "OCI-Subject" header is NOT set, it means that either the manifest + // has no subject OR the referrers API is NOT supported by the registry. + // + // Since we don't know whether the pushed manifest has a subject or not, + // we do not set the referrers capability to false at here. +} + +// pushWithIndexing pushes the manifest content matching the expected descriptor, +// and indexes referrers for the manifest when needed. +func (s *manifestStore) pushWithIndexing(ctx context.Context, expected ocispec.Descriptor, r io.Reader, reference string) error { + switch expected.MediaType { + case spec.MediaTypeArtifactManifest, ocispec.MediaTypeImageManifest, ocispec.MediaTypeImageIndex: + if state := s.repo.loadReferrersState(); state == referrersStateSupported { + // referrers API is available, no client-side indexing needed + return s.push(ctx, expected, r, reference) + } + + if err := limitSize(expected, s.repo.MaxMetadataBytes); err != nil { + return err + } + manifestJSON, err := content.ReadAll(r, expected) + if err != nil { + return err + } + if err := s.push(ctx, expected, bytes.NewReader(manifestJSON), reference); err != nil { + return err + } + // check referrers API availability again after push + if state := s.repo.loadReferrersState(); state == referrersStateSupported { + // the subject has been processed the registry, no client-side + // indexing needed + return nil + } + return s.indexReferrersForPush(ctx, expected, manifestJSON) + default: + return s.push(ctx, expected, r, reference) + } +} + +// indexReferrersForPush indexes referrers for manifests with a subject field +// on manifest push. +// +// References: +// - Latest spec: https://github.com/opencontainers/distribution-spec/blob/v1.1.1/spec.md#pushing-manifests-with-subject +// - Compatible spec: https://github.com/opencontainers/distribution-spec/blob/v1.1.0-rc1/spec.md#pushing-manifests-with-subject +func (s *manifestStore) indexReferrersForPush(ctx context.Context, desc ocispec.Descriptor, manifestJSON []byte) error { + var subject ocispec.Descriptor + switch desc.MediaType { + case spec.MediaTypeArtifactManifest: + var manifest spec.Artifact + if err := json.Unmarshal(manifestJSON, &manifest); err != nil { + return fmt.Errorf("failed to decode manifest: %s: %s: %w", desc.Digest, desc.MediaType, err) + } + if manifest.Subject == nil { + // no subject, no indexing needed + return nil + } + subject = *manifest.Subject + desc.ArtifactType = manifest.ArtifactType + desc.Annotations = manifest.Annotations + case ocispec.MediaTypeImageManifest: + var manifest ocispec.Manifest + if err := json.Unmarshal(manifestJSON, &manifest); err != nil { + return fmt.Errorf("failed to decode manifest: %s: %s: %w", desc.Digest, desc.MediaType, err) + } + if manifest.Subject == nil { + // no subject, no indexing needed + return nil + } + subject = *manifest.Subject + desc.ArtifactType = manifest.ArtifactType + if desc.ArtifactType == "" { + desc.ArtifactType = manifest.Config.MediaType + } + desc.Annotations = manifest.Annotations + case ocispec.MediaTypeImageIndex: + var manifest ocispec.Index + if err := json.Unmarshal(manifestJSON, &manifest); err != nil { + return fmt.Errorf("failed to decode manifest: %s: %s: %w", desc.Digest, desc.MediaType, err) + } + if manifest.Subject == nil { + // no subject, no indexing needed + return nil + } + subject = *manifest.Subject + desc.ArtifactType = manifest.ArtifactType + desc.Annotations = manifest.Annotations + default: + return nil + } + + // if the manifest has a subject but the remote registry does not process it, + // it means that the Referrers API is not supported by the registry. + s.repo.SetReferrersCapability(false) + return s.updateReferrersIndex(ctx, subject, referrerChange{desc, referrerOperationAdd}) +} + +// updateReferrersIndex updates the referrers index for desc referencing subject +// on manifest push and manifest delete. +// References: +// - https://github.com/opencontainers/distribution-spec/blob/v1.1.1/spec.md#pushing-manifests-with-subject +// - https://github.com/opencontainers/distribution-spec/blob/v1.1.1/spec.md#deleting-manifests +func (s *manifestStore) updateReferrersIndex(ctx context.Context, subject ocispec.Descriptor, change referrerChange) (err error) { + referrersTag, err := buildReferrersTag(subject) + if err != nil { + return err + } + + var oldIndexDesc *ocispec.Descriptor + var oldReferrers []ocispec.Descriptor + prepare := func() error { + // 1. pull the original referrers list using the referrers tag schema + indexDesc, referrers, err := s.repo.referrersFromIndex(ctx, referrersTag) + if err != nil { + if errors.Is(err, errdef.ErrNotFound) { + // valid case: no old referrers index + return nil + } + return err + } + oldIndexDesc = &indexDesc + oldReferrers = referrers + return nil + } + update := func(referrerChanges []referrerChange) error { + // 2. apply the referrer changes on the referrers list + updatedReferrers, err := applyReferrerChanges(oldReferrers, referrerChanges) + if err != nil { + if err == errNoReferrerUpdate { + return nil + } + return err + } + + // 3. push the updated referrers list using referrers tag schema + if len(updatedReferrers) > 0 || s.repo.SkipReferrersGC { + // push a new index in either case: + // 1. the referrers list has been updated with a non-zero size + // 2. OR the updated referrers list is empty but referrers GC + // is skipped, in this case an empty index should still be pushed + // as the old index won't get deleted + newIndexDesc, newIndex, err := generateIndex(updatedReferrers) + if err != nil { + return fmt.Errorf("failed to generate referrers index for referrers tag %s: %w", referrersTag, err) + } + if err := s.push(ctx, newIndexDesc, bytes.NewReader(newIndex), referrersTag); err != nil { + return fmt.Errorf("failed to push referrers index tagged by %s: %w", referrersTag, err) + } + } + + // 4. delete the dangling original referrers index, if applicable + if s.repo.SkipReferrersGC || oldIndexDesc == nil { + return nil + } + if err := s.repo.delete(ctx, *oldIndexDesc, true); err != nil { + return &ReferrersError{ + Op: opDeleteReferrersIndex, + Err: fmt.Errorf("failed to delete dangling referrers index %s for referrers tag %s: %w", oldIndexDesc.Digest.String(), referrersTag, err), + Subject: subject, + } + } + return nil + } + + merge, done := s.repo.referrersMergePool.Get(referrersTag) + defer done() + return merge.Do(change, prepare, update) +} + +// ParseReference parses a reference to a fully qualified reference. +func (s *manifestStore) ParseReference(reference string) (registry.Reference, error) { + return s.repo.ParseReference(reference) +} + +// generateDescriptor returns a descriptor generated from the response. +// See the truth table at the top of `repository_test.go` +func (s *manifestStore) generateDescriptor(resp *http.Response, ref registry.Reference, httpMethod string) (ocispec.Descriptor, error) { + // 1. Validate Content-Type + mediaType, _, err := mime.ParseMediaType(resp.Header.Get("Content-Type")) + if err != nil { + return ocispec.Descriptor{}, fmt.Errorf( + "%s %q: invalid response `Content-Type` header; %w", + resp.Request.Method, + resp.Request.URL, + err, + ) + } + + // 2. Validate Size + if resp.ContentLength == -1 { + return ocispec.Descriptor{}, fmt.Errorf( + "%s %q: unknown response Content-Length", + resp.Request.Method, + resp.Request.URL, + ) + } + + // 3. Validate Client Reference + var refDigest digest.Digest + if d, err := ref.Digest(); err == nil { + refDigest = d + } + + // 4. Validate Server Digest (if present) + var serverHeaderDigest digest.Digest + if serverHeaderDigestStr := resp.Header.Get(headerDockerContentDigest); serverHeaderDigestStr != "" { + if serverHeaderDigest, err = digest.Parse(serverHeaderDigestStr); err != nil { + return ocispec.Descriptor{}, fmt.Errorf( + "%s %q: invalid response header value: `%s: %s`; %w", + resp.Request.Method, + resp.Request.URL, + headerDockerContentDigest, + serverHeaderDigestStr, + err, + ) + } + } + + /* 5. Now, look for specific error conditions; see truth table in method docstring */ + var contentDigest digest.Digest + + if len(serverHeaderDigest) == 0 { + if httpMethod == http.MethodHead { + if len(refDigest) == 0 { + // HEAD without server `Docker-Content-Digest` header is an + // immediate fail + return ocispec.Descriptor{}, fmt.Errorf( + "HTTP %s request missing required header %q", + httpMethod, headerDockerContentDigest, + ) + } + // Otherwise, just trust the client-supplied digest + contentDigest = refDigest + } else { + // GET without server `Docker-Content-Digest` header forces the + // expensive calculation + var calculatedDigest digest.Digest + if calculatedDigest, err = calculateDigestFromResponse(resp, s.repo.MaxMetadataBytes); err != nil { + return ocispec.Descriptor{}, fmt.Errorf("failed to calculate digest on response body; %w", err) + } + contentDigest = calculatedDigest + } + } else { + contentDigest = serverHeaderDigest + } + + if len(refDigest) > 0 && refDigest != contentDigest { + return ocispec.Descriptor{}, fmt.Errorf( + "%s %q: invalid response; digest mismatch in %s: received %q when expecting %q", + resp.Request.Method, resp.Request.URL, + headerDockerContentDigest, contentDigest, + refDigest, + ) + } + + // 6. Finally, if we made it this far, then all is good; return. + return ocispec.Descriptor{ + MediaType: mediaType, + Digest: contentDigest, + Size: resp.ContentLength, + }, nil +} + +// calculateDigestFromResponse calculates the actual digest of the response body +// taking care not to destroy it in the process. +func calculateDigestFromResponse(resp *http.Response, maxMetadataBytes int64) (digest.Digest, error) { + defer resp.Body.Close() + + body := limitReader(resp.Body, maxMetadataBytes) + content, err := io.ReadAll(body) + if err != nil { + return "", fmt.Errorf("%s %q: failed to read response body: %w", resp.Request.Method, resp.Request.URL, err) + } + resp.Body = io.NopCloser(bytes.NewReader(content)) + + return digest.FromBytes(content), nil +} + +// verifyContentDigest verifies "Docker-Content-Digest" header if present. +// OCI distribution-spec states the Docker-Content-Digest header is optional. +// Reference: https://github.com/opencontainers/distribution-spec/blob/v1.0.1/spec.md#legacy-docker-support-http-headers +func verifyContentDigest(resp *http.Response, expected digest.Digest) error { + digestStr := resp.Header.Get(headerDockerContentDigest) + + if len(digestStr) == 0 { + return nil + } + + contentDigest, err := digest.Parse(digestStr) + if err != nil { + return fmt.Errorf( + "%s %q: invalid response header: `%s: %s`", + resp.Request.Method, resp.Request.URL, + headerDockerContentDigest, digestStr, + ) + } + + if contentDigest != expected { + return fmt.Errorf( + "%s %q: invalid response; digest mismatch in %s: received %q when expecting %q", + resp.Request.Method, resp.Request.URL, + headerDockerContentDigest, contentDigest, + expected, + ) + } + + return nil +} + +// generateIndex generates an image index containing the given manifests list. +func generateIndex(manifests []ocispec.Descriptor) (ocispec.Descriptor, []byte, error) { + if manifests == nil { + manifests = []ocispec.Descriptor{} // make it an empty array to prevent potential server-side bugs + } + index := ocispec.Index{ + Versioned: specs.Versioned{ + SchemaVersion: 2, // historical value. does not pertain to OCI or docker version + }, + MediaType: ocispec.MediaTypeImageIndex, + Manifests: manifests, + } + indexJSON, err := json.Marshal(index) + if err != nil { + return ocispec.Descriptor{}, nil, err + } + indexDesc := content.NewDescriptorFromBytes(index.MediaType, indexJSON) + return indexDesc, indexJSON, nil +} diff --git a/vendor/oras.land/oras-go/v2/registry/remote/retry/client.go b/vendor/oras.land/oras-go/v2/registry/remote/retry/client.go new file mode 100644 index 0000000000..5e986ea02a --- /dev/null +++ b/vendor/oras.land/oras-go/v2/registry/remote/retry/client.go @@ -0,0 +1,114 @@ +/* +Copyright The ORAS Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package retry + +import ( + "net/http" + "time" +) + +// DefaultClient is a client with the default retry policy. +var DefaultClient = NewClient() + +// NewClient creates an HTTP client with the default retry policy. +func NewClient() *http.Client { + return &http.Client{ + Transport: NewTransport(nil), + } +} + +// Transport is an HTTP transport with retry policy. +type Transport struct { + // Base is the underlying HTTP transport to use. + // If nil, http.DefaultTransport is used for round trips. + Base http.RoundTripper + + // Policy returns a retry Policy to use for the request. + // If nil, DefaultPolicy is used to determine if the request should be retried. + Policy func() Policy +} + +// NewTransport creates an HTTP Transport with the default retry policy. +func NewTransport(base http.RoundTripper) *Transport { + return &Transport{ + Base: base, + } +} + +// RoundTrip executes a single HTTP transaction, returning a Response for the +// provided Request. +// It relies on the configured Policy to determine if the request should be +// retried and to backoff. +func (t *Transport) RoundTrip(req *http.Request) (*http.Response, error) { + ctx := req.Context() + policy := t.policy() + attempt := 0 + for { + resp, respErr := t.roundTrip(req) + duration, err := policy.Retry(attempt, resp, respErr) + if err != nil { + if respErr == nil { + resp.Body.Close() + } + return nil, err + } + if duration < 0 { + return resp, respErr + } + + // rewind the body if possible + if req.Body != nil { + if req.GetBody == nil { + // body can't be rewound, so we can't retry + return resp, respErr + } + body, err := req.GetBody() + if err != nil { + // failed to rewind the body, so we can't retry + return resp, respErr + } + req.Body = body + } + + // close the response body if needed + if respErr == nil { + resp.Body.Close() + } + + timer := time.NewTimer(duration) + select { + case <-ctx.Done(): + timer.Stop() + return nil, ctx.Err() + case <-timer.C: + } + attempt++ + } +} + +func (t *Transport) roundTrip(req *http.Request) (*http.Response, error) { + if t.Base == nil { + return http.DefaultTransport.RoundTrip(req) + } + return t.Base.RoundTrip(req) +} + +func (t *Transport) policy() Policy { + if t.Policy == nil { + return DefaultPolicy + } + return t.Policy() +} diff --git a/vendor/oras.land/oras-go/v2/registry/remote/retry/policy.go b/vendor/oras.land/oras-go/v2/registry/remote/retry/policy.go new file mode 100644 index 0000000000..ebe8b37301 --- /dev/null +++ b/vendor/oras.land/oras-go/v2/registry/remote/retry/policy.go @@ -0,0 +1,154 @@ +/* +Copyright The ORAS Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package retry + +import ( + "hash/maphash" + "math" + "math/rand/v2" + "net" + "net/http" + "strconv" + "time" +) + +// headerRetryAfter is the header key for Retry-After. +const headerRetryAfter = "Retry-After" + +// DefaultPolicy is a policy with fine-tuned retry parameters. +// It uses an exponential backoff with jitter. +var DefaultPolicy Policy = &GenericPolicy{ + Retryable: DefaultPredicate, + Backoff: DefaultBackoff, + MinWait: 200 * time.Millisecond, + MaxWait: 3 * time.Second, + MaxRetry: 5, +} + +// DefaultPredicate is a predicate that retries on 5xx errors, 429 Too Many +// Requests, 408 Request Timeout and on network dial timeout. +var DefaultPredicate Predicate = func(resp *http.Response, err error) (bool, error) { + if err != nil { + // retry on Dial timeout + if err, ok := err.(net.Error); ok && err.Timeout() { + return true, nil + } + return false, err + } + + if resp.StatusCode == http.StatusRequestTimeout || resp.StatusCode == http.StatusTooManyRequests { + return true, nil + } + + if resp.StatusCode == 0 || resp.StatusCode >= 500 { + return true, nil + } + + return false, nil +} + +// DefaultBackoff is a backoff that uses an exponential backoff with jitter. +// It uses a base of 250ms, a factor of 2 and a jitter of 10%. +var DefaultBackoff Backoff = ExponentialBackoff(250*time.Millisecond, 2, 0.1) + +// Policy is a retry policy. +type Policy interface { + // Retry returns the duration to wait before retrying the request. + // It returns a negative value if the request should not be retried. + // The attempt is used to: + // - calculate the backoff duration, the default backoff is an exponential backoff. + // - determine if the request should be retried. + // The attempt starts at 0 and should be less than MaxRetry for the request to + // be retried. + Retry(attempt int, resp *http.Response, err error) (time.Duration, error) +} + +// Predicate is a function that returns true if the request should be retried. +type Predicate func(resp *http.Response, err error) (bool, error) + +// Backoff is a function that returns the duration to wait before retrying the +// request. The attempt, is the next attempt number. The response is the +// response from the previous request. +type Backoff func(attempt int, resp *http.Response) time.Duration + +// ExponentialBackoff returns a Backoff that uses an exponential backoff with +// jitter. The backoff is calculated as: +// +// temp = backoff * factor ^ attempt +// interval = temp * (1 - jitter) + rand.Int64N(2 * jitter * temp) +// +// The HTTP response is checked for a Retry-After header. If it is present, the +// value is used as the backoff duration. +func ExponentialBackoff(backoff time.Duration, factor, jitter float64) Backoff { + return func(attempt int, resp *http.Response) time.Duration { + var h maphash.Hash + h.SetSeed(maphash.MakeSeed()) + rand := rand.New(rand.NewPCG(0, h.Sum64())) + + // check Retry-After + if resp != nil && resp.StatusCode == http.StatusTooManyRequests { + if v := resp.Header.Get(headerRetryAfter); v != "" { + if retryAfter, _ := strconv.ParseInt(v, 10, 64); retryAfter > 0 { + return time.Duration(retryAfter) * time.Second + } + } + } + + // do exponential backoff with jitter + temp := float64(backoff) * math.Pow(factor, float64(attempt)) + return time.Duration(temp*(1-jitter)) + time.Duration(rand.Int64N(int64(2*jitter*temp))) + } +} + +// GenericPolicy is a generic retry policy. +type GenericPolicy struct { + // Retryable is a predicate that returns true if the request should be + // retried. + Retryable Predicate + + // Backoff is a function that returns the duration to wait before retrying. + Backoff Backoff + + // MinWait is the minimum duration to wait before retrying. + MinWait time.Duration + + // MaxWait is the maximum duration to wait before retrying. + MaxWait time.Duration + + // MaxRetry is the maximum number of retries. + MaxRetry int +} + +// Retry returns the duration to wait before retrying the request. +// It returns -1 if the request should not be retried. +func (p *GenericPolicy) Retry(attempt int, resp *http.Response, err error) (time.Duration, error) { + if attempt >= p.MaxRetry { + return -1, nil + } + if ok, err := p.Retryable(resp, err); err != nil { + return -1, err + } else if !ok { + return -1, nil + } + backoff := p.Backoff(attempt, resp) + if backoff < p.MinWait { + backoff = p.MinWait + } + if backoff > p.MaxWait { + backoff = p.MaxWait + } + return backoff, nil +} diff --git a/vendor/oras.land/oras-go/v2/registry/remote/url.go b/vendor/oras.land/oras-go/v2/registry/remote/url.go new file mode 100644 index 0000000000..64f6670a34 --- /dev/null +++ b/vendor/oras.land/oras-go/v2/registry/remote/url.go @@ -0,0 +1,119 @@ +/* +Copyright The ORAS Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package remote + +import ( + "fmt" + "net/url" + "strings" + + "github.com/opencontainers/go-digest" + "oras.land/oras-go/v2/registry" +) + +// buildScheme returns HTTP scheme used to access the remote registry. +func buildScheme(plainHTTP bool) string { + if plainHTTP { + return "http" + } + return "https" +} + +// buildRegistryBaseURL builds the URL for accessing the base API. +// Format: :///v2/ +// Reference: https://distribution.github.io/distribution/spec/api/#base +func buildRegistryBaseURL(plainHTTP bool, ref registry.Reference) string { + return fmt.Sprintf("%s://%s/v2/", buildScheme(plainHTTP), ref.Host()) +} + +// buildRegistryCatalogURL builds the URL for accessing the catalog API. +// Format: :///v2/_catalog +// Reference: https://distribution.github.io/distribution/spec/api/#catalog +func buildRegistryCatalogURL(plainHTTP bool, ref registry.Reference) string { + return fmt.Sprintf("%s://%s/v2/_catalog", buildScheme(plainHTTP), ref.Host()) +} + +// buildRepositoryBaseURL builds the base endpoint of the remote repository. +// Format: :///v2/ +func buildRepositoryBaseURL(plainHTTP bool, ref registry.Reference) string { + return fmt.Sprintf("%s://%s/v2/%s", buildScheme(plainHTTP), ref.Host(), ref.Repository) +} + +// buildRepositoryTagListURL builds the URL for accessing the tag list API. +// Format: :///v2//tags/list +// Reference: https://distribution.github.io/distribution/spec/api/#tags +func buildRepositoryTagListURL(plainHTTP bool, ref registry.Reference) string { + return buildRepositoryBaseURL(plainHTTP, ref) + "/tags/list" +} + +// buildRepositoryManifestURL builds the URL for accessing the manifest API. +// Format: :///v2//manifests/ +// Reference: https://distribution.github.io/distribution/spec/api/#manifest +func buildRepositoryManifestURL(plainHTTP bool, ref registry.Reference) string { + return strings.Join([]string{ + buildRepositoryBaseURL(plainHTTP, ref), + "manifests", + ref.Reference, + }, "/") +} + +// buildRepositoryBlobURL builds the URL for accessing the blob API. +// Format: :///v2//blobs/ +// Reference: https://distribution.github.io/distribution/spec/api/#blob +func buildRepositoryBlobURL(plainHTTP bool, ref registry.Reference) string { + return strings.Join([]string{ + buildRepositoryBaseURL(plainHTTP, ref), + "blobs", + ref.Reference, + }, "/") +} + +// buildRepositoryBlobUploadURL builds the URL for blob uploading. +// Format: :///v2//blobs/uploads/ +// Reference: https://distribution.github.io/distribution/spec/api/#initiate-blob-upload +func buildRepositoryBlobUploadURL(plainHTTP bool, ref registry.Reference) string { + return buildRepositoryBaseURL(plainHTTP, ref) + "/blobs/uploads/" +} + +// buildRepositoryBlobMountURLbuilds the URL for cross-repository mounting. +// Format: :///v2//blobs/uploads/?mount=&from= +// Reference: https://distribution.github.io/distribution/spec/api/#blob +func buildRepositoryBlobMountURL(plainHTTP bool, ref registry.Reference, d digest.Digest, fromRepo string) string { + return fmt.Sprintf("%s?mount=%s&from=%s", + buildRepositoryBlobUploadURL(plainHTTP, ref), + d, + fromRepo, + ) +} + +// buildReferrersURL builds the URL for querying the Referrers API. +// Format: :///v2//referrers/?artifactType= +// Reference: https://github.com/opencontainers/distribution-spec/blob/v1.1.1/spec.md#listing-referrers +func buildReferrersURL(plainHTTP bool, ref registry.Reference, artifactType string) string { + var query string + if artifactType != "" { + v := url.Values{} + v.Set("artifactType", artifactType) + query = "?" + v.Encode() + } + + return fmt.Sprintf( + "%s/referrers/%s%s", + buildRepositoryBaseURL(plainHTTP, ref), + ref.Reference, + query, + ) +} diff --git a/vendor/oras.land/oras-go/v2/registry/remote/utils.go b/vendor/oras.land/oras-go/v2/registry/remote/utils.go new file mode 100644 index 0000000000..797169f48f --- /dev/null +++ b/vendor/oras.land/oras-go/v2/registry/remote/utils.go @@ -0,0 +1,94 @@ +/* +Copyright The ORAS Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package remote + +import ( + "encoding/json" + "errors" + "fmt" + "io" + "net/http" + "strings" + + ocispec "github.com/opencontainers/image-spec/specs-go/v1" + "oras.land/oras-go/v2/content" + "oras.land/oras-go/v2/errdef" +) + +// defaultMaxMetadataBytes specifies the default limit on how many response +// bytes are allowed in the server's response to the metadata APIs. +// See also: Repository.MaxMetadataBytes +var defaultMaxMetadataBytes int64 = 4 * 1024 * 1024 // 4 MiB + +// errNoLink is returned by parseLink() when no Link header is present. +var errNoLink = errors.New("no Link header in response") + +// parseLink returns the URL of the response's "Link" header, if present. +func parseLink(resp *http.Response) (string, error) { + link := resp.Header.Get("Link") + if link == "" { + return "", errNoLink + } + if link[0] != '<' { + return "", fmt.Errorf("invalid next link %q: missing '<'", link) + } + if i := strings.IndexByte(link, '>'); i == -1 { + return "", fmt.Errorf("invalid next link %q: missing '>'", link) + } else { + link = link[1:i] + } + + linkURL, err := resp.Request.URL.Parse(link) + if err != nil { + return "", err + } + return linkURL.String(), nil +} + +// limitReader returns a Reader that reads from r but stops with EOF after n +// bytes. If n is less than or equal to zero, defaultMaxMetadataBytes is used. +func limitReader(r io.Reader, n int64) io.Reader { + if n <= 0 { + n = defaultMaxMetadataBytes + } + return io.LimitReader(r, n) +} + +// limitSize returns ErrSizeExceedsLimit if the size of desc exceeds the limit n. +// If n is less than or equal to zero, defaultMaxMetadataBytes is used. +func limitSize(desc ocispec.Descriptor, n int64) error { + if n <= 0 { + n = defaultMaxMetadataBytes + } + if desc.Size > n { + return fmt.Errorf( + "content size %v exceeds MaxMetadataBytes %v: %w", + desc.Size, + n, + errdef.ErrSizeExceedsLimit) + } + return nil +} + +// decodeJSON safely reads the JSON content described by desc, and +// decodes it into v. +func decodeJSON(r io.Reader, desc ocispec.Descriptor, v any) error { + jsonBytes, err := content.ReadAll(r, desc) + if err != nil { + return err + } + return json.Unmarshal(jsonBytes, v) +} diff --git a/vendor/oras.land/oras-go/v2/registry/remote/warning.go b/vendor/oras.land/oras-go/v2/registry/remote/warning.go new file mode 100644 index 0000000000..02d758eaf9 --- /dev/null +++ b/vendor/oras.land/oras-go/v2/registry/remote/warning.go @@ -0,0 +1,100 @@ +/* +Copyright The ORAS Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package remote + +import ( + "errors" + "fmt" + "strconv" + "strings" +) + +const ( + // headerWarning is the "Warning" header. + // Reference: https://www.rfc-editor.org/rfc/rfc7234#section-5.5 + headerWarning = "Warning" + + // warnCode299 is the 299 warn-code. + // Reference: https://www.rfc-editor.org/rfc/rfc7234#section-5.5 + warnCode299 = 299 + + // warnAgentUnknown represents an unknown warn-agent. + // Reference: https://www.rfc-editor.org/rfc/rfc7234#section-5.5 + warnAgentUnknown = "-" +) + +// errUnexpectedWarningFormat is returned by parseWarningHeader when +// an unexpected warning format is encountered. +var errUnexpectedWarningFormat = errors.New("unexpected warning format") + +// WarningValue represents the value of the Warning header. +// +// References: +// - https://github.com/opencontainers/distribution-spec/blob/v1.1.1/spec.md#warnings +// - https://www.rfc-editor.org/rfc/rfc7234#section-5.5 +type WarningValue struct { + // Code is the warn-code. + Code int + // Agent is the warn-agent. + Agent string + // Text is the warn-text. + Text string +} + +// Warning contains the value of the warning header and may contain +// other information related to the warning. +// +// References: +// - https://github.com/opencontainers/distribution-spec/blob/v1.1.1/spec.md#warnings +// - https://www.rfc-editor.org/rfc/rfc7234#section-5.5 +type Warning struct { + // WarningValue is the value of the warning header. + WarningValue +} + +// parseWarningHeader parses the warning header into WarningValue. +func parseWarningHeader(header string) (WarningValue, error) { + if len(header) < 9 || !strings.HasPrefix(header, `299 - "`) || !strings.HasSuffix(header, `"`) { + // minimum header value: `299 - "x"` + return WarningValue{}, fmt.Errorf("%s: %w", header, errUnexpectedWarningFormat) + } + + // validate text only as code and agent are fixed + quotedText := header[6:] // behind `299 - `, quoted by " + text, err := strconv.Unquote(quotedText) + if err != nil { + return WarningValue{}, fmt.Errorf("%s: unexpected text: %w: %v", header, errUnexpectedWarningFormat, err) + } + + return WarningValue{ + Code: warnCode299, + Agent: warnAgentUnknown, + Text: text, + }, nil +} + +// handleWarningHeaders parses the warning headers and handles the parsed +// warnings using handleWarning. +func handleWarningHeaders(headers []string, handleWarning func(Warning)) { + for _, h := range headers { + if value, err := parseWarningHeader(h); err == nil { + // ignore warnings in unexpected formats + handleWarning(Warning{ + WarningValue: value, + }) + } + } +} diff --git a/vendor/oras.land/oras-go/v2/registry/repository.go b/vendor/oras.land/oras-go/v2/registry/repository.go new file mode 100644 index 0000000000..367f2d0f91 --- /dev/null +++ b/vendor/oras.land/oras-go/v2/registry/repository.go @@ -0,0 +1,226 @@ +/* +Copyright The ORAS Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package registry + +import ( + "context" + "encoding/json" + "fmt" + "io" + + ocispec "github.com/opencontainers/image-spec/specs-go/v1" + "oras.land/oras-go/v2/content" + "oras.land/oras-go/v2/errdef" + "oras.land/oras-go/v2/internal/descriptor" + "oras.land/oras-go/v2/internal/spec" +) + +// Repository is an ORAS target and an union of the blob and the manifest CASs. +// +// As specified by https://distribution.github.io/distribution/spec/api/, it is natural to +// assume that content.Resolver interface only works for manifests. Tagging a +// blob may be resulted in an `ErrUnsupported` error. However, this interface +// does not restrict tagging blobs. +// +// Since a repository is an union of the blob and the manifest CASs, all +// operations defined in the `BlobStore` are executed depending on the media +// type of the given descriptor accordingly. +// +// Furthermore, this interface also provides the ability to enforce the +// separation of the blob and the manifests CASs. +type Repository interface { + content.Storage + content.Deleter + content.TagResolver + ReferenceFetcher + ReferencePusher + ReferrerLister + TagLister + + // Blobs provides access to the blob CAS only, which contains config blobs, + // layers, and other generic blobs. + Blobs() BlobStore + + // Manifests provides access to the manifest CAS only. + Manifests() ManifestStore +} + +// BlobStore is a CAS with the ability to stat and delete its content. +type BlobStore interface { + content.Storage + content.Deleter + content.Resolver + ReferenceFetcher +} + +// ManifestStore is a CAS with the ability to stat and delete its content. +// Besides, ManifestStore provides reference tagging. +type ManifestStore interface { + BlobStore + content.Tagger + ReferencePusher +} + +// ReferencePusher provides advanced push with the tag service. +type ReferencePusher interface { + // PushReference pushes the manifest with a reference tag. + PushReference(ctx context.Context, expected ocispec.Descriptor, content io.Reader, reference string) error +} + +// ReferenceFetcher provides advanced fetch with the tag service. +type ReferenceFetcher interface { + // FetchReference fetches the content identified by the reference. + FetchReference(ctx context.Context, reference string) (ocispec.Descriptor, io.ReadCloser, error) +} + +// ReferrerLister provides the Referrers API. +// Reference: https://github.com/opencontainers/distribution-spec/blob/v1.1.1/spec.md#listing-referrers +type ReferrerLister interface { + Referrers(ctx context.Context, desc ocispec.Descriptor, artifactType string, fn func(referrers []ocispec.Descriptor) error) error +} + +// TagLister lists tags by the tag service. +type TagLister interface { + // Tags lists the tags available in the repository. + // Since the returned tag list may be paginated by the underlying + // implementation, a function should be passed in to process the paginated + // tag list. + // + // `last` argument is the `last` parameter when invoking the tags API. + // If `last` is NOT empty, the entries in the response start after the + // tag specified by `last`. Otherwise, the response starts from the top + // of the Tags list. + // + // Note: When implemented by a remote registry, the tags API is called. + // However, not all registries supports pagination or conforms the + // specification. + // + // References: + // - https://github.com/opencontainers/distribution-spec/blob/v1.1.1/spec.md#content-discovery + // - https://distribution.github.io/distribution/spec/api/#tags + // See also `Tags()` in this package. + Tags(ctx context.Context, last string, fn func(tags []string) error) error +} + +// Mounter allows cross-repository blob mounts. +// For backward compatibility reasons, this is not implemented by +// BlobStore: use a type assertion to check availability. +type Mounter interface { + // Mount makes the blob with the given descriptor in fromRepo + // available in the repository signified by the receiver. + Mount(ctx context.Context, + desc ocispec.Descriptor, + fromRepo string, + getContent func() (io.ReadCloser, error), + ) error +} + +// Tags lists the tags available in the repository. +func Tags(ctx context.Context, repo TagLister) ([]string, error) { + var res []string + if err := repo.Tags(ctx, "", func(tags []string) error { + res = append(res, tags...) + return nil + }); err != nil { + return nil, err + } + return res, nil +} + +// Referrers lists the descriptors of image or artifact manifests directly +// referencing the given manifest descriptor. +// +// Reference: https://github.com/opencontainers/distribution-spec/blob/v1.1.1/spec.md#listing-referrers +func Referrers(ctx context.Context, store content.ReadOnlyGraphStorage, desc ocispec.Descriptor, artifactType string) ([]ocispec.Descriptor, error) { + if !descriptor.IsManifest(desc) { + return nil, fmt.Errorf("the descriptor %v is not a manifest: %w", desc, errdef.ErrUnsupported) + } + + var results []ocispec.Descriptor + + // use the Referrer API if it is available + if rf, ok := store.(ReferrerLister); ok { + if err := rf.Referrers(ctx, desc, artifactType, func(referrers []ocispec.Descriptor) error { + results = append(results, referrers...) + return nil + }); err != nil { + return nil, err + } + return results, nil + } + + predecessors, err := store.Predecessors(ctx, desc) + if err != nil { + return nil, err + } + for _, node := range predecessors { + switch node.MediaType { + case ocispec.MediaTypeImageManifest: + fetched, err := content.FetchAll(ctx, store, node) + if err != nil { + return nil, err + } + var manifest ocispec.Manifest + if err := json.Unmarshal(fetched, &manifest); err != nil { + return nil, err + } + if manifest.Subject == nil || !content.Equal(*manifest.Subject, desc) { + continue + } + node.ArtifactType = manifest.ArtifactType + if node.ArtifactType == "" { + node.ArtifactType = manifest.Config.MediaType + } + node.Annotations = manifest.Annotations + case ocispec.MediaTypeImageIndex: + fetched, err := content.FetchAll(ctx, store, node) + if err != nil { + return nil, err + } + var index ocispec.Index + if err := json.Unmarshal(fetched, &index); err != nil { + return nil, err + } + if index.Subject == nil || !content.Equal(*index.Subject, desc) { + continue + } + node.ArtifactType = index.ArtifactType + node.Annotations = index.Annotations + case spec.MediaTypeArtifactManifest: + fetched, err := content.FetchAll(ctx, store, node) + if err != nil { + return nil, err + } + var artifact spec.Artifact + if err := json.Unmarshal(fetched, &artifact); err != nil { + return nil, err + } + if artifact.Subject == nil || !content.Equal(*artifact.Subject, desc) { + continue + } + node.ArtifactType = artifact.ArtifactType + node.Annotations = artifact.Annotations + default: + continue + } + if artifactType == "" || artifactType == node.ArtifactType { + // the field artifactType in referrers descriptor is allowed to be empty + // https://github.com/opencontainers/distribution-spec/issues/458 + results = append(results, node) + } + } + return results, nil +} diff --git a/vendor/oras.land/oras-go/v2/target.go b/vendor/oras.land/oras-go/v2/target.go new file mode 100644 index 0000000000..c6dcaef9ba --- /dev/null +++ b/vendor/oras.land/oras-go/v2/target.go @@ -0,0 +1,43 @@ +/* +Copyright The ORAS Authors. +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package oras + +import "oras.land/oras-go/v2/content" + +// Target is a CAS with generic tags. +type Target interface { + content.Storage + content.TagResolver +} + +// GraphTarget is a CAS with generic tags that supports direct predecessor node +// finding. +type GraphTarget interface { + content.GraphStorage + content.TagResolver +} + +// ReadOnlyTarget represents a read-only Target. +type ReadOnlyTarget interface { + content.ReadOnlyStorage + content.Resolver +} + +// ReadOnlyGraphTarget represents a read-only GraphTarget. +type ReadOnlyGraphTarget interface { + content.ReadOnlyGraphStorage + content.Resolver +} diff --git a/vendor/sigs.k8s.io/controller-runtime/.gitignore b/vendor/sigs.k8s.io/controller-runtime/.gitignore new file mode 100644 index 0000000000..2ddc5a8b87 --- /dev/null +++ b/vendor/sigs.k8s.io/controller-runtime/.gitignore @@ -0,0 +1,30 @@ +# Binaries for programs and plugins +*.exe +*.exe~ +*.dll +*.so +*.dylib + +# Test binary, build with `go test -c` +*.test + +# Output of the go coverage tool, specifically when used with LiteIDE +*.out + +# editor and IDE paraphernalia +.idea +*.swp +*.swo +*~ + +# Vscode files +.vscode + +# Tools binaries. +hack/tools/bin + +# Release artifacts +tools/setup-envtest/out + +junit-report.xml +/artifacts diff --git a/vendor/sigs.k8s.io/controller-runtime/.golangci.yml b/vendor/sigs.k8s.io/controller-runtime/.golangci.yml new file mode 100644 index 0000000000..7390d2024b --- /dev/null +++ b/vendor/sigs.k8s.io/controller-runtime/.golangci.yml @@ -0,0 +1,184 @@ +version: "2" +run: + go: "1.24" + timeout: 10m + allow-parallel-runners: true +linters: + default: none + enable: + - asasalint + - asciicheck + - bidichk + - bodyclose + - copyloopvar + - dogsled + - dupl + - errcheck + - errchkjson + - errorlint + - exhaustive + - ginkgolinter + - goconst + - gocritic + - gocyclo + - goprintffuncname + - govet + - importas + - ineffassign + - makezero + - misspell + - nakedret + - nilerr + - nolintlint + - prealloc + - revive + - staticcheck + - tagliatelle + - unconvert + - unparam + - unused + - whitespace + settings: + govet: + disable: + - fieldalignment + - shadow + enable-all: true + importas: + alias: + - pkg: k8s.io/api/core/v1 + alias: corev1 + - pkg: k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1 + alias: apiextensionsv1 + - pkg: k8s.io/apimachinery/pkg/apis/meta/v1 + alias: metav1 + - pkg: k8s.io/apimachinery/pkg/api/errors + alias: apierrors + - pkg: k8s.io/apimachinery/pkg/util/errors + alias: kerrors + - pkg: sigs.k8s.io/controller-runtime + alias: ctrl + no-unaliased: true + revive: + rules: + # The following rules are recommended https://github.com/mgechev/revive#recommended-configuration + - name: blank-imports + - name: context-as-argument + - name: context-keys-type + - name: dot-imports + - name: error-return + - name: error-strings + - name: error-naming + - name: exported + - name: if-return + - name: increment-decrement + - name: var-naming + - name: var-declaration + - name: range + - name: receiver-naming + - name: time-naming + - name: unexported-return + - name: indent-error-flow + - name: errorf + - name: superfluous-else + - name: unreachable-code + - name: redefines-builtin-id + # + # Rules in addition to the recommended configuration above. + # + - name: bool-literal-in-expr + - name: constant-logical-expr + exclusions: + generated: strict + paths: + - zz_generated.*\.go$ + - .*conversion.*\.go$ + rules: + - linters: + - gosec + text: 'G108: Profiling endpoint is automatically exposed on /debug/pprof' + - linters: + - revive + text: 'exported: exported method .*\.(Reconcile|SetupWithManager|SetupWebhookWithManager) should have comment or be unexported' + - linters: + - errcheck + text: Error return value of .((os\.)?std(out|err)\..*|.*Close|.*Flush|os\.Remove(All)?|.*print(f|ln)?|os\.(Un)?Setenv). is not checked + - linters: + - staticcheck + text: 'SA1019: .*The component config package has been deprecated and will be removed in a future release.' + # With Go 1.16, the new embed directive can be used with an un-named import, + # revive (previously, golint) only allows these to be imported in a main.go, which wouldn't work for us. + # This directive allows the embed package to be imported with an underscore everywhere. + - linters: + - revive + source: _ "embed" + # Exclude some packages or code to require comments, for example test code, or fake clients. + - linters: + - revive + text: exported (method|function|type|const) (.+) should have comment or be unexported + source: (func|type).*Fake.* + - linters: + - revive + path: fake_\.go + text: exported (method|function|type|const) (.+) should have comment or be unexported + # Disable unparam "always receives" which might not be really + # useful when building libraries. + - linters: + - unparam + text: always receives + # Dot imports for gomega and ginkgo are allowed + # within test files. + - path: _test\.go + text: should not use dot imports + - path: _test\.go + text: cyclomatic complexity + - path: _test\.go + text: 'G107: Potential HTTP request made with variable url' + # Append should be able to assign to a different var/slice. + - linters: + - gocritic + text: 'appendAssign: append result not assigned to the same slice' + - linters: + - gocritic + text: 'singleCaseSwitch: should rewrite switch statement to if statement' + # It considers all file access to a filename that comes from a variable problematic, + # which is naiv at best. + - linters: + - gosec + text: 'G304: Potential file inclusion via variable' + - linters: + - dupl + path: _test\.go + - linters: + - revive + path: .*/internal/.* + - linters: + - unused + # Seems to incorrectly trigger on the two implementations that are only + # used through an interface and not directly..? + # Likely same issue as https://github.com/dominikh/go-tools/issues/1616 + path: pkg/controller/priorityqueue/metrics\.go + # The following are being worked on to remove their exclusion. This list should be reduced or go away all together over time. + # If it is decided they will not be addressed they should be moved above this comment. + - path: (.+)\.go$ + text: Subprocess launch(ed with variable|ing should be audited) + - linters: + - gosec + path: (.+)\.go$ + text: (G204|G104|G307) + - linters: + - staticcheck + path: (.+)\.go$ + text: (ST1000|QF1008) +issues: + max-issues-per-linter: 0 + max-same-issues: 0 +formatters: + enable: + - gofmt + - goimports + exclusions: + generated: strict + paths: + - zz_generated.*\.go$ + - .*conversion.*\.go$ diff --git a/vendor/sigs.k8s.io/controller-runtime/.gomodcheck.yaml b/vendor/sigs.k8s.io/controller-runtime/.gomodcheck.yaml new file mode 100644 index 0000000000..3608de331d --- /dev/null +++ b/vendor/sigs.k8s.io/controller-runtime/.gomodcheck.yaml @@ -0,0 +1,17 @@ +upstreamRefs: + - k8s.io/api + - k8s.io/apiextensions-apiserver + - k8s.io/apimachinery + - k8s.io/apiserver + - k8s.io/client-go + - k8s.io/component-base + # k8s.io/klog/v2 -> conflicts with k/k deps + # k8s.io/utils -> conflicts with k/k deps + +excludedModules: + # --- test dependencies: + - github.com/onsi/ginkgo/v2 + - github.com/onsi/gomega + + # --- We want a newer version with generics support for this + - github.com/google/btree diff --git a/vendor/sigs.k8s.io/controller-runtime/CONTRIBUTING.md b/vendor/sigs.k8s.io/controller-runtime/CONTRIBUTING.md new file mode 100644 index 0000000000..2c0ea1f667 --- /dev/null +++ b/vendor/sigs.k8s.io/controller-runtime/CONTRIBUTING.md @@ -0,0 +1,19 @@ +# Contributing guidelines + +## Sign the CLA + +Kubernetes projects require that you sign a Contributor License Agreement (CLA) before we can accept your pull requests. + +Please see https://git.k8s.io/community/CLA.md for more info + +## Contributing steps + +1. Submit an issue describing your proposed change to the repo in question. +1. The [repo owners](OWNERS) will respond to your issue promptly. +1. If your proposed change is accepted, and you haven't already done so, sign a Contributor License Agreement (see details above). +1. Fork the desired repo, develop and test your code changes. +1. Submit a pull request. + +## Test locally + +Run the command `make test` to test the changes locally. diff --git a/vendor/sigs.k8s.io/controller-runtime/FAQ.md b/vendor/sigs.k8s.io/controller-runtime/FAQ.md new file mode 100644 index 0000000000..9c36c8112e --- /dev/null +++ b/vendor/sigs.k8s.io/controller-runtime/FAQ.md @@ -0,0 +1,81 @@ +# FAQ + +### Q: How do I know which type of object a controller references? + +**A**: Each controller should only reconcile one object type. Other +affected objects should be mapped to a single type of root object, using +the `handler.EnqueueRequestForOwner` or `handler.EnqueueRequestsFromMapFunc` event +handlers, and potentially indices. Then, your Reconcile method should +attempt to reconcile *all* state for that given root objects. + +### Q: How do I have different logic in my reconciler for different types of events (e.g. create, update, delete)? + +**A**: You should not. Reconcile functions should be idempotent, and +should always reconcile state by reading all the state it needs, then +writing updates. This allows your reconciler to correctly respond to +generic events, adjust to skipped or coalesced events, and easily deal +with application startup. The controller will enqueue reconcile requests +for both old and new objects if a mapping changes, but it's your +responsibility to make sure you have enough information to be able clean +up state that's no longer referenced. + +### Q: My cache might be stale if I read from a cache! How should I deal with that? + +**A**: There are several different approaches that can be taken, depending +on your situation. + +- When you can, take advantage of optimistic locking: use deterministic + names for objects you create, so that the Kubernetes API server will + warn you if the object already exists. Many controllers in Kubernetes + take this approach: the StatefulSet controller appends a specific number + to each pod that it creates, while the Deployment controller hashes the + pod template spec and appends that. + +- In the few cases when you cannot take advantage of deterministic names + (e.g. when using generateName), it may be useful in to track which + actions you took, and assume that they need to be repeated if they don't + occur after a given time (e.g. using a requeue result). This is what + the ReplicaSet controller does. + +In general, write your controller with the assumption that information +will eventually be correct, but may be slightly out of date. Make sure +that your reconcile function enforces the entire state of the world each +time it runs. If none of this works for you, you can always construct +a client that reads directly from the API server, but this is generally +considered to be a last resort, and the two approaches above should +generally cover most circumstances. + +### Q: Where's the fake client? How do I use it? + +**A**: The fake client +[exists](https://pkg.go.dev/sigs.k8s.io/controller-runtime/pkg/client/fake), +but we generally recommend using +[envtest.Environment](https://pkg.go.dev/sigs.k8s.io/controller-runtime/pkg/envtest#Environment) +to test against a real API server. In our experience, tests using fake +clients gradually re-implement poorly-written impressions of a real API +server, which leads to hard-to-maintain, complex test code. + +### Q: How should I write tests? Any suggestions for getting started? + +- Use the aforementioned + [envtest.Environment](https://pkg.go.dev/sigs.k8s.io/controller-runtime/pkg/envtest#Environment) + to spin up a real API server instead of trying to mock one out. + +- Structure your tests to check that the state of the world is as you + expect it, *not* that a particular set of API calls were made, when + working with Kubernetes APIs. This will allow you to more easily + refactor and improve the internals of your controllers without changing + your tests. + +- Remember that any time you're interacting with the API server, changes + may have some delay between write time and reconcile time. + +### Q: What are these errors about no Kind being registered for a type? + +**A**: You're probably missing a fully-set-up Scheme. Schemes record the +mapping between Go types and group-version-kinds in Kubernetes. In +general, your application should have its own Scheme containing the types +from the API groups that it needs (be they Kubernetes types or your own). +See the [scheme builder +docs](https://pkg.go.dev/sigs.k8s.io/controller-runtime/pkg/scheme) for +more information. diff --git a/vendor/sigs.k8s.io/controller-runtime/Makefile b/vendor/sigs.k8s.io/controller-runtime/Makefile new file mode 100644 index 0000000000..b8e9cfa877 --- /dev/null +++ b/vendor/sigs.k8s.io/controller-runtime/Makefile @@ -0,0 +1,218 @@ +#!/usr/bin/env bash + +# Copyright 2020 The Kubernetes Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# If you update this file, please follow +# https://suva.sh/posts/well-documented-makefiles + +## -------------------------------------- +## General +## -------------------------------------- + +SHELL:=/usr/bin/env bash +.DEFAULT_GOAL:=help + +# +# Go. +# +GO_VERSION ?= 1.24.0 + +# Use GOPROXY environment variable if set +GOPROXY := $(shell go env GOPROXY) +ifeq ($(GOPROXY),) +GOPROXY := https://proxy.golang.org +endif +export GOPROXY + +# Active module mode, as we use go modules to manage dependencies +export GO111MODULE=on + +# Hosts running SELinux need :z added to volume mounts +SELINUX_ENABLED := $(shell cat /sys/fs/selinux/enforce 2> /dev/null || echo 0) + +ifeq ($(SELINUX_ENABLED),1) + DOCKER_VOL_OPTS?=:z +endif + +# Tools. +TOOLS_DIR := hack/tools +TOOLS_BIN_DIR := $(abspath $(TOOLS_DIR)/bin) +GOLANGCI_LINT := $(abspath $(TOOLS_BIN_DIR)/golangci-lint) +GO_APIDIFF := $(TOOLS_BIN_DIR)/go-apidiff +CONTROLLER_GEN := $(TOOLS_BIN_DIR)/controller-gen +ENVTEST_DIR := $(abspath tools/setup-envtest) +SCRATCH_ENV_DIR := $(abspath examples/scratch-env) +GO_INSTALL := ./hack/go-install.sh + +# The help will print out all targets with their descriptions organized bellow their categories. The categories are represented by `##@` and the target descriptions by `##`. +# The awk commands is responsible to read the entire set of makefiles included in this invocation, looking for lines of the file as xyz: ## something, and then pretty-format the target and help. Then, if there's a line with ##@ something, that gets pretty-printed as a category. +# More info over the usage of ANSI control characters for terminal formatting: https://en.wikipedia.org/wiki/ANSI_escape_code#SGR_parameters +# More info over awk command: http://linuxcommand.org/lc3_adv_awk.php +.PHONY: help +help: ## Display this help + @awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n make \033[36m\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf " \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST) + +## -------------------------------------- +## Testing +## -------------------------------------- + +.PHONY: test +test: test-tools ## Run the script check-everything.sh which will check all. + TRACE=1 ./hack/check-everything.sh + +.PHONY: test-tools +test-tools: ## tests the tools codebase (setup-envtest) + cd tools/setup-envtest && go test ./... + +## -------------------------------------- +## Binaries +## -------------------------------------- + +GO_APIDIFF_VER := v0.8.2 +GO_APIDIFF_BIN := go-apidiff +GO_APIDIFF := $(abspath $(TOOLS_BIN_DIR)/$(GO_APIDIFF_BIN)-$(GO_APIDIFF_VER)) +GO_APIDIFF_PKG := github.com/joelanford/go-apidiff + +$(GO_APIDIFF): # Build go-apidiff from tools folder. + GOBIN=$(TOOLS_BIN_DIR) $(GO_INSTALL) $(GO_APIDIFF_PKG) $(GO_APIDIFF_BIN) $(GO_APIDIFF_VER) + +CONTROLLER_GEN_VER := v0.17.1 +CONTROLLER_GEN_BIN := controller-gen +CONTROLLER_GEN := $(abspath $(TOOLS_BIN_DIR)/$(CONTROLLER_GEN_BIN)-$(CONTROLLER_GEN_VER)) +CONTROLLER_GEN_PKG := sigs.k8s.io/controller-tools/cmd/controller-gen + +$(CONTROLLER_GEN): # Build controller-gen from tools folder. + GOBIN=$(TOOLS_BIN_DIR) $(GO_INSTALL) $(CONTROLLER_GEN_PKG) $(CONTROLLER_GEN_BIN) $(CONTROLLER_GEN_VER) + +GOLANGCI_LINT_BIN := golangci-lint +GOLANGCI_LINT_VER := $(shell cat .github/workflows/golangci-lint.yml | grep [[:space:]]version: | sed 's/.*version: //') +GOLANGCI_LINT := $(abspath $(TOOLS_BIN_DIR)/$(GOLANGCI_LINT_BIN)-$(GOLANGCI_LINT_VER)) +GOLANGCI_LINT_PKG := github.com/golangci/golangci-lint/v2/cmd/golangci-lint + +$(GOLANGCI_LINT): # Build golangci-lint from tools folder. + GOBIN=$(TOOLS_BIN_DIR) $(GO_INSTALL) $(GOLANGCI_LINT_PKG) $(GOLANGCI_LINT_BIN) $(GOLANGCI_LINT_VER) + +GO_MOD_CHECK_DIR := $(abspath ./hack/tools/cmd/gomodcheck) +GO_MOD_CHECK := $(abspath $(TOOLS_BIN_DIR)/gomodcheck) +GO_MOD_CHECK_IGNORE := $(abspath .gomodcheck.yaml) +.PHONY: $(GO_MOD_CHECK) +$(GO_MOD_CHECK): # Build gomodcheck + go build -C $(GO_MOD_CHECK_DIR) -o $(GO_MOD_CHECK) + +## -------------------------------------- +## Linting +## -------------------------------------- + +.PHONY: lint +lint: $(GOLANGCI_LINT) ## Lint codebase + $(GOLANGCI_LINT) run -v $(GOLANGCI_LINT_EXTRA_ARGS) + cd tools/setup-envtest; $(GOLANGCI_LINT) run -v $(GOLANGCI_LINT_EXTRA_ARGS) + +.PHONY: lint-fix +lint-fix: $(GOLANGCI_LINT) ## Lint the codebase and run auto-fixers if supported by the linter. + GOLANGCI_LINT_EXTRA_ARGS=--fix $(MAKE) lint + +## -------------------------------------- +## Generate +## -------------------------------------- + +.PHONY: modules +modules: ## Runs go mod to ensure modules are up to date. + go mod tidy + cd $(TOOLS_DIR); go mod tidy + cd $(ENVTEST_DIR); go mod tidy + cd $(SCRATCH_ENV_DIR); go mod tidy + +## -------------------------------------- +## Release +## -------------------------------------- + +RELEASE_DIR := tools/setup-envtest/out + +.PHONY: $(RELEASE_DIR) +$(RELEASE_DIR): + mkdir -p $(RELEASE_DIR)/ + +.PHONY: release +release: clean-release $(RELEASE_DIR) ## Build release. + @if ! [ -z "$$(git status --porcelain)" ]; then echo "Your local git repository contains uncommitted changes, use git clean before proceeding."; exit 1; fi + + # Build binaries first. + $(MAKE) release-binaries + +.PHONY: release-binaries +release-binaries: ## Build release binaries. + RELEASE_BINARY=setup-envtest-linux-amd64 GOOS=linux GOARCH=amd64 $(MAKE) release-binary + RELEASE_BINARY=setup-envtest-linux-arm64 GOOS=linux GOARCH=arm64 $(MAKE) release-binary + RELEASE_BINARY=setup-envtest-linux-ppc64le GOOS=linux GOARCH=ppc64le $(MAKE) release-binary + RELEASE_BINARY=setup-envtest-linux-s390x GOOS=linux GOARCH=s390x $(MAKE) release-binary + RELEASE_BINARY=setup-envtest-darwin-amd64 GOOS=darwin GOARCH=amd64 $(MAKE) release-binary + RELEASE_BINARY=setup-envtest-darwin-arm64 GOOS=darwin GOARCH=arm64 $(MAKE) release-binary + RELEASE_BINARY=setup-envtest-windows-amd64.exe GOOS=windows GOARCH=amd64 $(MAKE) release-binary + +.PHONY: release-binary +release-binary: $(RELEASE_DIR) + docker run \ + --rm \ + -e CGO_ENABLED=0 \ + -e GOOS=$(GOOS) \ + -e GOARCH=$(GOARCH) \ + -e GOCACHE=/tmp/ \ + --user $$(id -u):$$(id -g) \ + -v "$$(pwd):/workspace$(DOCKER_VOL_OPTS)" \ + -w /workspace/tools/setup-envtest \ + golang:$(GO_VERSION) \ + go build -a -trimpath -ldflags "-X 'sigs.k8s.io/controller-runtime/tools/setup-envtest/version.version=$(RELEASE_TAG)' -extldflags '-static'" \ + -o ./out/$(RELEASE_BINARY) ./ + +## -------------------------------------- +## Cleanup / Verification +## -------------------------------------- + +.PHONY: clean +clean: ## Cleanup. + $(GOLANGCI_LINT) cache clean + $(MAKE) clean-bin + +.PHONY: clean-bin +clean-bin: ## Remove all generated binaries. + rm -rf hack/tools/bin + +.PHONY: clean-release +clean-release: ## Remove the release folder + rm -rf $(RELEASE_DIR) + +.PHONY: verify-modules +verify-modules: modules $(GO_MOD_CHECK) ## Verify go modules are up to date + @if !(git diff --quiet HEAD -- go.sum go.mod $(TOOLS_DIR)/go.mod $(TOOLS_DIR)/go.sum $(ENVTEST_DIR)/go.mod $(ENVTEST_DIR)/go.sum $(SCRATCH_ENV_DIR)/go.sum); then \ + git diff; \ + echo "go module files are out of date, please run 'make modules'"; exit 1; \ + fi + $(GO_MOD_CHECK) $(GO_MOD_CHECK_IGNORE) + +APIDIFF_OLD_COMMIT ?= $(shell git rev-parse origin/main) + +.PHONY: apidiff +verify-apidiff: $(GO_APIDIFF) ## Check for API differences + $(GO_APIDIFF) $(APIDIFF_OLD_COMMIT) --print-compatible + +## -------------------------------------- +## Helpers +## -------------------------------------- + +##@ helpers: + +go-version: ## Print the go version we use to compile our binaries and images + @echo $(GO_VERSION) diff --git a/vendor/sigs.k8s.io/controller-runtime/OWNERS b/vendor/sigs.k8s.io/controller-runtime/OWNERS new file mode 100644 index 0000000000..9f2d296e4c --- /dev/null +++ b/vendor/sigs.k8s.io/controller-runtime/OWNERS @@ -0,0 +1,11 @@ +# See the OWNERS docs: https://git.k8s.io/community/contributors/guide/owners.md + +approvers: + - controller-runtime-admins + - controller-runtime-maintainers + - controller-runtime-approvers +reviewers: + - controller-runtime-admins + - controller-runtime-maintainers + - controller-runtime-approvers + - controller-runtime-reviewers diff --git a/vendor/sigs.k8s.io/controller-runtime/OWNERS_ALIASES b/vendor/sigs.k8s.io/controller-runtime/OWNERS_ALIASES new file mode 100644 index 0000000000..5f5b2b66d5 --- /dev/null +++ b/vendor/sigs.k8s.io/controller-runtime/OWNERS_ALIASES @@ -0,0 +1,37 @@ +# See the OWNERS docs: https://git.k8s.io/community/contributors/guide/owners.md + +aliases: + # active folks who can be contacted to perform admin-related + # tasks on the repo, or otherwise approve any PRS. + controller-runtime-admins: + - vincepri + - joelanford + + # non-admin folks who have write-access and can approve any PRs in the repo + controller-runtime-maintainers: + - alvaroaleman + - joelanford + - sbueringer + - vincepri + + # non-admin folks who can approve any PRs in the repo + controller-runtime-approvers: + - fillzpp + + # folks who can review and LGTM any PRs in the repo (doesn't + # include approvers & admins -- those count too via the OWNERS + # file) + controller-runtime-reviewers: + - varshaprasad96 + - inteon + - JoelSpeed + - troy0820 + + # folks who may have context on ancient history, + # but are no longer directly involved + controller-runtime-emeritus-maintainers: + - directxman12 + controller-runtime-emeritus-admins: + - droot + - mengqiy + - pwittrock diff --git a/vendor/sigs.k8s.io/controller-runtime/README.md b/vendor/sigs.k8s.io/controller-runtime/README.md new file mode 100644 index 0000000000..20f7fd817b --- /dev/null +++ b/vendor/sigs.k8s.io/controller-runtime/README.md @@ -0,0 +1,85 @@ +[![Go Report Card](https://goreportcard.com/badge/sigs.k8s.io/controller-runtime)](https://goreportcard.com/report/sigs.k8s.io/controller-runtime) +[![godoc](https://pkg.go.dev/badge/sigs.k8s.io/controller-runtime)](https://pkg.go.dev/sigs.k8s.io/controller-runtime) + +# Kubernetes controller-runtime Project + +The Kubernetes controller-runtime Project is a set of go libraries for building +Controllers. It is leveraged by [Kubebuilder](https://book.kubebuilder.io/) and +[Operator SDK](https://github.com/operator-framework/operator-sdk). Both are +a great place to start for new projects. See +[Kubebuilder's Quick Start](https://book.kubebuilder.io/quick-start.html) to +see how it can be used. + +Documentation: + +- [Package overview](https://pkg.go.dev/sigs.k8s.io/controller-runtime/pkg) +- [Basic controller using builder](https://pkg.go.dev/sigs.k8s.io/controller-runtime/pkg/builder#example-Builder) +- [Creating a manager](https://pkg.go.dev/sigs.k8s.io/controller-runtime/pkg/manager#example-New) +- [Creating a controller](https://pkg.go.dev/sigs.k8s.io/controller-runtime/pkg/controller#example-New) +- [Examples](https://github.com/kubernetes-sigs/controller-runtime/blob/main/examples) +- [Designs](https://github.com/kubernetes-sigs/controller-runtime/blob/main/designs) + +# Versioning, Maintenance, and Compatibility + +The full documentation can be found at [VERSIONING.md](VERSIONING.md), but TL;DR: + +Users: + +- We follow [Semantic Versioning (semver)](https://semver.org) +- Use releases with your dependency management to ensure that you get compatible code +- The main branch contains all the latest code, some of which may break compatibility (so "normal" `go get` is not recommended) + +Contributors: + +- All code PR must be labeled with :bug: (patch fixes), :sparkles: (backwards-compatible features), or :warning: (breaking changes) +- Breaking changes will find their way into the next major release, other changes will go into an semi-immediate patch or minor release +- For a quick PR template suggesting the right information, use one of these PR templates: + * [Breaking Changes/Features](/.github/PULL_REQUEST_TEMPLATE/breaking_change.md) + * [Backwards-Compatible Features](/.github/PULL_REQUEST_TEMPLATE/compat_feature.md) + * [Bug fixes](/.github/PULL_REQUEST_TEMPLATE/bug_fix.md) + * [Documentation Changes](/.github/PULL_REQUEST_TEMPLATE/docs.md) + * [Test/Build/Other Changes](/.github/PULL_REQUEST_TEMPLATE/other.md) + +## Compatibility + +Every minor version of controller-runtime has been tested with a specific minor version of client-go. A controller-runtime minor version *may* be compatible with +other client-go minor versions, but this is by chance and neither supported nor tested. In general, we create one minor version of controller-runtime +for each minor version of client-go and other k8s.io/* dependencies. + +The minimum Go version of controller-runtime is the highest minimum Go version of our Go dependencies. Usually, this will +be identical to the minimum Go version of the corresponding k8s.io/* dependencies. + +Compatible k8s.io/*, client-go and minimum Go versions can be looked up in our [go.mod](go.mod) file. + +| | k8s.io/*, client-go | minimum Go version | +|----------|:-------------------:|:------------------:| +| CR v0.21 | v0.33 | 1.24 | +| CR v0.20 | v0.32 | 1.23 | +| CR v0.19 | v0.31 | 1.22 | +| CR v0.18 | v0.30 | 1.22 | +| CR v0.17 | v0.29 | 1.21 | +| CR v0.16 | v0.28 | 1.20 | +| CR v0.15 | v0.27 | 1.20 | + +## FAQ + +See [FAQ.md](FAQ.md) + +## Community, discussion, contribution, and support + +Learn how to engage with the Kubernetes community on the [community page](http://kubernetes.io/community/). + +You can reach the maintainers of this project at: + +- Slack channel: [#controller-runtime](https://kubernetes.slack.com/archives/C02MRBMN00Z) +- Google Group: [kubebuilder@googlegroups.com](https://groups.google.com/forum/#!forum/kubebuilder) + +## Contributing + +Contributions are greatly appreciated. The maintainers actively manage the issues list, and try to highlight issues suitable for newcomers. +The project follows the typical GitHub pull request model. See [CONTRIBUTING.md](CONTRIBUTING.md) for more details. +Before starting any work, please either comment on an existing issue, or file a new one. + +## Code of conduct + +Participation in the Kubernetes community is governed by the [Kubernetes Code of Conduct](code-of-conduct.md). diff --git a/vendor/sigs.k8s.io/controller-runtime/RELEASE.md b/vendor/sigs.k8s.io/controller-runtime/RELEASE.md new file mode 100644 index 0000000000..2a857b976e --- /dev/null +++ b/vendor/sigs.k8s.io/controller-runtime/RELEASE.md @@ -0,0 +1,51 @@ +# Release Process + +The Kubernetes controller-runtime Project is released on an as-needed basis. The process is as follows: + +**Note:** Releases are done from the `release-MAJOR.MINOR` branches. For PATCH releases is not required +to create a new branch you will just need to ensure that all big fixes are cherry-picked into the respective +`release-MAJOR.MINOR` branch. To know more about versioning check https://semver.org/. + +## How to do a release + +### Create the new branch and the release tag + +1. Create a new branch `git checkout -b release-` from main +2. Push the new branch to the remote repository + +### Now, let's generate the changelog + +1. Create the changelog from the new branch `release-` (`git checkout release-`). +You will need to use the [kubebuilder-release-tools][kubebuilder-release-tools] to generate the notes. See [here][release-notes-generation] + +> **Note** +> - You will need to have checkout locally from the remote repository the previous branch +> - Also, ensure that you fetch all tags from the remote `git fetch --all --tags` + +### Draft a new release from GitHub + +1. Create a new tag with the correct version from the new `release-` branch +2. Add the changelog on it and publish. Now, the code source is released ! + +### Add a new Prow test the for the new branch release + +1. Create a new prow test under [github.com/kubernetes/test-infra/tree/master/config/jobs/kubernetes-sigs/controller-runtime](https://github.com/kubernetes/test-infra/tree/master/config/jobs/kubernetes-sigs/controller-runtime) +for the new `release-` branch. (i.e. for the `0.11.0` release see the PR: https://github.com/kubernetes/test-infra/pull/25205) +2. Ping the infra PR in the controller-runtime slack channel for reviews. + +### Announce the new release: + +1. Publish on the Slack channel the new release, i.e: + +```` +:announce: Controller-Runtime v0.12.0 has been released! +This release includes a Kubernetes dependency bump to v1.24. +For more info, see the release page: https://github.com/kubernetes-sigs/controller-runtime/releases. + :tada: Thanks to all our contributors! +```` + +2. An announcement email is sent to `kubebuilder@googlegroups.com` with the subject `[ANNOUNCE] Controller-Runtime $VERSION is released` + +[kubebuilder-release-tools]: https://github.com/kubernetes-sigs/kubebuilder-release-tools +[release-notes-generation]: https://github.com/kubernetes-sigs/kubebuilder-release-tools/blob/master/README.md#release-notes-generation +[release-process]: https://github.com/kubernetes-sigs/kubebuilder/blob/master/VERSIONING.md#releasing diff --git a/vendor/sigs.k8s.io/controller-runtime/SECURITY_CONTACTS b/vendor/sigs.k8s.io/controller-runtime/SECURITY_CONTACTS new file mode 100644 index 0000000000..9c5241c6b4 --- /dev/null +++ b/vendor/sigs.k8s.io/controller-runtime/SECURITY_CONTACTS @@ -0,0 +1,15 @@ +# Defined below are the security contacts for this repo. +# +# They are the contact point for the Product Security Team to reach out +# to for triaging and handling of incoming issues. +# +# The below names agree to abide by the +# [Embargo Policy](https://github.com/kubernetes/sig-release/blob/master/security-release-process-documentation/security-release-process.md#embargo-policy) +# and will be removed and replaced if they violate that agreement. +# +# DO NOT REPORT SECURITY VULNERABILITIES DIRECTLY TO THESE NAMES, FOLLOW THE +# INSTRUCTIONS AT https://kubernetes.io/security/ + +alvaroaleman +sbueringer +vincepri diff --git a/vendor/sigs.k8s.io/controller-runtime/TMP-LOGGING.md b/vendor/sigs.k8s.io/controller-runtime/TMP-LOGGING.md new file mode 100644 index 0000000000..97e091fd48 --- /dev/null +++ b/vendor/sigs.k8s.io/controller-runtime/TMP-LOGGING.md @@ -0,0 +1,169 @@ +Logging Guidelines +================== + +controller-runtime uses a kind of logging called *structured logging*. If +you've used a library like Zap or logrus before, you'll be familiar with +the concepts we use. If you've only used a logging library like the "log" +package (in the Go standard library) or "glog" (in Kubernetes), you'll +need to adjust how you think about logging a bit. + +### Getting Started With Structured Logging + +With structured logging, we associate a *constant* log message with some +variable key-value pairs. For instance, suppose we wanted to log that we +were starting reconciliation on a pod. In the Go standard library logger, +we might write: + +```go +log.Printf("starting reconciliation for pod %s/%s", podNamespace, podName) +``` + +In controller-runtime, we'd instead write: + +```go +logger.Info("starting reconciliation", "pod", req.NamespacedName) +``` + +or even write + +```go +func (r *Reconciler) Reconcile(req reconcile.Request) (reconcile.Response, error) { + logger := logger.WithValues("pod", req.NamespacedName) + // do some stuff + logger.Info("starting reconciliation") +} +``` + +Notice how we've broken out the information that we want to convey into +a constant message (`"starting reconciliation"`) and some key-value pairs +that convey variable information (`"pod", req.NamespacedName`). We've +there-by added "structure" to our logs, which makes them easier to save +and search later, as well as correlate with metrics and events. + +All of controller-runtime's logging is done via +[logr](https://github.com/go-logr/logr), a generic interface for +structured logging. You can use whichever logging library you want to +implement the actual mechanics of the logging. controller-runtime +provides some helpers to make it easy to use +[Zap](https://go.uber.org/zap) as the implementation. + +You can configure the logging implementation using +`"sigs.k8s.io/controller-runtime/pkg/log".SetLogger`. That +package also contains the convenience functions for setting up Zap. + +You can get a handle to the "root" logger using +`"sigs.k8s.io/controller-runtime/pkg/log".Log`, and can then call +`WithName` to create individual named loggers. You can call `WithName` +repeatedly to chain names together: + +```go +logger := log.Log.WithName("controller").WithName("replicaset") +// in reconcile... +logger = logger.WithValues("replicaset", req.NamespacedName) +// later on in reconcile... +logger.Info("doing things with pods", "pod", newPod) +``` + +As seen above, you can also call `WithValue` to create a new sub-logger +that always attaches some key-value pairs to a logger. + +Finally, you can use `V(1)` to mark a particular log line as "debug" logs: + +```go +logger.V(1).Info("this is particularly verbose!", "state of the world", +allKubernetesObjectsEverywhere) +``` + +While it's possible to use higher log levels, it's recommended that you +stick with `V(1)` or `V(0)` (which is equivalent to not specifying `V`), +and then filter later based on key-value pairs or messages; different +numbers tend to lose meaning easily over time, and you'll be left +wondering why particular logs lines are at `V(5)` instead of `V(7)`. + +## Logging errors + +Errors should *always* be logged with `log.Error`, which allows logr +implementations to provide special handling of errors (for instance, +providing stack traces in debug mode). + +It's acceptable to log call `log.Error` with a nil error object. This +conveys that an error occurred in some capacity, but that no actual +`error` object was involved. + +Errors returned by the `Reconcile` implementation of the `Reconciler` interface are commonly logged as a `Reconciler error`. +It's a developer choice to create an additional error log in the `Reconcile` implementation so a more specific file name and line for the error are returned. + +## Logging messages + +- Don't put variable content in your messages -- use key-value pairs for + that. Never use `fmt.Sprintf` in your message. + +- Try to match the terminology in your messages with your key-value pairs + -- for instance, if you have a key-value pairs `api version`, use the + term `APIVersion` instead of `GroupVersion` in your message. + +## Logging Kubernetes Objects + +Kubernetes objects should be logged directly, like `log.Info("this is +a Kubernetes object", "pod", somePod)`. controller-runtime provides +a special encoder for Zap that will transform Kubernetes objects into +`name, namespace, apiVersion, kind` objects, when available and not in +development mode. Other logr implementations should implement similar +logic. + +## Logging Structured Values (Key-Value pairs) + +- Use lower-case, space separated keys. For example `object` for objects, + `api version` for `APIVersion` + +- Be consistent across your application, and with controller-runtime when + possible. + +- Try to be brief but descriptive. + +- Match terminology in keys with terminology in the message. + +- Be careful logging non-Kubernetes objects verbatim if they're very + large. + +### Groups, Versions, and Kinds + +- Kinds should not be logged alone (they're meaningless alone). Use + a `GroupKind` object to log them instead, or a `GroupVersionKind` when + version is relevant. + +- If you need to log an API version string, use `api version` as the key + (formatted as with a `GroupVersion`, or as received directly from API + discovery). + +### Objects and Types + +- If code works with a generic Kubernetes `runtime.Object`, use the + `object` key. For specific objects, prefer the resource name as the key + (e.g. `pod` for `v1.Pod` objects). + +- For non-Kubernetes objects, the `object` key may also be used, if you + accept a generic interface. + +- When logging a raw type, log it using the `type` key, with a value of + `fmt.Sprintf("%T", typ)` + +- If there's specific context around a type, the key may be more specific, + but should end with `type` -- for instance, `OwnerType` should be logged + as `owner` in the context of `log.Error(err, "Could not get ObjectKinds + for OwnerType", `owner type`, fmt.Sprintf("%T"))`. When possible, favor + communicating kind instead. + +### Multiple things + +- When logging multiple things, simply pluralize the key. + +### controller-runtime Specifics + +- Reconcile requests should be logged as `request`, although normal code + should favor logging the key. + +- Reconcile keys should be logged as with the same key as if you were + logging the object directly (e.g. `log.Info("reconciling pod", "pod", + req.NamespacedName)`). This ends up having a similar effect to logging + the object directly. diff --git a/vendor/sigs.k8s.io/controller-runtime/VERSIONING.md b/vendor/sigs.k8s.io/controller-runtime/VERSIONING.md new file mode 100644 index 0000000000..2c0f2f9b2d --- /dev/null +++ b/vendor/sigs.k8s.io/controller-runtime/VERSIONING.md @@ -0,0 +1,30 @@ +# Versioning and Branching in controller-runtime + +We follow the [common KubeBuilder versioning guidelines][guidelines], and +use the corresponding tooling. + +For the purposes of the aforementioned guidelines, controller-runtime +counts as a "library project", but otherwise follows the guidelines +exactly. + +[guidelines]: https://sigs.k8s.io/kubebuilder-release-tools/VERSIONING.md + +## Compatibility and Release Support + +For release branches, we generally tend to support backporting one (1) +major release (`release-{X-1}` or `release-0.{Y-1}`), but may go back +further if the need arises and is very pressing (e.g. security updates). + +### Dependency Support + +Note the [guidelines on dependency versions][dep-versions]. Particularly: + +- We **DO** guarantee Kubernetes REST API compatibility -- if a given + version of controller-runtime stops working with what should be + a supported version of Kubernetes, this is almost certainly a bug. + +- We **DO NOT** guarantee any particular compatibility matrix between + kubernetes library dependencies (client-go, apimachinery, etc); Such + compatibility is infeasible due to the way those libraries are versioned. + +[dep-versions]: https://sigs.k8s.io/kubebuilder-release-tools/VERSIONING.md#kubernetes-version-compatibility diff --git a/vendor/sigs.k8s.io/controller-runtime/alias.go b/vendor/sigs.k8s.io/controller-runtime/alias.go new file mode 100644 index 0000000000..01ba012dcc --- /dev/null +++ b/vendor/sigs.k8s.io/controller-runtime/alias.go @@ -0,0 +1,157 @@ +/* +Copyright 2018 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package controllerruntime + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime/schema" + "sigs.k8s.io/controller-runtime/pkg/builder" + "sigs.k8s.io/controller-runtime/pkg/client/config" + "sigs.k8s.io/controller-runtime/pkg/controller/controllerutil" + "sigs.k8s.io/controller-runtime/pkg/log" + "sigs.k8s.io/controller-runtime/pkg/manager" + "sigs.k8s.io/controller-runtime/pkg/manager/signals" + "sigs.k8s.io/controller-runtime/pkg/reconcile" + "sigs.k8s.io/controller-runtime/pkg/scheme" +) + +// Builder builds an Application ControllerManagedBy (e.g. Operator) and returns a manager.Manager to start it. +type Builder = builder.Builder + +// Request contains the information necessary to reconcile a Kubernetes object. This includes the +// information to uniquely identify the object - its Name and Namespace. It does NOT contain information about +// any specific Event or the object contents itself. +type Request = reconcile.Request + +// Result contains the result of a Reconciler invocation. +type Result = reconcile.Result + +// Manager initializes shared dependencies such as Caches and Clients, and provides them to Runnables. +// A Manager is required to create Controllers. +type Manager = manager.Manager + +// Options are the arguments for creating a new Manager. +type Options = manager.Options + +// SchemeBuilder builds a new Scheme for mapping go types to Kubernetes GroupVersionKinds. +type SchemeBuilder = scheme.Builder + +// GroupVersion contains the "group" and the "version", which uniquely identifies the API. +type GroupVersion = schema.GroupVersion + +// GroupResource specifies a Group and a Resource, but does not force a version. This is useful for identifying +// concepts during lookup stages without having partially valid types. +type GroupResource = schema.GroupResource + +// TypeMeta describes an individual object in an API response or request +// with strings representing the type of the object and its API schema version. +// Structures that are versioned or persisted should inline TypeMeta. +// +// +k8s:deepcopy-gen=false +type TypeMeta = metav1.TypeMeta + +// ObjectMeta is metadata that all persisted resources must have, which includes all objects +// users must create. +type ObjectMeta = metav1.ObjectMeta + +var ( + // RegisterFlags registers flag variables to the given FlagSet if not already registered. + // It uses the default command line FlagSet, if none is provided. Currently, it only registers the kubeconfig flag. + RegisterFlags = config.RegisterFlags + + // GetConfigOrDie creates a *rest.Config for talking to a Kubernetes apiserver. + // If --kubeconfig is set, will use the kubeconfig file at that location. Otherwise will assume running + // in cluster and use the cluster provided kubeconfig. + // + // The returned `*rest.Config` has client-side ratelimting disabled as we can rely on API priority and + // fairness. Set its QPS to a value equal or bigger than 0 to re-enable it. + // + // Will log an error and exit if there is an error creating the rest.Config. + GetConfigOrDie = config.GetConfigOrDie + + // GetConfig creates a *rest.Config for talking to a Kubernetes apiserver. + // If --kubeconfig is set, will use the kubeconfig file at that location. Otherwise will assume running + // in cluster and use the cluster provided kubeconfig. + // + // The returned `*rest.Config` has client-side ratelimting disabled as we can rely on API priority and + // fairness. Set its QPS to a value equal or bigger than 0 to re-enable it. + // + // Config precedence + // + // * --kubeconfig flag pointing at a file + // + // * KUBECONFIG environment variable pointing at a file + // + // * In-cluster config if running in cluster + // + // * $HOME/.kube/config if exists. + GetConfig = config.GetConfig + + // NewControllerManagedBy returns a new controller builder that will be started by the provided Manager. + NewControllerManagedBy = builder.ControllerManagedBy + + // NewWebhookManagedBy returns a new webhook builder that will be started by the provided Manager. + NewWebhookManagedBy = builder.WebhookManagedBy + + // NewManager returns a new Manager for creating Controllers. + // Note that if ContentType in the given config is not set, "application/vnd.kubernetes.protobuf" + // will be used for all built-in resources of Kubernetes, and "application/json" is for other types + // including all CRD resources. + NewManager = manager.New + + // CreateOrUpdate creates or updates the given object obj in the Kubernetes + // cluster. The object's desired state should be reconciled with the existing + // state using the passed in ReconcileFn. obj must be a struct pointer so that + // obj can be updated with the content returned by the Server. + // + // It returns the executed operation and an error. + CreateOrUpdate = controllerutil.CreateOrUpdate + + // SetControllerReference sets owner as a Controller OwnerReference on owned. + // This is used for garbage collection of the owned object and for + // reconciling the owner object on changes to owned (with a Watch + EnqueueRequestForOwner). + // Since only one OwnerReference can be a controller, it returns an error if + // there is another OwnerReference with Controller flag set. + SetControllerReference = controllerutil.SetControllerReference + + // SetupSignalHandler registers for SIGTERM and SIGINT. A context is returned + // which is canceled on one of these signals. If a second signal is caught, the program + // is terminated with exit code 1. + SetupSignalHandler = signals.SetupSignalHandler + + // Log is the base logger used by controller-runtime. It delegates + // to another logr.Logger. You *must* call SetLogger to + // get any actual logging. + Log = log.Log + + // LoggerFrom returns a logger with predefined values from a context.Context. + // The logger, when used with controllers, can be expected to contain basic information about the object + // that's being reconciled like: + // - `reconciler group` and `reconciler kind` coming from the For(...) object passed in when building a controller. + // - `name` and `namespace` from the reconciliation request. + // + // This is meant to be used with the context supplied in a struct that satisfies the Reconciler interface. + LoggerFrom = log.FromContext + + // LoggerInto takes a context and sets the logger as one of its keys. + // + // This is meant to be used in reconcilers to enrich the logger within a context with additional values. + LoggerInto = log.IntoContext + + // SetLogger sets a concrete logging implementation for all deferred Loggers. + SetLogger = log.SetLogger +) diff --git a/vendor/sigs.k8s.io/controller-runtime/code-of-conduct.md b/vendor/sigs.k8s.io/controller-runtime/code-of-conduct.md new file mode 100644 index 0000000000..0d15c00cf3 --- /dev/null +++ b/vendor/sigs.k8s.io/controller-runtime/code-of-conduct.md @@ -0,0 +1,3 @@ +# Kubernetes Community Code of Conduct + +Please refer to our [Kubernetes Community Code of Conduct](https://git.k8s.io/community/code-of-conduct.md) diff --git a/vendor/sigs.k8s.io/controller-runtime/doc.go b/vendor/sigs.k8s.io/controller-runtime/doc.go new file mode 100644 index 0000000000..75d1d908c5 --- /dev/null +++ b/vendor/sigs.k8s.io/controller-runtime/doc.go @@ -0,0 +1,128 @@ +/* +Copyright 2018 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Package controllerruntime provides tools to construct Kubernetes-style +// controllers that manipulate both Kubernetes CRDs and aggregated/built-in +// Kubernetes APIs. +// +// It defines easy helpers for the common use cases when building CRDs, built +// on top of customizable layers of abstraction. Common cases should be easy, +// and uncommon cases should be possible. In general, controller-runtime tries +// to guide users towards Kubernetes controller best-practices. +// +// # Getting Started +// +// The main entrypoint for controller-runtime is this root package, which +// contains all of the common types needed to get started building controllers: +// +// import ( +// ctrl "sigs.k8s.io/controller-runtime" +// ) +// +// The examples in this package walk through a basic controller setup. The +// kubebuilder book (https://book.kubebuilder.io) has some more in-depth +// walkthroughs. +// +// controller-runtime favors structs with sane defaults over constructors, so +// it's fairly common to see structs being used directly in controller-runtime. +// +// # Organization +// +// A brief-ish walkthrough of the layout of this library can be found below. Each +// package contains more information about how to use it. +// +// Frequently asked questions about using controller-runtime and designing +// controllers can be found at +// https://github.com/kubernetes-sigs/controller-runtime/blob/main/FAQ.md. +// +// # Managers +// +// Every controller and webhook is ultimately run by a Manager (pkg/manager). A +// manager is responsible for running controllers and webhooks, and setting up +// common dependencies, like shared caches and clients, as +// well as managing leader election (pkg/leaderelection). Managers are +// generally configured to gracefully shut down controllers on pod termination +// by wiring up a signal handler (pkg/manager/signals). +// +// # Controllers +// +// Controllers (pkg/controller) use events (pkg/event) to eventually trigger +// reconcile requests. They may be constructed manually, but are often +// constructed with a Builder (pkg/builder), which eases the wiring of event +// sources (pkg/source), like Kubernetes API object changes, to event handlers +// (pkg/handler), like "enqueue a reconcile request for the object owner". +// Predicates (pkg/predicate) can be used to filter which events actually +// trigger reconciles. There are pre-written utilities for the common cases, and +// interfaces and helpers for advanced cases. +// +// # Reconcilers +// +// Controller logic is implemented in terms of Reconcilers (pkg/reconcile). A +// Reconciler implements a function which takes a reconcile Request containing +// the name and namespace of the object to reconcile, reconciles the object, +// and returns a Response or an error indicating whether to requeue for a +// second round of processing. +// +// # Clients and Caches +// +// Reconcilers use Clients (pkg/client) to access API objects. The default +// client provided by the manager reads from a local shared cache (pkg/cache) +// and writes directly to the API server, but clients can be constructed that +// only talk to the API server, without a cache. The Cache will auto-populate +// with watched objects, as well as when other structured objects are +// requested. The default split client does not promise to invalidate the cache +// during writes (nor does it promise sequential create/get coherence), and code +// should not assume a get immediately following a create/update will return +// the updated resource. Caches may also have indexes, which can be created via +// a FieldIndexer (pkg/client) obtained from the manager. Indexes can be used to +// quickly and easily look up all objects with certain fields set. Reconcilers +// may retrieve event recorders (pkg/recorder) to emit events using the +// manager. +// +// # Schemes +// +// Clients, Caches, and many other things in Kubernetes use Schemes +// (pkg/scheme) to associate Go types to Kubernetes API Kinds +// (Group-Version-Kinds, to be specific). +// +// # Webhooks +// +// Similarly, webhooks (pkg/webhook/admission) may be implemented directly, but +// are often constructed using a builder (pkg/webhook/admission/builder). They +// are run via a server (pkg/webhook) which is managed by a Manager. +// +// # Logging and Metrics +// +// Logging (pkg/log) in controller-runtime is done via structured logs, using a +// log set of interfaces called logr +// (https://pkg.go.dev/github.com/go-logr/logr). While controller-runtime +// provides easy setup for using Zap (https://go.uber.org/zap, pkg/log/zap), +// you can provide any implementation of logr as the base logger for +// controller-runtime. +// +// Metrics (pkg/metrics) provided by controller-runtime are registered into a +// controller-runtime-specific Prometheus metrics registry. The manager can +// serve these by an HTTP endpoint, and additional metrics may be registered to +// this Registry as normal. +// +// # Testing +// +// You can easily build integration and unit tests for your controllers and +// webhooks using the test Environment (pkg/envtest). This will automatically +// stand up a copy of etcd and kube-apiserver, and provide the correct options +// to connect to the API server. It's designed to work well with the Ginkgo +// testing framework, but should work with any testing setup. +package controllerruntime diff --git a/vendor/sigs.k8s.io/controller-runtime/pkg/builder/controller.go b/vendor/sigs.k8s.io/controller-runtime/pkg/builder/controller.go new file mode 100644 index 0000000000..6d906f6e52 --- /dev/null +++ b/vendor/sigs.k8s.io/controller-runtime/pkg/builder/controller.go @@ -0,0 +1,466 @@ +/* +Copyright 2018 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package builder + +import ( + "errors" + "fmt" + "reflect" + "strings" + + "github.com/go-logr/logr" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime/schema" + "k8s.io/klog/v2" + + "sigs.k8s.io/controller-runtime/pkg/client" + "sigs.k8s.io/controller-runtime/pkg/client/apiutil" + "sigs.k8s.io/controller-runtime/pkg/controller" + "sigs.k8s.io/controller-runtime/pkg/handler" + "sigs.k8s.io/controller-runtime/pkg/manager" + "sigs.k8s.io/controller-runtime/pkg/predicate" + "sigs.k8s.io/controller-runtime/pkg/reconcile" + "sigs.k8s.io/controller-runtime/pkg/source" +) + +// project represents other forms that we can use to +// send/receive a given resource (metadata-only, unstructured, etc). +type objectProjection int + +const ( + // projectAsNormal doesn't change the object from the form given. + projectAsNormal objectProjection = iota + // projectAsMetadata turns this into a metadata-only watch. + projectAsMetadata +) + +// Builder builds a Controller. +type Builder = TypedBuilder[reconcile.Request] + +// TypedBuilder builds a Controller. The request is the request type +// that is passed to the workqueue and then to the Reconciler. +// The workqueue de-duplicates identical requests. +type TypedBuilder[request comparable] struct { + forInput ForInput + ownsInput []OwnsInput + rawSources []source.TypedSource[request] + watchesInput []WatchesInput[request] + mgr manager.Manager + globalPredicates []predicate.Predicate + ctrl controller.TypedController[request] + ctrlOptions controller.TypedOptions[request] + name string + newController func(name string, mgr manager.Manager, options controller.TypedOptions[request]) (controller.TypedController[request], error) +} + +// ControllerManagedBy returns a new controller builder that will be started by the provided Manager. +func ControllerManagedBy(m manager.Manager) *Builder { + return TypedControllerManagedBy[reconcile.Request](m) +} + +// TypedControllerManagedBy returns a new typed controller builder that will be started by the provided Manager. +func TypedControllerManagedBy[request comparable](m manager.Manager) *TypedBuilder[request] { + return &TypedBuilder[request]{mgr: m} +} + +// ForInput represents the information set by the For method. +type ForInput struct { + object client.Object + predicates []predicate.Predicate + objectProjection objectProjection + err error +} + +// For defines the type of Object being *reconciled*, and configures the ControllerManagedBy to respond to create / delete / +// update events by *reconciling the object*. +// +// This is the equivalent of calling +// Watches(source.Kind(cache, &Type{}, &handler.EnqueueRequestForObject{})). +func (blder *TypedBuilder[request]) For(object client.Object, opts ...ForOption) *TypedBuilder[request] { + if blder.forInput.object != nil { + blder.forInput.err = fmt.Errorf("For(...) should only be called once, could not assign multiple objects for reconciliation") + return blder + } + input := ForInput{object: object} + for _, opt := range opts { + opt.ApplyToFor(&input) + } + + blder.forInput = input + return blder +} + +// OwnsInput represents the information set by Owns method. +type OwnsInput struct { + matchEveryOwner bool + object client.Object + predicates []predicate.Predicate + objectProjection objectProjection +} + +// Owns defines types of Objects being *generated* by the ControllerManagedBy, and configures the ControllerManagedBy to respond to +// create / delete / update events by *reconciling the owner object*. +// +// The default behavior reconciles only the first controller-type OwnerReference of the given type. +// Use Owns(object, builder.MatchEveryOwner) to reconcile all owners. +// +// By default, this is the equivalent of calling +// Watches(source.Kind(cache, &Type{}, handler.EnqueueRequestForOwner([...], &OwnerType{}, OnlyControllerOwner()))). +func (blder *TypedBuilder[request]) Owns(object client.Object, opts ...OwnsOption) *TypedBuilder[request] { + input := OwnsInput{object: object} + for _, opt := range opts { + opt.ApplyToOwns(&input) + } + + blder.ownsInput = append(blder.ownsInput, input) + return blder +} + +type untypedWatchesInput interface { + setPredicates([]predicate.Predicate) + setObjectProjection(objectProjection) +} + +// WatchesInput represents the information set by Watches method. +type WatchesInput[request comparable] struct { + obj client.Object + handler handler.TypedEventHandler[client.Object, request] + predicates []predicate.Predicate + objectProjection objectProjection +} + +func (w *WatchesInput[request]) setPredicates(predicates []predicate.Predicate) { + w.predicates = predicates +} + +func (w *WatchesInput[request]) setObjectProjection(objectProjection objectProjection) { + w.objectProjection = objectProjection +} + +// Watches defines the type of Object to watch, and configures the ControllerManagedBy to respond to create / delete / +// update events by *reconciling the object* with the given EventHandler. +// +// This is the equivalent of calling +// WatchesRawSource(source.Kind(cache, object, eventHandler, predicates...)). +func (blder *TypedBuilder[request]) Watches( + object client.Object, + eventHandler handler.TypedEventHandler[client.Object, request], + opts ...WatchesOption, +) *TypedBuilder[request] { + input := WatchesInput[request]{ + obj: object, + handler: eventHandler, + } + for _, opt := range opts { + opt.ApplyToWatches(&input) + } + + blder.watchesInput = append(blder.watchesInput, input) + + return blder +} + +// WatchesMetadata is the same as Watches, but forces the internal cache to only watch PartialObjectMetadata. +// +// This is useful when watching lots of objects, really big objects, or objects for which you only know +// the GVK, but not the structure. You'll need to pass metav1.PartialObjectMetadata to the client +// when fetching objects in your reconciler, otherwise you'll end up with a duplicate structured or unstructured cache. +// +// When watching a resource with metadata only, for example the v1.Pod, you should not Get and List using the v1.Pod type. +// Instead, you should use the special metav1.PartialObjectMetadata type. +// +// ⌠Incorrect: +// +// pod := &v1.Pod{} +// mgr.GetClient().Get(ctx, nsAndName, pod) +// +// ✅ Correct: +// +// pod := &metav1.PartialObjectMetadata{} +// pod.SetGroupVersionKind(schema.GroupVersionKind{ +// Group: "", +// Version: "v1", +// Kind: "Pod", +// }) +// mgr.GetClient().Get(ctx, nsAndName, pod) +// +// In the first case, controller-runtime will create another cache for the +// concrete type on top of the metadata cache; this increases memory +// consumption and leads to race conditions as caches are not in sync. +func (blder *TypedBuilder[request]) WatchesMetadata( + object client.Object, + eventHandler handler.TypedEventHandler[client.Object, request], + opts ...WatchesOption, +) *TypedBuilder[request] { + opts = append(opts, OnlyMetadata) + return blder.Watches(object, eventHandler, opts...) +} + +// WatchesRawSource exposes the lower-level ControllerManagedBy Watches functions through the builder. +// +// WatchesRawSource does not respect predicates configured through WithEventFilter. +// +// WatchesRawSource makes it possible to use typed handlers and predicates with `source.Kind` as well as custom source implementations. +func (blder *TypedBuilder[request]) WatchesRawSource(src source.TypedSource[request]) *TypedBuilder[request] { + blder.rawSources = append(blder.rawSources, src) + + return blder +} + +// WithEventFilter sets the event filters, to filter which create/update/delete/generic events eventually +// trigger reconciliations. For example, filtering on whether the resource version has changed. +// Given predicate is added for all watched objects and thus must be able to deal with the type +// of all watched objects. +// +// Defaults to the empty list. +func (blder *TypedBuilder[request]) WithEventFilter(p predicate.Predicate) *TypedBuilder[request] { + blder.globalPredicates = append(blder.globalPredicates, p) + return blder +} + +// WithOptions overrides the controller options used in doController. Defaults to empty. +func (blder *TypedBuilder[request]) WithOptions(options controller.TypedOptions[request]) *TypedBuilder[request] { + blder.ctrlOptions = options + return blder +} + +// WithLogConstructor overrides the controller options's LogConstructor. +func (blder *TypedBuilder[request]) WithLogConstructor(logConstructor func(*request) logr.Logger) *TypedBuilder[request] { + blder.ctrlOptions.LogConstructor = logConstructor + return blder +} + +// Named sets the name of the controller to the given name. The name shows up +// in metrics, among other things, and thus should be a prometheus compatible name +// (underscores and alphanumeric characters only). +// +// By default, controllers are named using the lowercase version of their kind. +// +// The name must be unique as it is used to identify the controller in metrics and logs. +func (blder *TypedBuilder[request]) Named(name string) *TypedBuilder[request] { + blder.name = name + return blder +} + +// Complete builds the Application Controller. +func (blder *TypedBuilder[request]) Complete(r reconcile.TypedReconciler[request]) error { + _, err := blder.Build(r) + return err +} + +// Build builds the Application Controller and returns the Controller it created. +func (blder *TypedBuilder[request]) Build(r reconcile.TypedReconciler[request]) (controller.TypedController[request], error) { + if r == nil { + return nil, fmt.Errorf("must provide a non-nil Reconciler") + } + if blder.mgr == nil { + return nil, fmt.Errorf("must provide a non-nil Manager") + } + if blder.forInput.err != nil { + return nil, blder.forInput.err + } + + // Set the ControllerManagedBy + if err := blder.doController(r); err != nil { + return nil, err + } + + // Set the Watch + if err := blder.doWatch(); err != nil { + return nil, err + } + + return blder.ctrl, nil +} + +func (blder *TypedBuilder[request]) project(obj client.Object, proj objectProjection) (client.Object, error) { + switch proj { + case projectAsNormal: + return obj, nil + case projectAsMetadata: + metaObj := &metav1.PartialObjectMetadata{} + gvk, err := apiutil.GVKForObject(obj, blder.mgr.GetScheme()) + if err != nil { + return nil, fmt.Errorf("unable to determine GVK of %T for a metadata-only watch: %w", obj, err) + } + metaObj.SetGroupVersionKind(gvk) + return metaObj, nil + default: + panic(fmt.Sprintf("unexpected projection type %v on type %T, should not be possible since this is an internal field", proj, obj)) + } +} + +func (blder *TypedBuilder[request]) doWatch() error { + // Reconcile type + if blder.forInput.object != nil { + obj, err := blder.project(blder.forInput.object, blder.forInput.objectProjection) + if err != nil { + return err + } + + if reflect.TypeFor[request]() != reflect.TypeOf(reconcile.Request{}) { + return fmt.Errorf("For() can only be used with reconcile.Request, got %T", *new(request)) + } + + var hdler handler.TypedEventHandler[client.Object, request] + reflect.ValueOf(&hdler).Elem().Set(reflect.ValueOf(&handler.EnqueueRequestForObject{})) + allPredicates := append([]predicate.Predicate(nil), blder.globalPredicates...) + allPredicates = append(allPredicates, blder.forInput.predicates...) + src := source.TypedKind(blder.mgr.GetCache(), obj, hdler, allPredicates...) + if err := blder.ctrl.Watch(src); err != nil { + return err + } + } + + // Watches the managed types + if len(blder.ownsInput) > 0 && blder.forInput.object == nil { + return errors.New("Owns() can only be used together with For()") + } + for _, own := range blder.ownsInput { + obj, err := blder.project(own.object, own.objectProjection) + if err != nil { + return err + } + opts := []handler.OwnerOption{} + if !own.matchEveryOwner { + opts = append(opts, handler.OnlyControllerOwner()) + } + + var hdler handler.TypedEventHandler[client.Object, request] + reflect.ValueOf(&hdler).Elem().Set(reflect.ValueOf(handler.EnqueueRequestForOwner( + blder.mgr.GetScheme(), blder.mgr.GetRESTMapper(), + blder.forInput.object, + opts..., + ))) + allPredicates := append([]predicate.Predicate(nil), blder.globalPredicates...) + allPredicates = append(allPredicates, own.predicates...) + src := source.TypedKind(blder.mgr.GetCache(), obj, hdler, allPredicates...) + if err := blder.ctrl.Watch(src); err != nil { + return err + } + } + + // Do the watch requests + if len(blder.watchesInput) == 0 && blder.forInput.object == nil && len(blder.rawSources) == 0 { + return errors.New("there are no watches configured, controller will never get triggered. Use For(), Owns(), Watches() or WatchesRawSource() to set them up") + } + for _, w := range blder.watchesInput { + projected, err := blder.project(w.obj, w.objectProjection) + if err != nil { + return fmt.Errorf("failed to project for %T: %w", w.obj, err) + } + allPredicates := append([]predicate.Predicate(nil), blder.globalPredicates...) + allPredicates = append(allPredicates, w.predicates...) + if err := blder.ctrl.Watch(source.TypedKind(blder.mgr.GetCache(), projected, w.handler, allPredicates...)); err != nil { + return err + } + } + for _, src := range blder.rawSources { + if err := blder.ctrl.Watch(src); err != nil { + return err + } + } + return nil +} + +func (blder *TypedBuilder[request]) getControllerName(gvk schema.GroupVersionKind, hasGVK bool) (string, error) { + if blder.name != "" { + return blder.name, nil + } + if !hasGVK { + return "", errors.New("one of For() or Named() must be called") + } + return strings.ToLower(gvk.Kind), nil +} + +func (blder *TypedBuilder[request]) doController(r reconcile.TypedReconciler[request]) error { + globalOpts := blder.mgr.GetControllerOptions() + + ctrlOptions := blder.ctrlOptions + if ctrlOptions.Reconciler != nil && r != nil { + return errors.New("reconciler was set via WithOptions() and via Build() or Complete()") + } + if ctrlOptions.Reconciler == nil { + ctrlOptions.Reconciler = r + } + + // Retrieve the GVK from the object we're reconciling + // to pre-populate logger information, and to optionally generate a default name. + var gvk schema.GroupVersionKind + hasGVK := blder.forInput.object != nil + if hasGVK { + var err error + gvk, err = apiutil.GVKForObject(blder.forInput.object, blder.mgr.GetScheme()) + if err != nil { + return err + } + } + + // Setup concurrency. + if ctrlOptions.MaxConcurrentReconciles == 0 && hasGVK { + groupKind := gvk.GroupKind().String() + + if concurrency, ok := globalOpts.GroupKindConcurrency[groupKind]; ok && concurrency > 0 { + ctrlOptions.MaxConcurrentReconciles = concurrency + } + } + + // Setup cache sync timeout. + if ctrlOptions.CacheSyncTimeout == 0 && globalOpts.CacheSyncTimeout > 0 { + ctrlOptions.CacheSyncTimeout = globalOpts.CacheSyncTimeout + } + + controllerName, err := blder.getControllerName(gvk, hasGVK) + if err != nil { + return err + } + + // Setup the logger. + if ctrlOptions.LogConstructor == nil { + log := blder.mgr.GetLogger().WithValues( + "controller", controllerName, + ) + if hasGVK { + log = log.WithValues( + "controllerGroup", gvk.Group, + "controllerKind", gvk.Kind, + ) + } + + ctrlOptions.LogConstructor = func(in *request) logr.Logger { + log := log + + if req, ok := any(in).(*reconcile.Request); ok && req != nil { + if hasGVK { + log = log.WithValues(gvk.Kind, klog.KRef(req.Namespace, req.Name)) + } + log = log.WithValues( + "namespace", req.Namespace, "name", req.Name, + ) + } + return log + } + } + + if blder.newController == nil { + blder.newController = controller.NewTyped[request] + } + + // Build the controller and return. + blder.ctrl, err = blder.newController(controllerName, blder.mgr, ctrlOptions) + return err +} diff --git a/vendor/sigs.k8s.io/controller-runtime/pkg/builder/doc.go b/vendor/sigs.k8s.io/controller-runtime/pkg/builder/doc.go new file mode 100644 index 0000000000..e4df1b709f --- /dev/null +++ b/vendor/sigs.k8s.io/controller-runtime/pkg/builder/doc.go @@ -0,0 +1,28 @@ +/* +Copyright 2018 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Package builder wraps other controller-runtime libraries and exposes simple +// patterns for building common Controllers. +// +// Projects built with the builder package can trivially be rebased on top of the underlying +// packages if the project requires more customized behavior in the future. +package builder + +import ( + logf "sigs.k8s.io/controller-runtime/pkg/internal/log" +) + +var log = logf.RuntimeLog.WithName("builder") diff --git a/vendor/sigs.k8s.io/controller-runtime/pkg/builder/options.go b/vendor/sigs.k8s.io/controller-runtime/pkg/builder/options.go new file mode 100644 index 0000000000..b907b5d020 --- /dev/null +++ b/vendor/sigs.k8s.io/controller-runtime/pkg/builder/options.go @@ -0,0 +1,156 @@ +/* +Copyright 2018 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package builder + +import ( + "sigs.k8s.io/controller-runtime/pkg/predicate" +) + +// {{{ "Functional" Option Interfaces + +// ForOption is some configuration that modifies options for a For request. +type ForOption interface { + // ApplyToFor applies this configuration to the given for input. + ApplyToFor(*ForInput) +} + +// OwnsOption is some configuration that modifies options for an owns request. +type OwnsOption interface { + // ApplyToOwns applies this configuration to the given owns input. + ApplyToOwns(*OwnsInput) +} + +// WatchesOption is some configuration that modifies options for a watches request. +type WatchesOption interface { + // ApplyToWatches applies this configuration to the given watches options. + ApplyToWatches(untypedWatchesInput) +} + +// }}} + +// {{{ Multi-Type Options + +// WithPredicates sets the given predicates list. +func WithPredicates(predicates ...predicate.Predicate) Predicates { + return Predicates{ + predicates: predicates, + } +} + +// Predicates filters events before enqueuing the keys. +type Predicates struct { + predicates []predicate.Predicate +} + +// ApplyToFor applies this configuration to the given ForInput options. +func (w Predicates) ApplyToFor(opts *ForInput) { + opts.predicates = w.predicates +} + +// ApplyToOwns applies this configuration to the given OwnsInput options. +func (w Predicates) ApplyToOwns(opts *OwnsInput) { + opts.predicates = w.predicates +} + +// ApplyToWatches applies this configuration to the given WatchesInput options. +func (w Predicates) ApplyToWatches(opts untypedWatchesInput) { + opts.setPredicates(w.predicates) +} + +var _ ForOption = &Predicates{} +var _ OwnsOption = &Predicates{} +var _ WatchesOption = &Predicates{} + +// }}} + +// {{{ For & Owns Dual-Type options + +// projectAs configures the projection on the input. +// Currently only OnlyMetadata is supported. We might want to expand +// this to arbitrary non-special local projections in the future. +type projectAs objectProjection + +// ApplyToFor applies this configuration to the given ForInput options. +func (p projectAs) ApplyToFor(opts *ForInput) { + opts.objectProjection = objectProjection(p) +} + +// ApplyToOwns applies this configuration to the given OwnsInput options. +func (p projectAs) ApplyToOwns(opts *OwnsInput) { + opts.objectProjection = objectProjection(p) +} + +// ApplyToWatches applies this configuration to the given WatchesInput options. +func (p projectAs) ApplyToWatches(opts untypedWatchesInput) { + opts.setObjectProjection(objectProjection(p)) +} + +var ( + // OnlyMetadata tells the controller to *only* cache metadata, and to watch + // the API server in metadata-only form. This is useful when watching + // lots of objects, really big objects, or objects for which you only know + // the GVK, but not the structure. You'll need to pass + // metav1.PartialObjectMetadata to the client when fetching objects in your + // reconciler, otherwise you'll end up with a duplicate structured or + // unstructured cache. + // + // When watching a resource with OnlyMetadata, for example the v1.Pod, you + // should not Get and List using the v1.Pod type. Instead, you should use + // the special metav1.PartialObjectMetadata type. + // + // ⌠Incorrect: + // + // pod := &v1.Pod{} + // mgr.GetClient().Get(ctx, nsAndName, pod) + // + // ✅ Correct: + // + // pod := &metav1.PartialObjectMetadata{} + // pod.SetGroupVersionKind(schema.GroupVersionKind{ + // Group: "", + // Version: "v1", + // Kind: "Pod", + // }) + // mgr.GetClient().Get(ctx, nsAndName, pod) + // + // In the first case, controller-runtime will create another cache for the + // concrete type on top of the metadata cache; this increases memory + // consumption and leads to race conditions as caches are not in sync. + OnlyMetadata = projectAs(projectAsMetadata) + + _ ForOption = OnlyMetadata + _ OwnsOption = OnlyMetadata + _ WatchesOption = OnlyMetadata +) + +// }}} + +// MatchEveryOwner determines whether the watch should be filtered based on +// controller ownership. As in, when the OwnerReference.Controller field is set. +// +// If passed as an option, +// the handler receives notification for every owner of the object with the given type. +// If unset (default), the handler receives notification only for the first +// OwnerReference with `Controller: true`. +var MatchEveryOwner = &matchEveryOwner{} + +type matchEveryOwner struct{} + +// ApplyToOwns applies this configuration to the given OwnsInput options. +func (o matchEveryOwner) ApplyToOwns(opts *OwnsInput) { + opts.matchEveryOwner = true +} diff --git a/vendor/sigs.k8s.io/controller-runtime/pkg/builder/webhook.go b/vendor/sigs.k8s.io/controller-runtime/pkg/builder/webhook.go new file mode 100644 index 0000000000..8ec6d58fda --- /dev/null +++ b/vendor/sigs.k8s.io/controller-runtime/pkg/builder/webhook.go @@ -0,0 +1,331 @@ +/* +Copyright 2019 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package builder + +import ( + "errors" + "net/http" + "net/url" + "regexp" + "strings" + + "github.com/go-logr/logr" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/runtime/schema" + "k8s.io/client-go/rest" + "k8s.io/klog/v2" + + "sigs.k8s.io/controller-runtime/pkg/client/apiutil" + "sigs.k8s.io/controller-runtime/pkg/manager" + "sigs.k8s.io/controller-runtime/pkg/webhook/admission" + "sigs.k8s.io/controller-runtime/pkg/webhook/conversion" +) + +// WebhookBuilder builds a Webhook. +type WebhookBuilder struct { + apiType runtime.Object + customDefaulter admission.CustomDefaulter + customDefaulterOpts []admission.DefaulterOption + customValidator admission.CustomValidator + customPath string + customValidatorCustomPath string + customDefaulterCustomPath string + gvk schema.GroupVersionKind + mgr manager.Manager + config *rest.Config + recoverPanic *bool + logConstructor func(base logr.Logger, req *admission.Request) logr.Logger + err error +} + +// WebhookManagedBy returns a new webhook builder. +func WebhookManagedBy(m manager.Manager) *WebhookBuilder { + return &WebhookBuilder{mgr: m} +} + +// TODO(droot): update the GoDoc for conversion. + +// For takes a runtime.Object which should be a CR. +// If the given object implements the admission.Defaulter interface, a MutatingWebhook will be wired for this type. +// If the given object implements the admission.Validator interface, a ValidatingWebhook will be wired for this type. +func (blder *WebhookBuilder) For(apiType runtime.Object) *WebhookBuilder { + if blder.apiType != nil { + blder.err = errors.New("For(...) should only be called once, could not assign multiple objects for webhook registration") + } + blder.apiType = apiType + return blder +} + +// WithDefaulter takes an admission.CustomDefaulter interface, a MutatingWebhook with the provided opts (admission.DefaulterOption) +// will be wired for this type. +func (blder *WebhookBuilder) WithDefaulter(defaulter admission.CustomDefaulter, opts ...admission.DefaulterOption) *WebhookBuilder { + blder.customDefaulter = defaulter + blder.customDefaulterOpts = opts + return blder +} + +// WithValidator takes a admission.CustomValidator interface, a ValidatingWebhook will be wired for this type. +func (blder *WebhookBuilder) WithValidator(validator admission.CustomValidator) *WebhookBuilder { + blder.customValidator = validator + return blder +} + +// WithLogConstructor overrides the webhook's LogConstructor. +func (blder *WebhookBuilder) WithLogConstructor(logConstructor func(base logr.Logger, req *admission.Request) logr.Logger) *WebhookBuilder { + blder.logConstructor = logConstructor + return blder +} + +// RecoverPanic indicates whether panics caused by the webhook should be recovered. +// Defaults to true. +func (blder *WebhookBuilder) RecoverPanic(recoverPanic bool) *WebhookBuilder { + blder.recoverPanic = &recoverPanic + return blder +} + +// WithCustomPath overrides the webhook's default path by the customPath +// Deprecated: WithCustomPath should not be used anymore. +// Please use WithValidatorCustomPath or WithDefaulterCustomPath instead. +func (blder *WebhookBuilder) WithCustomPath(customPath string) *WebhookBuilder { + blder.customPath = customPath + return blder +} + +// WithValidatorCustomPath overrides the path of the Validator. +func (blder *WebhookBuilder) WithValidatorCustomPath(customPath string) *WebhookBuilder { + blder.customValidatorCustomPath = customPath + return blder +} + +// WithDefaulterCustomPath overrides the path of the Defaulter. +func (blder *WebhookBuilder) WithDefaulterCustomPath(customPath string) *WebhookBuilder { + blder.customDefaulterCustomPath = customPath + return blder +} + +// Complete builds the webhook. +func (blder *WebhookBuilder) Complete() error { + // Set the Config + blder.loadRestConfig() + + // Configure the default LogConstructor + blder.setLogConstructor() + + // Set the Webhook if needed + return blder.registerWebhooks() +} + +func (blder *WebhookBuilder) loadRestConfig() { + if blder.config == nil { + blder.config = blder.mgr.GetConfig() + } +} + +func (blder *WebhookBuilder) setLogConstructor() { + if blder.logConstructor == nil { + blder.logConstructor = func(base logr.Logger, req *admission.Request) logr.Logger { + log := base.WithValues( + "webhookGroup", blder.gvk.Group, + "webhookKind", blder.gvk.Kind, + ) + if req != nil { + return log.WithValues( + blder.gvk.Kind, klog.KRef(req.Namespace, req.Name), + "namespace", req.Namespace, "name", req.Name, + "resource", req.Resource, "user", req.UserInfo.Username, + "requestID", req.UID, + ) + } + return log + } + } +} + +func (blder *WebhookBuilder) isThereCustomPathConflict() bool { + return (blder.customPath != "" && blder.customDefaulter != nil && blder.customValidator != nil) || (blder.customPath != "" && blder.customDefaulterCustomPath != "") || (blder.customPath != "" && blder.customValidatorCustomPath != "") +} + +func (blder *WebhookBuilder) registerWebhooks() error { + typ, err := blder.getType() + if err != nil { + return err + } + + blder.gvk, err = apiutil.GVKForObject(typ, blder.mgr.GetScheme()) + if err != nil { + return err + } + + if blder.isThereCustomPathConflict() { + return errors.New("only one of CustomDefaulter or CustomValidator should be set when using WithCustomPath. Otherwise, WithDefaulterCustomPath() and WithValidatorCustomPath() should be used") + } + if blder.customPath != "" { + // isThereCustomPathConflict() already checks for potential conflicts. + // Since we are sure that only one of customDefaulter or customValidator will be used, + // we can set both customDefaulterCustomPath and validatingCustomPath. + blder.customDefaulterCustomPath = blder.customPath + blder.customValidatorCustomPath = blder.customPath + } + + // Register webhook(s) for type + err = blder.registerDefaultingWebhook() + if err != nil { + return err + } + + err = blder.registerValidatingWebhook() + if err != nil { + return err + } + + err = blder.registerConversionWebhook() + if err != nil { + return err + } + return blder.err +} + +// registerDefaultingWebhook registers a defaulting webhook if necessary. +func (blder *WebhookBuilder) registerDefaultingWebhook() error { + mwh := blder.getDefaultingWebhook() + if mwh != nil { + mwh.LogConstructor = blder.logConstructor + path := generateMutatePath(blder.gvk) + if blder.customDefaulterCustomPath != "" { + generatedCustomPath, err := generateCustomPath(blder.customDefaulterCustomPath) + if err != nil { + return err + } + path = generatedCustomPath + } + + // Checking if the path is already registered. + // If so, just skip it. + if !blder.isAlreadyHandled(path) { + log.Info("Registering a mutating webhook", + "GVK", blder.gvk, + "path", path) + blder.mgr.GetWebhookServer().Register(path, mwh) + } + } + + return nil +} + +func (blder *WebhookBuilder) getDefaultingWebhook() *admission.Webhook { + if defaulter := blder.customDefaulter; defaulter != nil { + w := admission.WithCustomDefaulter(blder.mgr.GetScheme(), blder.apiType, defaulter, blder.customDefaulterOpts...) + if blder.recoverPanic != nil { + w = w.WithRecoverPanic(*blder.recoverPanic) + } + return w + } + return nil +} + +// registerValidatingWebhook registers a validating webhook if necessary. +func (blder *WebhookBuilder) registerValidatingWebhook() error { + vwh := blder.getValidatingWebhook() + if vwh != nil { + vwh.LogConstructor = blder.logConstructor + path := generateValidatePath(blder.gvk) + if blder.customValidatorCustomPath != "" { + generatedCustomPath, err := generateCustomPath(blder.customValidatorCustomPath) + if err != nil { + return err + } + path = generatedCustomPath + } + + // Checking if the path is already registered. + // If so, just skip it. + if !blder.isAlreadyHandled(path) { + log.Info("Registering a validating webhook", + "GVK", blder.gvk, + "path", path) + blder.mgr.GetWebhookServer().Register(path, vwh) + } + } + + return nil +} + +func (blder *WebhookBuilder) getValidatingWebhook() *admission.Webhook { + if validator := blder.customValidator; validator != nil { + w := admission.WithCustomValidator(blder.mgr.GetScheme(), blder.apiType, validator) + if blder.recoverPanic != nil { + w = w.WithRecoverPanic(*blder.recoverPanic) + } + return w + } + return nil +} + +func (blder *WebhookBuilder) registerConversionWebhook() error { + ok, err := conversion.IsConvertible(blder.mgr.GetScheme(), blder.apiType) + if err != nil { + log.Error(err, "conversion check failed", "GVK", blder.gvk) + return err + } + if ok { + if !blder.isAlreadyHandled("/convert") { + blder.mgr.GetWebhookServer().Register("/convert", conversion.NewWebhookHandler(blder.mgr.GetScheme())) + } + log.Info("Conversion webhook enabled", "GVK", blder.gvk) + } + + return nil +} + +func (blder *WebhookBuilder) getType() (runtime.Object, error) { + if blder.apiType != nil { + return blder.apiType, nil + } + return nil, errors.New("For() must be called with a valid object") +} + +func (blder *WebhookBuilder) isAlreadyHandled(path string) bool { + if blder.mgr.GetWebhookServer().WebhookMux() == nil { + return false + } + h, p := blder.mgr.GetWebhookServer().WebhookMux().Handler(&http.Request{URL: &url.URL{Path: path}}) + if p == path && h != nil { + return true + } + return false +} + +func generateMutatePath(gvk schema.GroupVersionKind) string { + return "/mutate-" + strings.ReplaceAll(gvk.Group, ".", "-") + "-" + + gvk.Version + "-" + strings.ToLower(gvk.Kind) +} + +func generateValidatePath(gvk schema.GroupVersionKind) string { + return "/validate-" + strings.ReplaceAll(gvk.Group, ".", "-") + "-" + + gvk.Version + "-" + strings.ToLower(gvk.Kind) +} + +const webhookPathStringValidation = `^((/[a-zA-Z0-9-_]+)+|/)$` + +var validWebhookPathRegex = regexp.MustCompile(webhookPathStringValidation) + +func generateCustomPath(customPath string) (string, error) { + if !validWebhookPathRegex.MatchString(customPath) { + return "", errors.New("customPath \"" + customPath + "\" does not match this regex: " + webhookPathStringValidation) + } + return customPath, nil +} diff --git a/vendor/sigs.k8s.io/controller-runtime/pkg/controller/controllerutil/controllerutil.go b/vendor/sigs.k8s.io/controller-runtime/pkg/controller/controllerutil/controllerutil.go new file mode 100644 index 0000000000..0088f88e5d --- /dev/null +++ b/vendor/sigs.k8s.io/controller-runtime/pkg/controller/controllerutil/controllerutil.go @@ -0,0 +1,540 @@ +/* +Copyright 2018 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package controllerutil + +import ( + "context" + "fmt" + "reflect" + + "k8s.io/apimachinery/pkg/api/equality" + apierrors "k8s.io/apimachinery/pkg/api/errors" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/runtime/schema" + "k8s.io/utils/ptr" + + "sigs.k8s.io/controller-runtime/pkg/client" + "sigs.k8s.io/controller-runtime/pkg/client/apiutil" +) + +// AlreadyOwnedError is an error returned if the object you are trying to assign +// a controller reference is already owned by another controller Object is the +// subject and Owner is the reference for the current owner. +type AlreadyOwnedError struct { + Object metav1.Object + Owner metav1.OwnerReference +} + +func (e *AlreadyOwnedError) Error() string { + return fmt.Sprintf("Object %s/%s is already owned by another %s controller %s", e.Object.GetNamespace(), e.Object.GetName(), e.Owner.Kind, e.Owner.Name) +} + +func newAlreadyOwnedError(obj metav1.Object, owner metav1.OwnerReference) *AlreadyOwnedError { + return &AlreadyOwnedError{ + Object: obj, + Owner: owner, + } +} + +// OwnerReferenceOption is a function that can modify a `metav1.OwnerReference`. +type OwnerReferenceOption func(*metav1.OwnerReference) + +// WithBlockOwnerDeletion allows configuring the BlockOwnerDeletion field on the `metav1.OwnerReference`. +func WithBlockOwnerDeletion(blockOwnerDeletion bool) OwnerReferenceOption { + return func(ref *metav1.OwnerReference) { + ref.BlockOwnerDeletion = &blockOwnerDeletion + } +} + +// SetControllerReference sets owner as a Controller OwnerReference on controlled. +// This is used for garbage collection of the controlled object and for +// reconciling the owner object on changes to controlled (with a Watch + EnqueueRequestForOwner). +// Since only one OwnerReference can be a controller, it returns an error if +// there is another OwnerReference with Controller flag set. +func SetControllerReference(owner, controlled metav1.Object, scheme *runtime.Scheme, opts ...OwnerReferenceOption) error { + // Validate the owner. + ro, ok := owner.(runtime.Object) + if !ok { + return fmt.Errorf("%T is not a runtime.Object, cannot call SetControllerReference", owner) + } + if err := validateOwner(owner, controlled); err != nil { + return err + } + + // Create a new controller ref. + gvk, err := apiutil.GVKForObject(ro, scheme) + if err != nil { + return err + } + ref := metav1.OwnerReference{ + APIVersion: gvk.GroupVersion().String(), + Kind: gvk.Kind, + Name: owner.GetName(), + UID: owner.GetUID(), + BlockOwnerDeletion: ptr.To(true), + Controller: ptr.To(true), + } + for _, opt := range opts { + opt(&ref) + } + + // Return early with an error if the object is already controlled. + if existing := metav1.GetControllerOf(controlled); existing != nil && !referSameObject(*existing, ref) { + return newAlreadyOwnedError(controlled, *existing) + } + + // Update owner references and return. + upsertOwnerRef(ref, controlled) + return nil +} + +// SetOwnerReference is a helper method to make sure the given object contains an object reference to the object provided. +// This allows you to declare that owner has a dependency on the object without specifying it as a controller. +// If a reference to the same object already exists, it'll be overwritten with the newly provided version. +func SetOwnerReference(owner, object metav1.Object, scheme *runtime.Scheme, opts ...OwnerReferenceOption) error { + // Validate the owner. + ro, ok := owner.(runtime.Object) + if !ok { + return fmt.Errorf("%T is not a runtime.Object, cannot call SetOwnerReference", owner) + } + if err := validateOwner(owner, object); err != nil { + return err + } + + // Create a new owner ref. + gvk, err := apiutil.GVKForObject(ro, scheme) + if err != nil { + return err + } + ref := metav1.OwnerReference{ + APIVersion: gvk.GroupVersion().String(), + Kind: gvk.Kind, + UID: owner.GetUID(), + Name: owner.GetName(), + } + for _, opt := range opts { + opt(&ref) + } + + // Update owner references and return. + upsertOwnerRef(ref, object) + return nil +} + +// RemoveOwnerReference is a helper method to make sure the given object removes an owner reference to the object provided. +// This allows you to remove the owner to establish a new owner of the object in a subsequent call. +func RemoveOwnerReference(owner, object metav1.Object, scheme *runtime.Scheme) error { + owners := object.GetOwnerReferences() + length := len(owners) + if length < 1 { + return fmt.Errorf("%T does not have any owner references", object) + } + ro, ok := owner.(runtime.Object) + if !ok { + return fmt.Errorf("%T is not a runtime.Object, cannot call RemoveOwnerReference", owner) + } + gvk, err := apiutil.GVKForObject(ro, scheme) + if err != nil { + return err + } + + index := indexOwnerRef(owners, metav1.OwnerReference{ + APIVersion: gvk.GroupVersion().String(), + Name: owner.GetName(), + Kind: gvk.Kind, + }) + if index == -1 { + return fmt.Errorf("%T does not have an owner reference for %T", object, owner) + } + + owners = append(owners[:index], owners[index+1:]...) + object.SetOwnerReferences(owners) + return nil +} + +// HasControllerReference returns true if the object +// has an owner ref with controller equal to true +func HasControllerReference(object metav1.Object) bool { + owners := object.GetOwnerReferences() + for _, owner := range owners { + isTrue := owner.Controller + if owner.Controller != nil && *isTrue { + return true + } + } + return false +} + +// HasOwnerReference returns true if the owners list contains an owner reference +// that matches the object's group, kind, and name. +func HasOwnerReference(ownerRefs []metav1.OwnerReference, obj client.Object, scheme *runtime.Scheme) (bool, error) { + gvk, err := apiutil.GVKForObject(obj, scheme) + if err != nil { + return false, err + } + idx := indexOwnerRef(ownerRefs, metav1.OwnerReference{ + APIVersion: gvk.GroupVersion().String(), + Name: obj.GetName(), + Kind: gvk.Kind, + }) + return idx != -1, nil +} + +// RemoveControllerReference removes an owner reference where the controller +// equals true +func RemoveControllerReference(owner, object metav1.Object, scheme *runtime.Scheme) error { + if ok := HasControllerReference(object); !ok { + return fmt.Errorf("%T does not have a owner reference with controller equals true", object) + } + ro, ok := owner.(runtime.Object) + if !ok { + return fmt.Errorf("%T is not a runtime.Object, cannot call RemoveControllerReference", owner) + } + gvk, err := apiutil.GVKForObject(ro, scheme) + if err != nil { + return err + } + ownerRefs := object.GetOwnerReferences() + index := indexOwnerRef(ownerRefs, metav1.OwnerReference{ + APIVersion: gvk.GroupVersion().String(), + Name: owner.GetName(), + Kind: gvk.Kind, + }) + + if index == -1 { + return fmt.Errorf("%T does not have an controller reference for %T", object, owner) + } + + if ownerRefs[index].Controller == nil || !*ownerRefs[index].Controller { + return fmt.Errorf("%T owner is not the controller reference for %T", owner, object) + } + + ownerRefs = append(ownerRefs[:index], ownerRefs[index+1:]...) + object.SetOwnerReferences(ownerRefs) + return nil +} + +func upsertOwnerRef(ref metav1.OwnerReference, object metav1.Object) { + owners := object.GetOwnerReferences() + if idx := indexOwnerRef(owners, ref); idx == -1 { + owners = append(owners, ref) + } else { + owners[idx] = ref + } + object.SetOwnerReferences(owners) +} + +// indexOwnerRef returns the index of the owner reference in the slice if found, or -1. +func indexOwnerRef(ownerReferences []metav1.OwnerReference, ref metav1.OwnerReference) int { + for index, r := range ownerReferences { + if referSameObject(r, ref) { + return index + } + } + return -1 +} + +func validateOwner(owner, object metav1.Object) error { + ownerNs := owner.GetNamespace() + if ownerNs != "" { + objNs := object.GetNamespace() + if objNs == "" { + return fmt.Errorf("cluster-scoped resource must not have a namespace-scoped owner, owner's namespace %s", ownerNs) + } + if ownerNs != objNs { + return fmt.Errorf("cross-namespace owner references are disallowed, owner's namespace %s, obj's namespace %s", owner.GetNamespace(), object.GetNamespace()) + } + } + return nil +} + +// Returns true if a and b point to the same object. +func referSameObject(a, b metav1.OwnerReference) bool { + aGV, err := schema.ParseGroupVersion(a.APIVersion) + if err != nil { + return false + } + + bGV, err := schema.ParseGroupVersion(b.APIVersion) + if err != nil { + return false + } + return aGV.Group == bGV.Group && a.Kind == b.Kind && a.Name == b.Name +} + +// OperationResult is the action result of a CreateOrUpdate or CreateOrPatch call. +type OperationResult string + +const ( // They should complete the sentence "Deployment default/foo has been ..." + // OperationResultNone means that the resource has not been changed. + OperationResultNone OperationResult = "unchanged" + // OperationResultCreated means that a new resource is created. + OperationResultCreated OperationResult = "created" + // OperationResultUpdated means that an existing resource is updated. + OperationResultUpdated OperationResult = "updated" + // OperationResultUpdatedStatus means that an existing resource and its status is updated. + OperationResultUpdatedStatus OperationResult = "updatedStatus" + // OperationResultUpdatedStatusOnly means that only an existing status is updated. + OperationResultUpdatedStatusOnly OperationResult = "updatedStatusOnly" +) + +// CreateOrUpdate attempts to fetch the given object from the Kubernetes cluster. +// If the object didn't exist, MutateFn will be called, and it will be created. +// If the object did exist, MutateFn will be called, and if it changed the +// object, it will be updated. +// Otherwise, it will be left unchanged. +// The executed operation (and an error) will be returned. +// +// WARNING: If the MutateFn resets a value on obj that has a default value, +// CreateOrUpdate will *always* perform an update. This is because when the +// object is fetched from the API server, the value will have taken on the +// default value, and the check for equality will fail. For example, Deployments +// must have a Replicas value set. If the MutateFn sets a Deployment's Replicas +// to nil, then it will never match with the object returned from the API +// server, which defaults the value to 1. +// +// WARNING: CreateOrUpdate assumes that no values have been set on obj aside +// from the Name/Namespace. Values other than Name and Namespace that existed on +// obj may be overwritten by the corresponding values in the object returned +// from the Kubernetes API server. When this happens, the Update will not work +// as expected. +// +// Note: changes made by MutateFn to any sub-resource (status...), will be +// discarded. +func CreateOrUpdate(ctx context.Context, c client.Client, obj client.Object, f MutateFn) (OperationResult, error) { + key := client.ObjectKeyFromObject(obj) + if err := c.Get(ctx, key, obj); err != nil { + if !apierrors.IsNotFound(err) { + return OperationResultNone, err + } + if f != nil { + if err := mutate(f, key, obj); err != nil { + return OperationResultNone, err + } + } + + if err := c.Create(ctx, obj); err != nil { + return OperationResultNone, err + } + return OperationResultCreated, nil + } + + existing := obj.DeepCopyObject() + if f != nil { + if err := mutate(f, key, obj); err != nil { + return OperationResultNone, err + } + } + + if equality.Semantic.DeepEqual(existing, obj) { + return OperationResultNone, nil + } + + if err := c.Update(ctx, obj); err != nil { + return OperationResultNone, err + } + return OperationResultUpdated, nil +} + +// CreateOrPatch attempts to fetch the given object from the Kubernetes cluster. +// If the object didn't exist, MutateFn will be called, and it will be created. +// If the object did exist, MutateFn will be called, and if it changed the +// object, it will be patched. +// Otherwise, it will be left unchanged. +// The executed operation (and an error) will be returned. +// +// WARNING: If the MutateFn resets a value on obj that has a default value, +// CreateOrPatch will *always* perform a patch. This is because when the +// object is fetched from the API server, the value will have taken on the +// default value, and the check for equality will fail. +// For example, Deployments must have a Replicas value set. If the MutateFn sets +// a Deployment's Replicas to nil, then it will never match with the object +// returned from the API server, which defaults the value to 1. +// +// WARNING: CreateOrPatch assumes that no values have been set on obj aside +// from the Name/Namespace. Values other than Name and Namespace that existed on +// obj may be overwritten by the corresponding values in the object returned +// from the Kubernetes API server. When this happens, the Patch will not work +// as expected. +// +// Note: changes to any sub-resource other than status will be ignored. +// Changes to the status sub-resource will only be applied if the object +// already exist. To change the status on object creation, the easiest +// way is to requeue the object in the controller if OperationResult is +// OperationResultCreated +func CreateOrPatch(ctx context.Context, c client.Client, obj client.Object, f MutateFn) (OperationResult, error) { + key := client.ObjectKeyFromObject(obj) + if err := c.Get(ctx, key, obj); err != nil { + if !apierrors.IsNotFound(err) { + return OperationResultNone, err + } + if f != nil { + if err := mutate(f, key, obj); err != nil { + return OperationResultNone, err + } + } + if err := c.Create(ctx, obj); err != nil { + return OperationResultNone, err + } + return OperationResultCreated, nil + } + + // Create patches for the object and its possible status. + objPatch := client.MergeFrom(obj.DeepCopyObject().(client.Object)) + statusPatch := client.MergeFrom(obj.DeepCopyObject().(client.Object)) + + // Create a copy of the original object as well as converting that copy to + // unstructured data. + before, err := runtime.DefaultUnstructuredConverter.ToUnstructured(obj.DeepCopyObject()) + if err != nil { + return OperationResultNone, err + } + + // Attempt to extract the status from the resource for easier comparison later + beforeStatus, hasBeforeStatus, err := unstructured.NestedFieldCopy(before, "status") + if err != nil { + return OperationResultNone, err + } + + // If the resource contains a status then remove it from the unstructured + // copy to avoid unnecessary patching later. + if hasBeforeStatus { + unstructured.RemoveNestedField(before, "status") + } + + // Mutate the original object. + if f != nil { + if err := mutate(f, key, obj); err != nil { + return OperationResultNone, err + } + } + + // Convert the resource to unstructured to compare against our before copy. + after, err := runtime.DefaultUnstructuredConverter.ToUnstructured(obj) + if err != nil { + return OperationResultNone, err + } + + // Attempt to extract the status from the resource for easier comparison later + afterStatus, hasAfterStatus, err := unstructured.NestedFieldCopy(after, "status") + if err != nil { + return OperationResultNone, err + } + + // If the resource contains a status then remove it from the unstructured + // copy to avoid unnecessary patching later. + if hasAfterStatus { + unstructured.RemoveNestedField(after, "status") + } + + result := OperationResultNone + + if !reflect.DeepEqual(before, after) { + // Only issue a Patch if the before and after resources (minus status) differ + if err := c.Patch(ctx, obj, objPatch); err != nil { + return result, err + } + result = OperationResultUpdated + } + + if (hasBeforeStatus || hasAfterStatus) && !reflect.DeepEqual(beforeStatus, afterStatus) { + // Only issue a Status Patch if the resource has a status and the beforeStatus + // and afterStatus copies differ + if result == OperationResultUpdated { + // If Status was replaced by Patch before, set it to afterStatus + objectAfterPatch, err := runtime.DefaultUnstructuredConverter.ToUnstructured(obj) + if err != nil { + return result, err + } + if err = unstructured.SetNestedField(objectAfterPatch, afterStatus, "status"); err != nil { + return result, err + } + // If Status was replaced by Patch before, restore patched structure to the obj + if err = runtime.DefaultUnstructuredConverter.FromUnstructured(objectAfterPatch, obj); err != nil { + return result, err + } + } + if err := c.Status().Patch(ctx, obj, statusPatch); err != nil { + return result, err + } + if result == OperationResultUpdated { + result = OperationResultUpdatedStatus + } else { + result = OperationResultUpdatedStatusOnly + } + } + + return result, nil +} + +// mutate wraps a MutateFn and applies validation to its result. +func mutate(f MutateFn, key client.ObjectKey, obj client.Object) error { + if err := f(); err != nil { + return err + } + if newKey := client.ObjectKeyFromObject(obj); key != newKey { + return fmt.Errorf("MutateFn cannot mutate object name and/or object namespace") + } + return nil +} + +// MutateFn is a function which mutates the existing object into its desired state. +type MutateFn func() error + +// AddFinalizer accepts an Object and adds the provided finalizer if not present. +// It returns an indication of whether it updated the object's list of finalizers. +func AddFinalizer(o client.Object, finalizer string) (finalizersUpdated bool) { + f := o.GetFinalizers() + for _, e := range f { + if e == finalizer { + return false + } + } + o.SetFinalizers(append(f, finalizer)) + return true +} + +// RemoveFinalizer accepts an Object and removes the provided finalizer if present. +// It returns an indication of whether it updated the object's list of finalizers. +func RemoveFinalizer(o client.Object, finalizer string) (finalizersUpdated bool) { + f := o.GetFinalizers() + length := len(f) + + index := 0 + for i := 0; i < length; i++ { + if f[i] == finalizer { + continue + } + f[index] = f[i] + index++ + } + o.SetFinalizers(f[:index]) + return length != index +} + +// ContainsFinalizer checks an Object that the provided finalizer is present. +func ContainsFinalizer(o client.Object, finalizer string) bool { + f := o.GetFinalizers() + for _, e := range f { + if e == finalizer { + return true + } + } + return false +} diff --git a/vendor/sigs.k8s.io/controller-runtime/pkg/controller/controllerutil/doc.go b/vendor/sigs.k8s.io/controller-runtime/pkg/controller/controllerutil/doc.go new file mode 100644 index 0000000000..ab386b29cd --- /dev/null +++ b/vendor/sigs.k8s.io/controller-runtime/pkg/controller/controllerutil/doc.go @@ -0,0 +1,20 @@ +/* +Copyright 2018 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +/* +Package controllerutil contains utility functions for working with and implementing Controllers. +*/ +package controllerutil diff --git a/vendor/sigs.k8s.io/controller-runtime/pkg/conversion/conversion.go b/vendor/sigs.k8s.io/controller-runtime/pkg/conversion/conversion.go new file mode 100644 index 0000000000..da32ab48e4 --- /dev/null +++ b/vendor/sigs.k8s.io/controller-runtime/pkg/conversion/conversion.go @@ -0,0 +1,40 @@ +/* +Copyright 2019 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +/* +Package conversion provides interface definitions that an API Type needs to +implement for it to be supported by the generic conversion webhook handler +defined under pkg/webhook/conversion. +*/ +package conversion + +import "k8s.io/apimachinery/pkg/runtime" + +// Convertible defines capability of a type to convertible i.e. it can be converted to/from a hub type. +type Convertible interface { + runtime.Object + ConvertTo(dst Hub) error + ConvertFrom(src Hub) error +} + +// Hub marks that a given type is the hub type for conversion. This means that +// all conversions will first convert to the hub type, then convert from the hub +// type to the destination type. All types besides the hub type should implement +// Convertible. +type Hub interface { + runtime.Object + Hub() +} diff --git a/vendor/sigs.k8s.io/controller-runtime/pkg/webhook/conversion/conversion.go b/vendor/sigs.k8s.io/controller-runtime/pkg/webhook/conversion/conversion.go new file mode 100644 index 0000000000..249a364b38 --- /dev/null +++ b/vendor/sigs.k8s.io/controller-runtime/pkg/webhook/conversion/conversion.go @@ -0,0 +1,343 @@ +/* +Copyright 2019 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +/* +Package conversion provides implementation for CRD conversion webhook that implements handler for version conversion requests for types that are convertible. + +See pkg/conversion for interface definitions required to ensure an API Type is convertible. +*/ +package conversion + +import ( + "encoding/json" + "fmt" + "net/http" + + apix "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" + "k8s.io/apimachinery/pkg/api/meta" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/runtime/schema" + "sigs.k8s.io/controller-runtime/pkg/conversion" + logf "sigs.k8s.io/controller-runtime/pkg/log" +) + +var ( + log = logf.Log.WithName("conversion-webhook") +) + +func NewWebhookHandler(scheme *runtime.Scheme) http.Handler { + return &webhook{scheme: scheme, decoder: NewDecoder(scheme)} +} + +// webhook implements a CRD conversion webhook HTTP handler. +type webhook struct { + scheme *runtime.Scheme + decoder *Decoder +} + +// ensure Webhook implements http.Handler +var _ http.Handler = &webhook{} + +func (wh *webhook) ServeHTTP(w http.ResponseWriter, r *http.Request) { + convertReview := &apix.ConversionReview{} + err := json.NewDecoder(r.Body).Decode(convertReview) + if err != nil { + log.Error(err, "failed to read conversion request") + w.WriteHeader(http.StatusBadRequest) + return + } + + if convertReview.Request == nil { + log.Error(nil, "conversion request is nil") + w.WriteHeader(http.StatusBadRequest) + return + } + + // TODO(droot): may be move the conversion logic to a separate module to + // decouple it from the http layer ? + resp, err := wh.handleConvertRequest(convertReview.Request) + if err != nil { + log.Error(err, "failed to convert", "request", convertReview.Request.UID) + convertReview.Response = errored(err) + } else { + convertReview.Response = resp + } + convertReview.Response.UID = convertReview.Request.UID + convertReview.Request = nil + + err = json.NewEncoder(w).Encode(convertReview) + if err != nil { + log.Error(err, "failed to write response") + return + } +} + +// handles a version conversion request. +func (wh *webhook) handleConvertRequest(req *apix.ConversionRequest) (*apix.ConversionResponse, error) { + if req == nil { + return nil, fmt.Errorf("conversion request is nil") + } + var objects []runtime.RawExtension + + for _, obj := range req.Objects { + src, gvk, err := wh.decoder.Decode(obj.Raw) + if err != nil { + return nil, err + } + dst, err := wh.allocateDstObject(req.DesiredAPIVersion, gvk.Kind) + if err != nil { + return nil, err + } + err = wh.convertObject(src, dst) + if err != nil { + return nil, err + } + objects = append(objects, runtime.RawExtension{Object: dst}) + } + return &apix.ConversionResponse{ + UID: req.UID, + ConvertedObjects: objects, + Result: metav1.Status{ + Status: metav1.StatusSuccess, + }, + }, nil +} + +// convertObject will convert given a src object to dst object. +// Note(droot): couldn't find a way to reduce the cyclomatic complexity under 10 +// without compromising readability, so disabling gocyclo linter +func (wh *webhook) convertObject(src, dst runtime.Object) error { + srcGVK := src.GetObjectKind().GroupVersionKind() + dstGVK := dst.GetObjectKind().GroupVersionKind() + + if srcGVK.GroupKind() != dstGVK.GroupKind() { + return fmt.Errorf("src %T and dst %T does not belong to same API Group", src, dst) + } + + if srcGVK == dstGVK { + return fmt.Errorf("conversion is not allowed between same type %T", src) + } + + srcIsHub, dstIsHub := isHub(src), isHub(dst) + srcIsConvertible, dstIsConvertible := isConvertible(src), isConvertible(dst) + + switch { + case srcIsHub && dstIsConvertible: + return dst.(conversion.Convertible).ConvertFrom(src.(conversion.Hub)) + case dstIsHub && srcIsConvertible: + return src.(conversion.Convertible).ConvertTo(dst.(conversion.Hub)) + case srcIsConvertible && dstIsConvertible: + return wh.convertViaHub(src.(conversion.Convertible), dst.(conversion.Convertible)) + default: + return fmt.Errorf("%T is not convertible to %T", src, dst) + } +} + +func (wh *webhook) convertViaHub(src, dst conversion.Convertible) error { + hub, err := wh.getHub(src) + if err != nil { + return err + } + + if hub == nil { + return fmt.Errorf("%s does not have any Hub defined", src) + } + + err = src.ConvertTo(hub) + if err != nil { + return fmt.Errorf("%T failed to convert to hub version %T : %w", src, hub, err) + } + + err = dst.ConvertFrom(hub) + if err != nil { + return fmt.Errorf("%T failed to convert from hub version %T : %w", dst, hub, err) + } + + return nil +} + +// getHub returns an instance of the Hub for passed-in object's group/kind. +func (wh *webhook) getHub(obj runtime.Object) (conversion.Hub, error) { + gvks, err := objectGVKs(wh.scheme, obj) + if err != nil { + return nil, err + } + if len(gvks) == 0 { + return nil, fmt.Errorf("error retrieving gvks for object : %v", obj) + } + + var hub conversion.Hub + var hubFoundAlready bool + for _, gvk := range gvks { + instance, err := wh.scheme.New(gvk) + if err != nil { + return nil, fmt.Errorf("failed to allocate an instance for gvk %v: %w", gvk, err) + } + if val, isHub := instance.(conversion.Hub); isHub { + if hubFoundAlready { + return nil, fmt.Errorf("multiple hub version defined for %T", obj) + } + hubFoundAlready = true + hub = val + } + } + return hub, nil +} + +// allocateDstObject returns an instance for a given GVK. +func (wh *webhook) allocateDstObject(apiVersion, kind string) (runtime.Object, error) { + gvk := schema.FromAPIVersionAndKind(apiVersion, kind) + + obj, err := wh.scheme.New(gvk) + if err != nil { + return obj, err + } + + t, err := meta.TypeAccessor(obj) + if err != nil { + return obj, err + } + + t.SetAPIVersion(apiVersion) + t.SetKind(kind) + + return obj, nil +} + +// IsConvertible determines if given type is convertible or not. For a type +// to be convertible, the group-kind needs to have a Hub type defined and all +// non-hub types must be able to convert to/from Hub. +func IsConvertible(scheme *runtime.Scheme, obj runtime.Object) (bool, error) { + var hubs, spokes, nonSpokes []runtime.Object + + gvks, err := objectGVKs(scheme, obj) + if err != nil { + return false, err + } + if len(gvks) == 0 { + return false, fmt.Errorf("error retrieving gvks for object : %v", obj) + } + + for _, gvk := range gvks { + instance, err := scheme.New(gvk) + if err != nil { + return false, fmt.Errorf("failed to allocate an instance for gvk %v: %w", gvk, err) + } + + if isHub(instance) { + hubs = append(hubs, instance) + continue + } + + if !isConvertible(instance) { + nonSpokes = append(nonSpokes, instance) + continue + } + + spokes = append(spokes, instance) + } + + if len(gvks) == 1 { + return false, nil // single version + } + + if len(hubs) == 0 && len(spokes) == 0 { + // multiple version detected with no conversion implementation. This is + // true for multi-version built-in types. + return false, nil + } + + if len(hubs) == 1 && len(nonSpokes) == 0 { // convertible + return true, nil + } + + return false, PartialImplementationError{ + hubs: hubs, + nonSpokes: nonSpokes, + spokes: spokes, + } +} + +// objectGVKs returns all (Group,Version,Kind) for the Group/Kind of given object. +func objectGVKs(scheme *runtime.Scheme, obj runtime.Object) ([]schema.GroupVersionKind, error) { + // NB: we should not use `obj.GetObjectKind().GroupVersionKind()` to get the + // GVK here, since it is parsed from apiVersion and kind fields and it may + // return empty GVK if obj is an uninitialized object. + objGVKs, _, err := scheme.ObjectKinds(obj) + if err != nil { + return nil, err + } + if len(objGVKs) != 1 { + return nil, fmt.Errorf("expect to get only one GVK for %v", obj) + } + objGVK := objGVKs[0] + knownTypes := scheme.AllKnownTypes() + + var gvks []schema.GroupVersionKind + for gvk := range knownTypes { + if objGVK.GroupKind() == gvk.GroupKind() { + gvks = append(gvks, gvk) + } + } + return gvks, nil +} + +// PartialImplementationError represents an error due to partial conversion +// implementation such as hub without spokes, multiple hubs or spokes without hub. +type PartialImplementationError struct { + gvk schema.GroupVersionKind + hubs []runtime.Object + nonSpokes []runtime.Object + spokes []runtime.Object +} + +func (e PartialImplementationError) Error() string { + if len(e.hubs) == 0 { + return fmt.Sprintf("no hub defined for gvk %s", e.gvk) + } + if len(e.hubs) > 1 { + return fmt.Sprintf("multiple(%d) hubs defined for group-kind '%s' ", + len(e.hubs), e.gvk.GroupKind()) + } + if len(e.nonSpokes) > 0 { + return fmt.Sprintf("%d inconvertible types detected for group-kind '%s'", + len(e.nonSpokes), e.gvk.GroupKind()) + } + return "" +} + +// isHub determines if passed-in object is a Hub or not. +func isHub(obj runtime.Object) bool { + _, yes := obj.(conversion.Hub) + return yes +} + +// isConvertible determines if passed-in object is a convertible. +func isConvertible(obj runtime.Object) bool { + _, yes := obj.(conversion.Convertible) + return yes +} + +// helper to construct error response. +func errored(err error) *apix.ConversionResponse { + return &apix.ConversionResponse{ + Result: metav1.Status{ + Status: metav1.StatusFailure, + Message: err.Error(), + }, + } +} diff --git a/vendor/sigs.k8s.io/controller-runtime/pkg/webhook/conversion/decoder.go b/vendor/sigs.k8s.io/controller-runtime/pkg/webhook/conversion/decoder.go new file mode 100644 index 0000000000..b6bb8bd938 --- /dev/null +++ b/vendor/sigs.k8s.io/controller-runtime/pkg/webhook/conversion/decoder.go @@ -0,0 +1,50 @@ +/* +Copyright 2021 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package conversion + +import ( + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/runtime/schema" + "k8s.io/apimachinery/pkg/runtime/serializer" +) + +// Decoder knows how to decode the contents of a CRD version conversion +// request into a concrete object. +// TODO(droot): consider reusing decoder from admission pkg for this. +type Decoder struct { + codecs serializer.CodecFactory +} + +// NewDecoder creates a Decoder given the runtime.Scheme +func NewDecoder(scheme *runtime.Scheme) *Decoder { + if scheme == nil { + panic("scheme should never be nil") + } + return &Decoder{codecs: serializer.NewCodecFactory(scheme)} +} + +// Decode decodes the inlined object. +func (d *Decoder) Decode(content []byte) (runtime.Object, *schema.GroupVersionKind, error) { + deserializer := d.codecs.UniversalDeserializer() + return deserializer.Decode(content, nil, nil) +} + +// DecodeInto decodes the inlined object in the into the passed-in runtime.Object. +func (d *Decoder) DecodeInto(content []byte, into runtime.Object) error { + deserializer := d.codecs.UniversalDeserializer() + return runtime.DecodeInto(deserializer, content, into) +} diff --git a/vendor/sigs.k8s.io/json/internal/golang/encoding/json/decode.go b/vendor/sigs.k8s.io/json/internal/golang/encoding/json/decode.go index d538ac119b..3fe528bbf3 100644 --- a/vendor/sigs.k8s.io/json/internal/golang/encoding/json/decode.go +++ b/vendor/sigs.k8s.io/json/internal/golang/encoding/json/decode.go @@ -52,8 +52,8 @@ import ( // - bool, for JSON booleans // - float64, for JSON numbers // - string, for JSON strings -// - []interface{}, for JSON arrays -// - map[string]interface{}, for JSON objects +// - []any, for JSON arrays +// - map[string]any, for JSON objects // - nil for JSON null // // To unmarshal a JSON array into a slice, Unmarshal resets the slice length @@ -117,9 +117,6 @@ func Unmarshal(data []byte, v any, opts ...UnmarshalOpt) error { // The input can be assumed to be a valid encoding of // a JSON value. UnmarshalJSON must copy the JSON data // if it wishes to retain the data after returning. -// -// By convention, to approximate the behavior of [Unmarshal] itself, -// Unmarshalers implement UnmarshalJSON([]byte("null")) as a no-op. type Unmarshaler interface { UnmarshalJSON([]byte) error } @@ -132,7 +129,7 @@ type UnmarshalTypeError struct { Type reflect.Type // type of Go value it could not be assigned to Offset int64 // error occurred after reading Offset bytes Struct string // name of the struct type containing the field - Field string // the full path from root node to the field + Field string // the full path from root node to the field, include embedded struct } func (e *UnmarshalTypeError) Error() string { @@ -281,7 +278,11 @@ func (d *decodeState) addErrorContext(err error) error { switch err := err.(type) { case *UnmarshalTypeError: err.Struct = d.errorContext.Struct.Name() - err.Field = strings.Join(d.errorContext.FieldStack, ".") + fieldStack := d.errorContext.FieldStack + if err.Field != "" { + fieldStack = append(fieldStack, err.Field) + } + err.Field = strings.Join(fieldStack, ".") } } return err @@ -492,9 +493,9 @@ func indirect(v reflect.Value, decodingNull bool) (Unmarshaler, encoding.TextUnm } // Prevent infinite loop if v is an interface pointing to its own address: - // var v interface{} + // var v any // v = &v - if v.Elem().Kind() == reflect.Interface && v.Elem().Elem() == v { + if v.Elem().Kind() == reflect.Interface && v.Elem().Elem().Equal(v) { v = v.Elem() break } @@ -784,7 +785,10 @@ func (d *decodeState) object(v reflect.Value) error { } subv = v destring = f.quoted - for _, i := range f.index { + if d.errorContext == nil { + d.errorContext = new(errorContext) + } + for i, ind := range f.index { if subv.Kind() == reflect.Pointer { if subv.IsNil() { // If a struct embeds a pointer to an unexported type, @@ -804,13 +808,16 @@ func (d *decodeState) object(v reflect.Value) error { } subv = subv.Elem() } - subv = subv.Field(i) - } - if d.errorContext == nil { - d.errorContext = new(errorContext) + if i < len(f.index)-1 { + d.errorContext.FieldStack = append( + d.errorContext.FieldStack, + subv.Type().Field(ind).Name, + ) + } + subv = subv.Field(ind) } - d.errorContext.FieldStack = append(d.errorContext.FieldStack, f.name) d.errorContext.Struct = t + d.errorContext.FieldStack = append(d.errorContext.FieldStack, f.name) d.appendStrictFieldStackKey(f.name) } else if d.disallowUnknownFields { d.saveStrictError(d.newFieldError(unknownStrictErrType, string(key))) @@ -1118,7 +1125,7 @@ func (d *decodeState) literalStore(item []byte, v reflect.Value, fromQuoted bool // in an empty interface. They are not strictly necessary, // but they avoid the weight of reflection in this common case. -// valueInterface is like value but returns interface{} +// valueInterface is like value but returns any. func (d *decodeState) valueInterface() (val any) { switch d.opcode { default: @@ -1135,7 +1142,7 @@ func (d *decodeState) valueInterface() (val any) { return } -// arrayInterface is like array but returns []interface{}. +// arrayInterface is like array but returns []any. func (d *decodeState) arrayInterface() []any { origStrictFieldStackLen := len(d.strictFieldStack) defer func() { @@ -1170,7 +1177,7 @@ func (d *decodeState) arrayInterface() []any { return v } -// objectInterface is like object but returns map[string]interface{}. +// objectInterface is like object but returns map[string]any. func (d *decodeState) objectInterface() map[string]any { origStrictFieldStackLen := len(d.strictFieldStack) defer func() { diff --git a/vendor/sigs.k8s.io/json/internal/golang/encoding/json/encode.go b/vendor/sigs.k8s.io/json/internal/golang/encoding/json/encode.go index eb73bff58b..4e3a1a2f10 100644 --- a/vendor/sigs.k8s.io/json/internal/golang/encoding/json/encode.go +++ b/vendor/sigs.k8s.io/json/internal/golang/encoding/json/encode.go @@ -71,8 +71,8 @@ import ( // // The "omitempty" option specifies that the field should be omitted // from the encoding if the field has an empty value, defined as -// false, 0, a nil pointer, a nil interface value, and any empty array, -// slice, map, or string. +// false, 0, a nil pointer, a nil interface value, and any array, +// slice, map, or string of length zero. // // As a special case, if the field tag is "-", the field is always omitted. // Note that a field with name "-" can still be generated using the tag "-,". @@ -98,6 +98,17 @@ import ( // // Field appears in JSON as key "-". // Field int `json:"-,"` // +// The "omitzero" option specifies that the field should be omitted +// from the encoding if the field has a zero value, according to rules: +// +// 1) If the field type has an "IsZero() bool" method, that will be used to +// determine whether the value is zero. +// +// 2) Otherwise, the value is zero if it is the zero value for its type. +// +// If both "omitempty" and "omitzero" are specified, the field will be omitted +// if the value is either empty or zero (or both). +// // The "string" option signals that a field is stored as JSON inside a // JSON-encoded string. It applies only to fields of string, floating point, // integer, or boolean types. This extra level of encoding is sometimes used @@ -690,7 +701,8 @@ FieldLoop: fv = fv.Field(i) } - if f.omitEmpty && isEmptyValue(fv) { + if (f.omitEmpty && isEmptyValue(fv)) || + (f.omitZero && (f.isZero == nil && fv.IsZero() || (f.isZero != nil && f.isZero(fv)))) { continue } e.WriteByte(next) @@ -808,7 +820,7 @@ func (se sliceEncoder) encode(e *encodeState, v reflect.Value, opts encOpts) { // Here we use a struct to memorize the pointer to the first element of the slice // and its length. ptr := struct { - ptr interface{} // always an unsafe.Pointer, but avoids a dependency on package unsafe + ptr any // always an unsafe.Pointer, but avoids a dependency on package unsafe len int }{v.UnsafePointer(), v.Len()} if _, ok := e.ptrSeen[ptr]; ok { @@ -1039,11 +1051,19 @@ type field struct { index []int typ reflect.Type omitEmpty bool + omitZero bool + isZero func(reflect.Value) bool quoted bool encoder encoderFunc } +type isZeroer interface { + IsZero() bool +} + +var isZeroerType = reflect.TypeFor[isZeroer]() + // typeFields returns a list of fields that JSON should recognize for the given type. // The algorithm is breadth-first search over the set of structs to include - the top struct // and then any reachable anonymous structs. @@ -1135,6 +1155,7 @@ func typeFields(t reflect.Type) structFields { index: index, typ: ft, omitEmpty: opts.Contains("omitempty"), + omitZero: opts.Contains("omitzero"), quoted: quoted, } field.nameBytes = []byte(field.name) @@ -1144,6 +1165,40 @@ func typeFields(t reflect.Type) structFields { field.nameEscHTML = `"` + string(nameEscBuf) + `":` field.nameNonEsc = `"` + field.name + `":` + if field.omitZero { + t := sf.Type + // Provide a function that uses a type's IsZero method. + switch { + case t.Kind() == reflect.Interface && t.Implements(isZeroerType): + field.isZero = func(v reflect.Value) bool { + // Avoid panics calling IsZero on a nil interface or + // non-nil interface with nil pointer. + return v.IsNil() || + (v.Elem().Kind() == reflect.Pointer && v.Elem().IsNil()) || + v.Interface().(isZeroer).IsZero() + } + case t.Kind() == reflect.Pointer && t.Implements(isZeroerType): + field.isZero = func(v reflect.Value) bool { + // Avoid panics calling IsZero on nil pointer. + return v.IsNil() || v.Interface().(isZeroer).IsZero() + } + case t.Implements(isZeroerType): + field.isZero = func(v reflect.Value) bool { + return v.Interface().(isZeroer).IsZero() + } + case reflect.PointerTo(t).Implements(isZeroerType): + field.isZero = func(v reflect.Value) bool { + if !v.CanAddr() { + // Temporarily box v so we can take the address. + v2 := reflect.New(v.Type()).Elem() + v2.Set(v) + v = v2 + } + return v.Addr().Interface().(isZeroer).IsZero() + } + } + } + fields = append(fields, field) if count[f.typ] > 1 { // If there were multiple instances, add a second, diff --git a/vendor/sigs.k8s.io/json/internal/golang/encoding/json/stream.go b/vendor/sigs.k8s.io/json/internal/golang/encoding/json/stream.go index 48fc4d9453..cc2108b927 100644 --- a/vendor/sigs.k8s.io/json/internal/golang/encoding/json/stream.go +++ b/vendor/sigs.k8s.io/json/internal/golang/encoding/json/stream.go @@ -31,8 +31,8 @@ func NewDecoder(r io.Reader) *Decoder { return &Decoder{r: r} } -// UseNumber causes the Decoder to unmarshal a number into an interface{} as a -// [Number] instead of as a float64. +// UseNumber causes the Decoder to unmarshal a number into an +// interface value as a [Number] instead of as a float64. func (dec *Decoder) UseNumber() { dec.d.useNumber = true } // DisallowUnknownFields causes the Decoder to return an error when the destination diff --git a/vendor/sigs.k8s.io/kustomize/api/LICENSE b/vendor/sigs.k8s.io/kustomize/api/LICENSE new file mode 100644 index 0000000000..8dada3edaf --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/LICENSE @@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "{}" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright {yyyy} {name of copyright owner} + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/vendor/sigs.k8s.io/kustomize/api/filters/annotations/annotations.go b/vendor/sigs.k8s.io/kustomize/api/filters/annotations/annotations.go new file mode 100644 index 0000000000..4998f5a3e7 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/filters/annotations/annotations.go @@ -0,0 +1,52 @@ +// Copyright 2020 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package annotations + +import ( + "sigs.k8s.io/kustomize/api/filters/filtersutil" + "sigs.k8s.io/kustomize/api/filters/fsslice" + "sigs.k8s.io/kustomize/api/types" + "sigs.k8s.io/kustomize/kyaml/kio" + "sigs.k8s.io/kustomize/kyaml/yaml" +) + +type annoMap map[string]string + +type Filter struct { + // Annotations is the set of annotations to apply to the inputs + Annotations annoMap `yaml:"annotations,omitempty"` + + // FsSlice contains the FieldSpecs to locate the namespace field + FsSlice types.FsSlice + + trackableSetter filtersutil.TrackableSetter +} + +var _ kio.Filter = Filter{} +var _ kio.TrackableFilter = &Filter{} + +// WithMutationTracker registers a callback which will be invoked each time a field is mutated +func (f *Filter) WithMutationTracker(callback func(key, value, tag string, node *yaml.RNode)) { + f.trackableSetter.WithMutationTracker(callback) +} + +func (f Filter) Filter(nodes []*yaml.RNode) ([]*yaml.RNode, error) { + keys := yaml.SortedMapKeys(f.Annotations) + _, err := kio.FilterAll(yaml.FilterFunc( + func(node *yaml.RNode) (*yaml.RNode, error) { + for _, k := range keys { + if err := node.PipeE(fsslice.Filter{ + FsSlice: f.FsSlice, + SetValue: f.trackableSetter.SetEntry( + k, f.Annotations[k], yaml.NodeTagString), + CreateKind: yaml.MappingNode, // Annotations are MappingNodes. + CreateTag: yaml.NodeTagMap, + }); err != nil { + return nil, err + } + } + return node, nil + })).Filter(nodes) + return nodes, err +} diff --git a/vendor/sigs.k8s.io/kustomize/api/filters/annotations/doc.go b/vendor/sigs.k8s.io/kustomize/api/filters/annotations/doc.go new file mode 100644 index 0000000000..b1f6a0b66e --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/filters/annotations/doc.go @@ -0,0 +1,6 @@ +// Copyright 2020 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +// Package annotations contains a kio.Filter implementation of the kustomize +// annotations transformer. +package annotations diff --git a/vendor/sigs.k8s.io/kustomize/api/filters/fieldspec/doc.go b/vendor/sigs.k8s.io/kustomize/api/filters/fieldspec/doc.go new file mode 100644 index 0000000000..6f643630a5 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/filters/fieldspec/doc.go @@ -0,0 +1,6 @@ +// Copyright 2020 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +// Package fieldspec contains a yaml.Filter to modify a resource +// that matches the FieldSpec. +package fieldspec diff --git a/vendor/sigs.k8s.io/kustomize/api/filters/fieldspec/fieldspec.go b/vendor/sigs.k8s.io/kustomize/api/filters/fieldspec/fieldspec.go new file mode 100644 index 0000000000..8e4e78ca6e --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/filters/fieldspec/fieldspec.go @@ -0,0 +1,182 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package fieldspec + +import ( + "fmt" + "strings" + + "sigs.k8s.io/kustomize/api/filters/filtersutil" + "sigs.k8s.io/kustomize/api/types" + "sigs.k8s.io/kustomize/kyaml/errors" + "sigs.k8s.io/kustomize/kyaml/resid" + "sigs.k8s.io/kustomize/kyaml/utils" + "sigs.k8s.io/kustomize/kyaml/yaml" +) + +var _ yaml.Filter = Filter{} + +// Filter possibly mutates its object argument using a FieldSpec. +// If the object matches the FieldSpec, and the node found +// by following the fieldSpec's path is non-null, this filter calls +// the setValue function on the node at the end of the path. +// If any part of the path doesn't exist, the filter returns +// without doing anything and without error, unless it was set +// to create the path. If set to create, it creates a tree of maps +// along the path, and the leaf node gets the setValue called on it. +// Error on GVK mismatch, empty or poorly formed path. +// Filter expect kustomize style paths, not JSON paths. +// Filter stores internal state and should not be reused +type Filter struct { + // FieldSpec contains the path to the value to set. + FieldSpec types.FieldSpec `yaml:"fieldSpec"` + + // Set the field using this function + SetValue filtersutil.SetFn + + // CreateKind defines the type of node to create if the field is not found + CreateKind yaml.Kind + + CreateTag string + + // path keeps internal state about the current path + path []string +} + +func (fltr Filter) Filter(obj *yaml.RNode) (*yaml.RNode, error) { + // check if the FieldSpec applies to the object + if match := isMatchGVK(fltr.FieldSpec, obj); !match { + return obj, nil + } + fltr.path = utils.PathSplitter(fltr.FieldSpec.Path, "/") + if err := fltr.filter(obj); err != nil { + return nil, errors.WrapPrefixf(err, + "considering field '%s' of object %s", fltr.FieldSpec.Path, resid.FromRNode(obj)) + } + return obj, nil +} + +// Recursively called. +func (fltr Filter) filter(obj *yaml.RNode) error { + if len(fltr.path) == 0 { + // found the field -- set its value + return fltr.SetValue(obj) + } + if obj.IsTaggedNull() || obj.IsNil() { + return nil + } + switch obj.YNode().Kind { + case yaml.SequenceNode: + return fltr.handleSequence(obj) + case yaml.MappingNode: + return fltr.handleMap(obj) + case yaml.AliasNode: + return fltr.filter(yaml.NewRNode(obj.YNode().Alias)) + default: + return errors.Errorf("expected sequence or mapping node") + } +} + +// handleMap calls filter on the map field matching the next path element +func (fltr Filter) handleMap(obj *yaml.RNode) error { + fieldName, isSeq := isSequenceField(fltr.path[0]) + if fieldName == "" { + return fmt.Errorf("cannot set or create an empty field name") + } + // lookup the field matching the next path element + var operation yaml.Filter + var kind yaml.Kind + tag := yaml.NodeTagEmpty + switch { + case !fltr.FieldSpec.CreateIfNotPresent || fltr.CreateKind == 0 || isSeq: + // don't create the field if we don't find it + operation = yaml.Lookup(fieldName) + if isSeq { + // The query path thinks this field should be a sequence; + // accept this hint for use later if the tag is NodeTagNull. + kind = yaml.SequenceNode + } + case len(fltr.path) <= 1: + // create the field if it is missing: use the provided node kind + operation = yaml.LookupCreate(fltr.CreateKind, fieldName) + kind = fltr.CreateKind + tag = fltr.CreateTag + default: + // create the field if it is missing: must be a mapping node + operation = yaml.LookupCreate(yaml.MappingNode, fieldName) + kind = yaml.MappingNode + tag = yaml.NodeTagMap + } + + // locate (or maybe create) the field + field, err := obj.Pipe(operation) + if err != nil { + return errors.WrapPrefixf(err, "fieldName: %s", fieldName) + } + if field == nil { + // No error if field not found. + return nil + } + + // if the value exists, but is null and kind is set, + // then change it to the creation type + // TODO: update yaml.LookupCreate to support this + if field.YNode().Tag == yaml.NodeTagNull && yaml.IsCreate(kind) { + field.YNode().Kind = kind + field.YNode().Tag = tag + } + + // copy the current fltr and change the path on the copy + var next = fltr + // call filter for the next path element on the matching field + next.path = fltr.path[1:] + return next.filter(field) +} + +// seq calls filter on all sequence elements +func (fltr Filter) handleSequence(obj *yaml.RNode) error { + if err := obj.VisitElements(func(node *yaml.RNode) error { + // set an accurate FieldPath for nested elements + node.AppendToFieldPath(obj.FieldPath()...) + // recurse on each element -- re-allocating a Filter is + // not strictly required, but is more consistent with field + // and less likely to have side effects + // keep the entire path -- it does not contain parts for sequences + return fltr.filter(node) + }); err != nil { + return errors.WrapPrefixf(err, + "visit traversal on path: %v", fltr.path) + } + return nil +} + +// isSequenceField returns true if the path element is for a sequence field. +// isSequence also returns the path element with the '[]' suffix trimmed +func isSequenceField(name string) (string, bool) { + shorter := strings.TrimSuffix(name, "[]") + return shorter, shorter != name +} + +// isMatchGVK returns true if the fs.GVK matches the obj GVK. +func isMatchGVK(fs types.FieldSpec, obj *yaml.RNode) bool { + if kind := obj.GetKind(); fs.Kind != "" && fs.Kind != kind { + // kind doesn't match + return false + } + + // parse the group and version from the apiVersion field + group, version := resid.ParseGroupVersion(obj.GetApiVersion()) + + if fs.Group != "" && fs.Group != group { + // group doesn't match + return false + } + + if fs.Version != "" && fs.Version != version { + // version doesn't match + return false + } + + return true +} diff --git a/vendor/sigs.k8s.io/kustomize/api/filters/filtersutil/setters.go b/vendor/sigs.k8s.io/kustomize/api/filters/filtersutil/setters.go new file mode 100644 index 0000000000..f776667856 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/filters/filtersutil/setters.go @@ -0,0 +1,105 @@ +// Copyright 2022 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package filtersutil + +import ( + "sigs.k8s.io/kustomize/kyaml/yaml" +) + +// SetFn is a function that accepts an RNode to possibly modify. +type SetFn func(*yaml.RNode) error + +// SetScalar returns a SetFn to set a scalar value +func SetScalar(value string) SetFn { + return SetEntry("", value, yaml.NodeTagEmpty) +} + +// SetEntry returns a SetFn to set a field or a map entry to a value. +// It can be used with an empty name to set both a value and a tag on a scalar node. +// When setting only a value on a scalar node, use SetScalar instead. +func SetEntry(name, value, tag string) SetFn { + n := &yaml.Node{ + Kind: yaml.ScalarNode, + Value: value, + Tag: tag, + } + return func(node *yaml.RNode) error { + return node.PipeE(yaml.FieldSetter{ + Name: name, + Value: yaml.NewRNode(n), + }) + } +} + +type TrackableSetter struct { + // SetValueCallback will be invoked each time a field is set + setValueCallback func(name, value, tag string, node *yaml.RNode) +} + +// WithMutationTracker registers a callback which will be invoked each time a field is mutated +func (s *TrackableSetter) WithMutationTracker(callback func(key, value, tag string, node *yaml.RNode)) *TrackableSetter { + s.setValueCallback = callback + return s +} + +// SetScalar returns a SetFn to set a scalar value. +// if a mutation tracker has been registered, the tracker will be invoked each +// time a scalar is set +func (s TrackableSetter) SetScalar(value string) SetFn { + return s.SetEntry("", value, yaml.NodeTagEmpty) +} + +// SetScalarIfEmpty returns a SetFn to set a scalar value only if it isn't already set. +// If a mutation tracker has been registered, the tracker will be invoked each +// time a scalar is actually set. +func (s TrackableSetter) SetScalarIfEmpty(value string) SetFn { + return s.SetEntryIfEmpty("", value, yaml.NodeTagEmpty) +} + +// SetEntry returns a SetFn to set a field or a map entry to a value. +// It can be used with an empty name to set both a value and a tag on a scalar node. +// When setting only a value on a scalar node, use SetScalar instead. +// If a mutation tracker has been registered, the tracker will be invoked each +// time an entry is set. +func (s TrackableSetter) SetEntry(name, value, tag string) SetFn { + origSetEntry := SetEntry(name, value, tag) + return func(node *yaml.RNode) error { + if s.setValueCallback != nil { + s.setValueCallback(name, value, tag, node) + } + return origSetEntry(node) + } +} + +// SetEntryIfEmpty returns a SetFn to set a field or a map entry to a value only if it isn't already set. +// It can be used with an empty name to set both a value and a tag on a scalar node. +// When setting only a value on a scalar node, use SetScalar instead. +// If a mutation tracker has been registered, the tracker will be invoked each +// time an entry is actually set. +func (s TrackableSetter) SetEntryIfEmpty(key, value, tag string) SetFn { + origSetEntry := SetEntry(key, value, tag) + return func(node *yaml.RNode) error { + if hasExistingValue(node, key) { + return nil + } + if s.setValueCallback != nil { + s.setValueCallback(key, value, tag, node) + } + return origSetEntry(node) + } +} + +func hasExistingValue(node *yaml.RNode, key string) bool { + if node.IsNilOrEmpty() { + return false + } + if err := yaml.ErrorIfInvalid(node, yaml.ScalarNode); err == nil { + return yaml.GetValue(node) != "" + } + entry := node.Field(key) + if entry.IsNilOrEmpty() { + return false + } + return yaml.GetValue(entry.Value) != "" +} diff --git a/vendor/sigs.k8s.io/kustomize/api/filters/fsslice/doc.go b/vendor/sigs.k8s.io/kustomize/api/filters/fsslice/doc.go new file mode 100644 index 0000000000..b0f197722e --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/filters/fsslice/doc.go @@ -0,0 +1,6 @@ +// Copyright 2020 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +// Package fsslice contains a yaml.Filter to modify a resource if +// it matches one or more FieldSpec entries. +package fsslice diff --git a/vendor/sigs.k8s.io/kustomize/api/filters/fsslice/fsslice.go b/vendor/sigs.k8s.io/kustomize/api/filters/fsslice/fsslice.go new file mode 100644 index 0000000000..9eb5c13133 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/filters/fsslice/fsslice.go @@ -0,0 +1,47 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package fsslice + +import ( + "sigs.k8s.io/kustomize/api/filters/fieldspec" + "sigs.k8s.io/kustomize/api/filters/filtersutil" + "sigs.k8s.io/kustomize/api/types" + "sigs.k8s.io/kustomize/kyaml/yaml" +) + +var _ yaml.Filter = Filter{} + +// Filter ranges over an FsSlice to modify fields on a single object. +// An FsSlice is a range of FieldSpecs. A FieldSpec is a GVK plus a path. +type Filter struct { + // FieldSpecList list of FieldSpecs to set + FsSlice types.FsSlice `yaml:"fsSlice"` + + // SetValue is called on each field that matches one of the FieldSpecs + SetValue filtersutil.SetFn + + // CreateKind is used to create fields that do not exist + CreateKind yaml.Kind + + // CreateTag is used to set the tag if encountering a null field + CreateTag string +} + +func (fltr Filter) Filter(obj *yaml.RNode) (*yaml.RNode, error) { + for i := range fltr.FsSlice { + // apply this FieldSpec + // create a new filter for each iteration because they + // store internal state about the field paths + _, err := (&fieldspec.Filter{ + FieldSpec: fltr.FsSlice[i], + SetValue: fltr.SetValue, + CreateKind: fltr.CreateKind, + CreateTag: fltr.CreateTag, + }).Filter(obj) + if err != nil { + return nil, err + } + } + return obj, nil +} diff --git a/vendor/sigs.k8s.io/kustomize/api/filters/iampolicygenerator/doc.go b/vendor/sigs.k8s.io/kustomize/api/filters/iampolicygenerator/doc.go new file mode 100644 index 0000000000..3fe20a6d6d --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/filters/iampolicygenerator/doc.go @@ -0,0 +1,6 @@ +// Copyright 2022 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +// Package gkesagenerator contains a kio.Filter that that generates a +// iampolicy-related resources for a given cloud provider +package iampolicygenerator diff --git a/vendor/sigs.k8s.io/kustomize/api/filters/iampolicygenerator/iampolicygenerator.go b/vendor/sigs.k8s.io/kustomize/api/filters/iampolicygenerator/iampolicygenerator.go new file mode 100644 index 0000000000..97ea31693e --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/filters/iampolicygenerator/iampolicygenerator.go @@ -0,0 +1,55 @@ +// Copyright 2021 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package iampolicygenerator + +import ( + "fmt" + + "sigs.k8s.io/kustomize/api/types" + "sigs.k8s.io/kustomize/kyaml/yaml" +) + +type Filter struct { + IAMPolicyGenerator types.IAMPolicyGeneratorArgs `json:",inline,omitempty" yaml:",inline,omitempty"` +} + +// Filter adds a GKE service account object to nodes +func (f Filter) Filter(nodes []*yaml.RNode) ([]*yaml.RNode, error) { + switch f.IAMPolicyGenerator.Cloud { + case types.GKE: + IAMPolicyResources, err := f.generateGkeIAMPolicyResources() + if err != nil { + return nil, err + } + nodes = append(nodes, IAMPolicyResources...) + default: + return nil, fmt.Errorf("cloud provider %s not supported yet", f.IAMPolicyGenerator.Cloud) + } + return nodes, nil +} + +func (f Filter) generateGkeIAMPolicyResources() ([]*yaml.RNode, error) { + var result []*yaml.RNode + input := fmt.Sprintf(` +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: + iam.gke.io/gcp-service-account: %s@%s.iam.gserviceaccount.com + name: %s +`, f.IAMPolicyGenerator.ServiceAccount.Name, + f.IAMPolicyGenerator.ProjectId, + f.IAMPolicyGenerator.KubernetesService.Name) + + if f.IAMPolicyGenerator.Namespace != "" { + input += fmt.Sprintf("\n namespace: %s", f.IAMPolicyGenerator.Namespace) + } + + sa, err := yaml.Parse(input) + if err != nil { + return nil, err + } + + return append(result, sa), nil +} diff --git a/vendor/sigs.k8s.io/kustomize/api/filters/imagetag/doc.go b/vendor/sigs.k8s.io/kustomize/api/filters/imagetag/doc.go new file mode 100644 index 0000000000..d919491dd6 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/filters/imagetag/doc.go @@ -0,0 +1,12 @@ +// Copyright 2020 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +// Package imagetag contains two kio.Filter implementations to cover the +// functionality of the kustomize imagetag transformer. +// +// Filter updates fields based on a FieldSpec and an ImageTag. +// +// LegacyFilter doesn't use a FieldSpec, and instead only updates image +// references if the field is name image and it is underneath a field called +// either containers or initContainers. +package imagetag diff --git a/vendor/sigs.k8s.io/kustomize/api/filters/imagetag/imagetag.go b/vendor/sigs.k8s.io/kustomize/api/filters/imagetag/imagetag.go new file mode 100644 index 0000000000..24ab99f740 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/filters/imagetag/imagetag.go @@ -0,0 +1,72 @@ +// Copyright 2020 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package imagetag + +import ( + "sigs.k8s.io/kustomize/api/filters/filtersutil" + "sigs.k8s.io/kustomize/api/filters/fsslice" + "sigs.k8s.io/kustomize/api/types" + "sigs.k8s.io/kustomize/kyaml/kio" + "sigs.k8s.io/kustomize/kyaml/yaml" +) + +// Filter modifies an "image tag", the value used to specify the +// name, tag, version digest etc. of (docker) container images +// used by a pod template. +type Filter struct { + // imageTag is the tag we want to apply to the inputs + // The name of the image is used as a key, and other fields + // can specify a new name, tag, etc. + ImageTag types.Image `json:"imageTag,omitempty" yaml:"imageTag,omitempty"` + + // FsSlice contains the FieldSpecs to locate an image field, + // e.g. Path: "spec/myContainers[]/image" + FsSlice types.FsSlice `json:"fieldSpecs,omitempty" yaml:"fieldSpecs,omitempty"` + + trackableSetter filtersutil.TrackableSetter +} + +var _ kio.Filter = Filter{} +var _ kio.TrackableFilter = &Filter{} + +// WithMutationTracker registers a callback which will be invoked each time a field is mutated +func (f *Filter) WithMutationTracker(callback func(key, value, tag string, node *yaml.RNode)) { + f.trackableSetter.WithMutationTracker(callback) +} + +func (f Filter) Filter(nodes []*yaml.RNode) ([]*yaml.RNode, error) { + _, err := kio.FilterAll(yaml.FilterFunc(f.filter)).Filter(nodes) + return nodes, err +} + +func (f Filter) filter(node *yaml.RNode) (*yaml.RNode, error) { + // FsSlice is an allowlist, not a denyList, so to deny + // something via configuration a new config mechanism is + // needed. Until then, hardcode it. + if f.isOnDenyList(node) { + return node, nil + } + if err := node.PipeE(fsslice.Filter{ + FsSlice: f.FsSlice, + SetValue: imageTagUpdater{ + ImageTag: f.ImageTag, + trackableSetter: f.trackableSetter, + }.SetImageValue, + }); err != nil { + return nil, err + } + return node, nil +} + +func (f Filter) isOnDenyList(node *yaml.RNode) bool { + meta, err := node.GetMeta() + if err != nil { + // A missing 'meta' field will cause problems elsewhere; + // ignore it here to keep the signature simple. + return false + } + // Ignore CRDs + // https://github.com/kubernetes-sigs/kustomize/issues/890 + return meta.Kind == `CustomResourceDefinition` +} diff --git a/vendor/sigs.k8s.io/kustomize/api/filters/imagetag/legacy.go b/vendor/sigs.k8s.io/kustomize/api/filters/imagetag/legacy.go new file mode 100644 index 0000000000..d6f5b33f27 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/filters/imagetag/legacy.go @@ -0,0 +1,104 @@ +// Copyright 2020 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package imagetag + +import ( + "sigs.k8s.io/kustomize/api/internal/utils" + "sigs.k8s.io/kustomize/api/types" + "sigs.k8s.io/kustomize/kyaml/errors" + "sigs.k8s.io/kustomize/kyaml/kio" + "sigs.k8s.io/kustomize/kyaml/yaml" +) + +// LegacyFilter is an implementation of the kio.Filter interface +// that scans through the provided kyaml data structure and updates +// any values of any image fields that is inside a sequence under +// a field called either containers or initContainers. The field is only +// update if it has a value that matches and image reference and the name +// of the image is a match with the provided ImageTag. +type LegacyFilter struct { + ImageTag types.Image `json:"imageTag,omitempty" yaml:"imageTag,omitempty"` +} + +var _ kio.Filter = LegacyFilter{} + +func (lf LegacyFilter) Filter(nodes []*yaml.RNode) ([]*yaml.RNode, error) { + return kio.FilterAll(yaml.FilterFunc(lf.filter)).Filter(nodes) +} + +func (lf LegacyFilter) filter(node *yaml.RNode) (*yaml.RNode, error) { + meta, err := node.GetMeta() + if err != nil { + return nil, err + } + + // We do not make any changes if the type of the resource + // is CustomResourceDefinition. + if meta.Kind == `CustomResourceDefinition` { + return node, nil + } + + fff := findFieldsFilter{ + fields: []string{"containers", "initContainers"}, + fieldCallback: checkImageTagsFn(lf.ImageTag), + } + if err := node.PipeE(fff); err != nil { + return nil, err + } + return node, nil +} + +type fieldCallback func(node *yaml.RNode) error + +// findFieldsFilter is an implementation of the kio.Filter +// interface. It will walk the data structure and look for fields +// that matches the provided list of field names. For each match, +// the value of the field will be passed in as a parameter to the +// provided fieldCallback. +// TODO: move this to kyaml/filterutils +type findFieldsFilter struct { + fields []string + + fieldCallback fieldCallback +} + +func (f findFieldsFilter) Filter(obj *yaml.RNode) (*yaml.RNode, error) { + return obj, f.walk(obj) +} + +func (f findFieldsFilter) walk(node *yaml.RNode) error { + switch node.YNode().Kind { + case yaml.MappingNode: + return node.VisitFields(func(n *yaml.MapNode) error { + err := f.walk(n.Value) + if err != nil { + return err + } + key := n.Key.YNode().Value + if utils.StringSliceContains(f.fields, key) { + return f.fieldCallback(n.Value) + } + return nil + }) + case yaml.SequenceNode: + return errors.Wrap(node.VisitElements(f.walk)) + } + return nil +} + +func checkImageTagsFn(imageTag types.Image) fieldCallback { + return func(node *yaml.RNode) error { + if node.YNode().Kind != yaml.SequenceNode { + return nil + } + + return node.VisitElements(func(n *yaml.RNode) error { + // Look up any fields on the provided node that is named + // image. + return n.PipeE(yaml.Get("image"), imageTagUpdater{ + ImageTag: imageTag, + }) + }) + } +} diff --git a/vendor/sigs.k8s.io/kustomize/api/filters/imagetag/updater.go b/vendor/sigs.k8s.io/kustomize/api/filters/imagetag/updater.go new file mode 100644 index 0000000000..58297d4415 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/filters/imagetag/updater.go @@ -0,0 +1,71 @@ +// Copyright 2020 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package imagetag + +import ( + "sigs.k8s.io/kustomize/api/filters/filtersutil" + + "sigs.k8s.io/kustomize/api/internal/image" + "sigs.k8s.io/kustomize/api/types" + "sigs.k8s.io/kustomize/kyaml/yaml" +) + +// imageTagUpdater is an implementation of the kio.Filter interface +// that will update the value of the yaml node based on the provided +// ImageTag if the current value matches the format of an image reference. +type imageTagUpdater struct { + Kind string `yaml:"kind,omitempty"` + ImageTag types.Image `yaml:"imageTag,omitempty"` + trackableSetter filtersutil.TrackableSetter +} + +func (u imageTagUpdater) SetImageValue(rn *yaml.RNode) error { + if err := yaml.ErrorIfInvalid(rn, yaml.ScalarNode); err != nil { + return err + } + + value := rn.YNode().Value + + if !image.IsImageMatched(value, u.ImageTag.Name) { + return nil + } + + name, tag, digest := image.Split(value) + if u.ImageTag.NewName != "" { + name = u.ImageTag.NewName + } + + // overriding tag or digest will replace both original tag and digest values + switch { + case u.ImageTag.NewTag != "" && u.ImageTag.Digest != "": + tag = u.ImageTag.NewTag + digest = u.ImageTag.Digest + case u.ImageTag.NewTag != "": + tag = u.ImageTag.NewTag + digest = "" + case u.ImageTag.Digest != "": + tag = "" + digest = u.ImageTag.Digest + case u.ImageTag.TagSuffix != "": + tag += u.ImageTag.TagSuffix + digest = "" + } + + // build final image name + if tag != "" { + name += ":" + tag + } + if digest != "" { + name += "@" + digest + } + + return u.trackableSetter.SetScalar(name)(rn) +} + +func (u imageTagUpdater) Filter(rn *yaml.RNode) (*yaml.RNode, error) { + if err := u.SetImageValue(rn); err != nil { + return nil, err + } + return rn, nil +} diff --git a/vendor/sigs.k8s.io/kustomize/api/filters/labels/doc.go b/vendor/sigs.k8s.io/kustomize/api/filters/labels/doc.go new file mode 100644 index 0000000000..978033c7e0 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/filters/labels/doc.go @@ -0,0 +1,6 @@ +// Copyright 2020 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +// Package labels contains a kio.Filter implementation of the kustomize +// labels transformer. +package labels diff --git a/vendor/sigs.k8s.io/kustomize/api/filters/labels/labels.go b/vendor/sigs.k8s.io/kustomize/api/filters/labels/labels.go new file mode 100644 index 0000000000..b67d4d4b13 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/filters/labels/labels.go @@ -0,0 +1,53 @@ +// Copyright 2020 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package labels + +import ( + "sigs.k8s.io/kustomize/api/filters/filtersutil" + "sigs.k8s.io/kustomize/api/filters/fsslice" + "sigs.k8s.io/kustomize/api/types" + "sigs.k8s.io/kustomize/kyaml/kio" + "sigs.k8s.io/kustomize/kyaml/yaml" +) + +type labelMap map[string]string + +// Filter sets labels. +type Filter struct { + // Labels is the set of labels to apply to the inputs + Labels labelMap `yaml:"labels,omitempty"` + + // FsSlice identifies the label fields. + FsSlice types.FsSlice + + trackableSetter filtersutil.TrackableSetter +} + +var _ kio.Filter = Filter{} +var _ kio.TrackableFilter = &Filter{} + +// WithMutationTracker registers a callback which will be invoked each time a field is mutated +func (f *Filter) WithMutationTracker(callback func(key, value, tag string, node *yaml.RNode)) { + f.trackableSetter.WithMutationTracker(callback) +} + +func (f Filter) Filter(nodes []*yaml.RNode) ([]*yaml.RNode, error) { + keys := yaml.SortedMapKeys(f.Labels) + _, err := kio.FilterAll(yaml.FilterFunc( + func(node *yaml.RNode) (*yaml.RNode, error) { + for _, k := range keys { + if err := node.PipeE(fsslice.Filter{ + FsSlice: f.FsSlice, + SetValue: f.trackableSetter.SetEntry( + k, f.Labels[k], yaml.NodeTagString), + CreateKind: yaml.MappingNode, // Labels are MappingNodes. + CreateTag: yaml.NodeTagMap, + }); err != nil { + return nil, err + } + } + return node, nil + })).Filter(nodes) + return nodes, err +} diff --git a/vendor/sigs.k8s.io/kustomize/api/filters/nameref/doc.go b/vendor/sigs.k8s.io/kustomize/api/filters/nameref/doc.go new file mode 100644 index 0000000000..78f938933e --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/filters/nameref/doc.go @@ -0,0 +1,6 @@ +// Copyright 2022 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +// Package nameref contains a kio.Filter implementation of the kustomize +// name reference transformer. +package nameref diff --git a/vendor/sigs.k8s.io/kustomize/api/filters/nameref/nameref.go b/vendor/sigs.k8s.io/kustomize/api/filters/nameref/nameref.go new file mode 100644 index 0000000000..ff83420cb1 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/filters/nameref/nameref.go @@ -0,0 +1,416 @@ +// Copyright 2022 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package nameref + +import ( + "fmt" + "strings" + + "sigs.k8s.io/kustomize/api/filters/fieldspec" + "sigs.k8s.io/kustomize/api/resmap" + "sigs.k8s.io/kustomize/api/resource" + "sigs.k8s.io/kustomize/api/types" + "sigs.k8s.io/kustomize/kyaml/errors" + "sigs.k8s.io/kustomize/kyaml/kio" + "sigs.k8s.io/kustomize/kyaml/resid" + "sigs.k8s.io/kustomize/kyaml/yaml" +) + +// Filter updates a name references. +type Filter struct { + // Referrer refers to another resource X by X's name. + // E.g. A Deployment can refer to a ConfigMap. + // The Deployment is the Referrer, + // the ConfigMap is the ReferralTarget. + // This filter seeks to repair the reference in Deployment, given + // that the ConfigMap's name may have changed. + Referrer *resource.Resource + + // NameFieldToUpdate is the field in the Referrer + // that holds the name requiring an update. + // This is the field to write. + NameFieldToUpdate types.FieldSpec + + // ReferralTarget is the source of the new value for + // the name, always in the 'metadata/name' field. + // This is the field to read. + ReferralTarget resid.Gvk + + // Set of resources to scan to find the ReferralTarget. + ReferralCandidates resmap.ResMap +} + +// At time of writing, in practice this is called with a slice with only +// one entry, the node also referred to be the resource in the Referrer field. +func (f Filter) Filter(nodes []*yaml.RNode) ([]*yaml.RNode, error) { + return kio.FilterAll(yaml.FilterFunc(f.run)).Filter(nodes) +} + +// The node passed in here is the same node as held in Referrer; +// that's how the referrer's name field is updated. +// Currently, however, this filter still needs the extra methods on Referrer +// to consult things like the resource Id, its namespace, etc. +// TODO(3455): No filter should use the Resource api; all information +// about names should come from annotations, with helper methods +// on the RNode object. Resource should get stupider, RNode smarter. +func (f Filter) run(node *yaml.RNode) (*yaml.RNode, error) { + if err := f.confirmNodeMatchesReferrer(node); err != nil { + // sanity check. + return nil, err + } + f.NameFieldToUpdate.Gvk = f.Referrer.GetGvk() + if err := node.PipeE(fieldspec.Filter{ + FieldSpec: f.NameFieldToUpdate, + SetValue: f.set, + }); err != nil { + return nil, errors.WrapPrefixf( + err, "updating name reference in '%s' field of '%s'", + f.NameFieldToUpdate.Path, f.Referrer.CurId().String()) + } + return node, nil +} + +// This function is called on the node found at FieldSpec.Path. +// It's some node in the Referrer. +func (f Filter) set(node *yaml.RNode) error { + if yaml.IsMissingOrNull(node) { + return nil + } + switch node.YNode().Kind { + case yaml.ScalarNode: + return f.setScalar(node) + case yaml.MappingNode: + return f.setMapping(node) + case yaml.SequenceNode: + return applyFilterToSeq(seqFilter{ + setScalarFn: f.setScalar, + setMappingFn: f.setMapping, + }, node) + default: + return fmt.Errorf("node must be a scalar, sequence or map") + } +} + +// This method used when NameFieldToUpdate doesn't lead to +// one scalar field (typically called 'name'), but rather +// leads to a map field (called anything). In this case we +// must complete the field path, looking for both a 'name' +// and a 'namespace' field to help select the proper +// ReferralTarget to read the name and namespace from. +func (f Filter) setMapping(node *yaml.RNode) error { + if node.YNode().Kind != yaml.MappingNode { + return fmt.Errorf("expect a mapping node") + } + nameNode, err := node.Pipe(yaml.FieldMatcher{Name: "name"}) + if err != nil { + return errors.WrapPrefixf(err, "trying to match 'name' field") + } + if nameNode == nil { + // This is a _configuration_ error; the field path + // specified in NameFieldToUpdate.Path doesn't resolve + // to a map with a 'name' field, so we have no idea what + // field to update with a new name. + return fmt.Errorf("path config error; no 'name' field in node") + } + candidates, err := f.filterMapCandidatesByNamespace(node) + if err != nil { + return err + } + oldName := nameNode.YNode().Value + // use allNamesAndNamespacesAreTheSame to compare referral candidates for functional identity, + // because we source both name and namespace values from the referral in this case. + referral, err := f.selectReferral(oldName, candidates, allNamesAndNamespacesAreTheSame) + if err != nil || referral == nil { + // Nil referral means nothing to do. + return err + } + f.recordTheReferral(referral) + if referral.GetName() == oldName && referral.GetNamespace() == "" { + // The name has not changed, nothing to do. + return nil + } + if err = node.PipeE(yaml.FieldSetter{ + Name: "name", + StringValue: referral.GetName(), + }); err != nil { + return err + } + if referral.GetNamespace() == "" { + // Don't write an empty string into the namespace field, as + // it should not replace the value "default". The empty + // string is handled as a wild card here, not as an implicit + // specification of the "default" k8s namespace. + return nil + } + return node.PipeE(yaml.FieldSetter{ + Name: "namespace", + StringValue: referral.GetNamespace(), + }) +} + +func (f Filter) filterMapCandidatesByNamespace( + node *yaml.RNode) ([]*resource.Resource, error) { + namespaceNode, err := node.Pipe(yaml.FieldMatcher{Name: "namespace"}) + if err != nil { + return nil, errors.WrapPrefixf(err, "trying to match 'namespace' field") + } + if namespaceNode == nil { + return f.ReferralCandidates.Resources(), nil + } + namespace := namespaceNode.YNode().Value + nsMap := f.ReferralCandidates.GroupedByOriginalNamespace() + if candidates, ok := nsMap[namespace]; ok { + return candidates, nil + } + nsMap = f.ReferralCandidates.GroupedByCurrentNamespace() + // This could be nil, or an empty list. + return nsMap[namespace], nil +} + +func (f Filter) setScalar(node *yaml.RNode) error { + // use allNamesAreTheSame to compare referral candidates for functional identity, + // because we only source the name from the referral in this case. + referral, err := f.selectReferral( + node.YNode().Value, f.ReferralCandidates.Resources(), allNamesAreTheSame) + if err != nil || referral == nil { + // Nil referral means nothing to do. + return err + } + f.recordTheReferral(referral) + if referral.GetName() == node.YNode().Value { + // The name has not changed, nothing to do. + return nil + } + return node.PipeE(yaml.FieldSetter{StringValue: referral.GetName()}) +} + +// In the resource, make a note that it is referred to by the Referrer. +func (f Filter) recordTheReferral(referral *resource.Resource) { + referral.AppendRefBy(f.Referrer.CurId()) +} + +// getRoleRefGvk returns a Gvk in the roleRef field. Return error +// if the roleRef, roleRef/apiGroup or roleRef/kind is missing. +func getRoleRefGvk(n *resource.Resource) (*resid.Gvk, error) { + roleRef, err := n.Pipe(yaml.Lookup("roleRef")) + if err != nil { + return nil, err + } + if roleRef.IsNil() { + return nil, fmt.Errorf("roleRef cannot be found in %s", n.MustString()) + } + apiGroup, err := roleRef.Pipe(yaml.Lookup("apiGroup")) + if err != nil { + return nil, err + } + if apiGroup.IsNil() { + return nil, fmt.Errorf( + "apiGroup cannot be found in roleRef %s", roleRef.MustString()) + } + kind, err := roleRef.Pipe(yaml.Lookup("kind")) + if err != nil { + return nil, err + } + if kind.IsNil() { + return nil, fmt.Errorf( + "kind cannot be found in roleRef %s", roleRef.MustString()) + } + return &resid.Gvk{ + Group: apiGroup.YNode().Value, + Kind: kind.YNode().Value, + }, nil +} + +// sieveFunc returns true if the resource argument satisfies some criteria. +type sieveFunc func(*resource.Resource) bool + +// doSieve uses a function to accept or ignore resources from a list. +// If list is nil, returns immediately. +// It's a filter obviously, but that term is overloaded here. +func doSieve(list []*resource.Resource, fn sieveFunc) (s []*resource.Resource) { + for _, r := range list { + if fn(r) { + s = append(s, r) + } + } + return +} + +func acceptAll(r *resource.Resource) bool { + return true +} + +func previousNameMatches(name string) sieveFunc { + return func(r *resource.Resource) bool { + for _, id := range r.PrevIds() { + if id.Name == name { + return true + } + } + return false + } +} + +func previousIdSelectedByGvk(gvk *resid.Gvk) sieveFunc { + return func(r *resource.Resource) bool { + for _, id := range r.PrevIds() { + if id.IsSelected(gvk) { + return true + } + } + return false + } +} + +// If the we are updating a 'roleRef/name' field, the 'apiGroup' and 'kind' +// fields in the same 'roleRef' map must be considered. +// If either object is cluster-scoped, there can be a referral. +// E.g. a RoleBinding (which exists in a namespace) can refer +// to a ClusterRole (cluster-scoped) object. +// https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole +// Likewise, a ClusterRole can refer to a Secret (in a namespace). +// Objects in different namespaces generally cannot refer to other +// with some exceptions (e.g. RoleBinding and ServiceAccount are both +// namespaceable, but the former can refer to accounts in other namespaces). +func (f Filter) roleRefFilter() sieveFunc { + if !strings.HasSuffix(f.NameFieldToUpdate.Path, "roleRef/name") { + return acceptAll + } + roleRefGvk, err := getRoleRefGvk(f.Referrer) + if err != nil { + return acceptAll + } + return previousIdSelectedByGvk(roleRefGvk) +} + +func prefixSuffixEquals(other resource.ResCtx, allowEmpty bool) sieveFunc { + return func(r *resource.Resource) bool { + return r.PrefixesSuffixesEquals(other, allowEmpty) + } +} + +func (f Filter) sameCurrentNamespaceAsReferrer() sieveFunc { + referrerCurId := f.Referrer.CurId() + if referrerCurId.IsClusterScoped() { + // If the referrer is cluster-scoped, let anything through. + return acceptAll + } + return func(r *resource.Resource) bool { + if r.CurId().IsClusterScoped() { + // Allow cluster-scoped through. + return true + } + if r.GetKind() == "ServiceAccount" { + // Allow service accounts through, even though they + // are in a namespace. A RoleBinding in another namespace + // can reference them. + return true + } + return referrerCurId.IsNsEquals(r.CurId()) + } +} + +// selectReferral picks the best referral from a list of candidates. +func (f Filter) selectReferral( + // The name referral that may need to be updated. + oldName string, + candidates []*resource.Resource, + // function that returns whether two referrals are identical for the purposes of the transformation + candidatesIdentical func(resources []*resource.Resource) bool) (*resource.Resource, error) { + candidates = doSieve(candidates, previousNameMatches(oldName)) + candidates = doSieve(candidates, previousIdSelectedByGvk(&f.ReferralTarget)) + candidates = doSieve(candidates, f.roleRefFilter()) + candidates = doSieve(candidates, f.sameCurrentNamespaceAsReferrer()) + if len(candidates) == 1 { + return candidates[0], nil + } + candidates = doSieve(candidates, prefixSuffixEquals(f.Referrer, true)) + if len(candidates) > 1 { + candidates = doSieve(candidates, prefixSuffixEquals(f.Referrer, false)) + } + if len(candidates) == 1 { + return candidates[0], nil + } + if len(candidates) == 0 { + return nil, nil + } + if candidatesIdentical(candidates) { + // Just take the first one. + return candidates[0], nil + } + ids := getIds(candidates) + return nil, fmt.Errorf("found multiple possible referrals: %s\n%s", ids, f.failureDetails(candidates)) +} + +func (f Filter) failureDetails(resources []*resource.Resource) string { + msg := strings.Builder{} + msg.WriteString(fmt.Sprintf("\n**** Too many possible referral targets to referrer:\n%s\n", f.Referrer.MustYaml())) + for i, r := range resources { + msg.WriteString(fmt.Sprintf("--- possible referral %d:\n%s\n", i, r.MustYaml())) + } + return msg.String() +} + +func allNamesAreTheSame(resources []*resource.Resource) bool { + name := resources[0].GetName() + for i := 1; i < len(resources); i++ { + if name != resources[i].GetName() { + return false + } + } + return true +} + +func allNamesAndNamespacesAreTheSame(resources []*resource.Resource) bool { + name := resources[0].GetName() + namespace := resources[0].GetNamespace() + for i := 1; i < len(resources); i++ { + if name != resources[i].GetName() || namespace != resources[i].GetNamespace() { + return false + } + } + return true +} + +func getIds(rs []*resource.Resource) string { + var result []string + for _, r := range rs { + result = append(result, r.CurId().String()) + } + return strings.Join(result, ", ") +} + +func checkEqual(k, a, b string) error { + if a != b { + return fmt.Errorf( + "node-referrerOriginal '%s' mismatch '%s' != '%s'", + k, a, b) + } + return nil +} + +func (f Filter) confirmNodeMatchesReferrer(node *yaml.RNode) error { + meta, err := node.GetMeta() + if err != nil { + return err + } + gvk := f.Referrer.GetGvk() + if err = checkEqual( + "APIVersion", meta.APIVersion, gvk.ApiVersion()); err != nil { + return err + } + if err = checkEqual( + "Kind", meta.Kind, gvk.Kind); err != nil { + return err + } + if err = checkEqual( + "Name", meta.Name, f.Referrer.GetName()); err != nil { + return err + } + if err = checkEqual( + "Namespace", meta.Namespace, f.Referrer.GetNamespace()); err != nil { + return err + } + return nil +} diff --git a/vendor/sigs.k8s.io/kustomize/api/filters/nameref/seqfilter.go b/vendor/sigs.k8s.io/kustomize/api/filters/nameref/seqfilter.go new file mode 100644 index 0000000000..0caab4c9b7 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/filters/nameref/seqfilter.go @@ -0,0 +1,60 @@ +// Copyright 2022 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package nameref + +import ( + "fmt" + + "sigs.k8s.io/kustomize/kyaml/yaml" +) + +type setFn func(*yaml.RNode) error + +type seqFilter struct { + setScalarFn setFn + setMappingFn setFn +} + +func (sf seqFilter) Filter(node *yaml.RNode) (*yaml.RNode, error) { + if yaml.IsMissingOrNull(node) { + return node, nil + } + switch node.YNode().Kind { + case yaml.ScalarNode: + // Kind: Role/ClusterRole + // FieldSpec is rules.resourceNames + err := sf.setScalarFn(node) + return node, err + case yaml.MappingNode: + // Kind: RoleBinding/ClusterRoleBinding + // FieldSpec is subjects + // Note: The corresponding fieldSpec had been changed from + // from path: subjects/name to just path: subjects. This is + // what get mutatefield to request the mapping of the whole + // map containing namespace and name instead of just a simple + // string field containing the name + err := sf.setMappingFn(node) + return node, err + default: + return node, fmt.Errorf( + "%#v is expected to be either a string or a map of string", node) + } +} + +// applyFilterToSeq will apply the filter to each element in the sequence node +func applyFilterToSeq(filter yaml.Filter, node *yaml.RNode) error { + if node.YNode().Kind != yaml.SequenceNode { + return fmt.Errorf("expect a sequence node but got %v", node.YNode().Kind) + } + + for _, elem := range node.Content() { + rnode := yaml.NewRNode(elem) + err := rnode.PipeE(filter) + if err != nil { + return err + } + } + + return nil +} diff --git a/vendor/sigs.k8s.io/kustomize/api/filters/namespace/doc.go b/vendor/sigs.k8s.io/kustomize/api/filters/namespace/doc.go new file mode 100644 index 0000000000..539758b282 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/filters/namespace/doc.go @@ -0,0 +1,9 @@ +// Copyright 2020 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +// Package namespace contains a kio.Filter implementation of the kustomize +// namespace transformer. +// +// Special cases for known Kubernetes resources have been hardcoded in addition +// to those defined by the FsSlice. +package namespace diff --git a/vendor/sigs.k8s.io/kustomize/api/filters/namespace/namespace.go b/vendor/sigs.k8s.io/kustomize/api/filters/namespace/namespace.go new file mode 100644 index 0000000000..9279abb9d4 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/filters/namespace/namespace.go @@ -0,0 +1,217 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package namespace + +import ( + "sigs.k8s.io/kustomize/api/filters/filtersutil" + "sigs.k8s.io/kustomize/api/filters/fsslice" + "sigs.k8s.io/kustomize/api/types" + "sigs.k8s.io/kustomize/kyaml/errors" + "sigs.k8s.io/kustomize/kyaml/kio" + "sigs.k8s.io/kustomize/kyaml/resid" + "sigs.k8s.io/kustomize/kyaml/yaml" +) + +type Filter struct { + // Namespace is the namespace to apply to the inputs + Namespace string `yaml:"namespace,omitempty"` + + // FsSlice contains the FieldSpecs to locate the namespace field + FsSlice types.FsSlice `json:"fieldSpecs,omitempty" yaml:"fieldSpecs,omitempty"` + + // UnsetOnly means only blank namespace fields will be set + UnsetOnly bool `json:"unsetOnly" yaml:"unsetOnly"` + + // SetRoleBindingSubjects determines which subject fields in RoleBinding and ClusterRoleBinding + // objects will have their namespace fields set. Overrides field specs provided for these types, if any. + // - defaultOnly (default): namespace will be set only on subjects named "default". + // - allServiceAccounts: namespace will be set on all subjects with "kind: ServiceAccount" + // - none: all subjects will be skipped. + SetRoleBindingSubjects RoleBindingSubjectMode `json:"setRoleBindingSubjects" yaml:"setRoleBindingSubjects"` + + trackableSetter filtersutil.TrackableSetter +} + +type RoleBindingSubjectMode string + +const ( + DefaultSubjectsOnly RoleBindingSubjectMode = "defaultOnly" + SubjectModeUnspecified RoleBindingSubjectMode = "" + AllServiceAccountSubjects RoleBindingSubjectMode = "allServiceAccounts" + NoSubjects RoleBindingSubjectMode = "none" +) + +var _ kio.Filter = Filter{} +var _ kio.TrackableFilter = &Filter{} + +// WithMutationTracker registers a callback which will be invoked each time a field is mutated +func (ns *Filter) WithMutationTracker(callback func(key, value, tag string, node *yaml.RNode)) { + ns.trackableSetter.WithMutationTracker(callback) +} + +func (ns Filter) Filter(nodes []*yaml.RNode) ([]*yaml.RNode, error) { + return kio.FilterAll(yaml.FilterFunc(ns.run)).Filter(nodes) +} + +// Run runs the filter on a single node rather than a slice +func (ns Filter) run(node *yaml.RNode) (*yaml.RNode, error) { + // Special handling for metadata.namespace and metadata.name -- :( + // never let SetEntry handle metadata.namespace--it will incorrectly include cluster-scoped resources + // only update metadata.name if api version is expected one--so-as it leaves other resources of kind namespace alone + apiVersion := node.GetApiVersion() + ns.FsSlice = ns.removeUnneededMetaFieldSpecs(apiVersion, ns.FsSlice) + gvk := resid.GvkFromNode(node) + if err := ns.metaNamespaceHack(node, gvk); err != nil { + return nil, err + } + + // Special handling for (cluster) role binding subjects -- :( + if isRoleBinding(gvk.Kind) { + ns.FsSlice = ns.removeRoleBindingSubjectFieldSpecs(ns.FsSlice) + if err := ns.roleBindingHack(node); err != nil { + return nil, err + } + } + + // transformations based on data -- :) + err := node.PipeE(fsslice.Filter{ + FsSlice: ns.FsSlice, + SetValue: ns.fieldSetter(), + CreateKind: yaml.ScalarNode, // Namespace is a ScalarNode + CreateTag: yaml.NodeTagString, + }) + invalidKindErr := &yaml.InvalidNodeKindError{} + if err != nil && errors.As(err, &invalidKindErr) && invalidKindErr.ActualNodeKind() != yaml.ScalarNode { + return nil, errors.WrapPrefixf(err, "namespace field specs must target scalar nodes") + } + return node, errors.WrapPrefixf(err, "namespace transformation failed") +} + +// metaNamespaceHack is a hack for implementing the namespace transform +// for the metadata.namespace field on namespace scoped resources. +func (ns Filter) metaNamespaceHack(obj *yaml.RNode, gvk resid.Gvk) error { + if gvk.IsClusterScoped() { + return nil + } + f := fsslice.Filter{ + FsSlice: []types.FieldSpec{ + {Path: types.MetadataNamespacePath, CreateIfNotPresent: true}, + }, + SetValue: ns.fieldSetter(), + CreateKind: yaml.ScalarNode, // Namespace is a ScalarNode + } + _, err := f.Filter(obj) + return err +} + +// roleBindingHack is a hack for implementing the transformer's SetRoleBindingSubjects option +// for RoleBinding and ClusterRoleBinding resource types. +// +// In NoSubjects mode, it does nothing. +// +// In AllServiceAccountSubjects mode, it sets the namespace on subjects with "kind: ServiceAccount". +// +// In DefaultSubjectsOnly mode (default mode), RoleBinding and ClusterRoleBinding have namespace set on +// elements of the "subjects" field if and only if the subject elements +// "name" is "default". Otherwise the namespace is not set. +// Example: +// +// kind: RoleBinding +// subjects: +// - name: "default" # this will have the namespace set +// ... +// - name: "something-else" # this will not have the namespace set +// ... +func (ns Filter) roleBindingHack(obj *yaml.RNode) error { + var visitor filtersutil.SetFn + switch ns.SetRoleBindingSubjects { + case NoSubjects: + return nil + case DefaultSubjectsOnly, SubjectModeUnspecified: + visitor = ns.setSubjectsNamedDefault + case AllServiceAccountSubjects: + visitor = ns.setServiceAccountNamespaces + default: + return errors.Errorf("invalid value %q for setRoleBindingSubjects: "+ + "must be one of %q, %q or %q", ns.SetRoleBindingSubjects, + DefaultSubjectsOnly, NoSubjects, AllServiceAccountSubjects) + } + + // Lookup the subjects field on all elements. + obj, err := obj.Pipe(yaml.Lookup(subjectsField)) + if err != nil || yaml.IsMissingOrNull(obj) { + return err + } + // Use the appropriate visitor to set the namespace field on the correct subset of subjects + return errors.WrapPrefixf(obj.VisitElements(visitor), "setting namespace on (cluster)role binding subjects") +} + +func isRoleBinding(kind string) bool { + return kind == roleBindingKind || kind == clusterRoleBindingKind +} + +func (ns Filter) setServiceAccountNamespaces(o *yaml.RNode) error { + name, err := o.Pipe(yaml.Lookup("kind"), yaml.Match("ServiceAccount")) + if err != nil || yaml.IsMissingOrNull(name) { + return errors.WrapPrefixf(err, "looking up kind on (cluster)role binding subject") + } + return setNamespaceField(o, ns.fieldSetter()) +} + +func (ns Filter) setSubjectsNamedDefault(o *yaml.RNode) error { + name, err := o.Pipe(yaml.Lookup("name"), yaml.Match("default")) + if err != nil || yaml.IsMissingOrNull(name) { + return errors.WrapPrefixf(err, "looking up name on (cluster)role binding subject") + } + return setNamespaceField(o, ns.fieldSetter()) +} + +func setNamespaceField(node *yaml.RNode, setter filtersutil.SetFn) error { + node, err := node.Pipe(yaml.LookupCreate(yaml.ScalarNode, "namespace")) + if err != nil { + return errors.WrapPrefixf(err, "setting namespace field on (cluster)role binding subject") + } + return setter(node) +} + +// removeRoleBindingSubjectFieldSpecs removes from the list fieldspecs that +// have hardcoded implementations +func (ns Filter) removeRoleBindingSubjectFieldSpecs(fs types.FsSlice) types.FsSlice { + var val types.FsSlice + for i := range fs { + if isRoleBinding(fs[i].Kind) && fs[i].Path == subjectsNamespacePath { + continue + } + val = append(val, fs[i]) + } + return val +} + +func (ns Filter) removeUnneededMetaFieldSpecs(apiVersion string, fs types.FsSlice) types.FsSlice { + var val types.FsSlice + for i := range fs { + if fs[i].Path == types.MetadataNamespacePath { + continue + } + if apiVersion != types.MetadataNamespaceApiVersion && fs[i].Path == types.MetadataNamePath { + continue + } + val = append(val, fs[i]) + } + return val +} + +func (ns *Filter) fieldSetter() filtersutil.SetFn { + if ns.UnsetOnly { + return ns.trackableSetter.SetEntryIfEmpty("", ns.Namespace, yaml.NodeTagString) + } + return ns.trackableSetter.SetEntry("", ns.Namespace, yaml.NodeTagString) +} + +const ( + subjectsField = "subjects" + subjectsNamespacePath = "subjects/namespace" + roleBindingKind = "RoleBinding" + clusterRoleBindingKind = "ClusterRoleBinding" +) diff --git a/vendor/sigs.k8s.io/kustomize/api/filters/patchjson6902/doc.go b/vendor/sigs.k8s.io/kustomize/api/filters/patchjson6902/doc.go new file mode 100644 index 0000000000..ec4cfa8211 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/filters/patchjson6902/doc.go @@ -0,0 +1,6 @@ +// Copyright 2020 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +// Package namespace contains a kio.Filter implementation of the kustomize +// patchjson6902 transformer +package patchjson6902 diff --git a/vendor/sigs.k8s.io/kustomize/api/filters/patchjson6902/patchjson6902.go b/vendor/sigs.k8s.io/kustomize/api/filters/patchjson6902/patchjson6902.go new file mode 100644 index 0000000000..671567d9a1 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/filters/patchjson6902/patchjson6902.go @@ -0,0 +1,65 @@ +// Copyright 2020 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package patchjson6902 + +import ( + "strings" + + jsonpatch "gopkg.in/evanphx/json-patch.v4" + "sigs.k8s.io/kustomize/kyaml/kio" + "sigs.k8s.io/kustomize/kyaml/yaml" + k8syaml "sigs.k8s.io/yaml" +) + +type Filter struct { + Patch string + + decodedPatch jsonpatch.Patch +} + +var _ kio.Filter = Filter{} + +func (pf Filter) Filter(nodes []*yaml.RNode) ([]*yaml.RNode, error) { + decodedPatch, err := pf.decodePatch() + if err != nil { + return nil, err + } + pf.decodedPatch = decodedPatch + return kio.FilterAll(yaml.FilterFunc(pf.run)).Filter(nodes) +} + +func (pf Filter) decodePatch() (jsonpatch.Patch, error) { + patch := pf.Patch + // If the patch doesn't look like a JSON6902 patch, we + // try to parse it to json. + if !strings.HasPrefix(pf.Patch, "[") { + p, err := k8syaml.YAMLToJSON([]byte(patch)) + if err != nil { + return nil, err + } + patch = string(p) + } + decodedPatch, err := jsonpatch.DecodePatch([]byte(patch)) + if err != nil { + return nil, err + } + return decodedPatch, nil +} + +func (pf Filter) run(node *yaml.RNode) (*yaml.RNode, error) { + // We don't actually use the kyaml library for manipulating the + // yaml here. We just marshal it to json and rely on the + // jsonpatch library to take care of applying the patch. + // This means ordering might not be preserved with this filter. + b, err := node.MarshalJSON() + if err != nil { + return nil, err + } + res, err := pf.decodedPatch.Apply(b) + if err != nil { + return nil, err + } + err = node.UnmarshalJSON(res) + return node, err +} diff --git a/vendor/sigs.k8s.io/kustomize/api/filters/patchstrategicmerge/doc.go b/vendor/sigs.k8s.io/kustomize/api/filters/patchstrategicmerge/doc.go new file mode 100644 index 0000000000..1733fd8a2c --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/filters/patchstrategicmerge/doc.go @@ -0,0 +1,6 @@ +// Copyright 2020 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +// Package patchstrategicmerge contains a kio.Filter implementation of the +// kustomize strategic merge patch transformer. +package patchstrategicmerge diff --git a/vendor/sigs.k8s.io/kustomize/api/filters/patchstrategicmerge/patchstrategicmerge.go b/vendor/sigs.k8s.io/kustomize/api/filters/patchstrategicmerge/patchstrategicmerge.go new file mode 100644 index 0000000000..1a70d19aac --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/filters/patchstrategicmerge/patchstrategicmerge.go @@ -0,0 +1,36 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package patchstrategicmerge + +import ( + "sigs.k8s.io/kustomize/kyaml/kio" + "sigs.k8s.io/kustomize/kyaml/yaml" + "sigs.k8s.io/kustomize/kyaml/yaml/merge2" +) + +type Filter struct { + Patch *yaml.RNode +} + +var _ kio.Filter = Filter{} + +// Filter does a strategic merge patch, which can delete nodes. +func (pf Filter) Filter(nodes []*yaml.RNode) ([]*yaml.RNode, error) { + var result []*yaml.RNode + for i := range nodes { + r, err := merge2.Merge( + pf.Patch, nodes[i], + yaml.MergeOptions{ + ListIncreaseDirection: yaml.MergeOptionsListPrepend, + }, + ) + if err != nil { + return nil, err + } + if r != nil { + result = append(result, r) + } + } + return result, nil +} diff --git a/vendor/sigs.k8s.io/kustomize/api/filters/prefix/doc.go b/vendor/sigs.k8s.io/kustomize/api/filters/prefix/doc.go new file mode 100644 index 0000000000..95236859fa --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/filters/prefix/doc.go @@ -0,0 +1,6 @@ +// Copyright 2020 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +// Package prefix contains a kio.Filter implementation of the kustomize +// PrefixTransformer. +package prefix diff --git a/vendor/sigs.k8s.io/kustomize/api/filters/prefix/prefix.go b/vendor/sigs.k8s.io/kustomize/api/filters/prefix/prefix.go new file mode 100644 index 0000000000..daa375d1f7 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/filters/prefix/prefix.go @@ -0,0 +1,50 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package prefix + +import ( + "fmt" + + "sigs.k8s.io/kustomize/api/filters/fieldspec" + "sigs.k8s.io/kustomize/api/filters/filtersutil" + "sigs.k8s.io/kustomize/api/types" + "sigs.k8s.io/kustomize/kyaml/kio" + "sigs.k8s.io/kustomize/kyaml/yaml" +) + +// Filter applies resource name prefix's using the fieldSpecs +type Filter struct { + Prefix string `json:"prefix,omitempty" yaml:"prefix,omitempty"` + + FieldSpec types.FieldSpec `json:"fieldSpec,omitempty" yaml:"fieldSpec,omitempty"` + + trackableSetter filtersutil.TrackableSetter +} + +var _ kio.Filter = Filter{} +var _ kio.TrackableFilter = &Filter{} + +// WithMutationTracker registers a callback which will be invoked each time a field is mutated +func (f *Filter) WithMutationTracker(callback func(key, value, tag string, node *yaml.RNode)) { + f.trackableSetter.WithMutationTracker(callback) +} + +func (f Filter) Filter(nodes []*yaml.RNode) ([]*yaml.RNode, error) { + return kio.FilterAll(yaml.FilterFunc(f.run)).Filter(nodes) +} + +func (f Filter) run(node *yaml.RNode) (*yaml.RNode, error) { + err := node.PipeE(fieldspec.Filter{ + FieldSpec: f.FieldSpec, + SetValue: f.evaluateField, + CreateKind: yaml.ScalarNode, // Name is a ScalarNode + CreateTag: yaml.NodeTagString, + }) + return node, err +} + +func (f Filter) evaluateField(node *yaml.RNode) error { + return f.trackableSetter.SetScalar(fmt.Sprintf( + "%s%s", f.Prefix, node.YNode().Value))(node) +} diff --git a/vendor/sigs.k8s.io/kustomize/api/filters/refvar/doc.go b/vendor/sigs.k8s.io/kustomize/api/filters/refvar/doc.go new file mode 100644 index 0000000000..e307198712 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/filters/refvar/doc.go @@ -0,0 +1,6 @@ +// Copyright 2022 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +// Package refvar contains a kio.Filter implementation of the kustomize +// refvar transformer (find and replace $(FOO) style variables in strings). +package refvar diff --git a/vendor/sigs.k8s.io/kustomize/api/filters/refvar/expand.go b/vendor/sigs.k8s.io/kustomize/api/filters/refvar/expand.go new file mode 100644 index 0000000000..3bcbd7a53b --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/filters/refvar/expand.go @@ -0,0 +1,147 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package refvar + +import ( + "fmt" + "log" + "strings" +) + +const ( + operator = '$' + referenceOpener = '(' + referenceCloser = ')' +) + +// syntaxWrap returns the input string wrapped by the expansion syntax. +func syntaxWrap(input string) string { + var sb strings.Builder + sb.WriteByte(operator) + sb.WriteByte(referenceOpener) + sb.WriteString(input) + sb.WriteByte(referenceCloser) + return sb.String() +} + +// MappingFunc maps a string to anything. +type MappingFunc func(string) interface{} + +// MakePrimitiveReplacer returns a MappingFunc that uses a map to do +// replacements, and a histogram to count map hits. +// +// Func behavior: +// +// If the input key is NOT found in the map, the key is wrapped up as +// as a variable declaration string and returned, e.g. key FOO becomes $(FOO). +// This string is presumably put back where it was found, and might get replaced +// later. +// +// If the key is found in the map, the value is returned if it is a primitive +// type (string, bool, number), and the hit is counted. +// +// If it's not a primitive type (e.g. a map, struct, func, etc.) then this +// function doesn't know what to do with it and it returns the key wrapped up +// again as if it had not been replaced. This should probably be an error. +func MakePrimitiveReplacer( + counts map[string]int, someMap map[string]interface{}) MappingFunc { + return func(key string) interface{} { + if value, ok := someMap[key]; ok { + switch typedV := value.(type) { + case string, int, int32, int64, float32, float64, bool: + counts[key]++ + return typedV + default: + // If the value is some complicated type (e.g. a map or struct), + // this function doesn't know how to jam it into a string, + // so just pretend it was a cache miss. + // Likely this should be an error instead of a silent failure, + // since the programmer passed an impossible value. + log.Printf( + "MakePrimitiveReplacer: bad replacement type=%T val=%v", + typedV, typedV) + return syntaxWrap(key) + } + } + // If unable to return the mapped variable, return it + // as it was found, and a later mapping might be able to + // replace it. + return syntaxWrap(key) + } +} + +// DoReplacements replaces variable references in the input string +// using the mapping function. +func DoReplacements(input string, mapping MappingFunc) interface{} { + var buf strings.Builder + checkpoint := 0 + for cursor := 0; cursor < len(input); cursor++ { + if input[cursor] == operator && cursor+1 < len(input) { + // Copy the portion of the input string since the last + // checkpoint into the buffer + buf.WriteString(input[checkpoint:cursor]) + + // Attempt to read the variable name as defined by the + // syntax from the input string + read, isVar, advance := tryReadVariableName(input[cursor+1:]) + + if isVar { + // We were able to read a variable name correctly; + // apply the mapping to the variable name and copy the + // bytes into the buffer + mapped := mapping(read) + if input == syntaxWrap(read) { + // Preserve the type of variable + return mapped + } + + // Variable is used in a middle of a string + buf.WriteString(fmt.Sprintf("%v", mapped)) + } else { + // Not a variable name; copy the read bytes into the buffer + buf.WriteString(read) + } + + // Advance the cursor in the input string to account for + // bytes consumed to read the variable name expression + cursor += advance + + // Advance the checkpoint in the input string + checkpoint = cursor + 1 + } + } + + // Return the buffer and any remaining unwritten bytes in the + // input string. + return buf.String() + input[checkpoint:] +} + +// tryReadVariableName attempts to read a variable name from the input +// string and returns the content read from the input, whether that content +// represents a variable name to perform mapping on, and the number of bytes +// consumed in the input string. +// +// The input string is assumed not to contain the initial operator. +func tryReadVariableName(input string) (string, bool, int) { + switch input[0] { + case operator: + // Escaped operator; return it. + return input[0:1], false, 1 + case referenceOpener: + // Scan to expression closer + for i := 1; i < len(input); i++ { + if input[i] == referenceCloser { + return input[1:i], true, i + 1 + } + } + + // Incomplete reference; return it. + return string(operator) + string(referenceOpener), false, 1 + default: + // Not the beginning of an expression, ie, an operator + // that doesn't begin an expression. Return the operator + // and the first rune in the string. + return string(operator) + string(input[0]), false, 1 + } +} diff --git a/vendor/sigs.k8s.io/kustomize/api/filters/refvar/refvar.go b/vendor/sigs.k8s.io/kustomize/api/filters/refvar/refvar.go new file mode 100644 index 0000000000..e00afafd7b --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/filters/refvar/refvar.go @@ -0,0 +1,113 @@ +// Copyright 2022 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package refvar + +import ( + "fmt" + "strconv" + + "sigs.k8s.io/kustomize/api/filters/fieldspec" + "sigs.k8s.io/kustomize/api/types" + "sigs.k8s.io/kustomize/kyaml/kio" + "sigs.k8s.io/kustomize/kyaml/yaml" +) + +// Filter updates $(VAR) style variables with values. +// The fieldSpecs are the places to look for occurrences of $(VAR). +type Filter struct { + MappingFunc MappingFunc `json:"mappingFunc,omitempty" yaml:"mappingFunc,omitempty"` + FieldSpec types.FieldSpec `json:"fieldSpec,omitempty" yaml:"fieldSpec,omitempty"` +} + +func (f Filter) Filter(nodes []*yaml.RNode) ([]*yaml.RNode, error) { + return kio.FilterAll(yaml.FilterFunc(f.run)).Filter(nodes) +} + +func (f Filter) run(node *yaml.RNode) (*yaml.RNode, error) { + err := node.PipeE(fieldspec.Filter{ + FieldSpec: f.FieldSpec, + SetValue: f.set, + }) + return node, err +} + +func (f Filter) set(node *yaml.RNode) error { + if yaml.IsMissingOrNull(node) { + return nil + } + switch node.YNode().Kind { + case yaml.ScalarNode: + return f.setScalar(node) + case yaml.MappingNode: + return f.setMap(node) + case yaml.SequenceNode: + return f.setSeq(node) + default: + return fmt.Errorf("invalid type encountered %v", node.YNode().Kind) + } +} + +func updateNodeValue(node *yaml.Node, newValue interface{}) { + switch newValue := newValue.(type) { + case int: + node.Value = strconv.FormatInt(int64(newValue), 10) + node.Tag = yaml.NodeTagInt + case int32: + node.Value = strconv.FormatInt(int64(newValue), 10) + node.Tag = yaml.NodeTagInt + case int64: + node.Value = strconv.FormatInt(newValue, 10) + node.Tag = yaml.NodeTagInt + case bool: + node.SetString(strconv.FormatBool(newValue)) + node.Tag = yaml.NodeTagBool + case float32: + node.SetString(strconv.FormatFloat(float64(newValue), 'f', -1, 32)) + node.Tag = yaml.NodeTagFloat + case float64: + node.SetString(strconv.FormatFloat(newValue, 'f', -1, 64)) + node.Tag = yaml.NodeTagFloat + default: + node.SetString(newValue.(string)) + node.Tag = yaml.NodeTagString + } + node.Style = 0 +} + +func (f Filter) setScalar(node *yaml.RNode) error { + if !yaml.IsYNodeString(node.YNode()) { + return nil + } + v := DoReplacements(node.YNode().Value, f.MappingFunc) + updateNodeValue(node.YNode(), v) + return nil +} + +func (f Filter) setMap(node *yaml.RNode) error { + contents := node.YNode().Content + for i := 0; i < len(contents); i += 2 { + if !yaml.IsYNodeString(contents[i]) { + return fmt.Errorf( + "invalid map key: value='%s', tag='%s'", + contents[i].Value, contents[i].Tag) + } + if !yaml.IsYNodeString(contents[i+1]) { + continue + } + newValue := DoReplacements(contents[i+1].Value, f.MappingFunc) + updateNodeValue(contents[i+1], newValue) + } + return nil +} + +func (f Filter) setSeq(node *yaml.RNode) error { + for _, item := range node.YNode().Content { + if !yaml.IsYNodeString(item) { + return fmt.Errorf("invalid value type expect a string") + } + newValue := DoReplacements(item.Value, f.MappingFunc) + updateNodeValue(item, newValue) + } + return nil +} diff --git a/vendor/sigs.k8s.io/kustomize/api/filters/replacement/doc.go b/vendor/sigs.k8s.io/kustomize/api/filters/replacement/doc.go new file mode 100644 index 0000000000..667c928933 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/filters/replacement/doc.go @@ -0,0 +1,7 @@ +// Copyright 2022 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +// Package replacement contains a kio.Filter implementation of the kustomize +// replacement transformer (accepts sources and looks for targets to replace +// their values with values from the sources). +package replacement diff --git a/vendor/sigs.k8s.io/kustomize/api/filters/replacement/replacement.go b/vendor/sigs.k8s.io/kustomize/api/filters/replacement/replacement.go new file mode 100644 index 0000000000..a988b60e8d --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/filters/replacement/replacement.go @@ -0,0 +1,249 @@ +// Copyright 2021 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package replacement + +import ( + "fmt" + "strings" + + "sigs.k8s.io/kustomize/api/internal/utils" + "sigs.k8s.io/kustomize/api/resource" + "sigs.k8s.io/kustomize/api/types" + "sigs.k8s.io/kustomize/kyaml/errors" + "sigs.k8s.io/kustomize/kyaml/resid" + kyaml_utils "sigs.k8s.io/kustomize/kyaml/utils" + "sigs.k8s.io/kustomize/kyaml/yaml" +) + +type Filter struct { + Replacements []types.Replacement `json:"replacements,omitempty" yaml:"replacements,omitempty"` +} + +// Filter replaces values of targets with values from sources +func (f Filter) Filter(nodes []*yaml.RNode) ([]*yaml.RNode, error) { + for i, r := range f.Replacements { + if r.Source == nil || r.Targets == nil { + return nil, fmt.Errorf("replacements must specify a source and at least one target") + } + value, err := getReplacement(nodes, &f.Replacements[i]) + if err != nil { + return nil, err + } + nodes, err = applyReplacement(nodes, value, r.Targets) + if err != nil { + return nil, err + } + } + return nodes, nil +} + +func getReplacement(nodes []*yaml.RNode, r *types.Replacement) (*yaml.RNode, error) { + source, err := selectSourceNode(nodes, r.Source) + if err != nil { + return nil, err + } + + if r.Source.FieldPath == "" { + r.Source.FieldPath = types.DefaultReplacementFieldPath + } + fieldPath := kyaml_utils.SmarterPathSplitter(r.Source.FieldPath, ".") + + rn, err := source.Pipe(yaml.Lookup(fieldPath...)) + if err != nil { + return nil, fmt.Errorf("error looking up replacement source: %w", err) + } + if rn.IsNilOrEmpty() { + return nil, fmt.Errorf("fieldPath `%s` is missing for replacement source %s", r.Source.FieldPath, r.Source.ResId) + } + + return getRefinedValue(r.Source.Options, rn) +} + +// selectSourceNode finds the node that matches the selector, returning +// an error if multiple or none are found +func selectSourceNode(nodes []*yaml.RNode, selector *types.SourceSelector) (*yaml.RNode, error) { + var matches []*yaml.RNode + for _, n := range nodes { + ids, err := utils.MakeResIds(n) + if err != nil { + return nil, fmt.Errorf("error getting node IDs: %w", err) + } + for _, id := range ids { + if id.IsSelectedBy(selector.ResId) { + if len(matches) > 0 { + return nil, fmt.Errorf( + "multiple matches for selector %s", selector) + } + matches = append(matches, n) + break + } + } + } + if len(matches) == 0 { + return nil, fmt.Errorf("nothing selected by %s", selector) + } + return matches[0], nil +} + +func getRefinedValue(options *types.FieldOptions, rn *yaml.RNode) (*yaml.RNode, error) { + if options == nil || options.Delimiter == "" { + return rn, nil + } + if rn.YNode().Kind != yaml.ScalarNode { + return nil, fmt.Errorf("delimiter option can only be used with scalar nodes") + } + value := strings.Split(yaml.GetValue(rn), options.Delimiter) + if options.Index >= len(value) || options.Index < 0 { + return nil, fmt.Errorf("options.index %d is out of bounds for value %s", options.Index, yaml.GetValue(rn)) + } + n := rn.Copy() + n.YNode().Value = value[options.Index] + return n, nil +} + +func applyReplacement(nodes []*yaml.RNode, value *yaml.RNode, targetSelectors []*types.TargetSelector) ([]*yaml.RNode, error) { + for _, selector := range targetSelectors { + if selector.Select == nil { + return nil, errors.Errorf("target must specify resources to select") + } + if len(selector.FieldPaths) == 0 { + selector.FieldPaths = []string{types.DefaultReplacementFieldPath} + } + for _, possibleTarget := range nodes { + ids, err := utils.MakeResIds(possibleTarget) + if err != nil { + return nil, err + } + + // filter targets by label and annotation selectors + selectByAnnoAndLabel, err := selectByAnnoAndLabel(possibleTarget, selector) + if err != nil { + return nil, err + } + if !selectByAnnoAndLabel { + continue + } + + // filter targets by matching resource IDs + for _, id := range ids { + if id.IsSelectedBy(selector.Select.ResId) && !containsRejectId(selector.Reject, ids) { + err := copyValueToTarget(possibleTarget, value, selector) + if err != nil { + return nil, err + } + break + } + } + } + } + return nodes, nil +} + +func selectByAnnoAndLabel(n *yaml.RNode, t *types.TargetSelector) (bool, error) { + if matchesSelect, err := matchesAnnoAndLabelSelector(n, t.Select); !matchesSelect || err != nil { + return false, err + } + for _, reject := range t.Reject { + if reject.AnnotationSelector == "" && reject.LabelSelector == "" { + continue + } + if m, err := matchesAnnoAndLabelSelector(n, reject); m || err != nil { + return false, err + } + } + return true, nil +} + +func matchesAnnoAndLabelSelector(n *yaml.RNode, selector *types.Selector) (bool, error) { + r := resource.Resource{RNode: *n} + annoMatch, err := r.MatchesAnnotationSelector(selector.AnnotationSelector) + if err != nil { + return false, err + } + labelMatch, err := r.MatchesLabelSelector(selector.LabelSelector) + if err != nil { + return false, err + } + return annoMatch && labelMatch, nil +} + +func containsRejectId(rejects []*types.Selector, ids []resid.ResId) bool { + for _, r := range rejects { + if r.ResId.IsEmpty() { + continue + } + for _, id := range ids { + if id.IsSelectedBy(r.ResId) { + return true + } + } + } + return false +} + +func copyValueToTarget(target *yaml.RNode, value *yaml.RNode, selector *types.TargetSelector) error { + for _, fp := range selector.FieldPaths { + createKind := yaml.Kind(0) // do not create + if selector.Options != nil && selector.Options.Create { + createKind = value.YNode().Kind + } + targetFieldList, err := target.Pipe(&yaml.PathMatcher{ + Path: kyaml_utils.SmarterPathSplitter(fp, "."), + Create: createKind}) + if err != nil { + return errors.WrapPrefixf(err, fieldRetrievalError(fp, createKind != 0)) //nolint:govet + } + targetFields, err := targetFieldList.Elements() + if err != nil { + return errors.WrapPrefixf(err, fieldRetrievalError(fp, createKind != 0)) //nolint:govet + } + if len(targetFields) == 0 { + return errors.Errorf(fieldRetrievalError(fp, createKind != 0)) //nolint:govet + } + + for _, t := range targetFields { + if err := setFieldValue(selector.Options, t, value); err != nil { + return err + } + } + } + return nil +} + +func fieldRetrievalError(fieldPath string, isCreate bool) string { + if isCreate { + return fmt.Sprintf("unable to find or create field %q in replacement target", fieldPath) + } + return fmt.Sprintf("unable to find field %q in replacement target", fieldPath) +} + +func setFieldValue(options *types.FieldOptions, targetField *yaml.RNode, value *yaml.RNode) error { + value = value.Copy() + if options != nil && options.Delimiter != "" { + if targetField.YNode().Kind != yaml.ScalarNode { + return fmt.Errorf("delimiter option can only be used with scalar nodes") + } + tv := strings.Split(targetField.YNode().Value, options.Delimiter) + v := yaml.GetValue(value) + // TODO: Add a way to remove an element + switch { + case options.Index < 0: // prefix + tv = append([]string{v}, tv...) + case options.Index >= len(tv): // suffix + tv = append(tv, v) + default: // replace an element + tv[options.Index] = v + } + value.YNode().Value = strings.Join(tv, options.Delimiter) + } + + if targetField.YNode().Kind == yaml.ScalarNode { + // For scalar, only copy the value (leave any type intact to auto-convert int->string or string->int) + targetField.YNode().Value = value.YNode().Value + } else { + targetField.SetYNode(value.YNode()) + } + + return nil +} diff --git a/vendor/sigs.k8s.io/kustomize/api/filters/replicacount/doc.go b/vendor/sigs.k8s.io/kustomize/api/filters/replicacount/doc.go new file mode 100644 index 0000000000..a22d13034b --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/filters/replicacount/doc.go @@ -0,0 +1,6 @@ +// Copyright 2020 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +// Package replicacount contains a kio.Filter implementation of the kustomize +// ReplicaCountTransformer. +package replicacount diff --git a/vendor/sigs.k8s.io/kustomize/api/filters/replicacount/replicacount.go b/vendor/sigs.k8s.io/kustomize/api/filters/replicacount/replicacount.go new file mode 100644 index 0000000000..ea5351f9bd --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/filters/replicacount/replicacount.go @@ -0,0 +1,48 @@ +// Copyright 2022 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package replicacount + +import ( + "strconv" + + "sigs.k8s.io/kustomize/api/filters/fieldspec" + "sigs.k8s.io/kustomize/api/filters/filtersutil" + "sigs.k8s.io/kustomize/api/types" + "sigs.k8s.io/kustomize/kyaml/kio" + "sigs.k8s.io/kustomize/kyaml/yaml" +) + +// Filter updates/sets replicas fields using the fieldSpecs +type Filter struct { + Replica types.Replica `json:"replica,omitempty" yaml:"replica,omitempty"` + FieldSpec types.FieldSpec `json:"fieldSpec,omitempty" yaml:"fieldSpec,omitempty"` + + trackableSetter filtersutil.TrackableSetter +} + +var _ kio.Filter = Filter{} +var _ kio.TrackableFilter = &Filter{} + +// WithMutationTracker registers a callback which will be invoked each time a field is mutated +func (rc *Filter) WithMutationTracker(callback func(key, value, tag string, node *yaml.RNode)) { + rc.trackableSetter.WithMutationTracker(callback) +} + +func (rc Filter) Filter(nodes []*yaml.RNode) ([]*yaml.RNode, error) { + return kio.FilterAll(yaml.FilterFunc(rc.run)).Filter(nodes) +} + +func (rc Filter) run(node *yaml.RNode) (*yaml.RNode, error) { + err := node.PipeE(fieldspec.Filter{ + FieldSpec: rc.FieldSpec, + SetValue: rc.set, + CreateKind: yaml.ScalarNode, // replicas is a ScalarNode + CreateTag: yaml.NodeTagInt, + }) + return node, err +} + +func (rc Filter) set(node *yaml.RNode) error { + return rc.trackableSetter.SetEntry("", strconv.FormatInt(rc.Replica.Count, 10), yaml.NodeTagInt)(node) +} diff --git a/vendor/sigs.k8s.io/kustomize/api/filters/suffix/doc.go b/vendor/sigs.k8s.io/kustomize/api/filters/suffix/doc.go new file mode 100644 index 0000000000..18be62dfdb --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/filters/suffix/doc.go @@ -0,0 +1,6 @@ +// Copyright 2021 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +// Package suffix contains a kio.Filter implementation of the kustomize +// SuffixTransformer. +package suffix diff --git a/vendor/sigs.k8s.io/kustomize/api/filters/suffix/suffix.go b/vendor/sigs.k8s.io/kustomize/api/filters/suffix/suffix.go new file mode 100644 index 0000000000..babc257be4 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/filters/suffix/suffix.go @@ -0,0 +1,50 @@ +// Copyright 2021 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package suffix + +import ( + "fmt" + + "sigs.k8s.io/kustomize/api/filters/fieldspec" + "sigs.k8s.io/kustomize/api/filters/filtersutil" + "sigs.k8s.io/kustomize/api/types" + "sigs.k8s.io/kustomize/kyaml/kio" + "sigs.k8s.io/kustomize/kyaml/yaml" +) + +// Filter applies resource name suffix's using the fieldSpecs +type Filter struct { + Suffix string `json:"suffix,omitempty" yaml:"suffix,omitempty"` + + FieldSpec types.FieldSpec `json:"fieldSpec,omitempty" yaml:"fieldSpec,omitempty"` + + trackableSetter filtersutil.TrackableSetter +} + +var _ kio.Filter = Filter{} +var _ kio.TrackableFilter = &Filter{} + +// WithMutationTracker registers a callback which will be invoked each time a field is mutated +func (f *Filter) WithMutationTracker(callback func(key, value, tag string, node *yaml.RNode)) { + f.trackableSetter.WithMutationTracker(callback) +} + +func (f Filter) Filter(nodes []*yaml.RNode) ([]*yaml.RNode, error) { + return kio.FilterAll(yaml.FilterFunc(f.run)).Filter(nodes) +} + +func (f Filter) run(node *yaml.RNode) (*yaml.RNode, error) { + err := node.PipeE(fieldspec.Filter{ + FieldSpec: f.FieldSpec, + SetValue: f.evaluateField, + CreateKind: yaml.ScalarNode, // Name is a ScalarNode + CreateTag: yaml.NodeTagString, + }) + return node, err +} + +func (f Filter) evaluateField(node *yaml.RNode) error { + return f.trackableSetter.SetScalar(fmt.Sprintf( + "%s%s", node.YNode().Value, f.Suffix))(node) +} diff --git a/vendor/sigs.k8s.io/kustomize/api/filters/valueadd/valueadd.go b/vendor/sigs.k8s.io/kustomize/api/filters/valueadd/valueadd.go new file mode 100644 index 0000000000..f8e6b2f826 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/filters/valueadd/valueadd.go @@ -0,0 +1,134 @@ +// Copyright 2020 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package valueadd + +import ( + "strings" + + "sigs.k8s.io/kustomize/kyaml/filesys" + "sigs.k8s.io/kustomize/kyaml/kio" + "sigs.k8s.io/kustomize/kyaml/yaml" +) + +// An 'Add' operation aspiring to IETF RFC 6902 JSON. +// +// The filter tries to add a value to a node at a particular field path. +// +// Kinds of target fields: +// +// - Non-existent target field. +// +// The field will be added and the value inserted. +// +// - Existing field, scalar or map. +// +// E.g. 'spec/template/spec/containers/[name:nginx]/image' +// +// This behaves like an IETF RFC 6902 Replace operation would; +// the existing value is replaced without complaint, even though +// this is an Add operation. In contrast, a Replace operation +// must fail (report an error) if the field doesn't exist. +// +// - Existing field, list (array) +// Not supported yet. +// TODO: Honor fields with RFC-6902-style array indices +// TODO: like 'spec/template/spec/containers/2' +// TODO: Modify kyaml/yaml/PathGetter to allow this. +// The value will be inserted into the array at the given position, +// shifting other contents. To instead replace an array entry, use +// an implementation of an IETF RFC 6902 Replace operation. +// +// For the common case of a filepath in the field value, and a desire +// to add the value to the filepath (rather than replace the filepath), +// use a non-zero value of FilePathPosition (see below). +type Filter struct { + // Value is the value to add. + // + // Empty values are disallowed, i.e. this filter isn't intended + // for use in erasing or removing fields. For that, use a filter + // more aligned with the IETF RFC 6902 JSON Remove operation. + // + // At the time of writing, Value's value should be a simple string, + // not a JSON document. This particular filter focuses on easing + // injection of a single-sourced cloud project and/or cluster name + // into various fields, especially namespace and various filepath + // specifications. + Value string + + // FieldPath is a JSON-style path to the field intended to hold the value. + FieldPath string + + // FilePathPosition is a filepath field index. + // + // Call the value of this field _i_. + // + // If _i_ is zero, negative or unspecified, this field has no effect. + // + // If _i_ is > 0, then it's assumed that + // - 'Value' is a string that can work as a directory or file name, + // - the field value intended for replacement holds a filepath. + // + // The filepath is split into a string slice, the value is inserted + // at position [i-1], shifting the rest of the path to the right. + // A value of i==1 puts the new value at the start of the path. + // This change never converts an absolute path to a relative path, + // meaning adding a new field at position i==1 will preserve a + // leading slash. E.g. if Value == 'PEACH' + // + // OLD : NEW : FilePathPosition + // -------------------------------------------------------- + // {empty} : PEACH : irrelevant + // / : /PEACH : irrelevant + // pie : PEACH/pie : 1 (or less to prefix) + // /pie : /PEACH/pie : 1 (or less to prefix) + // raw : raw/PEACH : 2 (or more to postfix) + // /raw : /raw/PEACH : 2 (or more to postfix) + // a/nice/warm/pie : a/nice/warm/PEACH/pie : 4 + // /a/nice/warm/pie : /a/nice/warm/PEACH/pie : 4 + // + // For robustness (liberal input, conservative output) FilePathPosition + // values that that are too large to index the split filepath result in a + // postfix rather than an error. So use 1 to prefix, 9999 to postfix. + FilePathPosition int `json:"filePathPosition,omitempty" yaml:"filePathPosition,omitempty"` +} + +var _ kio.Filter = Filter{} + +func (f Filter) Filter(nodes []*yaml.RNode) ([]*yaml.RNode, error) { + _, err := kio.FilterAll(yaml.FilterFunc( + func(node *yaml.RNode) (*yaml.RNode, error) { + var fields []string + // if there is forward slash '/' in the field name, a back slash '\' + // will be used to escape it. + for _, f := range strings.Split(f.FieldPath, "/") { + if len(fields) > 0 && strings.HasSuffix(fields[len(fields)-1], "\\") { + concatField := strings.TrimSuffix(fields[len(fields)-1], "\\") + "/" + f + fields = append(fields[:len(fields)-1], concatField) + } else { + fields = append(fields, f) + } + } + // TODO: support SequenceNode. + // Presumably here one could look for array indices (digits) at + // the end of the field path (as described in IETF RFC 6902 JSON), + // and if found, take it as a signal that this should be a + // SequenceNode instead of a ScalarNode, and insert the value + // into the proper slot, shifting every over. + n, err := node.Pipe(yaml.LookupCreate(yaml.ScalarNode, fields...)) + if err != nil { + return node, err + } + // TODO: allow more kinds + if err := yaml.ErrorIfInvalid(n, yaml.ScalarNode); err != nil { + return nil, err + } + newValue := f.Value + if f.FilePathPosition > 0 { + newValue = filesys.InsertPathPart( + n.YNode().Value, f.FilePathPosition-1, newValue) + } + return n.Pipe(yaml.FieldSetter{StringValue: newValue}) + })).Filter(nodes) + return nodes, err +} diff --git a/vendor/sigs.k8s.io/kustomize/api/hasher/hasher.go b/vendor/sigs.k8s.io/kustomize/api/hasher/hasher.go new file mode 100644 index 0000000000..aef436d919 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/hasher/hasher.go @@ -0,0 +1,155 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package hasher + +import ( + "crypto/sha256" + "encoding/json" + "fmt" + "sort" + + "sigs.k8s.io/kustomize/kyaml/yaml" +) + +// SortArrayAndComputeHash sorts a string array and +// returns a hash for it +func SortArrayAndComputeHash(s []string) (string, error) { + sort.Strings(s) + data, err := json.Marshal(s) + if err != nil { + return "", err + } + return encode(hex256(string(data))) +} + +// Copied from https://github.com/kubernetes/kubernetes +// /blob/master/pkg/kubectl/util/hash/hash.go +func encode(hex string) (string, error) { + if len(hex) < 10 { + return "", fmt.Errorf( + "input length must be at least 10") + } + enc := []rune(hex[:10]) + for i := range enc { + switch enc[i] { + case '0': + enc[i] = 'g' + case '1': + enc[i] = 'h' + case '3': + enc[i] = 'k' + case 'a': + enc[i] = 'm' + case 'e': + enc[i] = 't' + } + } + return string(enc), nil +} + +// hex256 returns the hex form of the sha256 of the argument. +func hex256(data string) string { + return fmt.Sprintf("%x", sha256.Sum256([]byte(data))) +} + +// Hasher computes the hash of an RNode. +type Hasher struct{} + +// Hash returns a hash of the argument. +func (h *Hasher) Hash(node *yaml.RNode) (r string, err error) { + var encoded string + switch node.GetKind() { + case "ConfigMap": + encoded, err = encodeConfigMap(node) + case "Secret": + encoded, err = encodeSecret(node) + default: + var encodedBytes []byte + encodedBytes, err = json.Marshal(node.YNode()) + encoded = string(encodedBytes) + } + if err != nil { + return "", err + } + return encode(hex256(encoded)) +} + +func getNodeValues( + node *yaml.RNode, paths []string) (map[string]interface{}, error) { + values := make(map[string]interface{}) + for _, p := range paths { + vn, err := node.Pipe(yaml.Lookup(p)) + if err != nil { + return map[string]interface{}{}, err + } + if vn == nil { + values[p] = "" + continue + } + if vn.YNode().Kind != yaml.ScalarNode { + vs, err := vn.MarshalJSON() + if err != nil { + return map[string]interface{}{}, err + } + // data, binaryData and stringData are all maps + var v map[string]interface{} + json.Unmarshal(vs, &v) + values[p] = v + } else { + values[p] = vn.YNode().Value + } + } + return values, nil +} + +// encodeConfigMap encodes a ConfigMap. +// Data, Kind, and Name are taken into account. +// BinaryData is included if it's not empty to avoid useless key in output. +func encodeConfigMap(node *yaml.RNode) (string, error) { + // get fields + paths := []string{"metadata/name", "data", "binaryData"} + values, err := getNodeValues(node, paths) + if err != nil { + return "", err + } + m := map[string]interface{}{ + "kind": "ConfigMap", + "name": values["metadata/name"], + "data": values["data"], + } + if _, ok := values["binaryData"].(map[string]interface{}); ok { + m["binaryData"] = values["binaryData"] + } + + // json.Marshal sorts the keys in a stable order in the encoding + data, err := json.Marshal(m) + if err != nil { + return "", err + } + return string(data), nil +} + +// encodeSecret encodes a Secret. +// Data, Kind, Name, and Type are taken into account. +// StringData is included if it's not empty to avoid useless key in output. +func encodeSecret(node *yaml.RNode) (string, error) { + // get fields + paths := []string{"type", "metadata/name", "data", "stringData"} + values, err := getNodeValues(node, paths) + if err != nil { + return "", err + } + m := map[string]interface{}{"kind": "Secret", "type": values["type"], + "name": values["metadata/name"], "data": values["data"]} + if _, ok := values["stringData"].(map[string]interface{}); ok { + m["stringData"] = values["stringData"] + } + + // json.Marshal sorts the keys in a stable order in the encoding + data, err := json.Marshal(m) + if err != nil { + return "", err + } + return string(data), nil +} diff --git a/vendor/sigs.k8s.io/kustomize/api/ifc/ifc.go b/vendor/sigs.k8s.io/kustomize/api/ifc/ifc.go new file mode 100644 index 0000000000..4cd62dd596 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/ifc/ifc.go @@ -0,0 +1,56 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +// Package ifc holds miscellaneous interfaces used by kustomize. +package ifc + +import ( + "sigs.k8s.io/kustomize/api/types" + "sigs.k8s.io/kustomize/kyaml/yaml" +) + +// Validator provides functions to validate annotations and labels +type Validator interface { + MakeAnnotationValidator() func(map[string]string) error + MakeAnnotationNameValidator() func([]string) error + MakeLabelValidator() func(map[string]string) error + MakeLabelNameValidator() func([]string) error + ValidateNamespace(string) []string + ErrIfInvalidKey(string) error + IsEnvVarName(k string) error +} + +// KvLoader reads and validates KV pairs. +type KvLoader interface { + Validator() Validator + Load(args types.KvPairSources) (all []types.Pair, err error) +} + +// Loader interface exposes methods to read bytes. +type Loader interface { + + // Repo returns the repo location if this Loader was created from a url + // or the empty string otherwise. + Repo() string + + // Root returns the root location for this Loader. + Root() string + + // New returns Loader located at newRoot. + New(newRoot string) (Loader, error) + + // Load returns the bytes read from the location or an error. + Load(location string) ([]byte, error) + + // Cleanup cleans the loader + Cleanup() error +} + +// KustHasher returns a hash of the argument +// or an error. +type KustHasher interface { + Hash(*yaml.RNode) (string, error) +} + +// See core.v1.SecretTypeOpaque +const SecretTypeOpaque = "Opaque" diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/accumulator/loadconfigfromcrds.go b/vendor/sigs.k8s.io/kustomize/api/internal/accumulator/loadconfigfromcrds.go new file mode 100644 index 0000000000..f60c517b76 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/internal/accumulator/loadconfigfromcrds.go @@ -0,0 +1,198 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package accumulator + +import ( + "encoding/json" + "strings" + + "k8s.io/kube-openapi/pkg/validation/spec" + "sigs.k8s.io/kustomize/api/ifc" + "sigs.k8s.io/kustomize/api/internal/plugins/builtinconfig" + "sigs.k8s.io/kustomize/api/types" + "sigs.k8s.io/kustomize/kyaml/errors" + "sigs.k8s.io/kustomize/kyaml/filesys" + "sigs.k8s.io/kustomize/kyaml/resid" + "sigs.k8s.io/yaml" +) + +// OpenAPIDefinition describes single type. +// Normally these definitions are auto-generated using gen-openapi. +// Same as in k8s.io / kube-openapi / pkg / common. +type OpenAPIDefinition struct { + Schema spec.Schema + Dependencies []string +} + +type myProperties = map[string]spec.Schema +type nameToApiMap map[string]OpenAPIDefinition + +// LoadConfigFromCRDs parse CRD schemas from paths into a TransformerConfig +func LoadConfigFromCRDs( + ldr ifc.Loader, paths []string) (*builtinconfig.TransformerConfig, error) { + tc := builtinconfig.MakeEmptyConfig() + for _, path := range paths { + content, err := ldr.Load(path) + if err != nil { + return nil, err + } + m, err := makeNameToApiMap(content) + if err != nil { + return nil, errors.WrapPrefixf(err, "unable to parse open API definition from '%s'", path) + } + otherTc, err := makeConfigFromApiMap(m) + if err != nil { + return nil, err + } + tc, err = tc.Merge(otherTc) + if err != nil { + return nil, err + } + } + return tc, nil +} + +func makeNameToApiMap(content []byte) (result nameToApiMap, err error) { + if content[0] == '{' { + err = json.Unmarshal(content, &result) + } else { + err = yaml.Unmarshal(content, &result) + } + return +} + +func makeConfigFromApiMap(m nameToApiMap) (*builtinconfig.TransformerConfig, error) { + result := builtinconfig.MakeEmptyConfig() + for name, api := range m { + if !looksLikeAk8sType(api.Schema.SchemaProps.Properties) { + continue + } + tc := builtinconfig.MakeEmptyConfig() + err := loadCrdIntoConfig( + tc, makeGvkFromTypeName(name), m, name, []string{}) + if err != nil { + return result, err + } + result, err = result.Merge(tc) + if err != nil { + return result, err + } + } + return result, nil +} + +// TODO: Get Group and Version for CRD from the +// openAPI definition once +// "x-kubernetes-group-version-kind" is available in CRD +func makeGvkFromTypeName(n string) resid.Gvk { + names := strings.Split(n, filesys.SelfDir) + kind := names[len(names)-1] + return resid.Gvk{Kind: kind} +} + +func looksLikeAk8sType(properties myProperties) bool { + _, ok := properties["kind"] + if !ok { + return false + } + _, ok = properties["apiVersion"] + if !ok { + return false + } + _, ok = properties["metadata"] + return ok +} + +const ( + // "x-kubernetes-annotation": "" + xAnnotation = "x-kubernetes-annotation" + + // "x-kubernetes-label-selector": "" + xLabelSelector = "x-kubernetes-label-selector" + + // "x-kubernetes-identity": "" + xIdentity = "x-kubernetes-identity" + + // "x-kubernetes-object-ref-api-version": + xVersion = "x-kubernetes-object-ref-api-version" + + // "x-kubernetes-object-ref-kind": + xKind = "x-kubernetes-object-ref-kind" + + // "x-kubernetes-object-ref-name-key": "name" + // default is "name" + xNameKey = "x-kubernetes-object-ref-name-key" +) + +// loadCrdIntoConfig loads a CRD spec into a TransformerConfig +func loadCrdIntoConfig( + theConfig *builtinconfig.TransformerConfig, theGvk resid.Gvk, theMap nameToApiMap, + typeName string, path []string) (err error) { + api, ok := theMap[typeName] + if !ok { + return nil + } + for propName, property := range api.Schema.SchemaProps.Properties { + _, annotate := property.Extensions.GetString(xAnnotation) + if annotate { + err = theConfig.AddAnnotationFieldSpec( + makeFs(theGvk, append(path, propName))) + if err != nil { + return + } + } + _, label := property.Extensions.GetString(xLabelSelector) + if label { + err = theConfig.AddCommonLabelsFieldSpec( + makeFs(theGvk, append(path, propName))) + if err != nil { + return + } + } + _, identity := property.Extensions.GetString(xIdentity) + if identity { + err = theConfig.AddPrefixFieldSpec( + makeFs(theGvk, append(path, propName))) + if err != nil { + return + } + } + version, ok := property.Extensions.GetString(xVersion) + if ok { + kind, ok := property.Extensions.GetString(xKind) + if ok { + nameKey, ok := property.Extensions.GetString(xNameKey) + if !ok { + nameKey = "name" + } + err = theConfig.AddNamereferenceFieldSpec( + builtinconfig.NameBackReferences{ + Gvk: resid.Gvk{Kind: kind, Version: version}, + Referrers: []types.FieldSpec{ + makeFs(theGvk, append(path, propName, nameKey))}, + }) + if err != nil { + return + } + } + } + if property.Ref.GetURL() != nil { + err = loadCrdIntoConfig( + theConfig, theGvk, theMap, + property.Ref.String(), append(path, propName)) + if err != nil { + return + } + } + } + return nil +} + +func makeFs(in resid.Gvk, path []string) types.FieldSpec { + return types.FieldSpec{ + CreateIfNotPresent: false, + Gvk: in, + Path: strings.Join(path, "/"), + } +} diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/accumulator/namereferencetransformer.go b/vendor/sigs.k8s.io/kustomize/api/internal/accumulator/namereferencetransformer.go new file mode 100644 index 0000000000..f8f12b4f2b --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/internal/accumulator/namereferencetransformer.go @@ -0,0 +1,164 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package accumulator + +import ( + "fmt" + "log" + + "sigs.k8s.io/kustomize/api/filters/nameref" + "sigs.k8s.io/kustomize/api/internal/plugins/builtinconfig" + "sigs.k8s.io/kustomize/api/resmap" + "sigs.k8s.io/kustomize/api/resource" + "sigs.k8s.io/kustomize/kyaml/resid" +) + +type nameReferenceTransformer struct { + backRefs []builtinconfig.NameBackReferences +} + +const doDebug = false + +var _ resmap.Transformer = &nameReferenceTransformer{} + +type filterMap map[*resource.Resource][]nameref.Filter + +// newNameReferenceTransformer constructs a nameReferenceTransformer +// with a given slice of NameBackReferences. +func newNameReferenceTransformer( + br []builtinconfig.NameBackReferences) resmap.Transformer { + if br == nil { + log.Fatal("backrefs not expected to be nil") + } + return &nameReferenceTransformer{backRefs: br} +} + +// Transform updates name references in resource A that +// refer to resource B, given that B's name may have +// changed. +// +// For example, a HorizontalPodAutoscaler (HPA) +// necessarily refers to a Deployment, the thing that +// an HPA scales. In this case: +// +// - the HPA instance is the Referrer, +// - the Deployment instance is the ReferralTarget. +// +// If the Deployment's name changes, e.g. a prefix is added, +// then the HPA's reference to the Deployment must be fixed. +// +func (t *nameReferenceTransformer) Transform(m resmap.ResMap) error { + fMap := t.determineFilters(m.Resources()) + debug(fMap) + for r, fList := range fMap { + c, err := m.SubsetThatCouldBeReferencedByResource(r) + if err != nil { + return err + } + for _, f := range fList { + f.Referrer = r + f.ReferralCandidates = c + if err := f.Referrer.ApplyFilter(f); err != nil { + return err + } + } + } + return nil +} + +func debug(fMap filterMap) { + if !doDebug { + return + } + fmt.Printf("filterMap has %d entries:\n", len(fMap)) + rCount := 0 + for r, fList := range fMap { + yml, _ := r.AsYAML() + rCount++ + fmt.Printf(` +---- %3d. possible referrer ------------- +%s +---------`, rCount, string(yml), + ) + for i, f := range fList { + fmt.Printf(` +%3d/%3d update: %s + from: %s +`, rCount, i+1, f.NameFieldToUpdate.Path, f.ReferralTarget, + ) + } + } +} + +// Produce a map from referrer resources that might need to be fixed +// to filters that might fix them. The keys to this map are potential +// referrers, so won't include resources like ConfigMap or Secret. +// +// In the inner loop over the resources below, say we +// encounter an HPA instance. Then, in scanning the set +// of all known backrefs, we encounter an entry like +// +// - kind: Deployment +// fieldSpecs: +// - kind: HorizontalPodAutoscaler +// path: spec/scaleTargetRef/name +// +// This entry says that an HPA, via its +// 'spec/scaleTargetRef/name' field, may refer to a +// Deployment. +// +// This means that a filter will need to hunt for the right Deployment, +// obtain it's new name, and write that name into the HPA's +// 'spec/scaleTargetRef/name' field. Return a filter that can do that. +func (t *nameReferenceTransformer) determineFilters( + resources []*resource.Resource) (fMap filterMap) { + // We cache the resource OrgId values because they don't change and otherwise are very visible in a memory pprof + resourceOrgIds := make([]resid.ResId, len(resources)) + for i, resource := range resources { + resourceOrgIds[i] = resource.OrgId() + } + + fMap = make(filterMap) + for _, backReference := range t.backRefs { + for _, referrerSpec := range backReference.Referrers { + for i, res := range resources { + if resourceOrgIds[i].IsSelected(&referrerSpec.Gvk) { + // If this is true, the res might be a referrer, and if + // so, the name reference it holds might need an update. + if resHasField(res, referrerSpec.Path) { + // Optimization - the referrer has the field + // that might need updating. + fMap[res] = append(fMap[res], nameref.Filter{ + // Name field to write in the Referrer. + // If the path specified here isn't found in + // the Referrer, nothing happens (no error, + // no field creation). + NameFieldToUpdate: referrerSpec, + // Specification of object class to read from. + // Always read from metadata/name field. + ReferralTarget: backReference.Gvk, + }) + } + } + } + } + } + return fMap +} + +// TODO: check res for field existence here to avoid extra work. +// res.GetFieldValue, which uses yaml.Lookup under the hood, doesn't know +// how to parse fieldspec-style paths that make no distinction +// between maps and sequences. This means it cannot lookup commonly +// used "indeterminate" paths like +// spec/containers/env/valueFrom/configMapKeyRef/name +// ('containers' is a list, not a map). +// However, the fieldspec filter does know how to handle this; +// extract that code and call it here? +func resHasField(res *resource.Resource, path string) bool { + return true + // fld := strings.Join(utils.PathSplitter(path), ".") + // _, e := res.GetFieldValue(fld) + // return e == nil +} diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/accumulator/refvartransformer.go b/vendor/sigs.k8s.io/kustomize/api/internal/accumulator/refvartransformer.go new file mode 100644 index 0000000000..a02edc4fb3 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/internal/accumulator/refvartransformer.go @@ -0,0 +1,57 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package accumulator + +import ( + "sigs.k8s.io/kustomize/api/filters/refvar" + "sigs.k8s.io/kustomize/api/resmap" + "sigs.k8s.io/kustomize/api/types" +) + +type refVarTransformer struct { + varMap map[string]interface{} + replacementCounts map[string]int + fieldSpecs []types.FieldSpec +} + +// newRefVarTransformer returns a new refVarTransformer +// that replaces $(VAR) style variables with values. +// The fieldSpecs are the places to look for occurrences of $(VAR). +func newRefVarTransformer( + varMap map[string]interface{}, fs []types.FieldSpec) *refVarTransformer { + return &refVarTransformer{ + varMap: varMap, + fieldSpecs: fs, + } +} + +// UnusedVars returns slice of Var names that were unused +// after a Transform run. +func (rv *refVarTransformer) UnusedVars() []string { + var unused []string + for k := range rv.varMap { + if _, ok := rv.replacementCounts[k]; !ok { + unused = append(unused, k) + } + } + return unused +} + +// Transform replaces $(VAR) style variables with values. +func (rv *refVarTransformer) Transform(m resmap.ResMap) error { + rv.replacementCounts = make(map[string]int) + mf := refvar.MakePrimitiveReplacer(rv.replacementCounts, rv.varMap) + for _, res := range m.Resources() { + for _, fieldSpec := range rv.fieldSpecs { + err := res.ApplyFilter(refvar.Filter{ + MappingFunc: mf, + FieldSpec: fieldSpec, + }) + if err != nil { + return err + } + } + } + return nil +} diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/accumulator/resaccumulator.go b/vendor/sigs.k8s.io/kustomize/api/internal/accumulator/resaccumulator.go new file mode 100644 index 0000000000..d3a894123f --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/internal/accumulator/resaccumulator.go @@ -0,0 +1,190 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package accumulator + +import ( + "fmt" + "log" + "strings" + + "sigs.k8s.io/kustomize/api/internal/plugins/builtinconfig" + "sigs.k8s.io/kustomize/api/resmap" + "sigs.k8s.io/kustomize/api/types" + "sigs.k8s.io/kustomize/kyaml/resid" +) + +// ResAccumulator accumulates resources and the rules +// used to customize those resources. It's a ResMap +// plus stuff needed to modify the ResMap. +type ResAccumulator struct { + resMap resmap.ResMap + tConfig *builtinconfig.TransformerConfig + varSet types.VarSet +} + +func MakeEmptyAccumulator() *ResAccumulator { + ra := &ResAccumulator{} + ra.resMap = resmap.New() + ra.tConfig = &builtinconfig.TransformerConfig{} + ra.varSet = types.NewVarSet() + return ra +} + +// ResMap returns a copy of the internal resMap. +func (ra *ResAccumulator) ResMap() resmap.ResMap { + return ra.resMap.ShallowCopy() +} + +// Vars returns a copy of underlying vars. +func (ra *ResAccumulator) Vars() []types.Var { + return ra.varSet.AsSlice() +} + +func (ra *ResAccumulator) AppendAll(resources resmap.ResMap) error { + return ra.resMap.AppendAll(resources) +} + +func (ra *ResAccumulator) AbsorbAll(resources resmap.ResMap) error { + return ra.resMap.AbsorbAll(resources) +} + +func (ra *ResAccumulator) MergeConfig( + tConfig *builtinconfig.TransformerConfig) (err error) { + ra.tConfig, err = ra.tConfig.Merge(tConfig) + return err +} + +func (ra *ResAccumulator) GetTransformerConfig() *builtinconfig.TransformerConfig { + return ra.tConfig +} + +// MergeVars accumulates vars into ResAccumulator. +// A Var is a tuple of name, object reference and field reference. +// This func takes a list of vars from the current kustomization file and +// annotates the accumulated resources with the names of the vars that match +// those resources. E.g. if there's a var named "sam" that wants to get +// its data from a ConfigMap named "james", and the resource list contains a +// ConfigMap named "james", then that ConfigMap will be annotated with the +// var name "sam". Later this annotation is used to find the data for "sam" +// by digging into a particular fieldpath of "james". +func (ra *ResAccumulator) MergeVars(incoming []types.Var) error { + for _, v := range incoming { + targetId := resid.NewResIdWithNamespace(v.ObjRef.GVK(), v.ObjRef.Name, v.ObjRef.Namespace) + idMatcher := targetId.GvknEquals + if targetId.Namespace != "" || targetId.IsClusterScoped() { + // Preserve backward compatibility. An empty namespace means + // wildcard search on the namespace hence we still use GvknEquals + idMatcher = targetId.Equals + } + matched := ra.resMap.GetMatchingResourcesByAnyId(idMatcher) + if len(matched) > 1 { + return fmt.Errorf( + "found %d resId matches for var %s "+ + "(unable to disambiguate)", + len(matched), v) + } + if len(matched) == 1 { + matched[0].AppendRefVarName(v) + } + } + return ra.varSet.MergeSlice(incoming) +} + +func (ra *ResAccumulator) MergeAccumulator(other *ResAccumulator) (err error) { + err = ra.AppendAll(other.resMap) + if err != nil { + return err + } + err = ra.MergeConfig(other.tConfig) + if err != nil { + return err + } + return ra.varSet.MergeSet(other.varSet) +} + +func (ra *ResAccumulator) findVarValueFromResources(v types.Var) (interface{}, error) { + for _, res := range ra.resMap.Resources() { + for _, varName := range res.GetRefVarNames() { + if varName == v.Name { + s, err := res.GetFieldValue(v.FieldRef.FieldPath) + if err != nil { + return "", fmt.Errorf( + "field specified in var '%v' "+ + "not found in corresponding resource", v) + } + return s, nil + } + } + } + return "", fmt.Errorf( + "var '%v' cannot be mapped to a field "+ + "in the set of known resources", v) +} + +// makeVarReplacementMap returns a map of Var names to +// their final values. The values are strings intended +// for substitution wherever the $(var.Name) occurs. +func (ra *ResAccumulator) makeVarReplacementMap() (map[string]interface{}, error) { + result := map[string]interface{}{} + for _, v := range ra.Vars() { + s, err := ra.findVarValueFromResources(v) + if err != nil { + return nil, err + } + result[v.Name] = s + } + return result, nil +} + +func (ra *ResAccumulator) Transform(t resmap.Transformer) error { + return t.Transform(ra.resMap) +} + +func (ra *ResAccumulator) ResolveVars() error { + replacementMap, err := ra.makeVarReplacementMap() + if err != nil { + return err + } + if len(replacementMap) == 0 { + return nil + } + t := newRefVarTransformer( + replacementMap, ra.tConfig.VarReference) + err = ra.Transform(t) + if len(t.UnusedVars()) > 0 { + log.Printf( + "well-defined vars that were never replaced: %s\n", + strings.Join(t.UnusedVars(), ",")) + } + return err +} + +func (ra *ResAccumulator) FixBackReferences() (err error) { + if ra.tConfig.NameReference == nil { + return nil + } + return ra.Transform( + newNameReferenceTransformer(ra.tConfig.NameReference)) +} + +// Intersection drops the resources which "other" does not have. +func (ra *ResAccumulator) Intersection(other resmap.ResMap) error { + otherIds := other.AllIds() //nolint:revive + for _, curId := range ra.resMap.AllIds() { + toDelete := true + for _, otherId := range otherIds { + if otherId == curId { + toDelete = false + break + } + } + if toDelete { + err := ra.resMap.Remove(curId) + if err != nil { + return err + } + } + } + return nil +} diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/builtins/AnnotationsTransformer.go b/vendor/sigs.k8s.io/kustomize/api/internal/builtins/AnnotationsTransformer.go new file mode 100644 index 0000000000..0910c472b8 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/internal/builtins/AnnotationsTransformer.go @@ -0,0 +1,38 @@ +// Code generated by pluginator on AnnotationsTransformer; DO NOT EDIT. +// pluginator {(devel) unknown } + +package builtins + +import ( + "sigs.k8s.io/kustomize/api/filters/annotations" + "sigs.k8s.io/kustomize/api/resmap" + "sigs.k8s.io/kustomize/api/types" + "sigs.k8s.io/yaml" +) + +// Add the given annotations to the given field specifications. +type AnnotationsTransformerPlugin struct { + Annotations map[string]string `json:"annotations,omitempty" yaml:"annotations,omitempty"` + FieldSpecs []types.FieldSpec `json:"fieldSpecs,omitempty" yaml:"fieldSpecs,omitempty"` +} + +func (p *AnnotationsTransformerPlugin) Config( + _ *resmap.PluginHelpers, c []byte) (err error) { + p.Annotations = nil + p.FieldSpecs = nil + return yaml.Unmarshal(c, p) +} + +func (p *AnnotationsTransformerPlugin) Transform(m resmap.ResMap) error { + if len(p.Annotations) == 0 { + return nil + } + return m.ApplyFilter(annotations.Filter{ + Annotations: p.Annotations, + FsSlice: p.FieldSpecs, + }) +} + +func NewAnnotationsTransformerPlugin() resmap.TransformerPlugin { + return &AnnotationsTransformerPlugin{} +} diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/builtins/ConfigMapGenerator.go b/vendor/sigs.k8s.io/kustomize/api/internal/builtins/ConfigMapGenerator.go new file mode 100644 index 0000000000..dc18bce858 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/internal/builtins/ConfigMapGenerator.go @@ -0,0 +1,39 @@ +// Code generated by pluginator on ConfigMapGenerator; DO NOT EDIT. +// pluginator {(devel) unknown } + +package builtins + +import ( + "sigs.k8s.io/kustomize/api/kv" + "sigs.k8s.io/kustomize/api/resmap" + "sigs.k8s.io/kustomize/api/types" + "sigs.k8s.io/yaml" +) + +type ConfigMapGeneratorPlugin struct { + h *resmap.PluginHelpers + types.ObjectMeta `json:"metadata,omitempty" yaml:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` + types.ConfigMapArgs +} + +func (p *ConfigMapGeneratorPlugin) Config(h *resmap.PluginHelpers, config []byte) (err error) { + p.ConfigMapArgs = types.ConfigMapArgs{} + err = yaml.Unmarshal(config, p) + if p.ConfigMapArgs.Name == "" { + p.ConfigMapArgs.Name = p.Name + } + if p.ConfigMapArgs.Namespace == "" { + p.ConfigMapArgs.Namespace = p.Namespace + } + p.h = h + return +} + +func (p *ConfigMapGeneratorPlugin) Generate() (resmap.ResMap, error) { + return p.h.ResmapFactory().FromConfigMapArgs( + kv.NewLoader(p.h.Loader(), p.h.Validator()), p.ConfigMapArgs) +} + +func NewConfigMapGeneratorPlugin() resmap.GeneratorPlugin { + return &ConfigMapGeneratorPlugin{} +} diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/builtins/HashTransformer.go b/vendor/sigs.k8s.io/kustomize/api/internal/builtins/HashTransformer.go new file mode 100644 index 0000000000..ec23312651 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/internal/builtins/HashTransformer.go @@ -0,0 +1,40 @@ +// Code generated by pluginator on HashTransformer; DO NOT EDIT. +// pluginator {(devel) unknown } + +package builtins + +import ( + "fmt" + + "sigs.k8s.io/kustomize/api/ifc" + "sigs.k8s.io/kustomize/api/resmap" +) + +type HashTransformerPlugin struct { + hasher ifc.KustHasher +} + +func (p *HashTransformerPlugin) Config( + h *resmap.PluginHelpers, _ []byte) (err error) { + p.hasher = h.ResmapFactory().RF().Hasher() + return nil +} + +// Transform appends hash to generated resources. +func (p *HashTransformerPlugin) Transform(m resmap.ResMap) error { + for _, res := range m.Resources() { + if res.NeedHashSuffix() { + h, err := res.Hash(p.hasher) + if err != nil { + return err + } + res.StorePreviousId() + res.SetName(fmt.Sprintf("%s-%s", res.GetName(), h)) + } + } + return nil +} + +func NewHashTransformerPlugin() resmap.TransformerPlugin { + return &HashTransformerPlugin{} +} diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/builtins/HelmChartInflationGenerator.go b/vendor/sigs.k8s.io/kustomize/api/internal/builtins/HelmChartInflationGenerator.go new file mode 100644 index 0000000000..86017301ef --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/internal/builtins/HelmChartInflationGenerator.go @@ -0,0 +1,380 @@ +// Code generated by pluginator on HelmChartInflationGenerator; DO NOT EDIT. +// pluginator {(devel) unknown } + +package builtins + +import ( + "bytes" + "fmt" + "os" + "os/exec" + "path/filepath" + "regexp" + "slices" + "strings" + + "sigs.k8s.io/kustomize/api/resmap" + "sigs.k8s.io/kustomize/api/types" + "sigs.k8s.io/kustomize/kyaml/errors" + "sigs.k8s.io/kustomize/kyaml/kio" + kyaml "sigs.k8s.io/kustomize/kyaml/yaml" + "sigs.k8s.io/kustomize/kyaml/yaml/merge2" + "sigs.k8s.io/yaml" +) + +// Generate resources from a remote or local helm chart. +type HelmChartInflationGeneratorPlugin struct { + h *resmap.PluginHelpers + types.HelmGlobals + types.HelmChart + tmpDir string +} + +const ( + valuesMergeOptionMerge = "merge" + valuesMergeOptionOverride = "override" + valuesMergeOptionReplace = "replace" +) + +var legalMergeOptions = []string{ + valuesMergeOptionMerge, + valuesMergeOptionOverride, + valuesMergeOptionReplace, +} + +// Config uses the input plugin configurations `config` to setup the generator +// options +func (p *HelmChartInflationGeneratorPlugin) Config( + h *resmap.PluginHelpers, config []byte) (err error) { + if h.GeneralConfig() == nil { + return fmt.Errorf("unable to access general config") + } + if !h.GeneralConfig().HelmConfig.Enabled { + return fmt.Errorf("must specify --enable-helm") + } + if h.GeneralConfig().HelmConfig.Command == "" { + return fmt.Errorf("must specify --helm-command") + } + + // CLI args takes precedence + if h.GeneralConfig().HelmConfig.KubeVersion != "" { + p.HelmChart.KubeVersion = h.GeneralConfig().HelmConfig.KubeVersion + } + if len(h.GeneralConfig().HelmConfig.ApiVersions) != 0 { + p.HelmChart.ApiVersions = h.GeneralConfig().HelmConfig.ApiVersions + } + if h.GeneralConfig().HelmConfig.Debug { + p.HelmChart.Debug = h.GeneralConfig().HelmConfig.Debug + } + + p.h = h + if err = yaml.Unmarshal(config, p); err != nil { + return + } + return p.validateArgs() +} + +// This uses the real file system since tmpDir may be used +// by the helm subprocess. Cannot use a chroot jail or fake +// filesystem since we allow the user to use previously +// downloaded charts. This is safe since this plugin is +// owned by kustomize. +func (p *HelmChartInflationGeneratorPlugin) establishTmpDir() (err error) { + if p.tmpDir != "" { + // already done. + return nil + } + p.tmpDir, err = os.MkdirTemp("", "kustomize-helm-") + return err +} + +func (p *HelmChartInflationGeneratorPlugin) validateArgs() (err error) { + if p.Name == "" { + return fmt.Errorf("chart name cannot be empty") + } + + // ChartHome might be consulted by the plugin (to read + // values files below it), so it must be located under + // the loader root (unless root restrictions are + // disabled, in which case this can be an absolute path). + if p.ChartHome == "" { + p.ChartHome = types.HelmDefaultHome + } + + // The ValuesFile(s) may be consulted by the plugin, so it must + // be under the loader root (unless root restrictions are + // disabled). + if p.ValuesFile == "" { + p.ValuesFile = filepath.Join(p.absChartHome(), p.Name, "values.yaml") + } + for i, file := range p.AdditionalValuesFiles { + // use Load() to enforce root restrictions + if _, err := p.h.Loader().Load(file); err != nil { + return errors.WrapPrefixf(err, "could not load additionalValuesFile") + } + // the additional values filepaths must be relative to the kust root + p.AdditionalValuesFiles[i] = filepath.Join(p.h.Loader().Root(), file) + } + + if err = p.errIfIllegalValuesMerge(); err != nil { + return err + } + + // ConfigHome is not loaded by the plugin, and can be located anywhere. + if p.ConfigHome == "" { + if err = p.establishTmpDir(); err != nil { + return errors.WrapPrefixf( + err, "unable to create tmp dir for HELM_CONFIG_HOME") + } + p.ConfigHome = filepath.Join(p.tmpDir, "helm") + } + return nil +} + +func (p *HelmChartInflationGeneratorPlugin) errIfIllegalValuesMerge() error { + if p.ValuesMerge == "" { + // Use the default. + p.ValuesMerge = valuesMergeOptionOverride + return nil + } + for _, opt := range legalMergeOptions { + if p.ValuesMerge == opt { + return nil + } + } + return fmt.Errorf("valuesMerge must be one of %v", legalMergeOptions) +} + +func (p *HelmChartInflationGeneratorPlugin) absChartHome() string { + var chartHome string + if filepath.IsAbs(p.ChartHome) { + chartHome = p.ChartHome + } else { + chartHome = filepath.Join(p.h.Loader().Root(), p.ChartHome) + } + + if p.Version != "" && p.Repo != "" { + return filepath.Join(chartHome, fmt.Sprintf("%s-%s", p.Name, p.Version)) + } + return chartHome +} + +func (p *HelmChartInflationGeneratorPlugin) runHelmCommand( + args []string) ([]byte, error) { + stdout := new(bytes.Buffer) + stderr := new(bytes.Buffer) + cmd := exec.Command(p.h.GeneralConfig().HelmConfig.Command, args...) + cmd.Stdout = stdout + cmd.Stderr = stderr + env := []string{ + fmt.Sprintf("HELM_CONFIG_HOME=%s", p.ConfigHome), + fmt.Sprintf("HELM_CACHE_HOME=%s/.cache", p.ConfigHome), + fmt.Sprintf("HELM_DATA_HOME=%s/.data", p.ConfigHome)} + cmd.Env = append(os.Environ(), env...) + err := cmd.Run() + errorOutput := stderr.String() + if slices.Contains(args, "--debug") { + errorOutput = " Helm stack trace:\n" + errorOutput + "\nHelm template:\n" + stdout.String() + "\n" + } + if err != nil { + helm := p.h.GeneralConfig().HelmConfig.Command + //nolint:govet + err = errors.WrapPrefixf( + fmt.Errorf( + "unable to run: '%s %s' with env=%s (is '%s' installed?): %w", + helm, strings.Join(args, " "), env, helm, err), + errorOutput, + ) + } + return stdout.Bytes(), err +} + +// createNewMergedValuesFile replaces/merges original values file with ValuesInline. +func (p *HelmChartInflationGeneratorPlugin) createNewMergedValuesFile() ( + path string, err error) { + if p.ValuesMerge == valuesMergeOptionMerge || + p.ValuesMerge == valuesMergeOptionOverride { + if err = p.replaceValuesInline(); err != nil { + return "", err + } + } + var b []byte + b, err = yaml.Marshal(p.ValuesInline) + if err != nil { + return "", err + } + return p.writeValuesBytes(b) +} + +func (p *HelmChartInflationGeneratorPlugin) replaceValuesInline() error { + pValues, err := p.h.Loader().Load(p.ValuesFile) + if err != nil { + return err + } + chValues, err := kyaml.Parse(string(pValues)) + if err != nil { + return errors.WrapPrefixf(err, "could not parse values file into rnode") + } + inlineValues, err := kyaml.FromMap(p.ValuesInline) + if err != nil { + return errors.WrapPrefixf(err, "could not parse values inline into rnode") + } + var outValues *kyaml.RNode + switch p.ValuesMerge { + // Function `merge2.Merge` overrides values in dest with values from src. + // To achieve override or merge behavior, we pass parameters in different order. + // Object passed as dest will be modified, so we copy it just in case someone + // decides to use it after this is called. + case valuesMergeOptionOverride: + outValues, err = merge2.Merge(inlineValues, chValues.Copy(), kyaml.MergeOptions{}) + case valuesMergeOptionMerge: + outValues, err = merge2.Merge(chValues, inlineValues.Copy(), kyaml.MergeOptions{}) + } + if err != nil { + return errors.WrapPrefixf(err, "could not merge values") + } + mapValues, err := outValues.Map() + if err != nil { + return errors.WrapPrefixf(err, "could not parse merged values into map") + } + p.ValuesInline = mapValues + return err +} + +// copyValuesFile to avoid branching. TODO: get rid of this. +func (p *HelmChartInflationGeneratorPlugin) copyValuesFile() (string, error) { + b, err := p.h.Loader().Load(p.ValuesFile) + if err != nil { + return "", err + } + return p.writeValuesBytes(b) +} + +// Write a absolute path file in the tmp file system. +func (p *HelmChartInflationGeneratorPlugin) writeValuesBytes( + b []byte) (string, error) { + if err := p.establishTmpDir(); err != nil { + return "", fmt.Errorf("cannot create tmp dir to write helm values") + } + path := filepath.Join(p.tmpDir, p.Name+"-kustomize-values.yaml") + return path, errors.WrapPrefixf(os.WriteFile(path, b, 0644), "failed to write values file") +} + +func (p *HelmChartInflationGeneratorPlugin) cleanup() { + if p.tmpDir != "" { + os.RemoveAll(p.tmpDir) + } +} + +// Generate implements generator +func (p *HelmChartInflationGeneratorPlugin) Generate() (rm resmap.ResMap, err error) { + defer p.cleanup() + if err = p.checkHelmVersion(); err != nil { + return nil, err + } + if path, exists := p.chartExistsLocally(); !exists { + if p.Repo == "" { + return nil, fmt.Errorf( + "no repo specified for pull, no chart found at '%s'", path) + } + if _, err := p.runHelmCommand(p.pullCommand()); err != nil { + return nil, err + } + } + if len(p.ValuesInline) > 0 { + p.ValuesFile, err = p.createNewMergedValuesFile() + } else { + p.ValuesFile, err = p.copyValuesFile() + } + if err != nil { + return nil, err + } + var stdout []byte + stdout, err = p.runHelmCommand(p.AsHelmArgs(p.absChartHome())) + if err != nil { + return nil, err + } + + rm, resMapErr := p.h.ResmapFactory().NewResMapFromBytes(stdout) + if resMapErr == nil { + return rm, nil + } + // try to remove the contents before first "---" because + // helm may produce messages to stdout before it + r := &kio.ByteReader{Reader: bytes.NewBuffer(stdout), OmitReaderAnnotations: true} + nodes, err := r.Read() + if err != nil { + return nil, fmt.Errorf("error reading helm output: %w", err) + } + + if len(nodes) != 0 { + rm, err = p.h.ResmapFactory().NewResMapFromRNodeSlice(nodes) + if err != nil { + return nil, fmt.Errorf("could not parse rnode slice into resource map: %w", err) + } + return rm, nil + } + return nil, fmt.Errorf("could not parse bytes into resource map: %w", resMapErr) +} + +func (p *HelmChartInflationGeneratorPlugin) pullCommand() []string { + args := []string{ + "pull", + "--untar", + "--untardir", p.absChartHome(), + } + + switch { + case strings.HasPrefix(p.Repo, "oci://"): + args = append(args, strings.TrimSuffix(p.Repo, "/")+"/"+p.Name) + case p.Repo != "": + args = append(args, "--repo", p.Repo) + fallthrough + default: + args = append(args, p.Name) + } + + if p.Version != "" { + args = append(args, "--version", p.Version) + } + return args +} + +// chartExistsLocally will return true if the chart does exist in +// local chart home. +func (p *HelmChartInflationGeneratorPlugin) chartExistsLocally() (string, bool) { + path := filepath.Join(p.absChartHome(), p.Name) + s, err := os.Stat(path) + if err != nil { + return "", false + } + return path, s.IsDir() +} + +// checkHelmVersion will return an error if the helm version is not V3 +func (p *HelmChartInflationGeneratorPlugin) checkHelmVersion() error { + stdout, err := p.runHelmCommand([]string{"version", "-c", "--short"}) + if err != nil { + return err + } + r, err := regexp.Compile(`v?\d+(\.\d+)+`) + if err != nil { + return err + } + v := r.FindString(string(stdout)) + if v == "" { + return fmt.Errorf("cannot find version string in %s", string(stdout)) + } + if v[0] == 'v' { + v = v[1:] + } + majorVersion := strings.Split(v, ".")[0] + if majorVersion != "3" { + return fmt.Errorf("this plugin requires helm V3 but got v%s", v) + } + return nil +} + +func NewHelmChartInflationGeneratorPlugin() resmap.GeneratorPlugin { + return &HelmChartInflationGeneratorPlugin{} +} diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/builtins/IAMPolicyGenerator.go b/vendor/sigs.k8s.io/kustomize/api/internal/builtins/IAMPolicyGenerator.go new file mode 100644 index 0000000000..cfb1fa81b6 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/internal/builtins/IAMPolicyGenerator.go @@ -0,0 +1,33 @@ +// Code generated by pluginator on IAMPolicyGenerator; DO NOT EDIT. +// pluginator {(devel) unknown } + +package builtins + +import ( + "sigs.k8s.io/kustomize/api/filters/iampolicygenerator" + "sigs.k8s.io/kustomize/api/resmap" + "sigs.k8s.io/kustomize/api/types" + "sigs.k8s.io/yaml" +) + +type IAMPolicyGeneratorPlugin struct { + types.IAMPolicyGeneratorArgs +} + +func (p *IAMPolicyGeneratorPlugin) Config(h *resmap.PluginHelpers, config []byte) (err error) { + p.IAMPolicyGeneratorArgs = types.IAMPolicyGeneratorArgs{} + err = yaml.Unmarshal(config, p) + return +} + +func (p *IAMPolicyGeneratorPlugin) Generate() (resmap.ResMap, error) { + r := resmap.New() + err := r.ApplyFilter(iampolicygenerator.Filter{ + IAMPolicyGenerator: p.IAMPolicyGeneratorArgs, + }) + return r, err +} + +func NewIAMPolicyGeneratorPlugin() resmap.GeneratorPlugin { + return &IAMPolicyGeneratorPlugin{} +} diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/builtins/ImageTagTransformer.go b/vendor/sigs.k8s.io/kustomize/api/internal/builtins/ImageTagTransformer.go new file mode 100644 index 0000000000..ffde73a7a1 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/internal/builtins/ImageTagTransformer.go @@ -0,0 +1,41 @@ +// Code generated by pluginator on ImageTagTransformer; DO NOT EDIT. +// pluginator {(devel) unknown } + +package builtins + +import ( + "sigs.k8s.io/kustomize/api/filters/imagetag" + "sigs.k8s.io/kustomize/api/resmap" + "sigs.k8s.io/kustomize/api/types" + "sigs.k8s.io/yaml" +) + +// Find matching image declarations and replace +// the name, tag and/or digest. +type ImageTagTransformerPlugin struct { + ImageTag types.Image `json:"imageTag,omitempty" yaml:"imageTag,omitempty"` + FieldSpecs []types.FieldSpec `json:"fieldSpecs,omitempty" yaml:"fieldSpecs,omitempty"` +} + +func (p *ImageTagTransformerPlugin) Config( + _ *resmap.PluginHelpers, c []byte) (err error) { + p.ImageTag = types.Image{} + p.FieldSpecs = nil + return yaml.Unmarshal(c, p) +} + +func (p *ImageTagTransformerPlugin) Transform(m resmap.ResMap) error { + if err := m.ApplyFilter(imagetag.LegacyFilter{ + ImageTag: p.ImageTag, + }); err != nil { + return err + } + return m.ApplyFilter(imagetag.Filter{ + ImageTag: p.ImageTag, + FsSlice: p.FieldSpecs, + }) +} + +func NewImageTagTransformerPlugin() resmap.TransformerPlugin { + return &ImageTagTransformerPlugin{} +} diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/builtins/LabelTransformer.go b/vendor/sigs.k8s.io/kustomize/api/internal/builtins/LabelTransformer.go new file mode 100644 index 0000000000..c45731b54b --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/internal/builtins/LabelTransformer.go @@ -0,0 +1,38 @@ +// Code generated by pluginator on LabelTransformer; DO NOT EDIT. +// pluginator {(devel) unknown } + +package builtins + +import ( + "sigs.k8s.io/kustomize/api/filters/labels" + "sigs.k8s.io/kustomize/api/resmap" + "sigs.k8s.io/kustomize/api/types" + "sigs.k8s.io/yaml" +) + +// Add the given labels to the given field specifications. +type LabelTransformerPlugin struct { + Labels map[string]string `json:"labels,omitempty" yaml:"labels,omitempty"` + FieldSpecs []types.FieldSpec `json:"fieldSpecs,omitempty" yaml:"fieldSpecs,omitempty"` +} + +func (p *LabelTransformerPlugin) Config( + _ *resmap.PluginHelpers, c []byte) (err error) { + p.Labels = nil + p.FieldSpecs = nil + return yaml.Unmarshal(c, p) +} + +func (p *LabelTransformerPlugin) Transform(m resmap.ResMap) error { + if len(p.Labels) == 0 { + return nil + } + return m.ApplyFilter(labels.Filter{ + Labels: p.Labels, + FsSlice: p.FieldSpecs, + }) +} + +func NewLabelTransformerPlugin() resmap.TransformerPlugin { + return &LabelTransformerPlugin{} +} diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/builtins/NamespaceTransformer.go b/vendor/sigs.k8s.io/kustomize/api/internal/builtins/NamespaceTransformer.go new file mode 100644 index 0000000000..d839fb9751 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/internal/builtins/NamespaceTransformer.go @@ -0,0 +1,76 @@ +// Code generated by pluginator on NamespaceTransformer; DO NOT EDIT. +// pluginator {(devel) unknown } + +package builtins + +import ( + "fmt" + + "sigs.k8s.io/kustomize/api/filters/namespace" + "sigs.k8s.io/kustomize/api/resmap" + "sigs.k8s.io/kustomize/api/types" + "sigs.k8s.io/kustomize/kyaml/errors" + "sigs.k8s.io/yaml" +) + +// Change or set the namespace of non-cluster level resources. +// +//nolint:tagalign +type NamespaceTransformerPlugin struct { + types.ObjectMeta `json:"metadata,omitempty" yaml:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` + FieldSpecs []types.FieldSpec `json:"fieldSpecs,omitempty" yaml:"fieldSpecs,omitempty"` + UnsetOnly bool `json:"unsetOnly" yaml:"unsetOnly"` + SetRoleBindingSubjects namespace.RoleBindingSubjectMode `json:"setRoleBindingSubjects" yaml:"setRoleBindingSubjects"` +} + +func (p *NamespaceTransformerPlugin) Config( + _ *resmap.PluginHelpers, c []byte) (err error) { + p.Namespace = "" + p.FieldSpecs = nil + if err := yaml.Unmarshal(c, p); err != nil { + return errors.WrapPrefixf(err, "unmarshalling NamespaceTransformer config") + } + switch p.SetRoleBindingSubjects { + case namespace.AllServiceAccountSubjects, namespace.DefaultSubjectsOnly, namespace.NoSubjects: + // valid + case namespace.SubjectModeUnspecified: + p.SetRoleBindingSubjects = namespace.DefaultSubjectsOnly + default: + return errors.Errorf("invalid value %q for setRoleBindingSubjects: "+ + "must be one of %q, %q or %q", p.SetRoleBindingSubjects, + namespace.DefaultSubjectsOnly, namespace.NoSubjects, namespace.AllServiceAccountSubjects) + } + + return nil +} + +func (p *NamespaceTransformerPlugin) Transform(m resmap.ResMap) error { + if len(p.Namespace) == 0 { + return nil + } + for _, r := range m.Resources() { + if r.IsNilOrEmpty() { + // Don't mutate empty objects? + continue + } + r.StorePreviousId() + if err := r.ApplyFilter(namespace.Filter{ + Namespace: p.Namespace, + FsSlice: p.FieldSpecs, + SetRoleBindingSubjects: p.SetRoleBindingSubjects, + UnsetOnly: p.UnsetOnly, + }); err != nil { + return err + } + matches := m.GetMatchingResourcesByCurrentId(r.CurId().Equals) + if len(matches) != 1 { + return fmt.Errorf( + "namespace transformation produces ID conflict: %+v", matches) + } + } + return nil +} + +func NewNamespaceTransformerPlugin() resmap.TransformerPlugin { + return &NamespaceTransformerPlugin{} +} diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/builtins/PatchJson6902Transformer.go b/vendor/sigs.k8s.io/kustomize/api/internal/builtins/PatchJson6902Transformer.go new file mode 100644 index 0000000000..04625e5109 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/internal/builtins/PatchJson6902Transformer.go @@ -0,0 +1,105 @@ +// Code generated by pluginator on PatchJson6902Transformer; DO NOT EDIT. +// pluginator {(devel) unknown } + +package builtins + +import ( + "fmt" + + jsonpatch "gopkg.in/evanphx/json-patch.v4" + "sigs.k8s.io/kustomize/api/filters/patchjson6902" + "sigs.k8s.io/kustomize/api/ifc" + "sigs.k8s.io/kustomize/api/resmap" + "sigs.k8s.io/kustomize/api/types" + "sigs.k8s.io/kustomize/kyaml/errors" + "sigs.k8s.io/kustomize/kyaml/kio/kioutil" + "sigs.k8s.io/yaml" +) + +type PatchJson6902TransformerPlugin struct { + ldr ifc.Loader + decodedPatch jsonpatch.Patch + Target *types.Selector `json:"target,omitempty" yaml:"target,omitempty"` + Path string `json:"path,omitempty" yaml:"path,omitempty"` + JsonOp string `json:"jsonOp,omitempty" yaml:"jsonOp,omitempty"` +} + +func (p *PatchJson6902TransformerPlugin) Config( + h *resmap.PluginHelpers, c []byte) (err error) { + p.ldr = h.Loader() + err = yaml.Unmarshal(c, p) + if err != nil { + return err + } + if p.Target.Name == "" { + return fmt.Errorf("must specify the target name") + } + if p.Path == "" && p.JsonOp == "" { + return fmt.Errorf("empty file path and empty jsonOp") + } + if p.Path != "" { + if p.JsonOp != "" { + return fmt.Errorf("must specify a file path or jsonOp, not both") + } + rawOp, err := p.ldr.Load(p.Path) + if err != nil { + return err + } + p.JsonOp = string(rawOp) + if p.JsonOp == "" { + return fmt.Errorf("patch file '%s' empty seems to be empty", p.Path) + } + } + if p.JsonOp[0] != '[' { + // if it doesn't seem to be JSON, imagine + // it is YAML, and convert to JSON. + op, err := yaml.YAMLToJSON([]byte(p.JsonOp)) + if err != nil { + return err + } + p.JsonOp = string(op) + } + p.decodedPatch, err = jsonpatch.DecodePatch([]byte(p.JsonOp)) + if err != nil { + return errors.WrapPrefixf(err, "decoding %s", p.JsonOp) + } + if len(p.decodedPatch) == 0 { + return fmt.Errorf( + "patch appears to be empty; file=%s, JsonOp=%s", p.Path, p.JsonOp) + } + return err +} + +func (p *PatchJson6902TransformerPlugin) Transform(m resmap.ResMap) error { + if p.Target == nil { + return fmt.Errorf("must specify a target for patch %s", p.JsonOp) + } + resources, err := m.Select(*p.Target) + if err != nil { + return err + } + for _, res := range resources { + internalAnnotations := kioutil.GetInternalAnnotations(&res.RNode) + + err = res.ApplyFilter(patchjson6902.Filter{ + Patch: p.JsonOp, + }) + if err != nil { + return err + } + + annotations := res.GetAnnotations() + for key, value := range internalAnnotations { + annotations[key] = value + } + err = res.SetAnnotations(annotations) + if err != nil { + return err + } + } + return nil +} + +func NewPatchJson6902TransformerPlugin() resmap.TransformerPlugin { + return &PatchJson6902TransformerPlugin{} +} diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/builtins/PatchStrategicMergeTransformer.go b/vendor/sigs.k8s.io/kustomize/api/internal/builtins/PatchStrategicMergeTransformer.go new file mode 100644 index 0000000000..d68f2425ea --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/internal/builtins/PatchStrategicMergeTransformer.go @@ -0,0 +1,89 @@ +// Code generated by pluginator on PatchStrategicMergeTransformer; DO NOT EDIT. +// pluginator {(devel) unknown } + +package builtins + +import ( + "fmt" + + "sigs.k8s.io/kustomize/api/resmap" + "sigs.k8s.io/kustomize/api/resource" + "sigs.k8s.io/kustomize/api/types" + "sigs.k8s.io/yaml" +) + +type PatchStrategicMergeTransformerPlugin struct { + loadedPatches []*resource.Resource + Paths []types.PatchStrategicMerge `json:"paths,omitempty" yaml:"paths,omitempty"` + Patches string `json:"patches,omitempty" yaml:"patches,omitempty"` +} + +func (p *PatchStrategicMergeTransformerPlugin) Config( + h *resmap.PluginHelpers, c []byte) (err error) { + err = yaml.Unmarshal(c, p) + if err != nil { + return err + } + if len(p.Paths) == 0 && p.Patches == "" { + return fmt.Errorf("empty file path and empty patch content") + } + if len(p.Paths) != 0 { + patches, err := loadFromPaths(h, p.Paths) + if err != nil { + return err + } + p.loadedPatches = append(p.loadedPatches, patches...) + } + if p.Patches != "" { + patches, err := h.ResmapFactory().RF().SliceFromBytes([]byte(p.Patches)) + if err != nil { + return err + } + p.loadedPatches = append(p.loadedPatches, patches...) + } + if len(p.loadedPatches) == 0 { + return fmt.Errorf( + "patch appears to be empty; files=%v, Patch=%s", p.Paths, p.Patches) + } + return nil +} + +func loadFromPaths( + h *resmap.PluginHelpers, + paths []types.PatchStrategicMerge) ( + result []*resource.Resource, err error) { + var patches []*resource.Resource + for _, path := range paths { + // For legacy reasons, attempt to treat the path string as + // actual patch content. + patches, err = h.ResmapFactory().RF().SliceFromBytes([]byte(path)) + if err != nil { + // Failing that, treat it as a file path. + patches, err = h.ResmapFactory().RF().SliceFromPatches( + h.Loader(), []types.PatchStrategicMerge{path}) + if err != nil { + return + } + } + result = append(result, patches...) + } + return +} + +func (p *PatchStrategicMergeTransformerPlugin) Transform(m resmap.ResMap) error { + for _, patch := range p.loadedPatches { + target, err := m.GetById(patch.OrgId()) + if err != nil { + return err + } + if err = m.ApplySmPatch( + resource.MakeIdSet([]*resource.Resource{target}), patch); err != nil { + return err + } + } + return nil +} + +func NewPatchStrategicMergeTransformerPlugin() resmap.TransformerPlugin { + return &PatchStrategicMergeTransformerPlugin{} +} diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/builtins/PatchTransformer.go b/vendor/sigs.k8s.io/kustomize/api/internal/builtins/PatchTransformer.go new file mode 100644 index 0000000000..8e6eb41128 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/internal/builtins/PatchTransformer.go @@ -0,0 +1,173 @@ +// Code generated by pluginator on PatchTransformer; DO NOT EDIT. +// pluginator {(devel) unknown } + +package builtins + +import ( + "fmt" + "strings" + + jsonpatch "gopkg.in/evanphx/json-patch.v4" + "sigs.k8s.io/kustomize/api/filters/patchjson6902" + "sigs.k8s.io/kustomize/api/resmap" + "sigs.k8s.io/kustomize/api/resource" + "sigs.k8s.io/kustomize/api/types" + "sigs.k8s.io/kustomize/kyaml/errors" + "sigs.k8s.io/kustomize/kyaml/kio/kioutil" + "sigs.k8s.io/yaml" +) + +type PatchTransformerPlugin struct { + smPatches []*resource.Resource // strategic-merge patches + jsonPatches jsonpatch.Patch // json6902 patch + // patchText is pure patch text created by Path or Patch + patchText string + // patchSource is patch source message + patchSource string + Path string `json:"path,omitempty" yaml:"path,omitempty"` + Patch string `json:"patch,omitempty" yaml:"patch,omitempty"` + Target *types.Selector `json:"target,omitempty" yaml:"target,omitempty"` + Options map[string]bool `json:"options,omitempty" yaml:"options,omitempty"` +} + +func (p *PatchTransformerPlugin) Config(h *resmap.PluginHelpers, c []byte) error { + if err := yaml.Unmarshal(c, p); err != nil { + return err + } + + p.Patch = strings.TrimSpace(p.Patch) + switch { + case p.Patch == "" && p.Path == "": + return fmt.Errorf("must specify one of patch and path in\n%s", string(c)) + case p.Patch != "" && p.Path != "": + return fmt.Errorf("patch and path can't be set at the same time\n%s", string(c)) + case p.Patch != "": + p.patchText = p.Patch + p.patchSource = fmt.Sprintf("[patch: %q]", p.patchText) + case p.Path != "": + loaded, err := h.Loader().Load(p.Path) + if err != nil { + return fmt.Errorf("failed to get the patch file from path(%s): %w", p.Path, err) + } + p.patchText = string(loaded) + p.patchSource = fmt.Sprintf("[path: %q]", p.Path) + } + + patchesSM, errSM := h.ResmapFactory().RF().SliceFromBytes([]byte(p.patchText)) + patchesJson, errJson := jsonPatchFromBytes([]byte(p.patchText)) + + if (errSM == nil && errJson == nil) || + (patchesSM != nil && patchesJson != nil) { + return fmt.Errorf( + "illegally qualifies as both an SM and JSON patch: %s", + p.patchSource) + } + if errSM != nil && errJson != nil { + return fmt.Errorf( + "unable to parse SM or JSON patch from %s", p.patchSource) + } + if errSM == nil { + p.smPatches = patchesSM + for _, loadedPatch := range p.smPatches { + if p.Options["allowNameChange"] { + loadedPatch.AllowNameChange() + } + if p.Options["allowKindChange"] { + loadedPatch.AllowKindChange() + } + } + } else { + p.jsonPatches = patchesJson + } + return nil +} + +func (p *PatchTransformerPlugin) Transform(m resmap.ResMap) error { + if p.smPatches != nil { + return p.transformStrategicMerge(m) + } + return p.transformJson6902(m) +} + +// transformStrategicMerge applies each loaded strategic merge patch +// to the resource in the ResMap that matches the identifier of the patch. +// If only one patch is specified, the Target can be used instead. +func (p *PatchTransformerPlugin) transformStrategicMerge(m resmap.ResMap) error { + if p.Target != nil { + if len(p.smPatches) > 1 { + // detail: https://github.com/kubernetes-sigs/kustomize/issues/5049#issuecomment-1440604403 + return fmt.Errorf("Multiple Strategic-Merge Patches in one `patches` entry is not allowed to set `patches.target` field: %s", p.patchSource) + } + + // single patch + patch := p.smPatches[0] + selected, err := m.Select(*p.Target) + if err != nil { + return fmt.Errorf("unable to find patch target %q in `resources`: %w", p.Target, err) + } + return errors.Wrap(m.ApplySmPatch(resource.MakeIdSet(selected), patch)) + } + + for _, patch := range p.smPatches { + target, err := m.GetById(patch.OrgId()) + if err != nil { + return fmt.Errorf("no resource matches strategic merge patch %q: %w", patch.OrgId(), err) + } + if err := target.ApplySmPatch(patch); err != nil { + return errors.Wrap(err) + } + } + return nil +} + +// transformJson6902 applies json6902 Patch to all the resources in the ResMap that match Target. +func (p *PatchTransformerPlugin) transformJson6902(m resmap.ResMap) error { + if p.Target == nil { + return fmt.Errorf("must specify a target for JSON patch %s", p.patchSource) + } + resources, err := m.Select(*p.Target) + if err != nil { + return err + } + for _, res := range resources { + res.StorePreviousId() + internalAnnotations := kioutil.GetInternalAnnotations(&res.RNode) + err = res.ApplyFilter(patchjson6902.Filter{ + Patch: p.patchText, + }) + if err != nil { + return err + } + + annotations := res.GetAnnotations() + for key, value := range internalAnnotations { + annotations[key] = value + } + err = res.SetAnnotations(annotations) + } + return nil +} + +// jsonPatchFromBytes loads a Json 6902 patch from a bytes input +func jsonPatchFromBytes(in []byte) (jsonpatch.Patch, error) { + ops := string(in) + if ops == "" { + return nil, fmt.Errorf("empty json patch operations") + } + + if ops[0] != '[' { + // TODO(5049): + // In the case of multiple yaml documents, return error instead of ignoring all but first. + // Details: https://github.com/kubernetes-sigs/kustomize/pull/5194#discussion_r1256686728 + jsonOps, err := yaml.YAMLToJSON(in) + if err != nil { + return nil, err + } + ops = string(jsonOps) + } + return jsonpatch.DecodePatch([]byte(ops)) +} + +func NewPatchTransformerPlugin() resmap.TransformerPlugin { + return &PatchTransformerPlugin{} +} diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/builtins/PrefixTransformer.go b/vendor/sigs.k8s.io/kustomize/api/internal/builtins/PrefixTransformer.go new file mode 100644 index 0000000000..33700bb4b1 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/internal/builtins/PrefixTransformer.go @@ -0,0 +1,96 @@ +// Code generated by pluginator on PrefixTransformer; DO NOT EDIT. +// pluginator {(devel) unknown } + +package builtins + +import ( + "errors" + + "sigs.k8s.io/kustomize/api/filters/prefix" + "sigs.k8s.io/kustomize/api/resmap" + "sigs.k8s.io/kustomize/api/types" + "sigs.k8s.io/kustomize/kyaml/resid" + "sigs.k8s.io/kustomize/kyaml/yaml" +) + +// Add the given prefix to the field +type PrefixTransformerPlugin struct { + Prefix string `json:"prefix,omitempty" yaml:"prefix,omitempty"` + FieldSpecs types.FsSlice `json:"fieldSpecs,omitempty" yaml:"fieldSpecs,omitempty"` +} + +// TODO: Make this gvk skip list part of the config. +var prefixFieldSpecsToSkip = types.FsSlice{ + {Gvk: resid.Gvk{Kind: "CustomResourceDefinition"}}, + {Gvk: resid.Gvk{Group: "apiregistration.k8s.io", Kind: "APIService"}}, + {Gvk: resid.Gvk{Kind: "Namespace"}}, +} + +func (p *PrefixTransformerPlugin) Config( + _ *resmap.PluginHelpers, c []byte) (err error) { + p.Prefix = "" + p.FieldSpecs = nil + err = yaml.Unmarshal(c, p) + if err != nil { + return + } + if p.FieldSpecs == nil { + return errors.New("fieldSpecs is not expected to be nil") + } + return +} + +func (p *PrefixTransformerPlugin) Transform(m resmap.ResMap) error { + // Even if the Prefix is empty we want to proceed with the + // transformation. This allows to add contextual information + // to the resources (AddNamePrefix). + for _, r := range m.Resources() { + // TODO: move this test into the filter (i.e. make a better filter) + if p.shouldSkip(r.OrgId()) { + continue + } + id := r.OrgId() + // current default configuration contains + // only one entry: "metadata/name" with no GVK + for _, fs := range p.FieldSpecs { + // TODO: this is redundant to filter (but needed for now) + if !id.IsSelected(&fs.Gvk) { + continue + } + // TODO: move this test into the filter. + if fs.Path == "metadata/name" { + // "metadata/name" is the only field. + // this will add a prefix to the resource + // even if it is empty + + r.AddNamePrefix(p.Prefix) + if p.Prefix != "" { + // TODO: There are multiple transformers that can change a resource's name, and each makes a call to + // StorePreviousID(). We should make it so that we only call StorePreviousID once per kustomization layer + // to avoid storing intermediate names between transformations, to prevent intermediate name conflicts. + r.StorePreviousId() + } + } + if err := r.ApplyFilter(prefix.Filter{ + Prefix: p.Prefix, + FieldSpec: fs, + }); err != nil { + return err + } + } + } + return nil +} + +func (p *PrefixTransformerPlugin) shouldSkip(id resid.ResId) bool { + for _, path := range prefixFieldSpecsToSkip { + if id.IsSelected(&path.Gvk) { + return true + } + } + return false +} + +func NewPrefixTransformerPlugin() resmap.TransformerPlugin { + return &PrefixTransformerPlugin{} +} diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/builtins/ReplacementTransformer.go b/vendor/sigs.k8s.io/kustomize/api/internal/builtins/ReplacementTransformer.go new file mode 100644 index 0000000000..02cb1927ae --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/internal/builtins/ReplacementTransformer.go @@ -0,0 +1,78 @@ +// Code generated by pluginator on ReplacementTransformer; DO NOT EDIT. +// pluginator {(devel) unknown } + +package builtins + +import ( + "fmt" + "reflect" + + "sigs.k8s.io/kustomize/api/filters/replacement" + "sigs.k8s.io/kustomize/api/resmap" + "sigs.k8s.io/kustomize/api/types" + "sigs.k8s.io/yaml" +) + +// Replace values in targets with values from a source +type ReplacementTransformerPlugin struct { + ReplacementList []types.ReplacementField `json:"replacements,omitempty" yaml:"replacements,omitempty"` + Replacements []types.Replacement `json:"omitempty" yaml:"omitempty"` +} + +func (p *ReplacementTransformerPlugin) Config( + h *resmap.PluginHelpers, c []byte) (err error) { + p.ReplacementList = []types.ReplacementField{} + if err := yaml.Unmarshal(c, p); err != nil { + return err + } + + for _, r := range p.ReplacementList { + if r.Path != "" && (r.Source != nil || len(r.Targets) != 0) { + return fmt.Errorf("cannot specify both path and inline replacement") + } + if r.Path != "" { + // load the replacement from the path + content, err := h.Loader().Load(r.Path) + if err != nil { + return err + } + // find if the path contains a a list of replacements or a single replacement + var replacement interface{} + err = yaml.Unmarshal(content, &replacement) + if err != nil { + return err + } + items := reflect.ValueOf(replacement) + switch items.Kind() { + case reflect.Slice: + repl := []types.Replacement{} + if err := yaml.Unmarshal(content, &repl); err != nil { + return err + } + p.Replacements = append(p.Replacements, repl...) + case reflect.Map: + repl := types.Replacement{} + if err := yaml.Unmarshal(content, &repl); err != nil { + return err + } + p.Replacements = append(p.Replacements, repl) + default: + return fmt.Errorf("unsupported replacement type encountered within replacement path: %v", items.Kind()) + } + } else { + // replacement information is already loaded + p.Replacements = append(p.Replacements, r.Replacement) + } + } + return nil +} + +func (p *ReplacementTransformerPlugin) Transform(m resmap.ResMap) (err error) { + return m.ApplyFilter(replacement.Filter{ + Replacements: p.Replacements, + }) +} + +func NewReplacementTransformerPlugin() resmap.TransformerPlugin { + return &ReplacementTransformerPlugin{} +} diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/builtins/ReplicaCountTransformer.go b/vendor/sigs.k8s.io/kustomize/api/internal/builtins/ReplicaCountTransformer.go new file mode 100644 index 0000000000..c87d64251c --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/internal/builtins/ReplicaCountTransformer.go @@ -0,0 +1,73 @@ +// Code generated by pluginator on ReplicaCountTransformer; DO NOT EDIT. +// pluginator {(devel) unknown } + +package builtins + +import ( + "fmt" + + "sigs.k8s.io/kustomize/api/filters/replicacount" + "sigs.k8s.io/kustomize/api/resmap" + "sigs.k8s.io/kustomize/api/types" + "sigs.k8s.io/kustomize/kyaml/resid" + "sigs.k8s.io/yaml" +) + +// Find matching replicas declarations and replace the count. +// Eases the kustomization configuration of replica changes. +type ReplicaCountTransformerPlugin struct { + Replica types.Replica `json:"replica,omitempty" yaml:"replica,omitempty"` + FieldSpecs []types.FieldSpec `json:"fieldSpecs,omitempty" yaml:"fieldSpecs,omitempty"` +} + +func (p *ReplicaCountTransformerPlugin) Config( + _ *resmap.PluginHelpers, c []byte) (err error) { + p.Replica = types.Replica{} + p.FieldSpecs = nil + return yaml.Unmarshal(c, p) +} + +func (p *ReplicaCountTransformerPlugin) Transform(m resmap.ResMap) error { + found := false + for _, fs := range p.FieldSpecs { + matcher := p.createMatcher(fs) + resList := m.GetMatchingResourcesByAnyId(matcher) + if len(resList) > 0 { + found = true + for _, r := range resList { + // There are redundant checks in the filter + // that we'll live with until resolution of + // https://github.com/kubernetes-sigs/kustomize/issues/2506 + err := r.ApplyFilter(replicacount.Filter{ + Replica: p.Replica, + FieldSpec: fs, + }) + if err != nil { + return err + } + } + } + } + + if !found { + gvks := make([]string, len(p.FieldSpecs)) + for i, replicaSpec := range p.FieldSpecs { + gvks[i] = replicaSpec.Gvk.String() + } + return fmt.Errorf("resource with name %s does not match a config with the following GVK %v", + p.Replica.Name, gvks) + } + + return nil +} + +// Match Replica.Name and FieldSpec +func (p *ReplicaCountTransformerPlugin) createMatcher(fs types.FieldSpec) resmap.IdMatcher { + return func(r resid.ResId) bool { + return r.Name == p.Replica.Name && r.Gvk.IsSelected(&fs.Gvk) + } +} + +func NewReplicaCountTransformerPlugin() resmap.TransformerPlugin { + return &ReplicaCountTransformerPlugin{} +} diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/builtins/SecretGenerator.go b/vendor/sigs.k8s.io/kustomize/api/internal/builtins/SecretGenerator.go new file mode 100644 index 0000000000..2a4ef1c903 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/internal/builtins/SecretGenerator.go @@ -0,0 +1,39 @@ +// Code generated by pluginator on SecretGenerator; DO NOT EDIT. +// pluginator {(devel) unknown } + +package builtins + +import ( + "sigs.k8s.io/kustomize/api/kv" + "sigs.k8s.io/kustomize/api/resmap" + "sigs.k8s.io/kustomize/api/types" + "sigs.k8s.io/yaml" +) + +type SecretGeneratorPlugin struct { + h *resmap.PluginHelpers + types.ObjectMeta `json:"metadata,omitempty" yaml:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` + types.SecretArgs +} + +func (p *SecretGeneratorPlugin) Config(h *resmap.PluginHelpers, config []byte) (err error) { + p.SecretArgs = types.SecretArgs{} + err = yaml.Unmarshal(config, p) + if p.SecretArgs.Name == "" { + p.SecretArgs.Name = p.Name + } + if p.SecretArgs.Namespace == "" { + p.SecretArgs.Namespace = p.Namespace + } + p.h = h + return +} + +func (p *SecretGeneratorPlugin) Generate() (resmap.ResMap, error) { + return p.h.ResmapFactory().FromSecretArgs( + kv.NewLoader(p.h.Loader(), p.h.Validator()), p.SecretArgs) +} + +func NewSecretGeneratorPlugin() resmap.GeneratorPlugin { + return &SecretGeneratorPlugin{} +} diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/builtins/SortOrderTransformer.go b/vendor/sigs.k8s.io/kustomize/api/internal/builtins/SortOrderTransformer.go new file mode 100644 index 0000000000..90e290719e --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/internal/builtins/SortOrderTransformer.go @@ -0,0 +1,238 @@ +// Code generated by pluginator on SortOrderTransformer; DO NOT EDIT. +// pluginator {(devel) unknown } + +package builtins + +import ( + "sort" + "strings" + + "sigs.k8s.io/kustomize/api/resmap" + "sigs.k8s.io/kustomize/api/resource" + "sigs.k8s.io/kustomize/api/types" + "sigs.k8s.io/kustomize/kyaml/errors" + "sigs.k8s.io/kustomize/kyaml/resid" + "sigs.k8s.io/yaml" +) + +// Sort the resources using a customizable ordering based of Kind. +// Defaults to the ordering of the GVK struct, which puts cluster-wide basic +// resources with no dependencies (like Namespace, StorageClass, etc.) first, +// and resources with a high number of dependencies +// (like ValidatingWebhookConfiguration) last. +type SortOrderTransformerPlugin struct { + SortOptions *types.SortOptions `json:"sortOptions,omitempty" yaml:"sortOptions,omitempty"` +} + +func (p *SortOrderTransformerPlugin) Config( + _ *resmap.PluginHelpers, c []byte) error { + return errors.WrapPrefixf(yaml.Unmarshal(c, p), "Failed to unmarshal SortOrderTransformer config") +} + +func (p *SortOrderTransformerPlugin) applyDefaults() { + // Default to FIFO sort, aka no-op. + if p.SortOptions == nil { + p.SortOptions = &types.SortOptions{ + Order: types.FIFOSortOrder, + } + } + + // If legacy sort is selected and no options are given, default to + // hardcoded order. + if p.SortOptions.Order == types.LegacySortOrder && p.SortOptions.LegacySortOptions == nil { + p.SortOptions.LegacySortOptions = &types.LegacySortOptions{ + OrderFirst: defaultOrderFirst, + OrderLast: defaultOrderLast, + } + } +} + +func (p *SortOrderTransformerPlugin) validate() error { + // Check valid values for SortOrder + if p.SortOptions.Order != types.FIFOSortOrder && p.SortOptions.Order != types.LegacySortOrder { + return errors.Errorf("the field 'sortOptions.order' must be one of [%s, %s]", + types.FIFOSortOrder, types.LegacySortOrder) + } + + // Validate that the only options set are the ones corresponding to the + // selected sort order. + if p.SortOptions.Order == types.FIFOSortOrder && + p.SortOptions.LegacySortOptions != nil { + return errors.Errorf("the field 'sortOptions.legacySortOptions' is"+ + " set but the selected sort order is '%v', not 'legacy'", + p.SortOptions.Order) + } + return nil +} + +func (p *SortOrderTransformerPlugin) Transform(m resmap.ResMap) (err error) { + p.applyDefaults() + err = p.validate() + if err != nil { + return err + } + + // Sort + if p.SortOptions.Order == types.LegacySortOrder { + s := newLegacyIDSorter(m.Resources(), p.SortOptions.LegacySortOptions) + sort.Sort(s) + + // Clear the map and re-add the resources in the sorted order. + m.Clear() + for _, r := range s.resources { + err := m.Append(r) + if err != nil { + return errors.WrapPrefixf(err, "SortOrderTransformer: Failed to append to resources") + } + } + } + return nil +} + +// Code for legacy sorting. +// Legacy sorting is a "fixed" order sorting maintained for backwards +// compatibility. + +// legacyIDSorter sorts resources based on two priority lists: +// - orderFirst: Resources that should be placed in the start, in the given order. +// - orderLast: Resources that should be placed in the end, in the given order. +type legacyIDSorter struct { + // resids only stores the metadata of the object. This is an optimization as + // it's expensive to compute these again and again during ordering. + resids []resid.ResId + // Initially, we sorted the metadata (ResId) of each object and then called GetByCurrentId on each to construct the final list. + // The problem is that GetByCurrentId is inefficient and does a linear scan in a list every time we do that. + // So instead, we sort resources alongside the ResIds. + resources []*resource.Resource + + typeOrders map[string]int +} + +func newLegacyIDSorter( + resources []*resource.Resource, + options *types.LegacySortOptions) *legacyIDSorter { + // Precalculate a resource ranking based on the priority lists. + var typeOrders = func() map[string]int { + m := map[string]int{} + for i, n := range options.OrderFirst { + m[n] = -len(options.OrderFirst) + i + } + for i, n := range options.OrderLast { + m[n] = 1 + i + } + return m + }() + + ret := &legacyIDSorter{typeOrders: typeOrders} + for _, res := range resources { + ret.resids = append(ret.resids, res.CurId()) + ret.resources = append(ret.resources, res) + } + return ret +} + +var _ sort.Interface = legacyIDSorter{} + +func (a legacyIDSorter) Len() int { return len(a.resids) } +func (a legacyIDSorter) Swap(i, j int) { + a.resids[i], a.resids[j] = a.resids[j], a.resids[i] + a.resources[i], a.resources[j] = a.resources[j], a.resources[i] +} +func (a legacyIDSorter) Less(i, j int) bool { + if !a.resids[i].Gvk.Equals(a.resids[j].Gvk) { + return gvkLessThan(a.resids[i].Gvk, a.resids[j].Gvk, a.typeOrders) + } + return legacyResIDSortString(a.resids[i]) < legacyResIDSortString(a.resids[j]) +} + +func gvkLessThan(gvk1, gvk2 resid.Gvk, typeOrders map[string]int) bool { + index1 := typeOrders[gvk1.Kind] + index2 := typeOrders[gvk2.Kind] + if index1 != index2 { + return index1 < index2 + } + if (gvk1.Kind == types.NamespaceKind && gvk2.Kind == types.NamespaceKind) && (gvk1.Group == "" || gvk2.Group == "") { + return legacyGVKSortString(gvk1) > legacyGVKSortString(gvk2) + } + return legacyGVKSortString(gvk1) < legacyGVKSortString(gvk2) +} + +// legacyGVKSortString returns a string representation of given GVK used for +// stable sorting. +func legacyGVKSortString(x resid.Gvk) string { + legacyNoGroup := "~G" + legacyNoVersion := "~V" + legacyNoKind := "~K" + legacyFieldSeparator := "_" + + g := x.Group + if g == "" { + g = legacyNoGroup + } + v := x.Version + if v == "" { + v = legacyNoVersion + } + k := x.Kind + if k == "" { + k = legacyNoKind + } + return strings.Join([]string{g, v, k}, legacyFieldSeparator) +} + +// legacyResIDSortString returns a string representation of given ResID used for +// stable sorting. +func legacyResIDSortString(id resid.ResId) string { + legacyNoNamespace := "~X" + legacyNoName := "~N" + legacySeparator := "|" + + ns := id.Namespace + if ns == "" { + ns = legacyNoNamespace + } + nm := id.Name + if nm == "" { + nm = legacyNoName + } + return strings.Join( + []string{id.Gvk.String(), ns, nm}, legacySeparator) +} + +// DO NOT CHANGE! +// Final legacy ordering provided as a default by kustomize. +// Originally an attempt to apply resources in the correct order, an effort +// which later proved impossible as not all types are known beforehand. +// See: https://github.com/kubernetes-sigs/kustomize/issues/3913 +var defaultOrderFirst = []string{ //nolint:gochecknoglobals + "Namespace", + "ResourceQuota", + "StorageClass", + "CustomResourceDefinition", + "ServiceAccount", + "PodSecurityPolicy", + "Role", + "ClusterRole", + "RoleBinding", + "ClusterRoleBinding", + "ConfigMap", + "Secret", + "Endpoints", + "Service", + "LimitRange", + "PriorityClass", + "PersistentVolume", + "PersistentVolumeClaim", + "Deployment", + "StatefulSet", + "CronJob", + "PodDisruptionBudget", +} +var defaultOrderLast = []string{ //nolint:gochecknoglobals + "MutatingWebhookConfiguration", + "ValidatingWebhookConfiguration", +} + +func NewSortOrderTransformerPlugin() resmap.TransformerPlugin { + return &SortOrderTransformerPlugin{} +} diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/builtins/SuffixTransformer.go b/vendor/sigs.k8s.io/kustomize/api/internal/builtins/SuffixTransformer.go new file mode 100644 index 0000000000..31b5b8fea0 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/internal/builtins/SuffixTransformer.go @@ -0,0 +1,96 @@ +// Code generated by pluginator on SuffixTransformer; DO NOT EDIT. +// pluginator {(devel) unknown } + +package builtins + +import ( + "errors" + + "sigs.k8s.io/kustomize/api/filters/suffix" + "sigs.k8s.io/kustomize/api/resmap" + "sigs.k8s.io/kustomize/api/types" + "sigs.k8s.io/kustomize/kyaml/resid" + "sigs.k8s.io/kustomize/kyaml/yaml" +) + +// Add the given suffix to the field +type SuffixTransformerPlugin struct { + Suffix string `json:"suffix,omitempty" yaml:"suffix,omitempty"` + FieldSpecs types.FsSlice `json:"fieldSpecs,omitempty" yaml:"fieldSpecs,omitempty"` +} + +// TODO: Make this gvk skip list part of the config. +var suffixFieldSpecsToSkip = types.FsSlice{ + {Gvk: resid.Gvk{Kind: "CustomResourceDefinition"}}, + {Gvk: resid.Gvk{Group: "apiregistration.k8s.io", Kind: "APIService"}}, + {Gvk: resid.Gvk{Kind: "Namespace"}}, +} + +func (p *SuffixTransformerPlugin) Config( + _ *resmap.PluginHelpers, c []byte) (err error) { + p.Suffix = "" + p.FieldSpecs = nil + err = yaml.Unmarshal(c, p) + if err != nil { + return + } + if p.FieldSpecs == nil { + return errors.New("fieldSpecs is not expected to be nil") + } + return +} + +func (p *SuffixTransformerPlugin) Transform(m resmap.ResMap) error { + // Even if the Suffix is empty we want to proceed with the + // transformation. This allows to add contextual information + // to the resources (AddNameSuffix). + for _, r := range m.Resources() { + // TODO: move this test into the filter (i.e. make a better filter) + if p.shouldSkip(r.OrgId()) { + continue + } + id := r.OrgId() + // current default configuration contains + // only one entry: "metadata/name" with no GVK + for _, fs := range p.FieldSpecs { + // TODO: this is redundant to filter (but needed for now) + if !id.IsSelected(&fs.Gvk) { + continue + } + // TODO: move this test into the filter. + if fs.Path == "metadata/name" { + // "metadata/name" is the only field. + // this will add a suffix to the resource + // even if it is empty + + r.AddNameSuffix(p.Suffix) + if p.Suffix != "" { + // TODO: There are multiple transformers that can change a resource's name, and each makes a call to + // StorePreviousID(). We should make it so that we only call StorePreviousID once per kustomization layer + // to avoid storing intermediate names between transformations, to prevent intermediate name conflicts. + r.StorePreviousId() + } + } + if err := r.ApplyFilter(suffix.Filter{ + Suffix: p.Suffix, + FieldSpec: fs, + }); err != nil { + return err + } + } + } + return nil +} + +func (p *SuffixTransformerPlugin) shouldSkip(id resid.ResId) bool { + for _, path := range suffixFieldSpecsToSkip { + if id.IsSelected(&path.Gvk) { + return true + } + } + return false +} + +func NewSuffixTransformerPlugin() resmap.TransformerPlugin { + return &SuffixTransformerPlugin{} +} diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/builtins/ValueAddTransformer.go b/vendor/sigs.k8s.io/kustomize/api/internal/builtins/ValueAddTransformer.go new file mode 100644 index 0000000000..1d70c98c2c --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/internal/builtins/ValueAddTransformer.go @@ -0,0 +1,141 @@ +// Code generated by pluginator on ValueAddTransformer; DO NOT EDIT. +// pluginator {(devel) unknown } + +package builtins + +import ( + "fmt" + "path/filepath" + "strings" + + "sigs.k8s.io/kustomize/api/filters/namespace" + "sigs.k8s.io/kustomize/api/filters/valueadd" + "sigs.k8s.io/kustomize/api/resmap" + "sigs.k8s.io/kustomize/api/resource" + "sigs.k8s.io/kustomize/api/types" + "sigs.k8s.io/yaml" +) + +// An 'Add' transformer inspired by the IETF RFC 6902 JSON spec Add operation. +type ValueAddTransformerPlugin struct { + // Value is the value to add. + // Defaults to base name of encompassing kustomization root. + Value string `json:"value,omitempty" yaml:"value,omitempty"` + + // Targets is a slice of targets that should have the value added. + Targets []Target `json:"targets,omitempty" yaml:"targets,omitempty"` + + // TargetFilePath is a file path. If specified, the file will be parsed into + // a slice of Target, and appended to anything that was specified in the + // Targets field. This is just a means to share common target specifications. + TargetFilePath string `json:"targetFilePath,omitempty" yaml:"targetFilePath,omitempty"` +} + +// Target describes where to put the value. +type Target struct { + // Selector selects the resources to modify. + Selector *types.Selector `json:"selector,omitempty" yaml:"selector,omitempty"` + + // NotSelector selects the resources to exclude + // from those included by overly broad selectors. + // TODO: implement this? + // NotSelector *types.Selector `json:"notSelector,omitempty" yaml:"notSelector,omitempty"` + + // FieldPath is a JSON-style path to the field intended to hold the value. + FieldPath string `json:"fieldPath,omitempty" yaml:"fieldPath,omitempty"` + + // FilePathPosition is passed to the filter directly. Look there for doc. + FilePathPosition int `json:"filePathPosition,omitempty" yaml:"filePathPosition,omitempty"` +} + +func (p *ValueAddTransformerPlugin) Config(h *resmap.PluginHelpers, c []byte) error { + err := yaml.Unmarshal(c, p) + if err != nil { + return err + } + p.Value = strings.TrimSpace(p.Value) + if p.Value == "" { + p.Value = filepath.Base(h.Loader().Root()) + } + if p.TargetFilePath != "" { + bytes, err := h.Loader().Load(p.TargetFilePath) + if err != nil { + return err + } + var targets struct { + Targets []Target `json:"targets,omitempty" yaml:"targets,omitempty"` + } + err = yaml.Unmarshal(bytes, &targets) + if err != nil { + return err + } + p.Targets = append(p.Targets, targets.Targets...) + } + if len(p.Targets) == 0 { + return fmt.Errorf("must specify at least one target") + } + for _, target := range p.Targets { + if err = validateSelector(target.Selector); err != nil { + return err + } + // TODO: call validateSelector(target.NotSelector) if field added. + if err = validateJsonFieldPath(target.FieldPath); err != nil { + return err + } + if target.FilePathPosition < 0 { + return fmt.Errorf( + "value of FilePathPosition (%d) cannot be negative", + target.FilePathPosition) + } + } + return nil +} + +// TODO: implement +func validateSelector(_ *types.Selector) error { + return nil +} + +// TODO: Enforce RFC 6902? +func validateJsonFieldPath(p string) error { + if len(p) == 0 { + return fmt.Errorf("fieldPath cannot be empty") + } + return nil +} + +func (p *ValueAddTransformerPlugin) Transform(m resmap.ResMap) (err error) { + for _, t := range p.Targets { + var resources []*resource.Resource + if t.Selector == nil { + resources = m.Resources() + } else { + resources, err = m.Select(*t.Selector) + if err != nil { + return err + } + } + // TODO: consider t.NotSelector if implemented + for _, res := range resources { + if t.FieldPath == types.MetadataNamespacePath { + err = res.ApplyFilter(namespace.Filter{ + Namespace: p.Value, + }) + } else { + err = res.ApplyFilter(valueadd.Filter{ + Value: p.Value, + FieldPath: t.FieldPath, + FilePathPosition: t.FilePathPosition, + }) + } + if err != nil { + return err + } + } + } + return nil +} + +func NewValueAddTransformerPlugin() resmap.TransformerPlugin { + return &ValueAddTransformerPlugin{} +} diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/builtins/doc.go b/vendor/sigs.k8s.io/kustomize/api/internal/builtins/doc.go new file mode 100644 index 0000000000..37a8dc6e7d --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/internal/builtins/doc.go @@ -0,0 +1,8 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +// Package builtins holds code generated from the builtin plugins. +// The "builtin" plugins are written as normal plugins and can +// be used as such, but they are also used to generate the code +// in this package so they can be statically linked to client code. +package builtins diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/generators/configmap.go b/vendor/sigs.k8s.io/kustomize/api/internal/generators/configmap.go new file mode 100644 index 0000000000..47498aaa58 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/internal/generators/configmap.go @@ -0,0 +1,52 @@ +// Copyright 2020 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package generators + +import ( + "sigs.k8s.io/kustomize/api/ifc" + "sigs.k8s.io/kustomize/api/types" + "sigs.k8s.io/kustomize/kyaml/yaml" +) + +// MakeConfigMap makes a configmap. +// +// ConfigMap: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#configmap-v1-core +// +// ConfigMaps and Secrets are similar. +// +// Both objects have a `data` field, which contains a map from keys to +// values that must be UTF-8 valid strings. Such data might be simple text, +// or whoever made the data may have done so by performing a base64 encoding +// on binary data. Regardless, k8s has no means to know this, so it treats +// the data field as a string. +// +// The ConfigMap has an additional field `binaryData`, also a map, but its +// values are _intended_ to be interpreted as a base64 encoding of []byte, +// by whatever makes use of the ConfigMap. +// +// In a ConfigMap, any key used in `data` cannot also be used in `binaryData` +// and vice-versa. A key must be unique across both maps. +func MakeConfigMap( + ldr ifc.KvLoader, args *types.ConfigMapArgs) (rn *yaml.RNode, err error) { + rn, err = makeBaseNode("ConfigMap", args.Name, args.Namespace) + if err != nil { + return nil, err + } + m, err := makeValidatedDataMap(ldr, args.Name, args.KvPairSources) + if err != nil { + return nil, err + } + if err = rn.LoadMapIntoConfigMapData(m); err != nil { + return nil, err + } + err = copyLabelsAndAnnotations(rn, args.Options) + if err != nil { + return nil, err + } + err = setImmutable(rn, args.Options) + if err != nil { + return nil, err + } + return rn, nil +} diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/generators/secret.go b/vendor/sigs.k8s.io/kustomize/api/internal/generators/secret.go new file mode 100644 index 0000000000..9afaff156a --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/internal/generators/secret.go @@ -0,0 +1,59 @@ +// Copyright 2020 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package generators + +import ( + "sigs.k8s.io/kustomize/api/ifc" + "sigs.k8s.io/kustomize/api/types" + "sigs.k8s.io/kustomize/kyaml/yaml" +) + +// MakeSecret makes a kubernetes Secret. +// +// Secret: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#secret-v1-core +// +// ConfigMaps and Secrets are similar. +// +// Like a ConfigMap, a Secret has a `data` field, but unlike a ConfigMap it has +// no `binaryData` field. +// +// All of a Secret's data is assumed to be opaque in nature, and assumed to be +// base64 encoded from its original representation, regardless of whether the +// original data was UTF-8 text or binary. +// +// This encoding provides no secrecy. It's just a neutral, common means to +// represent opaque text and binary data. Beneath the base64 encoding +// is presumably further encoding under control of the Secret's consumer. +// +// A Secret has string field `type` which holds an identifier, used by the +// client, to choose the algorithm to interpret the `data` field. Kubernetes +// cannot make use of this data; it's up to a controller or some pod's service +// to interpret the value, using `type` as a clue as to how to do this. +func MakeSecret( + ldr ifc.KvLoader, args *types.SecretArgs) (rn *yaml.RNode, err error) { + rn, err = makeBaseNode("Secret", args.Name, args.Namespace) + if err != nil { + return nil, err + } + t := "Opaque" + if args.Type != "" { + t = args.Type + } + if _, err := rn.Pipe( + yaml.FieldSetter{ + Name: "type", + Value: yaml.NewStringRNode(t)}); err != nil { + return nil, err + } + m, err := makeValidatedDataMap(ldr, args.Name, args.KvPairSources) + if err != nil { + return nil, err + } + if err = rn.LoadMapIntoSecretData(m); err != nil { + return nil, err + } + copyLabelsAndAnnotations(rn, args.Options) + setImmutable(rn, args.Options) + return rn, nil +} diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/generators/utils.go b/vendor/sigs.k8s.io/kustomize/api/internal/generators/utils.go new file mode 100644 index 0000000000..b570c7e91b --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/internal/generators/utils.go @@ -0,0 +1,124 @@ +// Copyright 2020 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package generators + +import ( + "fmt" + "path" + "strings" + + "github.com/go-errors/errors" + "sigs.k8s.io/kustomize/api/ifc" + "sigs.k8s.io/kustomize/api/types" + "sigs.k8s.io/kustomize/kyaml/yaml" +) + +func makeBaseNode(kind, name, namespace string) (*yaml.RNode, error) { + rn, err := yaml.Parse(fmt.Sprintf(` +apiVersion: v1 +kind: %s +`, kind)) + if err != nil { + return nil, err + } + if name == "" { + return nil, errors.Errorf("a configmap must have a name") + } + if _, err := rn.Pipe(yaml.SetK8sName(name)); err != nil { + return nil, err + } + if namespace != "" { + if _, err := rn.Pipe(yaml.SetK8sNamespace(namespace)); err != nil { + return nil, err + } + } + return rn, nil +} + +func makeValidatedDataMap( + ldr ifc.KvLoader, name string, sources types.KvPairSources) (map[string]string, error) { + pairs, err := ldr.Load(sources) + if err != nil { + return nil, errors.WrapPrefix(err, "loading KV pairs", 0) + } + knownKeys := make(map[string]string) + for _, p := range pairs { + // legal key: alphanumeric characters, '-', '_' or '.' + if err := ldr.Validator().ErrIfInvalidKey(p.Key); err != nil { + return nil, err + } + if _, ok := knownKeys[p.Key]; ok { + return nil, errors.Errorf( + "configmap %s illegally repeats the key `%s`", name, p.Key) + } + knownKeys[p.Key] = p.Value + } + return knownKeys, nil +} + +// copyLabelsAndAnnotations copies labels and annotations from +// GeneratorOptions into the given object. +func copyLabelsAndAnnotations( + rn *yaml.RNode, opts *types.GeneratorOptions) error { + if opts == nil { + return nil + } + for _, k := range yaml.SortedMapKeys(opts.Labels) { + v := opts.Labels[k] + if _, err := rn.Pipe(yaml.SetLabel(k, v)); err != nil { + return err + } + } + for _, k := range yaml.SortedMapKeys(opts.Annotations) { + v := opts.Annotations[k] + if _, err := rn.Pipe(yaml.SetAnnotation(k, v)); err != nil { + return err + } + } + return nil +} + +func setImmutable( + rn *yaml.RNode, opts *types.GeneratorOptions) error { + if opts == nil { + return nil + } + if opts.Immutable { + n := &yaml.Node{ + Kind: yaml.ScalarNode, + Value: "true", + Tag: yaml.NodeTagBool, + } + if _, err := rn.Pipe(yaml.FieldSetter{Name: "immutable", Value: yaml.NewRNode(n)}); err != nil { + return err + } + } + + return nil +} + +// ParseFileSource parses the source given. +// +// Acceptable formats include: +// 1. source-path: the basename will become the key name +// 2. source-name=source-path: the source-name will become the key name and +// source-path is the path to the key file. +// +// Key names cannot include '='. +func ParseFileSource(source string) (keyName, filePath string, err error) { + numSeparators := strings.Count(source, "=") + switch { + case numSeparators == 0: + return path.Base(source), source, nil + case numSeparators == 1 && strings.HasPrefix(source, "="): + return "", "", errors.Errorf("missing key name for file path %q in source %q", strings.TrimPrefix(source, "="), source) + case numSeparators == 1 && strings.HasSuffix(source, "="): + return "", "", errors.Errorf("missing file path for key name %q in source %q", strings.TrimSuffix(source, "="), source) + case numSeparators > 1: + return "", "", errors.Errorf("source %q key name or file path contains '='", source) + default: + components := strings.Split(source, "=") + return components[0], components[1], nil + } +} diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/git/cloner.go b/vendor/sigs.k8s.io/kustomize/api/internal/git/cloner.go new file mode 100644 index 0000000000..2098cdd31e --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/internal/git/cloner.go @@ -0,0 +1,56 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package git + +import ( + "sigs.k8s.io/kustomize/kyaml/filesys" +) + +// Cloner is a function that can clone a git repo. +type Cloner func(repoSpec *RepoSpec) error + +// ClonerUsingGitExec uses a local git install, as opposed +// to say, some remote API, to obtain a local clone of +// a remote repo. +func ClonerUsingGitExec(repoSpec *RepoSpec) error { + r, err := newCmdRunner(repoSpec.Timeout) + if err != nil { + return err + } + repoSpec.Dir = r.dir + if err = r.run("init"); err != nil { + return err + } + // git relative submodule need origin, see https://github.com/kubernetes-sigs/kustomize/issues/5131 + if err = r.run("remote", "add", "origin", repoSpec.CloneSpec()); err != nil { + return err + } + ref := "HEAD" + if repoSpec.Ref != "" { + ref = repoSpec.Ref + } + // we use repoSpec.CloneSpec() instead of origin because on error, + // the prior prints the actual repo url for the user. + if err = r.run("fetch", "--depth=1", repoSpec.CloneSpec(), ref); err != nil { + return err + } + if err = r.run("checkout", "FETCH_HEAD"); err != nil { + return err + } + if repoSpec.Submodules { + return r.run("submodule", "update", "--init", "--recursive") + } + return nil +} + +// DoNothingCloner returns a cloner that only sets +// cloneDir field in the repoSpec. It's assumed that +// the cloneDir is associated with some fake filesystem +// used in a test. +func DoNothingCloner(dir filesys.ConfirmedDir) Cloner { + return func(rs *RepoSpec) error { + rs.Dir = dir + return nil + } +} diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/git/gitrunner.go b/vendor/sigs.k8s.io/kustomize/api/internal/git/gitrunner.go new file mode 100644 index 0000000000..134eb41c5f --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/internal/git/gitrunner.go @@ -0,0 +1,55 @@ +// Copyright 2020 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package git + +import ( + "os/exec" + "time" + + "sigs.k8s.io/kustomize/api/internal/utils" + "sigs.k8s.io/kustomize/kyaml/errors" + "sigs.k8s.io/kustomize/kyaml/filesys" +) + +// gitRunner runs the external git binary. +type gitRunner struct { + gitProgram string + duration time.Duration + dir filesys.ConfirmedDir +} + +// newCmdRunner returns a gitRunner if it can find the binary. +// It also creats a temp directory for cloning repos. +func newCmdRunner(timeout time.Duration) (*gitRunner, error) { + gitProgram, err := exec.LookPath("git") + if err != nil { + return nil, errors.WrapPrefixf(err, "no 'git' program on path") + } + dir, err := filesys.NewTmpConfirmedDir() + if err != nil { + return nil, err + } + return &gitRunner{ + gitProgram: gitProgram, + duration: timeout, + dir: dir, + }, nil +} + +// run a command with a timeout. +func (r gitRunner) run(args ...string) error { + //nolint: gosec + cmd := exec.Command(r.gitProgram, args...) + cmd.Dir = r.dir.String() + return utils.TimedCall( + cmd.String(), + r.duration, + func() error { + out, err := cmd.CombinedOutput() + if err != nil { + return errors.WrapPrefixf(err, "failed to run '%s': %s", cmd.String(), string(out)) + } + return err + }) +} diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/git/repospec.go b/vendor/sigs.k8s.io/kustomize/api/internal/git/repospec.go new file mode 100644 index 0000000000..ba6156cc5b --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/internal/git/repospec.go @@ -0,0 +1,387 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package git + +import ( + "fmt" + "log" + "net/url" + "path/filepath" + "regexp" + "strconv" + "strings" + "time" + + "sigs.k8s.io/kustomize/kyaml/errors" + "sigs.k8s.io/kustomize/kyaml/filesys" +) + +// Used as a temporary non-empty occupant of the cloneDir +// field, as something distinguishable from the empty string +// in various outputs (especially tests). Not using an +// actual directory name here, as that's a temporary directory +// with a unique name that isn't created until clone time. +const notCloned = filesys.ConfirmedDir("/notCloned") + +// RepoSpec specifies a git repository and a branch and path therein. +type RepoSpec struct { + // Raw, original spec, used to look for cycles. + // TODO(monopole): Drop raw, use processed fields instead. + raw string + + // Host, e.g. https://github.com/ + Host string + + // RepoPath name (Path to repository), + // e.g. kubernetes-sigs/kustomize + RepoPath string + + // Dir is where the repository is cloned to. + Dir filesys.ConfirmedDir + + // Relative path in the repository, and in the cloneDir, + // to a Kustomization. + KustRootPath string + + // Branch or tag reference. + Ref string + + // Submodules indicates whether or not to clone git submodules. + Submodules bool + + // Timeout is the maximum duration allowed for execing git commands. + Timeout time.Duration +} + +// CloneSpec returns a string suitable for "git clone {spec}". +func (x *RepoSpec) CloneSpec() string { + return x.Host + x.RepoPath +} + +func (x *RepoSpec) CloneDir() filesys.ConfirmedDir { + return x.Dir +} + +func (x *RepoSpec) Raw() string { + return x.raw +} + +func (x *RepoSpec) AbsPath() string { + return x.Dir.Join(x.KustRootPath) +} + +func (x *RepoSpec) Cleaner(fSys filesys.FileSystem) func() error { + return func() error { return fSys.RemoveAll(x.Dir.String()) } +} + +const ( + refQuery = "?ref=" + gitSuffix = ".git" + gitRootDelimiter = "_git/" + pathSeparator = "/" // do not use filepath.Separator, as this is a URL +) + +// NewRepoSpecFromURL parses git-like urls. +// From strings like git@github.com:someOrg/someRepo.git or +// https://github.com/someOrg/someRepo?ref=someHash, extract +// the different parts of URL, set into a RepoSpec object and return RepoSpec object. +// It MUST return an error if the input is not a git-like URL, as this is used by some code paths +// to distinguish between local and remote paths. +// +// In particular, NewRepoSpecFromURL separates the URL used to clone the repo from the +// elements Kustomize uses for other purposes (e.g. query params that turn into args, and +// the path to the kustomization root within the repo). +func NewRepoSpecFromURL(n string) (*RepoSpec, error) { + repoSpec := &RepoSpec{raw: n, Dir: notCloned, Timeout: defaultTimeout, Submodules: defaultSubmodules} + if filepath.IsAbs(n) { + return nil, fmt.Errorf("uri looks like abs path: %s", n) + } + + // Parse the query first. This is safe because according to rfc3986 "?" is only allowed in the + // query and is not recognized %-encoded. + // Note that parseQuery returns default values for empty parameters. + n, query, _ := strings.Cut(n, "?") + repoSpec.Ref, repoSpec.Timeout, repoSpec.Submodules = parseQuery(query) + + var err error + + // Parse the host (e.g. scheme, username, domain) segment. + repoSpec.Host, n, err = extractHost(n) + if err != nil { + return nil, err + } + + // In some cases, we're given a path to a git repo + a path to the kustomization root within + // that repo. We need to split them so that we can ultimately give the repo only to the cloner. + repoSpec.RepoPath, repoSpec.KustRootPath, err = parsePathParts(n, defaultRepoPathLength(repoSpec.Host)) + if err != nil { + return nil, err + } + + return repoSpec, nil +} + +const allSegments = -999999 +const orgRepoSegments = 2 + +func defaultRepoPathLength(host string) int { + if strings.HasPrefix(host, fileScheme) { + return allSegments + } + return orgRepoSegments +} + +// parsePathParts splits the repo path that will ultimately be passed to git to clone the +// repo from the kustomization root path, which Kustomize will execute the build in after the repo +// is cloned. +// +// We first try to do this based on explicit markers in the URL (e.g. _git, .git or //). +// If none are present, we try to apply a historical default repo path length that is derived from +// Github URLs. If there aren't enough segments, we have historically considered the URL invalid. +func parsePathParts(n string, defaultSegmentLength int) (string, string, error) { + repoPath, kustRootPath, success := tryExplicitMarkerSplit(n) + if !success { + repoPath, kustRootPath, success = tryDefaultLengthSplit(n, defaultSegmentLength) + } + + // Validate the result + if !success || len(repoPath) == 0 { + return "", "", fmt.Errorf("failed to parse repo path segment") + } + if kustRootPathExitsRepo(kustRootPath) { + return "", "", fmt.Errorf("url path exits repo: %s", n) + } + + return repoPath, strings.TrimPrefix(kustRootPath, pathSeparator), nil +} + +func tryExplicitMarkerSplit(n string) (string, string, bool) { + // Look for the _git delimiter, which by convention is expected to be ONE directory above the repo root. + // If found, split on the NEXT path element, which is the repo root. + // Example: https://username@dev.azure.com/org/project/_git/repo/path/to/kustomization/root + if gitRootIdx := strings.Index(n, gitRootDelimiter); gitRootIdx >= 0 { + gitRootPath := n[:gitRootIdx+len(gitRootDelimiter)] + subpathSegments := strings.Split(n[gitRootIdx+len(gitRootDelimiter):], pathSeparator) + return gitRootPath + subpathSegments[0], strings.Join(subpathSegments[1:], pathSeparator), true + + // Look for a double-slash in the path, which if present separates the repo root from the kust path. + // It is a convention, not a real path element, so do not preserve it in the returned value. + // Example: https://github.com/org/repo//path/to/kustomozation/root + } else if repoRootIdx := strings.Index(n, "//"); repoRootIdx >= 0 { + return n[:repoRootIdx], n[repoRootIdx+2:], true + + // Look for .git in the path, which if present is part of the directory name of the git repo. + // This means we want to grab everything up to and including that suffix + // Example: https://github.com/org/repo.git/path/to/kustomozation/root + } else if gitSuffixIdx := strings.Index(n, gitSuffix); gitSuffixIdx >= 0 { + upToGitSuffix := n[:gitSuffixIdx+len(gitSuffix)] + afterGitSuffix := n[gitSuffixIdx+len(gitSuffix):] + return upToGitSuffix, afterGitSuffix, true + } + return "", "", false +} + +func tryDefaultLengthSplit(n string, defaultSegmentLength int) (string, string, bool) { + // If the default is to take all segments, do so. + if defaultSegmentLength == allSegments { + return n, "", true + + // If the default is N segments, make sure we have at least that many and take them if so. + // If we have less than N, we have historically considered the URL invalid. + } else if segments := strings.Split(n, pathSeparator); len(segments) >= defaultSegmentLength { + firstNSegments := strings.Join(segments[:defaultSegmentLength], pathSeparator) + rest := strings.Join(segments[defaultSegmentLength:], pathSeparator) + return firstNSegments, rest, true + } + return "", "", false +} + +func kustRootPathExitsRepo(kustRootPath string) bool { + cleanedPath := filepath.Clean(strings.TrimPrefix(kustRootPath, string(filepath.Separator))) + pathElements := strings.Split(cleanedPath, string(filepath.Separator)) + return len(pathElements) > 0 && + pathElements[0] == filesys.ParentDir +} + +// Clone git submodules by default. +const defaultSubmodules = true + +// Arbitrary, but non-infinite, timeout for running commands. +const defaultTimeout = 27 * time.Second + +func parseQuery(query string) (string, time.Duration, bool) { + values, err := url.ParseQuery(query) + // in event of parse failure, return defaults + if err != nil { + return "", defaultTimeout, defaultSubmodules + } + + // ref is the desired git ref to target. Can be specified by in a git URL + // with ?ref= or ?version=, although ref takes precedence. + ref := values.Get("version") + if queryValue := values.Get("ref"); queryValue != "" { + ref = queryValue + } + + // depth is the desired git exec timeout. Can be specified by in a git URL + // with ?timeout=. + duration := defaultTimeout + if queryValue := values.Get("timeout"); queryValue != "" { + // Attempt to first parse as a number of integer seconds (like "61"), + // and then attempt to parse as a suffixed duration (like "61s"). + if intValue, err := strconv.Atoi(queryValue); err == nil && intValue > 0 { + duration = time.Duration(intValue) * time.Second + } else if durationValue, err := time.ParseDuration(queryValue); err == nil && durationValue > 0 { + duration = durationValue + } + } + + // submodules indicates if git submodule cloning is desired. Can be + // specified by in a git URL with ?submodules=. + submodules := defaultSubmodules + if queryValue := values.Get("submodules"); queryValue != "" { + if boolValue, err := strconv.ParseBool(queryValue); err == nil { + submodules = boolValue + } + } + + return ref, duration, submodules +} + +func extractHost(n string) (string, string, error) { + n = ignoreForcedGitProtocol(n) + scheme, n := extractScheme(n) + username, n := extractUsername(n) + stdGithub := isStandardGithubHost(n) + acceptSCP := acceptSCPStyle(scheme, username, stdGithub) + + // Validate the username and scheme before attempting host/path parsing, because if the parsing + // so far has not succeeded, we will not be able to extract the host and path correctly. + if err := validateScheme(scheme, acceptSCP); err != nil { + return "", "", err + } + + // Now that we have extracted a valid scheme+username, we can parse host itself. + + // The file protocol specifies an absolute path to a local git repo. + // Everything after the scheme (including any 'username' we found) is actually part of that path. + if scheme == fileScheme { + return scheme, username + n, nil + } + var host, rest = n, "" + if sepIndex := findPathSeparator(n, acceptSCP); sepIndex >= 0 { + host, rest = n[:sepIndex+1], n[sepIndex+1:] + } + + // Github URLs are strictly normalized in a way that may discard scheme and username components. + if stdGithub { + scheme, username, host = normalizeGithubHostParts(scheme, username) + } + + // Host is required, so do not concat the scheme and username if we didn't find one. + if host == "" { + return "", "", errors.Errorf("failed to parse host segment") + } + return scheme + username + host, rest, nil +} + +// ignoreForcedGitProtocol strips the "git::" prefix from URLs. +// We used to use go-getter to handle our urls: https://github.com/hashicorp/go-getter. +// The git:: prefix signaled go-getter to use the git protocol to fetch the url's contents. +// We silently strip this prefix to allow these go-getter-style urls to continue to work, +// although the git protocol (which is insecure and unsupported on many platforms, including Github) +// will not actually be used as intended. +func ignoreForcedGitProtocol(n string) string { + n, found := trimPrefixIgnoreCase(n, "git::") + if found { + log.Println("Warning: Forcing the git protocol using the 'git::' URL prefix is not supported. " + + "Kustomize currently strips this invalid prefix, but will stop doing so in a future release. " + + "Please remove the 'git::' prefix from your configuration.") + } + return n +} + +// acceptSCPStyle returns true if the scheme and username indicate potential use of an SCP-style URL. +// With this style, the scheme is not explicit and the path is delimited by a colon. +// Strictly speaking the username is optional in SCP-like syntax, but Kustomize has always +// required it for non-Github URLs. +// Example: user@host.xz:path/to/repo.git/ +func acceptSCPStyle(scheme, username string, isGithubURL bool) bool { + return scheme == "" && (username != "" || isGithubURL) +} + +func validateScheme(scheme string, acceptSCPStyle bool) error { + // see https://git-scm.com/docs/git-fetch#_git_urls for info relevant to these validations + switch scheme { + case "": + // Empty scheme is only ok if it's a Github URL or if it looks like SCP-style syntax + if !acceptSCPStyle { + return fmt.Errorf("failed to parse scheme") + } + case sshScheme, fileScheme, httpsScheme, httpScheme: + // These are all supported schemes + default: + // At time of writing, we should never end up here because we do not parse out + // unsupported schemes to begin with. + return fmt.Errorf("unsupported scheme %q", scheme) + } + return nil +} + +const fileScheme = "file://" +const httpScheme = "http://" +const httpsScheme = "https://" +const sshScheme = "ssh://" + +func extractScheme(s string) (string, string) { + for _, prefix := range []string{sshScheme, httpsScheme, httpScheme, fileScheme} { + if rest, found := trimPrefixIgnoreCase(s, prefix); found { + return prefix, rest + } + } + return "", s +} + +func extractUsername(s string) (string, string) { + var userRegexp = regexp.MustCompile(`^([a-zA-Z][a-zA-Z0-9-]*)@`) + if m := userRegexp.FindStringSubmatch(s); m != nil { + username := m[1] + "@" + return username, s[len(username):] + } + return "", s +} + +func isStandardGithubHost(s string) bool { + lowerCased := strings.ToLower(s) + return strings.HasPrefix(lowerCased, "github.com/") || + strings.HasPrefix(lowerCased, "github.com:") +} + +// trimPrefixIgnoreCase returns the rest of s and true if prefix, ignoring case, prefixes s. +// Otherwise, trimPrefixIgnoreCase returns s and false. +func trimPrefixIgnoreCase(s, prefix string) (string, bool) { + if len(prefix) <= len(s) && strings.ToLower(s[:len(prefix)]) == prefix { + return s[len(prefix):], true + } + return s, false +} + +func findPathSeparator(hostPath string, acceptSCP bool) int { + sepIndex := strings.Index(hostPath, pathSeparator) + if acceptSCP { + colonIndex := strings.Index(hostPath, ":") + // The colon acts as a delimiter in scp-style ssh URLs only if not prefixed by '/'. + if sepIndex == -1 || (colonIndex > 0 && colonIndex < sepIndex) { + sepIndex = colonIndex + } + } + return sepIndex +} + +func normalizeGithubHostParts(scheme, username string) (string, string, string) { + if strings.HasPrefix(scheme, sshScheme) || username != "" { + return "", username, "github.com:" + } + return httpsScheme, "", "github.com/" +} diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/image/image.go b/vendor/sigs.k8s.io/kustomize/api/internal/image/image.go new file mode 100644 index 0000000000..4a88050b48 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/internal/image/image.go @@ -0,0 +1,66 @@ +// Copyright 2020 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package image + +import ( + "regexp" + "strings" +) + +// IsImageMatched returns true if the value of t is identical to the +// image name in the full image name and tag as given by s. +func IsImageMatched(s, t string) bool { + // Tag values are limited to [a-zA-Z0-9_.{}-]. + // Some tools like Bazel rules_k8s allow tag patterns with {} characters. + // More info: https://github.com/bazelbuild/rules_k8s/pull/423 + pattern, _ := regexp.Compile("^" + t + "(:[a-zA-Z0-9_.{}-]*)?(@sha256:[a-zA-Z0-9_.{}-]*)?$") + return pattern.MatchString(s) +} + +// Split separates and returns the name and tag parts +// from the image string using either colon `:` or at `@` separators. +// image reference pattern: [[host[:port]/]component/]component[:tag][@digest] +func Split(imageName string) (name string, tag string, digest string) { + // check if image name contains a domain + // if domain is present, ignore domain and check for `:` + searchName := imageName + slashIndex := strings.Index(imageName, "/") + if slashIndex > 0 { + searchName = imageName[slashIndex:] + } else { + slashIndex = 0 + } + + id := strings.Index(searchName, "@") + ic := strings.Index(searchName, ":") + + // no tag or digest + if ic < 0 && id < 0 { + return imageName, "", "" + } + + // digest only + if id >= 0 && (id < ic || ic < 0) { + id += slashIndex + name = imageName[:id] + digest = strings.TrimPrefix(imageName[id:], "@") + return name, "", digest + } + + // tag and digest + if id >= 0 && ic >= 0 { + id += slashIndex + ic += slashIndex + name = imageName[:ic] + tag = strings.TrimPrefix(imageName[ic:id], ":") + digest = strings.TrimPrefix(imageName[id:], "@") + return name, tag, digest + } + + // tag only + ic += slashIndex + name = imageName[:ic] + tag = strings.TrimPrefix(imageName[ic:], ":") + return name, tag, "" +} diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts/commonannotations.go b/vendor/sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts/commonannotations.go new file mode 100644 index 0000000000..97c1d6b22d --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts/commonannotations.go @@ -0,0 +1,47 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package builtinpluginconsts + +const commonAnnotationFieldSpecs = ` +commonAnnotations: +- path: metadata/annotations + create: true + +- path: spec/template/metadata/annotations + create: true + version: v1 + kind: ReplicationController + +- path: spec/template/metadata/annotations + create: true + kind: Deployment + +- path: spec/template/metadata/annotations + create: true + kind: ReplicaSet + +- path: spec/template/metadata/annotations + create: true + kind: DaemonSet + +- path: spec/template/metadata/annotations + create: true + kind: StatefulSet + +- path: spec/template/metadata/annotations + create: true + group: batch + kind: Job + +- path: spec/jobTemplate/metadata/annotations + create: true + group: batch + kind: CronJob + +- path: spec/jobTemplate/spec/template/metadata/annotations + create: true + group: batch + kind: CronJob + +` diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts/commonlabels.go b/vendor/sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts/commonlabels.go new file mode 100644 index 0000000000..b2a78f5681 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts/commonlabels.go @@ -0,0 +1,113 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package builtinpluginconsts + +const commonLabelFieldSpecs = ` +commonLabels: +- path: spec/selector + create: true + version: v1 + kind: Service + +- path: spec/selector + create: true + version: v1 + kind: ReplicationController +- path: spec/selector/matchLabels + create: true + kind: Deployment + +- path: spec/template/spec/affinity/podAffinity/preferredDuringSchedulingIgnoredDuringExecution/podAffinityTerm/labelSelector/matchLabels + create: false + group: apps + kind: Deployment + +- path: spec/template/spec/affinity/podAffinity/requiredDuringSchedulingIgnoredDuringExecution/labelSelector/matchLabels + create: false + group: apps + kind: Deployment + +- path: spec/template/spec/affinity/podAntiAffinity/preferredDuringSchedulingIgnoredDuringExecution/podAffinityTerm/labelSelector/matchLabels + create: false + group: apps + kind: Deployment + +- path: spec/template/spec/affinity/podAntiAffinity/requiredDuringSchedulingIgnoredDuringExecution/labelSelector/matchLabels + create: false + group: apps + kind: Deployment + +- path: spec/template/spec/topologySpreadConstraints/labelSelector/matchLabels + create: false + group: apps + kind: Deployment + +- path: spec/selector/matchLabels + create: true + kind: ReplicaSet + +- path: spec/selector/matchLabels + create: true + kind: DaemonSet + +- path: spec/selector/matchLabels + create: true + group: apps + kind: StatefulSet + +- path: spec/template/spec/affinity/podAffinity/preferredDuringSchedulingIgnoredDuringExecution/podAffinityTerm/labelSelector/matchLabels + create: false + group: apps + kind: StatefulSet + +- path: spec/template/spec/affinity/podAffinity/requiredDuringSchedulingIgnoredDuringExecution/labelSelector/matchLabels + create: false + group: apps + kind: StatefulSet + +- path: spec/template/spec/affinity/podAntiAffinity/preferredDuringSchedulingIgnoredDuringExecution/podAffinityTerm/labelSelector/matchLabels + create: false + group: apps + kind: StatefulSet + +- path: spec/template/spec/affinity/podAntiAffinity/requiredDuringSchedulingIgnoredDuringExecution/labelSelector/matchLabels + create: false + group: apps + kind: StatefulSet + +- path: spec/template/spec/topologySpreadConstraints/labelSelector/matchLabels + create: false + group: apps + kind: StatefulSet + +- path: spec/selector/matchLabels + create: false + group: batch + kind: Job + +- path: spec/jobTemplate/spec/selector/matchLabels + create: false + group: batch + kind: CronJob + +- path: spec/selector/matchLabels + create: false + group: policy + kind: PodDisruptionBudget + +- path: spec/podSelector/matchLabels + create: false + group: networking.k8s.io + kind: NetworkPolicy + +- path: spec/ingress/from/podSelector/matchLabels + create: false + group: networking.k8s.io + kind: NetworkPolicy + +- path: spec/egress/to/podSelector/matchLabels + create: false + group: networking.k8s.io + kind: NetworkPolicy +` + metadataLabelsFieldSpecs diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts/defaultconfig.go b/vendor/sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts/defaultconfig.go new file mode 100644 index 0000000000..2f220cb29a --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts/defaultconfig.go @@ -0,0 +1,42 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package builtinpluginconsts + +import ( + "bytes" +) + +// GetDefaultFieldSpecs returns default fieldSpecs. +func GetDefaultFieldSpecs() []byte { + configData := [][]byte{ + []byte(namePrefixFieldSpecs), + []byte(nameSuffixFieldSpecs), + []byte(commonLabelFieldSpecs), + []byte(templateLabelFieldSpecs), + []byte(commonAnnotationFieldSpecs), + []byte(namespaceFieldSpecs), + []byte(varReferenceFieldSpecs), + []byte(nameReferenceFieldSpecs), + []byte(imagesFieldSpecs), + []byte(replicasFieldSpecs), + } + return bytes.Join(configData, []byte("\n")) +} + +// GetDefaultFieldSpecsAsMap returns default fieldSpecs +// as a string->string map. +func GetDefaultFieldSpecsAsMap() map[string]string { + result := make(map[string]string) + result["nameprefix"] = namePrefixFieldSpecs + result["namesuffix"] = nameSuffixFieldSpecs + result["commonlabels"] = commonLabelFieldSpecs + result["templatelabels"] = templateLabelFieldSpecs + result["commonannotations"] = commonAnnotationFieldSpecs + result["namespace"] = namespaceFieldSpecs + result["varreference"] = varReferenceFieldSpecs + result["namereference"] = nameReferenceFieldSpecs + result["images"] = imagesFieldSpecs + result["replicas"] = replicasFieldSpecs + return result +} diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts/doc.go b/vendor/sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts/doc.go new file mode 100644 index 0000000000..4b7b5faac5 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts/doc.go @@ -0,0 +1,8 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +// Package builtinpluginconsts provides builtin plugin +// configuration data. Builtin plugins can also be +// configured individually with plugin config files, +// in which case the constants in this package are ignored. +package builtinpluginconsts diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts/images.go b/vendor/sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts/images.go new file mode 100644 index 0000000000..b8d8bf1e38 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts/images.go @@ -0,0 +1,18 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package builtinpluginconsts + +const ( + imagesFieldSpecs = ` +images: +- path: spec/containers[]/image + create: true +- path: spec/initContainers[]/image + create: true +- path: spec/template/spec/containers[]/image + create: true +- path: spec/template/spec/initContainers[]/image + create: true +` +) diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts/metadatalabels.go b/vendor/sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts/metadatalabels.go new file mode 100644 index 0000000000..d070cca4b8 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts/metadatalabels.go @@ -0,0 +1,51 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package builtinpluginconsts + +const metadataLabelsFieldSpecs = ` +- path: metadata/labels + create: true + +- path: spec/template/metadata/labels + create: true + version: v1 + kind: ReplicationController + +- path: spec/template/metadata/labels + create: true + kind: Deployment + +- path: spec/template/metadata/labels + create: true + kind: ReplicaSet + +- path: spec/template/metadata/labels + create: true + kind: DaemonSet + +- path: spec/template/metadata/labels + create: true + group: apps + kind: StatefulSet + +- path: spec/volumeClaimTemplates[]/metadata/labels + create: true + group: apps + kind: StatefulSet + +- path: spec/template/metadata/labels + create: true + group: batch + kind: Job + +- path: spec/jobTemplate/metadata/labels + create: true + group: batch + kind: CronJob + +- path: spec/jobTemplate/spec/template/metadata/labels + create: true + group: batch + kind: CronJob +` diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts/nameprefix.go b/vendor/sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts/nameprefix.go new file mode 100644 index 0000000000..59a25a61fa --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts/nameprefix.go @@ -0,0 +1,11 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package builtinpluginconsts + +const ( + namePrefixFieldSpecs = ` +namePrefix: +- path: metadata/name +` +) diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts/namereference.go b/vendor/sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts/namereference.go new file mode 100644 index 0000000000..383dcf83ea --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts/namereference.go @@ -0,0 +1,434 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package builtinpluginconsts + +// LINT.IfChange +const ( + nameReferenceFieldSpecs = ` +nameReference: +- kind: Deployment + fieldSpecs: + - path: spec/scaleTargetRef/name + kind: HorizontalPodAutoscaler + +- kind: ReplicationController + fieldSpecs: + - path: spec/scaleTargetRef/name + kind: HorizontalPodAutoscaler + +- kind: ReplicaSet + fieldSpecs: + - path: spec/scaleTargetRef/name + kind: HorizontalPodAutoscaler + +- kind: StatefulSet + fieldSpecs: + - path: spec/scaleTargetRef/name + kind: HorizontalPodAutoscaler + +- kind: ConfigMap + version: v1 + fieldSpecs: + - path: spec/volumes/configMap/name + version: v1 + kind: Pod + - path: spec/containers/env/valueFrom/configMapKeyRef/name + version: v1 + kind: Pod + - path: spec/initContainers/env/valueFrom/configMapKeyRef/name + version: v1 + kind: Pod + - path: spec/containers/envFrom/configMapRef/name + version: v1 + kind: Pod + - path: spec/initContainers/envFrom/configMapRef/name + version: v1 + kind: Pod + - path: spec/volumes/projected/sources/configMap/name + version: v1 + kind: Pod + - path: template/spec/volumes/configMap/name + kind: PodTemplate + - path: template/spec/containers/env/valueFrom/configMapKeyRef/name + kind: PodTemplate + - path: template/spec/initContainers/env/valueFrom/configMapKeyRef/name + kind: PodTemplate + - path: template/spec/containers/envFrom/configMapRef/name + kind: PodTemplate + - path: template/spec/initContainers/envFrom/configMapRef/name + kind: PodTemplate + - path: template/spec/volumes/projected/sources/configMap/name + kind: PodTemplate + - path: spec/template/spec/volumes/configMap/name + kind: Deployment + - path: spec/template/spec/containers/env/valueFrom/configMapKeyRef/name + kind: Deployment + - path: spec/template/spec/initContainers/env/valueFrom/configMapKeyRef/name + kind: Deployment + - path: spec/template/spec/containers/envFrom/configMapRef/name + kind: Deployment + - path: spec/template/spec/initContainers/envFrom/configMapRef/name + kind: Deployment + - path: spec/template/spec/volumes/projected/sources/configMap/name + kind: Deployment + - path: spec/template/spec/volumes/configMap/name + kind: ReplicaSet + - path: spec/template/spec/containers/env/valueFrom/configMapKeyRef/name + kind: ReplicaSet + - path: spec/template/spec/initContainers/env/valueFrom/configMapKeyRef/name + kind: ReplicaSet + - path: spec/template/spec/containers/envFrom/configMapRef/name + kind: ReplicaSet + - path: spec/template/spec/initContainers/envFrom/configMapRef/name + kind: ReplicaSet + - path: spec/template/spec/volumes/projected/sources/configMap/name + kind: ReplicaSet + - path: spec/template/spec/volumes/configMap/name + kind: DaemonSet + - path: spec/template/spec/containers/env/valueFrom/configMapKeyRef/name + kind: DaemonSet + - path: spec/template/spec/initContainers/env/valueFrom/configMapKeyRef/name + kind: DaemonSet + - path: spec/template/spec/containers/envFrom/configMapRef/name + kind: DaemonSet + - path: spec/template/spec/initContainers/envFrom/configMapRef/name + kind: DaemonSet + - path: spec/template/spec/volumes/projected/sources/configMap/name + kind: DaemonSet + - path: spec/template/spec/volumes/configMap/name + kind: StatefulSet + - path: spec/template/spec/containers/env/valueFrom/configMapKeyRef/name + kind: StatefulSet + - path: spec/template/spec/initContainers/env/valueFrom/configMapKeyRef/name + kind: StatefulSet + - path: spec/template/spec/containers/envFrom/configMapRef/name + kind: StatefulSet + - path: spec/template/spec/initContainers/envFrom/configMapRef/name + kind: StatefulSet + - path: spec/template/spec/volumes/projected/sources/configMap/name + kind: StatefulSet + - path: spec/template/spec/volumes/configMap/name + kind: Job + - path: spec/template/spec/containers/env/valueFrom/configMapKeyRef/name + kind: Job + - path: spec/template/spec/initContainers/env/valueFrom/configMapKeyRef/name + kind: Job + - path: spec/template/spec/containers/envFrom/configMapRef/name + kind: Job + - path: spec/template/spec/initContainers/envFrom/configMapRef/name + kind: Job + - path: spec/template/spec/volumes/projected/sources/configMap/name + kind: Job + - path: spec/jobTemplate/spec/template/spec/volumes/configMap/name + kind: CronJob + - path: spec/jobTemplate/spec/template/spec/volumes/projected/sources/configMap/name + kind: CronJob + - path: spec/jobTemplate/spec/template/spec/containers/env/valueFrom/configMapKeyRef/name + kind: CronJob + - path: spec/jobTemplate/spec/template/spec/initContainers/env/valueFrom/configMapKeyRef/name + kind: CronJob + - path: spec/jobTemplate/spec/template/spec/containers/envFrom/configMapRef/name + kind: CronJob + - path: spec/jobTemplate/spec/template/spec/initContainers/envFrom/configMapRef/name + kind: CronJob + - path: spec/configSource/configMap + kind: Node + - path: rules/resourceNames + kind: Role + - path: rules/resourceNames + kind: ClusterRole + - path: metadata/annotations/nginx.ingress.kubernetes.io\/fastcgi-params-configmap + kind: Ingress + +- kind: Secret + version: v1 + fieldSpecs: + - path: spec/volumes/secret/secretName + version: v1 + kind: Pod + - path: spec/containers/env/valueFrom/secretKeyRef/name + version: v1 + kind: Pod + - path: spec/initContainers/env/valueFrom/secretKeyRef/name + version: v1 + kind: Pod + - path: spec/containers/envFrom/secretRef/name + version: v1 + kind: Pod + - path: spec/initContainers/envFrom/secretRef/name + version: v1 + kind: Pod + - path: spec/imagePullSecrets/name + version: v1 + kind: Pod + - path: spec/volumes/projected/sources/secret/name + version: v1 + kind: Pod + - path: template/spec/volumes/secret/secretName + kind: PodTemplate + - path: template/spec/containers/env/valueFrom/secretKeyRef/name + kind: PodTemplate + - path: template/spec/initContainers/env/valueFrom/secretKeyRef/name + kind: PodTemplate + - path: template/spec/containers/envFrom/secretRef/name + kind: PodTemplate + - path: template/spec/initContainers/envFrom/secretRef/name + kind: PodTemplate + - path: template/spec/imagePullSecrets/name + kind: PodTemplate + - path: template/spec/volumes/projected/sources/secret/name + kind: PodTemplate + - path: spec/template/spec/volumes/secret/secretName + kind: Deployment + - path: spec/template/spec/containers/env/valueFrom/secretKeyRef/name + kind: Deployment + - path: spec/template/spec/initContainers/env/valueFrom/secretKeyRef/name + kind: Deployment + - path: spec/template/spec/containers/envFrom/secretRef/name + kind: Deployment + - path: spec/template/spec/initContainers/envFrom/secretRef/name + kind: Deployment + - path: spec/template/spec/imagePullSecrets/name + kind: Deployment + - path: spec/template/spec/volumes/projected/sources/secret/name + kind: Deployment + - path: spec/template/spec/volumes/secret/secretName + kind: ReplicaSet + - path: spec/template/spec/containers/env/valueFrom/secretKeyRef/name + kind: ReplicaSet + - path: spec/template/spec/initContainers/env/valueFrom/secretKeyRef/name + kind: ReplicaSet + - path: spec/template/spec/containers/envFrom/secretRef/name + kind: ReplicaSet + - path: spec/template/spec/initContainers/envFrom/secretRef/name + kind: ReplicaSet + - path: spec/template/spec/imagePullSecrets/name + kind: ReplicaSet + - path: spec/template/spec/volumes/projected/sources/secret/name + kind: ReplicaSet + - path: spec/template/spec/volumes/secret/secretName + kind: DaemonSet + - path: spec/template/spec/containers/env/valueFrom/secretKeyRef/name + kind: DaemonSet + - path: spec/template/spec/initContainers/env/valueFrom/secretKeyRef/name + kind: DaemonSet + - path: spec/template/spec/containers/envFrom/secretRef/name + kind: DaemonSet + - path: spec/template/spec/initContainers/envFrom/secretRef/name + kind: DaemonSet + - path: spec/template/spec/imagePullSecrets/name + kind: DaemonSet + - path: spec/template/spec/volumes/projected/sources/secret/name + kind: DaemonSet + - path: spec/template/spec/volumes/secret/secretName + kind: StatefulSet + - path: spec/template/spec/containers/env/valueFrom/secretKeyRef/name + kind: StatefulSet + - path: spec/template/spec/initContainers/env/valueFrom/secretKeyRef/name + kind: StatefulSet + - path: spec/template/spec/containers/envFrom/secretRef/name + kind: StatefulSet + - path: spec/template/spec/initContainers/envFrom/secretRef/name + kind: StatefulSet + - path: spec/template/spec/imagePullSecrets/name + kind: StatefulSet + - path: spec/template/spec/volumes/projected/sources/secret/name + kind: StatefulSet + - path: spec/template/spec/volumes/secret/secretName + kind: Job + - path: spec/template/spec/containers/env/valueFrom/secretKeyRef/name + kind: Job + - path: spec/template/spec/initContainers/env/valueFrom/secretKeyRef/name + kind: Job + - path: spec/template/spec/containers/envFrom/secretRef/name + kind: Job + - path: spec/template/spec/initContainers/envFrom/secretRef/name + kind: Job + - path: spec/template/spec/imagePullSecrets/name + kind: Job + - path: spec/template/spec/volumes/projected/sources/secret/name + kind: Job + - path: spec/jobTemplate/spec/template/spec/volumes/secret/secretName + kind: CronJob + - path: spec/jobTemplate/spec/template/spec/volumes/projected/sources/secret/name + kind: CronJob + - path: spec/jobTemplate/spec/template/spec/containers/env/valueFrom/secretKeyRef/name + kind: CronJob + - path: spec/jobTemplate/spec/template/spec/initContainers/env/valueFrom/secretKeyRef/name + kind: CronJob + - path: spec/jobTemplate/spec/template/spec/containers/envFrom/secretRef/name + kind: CronJob + - path: spec/jobTemplate/spec/template/spec/initContainers/envFrom/secretRef/name + kind: CronJob + - path: spec/jobTemplate/spec/template/spec/imagePullSecrets/name + kind: CronJob + - path: spec/tls/secretName + kind: Ingress + - path: metadata/annotations/ingress.kubernetes.io\/auth-secret + kind: Ingress + - path: metadata/annotations/nginx.ingress.kubernetes.io\/auth-secret + kind: Ingress + - path: metadata/annotations/nginx.ingress.kubernetes.io\/auth-tls-secret + kind: Ingress + - path: spec/tls/secretName + kind: Ingress + - path: imagePullSecrets/name + kind: ServiceAccount + - path: parameters/secretName + kind: StorageClass + - path: parameters/adminSecretName + kind: StorageClass + - path: parameters/userSecretName + kind: StorageClass + - path: parameters/secretRef + kind: StorageClass + - path: rules/resourceNames + kind: Role + - path: rules/resourceNames + kind: ClusterRole + - path: spec/template/spec/containers/env/valueFrom/secretKeyRef/name + kind: Service + group: serving.knative.dev + version: v1 + - path: spec/azureFile/secretName + kind: PersistentVolume + +- kind: Service + version: v1 + fieldSpecs: + - path: spec/serviceName + kind: StatefulSet + group: apps + - path: spec/rules/http/paths/backend/serviceName + kind: Ingress + - path: spec/backend/serviceName + kind: Ingress + - path: spec/rules/http/paths/backend/service/name + kind: Ingress + - path: spec/defaultBackend/service/name + kind: Ingress + - path: spec/service/name + kind: APIService + group: apiregistration.k8s.io + - path: webhooks/clientConfig/service + kind: ValidatingWebhookConfiguration + group: admissionregistration.k8s.io + - path: webhooks/clientConfig/service + kind: MutatingWebhookConfiguration + group: admissionregistration.k8s.io + +- kind: Role + group: rbac.authorization.k8s.io + fieldSpecs: + - path: roleRef/name + kind: RoleBinding + group: rbac.authorization.k8s.io + +- kind: ClusterRole + group: rbac.authorization.k8s.io + fieldSpecs: + - path: roleRef/name + kind: RoleBinding + group: rbac.authorization.k8s.io + - path: roleRef/name + kind: ClusterRoleBinding + group: rbac.authorization.k8s.io + +- kind: ServiceAccount + version: v1 + fieldSpecs: + - path: subjects + kind: RoleBinding + group: rbac.authorization.k8s.io + - path: subjects + kind: ClusterRoleBinding + group: rbac.authorization.k8s.io + - path: spec/serviceAccountName + kind: Pod + - path: spec/template/spec/serviceAccountName + kind: StatefulSet + - path: spec/template/spec/serviceAccountName + kind: Deployment + - path: spec/template/spec/serviceAccountName + kind: ReplicationController + - path: spec/jobTemplate/spec/template/spec/serviceAccountName + kind: CronJob + - path: spec/template/spec/serviceAccountName + kind: Job + - path: spec/template/spec/serviceAccountName + kind: DaemonSet + +- kind: PersistentVolumeClaim + version: v1 + fieldSpecs: + - path: spec/volumes/persistentVolumeClaim/claimName + kind: Pod + - path: spec/template/spec/volumes/persistentVolumeClaim/claimName + kind: StatefulSet + - path: spec/template/spec/volumes/persistentVolumeClaim/claimName + kind: Deployment + - path: spec/template/spec/volumes/persistentVolumeClaim/claimName + kind: ReplicationController + - path: spec/jobTemplate/spec/template/spec/volumes/persistentVolumeClaim/claimName + kind: CronJob + - path: spec/template/spec/volumes/persistentVolumeClaim/claimName + kind: Job + - path: spec/template/spec/volumes/persistentVolumeClaim/claimName + kind: DaemonSet + +- kind: PersistentVolume + version: v1 + fieldSpecs: + - path: spec/volumeName + kind: PersistentVolumeClaim + - path: rules/resourceNames + kind: ClusterRole + +- kind: StorageClass + version: v1 + group: storage.k8s.io + fieldSpecs: + - path: spec/storageClassName + kind: PersistentVolume + - path: spec/storageClassName + kind: PersistentVolumeClaim + - path: spec/volumeClaimTemplates/spec/storageClassName + kind: StatefulSet + +- kind: PriorityClass + version: v1 + group: scheduling.k8s.io + fieldSpecs: + - path: spec/priorityClassName + kind: Pod + - path: spec/template/spec/priorityClassName + kind: StatefulSet + - path: spec/template/spec/priorityClassName + kind: Deployment + - path: spec/template/spec/priorityClassName + kind: ReplicationController + - path: spec/jobTemplate/spec/template/spec/priorityClassName + kind: CronJob + - path: spec/template/spec/priorityClassName + kind: Job + - path: spec/template/spec/priorityClassName + kind: DaemonSet + +- kind: IngressClass + version: v1 + group: networking.k8s.io/v1 + fieldSpecs: + - path: spec/ingressClassName + kind: Ingress + +- kind: ValidatingAdmissionPolicy + group: admissionregistration.k8s.io + fieldSpecs: + - path: spec/policyName + kind: ValidatingAdmissionPolicyBinding + group: admissionregistration.k8s.io +` +) + +// LINT.ThenChange(/examples/transformerconfigs/README.md) diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts/namespace.go b/vendor/sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts/namespace.go new file mode 100644 index 0000000000..35774a7db3 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts/namespace.go @@ -0,0 +1,20 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package builtinpluginconsts + +const ( + namespaceFieldSpecs = ` +namespace: +- path: metadata/name + kind: Namespace + create: true +- path: spec/service/namespace + group: apiregistration.k8s.io + kind: APIService + create: true +- path: spec/conversion/webhook/clientConfig/service/namespace + group: apiextensions.k8s.io + kind: CustomResourceDefinition +` +) diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts/namesuffix.go b/vendor/sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts/namesuffix.go new file mode 100644 index 0000000000..11592bd2b9 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts/namesuffix.go @@ -0,0 +1,11 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package builtinpluginconsts + +const ( + nameSuffixFieldSpecs = ` +nameSuffix: +- path: metadata/name +` +) diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts/replicas.go b/vendor/sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts/replicas.go new file mode 100644 index 0000000000..76549c21fa --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts/replicas.go @@ -0,0 +1,23 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package builtinpluginconsts + +const replicasFieldSpecs = ` +replicas: +- path: spec/replicas + create: true + kind: Deployment + +- path: spec/replicas + create: true + kind: ReplicationController + +- path: spec/replicas + create: true + kind: ReplicaSet + +- path: spec/replicas + create: true + kind: StatefulSet +` diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts/templatelabels.go b/vendor/sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts/templatelabels.go new file mode 100644 index 0000000000..5d3c9c1957 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts/templatelabels.go @@ -0,0 +1,8 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package builtinpluginconsts + +const templateLabelFieldSpecs = ` +templateLabels: +` + metadataLabelsFieldSpecs diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts/varreference.go b/vendor/sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts/varreference.go new file mode 100644 index 0000000000..f4011d825d --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts/varreference.go @@ -0,0 +1,223 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package builtinpluginconsts + +const ( + varReferenceFieldSpecs = ` +varReference: +- path: spec/jobTemplate/spec/template/spec/containers/args + kind: CronJob + +- path: spec/jobTemplate/spec/template/spec/containers/command + kind: CronJob + +- path: spec/jobTemplate/spec/template/spec/containers/env/value + kind: CronJob + +- path: spec/jobTemplate/spec/template/spec/containers/volumeMounts/mountPath + kind: CronJob + +- path: spec/jobTemplate/spec/template/spec/initContainers/args + kind: CronJob + +- path: spec/jobTemplate/spec/template/spec/initContainers/command + kind: CronJob + +- path: spec/jobTemplate/spec/template/spec/initContainers/env/value + kind: CronJob + +- path: spec/jobTemplate/spec/template/spec/initContainers/volumeMounts/mountPath + kind: CronJob + +- path: spec/jobTemplate/spec/template/volumes/nfs/server + kind: CronJob + +- path: spec/template/spec/containers/args + kind: DaemonSet + +- path: spec/template/spec/containers/command + kind: DaemonSet + +- path: spec/template/spec/containers/env/value + kind: DaemonSet + +- path: spec/template/spec/containers/volumeMounts/mountPath + kind: DaemonSet + +- path: spec/template/spec/initContainers/args + kind: DaemonSet + +- path: spec/template/spec/initContainers/command + kind: DaemonSet + +- path: spec/template/spec/initContainers/env/value + kind: DaemonSet + +- path: spec/template/spec/initContainers/volumeMounts/mountPath + kind: DaemonSet + +- path: spec/template/spec/volumes/nfs/server + kind: DaemonSet + +- path: spec/template/spec/containers/args + kind: Deployment + +- path: spec/template/spec/containers/command + kind: Deployment + +- path: spec/template/spec/containers/env/value + kind: Deployment + +- path: spec/template/spec/containers/volumeMounts/mountPath + kind: Deployment + +- path: spec/template/spec/initContainers/args + kind: Deployment + +- path: spec/template/spec/initContainers/command + kind: Deployment + +- path: spec/template/spec/initContainers/env/value + kind: Deployment + +- path: spec/template/spec/initContainers/volumeMounts/mountPath + kind: Deployment + +- path: spec/template/spec/volumes/nfs/server + kind: Deployment + +- path: spec/template/metadata/annotations + kind: Deployment + +- path: spec/rules/host + kind: Ingress + +- path: spec/tls/hosts + kind: Ingress + +- path: spec/tls/secretName + kind: Ingress + +- path: spec/template/spec/containers/args + kind: Job + +- path: spec/template/spec/containers/command + kind: Job + +- path: spec/template/spec/containers/env/value + kind: Job + +- path: spec/template/spec/containers/volumeMounts/mountPath + kind: Job + +- path: spec/template/spec/initContainers/args + kind: Job + +- path: spec/template/spec/initContainers/command + kind: Job + +- path: spec/template/spec/initContainers/env/value + kind: Job + +- path: spec/template/spec/initContainers/volumeMounts/mountPath + kind: Job + +- path: spec/template/spec/volumes/nfs/server + kind: Job + +- path: spec/containers/args + kind: Pod + +- path: spec/containers/command + kind: Pod + +- path: spec/containers/env/value + kind: Pod + +- path: spec/containers/volumeMounts/mountPath + kind: Pod + +- path: spec/initContainers/args + kind: Pod + +- path: spec/initContainers/command + kind: Pod + +- path: spec/initContainers/env/value + kind: Pod + +- path: spec/initContainers/volumeMounts/mountPath + kind: Pod + +- path: spec/volumes/nfs/server + kind: Pod + +- path: spec/template/spec/containers/args + kind: ReplicaSet + +- path: spec/template/spec/containers/command + kind: ReplicaSet + +- path: spec/template/spec/containers/env/value + kind: ReplicaSet + +- path: spec/template/spec/containers/volumeMounts/mountPath + kind: ReplicaSet + +- path: spec/template/spec/initContainers/args + kind: ReplicaSet + +- path: spec/template/spec/initContainers/command + kind: ReplicaSet + +- path: spec/template/spec/initContainers/env/value + kind: ReplicaSet + +- path: spec/template/spec/initContainers/volumeMounts/mountPath + kind: ReplicaSet + +- path: spec/template/spec/volumes/nfs/server + kind: ReplicaSet + +- path: spec/ports/port + kind: Service + +- path: spec/ports/targetPort + kind: Service + +- path: spec/template/spec/containers/args + kind: StatefulSet + +- path: spec/template/spec/containers/command + kind: StatefulSet + +- path: spec/template/spec/containers/env/value + kind: StatefulSet + +- path: spec/template/spec/containers/volumeMounts/mountPath + kind: StatefulSet + +- path: spec/template/spec/initContainers/args + kind: StatefulSet + +- path: spec/template/spec/initContainers/command + kind: StatefulSet + +- path: spec/template/spec/initContainers/env/value + kind: StatefulSet + +- path: spec/template/spec/initContainers/volumeMounts/mountPath + kind: StatefulSet + +- path: spec/volumeClaimTemplates/spec/nfs/server + kind: StatefulSet + +- path: spec/nfs/server + kind: PersistentVolume + +- path: metadata/labels + +- path: metadata/annotations +` +) diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/kusterr/yamlformaterror.go b/vendor/sigs.k8s.io/kustomize/api/internal/kusterr/yamlformaterror.go new file mode 100644 index 0000000000..aa76d1dd7f --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/internal/kusterr/yamlformaterror.go @@ -0,0 +1,55 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +// Package error has contextual error types. +package kusterr + +import ( + "fmt" + "strings" +) + +// YamlFormatError represents error with yaml file name where json/yaml format error happens. +type YamlFormatError struct { + Path string + ErrorMsg string +} + +func (e YamlFormatError) Error() string { + return fmt.Sprintf("YAML file [%s] encounters a format error.\n%s\n", e.Path, e.ErrorMsg) +} + +// MalformedYamlError represents an error that occurred while trying to decode a given YAML. +type MalformedYamlError struct { + Path string + ErrorMsg string +} + +func (e MalformedYamlError) Error() string { + return fmt.Sprintf("%s in File: %s", e.ErrorMsg, e.Path) +} + +// Handler handles YamlFormatError +func Handler(e error, path string) error { + if isYAMLSyntaxError(e) { + return YamlFormatError{ + Path: path, + ErrorMsg: e.Error(), + } + } + if IsMalformedYAMLError(e) { + return MalformedYamlError{ + Path: path, + ErrorMsg: e.Error(), + } + } + return e +} + +func isYAMLSyntaxError(e error) bool { + return strings.Contains(e.Error(), "error converting YAML to JSON") || strings.Contains(e.Error(), "error unmarshaling JSON") +} + +func IsMalformedYAMLError(e error) bool { + return strings.Contains(e.Error(), "MalformedYAMLError") +} diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/loader/errors.go b/vendor/sigs.k8s.io/kustomize/api/internal/loader/errors.go new file mode 100644 index 0000000000..2463debdbb --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/internal/loader/errors.go @@ -0,0 +1,11 @@ +// Copyright 2022 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package loader + +import "sigs.k8s.io/kustomize/kyaml/errors" + +var ( + ErrHTTP = errors.Errorf("HTTP Error") + ErrRtNotDir = errors.Errorf("must build at directory") +) diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/loader/fileloader.go b/vendor/sigs.k8s.io/kustomize/api/internal/loader/fileloader.go new file mode 100644 index 0000000000..69b8295eb7 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/internal/loader/fileloader.go @@ -0,0 +1,334 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package loader + +import ( + "fmt" + "io" + "log" + "net/http" + "net/url" + "path/filepath" + "strings" + + "sigs.k8s.io/kustomize/api/ifc" + "sigs.k8s.io/kustomize/api/internal/git" + "sigs.k8s.io/kustomize/kyaml/errors" + "sigs.k8s.io/kustomize/kyaml/filesys" +) + +// IsRemoteFile returns whether path has a url scheme that kustomize allows for +// remote files. See https://github.com/kubernetes-sigs/kustomize/blob/master/examples/remoteBuild.md +func IsRemoteFile(path string) bool { + u, err := url.Parse(path) + return err == nil && (u.Scheme == "http" || u.Scheme == "https") +} + +// FileLoader is a kustomization's interface to files. +// +// The directory in which a kustomization file sits +// is referred to below as the kustomization's _root_. +// +// An instance of fileLoader has an immutable root, +// and offers a `New` method returning a new loader +// with a new root. +// +// A kustomization file refers to two kinds of files: +// +// * supplemental data paths +// +// `Load` is used to visit these paths. +// +// These paths refer to resources, patches, +// data for ConfigMaps and Secrets, etc. +// +// The loadRestrictor may disallow certain paths +// or classes of paths. +// +// * bases (other kustomizations) +// +// `New` is used to load bases. +// +// A base can be either a remote git repo URL, or +// a directory specified relative to the current +// root. In the former case, the repo is locally +// cloned, and the new loader is rooted on a path +// in that clone. +// +// As loaders create new loaders, a root history +// is established, and used to disallow: +// +// - A base that is a repository that, in turn, +// specifies a base repository seen previously +// in the loading stack (a cycle). +// +// - An overlay depending on a base positioned at +// or above it. I.e. '../foo' is OK, but '.', +// '..', '../..', etc. are disallowed. Allowing +// such a base has no advantages and encourages +// cycles, particularly if some future change +// were to introduce globbing to file +// specifications in the kustomization file. +// +// These restrictions assure that kustomizations +// are self-contained and relocatable, and impose +// some safety when relying on remote kustomizations, +// e.g. a remotely loaded ConfigMap generator specified +// to read from /etc/passwd will fail. +type FileLoader struct { + // Loader that spawned this loader. + // Used to avoid cycles. + referrer *FileLoader + + // An absolute, cleaned path to a directory. + // The Load function will read non-absolute + // paths relative to this directory. + root filesys.ConfirmedDir + + // Restricts behavior of Load function. + loadRestrictor LoadRestrictorFunc + + // If this is non-nil, the files were + // obtained from the given repository. + repoSpec *git.RepoSpec + + // File system utilities. + fSys filesys.FileSystem + + // Used to load from HTTP + http *http.Client + + // Used to clone repositories. + cloner git.Cloner + + // Used to clean up, as needed. + cleaner func() error +} + +// Repo returns the absolute path to the repo that contains Root if this fileLoader was created from a url +// or the empty string otherwise. +func (fl *FileLoader) Repo() string { + if fl.repoSpec != nil { + return fl.repoSpec.Dir.String() + } + return "" +} + +// Root returns the absolute path that is prepended to any +// relative paths used in Load. +func (fl *FileLoader) Root() string { + return fl.root.String() +} + +func NewLoaderOrDie( + lr LoadRestrictorFunc, + fSys filesys.FileSystem, path string) *FileLoader { + root, err := filesys.ConfirmDir(fSys, path) + if err != nil { + log.Fatalf("unable to make loader at '%s'; %v", path, err) + } + return newLoaderAtConfirmedDir( + lr, root, fSys, nil, git.ClonerUsingGitExec) +} + +// newLoaderAtConfirmedDir returns a new FileLoader with given root. +func newLoaderAtConfirmedDir( + lr LoadRestrictorFunc, + root filesys.ConfirmedDir, fSys filesys.FileSystem, + referrer *FileLoader, cloner git.Cloner) *FileLoader { + return &FileLoader{ + loadRestrictor: lr, + root: root, + referrer: referrer, + fSys: fSys, + cloner: cloner, + cleaner: func() error { return nil }, + } +} + +// New returns a new Loader, rooted relative to current loader, +// or rooted in a temp directory holding a git repo clone. +func (fl *FileLoader) New(path string) (ifc.Loader, error) { + if path == "" { + return nil, errors.Errorf("new root cannot be empty") + } + + repoSpec, err := git.NewRepoSpecFromURL(path) + if err == nil { + // Treat this as git repo clone request. + if err = fl.errIfRepoCycle(repoSpec); err != nil { + return nil, err + } + return newLoaderAtGitClone( + repoSpec, fl.fSys, fl, fl.cloner) + } + + if filepath.IsAbs(path) { + return nil, fmt.Errorf("new root '%s' cannot be absolute", path) + } + root, err := filesys.ConfirmDir(fl.fSys, fl.root.Join(path)) + if err != nil { + return nil, errors.WrapPrefixf(err, ErrRtNotDir.Error()) //nolint:govet + } + if err = fl.errIfGitContainmentViolation(root); err != nil { + return nil, err + } + if err = fl.errIfArgEqualOrHigher(root); err != nil { + return nil, err + } + return newLoaderAtConfirmedDir( + fl.loadRestrictor, root, fl.fSys, fl, fl.cloner), nil +} + +// newLoaderAtGitClone returns a new Loader pinned to a temporary +// directory holding a cloned git repo. +func newLoaderAtGitClone( + repoSpec *git.RepoSpec, fSys filesys.FileSystem, + referrer *FileLoader, cloner git.Cloner) (ifc.Loader, error) { + cleaner := repoSpec.Cleaner(fSys) + err := cloner(repoSpec) + if err != nil { + cleaner() + return nil, err + } + root, f, err := fSys.CleanedAbs(repoSpec.AbsPath()) + if err != nil { + cleaner() + return nil, err + } + // We don't know that the path requested in repoSpec + // is a directory until we actually clone it and look + // inside. That just happened, hence the error check + // is here. + if f != "" { + cleaner() + return nil, fmt.Errorf( + "'%s' refers to file '%s'; expecting directory", + repoSpec.AbsPath(), f) + } + // Path in repo can contain symlinks that exit repo. We can only + // check for this after cloning repo. + if !root.HasPrefix(repoSpec.CloneDir()) { + _ = cleaner() + return nil, fmt.Errorf("%q refers to directory outside of repo %q", repoSpec.AbsPath(), + repoSpec.CloneDir()) + } + return &FileLoader{ + // Clones never allowed to escape root. + loadRestrictor: RestrictionRootOnly, + root: root, + referrer: referrer, + repoSpec: repoSpec, + fSys: fSys, + cloner: cloner, + cleaner: cleaner, + }, nil +} + +func (fl *FileLoader) errIfGitContainmentViolation( + base filesys.ConfirmedDir) error { + containingRepo := fl.containingRepo() + if containingRepo == nil { + return nil + } + if !base.HasPrefix(containingRepo.CloneDir()) { + return fmt.Errorf( + "security; bases in kustomizations found in "+ + "cloned git repos must be within the repo, "+ + "but base '%s' is outside '%s'", + base, containingRepo.CloneDir()) + } + return nil +} + +// Looks back through referrers for a git repo, returning nil +// if none found. +func (fl *FileLoader) containingRepo() *git.RepoSpec { + if fl.repoSpec != nil { + return fl.repoSpec + } + if fl.referrer == nil { + return nil + } + return fl.referrer.containingRepo() +} + +// errIfArgEqualOrHigher tests whether the argument, +// is equal to or above the root of any ancestor. +func (fl *FileLoader) errIfArgEqualOrHigher( + candidateRoot filesys.ConfirmedDir) error { + if fl.root.HasPrefix(candidateRoot) { + return fmt.Errorf( + "cycle detected: candidate root '%s' contains visited root '%s'", + candidateRoot, fl.root) + } + if fl.referrer == nil { + return nil + } + return fl.referrer.errIfArgEqualOrHigher(candidateRoot) +} + +// TODO(monopole): Distinguish branches? +// I.e. Allow a distinction between git URI with +// path foo and tag bar and a git URI with the same +// path but a different tag? +func (fl *FileLoader) errIfRepoCycle(newRepoSpec *git.RepoSpec) error { + // TODO(monopole): Use parsed data instead of Raw(). + if fl.repoSpec != nil && + strings.HasPrefix(fl.repoSpec.Raw(), newRepoSpec.Raw()) { + return fmt.Errorf( + "cycle detected: URI '%s' referenced by previous URI '%s'", + newRepoSpec.Raw(), fl.repoSpec.Raw()) + } + if fl.referrer == nil { + return nil + } + return fl.referrer.errIfRepoCycle(newRepoSpec) +} + +// Load returns the content of file at the given path, +// else an error. Relative paths are taken relative +// to the root. +func (fl *FileLoader) Load(path string) ([]byte, error) { + if IsRemoteFile(path) { + return fl.httpClientGetContent(path) + } + if !filepath.IsAbs(path) { + path = fl.root.Join(path) + } + path, err := fl.loadRestrictor(fl.fSys, fl.root, path) + if err != nil { + return nil, err + } + return fl.fSys.ReadFile(path) +} + +func (fl *FileLoader) httpClientGetContent(path string) ([]byte, error) { + var hc *http.Client + if fl.http != nil { + hc = fl.http + } else { + hc = &http.Client{} + } + resp, err := hc.Get(path) + if err != nil { + return nil, errors.Wrap(err) + } + defer resp.Body.Close() + // response unsuccessful + if resp.StatusCode < 200 || resp.StatusCode > 299 { + _, err = git.NewRepoSpecFromURL(path) + if err == nil { + return nil, errors.Errorf("URL is a git repository") + } + return nil, fmt.Errorf("%w: status code %d (%s)", ErrHTTP, resp.StatusCode, http.StatusText(resp.StatusCode)) + } + content, err := io.ReadAll(resp.Body) + return content, errors.Wrap(err) +} + +// Cleanup runs the cleaner. +func (fl *FileLoader) Cleanup() error { + return fl.cleaner() +} diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/loader/loader.go b/vendor/sigs.k8s.io/kustomize/api/internal/loader/loader.go new file mode 100644 index 0000000000..60b254fa7e --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/internal/loader/loader.go @@ -0,0 +1,35 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +// Package loader has a data loading interface and various implementations. +package loader + +import ( + "sigs.k8s.io/kustomize/api/ifc" + "sigs.k8s.io/kustomize/api/internal/git" + "sigs.k8s.io/kustomize/kyaml/errors" + "sigs.k8s.io/kustomize/kyaml/filesys" +) + +// NewLoader returns a Loader pointed at the given target. +// If the target is remote, the loader will be restricted +// to the root and below only. If the target is local, the +// loader will have the restrictions passed in. Regardless, +// if a local target attempts to transitively load remote bases, +// the remote bases will all be root-only restricted. +func NewLoader( + lr LoadRestrictorFunc, + target string, fSys filesys.FileSystem) (ifc.Loader, error) { + repoSpec, err := git.NewRepoSpecFromURL(target) + if err == nil { + // The target qualifies as a remote git target. + return newLoaderAtGitClone( + repoSpec, fSys, nil, git.ClonerUsingGitExec) + } + root, err := filesys.ConfirmDir(fSys, target) + if err != nil { + return nil, errors.WrapPrefixf(err, ErrRtNotDir.Error()) //nolint:govet + } + return newLoaderAtConfirmedDir( + lr, root, fSys, nil, git.ClonerUsingGitExec), nil +} diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/loader/loadrestrictions.go b/vendor/sigs.k8s.io/kustomize/api/internal/loader/loadrestrictions.go new file mode 100644 index 0000000000..a016a96254 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/internal/loader/loadrestrictions.go @@ -0,0 +1,35 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package loader + +import ( + "fmt" + + "sigs.k8s.io/kustomize/kyaml/filesys" +) + +type LoadRestrictorFunc func( + filesys.FileSystem, filesys.ConfirmedDir, string) (string, error) + +func RestrictionRootOnly( + fSys filesys.FileSystem, root filesys.ConfirmedDir, path string) (string, error) { + d, f, err := fSys.CleanedAbs(path) + if err != nil { + return "", err + } + if f == "" { + return "", fmt.Errorf("'%s' must resolve to a file", path) + } + if !d.HasPrefix(root) { + return "", fmt.Errorf( + "security; file '%s' is not in or below '%s'", + path, root) + } + return d.Join(f), nil +} + +func RestrictionNone( + _ filesys.FileSystem, _ filesys.ConfirmedDir, path string) (string, error) { + return path, nil +} diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/plugins/builtinconfig/doc.go b/vendor/sigs.k8s.io/kustomize/api/internal/plugins/builtinconfig/doc.go new file mode 100644 index 0000000000..f41f79b0c1 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/internal/plugins/builtinconfig/doc.go @@ -0,0 +1,10 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +// Package builtinconfig provides legacy methods for +// configuring builtin plugins from a common config file. +// As a user, its best to configure plugins individually +// with plugin config files specified in the `transformers:` +// or `generators:` field, than to use this legacy +// configuration technique. +package builtinconfig diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/plugins/builtinconfig/loaddefaultconfig.go b/vendor/sigs.k8s.io/kustomize/api/internal/plugins/builtinconfig/loaddefaultconfig.go new file mode 100644 index 0000000000..434941b6e0 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/internal/plugins/builtinconfig/loaddefaultconfig.go @@ -0,0 +1,42 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package builtinconfig + +import ( + "sigs.k8s.io/kustomize/api/ifc" + "sigs.k8s.io/yaml" +) + +// loadDefaultConfig returns a TranformerConfig +// object from a list of files. +func loadDefaultConfig( + ldr ifc.Loader, paths []string) (*TransformerConfig, error) { + result := &TransformerConfig{} + for _, path := range paths { + data, err := ldr.Load(path) + if err != nil { + return nil, err + } + t, err := makeTransformerConfigFromBytes(data) + if err != nil { + return nil, err + } + result, err = result.Merge(t) + if err != nil { + return nil, err + } + } + return result, nil +} + +// makeTransformerConfigFromBytes returns a TransformerConfig object from bytes +func makeTransformerConfigFromBytes(data []byte) (*TransformerConfig, error) { + var t TransformerConfig + err := yaml.UnmarshalStrict(data, &t) + if err != nil { + return nil, err + } + t.sortFields() + return &t, nil +} diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/plugins/builtinconfig/namebackreferences.go b/vendor/sigs.k8s.io/kustomize/api/internal/plugins/builtinconfig/namebackreferences.go new file mode 100644 index 0000000000..eb0f307338 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/internal/plugins/builtinconfig/namebackreferences.go @@ -0,0 +1,112 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package builtinconfig + +import ( + "strings" + + "sigs.k8s.io/kustomize/api/types" + "sigs.k8s.io/kustomize/kyaml/resid" +) + +// NameBackReferences is an association between a gvk.GVK (a ReferralTarget) +// and a list of Referrers that could refer to it. +// +// It is used to handle name changes, and can be thought of as a +// a contact list. If you change your own contact info (name, +// phone number, etc.), you must tell your contacts or they won't +// know about the change. +// +// For example, ConfigMaps can be used by Pods and everything that +// contains a Pod; Deployment, Job, StatefulSet, etc. +// The ConfigMap is the ReferralTarget, the others are Referrers. +// +// If the name of a ConfigMap instance changed from 'alice' to 'bob', +// one must +// - visit all objects that could refer to the ConfigMap (the Referrers) +// - see if they mention 'alice', +// - if so, change the Referrer's name reference to 'bob'. +// +// The NameBackReferences instance to aid in this could look like +// { +// kind: ConfigMap +// version: v1 +// fieldSpecs: +// - kind: Pod +// version: v1 +// path: spec/volumes/configMap/name +// - kind: Deployment +// path: spec/template/spec/volumes/configMap/name +// - kind: Job +// path: spec/template/spec/volumes/configMap/name +// (etc.) +// } +type NameBackReferences struct { + resid.Gvk `json:",inline,omitempty" yaml:",inline,omitempty"` + // TODO: rename json 'fieldSpecs' to 'referrers' for clarity. + // This will, however, break anyone using a custom config. + Referrers types.FsSlice `json:"fieldSpecs,omitempty" yaml:"fieldSpecs,omitempty"` + + // Note: If any new pointer based members are added, DeepCopy needs to be updated +} + +func (n NameBackReferences) String() string { + var r []string + for _, f := range n.Referrers { + r = append(r, f.String()) + } + return n.Gvk.String() + ": (\n" + + strings.Join(r, "\n") + "\n)" +} + +type nbrSlice []NameBackReferences + +func (s nbrSlice) Len() int { return len(s) } +func (s nbrSlice) Swap(i, j int) { s[i], s[j] = s[j], s[i] } +func (s nbrSlice) Less(i, j int) bool { + return s[i].Gvk.IsLessThan(s[j].Gvk) +} + +// DeepCopy returns a new copy of nbrSlice +func (s nbrSlice) DeepCopy() nbrSlice { + ret := make(nbrSlice, len(s)) + copy(ret, s) + for i, slice := range ret { + ret[i].Referrers = slice.Referrers.DeepCopy() + } + + return ret +} + +func (s nbrSlice) mergeAll(o nbrSlice) (result nbrSlice, err error) { + result = s + for _, r := range o { + result, err = result.mergeOne(r) + if err != nil { + return nil, err + } + } + return result, nil +} + +func (s nbrSlice) mergeOne(other NameBackReferences) (nbrSlice, error) { + var result nbrSlice + var err error + found := false + for _, c := range s { + if c.Gvk.Equals(other.Gvk) { + c.Referrers, err = c.Referrers.MergeAll(other.Referrers) + if err != nil { + return nil, err + } + found = true + } + result = append(result, c) + } + + if !found { + result = append(result, other) + } + return result, nil +} diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/plugins/builtinconfig/transformerconfig.go b/vendor/sigs.k8s.io/kustomize/api/internal/plugins/builtinconfig/transformerconfig.go new file mode 100644 index 0000000000..b5d4b7aec1 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/internal/plugins/builtinconfig/transformerconfig.go @@ -0,0 +1,202 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package builtinconfig + +import ( + "log" + "sort" + "sync" + + "sigs.k8s.io/kustomize/api/ifc" + "sigs.k8s.io/kustomize/api/internal/konfig/builtinpluginconsts" + "sigs.k8s.io/kustomize/api/types" + "sigs.k8s.io/kustomize/kyaml/errors" +) + +// TransformerConfig holds the data needed to perform transformations. +// +//nolint:tagalign +type TransformerConfig struct { + // if any fields are added, update the DeepCopy implementation + NamePrefix types.FsSlice `json:"namePrefix,omitempty" yaml:"namePrefix,omitempty"` + NameSuffix types.FsSlice `json:"nameSuffix,omitempty" yaml:"nameSuffix,omitempty"` + NameSpace types.FsSlice `json:"namespace,omitempty" yaml:"namespace,omitempty"` + CommonLabels types.FsSlice `json:"commonLabels,omitempty" yaml:"commonLabels,omitempty"` + Labels types.FsSlice `json:"labels,omitempty" yaml:"labels,omitempty"` + TemplateLabels types.FsSlice `json:"templateLabels,omitempty" yaml:"templateLabels,omitempty"` + CommonAnnotations types.FsSlice `json:"commonAnnotations,omitempty" yaml:"commonAnnotations,omitempty"` + NameReference nbrSlice `json:"nameReference,omitempty" yaml:"nameReference,omitempty"` + VarReference types.FsSlice `json:"varReference,omitempty" yaml:"varReference,omitempty"` + Images types.FsSlice `json:"images,omitempty" yaml:"images,omitempty"` + Replicas types.FsSlice `json:"replicas,omitempty" yaml:"replicas,omitempty"` +} + +// MakeEmptyConfig returns an empty TransformerConfig object +func MakeEmptyConfig() *TransformerConfig { + return &TransformerConfig{} +} + +// DeepCopy returns a new copy of TransformerConfig +func (t *TransformerConfig) DeepCopy() *TransformerConfig { + return &TransformerConfig{ + NamePrefix: t.NamePrefix.DeepCopy(), + NameSuffix: t.NameSuffix.DeepCopy(), + NameSpace: t.NameSpace.DeepCopy(), + CommonLabels: t.CommonLabels.DeepCopy(), + Labels: t.Labels.DeepCopy(), + TemplateLabels: t.TemplateLabels.DeepCopy(), + CommonAnnotations: t.CommonAnnotations.DeepCopy(), + NameReference: t.NameReference.DeepCopy(), + VarReference: t.VarReference.DeepCopy(), + Images: t.Images.DeepCopy(), + Replicas: t.Replicas.DeepCopy(), + } +} + +// the default transformer config is initialized by MakeDefaultConfig, +// and must only be accessed via that function. +var ( + initDefaultConfig sync.Once //nolint:gochecknoglobals + defaultConfig *TransformerConfig //nolint:gochecknoglobals +) + +// MakeDefaultConfig returns a default TransformerConfig. +func MakeDefaultConfig() *TransformerConfig { + // parsing is expensive when having a large tree with many kustomization modules, so only do it once + initDefaultConfig.Do(func() { + var err error + defaultConfig, err = makeTransformerConfigFromBytes( + builtinpluginconsts.GetDefaultFieldSpecs()) + if err != nil { + log.Fatalf("Unable to make default transformconfig: %v", err) + } + }) + + // return a copy to avoid any mutations to protect the reference copy + return defaultConfig.DeepCopy() +} + +// MakeTransformerConfig returns a merger of custom config, +// if any, with default config. +func MakeTransformerConfig( + ldr ifc.Loader, paths []string) (*TransformerConfig, error) { + t1 := MakeDefaultConfig() + if len(paths) == 0 { + return t1, nil + } + t2, err := loadDefaultConfig(ldr, paths) + if err != nil { + return nil, err + } + return t1.Merge(t2) +} + +// sortFields provides determinism in logging, tests, etc. +func (t *TransformerConfig) sortFields() { + sort.Sort(t.NamePrefix) + sort.Sort(t.NameSuffix) + sort.Sort(t.NameSpace) + sort.Sort(t.CommonLabels) + sort.Sort(t.Labels) + sort.Sort(t.TemplateLabels) + sort.Sort(t.CommonAnnotations) + sort.Sort(t.NameReference) + sort.Sort(t.VarReference) + sort.Sort(t.Images) + sort.Sort(t.Replicas) +} + +// AddPrefixFieldSpec adds a FieldSpec to NamePrefix +func (t *TransformerConfig) AddPrefixFieldSpec(fs types.FieldSpec) (err error) { + t.NamePrefix, err = t.NamePrefix.MergeOne(fs) + return err +} + +// AddSuffixFieldSpec adds a FieldSpec to NameSuffix +func (t *TransformerConfig) AddSuffixFieldSpec(fs types.FieldSpec) (err error) { + t.NameSuffix, err = t.NameSuffix.MergeOne(fs) + return err +} + +// AddCommonLabelsFieldSpec adds a FieldSpec to CommonLabels +func (t *TransformerConfig) AddCommonLabelsFieldSpec(fs types.FieldSpec) (err error) { + t.CommonLabels, err = t.CommonLabels.MergeOne(fs) + return err +} + +// AddLabelsFieldSpec adds a FieldSpec to Labels +func (t *TransformerConfig) AddLabelsFieldSpec(fs types.FieldSpec) (err error) { + t.Labels, err = t.Labels.MergeOne(fs) + return err //nolint:wrapcheck +} + +// AddAnnotationFieldSpec adds a FieldSpec to CommonAnnotations +func (t *TransformerConfig) AddAnnotationFieldSpec(fs types.FieldSpec) (err error) { + t.CommonAnnotations, err = t.CommonAnnotations.MergeOne(fs) + return err +} + +// AddNamereferenceFieldSpec adds a NameBackReferences to NameReference +func (t *TransformerConfig) AddNamereferenceFieldSpec( + nbrs NameBackReferences) (err error) { + t.NameReference, err = t.NameReference.mergeOne(nbrs) + return err +} + +// Merge merges two TransformerConfigs objects into +// a new TransformerConfig object +func (t *TransformerConfig) Merge(input *TransformerConfig) ( + merged *TransformerConfig, err error) { + if input == nil { + return t, nil + } + merged = &TransformerConfig{} + merged.NamePrefix, err = t.NamePrefix.MergeAll(input.NamePrefix) + if err != nil { + return nil, errors.WrapPrefixf(err, "failed to merge NamePrefix fieldSpec") + } + merged.NameSuffix, err = t.NameSuffix.MergeAll(input.NameSuffix) + if err != nil { + return nil, errors.WrapPrefixf(err, "failed to merge NameSuffix fieldSpec") + } + merged.NameSpace, err = t.NameSpace.MergeAll(input.NameSpace) + if err != nil { + return nil, errors.WrapPrefixf(err, "failed to merge NameSpace fieldSpec") + } + merged.CommonAnnotations, err = t.CommonAnnotations.MergeAll( + input.CommonAnnotations) + if err != nil { + return nil, errors.WrapPrefixf(err, "failed to merge CommonAnnotations fieldSpec") + } + merged.CommonLabels, err = t.CommonLabels.MergeAll(input.CommonLabels) + if err != nil { + return nil, errors.WrapPrefixf(err, "failed to merge CommonLabels fieldSpec") + } + merged.Labels, err = t.Labels.MergeAll(input.Labels) + if err != nil { + return nil, errors.WrapPrefixf(err, "failed to merge Labels fieldSpec") + } + merged.TemplateLabels, err = t.TemplateLabels.MergeAll(input.TemplateLabels) + if err != nil { + return nil, errors.WrapPrefixf(err, "failed to merge TemplateLabels fieldSpec") + } + merged.VarReference, err = t.VarReference.MergeAll(input.VarReference) + if err != nil { + return nil, errors.WrapPrefixf(err, "failed to merge VarReference fieldSpec") + } + merged.NameReference, err = t.NameReference.mergeAll(input.NameReference) + if err != nil { + return nil, errors.WrapPrefixf(err, "failed to merge NameReference fieldSpec") + } + merged.Images, err = t.Images.MergeAll(input.Images) + if err != nil { + return nil, errors.WrapPrefixf(err, "failed to merge Images fieldSpec") + } + merged.Replicas, err = t.Replicas.MergeAll(input.Replicas) + if err != nil { + return nil, errors.WrapPrefixf(err, "failed to merge Replicas fieldSpec") + } + merged.sortFields() + return merged, nil +} diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/plugins/builtinhelpers/builtinplugintype_string.go b/vendor/sigs.k8s.io/kustomize/api/internal/plugins/builtinhelpers/builtinplugintype_string.go new file mode 100644 index 0000000000..ddcfcc190c --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/internal/plugins/builtinhelpers/builtinplugintype_string.go @@ -0,0 +1,41 @@ +// Code generated by "stringer -type=BuiltinPluginType"; DO NOT EDIT. + +package builtinhelpers + +import "strconv" + +func _() { + // An "invalid array index" compiler error signifies that the constant values have changed. + // Re-run the stringer command to generate them again. + var x [1]struct{} + _ = x[Unknown-0] + _ = x[AnnotationsTransformer-1] + _ = x[ConfigMapGenerator-2] + _ = x[IAMPolicyGenerator-3] + _ = x[HashTransformer-4] + _ = x[ImageTagTransformer-5] + _ = x[LabelTransformer-6] + _ = x[NamespaceTransformer-7] + _ = x[PatchJson6902Transformer-8] + _ = x[PatchStrategicMergeTransformer-9] + _ = x[PatchTransformer-10] + _ = x[PrefixSuffixTransformer-11] + _ = x[PrefixTransformer-12] + _ = x[SuffixTransformer-13] + _ = x[ReplicaCountTransformer-14] + _ = x[SecretGenerator-15] + _ = x[ValueAddTransformer-16] + _ = x[HelmChartInflationGenerator-17] + _ = x[ReplacementTransformer-18] +} + +const _BuiltinPluginType_name = "UnknownAnnotationsTransformerConfigMapGeneratorIAMPolicyGeneratorHashTransformerImageTagTransformerLabelTransformerNamespaceTransformerPatchJson6902TransformerPatchStrategicMergeTransformerPatchTransformerPrefixSuffixTransformerPrefixTransformerSuffixTransformerReplicaCountTransformerSecretGeneratorValueAddTransformerHelmChartInflationGeneratorReplacementTransformer" + +var _BuiltinPluginType_index = [...]uint16{0, 7, 29, 47, 65, 80, 99, 115, 135, 159, 189, 205, 228, 245, 262, 285, 300, 319, 346, 368} + +func (i BuiltinPluginType) String() string { + if i < 0 || i >= BuiltinPluginType(len(_BuiltinPluginType_index)-1) { + return "BuiltinPluginType(" + strconv.FormatInt(int64(i), 10) + ")" + } + return _BuiltinPluginType_name[_BuiltinPluginType_index[i]:_BuiltinPluginType_index[i+1]] +} diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/plugins/builtinhelpers/builtins.go b/vendor/sigs.k8s.io/kustomize/api/internal/plugins/builtinhelpers/builtins.go new file mode 100644 index 0000000000..a98a23d398 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/internal/plugins/builtinhelpers/builtins.go @@ -0,0 +1,115 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package builtinhelpers + +import ( + "sigs.k8s.io/kustomize/api/internal/builtins" + "sigs.k8s.io/kustomize/api/resmap" +) + +//go:generate stringer -type=BuiltinPluginType +type BuiltinPluginType int + +const ( + Unknown BuiltinPluginType = iota + AnnotationsTransformer + ConfigMapGenerator + IAMPolicyGenerator + HashTransformer + ImageTagTransformer + LabelTransformer + NamespaceTransformer + PatchJson6902Transformer + PatchStrategicMergeTransformer + PatchTransformer + PrefixSuffixTransformer + PrefixTransformer + SuffixTransformer + ReplicaCountTransformer + SecretGenerator + ValueAddTransformer + HelmChartInflationGenerator + ReplacementTransformer +) + +var stringToBuiltinPluginTypeMap map[string]BuiltinPluginType + +func init() { //nolint:gochecknoinits + stringToBuiltinPluginTypeMap = makeStringToBuiltinPluginTypeMap() +} + +func makeStringToBuiltinPluginTypeMap() (result map[string]BuiltinPluginType) { + result = make(map[string]BuiltinPluginType, 23) + for k := range GeneratorFactories { + result[k.String()] = k + } + for k := range TransformerFactories { + result[k.String()] = k + } + return +} + +func GetBuiltinPluginType(n string) BuiltinPluginType { + result, ok := stringToBuiltinPluginTypeMap[n] + if ok { + return result + } + return Unknown +} + +var GeneratorFactories = map[BuiltinPluginType]func() resmap.GeneratorPlugin{ + ConfigMapGenerator: builtins.NewConfigMapGeneratorPlugin, + IAMPolicyGenerator: builtins.NewIAMPolicyGeneratorPlugin, + SecretGenerator: builtins.NewSecretGeneratorPlugin, + HelmChartInflationGenerator: builtins.NewHelmChartInflationGeneratorPlugin, +} + +type MultiTransformer struct { + transformers []resmap.TransformerPlugin +} + +func (t *MultiTransformer) Transform(m resmap.ResMap) error { + for _, transformer := range t.transformers { + if err := transformer.Transform(m); err != nil { + return err + } + } + return nil +} + +func (t *MultiTransformer) Config(h *resmap.PluginHelpers, b []byte) error { + for _, transformer := range t.transformers { + if err := transformer.Config(h, b); err != nil { + return err + } + } + return nil +} + +func NewMultiTransformer() resmap.TransformerPlugin { + return &MultiTransformer{[]resmap.TransformerPlugin{ + builtins.NewPrefixTransformerPlugin(), + builtins.NewSuffixTransformerPlugin(), + }} +} + +var TransformerFactories = map[BuiltinPluginType]func() resmap.TransformerPlugin{ + AnnotationsTransformer: builtins.NewAnnotationsTransformerPlugin, + HashTransformer: builtins.NewHashTransformerPlugin, + ImageTagTransformer: builtins.NewImageTagTransformerPlugin, + LabelTransformer: builtins.NewLabelTransformerPlugin, + NamespaceTransformer: builtins.NewNamespaceTransformerPlugin, + PatchJson6902Transformer: builtins.NewPatchJson6902TransformerPlugin, + PatchStrategicMergeTransformer: builtins.NewPatchStrategicMergeTransformerPlugin, + PatchTransformer: builtins.NewPatchTransformerPlugin, + PrefixSuffixTransformer: NewMultiTransformer, + PrefixTransformer: builtins.NewPrefixTransformerPlugin, + SuffixTransformer: builtins.NewSuffixTransformerPlugin, + ReplacementTransformer: builtins.NewReplacementTransformerPlugin, + ReplicaCountTransformer: builtins.NewReplicaCountTransformerPlugin, + ValueAddTransformer: builtins.NewValueAddTransformerPlugin, + // Do not wired SortOrderTransformer as a builtin plugin. + // We only want it to be available in the top-level kustomization. + // See: https://github.com/kubernetes-sigs/kustomize/issues/3913 +} diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/plugins/execplugin/execplugin.go b/vendor/sigs.k8s.io/kustomize/api/internal/plugins/execplugin/execplugin.go new file mode 100644 index 0000000000..108c3b2908 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/internal/plugins/execplugin/execplugin.go @@ -0,0 +1,206 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package execplugin + +import ( + "bytes" + "fmt" + "log" + "os" + "os/exec" + "runtime" + "strings" + + "github.com/google/shlex" + + "sigs.k8s.io/kustomize/api/internal/plugins/utils" + "sigs.k8s.io/kustomize/api/resmap" + "sigs.k8s.io/kustomize/kyaml/errors" + "sigs.k8s.io/yaml" +) + +const ( + tmpConfigFilePrefix = "kust-plugin-config-" + maxArgStringLength = 131071 +) + +// ExecPlugin record the name and args of an executable +// It triggers the executable generator and transformer +type ExecPlugin struct { + // absolute path of the executable + path string + + // Optional command line arguments to the executable + // pulled from specially named fields in cfg. + // This is for executables that don't want to parse YAML. + args []string + + // Plugin configuration data. + cfg []byte + + // PluginHelpers + h *resmap.PluginHelpers +} + +func NewExecPlugin(p string) *ExecPlugin { + return &ExecPlugin{path: p} +} + +func (p *ExecPlugin) ErrIfNotExecutable() error { + f, err := os.Stat(p.path) + if err != nil { + return err + } + // In Windows, it is not possible to determine whether a + // file is executable through file mode. + // TODO: provide for setting the executable FileMode bit on Windows + // The (fs *fileStat) Mode() (m FileMode) {} function in + // https://golang.org/src/os/types_windows.go + // lacks the ability to set the FileMode executable bit in response + // to file data on Windows. + if f.Mode()&0111 == 0000 && runtime.GOOS != "windows" { + return fmt.Errorf("unexecutable plugin at: %s", p.path) + } + return nil +} + +func (p *ExecPlugin) Path() string { + return p.path +} + +func (p *ExecPlugin) Args() []string { + return p.args +} + +func (p *ExecPlugin) Cfg() []byte { + return p.cfg +} + +func (p *ExecPlugin) Config(h *resmap.PluginHelpers, config []byte) error { + p.h = h + p.cfg = config + return p.processOptionalArgsFields() +} + +type argsConfig struct { + ArgsOneLiner string `json:"argsOneLiner,omitempty" yaml:"argsOneLiner,omitempty"` + ArgsFromFile string `json:"argsFromFile,omitempty" yaml:"argsFromFile,omitempty"` +} + +func (p *ExecPlugin) processOptionalArgsFields() error { + var c argsConfig + err := yaml.Unmarshal(p.cfg, &c) + if err != nil { + return err + } + if c.ArgsOneLiner != "" { + p.args, _ = shlex.Split(c.ArgsOneLiner) + } + if c.ArgsFromFile != "" { + content, err := p.h.Loader().Load(c.ArgsFromFile) + if err != nil { + return err + } + for _, x := range strings.Split(string(content), "\n") { + x := strings.TrimLeft(x, " ") + if x != "" { + p.args = append(p.args, x) + } + } + } + return nil +} + +func (p *ExecPlugin) Generate() (resmap.ResMap, error) { + output, err := p.invokePlugin(nil) + if err != nil { + return nil, err + } + rm, err := p.h.ResmapFactory().NewResMapFromBytes(output) + if err != nil { + return nil, err + } + return utils.UpdateResourceOptions(rm) +} + +func (p *ExecPlugin) Transform(rm resmap.ResMap) error { + // add ResIds as annotations to all objects so that we can add them back + inputRM, err := utils.GetResMapWithIDAnnotation(rm) + if err != nil { + return err + } + + // encode the ResMap so it can be fed to the plugin + resources, err := inputRM.AsYaml() + if err != nil { + return err + } + + // invoke the plugin with resources as the input + output, err := p.invokePlugin(resources) + if err != nil { + return fmt.Errorf("%v %s", err, string(output)) + } + + // update the original ResMap based on the output + return utils.UpdateResMapValues(p.path, p.h, output, rm) +} + +// invokePlugin writes plugin config to a temp file, then +// passes the full temp file path as the first arg to a process +// running the plugin binary. Process output is returned. +func (p *ExecPlugin) invokePlugin(input []byte) ([]byte, error) { + f, err := os.CreateTemp("", tmpConfigFilePrefix) + if err != nil { + return nil, errors.WrapPrefixf( + err, "creating tmp plugin config file") + } + _, err = f.Write(p.cfg) + if err != nil { + return nil, errors.WrapPrefixf( + err, "writing plugin config to "+f.Name()) + } + err = f.Close() + if err != nil { + return nil, errors.WrapPrefixf( + err, "closing plugin config file "+f.Name()) + } + //nolint:gosec + cmd := exec.Command( + p.path, append([]string{f.Name()}, p.args...)...) + cmd.Env = p.getEnv() + cmd.Stdin = bytes.NewReader(input) + var stdErr bytes.Buffer + cmd.Stderr = &stdErr + if _, err := os.Stat(p.h.Loader().Root()); err == nil { + cmd.Dir = p.h.Loader().Root() + } + result, err := cmd.Output() + if err != nil { + //nolint:govet + return nil, errors.WrapPrefixf( + fmt.Errorf("failure in plugin configured via %s; %w", + f.Name(), err), stdErr.String()) + } + return result, os.Remove(f.Name()) +} + +func (p *ExecPlugin) getEnv() []string { + env := os.Environ() + pluginConfigString := "KUSTOMIZE_PLUGIN_CONFIG_STRING=" + string(p.cfg) + if len(pluginConfigString) <= maxArgStringLength { + env = append(env, pluginConfigString) + } else { + log.Printf("KUSTOMIZE_PLUGIN_CONFIG_STRING exceeds hard limit of %d characters, the environment variable "+ + "will be omitted", maxArgStringLength) + } + pluginConfigRoot := "KUSTOMIZE_PLUGIN_CONFIG_ROOT=" + p.h.Loader().Root() + if len(pluginConfigRoot) <= maxArgStringLength { + env = append(env, pluginConfigRoot) + } else { + log.Printf("KUSTOMIZE_PLUGIN_CONFIG_ROOT exceeds hard limit of %d characters, the environment variable "+ + "will be omitted", maxArgStringLength) + } + return env +} diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/plugins/fnplugin/fnplugin.go b/vendor/sigs.k8s.io/kustomize/api/internal/plugins/fnplugin/fnplugin.go new file mode 100644 index 0000000000..0ec067562b --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/internal/plugins/fnplugin/fnplugin.go @@ -0,0 +1,201 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package fnplugin + +import ( + "bytes" + "fmt" + + "sigs.k8s.io/kustomize/kyaml/errors" + + "sigs.k8s.io/kustomize/api/internal/plugins/utils" + "sigs.k8s.io/kustomize/api/resmap" + "sigs.k8s.io/kustomize/api/resource" + "sigs.k8s.io/kustomize/api/types" + "sigs.k8s.io/kustomize/kyaml/fn/runtime/runtimeutil" + "sigs.k8s.io/kustomize/kyaml/runfn" + "sigs.k8s.io/kustomize/kyaml/yaml" +) + +// FnPlugin is the struct to hold function information +type FnPlugin struct { + // Function runner + runFns runfn.RunFns + + // Plugin configuration data. + cfg []byte + + // Plugin name cache for error output + pluginName string + + // PluginHelpers + h *resmap.PluginHelpers +} + +func bytesToRNode(yml []byte) (*yaml.RNode, error) { + rnode, err := yaml.Parse(string(yml)) + if err != nil { + return nil, err + } + return rnode, nil +} + +func resourceToRNode(res *resource.Resource) (*yaml.RNode, error) { + yml, err := res.AsYAML() + if err != nil { + return nil, err + } + + return bytesToRNode(yml) +} + +// GetFunctionSpec return function spec is there is. Otherwise return nil +func GetFunctionSpec(res *resource.Resource) (*runtimeutil.FunctionSpec, error) { + rnode, err := resourceToRNode(res) + if err != nil { + return nil, fmt.Errorf("could not convert resource to RNode: %w", err) + } + functionSpec, err := runtimeutil.GetFunctionSpec(rnode) + if err != nil { + return nil, fmt.Errorf("failed to get FunctionSpec: %w", err) + } + return functionSpec, nil +} + +func toStorageMounts(mounts []string) []runtimeutil.StorageMount { + var sms []runtimeutil.StorageMount + for _, mount := range mounts { + sms = append(sms, runtimeutil.StringToStorageMount(mount)) + } + return sms +} + +// NewFnPlugin creates a FnPlugin struct +func NewFnPlugin(o *types.FnPluginLoadingOptions) *FnPlugin { + return &FnPlugin{ + runFns: runfn.RunFns{ + Functions: []*yaml.RNode{}, + Network: o.Network, + EnableExec: o.EnableExec, + StorageMounts: toStorageMounts(o.Mounts), + Env: o.Env, + AsCurrentUser: o.AsCurrentUser, + WorkingDir: o.WorkingDir, + }, + } +} + +// Cfg returns function config +func (p *FnPlugin) Cfg() []byte { + return p.cfg +} + +// Config is called by kustomize to pass-in config information +func (p *FnPlugin) Config(h *resmap.PluginHelpers, config []byte) error { + p.h = h + p.cfg = config + + fn, err := bytesToRNode(p.cfg) + if err != nil { + return err + } + + meta, err := fn.GetMeta() + if err != nil { + return err + } + + p.pluginName = fmt.Sprintf("api: %s, kind: %s, name: %s", + meta.APIVersion, meta.Kind, meta.Name) + + return nil +} + +// Generate is called when run as generator +func (p *FnPlugin) Generate() (resmap.ResMap, error) { + output, err := p.invokePlugin(nil) + if err != nil { + return nil, err + } + rm, err := p.h.ResmapFactory().NewResMapFromBytes(output) + if err != nil { + return nil, err + } + return utils.UpdateResourceOptions(rm) +} + +// Transform is called when run as transformer +func (p *FnPlugin) Transform(rm resmap.ResMap) error { + // add ResIds as annotations to all objects so that we can add them back + inputRM, err := utils.GetResMapWithIDAnnotation(rm) + if err != nil { + return err + } + + // encode the ResMap so it can be fed to the plugin + resources, err := inputRM.AsYaml() + if err != nil { + return err + } + + // invoke the plugin with resources as the input + output, err := p.invokePlugin(resources) + if err != nil { + return fmt.Errorf("%v %s", err, string(output)) + } + + // update the original ResMap based on the output + return utils.UpdateResMapValues(p.pluginName, p.h, output, rm) +} + +func injectAnnotation(input *yaml.RNode, k, v string) error { + err := input.PipeE(yaml.SetAnnotation(k, v)) + if err != nil { + return err + } + return nil +} + +// invokePlugin uses Function runner to run function as plugin +func (p *FnPlugin) invokePlugin(input []byte) ([]byte, error) { + // get function config rnode + functionConfig, err := bytesToRNode(p.cfg) + if err != nil { + return nil, err + } + + // This annotation will let kustomize ingnore this item in output + err = injectAnnotation(functionConfig, "config.kubernetes.io/local-config", "true") + if err != nil { + return nil, err + } + // we need to add config as input for generators. Some of them don't work with FunctionConfig + // and in addition kio.Pipeline won't create anything if there are no objects + // see https://github.com/kubernetes-sigs/kustomize/blob/master/kyaml/kio/kio.go#L93 + // Since we added `local-config` annotation so it will be ignored in generator output + // TODO(donnyxia): This is actually not used by generator and only used to bypass a kio limitation. + // Need better solution. + if input == nil { + yml, err := functionConfig.String() + if err != nil { + return nil, err + } + input = []byte(yml) + } + + // Configure and Execute Fn. We don't need to convert resources to ResourceList here + // because function runtime will do that. See kyaml/fn/runtime/runtimeutil/runtimeutil.go + var ouputBuffer bytes.Buffer + p.runFns.Input = bytes.NewReader(input) + p.runFns.Functions = append(p.runFns.Functions, functionConfig) + p.runFns.Output = &ouputBuffer + + err = p.runFns.Execute() + if err != nil { + return nil, errors.WrapPrefixf( + err, "couldn't execute function") + } + + return ouputBuffer.Bytes(), nil +} diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/plugins/loader/load_go_plugin.go b/vendor/sigs.k8s.io/kustomize/api/internal/plugins/loader/load_go_plugin.go new file mode 100644 index 0000000000..3757cfc646 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/internal/plugins/loader/load_go_plugin.go @@ -0,0 +1,62 @@ +// Copyright 2024 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 +//go:build !kustomize_disable_go_plugin_support + +package loader + +import ( + "fmt" + "log" + "plugin" + "reflect" + + "sigs.k8s.io/kustomize/api/internal/plugins/utils" + "sigs.k8s.io/kustomize/api/konfig" + "sigs.k8s.io/kustomize/api/resmap" + "sigs.k8s.io/kustomize/kyaml/errors" + "sigs.k8s.io/kustomize/kyaml/resid" +) + +// registry is a means to avoid trying to load the same .so file +// into memory more than once, which results in an error. +// Each test makes its own loader, and tries to load its own plugins, +// but the loaded .so files are in shared memory, so one will get +// "this plugin already loaded" errors if the registry is maintained +// as a Loader instance variable. So make it a package variable. +var registry = make(map[string]resmap.Configurable) //nolint:gochecknoglobals + +func copyPlugin(c resmap.Configurable) resmap.Configurable { + indirect := reflect.Indirect(reflect.ValueOf(c)) + newIndirect := reflect.New(indirect.Type()) + newIndirect.Elem().Set(reflect.ValueOf(indirect.Interface())) + newNamed := newIndirect.Interface() + return newNamed.(resmap.Configurable) //nolint:forcetypeassert +} + +func (l *Loader) loadGoPlugin(id resid.ResId, absPath string) (resmap.Configurable, error) { + regId := relativePluginPath(id) + if c, ok := registry[regId]; ok { + return copyPlugin(c), nil + } + if !utils.FileExists(absPath) { + return nil, fmt.Errorf( + "expected file with Go object code at: %s", absPath) + } + log.Printf("Attempting plugin load from %q", absPath) + p, err := plugin.Open(absPath) + if err != nil { + return nil, errors.WrapPrefixf(err, "plugin %s fails to load", absPath) + } + symbol, err := p.Lookup(konfig.PluginSymbol) + if err != nil { + return nil, errors.WrapPrefixf( + err, "plugin %s doesn't have symbol %s", + regId, konfig.PluginSymbol) + } + c, ok := symbol.(resmap.Configurable) + if !ok { + return nil, fmt.Errorf("plugin %q not configurable", regId) + } + registry[regId] = c + return copyPlugin(c), nil +} diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/plugins/loader/load_go_plugin_disabled.go b/vendor/sigs.k8s.io/kustomize/api/internal/plugins/loader/load_go_plugin_disabled.go new file mode 100644 index 0000000000..5531b7967f --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/internal/plugins/loader/load_go_plugin_disabled.go @@ -0,0 +1,25 @@ +// Copyright 2024 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +// The build tag "kustomize_disable_go_plugin_support" is used to deactivate the +// kustomize API's dependency on the "plugins" package. This is beneficial for +// applications that need to embed it but do not have requirements for dynamic +// Go plugins. +// Including plugins as a dependency can lead to an increase in binary size due +// to the population of ELF's sections such as .dynsym and .dynstr. +// By utilizing this flag, applications have the flexibility to exclude the +// import if they do not require support for dynamic Go plugins. +//go:build kustomize_disable_go_plugin_support + +package loader + +import ( + "fmt" + + "sigs.k8s.io/kustomize/api/resmap" + "sigs.k8s.io/kustomize/kyaml/resid" +) + +func (l *Loader) loadGoPlugin(_ resid.ResId, _ string) (resmap.Configurable, error) { + return nil, fmt.Errorf("plugin load is disabled") +} diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/plugins/loader/loader.go b/vendor/sigs.k8s.io/kustomize/api/internal/plugins/loader/loader.go new file mode 100644 index 0000000000..2edf8791ff --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/internal/plugins/loader/loader.go @@ -0,0 +1,290 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package loader + +import ( + "fmt" + "os" + "path/filepath" + "strings" + + "sigs.k8s.io/kustomize/api/ifc" + "sigs.k8s.io/kustomize/api/internal/plugins/builtinhelpers" + "sigs.k8s.io/kustomize/api/internal/plugins/execplugin" + "sigs.k8s.io/kustomize/api/internal/plugins/fnplugin" + "sigs.k8s.io/kustomize/api/konfig" + "sigs.k8s.io/kustomize/api/resmap" + "sigs.k8s.io/kustomize/api/resource" + "sigs.k8s.io/kustomize/api/types" + "sigs.k8s.io/kustomize/kyaml/errors" + "sigs.k8s.io/kustomize/kyaml/filesys" + "sigs.k8s.io/kustomize/kyaml/resid" +) + +// Loader loads plugins using a file loader (a different loader). +type Loader struct { + pc *types.PluginConfig + rf *resmap.Factory + fs filesys.FileSystem + + // absolutePluginHome caches the location of a valid plugin root directory. + // It should only be set once the directory's existence has been confirmed. + absolutePluginHome string +} + +func NewLoader( + pc *types.PluginConfig, rf *resmap.Factory, fs filesys.FileSystem, +) *Loader { + return &Loader{pc: pc, rf: rf, fs: fs} +} + +// LoaderWithWorkingDir returns loader after setting its working directory. +// NOTE: This is not really a new loader since some of the Loader struct fields are pointers. +func (l *Loader) LoaderWithWorkingDir(wd string) *Loader { + lpc := &types.PluginConfig{ + PluginRestrictions: l.pc.PluginRestrictions, + BpLoadingOptions: l.pc.BpLoadingOptions, + FnpLoadingOptions: l.pc.FnpLoadingOptions, + HelmConfig: l.pc.HelmConfig, + } + lpc.FnpLoadingOptions.WorkingDir = wd + return &Loader{pc: lpc, rf: l.rf, fs: l.fs} +} + +// Config provides the global (not plugin specific) PluginConfig data. +func (l *Loader) Config() *types.PluginConfig { + return l.pc +} + +func (l *Loader) LoadGenerators( + ldr ifc.Loader, v ifc.Validator, rm resmap.ResMap) ( + result []*resmap.GeneratorWithProperties, err error, +) { + for _, res := range rm.Resources() { + g, err := l.LoadGenerator(ldr, v, res) + if err != nil { + return nil, fmt.Errorf("failed to load generator: %w", err) + } + generatorOrigin, err := resource.OriginFromCustomPlugin(res) + if err != nil { + return nil, fmt.Errorf("failed to get origin from CustomPlugin: %w", err) + } + result = append(result, &resmap.GeneratorWithProperties{Generator: g, Origin: generatorOrigin}) + } + return result, nil +} + +func (l *Loader) LoadGenerator( + ldr ifc.Loader, v ifc.Validator, res *resource.Resource, +) (resmap.Generator, error) { + c, err := l.loadAndConfigurePlugin(ldr, v, res) + if err != nil { + return nil, err + } + g, ok := c.(resmap.Generator) + if !ok { + return nil, fmt.Errorf("plugin %s not a generator", res.OrgId()) + } + return g, nil +} + +func (l *Loader) LoadTransformers( + ldr ifc.Loader, v ifc.Validator, rm resmap.ResMap, +) ([]*resmap.TransformerWithProperties, error) { + var result []*resmap.TransformerWithProperties + for _, res := range rm.Resources() { + t, err := l.LoadTransformer(ldr, v, res) + if err != nil { + return nil, err + } + transformerOrigin, err := resource.OriginFromCustomPlugin(res) + if err != nil { + return nil, err + } + result = append(result, &resmap.TransformerWithProperties{Transformer: t, Origin: transformerOrigin}) + } + return result, nil +} + +func (l *Loader) LoadTransformer( + ldr ifc.Loader, v ifc.Validator, res *resource.Resource, +) (*resmap.TransformerWithProperties, error) { + c, err := l.loadAndConfigurePlugin(ldr, v, res) + if err != nil { + return nil, err + } + t, ok := c.(resmap.Transformer) + if !ok { + return nil, fmt.Errorf("plugin %s not a transformer", res.OrgId()) + } + return &resmap.TransformerWithProperties{Transformer: t}, nil +} + +func relativePluginPath(id resid.ResId) string { + return filepath.Join( + id.Group, + id.Version, + strings.ToLower(id.Kind)) +} + +func (l *Loader) AbsolutePluginPath(id resid.ResId) (string, error) { + pluginHome, err := l.absPluginHome() + if err != nil { + return "", err + } + return filepath.Join(pluginHome, relativePluginPath(id), id.Kind), nil +} + +// absPluginHome is the home of kustomize Exec and Go plugins. +// Kustomize plugin configuration files are k8s-style objects +// containing the fields 'apiVersion' and 'kind', e.g. +// +// apiVersion: apps/v1 +// kind: Deployment +// +// kustomize reads plugin configuration data from a file path +// specified in the 'generators:' or 'transformers:' field of a +// kustomization file. For Exec and Go plugins, kustomize +// uses this data to both locate the plugin and configure it. +// Each Exec or Go plugin (its code, its tests, its supporting data +// files, etc.) must be housed in its own directory at +// +// ${absPluginHome}/${pluginApiVersion}/LOWERCASE(${pluginKind}) +// +// where +// - ${absPluginHome} is an absolute path, defined below. +// - ${pluginApiVersion} is taken from the plugin config file. +// - ${pluginKind} is taken from the plugin config file. +func (l *Loader) absPluginHome() (string, error) { + // External plugins are disabled--return the dummy plugin root. + if l.pc.PluginRestrictions != types.PluginRestrictionsNone { + return konfig.NoPluginHomeSentinal, nil + } + // We've already determined plugin home--use the cached value. + if l.absolutePluginHome != "" { + return l.absolutePluginHome, nil + } + + // Check default locations for a valid plugin root, and cache it if found. + dir, err := konfig.DefaultAbsPluginHome(l.fs) + if err != nil { + return "", err + } + l.absolutePluginHome = dir + return l.absolutePluginHome, nil +} + +func isBuiltinPlugin(res *resource.Resource) bool { + // TODO: the special string should appear in Group, not Version. + return res.GetGvk().Group == "" && + res.GetGvk().Version == konfig.BuiltinPluginApiVersion +} + +func (l *Loader) loadAndConfigurePlugin( + ldr ifc.Loader, + v ifc.Validator, + res *resource.Resource, +) (c resmap.Configurable, err error) { + if isBuiltinPlugin(res) { + switch l.pc.BpLoadingOptions { + case types.BploLoadFromFileSys: + c, err = l.loadPlugin(res) + case types.BploUseStaticallyLinked: + // Instead of looking for and loading a .so file, + // instantiate the plugin from a generated factory + // function (see "pluginator"). Being able to do this + // is what makes a plugin "builtin". + c, err = l.makeBuiltinPlugin(res.GetGvk()) + default: + err = fmt.Errorf( + "unknown plugin loader behavior specified: %s %v", res.GetGvk().String(), + l.pc.BpLoadingOptions) + } + } else { + switch l.pc.PluginRestrictions { + case types.PluginRestrictionsNone: + c, err = l.loadPlugin(res) + case types.PluginRestrictionsBuiltinsOnly: + err = types.NewErrOnlyBuiltinPluginsAllowed(res.OrgId().Kind) + default: + err = fmt.Errorf( + "unknown plugin restriction specified: %v", + l.pc.PluginRestrictions) + } + } + if err != nil { + return nil, err + } + yaml, err := res.AsYAML() + if err != nil { + return nil, errors.WrapPrefixf(err, "marshalling yaml from res %s", res.OrgId()) + } + err = c.Config(resmap.NewPluginHelpers(ldr, v, l.rf, l.pc), yaml) + if err != nil { + return nil, errors.WrapPrefixf( + err, "plugin %s fails configuration", res.OrgId()) + } + return c, nil +} + +func (l *Loader) makeBuiltinPlugin(r resid.Gvk) (resmap.Configurable, error) { + bpt := builtinhelpers.GetBuiltinPluginType(r.Kind) + if f, ok := builtinhelpers.GeneratorFactories[bpt]; ok { + return f(), nil + } + if f, ok := builtinhelpers.TransformerFactories[bpt]; ok { + return f(), nil + } + return nil, errors.Errorf("unable to load builtin %s", r) +} + +func (l *Loader) loadPlugin(res *resource.Resource) (resmap.Configurable, error) { + spec, err := fnplugin.GetFunctionSpec(res) + if err != nil { + return nil, fmt.Errorf("loader: %w", err) + } + if spec != nil { + // validation check that function mounts are under the current kustomization directory + for _, mount := range spec.Container.StorageMounts { + if filepath.IsAbs(mount.Src) { + return nil, errors.Errorf("plugin %s with mount path '%s' is not permitted; "+ + "mount paths must be relative to the current kustomization directory", res.OrgId(), mount.Src) + } + if strings.HasPrefix(filepath.Clean(mount.Src), "../") { + return nil, errors.Errorf("plugin %s with mount path '%s' is not permitted; "+ + "mount paths must be under the current kustomization directory", res.OrgId(), mount.Src) + } + } + return fnplugin.NewFnPlugin(&l.pc.FnpLoadingOptions), nil + } + return l.loadExecOrGoPlugin(res.OrgId()) +} + +func (l *Loader) loadExecOrGoPlugin(resId resid.ResId) (resmap.Configurable, error) { + absPluginPath, err := l.AbsolutePluginPath(resId) + if err != nil { + return nil, err + } + // First try to load the plugin as an executable. + p := execplugin.NewExecPlugin(absPluginPath) + if err = p.ErrIfNotExecutable(); err == nil { + return p, nil + } + if !os.IsNotExist(err) { + // The file exists, but something else is wrong, + // likely it's not executable. + // Assume the user forgot to set the exec bit, + // and return an error, rather than adding ".so" + // to the name and attempting to load it as a Go + // plugin, which will likely fail and result + // in an obscure message. + return nil, err + } + // Failing the above, try loading it as a Go plugin. + c, err := l.loadGoPlugin(resId, absPluginPath+".so") + if err != nil { + return nil, err + } + return c, nil +} diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/plugins/utils/utils.go b/vendor/sigs.k8s.io/kustomize/api/internal/plugins/utils/utils.go new file mode 100644 index 0000000000..8182f203eb --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/internal/plugins/utils/utils.go @@ -0,0 +1,240 @@ +// Copyright 2020 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package utils + +import ( + "encoding/json" + "fmt" + "os" + "path/filepath" + "runtime" + "strconv" + "time" + + "sigs.k8s.io/kustomize/api/konfig" + "sigs.k8s.io/kustomize/api/resmap" + "sigs.k8s.io/kustomize/api/resource" + "sigs.k8s.io/kustomize/api/types" + "sigs.k8s.io/kustomize/kyaml/filesys" + "sigs.k8s.io/yaml" +) + +const ( + idAnnotation = "kustomize.config.k8s.io/id" + HashAnnotation = "kustomize.config.k8s.io/needs-hash" + BehaviorAnnotation = "kustomize.config.k8s.io/behavior" +) + +func GoBin() string { + return filepath.Join(runtime.GOROOT(), "bin", "go") +} + +// DeterminePluginSrcRoot guesses where the user +// has her ${g}/${v}/$lower(${k})/${k}.go files. +func DeterminePluginSrcRoot(fSys filesys.FileSystem) (string, error) { + return konfig.FirstDirThatExistsElseError( + "plugin src root", fSys, []konfig.NotedFunc{ + { + Note: "relative to unit test", + F: func() string { + return filepath.Clean( + filepath.Join( + os.Getenv("PWD"), + "..", "..", + konfig.RelPluginHome)) + }, + }, + { + Note: "relative to unit test (internal pkg)", + F: func() string { + return filepath.Clean( + filepath.Join( + os.Getenv("PWD"), + "..", "..", "..", "..", + konfig.RelPluginHome)) + }, + }, + { + Note: "relative to api package", + F: func() string { + return filepath.Clean( + filepath.Join( + os.Getenv("PWD"), + "..", "..", "..", + konfig.RelPluginHome)) + }, + }, + { + Note: "old style $GOPATH", + F: func() string { + return filepath.Join( + os.Getenv("GOPATH"), + "src", konfig.DomainName, + konfig.ProgramName, konfig.RelPluginHome) + }, + }, + { + Note: "HOME with literal 'gopath'", + F: func() string { + return filepath.Join( + konfig.HomeDir(), "gopath", + "src", konfig.DomainName, + konfig.ProgramName, konfig.RelPluginHome) + }, + }, + { + Note: "home directory", + F: func() string { + return filepath.Join( + konfig.HomeDir(), konfig.DomainName, + konfig.ProgramName, konfig.RelPluginHome) + }, + }, + }) +} + +// FileYoungerThan returns true if the file both exists and has an +// age is <= the Duration argument. +func FileYoungerThan(path string, d time.Duration) bool { + fi, err := os.Stat(path) + if err != nil { + if os.IsNotExist(err) { + return false + } + } + return time.Since(fi.ModTime()) <= d +} + +// FileModifiedAfter returns true if the file both exists and was +// modified after the given time.. +func FileModifiedAfter(path string, t time.Time) bool { + fi, err := os.Stat(path) + if err != nil { + if os.IsNotExist(err) { + return false + } + } + return fi.ModTime().After(t) +} + +func FileExists(path string) bool { + if _, err := os.Stat(path); err != nil { + if os.IsNotExist(err) { + return false + } + } + return true +} + +// GetResMapWithIDAnnotation returns a new copy of the given ResMap with the ResIds annotated in each Resource +func GetResMapWithIDAnnotation(rm resmap.ResMap) (resmap.ResMap, error) { + inputRM := rm.DeepCopy() + for _, r := range inputRM.Resources() { + idString, err := yaml.Marshal(r.CurId()) + if err != nil { + return nil, err + } + annotations := r.GetAnnotations() + annotations[idAnnotation] = string(idString) + if err = r.SetAnnotations(annotations); err != nil { + return nil, err + } + } + return inputRM, nil +} + +// UpdateResMapValues updates the Resource value in the given ResMap +// with the emitted Resource values in output. +func UpdateResMapValues(pluginName string, h *resmap.PluginHelpers, output []byte, rm resmap.ResMap) error { + mapFactory := h.ResmapFactory() + resFactory := mapFactory.RF() + resources, err := resFactory.SliceFromBytes(output) + if err != nil { + return err + } + // Don't use resources here, or error message will be unfriendly to plugin builders + newMap, err := mapFactory.NewResMapFromBytes([]byte{}) + if err != nil { + return err + } + + for _, r := range resources { + // stale--not manipulated by plugin transformers + if err = removeIDAnnotation(r); err != nil { + return err + } + + // Add to the new map, checking for duplicates + if err := newMap.Append(r); err != nil { + prettyID, err := json.Marshal(r.CurId()) + if err != nil { + prettyID = []byte(r.CurId().String()) + } + return fmt.Errorf("plugin %s generated duplicate resource: %s", pluginName, prettyID) + } + + // Add to or update the old map + oldIdx, err := rm.GetIndexOfCurrentId(r.CurId()) + if err != nil { + return err + } + if oldIdx != -1 { + rm.GetByIndex(oldIdx).ResetRNode(r) + } else { + if err := rm.Append(r); err != nil { + return err + } + } + } + + // Remove items the transformer deleted from the old map + for _, id := range rm.AllIds() { + newIdx, _ := newMap.GetIndexOfCurrentId(id) + if newIdx == -1 { + if err = rm.Remove(id); err != nil { + return err + } + } + } + + return nil +} + +func removeIDAnnotation(r *resource.Resource) error { + // remove the annotation set by Kustomize to track the resource + annotations := r.GetAnnotations() + delete(annotations, idAnnotation) + return r.SetAnnotations(annotations) +} + +// UpdateResourceOptions updates the generator options for each resource in the +// given ResMap based on plugin provided annotations. +func UpdateResourceOptions(rm resmap.ResMap) (resmap.ResMap, error) { + for _, r := range rm.Resources() { + // Disable name hashing by default and require plugin to explicitly + // request it for each resource. + annotations := r.GetAnnotations() + behavior := annotations[BehaviorAnnotation] + var needsHash bool + if val, ok := annotations[HashAnnotation]; ok { + b, err := strconv.ParseBool(val) + if err != nil { + return nil, fmt.Errorf( + "the annotation %q contains an invalid value (%q)", + HashAnnotation, val) + } + needsHash = b + } + delete(annotations, HashAnnotation) + delete(annotations, BehaviorAnnotation) + if err := r.SetAnnotations(annotations); err != nil { + return nil, err + } + if needsHash { + r.EnableHashSuffix() + } + r.SetBehavior(types.NewGenerationBehavior(behavior)) + } + return rm, nil +} diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/target/errmissingkustomization.go b/vendor/sigs.k8s.io/kustomize/api/internal/target/errmissingkustomization.go new file mode 100644 index 0000000000..8b939db1eb --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/internal/target/errmissingkustomization.go @@ -0,0 +1,44 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package target + +import ( + "fmt" + "strings" + + "sigs.k8s.io/kustomize/api/konfig" + "sigs.k8s.io/kustomize/kyaml/errors" +) + +type errMissingKustomization struct { + path string +} + +func (e *errMissingKustomization) Error() string { + return fmt.Sprintf( + "unable to find one of %v in directory '%s'", + commaOr(quoted(konfig.RecognizedKustomizationFileNames())), + e.path) +} + +func IsMissingKustomizationFileError(err error) bool { + e := &errMissingKustomization{} + return errors.As(err, &e) +} + +func NewErrMissingKustomization(p string) *errMissingKustomization { + return &errMissingKustomization{path: p} +} + +func quoted(l []string) []string { + r := make([]string, len(l)) + for i, v := range l { + r[i] = "'" + v + "'" + } + return r +} + +func commaOr(q []string) string { + return strings.Join(q[:len(q)-1], ", ") + " or " + q[len(q)-1] +} diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/target/kusttarget.go b/vendor/sigs.k8s.io/kustomize/api/internal/target/kusttarget.go new file mode 100644 index 0000000000..5f1d1095a1 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/internal/target/kusttarget.go @@ -0,0 +1,582 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package target + +import ( + "encoding/json" + "fmt" + "os" + "strings" + + "sigs.k8s.io/kustomize/api/ifc" + "sigs.k8s.io/kustomize/api/internal/accumulator" + "sigs.k8s.io/kustomize/api/internal/builtins" + "sigs.k8s.io/kustomize/api/internal/kusterr" + load "sigs.k8s.io/kustomize/api/internal/loader" + "sigs.k8s.io/kustomize/api/internal/plugins/builtinconfig" + "sigs.k8s.io/kustomize/api/internal/plugins/builtinhelpers" + "sigs.k8s.io/kustomize/api/internal/plugins/loader" + "sigs.k8s.io/kustomize/api/internal/utils" + "sigs.k8s.io/kustomize/api/konfig" + "sigs.k8s.io/kustomize/api/resmap" + "sigs.k8s.io/kustomize/api/resource" + "sigs.k8s.io/kustomize/api/types" + "sigs.k8s.io/kustomize/kyaml/errors" + "sigs.k8s.io/kustomize/kyaml/openapi" + "sigs.k8s.io/yaml" +) + +// KustTarget encapsulates the entirety of a kustomization build. +type KustTarget struct { + kustomization *types.Kustomization + kustFileName string + ldr ifc.Loader + validator ifc.Validator + rFactory *resmap.Factory + pLdr *loader.Loader + origin *resource.Origin +} + +// NewKustTarget returns a new instance of KustTarget. +func NewKustTarget( + ldr ifc.Loader, + validator ifc.Validator, + rFactory *resmap.Factory, + pLdr *loader.Loader) *KustTarget { + return &KustTarget{ + ldr: ldr, + validator: validator, + rFactory: rFactory, + pLdr: pLdr.LoaderWithWorkingDir(ldr.Root()), + } +} + +// Load attempts to load the target's kustomization file. +func (kt *KustTarget) Load() error { + content, kustFileName, err := LoadKustFile(kt.ldr) + if err != nil { + return err + } + + var k types.Kustomization + if err := k.Unmarshal(content); err != nil { + return err + } + + // show warning message when using deprecated fields. + if warningMessages := k.CheckDeprecatedFields(); warningMessages != nil { + for _, msg := range *warningMessages { + fmt.Fprintf(os.Stderr, "%v\n", msg) + } + } + + k.FixKustomization() + + // check that Kustomization is empty + if err := k.CheckEmpty(); err != nil { + return err + } + + errs := k.EnforceFields() + if len(errs) > 0 { + return fmt.Errorf( + "Failed to read kustomization file under %s:\n"+ + strings.Join(errs, "\n"), kt.ldr.Root()) + } + kt.kustomization = &k + kt.kustFileName = kustFileName + return nil +} + +// Kustomization returns a copy of the immutable, internal kustomization object. +func (kt *KustTarget) Kustomization() types.Kustomization { + var result types.Kustomization + b, _ := json.Marshal(*kt.kustomization) + json.Unmarshal(b, &result) + return result +} + +func LoadKustFile(ldr ifc.Loader) ([]byte, string, error) { + var content []byte + match := 0 + var kustFileName string + for _, kf := range konfig.RecognizedKustomizationFileNames() { + c, err := ldr.Load(kf) + if err == nil { + match += 1 + content = c + kustFileName = kf + } + } + switch match { + case 0: + return nil, "", NewErrMissingKustomization(ldr.Root()) + case 1: + return content, kustFileName, nil + default: + return nil, "", fmt.Errorf( + "Found multiple kustomization files under: %s\n", ldr.Root()) + } +} + +// MakeCustomizedResMap creates a fully customized ResMap +// per the instructions contained in its kustomization instance. +func (kt *KustTarget) MakeCustomizedResMap() (resmap.ResMap, error) { + return kt.makeCustomizedResMap() +} + +func (kt *KustTarget) makeCustomizedResMap() (resmap.ResMap, error) { + var origin *resource.Origin + if len(kt.kustomization.BuildMetadata) != 0 { + origin = &resource.Origin{} + } + kt.origin = origin + ra, err := kt.AccumulateTarget() + if err != nil { + return nil, err + } + + // The following steps must be done last, not as part of + // the recursion implicit in AccumulateTarget. + + err = kt.addHashesToNames(ra) + if err != nil { + return nil, err + } + + // Given that names have changed (prefixs/suffixes added), + // fix all the back references to those names. + err = ra.FixBackReferences() + if err != nil { + return nil, err + } + + // With all the back references fixed, it's OK to resolve Vars. + err = ra.ResolveVars() + if err != nil { + return nil, err + } + + err = kt.IgnoreLocal(ra) + if err != nil { + return nil, err + } + + return ra.ResMap(), nil +} + +func (kt *KustTarget) addHashesToNames( + ra *accumulator.ResAccumulator) error { + p := builtins.NewHashTransformerPlugin() + err := kt.configureBuiltinPlugin(p, nil, builtinhelpers.HashTransformer) + if err != nil { + return err + } + return ra.Transform(p) +} + +// AccumulateTarget returns a new ResAccumulator, +// holding customized resources and the data/rules used +// to do so. The name back references and vars are +// not yet fixed. +// The origin parameter is used through the recursive calls +// to annotate each resource with information about where +// the resource came from, e.g. the file and/or the repository +// it originated from. +// As an entrypoint, one can pass an empty resource.Origin object to +// AccumulateTarget. As AccumulateTarget moves recursively +// through kustomization directories, it updates `origin.path` +// accordingly. When a remote base is found, it updates `origin.repo` +// and `origin.ref` accordingly. +func (kt *KustTarget) AccumulateTarget() ( + ra *accumulator.ResAccumulator, err error) { + return kt.accumulateTarget(accumulator.MakeEmptyAccumulator()) +} + +// ra should be empty when this KustTarget is a Kustomization, or the ra of the parent if this KustTarget is a Component +// (or empty if the Component does not have a parent). +func (kt *KustTarget) accumulateTarget(ra *accumulator.ResAccumulator) ( + resRa *accumulator.ResAccumulator, err error) { + ra, err = kt.accumulateResources(ra, kt.kustomization.Resources) + if err != nil { + return nil, errors.WrapPrefixf(err, "accumulating resources") + } + tConfig, err := builtinconfig.MakeTransformerConfig( + kt.ldr, kt.kustomization.Configurations) + if err != nil { + return nil, err + } + err = ra.MergeConfig(tConfig) + if err != nil { + return nil, errors.WrapPrefixf( + err, "merging config %v", tConfig) + } + crdTc, err := accumulator.LoadConfigFromCRDs(kt.ldr, kt.kustomization.Crds) + if err != nil { + return nil, errors.WrapPrefixf( + err, "loading CRDs %v", kt.kustomization.Crds) + } + err = ra.MergeConfig(crdTc) + if err != nil { + return nil, errors.WrapPrefixf( + err, "merging CRDs %v", crdTc) + } + err = kt.runGenerators(ra) + if err != nil { + return nil, err + } + + // components are expected to execute after reading resources and adding generators ,before applying transformers and validation. + // https://github.com/kubernetes-sigs/kustomize/pull/5170#discussion_r1212101287 + ra, err = kt.accumulateComponents(ra, kt.kustomization.Components) + if err != nil { + return nil, errors.WrapPrefixf(err, "accumulating components") + } + + err = kt.runTransformers(ra) + if err != nil { + return nil, err + } + err = kt.runValidators(ra) + if err != nil { + return nil, err + } + err = ra.MergeVars(kt.kustomization.Vars) + if err != nil { + return nil, errors.WrapPrefixf( + err, "merging vars %v", kt.kustomization.Vars) + } + return ra, nil +} + +// IgnoreLocal drops the local resource by checking the annotation "config.kubernetes.io/local-config". +func (kt *KustTarget) IgnoreLocal(ra *accumulator.ResAccumulator) error { + rf := kt.rFactory.RF() + if rf.IncludeLocalConfigs { + return nil + } + remainRes, err := rf.DropLocalNodes(ra.ResMap().ToRNodeSlice()) + if err != nil { + return err + } + return ra.Intersection(kt.rFactory.FromResourceSlice(remainRes)) +} + +func (kt *KustTarget) runGenerators( + ra *accumulator.ResAccumulator) error { + var generators []*resmap.GeneratorWithProperties + gs, err := kt.configureBuiltinGenerators() + if err != nil { + return err + } + generators = append(generators, gs...) + + gs, err = kt.configureExternalGenerators() + if err != nil { + return errors.WrapPrefixf(err, "loading generator plugins") + } + generators = append(generators, gs...) + for i, g := range generators { + resMap, err := g.Generate() + if err != nil { + return err + } + if resMap != nil { + err = resMap.AddOriginAnnotation(generators[i].Origin) + if err != nil { + return errors.WrapPrefixf(err, "adding origin annotations for generator %v", g) + } + } + err = ra.AbsorbAll(resMap) + if err != nil { + return errors.WrapPrefixf(err, "merging from generator %v", g) + } + } + return nil +} + +func (kt *KustTarget) configureExternalGenerators() ( + []*resmap.GeneratorWithProperties, error) { + ra := accumulator.MakeEmptyAccumulator() + var generatorPaths []string + for _, p := range kt.kustomization.Generators { + // handle inline generators + rm, err := kt.rFactory.NewResMapFromBytes([]byte(p)) + if err != nil { + // not an inline config + generatorPaths = append(generatorPaths, p) + continue + } + // inline config, track the origin + if kt.origin != nil { + resources := rm.Resources() + for _, r := range resources { + r.SetOrigin(kt.origin.Append(kt.kustFileName)) + rm.Replace(r) + } + } + if err = ra.AppendAll(rm); err != nil { + return nil, errors.WrapPrefixf(err, "configuring external generator") + } + } + ra, err := kt.accumulateResources(ra, generatorPaths) + if err != nil { + return nil, err + } + return kt.pLdr.LoadGenerators(kt.ldr, kt.validator, ra.ResMap()) +} + +func (kt *KustTarget) runTransformers(ra *accumulator.ResAccumulator) error { + var r []*resmap.TransformerWithProperties + tConfig := ra.GetTransformerConfig() + lts, err := kt.configureBuiltinTransformers(tConfig) + if err != nil { + return err + } + r = append(r, lts...) + lts, err = kt.configureExternalTransformers(kt.kustomization.Transformers) + if err != nil { + return err + } + r = append(r, lts...) + return ra.Transform(newMultiTransformer(r)) +} + +func (kt *KustTarget) configureExternalTransformers(transformers []string) ([]*resmap.TransformerWithProperties, error) { + ra := accumulator.MakeEmptyAccumulator() + var transformerPaths []string + for _, p := range transformers { + // handle inline transformers + rm, err := kt.rFactory.NewResMapFromBytes([]byte(p)) + if err != nil { + // not an inline config + transformerPaths = append(transformerPaths, p) + continue + } + // inline config, track the origin + if kt.origin != nil { + resources := rm.Resources() + for _, r := range resources { + r.SetOrigin(kt.origin.Append(kt.kustFileName)) + rm.Replace(r) + } + } + + if err = ra.AppendAll(rm); err != nil { + return nil, errors.WrapPrefixf(err, "configuring external transformer") + } + } + ra, err := kt.accumulateResources(ra, transformerPaths) + if err != nil { + return nil, err + } + return kt.pLdr.LoadTransformers(kt.ldr, kt.validator, ra.ResMap()) +} + +func (kt *KustTarget) runValidators(ra *accumulator.ResAccumulator) error { + validators, err := kt.configureExternalTransformers(kt.kustomization.Validators) + if err != nil { + return err + } + for _, v := range validators { + // Validators shouldn't modify the resource map + orignal := ra.ResMap().DeepCopy() + err = v.Transform(ra.ResMap()) + if err != nil { + return err + } + newMap := ra.ResMap().DeepCopy() + if err = kt.removeValidatedByLabel(newMap); err != nil { + return err + } + if err = orignal.ErrorIfNotEqualSets(newMap); err != nil { + return fmt.Errorf("validator shouldn't modify the resource map: %v", err) + } + } + return nil +} + +func (kt *KustTarget) removeValidatedByLabel(rm resmap.ResMap) error { + resources := rm.Resources() + for _, r := range resources { + labels := r.GetLabels() + if _, found := labels[konfig.ValidatedByLabelKey]; !found { + continue + } + delete(labels, konfig.ValidatedByLabelKey) + if err := r.SetLabels(labels); err != nil { + return err + } + } + return nil +} + +// accumulateResources fills the given resourceAccumulator +// with resources read from the given list of paths. +func (kt *KustTarget) accumulateResources( + ra *accumulator.ResAccumulator, paths []string) (*accumulator.ResAccumulator, error) { + for _, path := range paths { + // try loading resource as file then as base (directory or git repository) + if errF := kt.accumulateFile(ra, path); errF != nil { + // not much we can do if the error is an HTTP error so we bail out + if errors.Is(errF, load.ErrHTTP) { + return nil, errF + } + ldr, err := kt.ldr.New(path) + if err != nil { + // If accumulateFile found malformed YAML and there was a failure + // loading the resource as a base, then the resource is likely a + // file. The loader failure message is unnecessary, and could be + // confusing. Report only the file load error. + // + // However, a loader timeout implies there is a git repo at the + // path. In that case, both errors could be important. + if kusterr.IsMalformedYAMLError(errF) && !utils.IsErrTimeout(err) { + return nil, errF + } + return nil, errors.WrapPrefixf( + err, "accumulation err='%s'", errF.Error()) + } + // store the origin, we'll need it later + origin := kt.origin.Copy() + if kt.origin != nil { + kt.origin = kt.origin.Append(path) + ra, err = kt.accumulateDirectory(ra, ldr, false) + // after we are done recursing through the directory, reset the origin + kt.origin = &origin + } else { + ra, err = kt.accumulateDirectory(ra, ldr, false) + } + if err != nil { + return nil, errors.WrapPrefixf( + err, "accumulation err='%s'", errF.Error()) + } + } + } + return ra, nil +} + +// accumulateComponents fills the given resourceAccumulator +// with resources read from the given list of paths. +func (kt *KustTarget) accumulateComponents( + ra *accumulator.ResAccumulator, paths []string) (*accumulator.ResAccumulator, error) { + for _, path := range paths { + // Components always refer to directories + ldr, errL := kt.ldr.New(path) + if errL != nil { + return nil, fmt.Errorf("loader.New %q", errL) + } + var errD error + // store the origin, we'll need it later + origin := kt.origin.Copy() + if kt.origin != nil { + kt.origin = kt.origin.Append(path) + ra, errD = kt.accumulateDirectory(ra, ldr, true) + // after we are done recursing through the directory, reset the origin + kt.origin = &origin + } else { + ra, errD = kt.accumulateDirectory(ra, ldr, true) + } + if errD != nil { + return nil, fmt.Errorf("accumulateDirectory: %q", errD) + } + } + return ra, nil +} + +func (kt *KustTarget) accumulateDirectory( + ra *accumulator.ResAccumulator, ldr ifc.Loader, isComponent bool) (*accumulator.ResAccumulator, error) { + defer ldr.Cleanup() + subKt := NewKustTarget(ldr, kt.validator, kt.rFactory, kt.pLdr) + err := subKt.Load() + if err != nil { + return nil, errors.WrapPrefixf( + err, "couldn't make target for path '%s'", ldr.Root()) + } + subKt.kustomization.BuildMetadata = kt.kustomization.BuildMetadata + subKt.origin = kt.origin + var bytes []byte + if openApiPath, exists := subKt.Kustomization().OpenAPI["path"]; exists { + bytes, err = ldr.Load(openApiPath) + if err != nil { + return nil, err + } + } + err = openapi.SetSchema(subKt.Kustomization().OpenAPI, bytes, false) + if err != nil { + return nil, err + } + if isComponent && subKt.kustomization.Kind != types.ComponentKind { + return nil, fmt.Errorf( + "expected kind '%s' for path '%s' but got '%s'", types.ComponentKind, ldr.Root(), subKt.kustomization.Kind) + } else if !isComponent && subKt.kustomization.Kind == types.ComponentKind { + return nil, fmt.Errorf( + "expected kind != '%s' for path '%s'", types.ComponentKind, ldr.Root()) + } + + var subRa *accumulator.ResAccumulator + if isComponent { + // Components don't create a new accumulator: the kustomization directives are added to the current accumulator + subRa, err = subKt.accumulateTarget(ra) + ra = accumulator.MakeEmptyAccumulator() + } else { + // Child Kustomizations create a new accumulator which resolves their kustomization directives, which will later + // be merged into the current accumulator. + subRa, err = subKt.AccumulateTarget() + } + if err != nil { + return nil, errors.WrapPrefixf( + err, "recursed accumulation of path '%s'", ldr.Root()) + } + err = ra.MergeAccumulator(subRa) + if err != nil { + return nil, errors.WrapPrefixf( + err, "recursed merging from path '%s'", ldr.Root()) + } + return ra, nil +} + +func (kt *KustTarget) accumulateFile( + ra *accumulator.ResAccumulator, path string) error { + resources, err := kt.rFactory.FromFile(kt.ldr, path) + if err != nil { + return errors.WrapPrefixf(err, "accumulating resources from '%s'", path) + } + if kt.origin != nil { + originAnno, err := kt.origin.Append(path).String() + if err != nil { + return errors.WrapPrefixf(err, "cannot add path annotation for '%s'", path) + } + err = resources.AnnotateAll(utils.OriginAnnotationKey, originAnno) + if err != nil || originAnno == "" { + return errors.WrapPrefixf(err, "cannot add path annotation for '%s'", path) + } + } + err = ra.AppendAll(resources) + if err != nil { + return errors.WrapPrefixf(err, "merging resources from '%s'", path) + } + return nil +} + +func (kt *KustTarget) configureBuiltinPlugin( + p resmap.Configurable, c interface{}, bpt builtinhelpers.BuiltinPluginType) (err error) { + var y []byte + if c != nil { + y, err = yaml.Marshal(c) + if err != nil { + return errors.WrapPrefixf( + err, "builtin %s marshal", bpt) + } + } + err = p.Config( + resmap.NewPluginHelpers( + kt.ldr, kt.validator, kt.rFactory, kt.pLdr.Config()), + y) + if err != nil { + return errors.WrapPrefixf( + err, "trouble configuring builtin %s with config: `\n%s`", bpt, string(y)) + } + return nil +} diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/target/kusttarget_configplugin.go b/vendor/sigs.k8s.io/kustomize/api/internal/target/kusttarget_configplugin.go new file mode 100644 index 0000000000..1ba028a36f --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/internal/target/kusttarget_configplugin.go @@ -0,0 +1,457 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package target + +import ( + "fmt" + "path/filepath" + + "sigs.k8s.io/kustomize/api/internal/plugins/builtinconfig" + "sigs.k8s.io/kustomize/api/internal/plugins/builtinhelpers" + "sigs.k8s.io/kustomize/api/resmap" + "sigs.k8s.io/kustomize/api/resource" + "sigs.k8s.io/kustomize/api/types" + "sigs.k8s.io/kustomize/kyaml/errors" + "sigs.k8s.io/kustomize/kyaml/yaml" +) + +// Functions dedicated to configuring the builtin +// transformer and generator plugins using config data +// read from a kustomization file and from the +// config.TransformerConfig, whose data may be a +// mix of hardcoded values and data read from file. +// +// Non-builtin plugins will get their configuration +// from their own dedicated structs and YAML files. +// +// There are some loops in the functions below because +// the kustomization file would, say, allow someone to +// request multiple secrets be made, or run multiple +// image tag transforms. In these cases, we'll need +// N plugin instances with differing configurations. + +func (kt *KustTarget) configureBuiltinGenerators() ( + result []*resmap.GeneratorWithProperties, err error) { + for _, bpt := range []builtinhelpers.BuiltinPluginType{ + builtinhelpers.ConfigMapGenerator, + builtinhelpers.SecretGenerator, + builtinhelpers.HelmChartInflationGenerator, + } { + r, err := generatorConfigurators[bpt]( + kt, bpt, builtinhelpers.GeneratorFactories[bpt]) + if err != nil { + return nil, err + } + + var generatorOrigin *resource.Origin + if kt.origin != nil { + generatorOrigin = &resource.Origin{ + Repo: kt.origin.Repo, + Ref: kt.origin.Ref, + ConfiguredIn: filepath.Join(kt.origin.Path, kt.kustFileName), + ConfiguredBy: yaml.ResourceIdentifier{ + TypeMeta: yaml.TypeMeta{ + APIVersion: "builtin", + Kind: bpt.String(), + }, + }, + } + } + + for i := range r { + result = append(result, &resmap.GeneratorWithProperties{Generator: r[i], Origin: generatorOrigin}) + } + } + return result, nil +} + +func (kt *KustTarget) configureBuiltinTransformers( + tc *builtinconfig.TransformerConfig) ( + result []*resmap.TransformerWithProperties, err error) { + for _, bpt := range []builtinhelpers.BuiltinPluginType{ + builtinhelpers.PatchStrategicMergeTransformer, + builtinhelpers.PatchTransformer, + builtinhelpers.NamespaceTransformer, + builtinhelpers.PrefixTransformer, + builtinhelpers.SuffixTransformer, + builtinhelpers.LabelTransformer, + builtinhelpers.AnnotationsTransformer, + builtinhelpers.PatchJson6902Transformer, + builtinhelpers.ReplicaCountTransformer, + builtinhelpers.ImageTagTransformer, + builtinhelpers.ReplacementTransformer, + } { + r, err := transformerConfigurators[bpt]( + kt, bpt, builtinhelpers.TransformerFactories[bpt], tc) + if err != nil { + return nil, err + } + var transformerOrigin *resource.Origin + if kt.origin != nil { + transformerOrigin = &resource.Origin{ + Repo: kt.origin.Repo, + Ref: kt.origin.Ref, + ConfiguredIn: filepath.Join(kt.origin.Path, kt.kustFileName), + ConfiguredBy: yaml.ResourceIdentifier{ + TypeMeta: yaml.TypeMeta{ + APIVersion: "builtin", + Kind: bpt.String(), + }, + }, + } + } + for i := range r { + result = append(result, &resmap.TransformerWithProperties{Transformer: r[i], Origin: transformerOrigin}) + } + } + return result, nil +} + +type gFactory func() resmap.GeneratorPlugin + +var generatorConfigurators = map[builtinhelpers.BuiltinPluginType]func( + kt *KustTarget, + bpt builtinhelpers.BuiltinPluginType, + factory gFactory) (result []resmap.Generator, err error){ + builtinhelpers.SecretGenerator: func(kt *KustTarget, bpt builtinhelpers.BuiltinPluginType, f gFactory) ( + result []resmap.Generator, err error) { + var c struct { + types.SecretArgs + } + for _, args := range kt.kustomization.SecretGenerator { + c.SecretArgs = args + c.SecretArgs.Options = types.MergeGlobalOptionsIntoLocal( + c.SecretArgs.Options, kt.kustomization.GeneratorOptions) + p := f() + err := kt.configureBuiltinPlugin(p, c, bpt) + if err != nil { + return nil, err + } + result = append(result, p) + } + return + }, + + builtinhelpers.ConfigMapGenerator: func(kt *KustTarget, bpt builtinhelpers.BuiltinPluginType, f gFactory) ( + result []resmap.Generator, err error) { + var c struct { + types.ConfigMapArgs + } + for _, args := range kt.kustomization.ConfigMapGenerator { + c.ConfigMapArgs = args + c.ConfigMapArgs.Options = types.MergeGlobalOptionsIntoLocal( + c.ConfigMapArgs.Options, kt.kustomization.GeneratorOptions) + p := f() + err := kt.configureBuiltinPlugin(p, c, bpt) + if err != nil { + return nil, err + } + result = append(result, p) + } + return + }, + + builtinhelpers.HelmChartInflationGenerator: func( + kt *KustTarget, bpt builtinhelpers.BuiltinPluginType, f gFactory) ( + result []resmap.Generator, err error) { + var c struct { + types.HelmGlobals + types.HelmChart + } + var globals types.HelmGlobals + if kt.kustomization.HelmGlobals != nil { + globals = *kt.kustomization.HelmGlobals + } + for _, chart := range kt.kustomization.HelmCharts { + c.HelmGlobals = globals + c.HelmChart = chart + p := f() + if err = kt.configureBuiltinPlugin(p, c, bpt); err != nil { + return nil, err + } + result = append(result, p) + } + return + }, +} + +type tFactory func() resmap.TransformerPlugin + +var transformerConfigurators = map[builtinhelpers.BuiltinPluginType]func( + kt *KustTarget, + bpt builtinhelpers.BuiltinPluginType, + f tFactory, + tc *builtinconfig.TransformerConfig) (result []resmap.Transformer, err error){ + builtinhelpers.NamespaceTransformer: func( + kt *KustTarget, bpt builtinhelpers.BuiltinPluginType, f tFactory, tc *builtinconfig.TransformerConfig) ( + result []resmap.Transformer, err error) { + if kt.kustomization.Namespace == "" { + return + } + var c struct { + types.ObjectMeta `json:"metadata,omitempty" yaml:"metadata,omitempty"` + FieldSpecs []types.FieldSpec + } + c.Namespace = kt.kustomization.Namespace + c.FieldSpecs = tc.NameSpace + p := f() + err = kt.configureBuiltinPlugin(p, c, bpt) + if err != nil { + return nil, err + } + result = append(result, p) + return + }, + + builtinhelpers.PatchJson6902Transformer: func( + kt *KustTarget, bpt builtinhelpers.BuiltinPluginType, f tFactory, _ *builtinconfig.TransformerConfig) ( + result []resmap.Transformer, err error) { + var c struct { + Target *types.Selector `json:"target,omitempty" yaml:"target,omitempty"` + Path string `json:"path,omitempty" yaml:"path,omitempty"` + JsonOp string `json:"jsonOp,omitempty" yaml:"jsonOp,omitempty"` + } + for _, args := range kt.kustomization.PatchesJson6902 { + c.Target = args.Target + c.Path = args.Path + c.JsonOp = args.Patch + p := f() + err = kt.configureBuiltinPlugin(p, c, bpt) + if err != nil { + return nil, err + } + result = append(result, p) + } + return + }, + builtinhelpers.PatchStrategicMergeTransformer: func( + kt *KustTarget, bpt builtinhelpers.BuiltinPluginType, f tFactory, _ *builtinconfig.TransformerConfig) ( + result []resmap.Transformer, err error) { + if len(kt.kustomization.PatchesStrategicMerge) == 0 { + return + } + var c struct { + Paths []types.PatchStrategicMerge `json:"paths,omitempty" yaml:"paths,omitempty"` + } + c.Paths = kt.kustomization.PatchesStrategicMerge + p := f() + err = kt.configureBuiltinPlugin(p, c, bpt) + if err != nil { + return nil, err + } + result = append(result, p) + return + }, + builtinhelpers.PatchTransformer: func( + kt *KustTarget, bpt builtinhelpers.BuiltinPluginType, f tFactory, _ *builtinconfig.TransformerConfig) ( + result []resmap.Transformer, err error) { + if len(kt.kustomization.Patches) == 0 { + return + } + var c struct { + Path string `json:"path,omitempty" yaml:"path,omitempty"` + Patch string `json:"patch,omitempty" yaml:"patch,omitempty"` + Target *types.Selector `json:"target,omitempty" yaml:"target,omitempty"` + Options map[string]bool `json:"options,omitempty" yaml:"options,omitempty"` + } + for _, pc := range kt.kustomization.Patches { + c.Target = pc.Target + c.Patch = pc.Patch + c.Path = pc.Path + c.Options = pc.Options + p := f() + err = kt.configureBuiltinPlugin(p, c, bpt) + if err != nil { + return nil, err + } + result = append(result, p) + } + return + }, + builtinhelpers.LabelTransformer: func( + kt *KustTarget, bpt builtinhelpers.BuiltinPluginType, f tFactory, tc *builtinconfig.TransformerConfig) ( + result []resmap.Transformer, err error) { + if len(kt.kustomization.Labels) == 0 && len(kt.kustomization.CommonLabels) == 0 { + return + } + + type labelStruct struct { + Labels map[string]string + FieldSpecs []types.FieldSpec + } + + for _, label := range kt.kustomization.Labels { + var c labelStruct + + c.Labels = label.Pairs + fss := types.FsSlice(label.FieldSpecs) + + // merge labels specified in the label section of transformer configs + // these apply to selectors and templates + fss, err := fss.MergeAll(tc.Labels) + if err != nil { + return nil, fmt.Errorf("failed to merge labels: %w", err) + } + + // merge the custom fieldSpecs with the default + if label.IncludeSelectors { + fss, err = fss.MergeAll(tc.CommonLabels) + } else { + // merge spec/template/metadata fieldSpecs if includeTemplate flag is true + if label.IncludeTemplates { + fss, err = fss.MergeAll(tc.TemplateLabels) + if err != nil { + return nil, errors.WrapPrefixf(err, "failed to merge template fieldSpec") + } + } + // only add to metadata by default + fss, err = fss.MergeOne(types.FieldSpec{Path: "metadata/labels", CreateIfNotPresent: true}) + } + if err != nil { + return nil, fmt.Errorf("failed to merge labels: %w", err) + } + c.FieldSpecs = fss + p := f() + err = kt.configureBuiltinPlugin(p, c, bpt) + if err != nil { + return nil, err + } + result = append(result, p) + } + + var c labelStruct + + c.Labels = kt.kustomization.CommonLabels + c.FieldSpecs = tc.CommonLabels + p := f() + err = kt.configureBuiltinPlugin(p, c, bpt) + if err != nil { + return nil, err + } + result = append(result, p) + return + }, + builtinhelpers.AnnotationsTransformer: func( + kt *KustTarget, bpt builtinhelpers.BuiltinPluginType, f tFactory, tc *builtinconfig.TransformerConfig) ( + result []resmap.Transformer, err error) { + if len(kt.kustomization.CommonAnnotations) == 0 { + return + } + var c struct { + Annotations map[string]string + FieldSpecs []types.FieldSpec + } + c.Annotations = kt.kustomization.CommonAnnotations + c.FieldSpecs = tc.CommonAnnotations + p := f() + err = kt.configureBuiltinPlugin(p, c, bpt) + if err != nil { + return nil, err + } + result = append(result, p) + return + }, + builtinhelpers.PrefixTransformer: func( + kt *KustTarget, bpt builtinhelpers.BuiltinPluginType, f tFactory, tc *builtinconfig.TransformerConfig) ( + result []resmap.Transformer, err error) { + if kt.kustomization.NamePrefix == "" { + return + } + var c struct { + Prefix string `json:"prefix,omitempty" yaml:"prefix,omitempty"` + FieldSpecs []types.FieldSpec `json:"fieldSpecs,omitempty" yaml:"fieldSpecs,omitempty"` + } + c.Prefix = kt.kustomization.NamePrefix + c.FieldSpecs = tc.NamePrefix + p := f() + err = kt.configureBuiltinPlugin(p, c, bpt) + if err != nil { + return nil, err + } + result = append(result, p) + return + }, + builtinhelpers.SuffixTransformer: func( + kt *KustTarget, bpt builtinhelpers.BuiltinPluginType, f tFactory, tc *builtinconfig.TransformerConfig) ( + result []resmap.Transformer, err error) { + if kt.kustomization.NameSuffix == "" { + return + } + var c struct { + Suffix string `json:"suffix,omitempty" yaml:"suffix,omitempty"` + FieldSpecs []types.FieldSpec `json:"fieldSpecs,omitempty" yaml:"fieldSpecs,omitempty"` + } + c.Suffix = kt.kustomization.NameSuffix + c.FieldSpecs = tc.NameSuffix + p := f() + err = kt.configureBuiltinPlugin(p, c, bpt) + if err != nil { + return nil, err + } + result = append(result, p) + return + }, + builtinhelpers.ImageTagTransformer: func( + kt *KustTarget, bpt builtinhelpers.BuiltinPluginType, f tFactory, tc *builtinconfig.TransformerConfig) ( + result []resmap.Transformer, err error) { + var c struct { + ImageTag types.Image + FieldSpecs []types.FieldSpec + } + for _, args := range kt.kustomization.Images { + c.ImageTag = args + c.FieldSpecs = tc.Images + p := f() + err = kt.configureBuiltinPlugin(p, c, bpt) + if err != nil { + return nil, err + } + result = append(result, p) + } + return + }, + builtinhelpers.ReplacementTransformer: func( + kt *KustTarget, bpt builtinhelpers.BuiltinPluginType, f tFactory, _ *builtinconfig.TransformerConfig) ( + result []resmap.Transformer, err error) { + if len(kt.kustomization.Replacements) == 0 { + return + } + var c struct { + Replacements []types.ReplacementField + } + c.Replacements = kt.kustomization.Replacements + p := f() + err = kt.configureBuiltinPlugin(p, c, bpt) + if err != nil { + return nil, err + } + result = append(result, p) + return result, nil + }, + builtinhelpers.ReplicaCountTransformer: func( + kt *KustTarget, bpt builtinhelpers.BuiltinPluginType, f tFactory, tc *builtinconfig.TransformerConfig) ( + result []resmap.Transformer, err error) { + var c struct { + Replica types.Replica + FieldSpecs []types.FieldSpec + } + for _, args := range kt.kustomization.Replicas { + c.Replica = args + c.FieldSpecs = tc.Replicas + p := f() + err = kt.configureBuiltinPlugin(p, c, bpt) + if err != nil { + return nil, err + } + result = append(result, p) + } + return + }, + // No kustomization file keyword for this yet. + builtinhelpers.ValueAddTransformer: func( + kt *KustTarget, bpt builtinhelpers.BuiltinPluginType, f tFactory, tc *builtinconfig.TransformerConfig) ( + result []resmap.Transformer, err error) { + return nil, fmt.Errorf("valueadd keyword not yet defined") + }, +} diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/target/multitransformer.go b/vendor/sigs.k8s.io/kustomize/api/internal/target/multitransformer.go new file mode 100644 index 0000000000..3bc0a87159 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/internal/target/multitransformer.go @@ -0,0 +1,41 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package target + +import ( + "sigs.k8s.io/kustomize/api/resmap" +) + +// multiTransformer contains a list of transformers. +type multiTransformer struct { + transformers []*resmap.TransformerWithProperties +} + +var _ resmap.Transformer = &multiTransformer{} + +// newMultiTransformer constructs a multiTransformer. +func newMultiTransformer(t []*resmap.TransformerWithProperties) resmap.Transformer { + r := &multiTransformer{ + transformers: make([]*resmap.TransformerWithProperties, len(t)), + } + copy(r.transformers, t) + return r +} + +// Transform applies the member transformers in order to the resources, +// optionally detecting and erroring on commutation conflict. +func (o *multiTransformer) Transform(m resmap.ResMap) error { + for _, t := range o.transformers { + if err := t.Transform(m); err != nil { + return err + } + if t.Origin != nil { + if err := m.AddTransformerAnnotation(t.Origin); err != nil { + return err + } + } + m.DropEmpties() + } + return nil +} diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/utils/annotations.go b/vendor/sigs.k8s.io/kustomize/api/internal/utils/annotations.go new file mode 100644 index 0000000000..8a2d5bb4ba --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/internal/utils/annotations.go @@ -0,0 +1,29 @@ +// Copyright 2022 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package utils + +import "sigs.k8s.io/kustomize/api/konfig" + +const ( + // build annotations + BuildAnnotationPreviousKinds = konfig.ConfigAnnoDomain + "/previousKinds" + BuildAnnotationPreviousNames = konfig.ConfigAnnoDomain + "/previousNames" + BuildAnnotationPrefixes = konfig.ConfigAnnoDomain + "/prefixes" + BuildAnnotationSuffixes = konfig.ConfigAnnoDomain + "/suffixes" + BuildAnnotationPreviousNamespaces = konfig.ConfigAnnoDomain + "/previousNamespaces" + BuildAnnotationsRefBy = konfig.ConfigAnnoDomain + "/refBy" + BuildAnnotationsGenBehavior = konfig.ConfigAnnoDomain + "/generatorBehavior" + BuildAnnotationsGenAddHashSuffix = konfig.ConfigAnnoDomain + "/needsHashSuffix" + + // the following are only for patches, to specify whether they can change names + // and kinds of their targets + BuildAnnotationAllowNameChange = konfig.ConfigAnnoDomain + "/allowNameChange" + BuildAnnotationAllowKindChange = konfig.ConfigAnnoDomain + "/allowKindChange" + + // for keeping track of origin and transformer data + OriginAnnotationKey = "config.kubernetes.io/origin" + TransformerAnnotationKey = "alpha.config.kubernetes.io/transformations" + + Enabled = "enabled" +) diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/utils/errtimeout.go b/vendor/sigs.k8s.io/kustomize/api/internal/utils/errtimeout.go new file mode 100644 index 0000000000..a0d861c7bf --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/internal/utils/errtimeout.go @@ -0,0 +1,29 @@ +// Copyright 2020 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package utils + +import ( + "fmt" + "time" + + "sigs.k8s.io/kustomize/kyaml/errors" +) + +type errTimeOut struct { + duration time.Duration + cmd string +} + +func NewErrTimeOut(d time.Duration, c string) *errTimeOut { + return &errTimeOut{duration: d, cmd: c} +} + +func (e *errTimeOut) Error() string { + return fmt.Sprintf("hit %s timeout running '%s'", e.duration, e.cmd) +} + +func IsErrTimeout(err error) bool { + e := &errTimeOut{} + return errors.As(err, &e) +} diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/utils/makeResIds.go b/vendor/sigs.k8s.io/kustomize/api/internal/utils/makeResIds.go new file mode 100644 index 0000000000..ec7320c404 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/internal/utils/makeResIds.go @@ -0,0 +1,68 @@ +// Copyright 2022 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package utils + +import ( + "fmt" + "strings" + + "sigs.k8s.io/kustomize/kyaml/resid" + "sigs.k8s.io/kustomize/kyaml/yaml" +) + +// MakeResIds returns all of an RNode's current and previous Ids +func MakeResIds(n *yaml.RNode) ([]resid.ResId, error) { + var result []resid.ResId + apiVersion := n.Field(yaml.APIVersionField) + var group, version string + if apiVersion != nil { + group, version = resid.ParseGroupVersion(yaml.GetValue(apiVersion.Value)) + } + result = append(result, resid.NewResIdWithNamespace( + resid.Gvk{Group: group, Version: version, Kind: n.GetKind()}, n.GetName(), n.GetNamespace()), + ) + prevIds, err := PrevIds(n) + if err != nil { + return nil, err + } + result = append(result, prevIds...) + return result, nil +} + +// PrevIds returns all of an RNode's previous Ids +func PrevIds(n *yaml.RNode) ([]resid.ResId, error) { + var ids []resid.ResId + // TODO: merge previous names and namespaces into one list of + // pairs on one annotation so there is no chance of error + annotations := n.GetAnnotations( + BuildAnnotationPreviousNames, + BuildAnnotationPreviousNamespaces, + BuildAnnotationPreviousKinds) + if _, ok := annotations[BuildAnnotationPreviousNames]; !ok { + return nil, nil + } + names := strings.Split(annotations[BuildAnnotationPreviousNames], ",") + ns := strings.Split(annotations[BuildAnnotationPreviousNamespaces], ",") + kinds := strings.Split(annotations[BuildAnnotationPreviousKinds], ",") + // This should never happen + if len(names) != len(ns) || len(names) != len(kinds) { + return nil, fmt.Errorf( + "number of previous names, " + + "number of previous namespaces, " + + "number of previous kinds not equal") + } + apiVersion := n.GetApiVersion() + group, version := resid.ParseGroupVersion(apiVersion) + ids = make([]resid.ResId, 0, len(names)) + for i := range names { + gvk := resid.Gvk{ + Group: group, + Version: version, + Kind: kinds[i], + } + ids = append(ids, resid.NewResIdWithNamespace( + gvk, names[i], ns[i])) + } + return ids, nil +} diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/utils/stringslice.go b/vendor/sigs.k8s.io/kustomize/api/internal/utils/stringslice.go new file mode 100644 index 0000000000..3dc4227255 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/internal/utils/stringslice.go @@ -0,0 +1,44 @@ +// Copyright 2020 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package utils + +// StringSliceIndex returns the index of the str, else -1. +func StringSliceIndex(slice []string, str string) int { + for i := range slice { + if slice[i] == str { + return i + } + } + return -1 +} + +// StringSliceContains returns true if the slice has the string. +func StringSliceContains(slice []string, str string) bool { + for _, s := range slice { + if s == str { + return true + } + } + return false +} + +// SameEndingSubSlice returns true if the slices end the same way, e.g. +// {"a", "b", "c"}, {"b", "c"} => true +// {"a", "b", "c"}, {"a", "b"} => false +// If one slice is empty and the other is not, return false. +func SameEndingSubSlice(shortest, longest []string) bool { + if len(shortest) > len(longest) { + longest, shortest = shortest, longest + } + diff := len(longest) - len(shortest) + if len(shortest) == 0 { + return diff == 0 + } + for i := len(shortest) - 1; i >= 0; i-- { + if longest[i+diff] != shortest[i] { + return false + } + } + return true +} diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/utils/timedcall.go b/vendor/sigs.k8s.io/kustomize/api/internal/utils/timedcall.go new file mode 100644 index 0000000000..cda53f864b --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/internal/utils/timedcall.go @@ -0,0 +1,23 @@ +// Copyright 2020 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package utils + +import ( + "time" +) + +// TimedCall runs fn, failing if it doesn't complete in the given duration. +// The description is used in the timeout error message. +func TimedCall(description string, d time.Duration, fn func() error) error { + done := make(chan error, 1) + timer := time.NewTimer(d) + defer timer.Stop() + go func() { done <- fn() }() + select { + case err := <-done: + return err + case <-timer.C: + return NewErrTimeOut(d, description) + } +} diff --git a/vendor/sigs.k8s.io/kustomize/api/internal/validate/fieldvalidator.go b/vendor/sigs.k8s.io/kustomize/api/internal/validate/fieldvalidator.go new file mode 100644 index 0000000000..5ccfc3ce7b --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/internal/validate/fieldvalidator.go @@ -0,0 +1,68 @@ +// Copyright 2020 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package validate + +import ( + "sigs.k8s.io/kustomize/api/ifc" +) + +// FieldValidator implements ifc.Validator to check +// the values of various KRM string fields, +// e.g. labels, annotations, names, namespaces. +// +// TODO: Have this use kyaml/yaml/internal/k8sgen/pkg/labels +// which has label and annotation validation code, but is internal +// so this impl would need to move to kyaml (a fine idea). +type FieldValidator struct { +} + +var _ ifc.Validator = (*FieldValidator)(nil) + +func NewFieldValidator() *FieldValidator { + return &FieldValidator{} +} + +// TODO(#FieldValidator): implement MakeAnnotationValidator +func (f FieldValidator) MakeAnnotationValidator() func(map[string]string) error { + return func(x map[string]string) error { + return nil + } +} + +// TODO(#FieldValidator): implement MakeAnnotationNameValidator +func (f FieldValidator) MakeAnnotationNameValidator() func([]string) error { + return func(x []string) error { + return nil + } +} + +// TODO(#FieldValidator): implement MakeLabelValidator +func (f FieldValidator) MakeLabelValidator() func(map[string]string) error { + return func(x map[string]string) error { + return nil + } +} + +// TODO(#FieldValidator): implement MakeLabelNameValidator +func (f FieldValidator) MakeLabelNameValidator() func([]string) error { + return func(x []string) error { + return nil + } +} + +// TODO(#FieldValidator): implement ValidateNamespace +func (f FieldValidator) ValidateNamespace(s string) []string { + var errs []string + return errs +} + +// TODO(#FieldValidator): implement ErrIfInvalidKey +func (f FieldValidator) ErrIfInvalidKey(s string) error { + return nil +} + +// TODO(#FieldValidator): implement IsEnvVarName +func (f FieldValidator) IsEnvVarName(k string) error { + return nil +} diff --git a/vendor/sigs.k8s.io/kustomize/api/konfig/doc.go b/vendor/sigs.k8s.io/kustomize/api/konfig/doc.go new file mode 100644 index 0000000000..8c5f8f2cdf --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/konfig/doc.go @@ -0,0 +1,7 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +// Package konfig provides configuration methods and constants +// for the kustomize API, e.g. the set of file names to look for +// to identify a kustomization root. +package konfig diff --git a/vendor/sigs.k8s.io/kustomize/api/konfig/general.go b/vendor/sigs.k8s.io/kustomize/api/konfig/general.go new file mode 100644 index 0000000000..712bfe7894 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/konfig/general.go @@ -0,0 +1,49 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package konfig + +// RecognizedKustomizationFileNames is a list of file names +// that kustomize recognizes. +// To avoid ambiguity, a kustomization directory may not +// contain more than one match to this list. +func RecognizedKustomizationFileNames() []string { + return []string{ + "kustomization.yaml", + "kustomization.yml", + "Kustomization", + } +} + +func DefaultKustomizationFileName() string { + return RecognizedKustomizationFileNames()[0] +} + +const ( + // An environment variable to consult for kustomization + // configuration data. See: + // https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html + XdgConfigHomeEnv = "XDG_CONFIG_HOME" + + // Use this when XdgConfigHomeEnv not defined. + XdgConfigHomeEnvDefault = ".config" + + // A program name, for use in help, finding the XDG_CONFIG_DIR, etc. + ProgramName = "kustomize" + + // ConfigAnnoDomain is internal configuration-related annotation namespace. + // See https://github.com/kubernetes-sigs/kustomize/blob/master/cmd/config/docs/api-conventions/functions-spec.md. + ConfigAnnoDomain = "internal.config.kubernetes.io" + + // If a resource has this annotation, kustomize will drop it. + IgnoredByKustomizeAnnotation = "config.kubernetes.io/local-config" + + // Label key that indicates the resources are built from Kustomize + ManagedbyLabelKey = "app.kubernetes.io/managed-by" + + // An environment variable to turn on/off adding the ManagedByLabelKey + EnableManagedbyLabelEnv = "KUSTOMIZE_ENABLE_MANAGEDBY_LABEL" + + // Label key that indicates the resources are validated by a validator + ValidatedByLabelKey = "validated-by" +) diff --git a/vendor/sigs.k8s.io/kustomize/api/konfig/plugins.go b/vendor/sigs.k8s.io/kustomize/api/konfig/plugins.go new file mode 100644 index 0000000000..30bd3b6e38 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/konfig/plugins.go @@ -0,0 +1,138 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package konfig + +import ( + "os" + "path/filepath" + "runtime" + + "sigs.k8s.io/kustomize/api/types" + "sigs.k8s.io/kustomize/kyaml/filesys" +) + +const ( + // Symbol that must be used inside Go plugins. + PluginSymbol = "KustomizePlugin" + + // Name of environment variable used to set AbsPluginHome. + // See that variable for an explanation. + KustomizePluginHomeEnv = "KUSTOMIZE_PLUGIN_HOME" + + // Relative path below XDG_CONFIG_HOME/kustomize to find plugins. + // e.g. AbsPluginHome = XDG_CONFIG_HOME/kustomize/plugin + RelPluginHome = "plugin" + + // Location of builtin plugins below AbsPluginHome. + BuiltinPluginPackage = "builtin" + + // The value of kubernetes ApiVersion to use in configuration + // files for builtin plugins. + // The value for non-builtins can be anything. + BuiltinPluginApiVersion = BuiltinPluginPackage + + // Domain from which kustomize code is imported, for locating + // plugin source code under $GOPATH when GOPATH is defined. + DomainName = "sigs.k8s.io" + + // Injected into plugin paths when plugins are disabled. + // Provides a clue in flows that shouldn't happen. + NoPluginHomeSentinal = "/No/non-builtin/plugins!" +) + +type NotedFunc struct { + Note string + F func() string +} + +// DefaultAbsPluginHome returns the absolute path in the given file +// system to first directory that looks like a good candidate for +// the home of kustomize plugins. +func DefaultAbsPluginHome(fSys filesys.FileSystem) (string, error) { + return FirstDirThatExistsElseError( + "plugin root", fSys, []NotedFunc{ + { + Note: "homed in $" + KustomizePluginHomeEnv, + F: func() string { + return os.Getenv(KustomizePluginHomeEnv) + }, + }, + { + Note: "homed in $" + XdgConfigHomeEnv, + F: func() string { + if root := os.Getenv(XdgConfigHomeEnv); root != "" { + return filepath.Join(root, ProgramName, RelPluginHome) + } + // do not look in "kustomize/plugin" if XdgConfigHomeEnv is unset + return "" + }, + }, + { + Note: "homed in default value of $" + XdgConfigHomeEnv, + F: func() string { + return filepath.Join( + HomeDir(), XdgConfigHomeEnvDefault, + ProgramName, RelPluginHome) + }, + }, + { + Note: "homed in home directory", + F: func() string { + return filepath.Join( + HomeDir(), ProgramName, RelPluginHome) + }, + }, + }) +} + +// FirstDirThatExistsElseError tests different path functions for +// existence, returning the first that works, else error if all fail. +func FirstDirThatExistsElseError( + what string, + fSys filesys.FileSystem, + pathFuncs []NotedFunc) (string, error) { + var nope []types.Pair + for _, dt := range pathFuncs { + if dir := dt.F(); dir != "" { + if fSys.Exists(dir) { + return dir, nil + } + nope = append(nope, types.Pair{Key: dt.Note, Value: dir}) + } else { + nope = append(nope, types.Pair{Key: dt.Note, Value: ""}) + } + } + return "", types.NewErrUnableToFind(what, nope) +} + +func HomeDir() string { + home := os.Getenv(homeEnv()) + if len(home) > 0 { + return home + } + return "~" +} + +func homeEnv() string { + if runtime.GOOS == "windows" { + return "USERPROFILE" + } + return "HOME" +} + +func CurrentWorkingDir() string { + // Try for full path first to be explicit. + pwd := os.Getenv(pwdEnv()) + if len(pwd) > 0 { + return pwd + } + return filesys.SelfDir +} + +func pwdEnv() string { + if runtime.GOOS == "windows" { + return "CD" + } + return "PWD" +} diff --git a/vendor/sigs.k8s.io/kustomize/api/krusty/doc.go b/vendor/sigs.k8s.io/kustomize/api/krusty/doc.go new file mode 100644 index 0000000000..bf516ca94b --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/krusty/doc.go @@ -0,0 +1,11 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +// Package krusty is intended as the entry point package +// for those seeking to add kustomize ability to other +// programs. +// +// To use, follow the example of the kustomize CLI's 'build' +// command. Also, see the high level tests in this package, +// which serve a dual purpose as examples. +package krusty diff --git a/vendor/sigs.k8s.io/kustomize/api/krusty/kustomizer.go b/vendor/sigs.k8s.io/kustomize/api/krusty/kustomizer.go new file mode 100644 index 0000000000..999cbf4537 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/krusty/kustomizer.go @@ -0,0 +1,163 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package krusty + +import ( + "fmt" + "log" + + "sigs.k8s.io/kustomize/api/internal/builtins" + fLdr "sigs.k8s.io/kustomize/api/internal/loader" + pLdr "sigs.k8s.io/kustomize/api/internal/plugins/loader" + "sigs.k8s.io/kustomize/api/internal/target" + "sigs.k8s.io/kustomize/api/internal/utils" + "sigs.k8s.io/kustomize/api/konfig" + "sigs.k8s.io/kustomize/api/provenance" + "sigs.k8s.io/kustomize/api/provider" + "sigs.k8s.io/kustomize/api/resmap" + "sigs.k8s.io/kustomize/api/types" + "sigs.k8s.io/kustomize/kyaml/errors" + "sigs.k8s.io/kustomize/kyaml/filesys" + "sigs.k8s.io/kustomize/kyaml/openapi" +) + +// Kustomizer performs kustomizations. +// +// It's meant to behave similarly to the kustomize CLI, and can be +// used instead of performing an exec to a kustomize CLI subprocess. +// To use, load a filesystem with kustomization files (any +// number of overlays and bases), then make a Kustomizer +// injected with the given filesystem, then call Run. +type Kustomizer struct { + options *Options + depProvider *provider.DepProvider +} + +// MakeKustomizer returns an instance of Kustomizer. +func MakeKustomizer(o *Options) *Kustomizer { + return &Kustomizer{ + options: o, + depProvider: provider.NewDepProvider(), + } +} + +// Run performs a kustomization. +// +// It reads given path from the given file system, interprets it as +// a kustomization.yaml file, perform the kustomization it represents, +// and return the resulting resources. +// +// Any files referenced by the kustomization must be present on the +// filesystem. One may call Run any number of times, on any number +// of internal paths (e.g. the filesystem may contain multiple overlays, +// and Run can be called on each of them). +func (b *Kustomizer) Run( + fSys filesys.FileSystem, path string) (resmap.ResMap, error) { + resmapFactory := resmap.NewFactory(b.depProvider.GetResourceFactory()) + lr := fLdr.RestrictionNone + if b.options.LoadRestrictions == types.LoadRestrictionsRootOnly { + lr = fLdr.RestrictionRootOnly + } + ldr, err := fLdr.NewLoader(lr, path, fSys) + if err != nil { + return nil, err + } + defer ldr.Cleanup() + kt := target.NewKustTarget( + ldr, + b.depProvider.GetFieldValidator(), + resmapFactory, + // The plugin configs are always located on disk, regardless of the fSys passed in + pLdr.NewLoader(b.options.PluginConfig, resmapFactory, filesys.MakeFsOnDisk()), + ) + err = kt.Load() + if err != nil { + return nil, err + } + var bytes []byte + if openApiPath, exists := kt.Kustomization().OpenAPI["path"]; exists { + bytes, err = ldr.Load(openApiPath) + if err != nil { + return nil, err + } + } + err = openapi.SetSchema(kt.Kustomization().OpenAPI, bytes, true) + if err != nil { + return nil, err + } + var m resmap.ResMap + m, err = kt.MakeCustomizedResMap() + if err != nil { + return nil, err + } + err = b.applySortOrder(m, kt) + if err != nil { + return nil, err + } + if b.options.AddManagedbyLabel || utils.StringSliceContains(kt.Kustomization().BuildMetadata, types.ManagedByLabelOption) { + t := builtins.LabelTransformerPlugin{ + Labels: map[string]string{ + konfig.ManagedbyLabelKey: fmt.Sprintf("kustomize-%s", provenance.GetProvenance().Semver()), + }, + FieldSpecs: []types.FieldSpec{{ + Path: "metadata/labels", + CreateIfNotPresent: true, + }}, + } + err = t.Transform(m) + if err != nil { + return nil, err + } + } + m.RemoveBuildAnnotations() + if !utils.StringSliceContains(kt.Kustomization().BuildMetadata, types.OriginAnnotations) { + err = m.RemoveOriginAnnotations() + if err != nil { + return nil, errors.WrapPrefixf(err, "failed to clean up origin tracking annotations") + } + } + if !utils.StringSliceContains(kt.Kustomization().BuildMetadata, types.TransformerAnnotations) { + err = m.RemoveTransformerAnnotations() + if err != nil { + return nil, errors.WrapPrefixf(err, "failed to clean up transformer annotations") + } + } + return m, nil +} + +func (b *Kustomizer) applySortOrder(m resmap.ResMap, kt *target.KustTarget) error { + // Sort order can be defined in two places: + // - (new) kustomization file + // - (old) CLI flag + // + // We want the kustomization file to take precedence over the CLI flag. + // Eventually, we may want to move away from having a CLI flag altogether: + // https://github.com/kubernetes-sigs/kustomize/issues/3947 + + // Case 1: Sort order set in kustomization file. + if kt.Kustomization().SortOptions != nil { + // If set in CLI flag too, warn the user. + if b.options.Reorder != ReorderOptionUnspecified { + log.Println("Warning: Sorting order is set both in 'kustomization.yaml'" + + " ('sortOptions') and in a CLI flag ('--reorder'). Using the" + + " kustomization file over the CLI flag.") + } + pl := &builtins.SortOrderTransformerPlugin{ + SortOptions: kt.Kustomization().SortOptions, + } + err := pl.Transform(m) + if err != nil { + return errors.Wrap(err) + } + } else if b.options.Reorder == ReorderOptionLegacy || b.options.Reorder == ReorderOptionUnspecified { + // Case 2: Sort order set in CLI flag only or not at all. + pl := &builtins.SortOrderTransformerPlugin{ + SortOptions: &types.SortOptions{ + Order: types.LegacySortOrder, + }, + } + return errors.Wrap(pl.Transform(m)) + } + return nil +} diff --git a/vendor/sigs.k8s.io/kustomize/api/krusty/options.go b/vendor/sigs.k8s.io/kustomize/api/krusty/options.go new file mode 100644 index 0000000000..086242c8ed --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/krusty/options.go @@ -0,0 +1,70 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package krusty + +import ( + "sigs.k8s.io/kustomize/api/internal/plugins/builtinhelpers" + "sigs.k8s.io/kustomize/api/types" +) + +type ReorderOption string + +const ( + ReorderOptionLegacy ReorderOption = "legacy" + ReorderOptionNone ReorderOption = "none" + ReorderOptionUnspecified ReorderOption = "unspecified" +) + +// Options holds high-level kustomize configuration options, +// e.g. are plugins enabled, should the loader be restricted +// to the kustomization root, etc. +type Options struct { + // When true, sort the resources before emitting them, + // per a particular sort order. When false, don't do the + // sort, and instead respect the depth-first resource input + // order as specified by the kustomization file(s). + + // Sort the resources before emitting them. Possible values: + // - "legacy": Use a fixed order that kustomize provides for backwards + // compatibility. + // - "none": Respect the depth-first resource input order as specified by the + // kustomization file. + // - "unspecified": The user didn't specify any preference. Kustomize will + // select the appropriate default. + Reorder ReorderOption + + // When true, a label + // app.kubernetes.io/managed-by: kustomize- + // is added to all the resources in the build out. + AddManagedbyLabel bool + + // Restrictions on what can be loaded from the file system. + // See type definition. + LoadRestrictions types.LoadRestrictions + + // Options related to kustomize plugins. + PluginConfig *types.PluginConfig +} + +// MakeDefaultOptions returns a default instance of Options. +func MakeDefaultOptions() *Options { + return &Options{ + Reorder: ReorderOptionNone, + AddManagedbyLabel: false, + LoadRestrictions: types.LoadRestrictionsRootOnly, + PluginConfig: types.DisabledPluginConfig(), + } +} + +// GetBuiltinPluginNames returns a list of builtin plugin names +func GetBuiltinPluginNames() []string { + var ret []string + for k := range builtinhelpers.GeneratorFactories { + ret = append(ret, k.String()) + } + for k := range builtinhelpers.TransformerFactories { + ret = append(ret, k.String()) + } + return ret +} diff --git a/vendor/sigs.k8s.io/kustomize/api/kv/kv.go b/vendor/sigs.k8s.io/kustomize/api/kv/kv.go new file mode 100644 index 0000000000..61a0463c3c --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/kv/kv.go @@ -0,0 +1,197 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package kv + +import ( + "bufio" + "bytes" + "fmt" + "strings" + "unicode" + "unicode/utf8" + + "sigs.k8s.io/kustomize/api/ifc" + "sigs.k8s.io/kustomize/api/internal/generators" + "sigs.k8s.io/kustomize/api/types" + "sigs.k8s.io/kustomize/kyaml/errors" +) + +var utf8bom = []byte{0xEF, 0xBB, 0xBF} + +// loader reads and validates KV pairs. +type loader struct { + // Used to read the filesystem. + ldr ifc.Loader + + // Used to validate various k8s data fields. + validator ifc.Validator +} + +func NewLoader(ldr ifc.Loader, v ifc.Validator) ifc.KvLoader { + return &loader{ldr: ldr, validator: v} +} + +func (kvl *loader) Validator() ifc.Validator { + return kvl.validator +} + +func (kvl *loader) Load( + args types.KvPairSources) (all []types.Pair, err error) { + pairs, err := kvl.keyValuesFromEnvFiles(args.EnvSources) + if err != nil { + return nil, errors.WrapPrefixf(err, + "env source files: %v", + args.EnvSources) + } + all = append(all, pairs...) + + pairs, err = keyValuesFromLiteralSources(args.LiteralSources) + if err != nil { + return nil, errors.WrapPrefixf(err, + "literal sources %v", args.LiteralSources) + } + all = append(all, pairs...) + + pairs, err = kvl.keyValuesFromFileSources(args.FileSources) + if err != nil { + return nil, errors.WrapPrefixf(err, + "file sources: %v", args.FileSources) + } + return append(all, pairs...), nil +} + +func keyValuesFromLiteralSources(sources []string) ([]types.Pair, error) { + var kvs []types.Pair + for _, s := range sources { + k, v, err := parseLiteralSource(s) + if err != nil { + return nil, err + } + kvs = append(kvs, types.Pair{Key: k, Value: v}) + } + return kvs, nil +} + +func (kvl *loader) keyValuesFromFileSources(sources []string) ([]types.Pair, error) { + var kvs []types.Pair + for _, s := range sources { + k, fPath, err := generators.ParseFileSource(s) + if err != nil { + return nil, err + } + content, err := kvl.ldr.Load(fPath) + if err != nil { + return nil, err + } + kvs = append(kvs, types.Pair{Key: k, Value: string(content)}) + } + return kvs, nil +} + +func (kvl *loader) keyValuesFromEnvFiles(paths []string) ([]types.Pair, error) { + var kvs []types.Pair + for _, p := range paths { + content, err := kvl.ldr.Load(p) + if err != nil { + return nil, err + } + more, err := kvl.keyValuesFromLines(content) + if err != nil { + return nil, err + } + kvs = append(kvs, more...) + } + return kvs, nil +} + +// keyValuesFromLines parses given content in to a list of key-value pairs. +func (kvl *loader) keyValuesFromLines(content []byte) ([]types.Pair, error) { + var kvs []types.Pair + + scanner := bufio.NewScanner(bytes.NewReader(content)) + currentLine := 0 + for scanner.Scan() { + // Process the current line, retrieving a key/value pair if + // possible. + scannedBytes := scanner.Bytes() + kv, err := kvl.keyValuesFromLine(scannedBytes, currentLine) + if err != nil { + return nil, err + } + currentLine++ + + if len(kv.Key) == 0 { + // no key means line was empty or a comment + continue + } + + kvs = append(kvs, kv) + } + return kvs, nil +} + +// KeyValuesFromLine returns a kv with blank key if the line is empty or a comment. +func (kvl *loader) keyValuesFromLine(line []byte, currentLine int) (types.Pair, error) { + kv := types.Pair{} + + if !utf8.Valid(line) { + return kv, fmt.Errorf("line %d has invalid utf8 bytes : %v", line, string(line)) + } + + // We trim UTF8 BOM from the first line of the file but no others + if currentLine == 0 { + line = bytes.TrimPrefix(line, utf8bom) + } + + // trim the line from all leading whitespace first + line = bytes.TrimLeftFunc(line, unicode.IsSpace) + + // If the line is empty or a comment, we return a blank key/value pair. + if len(line) == 0 || line[0] == '#' { + return kv, nil + } + + data := strings.SplitN(string(line), "=", 2) + key := data[0] + if err := kvl.validator.IsEnvVarName(key); err != nil { + return kv, err + } + + if len(data) == 2 { + kv.Value = data[1] + } else { + // If there is no value (no `=` in the line), we set the value to an empty string + kv.Value = "" + } + kv.Key = key + return kv, nil +} + +// ParseLiteralSource parses the source key=val pair into its component pieces. +// This functionality is distinguished from strings.SplitN(source, "=", 2) since +// it returns an error in the case of empty keys, values, or a missing equals sign. +func parseLiteralSource(source string) (keyName, value string, err error) { + // leading equal is invalid + if strings.Index(source, "=") == 0 { + return "", "", fmt.Errorf("invalid literal source %v, expected key=value", source) + } + // split after the first equal (so values can have the = character) + items := strings.SplitN(source, "=", 2) + if len(items) != 2 { + return "", "", fmt.Errorf("invalid literal source %v, expected key=value", source) + } + return items[0], removeQuotes(items[1]), nil +} + +// removeQuotes removes the surrounding quotes from the provided string only if it is surrounded on both sides +// rather than blindly trimming all quotation marks on either side. +func removeQuotes(str string) string { + if len(str) < 2 || str[0] != str[len(str)-1] { + return str + } + if str[0] == '"' || str[0] == '\'' { + return str[1 : len(str)-1] + } + return str +} diff --git a/vendor/sigs.k8s.io/kustomize/api/provenance/provenance.go b/vendor/sigs.k8s.io/kustomize/api/provenance/provenance.go new file mode 100644 index 0000000000..c637ac2e1a --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/provenance/provenance.go @@ -0,0 +1,119 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package provenance + +import ( + "fmt" + "runtime" + "runtime/debug" + "strings" + + "github.com/blang/semver/v4" +) + +// These variables are set at build time using ldflags. +// +//nolint:gochecknoglobals +var ( + // During a release, this will be set to the release tag, e.g. "kustomize/v4.5.7" + version = developmentVersion + // build date in ISO8601 format, output of $(date -u +'%Y-%m-%dT%H:%M:%SZ') + buildDate = "unknown" +) + +// This default value, (devel), matches +// the value debug.BuildInfo uses for an unset main module version. +const developmentVersion = "(devel)" + +// Provenance holds information about the build of an executable. +type Provenance struct { + // Version of the kustomize binary. + Version string `json:"version,omitempty" yaml:"version,omitempty"` + // GitCommit is a git commit + GitCommit string `json:"gitCommit,omitempty" yaml:"gitCommit,omitempty"` + // BuildDate is date of the build. + BuildDate string `json:"buildDate,omitempty" yaml:"buildDate,omitempty"` + // GoOs holds OS name. + GoOs string `json:"goOs,omitempty" yaml:"goOs,omitempty"` + // GoArch holds architecture name. + GoArch string `json:"goArch,omitempty" yaml:"goArch,omitempty"` + // GoVersion holds Go version. + GoVersion string `json:"goVersion,omitempty" yaml:"goVersion,omitempty"` +} + +// GetProvenance returns an instance of Provenance. +func GetProvenance() Provenance { + p := Provenance{ + BuildDate: buildDate, + Version: version, + GitCommit: "unknown", + GoOs: runtime.GOOS, + GoArch: runtime.GOARCH, + GoVersion: runtime.Version(), + } + info, ok := debug.ReadBuildInfo() + if !ok { + return p + } + + for _, setting := range info.Settings { + // For now, the git commit is the only information of interest. + // We could consider adding other info such as the commit date in the future. + if setting.Key == "vcs.revision" { + p.GitCommit = setting.Value + } + } + + for _, dep := range info.Deps { + if dep != nil && dep.Path == "sigs.k8s.io/kustomize/kustomize/v5" { + if dep.Version != "devel" { + continue + } + v, err := GetMostRecentTag(*dep) + if err != nil { + fmt.Printf("failed to get most recent tag for %s: %v\n", dep.Path, err) + continue + } + p.Version = v + } + } + + return p +} + +func GetMostRecentTag(m debug.Module) (string, error) { + for m.Replace != nil { + m = *m.Replace + } + + split := strings.Split(m.Version, "-") + sv, err := semver.Parse(strings.TrimPrefix(split[0], "v")) + + if err != nil { + return "", fmt.Errorf("failed to parse version %s: %w", m.Version, err) + } + + if len(split) > 1 && sv.Patch > 0 { + sv.Patch -= 1 + } + return fmt.Sprintf("v%s", sv.FinalizeVersion()), nil +} + +// Short returns the shortened provenance stamp. +func (v Provenance) Short() string { + return fmt.Sprintf( + "%v", + Provenance{ + Version: v.Version, + BuildDate: v.BuildDate, + }) +} + +// Semver returns the semantic version of kustomize. +// kustomize version is set in format "kustomize/vX.X.X" in every release. +// X.X.X is a semver. If the version string is not in this format, +// return the original version string +func (v Provenance) Semver() string { + return strings.TrimPrefix(v.Version, "kustomize/") +} diff --git a/vendor/sigs.k8s.io/kustomize/api/provider/depprovider.go b/vendor/sigs.k8s.io/kustomize/api/provider/depprovider.go new file mode 100644 index 0000000000..0102c89ce0 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/provider/depprovider.go @@ -0,0 +1,42 @@ +// Copyright 2020 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package provider + +import ( + "sigs.k8s.io/kustomize/api/hasher" + "sigs.k8s.io/kustomize/api/ifc" + "sigs.k8s.io/kustomize/api/internal/validate" + "sigs.k8s.io/kustomize/api/resource" +) + +// DepProvider is a dependency provider, injecting different +// implementations depending on the context. +type DepProvider struct { + resourceFactory *resource.Factory + // implemented by api/internal/validate.FieldValidator + // See TODO inside the validator for status. + // At time of writing, this is a do-nothing + // validator as it's not critical to kustomize function. + fieldValidator ifc.Validator +} + +func NewDepProvider() *DepProvider { + rf := resource.NewFactory(&hasher.Hasher{}) + return &DepProvider{ + resourceFactory: rf, + fieldValidator: validate.NewFieldValidator(), + } +} + +func NewDefaultDepProvider() *DepProvider { + return NewDepProvider() +} + +func (dp *DepProvider) GetResourceFactory() *resource.Factory { + return dp.resourceFactory +} + +func (dp *DepProvider) GetFieldValidator() ifc.Validator { + return dp.fieldValidator +} diff --git a/vendor/sigs.k8s.io/kustomize/api/resmap/factory.go b/vendor/sigs.k8s.io/kustomize/api/resmap/factory.go new file mode 100644 index 0000000000..9cc860749c --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/resmap/factory.go @@ -0,0 +1,145 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package resmap + +import ( + "sigs.k8s.io/kustomize/api/ifc" + "sigs.k8s.io/kustomize/api/internal/kusterr" + "sigs.k8s.io/kustomize/api/resource" + "sigs.k8s.io/kustomize/api/types" + "sigs.k8s.io/kustomize/kyaml/errors" + "sigs.k8s.io/kustomize/kyaml/yaml" +) + +// Factory makes instances of ResMap. +type Factory struct { + // Makes resources. + resF *resource.Factory +} + +// NewFactory returns a new resmap.Factory. +func NewFactory(rf *resource.Factory) *Factory { + return &Factory{resF: rf} +} + +// RF returns a resource.Factory. +func (rmF *Factory) RF() *resource.Factory { + return rmF.resF +} + +func New() ResMap { + return newOne() +} + +// FromResource returns a ResMap with one entry. +func (rmF *Factory) FromResource(res *resource.Resource) ResMap { + m, err := newResMapFromResourceSlice([]*resource.Resource{res}) + if err != nil { + panic(err) + } + return m +} + +// FromResourceSlice returns a ResMap with a slice of resources. +func (rmF *Factory) FromResourceSlice(ress []*resource.Resource) ResMap { + m, err := newResMapFromResourceSlice(ress) + if err != nil { + panic(err) + } + return m +} + +// FromFile returns a ResMap given a resource path. +func (rmF *Factory) FromFile( + loader ifc.Loader, path string) (ResMap, error) { + content, err := loader.Load(path) + if err != nil { + return nil, err + } + m, err := rmF.NewResMapFromBytes(content) + if err != nil { + return nil, kusterr.Handler(err, path) + } + return m, nil +} + +// NewResMapFromBytes decodes a list of objects in byte array format. +func (rmF *Factory) NewResMapFromBytes(b []byte) (ResMap, error) { + resources, err := rmF.resF.SliceFromBytes(b) + if err != nil { + return nil, err + } + return newResMapFromResourceSlice(resources) +} + +// NewResMapFromConfigMapArgs returns a Resource slice given +// a configmap metadata slice from kustomization file. +func (rmF *Factory) NewResMapFromConfigMapArgs( + kvLdr ifc.KvLoader, argList []types.ConfigMapArgs) (ResMap, error) { + var resources []*resource.Resource + for i := range argList { + res, err := rmF.resF.MakeConfigMap(kvLdr, &argList[i]) + if err != nil { + return nil, errors.WrapPrefixf(err, "NewResMapFromConfigMapArgs") + } + resources = append(resources, res) + } + return newResMapFromResourceSlice(resources) +} + +// FromConfigMapArgs creates a new ResMap containing one ConfigMap. +func (rmF *Factory) FromConfigMapArgs( + kvLdr ifc.KvLoader, args types.ConfigMapArgs) (ResMap, error) { + res, err := rmF.resF.MakeConfigMap(kvLdr, &args) + if err != nil { + return nil, err + } + return rmF.FromResource(res), nil +} + +// NewResMapFromSecretArgs takes a SecretArgs slice, generates +// secrets from each entry, and accumulates them in a ResMap. +func (rmF *Factory) NewResMapFromSecretArgs( + kvLdr ifc.KvLoader, argsList []types.SecretArgs) (ResMap, error) { + var resources []*resource.Resource + for i := range argsList { + res, err := rmF.resF.MakeSecret(kvLdr, &argsList[i]) + if err != nil { + return nil, errors.WrapPrefixf(err, "NewResMapFromSecretArgs") + } + resources = append(resources, res) + } + return newResMapFromResourceSlice(resources) +} + +// FromSecretArgs creates a new ResMap containing one secret. +func (rmF *Factory) FromSecretArgs( + kvLdr ifc.KvLoader, args types.SecretArgs) (ResMap, error) { + res, err := rmF.resF.MakeSecret(kvLdr, &args) + if err != nil { + return nil, err + } + return rmF.FromResource(res), nil +} + +func newResMapFromResourceSlice( + resources []*resource.Resource) (ResMap, error) { + result := New() + for _, res := range resources { + err := result.Append(res) + if err != nil { + return nil, err + } + } + return result, nil +} + +// NewResMapFromRNodeSlice returns a ResMap from a slice of RNodes +func (rmF *Factory) NewResMapFromRNodeSlice(s []*yaml.RNode) (ResMap, error) { + rs, err := rmF.resF.ResourcesFromRNodes(s) + if err != nil { + return nil, err + } + return newResMapFromResourceSlice(rs) +} diff --git a/vendor/sigs.k8s.io/kustomize/api/resmap/resmap.go b/vendor/sigs.k8s.io/kustomize/api/resmap/resmap.go new file mode 100644 index 0000000000..ea913ba6ba --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/resmap/resmap.go @@ -0,0 +1,333 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +// Package resmap implements a map from ResId to Resource that +// tracks all resources in a kustomization. +package resmap + +import ( + "sigs.k8s.io/kustomize/api/ifc" + "sigs.k8s.io/kustomize/api/resource" + "sigs.k8s.io/kustomize/api/types" + "sigs.k8s.io/kustomize/kyaml/kio" + "sigs.k8s.io/kustomize/kyaml/resid" + "sigs.k8s.io/kustomize/kyaml/yaml" +) + +// A Transformer modifies an instance of ResMap. +type Transformer interface { + // Transform modifies data in the argument, + // e.g. adding labels to resources that can be labelled. + Transform(m ResMap) error +} + +// A TransformerWithProperties contains a Transformer and stores +// some of its properties +type TransformerWithProperties struct { + Transformer + Origin *resource.Origin +} + +// A Generator creates an instance of ResMap. +type Generator interface { + Generate() (ResMap, error) +} + +// A GeneratorWithProperties contains a Generator and stores +// some of its properties +type GeneratorWithProperties struct { + Generator + Origin *resource.Origin +} + +// Something that's configurable accepts an +// instance of PluginHelpers and a raw config +// object (YAML in []byte form). +type Configurable interface { + Config(h *PluginHelpers, config []byte) error +} + +// NewPluginHelpers makes an instance of PluginHelpers. +func NewPluginHelpers( + ldr ifc.Loader, v ifc.Validator, rf *Factory, + pc *types.PluginConfig) *PluginHelpers { + return &PluginHelpers{ldr: ldr, v: v, rf: rf, pc: pc} +} + +// PluginHelpers holds things that any or all plugins might need. +// This should be available to each plugin, in addition to +// any plugin-specific configuration. +type PluginHelpers struct { + ldr ifc.Loader + v ifc.Validator + rf *Factory + pc *types.PluginConfig +} + +func (c *PluginHelpers) GeneralConfig() *types.PluginConfig { + return c.pc +} + +func (c *PluginHelpers) Loader() ifc.Loader { + return c.ldr +} + +func (c *PluginHelpers) ResmapFactory() *Factory { + return c.rf +} + +func (c *PluginHelpers) Validator() ifc.Validator { + return c.v +} + +type GeneratorPlugin interface { + Generator + Configurable +} + +type TransformerPlugin interface { + Transformer + Configurable +} + +// ResMap is an interface describing operations on the +// core kustomize data structure, a list of Resources. +// +// Every Resource has two ResIds: OrgId and CurId. +// +// In a ResMap, no two resources may have the same CurId, +// but they may have the same OrgId. The latter can happen +// when mixing two or more different overlays apply different +// transformations to a common base. When looking for a +// resource to transform, try the OrgId first, and if this +// fails or finds too many, it might make sense to then try +// the CurrId. Depends on the situation. +// +// TODO: get rid of this interface (use bare resWrangler). +// There aren't multiple implementations any more. +type ResMap interface { + // Size reports the number of resources. + Size() int + + // Resources provides a discardable slice + // of resource pointers, returned in the order + // as appended. + Resources() []*resource.Resource + + // Append adds a Resource. Error on CurId collision. + // + // A class invariant of ResMap is that all of its + // resources must differ in their value of + // CurId(), aka current Id. The Id is the tuple + // of {namespace, group, version, kind, name} + // (see ResId). + // + // This invariant reflects the invariant of a + // kubernetes cluster, where if one tries to add + // a resource to the cluster whose Id matches + // that of a resource already in the cluster, + // only two outcomes are allowed. Either the + // incoming resource is _merged_ into the existing + // one, or the incoming resource is rejected. + // One cannot end up with two resources + // in the cluster with the same Id. + Append(*resource.Resource) error + + // AppendAll appends another ResMap to self, + // failing on any CurId collision. + AppendAll(ResMap) error + + // AbsorbAll appends, replaces or merges the contents + // of another ResMap into self, + // allowing and sometimes demanding ID collisions. + // A collision would be demanded, say, when a generated + // ConfigMap has the "replace" option in its generation + // instructions, meaning it _must_ replace + // something in the known set of resources. + // If a resource id for resource X is found to already + // be in self, then the behavior field for X must + // be BehaviorMerge or BehaviorReplace. If X is not in + // self, then its behavior _cannot_ be merge or replace. + AbsorbAll(ResMap) error + + // AddOriginAnnotation will add the provided origin as + // an origin annotation to all resources in the ResMap, if + // the origin is not nil. + AddOriginAnnotation(origin *resource.Origin) error + + // RemoveOriginAnnotation will remove the origin annotation + // from all resources in the ResMap + RemoveOriginAnnotations() error + + // AddTransformerAnnotation will add the provided origin as + // an origin annotation if the resource doesn't have one; a + // transformer annotation otherwise; to all resources in + // ResMap + AddTransformerAnnotation(origin *resource.Origin) error + + // RemoveTransformerAnnotation will remove the transformer annotation + // from all resources in the ResMap + RemoveTransformerAnnotations() error + + // AnnotateAll annotates all resources in the ResMap with + // the provided key value pair. + AnnotateAll(key string, value string) error + + // AsYaml returns the yaml form of resources. + AsYaml() ([]byte, error) + + // GetByIndex returns a resource at the given index, + // nil if out of range. + GetByIndex(int) *resource.Resource + + // GetIndexOfCurrentId returns the index of the resource + // with the given CurId. + // Returns error if there is more than one match. + // Returns (-1, nil) if there is no match. + GetIndexOfCurrentId(id resid.ResId) (int, error) + + // GetMatchingResourcesByCurrentId returns the resources + // who's CurId is matched by the argument. + GetMatchingResourcesByCurrentId(matches IdMatcher) []*resource.Resource + + // GetMatchingResourcesByAnyId returns the resources + // who's current or previous IDs is matched by the argument. + GetMatchingResourcesByAnyId(matches IdMatcher) []*resource.Resource + + // GetByCurrentId is shorthand for calling + // GetMatchingResourcesByCurrentId with a matcher requiring + // an exact match, returning an error on multiple or no matches. + GetByCurrentId(resid.ResId) (*resource.Resource, error) + + // GetById is shorthand for calling + // GetMatchingResourcesByAnyId with a matcher requiring + // an exact match, returning an error on multiple or no matches. + GetById(resid.ResId) (*resource.Resource, error) + + // GroupedByCurrentNamespace returns a map of namespace + // to a slice of *Resource in that namespace. + // Cluster-scoped Resources are not included (see ClusterScoped). + // Resources with an empty namespace are placed + // in the resid.DefaultNamespace entry. + GroupedByCurrentNamespace() map[string][]*resource.Resource + + // GroupedByOriginalNamespace performs as GroupByNamespace + // but use the original namespace instead of the current + // one to perform the grouping. + GroupedByOriginalNamespace() map[string][]*resource.Resource + + // ClusterScoped returns a slice of resources that + // cannot be placed in a namespace, e.g. + // Node, ClusterRole, Namespace itself, etc. + ClusterScoped() []*resource.Resource + + // AllIds returns all CurrentIds. + AllIds() []resid.ResId + + // Replace replaces the resource with the matching CurId. + // Error if there's no match or more than one match. + // Returns the index where the replacement happened. + Replace(*resource.Resource) (int, error) + + // Remove removes the resource whose CurId matches the argument. + // Error if not found. + Remove(resid.ResId) error + + // Clear removes all resources and Ids. + Clear() + + // DropEmpties drops empty resources from the ResMap. + DropEmpties() + + // SubsetThatCouldBeReferencedByResource returns a ResMap subset + // of self with resources that could be referenced by the + // resource argument. + // This is a filter; it excludes things that cannot be + // referenced by the resource, e.g. objects in other + // namespaces. Cluster wide objects are never excluded. + SubsetThatCouldBeReferencedByResource(*resource.Resource) (ResMap, error) + + // DeAnchor replaces YAML aliases with structured data copied from anchors. + // This cannot be undone; if desired, call DeepCopy first. + // Subsequent marshalling to YAML will no longer have anchor + // definitions ('&') or aliases ('*'). + // + // Anchors are not expected to work across YAML 'documents'. + // If three resources are loaded from one file containing three YAML docs: + // + // {resourceA} + // --- + // {resourceB} + // --- + // {resourceC} + // + // then anchors defined in A cannot be seen from B and C and vice versa. + // OTOH, cross-resource links (a field in B referencing fields in A) will + // work if the resources are gathered in a ResourceList: + // + // apiVersion: config.kubernetes.io/v1 + // kind: ResourceList + // metadata: + // name: someList + // items: + // - {resourceA} + // - {resourceB} + // - {resourceC} + // + DeAnchor() error + + // DeepCopy copies the ResMap and underlying resources. + DeepCopy() ResMap + + // ShallowCopy copies the ResMap but + // not the underlying resources. + ShallowCopy() ResMap + + // ErrorIfNotEqualSets returns an error if the + // argument doesn't have the same resources as self. + // Ordering is _not_ taken into account, + // as this function was solely used in tests written + // before internal resource order was maintained, + // and those tests are initialized with maps which + // by definition have random ordering, and will + // fail spuriously. + // TODO: modify tests to not use resmap.FromMap, + // TODO: - and replace this with a stricter equals. + ErrorIfNotEqualSets(ResMap) error + + // ErrorIfNotEqualLists returns an error if the + // argument doesn't have the resource objects + // data as self, in the same order. + // Meta information is ignored; this is similar + // to comparing the AsYaml() strings, but allows + // for more informed errors on not equals. + ErrorIfNotEqualLists(ResMap) error + + // Debug prints the ResMap. + Debug(title string) + + // Select returns a list of resources that + // are selected by a Selector + Select(types.Selector) ([]*resource.Resource, error) + + // ToRNodeSlice returns a copy of the resources as RNodes. + ToRNodeSlice() []*yaml.RNode + + // ApplySmPatch applies a strategic-merge patch to the + // selected set of resources. + ApplySmPatch( + selectedSet *resource.IdSet, patch *resource.Resource) error + + // RemoveBuildAnnotations removes annotations created by the build process. + RemoveBuildAnnotations() + + // ApplyFilter applies an RNode filter to all Resources in the ResMap. + // TODO: Send/recover ancillary Resource data to/from subprocesses. + // Assure that the ancillary data in Resource (everything not in the RNode) + // is sent to and re-captured from transformer subprocess (as the process + // might edit that information). One way to do this would be to solely use + // RNode metadata annotation reading and writing instead of using Resource + // struct data members, i.e. the Resource struct is replaced by RNode + // and use of (slow) k8s metadata annotations inside the RNode. + ApplyFilter(f kio.Filter) error +} diff --git a/vendor/sigs.k8s.io/kustomize/api/resmap/reswrangler.go b/vendor/sigs.k8s.io/kustomize/api/resmap/reswrangler.go new file mode 100644 index 0000000000..2e34fae6a7 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/resmap/reswrangler.go @@ -0,0 +1,763 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package resmap + +import ( + "bytes" + "fmt" + "reflect" + + "sigs.k8s.io/kustomize/api/filters/annotations" + "sigs.k8s.io/kustomize/api/resource" + "sigs.k8s.io/kustomize/api/types" + "sigs.k8s.io/kustomize/kyaml/errors" + "sigs.k8s.io/kustomize/kyaml/kio" + "sigs.k8s.io/kustomize/kyaml/resid" + kyaml "sigs.k8s.io/kustomize/kyaml/yaml" +) + +// resWrangler implements ResMap. +type resWrangler struct { + // Resource list maintained in load (append) order. + // This is important for transformers, which must + // be performed in a specific order, and for users + // who for whatever reasons wish the order they + // specify in kustomizations to be maintained and + // available as an option for final YAML rendering. + rList []*resource.Resource +} + +func newOne() *resWrangler { + result := &resWrangler{} + result.Clear() + return result +} + +// Clear implements ResMap. +func (m *resWrangler) Clear() { + m.rList = nil +} + +// DropEmpties quickly drops empty resources. +// It doesn't use Append, which checks for Id collisions. +func (m *resWrangler) DropEmpties() { + var rList []*resource.Resource + for _, r := range m.rList { + if !r.IsNilOrEmpty() { + rList = append(rList, r) + } + } + m.rList = rList +} + +// Size implements ResMap. +func (m *resWrangler) Size() int { + return len(m.rList) +} + +func (m *resWrangler) indexOfResource(other *resource.Resource) int { + for i, r := range m.rList { + if r == other { + return i + } + } + return -1 +} + +// Resources implements ResMap. +func (m *resWrangler) Resources() []*resource.Resource { + tmp := make([]*resource.Resource, len(m.rList)) + copy(tmp, m.rList) + return tmp +} + +// Append implements ResMap. +func (m *resWrangler) Append(res *resource.Resource) error { + id := res.CurId() + if r := m.GetMatchingResourcesByCurrentId(id.Equals); len(r) > 0 { + return fmt.Errorf( + "may not add resource with an already registered id: %s", id) + } + m.append(res) + return nil +} + +// append appends without performing an Id check +func (m *resWrangler) append(res *resource.Resource) { + m.rList = append(m.rList, res) +} + +// Remove implements ResMap. +func (m *resWrangler) Remove(adios resid.ResId) error { + var rList []*resource.Resource + for _, r := range m.rList { + if r.CurId() != adios { + rList = append(rList, r) + } + } + if len(rList) != m.Size()-1 { + return fmt.Errorf("id %s not found in removal", adios) + } + m.rList = rList + return nil +} + +// Replace implements ResMap. +func (m *resWrangler) Replace(res *resource.Resource) (int, error) { + id := res.CurId() + i, err := m.GetIndexOfCurrentId(id) + if err != nil { + return -1, errors.WrapPrefixf(err, "in Replace") + } + if i < 0 { + return -1, fmt.Errorf("cannot find resource with id %s to replace", id) + } + m.rList[i] = res + return i, nil +} + +// AllIds implements ResMap. +func (m *resWrangler) AllIds() (ids []resid.ResId) { + ids = make([]resid.ResId, m.Size()) + for i, r := range m.rList { + ids[i] = r.CurId() + } + return +} + +// Debug implements ResMap. +func (m *resWrangler) Debug(title string) { + fmt.Println("--------------------------- " + title) + firstObj := true + for i, r := range m.rList { + if firstObj { + firstObj = false + } else { + fmt.Println("---") + } + fmt.Printf("# %d %s\n%s\n", i, r.OrgId(), r.String()) + } +} + +type IdMatcher func(resid.ResId) bool + +// GetByIndex implements ResMap. +func (m *resWrangler) GetByIndex(i int) *resource.Resource { + if i < 0 || i >= m.Size() { + return nil + } + return m.rList[i] +} + +// GetIndexOfCurrentId implements ResMap. +func (m *resWrangler) GetIndexOfCurrentId(id resid.ResId) (int, error) { + count := 0 + result := -1 + for i, r := range m.rList { + if id.Equals(r.CurId()) { + count++ + result = i + } + } + if count > 1 { + return -1, fmt.Errorf("id matched %d resources", count) + } + return result, nil +} + +type IdFromResource func(r *resource.Resource) resid.ResId + +func GetCurrentId(r *resource.Resource) resid.ResId { return r.CurId() } + +// GetMatchingResourcesByCurrentId implements ResMap. +func (m *resWrangler) GetMatchingResourcesByCurrentId( + matches IdMatcher) []*resource.Resource { + return m.filteredById(matches, GetCurrentId) +} + +// GetMatchingResourcesByAnyId implements ResMap. +func (m *resWrangler) GetMatchingResourcesByAnyId( + matches IdMatcher) []*resource.Resource { + var result []*resource.Resource + for _, r := range m.rList { + for _, id := range append(r.PrevIds(), r.CurId()) { + if matches(id) { + result = append(result, r) + break + } + } + } + return result +} + +func (m *resWrangler) filteredById( + matches IdMatcher, idGetter IdFromResource) []*resource.Resource { + var result []*resource.Resource + for _, r := range m.rList { + if matches(idGetter(r)) { + result = append(result, r) + } + } + return result +} + +// GetByCurrentId implements ResMap. +func (m *resWrangler) GetByCurrentId( + id resid.ResId) (*resource.Resource, error) { + return demandOneMatch(m.GetMatchingResourcesByCurrentId, id, "Current") +} + +// GetById implements ResMap. +func (m *resWrangler) GetById( + id resid.ResId) (*resource.Resource, error) { + r, err := demandOneMatch(m.GetMatchingResourcesByAnyId, id, "Id") + if err != nil { + return nil, fmt.Errorf( + "%s; failed to find unique target for patch %s", + err.Error(), id.String()) + } + return r, nil +} + +type resFinder func(IdMatcher) []*resource.Resource + +func demandOneMatch( + f resFinder, id resid.ResId, s string) (*resource.Resource, error) { + r := f(id.Equals) + if len(r) == 1 { + return r[0], nil + } + if len(r) > 1 { + return nil, fmt.Errorf("multiple matches for %s %s", s, id) + } + return nil, fmt.Errorf("no matches for %s %s", s, id) +} + +// GroupedByCurrentNamespace implements ResMap. +func (m *resWrangler) GroupedByCurrentNamespace() map[string][]*resource.Resource { + items := m.groupedByCurrentNamespace() + delete(items, resid.TotallyNotANamespace) + return items +} + +// ClusterScoped implements ResMap. +func (m *resWrangler) ClusterScoped() []*resource.Resource { + return m.groupedByCurrentNamespace()[resid.TotallyNotANamespace] +} + +func (m *resWrangler) groupedByCurrentNamespace() map[string][]*resource.Resource { + byNamespace := make(map[string][]*resource.Resource) + for _, res := range m.rList { + namespace := res.CurId().EffectiveNamespace() + if _, found := byNamespace[namespace]; !found { + byNamespace[namespace] = []*resource.Resource{} + } + byNamespace[namespace] = append(byNamespace[namespace], res) + } + return byNamespace +} + +// GroupedByOriginalNamespace implements ResMap. +func (m *resWrangler) GroupedByOriginalNamespace() map[string][]*resource.Resource { + items := m.groupedByOriginalNamespace() + delete(items, resid.TotallyNotANamespace) + return items +} + +func (m *resWrangler) groupedByOriginalNamespace() map[string][]*resource.Resource { + byNamespace := make(map[string][]*resource.Resource) + for _, res := range m.rList { + namespace := res.OrgId().EffectiveNamespace() + if _, found := byNamespace[namespace]; !found { + byNamespace[namespace] = []*resource.Resource{} + } + byNamespace[namespace] = append(byNamespace[namespace], res) + } + return byNamespace +} + +// AsYaml implements ResMap. +func (m *resWrangler) AsYaml() ([]byte, error) { + firstObj := true + var b []byte + buf := bytes.NewBuffer(b) + for _, res := range m.rList { + out, err := res.AsYAML() + if err != nil { + m, _ := res.Map() + return nil, errors.WrapPrefixf(err, "%#v", m) + } + if firstObj { + firstObj = false + } else { + if _, err = buf.WriteString("---\n"); err != nil { + return nil, err + } + } + if _, err = buf.Write(out); err != nil { + return nil, err + } + } + return buf.Bytes(), nil +} + +// ErrorIfNotEqualSets implements ResMap. +func (m *resWrangler) ErrorIfNotEqualSets(other ResMap) error { + m2, ok := other.(*resWrangler) + if !ok { + return fmt.Errorf("bad cast to resWrangler 1") + } + if m.Size() != m2.Size() { + return fmt.Errorf( + "lists have different number of entries: %#v doesn't equal %#v", + m.rList, m2.rList) + } + seen := make(map[int]bool) + for _, r1 := range m.rList { + id := r1.CurId() + others := m2.GetMatchingResourcesByCurrentId(id.Equals) + if len(others) == 0 { + return fmt.Errorf( + "id in self missing from other; id: %s", id) + } + if len(others) > 1 { + return fmt.Errorf( + "id in self matches %d in other; id: %s", len(others), id) + } + r2 := others[0] + if !reflect.DeepEqual(r1.RNode, r2.RNode) { + return fmt.Errorf( + "nodes unequal: \n -- %s,\n -- %s\n\n--\n%#v\n------\n%#v\n", + r1, r2, r1, r2) + } + seen[m2.indexOfResource(r2)] = true + } + if len(seen) != m.Size() { + return fmt.Errorf("counting problem %d != %d", len(seen), m.Size()) + } + return nil +} + +// ErrorIfNotEqualLists implements ResMap. +func (m *resWrangler) ErrorIfNotEqualLists(other ResMap) error { + m2, ok := other.(*resWrangler) + if !ok { + return fmt.Errorf("bad cast to resWrangler 2") + } + if m.Size() != m2.Size() { + return fmt.Errorf( + "lists have different number of entries: %#v doesn't equal %#v", + m.rList, m2.rList) + } + for i, r1 := range m.rList { + r2 := m2.rList[i] + if err := r1.ErrIfNotEquals(r2); err != nil { + return err + } + } + return nil +} + +type resCopier func(r *resource.Resource) *resource.Resource + +// ShallowCopy implements ResMap. +func (m *resWrangler) ShallowCopy() ResMap { + return m.makeCopy( + func(r *resource.Resource) *resource.Resource { + return r + }) +} + +// DeepCopy implements ResMap. +func (m *resWrangler) DeepCopy() ResMap { + return m.makeCopy( + func(r *resource.Resource) *resource.Resource { + return r.DeepCopy() + }) +} + +// makeCopy copies the ResMap. +func (m *resWrangler) makeCopy(copier resCopier) ResMap { + result := &resWrangler{} + result.rList = make([]*resource.Resource, m.Size()) + for i, r := range m.rList { + result.rList[i] = copier(r) + } + return result +} + +// SubsetThatCouldBeReferencedByResource implements ResMap. +func (m *resWrangler) SubsetThatCouldBeReferencedByResource( + referrer *resource.Resource) (ResMap, error) { + referrerId := referrer.CurId() + if referrerId.IsClusterScoped() { + // A cluster scoped resource can refer to anything. + return m, nil + } + result := newOne() + roleBindingNamespaces, err := getNamespacesForRoleBinding(referrer) + if err != nil { + return nil, err + } + for _, possibleTarget := range m.rList { + id := possibleTarget.CurId() + if id.IsClusterScoped() { + // A cluster-scoped resource can be referred to by anything. + result.append(possibleTarget) + continue + } + if id.IsNsEquals(referrerId) { + // The two objects are in the same namespace. + result.append(possibleTarget) + continue + } + // The two objects are namespaced (not cluster-scoped), AND + // are in different namespaces. + // There's still a chance they can refer to each other. + if roleBindingNamespaces[possibleTarget.GetNamespace()] { + result.append(possibleTarget) + } + } + return result, nil +} + +// getNamespacesForRoleBinding returns referenced ServiceAccount namespaces +// if the resource is a RoleBinding +func getNamespacesForRoleBinding(r *resource.Resource) (map[string]bool, error) { + result := make(map[string]bool) + if r.GetKind() != "RoleBinding" { + return result, nil + } + subjects, err := r.GetSlice("subjects") + if err != nil || subjects == nil { + return result, nil + } + for _, s := range subjects { + subject := s.(map[string]interface{}) + if ns, ok1 := subject["namespace"]; ok1 { + if kind, ok2 := subject["kind"]; ok2 { + if kind.(string) == "ServiceAccount" { + if n, ok3 := ns.(string); ok3 { + result[n] = true + } else { + return nil, errors.Errorf("Invalid Input: namespace is blank for resource %q\n", r.CurId()) + } + } + } + } + } + return result, nil +} + +// AppendAll implements ResMap. +func (m *resWrangler) AppendAll(other ResMap) error { + if other == nil { + return nil + } + m2, ok := other.(*resWrangler) + if !ok { + return fmt.Errorf("bad cast to resWrangler 3") + } + return m.appendAll(m2.rList) +} + +// appendAll appends all the resources, error on Id collision. +func (m *resWrangler) appendAll(list []*resource.Resource) error { + for _, res := range list { + if err := m.Append(res); err != nil { + return err + } + } + return nil +} + +// AbsorbAll implements ResMap. +func (m *resWrangler) AbsorbAll(other ResMap) error { + if other == nil { + return nil + } + m2, ok := other.(*resWrangler) + if !ok { + return fmt.Errorf("bad cast to resWrangler 4") + } + for _, r := range m2.rList { + err := m.appendReplaceOrMerge(r) + if err != nil { + return err + } + } + return nil +} + +// AddOriginAnnotation implements ResMap. +func (m *resWrangler) AddOriginAnnotation(origin *resource.Origin) error { + if origin == nil { + return nil + } + for _, res := range m.rList { + or, err := res.GetOrigin() + if or != nil || err != nil { + // if any resources already have an origin annotation, + // skip it + continue + } + if err := res.SetOrigin(origin); err != nil { + return err + } + } + return nil +} + +// RemoveOriginAnnotation implements ResMap +func (m *resWrangler) RemoveOriginAnnotations() error { + for _, res := range m.rList { + if err := res.SetOrigin(nil); err != nil { + return err + } + } + return nil +} + +// AddTransformerAnnotation implements ResMap +func (m *resWrangler) AddTransformerAnnotation(origin *resource.Origin) error { + for _, res := range m.rList { + or, err := res.GetOrigin() + if err != nil { + return err + } + if or == nil { + // the resource does not have an origin annotation, so + // we assume that the transformer generated the resource + // rather than modifying it + err = res.SetOrigin(origin) + } else { + // the resource already has an origin annotation, so we + // record the provided origin as a transformation + err = res.AddTransformation(origin) + } + if err != nil { + return err + } + } + return nil +} + +// RemoveTransformerAnnotations implements ResMap +func (m *resWrangler) RemoveTransformerAnnotations() error { + for _, res := range m.rList { + if err := res.ClearTransformations(); err != nil { + return err + } + } + return nil +} + +func (m *resWrangler) appendReplaceOrMerge(res *resource.Resource) error { + id := res.CurId() + matches := m.GetMatchingResourcesByAnyId(id.Equals) + switch len(matches) { + case 0: + switch res.Behavior() { + case types.BehaviorMerge, types.BehaviorReplace: + return fmt.Errorf( + "id %#v does not exist; cannot merge or replace", id) + default: + // presumably types.BehaviorCreate + return m.Append(res) + } + case 1: + old := matches[0] + if old == nil { + return fmt.Errorf("id lookup failure") + } + index := m.indexOfResource(old) + if index < 0 { + return fmt.Errorf("indexing problem") + } + switch res.Behavior() { + case types.BehaviorReplace: + res.CopyMergeMetaDataFieldsFrom(old) + case types.BehaviorMerge: + // ensure the origin annotation doesn't get overwritten + orig, err := old.GetOrigin() + if err != nil { + return err + } + res.CopyMergeMetaDataFieldsFrom(old) + res.MergeDataMapFrom(old) + res.MergeBinaryDataMapFrom(old) + if orig != nil { + res.SetOrigin(orig) + } + + default: + return fmt.Errorf( + "id %#v exists; behavior must be merge or replace", id) + } + i, err := m.Replace(res) + if err != nil { + return err + } + if i != index { + return fmt.Errorf("unexpected target index in replacement") + } + return nil + default: + return fmt.Errorf( + "found multiple objects %v that could accept merge of %v", + matches, id) + } +} + +// AnnotateAll implements ResMap +func (m *resWrangler) AnnotateAll(key string, value string) error { + return m.ApplyFilter(annotations.Filter{ + Annotations: map[string]string{ + key: value, + }, + FsSlice: []types.FieldSpec{{ + Path: "metadata/annotations", + CreateIfNotPresent: true, + }}, + }) +} + +// Select returns a list of resources that +// are selected by a Selector +func (m *resWrangler) Select(s types.Selector) ([]*resource.Resource, error) { + var result []*resource.Resource + sr, err := types.NewSelectorRegex(&s) + if err != nil { + return nil, err + } + for _, r := range m.rList { + curId := r.CurId() + orgId := r.OrgId() + + // It first tries to match with the original namespace + // then matches with the current namespace + if !sr.MatchNamespace(orgId.EffectiveNamespace()) && + !sr.MatchNamespace(curId.EffectiveNamespace()) { + continue + } + + // It first tries to match with the original name + // then matches with the current name + if !sr.MatchName(orgId.Name) && + !sr.MatchName(curId.Name) { + continue + } + + // matches the GVK + if !sr.MatchGvk(r.GetGvk()) { + continue + } + + // matches the label selector + matched, err := r.MatchesLabelSelector(s.LabelSelector) + if err != nil { + return nil, err + } + if !matched { + continue + } + + // matches the annotation selector + matched, err = r.MatchesAnnotationSelector(s.AnnotationSelector) + if err != nil { + return nil, err + } + if !matched { + continue + } + result = append(result, r) + } + return result, nil +} + +// ToRNodeSlice returns a copy of the resources as RNodes. +func (m *resWrangler) ToRNodeSlice() []*kyaml.RNode { + result := make([]*kyaml.RNode, len(m.rList)) + for i := range m.rList { + result[i] = m.rList[i].Copy() + } + return result +} + +// DeAnchor implements ResMap. +func (m *resWrangler) DeAnchor() (err error) { + for i := range m.rList { + if err = m.rList[i].DeAnchor(); err != nil { + return err + } + } + return nil +} + +// ApplySmPatch applies the patch, and errors on Id collisions. +func (m *resWrangler) ApplySmPatch(selectedSet *resource.IdSet, patch *resource.Resource) error { + var list []*resource.Resource + for _, res := range m.rList { + if selectedSet.Contains(res.CurId()) { + patchCopy := patch.DeepCopy() + patchCopy.CopyMergeMetaDataFieldsFrom(patch) + patchCopy.SetGvk(res.GetGvk()) + patchCopy.SetKind(patch.GetKind()) + if err := res.ApplySmPatch(patchCopy); err != nil { + return err + } + } + if !res.IsNilOrEmpty() { + list = append(list, res) + } + } + m.Clear() + return m.appendAll(list) +} + +func (m *resWrangler) RemoveBuildAnnotations() { + for _, r := range m.rList { + r.RemoveBuildAnnotations() + } +} + +// ApplyFilter implements ResMap. +func (m *resWrangler) ApplyFilter(f kio.Filter) error { + reverseLookup := make(map[*kyaml.RNode]*resource.Resource, len(m.rList)) + nodes := make([]*kyaml.RNode, len(m.rList)) + for i, r := range m.rList { + ptr := &(r.RNode) + nodes[i] = ptr + reverseLookup[ptr] = r + } + // The filter can modify nodes, but also delete and create them. + // The filtered list might be smaller or larger than the nodes list. + filtered, err := f.Filter(nodes) + if err != nil { + return err + } + // Rebuild the resmap from the filtered RNodes. + var nRList []*resource.Resource + for _, rn := range filtered { + if rn.IsNilOrEmpty() { + // A node might make it through the filter as an object, + // but still be empty. Drop such entries. + continue + } + res, ok := reverseLookup[rn] + if !ok { + // A node was created; make a Resource to wrap it. + res = &resource.Resource{ + RNode: *rn, + // Leave remaining fields empty. + // At at time of writing, seeking to eliminate those fields. + // Alternatively, could just return error on creation attempt + // until remaining fields eliminated. + } + } + nRList = append(nRList, res) + } + m.rList = nRList + return nil +} diff --git a/vendor/sigs.k8s.io/kustomize/api/resource/doc.go b/vendor/sigs.k8s.io/kustomize/api/resource/doc.go new file mode 100644 index 0000000000..32d34b1626 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/resource/doc.go @@ -0,0 +1,5 @@ +// Copyright 2020 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +// Package resource implements representations of k8s API resources. +package resource diff --git a/vendor/sigs.k8s.io/kustomize/api/resource/factory.go b/vendor/sigs.k8s.io/kustomize/api/resource/factory.go new file mode 100644 index 0000000000..a42f93bb8e --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/resource/factory.go @@ -0,0 +1,302 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package resource + +import ( + "encoding/json" + "fmt" + "log" + "strings" + + "sigs.k8s.io/kustomize/api/ifc" + "sigs.k8s.io/kustomize/api/internal/generators" + "sigs.k8s.io/kustomize/api/internal/kusterr" + "sigs.k8s.io/kustomize/api/konfig" + "sigs.k8s.io/kustomize/api/types" + "sigs.k8s.io/kustomize/kyaml/kio" + "sigs.k8s.io/kustomize/kyaml/resid" + "sigs.k8s.io/kustomize/kyaml/yaml" +) + +// Factory makes instances of Resource. +type Factory struct { + hasher ifc.KustHasher + + // When set to true, IncludeLocalConfigs indicates + // that Factory should include resources with the + // annotation 'config.kubernetes.io/local-config'. + // By default these resources are ignored. + IncludeLocalConfigs bool +} + +// NewFactory makes an instance of Factory. +func NewFactory(h ifc.KustHasher) *Factory { + return &Factory{hasher: h} +} + +// Hasher returns an ifc.KustHasher +func (rf *Factory) Hasher() ifc.KustHasher { + return rf.hasher +} + +// FromMap returns a new instance of Resource. +func (rf *Factory) FromMap(m map[string]interface{}) (*Resource, error) { + res, err := rf.FromMapAndOption(m, nil) + if err != nil { + return nil, fmt.Errorf("failed to create resource from map: %w", err) + } + return res, nil +} + +// FromMapWithName returns a new instance with the given "original" name. +func (rf *Factory) FromMapWithName(n string, m map[string]interface{}) (*Resource, error) { + return rf.FromMapWithNamespaceAndName(resid.DefaultNamespace, n, m) +} + +// FromMapWithNamespaceAndName returns a new instance with the given "original" namespace. +func (rf *Factory) FromMapWithNamespaceAndName(ns string, n string, m map[string]interface{}) (*Resource, error) { + r, err := rf.FromMapAndOption(m, nil) + if err != nil { + return nil, fmt.Errorf("failed to create resource from map: %w", err) + } + return r.setPreviousId(ns, n, r.GetKind()), nil +} + +// FromMapAndOption returns a new instance of Resource with given options. +func (rf *Factory) FromMapAndOption( + m map[string]interface{}, args *types.GeneratorArgs) (*Resource, error) { + n, err := yaml.FromMap(m) + if err != nil { + return nil, fmt.Errorf("failed to convert map to YAML node: %w", err) + } + return rf.makeOne(n, args), nil +} + +// makeOne returns a new instance of Resource. +func (rf *Factory) makeOne(rn *yaml.RNode, o *types.GeneratorArgs) *Resource { + if rn == nil { + log.Fatal("RNode must not be null") + } + resource := &Resource{RNode: *rn} + if o != nil { + if o.Options == nil || !o.Options.DisableNameSuffixHash { + resource.EnableHashSuffix() + } + resource.SetBehavior(types.NewGenerationBehavior(o.Behavior)) + } + + return resource +} + +// SliceFromPatches returns a slice of resources given a patch path +// slice from a kustomization file. +func (rf *Factory) SliceFromPatches( + ldr ifc.Loader, paths []types.PatchStrategicMerge) ([]*Resource, error) { + var result []*Resource + for _, path := range paths { + content, err := ldr.Load(string(path)) + if err != nil { + return nil, err + } + res, err := rf.SliceFromBytes(content) + if err != nil { + return nil, kusterr.Handler(err, string(path)) + } + result = append(result, res...) + } + return result, nil +} + +// FromBytes unmarshalls bytes into one Resource. +func (rf *Factory) FromBytes(in []byte) (*Resource, error) { + result, err := rf.SliceFromBytes(in) + if err != nil { + return nil, err + } + if len(result) != 1 { + return nil, fmt.Errorf( + "expected 1 resource, found %d in %v", len(result), in) + } + return result[0], nil +} + +// SliceFromBytes unmarshals bytes into a Resource slice. +func (rf *Factory) SliceFromBytes(in []byte) ([]*Resource, error) { + nodes, err := rf.RNodesFromBytes(in) + if err != nil { + return nil, err + } + return rf.resourcesFromRNodes(nodes), nil +} + +// DropLocalNodes removes the local nodes by default. Local nodes are detected via the annotation `config.kubernetes.io/local-config: "true"` +func (rf *Factory) DropLocalNodes(nodes []*yaml.RNode) ([]*Resource, error) { + var result []*yaml.RNode + for _, node := range nodes { + if node.IsNilOrEmpty() { + continue + } + md, err := node.GetValidatedMetadata() + if err != nil { + return nil, err + } + + if rf.IncludeLocalConfigs { + result = append(result, node) + continue + } + localConfig, exist := md.ObjectMeta.Annotations[konfig.IgnoredByKustomizeAnnotation] + if !exist || localConfig == "false" { + result = append(result, node) + } + } + return rf.resourcesFromRNodes(result), nil +} + +// ResourcesFromRNodes converts RNodes to Resources. +func (rf *Factory) ResourcesFromRNodes( + nodes []*yaml.RNode) (result []*Resource, err error) { + return rf.DropLocalNodes(nodes) +} + +// resourcesFromRNode assumes all nodes are good. +func (rf *Factory) resourcesFromRNodes( + nodes []*yaml.RNode) (result []*Resource) { + for _, n := range nodes { + result = append(result, rf.makeOne(n, nil)) + } + return +} + +func (rf *Factory) RNodesFromBytes(b []byte) ([]*yaml.RNode, error) { + nodes, err := kio.FromBytes(b) + if err != nil { + return nil, err + } + nodes, err = rf.dropBadNodes(nodes) + if err != nil { + return nil, err + } + return rf.inlineAnyEmbeddedLists(nodes) +} + +// inlineAnyEmbeddedLists scans the RNode slice for nodes named FooList. +// Such nodes are expected to be lists of resources, each of type Foo. +// These lists are replaced in the result by their inlined resources. +func (rf *Factory) inlineAnyEmbeddedLists( + nodes []*yaml.RNode) (result []*yaml.RNode, err error) { + var n0 *yaml.RNode + for len(nodes) > 0 { + n0, nodes = nodes[0], nodes[1:] + kind := n0.GetKind() + if !strings.HasSuffix(kind, "List") { + result = append(result, n0) + continue + } + // Convert a FooList into a slice of Foo. + var m map[string]interface{} + m, err = n0.Map() + if err != nil { + return nil, fmt.Errorf("trouble expanding list of %s; %w", kind, err) + } + items, ok := m["items"] + if !ok { + // Items field is not present. + // This is not a collections resource. + // read more https://kubernetes.io/docs/reference/using-api/api-concepts/#collections + result = append(result, n0) + continue + } + slice, ok := items.([]interface{}) + if !ok { + if items == nil { + // an empty list + continue + } + return nil, fmt.Errorf( + "expected array in %s/items, but found %T", kind, items) + } + innerNodes, err := rf.convertObjectSliceToNodeSlice(slice) + if err != nil { + return nil, err + } + nodes = append(nodes, innerNodes...) + } + return result, nil +} + +// convertObjectSlice converts a list of objects to a list of RNode. +func (rf *Factory) convertObjectSliceToNodeSlice( + objects []interface{}) (result []*yaml.RNode, err error) { + var bytes []byte + var nodes []*yaml.RNode + for _, obj := range objects { + bytes, err = json.Marshal(obj) + if err != nil { + return + } + nodes, err = kio.FromBytes(bytes) + if err != nil { + return + } + nodes, err = rf.dropBadNodes(nodes) + if err != nil { + return + } + result = append(result, nodes...) + } + return +} + +// dropBadNodes may drop some nodes from its input argument. +func (rf *Factory) dropBadNodes(nodes []*yaml.RNode) ([]*yaml.RNode, error) { + var result []*yaml.RNode + for _, n := range nodes { + if n.IsNilOrEmpty() { + continue + } + if _, err := n.GetValidatedMetadata(); err != nil { + return nil, err + } + if foundNil, path := n.HasNilEntryInList(); foundNil { + return nil, fmt.Errorf("empty item at %v in object %v", path, n) + } + result = append(result, n) + } + return result, nil +} + +// SliceFromBytesWithNames unmarshals bytes into a Resource slice with specified original +// name. +func (rf *Factory) SliceFromBytesWithNames(names []string, in []byte) ([]*Resource, error) { + result, err := rf.SliceFromBytes(in) + if err != nil { + return nil, err + } + if len(names) != len(result) { + return nil, fmt.Errorf("number of names doesn't match number of resources") + } + for i, res := range result { + res.setPreviousId(resid.DefaultNamespace, names[i], res.GetKind()) + } + return result, nil +} + +// MakeConfigMap makes an instance of Resource for ConfigMap +func (rf *Factory) MakeConfigMap(kvLdr ifc.KvLoader, args *types.ConfigMapArgs) (*Resource, error) { + rn, err := generators.MakeConfigMap(kvLdr, args) + if err != nil { + return nil, err + } + return rf.makeOne(rn, &args.GeneratorArgs), nil +} + +// MakeSecret makes an instance of Resource for Secret +func (rf *Factory) MakeSecret(kvLdr ifc.KvLoader, args *types.SecretArgs) (*Resource, error) { + rn, err := generators.MakeSecret(kvLdr, args) + if err != nil { + return nil, err + } + return rf.makeOne(rn, &args.GeneratorArgs), nil +} diff --git a/vendor/sigs.k8s.io/kustomize/api/resource/idset.go b/vendor/sigs.k8s.io/kustomize/api/resource/idset.go new file mode 100644 index 0000000000..5d6bd63edc --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/resource/idset.go @@ -0,0 +1,30 @@ +// Copyright 2020 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package resource + +import "sigs.k8s.io/kustomize/kyaml/resid" + +type IdSet struct { + ids map[resid.ResId]bool +} + +func MakeIdSet(slice []*Resource) *IdSet { + set := make(map[resid.ResId]bool) + for _, r := range slice { + id := r.CurId() + if _, ok := set[id]; !ok { + set[id] = true + } + } + return &IdSet{ids: set} +} + +func (s IdSet) Contains(id resid.ResId) bool { + _, ok := s.ids[id] + return ok +} + +func (s IdSet) Size() int { + return len(s.ids) +} diff --git a/vendor/sigs.k8s.io/kustomize/api/resource/origin.go b/vendor/sigs.k8s.io/kustomize/api/resource/origin.go new file mode 100644 index 0000000000..f0a4ae75d5 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/resource/origin.go @@ -0,0 +1,106 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package resource + +import ( + "path/filepath" + "strings" + + "sigs.k8s.io/kustomize/api/internal/git" + kyaml "sigs.k8s.io/kustomize/kyaml/yaml" +) + +// Origin retains information about the origin of resources and transformer configs +// that contributed to the output of `kustomize build` +type Origin struct { + // Path is the path to the resource. If a local resource, this path is + // rooted from the directory upon which `kustomize build` was invoked. If a + // remote resource, this path is rooted from the root of the remote repo. + Path string `json:"path,omitempty" yaml:"path,omitempty"` + + // Repo is the remote repository that the resource or transformer originated from if it is + // not from a local file + Repo string `json:"repo,omitempty" yaml:"repo,omitempty"` + + // Ref is the ref of the remote repository that the resource or transformer originated from + // if it is not from a local file + Ref string `json:"ref,omitempty" yaml:"ref,omitempty"` + + // The following fields only apply to resources that have been + // generated by fields other than the `resources` field, or to transformer + // configs. + + // ConfiguredIn is the file path to the generator or transformer config that created the + // resource + ConfiguredIn string `json:"configuredIn,omitempty" yaml:"configuredIn,omitempty"` + + // ConfiguredBy is the ObjectReference of the generator or transformer config + ConfiguredBy kyaml.ResourceIdentifier `json:"configuredBy,omitempty" yaml:"configuredBy,omitempty"` +} + +// Copy returns a copy of origin +func (origin *Origin) Copy() Origin { + if origin == nil { + return Origin{} + } + return *origin +} + +// Append returns a copy of origin with a path appended to it +func (origin *Origin) Append(path string) *Origin { + originCopy := origin.Copy() + repoSpec, err := git.NewRepoSpecFromURL(path) + if err == nil { + originCopy.Repo = repoSpec.CloneSpec() + absPath := repoSpec.AbsPath() + path = absPath[strings.Index(absPath[1:], "/")+1:][1:] + originCopy.Path = "" + originCopy.Ref = repoSpec.Ref + } + originCopy.Path = filepath.Join(originCopy.Path, path) + return &originCopy +} + +// String returns a string version of origin +func (origin *Origin) String() (string, error) { + anno, err := kyaml.Marshal(origin) + return string(anno), err +} + +// Transformations is a list of Origin +type Transformations []*Origin + +// String returns a string version of Transformations +func (transformations *Transformations) String() (string, error) { + anno, err := kyaml.Marshal(transformations) + return string(anno), err +} + +// OriginFromCustomPlugin takes a custom plugin defined as a resource +// and returns an origin object to describe it +func OriginFromCustomPlugin(res *Resource) (*Origin, error) { + origin, err := res.GetOrigin() + if err != nil { + return nil, err + } + var result *Origin + if origin != nil { + result = &Origin{ + Repo: origin.Repo, + Ref: origin.Ref, + ConfiguredIn: origin.Path, + ConfiguredBy: kyaml.ResourceIdentifier{ + TypeMeta: kyaml.TypeMeta{ + APIVersion: res.GetApiVersion(), + Kind: res.GetKind(), + }, + NameMeta: kyaml.NameMeta{ + Name: res.GetName(), + Namespace: res.GetNamespace(), + }, + }, + } + } + return result, nil +} diff --git a/vendor/sigs.k8s.io/kustomize/api/resource/resource.go b/vendor/sigs.k8s.io/kustomize/api/resource/resource.go new file mode 100644 index 0000000000..9884a672c5 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/resource/resource.go @@ -0,0 +1,547 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package resource + +import ( + "fmt" + "log" + "strings" + + "sigs.k8s.io/kustomize/api/filters/patchstrategicmerge" + "sigs.k8s.io/kustomize/api/ifc" + "sigs.k8s.io/kustomize/api/internal/utils" + "sigs.k8s.io/kustomize/api/types" + "sigs.k8s.io/kustomize/kyaml/kio" + "sigs.k8s.io/kustomize/kyaml/kio/kioutil" + "sigs.k8s.io/kustomize/kyaml/resid" + kyaml "sigs.k8s.io/kustomize/kyaml/yaml" + "sigs.k8s.io/yaml" +) + +// Resource is an RNode, representing a Kubernetes Resource Model object, +// paired with metadata used by kustomize. +type Resource struct { + kyaml.RNode + refVarNames []string +} + +var BuildAnnotations = []string{ + utils.BuildAnnotationPreviousKinds, + utils.BuildAnnotationPreviousNames, + utils.BuildAnnotationPrefixes, + utils.BuildAnnotationSuffixes, + utils.BuildAnnotationPreviousNamespaces, + utils.BuildAnnotationAllowNameChange, + utils.BuildAnnotationAllowKindChange, + utils.BuildAnnotationsRefBy, + utils.BuildAnnotationsGenBehavior, + utils.BuildAnnotationsGenAddHashSuffix, + + kioutil.PathAnnotation, + kioutil.IndexAnnotation, + kioutil.SeqIndentAnnotation, + kioutil.IdAnnotation, + kioutil.InternalAnnotationsMigrationResourceIDAnnotation, + + kioutil.LegacyPathAnnotation, + kioutil.LegacyIndexAnnotation, + kioutil.LegacyIdAnnotation, +} + +func (r *Resource) ResetRNode(incoming *Resource) { + r.RNode = *incoming.Copy() +} + +func (r *Resource) GetGvk() resid.Gvk { + return resid.GvkFromNode(&r.RNode) +} + +func (r *Resource) Hash(h ifc.KustHasher) (string, error) { + return h.Hash(&r.RNode) +} + +func (r *Resource) SetGvk(gvk resid.Gvk) { + r.SetKind(gvk.Kind) + r.SetApiVersion(gvk.ApiVersion()) +} + +func (r *Resource) GetOrigin() (*Origin, error) { + annotations := r.GetAnnotations() + originAnnotations, ok := annotations[utils.OriginAnnotationKey] + if !ok { + return nil, nil + } + var origin Origin + if err := yaml.Unmarshal([]byte(originAnnotations), &origin); err != nil { + return nil, err + } + return &origin, nil +} + +func (r *Resource) SetOrigin(origin *Origin) error { + annotations := r.GetAnnotations() + if origin == nil { + delete(annotations, utils.OriginAnnotationKey) + } else { + originStr, err := origin.String() + if err != nil { + return err + } + annotations[utils.OriginAnnotationKey] = originStr + } + return r.SetAnnotations(annotations) +} + +func (r *Resource) GetTransformations() (Transformations, error) { + annotations := r.GetAnnotations() + transformerAnnotations, ok := annotations[utils.TransformerAnnotationKey] + if !ok { + return nil, nil + } + var transformations Transformations + if err := yaml.Unmarshal([]byte(transformerAnnotations), &transformations); err != nil { + return nil, err + } + return transformations, nil +} + +func (r *Resource) AddTransformation(origin *Origin) error { + annotations := r.GetAnnotations() + transformations, err := r.GetTransformations() + if err != nil { + return err + } + if transformations == nil { + transformations = Transformations{} + } + transformations = append(transformations, origin) + transformationStr, err := transformations.String() + if err != nil { + return err + } + annotations[utils.TransformerAnnotationKey] = transformationStr + return r.SetAnnotations(annotations) +} + +func (r *Resource) ClearTransformations() error { + annotations := r.GetAnnotations() + delete(annotations, utils.TransformerAnnotationKey) + return r.SetAnnotations(annotations) +} + +// ResCtx is an interface describing the contextual added +// kept kustomize in the context of each Resource object. +// Currently mainly the name prefix and name suffix are added. +type ResCtx interface { + AddNamePrefix(p string) + AddNameSuffix(s string) + GetNamePrefixes() []string + GetNameSuffixes() []string +} + +// ResCtxMatcher returns true if two Resources are being +// modified in the same kustomize context. +type ResCtxMatcher func(ResCtx) bool + +// DeepCopy returns a new copy of resource +func (r *Resource) DeepCopy() *Resource { + rc := &Resource{ + RNode: *r.Copy(), + } + rc.copyKustomizeSpecificFields(r) + return rc +} + +// CopyMergeMetaDataFieldsFrom copies everything but the non-metadata in +// the resource. +// TODO: move to RNode, use GetMeta to improve performance. +// TODO: make a version of mergeStringMaps that is build-annotation aware +// to avoid repeatedly setting refby and genargs annotations +// Must remove the kustomize bit at the end. +func (r *Resource) CopyMergeMetaDataFieldsFrom(other *Resource) error { + if err := r.SetLabels( + mergeStringMaps(other.GetLabels(), r.GetLabels())); err != nil { + return fmt.Errorf("copyMerge cannot set labels - %w", err) + } + + ra := r.GetAnnotations() + _, enableNameSuffixHash := ra[utils.BuildAnnotationsGenAddHashSuffix] + merged := mergeStringMapsWithBuildAnnotations(other.GetAnnotations(), ra) + if !enableNameSuffixHash { + delete(merged, utils.BuildAnnotationsGenAddHashSuffix) + } + if err := r.SetAnnotations(merged); err != nil { + return fmt.Errorf("copyMerge cannot set annotations - %w", err) + } + + if err := r.SetName(other.GetName()); err != nil { + return fmt.Errorf("copyMerge cannot set name - %w", err) + } + if err := r.SetNamespace(other.GetNamespace()); err != nil { + return fmt.Errorf("copyMerge cannot set namespace - %w", err) + } + r.copyKustomizeSpecificFields(other) + return nil +} + +func (r *Resource) copyKustomizeSpecificFields(other *Resource) { + r.refVarNames = copyStringSlice(other.refVarNames) +} + +func (r *Resource) MergeDataMapFrom(o *Resource) { + r.SetDataMap(mergeStringMaps(o.GetDataMap(), r.GetDataMap())) +} + +func (r *Resource) MergeBinaryDataMapFrom(o *Resource) { + r.SetBinaryDataMap(mergeStringMaps(o.GetBinaryDataMap(), r.GetBinaryDataMap())) +} + +func (r *Resource) ErrIfNotEquals(o *Resource) error { + meYaml, err := r.AsYAML() + if err != nil { + return err + } + otherYaml, err := o.AsYAML() + if err != nil { + return err + } + if !r.ReferencesEqual(o) { + return fmt.Errorf( + `unequal references - self: +%sreferenced by: %s +--- other: +%sreferenced by: %s +`, meYaml, r.GetRefBy(), otherYaml, o.GetRefBy()) + } + if string(meYaml) != string(otherYaml) { + return fmt.Errorf(`--- self: +%s +--- other: +%s +`, meYaml, otherYaml) + } + return nil +} + +func (r *Resource) ReferencesEqual(other *Resource) bool { + setSelf := make(map[resid.ResId]bool) + setOther := make(map[resid.ResId]bool) + for _, ref := range other.GetRefBy() { + setOther[ref] = true + } + for _, ref := range r.GetRefBy() { + if _, ok := setOther[ref]; !ok { + return false + } + setSelf[ref] = true + } + return len(setSelf) == len(setOther) +} + +func copyStringSlice(s []string) []string { + if s == nil { + return nil + } + c := make([]string, len(s)) + copy(c, s) + return c +} + +// Implements ResCtx AddNamePrefix +func (r *Resource) AddNamePrefix(p string) { + r.appendCsvAnnotation(utils.BuildAnnotationPrefixes, p) +} + +// Implements ResCtx AddNameSuffix +func (r *Resource) AddNameSuffix(s string) { + r.appendCsvAnnotation(utils.BuildAnnotationSuffixes, s) +} + +func (r *Resource) appendCsvAnnotation(name, value string) { + if value == "" { + return + } + currentValue := r.getCsvAnnotation(name) + newValue := strings.Join(append(currentValue, value), ",") + if err := r.RNode.PipeE(kyaml.SetAnnotation(name, newValue)); err != nil { + panic(err) + } +} + +// Implements ResCtx GetNamePrefixes +func (r *Resource) GetNamePrefixes() []string { + return r.getCsvAnnotation(utils.BuildAnnotationPrefixes) +} + +// Implements ResCtx GetNameSuffixes +func (r *Resource) GetNameSuffixes() []string { + return r.getCsvAnnotation(utils.BuildAnnotationSuffixes) +} + +func (r *Resource) getCsvAnnotation(name string) []string { + annotations := r.GetAnnotations() + if _, ok := annotations[name]; !ok { + return nil + } + return strings.Split(annotations[name], ",") +} + +// PrefixesSuffixesEquals is conceptually doing the same task as +// OutermostPrefixSuffix but performs a deeper comparison of the suffix and +// prefix slices. +// The allowEmpty flag determines whether an empty prefix/suffix +// should be considered a match on anything. +// This is used when filtering, starting with a coarser pass allowing empty +// matches, before requiring exact matches if there are multiple +// remaining candidates. +func (r *Resource) PrefixesSuffixesEquals(o ResCtx, allowEmpty bool) bool { + if allowEmpty { + eitherPrefixEmpty := len(r.GetNamePrefixes()) == 0 || len(o.GetNamePrefixes()) == 0 + eitherSuffixEmpty := len(r.GetNameSuffixes()) == 0 || len(o.GetNameSuffixes()) == 0 + + return (eitherPrefixEmpty || utils.SameEndingSubSlice(r.GetNamePrefixes(), o.GetNamePrefixes())) && + (eitherSuffixEmpty || utils.SameEndingSubSlice(r.GetNameSuffixes(), o.GetNameSuffixes())) + } else { + return utils.SameEndingSubSlice(r.GetNamePrefixes(), o.GetNamePrefixes()) && + utils.SameEndingSubSlice(r.GetNameSuffixes(), o.GetNameSuffixes()) + } +} + +// RemoveBuildAnnotations removes annotations created by the build process. +// These are internal-only to kustomize, added to the data pipeline to +// track name changes so name references can be fixed. +func (r *Resource) RemoveBuildAnnotations() { + annotations := r.GetAnnotations() + if len(annotations) == 0 { + return + } + for _, a := range BuildAnnotations { + delete(annotations, a) + } + if err := r.SetAnnotations(annotations); err != nil { + panic(err) + } +} + +func (r *Resource) setPreviousId(ns string, n string, k string) *Resource { + r.appendCsvAnnotation(utils.BuildAnnotationPreviousNames, n) + r.appendCsvAnnotation(utils.BuildAnnotationPreviousNamespaces, ns) + r.appendCsvAnnotation(utils.BuildAnnotationPreviousKinds, k) + return r +} + +// AllowNameChange allows name changes to the resource. +func (r *Resource) AllowNameChange() { + r.enable(utils.BuildAnnotationAllowNameChange) +} + +// NameChangeAllowed checks if a patch resource is allowed to change another resource's name. +func (r *Resource) NameChangeAllowed() bool { + return r.isEnabled(utils.BuildAnnotationAllowNameChange) +} + +// AllowKindChange allows kind changes to the resource. +func (r *Resource) AllowKindChange() { + r.enable(utils.BuildAnnotationAllowKindChange) +} + +// KindChangeAllowed checks if a patch resource is allowed to change another resource's kind. +func (r *Resource) KindChangeAllowed() bool { + return r.isEnabled(utils.BuildAnnotationAllowKindChange) +} + +func (r *Resource) isEnabled(annoKey string) bool { + annotations := r.GetAnnotations() + v, ok := annotations[annoKey] + return ok && v == utils.Enabled +} + +func (r *Resource) enable(annoKey string) { + annotations := r.GetAnnotations() + annotations[annoKey] = utils.Enabled + if err := r.SetAnnotations(annotations); err != nil { + panic(err) + } +} + +// String returns resource as JSON. +func (r *Resource) String() string { + bs, err := r.MarshalJSON() + if err != nil { + return "<" + err.Error() + ">" + } + return strings.TrimSpace(string(bs)) +} + +// AsYAML returns the resource in Yaml form. +// Easier to read than JSON. +func (r *Resource) AsYAML() ([]byte, error) { + json, err := r.MarshalJSON() + if err != nil { + return nil, err + } + return yaml.JSONToYAML(json) +} + +// MustYaml returns YAML or panics. +func (r *Resource) MustYaml() string { + yml, err := r.AsYAML() + if err != nil { + log.Fatal(err) + } + return string(yml) +} + +// Behavior returns the behavior for the resource. +func (r *Resource) Behavior() types.GenerationBehavior { + annotations := r.GetAnnotations() + if v, ok := annotations[utils.BuildAnnotationsGenBehavior]; ok { + return types.NewGenerationBehavior(v) + } + return types.NewGenerationBehavior("") +} + +// SetBehavior sets the behavior for the resource. +func (r *Resource) SetBehavior(behavior types.GenerationBehavior) { + annotations := r.GetAnnotations() + annotations[utils.BuildAnnotationsGenBehavior] = behavior.String() + if err := r.SetAnnotations(annotations); err != nil { + panic(err) + } +} + +// NeedHashSuffix returns true if a resource content +// hash should be appended to the name of the resource. +func (r *Resource) NeedHashSuffix() bool { + return r.isEnabled(utils.BuildAnnotationsGenAddHashSuffix) +} + +// EnableHashSuffix marks the resource as needing a content +// hash to be appended to the name of the resource. +func (r *Resource) EnableHashSuffix() { + r.enable(utils.BuildAnnotationsGenAddHashSuffix) +} + +// OrgId returns the original, immutable ResId for the resource. +// This doesn't have to be unique in a ResMap. +func (r *Resource) OrgId() resid.ResId { + ids := r.PrevIds() + if len(ids) > 0 { + return ids[0] + } + return r.CurId() +} + +// PrevIds returns a list of ResIds that includes every +// previous ResId the resource has had through all of its +// GVKN transformations, in the order that it had that ID. +// I.e. the oldest ID is first. +// The returned array does not include the resource's current +// ID. If there are no previous IDs, this will return nil. +func (r *Resource) PrevIds() []resid.ResId { + prevIds, err := utils.PrevIds(&r.RNode) + if err != nil { + // this should never happen + panic(err) + } + return prevIds +} + +// StorePreviousId stores the resource's current ID via build annotations. +func (r *Resource) StorePreviousId() { + id := r.CurId() + r.setPreviousId(id.EffectiveNamespace(), id.Name, id.Kind) +} + +// CurId returns a ResId for the resource using the +// mutable parts of the resource. +// This should be unique in any ResMap. +func (r *Resource) CurId() resid.ResId { + return resid.NewResIdWithNamespace( + r.GetGvk(), r.GetName(), r.GetNamespace()) +} + +// GetRefBy returns the ResIds that referred to current resource +func (r *Resource) GetRefBy() []resid.ResId { + var resIds []resid.ResId + asStrings := r.getCsvAnnotation(utils.BuildAnnotationsRefBy) + for _, s := range asStrings { + resIds = append(resIds, resid.FromString(s)) + } + return resIds +} + +// AppendRefBy appends a ResId into the refBy list +// Using any type except fmt.Stringer here results in a compilation error +func (r *Resource) AppendRefBy(id fmt.Stringer) { + r.appendCsvAnnotation(utils.BuildAnnotationsRefBy, id.String()) +} + +// GetRefVarNames returns vars that refer to current resource +func (r *Resource) GetRefVarNames() []string { + return r.refVarNames +} + +// AppendRefVarName appends a name of a var into the refVar list +func (r *Resource) AppendRefVarName(variable types.Var) { + r.refVarNames = append(r.refVarNames, variable.Name) +} + +// ApplySmPatch applies the provided strategic merge patch. +func (r *Resource) ApplySmPatch(patch *Resource) error { + n, ns, k := r.GetName(), r.GetNamespace(), r.GetKind() + if patch.NameChangeAllowed() || patch.KindChangeAllowed() { + r.StorePreviousId() + } + if err := r.ApplyFilter(patchstrategicmerge.Filter{ + Patch: &patch.RNode, + }); err != nil { + return err + } + if r.IsNilOrEmpty() { + return nil + } + if !patch.KindChangeAllowed() { + r.SetKind(k) + } + if !patch.NameChangeAllowed() { + r.SetName(n) + } + r.SetNamespace(ns) + return nil +} + +func (r *Resource) ApplyFilter(f kio.Filter) error { + l, err := f.Filter([]*kyaml.RNode{&r.RNode}) + if len(l) == 0 { + // The node was deleted, which means the entire resource + // must be deleted. Signal that via the following: + r.SetYNode(nil) + } + return err +} + +func mergeStringMaps(maps ...map[string]string) map[string]string { + result := map[string]string{} + for _, m := range maps { + for key, value := range m { + result[key] = value + } + } + return result +} + +func mergeStringMapsWithBuildAnnotations(maps ...map[string]string) map[string]string { + result := mergeStringMaps(maps...) + for i := range BuildAnnotations { + if len(maps) > 0 { + if v, ok := maps[0][BuildAnnotations[i]]; ok { + result[BuildAnnotations[i]] = v + continue + } + } + delete(result, BuildAnnotations[i]) + } + return result +} diff --git a/vendor/sigs.k8s.io/kustomize/api/types/builtinpluginloadingoptions_string.go b/vendor/sigs.k8s.io/kustomize/api/types/builtinpluginloadingoptions_string.go new file mode 100644 index 0000000000..033a451234 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/types/builtinpluginloadingoptions_string.go @@ -0,0 +1,25 @@ +// Code generated by "stringer -type=BuiltinPluginLoadingOptions"; DO NOT EDIT. + +package types + +import "strconv" + +func _() { + // An "invalid array index" compiler error signifies that the constant values have changed. + // Re-run the stringer command to generate them again. + var x [1]struct{} + _ = x[BploUndefined-0] + _ = x[BploUseStaticallyLinked-1] + _ = x[BploLoadFromFileSys-2] +} + +const _BuiltinPluginLoadingOptions_name = "BploUndefinedBploUseStaticallyLinkedBploLoadFromFileSys" + +var _BuiltinPluginLoadingOptions_index = [...]uint8{0, 13, 36, 55} + +func (i BuiltinPluginLoadingOptions) String() string { + if i < 0 || i >= BuiltinPluginLoadingOptions(len(_BuiltinPluginLoadingOptions_index)-1) { + return "BuiltinPluginLoadingOptions(" + strconv.FormatInt(int64(i), 10) + ")" + } + return _BuiltinPluginLoadingOptions_name[_BuiltinPluginLoadingOptions_index[i]:_BuiltinPluginLoadingOptions_index[i+1]] +} diff --git a/vendor/sigs.k8s.io/kustomize/api/types/configmapargs.go b/vendor/sigs.k8s.io/kustomize/api/types/configmapargs.go new file mode 100644 index 0000000000..69877769fb --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/types/configmapargs.go @@ -0,0 +1,10 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package types + +// ConfigMapArgs contains the metadata of how to generate a configmap. +type ConfigMapArgs struct { + // GeneratorArgs for the configmap. + GeneratorArgs `json:",inline,omitempty" yaml:",inline,omitempty"` +} diff --git a/vendor/sigs.k8s.io/kustomize/api/types/doc.go b/vendor/sigs.k8s.io/kustomize/api/types/doc.go new file mode 100644 index 0000000000..22c38a6510 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/types/doc.go @@ -0,0 +1,9 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +// Package types holds the definition of the kustomization struct and +// supporting structs. It's the k8s API conformant object that describes +// a set of generation and transformation operations to create and/or +// modify k8s resources. +// A kustomization file is a serialization of this struct. +package types diff --git a/vendor/sigs.k8s.io/kustomize/api/types/erronlybuiltinpluginsallowed.go b/vendor/sigs.k8s.io/kustomize/api/types/erronlybuiltinpluginsallowed.go new file mode 100644 index 0000000000..9e6ffacffe --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/types/erronlybuiltinpluginsallowed.go @@ -0,0 +1,29 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package types + +import ( + "fmt" + + "sigs.k8s.io/kustomize/kyaml/errors" +) + +type errOnlyBuiltinPluginsAllowed struct { + name string +} + +func (e *errOnlyBuiltinPluginsAllowed) Error() string { + return fmt.Sprintf( + "external plugins disabled; unable to load external plugin '%s'", + e.name) +} + +func NewErrOnlyBuiltinPluginsAllowed(n string) *errOnlyBuiltinPluginsAllowed { + return &errOnlyBuiltinPluginsAllowed{name: n} +} + +func IsErrOnlyBuiltinPluginsAllowed(err error) bool { + e := &errOnlyBuiltinPluginsAllowed{} + return errors.As(err, &e) +} diff --git a/vendor/sigs.k8s.io/kustomize/api/types/errunabletofind.go b/vendor/sigs.k8s.io/kustomize/api/types/errunabletofind.go new file mode 100644 index 0000000000..b91bb68ff4 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/types/errunabletofind.go @@ -0,0 +1,36 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package types + +import ( + "fmt" + "strings" + + "sigs.k8s.io/kustomize/kyaml/errors" +) + +type errUnableToFind struct { + // What are we unable to find? + what string + // What things did we try? + attempts []Pair +} + +func (e *errUnableToFind) Error() string { + var m []string + for _, p := range e.attempts { + m = append(m, "('"+p.Value+"'; "+p.Key+")") + } + return fmt.Sprintf( + "unable to find %s - tried: %s", e.what, strings.Join(m, ", ")) +} + +func NewErrUnableToFind(w string, a []Pair) *errUnableToFind { + return &errUnableToFind{what: w, attempts: a} +} + +func IsErrUnableToFind(err error) bool { + e := &errUnableToFind{} + return errors.As(err, &e) +} diff --git a/vendor/sigs.k8s.io/kustomize/api/types/fieldspec.go b/vendor/sigs.k8s.io/kustomize/api/types/fieldspec.go new file mode 100644 index 0000000000..8b78889ea0 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/types/fieldspec.go @@ -0,0 +1,100 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package types + +import ( + "fmt" + + "sigs.k8s.io/kustomize/kyaml/resid" +) + +// FieldSpec completely specifies a kustomizable field in a k8s API object. +// It helps define the operands of transformations. +// +// For example, a directive to add a common label to objects +// will need to know that a 'Deployment' object (in API group +// 'apps', any version) can have labels at field path +// 'spec/template/metadata/labels', and further that it is OK +// (or not OK) to add that field path to the object if the +// field path doesn't exist already. +// +// This would look like +// { +// group: apps +// kind: Deployment +// path: spec/template/metadata/labels +// create: true +// } +type FieldSpec struct { + resid.Gvk `json:",inline,omitempty" yaml:",inline,omitempty"` + Path string `json:"path,omitempty" yaml:"path,omitempty"` + CreateIfNotPresent bool `json:"create,omitempty" yaml:"create,omitempty"` + + // Note: If any new pointer based members are added, FsSlice.DeepCopy needs to be updated +} + +func (fs FieldSpec) String() string { + return fmt.Sprintf( + "%s:%v:%s", fs.Gvk.String(), fs.CreateIfNotPresent, fs.Path) +} + +// If true, the primary key is the same, but other fields might not be. +func (fs FieldSpec) effectivelyEquals(other FieldSpec) bool { + return fs.IsSelected(&other.Gvk) && fs.Path == other.Path +} + +type FsSlice []FieldSpec + +func (s FsSlice) Len() int { return len(s) } +func (s FsSlice) Swap(i, j int) { s[i], s[j] = s[j], s[i] } +func (s FsSlice) Less(i, j int) bool { + return s[i].Gvk.IsLessThan(s[j].Gvk) +} + +// DeepCopy returns a new copy of FsSlice +func (s FsSlice) DeepCopy() FsSlice { + ret := make(FsSlice, len(s)) + copy(ret, s) + return ret +} + +// MergeAll merges the argument into this, returning the result. +// Items already present are ignored. +// Items that conflict (primary key matches, but remain data differs) +// result in an error. +func (s FsSlice) MergeAll(incoming FsSlice) (result FsSlice, err error) { + result = s + for _, x := range incoming { + result, err = result.MergeOne(x) + if err != nil { + return nil, err + } + } + return result, nil +} + +// MergeOne merges the argument into this, returning the result. +// If the item's primary key is already present, and there are no +// conflicts, it is ignored (we don't want duplicates). +// If there is a conflict, the merge fails. +func (s FsSlice) MergeOne(x FieldSpec) (FsSlice, error) { + i := s.index(x) + if i > -1 { + // It's already there. + if s[i].CreateIfNotPresent != x.CreateIfNotPresent { + return nil, fmt.Errorf("conflicting fieldspecs") + } + return s, nil + } + return append(s, x), nil +} + +func (s FsSlice) index(fs FieldSpec) int { + for i, x := range s { + if x.effectivelyEquals(fs) { + return i + } + } + return -1 +} diff --git a/vendor/sigs.k8s.io/kustomize/api/types/generationbehavior.go b/vendor/sigs.k8s.io/kustomize/api/types/generationbehavior.go new file mode 100644 index 0000000000..f8f3627803 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/types/generationbehavior.go @@ -0,0 +1,46 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package types + +// GenerationBehavior specifies generation behavior of configmaps, secrets and maybe other resources. +type GenerationBehavior int + +const ( + // BehaviorUnspecified is an Unspecified behavior; typically treated as a Create. + BehaviorUnspecified GenerationBehavior = iota + // BehaviorCreate makes a new resource. + BehaviorCreate + // BehaviorReplace replaces a resource. + BehaviorReplace + // BehaviorMerge attempts to merge a new resource with an existing resource. + BehaviorMerge +) + +// String converts a GenerationBehavior to a string. +func (b GenerationBehavior) String() string { + switch b { + case BehaviorReplace: + return "replace" + case BehaviorMerge: + return "merge" + case BehaviorCreate: + return "create" + default: + return "unspecified" + } +} + +// NewGenerationBehavior converts a string to a GenerationBehavior. +func NewGenerationBehavior(s string) GenerationBehavior { + switch s { + case "replace": + return BehaviorReplace + case "merge": + return BehaviorMerge + case "create": + return BehaviorCreate + default: + return BehaviorUnspecified + } +} diff --git a/vendor/sigs.k8s.io/kustomize/api/types/generatorargs.go b/vendor/sigs.k8s.io/kustomize/api/types/generatorargs.go new file mode 100644 index 0000000000..eae221bed8 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/types/generatorargs.go @@ -0,0 +1,27 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package types + +// GeneratorArgs contains arguments common to ConfigMap and Secret generators. +type GeneratorArgs struct { + // Namespace for the resource, optional + Namespace string `json:"namespace,omitempty" yaml:"namespace,omitempty"` + + // Name - actually the partial name - of the generated resource. + // The full name ends up being something like + // NamePrefix + this.Name + hash(content of generated resource). + Name string `json:"name,omitempty" yaml:"name,omitempty"` + + // Behavior of generated resource, must be one of: + // 'create': create a new one + // 'replace': replace the existing one + // 'merge': merge with the existing one + Behavior string `json:"behavior,omitempty" yaml:"behavior,omitempty"` + + // KvPairSources for the generator. + KvPairSources `json:",inline,omitempty" yaml:",inline,omitempty"` + + // Local overrides to global generatorOptions field. + Options *GeneratorOptions `json:"options,omitempty" yaml:"options,omitempty"` +} diff --git a/vendor/sigs.k8s.io/kustomize/api/types/generatoroptions.go b/vendor/sigs.k8s.io/kustomize/api/types/generatoroptions.go new file mode 100644 index 0000000000..683d89bfde --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/types/generatoroptions.go @@ -0,0 +1,76 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package types + +// GeneratorOptions modify behavior of all ConfigMap and Secret generators. +type GeneratorOptions struct { + // Labels to add to all generated resources. + Labels map[string]string `json:"labels,omitempty" yaml:"labels,omitempty"` + + // Annotations to add to all generated resources. + Annotations map[string]string `json:"annotations,omitempty" yaml:"annotations,omitempty"` + + // DisableNameSuffixHash if true disables the default behavior of adding a + // suffix to the names of generated resources that is a hash of the + // resource contents. + DisableNameSuffixHash bool `json:"disableNameSuffixHash,omitempty" yaml:"disableNameSuffixHash,omitempty"` + + // Immutable if true add to all generated resources. + Immutable bool `json:"immutable,omitempty" yaml:"immutable,omitempty"` +} + +// MergeGlobalOptionsIntoLocal merges two instances of GeneratorOptions. +// Values in the first 'local' argument cannot be overridden by the second +// 'global' argument, except in the case of booleans. +// +// With booleans, there's no way to distinguish an 'intentional' +// false from 'default' false. So the rule is, if the global value +// of the value of a boolean is true, i.e. disable, it trumps the +// local value. If the global value is false, then the local value is +// respected. Bottom line: a local false cannot override a global true. +// +// boolean fields are always a bad idea; should always use enums instead. +func MergeGlobalOptionsIntoLocal( + localOpts *GeneratorOptions, + globalOpts *GeneratorOptions) *GeneratorOptions { + if globalOpts == nil { + return localOpts + } + if localOpts == nil { + localOpts = &GeneratorOptions{} + } + overrideMap(&localOpts.Labels, globalOpts.Labels) + overrideMap(&localOpts.Annotations, globalOpts.Annotations) + if globalOpts.DisableNameSuffixHash { + localOpts.DisableNameSuffixHash = true + } + if globalOpts.Immutable { + localOpts.Immutable = true + } + return localOpts +} + +func overrideMap(localMap *map[string]string, globalMap map[string]string) { + if *localMap == nil { + if globalMap != nil { + *localMap = CopyMap(globalMap) + } + return + } + for k, v := range globalMap { + _, ok := (*localMap)[k] + if !ok { + (*localMap)[k] = v + } + } +} + +// CopyMap copies a map. +func CopyMap(in map[string]string) map[string]string { + out := make(map[string]string) + for k, v := range in { + out[k] = v + } + return out +} diff --git a/vendor/sigs.k8s.io/kustomize/api/types/helmchartargs.go b/vendor/sigs.k8s.io/kustomize/api/types/helmchartargs.go new file mode 100644 index 0000000000..b96fbfb166 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/types/helmchartargs.go @@ -0,0 +1,198 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package types + +import "path/filepath" + +const HelmDefaultHome = "charts" + +type HelmGlobals struct { + // ChartHome is a file path, relative to the kustomization root, + // to a directory containing a subdirectory for each chart to be + // included in the kustomization. + // The default value of this field is "charts". + // So, for example, kustomize looks for the minecraft chart + // at {kustomizationRoot}/{ChartHome}/minecraft. + // If the chart is there at build time, kustomize will use it as found, + // and not check version numbers or dates. + // If the chart is not there, kustomize will attempt to pull it + // using the version number specified in the kustomization file, + // and put it there. To suppress the pull attempt, simply assure + // that the chart is already there. + ChartHome string `json:"chartHome,omitempty" yaml:"chartHome,omitempty"` + + // ConfigHome defines a value that kustomize should pass to helm via + // the HELM_CONFIG_HOME environment variable. kustomize doesn't attempt + // to read or write this directory. + // If omitted, {tmpDir}/helm is used, where {tmpDir} is some temporary + // directory created by kustomize for the benefit of helm. + // Likewise, kustomize sets + // HELM_CACHE_HOME={ConfigHome}/.cache + // HELM_DATA_HOME={ConfigHome}/.data + // for the helm subprocess. + ConfigHome string `json:"configHome,omitempty" yaml:"configHome,omitempty"` +} + +type HelmChart struct { + // Name is the name of the chart, e.g. 'minecraft'. + Name string `json:"name,omitempty" yaml:"name,omitempty"` + + // Version is the version of the chart, e.g. '3.1.3' + Version string `json:"version,omitempty" yaml:"version,omitempty"` + + // Repo is a URL locating the chart on the internet. + // This is the argument to helm's `--repo` flag, e.g. + // `https://itzg.github.io/minecraft-server-charts`. + Repo string `json:"repo,omitempty" yaml:"repo,omitempty"` + + // ReleaseName replaces RELEASE-NAME in chart template output, + // making a particular inflation of a chart unique with respect to + // other inflations of the same chart in a cluster. It's the first + // argument to the helm `install` and `template` commands, i.e. + // helm install {RELEASE-NAME} {chartName} + // helm template {RELEASE-NAME} {chartName} + // If omitted, the flag --generate-name is passed to 'helm template'. + ReleaseName string `json:"releaseName,omitempty" yaml:"releaseName,omitempty"` + + // Namespace set the target namespace for a release. It is .Release.Namespace + // in the helm template + Namespace string `json:"namespace,omitempty" yaml:"namespace,omitempty"` + + // AdditionalValuesFiles are local file paths to values files to be used in + // addition to either the default values file or the values specified in ValuesFile. + AdditionalValuesFiles []string `json:"additionalValuesFiles,omitempty" yaml:"additionalValuesFiles,omitempty"` + + // ValuesFile is a local file path to a values file to use _instead of_ + // the default values that accompanied the chart. + // The default values are in '{ChartHome}/{Name}/values.yaml'. + ValuesFile string `json:"valuesFile,omitempty" yaml:"valuesFile,omitempty"` + + // ValuesInline holds value mappings specified directly, + // rather than in a separate file. + ValuesInline map[string]interface{} `json:"valuesInline,omitempty" yaml:"valuesInline,omitempty"` + + // ValuesMerge specifies how to treat ValuesInline with respect to Values. + // Legal values: 'merge', 'override', 'replace'. + // Defaults to 'override'. + ValuesMerge string `json:"valuesMerge,omitempty" yaml:"valuesMerge,omitempty"` + + // IncludeCRDs specifies if Helm should also generate CustomResourceDefinitions. + // Defaults to 'false'. + IncludeCRDs bool `json:"includeCRDs,omitempty" yaml:"includeCRDs,omitempty"` //nolint: tagliatelle + + // SkipHooks sets the --no-hooks flag when calling helm template. This prevents + // helm from erroneously rendering test templates. + SkipHooks bool `json:"skipHooks,omitempty" yaml:"skipHooks,omitempty"` + + // ApiVersions is the kubernetes apiversions used for Capabilities.APIVersions + ApiVersions []string `json:"apiVersions,omitempty" yaml:"apiVersions,omitempty"` + + // KubeVersion is the kubernetes version used by Helm for Capabilities.KubeVersion" + KubeVersion string `json:"kubeVersion,omitempty" yaml:"kubeVersion,omitempty"` + + // NameTemplate is for specifying the name template used to name the release. + NameTemplate string `json:"nameTemplate,omitempty" yaml:"nameTemplate,omitempty"` + + // SkipTests skips tests from templated output. + SkipTests bool `json:"skipTests,omitempty" yaml:"skipTests,omitempty"` + + // debug enables debug output from the Helm chart inflator generator. + Debug bool `json:"debug,omitempty" yaml:"debug,omitempty"` +} + +// HelmChartArgs contains arguments to helm. +// Deprecated. Use HelmGlobals and HelmChart instead. +type HelmChartArgs struct { + ChartName string `json:"chartName,omitempty" yaml:"chartName,omitempty"` + ChartVersion string `json:"chartVersion,omitempty" yaml:"chartVersion,omitempty"` + ChartRepoURL string `json:"chartRepoUrl,omitempty" yaml:"chartRepoUrl,omitempty"` + ChartHome string `json:"chartHome,omitempty" yaml:"chartHome,omitempty"` + ChartRepoName string `json:"chartRepoName,omitempty" yaml:"chartRepoName,omitempty"` + HelmBin string `json:"helmBin,omitempty" yaml:"helmBin,omitempty"` + HelmHome string `json:"helmHome,omitempty" yaml:"helmHome,omitempty"` + Values string `json:"values,omitempty" yaml:"values,omitempty"` + ValuesLocal map[string]interface{} `json:"valuesLocal,omitempty" yaml:"valuesLocal,omitempty"` + ValuesMerge string `json:"valuesMerge,omitempty" yaml:"valuesMerge,omitempty"` + ReleaseName string `json:"releaseName,omitempty" yaml:"releaseName,omitempty"` + ReleaseNamespace string `json:"releaseNamespace,omitempty" yaml:"releaseNamespace,omitempty"` + ExtraArgs []string `json:"extraArgs,omitempty" yaml:"extraArgs,omitempty"` +} + +// SplitHelmParameters splits helm parameters into +// per-chart params and global chart-independent parameters. +func SplitHelmParameters( + oldArgs []HelmChartArgs) (charts []HelmChart, globals HelmGlobals) { + for i, old := range oldArgs { + charts = append(charts, makeHelmChartFromHca(&oldArgs[i])) + if old.HelmHome != "" { + // last non-empty wins + globals.ConfigHome = old.HelmHome + } + if old.ChartHome != "" { + // last non-empty wins + globals.ChartHome = old.ChartHome + } + } + return charts, globals +} + +func makeHelmChartFromHca(old *HelmChartArgs) (c HelmChart) { + c.Name = old.ChartName + c.Version = old.ChartVersion + c.Repo = old.ChartRepoURL + c.ValuesFile = old.Values + c.ValuesInline = old.ValuesLocal + c.ValuesMerge = old.ValuesMerge + c.ReleaseName = old.ReleaseName + return +} + +func (h HelmChart) AsHelmArgs(absChartHome string) []string { + args := []string{"template"} + if h.ReleaseName != "" { + args = append(args, h.ReleaseName) + } else { + // AFAICT, this doesn't work as intended due to a bug in helm. + // See https://github.com/helm/helm/issues/6019 + // I've tried placing the flag before and after the name argument. + args = append(args, "--generate-name") + } + if h.Name != "" { + args = append(args, filepath.Join(absChartHome, h.Name)) + } + if h.Namespace != "" { + args = append(args, "--namespace", h.Namespace) + } + if h.NameTemplate != "" { + args = append(args, "--name-template", h.NameTemplate) + } + + if h.ValuesFile != "" { + args = append(args, "-f", h.ValuesFile) + } + for _, valuesFile := range h.AdditionalValuesFiles { + args = append(args, "-f", valuesFile) + } + + for _, apiVer := range h.ApiVersions { + args = append(args, "--api-versions", apiVer) + } + if h.KubeVersion != "" { + args = append(args, "--kube-version", h.KubeVersion) + } + + if h.IncludeCRDs { + args = append(args, "--include-crds") + } + if h.SkipTests { + args = append(args, "--skip-tests") + } + if h.SkipHooks { + args = append(args, "--no-hooks") + } + if h.Debug { + args = append(args, "--debug") + } + return args +} diff --git a/vendor/sigs.k8s.io/kustomize/api/types/iampolicygenerator.go b/vendor/sigs.k8s.io/kustomize/api/types/iampolicygenerator.go new file mode 100644 index 0000000000..f1d27ba7b7 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/types/iampolicygenerator.go @@ -0,0 +1,36 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package types + +type Cloud string + +const GKE Cloud = "gke" + +// IAMPolicyGeneratorArgs contains arguments to generate a GKE service account resource. +type IAMPolicyGeneratorArgs struct { + // which cloud provider to generate for (e.g. "gke") + Cloud `json:"cloud" yaml:"cloud"` + + // information about the kubernetes cluster for this object + KubernetesService `json:"kubernetesService" yaml:"kubernetesService"` + + // information about the service account and project + ServiceAccount `json:"serviceAccount" yaml:"serviceAccount"` +} + +type KubernetesService struct { + // the name used for the Kubernetes service account + Name string `json:"name" yaml:"name"` + + // the name of the Kubernetes namespace for this object + Namespace string `json:"namespace,omitempty" yaml:"namespace,omitempty"` +} + +type ServiceAccount struct { + // the name of the new cloud provider service account + Name string `json:"name" yaml:"name"` + + // The ID of the project + ProjectId string `json:"projectId" yaml:"projectId"` +} diff --git a/vendor/sigs.k8s.io/kustomize/api/types/image.go b/vendor/sigs.k8s.io/kustomize/api/types/image.go new file mode 100644 index 0000000000..e40ed324df --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/types/image.go @@ -0,0 +1,25 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package types + +// Image contains an image name, a new name, a new tag or digest, +// which will replace the original name and tag. +type Image struct { + // Name is a tag-less image name. + Name string `json:"name,omitempty" yaml:"name,omitempty"` + + // NewName is the value used to replace the original name. + NewName string `json:"newName,omitempty" yaml:"newName,omitempty"` + + // TagSuffix is the value used to suffix the original tag + // If Digest and NewTag is present an error is thrown + TagSuffix string `json:"tagSuffix,omitempty" yaml:"tagSuffix,omitempty"` + + // NewTag is the value used to replace the original tag. + NewTag string `json:"newTag,omitempty" yaml:"newTag,omitempty"` + + // Digest is the value used to replace the original image tag. + // If digest is present NewTag value is ignored. + Digest string `json:"digest,omitempty" yaml:"digest,omitempty"` +} diff --git a/vendor/sigs.k8s.io/kustomize/api/types/kustomization.go b/vendor/sigs.k8s.io/kustomize/api/types/kustomization.go new file mode 100644 index 0000000000..6caa296644 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/types/kustomization.go @@ -0,0 +1,357 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package types + +import ( + "bytes" + "encoding/json" + "fmt" + "reflect" + + "sigs.k8s.io/kustomize/kyaml/errors" + "sigs.k8s.io/kustomize/kyaml/filesys" + "sigs.k8s.io/yaml" +) + +const ( + KustomizationVersion = "kustomize.config.k8s.io/v1beta1" + KustomizationKind = "Kustomization" + ComponentVersion = "kustomize.config.k8s.io/v1alpha1" + ComponentKind = "Component" + MetadataNamespacePath = "metadata/namespace" + MetadataNamespaceApiVersion = "v1" + MetadataNamePath = "metadata/name" + NamespaceKind = "Namespace" + + OriginAnnotations = "originAnnotations" + TransformerAnnotations = "transformerAnnotations" + ManagedByLabelOption = "managedByLabel" +) + +var BuildMetadataOptions = []string{OriginAnnotations, TransformerAnnotations, ManagedByLabelOption} + +// Kustomization holds the information needed to generate customized k8s api resources. +type Kustomization struct { + TypeMeta `json:",inline" yaml:",inline"` + + // MetaData is a pointer to avoid marshalling empty struct + MetaData *ObjectMeta `json:"metadata,omitempty" yaml:"metadata,omitempty"` + + // OpenAPI contains information about what kubernetes schema to use. + OpenAPI map[string]string `json:"openapi,omitempty" yaml:"openapi,omitempty"` + + // + // Operators - what kustomize can do. + // + + // NamePrefix will prefix the names of all resources mentioned in the kustomization + // file including generated configmaps and secrets. + NamePrefix string `json:"namePrefix,omitempty" yaml:"namePrefix,omitempty"` + + // NameSuffix will suffix the names of all resources mentioned in the kustomization + // file including generated configmaps and secrets. + NameSuffix string `json:"nameSuffix,omitempty" yaml:"nameSuffix,omitempty"` + + // Namespace to add to all objects. + Namespace string `json:"namespace,omitempty" yaml:"namespace,omitempty"` + + // Deprecated: Use the Labels field instead, which provides a superset of the functionality of CommonLabels. + // CommonLabels to add to all objects and selectors. + CommonLabels map[string]string `json:"commonLabels,omitempty" yaml:"commonLabels,omitempty"` + + // Labels to add to all objects but not selectors. + Labels []Label `json:"labels,omitempty" yaml:"labels,omitempty"` + + // CommonAnnotations to add to all objects. + CommonAnnotations map[string]string `json:"commonAnnotations,omitempty" yaml:"commonAnnotations,omitempty"` + + // Deprecated: Use the Patches field instead, which provides a superset of the functionality of PatchesStrategicMerge. + // PatchesStrategicMerge specifies the relative path to a file + // containing a strategic merge patch. Format documented at + // https://github.com/kubernetes/community/blob/master/contributors/devel/sig-api-machinery/strategic-merge-patch.md + // URLs and globs are not supported. + PatchesStrategicMerge []PatchStrategicMerge `json:"patchesStrategicMerge,omitempty" yaml:"patchesStrategicMerge,omitempty"` + + // Deprecated: Use the Patches field instead, which provides a superset of the functionality of JSONPatches. + // JSONPatches is a list of JSONPatch for applying JSON patch. + // Format documented at https://tools.ietf.org/html/rfc6902 + // and http://jsonpatch.com + PatchesJson6902 []Patch `json:"patchesJson6902,omitempty" yaml:"patchesJson6902,omitempty"` + + // Patches is a list of patches, where each one can be either a + // Strategic Merge Patch or a JSON patch. + // Each patch can be applied to multiple target objects. + Patches []Patch `json:"patches,omitempty" yaml:"patches,omitempty"` + + // Images is a list of (image name, new name, new tag or digest) + // for changing image names, tags or digests. This can also be achieved with a + // patch, but this operator is simpler to specify. + Images []Image `json:"images,omitempty" yaml:"images,omitempty"` + + // Deprecated: Use the Images field instead. + ImageTags []Image `json:"imageTags,omitempty" yaml:"imageTags,omitempty"` + + // Replacements is a list of replacements, which will copy nodes from a + // specified source to N specified targets. + Replacements []ReplacementField `json:"replacements,omitempty" yaml:"replacements,omitempty"` + + // Replicas is a list of {resourcename, count} that allows for simpler replica + // specification. This can also be done with a patch. + Replicas []Replica `json:"replicas,omitempty" yaml:"replicas,omitempty"` + + // Deprecated: Vars will be removed in future release. Migrate to Replacements instead. + // Vars allow things modified by kustomize to be injected into a + // kubernetes object specification. A var is a name (e.g. FOO) associated + // with a field in a specific resource instance. The field must + // contain a value of type string/bool/int/float, and defaults to the name field + // of the instance. Any appearance of "$(FOO)" in the object + // spec will be replaced at kustomize build time, after the final + // value of the specified field has been determined. + Vars []Var `json:"vars,omitempty" yaml:"vars,omitempty"` + + // SortOptions change the order that kustomize outputs resources. + SortOptions *SortOptions `json:"sortOptions,omitempty" yaml:"sortOptions,omitempty"` + + // + // Operands - what kustomize operates on. + // + + // Resources specifies relative paths to files holding YAML representations + // of kubernetes API objects, or specifications of other kustomizations + // via relative paths, absolute paths, or URLs. + Resources []string `json:"resources,omitempty" yaml:"resources,omitempty"` + + // Components specifies relative paths to specifications of other Components + // via relative paths, absolute paths, or URLs. + Components []string `json:"components,omitempty" yaml:"components,omitempty"` + + // Crds specifies relative paths to Custom Resource Definition files. + // This allows custom resources to be recognized as operands, making + // it possible to add them to the Resources list. + // CRDs themselves are not modified. + Crds []string `json:"crds,omitempty" yaml:"crds,omitempty"` + + // Deprecated: Anything that would have been specified here should be specified in the Resources field instead. + Bases []string `json:"bases,omitempty" yaml:"bases,omitempty"` + + // + // Generators (operators that create operands) + // + + // ConfigMapGenerator is a list of configmaps to generate from + // local data (one configMap per list item). + // The resulting resource is a normal operand, subject to + // name prefixing, patching, etc. By default, the name of + // the map will have a suffix hash generated from its contents. + ConfigMapGenerator []ConfigMapArgs `json:"configMapGenerator,omitempty" yaml:"configMapGenerator,omitempty"` + + // SecretGenerator is a list of secrets to generate from + // local data (one secret per list item). + // The resulting resource is a normal operand, subject to + // name prefixing, patching, etc. By default, the name of + // the map will have a suffix hash generated from its contents. + SecretGenerator []SecretArgs `json:"secretGenerator,omitempty" yaml:"secretGenerator,omitempty"` + + // HelmGlobals contains helm configuration that isn't chart specific. + HelmGlobals *HelmGlobals `json:"helmGlobals,omitempty" yaml:"helmGlobals,omitempty"` + + // HelmCharts is a list of helm chart configuration instances. + HelmCharts []HelmChart `json:"helmCharts,omitempty" yaml:"helmCharts,omitempty"` + + // HelmChartInflationGenerator is a list of helm chart configurations. + // Deprecated. Auto-converted to HelmGlobals and HelmCharts. + HelmChartInflationGenerator []HelmChartArgs `json:"helmChartInflationGenerator,omitempty" yaml:"helmChartInflationGenerator,omitempty"` + + // GeneratorOptions modify behavior of all ConfigMap and Secret generators. + GeneratorOptions *GeneratorOptions `json:"generatorOptions,omitempty" yaml:"generatorOptions,omitempty"` + + // Configurations is a list of transformer configuration files + Configurations []string `json:"configurations,omitempty" yaml:"configurations,omitempty"` + + // Generators is a list of files containing custom generators + Generators []string `json:"generators,omitempty" yaml:"generators,omitempty"` + + // Transformers is a list of files containing transformers + Transformers []string `json:"transformers,omitempty" yaml:"transformers,omitempty"` + + // Validators is a list of files containing validators + Validators []string `json:"validators,omitempty" yaml:"validators,omitempty"` + + // BuildMetadata is a list of strings used to toggle different build options + BuildMetadata []string `json:"buildMetadata,omitempty" yaml:"buildMetadata,omitempty"` +} + +const ( + deprecatedWarningToRunEditFix = "Run 'kustomize edit fix' to update your Kustomization automatically." + deprecatedWarningToRunEditFixExperimential = "[EXPERIMENTAL] Run 'kustomize edit fix' to update your Kustomization automatically." + deprecatedBaseWarningMessage = "# Warning: 'bases' is deprecated. Please use 'resources' instead." + " " + deprecatedWarningToRunEditFix + deprecatedImageTagsWarningMessage = "# Warning: 'imageTags' is deprecated. Please use 'images' instead." + " " + deprecatedWarningToRunEditFix + deprecatedPatchesJson6902Message = "# Warning: 'patchesJson6902' is deprecated. Please use 'patches' instead." + " " + deprecatedWarningToRunEditFix + deprecatedPatchesStrategicMergeMessage = "# Warning: 'patchesStrategicMerge' is deprecated. Please use 'patches' instead." + " " + deprecatedWarningToRunEditFix + deprecatedVarsMessage = "# Warning: 'vars' is deprecated. Please use 'replacements' instead." + " " + deprecatedWarningToRunEditFixExperimential + deprecatedCommonLabelsWarningMessage = "# Warning: 'commonLabels' is deprecated. Please use 'labels' instead." + " " + deprecatedWarningToRunEditFix +) + +// CheckDeprecatedFields check deprecated field is used or not. +func (k *Kustomization) CheckDeprecatedFields() *[]string { + var warningMessages []string + if k.Bases != nil { + warningMessages = append(warningMessages, deprecatedBaseWarningMessage) + } + if k.CommonLabels != nil { + warningMessages = append(warningMessages, deprecatedCommonLabelsWarningMessage) + } + if k.ImageTags != nil { + warningMessages = append(warningMessages, deprecatedImageTagsWarningMessage) + } + if k.PatchesJson6902 != nil { + warningMessages = append(warningMessages, deprecatedPatchesJson6902Message) + } + if k.PatchesStrategicMerge != nil { + warningMessages = append(warningMessages, deprecatedPatchesStrategicMergeMessage) + } + if k.Vars != nil { + warningMessages = append(warningMessages, deprecatedVarsMessage) + } + return &warningMessages +} + +// FixKustomization fixes things +// like empty fields that should not be empty, or +// moving content of deprecated fields to newer +// fields. +func (k *Kustomization) FixKustomization() { + if k.Kind == "" { + k.Kind = KustomizationKind + } + if k.APIVersion == "" { + if k.Kind == ComponentKind { + k.APIVersion = ComponentVersion + } else { + k.APIVersion = KustomizationVersion + } + } + + // 'bases' field was deprecated in favor of the 'resources' field. + k.Resources = append(k.Resources, k.Bases...) + k.Bases = nil + + // 'imageTags' field was deprecated in favor of the 'images' field. + k.Images = append(k.Images, k.ImageTags...) + k.ImageTags = nil + + for i, g := range k.ConfigMapGenerator { + if g.EnvSource != "" { + k.ConfigMapGenerator[i].EnvSources = + append(g.EnvSources, g.EnvSource) //nolint:gocritic + k.ConfigMapGenerator[i].EnvSource = "" + } + } + for i, g := range k.SecretGenerator { + if g.EnvSource != "" { + k.SecretGenerator[i].EnvSources = + append(g.EnvSources, g.EnvSource) //nolint:gocritic + k.SecretGenerator[i].EnvSource = "" + } + } + charts, globals := SplitHelmParameters(k.HelmChartInflationGenerator) + if k.HelmGlobals == nil { + if globals.ChartHome != "" || globals.ConfigHome != "" { + k.HelmGlobals = &globals + } + } + k.HelmCharts = append(k.HelmCharts, charts...) + // Wipe it for the fix command. + k.HelmChartInflationGenerator = nil +} + +// FixKustomizationPreMarshalling fixes things +// that should occur after the kustomization file +// has been processed. +func (k *Kustomization) FixKustomizationPreMarshalling(fSys filesys.FileSystem) error { + // PatchesJson6902 should be under the Patches field. + k.Patches = append(k.Patches, k.PatchesJson6902...) + k.PatchesJson6902 = nil + + if k.PatchesStrategicMerge != nil { + for _, patchStrategicMerge := range k.PatchesStrategicMerge { + // check this patch is file path select. + if _, err := fSys.ReadFile(string(patchStrategicMerge)); err == nil { + // path patch + k.Patches = append(k.Patches, Patch{Path: string(patchStrategicMerge)}) + } else { + // inline string patch + k.Patches = append(k.Patches, Patch{Patch: string(patchStrategicMerge)}) + } + } + k.PatchesStrategicMerge = nil + } + + // this fix is not in FixKustomizationPostUnmarshalling because + // it will break some commands like `create` and `add`. those + // commands depend on 'commonLabels' field + if cl := labelFromCommonLabels(k.CommonLabels); cl != nil { + // check conflicts between commonLabels and labels + for _, l := range k.Labels { + for k := range l.Pairs { + if _, exist := cl.Pairs[k]; exist { + return fmt.Errorf("label name '%s' exists in both commonLabels and labels", k) + } + } + } + k.Labels = append(k.Labels, *cl) + k.CommonLabels = nil + } + + return nil +} + +func (k *Kustomization) CheckEmpty() error { + // generate empty Kustomization + emptyKustomization := &Kustomization{} + + // k.TypeMeta is metadata. It Isn't related to whether empty or not. + emptyKustomization.TypeMeta = k.TypeMeta + + if reflect.DeepEqual(k, emptyKustomization) { + return fmt.Errorf("kustomization.yaml is empty") + } + + return nil +} + +func (k *Kustomization) EnforceFields() []string { + var errs []string + if k.Kind != "" && k.Kind != KustomizationKind && k.Kind != ComponentKind { + errs = append(errs, "kind should be "+KustomizationKind+" or "+ComponentKind) + } + requiredVersion := KustomizationVersion + if k.Kind == ComponentKind { + requiredVersion = ComponentVersion + } + if k.APIVersion != "" && k.APIVersion != requiredVersion { + errs = append(errs, "apiVersion for "+k.Kind+" should be "+requiredVersion) + } + return errs +} + +// Unmarshal replace k with the content in YAML input y +func (k *Kustomization) Unmarshal(y []byte) error { + // TODO: switch to strict decoding to catch duplicate keys. + // We can't do so until there is a yaml decoder that supports anchors AND case-insensitive keys. + // See https://github.com/kubernetes-sigs/kustomize/issues/5061 + j, err := yaml.YAMLToJSON(y) + if err != nil { + return errors.WrapPrefixf(err, "invalid Kustomization") + } + dec := json.NewDecoder(bytes.NewReader(j)) + dec.DisallowUnknownFields() + var nk Kustomization + err = dec.Decode(&nk) + if err != nil { + return errors.WrapPrefixf(err, "invalid Kustomization") + } + *k = nk + return nil +} diff --git a/vendor/sigs.k8s.io/kustomize/api/types/kvpairsources.go b/vendor/sigs.k8s.io/kustomize/api/types/kvpairsources.go new file mode 100644 index 0000000000..9898defade --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/types/kvpairsources.go @@ -0,0 +1,36 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package types + +// KvPairSources defines places to obtain key value pairs. +type KvPairSources struct { + // LiteralSources is a list of literal + // pair sources. Each literal source should + // be a key and literal value, e.g. `key=value` + LiteralSources []string `json:"literals,omitempty" yaml:"literals,omitempty"` + + // FileSources is a list of file "sources" to + // use in creating a list of key, value pairs. + // A source takes the form: [{key}=]{path} + // If the "key=" part is missing, the key is the + // path's basename. If they "key=" part is present, + // it becomes the key (replacing the basename). + // In either case, the value is the file contents. + // Specifying a directory will iterate each named + // file in the directory whose basename is a + // valid configmap key. + FileSources []string `json:"files,omitempty" yaml:"files,omitempty"` + + // EnvSources is a list of file paths. + // The contents of each file should be one + // key=value pair per line, e.g. a Docker + // or npm ".env" file or a ".ini" file + // (wikipedia.org/wiki/INI_file) + EnvSources []string `json:"envs,omitempty" yaml:"envs,omitempty"` + + // Older, singular form of EnvSources. + // On edits (e.g. `kustomize fix`) this is merged into the plural form + // for consistency with LiteralSources and FileSources. + EnvSource string `json:"env,omitempty" yaml:"env,omitempty"` +} diff --git a/vendor/sigs.k8s.io/kustomize/api/types/labels.go b/vendor/sigs.k8s.io/kustomize/api/types/labels.go new file mode 100644 index 0000000000..35f7fb2a5b --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/types/labels.go @@ -0,0 +1,30 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package types + +type Label struct { + // Pairs contains the key-value pairs for labels to add + Pairs map[string]string `json:"pairs,omitempty" yaml:"pairs,omitempty"` + // IncludeSelectors indicates whether the transformer should include the + // fieldSpecs for selectors. Custom fieldSpecs specified by + // FieldSpecs will be merged with builtin fieldSpecs if this + // is true. + IncludeSelectors bool `json:"includeSelectors,omitempty" yaml:"includeSelectors,omitempty"` + // IncludeTemplates indicates whether the transformer should include the + // spec/template/metadata fieldSpec. Custom fieldSpecs specified by + // FieldSpecs will be merged with spec/template/metadata fieldSpec if this + // is true. If IncludeSelectors is true, IncludeTemplates is not needed. + IncludeTemplates bool `json:"includeTemplates,omitempty" yaml:"includeTemplates,omitempty"` + FieldSpecs []FieldSpec `json:"fields,omitempty" yaml:"fields,omitempty"` +} + +func labelFromCommonLabels(commonLabels map[string]string) *Label { + if len(commonLabels) == 0 { + return nil + } + return &Label{ + Pairs: commonLabels, + IncludeSelectors: true, + } +} diff --git a/vendor/sigs.k8s.io/kustomize/api/types/loadrestrictions.go b/vendor/sigs.k8s.io/kustomize/api/types/loadrestrictions.go new file mode 100644 index 0000000000..6617abdac2 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/types/loadrestrictions.go @@ -0,0 +1,24 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package types + +// Restrictions on what things can be referred to +// in a kustomization file. +// +//go:generate stringer -type=LoadRestrictions +type LoadRestrictions int + +const ( + LoadRestrictionsUnknown LoadRestrictions = iota + + // Files referenced by a kustomization file must be in + // or under the directory holding the kustomization + // file itself. + LoadRestrictionsRootOnly + + // The kustomization file may specify absolute or + // relative paths to patch or resources files outside + // its own tree. + LoadRestrictionsNone +) diff --git a/vendor/sigs.k8s.io/kustomize/api/types/loadrestrictions_string.go b/vendor/sigs.k8s.io/kustomize/api/types/loadrestrictions_string.go new file mode 100644 index 0000000000..d2355950be --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/types/loadrestrictions_string.go @@ -0,0 +1,25 @@ +// Code generated by "stringer -type=LoadRestrictions"; DO NOT EDIT. + +package types + +import "strconv" + +func _() { + // An "invalid array index" compiler error signifies that the constant values have changed. + // Re-run the stringer command to generate them again. + var x [1]struct{} + _ = x[LoadRestrictionsUnknown-0] + _ = x[LoadRestrictionsRootOnly-1] + _ = x[LoadRestrictionsNone-2] +} + +const _LoadRestrictions_name = "LoadRestrictionsUnknownLoadRestrictionsRootOnlyLoadRestrictionsNone" + +var _LoadRestrictions_index = [...]uint8{0, 23, 47, 67} + +func (i LoadRestrictions) String() string { + if i < 0 || i >= LoadRestrictions(len(_LoadRestrictions_index)-1) { + return "LoadRestrictions(" + strconv.FormatInt(int64(i), 10) + ")" + } + return _LoadRestrictions_name[_LoadRestrictions_index[i]:_LoadRestrictions_index[i+1]] +} diff --git a/vendor/sigs.k8s.io/kustomize/api/types/objectmeta.go b/vendor/sigs.k8s.io/kustomize/api/types/objectmeta.go new file mode 100644 index 0000000000..4f5d41f4a3 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/types/objectmeta.go @@ -0,0 +1,13 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package types + +// ObjectMeta partially copies apimachinery/pkg/apis/meta/v1.ObjectMeta +// No need for a direct dependence; the fields are stable. +type ObjectMeta struct { + Name string `json:"name,omitempty" yaml:"name,omitempty"` + Namespace string `json:"namespace,omitempty" yaml:"namespace,omitempty"` + Labels map[string]string `json:"labels,omitempty" yaml:"labels,omitempty"` + Annotations map[string]string `json:"annotations,omitempty" yaml:"annotations,omitempty"` +} diff --git a/vendor/sigs.k8s.io/kustomize/api/types/pair.go b/vendor/sigs.k8s.io/kustomize/api/types/pair.go new file mode 100644 index 0000000000..63cfb776e0 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/types/pair.go @@ -0,0 +1,10 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package types + +// Pair is a key value pair. +type Pair struct { + Key string + Value string +} diff --git a/vendor/sigs.k8s.io/kustomize/api/types/patch.go b/vendor/sigs.k8s.io/kustomize/api/types/patch.go new file mode 100644 index 0000000000..5310a6e66d --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/types/patch.go @@ -0,0 +1,34 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package types + +import "reflect" + +// Patch represent either a Strategic Merge Patch or a JSON patch +// and its targets. +// The content of the patch can either be from a file +// or from an inline string. +type Patch struct { + // Path is a relative file path to the patch file. + Path string `json:"path,omitempty" yaml:"path,omitempty"` + + // Patch is the content of a patch. + Patch string `json:"patch,omitempty" yaml:"patch,omitempty"` + + // Target points to the resources that the patch is applied to + Target *Selector `json:"target,omitempty" yaml:"target,omitempty"` + + // Options is a list of options for the patch + Options map[string]bool `json:"options,omitempty" yaml:"options,omitempty"` +} + +// Equals return true if p equals o. +func (p *Patch) Equals(o Patch) bool { + targetEqual := (p.Target == o.Target) || + (p.Target != nil && o.Target != nil && *p.Target == *o.Target) + return p.Path == o.Path && + p.Patch == o.Patch && + targetEqual && + reflect.DeepEqual(p.Options, o.Options) +} diff --git a/vendor/sigs.k8s.io/kustomize/api/types/patchstrategicmerge.go b/vendor/sigs.k8s.io/kustomize/api/types/patchstrategicmerge.go new file mode 100644 index 0000000000..81a5ba456d --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/types/patchstrategicmerge.go @@ -0,0 +1,9 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package types + +// PatchStrategicMerge represents a relative path to a +// stategic merge patch with the format +// https://github.com/kubernetes/community/blob/master/contributors/devel/sig-api-machinery/strategic-merge-patch.md +type PatchStrategicMerge string diff --git a/vendor/sigs.k8s.io/kustomize/api/types/pluginconfig.go b/vendor/sigs.k8s.io/kustomize/api/types/pluginconfig.go new file mode 100644 index 0000000000..9721eb724a --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/types/pluginconfig.go @@ -0,0 +1,49 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package types + +type HelmConfig struct { + Enabled bool + Command string + ApiVersions []string + KubeVersion string + Debug bool +} + +// PluginConfig holds plugin configuration. +type PluginConfig struct { + // PluginRestrictions distinguishes plugin restrictions. + PluginRestrictions PluginRestrictions + + // BpLoadingOptions distinguishes builtin plugin behaviors. + BpLoadingOptions BuiltinPluginLoadingOptions + + // FnpLoadingOptions sets the way function-based plugin behaviors. + FnpLoadingOptions FnPluginLoadingOptions + + // HelmConfig contains metadata needed for allowing and running helm. + HelmConfig HelmConfig +} + +func EnabledPluginConfig(b BuiltinPluginLoadingOptions) (pc *PluginConfig) { + pc = MakePluginConfig(PluginRestrictionsNone, b) + pc.HelmConfig.Enabled = true + // If this command is not on PATH, tests needing it should skip. + pc.HelmConfig.Command = "helmV3" + return +} + +func DisabledPluginConfig() *PluginConfig { + return MakePluginConfig( + PluginRestrictionsBuiltinsOnly, + BploUseStaticallyLinked) +} + +func MakePluginConfig(pr PluginRestrictions, + b BuiltinPluginLoadingOptions) *PluginConfig { + return &PluginConfig{ + PluginRestrictions: pr, + BpLoadingOptions: b, + } +} diff --git a/vendor/sigs.k8s.io/kustomize/api/types/pluginrestrictions.go b/vendor/sigs.k8s.io/kustomize/api/types/pluginrestrictions.go new file mode 100644 index 0000000000..0e4ee42e41 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/types/pluginrestrictions.go @@ -0,0 +1,60 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package types + +// Some plugin classes +// - builtin: plugins defined in the kustomize repo. +// May be freely used and re-configured. +// - local: plugins that aren't builtin but are +// locally defined (presumably by the user), meaning +// the kustomization refers to them via a relative +// file path, not a URL. +// - remote: require a build-time download to obtain. +// Unadvised, unless one controls the +// serving site. +// +//go:generate stringer -type=PluginRestrictions +type PluginRestrictions int + +const ( + PluginRestrictionsUnknown PluginRestrictions = iota + + // Non-builtin plugins completely disabled. + PluginRestrictionsBuiltinsOnly + + // No restrictions, do whatever you want. + PluginRestrictionsNone +) + +// BuiltinPluginLoadingOptions distinguish ways in which builtin plugins are used. +//go:generate stringer -type=BuiltinPluginLoadingOptions +type BuiltinPluginLoadingOptions int + +const ( + BploUndefined BuiltinPluginLoadingOptions = iota + + // Desired in production use for performance. + BploUseStaticallyLinked + + // Desired in testing and development cycles where it's undesirable + // to generate static code. + BploLoadFromFileSys +) + +// FnPluginLoadingOptions set way functions-based plugins are restricted +type FnPluginLoadingOptions struct { + // Allow to run executables + EnableExec bool + // Allow container access to network + Network bool + NetworkName string + // list of mounts + Mounts []string + // list of env variables to pass to fn + Env []string + // Run as uid and gid of the command executor + AsCurrentUser bool + // Run in this working directory + WorkingDir string +} diff --git a/vendor/sigs.k8s.io/kustomize/api/types/pluginrestrictions_string.go b/vendor/sigs.k8s.io/kustomize/api/types/pluginrestrictions_string.go new file mode 100644 index 0000000000..b9dba7dfc6 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/types/pluginrestrictions_string.go @@ -0,0 +1,25 @@ +// Code generated by "stringer -type=PluginRestrictions"; DO NOT EDIT. + +package types + +import "strconv" + +func _() { + // An "invalid array index" compiler error signifies that the constant values have changed. + // Re-run the stringer command to generate them again. + var x [1]struct{} + _ = x[PluginRestrictionsUnknown-0] + _ = x[PluginRestrictionsBuiltinsOnly-1] + _ = x[PluginRestrictionsNone-2] +} + +const _PluginRestrictions_name = "PluginRestrictionsUnknownPluginRestrictionsBuiltinsOnlyPluginRestrictionsNone" + +var _PluginRestrictions_index = [...]uint8{0, 25, 55, 77} + +func (i PluginRestrictions) String() string { + if i < 0 || i >= PluginRestrictions(len(_PluginRestrictions_index)-1) { + return "PluginRestrictions(" + strconv.FormatInt(int64(i), 10) + ")" + } + return _PluginRestrictions_name[_PluginRestrictions_index[i]:_PluginRestrictions_index[i+1]] +} diff --git a/vendor/sigs.k8s.io/kustomize/api/types/replacement.go b/vendor/sigs.k8s.io/kustomize/api/types/replacement.go new file mode 100644 index 0000000000..cb4163429a --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/types/replacement.go @@ -0,0 +1,87 @@ +// Copyright 2021 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package types + +import ( + "fmt" + "strings" + + "sigs.k8s.io/kustomize/kyaml/resid" +) + +const DefaultReplacementFieldPath = "metadata.name" + +// Replacement defines how to perform a substitution +// where it is from and where it is to. +type Replacement struct { + // The source of the value. + Source *SourceSelector `json:"source,omitempty" yaml:"source,omitempty"` + + // The N fields to write the value to. + Targets []*TargetSelector `json:"targets,omitempty" yaml:"targets,omitempty"` +} + +// SourceSelector is the source of the replacement transformer. +type SourceSelector struct { + // A specific object to read it from. + resid.ResId `json:",inline,omitempty" yaml:",inline,omitempty"` + + // Structured field path expected in the allowed object. + FieldPath string `json:"fieldPath,omitempty" yaml:"fieldPath,omitempty"` + + // Used to refine the interpretation of the field. + Options *FieldOptions `json:"options,omitempty" yaml:"options,omitempty"` +} + +func (s *SourceSelector) String() string { + if s == nil { + return "" + } + result := []string{s.ResId.String()} + if s.FieldPath != "" { + result = append(result, s.FieldPath) + } + if opts := s.Options.String(); opts != "" { + result = append(result, opts) + } + return strings.Join(result, ":") +} + +// TargetSelector specifies fields in one or more objects. +type TargetSelector struct { + // Include objects that match this. + Select *Selector `json:"select" yaml:"select"` + + // From the allowed set, remove objects that match this. + Reject []*Selector `json:"reject,omitempty" yaml:"reject,omitempty"` + + // Structured field paths expected in each allowed object. + FieldPaths []string `json:"fieldPaths,omitempty" yaml:"fieldPaths,omitempty"` + + // Used to refine the interpretation of the field. + Options *FieldOptions `json:"options,omitempty" yaml:"options,omitempty"` +} + +// FieldOptions refine the interpretation of FieldPaths. +type FieldOptions struct { + // Used to split/join the field. + Delimiter string `json:"delimiter,omitempty" yaml:"delimiter,omitempty"` + + // Which position in the split to consider. + Index int `json:"index,omitempty" yaml:"index,omitempty"` + + // TODO (#3492): Implement use of this option + // None, Base64, URL, Hex, etc + Encoding string `json:"encoding,omitempty" yaml:"encoding,omitempty"` + + // If field missing, add it. + Create bool `json:"create,omitempty" yaml:"create,omitempty"` +} + +func (fo *FieldOptions) String() string { + if fo == nil || (fo.Delimiter == "" && !fo.Create) { + return "" + } + return fmt.Sprintf("%s(%d), create=%t", fo.Delimiter, fo.Index, fo.Create) +} diff --git a/vendor/sigs.k8s.io/kustomize/api/types/replacementfield.go b/vendor/sigs.k8s.io/kustomize/api/types/replacementfield.go new file mode 100644 index 0000000000..303e5c9e23 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/types/replacementfield.go @@ -0,0 +1,9 @@ +// Copyright 2022 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package types + +type ReplacementField struct { + Replacement `json:",inline,omitempty" yaml:",inline,omitempty"` + Path string `json:"path,omitempty" yaml:"path,omitempty"` +} diff --git a/vendor/sigs.k8s.io/kustomize/api/types/replica.go b/vendor/sigs.k8s.io/kustomize/api/types/replica.go new file mode 100644 index 0000000000..8267366b5d --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/types/replica.go @@ -0,0 +1,16 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package types + +// Replica specifies a modification to a replica config. +// The number of replicas of a resource whose name matches will be set to count. +// This struct is used by the ReplicaCountTransform, and is meant to supplement +// the existing patch functionality with a simpler syntax for replica configuration. +type Replica struct { + // The name of the resource to change the replica count + Name string `json:"name,omitempty" yaml:"name,omitempty"` + + // The number of replicas required. + Count int64 `json:"count" yaml:"count"` +} diff --git a/vendor/sigs.k8s.io/kustomize/api/types/secretargs.go b/vendor/sigs.k8s.io/kustomize/api/types/secretargs.go new file mode 100644 index 0000000000..62dbe26a73 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/types/secretargs.go @@ -0,0 +1,19 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package types + +// SecretArgs contains the metadata of how to generate a secret. +type SecretArgs struct { + // GeneratorArgs for the secret. + GeneratorArgs `json:",inline,omitempty" yaml:",inline,omitempty"` + + // Type of the secret. + // + // This is the same field as the secret type field in v1/Secret: + // It can be "Opaque" (default), or "kubernetes.io/tls". + // + // If type is "kubernetes.io/tls", then "literals" or "files" must have exactly two + // keys: "tls.key" and "tls.crt" + Type string `json:"type,omitempty" yaml:"type,omitempty"` +} diff --git a/vendor/sigs.k8s.io/kustomize/api/types/selector.go b/vendor/sigs.k8s.io/kustomize/api/types/selector.go new file mode 100644 index 0000000000..2c07f0b01b --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/types/selector.go @@ -0,0 +1,124 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package types + +import ( + "fmt" + "regexp" + + "sigs.k8s.io/kustomize/kyaml/resid" +) + +// Selector specifies a set of resources. +// Any resource that matches intersection of all conditions +// is included in this set. +type Selector struct { + // ResId refers to a GVKN/Ns of a resource. + resid.ResId `json:",inline,omitempty" yaml:",inline,omitempty"` + + // AnnotationSelector is a string that follows the label selection expression + // https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api + // It matches with the resource annotations. + AnnotationSelector string `json:"annotationSelector,omitempty" yaml:"annotationSelector,omitempty"` + + // LabelSelector is a string that follows the label selection expression + // https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api + // It matches with the resource labels. + LabelSelector string `json:"labelSelector,omitempty" yaml:"labelSelector,omitempty"` +} + +func (s *Selector) Copy() Selector { + return *s +} + +func (s *Selector) String() string { + return fmt.Sprintf( + "%s:a=%s:l=%s", s.ResId, s.AnnotationSelector, s.LabelSelector) +} + +// SelectorRegex is a Selector with regex in GVK +// Any resource that matches intersection of all conditions +// is included in this set. +type SelectorRegex struct { + selector *Selector + groupRegex *regexp.Regexp + versionRegex *regexp.Regexp + kindRegex *regexp.Regexp + nameRegex *regexp.Regexp + namespaceRegex *regexp.Regexp +} + +// NewSelectorRegex returns a pointer to a new SelectorRegex +// which uses the same condition as s. +func NewSelectorRegex(s *Selector) (*SelectorRegex, error) { + sr := new(SelectorRegex) + var err error + sr.selector = s + sr.groupRegex, err = regexp.Compile(anchorRegex(s.Gvk.Group)) + if err != nil { + return nil, err + } + sr.versionRegex, err = regexp.Compile(anchorRegex(s.Gvk.Version)) + if err != nil { + return nil, err + } + sr.kindRegex, err = regexp.Compile(anchorRegex(s.Gvk.Kind)) + if err != nil { + return nil, err + } + sr.nameRegex, err = regexp.Compile(anchorRegex(s.Name)) + if err != nil { + return nil, err + } + sr.namespaceRegex, err = regexp.Compile(anchorRegex(s.Namespace)) + if err != nil { + return nil, err + } + return sr, nil +} + +func anchorRegex(pattern string) string { + if pattern == "" { + return pattern + } + return "^(?:" + pattern + ")$" +} + +// MatchGvk return true if gvk can be matched by s. +func (s *SelectorRegex) MatchGvk(gvk resid.Gvk) bool { + if len(s.selector.Gvk.Group) > 0 { + if !s.groupRegex.MatchString(gvk.Group) { + return false + } + } + if len(s.selector.Gvk.Version) > 0 { + if !s.versionRegex.MatchString(gvk.Version) { + return false + } + } + if len(s.selector.Gvk.Kind) > 0 { + if !s.kindRegex.MatchString(gvk.Kind) { + return false + } + } + return true +} + +// MatchName returns true if the name in selector is +// empty or the n can be matches by the name in selector +func (s *SelectorRegex) MatchName(n string) bool { + if s.selector.Name == "" { + return true + } + return s.nameRegex.MatchString(n) +} + +// MatchNamespace returns true if the namespace in selector is +// empty or the ns can be matches by the namespace in selector +func (s *SelectorRegex) MatchNamespace(ns string) bool { + if s.selector.Namespace == "" { + return true + } + return s.namespaceRegex.MatchString(ns) +} diff --git a/vendor/sigs.k8s.io/kustomize/api/types/sortoptions.go b/vendor/sigs.k8s.io/kustomize/api/types/sortoptions.go new file mode 100644 index 0000000000..64dd48808c --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/types/sortoptions.go @@ -0,0 +1,28 @@ +// Copyright 2021 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package types + +// SortOptions defines the order that kustomize outputs resources. +type SortOptions struct { + // Order selects the ordering strategy. + Order SortOrder `json:"order,omitempty" yaml:"order,omitempty"` + // LegacySortOptions tweaks the sorting for the "legacy" sort ordering + // strategy. + LegacySortOptions *LegacySortOptions `json:"legacySortOptions,omitempty" yaml:"legacySortOptions,omitempty"` +} + +// SortOrder defines different ordering strategies. +type SortOrder string + +const LegacySortOrder SortOrder = "legacy" +const FIFOSortOrder SortOrder = "fifo" + +// LegacySortOptions define various options for tweaking the "legacy" ordering +// strategy. +type LegacySortOptions struct { + // OrderFirst selects the resource kinds to order first. + OrderFirst []string `json:"orderFirst" yaml:"orderFirst"` + // OrderLast selects the resource kinds to order last. + OrderLast []string `json:"orderLast" yaml:"orderLast"` +} diff --git a/vendor/sigs.k8s.io/kustomize/api/types/typemeta.go b/vendor/sigs.k8s.io/kustomize/api/types/typemeta.go new file mode 100644 index 0000000000..0ddafd3d80 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/types/typemeta.go @@ -0,0 +1,11 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package types + +// TypeMeta partially copies apimachinery/pkg/apis/meta/v1.TypeMeta +// No need for a direct dependence; the fields are stable. +type TypeMeta struct { + Kind string `json:"kind,omitempty" yaml:"kind,omitempty"` + APIVersion string `json:"apiVersion,omitempty" yaml:"apiVersion,omitempty"` +} diff --git a/vendor/sigs.k8s.io/kustomize/api/types/var.go b/vendor/sigs.k8s.io/kustomize/api/types/var.go new file mode 100644 index 0000000000..0ca5579c0d --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/api/types/var.go @@ -0,0 +1,211 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package types + +import ( + "fmt" + "reflect" + "sort" + "strings" + + "sigs.k8s.io/kustomize/kyaml/resid" +) + +// Var represents a variable whose value will be sourced +// from a field in a Kubernetes object. +type Var struct { + // Value of identifier name e.g. FOO used in container args, annotations + // Appears in pod template as $(FOO) + Name string `json:"name" yaml:"name"` + + // ObjRef must refer to a Kubernetes resource under the + // purview of this kustomization. ObjRef should use the + // raw name of the object (the name specified in its YAML, + // before addition of a namePrefix and a nameSuffix). + ObjRef Target `json:"objref" yaml:"objref"` + + // FieldRef refers to the field of the object referred to by + // ObjRef whose value will be extracted for use in + // replacing $(FOO). + // If unspecified, this defaults to fieldPath: $defaultFieldPath + FieldRef FieldSelector `json:"fieldref,omitempty" yaml:"fieldref,omitempty"` +} + +// Target refers to a kubernetes object by Group, Version, Kind and Name +// gvk.Gvk contains Group, Version and Kind +// APIVersion is added to keep the backward compatibility of using ObjectReference +// for Var.ObjRef +type Target struct { + APIVersion string `json:"apiVersion,omitempty" yaml:"apiVersion,omitempty"` + resid.Gvk `json:",inline,omitempty" yaml:",inline,omitempty"` + Name string `json:"name" yaml:"name"` + Namespace string `json:"namespace,omitempty" yaml:"namespace,omitempty"` +} + +// GVK returns the Gvk object in Target +func (t *Target) GVK() resid.Gvk { + if t.APIVersion == "" { + return t.Gvk + } + versions := strings.Split(t.APIVersion, "/") + if len(versions) == 2 { + t.Group = versions[0] + t.Version = versions[1] + } + if len(versions) == 1 { + t.Version = versions[0] + } + return t.Gvk +} + +// FieldSelector contains the fieldPath to an object field. +// This struct is added to keep the backward compatibility of using ObjectFieldSelector +// for Var.FieldRef +type FieldSelector struct { + FieldPath string `json:"fieldPath,omitempty" yaml:"fieldPath,omitempty"` +} + +// defaulting sets reference to field used by default. +func (v *Var) Defaulting() { + if v.FieldRef.FieldPath == "" { + v.FieldRef.FieldPath = DefaultReplacementFieldPath + } + v.ObjRef.GVK() +} + +// DeepEqual returns true if var a and b are Equals. +// Note 1: The objects are unchanged by the VarEqual +// Note 2: Should be normalize be FieldPath before doing +// the DeepEqual. spec.a[b] is supposed to be the same +// as spec.a.b +func (v Var) DeepEqual(other Var) bool { + v.Defaulting() + other.Defaulting() + return reflect.DeepEqual(v, other) +} + +// VarSet is a set of Vars where no var.Name is repeated. +type VarSet struct { + set map[string]Var +} + +// NewVarSet returns an initialized VarSet +func NewVarSet() VarSet { + return VarSet{set: map[string]Var{}} +} + +// AsSlice returns the vars as a slice. +func (vs *VarSet) AsSlice() []Var { + s := make([]Var, len(vs.set)) + i := 0 + for _, v := range vs.set { + s[i] = v + i++ + } + sort.Sort(byName(s)) + return s +} + +// Copy returns a copy of the var set. +func (vs *VarSet) Copy() VarSet { + newSet := make(map[string]Var, len(vs.set)) + for k, v := range vs.set { + newSet[k] = v + } + return VarSet{set: newSet} +} + +// MergeSet absorbs other vars with error on name collision. +func (vs *VarSet) MergeSet(incoming VarSet) error { + for _, incomingVar := range incoming.set { + if err := vs.Merge(incomingVar); err != nil { + return err + } + } + return nil +} + +// MergeSlice absorbs a Var slice with error on name collision. +// Empty fields in incoming vars are defaulted. +func (vs *VarSet) MergeSlice(incoming []Var) error { + for _, v := range incoming { + if err := vs.Merge(v); err != nil { + return err + } + } + return nil +} + +// Merge absorbs another Var with error on name collision. +// Empty fields in incoming Var is defaulted. +func (vs *VarSet) Merge(v Var) error { + if vs.Contains(v) { + return fmt.Errorf( + "var '%s' already encountered", v.Name) + } + v.Defaulting() + vs.set[v.Name] = v + return nil +} + +// AbsorbSet absorbs other vars with error on (name,value) collision. +func (vs *VarSet) AbsorbSet(incoming VarSet) error { + for _, v := range incoming.set { + if err := vs.Absorb(v); err != nil { + return err + } + } + return nil +} + +// AbsorbSlice absorbs a Var slice with error on (name,value) collision. +// Empty fields in incoming vars are defaulted. +func (vs *VarSet) AbsorbSlice(incoming []Var) error { + for _, v := range incoming { + if err := vs.Absorb(v); err != nil { + return err + } + } + return nil +} + +// Absorb absorbs another Var with error on (name,value) collision. +// Empty fields in incoming Var is defaulted. +func (vs *VarSet) Absorb(v Var) error { + conflicting := vs.Get(v.Name) + if conflicting == nil { + // no conflict. The var is valid. + v.Defaulting() + vs.set[v.Name] = v + return nil + } + + if !reflect.DeepEqual(v, *conflicting) { + // two vars with the same name are pointing at two + // different resources. + return fmt.Errorf( + "var '%s' already encountered", v.Name) + } + return nil +} + +// Contains is true if the set has the other var. +func (vs *VarSet) Contains(other Var) bool { + return vs.Get(other.Name) != nil +} + +// Get returns the var with the given name, else nil. +func (vs *VarSet) Get(name string) *Var { + if v, found := vs.set[name]; found { + return &v + } + return nil +} + +// byName is a sort interface which sorts Vars by name alphabetically +type byName []Var + +func (v byName) Len() int { return len(v) } +func (v byName) Swap(i, j int) { v[i], v[j] = v[j], v[i] } +func (v byName) Less(i, j int) bool { return v[i].Name < v[j].Name } diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/LICENSE b/vendor/sigs.k8s.io/kustomize/kyaml/LICENSE new file mode 100644 index 0000000000..8dada3edaf --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/kyaml/LICENSE @@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "{}" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright {yyyy} {name of copyright owner} + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/comments/comments.go b/vendor/sigs.k8s.io/kustomize/kyaml/comments/comments.go new file mode 100644 index 0000000000..97334d0f08 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/kyaml/comments/comments.go @@ -0,0 +1,83 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package comments + +import ( + "sigs.k8s.io/kustomize/kyaml/openapi" + "sigs.k8s.io/kustomize/kyaml/yaml" + "sigs.k8s.io/kustomize/kyaml/yaml/walk" +) + +// CopyComments recursively copies the comments on fields in from to fields in to +func CopyComments(from, to *yaml.RNode) error { + // from node should not be modified, it should be just used as a reference + fromCopy := from.Copy() + copyFieldComments(fromCopy, to) + // walk the fields copying comments + _, err := walk.Walker{ + Sources: []*yaml.RNode{fromCopy, to}, + Visitor: &copier{}, + VisitKeysAsScalars: true}.Walk() + return err +} + +// copier implements walk.Visitor, and copies comments to fields shared between 2 instances +// of a resource +type copier struct{} + +func (c *copier) VisitMap(s walk.Sources, _ *openapi.ResourceSchema) (*yaml.RNode, error) { + copyFieldComments(s.Dest(), s.Origin()) + return s.Dest(), nil +} + +func (c *copier) VisitScalar(s walk.Sources, _ *openapi.ResourceSchema) (*yaml.RNode, error) { + to := s.Origin() + // TODO: File a bug with upstream yaml to handle comments for FoldedStyle scalar nodes + // Hack: convert FoldedStyle scalar node to DoubleQuotedStyle as the line comments are + // being serialized without space + // https://github.com/GoogleContainerTools/kpt/issues/766 + if to != nil && to.Document().Style == yaml.FoldedStyle { + to.Document().Style = yaml.DoubleQuotedStyle + } + + copyFieldComments(s.Dest(), to) + return s.Dest(), nil +} + +func (c *copier) VisitList(s walk.Sources, _ *openapi.ResourceSchema, _ walk.ListKind) ( + *yaml.RNode, error) { + copyFieldComments(s.Dest(), s.Origin()) + destItems := s.Dest().Content() + originItems := s.Origin().Content() + + for i := 0; i < len(destItems) && i < len(originItems); i++ { + dest := destItems[i] + origin := originItems[i] + + if dest.Value == origin.Value { + // We copy the comments recursively on each node in the list. + if err := CopyComments(yaml.NewRNode(dest), yaml.NewRNode(origin)); err != nil { + return nil, err + } + } + } + + return s.Dest(), nil +} + +// copyFieldComments copies the comment from one field to another +func copyFieldComments(from, to *yaml.RNode) { + if from == nil || to == nil { + return + } + if to.Document().LineComment == "" { + to.Document().LineComment = from.Document().LineComment + } + if to.Document().HeadComment == "" { + to.Document().HeadComment = from.Document().HeadComment + } + if to.Document().FootComment == "" { + to.Document().FootComment = from.Document().FootComment + } +} diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/errors/errors.go b/vendor/sigs.k8s.io/kustomize/kyaml/errors/errors.go new file mode 100644 index 0000000000..c292d7c681 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/kyaml/errors/errors.go @@ -0,0 +1,50 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +// Package errors provides libraries for working with the go-errors/errors library. +package errors + +import ( + "fmt" + + goerrors "github.com/go-errors/errors" +) + +// Wrap returns err wrapped in a go-error. If err is nil, returns nil. +func Wrap(err interface{}) error { + if err == nil { + return nil + } + return goerrors.Wrap(err, 1) +} + +// WrapPrefixf returns err wrapped in a go-error with a message prefix. If err is nil, returns nil. +func WrapPrefixf(err interface{}, msg string, args ...interface{}) error { + if err == nil { + return nil + } + return goerrors.WrapPrefix(err, fmt.Sprintf(msg, args...), 1) +} + +// Errorf returns a new go-error. +func Errorf(msg string, args ...interface{}) error { + return goerrors.Wrap(fmt.Errorf(msg, args...), 1) +} + +// As finds the targeted error in any wrapped error. +func As(err error, target interface{}) bool { + return goerrors.As(err, target) +} + +// Is detects whether the error is equal to a given error. +func Is(err error, target error) bool { + return goerrors.Is(err, target) +} + +// GetStack returns a stack trace for the error if it has one +func GetStack(err error) string { + if e, ok := err.(*goerrors.Error); ok { + return string(e.Stack()) + } + return "" +} diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/ext/ext.go b/vendor/sigs.k8s.io/kustomize/kyaml/ext/ext.go new file mode 100644 index 0000000000..c946577cce --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/kyaml/ext/ext.go @@ -0,0 +1,10 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package ext + +// IgnoreFileName returns the name for ignore files in +// packages. It can be overridden by tools using this library. +var IgnoreFileName = func() string { + return ".krmignore" +} diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/fieldmeta/fieldmeta.go b/vendor/sigs.k8s.io/kustomize/kyaml/fieldmeta/fieldmeta.go new file mode 100644 index 0000000000..c537c33725 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/kyaml/fieldmeta/fieldmeta.go @@ -0,0 +1,275 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package fieldmeta + +import ( + "encoding/json" + "fmt" + "reflect" + "strconv" + "strings" + + "k8s.io/kube-openapi/pkg/validation/spec" + "sigs.k8s.io/kustomize/kyaml/errors" + "sigs.k8s.io/kustomize/kyaml/openapi" + "sigs.k8s.io/kustomize/kyaml/yaml" +) + +// FieldMeta contains metadata that may be attached to fields as comments +type FieldMeta struct { + Schema spec.Schema + + Extensions XKustomize + + SettersSchema *spec.Schema +} + +type XKustomize struct { + SetBy string `yaml:"setBy,omitempty" json:"setBy,omitempty"` + PartialFieldSetters []PartialFieldSetter `yaml:"partialSetters,omitempty" json:"partialSetters,omitempty"` + FieldSetter *PartialFieldSetter `yaml:"setter,omitempty" json:"setter,omitempty"` +} + +// PartialFieldSetter defines how to set part of a field rather than the full field +// value. e.g. the tag part of an image field +type PartialFieldSetter struct { + // Name is the name of this setter. + Name string `yaml:"name" json:"name"` + + // Value is the current value that has been set. + Value string `yaml:"value" json:"value"` +} + +// IsEmpty returns true if the FieldMeta has any empty Schema +func (fm *FieldMeta) IsEmpty() bool { + if fm == nil { + return true + } + return reflect.DeepEqual(fm.Schema, spec.Schema{}) +} + +// Read reads the FieldMeta from a node +func (fm *FieldMeta) Read(n *yaml.RNode) error { + // check for metadata on head and line comments + comments := []string{n.YNode().LineComment, n.YNode().HeadComment} + for _, c := range comments { + if c == "" { + continue + } + c := strings.TrimLeft(c, "#") + + // check for new short hand notation or fall back to openAPI ref format + if !fm.processShortHand(c) { + // if it doesn't Unmarshal that is fine, it means there is no metadata + // other comments are valid, they just don't parse + // TODO: consider more sophisticated parsing techniques similar to what is used + // for go struct tags. + if err := fm.Schema.UnmarshalJSON([]byte(c)); err != nil { + // note: don't return an error if the comment isn't a fieldmeta struct + return nil + } + } + fe := fm.Schema.VendorExtensible.Extensions["x-kustomize"] + if fe == nil { + return nil + } + b, err := json.Marshal(fe) + if err != nil { + return errors.Wrap(err) + } + return json.Unmarshal(b, &fm.Extensions) + } + return nil +} + +// processShortHand parses the comment for short hand ref, loads schema to fm +// and returns true if successful, returns false for any other cases and not throw +// error, as the comment might not be a setter ref +func (fm *FieldMeta) processShortHand(comment string) bool { + input := map[string]string{} + err := json.Unmarshal([]byte(comment), &input) + if err != nil { + return false + } + name := input[shortHandRef] + if name == "" { + return false + } + + // check if setter with the name exists, else check for a substitution + // setter and substitution can't have same name in shorthand + + setterRef, err := spec.NewRef(DefinitionsPrefix + SetterDefinitionPrefix + name) + if err != nil { + return false + } + + setterRefBytes, err := setterRef.MarshalJSON() + if err != nil { + return false + } + + if _, err := openapi.Resolve(&setterRef, fm.SettersSchema); err == nil { + setterErr := fm.Schema.UnmarshalJSON(setterRefBytes) + return setterErr == nil + } + + substRef, err := spec.NewRef(DefinitionsPrefix + SubstitutionDefinitionPrefix + name) + if err != nil { + return false + } + + substRefBytes, err := substRef.MarshalJSON() + if err != nil { + return false + } + + if _, err := openapi.Resolve(&substRef, fm.SettersSchema); err == nil { + substErr := fm.Schema.UnmarshalJSON(substRefBytes) + return substErr == nil + } + return false +} + +func isExtensionEmpty(x XKustomize) bool { + if x.FieldSetter != nil { + return false + } + if x.SetBy != "" { + return false + } + if len(x.PartialFieldSetters) > 0 { + return false + } + return true +} + +// Write writes the FieldMeta to a node +func (fm *FieldMeta) Write(n *yaml.RNode) error { + if !isExtensionEmpty(fm.Extensions) { + return fm.WriteV1Setters(n) + } + + // Ref is removed when a setter is deleted, so the Ref string could be empty. + if fm.Schema.Ref.String() != "" { + // Ex: {"$ref":"#/definitions/io.k8s.cli.setters.replicas"} should be converted to + // {"$openAPI":"replicas"} and added to the line comment + ref := fm.Schema.Ref.String() + var shortHandRefValue string + switch { + case strings.HasPrefix(ref, DefinitionsPrefix+SetterDefinitionPrefix): + shortHandRefValue = strings.TrimPrefix(ref, DefinitionsPrefix+SetterDefinitionPrefix) + case strings.HasPrefix(ref, DefinitionsPrefix+SubstitutionDefinitionPrefix): + shortHandRefValue = strings.TrimPrefix(ref, DefinitionsPrefix+SubstitutionDefinitionPrefix) + default: + return fmt.Errorf("unexpected ref format: %s", ref) + } + n.YNode().LineComment = fmt.Sprintf(`{"%s":"%s"}`, shortHandRef, + shortHandRefValue) + } else { + n.YNode().LineComment = "" + } + + return nil +} + +// WriteV1Setters is the v1 setters way of writing setter definitions +// TODO: pmarupaka - remove this method after migration +func (fm *FieldMeta) WriteV1Setters(n *yaml.RNode) error { + fm.Schema.VendorExtensible.AddExtension("x-kustomize", fm.Extensions) + b, err := json.Marshal(fm.Schema) + if err != nil { + return errors.Wrap(err) + } + n.YNode().LineComment = string(b) + return nil +} + +// FieldValueType defines the type of input to register +type FieldValueType string + +const ( + // String defines a string flag + String FieldValueType = "string" + // Bool defines a bool flag + Bool = "boolean" + // Int defines an int flag + Int = "integer" +) + +func (it FieldValueType) String() string { + if it == "" { + return "string" + } + return string(it) +} + +func (it FieldValueType) Validate(value string) error { + switch it { + case Int: + if _, err := strconv.Atoi(value); err != nil { + return errors.WrapPrefixf(err, "value must be an int") + } + case Bool: + if _, err := strconv.ParseBool(value); err != nil { + return errors.WrapPrefixf(err, "value must be a bool") + } + } + return nil +} + +func (it FieldValueType) Tag() string { + switch it { + case String: + return yaml.NodeTagString + case Bool: + return yaml.NodeTagBool + case Int: + return yaml.NodeTagInt + } + return "" +} + +func (it FieldValueType) TagForValue(value string) string { + switch it { + case String: + return yaml.NodeTagString + case Bool: + if _, err := strconv.ParseBool(string(it)); err != nil { + return "" + } + return yaml.NodeTagBool + case Int: + if _, err := strconv.ParseInt(string(it), 0, 32); err != nil { + return "" + } + return yaml.NodeTagInt + } + return "" +} + +const ( + // CLIDefinitionsPrefix is the prefix for cli definition keys. + CLIDefinitionsPrefix = "io.k8s.cli." + + // SetterDefinitionPrefix is the prefix for setter definition keys. + SetterDefinitionPrefix = CLIDefinitionsPrefix + "setters." + + // SubstitutionDefinitionPrefix is the prefix for substitution definition keys. + SubstitutionDefinitionPrefix = CLIDefinitionsPrefix + "substitutions." + + // DefinitionsPrefix is the prefix used to reference definitions in the OpenAPI + DefinitionsPrefix = "#/definitions/" +) + +// shortHandRef is the shorthand reference to setters and substitutions +var shortHandRef = "$openapi" + +func SetShortHandRef(ref string) { + shortHandRef = ref +} + +func ShortHandRef() string { + return shortHandRef +} diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/filesys/confirmeddir.go b/vendor/sigs.k8s.io/kustomize/kyaml/filesys/confirmeddir.go new file mode 100644 index 0000000000..ea6eff90ba --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/kyaml/filesys/confirmeddir.go @@ -0,0 +1,79 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package filesys + +import ( + "os" + "path/filepath" + "strings" +) + +// ConfirmedDir is a clean, absolute, delinkified path +// that was confirmed to point to an existing directory. +type ConfirmedDir string + +// NewTmpConfirmedDir returns a temporary dir, else error. +// The directory is cleaned, no symlinks, etc. so it's +// returned as a ConfirmedDir. +func NewTmpConfirmedDir() (ConfirmedDir, error) { + n, err := os.MkdirTemp("", "kustomize-") + if err != nil { + return "", err + } + + // In MacOs `os.MkdirTemp` creates a directory + // with root in the `/var` folder, which is in turn + // a symlinked path to `/private/var`. + // Function `filepath.EvalSymlinks`is used to + // resolve the real absolute path. + deLinked, err := filepath.EvalSymlinks(n) + return ConfirmedDir(deLinked), err +} + +// HasPrefix returns true if the directory argument +// is a prefix of self (d) from the point of view of +// a file system. +// +// I.e., it's true if the argument equals or contains +// self (d) in a file path sense. +// +// HasPrefix emulates the semantics of strings.HasPrefix +// such that the following are true: +// +// strings.HasPrefix("foobar", "foobar") +// strings.HasPrefix("foobar", "foo") +// strings.HasPrefix("foobar", "") +// +// d := fSys.ConfirmDir("/foo/bar") +// d.HasPrefix("/foo/bar") +// d.HasPrefix("/foo") +// d.HasPrefix("/") +// +// Not contacting a file system here to check for +// actual path existence. +// +// This is tested on linux, but will have trouble +// on other operating systems. +// TODO(monopole) Refactor when #golang/go/18358 closes. +// See also: +// https://github.com/golang/go/issues/18358 +// https://github.com/golang/dep/issues/296 +// https://github.com/golang/dep/blob/master/internal/fs/fs.go#L33 +// https://codereview.appspot.com/5712045 +func (d ConfirmedDir) HasPrefix(path ConfirmedDir) bool { + if path.String() == string(filepath.Separator) || path == d { + return true + } + return strings.HasPrefix( + string(d), + string(path)+string(filepath.Separator)) +} + +func (d ConfirmedDir) Join(path string) string { + return filepath.Join(string(d), path) +} + +func (d ConfirmedDir) String() string { + return string(d) +} diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/filesys/doc.go b/vendor/sigs.k8s.io/kustomize/kyaml/filesys/doc.go new file mode 100644 index 0000000000..bd39634416 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/kyaml/filesys/doc.go @@ -0,0 +1,7 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +// Package filesys provides a file system abstraction, +// a subset of that provided by golang.org/pkg/os, +// with an on-disk and in-memory representation. +package filesys diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/filesys/file.go b/vendor/sigs.k8s.io/kustomize/kyaml/filesys/file.go new file mode 100644 index 0000000000..5044c653e7 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/kyaml/filesys/file.go @@ -0,0 +1,15 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package filesys + +import ( + "io" + "os" +) + +// File groups the basic os.File methods. +type File interface { + io.ReadWriteCloser + Stat() (os.FileInfo, error) +} diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/filesys/fileinfo.go b/vendor/sigs.k8s.io/kustomize/kyaml/filesys/fileinfo.go new file mode 100644 index 0000000000..57646d2440 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/kyaml/filesys/fileinfo.go @@ -0,0 +1,34 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package filesys + +import ( + "os" + "time" +) + +var _ os.FileInfo = fileInfo{} + +// fileInfo implements os.FileInfo for a fileInMemory instance. +type fileInfo struct { + node *fsNode +} + +// Name returns the name of the file +func (fi fileInfo) Name() string { return fi.node.Name() } + +// Size returns the size of the file +func (fi fileInfo) Size() int64 { return fi.node.Size() } + +// Mode returns the file mode +func (fi fileInfo) Mode() os.FileMode { return 0777 } + +// ModTime returns a bogus time +func (fi fileInfo) ModTime() time.Time { return time.Time{} } + +// IsDir returns true if it is a directory +func (fi fileInfo) IsDir() bool { return fi.node.isNodeADir() } + +// Sys should return underlying data source, but it now returns nil +func (fi fileInfo) Sys() interface{} { return nil } diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/filesys/fileondisk.go b/vendor/sigs.k8s.io/kustomize/kyaml/filesys/fileondisk.go new file mode 100644 index 0000000000..8ed92d90ee --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/kyaml/filesys/fileondisk.go @@ -0,0 +1,27 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package filesys + +import ( + "os" +) + +var _ File = &fileOnDisk{} + +// fileOnDisk implements File using the local filesystem. +type fileOnDisk struct { + file *os.File +} + +// Close closes a file. +func (f *fileOnDisk) Close() error { return f.file.Close() } + +// Read reads a file's content. +func (f *fileOnDisk) Read(p []byte) (n int, err error) { return f.file.Read(p) } + +// Write writes bytes to a file +func (f *fileOnDisk) Write(p []byte) (n int, err error) { return f.file.Write(p) } + +// Stat returns an interface which has all the information regarding the file. +func (f *fileOnDisk) Stat() (os.FileInfo, error) { return f.file.Stat() } diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/filesys/filesystem.go b/vendor/sigs.k8s.io/kustomize/kyaml/filesys/filesystem.go new file mode 100644 index 0000000000..c29d5ad8a7 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/kyaml/filesys/filesystem.go @@ -0,0 +1,154 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package filesys + +import ( + "fmt" + "path/filepath" + + "sigs.k8s.io/kustomize/kyaml/errors" +) + +const ( + Separator = string(filepath.Separator) + SelfDir = "." + ParentDir = ".." +) + +// FileSystem groups basic os filesystem methods. +// It's supposed be functional subset of https://golang.org/pkg/os +type FileSystem interface { + + // Create a file. + Create(path string) (File, error) + + // MkDir makes a directory. + Mkdir(path string) error + + // MkDirAll makes a directory path, creating intervening directories. + MkdirAll(path string) error + + // RemoveAll removes path and any children it contains. + RemoveAll(path string) error + + // Open opens the named file for reading. + Open(path string) (File, error) + + // IsDir returns true if the path is a directory. + IsDir(path string) bool + + // ReadDir returns a list of files and directories within a directory. + ReadDir(path string) ([]string, error) + + // CleanedAbs converts the given path into a + // directory and a file name, where the directory + // is represented as a ConfirmedDir and all that implies. + // If the entire path is a directory, the file component + // is an empty string. + CleanedAbs(path string) (ConfirmedDir, string, error) + + // Exists is true if the path exists in the file system. + Exists(path string) bool + + // Glob returns the list of matching files, + // emulating https://golang.org/pkg/path/filepath/#Glob + Glob(pattern string) ([]string, error) + + // ReadFile returns the contents of the file at the given path. + ReadFile(path string) ([]byte, error) + + // WriteFile writes the data to a file at the given path, + // overwriting anything that's already there. + WriteFile(path string, data []byte) error + + // Walk walks the file system with the given WalkFunc. + Walk(path string, walkFn filepath.WalkFunc) error +} + +// ConfirmDir returns an error if the user-specified path is not an existing directory on fSys. +// Otherwise, ConfirmDir returns path, which can be relative, as a ConfirmedDir and all that implies. +func ConfirmDir(fSys FileSystem, path string) (ConfirmedDir, error) { + if path == "" { + return "", errors.Errorf("directory path cannot be empty") + } + + d, f, err := fSys.CleanedAbs(path) + if err != nil { + return "", errors.WrapPrefixf(err, "not a valid directory") + } + if f != "" { + //nolint:govet + return "", errors.WrapPrefixf(errors.Errorf("file is not directory"), fmt.Sprintf("'%s'", path)) + } + return d, nil +} + +// FileSystemOrOnDisk satisfies the FileSystem interface by forwarding +// all of its method calls to the given FileSystem whenever it's not nil. +// If it's nil, the call is forwarded to the OS's underlying file system. +type FileSystemOrOnDisk struct { + FileSystem FileSystem +} + +// Set sets the given FileSystem as the target for all the FileSystem method calls. +func (fs *FileSystemOrOnDisk) Set(f FileSystem) { fs.FileSystem = f } + +func (fs FileSystemOrOnDisk) fs() FileSystem { + if fs.FileSystem != nil { + return fs.FileSystem + } + return MakeFsOnDisk() +} + +func (fs FileSystemOrOnDisk) Create(path string) (File, error) { + return fs.fs().Create(path) +} + +func (fs FileSystemOrOnDisk) Mkdir(path string) error { + return fs.fs().Mkdir(path) +} + +func (fs FileSystemOrOnDisk) MkdirAll(path string) error { + return fs.fs().MkdirAll(path) +} + +func (fs FileSystemOrOnDisk) RemoveAll(path string) error { + return fs.fs().RemoveAll(path) +} + +func (fs FileSystemOrOnDisk) Open(path string) (File, error) { + return fs.fs().Open(path) +} + +func (fs FileSystemOrOnDisk) IsDir(path string) bool { + return fs.fs().IsDir(path) +} + +func (fs FileSystemOrOnDisk) ReadDir(path string) ([]string, error) { + return fs.fs().ReadDir(path) +} + +func (fs FileSystemOrOnDisk) CleanedAbs(path string) (ConfirmedDir, string, error) { + return fs.fs().CleanedAbs(path) +} + +func (fs FileSystemOrOnDisk) Exists(path string) bool { + return fs.fs().Exists(path) +} + +func (fs FileSystemOrOnDisk) Glob(pattern string) ([]string, error) { + return fs.fs().Glob(pattern) +} + +func (fs FileSystemOrOnDisk) ReadFile(path string) ([]byte, error) { + return fs.fs().ReadFile(path) +} + +func (fs FileSystemOrOnDisk) WriteFile(path string, data []byte) error { + return fs.fs().WriteFile(path, data) +} + +func (fs FileSystemOrOnDisk) Walk(path string, walkFn filepath.WalkFunc) error { + return fs.fs().Walk(path, walkFn) +} diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/filesys/fsnode.go b/vendor/sigs.k8s.io/kustomize/kyaml/filesys/fsnode.go new file mode 100644 index 0000000000..608b8e38ac --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/kyaml/filesys/fsnode.go @@ -0,0 +1,647 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package filesys + +import ( + "bytes" + "fmt" + "io" + "log" + "os" + "path/filepath" + "regexp" + "sort" + "strings" + + "sigs.k8s.io/kustomize/kyaml/errors" +) + +var _ File = &fsNode{} +var _ FileSystem = &fsNode{} + +// fsNode is either a file or a directory. +type fsNode struct { + // What node owns me? + parent *fsNode + + // Value to return as the Name() when the + // parent is nil. + nilParentName string + + // A directory mapping names to nodes. + // If dir is nil, then self node is a file. + // If dir is non-nil, then self node is a directory, + // albeit possibly an empty directory. + dir map[string]*fsNode + + // if this node is a file, this is the content. + content []byte + + // if offset is not nil the file is open and it tracks + // the current file offset. + offset *int +} + +// MakeEmptyDirInMemory returns an empty directory. +// The paths of nodes in this object will never +// report a leading Separator, meaning they +// aren't "absolute" in the sense defined by +// https://golang.org/pkg/path/filepath/#IsAbs. +func MakeEmptyDirInMemory() *fsNode { + return &fsNode{ + dir: make(map[string]*fsNode), + } +} + +// MakeFsInMemory returns an empty 'file system'. +// The paths of nodes in this object will always +// report a leading Separator, meaning they +// are "absolute" in the sense defined by +// https://golang.org/pkg/path/filepath/#IsAbs. +// This is a relevant difference when using Walk, +// Glob, Match, etc. +func MakeFsInMemory() FileSystem { + return &fsNode{ + nilParentName: Separator, + dir: make(map[string]*fsNode), + } +} + +// Name returns the name of the node. +func (n *fsNode) Name() string { + if n.parent == nil { + // Unable to lookup name in parent. + return n.nilParentName + } + if !n.parent.isNodeADir() { + log.Fatal("parent not a dir") + } + for key, value := range n.parent.dir { + if value == n { + return key + } + } + log.Fatal("unable to find fsNode name") + return "" +} + +// Path returns the full path to the node. +func (n *fsNode) Path() string { + if n.parent == nil { + return n.nilParentName + } + if !n.parent.isNodeADir() { + log.Fatal("parent not a dir, structural error") + } + return filepath.Join(n.parent.Path(), n.Name()) +} + +// mySplit trims trailing separators from the directory +// result of filepath.Split. +func mySplit(s string) (string, string) { + dName, fName := filepath.Split(s) + return StripTrailingSeps(dName), fName +} + +func (n *fsNode) addFile(name string, c []byte) (result *fsNode, err error) { + parent := n + dName, fileName := mySplit(name) + if dName != "" { + parent, err = parent.addDir(dName) + if err != nil { + return nil, err + } + } + if !isLegalFileNameForCreation(fileName) { + return nil, fmt.Errorf( + "illegal name '%s' in file creation", fileName) + } + result, ok := parent.dir[fileName] + if ok { + // File already exists; overwrite it. + if result.offset != nil { + return nil, fmt.Errorf("cannot add already opened file '%s'", n.Path()) + } + result.content = append(result.content[:0], c...) + return result, nil + } + result = &fsNode{ + content: append([]byte(nil), c...), + parent: parent, + } + parent.dir[fileName] = result + return result, nil +} + +// Create implements FileSystem. +// Create makes an empty file. +func (n *fsNode) Create(path string) (result File, err error) { + f, err := n.AddFile(path, nil) + if err != nil { + return f, err + } + f.offset = new(int) + return f, nil +} + +// WriteFile implements FileSystem. +func (n *fsNode) WriteFile(path string, d []byte) error { + _, err := n.AddFile(path, d) + return err +} + +// AddFile adds a file and any necessary containing +// directories to the node. +func (n *fsNode) AddFile( + name string, c []byte) (result *fsNode, err error) { + if n.dir == nil { + return nil, fmt.Errorf( + "cannot add a file to a non-directory '%s'", n.Name()) + } + return n.addFile(cleanQueryPath(name), c) +} + +func (n *fsNode) addDir(path string) (result *fsNode, err error) { + parent := n + dName, subDirName := mySplit(path) + if dName != "" { + parent, err = n.addDir(dName) + if err != nil { + return nil, err + } + } + switch subDirName { + case "", SelfDir: + return n, nil + case ParentDir: + if n.parent == nil { + return nil, fmt.Errorf( + "cannot add a directory above '%s'", n.Path()) + } + return n.parent, nil + default: + if !isLegalFileNameForCreation(subDirName) { + return nil, fmt.Errorf( + "illegal name '%s' in directory creation", subDirName) + } + result, ok := parent.dir[subDirName] + if ok { + if result.isNodeADir() { + // it's already there. + return result, nil + } + return nil, fmt.Errorf( + "cannot make dir '%s'; a file of that name already exists in '%s'", + subDirName, parent.Name()) + } + result = &fsNode{ + dir: make(map[string]*fsNode), + parent: parent, + } + parent.dir[subDirName] = result + return result, nil + } +} + +// Mkdir implements FileSystem. +// Mkdir creates a directory. +func (n *fsNode) Mkdir(path string) error { + _, err := n.AddDir(path) + return err +} + +// MkdirAll implements FileSystem. +// MkdirAll creates a directory. +func (n *fsNode) MkdirAll(path string) error { + _, err := n.AddDir(path) + return err +} + +// AddDir adds a directory to the node, not complaining +// if it is already there. +func (n *fsNode) AddDir(path string) (result *fsNode, err error) { + if n.dir == nil { + return nil, fmt.Errorf( + "cannot add a directory to file node '%s'", n.Name()) + } + return n.addDir(cleanQueryPath(path)) +} + +// CleanedAbs implements FileSystem. +func (n *fsNode) CleanedAbs(path string) (ConfirmedDir, string, error) { + node, err := n.Find(path) + if err != nil { + return "", "", errors.WrapPrefixf(err, "unable to clean") + } + if node == nil { + return "", "", notExistError(path) + } + if node.isNodeADir() { + return ConfirmedDir(node.Path()), "", nil + } + return ConfirmedDir(node.parent.Path()), node.Name(), nil +} + +// Exists implements FileSystem. +// Exists returns true if the path exists. +func (n *fsNode) Exists(path string) bool { + if !n.isNodeADir() { + return n.Name() == path + } + result, err := n.Find(path) + if err != nil { + return false + } + return result != nil +} + +func cleanQueryPath(path string) string { + // Always ignore leading separator? + // Remember that filepath.Clean returns "." if + // given an empty string argument. + return filepath.Clean(StripLeadingSeps(path)) +} + +// Find finds the given node, else nil if not found. +// Return error on structural/argument errors. +func (n *fsNode) Find(path string) (*fsNode, error) { + if !n.isNodeADir() { + return nil, fmt.Errorf("can only find inside a dir") + } + if path == "" { + // Special case; check *before* cleaning and *before* + // comparison to nilParentName. + return nil, nil + } + if (n.parent == nil && path == n.nilParentName) || path == SelfDir { + // Special case + return n, nil + } + return n.findIt(cleanQueryPath(path)) +} + +func (n *fsNode) findIt(path string) (result *fsNode, err error) { + parent := n + dName, item := mySplit(path) + if dName != "" { + parent, err = n.findIt(dName) + if err != nil { + return nil, err + } + if parent == nil { + // all done, target doesn't exist. + return nil, nil + } + } + if !parent.isNodeADir() { + return nil, fmt.Errorf("'%s' is not a directory", parent.Path()) + } + return parent.dir[item], nil +} + +// RemoveAll implements FileSystem. +// RemoveAll removes an item and everything it contains. +func (n *fsNode) RemoveAll(path string) error { + result, err := n.Find(path) + if err != nil { + return err + } + if result == nil { + // If the path doesn't exist, no need to remove anything. + return nil + } + return result.Remove() +} + +// Remove drop the node, and everything it contains, from its parent. +func (n *fsNode) Remove() error { + if n.parent == nil { + return fmt.Errorf("cannot remove a root node") + } + if !n.parent.isNodeADir() { + log.Fatal("parent not a dir") + } + for key, value := range n.parent.dir { + if value == n { + delete(n.parent.dir, key) + return nil + } + } + log.Fatal("unable to find self in parent") + return nil +} + +// isNodeADir returns true if the node is a directory. +// Cannot collide with the poorly named "IsDir". +func (n *fsNode) isNodeADir() bool { + return n.dir != nil +} + +// IsDir implements FileSystem. +// IsDir returns true if the argument resolves +// to a directory rooted at the node. +func (n *fsNode) IsDir(path string) bool { + result, err := n.Find(path) + if err != nil || result == nil { + return false + } + return result.isNodeADir() +} + +// ReadDir implements FileSystem. +func (n *fsNode) ReadDir(path string) ([]string, error) { + if !n.Exists(path) { + return nil, notExistError(path) + } + if !n.IsDir(path) { + return nil, fmt.Errorf("%s is not a directory", path) + } + + dir, err := n.Find(path) + if err != nil { + return nil, err + } + if dir == nil { + return nil, fmt.Errorf("could not find directory %s", path) + } + + keys := make([]string, len(dir.dir)) + i := 0 + for k := range dir.dir { + keys[i] = k + i++ + } + return keys, nil +} + +// Size returns the size of the node. +func (n *fsNode) Size() int64 { + if n.isNodeADir() { + return int64(len(n.dir)) + } + return int64(len(n.content)) +} + +// Open implements FileSystem. +// Open opens the node in read-write mode and sets the offset its start. +// Writing right after opening the file will replace the original content +// and move the offset forward, as with a file opened with O_RDWR | O_CREATE. +// +// As an example, let's consider a file with content "content": +// - open: sets offset to start, content is "content" +// - write "@": offset increases by one, the content is now "@ontent" +// - read the rest: since offset is 1, the read operation returns "ontent" +// - write "$": offset is at EOF, so "$" is appended and content is now "@ontent$" +// - read the rest: returns 0 bytes and EOF +// - close: the content is still "@ontent$" +func (n *fsNode) Open(path string) (File, error) { + result, err := n.Find(path) + if err != nil { + return nil, err + } + if result == nil { + return nil, notExistError(path) + } + if result.offset != nil { + return nil, fmt.Errorf("cannot open previously opened file '%s'", path) + } + result.offset = new(int) + return result, nil +} + +// Close marks the node closed. +func (n *fsNode) Close() error { + if n.offset == nil { + return fmt.Errorf("cannot close already closed file '%s'", n.Path()) + } + n.offset = nil + return nil +} + +// ReadFile implements FileSystem. +func (n *fsNode) ReadFile(path string) (c []byte, err error) { + result, err := n.Find(path) + if err != nil { + return nil, err + } + if result == nil { + return nil, notExistError(path) + } + if result.isNodeADir() { + return nil, fmt.Errorf("cannot read content from non-file '%s'", n.Path()) + } + c = make([]byte, len(result.content)) + copy(c, result.content) + return c, nil +} + +// Read returns the content of the file node. +func (n *fsNode) Read(d []byte) (c int, err error) { + if n.isNodeADir() { + return 0, fmt.Errorf( + "cannot read content from non-file '%s'", n.Path()) + } + if n.offset == nil { + return 0, fmt.Errorf("cannot read from closed file '%s'", n.Path()) + } + + rest := n.content[*n.offset:] + if len(d) < len(rest) { + rest = rest[:len(d)] + } else { + err = io.EOF + } + copy(d, rest) + *n.offset += len(rest) + return len(rest), err +} + +// Write saves the contents of the argument to the file node. +func (n *fsNode) Write(p []byte) (c int, err error) { + if n.isNodeADir() { + return 0, fmt.Errorf( + "cannot write content to non-file '%s'", n.Path()) + } + if n.offset == nil { + return 0, fmt.Errorf("cannot write to closed file '%s'", n.Path()) + } + n.content = append(n.content[:*n.offset], p...) + *n.offset = len(n.content) + return len(p), nil +} + +// ContentMatches returns true if v matches fake file's content. +func (n *fsNode) ContentMatches(v []byte) bool { + return bytes.Equal(v, n.content) +} + +// GetContent the content of a fake file. +func (n *fsNode) GetContent() []byte { + return n.content +} + +// Stat returns an instance of FileInfo. +func (n *fsNode) Stat() (os.FileInfo, error) { + return fileInfo{node: n}, nil +} + +// Walk implements FileSystem. +func (n *fsNode) Walk(path string, walkFn filepath.WalkFunc) error { + result, err := n.Find(path) + if err != nil { + return err + } + if result == nil { + return notExistError(path) + } + return result.WalkMe(walkFn) +} + +// Walk runs the given walkFn on each node. +func (n *fsNode) WalkMe(walkFn filepath.WalkFunc) error { + fi, err := n.Stat() + // always visit self first + err = walkFn(n.Path(), fi, err) + if !n.isNodeADir() { + // it's a file, so nothing more to do + return err + } + // process self as a directory + if err == filepath.SkipDir { + return nil + } + // Walk is supposed to visit in lexical order. + for _, k := range n.sortedDirEntries() { + if err := n.dir[k].WalkMe(walkFn); err != nil { + if err == filepath.SkipDir { + // stop processing this directory + break + } + // bail out completely + return err + } + } + return nil +} + +func (n *fsNode) sortedDirEntries() []string { + keys := make([]string, len(n.dir)) + i := 0 + for k := range n.dir { + keys[i] = k + i++ + } + sort.Strings(keys) + return keys +} + +// FileCount returns a count of files. +// Directories, empty or otherwise, not counted. +func (n *fsNode) FileCount() int { + count := 0 + n.WalkMe(func(path string, info os.FileInfo, err error) error { + if err != nil { + return err + } + if !info.IsDir() { + count++ + } + return nil + }) + return count +} + +func (n *fsNode) DebugPrint() { + n.WalkMe(func(path string, info os.FileInfo, err error) error { + if err != nil { + fmt.Printf("err '%v' at path %q\n", err, path) + return nil + } + if info.IsDir() { + if info.Size() == 0 { + fmt.Println("empty dir: " + path) + } + } else { + fmt.Println(" file: " + path) + } + return nil + }) +} + +var legalFileNamePattern = regexp.MustCompile("^[a-zA-Z0-9-_.:]+$") + +// This rules enforced here should be simpler and tighter +// than what's allowed on a real OS. +// Should be fine for testing or in-memory purposes. +func isLegalFileNameForCreation(n string) bool { + if n == "" || n == SelfDir || !legalFileNamePattern.MatchString(n) { + return false + } + return !strings.Contains(n, ParentDir) +} + +// RegExpGlob returns a list of file paths matching the regexp. +// Excludes directories. +func (n *fsNode) RegExpGlob(pattern string) ([]string, error) { + var result []string + var expression = regexp.MustCompile(pattern) + err := n.WalkMe(func(path string, info os.FileInfo, err error) error { + if err != nil { + return err + } + if !info.IsDir() { + if expression.MatchString(path) { + result = append(result, path) + } + } + return nil + }) + if err != nil { + return nil, err + } + sort.Strings(result) + return result, nil +} + +// Glob implements FileSystem. +// Glob returns the list of file paths matching +// per filepath.Match semantics, i.e. unlike RegExpGlob, +// Match("foo/a*") will not match sub-sub directories of foo. +// This is how /bin/ls behaves. +func (n *fsNode) Glob(pattern string) ([]string, error) { + var result []string + var allFiles []string + err := n.WalkMe(func(path string, info os.FileInfo, err error) error { + if err != nil { + return err + } + if !info.IsDir() { + match, err := filepath.Match(pattern, path) + if err != nil { + return err + } + if match { + allFiles = append(allFiles, path) + } + } + return nil + }) + if err != nil { + return nil, err + } + if IsHiddenFilePath(pattern) { + result = allFiles + } else { + result = RemoveHiddenFiles(allFiles) + } + sort.Strings(result) + return result, nil +} + +// notExistError indicates that a file or directory does not exist. +// Unwrapping returns os.ErrNotExist so errors.Is(err, os.ErrNotExist) works correctly. +type notExistError string + +func (err notExistError) Error() string { return fmt.Sprintf("'%s' doesn't exist", string(err)) } +func (err notExistError) Unwrap() error { return os.ErrNotExist } diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/filesys/fsondisk.go b/vendor/sigs.k8s.io/kustomize/kyaml/filesys/fsondisk.go new file mode 100644 index 0000000000..10ce83f122 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/kyaml/filesys/fsondisk.go @@ -0,0 +1,141 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package filesys + +import ( + "fmt" + "log" + "os" + "path/filepath" + + "sigs.k8s.io/kustomize/kyaml/errors" +) + +var _ FileSystem = fsOnDisk{} + +// fsOnDisk implements FileSystem using the local filesystem. +type fsOnDisk struct{} + +// MakeFsOnDisk makes an instance of fsOnDisk. +func MakeFsOnDisk() FileSystem { + return fsOnDisk{} +} + +// Create delegates to os.Create. +func (fsOnDisk) Create(name string) (File, error) { return os.Create(name) } + +// Mkdir delegates to os.Mkdir. +func (fsOnDisk) Mkdir(name string) error { + return os.Mkdir(name, 0777|os.ModeDir) +} + +// MkdirAll delegates to os.MkdirAll. +func (fsOnDisk) MkdirAll(name string) error { + return os.MkdirAll(name, 0777|os.ModeDir) +} + +// RemoveAll delegates to os.RemoveAll. +func (fsOnDisk) RemoveAll(name string) error { + return os.RemoveAll(name) +} + +// Open delegates to os.Open. +func (fsOnDisk) Open(name string) (File, error) { return os.Open(name) } + +// CleanedAbs converts the given path into a +// directory and a file name, where the directory +// is represented as a ConfirmedDir and all that implies. +// If the entire path is a directory, the file component +// is an empty string. +func (x fsOnDisk) CleanedAbs( + path string) (ConfirmedDir, string, error) { + absRoot, err := filepath.Abs(path) + if err != nil { + return "", "", fmt.Errorf( + "abs path error on '%s' : %v", path, err) + } + deLinked, err := filepath.EvalSymlinks(absRoot) + if err != nil { + return "", "", fmt.Errorf( + "evalsymlink failure on '%s' : %w", path, err) + } + if x.IsDir(deLinked) { + return ConfirmedDir(deLinked), "", nil + } + d := filepath.Dir(deLinked) + if !x.IsDir(d) { + // Programmer/assumption error. + log.Fatalf("first part of '%s' not a directory", deLinked) + } + if d == deLinked { + // Programmer/assumption error. + log.Fatalf("d '%s' should be a subset of deLinked", d) + } + f := filepath.Base(deLinked) + if filepath.Join(d, f) != deLinked { + // Programmer/assumption error. + log.Fatalf("these should be equal: '%s', '%s'", + filepath.Join(d, f), deLinked) + } + return ConfirmedDir(d), f, nil +} + +// Exists returns true if os.Stat succeeds. +func (fsOnDisk) Exists(name string) bool { + _, err := os.Stat(name) + return err == nil +} + +// Glob returns the list of matching files +func (fsOnDisk) Glob(pattern string) ([]string, error) { + var result []string + allFilePaths, err := filepath.Glob(pattern) + if err != nil { + return nil, err + } + if IsHiddenFilePath(pattern) { + result = allFilePaths + } else { + result = RemoveHiddenFiles(allFilePaths) + } + return result, nil +} + +// IsDir delegates to os.Stat and FileInfo.IsDir +func (fsOnDisk) IsDir(name string) bool { + info, err := os.Stat(name) + if err != nil { + return false + } + return info.IsDir() +} + +// ReadDir delegates to os.ReadDir +func (fsOnDisk) ReadDir(name string) ([]string, error) { + dirEntries, err := os.ReadDir(name) + if err != nil { + return nil, err + } + result := make([]string, len(dirEntries)) + for i := range dirEntries { + result[i] = dirEntries[i].Name() + } + return result, nil +} + +// ReadFile delegates to os.ReadFile. +func (fsOnDisk) ReadFile(name string) ([]byte, error) { + content, err := os.ReadFile(name) + return content, errors.Wrap(err) +} + +// WriteFile delegates to os.WriteFile with read/write permissions. +func (fsOnDisk) WriteFile(name string, c []byte) error { + return errors.Wrap(os.WriteFile(name, c, 0666)) //nolint:gosec +} + +// Walk delegates to filepath.Walk. +func (fsOnDisk) Walk(path string, walkFn filepath.WalkFunc) error { + return filepath.Walk(path, walkFn) +} diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/filesys/fsondisk_unix.go b/vendor/sigs.k8s.io/kustomize/kyaml/filesys/fsondisk_unix.go new file mode 100644 index 0000000000..15935a462a --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/kyaml/filesys/fsondisk_unix.go @@ -0,0 +1,15 @@ +// Copyright 2022 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +//go:build !windows +// +build !windows + +package filesys + +import ( + "path/filepath" +) + +func getOSRoot() (string, error) { + return string(filepath.Separator), nil +} diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/filesys/fsondisk_windows.go b/vendor/sigs.k8s.io/kustomize/kyaml/filesys/fsondisk_windows.go new file mode 100644 index 0000000000..8c8a33c4db --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/kyaml/filesys/fsondisk_windows.go @@ -0,0 +1,18 @@ +// Copyright 2022 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package filesys + +import ( + "path/filepath" + + "golang.org/x/sys/windows" +) + +func getOSRoot() (string, error) { + sysDir, err := windows.GetSystemDirectory() + if err != nil { + return "", err + } + return filepath.VolumeName(sysDir) + `\`, nil +} diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/filesys/util.go b/vendor/sigs.k8s.io/kustomize/kyaml/filesys/util.go new file mode 100644 index 0000000000..0713ffe2cb --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/kyaml/filesys/util.go @@ -0,0 +1,143 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package filesys + +import ( + "os" + "path/filepath" + "strings" +) + +// RootedPath returns a rooted path, e.g. "/foo/bar" as +// opposed to "foo/bar". +func RootedPath(elem ...string) string { + return Separator + filepath.Join(elem...) +} + +// StripTrailingSeps trims trailing filepath separators from input. +func StripTrailingSeps(s string) string { + k := len(s) + for k > 0 && s[k-1] == filepath.Separator { + k-- + } + return s[:k] +} + +// StripLeadingSeps trims leading filepath separators from input. +func StripLeadingSeps(s string) string { + k := 0 + for k < len(s) && s[k] == filepath.Separator { + k++ + } + return s[k:] +} + +// PathSplit converts a file path to a slice of string. +// If the path is absolute (if the path has a leading slash), +// then the first entry in the result is an empty string. +// Desired: path == PathJoin(PathSplit(path)) +func PathSplit(incoming string) []string { + if incoming == "" { + return []string{} + } + dir, path := filepath.Split(incoming) + if dir == string(os.PathSeparator) { + if path == "" { + return []string{""} + } + return []string{"", path} + } + dir = strings.TrimSuffix(dir, string(os.PathSeparator)) + if dir == "" { + return []string{path} + } + return append(PathSplit(dir), path) +} + +// PathJoin converts a slice of string to a file path. +// If the first entry is an empty string, then the returned +// path is absolute (it has a leading slash). +// Desired: path == PathJoin(PathSplit(path)) +func PathJoin(incoming []string) string { + if len(incoming) == 0 { + return "" + } + if incoming[0] == "" { + return string(os.PathSeparator) + filepath.Join(incoming[1:]...) + } + return filepath.Join(incoming...) +} + +// InsertPathPart inserts 'part' at position 'pos' in the given filepath. +// The first position is 0. +// +// E.g. if part == 'PEACH' +// +// OLD : NEW : POS +// -------------------------------------------------------- +// {empty} : PEACH : irrelevant +// / : /PEACH : irrelevant +// pie : PEACH/pie : 0 (or negative) +// /pie : /PEACH/pie : 0 (or negative) +// raw : raw/PEACH : 1 (or larger) +// /raw : /raw/PEACH : 1 (or larger) +// a/nice/warm/pie : a/nice/warm/PEACH/pie : 3 +// /a/nice/warm/pie : /a/nice/warm/PEACH/pie : 3 +// +// * An empty part results in no change. +// +// - Absolute paths get their leading '/' stripped, treated like +// relative paths, and the leading '/' is re-added on output. +// The meaning of pos is intentionally the same in either absolute or +// relative paths; if it weren't, this function could convert absolute +// paths to relative paths, which is not desirable. +// +// - For robustness (liberal input, conservative output) Pos values +// that are too small (large) to index the split filepath result in a +// prefix (postfix) rather than an error. Use extreme position values +// to assure a prefix or postfix (e.g. 0 will always prefix, and +// 9999 will presumably always postfix). +func InsertPathPart(path string, pos int, part string) string { + if part == "" { + return path + } + parts := PathSplit(path) + if pos < 0 { + pos = 0 + } else if pos > len(parts) { + pos = len(parts) + } + if len(parts) > 0 && parts[0] == "" && pos < len(parts) { + // An empty string at 0 indicates an absolute path, and means + // we must increment pos. This change means that a position + // specification has the same meaning in relative and absolute paths. + // E.g. in either the path 'a/b/c' or the path '/a/b/c', + // 'a' is at 0, 'b' is at 1 and 'c' is at 2, and inserting at + // zero means a new first field _without_ changing an absolute + // path to a relative path. + pos++ + } + result := make([]string, len(parts)+1) + copy(result, parts[0:pos]) + result[pos] = part + return PathJoin(append(result, parts[pos:]...)) //nolint: makezero +} + +func IsHiddenFilePath(pattern string) bool { + return strings.HasPrefix(filepath.Base(pattern), ".") +} + +// Removes paths containing hidden files/folders from a list of paths +func RemoveHiddenFiles(paths []string) []string { + if len(paths) == 0 { + return paths + } + var result []string + for _, path := range paths { + if !IsHiddenFilePath(path) { + result = append(result, path) + } + } + return result +} diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/fn/runtime/container/container.go b/vendor/sigs.k8s.io/kustomize/kyaml/fn/runtime/container/container.go new file mode 100644 index 0000000000..62aa76f53a --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/kyaml/fn/runtime/container/container.go @@ -0,0 +1,208 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package container + +import ( + "fmt" + "os" + "path/filepath" + + "sigs.k8s.io/kustomize/kyaml/errors" + runtimeexec "sigs.k8s.io/kustomize/kyaml/fn/runtime/exec" + "sigs.k8s.io/kustomize/kyaml/fn/runtime/runtimeutil" + "sigs.k8s.io/kustomize/kyaml/yaml" +) + +// Filter filters Resources using a container image. +// The container must start a process that reads the list of +// input Resources from stdin, reads the Configuration from the env +// API_CONFIG, and writes the filtered Resources to stdout. +// If there is a error or validation failure, the process must exit +// non-zero. +// The full set of environment variables from the parent process +// are passed to the container. +// +// Function Scoping: +// Filter applies the function only to Resources to which it is scoped. +// +// Resources are scoped to a function if any of the following are true: +// - the Resource were read from the same directory as the function config +// - the Resource were read from a subdirectory of the function config directory +// - the function config is in a directory named "functions" and +// they were read from a subdirectory of "functions" parent +// - the function config doesn't have a path annotation (considered globally scoped) +// - the Filter has GlobalScope == true +// +// In Scope Examples: +// +// Example 1: deployment.yaml and service.yaml in function.yaml scope +// same directory as the function config directory +// . +// ├── function.yaml +// ├── deployment.yaml +// └── service.yaml +// +// Example 2: apps/deployment.yaml and apps/service.yaml in function.yaml scope +// subdirectory of the function config directory +// . +// ├── function.yaml +// └── apps +//    ├── deployment.yaml +//    └── service.yaml +// +// Example 3: apps/deployment.yaml and apps/service.yaml in functions/function.yaml scope +// function config is in a directory named "functions" +// . +// ├── functions +// │   └── function.yaml +// └── apps +//    ├── deployment.yaml +//    └── service.yaml +// +// Out of Scope Examples: +// +// Example 1: apps/deployment.yaml and apps/service.yaml NOT in stuff/function.yaml scope +// . +// ├── stuff +// │   └── function.yaml +// └── apps +//    ├── deployment.yaml +//    └── service.yaml +// +// Example 2: apps/deployment.yaml and apps/service.yaml NOT in stuff/functions/function.yaml scope +// . +// ├── stuff +// │   └── functions +// │    └── function.yaml +// └── apps +//    ├── deployment.yaml +//    └── service.yaml +// +// Default Paths: +// Resources emitted by functions will have default path applied as annotations +// if none is present. +// The default path will be the function-dir/ (or parent directory in the case of "functions") +// + function-file-name/ + namespace/ + kind_name.yaml +// +// Example 1: Given a function in fn.yaml that produces a Deployment name foo and a Service named bar +// dir +// └── fn.yaml +// +// Would default newly generated Resources to: +// +// dir +// ├── fn.yaml +// └── fn +//    ├── deployment_foo.yaml +//    └── service_bar.yaml +// +// Example 2: Given a function in functions/fn.yaml that produces a Deployment name foo and a Service named bar +// dir +// └── fn.yaml +// +// Would default newly generated Resources to: +// +// dir +// ├── functions +// │   └── fn.yaml +// └── fn +//    ├── deployment_foo.yaml +//    └── service_bar.yaml +// +// Example 3: Given a function in fn.yaml that produces a Deployment name foo, namespace baz and a Service named bar namespace baz +// dir +// └── fn.yaml +// +// Would default newly generated Resources to: +// +// dir +// ├── fn.yaml +// └── fn +// └── baz +//    ├── deployment_foo.yaml +//    └── service_bar.yaml +type Filter struct { + runtimeutil.ContainerSpec `json:",inline" yaml:",inline"` + + Exec runtimeexec.Filter + + UIDGID string +} + +func (c Filter) String() string { + if c.Exec.DeferFailure { + return fmt.Sprintf("%s deferFailure: %v", c.Image, c.Exec.DeferFailure) + } + return c.Image +} +func (c Filter) GetExit() error { + return c.Exec.GetExit() +} + +func (c *Filter) Filter(nodes []*yaml.RNode) ([]*yaml.RNode, error) { + if err := c.setupExec(); err != nil { + return nil, err + } + return c.Exec.Filter(nodes) +} + +func (c *Filter) setupExec() error { + // don't init 2x + if c.Exec.Path != "" { + return nil + } + + if c.Exec.WorkingDir == "" { + wd, err := os.Getwd() + if err != nil { + return errors.Wrap(err) + } + c.Exec.WorkingDir = wd + } + + path, args := c.getCommand() + c.Exec.Path = path + c.Exec.Args = args + return nil +} + +// getCommand returns the command + args to run to spawn the container +func (c *Filter) getCommand() (string, []string) { + network := runtimeutil.NetworkNameNone + if c.ContainerSpec.Network { + network = runtimeutil.NetworkNameHost + } + // run the container using docker. this is simpler than using the docker + // libraries, and ensures things like auth work the same as if the container + // was run from the cli. + args := []string{"run", + "--rm", // delete the container afterward + "-i", "-a", "STDIN", "-a", "STDOUT", "-a", "STDERR", // attach stdin, stdout, stderr + "--network", string(network), + + // added security options + "--user", c.UIDGID, + "--security-opt=no-new-privileges", // don't allow the user to escalate privileges + // note: don't make fs readonly because things like heredoc rely on writing tmp files + } + + for _, storageMount := range c.StorageMounts { + // convert declarative relative paths to absolute (otherwise docker will throw an error) + if !filepath.IsAbs(storageMount.Src) { + storageMount.Src = filepath.Join(c.Exec.WorkingDir, storageMount.Src) + } + args = append(args, "--mount", storageMount.String()) + } + + args = append(args, runtimeutil.NewContainerEnvFromStringSlice(c.Env).GetDockerFlags()...) + a := append(args, c.Image) //nolint:gocritic + return "docker", a +} + +// NewContainer returns a new container filter +func NewContainer(spec runtimeutil.ContainerSpec, uidgid string) Filter { + f := Filter{ContainerSpec: spec, UIDGID: uidgid} + + return f +} diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/fn/runtime/exec/doc.go b/vendor/sigs.k8s.io/kustomize/kyaml/fn/runtime/exec/doc.go new file mode 100644 index 0000000000..2747a96fba --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/kyaml/fn/runtime/exec/doc.go @@ -0,0 +1,5 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +// Package exec contains the exec function implementation. +package exec diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/fn/runtime/exec/exec.go b/vendor/sigs.k8s.io/kustomize/kyaml/fn/runtime/exec/exec.go new file mode 100644 index 0000000000..8bb3fe12e6 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/kyaml/fn/runtime/exec/exec.go @@ -0,0 +1,54 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package exec + +import ( + "io" + "os" + "os/exec" + "path/filepath" + + "sigs.k8s.io/kustomize/kyaml/errors" + "sigs.k8s.io/kustomize/kyaml/fn/runtime/runtimeutil" + "sigs.k8s.io/kustomize/kyaml/yaml" +) + +type Filter struct { + // Path is the path to the executable to run + Path string `yaml:"path,omitempty"` + + // Args are the arguments to the executable + Args []string `yaml:"args,omitempty"` + + // WorkingDir is the working directory that the executable + // should run in + WorkingDir string + + runtimeutil.FunctionFilter +} + +func (c *Filter) Filter(nodes []*yaml.RNode) ([]*yaml.RNode, error) { + c.FunctionFilter.Run = c.Run + return c.FunctionFilter.Filter(nodes) +} + +func (c *Filter) Run(reader io.Reader, writer io.Writer) error { + cmd := exec.Command(c.Path, c.Args...) //nolint:gosec + cmd.Stdin = reader + cmd.Stdout = writer + cmd.Stderr = os.Stderr + if c.WorkingDir == "" { + return errors.Errorf("no working directory set for exec function") + } + if !filepath.IsAbs(c.WorkingDir) { + return errors.Errorf( + "relative working directory %s not allowed", c.WorkingDir) + } + if c.WorkingDir == "/" { + return errors.Errorf( + "root working directory '/' not allowed") + } + cmd.Dir = c.WorkingDir + return cmd.Run() +} diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/fn/runtime/runtimeutil/doc.go b/vendor/sigs.k8s.io/kustomize/kyaml/fn/runtime/runtimeutil/doc.go new file mode 100644 index 0000000000..89f9036a4c --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/kyaml/fn/runtime/runtimeutil/doc.go @@ -0,0 +1,5 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +// Package runtimeutil contains libraries for implementing function runtimes. +package runtimeutil diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/fn/runtime/runtimeutil/functiontypes.go b/vendor/sigs.k8s.io/kustomize/kyaml/fn/runtime/runtimeutil/functiontypes.go new file mode 100644 index 0000000000..f56962c146 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/kyaml/fn/runtime/runtimeutil/functiontypes.go @@ -0,0 +1,298 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package runtimeutil + +import ( + "fmt" + "os" + "sort" + "strings" + + "sigs.k8s.io/kustomize/kyaml/yaml" + k8syaml "sigs.k8s.io/yaml" +) + +const ( + FunctionAnnotationKey = "config.kubernetes.io/function" + oldFunctionAnnotationKey = "config.k8s.io/function" +) + +var functionAnnotationKeys = []string{FunctionAnnotationKey, oldFunctionAnnotationKey} + +// ContainerNetworkName is a type for network name used in container +type ContainerNetworkName string + +const ( + NetworkNameNone ContainerNetworkName = "none" + NetworkNameHost ContainerNetworkName = "host" +) +const defaultEnvValue string = "true" + +// ContainerEnv defines the environment present in a container. +type ContainerEnv struct { + // EnvVars is a key-value map that will be set as env in container + EnvVars map[string]string + + // VarsToExport are only env key. Value will be the value in the host system + VarsToExport []string +} + +// GetDockerFlags returns docker run style env flags +func (ce *ContainerEnv) GetDockerFlags() []string { + envs := ce.EnvVars + if envs == nil { + envs = make(map[string]string) + } + + flags := []string{} + // return in order to keep consistent among different runs + keys := []string{} + for k := range envs { + keys = append(keys, k) + } + sort.Strings(keys) + for _, key := range keys { + flags = append(flags, "-e", key+"="+envs[key]) + } + + for _, key := range ce.VarsToExport { + flags = append(flags, "-e", key) + } + + return flags +} + +// AddKeyValue adds a key-value pair into the envs +func (ce *ContainerEnv) AddKeyValue(key, value string) { + if ce.EnvVars == nil { + ce.EnvVars = make(map[string]string) + } + ce.EnvVars[key] = value +} + +// HasExportedKey returns true if the key is a exported key +func (ce *ContainerEnv) HasExportedKey(key string) bool { + for _, k := range ce.VarsToExport { + if k == key { + return true + } + } + return false +} + +// AddKey adds a key into the envs +func (ce *ContainerEnv) AddKey(key string) { + if !ce.HasExportedKey(key) { + ce.VarsToExport = append(ce.VarsToExport, key) + } +} + +// Raw returns a slice of string which represents the envs. +// Example: [foo=bar, baz] +func (ce *ContainerEnv) Raw() []string { + var ret []string + for k, v := range ce.EnvVars { + ret = append(ret, k+"="+v) + } + + ret = append(ret, ce.VarsToExport...) + return ret +} + +// NewContainerEnv returns a pointer to a new ContainerEnv +func NewContainerEnv() *ContainerEnv { + var ce ContainerEnv + ce.EnvVars = make(map[string]string) + // default envs + ce.EnvVars["LOG_TO_STDERR"] = defaultEnvValue + ce.EnvVars["STRUCTURED_RESULTS"] = defaultEnvValue + return &ce +} + +// NewContainerEnvFromStringSlice returns a new ContainerEnv pointer with parsing +// input envStr. envStr example: ["foo=bar", "baz"] +func NewContainerEnvFromStringSlice(envStr []string) *ContainerEnv { + ce := NewContainerEnv() + for _, e := range envStr { + parts := strings.SplitN(e, "=", 2) + if len(parts) == 1 { + ce.AddKey(e) + } else { + ce.AddKeyValue(parts[0], parts[1]) + } + } + return ce +} + +// FunctionSpec defines a spec for running a function +type FunctionSpec struct { + DeferFailure bool `json:"deferFailure,omitempty" yaml:"deferFailure,omitempty"` + + // Container is the spec for running a function as a container + Container ContainerSpec `json:"container,omitempty" yaml:"container,omitempty"` + + // ExecSpec is the spec for running a function as an executable + Exec ExecSpec `json:"exec,omitempty" yaml:"exec,omitempty"` +} + +type ExecSpec struct { + Path string `json:"path,omitempty" yaml:"path,omitempty"` +} + +// ContainerSpec defines a spec for running a function as a container +type ContainerSpec struct { + // Image is the container image to run + Image string `json:"image,omitempty" yaml:"image,omitempty"` + + // Network defines network specific configuration + Network bool `json:"network,omitempty" yaml:"network,omitempty"` + + // Mounts are the storage or directories to mount into the container + StorageMounts []StorageMount `json:"mounts,omitempty" yaml:"mounts,omitempty"` + + // Env is a slice of env string that will be exposed to container + Env []string `json:"envs,omitempty" yaml:"envs,omitempty"` +} + +// StorageMount represents a container's mounted storage option(s) +type StorageMount struct { + // Type of mount e.g. bind mount, local volume, etc. + MountType string `json:"type,omitempty" yaml:"type,omitempty"` + + // Source for the storage to be mounted. + // For named volumes, this is the name of the volume. + // For anonymous volumes, this field is omitted (empty string). + // For bind mounts, this is the path to the file or directory on the host. + Src string `json:"src,omitempty" yaml:"src,omitempty"` + + // The path where the file or directory is mounted in the container. + DstPath string `json:"dst,omitempty" yaml:"dst,omitempty"` + + // Mount in ReadWrite mode if it's explicitly configured + // See https://docs.docker.com/storage/bind-mounts/#use-a-read-only-bind-mount + ReadWriteMode bool `json:"rw,omitempty" yaml:"rw,omitempty"` +} + +func (s *StorageMount) String() string { + mode := "" + if !s.ReadWriteMode { + mode = ",readonly" + } + return fmt.Sprintf("type=%s,source=%s,target=%s%s", s.MountType, s.Src, s.DstPath, mode) +} + +// GetFunctionSpec returns the FunctionSpec for a resource. Returns +// nil if the resource does not have a FunctionSpec. +// +// The FunctionSpec is read from the resource metadata.annotation +// "config.kubernetes.io/function" +func GetFunctionSpec(n *yaml.RNode) (*FunctionSpec, error) { + meta, err := n.GetMeta() + if err != nil { + return nil, fmt.Errorf("failed to get ResourceMeta: %w", err) + } + + fn, err := getFunctionSpecFromAnnotation(n, meta) + if err != nil { + return nil, err + } + if fn != nil { + return fn, nil + } + + // legacy function specification for backwards compatibility + container := meta.Annotations["config.kubernetes.io/container"] + if container != "" { + return &FunctionSpec{Container: ContainerSpec{Image: container}}, nil + } + return nil, nil +} + +// getFunctionSpecFromAnnotation parses the config function from an annotation +// if it is found +func getFunctionSpecFromAnnotation(n *yaml.RNode, meta yaml.ResourceMeta) (*FunctionSpec, error) { + var fs FunctionSpec + for _, s := range functionAnnotationKeys { + fn := meta.Annotations[s] + if fn != "" { + if err := k8syaml.UnmarshalStrict([]byte(fn), &fs); err != nil { + return nil, fmt.Errorf("%s unmarshal error: %w", s, err) + } + return &fs, nil + } + } + n, err := n.Pipe(yaml.Lookup("metadata", "configFn")) + if err != nil { + return nil, fmt.Errorf("failed to look up metadata.configFn: %w", err) + } + if yaml.IsMissingOrNull(n) { + return nil, nil + } + s, err := n.String() + if err != nil { + fmt.Fprintf(os.Stderr, "configFn parse error: %v\n", err) + return nil, fmt.Errorf("configFn parse error: %w", err) + } + if err := k8syaml.UnmarshalStrict([]byte(s), &fs); err != nil { + return nil, fmt.Errorf("%s unmarshal error: %w", "configFn", err) + } + return &fs, nil +} + +func StringToStorageMount(s string) StorageMount { + m := make(map[string]string) + options := strings.Split(s, ",") + for _, option := range options { + keyVal := strings.SplitN(option, "=", 2) + if len(keyVal) == 2 { + m[keyVal[0]] = keyVal[1] + } + } + var sm StorageMount + for key, value := range m { + switch { + case key == "type": + sm.MountType = value + case key == "src" || key == "source": + sm.Src = value + case key == "dst" || key == "target": + sm.DstPath = value + case key == "rw" && value == "true": + sm.ReadWriteMode = true + } + } + return sm +} + +// IsReconcilerFilter filters Resources based on whether or not they are Reconciler Resource. +// Resources with an apiVersion starting with '*.gcr.io', 'gcr.io' or 'docker.io' are considered +// Reconciler Resources. +type IsReconcilerFilter struct { + // ExcludeReconcilers if set to true, then Reconcilers will be excluded -- e.g. + // Resources with a reconcile container through the apiVersion (gcr.io prefix) or + // through the annotations + ExcludeReconcilers bool `yaml:"excludeReconcilers,omitempty"` + + // IncludeNonReconcilers if set to true, the NonReconciler will be included. + IncludeNonReconcilers bool `yaml:"includeNonReconcilers,omitempty"` +} + +// Filter implements kio.Filter +func (c *IsReconcilerFilter) Filter(inputs []*yaml.RNode) ([]*yaml.RNode, error) { + var out []*yaml.RNode + for i := range inputs { + functionSpec, err := GetFunctionSpec(inputs[i]) + if err != nil { + return nil, err + } + isFnResource := functionSpec != nil + if isFnResource && !c.ExcludeReconcilers { + out = append(out, inputs[i]) + } + if !isFnResource && c.IncludeNonReconcilers { + out = append(out, inputs[i]) + } + } + return out, nil +} diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/fn/runtime/runtimeutil/runtimeutil.go b/vendor/sigs.k8s.io/kustomize/kyaml/fn/runtime/runtimeutil/runtimeutil.go new file mode 100644 index 0000000000..6a06b81c39 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/kyaml/fn/runtime/runtimeutil/runtimeutil.go @@ -0,0 +1,281 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package runtimeutil + +import ( + "bytes" + "fmt" + "io" + "os" + "path" + "strings" + + "sigs.k8s.io/kustomize/kyaml/comments" + "sigs.k8s.io/kustomize/kyaml/errors" + "sigs.k8s.io/kustomize/kyaml/kio" + "sigs.k8s.io/kustomize/kyaml/kio/kioutil" + "sigs.k8s.io/kustomize/kyaml/order" + + "sigs.k8s.io/kustomize/kyaml/yaml" +) + +// FunctionFilter wraps another filter to be invoked in the context of a function. +// FunctionFilter manages scoping the function, deferring failures, and saving results +// to files. +type FunctionFilter struct { + // Run implements the function. + Run func(reader io.Reader, writer io.Writer) error + + // FunctionConfig is passed to the function through ResourceList.functionConfig. + FunctionConfig *yaml.RNode `yaml:"functionConfig,omitempty"` + + // GlobalScope explicitly scopes the function to all input resources rather than only those + // resources scoped to it by path. + GlobalScope bool + + // ResultsFile is the file to write function ResourceList.results to. + // If unset, results will not be written. + ResultsFile string + + // DeferFailure will cause the Filter to return a nil error even if Run returns an error. + // The Run error will be available through GetExit(). + DeferFailure bool + + // results saves the results emitted from Run + Results *yaml.RNode + + // exit saves the error returned from Run + exit error + + ids map[string]*yaml.RNode +} + +// GetExit returns the error from Run +func (c FunctionFilter) GetExit() error { + return c.exit +} + +// functionsDirectoryName is keyword directory name for functions scoped 1 directory higher +const functionsDirectoryName = "functions" + +// getFunctionScope returns the path of the directory containing the function config, +// or its parent directory if the base directory is named "functions" +func (c *FunctionFilter) getFunctionScope() (string, error) { + m, err := c.FunctionConfig.GetMeta() + if err != nil { + return "", errors.Wrap(err) + } + var p string + var found bool + p, found = m.Annotations[kioutil.PathAnnotation] + if !found { + p, found = m.Annotations[kioutil.LegacyPathAnnotation] + if !found { + return "", nil + } + } + + functionDir := path.Clean(path.Dir(p)) + + if path.Base(functionDir) == functionsDirectoryName { + // the scope of functions in a directory called "functions" is 1 level higher + // this is similar to how the golang "internal" directory scoping works + functionDir = path.Dir(functionDir) + } + return functionDir, nil +} + +// scope partitions the input nodes into 2 slices. The first slice contains only Resources +// which are scoped under dir, and the second slice contains the Resources which are not. +func (c *FunctionFilter) scope(dir string, nodes []*yaml.RNode) ([]*yaml.RNode, []*yaml.RNode, error) { + // scope container filtered Resources to Resources under that directory + var input, saved []*yaml.RNode + if c.GlobalScope { + return nodes, nil, nil + } + + // global function + if dir == "" || dir == "." { + return nodes, nil, nil + } + + // identify Resources read from directories under the function configuration + for i := range nodes { + m, err := nodes[i].GetMeta() + if err != nil { + return nil, nil, err + } + var p string + var found bool + p, found = m.Annotations[kioutil.PathAnnotation] + if !found { + p, found = m.Annotations[kioutil.LegacyPathAnnotation] + if !found { + // this Resource isn't scoped under the function -- don't know where it came from + // consider it out of scope + saved = append(saved, nodes[i]) + continue + } + } + + resourceDir := path.Clean(path.Dir(p)) + if path.Base(resourceDir) == functionsDirectoryName { + // Functions in the `functions` directory are scoped to + // themselves, and should see themselves as input + resourceDir = path.Dir(resourceDir) + } + if !strings.HasPrefix(resourceDir, dir) { + // this Resource doesn't fall under the function scope if it + // isn't in a subdirectory of where the function lives + saved = append(saved, nodes[i]) + continue + } + + // this input is scoped under the function + input = append(input, nodes[i]) + } + + return input, saved, nil +} + +func (c *FunctionFilter) Filter(nodes []*yaml.RNode) ([]*yaml.RNode, error) { + in := &bytes.Buffer{} + out := &bytes.Buffer{} + + // only process Resources scoped to this function, save the others + functionDir, err := c.getFunctionScope() + if err != nil { + return nil, err + } + input, saved, err := c.scope(functionDir, nodes) + if err != nil { + return nil, err + } + + // set ids on each input so it is possible to copy comments from inputs back to outputs + if err := c.setIds(input); err != nil { + return nil, err + } + + // write the input + err = kio.ByteWriter{ + WrappingAPIVersion: kio.ResourceListAPIVersion, + WrappingKind: kio.ResourceListKind, + Writer: in, + KeepReaderAnnotations: true, + FunctionConfig: c.FunctionConfig}.Write(input) + if err != nil { + return nil, err + } + + // capture the command stdout for the return value + r := &kio.ByteReader{Reader: out} + + // don't exit immediately if the function fails -- write out the validation + c.exit = c.Run(in, out) + + output, err := r.Read() + if err != nil { + return nil, err + } + + // copy the comments and sync the order of fields from the inputs to the outputs + if err := c.copyCommentsAndSyncOrder(output); err != nil { + return nil, err + } + + if err := c.doResults(r); err != nil { + return nil, err + } + + if c.exit != nil && !c.DeferFailure { + return append(output, saved...), c.exit + } + + // annotate any generated Resources with a path and index if they don't already have one + if err := kioutil.DefaultPathAnnotation(functionDir, output); err != nil { + return nil, err + } + + // emit both the Resources output from the function, and the out-of-scope Resources + // which were not provided to the function + return append(output, saved...), nil +} + +func (c *FunctionFilter) setIds(nodes []*yaml.RNode) error { + // set the id on each node to map inputs to outputs + var id int + c.ids = map[string]*yaml.RNode{} + for i := range nodes { + id++ + idStr := fmt.Sprintf("%v", id) + err := nodes[i].PipeE(yaml.SetAnnotation(kioutil.IdAnnotation, idStr)) + if err != nil { + return errors.Wrap(err) + } + err = nodes[i].PipeE(yaml.SetAnnotation(kioutil.LegacyIdAnnotation, idStr)) + if err != nil { + return errors.Wrap(err) + } + c.ids[idStr] = nodes[i] + } + return nil +} + +func (c *FunctionFilter) copyCommentsAndSyncOrder(nodes []*yaml.RNode) error { + for i := range nodes { + node := nodes[i] + anID, err := node.Pipe(yaml.GetAnnotation(kioutil.IdAnnotation)) + if err != nil { + return errors.Wrap(err) + } + if anID == nil { + anID, err = node.Pipe(yaml.GetAnnotation(kioutil.LegacyIdAnnotation)) + if err != nil { + return errors.Wrap(err) + } + if anID == nil { + continue + } + } + + var in *yaml.RNode + var found bool + if in, found = c.ids[anID.YNode().Value]; !found { + continue + } + if err := comments.CopyComments(in, node); err != nil { + return errors.Wrap(err) + } + if err := order.SyncOrder(in, node); err != nil { + return errors.Wrap(err) + } + if err := node.PipeE(yaml.ClearAnnotation(kioutil.IdAnnotation)); err != nil { + return errors.Wrap(err) + } + if err := node.PipeE(yaml.ClearAnnotation(kioutil.LegacyIdAnnotation)); err != nil { + return errors.Wrap(err) + } + } + return nil +} + +func (c *FunctionFilter) doResults(r *kio.ByteReader) error { + // Write the results to a file if configured to do so + if c.ResultsFile != "" && r.Results != nil { + results, err := r.Results.String() + if err != nil { + return err + } + err = os.WriteFile(c.ResultsFile, []byte(results), 0600) + if err != nil { + return err + } + } + + if r.Results != nil { + c.Results = r.Results + } + return nil +} diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/fn/runtime/runtimeutil/types.go b/vendor/sigs.k8s.io/kustomize/kyaml/fn/runtime/runtimeutil/types.go new file mode 100644 index 0000000000..5edc4ebc33 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/kyaml/fn/runtime/runtimeutil/types.go @@ -0,0 +1,8 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package runtimeutil + +type DeferFailureFunction interface { + GetExit() error +} diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/kio/byteio_reader.go b/vendor/sigs.k8s.io/kustomize/kyaml/kio/byteio_reader.go new file mode 100644 index 0000000000..230ab891bb --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/kyaml/kio/byteio_reader.go @@ -0,0 +1,349 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package kio + +import ( + "bytes" + "fmt" + "io" + "regexp" + "sort" + "strings" + + "sigs.k8s.io/kustomize/kyaml/errors" + "sigs.k8s.io/kustomize/kyaml/kio/kioutil" + "sigs.k8s.io/kustomize/kyaml/yaml" +) + +const ( + ResourceListKind = "ResourceList" + ResourceListAPIVersion = "config.kubernetes.io/v1" +) + +// ByteReadWriter reads from an input and writes to an output. +type ByteReadWriter struct { + // Reader is where ResourceNodes are decoded from. + Reader io.Reader + + // Writer is where ResourceNodes are encoded. + Writer io.Writer + + // OmitReaderAnnotations will configures Read to skip setting the config.kubernetes.io/index + // annotation on Resources as they are Read. + OmitReaderAnnotations bool + + // KeepReaderAnnotations if set will keep the Reader specific annotations when writing + // the Resources, otherwise they will be cleared. + KeepReaderAnnotations bool + + // PreserveSeqIndent if true adds kioutil.SeqIndentAnnotation to each resource + PreserveSeqIndent bool + + // Style is a style that is set on the Resource Node Document. + Style yaml.Style + + // WrapBareSeqNode wraps the bare sequence node document with map node, + // kyaml uses reader annotations to track resources, it is not possible to + // add them to bare sequence nodes, this option enables wrapping such bare + // sequence nodes into map node with key yaml.BareSeqNodeWrappingKey + // note that this wrapping is different and not related to ResourceList wrapping + WrapBareSeqNode bool + + FunctionConfig *yaml.RNode + + Results *yaml.RNode + + NoWrap bool + WrappingAPIVersion string + WrappingKind string +} + +func (rw *ByteReadWriter) Read() ([]*yaml.RNode, error) { + b := &ByteReader{ + Reader: rw.Reader, + OmitReaderAnnotations: rw.OmitReaderAnnotations, + PreserveSeqIndent: rw.PreserveSeqIndent, + WrapBareSeqNode: rw.WrapBareSeqNode, + } + val, err := b.Read() + rw.Results = b.Results + + if rw.FunctionConfig == nil { + rw.FunctionConfig = b.FunctionConfig + } + if !rw.NoWrap && rw.WrappingKind == "" { + rw.WrappingAPIVersion = b.WrappingAPIVersion + rw.WrappingKind = b.WrappingKind + } + return val, errors.Wrap(err) +} + +func (rw *ByteReadWriter) Write(nodes []*yaml.RNode) error { + w := ByteWriter{ + Writer: rw.Writer, + KeepReaderAnnotations: rw.KeepReaderAnnotations, + Style: rw.Style, + FunctionConfig: rw.FunctionConfig, + Results: rw.Results, + } + if !rw.NoWrap { + w.WrappingAPIVersion = rw.WrappingAPIVersion + w.WrappingKind = rw.WrappingKind + } + return w.Write(nodes) +} + +// ParseAll reads all of the inputs into resources +func ParseAll(inputs ...string) ([]*yaml.RNode, error) { + return (&ByteReader{ + Reader: bytes.NewBufferString(strings.Join(inputs, "\n---\n")), + }).Read() +} + +// FromBytes reads from a byte slice. +func FromBytes(bs []byte) ([]*yaml.RNode, error) { + return (&ByteReader{ + OmitReaderAnnotations: true, + AnchorsAweigh: true, + Reader: bytes.NewBuffer(bs), + }).Read() +} + +// StringAll writes all of the resources to a string +func StringAll(resources []*yaml.RNode) (string, error) { + var b bytes.Buffer + err := (&ByteWriter{Writer: &b}).Write(resources) + return b.String(), err +} + +// ByteReader decodes ResourceNodes from bytes. +// By default, Read will set the config.kubernetes.io/index annotation on each RNode as it +// is read so they can be written back in the same order. +type ByteReader struct { + // Reader is where ResourceNodes are decoded from. + Reader io.Reader + + // OmitReaderAnnotations will configures Read to skip setting the config.kubernetes.io/index + // and internal.config.kubernetes.io/seqindent annotations on Resources as they are Read. + OmitReaderAnnotations bool + + // PreserveSeqIndent if true adds kioutil.SeqIndentAnnotation to each resource + PreserveSeqIndent bool + + // SetAnnotations is a map of caller specified annotations to set on resources as they are read + // These are independent of the annotations controlled by OmitReaderAnnotations + SetAnnotations map[string]string + + FunctionConfig *yaml.RNode + + Results *yaml.RNode + + // DisableUnwrapping prevents Resources in Lists and ResourceLists from being unwrapped + DisableUnwrapping bool + + // WrappingAPIVersion is set by Read(), and is the apiVersion of the object that + // the read objects were originally wrapped in. + WrappingAPIVersion string + + // WrappingKind is set by Read(), and is the kind of the object that + // the read objects were originally wrapped in. + WrappingKind string + + // WrapBareSeqNode wraps the bare sequence node document with map node, + // kyaml uses reader annotations to track resources, it is not possible to + // add them to bare sequence nodes, this option enables wrapping such bare + // sequence nodes into map node with key yaml.BareSeqNodeWrappingKey + // note that this wrapping is different and not related to ResourceList wrapping + WrapBareSeqNode bool + + // AnchorsAweigh set to true attempts to replace all YAML anchor aliases + // with their definitions (anchor values) immediately after the read. + AnchorsAweigh bool +} + +var _ Reader = &ByteReader{} + +// splitDocuments returns a slice of all documents contained in a YAML string. Multiple documents can be divided by the +// YAML document separator (---). It allows for white space and comments to be after the separator on the same line, +// but will return an error if anything else is on the line. +func splitDocuments(s string) ([]string, error) { + docs := make([]string, 0) + if len(s) > 0 { + // The YAML document separator is any line that starts with --- + yamlSeparatorRegexp := regexp.MustCompile(`\n---.*\n`) + + // Find all separators, check them for invalid content, and append each document to docs + separatorLocations := yamlSeparatorRegexp.FindAllStringIndex(s, -1) + prev := 0 + for i := range separatorLocations { + loc := separatorLocations[i] + separator := s[loc[0]:loc[1]] + + // If the next non-whitespace character on the line following the separator is not a comment, return an error + trimmedContentAfterSeparator := strings.TrimSpace(separator[4:]) + if len(trimmedContentAfterSeparator) > 0 && trimmedContentAfterSeparator[0] != '#' { + return nil, errors.Errorf("invalid document separator: %s", strings.TrimSpace(separator)) + } + + docs = append(docs, s[prev:loc[0]]) + prev = loc[1] + } + docs = append(docs, s[prev:]) + } + + return docs, nil +} + +func (r *ByteReader) Read() ([]*yaml.RNode, error) { + if r.PreserveSeqIndent && r.OmitReaderAnnotations { + return nil, errors.Errorf(`"PreserveSeqIndent" option adds a reader annotation, please set "OmitReaderAnnotations" to false`) + } + + output := ResourceNodeSlice{} + + // by manually splitting resources -- otherwise the decoder will get the Resource + // boundaries wrong for header comments. + input := &bytes.Buffer{} + _, err := io.Copy(input, r.Reader) + if err != nil { + return nil, errors.Wrap(err) + } + + // Replace the ending \r\n (line ending used in windows) with \n and then split it into multiple YAML documents + // if it contains document separators (---) + values, err := splitDocuments(strings.ReplaceAll(input.String(), "\r\n", "\n")) + if err != nil { + return nil, errors.Wrap(err) + } + + index := 0 + for i := range values { + // the Split used above will eat the tail '\n' from each resource. This may affect the + // literal string value since '\n' is meaningful in it. + if i != len(values)-1 { + values[i] += "\n" + } + decoder := yaml.NewDecoder(bytes.NewBufferString(values[i])) + node, err := r.decode(values[i], index, decoder) + if err == io.EOF { + continue + } + + if err != nil { + return nil, errors.Wrap(err) + } + if yaml.IsMissingOrNull(node) { + // empty value + continue + } + + // ok if no metadata -- assume not an InputList + meta, err := node.GetMeta() + if err != yaml.ErrMissingMetadata && err != nil { + return nil, errors.WrapPrefixf(err, "[%d]", i) + } + + // the elements are wrapped in an InputList, unwrap them + // don't check apiVersion, we haven't standardized on the domain + if !r.DisableUnwrapping && + len(values) == 1 && // Only unwrap if there is only 1 value + (meta.Kind == ResourceListKind || meta.Kind == "List") && + (node.Field("items") != nil || node.Field("functionConfig") != nil) { + r.WrappingKind = meta.Kind + r.WrappingAPIVersion = meta.APIVersion + + // unwrap the list + if fc := node.Field("functionConfig"); fc != nil { + r.FunctionConfig = fc.Value + } + if res := node.Field("results"); res != nil { + r.Results = res.Value + } + + items := node.Field("items") + if items != nil { + for i := range items.Value.Content() { + // add items + output = append(output, yaml.NewRNode(items.Value.Content()[i])) + } + } + continue + } + + // add the node to the list + output = append(output, node) + + // increment the index annotation value + index++ + } + if r.AnchorsAweigh { + for _, n := range output { + if err = n.DeAnchor(); err != nil { + return nil, err + } + } + } + return output, nil +} + +func (r *ByteReader) decode(originalYAML string, index int, decoder *yaml.Decoder) (*yaml.RNode, error) { + node := &yaml.Node{} + err := decoder.Decode(node) + if err == io.EOF { + return nil, io.EOF + } + if err != nil { + return nil, errors.WrapPrefixf(err, "MalformedYAMLError") + } + + if yaml.IsYNodeEmptyDoc(node) { + return nil, nil + } + + // set annotations on the read Resources + // sort the annotations by key so the output Resources is consistent (otherwise the + // annotations will be in a random order) + n := yaml.NewRNode(node) + // check if it is a bare sequence node and wrap it with a yaml.BareSeqNodeWrappingKey + if r.WrapBareSeqNode && node.Kind == yaml.DocumentNode && len(node.Content) > 0 && + node.Content[0] != nil && node.Content[0].Kind == yaml.SequenceNode { + wrappedNode := yaml.NewRNode(&yaml.Node{ + Kind: yaml.MappingNode, + }) + wrappedNode.PipeE(yaml.SetField(yaml.BareSeqNodeWrappingKey, n)) + n = wrappedNode + } + + if r.SetAnnotations == nil { + r.SetAnnotations = map[string]string{} + } + if !r.OmitReaderAnnotations { + err := kioutil.CopyLegacyAnnotations(n) + if err != nil { + return nil, err + } + r.SetAnnotations[kioutil.IndexAnnotation] = fmt.Sprintf("%d", index) + r.SetAnnotations[kioutil.LegacyIndexAnnotation] = fmt.Sprintf("%d", index) + + if r.PreserveSeqIndent { + // derive and add the seqindent annotation + seqIndentStyle := yaml.DeriveSeqIndentStyle(originalYAML) + if seqIndentStyle != "" { + r.SetAnnotations[kioutil.SeqIndentAnnotation] = seqIndentStyle + } + } + } + var keys []string + for k := range r.SetAnnotations { + keys = append(keys, k) + } + sort.Strings(keys) + for _, k := range keys { + _, err = n.Pipe(yaml.SetAnnotation(k, r.SetAnnotations[k])) + if err != nil { + return nil, errors.Wrap(err) + } + } + return n, nil +} diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/kio/byteio_writer.go b/vendor/sigs.k8s.io/kustomize/kyaml/kio/byteio_writer.go new file mode 100644 index 0000000000..ec4cafe303 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/kyaml/kio/byteio_writer.go @@ -0,0 +1,198 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package kio + +import ( + "encoding/json" + "io" + "path/filepath" + + "sigs.k8s.io/kustomize/kyaml/errors" + "sigs.k8s.io/kustomize/kyaml/kio/kioutil" + "sigs.k8s.io/kustomize/kyaml/yaml" +) + +// ByteWriter writes ResourceNodes to bytes. Generally YAML encoding will be used but in the special +// case of writing a single, bare yaml.RNode that has a kioutil.PathAnnotation indicating that the +// target is a JSON file JSON encoding is used. See shouldJSONEncodeSingleBareNode below for more +// information. +type ByteWriter struct { + // Writer is where ResourceNodes are encoded. + Writer io.Writer + + // KeepReaderAnnotations if set will keep the Reader specific annotations when writing + // the Resources, otherwise they will be cleared. + KeepReaderAnnotations bool + + // ClearAnnotations is a list of annotations to clear when writing the Resources. + ClearAnnotations []string + + // Style is a style that is set on the Resource Node Document. + Style yaml.Style + + // FunctionConfig is the function config for an ResourceList. If non-nil + // wrap the results in an ResourceList. + FunctionConfig *yaml.RNode + + Results *yaml.RNode + + // WrappingKind if set will cause ByteWriter to wrap the Resources in + // an 'items' field in this kind. e.g. if WrappingKind is 'List', + // ByteWriter will wrap the Resources in a List .items field. + WrappingKind string + + // WrappingAPIVersion is the apiVersion for WrappingKind + WrappingAPIVersion string + + // Sort if set, will cause ByteWriter to sort the nodes before writing them. + Sort bool +} + +var _ Writer = ByteWriter{} + +func (w ByteWriter) Write(inputNodes []*yaml.RNode) error { + // Copy the nodes to prevent writer from mutating the original nodes. + nodes := copyRNodes(inputNodes) + if w.Sort { + if err := kioutil.SortNodes(nodes); err != nil { + return errors.Wrap(err) + } + } + + // Even though we use the this value further down we must check this before removing annotations + jsonEncodeSingleBareNode := w.shouldJSONEncodeSingleBareNode(nodes) + + // store seqindent annotation value for each node in order to set the encoder indentation + var seqIndentsForNodes []string + for i := range nodes { + seqIndentsForNodes = append(seqIndentsForNodes, nodes[i].GetAnnotations()[kioutil.SeqIndentAnnotation]) + } + + for i := range nodes { + // clean resources by removing annotations set by the Reader + if !w.KeepReaderAnnotations { + _, err := nodes[i].Pipe(yaml.ClearAnnotation(kioutil.IndexAnnotation)) + if err != nil { + return errors.Wrap(err) + } + _, err = nodes[i].Pipe(yaml.ClearAnnotation(kioutil.LegacyIndexAnnotation)) + if err != nil { + return errors.Wrap(err) + } + + _, err = nodes[i].Pipe(yaml.ClearAnnotation(kioutil.SeqIndentAnnotation)) + if err != nil { + return errors.Wrap(err) + } + } + for _, a := range w.ClearAnnotations { + _, err := nodes[i].Pipe(yaml.ClearAnnotation(a)) + if err != nil { + return errors.Wrap(err) + } + } + + if err := yaml.ClearEmptyAnnotations(nodes[i]); err != nil { + return err + } + + if w.Style != 0 { + nodes[i].YNode().Style = w.Style + } + } + + if jsonEncodeSingleBareNode { + encoder := json.NewEncoder(w.Writer) + encoder.SetIndent("", " ") + return errors.Wrap(encoder.Encode(nodes[0])) + } + + encoder := yaml.NewEncoder(w.Writer) + defer encoder.Close() + // don't wrap the elements + if w.WrappingKind == "" { + for i := range nodes { + if seqIndentsForNodes[i] == string(yaml.WideSequenceStyle) { + encoder.DefaultSeqIndent() + } else { + encoder.CompactSeqIndent() + } + if err := encoder.Encode(upWrapBareSequenceNode(nodes[i].Document())); err != nil { + return errors.Wrap(err) + } + } + return nil + } + // wrap the elements in a list + items := &yaml.Node{Kind: yaml.SequenceNode} + list := &yaml.Node{ + Kind: yaml.MappingNode, + Style: w.Style, + Content: []*yaml.Node{ + {Kind: yaml.ScalarNode, Value: "apiVersion"}, + {Kind: yaml.ScalarNode, Value: w.WrappingAPIVersion}, + {Kind: yaml.ScalarNode, Value: "kind"}, + {Kind: yaml.ScalarNode, Value: w.WrappingKind}, + {Kind: yaml.ScalarNode, Value: "items"}, items, + }} + if w.FunctionConfig != nil { + list.Content = append(list.Content, + &yaml.Node{Kind: yaml.ScalarNode, Value: "functionConfig"}, + w.FunctionConfig.YNode()) + } + if w.Results != nil { + list.Content = append(list.Content, + &yaml.Node{Kind: yaml.ScalarNode, Value: "results"}, + w.Results.YNode()) + } + doc := &yaml.Node{ + Kind: yaml.DocumentNode, + Content: []*yaml.Node{list}} + for i := range nodes { + items.Content = append(items.Content, nodes[i].YNode()) + } + return encoder.Encode(doc) +} + +func copyRNodes(in []*yaml.RNode) []*yaml.RNode { + out := make([]*yaml.RNode, len(in)) + for i := range in { + out[i] = in[i].Copy() + } + return out +} + +// shouldJSONEncodeSingleBareNode determines if nodes contain a single node that should not be +// wrapped and has a JSON file extension, which in turn means that the node should be JSON encoded. +// Note 1: this must be checked before any annotations to avoid losing information about the target +// filename extension. +// Note 2: JSON encoding should only be used for single, unwrapped nodes because multiple unwrapped +// nodes cannot be represented in JSON (no multi doc support). Furthermore, the typical use +// cases for wrapping nodes would likely not include later writing the whole wrapper to a +// .json file, i.e. there is no point risking any edge case information loss e.g. comments +// disappearing, that could come from JSON encoding the whole wrapper just to ensure that +// one (or all nodes) can be read as JSON. +func (w ByteWriter) shouldJSONEncodeSingleBareNode(nodes []*yaml.RNode) bool { + if w.WrappingKind == "" && len(nodes) == 1 { + if path, _, _ := kioutil.GetFileAnnotations(nodes[0]); path != "" { + filename := filepath.Base(path) + for _, glob := range JSONMatch { + if match, _ := filepath.Match(glob, filename); match { + return true + } + } + } + } + return false +} + +// upWrapBareSequenceNode unwraps the bare sequence nodes wrapped by yaml.BareSeqNodeWrappingKey +func upWrapBareSequenceNode(node *yaml.Node) *yaml.Node { + rNode := yaml.NewRNode(node) + seqNode, err := rNode.Pipe(yaml.Lookup(yaml.BareSeqNodeWrappingKey)) + if err == nil && !seqNode.IsNilOrEmpty() { + return seqNode.YNode() + } + return node +} diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/kio/doc.go b/vendor/sigs.k8s.io/kustomize/kyaml/kio/doc.go new file mode 100644 index 0000000000..9c11a14630 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/kyaml/kio/doc.go @@ -0,0 +1,35 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +// Package kio contains libraries for reading and writing collections of Resources. +// +// Reading Resources +// +// Resources are Read using a kio.Reader function. Examples: +// [kio.LocalPackageReader{}, kio.ByteReader{}] +// +// Resources read using a LocalPackageReader will have annotations applied so they can be +// written back to the files they were read from. +// +// Modifying Resources +// +// Resources are modified using a kio.Filter. The kio.Filter accepts a collection of +// Resources as input, and returns a new collection as output. +// It is recommended to use the yaml package for manipulating individual Resources in +// the collection. +// +// Writing Resources +// +// Resources are Read using a kio.Reader function. Examples: +// [kio.LocalPackageWriter{}, kio.ByteWriter{}] +// +// ReadWriters +// +// It is preferred to use a ReadWriter when reading and writing from / to the same source. +// +// Building Pipelines +// +// The preferred way to transforms a collection of Resources is to use kio.Pipeline to Read, +// Modify and Write the collection of Resources. Pipeline will automatically sequentially +// invoke the Read, Modify, Write steps, returning and error immediately on any failure. +package kio diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/kio/ignorefilesmatcher.go b/vendor/sigs.k8s.io/kustomize/kyaml/kio/ignorefilesmatcher.go new file mode 100644 index 0000000000..5ef48d7e36 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/kyaml/kio/ignorefilesmatcher.go @@ -0,0 +1,105 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package kio + +import ( + "errors" + "os" + "path/filepath" + "strings" + + gitignore "github.com/monochromegane/go-gitignore" + "sigs.k8s.io/kustomize/kyaml/ext" + "sigs.k8s.io/kustomize/kyaml/filesys" +) + +// ignoreFilesMatcher handles `.krmignore` files, which allows for ignoring +// files or folders in a package. The format of this file is a subset of the +// gitignore format, with recursive patterns (like a/**/c) not supported. If a +// file or folder matches any of the patterns in the .krmignore file for the +// package, it will be excluded. +// +// It works as follows: +// +// * It will look for .krmignore file in the top folder and on the top level +// of any subpackages. Subpackages are defined by the presence of a Krmfile +// in the folder. +// * `.krmignore` files only cover files and folders for the package in which +// it is defined. So ignore patterns defined in a parent package does not +// affect which files are ignored from a subpackage. +// * An ignore pattern can not ignore a subpackage. So even if the parent +// package contains a pattern that ignores the directory foo, if foo is a +// subpackage, it will still be included if the IncludeSubpackages property +// is set to true +type ignoreFilesMatcher struct { + matchers []matcher + fs filesys.FileSystemOrOnDisk +} + +// readIgnoreFile checks whether there is a .krmignore file in the path, and +// if it is, reads it in and turns it into a matcher. If we can't find a file, +// we just add a matcher that match nothing. +func (i *ignoreFilesMatcher) readIgnoreFile(path string) error { + i.verifyPath(path) + f, err := i.fs.Open(filepath.Join(path, ext.IgnoreFileName())) + if err != nil { + if errors.Is(err, os.ErrNotExist) { + i.matchers = append(i.matchers, matcher{ + matcher: gitignore.DummyIgnoreMatcher(false), + basePath: path, + }) + return nil + } + return err + } + defer f.Close() + + i.matchers = append(i.matchers, matcher{ + matcher: gitignore.NewGitIgnoreFromReader(path, f), + basePath: path, + }) + return nil +} + +// verifyPath checks whether the top matcher on the stack +// is correct for the provided filepath. Matchers are removed once +// we encounter a filepath that is not a subpath of the basepath for +// the matcher. +func (i *ignoreFilesMatcher) verifyPath(path string) { + for j := len(i.matchers) - 1; j >= 0; j-- { + matcher := i.matchers[j] + if strings.HasPrefix(path, matcher.basePath) || path == matcher.basePath { + i.matchers = i.matchers[:j+1] + return + } + } +} + +// matchFile checks whether the file given by the provided path matches +// any of the patterns in the .krmignore file for the package. +func (i *ignoreFilesMatcher) matchFile(path string) bool { + if len(i.matchers) == 0 { + return false + } + i.verifyPath(filepath.Dir(path)) + return i.matchers[len(i.matchers)-1].matcher.Match(path, false) +} + +// matchDir checks whether the directory given by the provided path matches +// any of the patterns in the .krmignore file for the package. +func (i *ignoreFilesMatcher) matchDir(path string) bool { + if len(i.matchers) == 0 { + return false + } + i.verifyPath(path) + return i.matchers[len(i.matchers)-1].matcher.Match(path, true) +} + +// matcher wraps the gitignore matcher and the path to the folder +// where the file was found. +type matcher struct { + matcher gitignore.IgnoreMatcher + + basePath string +} diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/kio/kio.go b/vendor/sigs.k8s.io/kustomize/kyaml/kio/kio.go new file mode 100644 index 0000000000..9e00509ebe --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/kyaml/kio/kio.go @@ -0,0 +1,447 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +// Package kio contains low-level libraries for reading, modifying and writing +// Resource Configuration and packages. +package kio + +import ( + "fmt" + "strconv" + + "sigs.k8s.io/kustomize/kyaml/errors" + "sigs.k8s.io/kustomize/kyaml/kio/kioutil" + "sigs.k8s.io/kustomize/kyaml/yaml" +) + +// Reader reads ResourceNodes. Analogous to io.Reader. +type Reader interface { + Read() ([]*yaml.RNode, error) +} + +// ResourceNodeSlice is a collection of ResourceNodes. +// While ResourceNodeSlice has no inherent constraints on ordering or uniqueness, specific +// Readers, Filters or Writers may have constraints. +type ResourceNodeSlice []*yaml.RNode + +var _ Reader = ResourceNodeSlice{} + +func (o ResourceNodeSlice) Read() ([]*yaml.RNode, error) { + return o, nil +} + +// Writer writes ResourceNodes. Analogous to io.Writer. +type Writer interface { + Write([]*yaml.RNode) error +} + +// WriterFunc implements a Writer as a function. +type WriterFunc func([]*yaml.RNode) error + +func (fn WriterFunc) Write(o []*yaml.RNode) error { + return fn(o) +} + +// ReaderWriter implements both Reader and Writer interfaces +type ReaderWriter interface { + Reader + Writer +} + +// Filter modifies a collection of Resource Configuration by returning the modified slice. +// When possible, Filters should be serializable to yaml so that they can be described +// as either data or code. +// +// Analogous to http://www.linfo.org/filters.html +type Filter interface { + Filter([]*yaml.RNode) ([]*yaml.RNode, error) +} + +// TrackableFilter is an extension of Filter which is also capable of tracking +// which fields were mutated by the filter. +type TrackableFilter interface { + Filter + WithMutationTracker(func(key, value, tag string, node *yaml.RNode)) +} + +// FilterFunc implements a Filter as a function. +type FilterFunc func([]*yaml.RNode) ([]*yaml.RNode, error) + +func (fn FilterFunc) Filter(o []*yaml.RNode) ([]*yaml.RNode, error) { + return fn(o) +} + +// Pipeline reads Resource Configuration from a set of Inputs, applies some +// transformation filters, and writes the results to a set of Outputs. +// +// Analogous to http://www.linfo.org/pipes.html +type Pipeline struct { + // Inputs provide sources for Resource Configuration to be read. + Inputs []Reader `yaml:"inputs,omitempty"` + + // Filters are transformations applied to the Resource Configuration. + // They are applied in the order they are specified. + // Analogous to http://www.linfo.org/filters.html + Filters []Filter `yaml:"filters,omitempty"` + + // Outputs are where the transformed Resource Configuration is written. + Outputs []Writer `yaml:"outputs,omitempty"` + + // ContinueOnEmptyResult configures what happens when a filter in the pipeline + // returns an empty result. + // If it is false (default), subsequent filters will be skipped and the result + // will be returned immediately. This is useful as an optimization when you + // know that subsequent filters will not alter the empty result. + // If it is true, the empty result will be provided as input to the next + // filter in the list. This is useful when subsequent functions in the + // pipeline may generate new resources. + ContinueOnEmptyResult bool `yaml:"continueOnEmptyResult,omitempty"` +} + +// Execute executes each step in the sequence, returning immediately after encountering +// any error as part of the Pipeline. +func (p Pipeline) Execute() error { + return p.ExecuteWithCallback(nil) +} + +// PipelineExecuteCallbackFunc defines a callback function that will be called each time a step in the pipeline succeeds. +type PipelineExecuteCallbackFunc = func(op Filter) + +// ExecuteWithCallback executes each step in the sequence, returning immediately after encountering +// any error as part of the Pipeline. The callback will be called each time a step succeeds. +func (p Pipeline) ExecuteWithCallback(callback PipelineExecuteCallbackFunc) error { + var result []*yaml.RNode + + // read from the inputs + for _, i := range p.Inputs { + nodes, err := i.Read() + if err != nil { + return errors.Wrap(err) + } + result = append(result, nodes...) + } + + // apply operations + for i := range p.Filters { + // Not all RNodes passed through kio.Pipeline have metadata nor should + // they all be required to. + nodeAnnos, err := PreprocessResourcesForInternalAnnotationMigration(result) + if err != nil { + return err + } + + op := p.Filters[i] + if callback != nil { + callback(op) + } + result, err = op.Filter(result) + // TODO (issue 2872): This len(result) == 0 should be removed and empty result list should be + // handled by outputs. However currently some writer like LocalPackageReadWriter + // will clear the output directory and which will cause unpredictable results + if len(result) == 0 && !p.ContinueOnEmptyResult || err != nil { + return errors.Wrap(err) + } + + // If either the internal annotations for path, index, and id OR the legacy + // annotations for path, index, and id are changed, we have to update the other. + err = ReconcileInternalAnnotations(result, nodeAnnos) + if err != nil { + return err + } + } + + // write to the outputs + for _, o := range p.Outputs { + if err := o.Write(result); err != nil { + return errors.Wrap(err) + } + } + return nil +} + +// FilterAll runs the yaml.Filter against all inputs +func FilterAll(filter yaml.Filter) Filter { + return FilterFunc(func(nodes []*yaml.RNode) ([]*yaml.RNode, error) { + for i := range nodes { + _, err := filter.Filter(nodes[i]) + if err != nil { + return nil, errors.Wrap(err) + } + } + return nodes, nil + }) +} + +// PreprocessResourcesForInternalAnnotationMigration returns a mapping from id to all +// internal annotations, so that we can use it to reconcile the annotations +// later. This is necessary because currently both internal-prefixed annotations +// and legacy annotations are currently supported, and a change to one must be +// reflected in the other if needed. +func PreprocessResourcesForInternalAnnotationMigration(result []*yaml.RNode) (map[string]map[string]string, error) { + idToAnnosMap := make(map[string]map[string]string) + for i := range result { + idStr := strconv.Itoa(i) + err := result[i].PipeE(yaml.SetAnnotation(kioutil.InternalAnnotationsMigrationResourceIDAnnotation, idStr)) + if err != nil { + return nil, err + } + idToAnnosMap[idStr] = kioutil.GetInternalAnnotations(result[i]) + if err = kioutil.CopyLegacyAnnotations(result[i]); err != nil { + return nil, err + } + meta, _ := result[i].GetMeta() + if err = checkMismatchedAnnos(meta.Annotations); err != nil { + return nil, err + } + } + return idToAnnosMap, nil +} + +func checkMismatchedAnnos(annotations map[string]string) error { + path := annotations[kioutil.PathAnnotation] + index := annotations[kioutil.IndexAnnotation] + id := annotations[kioutil.IdAnnotation] + + legacyPath := annotations[kioutil.LegacyPathAnnotation] + legacyIndex := annotations[kioutil.LegacyIndexAnnotation] + legacyId := annotations[kioutil.LegacyIdAnnotation] + + // if prior to running the functions, the legacy and internal annotations differ, + // throw an error as we cannot infer the user's intent. + if path != "" && legacyPath != "" && path != legacyPath { + return fmt.Errorf("resource input to function has mismatched legacy and internal path annotations") + } + if index != "" && legacyIndex != "" && index != legacyIndex { + return fmt.Errorf("resource input to function has mismatched legacy and internal index annotations") + } + if id != "" && legacyId != "" && id != legacyId { + return fmt.Errorf("resource input to function has mismatched legacy and internal id annotations") + } + return nil +} + +type nodeAnnotations struct { + path string + index string + id string +} + +// ReconcileInternalAnnotations reconciles the annotation format for path, index and id annotations. +// It will ensure the output annotation format matches the format in the input. e.g. if the input +// format uses the legacy format and the output will be converted to the legacy format if it's not. +func ReconcileInternalAnnotations(result []*yaml.RNode, nodeAnnosMap map[string]map[string]string) error { + useInternal, useLegacy, err := determineAnnotationsFormat(nodeAnnosMap) + if err != nil { + return err + } + + for i := range result { + // if only one annotation is set, set the other. + err = missingInternalOrLegacyAnnotations(result[i]) + if err != nil { + return err + } + // we must check to see if the function changed either the new internal annotations + // or the old legacy annotations. If one is changed, the change must be reflected + // in the other. + err = checkAnnotationsAltered(result[i], nodeAnnosMap) + if err != nil { + return err + } + // We invoke determineAnnotationsFormat to find out if the original annotations + // use the internal or (and) the legacy format. We format the resources to + // make them consistent with original format. + err = formatInternalAnnotations(result[i], useInternal, useLegacy) + if err != nil { + return err + } + // if the annotations are still somehow out of sync, throw an error + meta, _ := result[i].GetMeta() + err = checkMismatchedAnnos(meta.Annotations) + if err != nil { + return err + } + + if _, err = result[i].Pipe(yaml.ClearAnnotation(kioutil.InternalAnnotationsMigrationResourceIDAnnotation)); err != nil { + return err + } + } + return nil +} + +// determineAnnotationsFormat determines if the resources are using one of the internal and legacy annotation format or both of them. +func determineAnnotationsFormat(nodeAnnosMap map[string]map[string]string) (bool, bool, error) { + var useInternal, useLegacy bool + var err error + + if len(nodeAnnosMap) == 0 { + return true, true, nil + } + + var internal, legacy *bool + for _, annos := range nodeAnnosMap { + _, foundPath := annos[kioutil.PathAnnotation] + _, foundIndex := annos[kioutil.IndexAnnotation] + _, foundId := annos[kioutil.IdAnnotation] + _, foundLegacyPath := annos[kioutil.LegacyPathAnnotation] + _, foundLegacyIndex := annos[kioutil.LegacyIndexAnnotation] + _, foundLegacyId := annos[kioutil.LegacyIdAnnotation] + + if !(foundPath || foundIndex || foundId || foundLegacyPath || foundLegacyIndex || foundLegacyId) { + continue + } + + foundOneOf := foundPath || foundIndex || foundId + if internal == nil { + f := foundOneOf + internal = &f + } + if (foundOneOf && !*internal) || (!foundOneOf && *internal) { + err = fmt.Errorf("the annotation formatting in the input resources is not consistent") + return useInternal, useLegacy, err + } + + foundOneOf = foundLegacyPath || foundLegacyIndex || foundLegacyId + if legacy == nil { + f := foundOneOf + legacy = &f + } + if (foundOneOf && !*legacy) || (!foundOneOf && *legacy) { + err = fmt.Errorf("the annotation formatting in the input resources is not consistent") + return useInternal, useLegacy, err + } + } + if internal != nil { + useInternal = *internal + } + if legacy != nil { + useLegacy = *legacy + } + return useInternal, useLegacy, err +} + +func missingInternalOrLegacyAnnotations(rn *yaml.RNode) error { + if err := missingInternalOrLegacyAnnotation(rn, kioutil.PathAnnotation, kioutil.LegacyPathAnnotation); err != nil { + return err + } + if err := missingInternalOrLegacyAnnotation(rn, kioutil.IndexAnnotation, kioutil.LegacyIndexAnnotation); err != nil { + return err + } + if err := missingInternalOrLegacyAnnotation(rn, kioutil.IdAnnotation, kioutil.LegacyIdAnnotation); err != nil { + return err + } + return nil +} + +func missingInternalOrLegacyAnnotation(rn *yaml.RNode, newKey string, legacyKey string) error { + meta, _ := rn.GetMeta() + annotations := meta.Annotations + value := annotations[newKey] + legacyValue := annotations[legacyKey] + + if value == "" && legacyValue == "" { + // do nothing + return nil + } + + if value == "" { + // new key is not set, copy from legacy key + if err := rn.PipeE(yaml.SetAnnotation(newKey, legacyValue)); err != nil { + return err + } + } else if legacyValue == "" { + // legacy key is not set, copy from new key + if err := rn.PipeE(yaml.SetAnnotation(legacyKey, value)); err != nil { + return err + } + } + return nil +} + +func checkAnnotationsAltered(rn *yaml.RNode, nodeAnnosMap map[string]map[string]string) error { + meta, _ := rn.GetMeta() + annotations := meta.Annotations + // get the resource's current path, index, and ids from the new annotations + internal := nodeAnnotations{ + path: annotations[kioutil.PathAnnotation], + index: annotations[kioutil.IndexAnnotation], + id: annotations[kioutil.IdAnnotation], + } + + // get the resource's current path, index, and ids from the legacy annotations + legacy := nodeAnnotations{ + path: annotations[kioutil.LegacyPathAnnotation], + index: annotations[kioutil.LegacyIndexAnnotation], + id: annotations[kioutil.LegacyIdAnnotation], + } + + rid := annotations[kioutil.InternalAnnotationsMigrationResourceIDAnnotation] + originalAnnotations, found := nodeAnnosMap[rid] + if !found { + return nil + } + originalPath, found := originalAnnotations[kioutil.PathAnnotation] + if !found { + originalPath = originalAnnotations[kioutil.LegacyPathAnnotation] + } + if originalPath != "" { + switch { + case originalPath != internal.path && originalPath != legacy.path && internal.path != legacy.path: + return fmt.Errorf("resource input to function has mismatched legacy and internal path annotations") + case originalPath != internal.path: + if _, err := rn.Pipe(yaml.SetAnnotation(kioutil.LegacyPathAnnotation, internal.path)); err != nil { + return err + } + case originalPath != legacy.path: + if _, err := rn.Pipe(yaml.SetAnnotation(kioutil.PathAnnotation, legacy.path)); err != nil { + return err + } + } + } + + originalIndex, found := originalAnnotations[kioutil.IndexAnnotation] + if !found { + originalIndex = originalAnnotations[kioutil.LegacyIndexAnnotation] + } + if originalIndex != "" { + switch { + case originalIndex != internal.index && originalIndex != legacy.index && internal.index != legacy.index: + return fmt.Errorf("resource input to function has mismatched legacy and internal index annotations") + case originalIndex != internal.index: + if _, err := rn.Pipe(yaml.SetAnnotation(kioutil.LegacyIndexAnnotation, internal.index)); err != nil { + return err + } + case originalIndex != legacy.index: + if _, err := rn.Pipe(yaml.SetAnnotation(kioutil.IndexAnnotation, legacy.index)); err != nil { + return err + } + } + } + return nil +} + +func formatInternalAnnotations(rn *yaml.RNode, useInternal, useLegacy bool) error { + if !useInternal { + if err := rn.PipeE(yaml.ClearAnnotation(kioutil.IdAnnotation)); err != nil { + return err + } + if err := rn.PipeE(yaml.ClearAnnotation(kioutil.PathAnnotation)); err != nil { + return err + } + if err := rn.PipeE(yaml.ClearAnnotation(kioutil.IndexAnnotation)); err != nil { + return err + } + } + if !useLegacy { + if err := rn.PipeE(yaml.ClearAnnotation(kioutil.LegacyIdAnnotation)); err != nil { + return err + } + if err := rn.PipeE(yaml.ClearAnnotation(kioutil.LegacyPathAnnotation)); err != nil { + return err + } + if err := rn.PipeE(yaml.ClearAnnotation(kioutil.LegacyIndexAnnotation)); err != nil { + return err + } + } + return nil +} diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/kio/kioutil/kioutil.go b/vendor/sigs.k8s.io/kustomize/kyaml/kio/kioutil/kioutil.go new file mode 100644 index 0000000000..510ecae18f --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/kyaml/kio/kioutil/kioutil.go @@ -0,0 +1,420 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package kioutil + +import ( + "fmt" + "path" + "sort" + "strconv" + "strings" + + "sigs.k8s.io/kustomize/kyaml/errors" + "sigs.k8s.io/kustomize/kyaml/yaml" +) + +type AnnotationKey = string + +const ( + // internalPrefix is the prefix given to internal annotations that are used + // internally by the orchestrator + internalPrefix string = "internal.config.kubernetes.io/" + + // IndexAnnotation records the index of a specific resource in a file or input stream. + IndexAnnotation AnnotationKey = internalPrefix + "index" + + // PathAnnotation records the path to the file the Resource was read from + PathAnnotation AnnotationKey = internalPrefix + "path" + + // SeqIndentAnnotation records the sequence nodes indentation of the input resource + SeqIndentAnnotation AnnotationKey = internalPrefix + "seqindent" + + // IdAnnotation records the id of the resource to map inputs to outputs + IdAnnotation AnnotationKey = internalPrefix + "id" + + // Deprecated: Use IndexAnnotation instead. + LegacyIndexAnnotation AnnotationKey = "config.kubernetes.io/index" + + // Deprecated: use PathAnnotation instead. + LegacyPathAnnotation AnnotationKey = "config.kubernetes.io/path" + + // Deprecated: use IdAnnotation instead. + LegacyIdAnnotation = "config.k8s.io/id" + + // InternalAnnotationsMigrationResourceIDAnnotation is used to uniquely identify + // resources during round trip to and from a function execution. We will use it + // to track the internal annotations and reconcile them if needed. + InternalAnnotationsMigrationResourceIDAnnotation = internalPrefix + "annotations-migration-resource-id" +) + +func GetFileAnnotations(rn *yaml.RNode) (string, string, error) { + rm, _ := rn.GetMeta() + annotations := rm.Annotations + path, found := annotations[PathAnnotation] + if !found { + path = annotations[LegacyPathAnnotation] + } + index, found := annotations[IndexAnnotation] + if !found { + index = annotations[LegacyIndexAnnotation] + } + return path, index, nil +} + +func GetIdAnnotation(rn *yaml.RNode) string { + rm, _ := rn.GetMeta() + annotations := rm.Annotations + id, found := annotations[IdAnnotation] + if !found { + id = annotations[LegacyIdAnnotation] + } + return id +} + +func CopyLegacyAnnotations(rn *yaml.RNode) error { + meta, err := rn.GetMeta() + if err != nil { + if err == yaml.ErrMissingMetadata { + // resource has no metadata, this should be a no-op + return nil + } + return err + } + if err := copyAnnotations(meta, rn, LegacyPathAnnotation, PathAnnotation); err != nil { + return err + } + if err := copyAnnotations(meta, rn, LegacyIndexAnnotation, IndexAnnotation); err != nil { + return err + } + if err := copyAnnotations(meta, rn, LegacyIdAnnotation, IdAnnotation); err != nil { + return err + } + return nil +} + +func copyAnnotations(meta yaml.ResourceMeta, rn *yaml.RNode, legacyKey string, newKey string) error { + newValue := meta.Annotations[newKey] + legacyValue := meta.Annotations[legacyKey] + if newValue != "" { + if legacyValue == "" { + if err := rn.PipeE(yaml.SetAnnotation(legacyKey, newValue)); err != nil { + return err + } + } + } else { + if legacyValue != "" { + if err := rn.PipeE(yaml.SetAnnotation(newKey, legacyValue)); err != nil { + return err + } + } + } + return nil +} + +// ErrorIfMissingAnnotation validates the provided annotations are present on the given resources +func ErrorIfMissingAnnotation(nodes []*yaml.RNode, keys ...AnnotationKey) error { + for _, key := range keys { + for _, node := range nodes { + val, err := node.Pipe(yaml.GetAnnotation(key)) + if err != nil { + return errors.Wrap(err) + } + if val == nil { + return errors.Errorf("missing annotation %s", key) + } + } + } + return nil +} + +// CreatePathAnnotationValue creates a default path annotation value for a Resource. +// The path prefix will be dir. +func CreatePathAnnotationValue(dir string, m yaml.ResourceMeta) string { + filename := fmt.Sprintf("%s_%s.yaml", strings.ToLower(m.Kind), m.Name) + return path.Join(dir, m.Namespace, filename) +} + +// DefaultPathAndIndexAnnotation sets a default path or index value on any nodes missing the +// annotation +func DefaultPathAndIndexAnnotation(dir string, nodes []*yaml.RNode) error { + counts := map[string]int{} + + // check each node for the path annotation + for i := range nodes { + if err := CopyLegacyAnnotations(nodes[i]); err != nil { + return err + } + m, err := nodes[i].GetMeta() + if err != nil { + return err + } + + // calculate the max index in each file in case we are appending + if p, found := m.Annotations[PathAnnotation]; found { + // record the max indexes into each file + if i, found := m.Annotations[IndexAnnotation]; found { + index, _ := strconv.Atoi(i) + if index > counts[p] { + counts[p] = index + } + } + + // has the path annotation already -- do nothing + continue + } + + // set a path annotation on the Resource + path := CreatePathAnnotationValue(dir, m) + if err := nodes[i].PipeE(yaml.SetAnnotation(PathAnnotation, path)); err != nil { + return err + } + if err := nodes[i].PipeE(yaml.SetAnnotation(LegacyPathAnnotation, path)); err != nil { + return err + } + } + + // set the index annotations + for i := range nodes { + m, err := nodes[i].GetMeta() + if err != nil { + return err + } + + if _, found := m.Annotations[IndexAnnotation]; found { + continue + } + + p := m.Annotations[PathAnnotation] + + // set an index annotation on the Resource + c := counts[p] + counts[p] = c + 1 + if err := nodes[i].PipeE( + yaml.SetAnnotation(IndexAnnotation, fmt.Sprintf("%d", c))); err != nil { + return err + } + if err := nodes[i].PipeE( + yaml.SetAnnotation(LegacyIndexAnnotation, fmt.Sprintf("%d", c))); err != nil { + return err + } + } + return nil +} + +// DefaultPathAnnotation sets a default path annotation on any Reources +// missing it. +func DefaultPathAnnotation(dir string, nodes []*yaml.RNode) error { + // check each node for the path annotation + for i := range nodes { + if err := CopyLegacyAnnotations(nodes[i]); err != nil { + return err + } + m, err := nodes[i].GetMeta() + if err != nil { + return err + } + + if _, found := m.Annotations[PathAnnotation]; found { + // has the path annotation already -- do nothing + continue + } + + // set a path annotation on the Resource + path := CreatePathAnnotationValue(dir, m) + if err := nodes[i].PipeE(yaml.SetAnnotation(PathAnnotation, path)); err != nil { + return err + } + if err := nodes[i].PipeE(yaml.SetAnnotation(LegacyPathAnnotation, path)); err != nil { + return err + } + } + return nil +} + +// Map invokes fn for each element in nodes. +func Map(nodes []*yaml.RNode, fn func(*yaml.RNode) (*yaml.RNode, error)) ([]*yaml.RNode, error) { + var returnNodes []*yaml.RNode + for i := range nodes { + n, err := fn(nodes[i]) + if err != nil { + return nil, errors.Wrap(err) + } + if n != nil { + returnNodes = append(returnNodes, n) + } + } + return returnNodes, nil +} + +func MapMeta(nodes []*yaml.RNode, fn func(*yaml.RNode, yaml.ResourceMeta) (*yaml.RNode, error)) ( + []*yaml.RNode, error) { + var returnNodes []*yaml.RNode + for i := range nodes { + meta, err := nodes[i].GetMeta() + if err != nil { + return nil, errors.Wrap(err) + } + n, err := fn(nodes[i], meta) + if err != nil { + return nil, errors.Wrap(err) + } + if n != nil { + returnNodes = append(returnNodes, n) + } + } + return returnNodes, nil +} + +// SortNodes sorts nodes in place: +// - by PathAnnotation annotation +// - by IndexAnnotation annotation +func SortNodes(nodes []*yaml.RNode) error { + var err error + // use stable sort to keep ordering of equal elements + sort.SliceStable(nodes, func(i, j int) bool { + if err != nil { + return false + } + if err := CopyLegacyAnnotations(nodes[i]); err != nil { + return false + } + if err := CopyLegacyAnnotations(nodes[j]); err != nil { + return false + } + var iMeta, jMeta yaml.ResourceMeta + if iMeta, _ = nodes[i].GetMeta(); err != nil { + return false + } + if jMeta, _ = nodes[j].GetMeta(); err != nil { + return false + } + + iValue := iMeta.Annotations[PathAnnotation] + jValue := jMeta.Annotations[PathAnnotation] + if iValue != jValue { + return iValue < jValue + } + + iValue = iMeta.Annotations[IndexAnnotation] + jValue = jMeta.Annotations[IndexAnnotation] + + // put resource config without an index first + if iValue == jValue { + return false + } + if iValue == "" { + return true + } + if jValue == "" { + return false + } + + // sort by index + var iIndex, jIndex int + iIndex, err = strconv.Atoi(iValue) + if err != nil { + err = fmt.Errorf("unable to parse config.kubernetes.io/index %s :%v", iValue, err) + return false + } + jIndex, err = strconv.Atoi(jValue) + if err != nil { + err = fmt.Errorf("unable to parse config.kubernetes.io/index %s :%v", jValue, err) + return false + } + if iIndex != jIndex { + return iIndex < jIndex + } + + // elements are equal + return false + }) + return errors.Wrap(err) +} + +// CopyInternalAnnotations copies the annotations that begin with the prefix +// `internal.config.kubernetes.io` from the source RNode to the destination RNode. +// It takes a parameter exclusions, which is a list of annotation keys to ignore. +func CopyInternalAnnotations(src *yaml.RNode, dst *yaml.RNode, exclusions ...AnnotationKey) error { + srcAnnotations := GetInternalAnnotations(src) + for k, v := range srcAnnotations { + if stringSliceContains(exclusions, k) { + continue + } + if err := dst.PipeE(yaml.SetAnnotation(k, v)); err != nil { + return err + } + } + return nil +} + +// ConfirmInternalAnnotationUnchanged compares the annotations of the RNodes that begin with the prefix +// `internal.config.kubernetes.io`, throwing an error if they differ. It takes a parameter exclusions, +// which is a list of annotation keys to ignore. +func ConfirmInternalAnnotationUnchanged(r1 *yaml.RNode, r2 *yaml.RNode, exclusions ...AnnotationKey) error { + r1Annotations := GetInternalAnnotations(r1) + r2Annotations := GetInternalAnnotations(r2) + + // this is a map to prevent duplicates + diffAnnos := make(map[string]bool) + + for k, v1 := range r1Annotations { + if stringSliceContains(exclusions, k) { + continue + } + if v2, ok := r2Annotations[k]; !ok || v1 != v2 { + diffAnnos[k] = true + } + } + + for k, v2 := range r2Annotations { + if stringSliceContains(exclusions, k) { + continue + } + if v1, ok := r1Annotations[k]; !ok || v2 != v1 { + diffAnnos[k] = true + } + } + + if len(diffAnnos) > 0 { + keys := make([]string, 0, len(diffAnnos)) + for k := range diffAnnos { + keys = append(keys, k) + } + sort.Strings(keys) + + errorString := "internal annotations differ: " + for _, key := range keys { + errorString = errorString + key + ", " + } + return errors.Errorf(errorString[0 : len(errorString)-2]) + } + + return nil +} + +// GetInternalAnnotations returns a map of all the annotations of the provided +// RNode that satisfies one of the following: 1) begin with the prefix +// `internal.config.kubernetes.io` 2) is one of `config.kubernetes.io/path`, +// `config.kubernetes.io/index` and `config.k8s.io/id`. +func GetInternalAnnotations(rn *yaml.RNode) map[string]string { + meta, _ := rn.GetMeta() + annotations := meta.Annotations + result := make(map[string]string) + for k, v := range annotations { + if strings.HasPrefix(k, internalPrefix) || k == LegacyPathAnnotation || k == LegacyIndexAnnotation || k == LegacyIdAnnotation { + result[k] = v + } + } + return result +} + +// stringSliceContains returns true if the slice has the string. +func stringSliceContains(slice []string, str string) bool { + for _, s := range slice { + if s == str { + return true + } + } + return false +} diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/kio/pkgio_reader.go b/vendor/sigs.k8s.io/kustomize/kyaml/kio/pkgio_reader.go new file mode 100644 index 0000000000..609a791f39 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/kyaml/kio/pkgio_reader.go @@ -0,0 +1,360 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package kio + +import ( + "fmt" + "os" + "path/filepath" + + "sigs.k8s.io/kustomize/kyaml/errors" + "sigs.k8s.io/kustomize/kyaml/filesys" + "sigs.k8s.io/kustomize/kyaml/kio/kioutil" + "sigs.k8s.io/kustomize/kyaml/sets" + "sigs.k8s.io/kustomize/kyaml/yaml" +) + +// requiredResourcePackageAnnotations are annotations that are required to write resources back to +// files. +var requiredResourcePackageAnnotations = []string{kioutil.IndexAnnotation, kioutil.PathAnnotation} + +// PackageBuffer implements Reader and Writer, storing Resources in a local field. +type PackageBuffer struct { + Nodes []*yaml.RNode +} + +func (r *PackageBuffer) Read() ([]*yaml.RNode, error) { + return r.Nodes, nil +} + +func (r *PackageBuffer) Write(nodes []*yaml.RNode) error { + r.Nodes = nodes + return nil +} + +// LocalPackageReadWriter reads and writes Resources from / to a local directory. +// When writing, LocalPackageReadWriter will delete files if all of the Resources from +// that file have been removed from the output. +type LocalPackageReadWriter struct { + Kind string `yaml:"kind,omitempty"` + + KeepReaderAnnotations bool `yaml:"keepReaderAnnotations,omitempty"` + + // PreserveSeqIndent if true adds kioutil.SeqIndentAnnotation to each resource + PreserveSeqIndent bool + + // PackagePath is the path to the package directory. + PackagePath string `yaml:"path,omitempty"` + + // PackageFileName is the name of file containing package metadata. + // It will be used to identify package. + PackageFileName string `yaml:"packageFileName,omitempty"` + + // MatchFilesGlob configures Read to only read Resources from files matching any of the + // provided patterns. + // Defaults to ["*.yaml", "*.yml"] if empty. To match all files specify ["*"]. + MatchFilesGlob []string `yaml:"matchFilesGlob,omitempty"` + + // IncludeSubpackages will configure Read to read Resources from subpackages. + // Subpackages are identified by presence of PackageFileName. + IncludeSubpackages bool `yaml:"includeSubpackages,omitempty"` + + // ErrorIfNonResources will configure Read to throw an error if yaml missing missing + // apiVersion or kind is read. + ErrorIfNonResources bool `yaml:"errorIfNonResources,omitempty"` + + // OmitReaderAnnotations will cause the reader to skip annotating Resources with the file + // path and mode. + OmitReaderAnnotations bool `yaml:"omitReaderAnnotations,omitempty"` + + // SetAnnotations are annotations to set on the Resources as they are read. + SetAnnotations map[string]string `yaml:"setAnnotations,omitempty"` + + // NoDeleteFiles if set to true, LocalPackageReadWriter won't delete any files + NoDeleteFiles bool `yaml:"noDeleteFiles,omitempty"` + + files sets.String + + // FileSkipFunc is a function which returns true if reader should ignore + // the file + FileSkipFunc LocalPackageSkipFileFunc + + // FileSystem can be used to mock the disk file system. + FileSystem filesys.FileSystemOrOnDisk + + // WrapBareSeqNode wraps the bare sequence node document with map node, + // kyaml uses reader annotations to track resources, it is not possible to + // add them to bare sequence nodes, this option enables wrapping such bare + // sequence nodes into map node with key yaml.BareSeqNodeWrappingKey + // note that this wrapping is different and not related to ResourceList wrapping + WrapBareSeqNode bool +} + +func (r *LocalPackageReadWriter) Read() ([]*yaml.RNode, error) { + nodes, err := LocalPackageReader{ + PackagePath: r.PackagePath, + MatchFilesGlob: r.MatchFilesGlob, + IncludeSubpackages: r.IncludeSubpackages, + ErrorIfNonResources: r.ErrorIfNonResources, + SetAnnotations: r.SetAnnotations, + PackageFileName: r.PackageFileName, + FileSkipFunc: r.FileSkipFunc, + PreserveSeqIndent: r.PreserveSeqIndent, + FileSystem: r.FileSystem, + WrapBareSeqNode: r.WrapBareSeqNode, + }.Read() + if err != nil { + return nil, errors.Wrap(err) + } + // keep track of all the files + if !r.NoDeleteFiles { + r.files, err = r.getFiles(nodes) + if err != nil { + return nil, errors.Wrap(err) + } + } + return nodes, nil +} + +func (r *LocalPackageReadWriter) Write(nodes []*yaml.RNode) error { + newFiles, err := r.getFiles(nodes) + if err != nil { + return errors.Wrap(err) + } + var clear []string + for k := range r.SetAnnotations { + clear = append(clear, k) + } + err = LocalPackageWriter{ + PackagePath: r.PackagePath, + ClearAnnotations: clear, + KeepReaderAnnotations: r.KeepReaderAnnotations, + FileSystem: r.FileSystem, + }.Write(nodes) + if err != nil { + return errors.Wrap(err) + } + deleteFiles := r.files.Difference(newFiles) + for f := range deleteFiles { + if err = r.FileSystem.RemoveAll(filepath.Join(r.PackagePath, f)); err != nil { + return errors.Wrap(err) + } + } + return nil +} + +func (r *LocalPackageReadWriter) getFiles(nodes []*yaml.RNode) (sets.String, error) { + val := sets.String{} + for _, n := range nodes { + path, _, err := kioutil.GetFileAnnotations(n) + if err != nil { + return nil, errors.Wrap(err) + } + val.Insert(path) + } + return val, nil +} + +// LocalPackageSkipFileFunc is a function which returns true if the file +// in the package should be ignored by reader. +// relPath is an OS specific relative path +type LocalPackageSkipFileFunc func(relPath string) bool + +// LocalPackageReader reads ResourceNodes from a local package. +type LocalPackageReader struct { + Kind string `yaml:"kind,omitempty"` + + // PackagePath is the path to the package directory. + PackagePath string `yaml:"path,omitempty"` + + // PackageFileName is the name of file containing package metadata. + // It will be used to identify package. + PackageFileName string `yaml:"packageFileName,omitempty"` + + // MatchFilesGlob configures Read to only read Resources from files matching any of the + // provided patterns. + // Defaults to ["*.yaml", "*.yml"] if empty. To match all files specify ["*"]. + MatchFilesGlob []string `yaml:"matchFilesGlob,omitempty"` + + // IncludeSubpackages will configure Read to read Resources from subpackages. + // Subpackages are identified by presence of PackageFileName. + IncludeSubpackages bool `yaml:"includeSubpackages,omitempty"` + + // ErrorIfNonResources will configure Read to throw an error if yaml missing missing + // apiVersion or kind is read. + ErrorIfNonResources bool `yaml:"errorIfNonResources,omitempty"` + + // OmitReaderAnnotations will cause the reader to skip annotating Resources with the file + // path and mode. + OmitReaderAnnotations bool `yaml:"omitReaderAnnotations,omitempty"` + + // SetAnnotations are annotations to set on the Resources as they are read. + SetAnnotations map[string]string `yaml:"setAnnotations,omitempty"` + + // FileSkipFunc is a function which returns true if reader should ignore + // the file + FileSkipFunc LocalPackageSkipFileFunc + + // PreserveSeqIndent if true adds kioutil.SeqIndentAnnotation to each resource + PreserveSeqIndent bool + + // FileSystem can be used to mock the disk file system. + FileSystem filesys.FileSystemOrOnDisk + + // WrapBareSeqNode wraps the bare sequence node document with map node, + // kyaml uses reader annotations to track resources, it is not possible to + // add them to bare sequence nodes, this option enables wrapping such bare + // sequence nodes into map node with key yaml.BareSeqNodeWrappingKey + // note that this wrapping is different and not related to ResourceList wrapping + WrapBareSeqNode bool +} + +var _ Reader = LocalPackageReader{} + +var DefaultMatch = []string{"*.yaml", "*.yml"} +var JSONMatch = []string{"*.json"} +var MatchAll = append(DefaultMatch, JSONMatch...) + +// Read reads the Resources. +func (r LocalPackageReader) Read() ([]*yaml.RNode, error) { + if r.PackagePath == "" { + return nil, fmt.Errorf("must specify package path") + } + + // use slash for path + r.PackagePath = filepath.ToSlash(r.PackagePath) + if len(r.MatchFilesGlob) == 0 { + r.MatchFilesGlob = DefaultMatch + } + + var operand ResourceNodeSlice + var pathRelativeTo string + var err error + ignoreFilesMatcher := &ignoreFilesMatcher{ + fs: r.FileSystem, + } + dir, file, err := r.FileSystem.CleanedAbs(r.PackagePath) + if err != nil { + return nil, errors.Wrap(err) + } + r.PackagePath = filepath.Join(string(dir), file) + err = r.FileSystem.Walk(r.PackagePath, func( + path string, info os.FileInfo, err error) error { + if err != nil { + return errors.Wrap(err) + } + + // is this the user specified path? + if path == r.PackagePath { + if info.IsDir() { + // skip the root package directory, but check for a + // .krmignore file first. + pathRelativeTo = r.PackagePath + return ignoreFilesMatcher.readIgnoreFile(path) + } + + // user specified path is a file rather than a directory. + // make its path relative to its parent so it can be written to another file. + pathRelativeTo = filepath.Dir(r.PackagePath) + } + + // check if we should skip the directory or file + if info.IsDir() { + return r.shouldSkipDir(path, ignoreFilesMatcher) + } + + // get the relative path to file within the package so we can write the files back out + // to another location. + relPath, err := filepath.Rel(pathRelativeTo, path) + if err != nil { + return errors.WrapPrefixf(err, pathRelativeTo) + } + if match, err := r.shouldSkipFile(path, relPath, ignoreFilesMatcher); err != nil { + return err + } else if match { + // skip this file + return nil + } + + r.initReaderAnnotations(relPath, info) + nodes, err := r.readFile(path, info) + if err != nil { + return errors.WrapPrefixf(err, path) + } + operand = append(operand, nodes...) + return nil + }) + return operand, err +} + +// readFile reads the ResourceNodes from a file +func (r *LocalPackageReader) readFile(path string, _ os.FileInfo) ([]*yaml.RNode, error) { + f, err := r.FileSystem.Open(path) + if err != nil { + return nil, err + } + defer f.Close() + + rr := &ByteReader{ + DisableUnwrapping: true, + Reader: f, + OmitReaderAnnotations: r.OmitReaderAnnotations, + SetAnnotations: r.SetAnnotations, + PreserveSeqIndent: r.PreserveSeqIndent, + WrapBareSeqNode: r.WrapBareSeqNode, + } + return rr.Read() +} + +// shouldSkipFile returns true if the file should be skipped +func (r *LocalPackageReader) shouldSkipFile(path, relPath string, matcher *ignoreFilesMatcher) (bool, error) { + // check if the file is covered by a .krmignore file. + if matcher.matchFile(path) { + return true, nil + } + + if r.FileSkipFunc != nil && r.FileSkipFunc(relPath) { + return true, nil + } + + // check if the files are in scope + for _, g := range r.MatchFilesGlob { + if match, err := filepath.Match(g, filepath.Base(path)); err != nil { + return true, errors.Wrap(err) + } else if match { + return false, nil + } + } + return true, nil +} + +// initReaderAnnotations adds the LocalPackageReader Annotations to r.SetAnnotations +func (r *LocalPackageReader) initReaderAnnotations(path string, _ os.FileInfo) { + if r.SetAnnotations == nil { + r.SetAnnotations = map[string]string{} + } + if !r.OmitReaderAnnotations { + r.SetAnnotations[kioutil.PathAnnotation] = path + r.SetAnnotations[kioutil.LegacyPathAnnotation] = path + } +} + +// shouldSkipDir returns a filepath.SkipDir if the directory should be skipped +func (r *LocalPackageReader) shouldSkipDir(path string, matcher *ignoreFilesMatcher) error { + if matcher.matchDir(path) { + return filepath.SkipDir + } + + if r.PackageFileName == "" { + return nil + } + // check if this is a subpackage + if !r.FileSystem.Exists(filepath.Join(path, r.PackageFileName)) { + return nil + } + if !r.IncludeSubpackages { + return filepath.SkipDir + } + return matcher.readIgnoreFile(path) +} diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/kio/pkgio_writer.go b/vendor/sigs.k8s.io/kustomize/kyaml/kio/pkgio_writer.go new file mode 100644 index 0000000000..ce6fa45a5e --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/kyaml/kio/pkgio_writer.go @@ -0,0 +1,150 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package kio + +import ( + "bytes" + "fmt" + "os" + "path/filepath" + "strings" + + "sigs.k8s.io/kustomize/kyaml/errors" + "sigs.k8s.io/kustomize/kyaml/filesys" + "sigs.k8s.io/kustomize/kyaml/kio/kioutil" + "sigs.k8s.io/kustomize/kyaml/yaml" +) + +// LocalPackageWriter writes ResourceNodes to a filesystem +type LocalPackageWriter struct { + Kind string `yaml:"kind,omitempty"` + + // PackagePath is the path to the package directory. + PackagePath string `yaml:"path,omitempty"` + + // KeepReaderAnnotations if set will retain the annotations set by LocalPackageReader + KeepReaderAnnotations bool `yaml:"keepReaderAnnotations,omitempty"` + + // ClearAnnotations will clear annotations before writing the resources + ClearAnnotations []string `yaml:"clearAnnotations,omitempty"` + + // FileSystem can be used to mock the disk file system. + FileSystem filesys.FileSystemOrOnDisk +} + +var _ Writer = LocalPackageWriter{} + +func (r LocalPackageWriter) Write(nodes []*yaml.RNode) error { + // set the path and index annotations if they are missing + if err := kioutil.DefaultPathAndIndexAnnotation("", nodes); err != nil { + return err + } + + if !r.FileSystem.Exists(r.PackagePath) { + return errors.WrapPrefixf(os.ErrNotExist, "could not write to %q", r.PackagePath) + } + if !r.FileSystem.IsDir(r.PackagePath) { + // if the user specified input isn't a directory, the package is the directory of the + // target + r.PackagePath = filepath.Dir(r.PackagePath) + } + + // setup indexes for writing Resources back to files + if err := r.errorIfMissingRequiredAnnotation(nodes); err != nil { + return err + } + outputFiles, err := r.indexByFilePath(nodes) + if err != nil { + return err + } + for k := range outputFiles { + if err = kioutil.SortNodes(outputFiles[k]); err != nil { + return errors.Wrap(err) + } + } + + if !r.KeepReaderAnnotations { + r.ClearAnnotations = append(r.ClearAnnotations, kioutil.PathAnnotation) + r.ClearAnnotations = append(r.ClearAnnotations, kioutil.LegacyPathAnnotation) + } + + // validate outputs before writing any + for path := range outputFiles { + outputPath := filepath.Join(r.PackagePath, path) + if r.FileSystem.IsDir(outputPath) { + return fmt.Errorf("config.kubernetes.io/path cannot be a directory: %s", path) + } + + err = r.FileSystem.MkdirAll(filepath.Dir(outputPath)) + if err != nil { + return errors.Wrap(err) + } + } + + // write files + buf := bytes.NewBuffer(nil) + for path := range outputFiles { + outputPath := filepath.Join(r.PackagePath, path) + err = r.FileSystem.MkdirAll(filepath.Dir(filepath.Join(r.PackagePath, path))) + if err != nil { + return errors.Wrap(err) + } + + buf.Reset() + w := ByteWriter{ + Writer: buf, + KeepReaderAnnotations: r.KeepReaderAnnotations, + ClearAnnotations: r.ClearAnnotations, + } + if err = w.Write(outputFiles[path]); err != nil { + return errors.Wrap(err) + } + + if err := r.FileSystem.WriteFile(outputPath, buf.Bytes()); err != nil { + return errors.Wrap(err) + } + } + + return nil +} + +func (r LocalPackageWriter) errorIfMissingRequiredAnnotation(nodes []*yaml.RNode) error { + for i := range nodes { + for _, s := range requiredResourcePackageAnnotations { + key, err := nodes[i].Pipe(yaml.GetAnnotation(s)) + if err != nil { + return errors.Wrap(err) + } + if key == nil || key.YNode() == nil || key.YNode().Value == "" { + return errors.Errorf( + "resources must be annotated with %s to be written to files", s) + } + } + } + return nil +} + +func (r LocalPackageWriter) indexByFilePath(nodes []*yaml.RNode) (map[string][]*yaml.RNode, error) { + outputFiles := map[string][]*yaml.RNode{} + for i := range nodes { + // parse the file write path + node := nodes[i] + value, err := node.Pipe(yaml.GetAnnotation(kioutil.PathAnnotation)) + if err != nil { + // this should never happen if errorIfMissingRequiredAnnotation was run + return nil, errors.Wrap(err) + } + path := value.YNode().Value + outputFiles[path] = append(outputFiles[path], node) + + if filepath.IsAbs(path) { + return nil, errors.Errorf("package paths may not be absolute paths") + } + if strings.Contains(filepath.Clean(path), "..") { + return nil, fmt.Errorf("resource must be written under package %s: %s", + r.PackagePath, filepath.Clean(path)) + } + } + return outputFiles, nil +} diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/kio/tree.go b/vendor/sigs.k8s.io/kustomize/kyaml/kio/tree.go new file mode 100644 index 0000000000..a14181578e --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/kyaml/kio/tree.go @@ -0,0 +1,519 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package kio + +import ( + "fmt" + "io" + "os" + "path/filepath" + "sort" + "strings" + + "github.com/xlab/treeprint" + "sigs.k8s.io/kustomize/kyaml/kio/kioutil" + "sigs.k8s.io/kustomize/kyaml/yaml" +) + +type TreeStructure string + +const ( + // TreeStructurePackage configures TreeWriter to generate the tree structure off of the + // Resources packages. + TreeStructurePackage TreeStructure = "directory" + + // TreeStructureOwners configures TreeWriter to generate the tree structure off of the + // Resource owners. + TreeStructureGraph TreeStructure = "owners" +) + +var GraphStructures = []string{string(TreeStructureGraph), string(TreeStructurePackage)} + +// TreeWriter prints the package structured as a tree. +// TODO(pwittrock): test this package better. it is lower-risk since it is only +// used for printing rather than updating or editing. +type TreeWriter struct { + Writer io.Writer + Root string + Fields []TreeWriterField + Structure TreeStructure + OpenAPIFileName string +} + +// TreeWriterField configures a Resource field to be included in the tree +type TreeWriterField struct { + yaml.PathMatcher + Name string + SubName string +} + +func (p TreeWriter) packageStructure(nodes []*yaml.RNode) error { + for i := range nodes { + if err := kioutil.CopyLegacyAnnotations(nodes[i]); err != nil { + return err + } + } + indexByPackage := p.index(nodes) + + // create the new tree + tree := treeprint.New() + tree.SetValue(p.Root) + + // add each package to the tree + treeIndex := map[string]treeprint.Tree{} + keys := p.sort(indexByPackage) + for _, pkg := range keys { + // create a branch for this package -- search for the parent package and create + // the branch under it -- requires that the keys are sorted + branch := tree + for parent, subTree := range treeIndex { + if strings.HasPrefix(pkg, parent) { + // found a package whose path is a prefix to our own, use this + // package if a closer one isn't found + branch = subTree + // don't break, continue searching for more closely related ancestors + } + } + + // create a new branch for the package + createOk := pkg != "." // special edge case logic for tree on current working dir + if createOk { + branch = branch.AddBranch(branchName(p.Root, pkg, p.OpenAPIFileName)) + } + + // cache the branch for this package + treeIndex[pkg] = branch + + // print each resource in the package + for i := range indexByPackage[pkg] { + var err error + if _, err = p.doResource(indexByPackage[pkg][i], "", branch); err != nil { + return err + } + } + } + + _, err := io.WriteString(p.Writer, tree.String()) + return err +} + +// branchName takes the root directory and relative path to the directory +// and returns the branch name +func branchName(root, dirRelPath, openAPIFileName string) string { + name := filepath.Base(dirRelPath) + _, err := os.Stat(filepath.Join(root, dirRelPath, openAPIFileName)) + if !os.IsNotExist(err) { + // add Pkg: prefix indicating that it is a separate package as it has + // openAPIFile + return fmt.Sprintf("Pkg: %s", name) + } + return name +} + +// Write writes the ascii tree to p.Writer +func (p TreeWriter) Write(nodes []*yaml.RNode) error { + switch p.Structure { + case TreeStructurePackage: + return p.packageStructure(nodes) + case TreeStructureGraph: + return p.graphStructure(nodes) + } + + // If any resource has an owner reference, default to the graph structure. Otherwise, use package structure. + for _, node := range nodes { + if owners, _ := node.Pipe(yaml.Lookup("metadata", "ownerReferences")); owners != nil { + return p.graphStructure(nodes) + } + } + return p.packageStructure(nodes) +} + +// node wraps a tree node, and any children nodes +type node struct { + p TreeWriter + *yaml.RNode + children []*node +} + +func (a node) Len() int { return len(a.children) } +func (a node) Swap(i, j int) { a.children[i], a.children[j] = a.children[j], a.children[i] } +func (a node) Less(i, j int) bool { + return compareNodes(a.children[i].RNode, a.children[j].RNode) +} + +// Tree adds this node to the root +func (a node) Tree(root treeprint.Tree) error { + sort.Sort(a) + branch := root + var err error + + // generate a node for the Resource + if a.RNode != nil { + branch, err = a.p.doResource(a.RNode, "Resource", root) + if err != nil { + return err + } + } + + // attach children to the branch + for _, n := range a.children { + if err := n.Tree(branch); err != nil { + return err + } + } + return nil +} + +// graphStructure writes the tree using owners for structure +func (p TreeWriter) graphStructure(nodes []*yaml.RNode) error { + resourceToOwner := map[string]*node{} + root := &node{} + // index each of the nodes by their owner + for _, n := range nodes { + ownerVal, err := ownerToString(n) + if err != nil { + return err + } + var owner *node + if ownerVal == "" { + // no owner -- attach to the root + owner = root + } else { + // owner found -- attach to the owner + var found bool + owner, found = resourceToOwner[ownerVal] + if !found { + // initialize the owner if not found + resourceToOwner[ownerVal] = &node{p: p} + owner = resourceToOwner[ownerVal] + } + } + + nodeVal, err := nodeToString(n) + if err != nil { + return err + } + val, found := resourceToOwner[nodeVal] + if !found { + // initialize the node if not found -- may have already been initialized if it + // is the owner of another node + resourceToOwner[nodeVal] = &node{p: p} + val = resourceToOwner[nodeVal] + } + val.RNode = n + owner.children = append(owner.children, val) + } + + for k, v := range resourceToOwner { + if v.RNode == nil { + return fmt.Errorf( + "owner '%s' not found in input, but found as an owner of input objects", k) + } + } + + // print the tree + tree := treeprint.New() + if err := root.Tree(tree); err != nil { + return err + } + + _, err := io.WriteString(p.Writer, tree.String()) + return err +} + +// nodeToString generates a string to identify the node -- matches ownerToString format +func nodeToString(node *yaml.RNode) (string, error) { + meta, err := node.GetMeta() + if err != nil { + return "", err + } + + return fmt.Sprintf("%s %s/%s", meta.Kind, meta.Namespace, meta.Name), nil +} + +// ownerToString generate a string to identify the owner -- matches nodeToString format +func ownerToString(node *yaml.RNode) (string, error) { + meta, err := node.GetMeta() + if err != nil { + return "", err + } + namespace := meta.Namespace + + owners, err := node.Pipe(yaml.Lookup("metadata", "ownerReferences")) + if err != nil { + return "", err + } + if owners == nil { + return "", nil + } + + elements, err := owners.Elements() + if err != nil { + return "", err + } + if len(elements) == 0 { + return "", err + } + owner := elements[0] + var kind, name string + + if value := owner.Field("kind"); !value.IsNilOrEmpty() { + kind = value.Value.YNode().Value + } + if value := owner.Field("name"); !value.IsNilOrEmpty() { + name = value.Value.YNode().Value + } + + return fmt.Sprintf("%s %s/%s", kind, namespace, name), nil +} + +// index indexes the Resources by their package +func (p TreeWriter) index(nodes []*yaml.RNode) map[string][]*yaml.RNode { + // index the ResourceNodes by package + indexByPackage := map[string][]*yaml.RNode{} + for i := range nodes { + meta, err := nodes[i].GetMeta() + if err != nil || meta.Kind == "" { + // not a resource + continue + } + pkg := filepath.Dir(meta.Annotations[kioutil.PathAnnotation]) + indexByPackage[pkg] = append(indexByPackage[pkg], nodes[i]) + } + return indexByPackage +} + +func compareNodes(i, j *yaml.RNode) bool { + metai, _ := i.GetMeta() + metaj, _ := j.GetMeta() + pi := metai.Annotations[kioutil.PathAnnotation] + pj := metaj.Annotations[kioutil.PathAnnotation] + + // compare file names + if filepath.Base(pi) != filepath.Base(pj) { + return filepath.Base(pi) < filepath.Base(pj) + } + + // compare namespace + if metai.Namespace != metaj.Namespace { + return metai.Namespace < metaj.Namespace + } + + // compare name + if metai.Name != metaj.Name { + return metai.Name < metaj.Name + } + + // compare kind + if metai.Kind != metaj.Kind { + return metai.Kind < metaj.Kind + } + + // compare apiVersion + if metai.APIVersion != metaj.APIVersion { + return metai.APIVersion < metaj.APIVersion + } + return true +} + +// sort sorts the Resources in the index in display order and returns the ordered +// keys for the index +// +// Packages are sorted by package name +// Resources within a package are sorted by: [filename, namespace, name, kind, apiVersion] +func (p TreeWriter) sort(indexByPackage map[string][]*yaml.RNode) []string { + var keys []string + for k := range indexByPackage { + pkgNodes := indexByPackage[k] + sort.Slice(pkgNodes, func(i, j int) bool { return compareNodes(pkgNodes[i], pkgNodes[j]) }) + keys = append(keys, k) + } + + // return the package names sorted lexicographically + sort.Strings(keys) + return keys +} + +func (p TreeWriter) doResource(leaf *yaml.RNode, metaString string, branch treeprint.Tree) (treeprint.Tree, error) { + meta, _ := leaf.GetMeta() + if metaString == "" { + path := meta.Annotations[kioutil.PathAnnotation] + path = filepath.Base(path) + metaString = path + } + + value := fmt.Sprintf("%s %s", meta.Kind, meta.Name) + if len(meta.Namespace) > 0 { + value = fmt.Sprintf("%s %s/%s", meta.Kind, meta.Namespace, meta.Name) + } + + fields, err := p.getFields(leaf) + if err != nil { + return nil, err + } + + n := branch.AddMetaBranch(metaString, value) + for i := range fields { + field := fields[i] + + // do leaf node + if len(field.matchingElementsAndFields) == 0 { + n.AddNode(fmt.Sprintf("%s: %s", field.name, field.value)) + continue + } + + // do nested nodes + b := n.AddBranch(field.name) + for j := range field.matchingElementsAndFields { + elem := field.matchingElementsAndFields[j] + b := b.AddBranch(elem.name) + for k := range elem.matchingElementsAndFields { + field := elem.matchingElementsAndFields[k] + b.AddNode(fmt.Sprintf("%s: %s", field.name, field.value)) + } + } + } + + return n, nil +} + +// getFields looks up p.Fields from leaf and structures them into treeFields. +// TODO(pwittrock): simplify this function +func (p TreeWriter) getFields(leaf *yaml.RNode) (treeFields, error) { + fieldsByName := map[string]*treeField{} + + // index nested and non-nested fields + for i := range p.Fields { + f := p.Fields[i] + seq, err := leaf.Pipe(&f) + if err != nil { + return nil, err + } + if seq == nil { + continue + } + + if fieldsByName[f.Name] == nil { + fieldsByName[f.Name] = &treeField{name: f.Name} + } + + // non-nested field -- add directly to the treeFields list + if f.SubName == "" { + // non-nested field -- only 1 element + val, err := yaml.String(seq.Content()[0], yaml.Trim, yaml.Flow) + if err != nil { + return nil, err + } + fieldsByName[f.Name].value = val + continue + } + + // nested-field -- create a parent elem, and index by the 'match' value + if fieldsByName[f.Name].subFieldByMatch == nil { + fieldsByName[f.Name].subFieldByMatch = map[string]treeFields{} + } + index := fieldsByName[f.Name].subFieldByMatch + for j := range seq.Content() { + elem := seq.Content()[j] + matches := f.Matches[elem] + str, err := yaml.String(elem, yaml.Trim, yaml.Flow) + if err != nil { + return nil, err + } + + // map the field by the name of the element + // index the subfields by the matching element so we can put all the fields for the + // same element under the same branch + matchKey := strings.Join(matches, "/") + index[matchKey] = append(index[matchKey], &treeField{name: f.SubName, value: str}) + } + } + + // iterate over collection of all queried fields in the Resource + for _, field := range fieldsByName { + // iterate over collection of elements under the field -- indexed by element name + for match, subFields := range field.subFieldByMatch { + // create a new element for this collection of fields + // note: we will convert name to an index later, but keep the match for sorting + elem := &treeField{name: match} + field.matchingElementsAndFields = append(field.matchingElementsAndFields, elem) + + // iterate over collection of queried fields for the element + for i := range subFields { + // add to the list of fields for this element + elem.matchingElementsAndFields = append(elem.matchingElementsAndFields, subFields[i]) + } + } + // clear this cached data + field.subFieldByMatch = nil + } + + // put the fields in a list so they are ordered + fieldList := treeFields{} + for _, v := range fieldsByName { + fieldList = append(fieldList, v) + } + + // sort the fields + sort.Sort(fieldList) + for i := range fieldList { + field := fieldList[i] + // sort the elements under this field + sort.Sort(field.matchingElementsAndFields) + + for i := range field.matchingElementsAndFields { + element := field.matchingElementsAndFields[i] + // sort the elements under a list field by their name + sort.Sort(element.matchingElementsAndFields) + // set the name of the element to its index + element.name = fmt.Sprintf("%d", i) + } + } + + return fieldList, nil +} + +// treeField wraps a field node +type treeField struct { + // name is the name of the node + name string + + // value is the value of the node -- may be empty + value string + + // matchingElementsAndFields is a slice of fields that go under this as a branch + matchingElementsAndFields treeFields + + // subFieldByMatch caches matchingElementsAndFields indexed by the name of the matching elem + subFieldByMatch map[string]treeFields +} + +// treeFields wraps a slice of treeField so they can be sorted +type treeFields []*treeField + +func (nodes treeFields) Len() int { return len(nodes) } + +func (nodes treeFields) Less(i, j int) bool { + iIndex, iFound := yaml.FieldOrder[nodes[i].name] + jIndex, jFound := yaml.FieldOrder[nodes[j].name] + if iFound && jFound { + return iIndex < jIndex + } + if iFound { + return true + } + if jFound { + return false + } + + if nodes[i].name != nodes[j].name { + return nodes[i].name < nodes[j].name + } + if nodes[i].value != nodes[j].value { + return nodes[i].value < nodes[j].value + } + return false +} + +func (nodes treeFields) Swap(i, j int) { nodes[i], nodes[j] = nodes[j], nodes[i] } diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/openapi/Makefile b/vendor/sigs.k8s.io/kustomize/kyaml/openapi/Makefile new file mode 100644 index 0000000000..c616a6c6d3 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/kyaml/openapi/Makefile @@ -0,0 +1,62 @@ +# Copyright 2020 The Kubernetes Authors. +# SPDX-License-Identifier: Apache-2.0 + +MYGOBIN = $(shell go env GOBIN) +ifeq ($(MYGOBIN),) +MYGOBIN = $(shell go env GOPATH)/bin +endif +KIND_VERSION := "v0.11.1" +API_VERSION ?= "v1.21.2" + +.PHONY: all +all: \ + kustomizationapi/swagger.go \ + kubernetesapi/swagger.go \ + kubernetesapi/openapiinfo.go + +.PHONY: clean +clean: + rm kustomizationapi/swagger.go + rm kubernetesapi/openapiinfo.go + +# This will remove all currently built-in schema, +# so think twice before deleting. +# To replace what this will delete typically requires the ability +# to contact a live kubernetes API server. +.PHONY: nuke +nuke: clean + rm -r kubernetesapi/* + +$(MYGOBIN)/go-bindata: + go install github.com/go-bindata/go-bindata/v3/go-bindata@latest + +$(MYGOBIN)/kind: + ( \ + set -e; \ + d=$(shell mktemp -d); cd $$d; \ + wget -O ./kind https://github.com/kubernetes-sigs/kind/releases/download/$(KIND_VERSION)/kind-$(shell uname)-amd64; \ + chmod +x ./kind; \ + mv ./kind $(MYGOBIN); \ + rm -rf $$d; \ + ) + +.PHONY: kubernetesapi/openapiinfo.go +kubernetesapi/openapiinfo.go: + ./scripts/makeOpenApiInfoDotGo.sh + +kustomizationapi/swagger.go: $(MYGOBIN)/go-bindata kustomizationapi/swagger.json + $(MYGOBIN)/go-bindata \ + --pkg kustomizationapi \ + -o kustomizationapi/swagger.go \ + kustomizationapi/swagger.json + +.PHONY: kubernetesapi/swagger.pb +kubernetesapi/swagger.pb: $(MYGOBIN)/kind $(MYGOBIN)/kustomize + ./scripts/fetchSchemaFromCluster.sh $(API_VERSION) + +.PHONY: kubernetesapi/swagger.go +kubernetesapi/swagger.go: $(MYGOBIN)/go-bindata kubernetesapi/swagger.pb + ./scripts/generateSwaggerDotGo.sh $(API_VERSION) + +$(MYGOBIN)/kustomize: + $(shell cd ../.. && MYGOBIN=$(MYGOBIN) make $(MYGOBIN)/kustomize) diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/openapi/README.md b/vendor/sigs.k8s.io/kustomize/kyaml/openapi/README.md new file mode 100644 index 0000000000..3bffb952ca --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/kyaml/openapi/README.md @@ -0,0 +1,84 @@ +# Sampling New OpenAPI Data + +[OpenAPI schema]: ./kubernetesapi/ +[Kustomization schema]: ./kustomizationapi/ +[kind]: https://hub.docker.com/r/kindest/node/tags + +This document describes how to fetch OpenAPI data from a +live kubernetes API server. +The scripts used will create a clean [kind] instance for this purpose. + +## Replacing the default openapi schema version + +### Delete all currently built-in schema + +This will remove both the Kustomization and Kubernetes schemas: + +``` +make nuke +``` + +### Choose the new version to use + +The compiled-in schema version should maximize API availability with respect to all actively supported Kubernetes versions. For example, while 1.20, 1.21 and 1.22 are the actively supported versions, 1.21 is the best choice. This is because 1.21 introduces at least one new API and does not remove any, while 1.22 removes a large set of long-deprecated APIs that are still supported in 1.20/1.21. + +### Generating additional schema + +If you'd like to change the default schema version, then in the Makefile in this directory, update the `API_VERSION` to your desired version. + +You may need to update the version of Kind these scripts use by changing `KIND_VERSION` in the Makefile in this directory. You can find compatibility information in the [kind release notes](https://github.com/kubernetes-sigs/kind/releases). + +In this directory, fetch the openapi schema, generate the +corresponding swagger.go for the kubernetes api, and update `kubernetesapi/openapiinfo.go`: + +``` +make all +``` + +If you want to run the steps individually instead of using `make all`, you can run +the following commands: + +``` +make kustomizationapi/swagger.go +make kubernetesapi/swagger.go +make kubernetesapi/openapiinfo.go +``` + +You can optionally delete the old `swagger.pb` and `swagger.go` files if we no longer need to support that kubernetes version of +openapi data. Make sure you rerun `make kubernetesapi/openapiinfo.go` after deleting any old schemas. + + +#### Precomputations + +To avoid expensive schema lookups, some functions have precomputed results based on the schema. Unit tests +ensure these are kept in sync with the schema; if these tests fail you will need to follow the suggested diff +to update the precomputed results. + +### Run all tests + +At the top of the repository, run the tests. + +``` +make prow-presubmit-check >& /tmp/k.txt; echo $? +``` + +The exit code should be zero; if not, examine `/tmp/k.txt`. + +## Partial regeneration + +You can also regenerate the kubernetes api schemas specifically with: + +``` +rm kubernetesapi/swagger.go +make kubernetesapi/swagger.go +``` + +To fetch the schema without generating the swagger.go, you can +run: + +``` +rm kubernetesapi/swagger.pb +make kubernetesapi/swagger.pb +``` + +Note that generating the swagger.go will re-fetch the schema. diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/openapi/kubernetesapi/openapiinfo.go b/vendor/sigs.k8s.io/kustomize/kyaml/openapi/kubernetesapi/openapiinfo.go new file mode 100644 index 0000000000..e8b3d8360c --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/kyaml/openapi/kubernetesapi/openapiinfo.go @@ -0,0 +1,18 @@ +// Copyright 2020 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated by ./scripts/makeOpenApiInfoDotGo.sh; DO NOT EDIT. + +package kubernetesapi + +import ( + "sigs.k8s.io/kustomize/kyaml/openapi/kubernetesapi/v1_21_2" +) + +const Info = "{title:Kubernetes,version:v1.21.2}" + +var OpenAPIMustAsset = map[string]func(string) []byte{ + "v1.21.2": v1_21_2.MustAsset, +} + +const DefaultOpenAPI = "v1.21.2" diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/openapi/kubernetesapi/v1_21_2/swagger.go b/vendor/sigs.k8s.io/kustomize/kyaml/openapi/kubernetesapi/v1_21_2/swagger.go new file mode 100644 index 0000000000..b599e539a5 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/kyaml/openapi/kubernetesapi/v1_21_2/swagger.go @@ -0,0 +1,249 @@ +// Code generated by go-bindata. (@generated) DO NOT EDIT. + + //Package v1_21_2 generated by go-bindata.// sources: +// kubernetesapi/v1_21_2/swagger.pb +package v1_21_2 + +import ( + "bytes" + "compress/gzip" + "fmt" + "io" + "io/ioutil" + "os" + "path/filepath" + "strings" + "time" +) + +func bindataRead(data []byte, name string) ([]byte, error) { + gz, err := gzip.NewReader(bytes.NewBuffer(data)) + if err != nil { + return nil, fmt.Errorf("read %q: %v", name, err) + } + + var buf bytes.Buffer + _, err = io.Copy(&buf, gz) + clErr := gz.Close() + + if err != nil { + return nil, fmt.Errorf("read %q: %v", name, err) + } + if clErr != nil { + return nil, err + } + + return buf.Bytes(), nil +} + +type asset struct { + bytes []byte + info os.FileInfo +} + +type bindataFileInfo struct { + name string + size int64 + mode os.FileMode + modTime time.Time +} + +// Name return file name +func (fi bindataFileInfo) Name() string { + return fi.name +} + +// Size return file size +func (fi bindataFileInfo) Size() int64 { + return fi.size +} + +// Mode return file mode +func (fi bindataFileInfo) Mode() os.FileMode { + return fi.mode +} + +// ModTime return file modify time +func (fi bindataFileInfo) ModTime() time.Time { + return fi.modTime +} + +// IsDir return file whether a directory +func (fi bindataFileInfo) IsDir() bool { + return fi.mode&os.ModeDir != 0 +} + +// Sys return file is sys mode +func (fi bindataFileInfo) Sys() interface{} { + return nil +} + +var _kubernetesapiV1_21_2SwaggerPb = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\xec\xfd\x79\x78\x1c\xd7\x79\xe0\x0b\x3f\xdd\x00\x45\xf2\x48\xb2\xa9\xa3\xc5\x51\x5b\x4b\xa9\x29\x11\x40\x13\x68\xb0\xc1\x1d\x5c\xd1\x00\x49\xa1\x09\x92\x30\x21\x91\xb6\x23\x89\x2a\x54\x1d\x34\x8a\xec\xae\x53\xaa\xaa\x06\x05\xe7\xf3\xcc\xc4\xb2\x3d\x9e\x6f\x1e\x3b\x1e\x27\x5e\xee\x38\xd7\xe3\x6c\x1e\x3b\xf1\xc8\x71\xe2\x3b\x49\x1e\x4f\x96\x9b\x1b\x67\x94\x91\xa3\xc4\x71\x66\x9c\x71\x12\x27\x4e\x9c\x79\x32\x9e\x9b\x9b\x78\x32\xb9\x71\x56\xdf\xe7\x2c\xb5\x75\x57\xa3\x1a\x60\x77\xa3\xc1\x7e\xff\x91\xc0\xae\xaa\x53\xa7\xce\xf2\x9e\xf7\xfc\xde\xe5\xa0\x81\x89\xfc\x3e\x7c\x3f\x42\xe7\x6b\x8b\xc4\x36\x89\x4b\x1c\xbc\x7d\xa5\x90\x9f\x28\xe4\x27\x8a\xbf\xff\xa7\x3f\x9c\xc2\x7f\xb1\x07\xdd\x3b\xae\x5a\xc6\xf8\x4a\x61\xbc\x62\x54\x0d\xd7\x56\xcd\x32\x71\xf0\xef\xec\xc1\x5f\x1c\x40\xdb\x35\x6a\x93\x6b\x2b\x85\xcc\x70\xc5\x70\x5c\x85\xda\xca\x4d\xd5\xd5\x96\x15\xba\x78\x9d\x68\xae\xa3\xd0\x25\xe5\x86\x61\xea\xca\x1c\x7b\xf2\x32\x7b\x32\xf7\x38\xbb\x73\x9a\xda\xe4\x4a\x21\xf8\xf5\x2c\xb5\xa7\x2a\x95\x8b\x6a\x95\x38\x96\xaa\x11\x67\x62\x97\x6a\x59\x15\x43\x53\x5d\x83\x9a\xe3\xd7\x1d\x6a\x46\x7f\x59\x55\xab\x95\x89\xdd\xe1\x5f\x56\x4c\x3d\x7f\xc3\xff\x88\xbc\x65\x53\x97\x2e\xd6\x96\x26\x1e\xae\x2f\xe8\x98\xe3\xda\x44\xad\x9e\xe0\x15\x9d\xd8\xd7\x42\x19\x91\x27\x26\x07\x72\xe3\xb9\xd2\xb3\xe8\x0d\x68\xe0\xc0\xbe\x02\xde\x85\x5e\x87\xee\x7a\xda\x54\x6b\xee\x32\xb5\x8d\xb7\x11\x1d\x15\xd1\xc0\xc4\xbe\x7d\xf8\x18\x3a\x8a\xd2\x97\xce\xe3\xfd\xa8\x80\xc6\x77\x8f\xeb\x64\xc9\x30\x0d\xf6\x16\x67\xdc\xa0\xf9\x1b\x47\x9c\xbc\x6a\x19\x79\xd6\x7c\xf9\x95\x42\x3e\x68\x89\x39\xc3\x71\x2f\x6f\x5b\x76\x5d\xcb\xb9\xfe\x08\xba\xf7\xc5\xb1\xa0\x42\x63\xaa\xc6\x0a\xc0\xdb\xf1\x36\xd6\x86\xe8\xfa\x1c\x7a\x34\x72\xbd\x6c\xd3\x9a\x35\xb6\x42\x6c\xc7\xa0\xe6\x18\x6b\x78\x3c\x82\x87\xd8\xff\x27\x43\x3d\x80\xe4\x0d\x93\xca\x4a\x01\xf1\x47\x26\x95\x6c\x16\x95\xde\x31\x88\xbe\x33\x80\xff\x7e\x20\xf3\x37\x03\x78\xdb\x0b\x35\x62\xaf\x66\x5e\x1b\x50\x2b\x15\x7a\xf3\x2a\xfb\xf0\x22\xa5\x37\xaa\xaa\x7d\xc3\x51\x6c\xf2\x42\x8d\x38\xae\x23\xfb\x9a\xac\x10\x93\xfd\xc3\x70\x97\x15\x77\xd5\x22\x4a\xb6\x78\xe9\xd2\xf9\x0b\x53\x97\xcf\x67\xf3\xca\x02\xb1\xd9\xeb\x14\x77\x59\x75\x15\x9d\x2a\x26\x75\x15\xa3\x6a\x55\x48\x95\x98\xae\xb2\xe8\x97\x59\x55\x57\x15\xa3\x6c\x52\x9b\x28\xee\xb2\xe1\x28\x4b\x15\xb5\xac\xa8\xa6\x1e\xba\x45\xb5\x89\xe2\xb0\xa7\x54\x57\x71\x97\xd9\xdf\xac\xe8\x21\x47\xd1\x0d\x47\xb3\x09\x6b\x9a\xbc\x32\x5d\x31\x78\x6d\x9c\x65\x5a\xab\xe8\xfc\x75\xaa\xe3\xd4\xaa\xa4\xae\x20\x9b\xb8\x35\xdb\x24\x3a\x2b\x4c\x35\x57\x15\xc7\x22\x9a\xb1\x64\x68\x8a\x61\xba\xc4\x5e\x51\x2b\xa3\x8a\x49\x6d\x5e\x2d\x77\x99\xac\x7a\x85\x04\xef\x55\x6e\x1a\x95\x0a\xab\x8f\xce\x9f\xf7\x3e\x59\xb4\x86\xa2\xd7\x6c\xc3\x2c\x2b\xaa\xe2\x10\xc7\xe1\x15\x9b\x5d\x12\x1f\x66\x38\xa2\x52\xa2\xf1\x46\xe5\xd7\x1a\xa4\xa2\xb3\x4b\xa2\x09\x74\x79\x3b\x51\x96\x88\xea\xd6\x6c\xa2\x94\x55\x97\x28\x75\xdd\x20\x4b\x22\xa6\xba\x58\x21\xba\x62\x98\x8a\x6a\x19\xa2\x72\xcd\x8a\xcd\xde\x1b\xd3\x9f\x13\xdb\x17\x29\xad\x10\xd5\xfc\x78\x2a\x55\xfa\xf3\x9d\xe8\xff\xde\x89\xff\xfb\xce\xcc\x7f\xdb\xe9\x0d\x82\xff\xb8\xf3\xa9\x65\xa2\x68\xd4\x74\x0d\xb3\x46\x14\x6a\xb1\x96\xf6\x1a\x78\x91\xb5\x87\xab\xdc\x5c\x26\x26\x6b\x53\xdb\x20\x2b\xec\xc3\xab\x94\xb7\xb1\x53\xab\xb8\x8e\xb2\x64\xd3\x6a\xa8\xe5\xf2\xca\x82\x61\x6a\xb2\x9f\x57\xd4\x4a\x8d\xb0\x2a\xca\x56\xe5\xf3\x84\xe8\xa3\x8a\x26\x3b\x92\xf5\x00\x35\x2b\xab\x4a\xcd\x11\xcd\xef\x57\x44\x3c\xca\x0b\x57\x15\xcb\x26\x2b\x06\xad\x39\x0a\xaf\xb3\x7c\xb5\x18\x93\x86\x4e\x4c\xd7\xd0\xd4\x8a\xbc\x66\xa9\xb6\x5a\x25\x2e\x1b\x95\xc3\xe4\x45\x8d\x58\xae\xb2\x44\x6d\x5e\xb6\x28\x92\x2e\xf9\x2f\x19\xe1\x63\x30\xd4\xeb\xac\x3a\x36\x61\xc2\x4d\x51\xeb\xab\x62\xb0\x11\x4e\x44\xaf\xd8\x44\xa3\x65\xd3\x78\x1b\xf1\xbb\x52\x8e\x30\xa2\x37\x3c\xc6\x9e\x50\x2a\xd4\x2c\x13\x9b\xfd\x64\xe8\xac\x39\xdd\x65\xd6\x1a\x35\xa2\xb8\x54\x21\x2f\x5a\x86\xcd\x45\x94\x32\x5c\x26\x26\xb1\xd5\x4a\x65\x55\x59\x32\x56\xf8\xd5\x25\x63\xc9\x25\xc4\x54\xaa\x86\x59\x73\x89\x33\xc2\xa4\x30\xaf\xdb\x92\x51\xae\xc9\xc7\xb4\x65\x36\xf3\x15\x6a\x86\xbe\x65\xb4\x61\x34\xdb\xc4\xb1\xa8\xa9\x8b\x66\x53\x95\x03\x85\x7d\xca\x65\xe2\xd0\x9a\xad\x91\x33\xac\x0a\x44\x57\x88\x6d\xb3\xb6\xa2\x65\x51\x41\x79\xa7\xff\x45\x2e\xbd\x41\x4c\xff\x93\x45\x1f\x2a\x26\x21\xba\x23\xee\x72\x0c\xc7\x65\x3f\x31\xf9\x35\xca\x1a\xac\x5a\x73\x58\x63\x39\xae\x6a\xf3\x59\x6d\xd8\xfc\x1a\x2f\x98\xd6\xdc\x68\x8f\xf3\xf1\x9c\x57\x2e\xb1\x57\xdf\x34\x1c\x32\x1a\x7e\x0b\xeb\x19\x39\x1d\x29\xaf\x1b\x2f\x47\xca\x2a\x29\x9d\x96\x65\x0d\x59\xf7\x10\x63\x85\xe8\xc1\xef\xec\x63\xf9\xc7\x25\x36\x0b\x2f\x97\x57\x98\x8d\x74\x7f\x70\x9b\xe4\x45\x57\xb9\x41\x56\x47\x95\xc5\x9a\x1b\xfc\x5c\x51\x5d\xf6\x7e\xc7\x54\x2d\x67\x99\xba\xa3\xca\xcd\x65\x43\x5b\xe6\x93\xd2\x0c\x35\x88\x7f\xbf\x3f\x90\x65\xf5\xc5\x14\x1a\xf3\x57\x54\x2e\x48\x99\x04\xd3\x6c\xa2\xba\x6c\xa6\x54\xa9\xce\xc7\xd5\x28\xeb\x78\x9d\x54\x88\xcb\xc4\xda\x92\x4b\xc4\x98\x5e\x32\x6c\xc7\xad\x6f\x8c\x4a\x85\xcd\x5c\xc3\xd4\x2a\x35\x5d\xc8\x0e\x76\xab\xf8\x50\xd6\xae\xaa\xc3\x07\x24\xfb\xbf\xe8\x94\x1b\x64\x55\x08\xce\xa0\xe0\xac\xf7\xc5\xd9\x3c\x42\x4f\x45\xe4\x0d\x9b\x01\x4e\xcd\xb2\xa8\xcd\xea\xc2\x85\x83\x58\x2b\x0c\x47\x71\xed\x1a\x09\xe4\x34\xef\x35\xde\xf9\x52\x22\x86\x5b\x4e\x34\x00\x1f\x7f\x57\xc4\x9a\x25\xa7\x8c\x2f\xbd\x17\x57\xc3\xbd\xc5\xe6\x2a\x7b\x75\xd5\x70\x1c\x2e\x95\x45\xd3\x88\xd5\xdd\xc9\x67\x77\x78\x23\x69\xe2\x0e\xc7\x65\x02\x9a\x49\xbc\x7f\x9e\x42\xef\x4c\xe1\xef\x4d\x65\xfe\xa9\x27\xf0\x9e\x99\x52\x1c\x52\x21\x9a\xcb\x47\x3a\x1f\x9d\xb6\xa1\x89\xb1\x28\xd4\x9c\xa5\xa0\x06\x5e\xbf\x88\x9a\x18\xb6\x68\x04\x27\xaf\xcc\x90\x25\x95\xf7\x1d\x9b\xc0\x2b\xc4\x5e\x75\x97\x0d\xb3\x9c\xcf\xde\xcd\x6f\x58\x90\x2f\xe8\x64\x4d\x2a\xea\x22\xa9\xac\x55\x13\x7e\x43\x5c\x4d\xfe\x16\xa1\xbf\x46\xf8\x7f\xa1\xcc\xb7\x90\x57\x95\xdf\x46\x5c\xfb\x63\x3d\xa8\x2a\x55\xf5\x45\xa3\x5a\xab\x2a\x66\xad\xba\x48\x6c\x51\x0b\x31\x74\x1c\x51\x4f\x56\x25\x2e\x55\xe5\x74\xd1\xd4\x4a\x85\x8b\x05\xbe\x30\x18\x2e\xa9\x3a\x0a\x79\x91\x0b\x81\xc6\x25\x55\x7c\xdf\xf3\x5e\x67\x3d\x2f\xc7\x95\x14\x5e\xbc\xbc\x2a\x71\x55\x5d\x75\x55\xf6\x36\x55\x0e\x0a\x3e\x33\x34\xd5\x64\x23\xbb\xe6\x84\xe7\xb6\xa3\x56\xd9\x60\x37\x5c\xc3\x5f\x04\x44\x2d\xd9\x72\x45\x82\xd9\xcb\x5e\x2d\xbe\x85\x35\x17\x53\x5e\x5c\x57\x2c\xe3\xe2\xdb\x85\xf0\x17\xdf\x46\x6e\xf2\x69\xa0\x7a\x33\x87\xcf\x2c\x36\xf1\xaa\xb4\x66\xf2\x62\xc4\x57\x0e\xd7\x2c\xf6\xb2\xb7\x11\x9b\x8a\x5f\x46\xbc\xd9\x26\x34\x05\x95\x0b\x18\xef\x69\xaf\x0f\xd9\x4c\x5b\x32\x2a\x2e\x61\x32\x97\xc9\x41\x36\xb4\xb5\xa8\x6e\x13\x59\x15\x2d\x9b\x38\x84\xad\xaa\x74\x29\x46\x66\xb2\x1a\xe8\x6c\xc9\xab\x1a\x26\xf1\x57\x97\xc8\x22\xcd\xe7\xf6\x8a\x6a\x54\x98\x36\x11\xe8\x6d\xec\x93\xb5\x65\x4a\x1d\xc2\x67\x96\x4b\xbd\x79\x2d\xfb\x82\x35\x8b\x6a\x97\x6b\x5c\x9d\x53\xb9\x90\xe4\x1f\xc4\x1b\x89\x7d\x9b\xac\x8f\x5f\x74\xd0\xba\xb3\x4b\x8a\x3f\xa4\x82\xc5\xd1\x5b\x6f\xeb\x3e\xc0\x70\x14\x52\xb5\xdc\xd5\xa8\x62\xe0\x6b\x65\xaa\xcb\xd6\xd0\xb5\x3e\x68\x2d\x01\x65\x2c\xd5\x89\x27\x26\xcf\xfc\x51\x59\xae\xa9\xb6\x6a\xba\x84\x48\xe1\xcb\x6a\xe7\xf5\x93\x3f\xf9\xb8\x8c\xab\x39\x6c\xb4\xf8\x35\xf7\xc5\xac\xaf\x80\xb8\x54\x31\x1c\xa7\x26\x55\x43\xc3\x2c\x57\x48\x30\x3f\xfc\x35\xcf\x1b\x6e\x63\xe2\x7d\x86\xc3\x74\x51\xff\x95\xeb\x93\xfb\x9e\xc8\xe7\x9a\xa7\x53\x23\x7a\xac\xf0\xe7\x1a\x70\x6d\xd1\x61\x37\x9b\xae\xff\x05\xba\xaf\xea\xcb\xf6\x63\x3d\x45\xab\xc4\x35\xaa\x84\x7d\xfb\x12\xb1\xd9\xf8\x64\x73\xb0\x6e\x7d\x0f\x96\x3b\xd6\x9f\xc4\x74\x6a\xb6\xd7\x7c\xaa\xb7\x60\xcb\x8f\x93\xad\x26\x3e\x99\x4f\x4b\xbe\x34\x2b\x4e\x55\xad\x54\x88\xad\x68\xcb\x35\xf3\x06\xdf\x49\xaa\x0a\x13\x5e\x4a\x45\xb5\xcb\x5e\x37\xf3\xf9\x2e\x8a\x17\x7a\xba\x43\x08\x1f\x76\x16\x75\x1c\x83\x0d\x37\xd9\x6c\x7c\xb8\x85\x67\x57\xcd\xd2\x59\x33\x06\x9a\x3a\x7f\x0f\xd1\x45\x7f\x70\x65\x50\x2e\x39\x72\x04\x8b\x87\x45\xad\x6f\xaa\x8e\x9c\x71\xfe\x6e\x84\xb5\x49\xe3\x7a\x2b\xb4\x50\xd5\x61\x1d\xac\xd5\x2a\xfc\x8d\x46\x30\x6c\xf2\xd9\x6d\xfc\xbb\x27\xb6\xb3\x6d\x47\x99\xd8\x4c\xf8\x5e\x42\x17\xf0\xf9\xcc\xac\x27\x78\xc7\x66\x97\x94\x21\x36\x2a\x87\xb8\xac\x14\xb2\x83\xd6\x5c\xab\xc6\x5b\xcf\xb2\x89\xeb\xae\x2a\x96\xcd\x4a\xd0\xf3\xd9\x3b\xc4\x0f\x61\x69\xfe\x77\x29\xf4\xed\x14\xfe\xab\x54\xe6\x7f\xa6\xbc\x42\xbf\x98\xaa\x5f\x58\x1d\xe2\x7a\x7d\xe8\xda\xaa\xc1\x44\x98\xa9\xdc\x64\x1f\xeb\xdd\xe9\x35\x08\xbb\xcd\x1b\x56\x6c\x12\x2e\xca\x99\xa2\xf3\xa5\x9b\x89\x0e\xa2\xf0\xfd\xeb\xe4\xf8\x78\x68\x37\x6d\xd0\x71\x9d\x6a\xce\x38\x1f\x36\x4c\x54\x8d\xf3\x8e\x1f\x53\x2d\x63\x5c\xb5\x8c\x31\x8d\x9a\x4c\x17\x77\xc6\x77\x7b\x2f\x1c\xf3\x5f\xb8\xc4\x47\xb8\xab\x1a\x15\x27\x8f\x50\x78\x3d\xab\x99\x0e\x71\xb3\xaf\xaf\xfb\x9a\xf0\xd7\x7f\x35\x8d\xbe\x92\xc6\xbf\x9d\xce\x7c\x29\xed\x7d\xfd\x27\xd2\x75\xf7\x5f\xe0\xb3\xdf\x97\x90\x8e\xb2\x4c\x6f\x36\xa8\x1e\x6c\xe5\xb3\xac\x8a\x21\x46\xbc\x3f\x6d\xd9\xd0\xe2\x3d\xb1\x6c\x94\x97\x2b\xab\x5c\xf3\xaf\x56\x89\xc9\xa6\x96\x1b\x6e\xbf\xc8\xbb\xe4\xbe\x89\x7d\x58\x50\x12\x93\x22\x42\x82\xd5\xbf\x98\xdd\xbb\x09\xed\x7a\x5f\x5c\xdd\xc3\x8d\xfb\xb1\x14\xfa\x68\x0a\x7f\x24\x95\xf9\xa0\x3f\xb4\xac\xa7\x8c\x2a\x61\x62\xcc\xdb\x54\xb1\xef\x1b\x17\xf2\x55\xa8\x01\x5c\x94\xf0\x71\xcf\xb5\x4b\x36\x05\xc5\x2e\xc5\x5b\xbb\xd4\x4a\x65\x54\xb1\x49\x59\xb5\xf5\x0a\x71\xc4\xdc\x37\x57\x15\x55\x73\x8d\x15\xc3\x5d\x65\xf2\xce\x30\xbd\x7f\xe5\xb3\xaf\x73\xc5\x1b\x17\x88\x46\x4d\xdd\x89\x4c\xa6\xcf\xa6\xd0\xcb\x29\xfc\x13\xa9\xcc\x27\xfd\x0a\xfe\xcb\xd4\x55\xa1\x68\x52\x5b\xee\x8b\xf8\x17\xf3\x9a\x10\x47\xb3\x8d\x45\x2e\xf8\xc4\x87\x3b\x5c\x80\xc9\xf5\xcc\x5d\x26\x55\x21\xea\x04\x11\xe2\x15\xd3\xf5\x51\x29\x4c\x46\xe5\xbd\x55\xba\xc2\x57\xcb\x90\xea\xa9\x2c\xf0\x05\x6e\xb5\xbe\x6f\xf3\xd9\x6d\x82\x43\x85\xf6\xe0\xf8\xa7\x87\xd1\x88\x87\xdc\xf8\xd5\x71\xd3\x07\x63\xe3\xdf\xe3\xff\xfd\xf6\x71\x8b\xea\x0e\x7e\xd7\x30\xfe\xf0\x60\x00\xe2\xa8\x5c\xc9\x4c\xdd\x58\x31\xf4\x9a\x5a\x09\x7f\xa3\xea\x6b\x8d\xf3\x54\xcf\x2b\x3a\xb1\x6c\xa2\x31\xa1\x34\xe9\x2b\x12\x43\xfc\xf9\xa1\x60\x97\x1c\xd9\xf6\x50\x8b\xc8\xbe\x32\x4c\xc7\x25\xaa\x9e\xcf\x3d\xc4\x1f\x10\x40\xcf\x07\x78\xfa\x3c\xd5\xe7\x0c\xc7\xed\x75\x8e\x77\x03\xcd\x0b\x5c\x37\x8b\xce\x71\x5c\x37\x85\x4e\xa1\x13\xcd\x70\x5d\x55\xd5\x96\x0d\x93\xd8\xab\x79\xeb\x46\x99\xfd\xe0\xe4\x99\x22\x9a\x5f\x29\xe4\xf9\x90\x3a\xc3\x34\xba\xa6\x64\xd0\xa3\x7a\xbb\xe3\xa9\xde\x5d\x18\xf1\x8a\x09\xb4\x77\x26\x19\xed\x65\xb1\x12\xd0\x3b\x01\xf9\xe6\xa9\x1e\xa1\x7b\xc0\xf4\x80\xe9\x01\xd3\x03\xa6\x07\x4c\x0f\x98\x1e\x30\x3d\x60\x7a\xc0\xf4\x80\xe9\x01\xd3\x03\xa6\x07\x4c\xaf\xcb\x4c\xef\x79\xf4\x1c\x7e\x26\xfb\xd6\x1d\x29\x3c\x68\xa9\xee\x72\x66\x52\xbe\x99\x6d\xe6\x79\x73\xb2\x6d\xa2\xe2\x68\xd4\x22\xa3\x8a\x53\xd3\x96\x59\xeb\x73\x0d\x96\xa8\x55\xc1\x20\x2c\x9b\xf2\x2f\xcd\xee\xf4\x09\x40\x4e\x8a\xf7\x8f\x00\x35\x04\x6a\x08\xd4\xb0\xbf\xa9\xe1\xb7\x86\xd1\x69\xd6\x75\xce\xb8\x46\xa9\xad\x1b\x26\x2f\x84\xa3\x2b\x83\x26\xa2\xc4\x0a\x51\x1d\xe2\xe0\x4f\x0f\xe3\x5f\x18\x44\xaf\x0f\x97\x70\x6d\xa5\x90\x79\xa1\x35\xa8\x38\xc7\x0a\x69\x13\x56\xdc\x23\xb1\x62\x50\x91\x30\x5e\xe4\x6f\x02\xc0\x78\x0b\x80\xf1\xcd\xc9\x80\xf1\x20\xde\x2f\x01\x63\xcc\x88\x92\xc4\x91\x77\x04\x30\x47\x60\x8e\xc0\x1c\x81\x39\x02\x73\x04\xe6\x08\xcc\x11\x98\x23\x30\x47\x60\x8e\xc0\x1c\x81\x39\x02\x73\x04\xe6\x08\xcc\x11\x98\x23\x30\xc7\xdb\x94\x39\xfe\xf5\x33\x68\x8f\x60\x8e\x8e\x4b\x6d\xb5\x4c\x42\xb8\x51\xfe\xa2\x55\x54\xc7\x21\x0e\xfe\xe2\x33\xf8\x5f\xed\x41\x48\xfe\x7a\x6d\xa5\x90\xc9\xad\x1d\x32\xbc\x20\xee\x9c\x66\xcf\xe7\x1e\x64\xf7\xca\x5f\xae\x14\xc2\x97\x7a\x1c\x00\x16\x81\x86\x01\x0d\x2b\x02\x0d\x03\x1a\x06\x34\x0c\x68\x58\xdf\xd0\xb0\x62\xcf\xd0\xb0\xb6\xd7\x64\xc3\x34\xac\x08\x34\x0c\x68\x18\xd0\x30\xa0\x61\x40\xc3\xba\x4f\xc3\x8a\x7d\x8d\x96\x8a\x80\x96\x3a\x87\x96\x8a\xbd\x8e\x96\x8a\x5b\x10\x2d\x95\x16\xd1\x39\xe1\x38\x75\x1a\x9d\xe4\x8e\x53\x47\xd0\x21\x74\xa0\x69\x22\x35\x8f\x3f\xad\x14\xf2\x61\x3a\x34\x67\x38\xc9\xfe\x52\x49\x69\xd6\xde\x9a\xec\x2a\x75\x18\x1f\x94\xae\x52\x51\x10\x26\xbd\xa4\xc2\x55\x8a\x38\x4b\x65\xff\xc5\xce\x08\x13\xbb\x5f\xac\x43\x8a\x1a\xc5\x5f\x6f\x14\x3f\x77\x16\x80\x09\x5e\x75\x16\xcd\xa0\x22\x1e\x5c\xa4\xfa\x6a\x86\xff\x57\x49\xe5\x26\xd0\xbe\xf5\x36\x7c\xf1\x63\x69\xf4\xd1\x34\xfe\x48\x3a\xf3\x41\x5f\xe2\x7c\x3b\x75\x95\xad\xe7\x52\xc4\x8f\x72\x77\x42\x8d\x6d\xe4\x84\x88\x88\x6c\x2b\xc2\xa8\x69\x91\x28\x16\x6b\x33\xa6\xcb\xe5\x95\x29\x53\x31\x4c\xb1\xa1\xa7\xb6\x52\x33\x7d\x26\xa0\x2b\xba\xbd\x7a\xb9\x66\x2a\xba\x61\x13\x36\x2f\x88\xbf\xd1\x64\xeb\x05\x5f\x90\xe5\x4e\xdb\xd3\xab\xe5\xde\x46\x59\xaa\xd9\x5c\x77\xb3\x6c\xaa\x11\x87\xaf\x9c\x72\x1a\x4a\x19\x9f\x57\xae\xf0\x37\x72\x9d\x98\x2f\x75\x93\xca\x98\x32\x55\xa9\x4c\xf2\x75\x51\xb7\x57\x15\xbb\x66\xb2\x3d\x17\x9b\x48\x9e\x32\x20\x8b\x23\x7a\xf6\x0e\x51\xb5\xb0\xd4\xf8\x50\x1a\x7d\x7f\x1a\xbf\x3f\x9d\x79\xaf\xdf\x40\xdf\x4c\x71\x55\xea\x82\x6a\xaa\x65\x62\x8b\x4d\x81\xb0\xd6\x38\x0e\xd5\x0c\xbe\xce\xf9\xea\xb7\xca\xf7\x2f\xd4\x56\x98\x1a\xe4\xae\xfa\x0b\x7f\x55\xbd\xc1\xea\xef\x2e\x13\x87\x78\x53\x9b\x89\x1b\x0f\x8c\x70\x36\xb0\x48\x14\x2e\x54\xb8\xaa\x4d\x6d\xa5\x30\x71\x84\xdd\x6b\xab\x1a\x27\x38\x6c\x97\x2a\x26\x32\x57\x87\x99\xe6\xa2\x1a\xa6\x30\xdd\x70\x75\x33\xb8\x97\xef\x6a\x25\x5f\x62\x9b\x24\x4f\x38\x97\x69\x45\x35\xcb\x79\x6a\x97\xc7\xad\x1b\xe5\xf1\x9a\x69\x68\x54\x27\xe3\xbb\x67\x9d\x79\x56\x4a\x3e\x7b\x57\xf8\x5b\xc3\xa4\xfe\x2f\x53\x68\x5a\x4c\xfd\xe3\x68\x92\x4f\xfd\x03\x68\x03\x23\x10\x3d\xc9\x0a\x29\x70\x87\xcb\xed\xd3\x42\xbd\xdb\x60\x49\xb3\xac\xa4\x09\x5c\x44\xa7\xd1\x8e\x29\x8d\x2d\x24\x1b\x2e\x6a\xe3\xb2\xc8\xa2\x1d\x96\x45\xb9\xdf\x19\x8d\xc8\xa2\xc7\x84\xf6\xab\x68\xb4\xc2\xf6\xb2\x72\x6d\x8a\xc8\xa5\x27\xc4\x2d\xbe\x5c\x9a\xf6\x6f\xed\xa0\x84\x7a\x0a\x5d\x46\xf3\x61\x09\x95\x2b\xa2\xd3\x1b\xf0\xa8\x9d\xe1\x75\xbf\xc4\xc1\xab\x03\x88\x16\x10\x2d\x20\x5a\x40\xb4\x7d\x84\x68\x41\x43\x4b\xd0\xd0\x7a\x87\x61\x7f\x23\x8d\xbe\x9e\xc6\x5f\x4b\x67\x7e\xd7\xef\xaa\xcf\xa6\x9f\x0a\xef\x1a\x0d\x53\x71\xc4\xce\x4f\x59\x24\x4b\xc2\xe0\xeb\xd3\x95\x60\xc9\x92\xb3\x84\x37\x56\x48\x17\x34\xa9\x39\x66\x92\xb2\xca\xbb\x44\x6e\x1c\xc3\x3a\xa3\xe0\xac\xfe\x60\x90\x8a\x81\x51\xad\x12\x9d\x69\xa5\x95\xd5\xc0\x12\x1b\x88\x76\xa3\x32\x2a\xf7\x93\xfc\x73\x95\xb2\xad\x6a\x7c\x9c\x18\x54\xf7\x17\x9e\x60\x71\xe0\x46\x6e\xaf\x5f\x6a\x0e\xab\x64\xb8\xa1\x54\xf6\xa4\xf7\x41\xf2\x25\x4b\x62\xbe\x79\x45\xe4\x45\x3d\xab\x44\x35\x63\xeb\x98\xc5\xbc\x0a\xf3\xbc\x06\x71\xfb\x64\x30\x15\x80\xa9\x00\x4c\x05\x60\x2a\x00\x53\x41\x5f\x9b\x0a\xbe\x94\x46\xaf\xa5\xf1\xab\xe9\xcc\x2b\xfe\x6a\xfb\xf1\xf4\x4c\x28\xa8\xd5\xe2\xd1\xb2\xfe\xd4\x9f\xb7\xa9\xa5\x96\xf9\x3a\x3c\x4f\x2b\x86\xb6\x1a\x71\x14\xf2\xba\x3b\x88\x8a\x65\x1d\x5e\xc8\x1f\xce\x2b\x0b\x42\x8e\x88\x45\xd2\x22\x26\x1b\xa6\xc1\x2a\x42\x14\x6a\x5b\xcb\xaa\xe9\x39\x2e\xd9\x35\x32\xbe\xa4\x56\x3c\xed\x3f\x2b\xae\x66\x95\x25\xc3\x54\x2b\xc6\xdb\x3c\xf1\xbd\x48\x14\x55\xe7\xdc\x9d\x8e\x0b\x0c\xab\x07\xaa\xa5\x28\x7c\xc8\x09\x1e\x12\xfa\x76\x5e\x39\x63\x70\x91\x14\xaa\x38\xb5\x1b\xbf\x2c\xb0\x75\xb8\x42\xdd\xe7\xda\x1f\x75\x97\xf3\xd9\x5d\xa2\x3e\x33\xde\x87\x44\x3d\xa0\xde\x33\x88\xde\x35\x88\xdf\x31\x98\xf9\x8e\xef\x06\xf7\x95\x81\xab\x52\x0e\xb2\x21\xba\x4c\x6f\x2a\x65\xd5\x5e\x54\xcb\x11\xe2\xe0\x2b\x6a\xc4\x5e\xa2\x76\x95\xb5\x45\x6c\x4d\x2f\xd5\xbd\xbc\x79\x45\xb9\x5a\xe3\xe9\x24\x96\xf8\x2a\x83\xe9\x0b\x9a\xa1\x07\x8a\x35\x5f\x1b\xf9\x36\xc7\x6f\x5d\xb6\x38\xc9\x95\xc3\x5b\xfd\xf2\xa1\x66\xf4\xe4\xa6\x6f\x60\xf0\x9d\xdf\xa2\x2f\xcb\x2b\x02\x21\x71\x59\x1c\xd6\x56\x87\xc4\x37\x0c\xb1\x3d\x0f\xff\x2b\x3a\x30\x9c\x63\xca\x50\x51\xd5\x6e\x94\x6d\x5a\x33\x75\x76\x17\xf7\x3a\xe3\x37\xd5\x35\x9c\x50\x56\xa4\x06\x14\x2d\xc4\xfb\x82\x45\xbf\xa4\x63\xca\xd0\x59\x6a\x93\x50\xb1\x8a\xa6\x3a\x9a\xaa\xb3\xaf\x97\xed\x23\xfc\x0c\x79\x79\x8e\x50\xa7\x1b\x0a\x5c\xf2\xcb\xc8\x67\xef\xb1\xea\xc7\x4d\x58\xb7\x01\x4b\x1c\x58\xe2\xfa\xd4\x12\x57\x2a\xa3\x39\x81\xb6\xcf\xa0\x69\x8e\xb6\x4f\xa0\x63\xe8\xe8\x06\xe0\xe5\x82\xab\xba\xb5\x64\x9c\x9c\x8b\xc7\xc9\xf7\xe2\x7b\xc4\x6c\x0e\x24\x6d\x47\xd1\x72\xdb\x23\x45\xf0\x7f\x4a\xa3\x6d\x3c\x47\x2e\xfe\xa5\x34\xfe\xf9\x34\x1a\xd4\xa8\x4d\x32\x99\x32\x71\x43\x9a\xee\xd4\xfc\xac\x2f\x25\x72\xb8\x4c\xf8\xb1\x53\x53\xf3\xb3\x72\xf8\xb4\x11\x4c\x37\x14\x34\xd9\x50\xd0\x64\x2b\x05\x95\x2a\xe8\x4d\x62\x80\x94\xd0\x93\x7c\x80\x14\xd1\x69\x74\x72\x03\x03\x24\xf4\x99\x49\xa3\x04\x7f\xea\xbb\xd1\xdd\x5e\xc2\x61\x93\xea\xc4\xc1\x1f\xfe\x6e\xfc\x7b\x4f\x04\x49\x85\xb3\x6b\xbb\xea\x5f\xa4\x3a\xc9\xbd\x2e\x38\xd7\x8b\xfd\x1b\xfc\xf2\xc1\x2f\x1f\xfc\xf2\xc1\xe8\x03\x46\x1f\x30\xfa\x80\xd1\xa7\x67\x8c\x3e\xbd\x63\xd3\x00\xd8\x0e\xb0\x1d\x60\x3b\xc0\x76\x80\xed\x7d\x0d\xdb\x81\x06\x02\x0d\xec\x53\x1a\xb8\x25\xfd\xf2\xaf\xa2\xe3\x02\x50\x1d\x44\xfb\x39\xa0\x1a\x43\x7b\xd1\x48\xe2\x01\xe7\x17\xa9\x4e\xda\xe2\x8c\x7f\x36\x99\x52\xee\xc6\x8f\xd5\x1f\x8c\xc4\x5e\x1f\x75\xbc\xff\xe9\x1d\x01\xde\xba\xdb\xf7\xba\xe7\x24\x6b\x97\xf8\x67\x07\x58\x96\x40\x4f\xc7\xd0\x51\x74\xb8\xce\xc5\x7e\x08\x3d\xd1\x52\x1b\x82\xd7\x16\xf8\xd5\x6f\xd0\xaf\xfe\xb7\x52\xe8\x88\x98\xba\x05\x34\xce\xa7\xee\x08\x6a\x75\xd8\xa1\x13\xc2\x99\xfe\x10\x3a\x10\x38\xd3\xaf\xe3\xf1\x93\xc2\x83\xfe\x30\x3a\x18\xf2\xa0\x5f\xc7\xf3\x49\x52\xa3\x4d\x52\x21\xc9\xfd\x3e\xf7\xf2\x68\x20\x35\x1e\x8c\xf5\x8f\xe7\x12\x24\x23\x2e\x09\x09\x12\x38\xc5\x77\x40\x96\x80\x33\x3c\x70\x51\xe0\xa2\xc0\x45\x81\x8b\x82\x33\x3c\x38\xc3\x83\x33\x3c\x38\xc3\x03\x9f\x07\x3e\x0f\x7c\x1e\xf8\x3c\xf0\x79\x70\x86\x07\x67\x78\x70\x86\x07\x67\x78\x30\x7f\x81\xf9\xab\x07\xcd\x5f\x3d\xed\x0c\xdf\x26\xa0\xdc\x7e\xc7\xf7\xbf\x1f\x46\xc7\x3c\x5f\xed\x35\x4f\x74\xb4\x89\x8f\x90\x99\x06\x65\xb3\x8f\xb3\x1d\xfc\x1f\x86\xf1\x6b\x83\x01\xc4\xfe\xde\x54\x6b\x47\x3b\x5e\x0e\x4a\x9b\xf6\x4b\x6b\xd3\x51\x8f\x79\x79\xd4\x23\x37\xb7\xf9\x47\x3c\xc6\xbe\x11\x8e\x7c\x8c\x1f\xda\x57\x93\x87\xeb\x01\x3c\x51\x3f\x5c\x63\x9b\x38\x6a\x10\x69\xe5\x2c\x49\x38\xf1\x11\x7c\xe9\xe1\xc4\x47\xb0\x19\x81\xcd\x08\x6c\x46\x7d\x64\x33\x82\x13\x1f\xe1\xc4\x47\x60\xf5\xc0\xea\x81\xd5\x03\xab\xef\x09\x56\x0f\x27\x3e\x6e\x31\xfe\x09\x27\x3e\xc2\x89\x8f\x5b\xcb\xfd\x1f\xff\xf6\x08\x3a\x2d\x4e\x7c\x5c\xe4\xf0\x71\xa5\xb0\x48\x5c\x35\x01\x45\x6a\x36\x35\xaf\xd3\x45\xf9\xe3\xdb\xf1\xf7\x8d\xe0\xff\x31\x88\xee\xe6\x25\x5c\x93\x25\x64\x5e\x96\x24\x32\x8c\x1f\x4d\x4f\x76\x7a\x99\x26\xa6\x6d\x6a\x96\xe8\x62\x5b\xc0\xe3\x68\xa0\x27\x71\x5d\x50\xae\xaa\x4c\xd5\x0a\x14\xc0\xa1\x88\xce\x1d\x2a\x3b\x9f\xcb\xf2\xd7\x15\xd9\x7f\xae\x88\x6f\x08\xe0\xa5\xac\x27\xa0\xca\x46\x54\xf9\x68\x3c\x51\xdc\x81\xef\xe0\x15\x43\xd7\xdf\x94\xcc\x32\xf3\x78\x54\xb2\x4c\x3e\x86\x24\xce\x94\x8d\x1e\x06\x98\xbc\x5b\x00\x50\x02\xa0\x04\x40\x09\x80\x12\x00\x25\x00\x4a\x00\x94\x00\x28\x01\x50\x02\xa0\x04\x40\x09\x80\x12\x00\x65\xb7\x01\xe5\x01\x34\x81\xf7\x65\xf3\x3e\xa0\xbc\x97\x93\x49\x59\x0b\xb9\x7d\xcb\x0e\xb2\x1f\xc3\xd0\x11\xb0\x26\x60\x4d\xc0\x9a\x80\x35\x3b\x88\x35\x3f\xfc\x2c\x1a\x17\x58\x53\xb5\x2c\x87\xe7\xc1\x8d\x47\x99\xba\x4a\xaa\x4c\x19\x74\x1d\xfc\xc7\xcf\xe0\xbf\x7f\x02\x6d\x67\x0f\x5c\x5b\x29\x64\x86\xd6\xce\x91\x3b\xc3\x1f\x5c\x20\x6e\xee\x61\x76\xe3\x94\x65\x39\x61\x6f\x47\xff\x72\x8f\x23\x43\xc8\x9b\x0b\x28\x0d\xf2\xe6\x02\x4a\x03\x94\x06\x28\xad\x8f\x50\x5a\x0f\xa5\x3f\xe8\x19\x94\x06\x71\xf9\x80\xd2\x00\xa5\x01\x4a\x03\x94\x06\x79\x73\x21\x70\xf8\xf6\x21\x4c\x3d\x1f\x38\xbc\x25\xf3\xe6\x3e\x83\xa6\x84\xab\xd5\x24\x3a\xc2\x5d\xad\x26\xd0\x3e\x94\x6f\x9a\xfd\x52\xb5\x2c\x87\xe7\x65\xf4\xb8\x50\x4b\xc9\x73\x2f\x24\xbb\x4e\xe5\xf0\x70\x38\xc0\x53\xba\x51\xb1\xd7\x49\x2f\x2a\xff\x8d\x6b\x65\xc3\xe4\x71\x9f\xd9\x3f\xda\x11\xe0\x2f\xec\xe7\xd0\x0d\x48\xd7\xa3\xe2\xb7\xce\xb3\x2e\x81\xa6\x4e\xa3\x93\xe8\x78\x5d\x5e\xdd\x51\x94\x6b\xbd\x8d\x21\x0b\x1c\x24\xd7\xdd\x60\x72\xdd\xaf\xa7\xd0\xb4\xc8\x71\x7b\x1c\x4d\x86\x72\xdc\xe6\xd1\xba\x46\x60\xd3\x19\x2e\x12\xf0\xee\xe3\x09\x78\x99\xf4\x58\x6f\xb9\x45\x91\xbf\xf7\x18\x3a\x1a\xe4\xef\x5d\x67\x19\xc9\x19\xba\x79\x8e\xdc\x36\x0b\xa1\xdc\xaf\x8d\x06\x42\xe6\x91\xd8\x94\xbb\x81\xc0\x19\x11\xd7\x85\xc0\x09\xe5\xdd\xed\xb8\xe8\x81\x34\xbc\x80\x59\x01\xb3\x02\x66\x05\xcc\x0a\x69\x78\x21\x0d\x2f\xa4\xe1\x85\x34\xbc\x80\xfb\x01\xf7\x03\xee\x07\xdc\x0f\xb8\xbf\x2d\xb8\x1f\xd2\xf0\x42\x1a\x5e\x48\xc3\x0b\x69\x78\xc1\x9a\x06\xd6\xb4\x3e\x4a\xc3\xdb\x1a\x4b\x5e\x8b\x1f\x47\xb2\xf1\x6e\xbd\x48\x12\xfc\x97\x77\x06\xf9\x7e\x9b\xf8\xa4\x33\xd1\x62\x68\x44\xd5\x34\xb6\xcb\xf0\xb2\x6c\x8c\x73\xb8\x86\x7f\xfa\xce\xec\x7b\xb6\x05\xf9\x7e\xa5\xa6\x28\xc9\x1b\xd7\x9f\x16\xc4\xe3\x53\xe2\xf1\xdc\x48\xe4\xf4\x4b\x9f\x9c\x47\xef\x7a\x8a\x3d\xde\x66\x86\x7e\x01\x9d\x47\xb3\x75\xe6\xbb\xa3\xe8\x70\x73\x03\x45\x8d\xb5\xa8\x2b\xcb\x66\x03\x90\xd7\xea\xb2\x90\xbb\xa5\xf7\xa4\x45\x72\x8b\x09\x9e\xdc\x22\xb0\xc8\xf0\xd3\x37\x37\x58\x68\x73\xf3\x4c\x49\x4c\xa1\x69\x34\xc5\xa7\xd0\x2d\xbd\xe4\x92\xb0\xd5\x3c\x89\xce\x06\xb6\x9a\x5b\x29\xd0\x9b\x78\x6a\xf2\x64\x3a\x89\x8f\x7b\x93\x29\x5a\x24\x7b\x93\x41\xe5\xec\x8a\xd4\x76\x3d\xe7\x27\x96\x80\xef\xad\xcd\xf7\x4a\x60\x60\x6d\x62\x60\x3d\x8a\x0e\xe3\x83\xd9\xfd\xbe\xe8\xfe\xae\x70\xe8\x60\x78\x40\xde\x0e\xf1\x83\xf8\x17\x87\xd1\x09\x2f\x1e\xc9\x20\x2f\xba\xc4\xe4\xda\x88\x9c\x86\x41\xee\x77\xad\xe6\xb8\xb4\xea\xa9\x20\x21\xe9\x80\xff\x61\x08\x7f\x6b\x10\xed\x8a\x3c\xce\x16\x80\x77\xb6\x98\xf0\x7d\x9a\x97\xec\x59\x9c\x66\xfc\x92\xdb\x94\xf3\x7d\x1f\x7f\x60\x2a\x5c\xbb\x2b\x85\x66\xef\x84\xac\xef\xf1\x9a\x54\x25\x59\xa0\xcf\xe2\x73\xbe\x76\xd4\x38\x90\xbc\xc4\x49\x4d\xda\x1d\x52\xc1\x43\x78\x18\x64\x5a\x02\xbf\x05\xf0\x5b\x00\xbf\x05\xf0\x5b\x80\x4c\x4b\x90\x69\x09\xec\xc5\x60\x2f\x06\x7b\x31\xd8\x8b\x7b\xdd\x5e\x0c\x19\x8d\x20\xa3\xd1\x56\xb1\x90\x41\x46\xa3\x4e\x64\x34\xfa\x8b\x34\xca\x08\x82\x68\x52\x9d\x04\xe0\x50\xa4\x6b\xc7\x5f\x4a\xe3\xd7\xd2\xe8\x2e\x76\xcd\xcf\xc0\xfe\x86\x32\x71\xa3\x6b\xac\xa8\x7d\x2e\x53\x26\xee\x45\xaa\x13\x99\xe6\x7c\x6a\x7e\xd6\xdb\xd1\x39\xed\xb3\x01\x35\x14\x34\xd9\x50\xd0\x64\x2b\x05\x95\x2c\xf4\xb4\x20\x71\x17\xd1\x1c\x27\x71\x67\xd1\x0c\x2a\x6e\x80\xc4\x85\xbe\xb3\x95\xe8\x3b\xfc\x8f\xc3\xe8\xb0\x68\x72\x47\x5b\x26\x7a\xad\xc2\x14\xe4\x7a\x62\x6b\xd9\x06\xb5\x0d\x77\x55\xab\xa8\x8e\x43\xfc\x94\xf8\xbf\x3c\x8c\xff\x76\x10\xdd\x1d\x3c\x78\x6d\xa5\x90\xf9\x5c\x2b\x29\xf1\xe7\x65\x81\xd3\xac\xc0\x9e\x48\x8c\xff\x08\x7f\xdd\x82\xff\x29\x57\x0a\x91\x3a\x02\xc9\xdd\x40\x52\xfc\xe7\x92\x51\xef\x31\x7c\x54\xa2\xde\x86\xe1\x27\x39\x6f\xa4\x1b\xa2\x96\x71\xe0\xb6\xc0\x6d\x81\xdb\x02\xb7\x05\x6e\x0b\xdc\x16\xb8\x2d\x70\x5b\xe0\xb6\xc0\x6d\x81\xdb\x02\xb7\x05\x6e\xdb\x5d\x6e\x3b\x89\x8e\xe0\x43\xd9\x03\xbe\xaf\xda\x83\x61\x37\xb7\xc8\xfe\xad\xd1\xcf\x0d\x98\x2f\x30\x5f\x60\xbe\x7d\xcc\x7c\x7f\xf1\x39\x74\x30\x21\x56\xc0\x26\x3e\x12\x63\x82\xde\xa6\x4c\xcc\x3a\xf8\x5d\xcf\xe1\x1f\xdf\x13\x44\x09\xec\x5f\x3b\x97\xfd\xe5\xa0\x90\x69\xbf\x90\xdc\x08\x7b\xa8\x3e\x6c\x20\xf6\xd6\x1e\x27\x80\x90\xe3\x1e\x60\x18\xe4\xb8\x07\x18\x06\x30\x0c\x60\x58\x1f\xc1\xb0\x1e\xca\x2d\xd4\x33\x30\x0c\x92\xde\x00\x0c\x03\x18\x06\x30\x0c\x60\x18\xe4\xb8\x87\xac\x1c\xb7\x0f\x7f\xea\xf9\xac\x1c\x5b\x32\xc7\xfd\x32\xba\x20\x3c\xa7\xce\xa2\x19\xee\x39\x75\x12\x1d\x47\x93\x4d\xb3\x16\x68\xd4\x26\xf9\x95\x42\x3e\x96\x11\xb5\x94\xef\x3e\x21\x41\xfd\xf5\xab\xc9\x5e\x53\x07\xf0\x84\xf4\x9a\xca\x66\xa5\x9b\x54\x6c\x7d\x22\xee\x52\xd9\xcf\xed\x0c\x60\xd9\x23\x7e\xe6\xfb\x78\x2e\xb6\x37\x3e\xa1\x46\x67\xc9\x98\x00\x59\x73\xa8\x84\x9e\xac\x4b\xa9\x71\x04\x1d\xda\x58\x8f\x40\x72\x56\xc8\x8e\xbf\xc1\xe4\x0d\xef\x4a\xa3\x59\x21\x19\x8a\xe8\x34\x97\x0c\x93\x68\xc3\xe3\x10\x5d\x14\xf9\x51\xce\xa1\x33\x41\x7e\x94\x5b\x29\xef\x92\x48\x13\xf3\x24\x3a\x1b\x4a\x13\x73\x2b\x05\x6e\x5c\x6c\x89\x0c\xfa\x9d\x12\x5b\xb9\xff\x31\x1a\x88\xad\x5c\x6c\x2e\xfd\x78\x11\x76\x50\xdc\x2b\x44\x58\x5c\x5e\xfd\x6e\x08\x33\xc8\xb1\x0f\x98\x17\x30\x2f\x60\x5e\xc0\xbc\x90\x63\x1f\x72\xec\x43\x8e\x7d\xc8\xb1\x0f\xe6\x06\x30\x37\x80\xb9\x01\xcc\x0d\x60\x6e\x68\x8b\xb9\x01\x72\xec\x43\x8e\x7d\xc8\xb1\x0f\x39\xf6\xc1\x9a\x07\xd6\xbc\x3e\xca\xb1\xdf\x29\xda\xbc\x15\xf3\x2e\xff\xd5\x83\xe8\x94\x97\x77\xd9\x72\xd6\xca\xb9\xef\xaa\x2e\x59\xaa\x55\x98\xbc\xf2\x12\xee\x3b\xbc\x6f\xf0\x67\x1f\xc4\x7f\x97\x0e\xce\xac\x1d\xb6\x89\xaa\x2b\xe2\x9a\x37\xb4\x02\xad\x7b\x41\x96\xb3\x40\xdc\xdc\x13\xec\xce\xfa\xc3\xb2\x43\x37\x88\xbe\x6f\x2f\x55\x2f\xbd\x15\x9d\x12\x23\xf3\x08\x3a\xc4\x47\xe6\x3e\x94\x47\xa3\x89\xa7\x02\x87\xaa\x95\x38\x18\x1f\x8e\x1f\x8c\x77\xe0\xc1\x32\x71\xd1\xf5\x4b\xc9\xe3\x6f\x14\xe7\x1a\xcf\x78\x08\x57\x21\x3c\xee\x32\xbf\x1a\x3a\x96\x7c\xaf\x4d\xac\x8a\xaa\x91\x96\x3a\x60\x58\xde\xdc\xe5\x3e\x28\x16\xd1\x69\x74\xb2\xce\x4c\xbb\xce\x4e\x00\xaa\x07\xc6\xd9\x0d\x1a\x67\x3f\x9e\xba\x75\x11\x30\x23\x4c\xb2\x6c\x55\xf3\x4d\xb2\xdd\x14\x24\x56\xad\x03\x82\xa4\xf8\xb7\x77\x06\x82\xe4\x80\xa5\xda\xae\xc1\xed\x50\x62\x07\xdb\x92\x44\xd9\x63\x89\x34\xf7\x5d\x93\x27\x6f\xac\x2f\x68\x8c\xd7\x60\x2f\x4f\xa8\xf5\x50\xf8\x62\x95\xd8\x65\x12\xbe\xba\x27\x7c\x95\x69\xdf\x2e\x29\x1b\xda\x58\xc3\x7d\x91\x52\xd8\xdf\xab\xf2\x2a\xab\x65\xf1\x22\x9a\x43\xa5\x3a\x59\x36\x89\x8e\x6c\x40\xd5\x99\xe7\xb1\x39\x20\xd7\x12\xe4\xda\x67\x06\xd0\xa7\x07\xf0\xa7\x06\x32\x9f\xf0\x77\xd8\x2f\x0d\xf4\x8f\x5c\xab\xe3\x8b\xac\x9d\xb9\xdd\x96\x33\x70\x36\x38\x83\x20\xbd\xe1\x26\x03\x77\x84\x83\x02\x61\xe6\x57\x2b\xfc\x49\x93\x9a\x63\xe2\x69\x7e\x07\x37\x52\x38\xca\x70\xc9\xa1\xe6\xbc\x88\x56\xbb\xc0\xa6\x85\xfc\x7b\xc1\x9b\x2c\xc1\x8f\x23\xcd\x05\x6e\xf1\xb5\x14\x7a\x35\x85\x5f\x49\x65\xbe\xe0\xef\x56\x3e\x99\x3a\x4b\xd9\xde\xd6\x70\x94\x32\xe5\xcd\x4e\x95\xec\x12\xfb\x29\xab\x4c\x45\xbe\x82\x6f\xf3\x84\xa9\xa3\xe6\x04\x06\xdb\x31\x55\xe3\x1f\xce\xcd\xe0\x15\x43\x93\x0c\x83\x54\x74\x47\xa1\x37\x65\x9b\x0a\x33\xb1\x45\xa8\x55\x21\x79\x45\xbc\x91\x87\x17\x7a\x7d\xc9\xb7\x5b\xb1\x0d\xe0\xbf\x3e\xbb\x8d\x57\x2b\xe2\xf7\xd7\x05\x1d\xb2\x79\x82\x34\x4b\x24\x48\x6b\xb7\xf0\x2f\x1d\x41\x87\xf0\x81\xec\x84\xbf\x7b\x79\x43\x38\x12\x3f\xf4\xd4\x6d\x71\xde\xcc\x1f\xa4\x11\x96\xfb\x9e\x9a\x4b\x1d\x4d\xad\x18\x66\x79\x1c\xbf\x92\xc6\x5f\x48\xa3\x3b\x43\xbf\x65\x32\x65\x8e\xc3\x96\xa8\x5d\xf5\x77\xcb\xaa\xc2\xdb\x35\xf7\x40\x99\xb8\x53\xc1\xbd\x53\xf3\xb3\xe7\xd8\xef\x3d\x98\x23\xd2\x10\x4e\x64\xfb\xb8\x13\x19\x1b\xb1\xa7\xd0\x09\x74\x6c\x63\x39\x22\xf9\x37\x26\x26\x87\xfc\xa3\x37\xa0\x37\xfa\xb1\xd9\x54\x27\xf5\xbb\xc6\x5f\x7e\x03\xfe\x72\x3a\xf0\xce\x7a\x6c\xcd\x5d\xe3\x45\xaa\x93\xdc\x7d\xec\x16\xe9\x55\x4a\x75\xd2\x91\xdd\xe1\x02\x3a\x22\xda\xa9\x80\xc6\x79\x3b\x8d\xa0\x21\xf4\x44\xa2\x5b\x1c\xab\x4f\xe2\x94\x3e\x9b\x3c\x63\x77\xe3\xc7\xea\xb9\x03\x2f\x3a\x72\x2e\xcd\xda\xdb\xcb\xcc\xfb\x77\x04\xad\xfa\x78\xd2\x6e\x90\x37\xec\x1b\xe4\x5d\x9d\x6d\xdb\x22\x3f\xd2\xad\x4e\x53\x6a\xb5\x71\x41\x2d\x82\xed\xde\x06\xb7\x7b\x1f\x48\xdd\xc2\x9c\x3e\x21\xf6\x79\x87\xd0\x81\x60\x9f\xd7\x46\x91\x90\xb0\xc1\x6b\x4d\x62\x34\x91\x13\x81\x20\x29\xfe\xd6\x9d\x81\x48\x18\x6b\x79\x5f\xc7\x65\xc3\xfd\x5c\xdd\xe8\x9c\x64\x80\xfd\x5b\xbf\x09\x2a\xd8\xbf\xc1\xfe\x6d\x93\xf7\x6f\x9d\xd4\xf2\x12\x37\x6e\x6d\x52\x03\x4b\x05\x34\x8e\xc7\xb2\x7b\xfd\x5d\xd7\xae\xf0\x7e\x8d\xdd\xde\xf9\x84\x69\xf8\x1b\x43\xe8\xd1\xa8\xf9\x48\x24\x7d\xd7\x89\x55\xa1\xab\x55\x62\xba\x0e\xfe\xa5\x21\xfc\xb9\xc1\x80\x2b\xae\xb4\x76\x1c\xe7\x8c\x5f\x42\x9b\x0e\xe0\x1c\xb9\x19\x90\xc9\xa0\xf0\x39\xc3\x71\xcf\x52\x7b\xaa\x52\xf1\x69\x25\xe4\x6b\x8f\x19\xd5\x17\x93\x07\xed\x5e\x3c\x12\xa3\x7e\x84\xcf\x28\xf7\x5b\x1d\xce\xd6\x84\xb4\x54\x90\xa3\x1d\xe2\x95\x20\x5e\x09\xe2\x95\x20\x5e\x09\x72\xb4\x43\x8e\x76\x88\x13\x81\x38\x11\x88\x13\x81\x38\x91\x5e\x8c\x13\x81\x3c\xeb\x90\x67\x7d\xab\x78\xc6\x43\x9e\xf5\x4e\xe4\x59\xff\x97\xcf\xa1\x03\x02\xf3\xd9\x8b\xaa\x96\xf7\xf0\x10\x2f\xaa\xfe\xa4\x4d\xad\x52\x73\x5c\xb6\x6f\xa9\x10\x07\xff\xd6\xb3\xf8\xe7\xf7\xa0\x07\xd9\x53\x53\xe1\x87\xfc\x23\x38\x47\xd6\x4e\xbc\x3e\x2d\x0a\xbb\x4c\x2b\x24\x37\xc4\x6e\xbd\x5c\x5f\x92\x3c\xa2\x33\x74\x63\x8f\xe3\x3b\x48\xb6\x0e\x54\x0b\x92\xad\x03\xd5\x02\xaa\x05\x54\xab\x8f\xa8\x56\x0f\x25\x99\xe9\x19\xaa\x05\xd9\x4f\x80\x6a\x01\xd5\x02\xaa\x05\x54\x0b\x92\xad\x43\x7a\x86\xdb\x07\x42\xf5\x7c\x7a\x86\x2d\x99\x6c\x5d\x43\x4f\x0a\xb7\xa7\x29\x74\x8a\xbb\x3d\x1d\x45\x87\xd1\xc1\xa6\x4e\x7b\x9c\x54\x49\xcc\x94\x0f\xe1\xa1\x96\xf2\xac\x1b\xc9\xee\x4e\x67\xf1\x8c\x74\x71\x6a\xca\xc4\xa4\xdf\x53\xe8\xe5\x61\x0f\x3e\x5e\x33\x94\x94\xd2\x3d\xfb\xb3\x3b\xd7\xe2\x67\xf7\xf9\xb9\xd8\xc3\xa8\x6c\x44\xfc\xda\x4d\x58\x26\xd8\xd6\x39\x74\x06\x4d\xd7\x39\x53\xef\x47\x85\x75\x77\x12\x78\x51\x43\xb8\xc7\x06\xc3\x3d\xfe\xdf\x94\x48\xbd\x5e\xe0\xa9\xd7\xfd\xa0\x8d\x83\x68\x23\xe3\x10\x95\x44\xaa\xf4\x69\x34\x15\x4a\x95\xbe\xc1\xb2\x9a\x09\x1d\x91\x4c\x60\x1f\x4f\x26\xc0\xe4\xda\xc6\x8a\x6f\x35\xd7\x7a\x6b\xa2\xad\x05\xc9\x95\x28\xfd\x72\x2f\x8d\xad\x25\xba\x94\xd8\x7c\xec\x61\x31\xb6\x5f\xdc\xd1\x54\x8c\xf9\x0f\x76\x4e\xa0\x41\x0e\x76\xa0\xbf\x40\x7f\x81\xfe\x02\xfd\x85\x1c\xec\x90\x83\x1d\x72\xb0\x43\x0e\x76\xb0\x42\x80\x15\x02\xac\x10\x60\x85\x00\x2b\x44\x5b\xac\x10\x90\x83\x1d\x72\xb0\x43\x0e\x76\xc8\xc1\x0e\x46\x3e\x30\xf2\xf5\x51\x0e\xf6\xee\x51\xe8\xf6\x27\xbd\xf8\xeb\x61\x74\x32\x2e\xe9\x45\x93\xcc\xe9\x9a\x9f\x2d\xde\x26\x2b\x06\x1f\x7c\xf8\x73\xc3\xf8\x57\x43\x39\x31\xfe\x49\x6b\x39\x31\x82\xbc\xf3\x97\x65\x49\x6d\xca\x8d\xb1\xf7\x66\x5c\xd6\xde\xc6\xd7\xcd\x19\x8e\xdb\xe3\xee\xf5\xa5\x1b\xcd\xed\x2c\x6d\x4f\x9b\xe1\x8d\xfc\x2b\xc9\xa3\x79\x3f\x2e\x34\x66\xc4\x68\x6c\xe1\x68\xa6\x3f\xc8\x92\x01\xf1\x04\x90\x25\x03\x2c\x4a\x60\x51\x02\x8b\x12\x58\x94\x20\x4b\x06\x64\xc9\x00\x92\x0f\x24\x1f\x48\x3e\x90\xfc\xde\x23\xf9\x5b\xf0\x14\x04\xc8\xc3\x01\x74\x14\xf2\x70\x6c\x9d\x10\x08\xfc\xae\x11\x74\x46\x90\x47\x8d\x52\x5b\x37\xcc\xd8\x0c\x1c\x6b\xd2\x48\x6e\x4d\x74\xf0\xe7\x87\xf1\xaf\x0f\xa2\xfb\xc2\xc5\xf8\x8e\xb9\x2f\xb4\x46\x23\xe7\x58\x49\x6d\x05\x90\xd3\xa1\xda\x48\x1f\xdf\x80\x46\xf2\xd7\x6d\x0d\x00\xd9\xfd\xf4\xbc\xcf\x26\x03\xc8\x49\x7c\x44\x02\xc8\x98\xb1\x23\x79\x24\x6f\xe3\x98\x18\x15\xe0\x90\xc0\x21\x81\x43\x02\x87\x04\x0e\x09\x1c\x12\x38\x24\x70\x48\xe0\x90\xc0\x21\x81\x43\x02\x87\x04\x0e\x09\x1c\x12\x38\x24\x70\x48\xe0\x90\xfd\xc5\x21\x3f\x34\x8c\x86\x04\x87\x74\x5c\x6a\xab\x65\x12\x20\xc8\x71\xcd\x31\xc2\xc7\xfd\xe2\x6f\x0e\xe1\x6f\xa4\x11\x92\x37\x5e\x5b\x29\x64\x32\xfc\xa8\xdf\xe8\x9e\x76\x7a\x61\x36\x38\xe3\x77\x41\xdc\x7b\xa5\x20\x7f\x6d\xf3\x19\xbf\x6f\x41\x27\x05\xa0\x3b\x8c\x0e\x72\x40\x37\x8e\xc6\xd0\xde\xa6\x09\x17\xbc\x4f\x5c\x29\xe4\x65\x7d\x6e\xe1\x58\xcf\x32\x71\xd1\xf5\xa7\x93\x69\xdd\x04\xde\x27\x69\x5d\xb4\x85\x3d\xc7\x41\x59\x91\xb0\xb7\x60\xe6\xdf\xed\x88\x34\xf3\xc3\xde\xd9\xbf\xf1\x2d\xed\x1d\xfa\xdb\xd9\xc6\x2e\x72\xf8\x59\x97\x11\x66\x7d\xad\x0d\xb1\xc3\x90\x0b\x66\x83\xb9\x60\x3e\x96\xba\xe5\xa9\x3e\x2d\x72\xc9\x1c\x47\x93\x41\x2e\x99\x2e\xca\x0b\x7e\x0c\x70\x6b\xf2\x22\xe6\xf0\xbd\x35\x65\x47\xee\x8f\x5f\x1f\x91\x17\xbb\x64\x0c\x8f\xea\x8b\x88\x07\xc4\x2f\x1d\x96\x10\x9d\x49\xb1\x02\x42\x23\x41\x68\x40\x98\x7f\x57\xc2\xfc\x21\xbe\x13\xe2\x3b\x21\xbe\xb3\x53\xf1\x9d\xa5\x7f\x73\xeb\x2b\xfc\x8c\x48\xf1\x76\x02\x1d\x0b\xa5\x78\x6b\xfb\x12\xdf\x99\x35\xfc\xba\x12\xaf\x39\xec\xc4\xdb\x45\x0b\xa3\xe2\x1f\xdf\x19\x59\xe5\xf7\x34\x1c\xff\x1f\xbf\x3d\x10\xe7\xfe\x77\x6e\xe9\x87\x73\xff\xfb\x4d\xe1\x80\x73\xff\xe1\xdc\xff\x4d\x3e\xf7\xbf\xf3\xe4\xa7\x33\x68\xe7\xfa\xa3\xf1\x62\x7e\x07\xbe\x83\x7f\x35\x2a\x1d\x40\x13\x78\x5f\x36\xef\x43\xff\x7b\xf9\x34\x92\x73\x5a\x16\x99\x1d\x64\x3f\x76\x12\xe4\xe3\x1f\x1b\x41\x85\x71\xd5\x32\xc6\x57\x0a\x4d\x1d\x10\x8d\xaa\xe1\xda\x7c\x96\x7a\x88\xf0\xcf\x87\xf1\x9f\xa4\xd1\x76\x8d\xda\x1e\xb8\x6a\xe0\x83\x73\xec\xa9\xcb\xec\xa9\xdc\x23\xec\xf2\x34\xb5\x49\x38\x56\x39\xb8\xbe\xb9\xb0\x90\x7d\x03\x1b\x2f\x41\x7d\x6e\x15\x16\xce\x25\x8f\xa8\x11\x3c\x14\xa3\x38\x64\xb3\x9e\x57\x5f\x50\x97\xcc\xcb\x3b\x82\x76\x56\xe2\x01\x61\xa8\xa9\x1f\x93\x77\x74\xab\xb5\xd7\x4d\x0b\x1b\x9b\x1b\xd6\x61\xa0\x85\x5d\xa2\x85\x31\x73\x7d\xfd\xb4\xb0\xad\x02\x83\xd3\xc2\xb6\x0a\x8c\xdc\x3f\xdb\x15\x08\x8c\x7b\x7d\x42\x18\x92\x11\x72\x2b\xd7\x35\x11\x01\xb8\x10\x70\x21\xe0\x42\xc0\x85\x80\x0b\x01\x17\xae\x1b\x17\x7e\x3e\xd5\xe6\x9c\x58\x97\x05\x3c\x3c\x8f\x66\x43\xf0\xb0\xc3\x79\xb6\x5a\x5b\xe0\xd7\x58\xd4\x23\x5b\xcb\x64\x82\xf8\x8d\x3b\x03\x15\x60\x24\x01\x1f\x86\x14\x83\x47\x2d\x11\xd3\xd5\x79\xbd\x00\x58\x62\xbf\x69\x23\xc0\x12\x81\x25\x6e\x2d\x96\xb8\x81\x7d\x5e\x12\xf4\x6b\xef\x42\x50\x3a\x8c\x0e\xe2\xfd\xd9\x82\x8f\x10\x1f\x08\x23\xc4\xe0\xa1\x46\x8a\xb8\xf5\x1c\x8e\xf1\x2f\xe7\xd0\x69\xe1\xc0\x48\x5e\x74\x89\xc9\x7d\x4d\xfd\xf8\xe9\x26\xe0\xd2\x30\xcb\x36\x13\x48\x3e\xb6\xfc\x87\x11\xfc\xcf\x07\x10\x0e\x4a\xf0\x23\xa8\xe3\x3c\x1c\x67\xc5\xe3\xb9\x3d\xec\xda\x19\xff\x99\x86\x38\x67\x79\x5f\x9b\x31\xa6\x8a\xce\x8a\xd1\x7a\x0a\x9d\xe0\xa3\x95\x8d\xda\xfd\x4d\x47\x6b\xf0\x4d\xfe\x51\x53\xb2\x5e\xb7\x8a\x33\xd7\x95\x2a\x31\xa8\x86\x1c\xbb\x5e\x25\x1a\x42\x94\x33\x7f\xb8\x23\xb6\x27\x9a\x38\x41\x7a\x9d\x31\x22\x2f\x77\xbb\x3f\x8a\xb3\xe8\x1c\x3a\x53\xa7\x31\x6c\xac\x43\x40\x59\x00\xe0\xb9\x41\xe0\xf9\x72\xaa\x6d\x52\xe1\xbc\x00\x9f\x33\xa8\x18\x80\xcf\x8e\x89\x98\x0e\xc9\x90\x04\xb0\x9a\xfb\xe8\xae\x58\x11\x73\x8f\x47\x45\x4d\x5f\xac\x0c\x8b\x9f\xba\x2e\x55\x80\x8d\x02\x1b\x05\x36\x0a\x6c\x14\xd8\x28\xb0\xd1\x8d\xb0\xd1\x6e\xd2\xcc\xf6\x82\x58\x4f\x35\x48\xa4\x99\x2d\x2a\x0f\x09\xaa\x42\xa3\x6e\x51\x7c\xf7\x5d\xb1\xda\x41\x92\xbf\xa5\xa7\x32\x0c\xf1\x3d\x7d\x37\x35\x06\xa0\xa6\xfd\xa6\xa7\x00\x35\x05\x6a\xba\xc9\xd4\xb4\x7b\x1c\xaa\x53\x9b\xc4\x5b\x73\xc5\x94\xe5\xde\x16\x10\xf5\xa5\x11\x34\x25\x20\xaa\x50\x47\x12\x4f\xc2\xb1\xa8\xae\x1b\x8e\x5d\xe3\xd3\x67\xb1\xa6\x97\x89\xeb\xe0\x9f\x1f\xc6\xbf\x31\x88\x76\x8a\x22\xae\xad\x14\x32\xff\xb4\xb5\xf4\x93\xf3\x54\x9f\xf1\x0b\x2b\xf2\xc2\xda\x94\x8c\x32\xcf\x1f\x10\x0a\x52\xd8\x74\x19\xf3\x46\xc8\x47\x19\x3f\xf9\xde\x92\x3c\xf9\x0e\xe1\x03\x72\xf2\x89\xae\x97\x13\x2f\xa6\x91\xe1\x4c\x1c\xc8\x45\x09\xb9\x28\x21\x17\x25\xe4\xa2\x84\x5c\x94\x90\x8b\xd2\x85\x5c\x94\x90\x8b\x12\x72\x51\x42\x2e\x4a\xc8\x45\x09\xb9\x28\x21\x17\x25\xe4\xa2\x84\x5c\x94\x90\x8b\xb2\x8f\x73\x51\x7e\x65\x08\xbd\xc1\x0b\x39\x17\xf4\x91\x98\xba\x45\x0d\xd3\x75\xf0\xe7\x87\xf0\x67\x06\x83\xe0\x85\x5a\x6b\x64\xf1\x8c\xf7\x7c\x9b\x78\xe2\xf0\xcd\x20\x10\xc2\x2f\x7b\xce\x70\xdc\xb3\xd4\x9e\xaa\x54\x7c\xc0\xd8\x3e\xdb\xde\x6d\x44\x12\xcf\x27\x93\xc4\x61\xbc\xa7\xde\xc7\xd9\x6f\x66\x60\x87\xc0\x0e\x81\x1d\x02\x3b\x04\x76\x08\xec\x10\xd8\x21\xb0\x43\x60\x87\xc0\x0e\x81\x1d\x02\x3b\x04\x76\xd8\xf3\xec\x10\xc8\x1e\x90\x3d\x20\x7b\x7d\x4c\xf6\xfe\x00\xa1\x7d\xc2\xbf\x50\xad\xb1\x19\xef\xca\x62\xea\xcf\xbb\xe6\x5b\x19\xb6\x5d\x20\x37\x1d\xfc\xe3\x28\xfb\x83\xdb\xd0\x03\xd1\x27\x7c\x6f\xfc\xfb\xc4\xaa\xa1\xa8\xca\x53\xec\xa1\xcb\xfc\xa1\xdc\x1e\xf1\xeb\x54\xe4\x19\xe9\x80\x1f\xba\xaf\xcd\xc1\x7a\x6f\x42\x4c\xc2\x45\xdd\xdf\x4f\xa0\x63\x4d\x7d\x61\xeb\x1a\xc1\xf3\x87\x0d\x55\xb0\xf4\x03\x69\x74\x51\x10\xba\x73\xe8\x0c\x27\x74\xa7\xd0\xad\x15\x89\x16\x44\x60\xe7\x1c\x2a\x05\x81\x9d\xb7\x5c\xe8\x53\x22\xce\xe4\x02\x3a\x1f\x8a\x33\xb9\xe5\x52\x93\x50\x22\x49\x46\x89\x45\x7c\x5a\xa2\xc4\xd8\x21\x27\xe9\x62\xf8\xa5\x8d\x0e\xc2\x8f\xc4\x43\xc6\xed\x78\x9b\x45\x1d\x17\x95\x20\x4c\x61\xed\x30\x85\x12\xc4\x6b\x37\x89\xd7\x6e\xbb\x07\xf7\xd7\x9f\x45\x47\x65\x1a\x0c\x0e\xaf\xeb\x25\x6b\x13\x3f\x6e\x71\x33\xfe\x91\x67\xf1\xf7\xed\x41\xaf\x13\xff\xf2\x45\xec\x6e\xb1\x21\xb7\xe5\x56\xc2\xd3\x35\xe9\x92\xc2\x26\x8f\xc2\xa9\x7f\x8e\x2f\x86\xfc\xcf\xc6\x40\x27\xfe\x73\x8f\x9b\x42\x8a\x60\x24\x00\x23\x41\x11\x8c\x04\x60\x24\x00\x23\x01\x18\x09\xfa\xc6\x48\x50\xec\x19\x23\x41\xdb\x6b\xb2\x61\x23\x41\x11\x8c\x04\x60\x24\x00\x23\x01\x18\x09\xc0\x48\xd0\x7d\x23\x41\xb1\xaf\x99\x7e\x11\x98\x7e\xe7\x98\x7e\xb1\xd7\x99\x7e\x71\x0b\x32\xfd\xd2\x35\x71\xdc\xe2\x3e\x9e\xee\x27\x7d\xe9\x3c\x3e\x88\xf6\xa3\x42\xf3\xfc\x0f\x02\x4b\x79\xb4\x97\xa3\xa1\x39\xc3\x49\x76\x1b\x6d\x0e\x61\xb9\x93\xe7\xf5\xab\xc9\x2c\xf8\x00\x9e\xf0\xb2\x43\x84\xe1\x98\xe7\x61\xca\xbd\x57\x1b\xe8\x6f\xf6\x3b\x3b\x1a\x88\xd8\xeb\x3d\xa3\x83\x29\xe9\x57\x56\xfc\xd0\x15\xfe\x25\x70\xd5\x34\x9a\x42\xa7\xea\x6c\x0d\xe3\x68\x6c\x5d\xed\x0e\xf9\x75\x20\xd1\xe8\x06\xc1\xf5\x37\x53\xcd\xd3\x80\x9d\x16\xf2\xe0\x28\x3a\xcc\xe5\x41\x01\xad\x77\x5c\xa2\x33\xc2\x44\x75\x12\x1d\x0f\x4c\x54\x1b\x28\xe6\xac\x30\x4a\x9d\x42\x27\x42\x46\xa9\xf5\x97\x93\x2c\x81\xb8\x19\xa8\x63\x12\x28\xf7\x5f\x47\x1b\x24\x50\x46\xe6\x9c\x0b\x25\xf0\xa3\x4b\x52\x18\x8d\xca\x5c\xa5\x61\x61\x34\xed\xdf\xd7\x59\xb1\xd4\x99\x7c\xa5\x80\x65\x01\xcb\x02\x96\x05\x2c\xdb\x3f\x58\x16\x34\xb3\x04\xcd\xac\x77\xb8\x35\xe4\x8a\xee\x4a\xae\x68\x30\x0f\x80\x79\x00\xcc\x03\x60\x1e\x00\xf3\x40\x5f\x9b\x07\xe0\xc8\x00\x38\x32\x00\x8e\x0c\xe8\xd4\x91\x01\x60\x7d\x03\xeb\x5b\xbf\x5a\xdf\x4a\xe5\x36\x9f\x24\x9c\x64\xd1\xea\x14\x2f\xbe\x9e\x8b\x07\xd5\xf7\x62\x79\xb0\x55\x20\xc2\xd1\x16\xcc\xe7\x85\x3f\x3d\x82\xa6\x85\x8f\xfb\x52\x85\xde\x64\xea\x98\x4d\x2b\x79\xdf\xfb\xb7\xde\xe5\x5d\xa4\x10\x62\xb7\x3a\xda\x32\xa9\xaa\xfe\x69\x8f\xdf\x18\xc6\xff\x66\x1b\x7a\x28\x54\xc8\x94\x57\x86\xcf\xd9\x3f\x9b\x92\xa3\x31\x94\x56\xc8\xf4\xb4\x1d\xcf\x03\xfe\x6c\x85\xde\x5c\xe0\x65\xb7\x25\xbf\xd0\x68\xb0\xb9\xe1\x1b\x38\xa9\x0a\xb3\xfd\x51\xb0\x6b\x1b\x8a\xf0\x88\x50\xd9\xf9\x5c\x8e\xbf\xee\x6c\xcc\x67\x49\x63\x40\x50\xdf\x1e\x77\xca\xdf\x94\xfc\x44\xcd\x8f\x03\xb8\x29\x0e\x69\xbd\x91\x3c\x6f\x9f\xc4\x67\xc5\x14\x0d\x9a\xba\xe9\x91\x33\x6b\x0d\x62\xc8\x5d\x04\x61\x09\x90\xbb\x08\xec\x5f\x60\xff\x02\xfb\x57\x3f\xd9\xbf\x20\x77\x11\xe4\x2e\x02\xbb\x03\xd8\x1d\xc0\xee\x00\x76\x87\x9e\xb0\x3b\x94\x0e\xa3\x83\x78\x7f\xb6\xe0\x73\x92\x07\xc2\x67\xc0\x05\xbb\xbc\xc6\x63\xe0\x20\xe9\x11\x24\x3d\xda\x22\x88\x16\x92\x1e\x75\x22\xe9\xd1\xab\xc3\x68\x3c\x9a\xce\xbc\x49\x12\x0e\xb1\x39\xac\xaa\x96\x83\x3f\x3c\x8c\x3f\xb5\xfe\x34\xe7\xd3\xbc\x80\x0b\xaa\xd5\xa6\x34\xe7\xd9\x50\x9a\xf3\xc0\x6d\xd8\x7f\x0b\x1c\x95\x18\x0f\x10\x5b\xc9\x49\xde\x62\x16\xf4\x70\xae\xf3\xfa\x8c\xe8\x7e\x3f\x00\x24\x04\x48\x08\x90\x10\x20\x21\x40\x42\x80\x84\x00\x09\x01\x12\x02\x24\x04\x48\x08\x90\x10\x20\x21\x40\x42\x38\x1c\x11\x68\x22\xd0\x44\xa0\x89\xb7\x11\x4d\xfc\xa5\x11\x34\x23\x53\xa8\x5b\x06\x79\xd1\x25\x26\xef\xad\xc0\xe9\x51\x32\x46\xad\xe6\xb8\xb4\xea\x95\x18\xc6\x5d\xd2\xfb\xf1\xaf\x87\xf1\x8f\x6e\x43\xbb\x22\xa5\x5c\x5b\x29\x64\x7e\xb1\x15\x8f\xc7\x69\x5e\xba\xb7\xc3\x9c\xf1\x4b\xef\x09\xff\xc7\x51\xfe\xba\xa9\xf0\x87\x5d\x29\x34\xab\x31\x00\xcc\x46\x80\x59\x49\x66\x93\xb3\xf8\x9c\x97\x56\x3d\x66\x18\x7a\x84\xb2\x49\x9b\x47\x8f\x70\x4c\xf2\xb7\x04\xba\x09\x74\x13\xe8\x26\xd0\x4d\xa0\x9b\x40\x37\x81\x6e\x02\xdd\x04\xba\x09\x74\x13\xe8\x26\xd0\x4d\xa0\x9b\x5d\xa6\x9b\x67\xd0\x34\x9e\xca\x9e\xf2\xe9\xe6\xe3\x61\x17\xc8\x66\x7b\x3d\x70\x88\x04\x84\x09\x08\x13\x10\x66\x08\x61\xfe\xe6\x08\x3a\xe9\x21\x4c\xcb\x49\x74\x8b\x74\x5c\xd5\x25\x4b\xb5\x0a\x9b\xc1\x1e\xbc\x7c\xef\x08\xfe\x93\x41\xb4\x9d\x3d\x7f\x6d\xa5\x90\xf9\xa9\x56\x98\xe5\x82\x2c\x67\x81\xb8\x3d\x81\x29\x15\x89\x29\x2d\x27\xec\x5d\x19\xaa\x25\xa0\xc9\x46\x34\x79\x29\x19\x4d\x8e\xe2\x9c\x8f\x26\x2d\x47\xa2\xc8\x50\xb3\x02\x7d\x04\xfa\x08\xf4\x11\xe8\x23\xd0\x47\xa0\x8f\x40\x1f\x81\x3e\x02\x7d\x04\xfa\x08\xf4\x11\xe8\x23\xd0\xc7\x9e\xa6\x8f\x47\xd0\x21\x7c\x20\x3b\xe1\xd3\xc7\x37\x84\xe9\x63\x68\x7b\xd7\x08\x1c\xc1\x2b\x13\x90\x26\x20\x4d\x40\x9a\x1d\x44\x9a\x5f\x4d\xa3\xfb\x05\xd2\x74\x5c\x6a\xab\x65\xe2\xf9\x63\xe2\x5f\x4a\xe3\x9f\x4f\xa3\xed\xf2\xe7\x4c\xa6\xcc\x13\x15\x2f\x51\xbb\xea\x37\xa0\xaa\x70\x5e\x95\xc3\x65\xe2\x2e\x88\xfb\xa6\xe6\x67\xcf\xb1\xdf\xda\x77\x3a\x53\x43\x41\x93\x0d\x05\x4d\xb6\x52\x50\xc9\x68\x7e\xf0\xd7\x45\x81\x03\xcf\xa1\x33\x1c\x07\x9e\x42\x27\xd0\xb1\x0d\xe0\x40\xef\xe3\x25\xf3\xc3\x1f\x1c\x42\xbb\x45\xe3\x6a\x94\xda\xba\x61\xf2\x0a\x86\x3c\x5e\x79\xc6\x6f\x07\xff\xd9\x1e\xfc\xf5\x01\xf4\xfa\xf0\x4d\xd7\x56\x0a\x99\xdd\x62\x4b\x60\x4b\x65\xc6\x5b\xed\x3c\x2c\x3c\xc7\x1e\xce\x0d\xb1\x9b\xa6\x43\x4f\x5e\x29\xf0\x0b\x67\xa9\x3d\x55\xa9\xf8\x78\xd6\xe9\x75\x26\xfb\xbc\x38\x3b\x6d\x1f\x3f\x3b\x8d\x75\xc2\x21\x74\x00\x4d\x34\x3d\xee\x2c\xd2\xa0\x2b\x85\x3c\xff\xe6\x96\x8e\x63\x7c\x73\x32\x88\x3d\x88\xf7\x4b\x10\x1b\xd3\x6f\x92\xcb\xf2\x17\x46\x89\x6c\xc2\x41\x8f\x00\x64\x01\xc8\x02\x90\x05\x20\x0b\x40\x16\x80\x2c\x00\x59\x00\xb2\x00\x64\x01\xc8\x02\x90\x05\x20\x0b\x40\xb6\xcb\x40\x16\xa0\x27\x40\x4f\x80\x9e\x7d\x0c\x3d\x7f\xe2\x19\xa4\xc4\x42\xcf\x95\xc2\xb8\xe6\x18\x26\xd5\x89\x83\xdf\xfd\x0c\xfe\x87\x27\x10\x92\x77\x5c\x5b\x29\x64\x9e\x58\x9b\xc7\x4d\x2f\xcc\x5e\xa4\x3a\xc9\xdd\xc7\x6e\x93\x38\xf4\x4a\x41\xfe\xda\xe3\xf8\xad\x08\x6c\x0a\xd8\x54\x11\xd8\x14\xb0\x29\x60\x53\xc0\xa6\xfa\x86\x4d\xf5\xd0\x61\xfc\x3d\xc3\xa6\xe0\x94\x78\x60\x53\xc0\xa6\x80\x4d\x01\x9b\xda\x8c\x53\xe2\xfb\x1a\x25\xc1\x31\xd6\xfd\x7c\x8c\x75\x71\x0b\xa2\xa4\xd2\xb3\xa8\x28\xdc\x96\x8e\xa1\xa3\xdc\x6d\x69\x3f\x2a\xa0\xf1\xa6\x6e\x4b\x1e\x6f\x5a\x29\xe4\x25\x18\x6a\xc9\x67\xe9\xe9\x64\x9f\xa5\x09\xbc\x4f\xe6\xae\x13\xe5\xa2\x98\x13\x38\xa2\xb4\x2b\xd1\x61\x29\xfb\xdf\x76\x44\xf8\xd7\x2e\xb1\xfa\x28\xaa\x8f\xba\x1e\x10\xbf\x74\x0c\x76\x09\x36\xc5\xa3\x73\xf1\xe0\x22\xd5\x57\x33\xfc\xbf\x4a\x2a\x37\x86\xf6\xae\xa3\x91\x8b\x1f\x4b\xa3\x8f\xa6\xf1\x47\xd2\x99\x0f\xfa\x82\xe5\xdb\xa9\xab\x6c\xd9\x96\x92\x7c\x94\x9f\x51\xa3\xb1\xfd\x9a\x90\x04\x91\xdd\x43\x98\x28\x2d\x12\xc5\x62\x4d\xcb\x54\xb6\xbc\x32\x65\x2a\x86\x29\xf6\xed\xd4\x56\x6a\xa6\xbf\xf5\xd7\x15\xdd\x5e\xbd\x5c\x33\x15\xdd\xb0\x09\x1b\xfe\xc4\xdf\x4f\xb2\x65\x81\xaf\xbb\x72\x43\xed\xa9\xcf\x72\x0b\xa3\x2c\xd5\x6c\xae\xa2\x59\x36\xd5\x88\xc3\x17\x48\x39\xdb\xa4\x28\xcf\x2b\x57\xf8\x1b\xb9\xea\xcb\x57\xb4\x49\x65\x4c\x99\xaa\x54\x26\xf9\xf2\xa7\xdb\xab\x8a\x5d\x33\xd9\xd6\x8a\xcd\x17\x6f\xcd\x97\xc5\x11\x3d\x7b\x87\xa8\x5a\x58\x38\x7c\x28\x8d\xbe\x3f\x8d\xdf\x9f\xce\xbc\xd7\x6f\xa0\x6f\xa6\xb8\xc6\x74\x41\x35\xd5\x32\xb1\x85\xee\x2f\x3c\xcf\x1d\x87\x6a\x06\x5f\xce\x7c\x2d\x5b\xe5\xdb\x14\x6a\x2b\x4c\xdb\x71\x57\xfd\xf5\xbd\xaa\xde\x60\xf5\x77\x97\x89\x43\xbc\x19\xcc\xa4\x8a\xc7\x3f\x38\x02\x58\x24\x0a\x97\x1d\x5c\xa3\xa6\xb6\x52\x98\x38\xc2\xee\xb5\x55\x8d\x83\x1a\xb6\x19\x15\xf3\x95\x6b\xbd\x4c\x41\x51\x0d\x53\x58\x64\xb8\x56\x19\xdc\xcb\x37\xaf\x12\x23\xb1\xbd\x90\x27\x83\xcb\xb4\xa2\x9a\xe5\x3c\xb5\xcb\xe3\xd6\x8d\xf2\x78\xcd\x34\x34\xaa\x93\xf1\xdd\xb3\xce\x3c\x2b\x25\x9f\xbd\x2b\xfc\xad\x61\x00\xff\x8d\x14\x3a\x29\x66\xf8\x61\x74\x90\xcf\xf0\x71\xb4\xbe\xc1\x87\xa6\xd9\xf3\x05\x7c\x1c\x4d\xa2\xed\xd3\x42\x81\x5b\x7f\x21\x33\xac\x90\x09\x7e\xb2\xff\x8e\x29\x8d\xad\x12\x1b\x29\xa5\x3d\x82\x26\x5e\x9c\x34\x17\x3f\x6b\x08\x1a\x8b\x3a\x2e\xca\xfd\xda\x68\x44\xd0\x3c\x24\x14\x5a\x25\x38\xee\x9f\x1f\x12\x25\x85\x8e\x54\x77\x03\xa1\xe3\xdf\xd5\x19\xf1\xf3\x14\xba\x8c\xe6\xc3\xe2\x27\x57\x44\xa7\x37\xe0\x1d\x3c\xc3\xab\x7d\x89\x13\x54\x07\x58\x2b\xb0\x56\x60\xad\xc0\x5a\xfb\x88\xb5\x82\x0e\x96\xa0\x83\xf5\x0e\x8c\xfe\x46\x1a\x7d\x3d\x8d\xbf\x96\xce\xfc\xae\xdf\x55\x9f\x4d\x3f\x15\xde\xfe\x19\xa6\xe2\x88\x2d\x9c\xb2\x48\x96\x84\xe5\xd6\xc7\x24\xc1\x92\x25\x67\x09\x6f\xac\x90\xb6\x67\x52\x73\xcc\x24\x65\x95\x77\x89\xdc\x01\x86\xb5\x42\x01\x4c\xfd\xc1\x20\xd5\x01\xa3\x5a\x25\x3a\xd3\x3b\x2b\xab\x81\x49\x35\x10\xed\x46\x65\x54\x6e\x0c\xf9\xe7\x2a\x65\x5b\xd5\xf8\x38\x31\xa8\xee\x2f\x3c\xc1\xe2\xc0\xad\xd5\x5e\xbf\xd4\x1c\x56\xc9\x70\x43\xa9\xec\x49\xef\x83\xe4\x4b\x96\xc4\x7c\xf3\x8a\xc8\x8b\x7a\x56\x89\x6a\xc6\xd6\x31\x8b\x79\x15\xe6\x79\x0d\xe2\x36\xbc\xc0\xfc\x81\xf9\x03\xf3\x07\xe6\x0f\xcc\xbf\xaf\x99\xff\x97\xd2\xe8\xb5\x34\x7e\x35\x9d\x79\xc5\x5f\x6d\x3f\x9e\x9e\x09\xe5\xf9\xb3\x78\x9c\xa8\x3f\xf5\xe7\x6d\x6a\xa9\x65\xbe\x0e\xcf\xd3\x8a\xa1\xad\x46\x3c\x7e\xbc\xee\x0e\x12\x05\xb2\x0e\x2f\xe4\x0f\xe7\x95\x05\x21\x47\xc4\x22\x69\x11\x93\x0d\xd3\x60\x15\x21\x0a\xb5\xad\x65\xd5\xf4\x3c\x90\xec\x1a\x19\x5f\x52\x2b\x9e\xf6\x9f\x15\x57\xb3\xca\x92\x61\xaa\x15\xe3\x6d\x9e\xf8\x5e\x24\x8a\xaa\x73\x80\x4e\xc7\x05\x4f\xd5\x03\xd5\x52\x14\x3e\xe4\x04\x0f\x09\x7d\x3b\xaf\x9c\x31\xb8\x48\x0a\x55\x9c\xda\x8d\x5f\x16\x18\x2d\x5c\xa1\xee\x73\xed\x8f\xba\xcb\xf9\xec\x2e\x51\x9f\x19\xef\x43\xa2\xae\x4c\xef\x19\x44\xef\x1a\xc4\xef\x18\xcc\x7c\xc7\xf7\x67\xfb\xca\xc0\x55\x29\x07\xd9\x10\x5d\xa6\x37\x95\xb2\x6a\x2f\xaa\xe5\x08\x67\xf0\x15\x35\x62\x2f\x51\xbb\xca\xda\x22\xb6\xa6\x97\xea\x5e\xde\xbc\xa2\x5c\xad\xf1\x74\x12\x4b\x7c\x95\xc1\xf4\x05\xcd\xd0\x03\xc5\x9a\xaf\x8d\x7c\x9b\xe3\xb7\xae\xc3\x03\xae\xf9\x55\x6f\xf5\xcb\x87\x9a\xd1\x93\x9b\xbe\xa5\xc0\xf7\x62\x8b\xbe\x2c\xaf\x08\x5c\xc4\x65\x71\x58\x5b\x1d\x12\xdf\x30\xc4\xf6\x3c\xfc\xaf\xe8\xc0\x70\x8e\x29\x43\x45\x55\xbb\x51\xb6\x69\xcd\xd4\xd9\x5d\xdc\x7d\x8c\xdf\x54\xd7\x70\x42\x59\x91\x1a\x50\xb4\x10\xef\x0b\x16\xfd\x92\x8e\x29\x43\x67\xa9\x4d\x42\xc5\x2a\x9a\xea\x68\xaa\xce\xbe\x5e\xb6\x8f\x70\x18\xe4\xe5\x39\x42\x9d\x6e\x28\x70\xc9\x2f\x23\x9f\xbd\xc7\xaa\x1f\x37\x61\xdd\x06\x4c\x6a\x60\x52\xeb\x53\x93\x5a\xa9\x8c\xe6\x04\xbc\x3e\x83\xa6\x39\xbc\x3e\x81\x8e\xa1\xa3\x1b\x80\x97\x0b\xae\xea\xd6\x9c\x36\xf1\xe3\x64\xd3\x54\x94\x25\x5f\xcf\xc5\xf3\xe3\x7b\xf1\x3d\x42\x48\x04\x02\x1c\xb5\x3d\xba\x03\x7f\x6b\x0f\x7a\x90\x0d\x25\xee\x1d\x4e\xab\x16\x35\x99\x1c\xe2\xed\x41\x1c\xfc\xe5\x3d\xf8\x3f\x0e\xa0\xed\x1a\xb5\x39\xba\x7e\x5c\xec\xd2\xea\x5d\xc3\xbd\xc7\x44\x33\xe6\x1e\x14\x49\x1b\x6c\x4e\xaf\x23\x97\x7a\xdc\x4f\xbc\xb4\x88\xce\x89\x01\x75\x1a\x9d\xe4\x03\xea\x08\x3a\x84\x0e\xac\x91\xa6\xc1\x16\xf6\x87\xe8\x57\xb6\x64\xf4\x4c\xb0\x4e\x5e\x7f\x53\xf2\x58\xcb\xe3\xd1\x98\xb1\x96\xcd\x7a\xe3\x2b\x5a\x2b\xc8\xd0\x00\x5e\xf0\x90\xa1\x01\x2c\x33\x60\x99\x01\xcb\x4c\x3f\x59\x66\x20\x43\x03\x64\x68\x00\x22\x0e\x44\x1c\x88\x38\x10\xf1\x9e\x20\xe2\x90\xa1\x01\x32\x34\x6c\x15\x06\x08\x19\x1a\x3a\x91\xa1\xe1\x1b\x43\xe8\xd1\xb8\x93\xb6\x6c\xc2\xa1\x15\x9b\xa9\xf8\x97\x86\xf0\xe7\x42\x47\x69\xad\xc8\xf5\xcb\xd4\x8d\x15\x43\xaf\xa9\x95\xc8\xa1\x5a\xbe\xae\x78\x59\x94\xd0\xae\xb3\xb4\xf2\xb9\x91\xd0\x69\x58\x41\xe1\x73\x86\xe3\x6e\xb5\x14\xac\x9b\x71\x2c\xd6\xc5\x64\x88\xb7\x17\x8f\x34\x1e\x8b\x15\xb4\x74\xd4\xd3\x78\x77\x3c\x34\xbc\x0b\x23\xfe\xa1\x90\x88\x15\x30\x1f\x60\x3e\xc0\x7c\x80\xf9\x00\xf3\x01\xe6\x03\xcc\x07\x98\x0f\x30\x1f\x60\x3e\xc0\x7c\x80\xf9\x00\xf3\x01\xe6\x03\xcc\x07\x98\xaf\xab\x98\xef\x57\x1e\x44\xc7\x05\xe6\x5b\xe4\x78\x6f\xa5\xd0\xec\x2c\x7d\xcd\xa6\xe6\x75\xba\xe8\x9d\xa3\x3f\x2e\xfc\xef\xf0\x4b\x0f\xe2\x3f\x4f\xa3\x1d\xfc\x69\xee\x7e\x67\x13\x55\x57\xc4\x45\xaf\x91\x83\x15\x77\xda\xa6\x66\x89\x2e\xe6\xb2\xec\xae\x22\x7b\x26\x7c\x80\xbd\xbc\xda\x66\x3f\x3c\x81\xd6\xae\xa2\xe3\x02\xad\x1d\x44\xfb\x39\x5a\x1b\x43\x7b\xd1\x48\x53\xb7\x39\xfe\x3d\xdc\x6f\x4e\xd4\x29\x11\xa3\x3d\x1c\x8f\xbd\xee\xc0\x83\x65\xe2\xa2\xeb\x73\xc9\x94\x6d\x04\x0f\x49\xca\xc6\x5f\xee\x79\xc8\xc9\xf7\x87\x19\x5b\xe6\x73\x3b\x42\x2d\x3e\x64\x13\xab\xa2\x6a\x24\xb1\xd1\x9f\x90\x37\x76\xb3\xdd\x8b\xfc\x24\xaf\xba\xd4\x21\xeb\x69\x78\x08\x5a\x85\xc4\x21\x1b\x4c\x1c\xf2\xaf\x53\xb7\x38\xe7\xa7\x44\xda\x90\x49\x74\x24\x48\x1b\xd2\x35\xb1\x61\xd5\xda\x2d\x36\x8a\xff\xcf\x9d\x21\xb1\xb1\xcf\x52\x6d\xb6\x49\x65\x1b\x3b\xbe\xa4\x24\xca\x8f\xdd\x16\x67\xb9\x5d\x92\x1e\x6f\xac\x2f\x68\x8c\xbf\x7e\x2f\x3f\x80\xf0\xa1\xf0\xc5\x2a\xb1\xcb\x24\x7c\x75\x4f\xf8\x2a\x53\x31\x5d\x52\x36\xb4\xb1\x86\xfb\x22\xa5\xb0\xbf\x57\xe5\x55\x56\xcb\xe2\x45\x34\x87\x4a\x75\x92\x6b\x12\x1d\xd9\x80\x35\x66\x9e\xb7\x1b\x08\xb2\x04\x41\xf6\x99\x01\xf4\xe9\x01\xfc\xa9\x81\xcc\x27\x7c\xa3\xd0\x4b\x03\xfd\x23\xc8\xea\xb0\x01\x6b\x67\x8e\xc1\x39\xda\x62\x83\x33\x30\x86\x0d\x37\x19\xb8\x23\x9c\x07\x0b\xab\x89\x5a\xe1\x4f\x9a\xd4\x1c\x13\x4f\xf3\x3b\xb8\xd5\xcc\x51\x86\x4b\x0e\x35\xe7\x85\x55\xe8\x02\x9b\x16\xf2\xef\x05\x6f\xb2\x04\x3f\x8e\x34\x97\xb0\xc5\xd7\x52\xe8\xd5\x14\x7e\x25\x95\xf9\x82\xaf\xf1\x7e\x32\x75\x96\xb2\x0d\x9c\xe1\x28\x65\xca\x9b\x9d\x2a\xd9\x25\xf6\x53\x56\x99\x8a\x7c\x05\xdf\xcb\x88\xd0\xfd\x9a\x13\xf0\xef\x31\x55\xe3\x1f\xce\xad\x0a\x15\x43\x93\x31\x79\xa4\xa2\x3b\x0a\xbd\x29\xdb\x54\x50\x77\x8b\x50\xab\x42\xf2\x8a\x78\x23\x37\xe3\x79\x7d\xc9\xf7\x14\xb1\x0d\xe0\xbf\x3e\xbb\x8d\x57\x2b\x62\x92\xea\xb4\x96\xf8\x68\xbc\xb8\xdf\x81\xef\xe0\x95\x6b\xb3\xc0\x2f\x1d\x40\x13\x78\x5f\x36\xef\x1f\x5f\x7d\x6f\xf8\xe0\x6b\xf9\xc4\xed\x70\xe8\x35\xfe\xbe\x0c\x9a\x8a\x6e\x63\x16\x89\xab\xae\x77\x2f\xf3\x6b\x0f\xe2\x97\x06\xd0\xdd\xde\x12\xc9\x8b\x68\x71\x43\x33\x14\xda\xd0\xf0\xe7\xba\xb3\xab\x79\x46\xe8\x28\xfb\xb8\x8e\xc2\xc6\xeb\x04\xda\x87\xf2\x89\xe3\x95\xd7\xb0\x5d\x5b\x9b\x75\x47\x01\xf1\xb7\xa3\x35\xc6\x70\xe6\xb7\x76\xd4\xf7\x42\xcb\x9b\x9c\x5c\x74\x93\xd3\xbd\xbe\x28\xce\xa0\x22\x3a\x5d\xa7\x2f\xac\xbb\x33\x40\x4b\x80\xed\xce\x06\xb7\x3b\x3f\x9a\x6a\x87\x30\x38\x2b\xf6\x3c\x6c\xdb\xee\xef\x79\xba\x2b\x54\xf8\xc6\xa7\x35\xa1\xd2\xda\x3a\x28\xe4\x4d\xf1\x1d\x77\xd5\x0b\x95\xf5\x6f\x81\x86\xc3\x5b\xa0\xee\xc8\x16\xd8\x07\xf5\x9b\x84\x83\x7d\x10\xec\x83\x36\x79\x1f\xd4\x15\xbd\xb2\xfd\x32\x3e\x71\x7f\xd5\x3f\x3b\xa2\xff\x34\x8c\xf2\x5e\xce\x04\xe1\xb9\xdd\x64\x2f\x44\x4c\xdd\xa2\x86\xe9\x3a\xf8\xc3\xc3\xf8\x53\x83\x41\x22\x85\x5a\x6b\xee\xdc\x67\xbc\xe7\xdb\xe4\xcd\x9d\xe5\x0f\x88\xd4\x0c\xc1\xe2\xea\xbf\x65\xce\x70\x5c\x70\xe3\x6e\x9c\x4c\xad\xb8\x5d\x5f\x3f\x9f\x3c\xe3\x86\xf1\x9e\xfa\x24\x0d\x7e\xdb\x47\xe1\x02\xf8\x70\x83\x0f\x37\xf8\x70\x83\x0f\x37\xf8\x70\x83\x0f\x37\xf8\x70\x83\x0f\x37\xf8\x70\x83\x0f\x37\xf8\x70\x83\x0f\x37\xf8\x70\x77\xd7\x87\x7b\xeb\xc1\x09\xf0\x12\x07\x2f\x71\xf0\x12\xdf\x42\x5e\xe2\x9f\x1b\x41\x07\x5a\x82\x89\x6c\xda\x19\xfe\x8f\x6f\xc7\x7f\x37\x8c\xbf\x12\x42\x8a\x2f\xa7\x64\xab\x87\x40\xa2\xe9\x49\x4a\x2f\x55\xeb\x82\x28\xa3\x2d\x38\x71\x34\xd0\x8a\xb8\xe6\x27\xd7\x50\xa6\x58\x05\xea\xde\x50\x44\xc3\x0e\x95\x9d\xcf\x3d\x14\x0b\x23\x65\x0d\x01\x43\xae\xc7\xc1\xe9\xa6\x70\x70\x9a\x4d\x46\x90\x7b\xf0\xe3\xf5\x08\x52\xb6\x38\x00\x48\x00\x90\x00\x20\x01\x40\x02\x80\x04\x00\x09\x00\x12\x00\x24\x00\x48\x00\x90\x00\x20\x01\x40\x02\x80\xdc\x4c\x00\xb9\xa6\x4f\x95\xdc\xb9\xdd\x0e\x3e\x55\x80\x2d\x01\x5b\x02\xb6\xdc\x42\xd8\xf2\x2f\x86\x50\x36\x2e\x2a\x4c\x20\x4c\x2f\x08\x0c\xff\xda\x10\xfe\xf9\xc1\xfa\xd8\x00\xa7\x35\xef\x47\xe9\x32\xda\x26\xdf\xc7\xd1\x9b\xf5\xe1\x05\xb2\x7c\x48\x66\xdb\x46\x2f\xc8\xd6\xfc\x8e\x13\x5c\x8d\x23\x6e\xc9\x80\x22\x01\x45\x02\x8a\x04\x14\x09\x28\x12\x50\x24\xa0\x48\x40\x91\x80\x22\x01\x45\x02\x8a\x04\x14\x09\x28\x12\xf2\xd9\x02\xf2\x03\xe4\x07\xc8\xaf\x5b\xc8\xef\xa3\xc3\xe8\xa0\x40\x7e\x8e\xb6\x4c\xf4\x5a\x85\x69\x6b\xe2\x48\xfb\x3a\xfc\x67\xd9\x06\xb5\x0d\x77\x55\xab\xa8\x8e\x43\x1c\xfc\xf5\x21\xfc\x9f\x07\x11\x0e\x1e\xf3\x51\xe0\x6a\x6b\x28\x70\x5e\x16\x38\xcd\x0a\x6c\x13\x10\x14\x0f\x2c\xf8\x75\x92\x54\x30\xf2\x2a\x88\x88\x8e\x67\x81\x5a\x32\xe6\x3b\x8d\x4f\x4a\x8e\xd7\x30\x5a\xa4\xe3\x61\xa4\xa5\x63\x12\x0e\xc0\x69\x57\x40\x07\x81\x0e\x02\x1d\x04\x3a\x08\x74\x10\xe8\x20\xd0\x41\xa0\x83\x40\x07\x81\x0e\x02\x1d\x04\x3a\x08\x74\x10\xe8\x20\xd0\x41\xa0\x83\xbd\x44\x07\xbf\x37\x87\x2e\x0a\x3a\x68\x12\xf7\x26\xb5\x6f\x44\xe8\xe0\xda\xa1\xcd\xf2\x09\x8b\x56\x0c\xcd\x08\x22\x9c\x5f\x1e\xc1\xef\xdc\x86\xee\x0e\xca\xbb\xb6\x52\xc8\x7c\xae\x95\x38\xe7\x8b\xe2\x91\x79\x56\xe0\x6a\x4f\x44\x3b\x0f\xf3\xd7\x5d\xf4\x3f\x25\x1c\xf3\x1c\xa9\x2d\xe0\xc6\x0d\x44\x3e\x3f\x97\xcc\x23\x8f\xe1\xa3\x92\x47\x36\x8c\x4f\xc9\x23\x23\xdd\x00\xe1\xd0\x40\x19\x81\x32\x02\x65\x04\xca\x08\x94\x11\x28\x23\x50\x46\xa0\x8c\x40\x19\x81\x32\x02\x65\x04\xca\xb8\x99\x94\x71\x12\x1d\xc1\x87\xb2\x07\xfc\xc0\xe6\x07\xc3\xe1\xd0\x91\xfd\x1b\x04\x45\x03\x03\x05\x06\x0a\x0c\xb4\xab\x0c\xf4\x37\x9f\x41\x4f\x78\xb9\x1c\x9b\x1d\x09\xc3\x89\x10\xfe\xc4\x33\xf8\x9b\x4f\x04\xc9\x1b\x77\x0b\x8d\xd5\x96\x6b\xad\x27\x8c\x3d\x9c\xc9\x29\x59\xee\x41\x76\x53\xc3\xe1\x2d\xec\x52\x8f\x33\xc3\x22\xe0\x33\xc0\x67\x45\xc0\x67\x80\xcf\x00\x9f\x01\x3e\xeb\x1b\x7c\x56\xec\x19\x7c\xd6\xf6\x9a\x6c\x18\x9f\x15\x01\x9f\x01\x3e\x03\x7c\x06\xf8\x0c\xf0\x59\xf7\xf1\x59\xb1\xaf\x79\x52\x11\x78\x52\xe7\x78\x52\xb1\xd7\x79\x52\x71\x0b\xf2\xa4\xd2\x9b\xd1\x09\xe1\x6b\x75\x08\x1d\xe0\xbe\x56\x79\x34\x8a\x72\x4d\x8f\x8a\xd6\xa8\x4d\xf2\x2b\x85\x3c\x67\x42\x73\x86\x93\xec\x58\x75\x2e\xd9\x6f\xea\x71\x9c\x6d\x38\xb4\x96\x3b\x6d\x85\x1d\xa4\xae\x3f\x12\xef\xa1\xb5\x1d\x6f\xe3\x61\x9a\xd9\x2f\xec\x08\x60\xd7\xeb\xc5\x3a\xa3\xa8\xa6\x04\x5b\x6f\x14\x3f\x74\x16\x6d\x09\x12\x75\x1c\x4d\xa2\x23\x75\x07\xee\x0f\xa3\x3d\xad\x35\x29\x1c\xaf\x9f\x74\xbc\xfe\x87\xd2\xe8\xfb\xd3\xf8\xfd\xe9\xcc\x7b\xfd\x06\xfa\x66\xaa\x7f\x8e\xd7\x6f\x7a\x8a\x7d\xe9\x3f\xa7\xd0\x51\x31\x95\x27\xd0\x3e\x3e\x95\x73\xa8\xe5\x71\x87\x4e\xb2\x47\x0b\xf8\x30\x3a\x88\xb6\x4f\x0b\x25\x6d\x5d\xcf\x9f\x62\xcf\x4f\xe0\x23\xe8\x10\xda\x31\xa5\xb1\x45\x60\x9d\x05\x24\xc9\x91\xe6\xd3\xdf\xa2\x8e\x8b\xda\x26\x67\x72\x9f\x1f\x0d\xe4\x48\x46\x68\xa6\x8a\x46\x2b\x6c\x9f\x29\xd7\x0d\x21\x52\x9e\x10\xd7\x84\x48\x99\xf6\x6f\xe8\xac\x70\x79\x0a\x5d\x46\xf3\x61\xe1\x92\x2b\xa2\xd3\x1b\xf0\x8c\x9d\xe1\x75\xbf\xc4\x69\xa8\x03\xdc\x14\xb8\x29\x70\x53\xe0\xa6\x7d\xc4\x4d\x41\xcd\x4a\x50\xb3\x7a\x07\x2c\x7f\x23\x8d\xbe\x9e\xc6\x5f\x4b\x67\x7e\xd7\xef\xaa\xcf\xa6\x9f\x0a\x6f\xe5\x0c\x53\x71\xc4\x76\x4c\x59\x24\x4b\xc2\x0a\xeb\x23\x8f\x60\xc9\x92\xb3\x84\x37\x56\x48\xa1\x33\xa9\x39\x66\x92\xb2\xca\xbb\x44\xee\xe6\xc2\x8a\x9f\x80\x9f\xfe\x60\x90\x1a\x81\x51\xad\x12\x9d\xa9\x96\x95\xd5\xc0\x3c\x1a\x88\x76\xa3\x32\x2a\x37\x79\xfc\x73\x95\xb2\xad\x6a\x7c\x9c\x18\x54\xf7\x17\x9e\x60\x71\xe0\x96\x67\xaf\x5f\x6a\x0e\xab\x64\xb8\xa1\x54\xf6\xa4\xf7\x41\xf2\x25\x4b\x62\xbe\x79\x45\xe4\x45\x3d\xab\x44\x35\x63\xeb\x98\xc5\xbc\x0a\xf3\xbc\x06\x71\x9b\x57\xe0\xf7\xc0\xef\x81\xdf\x03\xbf\x07\x7e\xdf\xd7\xfc\xfe\x4b\x69\xf4\x5a\x1a\xbf\x9a\xce\xbc\xe2\xaf\xb6\x1f\x4f\xcf\x84\x82\x5b\xad\x0a\x51\x1d\xe2\x4f\xfd\x79\x9b\x5a\x6a\x99\xaf\xc3\xc2\x2b\x36\xe2\xbd\xe3\x75\x77\x10\x1d\xcb\x3a\xbc\x90\x3f\x9c\x57\x16\x84\x1c\x11\x8b\xa4\x45\x4c\x36\x4c\x83\x55\x84\x28\xd4\xb6\x96\x55\xd3\xf3\x26\xb2\x6b\x64\x7c\x49\xad\x78\xda\x7f\x56\x5c\xcd\x2a\x4b\x86\xa9\x56\x8c\xb7\x79\xe2\x7b\x91\x28\xaa\xce\x61\x38\x1d\x17\x6c\x54\x0f\x54\x4b\x51\xf8\x90\x13\x3c\x24\xf4\xed\xbc\x72\xc6\xe0\x22\x29\x54\x71\x6a\x37\x7e\x59\x60\x80\x70\x85\xba\xcf\xb5\x3f\xea\x2e\xe7\xb3\xbb\x44\x7d\x66\xbc\x0f\x89\xba\x25\xbd\x67\x10\xbd\x6b\x10\xbf\x63\x30\xf3\x1d\xdf\x37\xed\x2b\x03\x57\xa5\x1c\x64\x43\x74\x99\xde\x54\xca\xaa\xbd\xa8\x96\x23\xa8\xc1\x57\xd4\x88\xbd\x44\xed\x2a\x6b\x8b\xd8\x9a\x5e\xaa\x7b\x79\xf3\x8a\x72\xb5\xc6\xd3\x49\x2c\xf1\x55\x06\xd3\x17\x34\x43\x0f\x14\x6b\xbe\x36\xf2\x6d\x8e\xdf\xba\x6c\x71\x92\x2b\x87\xb7\xfa\xe5\x43\xcd\xe8\xc9\x4d\x9f\xfa\xfb\x1e\x69\xd1\x97\xe5\x15\xc1\x86\xb8\x2c\x0e\x6b\xab\x43\xe2\x1b\x86\xd8\x9e\x87\xff\x15\x1d\x18\xce\x31\x65\xa8\xa8\x6a\x37\xca\x36\xad\x99\x3a\xbb\x8b\xbb\x82\xf1\x9b\xea\x1a\x4e\x28\x2b\x52\x03\x8a\x16\xe2\x7d\xc1\xa2\x5f\xd2\x31\x65\xe8\x2c\xb5\x49\xa8\x58\x45\x53\x1d\x4d\xd5\xd9\xd7\xcb\xf6\x11\xce\x7f\xbc\x3c\x47\xa8\xd3\x0d\x05\x2e\xf9\x65\xe4\xb3\xf7\x58\xf5\xe3\x26\xac\xdb\x80\x79\x0c\xcc\x63\x7d\x6a\x1e\x2b\x95\x9b\x32\x5e\x34\x27\xc0\xf5\x19\x34\xcd\xc1\xf5\x09\x74\x0c\x1d\xdd\x00\xd5\x5c\x70\x55\xb7\xe6\x78\xc4\x38\x17\x4f\x8c\xef\xc5\xf7\x88\xd9\x1c\x48\xda\xf6\xd1\xe3\x2d\x18\x02\x82\xbf\x7e\x27\x1a\x4f\x70\x29\xb7\xa8\xee\xa5\xcc\x18\x27\x2f\x12\x0d\xff\xbb\x3b\xf1\xfb\xd3\x21\xe7\x72\x8d\x9a\x26\xfb\xcc\x73\x67\x9e\x0a\x3c\xac\x39\xc4\x24\x1a\xcf\xae\x4b\xf5\xdc\x63\xf2\x26\x41\xcc\xcf\x11\x37\x40\xe5\xf3\x54\x3f\xf3\x22\xd1\x26\x06\x72\xe3\x39\x91\x03\xe2\x30\x7a\x48\x8c\x89\xfb\xd1\xbd\x7c\x4c\xdc\x8d\xee\xfc\xa9\xd4\x0e\x24\xeb\x9d\x68\x2e\x78\x2c\xbe\xf3\x11\xde\x21\x6b\x81\xae\xcf\x27\xf7\xf9\x18\xde\x5b\xdf\xe7\xb2\xaa\x12\x9d\x47\x3a\x3f\xfb\x81\x50\x93\x3c\xee\x35\xc9\xfc\xa5\x85\xe6\x6d\x92\x8d\xb4\xc9\x3c\x75\x3a\xda\x28\x6d\xff\xe2\x16\x9a\xb9\x54\x43\x0e\x7e\x21\x43\xbd\xf1\x7a\x79\x9a\x56\xab\x6c\x98\x1b\x8e\x54\x19\xaa\x94\x5b\x58\xc4\xaf\xb2\x7d\x6a\x2e\xc9\xb3\xad\xdd\x8a\xa2\xda\xb6\xba\x9a\x57\x2e\x52\xd7\xbb\x20\xf6\xd6\x6c\xe3\xa0\x38\xcb\xa4\x52\xc9\x67\xb7\xcb\xa7\xc3\xe6\xb0\x8f\xa4\xd0\x07\x53\xf8\x03\xa9\xcc\xf7\x05\xe2\x70\x5a\x18\xe4\x08\x93\x59\x12\xc9\x06\xef\x93\x1b\x3f\x5e\x50\x14\x5b\x84\x8d\x79\xec\x59\x2e\x1a\x6d\x0e\x7a\xf8\x25\x6a\x92\xf0\x65\x31\x05\x2d\xaa\xe7\xb3\x3b\xfd\x9f\xc3\x55\x3b\x86\x8e\xe2\xc3\xd9\x83\xbe\x8c\xc8\x84\x43\xcc\xa2\xad\xbd\x19\x31\x66\x2f\x20\x8a\xab\x99\x1b\x5e\xab\x5d\xbc\x4c\x04\xb2\x14\x34\xc3\x55\x4d\x5d\xb5\x3d\x9b\x40\xe0\x9b\x20\xbf\x59\x2e\x35\x86\x23\x17\x98\x70\x3b\xf2\xdd\x6d\xf6\x0e\xc7\xd5\x89\x6d\x47\xbc\x10\xea\x5e\x79\x29\xfe\x95\x86\xc9\x84\xda\xba\x5e\xc9\xf7\x0c\xf9\xec\x36\xc7\xd5\x0d\x33\xf2\x4a\x1b\x59\xd8\xcc\x54\x12\x5e\x29\x05\xe9\x06\x3f\x93\xd6\xdc\xc8\x3b\x5f\x44\x2b\xd8\xcd\xd8\xde\x3b\xdf\xfc\xd4\x53\x6f\xe1\xa3\xc9\xae\x91\x7a\xdc\xac\x2a\x4c\x6c\xfb\x9b\x9a\x4a\x85\x8a\xed\x93\xb7\x92\x73\x21\xd2\xf4\x7b\x07\x98\x88\x0f\x87\x0d\x7d\x72\x14\x9d\x17\xa9\x93\xd4\x9a\x4b\x1d\x4d\xad\x18\x66\x79\x0d\x81\xcf\x05\x07\x1b\xbb\x15\x8b\xea\xde\x23\xc4\xf6\xf3\x26\xfd\xce\x5e\xfc\x33\x03\xe8\x75\xa1\xc2\x98\xcc\xcb\xd9\x44\xd5\xeb\xd0\xe6\x93\x7e\x49\xf3\x54\x9f\xf2\x4b\xca\x4d\xb0\x7b\xa7\x82\xe7\xc3\x6e\x19\x4d\x9e\x69\xaf\x2d\xb5\x54\x45\x97\x85\x34\x3d\x8f\x66\xb9\x34\x9d\x46\x53\xe8\x54\x53\x73\x75\xe8\x5b\x99\xae\xd1\xa4\x8e\x89\x32\xf8\xe1\x78\x89\x79\x07\x1e\x2c\x13\x17\x5d\x5f\x4c\x16\xd1\xa7\xf0\x09\x29\xa2\x43\x55\x92\xb2\xba\x59\xad\xc2\x42\x3b\xf3\xc9\x9d\x0d\x3d\x37\x66\x13\xab\xa2\x6a\xa4\xc5\xce\x3b\x28\x6f\xdf\xcc\xfe\x2b\x3e\x8d\x16\xd0\x9b\xea\x1c\x6d\x6e\xbd\x03\xc1\x34\x04\x1e\x38\x1b\xf4\xc0\xf9\xd5\x14\xba\x2a\xdc\x68\xe6\xd1\xc5\xc0\x8d\xa6\xa3\x62\xa5\x13\x32\x2c\x59\x54\x59\xb5\xee\x88\xaa\xdc\x2f\xec\x6a\x10\x55\x1e\xdb\x51\x9b\x4a\xa7\x03\xe2\x8e\x4d\x15\x4e\x9d\x71\xd4\x01\xd9\x94\x20\x9b\xc0\x58\xdc\x15\x63\x31\x58\x09\xc0\x4a\x00\x56\x82\x4e\x59\x09\x4a\x9f\x4f\xb5\x97\x88\x0a\x25\x61\x82\x2b\x09\x81\x77\xee\x2d\x96\x99\xb4\xd1\x51\xe2\xb5\x87\x9d\x78\xbb\x68\xa6\xae\x28\x10\xc5\x7f\x7f\x57\x83\x02\x71\xc8\x52\x6d\xd7\xe0\xde\x94\xc2\x0e\xdb\xe2\xa6\x67\xbf\xa5\xba\xda\xf2\x66\x69\x15\x6f\xac\x2f\x68\x8c\x57\x67\x2f\xfb\x73\xf2\xa1\xf0\xc5\x2a\xb1\xcb\x24\x7c\x75\x4f\xf8\xaa\xe3\xda\xaa\x4b\xca\x86\x36\xd6\x70\x5f\xa4\x14\xf6\xf7\xaa\xbc\xca\x6a\x59\xbc\x88\xe6\x50\xa9\x6e\xbb\x35\x89\x8e\x6c\x60\x00\xcd\xf3\x0c\x0e\xa0\xcb\x24\xe8\x32\x9f\x19\x40\x9f\x1e\xc0\x9f\x1a\xc8\x7c\xc2\x5f\x10\x5e\x1a\xe8\x9f\x7d\x56\x9d\xd3\x0c\x6b\x67\xee\x8c\xcc\x1d\xbb\xd8\xe0\x0c\xa0\xfa\x70\x93\x81\x3b\xc2\xd7\x35\xe1\xbb\xae\x56\xf8\x93\x4c\x81\x13\x4f\xf3\x3b\xb8\x32\xe5\x28\xc3\x25\x87\x9a\xf3\x22\xa7\xc9\x05\x36\x2d\xe4\xdf\x0b\xde\x64\x09\x7e\x1c\x69\xbe\x01\x2c\xbe\x96\x42\xaf\xa6\xf0\x2b\xa9\xcc\x17\x7c\xe6\xfc\xc9\xd4\x59\x6a\x6b\x5c\xcf\x2b\x53\xde\xec\x54\xc9\x2e\xb1\x9f\xb2\xca\x54\xe4\x2b\xb8\xed\x52\xa8\x64\x35\x27\xf0\x42\x1e\x53\x35\xfe\xe1\xdc\xb7\xbb\x62\x68\x72\xc9\x25\x15\xdd\x51\xe8\x4d\xd9\xa6\xc2\xf7\xd9\x22\xd4\xaa\x90\xbc\x22\xde\xc8\x93\xd0\x78\x7d\xc9\x6d\x88\xb1\x0d\xe0\xbf\x3e\xbb\x8d\x57\x2b\x02\x2c\x37\x07\x91\x35\xcf\xc5\x6d\x89\x5c\xdc\x5d\x58\x38\x4a\x33\xa8\x88\x4f\x67\x4f\xfa\x9c\x7d\x77\x18\xd2\x37\x29\xe1\x76\xc8\x08\x87\xbf\xba\x07\xdd\x2b\x50\xf1\x22\x4f\xa8\xbf\x52\x18\xbf\x4e\x17\x1d\xfc\xcb\x7b\xf0\xbf\x1f\x40\x3b\xf8\x8f\x6c\x19\x7d\x6c\xed\x84\x52\x25\xba\x98\x7b\x84\xdd\x52\x64\x97\xaf\x14\x4a\x74\xf1\x2c\xb5\xa7\x2a\x15\x7f\xcd\x74\x7a\x3c\xa7\x54\xe9\x2a\x3a\x2e\x46\xff\x41\xb4\x9f\x8f\xfe\x31\xb4\x17\x8d\x34\x1d\xfd\xbc\x65\xd8\xb8\x2f\xd1\xc5\x96\x42\x23\x13\x22\x1a\xaf\x3f\x99\x3c\xcc\x9f\xc0\xbb\xe5\x30\xe7\x6f\x97\x03\xbc\x44\x17\x21\xb9\x3c\x64\xc7\x82\xe4\xf2\x10\xe5\x05\x51\x5e\x10\xe5\xd5\xaf\x51\x5e\x90\x5c\x1e\x92\xcb\x43\x74\x0d\x44\xd7\x40\x74\x0d\x44\xd7\xf4\x44\x74\x0d\xa4\x6f\x87\xf4\xed\x5b\x25\x9e\x00\xd2\xb7\x77\x22\x7d\xfb\xdf\x0f\xa3\x63\x9e\xaf\xfd\x9a\xe7\x55\x7a\xf6\x0c\xd3\x5d\xa1\x95\x5a\x95\x68\x15\xd5\xa8\x3a\xf8\x3f\x0c\xe3\xd7\x06\x03\x27\xf3\xef\x95\x27\x55\x1a\xa6\x6e\xac\x18\x7a\x4d\xad\x44\x0e\xad\xf4\x15\xc9\x79\xbf\xb4\x2b\xbc\xb4\x69\x56\x5a\x5b\x0e\xad\xcc\xe7\xf2\xfc\x81\xfa\xcc\x5a\xb1\x6f\x9c\x33\x9c\x5e\x4f\x24\xbf\x29\x87\x4f\x5e\x4d\x06\x7d\x07\xf0\x44\x98\xe8\x35\xf8\xe8\xc7\x35\x37\xba\xbe\x3b\x9e\x30\xde\x85\x11\xff\x62\x8e\x19\x01\x0e\x02\x1c\x04\x38\x08\x70\x10\xe0\x20\xc0\x41\x80\x83\x00\x07\x01\x0e\x02\x1c\x04\x38\x08\x70\x10\xe0\x60\x97\xe1\xe0\xd6\xf3\x15\x02\xfc\x08\xf8\x11\xf0\xe3\x16\xc2\x8f\xaf\x8d\xa1\x69\x19\x06\x6e\x19\xe4\x45\x97\x98\xbc\xb7\x38\xcd\x32\xe8\xf8\x4a\x61\x91\xb8\x6a\x61\x5c\xab\x39\x2e\xad\x7a\x05\x86\xc9\x97\x0c\xff\x7e\xf7\x18\xfe\x9f\x03\xe8\xfe\x48\x21\xd7\xe4\xd3\x99\xbd\x31\x51\xe0\xd3\xbc\x44\x6f\x53\x39\xe3\x97\x98\xdb\xc7\xc3\xc0\xc3\xe5\x5c\x11\xc5\x34\x7b\xa2\xcd\x41\xe0\x1f\x48\x35\x0f\xad\xbc\x29\x40\xa0\x85\x4c\x0e\x02\x97\xd1\x12\xd2\x9b\x81\xc0\xa0\xfe\x63\x3e\x8d\x09\x98\x60\xb4\xb5\x65\x43\xe5\x9b\x7d\x62\x8b\xa1\xe2\x2f\x24\x53\xc3\x8b\x78\xce\xf3\x82\x8d\xe9\x6f\xc9\x0e\x9b\x55\x23\xec\x42\xc8\x2b\x8c\x32\x9f\x46\xcd\x3a\x3d\x1f\x1f\x40\xde\xb4\xdf\xf7\x7b\x11\xe4\x9b\xd6\xf5\xc5\xb7\xa1\x17\xd1\x4a\x5d\x40\x43\x97\x7a\x18\x82\x1f\x20\xc8\x7c\x83\x41\xe6\xef\x4f\xf7\x9e\xc0\x42\xff\x3f\x11\xf6\x5e\x43\x4e\x10\xf6\xde\x43\xe2\x92\x87\xab\x77\x5f\x5c\xe6\xbe\xbc\xab\x99\xb8\x7c\xcc\x0f\x62\x6f\x2a\x21\x27\x64\x14\xfb\xe6\x09\x48\x88\x61\x87\x18\x76\x88\x61\x87\x18\x76\x88\x61\x87\x18\x76\x88\x61\x8f\x8f\x61\xef\xbe\x56\x51\xfc\xd6\x5d\xcd\xb4\x8a\xc3\x09\x91\xed\x4d\x75\x8d\x82\x08\x6d\xdf\x14\x55\x03\x02\xdb\xfb\x4d\xc1\x81\xc0\x76\x08\x6c\xdf\xe4\xc0\xf6\x0f\xa4\x36\x6f\xb3\x7c\xcb\xe1\xef\xdd\x5f\x73\x4a\x67\xd0\x34\x9e\xca\x9e\xf2\x6d\x53\x8f\x87\xa3\xe1\x9b\x95\xd3\x18\x0e\xdf\xf6\x60\xf5\x77\x0c\xa0\xdd\x02\x68\x2f\x55\xe8\x4d\x36\x5b\x6d\x5a\xc9\x07\x7d\x24\xc1\x36\xfe\x6a\x1a\x7f\x25\x8d\xee\x0b\xdd\x34\xe5\xdd\x93\xc9\x94\xb9\xca\xc7\x14\x4f\xdf\x58\xa0\x2a\xbc\xf9\x72\x8f\x96\x89\x7b\x36\xe6\xa1\xa9\xf9\xd9\x73\xec\x86\xf6\x2d\x83\x0d\x05\x4d\x36\x14\x34\xd9\x4a\x41\x25\x03\x5d\x14\x23\xfb\x1c\x3a\xc3\x47\xf6\x29\x74\x02\x1d\xdb\xc0\x6a\xe6\x7d\x63\xd2\x80\xc5\x7f\xb5\x07\xdd\xe7\x39\x35\x5b\x54\x77\x49\xd5\xe2\xde\x4f\xf8\xf7\xf6\xe0\xdf\x1c\x08\xbc\x95\x47\xd6\xce\x18\x30\x4f\xf5\xa7\xe4\xa3\xb9\x27\xd8\xad\x5e\x52\x6c\xff\xe7\xad\x96\x40\xe0\x39\x34\x2d\xba\xe2\x38\x9a\xe4\x5d\x71\x00\x4d\xa0\x7d\x89\x07\xa2\x86\xbe\xb8\xa5\x3c\x02\x17\x92\xe5\x41\x0e\x0f\xc7\xa4\xf5\xf6\xde\xb2\xae\x83\x96\xc1\x5f\x18\xfc\x85\xc1\x5f\x18\xfc\x85\xc1\x5f\x18\xfc\x85\xc1\x5f\x18\xfc\x85\xc1\x5f\x18\xfc\x85\xc1\x5f\x18\xfc\x85\xc1\x5f\x18\x92\x09\x80\x37\x2f\x78\xf3\x82\x37\x6f\xb7\xbc\x79\x7f\x61\x04\x1d\x6a\x29\x99\x80\xd8\xe3\x55\x55\xcb\x77\xe0\x7d\x69\x04\xff\x7e\x28\x8f\xc0\x4f\xca\x3c\x02\xe1\xe4\x01\xa6\x27\xc9\x3c\x3e\x37\xcd\x4b\xb9\xa0\x5a\x6d\x49\x1c\x30\x1a\xe8\x2d\x5c\x37\x93\xab\x1c\x53\x7d\x02\x85\x6c\x28\xa2\x03\x87\xca\xce\xe7\x1e\x89\x4d\x3b\xe0\xd7\xb1\xd7\xd1\xe0\x66\xa4\x19\x38\x9f\xcc\x09\x87\xf1\x9e\x7a\x4e\xe8\x37\x69\x94\x12\x36\xb7\x52\xf0\xaf\x04\x4c\x08\x98\x10\x30\x21\x60\x42\xc0\x84\x80\x09\x01\x13\x02\x26\x04\x4c\x08\x98\x10\x30\x21\x60\x42\xc0\x84\xdd\xc6\x84\x87\xd0\x01\x3c\x91\xdd\xe7\xbb\x6e\xdd\x1f\x71\xdd\xf2\x36\x77\xb7\xc3\xd1\x25\x00\x30\x01\x60\x02\xc0\xdc\x42\x00\xf3\xcf\x87\xd1\xac\x4c\x47\xa0\x33\x25\xdb\xa0\xa6\x4d\xca\x06\xf7\xe4\x67\xcf\xf8\x69\x09\x24\xde\xac\xd6\x5c\x95\x69\x50\x37\xc9\xe2\x32\xa5\x37\x22\x7b\x52\x07\xff\xd0\x30\xfe\xe0\x36\xf4\x5d\xb1\x45\x5d\x5b\x29\x64\xde\xd3\x62\xb2\xd4\x0b\xf2\x2d\x57\xc5\x5b\xa6\xc3\x6f\x69\x53\xce\xd4\xe3\xfc\x81\xa9\xb8\x9a\x5e\x29\xac\xf5\x7e\xc8\xa0\x1a\x8f\x36\x5b\x49\x74\x7a\xfd\xc5\x64\xfe\xf9\x34\x5e\x88\x49\xb3\xba\xd6\xe8\x94\x94\x74\xad\x4e\x03\x16\x0a\x2c\x14\x58\x28\xb0\x50\x60\xa1\xc0\x42\x81\x85\x02\x0b\x05\x16\x0a\x2c\x14\x58\x28\xb0\x50\x60\xa1\xe0\x32\x09\xc4\x11\x88\x23\x10\xc7\xae\x11\xc7\x77\xaa\xe8\xc9\x96\x88\xa3\x48\x84\xba\x36\x70\xfc\x99\xe7\xf1\xc7\x86\xd0\xc3\xcd\x80\xa3\xc8\xc9\x32\xb9\x76\xd0\xf3\x5a\xdc\x28\x77\x9c\x3d\xdb\x84\x12\xf2\xd2\xd7\x7a\xba\xc7\x31\x61\x11\x98\x18\x30\xb1\x22\x30\x31\x60\x62\xc0\xc4\x80\x89\xf5\x0d\x13\x2b\xf6\x0c\x13\x6b\x7b\x4d\x36\xcc\xc4\x8a\xc0\xc4\x80\x89\x01\x13\x03\x26\x06\x4c\xac\xfb\x4c\xac\xd8\xd7\x08\xab\x08\x08\xab\x73\x08\xab\xd8\xeb\x08\xab\xb8\x05\x11\x56\xe9\x5d\x29\x74\x5d\xf8\x57\x69\x48\xe5\xfe\x55\xdf\x8d\xde\x82\xae\x36\xcd\x2a\x17\x0f\xba\xbc\x2c\x95\x49\xce\x66\x89\x9e\x57\x09\xd9\xe2\xae\xbf\x3d\xd9\xe9\xea\xad\xf8\xcd\x6d\x72\xb4\x6a\x48\x5c\x99\xfd\x47\x94\x04\xe8\x9e\x10\x2b\x9c\xa2\xae\xcd\xe2\x4e\x8a\xdb\x36\x9d\xc6\x09\x78\x66\xa0\x32\x22\x75\x39\x8b\x9f\x46\x0b\x1d\x18\x04\x90\xce\x18\x8e\xaa\xd9\xe0\x51\x35\xbf\xb7\xc6\x51\x35\x4b\x42\x84\x5d\x43\xcf\x72\x11\x76\x15\x75\x66\xf4\xa2\x1b\xe2\x64\x1a\x1d\x2d\x06\x27\xd3\x74\xec\x65\x15\x91\xa2\x9e\x20\x2d\x94\xa2\xbe\x53\x6f\x4b\x16\xc0\x16\xdd\x7c\x01\x9c\xfb\x3f\xc7\x92\x04\x70\x41\x1e\x61\x10\x3a\x0f\x22\xc1\x0b\x3b\xf7\xa4\x3c\x1b\x67\x0d\x61\x3c\xed\x97\xd6\x45\xb1\xdc\x99\x13\x73\x00\x92\x03\x24\x07\x48\x0e\x90\xbc\x7f\x20\x39\xe8\x9c\x09\x3a\x67\xef\x58\x11\xe0\xb4\xb2\xae\x9c\x56\x06\xc6\x1a\x30\xd6\x80\xb1\x06\x8c\x35\x60\xac\xe9\x6b\x63\x0d\x1c\x5a\x09\x87\x56\xc2\xa1\x95\x9d\x3a\xb4\x12\x6c\xa1\x60\x0b\xed\x57\x5b\x68\xa9\xdc\xe6\xf3\x5a\x93\x0c\x87\xb9\x78\x6e\x7d\x2f\xbe\x47\xcc\xe6\x40\xd2\x6e\x36\xc3\x6e\xff\xb1\x75\xaf\x0c\x05\x27\xa6\x89\xd4\x26\xc2\xab\x1d\x7f\x66\x08\xff\x48\x28\x2f\xf3\x0b\xad\x65\x2c\xe1\x39\x32\xda\x94\x9a\xe4\xf1\x50\x5e\x65\x5e\xee\x9c\xe1\xb8\x5b\xed\xe0\xb5\x9e\x4d\x41\x72\x2e\x79\x20\x3f\x8e\xb3\xf5\x29\x98\x45\x05\xc2\x89\x49\x20\xa3\x08\x44\x4f\x40\x46\x11\x30\x0c\x81\x61\x08\x0c\x43\x7d\x64\x18\x82\x8c\x22\x90\x51\x04\x80\x3c\x00\x79\x00\xf2\x00\xe4\x7b\x02\xc8\x43\x46\x11\xc8\x28\xb2\x55\x10\x24\x64\x14\xe9\x44\x46\x91\xdf\xb8\x86\x8e\x8b\x8c\x22\x1a\xb1\x65\x29\xc4\xa9\x4f\x24\x12\xbe\x66\x94\x4d\xc3\x2c\x7b\xc2\x1a\xbf\xef\x1a\xfe\xb3\x3d\xe8\xbe\xf0\x1d\xbe\x6b\xec\xe1\xb5\x93\x87\x4c\x07\xcf\x2c\x88\x52\x2f\x8b\x52\x73\xfb\xd8\x83\xa1\xcb\x8e\xe7\x15\xdb\xec\x89\x1e\x27\x7a\x90\x2d\x04\x78\x17\x64\x0b\x01\xde\x05\xbc\x0b\x78\x57\x1f\xf1\xae\x1e\xf2\xf3\xed\x19\xde\x05\x0e\xa8\xc0\xbb\x80\x77\x01\xef\x02\xde\x05\xd9\x42\xc0\x43\xee\xf6\xc1\x53\x3d\xef\x21\xb7\x25\xb3\x85\xac\xa2\xe7\x84\x27\xd4\x55\xf4\x34\xf7\x84\xba\x84\x2e\xa0\xf3\x4d\xc3\xd1\x23\x0c\xcb\x8b\x42\x6f\x0a\x8d\xda\x92\x20\xe4\x85\x64\x97\xa8\x8b\x78\x4e\xba\x44\xc5\x30\x36\xef\x98\xfa\x66\x95\x8c\x49\x0a\xf2\xe3\xa8\x09\x6f\xcb\xfa\xb9\x40\x9a\xa3\xb5\x09\x71\xcf\xa6\xc0\x35\xc1\xc2\x9e\x45\xdf\x8d\xde\x52\x97\xfc\x63\x16\x9d\x6b\x53\xa7\x42\xf0\x25\x24\xfc\xd8\x60\xc2\x8f\x9f\x4d\xa3\xb7\x0a\x69\xb3\x80\xde\xc4\xa5\xcd\x79\xd4\xbe\x81\x89\xae\x89\x5c\x1e\x6f\x46\x57\x82\x5c\x1e\x6d\x7d\xc1\xf3\x22\x7f\xc7\x5b\xd0\xd5\x50\xfe\x8e\xb6\xbe\x61\xe3\xc2\x52\x24\xf3\xe8\xbe\xb0\xcc\xfd\xef\x63\x4d\x84\x65\x3e\x36\x6f\x47\x73\xc1\x79\x5c\xdc\x1f\x27\x38\xfd\x12\xba\x25\x42\x21\x51\x07\xf0\x69\xe0\xd3\xc0\xa7\x81\x4f\x43\xa2\x0e\x48\xd4\x01\x89\x3a\x20\x51\x07\xd8\x49\xc0\x4e\x02\x76\x12\xb0\x93\x80\x9d\xa4\x2d\x76\x12\x48\xd4\x01\x89\x3a\x20\x51\x07\x24\xea\x00\x33\x24\x98\x21\xfb\x28\x51\x47\xf7\xf9\x74\xfb\x93\x73\x7c\x75\x08\x1d\x10\x1e\xfd\xf6\xa2\xaa\xe5\xbd\x06\x89\x3d\x20\xd4\xa6\x15\xb2\xc8\x36\xb5\x66\xd9\xc1\x3f\x34\x84\x3f\x38\x88\x1e\x64\x4f\x4d\x85\x1f\xf2\x89\xf9\xc8\xda\xee\xfc\x97\x69\x85\x14\x45\x61\x39\xee\xf9\x7f\xb9\xbe\x24\xc9\xcb\x43\x37\x6e\xb5\xcc\x1c\x1a\x7a\x52\x0c\xde\x29\x74\x8a\x0f\xde\xa3\xe8\x30\x3a\xd8\xd4\xbc\xc2\x7b\xc0\x33\xab\x84\x3e\xbb\x25\xcb\xb3\x91\x3c\x18\xcf\xe2\x19\x39\x18\x9b\xf6\xb5\x1c\x92\xa1\x97\x37\x0e\xc2\x24\x23\x37\xa4\xeb\x80\xf0\x05\x48\xd7\x01\xe6\x21\x30\x0f\x81\x79\xa8\x8f\xcc\x43\x90\xae\x03\xd2\x75\x00\x96\x07\x2c\x0f\x58\x1e\xb0\x7c\x4f\x60\x79\x48\xd7\x01\xe9\x3a\xb6\x0a\x88\x84\x74\x1d\x9d\x48\xd7\xf1\xea\x08\x3a\x21\xe0\x9e\x6a\x59\x4e\x90\x7f\xd7\xf4\x09\xda\xf8\xf7\xf8\x7f\xbf\x7d\x5c\x27\x56\x85\xae\xb2\x05\x58\xfe\xfe\x76\xfc\x2f\x46\xf0\x1f\x0d\xa2\xed\xec\xf1\x6b\x2b\x85\xcc\x67\x53\xb2\xf9\x43\x89\x79\x4d\x4f\xa0\x79\x64\x6f\xc6\x2f\xa6\x2d\x59\x7a\x47\x03\xfd\x85\xeb\x68\x72\xb5\x63\x2a\x50\xa0\x98\x0d\x45\x74\xe1\x50\xd9\xf9\xdc\xa3\xfc\x75\x53\x96\xe5\x5c\x29\xf8\xe8\x50\x0f\x2a\xd9\xeb\x10\x71\x33\xd2\xfb\x3e\x1a\x4f\xf8\x76\xe0\x3b\x78\xc5\xd0\xf5\x8b\xc9\xb4\x71\x2f\x1e\xf1\x72\x54\x5b\x96\x23\xc1\x62\xd0\xec\x90\xe1\x17\x90\x21\x20\x43\x40\x86\x80\x0c\x01\x19\x02\x32\x04\x64\x08\xc8\x10\x90\x21\x20\x43\x40\x86\x80\x0c\x37\x13\x19\x1e\x46\x07\xf1\xfe\x6c\x61\x47\x0a\x0f\x5a\xaa\xbb\x9c\x79\x80\xc7\x75\xcb\x5a\x04\x9b\xb7\xec\x20\xfb\x3d\x27\xa5\xf6\x47\x52\xa9\xd2\xf3\xe8\x39\xfc\x4c\xf6\xad\xfe\x83\x93\xb2\xca\x22\x2e\x9c\x69\x46\x35\x77\x59\x71\x34\x6a\x91\x51\xc5\xa9\x69\xcb\xac\xdb\xb8\xea\x4b\xd4\xaa\x60\x23\x96\x4d\x79\x13\x65\x77\xfa\x4c\x22\xfc\x06\xa0\x99\x40\x33\x81\x66\xf6\x31\xcd\xfc\xb9\xe7\xd0\x4c\xab\xae\x8a\x4d\x08\xa7\x4d\x2b\xc4\xc1\x7f\xf1\x2c\xfe\x89\x3d\x6b\xb9\x2e\x66\x93\x5d\x17\x73\xb9\xb5\x7c\x16\x03\xce\xc8\xee\xed\x71\xc2\x08\xe9\x86\x01\xbe\x41\xba\x61\x80\x6f\x00\xdf\x00\xbe\xf5\x11\x7c\xeb\xa1\x6c\x05\x3d\x03\xdf\x20\x8c\x1e\xe0\x1b\xc0\x37\x80\x6f\x00\xdf\x20\xdd\x30\xc4\xf9\xde\x3e\x40\xaa\xe7\xe3\x7c\xb7\x64\xba\xe1\x67\xd0\x94\xf0\xcc\x9a\x44\x47\xb8\x67\xd6\x04\xda\x87\xf2\xad\x87\x77\xb6\x25\xa3\xf0\x62\xb2\x27\xd6\x29\x7c\x62\x1d\x71\x9f\x31\x29\x84\xff\xd5\xce\xb5\x68\xd9\xdd\x7e\x1e\x61\x0e\xc6\x46\xc5\x3f\xbb\x8c\xc6\x04\xc9\x3a\x8d\x4e\xa2\xe3\x75\xc9\x82\x47\x51\x6e\x1d\x11\xb7\x90\xe3\x0d\xf2\x01\x6f\x2c\x1f\xf0\xd7\x53\x68\x5a\xa4\xd4\x3d\x8e\x26\x43\x29\x75\xf3\x68\x5d\x23\xb0\xa9\x40\x40\x27\x84\xb0\x39\x84\x0e\x70\x61\xb3\xde\x72\x8b\x22\xa1\xf0\x31\x74\x34\x48\x28\xbc\xce\x32\x5a\x4d\xdc\xdb\x05\x99\x94\xfb\xf6\xe8\x5a\x32\xe9\xc1\xd8\x74\xbd\x5c\x3e\x1d\x12\x97\x9a\xc9\xa7\x20\x3d\x6f\x47\x25\x15\xe4\xe4\x05\x88\x0b\x10\x17\x20\x2e\x40\x5c\xc8\xc9\x0b\x39\x79\x21\x27\x2f\xe4\xe4\x05\x63\x02\x18\x13\xc0\x98\x00\xc6\x04\x30\x26\xb4\xc5\x98\x00\x39\x79\x21\x27\x2f\xe4\xe4\x85\x9c\xbc\x60\xab\x03\x5b\x5d\xdb\x73\xf2\x36\x65\xd4\x6d\x4d\xd6\xbb\x91\x9c\xbc\x5d\x40\xcf\x5b\x30\xd6\x05\xbf\x6f\x18\x15\xbc\x4c\x20\x86\x4d\xca\x06\x13\x48\x51\xc7\x79\x99\x1b\x44\xba\x12\x1b\x1a\x71\xf0\xef\x0c\xe1\x2f\x0e\x22\x5c\xf7\xc8\xb5\x95\x42\x66\x45\x6a\xba\xa6\x6e\xac\x18\x7a\x4d\xad\x44\x52\x82\xf8\xbb\xca\xa9\xf9\xd9\x05\x51\x58\x5b\x52\x81\xe4\x73\x8f\xcb\x64\x1e\x91\x0a\x5d\x29\x04\xef\x99\x33\xda\x78\x7c\xde\x6d\x94\xd1\x63\x77\xfc\x1c\xba\x0b\x23\x5e\x31\x61\x4b\x7e\x3e\x79\xf2\x9c\xc0\xc7\xc4\xdc\x08\x9a\x1c\xf9\x69\x3e\xe2\x46\x16\xe4\xf9\x80\x50\x03\xc8\xf3\x01\x56\x2a\xb0\x52\x81\x95\xaa\x5f\xad\x54\x90\xe7\x03\xf2\x7c\x80\x75\x00\xac\x03\x60\x1d\x00\xeb\x40\x4f\x58\x07\x20\x99\x06\x24\xd3\xd8\x2a\x3c\x14\x92\x69\x74\x22\x99\xc6\x3f\x0e\xa1\x11\x01\x04\x35\x4a\x6d\xdd\x30\xe3\x69\x20\xb7\x11\x3a\xf8\x37\x87\xf0\xaf\x0c\xa2\xd7\x87\x6f\xbd\xb6\x52\xc8\xbc\xd0\x1a\x05\x9c\x63\x85\xb4\x09\x00\x8e\xf2\x07\xa6\x43\x15\xb9\x52\xe0\xe5\xcf\x19\x8e\xbb\xd5\xce\x07\xdb\x0c\x10\xf8\xe6\x64\xc6\x77\x10\xef\xf7\x0e\xad\x6b\x1c\x1b\x12\x8d\xf3\x36\x8f\xb0\xbd\x96\x10\x23\x00\x40\x00\x80\x00\x00\x01\x00\x02\x00\x04\x00\x08\x00\x10\x00\x20\x00\x40\x00\x80\x00\x00\x01\x00\x02\x00\x04\x00\x08\x00\x10\x00\x20\x00\xc0\x6e\x01\xc0\xbf\x4f\xa3\x47\xa4\x47\x60\x7c\x22\xdd\x71\xfc\x5f\xd3\xf8\xbf\xa4\xd1\x2e\xb5\x2e\xc2\x3e\xf3\x86\x32\x71\xa3\x6b\xad\xf8\x8a\xdc\x23\x65\xe2\xd6\xc5\xd4\x4f\xcd\xcf\x7a\xbb\xbb\xf6\xe1\xb8\xc9\x86\x82\x26\x1b\x0a\x9a\x6c\xa5\xa0\x92\x85\x9e\x16\x04\xee\x22\x9a\xe3\x04\xee\x2c\x9a\x41\xc5\x0d\x10\xb8\xd0\x77\xb6\x92\xd6\x05\xff\xcd\x30\x9a\x13\xcd\xbf\x54\xa1\x37\xd9\x5a\x68\xd3\x4a\xde\x67\x2b\xf5\xf9\x8c\x05\x8d\xb5\x6c\x83\xda\x86\xbb\x5a\x21\x2b\xa4\x12\xd9\x7b\x3b\xf8\x93\xc3\xf8\x07\xb7\xa1\x87\x42\xa5\x4d\x79\x85\xf9\x59\x11\xde\x9d\x6a\x0d\xd8\xce\xcb\xf7\xcc\xb1\xf7\x4c\x87\xdf\xd3\x26\x8a\x7b\x92\x3f\x70\x36\xa6\xae\x32\x0b\x43\xf3\x1a\x6c\x0d\x07\xcf\xa6\x0e\xd2\x6d\x07\xbe\x1e\xd7\xfd\x9e\x64\xae\xfb\x66\x7c\x45\xc0\xdb\xe6\xad\xdb\xe8\xed\x2c\x49\xf0\x5a\xa3\x14\xd0\x2f\xa0\x5f\x40\xbf\x80\x7e\x01\xfd\x02\xfa\x05\xf4\x0b\xe8\x17\xd0\x2f\xa0\x5f\x40\xbf\x80\x7e\x01\xfd\x02\xfa\x05\xf4\x0b\xe8\x17\xd0\x6f\x6f\xa1\xdf\x0f\x8f\xa0\xb3\x82\x3d\x8a\xcc\x18\x75\x94\xb1\xc9\xd9\x69\x16\xd5\x75\xc3\xb1\x6b\x7c\x7b\xbe\x58\xd3\xcb\xc4\x75\xf0\x17\x87\xf1\xd7\x06\xd1\xeb\x44\x39\x3e\x67\xfc\xa7\x2d\x62\x46\xaa\xcf\xf8\x25\x16\x79\x89\x6d\xe2\x8b\xfb\xf9\x03\x22\x6b\x47\x43\xde\xe9\x98\xd7\x6e\x0d\xa8\xd8\xa3\x51\xe3\xcf\x25\x93\xc7\x63\xf8\xa8\xe4\x88\x62\xa4\x48\x27\xd2\x98\x9e\x88\x49\xb7\x00\xdc\x10\xb8\x21\x70\x43\xe0\x86\xc0\x0d\x81\x1b\x02\x37\x04\x6e\x08\xdc\x10\xb8\x21\x70\x43\xe0\x86\xc0\x0d\xbb\xcb\x0d\xb7\x5e\xda\x3b\x20\x93\x40\x26\x81\x4c\x6e\x21\x32\xf9\x81\x11\xb4\x8f\x75\xdd\xf8\x4a\xa1\x19\x86\x14\xfb\xc7\xaa\x6a\xc9\x9f\xdf\x8e\x7f\x7f\x18\x7f\x3d\x8d\xb6\x6b\xd4\x26\xd7\x56\x0a\x99\x87\x6c\xa2\xea\x75\x3b\x5b\xe1\xe3\x76\x41\xb5\x72\x0f\xb3\xab\xd3\xd4\x26\x57\x42\x44\xd0\xbf\xdc\xde\x43\x9e\x4a\x6f\x5e\xdf\x99\x5d\xec\x0b\xf2\x2b\x85\xbc\x5f\x9d\x44\x3e\xf7\x70\x3c\x9f\xbb\x03\x0f\x96\x89\x8b\xae\x9f\x4f\x26\x73\xc3\x78\x8f\x24\x73\xd9\xac\xa4\x72\xc1\xeb\xc3\xe1\xdd\x99\x4f\xee\x08\xda\xf8\x51\x9b\x58\x15\x55\x23\x4d\x9b\x59\x91\x37\x74\xa9\xa5\xd7\x7d\xf0\x5f\x43\x53\xc3\x41\x32\x70\xf0\xdf\x06\x0f\xfe\xfb\xc1\xd4\xad\x4e\xf3\xf5\x1f\xcd\xd7\x4e\x51\x61\xd5\xda\x2c\x2a\x72\xff\xf0\xfa\x40\x54\x60\x99\xc1\x5d\x0d\x49\x87\x47\xc5\x6f\xdd\x12\x0e\x9d\x39\x6b\x0f\x04\x46\x82\xc0\x80\xf3\x9e\xba\x72\xde\x13\x1c\xf4\x01\x07\x7d\xc0\x41\x1f\x9d\x3a\xe8\xa3\xf4\xf9\x54\x97\x4e\x3b\x40\x97\xc5\xe9\xc1\xe7\xd1\x6c\xe8\xf4\xe0\xf6\x9c\xa0\xa0\xc4\x2f\xfe\x3b\xf1\x76\xd1\x4c\xad\xae\xff\xe1\x55\xbe\xb9\x2e\x50\xfc\xc3\x3b\x83\xf5\x7f\xd8\x52\x6d\xd7\xe0\x86\x41\xb1\x57\x6c\xba\x67\x78\xc4\x12\xa9\xbd\x3a\xae\x14\xbc\xb1\xbe\xa0\x31\xfe\xe6\xbd\x3c\x90\xf0\xa1\xf0\xc5\x2a\xb1\xcb\x24\x7c\x75\x4f\xf8\x2a\xcf\x74\x4f\xca\x86\x36\xd6\x70\x5f\xa4\x14\xf6\xf7\xaa\xbc\xca\x6a\x59\xbc\x88\xe6\x50\xa9\x6e\xb7\x32\x89\x8e\x6c\xa0\x9b\xe7\xb9\xc5\x1c\x54\x91\x04\x55\xe4\x33\x03\xe8\xd3\x03\xf8\x53\x03\x99\x4f\xf8\xf2\xfc\xa5\x81\xfe\xd9\xbb\xd4\x19\x19\x58\x3b\x73\xa3\x39\x37\x84\xb1\xc1\x19\xb8\xce\x0c\x37\x19\xb8\x23\x7c\x59\x12\x3e\x16\x6a\x85\x3f\xc9\xf4\x2f\xf1\x34\xbf\x83\xeb\x42\x8e\x32\x5c\x72\xa8\x39\x2f\x7c\x48\x2e\xb0\x69\x21\xff\x5e\xf0\x26\x4b\xf0\xe3\x48\xf3\x4d\x55\xf1\xb5\x14\x7a\x35\x85\x5f\x49\x65\xbe\xe0\xd3\xab\x4f\xa6\xce\x52\x5b\xe3\x6a\x5a\x99\xf2\x66\xa7\x4a\x76\x89\xfd\x94\x55\xa6\x22\x5f\xc1\xb9\xa4\xd0\xa8\x6a\x4e\x60\x2d\x1f\x53\x35\xfe\xe1\xdc\x07\xa1\x62\x68\x72\xc5\x24\x15\xdd\x51\xe8\x4d\xd9\xa6\xc2\x46\x6f\x11\x6a\x55\x48\x5e\x11\x6f\xe4\x4e\x3f\x5e\x5f\x72\x3e\x18\xdb\x00\xfe\xeb\xb3\xdb\x78\xb5\x22\x0e\x2c\x1d\x67\x41\xed\xdc\xc1\x5d\x7f\x34\x7e\xc1\xd8\x81\xef\xe0\x9f\x8a\x4a\x87\xd0\x01\x3c\x91\xdd\xe7\x1b\x03\xee\xe7\x73\x47\x4e\x64\xbf\xd0\xec\x20\xfb\x39\x8c\xf8\xb7\x9e\x11\x01\xbf\x6f\x3b\x3a\x94\x00\x25\x2d\xaa\x7b\x38\x72\xdc\xa2\xb6\xbb\x44\xed\x9b\xaa\xad\xe3\x2f\xdf\x81\x7f\x2c\x84\x26\x73\x1a\x35\x4d\xf6\xb5\xe7\xce\x3c\x15\x4c\x39\x97\x2a\xa1\x67\xa4\x63\x64\x6e\x58\xde\x2b\xd6\xc3\x73\xc4\x8d\x38\x30\xce\x07\x0f\x4c\xb0\x3d\xae\xe0\x8d\x87\xd1\x43\x62\x8c\xdd\x8f\xee\xe5\x63\xec\x6e\x74\xe7\x4f\xa5\x76\x20\xf9\x31\x89\x43\xe8\x6a\xf2\x10\x3a\x80\x27\xea\x87\x90\xac\xce\x59\x51\x1d\xb9\x3d\x8e\x0e\xa7\xc7\xe2\x87\x13\xc2\x3b\xe4\x57\xa2\xec\xbf\x0d\xb5\xd3\x5e\xaf\x9d\xe6\x2f\x2d\x24\x36\xd4\x48\xa4\xa1\xe6\xa9\xd3\x5a\x4b\x35\x55\xea\xd6\x6c\xc2\x1e\x68\xa9\x52\x11\x9d\xc6\x27\xb3\xc7\xfd\x29\xf4\x58\x78\xea\xc5\xbe\x62\x33\xa6\xe1\x5b\xd0\x55\xfc\x74\x66\xc1\x9b\x86\x87\xe7\xa4\x5b\x08\xeb\x41\xde\x95\x5e\x37\x5e\xf6\x56\xa3\x90\xa9\xfa\x2a\x59\x5c\xa0\xda\x0d\xe2\x3a\xd9\x6d\xfc\x81\xf0\x8e\x17\xff\x64\x06\x15\x13\x26\xa4\x4d\xfc\x55\x4c\x46\xad\x57\x88\xed\x4f\x51\x47\x53\x2b\x04\xff\xf7\x07\xf1\xf7\x0d\x04\x83\xae\xc0\xed\x06\xfc\x92\xd7\x98\x81\x96\x7a\x39\x28\x6f\xda\x2f\x2f\x97\x8f\x33\x26\xc4\xde\xba\xc0\x8a\x6d\xb3\x75\xe1\xbb\xd1\x69\x31\x54\x8f\xa2\xc3\x7c\xa8\x16\xd0\x38\x1a\x6b\xba\xa2\xa8\x35\x97\xb2\xaf\x33\xcc\x32\xdf\x20\xb0\x1a\xdd\xaa\x81\x61\x3e\x79\x1a\x8c\xe1\xbd\xde\xf9\x50\x41\x05\xe4\x7c\x10\x75\x88\x58\x19\x7e\x2f\x64\x65\x38\xe0\x59\x19\xd6\xd5\x29\x85\x26\xa6\x87\x6e\xf5\x4b\x71\x1a\x4d\xa1\x53\x75\xda\xfd\x7a\x3b\x06\x54\x7a\x30\x47\x6c\xd0\x1c\xf1\xc3\xa9\x36\xc8\x85\x33\xc2\x22\x71\x12\x1d\x0f\x2c\x12\x1d\x10\x2f\x6d\x97\x1f\x09\x66\x8e\xe2\xfb\xee\x0a\xc4\xcb\x89\x06\x32\xb1\x2e\x39\x33\x1e\x8b\x2b\xba\x21\x65\x80\x5f\xf4\x9b\xb0\x03\x7e\x01\xfc\x62\x93\xf9\x45\x37\xb4\xcd\x24\xea\xd0\xfe\xf5\xa2\x34\x81\xf6\xe1\x7c\x76\xd4\xdf\x08\xdd\x13\xde\x4c\xf1\xfb\x6f\x0b\x86\xf1\x1b\xc3\x81\x63\xd5\x9a\x51\x9e\xdc\x39\xcd\xe6\x82\x00\xff\xeb\x61\xfc\xe9\xc1\x60\xbd\x6c\xf1\xcc\xdf\x39\x56\xc2\x65\x76\xa1\x4d\xc1\x9c\xbb\x6f\xc6\x2d\xb4\xc1\x6b\x20\x78\xf3\x16\x82\x37\xe7\x92\x67\xd4\x08\x1e\x92\x67\x7e\xf8\x4d\x8e\xe2\x0d\x41\x10\xaa\x09\xa1\x9a\x10\xaa\x09\xa1\x9a\x10\xaa\x09\xa1\x9a\x10\xaa\x09\xa1\x9a\x10\xaa\x09\xa1\x9a\x10\xaa\x09\xa1\x9a\x10\xaa\x09\xa1\x9a\x10\xaa\x09\xa1\x9a\x10\xaa\x79\xfb\x84\x6a\x7e\x79\x18\x8d\x89\x24\x72\x8e\x4b\x6d\xb5\x4c\x1a\xce\x0e\xd6\x1c\xc3\xa4\x3a\xf1\xe3\x34\x7f\x68\x18\xff\xc1\x20\x42\xf2\xf6\x6b\x2b\x85\xcc\xcb\xf2\x3c\x8a\x30\x47\x34\x3d\x29\x49\x97\x94\x1b\x86\xa9\x2b\xd3\x0b\xb3\x17\xa9\xde\x1e\x98\x38\x1a\x68\x44\x5c\xeb\x93\xeb\x27\x53\xaa\x02\x55\x6f\x28\xa2\x5d\x87\xca\xce\xe7\xee\xe7\xaf\x5b\x10\x5f\x70\xa5\x20\xab\x06\xf0\x71\x3d\x28\xff\xa6\x40\xf9\x4f\x27\x83\xc7\x09\xbc\x4f\xb2\xc5\xe8\x10\xf3\x5c\x17\x45\xeb\x47\x79\x3e\x10\x48\x20\x90\x40\x20\x81\x40\x02\x81\x04\x02\x09\x04\x12\x08\x24\x10\x48\x20\x90\x40\x20\x81\x40\x02\x81\xec\x2e\x81\x3c\x80\x26\xf0\xbe\x6c\xde\x27\x90\xf7\x46\xe2\xc3\xc4\xce\xad\xd1\xb3\x0a\xa8\x22\x50\x45\xa0\x8a\x7d\x4c\x15\xbf\x38\x84\xee\x8f\xfa\x29\x3a\x44\xb3\x89\xeb\xe0\x9f\x1a\xc2\x9f\x08\x39\x23\xda\xad\x39\x23\x2e\xf0\xa7\xdb\xe4\x88\xf8\x44\xc8\x11\x51\x14\x3c\x67\x38\xee\x59\x6a\x4f\x55\x2a\xbe\x63\x62\xfb\x4e\x39\xbe\x8d\x0e\xa7\x6d\xc9\x15\xf1\xc9\x64\x22\xf8\x04\xde\x5d\x1f\x53\x29\x3a\x02\x20\x20\x40\x40\x80\x80\x00\x01\x01\x02\x02\x04\x04\x08\x08\x10\x10\x20\x20\x40\x40\x80\x80\x00\x01\x01\x02\x6e\x26\x04\x04\x9c\x07\x38\x0f\x70\x5e\x1f\xe3\xbc\x9f\x7b\x1e\x4d\x0b\x27\x41\x55\x67\xaa\xac\x41\x4d\x9b\x94\x0d\x9e\x78\x82\x3d\x13\xb8\x0c\x56\x6b\xae\xca\x34\x94\x9b\x64\x71\x99\xd2\x1b\x91\x3d\x9f\x83\xbf\x75\x0d\xff\xff\x87\xd0\x77\xc5\x16\x72\x6d\xa5\x90\x99\x14\x2a\xa4\x2d\x17\x3f\x4f\x3a\x7a\x2e\x84\x17\x64\xe1\x57\x45\xe1\xd3\xe1\xc2\x73\x87\xd9\xb3\x53\x71\x25\x5f\x29\xac\xf5\x60\x8f\x73\xbe\x22\x40\x30\x80\x60\x45\x80\x60\x00\xc1\x00\x82\x01\x04\xeb\x1b\x08\x56\xec\x19\x08\xd6\xf6\x9a\x6c\x18\x82\x15\x01\x82\x01\x04\x03\x08\x06\x10\x0c\x20\x58\xf7\x21\x58\xb1\xaf\x99\x55\x11\x98\x55\xe7\x98\x55\xb1\xd7\x99\x55\x71\x0b\x32\xab\xd2\x3f\x4b\x21\x22\xfc\xa0\x9e\x43\xcf\x70\x3f\xa8\x2b\xe8\x29\x74\xb9\x79\xa6\xc3\x58\xb2\xb5\x52\xc8\xaf\x05\x8f\xe6\x0c\x27\x39\x86\xf2\x91\x78\xaf\xa9\xed\x78\x9b\x70\x98\x7a\x31\xd9\x61\xea\x69\xbc\x10\x93\xaa\x6d\x2d\x18\x27\xdd\xaa\xd6\xaa\x3c\xca\xfe\x2e\x5a\x03\xc6\x3d\x21\x96\x34\x45\x5d\x9b\xbb\x1d\x15\xb7\x6d\x26\x79\x13\xa0\x4c\x47\x8b\xe8\xf9\xba\x6c\xb6\xf3\xe8\x62\x7b\x3b\x1c\x72\xdc\x42\x42\xef\x0d\x26\xf4\xfe\xf5\x34\x52\x85\x40\x7a\x2b\x7a\x33\x17\x48\x97\x51\xdb\xc7\x27\x5a\x12\x19\xbf\xaf\xa1\x67\x83\x8c\xdf\x9d\x78\x4f\x59\x9c\x72\xf6\x3c\x7a\x2e\x74\xca\x59\x27\x5e\xb4\x71\xe9\x6a\xd1\xd6\xa5\x6b\x9b\x24\x6a\xe4\xf8\xd4\x9f\x1a\x5b\x43\xba\x16\xe4\x41\x79\xa1\x53\x07\xe9\xd2\xda\x92\x76\x5a\x3c\xd2\x44\xd2\x4e\xfb\x05\x75\x51\xe6\x76\xe6\x48\x56\xa0\xdd\x40\xbb\x81\x76\x03\xed\xee\x1f\xda\x0d\x5a\x65\x82\x56\xd9\x3b\xe6\x00\x38\x0e\xbb\x2b\xc7\x61\x83\xd5\x05\xac\x2e\x60\x75\x01\xab\x0b\x58\x5d\xfa\xda\xea\xf2\xa5\x34\x7a\x2d\x8d\x5f\x4d\x67\x5e\xf1\x57\xdb\x8f\xa7\x67\x42\x51\xc0\x56\x85\xa8\x0e\xf1\xa7\xfe\x7c\xfd\x19\xf0\x11\x9f\x2b\xaf\xbb\x83\x30\x62\xd6\xe1\x85\xfc\xe1\xbc\xb2\x20\xe4\x88\x1b\x3e\xb7\x3e\x58\x45\x88\x3c\x1c\xdf\xf3\x01\xb3\x6b\x64\x7c\x49\xad\x78\xda\x7f\x56\x5c\xcd\x86\xce\xed\xf7\x5e\xa5\xea\xdc\x84\x41\xc7\x05\xd1\xd6\x03\xd5\x52\x14\x3e\xe4\x28\xa1\xe3\xfc\x59\x4b\xe5\x95\x33\x06\x17\x49\xa1\x8a\x53\xbb\xf1\xcb\x02\xb3\x91\x2b\xd4\x7d\xae\xfd\x51\x77\x39\x9f\xdd\x25\xea\x33\xe3\x9f\x97\x1f\x71\x26\x7b\xcf\x20\x7a\xd7\x20\x7e\xc7\x60\xe6\x3b\xbe\x47\xe1\x57\x06\xae\x4a\x39\xc8\x86\xe8\x32\xbd\x59\x7f\xb8\x3f\xeb\x7b\x5f\x51\x23\xf6\x12\xb5\xab\xac\x2d\x62\x6b\x7a\xa9\xee\xe5\xcd\x2b\xca\xd5\x1a\x4f\x27\x91\xa7\xfe\x1b\x4c\x5f\xd0\x0c\x3d\x50\xac\xf9\xda\x28\xce\x48\xf2\x5a\x97\x2d\x4e\x72\xe5\xf0\x56\xbf\x7c\xa8\x19\x3d\xb9\xe9\xdb\x6a\x7c\x3f\xc2\xe8\xcb\xf2\x8a\x40\x57\x5c\x16\x87\xb5\xd5\x21\xf1\x0d\x43\x6c\xcf\xc3\xff\x8a\x0e\x0c\xe7\x98\x32\x54\x54\xb5\x1b\x65\x9b\xd6\x4c\x9d\xdd\xc5\x1d\xf8\xf8\x4d\x75\x0d\x27\x94\x15\xa9\x01\x45\x0b\xf1\xbe\x60\xd1\x2f\xe9\x98\x32\x74\x96\xda\x24\x54\xac\xa2\xa9\x8e\xa6\xea\xec\xeb\x65\xfb\x08\x97\x4d\x5e\x9e\x23\xd4\xe9\x86\x02\x97\xfc\x32\xf2\xd9\x7b\xac\xfa\x71\x13\xd6\x6d\xc0\xa8\x09\x46\xcd\x3e\x35\x6a\x96\xca\x68\x4e\xe0\xf8\x33\x68\x9a\xe3\xf8\x13\xe8\x18\x3a\xba\x01\x78\xb9\xe0\xaa\x6e\xcd\x49\x04\xd5\xb9\x78\x50\x7d\x2f\xbe\x47\xcc\xe6\x40\xd2\x6e\x22\xb4\x6e\xff\x91\x65\x1f\x7a\x1e\x1d\x96\xb1\x03\x96\x41\x5e\x74\x89\xc9\x07\x58\x28\x66\x40\xab\x39\x2e\xad\x7a\xe3\x29\xd4\xfc\xf8\xab\xd7\xf0\x5f\xef\x41\xbb\x22\x0f\x5e\x5b\x29\x64\x0e\xad\x1d\x27\x30\xcd\x0b\xf4\xa8\xe1\x8c\x5f\x60\x6e\x2f\x8f\x11\x08\x97\x76\xa5\xd0\xec\x66\x88\x0b\x80\xb8\x00\x88\x0b\x00\x4b\x09\x58\x4a\xc0\x52\x02\x96\x92\x9e\xb1\x94\xf4\x8e\x21\x00\x08\x35\x10\x6a\x20\xd4\x40\xa8\x81\x50\xf7\x35\xa1\x06\x84\x06\x08\xad\x4f\x11\xda\x96\x8c\x0b\xf8\x57\x29\xb4\x22\xb8\x1f\x45\x55\xce\xfd\xca\x88\x20\xad\x19\xf7\x0b\x50\xd1\x98\xbf\x5f\x0f\x10\x60\x14\x69\xad\x14\xf2\xcd\x68\x52\x5b\x02\x05\x2a\xc9\x54\x70\x16\x9f\x93\xa7\x2a\x35\xa9\x48\xdc\x91\xef\x71\x60\x0e\x65\xff\x0e\xc5\x90\xb7\xc7\xfc\xa0\x80\xa6\x90\x6d\x4c\x06\x04\x74\x19\xb3\x09\x2a\x56\x43\x0e\x7a\xa1\x2e\x08\x40\x45\xd7\x3a\xdc\xbb\xe0\xbf\x05\x51\x01\x1b\x8c\x0a\xf8\x67\x03\xc8\x16\xe2\xe8\x06\x32\xb8\x38\xd2\x50\xe7\x07\x2c\xba\x29\xc2\x04\x2c\x64\x06\x61\x02\x5d\x79\xf1\x8b\x22\x6e\xe0\x05\x44\x43\x71\x03\x5d\x79\xf3\xad\x06\x12\xb4\x26\x7d\xd7\x12\xa9\xeb\x90\xcc\xb9\xf7\x8d\xc5\x48\xdf\xb1\xd8\xa0\x81\xa6\x92\xf8\xb0\x0c\x18\xa8\x93\xc4\xfe\xc3\x5d\x92\xc9\x10\x24\x00\xe8\x1b\xd0\x37\xa0\x6f\x40\xdf\x10\x24\x00\x41\x02\x10\x24\x00\x41\x02\x60\x82\x01\x13\x0c\x98\x60\xc0\x04\x03\x26\x18\x08\x12\x80\x20\x01\x08\x12\x80\x20\x01\xb0\x70\x82\x85\xb3\x07\x2d\x9c\x3d\x1d\x24\xd0\x55\x20\xdd\xfe\xc0\x80\xff\x35\x8a\x4e\x6e\x30\x30\x60\xfc\x7b\x4c\xb5\x4a\xde\x8e\x3f\x3b\x8a\xbf\x36\x10\xc3\xc9\xf7\xda\x44\xd5\xeb\xb6\xab\xcd\x83\x02\xd8\xcd\x9b\x62\xad\x2c\xbd\x37\xd5\xfc\x10\xcf\x4d\xb0\x0a\x79\x83\xf0\xe1\xf8\x41\x78\x07\x1e\x2c\x93\x6e\x1b\x42\x32\xef\x8b\x33\x43\xe7\x6d\x62\x55\x54\x8d\xb4\xda\xc7\xde\xfd\x60\x94\x06\x5e\x08\x46\xe9\x44\xa3\xf4\xbb\xd3\xfd\x65\x94\x4e\x5a\x95\x9b\x0b\x44\xab\xd6\xb2\x40\x6c\xd5\xf1\x26\x41\x38\xe6\x7e\x65\x57\x9c\x5f\x8e\xdc\x3c\xac\xe5\x97\x13\x6f\x0d\xde\xca\x36\x60\x90\x70\x09\x12\x0e\xec\x10\x5d\xb1\x43\x00\x80\x02\x00\x05\x00\xaa\x53\x00\xaa\xf4\xf9\x54\x9b\x77\xe1\x97\x85\x13\xda\x79\x34\x1b\x72\x42\xeb\xf0\xce\x5e\x89\xd7\x21\x76\xe2\xed\xa2\x99\xba\xbc\xaf\x2a\xfe\xfe\x5d\x31\x6a\xc4\x61\x4b\xb5\x5d\x83\x3b\xed\x08\xdc\xdf\xea\x06\x6b\xd4\x52\x5d\x6d\xb9\xeb\xba\xc5\x1b\xeb\x0b\x1a\xe3\xf5\xd8\xcb\xfe\x9c\x7c\x28\x7c\xb1\x4a\xec\x32\x09\x5f\xdd\x13\xbe\xca\xb3\x26\x90\xb2\xa1\x8d\x35\xdc\x17\x29\x85\xfd\xbd\x2a\xaf\xb2\x5a\x16\x2f\xa2\x39\x54\xaa\xdb\xda\x4d\xa2\x23\x1b\x18\x46\xf3\x3c\xca\x1b\x34\x9a\x04\x8d\xe6\x33\x03\xe8\xd3\x03\xf8\x53\x03\x99\x4f\xf8\xcb\xc2\x4b\x03\xfd\xb3\x67\xab\xb3\xca\xb2\x76\xe6\xde\x6e\xdc\x73\x80\x0d\xce\x20\xdd\xc3\x70\x93\x81\x3b\xc2\x57\x37\xe1\x1c\xa9\x56\xf8\x93\x4c\x8d\x13\x4f\xf3\x3b\xb8\x4a\xe5\x28\xc3\x25\x87\x9a\xf3\x22\xef\xc1\x05\x36\x2d\xe4\xdf\x0b\xde\x64\x09\x7e\x1c\x69\xbe\x99\x2c\xbe\x96\x42\xaf\xa6\xf0\x2b\xa9\xcc\x17\x7c\xc6\xfb\xc9\xd4\x59\x6a\x6b\x5c\xdb\x2b\x53\xde\xec\x54\xc9\x2e\xb1\x9f\xb2\xca\x54\xe4\x2b\x38\x1c\x17\x8a\x59\xcd\x09\xdc\xdc\xc6\x54\x8d\x7f\x38\x77\x1e\xac\x18\x9a\x5c\x78\x49\x45\x77\x14\x7a\x53\xb6\xa9\x70\xae\xb3\x08\xb5\x2a\x24\xaf\x88\x37\xf2\x44\x15\x5e\x5f\x72\x48\x1d\xdb\x00\xfe\xeb\xb3\xdb\x78\xb5\x22\x11\x24\xef\x4d\x6d\xca\xee\x38\x69\x81\x79\x34\x7e\x81\xd9\x81\xef\xe0\xdf\xd4\x6d\x5e\x7c\x06\x4d\xe3\xa9\xec\xa9\x1d\x29\x3c\x68\xa9\xee\x72\xe6\x71\x3e\x25\xa5\x7c\x68\x56\x44\x76\x90\xdd\x95\x93\xa3\xe7\x23\x1d\x38\x7b\x1a\xff\xda\x08\xda\x27\xb0\xb3\x49\xdc\x9b\xd4\x66\xd3\x3e\xc4\x9c\x0d\xb3\x6c\x13\xc7\xd1\x2a\xaa\xe3\x10\x1f\x34\xff\xc0\x08\x7e\xe7\x00\xba\x3b\x78\x82\x2d\x96\x8f\xc6\x50\xe6\x59\xf1\xf8\x34\x7b\x3c\xf7\x10\xbb\xe1\xa2\xff\xcc\x95\x42\xf8\x6a\x9b\x51\xb2\x8a\xce\x8a\x31\x79\x0a\x9d\xe0\x63\xf2\x30\x3a\x88\xf6\x37\xcd\xc5\x1f\xfa\xf6\x95\x42\x3e\x5c\xaf\xc4\x71\xf6\x6c\xf2\x30\x9a\xc4\x47\xe4\x30\x6a\x68\x63\x39\x86\x22\x6f\x0c\x8f\x9b\x04\xf8\x9c\xf9\xfd\x1d\xf5\xdd\x90\x8d\x67\xc1\x91\x9e\x78\x54\xde\xd3\x9d\xce\x28\xce\xa2\x73\xe8\x4c\x9d\x56\xb0\xb1\xde\x00\x85\x00\x20\xee\x06\x21\xee\xcb\xa9\xb6\x89\x84\xf3\x02\xcc\xce\xa0\x62\x00\x66\x6f\x3f\xf9\x62\xd5\x5c\x94\xfb\xc8\xae\x7a\xf9\xf2\x80\x87\x56\xcd\xa8\x4c\x79\x44\xfc\xde\x25\x91\x02\x00\x15\x00\x2a\x00\x54\x00\xa8\x00\x50\x01\xa0\xf6\x27\x40\xed\xb0\x5e\x90\xc8\x67\x8b\x2f\xdd\x55\xaf\x1a\xec\x4d\xc0\xa5\x11\x7d\xe1\x61\xbe\x0d\xef\xbc\xba\x00\x4c\xb4\xdf\x94\x14\x60\xa2\xc0\x44\x37\x99\x89\xde\x36\xf8\x29\x89\xa2\x96\x8e\xa2\xc3\xf8\x60\x76\xbf\xcf\x35\xbf\x2b\xcc\x35\xc3\xe5\x76\x81\x65\x7e\x6b\x04\xcd\x09\x96\x69\x2f\xaa\x5a\xde\x6b\xac\x70\x02\xf0\xf1\x95\x82\x70\x9e\x1e\x67\xb5\x71\x2c\x55\xf3\xa8\x26\xff\xfb\xed\xe3\x36\xad\x04\x9c\xf3\xe3\x23\xf8\x3b\x83\xe8\x3e\x56\xda\x54\xb8\x30\xb6\xd8\xfd\x44\x4a\x3a\x61\x07\x59\x9d\xd8\x8c\x17\xfb\x02\x2f\xf5\xf6\x65\xca\xc6\x95\x1e\xd2\xdc\x3d\x95\x7d\x88\x3f\x3d\x14\x24\x35\x88\x44\xa9\x53\x8b\xf8\xfb\x29\xc7\x25\xaa\x3e\x1a\x44\xf3\xf1\x3d\x88\x8c\xfd\x32\x5c\x52\x0d\x04\xd7\x50\x24\x00\x37\x54\x76\x3e\xb7\x87\xbf\xee\x72\xfd\x87\x5c\x29\x5c\xf4\x3e\x5d\x67\x75\xed\xf1\x2c\xdf\xa5\x1b\x68\x5e\xcc\xab\x59\x74\x8e\xcf\xab\x29\x74\x0a\x9d\xd8\xc0\x52\xca\xb3\x72\x9d\x59\x21\x66\x72\x1a\xaa\xe6\x53\xe0\xa6\x30\x24\xac\x6b\x0a\x36\x1d\x99\x72\x2a\xb2\x5e\x88\x5a\x0e\x20\xb3\x39\x64\x36\x2f\x41\x7a\x17\x48\xef\x02\xe9\x5d\x20\xbd\x4b\xdf\xa4\x77\x29\xf5\x4c\xf6\x92\xb6\xd7\x64\xc3\x69\x35\x4a\x90\x56\x03\xd2\x6a\x40\x5a\x0d\x48\xab\x01\x69\x35\xba\x9f\x56\xa3\x54\x40\xe3\x78\x2c\xbb\xd7\x27\x1d\xbb\xc2\xa4\x83\x6d\xdb\x1a\x09\xc7\xf3\xe8\x39\xfc\x4c\xf6\xad\xfe\x23\x93\xb2\xb2\x02\x3d\x32\x9d\xa8\xe6\x2e\x2b\x8e\x46\x2d\x32\xaa\x38\x35\x6d\x99\x75\x18\x57\x7a\x89\x5a\x15\x06\x1d\xcb\xa6\xbc\x71\xb2\x3b\x7d\x48\xd1\x49\x86\x52\xea\xeb\xec\x06\x25\xc8\x6e\xd0\xb9\xec\x06\xa5\x9e\xcf\x6e\xb0\x05\xf3\xb7\xe3\x7f\x3b\x84\x1e\x61\x5d\x37\xbe\x52\x18\xf7\x6c\x39\xa6\xbb\x42\x2b\xb5\x2a\xd1\x2a\xaa\x51\x75\xf0\x3b\x87\xf0\xb7\x07\xd0\x76\x8d\xda\xe4\xda\x4a\x21\xb3\x7f\xed\xd3\x02\xe7\xfd\x42\xae\xf0\x42\xa6\x59\x21\xb9\x71\xf6\xd0\x34\xb5\xc9\x95\x42\xec\x0d\x67\xa9\x3d\x55\xa9\xf8\x30\xb1\x7d\xf6\xbb\x0e\x81\xc4\x65\x74\x41\x80\xc4\xb3\x68\x86\x83\xc4\x93\xe8\x38\x9a\x6c\x0a\xe8\x59\xdb\x71\x0b\x5c\xdc\xb7\xb7\x94\xcc\xfe\x6a\x32\x24\x3c\x80\x27\x24\x24\xcc\x66\x25\x0d\x8c\x7d\x5f\x94\xd0\x27\x64\xc9\x07\x7c\x08\xf8\x10\xf0\x21\xe0\x43\xc0\x87\x80\x0f\x01\x1f\x02\x3e\x04\x7c\x08\xf8\x10\xf0\x21\xe0\x43\xc0\x87\x5d\xc6\x87\x40\xea\x80\xd4\x01\xa9\xeb\x63\x52\xf7\x7f\x8d\xa0\xc3\x1e\xa9\x5b\xd3\x05\x91\xb7\xa1\xcd\xbf\xc0\x73\x44\xfc\xe7\x23\xf8\x0f\x07\x03\x84\xf7\xd9\x56\x7c\x0f\xe7\x58\x31\x97\xd9\x0d\x3d\xe1\x81\xf8\x28\x7f\x9d\x40\x88\x81\xd3\x61\x50\xc9\x5e\x27\x86\x3d\xe9\x7a\x38\x97\x4c\x15\x47\xf0\x50\x3d\x55\x0c\x1a\x1d\x3c\x0d\x01\x15\x02\x2a\x04\x54\x08\xa8\x10\x50\x21\xa0\x42\x40\x85\x80\x0a\x01\x15\x02\x2a\x04\x54\x08\xa8\x70\x33\x51\xe1\x61\x74\x10\xef\xcf\x16\x7c\xb7\xc1\x07\xc2\x9e\x86\xc1\xe6\x0d\xfc\x0d\x81\x62\x02\xc5\x04\x8a\xd9\x55\x8a\xf9\x7f\x0c\xa3\xfd\xf2\x98\xa2\x9a\x4b\x1d\x4d\xad\x18\x66\x39\x40\x9a\x1c\x60\x51\xd3\x55\x2b\x16\xd5\xbd\x3b\x88\xed\xe0\x7f\x18\xc2\xdf\x1a\x44\xaf\x0b\x3d\x74\x6d\xa5\x90\x79\x49\x82\x4c\xc3\xd4\x8d\x15\x43\xaf\xa9\x95\x08\xd3\xf4\x55\xdc\x27\xfd\x62\xe7\xa9\x3e\xe5\x17\xdb\x16\xb0\x99\xcf\x09\xcc\x37\x15\x54\xed\x4a\xa1\xc9\x0b\xe7\x0c\xc7\xdd\x6a\xae\x8e\x9b\x01\x2e\x77\xc7\x83\xcb\xbb\x30\xe2\x15\xe3\x9e\x89\xd7\x17\x93\xe1\xe5\x29\x7c\xc2\x4b\xc0\x1a\xf4\x8e\xa4\x98\x4d\xba\x08\x90\x26\x20\x4d\x40\x9a\x80\x34\x01\x69\x02\xd2\x04\xa4\x09\x48\x13\x90\x26\x20\x4d\x40\x9a\x80\x34\x01\x69\x82\xf7\x23\x70\x43\xe0\x86\xc0\x0d\x37\x85\x1b\x7e\x65\x18\x1d\xf2\x8e\x37\xb7\x9c\xe4\x34\x8c\x84\xa3\x2e\x36\x81\xf1\x0f\x0e\xe3\x97\x07\xd1\x76\xf6\xdc\xb5\x95\x42\x66\xa5\x35\x64\x78\x59\x94\xb0\x40\xdc\x36\x51\xc2\xdd\x82\x12\x5a\x96\x13\xc9\x9a\xe8\xbf\x66\xce\x70\x5c\x60\x81\x8d\x2c\xf0\x62\x32\xe6\xdb\x8b\x47\xfc\x73\x96\x2c\xc7\xcb\x84\xe8\xb7\x6c\x34\xe0\xb9\x15\xb6\x08\xdc\x0f\xb8\x1f\x70\x3f\xe0\x7e\xc0\xfd\x80\xfb\x01\xf7\x03\xee\x07\xdc\x0f\xb8\x1f\x70\x3f\xe0\x7e\xc0\xfd\xba\xcc\xfd\xc0\x23\x11\xc8\x22\x90\x45\x20\x8b\x1d\x24\x8b\xbf\x99\x46\x77\x0b\xb2\x28\xce\x8a\x1b\xc7\xbf\x90\xc6\x9f\x4f\xa3\x3b\xc4\x3f\x33\x99\x32\x3f\x36\x6f\x89\xda\x55\xbf\xdd\x54\x85\xf3\xa6\xdc\x3d\x65\xe2\x8a\xf3\xe1\xa6\xe6\x67\xcf\xb1\x9f\xda\x77\xf0\x58\x43\x41\x93\x0d\x05\x4d\xb6\x52\x50\xc9\x40\x17\x05\xb4\x3b\x87\xce\x70\x68\x77\x0a\x9d\x40\xc7\x36\x00\xed\xbc\x6f\x4c\x42\x76\xf8\xbd\x23\xe8\x58\xf3\x43\xc1\x17\x89\xab\x7a\xf8\x36\xfe\x7c\xf0\x5f\x1f\xc6\xef\xde\x86\x70\xe4\x74\x38\xfe\x54\xe6\xa7\x5b\x89\x5c\x0f\x1f\x1b\xd4\x13\xb1\xeb\xd9\x9b\xf5\x67\xd5\xf1\xaf\xe9\xc8\x81\x75\xb7\x11\xf9\x4d\x0c\x5f\x5f\x97\x07\xe8\x7a\x0f\xaf\xe2\x5d\x04\x24\x18\x48\x30\x90\x60\x20\xc1\x40\x82\x81\x04\x03\x09\x06\x12\x0c\x24\x18\x48\x30\x90\x60\x20\xc1\x40\x82\xbb\x4d\x82\x7b\xe8\xa0\x60\x40\xbc\x80\x78\x01\xf1\x6e\x21\xc4\xfb\xfd\x6f\x44\xb3\x11\xc4\xbb\x52\x68\xe6\x38\x6a\x51\x5d\x37\x1c\xbb\xc6\xb7\xf3\x8b\x35\xbd\x4c\x5c\x0f\x4b\x8e\x3b\xae\xea\xd6\x1c\xfc\x85\x0c\xfe\x91\x01\xb4\x53\x14\x75\x6d\xa5\x90\xd9\x67\x13\x55\x57\xc4\x55\xaf\xc9\x83\xa5\x7b\x9e\xea\x33\x7e\x89\x45\x5e\x62\x6e\x9c\x3d\x21\xc0\x71\xd8\x19\x34\xe6\xd6\x05\x5e\x6a\xfb\xa8\x32\x87\x79\x7a\x53\xf4\x86\x66\x05\xe5\x2b\xa2\xd3\x9c\xf2\x4d\xa2\x23\xe8\x50\xd3\x63\x6d\x44\x13\xf0\x83\x6d\x1a\x6b\xee\x51\xbc\x87\xe3\x29\xde\x1d\x78\xb0\x4c\x5c\x74\xfd\x2d\xc9\x0c\xef\x10\x3e\x20\x19\x9e\x78\xa1\x77\xb8\x4d\xe3\x3b\x23\x9e\x9e\x99\x77\xec\x0c\xf7\xd2\x7e\x9b\x58\x15\x55\x23\xeb\xea\xa8\x09\xf9\xd0\xa6\xf5\x55\x71\x0e\x95\xd0\x93\x78\x70\x91\xea\xab\x19\xfe\x5f\x25\x95\xdb\x70\x9f\x14\x3f\x96\x46\x1f\x4d\xe3\x8f\xa4\x33\x1f\xf4\x65\xf7\xb7\x53\x57\xd9\x22\x28\x17\xee\x51\xee\x18\xad\xb1\xed\xb9\x10\xb6\x91\xcd\x62\x18\x20\x2e\x12\xc5\x3b\x30\x4a\xcf\x2b\x53\xa6\x62\x98\x02\xd3\x50\x5b\xa9\x99\x3e\xe9\xd1\x15\xdd\x5e\xbd\x5c\x33\x15\xdd\xb0\x09\x93\x30\xc4\xc7\x07\x4c\x0b\xe0\x6a\x96\xe4\x27\xde\x6e\x49\xee\x58\x95\xa5\x9a\xcd\x35\x72\xcb\xa6\x1a\x71\xb8\x3e\x24\x3b\x4d\xae\x96\x79\xe5\x0a\x7f\x23\xdf\xe9\x70\x05\x66\x52\x19\x53\xa6\x2a\x95\x49\xae\xed\xe8\xf6\xaa\x62\xd7\x4c\xd6\xe1\x4c\x24\x79\x2a\x9e\x2c\x8e\xe8\xd9\x3b\x44\xd5\x42\xf2\xb7\xf8\xa1\x34\xfa\xfe\x34\x7e\x7f\x3a\xf3\x5e\xbf\x81\xbe\x99\xe2\x0a\xf2\x05\xd5\x54\xcb\xc4\x16\x5b\x3d\x61\x7f\x76\x1c\xaa\x19\x5c\x7b\xf1\x37\x55\x2a\xdf\x95\x52\x5b\x61\xca\xad\xbb\xea\xab\x73\x55\xf5\x06\xab\xbf\xbb\x4c\x1c\xe2\x09\x49\x26\xb8\x3d\xdc\xc5\x89\xcf\x22\x51\xb8\x78\xe6\x1b\x28\x6a\x2b\x85\x89\x23\xec\x5e\x5b\xd5\x38\x97\xab\x50\xb3\x2c\x44\x22\xdf\xe4\x30\x7d\x54\x35\x4c\xa1\xa9\xf0\x4d\x44\x70\x2f\x67\x15\x92\x1a\xb2\xad\xaf\xb7\xcc\x95\x69\x45\x35\xcb\x79\x6a\x97\xc7\xad\x1b\xe5\xf1\x9a\x69\x68\x54\x27\xe3\xbb\x67\x9d\x79\x56\x4a\x3e\x7b\x57\xf8\x5b\xc3\x0b\xd3\xe7\x52\x6d\x94\x0d\xc2\x22\x55\xe0\x16\xa9\xed\xd3\x42\x75\xbf\xa5\xf2\x92\x4c\x09\xcd\x85\x90\x55\x6b\x59\x08\xb5\x26\x76\xa2\xa2\xaa\xf8\xc3\x77\x85\x85\xd0\x71\x4b\xb5\xd9\x7e\x9b\xed\x51\xf9\x12\xb7\x2e\x69\xb4\xcf\x62\x4b\xdb\xa6\xc8\xa2\x37\xd6\x17\x34\xc6\xeb\xb2\x97\x1b\x26\x1f\x0a\x5f\xac\x12\xbb\x4c\xc2\x57\xf7\x84\xaf\x32\x5d\xd8\x25\x65\x43\x1b\x6b\xb8\x2f\x52\x0a\xfb\x7b\x55\x5e\x65\xb5\x2c\x5e\x44\x73\xa8\x54\x27\x07\x27\xd1\x91\x0d\x58\xa0\xe6\x39\xe7\x07\x49\x98\x20\x09\x3f\x33\x80\x3e\x3d\x80\x3f\x35\x90\xf9\x84\x6f\xf8\x7a\x69\xa0\x7f\x24\x61\x1d\x1a\x61\xed\xcc\x51\x3f\xc7\x77\x6c\x70\x06\x06\xbf\xe1\x26\x03\x77\x84\x33\x6f\x61\x19\x52\x2b\xfc\x49\x93\x9a\x63\xe2\x69\x7e\x07\xb7\x0c\x3a\xca\x70\xc9\xa1\xe6\xbc\xb0\x7c\x5d\x60\xd3\x42\xfe\xbd\xe0\x4d\x96\xe0\xc7\x91\xe6\x22\xba\xf8\x5a\x0a\xbd\x9a\xc2\xaf\xa4\x32\x5f\xf0\x55\xf3\x4f\xa6\xce\x52\xb6\xd3\x34\x1c\xa5\x4c\x79\xb3\x53\x25\xbb\xc4\x7e\xca\x2a\x53\x91\xaf\xe0\x9b\xae\x2a\x51\x4d\x47\xa9\x39\x01\xe3\x1f\x53\x35\xfe\xe1\xdc\x72\x52\x31\x34\x41\xf7\x39\xcc\x55\xe8\x4d\xd9\xa6\xc2\xb2\x60\x11\x6a\x55\x48\x5e\x11\x6f\xe4\xa6\x4a\xaf\x2f\xf9\xe6\x27\xb6\x01\xfc\xd7\x67\xb7\xf1\x6a\x45\xcc\x6e\xed\x54\x47\x13\x97\x88\xce\x29\xa2\x6b\x18\xb2\x79\x23\xa0\xd2\x69\x74\x12\x1f\xcf\x4e\xfa\x70\xe3\xd1\x30\xdc\x88\x29\xfe\x76\x48\xdd\x87\xdf\x3b\x8c\xf2\x75\xbb\xb2\xb0\x6b\x88\x45\x75\x87\x68\x35\xdb\x70\x57\xf9\x75\x83\x38\xf8\xab\x43\xf8\xb5\x41\xf4\x3a\x7f\x3d\x15\x4e\x21\x6f\x6f\x2d\xa2\x6f\x9e\xea\x0b\xb2\x40\xb1\x84\xb6\x29\xb0\x4f\x3c\xe0\xad\xca\xbc\x4a\x0d\xaf\xda\x1a\xc1\x7d\x4d\x77\x85\x6d\xf7\xfd\xf0\x26\xdd\x33\xc9\x93\xee\x28\x3e\xdc\x64\xd2\x45\x9b\xb8\xd1\x77\x03\x42\xfd\xc0\xc1\x03\x1c\x3c\xc0\xc1\x03\x1c\x3c\xc0\xc1\x03\x1c\x3c\xc0\xc1\x03\x1c\x3c\xc0\xc1\x03\x1c\x3c\xc0\xc1\x03\x1c\x3c\x7a\xd1\xc1\x03\xbc\x34\xc0\x4b\x03\xbc\x34\xfa\xd8\x4b\xe3\x5b\x43\xe8\x41\xef\x80\xd3\x7a\xef\x8c\xb7\xe3\x2f\x0f\xe1\xaf\xa4\x83\x23\x4c\x1f\xe2\x3e\x17\xd1\x0d\xa6\x6f\x10\xcb\xdd\xcb\xae\xd6\x9d\x15\xda\x66\x1f\x8a\x37\xa3\x13\x02\x8a\x1d\x42\x07\x38\x14\xcb\xa3\x51\x94\x6b\xca\xa6\x59\xbd\xf3\x2b\x85\xbc\x5f\x9d\x5b\x30\x59\x72\xbf\x89\xf3\xc9\xe4\x6c\x18\xef\xa9\x3f\xba\x33\x78\x7d\xc4\x53\xe2\x63\x3b\x82\x96\x7d\xd4\xf3\x93\x68\xd6\xb8\x0f\xc8\x1b\x3a\xda\xbe\xc5\xd3\xe8\x24\x3a\x5e\x67\xef\x5b\x57\x03\x83\x85\x0f\x7c\x1d\x36\xe8\xeb\xf0\x83\x29\x54\x14\x0e\x0a\xc7\xd0\xd1\xc0\x41\xa1\x5d\x33\xfc\x16\x25\x47\x8b\x3e\x0d\xed\x14\x10\xb9\xbf\x7c\x7d\x20\x20\xb0\x50\xba\x15\x35\x24\x13\xee\x17\xbf\x75\x56\x24\x3c\x85\x2e\xa3\xf9\xb0\x48\xc8\x15\xd1\xe9\x0d\x98\x21\x66\x78\x5d\x2f\x71\xa0\xeb\x80\x98\x48\x12\x13\xdf\x48\xa3\xaf\xa7\xf1\xd7\xd2\x99\xdf\xf5\x1b\xe8\xb3\xe9\xa7\xc2\x0a\x8c\xc1\xf4\x68\xae\x84\x28\x8b\x64\x49\x18\x33\xfc\x9d\x43\x40\xcc\xe5\x66\x8d\x57\x31\x24\x06\x4c\x6a\x8e\x99\xa4\xac\xf2\x86\x90\x3a\x4c\x58\x5c\x08\x86\xe0\x77\x81\x1c\x7d\x46\xb5\x4a\x74\x26\x90\x2a\xab\x81\x95\x21\x20\xcb\x46\x65\x54\xaa\x36\x5c\xb9\x53\xca\x36\x5b\xd2\x2c\x62\x1b\x54\xf7\x55\xb4\x60\x75\xe3\x06\x1c\xaf\x35\x6a\x0e\xab\x64\x58\x2d\x54\xd9\x93\xde\x07\xc9\x97\x2c\x89\xdd\xb4\x57\x44\x5e\xd4\x53\x58\xd0\x63\xea\x98\xc5\xbc\x0a\xf3\xbc\x06\x31\x2a\x5b\xf1\x4b\x69\xf4\x5a\x1a\xbf\x9a\xce\xbc\xe2\x37\xf3\xc7\xd3\x33\x21\x03\xa5\x55\x21\xaa\x43\x7c\xf4\x31\x6f\x53\x4b\x2d\xf3\x0e\x10\x06\xb0\x88\xf5\xc3\xfb\x96\xc0\xc2\xc9\x7a\xa9\x90\x3f\x9c\x57\x16\x44\x87\x88\xd6\xb1\x98\xc6\xce\x76\x3d\x1e\x45\x23\x0a\xb5\xad\x65\xd5\xf4\xac\x31\x76\x8d\x8c\x2f\xa9\x15\x8f\x3a\x67\xc5\xd5\xac\xb2\x64\x98\x6a\xc5\x78\x9b\x87\xaf\x16\x09\x53\x09\xf9\x1e\x61\x5c\xa8\x82\x7a\x80\x34\x45\xe1\x43\x4e\xf0\x90\xe0\xbc\x79\xe5\x8c\xc1\x87\x73\xa8\xe2\xd4\x6e\xfc\xb2\x60\xbf\xe5\x0a\xcc\xcc\x27\x1b\x75\x97\xf3\xd9\x5d\xa2\x3e\x33\xde\x87\x44\xcc\x3a\xc5\xf7\x0c\xa2\x77\x0d\xe2\x77\x0c\x66\xbe\xe3\xdb\xf6\xbe\x32\x70\x55\x72\x20\x36\xa5\xd8\x86\xa7\xac\xda\x8b\x6a\x99\x28\x1a\xad\x54\x08\x97\xa1\xc1\xbc\x20\xf6\x12\xb5\xab\xac\x2d\x62\x6b\x7a\xa9\xee\xe5\xcd\x2b\xca\xc7\xb3\x37\x18\x85\x21\x93\x8d\x53\x9d\x68\x86\x1e\x00\x5d\xce\x06\x85\x87\x85\xd7\xba\x0e\xcf\x3e\xc1\xaf\x7a\xf4\x2f\x1f\x6a\x46\x8f\x1b\xf9\x9b\x1c\xdf\xa2\x17\x7d\x59\x5e\x99\xd2\xd8\x7e\x88\xaf\x9d\x61\xe1\x30\x24\xbe\x61\x48\x19\x93\x1d\x1f\x1d\x18\xce\x31\x65\xa8\xa8\x6a\x37\xd8\x3a\x61\xea\xec\x2e\x6e\x4a\xe3\x37\xd5\x35\x9c\x80\xb5\x72\xe8\x47\x0b\xf1\xbe\x60\xd1\x2f\xe9\x98\x32\x74\x96\xda\x24\x54\xac\xa2\xa9\x8e\xa6\xea\xec\xeb\x65\xfb\x08\xe3\x29\x2f\xcf\x11\xd2\xab\xa1\xc0\x25\xbf\x8c\x7c\xf6\x1e\xab\x7e\xdc\x84\xd7\xf4\xcf\xa7\xd0\x9c\x58\x76\xcf\xa0\x69\xbe\xec\x9e\x40\xc7\xd0\xd1\x0d\x2c\x1f\xc2\xb5\x0e\x5d\x66\xa5\x4d\xe0\xf3\x68\x16\xed\x10\x6d\x4b\xf4\x5b\x2d\x33\x69\x4f\xd0\xce\x35\xfd\xba\x12\xaf\x3f\xec\xc4\xdb\x45\x9b\xa3\xe2\x7f\xb9\x33\x58\xf5\x87\x1b\x3c\x17\x9b\xed\x0f\xee\xe3\x4e\x2d\x1d\x53\x05\xc0\x13\xb1\xdf\x14\x10\xf0\x44\x04\x4f\xc4\x4d\xf6\x44\xec\x38\xed\x69\xab\x64\x4f\xf4\x37\x3c\x84\x0e\xe0\x89\xec\x3e\xdf\x5b\xf0\xfe\xb0\xbf\xa1\x5f\x68\xe7\x23\x29\xf1\x0f\x0f\xa3\x8c\xc7\xfc\x64\x42\x7f\xaa\x07\xd0\xef\xa5\x61\xfc\x2b\x83\xc1\x1a\xf4\x13\xad\x64\x7f\xba\x48\x75\xd2\x13\x59\x9f\x5e\x7f\x33\xb4\x0e\x52\xbd\x7d\x4b\x60\x3f\xa5\x78\x3a\x9b\x3c\x2f\x76\xe3\xc7\x1a\xe6\x05\xd5\x09\x1c\xe4\x09\x5e\x7e\xe0\xe5\x07\x5e\x7e\xe0\xe5\x07\x5e\x7e\xe0\xe5\x07\x5e\x7e\xe0\xe5\x07\x5e\x7e\xe0\xe5\x07\x5e\x7e\xe0\xe5\xb7\x99\x5e\x7e\x05\x34\x8e\xc7\xb2\x7b\x7d\xf2\xb0\x2b\x42\x1e\xa8\xde\x05\xe8\x00\x8e\x81\xe0\x18\x08\x8e\x81\x5b\xc8\x31\xf0\x2f\xd2\x02\x12\x3a\xe3\xba\xe1\x68\x94\xc9\xc9\x20\x9b\xfc\x38\xfe\x52\x1a\xbf\x96\x46\x77\xf9\xd7\xae\xad\x14\x32\x6f\x28\x13\x37\xba\x2c\x8b\xda\xe7\x32\x65\xe2\xce\x78\x77\x5e\x29\x4c\xcd\xcf\x7a\x9b\xc0\x36\x26\xcb\x68\x5b\xea\x7e\x0b\x3d\x2d\x90\xdc\x45\x34\xc7\x91\xdc\x59\x34\x83\x8a\x1b\x4b\xdd\xef\x7d\xe7\x9c\xe1\x24\x72\x39\xfc\xae\x11\x74\xa6\x79\x93\xaf\x79\xf4\x2a\x31\x75\x8b\x1a\xa6\xeb\x54\x0c\x8d\x38\xf8\xf3\xc3\xf8\xd7\x07\xeb\x7a\x67\xb5\xb5\x80\xed\x33\xb2\xa4\x05\x56\x52\x9b\x82\xb5\xf7\xf2\x07\x42\x23\x20\xc8\xa2\x12\x79\xdd\xd6\x08\xd8\xee\x3e\xb0\x6d\x25\xa4\xfa\xfa\xb3\xc9\xd0\x76\x12\x1f\x11\xa8\x36\xd2\xea\x71\x89\x74\xea\x07\x20\xb0\x5c\x60\xb9\xc0\x72\x81\xe5\x02\xcb\x05\x96\x0b\x2c\x17\x58\x2e\xb0\x5c\x60\xb9\xc0\x72\x81\xe5\x02\xcb\x85\xc3\x59\x01\xfd\x02\xfa\x05\xf4\x7b\x1b\xa1\xdf\x3f\xc9\xa1\x09\xc1\x21\x55\xb6\xad\x2b\x1b\xdc\x6b\x9f\xdd\x1d\xd0\x48\x09\x13\x8c\x50\xb0\xf8\xcb\x39\xfc\x63\x03\x08\xd7\x3d\x73\x6d\xa5\x90\x79\x38\x26\x6e\x7c\x6a\x7e\x76\x41\x14\x90\x7b\x94\x5d\x9e\x8a\x3e\xc6\x29\xb1\xbc\xa1\xcd\x41\xe4\xab\xe8\x39\x41\xf0\xae\xa2\xa7\x39\xc1\xbb\x84\x2e\xa0\xf3\xb1\x04\x8f\x95\x31\xa6\x96\xcb\x6c\x2c\xb8\xd4\x0e\x20\x5e\x7d\xc3\x08\xda\x2b\xeb\x7b\xab\x51\xe6\xcf\x27\x93\xbc\x13\xf8\x98\x24\x75\xf1\x5d\x14\x61\x7a\x82\xf9\x85\xea\x97\x79\x79\x67\x6c\x3f\x29\xf1\x51\xe8\xa1\xae\xca\xca\x3b\xba\xd6\x5b\x45\x15\x5d\x43\xcf\xd6\x05\x7e\xb4\xb7\xbb\x20\x16\x04\x62\xd6\x37\x18\xb3\xfe\xb5\x54\xf3\x78\xf3\x4e\x0b\x19\x4d\x04\xcb\x3f\x83\xde\x1a\x04\xcb\xb7\xfb\x25\x2d\x46\xbd\xb7\x26\xb0\xd6\x14\x49\x6b\x4b\xb3\xdc\x0f\xed\x8a\x15\x58\xf7\x79\x51\xf1\x66\x58\x48\x3d\x26\x7e\xed\x9e\x8c\x82\x18\x79\x88\x91\x87\x18\x79\x88\x91\x87\x18\x79\x88\x91\xef\xcf\x18\xf9\xc4\xb0\xf6\xce\x6f\x6a\x8a\x3f\x7a\x57\xac\x8e\x30\x92\x10\x43\x1f\x52\x1c\x44\x50\x6a\x57\xf4\x06\x08\xa8\xef\x37\x6d\x05\x02\xea\x21\xa0\x7e\x93\x03\xea\x57\x37\x6d\xb7\x9a\x1c\x7a\x2c\x82\xe4\x3b\xbf\x4c\x94\x0e\xa3\x83\x78\x7f\xb6\xe0\x1b\x50\x1e\x08\x3b\xc3\x07\x37\x76\x21\x0e\xff\xcf\x86\xd1\x29\xc1\x59\x85\x93\x5c\x80\x57\xc3\x47\xf2\x34\xf3\xf8\xe4\x8f\xe0\x4f\x0d\xe3\xcf\x0f\xa2\xd7\x89\x7f\xf9\x87\xf3\xbc\xd0\xa2\xaf\x27\x7b\xaa\x4d\x3e\x9e\x4f\xdc\xf4\xfd\x19\x1d\x79\x20\x4f\xc8\xcb\x93\xfd\x0c\xde\x9d\xb7\xe0\xdd\x79\x35\x79\x5e\x1c\xc0\x13\x72\x5e\x44\x86\x93\x9c\x02\xa2\x2e\x0d\xc7\xf5\x80\x5f\x27\xf8\x75\x82\x5f\x27\xf8\x75\x82\x5f\x27\xf8\x75\x82\x5f\x27\xf8\x75\x82\x5f\x27\xf8\x75\x82\x5f\x27\xf8\x75\x82\x5f\x27\xf8\x75\x82\x5f\x27\xf8\x75\x82\x5f\xe7\xed\xe3\xd7\xf9\xbe\x01\xf4\xb8\xf4\xeb\xac\xb1\x19\xef\xca\x62\xea\xb9\x23\xfe\x93\x34\xfe\xa3\x34\x7a\x20\x7a\x97\x0f\x17\x9b\x86\xf9\x3f\x5e\x26\xee\x54\xe4\x19\x09\x02\x21\xe0\x3f\x3e\xe0\xff\x07\x9e\x45\x43\xa2\x43\x1c\x97\xda\x6a\x99\xd4\xf7\x84\xe6\x18\xba\x6d\xb0\x69\x85\xff\xf4\x19\xfc\xbf\xed\x41\xaf\x97\x37\xfa\x9d\x31\x24\x36\x04\xb6\x54\x65\xbc\xb5\xce\xcb\xcb\x3a\xbd\x30\x3b\xc3\x0b\xc8\xbd\x91\xdd\xb8\x20\x9e\x96\xdd\xe2\x5f\xec\x71\x2a\x5b\x04\x46\x09\x8c\xb2\x08\x8c\x12\x18\x25\x30\x4a\x60\x94\x7d\xc3\x28\x8b\x3d\xc3\x28\xdb\x5e\x93\x0d\x33\xca\x22\x30\x4a\x60\x94\xc0\x28\x81\x51\x02\xa3\xec\x3e\xa3\x2c\xf6\x35\xf0\x2b\x02\xf0\xeb\x1c\xf0\x2b\xf6\x3a\xf0\x2b\x6e\x41\xe0\x57\xd2\xd1\xac\x00\x5b\x45\x74\x9a\x83\xad\x49\x74\x04\x1d\x6a\x7a\x80\x92\x07\xa1\x24\x5b\xca\xfb\x7c\xa8\x15\x98\x75\xfd\x99\x64\x0f\xb5\xa3\xf8\xb0\xf4\x50\x8b\xf2\x2e\xe9\xa2\xe6\xbf\xaf\xd1\x4d\xed\xfa\x23\xf1\x4e\x72\xdb\xf1\x36\xee\x1f\x97\xfd\xf0\xce\x46\x36\x86\xc5\x82\xa4\xa8\x21\x0c\xf6\xb0\xf8\xad\xd3\x20\x4c\x70\xab\x27\xd1\x59\x34\x53\xe7\x63\x7f\x00\x4d\xac\xbf\x03\xc0\xbb\x1e\x42\x94\x37\x18\xa2\xfc\x37\x29\x74\x46\x08\x81\x93\xe8\x38\x17\x02\x87\xd0\x86\xc6\x20\x2a\x89\x80\xe3\x69\x34\x15\x04\x1c\x6f\xb4\xac\xf3\x22\x46\x69\x06\x15\x43\x31\x4a\x1b\x2d\x2c\x49\x32\x35\x97\x1d\x16\x75\x5c\xd4\xa2\xe4\x4a\x94\x51\xf1\xa2\x2d\xf7\xb5\xd1\x46\xc9\xf4\x88\x0c\x46\x0b\x45\xf6\xd1\xa5\x90\x94\x1a\x12\xd7\xeb\xa4\x94\x7f\x73\xa7\xe4\x55\x67\xe2\x98\x01\xdc\x02\xb8\x05\x70\x0b\xe0\xb6\x7f\xc0\x2d\x68\x6b\x09\xda\x5a\xef\x90\x6d\xc8\x21\xd1\x95\x1c\x12\x60\x40\x00\x03\x02\x18\x10\xc0\x80\x00\x06\x84\xbe\x36\x20\x40\x2a\x21\x48\x25\x04\xa9\x84\x3a\x95\x4a\x08\xec\x73\x60\x9f\xeb\x57\xfb\x5c\xa9\xdc\xe6\x2c\x5a\x49\x50\x39\x17\x0f\x95\xef\xc5\xf7\x88\xd9\x1c\x48\xda\x56\x01\xf3\x06\x4d\x63\xed\xcf\x4b\xf2\x8b\x7b\xd1\xe1\x84\xfc\xcf\xc2\x3d\x3d\x26\x09\xf4\x4b\x7b\xf1\xcf\x0d\xa0\x37\x34\xe6\xe1\x12\xe0\x3b\x21\x13\xf4\xe3\xb1\x99\xa0\xbd\x18\x82\xce\xa4\x83\xfe\x27\x22\x93\xea\x3e\x9e\x49\x95\x0d\x1c\x4e\xc1\x6f\x35\xf7\x8d\xb0\x51\xac\x23\x27\x34\x49\x1e\x23\x45\x7c\xba\xe5\xc4\x37\x62\x6c\x34\x64\xbf\x49\x48\x3d\x9d\xf9\xe2\xce\xe6\x7d\x97\x9c\x1d\x7a\xa8\x59\x76\xe8\x8e\xf6\x60\x71\x09\xe9\x68\xb1\xce\xcc\xda\x81\x2e\x04\xac\x07\x46\xd8\x0d\x1a\x61\xff\x34\xd5\x1d\x21\xb3\x2c\x4c\xb4\x2a\xba\x16\x98\x68\xfb\x54\x9c\x59\x35\x17\xe5\x7e\x72\x57\x73\x71\x16\x9f\x3b\x7a\x4f\x93\xdc\xd1\x9d\x95\x60\x90\x40\x1a\x12\x48\xdf\xbe\xf0\x1f\xa8\x0f\x50\x1f\xa0\x3e\x90\x40\xba\x07\xf4\x85\xc4\x3c\xd5\xc5\x9f\xbd\xab\xb9\xca\xb0\x8e\x54\xd2\x4f\xc4\xa7\x92\xee\x98\x1a\x01\xf9\xa4\xfb\x4d\x79\x81\x7c\xd2\x90\x4f\x7a\x93\xf3\x49\xff\x93\xe6\xf9\xa4\xbb\xb1\xdd\xed\xf2\xda\x91\x94\xbb\xba\x87\x32\x4b\xff\xf1\x30\x3a\x2a\x08\xee\x22\xcf\x21\xdd\x52\x46\x69\xcd\xa6\xe6\x75\xba\xe8\xe0\x1f\x1b\xc6\x3f\x33\x88\xee\xe6\x8f\xfa\x6b\x9f\xd3\x5a\x4a\xe9\x69\x9b\x9a\x25\xba\xd8\xa6\xa4\xd2\x7b\xf8\x03\x45\xf6\x9f\x86\x9c\xd2\xf2\x4d\x90\x55\xfa\x16\xb2\x4a\xbf\x29\x79\xe6\xe4\xf1\xa8\x9c\x39\x7c\x3c\x78\xf6\x08\xd1\xf8\x90\x4f\x1a\x72\xb5\x40\x3e\x69\x70\xf9\x07\x97\x7f\x70\xf9\xef\x6b\x97\x7f\xc8\x27\x0d\xf9\xa4\xc1\xd5\x1a\x5c\xad\xc1\xd5\x1a\x5c\xad\x7b\xc2\xd5\x1a\xf2\x49\x6f\x31\xf7\x55\xc8\x27\x0d\xf9\xa4\xb7\x56\x7a\x19\xfc\xd2\x08\x3a\x23\x28\xa3\xbd\xa8\x6a\xf9\xff\x8f\xbd\x7f\x8f\x6f\xe3\x3a\xef\xfc\xf1\x17\x48\x2a\x92\x1e\x2b\x6b\xeb\xc8\x8e\x6d\x48\xb2\x61\xc8\x26\x41\x88\x04\x09\xea\x4e\x5d\x09\x52\x94\x08\xd1\x32\x43\xda\x74\x9a\xd8\x51\x86\xc0\x08\x82\x0c\x61\x90\x19\x90\x8a\xda\xcd\xbe\xd2\x66\xb3\xc9\x6e\xf7\x92\x66\xb3\xe9\xb6\xdb\xa4\xd9\xb4\x75\xe3\xd6\x89\x93\x6e\xba\x6d\xe2\xb6\x69\xbb\x4d\xe2\xad\x5b\xff\x72\x69\xda\x74\xd3\xa4\x49\x9b\xfc\xb6\x6d\x7a\x4f\xb7\x49\xb3\xed\xe6\xfb\x9a\x73\xe6\x0a\xcc\x70\x00\x68\x00\x82\xc2\xe7\x9f\x44\xe6\xcc\x1c\xcc\x9c\x33\xf3\x9c\x73\xde\xcf\xe7\x79\x1e\x93\x41\xd5\x48\x45\xd7\x87\x8e\xaa\x52\x92\x35\xf6\xd1\x04\x7b\x71\x80\xee\xd4\x9b\x99\x72\xb6\x72\x69\x2d\x1d\xad\x34\x06\x1e\x17\x15\x7d\x7e\x0e\x85\x3a\x26\xf9\x05\x8b\xb5\x37\xb3\xec\x80\x8f\xfa\xaf\x6d\x0e\xf2\xe8\x4b\xe8\x43\x47\x92\x26\x79\x7c\x32\x18\x2a\x4e\xb2\xa3\xce\x22\x8d\x06\x60\xf4\x7d\x8b\x0c\xe8\xa8\x77\x3a\x35\x04\x36\x41\x21\x41\x21\x41\x21\x41\x21\x41\x21\x41\x21\x41\x21\x41\x21\x41\x21\x41\x21\x41\x21\x41\x21\x41\x21\x41\x21\x41\x21\x41\x21\x41\x21\x6f\x1d\x0a\xf9\xf7\x43\xb4\x7f\xdd\x22\x6a\x82\x3f\xe6\xb4\x62\x59\xc9\xcb\x1a\xfb\xe4\x10\xfb\xd8\x40\x7d\x4a\xd6\x46\xf5\x8d\x4b\x73\x17\x95\x7c\x58\xa4\xf1\x3e\x7e\x41\x5d\x32\x6a\xfd\x17\x36\x07\x5d\xec\x52\x5d\xe3\xab\x83\x11\xe4\x11\x76\xa8\xc1\x0c\xbe\x56\x06\x06\x7d\x58\x80\x16\x81\x16\x81\x16\x81\x16\x81\x16\x81\x16\x81\x16\x81\x16\x81\x16\x81\x16\x81\x16\x81\x16\x81\x16\x3b\x8d\x16\x01\xfe\x00\xfe\x00\xfe\x7a\x18\xfc\xfd\xe8\x93\x94\xd4\x87\x6e\x6c\x2d\xed\xa7\x2e\xe4\xbd\xa7\xf2\x7b\x67\xdf\x78\x82\xfd\xbf\x87\x68\x6b\x4e\x51\xe5\x4b\x6b\xe9\x68\x42\x2c\x0c\x55\x63\x4a\x33\x6d\x9e\x72\x39\xf6\x54\xb1\x9c\x8f\xcd\xeb\x57\x2e\xea\x57\x26\xef\xd3\xcf\x9c\x56\x54\xd9\x29\x00\xb4\x8f\x77\x39\xa4\xcb\x80\x57\x81\x57\xa1\x06\x17\x78\x15\x78\x15\x78\x55\xef\xf0\xaa\x2e\x2a\x31\xd5\x35\xbc\x0a\xb5\x8f\xc0\xab\xc0\xab\xc0\xab\xc0\xab\x36\xa2\xf6\x51\x4f\xe3\x25\x14\x67\xe9\xe5\xe2\x2c\x99\x4d\x88\x97\xb2\x4f\x52\x46\x88\x9b\x8e\xd3\x31\x2e\x6e\x3a\x40\x69\x1a\xf3\x2d\x4f\x9e\x53\x54\x39\xb5\x96\x4e\xd9\x60\x68\xbe\xa8\x05\xcb\x99\xfc\x6b\x93\x0b\x25\xd3\x7c\xb0\x92\x69\x98\x0d\x19\xc2\xa5\x78\xdc\x10\x2b\xd9\x37\xe1\xcc\xd0\x46\xf1\xff\xbd\xcd\x06\x60\xbb\xc4\x8c\x13\x93\x9c\xac\xcb\x98\x86\x3a\x40\xbb\x04\x9c\xe2\x82\xb1\x9a\xac\xb1\xa3\xb4\xbf\x89\x5e\x46\xa2\x58\x54\xe5\x68\xb1\x2a\xc7\xd7\x22\x74\x4a\x7c\xe2\x47\xe8\x10\xff\xc4\xc7\xa8\xb9\x97\x8f\xa6\x45\xc1\x8d\x13\x34\x69\x17\xdc\x68\xba\x91\x19\x91\x6f\xfb\x24\x1d\x77\xe4\xdb\x6e\xba\x95\xd6\x2d\x4d\x45\x09\xdd\xd2\x24\x7f\x73\xc4\xb6\x34\xf7\x1b\x99\xd3\x1d\x69\xe8\x95\xcb\x4e\xab\x93\x14\x27\x08\xab\x33\x6d\x9d\xd5\x01\xfb\xd3\x9e\xc2\x1b\xa0\xad\xa0\xad\xa0\xad\xa0\xad\xbd\x43\x5b\xb1\x08\x0b\x58\x84\x75\x0f\x8e\x46\xd1\xa3\x8e\x14\x3d\x02\xf5\x07\xf5\x07\xf5\x07\xf5\x07\xf5\xef\x69\xea\x8f\xda\x77\xa8\x7d\x87\xda\x77\xed\xaa\x7d\x07\xa7\x1a\x9c\x6a\xbd\xea\x54\xcb\x16\xfc\x73\x7b\x86\x5a\x0f\xd2\x04\xc8\xa1\x02\xe2\xab\x49\x6f\x1c\xbd\x8b\xed\x14\xb6\xc1\xb6\xdb\xb4\x09\xb3\xc8\xb0\xb7\x3d\x49\x29\x77\x05\xae\xc0\xb2\x5b\x9f\x7f\x82\x7d\xfb\x21\xda\x66\x96\xdd\x8a\x3e\xb4\xbe\x42\xdd\x28\xc1\x94\xdc\xa3\x9f\x66\x94\xc8\xaa\xab\x8e\x05\x71\x3a\xc4\xe9\x10\xa7\xc3\x5d\x02\x77\x09\xdc\x25\x70\x97\x74\x8d\xbb\xa4\x7b\xbc\x01\xc0\xd4\xc0\xd4\xc0\xd4\xc0\xd4\xc0\xd4\x3d\x8d\xa9\xc1\xd1\xc0\xd1\x7a\x94\xa3\x6d\x4a\x71\xfa\x6b\xe8\x8c\x40\x7c\xc7\xe8\x08\x47\x7c\x69\x1a\xa3\x51\x5f\xb9\x28\x67\x4a\xa9\xb5\x74\xca\x51\x34\xbd\xb3\xd2\xf4\x80\xe2\xe1\x14\xff\xe2\x36\x07\xfa\xba\xc3\xd2\xa6\x9b\x94\xeb\x3e\xf1\x97\xb6\x73\x2e\x81\xa5\x4e\xd3\x49\x3a\x5e\x23\x4b\xdf\x4f\xc3\x0d\xf7\x2f\xf4\x50\x10\xa5\xb7\x28\x4a\xff\x72\x84\xa6\x84\xa8\x7c\x92\x8e\xda\xa2\xf2\x51\x6a\xe6\xfd\x13\xa1\x2b\x13\x3c\x74\xc5\x96\x94\x37\xd9\x86\xaf\x77\xe1\x84\x30\x3d\x87\xe8\x00\x37\x3d\xcd\x35\xdb\x16\x39\x7a\x90\x75\x49\x7e\x72\xc4\x61\x5d\xf6\x78\xea\xd1\x4d\x4b\x93\x10\x47\x0d\x4b\xe3\xa5\x46\x6f\x8f\xcd\x81\x14\x1d\x6c\x15\x6c\x15\x6c\x15\x6c\x15\x52\x74\x48\xd1\x21\x45\x87\x14\x1d\x8c\x1f\x8c\x1f\x8c\x1f\x8c\x1f\x8c\x1f\x52\x74\x48\xd1\x21\x45\x87\x14\x1d\x2e\x34\xb8\xd0\xba\xd0\x85\x96\x2d\x84\xab\x38\x0f\x74\x4d\x35\x21\x1e\x6f\x10\x24\x3b\x69\xf1\x3a\x50\x79\x33\x4a\xd1\x3f\xbb\x9b\xce\x0a\x29\x7a\x4e\x56\x0d\x8f\xa3\xac\xd9\x55\x12\x5d\x7f\x2e\x16\xca\xc5\x72\xc1\x5c\x9e\x09\xa1\xfa\x1b\xc7\x34\x3e\x2c\xec\x6d\xbb\xd9\xa7\xfb\xe9\x76\xe7\xf9\x97\xd6\xd2\xd1\xc3\xaa\x2c\xe5\x63\xe2\x1c\xf3\xed\xb2\x17\xde\xd3\xf6\xd9\x4b\xa2\xf5\x45\xd1\x7a\x32\xad\x5f\xe7\x38\xac\x2d\xa7\x7d\x4f\x16\x2f\x46\xb8\xc8\x3d\x5b\xa1\xc7\xc4\x6b\x7b\x91\xe6\xf9\x6b\x3b\x4b\x33\x94\xf1\x4f\xba\xe3\xec\xbe\xb5\x74\xca\xf7\x66\x03\xdf\xdf\xbd\xde\xef\xef\xcb\xd8\x40\x41\xae\xd2\xd5\x52\xf0\x2b\x3b\xc7\xce\x19\xaf\xa9\xc7\xa0\x9a\x2f\xad\xef\xfd\x39\xdf\xf6\xe8\xa7\xb6\xd7\x0f\xe9\x31\x55\xae\x94\xa4\x9c\xdc\xc2\xa8\x1e\x34\x2e\xdd\xc0\x81\xcd\xbc\x8a\x96\xe9\xd1\x1a\xff\x6d\x28\x23\x0b\xba\x08\xc7\x6e\x8b\x8e\xdd\xdf\x8a\xd0\xab\x85\x63\x77\x89\x5e\x69\x3b\x76\xdb\x6d\x72\xda\x64\xe2\x82\x2d\x59\x65\xb5\xd3\x96\x2c\xf3\xff\xdb\x51\x6f\xc9\x32\x15\x49\xad\x16\xb9\x83\x4d\x6c\xcd\x5b\x30\x69\x13\x15\x7d\x29\xb0\x41\x06\x6d\x77\x6d\x43\xa3\xfc\x6e\xf6\xeb\xff\x9c\xdc\xe3\x3c\x78\x4d\x56\x0b\xb2\xf3\xe8\xa0\xf3\xa8\xbe\xe1\xa8\xca\x85\x62\x6e\xb4\xee\x3c\x57\x2b\xfa\xbf\x6f\x18\x47\xf5\xbb\xcc\xe8\x6f\x4e\xb6\xc6\x98\x4e\xd2\xd1\x16\x56\x77\x0b\x3c\x06\x08\x26\x34\xc0\x84\x3e\xd7\x4f\xcf\xf6\xb3\x67\xfa\xa3\x4f\x5b\x50\xe1\xcd\xfd\xbd\x63\x42\x6b\x90\xaa\xde\xcf\xdc\x55\xcd\xb1\xbf\xfe\x72\xda\xc1\x80\x09\x9f\x17\x77\x98\xb3\x11\xa1\x6c\x90\x4a\xfc\xca\xb2\x52\x1e\x15\x57\xf3\x33\xb8\x5f\x46\x8b\x25\xb2\x9a\x52\x5e\x10\x51\x71\x0f\xeb\x9f\x85\xf1\xef\x25\xf3\x63\xb1\xff\x38\xec\x6f\xdb\x33\x2f\x45\xe8\xc5\x08\x7b\x21\x12\xfd\x84\xb5\x41\x7b\x7f\x64\x56\xd1\xb7\xf3\x45\x2d\x56\x50\x78\xb7\x2b\xb1\xf8\x65\xfd\x4f\xf1\xd8\x94\xeb\x29\xf8\xce\x56\x78\x77\x56\x35\xdb\x47\x3d\x2a\xe5\xf8\x83\x73\xcf\x7f\xa9\x98\x33\xb0\x8d\x5c\xca\x6b\x31\xe5\xba\xd1\xa7\xc2\x33\x5e\x91\x95\x4a\x49\x4e\xc5\xc4\x2f\xf2\x30\x46\x73\x2c\xf9\x0e\xd3\xb3\x03\xac\x9f\x8f\x6f\xe1\xb7\xe5\xd2\x17\x56\x36\x6a\x3e\xb9\xdf\x7b\x3e\xd9\xc6\x5e\xc6\xef\xba\xc3\x33\x4a\x76\x96\x66\x58\x26\x7e\xc6\xda\xee\x3d\xc4\x3f\x3a\xc3\x02\xf8\xb6\x11\x1f\xd0\x4f\x6b\xeb\xa6\xee\xdd\x7b\x28\xbb\xde\xa6\x4e\x94\xbe\x6f\x78\x67\xf7\xd2\x6e\xf6\xb5\x7e\xba\xb3\x66\xf2\x14\x95\xf1\x5b\xdd\xde\x1d\xae\xdf\xde\x89\x02\xf7\x1d\xdd\xe3\xad\x8a\x55\xd7\x38\x5f\x75\xe9\x2f\xec\x05\x9a\xa3\x73\x8d\xbe\xb0\xfc\x86\xdb\xb7\xd1\x7b\x7d\xf0\xcb\x7c\x91\xcd\x87\xf3\x32\x8b\x12\xf7\xd1\xaf\x6f\xf7\x19\xe6\x9b\xd8\xf2\x1d\xf3\xdc\xf2\x75\x7e\xb0\x33\x4f\xd2\x6b\xe8\x7b\x6a\x96\x2a\xe1\x8d\x36\x56\x2e\xd8\xfc\xb5\xb8\xf9\xfb\xdd\x48\x5b\xcd\xd0\x25\xb1\xb1\x7c\x15\x2d\xdb\x1b\xcb\x2e\xb1\x73\x7c\x1b\xd8\x98\x9d\x6b\xda\x98\xad\x63\x18\x33\x7f\xbc\xc3\xc7\xce\x85\xb1\x21\x3c\xe2\xb1\x21\xec\xac\xb9\xc3\xae\xb0\xd7\x6c\x2b\x76\x85\xd8\x15\x6e\xf0\xae\x70\x63\xd7\xd2\x81\x5b\xc3\xc6\x66\x99\x66\x66\x91\xa0\x19\xa9\x7b\xf7\x87\x5f\x4c\xd0\x11\xb1\x3f\x94\x2a\x15\x6d\x6c\x2d\x2d\x7c\xc3\x7e\x49\xa8\xf4\x29\x50\xbe\xbc\x5a\xd2\xe4\xaa\xc6\x7e\x3c\xc1\x3e\x3c\x40\x5b\xf5\x0b\x2f\xad\xa5\xa3\xd7\x0d\x0d\x5b\x39\x5f\x5c\x2b\xe6\x57\xa5\x92\x33\x24\x52\xb2\xf4\xa2\x4b\x46\x13\x4b\x72\x35\xe5\x50\x05\x4d\x5a\x7a\xa2\x21\xde\xce\x90\x1d\xaf\xe1\x12\xe0\x2b\x15\xd9\xd2\xfc\x6a\x55\x59\xca\xa7\x92\x0f\xf2\x0b\xa6\x2a\x15\xcd\x19\xf1\xe7\xf8\x9d\xf9\xa2\x56\xed\xf2\x0c\x57\xd9\xa7\x68\x41\x7c\x33\x73\x74\x8e\x7f\x33\xbc\xe4\x4d\x0b\xd3\x24\x8f\x48\x3d\xbb\x26\x97\x83\xbf\x94\x7d\xde\x5f\xca\x0e\x46\xfc\xc6\x44\xf8\xe6\x23\xc1\x5f\xcb\x08\x4b\x1a\x1f\x87\xfe\x2e\x18\x5f\x83\xa3\xff\xdd\xac\x04\xb9\xbc\x90\xcb\x2b\x8b\x78\x33\xc4\x9b\x21\xde\x0c\xf1\x66\x3d\x13\x6f\x96\xed\x9a\x70\xaa\xd0\xef\xa4\xe5\x38\x9f\x2c\xe2\x7c\x10\xe7\x83\x38\x1f\xc4\xf9\x20\xce\xa7\xf3\x71\x3e\x9b\x50\xa2\x9c\xed\xe9\xd8\x89\x2c\x62\x27\xda\x17\x3b\x91\xed\xfa\xd8\x89\x4d\x98\x7e\x8c\x7d\x64\x8c\x98\x3e\x74\xee\xb4\xf6\xec\xdd\x63\xec\xaf\x1f\xb2\xeb\xbe\x0e\xad\x9f\xc0\xde\x42\x7a\xc9\x5d\xfa\x89\x35\x35\xa7\xbb\x9c\xeb\x21\x73\x3d\x68\x17\x32\xd7\x83\x76\x81\x76\x81\x76\xf5\x10\xed\xea\xa2\xe4\x41\x5d\x43\xbb\x90\xd5\x06\xb4\x0b\xb4\x0b\xb4\x0b\xb4\x0b\x99\xeb\x91\x76\xe3\xd6\x41\x47\x5d\x9f\x76\x63\x53\x66\xae\x7f\x42\xa4\xb7\x1e\xe7\xe9\xad\xfb\x1e\xb9\xc0\x26\x68\x9c\x52\xfe\x1a\x42\x45\x95\x53\x6b\xe9\x94\xc5\x85\x1a\x4a\x5d\x7f\x21\x58\xdb\x94\x60\x83\xb5\xa5\x2a\xad\xdf\x70\x57\xaa\x0c\xc8\x83\x1f\xff\xdd\x6d\x36\xf2\x62\x56\xe2\x7a\x9b\x6e\xdd\x25\xfe\xd6\x2e\xbe\x25\x70\xd4\x19\x3a\x45\x27\x6a\xe4\xd8\x23\x94\x6c\xbc\x5f\x21\xc0\x46\x70\x4b\x8b\xc1\x2d\x5f\x8d\xd0\x49\xf1\x4d\x1f\xa6\x83\xfc\x9b\x4e\x51\x53\xef\x9e\x48\x57\x9f\xe6\xe9\xea\xad\xf8\x95\x66\xdb\x98\x16\x29\xef\x4f\xd0\xa4\x23\xe5\x7d\xb3\x8d\x74\x89\x61\xe1\x29\xf0\xc3\x17\x05\x7f\x7a\x88\x5e\x61\x62\x7b\x21\x07\xd6\xd7\x36\xc5\x9c\xac\xb1\x9f\x1f\x62\xcf\x0c\xd8\x76\x4c\x6b\x50\xf3\x2b\x2e\x0f\x49\xef\x3b\xc8\x2f\x10\x76\xd2\x68\x59\xb7\xf6\xb3\x8a\x3a\x55\x2a\x59\x7d\x18\x5e\x10\xcd\x2d\xa4\xf8\x9d\x0b\x7e\x2f\x07\xd9\x83\xb5\xef\xa5\xd1\xc9\xee\xb7\xb2\x11\xf1\x30\xb4\xbe\xf0\x7e\x40\xeb\x0b\xef\x07\xbc\x1f\xf0\x7e\xf4\x90\xf7\x03\x5a\x5f\x68\x7d\xe1\xfd\x80\xf7\x03\xde\x0f\x78\x3f\xba\xc2\xfb\x01\x25\x2e\x94\xb8\x9b\xc5\x9d\x02\x25\x6e\x3b\x94\xb8\xbf\xbe\x83\x96\x8c\x38\x7f\x03\x0a\xf1\x56\x6a\x13\xc1\xf9\x84\xfd\x97\x94\x9c\x54\xd2\x56\xb9\xb5\x92\x72\x39\x59\xd3\xf4\x1d\x85\x7c\x5d\x63\x7f\x76\x5b\xfc\x3b\x5b\xe8\x2e\x57\xa3\x56\x0a\x9d\x07\x2c\x2f\xc7\xbc\xde\xc0\x92\x68\x60\x8a\x37\xb0\xc8\x1b\x48\x9e\x10\xa7\x4c\x39\xaf\x37\x72\xe4\xd8\xa1\xfc\x7e\x57\x6f\x70\x56\x30\x77\x4f\x9a\x89\x2b\xfc\x6e\x36\xfb\x8b\x7d\xf4\x3a\xc1\x9e\xbf\x87\x1e\x77\xb0\xe7\xf5\x93\x63\x34\xf7\x23\xfe\xe9\x18\x9b\xca\xc8\xd1\xe4\x8f\x36\x9f\x56\xaa\xb9\x1f\x30\xe9\x65\x53\x69\xf0\xbc\xde\x73\x83\x67\xfa\x3e\x48\x5d\xce\x8f\x40\xf6\x0e\x6f\xd8\xfa\xde\xb0\x2c\xbc\x61\x3e\xde\xb0\xcd\x17\x7e\xc5\x7e\x61\x94\x1e\x16\x93\xc8\xe5\x92\x72\x5d\xef\x2e\x55\x29\xa5\x2c\x42\x5c\x3b\x99\x54\xd4\xa2\xa2\x16\xab\x37\x4a\xf2\x9a\x5c\x72\xb1\x43\x33\xad\x28\xfb\xfa\x08\xfb\xeb\x7e\xda\xe3\x68\x6e\xca\x6c\xcd\x9a\x45\x46\x79\x5e\x51\x37\xee\x5c\x30\x9a\x9e\xd7\x9b\x9e\x76\x36\x9d\x3c\xa6\x9f\x3e\xeb\xd1\xa0\x31\xad\xf8\x5f\xba\xb1\x19\x45\x9d\x5d\x6a\x1a\x44\xff\x7b\x0d\xf4\xf4\x7c\x5f\xb0\xad\x7c\x15\x5b\x36\x6c\xe5\x7a\xc3\x69\xd8\xcc\x75\x6e\xa5\xde\x6a\xae\x9f\xce\x34\xfa\x37\xdb\x03\x86\x7c\xdc\xcc\x31\xda\xf0\xa8\x9f\x30\xae\xe8\x82\x81\x6f\x7a\x1d\xd1\xdc\xc8\x43\x80\x01\x01\x46\xeb\xd9\x45\x9b\x5f\xaa\x85\x64\x97\xda\x69\x0c\x1b\xcc\x2e\xba\x91\x26\x31\xf9\x57\x77\x04\xd8\xbc\x7d\x46\xc1\x3a\x69\x3d\x33\x77\x5c\x9c\xd4\x0d\x56\xee\x51\x5a\xa4\x05\xa7\x95\x4b\x66\xe8\x4c\x0b\xea\x85\x19\xfe\x44\x8f\x70\x0f\xb0\x06\xe3\x16\x64\xdc\x50\x0b\xbb\x23\xb5\xb0\x51\x04\x15\x45\x50\x51\x04\xb5\x5d\x45\x50\xb3\xcf\x47\x42\xae\x04\xb9\x28\xc8\x9a\xbe\xaa\xb0\xc9\x5a\x9b\xab\x4b\xc6\xbc\x97\x1b\xdb\xd9\x56\xd1\x4d\x1b\xbb\xe2\xc8\xfc\xd5\x8e\x80\x15\xc7\xb1\xba\x0c\xe7\x0d\x6f\xb7\x26\x79\x2a\xdd\x0d\x5e\x86\x20\xb7\x79\xaf\x2d\x7e\x90\xdb\x1c\xb9\xcd\x37\x57\x6e\xf3\x90\xa9\x5e\x60\x6e\xf3\x8d\x9c\x71\xb2\xe7\xe8\x2c\x9b\x8e\x4f\x59\x48\x7b\xd0\x99\xe5\xdc\xbf\xa5\x0e\xa4\x39\xff\xc1\x27\x69\xb8\x3e\x11\x91\xcb\xc7\x29\x00\xf5\x35\xa9\xa2\xb1\x2f\x3d\xc1\xbe\xd3\x78\x7e\x22\xf1\x2c\x0f\x4b\x95\xe4\x5e\x8f\xfc\x44\x79\xeb\x70\x97\xc7\x23\x20\x53\x11\xb4\xfa\xc8\x54\x04\xad\x3e\xb4\xfa\xd0\xea\xf7\x90\x56\x1f\x99\x8a\x90\xa9\x08\x5a\x7d\x68\xf5\xa1\xd5\x87\x56\xbf\x2b\xb4\xfa\xc8\x54\x04\x69\x3d\x32\x15\x6d\x1e\x69\x7d\xab\x99\x8a\x2c\x2e\xd4\x50\xa6\xa2\x80\xe4\x42\x2d\x26\x1c\xb1\xee\xc1\x95\xda\x21\xfe\x15\xcf\x4c\x45\x36\xe7\xba\xdf\x33\x53\x51\x1b\x48\xd7\xcd\xe5\x2c\xb2\xee\x07\x8e\x15\x48\xe6\x3a\x9c\xb3\xc8\xfe\xb2\x5a\xcf\x59\x64\xb7\x71\x13\x39\x8b\xec\x46\xda\x93\xb3\xc8\xdb\x84\x04\xc5\x4d\x24\x3f\x35\x62\x9b\x98\xfb\x0c\x95\x82\x43\xf2\xa1\x5c\x76\x98\x9b\x61\x71\x5c\x98\x9b\x69\xeb\xa4\xf6\x1b\x9e\xf6\x48\xdc\x80\x58\x81\x58\x81\x58\x81\x58\x7b\x07\xb1\x62\xf9\x15\xb0\xfc\xea\x1e\x06\x0d\x79\x71\x47\xe4\xc5\x40\xfd\x40\xfd\x40\xfd\x40\xfd\x40\xfd\x3d\x8d\xfa\x11\x65\x82\x28\x13\x44\x99\xb4\x2b\xca\x04\x9e\x34\x78\xd2\x7a\xd5\x93\x96\x2d\x84\x1c\x60\x15\x44\x8f\x93\xde\xc0\x77\x17\xdb\x29\xbe\x66\xdb\xd2\x86\xeb\xac\xda\x8c\x79\x54\x7e\x69\x98\x1e\xb1\x92\x71\x29\x5a\x4e\x2a\x15\xcb\x85\xb1\xb5\x89\x15\xb9\x2a\x4d\x18\x19\xf7\x7d\x54\xea\xbc\xd7\x95\x72\x55\x2a\x55\x94\xbc\x79\xb5\xac\x6a\xec\x4f\x12\xec\x3b\x03\xb4\xcb\xd1\xe0\x25\xa3\xc1\xe8\x9b\x23\x8d\x65\xe9\x3f\x6f\xb5\xbd\xa0\xe4\xa7\xac\xb6\x43\xca\xda\x7f\x82\x5f\x30\x65\xdf\xdf\xb2\xb8\x3d\x1b\xe3\xfb\xfc\xfe\x7c\x51\xab\x76\xb9\x76\x7e\x43\x72\xf9\x37\x92\x80\xff\x6a\x21\xf8\x53\x9b\x61\x19\x3b\x65\x96\x39\x38\xc6\x37\xe7\x33\x24\x8e\x2f\x50\x0c\x22\x32\xfd\x23\x7a\x00\x99\xfe\xe1\xda\x82\x6b\x0b\xae\xad\x5e\x72\x6d\x21\xd3\x3f\x32\xfd\xc3\xa5\x00\x97\x02\x5c\x0a\x70\x29\x74\x85\x4b\x61\x13\xe2\x10\xd4\x12\x00\xa6\x45\x2d\x81\xcd\x13\xf0\xc0\x9e\x1e\xa6\x8b\x02\x5f\x6a\x55\x45\x95\x0a\x72\x6d\xe2\xe7\x75\x09\x66\x4e\xb7\xf2\xfc\xb2\x9c\x54\x91\x72\xc5\x6a\x51\xd6\xd8\xe7\x12\xec\xeb\x03\x74\xbb\x71\xc0\xca\x50\xf5\x2f\x1a\x03\x97\xd3\x4b\x73\x4b\xe2\xca\x69\xd1\xe4\x8d\x90\x98\xe5\x01\x7e\x81\xd1\x76\x5d\x59\x82\xfa\x9f\xdd\x1c\xa8\xd2\x37\x45\x6b\xe8\x0c\xd3\x44\x95\x72\x30\x85\xcc\xb0\x33\x06\x85\x74\xbf\x54\x26\xfc\xaf\xeb\x6b\x8f\xb4\xd3\x28\x49\x0a\x50\x09\x50\x09\x50\x09\x50\x09\x50\x09\x50\x09\x50\x09\x50\x09\x50\x09\x50\x09\x50\x09\x50\x09\x50\x09\x50\x09\x50\x09\x50\xd9\x5b\xa0\xf2\xed\x49\x7a\xa5\x00\x95\xf9\xa2\x96\x53\x74\xb3\xda\x14\xaa\x94\xcb\xf9\x8a\x52\x2c\x57\xb5\x52\xd1\x3a\xf4\x46\xf6\xb1\x61\xf6\xf6\x2d\xb4\xd3\x6a\xd2\xa2\x95\x1f\x31\x74\x96\x4e\x46\x59\x36\x0d\xaa\x99\x2d\xf8\xac\xd1\xe6\x92\xde\x66\x28\x98\x72\xc4\x5e\x42\xf1\x65\xa2\x31\xe1\xea\xab\x30\x7b\x6d\x38\xe4\x5a\x8e\x3b\xda\x4e\x25\x47\xf8\xcf\xcd\x98\x8f\x53\x87\x39\x5d\x77\xdc\xfd\x74\xb3\xf3\x42\x4c\xff\xa4\xdc\xd7\x45\x52\xee\x95\x60\xfc\x79\x9a\x9d\x34\xf0\x67\xed\xab\x6a\x00\x50\xd7\x28\x78\xe4\xde\x06\xd6\x04\xd6\x04\xd6\x04\xd6\x04\xd6\x04\xd6\x04\xd6\x04\xd6\x04\xd6\x04\xd6\x04\xd6\x04\xd6\x04\xd6\xec\x2c\xd6\x9c\xa4\xa3\xec\x70\xfc\xa0\x85\x35\xef\x75\xd6\x40\x72\x6d\xe2\xea\xcb\x1e\x01\x89\x02\x89\x02\x89\x02\x89\xb6\x11\x89\xfe\xe9\x30\xcd\x0a\x24\x2a\xbf\xa1\x2a\x97\xf9\x50\x35\x06\x43\x8b\xe5\x82\x2a\x6b\x9a\xcd\x41\xdf\x33\xcc\xbe\x33\x40\xcc\x6e\xc7\x02\xa1\x1f\x6c\x04\x84\xce\x89\xf6\xba\x02\x81\x8a\x9f\x3b\x6b\x3d\x49\x1d\x03\x35\x6e\x16\xf4\xb3\x05\xfa\xb9\x1c\x4c\x3f\x0f\xb0\xb4\x41\x3f\xed\xb7\xc9\xe0\x9e\x46\xcf\x83\x78\x82\x78\x82\x78\x82\x78\x82\x78\x82\x78\x82\x78\x82\x78\x82\x78\x82\x78\x82\x78\x82\x78\x82\x78\x6e\x38\xf1\x3c\x48\x13\x6c\x3c\x9e\xb2\xa8\xe5\x2e\x27\xf1\x34\xb6\x6f\x60\x9d\x60\x9d\x60\x9d\x60\x9d\x1d\x65\x9d\x6f\xdd\x4f\x27\x05\xeb\xbc\x5c\x52\xae\xeb\x93\x84\xaa\x94\x52\x16\x74\xa8\x95\x82\xea\x27\x69\xb9\x2b\xf2\x35\xc9\x42\x9c\x9f\x48\xb2\x0f\xf5\xd3\x1e\xc7\xe5\x53\xe6\xd5\x16\xec\xdc\xab\xca\x52\xbe\x66\xc7\x3c\x5b\x52\xae\x2f\xf1\xa6\x92\xc3\xfa\xe1\x59\x8f\x06\x0c\xc6\x68\x9f\x1a\x6e\xf1\xaa\xac\x4c\x59\xc1\x02\xa7\x69\x8a\xb3\xc0\xe3\x74\x8c\x8e\xf8\xd6\x0b\x73\x76\x91\xf1\x68\x29\xfb\xde\x02\x29\xe0\x5e\x6f\x0a\xf8\x32\x36\x50\x90\xab\x74\xf5\xa9\x60\x06\x78\x9e\xcd\xd6\x31\x3e\x03\x0a\xae\x37\x7c\x06\x26\x74\xdc\x6a\xf4\x87\xb6\x07\x0c\x59\x4c\x95\x2b\x25\x29\x27\xfb\x8f\xda\x88\x71\xc6\x06\x0c\x5c\xe6\x61\xba\x40\x73\x35\xe5\x0e\x5b\x1f\x39\x14\xdf\x41\xed\xc3\x16\x6b\x1f\xfe\xf7\x48\xa8\x26\xe4\x11\x51\x08\xf1\x3c\xcd\xda\x85\x10\x37\xc8\x26\x55\x56\x1b\xb6\x49\x2d\x99\xa0\x3a\x43\x96\xfc\xf8\x1d\x01\x36\x69\x97\x91\x44\x5f\x72\x9a\xa1\xfd\xe2\x8f\x1b\x61\x85\xda\x53\xfb\x10\xc6\x28\xc0\x18\xa1\xfe\x56\x47\xea\x6f\xa1\xf0\x0a\x0a\xaf\xa0\xf0\x4a\xbb\x0a\xaf\x64\x9f\x8f\x84\x5c\x7d\x62\x51\x14\x40\xbe\x40\x73\x8e\x02\xc8\x6d\xae\x68\x11\xf3\x5e\x3e\x6c\x67\x5b\x45\x37\x75\x76\x05\x91\x79\x6e\x47\xc0\x0a\x62\xb8\x22\xa9\xd5\x22\x77\xb5\x8a\x7d\xb4\xff\xf6\x26\x59\xd1\x37\xcb\x1d\x5e\x56\xec\xae\x6d\x68\x94\xdf\xc5\x7e\xfd\x9f\x93\x7b\x9c\x07\xaf\xc9\x6a\x41\x76\x1e\x1d\x74\x1e\xd5\xaa\xaa\x54\x95\x0b\xc5\xdc\x68\xdd\x79\xae\x56\xf4\x7f\xdf\x30\x8e\xea\x77\x99\xb9\x48\xf3\x94\xad\xd9\x58\x4d\xd2\xd1\x16\xde\xa0\x05\x2e\x48\xc0\x62\x26\x60\x31\xf3\x5c\x3f\x3d\xdb\xcf\x9e\xe9\x8f\x3e\x6d\xcd\x08\x6f\xee\xef\x9d\x9d\x55\x8d\x0f\x47\xef\x67\xae\x49\xe0\x7e\x46\xfd\xe5\xb4\x95\x49\x09\x9f\x17\x77\x98\x4f\x6c\x42\xc2\x22\x95\xf8\x95\xfa\x0a\x4e\x5c\xcd\xcf\xe0\xab\x29\x2d\x96\xc8\x6a\x4a\x79\x41\x48\x74\x1e\xd6\x3f\x0b\xe3\xdf\x4b\xe6\xc7\x62\xff\x71\xd8\x7f\xcb\x97\x79\x29\x42\x2f\x46\xd8\x0b\x91\xe8\x27\x2c\xcc\xf7\xfe\xc8\xac\xa2\xe6\xf8\x42\xaf\xa0\xf0\x6e\x57\x62\xf1\xcb\xfa\x9f\xe2\xb1\x29\xd7\x53\x70\x80\x2b\xd6\x64\xab\x9a\x2d\x46\x18\x95\x72\xfc\xc1\xb9\xc4\xa3\x54\xcc\x19\x73\xae\x5c\xca\x6b\x31\xe5\xba\xd1\xa7\x42\x02\x51\x91\x95\x4a\x49\x4e\xc5\xc4\x2f\x72\x4d\x95\x39\x96\x1c\xa4\x7a\x76\x80\xf5\xf3\xf1\x2d\xfc\xb6\x5c\xfa\xa0\xce\x52\x30\x7f\x2d\x5c\x45\x68\xe1\x1a\x9b\x31\x82\x67\x83\x46\xe6\x94\xec\x11\x3a\xc4\x0e\xc4\xd3\x96\x8b\xe5\x15\x4e\xc7\x8c\xdd\x7a\xbd\x6f\x26\xf4\x82\x47\xff\x7d\x98\xc6\x04\x89\x2d\x2b\xf9\xba\x74\xa1\xea\x6a\xb9\x5a\xbc\x26\xe7\x4a\x92\x53\x5e\xfa\x03\xc3\xec\x4d\xfd\xb4\x43\xbf\xc0\x9a\xe2\xee\xf7\x60\xad\x8b\xe2\xea\x69\xfd\xea\xe4\x6e\xfd\x84\x8b\x4a\xde\x4c\xd6\xe9\x3c\x18\x32\x5f\x7d\x1d\x9d\x15\x6f\xd6\x29\x3a\xc1\xdf\xac\xc3\x74\x90\x26\x7c\xdf\x2c\xfe\xe0\xe6\x2b\xe5\xbc\xad\x9b\x45\xab\x4f\x04\xbf\x52\xc7\xd8\x11\xe3\x85\x71\x74\xbf\xb1\xe6\x70\xdd\x4a\xdd\x7b\x16\xfd\xbd\x6d\x35\x43\x10\xf7\x66\xa7\xae\x51\xb8\xcf\x38\xa7\x23\x03\x91\x39\x4f\xb3\x34\x53\x33\xad\xb7\x34\x12\x98\xd0\x81\x4a\x5b\x44\xa5\xcf\x46\xc2\xb2\x06\x59\x41\x49\xf5\xe9\xca\xa2\xa4\x9d\xb7\x2c\x1c\x90\xb6\xd5\xb2\x24\xdf\x79\x47\x8d\x65\xb9\xcb\x22\xa0\x2e\x63\xb2\x57\xfc\xb9\x33\xb6\x04\xd4\x13\xd4\x13\xd4\x13\xd4\x13\xd4\x13\xd4\x13\xd4\xd3\x9b\x7a\xb6\x75\x59\x90\xf9\xee\x6d\x35\xcb\x82\xfd\x01\x58\xd3\xb5\x58\xd8\xc3\xf7\xd9\x6d\x5f\x2b\x00\x65\xf6\xda\x0a\x05\x28\x13\x28\x73\x83\x51\x66\xc7\x80\x53\x20\xc5\x6c\xeb\x0c\x90\x3d\x46\x47\xd8\xa1\xf8\x01\x0b\x5b\xde\xe3\xc4\x96\xce\x6b\x3b\x00\x2e\xbf\x9e\xa4\x73\x06\xb8\x94\xab\xd7\x15\x55\xff\x58\x6b\xf1\x65\xa3\xf1\xf2\x3f\x92\x64\xff\xbe\x9f\x98\xdd\x90\x35\xc5\x45\x3d\xb0\xa6\x21\x9c\x4f\x0e\x72\xa2\x69\x5d\xd3\xf6\xc8\x74\x01\x37\x25\x9a\x15\xef\xda\x69\x3a\xc9\xdf\xb5\x23\x74\x88\x0e\xf8\xbf\x6b\x76\xe7\x98\x6f\x9c\x19\xb7\x1d\xf4\xb2\x3d\x19\xfc\x2e\x4d\xb2\xa3\xe6\xbb\x54\x3b\x08\x41\x41\xe2\x01\xf0\x34\xfa\xbf\xb7\x79\x0e\xc8\x5e\x6f\xc8\x69\x8e\xc9\xb0\xc9\x37\x3b\x3c\x2c\x99\x39\x3a\x47\x67\x6b\xa6\xfd\xd6\xc6\x05\x33\x3e\x58\x67\x8b\xac\xf3\x83\x91\xd0\x8c\xc3\x05\x01\x3b\x67\x28\x63\xc3\xce\x5b\xcf\xd2\x54\x56\xab\x94\x7c\xdf\x1d\x9e\x96\x66\xa7\x09\x3d\xcb\x96\x75\x49\x18\xc0\xb3\xd3\xc6\x05\xec\x13\xec\x13\xec\x13\xec\x13\xec\x13\xec\xb3\x37\xd9\x67\x9b\x57\x08\x81\x68\x35\xf3\xef\x76\x78\x2e\x12\x06\x03\x10\xa8\xb9\x72\x18\x12\xf4\xb3\x83\x0b\x07\x80\xd0\x5e\x5b\xae\x00\x84\x02\x84\x6e\x30\x08\xed\x1c\x9c\x0a\x24\xa1\xed\x9d\x31\x7a\x26\xb5\x06\xfb\xc8\x30\x4d\x0b\xce\xaa\xae\x48\xb9\x94\x39\x12\xfc\xdb\xb1\x79\xab\x91\xa0\x34\x57\x5a\xd5\xaa\xba\x45\x2c\xc9\x2b\xba\x31\x2e\x17\x2c\xc6\xfa\xe7\x09\xf6\xe3\x5b\xe8\x4e\xbd\x91\x29\x67\x1b\x97\xd6\xd2\xd1\x8f\x36\x92\x95\x74\x5a\xb4\xbd\xa8\x94\xe4\x8c\x68\xbb\x2b\x12\x94\x26\xf9\xcf\x2d\xd6\x3e\xd6\x72\xba\xfe\x7e\x91\xa3\xb4\x85\x1c\xa5\x4d\x45\xf2\xf8\xbe\xa2\x66\xad\xfa\xba\x31\x71\x7e\xda\x48\x5c\x8a\xc4\xa5\x48\x5c\x8a\xc4\xa5\x48\x5c\x1a\xd4\x2d\x48\x5c\x8a\xc4\xa5\x48\x5c\x8a\xc4\xa5\x48\x5c\x8a\xc4\xa5\x48\x5c\x8a\xc4\xa5\x61\x27\x2e\x3d\x4d\x27\xd9\xf1\xf8\x31\x8b\x93\xdc\xe7\xa4\x2b\xf5\x9b\xb8\xf6\xcb\xcd\x90\x61\x14\x19\x46\x91\x61\x74\x13\x65\x18\xfd\xa1\x61\x3a\xd1\x0a\xb6\xb4\x78\xe5\xa7\x13\xec\xdf\xf8\xf1\xca\x9f\x6b\x92\x57\x76\x05\xa8\xdc\xd7\x00\xa8\xec\x7e\x42\xe9\xc7\x13\xc3\x47\x97\x26\xa1\xcc\x07\x03\xc8\x29\x76\xda\x89\x11\x9b\x87\x91\x14\xc8\x41\x81\x26\x81\x26\x81\x26\x81\x26\x81\x26\x81\x26\x81\x26\x81\x26\x81\x26\x81\x26\x81\x26\x81\x26\x81\x26\x3b\x8c\x26\x8f\xd2\x61\x76\x30\x3e\x61\xa1\xc9\xbb\x7d\xd0\x24\x98\x24\x98\x24\x98\x24\x98\xa4\x83\x49\xfe\xd4\x30\x4d\x05\x33\x49\x67\xc1\x77\x2f\x30\xf9\x87\x09\xf6\x23\x5b\xe8\x5e\x2f\x30\x29\x62\x12\x36\x25\x9d\x4c\xf8\xd1\x49\xfe\x4c\x40\x94\xeb\x22\xca\x40\x11\x65\x31\x98\x61\xce\xb2\x99\x16\xb8\x25\x6a\xbf\x83\x53\x82\x53\x82\x53\x82\x53\x82\x53\x82\x53\x82\x53\x82\x53\x82\x53\x82\x53\x82\x53\x82\x53\x82\x53\x82\x53\x82\x53\x82\x53\x6e\x42\x4e\xf9\xb5\x21\xba\x5f\x1f\x3a\x5b\x20\x69\x66\xcb\x28\x57\xd7\x94\xd2\xea\x35\x59\x63\xbf\x3a\xc4\x3e\x32\x40\x5b\x73\x8a\x2a\x5f\x5a\x4b\x47\xff\xb9\x31\xf3\x95\xf3\xc5\xb5\x62\x7e\x55\x2a\xb9\xe8\xa3\xb5\xca\x5c\xb0\xda\x59\xe6\xed\x84\x82\x1e\x53\xc9\xfb\xf9\x05\xd3\x8a\x2a\x2f\xa7\x6b\x7f\x62\xbe\xa8\x55\xbb\x9f\x19\x76\x3e\xf0\x7a\x9f\x37\x33\xdc\xc1\x88\xdf\x98\xde\xd5\x74\x75\x31\x98\x1b\x8e\xb1\x51\x83\x1b\xc6\xe3\x06\x20\xac\x1d\x02\xc4\x58\x03\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x6e\x24\x20\x04\xe6\x03\xe6\x03\xe6\xeb\x61\xcc\xf7\x27\x43\xb4\xc7\x8d\xf9\xcc\xab\x5e\xbf\xaa\x54\x25\x8d\x7d\x6a\x88\x3d\xef\x60\x7c\x37\x1a\x63\x7c\xe6\x56\xee\x95\x7a\x23\x21\x01\xbe\x11\x07\xe0\x73\xb5\x3f\x5f\xd4\xaa\xb3\x8a\x3a\x55\x2a\x59\xa9\x94\xc3\xcb\xa1\xdc\x6b\xb4\xef\x91\x60\xda\x37\xc2\x92\xb5\xb4\xcf\x35\x1e\x40\x7d\x40\x7d\x40\x7d\x40\x7d\x40\x7d\x40\x7d\x40\x7d\x40\x7d\x40\x7d\x40\x7d\x40\x7d\x40\x7d\x40\x7d\x40\x7d\x40\x7d\x40\x7d\x40\x7d\x1b\x82\xfa\x7e\xa2\x9f\xf6\x8b\xc8\x63\x29\xaf\x2f\x65\x8b\x4a\x59\x95\x0b\x45\x5e\xdb\xcb\x23\xf8\x98\x7d\xb3\x8f\xfd\x75\x1f\xed\xf5\x3c\xd9\x8a\x33\xbe\xbb\x20\x57\xdd\xb3\xb0\x78\xbe\xe4\xfe\x82\x5c\x9d\xf2\xba\xd4\x88\xe6\x9d\x5a\x98\x33\x37\x81\x21\x16\x3c\xab\x6b\x68\xb2\xae\xa1\xc9\x46\x1a\xca\x56\xe8\x31\xc1\xe7\x2e\xd2\x3c\xe7\x73\xb3\x34\x43\x99\x16\xf8\x9c\xe3\x39\xe7\x8b\x5a\x20\xa4\x63\xff\x32\x41\x43\xc6\x28\x55\x2a\x9a\x23\x3d\xa5\x52\xae\xaa\x8a\x3e\x75\xe9\x3b\x39\xfe\x9d\xb1\x2f\x0c\xb1\xdf\x1a\xa0\xad\xfa\x89\x97\xd6\xd2\xd1\x7f\xd1\x18\x9b\x9d\xb6\x5a\x5a\x34\x5a\x0a\x09\xd0\xa6\xf9\x05\x53\x95\x8a\xb6\x9c\xae\xff\x11\x50\xda\x10\x29\xed\x72\x30\xa5\x3d\xc0\xd2\x06\xa5\xd5\xdf\x0f\x33\x6c\xbb\x6e\x58\x00\x6b\x01\x6b\x01\x6b\x01\x6b\x01\x6b\x01\x6b\x01\x6b\x01\x6b\x01\x6b\x01\x6b\x01\x6b\x01\x6b\x01\x6b\x01\x6b\x01\x6b\x01\x6b\x01\x6b\x37\x04\xd6\xfe\xf2\x30\x1d\x72\xeb\x32\xad\x4a\xdf\x46\x12\x48\xfe\xef\x37\x8e\xc9\xe5\x7c\x45\x29\x96\xab\x56\x6a\xc8\x37\x0f\xb3\x2f\x39\x04\x9b\x1f\x6a\x24\x11\xe4\x59\xb3\x91\xae\x48\x03\x79\x9f\x43\xe8\x69\xb1\xc2\xbc\x75\x8f\x80\x86\x2d\x54\xd0\xbe\x10\x0c\x0c\x13\x6c\xb0\x56\xd6\x69\xf5\x39\x28\x21\x28\x21\x28\x21\x28\x21\x28\x21\x28\x21\x28\x21\x28\x21\x28\x21\x28\x21\x28\x21\x28\x21\x28\xe1\x46\x52\xc2\xc3\x74\x90\x4d\xc4\xc7\xad\xf4\x8e\x77\x39\xd3\x3b\x5a\x7b\xb7\xfa\xe4\x8e\xaf\xa3\xd7\xb2\x27\xe2\xaf\xb6\xae\x9b\x34\xee\x98\x5f\xae\x0f\x83\xbe\xc1\x8c\x69\x39\xa5\x22\x8f\xc4\xb4\xd5\xdc\x15\x7d\xd4\xf8\xca\x57\x96\xae\x09\x1a\x52\x51\x15\xde\x43\xf1\xed\x16\x8b\x40\xfa\x48\xf0\x4b\xf0\x4b\xf0\x4b\xce\x2f\x7f\x72\x98\x52\x42\xc6\xa8\x55\x15\x55\x2a\xc8\xb5\xf2\xd2\x9c\x56\xcc\xab\x45\x7d\x14\x4d\x70\xf9\x37\x09\xf6\xa6\x7e\xba\xdd\x38\xdf\x52\x98\xee\x51\x65\x29\x5f\xb3\x2f\x9e\x5e\x9a\x9b\xe1\x17\x27\x77\xeb\x47\x97\xc4\x25\x66\x9d\x18\xf3\x60\x78\xb2\x52\xce\xf5\x5e\x47\x67\x05\xd7\x3b\x45\x27\x38\xd7\x3b\x4c\x07\x69\xc2\x8f\xeb\xa5\xcc\xe7\x36\x9e\x23\x65\xdd\x56\x20\xcc\x7b\x22\x98\xd5\x1d\x63\x47\x0c\x56\xe7\xee\x5e\x53\xe6\x67\xfd\x56\x5d\x6d\x96\xab\x7b\xbd\x51\xe1\xcb\xd8\x40\x41\xae\x52\xf4\xf7\xb6\xd5\x0f\xc1\xfd\xaa\x5c\x29\x49\x39\xd9\x77\x14\xee\x33\x4e\xe8\xc8\x40\x64\xce\xd3\x2c\xcd\xb0\x81\x15\x25\x7f\x23\xca\xff\x37\x16\x49\xb6\x34\x12\x99\xf7\xf4\xd1\x7f\xe9\x63\xff\xb9\x2f\xfa\x9f\x2c\xbb\xfa\xed\xc8\xe3\xfa\x04\x65\xcc\xd9\x23\x5c\x4d\x9b\xd3\x77\xe6\xc2\x10\xba\xf6\x89\x4e\x76\xb8\x22\xc7\xcc\x04\xa9\xf9\x54\x6c\xaa\x1c\x2b\x96\x05\xa1\x51\xd4\xd8\x6a\xd9\x82\x3c\xf9\x58\x5e\xbd\xb1\xb8\x5a\x8e\xe5\x8b\xaa\xac\x7f\xfd\xb2\x45\x0e\xf4\x05\x00\x5f\x61\x19\xe8\xc4\xdc\x28\x19\x9b\xd5\xd8\xe5\x55\x95\x2f\xc6\x2b\xaa\x92\x93\x35\xbe\x14\x32\x8c\x8d\x31\x93\xa5\x62\xcb\xfc\x17\xf9\x26\x87\xaf\x5d\x26\x63\xa3\xb1\xa9\x52\x69\x92\x2f\x74\xf2\xea\x8d\x98\xba\x5a\xd6\x37\xd1\xba\xb9\x30\x57\x77\x46\x73\x72\x3e\xfe\x32\x71\x6b\x0e\xdb\x98\x79\x57\x1f\xfd\xc7\x3e\xf6\xf6\xbe\xe8\xbf\xb3\x3a\xe8\xcf\x22\x7c\x6d\xfc\xb0\x54\x96\x0a\xb2\x2a\x76\x79\x62\xe1\xa0\x69\x4a\xae\xc8\x17\x2e\xd6\x7e\x4a\xe2\x1b\x52\x45\x8d\xe9\xeb\xda\xea\x0d\x6b\x25\x77\x4d\x7a\x4a\xbf\xff\xea\x15\x59\x93\x4d\x03\xa6\x1b\x55\x93\x74\x71\xd8\xb3\x22\xc7\xb8\xe9\xe4\x7b\x27\x45\x8d\xa5\x27\x8e\xea\xe7\xaa\x52\x8e\x23\xb9\x92\x52\x2e\x08\x73\xc5\xf7\x37\xfa\x52\x54\x2a\x96\xc5\x2a\x82\xef\x1f\xec\x73\x39\xa6\x30\x80\xa1\xbe\xeb\x35\xa7\xa0\x82\x52\x92\xca\x85\x94\xa2\x16\xc6\x2a\x4f\x15\xc6\x56\xcb\xc5\x9c\x92\x97\xc7\xf6\xcd\x69\x0b\x7a\x2b\xa9\xf8\x0e\xe7\xb3\x3a\x27\x8d\x67\x23\x61\x59\x83\xac\xde\x4c\x9a\x4d\xd3\x14\x6d\x9d\x16\x2b\xf6\x5b\xce\xb2\x54\x56\xab\x94\xfc\x57\x77\xd4\x5b\x16\x26\x76\x23\x31\xc9\x61\x4c\xf6\x8a\xbf\x75\xc6\x96\x3c\x4a\x8b\xb4\xe0\xb4\x25\xc9\x0c\x9d\x69\xc1\x57\x33\xc3\xef\xf9\x11\x4e\xbc\x35\xd8\x95\x20\xbb\xf2\xb5\x3e\xfa\x6a\x1f\xfb\x72\x5f\xf4\x8b\x56\x07\x7d\xb8\xef\x51\xe7\x3a\xaa\xa8\x2f\xe7\xf9\x5a\x28\xb6\x22\x5f\x16\xde\x1e\x6b\x6b\x65\xbb\x14\x8c\xdd\x2c\xbf\x45\x87\xdd\x28\x2b\xe5\xd1\xb2\x5c\x90\x78\x47\x18\x4b\x29\xa7\x7d\x11\x90\xc5\x1a\x02\xe3\x2d\x2c\x5e\xbb\x26\xe7\x75\x0b\x56\xba\x61\xbb\x61\x6c\xf4\x5e\x2c\x8d\x18\x2b\x2c\xbe\xc6\x8c\x15\x54\x7d\x4e\xac\xc8\x6a\x51\xc9\x5b\x2b\x45\x7b\x7a\xe4\x1e\x2e\xb3\x37\x56\x35\xfd\x26\x9d\xab\x53\x49\xbf\xd2\x7c\x20\xe3\x47\x2e\x0b\xdc\x60\x36\x91\x12\xf7\x79\x4d\x96\xca\x9e\xf7\x18\x67\xfc\x16\x16\xf8\x1d\x78\xac\x1c\x33\x9f\xe9\xa3\x97\xfa\xd8\x8b\x7d\xd1\x17\xac\x6e\x7e\x6f\xdf\x8c\xc3\xc3\x5b\x29\xc9\x92\x26\x5b\x6c\x68\x41\x55\x2a\x52\x81\x0f\xc0\x82\x52\x2a\xe6\x6e\xb8\xdc\x43\xe6\xb3\xd8\x2e\x62\x7d\x94\xd2\xa9\x23\xa9\xd8\x92\x18\x10\xd1\x3b\x15\x7d\xe3\xa0\x6f\xbe\x4c\xcc\x28\xc7\x14\xb5\x72\x45\x2a\x9b\xee\x2a\x75\x55\x1e\xbb\x2c\x95\x4c\x2c\x1f\x17\x47\xe3\xb1\xcb\xc5\xb2\x54\x2a\x7e\xaf\xc9\xf7\x56\x64\x7d\x65\xca\xb7\x2a\x63\x62\x45\x9a\xb7\x99\xaf\x68\x7c\x48\xb3\x2f\x12\x20\x3c\x15\x3b\x5b\xe4\xaf\xb3\xe3\xc6\x15\xb5\xfe\xc9\xec\x6d\x5f\x55\x70\x78\xfe\xb1\x29\xd5\x2b\xa9\xf8\x1d\xe2\x7e\x66\xcc\x07\x71\xf9\xbd\x32\x6f\x1b\xa0\xb7\x0c\xb0\x1f\x18\x88\x7e\xd7\x72\x7e\xfe\x5e\xff\xe3\x06\x28\xd3\x3f\x29\x7d\xdf\x55\x90\xd4\x15\xa9\x20\xc7\x72\x4a\xa9\x24\x73\x33\x68\x7f\x17\xb2\x7a\x59\x51\xaf\xe9\x7d\xe1\x79\xa7\x8f\xd4\xfc\xb8\xff\x8d\xf2\xf7\xd9\x7c\x19\x2b\xe2\xa9\x8a\xfa\x8b\x92\x2b\xe6\x6d\xe2\xcd\xe1\x29\xf7\x3f\x58\xbd\xab\xef\xc4\x0c\xb4\x68\xe2\xd1\x94\xa3\x1b\x4d\xb0\x66\xed\xb5\x2c\x97\xa7\xfb\xc7\x52\xb1\xa9\x9c\xbe\x2d\xe3\x93\xad\xd3\x38\x0c\x89\x67\x18\x8a\x8d\x1a\x03\xef\x7e\x31\xb4\xe3\xb1\xa1\x8c\x94\x7b\x4a\x9f\x67\xca\x79\xfd\x2c\xee\x6b\xe4\x27\xd5\x74\x9c\xa0\xd9\xc6\xab\xef\x6e\xc4\x7c\x82\x15\xab\xa5\xe3\xb1\xa1\x59\x45\x95\x1d\xcd\xc6\x72\x92\x96\x93\xf2\xfa\xd3\x1b\xfd\x23\xbc\xcb\xbc\x3d\x4d\x58\xaf\xba\x06\x2f\x5b\x6d\xa4\xe2\x3b\x2b\xb5\xef\x8d\x73\x11\xf0\x81\xd0\x16\x01\x17\xf4\x66\x26\xd8\x0c\x65\x68\x9b\xe8\xd4\x36\xae\x02\x62\xde\xf3\xf4\x76\xb6\x55\x74\x0c\xb5\x77\x9d\x90\xf9\xee\x6d\xf5\x0b\x81\x44\x45\x52\xab\x45\xee\xad\x14\x1b\x51\xdf\xbd\xc6\x9e\x8a\xbe\xd9\x6c\xfb\xea\x60\x77\x6d\x43\xa3\xfc\x77\xf7\xf3\xa0\xc2\x3d\xce\x83\xd7\x64\xb5\x20\x3b\x8f\x0e\x3a\x8f\xf2\xb0\x47\xb9\x50\xcc\x8d\xd6\x9d\xe7\x6a\x45\xff\xf7\x0d\xe3\xa8\x7e\x97\x99\x8b\x34\x4f\xd9\x9a\x5d\xce\x24\x1d\x6d\x61\x6d\xb2\xc0\x9d\xf8\x58\x93\x04\xac\x49\x9e\xeb\xa7\x67\xfb\xd9\x33\xfd\xd1\xa7\x2d\xc3\xfe\xe6\xfe\xde\xd9\xeb\xd4\xf8\x3d\xf4\x7e\xe6\x7e\x7c\xee\x9b\xd3\x5f\x4e\x5b\xcd\x93\xf0\x79\x71\x87\xf9\xfc\x24\x64\x1f\x52\x89\x5f\xa9\x2f\xc4\xc4\xd5\xfc\x0c\xbe\x28\xd2\x62\x89\xac\xa6\x94\x17\x84\xac\xe5\x61\xfd\xb3\x30\xfe\xbd\x64\x7e\x2c\xf6\x1f\x87\xfd\x37\x61\x99\x97\x22\xf4\x62\x84\xbd\x10\x89\x7e\xc2\x02\x63\xef\x8f\xcc\x2a\x6a\x8e\xaf\xd7\x0a\x0a\xef\x76\x25\x16\xbf\xac\xff\x29\x1e\x9b\x72\x3d\x05\x47\x9e\x62\x69\xb5\xaa\xd9\x0e\xfc\x51\x29\xc7\x1f\x9c\xcb\x22\x4a\xc5\x9c\x31\x75\xca\xa5\xbc\x16\x53\xae\x1b\x7d\x2a\x64\x03\x15\x59\xa9\x94\xe4\x54\x4c\xfc\x22\xd7\x21\x99\x63\xc9\xd1\xa3\x67\x07\x58\x3f\x1f\xdf\xc2\x6f\xcb\xa5\xa9\xe9\x18\x62\xf2\xd7\x8b\x55\x84\x5e\xac\xad\x33\xc0\xfa\x8e\x0b\xeb\xc2\xf6\x57\xa5\x62\xef\x1c\xa6\xe3\xeb\x62\x4a\xa1\xbd\x14\x05\x6f\xa4\x6a\x55\xca\x5d\xb9\x26\x3b\xc4\x96\xbf\x93\x60\xff\x7a\x4b\xfd\x6c\xf6\x0b\x8d\x88\x2e\x45\x5d\x94\x29\xab\xd1\xae\xd0\x5e\xee\xbb\x5e\x3f\xbb\xd6\xde\x28\x04\x98\x2d\x08\x30\x73\xc1\x1f\xd4\x19\x76\x4a\x7c\x3a\xb5\x1d\x5e\xff\x05\x79\x7f\x78\x10\x66\x42\x98\x09\x61\x26\x84\x99\x10\x66\x42\x98\x09\x61\x26\x84\x99\x10\x66\x42\x98\x09\x61\x26\x84\x99\x10\x66\x76\x58\x98\x79\x92\x8e\xb3\x63\xf1\x23\x16\xdf\xd8\xe3\xe4\x1b\xb5\xbb\x3b\x14\xdf\x86\x7a\x12\xea\x49\xa8\x27\x1d\xea\xc9\xff\xf4\x24\x25\x04\x96\x2c\x2b\xf9\x3a\x26\xa9\xae\x96\xf5\xe7\xcd\x95\x24\x4d\x93\x35\xf6\x27\x4f\xb0\x1f\x19\xa4\x1d\xfa\x99\x16\x80\x4c\x8a\xa5\xa5\x6a\x4c\x8a\xa6\xd5\x34\xd1\xe3\xa2\x68\x61\x5a\x6f\x21\xb9\x5b\x3f\xf7\xa2\x92\x37\x71\x9f\xf3\x60\x97\xa3\xbe\x0c\x80\x17\x80\x57\x06\xc0\x0b\xc0\x0b\xc0\x0b\xc0\xab\x67\x80\x57\xa6\x6b\x80\x57\xe8\x77\xd2\x32\xf0\xca\x00\x78\x01\x78\x01\x78\x01\x78\x01\x78\x75\x1e\x78\x65\x7a\x1a\x30\x65\x00\x98\xda\x07\x98\x32\xdd\x0e\x98\x32\x9b\x10\x30\x65\xf3\x34\x27\x24\x52\x19\x3a\xc3\x25\x52\x93\x74\x94\x0e\xfb\x0a\x0d\x39\x85\x32\x55\x86\x4e\x3e\xd4\x48\x49\x93\xab\xf7\x79\x6b\xa3\xb6\xb2\x2d\xa2\x98\x45\x53\x5a\x43\x07\x10\x33\x6b\x0f\x3b\xee\xa7\x5e\x29\x15\xff\xe1\xed\x35\x6c\xec\x2e\x31\x1b\xc5\x24\x37\x06\xdb\x2b\xfe\xdc\x6e\x10\xd6\x5a\x08\xab\xef\x00\x40\xd6\x8d\x10\xd6\x16\x43\x58\xff\x21\xd2\x4a\xd8\x89\xef\x9b\xe8\x6b\x06\x9a\xd3\x34\xfb\xb7\xdf\x7c\xa0\xac\x6f\x5b\x2d\xc5\xc3\x36\x6b\x79\xd6\xb1\x7b\x15\x45\xab\x52\xf2\xcb\x23\x35\x96\xe9\x01\x23\xd0\xc9\x11\x35\xa6\x5c\x76\x5b\xa9\x21\x71\x8a\xc3\x4a\x4d\x5b\x27\xb7\xd1\x5e\xb5\x27\x4c\x16\xe0\x16\xe0\x16\xe0\x16\xe0\xb6\x77\xc0\x2d\x56\x6b\x01\xab\xb5\xee\x21\xdb\x48\x51\xd0\x91\x14\x05\x70\x20\xc0\x81\x00\x07\x02\x1c\x08\x70\x20\xf4\xb4\x03\x01\x99\x6a\x90\xa9\x06\x99\x6a\xda\x95\xa9\x06\xfe\x39\xf8\xe7\x7a\xd5\x3f\x97\x2d\xf8\x93\xe9\x79\x41\xa6\xcf\xd2\x34\x27\xd3\x27\xe9\x38\x1d\x6b\x81\x6a\x2e\x55\xa5\xea\xaa\x05\x95\x93\xde\xd8\x77\x17\xdb\x29\xbe\x66\xdb\xd2\xb6\xd9\xf5\xd5\x86\x74\x19\x49\x5a\x12\xba\x74\x75\x45\xca\xa5\xcc\x9e\xe4\x43\x67\xab\xd4\xd7\x2f\x58\xa6\x2a\x25\x79\x45\xdf\xd7\x96\x0b\x56\x1a\x8d\x5f\x1a\x66\xef\xdc\x42\x77\xea\x8d\x4e\x39\xdb\xbc\xb4\x96\x8e\xfe\x5c\x23\xb9\x34\x16\x95\x92\x9c\x11\x8d\x76\x45\x1a\x8d\x51\xfe\x73\x8b\xb5\xcf\xe3\xac\x67\xe6\xb8\xe5\x2e\x57\xd9\x77\x67\x42\x8d\x7c\xf0\xa7\x33\xc5\x4e\x1b\x9f\x8e\xef\xeb\x6a\x7e\x48\xf6\x60\xa0\xd4\x19\x02\x0c\x90\x51\x03\x7e\x2a\xf8\xa9\xe0\xa7\xea\x55\x3f\x15\x32\x6a\x20\xa3\x06\xfc\x03\xf0\x0f\xc0\x3f\x00\xff\x40\x57\xf8\x07\xb2\x47\xe9\x30\x3b\x18\x9f\xb0\x32\x6a\xdc\xed\xcc\xa8\xe1\xd8\xbd\xa1\xd8\xd9\x66\xa7\xb5\x48\xd7\x81\x74\x1d\x9b\x2b\x9a\x82\x7d\x65\x88\xa2\xfa\xd0\xd9\xec\xb3\xa2\xe4\xab\xf2\xb5\x0a\xdf\xe7\xb0\x5f\x1b\x62\x3f\x3f\x40\x5b\x73\x8a\x2a\x5f\x5a\x4b\x47\xaf\x1b\xd3\x6a\x39\x5f\x5c\x2b\xe6\x57\xa5\x92\x0b\x6d\x5a\x4b\xd8\x05\x25\xff\xa8\xd1\x44\x28\x48\x33\x95\x4c\xf2\x0b\xa6\x15\x55\x5e\x4e\x3b\x5a\x9f\x2f\x6a\xd5\x59\x45\x9d\x2a\x95\x2c\x38\xd9\xed\x79\x3f\x36\x84\x48\x3e\x1c\x0c\x1c\x93\x2c\x21\x78\xa2\xa3\x7b\x5d\x3c\xd1\xc0\x91\xf1\x38\x5d\xdd\xe7\x0d\x38\x77\x30\xe2\xcf\xc9\x43\x63\x80\x1f\x81\x1f\x81\x1f\x81\x1f\x81\x1f\x81\x1f\x81\x1f\x81\x1f\x81\x1f\x81\x1f\x81\x1f\x81\x1f\x81\x1f\x3b\x8c\x1f\x81\xf8\x80\xf8\x80\xf8\x7a\x18\xf1\xfd\x40\x3f\xc5\x84\xf2\x51\xd2\x37\x5d\x85\x22\xaf\xeb\xe8\x96\x3d\xb2\x2f\xf5\xb1\xff\xd5\x47\xac\xe6\x8c\x4b\x6b\xe9\xe8\xdd\x05\xb9\xea\x9e\x6f\xc5\x93\x24\x63\x05\xb9\x3a\xe5\x3e\x7f\x39\x3d\xb5\x30\x67\xee\xf1\x42\x0c\xe4\xaf\x6b\x68\xb2\xae\xa1\xc9\x46\x1a\xca\x56\xe8\x31\x01\xdf\x2e\xd2\x3c\x87\x6f\xb3\x34\x43\x99\x16\xe0\x9b\xe3\x39\x1b\x49\x24\xc3\x7e\xb0\x9f\xf6\x19\x83\xe0\xad\x3c\x15\xf9\x91\xd9\x1f\xf7\xb1\xaf\xf4\xd1\x5d\x52\x8d\x94\x54\x24\x59\xf0\x1d\x8a\x7d\xfa\x50\xb8\xd5\x9a\xfc\x8a\xae\x1f\x0d\x5f\x79\x73\x7b\x86\xc9\x1c\x8d\x7f\x4c\xd2\x79\x23\x49\xb5\x5c\xbd\xae\xa8\x4f\xe9\x1b\x18\xfb\x6b\xf0\x91\xff\x1a\xe7\xf2\x20\x87\xa2\x6c\x29\x80\x9f\x4b\xb2\x77\xf4\xd3\xcb\xed\x96\xf4\xaf\x26\xa6\xca\x52\xbe\x06\xd4\x5c\x14\x67\x88\x10\x87\xe4\x90\x7e\xc6\x45\xeb\x22\xa7\xbe\xd6\x75\x62\xb8\xe9\x30\xb2\x2b\x74\x4e\x74\xed\x19\x3a\xc5\xbb\xf6\x28\x1d\xa6\x83\xfe\x79\x48\xec\xfe\x59\x4b\xa7\x5c\x37\x16\x48\x9d\xfd\x8b\xea\x17\xe4\x2a\x5d\x7d\x6d\x30\x94\x3e\xce\x8e\x09\x28\xed\xfe\x61\x0f\x2c\x5d\x37\x8e\x14\xfd\x8b\x6d\xb5\x83\xb2\x4f\x95\x2b\x25\x29\x57\x5b\xa0\xd7\x3d\x2e\x49\xe3\xa4\x8e\x0f\x4d\x26\x4b\xe7\x69\xb6\x26\xb3\x52\x8b\x63\x83\x68\x7d\xe4\x56\x6a\x31\xb7\xd2\x87\x22\xe1\x59\x88\x79\x91\xf7\xe8\x2c\x4d\xdb\x79\x8f\x36\xc2\xde\x54\x56\x1b\xb6\x37\xbe\xf6\x24\xc8\x10\x25\x7f\xf2\x8e\x5a\x7b\xf3\x0a\x23\xa6\x4e\xaa\x31\x31\xc3\x46\x26\xa4\x8e\x5b\x98\xf6\xe4\x42\x82\xad\x09\xb0\x35\xc8\xc7\xd1\x91\x7c\x1c\x08\xc4\x46\x20\x36\x02\xb1\xdb\x15\x88\x9d\x7d\x3e\x12\x6e\xd0\x29\x2d\x8a\x14\x8e\x17\x68\xce\x91\xc2\xf1\x26\xdb\x0c\x5a\x23\xc4\xbc\xd7\x08\xdb\xd9\x56\xd1\x4d\x6d\xdf\x96\x64\x7e\x68\x47\xed\x32\x61\xa4\x22\xa9\xd5\x22\x77\xc2\x0b\xf2\xb3\xee\xfe\x24\xc1\xcb\xdc\x77\x74\xed\xb0\xbb\xb6\xa1\x51\x7e\x0f\xfb\xf9\xde\x7f\x8f\xf3\xe0\x35\x59\x2d\xc8\xce\xa3\x83\xce\xa3\x1c\x13\xc9\x85\x62\x6e\xb4\xee\x3c\x57\x2b\xfa\xbf\x6f\x18\x47\xf5\xbb\xcc\x5c\xa4\x79\xca\xd6\xec\x8c\x26\xe9\x68\x0b\xaf\xc9\x02\xd7\xaa\x60\xc5\x12\xb0\x62\x79\xae\x9f\x9e\xed\x67\xcf\xf4\x47\x9f\xb6\xcc\xfe\x9b\xfb\x7b\x67\x77\x54\xe3\xde\xd3\xfb\x99\xcb\x55\xb8\x0b\x5a\x7f\x39\x6d\xd1\x5a\xc2\xe7\xc5\x1d\xe6\xb3\x97\x50\x37\x49\x25\x7e\xa5\xbe\x4c\x13\x57\xf3\x33\xf8\x92\x49\x8b\x25\xb2\x9a\x52\x5e\x10\xea\xad\x87\xf5\xcf\xc2\xf8\xf7\x92\xf9\xb1\xd8\x7f\x1c\xf6\xdf\xb6\x65\x5e\x8a\xd0\x8b\x11\xf6\x42\x24\xfa\x09\x8b\x4c\xbf\x3f\x32\xab\xa8\x39\xbe\x9a\x2b\x28\xbc\xdb\x95\x58\xfc\xb2\xfe\xa7\x78\x6c\xca\xf5\x14\xdc\xe7\x20\x16\x5e\xab\x9a\xad\x53\x19\x95\x72\xfc\xc1\xb9\xfa\xa7\x54\xcc\x19\x13\xab\x5c\xca\x6b\x31\xe5\xba\xd1\xa7\x42\x1d\x53\x91\x95\x4a\x49\x4e\xc5\xc4\x2f\x72\xb9\x9d\x39\x96\x9c\xfd\x7b\x76\x80\xf5\xf3\xf1\x2d\xfc\xb6\x5c\xd2\xb1\x0e\x82\xaa\x36\xef\x0c\xd7\x09\x08\xe7\xfd\x40\xd9\x49\x3a\xca\x0e\xc7\x0f\x5a\x42\xff\x7b\x9d\x21\x02\xae\x86\x6f\x85\x20\x01\xf6\xaf\x86\x69\xd6\x1f\xbf\x0a\x12\xbe\x6e\x22\x86\x62\xb9\xa0\xca\xbc\x82\xe0\xf3\x09\xf6\xdb\x03\xc4\x5c\x13\xaa\x80\xe5\x5a\x63\x5a\xe5\x39\xd1\x54\x48\x3a\xe5\xfd\xd7\x6b\x27\x67\x7e\x33\xf6\x0c\x6d\xfc\xdc\x7c\x51\xab\x42\xa8\x5c\xff\x25\x36\xa2\x2c\xbe\xfa\x64\xf0\xe7\x3a\xc9\x8e\x06\x7c\xae\xc6\x40\x78\xa4\x1e\x81\x70\x19\xc2\x65\x08\x97\x21\x5c\x86\x70\x19\xc2\x65\x08\x97\x21\x5c\x86\x70\x19\xc2\x65\x08\x97\x21\x5c\x86\x70\xb9\xb3\xc2\xe5\xcd\x07\x36\x20\x8d\x86\x34\x1a\xd2\xe8\x4d\x24\x8d\x7e\xdb\x93\x94\x30\xb3\x1f\xf8\xa0\x46\xb9\x9c\xaf\x28\xc5\x72\x55\x63\x5f\x7c\x82\x7d\xe7\x21\x3b\x17\xc2\x90\x58\x78\xaa\xc6\x94\x69\xda\x54\x33\xad\xeb\x59\xf3\xba\xe4\x5e\xfd\x44\x91\xba\xc0\xe6\x80\xd6\xe1\x2e\xa7\x80\x19\xd0\x30\xd0\x30\x54\xbb\x03\x0d\x03\x0d\x03\x0d\xeb\x1d\x1a\xd6\x45\xc5\xdc\xba\x86\x86\xa1\xca\x18\x68\x18\x68\x18\x68\x18\x68\xd8\x46\x54\x19\xeb\x69\xb4\x84\x32\x48\xbd\x5c\x06\x29\xb3\x09\xd1\x52\xf6\x09\x9a\x12\xea\xa9\x49\x3a\xca\xd5\x53\x13\x34\x4e\x29\x5f\xf9\x62\x4e\x51\xe5\xd4\x5a\x3a\x65\x71\xa1\x46\xa2\xca\xd7\x29\xd3\x2f\x94\x52\x17\x82\x95\x52\x09\x36\x68\x67\x76\x14\xd2\x28\xeb\x1e\x5c\x2a\xc6\xf8\x97\xb7\xd9\xf0\xeb\x0e\x31\xdf\x38\x28\xd7\xfd\xe2\x2f\xed\xe7\x5c\x02\x4b\x9d\xa1\x53\x74\xa2\x46\x11\x3e\x42\xc9\xc6\xfb\x17\x1a\x70\x44\xc8\xb6\x18\x21\xfb\xd5\x08\x4d\x8b\xd0\x95\x13\x34\xe9\x08\x5d\x49\x51\x53\x6f\xa0\x7f\xf2\x83\x93\xc2\x72\x1c\xa6\x83\xdc\x72\x34\xdb\x6e\x46\x44\xdd\x1e\xa7\x63\x76\xd4\x6d\x93\x6d\x04\x1b\x98\x8a\x12\xb6\x81\x49\x7e\x6a\xc4\x36\x30\xf7\x19\x51\x50\x8e\x90\x32\xe5\xb2\xc3\xdc\x18\x21\xb4\xc2\xdc\x4c\x5b\x27\xb5\xdf\xf0\xb4\x27\x84\x16\x80\x15\x80\x15\x80\x15\x80\xb5\x77\x00\x2b\x96\x5f\x01\xcb\xaf\xee\x21\xd0\x48\x5f\xd0\x91\xf4\x05\x00\xfd\x00\xfd\x00\xfd\x00\xfd\x00\xfd\x3d\x0d\xfa\x91\xc5\x06\x59\x6c\x90\xc5\xa6\x5d\x59\x6c\xe0\x47\x83\x1f\xad\x57\xfd\x68\xd9\x42\xc8\x09\x9c\x82\xdc\x53\x49\x6f\x7a\xbc\x8b\xed\x14\x5f\xb3\x6d\x69\x1b\x25\xc9\xde\x05\xc9\x6a\xa9\xf2\x26\x0c\x1d\x61\x1f\x4f\xd0\x88\xbb\x10\x9f\x8f\x20\x5d\x93\x73\xaa\x5c\xd5\xd8\xbf\x4f\xb0\xf7\x3a\x4a\xf3\xa9\x8d\xa5\xbb\x58\xe2\x57\x87\x94\xed\xe2\x7e\x47\x55\x3e\x9b\xbc\x8b\x9f\x40\x86\x8b\x9b\xc8\x70\x71\x3e\xf8\x63\x78\x88\xed\xab\xfd\x00\x44\xc7\xbb\x7c\x2a\x48\x66\x01\xf9\x3e\x92\x59\xc0\xbb\x04\xef\x12\xbc\x4b\x3d\xe4\x5d\x42\x32\x0b\x24\xb3\x00\xd5\x07\xd5\x07\xd5\x07\xd5\xef\x0a\xaa\xbf\x09\x89\x04\x92\x59\x80\x94\x22\x99\xc5\xe6\x89\x38\x60\x7f\x7a\x2f\x9d\x34\xeb\xfc\x55\xb4\x75\x52\x5a\xe4\xe5\x4a\x49\xb9\xa1\x4f\xee\x66\x0d\xb3\x31\x2d\x27\x95\x64\xf6\xd3\xf7\xb2\x7f\xe8\xa3\xad\xfa\xe5\x97\xd6\xd2\xd1\x41\x5e\xc3\x8c\x1f\x32\xfb\xd8\x9e\xd2\x67\xac\x46\x92\xfb\xf4\xf3\xa6\x2a\x15\xcd\x49\x01\xed\xe3\x4b\x7a\x03\x21\x57\x31\x7b\x8d\xbf\x78\xfa\x8c\x40\x7a\xc7\xe8\x08\x47\x7a\x69\x1a\xa3\x51\x5f\xe1\xb3\xb4\x5a\x55\xf4\x07\x34\xd2\x46\xf3\x5b\x35\x49\xdd\x42\x30\x84\x1b\x65\xfb\x0d\x08\xe7\x68\xc8\xa4\x71\x7a\x5b\xee\x3c\xd0\xeb\x17\x44\x8b\x7e\x72\x9b\xdd\xf7\xc3\x66\xa9\xb2\xe0\xee\x1f\x34\x4e\xed\xe8\x08\x64\xa6\x69\x8a\x4e\xd7\x04\x60\x34\xdb\xd3\x10\x01\x22\x06\xa3\xc5\x18\x8c\xf7\x45\xe8\xac\x08\x73\x38\x45\x27\xec\x30\x87\xe6\xbf\xf6\x0e\x18\x92\x80\xba\x64\xa1\xdb\x99\xcc\xb7\x6f\xb3\x0d\xc9\x44\x5d\x71\x91\x60\x8b\xf2\x20\x4f\x4b\xdf\x31\x7b\x82\xf2\x22\xbd\x66\xd6\x50\x5e\x04\xe5\x45\x36\xb8\xbc\xc8\x6b\x6e\xde\xbe\x07\xfa\x7a\xc3\x5f\x41\x06\x56\x12\x99\xa0\x71\x96\x8a\x8f\x58\x9c\x61\xa7\xb3\x92\x08\x6f\xf0\x96\xa8\x20\xf2\x97\x83\x74\xb7\xd8\xeb\xac\x70\xad\xc4\x5a\x7a\x2c\xa7\x2a\xe5\xab\xca\x8a\xc6\x3e\x3b\xc8\x3e\xd9\x4f\xdb\xf8\x01\x7d\x06\x7c\x68\xfd\x44\x7d\xd3\xaa\x52\xce\x2a\x2b\xc9\xb8\x7e\x5a\x46\x3f\x65\x39\x6d\xfc\x6d\x56\x51\xa7\x4a\x25\x6b\x06\xec\xf6\x5c\x7d\xcd\xbe\xd3\xbc\x87\xf4\xb7\xd9\x78\xdc\x86\x42\xce\xe7\x83\xdf\xe9\x61\x36\x64\xbc\xd3\xfc\x17\x8c\xb7\xd9\xf8\x11\xf7\xfb\x1c\x10\xc0\x0e\xf9\x02\xe4\x0b\x90\x2f\x40\xbe\x00\xf9\x02\xe4\x0b\x90\x2f\x40\xbe\x00\xf9\x02\xe4\x0b\x90\x2f\x40\xbe\x00\xf9\x42\x87\xe5\x0b\x10\x17\x40\x5c\x00\x71\x41\x0f\x8b\x0b\xfe\xf5\x6e\x9a\x0e\xa8\x94\xa1\xca\x16\xb3\xd2\x8d\xb5\xaa\xe8\xa6\xd2\x56\x18\xf0\x90\x31\xf6\x6b\x51\xf6\x5f\xfb\xed\xa8\xa5\x09\x21\x31\xe0\xc7\xea\x5d\x52\x8b\x76\x8b\xd3\x56\x8b\xc9\x31\xfd\x9a\xda\xa0\x23\xcf\x53\x45\x98\x5a\xc8\xd2\x83\x3c\xcd\x09\xc8\x96\xa1\x33\x1c\xb2\x4d\xd2\x51\x3a\x1c\x98\x5a\xcd\xf3\x06\x03\x69\xdb\xe3\xc1\xb4\xed\x20\x9b\xa8\x0d\x04\xf2\xfe\xad\x66\xa4\x08\x6f\xda\x6e\x8f\xd1\x21\x4b\x8a\xd0\xd4\x30\x4d\x18\x97\x6d\xd8\x48\x65\xe6\x29\x4b\xe7\x6b\xdc\x7a\x2d\x0f\x15\x9c\x7a\xd0\x2a\xb4\xa8\x55\xf8\x48\x24\x4c\x93\x71\x51\xc8\x1e\xce\xd1\x59\x5b\xf6\x70\x8b\x99\xa0\xca\x6a\x95\x32\xef\xdd\x61\x9b\xa0\x53\xf5\x22\x86\xa6\x6c\xd1\x78\xc5\x2b\x50\xb5\x23\x96\x08\xe2\x86\x5e\xb3\x83\x10\x37\x40\xdc\xb0\xc1\xe2\x86\x8e\xae\x51\x83\x34\x09\x0d\xce\x20\xeb\xa5\x76\xf0\xbe\xb1\x6c\x86\xce\xb0\x53\xf1\x13\x96\x70\xe1\x01\xa7\xd8\xc1\xf3\x9a\x5b\x42\xfc\xf0\xf4\x93\x34\xde\xac\xd0\x9b\xfd\xcd\x13\xec\x4d\x83\xb6\x2c\x30\xb1\xbe\x28\xc2\x21\x06\xbc\x4f\x3f\xd3\x5f\x0b\xd8\xe5\x9a\x08\xd4\x2f\x84\x82\x00\xf5\x0b\xa1\x20\x80\x82\x00\x0a\x82\x1e\x52\x10\x74\x51\xf6\xe8\xae\x51\x10\x20\xad\x31\x14\x04\x50\x10\x40\x41\x00\x05\x01\xea\x17\x22\xef\xea\xad\xe3\xf0\xef\xfa\xbc\xab\x9b\xb2\x7e\xe1\x93\xfe\x81\xb1\x19\xc1\x16\x8f\xd3\x31\xce\x16\x0f\x50\x9a\xc6\xfc\x03\xa7\x2a\x15\x4d\xd4\xbb\x32\x89\xd1\x7c\x51\xab\x36\x5a\xc0\xf0\x62\x30\x3a\xdc\xcf\x86\xcd\x08\xaa\x4a\x45\x33\x80\xa1\xfd\x6b\xee\x1a\x86\x7f\xea\x08\xb1\xdf\x65\xd4\x30\x94\x9c\xb4\xcb\x98\x88\x3a\xc0\xbb\x04\x9e\xe2\x19\x47\x6b\xbc\x33\xa3\xb4\xbf\x89\xee\x84\x43\x06\x8e\xe9\x16\x1d\xd3\x5f\x8b\xd0\x29\xf1\x2d\x1f\xa1\x43\xfc\x5b\x1e\xa3\xe6\x5e\x3e\x51\x08\x31\xcd\x0b\x21\x5a\xde\xe8\xa6\x1b\x99\x11\xd5\x14\x4f\xd2\x71\x47\x35\xc5\xa6\x5b\x69\xbd\x58\xaa\xa8\x65\x18\xb2\xad\x49\xfe\xd6\x88\x6d\x6b\xee\xf7\x2c\x67\xe8\xb0\x3b\x49\x71\x82\xb0\x3b\x5e\xf5\x0c\xdb\x66\x81\x50\xd0\x10\xc4\x15\xc4\x15\xc4\x15\xc4\x15\x05\x0d\x51\xd0\x10\x05\x0d\x51\xd0\x10\xe4\x1f\xe4\x1f\xe4\x1f\xe4\x1f\xe4\x3f\x14\xf2\x8f\x82\x86\x28\x68\x88\x82\x86\x28\x68\x08\xc7\x1a\x1c\x6b\xa1\x17\x34\xf4\x75\x52\x85\x5a\xe9\xb0\x95\x82\x86\x8d\xe1\x64\x0f\xd5\xbb\x37\x5a\xde\x8c\x42\xf5\x6f\x0d\xd2\x5e\x21\x54\x17\x6a\x6a\xde\xdf\x45\x65\x6c\x2d\x6d\xfc\x81\x7d\x7e\x90\xfd\xcf\x7e\xda\x2e\xfe\xeb\xd2\x5a\x3a\xba\x6f\x7d\x5d\x3a\xaf\xb1\x97\x7c\x40\x3f\x89\xff\x53\x5b\x4e\xf3\xff\xdf\x6c\x99\xfa\x5e\x4d\xa7\xc5\xfb\x79\x94\x0e\xf3\xf7\x73\x9c\x52\x34\xe2\xeb\xed\x30\xba\x6f\x2d\x9d\xe2\x4f\xdb\x50\xa2\xbe\xc5\xe0\xf7\x6f\x8c\x8d\x1a\xef\x9c\x6b\x7c\xcc\x7a\x9a\x6b\xb5\x2e\x0d\xa4\xeb\x83\xd8\x1e\xe9\xfa\xe0\xfa\x81\xeb\x07\xae\x1f\xb8\x7e\x90\xae\x0f\xe9\xfa\x80\xdc\x81\xdc\x81\xdc\x81\xdc\xbb\x0b\xb9\x23\x5d\x1f\xd2\xf5\x6d\x16\xc8\x88\x74\x7d\xed\x48\xd7\xf7\x8e\x24\xcd\x0a\xf2\xa6\xae\x48\xb9\x94\x49\x87\x78\x53\x0e\x0a\xe7\x97\xc9\x4f\x29\x99\x7f\x79\x23\xfb\xd4\x30\xfb\x7f\x7d\x74\xa7\xde\xce\x94\xb3\x99\x4b\x6b\xe9\xe8\xdd\x3c\x7d\x9f\x7b\x6b\xba\xa8\x94\xe4\xe4\x43\xfa\x81\xc5\xda\x4b\x5c\xc9\x97\x94\xd0\x8b\x02\x2e\xd1\x51\x01\xd5\xd2\x34\xc6\xa1\xda\x30\x0d\xd1\x43\xbe\x50\x8d\xf7\xcc\x5a\x3a\xa5\xdf\x49\x20\x4d\x7b\x32\x98\xa6\x4d\xb2\xa3\x06\x4d\xf3\xed\x73\x33\x9d\x89\xd2\x64\x65\xc0\xe7\xb7\xf9\x0c\x40\xd4\xcc\xcd\xe7\x31\x06\x09\xe3\x58\x87\x87\x21\x73\x9c\x8e\xd1\x91\x9a\x90\x86\x46\xc7\x01\x2a\x3a\x04\x33\xb4\x18\xcc\xf0\x8e\x88\xbf\x33\xa8\x75\xbb\x70\x52\xc4\x37\x1c\xa6\x83\x76\x7c\x43\xe3\x97\x37\x58\x01\xb0\xbd\xc6\x25\xf9\xe3\x77\xf8\x58\x8f\x97\x1b\x3e\x6d\x49\x18\x8c\x21\xf1\x9f\x9d\xb6\x17\xed\x09\x40\x80\x21\x09\x30\x24\x10\xc1\x76\x44\x04\x0b\xf5\x13\xd4\x4f\x50\x3f\xb5\x4b\xfd\x94\x7d\x3e\x12\xae\xd2\x83\x16\x45\x2c\xe2\x05\x9a\x73\xc4\x22\xde\x64\x9b\x41\x9b\x8b\x98\xf7\xf2\x60\x3b\xdb\x2a\xba\xa9\xdd\x2b\x84\xcc\x3f\xdd\xe6\xb3\x42\xd8\x57\x97\x78\xd7\x63\xa3\x31\xc8\xf3\x3c\x76\x70\xd9\x80\x9c\xba\xbd\xb6\x58\x41\x4e\x5d\xe4\xd4\xdd\xe0\x9c\xba\xed\xa4\x4b\x81\x29\x74\xdb\x6b\xff\xb3\x69\x1a\x63\xa3\xf1\xfd\x96\xb6\xf0\x0e\x57\x22\x5d\xe5\x16\x29\x1a\xfc\xbe\x24\x3d\x26\xa0\xa8\x56\x55\x54\xa9\x20\xdb\x24\x74\x45\xae\x4a\x69\x41\x98\xfd\xa0\x68\x4e\xb7\xa9\xfc\xb2\x9c\x54\x91\x72\xc5\x6a\xd1\x66\xa4\x2f\x0c\xb3\x1f\xd9\x42\xb7\x1b\xc7\x2f\x19\xed\x45\x3f\x1a\x31\x98\xb5\x8d\x88\x75\x0b\x22\x3a\xca\xaa\x3f\xbc\x34\xb7\x24\xae\x9b\x16\xed\xde\x48\x39\x96\xf7\x93\xd6\xc6\x60\x88\xb7\x35\x64\x6b\x8f\x5c\x62\x12\xa5\x22\x5b\xbb\x36\xad\x2a\x4b\xf9\x11\xdb\xf9\xcb\x77\x3a\x86\xab\xb0\x58\x95\xaf\xd9\x66\x71\xc8\x25\x24\x70\xb4\x9d\x4a\x8a\xce\x30\xee\x6c\x59\x3c\x90\x3d\x9f\xd7\xdf\x74\xb7\x2b\x2e\x9f\xa2\x05\xf1\xf9\xce\xd1\x39\xfe\xf9\xf2\xcc\x2b\x2d\xcc\xd8\x9c\xfc\x0b\x6d\x64\xd0\x67\x2d\x07\x7f\xb5\x19\x76\xc6\xf8\x6a\xdd\xef\xa4\x59\x34\xb9\xae\x9f\x9d\x1f\x2e\x1f\x94\xf5\x8a\x82\x5f\x17\x45\xc1\x21\xcb\x84\x2c\x13\xb2\x4c\xc8\x32\x21\xcb\x84\x2c\x13\xb2\x4c\xc8\x32\x21\xcb\x84\x2c\x13\xb2\x4c\xc8\x32\x21\xcb\xec\xac\x2c\xf3\x34\x9d\x64\xc7\xe3\xc7\x2c\x66\x72\x9f\x13\xb3\xd4\x6f\xf5\x6e\x05\xe8\x02\xe5\x28\x94\xa3\x50\x8e\x6e\x22\xe5\xe8\x17\x86\xe8\x1e\xb3\xd0\xb3\xe0\xa1\x62\xbf\x79\x4d\xaa\x68\xec\xf9\x21\xf6\xdc\x80\x5d\x96\x73\xd5\x98\x5b\xcb\xf9\xe2\x5a\x31\xbf\x2a\x95\x5c\xa4\xd3\x5a\xc7\x4e\xf3\x06\x1e\x96\x2a\xa1\x80\xcd\x54\x32\x71\xdd\xae\xe6\x69\xb5\x3d\x5f\xd4\x36\x5d\x14\xf8\x53\xfe\x8a\xb5\xd0\x61\xa5\xc9\x24\xf7\x79\xc3\xc2\x1d\x8c\xf8\x8d\x89\xb4\xdb\x17\x82\xc1\x65\x82\x0d\xd6\x56\xe9\xb3\xc6\xc2\xed\x5c\x00\x7d\x04\x7d\x04\x7d\x04\x7d\x04\x7d\x04\x7d\x04\x7d\x04\x7d\x04\x7d\x04\x7d\x04\x7d\x04\x7d\x04\x7d\xec\x2c\x7d\x04\xda\x03\xda\x03\xda\xeb\x61\xb4\xf7\xf9\x7b\xe9\xa4\xd0\x3f\x4a\x95\x8a\xb6\x4e\xfc\x77\x5e\x92\xaf\xe9\x8b\xae\xaa\x29\x70\x1c\xd3\x78\x20\x03\xfb\x8f\xf7\xb2\x6f\xf6\xd9\x55\x8d\x06\x79\xf8\xb7\x38\x66\x76\xb2\x3d\xe3\xce\xf0\x56\x96\xe4\x6a\x72\x9f\x7e\x5e\x5d\x49\x35\xf3\xb0\x08\x92\x08\x39\x16\xfc\x55\x22\x72\x73\x9c\x47\x6e\xf6\x3d\x72\x81\xa5\x68\x84\x92\xc1\xe5\xa4\xcc\x9b\x0a\xd4\xf6\xad\x1f\xb1\x7d\xf5\xe1\x60\x82\x96\x64\x09\x23\xcb\xa7\xf5\xa3\x7e\xd9\x40\xa3\x1f\x73\xd4\xad\x1b\x36\x63\xbe\x83\x3b\x7e\xd0\x38\xb5\xa3\x7d\x9f\x39\x43\xa7\xe8\x44\x4d\x74\x44\x53\x9d\x8f\x78\x08\x44\x81\xb7\x18\x05\xfe\x63\xeb\x44\x81\xdf\xa4\x45\xc8\x88\x50\xf0\xe3\x74\xcc\x0e\x05\x6f\xb2\x0d\xd3\x78\x84\x6b\x1d\x02\xc2\xcb\x33\x7f\x7b\x9b\x6d\x3c\x26\xea\x02\xba\x82\xad\xc8\x83\x3c\x08\xa1\x63\x36\x04\xd1\x5d\xbd\x66\xcd\x10\xdd\x85\xe8\xae\x0d\x8e\xee\x6a\xfb\x7a\x31\x30\xc4\xab\xb1\x39\xc1\x23\x47\xbc\xe7\xfc\x90\x3d\x4c\x07\xd9\x44\x7c\xdc\x92\x0a\xdd\xe5\xd4\x1a\x59\xd7\xdc\x0a\x12\x23\xf6\x4b\x49\x5a\x36\xf6\x35\xab\x55\x45\xcb\x49\xa5\x62\xb9\x30\xb6\x36\xb1\x22\x57\xa5\x89\xf5\x83\xba\xf8\x20\xe9\x9f\x74\xa9\xa2\xe4\xcd\xab\x65\xd5\x0a\xec\xfa\xea\x30\xfb\xc0\x16\xda\xe5\x68\xf7\x92\xd1\x6e\xf4\x57\x1a\x09\xee\x3a\x6f\xb5\xbf\xa0\xe4\xa7\xac\xf6\xbb\x22\xc2\xeb\x28\xff\xb9\x29\xfb\xd1\x96\xc5\x93\xd9\x53\xbc\xcf\xdd\x77\xbf\xac\xa2\xf3\xa1\x5e\x41\x31\x58\x57\x0b\xc1\x9f\xf7\x0c\xcb\x98\x9f\xb7\x3d\x28\xc6\x57\xee\x33\x14\x8e\x6f\x5e\x0c\x1e\xe4\x16\x90\x5b\x40\x6e\x01\xb9\x05\xe4\x16\x90\x5b\x40\x6e\x01\xb9\x05\xe4\x16\x90\x5b\x40\x6e\x01\xb9\x05\xe4\x16\x9d\x96\x5b\xcc\x50\x86\x9d\x89\x9f\xb2\x40\xca\x3e\x27\x80\xf1\xd9\xce\xdd\x0a\x38\x06\xb2\x10\xc8\x42\x20\x0b\xd9\x44\xb2\x90\x2f\x0e\x53\xda\x48\x8b\x95\xbb\x22\xe7\x57\x4b\xfa\xaa\xd2\xae\x11\x50\x51\x8b\x8a\x5a\xac\xde\xc8\x95\x24\x4d\xb3\x53\x5e\xfd\xd4\x30\x7b\x5b\x3f\xbd\xdc\xbe\xe4\xd2\x5a\x3a\x1a\xf3\xa8\x07\xb0\x60\x5c\x3f\xad\x5f\x9f\xdc\xab\x9f\xb1\x64\x5d\xb4\x9c\x76\x1d\x0e\x59\x04\xb2\x42\xe7\x04\x08\x3c\x43\xa7\x38\x08\x3c\x4a\x87\xe9\xa0\x2f\xd4\x77\x3c\xfe\x5a\x3a\xe5\xba\xb1\x9b\x95\x83\xbc\x36\x98\xfe\x1d\x67\xc7\xcc\x4c\x50\xb5\xc3\x60\x30\x40\xf7\x1d\x39\x69\x7f\xf4\x8f\xb7\xd5\x0e\xc5\x3e\xef\xca\x00\xee\xd1\x88\x19\x27\x75\x68\x40\x32\x59\x3a\x4f\xb3\x35\x9e\xd5\x16\x47\x04\x5e\x55\x68\x44\x5a\xd4\x88\x7c\x28\x12\x9e\x5d\x98\x17\xa2\x90\xb3\x34\x6d\x8b\x42\xda\x67\x65\xda\x6c\x46\x02\x84\x24\xc9\x1f\xbd\xa3\xd6\xca\xbc\xc2\xaa\x20\xe0\x36\x2c\xf7\x8b\xbf\x77\xca\xae\xa0\x84\x00\x4a\x08\xa0\x84\x00\x4a\x08\xa0\x84\x00\x4a\x08\xa0\x84\x80\x77\x09\x81\x36\xaf\x1d\x32\x6f\xdd\x51\xbb\x38\x18\x09\x28\x1e\xe0\x5e\x32\xdc\xc7\x75\x50\x1d\x58\x31\x40\x5f\xda\x6b\xeb\x14\xe8\x4b\xa1\x2f\xdd\x60\x7d\x69\x07\x51\x54\xa0\xd2\xb4\xb1\x99\x20\xc8\xe0\xfb\xce\x14\xd9\x49\x3a\xca\x0e\xc7\x0f\x5a\x3e\x8b\x7b\x9d\x9e\x0f\x57\x83\xf5\xfe\x8e\xd0\xc5\xa1\x7f\x9b\xa0\x29\x41\x37\xcb\x72\xf5\xba\xa2\x3e\xe5\xa6\x9b\xeb\xaa\x43\x8b\xe5\x82\xaa\x1b\x15\x8d\x3d\x9b\x60\xbf\x32\x40\x2f\xb7\x9b\xd0\xe7\x37\xad\xb1\xf4\x57\x73\xa2\x95\x90\x92\x5f\x0d\xf2\x0b\x2e\x5a\x37\xe2\x0c\xc9\x30\x7e\x69\xbe\xa8\x55\xa1\xd1\xac\xff\x30\x1a\x4a\x7d\xf5\xaa\xe0\x8f\xe3\x10\x3b\x20\x3e\x0e\xa3\xbf\xbd\x3e\x8b\xba\x97\x0d\xc2\x4c\x08\x33\x21\xcc\x84\x30\x13\xc2\x4c\x08\x33\x21\xcc\x84\x30\x13\xc2\x4c\x08\x33\x21\xcc\x84\x30\x13\xc2\xcc\x4e\x0b\x33\x21\xa9\x84\xa4\x12\x92\x4a\x48\x2a\xdb\x28\xa9\xfc\xc8\x10\xed\x72\x27\xd1\x2f\x2b\x79\x59\x63\x3f\x36\xc4\xde\xee\xc8\x9f\x5f\x69\x0c\x20\x5e\x54\xf2\x72\x48\xf4\x70\x97\x23\x75\xbe\xde\x2c\x50\xe1\x4d\xa0\xc2\xd9\x60\x54\xb8\x8f\x3d\xe0\x01\x07\xad\x8c\xf9\xfa\x10\x00\x0c\x02\x0c\x02\x0c\x02\x0c\x02\x0c\x02\x0c\x02\x0c\x02\x0c\x02\x0c\x02\x0c\x02\x0c\x02\x0c\x02\x0c\x22\x41\x3e\xb0\x1d\xb0\x1d\xb0\x5d\xc7\xb0\xdd\x57\x5f\x47\x27\xcc\x04\xf9\x45\xf9\x0d\x55\xb9\xcc\x47\xcb\x96\x0b\xae\xc8\x55\x29\x3d\x96\x5b\xd5\xaa\xca\x35\xb3\x41\x07\x86\x62\xef\x7d\x1d\xfb\xc1\x21\xba\xcb\x75\xf5\x25\xe3\xb2\xe8\x61\xb1\x70\x54\x8d\x29\xcf\xb4\x89\x66\xaa\xc8\x69\xde\xaa\xb9\xed\x9b\xb1\x5a\x4d\x8e\xeb\xd7\x4d\x39\x9b\x5c\x16\x2d\xfa\x5d\xd1\xe5\x40\x2f\x03\xde\x05\xde\x95\x01\xef\x02\xef\x02\xef\x02\xef\xea\x19\xde\x95\xe9\x1a\xde\x15\xfa\x9d\xb4\xcc\xbb\x32\xe0\x5d\xe0\x5d\xe0\x5d\xe0\x5d\xe0\x5d\x9d\xe7\x5d\x99\x9e\xc6\x53\x19\xe0\xa9\xf6\xe1\xa9\x4c\xb7\xe3\xa9\xcc\x26\xc4\x53\xd9\x77\x45\xe8\xfb\x84\x12\xaa\x4a\x2a\x57\x42\x95\xe8\x2a\x5d\xf1\x53\x42\xd9\xbc\x68\xd4\xda\xaf\xdb\xa2\x28\x37\xe1\x32\x18\x55\xca\x0f\x29\xcd\x17\xb5\x60\xd1\xd4\x7d\xde\xa2\xa9\xad\x6c\x8b\xd0\x4b\xbd\x3e\x58\x2f\x75\x91\xcd\x3b\xf4\x52\xfc\x9e\xec\x52\x67\xf5\x48\xce\x90\x51\xf9\xdd\x35\xc5\xdf\x73\x9b\x1f\x8d\x7b\x40\x4c\x6f\x31\xc9\x1f\xbc\x4d\x88\x53\x36\x04\xbd\x09\x52\xf6\xbd\xf4\x06\x5a\xab\xc9\x14\x71\x99\xf2\x9d\x18\x71\x64\x95\x40\x7e\xbd\x16\xf3\xeb\xfd\x87\x7e\xba\x2e\xec\x54\x85\xca\xdc\x4e\x5d\xa1\x0e\xbd\xb5\xf4\xcf\x45\x3e\xbe\x55\xd2\xec\x7c\x7c\x9d\xfb\xf5\x37\x8a\xcc\x3f\x6b\x54\x75\x64\xfe\xe9\xdc\xcf\x07\x19\xe8\xc6\x0c\x70\x80\x4d\x6d\xca\x3e\xaf\x33\x27\x54\x14\xad\x4a\xc9\x77\x8f\xfa\x19\xe8\x51\x23\x5f\x94\x23\xf9\x96\x72\xd9\xdf\x58\x9f\x10\xa7\x7b\x1a\x6b\xab\x85\x0e\x99\xed\xf6\xa4\x23\x04\x31\x07\x31\x07\x31\x07\x31\xef\x1d\x62\x8e\x25\x68\xc0\x12\xb4\x7b\x5c\x0a\x48\x05\xdb\x91\x54\xb0\xf0\xdc\xc0\x73\x03\xcf\x0d\x3c\x37\xf0\xdc\xf4\xb4\xe7\x06\x19\xc1\x91\x11\x1c\x19\xc1\xdb\x95\x11\x1c\x8e\x51\x38\x46\x7b\xd5\x31\x9a\x2d\x84\x9c\x0c\x3f\x1c\x26\x7d\x13\x3e\xc0\x3a\x5e\x7d\x35\xe9\xcd\xa4\x77\xb1\x9d\xc2\x80\xd8\xc6\x9d\xc2\xcf\x47\xfc\xc5\x28\x9d\x13\x31\x06\xf6\x93\x58\x91\x05\x41\x79\x88\x8d\xe2\x6b\x63\x1a\xef\x5b\xf6\x1f\xa2\xec\x87\xfb\x89\x79\xc0\xf3\x07\x79\x21\x36\x71\x9a\xf9\x96\xd8\x0b\x68\x23\x6f\x6d\x72\x44\x3f\xeb\x6c\x2d\x2e\xaf\xcb\x27\x2c\x46\x32\xe4\xda\x6c\x12\xcd\x8a\xf7\xec\x34\x9d\xe4\xef\xd9\x11\x3a\x44\x07\x7c\x13\x62\x7b\xb8\x41\xcc\xec\xbb\x37\x59\x9a\x6d\x39\xf8\x05\x3c\xc0\xd2\xc6\x0b\x68\xdf\x06\xf9\xa6\x00\x16\x6f\x59\xf4\xaf\xb7\x79\x8e\xcc\x90\x59\x97\x2d\x68\x70\xc6\x8c\x13\x37\x66\x7c\x32\x73\x74\x8e\xce\xd6\xb8\x9e\x5b\x1b\x20\x60\x3c\x78\x92\x5b\xf4\x24\x7f\x30\x12\x9a\x95\xb8\x20\x1c\xc3\x33\x94\xb1\x1d\xc3\x6d\x33\x39\x6d\xb2\x29\x01\xf5\xd9\x32\xef\xda\xe1\x69\x72\xc6\xeb\xea\xb0\x04\xd9\x1e\x51\xf4\xa1\xf3\x96\x07\xa5\x59\x7a\xcd\xf4\xa1\x34\x0b\x4a\xb3\x6c\x70\x69\x16\xc9\xd7\x9c\x87\x35\xf9\x34\x37\x2d\x04\x4c\x02\xf5\xb3\x46\x60\xc5\x97\xec\x41\x9a\x60\xe3\xf1\x94\x95\xf2\x74\x97\xb3\x22\x8b\xf1\x4b\xb7\x42\xed\x79\xf6\x6c\x94\xe6\xd6\xa9\xf6\xd2\xe4\xfe\xea\xcb\xf7\xb2\x7f\xd3\x5f\x5b\xf5\xa5\xb1\xad\xd5\x90\x7e\xd6\xba\x55\x5a\xda\xb2\xab\x7a\x82\xa6\xc4\x2b\x3b\x49\x47\xf9\x2b\x3b\x41\xe3\x94\xf2\x7d\x65\x1d\x9d\xb4\x16\xda\x86\xaa\xb1\x0a\x2a\xbe\x75\x52\xfc\x4b\xab\x44\x7f\x7f\x5b\xed\x60\x34\xbc\x9b\x4a\x1a\x27\x76\x7c\x48\x32\xfa\x8a\xf3\x4c\xcd\x92\xa2\xe9\x31\xc1\x42\x02\x7b\xa8\x16\xf7\x50\x3f\x19\x09\xc3\x26\xcc\x8a\xed\x93\x3e\x13\x5a\xdb\xa7\x76\xd8\x96\xb6\x19\x8f\xa0\xbd\xd3\xbf\xde\x51\x6b\x5b\x9a\xdf\x36\x25\x2a\x81\xb5\xb9\xb0\x63\xc2\x8e\x09\x3b\x26\xec\x98\x36\xf5\x8e\xa9\x23\xab\xcc\xb6\x15\xe2\xc3\x76\xc9\xda\x2e\xfd\x55\x1f\xdd\x65\x24\xbc\x5a\xad\x2a\x5a\x4e\x2a\x15\xcb\x05\x7d\xa3\xc4\x3e\xdf\xc7\x3e\xdb\x47\xff\xcc\xf1\x67\x7d\x4a\xbc\xbb\x20\x57\xdd\x3a\x2d\x11\x0c\x99\xdc\x53\x90\xab\x53\xf6\xb9\xcb\xe9\xa9\x85\x39\xd3\x17\x17\xe2\x6c\x57\xd7\xd0\x64\x5d\x43\x93\x8d\x34\x94\xad\xd0\x63\xe2\x0d\xd6\xa7\x2f\xfd\x0d\x9e\xa5\x19\xca\xb4\x30\x69\x39\x9e\xb3\x91\x18\x49\xf6\x03\xa3\xb4\xe0\xd1\xe3\x13\xfa\xde\x7e\xc2\x6f\x7f\xca\xdb\xd0\x6d\x69\xa9\xa2\xe4\xcd\xeb\x64\xd5\xdc\xae\xb2\x0f\x8c\xb0\x17\xfb\x69\x97\x6b\xb0\x44\x8b\xd1\x24\xdf\xad\xba\x97\x2b\xe7\xad\xe6\x16\x94\xfc\x94\xd5\x5c\xf2\x88\x7e\xae\x73\x14\x45\x1b\xf6\x1a\xc6\xe7\xc2\x90\xf7\xb0\xaa\x3f\x8f\x79\x5c\x0c\xda\x02\x5d\xe4\x83\x76\x9e\x66\x69\xc6\xd7\xec\x38\xba\x23\x65\x74\x47\xca\xe7\x09\x1a\xdc\xd9\x16\x82\x4d\xd2\x0c\xcb\xd8\x46\x48\xfc\xa8\x15\x20\x65\xdf\x8f\xb1\x4e\xf5\xb9\x1b\x8a\x7e\x72\xbb\xf7\x68\x8e\x9a\xdb\xdd\xc6\x06\x74\xd2\x38\x7d\xc3\xc7\x34\xf3\x6a\x7a\x15\x2d\xd7\xac\x12\x43\x1a\x3b\xac\x18\xb1\x35\x6e\x71\x6b\xfc\xe9\x48\xdb\x2c\x0a\x3d\x21\x36\xcc\x8f\xd1\x92\xbd\x61\x0e\xaf\xf5\xd6\x11\x9d\xbe\xd9\x6d\xd0\x90\x35\x6d\xb7\xea\x2c\x5f\xf2\xb7\xef\xf0\x36\x64\xa6\xf4\x4f\xf2\xb5\x5d\xc7\x8c\x78\xce\x0d\x37\x5d\xed\x09\xe6\x84\xd1\x0a\x30\x5a\x08\x28\xea\x48\x40\x11\x94\xe4\x50\x92\x43\x49\xde\x2e\x25\x79\xf6\xf9\x48\xc8\x72\xda\x45\x91\x61\xe2\x02\xcd\x39\x32\x4c\xb4\x59\xa2\x1b\xf3\x5e\x4c\x6c\x67\x5b\x45\x37\x75\x6e\x3d\x91\xf9\xcd\x1d\xde\xeb\x89\xc3\x75\xac\xbe\xb1\x1d\xd2\x51\x4e\x7c\x36\x74\x91\x01\x82\xdf\x6b\x4b\x1b\x10\x7c\x10\xfc\x0d\x26\xf8\x6a\xfb\x36\xbe\x41\xb3\x49\x10\x7d\xef\xd8\x64\x92\x9d\xa1\x0c\x3b\x13\x3f\x65\x01\xfb\x7d\x4e\xcc\xef\xd3\xcc\x2d\x81\xfd\xff\x6e\x98\xe6\x05\x84\xce\x29\x8a\x9a\x2f\x96\xf9\x07\x56\x5b\xe6\xc2\x28\x5c\xeb\x8d\xa4\xf9\xae\xc0\x02\xd0\x3f\x31\xcc\xbe\x7f\x0b\xdd\xe9\x6c\xcd\x52\x1f\x3f\x1b\x31\x42\x99\x1c\xa5\x6d\xcb\xe6\xae\xc6\x2c\x7e\x31\xaf\x37\x17\x4a\x8d\xdb\x11\x3b\x28\x9e\x6f\xa1\x8c\x10\xea\x62\x55\xbe\x66\x5b\xd0\x21\x57\x1e\x0b\x47\xdb\xa9\xe4\x90\x51\x21\xd7\x7e\x92\x3a\xf1\x33\xbf\xd9\x2e\x2f\xb2\xb1\x21\x55\x73\xfd\x3f\xed\xeb\xe2\xd3\x7e\x32\xf8\xd3\x9e\x64\x47\xc5\x77\xcc\x7b\xd9\x57\xfe\xe8\xf1\xe2\xa2\x90\x2e\x0a\x8b\xa0\x90\x2e\xd2\xa4\x21\x4d\x1a\xd2\xa4\xf5\x52\x9a\x34\x14\xd2\x45\x21\x5d\xa4\xa7\x42\x7a\x2a\xa4\xa7\x42\x7a\xaa\xae\x48\x4f\x95\x9d\xa0\x71\x96\x8a\x8f\x58\x48\x64\xa7\x13\xac\xf0\x7d\xdd\xad\x80\x51\x50\xde\x17\x69\x82\x50\xde\x77\xf3\xd4\x4f\x61\x4f\x27\xe8\x80\xc0\x9e\xf9\xa2\x96\x53\x74\x53\xec\xcd\x3c\xe5\x72\xbe\xa2\x14\xcb\x55\xad\x54\xcc\xc9\x1a\xfb\xcb\x21\xf6\x47\x03\xb4\xd3\xba\xc8\x42\x9b\x37\x8c\x39\xb7\x9c\x2f\xae\x15\xf3\xab\x52\xc9\x05\x39\xad\xf5\xed\x59\xa3\xb9\x25\xbd\xb9\x50\x20\x67\x2a\x79\x98\x5f\x30\x63\xde\x92\xc1\x28\x5d\xbf\x34\x5f\xd4\xaa\xb3\x8a\x3a\x55\x2a\x59\xe8\x32\x3c\x29\xf6\x2d\x44\x2d\x57\x82\xa1\xe4\x69\x76\xd2\xe0\x8e\xb5\x6f\x8e\xe1\x74\x70\x75\xbc\x47\xe2\x8e\x7d\xde\x64\x74\x07\x23\xfe\xf0\xbc\x3e\x0e\xf0\x25\xf0\x25\xf0\x25\xf0\x25\xf0\x25\xf0\x25\xf0\x25\xf0\x25\xf0\x25\xf0\x25\xf0\x25\xf0\x25\xf0\x65\x87\xf1\x25\x40\x21\x40\x21\x40\x61\x0f\x83\xc2\x5f\x7a\x2d\x9d\xf1\xcf\x22\xd7\x58\xaa\x6e\xf6\xad\x27\xd9\x4f\x0f\x12\x73\xe5\x14\x12\xd8\xf0\x21\xb1\x72\x54\x8d\x39\xcf\x34\x8a\xa6\x16\xd2\xcc\x26\x34\xa8\x9f\xe6\x4c\x26\xe4\x9d\x83\xb5\xcb\x91\x5e\x06\x54\x0b\x54\x0b\xb5\x4b\x41\xb5\x40\xb5\x40\xb5\x7a\x87\x6a\x75\x51\x69\xce\xae\xa1\x5a\xa8\x19\x09\xaa\x05\xaa\x05\xaa\x05\xaa\xb5\x11\x35\x23\x7b\x1a\x42\xa1\xa8\x5d\x2f\x17\xb5\xcb\x6c\x42\x08\x95\x95\xfd\xd3\x20\x66\x85\x46\x6a\x9a\xa6\xb8\x46\xea\x38\x1d\xa3\x23\x8d\x65\x5f\x75\x95\xa5\x98\x2f\x6a\x55\x53\x04\x75\x9f\xb7\x40\x69\x2b\xdb\xc2\xb5\x49\x0d\x46\x6e\x36\x9f\x97\x5b\xe8\xa3\xe2\xcf\x6c\xf7\x24\x65\x3b\xc5\xac\x14\x93\xca\x76\x8e\x6d\xf1\xa7\x0e\x72\xb1\xd6\xea\xa1\xf9\x77\x3b\x12\x64\x20\x61\x61\x8b\x09\x0b\xff\xb1\xc9\x7a\x68\xfe\x2f\x61\x0b\xf5\xd0\xd6\x69\x6c\x5e\x64\x25\x3a\x4b\xd3\x8e\xac\x44\x2d\xb7\x16\x24\xd8\x6c\xaf\x2d\x5a\xc7\x14\x56\x14\xad\x4a\xc9\x6f\x8c\x78\xda\xaa\x3d\x46\x0e\x2a\x47\x42\x2f\xe5\xb2\x65\xb6\x26\xc4\xd1\x3a\xb3\x35\x6d\x9d\xdd\x6e\x03\xd6\x9e\x3c\x86\x00\xbb\x00\xbb\x00\xbb\x00\xbb\xbd\x03\x76\xb1\x7a\x0b\x58\xbd\x75\x0f\xf9\x46\x0e\xd9\x8e\xe4\x90\x85\x83\x01\x0e\x06\x38\x18\xe0\x60\x80\x83\xa1\xa7\x1d\x0c\x48\x25\x8e\x54\xe2\x48\x25\xde\xae\x54\xe2\xf0\xdf\xc1\x7f\xd7\xab\xfe\xbb\x6c\x21\xe4\x2c\xfa\x41\x84\x39\xe9\x8d\x80\x77\xb1\x9d\xe2\x6b\xb6\x2d\x6d\xbb\x3d\x63\x9b\x30\x2f\x0e\x7b\x66\x9c\x86\xf4\x97\x76\x9d\x8a\xeb\xba\xa9\xe1\xb9\x35\xfe\x69\x8c\xfd\xed\x43\xb4\x35\xa7\xa8\xf2\xa5\xb5\x40\x69\xfc\x92\xb8\x2c\xb9\x5b\x3f\x6d\x5a\x51\x65\x67\x85\x5d\xe3\x20\xf4\xf0\xd0\xc3\x43\x0f\x0f\xb7\x09\xdc\x26\x70\x9b\xc0\x6d\xd2\x35\x6e\x93\xee\xf1\x0a\x00\x57\x03\x57\x03\x57\x03\x57\x03\x57\xf7\x34\xae\x06\x4f\x03\x4f\xeb\x51\x9e\xb6\x29\xf5\xf0\xaf\xa6\xd3\x82\x01\x1e\xa5\xc3\x9c\x01\x8e\x53\x8a\x46\x7c\xf5\xa5\x39\x45\x95\x39\xf1\x13\x54\x68\xbe\xa8\x05\x67\x02\x0d\x12\xc1\xcf\x05\xa3\xbe\x41\xf6\xa0\x81\xfa\xe2\x71\x83\xed\x19\x77\xe0\x64\x7b\x14\xff\xec\x36\x1b\x7a\xdd\x61\xaa\xdc\x2d\xbe\xb5\x57\xfc\xa5\xdd\x84\x4b\x00\xa9\x53\x74\x82\x26\x6b\x94\xed\x49\x4a\x34\xda\xb3\x10\x44\x41\xce\xde\xa2\x9c\xfd\x8b\x11\x3a\x2e\xbe\xe9\x83\x34\xc1\xbf\xe9\x11\x6a\xe2\xcd\xa3\x33\x42\xc3\x7e\x8c\x8e\xd8\x1a\xf6\xe6\x5a\x98\x12\xc2\xf5\x49\x3a\xea\x10\xae\x37\xd7\x44\xeb\x46\x85\xcb\xc9\x43\x34\x2a\x9b\xd1\x57\xf0\xc2\x10\xdd\x63\xfa\x0a\x6a\x0b\x0e\xb2\x9f\x1d\x62\x3f\x3e\x60\xdb\xc9\xd5\xc6\xd2\x6d\x5b\xf6\x32\xa4\x54\xdb\xf7\x18\x15\x01\x5d\xb6\x58\x9f\x4f\xba\xdc\xd3\xb0\x21\xc9\xb4\x1b\x49\x74\x7d\xf5\x42\xf0\x2b\x9f\x60\x83\xb5\xaf\xbc\xd5\xf7\xee\x97\x1e\xfe\x14\xf8\x53\x90\x35\x1b\xfe\x14\xf8\x53\xe0\x4f\xe9\x1d\x7f\x0a\xb2\x66\x23\x6b\x36\xfc\x29\xf0\xa7\xc0\x9f\x02\x7f\x4a\x57\xf8\x53\x90\x35\x1b\x59\xb3\x37\x8b\x83\x06\x59\xb3\xdb\x91\x35\xfb\x73\x09\x4a\xfb\xa1\x3c\x97\xf8\xb7\xa2\xe4\xab\xf2\xb5\x0a\xdf\x62\xb0\x77\x27\xd8\x73\x0e\xc6\x77\xbd\x31\xc6\xb7\xa0\xe4\x1f\x35\x9a\x08\x89\xf2\x3d\xe8\x45\xf9\xf2\x8e\xdf\xd9\x1c\xc4\xcf\x37\x67\x54\xe8\x28\xb0\x29\xe2\xf7\x70\x30\xf1\x4b\xb2\x44\x2d\xf1\x73\xf4\x3e\x98\x1f\x98\x1f\x98\x1f\x98\x1f\x98\x1f\x98\x1f\x98\x1f\x98\x1f\x98\x1f\x98\x1f\x98\x1f\x98\x1f\x98\xdf\x46\x32\xbf\xcd\x27\x38\x02\x55\x04\x55\x04\x55\xdc\x44\x54\xf1\x57\x87\x88\xb9\xa9\x62\x45\xc9\x6b\xec\x99\x21\xf6\x6e\x07\x36\x54\x1a\xc6\x86\x21\xe1\xc2\xb8\x03\x17\x2e\x28\xf9\xf9\xa2\x56\x9d\x55\xd4\xa9\x52\xc9\x62\x87\xdd\x5e\x98\x6f\x43\xe4\x81\x67\x83\x39\x60\x9c\xc5\x2c\xfa\xe7\xa2\x7e\x36\x1d\x6c\x88\x39\x02\x12\x02\x12\x02\x12\x02\x12\x02\x12\x02\x12\x02\x12\x02\x12\x02\x12\x02\x12\x02\x12\x02\x12\x02\x12\x42\x18\x08\x84\x07\x84\x07\x84\xd7\x29\x84\xf7\xf1\x04\x9d\xd4\x87\x4e\x1b\xcb\xc9\xaa\xd1\x8a\xac\x19\x09\x50\x6d\xae\xe7\x3c\x58\x2c\x94\x8b\xe5\x82\x69\xad\xd9\x3f\x0d\xb1\xbf\x19\xa0\xdb\x9d\x67\x5c\x5a\x4b\x47\xdf\x12\x69\x0c\xfb\x4d\xdb\xd7\x2d\x89\x96\x17\xcd\x60\xff\x50\x60\xe0\xb8\x80\x81\x8e\xbb\x5b\x4e\xfb\xfe\xe6\xe6\xd0\x11\x76\x69\xe4\x70\x29\x98\x1f\xce\xb1\x73\x06\x29\xf4\x78\xdb\x0c\x61\xa1\xef\xe0\x40\x66\x08\x82\x08\x82\x08\x82\x08\x82\x08\x82\x08\x82\x08\x82\x08\x82\x08\x82\x08\x82\x08\x82\x08\x82\x08\x82\x08\x82\x08\x82\x08\x82\xb8\x21\x04\xf1\x5b\x51\xba\x28\x08\x62\x5d\x01\xa5\x31\xa3\x52\x92\x5f\xb0\x71\x51\x54\x56\x32\xff\xfa\xc6\x31\x8d\x97\x80\x62\x3f\x19\x65\xef\xe9\xf7\x2c\xe4\xff\xa0\x2a\x4b\xf9\x98\x38\xcd\x1c\x00\x7b\x36\x36\x0b\xfa\x8f\xe8\x67\xd5\x95\xf3\xaf\x2b\xe2\x2f\x0a\x4e\x85\x9b\xb1\x35\x2b\xd1\xac\xc0\x73\xa7\xe9\x24\xc7\x73\x47\xe8\x10\x1d\xf0\xcd\x58\xe9\xe8\x33\xe3\x19\x53\x66\xbd\xa9\x20\x28\xb7\xd7\x1b\xca\xbd\x8c\x0d\x14\xe4\x6a\xa3\xb5\xaf\x02\x4a\x5c\xf9\x96\xc6\x8a\x7e\x6b\x9b\xe7\x00\x0d\xa9\x72\xa5\x24\xe5\xe4\xc0\x31\x1a\x33\x4e\xdc\x98\x61\xca\xcc\xd1\x39\x3a\x5b\x93\x58\xb7\xb5\x71\x42\x8e\x5d\xe4\xd8\x6d\x31\xc7\xee\x07\x23\xa1\x19\x8b\x0b\x22\xdd\xee\x0c\x65\xec\x74\xbb\x1b\x60\x79\x2a\xab\x0d\x5b\x9e\xc6\x6d\x8d\xdb\x46\x65\xde\xbd\xc3\xd3\xf2\x8c\x57\x24\x55\xdf\x32\xeb\xdb\x4c\x3e\xc1\x05\x9a\xa0\xd1\x8a\x3e\x99\x75\xde\x00\xed\xae\x6d\x48\xdc\xc8\x7e\xfd\x9f\x93\x7b\x9c\x07\xaf\xc9\x6a\x41\x76\x1e\x1d\x74\x1e\xd5\x97\xbe\x55\xb9\x50\xcc\x8d\xd6\x9d\xe7\x6a\x45\xff\xf7\x0d\xe3\xa8\x7e\x97\x99\x8b\x34\x4f\xd9\x1a\xe3\x37\x49\x47\x5b\xf0\x21\x2d\x70\x36\x0f\x0b\x18\x60\x01\x9f\xeb\xa7\x67\xfb\xd9\x33\xfd\xd1\xa7\x2d\x67\xd5\x9b\xfb\x7b\xc7\x02\xd6\xe0\x0c\xbd\x9f\x39\x9e\xe7\xc8\x4d\x7f\x39\x6d\x27\x5d\xc2\xe7\xc5\x1d\xe6\x9c\x5a\x78\x73\xa4\x12\xbf\xb2\xac\x94\x47\xc5\xd5\xfc\x0c\xee\xcd\xd3\x62\x89\xac\xa6\x94\x17\x84\xb7\xea\x61\xfd\xb3\x30\xfe\xbd\x64\x7e\x2c\xf6\x1f\x87\xfd\x4d\x73\xe6\xa5\x08\xbd\x18\x61\x2f\x44\xa2\x9f\xb0\x56\xe2\xef\x8f\xcc\x2a\xfa\xc6\xb2\xa8\xc5\x0a\x0a\xef\x76\x25\x16\xbf\xac\xff\x29\x1e\x9b\x72\x3d\x05\xdf\x63\x5d\x93\xa5\xb2\x16\x5b\xd5\x6c\x2e\x3f\x2a\xe5\xf8\x83\x73\x6f\x47\xa9\x98\x33\x8a\x31\xcb\xa5\xbc\x16\x53\xae\x1b\x7d\x2a\xbc\x01\x15\x59\xa9\x94\xe4\x54\x4c\xfc\x22\x77\x2f\x9a\x63\xc9\xf7\x3a\x9e\x1d\x60\xfd\x7c\x7c\x0b\xbf\x2d\x97\xab\xac\x73\xeb\xd2\xf6\x9a\xff\xab\xf7\x7b\x4f\x3e\xdb\xd8\xcb\x78\x2f\x50\xf6\x20\x4d\xb0\xf1\x78\xca\x0a\x7c\xdc\xc5\x3f\x2b\xe3\x1b\x37\x9a\x89\x0f\xe8\x7f\x74\x06\x33\x6e\xbe\x70\x49\xf6\xe3\xc3\x34\x2f\x76\x5e\xea\x8a\x94\x4b\x99\x23\xc1\xbf\x9d\x3a\x05\x87\xcf\x16\x4c\x55\x4a\xf2\x8a\x6e\x9c\xcb\x05\x8d\xbd\x94\x60\x5f\x19\xa0\x3b\xf5\xd6\xa6\x9c\x8d\x35\x91\xfc\x69\x51\x29\xc9\x19\xd1\x5e\x48\x02\x8e\x34\xbf\x60\xb1\xf6\x9e\x9c\x99\xa0\x1c\x3f\xba\x39\x14\x1c\x5d\x9a\x09\x2a\x1f\xfc\xe5\x4e\xb1\xd3\xc6\x87\xea\xfb\xce\x19\x1f\xac\x63\x50\xa0\xdc\x80\x72\x03\xca\x0d\x28\x37\xa0\xdc\x80\x72\x03\xca\x0d\x28\x37\xa0\xdc\x80\x72\x03\xca\x0d\x28\x37\xa0\xdc\xd8\x48\xe5\xc6\xe6\x23\x1e\xd0\x86\x40\x1b\x02\x6d\xc8\x26\xd2\x86\xbc\x35\x41\xe3\x82\x50\x6a\xb9\x2b\x72\x7e\xb5\xe4\xd2\x86\x98\x39\xa3\xd4\xa2\xa2\x16\xab\x37\x72\x25\x49\xd3\x64\x8d\x7d\x76\x88\x7d\x72\x80\x5e\x6e\x5f\x71\x69\x2d\x1d\xbd\xd1\x60\x12\x29\xa3\xad\x69\xbd\xad\x50\xd3\x49\x2d\x59\xb7\xb3\x9c\x76\xfd\xca\xe6\x20\x8e\x9d\x8f\x19\x7b\x6d\x30\x4c\x3c\xce\x8e\x19\x30\xb1\xee\xf5\x30\xb3\xcc\x3b\x7b\xda\x85\x11\x91\x67\x0a\xac\x11\xac\x11\xac\x11\xac\x11\xac\x11\xac\x11\xac\x11\xac\x11\xac\x11\xac\x11\xac\x11\xac\xb1\x1b\x59\x23\x48\x20\x48\x20\x48\x60\x0f\x93\xc0\x3f\x48\x50\xd2\x88\x12\x53\xf2\xb2\x83\x01\xaa\xab\x65\xfd\x51\x0d\xf8\x67\x04\x82\xb1\x0f\x24\xd8\x9f\xf7\xd1\x56\xfd\xdc\x4b\x6b\xe9\xe8\xfd\x3c\xec\xcb\xbd\xe3\x5c\x14\x17\x72\x32\x94\x7c\x05\x8f\xf8\x52\xf2\xf2\x72\xda\xf9\xf7\x90\x63\xbb\x5e\x43\x67\x04\x46\x3b\x46\x47\x38\x46\x4b\xd3\x18\x8d\xfa\x6b\x68\xf5\x27\x5d\x4b\xa7\x9c\x77\x74\xb3\x51\x5d\x8f\x07\x53\xb5\x83\x6c\xc2\x23\x35\xbb\xa3\xdb\x4d\x81\x9e\xf3\xb6\xa2\x1f\xdd\x66\x77\x77\xdc\x0c\xe2\x5a\xa7\xc7\xef\x35\xe3\xb7\xda\xdc\xe9\x99\x69\x9a\xa2\xd3\x35\xc1\x0a\xcd\xf6\x3a\x22\x14\x10\xa3\xd5\x62\x8c\xd6\xfb\x22\x21\x7c\xf4\x67\x45\x74\xd6\x29\x3a\x61\x47\x67\xb5\xc1\x76\xb4\xcb\x38\x04\x04\x7c\x25\xdf\x72\x87\x6d\x3b\xee\x12\xab\xf6\x98\xe4\x36\x17\xf7\x88\x3f\xb7\xdd\x5a\x3c\x4a\x8b\xb4\xe0\xb4\x16\xc9\x0c\x9d\x69\xc1\xd1\x31\xc3\x6f\xf7\x11\xce\x85\x61\x3e\x02\xcd\xc7\xd7\xfa\xe8\xab\x7d\xec\xcb\x7d\xd1\x2f\x5a\x1d\xf4\xe1\xbe\x47\x9d\xeb\xa0\xa2\xbe\x1c\xe7\x6b\x99\xd8\x8a\x7c\x59\xf8\x44\xac\x0d\x88\x0d\xde\x8d\x3d\x1f\xbf\x45\x87\x79\x28\x2b\xe5\xd1\xb2\x5c\x90\x78\x47\x18\x4b\x21\xa7\x19\x11\x28\xc2\x1a\x02\xe3\x1d\x2c\x5e\xbb\x26\xe7\x75\x43\x55\xba\x61\x3b\x2b\x6c\x40\x5d\x2c\x8d\x18\x2b\x24\xbe\x46\x8c\x15\x54\x7d\xce\xab\xc8\x6a\x51\xc9\x5b\x2b\x3d\x7b\xfa\xe3\x7e\x20\xb3\x37\x56\x35\xfd\x26\x9d\xab\x4b\x49\xbf\xd2\x7c\x20\xe3\x47\x2e\x8b\x4d\xb9\xd9\x44\x4a\xdc\xa7\x88\x0c\xf2\xb8\xc7\x38\xe3\xb7\xb0\xc0\xef\xc0\x63\xe5\x97\xf9\x4c\x1f\xbd\xd4\xc7\x5e\xec\x8b\xbe\x60\x75\xf3\x7b\xfb\x66\x1c\x4e\xce\x4a\x49\x96\x34\xd9\x22\x28\x0b\xaa\x52\x91\x0a\x7c\x00\x16\x94\x52\x31\x77\xc3\xe5\x44\x31\x9f\xc5\xf6\x92\xea\xa3\x94\x4e\x1d\x49\xc5\x96\xc4\x80\x88\xde\xa9\xe8\x0b\x7f\x7d\xf3\x64\xc2\x38\x39\xa6\xa8\x95\x2b\x52\xd9\x74\xea\xa8\xab\xf2\xd8\x65\xa9\x64\xc2\xeb\xb8\x38\x1a\x8f\x5d\x2e\x96\xa5\x52\xf1\x7b\x4d\x0a\xb6\x22\xeb\x2b\x4b\xbe\xd5\x18\x13\x2b\xca\xbc\x4d\x46\x45\xe3\x43\x9a\x7d\x91\xc0\xc5\xa9\xd8\xd9\x22\x7f\x9d\x1d\x37\xae\xa8\xf5\x4f\x66\x6f\xdb\xaa\x82\x56\xf3\x8f\x4d\xa9\x5e\x49\xc5\xef\x10\xf7\x33\x63\x3e\x88\xcb\x3b\x94\x79\xdb\x00\xbd\x65\x80\xfd\xc0\x40\xf4\xbb\x96\x8b\xf0\xf7\xfa\x1f\x37\x70\x92\xfe\x49\xe9\xfb\xa6\x82\xa4\xae\x48\x05\x39\x96\x53\x4a\x25\x99\x1b\x3f\xfb\xbb\x90\xd5\xcb\x8a\x7a\x4d\xef\x0b\xcf\x3b\x7d\xa4\xe6\xc7\xfd\x6f\x94\xbf\xcf\xe6\xcb\x58\x11\x4f\x55\xd4\x5f\x94\x5c\x31\x6f\x73\x61\x8e\x18\x45\xe4\x98\xd9\xbb\xfa\x4e\xca\x00\x70\x26\x44\x4c\x39\xba\xd1\xc4\x4f\xd6\x5e\xc9\x72\x0c\xba\x7f\x2c\x15\x9b\xca\xe9\xdb\x2a\x3e\xa7\x3a\x8d\xc3\x90\x78\x86\xa1\xd8\xa8\x31\xf0\xee\x17\x43\x3b\x1e\x1b\xca\x48\xb9\xa7\xf4\xc9\xa4\x9c\xd7\xcf\xe2\x1e\x39\x7e\x52\x4d\xc7\x09\xe6\x6b\xbc\xfa\xee\x46\xcc\x27\x58\xb1\x5a\x3a\x1e\x1b\x9a\x55\x54\xd9\xd1\x6c\x2c\x27\x69\x39\x29\xaf\x3f\xbd\xd1\x3f\xc2\x07\xcb\xdb\xd3\x84\xf5\xaa\x6b\xf0\xb2\xd5\x46\x2a\xbe\xb3\x52\xfb\xde\x38\xe7\xfa\xe7\x23\x34\x2f\xe6\xfa\xb3\x34\xcd\xe7\xfa\x93\x74\x9c\x8e\xb5\x30\x7d\x88\x90\x61\x5a\xd4\x5b\x9b\x60\x17\x68\x8e\xb6\x89\xbe\x95\xf3\x37\xdb\x66\xd0\x22\x20\xe6\x3d\x57\x6f\x67\x5b\x45\x37\x35\xba\x87\x68\x6c\x69\xe0\x5c\x4c\x64\xbe\x71\x9b\xbd\x0e\xd8\x5f\x17\x8e\xbd\xce\x66\xe2\x6e\x11\x89\xdd\xc6\xc5\x01\x62\xae\x7b\x6d\x49\x82\x98\x6b\xc4\x5c\x6f\x70\xcc\x75\x27\x78\x51\x50\x38\x74\xdb\x36\x85\xd9\x63\x74\x84\x1d\x8a\x1f\xb0\xf4\xc3\xf7\x38\xe3\xac\x9d\xa7\xd6\x07\x5b\x87\x1e\x0a\xfd\xa9\x04\x8d\x98\x95\x28\x7d\x22\x9d\x85\xa4\xcb\x04\x8c\xef\x4a\xb0\xcf\xf4\xd9\x35\x2a\xef\xf1\x00\x8c\x5c\xe6\x96\xbc\x57\x3f\x22\x6a\x49\xda\x01\xc7\xfc\x50\xc8\x70\xf1\x51\x3a\x26\x5e\x96\x09\x1a\xe7\x2f\x4b\x92\x12\x34\xe8\xfb\xb2\xe8\x77\xae\xbf\x2c\x8d\x89\xf1\x02\xa8\xe2\xb9\xe0\x77\xe4\x41\x16\xf7\x2e\xf8\x28\x5e\x0d\x71\x1b\xd1\xb7\x6f\xb3\xfb\x74\xb7\x37\x45\x14\xdd\xba\xc7\x38\xd8\x81\x9e\xcd\x9c\xa0\x49\x3a\x5a\x33\xf5\x36\xdc\xb5\x98\x68\x81\x0e\x5b\x44\x87\xef\x8c\xdc\xcc\x27\x7d\x4a\x30\xc3\x23\x74\xc8\x66\x86\x61\x9a\x84\xc6\xbe\x79\xef\xef\xdc\x25\xc4\x0d\x80\x83\x7f\x7b\xbb\x6d\x12\x6e\x37\xe1\x60\xd9\x30\x03\xbb\xc5\x1f\x3a\x61\x05\x40\x06\x41\x06\x41\x06\x41\x06\x41\x06\x41\x06\x5b\x21\x83\x9d\x64\x79\xe1\x62\xc8\xd0\x67\xfc\x40\xc4\x98\xf9\xf4\x6d\xf6\xa4\xff\x60\x00\x09\x14\x2b\x81\x68\xc5\x2e\xda\xdf\xb6\x85\x00\x28\x60\xaf\x2d\x3f\x40\x01\x41\x01\x37\x98\x02\xb6\x15\xec\x04\xe2\xbf\xb0\x8c\x7e\x76\x82\xc6\x59\x2a\x3e\x62\xe1\xbe\x9d\x4e\xdc\xc7\xcf\xbf\x25\x92\x2a\x7e\x65\x98\xce\x19\x05\x31\x15\x45\xcd\x17\xcb\x4d\xa5\x53\xe4\x8b\x6c\x0b\x32\xbe\x73\x98\xfd\xed\x00\xdd\xee\x6c\x48\x9f\x10\x9f\x35\x4a\x63\x3a\x23\x98\xcb\xe6\xfe\x40\xb9\x1c\xd3\x87\x20\x36\xaf\xb7\x14\x4a\x04\xf3\x88\x1d\x75\xc1\x37\x23\x86\x46\xbf\x58\x95\xaf\xd9\x76\x6e\xc8\x15\xc1\xe3\x68\xdb\x8c\x7f\x9e\x76\x3c\x84\x73\x86\xe6\xf7\x89\xf8\xe7\x66\xbe\xcc\xeb\xe2\xcb\x7c\x55\xf0\x97\x79\x88\x1d\x30\xeb\x65\xd6\xbf\x8c\xc6\xa7\xca\x07\x00\x19\x16\x11\xf5\x8c\xa8\x67\x44\x3d\x23\xea\x19\x51\xcf\x88\x7a\x46\xd4\x33\xa2\x9e\x11\xf5\x8c\xa8\x67\x44\x3d\x23\xea\x79\x23\xa3\x9e\xd7\x45\x26\x7c\xdf\x76\x2b\x20\x13\xc4\x62\x23\x16\x1b\xb1\xd8\x9b\x28\x16\xfb\x1d\x09\x4a\xad\x87\x38\x45\xcd\x4e\xc1\x39\x05\xd0\x64\x7f\x38\xc4\x3e\x37\x40\x77\xd6\x90\x4c\x51\x78\xed\xf5\x8d\xa5\x66\x0c\x0f\x68\x9a\x35\x61\xdc\x48\x92\xdf\x0c\xff\x91\xf9\xa2\x56\x9d\x55\xd4\xa9\x52\xc9\xc2\x94\xe1\x45\x12\xdc\x42\x84\xb2\xa1\x9a\x30\x8d\x55\x73\x6a\x9e\x52\x8a\xa2\x4f\x40\x95\x40\x95\x40\x95\x40\x95\x40\x95\x40\x95\x40\x95\x40\x95\x40\x95\x40\x95\x40\x95\x40\x95\x40\x95\x48\xd0\x08\x28\x08\x28\x08\x28\xd8\x29\x28\xf8\xc7\x7d\x74\x8f\x91\xa0\xb1\xb6\x02\xf7\x18\xfb\x64\x1f\xfb\x1f\x7d\x44\xf6\x91\x68\xb4\xc0\x23\x4b\x2e\x2b\xea\x35\xab\x1b\xa5\x18\xc7\x40\xc9\xbb\x0a\x72\xf5\xa2\x75\xea\xd4\xc2\xdc\x39\xfd\xcf\xe1\xa9\xf8\xeb\x1a\x9a\xac\x6b\x68\xb2\x91\x86\xb2\x45\xba\x28\xa0\xdb\x39\x3a\xcb\xa1\xdb\x69\x3a\x49\xc7\x5b\x80\x6e\xe6\x33\x06\x21\x37\xf6\x99\x3e\x62\xf5\x69\x30\xd9\xc7\xfa\xd8\x2f\xf4\xd1\x80\xfe\xb7\x75\x7b\xf6\x76\xbd\x67\x95\xbc\x8c\x3e\x75\xf4\xe9\x6f\x0f\xd2\x0e\x33\xf6\xbf\xa2\xe4\x35\xf6\x4b\x83\xec\x43\xfd\x76\xfc\xc9\x03\x62\xd3\xa2\x1a\xcb\x2d\x73\x3e\x36\x85\xb6\x0b\x4a\x3e\xb9\x57\x3f\x45\xc4\x9e\x2c\x28\xf9\xcd\xc6\x8e\x97\xe9\xb8\xe8\xf2\x83\x34\xc1\xbb\x7c\x84\x92\x94\x08\x14\x98\x2f\x28\xf9\xf9\xa2\x16\x8c\x89\xef\xf3\xc6\xc4\x5b\xd9\x16\x41\x88\xcf\x06\x13\xe2\x38\x8b\xd5\x2a\xcc\x17\x94\x3c\x44\xab\x20\xc1\x20\xc1\x20\xc1\x20\xc1\x20\xc1\x20\xc1\x20\xc1\x20\xc1\x20\xc1\x20\xc1\x20\xc1\x20\xc1\x20\xc1\x20\xc1\x20\xc1\x20\xc1\x1b\x42\x82\x7f\xeb\x09\xb3\x54\xcf\x0a\x97\x80\xfa\xa7\xd4\xbc\xaa\xac\x68\xec\xdd\x4f\xb0\x3f\x79\x88\xb6\xf1\x73\x1b\xc0\x6d\x59\x65\x25\x79\x8f\x7e\x4a\x46\x3f\xec\x8c\x24\xcf\x2a\x2b\x5d\x4e\xda\x32\x60\x54\x60\x54\x19\x30\x2a\x30\x2a\x30\x2a\x30\xaa\x9e\x61\x54\x99\xae\x61\x54\xa1\xdf\x49\xcb\x8c\x2a\x03\x46\x05\x46\x05\x46\x05\x46\x05\x46\xd5\x79\x46\x95\xe9\x69\xa4\x94\x01\x52\x6a\x1f\x52\xca\x74\x3b\x52\xca\x6c\x42\xa4\x94\x7d\x9c\x4e\x08\x85\xd2\x21\x3a\xc0\x15\x4a\xa3\xb4\x9f\x86\x7d\x15\x4a\x9c\x25\xa5\xd6\xd2\xa9\xac\xb2\xd2\x90\x44\xe9\x7c\xb0\x04\xe9\x21\xb6\xcf\x90\x20\xf1\xd6\x0d\x15\x52\x56\x59\x71\xa7\x36\x0e\x10\x3b\xc5\x3f\xbe\xcd\x81\xba\x76\x88\x89\x26\x26\x71\xaa\x15\x15\xff\xd5\x56\xae\x25\x30\xd4\x71\x3a\x46\x47\x6a\xb2\x08\x0f\xd1\x43\x0d\xf5\x27\x52\x06\xa3\x9e\x49\x8b\xf5\x4c\x3e\x1b\xa1\xa3\xe2\x33\x4e\xd3\x18\xff\x8c\x87\xa9\xd1\xd7\x8e\x4e\x8a\x72\x26\x87\xe9\xa0\x5d\xce\xa4\x89\xcb\x4f\x89\xec\xeb\x47\xe8\x90\x23\xfb\x7a\x13\xd7\xb7\x2e\x72\xac\x28\x5a\x95\xc2\xb3\x30\xc9\x8f\x8d\x38\x2c\x88\x51\x16\xd9\x59\x3d\x40\xb9\xcc\xad\xc9\x83\xe2\x88\x61\x4d\xa6\xad\xe3\xed\xb4\x2b\xed\x29\x91\x02\x5e\x0a\x5e\x0a\x5e\x0a\x5e\xda\x3b\xbc\x14\x4b\xac\x80\x25\x56\xf7\x00\x65\x94\xa7\xea\x48\x79\x2a\x70\x7b\x70\x7b\x70\x7b\x70\x7b\x70\xfb\x9e\xe6\xf6\xa8\x52\x88\x2a\x85\xa8\x52\xd8\xae\x2a\x85\x70\x8b\xc1\x2d\xd6\xab\x6e\xb1\x6c\x21\xdc\x9a\x99\x81\xc0\x38\xe9\x0d\x8c\x77\xb1\x9d\xe2\x6b\xb6\x2d\x6d\x88\xf0\x78\x13\x66\x07\x67\x9f\x1f\xa6\x39\x23\xdb\xb0\xac\x1a\x1e\x44\x59\xf3\xce\x36\xec\x3c\xa3\x58\x28\x17\xcb\x05\x73\x95\x66\x96\x54\x7b\xeb\x30\xfb\x6f\x5b\xe8\x4e\xe7\x89\x56\x22\xe2\x5f\x6d\xa4\xae\xda\xb4\x7d\xe5\x92\xf8\x89\x45\x13\x73\x74\x41\xad\x35\x23\xb1\xb1\xe3\xe9\x8c\xc4\xc6\xbe\xb7\xdd\xe5\x92\xf9\xee\x2c\xbd\xf6\xfa\xe0\x0f\xf2\x22\x9b\xaf\xcb\x56\x6c\x66\x39\xae\x7f\x8f\x8d\xef\xd5\x77\x94\x90\xde\x02\xa1\x03\x48\x6f\x01\x57\x18\x5c\x61\x70\x85\xf5\x92\x2b\x0c\xe9\x2d\x90\xde\x02\x2e\x08\xb8\x20\xe0\x82\x80\x0b\xa2\x2b\x5c\x10\xd9\x59\x9a\x61\x99\xf8\x19\x8b\xa0\x3c\xe4\xac\xc9\xe6\xbb\x7f\xab\xaf\xd3\x86\x34\x19\x48\x93\xb1\x49\xe0\x2d\xd2\x64\xb4\x23\x4d\xc6\x6f\xec\xa7\x0b\x82\x6b\xe6\x8b\x5a\x4e\xd1\x8d\x67\x2d\xd4\xf4\x49\x9b\x21\x97\xf3\x15\xa5\x58\xae\x6a\xa5\xa2\x75\xe8\x8d\xec\xef\x92\xec\x7d\xfd\xb4\xd3\x6a\xcc\xc2\x9a\x31\x55\x96\xf2\x35\x9b\xdc\xb3\x46\x13\x4b\x7a\x13\xc9\xfd\xfa\x19\x33\xe6\x85\x06\x31\xb4\x85\xc2\xae\x93\xc3\x95\x0c\x67\x2f\xfb\xc2\x38\xba\x20\xb8\xdf\x0c\x65\x38\xf7\x3b\x41\x93\x74\xd4\x57\xac\x6d\xf7\xa1\xf1\xd8\x29\xd7\x5d\x9b\x64\x6f\x25\x18\xdc\x9d\x66\x27\x05\x8c\x73\x35\x50\x5f\x7a\xcc\x80\x79\xb5\x83\x47\x57\xf7\x7a\xd3\xc3\x97\xb1\x81\x82\x5c\xa5\xe8\x5b\xb6\x7b\x0d\xd2\x3e\x55\xae\x94\xa4\x9c\xbc\xee\x38\xa5\x8c\x93\x36\x64\xa8\x32\x17\x69\x9e\xb2\x35\x51\x23\x37\x31\x24\x50\x39\x22\x90\xa4\xc5\x40\x92\x5f\x8c\x08\xa7\x40\x9a\x3b\x05\xac\x70\x90\x9b\xb2\x10\x9d\xb5\x43\xfe\x36\xa2\xb2\x5a\xa5\x4e\x98\xa9\xe4\x87\xef\xf0\xb2\x43\x77\x1b\xda\x04\xa9\x5c\x63\x7b\x46\xc5\x81\x8d\x31\x3d\xed\x09\x2c\x81\x01\x0a\x30\x40\x10\x37\x77\x44\xdc\x0c\x55\x1b\x54\x6d\x50\xb5\xb5\x4b\xd5\x96\x7d\x3e\x12\xb2\xb4\x67\x51\xc4\x92\x5e\xa0\x39\x47\x2c\x69\x9b\xe5\x42\x31\xef\x05\xc3\x76\xb6\x55\x74\x53\xa3\x6b\x06\xbf\xe5\x40\x43\x6b\x89\xcc\x7f\xdd\xe1\xb5\x66\x18\xa9\x48\x6a\xb5\xc8\xbd\x9e\x62\x8b\xbc\xee\x26\x66\xa4\xa2\x6f\x85\x3b\xbe\x8e\xd8\x5d\xdb\xd0\x28\xbf\x8f\xfd\xbc\x56\xcd\x1e\xe7\xc1\x6b\xb2\x5a\x90\x9d\x47\x07\x9d\x47\xb5\xaa\x2a\x55\xe5\x42\x31\x37\x5a\x77\x9e\xab\x15\xfd\xdf\x37\x8c\xa3\xfa\x5d\x36\xbb\x7d\x5a\xe7\x95\x59\xe0\x02\x01\xac\x5e\x02\x56\x2f\xcf\xf5\xd3\xb3\xfd\xec\x99\xfe\xe8\xd3\xd6\x14\xf0\xe6\xfe\xde\xd9\x3e\xd5\xf8\x54\xf4\x7e\xe6\x1a\x01\xee\xf7\xd3\x5f\x4e\x5b\x29\x94\xf0\x79\x71\x87\xf9\x4c\x26\x24\x25\x52\x89\x5f\xa9\x2f\xd9\xc4\xd5\xfc\x0c\xbe\x7c\xd2\x62\x89\xac\xa6\x94\x17\x84\x64\xe6\x61\xfd\xb3\x30\xfe\xbd\x64\x7e\x2c\xf6\x1f\x87\xfd\xf7\x75\x99\x97\x22\xf4\x62\x84\xbd\x10\x89\x7e\xc2\xc2\x78\xef\x8f\xcc\x2a\x6a\x8e\xaf\xec\x0a\x0a\xef\x76\x25\x16\xbf\xac\xff\x29\x1e\x9b\x72\x3d\x05\x07\xb4\x62\x11\xb6\xaa\xd9\xe2\x80\x51\x29\xc7\x1f\x9c\x4b\x2e\x4a\xc5\x9c\x31\xc9\xca\xa5\xbc\x16\x53\xae\x1b\x7d\x2a\x24\x09\x15\x59\xa9\x94\xe4\x54\x4c\xfc\x22\xd7\x38\x99\x63\xc9\x41\xa9\x67\x07\x58\x3f\x1f\xdf\xc2\x6f\xcb\xa5\xd7\xb9\x1c\xea\xe6\xf1\x26\x74\x6b\x15\xa1\x5b\xeb\xc0\x1c\x91\x9d\xa4\xa3\xec\x70\xfc\xa0\xe5\x20\xb9\xd7\xe9\x20\x71\x5d\x5c\xef\x14\xd9\x84\xf2\xd4\xff\x70\x1b\x1d\x16\x18\xd7\x1c\x0f\xfe\x19\xd9\x28\x77\x4c\x93\x4b\x97\xb5\x55\xfe\x20\x52\x4e\x37\x57\xaa\xbc\x56\x94\xaf\x6b\xec\x77\x28\xfe\xc9\x2d\x74\x87\xeb\xba\x4b\x6b\xe9\x68\xcc\x4a\x0b\xb3\x24\x97\x2e\x2f\x89\x4b\xa7\xf8\xa5\x8b\xfc\xd2\xe4\x88\x38\x63\xca\x79\xe5\x72\xda\xe7\xec\x90\xf7\xe2\x8f\xd3\x63\xb4\x54\x33\x8f\x4d\xd3\x94\xef\x4b\xed\xee\x16\x7d\xc5\xe3\x7d\x9b\xd9\xa7\xfb\xe8\x51\xf1\xb5\x3c\x4c\x17\xf8\xd7\xa2\xaf\xd7\x6e\xbe\x61\xfa\x1e\xc1\x8a\x16\x69\xc1\x66\x45\x21\x35\xfd\x6a\xb1\x14\x5c\xa2\x57\x3a\x96\x82\x21\xb5\x7d\xb3\x29\x47\x9e\x0a\xfe\xd8\xcf\xb3\x59\xe3\x63\xf7\x7a\x79\x8d\x0f\xde\xef\xfe\x5c\xc2\x72\xac\x46\xd6\x5f\x8d\x64\x01\x73\x7d\x60\x6e\xe8\x16\xf9\xe9\x01\x8a\x99\xf5\x1c\x73\xca\xb5\x8a\x52\xd6\xf7\x8d\x7c\x9b\x65\x7b\xcb\xbe\x7f\x80\xfd\x55\x9f\x5d\xe3\x31\xee\xe1\x23\x9b\x36\xaf\x15\x5b\xb4\xe4\xbd\xfa\x39\xa2\xc8\x63\xcd\xa1\x90\x7d\x62\xaf\xa5\x69\x61\x07\xf5\xd5\x82\x6e\x07\x0f\xd2\x04\x8d\x07\xd6\x63\xac\xb9\xa9\x40\xfb\xb1\xbe\x9f\xea\xea\x2b\x83\xcd\x47\x8a\x8d\xd4\x96\x65\xac\xbd\x09\x97\x91\x38\x41\x93\xec\x68\xfc\xb0\x35\xbd\xef\x76\x69\x27\xdc\x57\xb6\x5f\x31\xc1\xbe\xda\x47\x77\xd5\x17\x53\x5d\x4b\x8f\xb1\x4f\xf5\xb1\xdf\xe8\xa3\xad\xfa\x9f\xf5\xb7\xe3\xee\x82\x5c\x75\x6b\xa4\x84\xd7\x58\x54\xaa\x55\xf2\xf2\x72\x7a\x6a\x61\xce\x14\xe3\x86\xf8\x3a\x84\x56\x55\xb5\x42\x8f\x89\x57\x4a\xdf\x85\xea\xaf\xd4\x2c\xcd\x50\xa6\xb5\xaa\xaa\xe6\x73\x36\x92\x59\x8f\x7d\x28\x41\x93\xa2\x8f\xd5\x15\x29\x97\xf2\x59\x23\xb9\x62\x78\x4a\xab\x5a\x55\xb7\xdb\x25\x59\x63\x7f\x33\xc4\xbe\x3e\x40\xf7\xea\xd7\x4e\xd5\x2c\x93\x04\x7b\xb8\x6e\x48\xc3\xca\xf9\xe2\x5a\x31\xbf\x2a\x95\x5c\xd1\x3b\x96\x0c\x73\x5a\x34\xba\xa8\xe8\xeb\xfb\x10\xe2\x74\x52\xc9\x11\x7e\xc1\x62\xed\x8d\x99\xe1\x36\xf6\xef\xe9\xdd\x84\x20\x9b\x7a\xf3\xb3\xcf\xdb\xfc\xec\x60\xc4\x6f\x4c\xd4\x86\x2d\x06\x1b\xa1\x59\x36\x63\x18\x21\xdf\x37\xcc\xb4\x4d\xf6\xa0\x78\xec\x5b\x10\x60\x83\x00\x1b\x04\xd8\x20\xc0\x06\x01\x36\x08\xb0\x41\x80\x0d\x02\x6c\x10\x60\x83\x00\x1b\x04\xd8\x20\xc0\x06\x01\x36\x9d\x0d\xb0\x41\x60\x0c\x02\x63\x10\x18\xd3\xc3\x81\x31\x7f\x9e\xa0\x94\xc9\xef\x7d\x22\x60\xf4\x0f\xce\x19\xfb\xf2\xd1\x04\xfb\x7d\x07\xcd\x8f\x7a\xd0\xfc\x25\x71\x49\x72\xb7\x4d\xf1\x6d\xcd\x91\x71\x30\x64\x8e\xbf\x4c\xc7\x05\x55\x3b\x48\x13\x9c\xaa\x8d\x50\x92\x12\x81\x1c\xdf\xb8\x99\x9b\xe5\xf7\x73\xc1\xe8\x6c\x90\x3d\x68\xba\xf8\xc4\x4f\x3a\x69\xbd\x4d\xf6\xa3\x3f\xb6\xcd\xee\xdb\xbd\xde\x81\x2a\x66\xf7\xde\x67\x1c\xee\x48\x0f\x67\x4e\xd1\x09\x9a\xac\xf1\x45\x37\xd1\xc5\xd0\x50\x21\x04\xa5\x45\xaf\xe5\x7f\x8e\xdc\xdc\xc7\x7d\x46\x68\x12\x8e\xd1\x11\x5b\x93\xd0\x29\xf3\xc0\x43\x4c\x1a\x33\x0f\xb5\xee\x3d\x2f\x43\x91\xfc\xd6\xed\xb6\x79\xb8\xc3\x8c\x1f\xb1\x2c\xc2\x5e\xf1\x97\xce\x18\x04\x04\x8a\x20\x50\x04\x81\x22\x08\x14\x41\xa0\x08\x02\x45\x7a\x33\x50\x24\xbc\x79\x3d\x38\xe6\x24\xf3\x85\xdb\xec\x99\x7f\x30\x20\x0a\xc4\x5c\x0f\xec\xe1\x5a\xe4\xb6\x2f\x07\x10\xef\xd1\x6b\x8b\x10\xc4\x7b\x20\xde\x63\x83\xe3\x3d\xda\x4c\x7c\x02\xe3\x3b\xc2\x33\xfe\xd9\x83\x34\xc1\xc6\xe3\x29\x4b\xab\xb9\xcb\xa9\xd5\x34\xae\xb8\x25\x02\x38\xde\xf5\x24\x1d\x14\x0a\x45\xa1\xe4\x72\xe8\x40\xfd\xf2\xef\xf0\xf3\xd8\x97\x9e\x60\xff\xf7\x21\xda\x2e\xfe\x4b\x9f\x01\xf7\x09\x9f\xb4\x6a\x78\xd3\xcc\xf5\xb2\x99\x39\x9c\xcb\xe2\x92\xbb\xf5\x93\xf8\x3f\x35\xe7\xfc\xc7\xff\xd2\xe5\x32\xc1\x0c\x24\x72\x90\xc8\xa1\x1c\x2b\x24\x72\x90\xc8\x41\x22\xd7\x3b\x12\xb9\x2e\xaa\x36\xda\x35\x12\x39\x94\xc1\x84\x44\x0e\x12\x39\x48\xe4\x20\x91\xdb\x88\x32\x98\x3d\xad\x68\x43\x9d\xbe\x5e\xae\xd3\x97\xd9\x84\x8a\xb6\xec\xab\xe9\xb4\xc0\x82\x47\xe9\x30\xc7\x82\xe3\x94\xa2\x11\x5f\x2c\x68\x70\xa8\xb5\x74\x8a\x53\xa1\x46\xe2\x6c\xd7\x49\x06\x21\x02\x29\x17\x83\xc9\xe0\x18\x1b\x35\xc8\xa0\x0b\x84\x99\x69\x5f\x78\x50\xa7\x13\x11\xc6\xff\x60\x9b\x93\x7e\xdd\x6e\x66\x2d\x29\x1b\xa4\x6b\xaf\xf8\x43\xbb\x59\x57\x6b\x4a\xb0\x9a\x3e\x86\x77\x05\x4a\xb0\x16\x95\x60\x5f\x8c\xb4\x20\xe6\xaa\x79\xfd\x68\x4a\x78\x8a\x27\xe9\xa8\xc3\x53\xdc\x5c\x13\xbe\xf9\x8b\x9b\x72\x49\xd4\xb4\xda\x68\xae\x99\x36\x98\x97\xe4\x6f\x8e\x38\xcd\x4b\xd4\x50\x0d\x38\x24\x18\xca\x65\xc3\xd2\x0c\x89\x63\xa6\xa5\x99\xb6\x4e\x69\xaf\xcd\x69\x8f\xd8\x0c\x7c\x15\x7c\x15\x7c\x15\x7c\xb5\x77\xf8\x2a\xd6\x5e\x01\x6b\xaf\xee\x01\xd0\x10\xfa\x76\x44\xe8\x0b\xce\x0f\xce\x0f\xce\x0f\xce\x0f\xce\xdf\xd3\x9c\x1f\xf1\x1e\x88\xf7\x40\xbc\x47\xbb\xe2\x3d\xe0\x46\x83\x1b\xad\x57\xdd\x68\xd9\x42\xc8\xa1\x4e\x41\xfe\xa9\xa4\x37\x40\xde\xc5\x76\x8a\xaf\xd9\xb6\xb4\x6d\x81\xc9\x9b\x51\x98\xfe\xc3\x09\x53\x98\x5e\x96\xab\xd7\x15\xf5\x29\x7d\xab\xe6\x99\x32\xb7\x58\x2e\xa8\xb2\xa6\xe5\x4a\x92\xa6\xc9\x1a\xfb\xf2\x10\xfb\xec\x00\x31\xfb\x2a\x2b\x5b\xee\x1b\x1a\xcb\x96\x3b\x27\xda\x9b\xd6\xdb\x0b\x29\x5d\xee\x20\xbf\xe0\xa2\x75\x4b\x46\x9e\x5c\xe7\x2f\x21\x51\xae\xf7\xa7\xd3\x4c\x31\x48\x67\x7f\xfa\xd6\x82\xac\x7b\x9d\xa8\xa1\x64\xbc\xc8\x90\x0b\xf9\x3f\x32\xe4\xc2\x3d\x05\xf7\x14\xdc\x53\x3d\xe4\x9e\x42\x86\x5c\x64\xc8\x85\x5b\x00\x6e\x01\xb8\x05\xe0\x16\xe8\x0a\xb7\x00\x32\xe4\x22\x43\xee\x66\x01\xa1\xc8\x90\xdb\x8e\x0c\xb9\xdf\x18\xa2\x61\xcf\xc2\x65\x02\x07\xaa\xab\x65\xfd\x81\x4d\x1c\xf8\xcb\x43\xec\xc3\x03\x76\x31\xb3\x06\x19\xe0\xa2\x68\x24\x4c\x06\xb8\x5b\x30\x40\x5e\x2f\xcd\xd9\x3c\xc0\xdf\x4d\x54\xc8\x7a\x3c\x98\x0e\x1e\x64\x13\x1e\x89\x7d\x1d\xaf\x8e\x81\xcd\x9d\x63\x02\xda\x07\xda\x07\xda\x07\xda\x07\xda\x07\xda\x07\xda\x07\xda\x07\xda\x07\xda\x07\xda\x07\xda\x07\xda\x07\xda\x07\xda\x07\xda\x07\xda\xd7\x31\xda\xf7\xab\x09\x93\xf6\x69\x55\x45\x95\x0a\x4e\xe0\x97\xd3\x8a\x79\xb5\xa8\x0f\xa0\x59\x0a\xeb\x1d\x09\xf6\xe7\x7d\x44\xc6\xa9\x97\xd6\xd2\xd1\x3d\x1e\xd5\xb0\xa6\x97\xe6\x66\xf8\x75\xc9\x57\xe8\x47\x97\xc4\xd9\xcb\x69\xeb\xef\x21\x97\xc2\x7a\x8d\xc8\x91\x30\xce\x73\x24\xf4\x3d\x72\x81\xa5\x69\x8c\x46\x7d\xb3\x10\x98\x0f\xba\x96\x4e\x59\x77\x14\x88\xcb\x1a\x23\x61\x06\xfd\x72\x77\xa5\x59\x20\xde\xfa\x2d\x57\x1e\xfc\xf5\x0b\x6d\x45\x3f\xba\xcd\xd5\xdd\xf7\x7b\x17\xc8\xb2\x7b\xfc\x5e\xe3\x84\x76\x77\x7a\x66\x9a\xa6\xe8\x74\x4d\x4e\x94\x66\x7b\x1d\xc1\xb9\x48\x8c\xd2\x62\x62\x94\xf7\x45\x42\xf8\xe8\xcf\x8a\xd4\x2a\xa7\xe8\x84\x9d\x5a\xa5\x0d\xb6\x23\xa0\x58\x56\xbb\x4c\x4b\xf2\x2f\x6e\x77\xd9\x0e\x66\x55\xcf\xb2\xcd\xc5\x3d\xe2\x6f\x6d\xb7\x16\x28\x9d\x85\xd2\x59\xb7\x6e\x44\x3d\x42\x29\x11\x4a\x89\x50\xca\xb6\x95\xce\xfa\x89\x08\xcd\x8a\x14\x66\xa7\xe9\xa4\x23\x85\x59\x88\x53\xf5\xcd\x2f\x26\xcc\xc9\x3e\xb0\xae\x55\xdb\xe6\xfb\xcc\x37\x6e\x73\xcd\xf7\x89\x80\x9a\x59\xf6\x2a\xe0\x6e\x5e\xe1\xa5\x9d\x8b\x00\x14\xcc\xea\xb5\xa5\x07\x0a\x66\xa1\x60\xd6\x06\x17\xcc\xea\x04\x17\x0a\xac\x9a\xd5\x2e\x6b\x9f\x3d\x4c\x07\xd9\x44\x7c\xdc\x0a\x3a\xbe\xcb\x59\x43\xcb\xba\xa6\xbe\x8a\x56\xe8\xa1\xc4\xdf\x1d\xa4\x57\x98\x25\xf5\xcd\xb5\xcc\xeb\x57\x95\xaa\xa4\xb1\xaf\x0d\xb2\x2f\xf4\xdb\x55\x1c\xf7\xaf\x5f\xc3\xca\xd4\x7f\xbc\x52\xbf\x38\x39\xa4\x9f\x2c\x2a\x39\xba\x0e\xcc\x2a\xea\x54\xa9\x64\x25\xdf\xd4\xba\x5d\xdc\xf7\x3a\x81\x19\xc6\x39\x66\xd0\xdf\xc2\xc3\x74\x90\x26\x02\xcb\xb6\xb9\x9e\xb9\xa1\x2c\xcd\x8f\x04\xbf\x69\x23\x2c\x59\x5b\x9f\xcd\xf5\x3b\x6e\x34\x19\x90\xf6\x19\x22\x3e\x88\xf8\x20\xe2\x83\x88\x0f\x22\x3e\x88\xf8\x20\xe2\x83\x88\x0f\x22\x3e\x88\xf8\x20\xe2\x83\x88\x0f\x22\x3e\x88\xf8\x20\xe2\x83\x88\x0f\x22\xbe\x4e\x89\xf8\xde\x3b\x4c\xe3\x26\x81\x13\x51\xba\x3e\xc5\xe5\x2b\x4a\xde\xd2\xf2\x7d\x23\xc1\x5e\x1c\xb0\xd9\xdc\xcf\x44\x8c\x1e\x77\xc4\xeb\x96\x4d\x1b\x66\x12\xba\x05\x25\x1f\x4a\xb8\xee\x88\xbd\x56\xe1\xeb\x31\x63\x66\xd3\x97\x3b\xf6\x22\x6c\xc8\xb5\xee\x75\xb4\x9d\x4a\xde\xc3\x7f\x4e\xc0\x41\xbb\x0c\xcf\x82\x92\xef\x76\x18\xf8\x94\xbf\x07\x32\xf4\x10\x60\x93\x0b\x9e\x0d\xe6\x82\x71\x16\xab\xe5\x82\x0b\x4a\xde\x4d\x03\xfd\x49\x37\x7f\x3e\xe0\x40\xe0\x40\xe0\x40\xe0\x40\xe0\x40\xe0\x40\xe0\x40\xe0\x40\xe0\x40\xe0\x40\xe0\x40\xe0\x40\xe0\xc0\x4e\xe3\xc0\x71\x4a\xb1\x91\x78\xd2\x12\x06\xdd\xee\x14\x06\x2d\x28\xf9\x7a\x49\xd0\xe6\xab\x5f\x00\x44\x09\x44\x09\x44\xb9\x89\x10\xe5\x77\xfb\xe8\x7e\x11\x67\xac\xdb\x12\x31\x9f\x71\xe2\x62\x87\x1b\xb3\x2f\xf6\xb1\x2f\xf4\xd1\x4e\xf7\x09\x97\xd6\xd2\xd1\xbb\x0b\x72\xd5\xbd\x02\x10\xcf\x91\xbc\xbf\x20\x57\xa7\x5c\xa7\x2f\xa7\xa7\x16\xe6\xcc\x4d\x67\x78\xda\xc0\xc9\xba\x86\x26\xeb\x1a\x9a\x6c\xa4\xa1\x6c\xc5\x9f\x00\x3e\x26\x08\xe0\x45\x9a\xe7\x04\x70\x96\x66\x28\xd3\x02\x01\x74\x74\xc0\x7c\x51\x33\x31\x20\xfb\xb7\xc3\x74\x48\x8c\xc0\x0a\x47\xc4\x6b\x69\x3f\x4a\x9c\x53\x95\xf2\x55\x65\xc5\x22\xc5\x9f\x4d\xb0\x3f\xec\xa3\x6d\xfc\x32\x5e\x2d\xdd\x2b\xe6\x5b\x55\xca\x59\x65\x25\xc9\xe3\xc1\x33\xfa\x99\x4e\x32\x6b\x1c\x0d\x39\xee\xfb\x71\xff\xae\x3c\x21\xba\xf2\x10\x1d\xe0\x5d\x39\x4a\xfb\x69\xd8\x57\x72\xc9\x1f\x8c\xcb\x7e\xc5\x6d\x06\xc7\x6d\x16\xe4\x2a\x5d\x9d\x0f\xe6\xaa\xc3\x6c\xc8\xd0\xf0\x8a\x96\xc9\x23\x55\x22\xff\x75\x8a\xfe\xe4\x36\x47\x0f\xef\xf5\x09\xf3\x36\x3a\xd9\x8c\x02\xef\x4c\x3f\x67\x4e\xd3\x49\x3a\x5e\x13\x3b\xd1\x4c\x7f\x22\x58\x02\x61\xde\x2d\x86\x79\xff\x68\xe4\xe6\x3e\x65\x9a\x12\x21\xde\x93\x74\xd4\x0e\xf1\x6e\xb2\x89\x9b\x0c\xef\x6e\xcc\x4c\xb8\x8c\x81\xbf\xcd\x48\xfe\xe3\xed\x0e\x33\x71\x87\x1d\xd1\x6d\x58\x86\xfb\xc4\x5f\x3a\x64\x18\x10\xd5\x8d\xa8\x6e\x44\x75\x23\xaa\x1b\x51\xdd\x88\xea\x6e\x3a\xaa\xfb\xf9\x48\xc8\x55\x42\x17\x45\x8c\xf8\x05\x9a\x73\xc4\x88\xb7\xb9\xf2\x68\xa8\x93\x7b\x70\xec\x78\xe6\xcb\xb7\x39\xa6\xff\xc1\xa0\x00\x6f\x63\x51\xb0\x97\x87\x22\xb6\x7f\x4d\x80\x20\xef\x5e\x5b\x89\x20\xc8\x1b\x41\xde\x1b\x1c\xe4\xfd\xf8\x4d\x6e\x10\x6f\x3a\xc0\x3b\xd4\x29\x20\x7b\x90\x26\xd8\x78\x3c\x65\xb9\x62\x76\xb9\xa2\xba\xc5\x15\xb7\x82\x03\x87\xfd\xa1\x51\x80\x3a\x50\xb3\xaa\xc9\xea\x5a\x31\x27\x4b\xb9\x9c\xb2\x5a\xae\x6a\xec\xe9\x04\xfb\x45\x87\x6e\xf5\x7b\x1b\xab\x38\xb3\x24\x5a\x99\x12\xad\x84\x54\x73\x66\xc8\x53\x86\xea\xfe\x29\xd4\x9f\xb9\x89\xfa\x33\x0b\xc1\xdf\xd6\x28\xdb\x5f\x2b\x5d\x75\x0f\x80\xfb\xfb\x82\x48\x15\x22\x55\x88\x54\x21\x52\x85\x48\x15\x22\x55\x88\x54\x21\x52\x85\x48\x15\x22\x55\x88\x54\x21\x52\x85\x48\xb5\xb3\x22\xd5\xcd\x47\x2c\x20\x39\x85\xe4\x14\x92\xd3\x4d\x24\x39\xfd\x1f\x09\x1a\x6d\x86\x30\x6a\xec\x87\x12\xec\x27\x1c\x68\x51\x6b\x0a\x2d\x86\xc4\x14\x63\xeb\x31\x45\xc0\xc4\x9b\x80\x89\x73\xc1\x30\x71\x90\x3d\xe8\xa1\xd0\xac\x05\x8b\xa0\x88\xa0\x88\xa0\x88\xa0\x88\xa0\x88\xa0\x88\xa0\x88\xa0\x88\xa0\x88\xa0\x88\xa0\x88\xa0\x88\xa0\x88\xa0\x88\xa0\x88\xa0\x88\xa0\x88\xb7\x10\x45\xfc\xc1\x7e\xda\x67\x04\xae\x57\x8a\xf2\x1b\xaa\x72\x99\x8f\x96\x1d\xb7\xbe\x22\x57\xa5\xf4\x18\xfb\xe3\x3e\xf6\x95\x3e\xba\xcb\x75\xd2\x25\xe3\xa8\x7f\x00\xfb\xbe\x82\x5c\x9d\x72\x5e\xb2\x2c\xae\xe8\xfa\x20\xf6\xf6\xc4\xaa\x07\x81\x3e\xf6\xf7\x7d\xb4\x47\x8c\x86\x40\x69\x75\xc3\xf0\xf9\x3e\xf6\xd9\x3e\xfa\x67\xe2\x68\x70\xff\xef\x29\xc8\x55\x8e\x18\xd1\xf1\xeb\x77\xfc\x3f\x24\xe8\xb0\xe8\xf8\xb2\x5c\xbd\xae\xa8\x4f\xe9\xdb\x22\x3b\x77\x83\xe0\xeb\xc5\x72\x41\x95\x35\x2d\x57\x92\x34\x4d\xb6\xd2\x07\xfc\x4a\x82\x7d\x6b\x80\x5e\x6e\x5f\x77\x69\x2d\x1d\xfd\x6f\x8d\xa4\x9b\x9d\x13\xed\x4d\xeb\xed\x75\x45\xde\xd9\xbd\xfc\xe7\x2e\x5a\x4f\xb2\x9c\x76\xde\x22\xc8\x7c\x33\xf2\x79\x91\x35\xf6\xea\x93\xc1\x54\x7e\x92\x1d\x35\x48\x7c\xdd\xbb\x67\x80\x79\xe7\x28\x40\xef\x0b\x52\x0f\x52\x0f\x52\x0f\x52\x0f\x52\x0f\x52\x0f\x52\x0f\x52\x0f\x52\x0f\x52\x0f\x52\x0f\x52\xbf\x91\xa4\xfe\x18\x1d\x61\x87\xe2\x07\x2c\x52\x7f\x8f\x33\xae\xd9\xb9\x7d\x6b\x7f\xc1\x6a\x20\x78\x20\x78\x20\xf8\x4d\x84\xe0\xdf\x99\xa4\x87\x05\x7b\x14\x79\x88\x2c\xda\x1b\x54\xeb\x2a\x5f\xd4\xd4\x55\xbe\xb3\x5f\x59\xcd\x17\xe4\xaa\x85\x24\x7f\x7d\x98\xbd\x63\x0b\xfd\x33\xd1\x9c\x45\x89\x3f\xd6\x60\x09\xac\x19\xab\xd9\x0c\x6f\xb6\x2b\xd0\xa4\xe8\x0c\x91\x66\xc9\x60\xd9\xae\xca\x58\xb5\x37\x0d\x58\x59\x0f\x2b\x5f\x1b\xcc\x22\x8f\xb3\x63\x06\x8b\x14\x2f\x8f\x5d\x2d\xab\xb6\x83\x9d\x1c\x92\x0f\x07\x4a\x68\x81\x56\x82\x56\x82\x56\x82\x56\x82\x56\x82\x56\x82\x56\x82\x56\x82\x56\x82\x56\x82\x56\x82\x56\x76\x1d\xad\x3c\x43\xa7\xd8\x89\xf8\xa4\x45\x2b\xef\xaf\x29\xa1\x55\xbb\xd7\xbb\x15\x32\x32\x02\x8b\x02\x8b\x02\x8b\x6e\x22\x2c\xfa\xa6\x61\x91\xdf\x40\x1b\xd3\xaa\x8a\x2a\x15\x64\x87\x1e\xd3\xf8\x4b\x8d\x12\xf3\xa5\x04\xfb\x76\x1f\x91\x71\xf0\xd2\x5a\x3a\x7a\xbf\x47\x29\xa7\x25\x71\x98\x7b\x63\x92\xf7\xea\x27\x18\x7f\x59\x4e\x3b\x0f\x85\x5c\xcc\xe9\xb5\x34\x2d\x78\xdf\x09\x9a\xe4\xbc\xef\x20\x4d\xd0\xb8\x6f\x1e\x5f\xf3\x91\x79\xaa\x76\xfb\xa6\x6e\xa2\x58\x0b\xaf\xe9\xf4\xea\x60\x02\x78\x84\x1d\x32\x08\xa0\xbb\xdb\xcd\x1c\x01\xce\xbb\x71\x4a\x11\xa3\x2f\x6e\x73\x75\x7d\xdc\xbb\xc6\x93\xab\xf7\xf7\x18\xe7\x74\x60\x00\x32\x5c\x49\x5c\x93\x3c\xbd\x85\x11\x40\xd2\x74\x14\x7b\x6a\xb1\xd8\xd3\xfb\x23\xe1\xd8\x80\xf3\xa2\xe6\xd3\x14\x9d\xb6\x6b\x3e\x75\xda\x9a\xf0\xd2\x4f\x6d\xb4\x26\xc9\x7f\xbc\xdd\x65\x4d\xee\xb2\x4a\x41\xb9\x0c\xc8\x6e\xf1\xe7\x4e\xd8\x0f\x14\x83\x42\x31\x28\x14\x83\x42\x31\x28\x14\x83\x42\x31\xa8\xa6\x8b\x41\x3d\x13\xd2\xd4\x3f\x27\x6a\x40\x65\xe8\x8c\xa3\x06\x54\x7b\xe6\xfe\x36\x4e\xee\x0d\x14\x82\xfa\xd6\x6d\xae\xe9\x7f\x7f\x40\x29\x28\xd7\xa2\x20\xca\x2b\x97\xb4\x79\x4d\x80\x62\x50\xbd\xb6\x12\x41\x31\x28\x14\x83\xda\xe0\x62\x50\x1d\x82\x48\x81\x35\xa1\xda\x38\x37\xac\xaf\xa4\x76\x5e\xd6\x7e\x25\x35\xfb\xa7\x27\x29\xe5\x83\x20\x85\x42\x73\x4d\x29\xad\x5e\x93\xa5\x6a\x55\xca\x5d\xb9\xa6\x2f\x0d\xd8\x6f\x3e\xc9\x7e\x7e\x90\x6e\xb7\xe7\x2e\xa1\xbd\x4c\x09\x5f\xba\x6a\x78\x01\xcd\x05\xaf\xa9\xba\x5c\xe6\xed\x4c\x59\xed\x24\xe3\xfa\xf9\xd6\x14\xc6\xdb\xa8\x3d\xa7\xcb\x15\x8e\x19\x88\xfd\x20\xf6\xcb\x40\xec\x07\xb1\x1f\xc4\x7e\x10\xfb\xf5\x8c\xd8\x2f\xd3\x35\x62\xbf\xd0\xef\xa4\x65\xb1\x5f\x06\x62\x3f\x88\xfd\x20\xf6\x83\xd8\x0f\x62\xbf\xce\x8b\xfd\x32\x3d\xad\x7b\xcb\x40\xf7\xd6\x3e\xdd\x5b\xa6\xdb\x75\x6f\x99\x4d\xa8\x7b\x6b\x32\x32\xd4\x01\xf9\x38\x25\x4a\xd5\x62\xa2\x46\xd2\x1f\x5e\xbd\xcf\x9b\xf8\x6d\x65\x5b\x44\x6d\x99\x5c\x30\xf0\x3b\xc3\x4e\xad\x07\xfc\x6a\x6f\xab\x3e\x7c\x34\xfe\xc2\xf6\x7a\x6e\x76\xaf\x98\x9e\x62\x52\x3d\x22\x7b\x50\x1c\xea\x10\x24\x13\x4c\xeb\x11\x7a\x98\x2e\xd4\x38\x5d\x8e\xd3\xb1\x96\x07\x07\x5e\x17\xa8\xc9\x5a\x54\x93\xfd\xfb\x3e\x9a\x17\x76\xe2\x2c\x4d\x73\x3b\x71\x92\x6e\xe6\x55\xa4\x57\x0a\x59\x59\x96\xce\xdb\xb2\xb2\x9b\x6c\x72\x51\xb8\xab\x2f\xd0\x9c\xc3\x5d\x7d\x93\x6d\x06\x99\xb2\x4e\x98\xaa\x75\xec\x65\x45\xd1\xaa\x94\xfc\xe6\x48\xbd\x29\x7b\xc8\x10\x27\x38\x94\x1e\xca\xe5\x7a\xb3\x96\xaa\x91\xb4\xf1\x8b\xa7\xad\x6b\xda\x6c\xe0\xda\xa3\x72\x03\x05\x06\x05\x06\x05\x06\x05\xee\x1d\x0a\x8c\x75\x5d\xc0\xba\xae\x7b\x30\x39\x14\xc6\x1d\x51\x18\xc3\x1b\x01\x6f\x04\xbc\x11\xf0\x46\xc0\x1b\xd1\xd3\xde\x08\x04\x9a\x20\xd0\x04\x81\x26\xed\x0a\x34\x81\xb3\x0f\xce\xbe\x5e\x75\xf6\x65\x0b\x4d\x01\xf1\x75\xe0\xe5\x52\x55\xaa\xae\x06\xcb\xe4\x3b\x42\x9a\x93\xde\xa4\x79\x17\xdb\x29\x4c\x86\x6d\xce\x29\x7c\xfd\xfb\x97\x86\xe9\x90\xfe\x62\x8d\xad\xa5\xfd\xd2\x10\xeb\xe6\xa0\x98\x93\xa5\x5c\x4e\xdf\x19\x58\xa9\x38\x7e\x62\x98\xfd\x9f\x3e\xda\x9a\x53\x54\x1e\xbf\xf5\x80\x57\x1e\x0e\x71\xe5\x94\xb8\x32\x19\xd7\x4f\x99\x56\x54\x79\xd9\x91\xd8\xd7\x7d\x4e\xc8\x29\x39\x9e\xa4\x8c\x78\x5f\x8e\xd3\x31\xfe\xbe\x1c\xa0\x34\x8d\xf9\x7a\x26\xf4\x67\xe1\x6f\x87\xeb\x9e\x6e\x36\x23\xc7\x42\xf0\x4b\x34\xca\xf6\x3b\x23\x24\x8c\x17\x2a\x1e\x37\x43\x29\xdc\xf7\x13\xfd\xe4\x36\xbb\xdf\x1f\xf4\x49\xc2\xe1\xee\xfa\x87\x8c\xb3\x3a\xd9\xfb\x19\xfd\x23\x9d\xaa\x71\xa5\x36\xdf\xfd\x00\x6d\x70\xa0\xb6\xe8\x40\x7d\x3a\x12\xca\xf7\x7f\x4e\xb8\x4d\xcf\xd0\x29\xdb\x6d\xda\x61\x43\xc2\x93\x71\x34\x66\x48\x3c\x4d\x86\xb7\x75\x49\x7e\xfb\x76\xdb\x90\xdc\x6d\xe7\xdf\x70\xdb\x8e\x07\xc5\x81\x8e\x9a\x0e\xa4\xe2\x40\x2a\x8e\x5b\x17\x94\x83\x90\x80\x90\x80\x90\xb4\x2d\x15\xc7\x4f\x87\x33\xed\x9f\x17\xd2\xa6\x29\x3a\xed\x90\x36\xb5\x65\xde\x6f\x6c\x62\x0f\xd8\x15\x34\x99\x7e\xe3\xef\x6e\xb3\xa7\xfe\xd1\xa0\xdc\x1b\xee\x05\xc1\x3e\x1e\x23\xde\xa9\xf5\x00\xd2\x70\xf4\xda\x2a\x04\x69\x38\x90\x86\x63\x83\xd3\x70\x74\x06\x1c\x85\x6f\xf7\x83\xf2\x7a\x64\x8f\xd3\x31\x76\x24\x7e\xc8\xca\xbd\x11\x75\xe5\xde\x70\xb5\x7c\x2b\xa4\x04\x67\xcf\x27\x68\xbf\xc9\x37\xd7\x2d\xb6\x26\x72\x52\xb0\x1f\x4c\xb0\x77\x0f\xd8\x33\xe3\xeb\x0d\xbf\x7a\x39\x5f\x5c\x2b\xe6\x57\xa5\x92\xab\xb4\x9a\xa5\x61\xe1\xc5\xb9\x42\x29\xa2\x96\x4a\xde\x77\xdd\x6b\x76\xe5\xbf\x30\x5f\xd4\xba\x3d\x27\xc8\x86\x54\x3d\xdb\xe7\xfd\xd6\xef\x60\xc4\x6f\x4c\x04\xb8\x9c\x0b\xfe\xd8\x1e\x64\xf1\xda\x8f\x4d\xdc\x80\x2b\x7d\x0d\xb2\x9e\x20\xeb\x09\x4a\x9c\x41\xef\x0e\xbd\x3b\xf4\xee\xbd\xa3\x77\x47\x89\x33\x94\x38\x83\xce\x18\x3a\x63\xe8\x8c\xa1\x33\xee\x0a\x9d\xf1\x26\xa4\x11\x28\x50\x06\xed\x26\x0a\x94\x6d\x9e\x44\x2d\xec\xc5\x24\x9d\x16\xd9\x81\xa5\x4a\x45\x5b\x47\x23\xa9\xcf\x04\xaa\xa2\xdb\x61\x7d\x5b\xc2\x87\xd4\xd4\x49\xbe\x35\xc9\xde\xda\x4f\x5b\xf5\x06\x2e\xad\xa5\xa3\x0f\x79\xe8\x24\xa7\xad\xab\x17\x8d\xab\x93\x83\xfa\x69\x53\x95\x8a\xe6\x84\x80\xf5\xe7\x85\xac\x97\x94\x68\x56\xc0\xbb\xd3\x74\x92\xc3\xbb\x23\x74\x88\x0e\xf8\x62\x6f\xfd\x99\x52\x6b\xe9\x54\xfd\x7d\x05\x22\xbb\xe5\x60\x1a\x77\x80\xa5\x0d\x1a\xa7\xff\x8e\xc1\xe3\x3c\x7e\xca\x05\xc0\xd7\xd7\x62\x46\xbf\xb2\xcd\x1e\x89\x84\xb7\x72\xd2\x63\x30\x86\x8d\x33\x3b\x3d\x1e\x99\x39\x3a\x47\x67\x6b\x5c\x8f\xad\x0d\x08\xbc\x8e\x50\x51\xb6\xa8\xa2\xfc\x60\x24\x34\xab\x70\x41\x28\x29\x67\x28\x63\x2b\x29\xdb\x66\x62\x02\xd4\x94\x8d\x59\xa0\x86\xac\x8e\xd3\x4c\x25\x7f\xf4\x0e\xdb\xc4\xec\xb6\x34\x95\x1e\x56\x25\x21\x0e\x76\xdc\xa8\x40\x5b\x09\x6d\x25\xb4\x95\xd0\x56\x42\x5b\x09\x6d\x65\xd3\xda\xca\xe7\x23\x21\x87\xe0\x35\x9f\x40\xee\xe6\xc3\xfa\x02\xd5\x91\xed\xda\x9e\x64\xfe\xd5\x0e\x7b\x71\x90\x0e\x50\x5d\x7a\x2c\x19\x86\xb8\x8a\xa7\x93\x2b\x06\xa8\x2f\x7b\x6d\x9d\x02\xf5\x25\xd4\x97\x1b\xac\xbe\xec\x1c\x86\x0a\xac\x83\xd6\xa6\x89\x20\x7b\x9a\x4e\xb2\xe3\xf1\x63\x96\xf3\xe2\x3e\xa7\x0e\xb3\xfe\xe2\x5b\x42\x8b\xf9\xae\x21\x7a\x50\xd0\xd4\xb2\x5c\xbd\xae\xa8\xba\x3d\xb0\xcb\xad\x8d\x15\xcb\x05\x55\xb7\x4a\x1a\xfb\x8b\x41\xf6\xd5\x7e\x7a\xb9\x7d\x16\x07\xa7\xeb\xd7\x57\x9b\x13\x57\x27\x87\xf4\xd3\x2e\x5a\x57\x2e\xa7\x8d\x03\xb3\x8a\x3a\x55\x2a\x59\x93\x66\x78\x75\x42\xdb\xa4\xa3\x7c\x1d\x9d\x15\xdf\xc0\x29\x3a\xc1\xbf\x81\xc3\x74\x90\x26\x7c\xbf\x01\x47\x8f\xae\xa5\x53\xc6\x33\x87\x92\x18\xfc\x55\xc1\x5f\xc0\x21\x76\xc0\x03\x87\xd4\x0d\xb2\xf1\x69\x18\x37\x07\x21\x25\x84\x94\x10\x52\x42\x48\x09\x21\x25\x84\x94\x10\x52\x42\x48\x09\x21\x25\x84\x94\x10\x52\x42\x48\x09\x21\x65\xa7\x85\x94\x90\x39\x42\xe6\x08\x99\x63\x0f\xcb\x1c\xbf\x7e\x2f\x9d\x6a\x48\xe6\xa8\xca\x1c\x65\xe9\x9f\xae\x21\x6f\x1c\xd3\xb8\xcb\x8d\xbd\xef\x5e\xf6\xad\x3e\xdb\xb7\x35\xc4\x55\x8e\xe2\x98\xd9\xcb\xf6\x94\xbb\x28\x9a\x59\x92\xab\xc9\x07\xbd\x74\x8e\xf6\x71\xe1\xd0\x0b\x59\xe5\xf8\x3d\x74\x4a\xa0\xb5\x23\x74\x88\xa3\xb5\x31\x1a\xa5\xfd\x81\x78\xd9\xbe\xab\x9b\xcd\x08\x79\x31\x18\xa9\xed\x67\xc3\xf5\x50\xd9\x71\x07\x4e\xde\x16\xfd\x55\x87\xaa\x31\x69\xaa\x1a\x1b\xe8\xfc\x21\x1f\x5d\x63\x7b\xfb\x3f\xc3\x23\xc2\x6b\x5c\x7a\xcd\x0d\x00\xbc\x78\x50\x33\xb6\xa8\x66\x7c\x4f\xe4\xa6\xbf\xfe\x69\xa1\x62\x3c\x41\x93\xb6\x8a\x31\x74\x13\xd2\x98\x8d\xf0\x53\x21\xd6\xd9\x8b\x00\x35\x64\xe6\xef\x6f\xb3\x4d\xc8\x81\x3a\x61\x42\x03\xb6\xe4\x21\x4f\x69\x42\xfb\x2c\x09\x84\x09\xbd\x66\xd2\x20\x4c\x80\x30\x61\x83\x85\x09\xed\x5f\x39\x06\x0a\x12\x42\x5e\x3b\x66\x8f\xd0\x21\x76\x20\x9e\xb6\x74\x04\xaf\x70\x0a\x11\xec\x8b\x6e\x09\x01\xc2\x37\x87\xe9\xac\x7b\x9f\xb3\x6e\x4a\xa8\x75\x82\xba\x9e\x19\x66\xdf\x19\xb0\x67\xcc\x8f\x46\x8c\xed\xa6\x23\x39\x54\xd9\x04\x38\xa6\x42\xa1\x5e\xd5\x11\x4a\xc6\xa8\x11\x9b\xdb\x72\x36\x6d\x50\xbe\x62\x55\xbe\x66\xdb\xbe\x21\x97\x0f\xc0\xd1\x76\x2a\x29\x7e\xae\x83\x9a\xc2\xb6\x25\x9e\xf2\xfb\xb6\xc2\xcf\x48\x15\xfc\xb5\x5e\x6f\xaf\x7c\x08\xd2\x09\x48\x27\x20\x9d\x80\x74\x02\xd2\x09\x48\x27\x20\x9d\x80\x74\x02\xd2\x09\x48\x27\x20\x9d\x80\x74\x02\xd2\x89\xce\x4a\x27\x7a\x30\x8c\x03\xea\x0e\xa8\x3b\xa0\xee\xd8\x44\xea\x8e\xff\xff\x10\xed\x13\xd4\x53\xd0\x1f\x47\xc8\x95\xc0\x9f\x46\xea\xfb\x5f\x19\x62\x3f\x37\x40\xdb\xc5\x7f\x6d\x50\xf2\xfb\xc1\xeb\x16\x63\xd3\x96\xd3\x56\xd2\xfb\xcd\x16\xbc\xd5\xb5\x49\xf0\x17\x83\x79\xe4\x18\x1b\x35\x78\xa4\xeb\x75\x41\x3e\x7c\xb0\x48\xb0\x48\xb0\x48\xb0\x48\xb0\x48\xb0\x48\xb0\x48\xb0\x48\xb0\x48\xb0\x48\xb0\x48\xb0\xc8\x6e\x61\x91\x00\x7d\x00\x7d\x00\x7d\x3d\x0c\xfa\xbe\xd9\x47\xbb\x05\xe8\xd3\x72\x57\xe4\xfc\x6a\xc9\x9d\x5f\x89\x7d\xae\x8f\x7d\xba\x8f\x5e\x6e\x1f\xbc\xb4\x96\x8e\xde\x5d\x90\xab\xee\x59\x56\xdc\x7f\x72\x77\x41\xae\x2e\x59\xa7\x2e\xa7\xa7\x16\xe6\xcc\x4d\x5d\x88\x32\xfe\xba\x86\x26\xeb\x1a\x9a\x6c\xa4\xa1\x6c\xc5\x5f\xfe\xf7\x98\x60\x71\x17\x69\x9e\xb3\xb8\x59\x9a\xa1\x4c\x0b\x2c\xce\xd1\x01\xf3\x45\xcd\xd4\x00\xb2\x7f\xdb\x47\xf1\xb1\xd4\x75\xb9\x54\x1a\x7d\xaa\xac\x5c\x2f\x8f\x29\x15\xb9\x5c\xcc\x8f\xba\x36\xd2\x63\xec\xeb\x11\xf6\x47\x11\xda\xfe\xb8\x5c\x2a\x5d\xd0\x4f\x8b\x3e\xae\x77\xbc\x26\x2a\xae\xc6\x24\x51\x72\x55\xcc\xb5\x6a\xec\x91\x8a\x5c\x9e\x9b\x71\xef\xc5\x47\x62\x52\x49\x53\x62\xfc\x37\x8c\xfd\x55\x6c\xe8\x91\xb9\x99\x69\xce\xb1\x14\x3e\xc5\xe5\x95\xdc\x50\x32\xa9\x0f\x9c\xab\x92\xeb\x1c\x6f\x55\x34\x3a\xed\x6c\xb3\x7e\x1c\xb3\x47\x68\x8f\xe8\xae\xbb\x68\x17\xef\xae\x97\xd3\x6d\x3f\x17\xd9\x46\xc6\xc7\x1b\x84\x21\xd9\xdf\x0f\x51\xd2\x2c\xb8\xea\xa3\xab\xad\x28\x79\x4b\x48\xfb\xa9\x21\xf6\x3f\xfb\xec\x7a\xab\xaf\xf0\xa8\x8e\xb0\xa0\xe4\x93\x77\xeb\x7f\xaf\xad\x89\xba\xa0\xe4\x43\x8e\x0c\x5c\xa4\x23\xe2\xe1\xc7\x29\xc5\x1f\x3e\x41\x83\xf4\x60\x60\xd9\xdf\x05\x25\x1f\x88\x67\xcf\x06\x93\xd7\x38\x8b\xd5\x96\x1f\xd5\x5b\x6e\xa6\xbe\xc1\xbf\xdc\x66\xf7\xe5\xbd\xde\xf5\x0d\xf4\xee\x8c\x1a\x87\xda\xde\xa3\x99\x49\x3a\x4a\x87\x6b\xa2\x64\x1a\xec\x52\x44\xc4\x20\xc8\xaf\xc5\x20\xbf\xb7\x47\x5a\xff\x90\x4f\x88\xe8\xbe\x43\x74\xc0\x8e\xee\xdb\x44\x66\xa0\xb2\x5a\xa5\xe4\xaf\xdd\x6e\x9b\x81\x1d\x56\x0d\x02\xfd\xcb\xbf\x57\xfc\x57\xfb\x3f\x7c\x54\x19\x40\x95\x01\x54\x19\x40\x95\x01\x54\x19\x40\x95\x81\xa6\xab\x0c\xfc\xd0\x4d\xcc\xdf\x27\x45\x41\x81\xc3\x74\xd0\x51\x50\x20\xbc\x09\x3c\xb8\x76\x40\x38\x53\x7c\xe6\x85\xdb\xec\x39\x3c\x1e\x50\x2a\x40\x9f\xd9\xef\xe1\x01\xa2\x6d\x9d\xd8\x11\x73\xdf\x6b\xcb\x09\xc4\xdc\x23\xe6\x7e\x83\x63\xee\x37\x9c\xc9\x78\xe4\x58\x71\x59\xed\xc0\x98\xfd\xec\x38\xa5\xd8\x48\x3c\x69\x89\xbc\x6f\x77\xaa\xc4\x17\x94\xfc\xad\x20\x0b\x67\x1f\xb8\x8d\x0e\x34\x0e\xfe\xc6\xe4\xb5\xa2\xe8\xa6\xff\x43\xf1\x97\x06\xec\xa9\xee\x1e\xe1\xa7\x8c\x99\xc7\x85\x03\x4f\x9f\xe0\x1e\x10\x47\x3c\x66\xb8\xb3\xc6\xb9\x21\x6f\x61\x39\x28\xae\x99\x6d\x26\x68\xdc\xf7\xd5\x33\x16\x6f\x6b\xe9\x15\xb9\x2a\xa5\x53\xe6\x5d\x65\xbf\x19\xf1\x67\xd3\xd3\xe2\xdd\x3e\x41\x93\xfc\xdd\x3e\x48\x2d\xfc\x00\x9d\x17\xc8\x62\x8a\x4e\xdb\xc8\xa2\xb5\x96\xe6\xc4\xe2\x29\x43\x67\x1c\x8b\xa7\x96\x9a\x0a\x2e\x2f\x50\x51\xb4\x2a\x5d\x5d\x0a\xfe\x06\xc7\x59\xca\xf8\xee\xc4\x6f\x59\x52\x54\xe3\xa6\x1d\x1f\x28\xbf\x07\xca\x62\x5e\x5f\x7f\x5e\xcf\x82\x1c\xfa\x90\xc3\x43\x74\x80\xa5\xe3\x63\x96\xe1\xbd\xd3\x69\xaa\xcd\x37\xee\x96\xb0\xd7\x3f\x73\x17\x1d\x0f\xb0\xd7\x86\x77\xca\xb2\xd9\x15\x55\x79\xc3\x8d\xb1\xef\xd3\x9f\xf0\x8d\xec\xcf\xee\x64\x3f\xed\xf0\xdc\x24\x72\x4a\xb9\xac\x3f\xf2\xb9\xb3\x8f\xda\xab\xa2\xaa\x12\xe3\x17\xe9\x3d\x68\xf8\xa4\x92\x29\xe3\x4c\x61\xc8\xcf\xc9\x55\xdb\x96\x1b\xa7\x2c\xe8\x97\x3c\x5e\xac\x5e\x59\x90\xaa\x57\x26\x74\x5b\x2c\xdc\x33\x37\xe9\x9b\xba\xfa\x80\xb7\x2d\x22\xb6\xcd\xb8\x25\xba\xfa\x58\xb0\x39\x9a\x60\xe3\xc2\x00\x39\xef\xd6\x00\x94\x5e\x65\x61\xe3\x71\x8a\x7a\xf6\xd4\xc2\x63\x4d\xf5\xd4\xc2\x6a\x33\x3d\xe5\x3b\xe3\xac\xdb\x85\xa1\xf7\x54\xed\x82\x29\xa8\xcf\xe2\xcf\x38\x7a\x6a\xd8\xea\xa9\x47\x96\x02\xba\x6a\xcc\xdd\x55\x8a\xd6\x03\x7d\x95\xfc\x80\xa3\xaf\xf6\x9b\x7d\x35\x73\x76\xfe\xec\xa3\x67\xd7\xef\xad\xb4\xab\xb7\x04\x62\xdf\x7c\x5f\x61\xb3\xfd\x35\xf1\x9c\xa3\xbf\x46\xcc\xfe\x7a\x64\xe1\xd1\xb9\x47\x2e\x2e\xad\xdf\x61\x13\xae\x0e\x33\x1a\xbf\xf5\x7b\x6c\xd2\xf3\x6b\x3c\x7f\x76\x6a\xa6\x99\xaf\xf1\xbc\x2c\xe5\x6f\xfd\xbe\xca\xfc\xac\xa3\xaf\x92\x96\xe5\x9a\x7a\x74\xfa\xfc\xfa\x9d\x35\xee\x36\x5d\xfa\x96\xf1\xd6\xef\xad\xec\x19\x3a\xc5\x4e\xc4\x27\xad\x15\xd3\xfd\xce\x85\x96\xc7\xd5\x1b\xb1\xe6\xaa\x5b\x0c\xea\xff\x6b\x6a\xbe\x4c\x88\x1f\xe7\xc7\x9c\x97\x7d\xba\x8f\x7e\xbb\x8f\xfd\x66\x5f\xf4\x53\xd6\xe2\xfa\xd9\x3e\x7d\xe0\xb8\x4e\xf8\x8a\x1c\xab\x48\x2a\x57\x7a\x3f\xb6\x38\x6f\x6c\x3f\x0c\x51\xad\xa5\x07\x92\xcb\xf9\x8a\x52\x2c\x57\x35\xfd\xce\x2f\x5f\x2e\xbe\x41\xd6\xc4\x92\xd8\x11\x84\x54\x55\xb8\x7b\xc9\xf4\x8f\xe5\x56\x55\x55\x2e\x57\x8d\xf7\xcb\x14\x5a\x56\x15\xb3\x4d\xce\x64\x62\xf2\x1b\xa4\x6b\x95\x92\xe1\x1f\xba\x7e\x45\x29\x59\xbb\x0c\xfd\x6e\xb8\x1c\xb1\x5a\xad\x4c\x8e\x8d\x95\x94\x9c\x54\xba\xa2\x68\x55\x8f\x35\xa2\xfe\x36\x8c\x6a\x37\xb4\xaa\x7c\xcd\x5e\x23\xca\x25\x49\xab\x16\x73\x9a\x2c\xa9\xb9\x2b\xa3\x25\xa5\x50\x28\x96\x0b\x63\x97\xc4\x7f\x9f\x7e\xfd\xc9\x55\x4d\x56\x27\x9f\x2a\x5e\xcb\x5d\xb9\x91\x8a\x99\xbd\xe1\x7d\x58\x74\xa9\x73\xb1\xfa\x7f\x93\x74\x52\x48\xdb\xd4\x15\x29\x97\x32\x5f\x64\xbe\x5d\x73\x48\xdc\x72\xa5\x55\xad\xaa\xef\xb2\x4a\xf2\x8a\xbe\xc1\x2b\x17\x2c\xa1\xd1\x47\x93\xec\xd9\x7e\xba\x53\xbf\x7c\xca\x79\x35\x2f\x2d\xe8\xa1\x3a\x9a\x16\x4d\x2d\x2a\x25\x39\x23\x9a\x4a\x0e\xeb\xa7\x2d\xd6\x36\xb0\x9c\xae\x3f\x35\x64\x59\x52\x93\xf5\x30\x79\x17\xad\xa5\x53\xf5\xf7\x75\xb3\x89\xcb\x9f\x0a\xb6\x05\xe7\xd9\xac\x61\x0b\x7c\x47\xca\xcc\x71\x57\x7f\x7b\xae\xac\xe6\x6f\xd9\xee\x33\x5c\x09\x6f\x61\x93\xc7\x88\x8d\x18\x67\x6e\xc0\xa0\x65\xe6\xe8\x1c\x9d\xad\xa1\x47\xad\x8d\x1a\xdc\x14\x10\x42\xb5\x88\x33\x3e\x18\x09\xcd\x74\x5c\x10\x90\x71\x86\x32\x36\x64\xdc\x00\x3b\x54\x59\xed\xb0\x1d\x4a\x7e\xfc\x0e\x1f\x3b\xb4\xdb\x52\x56\x79\x98\x9e\xfd\xe2\xe0\x46\x58\x1e\x48\xaf\x20\xbd\x82\xf4\x0a\xd2\x2b\x48\xaf\x20\xbd\x6a\x5a\x7a\xf5\x7c\x84\xe6\xc5\x8a\xe1\x2c\x4d\xf3\x15\xc3\x49\x3a\x4e\xc7\x5a\x98\x3e\x44\xc5\x0f\x5a\x14\x2e\xc5\x0b\x34\xe7\x70\x29\xde\x64\x9b\x41\xcb\x87\x4e\xae\x0f\x82\x15\x61\x99\x9f\xdd\xe1\xb3\x82\x48\x07\xe8\xba\x3c\xd6\x15\x49\xae\x29\xe8\xf0\xb2\x02\xc2\xaf\x5e\x5b\xcc\x40\xf8\x05\xe1\xd7\x06\x0b\xbf\x3a\x47\xbd\x02\x8b\xae\x74\x72\x3e\x09\xc8\x29\x5a\x77\x71\x3d\x18\x0f\x5d\x2a\xf0\xf1\xd7\xd2\xa1\x20\x69\x97\x61\x02\xcb\xd5\x35\xa5\xb4\x7a\x4d\xce\x95\xa4\xe2\x35\x8d\xbd\xe5\xb5\xec\x67\x06\x6d\xb7\xc8\x01\x91\x7c\x46\x35\xd2\x66\x98\x8b\x69\xb3\x42\xca\x82\xd5\xc8\x32\x6f\x64\x5a\x6f\x24\x39\xac\x5f\x54\xa7\xfa\xf2\x3a\xb5\xcb\xd3\x02\x66\x90\x29\x0f\x99\xf2\x32\xc8\x94\x87\x4c\x79\xc8\x94\x87\x4c\x79\x3d\x93\x29\x2f\xd3\x35\x99\xf2\x42\xbf\x93\x96\x33\xe5\x65\x90\x29\x0f\x99\xf2\x90\x29\x0f\x99\xf2\x90\x29\xaf\xf3\x99\xf2\x32\x3d\x9d\xd8\x2e\x83\xc4\x76\xed\x4b\x6c\x97\xe9\xf6\xc4\x76\x99\x4d\x98\xd8\x2e\x7b\x85\x1e\x16\x24\x70\x96\x66\x38\x09\x3c\x45\x27\x68\x32\x38\x04\xd4\x8b\x11\xcd\x17\xb5\xe0\x5a\x0a\x8f\x07\xf3\xbe\x83\x6c\x62\xdd\xc0\x50\xaf\xdf\xa6\x75\xa2\xe1\x78\x7d\x86\xf8\x47\xb6\xdb\xb0\xec\x3e\x23\x12\x52\xf2\xe1\x62\xfb\x7d\xe2\x21\xdb\x4a\xc6\x04\xc8\x9a\xa7\x2c\x9d\xaf\x71\xc7\x1c\xa5\xc3\xad\x8d\x08\x9c\x31\x90\xb7\xb5\x28\x6f\x7b\x4b\x9f\x7f\xec\xce\x9c\x30\x19\x19\x3a\xc3\x4d\x06\x4f\x44\xd7\xda\x0b\x4a\x17\x85\xf4\xed\x1c\x9d\xb5\xa5\x6f\x37\xd3\xde\x23\xc2\x25\x7e\x9e\x66\x1d\x2e\xf1\x9b\x68\xb0\xd1\x58\xdb\xc6\xcc\x5a\x63\xa6\xcc\x25\x91\xfb\xc6\x88\x23\xf4\xc1\x50\x36\x38\x64\x22\xca\x65\x1f\x13\x76\xc8\x99\x8d\x6c\xda\xba\xa0\xb3\xc6\xac\x3d\x72\x39\x60\x5e\x60\x5e\x60\x5e\x60\xde\xde\xc1\xbc\x58\xc6\x05\x2c\xe3\xba\x87\x83\x43\xaa\xdc\x11\xa9\x32\xdc\x0d\x70\x37\xc0\xdd\x00\x77\x03\xdc\x0d\x3d\xed\x6e\x40\xc4\x0a\x22\x56\x10\xb1\xd2\xae\x88\x15\x78\xf3\xe0\xcd\xeb\x55\x6f\x5e\xb6\x10\x72\xb0\x56\x90\x63\x2c\xe9\x4d\x98\x77\xb1\x9d\xe2\x6b\xb6\x2d\x6d\xfb\x68\xf3\x66\x4c\xb6\xf7\xb9\x04\x65\x44\xfe\x92\x9c\xac\x1a\x7e\x50\xd9\x51\x89\x9f\xe7\xad\x34\xca\xf1\x3b\xcf\x28\x16\xca\xc5\x72\xc1\x5c\xb4\xb1\x7f\x9b\x60\x6f\xda\x42\x77\x3a\xcf\xb8\x64\x5c\x1c\x7d\x4b\xa4\xb1\x72\xfd\xd3\xf6\xc5\x4b\xa2\xf9\x45\x93\x78\x84\x52\xc2\xff\x10\xbf\xc0\xf1\x2b\xda\xb2\xb8\x43\xdf\x1f\x9e\x2f\x6a\xd5\x2e\x97\xee\x77\x6f\x45\xff\xd7\x07\x7f\x65\x17\xd9\xbc\xf1\x95\x79\xbc\x7c\x66\x50\x8a\xdf\xe0\x78\x64\x57\x45\x18\x03\xc2\x18\x50\xf0\x1f\xfe\x2d\xf8\xb7\xe0\xdf\xea\x1d\xff\x16\x0a\xfe\xa3\xe0\x3f\xfc\x0a\xf0\x2b\xc0\xaf\x00\xbf\x42\x57\xf8\x15\x50\xf0\x1f\x05\xff\x37\x0b\x49\x45\xc1\xff\x76\x14\xfc\xff\x6e\x1f\xdd\x2f\xa8\xa2\x55\x02\xbe\x16\x29\xb2\x2f\xf6\xb1\x2f\xf4\xd1\x4e\xeb\x04\x8b\x17\xfa\x16\xfe\xbf\xbf\x20\x57\x67\xcc\xd3\x0d\x76\xd7\xf5\xc5\xff\xdb\x53\xe3\x3f\xb0\xda\xfd\x7f\x1d\xa2\xb8\x18\x01\xf9\x0d\x55\xb9\xcc\x3f\x16\xab\xef\x39\xb9\xd5\x34\x59\x63\xdf\x19\x64\x7f\xd9\x4f\xcc\x3e\xc7\x1a\x85\x87\xd6\xcf\x88\x32\x27\x9a\x48\x8e\xe8\xa7\x9d\xb5\x2e\x37\x46\xc5\x38\x3a\xab\xa8\x53\xa5\x92\x25\x9a\x0e\x6f\x80\xda\xc4\x52\x65\xca\x8a\xd1\x9a\xa6\x29\x3e\x5a\xc7\xe9\x18\x1d\xf1\x95\xbe\xdb\xbd\x66\x15\x99\x32\x1e\xbc\xa1\x58\x9e\x80\x90\x9b\xab\xcb\xc1\x00\xf5\x00\x4b\x1b\x00\xd5\xbe\x17\x83\x9b\x1a\x77\x02\x4a\x0a\x4a\x0a\x4a\x0a\x4a\x0a\x4a\x0a\x4a\x0a\x4a\x0a\x4a\x0a\x4a\x0a\x4a\x0a\x4a\x0a\x4a\x0a\x4a\x0a\x4a\x0a\x4a\x0a\x4a\x0a\x4a\xba\x71\x94\xf4\xbd\x43\xf4\x80\x60\x74\x52\xa5\xa2\xf1\x32\x71\x4a\xb9\xaa\x2a\xba\x39\xd4\x77\x07\x7c\xec\x0c\x44\xb7\x55\x3f\xe5\xd2\x5a\x3a\x3a\xbe\x3e\x97\x9b\xb6\x5a\x58\x34\x5a\x10\x88\x6e\xaa\x52\xd1\x96\xd3\xf5\x47\x6f\x71\x44\xa7\xf7\x1a\xcf\xbd\x5d\xf7\xe0\x9d\x47\x74\xfa\xbd\x98\xa2\xc6\xba\xdb\x71\x0b\x89\x81\xe8\x80\xe8\x80\xe8\x80\xe8\x80\xe8\x80\xe8\x80\xe8\x80\xe8\x80\xe8\x80\xe8\x80\xe8\x80\xe8\x80\xe8\x80\xe8\x80\xe8\x80\xe8\x80\xe8\x3a\x84\xe8\x7e\x38\x41\xe3\x02\xd1\x95\xe5\xea\x75\x45\x7d\x4a\x5f\xad\x59\x4a\x46\x23\x2e\xda\x38\xc4\x53\x48\x14\x65\x8d\xfd\xd1\x10\xfb\xdd\x01\x7a\xb9\x7d\xc5\xa5\xb5\x74\xf4\x46\x63\x41\xd0\x17\xc5\x45\x0b\x46\x06\x8d\x50\x02\x9f\x27\xf8\x05\x17\xad\xdb\x59\x4e\xbb\x7e\x65\xbe\xa8\x55\x37\x1b\x06\xdc\x88\xa8\xe7\xd7\x06\xc3\xbe\xe3\xec\x98\x01\xfb\xea\x5e\x17\x83\xfc\xb9\x7a\xde\x5d\xae\xb5\x91\xa8\x6a\x90\x41\x90\x41\x90\x41\x90\x41\x90\x41\x90\x41\x90\x41\x90\x41\x90\x41\x90\x41\x90\x41\x90\x41\x90\x41\x90\x41\x90\x41\x90\x41\x90\xc1\x8e\x91\xc1\x61\xca\x0a\x32\xa8\xae\x48\xb9\x94\x89\x8b\x78\x53\xde\xe9\x13\xad\x84\x8e\xda\xd8\xf7\x59\xff\x7e\xe3\x98\xaa\x94\x64\x8d\xbd\x90\x60\xff\x6b\x80\xee\xd5\xdb\x9a\x72\x36\x65\xc5\xe3\x56\x1a\xe3\x87\x8b\x8a\x3e\x8f\x86\x82\x0d\xc5\x6d\x2f\xd6\xde\x91\x11\xe2\x6b\x97\x42\xd2\x7f\x12\x99\x12\xbd\x99\xe1\x4a\x30\x33\x3c\xcd\x4e\x0a\x34\xa8\xf7\x63\x7d\xb8\xae\xc1\x13\x7d\x5f\x32\x70\x43\x70\x43\x70\x43\x70\x43\x70\x43\x70\x43\x70\x43\x70\x43\x70\x43\x70\x43\x70\x43\x70\x43\x70\xc3\xae\xe4\x86\x9b\xaf\x44\x04\xc8\x24\xc8\x24\xc8\xe4\x26\x22\x93\xbf\x90\xa4\x43\x82\x4c\x6a\x55\x45\x95\x0a\x72\x2d\x8e\x5c\xe3\xf5\x6b\xa4\x6a\x55\xca\x5d\xd1\xa7\x76\x83\x47\xbe\x91\xfd\xd3\x30\xfb\xb1\x7e\xba\xdd\xb8\xcc\x42\x8f\xfb\x54\x59\xca\xd7\x6c\x73\x45\x0d\x9c\x29\xab\x8d\x64\x5c\x3f\x69\x49\x5c\x69\x20\xc2\xda\x73\xc2\x2d\x8f\xde\x64\x89\xa1\x94\xd9\x19\x66\xaa\xbe\xda\xbb\x0b\x64\x79\xb9\x60\x96\x77\x86\x9d\x32\x78\x9d\xbb\xeb\x0d\xf1\x5f\xdd\x4f\xd6\xd1\xbe\xab\x7b\xbd\x61\xde\xcb\xd8\x40\x41\xae\x52\xf4\xfb\xb7\xd7\x0f\xcf\xa0\x2a\x57\x4a\x52\x4e\x0e\x1a\xa1\x87\x8c\xf3\x3a\x39\x48\x99\x47\xe8\x61\xba\xe0\xac\x61\x1f\x8b\x24\x6f\x66\x94\x50\xcc\x39\xa8\x98\xf3\xbb\xfa\xe8\x3f\xf6\xb1\xb7\xf7\x45\xff\x9d\xd5\x41\x7f\x16\xe1\x6b\xe3\x87\xa5\xb2\x54\x90\x55\xb1\xcb\x13\x0b\x0e\x4d\x53\x72\x45\xbe\x70\xb1\xf6\x53\x12\xdf\x90\x2a\x6a\x4c\x5f\xd7\x56\x6f\x58\x2b\xb9\x6b\xd2\x53\xfa\xfd\x57\xaf\xc8\x9a\x6c\x1a\x3e\x67\xe9\x64\xb3\xc4\x32\x37\xb9\x7c\xef\xa4\xa8\xb1\xf4\xc4\x51\xfd\x5c\x55\xca\x71\x24\x57\x52\xca\x05\x61\xe6\xf8\xfe\x46\x5f\x8a\x4a\xc5\xb2\x58\x7d\xf0\xfd\x83\x7d\x2e\xc7\x14\x06\x30\xd4\x77\xbd\xe6\xd4\x55\x50\x4a\x52\xb9\x90\x52\xd4\xc2\x58\xe5\xa9\xc2\xd8\x6a\xb9\x98\x53\xf2\xf2\xd8\xbe\x39\x6d\x41\x6f\x25\x15\xdf\xe1\x7c\x56\xe7\x64\xf3\xb1\x48\xc8\x06\xe3\x95\x7a\x6b\x69\x96\xa5\xf3\xb4\x75\x5a\x2c\xdc\x6f\x71\x1b\x54\x59\xad\x52\xf2\x99\x3b\xea\x6d\xd0\xbd\x46\x0d\x46\xa9\xde\xec\x3c\x28\x0e\x75\xd4\xea\x3c\x4a\x8b\xb4\xe0\xb4\x3a\xc9\x0c\x9d\x69\xc1\xd3\x33\xc3\x6f\xfd\x11\x0e\xc5\x35\x98\x9e\x20\xd3\x83\xea\xed\x1d\xa9\xde\x8e\xb2\xbd\x28\xdb\x8b\xb2\xbd\xed\x2a\xdb\x9b\x7d\x3e\xec\x75\xc2\xa2\xde\xda\x04\xbb\x40\x73\xb4\x4d\xf4\x6d\xfb\x17\x0a\x31\xef\x39\x7c\x3b\xdb\x2a\xba\x89\x3a\xb2\x94\xc8\xfc\x97\x1d\xf5\x6b\x85\xb1\x8a\xa4\x56\x8b\xdc\xcb\x29\x36\xbe\x41\x1b\x97\x7d\x15\x7d\x8f\xdb\xa9\x05\xc4\xee\xda\x86\x46\xf9\xcf\xef\xe7\x65\x00\xf6\x38\x0f\x5e\x93\xd5\x82\xec\x3c\x3a\xe8\x3c\xaa\x55\x55\xa9\x2a\x17\x8a\xb9\xd1\xba\xf3\x5c\xad\xe8\xff\xbe\x61\x1c\xd5\xef\x32\x73\x91\xe6\x29\x5b\xb3\x65\x9a\xa4\xa3\x2d\x2c\x5f\x16\xb8\x14\x00\xcb\x96\x80\x65\xcb\x73\xfd\xf4\x6c\x3f\x7b\xa6\x3f\xfa\xb4\x65\xfb\xdf\xdc\xdf\x3b\x3b\xa6\x1a\xef\x89\xde\xcf\x5c\x0d\xc0\x3d\x7c\xfa\xcb\x69\x6b\x82\x12\x3e\x2f\xee\x30\x9f\xc2\x84\x78\x44\x2a\xf1\x2b\xf5\xb5\x9a\xb8\x9a\x9f\xc1\xd7\x4d\x5a\x2c\x91\xd5\x94\xf2\x82\x10\xc7\x3c\xac\x7f\x16\xc6\xbf\x97\xcc\x8f\xc5\xfe\xe3\xb0\xff\x56\x2e\xf3\x52\x84\x5e\x8c\xb0\x17\x22\xd1\x4f\x58\x58\xee\xfd\x91\x59\x45\xcd\xf1\x25\x5d\x41\xe1\xdd\xae\xc4\xe2\x97\xf5\x3f\xc5\x63\x53\xae\xa7\xe0\xc0\x55\xac\xbe\x56\x35\x5b\x06\x30\x2a\xe5\xf8\x83\x73\x71\x45\xa9\x98\x33\x66\x57\xb9\x94\xd7\x62\xca\x75\xa3\x4f\x85\xf8\xa0\x22\x2b\x95\x92\x9c\x8a\x89\x5f\xe4\x6a\x26\x73\x2c\x39\xf8\xf4\xec\x00\xeb\xe7\xe3\x5b\xf8\x6d\xb9\x94\x39\xdd\xc9\xb2\xfc\xc4\x68\x8d\xcd\x06\x57\xef\xf7\x9e\x83\xb6\xb1\x97\xf1\x1e\xa1\xec\x49\x3a\xce\x8e\xc5\x8f\x58\xce\x90\x3d\xfc\x13\x33\xbe\xf7\xda\xf6\xe2\x03\xfa\xd1\xb6\x16\xc3\xfe\x99\x61\x9a\x18\x93\x2a\x45\x47\x68\xb7\xb7\x66\x53\xa8\xe2\x4c\x6c\xfa\xcd\x04\xfb\xcc\x00\x6d\xcd\x29\xaa\x3e\xc9\x45\x9f\x35\xea\x5d\x3b\xf5\x99\x65\x73\x4b\x60\xe6\x69\xe4\xf2\xc1\x50\x84\x9a\x23\xb6\x2f\x99\xef\x3f\x0c\xcf\x63\xb1\x2a\x5f\xb3\x4d\xd4\x90\x4b\x97\xe0\x68\x3b\x95\x8c\x8a\xb2\xd8\x8a\x2a\x2f\x3b\x44\x9d\xfc\xfe\xa0\xe8\xac\xff\x72\xfc\x5f\x6a\x7e\x63\x74\xf5\x5c\xf0\xa7\xf5\x20\x8b\xd7\x56\x97\x17\x3f\x8e\x24\x90\x90\x6c\x42\xb2\x09\xc9\x26\x24\x9b\x90\x6c\x42\xb2\x09\xc9\x26\x24\x9b\x90\x6c\x42\xb2\x09\xc9\x26\x24\x9b\x1b\x28\xd9\x9c\xa0\x71\x96\x8a\x8f\x58\x94\x62\xa7\x93\x52\xf0\x7d\x5b\x3d\x9a\x80\xcc\x13\x32\x4f\xc8\x3c\x21\xf3\x6c\xa3\xcc\xf3\xf9\x84\xa8\xb1\xed\x0f\x2b\xdf\xc8\x7e\x38\xc1\x3e\xe7\x20\x93\x1f\x6a\x84\x4c\x5a\x0c\xb0\x2b\xe8\xe4\x9d\x5e\x74\xb2\xfb\xb9\xa4\x1f\x45\x0c\x1f\x58\x36\xcc\x25\x2f\x04\x73\xc9\x04\x1b\x34\xb2\x54\x9a\x3d\xed\x22\x92\x36\xb3\x04\x9b\x04\x9b\x04\x9b\x04\x9b\x04\x9b\x04\x9b\x04\x9b\x04\x9b\x04\x9b\x04\x9b\x04\x9b\x04\x9b\x04\x9b\xec\x30\x9b\x3c\x4c\x07\xd9\x44\x7c\xdc\xe2\x8c\x77\x39\xd9\xa4\xb5\x8b\x6b\xbf\x74\x0a\xf4\x10\xf4\x10\xf4\x70\x13\xd1\xc3\x7f\xd9\x4f\xfb\x8c\xda\xd3\x79\x7d\x09\x5c\x54\xca\xaa\x5c\x28\x72\xd1\xba\x23\x83\x25\xfb\x83\x3e\xf6\xfb\x7d\x74\x97\xe7\x49\xd1\x68\x81\x87\x9c\x5c\x56\xd4\x6b\x56\xe7\x4a\x31\x8e\x89\x92\xb1\x82\x5c\x9d\xf2\xba\x6a\x6a\x61\xee\x9c\x7e\x46\x78\x8a\xfd\xba\x86\x26\xeb\x1a\x9a\x6c\xa4\xa1\x6c\x91\x2e\x0a\x3c\x77\x8e\xce\x72\x3c\x77\x9a\x4e\xd2\xf1\x16\xf0\x9c\xf9\x8c\x41\x6a\x42\xf6\xad\x61\x7a\xd8\xbf\xbe\x50\x03\xd9\x43\x8b\xe5\x82\x2a\x6b\x9a\x8d\x7c\x7f\x6a\x98\x7d\xff\x16\x62\xae\xe2\x43\x22\xee\xe2\x83\x8d\xd0\xdf\x39\xd1\x5e\x57\xb0\xdf\xa1\xba\xba\x45\x35\x99\x47\x8d\x9b\xed\x7e\x1c\xdc\x85\x32\xd5\x27\x83\x71\xf0\x24\x3b\x1a\x50\xcd\xc8\x18\x80\xfa\xc0\x1f\x00\x62\x00\x62\x00\x62\x00\x62\x00\x62\x00\x62\x00\x62\x00\x62\x00\x62\x00\x62\x00\x62\x00\x62\x00\xe2\x0e\x03\xe2\x83\x34\xc1\xc6\xe3\x29\x0b\x10\xef\x72\x02\x62\x63\xfb\x06\xf9\x2a\x00\x34\x00\x34\x00\x74\x47\x01\xf4\x3f\xf4\x51\x2c\xa8\x7e\x12\xfb\x9d\x3e\xf6\x99\x3e\xda\x59\x57\x15\x69\x5d\xf2\xbc\xa7\x20\x57\xeb\xaa\x16\x81\x3a\x3b\xa8\xf3\x97\x12\x34\xe6\x93\x21\xd6\xa0\xcd\x39\xad\x98\x57\x8b\xfa\x27\x64\x72\xe5\x67\x12\xec\xeb\x03\x44\x76\x32\x9f\xc6\xd4\xc4\xd3\x4b\x73\x33\xbc\xa1\xae\x20\xca\x77\x5f\x77\x65\x12\xb2\x6e\x0e\x04\xb9\x05\x82\xfc\x78\x30\x41\x3e\xc8\x26\xd6\x4b\x19\x62\xf5\x3f\x12\x1f\x80\x1d\x83\x1d\x83\x1d\x83\x1d\x83\x1d\x83\x1d\x83\x1d\x83\x1d\x83\x1d\x83\x1d\x83\x1d\x83\x1d\x77\xad\xb8\xd8\xda\xbb\x41\x5c\x0c\xb6\x0b\xb6\x0b\xb6\xeb\x60\xbb\xdf\x1d\xa2\xa4\xbf\xaa\xd5\x40\x8c\x96\x72\x95\x7d\x7a\x88\xfd\xc6\x00\xbd\xdc\x25\x59\x8d\x6a\x8d\xd5\xbb\x0f\x53\xaf\x9a\x4a\x8e\xd4\x29\x4e\x8d\xf6\xe7\x8b\x5a\x75\x56\x51\xa7\x4a\x25\x4b\x7d\x0a\xd9\xa9\x07\x34\x6c\xa4\x16\xfd\xd5\x57\x05\x83\xc3\x43\xec\x40\xf3\xd2\x53\x90\x43\x90\x43\x90\x43\x90\x43\x90\x43\x90\x43\x90\x43\x90\x43\x90\x43\x90\x43\x90\x43\x90\x43\x90\xc3\x4e\x93\x43\x10\x40\x10\x40\x10\xc0\x1e\x26\x80\x7f\xfd\x24\xa5\x82\xe2\xda\x0d\x00\x98\x2b\x49\x9c\x02\xfe\xf2\x93\xec\xc3\x83\x9e\x81\xeb\x49\xb1\x4e\x54\x8d\x19\xce\x34\x81\x35\x21\xeb\xd3\x7a\x3b\xc9\x07\xf4\x73\xeb\x42\xc6\x9d\xa7\x74\x39\xb6\xcb\x80\x61\x81\x61\x65\xc0\xb0\xc0\xb0\xc0\xb0\xc0\xb0\x7a\x86\x61\x65\xba\x86\x61\x85\x7e\x27\x2d\x33\xac\x0c\x18\x16\x18\x16\x18\x16\x18\x16\x18\x56\xe7\x19\x56\xa6\xa7\x91\x53\x06\xc8\xa9\x7d\xc8\x29\xd3\xed\xc8\x29\xb3\x09\x91\x53\xf6\x2a\x3d\x22\xe4\x4e\xe7\x69\x96\xcb\x9d\xce\xd0\x29\x3a\xe1\x5b\x42\xdd\xc1\xa5\xcc\x2a\xea\x4e\x4a\x34\x5f\xd4\x82\xd5\x4e\xf7\x79\xab\x9d\xb6\xb2\x2d\x42\xe8\xb4\x12\x2c\x74\x3a\xcd\x4e\x36\x26\x74\xe2\x77\x55\x9f\x68\x2f\xfe\xeb\xdb\x3d\x99\xd9\x2b\xc4\xfc\x14\x93\xca\x6e\x3e\xb6\x4f\xfc\xbd\x33\x84\x4c\x00\xad\x8b\x34\x4f\x59\x36\xb0\xa2\xe4\x6f\x44\xf9\xff\xc6\x22\xc9\x49\x3a\xda\xea\xc8\x64\xde\xd3\x47\xff\xa5\x8f\xfd\xe7\xbe\xe8\x7f\xb2\x4c\xd3\xb7\x23\x8f\xeb\x13\xbf\x31\x17\x8c\x70\xd5\x60\x4e\xdf\xf1\x09\x5b\xe2\xda\x7f\x38\x99\xd4\x8a\x1c\xab\xe8\x3d\xaa\x2f\xfa\x52\xb1\xa9\xf2\xff\xc7\xde\xdb\xc7\xb7\x71\x9d\x77\xbe\x1f\x82\x54\x2c\x3d\x56\x62\xf9\x38\x69\x6c\x58\xb6\x61\xc8\x26\x48\x88\x04\x05\xea\x9d\x7a\x25\xf8\x22\x11\x92\x25\x5a\x94\x29\xc7\x95\xc2\x0c\x81\x21\x34\x12\x88\x41\x66\x40\x2a\xca\x6e\xb6\x89\xb3\xe9\xa6\x6d\xd2\xdb\x4d\xb6\x69\xf7\xb6\xdb\x9b\xf4\x6d\x93\x36\x4d\x36\x6f\x6d\x6f\x93\x6d\xda\xbd\x9b\xd6\xad\x1b\xb7\x69\xda\xe6\x73\x6f\xba\xd9\xa6\xeb\x6d\x9a\x6e\xdb\xcd\xde\x6e\x9b\x9b\x7c\xd2\xcd\xfd\xcc\x39\xf3\x0a\xcc\x60\x40\x08\x00\x41\xe1\xf7\x8f\x3f\x32\x31\x73\xe6\xcc\x99\x33\xcf\x9c\xf3\x7d\x9e\xe7\xf7\xc4\x94\x92\xd8\xf9\xab\x5a\x6c\xad\x64\xc3\x83\x7c\x2c\xaf\xdd\xbe\xb4\x56\x8a\xe5\x15\x4d\x36\x5e\x20\xd9\xde\x91\x1a\x1f\x16\xfe\xe5\x36\xb7\xe4\xd6\x02\xdc\xdc\x04\xc5\x56\xd6\x34\xbe\xc8\x2b\x6b\x6a\x4e\xd6\xf9\x27\xd6\x7c\x5f\xcd\x8f\x41\x2a\xb6\xc8\xaf\xc8\x17\xcf\xfc\x9b\x38\x11\x1b\x8d\x4d\x16\x8b\x13\xfc\x03\x9a\xd7\x6e\xc7\xb4\xb5\x92\xb1\x39\x33\xde\x38\x6b\xd5\x60\x36\x27\xe7\xe3\xaf\x10\x5d\x73\x9b\x97\xf7\x45\xe8\xbd\x11\xf6\x23\x91\xe8\xbb\xed\x01\xfa\xab\x3e\xbe\xe6\x7a\x4a\x2a\x49\x05\x59\x13\xbb\x07\x21\xe6\xa1\xeb\x6a\x4e\xe1\x1f\x44\x7b\x9d\x2e\xf1\x8d\x8e\xaa\xc5\x8c\xf5\x52\xe5\xb6\xbd\x42\x58\x95\x8c\x87\x62\x1c\xa2\xcb\x96\x0d\x30\xec\x92\x45\x50\x38\x44\x58\x96\x63\xdc\xfa\xf0\x35\xb9\xaa\xc5\xd2\xe3\x47\x8c\x63\x35\x29\xc7\x51\x8f\xb1\x9d\x15\x6f\x3c\x5f\x37\x1b\x4b\x1c\x49\x29\x09\xdf\x0f\x5f\x97\x3a\xc7\xf2\xed\xaf\x09\xa2\x8c\xdd\x94\x65\xc5\x0b\x6a\x51\x2a\x15\x52\xaa\x56\x18\x2b\xdf\x2c\x8c\xad\x95\x94\x9c\x9a\x97\xc7\xf6\xcc\xe9\xf3\x46\x2b\xa9\xf8\x4e\xf7\xbd\xba\x51\xff\x0f\x45\xe8\x9c\xb0\x11\xd3\x94\xe1\x36\xe2\x38\xdd\xc1\x4c\x14\xf1\x95\x69\x1e\x5f\x79\xcf\x94\x58\x0f\xde\x61\x8b\x4f\x1b\x2d\x8e\xb3\x2c\x9d\xa5\xed\x93\x39\xe3\x0b\x74\xc7\x4d\x36\x6f\xc4\xca\x6a\x87\x8c\x58\xf2\x1b\x23\xbe\x46\xec\x71\xb1\x9c\x8e\xe5\xd4\xa2\xb1\x39\x36\x3f\x76\x1e\x7b\x36\x2a\x0e\xa9\xb1\x67\x53\xf6\x29\x6d\xb4\x6c\x97\xe9\x12\xcd\xbb\x2d\x5b\x32\x43\xa7\x9b\x08\xb0\x9d\xe6\xf7\x70\x91\x13\x5d\x1d\xec\x17\xec\x17\xec\x17\xec\xb7\x87\xd8\x2f\x56\x74\x21\x2b\xba\xee\x81\xe3\x2f\x47\xe8\xab\x11\xf6\x95\x48\xf4\xcb\xf6\xa3\xfa\x58\xe4\xb2\x7b\x3b\xaa\x94\x62\xba\xd8\x52\xc6\x96\xe5\x15\xe1\x49\xb6\xb1\x8d\xf3\xc9\x32\xdf\x12\x3e\x58\xae\xb5\x63\x49\x2d\x8d\x96\xe4\x82\xc4\x1f\x89\xb9\x23\x75\xaf\x31\x05\xc0\xb5\x27\x83\xb9\x40\x50\x56\x57\xe5\xbc\xb1\x8a\x2d\xde\x76\x5c\xbc\x8e\x69\x57\x8a\x23\xe6\x46\x95\xdf\x6e\xac\xa0\x49\x39\x3e\x4f\x14\x35\x6f\x7f\x78\x9c\x8f\x03\xf7\x9e\x5b\xcf\x65\x4d\x37\x3a\xe9\x1e\x28\xc9\x38\xd3\xba\x21\xf3\x22\x2b\xe2\x7d\xb3\x9a\x48\x89\x7e\xae\xca\x52\xc9\xb7\x8f\x71\xc6\xbb\x30\xcf\x7b\xe0\xb7\x01\x87\x0f\x02\x3e\x08\xf8\x20\xe0\x83\x80\x0f\xa2\xa7\x7d\x10\x5f\x88\xd0\x4b\x11\xf6\x62\x24\xfa\x82\xfd\xb5\x7d\x7f\x64\xda\x95\xe9\x5a\x2e\xca\x92\x2e\xdb\xaf\xfe\xbc\xa6\x96\xa5\x02\xff\x0e\xcf\xab\x45\x25\x77\xdb\x13\x81\x64\x3d\x6e\x27\x55\xd6\x78\xe0\xe9\xd4\xe1\x54\x6c\x41\xd8\x11\xf1\x91\x2c\xcb\x25\x63\x9a\x3a\x5f\x11\x39\xa6\x6a\xe5\xeb\x52\xc9\x8a\x88\xd2\xd6\xe4\xb1\x15\xa9\x68\xad\xfe\xe3\xe2\xd7\x78\x6c\x45\x29\x49\x45\xe5\xcd\x96\xf9\x5e\x96\x63\x52\x9e\x03\x7d\x75\x4c\xf0\xdd\xbc\xb3\xb4\x14\x8d\x27\x74\xe7\x24\xb1\xde\x4e\xc5\x66\x14\x6e\x92\x5c\x1d\x57\xb5\xda\x3b\x73\x9c\x28\x15\xb1\xdc\xe7\xab\x3f\xb5\x72\x3d\x15\xdf\x25\xfa\x33\x6d\xdd\x88\x37\xb4\xea\x9d\x03\xf4\x8e\x01\xf6\xfc\x40\xf4\xbb\x76\x7c\xdd\x97\xfa\xaf\x98\x76\xd0\x98\xa2\xd7\xd5\x5b\xb1\x82\xa4\x2d\x4b\x05\x0f\x79\xb0\x17\x6a\xb2\xb6\xa2\x6a\xab\xc6\x58\xf8\xf6\xf4\x62\xd5\xc5\x83\x3b\xca\x97\x35\xd6\x9a\xa4\x2c\xee\x4a\x31\xd6\x0b\x39\x25\xef\x2c\xac\xf9\xb7\x91\x6f\x73\xec\xd1\xd5\xb9\xf8\x25\xff\xd5\xfa\xfa\xa5\x5c\xc3\x68\xd9\x4d\xdb\x73\x61\x47\xd5\x79\x2f\x96\x8a\x09\xc4\xc4\x6d\xb1\x7b\xb5\x9a\x10\xf7\x90\x30\xf6\x3c\xfc\x5f\xde\x89\xa1\x1f\x8b\x25\x32\x52\xee\x66\x41\x53\xd7\x4a\x79\xe3\x28\x1e\xce\xc6\x0f\xaa\x1a\x38\xb1\x58\x31\x57\x40\xde\x46\xac\x3b\x58\xb6\x5b\x3a\x16\x4b\xcc\xaa\x9a\xec\x6a\x36\x96\x93\xf4\x9c\x94\x37\xee\xde\x1c\x1f\x11\xc0\xc8\xdb\xd3\xc5\x72\xba\xa6\xc1\x15\xbb\x8d\x54\xfc\xfe\x72\xf5\xbc\x71\xaf\x6d\xe0\xe2\x83\x8b\xaf\x47\x5d\x7c\xd9\x02\x9d\x17\x28\x7c\x86\xa6\x38\x0a\x3f\x41\xc7\xe8\x68\x13\xf0\x72\xa1\x22\x55\xd6\xc2\x31\x73\x07\x30\xf2\x8d\xa4\x3f\xca\x7e\x80\xdd\x2f\x2c\x86\x63\xcd\xa9\xe5\x29\x2a\xec\x1d\x49\x7a\x3a\x4c\xd0\xb8\xa1\x92\x6e\x9a\x5a\x74\xca\xb9\x7d\x74\x98\xfd\xf0\x36\x7a\xa8\x46\x01\xd9\x66\xe4\xbf\xd8\x88\x0a\xef\x25\xd5\x58\xf7\x76\x81\x00\xef\x5e\x7e\xb9\x1a\x75\xe6\x9a\xca\x6e\x46\x87\xbb\x3c\x50\xbf\x3b\x45\x79\x37\xf4\x9a\x05\x4e\x54\xf3\x75\x33\x9e\x02\x6a\xbb\x21\x43\x01\x2a\x1b\xf0\x52\xc1\x4b\x05\x2f\x55\x4f\x7b\xa9\xa0\xb2\x01\x95\x0d\x78\x07\xe0\x1d\x80\x77\x00\xde\x81\xae\xf0\x0e\x64\xd3\x34\xc6\x46\xe3\x7b\x6d\x7d\xde\x5d\x6e\x7d\x5e\x63\xef\x86\xc2\x6e\x5b\x1d\xd2\x42\xfa\x03\xd2\x1f\x5b\x2b\x0f\x83\xbd\x7d\x98\x2e\x08\x0e\x2a\xe5\x8d\xf5\xb5\xa2\x96\x34\xb9\xa0\x18\xef\x65\x30\x0a\x5d\x5d\xab\x48\xc6\x0a\xea\x96\xbc\x7c\x5d\x55\x6f\x7a\xf6\xa4\x3a\xfb\x77\x43\xec\x67\xb7\xd1\x23\xbe\xed\xd9\x20\xf4\x9d\x7d\x8d\x29\x06\x3f\x65\x5e\xea\x8a\xb8\xd4\x94\xfb\x52\x2d\x92\x11\x9e\xe4\x27\x4c\xfa\x75\xd7\x24\x9d\xf5\x3a\x71\x5e\xd1\x2b\x60\x9f\x4d\x6a\x0b\xbf\x25\x9c\x7f\x3e\xc7\x9e\x15\x78\xb3\xde\x43\xa8\xc5\x9e\x26\x33\xad\x37\xa9\x81\x46\x81\x46\x81\x46\x81\x46\x81\x46\x81\x46\x81\x46\x81\x46\x81\x46\x81\x46\x81\x46\x81\x46\x81\x46\x21\x40\x0c\x0a\x09\x0a\x09\x0a\xd9\x31\x0a\xf9\x3b\x43\x74\xc4\xa4\x90\x6b\x15\x55\xcf\x49\x45\xa5\x54\x18\x5b\x1f\x77\x43\x47\xce\x97\xd4\x52\x45\x2a\x96\xd5\xbc\x75\x98\xac\xe9\xec\x5d\x43\xec\xad\xdb\xe8\x01\xd7\x99\x4b\xe6\x99\xd1\xb7\x37\x48\x19\xcf\xda\x6d\xcf\xab\xf9\x49\xbb\xed\x16\x01\xc6\x8c\x00\x8c\x4e\xff\x16\x45\xf7\x02\xae\x8a\xea\x65\x2d\x24\x8c\x85\x70\xc2\x38\xcd\x32\x16\x2d\x74\x1e\x91\x19\x53\x19\xf0\x88\x5c\xbc\x71\x1c\x61\x96\x60\x89\x60\x89\x60\x89\x60\x89\x60\x89\x60\x89\x60\x89\x60\x89\x60\x89\x60\x89\x60\x89\x60\x89\x60\x89\x60\x89\x60\x89\x60\x89\x9d\x65\x89\x7f\x79\x3f\xed\x33\x1e\xdd\xd8\x7a\x3a\x28\x67\xbb\xac\xe6\xad\x94\xed\xb1\xb2\xa6\xbe\xe9\x36\xfb\xc4\xfd\xec\xbd\x11\xba\x27\xa7\x6a\xf2\xd2\x7a\x3a\xfa\x44\x4e\x2d\x95\x0c\x7b\x75\x66\xe6\xb2\x03\x6c\x2a\x6a\x8c\x1f\x6d\x74\x7c\x5e\xcd\x27\xe3\xe6\x51\x53\xaa\x26\x2f\xa6\xcf\xc8\x15\x27\x23\x7a\x5e\xcd\xcf\x1b\x87\x8e\xf7\x27\xc7\x92\x02\x91\x1d\xa6\xdd\x02\x91\xbd\x86\x1e\xe0\x88\xec\x95\x74\xef\xc7\xfb\xb6\x93\x39\x1f\x42\x71\xd7\xe3\xfe\xb8\x8b\xd8\x76\xb3\x1b\x74\xe3\xe9\x70\xd8\x95\x62\x23\x26\xec\x8a\xc7\x4d\xc6\x65\xf5\xd5\x54\x34\xf5\xd4\xe8\x8f\xfa\x8e\xca\xfc\x33\x0d\x8f\xca\xfc\xda\x5d\x38\x2a\xf1\x1f\x75\x8d\xca\x93\xf6\xa8\x5c\x5c\xa8\x33\x2c\x7b\xbc\xc3\xa2\xea\x77\xe1\xb8\x24\xff\xb5\x6b\x5c\x12\xd6\xb8\x4c\xcf\x9c\x9f\xb9\x3c\x13\x3c\x32\x4f\x7a\x46\x46\xa8\xeb\xde\x7d\x63\x33\xfe\x13\xae\xb1\x19\xb2\xc6\xe6\xe2\xfc\xe5\xb9\x8b\x17\x16\x82\x07\x67\xd0\x33\x38\x66\xc3\x5b\x63\x74\xdc\x77\x1f\x36\x52\x13\xbe\x6f\xd4\xd9\x99\xc9\xe9\x46\xdf\xa8\xb3\xb2\x94\xdf\x1a\xe3\xb2\x91\x59\x93\xf9\x31\xd7\xb8\x0c\xda\x96\x66\xf2\xf2\xd4\xd9\xe0\x81\x79\xc2\x6b\x6a\x8c\x2f\x64\xc8\xc8\x04\xdd\x7b\xfd\x21\xdb\xd4\x91\xc9\x1e\xa7\x09\x76\x24\x7e\xc8\x4e\x8e\x7a\xd8\x9d\x4f\x55\x75\xe6\x66\xa4\x56\x49\xb4\xc4\xae\x45\xbf\xd7\x5a\x37\x4d\xce\x4b\x15\xb1\x45\xbe\x2e\xc7\x9e\xb9\x74\x3e\x66\x5c\x96\xaf\x15\x75\xd9\x5e\xec\xe5\xd6\x34\xcd\xd8\x15\x89\xc7\x69\x6d\x13\x8c\xe7\xab\xe6\x53\x71\xde\x53\xb7\x88\xcd\x6f\x5f\xa3\xd1\x90\xa5\x8e\xb5\x62\x7a\xe3\x9a\x5a\x91\x74\xf6\xa3\xd7\xd8\x0f\x0e\x3a\x33\x6a\x6f\xfd\x5a\xad\x16\xbe\x7e\xda\x38\x59\x14\x6b\x15\x73\xca\x25\xfd\xe2\x3e\xa4\xcb\xbd\x94\x28\xd6\x0a\x1f\x1d\x8a\xb5\xc2\x47\x07\x1f\x1d\x7c\x74\x3d\xe4\xa3\xeb\x22\x3d\xfa\xae\xf1\xd1\x41\x28\x1d\x3e\x3a\xf8\xe8\xe0\xa3\x83\x8f\x0e\xc5\x5a\xa1\xe4\x7c\xf7\xb8\xd4\xba\x5e\xc9\x79\x4b\x16\x6b\x7d\x03\xcd\x08\x0e\x78\x92\x8e\x73\x0e\x78\x88\x0e\xd0\x78\x60\x8d\xc3\x9c\xaa\xc9\xa9\xf5\x74\xca\xc3\x86\x5a\x52\xa2\xf5\x62\x38\x46\x1c\x61\xc9\x6a\x8c\xe8\xe9\x87\xd7\x91\xf3\x9d\xed\x0e\x0c\xb3\x8b\xb0\x56\x71\x2f\xb3\x08\x6b\x67\xc8\x97\x00\x55\xd3\x94\xa1\xd3\x55\x45\x58\xf7\x51\x6a\x63\x23\x8e\x42\x5d\x28\xbd\xda\x64\xe9\xd5\xbf\xe9\xa3\x33\xa2\xb6\xe9\x69\x3a\xe9\xaa\x6d\x3a\x4e\x1b\x9e\x85\xc1\xbe\x85\x49\x61\x53\x26\xe8\x08\xb7\x29\xcd\xb4\x3d\x2b\x4a\xba\x9e\xa2\x13\x4e\x49\xd7\x26\xda\x69\xb4\xb8\x6a\xab\xcd\x4f\xf2\x8b\x23\x8e\xf9\x89\xfb\x96\x4f\xf5\x9a\x22\xb3\x7e\xaa\x30\x45\x4e\xd1\xd4\xce\x18\x25\xd4\x4f\x05\x8e\x05\x8e\x05\x8e\x05\x8e\x45\xfd\x54\xd4\x4f\x45\xfd\x54\xd4\x4f\x85\x5b\x00\x6e\x01\xb8\x05\xe0\x16\x80\x5b\xa0\x25\x6e\x01\xd4\x4f\x45\xfd\x54\xd4\x4f\x45\xfd\x54\x78\xdd\xe0\x75\xdb\xe2\xf5\x53\x5b\x4d\x8a\x37\x54\x2c\x75\xeb\x95\x0d\x61\x1f\x49\xd0\x90\x10\x00\xcb\x2b\x7a\x4e\x35\x96\x3b\x4e\xe9\x81\x31\xb9\x94\x2f\xab\x4a\xa9\xa2\x17\x95\x9c\xac\xb3\xb7\x25\xd8\xdf\xf7\xd3\x4e\xfb\xc8\x06\x22\xd9\x67\xcc\x16\x16\x8c\x16\x92\x23\xc6\xc1\xd3\xd6\xe9\x8b\x69\xcf\xaf\x5b\x4d\x7a\x4b\xa6\xac\x98\xda\x53\x34\xc9\xa7\xf6\x31\x3a\x4a\x87\x03\x1d\x20\xce\xf8\xae\xa7\x53\x9e\x1b\x6f\x89\x87\xf6\x5a\xf8\xc4\x9f\x60\x47\xcc\x89\x5f\xfd\xac\xcd\xd7\xc0\xd3\x2b\x6f\xd2\x07\x22\xf8\x11\xc1\x0f\x95\x2d\xb8\x8c\xe0\x32\x82\xcb\xa8\x77\x5c\x46\x50\xd9\x82\xca\x16\x50\x3d\x50\x3d\x50\x3d\x50\x7d\x57\xa0\x7a\xa8\x6c\x41\x65\x6b\xab\xc0\x49\xa8\x6c\xb5\x43\x65\xeb\x67\x87\x68\xbf\x00\x76\xda\xb2\x94\x4b\x59\xa0\xa8\x4e\xd1\x50\x4d\x2d\xca\x3a\xfb\xeb\x04\xfb\xb3\x01\x7a\xc8\x38\x69\xd2\x7d\x8e\x5d\x18\xb4\xdc\x98\x62\xff\x25\xd5\xf8\x60\xb6\x44\x9e\xff\x20\x3f\xe1\x52\x75\x8f\xcc\xda\x9f\xc6\x85\xa0\xc8\xdf\x42\x45\xfe\xe5\x70\x42\x78\x8a\x9d\x30\x09\x61\xe0\xe4\xb2\x88\xb9\x5a\x94\x6b\x8b\x7f\x02\x13\x02\x13\x02\x13\x02\x13\x02\x13\x02\x13\x02\x13\x02\x13\x02\x13\x02\x13\x02\x13\x02\x13\x02\x13\x02\x13\x02\x13\x02\x13\x02\x13\x76\x0a\x13\x7e\xbe\x8f\x76\x8c\x99\xcf\x68\x8c\x7d\xb6\x8f\x7d\xa6\x8f\xee\x31\xff\x3f\xfa\xea\x82\x6c\xed\x8a\xf2\xf6\x2b\x99\x7c\x55\x41\xae\x4c\xa9\x79\x7b\xfe\xd7\x70\xb6\x89\x9a\xbf\x6c\x50\xa0\xc4\x0b\xbb\xcc\xeb\xa6\xe6\x4a\x2b\x6a\x18\xe1\x62\xdf\x89\xd0\xa3\x66\xa1\xd2\xb2\x22\xbf\xa9\x22\x97\xf8\xec\x73\xc5\x2a\xb2\xff\x3b\xc2\xfe\x24\x42\xbb\x3c\xbf\x2f\xad\xa7\xa3\xaf\x35\xee\xd6\xb3\x76\x10\x4f\x25\xf9\x68\x41\xae\x4c\xba\x8f\x5e\x4c\x4f\xce\xcf\x59\xbb\xd5\xd6\x81\xc6\xda\x71\x9b\xa8\x69\x68\xa2\x91\x86\xb2\xe5\x60\x51\x87\x67\xc4\x73\xb8\x40\xe7\xf9\x73\x98\xa5\x69\xca\x34\x01\x1d\x5d\x03\x70\x5e\xd1\x2b\xd6\xf0\xff\xc6\x10\xa5\xc5\xf0\x2f\x73\xa6\x1c\xac\x7b\x7c\x43\x5d\xb6\x4a\x3c\xb0\x1f\x1c\x62\xbf\x1f\xa1\xed\xfc\x14\x2e\xf4\xa2\xc9\x52\xbe\x0a\x64\x64\xd5\xe5\xe4\x83\xc6\xdf\x33\xc6\x51\x6e\x9d\x97\xac\xba\xdc\x5a\x21\x85\xec\x02\x1d\x11\xa3\x94\xa6\x31\x3e\x4a\xc3\x94\xa0\x27\x03\x23\x36\x79\xbf\x8d\x41\xc9\xaa\xcb\xa1\x08\xf6\x6c\x38\x5d\x7d\x92\xed\xf1\x91\x66\xe7\x57\x31\xa9\xaa\x71\xa1\x1b\x8f\xf8\xc3\xdc\x57\xb0\x81\x82\x5c\xa1\xe8\xbb\xb6\xbb\x46\xf4\x21\x4d\x2e\x17\xa5\x9c\xec\x33\xa8\x0f\x9b\x3f\xb5\x7f\x5c\x33\x3c\xf0\xb5\x4a\x35\xa7\xd1\x81\x45\x56\x36\xc4\x72\x9a\x14\xcb\x79\x4f\xdf\x1d\xbc\xcf\x27\x84\x82\x8d\xf1\xbd\xb2\x15\x6c\x3a\x6e\x0e\x02\x4c\x80\x27\x01\x21\xd8\x1c\x94\xd7\x2a\x94\xfc\xc6\x7d\x2e\x73\xb0\xd3\x4c\x81\x92\xb8\x05\x88\x8a\xff\xeb\x80\x01\x68\x8f\x42\x0d\x2c\x43\x88\x65\x80\x4a\x42\x47\x54\x12\x90\x1e\x8b\xf4\x58\xa4\xc7\xb6\x2b\x3d\x36\xfb\xe9\x3e\xba\x24\x34\xef\xce\xd1\x9c\x4b\xf3\xae\x4d\x99\x82\xad\x4d\x48\xb4\xbe\xf7\x31\xff\xaf\xf4\x0e\x76\x8f\x18\x26\x6a\xdd\x8a\x20\xf3\xd2\xbd\xae\x4f\x7e\xbc\x2c\x69\x15\x85\x3b\x73\x05\x41\xf0\xd9\x0a\x3c\x54\xe6\xce\xfa\xb6\xae\x03\x1e\xae\x6e\x68\x94\x5f\x74\x2f\xdf\xee\xee\x76\xff\xb8\x2a\x6b\x05\xd9\xfd\xeb\xa0\xfb\x57\xbd\xa2\x49\x15\xb9\xa0\xe4\x46\x6b\x8e\xf3\xb4\x62\xfc\xfb\xb6\xf9\xab\xd1\xcb\x8c\xb1\xf3\xcd\x56\x6d\x42\x26\xe8\x48\x13\x4f\x96\x17\x6e\xc2\xea\x23\x6c\xf5\xf1\xd1\x7e\xfa\x70\x3f\xfb\x50\x7f\xf4\xe7\x6d\x13\xfe\xf6\xfe\xde\xd9\x97\x54\x79\x83\x8c\x71\xe6\xd1\x0d\xdc\x63\x69\x4c\x4e\x27\xc6\x69\x28\x60\xe2\x0e\xf3\x2f\x91\x08\x86\x91\x8a\xfc\x4c\x63\xc9\x25\xce\xe6\x47\xf0\xe5\x8f\x1e\x1b\xca\xea\x6a\x69\x5e\x04\xfb\x3c\x65\xbc\x16\xe6\xbf\x17\xac\x97\xc5\xf9\xe3\x70\xf0\x86\x29\xf3\x52\x1f\xbd\xd8\xc7\x5e\xe8\x8b\x7e\xce\x06\x99\x1f\xec\x9b\x55\xb5\x1c\x5f\x99\x15\x54\x3e\xec\x6a\x2c\xbe\x62\xfc\x29\x1e\x9b\xf4\xdc\x05\x47\xd4\x62\x11\xb5\xa6\x3b\x61\x0d\xa3\x52\x8e\xdf\x38\x0f\x16\x29\x2a\x39\xf3\x23\x29\x17\xf3\x7a\x4c\xbd\x65\x8e\xa9\x08\xa6\x28\xcb\x6a\xb9\x28\xa7\x62\xe2\x8a\x3c\x3a\xcb\x7a\x96\x1c\x15\xfb\x0e\x80\x7d\xf9\xf8\x36\xde\x2d\x4f\xa4\x51\x3b\x81\xce\x63\xfe\x16\x7d\x3b\x7b\x05\xef\x58\x0b\x0d\x7a\x76\x1f\xa5\xd8\x48\x3c\x69\xe7\x8d\xdf\xe7\xae\xa8\x96\x55\x97\x37\xa3\x8a\x5a\xcb\x33\xcd\x3f\x33\x42\x53\x02\x21\xe6\x64\xcd\xe4\xda\xb2\x5e\x1d\xb2\xea\xfe\x4d\x29\x94\x94\x52\xc1\x9a\x00\x16\x54\xfc\x9f\x7b\xd9\x1f\xf5\xd3\xab\xdd\x07\xda\x31\xac\x23\x3e\x80\x71\xca\x39\x70\x41\xb4\x78\x49\xb4\x98\xdc\x67\x1c\xed\xfa\x59\x37\x23\x4f\x03\xcf\x68\x31\x8e\x5c\xa3\xe7\xc4\xec\x5d\xa0\xa7\xf9\xec\x35\xd6\x3f\x67\x82\x15\x74\xdd\xc3\x66\xde\x71\x2a\xb0\xaf\xa1\xf3\xbb\x3e\x66\xbc\xf1\xc6\xf0\xd9\x7d\x81\x9d\x37\x67\xb7\xcf\x13\x35\xe7\x7a\x70\xff\x6a\x82\x47\xa3\x7f\xbc\x23\xe0\xb1\x8e\xf9\x53\xce\xe0\x27\xbb\xdf\x3c\x61\xf3\x1e\x6e\xe6\x1a\x7d\x2f\xbd\xae\x6a\x39\xd2\xba\xa7\x8b\xd5\x09\xa8\x69\x93\xd4\xf4\x4f\xfa\xda\x6a\x76\x96\x04\x57\x7d\x96\x16\x1d\xae\xda\x51\xbb\xd6\x98\xe1\xda\xb0\x75\xaa\x63\xe9\xc2\x10\xed\x17\x77\x05\xd8\xb5\xb8\x8d\x6b\x83\x4d\xd9\xb8\xa9\x3c\xbe\x79\x96\x0c\x70\x17\x70\x17\x70\x17\x70\x17\x70\x17\x70\xb7\x19\xb8\xdb\x5a\x01\xb8\x4e\xa2\xe2\xc6\xe1\x6e\xe7\x17\x1d\x99\x2f\xee\x0c\x58\x55\x1c\x09\x21\xc2\xc1\x6b\x8d\x34\x27\x1b\x9b\xb3\xd4\x00\x3f\xee\xb5\x05\x0e\xf8\x31\xf8\xf1\x26\xf3\xe3\xcd\x25\x70\xa1\x84\xb9\xf3\x0c\x2e\x3b\x4b\xd3\x2c\x13\x3f\x6d\x83\xe5\x27\xdd\x28\x3a\xb0\xa1\x5a\x40\xdd\x72\x7c\xfc\x7c\x1f\xdd\x37\x56\x54\x0b\xfa\xd8\x3f\x29\xaa\x05\xa3\x6f\x6f\x61\x2a\x3b\x42\x03\xc6\xdf\x92\xaf\x2a\xaa\x85\x59\xa5\x28\x9f\x95\x4a\xf9\xa2\xac\x65\x1f\x0a\x1b\xfc\xec\x7e\x4a\xb3\xb1\xf8\xa8\xc3\xdc\x8d\xff\x5a\x31\xdc\x45\xb5\x10\xbf\xc7\xbc\x8c\xeb\xae\xd8\xbf\x79\x03\xcd\x99\x51\xc8\x6b\x15\x55\xcf\x49\x45\xa5\x54\x18\x5b\x1f\x37\x06\x6f\x3c\x28\x22\x96\x5f\xd8\x30\x20\xc5\xb2\x9a\xb7\xce\x93\x35\x9d\xfd\xfe\x12\x7b\x79\x90\x1e\x70\x35\xb5\x64\x36\x15\x3d\x58\x5f\x55\xf5\xac\xdd\xe4\xbc\x9a\x9f\xb4\x9b\x4c\x1e\x36\x4e\x9b\x74\xda\x5b\x14\xcd\x39\x2e\xdf\x80\x13\xbb\x5c\x53\x21\x03\x59\x01\xc8\x0a\xa0\x60\x1d\x64\x05\x20\x2b\x00\x59\x81\xde\x91\x15\xe8\xa2\x7a\x6c\x5d\x23\x2b\x80\x42\x61\x90\x15\x80\xac\x00\x64\x05\x20\x2b\xb0\x19\x85\xc2\x7a\x5a\x05\x00\x95\x8c\x7a\xb9\x92\x51\x66\x0b\xaa\x00\x64\xd7\xe9\x7b\x05\xdf\xbc\x4c\x97\x38\xdf\x3c\x4f\x59\x3a\x1b\xc8\x37\x5d\x24\x2a\x65\x92\xa8\x54\x00\x31\x6a\x49\xcd\x9a\x42\x38\xdf\x9c\x66\x19\x93\x6f\xba\x3a\x67\x72\xcd\x80\xae\xb9\xa8\xa6\xb8\x07\x8a\xff\x38\xf9\x63\x36\xf3\x8b\x15\x93\x02\x89\xda\x51\x71\xc4\x66\x32\x35\x81\xc0\x9e\xa3\x67\x69\xb1\xca\x3d\x35\x4b\xd3\xad\x78\x96\x70\x55\x21\x98\xb0\xc9\x60\xc2\x8f\x46\x82\xf3\xac\xae\x08\xd3\x33\x4f\x17\xb8\xe9\x39\x4b\x2d\x9a\xae\x74\x55\x84\x18\x3e\x43\x0b\x4e\x88\x61\xeb\x5a\xbf\x26\x02\x0c\x16\xe9\xb2\x2b\xc0\xa0\x65\xcd\x5b\xa6\xb1\x53\xa6\xaf\x8e\x0d\x2e\xab\x7a\x85\x92\x3f\x36\xea\x6f\x1a\x47\xcc\x88\x12\x57\x78\x8e\xba\x12\x68\x26\xa7\xc4\xd1\xb5\x66\x72\xca\x3e\xbd\xd3\x06\xb3\x3d\x61\x8b\x80\xd0\x80\xd0\x80\xd0\x80\xd0\xbd\x03\xa1\xb1\x38\x0c\x59\x1c\x76\x0f\xa5\x47\xc8\x78\x47\x42\xc6\xe1\x0c\x81\x33\x04\xce\x10\x38\x43\xe0\x0c\xe9\x69\x67\x08\x32\x87\x90\x39\x84\xcc\xa1\x76\x65\x0e\xc1\xd7\x08\x5f\x63\xaf\xfa\x1a\xb3\x85\x0e\xab\x97\x75\x8c\x46\x27\xfd\x69\xf4\x03\xec\x7e\x61\x36\x1c\x93\x4e\x5b\x51\xe3\xe6\xcf\x13\x34\x28\xf2\x03\xf4\x8a\xaa\x49\x05\xd9\xa5\x4f\x2e\x8a\x31\xe6\x74\xa5\xa4\xe6\x65\x9d\xfd\x4a\x82\xfd\xe2\x00\x91\x79\xdc\xd2\x7a\x3a\xaa\x37\x56\x80\x71\x6a\x61\xee\x82\x9a\x6f\x55\x0d\xc6\x87\xf8\x09\x0b\xa2\x17\x8b\x69\xb3\xf1\xf3\x4a\x0b\x53\xfb\x7a\xad\xce\xe2\x33\xe1\x2f\xd3\x38\xdb\x67\xbe\x4c\xde\x79\x62\x25\xec\x88\xa7\xe0\x15\x89\x42\x0e\x04\x72\x20\x50\x5a\x11\xee\x27\xb8\x9f\xe0\x7e\xea\x1d\xf7\x13\x4a\x2b\xa2\xb4\x22\xb0\x3f\xb0\x3f\xb0\x3f\xb0\x7f\x57\x60\x7f\x94\x56\x44\x69\xc5\xad\x02\x3a\x51\x5a\xb1\x1d\xa5\x15\xbf\x15\xa1\x47\x02\x20\x9f\xd0\xb0\x66\x7c\x42\xd3\x7d\x0e\xdb\x13\xc2\x5c\x81\x85\x08\x1f\x29\xc8\x15\x1b\xc1\xf1\x63\x51\x87\xd0\xbf\x0e\xe1\x0f\x3c\x2c\x44\xc4\xeb\x14\x20\xb4\x22\xcc\x4a\x95\x75\xb5\xb8\xb6\x2a\xe7\x8a\x92\xb2\x6a\xa9\x87\x8f\xe9\x9c\x7b\xb3\xdf\x8c\xb2\x0f\xf4\xd3\x3d\x39\x55\xe3\xe8\x75\x9c\xeb\x86\x8b\xdf\xac\x69\xee\xac\x79\xe6\xed\x16\x17\x79\x8b\x53\x46\x8b\xc9\x31\xae\x1e\xae\x6a\xb2\xbb\xa4\x86\xef\xa1\x82\xb5\xb7\x58\x3c\x3c\x4f\x73\x62\xa4\x33\x74\x9a\x8f\xf4\x04\x1d\xa1\x43\xc1\xd2\x45\xaa\x26\x73\x6d\x32\xbf\x0e\xde\xa9\x56\xf8\x95\x70\xe2\x79\x80\x8d\x9b\xc4\x33\x1e\x37\x29\xa7\x7f\x57\xdc\xcc\x33\xfa\xd6\x1d\xce\x33\x3a\x68\x89\x80\x6f\xec\x31\x8d\x5b\x52\xe0\x9b\xf5\xa4\x32\x3c\xe7\xaa\x2a\x73\xa7\xe9\x47\x85\x70\x4c\xe4\xea\x34\x99\xab\xf3\xc9\xbe\x56\x9a\x8c\x0b\x22\x09\xe7\x0c\xcd\x38\x49\x38\xed\x34\x41\xed\xb2\x31\x21\xe2\xdd\x99\xf7\xef\x74\x4c\xd0\xc9\x1a\x65\xcd\x8d\xd9\xa2\x7d\x42\x5f\x73\x33\x2c\x11\xe4\x35\x7b\xcd\x0e\x42\x5e\x13\xf2\x9a\x9b\x2c\xaf\xd9\xd1\x35\x6a\xdb\x3e\x10\x61\x32\x9d\xd9\x0c\x9d\x66\x27\xe3\xc7\xed\x40\x95\xc7\xdd\x9a\x99\xbe\x17\xb8\x2b\x0a\x3a\xfd\xab\x7e\x2b\xd8\x45\xca\xaf\x2a\xdc\x8f\xae\xc9\x05\x85\x7f\x21\x8c\xbd\xb3\xab\x34\xff\xd7\x23\xec\x2f\x22\xf4\xa0\xef\x71\x75\x4b\xf4\x0f\x16\xe4\xca\xa4\xdf\x59\x5b\xa0\x54\x7f\x7b\x76\xc2\x61\xef\x01\xfb\xe2\x10\x65\xcc\xc7\x52\x56\xe4\x37\x55\xe4\x12\x87\x49\xd5\x90\xc2\x0c\x47\x5a\xd3\x2b\xea\xaa\x35\xde\xae\xbe\xb1\x77\x0d\xb1\xb7\x6e\xa3\xd7\x78\xda\xb0\x49\xc6\x3f\xef\x6b\x30\x56\x89\x37\x6f\x75\x7f\xda\x6e\xbe\x45\xc1\x4b\x07\xf9\x09\x93\xee\x2e\x5a\x82\xe5\x01\x17\x46\x60\xd3\x9d\x14\xcd\xb1\x02\x00\x7d\xe6\x95\x15\xb9\x14\x30\xee\xb5\x4a\xc3\x0d\xc5\x52\x21\xe8\x09\x41\x4f\x08\x7a\x42\xd0\x13\x82\x9e\x10\xf4\x84\xa0\x27\x04\x3d\x21\xe8\x09\x41\x4f\x08\x7a\x42\xd0\x13\x82\x9e\x10\xf4\x84\xa0\x27\x04\x3d\x21\xe8\xa9\x53\x41\x4f\x9f\x49\xd2\x62\x50\xe5\x23\x0b\x26\x6e\xb0\xfe\x91\x55\xd0\xff\xab\xc3\xec\x97\xb6\xf9\x89\x10\xa6\xa3\xbf\x6e\x72\x46\x37\x5c\x2c\x59\x56\x2f\xa4\x18\x52\x4b\x18\xe3\x88\xb3\xe2\xe1\xab\x3a\xf3\xfb\x68\x2c\x9a\x9c\xa5\x5c\xc2\xb3\x7a\x76\xb5\x9d\x4a\x1e\x11\x84\xb2\x5a\x16\x31\xbd\xd5\x2b\x32\x6d\x0a\xa4\xec\x4c\x96\x72\x5d\x8f\xcf\x2d\xe1\xf1\x01\x96\x04\x96\x04\x96\x04\x96\x04\x96\x04\x96\x04\x96\x04\x96\x04\x96\x04\x96\x04\x96\x04\x96\x04\x96\xec\x2c\x96\x9c\xa6\x0c\x3b\x1d\x3f\x69\x47\xcd\xed\x71\x47\xde\x05\xec\xf7\xee\x86\xd8\x3b\xe0\x53\xe0\x53\xe0\xd3\x2d\x84\x4f\xff\x3e\x41\xe3\xc1\xf8\x34\xb0\x42\xfc\xaf\x27\xd8\xc7\x07\xfc\xd1\x68\x93\x15\xe2\x4f\xf8\x56\x88\x4f\x07\x1c\x3e\xab\x6a\x93\xc5\xa2\x0d\x2b\x5b\x17\x67\xdb\x26\x2a\x79\xc7\xf5\xce\xd2\x77\x41\xbd\x33\x68\xc5\x81\x4f\x82\x4f\x82\x4f\x82\x4f\x82\x4f\x82\x4f\x82\x4f\x82\x4f\x82\x4f\x82\x4f\x82\x4f\x82\x4f\x22\x6c\x12\xdc\x0f\xdc\x0f\xdc\xaf\x73\xdc\xef\xcf\x1e\xa6\x33\x82\xfb\xe5\x64\xcd\x6c\x45\x76\xe5\x62\x7b\xfe\xac\x14\x4a\x4a\xa9\x60\xd9\x69\x4b\xb1\x4c\x2a\x97\x35\x75\x5d\x2a\xb2\x7f\xf5\x30\xfb\xa3\x7e\xba\xcf\x7d\xc6\xd2\x7a\x3a\x7a\x84\x6b\x97\x59\x47\xd5\x4a\xd1\x4c\x39\xc7\x2f\x88\x2b\x5c\x12\x57\x48\xee\xe7\x0a\x66\xae\xe6\x16\xd3\x81\x07\x4f\x9a\xed\xb7\x58\xc5\x6c\x63\x59\xf2\x29\xcf\x20\xae\xa7\x53\x81\xdd\x0d\x45\x75\xc5\x70\x14\x37\xc7\xce\x98\x28\xce\xe7\xd9\x59\xf9\xce\x81\x1d\x68\x50\x63\xa8\x20\x57\x28\xfa\xe2\x8e\xda\xc7\x7a\xcc\x92\x3b\x6b\xe6\xc9\x1e\xb2\x44\xcf\x36\xf3\xe1\x66\x9e\xa5\x45\xba\x5c\x25\xf9\xd3\x92\xa7\x0b\xf1\x1f\x88\xa0\x35\x29\x82\xf6\x7b\x7d\xed\xb2\x38\xcf\x09\x41\xb4\x05\x7a\xda\x11\x44\xeb\x94\x35\xab\xaf\x61\xd6\x59\x63\x97\xf9\xe2\xce\x5a\x6b\x36\x5d\xa3\x9c\xd6\x8c\x59\x3b\x20\xf4\xd3\x36\xcb\xa8\x41\x43\xad\xd7\xcc\x28\x34\xd4\xa0\xa1\xb6\xc9\x1a\x6a\x9b\xb6\x42\x0e\x93\x3d\xeb\xec\x57\x25\x3b\x4b\xd3\x2c\x13\x3f\x6d\x07\x69\x3d\xe9\x0e\xf5\x0a\x6c\xa3\x36\xd8\xab\xe5\x32\x68\x1f\x4d\xd0\x13\x62\x8b\x27\xaa\xa0\x1a\xbb\xba\xb2\x9a\xcf\x2b\xba\xb6\xc6\xa7\xfd\xf2\x5a\xbe\x20\x57\x74\xf6\xfd\x09\xf6\xed\x7e\xda\x21\x8e\x32\x3e\x8a\xe9\xfa\x21\x1c\xf3\x6a\x7e\xda\x6e\x24\xc3\x1b\x49\x8e\x19\xa7\x88\x5a\xa9\x8b\x69\x9f\x03\xb6\x5a\xc0\xc6\x75\x7a\x4a\xcc\x6e\x63\x56\x1b\xb3\xfb\x24\x1d\xa7\x89\xc0\xd9\x6d\x96\xc6\x35\x3e\x60\xb5\xf7\xde\x92\x10\x8d\xd7\x85\x4f\xea\x43\xec\x80\x39\xa9\x45\x77\x2c\x25\xc1\xda\x1e\xa1\x80\x1f\x82\x32\x10\x94\x81\xa0\x0c\x04\x65\x20\x28\x03\x41\x19\x08\xca\x40\x50\x06\x82\x32\x10\x94\x81\xa0\x0c\x04\x65\x20\x28\x03\x41\x19\x08\xca\x40\x50\xc6\xa6\x04\x65\x7c\xe8\x1a\xed\x0d\x2b\x22\xa7\xe6\x2b\xf2\x6a\x99\x6f\x2e\xd8\xb7\xae\xb2\xe7\x07\x9d\x2a\x40\xc3\xa1\xd8\xee\xb2\x79\x6a\xf2\x31\xe3\xd0\x9a\x7a\x3f\xce\x01\x5d\x8e\xe7\x32\x40\x56\x40\x56\x19\x20\x2b\x20\x2b\x20\x2b\x20\xab\x9e\x41\x56\x99\xae\x41\x56\x2d\xef\x49\xd3\xc8\x2a\x03\x64\x05\x64\x05\x64\x05\x64\x05\x64\xd5\x79\x64\x95\xe9\x69\xc2\x94\x01\x61\x6a\x1f\x61\xca\x74\x3b\x61\xca\x6c\x41\xc2\x94\x7d\x3d\x4d\x89\xb0\xa6\xe3\x34\xc1\xc3\x9a\x0e\xd0\x38\xed\x0b\x2f\x7c\xea\x90\xa1\x96\x04\x33\x3d\x15\x1e\xcc\x94\x64\x43\x35\x25\x51\x9d\x5e\x78\x02\x98\xe2\x7f\xbb\xdd\x81\x60\xaf\x16\xdf\x9c\x98\xe4\xe1\x5d\x8f\x8b\xbf\x76\x82\x78\x09\x40\x95\xa1\xd3\x74\xb2\x2a\x22\x3a\x45\x23\x1b\x19\x69\x44\x41\x23\x99\xa4\xc9\x64\x92\xaf\xf5\xd1\x29\xf1\x9e\x1f\xa1\x43\xfc\x3d\xdf\x47\x1b\x9c\x7d\x34\x2d\xd2\x46\x4e\xd0\x31\x27\x6d\x64\xe3\xad\xcc\x18\xad\x8c\xf3\xe8\xc9\xed\x93\x39\xe3\x6b\xd1\x54\x33\x61\x06\xa7\xb5\x06\xa5\x8e\xfd\x2a\xab\x7a\x85\x92\x9f\x1f\x71\x0c\x8e\xb9\x9c\x8d\xe5\xd4\xa2\xb1\x39\x35\x3f\x36\x6e\xe3\xb3\x57\x1c\x21\x8c\xcf\x94\x7d\x58\x27\xcc\xd0\x65\xba\x44\xf3\x6e\x33\x94\xcc\xd0\xe9\x26\xd2\x32\xa6\xf9\x1d\x5c\xe4\x38\x55\x07\x78\x05\x78\x05\x78\x05\x78\xed\x21\xf0\x8a\xa5\x58\xc8\x52\xac\x7b\xc8\xf4\xcb\x11\xfa\x6a\x84\x7d\x25\x12\xfd\xb2\xfd\xa8\x3e\x16\xb9\xec\xde\x0b\x2a\xa5\x98\x2e\xf6\x73\xb1\x65\x79\x45\xb8\x71\x6d\x66\xe2\x7c\xb2\xcc\xb7\x84\x0f\x96\x6b\xd1\x57\x52\x4b\xa3\x25\xb9\x20\xf1\x47\x62\x6e\x07\xdd\x8b\x43\x41\x4f\xed\xc9\x60\xae\x0e\x94\xd5\x55\x39\x6f\x2c\x3f\x8b\xb7\x1d\xff\xaa\x63\xda\x95\xe2\x88\xb9\x4b\xe4\xb7\x1b\x2b\x68\x52\x8e\xcf\x13\x45\xcd\xdb\x1f\x1e\xe7\xe3\xc0\x5d\xd7\xd6\x73\x59\xd3\x8d\x4e\xba\x07\x4a\x32\xce\xb4\x6e\xc8\xbc\xc8\x8a\x78\xdf\xac\x26\x52\xa2\x9f\x22\xa7\xcc\xa7\x8f\x71\xc6\xbb\x30\xcf\x7b\xe0\xb7\xfb\x85\x03\x00\x0e\x00\x38\x00\xe0\x00\x80\x03\xa0\xa7\x1d\x00\x5f\x88\xd0\x4b\x11\xf6\x62\x24\xfa\x82\xfd\xb5\x7d\x7f\x64\xda\x55\xdf\xb0\x5c\x94\x25\x5d\xb6\x5f\xfd\x79\x4d\x2d\x4b\x05\xfe\x1d\x16\xd9\xa2\x9e\xf0\x1f\xeb\x71\x3b\x05\x12\x8d\x07\x9e\x4e\x1d\x4e\xc5\x16\x84\x1d\x11\x1f\xc9\xb2\x5c\x32\xa6\xa9\xf3\x15\x91\x63\xaa\x56\xbe\x2e\x95\xac\x70\x24\x6d\x4d\x1e\x5b\x91\x8a\xd6\xea\x3f\x2e\x7e\x8d\xc7\x56\x94\x92\x54\x54\xde\x6c\x99\xef\x65\x39\x26\xe5\x39\x4d\x57\xc7\x04\x5c\xcd\x3b\x4b\x4b\xd1\x78\x42\x77\x4e\x12\xeb\xed\x54\x6c\x46\xe1\x26\xc9\xd5\x71\x55\xab\xbd\x33\xc7\x83\x51\x11\xcb\x7d\xbe\xfa\x53\x2b\xd7\x53\xf1\x5d\xa2\x3f\xd3\xd6\x8d\x78\xe3\x9a\xde\x39\x40\xef\x18\x60\xcf\x0f\x44\xbf\x6b\x07\xb7\x7d\xa9\xff\x8a\x69\x07\x8d\x29\x7a\x5d\xbd\x15\x2b\x48\xda\xb2\x54\xf0\x60\x07\x7b\xa1\x26\x6b\x2b\xaa\xb6\x6a\x8c\x85\x6f\x4f\x2f\x56\x5d\x3c\xb8\xa3\x7c\x59\x63\xad\x49\x44\x52\xa9\x31\x23\xf2\x72\x4e\xc9\x3b\x0b\x6b\xfe\x6d\x14\xa9\xe7\xd6\xe8\x1a\x1f\x27\xf3\xcb\x61\x7d\xfd\x52\xae\x61\xb4\xec\xa6\xed\x36\xb0\x43\xda\xbc\x17\x4b\xc5\x04\x33\xe2\xb6\xd8\xbd\x5a\x4d\x88\x7b\x48\x18\x7b\x1e\xfe\x2f\xef\xc4\xd0\x8f\xc5\x12\x19\x29\x77\xb3\xa0\xa9\x6b\xa5\xbc\x71\x14\x8f\x25\xe3\x07\x55\x0d\x9c\x58\xac\x98\x2b\x20\x6f\x23\xd6\x1d\x2c\xdb\x2d\x1d\x8b\x25\x66\x55\x4d\x76\x35\x1b\xcb\x49\x7a\x4e\xca\x1b\x77\x6f\x8e\x8f\x88\x1e\xe4\xed\xe9\x62\x39\x5d\xd3\xe0\x8a\xdd\x46\x2a\x7e\x7f\xb9\x7a\xde\xb8\xd7\x36\xf0\xaf\xc1\xbf\xd6\xa3\xfe\xb5\x6c\x21\x90\xfa\xd2\x79\x01\xb7\x67\x68\x8a\xc3\xed\x13\x74\x8c\x8e\x36\x41\x35\x17\x2a\x52\x65\x4d\xb7\x18\x72\xd2\x1f\xfa\x3e\xc0\xee\x17\x6f\xb3\x63\x69\x1b\x75\x60\xb9\x99\x72\x3d\xf6\xbc\x05\x0b\xfd\xb0\x7f\x48\xd2\xf1\x90\x58\x75\x4d\xb6\x29\xb5\xb1\x48\xd3\x8c\xf1\x73\xaa\x2b\x7f\x2a\xc9\xfe\x65\xbf\x83\xd1\x87\xb8\x5a\xa0\x77\x9b\x7b\xc9\x69\x60\xca\x6e\x20\x39\xcc\xd5\x01\xab\x3c\x79\xbe\x87\xb6\x58\x13\x30\x4f\x73\x62\xde\x65\xe8\x34\x9f\x77\x13\x74\x84\x0e\x85\xfa\x31\x7c\xbb\x16\xea\xd1\xb8\x12\x3e\xc3\x0e\xb0\xf1\xea\x59\xe5\x7f\xad\x8d\x48\xfe\x7d\xc3\xe5\x4b\xdd\x6b\x49\xfd\x35\xf2\x58\x46\x2c\x69\xbf\xce\x3f\x99\x0c\xaf\xa6\x52\xe5\x6d\x6d\xfa\xd1\x00\xf6\xc1\xef\xda\xa4\xdf\xf5\x93\x7d\xad\x34\x11\x17\x84\x07\xf6\x0c\xcd\x38\x1e\xd8\x76\x9a\x9c\x10\xb1\xbe\x76\x59\xa4\xe4\x07\x76\x39\x26\xe7\x51\x73\x25\x2e\x05\x58\x19\x8f\x2f\xb5\xb3\x46\xa6\x3d\xbe\x54\x18\x9b\x10\x63\x03\x9e\xdf\x11\x9e\x0f\x90\x03\x90\x03\x90\xd3\x2e\x90\x93\xfd\x74\x5f\x6b\x37\xad\x74\x49\x04\x56\x9d\xa3\x39\x57\x60\xd5\x1d\xb6\x19\xb6\x40\x88\xf9\x2f\x10\x76\xb0\x7b\xc4\x30\xb5\x6f\x8d\x90\xf9\x91\x9d\xce\x1a\xe1\x40\x8d\x66\x6f\x23\xfb\x93\xa4\xd0\xe8\xed\xec\xc2\x01\xca\xbc\xbd\xb6\x5c\x81\x32\x2f\x94\x79\x37\x59\x99\xb7\xa3\x9c\x2a\x54\x8d\xb7\x5d\x9f\x84\x6c\x86\x4e\xb3\x93\xf1\xe3\x36\x34\x7d\xdc\x2d\xbc\xeb\x7b\xfe\xdd\x50\x61\x9d\xbd\x27\x49\x57\xcc\x8a\xcd\xf9\x55\x85\x2b\x36\x68\x72\x41\xe1\x5f\x08\x45\x2d\x39\x25\x5c\x44\x09\x67\x4e\xef\xc7\xb8\x61\x95\x8c\x59\x78\x4b\x5e\xbe\xae\xaa\x37\x3d\x91\x9f\x36\x93\xfd\xe5\x61\xf6\x9f\xb6\xd1\x23\xbe\x0d\x2f\x99\x2d\x46\x3f\xd7\x67\x7a\x04\x9c\x04\x17\xc3\xda\x88\x81\xb3\xc4\x46\x16\xed\x0b\x5e\x11\x17\x9c\x72\x5f\x30\xe5\xda\x18\x4c\xd8\x5b\x8a\x04\x6f\x37\xe1\xc4\xde\x7a\x82\x29\xd5\xb2\x6c\xef\xf7\xf4\x8a\x2c\xe5\x47\x9c\xa0\x13\xbe\x47\x32\x43\x14\x94\x8a\xbc\xea\x98\xd3\x84\x27\x4e\xcc\xd5\x76\x2a\x79\x8a\x5f\x6e\xd2\xef\x5e\x17\xc5\xad\xd6\xbf\x89\x2e\xd7\x48\xc9\xde\xa4\x79\x61\x06\xe6\xe8\x0c\x37\x03\x93\x74\x8a\x4e\x34\xf1\xe5\xe7\x39\x4d\x33\xeb\x72\x29\x3c\xf1\xe7\xfb\xc2\x5f\xf6\xab\xec\x39\xab\x90\x74\x9d\xf9\x6b\x9a\x81\xfa\x4f\xc0\x6d\x0f\x44\x81\xe9\x3a\xe6\x88\x8f\x0c\xc4\x8e\xa1\x1c\x03\xb1\x63\x24\x30\x20\x81\x01\x09\x0c\xbd\x94\xc0\x00\xb1\x63\x88\x1d\x23\x70\x1c\x81\xe3\x08\x1c\x47\xe0\x78\x57\x04\x8e\x67\xcf\xd1\x1c\x3b\x13\x9f\xb1\xc9\x4b\xd2\x4d\x6f\xea\x6f\xfb\xda\x5f\x3b\x09\xca\xc9\x88\xbb\x85\x72\xf2\xd6\xd1\xb5\x61\xff\xe2\x5e\x3a\x68\x42\x51\x93\x49\x55\xc1\xd0\x31\x5d\x2e\xae\xe8\x6b\xdc\xba\x69\x6b\x45\x59\x37\x36\x20\xf2\x2d\x9d\x7d\x9e\xe2\x9f\xdd\x46\xbb\x3c\xa7\x2d\xad\xa7\xa3\x8f\xd9\x3a\x32\x0b\x72\x71\x65\x41\x9c\x79\xc9\x38\xf3\x12\x3f\x33\xb9\x57\x1c\x30\xe9\x3e\x71\x31\xed\x7f\x70\x8b\x23\x91\x16\xe9\x32\x5d\xaa\x72\xea\xd5\x89\x45\x4a\x79\xc7\x64\x3d\x9d\xf2\xef\x65\xf6\x67\x22\xc1\x21\xd7\x0b\x82\x25\x9e\xa7\x2c\x67\x89\xd3\xd4\x82\x0b\xd2\xb3\x22\xc2\xed\x69\xba\xe8\x44\xb8\xb5\xa6\xe5\xd7\x09\xf7\xf8\x25\x9a\x77\xb9\xc7\x5b\xd2\x74\xb8\xc6\x11\xd7\x08\xb9\x71\x23\x1c\x85\x9e\x61\x33\x16\x0a\xf5\x99\xb5\x26\x02\x0d\xb8\x41\x8f\x2b\x04\x5e\xd9\xfa\x5e\xd9\x2c\x22\x56\x03\x22\x56\x5b\xee\x9e\x7a\xdb\x30\x1d\x11\x96\x58\xaf\xa8\x9a\x54\x90\xfd\x1d\x52\xe6\x8f\xb9\xa2\xa4\xeb\xb2\xed\x7f\xfa\x8f\x43\xec\x1f\x07\xe8\x3e\xf3\x47\xdb\xe3\xf4\x89\x46\x3c\x4e\x0b\xe2\xa4\x29\xa3\xc5\xae\xf0\x2f\x3d\xc6\x2f\x67\x76\xcb\xf4\x28\xb9\x3b\x09\xff\xd1\x46\xbc\xc9\xc2\x7d\x73\x63\x29\xdc\xaa\x1e\x67\x13\xa6\x55\xf5\xce\x40\xcb\x9e\xba\x1e\x41\xad\x03\x09\xfe\x21\xf8\x87\xe0\x1f\x82\x7f\x08\xfe\x21\xf8\x87\xe0\x1f\x82\x7f\x08\xfe\x21\xf8\x87\xe0\x1f\x82\x7f\x08\xfe\xa1\x0e\xfb\x87\x8e\xd2\x61\x76\x30\xbe\xdf\xf6\x0f\x3d\xe8\xf6\x0f\xb9\xf7\x70\xf0\x06\xc1\x1b\x04\x6f\x10\xbc\x41\x2e\x6f\xd0\x97\x86\xe9\x98\xa5\x4d\x22\x70\x63\x80\x42\x89\xf1\xda\x29\x39\x59\xca\xe5\x8c\xe5\x8a\x8d\x21\x7f\x6c\x98\xfd\xf5\x80\x93\x6f\xf6\xa9\x86\xf0\xa3\x68\x6a\x52\x34\xd5\x15\x00\x72\xcf\x2d\xbf\x8c\x37\x6f\x47\x01\x21\x6b\x21\xe4\x7c\x38\x63\x1c\x65\x7b\x2d\xef\x8c\x7b\x34\xc9\x5f\xf1\x07\x51\xe9\xa0\x8e\xa0\x8e\xa0\x8e\xa0\x8e\xa0\x8e\xa0\x8e\xa0\x8e\xa0\x8e\xa0\x8e\xa0\x8e\xa0\x8e\xa0\x8e\xdd\x46\x1d\x8f\xd1\x51\x76\x38\x7e\xd0\xa6\x8e\x51\x0f\x75\xf4\xec\xf5\xee\x06\x31\x01\x90\x4d\x90\x4d\x90\xcd\x2d\x44\x36\xbf\x39\x44\xe7\x1a\x12\xff\x68\x4c\xf7\x83\xfd\xdb\x21\xf6\x13\xdb\xe8\xc1\x20\xc1\x8f\xe8\x0f\x9a\xe8\x53\x29\xe5\x95\x75\x25\xbf\x26\x15\x3d\x14\xd4\x5e\x08\x77\x40\xee\x23\x95\x3c\x59\x4f\xb0\xa3\x7e\x0f\xce\x2b\x3a\x50\xa7\x0f\xea\x7c\x73\x38\xea\xbc\xc2\x9e\x69\x87\x5e\x07\xdd\xd8\xe3\x0f\x45\x77\x32\xe2\x83\xc2\x2b\x05\x03\x8c\x02\x8c\x02\x8c\x02\x8c\x02\x8c\x02\x8c\x02\x8c\x02\x8c\x02\x8c\x02\x8c\x02\x8c\x02\x8c\x02\x8c\x76\x18\x8c\x82\x3c\x82\x3c\x82\x3c\xf6\x30\x79\xfc\xfe\x25\x9a\x16\xe4\x31\xaf\xe8\x39\xd5\x30\x7a\xd5\x99\xdd\x01\x41\x96\x72\x29\x5f\x56\x95\x52\x45\x2f\x2a\x39\x59\x67\xff\xfe\xf5\xec\xd3\x83\x74\xbf\xdd\x8a\x9d\xe5\xbd\x57\x2c\x1e\x35\xf3\xb3\x67\xd9\x45\x2b\xc0\x72\xc6\x6c\x66\xc1\x68\x26\xc9\x0f\x9e\xb6\xda\x30\xb3\xab\x9d\x20\x47\xcf\xc1\x5d\x0e\xfe\x32\x60\x5c\x60\x5c\x19\x30\x2e\x30\x2e\x30\x2e\x30\xae\x9e\x61\x5c\x99\xae\x61\x5c\x2d\xef\x49\xd3\x8c\x2b\x03\xc6\x05\xc6\x05\xc6\x05\xc6\x05\xc6\xd5\x79\xc6\x95\xe9\x69\x24\x95\x01\x92\x6a\x1f\x92\xca\x74\x3b\x92\xca\x6c\x41\x24\x95\xbd\x41\x17\x45\xc0\xd4\x59\x9a\xe5\x01\x53\xa7\xe9\x24\x1d\x0f\xd4\xf7\x74\xb8\x95\x49\x9c\x52\x1e\x4a\x74\x5e\xd1\xc3\xe3\xa5\x82\x45\x3f\x79\xb8\xd2\x8d\xe5\xf0\x78\xaa\x53\xec\x84\x19\x4f\x55\x0d\xd2\xcc\x18\x2a\x4f\xaf\x6a\x15\xea\xe2\xbf\xb7\xc3\x8f\x9e\xbd\xd6\xd2\xab\x2d\x55\x91\xb2\x51\xf1\x43\xa7\x59\x99\x40\x5b\x1b\x2c\x3f\x19\xf6\x8c\x50\x7e\x12\xa5\xf9\x9b\x14\x3a\xfd\xa1\x3a\xda\xc6\xe7\x84\x19\x99\xa6\x0c\x37\x23\xc7\xe9\x0e\xa6\xa8\x08\xe2\x4c\xf3\x20\x4e\x5b\xd3\xf8\xce\x5a\x7c\x5a\x68\x19\x67\xe9\xac\x4b\xcb\xf8\x8e\x9a\xb4\xcc\x59\x63\xe6\xaa\x21\xb3\x14\x64\xd3\xc2\x74\x92\x93\xdf\x1e\xf1\x33\x67\x71\xb3\x90\xb3\xab\x2a\xb6\xba\x52\x65\xd9\x0e\x8b\x63\xaa\x2d\xdb\x94\x7d\x4a\x67\x6c\xdc\x65\xba\x44\xf3\x6e\x1b\x57\x4f\x8b\xbb\x4e\xd8\xee\x34\xbf\x9b\x8b\x9c\xf2\xea\xe0\xc1\xe0\xc1\xe0\xc1\xe0\xc1\x3d\xc4\x83\xb1\xb6\x0b\x59\xdb\x75\x0f\x30\x7f\x39\x42\x5f\x8d\xb0\xaf\x44\xa2\x5f\xb6\x1f\xd5\xc7\x22\x97\xdd\x5b\x54\xa5\x14\xd3\xc5\x36\x33\xb6\x2c\xaf\x08\xef\xb2\x8d\x72\x9c\x4f\x96\xf9\x96\xf0\xc1\x72\xad\x22\x4b\x6a\x69\xb4\x24\x17\x24\xfe\x48\xcc\x5d\xaa\x7b\xb5\x29\xa0\xae\x3d\x19\xcc\xb5\x82\xb2\xba\x2a\xe7\x8d\xf5\x6c\xf1\xb6\xe3\xf6\x75\x4c\xbb\x52\x1c\x31\x37\xaf\xfc\x76\x63\x05\x4d\xca\xf1\x79\xa2\xa8\x79\xfb\xc3\xe3\x7c\x1c\xb8\x47\xdd\x7a\x2e\x6b\xba\xd1\x49\xf7\x40\x49\xc6\x99\xd6\x0d\x99\x17\x59\x11\xef\x9b\xd5\x44\x4a\xf4\x53\x54\x07\xf7\xe9\x63\x9c\xf1\x2e\xcc\xf3\x1e\xf8\x6d\xca\xe1\x97\x80\x5f\x02\x7e\x09\xf8\x25\xe0\x97\xe8\x69\xbf\xc4\x17\x22\xf4\x52\x84\xbd\x18\x89\xbe\x60\x7f\x6d\xdf\x1f\x99\x76\x65\xd4\x96\x8b\xb2\xa4\xcb\xf6\xab\x3f\xaf\xa9\x65\xa9\xc0\xbf\xc3\xf3\x6a\x51\xc9\xdd\xf6\x44\x25\x59\x8f\xdb\x49\xc9\x35\x1e\x78\x3a\x75\x38\x15\x5b\x10\x76\x44\x7c\x24\xcb\x72\xc9\x98\xa6\xce\x57\x44\x8e\xa9\x5a\xf9\xba\x54\xb2\xa2\xa4\xb4\x35\x79\x6c\x45\x2a\x5a\xab\xff\xb8\xf8\x35\x1e\x5b\x51\x4a\x52\x51\x79\xb3\x65\xbe\x97\xe5\x98\x94\xe7\x90\x5f\x1d\x13\xcc\x37\xef\x2c\x2d\x45\xe3\x09\xdd\x39\x49\xac\xb7\x53\xb1\x19\x85\x9b\x24\x57\xc7\x55\xad\xf6\xce\x1c\xc7\x4a\x45\x2c\xf7\xf9\xea\x4f\xad\x5c\x4f\xc5\x77\x89\xfe\x4c\x5b\x37\xe2\x0d\xb7\x7a\xe7\x00\xbd\x63\x80\x3d\x3f\x10\xfd\xae\x1d\x73\xf7\xa5\xfe\x2b\xa6\x1d\x34\xa6\xe8\x75\xf5\x56\xac\x20\x69\xcb\x52\xc1\x03\x21\xec\x85\x9a\xac\xad\xa8\xda\xaa\x31\x16\xbe\x3d\xbd\x58\x75\xf1\xe0\x8e\xf2\x65\x8d\xb5\x26\x29\x8b\xbb\x52\x8c\xf5\x42\x4e\xc9\x3b\x0b\x6b\xfe\x6d\xe4\xdb\x1c\x7b\x74\x8d\x8f\x93\xf9\xe5\xb0\xbe\x7e\x29\xd7\x30\x5a\x76\xd3\xf6\x66\xd8\x91\x76\xde\x8b\xa5\x62\x82\x29\x71\x5b\xec\x5e\xad\x26\xc4\x3d\x24\x8c\x3d\x0f\xff\x97\x77\x62\xe8\xc7\x62\x89\x8c\x94\xbb\x59\xd0\xd4\xb5\x52\xde\x38\x8a\x87\xb8\xf1\x83\xaa\x06\x4e\x2c\x56\xcc\x15\x90\xb7\x11\xeb\x0e\x96\xed\x96\x8e\xc5\x12\xb3\xaa\x26\xbb\x9a\x8d\xe5\x24\x3d\x27\xe5\x8d\xbb\x37\xc7\x47\x04\x35\xf2\xf6\x74\xb1\x9c\xae\x69\x70\xc5\x6e\x23\x15\xbf\xbf\x5c\x3d\x6f\xdc\x6b\x1b\xb8\xfd\xe0\xf6\xeb\x51\xb7\x5f\xb6\x40\xe7\x05\xfb\x9e\xa1\x29\xce\xbe\x4f\xd0\x31\x3a\xda\x04\xbc\x5c\xa8\x48\x95\x35\x3d\xd4\x7f\xd6\x09\xe0\x9c\xf4\x07\xce\x0f\xb0\xfb\x85\xc5\x70\xac\x39\x6d\x41\xc9\x1e\xf6\xa1\xd7\xd3\x21\x11\x88\xaf\x2d\x4b\xb9\x54\x50\xbd\xcb\x5c\x71\x4d\xaf\xc8\x9a\xa6\x16\xe5\x65\x63\xa7\x5c\x2a\xe8\xec\x6f\xaf\xb1\xcf\x0d\xd2\xab\x8d\xf3\x26\xab\xeb\x5d\xee\xab\x1f\x7d\x3f\x25\x9a\xbb\xa4\x16\xe5\x8c\x68\x2e\x39\x6c\x9c\x71\xa9\xba\xad\xc5\x74\xed\xa1\x08\xc0\x47\x00\x3e\x02\xf0\xe1\x70\x81\xc3\x05\x0e\x17\x38\x5c\xba\xc6\xe1\xd2\x3d\xfe\x04\x80\x6e\x80\x6e\x80\x6e\x80\x6e\x80\xee\x9e\x06\xdd\x20\x71\x20\x71\x3d\x4a\xe2\xb6\x64\x00\xbe\x4c\x59\x41\x0f\xa7\x68\x92\xd3\xc3\x63\x74\x94\x0e\x07\x06\xa5\x72\x5e\xb5\x9e\x4e\xd5\x02\xa2\x96\xc4\xde\xdf\x0c\x67\x8b\x67\xd9\xac\x89\x0d\x03\xd9\x99\x19\x84\x5f\xdb\x47\x8f\x78\x69\xfc\xb7\x76\x04\x70\xb4\x87\xad\x38\x7c\x3f\x64\xb6\x57\xfc\xd8\x59\x68\x26\x18\xd7\x1c\x9d\xa1\x99\xaa\x48\xfc\x83\xb4\xbf\x89\x87\x85\x40\x2d\x04\xe1\x37\x19\x84\xff\x9d\x3e\x9a\x15\x16\xe3\x14\x9d\xe0\x16\xe3\x30\x35\x37\x09\x45\xcc\x7e\x9a\xc7\xec\xdb\x61\xf6\x4d\x37\x76\x5e\x44\xd8\xcf\xd0\x94\x2b\xc2\xbe\xe9\xd6\x9a\x37\x64\x3c\x22\xbe\xa3\x86\x2c\xf9\x03\xa3\x01\x86\x2c\xe1\x1b\x81\xef\x63\xd4\x0e\x8a\x03\xfd\x8c\x9a\x7d\x6a\xdb\xcd\x1b\x82\xf0\xc1\x84\xc1\x84\xc1\x84\xc1\x84\x11\x84\x8f\x20\x7c\x04\xe1\x23\x08\x1f\xbe\x09\xf8\x26\xe0\x9b\x80\x6f\x02\xbe\x09\x04\xe1\x23\x08\x1f\x41\xf8\x08\xc2\x87\xeb\x0f\xae\xbf\x2e\x74\xfd\x75\x3c\x08\x7f\x03\x01\xf2\x0d\xb2\xe8\x86\x50\x73\x28\xb0\x6e\x7d\xac\xfc\x37\x92\x74\xdc\x98\x60\x63\xeb\x81\xea\xf4\x16\xa2\x28\x55\xd6\xd5\xe2\xda\xaa\x9c\x2b\x4a\xca\xaa\x79\xc8\x5b\xd8\x47\x93\xec\x5f\xf6\xd3\x3d\x39\x55\x93\x97\xd6\xd3\xd1\x21\x4d\x96\xf2\x55\x5b\xd4\x79\xbb\x81\x45\xde\xc0\x94\xd1\x40\x72\xd8\x38\x72\x4a\xd5\xe4\x45\x97\xd2\x96\xef\xa1\xad\x05\xe1\xd9\x3c\xcd\x89\xc9\x94\xa1\xd3\x7c\x32\x4d\xd0\x11\x3a\x14\xe8\xc6\x30\xee\xcc\x98\x3a\xbe\x5d\x0b\x9d\x49\x8f\xf8\xcf\xa4\x57\xb0\x81\x82\x5c\xa1\x1b\x57\xc2\x27\xcf\x01\x36\x6e\xce\x8b\x78\xdc\xf4\x58\xf8\x77\xc5\x3d\x93\xa2\xdf\xd8\xee\x3c\x93\xbd\x9a\x5c\x2e\x4a\x39\xb9\xa1\xc7\x32\x62\x1e\xbc\x09\x4f\x26\x73\x9e\xb2\x74\xb6\xca\x03\xdb\xf4\xa3\x01\xa8\x83\x13\xb6\x49\x27\xec\x27\xfb\xe8\x82\x70\x9e\x9e\xa1\x19\xc7\x79\xda\x0e\x3b\xd1\x42\x5b\x64\x99\x9c\x76\xd9\x94\x3a\xb6\xac\xbc\x56\xa1\xe4\x4f\xec\x72\x4c\xce\xa3\xe6\x2a\x5a\x0a\xb0\x32\x7b\xc5\xef\x9b\x61\x64\xda\xe3\x07\x85\xb1\x09\x31\x36\x60\xf1\x1d\x61\xf1\x80\x30\x80\x30\x80\x30\xed\x82\x30\xd9\x4f\xf5\x09\x45\xe5\x71\xae\xa8\xec\x44\x42\xf5\xfa\xd2\x20\xe6\xbf\x34\xd8\xc1\xee\x11\x23\x4f\x99\x1f\xd9\xe9\xac\x0e\x0e\x94\x25\xad\xa2\xf0\xa0\x14\x81\xb3\x1b\xda\x99\x24\xcb\x52\x25\x77\xbd\xc3\x4b\x86\x87\xab\x1b\x1a\xe5\xbd\xd8\x6b\xfc\x73\x62\xb7\xfb\xc7\x55\x59\x2b\xc8\xee\x5f\x07\xdd\xbf\xea\x15\x4d\xaa\xc8\x05\x25\x37\x5a\x73\x9c\xa7\x15\xe3\xdf\xb7\xcd\x5f\x8d\x5e\x6e\x54\x1f\xba\xce\x82\x65\x9e\x67\xf6\x62\xa1\x12\xb2\x50\xf9\x68\x3f\x7d\xb8\x9f\x7d\xa8\x3f\xfa\xf3\xb6\xb5\x7f\x7b\x7f\xef\xec\x8a\xaa\x1c\x8e\xc6\x38\xf3\x40\x2e\xee\x14\x37\x26\xa7\x93\xe2\x3f\x14\x30\x71\x87\xf9\x47\x4b\xc4\xfd\x49\x45\x7e\xa6\xb1\x3a\x13\x67\xf3\x23\xf8\x4a\x49\x8f\x0d\x65\x75\xb5\x34\x2f\x72\xdd\x9f\x32\x5e\x0b\xf3\xdf\x0b\xd6\xcb\xe2\xfc\x71\x38\x78\xbb\x96\x79\xa9\x8f\x5e\xec\x63\x2f\xf4\x45\x3f\x67\xe3\xcb\x0f\xf6\xcd\xaa\x5a\x8e\x2f\xe2\x0a\x2a\x1f\x76\x35\x16\x5f\x31\xfe\x14\x8f\x4d\x7a\xee\x82\x73\x5f\xb1\xde\x5a\xd3\x9d\x08\xae\x51\x29\xc7\x6f\x9c\xc7\xc5\x15\x95\x9c\xf9\x3d\x95\x8b\x79\x3d\xa6\xde\x32\xc7\x54\xc4\x8d\x95\x65\xb5\x5c\x94\x53\x31\x71\x45\x2e\x4e\x60\x3d\x4b\xce\x5f\x7d\x07\xc0\xbe\x7c\x7c\x1b\xef\x96\x27\x6b\xa0\xa3\x84\xaa\x6d\xdf\x84\xc7\xfc\xbf\x09\xdb\xd9\x2b\xf8\x10\x50\x36\x43\xa7\xd9\xc9\xf8\x71\x5b\x5a\xe4\x71\xfe\x4e\x99\x2f\xb8\xef\x05\xe2\x03\xc6\x21\x6e\xf1\x90\x2d\x28\x4f\xf2\xef\x47\x29\x2b\xe4\x49\xa4\xfc\xaa\xc2\x25\x20\x34\xb9\xa0\xf0\x2f\x84\x57\xa1\x64\x75\xad\x22\x19\x13\xef\x96\xbc\x7c\x5d\x55\x6f\x7a\x42\x34\x6d\x00\xfb\xb7\x23\xec\x1b\xfd\xf4\xa0\x6f\x5b\xc6\xc7\x76\xcc\x87\xc8\x3e\x65\x36\x7c\x45\x34\x3c\xe5\x6e\x38\x79\xd8\x38\x61\xd2\xaf\xb9\xc5\x74\xbd\x13\x5b\x8c\x69\xff\x29\x49\xe2\x25\x78\x8e\x9e\xe5\x2f\xc1\x25\x9a\xa7\x0b\x81\x2f\x81\xff\x58\xae\xa7\x53\xf5\xba\x7c\xa7\xf8\xf6\x4d\xe1\xef\xce\x33\x6c\x41\xbc\x31\x75\xfb\xe1\xe3\x05\xa8\x37\x39\x28\xfa\xdd\x1d\x75\x1e\xf9\xb8\x3f\xf0\xad\xfb\xd4\x27\xcc\x73\x36\xfd\xc1\x67\xf2\xb4\x4c\x6f\xa8\x5a\xf1\xb4\xfc\xc9\x63\x1d\x04\x3a\xdc\x24\x1d\x7e\xb9\x8f\x56\x04\x1d\x5e\xa2\x6b\x0e\x1d\xee\xa4\x79\xea\x80\x69\xb4\x2c\xe0\xa6\x99\xb8\x30\xdc\xfc\x97\xbb\xea\x58\xc0\x27\x6d\xfe\x5c\xd7\xe8\x1d\x15\x87\x6d\xbe\xcd\x03\x94\x06\x94\x06\x94\x06\x94\x06\x94\x06\x94\xde\x30\x94\xfe\x74\x5f\x8b\xc3\xa3\x2e\x09\xc4\x7d\x8e\xe6\x5c\x88\xbb\xcd\x21\x57\xa1\x04\xb9\xc1\x95\x48\x23\x4b\x8b\x0d\xae\x56\x32\xff\x7d\x67\x9d\xa5\xc6\xb1\x10\x98\x5d\x77\x01\x72\x84\xa3\x90\x4d\x5d\x7f\x80\x70\xf7\xda\xaa\x07\x84\x1b\x84\x7b\x93\x09\xf7\x3f\xed\x86\xad\x6d\x18\xa0\xde\xbc\x2f\x4e\x76\x8e\xce\xb0\x99\xf8\x94\x8d\xb5\x87\xdc\x68\xbc\x5e\x33\xb5\x84\xbc\xe5\xfc\xfa\xe5\xdd\x34\x63\xf2\xeb\xb2\x22\xbf\xa9\x22\x97\x78\x18\xba\x5b\x59\x7b\x4d\xaf\xa8\xab\xd6\xba\xcd\xfd\xe8\x04\xb3\x1e\xd3\xf9\x9a\x80\xfd\xef\xbb\xd9\xdf\xf6\xd3\x2e\x4f\x33\xc6\x27\xf5\x20\x47\xd6\xe2\x20\xeb\xa6\x9d\x0f\xea\x14\x6f\xdd\x12\x1a\x98\xb6\x5b\x4f\xa6\x39\xb8\x76\x37\xb6\x98\x0e\x3a\x58\xac\x4a\x5a\x8c\xac\xdf\xdd\x47\x9a\x98\xbd\x37\x49\xe1\xb3\x37\x47\x12\x2d\x05\xcd\x5e\xa7\x9f\xa3\xb6\x3a\xb3\xf3\x51\xf3\x0e\xee\x7a\x3a\x15\x74\x2b\x77\x0a\xb1\x8b\xe1\xb3\x7c\x8e\x9d\x31\x03\xd8\x83\xfa\xe0\x47\x77\x7c\x66\x07\x45\x7f\x8a\x7c\x1e\xf8\x11\x0b\x58\x6f\xf8\x99\x1f\xb0\xb0\xf5\xe6\x3d\xf6\xcc\x1a\xe9\xf4\xc6\xaa\x05\x4c\xfb\x1f\x3b\xd6\x39\x20\xd8\x4d\x12\xec\xef\x8f\x6c\x8a\x9d\xba\x25\xa8\x79\x99\x4a\x0e\x35\xef\x72\x03\x59\x5e\xeb\xb4\x81\xcc\xfc\xcd\x4e\x1f\x03\x39\x59\xb3\xc9\xdc\xb0\xa5\x1c\x17\x5b\xcd\xcd\xb1\x93\xd8\x64\xf6\x9a\xf1\xc5\x26\x13\x9b\xcc\x4d\xde\x64\x76\xe9\x72\xbc\xb1\xcf\x49\xbd\x6f\xc4\x06\x3e\x35\xe1\x51\x58\x33\x34\xc5\x26\xe3\xa7\xec\xad\xe6\x13\xee\xad\x66\xd0\x35\x3a\xb0\xcd\x7c\xef\x10\x8d\x89\x6d\x66\x49\xae\xdc\x52\x35\xe3\xb5\x77\xf6\x98\xbc\xc2\x95\xc8\x47\x1e\x53\x4a\x05\xcd\xb0\x43\x3a\xfb\xcf\x09\xf6\xc5\x01\x62\xce\x09\x4b\xe6\x91\x51\xdd\x14\x4a\x29\xe5\x95\x75\x25\xbf\x26\x15\xdd\x7a\xc1\x92\x2d\x4a\x34\x27\x9a\x4a\xb9\x9c\x4b\x13\xb6\x5b\x2a\xc1\xdb\x48\x38\x82\x80\x1e\x85\x37\xb5\x2c\xdb\x3e\x43\xbd\x22\x4b\xf9\x54\x32\xcd\x4f\xb8\x60\xf7\x66\x51\x74\xc6\xbc\xc8\x79\x45\xaf\xcc\xaa\xda\x64\xb1\x68\x47\x33\xb7\xee\x8b\xdb\x9e\x3a\x50\xd9\x9b\x34\x2f\xde\xa8\x39\x3a\xc3\xdf\xa8\x49\x3a\x45\x27\x9a\xf8\x8a\x72\xdd\xe6\x99\x75\xb9\x14\xae\x6a\x7c\x2d\xfc\x7d\x99\x60\x47\xcc\xf7\xa5\x66\xae\x98\x2f\x8b\x39\xe6\xb5\x45\xd2\x6e\xec\xf1\x7f\x41\x76\x32\xe2\xf7\xcd\x95\x93\xb3\xa8\x7f\x85\xfa\x57\x59\x68\x9d\x42\xeb\x14\x5a\xa7\xd0\x3a\xed\x19\xad\xd3\x6c\xd7\x48\x79\xb6\xbc\x27\x4d\x6b\x4c\x66\xa1\x31\x09\x8d\x49\x68\x4c\x42\x63\x12\x1a\x93\x9d\xd7\x98\x6c\x39\x65\xc8\xf6\xb4\xaa\x5e\x16\xaa\x7a\xed\x53\xd5\xcb\x76\xbd\xaa\xde\x16\x2c\xa8\xc5\x3e\x7e\x8d\x86\x05\x15\xd4\x2b\xaa\x26\x15\x64\x57\xd8\x89\x90\xa7\x93\x2a\x15\x29\x77\xdd\xf8\xe6\xea\xec\x9f\x5f\x63\x1f\x18\x24\x32\x0f\x5d\x5a\x4f\x47\x53\xf5\x8b\xb8\x8b\x5c\xd3\x49\xbb\x89\xe4\x23\xc6\xf1\x0b\xe2\xfc\xc5\x74\xf5\xcf\x5d\x8e\xeb\x50\xb6\x1d\xd8\x0a\x65\xdb\x81\xad\x80\xad\x80\xad\x7a\x08\x5b\x75\x51\x05\x9a\xae\xc1\x56\x28\x8d\x02\x6c\x05\x6c\x05\x6c\x05\x6c\x85\xb2\xed\xa8\xdd\x70\xf7\x50\xa6\xae\xaf\xdd\xb0\x25\xcb\xb6\xaf\x88\xe2\xc9\xfb\x78\xf1\xe4\xc8\xc5\x73\xec\x38\xd5\x09\x16\x4e\x59\x28\x6a\x3d\x9d\xaa\x26\x44\x2d\xa9\xdb\xfe\xfa\xf0\x08\xa8\x63\xec\xa8\x4f\x84\xb9\x97\x91\x99\xa1\x50\xd5\x5d\xa4\xf8\xcf\xed\xf0\x30\xb2\x87\xec\x02\xed\x35\x38\xec\x31\xf1\x53\xfb\x81\x98\xe0\x57\x59\x3a\x4b\xb3\x55\x51\xdb\x87\xe8\x40\x33\x0f\x02\x11\xdb\x48\x97\x69\x32\x5d\xe6\xbb\x7d\x74\x46\x98\x83\xd3\x74\x92\x9b\x83\x23\xd4\xe4\x2c\x14\x42\x0d\x69\x2e\xd4\x60\xe7\xc0\x34\xdf\xda\x53\x42\xa8\x61\x96\xa6\x5d\x42\x0d\xcd\x37\x17\x66\xa7\x1a\xb3\x43\x1b\xb2\x3d\x9e\x58\xe5\x90\xb2\xef\xc9\x97\x47\x3c\x76\xea\x49\xdf\xfa\xeb\x35\x36\x6b\x58\x1c\x66\xdb\x2c\xa7\xe6\x7a\x9b\xad\x17\x2a\xae\x03\xe7\x02\xe7\x02\xe7\x02\xe7\xa2\xe2\x3a\x2a\xae\x43\x50\x0f\x15\xd7\xe1\x56\x80\x5b\x01\x6e\x05\xb8\x15\xe0\x56\x68\x89\x5b\x01\xba\xaa\xd0\x55\x85\xae\x2a\x2a\xae\xc3\x6b\x07\xaf\xdd\x16\xaf\xb8\xde\x18\x5a\x6e\x00\x22\xfb\xd3\xe7\x8d\x54\x74\x6f\x83\x62\xe2\x30\x8d\x07\x04\xad\x0b\x1d\x0b\xf3\xcf\xb9\xa2\xa4\xeb\xb2\x5d\xd9\xe7\x97\x86\xd9\xbb\xfa\xe9\x3e\x87\x78\x0b\x29\x8b\xc7\x7c\x0a\xfa\x98\x70\x7b\xca\x68\x20\xf9\xa8\x71\x80\x8d\xbb\xf9\x49\xee\xdf\x5b\x2c\x7a\x98\xa3\xb3\x62\xa6\x4c\xd2\x29\x3e\x53\x8e\xd2\x61\x3a\xd8\x80\xff\x81\x77\x2c\xe5\xee\xd9\x9d\x2a\x19\x2e\x85\x4f\xa2\xe3\x6c\xa2\x9e\x7f\xc2\xd3\x9b\x1a\xad\x88\xe8\xd7\xb7\xd7\x3e\x8e\xb8\x7f\xb1\x1d\xcf\x13\x79\xdc\x3c\xa6\x53\x0f\x25\x73\x8e\xe6\xe8\x4c\x95\xe3\xb4\xd9\xa7\x02\xfe\x06\xcf\x69\x93\x9e\xd3\x8f\xf7\xb5\xd0\x38\x3c\x25\x5c\xa7\xb3\x34\xed\xb8\x4e\x37\xc5\xd6\x70\x51\xc0\x76\xdb\x9a\xe4\x8f\xee\xaa\xb5\x35\xaf\xb1\xcb\xda\x78\xcc\x4b\xac\xca\xc3\xd9\x6e\xeb\x82\x6a\x35\xa8\x56\x73\xf7\xc2\x75\x50\x15\x50\x15\x50\x95\xb6\x55\xab\xf9\x44\x2b\xd7\x04\x17\x44\x00\xd4\x19\x9a\x71\x05\x40\xb5\x71\x51\x10\x5e\xa5\xa6\xdd\xeb\x82\xcc\x0f\xed\xac\x5d\x17\xec\x0d\xa9\x41\xe3\x59\x2d\x3c\xc6\x85\x1f\x3b\xb1\x58\x80\xea\x6f\xaf\x2d\x51\xa0\xfa\x0b\xd5\xdf\x4d\x56\xfd\xed\x24\x8f\x6a\xb7\xb1\x0f\x57\xef\x3d\x4a\x87\xd9\xc1\xf8\x7e\x5b\xbd\xf7\x41\xb7\x7a\xaf\xbb\xf1\x0e\x28\xf6\xfe\xa7\xab\xf4\xd0\x98\x54\x56\xc6\xd6\xd3\x63\x65\xbb\x7c\xbb\x50\xe5\xd0\xd9\x67\xaf\xb2\x77\x0d\xd2\x3d\x39\x55\x6b\x44\x88\xa3\xba\xfc\x7b\x32\x6a\x1c\x3f\xa5\x6a\xf2\x62\xba\xfa\x37\xa8\x70\x40\x85\x03\x2a\x1c\x08\xdb\x46\xd8\x36\xc2\xb6\x11\xb6\xdd\x35\x61\xdb\xdd\x13\x95\x8c\x70\x59\x84\xcb\x22\x5c\x16\xe1\xb2\x08\x97\xed\xe9\x70\x59\xc4\xf3\x21\x9e\xaf\x47\xe3\xf9\xb6\xa4\x0a\xc7\x06\x49\x5e\x4e\xd5\x78\x5a\x7b\x35\x1e\x6a\x89\x04\xc7\xa5\x70\xd2\x37\xc6\x46\x4d\xd2\x17\x8f\x9b\x74\xaf\xba\x2b\x9e\x48\xc5\xf8\xbf\xd8\xe1\xe0\x30\x47\x73\xa3\x86\x7c\xed\x16\x3f\xb5\x99\x7d\x09\x54\x75\x86\x66\x68\xaa\xca\x61\xb2\x9f\xd2\x1b\x1e\x73\x78\x4a\x10\x33\xd6\x64\xcc\xd8\x3f\xf4\xd1\xb4\x78\xed\x4f\xd0\x31\xfe\xda\x1f\xa4\x66\xa6\x20\xcd\x89\x78\xb1\x0c\x9d\x76\xe2\xc5\x9a\x6c\x2a\x2b\xdc\xcc\x53\x34\xe9\x72\x33\x37\xd9\x56\xf3\x96\x88\x8b\x60\x34\x68\x89\x7c\x42\xa2\x83\xad\x52\xf2\x0f\x47\x1c\x4b\xe4\xaf\xaa\x51\x63\x95\x06\xc5\x61\xc2\x2a\x39\x92\x1a\x6d\xb6\x4f\x90\xd4\x00\x9b\x05\x9b\x05\x9b\x05\x9b\x85\xa4\x06\x24\x35\x10\xf5\x0b\x49\x0d\xf8\x08\xe0\x23\x80\x8f\x00\x3e\x02\xf8\x08\x5a\xe2\x23\x40\xf2\x07\x92\x3f\x90\xfc\x01\x49\x0d\xb8\xe0\xe0\x82\x6b\xb9\xa4\x46\x10\xfa\x6d\xad\xd6\x86\x05\x92\xdb\xe0\xb2\xda\x5c\x19\x8d\xdf\x8d\xd0\xbd\x42\x46\x43\x2a\x97\xf5\x31\xf6\x6b\x11\xf6\x2b\x11\x1a\x30\xfe\x27\x1a\x2d\x70\x0b\x6d\x7c\x27\xec\x07\x28\xc5\xf8\xcd\x25\xef\x2b\xc8\x95\xc9\x72\x59\x9f\x9c\x9f\x3b\x63\xfc\xa1\x75\x4c\xba\xa6\xa1\x89\x9a\x86\x26\x1a\x69\x28\xab\x88\x4c\xb6\x7d\x3c\x93\xcd\x98\x02\xa7\xe8\x04\x1d\x6b\x62\x0a\x58\xf7\x18\xe6\x66\x60\x9f\x1d\xa2\x7d\x62\x30\x97\x8d\xf7\x61\x6c\x3d\x2d\x5e\x8c\xb1\x92\xb4\x2a\xeb\x65\x29\x67\xe9\x90\xf0\x7f\xbf\x65\xec\x86\xba\xac\xb3\x1f\x1c\x62\x3f\x39\x40\xdb\xf9\x19\x4b\xeb\xe9\xa8\x6a\xae\xdc\x4b\x79\x65\x5d\xc9\xaf\x49\x45\xb7\x23\x59\xb2\x77\xc9\x59\x75\x39\xe5\x5a\x03\x4d\xd8\xab\xa7\x04\x3f\x3f\xe1\xd0\x69\x0f\x6e\x54\xcb\xb2\x4d\x38\xf4\x8a\x2c\xe5\x53\xc9\x47\xf8\x09\x19\xe3\x3f\x8b\xe9\x0b\x56\xef\xf2\x59\x75\xf9\xbc\xa2\x77\x7b\x39\xce\xec\x4d\x9a\x17\x4f\x79\x8e\xce\xf0\xa7\x3c\x49\xa7\xe8\x44\x13\x4f\x99\x3b\xee\x67\xd6\x1b\xd1\x6c\x3f\x1b\x6e\x05\x9e\x64\x7b\x4c\x2b\xc0\x1f\xac\x69\x08\xb2\xea\xb2\xf7\xdd\xdf\xe3\xff\xee\xef\x64\xc4\x6f\x91\xfb\xc9\xb3\xc8\x75\x40\xae\x43\x16\xfe\x34\xf8\xd3\xe0\x4f\x83\x3f\xad\x67\xfc\x69\xd9\xae\x71\x17\xb5\xbc\x27\x4d\xfb\x31\xb2\xf0\x63\xc0\x8f\x01\x3f\x06\xfc\x18\xf0\x63\x74\xde\x8f\x91\x7d\x03\xbd\x9e\x5d\x8d\x3f\x67\xeb\x02\x4c\x98\x57\x16\xf1\xa4\xc6\x02\x67\xad\x72\x3d\xa6\xe7\xd4\xb2\x3c\x12\xd3\xd7\x72\xd7\x8d\xd1\xe7\x2b\x58\x59\x5a\x15\x40\xbb\xac\xa9\xfc\x4e\xe3\x3b\x6c\x0c\xd0\x4e\xf9\x80\x6c\x4f\xb3\xe1\x2c\xd8\x70\xfb\xd8\x70\xb6\xeb\xd9\xf0\x16\x4c\xcf\x60\x5f\x4d\xd2\xac\x20\x88\x39\x55\xd5\xf2\x4a\x89\x37\x52\x2d\x6d\x1c\x80\x13\xb9\x17\xd5\x56\x3a\x7e\x5f\x92\xfd\x70\x3f\xbd\xda\xdd\x8e\xad\x6d\xf5\xa0\x8f\xdc\xf1\x79\xe3\xec\xe4\xa0\xf1\xcb\x94\xeb\x1c\x53\xcc\xca\xe1\x82\xfc\xb8\x16\xeb\x1d\x4b\x34\x2b\x20\xde\x29\x3a\xc1\x21\xde\x61\x3a\x48\xfb\xeb\xc4\x81\xbb\xc6\xc6\x12\x99\xe1\xfd\xba\x53\xb5\xe3\x6b\xe1\x64\x6f\x82\x1d\x31\xc9\x9e\xcf\x23\x32\x39\x9f\xe8\x4b\xad\xd6\xf1\xd7\xb6\x07\x3c\x90\x87\xfd\x05\x8f\xc5\x33\x19\x36\x7f\xec\xf4\x63\xc9\xcc\xd1\x19\x9a\xa9\xca\x5c\x69\xee\xb9\x20\x38\x12\xb9\x2b\x4d\xe6\xae\x7c\xa4\xaf\x65\xc6\xe1\x9c\xc8\x5e\x99\xa6\x8c\x93\xbd\xb2\x09\x96\x86\x6b\x1d\xb7\xd7\xd2\x24\x3f\xb0\x2b\xc0\xd2\xbc\xca\x96\x3b\x16\xc6\x65\xc8\xca\x39\xe9\xb0\x6d\x81\xde\x31\xf4\x8e\xef\xde\xc8\x67\x84\xbc\x21\xe4\x0d\x21\x6f\x6d\xd3\x3b\xfe\x74\x1f\x5d\x12\xe9\xa3\xe7\x68\xce\x95\x3e\xda\xa6\x82\x3a\xed\x89\x25\x6a\xef\x0a\x20\x5c\x56\x39\xf3\xee\x9d\x01\x6b\x84\x27\x42\xa4\x8f\xc5\xca\x21\xc1\xe5\x32\x3b\xb9\x70\x80\xf6\x71\xaf\x2d\x57\xa0\x7d\x0c\xed\xe3\x4d\xd6\x3e\xee\x1c\x9b\x6a\xf3\x07\x21\x54\xf7\x78\x9c\xf6\xb1\x54\x7c\xc4\xf6\x6f\xdc\xef\xd6\x3d\xe6\xad\xd6\x0a\x1e\x6f\x3d\x9f\x08\xfb\xab\x41\xba\xdf\x92\x54\x96\x4b\xf9\xb2\xaa\x94\x2a\x3a\xfb\xa3\x41\xf6\x42\xbf\xa3\xd8\x90\xa8\x2f\xa5\x3c\x63\x9d\x97\xdc\xe3\x68\x28\xdb\x7f\x9c\x55\xb5\xc9\x62\xd1\xfe\x0c\xb6\x4e\xfd\xbf\x4d\x31\x94\x57\x69\x52\x4c\xf1\x09\x3a\xc2\xa7\xf8\x38\xed\xa3\x54\xa8\x0c\x87\x7d\xbf\x2d\x51\x03\x3a\x17\x3e\xfb\x87\xd8\x60\x75\x68\xb5\xdd\x07\x4f\x5c\x25\x42\x26\x11\x32\x89\x90\x49\x84\x4c\x22\x64\x12\x21\x93\x08\x99\x44\xc8\x24\x42\x26\x11\x32\x89\x90\x49\x84\x4c\x22\x64\xb2\xc3\x21\x93\x08\x68\x44\x40\x23\x02\x1a\x7b\x38\xa0\xf1\x4b\x83\xf4\x2a\x1b\xb6\x71\xb8\xc2\xfe\xe3\x20\xfb\x55\x17\x69\xdb\x13\x42\xda\x8c\x93\x92\x8f\xb9\x28\x9b\xf1\x87\xad\x46\xd8\x9e\xa5\x13\x82\xb0\x1d\xa2\x03\x9c\xb0\xa5\x68\x84\x92\xe1\x84\xcd\xb8\xd7\x96\xd0\xb5\x33\xe1\x74\xed\x09\x16\xaf\xa1\x6b\x3c\x1d\x1a\x64\x0d\x64\x0d\x64\x0d\x64\x0d\x64\x0d\x64\x0d\x64\x0d\x64\x0d\x64\x0d\x64\x0d\x64\x0d\x64\x0d\x64\x0d\x64\x0d\x64\x0d\x64\x0d\x64\x6d\x33\xc8\xda\x0f\x0d\xd3\xbc\xa9\xdc\x98\x37\x96\xb2\x8a\x5a\xd2\xe4\x82\xc2\x63\x9b\x7d\x72\x86\x85\x10\x21\xdf\x38\x4a\xc6\x72\xe5\x96\xbc\x7c\x5d\x55\x6f\x7a\x36\x80\x3a\xfb\xe5\x21\xf6\x0b\xdb\xe8\x11\xdf\x16\xed\xf0\xf0\x1f\xec\x6b\x4c\xa2\x70\xd1\xbe\xd8\x15\x71\xb1\x29\xf7\xc5\x5a\xa4\x5e\x38\xc5\x4f\x98\xf4\xeb\xb0\x19\x8e\x5e\xbf\x1b\xd0\x38\xf4\x07\x8a\x8d\x28\x13\xde\xf8\xbe\x70\xaa\x78\x95\x3d\x67\x52\xc5\x7a\xd3\xd4\xe4\x8d\xf5\x1f\x55\x6d\x4c\x2b\x68\x24\x68\x24\x68\x24\x68\x24\x68\x24\x68\x24\x68\x24\x68\x24\x68\x24\x68\x24\x68\x24\x68\x24\x68\x24\x68\x24\x68\x24\x68\x24\x68\x64\xa7\x68\xe4\x3b\x87\xe9\xa0\xa0\x91\x42\xef\xa3\x8a\x3b\x96\xd5\xbc\x2e\xe7\xd6\x34\xa5\x72\x9b\xff\xae\x38\x3a\x85\x2f\x0d\xb1\xe7\xb7\xd1\xab\xc4\x69\x36\x63\xfc\x55\x93\x31\xba\xc1\x62\xc9\xb2\x67\x56\x6c\xe0\x3c\x17\xdf\xe1\xad\xce\x9b\xc2\x28\x2d\x60\x8a\x23\xce\x2a\x86\xaf\xd4\xcc\x6f\x9e\xb1\x10\x72\x96\x67\x09\xcf\x8a\xd8\xd5\x76\x2a\xb9\x87\x5f\x4e\x74\xc8\x44\x90\x35\x1d\x05\x71\xac\x25\x8e\xc1\xf9\xe9\xbc\x63\x74\xe3\x6a\x38\x6d\x3c\xca\x0e\x9b\xb4\x51\xcc\x27\xab\x00\x53\xf5\xf8\x03\x25\x02\x25\x02\x25\x02\x25\x02\x25\x02\x25\x02\x25\x02\x25\x02\x25\x02\x25\x02\x25\x02\x25\x02\x25\x6e\x3a\x4a\x3c\x49\xc7\xd9\x44\xfc\x88\xad\x28\xf6\x88\x5b\x85\xac\x66\x23\x57\xab\x48\x06\x14\x09\x14\x09\x14\xd9\xc3\x28\xf2\xaf\x23\xf4\xb0\x55\xd2\x5a\x91\xdf\x54\x91\x4b\xfc\x69\x59\x01\x91\xec\xf7\x22\xec\x77\x22\xf4\x4a\xcf\x8f\x75\x6b\x5d\x3f\xc8\x6b\x5d\xbb\x8e\x46\xd1\x6b\x57\xd1\xeb\x7f\xfe\x10\x1d\xa9\x2a\x7a\x5d\xa7\xdc\xb5\x49\x7d\xc7\x74\x2e\x85\xcc\x7e\xfb\x41\xf6\x9f\x23\xae\xe2\xd7\x31\x5e\x98\x46\xfc\x68\xcd\x67\x67\x71\x94\x55\x97\x93\x8f\x1a\x47\xf8\x15\xab\x16\xe2\xca\x2d\x2e\x4c\xb3\x40\x47\xc4\x70\xa6\x69\x8c\x0f\xe7\x30\x25\xe8\xc9\xc0\xbc\x6d\x7e\x1f\xc6\xe8\x65\xd5\xe5\x3b\x2d\x45\xd3\xb2\x22\xd3\xd1\x9f\xdc\xee\x1a\xe1\x3d\x56\xa5\x99\x7a\x83\xfc\xb8\x79\x50\xa7\xc6\x39\x73\x8c\x8e\xd2\xe1\x2a\x61\xe5\x46\x07\x1a\x2a\xca\xa8\x2d\xd3\x64\x6d\x99\xf7\xf4\x09\x5d\x86\x34\xd7\x65\xb0\x6b\xc2\xb4\xe0\x25\x6f\xde\x6e\x34\x58\x3f\xa6\x31\xf3\xe0\x6f\x11\x3c\x46\x23\xf3\x95\x7b\x5d\xe6\x61\xa4\x46\xfa\xbd\x9e\x9d\x78\x8c\x2b\x07\x77\xc2\x4a\x40\xfa\xbd\xd7\x8c\x16\xa4\xdf\x21\xfd\xbe\xc9\xd2\xef\xed\x5c\xfd\x85\xa9\xb1\xb7\x6e\xfd\x97\xdd\x47\x29\x36\x12\x4f\xda\x44\xe5\x3e\x37\x51\xc9\xaa\xcb\x77\x85\xaa\xfb\x77\x76\xd3\x65\xb1\x0d\x59\x29\xaa\xb7\x8c\x37\x52\x53\x8b\x29\xdb\x25\x5c\x9d\x0e\x57\xd6\x14\x55\x53\x2a\xb7\x8b\xf2\xba\x5c\xf4\x26\xc1\x55\x6d\x51\x7e\x66\x37\x7b\xeb\x00\xed\x76\xb5\x3a\x69\x35\x6a\x47\xab\x1c\xae\xbb\x6d\x99\x37\xaf\x75\xde\xb8\x96\x27\xa3\x29\x79\xca\x38\x71\xd6\xa7\x69\x2b\x70\x24\xf0\xd4\xb6\x6c\x77\xd6\xe8\x39\x31\xe1\x17\xe8\x69\x3e\xe1\xcf\xd1\x1c\x9d\x09\x9c\xf0\xee\x91\xb6\x4a\x1d\x04\xf7\xf8\x4e\x37\x44\xff\x24\xfc\x85\x78\x96\x2d\x9a\x2f\x44\xbd\x49\x60\x05\x85\x04\xf7\xb4\xb6\x72\xe7\xdb\x28\x64\x0a\x4c\x84\xed\xab\xea\xcc\x82\x8c\x79\x6e\xd7\x4c\x84\xcc\x35\xfa\x5e\x7a\x5d\xd5\x6a\xa7\x75\x33\x01\x8b\x1f\xec\xd8\x9a\xdc\xb1\xfd\x49\x5f\x5b\x4d\xd4\x92\xd8\x0d\x3e\x4b\x8b\xce\x6e\xb0\x4b\x6c\x20\xdf\xf5\x35\x66\x03\x6b\xcc\x57\x4b\x8c\x62\xe6\xbb\x3b\x43\x6c\xe0\x54\xc3\x9b\xc7\x3a\xc6\xf0\x34\x5f\xff\x74\x85\x29\xc4\xa6\xb3\xd7\xec\x2e\x36\x9d\xd8\x74\x6e\xf2\xa6\x73\x73\xd7\xe0\xa1\xdb\xd2\xcd\x5c\x85\x67\xcf\xd0\x0c\x9b\x8a\x4f\xda\xfb\xd2\x41\x4f\x6c\x40\x60\x4b\xed\x0f\x12\x60\x3f\x32\x44\xc9\xaa\xfc\x07\x27\xf5\x21\xaf\xe8\xda\x1a\x7f\x23\x96\xd7\xf2\x05\xb9\xa2\xb3\xaf\x26\xd8\x1f\x0f\xd0\x0e\x3b\xe9\x21\xfa\x7d\x8d\x49\xaa\xcc\xab\xf9\x69\xbb\xb1\x0c\x6f\xac\x45\x3a\x2a\x07\x3c\x59\x0b\x3e\xd7\x39\xaf\xe8\x5b\x4e\x76\xb9\x6b\x85\x53\x5e\x17\xfe\x16\x1d\x62\x07\x02\x52\x19\xaa\x9f\x0c\x04\x9a\x91\xc7\x80\x3c\x06\xe4\x31\x20\x8f\x01\x79\x0c\xc8\x63\x40\x1e\x03\xf2\x18\x90\xc7\x80\x3c\x06\xe4\x31\x20\x8f\x01\x92\x28\xc8\x43\x40\x1e\x02\xf2\x10\x36\x25\x0f\xe1\x0f\x87\x69\xc2\x2a\x7d\x26\x50\x60\x40\x5c\xbc\xd5\xd8\x1b\xd7\xd4\x8a\x64\xeb\xa2\xbc\x77\x98\x7d\x7d\xc0\x29\x93\xf6\xc9\x46\x04\x51\xac\x6d\xde\xd3\x46\x4b\x5d\x21\x86\x12\xe7\x97\x13\x95\xdb\x9c\x00\x51\x4f\x3f\xbb\x1f\x22\x06\x06\xf9\xb6\x9c\x2e\x5a\x10\xf1\x62\x38\x1f\x1c\x61\xc9\xea\x72\x6d\x9e\x61\xf5\x50\xc1\x50\x71\x15\x60\x43\x60\x43\x60\x43\x60\x43\x60\x43\x60\x43\x60\x43\x60\x43\x60\x43\x60\x43\x60\x43\x60\x43\x60\xc3\x0e\x63\xc3\x09\x3a\xc2\x0e\xc5\x0f\xd8\x21\x4e\x0f\xb9\x43\x9c\x3c\x1b\xbc\xbb\x21\x6d\x07\x50\x13\x50\x13\x50\x73\x0b\x41\xcd\x8f\x0e\xd3\xfe\x86\xa0\xa6\x2e\xe7\x34\xb9\x62\xd3\xcc\x6f\x0e\xb1\x3f\x72\xd1\xcc\x5f\x6a\x84\x66\x2e\xf0\x26\xba\x02\x63\x3e\xec\x8b\x31\x45\x07\xbb\x9f\x5f\x76\xa1\x96\xf3\x86\xb2\x5b\x6d\xc0\x29\x06\x1c\xf1\x8e\x00\x97\x00\x97\x00\x97\x00\x97\x00\x97\x00\x97\x00\x97\x00\x97\x00\x97\x00\x97\x00\x97\x00\x97\x9b\x09\x2e\xf7\x53\x9a\x8d\xc5\x47\x6d\xf8\xc8\xdc\xe0\x52\x6c\xdc\x40\x2c\x41\x2c\x41\x2c\x41\x2c\x3b\x4a\x2c\x3f\x1f\xa1\x9d\x6e\x7d\x62\xf6\x99\x08\xfb\x3f\x23\xb4\x8d\xff\x5f\x5d\xdd\xe7\x5d\x05\xb9\xc2\xb5\x2d\xa1\xf7\xec\xd2\x7b\xfe\x17\x49\x9a\x14\xe3\x99\x53\x55\x2d\xaf\x94\x78\x07\x1d\x7d\xb5\x20\x20\x5c\x94\x25\xdd\xa9\xfa\xf7\x9b\xc3\xec\xdb\x11\xba\xcf\xdd\xc4\xd2\x7a\x3a\xfa\x20\x17\x52\xf3\x72\x87\xf3\xc6\x89\xc9\xc7\x8d\x5f\xa6\x5c\x87\xbb\x41\x2c\x3f\xa4\xc5\x5a\x68\x57\x69\x52\x8c\xec\x04\x1d\xe1\x23\x3b\x4e\xfb\x28\x15\xa8\xc3\xe0\x19\x8c\xf5\x74\x8a\x77\xe9\x4e\x25\xcf\x9e\x0d\xa7\xa4\x07\xd9\x7e\x93\x92\xfa\x3c\x0e\x13\x9b\x8a\xbe\x78\x34\xa1\x7f\x67\x7b\xed\xe0\x3f\x6c\x49\x98\xf9\x8d\xff\x13\xe6\x8f\x1d\x7c\x04\x99\x69\xca\xd0\xe9\x2a\xf9\x9b\x0d\x3f\x03\x88\xde\x40\x6c\xac\x49\xb1\xb1\x9f\xed\x6b\x85\x0d\x98\x15\x9a\x62\x86\x61\xb6\x35\xc5\xda\x61\x4b\xda\x66\x2c\x42\x44\xc9\x92\xef\xd9\x55\x6b\x4b\x5e\x25\x76\x76\x31\xc9\x34\x1f\x7b\xc4\xff\x77\xd2\x7a\x5c\xa6\x4b\x34\xef\xb6\x1e\xc9\x0c\x9d\x6e\xe2\xcb\x38\xcd\x7b\x7e\x91\xfb\x0f\x74\x58\x93\x30\x6b\xf2\x72\x84\xbe\x1a\x61\x5f\x89\x44\xbf\x6c\x0f\xd0\xc7\x22\x97\xdd\x0b\x53\xc5\xd8\x1f\xf1\xc5\x65\x6c\x59\x5e\x11\xbe\x33\x7b\xa3\xea\x38\x68\x4c\x36\xc0\xbb\xe8\xb2\x16\x25\xb5\x34\x5a\x92\x0b\x12\x1f\x08\x73\x6d\xea\xb6\x2a\x02\x59\xd9\x8f\xc0\x9c\x87\xca\xea\xaa\x9c\x37\xec\x56\xf1\xb6\xe3\xd4\x72\x1c\x19\x4a\x71\xc4\x5c\xb2\xf2\x45\x7b\xac\xa0\x19\xdf\xc1\xb2\xac\x29\x6a\xde\x5e\x7a\x3b\x9f\x44\xee\x2f\xb4\x46\x63\x4d\x37\x3a\xe9\x5e\xee\x4b\xc6\x99\xd6\x0d\x99\x17\x59\x11\xf0\xc6\x6a\x22\x25\xfa\x29\xb4\xa7\x7c\xfa\x18\x67\xbc\x0b\xf3\xbc\x07\x3e\x4b\xf1\xcc\x17\x22\xf4\x52\x84\xbd\x18\x89\xbe\x60\x0f\xf3\xfb\x23\xd3\x2e\x4f\x79\x99\x2f\xb8\x6c\xd2\x36\xaf\xa9\x65\xa9\xc0\x1f\x80\x10\xf9\xf1\x38\xdb\xac\x7b\x71\x5c\xed\xc6\x53\x4a\xa7\x0e\xa7\x62\x0b\xe2\x81\x88\xd1\x29\x1b\x3b\x31\x63\x37\x6b\x41\x5b\x39\xa6\x6a\xe5\xeb\x52\xc9\x72\xfe\x69\x6b\xf2\xd8\x8a\x54\xb4\x9c\x1c\x71\xf1\x6b\x3c\xb6\xa2\x94\xa4\xa2\xf2\x66\x8b\x96\x2e\xcb\xc6\x52\x9f\xef\xfd\xc6\xc4\x12\x3f\xef\x10\x74\xd1\x78\x42\x77\x4e\x12\x6e\x85\x54\x6c\x46\xe1\xd3\xd9\xd5\x71\x55\xab\xbd\x33\x67\x1f\x5d\x11\x5e\x0d\xfe\xb2\xa9\x95\xeb\xa9\xf8\x2e\xd1\x9f\x69\xeb\x46\x3c\x5e\xc4\xcc\x3b\x07\xe8\x1d\x03\xec\xf9\x81\xe8\x77\x6d\x57\xf2\x97\xfa\xaf\x98\xd8\xd1\x78\xa5\x8c\x8d\x6c\x41\xd2\x96\xa5\x82\x1c\xcb\xa9\xc5\xa2\xcc\x0d\xa1\xf3\x5e\xc8\x9a\xb1\x91\x30\xc6\xc2\xb7\xa7\x17\xab\x2e\x1e\xdc\x51\x3e\x9f\xad\xc9\x28\xf4\x7f\x8c\x79\x9a\x97\x73\x4a\xde\xf1\x1f\x70\x14\x2d\xb4\xc9\xac\xd1\xd5\xf9\x76\x86\xff\x6a\xc1\xe6\x94\x6b\x18\x2d\x4c\x69\x6f\x5e\x6d\x07\xb2\xf7\x62\xa9\xd8\x64\xce\xd8\xe7\xf2\x4f\xac\xdb\x38\x24\xc4\x3d\x24\x62\xa3\xe6\x83\xf7\x4e\x0c\xfd\x58\x2c\x91\x91\x72\x37\x8d\xaf\x4c\x29\x6f\x1c\xc5\x3d\xb7\xfc\xa0\xaa\x81\x13\xbe\x01\x73\xea\x7b\x1b\xb1\xee\x60\xd9\x6e\xe9\x58\x2c\x31\xab\x6a\xb2\xab\xd9\x58\x4e\xd2\x73\x52\xde\xb8\x7b\x73\x7c\x84\xaf\x9e\xb7\xa7\x0b\xeb\x55\xd3\xe0\x8a\xdd\x46\x2a\x7e\x7f\xb9\x7a\xde\xb8\x3f\xfd\x9f\xee\xa3\xf3\xe2\xd3\x3f\x43\x53\xfc\xd3\x7f\x82\x8e\xd1\xd1\x26\x3e\x1f\x42\x94\x92\x2e\x19\xad\x8d\x73\x31\xb7\xed\x62\x6c\xe5\xfc\x9d\xb6\x19\xb6\x22\x88\xf9\x7f\xb7\x77\xb0\x7b\xc4\x30\xb5\x71\x83\x91\xf9\xd6\xbd\xb5\x8b\x82\x27\x6a\xf4\x41\xfd\x76\x1a\xf1\xb2\x88\xb5\xe9\xc8\x4a\x01\x12\x9f\xbd\xb6\x3e\x81\xc4\x27\x24\x3e\x37\x59\xe2\xb3\x23\x68\x29\x54\xc9\xb3\x6d\xb6\x3f\x3b\x4e\xfb\x58\x2a\x3e\x62\x7b\x75\xee\x77\xbb\x82\xf8\xf1\x77\x83\x27\x88\xbd\x2f\x49\x63\x55\x9a\x9f\x66\x71\x09\x35\xaf\x9b\x55\x4a\xf9\x2f\x8a\xc3\x3d\xff\x7c\x98\xfd\x68\x3f\xbd\xca\x16\xfe\x14\xc2\xd9\x4f\xf8\x60\xcf\x9a\x52\xa7\xc9\xb8\x71\x94\xa5\xd0\x29\xa4\xb0\xab\x8f\x69\x31\x03\x2d\x6c\x68\x11\x94\x32\xd7\x8e\xb6\x0c\x6d\x75\xef\xee\x14\x87\x5e\x0d\x9f\xb1\x47\xd9\xe1\x00\xd5\xcc\xaa\xae\xd4\x96\x78\xf8\xf6\xf6\x9a\xe7\x92\xf0\x27\xa2\xb5\x8f\xe6\x49\xf3\xc0\x4e\x3e\x9d\xcc\x45\x7a\x8a\xce\x55\x2d\x1d\xee\xe4\xf1\x60\xed\x00\x52\xda\x24\x29\xfd\xb5\x3e\x7a\x5a\x60\xce\x2c\x9d\x75\x30\x67\x9b\xcc\x45\x6b\xad\x52\x83\xa5\x17\x1a\x33\x3e\x41\xa5\x17\x42\xac\x51\xf2\xa7\x77\xd5\x18\x9f\xa8\x8d\x50\x6b\xed\xcd\x13\xe2\xb7\x8e\x9a\x1b\xf0\x54\xf0\x54\xf0\x54\xf0\x54\xf0\x54\xf0\xd4\x76\xf3\xd4\xf0\xb5\xc1\xc6\x79\xea\x9d\x6f\x4f\xc2\x79\x6a\x5b\x77\x28\x99\x7f\xb5\xb3\x66\x91\xb0\x2f\x04\xa9\xd6\x2e\x1d\xf6\x94\xdd\x85\x1e\xda\xbd\x72\x00\x5f\xed\xb5\xf5\x0a\xf8\x2a\xf8\xea\x26\xf3\xd5\x4e\x63\xab\xb6\x5a\xfd\x50\x90\x9b\x3d\x49\xc7\xd9\x44\xfc\x88\x8d\x4e\x1f\xf1\x54\x45\xaa\xbe\x42\x07\x8a\x21\x7d\x7b\x98\x32\x0d\x89\x04\x58\xe6\xaf\x54\x59\x57\x8b\x6b\xab\x72\xae\x28\x29\xab\x36\x2b\xfd\xc4\x30\x7b\xdb\x36\x47\x33\xe0\x33\x8d\x68\x06\xcc\xdb\x2d\x2e\xf2\x16\xa7\x8c\x16\xbb\x42\x42\x20\xe9\x2b\x21\xe0\xdb\x5f\x28\x0a\x34\xa1\x28\x70\x25\xfc\x25\x3c\xc0\xc6\xab\x15\x05\x7c\xc7\x1f\x02\x03\x10\x18\x80\xc0\x00\x04\x06\x20\x30\x00\x81\x01\x08\x0c\x40\x60\x00\x02\x03\x10\x18\x80\xc0\x00\x04\x06\x20\x30\xb0\x99\x02\x03\x19\x3a\xcd\x4e\xc6\x8f\xdb\x98\xe3\x71\x0f\xe6\xf0\xdb\xc7\xdd\x0d\x51\x66\xd0\x1b\x80\xde\x00\xf4\x06\xb6\x90\xde\xc0\xfb\x87\xe9\x90\x88\x0a\x95\xca\x65\xbd\x4e\x42\x7c\x5e\x92\x57\x8d\xa5\xa1\x23\x92\xfa\x5f\x87\xd8\x7f\x89\xd0\x3d\xc6\x79\x4b\xeb\xe9\xe8\x6e\x9f\xa8\xd0\x69\x7e\xd2\x82\x5c\x49\x3e\x62\xfc\x3a\x59\x2e\xeb\x6e\x9c\x68\xff\xdc\xe2\x40\xd0\x67\xe9\x84\x20\x7e\x87\xe8\x00\x27\x7e\x29\x1a\xa1\x64\x20\x51\x37\xee\x80\x87\xfa\x58\xdd\xb9\xd3\xc8\xcf\xa7\xc2\xe1\x5e\x92\x0d\x99\x70\xcf\xb8\xba\x89\xf7\x9c\x0e\x78\xb2\xdf\x7f\x61\xbb\x33\xca\x8f\xf9\xc7\x78\x3a\x03\x1d\x33\x0f\xe8\xd0\x58\x67\x4e\xd3\x49\x3a\x5e\xe5\xb1\xdc\xd0\x60\xc3\x47\x89\x38\xce\x26\xe3\x38\x7f\xb2\xef\x4e\x5f\xf4\x8c\x08\x03\x3d\x46\x47\x9d\x30\xd0\xce\x19\x0b\x1e\xa9\xd9\x5a\x63\x91\xfc\xee\x7d\x8e\xb1\x60\x76\x4c\xa6\x63\x1f\x1e\x13\x7f\xeb\x94\x79\x40\x18\x26\xc2\x30\x11\x86\x89\x30\x4c\x84\x61\x22\x0c\xb3\x37\xd3\xda\x5b\xfb\x7d\x0f\x8f\xea\xcc\xfc\xf9\xbd\xce\x0a\x60\x28\x24\xe0\xd2\x59\x17\x3c\xca\xc3\x73\x3a\xb0\x2c\x40\x8c\x65\xaf\x2d\x46\x10\x63\x89\x18\xcb\x4d\x8e\xb1\x6c\x3b\x11\x6a\xb1\x95\x0f\x8d\xa2\x3c\x44\x07\xd8\x78\x7c\x9f\xed\x1a\x78\x8d\xdb\xbd\x60\x37\x7a\x37\xb8\x14\xd8\x07\x93\xf4\xb4\x89\x28\xd7\x2a\xaa\x9e\x93\x8a\x4a\xa9\x10\x1a\xac\xc9\x9f\x8f\xf1\x36\x17\xcb\x6a\xde\x3a\x51\xd6\x6c\x7a\xf9\x87\xc3\xec\xa7\xb6\xd1\xab\x5c\x4d\x1a\xdf\xcb\x5f\x6f\x24\x6a\xf3\xac\xdd\xf4\xbc\x9a\x9f\xb4\x9b\xee\x8a\xb8\xcd\xfd\xfc\x72\x93\xce\x5d\xb9\xbf\xe6\x01\x1d\x47\x00\x67\xed\xfb\xbc\x1c\xfe\x3e\x9f\x62\x27\xac\xf7\xd9\x19\x6e\xf3\xb5\x0e\x18\x69\x54\xb9\x47\x2c\x27\x62\x39\x11\xcb\x89\x58\x4e\xc4\x72\x22\x96\x13\xb1\x9c\x88\xe5\x44\x2c\x27\x62\x39\x11\xcb\x89\x58\xce\xae\x8e\xe5\x9c\xa6\x0c\x3b\x1d\x3f\x69\x43\x93\x3d\x6e\xd8\x12\xb0\xd5\xbb\x1b\xd0\x0b\xa2\x39\x11\xcd\x89\x68\xce\x2d\x14\xcd\xf9\xfc\x28\xcd\xfb\xa0\xd2\x71\x21\xf4\xd9\x24\x29\xfd\xa5\x11\xf6\x62\x3f\x3d\xe0\x21\xa5\xa2\xc5\x68\xd2\x27\xe6\x33\xc0\x1e\x26\x0f\xf3\x08\x50\x17\x98\x14\x6d\x74\x8e\x4e\x0a\x98\xa8\xd1\x15\x01\x13\xe7\xe9\x02\x87\x89\x67\x69\x96\xa6\x83\x3d\x01\x4e\x87\x53\xe6\x5d\xa7\x82\xe0\xde\x1d\x46\x8d\x16\xc2\x91\xe3\x34\xcb\x38\x04\x71\xdc\x23\xd9\xd7\x38\x83\x8c\xfe\xd6\x0e\xff\xa7\x39\xea\x1f\x5b\x1a\xf4\x40\x27\xac\x48\xd3\xcd\x7e\xa6\x99\xe7\xe8\x59\x5a\xac\xf2\xe8\xb6\xe8\xa1\xc2\xbb\x8b\xe8\xd4\x26\xa3\x53\xff\xa0\x8f\xae\x8a\xf0\xd2\x67\x68\xc1\x09\x2f\x6d\xbf\xbd\x69\x9b\x85\x6b\x30\xa2\xb5\x31\x43\x76\x07\xbe\x13\xd3\xf2\x25\x3f\xbf\xcb\xdf\x90\xc5\xec\xb8\xd7\x20\xdb\x75\xd4\x8c\x82\xdd\x74\xd3\x85\xf8\x58\xc4\xc7\x22\x3e\x16\xf1\xb1\x88\x8f\x45\x7c\x6c\x6f\xc6\xc7\x76\x6a\xb5\xd0\x40\xe4\xec\xef\xee\xf4\x5f\x4f\x1c\x0a\x89\xa2\x0d\x5a\x65\x1c\x29\x57\x07\xe3\x74\x7c\x91\x81\x68\xdb\x5e\x5b\xda\x20\xda\x16\xd1\xb6\x9b\x1c\x6d\xbb\x89\x8c\xad\xb1\xaf\xc9\x06\x3f\x1d\x3e\x1f\x9f\xf0\x08\xdd\x5e\x75\x1a\xb1\x17\x86\xad\x92\xfb\x22\x0e\xd1\x55\x6c\xbf\x6e\xc4\xae\x38\xda\xa2\xce\xcf\x0f\xb3\x3f\x1b\xa0\x1d\xe2\x8f\x4b\xeb\xe9\xe8\x87\x1b\x09\xcd\xe5\xc1\x9d\x5d\x11\x88\xbb\xfb\x96\x1d\x6c\xea\xc9\xa8\xe1\x7f\x41\xc4\x6d\xed\x9b\x7b\x29\xfc\xcd\x1d\x63\xa3\xe6\xab\xe8\x99\x59\xe6\x4a\x50\x5c\x06\x11\xb6\x88\xb0\x45\x84\x2d\x22\x6c\x11\x61\x8b\x08\x5b\x44\xd8\x22\xc2\x16\x11\xb6\x88\xb0\x45\x84\x2d\x22\x6c\x11\x61\xdb\xcd\x11\xb6\x75\x6b\x70\xf3\x8d\xdd\xdd\x80\x46\x10\x4f\x8b\x78\x5a\xc4\xd3\x6e\xa1\x78\xda\x6f\x26\x68\x44\xa0\x4c\xbd\xa2\x6a\x52\x41\xae\x61\x99\xe6\xdf\x73\x45\x49\xd7\x65\x9d\xfd\x56\x82\xfd\xda\x00\x91\xf9\xd7\xa5\xf5\x74\xf4\x4d\xe6\x57\xb6\x94\x57\xd6\x95\xfc\x9a\x54\xf4\x00\x4c\x7b\x45\xbb\x20\xce\x98\x32\xda\x69\x09\xbf\x4c\x25\x1f\xe5\x27\x98\x0d\x2f\xa6\xdd\x57\x38\xaf\xe8\x60\x90\x3e\x0c\x72\x8f\x3f\x2f\xdc\xc9\x88\x77\xcc\x18\x69\xba\xf1\x5c\x38\xa8\x3c\xcc\x0e\x9a\xa0\xd2\x3b\x6f\x4c\x52\xe9\x7e\x14\xa8\xde\x04\x1e\x09\x1e\x09\x1e\x09\x1e\x09\x1e\x09\x1e\x09\x1e\x09\x1e\x09\x1e\x09\x1e\x09\x1e\x09\x1e\xb9\x99\x3c\x12\xe4\x0f\xe4\x0f\xe4\xaf\x87\xc9\xdf\xc7\x1f\xa4\x98\x55\x14\xbe\x3a\x5e\xf1\x2d\x63\x3a\x4f\x6d\x60\xef\x7e\x90\x7d\x2d\xe2\x94\x7c\x1f\xe4\xd9\xf0\xe2\x37\x6b\x1c\x9d\x8f\xaa\x1d\x02\x98\x7c\xc8\x38\xae\xaa\xb4\xba\x48\x96\xd8\xdc\x3a\x48\xc6\x7d\xa4\xd6\xd3\x29\xbb\x53\x77\x9a\xd1\x7e\x2e\x9c\x94\x0d\xb1\x41\x37\x00\xab\x2e\x78\xee\x74\x25\xfa\x91\xed\xce\x48\x0f\x5b\x99\xea\xe1\x83\xbd\xdb\x3c\xb4\x03\xe3\xbd\xe1\x5a\x48\x35\x03\x8e\xec\x06\x64\x9b\x77\xa8\x16\x52\xed\xcb\xbe\xf1\x5a\x48\x1b\x37\x18\x8d\x59\x84\x60\x2b\xe0\x89\xee\xad\x9f\x86\x9e\xf9\x8b\x7b\x1d\x83\x31\x5e\x93\xc1\x15\x6e\x39\xa2\x3c\x90\xbf\xcd\x76\x03\xf9\x59\xbd\x66\xc1\x90\x9f\x85\xfc\xac\xad\x55\x0d\x61\xe3\x66\x3e\x2c\x39\xaa\xa5\x2b\xc3\xfa\xb5\x10\xec\xe3\x6a\x03\x88\x5a\x9e\xf9\xf4\x77\x83\xf4\xa0\xb7\x98\xaa\x53\x35\x95\xfd\xc9\x20\xfb\xdd\x7e\xa7\x32\x4f\x42\xb0\x63\xcd\xa4\x5e\x16\x16\xb1\x12\x99\x9c\xc2\x3c\x7b\x8c\x03\x45\x5d\x1e\xfb\x8f\xb3\xaa\x36\x59\x2c\xda\xb7\xd6\xba\xef\x51\x9b\x7c\xf9\x57\x69\x52\x4c\xb8\x09\x3a\xc2\x27\xdc\x38\xed\xa3\x54\xe3\xe5\x37\xce\x2b\x7a\xc7\x4b\x70\x3c\xea\x3f\x87\xef\x61\xdb\x78\x18\x00\x5c\xf5\x70\xd5\xc3\x55\x0f\x57\x3d\x5c\xf5\x70\xd5\xc3\x55\x0f\x57\x3d\x5c\xf5\x70\xd5\xc3\x55\x0f\x57\x3d\x5c\xf5\x70\xd5\xc3\x55\x0f\x57\x3d\x5c\xf5\x9d\x72\xd5\xbf\x38\x4c\x27\xbc\xd4\xad\xae\xcc\x90\x26\x73\x82\x65\xbc\xc0\x96\xd6\xd0\x0f\x0c\xb3\x3f\x1f\x70\xd0\xdc\xc7\x1a\x51\x1a\xba\x24\x9a\x59\x90\xbb\x43\x6e\xe8\xb1\x5b\x7e\xe5\xbb\x9d\x4e\x76\x3b\x21\xdc\x8c\x6c\x9f\x0b\xe1\xc0\x70\x2f\x1b\xae\x05\x86\xce\xa8\x42\x6d\x08\xc8\x10\xc8\x10\xc8\x10\xc8\x10\xc8\x10\xc8\x10\xc8\x10\xc8\x10\xc8\x10\xc8\x10\xc8\x10\xc8\xb0\xab\x91\xe1\x61\x3a\xc8\xf6\xc7\xd3\x76\xc0\xd0\xf7\xb8\x03\x86\x9c\xdd\x1d\x24\x87\x40\x33\x41\x33\x41\x33\x3b\x4a\x33\xbf\x78\x8d\xf6\x0b\x9a\xb9\xcc\x29\xe6\x7a\xba\x6e\xf1\xce\x9c\xa6\x96\x6e\xa8\xcb\x3a\xfb\x89\x6b\xec\x5d\x83\xf4\x4a\x7e\xd2\x92\x79\x52\xf4\xc9\xfa\x41\x86\x53\x9a\x5a\xca\xaa\xcb\xc9\xc7\x8d\xc3\x32\xc6\x21\x8b\xe9\xaa\x02\x25\xe6\x21\x5d\x8e\x0f\x33\x20\x6b\x20\x6b\x19\x90\x35\x90\x35\x90\x35\x90\xb5\x9e\x21\x6b\x99\xae\x21\x6b\x2d\xef\x49\xd3\x64\x2d\x03\xb2\x06\xb2\x06\xb2\x06\xb2\x06\xb2\xd6\x79\xb2\x96\xe9\x69\xda\x94\x01\x6d\x6a\x1f\x6d\xca\x74\x3b\x6d\xca\x6c\x41\xda\x94\x7d\x03\xcd\x88\xb0\xab\x93\x74\x9c\x87\x5d\x1d\xa2\x03\x34\x1e\x98\x98\xc9\xe9\x52\xca\xa4\x4b\x29\x93\x0d\x35\x94\x9c\x19\x92\x4d\x79\xe3\xe9\xf0\x58\xac\x14\x1b\x31\x63\xb1\x78\x37\xcc\x60\x2c\xb3\x13\xee\x48\x2c\x51\xb4\x31\xfe\xbf\xb6\x57\xe3\xb0\x5d\xe2\xfb\x13\x93\x6c\xf2\xb5\x47\xfc\xa5\x33\xec\x4b\xa0\xaa\x69\xca\xd0\xe9\x2a\xc1\x85\x7a\xc9\xb0\xbe\x63\x0e\x99\x05\x08\xc5\x34\x29\x14\xf3\x37\x7d\x74\x46\x94\xf9\x3e\x4d\x27\x5d\x65\xbe\xeb\xa7\x64\xfb\xce\xc2\xc0\xb7\x7e\x63\xe9\xde\xfe\x6d\xcf\x0a\x39\x9a\x53\x74\xc2\x91\xa3\x69\xa2\x9d\x70\x03\x54\x56\xdb\x63\x80\x92\x7f\x3c\x52\x6d\x80\x76\x9b\x95\xe4\x5d\x65\xf9\xd5\x15\xdb\x18\x8d\x8a\x5f\xdd\xc6\x68\xca\x3e\xb0\xdd\x66\xe9\x32\x5d\xa2\x79\xb7\x59\x4a\x66\xe8\x74\x13\xf1\xb7\xd3\xfc\x1e\x2e\x72\xd0\xaa\x03\xc9\x02\xc9\x02\xc9\x02\xc9\xf6\x10\x92\xc5\xc2\x2c\x64\x61\xd6\x3d\xcc\xfa\xe5\x08\x7d\x35\xc2\xbe\x12\x89\x7e\xd9\x7e\x54\x1f\x8b\x5c\x76\xef\x12\x95\x52\x4c\x17\x3b\xbd\xd8\xb2\xbc\x22\x1c\xbc\x36\x4d\x71\x3e\x59\xe6\x5b\xc2\x07\xcb\xb5\x04\x2c\xa9\xa5\xd1\x92\x5c\x90\xf8\x23\x31\x37\x8a\xee\xa5\xa2\xe0\xaa\xf6\x64\x30\xd7\x06\xca\xea\xaa\x9c\x37\x16\xa3\xc5\xdb\x8e\xe7\xd5\x31\xed\x4a\x71\xc4\xdc\x3f\xf2\xdb\x8d\x15\x34\x29\xc7\xe7\x89\xa2\xe6\xed\x0f\x8f\xf3\x71\xe0\x4e\x6d\xeb\xb9\xac\xe9\x46\x27\xdd\x03\x25\x19\x67\x5a\x37\x64\x5e\x64\x45\xbc\x6f\x56\x13\x29\xd1\x4f\x21\x61\xe5\xd3\xc7\x38\xe3\x5d\x98\xe7\x3d\xf0\xdb\x17\xc3\x35\x00\xd7\x00\x5c\x03\x70\x0d\xc0\x35\xd0\xd3\xae\x81\x2f\x44\xe8\xa5\x08\x7b\x31\x12\x7d\xc1\xfe\xda\xbe\x3f\x32\xed\xca\x9c\x2d\x17\x65\x49\x97\xed\x57\x7f\x5e\x53\xcb\x52\x81\x7f\x87\xe7\xd5\xa2\x92\xbb\xed\x09\x0c\xb2\x1e\xb7\x93\x7a\x6b\x3c\xf0\x74\xea\x70\x2a\xb6\x20\xec\x88\xf8\x48\x96\xe5\x92\x31\x4d\x9d\xaf\x88\x1c\x53\xb5\xf2\x75\xa9\x64\x05\x2a\x69\x6b\xf2\xd8\x8a\x54\xb4\x56\xff\x71\xf1\x6b\x3c\xb6\xa2\x94\xa4\xa2\xf2\x66\xcb\x7c\x2f\xcb\x31\x29\xcf\x39\xbb\x3a\x26\xb0\x6b\xde\x59\x5a\x8a\xc6\x13\xba\x73\x92\x58\x6f\xa7\x62\x33\x0a\x37\x49\xae\x8e\xab\x5a\xed\x9d\x39\xbe\x8d\x8a\x58\xee\xf3\xd5\x9f\x5a\xb9\x9e\x8a\xef\x12\xfd\x99\xb6\x6e\xc4\x1b\xf1\xf4\xce\x01\x7a\xc7\x00\x7b\x7e\x20\xfa\x5d\x3b\xec\xed\x4b\xfd\x57\x4c\x3b\x68\x4c\xd1\xeb\xea\xad\x58\x41\xd2\x96\xa5\x82\x07\x3a\xd8\x0b\x35\x59\x5b\x51\xb5\x55\x63\x2c\x7c\x7b\x7a\xb1\xea\xe2\xc1\x1d\xe5\xcb\x1a\x6b\x4d\x52\x16\x77\xa5\x18\xeb\x85\x9c\x92\x77\x16\xd6\xfc\xdb\x28\x94\x2e\xad\xd1\x35\x3e\x4e\xe6\x97\xc3\xfa\xfa\xa5\x5c\xc3\x68\xd9\x4d\xdb\xa1\x60\x07\xbb\x79\x2f\x96\x8a\x09\x90\xc5\x6d\xb1\x7b\xb5\x9a\x10\xf7\x90\x30\xf6\x3c\xfc\x5f\xde\x89\xa1\x1f\x8b\x25\x32\x52\xee\x66\x41\x53\xd7\x4a\x79\xe3\x28\x1e\x65\xc6\x0f\xaa\x1a\x38\xb1\x58\x31\x57\x40\xde\x46\xac\x3b\x58\xb6\x5b\x3a\x16\x4b\xcc\xaa\x9a\xec\x6a\x36\x96\x93\xf4\x9c\x94\x37\xee\xde\x1c\x1f\x11\x57\xc8\xdb\xd3\xc5\x72\xba\xa6\xc1\x15\xbb\x8d\x54\xfc\xfe\x72\xf5\xbc\x71\xaf\x6d\xe0\x79\x83\xe7\xad\x47\x3d\x6f\xd9\x42\x30\x88\x3e\x2f\x40\xf4\x0c\x4d\x71\x10\x7d\x82\x8e\xd1\xd1\x26\xa8\xa6\x90\xfd\xb6\x58\x72\xd2\x9f\x25\x3f\xc0\xee\x17\x6f\xb3\x63\x69\xdb\xc1\x95\xb7\x60\x16\x0a\xfb\x5a\x84\x5e\x2b\xa2\xda\x45\xc4\xb5\xab\x8e\x2e\x7b\x31\xc2\x5e\x88\xd0\x0e\xf1\xc3\xd2\x7a\x3a\xfa\xda\x82\x5c\xf1\xae\xac\x85\x7f\x34\x69\xfc\xc0\xa5\x1d\xf4\xc5\xf4\xe4\xfc\x9c\x05\x13\x5b\x28\xc7\x5e\xd3\xd0\x44\x4d\x43\x13\x8d\x34\x94\x2d\xd3\x33\x62\xe6\x5d\xa0\xf3\x7c\xe6\xcd\xd2\x34\x65\x9a\x98\x79\xae\xfb\x6c\xc4\xd1\xca\xfe\xd7\x35\x1a\x33\x4b\x16\xe7\xae\xcb\xf9\xb5\xa2\xb1\x27\xb6\x47\x5b\xe4\x12\x94\x35\x45\xd5\x94\xca\x6d\xab\x6a\xf1\xef\x5e\x63\x9f\x1a\x24\xe6\x9c\x60\x3b\x2c\xf6\xd6\x4f\x20\x98\x37\x1b\xe2\x95\x6c\x93\x71\xe3\xe0\x05\xbb\x11\xd3\x85\xe1\x39\x06\x79\x04\xc8\x23\x40\x1e\x01\x9c\x56\x70\x5a\xc1\x69\x05\xa7\x55\xd7\x38\xad\xba\xc7\x27\x03\x67\x01\x9c\x05\x70\x16\xc0\x59\x00\x67\x41\x4f\x3b\x0b\x40\x33\x41\x33\x7b\x94\x66\x6e\xc9\x3c\x82\x8d\xc9\xb7\xa6\x5c\x68\xca\x0a\xd7\xf5\x60\xa2\x96\xa4\x14\xe4\xc2\xc9\xeb\x69\x76\xb2\x06\xaf\x9a\x28\xb6\x86\x9e\x99\x58\xd6\xd3\x4f\x8a\xbf\xb0\xc3\x97\x9b\x7d\x8f\x9d\x69\xe0\x45\x64\x4f\x88\xbf\x77\x08\x92\x09\xa6\x75\x91\x9e\xa2\x73\x55\x09\x07\x75\x28\x78\xe8\xc3\x41\x88\x1b\x72\x0f\x9a\xcc\x3d\xf8\xe1\xc8\x86\x1c\x32\xa1\x53\x91\x9e\x16\x49\x02\x59\x3a\xeb\x24\x09\xdc\x61\x93\x97\x44\x72\xc4\x39\x9a\x73\x25\x47\xdc\x61\x9b\xcd\x9b\x32\x91\x9c\xd0\x98\x29\xdb\x90\xe5\xaa\x4d\x57\xf8\xbb\x11\x5f\x53\x16\xf7\xcd\x59\xf0\x9a\xb5\x94\x38\xa6\xc6\xac\x39\xe9\x0b\xed\x34\x70\x48\x5d\x00\x05\x06\x05\x06\x05\x06\x05\x46\xea\x02\x52\x17\x90\xba\x80\xd4\x05\x78\x23\xe0\x8d\x80\x37\x02\xde\x08\x78\x23\x90\xba\x80\xd4\x05\xa4\x2e\x20\x75\x01\xce\x3e\x38\xfb\xba\xd0\xd9\x97\x2d\xb4\x36\x43\x21\x94\x34\x6f\x24\x75\xa1\x13\x0e\xb4\xd6\xa7\x1a\xfc\xb7\x41\x62\xc6\xc4\x1a\x5b\x4f\x8f\x09\xf4\xb7\x2a\x95\x75\xf6\x47\x83\xec\x85\x7e\xba\x27\xa7\x6a\xf2\xd2\x7a\x3a\x9a\x08\x51\xc6\xe7\x27\x3e\x25\x95\x93\x7b\x8c\x03\xa7\x54\x4d\x5e\x4c\xdb\x7f\x9c\x55\xb5\xc9\x62\xd1\x56\xe4\xe9\xf6\xa8\xf6\xec\xd5\x8d\xe9\x31\x19\x63\x64\x4c\x29\xfb\x7e\x5b\xe2\x8e\x3d\x17\x3e\x9b\x86\xd8\xa0\x39\x79\xe2\x71\x2b\x0b\xc6\xea\x83\xa7\xd4\x26\x2a\x69\x22\x4e\x1f\x95\x34\xe1\xa1\x81\x87\x06\x1e\x9a\x1e\xf2\xd0\xa0\x92\x26\x2a\x69\x82\x8c\x83\x8c\x83\x8c\x83\x8c\x77\x05\x19\x47\xb9\x4a\x94\xab\xdc\x2a\x2c\x10\xe5\x2a\xdb\x51\xae\xf2\xbb\x44\xe3\x16\x6d\x0b\x28\x51\x59\x56\xf3\xe6\x1f\xde\x32\xb6\xac\x94\xf2\x4a\xa9\xc0\x5e\xa0\xf8\x4f\x0f\x38\x34\xee\xb5\x66\xb8\xbc\xf9\xb3\x30\xa0\xf3\x6a\x3e\x69\x7e\x41\x04\x7f\x73\x24\xb0\xe7\xd5\x7c\x46\x1c\xda\xe2\x50\xd2\x93\x74\x9c\x26\xaa\x62\xe5\x93\x34\x14\x8a\xca\xcc\xde\x64\xbf\xdc\x17\x2c\x45\x73\x4c\x30\xb8\x03\x34\xce\x19\xdc\x08\x6d\xa0\x61\x3a\x2d\x02\x9d\x8f\xd2\x61\x27\xd0\x79\x63\x2d\x4c\x8a\xb8\xe6\x09\x3a\xe2\x8a\x6b\xde\x50\x13\x16\xe9\x9b\x0b\x27\x79\x83\xec\x89\x6a\x92\x67\xf5\xc3\xcd\xf1\xc2\x02\x9f\xb3\x08\x49\xab\x1f\x92\x96\x45\xaa\x41\x40\xaa\xc1\x01\x1a\x67\xfb\xe2\x29\x5b\x24\xe9\x01\x77\x8d\x6f\x73\x2e\xde\x0d\x05\xbe\xd9\xd7\x77\xd3\x15\x21\xf8\x23\xad\x55\x54\x3d\x27\x15\x95\x52\x61\x6c\x7d\xbc\x6e\xd9\x60\x6e\x93\x8c\xe7\x51\x2c\xab\x79\xeb\x3c\x59\xb3\xed\xb4\xce\xbd\x49\xec\xdd\xbb\xd9\x97\xfb\xe9\x01\x57\xc3\x4b\x66\xc3\xd1\x03\x9a\x2c\xe5\x63\xe2\x38\x6b\x58\x9d\x9d\xd1\x59\xbb\xfd\x79\x35\x3f\x69\xb7\x9f\x3c\x61\x9c\x35\xe9\x34\xb7\x38\x5e\x55\x73\x25\xe0\x44\xe1\xdd\x6a\xad\xb1\xcf\x6a\x74\x45\x98\xe4\x79\xba\xc0\x4d\xf2\x59\x9a\xa5\xe9\x40\x6b\xe8\x1a\x85\x94\x39\x0a\xa9\x80\xee\x86\x3a\x4b\x0a\xe1\x26\x74\x9a\x65\x4c\x13\xea\xba\xb0\x69\x4b\x83\x2e\xeb\xd8\x56\xd1\x3f\xba\xf1\x88\xbf\x81\x7d\x05\x1b\x28\xc8\x15\x8a\xfe\xc9\x0e\xff\xa7\x7b\x58\x93\xcb\x45\x29\x27\x6f\xf8\x01\x9f\x36\x4f\xec\x92\x67\x9c\x79\x8e\x9e\xa5\xc5\xaa\x0f\x7a\x8b\x1e\x32\xe2\xa5\x91\x07\xd7\xe4\xc7\xe9\x0f\xfa\xda\x67\x7a\xae\x8a\x95\xe2\x33\xb4\xe0\xac\x14\x3b\x67\xd8\x82\xed\x4d\x79\xad\x42\x1d\xb3\x7b\x99\xff\x67\xa7\xbf\x61\x3b\x5d\x96\xb4\x8a\xc2\x7d\x52\x62\x23\xb4\x61\x0b\x77\xb2\x6c\x6c\x82\xba\xc0\xbe\x3d\x5c\xdd\xd0\x28\xef\xd9\x5e\x2e\x5b\xb8\xdb\xfd\xe3\xaa\xac\x15\x64\xf7\xaf\x83\xee\x5f\xf5\x8a\x26\x55\xe4\x82\x92\x1b\xad\x39\xce\xd3\x8a\xf1\xef\xdb\xe6\xaf\x46\x2f\x33\x17\xe8\x3c\x65\xab\x6c\xeb\x04\x1d\x69\x22\x78\x65\x9e\x3b\x79\x61\x4f\x43\xec\xe9\x47\xfb\xe9\xc3\xfd\xec\x43\xfd\xd1\x9f\xb7\xa3\x1e\xde\xde\xdf\x3b\xf6\xb4\x8a\x8b\x1b\xe3\xcc\xfd\xbc\xdc\x77\x63\x4c\x4e\x27\xda\x63\x28\x60\xe2\x0e\x73\x87\xa7\x08\x0b\x90\x8a\xfc\xcc\x92\x5a\x1a\x15\x67\xf3\x23\x78\x58\x88\x1e\x1b\xca\xea\x6a\x69\x5e\x84\x3d\x3c\x65\xbc\x16\xe6\xbf\x17\xac\x97\xc5\xf9\xe3\x70\xb0\xa1\xcf\xbc\xd4\x47\x2f\xf6\xb1\x17\xfa\xa2\x9f\xb3\x91\xce\x07\xfb\x66\x55\x2d\xc7\x5d\xe9\x05\x95\x0f\xbb\x1a\x8b\xaf\x18\x7f\x8a\xc7\x26\x3d\x77\xc1\x61\x9d\x48\x5e\x59\xd3\x1d\x07\xef\xa8\x94\xe3\x37\xce\xdd\xe6\x45\x25\x67\x46\xa5\xca\xc5\xbc\x1e\x53\x6f\x99\x63\x2a\xdc\xca\x65\x59\x2d\x17\xe5\x54\x4c\x5c\x91\xc7\xa9\x58\xcf\x92\x43\x33\xdf\x01\xb0\x2f\x1f\xdf\xc6\xbb\xe5\x89\xb9\xe8\x85\x35\xf3\x63\xfe\xdf\xb0\xed\xec\x15\x7c\x80\x28\x3b\x4d\x19\x76\x3a\x7e\xd2\xde\x25\xee\x71\xef\x2d\x03\xae\x73\x57\xec\x35\x7f\x3b\x41\xa3\x62\xaf\x99\x57\xf4\x9c\xba\x6e\x18\xf3\x2a\x6d\x59\xb9\x94\x2f\xab\x4a\xa9\xa2\x17\x95\x9c\xac\xb3\x1f\x4d\xb0\x1f\x18\xa0\xfb\xed\xc3\x1b\x55\x96\x9d\x31\x9b\x59\x30\x9a\x49\xa6\x8d\x83\xa7\xad\x36\xcc\xe4\x72\xcf\x21\x5b\x2d\x24\xef\x06\x5d\x14\xef\x91\xf1\xfe\x18\xef\xd1\x69\x3a\x49\xc7\x03\xdf\x23\x67\xb8\x2d\x81\x01\xcf\xdd\x37\x14\xa0\xb7\x1c\xfe\xfe\x9c\x62\x27\xc4\xcb\xe2\x69\xbd\x56\x2b\xc0\x7c\xc9\xaa\x27\x41\x3d\x9e\xc7\x83\x00\x11\xb7\x87\xb8\x3d\xc4\xed\x21\x6e\x0f\x71\x7b\x88\xdb\x43\xdc\x1e\xe2\xf6\x10\xb7\x87\xb8\x3d\xc4\xed\x21\x6e\x0f\x71\x7b\x88\xdb\x43\xdc\x1e\xe2\xf6\x10\xb7\xd7\xa9\xb8\xbd\x7f\xec\xa3\x5d\x63\x6a\x59\x2e\x29\xf9\xb1\xf5\xf4\xd8\x8d\x5b\x37\xf5\x31\xf6\x97\x7d\xec\xbf\xf6\xd1\x2b\xc4\x9f\xa3\x57\x0b\x72\x85\xbf\x75\x4a\x4e\x8e\x49\xb9\x1c\x5f\x73\x70\x03\xaf\xc5\x2e\x96\xe5\xd2\xdc\x74\x2c\xbb\x70\xf1\x42\xec\x8a\xbc\x1c\x3b\x27\xdf\x36\x56\x32\xb1\x21\x93\xfb\xeb\xb1\xf2\xda\x72\x51\xc9\x99\x5b\xa1\x75\x59\xb3\x3b\xca\x97\xf9\xc3\xc9\x3d\x05\xb9\xb2\x20\x1a\x9f\x14\x6d\xcf\xf1\xa6\x45\xcb\xe7\xe4\xdb\xba\x5c\x19\x7f\xd0\xc3\xde\x6e\xdd\x1c\xd5\xe5\x0a\xf7\x4c\x65\x0f\x07\xc7\xd9\xed\x16\x60\xed\x35\xf4\x00\x07\x6b\xaf\xa4\x7b\x3f\xde\xb7\x9d\xcc\x09\x65\x97\xc9\x1a\xa6\x4b\x66\xd4\x4c\xde\x58\xca\x2b\x6a\x49\x93\x0b\x0a\xf7\x85\x19\x63\xe6\xd4\x27\xe3\x63\x37\xc6\xf7\xcc\x92\xb1\x52\xbb\x25\x2f\x5f\x57\xd5\x9b\x9e\xbd\xaf\x15\x37\xc3\xfe\xed\x30\x7b\x69\x1b\x3d\xe8\xdb\xe6\xd2\x7a\x3a\xfa\xb9\x3e\x73\x92\x3a\x73\x42\x2a\x59\x66\xdf\x62\x9f\x8b\xf6\xb5\xae\x88\x6b\x4d\xb9\xaf\x95\x72\x09\x87\x4c\xd8\x6b\xb3\x04\x6f\x37\xe1\x80\x07\xcf\x4e\x52\x2d\xcb\xb6\x2c\x98\x5e\x91\xa5\xfc\x88\xb3\xf2\xe3\xab\x5b\x73\x9d\x60\x2c\x1e\x9d\x25\x6d\xc2\xb3\x8b\x70\xb5\x9d\x4a\x4e\xf0\xcb\x4d\xfa\xdd\xe6\x62\xba\x7e\xff\xbb\x9d\xcc\x6e\x4c\xca\xba\x8e\x53\x93\x5b\x00\x5e\xae\x2e\x14\xcd\xbe\x39\x1c\xcd\x5e\x61\xcf\x58\xae\x8d\x3a\x13\xd6\xf4\x75\xd4\x7f\x02\xde\x10\xcc\x60\x6f\xc7\x2d\xe1\xed\x00\xb3\x05\xb3\x05\xb3\x05\xb3\x05\xb3\x05\xb3\x05\xb3\x05\xb3\x05\xb3\x05\xb3\x05\xb3\x05\xb3\x05\xb3\xed\x2c\xb3\x3d\x47\x73\xec\x4c\x7c\xc6\x8e\x17\x4b\xba\xa3\xce\xea\xef\xf8\x6a\x83\xcf\x00\x80\x01\x80\x01\x80\x7b\x18\x00\xff\xca\xbd\x74\xcc\x4e\x1b\xe4\x38\xaa\x0a\x7c\x8a\x70\x4e\x5d\x2e\xae\xe8\x6b\xdc\xc4\x49\xb9\x9c\xac\xeb\xc6\x36\x44\xbe\xa5\xb3\x6f\x52\xfc\xeb\xdb\xe8\x35\x9e\x93\xed\xe0\xce\x98\x5d\xfe\x6c\x41\x2e\xae\x2c\x88\xf3\x27\xf9\xf9\x97\xf8\xf9\xc9\xb4\x38\x62\xd2\x7d\xba\x19\xd7\x19\x70\x4a\x8b\x13\xc3\xae\xd2\x73\xf4\x6c\x55\xf2\xc2\x59\x9a\xad\x17\xc9\xec\x1a\x25\x2b\x0a\x33\xa0\xaf\xd9\x4f\x45\x68\x49\xe4\x5b\x3f\x4b\x8b\xae\x7c\xeb\x2c\xb5\xec\x1a\xc1\x00\xfc\x75\x82\x5f\x5e\xa2\x79\xce\x2f\x5b\x79\xcd\xd7\x8b\xe4\xa2\x2b\xf4\x8c\x93\x5c\xd4\xc2\xf6\x1b\xad\x87\x55\x0e\xe7\xa5\x4f\xb1\x73\x4e\x28\x78\xcd\xfc\x36\x39\x69\xd0\x6d\xd6\x04\xbc\x22\x11\x1d\x89\xe8\x4d\xe6\xfa\xb5\x3c\x08\xff\xf7\x87\xe8\x80\xb0\xdc\xcb\xc2\x35\x65\xf9\xa8\x02\x72\xbd\x73\x9a\x5a\xba\xa1\x2e\xeb\xec\x7d\x43\xec\x83\x03\xb4\x9d\x9f\xb5\xb4\x9e\x8e\xea\xe6\xe6\xa6\x94\x57\xd6\x95\xfc\x9a\x54\xf4\xb8\xa5\x6c\x90\x30\xa5\xa9\xa5\xac\xba\xdc\x12\xbf\x53\x2a\xf9\x38\x3f\x21\x63\xfc\xc7\xad\xe8\x61\x5e\xe4\xbc\xa2\x57\xba\xdf\x41\x14\x68\x79\x5b\xee\x39\xb2\x0c\xe2\x1e\x7f\x83\xb8\x93\x11\xef\x98\x50\xd8\x3d\x1f\x6e\x15\x87\x59\xc2\xb4\x8a\x7c\x16\x58\x22\xbb\x62\xf0\x21\xb1\x0b\xb7\x0f\xdc\x3e\x70\xfb\xc0\xed\x03\xb7\x0f\xdc\x3e\x70\xfb\xc0\xed\x03\xb7\x0f\xdc\x3e\x70\xfb\xc0\xed\xb3\x99\x6e\x9f\xad\x27\x13\x00\x5f\x10\x7c\x41\xf0\x05\x6d\x21\x5f\xd0\x6f\x0c\x5b\xbe\xa0\x8d\x11\x45\x2b\xea\xfd\xad\xc3\xec\x4f\xdd\x60\xf1\x23\x8d\x44\xb9\xb7\x12\x2b\xde\x69\x38\xfb\x23\x75\xa1\x64\xf7\x03\xc9\xce\x47\xac\x87\x45\x8d\x03\x46\x02\x46\x02\x46\x02\x46\x02\x46\x02\x46\x02\x46\x02\x46\x02\x46\x02\x46\x02\x46\x02\x46\x02\x46\x6e\x69\x18\x59\xb7\xaa\x86\xb9\x73\xbb\x1b\x94\x4e\x81\x30\x81\x30\x81\x30\xb7\x10\xc2\xfc\xa9\xd7\xd3\x11\x33\x9c\xbd\x5c\xd6\xeb\x54\x23\x33\xbe\x1f\x9a\x6a\x58\x6f\x63\x33\xc3\x1f\x29\xfb\xea\x35\xf6\xfe\x41\xba\xc7\x38\x73\x69\x3d\x1d\xdd\x57\x5f\x9a\x78\xca\x6e\xe1\x92\xd9\x42\x72\xd0\x38\x63\xb2\x5c\xd6\x3d\xf4\xb0\xe6\xb8\x2e\x07\x89\x19\x50\x36\x50\xb6\x0c\x28\x1b\x28\x1b\x28\x1b\x28\x5b\xcf\x50\xb6\x4c\xd7\x50\xb6\x96\xf7\xa4\x69\xca\x96\x01\x65\x03\x65\x03\x65\x03\x65\x03\x65\xeb\x3c\x65\xcb\xf4\x34\x7c\xca\x00\x3e\xb5\x0f\x3e\x65\xba\x1d\x3e\x65\xb6\x20\x7c\xca\xca\xc1\x19\xa1\x59\x11\x99\x35\x45\x93\x3c\x32\xeb\x18\x1d\xa5\xc3\xc1\xb9\xf2\xe5\xb2\x9e\x5a\x4f\xa7\x6a\xc9\xd1\x79\x45\xaf\x84\x27\xc7\x8b\x34\xd0\xc5\xf0\xc8\xab\xfd\x2c\x6d\x25\xc7\x97\xcb\xba\x15\x78\x55\x73\x55\x4f\x0c\x56\xfc\x03\x3b\x1c\x44\xf6\xb0\x2d\xf0\xe0\x43\xc3\x86\x4c\x6d\x87\xce\xf1\x30\x81\xaf\xe6\xe8\x0c\xcd\x54\x49\x3a\x1c\xa4\xfd\x4d\x0c\x37\x4a\x51\xa2\xb4\x6f\x93\xe9\xfe\xdf\xe9\xa3\x59\xf1\xce\x9f\xa2\x13\xfc\x9d\x3f\x4c\xcd\x4d\x42\x3a\x27\xc4\x36\xa6\x29\xe3\x88\x6d\x34\xdd\xd8\x79\x21\x47\x32\x43\x53\x2e\x39\x92\xa6\x5b\x0b\x0b\x0f\x6d\x93\x0d\x0a\x13\x06\x49\xbe\x3c\xe2\xd8\xa8\x84\x58\x11\xc7\x72\x46\x7b\x39\xeb\x7b\xe5\x63\xaf\xc6\xc5\x81\xc2\x5e\x4d\xd9\x47\x77\xd0\x72\x5d\xa6\x4b\x34\xef\xb6\x5c\xc9\x0c\x9d\x6e\x22\x80\x77\x9a\xdf\xc8\x45\xce\x67\x75\x90\x5c\x90\x5c\x90\x5c\x90\xdc\x1e\x22\xb9\x58\xb6\x85\x2c\xdb\xba\x07\x75\xbf\x1c\xa1\xaf\x46\xd8\x57\x22\xd1\x2f\xdb\x8f\xea\x63\x91\xcb\xee\xcd\xa5\x52\x8a\xe9\x62\x83\x18\x5b\x96\x57\x84\x5f\xd8\x86\x30\xce\x27\xcb\x7c\x4b\xf8\x60\xb9\x16\x88\x25\xb5\x34\x5a\x92\x0b\x12\x7f\x24\xe6\xfe\xd2\xbd\x90\x14\x38\xd6\x9e\x0c\xe6\x5a\x41\x59\x5d\x95\xf3\xc6\x52\xb5\x78\xdb\x71\xd8\x3a\xa6\x5d\x29\x8e\x98\xdb\x4e\x7e\xbb\xb1\x82\x26\xe5\xf8\x3c\x51\xd4\xbc\xfd\xe1\x71\x3e\x0e\xdc\x17\x6e\x3d\x97\x35\xdd\xe8\xa4\x7b\xa0\x24\xe3\x4c\xeb\x86\xcc\x8b\xac\x88\xf7\xcd\x6a\x22\x25\xfa\x29\x8a\x80\xfb\xf4\x31\xce\x78\x17\xe6\x79\x0f\xfc\xb6\xd3\xf0\x28\xc0\xa3\x00\x8f\x02\x3c\x0a\xf0\x28\xf4\xb4\x47\xe1\x0b\x11\x7a\x29\xc2\x5e\x8c\x44\x5f\xb0\xbf\xb6\xef\x8f\x4c\xbb\x12\x6f\xcb\x45\x59\xd2\x65\xfb\xd5\x9f\xd7\xd4\xb2\x54\xe0\xdf\xe1\x79\xb5\xa8\xe4\x6e\x7b\xe2\x89\xac\xc7\xed\x64\xee\x1a\x0f\x3c\x9d\x3a\x9c\x8a\x2d\x08\x3b\x22\x3e\x92\x65\xb9\x64\x4c\x53\xe7\x2b\x22\xc7\x54\xad\x7c\x5d\x2a\x59\xf1\x4d\xda\x9a\x3c\xb6\x22\x15\xad\xd5\x7f\x5c\xfc\x1a\x8f\xad\x28\x25\xa9\xa8\xbc\xd9\x32\xdf\xcb\x72\x4c\xca\x73\x3c\xaf\x8e\x09\x5a\x9b\x77\x96\x96\xa2\xf1\x84\xee\x9c\x24\xd6\xdb\xa9\xd8\x8c\xc2\x4d\x92\xab\xe3\xaa\x56\x7b\x67\x8e\x4b\xa4\x22\x96\xfb\x7c\xf5\xa7\x56\xae\xa7\xe2\xbb\x44\x7f\xa6\xad\x1b\xf1\x06\x4a\xbd\x73\x80\xde\x31\xc0\x9e\x1f\x88\x7e\xd7\x8e\x96\xfb\x52\xff\x15\xd3\x0e\x1a\x53\xf4\xba\x7a\x2b\x56\x90\xb4\x65\xa9\xe0\x81\x10\xf6\x42\x4d\xd6\x56\x54\x6d\xd5\x18\x0b\xdf\x9e\x5e\xac\xba\x78\x70\x47\xf9\xb2\xc6\x5a\x93\x94\xc5\x5d\x29\xc6\x7a\x21\xa7\xe4\x9d\x85\x35\xff\x36\xf2\x6d\x8e\x3d\xba\xc6\xc7\xc9\xfc\x72\x58\x5f\xbf\x94\x6b\x18\x2d\xbb\x69\xfb\x21\xec\x18\x39\xef\xc5\x52\x31\x41\x94\xb8\x2d\x76\xaf\x56\x13\xe2\x1e\x12\xc6\x9e\x87\xff\xcb\x3b\x31\xf4\x63\xb1\x44\x46\xca\xdd\x2c\x68\xea\x5a\x29\x6f\x1c\xc5\x83\xd3\xf8\x41\x55\x03\x27\x16\x2b\xe6\x0a\xc8\xdb\x88\x75\x07\xcb\x76\x4b\xc7\x62\x89\x59\x55\x93\x5d\xcd\xc6\x72\x92\x9e\x93\xf2\xc6\xdd\x9b\xe3\x23\xc2\x11\x79\x7b\xba\x58\x4e\xd7\x34\xb8\x62\xb7\x91\x8a\xdf\x5f\xae\x9e\x37\xee\xb5\x0d\x1c\x76\x70\xd8\xf5\xa8\xc3\x2e\x5b\x10\x68\x79\x1f\x47\xcb\x91\x8b\xe7\xd8\x09\x3a\x46\x47\x9b\x80\x97\x0b\x15\xa9\xb2\xa6\x87\xa2\xe5\xa4\x3f\x02\x7e\x80\xdd\x2f\xde\x66\xc7\xd2\xb6\xcd\x15\xb6\x05\x13\x5a\xd8\x9f\x26\x68\xd4\xd6\x7b\x57\xf5\x9c\x54\x54\x4a\x85\xb1\xf5\xf4\x18\x1f\x5e\xb5\x54\x91\x8a\x65\x35\x6f\xfd\x26\x6b\x3a\xfb\x85\x04\xfb\xa9\x01\x7a\x95\xeb\xf0\xa5\xf5\x74\xf4\x60\xfd\xe0\xf8\xb3\x76\x6b\xf3\x6a\x7e\xd2\x6e\x2d\x79\x84\x47\xc8\x3b\x4d\x2d\xa6\x03\x8e\x9c\x55\xb5\xc9\x62\xd1\x66\xef\x7a\x97\xc7\xcc\x67\xdf\x48\x8b\x62\xfa\x5f\xa4\xa7\xf8\xf4\x3f\x43\x33\x34\x55\x4f\x0e\xdd\x1a\x02\x63\xce\x07\x0c\xc2\x79\x45\x0f\x97\xe0\x58\x0e\x9f\xdc\xa7\xd8\x09\xf7\xbc\x75\x04\xd1\xad\x3e\x98\xf3\x3d\xa0\x1b\xf5\xfc\x2d\xdc\xd7\x0c\x5d\x0e\x64\x0c\x40\x97\x03\x7e\x26\xf8\x99\xe0\x67\xea\x21\x3f\x13\x74\x39\xa0\xcb\x01\xbe\x0f\xbe\x0f\xbe\x0f\xbe\xdf\x15\x7c\x1f\xfa\x17\xd0\xbf\xd8\x2a\x44\x13\xfa\x17\xed\xd0\xbf\xf8\x4e\x94\xa6\x05\xde\x5b\x29\xaa\xb7\x4c\x91\x8b\x94\xbd\xb9\xaf\x2e\xeb\x68\x1c\xa4\xe7\xae\xcb\xab\x92\x25\xe2\x3b\xa6\x73\xfc\xca\x3e\x11\x65\xbf\xd1\x4f\xbb\x5d\xad\x4c\x5a\x8d\xd8\xe5\x1d\x13\x9a\x2c\xe5\x63\xe2\x04\xeb\x01\x38\x5f\xe3\xd9\xa2\x7a\x6b\x81\xb7\x9d\x1c\x33\x0e\x9c\xf5\x69\xca\x2c\xf5\xe8\x1c\x2a\xe0\x6f\x6b\xc3\x6a\xb3\xf2\xc6\xd2\x2f\xdc\x23\x67\x15\x2a\x74\x7a\x18\xca\xe3\x6e\x86\xf3\xb8\xb3\x6c\xd6\x64\x70\xf5\x9e\x92\x09\xe5\x5c\x97\xae\xa9\x47\x78\xe3\x11\x7f\x30\xf7\x0a\x36\x50\x90\x2b\x14\xfd\xc0\x8e\x90\x47\x98\xd4\xe4\x72\x51\xca\xc9\x8d\x3c\xc5\x71\xf3\xd8\x4d\x7b\x90\x99\xa7\xe8\x1c\xcd\x55\x65\x76\x34\xff\x24\x11\x26\x88\xec\x8e\x26\xb3\x3b\x7e\xb9\x8f\x2e\x8a\xac\x8c\xb3\x34\xeb\x64\x65\xb4\xc5\xae\xb4\xd2\x78\x6d\xcc\x46\x85\xdb\x9f\x46\xac\x58\x1d\x1b\x55\x5e\xab\x50\xe6\xb3\x3b\x43\x6c\xd4\xfe\xb2\xa4\x19\xdb\x6f\x63\xcb\xca\x3f\x96\x8d\x18\xab\x7d\x65\xe3\xdb\xb8\x29\xa6\xea\xe1\xea\x86\x46\x79\x5f\xf6\x1a\xff\x9c\xd8\xed\xfe\x71\x55\xd6\x0a\xb2\xfb\xd7\x41\xf7\xaf\xc6\x62\xba\x22\x17\x94\xdc\x68\xcd\x71\x9e\x56\x8c\x7f\xdf\x36\x7f\x35\x7a\x99\xb9\x40\xe7\x29\x5b\x65\x26\x27\xe8\x48\x13\xbe\xd8\x79\x4e\xfb\x61\x27\x43\xec\xe4\x47\xfb\xe9\xc3\xfd\xec\x43\xfd\xd1\x9f\xb7\xdd\x5f\x6f\xef\xef\x1d\x3b\x59\x05\x48\x8c\x71\xe6\xc0\x9f\x43\x3c\x63\x72\x3a\x6e\xbf\xa1\x80\x89\x3b\xcc\xc9\xb7\xf0\x0f\x49\x45\x7e\x66\x49\x2d\x8d\x8a\xb3\xf9\x11\xdc\x3f\xa8\xc7\x86\xb2\xba\x5a\x9a\x17\xfe\xaf\xa7\x8c\xd7\xc2\xfc\xf7\x82\xf5\xb2\x38\x7f\x1c\x0e\x36\xe0\x99\x97\xfa\xe8\xc5\x3e\xf6\x42\x5f\xf4\x73\xf6\xda\xfe\x83\x7d\xb3\xaa\xb1\x55\x55\xf4\x58\x41\xe5\xc3\xae\xc6\xe2\x2b\xc6\x9f\xe2\xb1\x49\xcf\x5d\xf0\x5d\x9b\x88\xc5\x5e\xd3\x1d\xd2\x3f\x2a\xe5\xf8\x8d\x73\xff\x49\x51\xc9\x99\x41\x56\x72\x31\xaf\xc7\xd4\x5b\xe6\x98\x0a\xff\x42\x59\x56\xcb\x45\x39\x15\x13\x57\xe4\x0e\x4b\xeb\x59\xf2\xdd\x93\xef\x00\xd8\x97\x8f\x6f\xe3\xdd\xaa\xca\x3d\xee\xe4\x1a\x37\xb8\xec\x43\x59\x94\x7d\xe8\xe4\x22\x38\x7b\x98\x0e\xb2\xfd\xf1\xb4\x1d\x86\xf1\x3d\x6e\x35\x52\xe7\xcc\x5a\x41\xd2\x96\x47\x57\xfc\xd2\x4e\x4a\x1b\xdb\xaf\x3a\xc2\x83\x65\x35\x6f\xef\xb5\xa4\x4a\x45\xca\x5d\x67\xdf\xbc\x97\xbd\x2f\x42\xf7\xe4\x54\x4d\x5e\x5a\x4f\x47\x9f\xcc\xa9\xa5\x92\x9c\xab\xc4\xce\xcc\x5c\x76\xde\x9c\x8a\x1a\x13\x87\x1b\x37\x36\xaf\xe6\x93\x7b\xcc\xc3\xa6\x54\x4d\x5e\x4c\x9f\x91\x2b\x4e\xa2\xe2\xbc\x9a\x9f\xe4\xc7\x8e\x1b\xcb\x66\xb1\x09\x3a\x1c\xbc\xc0\xd8\x2d\x66\xce\x6b\xe8\x01\x3e\x73\x5e\x49\xf7\x7e\xbc\x6f\x3b\x99\xb7\x65\x3d\xf2\xc7\xfd\x1f\x39\xb1\xed\x66\x3f\xe8\xc6\xa5\xf0\x87\x3e\xc6\x46\xcd\x87\x1e\x8f\x9b\x8f\xd6\xee\xac\x99\xaf\xe8\xcd\x36\xff\x71\xd7\xc0\x0c\x5a\x03\x33\x7f\x71\xa1\xde\xc8\x3c\xe1\x19\x99\x79\x55\xbf\x2b\x87\x26\xfb\x93\x7d\xf4\xaf\xfb\xd8\xfb\xfa\xa2\xef\xb5\x6d\x58\xc5\x72\xb7\x4b\xc6\x07\xdd\xf8\x4e\x0a\x97\x21\x77\x04\xcb\xb9\xb5\x8a\xe5\x07\x5f\x5d\x95\x4a\x55\x69\x28\xee\xcf\x83\x71\x2e\x7f\x7d\x34\x6e\x0f\xf9\x4f\x6a\xa9\xaa\x69\xee\x3b\x50\xf3\xa9\xf8\x0e\xfb\xcf\xee\x35\xf2\x09\x3a\xc6\x8e\xc6\x0f\xdb\x6f\xe5\x6e\xf7\x5b\x59\x7d\x67\x9b\x21\x16\xfc\xf6\x3e\x7a\x6b\x1f\xfb\x67\xd1\x7f\x6a\x8d\xde\xd2\x42\x25\x2f\x6b\xe2\xd6\xb5\x35\xb9\x7a\x51\xa3\x9b\xbf\xf2\xd1\x5a\x36\xd6\x13\x62\x75\x22\x3b\x39\x3f\xe6\x3c\x14\xac\xca\x3d\xb8\xdc\x35\x10\x7f\x85\x68\xc2\x63\xb8\xdf\xd6\x47\xdf\xc7\xde\x12\xfd\x27\xee\x4e\x28\x25\xab\x0f\x23\xf6\x55\x04\xef\xd2\x2b\x52\x29\x2f\x69\xf9\x98\x52\x32\xac\x92\xc3\x92\xcc\x87\x61\xf6\x44\xd1\x7d\xfa\xc0\x23\xac\x53\xf1\x6d\xba\x71\x01\x4f\x1f\x7c\x47\x42\x35\xac\x5e\xe0\x48\xa8\xc2\x26\xde\xc9\x48\xa8\x6b\x15\x4f\x2f\xbe\xd1\x47\x7f\xd3\xc7\xfe\xaa\x2f\xfa\x35\x17\x6b\xbe\x7c\xf9\x75\x41\xbd\x90\x62\x86\x39\xb6\x23\xc3\x8b\x45\x55\xc4\xa0\xfb\x76\xc1\xf2\x41\x94\x25\x63\x11\x17\xab\x5c\xd7\xd4\xb5\xc2\x75\xdb\x5d\x24\x26\xb5\xb6\x56\xe2\x2c\x5e\x17\x48\xcf\x68\x5e\xd1\x5d\x2d\x9b\x6e\xc4\x5b\xaa\x76\x53\x36\xbe\xcf\x79\xd9\xf2\x22\xd7\xb4\xe1\x3b\xf4\xfd\xc6\xe7\xc2\x8d\xeb\xbe\x3a\x48\xbb\xac\xef\x85\xf1\xd9\x53\x72\xb2\xce\x7e\x6f\x90\xfd\x46\xbf\xeb\x73\x50\x3f\xd2\x6e\x41\x9c\x96\x7c\xdc\x38\x4c\x58\x3c\xf3\x4f\x5b\x2d\x84\xee\x39\x3a\x25\xac\xed\x11\x3a\xc4\xad\xed\x3e\x4a\xd1\x48\xe0\x12\xc6\x18\x1f\x1e\x2f\x2a\xee\xb6\xa1\x58\xb9\xb9\x70\x33\x3c\xc8\x9e\xa8\x36\xc3\xe6\x15\x1a\x95\x20\x40\x48\x1c\x42\xe2\x10\x12\x87\x90\x38\x84\xc4\x21\x24\x0e\x21\x71\x08\x89\x43\x48\x1c\x42\xe2\x10\x12\x87\x90\x38\x84\xc4\x21\x24\x0e\x21\x71\x08\x89\x43\x48\x5c\x47\x43\xe2\xfe\x34\x42\xf7\x8b\x90\x38\xf9\x4d\x15\xb9\xc4\x1f\xd5\x18\xfb\xad\x08\xfb\xbf\x22\x44\xce\x9f\xa2\xd1\x02\x57\x41\x58\x51\xb5\x55\x7b\xfc\xa4\x18\x67\x41\xc9\xd7\x14\xe4\xca\x8c\x7d\xe8\xe4\xfc\xdc\x19\xe3\xcf\xad\x0b\x19\xa8\x69\x68\xa2\xa6\xa1\x89\x46\x1a\xca\x2a\x74\x41\x30\xb4\x33\x34\xc3\x19\xda\x29\x3a\x41\xc7\x9a\xf0\xfc\x5b\xf7\x18\x86\xd4\xd8\x9f\x5f\xa3\x21\x31\xbc\x42\x51\xc1\x8e\x2d\x2c\xab\x79\x5d\xce\xad\x69\x4a\xe5\x36\xff\x45\x91\x75\xf6\xa9\x6b\xec\x23\x83\xf4\x2a\x71\xa4\x1d\xe0\x31\x56\x9f\x70\xce\x73\x49\x2b\xde\x90\x90\x5c\x48\xc6\x8d\x13\xc4\xbf\xcd\x68\x8e\x9a\x63\xba\x1c\x76\xa2\xc6\x16\xf0\x20\x6a\x6c\x01\x0f\x02\x0f\x02\x0f\xf6\x10\x1e\xec\x22\xe1\xd1\xae\xc1\x83\x50\xc4\x04\x1e\x04\x1e\x04\x1e\x04\x1e\x44\x8d\x2d\x48\xf6\xdd\x3d\x34\xaf\xeb\x25\xfb\xb6\x64\x8d\xad\x9b\x34\x2f\x00\xd7\x1c\x9d\xe1\x80\x6b\x92\x4e\xd1\x89\xc0\x20\x31\x53\x98\xd4\x0a\x71\xaf\xc1\x44\x0d\x45\x8d\x85\x55\xda\xba\x1a\x1e\x55\x76\x94\x1d\x0e\x4a\x9e\x12\x5d\x74\x22\x7e\xbd\x1d\xa4\xf8\x6f\xee\xa8\x01\x66\x51\xbb\xec\x56\x2d\x1b\x7b\x42\xfc\xd6\x21\x3a\x26\x60\xd6\x45\x7a\x8a\xce\x55\x25\x1c\xd5\x11\x7f\x0c\x7d\x2a\xc8\x38\x42\x66\x66\x93\x99\x99\x3f\x1c\xd9\x90\x0e\x69\xe8\x54\xa4\xa7\x45\x9e\x67\x96\xce\x3a\x79\x9e\x77\xd8\xe4\x25\x51\x83\xeb\x1c\xcd\xb9\x6a\x70\xdd\x61\x9b\xcd\xdb\x30\x5e\x31\xab\xbd\x36\x2c\xf9\xd7\x23\x35\x36\x6c\xd0\xb7\x2c\x57\xad\x3d\x4b\x89\xe3\x3c\xf6\xcc\x29\xce\xd5\x6e\xcb\x86\x8a\x5c\xe0\xbe\xe0\xbe\xe0\xbe\xe0\xbe\xa8\xc8\x85\x8a\x5c\xa8\xc8\x85\x8a\x5c\xf0\x3f\xc0\xff\x00\xff\x03\xfc\x0f\xf0\x3f\xb4\xc4\xff\x80\x8a\x5c\xa8\xc8\x85\x8a\x5c\xa8\xc8\x05\xf7\x1e\xdc\x7b\x3d\x54\x91\xab\x31\xdc\xdc\x18\x5d\xae\x15\x84\x6a\xb9\xae\xd3\x0b\xc3\x74\x20\x44\xd7\xc9\x9a\x2e\x6f\x5c\x53\x2b\xb6\x9a\x2e\xfb\xdf\x86\xd9\xff\x70\x29\x18\xc5\xb8\x62\xae\x77\x2f\x6a\xc1\xbf\xa7\x8d\x13\x93\x8f\x1b\x47\x08\x19\x0f\x47\xb4\xc8\x73\x48\x8b\xc5\x71\xaf\xd2\xa4\x98\x25\x13\x74\x84\xcf\x92\x71\xda\x47\xa9\x50\xd5\x0d\x4f\x97\x42\xa7\x46\x7d\x99\xda\x1b\x17\xc3\x67\xc3\x08\x4b\xfa\x94\xb0\xb2\x25\x3a\xbc\xdd\x89\xfe\xc6\x76\x67\xcc\xf7\x58\x12\xb7\xf5\x86\xfd\x09\xf3\xa0\x0e\x8e\x7c\x66\x9a\x32\x74\xba\xca\x6b\xba\xe1\xa1\x07\x59\x83\xab\xb4\x49\x57\xe9\xcf\xf6\xb5\xe2\xd5\x9f\x15\xfe\xd1\x53\x74\xc2\xf1\x8f\x76\xd6\x84\x94\xd7\x1a\x36\x21\xf5\xcd\x86\xdb\xc0\x24\xff\xee\x3e\xc7\x84\x7c\x8f\xb9\xbc\x95\xaa\xac\xc6\x1e\xf1\xf7\x4e\x1a\x8d\xf6\x38\x24\x61\x44\x42\x8c\x08\xa0\x78\x47\xa0\x38\x68\x08\x68\x08\x68\x48\xbb\x68\x48\xf6\xe7\x5a\xf2\xc5\x3f\x23\xc2\x97\x4e\xd3\x49\x57\xf8\x52\x3b\x3e\xf9\x31\xff\x4f\xfe\x0e\x76\x8f\x18\x90\xd6\x7f\xf5\x33\xdf\xb8\xd7\xf9\xea\x8f\xd4\xe8\xce\xd7\xdb\x41\xc4\xb9\xf2\x71\x87\x96\x02\x90\x98\xef\xb5\x05\x08\x24\xe6\x21\x31\xbf\xc9\x12\xf3\x57\x83\x65\xb2\xef\xfc\xab\xd2\xb0\xb2\x7c\xab\x4d\x7e\x76\x82\x8e\xb0\x43\xf1\x03\xb6\xd0\xf4\x43\x6e\x9d\x6a\xcf\x79\x9b\x21\x52\xdd\x72\x94\xf9\xd9\x14\x3d\x2d\xf4\x3a\xa4\xfc\xaa\xc2\xf5\x12\x34\xb9\xa0\xf0\x2f\x81\xa2\x96\xaa\x2b\x84\x71\xd3\x29\x19\xf3\xec\x96\xbc\x7c\x5d\x55\x6f\x7a\x42\x1e\x6d\xce\xf9\xf5\x51\xf6\xee\x01\x7a\xc4\xb7\x49\x3b\xe4\x37\xed\x43\x3f\x17\xed\xf6\xaf\x88\xf6\xa7\xdc\xed\x27\x4f\x1a\xa7\x4c\xfa\xb5\x6a\x86\x02\xd7\x3f\xbf\xc5\xac\xf4\xed\x7d\x74\x5d\xcc\x74\x89\x96\xf8\x4c\x7f\x1d\x5d\xa1\x67\x82\xab\xfc\xfb\x8e\xb0\x15\xc4\x5d\xbf\xeb\x77\xca\x54\xbf\x2f\xfc\x3d\xb9\xca\x9e\x33\xdf\x93\x7a\x53\xc1\x7c\x83\x42\x7a\x5b\x03\xe1\xa3\x1f\xa2\xb0\xf9\x70\xc0\x9f\xcc\x86\x4c\x89\x49\xf3\xac\x6e\x99\x15\x99\x9b\xa4\x50\xa1\x6a\x2d\xd4\xae\x59\x81\x85\x12\x70\x6f\x93\xb8\xf7\xff\xed\x0b\xfe\x7e\x77\xce\xaa\xad\x0a\x5c\xbc\x42\x79\x07\x17\xb7\xef\x72\x96\xad\xdc\x6c\x63\x18\x42\xaf\x93\xff\xb8\x2b\xcc\x56\x26\x6c\x04\x1d\x62\x1e\x4f\x8b\x03\xbb\xc6\x3a\x02\x58\x03\x58\x03\x58\x03\x58\x03\x58\x03\x58\x6f\x18\x58\x7f\xba\xaf\xc5\x31\x4c\x1b\x4f\xbd\xbd\xf3\xb8\xa8\x70\x8c\xbd\xd9\xcb\x93\xcc\xbb\x5e\x19\xb6\xfe\x38\x11\x02\xc3\x43\x56\x25\xa7\x38\xbd\xe9\x86\x45\x09\xd0\x79\xaf\x2d\x85\x80\xce\x81\xce\x37\x19\x9d\x77\x15\x38\x0c\x45\xec\x9b\xfd\x39\xca\x9e\xa3\x39\x76\x26\x3e\x63\x63\xf5\xa4\x1b\xc9\xd7\x6f\xad\x03\x45\x5e\x7f\x75\x88\x8e\x0b\x82\x5e\xaf\x70\xad\x4d\xd0\x79\xf8\x37\x3f\x54\xe7\x65\x68\x75\xf6\xcd\x04\xfb\x6f\x03\x21\x45\xcf\xd7\xcd\x1c\xb5\x52\x5e\x59\x57\xf2\x6b\x52\xd1\x2d\xc7\x24\xd9\xf9\xa0\x4e\x75\xdb\x94\x6b\xd7\x30\x61\xef\x37\x12\xbc\x99\x84\x23\xc7\xe0\xc9\xaf\x57\xcb\xb2\xbd\x19\xd4\x2b\xb2\x94\x4f\x25\x53\xb7\x1a\xae\x9b\x7e\x5e\xd1\x2b\x5d\x2e\xb3\xbd\x41\xb9\xa8\x3a\xdf\x5a\x2e\x8b\x35\xb3\x2e\x97\xc2\xe5\xa2\xf6\xf8\xbf\x5f\x3b\x19\xf1\x8e\x09\xcd\xa8\x4e\x56\xe0\x47\x2d\x42\x88\x8d\xa3\x16\x21\x44\x67\x20\x3a\x03\xd1\x99\x1e\x12\x9d\x41\x2d\x42\xd4\x22\x84\xd8\x07\xc4\x3e\x20\xf6\x01\xb1\x8f\xae\x10\xfb\x40\x2d\x42\xd4\x22\xdc\x2a\xf2\x06\xa8\x45\xd8\x8e\x5a\x84\x7f\x3f\x44\x07\x05\x3a\x2c\xa9\x79\xd9\x9f\x14\x6a\x6b\x25\xe3\xae\x73\x45\x49\xd7\x65\x3b\xc0\xf6\xd3\x43\xec\x7f\x0e\xd0\x4e\xe3\x34\x9b\x11\x7e\xa2\xcf\x1c\x7b\x17\x19\x2c\x59\xd6\xcc\xaa\x9e\x77\x49\x34\x37\x65\x34\xd7\x12\x46\x38\xe2\x2c\x5f\xf8\x12\xcd\xfc\xd8\x19\x2b\x20\x67\x5d\x96\xf0\x2c\x85\x5d\x6d\xa7\x92\xbb\xf9\xe5\x2e\xa8\x79\xd9\x24\x8a\xee\x1e\x82\x27\xd6\xf2\xc4\x0d\x69\x65\xb8\xe6\x95\x15\xfa\xee\x1a\x5e\x9f\xc8\xb4\x60\x6f\x00\xbf\x6d\xc0\x43\xc0\x43\xc0\x43\xc0\x43\xc0\x43\xc0\x43\xc0\x43\xc0\x43\xc0\x43\xc0\x43\xc0\x43\xc0\x43\xc0\xc3\x4e\xc3\xc3\xa3\x74\x98\x1d\x8c\xef\xb7\x83\xa2\x1e\xf4\xe4\x29\xbb\x36\x79\xed\x0f\x81\x02\x77\x04\x77\x04\x77\xdc\x42\xdc\xf1\x37\x13\x34\x26\xb8\xa3\xb6\x2c\xe5\x52\x16\x63\xaa\xca\xf8\x1f\xd3\xd4\xa2\xbc\xac\x94\xf2\x4a\xa9\xa0\xb3\x77\x27\xd8\xdb\x06\xe8\xd5\xc6\x09\x93\xee\xe3\x97\xd6\xd3\xd1\x61\xb1\xca\xd4\xcc\xef\xa3\x65\x40\x6d\xe6\xa8\x16\xe5\x8c\x68\x27\x39\x6e\x1c\x7a\xa9\xba\x91\xc5\xb4\xeb\x98\x59\x55\x9b\x2c\x16\x6d\xd1\x9c\xae\x87\x80\xaf\xa7\x29\x01\x01\x8f\xd3\x04\x87\x80\x07\x68\x9c\xf6\x05\x06\xf3\xf2\x21\x5f\x4f\xa7\x5c\x77\xdc\x50\xd9\xc9\x7c\x38\xf7\x9b\x64\xa7\x4c\xee\x17\xf8\x5c\x2d\x0a\xe8\x5c\xdc\x23\x7f\x11\x56\xdc\x12\xf8\x0f\xf8\x0f\xf8\x0f\xf8\x0f\xf8\x0f\xf8\x0f\xf8\x0f\xf8\x0f\xf8\x0f\xf8\x0f\xf8\x0f\xf8\x0f\xf8\x0f\xb1\x83\x60\x78\x60\x78\x60\x78\x9d\x62\x78\x9f\x4a\xd2\x21\xc1\xf0\xf4\xdc\x75\x39\xbf\x56\x34\x56\x6b\x55\x11\x84\x65\x4d\x51\x35\xa5\x72\xbb\x2a\x78\xf0\xdb\xc3\xec\x27\xfb\x89\x39\xe7\xd9\x21\x84\x7e\x05\x89\xe6\xcd\x46\xb8\x33\x21\x19\x37\x8e\x58\xb0\xcf\x34\x63\xf6\x3c\xc7\xb4\x58\x65\x73\x63\x75\xab\x52\xae\xd1\xb0\x12\xe4\x3d\xbd\x0b\xe5\x6c\xb9\x70\xce\x76\x9a\x9d\x34\x39\x5b\xcd\xd8\x5b\x65\xa9\x3c\x97\xdc\x88\x00\x5c\x41\xae\x50\xf4\x6d\x3b\x7c\x1f\x4f\x40\xed\x22\xef\x13\x7a\xd2\x3c\xa8\x93\x0f\x29\x73\x91\x9e\xa2\x73\x55\x2a\x26\x77\xf2\x94\x20\x63\x02\x61\xcb\x26\x85\x2d\x7f\x6d\x63\x22\x51\xe1\x06\xe3\x69\xa1\x51\x99\xa5\xb3\x8e\x46\x65\x9b\x6d\x50\x48\x75\xa3\x4e\x98\xa8\xe4\x87\x76\xf9\xda\x20\xa7\xf8\x91\xd7\xec\x3c\x21\xfe\xde\x51\xab\x03\x31\x49\x88\x49\x42\x4c\x12\x62\x92\x10\x93\x84\x98\x64\x6f\x8a\x49\x76\x64\xb3\x12\xaa\x58\x99\xf9\x89\x9d\xbe\x6b\x85\xb0\x92\x49\xde\x15\xc4\x1e\xae\x37\xd6\xa9\x05\x04\x84\x1f\x7b\x6d\xd9\x02\xe1\x47\x08\x3f\x6e\xb2\xf0\xe3\x5d\xc9\xb2\xc2\x04\x24\xeb\x97\x54\xf2\xb4\xde\x01\xb9\xc6\x4f\x0c\xd3\x61\xb3\xe0\x51\xb9\xac\xd7\xa9\xe0\x9e\x97\xcb\x45\xf5\xf6\xaa\xb1\xb8\xb0\xc0\xe9\x37\x87\xd8\xd7\x22\x74\x8f\x71\xe2\xd2\x7a\x3a\xfa\x88\x0f\x2d\x9d\xb6\xcf\x4a\x3e\xca\x8b\x15\x95\xcb\xba\xbb\x02\xa0\xf3\x7b\x8b\x31\xe9\xeb\xe8\xa4\x98\x5a\x87\xe9\x20\x9f\x5a\x63\x34\x4a\x7b\x83\x25\x45\xcb\x65\x5d\x6c\x7d\xad\xfe\xdc\x69\x85\xa1\x0b\xe1\x73\x6d\x2f\x1b\xb6\x64\x42\xcb\x65\xdd\x9c\x5e\xae\x1e\xb8\x23\x11\xa3\xff\x6e\xbb\x33\xd2\x31\x7f\xf0\xe9\x1a\xec\xc7\xad\x32\x40\x1d\x1a\xef\x0c\xcf\xf4\xae\xfa\x7c\x6f\x6c\xc0\xf1\xc5\x06\xe3\x6c\x92\x71\xfe\x54\x9f\x88\x39\x4e\xf3\x98\x63\x9b\x4a\xb6\xec\x95\xbf\x53\x5b\xd2\x20\xc7\x6c\xcc\x64\xd4\x35\x13\x6e\x7b\x92\x7c\x7e\x97\x63\x32\x1e\xb0\x39\xa5\xcb\x4a\x98\x9b\xc7\x8e\x19\x09\x00\x4a\x00\x4a\x00\x4a\x00\x4a\x00\x4a\x00\xca\xde\x04\x94\x8d\x7d\xe2\x83\xbe\xe8\x35\x9f\xfe\x06\x58\xe4\x5f\xdc\xeb\x2c\x02\x86\x43\x00\xa4\x6b\x69\xf0\x98\x28\x49\xd3\x81\x95\x01\xc8\x63\xaf\xad\x47\x40\x1e\x41\x1e\x37\x99\x3c\xb6\x1f\x0f\xb5\x98\xff\x84\x63\xc5\xc3\x74\x90\xed\x8f\xa7\x6d\xac\xf8\x3d\x6e\xac\xe8\xb4\x7a\x57\x94\x69\xff\x56\x84\x1e\x11\xd4\x32\x27\x6b\x66\xcc\xa8\xac\xbb\x72\xb5\x19\x0f\x5f\xa6\xfb\xdc\x3f\x1b\x5f\xc0\xd7\x16\xe4\x8a\x37\xaf\x42\x44\xac\x26\x1f\x29\xc8\x95\x29\xd7\xc1\x8b\xe9\xc9\xf9\x39\x2b\x91\xaf\x85\x7e\xb6\x9a\x86\x26\x6a\x1a\x9a\x68\xa4\xa1\x6c\x99\x9e\x11\x33\xd8\xf8\x7c\x19\x33\x78\x96\xa6\x29\xd3\xc4\x47\xcb\x75\x9f\x8d\x24\x5e\xb3\xaf\x47\x28\x6a\x8e\xbd\xaa\x6a\x79\xa5\xe4\xc9\x93\x67\xbf\x1b\x61\xbf\x1d\xa1\x9d\xee\xdf\xa2\xd1\x02\x5f\x03\x1b\x2b\x71\x3b\x68\x59\x8a\xf1\xb9\x9f\x34\x9e\xc8\x94\xeb\xe0\xc9\xf9\xb9\x33\xc6\x0f\x5d\x38\xe4\x0a\x5d\x10\x43\x7e\x86\x66\xf8\x90\x9f\xa2\x13\x74\xac\xb9\x21\xe7\xf7\x18\x3a\xd6\x9f\x4c\x50\xd2\x54\x44\x95\x2b\xb7\x54\xed\xa6\x27\xaa\xd9\xfa\x23\x5f\x6d\x2b\xb2\xce\xde\x91\x60\xdf\xea\xa7\x57\x3a\xc7\x1a\x53\x7e\x6f\x7d\x35\x82\x0b\xe2\x60\xb1\xde\x4e\x8e\x1a\x07\x5f\xb0\xcf\x5f\x4c\x7b\x7e\xde\x6a\x52\x04\x2b\x74\x4e\x3c\xb0\x69\xca\xf0\x07\x76\x9c\xea\x2c\xec\x52\xae\x31\x5e\x4f\xa7\x3c\x77\xde\x90\x24\x41\x88\x58\xc0\x8d\xd7\x87\x7f\x12\x8e\xb1\xa3\x96\x54\x69\xf5\x03\x37\xbf\x0f\x9e\x6e\x79\x3e\x11\x10\x23\x80\x18\x01\xc4\x08\x20\x46\x00\x31\x02\x88\x11\x40\x8c\x00\x62\x04\x10\x23\x80\x18\x01\xc4\x08\x20\x46\x00\x31\x02\x88\x11\x40\x8c\x00\x62\x04\x10\x23\xe8\x94\x18\xc1\x7f\xb8\x46\x7b\x4d\x31\x82\x8a\xaa\x49\x85\x9a\x5a\x46\xe6\x9f\x4d\x21\x02\xf6\x9e\x6b\xec\xe7\x06\xe9\x3e\xf3\xaf\x76\xbe\x48\xb2\x3e\xb9\x5b\x10\x87\x8b\x6c\x91\x47\x8d\x63\xcd\xbf\x98\x99\x22\xee\xdf\xbb\x9c\xd4\x65\x80\xae\x80\xae\x32\x40\x57\x40\x57\x40\x57\x40\x57\x3d\x83\xae\x32\x5d\x83\xae\x5a\xde\x93\xa6\xd1\x55\x06\xe8\x0a\xe8\x0a\xe8\x0a\xe8\x0a\xe8\xaa\xf3\xe8\x2a\xd3\xd3\xa4\x29\x03\xd2\xd4\x3e\xd2\x94\xe9\x76\xd2\x94\xd9\x82\xa4\x29\x5b\x08\xce\x59\xdc\x58\x6a\xbd\xc9\xa9\xac\xbc\x7a\x37\x3b\x3a\xaf\xe8\x76\x06\xe3\x52\x78\x08\xd3\x71\x36\x61\x65\xd0\x7b\xe0\x97\x19\xbf\xe4\x6e\xd9\x27\x7b\x3e\x24\x86\x2a\xfe\xe1\x1d\xb5\x9c\xec\x35\xe2\xb3\x14\x93\xbc\x48\xcc\xfc\x5a\x75\x00\x8a\x09\x86\x75\x8e\xe6\xe8\x4c\x55\x1e\xc1\x61\x3a\xd8\xd4\x98\x23\x89\x00\xc9\xd0\x4d\x26\x43\x3f\x1f\x11\x61\xaa\xe3\x3c\x4c\xd5\xc9\x6c\x3a\x4a\xcd\x4e\xc6\x60\x1b\x73\x56\xd8\x98\x49\x3a\xc5\x6d\xcc\x1d\x5c\xe2\x29\x91\xbf\x3d\x4b\xd3\x4e\xfe\x76\xf3\xcd\x85\x47\x64\x96\x55\xbd\x42\x0d\x9a\xb3\x1a\x2b\xd5\xb0\x7d\x4b\x7e\x6d\xa4\xd6\x5c\x3d\x6e\x66\xd8\xb9\xd2\x15\xd5\x15\xaf\xe9\x4a\x9a\xea\x91\x1e\xd3\x35\x65\x1f\xdf\x46\x23\xd6\x9e\x14\x6d\x90\x5d\x90\x5d\x90\x5d\x90\xdd\xde\x21\xbb\x58\xbf\x85\xac\xdf\xba\x07\x7d\x43\x1e\xa3\x23\xf2\x18\xf0\x30\xc0\xc3\x00\x0f\x03\x3c\x0c\xf0\x30\xf4\xb4\x87\x01\x2a\x49\x50\x49\x82\x4a\x52\xbb\x54\x92\xe0\xc0\x83\x03\xaf\x57\x1d\x78\x1b\x94\x93\xbe\x73\x31\xaf\xa4\x3f\x5d\x7e\x80\xdd\x2f\xde\x66\xc7\xd2\x36\x4a\x9a\x9b\x77\x9c\xb5\x5e\x63\xe5\x4f\x13\xf4\x90\x31\xa9\xc6\xd6\xd3\xe2\x89\x8e\xf1\xc7\xa8\x71\x8f\x08\xfb\xf5\x04\xfb\xf8\x00\xdd\x93\x53\x35\x79\x69\x3d\x1d\x5d\x37\x57\x98\xa5\xbc\xb2\xae\xe4\xd7\xa4\xa2\xdb\x5d\x2a\xd9\xbb\xb9\xf3\x46\x0b\x97\x8c\x1f\x52\xae\x4f\xf6\x84\xfd\xb1\x4f\xf0\x66\x12\x0e\x4c\xf5\xd0\x31\xb5\x2c\xdb\x1b\x72\xbd\x22\x4b\xf9\x54\x72\x98\x9f\x30\xa5\x6a\xf2\x62\xda\x69\xfc\xbc\xa2\x57\xb6\x9a\x56\xc5\x4d\x9a\x17\x93\x77\x8e\xce\xf0\xc9\xcb\x15\x95\x9b\x98\xbc\xdc\x63\x3d\xb3\xde\x88\x46\xd1\xf9\xf0\x49\x39\xcc\x12\x3e\x6a\x74\xf1\xb8\x39\x29\x9d\x31\xa7\x1b\x7b\xfc\x5f\x87\x9d\x8c\xf8\x6d\x72\xff\x2d\x34\x2a\x10\xe8\x0f\x8d\x0a\xb8\x83\xe0\x0e\x82\x3b\xa8\x87\xdc\x41\xd0\xa8\x80\x46\x05\x30\x3c\x30\x3c\x30\x3c\x30\x7c\x57\x60\x78\x68\x54\x40\xa3\x62\xab\x80\x47\x68\x54\xb4\x43\xa3\xe2\xcb\x43\xb4\xdf\x8b\xf7\x02\x0a\xbf\x59\x8d\xbd\x71\x4d\xad\x48\x3a\xfb\x99\x21\xf6\x29\x17\xf8\xbb\xdd\x18\xf8\xb3\x76\x78\x4f\x1b\x8d\xb4\x88\xfd\x0d\xba\xd8\x9f\x53\xa2\xc0\x73\xa5\xf3\x8a\xde\xba\x4a\x05\x77\x11\xf8\xbb\x18\x0e\xfe\x46\x58\x52\x20\x3e\xcf\x80\xfa\x15\x9b\x8a\xc7\xc1\xfe\xc0\xfe\xc0\xfe\xc0\xfe\xc0\xfe\xc0\xfe\xc0\xfe\xc0\xfe\xc0\xfe\xc0\xfe\xc0\xfe\xc0\xfe\xc0\xfe\xba\x92\xfd\x6d\xbd\x82\x4f\xa0\x8b\xa0\x8b\xa0\x8b\x5b\x88\x2e\xfe\x55\x92\x66\x85\x02\x6e\x5e\xd1\x73\xaa\x61\x56\xdd\x75\xab\xfc\x49\xa3\x5c\xca\x97\x55\xa5\x54\xd1\x8b\x8a\xfd\xd3\x5b\xd8\xff\x91\x64\x3f\xdc\x4f\x3b\xed\x76\x96\xd6\xd3\xd1\x98\x26\x4b\xf9\xaa\x4d\xef\x8c\x79\xf6\x82\x71\x76\x72\xd0\x38\x62\xda\x3a\xc7\x0d\x08\x3d\xc7\xb5\x36\x7b\x3e\x2b\xd1\xac\x60\x79\xa7\xe8\x04\x67\x79\x87\xe9\x20\xed\x0f\x94\x30\x70\xc6\x66\x3d\x9d\xf2\xf4\x2b\x94\xe0\x05\x97\x92\x2f\xc8\x15\xba\x71\x2d\x1c\xf0\x4d\xb0\x23\x26\xc0\xab\x7e\x44\x66\x6c\x9f\xb7\x43\x6e\xf0\x17\xfd\xda\xf6\xaa\x07\xb2\x47\x93\xcb\x45\x29\x57\x5d\x50\xd6\xfb\x4c\x86\xcd\x83\x3a\xfd\x58\x32\x73\x74\x86\x66\xaa\x94\x59\x9a\x7b\x2e\xc8\xeb\x85\x2e\x4b\x93\xba\x2c\x1f\xe9\x6b\x99\x71\x38\x27\xc4\x52\xa6\x29\xe3\x88\xa5\x6c\x82\xa5\x29\xaf\xb5\xdd\xd2\x24\x7f\x7a\x57\x95\xa5\x79\xad\x99\x79\x23\x95\xaa\xac\xcb\x90\xf8\xa1\xe3\xc6\xa5\x3d\x8a\x29\xb0\x33\x21\x76\x06\x59\xfb\x1d\xc9\xda\x47\xba\x26\xd2\x35\x91\xae\xd9\xae\x74\xcd\xec\xa7\xfb\x5a\x9c\xb3\x76\x49\x48\xbf\x9d\xa3\x39\x97\xf4\x5b\x9b\xf3\xe0\x62\xfe\x2b\x84\x1d\xec\x1e\x31\x4c\xed\x5e\x24\x64\xde\xbd\xb3\x6a\x91\x30\x52\x96\xb4\x8a\xc2\x9d\x98\x62\x5f\x5b\x77\x5f\x92\xe0\x15\xd4\x3b\xb9\x70\x78\xb8\xba\x21\x51\xd6\x7f\x2f\xaf\x4e\xbd\xdb\xfd\xe3\xaa\xac\x15\x64\xf7\xaf\x83\xee\x5f\x75\xab\x8c\xff\x68\xcd\x71\x9e\x56\x78\x5d\x7c\xf3\x57\xa3\x97\x99\x0b\x74\x9e\xb2\x55\x3b\xa2\x3a\xa5\x91\xeb\xcc\x91\x79\xee\xea\xc7\x72\x25\x64\xb9\xf2\xd1\x7e\xfa\x70\x3f\xfb\x50\x7f\xf4\xe7\x6d\x9b\xff\xf6\xfe\xde\xd9\x16\x55\x79\x47\x8c\x71\xe6\xde\x7e\xee\xc1\x33\x26\xa7\x13\xf3\x33\x14\x30\x71\x87\xf9\xa7\x4b\x04\x87\x48\x45\x7e\xa6\xb1\x46\x13\x67\xf3\x23\xf8\x7a\x49\x8f\x0d\x65\x75\xb5\x34\x2f\x82\x5f\x9e\x32\x5e\x0b\xf3\xdf\x0b\xd6\xcb\xe2\xfc\x71\x38\x78\xbf\x96\x79\xa9\x8f\x5e\xec\x63\x2f\xf4\x45\x3f\x67\x63\xb7\x0f\xf6\xcd\xaa\x5a\x8e\x2f\xe5\x0a\x2a\x1f\x76\x35\x16\x5f\x31\xfe\x14\x8f\x4d\x7a\xee\x82\x03\x55\xb1\xea\x5a\xd3\x1d\x37\xff\xa8\x94\xe3\x37\xce\x83\x27\x8a\x4a\xce\xfc\xaa\xca\xc5\xbc\x1e\x53\x6f\x99\x63\x2a\x82\x0b\xca\xb2\x5a\x2e\xca\xa9\x98\xb8\x22\x8f\x56\xb2\x9e\x25\x07\x9b\xbe\x03\x60\x5f\x3e\xbe\x8d\x77\xcb\x13\x79\xd3\x39\x38\xd5\x5e\x73\x7f\xe3\x31\xff\xef\xcd\x76\xf6\x0a\x3e\x0a\x94\x9d\xa0\x23\xec\x50\xfc\x80\xed\xe0\x78\x88\xbf\x56\xe6\x3b\xee\x69\x38\x3e\x60\xfc\xe4\x76\x5d\x6c\x3d\xe7\x08\xfb\x76\x82\x86\x04\x6c\x15\x91\x72\xd5\xd5\xc6\x44\x78\xa7\xf8\x8d\x7d\x3e\xc1\x7e\x73\x80\x5e\x25\xfe\xcf\xd6\x24\x7d\x63\x63\x61\x9c\x3c\xba\xb0\x45\xe1\x9b\x7b\x6f\xd9\xf1\x8a\xba\xa9\x70\xca\xff\x07\xc9\xdb\x8d\xc5\x70\x36\x12\x72\x79\xe3\x4a\xf8\x9b\x78\x80\x8d\x9b\x6f\xa2\x67\xf6\x58\xaf\x21\xef\x4b\xad\xdc\x00\x62\x39\x11\xcb\x89\x58\x4e\xc4\x72\x22\x96\x13\xb1\x9c\x88\xe5\x44\x2c\x27\x62\x39\x11\xcb\x89\x58\x4e\xc4\x72\x22\x96\xb3\xb3\xb1\x9c\x88\xb4\x44\xa4\x25\x22\x2d\x7b\x38\xd2\xf2\x43\x0f\xd1\x41\x2b\x8f\x3b\x20\xae\xd2\x78\xe1\x5c\x11\x95\x63\x3a\x77\xeb\xb1\xff\xfe\x20\xfb\x7a\xc4\xc9\xe4\x7e\x82\xc7\x54\x8a\xdf\xac\xc1\x75\xbe\xb4\x0b\xa2\x8d\xe4\xe3\xc6\x51\xd5\x39\xd7\xe6\x8f\xc2\x5d\xd8\xe2\x90\xca\x45\x3a\x26\xd0\xda\x01\x1a\xe7\x68\x6d\x84\x92\x34\x14\x48\xad\x8d\xbb\xe1\xae\x4b\xd1\xa5\x3b\x8d\xa3\x9c\x0b\xe7\x67\x83\xec\x89\x6a\x55\x44\xeb\xe2\x9e\x98\xc9\x0f\x6f\x77\xc6\x3a\x61\x85\x4b\x86\x0d\xf7\x13\xe6\x81\x1d\x1c\xf1\xcc\x49\x3a\x4e\x13\x55\xbe\xc1\x0d\x0c\x39\x7c\x81\x08\x91\x6c\x32\x44\xf2\xc7\xfb\xee\xec\x65\x3f\x2d\xe2\x22\x8f\xd2\x61\x27\x2e\xb2\x53\xe6\x82\x07\x43\xb6\xce\x5c\x64\xfe\xf2\x5e\xc7\x5c\xec\xab\x09\x67\x08\xb3\x1b\xf1\xb2\x9f\x36\x46\x9b\xac\x06\xa2\x19\x7a\xcd\x82\x21\x9a\x01\xd1\x0c\x9b\x1c\xcd\xd0\xe6\x75\x61\xeb\x2c\x79\x78\xb8\xc2\x01\x1a\x67\xfb\xe2\x29\x3b\xe4\xe0\x01\x77\xb8\x82\xd9\xe4\x5d\x11\xa8\xf0\x5f\x46\xe9\xbc\x08\x54\x90\xf2\xab\x0a\xf7\x75\x6a\x72\x41\xe1\x76\xdf\xd8\xdf\x38\x19\x62\xdc\x46\x4a\xc6\x84\xba\x25\x2f\x5f\x57\xd5\x9b\x1e\x0f\x95\x9d\x1b\xf6\x9e\x51\xf6\xff\xf5\xd3\x83\xbe\xad\x19\x1f\xce\xb4\x4f\x9e\xd8\xa2\xdd\xf4\x15\xd1\xf4\x94\xbb\xe9\xe4\x51\xe3\x94\x49\xbf\x06\x17\xd3\xf5\x4f\x6d\xf1\xc6\xe7\x9f\x51\x4e\x4c\xf0\xab\xf4\x1c\x9f\xe0\x3c\xd1\x20\x70\x82\xfb\x8f\xe8\x7a\x3a\x55\xbf\xd3\x77\xba\x41\x7a\x73\xf8\x7b\x72\x85\x3d\x63\xbe\x27\xf5\x9e\xba\xf9\x06\x85\xf4\xd6\xb3\xa3\xfa\x21\xaa\xf3\xe8\x0f\xf8\x67\xa4\x85\x3c\xfd\xe3\xe6\x59\x5d\x30\x01\x32\x2b\x94\xa7\xe5\xaa\x55\x4d\x1b\x66\x00\x56\x3b\xd8\xaf\x35\xb9\x5f\xfb\xcb\xbe\xe0\xd2\xe0\x1d\x31\x5e\xd7\xc5\x86\x4f\xa2\x25\x67\xc3\xd7\x96\x2b\x35\xb8\xff\xdb\x44\x6b\x98\xfc\xdb\x5d\x75\xac\x61\xc2\xca\x9a\x0b\x33\x80\xc7\xc4\x81\xdd\x60\xff\x90\x58\x87\xc4\x3a\x24\xd6\x21\xb1\x0e\x89\x75\x48\xac\x6b\x26\xb1\xae\x93\xa9\x70\xad\xcd\xe2\x6b\x3c\xb1\xae\xb1\x05\xc7\x86\x17\x13\x8d\xac\x50\x32\xdf\xdc\x59\x67\xc1\x71\x22\x24\x03\x2f\x64\x19\x32\xc1\xd1\xc8\x26\xaf\x42\xc0\xb5\x7b\x6d\xed\x03\xae\x0d\xae\xbd\xc9\x5c\xbb\x4b\xb0\xdf\x26\xee\x64\xc3\x81\xf9\x39\x9a\x63\x67\xe2\x33\x36\xfa\x4e\xba\x81\x79\xfd\x2b\xd5\x72\xf4\x96\x53\xee\x8f\xd8\xe9\x78\x39\x55\xd5\xf2\x4a\xa9\x0a\x6e\x8b\xa4\x3c\xbe\xba\xd7\xd9\xdb\x12\xec\xef\xfb\xe9\xd5\xee\x23\xed\xa4\xbc\x3d\x22\x6a\x5b\x33\xe3\x4d\xad\x35\xbb\xba\x12\x33\xc6\x34\x76\xde\x68\x21\x39\x62\x1c\x34\xe5\x3a\xdd\xcc\xa5\xe3\xbf\x6e\xb5\x3c\x3a\x99\xb2\x62\xf2\x4f\xd1\x24\x9f\xfc\xc7\xe8\x28\x1d\xae\xe3\xd4\x71\x8d\xaf\x39\x6a\x29\x7e\xe3\xe7\x15\x3d\x3c\x83\xae\xb1\x34\x55\xb3\xd0\xa9\xd1\x6a\x6d\x1e\x9c\xf9\x02\xf8\x3c\x68\xba\xf1\xa8\xff\x34\xbe\x87\x6d\x43\x39\x04\xa4\xd0\x21\x85\x0e\x29\x74\x48\xa1\x43\x0a\x1d\x52\xe8\x90\x42\x87\x14\x3a\xa4\xd0\x21\x85\x0e\x29\x74\x48\xa1\x43\x0a\x1d\x52\xe8\x90\x42\x87\x14\xba\x8e\xa6\xd0\x7d\x67\xd8\x0a\x4b\xf5\x2b\x56\x50\xb7\x38\xaa\x7f\xc9\x82\x5f\x1c\x66\x6f\xdb\x56\x25\x49\xf9\xc9\x3e\xf3\x91\xb8\x74\xb5\x4a\x96\x91\xb3\x90\x9e\x47\x9b\xac\x25\x3a\x5b\x23\xce\xb2\x86\x2f\xdd\xcc\x8f\xa0\xb1\x32\x72\xd6\x6b\x09\xcf\x12\xd9\xd5\x76\x2a\x29\x2e\xd7\x41\x6d\xcc\xbb\x48\xa1\x2b\x98\x63\xf3\x8e\xb5\x5b\x16\x15\x80\x11\x80\x11\x80\x11\x80\x11\x80\x11\x80\x11\x80\x11\x80\x11\x80\x11\x80\x11\x80\x11\x80\x11\x80\xb1\xc3\x80\xb1\xb7\xe4\xc8\x81\x3f\x81\x3f\x81\x3f\xb7\x10\xfe\xfc\x1f\xd7\xe8\x98\xc0\x9f\x25\xb9\x72\x4b\xd5\x6e\x1a\x6b\xc9\xd0\x62\xad\x4a\xa9\xa0\xc9\xba\x2e\xeb\xec\x63\xd7\xd8\x7b\x07\xe9\x95\xce\xc9\x4b\xeb\xe9\xe8\x93\xf5\x63\x17\xe7\xc4\xd9\xc9\xc7\x8d\xc3\x2e\xd8\x67\xba\xf1\xa2\x79\x48\x97\x83\xc5\x0c\x20\x1b\x20\x5b\x06\x90\x0d\x90\x0d\x90\x0d\x90\xad\x67\x20\x5b\xa6\x6b\x20\x5b\xcb\x7b\xd2\x34\x64\xcb\x00\xb2\x01\xb2\x01\xb2\x01\xb2\x01\xb2\x75\x1e\xb2\x65\x7a\x9a\x3a\x65\x40\x9d\xda\x47\x9d\x32\xdd\x4e\x9d\x32\x5b\x90\x3a\x65\xdf\x40\x33\x22\x20\xeb\x24\x1d\xe7\x01\x59\x87\xe8\x00\x8d\x07\xa6\x7a\xba\xd0\xd4\x7a\x3a\x65\xb2\xa1\x86\xb2\x3c\x9f\x0d\x0f\xb2\x3a\xc8\xf6\x8b\x60\x2a\xb3\x5d\x3f\x2d\x8c\x1a\x36\x16\x9a\xe0\x19\xff\xfe\x1d\xd5\x54\xec\x7e\xf1\x19\x8a\x49\x25\x9b\x80\xed\x11\x7f\xea\x0c\x03\x13\xc8\x6a\x9a\x32\x74\xba\x4a\x56\x62\x1f\xa5\x36\x36\xf6\x10\x93\x80\x6c\x60\x93\xb2\x81\x7f\xd3\x47\x93\xe2\xdd\x9f\xa0\x23\xfc\xdd\x1f\xa7\x0d\xcf\x3f\x51\xcc\x38\xcd\x8b\x19\xdb\xda\x7f\xcd\xb4\x73\x46\xc8\x04\x9d\xa6\x93\x2e\x99\xa0\x66\x1a\x0a\x33\x44\xc1\xe6\xa2\xac\xea\x15\x6a\xd0\x50\x05\x9a\xa3\x60\x0b\x96\xfc\xd3\x91\x6a\x43\xb4\xdb\xd4\x6d\x72\x89\x60\xa9\x2b\xb6\x4d\x1a\x15\xbf\xba\x6d\xd2\x94\x7d\x60\xbb\xad\x53\x7b\x64\xff\x40\x68\x41\x68\x41\x68\x41\x68\x7b\x87\xd0\x62\x7d\x16\xb2\x3e\xeb\x1e\x84\x0d\xc9\xd5\x8e\x48\xae\xc2\x53\x00\x4f\x01\x3c\x05\xf0\x14\xc0\x53\xd0\xd3\x9e\x02\x28\x6f\x43\x79\x1b\xca\xdb\xed\x52\xde\x86\x23\x0e\x8e\xb8\x5e\x75\xc4\x65\x0b\xad\xd5\x81\x0f\x45\xca\x49\x7f\xa4\xfc\x00\xbb\x5f\xbc\xcd\x8e\xa5\x6d\x23\x5e\xde\x82\x39\x2a\xec\xdb\xc3\x94\xb1\xaa\x66\xd7\x15\xf8\xd0\x64\x1b\x5b\x1b\xab\x36\xcd\x18\x50\xcd\x16\xfa\xf8\x04\x17\xfa\xb0\xeb\xb4\x7e\xa6\x11\x8d\x8f\x4b\x4e\x8b\x53\x76\x8b\x5d\xa1\xf5\x91\xbc\xe5\x57\x34\xd6\xb7\xbf\x5d\x1e\x95\x9f\xbd\x19\x5c\xa9\xa1\xe5\x3a\x20\x0d\xcb\x7d\x5c\x09\x7f\x03\x0f\xb0\x71\x1f\xdf\xb3\x5d\x5f\xd2\xf7\x59\x40\xe8\x03\x39\x08\x10\xfa\x80\x87\x0b\x1e\x2e\x78\xb8\x7a\xc9\xc3\x05\xa1\x0f\x08\x7d\xc0\xb3\x00\xcf\x02\x3c\x0b\xf0\x2c\x74\x85\x67\x21\x9b\xa1\xd3\xec\x64\xfc\xb8\x0d\x42\x1e\x77\x0b\x7d\xf8\xee\xdd\x20\xf8\xb1\xd5\x89\x2f\x04\x3f\x20\xf8\xb1\xb5\x52\x2f\xd8\xaf\x24\x68\x54\x08\x7e\x68\xcb\x52\x2e\x65\xb1\x31\xdf\x32\x65\x9a\x5a\x94\x75\xf6\x8e\x04\xfb\x56\x3f\x3d\x64\x1c\x3e\xe9\x3e\xda\x2e\x55\x16\xaf\x2f\xf7\x71\x49\x2d\xca\xc9\x7d\xc6\x31\x97\xaa\x9b\x30\xcb\x95\x19\x47\x6c\xb5\x6a\x65\x57\x37\x16\xc6\xce\x07\xdb\xaa\x52\x66\xdc\x6f\x43\xe9\x2b\x21\x49\x26\x37\x96\xc3\xa1\xe2\x29\x76\xc2\x04\x89\x81\xcf\xdb\xe2\x8b\x6a\xd1\xa7\xc8\x19\xf8\x22\xf8\x22\xf8\x22\xf8\x22\xf8\x22\xf8\x22\xf8\x22\xf8\x22\xf8\x22\xf8\x22\xf8\x22\xf8\x22\xf8\x22\x2a\x95\x81\xdc\x81\xdc\x81\xdc\x75\x8a\xdc\xfd\x9b\x37\xd0\x9c\x20\x77\xd2\x5a\x45\xd5\x73\x52\x51\x29\x15\xc6\xd6\xc7\x05\xab\x0b\x08\x61\xe4\xb0\x47\x2d\x55\xa4\x62\x59\xcd\x5b\xe7\xc9\x9a\xce\x7e\x7f\x89\xbd\x3c\x48\x0f\xb8\x9a\x5a\x32\x9b\x8a\x1e\xac\xcf\xf3\xce\xda\x4d\xce\xab\xf9\x49\xbb\xc9\xe4\x61\xe3\xb4\x49\xa7\xbd\x45\xd1\x9c\x13\x4c\x18\x70\x62\x97\x93\x3e\x88\xfc\x02\x80\x41\xe4\x17\x00\x0c\x00\x0c\x00\xac\x87\x00\x58\x17\x29\x24\x74\x0d\x00\x43\xea\x3e\x00\x18\x00\x18\x00\x18\x00\x18\x44\x7e\x91\x5b\x7c\xf7\xf0\xaa\xae\xcf\x2d\xde\x92\x22\xbf\xeb\xf4\xbd\x22\x42\xea\x32\x5d\xe2\x11\x52\xe7\x29\x4b\x67\x03\x23\xa4\x5c\x24\x2a\x65\x92\xa8\x54\x00\x31\x6a\x49\xec\x54\x21\x3c\x76\x6a\x9a\x65\x9c\x78\x28\xd1\x25\x2b\x2b\xd3\xd5\x5b\x33\x7c\x2a\xa0\xaf\x14\xff\x71\xf2\xc7\x6c\x31\x4b\x0f\x38\x90\xa8\x1d\x15\x47\x6c\x26\x53\x13\x08\xec\x39\x7a\x96\x16\xab\x44\x83\x67\x69\xba\x15\xcf\x12\x52\x75\x90\x12\x6e\x52\x4a\xf8\xa3\x11\xba\x22\x2c\xcc\x3c\x5d\xe0\x16\xe6\x2c\xb5\x68\x56\xd2\x55\x21\x30\xfc\x0c\x2d\x38\x02\xc3\xad\x6b\xfd\x9a\x90\x1d\x5e\xa4\xcb\x2e\xd9\xe1\xd6\x35\x7f\xa7\x62\xc4\x8d\x99\xc6\x0d\x5b\xc2\x1a\x5b\x9a\xfc\xb1\x51\x7f\xd3\x38\xe2\xab\x50\x1c\x64\x26\xa7\xc4\xd1\xb5\x66\xd2\x4f\xb7\xb8\x33\x06\x13\x3a\xc6\x80\xd0\x80\xd0\x80\xd0\x80\xd0\xd0\x31\x86\x8e\x31\x74\x8c\xa1\x63\x0c\x67\x08\x9c\x21\x70\x86\xc0\x19\x02\x67\x48\x4b\x9c\x21\xd0\x31\x86\x8e\x31\x74\x8c\xa1\x63\x0c\x5f\x23\x7c\x8d\x3d\xa4\x63\xdc\x29\xa7\xdd\x16\x54\xe2\x61\x7f\x17\xa1\x87\x45\x7e\x40\x8d\x80\xf3\xd8\x7a\x7a\x8c\x7d\x31\xc2\xfe\x20\x52\x5d\x0b\xf0\xb5\x05\xb9\xe2\x5d\x77\x0b\x7f\x71\xf2\xe1\x82\x5c\x71\xd7\x00\x9c\x9c\x9f\xb3\x70\x63\x0b\x8b\xfe\xd5\x34\x34\x51\xd3\xd0\x44\x23\x0d\x65\xcb\xf4\x8c\x98\xb4\x17\xe8\x3c\x9f\xb4\xb3\x34\x4d\x99\x26\x26\xad\xeb\x3e\x1b\x71\x33\xb3\x9f\x5e\xa2\x73\x8d\xea\xa9\x04\xc9\x4c\xab\x45\x79\x59\x29\x19\x1f\x33\x9d\xfd\xe1\xeb\xd9\x6f\x0f\xd6\x53\x5b\x19\x0e\x57\x5b\xc9\x88\xc6\x92\xe9\x7a\xa2\x2b\x2e\x91\x67\xe7\x14\xe4\x62\x20\x17\x03\xb9\x18\x70\x83\xc1\x0d\x06\x37\x18\xdc\x60\x5d\xe3\x06\xeb\x1e\x2f\x0f\xdc\x0f\x70\x3f\xc0\xfd\x00\xf7\x03\xdc\x0f\x3d\xed\x7e\x00\x1f\x05\x1f\xed\x51\x3e\xba\x25\x73\x31\x72\x74\x56\xe0\xb1\x49\x3a\xc5\xf1\xd8\x51\x3a\x4c\x07\x1b\x57\xab\x35\xf1\x50\x4b\x12\x2f\x94\x70\x86\x3b\xcb\xa6\x37\x20\x5a\x6b\x76\xae\x56\xbb\x36\xfe\x1f\x76\xd4\x23\x69\xaf\xb6\x13\x30\xdc\xd0\x6c\xbf\xf8\xeb\xe6\x60\x33\x41\xb9\xce\xd0\x0c\x4d\x55\xa5\x5b\xec\xa7\xf4\x86\x1f\x17\xc2\xe7\x90\x5b\xd1\x64\x6e\xc5\x3f\xf4\xd1\xb4\xb0\x18\x27\xe8\x18\xb7\x18\x07\xa9\x99\x29\x48\x73\x22\x91\x22\x43\xa7\x9d\x44\x8a\x26\x9b\xca\x8a\xac\x89\x29\x9a\x74\x65\x4d\x34\xd9\xd6\x9d\xa6\x48\x34\x66\xc4\x6a\x2c\x52\x13\x56\x2d\xf9\xee\xd1\x7a\x46\x2c\xe6\x9b\x2a\xe1\x36\x68\x27\xc4\x11\x41\x06\xcd\x2f\x49\xa2\x7d\xa6\x0d\x89\x11\x20\xc2\x20\xc2\x20\xc2\x20\xc2\x48\x8c\x40\x62\x04\x12\x23\x90\x18\x01\xcf\x04\x3c\x13\xf0\x4c\xc0\x33\x01\xcf\x04\x12\x23\x90\x18\x81\xc4\x08\x24\x46\xc0\xf1\x07\xc7\x5f\x17\x3a\xfe\xba\x3a\x31\xa2\x31\x1e\xdd\x80\xcf\x2c\x94\x50\x6f\xc5\xd4\x88\x7f\xd9\x4f\x4f\x9a\xa5\x13\xca\x8a\x26\x17\x14\xc3\x2e\xf9\x45\xe8\xb3\xaf\x45\xd8\xcb\x11\x7a\x6d\xd5\x61\x36\x6d\x0f\x4c\x97\x78\xb2\x20\x57\x26\xbd\x27\x99\x7c\x1d\x89\x13\xfe\x89\x13\x5f\x1c\xa2\x83\xd6\x33\x29\xeb\x63\xeb\x69\xf1\x5e\x07\x25\x49\xe4\x25\x79\xd5\xd8\x22\x57\x74\xf6\xaf\x87\xd8\x2f\x0e\xd0\x3d\xc6\x69\x4b\xeb\xe9\xe8\x9a\xb9\xfb\x28\xe5\x95\x75\x25\xbf\x26\x15\xdd\x2e\x78\xc9\xde\xe9\x4f\xf3\x06\x16\xe4\x4a\xca\xb5\x9a\x9b\xb0\xd7\x81\x09\xde\x4a\xc2\xe1\xec\x1e\x70\xaa\x96\x65\x9b\xd5\xe8\x15\x59\xca\xa7\x92\x71\x7e\xc2\x64\xb9\xac\x2f\xba\x9c\xc2\xf6\x55\x8c\x31\xe8\xf2\x6c\x8a\xec\x4d\x9a\x17\xcf\x7e\x8e\xce\xf0\x67\x3f\x49\xa7\xe8\xc4\xff\xcf\xde\xbf\x87\xb9\x71\x9e\xf7\xdd\xf8\xb5\x07\x49\xe4\x2d\x59\x87\x47\x92\x65\x41\x94\x04\x81\xd2\x1e\xc0\x5d\xec\x62\x79\x58\x72\x79\x5c\xec\x81\x5c\x70\x49\xae\xb8\x24\x65\xc9\x12\xe9\x59\x60\x16\x04\x89\xc5\xc0\x18\xec\x52\x6c\x7f\xba\x7e\xb6\x15\xbf\xb1\x9b\xb4\x75\xd3\x24\x75\x53\xd7\x71\x9c\xd6\xb1\x53\xbd\xb6\x63\xbb\x71\xae\xb8\x75\xdd\x37\x3e\xc8\x51\xea\x38\x7d\x9b\xb8\x3e\xc4\x6f\xea\x26\xb1\x9d\xbc\x49\x9a\x34\xa9\x5d\x27\x6d\xde\x6b\x9e\xe7\x99\x13\x30\x83\x01\xb0\x00\x16\x4b\x7c\xff\xe1\xb5\xc4\xcc\x3c\x33\xf3\xcc\x33\xf7\x3c\xcf\xe7\xfe\xde\xf7\xdd\xc0\xb3\xe7\xea\x87\x39\x63\x45\x1e\x68\xd4\xce\x04\x1b\xaa\x28\x1b\x32\x03\xb6\x0a\x05\x5d\xba\xc4\xac\x8e\x75\x9a\x2c\xba\xb6\xdb\xdb\x46\xde\xc5\x88\xdf\x27\x57\x1c\xa0\x84\x2d\xa2\x46\x50\xc2\x16\x3e\x42\xf8\x08\xe1\x23\xec\x22\x1f\x21\x4a\xd8\xa2\x84\x2d\x7c\x33\xf0\xcd\xc0\x37\x03\xdf\x4c\x47\xf8\x66\xb6\x21\x39\x42\x91\x5c\xf0\x6e\x14\xc9\xdd\x3e\x81\x2e\xec\xab\x43\x74\xa0\x1e\xaa\xa8\x16\x72\xda\x4d\xe3\x13\xaf\xb3\xf7\x0e\xb1\x8f\x38\xb0\xe2\x46\x8d\x58\xd1\x6a\xa1\x49\x5c\x71\xb7\x37\x57\xb4\x4e\x03\xb0\xe8\x0d\x16\xcf\x06\x83\xc5\x3d\x6c\xd8\x03\x2c\x5a\x3d\x0b\xb2\x08\xb2\x08\xb2\x08\xb2\x08\xb2\x08\xb2\x08\xb2\x08\xb2\x08\xb2\x08\xb2\x08\xb2\x08\xb2\x08\xb2\x08\xb2\x08\xb2\x08\xb2\x08\xb2\xd8\xcd\x64\xf1\x7d\xbb\xe8\xbc\x24\x8b\x76\x1a\xf1\xb1\x0d\xdf\xac\xce\x57\xad\xd4\xe2\x05\x2d\xad\x58\xa9\xc5\xe5\x4e\x2f\x8d\xe9\x5c\x04\xcc\xbe\xf8\x08\xfb\x62\x1f\xdd\xed\xaa\x82\x19\x0f\xed\x2b\xaa\x4a\x3a\x2c\x76\x31\x1f\x80\xfd\xbd\xf7\x2b\x84\x79\xd0\x38\xca\x59\x06\x33\xb8\x50\xb0\x90\x22\x37\x37\xc9\x43\x72\x8d\xce\x0b\xfc\x77\x9a\x16\x38\xfe\x9b\xa1\x69\x3a\x5e\x5b\x69\xd3\xc6\xab\x9a\xae\x04\x03\xc0\xe3\xec\x68\xad\x25\x4a\x3d\x93\xc6\x5f\x7b\xd4\x1b\x0a\xde\xce\xfa\x33\x6a\x89\x42\xbf\xb2\xb3\xe2\x49\x4e\x16\xd5\x42\x4e\x49\xa9\x75\x3f\xcc\xc3\xf2\xc0\xad\x7f\x9e\x89\x8b\xb4\x4c\x4f\x97\xe5\x23\xda\xfc\x03\x45\x0c\x3b\xb2\x13\x35\x98\x9d\xe8\x0b\x3d\x2d\xb1\x30\xcf\x88\x5c\x45\x4b\x74\xd6\xce\x55\xd4\x16\xd3\xe5\x6f\x56\x0a\xeb\x25\xaa\xd1\xb2\x05\xd8\xae\xea\x86\x2f\xf1\x85\xbb\x2a\x4c\xd7\x89\x82\x52\x34\x96\xff\xc6\x92\x99\x7f\x4a\xeb\xb6\x61\x87\x0a\xdc\x97\xb5\xa5\x16\xec\x91\xf2\x86\x46\xf9\x45\xed\xe1\x41\x13\xbb\x9c\x1b\xd7\xd4\x62\x46\x75\x6e\x1d\x70\x6e\xe5\x61\x1d\x6a\x26\x9b\x1a\xad\xd8\xcf\xd5\x8a\xf1\xf7\x4d\xb9\xd5\xb8\xca\xc4\x59\x5a\xa4\x64\x99\xf5\x9c\xa2\x83\x0d\x78\xc3\x96\xb8\x0f\x02\x66\x33\xc0\x6c\x7e\xb4\x8f\x5e\xe9\x63\x1f\xee\x0b\x7d\xd0\x72\xca\xbd\xdc\xd7\x3d\x66\xb3\x0c\xdb\x18\xfd\xcc\xdd\x10\x1c\x2d\x1a\x83\xd3\x76\x46\x0e\xf9\x0c\xdc\x61\xce\xe3\x85\xd7\x4a\xc9\xf1\x23\xf3\x5a\x7e\x54\x1c\xcd\xf7\xe0\x5e\x4b\x3d\x3c\x94\xd4\xb5\xfc\x92\xf0\xca\x9d\x31\x5e\x0b\xf9\xf7\xb2\xf9\xb2\xd8\x3f\x0e\xfb\xdb\xf3\xc4\x97\x7b\xe8\xb5\x1e\xf6\x6a\x4f\xe8\xf3\xd6\x7a\xe0\x43\x3d\xf3\x9a\xb1\xbc\xcd\xea\xe1\x8c\xc6\xbb\x5d\x0b\x47\x56\x8d\x9f\x22\xe1\x69\xd7\x5d\xf0\x95\x9e\xc8\x1b\xb2\xae\xdb\xfe\x87\x51\x25\xc5\x6f\x9c\x7b\x75\x72\xd9\x94\x0c\x08\x56\x73\x69\x3d\xac\xdd\x90\x7d\x2a\xbc\x1e\x05\x55\x2b\xe4\xd4\x58\x58\x9c\x91\xbb\x51\xcd\x67\xc9\x57\x5c\x9e\x1d\x60\x9d\x3e\x72\x1b\xbf\x2c\x97\x4b\x70\x6b\x66\xc0\x8f\x7b\x7f\x46\x76\xb0\xdb\xf9\x25\xd7\xfa\x21\xd9\x44\x61\xff\x38\x25\x67\x29\xc1\x4e\x44\x8e\x59\x28\x66\x37\x7f\xcf\xe4\x4b\xef\xd3\x42\xa4\xdf\xd8\xc9\x89\x5b\xb6\x1f\xd0\x61\x9f\x7d\x81\xc6\x82\x2b\x01\x8d\xa5\x72\xeb\x7a\xc9\x30\x96\x39\x55\x67\x3f\xfe\x02\xfb\xf0\x00\x3d\xe0\x95\xde\x2f\xa8\xd0\xcf\x8c\x68\xe7\xbc\x96\x53\xa3\x11\x9f\x42\x3f\x8e\x7d\x3a\x5c\x32\x82\xca\x3e\x50\x52\xa0\xb2\x0f\x94\x14\x50\x52\x40\x49\xd1\x45\x4a\x8a\x0e\x4a\x53\xd8\x31\x4a\x0a\xe4\xcf\x83\x92\x02\x4a\x0a\x28\x29\xa0\xa4\x40\x65\x1f\x24\xf8\xba\x75\x64\x09\x1d\x9f\xe0\x6b\x5b\x56\xf6\xb9\x4c\x33\x82\x34\x1e\xa1\x29\x4e\x1a\xf7\xd1\x04\x8d\x07\x15\xc4\x88\x39\xc8\x50\x53\x8a\xfa\xa4\x83\xc9\xe2\x34\x3b\x5e\x63\xf9\x0b\xc7\xc5\xb9\xd8\x62\xe4\xa7\x76\xfa\xb0\x32\xbb\x94\x8f\x13\x8b\x3d\xe9\x5b\xca\xa7\x15\x60\x4c\x70\xac\x04\x9d\xa0\x63\x65\xde\x9e\x18\x8d\xd4\xf3\x40\xe0\xe1\x81\x63\xbc\x41\xc7\xf8\x77\x7a\x68\x4e\x54\xc9\x39\x46\x47\x1c\x55\x72\xc6\xa9\xce\x31\xe8\x6b\x10\xe8\xb8\x30\x37\x07\xe9\x00\x37\x37\xf5\xb7\x3c\x2b\xbc\xec\x47\xe9\xb0\xed\x65\xaf\xbb\x95\x5a\xeb\xf4\xb4\xc5\x2e\x45\xff\x72\xc4\xc7\x2e\x79\x57\xe7\x71\xda\xa8\x98\x6f\x75\x1e\xbb\x30\x4f\xeb\xac\x15\xca\xf1\x00\xe3\x02\xe3\x02\xe3\x02\xe3\xa2\x1c\x0f\xca\xf1\xa0\x1c\x0f\xca\xf1\xc0\x9d\x00\x77\x02\xdc\x09\x70\x27\xc0\x9d\xd0\x14\x77\x02\xca\xf1\xa0\x1c\x0f\xca\xf1\xa0\x1c\x0f\xbc\x75\xf0\xd6\x6d\xf3\x72\x3c\xb5\xa1\x64\x8f\x28\xac\x7a\xb0\x72\x3d\x45\x7f\x9a\x2f\x61\xff\xc4\x30\x4d\xba\xb3\x27\xfa\x04\x37\x17\x55\x0e\x98\x0d\xcb\x22\xe3\x99\xd9\xf7\x87\xd8\x77\x7a\xed\xf4\x89\x8f\xf2\x08\x66\xf7\xb2\xf4\xbc\x38\x6a\x59\x2d\x45\x1f\xe3\xa1\xca\x65\x49\x0e\xed\xed\x4d\x0e\x48\x7e\xd6\xdf\x9d\x71\x4c\x8c\xa1\x49\xda\xcf\xc7\xd0\x18\x8d\xd2\x1e\xff\x38\x8d\x42\x41\x37\x46\x8c\x7d\xa1\xc1\x11\x7c\x19\xb5\x44\x0d\x27\x27\xb4\x4f\xe4\x72\x38\x84\x3e\xb6\xc3\xee\xe9\xb0\x19\x61\xec\xdb\xd9\x4f\x98\xa1\xc4\x6d\xea\xef\x04\x4f\xf7\x58\xe6\x04\xad\xaf\x5f\x41\xd4\xe0\x03\x6d\xd0\x07\xfa\xbe\x9e\xcd\xbe\xd4\x42\x52\x11\xe7\x92\x0a\xcb\x45\x59\x77\x23\x9b\x0c\xfa\xad\xcd\x64\x54\x35\x13\x4e\x7b\x12\x7d\xfb\xbd\xb6\xc9\xb8\x5f\xce\x67\x15\xa7\x95\x90\x93\xd2\xb6\x19\x89\xd6\xf8\x1e\x61\x37\x02\xec\x06\xf8\x77\x5b\xf8\x37\xc0\x07\xc0\x07\xc0\x47\xab\xc0\x47\xf2\xd3\x3d\x4d\x5e\xfd\x9d\x17\xb2\xa9\xd3\xb4\xe0\x90\x4d\xb5\x78\x45\xd9\xe4\x55\xc1\xb5\xb0\xf7\x8c\x62\x27\xbb\x43\x74\x3b\x25\xfe\xf0\x4e\x7b\x12\x30\x5c\x91\xde\xc3\x77\x01\xf1\x78\xc1\x2b\x27\x7d\x2b\x66\x06\xc8\xd6\xd1\x6d\xf3\x11\x64\xeb\x40\xb6\x8e\x2d\xce\xd6\xf1\xec\xa6\x17\x8c\x9b\xce\xcc\xd1\xe4\x4f\x41\x72\x92\xf6\xb3\xbd\x91\xb8\x95\x3f\xe3\xf5\xce\x2c\x1c\xf6\x41\xb7\x44\xe2\x8d\x1f\x1d\xa4\x5d\x82\x5a\xae\xf0\x5a\x2f\x66\x31\xef\x54\x51\xcb\x5f\xd3\x56\x74\xf6\x87\x03\xec\xeb\x7d\xf4\x3a\xbe\xd5\x2a\xe5\xfd\x54\x40\x7a\x8d\xa2\x96\x4f\x6a\x2b\xd1\x41\x63\xb7\x84\xb1\x8b\xac\xe7\x2d\x37\xcc\x6b\xc5\xe9\x5c\xce\xfa\x18\x36\x2f\x61\x55\x8b\x4a\xb2\xbc\x59\x08\xc3\xc7\xb9\x30\xdc\x18\xe3\x07\x68\x1f\x4d\xf8\x8e\x71\xde\x57\x31\xd9\x57\x31\x79\xcf\x35\x45\x8a\x3c\x1d\x3c\x92\x63\x6c\x44\x8e\x64\x7e\x1a\x13\x83\x8b\x93\x54\x96\xa4\x0f\x0a\x3e\x41\x15\x16\xe4\x0e\x41\x15\x16\x88\xce\x21\x3a\x87\xe8\xbc\x8b\x44\xe7\xa8\xc2\x82\x2a\x2c\x10\xfb\x42\xec\x0b\xb1\x2f\xc4\xbe\x1d\x21\xf6\x45\x8d\x14\xd4\x48\xd9\x2e\xf2\x46\xd4\x48\x69\x45\x8d\x94\x9f\x8f\xd2\x7e\x41\xe2\xf2\x6a\xe9\x86\x56\xbc\x6e\xcc\xd6\xac\xd4\xb7\x82\xca\x65\xf3\x99\xa2\xaa\xeb\xa9\x9c\xa2\xeb\xaa\xa5\x1e\xfc\xde\x30\x7b\x4f\x1f\x31\xfb\x30\x8b\xd3\x3d\xee\x21\x24\x5c\x10\x6d\xcc\x18\x6d\x44\x9f\x30\x76\x38\x6b\x1d\x28\x31\x9d\x73\x97\x26\xab\x09\x57\xe9\xb4\x40\x69\xb3\x94\xe0\x28\xed\x08\x55\xf1\x10\xc5\x1c\x5d\x61\xf2\x34\xe7\xc5\x6d\x42\x27\xc4\xa5\x85\x75\xe5\x74\xae\x78\x2c\x92\xbd\xb9\x2e\xa8\x02\xc0\x85\xfe\x7a\x87\xe7\xa3\x89\x78\x2b\x0f\x5d\x4f\xe7\x49\xb9\x4f\x1b\x1f\x50\xbd\x3e\xbc\xa0\x27\x04\x1f\x1e\xb4\x88\x0d\x6a\x11\x7f\xa5\xa7\xb9\xb6\x62\x49\x08\x13\x17\xe8\xa4\x2d\x4c\xdc\x2a\xeb\x53\x47\x69\x92\x4d\x59\x9f\xe8\x2f\xdc\xeb\x69\x7d\x5e\x6f\x8a\x18\xf3\x6e\x8b\xb3\x5b\xfc\xde\x4e\x83\x03\x29\x23\xa4\x8c\x90\x32\x42\xca\x08\x29\x23\xa4\x8c\xdd\x29\x65\x6c\xc3\x3c\xa0\x06\x79\xe3\x3f\xb9\xcb\x73\xa6\xb0\x27\x40\xe9\xe8\x9a\x3e\x44\xb8\x22\xa7\x4d\xb3\x07\xc8\x1d\xbb\x6d\xce\x02\xb9\x23\xe4\x8e\x5b\x2c\x77\x6c\x33\xbf\x6a\x6e\x55\xb2\xc6\xbe\x1d\xc9\x43\x34\xc9\xf6\x47\xf6\x5a\xb2\xc6\x37\x38\xf5\x90\xce\x63\x2b\x15\x91\x4d\xd7\x2b\x7e\x73\x0f\x9d\x14\x94\x54\x4c\x27\x2c\x34\xea\x13\x6c\x5d\xd0\xd2\xe9\xac\x5e\x5c\xe7\x23\x7e\x65\x3d\x9d\x71\x44\x5d\xbf\x7b\x0f\xfb\x85\x3e\xba\x5b\x34\x64\x7d\xf0\x06\x3c\x98\xe9\x92\x96\x9e\xb5\x5a\x49\xf0\x56\xa2\x31\x63\x3f\x31\x23\x91\x9f\x39\x5b\xdd\xef\xb1\x7f\x93\x39\x6a\x96\xce\x8a\x71\x78\x92\xe6\xf8\x38\x3c\x4e\x47\xe9\xb0\xef\x38\x94\xd3\x45\x73\x0c\x7a\x5c\xdf\x66\x51\xea\xe5\xe0\x81\x78\x98\x1d\x92\x03\x51\x5c\x8e\x1c\x7d\x5e\x17\x53\x89\x51\xdf\xbd\xb3\xe2\x49\x0d\x7b\x23\x54\xaf\x87\x15\x97\xbb\x6e\xd5\xf3\x4a\x3c\x4d\xc6\xab\xe0\x9e\x2b\x6c\xee\x81\x61\xba\x00\xb2\xda\x20\x59\xfd\x4c\x8f\x7f\x4e\x87\x66\x9b\x95\x65\x41\x5d\x17\x29\x69\x53\xd7\xcd\x36\x5a\x23\x5f\x6d\xb1\x49\x8a\x7e\xfc\xde\x0a\x93\xb4\xcb\x0a\x0e\xf7\xb2\x42\xe3\x62\xeb\x96\x19\x21\xa0\x56\xa0\x56\xa0\x56\xa0\x56\xa0\x56\xa0\xd6\x46\x50\xab\xef\xa4\xa1\xe3\x19\xac\x39\x63\x08\xc4\xa0\x35\x4e\x1a\x2a\x26\x03\xb5\xce\x22\x12\x1f\xbc\xab\x62\xd2\x30\x11\x80\x58\xbd\xa6\x12\x63\x7c\xfd\xbf\x15\x33\x09\x60\xd7\x6e\x9b\xbf\x00\xbb\x02\xbb\x6e\x31\x76\x6d\x3f\xee\x0a\x24\xaf\x2d\x5e\x5d\x26\x4f\xd0\x31\x76\x24\x32\x65\x51\xd7\xc7\x9d\xd4\xd5\xa3\x89\x5b\x22\x1c\xfd\xc7\x86\x28\x2e\xf0\xae\x5e\xd2\x8a\x4a\x46\x2d\x57\xc0\x72\xdd\xac\xb9\x51\xea\x60\xd9\x6f\x0f\xb2\x2f\xf5\xd3\x3d\xf2\x57\xeb\xbb\xfa\xa2\x0c\xef\xc8\xa7\xb3\x1b\xd9\xf4\xba\x92\x73\x0a\x7f\x15\x2b\x94\x6a\x59\x1c\xc6\x09\x76\xcc\x31\xdf\x9f\xb2\x56\x0a\x83\xbc\xa1\x41\x3b\x86\xd4\x15\x14\xa8\x15\x54\x6b\x19\xa7\x97\x54\x25\x1d\x8b\xee\xe6\x07\xc8\x86\xe5\xe7\xd9\x79\x9a\xc5\xac\xde\xbc\x2f\x72\x8b\x82\xde\xaf\x0b\xc1\xdc\x38\x17\xcc\x19\xaf\x1c\x4f\x4c\xd9\xc0\x57\x96\xeb\xae\xe7\x36\xd4\x7c\xf0\x4b\xb7\xdb\xfb\xa5\xbb\x8b\x11\xbf\x30\x51\x2e\xf1\x4a\xf0\x8b\x77\x84\x4d\xc9\x17\xcf\x3d\x8c\xe4\x0b\xe8\x7c\x14\x1e\x6f\x1e\x42\xe2\x11\x12\x8f\x90\x78\x84\xc4\x23\x24\x1e\x21\xf1\x08\x89\x47\x48\x3c\x42\xe2\x11\x12\x8f\x90\x78\x84\xc4\x23\x24\x1e\x21\xf1\x08\x89\x47\x48\x3c\x42\xe2\xdb\x14\x12\xff\xd7\xbd\xf4\xb0\xa0\x81\xea\x8b\x25\x35\xcf\x1f\x95\x45\x02\xd9\xef\xf6\xb2\xaf\xf7\x12\xb3\x37\x59\xe0\xef\xa1\x8c\x5a\x72\x7f\x68\xc5\x2d\x44\xc3\x19\xb5\x34\x67\xed\x2f\xc1\xdc\xf4\xd2\x82\xb9\xb8\x6b\x62\x74\x42\x45\x43\x53\x15\x0d\x4d\xd5\xd2\x50\xb2\x40\x17\x05\x87\x3b\x4b\x8b\x9c\xc3\xcd\xd3\x2c\x25\x1a\xe0\x70\x8e\xfb\xac\x25\x19\x25\xfb\xb7\x97\xe9\x80\xe8\xfd\xd5\x9c\x76\xc3\xf8\x14\x16\xb5\x5c\xcc\x42\x2b\xe5\x64\xd6\xd8\x49\x4f\x5d\x55\xd7\x14\x9d\xbd\xfd\x32\xfb\xd2\x00\xed\x72\x1c\x37\x6d\x1e\x66\x3d\xa4\xa1\xea\x39\x44\xe7\x73\xda\x8d\x65\xde\x5c\x74\xd8\xd8\x73\xde\xa3\x2d\xf9\x00\xed\x5d\x3b\x9c\xa9\x26\x40\x16\x41\x16\x13\x20\x8b\x20\x8b\x20\x8b\x20\x8b\x5d\x43\x16\x9b\x5e\xcf\xbe\x61\xb2\x88\xca\xfa\x20\x8b\x20\x8b\x20\x8b\x20\x8b\x5d\x4d\x16\x51\xfa\x1b\x20\xb0\x5b\x4b\x7f\x27\xb6\x21\x08\xac\x57\xfe\xe9\xe4\x55\xa6\x06\xd4\x86\x44\x35\x55\x62\x09\x28\x9b\x72\xed\x7a\xb0\x08\xed\x14\x9b\x97\x22\xb4\x6a\xfc\x4c\x4a\xd2\xec\xcb\xab\x14\xa4\x45\x7e\x67\x67\x00\x4b\xbb\x5f\x7c\xb1\xc2\x8a\x13\x9b\xed\x11\x3f\xb6\x17\x9c\x09\xce\x75\x86\x4e\xd3\x42\x99\x44\xff\x10\x4d\x36\xf8\xc0\xa0\xd0\x47\xa4\x73\x83\x91\xce\xef\xec\xa5\xa4\xb0\x1c\x33\x34\xcd\x2d\xc7\x61\x6a\x7c\x20\xd2\x39\x11\xcc\x7c\x8a\xe6\xed\x60\xe6\x4d\x35\xb8\x24\x42\x9d\x16\xe8\xa4\x23\xd4\x69\x53\x2d\x36\x6e\xd8\x0a\x5a\xbb\x0d\x5b\xf4\x5d\xa3\x01\x86\xed\x71\x19\x0d\xe7\x08\x2d\xd4\x56\x9d\x46\x6e\xbf\xd8\xa1\x8a\x91\x9b\xb1\x0e\x6d\x99\xb9\x6b\x4d\x5c\x35\x38\x31\x38\x31\x38\x31\x38\x71\xf7\x70\x62\xcc\xf3\x02\xe6\x79\x9d\x03\xd2\x91\xd3\xa2\x2d\x39\x2d\xe0\xaf\x80\xbf\x02\xfe\x0a\xf8\x2b\xe0\xaf\xe8\x6a\x7f\x05\x52\x1b\x21\xb5\x11\x52\x1b\xb5\x2a\xb5\x11\xdc\x81\x70\x07\x76\xab\x3b\x30\x99\x69\x72\xf2\xae\x20\xfe\x1c\xf5\xe6\xcf\xf7\xb3\xfb\xc4\xdb\x6c\x5b\xda\xf6\xb2\xe8\xe6\xe7\x32\x79\x4f\x1f\x0d\x09\xfd\x7c\x71\x45\x49\xc5\xcc\xae\xe0\x4f\xb2\x5c\x3c\xcf\xfe\xb8\x97\x7d\xb7\x97\x1e\x36\xf6\x9c\x76\xee\x18\x1c\xd3\x30\x98\x51\x4b\xe7\xcb\x0f\xdb\x2e\xa1\x0d\xbe\x19\xe5\x5a\x13\xf3\x60\x86\x36\xbc\x7b\x88\x62\xc1\x8f\x46\x26\x9b\x29\x6a\x39\x55\x67\xbf\x3b\xc8\x7e\xab\x9f\x1e\xf0\x7a\x40\xa1\x42\x6d\x89\x66\xce\x6b\xc6\xaa\xa3\x29\x09\x66\xc6\xf9\x01\x1e\x8f\xdd\x38\x87\x71\xa7\xf3\x5a\x71\x3a\x97\xb3\x52\xc2\x35\xef\xe9\xb7\x2c\xdb\x8c\xef\x50\x68\x7a\x1a\x9a\xba\xb2\xcd\xbc\x10\x6c\x83\xa6\xd8\x41\x69\x83\x7c\x47\x93\x34\x40\xc6\xd3\x71\x9a\x1e\xe4\x9a\x41\x44\x08\x72\xcd\xc0\xd3\x07\x4f\x1f\x3c\x7d\xdd\xe4\xe9\x43\xae\x19\xe4\x9a\x81\x87\x05\x1e\x16\x78\x58\xe0\x61\xe9\x08\x0f\x0b\x72\xcd\x20\xd7\xcc\x76\x61\xca\xc8\x35\xd3\x8a\x5c\x33\xff\x6b\x80\x42\x02\x09\x2a\x85\x82\x3e\xb6\x11\x1f\xd3\x4b\x4a\x49\x5d\x5d\xcf\x19\x2f\x29\xfb\xd6\x00\xfb\x8f\x7d\x74\x87\xb1\xed\xca\x46\x3c\x34\x5c\x3d\x79\xc9\xb2\x3c\x74\x59\x2d\x45\x9f\x32\x76\x9d\x2e\x14\xf4\x4b\x71\xc7\xcf\xdb\x8d\xcf\x5d\xa6\x19\x81\xe1\x8e\xd0\x14\xc7\x70\xfb\x68\x82\xc6\x7d\x45\xea\x46\x3f\x99\x4e\x01\x79\xc7\x4d\x09\xbb\x39\x17\x4c\xe3\x46\x58\x54\xd2\x38\xe3\x22\xac\x8c\xcf\xd6\x75\x80\xbf\x81\xbf\x81\xbf\x81\xbf\x81\xbf\x81\xbf\x81\xbf\x81\xbf\x81\xbf\x81\xbf\x81\xbf\x81\xbf\x81\xbf\x81\xbf\x81\xbf\x81\xbf\x81\xbf\x6d\x09\x7f\xfb\xbd\x5e\x7a\x48\xf0\xb7\x74\x56\x4f\x69\x86\xd1\x33\x95\x78\xec\x73\xbd\xec\xdf\xf7\xd2\x4e\x6b\x43\x28\x94\xe1\xca\xf7\x55\xad\xb8\x66\x75\xa2\x12\xe6\xd8\x27\xfa\x40\x46\x2d\xcd\x9a\x7b\x4e\x2f\x2d\x9c\x34\x7e\xed\x40\xf1\x63\x7d\x39\x6d\xaa\x6b\x1c\xf9\x3d\x06\x26\x74\xfe\xa7\xc3\x94\xf4\xe9\x62\x77\x79\x3d\xab\xd6\x9f\x3e\xf6\x77\xad\xbf\x5f\x1a\x53\xf3\xe9\x82\x96\xcd\x97\xf4\x5c\x36\xa5\xea\xec\xd7\x87\xd8\x37\xfb\xe9\x3e\xab\x2d\x4b\xaa\x7a\xb3\x36\x39\xe4\x9c\x6c\x6e\xd9\x68\xae\xa9\xba\x48\xeb\xf1\x57\x54\xc6\x75\x9d\x73\x7b\x54\xe1\xeb\x50\x5d\xe4\x4a\x30\x89\x3d\xce\x8e\x4a\x12\x5b\x3e\xde\x24\x95\x75\x3d\x0d\x14\xe2\x03\x9c\x05\x9c\x05\x9c\x05\x9c\x05\x9c\x05\x9c\x05\x9c\x05\x9c\x05\x9c\x05\x9c\x05\x9c\x05\x9c\xdd\x72\x38\xfb\x66\xba\xcc\x9e\x8f\x3c\xb7\xa3\x87\xf5\x17\x94\xd2\xd5\xd0\x94\x3c\xb3\xc8\x27\x6a\x4c\x70\xd6\x4b\x57\xc3\x7a\x4a\x2b\xa8\x23\x61\x7d\x3d\x75\xd5\xe8\x7d\x3e\x83\x55\x95\x35\x01\x93\x0a\x45\x8d\xdf\x69\x64\xa7\x05\x14\xa2\xd2\xbc\xbf\x07\xf8\x17\xf8\x17\xf8\xb7\xbb\xf1\xef\x8f\x45\x29\x21\xd8\x64\x5e\x2d\xdd\xd0\x8a\xd7\x8d\xf9\xa0\x1d\x89\xed\x43\x24\xb3\xf9\x4c\x51\xd5\x75\xf3\xd7\x97\xd8\xe7\x86\xd9\x0f\x7b\xe9\x75\x76\x1b\x57\x36\xe2\xa1\x50\x51\x55\xd2\x65\x2b\xde\x05\x71\x64\xf4\x09\x63\xdb\x59\x6b\xf7\x4b\x0e\x56\x28\x77\x69\x6e\xae\xd8\xe4\xf3\x34\x2d\xb8\xdd\x14\x1d\xe4\xdc\x6e\x82\xc6\x29\xe6\x2b\xa4\x74\xf4\xc6\x46\x3c\x26\x2f\x29\x50\x46\xf9\xc6\x60\x38\xb7\x9f\xed\x95\x70\xae\xa2\xc3\x25\x9d\x33\x4f\xe6\xd4\x4b\x5e\x7b\xd4\x9b\x0d\xde\xce\xfa\x33\x6a\x89\x42\x5f\xda\x51\xde\xf9\x8f\x16\xd5\x42\x4e\x49\xa9\x3e\xfd\xff\xa4\xdc\xdc\xc6\x47\x90\x98\xa5\x04\x9d\x28\xcb\x4e\x5e\xf7\x33\x40\xb2\x4a\x24\x25\x6f\x30\x29\xf9\xbf\xe8\x69\x86\x0d\x98\x17\xb9\xc8\x8f\xd3\x51\x3b\x17\x79\x2b\x6c\x89\xff\x1b\x5f\x58\x2f\x51\xeb\x4c\x4d\xf4\x1f\xdf\x5b\x6e\x4b\x64\x8a\x18\x63\x98\x9b\xf6\x63\xb7\xf8\xa9\x9d\xe6\xa3\x35\xd9\xbe\x61\x4e\x02\xcc\x09\x32\xce\xb6\x25\xe3\x2c\x52\x0d\x22\xd5\x20\x52\x0d\xb6\x2a\xd5\x60\xf2\xd3\x3d\x4d\xce\xb7\x76\x5e\x54\x10\x39\x4d\x0b\x8e\x0a\x22\x2d\xce\xe1\x16\xf6\x9e\x12\xec\x64\x77\x88\x6e\xaa\x75\x56\xe0\xfc\xdc\xd7\x38\x43\x48\xfc\xcf\x3b\xcb\x67\x05\x03\x05\xa5\x58\xca\x72\x07\xa4\x58\x93\xfa\x2c\x35\x22\x05\x63\xd5\xd9\xa6\x99\xc2\x23\xe5\x0d\x8d\xf2\xb3\xef\xe1\x8a\xa1\x5d\xce\x8d\x6b\x6a\x31\xa3\x3a\xb7\x0e\x38\xb7\xea\xa5\xa2\x52\x52\x33\xd9\xd4\x68\xc5\x7e\xae\x56\x8c\xbf\x6f\xca\xad\xc6\x55\x26\xce\xd2\x22\x25\xcb\x16\x39\x53\x74\xb0\x81\x41\xb1\xc4\x7d\xf3\x98\x9f\x04\xcc\x4f\x3e\xda\x47\xaf\xf4\xb1\x0f\xf7\x85\x3e\x68\x19\xf9\x97\xfb\xba\x67\xb9\x53\xe6\xce\x30\xfa\x99\xbb\xe7\xb9\xcb\xcd\x18\x9c\xb6\x48\x67\xc8\x67\xe0\x0e\xf3\x6f\x95\x50\x73\x28\x39\x7e\xa4\x31\x29\x13\x47\xf3\x3d\xf8\x04\x49\x0f\x0f\x25\x75\x2d\xbf\x24\xd4\x2a\x67\x8c\xd7\x42\xfe\xbd\x6c\xbe\x2c\xf6\x8f\xc3\xfe\xeb\xb0\xc4\x97\x7b\xe8\xb5\x1e\xf6\x6a\x4f\xe8\xf3\x16\x27\xfb\x50\xcf\xbc\x56\x4c\xf1\xb9\x5b\x46\xe3\xdd\xae\x85\x23\xab\xc6\x4f\x91\xf0\xb4\xeb\x2e\x38\x01\x15\xd3\xac\x75\xdd\xf6\xcb\x8f\x2a\x29\x7e\xe3\x5c\xed\x90\xcb\xa6\xe4\x67\x54\xcd\xa5\xf5\xb0\x76\x43\xf6\xa9\x50\x03\x14\x54\xad\x90\x53\x63\x61\x71\x46\x2e\x2f\x32\x9f\x25\x27\x91\x9e\x1d\x60\x9d\x3e\x72\x1b\xbf\x2c\x97\x54\xa6\x83\xd8\x92\xff\xba\xce\xd7\xd0\x5f\x7b\xdc\xfb\xb3\xb2\x83\xdd\xce\xef\x9d\x92\xfb\x68\x82\x8d\x47\x62\x96\x1f\xe2\x7e\xfe\x32\xc9\x37\x5b\x9e\x2b\xd2\x6f\xfc\xe8\xf4\x2d\x6c\x3f\xef\x05\xfb\x4f\xbd\xb4\x63\x4c\x29\x64\xc7\x36\xe2\x63\xec\x8b\xbd\xec\x73\xbd\x74\x47\x4a\x2b\xaa\xc6\xe7\xce\x37\x11\xe8\x83\x19\xb5\x34\xa3\x15\xd5\x4b\x9d\x9f\xf6\xb3\x35\xd9\x3d\x03\x05\xb0\x1f\x7c\x81\xc6\xdd\x31\xfe\x3e\x5c\xb9\xa8\xf2\xbb\xe0\x91\xff\x7f\xfe\x3c\x7b\xeb\x80\x1d\xf9\x3f\x54\x3d\xf2\xff\xbc\x38\x72\x59\x2d\x45\x1f\xb3\x03\xff\xed\x89\x86\xbd\xbd\xc3\x95\xa7\x09\x88\x2f\x21\xbe\x44\x0d\x3a\x88\x2f\x21\xbe\x84\xf8\xb2\x7b\xc4\x97\x1d\x54\x62\xad\x63\xc4\x97\xa8\xfd\x05\xf1\x25\xc4\x97\x10\x5f\x42\x7c\xb9\x15\xb5\xbf\xba\x5a\xc9\x88\xe2\x44\xdd\x5c\x9c\x28\xb1\x0d\x95\x8c\xc9\x17\x28\x21\xe8\xd6\x61\x3a\xc4\xe9\xd6\x5e\x8a\xd3\x58\x60\xa6\x44\x1b\x0c\xd5\x94\x28\xf1\x6c\x30\x85\xdd\xc3\x86\x65\xd5\x11\xab\x69\x2f\x10\xcb\xb3\x24\x06\x25\x5e\x8c\x7c\x6f\x87\x8d\xc0\xee\x17\xdf\x9c\xb0\xe2\xa4\x5d\xf2\x43\xd4\x06\xde\x25\xf0\x14\x0f\x77\x2e\xf3\x6f\x8d\xd2\x9e\x3a\xfa\x19\x2e\x2d\x28\xf8\x1a\x54\xf0\xfd\x7e\x0f\x1d\x13\x2f\xf9\x24\xed\xe7\x2f\xf9\x18\xd5\x37\xf8\x44\x3a\xd5\x38\x4f\xa7\x6a\xc9\xf7\xea\x6e\x64\x56\x38\xff\x8f\xd2\x61\x87\xf3\xbf\xee\x56\x9a\x63\x6b\xfc\x4c\x4b\x85\x0d\xaa\x62\x6b\x0a\x9a\x5e\xa2\xe8\x6f\x8c\xd8\xb6\xe6\x71\x29\xe4\x70\xa8\x62\xb4\x55\xa7\xdd\x89\x8a\x1d\x84\xdd\x99\xb1\xf6\x6a\x83\x05\x6a\x8d\x0e\x10\xc4\x15\xc4\x15\xc4\x15\xc4\xb5\x7b\x88\x2b\xa6\x61\x01\xd3\xb0\xce\x41\xd2\xd0\x60\xb7\x45\x83\x0d\xf2\x0f\xf2\x0f\xf2\x0f\xf2\x0f\xf2\xdf\xd5\xe4\x1f\xa1\x38\x08\xc5\x41\x28\x4e\xab\x42\x71\xe0\x58\x83\x63\xad\x5b\x1d\x6b\xc9\x4c\x93\xa3\xd0\xda\x8d\x90\xa3\xde\x08\xf9\x7e\x26\x43\xc4\x6d\xcb\x4d\xdb\x51\xff\xff\xed\x3d\x74\x4c\x08\xd5\x53\x6a\x51\x7a\x22\x55\xdd\x91\x0f\xc5\xf9\x73\x36\x93\xe7\x79\x50\xc4\x04\xcd\xcc\x84\xf2\xb3\x7b\xd8\x67\xfb\xe8\x1e\xe7\x8e\x57\x36\xe2\xa1\x11\x8f\x5c\x28\x33\xf6\x3e\xcb\xa2\xb1\xf3\xa2\xb1\xe8\x1e\x63\x6f\xc7\x66\xfd\x52\xdc\x77\xe7\x26\xe7\x49\xf1\x4f\x67\x5d\x57\xf4\x40\xcc\xd5\x81\x1b\xf1\x98\xef\xf5\x07\xe7\x3b\xc8\x18\x23\x2f\x17\x3c\x92\x17\xd8\x49\x39\x7a\x3d\x9e\x9e\x1c\xcc\xbe\x97\xe1\x72\xd1\x86\x3e\xb5\xb3\xf2\x11\x8e\x79\x67\x54\xf1\x7f\x8a\x31\x79\xc0\x96\x3c\xc8\xc4\x1b\xe9\x12\x5d\x28\x73\xd4\x36\xe5\x81\x01\x1c\xc2\x7f\xdb\xa0\xff\xf6\x37\x7a\x5a\x64\x44\xe8\x39\xe1\xd6\x5d\xa6\xa7\x6d\xb7\x6e\xb3\xda\xde\x64\xa6\x96\xb6\x5a\xae\xe8\xe7\xee\xad\xb4\x5c\x11\x33\x7f\x4b\x15\x63\x35\x2a\xf6\xd9\x1a\x5b\x85\xd4\x2e\x48\xed\x72\xeb\xba\x15\xc0\x93\xc0\x93\xc0\x93\x90\xda\x65\x73\xa9\x5d\xda\x3a\x8d\x48\xfc\xbb\xbb\x2a\xa7\x11\x07\x03\x12\xbe\xf8\x4f\x2e\x46\x78\x22\x81\xb6\xcf\x2d\x90\x0c\xa6\xdb\x66\x34\x48\x06\x83\x64\x30\x5b\x9c\x0c\xa6\xbe\x2c\x1b\x4d\x5c\x86\x06\xa5\x71\x69\xef\x17\x24\x39\x4f\xb3\x2c\x11\x39\x61\xe1\xdf\xa7\x9c\x49\x63\x7c\xdb\xa8\x4c\x23\xd3\x74\xc8\xfb\xfe\xcb\x74\x48\x40\x5e\xf5\xc5\x92\x9a\xe7\xae\x07\xab\x10\x5f\x50\xc2\x6b\xf6\xed\x17\xd8\xfb\x07\x88\xd9\x87\x5a\xe5\xf7\x9e\xaa\x9e\xa1\xc4\x4c\x87\x36\x60\xec\x36\x67\x1d\x5e\x51\x2a\xaf\xd9\x29\xd1\x90\xa6\xc4\xa1\x70\x42\x9a\x12\xa4\x29\x81\x68\x1e\xa2\x79\x88\xe6\x21\x9a\x47\x9a\x12\x88\x95\x21\x56\x86\x58\x19\x62\x65\x88\x95\xb7\xaf\x58\x19\x6a\x4a\xa8\x29\xbb\x54\x4d\xb9\x2d\xd3\x94\xa8\x94\x14\x78\x70\x86\xa6\x39\x1e\x3c\x4c\x87\x68\xd2\x17\x0f\xda\x9c\x29\x26\x39\x93\x99\x30\xba\xa6\x74\x25\x01\xe9\x45\xae\x5d\x0a\x46\x82\x7b\x59\x5c\x22\x41\xfb\x5a\xfc\xcb\x07\xf1\x4b\xa4\xc8\x07\x76\x7a\x22\xb2\xfb\xcc\x0c\x26\x76\x21\xa1\x21\xf1\x53\x1b\x81\x98\xe0\x57\x0b\x74\x92\xe6\xca\x5c\x33\xfb\x69\x6f\x03\x0f\x02\x5e\x19\xe8\xe1\x1a\xd4\xc3\xfd\x4d\x8f\x28\x27\x36\xce\xcb\x89\x19\xd6\x60\x92\x1a\x1b\x84\x74\x5a\x08\xe0\x66\x29\x61\x0b\xe0\x1a\x6e\x6c\x51\x78\xc0\xe7\x68\xc6\xe1\x01\x6f\xb8\xb5\xc6\x8d\x14\xcf\x4b\xd2\x2a\x23\x15\xfd\xfd\x11\x4f\x23\xb5\xcb\x33\xf5\x89\x69\xaf\x26\xc4\xd6\x0a\x7b\xe5\x95\x02\x65\x3b\xd5\x41\x03\xca\x05\xca\x05\xca\x05\xca\xed\x1e\x94\x8b\x69\x1b\xf2\x9f\x40\xa8\x8c\xfc\x27\x70\x29\xc0\xa5\x00\x97\x02\x5c\x0a\x70\x29\x20\x5e\x05\xf1\x2a\x88\x57\x41\xfe\x13\x78\xec\xe0\xb1\xbb\x35\xf2\x9f\xd4\x91\xaf\xa4\x55\x98\x79\x3b\xe6\x41\xf9\xd6\x10\x0d\x98\x75\x50\xf9\x50\x19\x33\xf1\x46\xbe\xb4\xa1\xe5\xd6\xd7\x54\x2b\xdf\xc9\x27\x86\xd8\x77\xfb\xed\x2a\xa9\x9f\xea\x91\x43\xcb\xf6\xbd\x2a\x79\x73\xea\x62\x4a\xe1\x97\xac\xc6\x2e\xf1\xc6\x62\x8e\xc9\xc1\x94\x35\xad\x18\xe4\x2d\x0d\xda\xd8\xd6\xc5\xe1\xb4\x82\x6a\x2d\xfd\xf5\x92\xaa\xa4\x47\xec\xf5\x0a\x5f\x93\xc9\xd9\xad\xb1\xe4\xb1\x17\x62\x83\x2e\xc4\xe0\x68\x3b\x16\x7d\x84\x9f\x4e\x14\x72\x2d\xbf\xc0\x0e\x17\xe3\x27\xaf\xfb\x27\x6d\x59\x12\xef\xdb\x02\x9d\xe4\xef\x1b\x2f\xdf\xd0\xc0\xfb\xc6\xbd\xea\x73\xc6\x82\x31\x38\xdc\xe4\x86\x08\x37\x39\x1f\xfc\x3e\x8d\xb1\x51\xf9\x3e\x45\x22\xf2\x3d\x2a\xef\x7a\x77\x50\x09\xa2\x0e\x10\x75\x90\x84\xab\x0a\xae\x2a\xb8\xaa\xe0\xaa\xea\x1a\x57\x55\xb2\x63\x3c\x31\x4d\xbf\x92\x86\x5d\x04\x49\xb8\x08\xe0\x22\x80\x8b\x00\x2e\x02\xb8\x08\xda\xef\x22\x48\x1e\xa5\xc3\xec\x50\x64\xd2\x62\x1a\xbb\x9c\xc1\xfd\xe5\x4b\xb8\xd6\xc7\xf4\x27\xbb\x9a\xa9\x26\xc1\x54\x5b\xc7\x54\x93\x1d\xcf\x54\xb7\x61\x14\x04\x7b\xd7\x10\x3d\xe9\x06\x8c\x45\xd5\x02\x5f\x86\x69\x2f\x6a\x86\x61\xd5\xd9\xef\x0d\xb2\xff\xe4\xc0\x8b\x6f\x93\x78\x31\x9b\x4f\x67\x37\xb2\xe9\x75\x25\xe7\x22\x8d\xd6\x84\xf3\xbc\xdd\xda\x8c\xd5\x5a\x53\x30\x63\x2c\xba\xcf\x01\x0a\x3d\xcf\xb3\x98\xd5\x4b\xf3\x5a\x71\x3a\x97\xb3\xa4\xc0\x9d\x9e\xce\x23\x79\xbd\xf9\xa0\x30\x10\xce\x3f\x13\x0c\x08\xf7\xb1\x89\x72\x40\xe8\xd9\xe5\x2e\x4a\x78\x6d\xb7\x37\x9a\xbc\x8b\x11\xbf\x63\x1e\xfa\x02\x94\x08\x94\x08\x94\x08\x94\x08\x94\x08\x94\x08\x94\x08\x94\x08\x94\x08\x94\x08\x94\x08\x94\x08\x94\xd8\x66\x94\x08\x16\x08\x16\x08\x16\xd8\xc5\x2c\xf0\x07\x03\xf4\xb0\xc8\xc7\xab\x14\x0a\xfa\xd8\x46\x7c\x2c\xad\x16\x72\xda\x4d\xe3\x1b\xab\xb3\xaf\x0f\xb0\x2f\xf7\xd1\x1d\xc6\xa6\x2b\x1b\xf1\xd0\x50\xf5\x24\xbb\xb3\xd6\x91\xd1\x27\x8d\x3d\xa7\x0b\x05\xfd\x52\xdc\xfe\x75\xbb\x61\xb9\x17\x28\x21\xb0\xdc\x61\x3a\xc4\xb1\xdc\x5e\x8a\xd3\x98\x6f\x12\x06\xa3\x97\x44\x68\xbf\x79\xc3\x35\x65\x89\x69\x46\x95\x40\xfb\x94\x14\x94\x75\x06\xe8\x0d\xe8\x0d\xe8\x0d\xe8\x0d\xe8\x0d\xe8\x0d\xe8\x0d\xe8\x0d\xe8\x0d\xe8\x0d\xe8\x0d\xe8\x0d\xe8\x0d\xe8\x0d\xe8\x0d\xe8\x0d\xe8\xad\x5d\xe8\xed\x7b\xbd\x14\x12\xe8\xcd\xa3\xdc\xd7\x18\xfb\xf5\x5e\xf6\xc5\x5e\xba\xcb\xb9\x2d\x14\xca\xf0\x34\x10\xab\x5a\x71\xcd\xea\x4a\x25\xcc\x79\x50\xf4\xa1\x8c\x5a\x72\x16\x79\x9c\x5e\x5a\x38\x69\x6c\x68\x5e\x02\xcc\x8a\x86\xa6\x2a\x1a\x9a\xaa\xa5\xa1\x64\x96\xce\x0a\xb0\x76\x92\xe6\x38\x58\x3b\x4e\x47\xe9\x70\x03\x7a\x37\xf3\x1e\x83\x20\x1b\xfb\x91\x2b\x34\xe9\xdf\xd7\x1b\x71\xd7\xcf\xa2\x26\x9a\xf9\x4d\x64\xaf\x5e\x66\x5f\x1b\xa8\x2c\xc8\x39\x59\x1d\x86\xfa\xd7\xe3\xdc\x63\x1c\xd8\xee\x72\x9c\x28\x44\x06\x98\x88\x42\x64\x80\x89\x80\x89\x80\x89\x80\x89\x9b\x84\x89\x1d\x94\x9c\xb5\x63\x60\x22\xb2\x86\x02\x26\x02\x26\x02\x26\x02\x26\xa2\x10\x19\xd2\x1a\xde\x3a\xec\xaf\xe3\xd3\x1a\x6e\xcb\x42\x64\x25\x7a\x56\x10\xb0\xf3\xb4\xc4\x09\x58\x92\x4e\xd1\xbc\xaf\xb4\xcc\x05\xad\x36\xe2\x31\x5f\x5e\xd4\x94\xba\x64\xb9\x60\x45\xda\x02\x3b\x29\x55\x68\x1e\x3c\x4d\x8a\xd2\x7c\x2f\xd2\x15\x2f\x1a\xf9\x51\xaa\x64\x6b\x11\xb3\x54\x59\x15\x8c\x36\x2a\xf6\x69\x37\x48\x13\xdc\xeb\x8d\x74\x89\x2e\x94\x15\x30\x9b\xa5\xc4\xe6\x1f\x20\x0a\x63\xa0\x9e\x59\x83\xf5\xcc\x3e\xdc\x4b\x17\x85\x51\x39\x4b\x8b\xdc\xa8\xcc\x53\x53\xc6\x24\x3d\x27\xca\x9b\x2d\xd3\xd3\x76\x79\xb3\x66\xb5\xfd\x26\x51\xed\xec\x02\x9d\x77\x54\x3b\x6b\x56\xe3\x9b\x2d\x7e\x56\x9b\x25\xac\xc7\xdc\x55\xb1\x9a\xd1\x7f\x30\x5a\x69\x09\x63\x9e\xf5\xd0\xfc\xad\xe2\xa4\xd8\xbf\xcc\x2a\x5a\x07\xb7\xcb\x3e\xa2\x4c\x1a\x40\x33\x40\x33\x40\x33\x40\x33\xca\xa4\xa1\x4c\x1a\xca\xa4\xa1\x4c\x1a\x1c\x1e\x70\x78\xc0\xe1\x01\x87\x07\x1c\x1e\x4d\x71\x78\xa0\x4c\x1a\xca\xa4\xa1\x4c\x1a\xca\xa4\xc1\x9f\x08\x7f\xe2\x36\x2f\x93\xd6\x56\x77\x5b\x3d\x45\xd9\x9a\x5f\xda\xec\x07\x43\x74\x5c\xc8\xf0\xed\x12\x6e\x63\xb2\x56\x9b\x4c\x45\x6c\xd5\x58\x93\x45\xce\xf8\xdf\x2f\x8d\x65\x45\x85\x37\x55\x67\x9f\x1c\x62\x5f\xe8\x27\x66\x37\x70\x45\x36\x10\xd2\x6b\x4b\x4f\x2c\x8b\xc5\x35\x29\x21\xf1\x1e\x7e\xc0\x9c\x75\x35\x97\xc4\xc5\x58\x59\x4e\xd2\xf2\x74\x8b\xd9\x8e\x57\xf3\x6f\x49\x25\xb3\x5a\xd2\x05\xb7\xac\x3a\x20\xc2\x17\x10\xbe\x80\x5c\x28\xf0\x2a\xc1\xab\x04\xaf\x52\xf7\x78\x95\x90\x0b\x05\xb9\x50\x40\xf3\x41\xf3\x41\xf3\x41\xf3\x3b\x82\xe6\x6f\xc3\x2a\xed\xc8\xb6\x02\x42\x8a\x6c\x2b\xdb\x27\xe2\x82\xfd\x5e\x2f\xdd\x2b\xd0\xa3\xf0\x97\x8c\x6d\xc4\xc7\xd8\x6b\xbd\xec\xd5\x5e\xda\x29\x7e\xb9\xb2\x11\x0f\x3d\x94\x51\x4b\xee\x0f\xb7\xb8\x60\x9e\x5d\x45\xb8\x49\x2e\xc5\xa7\x97\x16\xcc\x35\x62\xf3\x72\x18\x37\x2f\xbb\x4a\xa1\x2e\x19\x78\xf5\xec\x2a\xe6\x7d\xd6\x12\x57\xc2\xfe\x6b\x2f\xbd\x41\x74\xb1\x9e\xba\xaa\xa6\xd7\x73\xc6\x94\xdb\x4c\x67\xf3\x85\x5e\xf6\x6b\xbd\x44\xf6\x96\xaa\xc9\x6c\x1e\xcc\xa8\xa5\x65\x6b\x57\xa4\xb2\x71\xf4\xf2\x27\x86\xe9\x69\xd1\xcb\xc5\x15\x25\x15\x33\x77\xe0\x97\x69\x27\xb4\xa9\x01\xa9\x17\xb5\x9c\xba\x92\xcd\xa7\xb3\xf9\x8c\xce\x7e\x77\x88\xfd\x59\x3f\x3d\x6c\x34\x39\xed\x6c\xd1\x82\xeb\x37\x6a\xac\xfd\xa7\xe5\xd4\x84\x68\xb4\x49\x80\xfd\x00\x3f\xe0\x7c\xf9\x85\x55\x70\x76\xc7\x99\xb7\x07\x6b\x6f\x7f\xcd\xbf\x6c\x30\x46\x9f\x67\xb3\x12\xa3\xfb\x8e\x2e\xb3\x14\xa0\xdd\xdf\x95\x64\x1d\x55\x00\x81\xdf\x81\xdf\x81\xdf\x81\xdf\x81\xdf\x81\xdf\x81\xdf\x81\xdf\x81\xdf\x81\xdf\x81\xdf\x81\xdf\x81\xdf\x81\xdf\x81\xdf\x81\xdf\xbb\x0c\xbf\x7f\xf2\x01\xda\x67\x3c\xba\xb1\x8d\xb8\x1f\x8f\x34\x5e\xb8\xac\xf5\xe3\x4b\x63\x85\xa2\xf6\xe2\x4d\xf6\xd7\xf7\xb3\x9f\xed\xa5\x3b\x52\x5a\x51\xe5\x25\x08\x53\x5a\x3e\x6f\xd8\xa6\x93\x73\x17\x6c\x2c\x54\xd2\xc2\x7c\x6f\xe3\xe2\x97\x45\x33\xd1\x01\xb9\xe7\x8c\x56\x54\x2f\xc5\x4f\xaa\x25\x1b\x15\xca\x5d\x96\x8c\x43\x26\xfa\xa2\x63\x51\x81\xe4\x26\x69\x97\x40\x72\x0f\xd2\xfd\x1c\xc9\xbd\x8e\xee\xfc\x78\xcf\x0e\x92\x63\x23\x10\xaf\x3d\xe1\xcd\xbc\x88\xed\x90\x97\x42\xd7\x2e\x06\x13\xb8\x09\x36\x2e\x09\x5c\x24\x22\x51\x9b\xf3\x7a\x65\x2e\x0c\x97\xa8\x3b\xe4\xd9\x43\x4b\x17\xeb\xea\xa1\xa5\xf5\x6d\xd4\x43\x1e\x29\x55\xaa\xf6\x56\xe4\xe7\x1c\x3d\x34\x6c\xf5\xd0\xb9\xe5\x80\x2e\x1a\x74\x77\x91\xa6\xb7\xbe\x8f\x5a\x33\x44\x6a\xe8\xfa\xe8\xbf\x74\xf4\xd1\x1e\xb3\x8f\x66\xe7\x16\xe7\x2e\xcc\x55\xef\xa5\x61\x57\x2f\x89\x9c\x2d\xdb\x67\x2c\xd5\xdb\x95\x13\xbf\xe0\xe8\xa7\x11\xb3\x9f\xce\x2d\x5d\x58\x38\x77\x76\xb9\x7a\x47\x45\x5d\x1d\x25\x1b\xbf\x75\x7b\x6a\xca\xf3\xad\x3b\x35\x37\x3d\x5b\xcf\x5b\x77\x4a\x55\xd2\xb7\xee\x5b\x97\xf8\x79\x47\x1f\x45\x2d\xcb\x34\x7d\x61\xe6\x54\xf5\x4e\x1a\x72\x9b\x26\xe3\x8b\xdb\x21\xbd\x54\x5b\xdf\xd8\x7d\x59\x43\x2f\x25\x4f\xd0\x31\x76\x24\x32\x65\x2d\x51\x1e\xe7\x6b\x13\x39\xb9\xf2\x38\x55\xa4\xdf\xd8\xc1\xb9\x04\x69\xfd\x22\xe7\x2b\xbd\xf4\x1f\x7a\xd9\xaf\xf7\x86\xbe\x68\xcd\xca\x5f\xe9\x5d\x52\x4a\x62\x95\x7f\x55\x0d\x17\x94\x22\xe7\x34\x17\xcf\x2f\xca\xa5\xa9\x5c\x12\x87\xe5\xdc\x27\xac\xe6\xd3\x05\x2d\x9b\x2f\xe9\xc6\x25\xac\xae\x66\x5f\x54\x75\x31\x03\x73\xb8\x10\x8c\x99\xac\xae\x5a\x53\xd1\xd4\x7a\xb1\x68\xac\x0a\xc5\x00\x31\x17\x31\x25\xcd\x6c\x33\x16\x9e\xd7\x8a\x61\xf5\x45\x65\xad\x90\x93\xfc\xfa\xc6\x55\x2d\x67\x11\x24\xe3\x6a\xf8\x54\xbf\x54\x2a\x4c\x8d\x8d\xe5\xb4\x94\x92\xbb\xaa\xe9\x25\x8f\xd9\x9a\xf1\x88\x46\xf5\x9b\x7a\x49\x5d\xb3\x67\x6b\x6a\x4e\xd1\x4b\xd9\x94\xae\x2a\xc5\xd4\xd5\xd1\x9c\x96\xc9\x64\xf3\x99\xb1\x2b\xe2\xff\xc7\xdf\x72\x74\x5d\x57\x8b\x53\xd7\xb3\x6b\xa9\xab\x37\x63\x61\xb3\x37\xbc\x37\x47\xf8\x93\x71\x06\x8c\x7d\x73\x90\x1e\x15\xce\xee\x15\xee\xca\xde\x30\x7d\xda\xa9\xa2\x96\xbf\xa6\xad\xe8\xec\x57\x07\xd9\x47\xfa\x69\x07\xdf\x6c\xbc\x42\x35\x06\x81\xcd\x14\xb5\x7c\x52\x5b\x69\x92\x8f\x5a\x1c\x90\x30\xfe\xb9\x14\x97\x4d\x2f\x66\xf5\x6d\x57\xf1\x7a\x2b\x9c\xd2\x35\x05\x80\x2d\x06\x1b\x9e\x61\x36\x28\x4d\x0a\x1f\x0b\x66\x54\xa4\x78\x18\x2e\xcb\x03\xbf\x33\xfc\xce\xf0\x3b\xc3\xef\x0c\xbf\x33\xfc\xce\xf0\x3b\xc3\xef\x0c\xbf\x33\xfc\xce\xf0\x3b\xc3\xef\x0c\xbf\x33\x4a\x60\xc3\x2b\x0c\xaf\x30\xbc\xc2\xed\xf2\x0a\x7f\xb5\x97\x1e\x90\xf9\xa0\x38\x5a\xb1\xa2\x85\x3e\xd3\xcb\x3e\xdd\x4b\xb7\x8b\x5f\xab\x46\x0a\xdd\x97\x51\x4b\x1c\x34\xa1\xe0\xb5\x33\x4a\xe8\x1d\x43\x34\x14\x90\x69\xcb\x4e\xa9\xf5\x9f\x07\xd9\x6f\x74\x50\x4a\xad\xb8\x77\x4a\x2d\x47\x22\x2d\x70\xd5\x26\x71\x55\x24\xd6\x02\x61\x05\x61\x05\x61\x05\x61\x05\x61\x05\x61\x05\x61\x05\x61\x05\x61\x05\x61\x05\x61\x05\x61\x05\x61\x05\x61\x05\x61\x05\x61\xdd\xee\x84\xf5\x32\xcd\x07\x67\x0b\xaa\x29\x45\xd0\x8f\x5f\x66\x9f\x18\xa0\x07\xbc\x52\x04\x85\x86\xc5\x0c\xb2\x28\xbf\x7d\xa6\x71\xd4\x56\xc3\xd7\xb3\xf9\xb4\x33\x57\x4c\x74\xc4\xd8\xd5\x23\x9d\x8f\x67\x26\x9f\x0e\x07\x7b\x09\x70\x2e\x70\x2e\x94\x25\x06\xe7\x02\xe7\x02\xe7\xea\x1e\xce\xd5\x41\x55\x77\x3b\x86\x73\xa1\x1c\x2c\x38\x17\x38\x17\x38\x17\x38\xd7\x56\x94\x83\xed\x6a\x2c\x85\x7a\x95\xdd\x5c\xaf\x32\xb1\x0d\xb1\x54\xf2\x32\xcd\x08\x41\xd4\x11\x9a\xe2\x82\xa8\x7d\x34\x41\xe3\x7e\x82\xa8\x18\x67\x57\x1b\xf1\x58\x59\x8e\xe7\x40\x0d\x54\x3a\x58\xde\x34\xcd\x8e\x7b\x44\xa5\xd7\x93\xfc\xf8\xda\x63\xde\x4a\xab\x3b\xd8\x6d\x5c\x64\x15\xf9\xd9\x9d\x3e\xd4\xec\x01\xf1\x5d\x0a\x2b\x2e\x40\x16\x13\xbf\xb6\x1d\x91\x09\xa2\x95\xa0\x13\x74\x8c\xf5\xaf\x68\xe9\x9b\x21\xfe\x6f\xb8\x27\x1a\xa3\x91\x7a\x1e\x4d\xe2\x7d\xbd\xf4\xcf\x7a\xd9\x7b\x7a\x43\x3f\x65\xd9\xa3\x1f\xf4\x3c\x63\x7c\xed\xe5\x07\x60\x84\x2b\x0a\x79\x11\x53\x61\x40\x5c\x8b\x0e\x27\x88\x12\x65\xa5\xf9\x27\x32\x1d\x0b\x4f\xe7\xc3\xd9\xbc\x58\xee\x6b\xc5\xf0\x7a\xde\x22\x06\xe9\x70\xba\x78\xf3\xfc\x7a\x3e\x9c\xce\x16\x55\xe3\xad\x51\xad\x65\xa8\xf1\x35\xe1\x9f\x6b\xb9\x0e\x37\x67\xdd\x72\xe5\x13\x5e\x5d\x2f\xf2\x99\x5d\xa1\xa8\xa5\x54\x9d\x7f\x57\xe5\x4b\x2a\xbf\x00\xb1\xf0\x25\x7e\x46\x67\x1d\xe8\xd1\xf0\x74\x2e\x37\x25\xca\x2c\x17\x6f\x86\x8b\xeb\x79\x63\x45\x66\xbc\x66\x56\x31\x6c\xd1\x9c\x9a\x8e\xdc\x2e\x2e\xcd\x69\x53\x7e\xba\x97\xfe\x71\x2f\x7b\x77\x6f\xe8\xef\x5b\x1d\xf4\x47\x3d\x7c\xa2\x75\x46\xc9\x2b\x19\xb5\x28\x96\x0c\x22\x35\x81\xae\x6b\xa9\x2c\xff\x0a\x5a\x93\x73\x85\xaf\x6e\xb4\x62\xd8\x98\x24\x95\x6e\x5a\xd3\x82\x35\xe5\xba\x71\xfd\xa5\xab\xaa\xae\x9a\x2f\xbe\x28\xa6\x2d\xa6\xfb\x9c\x1c\xac\xa8\x61\x6e\x72\xf8\x44\x5c\x2b\x86\xe3\x13\x07\x8d\x7d\x8b\x4a\x8a\xf3\x1d\x63\x0d\x2b\x5e\x73\x3e\x59\x36\xe6\x35\x4a\x36\x2f\x9c\x42\x7c\x32\x6a\xef\xcb\xd7\xbc\x92\x3e\x19\x4b\x28\xd3\x74\x67\xb4\x9c\x92\xcf\xc4\xb4\x62\x66\xac\x70\x3d\x33\xb6\x9e\xcf\xa6\xb4\xb4\x3a\xb6\x7b\x41\x5f\x32\x5a\x89\x45\xee\x72\xde\xab\xd3\x07\xf0\x9d\x1e\x9a\x35\x0c\x43\x9c\x17\xdd\xbd\x63\x46\xcc\xdb\xd8\x38\xd5\x39\x04\x69\xce\x68\x65\x82\x1d\xa3\x23\xb4\x43\xd4\xf2\x6e\xa8\x19\xdf\x7a\xa8\xc7\x85\xf9\x3a\x48\x07\xb8\xf9\xaa\xbb\x65\xd3\x42\xf9\xdb\x8e\x82\xa6\x97\xa8\x46\x0b\x56\x35\x23\x7b\xb0\x4d\x8b\xfe\xef\x11\x1f\x0b\x65\x16\x28\x77\x54\x7b\x77\x27\xf9\x8f\x1e\x14\x7b\x78\x58\xab\x19\xeb\x98\x76\xd8\xad\x0b\x74\x9e\x96\x9c\x76\x2b\x9a\xa0\x13\x0d\x28\x6c\x45\xf6\x22\x99\x45\x04\x68\x17\x68\x17\x68\x17\x68\xb7\x8b\xd0\x2e\xe6\x6e\x01\x73\xb7\xce\x61\xdf\xbf\xdf\x4b\xff\xa5\x97\x7d\xab\x37\xf4\x0d\xeb\x51\xfd\x52\xef\x05\xe7\x6a\x33\x9b\x0f\xeb\x62\xc5\x18\x5e\x51\x57\x85\xa3\xd8\xa2\x32\xf6\x27\x4b\xbe\x25\xbc\xb3\x1c\xb3\xc4\xbc\x96\x1f\xcd\xab\x19\x85\x3f\x12\xb9\xe0\x74\xce\x26\x05\x9f\xb5\x06\x83\x9c\x2a\x64\xd7\xd6\xd4\xb4\x31\x5f\xcd\xdd\xb4\x3d\xb8\xb6\x69\xcf\xe6\x46\xe4\x3a\x94\xdf\x6e\x38\x53\x54\x52\x7c\x9c\x64\xb5\xb4\xf5\xe1\xb1\x3f\x0e\xdc\x39\x6e\x3e\x97\x75\xdd\xb8\x48\x67\x47\x29\xc6\x91\xe6\x0d\xc9\x93\xac\x8a\xf7\xcd\x6c\x22\x26\xae\x73\x4d\x55\xf2\x9e\xd7\x18\x61\xfc\x12\x96\xf8\x15\x78\xad\xaf\xe1\x62\x80\x8b\x01\x2e\x06\xb8\x18\xe0\x62\xe8\x6a\x17\xc3\x6f\xf5\xd2\x97\x7b\xd9\x6b\xbd\xa1\x57\xad\xaf\xed\xfb\x7b\x67\x1d\xf1\xae\x85\x9c\xaa\xe8\xaa\xf5\xea\x2f\x15\xb5\x82\x92\xe1\xdf\x61\x51\x38\xd2\x25\x30\x32\x1f\xb7\x1d\x30\x6b\x3c\xf0\x78\x6c\x32\x16\x5e\x16\x76\x44\x7c\x24\x0b\x6a\xde\x18\xa6\xf6\x57\x44\x0d\x6b\xc5\xc2\x55\x25\x6f\x0a\x9e\x8a\xeb\xea\xd8\xaa\x92\x33\x67\xff\x11\xb1\x35\x12\x5e\xcd\xe6\x95\x5c\xf6\xef\x98\xe6\x7b\x45\x0d\x2b\x69\xce\xeb\xb5\x31\x81\x6f\xd3\xf6\xd4\x52\x34\x3e\xa8\xdb\x07\x89\xf9\x76\x2c\x3c\x97\xe5\x26\xc9\x71\xe1\x5a\xb1\xf2\xce\x6c\x1f\x49\x49\x4c\xf7\xf9\xec\x4f\x2b\x5d\x8d\x45\xee\x15\xd7\x33\x6b\xde\x88\x5b\x39\xf5\xce\x7e\x7a\x47\x3f\x7b\x7b\x7f\xe8\x6f\x2d\xf9\xdc\x57\xfb\x9e\x91\x76\xd0\x18\xa2\x57\xb5\x1b\xe1\x8c\x52\x5c\x51\x32\x2e\x06\x61\x4d\xd4\xd4\xe2\xaa\x56\x5c\x33\xfa\xc2\xf3\x4a\xcf\x95\x9d\xdc\xff\x42\xf9\xb4\xc6\x9c\x93\x88\x7a\xa0\xc6\x88\x48\xab\xa9\x6c\xda\x9e\x58\xf3\x6f\x23\x5f\xe6\x58\xbd\xab\xf3\xd0\x74\xbe\xd5\xfc\xfa\xc5\x1c\xdd\x68\xda\x4d\xcb\x31\x61\x89\xe6\xdc\x27\x8b\x85\x05\xa5\xe2\xb6\xd8\x39\x5b\x1d\x14\xf7\x30\x68\xac\x79\xf8\x5f\xee\x81\xa1\x1f\x0e\x0f\x26\x94\xd4\xf5\x4c\x51\x5b\xcf\xa7\x8d\xbd\xb8\x5a\x8d\xef\x54\xd6\x71\x62\xb2\x22\x67\x40\xee\x46\xcc\x3b\x58\xb1\x5a\x3a\x1c\x1e\x9c\xd7\x8a\xaa\xa3\xd9\x70\x4a\xd1\x53\x4a\xda\xb8\x7b\xd9\x3f\x42\x9f\xc8\xdb\xd3\xc5\x74\xba\xa2\xc1\x55\xab\x8d\x58\xe4\xbe\x42\xf9\xb8\x71\xce\x6d\xe0\xc1\x83\x07\xaf\x4b\x3d\x78\xc9\x0c\x2d\x0a\x9c\x3c\x47\x33\x1c\x27\x1f\xa5\xc3\x74\xa8\x01\x78\xb9\x5c\x52\x4a\xeb\x7a\xa0\x5b\x2c\xea\x0d\x9d\xef\x67\xf7\x89\xb7\xd9\xb6\xb4\xb5\x02\xe8\xcd\xd5\x0c\xa5\x6d\x58\x81\x86\xbd\x77\x88\xf6\xd7\xa0\xac\x97\xe9\x8a\x73\xeb\x7a\x49\x2d\x16\xb5\x9c\xaa\xb3\x6f\x0f\xb2\xdf\xe9\xf7\x01\xee\x35\x96\xd9\x9d\x11\xed\x19\xfd\xd9\xd4\x14\xc6\x5e\x18\xdf\x3e\x15\xea\xea\x6e\x22\xd5\x46\xcb\x7c\xd1\x8e\x07\x84\xc4\x1b\x08\x48\x40\xe2\x0d\x78\xad\xe0\xb5\x82\xd7\xaa\x9b\xbc\x56\x48\xbc\x81\xc4\x1b\xf0\x16\xc0\x5b\x00\x6f\x01\xbc\x05\x1d\xe1\x2d\x40\xe2\x0d\x24\xde\xd8\x2e\x7c\x14\x89\x37\x5a\x91\x78\xe3\x0f\x87\x28\x6c\x96\x50\x33\x55\x50\xf9\xd2\x86\x96\x5b\x5f\xb3\x4a\xdc\xb2\x7f\x3f\xc4\xfe\xbb\xa3\xfc\xdf\xee\xa2\xaa\xa4\xcb\xd6\x99\x4b\xd6\xb1\x97\xf8\xb1\xd1\x90\xb1\x93\x2c\xfa\x57\xb6\xad\xb9\x92\xda\xe4\x15\xa1\xc5\x1e\xe7\x38\xba\xf7\xdc\x69\xb6\x9f\xf6\x52\xdc\x57\xe5\x6c\xdc\x45\x6c\x23\x1e\x2b\xbf\xaa\x40\x7c\xf6\xa8\x37\x3e\xbb\x9d\xf5\x67\xd4\x12\x5d\x3b\x1f\x0c\xce\xc6\xd8\x68\x79\x69\xc6\x8a\xab\x70\x15\xcc\x7d\x75\x87\xdd\xeb\x03\x45\xb5\x90\x53\x52\x6a\x50\xc7\x3f\x2a\xf7\x6b\x47\xdf\x27\x4e\xd2\x1c\xcd\x94\x85\x61\x34\xd2\xf9\xd0\xf3\x21\x16\xa3\xc1\x58\x8c\x5f\xec\x69\xd2\xfb\xbf\x20\x22\x3a\x12\x74\xc2\x8e\xe8\x68\x91\x29\x69\x81\xad\xa8\x62\x9e\x0a\xeb\x25\x8a\xfe\xe0\x1e\xdb\x94\x3c\x2c\xbd\xeb\x4a\xa5\xf5\xd8\x25\x36\xb5\xc5\x78\xb4\x26\x16\x02\x96\x24\xc0\x92\x40\x8f\xdb\x16\x3d\x2e\x84\x58\x10\x62\x41\x88\xd5\x2a\x21\x56\xf2\x5f\x35\xeb\xb3\x9f\x14\x21\x98\x33\x34\xed\x08\xc1\xdc\x46\xdf\xfd\xb0\xf7\x77\x7f\x27\xbb\x43\x74\x35\x25\xfe\xe2\x4e\xfb\xd3\x3f\x56\x50\x8a\xa5\x2c\xf7\xe9\x89\x85\x64\xd0\x72\xe2\x91\x82\xb1\x66\x6c\xf5\x7c\xe0\x91\xf2\x86\x46\xf9\x69\xf7\xf0\x6a\x36\xbb\x9c\x1b\xd7\xd4\x62\x46\x75\x6e\x1d\x70\x6e\xd5\x4b\x45\xa5\xa4\x66\xb2\xa9\xd1\x8a\xfd\x5c\xad\x18\x7f\xdf\x94\x5b\x8d\xab\x4c\x9c\xa5\x45\x4a\x96\x2d\x64\xa6\xe8\x60\x03\xb3\x11\x5e\xe2\x1e\xb3\x90\xa0\x59\xc8\x47\xfb\xe8\x95\x3e\xf6\xe1\xbe\xd0\x07\x2d\x53\xfe\x72\x5f\xf7\xac\x67\xca\x7c\x04\x46\x3f\x73\x9f\x37\xf7\x63\x19\x83\xd3\x56\xbe\x0c\xf9\x0c\xdc\x61\xfe\x45\x12\x12\x09\x25\xc7\x8f\x34\xa6\x5e\xe2\x68\xbe\x07\x9f\x06\xe9\xe1\xa1\xa4\xae\xe5\x97\x84\x04\xe4\x8c\xf1\x5a\xc8\xbf\x97\xcd\x97\xc5\xfe\x71\xd8\x7f\xa1\x95\xf8\x72\x0f\xbd\xd6\xc3\x5e\xed\x09\x7d\xde\xc2\x5b\x1f\xea\x99\xd7\x8a\x29\x3e\x43\xcb\x68\xbc\xdb\xb5\x70\x64\xd5\xf8\x29\x12\x9e\x76\xdd\x05\x07\x97\x62\x32\xb5\xae\xdb\xce\xee\x51\x25\xc5\x6f\x9c\x4b\x08\x72\xd9\x94\xfc\x58\xaa\xb9\xb4\x1e\xd6\x6e\xc8\x3e\x15\x2e\xf6\x82\xaa\x15\x72\x6a\x2c\x2c\xce\xc8\x35\x3b\xe6\xb3\xe4\x00\xd1\xb3\x03\xac\xd3\x47\x6e\xe3\x97\xe5\xd2\x9f\xb4\x0b\x1c\x3d\xee\x6d\xa1\x77\xb0\xdb\xf9\x45\xb6\x04\x1d\x25\x8f\xd2\x61\x76\x28\x32\x69\x49\x15\x77\xf1\x37\x49\xbe\xd6\xe5\x87\x46\xfa\x8d\xad\x2d\xd5\x21\x7e\x61\x98\x8e\x08\x1d\xa2\x52\x28\xe8\xb6\xe4\xd0\x27\xa5\x6f\x5a\x51\xd7\x0c\x13\x55\xb2\x20\xe4\x3b\x86\xd9\xff\xd3\x4f\x77\x18\x47\x1b\x1f\xb2\x8f\xf5\x48\xcc\xeb\xd0\x1d\xe6\xcd\x29\xbd\x99\xd0\x77\x96\xb7\xb2\xac\x96\x9a\xa2\x3e\x1c\xb1\xdd\xa4\x7c\x0d\x21\x9d\x6a\xd9\x92\xba\x66\xdb\xa5\x41\x97\xcb\xdd\xd1\x76\x2c\xfa\x18\x3f\xdd\x74\xa1\xa0\x3b\x73\xa4\x58\xd7\xd8\xf9\x92\x45\xdf\x34\x13\x4d\xd7\x32\x9a\xaf\xce\x99\xe0\x37\x23\xca\x86\xe4\x9b\x61\x0c\x0d\xf9\x6e\x58\x9d\xea\x9e\x2b\xf9\xbf\x89\xfc\x3e\xa1\x4b\x84\x2e\x11\xba\x44\xe8\x12\xa1\x4b\x84\x2e\x11\xba\x44\xe8\x12\xa1\x4b\x84\x2e\x11\xba\x44\xe8\x12\xa1\x4b\x6c\xb7\x2e\xf1\x00\xed\x63\x13\x91\x71\x8b\x5e\x3c\xe8\xa4\x17\xd6\xe2\xae\x12\x5b\x6c\xbf\x00\x4d\x28\x26\xa1\x98\x84\x62\x72\x1b\x29\x26\xbf\x39\x6c\x96\x2a\x13\xd0\xc7\x0e\xa2\xe6\x45\xe5\xab\x63\x4d\x71\x88\x89\x34\xff\xd1\x30\xfb\xb3\x7e\xba\x5b\xfc\x78\x45\x36\x10\x7a\xa5\x16\xb2\xc9\x29\x59\x47\x50\xcd\x27\x6e\x58\xd4\x4e\xbf\x24\x6e\xc1\x86\x9b\xfc\xe7\xce\x07\x9b\xed\x8f\xc5\x7e\x26\x18\x6c\xee\x63\x13\x12\x6c\xba\x06\x9a\x24\x9c\xe2\x34\x0e\xba\xc9\x7b\x1e\x88\x13\x88\x13\x88\x13\x88\x13\x88\x13\x88\x13\x88\x13\x88\x13\x88\x13\x88\x13\x88\x13\x88\x13\x88\xb3\xe3\x10\xe7\x04\x8d\xb3\x58\x64\xc4\x42\x95\xf7\x39\x11\x27\x5f\xdd\x01\x6f\x02\x6f\x02\x6f\x02\x6f\xb6\x15\x6f\xfe\xfa\xf3\xb4\x5b\xe0\xcd\xbc\x96\x56\x1d\x19\x22\x8b\xeb\x79\xe3\x56\x53\x39\x45\xd7\x55\x9d\x7d\xe0\x79\xf6\x8e\x01\xba\xc3\xd8\xe9\xca\x46\x3c\x14\x15\xf3\xd4\xa2\xfc\xc2\x9a\x26\xd8\xc4\x95\xe7\xc5\xc1\x33\xc6\xc1\xd1\xd7\x1b\xfb\x9e\xd5\xd2\xea\xa5\xb8\xf3\xf7\x0e\xc7\x84\x09\x80\x33\x80\x33\x54\xda\x02\x38\x03\x38\x03\x38\xeb\x1e\x70\xd6\x41\x85\xa4\x3a\x06\x9c\xa1\xc2\x11\xc0\x19\xc0\x19\xc0\x19\xc0\xd9\x56\x54\x38\xea\x6a\xa2\x84\x12\x2c\xdd\x5c\x82\x25\xb1\x0d\x89\x52\xbd\x61\xd6\x1c\x3b\x6d\xc4\x63\x4e\x34\xb4\x98\xd5\x83\x25\x55\xfe\x35\xca\x45\x65\x8b\xba\x24\x57\x0e\xf8\x65\x16\x85\x71\x5c\x8f\x2b\xaa\x34\xf2\x97\x3b\x6c\x0e\xf6\xa0\xf8\xfc\x84\x15\x37\xf2\x7a\x83\xf8\xb9\x85\xd0\x4b\x30\xaa\x19\x9a\xa6\xe3\x65\x69\x2c\xc6\x68\xb4\xae\xce\x46\xee\x0a\xe4\xe2\x6b\x30\x17\xdf\x1f\xf5\xd0\x9c\xc8\xa2\x77\x8c\x8e\xd8\x59\xf4\xe2\x54\xef\x18\xa4\x79\x91\x95\xe7\x38\x1d\x75\x64\xe5\x69\xa0\x1d\xdf\x90\xf5\x13\xc2\x26\x1d\xa2\x49\x6e\x93\xea\x6f\x3a\xd8\xec\x14\xb4\x56\x9a\x9d\xe8\x6f\x8e\xd8\x66\xe7\x09\x99\xa6\xc9\x91\xf3\x4a\x5b\x75\x9b\xa0\x88\xd8\x45\x98\xa0\x19\x6b\xbf\x16\x1a\xa3\xd6\xe4\xf7\x03\x81\x05\x81\x05\x81\x05\x81\xed\x1e\x02\x8b\xf9\x58\xc0\x7c\xac\x73\x10\x35\x72\xab\xb6\x25\xb7\x2a\x3c\x01\xf0\x04\xc0\x13\x00\x4f\x00\x3c\x01\x5d\xed\x09\x40\x8a\x6d\xa4\xd8\x46\x8a\xed\x56\xa5\xd8\x86\xa3\x0d\x8e\xb6\x6e\x75\xb4\x25\x33\xb4\x28\x00\xf1\x1c\xcd\x70\x40\x7c\x94\x0e\xd3\xa1\x06\xe0\xe5\x72\x49\x29\xad\xfb\x73\xe8\xfa\xf2\x01\x04\x20\x61\x0f\x88\x7c\x2d\xea\x8d\xa7\xef\x67\xf7\x09\x33\x61\x9b\x70\x6a\x7e\xd2\xdf\x5f\x92\x62\xf2\xb1\x8d\xb8\x5f\x46\x8c\x82\x96\xd6\xd9\xbb\x9e\x67\xdf\x7e\xca\x4e\x52\xff\x44\x75\x31\xf9\x92\x96\x8e\x3e\x64\xec\x22\xb2\xd2\xdb\xd9\x26\x96\xb4\x34\x44\xe4\x10\x91\x43\x44\x0e\x17\x06\x5c\x18\x70\x61\xc0\x85\xd1\x31\x2e\x8c\xce\x21\xf4\x40\xc7\x40\xc7\x40\xc7\x40\xc7\x40\xc7\x5d\x8d\x8e\xc1\xb6\xc0\xb6\xba\x94\x6d\x6d\x4b\x11\xf9\x25\x7f\x25\xe7\x61\x01\xea\xf6\xd1\x04\x07\x75\x23\x14\xa5\xa1\xe0\x22\x5e\x5a\x7a\x31\xab\x97\x6a\xd5\x8e\xcf\x05\xe3\xb9\x08\x0b\x57\x54\xe8\xd2\xd2\x6e\xa5\xf8\x2f\x3b\xea\xb9\xdf\x65\x29\xc5\x97\xb4\x74\xf4\x61\xf1\xbf\x56\x12\x2d\x01\xa0\xa6\xe8\x20\x1d\x28\x53\x88\x0f\xd0\x93\xb5\x74\x18\x84\x48\x10\x86\x37\x28\x0c\xff\xcd\x1e\xff\xf7\x77\x52\xbc\xbf\xe3\x14\xe3\xef\xef\x10\xd5\x38\x1c\xe9\x88\x90\x9a\xef\xa7\xbd\xb6\xd4\xbc\xf6\xa3\x8f\x0a\x85\xf9\x01\xda\xe7\x50\x98\xd7\x7c\xb8\x69\x38\x6a\x33\x0c\xde\xe6\xc0\x36\x17\x41\x22\xf2\xe8\xbf\x1e\xb1\x0d\xc7\x1b\x3c\xb5\xde\x86\x11\xd9\xed\x2c\xde\x6e\x4b\xbc\x5b\x69\x4e\xa0\xf1\x06\x20\x05\x20\x05\x20\x05\x20\x85\xc6\x1b\x1a\x6f\x68\xbc\xa1\xf1\x06\xa8\x07\xa8\x07\xa8\x07\xa8\x07\xa8\x87\xc6\x1b\x1a\x6f\x68\xbc\xa1\xf1\x86\x1f\x0c\x7e\xb0\x0e\xf4\x83\xb5\x5d\xe3\x5d\x87\x14\xbb\x49\x0e\xa7\x6d\x58\x30\x80\x7d\xeb\x79\x1a\x08\xd0\x8c\xeb\x6a\xaa\xa8\x96\x74\xf6\x89\xe7\xd9\x9f\x3a\x64\xe3\x4f\x56\x97\x8d\x2f\xf3\xa3\xa2\x21\x2f\xe5\xb8\xd8\x06\xf1\x38\xc4\xe3\x10\x8f\xc3\x37\x02\xdf\x08\x7c\x23\xf0\x8d\x74\x8c\x6f\xa4\x73\xd0\x3f\x98\x34\x98\x34\x98\x34\x98\x34\x98\x74\x57\x33\x69\x40\x33\x40\xb3\x2e\x85\x66\xdb\x52\x3c\xfe\x2c\x1d\x13\xa0\x6f\x92\xf6\x73\xd0\x37\x46\xa3\xb4\x27\x50\xe6\x29\xa0\x50\x53\x72\x8f\x9f\x0a\xc6\x79\x4f\xb1\xdd\xe5\x38\x4f\x5c\x80\x5b\x42\xfe\x9a\x43\x42\x7e\x8f\x25\x21\x97\x6c\x6b\x97\xb7\x8a\xbc\xc9\x74\x4b\xc0\x28\x0e\x4b\xcb\x84\xe4\xc3\x34\x58\x63\xaf\x42\xf0\x04\x2d\x79\x83\x5a\xf2\xff\xdc\x43\x53\xe2\x75\xde\x4b\x71\xfe\x3a\xef\xa1\xda\x07\x1e\x1d\x17\xaa\xf1\x83\x74\xc0\x56\x8d\xd7\xd5\xc0\x09\x21\x1c\x3f\x44\x93\x0e\xe1\x78\x5d\x2d\x34\x6e\x4d\x44\x4a\xf1\xda\xac\x89\xb7\xd4\xdc\x65\x59\xa2\x9f\x71\xe8\xca\x1f\xf1\xd4\x95\x4b\xcb\x32\x10\x24\x2d\x6f\x89\x8d\x81\xba\x1c\x04\x15\x04\x15\x04\x15\x04\x15\xea\x72\xa8\xcb\xa1\x2e\x87\xba\x1c\x24\x1f\x24\x1f\x24\x1f\x24\x1f\x24\x1f\xea\x72\xa8\xcb\xa1\x2e\x87\xba\x1c\x8e\x32\x38\xca\x3a\xd0\x51\xd6\xd1\xea\xf2\xa6\xb9\xa3\xb6\xa3\xc0\xfc\xdf\x0f\xd3\xac\x31\x3e\xf5\xb1\x94\x5a\x94\x3e\x45\x55\x97\x09\xd3\xc7\x36\xe2\x62\xc4\xb8\x36\x66\x33\xf9\x6c\x3e\x63\x4e\xd0\x84\x16\xfd\x25\xf6\x83\x21\xf6\x2f\x6e\xa3\x7b\x9c\x3b\x5e\xd9\x88\x87\x3e\xdb\x23\x87\x9c\xed\x0a\x55\xf2\xe6\x94\xc6\x14\xa3\xcf\xd8\x07\x2d\x8b\xd6\xcf\x9b\x70\x23\xed\x98\x7e\x98\xf3\x8e\x41\xde\xe4\xa0\xcd\x75\x5d\xa0\x4e\x2b\xa8\x16\x1b\xd0\x4b\xaa\x92\x1e\xb1\x17\x34\x7c\xd1\x26\xa7\xbf\xc6\x9a\xc8\x5e\xa9\x0d\xba\x18\x84\xa3\xed\x58\x74\x84\x9f\xce\x71\x8d\xfa\xa5\xb8\xef\x15\x77\xb8\x6a\x3e\x79\x9d\x96\xc4\x8b\xb8\x40\x27\xf9\x8b\x38\x4d\xc7\xe9\x68\x03\x2f\x22\xf7\x72\xcf\x19\x2b\xc9\xc0\x97\xf1\x71\xef\x97\x71\x07\xbb\x9d\x5f\x18\x5d\xcb\x05\xbf\x81\x0b\xec\xa4\x7c\x03\x3d\xc6\xa9\x7c\x25\x7d\x1f\x8a\xfb\x2d\x45\xe0\x00\x02\x07\x92\x70\x7b\xc1\xed\x05\xb7\x17\xdc\x5e\x5d\xe3\xf6\x4a\x76\x8c\x57\xa7\xe9\x57\xd2\xb0\xbb\x21\x09\x77\x03\xdc\x0d\x70\x37\xc0\xdd\x00\x77\x43\xfb\xdd\x0d\xc9\x79\x9a\x65\x89\xc8\x09\x8b\x96\x3c\xc5\x31\x89\xbc\x0a\xdf\xb5\x5c\xa4\xdf\xd8\xad\x95\x4c\x24\xd9\xd5\xa0\x36\x09\x50\xdb\x3a\x50\x9b\xec\x78\x50\xbb\x0d\x23\x1a\xd8\x9f\xf5\xd2\x83\x82\x61\x0a\xb7\xcd\xd8\x46\x7c\x45\x2d\x29\xf1\x31\xf6\xdb\xbd\xec\x3f\xf6\xd2\xdd\xe2\xe7\x2b\xf2\xe7\xd0\x43\x19\xb5\xe4\xfe\x50\x8b\x4b\x8f\xee\xca\xa8\x25\xe1\xb7\xb9\x24\x76\x9d\x5e\x5a\x30\x17\x86\x7a\xf3\xd4\xbc\x15\x0d\x4d\x55\x34\x34\x55\x4b\x43\xc9\x02\x5d\x14\x30\xef\x2c\x2d\x72\x98\x37\x4f\xb3\x94\x68\x00\xe6\x39\xee\xb3\x96\x08\x0f\xf6\xd3\xc3\x74\x54\xf4\xb8\x62\x2c\x97\x33\x59\xc3\x06\x72\x30\x65\x81\x63\xf1\x04\x04\x3d\x96\xbc\x26\x6b\xa5\x2e\x79\x89\xfd\xa7\x21\xf6\x0f\x6f\xa3\x87\xca\x0e\xb7\x1e\xd1\x2f\xd5\x82\x8d\xa7\x97\x16\x96\x45\xb3\x1d\xc1\x89\x9f\xe2\xa7\x9b\x76\xdf\x91\x3d\x90\xe4\xa5\x02\x10\x57\x02\x62\x35\x98\xff\x26\xd8\x09\x07\xc4\xe5\x7d\x2a\xa9\xaf\xdd\xb5\xa6\xb0\xdf\x7b\x4c\x52\x20\x87\x06\x19\x06\x19\x06\x19\x06\x19\x06\x19\x06\x19\x06\x19\x06\x19\x06\x19\x06\x19\x06\x19\x06\x19\x06\x19\x6e\x33\x19\x9e\xa4\xfd\x6c\x6f\x24\x6e\x91\xe1\xd7\x3b\xc9\xb0\xbd\xde\x03\x0a\x06\x0a\x06\x0a\x06\x0a\x76\xa0\xe0\xaf\x0d\xd1\x94\x00\x93\x82\xc9\x54\x08\x59\x7d\x92\x28\x8b\xbd\xd9\xcf\x0c\xb1\x57\xfa\x69\xa7\xf8\xdf\x95\x8d\x78\xe8\x2d\xf2\xab\x98\x4f\x67\x37\xb2\xe9\x75\x25\xe7\x22\x92\xd6\x0c\x94\x63\xae\xa6\x40\xc8\x58\x54\x7c\x88\x79\x8b\xba\x33\x6f\x0d\xff\x65\x31\x0b\x89\xa9\x17\x41\xdc\xed\x8d\xf6\xee\x62\xc4\x2f\x4c\xe4\x1d\x3a\x1f\x8c\x19\xc7\xd8\xa8\x84\x88\xae\xf1\x23\x51\xa3\xb8\x16\x88\x49\x81\x0c\x81\x0c\x81\x0c\x81\x0c\x81\x0c\x81\x0c\x81\x0c\x81\x0c\x81\x0c\x81\x0c\x81\x0c\x81\x0c\xb7\x10\x19\x6e\xbf\xd0\x5b\xb0\x45\xb0\x45\xb0\xc5\x6d\xc4\x16\x7f\x38\x44\x23\x82\x2d\xea\x25\xad\xa8\x64\xd4\x72\xb1\x63\x4a\xcf\xe6\xb5\xb4\xad\x71\xfc\xd2\x10\xfb\x41\x2f\xdd\x23\xf7\xb6\xb4\x8d\xa1\xa2\xaa\xa4\xcb\x56\xb7\x33\xcb\x0b\x67\xb5\xb4\x1a\x7d\xd8\xd8\xb6\x2c\x0e\x90\xd2\x41\xb9\xa9\xb9\xc9\x64\x93\x97\x69\x46\x40\xba\x23\x34\xc5\x21\xdd\x3e\x9a\xa0\x71\xdf\x9c\xbd\xe6\x1d\xcb\x7b\x88\xc9\x8b\x0a\xe4\x72\x8f\x7a\x73\xb9\xdb\x59\x7f\x46\x2d\xd1\xb5\xe7\x82\x89\xdc\x24\xdb\x2f\x89\x9c\xbb\xd7\xcd\x98\x6f\x79\x21\x15\xe2\xc0\xd0\x6b\x3b\x2a\xbb\xfe\xd1\xa2\x5a\xc8\x29\x29\xd5\xa7\xf7\x77\xc9\xcd\x6d\x78\x00\x09\x2e\xd5\x2d\xcb\x18\xde\xc0\x13\x40\x36\x4b\xa4\x0e\x6f\x30\x75\xf8\x87\x7a\x9a\x63\x03\x4e\x89\x1c\xe2\xd3\x74\xdc\xce\x21\xde\x6e\x6b\x52\x58\x6f\xad\x35\x89\xfe\xcd\x3d\x95\xd6\xe4\x5e\x99\x69\x4a\xb1\x0c\x88\xcc\x1a\xde\x0e\xfb\xd1\x9a\x6c\xe0\xb0\x26\x01\xd6\x04\x19\x69\xdb\x92\x91\x16\xa9\x08\x91\x8a\x10\xa9\x08\x5b\x95\x8a\x30\xf9\xe1\x1e\x5a\x10\x85\x3b\x12\x74\xc2\x51\xb8\xa3\xb9\x9f\xed\xa6\x4c\x2f\xcc\x6f\x7f\xd8\xfb\xdb\xbf\x93\xdd\x21\x3a\xa5\xa5\x9f\xff\xc4\xf7\xef\xac\xfc\xfc\x0f\x14\x94\x62\x29\xcb\xbd\x8a\x62\xa1\xe9\xb3\xaa\x08\x15\x8c\xa5\x64\x8b\xe7\x04\x8f\x94\x37\x34\xca\xcf\xba\x87\x87\x17\xee\x72\x6e\x5c\x53\x8b\x19\xd5\xb9\x75\xc0\xb9\x95\x07\x4d\xa9\x99\x6c\x6a\xb4\x62\x3f\x57\x2b\xc6\xdf\x37\xe5\x56\xe3\x2a\x13\x67\x69\x91\x92\x65\xeb\x99\x29\x3a\xd8\xc0\x8c\x64\x89\x3b\xda\x31\x13\x09\x98\x89\x7c\xb4\x8f\x5e\xe9\x63\x1f\xee\x0b\x7d\xd0\x32\xe7\x2f\xf7\x75\xcf\xba\xa6\xcc\x37\x61\xf4\x33\xf7\xb5\x73\xff\x99\x31\x38\x6d\xc5\xcd\x90\xcf\xc0\x1d\xe6\x5f\x25\x21\xcd\x50\x72\xfc\x48\x63\xfa\x25\x8e\xe6\x7b\xf0\xa9\x90\x1e\x1e\x4a\xea\x5a\x7e\x49\x48\x4f\xce\x18\xaf\x85\xfc\x7b\xd9\x7c\x59\xec\x1f\x87\xfd\x17\x5c\x89\x2f\xf7\xd0\x6b\x3d\xec\xd5\x9e\xd0\xe7\x2d\xe8\xf5\xa1\x9e\x79\xad\x98\xe2\xb3\xb4\x8c\xc6\xbb\x5d\x0b\x47\x56\x8d\x9f\x22\xe1\x69\xd7\x5d\x70\x9c\x29\x26\x54\xeb\xba\xed\x64\x1f\x55\x52\xfc\xc6\xb9\x74\x21\x97\x4d\xc9\x0f\xa6\x9a\x4b\xeb\x61\xed\x86\xec\x53\xe1\xda\x2f\xa8\x5a\x21\xa7\xc6\xc2\xe2\x8c\x5c\x2b\x64\x3e\x4b\x8e\x15\x3d\x3b\xc0\x3a\x7d\xe4\x36\x7e\x59\x2e\xdd\x4b\x9b\x20\x92\x7f\xdc\x66\x41\xe4\x0f\xac\xcd\xf2\x07\xd8\x78\xef\x0f\x43\x72\x1f\x4d\xb0\xf1\x48\xcc\x72\x2c\xdc\xef\xca\x52\x21\x1a\x6b\xbd\x10\x99\xfd\x8f\x61\x3a\x20\xe0\x63\x71\x45\x49\xc5\xcc\x4e\x2a\x0b\xba\x1e\x4b\xe5\xd6\xf5\x92\x61\xa3\x72\x36\x86\xfc\xf4\x30\x7b\x77\x1f\x3d\x60\x1c\x37\xed\x3c\xec\xca\x46\x3c\xf4\x98\x17\x8b\x14\x6d\x9c\xd7\x72\x6a\x34\x62\x6c\x3f\x5f\x7e\xe4\xa5\xb8\x63\x9f\x26\x83\xc9\xe7\x44\x4d\xb2\x71\x5e\x93\xcc\x18\x53\xe3\x14\xa3\x11\xdf\x31\xc5\x7b\x63\x23\x1e\x73\x5c\xd0\x66\xa1\x64\x3a\x78\x34\x4d\xb3\xe3\x72\xb8\xf8\x3e\x0d\x73\x4a\xe1\xb8\x2e\xa7\x70\x30\xf4\x8d\x1d\x3e\x8f\xe4\x09\x1f\x46\xe9\x78\x2a\x4f\xc9\x5d\xda\xf9\x60\x12\xc6\x4c\xf1\x58\xd9\x07\xbe\xce\x27\x83\x8f\x3a\x60\x65\x83\xb0\xf2\xfd\x3d\x9b\xb7\x0b\xb3\x02\x54\x1e\xa5\xc3\x36\xa8\x6c\xbe\x75\x69\x8b\xf9\x08\x40\xa1\xd1\x5f\xbc\xd7\xc7\xba\x3c\x60\x33\x4b\x87\x41\x79\x52\xfc\xda\x56\x7b\x02\x80\x09\x80\x09\x80\x09\x80\x09\x80\x09\x80\x59\x37\xc0\xfc\x74\x4f\x93\x0b\x4a\x9c\x17\x38\xf4\x34\x2d\x38\x70\x68\x8b\x8b\x54\x04\x23\xcd\xb6\xcc\x25\x12\xff\xf0\x2e\x9f\xc9\x42\x34\x88\x70\x3a\xa6\x10\xbb\xf9\x5a\xbc\x5d\x33\x08\xe0\xce\x6e\x9b\xb7\x00\x77\x02\x77\x6e\x31\xee\x6c\x03\x9a\x0a\x44\x9d\xb5\x7d\x11\xaa\x1b\xfc\xc0\xef\x45\xf2\x20\x1d\x60\xfb\x22\x13\x16\xf4\x7c\xc8\x05\x3d\xed\x66\xdb\x00\x3e\xdf\x37\x48\x43\x35\x80\x4f\x4e\x3c\xd9\x9f\x0f\xb0\x3f\xf0\x43\x9d\x11\x11\xfb\x53\x94\x51\x0b\xe6\x14\xd9\x4c\x26\xc9\x3f\x62\x7b\x8c\x7d\x3c\xbe\x61\xc6\xc6\x79\xad\x38\x9d\xcb\x59\xf1\xd8\xcd\xcb\x07\xda\xa2\x30\xec\x67\xe8\x88\x18\xad\xfb\x69\x2f\x1f\xad\xa3\xb4\x87\x86\x03\x47\xab\x71\xab\xb5\xe4\x00\xbd\xf6\x98\xf7\x50\xbd\x83\xdd\x26\xa2\xad\x5f\x08\x1e\xa9\x53\xec\x60\x8d\x73\x97\x8a\x31\x8c\xc0\x6b\x04\x5e\x23\xf0\x1a\x81\xd7\x08\xbc\x46\xe0\x35\x02\xaf\x11\x78\x8d\xc0\x6b\x04\x5e\x23\xf0\x1a\x81\xd7\x08\xbc\x6e\x73\xe0\x35\xc2\xa2\x11\x16\x8d\xb0\xe8\x2e\x0e\x8b\xfe\xac\x95\x72\xb1\x1a\xa0\x73\x96\x83\x29\x6a\x39\x75\x25\x9b\x4f\x67\xf3\x19\x9d\xbd\x6d\x88\xfd\x55\x3f\x3d\xec\x85\xec\x84\xcc\xfe\x46\x6d\x29\x18\xb9\xbe\x4c\x34\xda\xa4\x44\x8c\x47\x6e\xf8\x78\xb4\xf8\x75\x39\xce\xb7\x98\xd5\x4b\xdb\x8d\x0e\x5e\xf7\x8f\xda\x68\x7a\xf6\xc6\xba\x92\x34\x66\x83\xb1\xe1\x3c\x9b\xad\x03\x1b\xca\x87\x54\x29\xf8\x05\x42\x04\x42\x04\x42\x04\x42\x04\x42\x04\x42\x04\x42\x04\x42\x04\x42\x04\x42\x04\x42\x04\x42\x04\x42\x04\x42\x04\x42\x04\x42\x04\x42\x6c\x17\x42\xfc\xc2\x30\x1d\x34\xcb\x49\x17\xf4\xb1\x8d\xb8\x5f\x99\x16\xbd\xa4\x94\xd4\xd5\xf5\x9c\xf1\xee\x9a\xe1\xcd\xef\x1a\x66\x7f\xdc\x4b\x77\x18\x47\xfa\x45\x34\x2f\xcb\xc3\x96\xd5\x52\xf4\x71\x63\xfb\x74\xa1\xe0\xaa\xad\xe2\xd8\x61\x6b\xc3\x99\x8d\xbb\x30\x23\x08\xe4\x05\x05\x0a\xf1\xce\x05\x13\xb3\x11\x16\xb5\x6a\x23\x17\x74\x09\xc7\x9c\xe7\xa8\x31\xb6\x30\xa3\x96\x28\xf4\xcb\x3b\xec\xde\xf6\x09\x56\x76\x76\x78\x44\xee\xd2\xb6\x3e\xaf\x3b\x52\xd9\xa3\xd3\xa1\xc7\x47\xa4\x72\x9b\x22\x95\xbd\x5e\xf9\xfa\x23\x95\x3b\xdc\x70\xf0\xa0\xe4\x77\xdc\x6b\x1b\x0e\x3b\x0e\xd9\x69\x2b\x9e\x10\xbf\xb6\xcf\x54\x20\x08\x19\x41\xc8\x08\x42\x46\x10\x32\x82\x90\x11\x84\x8c\x20\x64\xef\x20\xe4\x66\x4f\x13\x12\x7f\x74\xa7\x3d\x0f\x08\x0a\x31\x76\xce\x0e\x44\x8c\x5e\x5b\x26\x07\x88\x2f\xee\xb6\x29\x09\xe2\x8b\x11\x5f\xbc\xbd\xe2\x8b\x1b\x59\xf2\x05\xc6\x17\xd7\x66\xec\x3d\xa2\x89\x7d\x0c\x7f\xf5\x50\x62\xc7\x9e\x95\xa1\xc4\xdb\xaf\xa4\x13\xfb\xee\x20\x85\xdd\x20\x53\x28\x1e\x9d\xdc\x92\xfd\xda\x20\xfb\x54\xbf\xfd\x05\xac\x51\xdf\xe8\xe8\xaa\x26\xe9\x1b\xa3\x37\xec\xcf\xa9\xa3\xf5\xed\xa9\x66\x6c\x7f\xc9\xe9\xa6\xd3\x93\x5a\xe4\x91\xd0\x2c\x42\xb3\x08\xcd\x22\x34\x8b\xd0\x2c\x42\xb3\x08\xcd\x22\x34\x8b\xd0\x2c\x42\xb3\x08\xcd\x22\x34\x8b\xd0\x2c\x42\xb3\x08\xcd\x22\x34\x8b\xd0\x2c\xb6\x4b\xb3\xf8\xbd\x5d\xf4\x8c\x44\x7d\xeb\x25\x4d\x4f\x29\xb9\x6c\x3e\x33\xb6\x31\xb1\xa2\x96\x94\x09\x3f\xfd\x22\x47\x48\x5a\xbe\xa4\xe4\x0a\x5a\xda\x3c\x4e\x2d\x9a\x5a\x46\xce\x09\xd7\x75\xf6\xf7\x77\xb1\x6f\xf4\xd1\xfd\x8e\x86\xaf\xc8\x86\x43\xfb\xb8\xbc\x51\xec\x67\x3e\x0a\xfb\xbb\x7c\xca\x6a\x7f\x49\x4b\x4f\x5b\xed\x47\x8f\x72\xd1\xa3\xdd\xdc\x25\xd1\x9a\xed\x44\xf3\x39\x50\xf8\x10\x9b\x2c\x89\x2c\xd2\x33\x02\xd6\x2d\xd1\x59\x0e\xeb\x4e\xd1\x3c\xcd\xfa\x63\x6e\xfb\xb2\x63\xb2\x17\x62\x3e\x97\xbb\xd9\xca\x2f\x99\x60\xa4\x37\xcb\x12\x26\xd2\xb3\xaf\x4b\x92\x3d\xbf\xab\xb2\x29\x9f\xb8\x7c\x0a\xfd\xce\x4e\xef\xa7\x3b\x69\xca\x29\xeb\x7d\xc0\x27\x4c\x91\x65\x67\x3c\xe3\xc4\x73\xf4\x46\xba\x54\xe6\xbe\x6c\xd2\x43\x86\x2b\x13\xd2\xcc\x06\xa5\x99\x5f\xe9\x69\x9d\xe9\x79\x5e\x48\x36\x2f\xd2\xb2\x2d\xd9\x6c\x9f\x61\xab\xcd\x72\xd5\x69\xa6\x3c\x0c\x5d\x80\xc4\x33\xf1\xf5\xbb\xbc\x0d\xdb\x89\x0a\x99\x47\xbd\x16\xee\x98\x10\x7f\x6c\xbd\x7d\x83\x34\xa4\xdb\xec\x29\xa4\x21\x90\x86\x6c\xb1\x34\x64\x0b\xe7\xcc\x81\x92\x91\x76\xcd\x9a\x93\xb3\x94\x60\x27\x22\xc7\x2c\x41\xc8\x6e\xa7\x94\xc4\xa7\x99\x5b\x42\x56\xf2\xbb\xbd\x74\x8f\x58\x6b\xae\x70\x39\xc9\x46\x7c\x8c\x7d\xa9\x97\x7d\xa1\x97\x76\xf0\x1f\xae\x6c\xc4\x43\x0f\x65\xd4\x92\x1b\xe0\x8a\xa5\x71\xf4\xf5\x19\xb5\x94\x30\xf6\xba\x14\x9f\x5e\x5a\x30\x5d\x85\x4d\xfc\x20\x56\x34\x34\x55\xd1\xd0\x54\x2d\x0d\x25\x0b\x74\x51\x0c\x72\xe3\x0b\x67\x0c\xf2\x79\x9a\xa5\x44\x03\xdf\x35\xc7\x7d\xd6\x92\xca\x9e\xfd\xf0\x7e\x8a\x19\xfd\x5b\x25\xf2\xb0\xa0\xa5\xad\x55\x7a\x4e\xcb\xb0\x2f\xde\xcf\x3e\xd7\x4b\x77\xa4\xb4\xa2\x6a\xf4\xfe\xa3\x7c\x59\x9e\xd3\x32\x95\x13\x9a\x25\x2d\x1d\x0d\x19\x9b\x67\xb4\xa2\xea\x14\xae\x2e\x69\xe9\x45\x2d\x33\x41\x25\xf5\xc5\xd2\x58\x21\xa7\x64\xf3\x4d\x5e\x68\x4f\xd2\x2e\xd1\x9f\x0f\xd2\xfd\xbc\x3f\x5f\x47\x77\x7e\xbc\x67\x07\xc9\x91\x15\xf8\xe6\xcf\x05\xbf\xd8\x11\x16\x16\x6f\xf1\x92\x96\xf6\xaa\x31\x11\x89\x04\x85\x13\x26\xdf\xdd\x43\x7f\xbf\x87\xfd\xbd\x9e\xd0\x8f\x5a\xb6\xfa\xaa\xa9\x65\x50\x8c\x07\xcc\x5f\x3e\xe1\x90\x2d\x69\x26\xd4\xc9\x69\x99\x32\xa7\x99\xf3\xfb\x67\x7c\x92\xf9\x73\x28\x72\x83\xaf\xe5\x9d\xcd\x49\xcf\x4e\x41\x4b\xc7\x22\x3b\xad\x9f\x9d\xeb\x84\x67\xe8\x22\x5b\x0e\x3d\x6d\x5e\xce\xbe\x79\xcd\x12\xa8\x1b\x8f\xd8\xe6\x4a\x66\x3b\xae\x0b\xe1\xa1\x0d\xb1\xc8\xed\xab\xfc\x28\x97\x19\xff\xf1\xdb\xe8\x5d\xb7\xb1\xff\xe3\xb6\xd0\xcb\xb7\x99\x8d\xff\x66\x7f\x36\xaf\xab\xa9\xf5\xa2\xba\x7c\x3d\x5b\xb8\xb0\xb8\x7c\x49\x2d\x66\x57\x6f\x26\x94\xd4\x75\x35\x9f\x2e\x9f\x79\xf1\xe9\x84\x29\x20\x71\xce\xbc\xb8\x92\xa0\xb8\x66\x0a\x24\xb2\x69\x8e\xe0\x56\x2d\xc7\x1d\xf7\x79\xa8\x45\x89\xbb\x2c\xab\xb9\x62\x9e\x86\x9b\xa2\x94\x96\xcf\xab\xe2\xc3\x56\xd2\x62\x61\xf1\xe1\xe7\x9f\xbf\x35\xe5\xba\x00\xe7\xa7\x2e\x5c\x58\x5a\xb6\x76\xd4\xf2\xe1\x15\xb5\x74\x43\x95\x46\xcd\xbe\x32\xd3\x41\x64\xb5\x2f\xef\x51\x4e\x26\xc4\xd7\xd5\x7d\x48\x4a\xc9\x1b\x37\xb2\xc1\x6f\xdf\xea\x6b\xee\x3f\x14\x57\x27\x7c\x0e\xfc\x46\x0c\x53\x6d\xb9\xa0\x8b\xaa\x92\x0b\x1b\xe3\x2b\xa7\x96\x62\x61\x53\xd6\x20\x7f\x90\xb7\xc5\x55\x16\x82\x09\x3b\x4e\x60\x9d\x7c\x50\x0f\x5f\x58\x5c\x0e\xa7\x8a\x2a\xf7\x02\x29\x39\x7d\xc4\x25\x14\x31\xae\xd7\x74\x78\x99\x37\x2e\x69\xa4\xf3\xec\xc6\xc9\x36\xd6\x73\x79\xb5\xc8\x6d\x30\x77\x7b\xae\x29\x79\x2b\xd8\x22\x9b\x4e\xe7\xd4\xb0\x52\x2a\x29\xa9\xeb\xe1\x21\x35\x96\x89\x19\x13\x5d\xf1\x7f\xa3\x07\xac\xa7\xc9\xf5\x4d\x5c\xf4\x22\xe7\x8f\xeb\x4a\xce\xee\x8e\x94\xb6\xe6\x12\x35\x38\x2f\x61\x38\x16\xd9\x55\x6d\x40\xb9\x86\xe3\x5b\x7b\xe9\x7f\xf5\xb0\x1f\xf6\x84\xbe\x6f\xbd\x7a\xbf\xdd\xb3\xb0\x2a\x62\x4d\xb8\xc3\xd5\x72\x1d\xaf\xdc\x2c\x99\x6e\x63\x25\x5d\x2e\x16\xb2\x42\xb4\x38\x99\x57\x4a\x72\x56\x2b\xec\x21\xff\xd0\x99\xcf\x5d\xb9\xc9\xef\x2f\x9d\xd5\x0b\x39\xe5\x26\x77\x65\xac\x15\x78\x74\x07\x0f\x40\x09\xe7\xb2\x79\x3e\x36\x73\x5a\x26\x93\x35\x67\xb6\x0e\x8f\xae\x9e\xcb\x66\xae\x96\x72\x37\x85\x17\x51\x2b\xda\x3f\xd8\x93\x64\xb7\xf9\xe5\x08\x3b\x16\x11\x8e\xf1\x84\x71\x17\x2e\xf4\x3c\x4e\x31\x36\x12\x89\x5a\xb3\x81\x7b\x9c\x73\x8a\x25\x2d\x7d\x2b\xcc\x1f\x92\x2b\xf4\x66\x76\x39\xf4\xbc\xd9\xe0\xd1\xf3\xa2\x33\x2d\x15\x8b\xf9\xdc\xa4\xec\x49\x98\xc9\x4a\x0b\x2b\x0d\xdb\x0e\xf3\x38\xd7\x58\xfa\x0f\xbd\xf4\xeb\xbd\xec\x8b\xbd\xa1\xcf\x39\x62\xcd\xa6\xc3\x45\x35\x27\xa2\xf0\xb8\xeb\xcd\x3b\xaa\x2f\xb5\x5e\x2c\x72\x5f\x63\xd6\x7c\xad\x6d\x6b\x7f\x55\xbb\x21\xaf\xc4\x1d\x90\x57\x30\xac\x41\x5a\xd5\x6d\xb7\x9e\x62\x58\x62\xee\xc6\xe3\x52\x15\xee\x72\x35\x3e\x09\xc6\xd1\x61\x5d\x8a\xd9\xb8\xb9\x96\x5a\x16\x73\xed\x67\xf9\xf9\x2a\x63\xfe\xcc\x90\xa0\xf5\xd2\x7a\x51\x1d\x11\x0a\xb0\x8c\xee\x71\xe4\x39\xe3\x4c\x9a\x18\xbb\xfc\x5c\xd2\xcd\xc1\x87\xa8\xf1\xff\x0b\xc6\x25\x9a\x8e\x38\x2b\xc0\x2f\x72\x97\x73\x67\xd7\xc0\x7c\xb5\x87\x3e\xdf\xc3\xfe\xaf\x9e\xd0\xbf\xb3\xde\xcd\xf7\xf9\xbc\x9b\x39\xee\x0d\xb3\xde\x49\xc3\xde\xca\x01\xcc\xaf\x56\x76\x23\xbf\x3d\x57\x7c\xe1\x88\xd8\xce\x25\x9b\x57\xb5\x1b\x79\xbb\x09\xee\xbe\x76\x3a\x7b\xac\x51\x61\xde\x8f\xd7\xfd\x45\x76\x96\x94\x6c\x6e\xd1\xb8\x1a\xd7\xad\xfc\xb3\x1e\x7a\x4f\x0f\xfb\xa9\x9e\xd0\x4f\x58\xb7\xf2\x16\x19\x07\x38\x12\x56\xd2\x69\xc3\x08\x9e\x9f\x9f\xd9\xbb\x77\xef\x21\xa3\x3d\xf9\xe7\x59\x25\xaf\xf1\x27\xab\x97\x94\xb5\x82\xe9\xc1\x5d\x51\x33\xd9\x7c\x5e\x2e\xfb\x55\xe1\x6a\xb6\x6d\x86\x65\x6d\x3c\x86\x2d\x59\x6d\xb9\x06\x2e\xfb\xea\x20\xc5\xc5\xe4\xda\x5d\xfa\xdf\x4a\x5a\x9b\xd2\xb3\x72\x4b\x4a\x29\x28\xa9\x6c\x29\xab\xea\xec\xe7\x06\xd9\x4f\xf5\xd3\x3d\x72\x83\x95\xac\x76\xbc\x7a\x91\xa9\x99\xe5\x85\x65\x71\xc4\x8c\x68\xea\x66\x74\x9f\x71\x84\xfc\x51\xa6\x96\xad\xdc\x6b\xbb\xe9\xb1\xd7\x44\x28\xdb\x38\x0f\x65\x33\x66\x9e\x33\x34\x4d\xc7\x7d\x97\xab\x66\xc7\xcb\x5e\x8c\x55\x76\x40\x53\x2a\x52\xa9\xc1\xf3\xd9\x04\x3b\x21\x67\xae\xee\xc1\x60\x96\xd0\xac\xb8\x30\xa4\x95\x85\x44\x1b\x12\x6d\x48\xb4\x21\xd1\x86\x44\x1b\x12\x6d\x48\xb4\x21\xd1\x86\x44\x1b\x12\x6d\x48\xb4\x21\xd1\x86\x44\x1b\x12\x6d\x48\xb4\x21\xd1\xde\x3a\x89\xf6\x27\xae\xd0\xa9\xaa\x64\xcf\xc7\xd7\xeb\x09\xfc\xfe\xf0\x32\xfb\xe2\x40\x33\x80\x5f\xac\x12\xf8\xd9\x3e\xe1\xca\xfd\x3b\x1c\xf5\x25\x40\xbb\x40\xbb\x12\xa0\x5d\xa0\x5d\xa0\x5d\xa0\x5d\x5d\x43\xbb\x12\x1d\x43\xbb\x9a\x7e\x25\x0d\xd3\xae\x04\x68\x17\x68\x17\x68\x17\x68\x17\x68\x57\xfb\x69\x57\xa2\xab\xe1\x54\x02\x70\xaa\x75\x70\x2a\xd1\xe9\x70\x2a\xb1\x0d\xe1\xd4\xb6\x96\x48\x55\x68\x9e\xea\xd4\x4c\x45\x7e\x6f\x67\x25\x49\x7b\x44\x7c\xa2\xc2\x8a\x17\x34\x1b\x17\x1b\xb7\x00\x9b\x09\xca\xf5\x34\x9d\xa3\x33\x65\x31\x97\x47\xe9\xf0\x26\x1e\x17\xc2\x2e\x11\xc6\xde\x60\x18\xfb\x4f\xf6\xd2\x59\x61\x3b\x4e\xd2\x1c\xb7\x1d\xc7\x69\x73\x83\x91\x96\x45\xf4\xfa\x22\x25\xed\xe8\xf5\x4d\x37\x7a\x41\x94\x33\x38\x43\xa7\x1d\xe5\x0c\x36\xdd\x6a\x90\x89\x6b\x8f\xca\xb3\x8a\x25\x2d\x68\x7a\x89\xa2\x2f\x8f\x56\x9a\xb8\x41\x59\xc9\xc2\x51\x16\x44\x5b\xf5\x32\x77\x53\x62\xc7\x32\x59\xb0\x75\x54\x1b\x0d\x5f\x6b\x0a\x24\x81\x17\x83\x17\x83\x17\x83\x17\x77\x0f\x2f\xc6\x6c\x2f\x60\xb6\xd7\x39\x40\x1d\xc5\xe9\xda\x52\x9c\x0e\x7e\x0b\xf8\x2d\xe0\xb7\x80\xdf\x02\x7e\x8b\xae\xf6\x5b\xa0\x46\x29\x6a\x94\xa2\x46\x69\xab\x6a\x94\xc2\x2d\x08\xb7\x60\xb7\xba\x05\x93\x99\x26\x97\xe7\xed\x10\xf2\x1c\xf5\x26\xcf\xf7\xb3\xfb\x84\xd1\xb0\x0d\x3a\x6d\xc3\x64\x35\xec\x53\xf7\xd1\x13\x56\x32\x36\x2d\xad\x5a\x69\xd7\x0a\x45\xed\xc5\x9b\x63\x7f\xd7\xb8\x8f\x97\xd8\x3f\xba\x8f\xfd\xa4\x23\xff\xda\x53\x32\x31\x53\xf8\xe4\xdc\x05\x5b\x69\x5e\xd2\xc2\xfc\x20\x63\x10\x9d\xd5\xd2\x6a\xf4\x09\xb9\x9b\x48\xc5\x76\x52\x2d\x19\xbf\x2e\x19\xbb\x3c\x93\x2d\x5d\x5d\x52\x4a\x57\x27\xfa\xa2\x63\xd1\xe6\xa4\x4f\x7b\xc2\xfb\x39\x11\xdb\x21\xaf\x82\xae\x9d\x0f\x1e\x31\x63\x6c\xd4\xce\xa5\x26\x46\x89\x75\xd1\x12\xa7\xbb\x12\xaf\x85\x3c\xbb\x65\xe9\x62\xed\xdd\xb2\xb4\xbe\x3d\xba\xc5\x3b\xdd\x9c\x4f\x17\x45\x7e\xda\xd1\x2d\x03\x56\xb7\x9c\x5b\xae\xd6\x2f\x11\x77\xbf\x68\xfa\x2d\xd8\x31\xd1\x9f\x71\x74\xcc\x90\xd9\x31\xb3\x73\x8b\x73\x17\xe6\xaa\x74\xcd\x93\xae\xae\x11\xde\x9d\x6d\xd1\x39\x75\xbd\x4c\x13\xef\x75\x74\xce\xb0\xd9\x39\xe7\x96\x2e\x2c\x9c\x3b\xbb\x5c\xa5\x77\x9e\x72\xf5\x8e\x6c\xb9\x95\xdd\xd3\x82\x7b\xaf\xa1\xcb\xa7\x3c\x5f\xaa\x53\x73\xd3\xb3\x35\xbf\x54\xa7\x54\x25\x7d\xeb\x75\x4c\xe2\x3d\x8e\x8e\x19\xb4\xac\xcd\xf4\x85\x99\x53\x55\x7a\x66\xb7\xdb\xdc\x18\xb3\xa6\x5b\xef\x95\x4a\x1e\xa5\xc3\xec\x50\x64\xd2\x9a\x92\xec\x72\x66\xdc\x2b\x3f\xb4\x32\xfd\xde\x7e\xda\xcb\xe2\x91\x31\xeb\xf0\x07\x8c\x7f\xed\x64\x8c\x62\xca\x1a\xe1\xdb\x9c\x87\x95\xa5\xc0\x4b\x18\x7d\xc9\x01\xd8\x55\x35\x7c\xf1\xfc\x62\xd8\x6c\x65\x5d\x57\xad\xc9\xab\x99\x97\x4e\x3c\x25\x73\xd9\x53\xd2\xc2\xc6\xb4\x24\x26\xce\xe1\x9c\xb9\x7c\xfa\x32\x1d\x17\xf1\x86\xe9\xac\x9e\xd2\x36\x8c\xb9\xa4\x15\x71\xe8\x17\x6c\xa8\xe6\xd3\x05\x2d\x9b\x2f\xe9\xb9\x6c\x4a\xd5\xd9\xf7\x5f\x60\xbf\x30\x40\x77\x59\x0d\x18\x03\x68\x4f\xf5\x18\xc3\x39\xd9\xc2\xb2\xd1\x42\x74\xc0\xd8\x79\xd6\x3c\xdc\x99\x6f\xd6\xb5\x1f\xc2\x0a\x11\x56\x88\xb0\x42\xc8\x44\x20\x13\x81\x4c\x04\x32\x91\x8e\x91\x89\x74\x8e\x0a\x02\xee\x79\xb8\xe7\xe1\x9e\x87\x7b\x1e\xee\xf9\xae\x76\xcf\xc3\x7f\x08\xff\x61\x97\xfa\x0f\xb7\x65\x58\xa1\x4a\x49\x01\x05\x67\x68\x9a\x43\xc1\xc3\x74\x88\x26\x7d\xe3\x6d\x6c\x50\xb5\x11\x8f\xb9\x00\x51\x53\xc2\x09\x5f\x08\xe6\x87\x53\xec\xa0\xe4\x87\xe5\xd0\x4c\xd2\x44\xd7\x55\xb9\x50\x62\xe4\xc3\x3b\xcb\x48\xd9\x43\x66\x0c\x61\xbe\x8c\x8a\x0d\x89\x0d\x6d\xe4\x62\x02\x63\x2d\xd0\x49\x9a\x2b\x8b\x1b\xdc\x4f\x7b\x1b\x78\x1e\x50\x90\x23\x5e\xb0\xc1\x78\xc1\xbf\xe9\xa1\x79\x61\x14\x8e\xd3\x51\x6e\x14\x26\xa9\xb1\x41\x48\xa7\x45\x9c\xe0\x2c\x25\xec\x38\xc1\x86\x1b\x5b\x14\xf1\x81\x73\x34\xe3\x88\x0f\x6c\xb8\xb5\xc6\x6d\x15\x0f\xd8\x6b\xb1\xad\x8a\xfe\xf1\x48\x99\xad\x8a\x78\x06\x03\xba\xcd\xd6\x84\xd8\xc7\x61\xb6\xbc\x82\x00\x5b\x69\xc0\x10\xff\x07\xb0\x0b\xb0\x0b\xb0\x0b\xb0\x8b\xf8\x3f\xc4\xff\x21\xfe\x0f\xf1\x7f\x70\x30\xc0\xc1\x00\x07\x03\x1c\x0c\x70\x30\x20\xfe\x0f\xf1\x7f\x88\xff\x43\xfc\x1f\xfc\x77\xf0\xdf\x75\xa0\xff\xae\xed\xf1\x7f\x75\x04\xe6\xb5\x98\x36\x6f\xc7\xb8\xbf\x4f\xbc\x40\x51\x59\xad\x27\x75\x55\x4d\xaf\xe7\x8c\x55\x9b\x2d\x9f\x2f\x14\xb3\x5a\x31\x5b\xba\x99\xca\x29\xba\xae\xea\xec\x47\x5e\x60\x3f\x37\x40\xaf\xb3\xf7\xad\x41\x29\xbf\x24\xdb\x98\x31\xda\x88\x3e\xca\x0b\xf1\x58\xc7\x5f\x8a\xbb\x36\x43\x20\x0f\x81\x3c\x04\xf2\xf0\xa3\xc0\x8f\x02\x3f\x0a\xfc\x28\x1d\xe3\x47\xe9\x1c\x37\x01\xf8\x35\xf8\x35\xf8\x35\xf8\x35\xf8\x75\x57\xf3\x6b\x00\x36\x00\xb6\x2e\x05\x6c\xdb\x52\x20\xbf\x2a\x34\xac\xe3\x5c\xc3\xda\x7b\xee\x34\x3b\x42\x53\x74\xd0\xbf\x20\x85\xcd\xa2\x36\xe2\x31\x17\x21\xaa\x49\x21\x7f\x39\x98\xf3\x1d\x66\x87\xcc\x9c\x60\xe5\xe0\x4b\x82\x3e\xd7\x69\xdd\xb9\x48\x02\x14\xf8\x91\x7f\xb9\xb3\x9c\x91\xbd\xde\xaa\xb3\xe3\xc6\x61\x8f\xcb\x12\x3b\x2d\x07\x62\x82\x5f\x25\xe9\x14\xcd\x97\x29\xe3\x0f\xd0\xbe\x46\x1e\x04\xc4\x55\x90\xc6\x37\x28\x8d\xff\xdb\x1e\x3a\x29\xcc\xc1\x09\x3a\xc6\xcd\xc1\x41\x6a\x70\x14\x0a\x67\x43\x9c\x3b\x1b\x2c\x6d\x7c\xe3\xad\x9d\x11\xe2\xf8\x79\x9a\x75\x88\xe3\x1b\x6f\x6e\xb3\xea\xf8\x16\xdb\xb1\xe8\xef\x8f\x94\xdb\x29\x6f\x7d\xbc\xdb\x66\x0d\xcb\x3a\x39\x0e\x9b\x65\x0b\xe4\x5b\x69\xbd\x20\x8b\x07\xce\x05\xce\x05\xce\x05\xce\x85\x2c\x1e\xb2\x78\xc8\xe2\x21\x8b\x87\x5b\x01\x6e\x05\xb8\x15\xe0\x56\x80\x5b\x01\xb2\x78\xc8\xe2\x21\x8b\x87\x2c\x1e\x5e\x3b\x78\xed\x3a\xd0\x6b\xd7\x76\x59\x7c\xab\x5d\x60\xf5\xd4\xc3\x69\xba\x6a\xfd\xed\x7d\x14\xf6\x57\xad\xf3\x8a\x3d\x63\xec\x77\x7b\xd9\xd7\x7b\x89\xb9\xf8\xb6\xa8\x08\xff\x50\x46\x2d\xb9\xa7\xc5\xc2\x31\x1a\x0d\x67\x54\x97\x36\x9d\xef\x3e\xbd\xb4\x60\x22\xc1\x26\x02\xed\x8a\x86\xa6\x2a\x1a\x9a\xaa\xa5\xa1\x64\x81\x2e\x8a\x81\x75\x96\x16\xf9\xc0\x9a\xa7\x59\x4a\x34\x30\xb0\x1c\xf7\x59\x8b\x93\x95\x7d\xf4\x51\x4a\x8a\x87\xa0\x14\xb2\xea\x8b\x25\x35\xcf\xdf\xe5\xf2\xe7\x90\x5a\xd7\x4b\xda\x9a\xd9\xc7\xce\xab\x92\x15\x86\x74\x3e\xa0\xd9\xef\xed\x62\x6f\xef\xa7\x07\x5d\x6d\x59\x4f\x6c\x7f\x51\x55\xd2\x61\xb1\xa7\xf9\x76\xda\x0b\x97\x19\x7e\x0a\xf3\xe2\x67\xad\x53\x44\x0f\x18\x87\x4d\x3b\x5b\x34\xab\xfa\xfb\x1c\x21\x5e\xae\xe6\xba\x2d\x92\x3f\xd1\x43\x37\xc4\x23\x2a\x50\x9e\x3f\xa2\xab\xb4\x4a\x69\xbf\x47\x64\x5f\xec\xa8\x25\x56\xb7\x9f\x96\xbb\xaf\x65\xff\xc4\xfc\xee\x27\xd0\x4c\x3c\xea\xfd\x1a\xdf\xce\xfa\x33\x6a\x89\xae\xbd\x25\xd8\x8a\x9c\x65\x8b\xd2\x8a\x78\x0d\x03\xb3\xc4\x96\xdf\xf5\x55\x14\xda\x0a\xfd\x1b\xf2\x1b\x04\x07\x8b\x6a\x21\xa7\xa4\xd4\xfa\xc7\xc1\x21\x79\xe4\x56\x0f\x85\xc4\xdf\xa1\x17\x69\xa3\xcc\xff\xde\xa6\xa1\x00\xea\x0b\x7f\x7d\x83\xfe\xfa\x77\xf7\x6e\x9d\x01\xfb\xff\x09\xff\xfe\x3a\xe9\xb6\x7f\x7f\x3b\x98\xcf\xc2\x7a\xcd\xe6\xb3\xc2\x06\x6e\xc2\x9e\x26\xde\xf6\x3a\x3f\xf3\x39\x5d\x50\x8a\xa5\x2c\xf7\xa3\x0a\x02\x53\xbf\x1d\x9d\x2c\x18\xb3\xe7\xad\xb4\xa2\x8f\x94\x37\x34\xca\x2f\x69\x0f\x9f\x41\xed\x72\x6e\x5c\x53\x8b\x19\xd5\xb9\x75\xc0\xb9\xd5\x58\x5b\x96\xd4\x4c\x36\x35\x5a\xb1\x9f\xab\x15\xe3\xef\x9b\x72\xab\x71\x95\x09\x63\x96\x95\x2c\xb3\xe0\x55\xa4\x6c\x55\xe6\x5b\xbc\xd4\x14\xac\x72\x90\x55\xfe\x68\x1f\xbd\xd2\xc7\x3e\xdc\x17\xfa\xa0\xc5\x8f\x5e\xee\xeb\x1e\xab\x5c\x46\xcf\x8d\x7e\xe6\xaa\x04\xee\xe1\x31\x06\xa7\x1d\x6a\x3a\xe4\x33\x70\x87\x39\x06\x13\x22\x16\x25\xc7\x8f\xcc\x6b\xf9\x51\x71\x34\xdf\x83\xbb\xe0\xf4\xf0\x50\x52\xd7\xf2\x4b\x22\xe6\xf2\x8c\xf1\x5a\xc8\xbf\x97\xcd\x97\xc5\xfe\x71\xd8\xff\x73\x91\xf8\x72\x0f\xbd\xd6\xc3\x5e\xed\x09\x7d\xde\x5a\x8b\x7f\xa8\x67\x5e\x2b\xa6\xb8\x77\x30\xa3\xf1\x6e\xd7\xc2\x91\x55\xe3\xa7\x48\x78\xda\x75\x17\x1c\x62\x08\x47\xde\xba\x6e\xcb\x11\x46\x95\x14\xbf\x71\x2e\xf2\xc8\x65\x53\x92\xd0\xa9\xb9\xb4\x1e\xd6\x6e\xc8\x3e\x15\x22\x88\x82\xaa\x15\x72\x6a\x2c\x2c\xce\xc8\x83\x64\xcd\x67\xc9\x61\x82\x67\x07\x58\xa7\x8f\xdc\xc6\x2f\xcb\xa5\x5e\xed\xe4\x09\xfc\xe3\xde\x5f\xa0\x1d\xec\x76\x7e\x63\x5b\xf1\x0d\x4a\xce\xd1\x0c\x9b\x8e\x1c\xb7\xe2\xe0\x9f\x74\x16\x9b\xf3\x3b\xac\xb2\xe8\x5c\xd3\xb1\xc1\x9f\xf5\xd2\x2e\xb9\x62\x5d\x37\x5a\x28\xc9\x97\xc5\x5c\xb2\x32\x0e\xff\xe9\x6e\xf7\xd6\x50\x28\xc3\xf9\xef\xaa\x56\x5c\xb3\xf0\x90\x12\xe6\x1d\x14\x7d\x38\xa3\x96\xa6\x5d\xbb\x4f\x2f\x2d\x9c\x34\x36\x75\x20\x2a\xc8\xd2\x59\x31\x8c\x4f\xd2\x1c\x1f\xc6\xc7\xe9\x28\x1d\x6e\x0c\x15\xf0\x7b\x0c\x64\x04\x7f\x3e\x44\xfb\x24\xa8\x71\x55\x5e\xb6\xe8\x00\xc7\x71\x63\x29\x3d\x9b\x2e\x66\x8d\x31\x28\xa1\x00\xfb\x95\x21\xf6\x97\xfd\x74\x8f\x3c\xca\x9a\xc3\x7c\xac\x47\xf2\x3b\x5b\xe4\x6e\x18\x66\xe1\x1f\x32\x13\x0e\xcc\x2c\x2f\xcc\xf2\xd6\x62\x0e\xd7\xcb\x94\xe5\xb4\x19\xe4\x4d\x0c\xda\xa2\x38\x97\xca\x49\x2b\xa8\x96\xb0\x42\x2f\xa9\x4a\x7a\xc4\xf6\x06\x73\x8f\xb7\xf4\x1d\x66\x4b\xea\x9a\xfd\x91\x19\x74\x09\x38\x1c\x6d\xc7\xa2\xbb\xf8\xe9\x64\x81\x69\x73\xb6\x64\x5e\x61\x87\xe7\x3b\x48\x5e\xa7\x25\x31\x62\x16\xe8\x24\x1f\x31\xd3\x74\x9c\x8e\x36\x30\x62\x78\x7c\xc2\xdc\x86\x9a\x0f\x16\xef\xfb\x5b\xb4\x1b\xc2\xa2\x3d\x1f\x6c\xd1\x0e\xb1\xc9\x80\x8a\xdf\xa2\xff\x2b\xf9\x43\x12\x29\x1e\x90\xe2\x21\x09\x4d\x30\x34\xc1\xd0\x04\x43\x13\xdc\x35\x9a\xe0\x64\xc7\x48\x5e\x9b\x7e\x25\x0d\x6b\x31\x93\xd0\x62\x42\x8b\x09\x2d\x26\xb4\x98\xd0\x62\xb6\x5f\x8b\x99\x3c\x40\xfb\xd8\x44\x64\xdc\x82\x48\x0f\xba\x20\x92\xb9\x80\x6b\x3d\x35\x4a\x76\xb5\x6a\x2d\x09\xd5\x5a\xeb\x54\x6b\xc9\x8e\x57\xad\x6d\xc3\x5c\x13\xec\xfb\x0f\xd3\xa4\x0f\x73\x1c\xdb\xd0\x72\xeb\x6b\xaa\x52\x2a\x29\xa9\xab\xc6\xb7\xba\x5c\x84\xf4\xe9\x87\xd9\x7b\xfa\x88\x6c\xec\x18\x1a\xad\xaa\x3c\xba\xc4\xdb\x9b\xb6\xda\x8b\xee\x36\x76\xb7\x60\x5f\xf9\xe6\x96\xc8\x8b\x56\xea\x0c\xa6\x97\x9d\xb2\x11\x8f\x95\x5f\xde\x66\xd5\x42\xf5\x69\x0e\xbd\xc0\x5c\xc5\x15\x39\x35\x87\xa1\xff\xbe\xc3\xf5\x68\xc6\x83\xf4\x40\x15\x4f\x67\x40\x1e\xd1\xd6\x07\x54\x7f\xd2\x0d\xff\x27\x04\x77\x31\x44\x3c\x0d\x8a\x78\x3e\x56\x6f\xd2\x8d\x2a\x76\xa2\x81\xa4\x1b\x2d\xb1\x3a\x5c\x64\xd3\x62\xab\x93\xf8\x27\x77\xb9\xac\xce\xa1\x9a\x65\x34\x15\xe6\xe7\xc9\x82\xcb\x15\xd4\x6a\xe3\x03\xad\x4c\xb7\x19\x3f\x68\x65\xa0\x95\xd9\x62\xad\x4c\x1b\x67\xa3\xb5\x19\xfe\x1a\x4c\xbc\xf7\xb7\x21\x50\x5a\x93\x3c\x4a\x87\xd9\xa1\xc8\xa4\x85\x28\x76\x39\x11\x45\xf9\x19\xdb\xa0\x6f\xf9\x93\x21\xda\xeb\xb7\xf2\x11\x42\x0b\xf9\xbb\x2c\xe7\x60\x8a\x2d\xfe\xf5\x10\xfb\xd3\x7e\xd7\x47\xee\x13\xb5\xe8\x2c\xe4\x87\x8c\x07\x07\x75\x84\xd4\x22\xe4\x96\x5a\x38\xaf\x0f\x42\x8b\xca\xf7\xe7\xb9\xe0\xf7\x67\x92\xed\xaf\x36\x71\x72\xf6\xb0\x3b\x3c\x2c\x48\xc4\x01\x99\x05\x64\x16\x90\x59\x40\x66\x01\x99\x05\x64\x16\x90\x59\x40\x66\x01\x99\x05\x64\x16\x90\x59\x40\x66\x01\x99\x45\x9b\x65\x16\x87\x68\x92\xed\x8f\xec\xb5\x18\xc6\x1b\x9c\x0c\xc3\xb9\xbe\x83\xd2\x02\x4a\x0b\x28\x2d\xa0\xb4\x70\x28\x2d\x3e\xa0\x58\x19\x60\xd2\xc6\x2c\x38\xab\xe5\x8b\x6a\x26\xcb\xfd\x45\x8e\xb0\x3a\x33\xd6\x8b\xaf\x36\x15\x63\x8e\x73\x43\x5d\xb9\xaa\x69\xd7\x5d\xab\x46\x9d\xfd\xdf\x6f\x66\x1f\x1c\xa4\x47\x3d\xdb\xb2\x22\xc0\x8e\x54\x2f\x36\x7b\xc9\x3a\xc7\x33\xe2\x1c\x33\xce\x73\x44\x8f\x19\x47\x4f\x7b\x9d\x40\x46\x66\x55\x3f\xbe\xc3\x29\x22\xca\xd3\x02\xaa\xa1\x3c\x2d\xa0\x1a\xa0\x1a\xa0\x5a\x17\x41\xb5\x0e\x4a\xd7\xdf\x31\x50\x0d\x79\xe4\x01\xd5\x00\xd5\x00\xd5\x00\xd5\x50\x9e\x16\x89\xae\x6f\x1d\x90\xd5\xf1\x89\xae\xb7\x65\x79\xda\x1f\xed\xa1\x9c\x90\x5f\xa9\x94\xe2\xf2\xab\x17\xe8\x4d\xf4\xac\xaf\x6a\xd1\x1b\x77\x99\xb9\xbc\xaa\x33\xa4\x9a\x0a\xd8\x06\x14\x98\xbd\xf6\xff\x0f\x96\x6e\x3d\xcf\x9e\x33\x73\x78\x55\x81\x73\xa6\x02\xbe\xea\x25\x57\x66\xc9\x89\xfc\xf8\x9d\x41\xa0\x6e\xd0\xaa\x78\x1b\xc0\xe4\x4e\x88\x1d\x3b\x80\xca\x09\x88\x76\x9d\xb2\x94\x29\x53\xad\x3f\x43\x17\x5b\x32\x18\x20\x69\x47\x3c\x4f\x83\xf1\x3c\xdf\xee\xa5\xab\xc2\x66\x29\x74\x85\xdb\xac\x67\xa9\x55\xc3\x94\xd6\x44\xc0\xcf\x2a\xa5\xed\x80\x9f\x16\x9e\x2e\x2f\xca\xf0\x66\x48\x75\x94\xe1\x6d\xe1\xf9\x36\x5b\xa7\x77\xab\xcd\x71\xf4\x8b\xa3\x41\xe6\x78\xaf\x67\x61\xdf\x00\xd3\x9c\x14\x07\x55\x33\xcd\x76\xe5\xdf\xb6\x1a\x69\x94\x02\x06\x3a\x07\x3a\x07\x3a\x07\x3a\x47\x29\x60\x94\x02\x46\x29\x60\x94\x02\x86\x0b\x07\x2e\x1c\xb8\x70\xe0\xc2\x81\x0b\xa7\x29\x2e\x1c\x94\x02\x46\x29\x60\x94\x02\x46\x29\x60\x78\x48\xe1\x21\xdd\xe6\xa5\x80\xeb\x28\xd5\x5b\x23\xc9\x6e\x8c\x52\xd7\xc2\xbf\x9b\x9f\x14\xe5\x53\x44\x7b\xaa\x15\xfd\xd9\x88\x8f\x71\x2a\x56\x54\x37\xb2\xea\x0d\x9d\xfd\x28\x45\xfe\x67\x3f\xdd\xe7\xde\xf9\xca\x46\x3c\xf4\x80\xe5\xd0\xbc\x60\xec\x7f\x9e\xef\x1f\x7d\x42\x7a\x2f\x5d\xbb\x5f\x8a\x3b\x76\x69\x32\xf9\x5e\xa4\x24\x9d\x2a\x73\x4f\x1e\xa4\x03\xfe\x8e\x11\xf7\x5d\x6f\xc4\x63\x8e\x6b\x4b\xbe\xa3\x97\x16\xc4\x60\x4c\xd0\x09\x3e\x18\xa7\xa8\xe1\xd6\x44\x79\xa1\x38\x2f\x2f\x64\xb9\x89\x36\xd3\xde\x39\xe1\x07\x3a\x45\xf3\x0e\x3f\xd0\x66\x1a\xdc\xac\xa3\xe7\xcd\xc1\xaf\xc7\x51\x76\xd8\x1c\xe8\x5e\xe3\x4d\x7a\x78\x9c\x17\xe5\x4c\x9c\x92\x04\x90\xab\x0e\xe4\x92\x70\x08\xfb\x38\x84\x9b\x6e\x39\xff\x6a\x90\x26\x2c\xcb\xa9\xe9\x29\x25\x97\xcd\x67\xc6\x36\x26\x0c\x6b\x3e\x31\xc6\xdf\x1c\xe3\x06\x73\x05\x2d\x6d\xee\xa0\x16\x75\xf6\x99\x41\xf6\xf1\x7e\xba\xdf\x71\xcc\x15\x79\x4c\x68\x7f\xf5\xe0\xad\x53\x56\x93\x4b\x5a\x7a\xda\x6a\x32\x7a\x94\x47\x6d\xd9\xed\x5d\x12\xcd\xf9\xec\x3e\xaf\x15\xa7\x73\xb9\xb3\xca\x9a\xaa\x17\x94\x66\xd6\x6c\x6f\x51\xea\xa7\x0d\x7a\x93\xb0\xc0\x17\xe8\x3c\xb7\xc0\xdc\xc2\x57\x33\x70\x66\x3f\xc4\x64\xbf\xc6\x7c\x7a\xa2\x29\x52\xa3\x4c\xb0\xc9\x9b\x65\x09\xdb\xe4\x99\x17\x27\x0d\x9d\xcf\xa5\x39\x8c\x9e\xb8\x07\x64\x84\x42\xf0\x1a\x32\x42\xc1\x03\x0f\x0f\x3c\x3c\xf0\xdd\xe4\x81\x47\x46\x28\x64\x84\x82\xe7\x13\x9e\x4f\x78\x3e\xe1\xf9\xec\x08\xcf\x27\xd2\x3a\x21\xad\xd3\x76\xf1\xf5\x20\xad\x53\x2b\xd2\x3a\xfd\xf4\x15\x3a\x21\xb8\x9f\xf0\xfc\x5a\x09\x9c\xf2\x16\x53\x13\x99\xe3\xf9\xdf\x2f\x8d\x15\xb4\x74\x3a\xab\x17\xd7\xf9\xc2\x7c\x65\x3d\x9d\x51\x4b\x3a\xfb\xad\xcb\xec\xb3\x03\x74\xb7\x68\xc1\x8a\x42\x88\x57\x07\x80\x4b\x5a\x7a\xd6\x6a\x29\xc1\x5b\x8a\xc6\x8c\x43\x84\x03\x59\x86\x1c\x58\x68\x2f\xed\xb1\x7f\x87\xd3\x3e\xa4\x68\x02\xe5\x42\x8a\x26\x50\x2e\x50\x2e\x50\xae\x2e\xa2\x5c\x1d\x14\x46\xd1\x31\x94\x0b\xfa\x7e\x50\x2e\x50\x2e\x50\x2e\x50\x2e\xa4\x68\x82\x00\xf9\xd6\x81\x52\x1d\x2f\x40\xde\x96\x29\x9a\xd6\xe8\xbc\x50\x49\x9d\xa6\x05\xae\x92\x9a\xa1\x69\x3a\xee\xab\x92\x92\x61\x16\x66\xfe\x0f\x0f\x50\x54\x93\x38\xaa\xae\xda\xc2\xe2\x9c\x52\xf7\xe4\x71\xc6\x4a\x45\x74\x90\xf8\x2a\xf2\xb5\x9d\x15\x08\x6d\x97\x25\x43\xf6\xa2\x65\xe3\x62\xeb\x16\xf0\x32\x81\xb7\x9e\xa6\x73\x74\xa6\x4c\x9d\x7c\x94\x0e\x6f\xe2\x39\x21\x44\x1d\x29\x92\x1a\x54\xc4\xfe\x64\xaf\xef\x0b\x2e\xa4\xea\xe3\x5c\xaa\x6e\x58\x93\xe3\xb4\xb9\x51\x4a\xcb\x42\xfa\xbe\x48\x49\x5b\xfa\xbe\xe9\x46\x2f\x08\xfd\xfb\x19\x3a\xed\xd0\xbf\x6f\xb6\xd5\x46\xca\xe7\xd6\x64\xcd\xdc\x66\x30\x48\x4b\x1f\xfd\x9b\x91\x0a\xdb\x36\xe4\x99\xa4\xc8\xcb\xce\x4d\x89\x3d\x5d\x76\xce\x4e\x45\xd4\x4e\x8b\x87\x4c\x44\x20\xc4\x20\xc4\x20\xc4\x20\xc4\xc8\x44\x84\x4c\x44\xc8\x44\x84\x4c\x44\xf0\x54\xc0\x53\x01\x4f\x05\x3c\x15\xf0\x54\x34\xc5\x53\x81\x4c\x44\xc8\x44\x84\x4c\x44\xc8\x44\x04\x47\x20\x1c\x81\xdb\x3c\x13\x51\xab\xdd\x69\x75\x64\x3a\x4a\xbe\x99\x2e\xb3\xe7\x23\xcf\x59\x85\xcf\xa7\xe4\x07\x5d\xb8\x49\xf2\x69\x9e\xbe\x25\xac\xa7\xb4\x82\x3a\x12\xd6\xd7\x53\x57\x8d\x49\x0d\x7f\x6a\xaa\xb2\x26\xec\x6b\xa1\xa8\xf1\x8f\x63\x64\xa7\xa5\x86\x6f\x65\x7d\x74\xf6\x97\x97\xe9\xb0\x10\xe6\x17\x57\x94\x54\xcc\xec\x5f\xcf\x62\xcb\xa9\xdc\xba\x5e\x52\x8b\x45\x2d\xa7\xae\x18\x4b\xe5\x7c\x46\x67\x9f\xbc\xcc\xbe\x36\x40\x0f\x1b\x07\x4f\x3b\x8f\xb5\xf8\xfb\x78\x75\x79\xfe\x8c\x68\xf3\xbc\x96\x53\x13\xa2\x4d\xa1\xce\x3f\x5f\xde\xa0\x09\xe4\x2b\xf6\x87\x3a\x1f\xea\x7c\xa8\xf3\xe1\x7b\x81\xef\x05\xbe\x17\xf8\x5e\x3a\xc6\xf7\xd2\x39\xae\x05\x30\x6f\x30\x6f\x30\x6f\x30\x6f\x30\xef\xae\x66\xde\x80\x72\x80\x72\x5d\x0a\xe5\xb6\xa5\x3a\xff\x9a\x48\xd5\x3c\xce\x53\x35\xf7\x9e\x3b\xcd\x4e\xd0\x31\x3a\xe2\x2b\x52\xe5\xf8\xca\x94\xa8\x56\x52\xa2\xa6\xe4\x2d\x2d\x04\xb3\xc6\x33\xec\xb4\x64\x8d\xbe\x3c\x4d\xe2\xc7\xca\x6b\xf4\xa8\x89\xfc\xbd\x9d\xd5\xd8\xda\x23\x96\x6e\xdf\x03\xa3\x49\xd9\xfe\x16\x80\x34\xc1\xbd\xce\xd2\x22\x25\xcb\x64\xfb\x53\x74\xb0\xd1\x07\x08\x31\x17\x34\xfb\x0d\x6a\xf6\x7f\xac\x97\x4e\x0b\x53\x32\x4b\x09\x6e\x4a\x8e\xd0\x26\x46\x22\x2d\x09\x5d\xfe\x02\x9d\xb4\x75\xf9\x9b\x6b\xf1\x69\x21\xca\x4f\xd2\x29\x87\x28\x7f\x73\x4d\x06\xd9\xba\xda\x6c\x59\xed\xa6\x2a\xd0\xea\x05\x8a\xf7\xdf\x33\x5a\xcd\xd6\x0d\x7a\xea\xf8\x3d\xec\x9e\x94\xf1\xfb\xda\x3d\xeb\xf8\x96\x5b\x40\xc8\xf8\x81\x92\x81\x92\x81\x92\x81\x92\x21\xe3\x87\x8c\x1f\x32\x7e\xc8\xf8\xe1\xd2\x80\x4b\x03\x2e\x0d\xb8\x34\xe0\xd2\x80\x8c\x1f\x32\x7e\xc8\xf8\x21\xe3\x87\xc7\x10\x1e\xc3\x0e\xf4\x18\x76\x74\x41\xe1\xb6\xa3\xeb\xe6\xcb\xee\x3f\x49\x34\x68\x8c\xb2\xb1\x0d\xdf\x14\xf8\x96\xc4\xfe\x9d\x14\x79\x4f\x3f\xdd\x91\xd2\x8a\xea\x95\x8d\x78\xe8\x5e\xcb\xe9\x67\x12\xef\x47\xc5\x2f\x33\x5a\x51\xbd\xe4\xc8\xcc\xd5\x1a\xa8\x7d\x8c\x8e\xd0\x54\x99\x5b\x2f\x4a\x43\xbe\x7e\x0a\xe3\xb2\x8d\x71\x20\xaf\x26\xf9\x8d\x1e\x3a\x2c\x46\xd6\x3e\x9a\xe0\x23\x6b\x84\xea\x38\x9e\x4e\x08\xe7\xcb\x21\x9a\xb4\x9d\x2f\xf5\xb5\x30\x2d\x9c\x2d\x53\x74\xd0\xe1\x6c\xa9\xaf\x89\xcd\xd6\xfc\x5d\x08\x1e\xc1\x03\xec\x49\x67\x11\x5f\x39\x46\x23\x11\xe9\x3d\x36\xaf\x04\xc5\x7d\x51\xdc\xb7\x41\xb7\xe8\x76\x8c\x56\x1a\xa6\x25\x59\x3e\xb8\x4a\xc5\x77\xc3\xa8\xf2\xef\xe6\xd8\xda\x7a\x89\x17\x93\xbf\x21\x8a\xc9\xbb\x3c\x2e\xd2\xda\xbe\xc4\x7e\x76\x98\xbd\x7a\x1b\xbd\xc1\xb3\x45\xc3\xe0\xfe\x5a\x8f\xfc\x08\xdb\x2a\x19\xe3\x61\x8a\xce\x32\xe3\x98\xce\xc8\x33\x79\x95\xad\x8f\x39\x96\x54\x53\xd6\x62\x6c\x90\xb7\x3a\x68\x3b\xbb\x5c\xde\x0b\xad\xa0\x5a\xc0\x54\x2f\xa9\x4a\x7a\xc4\xa6\x3c\x9c\x64\x49\x26\x90\x2d\xa9\x6b\xf6\x58\x1d\x74\x81\x59\x47\xdb\xb1\xe8\x41\x7e\xba\x69\xaf\x9b\xbc\x14\xaf\x76\xf5\x1d\x1e\x5f\x95\xbc\x2e\xfc\xf1\xe3\xdc\x1f\x6f\x7c\x4f\xa6\xe9\x38\x1d\x6d\x60\xa6\xc2\xf5\x50\x73\x1b\x6a\x3e\x58\x28\xf4\xb8\xb7\x7d\xdf\xc1\x6e\xe7\x17\x46\xd7\x5e\x0c\x36\xf0\x17\xd9\xb2\x59\xe1\xb8\xca\x58\x96\xe6\xbe\xda\x03\x72\x17\x7b\x47\xb8\x19\xc2\xcd\x50\xf2\x18\x1a\x01\x68\x04\xa0\x11\xe8\x1e\x8d\x00\x4a\x1e\xa3\xe4\x31\x7c\xb3\xf0\xcd\xc2\x37\x0b\xdf\x6c\x47\xf8\x66\x93\x0b\x74\x92\xcd\x45\x66\x2c\xba\x32\xc4\xb1\x8a\xbc\x8a\x6a\xcb\xb9\x48\xbf\xb1\x67\x2b\x31\x0a\xaa\x27\xc3\xb1\x85\xea\xc9\xdb\x27\x14\x8e\xfd\x9b\x61\x3a\x27\xb1\xe7\x7a\x49\xd3\x53\x4a\x2e\x9b\xcf\x8c\x6d\x4c\x88\xb4\x4c\x02\x75\xfa\x78\x91\x38\xb8\xd2\xf2\x25\x25\x57\xd0\xd2\xe6\xd1\x6a\x51\x67\xdf\x1d\x62\x3f\xec\xa7\xfb\x1d\x0d\x5e\x91\x0d\x86\x5e\x96\xc0\x33\x9b\x4f\x67\x37\xb2\xe9\x75\x25\xe7\x62\x9f\xd6\x9c\xf5\x94\xd5\xf6\x92\x96\x9e\xb6\xda\x6e\x0a\xee\x8c\x45\x8f\x08\x60\x69\x5f\xdf\xa5\x89\xb2\xd2\x33\x3e\xe7\x5f\xcc\xea\x9d\x5e\xb2\x79\x4b\xa0\x65\x26\x98\x49\xce\xb2\x84\xc9\x24\xed\x7e\x97\x08\xd2\xa7\xb7\x1d\xf4\x71\x42\xa6\x4c\xdb\xed\x4d\x47\xef\x62\xc4\x7b\x80\xc7\x52\x82\x53\x82\x53\x82\x53\x82\x53\x82\x53\x82\x53\x82\x53\x82\x53\x82\x53\x82\x53\x82\x53\x82\x53\x82\x53\xb6\x99\x53\x6e\x3f\x15\x18\xf0\x25\xf0\x25\xf0\xe5\x36\xc2\x97\xaf\x0c\xd3\xa4\xc0\x97\x2b\x1c\x55\x6e\x04\x30\xcb\x6b\xda\x8a\x25\xce\xfc\x6f\x43\xec\x2b\xfd\xb4\x83\x1f\x78\x65\x23\x1e\xfa\xc5\x5a\xc4\x98\x49\x6d\xa5\x23\x34\x97\x0f\xf3\xd3\x25\x8c\x7f\x9c\xc2\xfc\xa4\xb6\x02\x3e\xd9\x80\xa8\xf2\x54\x30\xc0\x7c\x8a\xed\x96\x00\x93\x8f\x18\x89\x2e\x93\xda\x0a\x44\x92\x80\x8f\x80\x8f\x80\x8f\x80\x8f\x80\x8f\x80\x8f\x80\x8f\x80\x8f\x80\x8f\x80\x8f\x80\x8f\x80\x8f\x5b\x09\x1f\xc7\x29\xc6\x46\x22\x51\x0b\x3e\xde\xe3\x14\x49\x26\xb5\x95\x4a\x2d\x24\x70\x25\x70\x25\x70\x25\x70\x65\x0b\x71\xe5\x07\x86\xe8\x80\x54\x5b\x1a\x0b\x41\xaf\xf0\x72\xa7\xf0\x52\x92\x88\x6c\x4a\xd5\xd9\x77\x06\xd9\x37\xfa\xe9\xa1\xb2\xe3\xac\x1c\xd6\x1b\xb5\xe9\x2a\xa7\x97\x16\x96\x45\x8b\x4d\x92\x52\x0e\x0b\x29\xa5\xfb\xaa\x64\x3e\x6c\xfb\x64\xd0\x4d\x7a\x73\x49\x35\x18\x3b\x26\xd8\x89\x8a\xac\x32\x02\x3d\xda\xdd\x6b\xa6\xf0\xf0\x1e\x54\x50\x4d\x02\x5c\x02\x5c\x02\x5c\x02\x5c\x02\x5c\x02\x5c\x02\x5c\x02\x5c\x02\x5c\x02\x5c\x02\x5c\x02\x5c\x76\x24\xb8\x04\x24\x04\x24\x04\x24\xec\x62\x48\xf8\xda\x65\x3a\x2c\x20\xa1\xc8\x3c\x5e\x25\x91\x6f\x41\x4b\xa7\xb3\x7a\x71\x9d\xaf\xc9\x57\xd6\xd3\x19\xb5\xa4\xb3\x1f\xbb\xcc\x5e\x19\xa0\x9d\xe2\xe0\x2b\x1b\xf1\x50\x5c\xcc\x15\x8b\xf2\x2b\x67\x9a\x41\x53\xd2\xb8\xa4\xa5\x67\xad\x46\x12\xbc\x91\xe8\xb0\x71\x88\x48\x5b\xee\x94\x17\x7a\xec\xda\xe1\x58\x2f\x01\xac\x05\xac\x85\xc2\x86\xc0\x5a\xc0\x5a\xc0\x5a\xdd\x83\xb5\x3a\xa8\x6e\x5f\xc7\x60\x2d\x14\x94\x03\xd6\x02\xd6\x02\xd6\x02\xd6\xda\x8a\x82\x72\x5d\x4d\xa1\x50\xf1\xaa\x9b\x2b\x5e\x25\xb6\x21\x85\x4a\x5e\xa5\x33\x42\x0e\x35\x4f\xb3\x5c\x0e\xc5\xab\x33\xf9\x96\x31\x92\x75\xfd\x36\xe2\x31\x0f\x46\xb4\x98\xd5\x83\xb5\x50\xcf\x06\x6b\xa1\x0e\xb0\x7d\x52\xe9\x24\x4e\x27\x85\x50\x1e\x67\x74\xc5\x64\x56\xa9\x99\xc4\xa5\x4f\x91\x5f\xde\xe9\xc4\x65\xbb\xac\x2a\x58\x5e\x64\x6c\x8f\xd8\xda\x5e\x36\x26\x50\xd6\x22\x25\xe9\x54\x59\x7d\xac\x83\x74\xa0\xb1\x67\x82\xd2\xe7\x41\xa5\xcf\x51\xdd\xc9\xa7\xba\xd3\x3b\x7a\x7d\x5f\x66\x5a\x10\x46\x23\x41\x27\xb8\xd1\x98\xa2\x86\x07\x28\x9d\x15\xe5\xd8\x4e\xd2\x9c\x5d\x8e\x6d\x33\xed\x9d\x13\xc5\xd9\x4e\xd1\xbc\xa3\x38\xdb\x26\x1a\xac\xb5\x22\x5b\xeb\x0c\x5b\xf4\x4f\x46\x9c\x86\x6b\x48\x56\x3b\x75\x94\x8e\xd5\x56\x3d\x8d\xd8\x7e\xb1\xa7\x69\xc4\x66\xac\x03\xda\x69\xce\x2e\xd0\x79\x5a\x72\x9a\xb3\x68\x82\x4e\x34\xa0\xb7\x9d\xe5\xf7\x72\x8e\x5f\xa8\x0e\xd4\x0b\xd4\x0b\xd4\x0b\xd4\xdb\x45\xa8\x17\x13\xb9\x80\x89\x5c\xe7\xb0\xf0\xdf\xef\xa5\xff\xd2\xcb\xbe\xd5\x1b\xfa\x86\xf5\xa8\x7e\xa9\xf7\x82\x73\xf5\x99\xcd\x87\x75\xb1\x82\x0c\xaf\xa8\xab\xc2\x71\x6c\x51\x1a\xfb\x93\x25\xdf\x12\xde\x59\x8e\x29\x63\x5e\xcb\x8f\xe6\xd5\x8c\xc2\x1f\x89\x5c\x80\x3a\xa7\x96\x82\xd7\x5a\x83\x41\xce\x17\xb2\x6b\x6b\x6a\xda\x98\xbc\xe6\x6e\xda\x1e\x5d\xdb\xb4\x67\x73\x23\x72\x5d\x2a\x4a\xb8\x67\x8a\x4a\x8a\x8f\x93\xac\x96\xb6\x3e\x3c\xf6\xc7\x81\x3b\xcb\xcd\xe7\xb2\xae\x1b\x17\xe9\xec\x28\xc5\x38\xd2\xbc\x21\x79\x92\x55\xf1\xbe\x99\x4d\xc4\xc4\x75\xae\xa9\x4a\xde\xf3\x1a\x23\x8c\x5f\xc2\x12\xbf\x02\xaf\xf5\x36\x5c\x0e\x70\x39\xc0\xe5\x00\x97\x03\x5c\x0e\x5d\xed\x72\xf8\xad\x5e\xfa\x72\x2f\x7b\xad\x37\xf4\xaa\xf5\xb5\x7d\x7f\xef\xac\x23\xea\xb5\x90\x53\x15\x5d\xb5\x5e\xfd\xa5\xa2\x56\x50\x32\xfc\x3b\x2c\x56\xc6\x2e\xc1\x91\xf9\xb8\xed\xb0\x59\xe3\x81\xc7\x63\x93\xb1\xf0\xb2\xb0\x23\xe2\x23\x59\x50\xf3\xc6\x30\xb5\xbf\x22\x6a\x58\x2b\x16\xae\x2a\x79\x53\x00\x55\x5c\x57\xc7\x56\x95\x9c\x39\xfb\x8f\x88\xad\x91\xf0\x6a\x36\xaf\xe4\xb2\x7f\xc7\x34\xdf\x2b\x6a\x58\x49\x73\x7e\xaf\x8d\x09\x9c\x9b\xb6\xa7\x96\xa2\xf1\x41\xdd\x3e\x48\xcc\xb7\x63\xe1\xb9\x2c\x37\x49\x8e\x0b\xd7\x8a\x95\x77\x66\xfb\x4c\x4a\x62\xba\xcf\x67\x7f\x5a\xe9\x6a\x2c\x72\xaf\xb8\x9e\x59\xf3\x46\xdc\x4a\xaa\x77\xf6\xd3\x3b\xfa\xd9\xdb\xfb\x43\x7f\x6b\xc9\xe9\xbe\xda\xf7\x8c\xb4\x83\xc6\x10\xbd\xaa\xdd\x08\x67\x94\xe2\x8a\x92\x71\x81\x08\x6b\xa2\xa6\x16\x57\xb5\xe2\x9a\xd1\x17\x9e\x57\x7a\xae\xec\xe4\xfe\x17\xca\xa7\x35\xe6\x9c\x44\x40\x10\x63\x44\xa4\xd5\x54\x36\x6d\x4f\xac\xf9\xb7\x91\x2f\x73\xac\xde\x35\x3e\x4e\xf2\xcb\x61\x7e\xfd\x62\x8e\x6e\x34\xed\xa6\xe5\xa8\xb0\x44\x74\xee\x93\xc5\xc2\x02\x22\x71\x5b\xec\x9c\xad\x0e\x8a\x7b\x18\x34\xd6\x3c\xfc\x2f\xf7\xc0\xd0\x0f\x87\x07\x13\x4a\xea\x7a\xa6\xa8\xad\xe7\xd3\xc6\x5e\x5c\xbd\xc6\x77\x2a\xeb\x38\x31\x59\x91\x33\x20\x77\x23\xe6\x1d\xac\x58\x2d\x1d\x0e\x0f\xce\x6b\x45\xd5\xd1\x6c\x38\xa5\xe8\x29\x25\x6d\xdc\xbd\xec\x1f\xa1\x57\xe4\xed\xe9\x62\x3a\x5d\xd1\xe0\xaa\xd5\x46\x2c\x72\x5f\xa1\x7c\xdc\x38\xe7\x36\xf0\xe8\xc1\xa3\xd7\xa5\x1e\xbd\x64\x86\x16\x05\xe8\x9e\xa3\x19\x0e\xba\x8f\xd2\x61\x3a\xd4\x00\xbc\x5c\x2e\x29\xa5\x75\xbd\x49\xce\x31\x27\x1b\xae\x95\x27\x5f\x8b\x7a\xe3\xeb\xfb\xd9\x7d\xc2\x50\xd8\x46\x9c\xb6\x61\x8a\x1c\xf6\x1f\xaf\xd0\xac\x47\x81\x33\x5f\x49\xbd\x6f\x55\xb3\x77\x5d\x61\x5f\x19\xa0\xbb\x5d\x55\xcd\xe2\xa1\xfd\xd5\xb5\xf5\x3e\x95\xad\xa2\x13\xc6\x61\xce\x02\x64\xc1\xb5\xc7\x20\xb4\x87\xd0\x1e\x42\x7b\x78\x5f\xe0\x7d\x81\xf7\x05\xde\x97\x8e\xf1\xbe\x74\x8e\x73\x01\xd4\x1b\xd4\x1b\xd4\x1b\xd4\x1b\xd4\xbb\xab\xa9\x37\xb0\x1c\xb0\x5c\x97\x62\xb9\x6d\x29\xb4\x7f\x0b\x5d\x12\x28\xf1\x1c\x9d\xe1\x28\xf1\x24\xcd\xd1\x8c\xaf\x24\xd5\xc1\x9f\x62\x1b\xf1\x58\x95\x42\xf5\x81\x50\x31\x40\x16\x7f\x6d\x25\x18\x3a\x1e\x67\x47\x37\x51\xd5\x3d\x4e\x91\xbf\xda\x59\x81\xd4\xc2\x96\xfe\xde\x8f\x9e\xed\x13\x7b\x6c\x11\x3f\x13\xb8\xeb\x22\x2d\xd3\xd3\x65\x62\xfc\x69\x3a\xbe\xc9\xe7\x06\x31\x17\x54\xf9\x0d\xaa\xf2\xdf\xdf\x4b\xe7\x85\x21\x39\x4d\x0b\xdc\x90\xcc\xd0\xe6\x07\x24\x3d\x23\x54\xf8\x4b\x74\xd6\x56\xe1\x37\xa5\xe1\x37\x0a\x39\xfe\xd3\x74\xce\x21\xc7\x6f\x4a\xcb\x8d\xdb\x3d\x21\xd8\xaf\xcd\xee\xd5\x6e\xe4\x3c\x2c\x64\xf4\x9d\xa3\x15\x76\x6f\xc4\x53\xbe\xef\x67\x03\x8f\x89\xbd\x5d\x36\xd0\x4b\xc7\xdf\x1e\x6b\x08\x2d\x3f\x68\x32\x68\x32\x68\x32\x68\x32\xb4\xfc\xd0\xf2\x43\xcb\x0f\x2d\x3f\xbc\x1a\xf0\x6a\xc0\xab\x01\xaf\x06\xbc\x1a\xd0\xf2\x43\xcb\x0f\x2d\x3f\xb4\xfc\x70\x1a\xc2\x69\xd8\x81\x4e\xc3\xb6\x6b\xf9\xeb\x10\xdc\xb7\xc3\x05\xb7\x1d\x45\xfd\xaf\x0c\xd1\x7e\x21\xea\x2f\xae\x28\xa9\x98\xd9\xc7\x65\xa5\x34\x65\x15\xcd\xa2\x96\x53\x57\x8c\x85\x72\x3e\xa3\xb3\xbf\x18\x64\x7f\xd8\x4f\x0f\x18\x87\x4d\x3b\x8f\xba\xb2\x11\x0f\xdd\xa8\xad\x86\xe6\x79\x2d\xa7\x26\x44\x7b\x4d\x2a\xa2\x39\xc9\x0f\x38\x5f\x7e\x4d\x97\xe2\x8e\x53\x2d\x66\xf5\xd2\xbc\x56\x9c\xce\xe5\x2c\xb6\xaf\x77\x78\x48\x40\xf2\xba\x7f\x9e\xa8\xa6\xd7\xda\x34\xdf\xae\x5a\x6a\x5d\x5e\x4b\x07\xbf\x56\xd3\xec\xb8\x7c\xad\x7c\x87\x98\x7c\xc9\x1c\x0f\xc9\xfd\x62\x21\x22\x02\x11\x11\xa8\xa8\x09\x1f\x16\x7c\x58\xf0\x61\x75\x8f\x0f\x0b\x15\x35\x51\x51\x13\xbe\x03\xf8\x0e\xe0\x3b\x80\xef\xa0\x23\x7c\x07\xa8\xa8\x89\x8a\x9a\xdb\x85\x96\xa2\xa2\x66\x2b\x2a\x6a\x7e\xe9\x79\x8a\x08\x5c\xa8\x97\xb4\xa2\x92\x51\x1d\x8c\x30\xa5\x67\xd3\xc5\xac\xf1\x00\xd9\x07\x9e\x67\xef\x18\x20\x92\xfb\x5c\xd9\x88\x87\x06\xab\x67\xf7\x98\x59\x5e\x98\xe5\xc7\x46\x5f\x6f\xec\xb8\x2c\x0e\xbc\x14\xb7\x7e\xef\x70\x40\x87\x9c\x1d\x20\x54\xc8\xd9\x01\x42\x05\x42\x05\x42\xd5\x45\x84\xaa\x83\x44\xc4\x1d\x43\xa8\xa0\x6e\x05\xa1\x02\xa1\x02\xa1\x02\xa1\x42\xce\x0e\xc8\xef\x6e\x1d\xa0\xd4\xf1\xf2\xbb\x6d\x99\xb3\xe3\x0a\xcd\x0a\xfd\xd2\x51\x3a\xcc\xf5\x4b\xfb\x69\x2f\xc5\x7d\xe3\xd6\x4d\xea\xb4\x11\x8f\x59\x68\xa8\xa6\x0c\x1d\xcf\x04\xeb\x94\xf6\xb1\x09\xa9\x53\x72\xb3\x2d\x29\x4e\xb2\xce\x57\x5f\x45\xcc\xbf\xdc\xe1\xe2\x60\xcc\x4a\xc9\x61\x23\xaf\x37\x88\xdf\x5a\x08\xbd\x04\xa3\xe2\x29\x01\xca\x12\x6d\x8c\xd1\x68\x5d\x9d\x8d\xb8\x4a\xa4\xd5\x68\x30\xad\xc6\x1f\xf5\xd0\x09\xf1\xae\x1f\xa2\x49\xfe\xae\xc7\xa9\xde\xe1\x47\x73\x22\x89\xc6\x31\x3a\x62\x27\xd1\x68\xa0\x99\x79\x91\x32\xe3\x38\x1d\x75\xa4\xcc\x68\xa0\x9d\x0e\x34\x3b\x3c\xf3\x46\xf4\x37\x47\x5c\x66\xe7\x31\xcf\x8c\x18\xb6\x09\x8a\x88\xed\xb6\x09\xb2\xf6\x6b\x95\x31\x42\x9e\x0b\x10\x58\x10\x58\x10\x58\x10\x58\xe4\xb9\x40\x9e\x0b\xe4\xb9\x40\x9e\x0b\x78\x02\xe0\x09\x80\x27\x00\x9e\x00\x78\x02\x9a\xe2\x09\x40\x9e\x0b\xe4\xb9\x40\x9e\x0b\xe4\xb9\x80\xa3\x0d\x8e\xb6\x2e\xca\x73\x51\x1b\x71\xf6\x48\xaa\x1c\x40\x9f\x9b\x9f\x7a\xe2\x0f\x76\x0a\x2d\xb9\x57\x09\xc9\x97\xc6\x4c\x9b\xcc\x3e\xb3\x33\xf4\x83\x3e\xba\x23\xa5\x15\x39\xc9\xde\x53\x54\x0b\x39\x63\x09\x6a\xee\x60\x3e\x60\x7b\xee\x6b\xa5\x75\x88\x3e\x26\x77\x9e\xd1\x8a\xaa\x23\xb1\xfd\xbc\x3c\xb4\xc9\x48\xfb\x04\x1d\xa3\x23\x65\xfe\xb5\x11\x8a\xfa\x7a\x14\x8c\x5b\x32\x46\x81\x75\x5d\xc9\xf7\xf6\xd0\x51\x31\xb2\x0e\xd0\x3e\x3e\xb2\x62\x54\x57\x0b\x94\x10\xfe\x91\xc3\x74\xc8\xf6\x8f\xd4\xdb\x46\xd0\x70\x7c\xd4\x7b\x38\xde\xce\xfa\x0b\xeb\x25\xba\x76\x3a\x78\x04\x0e\xb1\x01\x39\xea\x22\x11\x39\xd2\xec\xd3\xbb\x32\x3f\x00\x6f\x55\xc7\x5b\x49\xb8\x1b\x7d\xdc\x8d\x07\x68\x1f\x9b\x88\x8c\x5b\xc9\x78\x1e\xe4\x5d\x20\x9f\x87\x35\xda\x22\xfd\xc6\xcf\x2d\x4d\xb1\xf3\x6a\x2f\xdd\x2e\x62\x66\xd8\xbf\xed\x65\xbf\xda\x4b\xfd\xc6\x7f\x42\xa1\x8c\x5a\x72\xac\xe7\xa7\x97\x16\xac\xb9\x50\xf4\xee\x8c\x5a\x9a\x5e\x5a\x90\x1f\xc8\xe6\x65\xa7\x99\xaa\x68\x68\xaa\xa2\xa1\xa9\x5a\x1a\x4a\xae\xd5\x55\x22\xa1\xca\x27\x70\x7a\x69\xe1\xa4\x61\x0a\x6a\x51\x71\xb0\x77\x46\xe9\xa2\x2c\x41\x9c\x5e\xcb\xf2\xe0\x90\xa2\x9a\xc9\x1a\x93\x4b\x77\xc2\xa2\x15\xb5\xa4\x98\x59\x8b\xd6\xd6\x4b\x8a\xb1\x08\xb8\xa1\xae\x5c\xd5\xb4\xeb\x2e\xcf\x92\xf9\xb9\x61\x1f\x19\x66\x5f\xbd\x8d\x1e\xf5\x6c\xf6\x8a\x6c\x2f\xf4\x6b\x3d\x72\xc6\xe1\x48\x66\x94\x37\x57\xb4\x66\x28\xd3\x19\x79\xba\x67\xc4\xe9\x66\x9c\xa7\x6b\x4a\x96\xa3\x11\x1b\x69\x71\x6c\x27\x01\x48\xb6\xa4\xae\xd9\xaf\xf5\xa0\x8b\x42\x3b\xda\x8e\x45\x45\xd8\xd2\xb4\xd7\x9d\x5e\x12\x37\x5a\xed\x16\x3a\x3c\x10\x6b\x4b\x32\x25\x3d\xee\xfd\x41\xdc\xc1\x6e\xe7\x17\x46\xd7\x5e\x0a\xfe\x24\x3e\xc7\xde\xe8\xf8\xf0\xf1\xc7\x60\x95\xbb\xa8\x32\xd6\xe5\xd7\xb3\xda\x13\x43\xfa\x24\x04\xa7\x21\x7d\x12\xa4\x11\x90\x46\x40\x1a\xd1\x4d\xd2\x08\xa4\x4f\x42\xfa\x24\xb8\xa4\xe1\x92\x86\x4b\x1a\x2e\xe9\x8e\x70\x49\x27\x17\xe8\x24\x9b\x8b\xcc\x58\x48\x6a\xc8\x89\xa4\xaa\x2d\xe1\x5a\x4f\xa9\x90\x89\x09\xfe\x3c\x64\x62\xda\x3e\x81\x73\xec\xa3\x77\xd2\x94\x44\xa1\xde\x39\xdb\x05\x02\xd5\xd5\xdc\xaa\xbe\xce\x0d\x5c\x71\x3d\xa7\xea\xc6\x1a\x44\xbd\xa1\xb3\xff\x46\x91\x6f\xdf\x46\x0f\x2a\x65\x99\xdb\x05\xe7\x7c\xdc\x0a\x52\x5b\x56\x73\xab\xcb\xe2\xf0\xf3\xc6\xe1\xe7\xf9\xe1\xd1\x71\xab\x6c\xb4\x33\xc7\x3a\x3f\xd8\xfb\x88\x26\x7b\xda\xde\x44\xcf\xd2\x33\x65\x9e\xb6\x93\x34\x57\xad\xdc\xad\xa3\x8b\xe4\x6d\xc6\xbc\x2f\x35\xf9\xf1\x5e\x51\x51\x77\x9c\x57\xd4\xed\x3d\x77\x9a\x13\xc3\xe6\x34\x4e\x2f\x08\xff\xdc\x25\xba\x60\xfb\xe7\x9a\xd8\xfc\x65\x11\xd7\xf4\x0c\x5d\x74\xc4\x35\x35\xb1\xfd\xcd\x16\x04\xd6\x82\x41\xe8\x22\x4b\xda\x55\x18\xfc\x32\xc5\xfb\x5c\x5e\x05\x41\x85\xff\x10\xfe\xc3\x06\xfd\x87\x4d\xf7\x03\x7e\x69\x88\x0e\x5a\x16\xdb\x2c\x2f\x32\xb6\x31\x61\x8c\xd4\x09\xe9\xab\xba\x6a\x95\x19\x29\x68\x69\xc5\x2a\x33\xa2\xb3\x1f\x1f\x62\x6f\xbd\x8d\xee\x77\x15\xba\x16\x47\x86\x5e\xee\xa9\xad\xda\x86\x4f\x09\x93\x26\x55\xde\x48\x08\xaf\x92\xa3\x88\xb6\xb8\x3c\x9f\xb3\xa2\x08\x47\x13\x8b\x70\x64\x82\xad\xea\x2c\x4b\x6c\xa2\xb6\x8d\x78\x94\x70\x24\xc1\x91\x04\x47\x12\x1c\x49\x70\x24\xc1\x91\x04\x47\x12\x1c\x49\x70\x24\xc1\x91\x04\x47\x12\x1c\x49\x70\x24\xa1\x0e\x07\xbc\x3f\xf0\xfe\xc0\xfb\xd3\x36\xef\xcf\xcf\xf5\xd1\x1e\xc1\x12\x57\x73\xda\x0d\xc3\x18\x17\xb5\x5c\xcc\x5a\xdc\x97\x7b\x81\xd8\x9f\xf7\xb2\x3f\xed\xa5\x5d\x8e\x9d\xa7\xcd\x7d\x2d\xaf\xcf\x43\xee\x80\x04\xeb\xf6\xa2\xd1\x8c\x5a\x9a\xf7\x38\x52\x7a\x7c\xa6\x97\x16\xcc\x25\x60\x27\x46\x2a\x14\xe8\xa2\x80\x73\x67\x69\x91\xc3\xb9\x79\x9a\xa5\x44\x63\x91\x0a\xe6\x7d\xd6\x14\xac\xf0\xe7\x7b\xe8\x7c\x70\x69\x65\xf1\x80\xca\xe3\xdf\xf8\xdf\x2f\xb9\x0a\x2e\x9b\x91\x0a\x3f\xb3\x87\x7d\xa4\x8f\x1e\xf6\xaa\xbb\x2c\x9e\xe3\x63\x45\x55\x49\x97\xf1\x04\x47\x65\xdd\x68\xdc\xd8\xee\x51\x22\x99\x1f\x6d\xd1\xd8\xb4\xe3\x90\xe6\x7a\xef\x92\x57\xfc\x39\x6a\x5d\xc9\x40\x79\xb7\x9a\x0e\x2b\xc7\xe5\x9a\xec\x34\x1b\x8c\x45\xe7\xd9\xac\x9f\xea\xbe\x9e\x62\xc5\x55\x42\xe2\x32\x6a\x89\x42\x2f\xef\xac\xf6\xc0\x9e\x30\x43\x1a\xfd\x9f\xd9\x3e\xb9\xcb\x16\x3e\xb6\xc4\x49\x9a\xa3\x99\x32\xa7\x6b\x23\x8f\x07\x29\xab\x90\x42\xb4\x41\x9f\xdc\x2f\xf6\x34\xc7\x42\xd0\x82\x70\xc3\x27\xe8\x84\xed\x86\x6f\xb0\xa9\x4d\x46\xcb\xd6\x66\xa4\x36\x57\x40\x5d\xd8\xb5\xe8\xaf\xdd\x5b\xcd\x0a\x3d\x20\x33\x4d\x28\x2e\xc3\xb3\x57\xfc\xba\x95\x76\xa7\x35\x99\x42\x61\x84\x02\x8c\x10\xb2\xd5\xb5\x25\x5b\x1d\xd2\x14\x21\x4d\x11\xd2\x14\xb5\x2a\x4d\x51\xf2\xd3\x3d\x4d\xce\xd5\x72\x5e\x28\xec\x4e\xd3\x82\x43\x61\xd7\xe2\xfc\x2f\x61\xef\x29\xc4\x4e\x76\x87\xe8\xa6\x76\xce\x22\x12\xff\xe7\x5d\xd5\x66\x11\xd1\x82\x52\x2c\x65\xb9\xf3\x59\x10\x8f\x2a\x8b\x9a\x89\x82\x52\x4a\x5d\xdd\xa2\xa9\xc5\x23\xe5\x0d\x8d\xf2\xab\xd9\xc3\x51\xc3\x2e\xe7\xc6\x35\xb5\x98\x51\x9d\x5b\x07\x9c\x5b\x79\x3c\xb6\x9a\xc9\xa6\x46\x2b\xf6\x73\xb5\x62\xfc\x7d\x53\x6e\x35\xae\x32\x71\x96\x16\x29\x59\xb6\x9c\x9a\xa2\x83\x0d\x8c\xa2\x25\xae\xd5\xc0\x84\x26\x60\x42\xf3\xd1\x3e\x7a\xa5\x8f\x7d\xb8\x2f\xf4\x41\xeb\xab\xf0\x72\x5f\xf7\xac\xaa\xca\xdc\x5b\x46\x3f\x73\xb9\x06\x77\xc1\x1a\x83\xd3\x16\x6d\x0d\xf9\x0c\xdc\x61\xfe\x71\x13\xea\x1e\x25\xc7\x8f\x34\x66\x71\xe2\x68\xbe\x07\x9f\x51\xe9\xe1\xa1\xa4\xae\xe5\x97\x84\x7a\xe9\x8c\xf1\x5a\xc8\xbf\x97\xcd\x97\xc5\xfe\x71\xd8\x7f\xb9\x97\xf8\x72\x0f\xbd\xd6\xc3\x5e\xed\x09\x7d\xde\x22\xb3\x1f\xea\x99\xd7\x8a\x29\x3e\xd9\xcb\x68\xbc\xdb\xb5\x70\x64\xd5\xf8\x29\x12\x9e\x76\xdd\x05\x67\xee\x62\x5e\xb6\xae\xdb\x3a\x8d\x51\x25\xc5\x6f\x9c\xab\x5f\x72\xd9\x94\xfc\xee\xaa\xb9\xb4\x1e\xd6\x6e\xc8\x3e\x15\xea\x90\x82\xaa\x15\x72\x6a\x2c\x2c\xce\xc8\xe5\x66\xe6\xb3\xe4\xec\xdb\xb3\x03\xac\xd3\x47\x6e\xe3\x97\xb5\x99\x6a\x37\x0d\xaf\x39\xdb\xf7\x39\xa8\x92\xfb\x82\xf7\x07\x25\x0f\xd2\x01\xb6\x2f\x32\x61\x05\x3d\x3d\xe4\x0c\x7a\x72\xb4\x5d\x19\xe3\xf4\x66\xba\xcc\x9e\x8f\x3c\x67\x1d\x39\x25\x67\xe2\xe2\x0d\xcd\xa7\xb9\x40\x3c\xac\xa7\xb4\x82\x3a\x12\xd6\xd7\x53\x57\x8d\x37\x83\x4f\xf2\x55\x65\x4d\xcc\x91\x0a\x45\x8d\x4f\x70\x23\x3b\x2d\xaa\xda\xd2\x5c\x3f\xff\x34\x46\xe7\xea\x48\x50\x53\x53\x6a\x9a\xcf\x8f\xb2\x77\xf4\x07\xa5\xa6\x19\xf3\x80\xbe\xd5\x22\xca\xa2\x47\x8c\x03\xb6\x3c\x09\x8c\x00\xc2\x6f\xeb\xa1\x55\xf1\x5e\x5c\xa1\x17\xf8\x7b\xf1\x0c\x5d\xa4\x65\xff\x90\x05\xcf\xbe\x35\x5f\x94\xaa\xb9\x50\x1a\xa7\x35\x19\xb5\x54\x6b\x22\x97\x26\xe5\x6d\xa9\x78\xd9\x42\xff\x9c\x82\xc6\xc1\x84\x37\x4b\xae\x3a\x14\x8e\xcb\x63\x3a\x63\x34\x24\xb2\x94\x21\xb5\x6c\x62\xd4\x9a\xd1\x80\x39\x13\x48\x74\x83\x24\xfa\x4f\xdb\x67\xb2\xae\x0b\x56\x9d\xa6\x15\x9b\x55\x77\xa0\x7d\xe4\x34\x7b\x6b\xed\x63\xf4\xfb\xf7\x06\xd9\xc7\xa7\x2c\xca\x5d\xd5\x24\x1e\x13\xbb\x75\x88\x45\x04\x01\x07\x01\x07\x01\x07\x01\x07\x01\x07\x01\x07\x01\xf7\x26\xe0\x5b\x9b\x62\x33\xf1\x23\xaf\x0b\x9a\x79\x1c\x0e\x20\xe3\x55\xe7\x23\x47\x0b\x1d\x91\xb3\x15\xd4\xbc\xeb\x26\x41\xa0\xe6\xa0\xe6\x5b\x4c\xcd\x3b\x08\x0f\x6e\xed\xfa\x36\x18\xb6\x77\x70\x86\x31\xf6\x4f\xf6\xd0\x99\x60\x3d\x74\x3d\x52\xe8\xcf\x47\xd9\xcf\xf4\xd1\x03\x5e\xde\xe8\x40\x15\xf4\x88\x8f\x0a\xba\x1d\x02\xe8\xe7\xe8\xb8\x18\xcf\x07\xe9\x00\x1f\xcf\xe3\x14\xa3\x91\x20\x37\x50\x5d\x1e\xa0\x74\xf0\x40\x9d\x66\xc7\x37\xe7\x01\x0a\x94\x3d\xff\xc1\x0e\x9f\x87\x53\x83\xe2\x79\xcc\x5f\xf1\xdc\x0e\xd1\x61\x82\x4e\xd0\xb1\xb2\x79\x46\x9d\xcf\x08\x73\x0b\xd0\xe5\x06\xe9\xf2\xfb\x7b\x36\x6f\x21\x66\x05\x36\x36\x16\x66\x16\x36\xbe\xf5\xec\x4c\x61\xbd\x44\xd1\x4f\xde\xeb\x63\x67\xbc\x35\xcd\x31\x5f\x4d\x33\xe4\xcc\xb7\xac\xad\x01\xcc\x05\xcc\x05\xcc\x05\xcc\xdd\xf6\x30\xd7\x37\x76\xb2\xe3\x29\x6f\x7b\xe7\x0c\x81\xc8\x38\xf1\x4f\xef\xf2\x99\x36\xd4\x23\x62\x1e\xf5\x13\x31\x43\xbf\x0c\x12\x0b\x12\x0b\x12\x7b\x2b\x91\xd8\x5b\x06\x5c\x41\xb5\xec\x24\xb3\xff\x6f\x94\x4e\x37\x21\x53\x85\xc5\x65\xdf\x1b\x65\x3f\x51\x35\x45\xc5\x43\x3e\x70\x36\x1a\xad\x3d\x37\x45\x93\x99\xec\x1b\xeb\xab\xbc\x5c\x21\xcd\x0f\x1c\xd8\x2b\xc1\x03\xfb\x38\x3b\x6a\x8f\xdb\x4a\xfc\x1f\x38\xe8\x83\x78\xec\xd7\x76\x54\x7b\x28\x21\x7f\x28\x1b\x1d\xad\x2b\xff\xc4\x16\xd7\xd5\xae\x0c\x9b\xc0\xdc\x02\x24\xb6\x31\x12\x5b\x6f\x45\xf6\x4a\xbb\x50\x7f\x45\xf6\xfa\x6d\x4b\x80\x2a\xb7\x36\xd3\x53\xc7\x37\xd5\x43\x7a\xfb\x91\xaa\xc9\x25\x5e\xe7\x02\xb1\xd1\x91\x7a\xb2\x4a\x80\xbf\xde\x0a\x16\x06\xfc\x15\xfc\x15\xfc\x15\xfc\x75\xdb\xf3\xd7\x8e\xc7\xac\x4d\x5a\x89\x6c\x6a\x3a\x50\x03\x7d\xfd\x47\x55\xf3\x48\xec\xae\x01\xc1\x46\xf7\xd4\x91\x40\x02\xe4\x15\xe4\x15\xe4\x15\xe4\x75\x9b\x92\xd7\x96\xe3\xa9\x20\x22\xda\x8e\xaf\x46\x32\x4e\x63\x6c\x34\xb2\xc7\x62\xa7\xf7\x96\x53\xd7\x5b\x02\xb7\xfe\xef\x41\x1a\x15\xb8\x55\x2f\x69\x45\x25\xa3\x96\x33\x56\x51\x0b\x2e\xa5\x67\xd3\xc5\xac\xd1\x49\xec\x37\x06\xd9\x67\xfb\xe9\x1e\xb9\xbb\xf5\x91\x5c\xaf\xad\xf0\xdb\xcc\xf2\xc2\x2c\x6f\xa8\x49\xa5\xde\x44\x25\x84\x65\x71\x31\xf2\x63\x6b\x9d\x63\x31\xab\x97\x3a\xbf\x90\x5b\xd3\xeb\xb5\x05\xbe\x5f\x35\x15\x72\x7b\x3e\xf8\x1d\x3b\xc4\x26\xe5\x3b\xe6\x1e\x3c\xf2\xc5\xb2\x9e\x83\xc7\xdb\x85\xea\x6d\xa8\xde\x86\xea\x6d\xa8\xde\x86\xea\x6d\xa8\xde\x86\xea\x6d\xa8\xde\x86\xea\x6d\xa8\xde\x86\xea\x6d\xa8\xde\x86\xea\x6d\x4e\x4f\x23\xaa\xb7\xa1\x7a\x1b\xaa\xb7\xa1\x7a\x5b\x0b\xab\xb7\xfd\xf6\x1e\x4a\xd4\xaa\xb7\x4c\xe5\xd6\xf5\x92\xb1\x6e\xa9\x0c\x7f\xff\x07\x7b\xd8\x67\xab\xca\x2c\x9f\xf2\x90\x59\xce\x88\xf6\x5c\xf1\x90\xd5\x44\x97\x95\xfb\x37\x59\x78\xb9\xea\x1f\xd1\x72\x5a\x50\xba\x59\x4a\x70\x4a\x77\x84\xaa\x78\xb9\xdc\xc8\xbb\xf2\xaa\x4d\x0e\x57\x08\x46\x6c\x67\xd8\xe9\x1a\x31\x76\xe5\x69\x3c\x5c\xa1\x01\xa2\xcc\x9f\xaf\x5a\x1b\x6c\xc8\x5b\x94\xe9\xf1\x14\xe3\x01\x12\xcd\x56\x3f\xc8\x7a\xdd\x92\x41\x0f\x0c\x6e\x49\x88\x36\x1b\x14\x6d\xfe\x4a\x8f\x00\xfc\x71\x0e\xf8\x2d\xd5\xe5\xa6\xec\x47\x7b\xad\x54\x80\xa0\xb3\x36\x23\xd6\x68\x65\x43\x8f\x9b\x8f\x7e\xb9\xaa\xbc\xf3\x11\x4b\xde\xe9\x61\x98\xc6\xab\x8b\x3d\x5b\x6e\x97\x20\xf8\x84\xe0\x13\x82\x4f\x08\x3e\x21\xf8\x84\xe0\xb3\x3b\x05\x9f\xc1\xd9\x53\xdb\xbe\x2a\x4a\xfc\xbb\xaa\xf2\xcf\x78\x80\xfc\xd3\x63\x9a\x31\x56\x55\x0c\xda\xca\x59\x06\x04\xa1\xdd\x36\xb7\x81\x20\x14\x82\xd0\x2d\x16\x84\xae\x36\x75\xdd\xb9\x79\x79\x68\xdb\xbf\x20\xc9\xe3\x74\x94\x1d\x8e\x1c\xb2\x94\x9f\x8f\x39\xc5\xa2\x95\x2d\xb4\x21\xc3\xe9\xbb\x42\x74\x78\x4c\x29\x64\xab\xa5\x31\x95\x13\xae\xb7\xac\x6b\x25\xc5\x24\xb9\x63\x3a\xff\x8e\xb3\x2f\x3d\xcc\xde\xd6\x47\x77\xa4\xb4\xa2\xca\xd3\xd0\x70\x7c\x2b\xb6\x99\xf7\xe5\x88\x80\x90\x2d\x3d\x6d\xb4\x14\x1d\x34\xf6\x9d\xd1\x8a\xaa\x2b\xf1\x8c\x73\x17\x31\x57\x68\x32\xbc\x7d\x9e\xa6\xc5\x28\x9c\xa2\x83\x7c\x14\x4e\xd0\x38\xc5\x7c\x47\xa1\x71\x67\x3c\x21\x84\xf3\xc2\x36\x5b\x93\xeb\x5c\xf0\xc8\x1b\x61\x51\xa9\x3b\x76\x9d\xd8\x99\x12\x42\x8e\xcc\x48\x84\x42\x5f\xd9\x61\x3f\x03\x33\xf0\xbd\xc6\xc7\x10\x95\xbb\xb7\xfd\x49\x24\x0c\x33\x70\xa2\x6c\x0e\x50\xf7\xa3\xc0\x97\x1f\xcc\xb5\x41\xe6\xfa\x2f\x7a\x9a\x61\x0a\xe6\x05\xb6\x3d\x4e\x47\x6d\x6c\xdb\x0a\x93\x52\x9b\xcd\xf0\xb6\x0f\x5e\x96\x24\x00\xd8\x26\xde\x7a\x97\x6d\x52\x0e\x54\xac\x6d\x6a\xb3\x2d\x43\xfc\x4b\xdb\x56\xcb\x82\x95\x4d\xb7\xd9\x37\xac\x6c\xb0\xb2\xd9\xe2\x95\x4d\x5b\xe6\x94\x81\xeb\x99\xda\xbe\x10\xd5\xbf\x0a\xce\xef\x47\x72\x8a\x0e\xb2\x03\x91\x7d\xd6\x72\xe5\x61\x57\x6c\x9b\xf3\xb8\x5b\x22\xc8\xed\x0f\x1e\xa6\x63\xb2\x12\x72\xa1\xa0\x57\x59\x11\xa5\xd5\x42\x4e\xbb\xb9\xa6\xe6\x4b\xe5\xcb\xa1\x0f\x3c\xcc\xbe\xdf\x4b\x77\x18\xc7\x1b\xdf\xcd\xc1\xaa\xcb\xa1\x59\xab\x99\xe8\x93\xbc\xb4\x71\xa1\xa0\x3b\xbf\x93\xf6\xf6\x96\x2c\x84\x9e\xa5\x63\x62\xd0\x4e\xd2\x7e\x3e\x68\xc7\x68\x94\xf6\xf8\x97\x28\x29\x14\x74\xe1\x53\x34\xaf\x2a\x70\xc4\x9e\x0d\x1e\x90\x7b\xd8\xb0\x59\x7a\xa4\x50\xd0\xe5\x90\x74\x9c\xa2\x9e\xda\x0d\x9f\xdd\x61\xf7\x7c\x34\x68\x11\xe4\xe8\xfc\x41\xb3\x98\x70\x5b\xfb\x3f\xc1\x23\xf8\xca\x26\x0a\xf5\x3d\x00\xcc\x0d\xb0\xf6\x69\x70\xed\xf3\xbe\x9e\x4d\xbf\xfd\x33\x62\xe1\x73\x84\xa6\xec\x85\x4f\xd3\x4d\x48\x80\xaa\xa4\xc9\x16\x26\xf1\x3f\xee\xb4\x4d\xc8\xde\x9a\x17\x3d\x0e\x5b\xf2\x94\xa8\x7a\xd7\x36\x4b\x82\xe5\x4e\xb7\x99\x34\x2c\x77\xb0\xdc\xd9\xe2\xe5\x4e\xeb\x67\x8e\x81\x6b\x9d\xda\x0c\x7f\x55\x63\xef\xfc\x2a\x24\x27\x69\x3f\xdb\x1b\x89\x5b\xcb\x95\xd7\x3b\x97\x3a\x76\x03\xb7\xc4\x3a\xe7\x43\xc3\x94\x94\xeb\x9c\xf5\x92\xa6\xa7\x94\x5c\x36\x9f\x31\x96\x3b\x22\x89\x87\xcf\xa2\x87\x3f\x21\xe3\x85\xce\x15\xb4\xb4\x79\xa0\x5a\xd4\xd9\xd7\x86\xd8\x1f\xf7\xd3\xdd\x8e\xb6\x8c\xaf\xe7\xcb\x3d\xb5\x65\xfa\x38\x65\x35\xbb\xa4\xa5\xa7\xad\x66\x9b\x94\xf7\x63\x92\x1f\x30\x6d\x5f\x9a\xf3\xab\xec\x73\x6a\xa4\x03\x69\x42\x0e\x36\xc7\x68\x90\x53\x2e\x9f\xde\x76\xaf\xf0\x6a\x49\x39\x82\xa4\x20\x48\x0a\x82\xa4\x20\x48\x0a\x82\xa4\x20\x48\x0a\x82\xa4\x20\x48\x0a\x82\xa4\x20\x48\x0a\x82\xa4\x20\x48\x0a\x82\xa4\x20\x6d\x4e\x0a\xb2\xfd\xd0\x07\xd2\x8e\x20\xed\x08\xd2\x8e\x6c\xa3\xb4\x23\xef\x1d\x16\xf2\x74\x7d\x4c\xc0\x1b\x3b\xd5\x88\x1f\xa6\x14\xfb\x99\xf9\x46\xbe\x39\xc4\xbe\xdd\x4b\x3b\xc5\x8f\x57\x36\xe2\xa1\x37\x78\xe4\x17\xe1\xf8\x2b\xfa\x88\xb1\x85\xff\xe9\x72\xdd\xf1\x5f\x9a\xac\xbc\xb8\x44\x87\x05\xbd\xdb\x47\x13\x9c\xde\x8d\x50\x94\x86\x7c\xf9\xb9\xbc\xf5\x8d\x78\xac\x36\x50\x17\x20\x3e\x3f\x1f\xcc\xf1\xc6\xd8\xa8\xe4\x78\xae\x6e\x97\x24\x4f\x5c\x85\x93\xdb\x85\xfe\xe5\x0e\x67\x27\x3f\xe2\x9d\x01\x44\xf4\xf3\x63\x72\x63\x5b\xba\x3a\x71\x8c\x8e\xd0\x54\x99\x7b\xb2\x8e\xbe\x86\x3b\x12\x0a\x8b\x06\x15\x16\xef\xa9\x52\xf7\x7a\x53\xaf\xff\x09\xa1\xbb\x38\x44\x93\xb6\xee\xa2\xae\x16\x6a\xd4\x56\xb4\xc0\x4e\x44\xdf\x76\xaf\xd3\x4e\xdc\x63\xe6\xe0\xc8\x4b\xdb\xf0\xa8\xf8\xa1\x3d\xa6\x01\x49\x36\x90\x64\x03\x49\x36\x90\x64\x03\x49\x36\x90\x64\xa3\x91\x24\x1b\xed\x4c\x8b\xd1\xdc\x8c\x1e\xb5\x27\xd9\xa8\x6d\x0e\xe0\xf7\xb9\xf7\x9c\x1b\x24\xfe\xcb\x9d\xce\x39\xc0\x93\x01\x69\x33\xc4\xc4\x60\x57\xc1\xd2\x29\xb4\x72\x5e\x00\x35\x65\xb7\xcd\x46\xa0\xa6\x84\x9a\x72\x8b\xd5\x94\x2d\xa6\x41\x81\x52\xca\x16\xac\xf3\x92\x13\x34\xce\x62\x91\x11\xcb\x35\x70\x9f\x53\x4e\xc9\xf7\xbf\x25\x94\x94\x7f\xf6\x02\x4d\x09\x3c\x99\xd2\xb4\x62\x3a\x9b\x2f\xcb\x87\xec\x07\x29\xf9\xd4\x5b\x67\x1f\x7b\x81\xfd\xe3\x01\xba\xc7\x79\xac\xf1\x49\xdc\x2d\x3c\xe6\x45\xe9\xeb\x33\xe7\xd2\xda\x6a\xd8\xe8\xef\xf0\xa2\x71\x70\xf4\x09\x63\xa7\x19\xc7\x91\xce\xcf\x22\xdf\xa5\xc3\x35\x8c\x09\xc8\xf8\x20\xe3\x4b\x40\xc6\x07\x19\x1f\x64\x7c\x90\xf1\x75\x8d\x8c\x2f\xd1\x31\x32\xbe\xa6\x5f\x49\xc3\x32\xbe\x04\x64\x7c\x90\xf1\x41\xc6\x07\x19\x1f\x64\x7c\xed\x97\xf1\x25\xba\x5a\x13\x97\x80\x26\xae\x75\x9a\xb8\x44\xa7\x6b\xe2\x12\xdb\x50\x13\x97\x7c\xb3\xbf\x97\x68\x4e\x80\xc4\x63\x74\x84\x83\xc4\x03\xb4\x8f\x26\xaa\x64\xa1\x72\x20\xab\x8d\x78\x8c\x43\xa3\xc5\xac\x6e\xe9\x43\x1e\xf3\x26\x87\x77\xb0\xdb\x44\xe9\xf7\x37\x06\x83\xc3\xfd\x6c\xaf\x87\x43\xc8\x03\x96\x49\x94\xc8\xaf\x81\x22\xef\xd8\x59\x49\xc5\xee\x16\x1f\xa2\xb0\x22\x01\xd8\x6e\xf1\xff\xf6\x20\xb0\x46\x13\x96\x7a\xf4\x30\x7c\x32\x90\x94\x35\x28\x29\xfb\x93\x2a\x92\xb2\x3a\x13\xd0\x79\x0c\xcc\x86\x32\x99\x7a\xb5\x73\x52\x38\xc6\x4f\xd0\x31\x87\x63\xbc\x81\x86\x82\xed\x50\x41\xab\xdd\x0e\xd5\x68\x7b\x5c\x72\xb5\x6f\x8e\x54\xda\xa1\x90\x94\x24\x38\xf4\x1d\xda\xaa\xb4\x49\xa3\x62\x9b\xdb\x26\xcd\x58\x3b\xb6\xd6\x3a\xb5\x46\xcf\x06\x40\x0b\x40\x0b\x40\x0b\x40\xdb\x3d\x80\x16\xf3\xb3\x80\xf9\x59\xe7\x10\x6c\x68\x89\xdb\xa2\x25\x86\xa3\x00\x8e\x02\x38\x0a\xe0\x28\x80\xa3\xa0\xab\x1d\x05\x08\x29\x41\x48\x09\x42\x4a\x5a\x15\x52\x02\x3f\x1c\xfc\x70\xdd\xea\x87\x4b\x66\x9a\x5c\xb2\x38\x48\x14\x1f\xf5\x46\xca\xf7\xb3\xfb\xc4\xdb\x6c\x5b\xda\x16\xe2\xe5\xed\xa8\x78\x7f\x75\x90\x86\x85\xe2\x5d\x98\xc0\x31\x59\xdb\x72\xac\xa0\xa5\xd3\x59\xbd\xb8\xce\x61\xf0\xca\x7a\x3a\xa3\x96\x74\xf6\x33\x83\xec\x1f\xf4\xd3\xdd\x62\x57\xbb\x52\x72\x75\x7d\xfb\x92\x96\x9e\xb5\x5a\x4a\xf0\x96\xa2\xfb\x8c\x43\x84\xc9\x94\xd5\x91\x3d\xf6\x9a\xd7\x8a\xd3\xb9\x9c\x05\xd9\x9b\x97\x65\xbf\x45\x49\x7c\xd7\x44\x08\xe1\x38\x0f\x21\x34\x06\xfd\x0c\x4d\xd3\x71\x5f\x1f\x89\xfc\x4c\x9a\x15\x51\x3d\x3a\x60\x31\xab\x07\xc7\x83\x04\x79\x75\x2f\x07\x0f\xf7\xc3\xec\x90\x1c\xee\xe2\x9a\xe4\x08\xf7\xb8\x22\x8f\x1a\xa8\x90\xfd\x43\xf6\x8f\xec\xbd\xf0\x2a\xc1\xab\x04\xaf\x52\xf7\x78\x95\x90\xbd\x17\xd9\x7b\x41\xf3\x41\xf3\x41\xf3\x41\xf3\x3b\x82\xe6\x23\xb7\x2e\x72\xeb\x6e\x17\x7e\x89\xdc\xba\xad\xc8\xad\xfb\xd6\x61\x3a\x20\x50\x9e\x5e\xd2\x8a\x4a\x46\x75\xe4\xad\x10\x95\xc0\x36\xb4\xdc\xfa\x9a\xaa\x94\x4a\x4a\xea\xaa\xb3\xda\x31\xfb\xfc\x10\xfb\x61\x3f\x91\x3c\xee\xca\x46\x3c\xf4\x29\x59\xee\xcb\x59\xe3\x2b\x6f\x1a\x33\x93\xec\x5d\xe2\xed\x4d\x5b\xed\x35\xa5\xc8\xd7\x88\x3d\x83\xe1\xb3\x34\xf9\xbd\x33\x26\x41\xf6\xd4\x6c\xd0\x35\x1b\x76\xb4\x1d\x8b\x3e\xc6\x4f\xb7\x2c\x6e\xe5\x52\xbc\xfc\x1a\x3b\x1d\x22\x6e\x45\x25\xb0\xba\x10\xa1\x7b\x70\x49\x54\x58\xde\xcb\xee\x2a\x60\xfe\x29\x6b\xf8\x8d\x83\x21\x82\x21\x82\x21\x82\x21\x82\x21\x82\x21\x82\x21\x82\x21\x82\x21\x82\x21\x82\x21\x82\x21\x82\x21\xb6\x9b\x21\x1e\xa5\xc3\xec\x50\x64\xd2\x12\x30\xed\x72\xa6\xf9\x2c\x5f\xe3\x55\x66\xfc\x04\x82\x04\x82\x04\x82\xec\x62\x04\xf9\x2d\x46\x93\xc6\xa3\xab\x92\x2a\xb7\xa0\xa5\x4d\xec\x38\x56\x28\x6a\x2f\xde\x1c\xfb\xbb\x86\xa9\x79\x89\x7d\x80\xb1\x7f\xd6\x4b\x77\xa4\xb4\x22\x07\x90\x4f\xa6\xb4\x7c\xde\xb0\x7a\x27\xe7\x2e\xd8\xd8\xa7\xa4\x85\xf9\x41\xc6\xf5\x2f\x69\xe9\x68\x54\xee\x35\xa3\x15\xd5\x4b\xf1\x93\x6a\xc9\x0e\xc9\x5f\xd2\xd2\x4b\xc6\xae\xcf\x64\x4b\x57\x97\x94\xd2\xd5\x89\xbe\xe8\x58\x54\x30\xb6\x49\xda\x25\x18\xdb\x83\x74\x3f\x67\x6c\xaf\xa3\x3b\x3f\xde\xb3\x83\xe4\xf0\x08\xe4\x65\x4f\x78\xf3\x2c\x62\x3b\xe4\xe5\xd0\xb5\xa7\x83\x91\x5a\x8c\x8d\x78\xe4\x52\x89\x44\x6c\xf5\x1d\xbf\x7e\x19\xb8\x4f\x21\xcf\xde\x59\xba\x58\x73\xef\x2c\xad\xb7\xa7\x77\x6a\xbb\xf5\xa0\xdb\x75\x01\xc4\xe0\x0e\x8f\xfc\x73\x47\xef\x3c\x65\xf5\xce\xb9\xe5\x2a\xdd\xb3\xc7\xdd\x3d\x9a\xbe\xcd\x46\x4f\x3d\x5d\x18\xfd\x39\x47\xff\x0c\x9a\xfd\x33\x3b\xb7\x38\x77\x61\xce\xbf\x87\x46\x5d\x3d\x24\x12\x49\xdc\xba\x7d\x34\xf1\xf3\x8e\x3e\x1a\x32\xfb\xe8\xdc\xd2\x85\x85\x73\x67\x97\xfd\x3b\x29\xe6\xea\x24\xd9\xf0\xf6\xea\xa5\xe0\xbe\xb1\xfb\x71\xca\xf3\x4d\x3b\x35\x37\x3d\x5b\xeb\x9b\x76\x4a\x55\xd2\xdb\xab\x7f\xea\x19\x45\x89\x9f\x75\xf4\xcf\x80\x65\x89\xa6\x2f\xcc\x9c\xf2\xef\xa0\x11\xb7\x29\x32\x3e\xac\xb7\x6e\x0f\x25\x8f\xd0\x14\x3b\x18\x39\x60\x2d\x33\x1e\x71\x2e\x33\xca\x8e\xdc\x8a\xba\x02\xfb\x69\x2f\x8b\x47\xc6\xac\x33\x3c\x60\xfc\x6b\xce\xb4\xcc\x79\x50\x84\x6f\x73\x1e\xa6\xd0\x15\xf6\x42\xe8\x4d\xe6\x6c\x6d\xda\x78\x56\x7c\x5d\x7f\x55\x0d\x5f\x3c\xbf\x18\x36\x5b\x59\xd7\x55\x6b\x8a\x99\x5a\x2f\x16\x8d\xa5\x9c\x18\x0d\xe6\xe2\xc4\x18\x1e\x5a\x3a\x26\x4e\xe1\x0c\xd7\xf8\x91\x41\x7a\xc8\x9c\x60\x19\x4b\x97\x6c\x4a\x55\x52\x29\x6d\x3d\x5f\xd2\xd9\x77\x07\xd8\x37\xfb\xec\xa1\x37\x52\x3d\x2a\x63\x59\x1c\x3d\x2d\x8e\x8e\x0e\x89\xf2\x03\xc6\xe8\x73\x6f\xd9\x6e\x41\x18\x8a\x48\x7b\x35\xce\xd3\x5e\x19\x6f\xc4\x24\xed\xa7\xbd\x55\x12\x55\x15\x55\x1e\x67\xe4\xba\xe9\x9a\x02\x2f\x96\x82\x5f\x8c\x51\xb6\xa7\xda\x14\xcf\x7d\x52\x0a\x0a\xe5\x80\x9b\x14\x6e\x52\xb8\x49\xe1\x26\x85\x9b\x14\x6e\x52\xb8\x49\xe1\x26\x85\x9b\x14\x6e\x52\xb8\x49\xe1\x26\x85\x9b\x14\xa1\x16\xf0\x73\xc2\xcf\x09\x3f\x67\xbb\xfc\x9c\xbf\x7a\x99\xf6\x88\x50\x0b\xc5\x58\x74\x65\xb2\xbc\x40\xb4\xbb\x54\xa8\x5c\xea\x67\x53\xaa\xce\xfe\xde\x65\xf6\x99\x01\x62\x65\x3b\x73\x37\x43\x75\x4a\x37\xbd\xb4\x20\x21\x51\xf4\x71\x63\xcf\x69\x77\x0b\x97\xe2\xf6\x0e\x1d\x0e\xe6\x50\x1e\x14\xf0\x0a\xe5\x41\x01\xaf\x00\xaf\x00\xaf\xba\x08\x5e\x75\x50\x72\xf5\x8e\x81\x57\xc8\xfa\x0d\x78\x05\x78\x05\x78\x05\x78\x85\xf2\xa0\x48\x4b\x7c\xeb\xb0\xa6\x8e\x4f\x4b\xbc\x2d\xcb\x83\xbe\xe4\x5f\x23\x70\x45\x28\x9d\xde\x44\xcf\x72\xa5\xd3\x32\x3d\x4d\xe7\x3c\x95\x4e\xc6\x00\x19\x55\x32\x19\xa3\x17\x4b\x5a\xd1\x4e\x16\x51\x8e\xaf\x36\xe2\x31\x9b\x28\x39\x6b\x87\xbe\x39\x58\xec\x74\x94\x1d\x96\x02\x27\x6f\x28\xe6\xd2\x00\x0a\x01\x94\x7d\xae\x40\xf1\x53\xe4\x9d\xe4\x09\xd0\x1e\x30\xcb\x88\xe6\x9d\xb0\xec\x09\xf1\x6b\x3b\x70\x99\xa0\x5b\x0a\x5d\xa1\x17\xca\x4a\x89\x9e\xa1\xd3\x4d\x7c\x1a\xa8\x63\x85\x3a\xa3\x0d\xd6\x19\xfd\x5c\x2f\x5d\x16\xa6\xe2\x19\xba\xc8\x4d\xc5\x39\x6a\xee\xe0\xa4\x94\xa8\x35\xfa\x3c\x3d\x67\xd7\x1a\x6d\xfa\x49\xd2\xa2\x10\xe9\x0b\xf4\x26\x47\x21\xd2\xa6\x9f\xa5\xf1\x84\xdb\xa2\x7c\x69\x6d\xa6\xb2\xc2\x00\xd6\x6e\x3b\xa3\x7f\x34\xe2\x69\x0a\x1f\xf7\xac\x64\xea\xb0\x8a\x7b\xc4\x0e\x15\x56\xd1\xae\x68\xda\x32\xfb\x88\x62\xa6\xc0\xc9\xc0\xc9\xc0\xc9\xc0\xc9\x28\x66\x8a\x62\xa6\x28\x66\x8a\x62\xa6\x70\x6b\xc0\xad\x01\xb7\x06\xdc\x1a\x70\x6b\x34\xc5\xad\x81\x62\xa6\x28\x66\x8a\x62\xa6\x28\x66\x0a\xaf\x21\xbc\x86\x5d\x54\xcc\xb4\xe5\x7e\xb9\xe6\x97\x1c\xfd\x57\xbb\x68\x51\x88\xe7\x53\x6a\x51\xba\x45\x55\xdd\x56\xce\x8b\xfa\xa3\xce\x6d\xd9\x4c\x3e\x9b\xcf\x98\xb3\x2a\x33\x7b\x98\x52\x28\x14\xb5\x0d\x25\xc7\xbe\xfe\x08\xfb\x6e\x1f\x3d\xe0\x3c\xc2\xaa\x4d\x7a\xb0\xa8\x2a\xe9\xb0\xb9\xab\x39\x3a\xec\x89\xf3\x8c\x7d\xd0\xb2\x38\xcd\x79\x71\x9a\x28\x3f\xd2\xb1\x59\x97\x85\x4a\x7d\x8f\x98\x96\x27\x69\x2e\x39\x4f\xae\xd3\x73\x62\xf4\x2d\xd3\xd3\x7c\xf4\x9d\xa6\x05\x3a\xe9\x9f\xd0\xc2\xd9\xa7\x66\x6d\x51\xdf\x6b\x0e\x1c\x8b\x6f\x09\x1e\x5f\x67\xd9\xa2\x59\x2c\xb7\xf2\x79\xca\x01\xe5\x7f\x01\x15\x05\x45\xaf\x3d\xea\x3d\xfc\x6f\x67\xfd\x19\xb5\x44\xa1\xef\xed\xf4\x79\xd4\x87\x8b\x6a\x21\xa7\xa4\xd4\x86\x9e\xb6\x79\xf0\xd6\x3f\xf0\xc4\x0b\xf4\x26\x7a\xb6\xcc\x95\xdc\xbc\x27\x0e\x82\x08\x37\x72\x83\x6e\xe4\xdf\xe9\x69\xa9\x29\xba\x22\x5c\xc8\x6f\xa4\x4b\xb6\x0b\xb9\x7b\x6d\x5d\x61\xbd\x44\x89\xef\xdc\xe5\x63\xeb\x66\x0b\x4a\xb1\x94\xe5\x8e\x35\xb1\x24\x6f\xc8\xe8\x1d\x2a\x18\x33\xaa\xad\x35\x79\x8f\x94\x37\x34\xca\x2f\x6a\x8f\xf1\xe7\xd4\x2e\xe7\xc6\x35\xb5\x98\x51\x9d\x5b\x07\x9c\x5b\xf9\xa4\x46\xcd\x64\x53\xa3\x15\xfb\xb9\x5a\x31\xfe\xbe\x29\xb7\x1a\x57\x99\x38\x4b\x8b\x94\x2c\x33\xb7\x53\x74\xb0\x81\xe9\x1d\x4f\xdb\x06\xfb\x1a\x64\x5f\x3f\xda\x47\xaf\xf4\xb1\x0f\xf7\x85\x3e\x68\x51\x85\x97\xfb\xba\xc7\xbe\x96\x31\x55\xa3\x9f\xb9\xaf\x9a\x73\x7f\x63\x70\xda\x01\x90\x43\x3e\x03\x77\x98\xc3\x11\x21\x6d\x50\x72\xfc\xc8\xbc\x96\x1f\x15\x47\xf3\x3d\xb8\x63\x46\x0f\x0f\x25\x75\x2d\xbf\x24\x22\x01\xcf\x18\xaf\x85\xfc\x7b\xd9\x7c\x59\xec\x1f\x87\xfd\x0d\x7f\xe2\xcb\x3d\xf4\x5a\x0f\x7b\xb5\x27\xf4\x79\x6b\x85\xf6\xa1\x9e\x79\xcd\x58\xcf\x67\xf5\x70\x46\xe3\xdd\xae\x85\x23\xab\xc6\x4f\x91\xf0\xb4\xeb\x2e\xf8\xd2\x56\xb8\x77\xd6\x75\xdb\x49\x3d\xaa\xa4\xf8\x8d\x73\xd7\x7f\x2e\x9b\x92\xdc\x46\xcd\xa5\xf5\xb0\x76\x43\xf6\xa9\x70\x8d\x17\x54\xad\x90\x53\x63\x61\x71\x46\x1e\xba\x69\x3e\x4b\xbe\xc4\xf4\xec\x00\xeb\xf4\x91\xdb\xf8\x65\xb9\x34\x95\x5b\x3b\xa7\xf6\x2f\x87\xc5\x2f\x9d\x6a\xfc\x10\x55\x7c\x4d\x36\xf1\x65\x4a\xce\xd3\x2c\x4b\x44\x4e\x58\x29\x0f\x9f\x72\xa6\x64\xf4\x3d\xae\xf5\x29\xe0\xd9\x77\x86\x68\xc2\xa7\xaa\x9d\x58\x28\x8a\xd2\x76\x29\x3d\x9b\xd7\xd2\xaa\x55\xd1\xee\x63\x43\xec\x4f\xfb\xe9\x1e\xbb\xa2\x9d\xf8\x6e\x7e\xa4\x96\xb2\x76\x33\xcb\x0b\x67\xb5\xb4\xda\x11\xd5\xec\x42\xee\x6a\x76\xe2\xeb\x2c\xae\xaf\xc3\x03\xbe\xb7\xa4\x92\x5d\x50\xa5\xb9\x6b\xcf\x05\xbf\x5a\x93\x6c\x7f\xb5\x52\x77\xb2\xf7\x2b\x27\x73\x48\xcf\x88\x08\x77\xa4\x67\x84\x24\x11\x92\x44\x48\x12\xbb\x48\x92\x88\xf4\x8c\x48\xcf\x08\x29\x18\xa4\x60\x90\x82\x41\x0a\xd6\x11\x52\xb0\xe4\x3e\x9a\x60\xe3\x91\x98\xc5\x32\xee\x77\xb1\x0c\xb1\x7c\x43\xf1\x3a\x24\x75\xdc\xb6\x92\x19\x24\x75\x6c\x45\x52\xc7\x8f\x0e\xd2\xb0\x20\x8d\x79\xb5\x74\x43\x2b\x5e\x37\xe6\x78\x65\xb0\x91\xcb\x50\x74\x5d\xd5\xd9\xdb\x06\xd9\x5f\xf5\x11\xb3\x77\xb5\x18\xe3\x53\xd5\x53\x3a\x2e\x88\x26\xa2\xbc\x3e\xcb\x59\xeb\x70\xc9\xf6\xe4\xd6\xed\x56\x75\xc5\x3f\x6a\x96\x92\x02\x02\xce\xd0\x34\x87\x80\x87\xe9\x10\x4d\xfa\x92\x76\x47\xcf\x9b\x9c\x5d\xf6\x88\x33\x19\x41\x40\xaa\x80\x6b\x2f\x04\x43\xbe\x29\x76\x50\x42\xbe\x8a\x87\x2d\x39\x9f\x3c\x2f\x38\x1f\x38\x1f\x38\x1f\x38\x1f\x38\x1f\x38\x1f\x38\x1f\x38\x1f\x38\x1f\x38\x1f\x38\x1f\x38\x1f\x38\xdf\x96\x73\x3e\x10\x3b\x10\x3b\x10\xbb\x2e\x26\x76\x6f\x8d\xd2\x29\x41\xec\x44\xc8\xeb\xd8\x86\x29\x07\xb4\xca\x3a\x4b\x41\x20\xff\xfb\xa5\xb1\x82\x96\x4e\x67\xf5\xe2\x3a\x5f\x99\xaf\xac\xa7\x33\xaa\x15\x4e\xc6\x3e\x31\xcc\x5e\xbe\x8d\x76\x8a\x96\xae\x6c\xc4\x43\xbf\x5a\x8b\x56\x70\x49\x4b\xcf\x5a\x2d\x26\x78\x8b\x1d\xa1\x1b\x8c\xf2\xd3\x89\x38\xde\x4b\x71\x57\x2d\xf1\xf2\xeb\xed\x74\xb6\xd8\x91\x3a\xc2\x67\x83\x11\xe3\x01\xb6\xcf\xa3\xf8\xb3\x18\x5f\x76\x95\xf4\xf2\xa7\x01\xbc\x08\xbc\x08\xbc\x08\xbc\x08\xbc\x08\xbc\x08\xbc\x08\xbc\x08\xbc\x08\xbc\x08\xbc\x08\xbc\x08\xbc\xd8\x6e\xbc\x78\x82\x8e\xb1\x23\x91\x29\x4b\x46\xf8\xb8\x53\x46\xe8\xb1\x72\xab\x94\x14\xbe\x99\x2e\xb3\xe7\x23\xcf\x59\x2d\x4c\xc9\x6b\x17\xa1\xcd\xc6\x14\x69\xbd\x74\x35\xac\xa7\xb4\x82\x3a\x12\xd6\xd7\x53\x57\x8d\xe7\xc7\xe7\xc0\xaa\xb2\x26\x80\x4a\xa1\xa8\xf1\xbe\x8a\xec\xb4\x30\x06\x44\x8b\x40\xa0\x40\xa0\x40\xa0\x1c\x81\x7e\xeb\x11\x3a\x5b\x86\x40\x85\x52\xb1\x7e\x02\x3a\xa6\xf3\xf4\x64\xec\xc7\x1e\x61\x9f\xea\xa3\xbb\x2d\x10\x2a\x54\x8d\xe3\x3c\x91\x96\xd8\xa5\x32\xc7\x88\x87\x39\x8c\xee\x33\x8e\x30\x09\x24\x6f\xa4\x2a\x86\x14\xc9\xd1\x9a\x9c\x3c\x2b\x4b\x67\x05\x3b\x3c\x49\x73\x9c\x1d\x1e\xa7\xa3\x74\xd8\x57\x7e\x28\x93\x3d\x9a\xd2\x43\x2f\x3c\x17\x44\x0e\xab\x67\xaf\xba\x76\x39\x98\x1b\x1e\x66\x87\x6a\x65\x85\x15\xda\xc4\xd0\xfb\x77\x56\x3c\xb9\xbd\x66\x5e\xac\x7a\x1e\xde\xa4\x3c\x68\x6b\x9f\x5f\xe2\x69\x32\xbe\x70\xee\xe4\x2c\x9b\x7b\x80\xc8\xcf\x82\xfc\x57\x0d\xe6\xbf\xfa\x4c\x4f\xd3\xad\xc9\xb2\xc8\x79\xb5\x48\x49\x3b\xe7\xd5\x16\x9a\xa8\xc2\x7a\xeb\x4d\x54\xe2\x97\xef\xaa\x30\x51\x47\x2a\xd2\x59\xd5\x63\xab\xf6\x17\x9c\xbe\xae\xf6\x5b\x2a\xa4\xb0\xea\x36\x13\x89\x14\x56\x48\x61\xb5\xc5\x29\xac\xda\x3f\xb3\x0d\x4c\x5b\xd5\xe2\x0f\x47\x57\x02\x19\xf6\x13\xc3\x74\x44\xe6\xbf\x4a\x5d\x55\xd3\xeb\x39\x8f\xa8\x34\xa1\x79\x29\x14\xb3\x5a\x31\x5b\xba\x99\xca\x29\xba\x6e\x67\xc2\xfa\xad\x21\xf6\xae\xdb\x88\xd9\x47\x5b\x5f\xdd\x4f\xd6\x24\x70\x91\xad\xce\x18\xad\x76\x84\xb4\x65\xb7\x48\x89\x65\xdd\x8f\xfc\xe4\xbb\x2e\x14\x9a\x96\xca\xf7\x37\x15\xfc\x7a\x9e\x60\xc7\xcc\xd4\x57\xe5\x83\xcd\x7c\x53\x9d\xbd\xec\x91\xd0\x34\x48\x38\x03\x75\x0b\xd4\x2d\x50\xb7\x40\xdd\x02\x75\x0b\xd4\x2d\x50\xb7\x40\xdd\x02\x75\x0b\xd4\x2d\x50\xb7\x40\xdd\x02\x75\x4b\x9b\xd5\x2d\x53\x74\x90\x1d\x88\xec\xb3\x50\xc8\xc3\x2e\x98\xe2\x5c\xe5\x21\x55\x16\x54\x27\x50\x9d\x40\x75\xe2\x50\x9d\xbc\xb3\x8f\x22\xb2\x84\x9b\xa6\x15\xd3\xd9\xbc\xb3\x9e\x9c\x85\x25\x19\x2f\x7f\x4e\x0f\x38\xf7\xb1\xe0\xe3\x43\x19\xb5\xe4\xfe\x5e\x8b\xbb\x89\x46\x32\x6a\x69\xc6\x71\x84\xc4\x7b\xd3\x4b\x0b\xe6\x2a\xb1\x89\xae\xbb\x8a\x86\xa6\x2a\x1a\x9a\xaa\xa5\xa1\x64\x81\x2e\x0a\xa0\x77\x96\x16\x39\xd0\x9b\xa7\x59\x4a\x34\x00\xf4\x1c\xf7\xb9\x98\x0d\x2e\x26\xc1\xfe\xeb\xb0\x19\x03\xe9\x95\xb5\xac\x7a\x38\xa4\x95\xcd\xcc\x64\xc5\x3f\x3d\xcc\xfe\xa2\x9f\x5e\xe7\x4a\x6a\x56\x5b\xcd\x04\x99\x2d\xab\x23\x00\x71\x84\x9f\xce\x99\x5a\xcd\x76\x07\xcb\xeb\x04\x1f\x6e\x20\xe6\xf1\x8d\xc1\x00\x79\x3f\xdb\x5b\x7f\x5a\x35\x40\x61\x40\x61\x40\x61\x40\x61\x40\x61\x40\x61\x40\x61\x40\x61\x40\x61\x40\x61\x40\x61\x40\x61\x40\xe1\x8e\xaa\x9c\x20\x57\x6e\xb7\x82\xaa\x0e\xc0\x19\xc0\x19\xc0\x79\x1b\x01\xe7\xbf\x37\x4c\x27\x1b\xa5\x9c\xf2\x08\x2e\x38\xce\xaa\x3a\xfb\xcc\x10\xfb\x4a\x05\xe4\xbc\x29\xbf\xc2\xf9\x74\x76\x23\x9b\x5e\x57\x72\x2e\xdc\x69\xcd\x78\x25\x54\x14\xb1\x26\x4d\x81\x9d\xb1\xe8\x48\x15\x5c\xe9\x3a\xdf\x62\x56\x47\xb2\x36\x0f\x70\x59\x9b\xee\x5c\xe0\x47\x57\x87\x92\x47\x7e\xb6\x4a\x6e\x79\x6d\xb7\x37\x18\xbd\x8b\x11\xbf\x71\x5e\x73\x02\x08\x13\x08\x13\x08\x13\x08\x13\x08\x13\x08\x13\x08\x13\x08\x13\x08\x13\x08\x13\x08\x13\x08\x13\x08\xb3\xcd\x08\x13\x30\x12\x30\x12\x30\x12\x30\xb2\x85\x30\xf2\x5d\x7d\xb4\x5b\xc0\xc8\xe2\x8a\x92\x8a\x99\x40\xaa\x4c\x03\x6b\xc9\x5f\x8d\x9d\xa6\x9d\xfb\x5c\xd9\x08\x90\xbf\x9e\x2f\x3f\xe2\x12\xe4\xaf\x3e\xf2\xd7\xef\xbd\x81\xe2\xc6\xb3\x30\x3a\xdc\x3f\xe5\x5d\x79\x8a\xbb\x4f\xbc\x81\x7d\xad\x97\xee\x48\x69\x45\xd5\x78\x18\xe1\xa0\xdc\x76\xd1\x47\x8d\x3d\x66\xb4\xa2\x5a\x56\x4b\xa3\x25\x49\xeb\xce\xd3\xa4\xe8\xcc\x71\x8a\xf1\xce\x1c\xa2\x01\x7a\xd2\x37\xb5\x87\x71\x17\x3c\x77\x8f\x96\xde\x6c\x76\xba\xb9\x60\x92\x1a\x61\x61\x49\x4a\x23\x11\x3b\x7b\x87\x8b\xa4\x86\x7e\x72\x87\xdd\xb7\xbb\x6b\xc8\x3e\x17\x0d\xcb\x9d\xda\xd4\xc3\x89\x29\x3a\x48\x07\xca\x12\x26\xd5\xd8\xc5\x48\x8e\x84\xfc\x71\x0d\xe6\x8f\x7b\x77\x4f\xe3\x2f\xf6\x11\x91\x28\x6e\x3f\xed\xb5\x13\xc5\xb5\xc3\x2c\xf0\x8c\x70\xb5\x99\x05\x0f\x67\x8a\xcb\x44\x24\xfe\xf3\x9d\xb6\x59\x18\xa9\x27\xe3\x5b\xf4\x31\x9e\x61\xa8\x0d\xd6\x01\xa9\xdc\xba\xcd\x5a\x21\x95\x1b\x52\xb9\x6d\x71\x2a\xb7\x16\xce\xf7\x6a\xb3\xdc\xde\xd3\x38\xdb\x86\x07\xa6\x7e\x4b\x8e\x53\xec\xff\x63\xef\xcf\xe3\xe3\xc8\xaa\xbb\x61\xfc\x53\x2d\xaf\x77\x56\x0a\xc2\x30\x9a\xad\xa6\x3c\x63\x2d\x96\x5a\x96\xed\x19\xdb\xf2\x78\x3c\x6a\x49\xb6\x25\x6f\x42\xf2\xd8\xc3\x30\x33\x76\xa9\xfb\xaa\x55\xe3\x52\x55\x53\x55\x2d\x59\x2c\x09\x30\x84\x40\x58\x03\x09\x10\xc3\x43\x12\xe0\x19\x06\xc2\x12\x48\x42\x02\x24\x64\xe1\x47\x02\x21\x21\x04\x92\x90\x10\xc8\xf2\x23\x4f\x12\x92\xbc\x3c\x7c\x42\x12\xc2\x24\x6f\xf2\x7e\xee\xb9\xb7\x6e\xdd\xea\xae\x5e\xd4\x6e\xc9\xf2\xe8\xcc\x1f\x9e\x56\x2d\xf7\xde\xba\xcb\xb9\xe7\x7e\xcf\xf7\x9c\xa3\xf7\x99\xbd\x12\x75\xb9\xa1\x22\x34\xdb\x33\x81\x34\xa6\xff\x73\x17\xb9\x2d\x3a\x6b\x70\xc6\x49\x40\xfd\x05\x3b\x4f\xad\x7c\xde\x2b\xbb\x61\xa0\xff\x5e\x97\xfe\x99\x0d\xf1\x26\xf7\xe2\xe6\x48\x25\xd3\xbc\x94\x61\x5e\x4a\x9b\x58\x25\xfd\x8b\xf1\x96\x99\xac\x80\x9d\xab\x0e\x7b\xfe\xb0\xe3\xc8\xad\x14\xfd\xe1\x52\xd6\x4e\x33\xb4\x8f\xc7\x27\x1b\x2f\xb0\x7e\x7d\x07\x5f\x60\xc9\x61\xa8\xb1\xd6\x90\x48\x82\x44\x12\x24\x92\x20\x91\x04\x89\x24\x48\x24\x41\x22\x09\x12\x49\x90\x48\x82\x44\x12\x24\x92\x20\x91\x04\x89\x24\xab\x4c\x24\x41\x9a\x07\xd2\x3c\x90\xe6\xb1\x8e\x69\x1e\xbf\xfc\x28\xa7\x16\x04\x03\x56\xa9\x14\xd4\x21\x18\x04\xa1\x15\xd2\xd9\xb2\xc3\xd6\xae\xfe\x3f\x8f\xe8\xaf\xda\x4e\x36\xb3\x57\xce\x2d\x0c\x76\xf6\x70\xfd\xd0\x17\x3b\x5b\x24\xfa\xa2\xb0\x59\xd3\xe2\xd5\x69\x1a\xf6\xde\xc1\x1e\x1d\x2e\x95\x02\xd5\xc6\xa5\x3c\xb0\xc6\x31\xba\x1c\x02\x57\x08\x5c\xe5\x10\xb8\x42\xe0\x0a\x81\x2b\x04\xae\xd6\x0d\x70\x95\x5b\x33\xc0\x55\xdb\x5b\xd2\x32\x70\x95\x43\xe0\x0a\x81\x2b\x04\xae\x10\xb8\x42\xe0\x6a\xf5\x81\xab\xdc\xba\xc6\x99\x72\x88\x33\xad\x1c\xce\x94\x5b\xeb\x38\x53\xee\x2a\xc4\x99\x26\x1e\x23\x23\x9c\xdb\x74\x1f\x19\x02\x6e\xd3\x1e\xb2\x8b\xec\xac\x49\xff\xb3\x4a\xa5\x20\xbb\x30\x98\x55\x90\xa1\x66\x3c\x65\x1e\xbf\x3d\x9d\xce\xb4\x59\xdf\xc8\x99\x4c\xa7\x1a\x33\x99\xfa\xf4\x5e\x41\x54\x62\x8d\x10\xd4\x6e\xa5\x1d\x09\x4a\x93\xf9\xdd\x2d\x31\x0c\xf6\x1c\xbe\xeb\x18\x56\x02\xf1\xba\x93\x5f\x5d\x0d\xcc\x8b\x43\x54\x39\xf2\x00\xb9\xbf\x82\x5d\x9d\x25\x7d\xcb\xe9\x6b\x64\x54\xa3\xff\x47\x8b\xfe\x1f\x7f\xaf\xd5\x5c\xa4\xe4\x10\x17\x01\xfb\xc8\xbd\x20\x02\x76\x92\x65\x4e\x4b\x32\xca\x1d\x44\x0e\x92\x03\xb1\x83\xc8\xf2\x4b\x19\x63\xa5\xec\xd2\xef\x27\xf7\x91\x2d\xc3\x79\xb6\x91\xb4\x52\x4c\x63\x91\x53\xf2\x56\x42\xe4\xf4\xfe\x61\x5f\x2c\x72\x84\x4a\x6b\xe4\x3d\x87\x1d\x50\xc5\x86\xa3\x8a\x9f\x1d\xfc\x09\x2e\x7e\x46\xe4\x63\xab\x21\x88\x4e\x93\x29\x32\xa9\x0a\xa2\xde\x1c\x79\xa0\x05\x3a\xeb\x28\x7c\xc1\x29\x80\x54\x03\x04\x5f\x11\x7c\x45\xf0\x15\xc1\xd7\x75\x04\xbe\xa2\x32\xd6\x40\x19\x5b\x3b\xe8\xf4\xdf\x66\x08\x04\x44\xe8\xfc\x0b\x39\x54\x1f\xcb\x9c\x56\xcf\x83\xb6\x6b\x04\xfc\x4c\x67\xcc\xd0\x59\x6e\xca\x95\xb8\x49\xbc\x65\x89\x55\x02\x9d\xa5\xa8\x7d\xae\xe7\xf6\xbb\xb4\x68\xc1\x90\x88\x23\xa1\xaa\x1e\x72\x04\x55\x4e\x06\xa1\x1d\xd8\xf3\xf3\xb4\xc0\x14\x50\x67\x29\xb6\xb1\xc6\xa2\xdd\x76\xfa\xc4\x49\x11\x3e\xd7\x28\xfa\x56\x1e\xe6\x89\xed\x15\xe4\xc6\x13\x6f\x0e\x60\xbe\x8e\xc6\xa5\x1c\xb0\x46\xaa\x1d\x65\xb1\x37\xa3\x0f\x12\x95\xcc\xf2\xf5\x16\x15\x91\xe5\xed\xe4\x1e\x6a\x29\x6d\x34\x75\x68\xc2\x24\xb4\x20\xed\x04\x8c\x46\x00\x34\x02\xa0\x11\x00\x8d\x00\x68\x04\x58\xd7\x46\x80\x3f\xca\x90\x2f\x65\xf4\x2f\x66\x3a\x3f\x2f\x77\xdb\x9f\xcd\x8c\x2a\x8e\xa5\x25\x87\x5a\x01\x95\x4b\x7f\xd2\xf7\x4a\x56\x11\xf6\x61\x1e\x1b\x3b\x41\x01\x8a\x86\x3b\xf6\x4c\x65\x03\x3e\x98\xdd\x9b\x35\xa6\xb9\x1c\xe1\x9b\x64\x89\xba\x6c\x9a\xc6\xbb\x08\x35\x3c\xbf\x34\x67\xb9\x11\x25\xc9\x2f\xd3\x81\x59\xcb\x89\xb4\x7f\x93\xdf\x35\x8d\x59\xdb\xb5\x1c\xfb\xc5\x91\xf8\x9e\xa1\x86\x55\x00\x44\xdd\x1b\xe0\x00\x6b\x21\x56\x2d\x79\xe1\x5d\x41\xfc\x12\xd7\xb7\xb3\xc6\x98\x0d\x22\x49\x69\xb8\xe7\x57\x7f\x59\x6c\xc5\x08\xb9\xba\x0f\xda\x9f\x17\xce\x65\xcd\x1b\x79\x7b\x46\xa3\x0f\x49\x72\x9b\x5e\xb3\x81\xfc\xe8\x06\xfd\x95\x1b\x3a\xff\x47\x12\xdc\xbe\xd6\x71\x56\xc8\x41\x36\x45\xe7\xbc\x45\xa3\x68\xf9\x33\x56\x31\x01\x3b\x48\x45\x8d\xfa\xb3\x9e\x3f\xcf\xfa\x22\xb5\xa5\xa7\x2a\x2a\xaf\xdd\x50\x50\x6b\x22\x9d\xa4\xc4\xbf\xca\x66\xfa\x42\xde\x2e\xc4\x8a\x35\xec\x8d\xdc\x91\x3d\xea\x5d\xb6\x39\x89\x9d\x23\xda\xfd\xb2\x4a\x37\x46\x72\x53\x9a\x0e\x24\xad\x2d\x59\x59\xd6\xe0\xe0\x10\xc8\x62\x55\x5b\xed\xe2\xdf\xd0\xc5\xce\x3c\xf0\x2b\x39\x31\x82\x03\x46\x57\xce\xca\x5f\x28\xfa\x5e\xd9\x2d\xb0\xa7\x80\x4f\x06\x0f\x55\x74\x1c\x57\x56\x84\x06\x94\x2c\x24\xfa\x82\x19\x59\xd2\x01\xa3\xeb\xb0\xe7\x53\xa5\x58\x23\x6f\x05\x79\xab\xc0\xbe\x5e\xf4\x0f\x67\x10\x42\x79\x01\x57\xa7\xab\x0a\x9c\x95\x65\x64\xcd\x67\x95\x2a\xe7\x8d\xaa\xdb\xa0\x8d\x0d\x6d\x6c\xeb\xd4\xc6\x36\x51\x24\xc7\x39\x58\x3d\x46\x46\x00\xac\x3e\x48\x0e\x90\xfd\x2d\x80\x97\x3c\x78\x4f\x43\xc3\x55\x73\x28\x71\x7d\x64\x58\xc5\x90\x1f\xef\x4d\x87\xa5\x9f\xad\x3f\x8b\x8b\x87\x58\x74\x93\xab\x31\x4c\xc5\x7f\x67\x48\xa7\xe0\xad\x97\x43\x2f\xc8\x5b\x8e\xed\x16\x07\x16\x76\xcd\xd0\xd0\xda\x35\xa0\xff\x55\x46\xff\x46\x86\x3c\x5b\xb9\x77\x4e\xdc\xab\x1d\x94\xf0\xce\x22\x0d\x87\xe3\x17\xce\xf0\xe7\x31\x26\x61\x7a\x4c\xc2\xa7\x7a\xc9\x43\x8d\xe3\x43\xf2\x1c\xe9\x75\x33\xd7\xf8\x9e\x43\x67\x6c\x97\xed\x62\x32\x45\xf7\x17\x7b\xf4\xf7\x6e\x24\x37\xa7\x05\x95\xe4\x89\xd5\x3f\xde\x4c\xba\xee\x29\xcf\xa1\x39\x5e\xf2\x9a\x48\xd9\xbd\x0b\xaa\x4b\x89\x7b\x09\xdf\x14\x5b\x64\x94\x76\xaf\x71\x77\x88\x2b\x12\xb2\xc4\x6e\x2c\x2a\x0f\xeb\xa3\x42\x18\xd6\x9c\x9c\xc2\xca\xa6\xf4\xb5\x2a\x4b\x61\x44\xea\x85\x04\xe2\xd9\xc2\x31\x8e\x09\xba\x83\x60\x1c\x13\xb4\x48\xa2\x45\x12\x2d\x92\xeb\xc8\x22\x89\x71\x4c\x30\x8e\x09\x5a\x82\xd0\x12\x84\x96\x20\xb4\x04\xad\x09\x4b\xd0\xc4\x3e\x72\xaf\xbe\xc7\xdc\x25\x11\xac\x9b\xd4\xd0\xac\xca\x19\xef\x99\x10\xa2\x15\x63\xac\x20\x2e\x8f\x31\x56\xae\x1e\xdf\x17\xfd\x17\xbb\xc9\x5e\x0e\x95\x06\xa1\xe7\x5b\x45\x9a\x8e\x8f\xe6\xd9\x46\x00\xf7\xf3\x56\xc9\xca\xdb\xa1\x4d\x03\xfd\xfb\x5d\xfa\x3f\x6d\x20\x37\x88\x1b\x12\xff\xfc\xe1\xe6\x82\x2e\x8f\x4c\x8f\x4f\xf3\x37\x47\x78\x91\xed\x4a\xe7\xbd\x1f\x5e\x10\x65\x0b\x00\xb3\xba\x32\x0c\xc2\xdc\x1c\xa2\x49\x1b\x23\x9a\x39\xfd\x01\x81\x68\x26\xe7\x90\x80\x31\xab\xfb\x3e\x05\xcd\xc4\x14\xdf\x88\x68\x22\xa2\x89\x88\x26\x22\x9a\x88\x68\x22\xa2\x89\x88\x26\x22\x9a\x88\x68\x22\xa2\x89\x88\x26\x22\x9a\x6b\x10\xd1\x44\xd4\x10\x51\x43\x44\x0d\xd7\x31\x6a\x78\x94\x6c\x1a\x70\xbc\x62\x30\xa0\xdf\xaf\xdf\x47\x36\xb0\x9f\xbd\xba\xe3\x15\x0f\xdb\x0e\x30\x34\x8f\x5a\x6e\xc1\xa1\xfe\xc4\xcd\x0d\xa9\x9a\xff\xb3\x83\x9c\xaa\x8b\x3f\xd6\x60\x66\xa6\x01\x92\x11\x43\xf3\xe7\x77\xe8\x1f\xe9\xa8\xc6\x25\xef\x86\x24\xd3\xc9\x83\x6e\x35\x36\xd5\x9b\x65\x8f\x25\xd1\xc3\x98\xfe\x58\xfd\x7c\x9b\x53\x4f\xdb\xe4\x24\x87\xf8\x8e\x90\x31\x80\xf8\x0e\x91\x83\xe4\x40\xcd\xd8\x1f\x51\xa7\x89\x6f\xcc\xa6\x60\x6d\x97\x99\x91\x7a\x75\xf0\xbf\xce\xb7\x6f\xad\x1e\xb0\xee\x28\x73\x75\xc3\x31\x1b\x14\x4f\x5e\xa9\x61\xcb\x3d\x9f\xb0\x3d\x31\x19\xd7\xe8\xf2\xc6\x0d\x3d\xeb\x31\xcc\x51\x8b\x61\x8e\x3e\xa3\xb5\x5d\x88\x4c\xf3\xe0\x46\xc7\xc9\x44\x1c\xdc\xe8\x0a\x4a\x26\x48\x8a\xdd\x9c\x64\x6a\x5e\x06\xa5\xcb\xb0\xde\x4f\xde\x58\x2d\x99\x6e\x11\x6e\x71\x56\x9a\x30\xda\xc9\x6f\x5e\x31\x59\xb4\x32\xa1\x8d\x50\x1c\x35\x10\x47\x18\x5e\x63\x55\xc2\x6b\xa0\x5f\x35\xfa\x55\xa3\x5f\xf5\x4a\xf9\x55\x4f\x7c\x5a\x6b\xb3\x73\xe9\x14\x0f\x68\x78\x8c\x8c\x2b\x01\x0d\x57\xd8\x61\xd5\x48\x57\x1c\xb6\xea\x9b\x79\x37\x35\xab\x3b\x34\xa9\x22\xd4\x54\x31\x72\x1f\xbe\xb6\x5a\x77\x18\x2c\x59\x7e\x68\x83\x7d\x94\x1f\xca\x1b\x1f\x6f\x06\x4a\xd5\x8c\x96\xd5\x51\x28\x6e\xa9\x2c\xa8\x1f\x9a\xb2\x03\xdc\x42\x6f\x55\x6f\xce\x53\xbf\x48\xd5\xbb\xdb\xd5\xbb\x41\xe8\x5b\x21\x2d\xda\xf9\xfe\xaa\xe7\x12\xa5\x40\xca\x7e\x71\x97\xb5\x32\x77\x92\x1c\x27\x13\x15\x07\xab\x21\xb2\xaf\x85\xb9\x33\x09\x94\x02\x54\x63\x1a\xa8\x31\x1f\xed\x20\x1f\xea\xd0\x3f\xd0\xd1\xf9\xa4\xdc\x0b\x9e\xe8\x58\x3f\xa7\xaa\x0a\x2b\x0c\xeb\x67\x60\x15\x80\xa5\x90\x4d\xce\x98\x5b\xd4\x5d\x63\xe2\xf6\xc0\x96\xc6\x49\x28\x96\x03\x6f\x32\xdd\x8d\xbf\x0d\x4f\x80\x1e\x15\x18\xdd\x13\x81\xe7\x4e\x72\x92\xcd\x09\xb6\x2c\xc4\xef\xe9\x68\xb1\xc4\x17\x7b\x6a\x1f\xf7\x72\x5f\xd2\xc8\x17\x35\xfd\xf3\x5a\xe7\xe7\x24\x80\xf8\x94\x76\xd8\xf3\xf3\xa0\xe2\x15\x3d\xe8\x76\xcf\x30\x67\xd9\x25\xd3\x18\x4e\x7c\x05\x40\xc3\x5c\x1b\x2b\x07\x31\x9d\xa0\xdf\xca\xc3\x87\x03\x49\xc3\xb1\xf3\x62\xb7\xa5\x4e\x21\x30\xbc\x45\xd1\xa7\x9c\xc4\x50\xa2\x5e\xc9\xa1\x59\x83\xd7\x08\xac\xa8\x68\x2c\x01\xa2\x4d\xed\x00\x59\xbd\xb9\x11\x9a\x95\x60\xf8\xac\x3e\x06\xb6\x3a\xdb\x41\x1d\x97\xdd\x12\x77\xd9\x3d\x44\x0e\xea\x07\xcc\xfd\x92\xf0\x7d\xbb\x4a\x15\xaf\x2e\xf1\x99\xc0\x18\xd7\xff\xf4\x51\x92\x1d\xb0\x4a\x76\xbd\xfc\x7e\xd4\x5f\xb0\xf3\xd4\xca\xe7\xbd\xb2\x1b\x06\xfa\x7b\x1f\xd5\xdf\xb8\x9d\x6c\xce\x7b\x3e\xdb\x56\x3b\xfb\x1a\xa4\xf8\xe3\x6f\x0f\xf3\xb7\x7b\x4d\xf6\xf4\x88\xe7\xd3\x44\xc4\xf3\xc4\x33\x6b\x9c\x07\x8a\x89\xfe\x90\x07\x89\x89\xfe\x90\x07\x89\x3c\x48\xe4\x41\xae\x23\x1e\xe4\x1a\x0a\xa5\xbc\x66\x78\x90\x18\xe3\x17\x79\x90\xc8\x83\x44\x1e\x24\xf2\x20\x31\xd1\x1f\x06\x21\x7d\xe6\xd0\x16\xd7\x7c\x10\xd2\xab\x32\xd1\x9f\x55\x3b\xfd\xd7\x61\x8e\x38\x1e\x22\x07\x01\x71\xdc\x4b\xee\x21\xbb\x6b\x22\x8e\x79\xcf\xa7\x60\x8e\x4a\xa0\x46\xc7\xed\x40\x26\xde\x9a\x6c\x0c\x28\xf6\xeb\x3b\x52\x02\xa4\x9a\x66\x94\x62\x2b\x51\x36\x69\x94\x3d\xd0\x7c\x62\x6b\x0c\x88\xdd\x14\x27\xfb\x4b\x62\x5f\x77\xf1\x1b\xab\x84\x7e\x71\xb0\x6a\x8c\x8c\x90\xe1\x0a\x0b\xce\x20\x19\x58\x66\xe7\xa2\xe1\x06\xe9\x70\x2d\xd2\xe1\xbe\xab\x91\x1c\x5f\xdd\x07\xc8\x7e\x58\xdd\xbb\xc9\xf2\x27\x20\x39\xc2\x29\x70\x0f\x90\xfb\x63\x0a\x5c\x4b\x05\x1d\xe5\x16\xf1\x61\x72\x48\xb1\x88\xb7\x54\x52\xeb\x19\x47\x79\xfa\xbf\xe6\xa4\x54\xaa\x3c\x4a\x17\x5d\xbd\x7f\xda\x17\x4b\xa1\x6d\xe9\xf9\xff\x92\x12\x29\xcb\x1f\xe2\x12\x29\x35\x05\xe0\x4a\xca\x26\xcc\x02\x88\xc8\x2c\x22\xb3\x88\xcc\x22\x32\x8b\x59\x00\x31\x0b\x20\xd2\x94\x31\x0b\x20\x5a\x08\xd0\x42\x80\x16\x02\xb4\x10\xa0\x85\xa0\x2d\x16\x02\xf4\x56\x41\x6f\x15\xf4\x56\xc1\x2c\x80\x68\x80\x43\x03\xdc\x55\x9e\x05\x70\x19\x49\xfb\x9a\x04\x96\x1b\x98\xbc\x54\x88\xf9\x6a\x24\xb6\xff\xd6\x8d\x3c\x0d\x20\x10\xdb\xbd\x82\x8c\x4f\x32\x50\xf2\xbd\x8b\x4b\xfa\x7b\x6e\xd4\x5f\x9f\x89\xd1\xf2\xbb\xf3\x9e\xeb\xb2\x2f\x3a\x32\x76\x3a\xe6\x6d\x87\x9e\x01\x4f\xb3\x89\x72\xd2\x2b\xd0\xde\x9b\xc5\x63\x1c\x30\x3f\x42\x43\x76\x75\x92\x3d\xb2\xab\xa3\x77\xa0\x97\x07\x11\xd9\x4b\x6e\xe5\x53\xe3\x87\xc8\xb3\x61\x6a\x5c\x47\xae\xf9\xb8\xb6\x85\x88\xc6\x35\x1c\xea\x3b\xd3\x87\x9a\xe8\x5b\x44\xed\xe4\xf1\xa9\xc6\x23\x3c\xa0\xf7\xf3\x71\x95\x4d\x14\x00\x79\x0d\xe3\x41\x67\x6a\x77\x4c\x3e\xd8\x7c\x77\x4c\x96\xd7\x76\x77\x54\x4e\xf8\xba\x1d\x63\xbe\x51\xe9\x8e\xed\xb2\x3b\x4e\x4d\xd7\xeb\x8f\xce\x64\x7f\x78\xc1\x33\xa8\x43\x7a\xdf\xa2\x74\x48\x77\xd4\x21\xa3\x63\xc7\xc7\x4e\x8f\xd5\xe9\x92\x5b\x13\x5d\xc2\x2d\x35\x2b\xd1\x29\x2b\xf0\xc5\x4d\x74\xf4\xae\x9f\x54\x3a\xa5\x27\xea\x94\x53\x93\xa7\xc7\x4f\x9d\x9c\xae\xd3\x2b\xb7\x25\x7a\x45\x54\xfe\xcc\xe9\x96\xa1\xd4\xc5\x73\x74\x6c\x78\xb4\xe9\xc5\x73\x94\x5a\x85\x67\x4e\x87\xe4\xde\xac\x74\x48\x97\x94\x26\xc3\xa7\x47\x8e\xd6\xe9\x91\x5b\x92\xe2\x84\x69\x3a\x57\xae\x4b\x96\xb5\x99\x34\xd1\x25\x13\x07\xc9\x01\x7d\xbf\xb9\x57\xea\x14\xb7\xaa\xde\x76\x95\xf5\x54\xfb\xda\xcd\x90\xf3\xfa\x63\x9d\x8f\x44\x0a\x43\x6e\xd2\x0a\x39\xea\x34\x47\x8d\x07\xa7\x8e\x1b\xac\x4c\x50\x38\x03\x2a\x35\xc6\x7c\xd9\xf7\xd9\xc9\x9c\x77\x73\x74\xd6\x08\x3d\x83\x29\x08\x59\x13\xda\xa1\xea\x10\x1f\x3e\x4f\x0e\xf3\xf0\x68\xb3\x8e\xb7\x98\xf7\xdc\xd0\xf7\x9c\xac\xf4\x1e\xaa\x0c\x96\x56\xf2\x6d\xcf\xb7\xc3\x25\x87\x2e\x50\x27\x61\xbd\x0c\xf4\xff\xff\x39\xfd\xb5\x5d\xe4\x56\xa5\x9c\xe1\xa8\x18\xe9\x9b\xbe\xaf\xbe\x27\xdd\xa4\x28\xfe\x38\x2b\x7e\x44\x2d\xbe\x77\x3f\x7b\xf3\x70\x4a\xd9\xc2\x5d\xbd\xf6\xab\xe8\x6c\x87\xce\x76\xe8\x6c\x87\x94\x0e\xa4\x74\x20\xa5\x03\x29\x1d\x6b\x86\xd2\xb1\x76\x18\x0b\x68\x4a\x47\x53\x3a\x9a\xd2\xd1\x94\x8e\xa6\xf4\x75\x6d\x4a\x47\x5b\x1f\xda\xfa\xd6\xa9\xad\xef\xaa\x74\xb6\xab\x1d\x75\x8b\x3c\xc6\xd1\xc2\xb3\xe4\x41\x40\x0b\x4f\x91\x13\xe4\x58\x4d\xdf\x17\x15\xf8\x8a\x42\x7c\xd5\x46\x93\x54\x27\xbc\x97\x34\x86\x15\x1f\xd2\xcf\x08\xcc\xb0\x1e\xbe\x26\x30\xd8\xda\xb5\xa6\x24\xb4\x6c\xe4\xaf\xf7\x3b\xa4\x01\x16\xb7\x4d\x3a\xf1\xd5\x81\xdd\x0e\xf0\x87\xae\x2c\xf0\xc6\x71\xb2\x47\xc9\x0b\xc9\x0b\x2a\xfc\xfc\xc6\xc9\x91\x36\x8d\x2b\x52\xcc\xd1\xff\xaf\x45\xff\xbf\x5f\xcd\x90\x87\xb9\xc0\x99\x26\xcf\x07\x81\x73\x8c\xb4\x6f\x62\x92\x73\xdc\x2f\xf0\x21\x72\x26\xf6\x0b\x6c\x6b\x05\xe7\xb9\xbf\xe0\x0b\xc8\x59\xc5\x5f\xb0\xad\x35\x5c\xae\x1f\x61\x73\x82\xb6\x56\xf8\xc4\xcb\x93\xbc\xbd\x9f\xec\x6f\x20\x48\x07\x52\xfd\x10\xeb\x08\xd5\x31\xfe\x42\x1d\xa1\x1a\x3b\x2a\xae\x9a\x78\x45\x57\x45\xc4\xb5\x11\xd7\x46\x5c\x1b\x71\x6d\x74\x55\x44\x57\x45\x74\x55\x44\x57\x45\xb4\xaf\xa0\x7d\x05\xed\x2b\x68\x5f\x41\xfb\x0a\xba\x2a\xa2\xab\x22\xba\x2a\xa2\xab\x22\x9a\x2f\xd1\x7c\xb9\x06\xcd\x97\x6b\xda\x55\xf1\x4a\x1a\x09\xdb\xef\x73\xf8\xbe\x6e\x32\xc0\xfd\x05\xb8\x0c\x93\x9e\x01\x30\xf4\x03\x25\xaf\x50\xb0\x03\xbf\x0c\x98\xee\x4c\xb9\x50\xa4\x61\xa0\x7f\xb7\x4b\xff\xdb\x0d\xe4\x7a\xfe\x82\x44\xcd\x7f\x44\xa8\xa6\x6e\xc1\x5e\xb0\x0b\x65\xcb\x51\xad\xcc\x96\x3c\x06\x4e\x7a\x85\x51\x59\x62\x0e\x4a\xcc\x2a\x9b\xfe\x90\x54\x17\xba\xa0\xbc\xae\x18\x8e\x4d\xe0\x6b\x5e\x89\xca\x23\x7d\x10\x52\xab\x90\xed\xdd\x0f\x2f\x70\x41\x1a\xd9\x32\xab\x2b\x3b\x6e\x07\xe1\x61\xcf\x1f\x76\x1c\x19\x32\x30\x58\xe3\x1e\x05\x13\x17\xc8\x24\x5f\x0e\xe3\xe4\x08\x2c\x87\x61\x72\x88\x1c\x6c\x61\x39\x00\x03\x60\x8c\x9d\xe7\x1a\x2e\x89\x6d\xe9\x4b\xe2\x5a\x9d\x40\xc3\xc0\x26\xfd\xf8\x63\x8d\xd7\xc2\x01\x7d\xbf\x58\x0b\x7c\xbe\x44\xb3\xbe\x7a\x64\x52\xa6\x3b\xba\x52\xa0\x2b\xc5\x04\x9a\x9c\xd0\xe4\x84\x26\x27\x34\x39\xad\x1b\x93\xd3\xc4\x9a\xb1\xa8\xb4\xbd\x25\x2d\x43\xfd\x13\x08\xf5\x23\xd4\x8f\x50\x3f\x42\xfd\x08\xf5\xaf\x3e\xd4\xdf\x76\xd8\x61\x62\x5d\x83\x9b\x13\x08\x6e\xae\x1c\xb8\x39\xb1\xe6\xc1\xcd\xab\xd0\x37\x43\xff\xce\xa3\xe4\x10\x87\x09\xfd\x19\x2b\x9f\x8d\xe0\x22\x28\x2a\x8e\x29\x52\x2b\x1d\xb7\xef\x39\x34\xd0\x3f\xf8\xa8\xfe\xf6\xed\xe4\x39\xac\x80\x61\xf5\xfd\x73\x0b\x83\x9d\x66\xfd\x38\x22\x53\x9e\x43\x7b\xef\x66\xcf\x4c\x55\xbe\xad\xa6\x25\x62\x8f\xad\x71\x2c\x0f\xa3\x83\x20\xa4\x85\xd1\x41\x10\xd2\x42\x48\x0b\x21\xad\x75\x04\x69\xad\x21\x92\xf0\x9a\x81\xb4\x90\xbd\x8a\x90\x16\x42\x5a\x08\x69\x21\xa4\x85\xd1\x41\x90\x5e\xf7\xcc\x41\xa0\xd6\x3c\xbd\xee\xaa\x8c\x0e\x72\xb6\x76\x74\x90\xfb\x38\x39\xea\x1e\xb2\x1b\xc8\x51\xfd\x64\x07\xe9\xa9\xe9\xe9\x0e\xf8\xd5\xc2\x60\x76\xca\x73\xa8\x1a\xfb\xe3\xd1\xc6\x54\xa6\x21\x7d\x9f\xa0\x32\xd5\x04\xc1\x04\xbb\x89\x15\x9e\x0c\xb8\xdc\x28\xba\xc7\x77\xb6\xd4\x40\xc6\xae\x93\x51\x3d\x00\x04\xeb\xe2\x7f\xae\x1e\x0c\xc6\x51\xab\x03\x64\x3f\xd9\x5b\x11\xab\xa3\x8b\xdc\xdd\x54\x2f\xa3\x07\x25\x46\xe2\x68\x31\x12\xc7\x57\xb4\xda\xab\x7e\x1f\x5f\xf5\x83\x64\x00\x56\x7d\x0f\x69\x76\x3e\x92\x83\x3c\x00\xc7\xbd\x64\x4f\x1c\x80\x63\x19\xaf\xdf\xcf\xc3\x6b\xec\x25\xf7\x28\xe1\x35\x9a\x7f\xbf\xd9\x18\x19\x2b\x2b\x90\x7a\xbf\xdd\x57\x43\xe0\xdc\x9c\x1a\xfd\x02\x84\xcf\x20\xbf\x95\x22\x7c\xd2\x12\x71\xaf\x80\x18\xc2\x98\x16\x88\xc6\x22\x1a\x8b\x68\x2c\xa2\xb1\x18\xd3\x02\x63\x5a\x60\x4c\x0b\x8c\x69\x81\x56\x01\xb4\x0a\xa0\x55\x00\xad\x02\x68\x15\x68\x8b\x55\x00\x63\x5a\x60\x4c\x0b\x8c\x69\x81\x31\x2d\xd0\xe8\x86\x46\xb7\xab\x3c\xa6\xc5\x0a\x1b\xb4\x96\x11\x32\xe3\x6a\xcc\xc5\xfd\x96\x6e\x92\xe5\x84\xf7\x82\x1d\xe4\x3d\xa6\xfc\x28\x3c\x77\x1e\x1c\x83\xba\x85\x92\x67\xbb\x61\xe0\xd8\x79\x1a\xe8\x7f\xd5\xa5\x7f\x75\x03\xb9\x56\x3e\x7f\x6e\x61\xb0\x73\xa9\xb9\xa0\x18\x63\xa2\xa4\x69\x56\x52\x9b\xc2\x61\x0c\xc2\x0b\xa3\x51\x6b\xce\x0c\x26\x2a\xc1\x30\x18\x6d\x0c\x83\xb1\xac\xa5\x56\x39\x9f\xc4\x0a\x4b\x8c\x4e\x32\x95\x3d\xba\x0c\xa0\xcb\x00\x46\xc1\x40\x23\x15\x1a\xa9\xd0\x48\xb5\x7e\x8c\x54\x18\x05\x03\xa3\x60\xa0\x71\x00\x8d\x03\x68\x1c\x40\xe3\xc0\x9a\x30\x0e\x60\x14\x0c\x8c\x82\x71\xb5\xc0\xa1\x18\x05\x63\x25\xa2\x60\xfc\xef\x47\x49\x0f\x07\x05\x5d\x1a\x2e\x7a\xfe\x05\xa6\xad\xc5\xa8\xa0\xed\x16\x7d\x1a\x04\x79\xc7\x0a\x02\x1a\xe8\xdf\x7f\x44\xff\x5f\xdb\xc9\x75\xf1\xa3\xe7\x16\x06\x3b\x7b\xeb\x07\xba\x18\xe7\x45\x8c\xb0\x22\x7a\x6f\x65\xcf\x9e\x94\xaf\x9f\x19\x54\xef\xae\x71\xb0\x0e\xe3\x5c\x20\x68\x85\x71\x2e\x10\xb4\x42\xd0\x0a\x41\xab\x75\x04\x5a\xad\x21\xe2\xf0\x9a\x01\xad\x90\xd1\x8a\xa0\x15\x82\x56\x08\x5a\x21\x68\x85\x71\x2e\x90\x72\xf7\xcc\xc1\x98\xd6\x3c\xe5\xee\xaa\x8c\x73\x41\xc9\x04\x27\x39\x8d\x90\x61\x20\x39\x41\xe8\x85\x9a\x9e\xe5\x0a\x10\xb5\x30\x98\x55\x01\xa2\xe3\x76\xd0\x98\xde\xd4\x20\x2c\xc5\xf2\x98\x4d\x55\xa0\x98\xa0\x36\xa9\xad\x4a\x30\x9b\xcc\x9f\xd9\x5a\x89\x8f\x3d\x37\x0a\x77\xe1\x26\xb1\xb0\xdb\xf9\xf5\x15\x47\xc3\x38\x78\x35\x4e\x8e\x90\xb1\x8a\x70\x17\xf7\x90\xdd\x2d\x8c\x02\xba\x5a\x62\xf0\x8b\x16\x83\x5f\xfc\x97\x46\x0e\x73\x51\x70\x88\x1c\x04\x51\xb0\x97\xb4\x36\x09\xc9\x31\x1e\xf1\x62\x94\xe4\xe2\x88\x17\x2d\x17\x76\x9c\xc7\xbf\x18\x23\x23\x4a\xfc\x8b\x96\x4b\x6b\x2b\x8d\x79\xd9\x12\xa8\x51\x14\x8e\xde\xbf\xe9\xab\x94\x50\x77\xa6\xc6\xc7\x48\x08\xab\x6e\xfe\x88\x2a\xac\xe2\x00\x19\x2b\x28\xb6\x30\x3c\x06\x82\xb8\x08\xe2\x22\x88\x8b\x20\x2e\x86\xc7\xc0\xf0\x18\x18\x1e\x03\xc3\x63\xa0\x31\x01\x8d\x09\x68\x4c\x40\x63\x02\x1a\x13\xda\x62\x4c\xc0\xf0\x18\x18\x1e\x03\xc3\x63\x60\x78\x0c\xb4\xd5\xa1\xad\x6e\x3d\x85\xc7\x58\x3e\xae\xbc\x9c\xf0\x18\x6d\x0f\x5e\xf1\xee\x1e\xb2\x8b\x4d\xa9\x3a\x29\x19\x4b\x5e\x21\xa4\xf3\x25\x80\xa2\xf8\x8d\x97\xe9\x7f\xdf\xad\x7f\x3b\x43\x36\xe7\x3d\x9f\x9e\x5b\x18\xec\xbc\xdd\xa7\x56\xa1\xe2\x28\x3a\xe9\x15\x4e\x8b\xd7\x7a\xef\x60\xf7\x47\x3c\x9f\xaa\xb1\xe7\x95\x07\xda\x0b\x6e\x4f\x3c\x4c\x0e\xf1\x09\xb2\x8f\xdc\x0b\x13\x64\x27\xc9\x92\xbe\x9a\x26\x07\xf6\x15\x6c\x3a\x28\x0d\x6a\x38\x27\x6e\x4b\x1f\xb4\x4d\xfa\x86\x22\x0d\xc9\xe3\x27\x1a\x4f\x99\x5e\xbd\x5b\x9d\x06\x62\xfa\x98\xa6\x98\x2f\x6a\x63\x3a\x7f\x69\x4b\xdc\xd7\x77\xfa\xb4\xe4\x58\x79\x5a\xa7\xbb\x4d\xf1\xc8\xaa\xf5\x78\x2e\x47\x1e\x20\xf7\x57\x58\x41\x97\xd9\xe5\x08\xa5\xa1\xf9\xb3\x45\xf3\xe7\xcf\x6a\x97\xbf\xe0\x47\xb9\xdd\x93\x6d\x25\xd2\xee\xb9\x9a\x62\xa3\x54\x6e\x5a\x6c\xd4\x13\x15\xc9\xc0\xfd\x37\xc4\x62\xe3\x39\x42\x93\xb5\x12\x92\x42\x58\x28\x57\x4f\x50\xac\x8c\xdd\x11\x45\x47\x03\xd1\x81\xd8\xf7\xaa\x60\xdf\x08\x7a\x20\xe8\x81\xa0\xc7\x4a\x81\x1e\x13\x3f\xa7\x91\x31\xce\x28\xba\x9f\xdc\xa7\x30\x8a\xda\xb7\x4f\x5f\xb6\x1e\x11\x6d\xf4\x46\xfa\x46\xbf\x55\xdf\xcc\x3b\xa3\xdd\x7b\x7d\xee\x1f\xae\x89\xf7\xfa\xde\x92\xe5\x87\x36\xd0\x3c\x38\x40\x5c\xe7\xac\x60\x94\xd8\x29\x7e\x55\x14\x80\x5b\x2a\x0b\xea\x87\xba\x77\xb0\x9f\x43\xb7\xaa\x37\xe7\xa9\x5f\xa4\xea\xdd\xed\xea\xdd\x20\xf4\xad\x90\x16\xed\x7c\x7f\xd5\x73\x89\x52\xd8\xef\x25\x71\x97\xb5\x32\x77\x92\x1c\x27\x13\x15\xa7\x94\x21\xb2\xaf\x05\xf5\x63\x12\x1c\x59\x51\xed\x68\xa0\x76\x7c\xb4\x83\x7c\xa8\x43\xff\x40\x47\xe7\x93\x52\x76\x3f\xd1\xb1\x7e\x4e\x2c\x15\xe6\x3a\xd6\xcf\x40\x83\x02\x93\x32\x9b\x9c\xb1\x47\x7b\x77\x8d\x89\xdb\x03\x5b\x10\x67\xcd\x59\x0e\xbc\xc9\x74\x2d\xfe\x36\x3c\x01\x7a\x4f\x60\x74\x4f\x04\x9e\x3b\xc9\x5d\xbb\x4f\xb0\x65\x21\x7e\x4f\x47\x8b\x25\xbe\xd8\x53\xfb\x28\x95\xfb\x92\x46\xbe\xa8\xe9\x9f\xd7\x3a\x3f\x27\xc1\xbf\xa7\xb4\xc3\x9e\x9f\x07\x95\xac\xe8\x41\xb7\x7b\x86\x39\xcb\x2e\x99\xc6\x70\xe2\x2b\x00\x35\xe5\xda\x53\x39\x88\xf9\x4f\xfd\x56\x1e\x3e\x1c\x58\x65\x8e\x9d\x17\xbb\x23\x75\x0a\x81\xe1\x2d\x8a\x3e\xe5\xac\xab\x12\xf5\x4a\x0e\xcd\x1a\xbc\x46\xf0\xc5\x8f\xc6\x12\xd0\xcb\xd4\x0e\x90\xd5\x9b\x1b\xa1\x59\x09\x92\xfc\x2a\x60\x41\xed\x05\x7b\x1e\xbf\x23\x7d\xeb\xd8\xa2\x6f\x82\xcf\x25\x13\xfb\xc8\xbd\xfa\x1e\x73\x97\x8c\x91\x7b\x13\xac\x1f\xb1\x98\x95\xa2\xcc\x0d\xec\x86\x1a\xfb\xf6\x2a\x8c\xae\xfb\xe7\xdd\xa4\xbf\x01\x40\x19\xd0\xbc\x4f\x43\x89\x4d\xbe\xbf\x5b\xff\x13\x05\x9b\xbc\x39\x05\x9b\x9c\x86\x37\x7a\x3b\xd3\x60\x49\x7e\xaf\xcd\x88\xe4\x83\x64\x88\xcf\xc2\xdd\x64\x10\x66\xe1\x0e\xd2\x43\xba\x1a\xce\x42\xde\x96\xcb\x05\x23\x8f\x36\x9e\x9f\x77\xeb\xdb\xf8\x4c\x14\x35\xa6\x4f\xd6\xce\xb7\x29\x38\xe4\xad\xe9\x38\xa4\xe8\xda\xdb\x6a\x40\x90\x2b\xd1\xbb\x39\xc0\xff\x2b\xf6\xf5\xe6\xbb\x17\xb7\x71\x04\x1e\x5b\x04\x1e\xdf\xa6\x5d\xd6\xba\x3e\xc4\x31\x47\xb6\x33\x49\xcc\x71\x95\x04\x03\xc0\x8d\xcd\x09\x86\xca\xcd\x2a\x45\x44\xf4\xfe\xab\x82\x34\xde\x20\x91\x46\x21\x0b\x6e\x4d\x07\x19\x57\x44\x14\x20\xbe\x88\xf8\x22\xe2\x8b\x88\x2f\x22\xbe\x88\xf8\xe2\xb2\xf1\xc5\x4f\x6b\x6d\x66\x96\x4c\x71\xb4\xf2\x18\x19\x57\xd0\xca\x15\x66\xab\x34\x46\x1e\x9b\xdb\xf6\xeb\x9d\x57\x85\x0a\x90\xfb\x63\x05\x74\xbc\xbb\x01\xe8\x28\x94\x81\x5b\x52\xf1\xc6\x76\xeb\x02\x08\x35\xae\x37\x0d\x04\xa1\x46\x84\x1a\xaf\x30\xd4\xb8\xb2\x20\x4f\x23\x58\xb0\x7d\xa7\xb9\x89\xdd\x64\x50\x1f\x30\xfb\x25\x4c\xa8\xab\x00\x23\x7f\xe1\x19\x81\x2d\xbe\xb6\x9b\xdc\x15\x61\x8b\x3c\x4f\x57\x24\x18\xdd\x70\xc1\x73\xca\xf3\x34\xef\x58\xf6\x7c\xa0\xff\x75\x97\xfe\xc7\x1b\xe2\xad\xee\x15\x5a\x73\xb9\xba\x26\x65\x69\x67\xa0\xb4\x11\x56\x5a\x9b\x72\x76\xed\x59\x8c\xf7\xd1\xd4\x7a\x30\x6d\x57\x1b\xd3\x76\x9d\x6d\xbc\xb6\xf6\xe8\xbb\xaa\x60\xfd\xb4\x71\xc1\x84\x5d\x18\xfb\x18\x13\x76\x61\xd8\x0c\x0c\x9b\x81\x61\x33\xd6\x6b\xd8\x0c\x4c\xd8\x85\x09\xbb\x30\x5c\x01\x86\x2b\xc0\x70\x05\x18\xae\x60\x4d\x84\x2b\xc0\x84\x5d\x98\xb0\xeb\x6a\x71\xd0\xc6\x84\x5d\x2b\x91\xb0\xeb\xb3\xb7\x90\xfb\x79\xc2\x2e\x8b\x1d\xba\x8a\x36\x98\x7e\xd8\xd3\x32\x6b\xd7\x0c\x0d\xad\xc1\x01\x71\xde\xb7\x25\x0b\xf1\x65\x03\x01\x58\xe6\xf4\x97\xdf\xa2\x7f\xa1\x83\xdc\x54\xf1\xfe\x39\xf1\x62\x67\x17\x10\x11\xf9\xb3\x51\xaf\xc7\x5b\xf0\xf0\xe4\xf8\x34\x2f\xb6\xb7\x97\x3d\x38\x9c\x2c\xe5\x0c\x2f\x24\x7e\x8a\x5b\x03\xdb\x4c\x53\xfc\x61\x92\xe7\xf8\xdb\x23\xe4\x61\xc0\xdf\x80\x4e\x93\x8a\xbf\xb1\x32\xfa\xad\x62\x91\xcd\x98\xd0\xf3\x63\x08\xae\xb2\xfb\xc4\xe7\x67\xe3\xa6\x37\x84\xe4\x68\x63\xb4\x2d\xa7\x3f\x20\xd0\xb6\xf4\xe1\x52\x51\x36\xa8\x5f\x40\x72\x4a\x2b\x1a\xd0\x26\x3b\xbf\xb1\xb5\xf6\x58\xf6\x46\xe4\xc7\x26\x86\xb3\x5f\x3c\x7b\x25\x46\x34\x37\x4b\x0a\x64\xa6\xc2\x0e\xb9\x02\x43\x8a\xf6\x49\xe4\x50\xb6\xc8\xa1\xfc\x07\x6d\x75\x84\xce\x1c\x27\x5b\x5a\xe4\x5c\x4c\xb6\x5c\xa7\xe2\xad\x54\x0e\x49\xee\xf3\xd7\xd6\x16\x6f\xbb\xab\xb8\x1c\x4d\xc8\xb9\x1d\x60\x87\x5c\x6d\x29\x87\x4c\x8f\xf5\x26\x49\x91\xe9\x81\x4c\x8f\x2b\xcc\xf4\x58\x5f\x7a\x72\x43\x87\xb4\xbd\xe4\x1e\x7d\xb7\x39\x28\xa9\x1f\xcf\x55\xf9\x22\x71\x49\xd5\x9c\x91\xb6\x33\x3a\xbe\xb1\x9d\xdc\x10\x31\x3a\x84\x5b\x98\xfe\xf9\xed\xfa\xaf\x75\xc4\xe4\x8d\xbb\xea\xa7\x55\x16\x34\x45\x38\x40\x73\x76\x05\xbf\x72\xb5\x51\x29\x5e\x40\xee\xe7\x53\x74\x2f\xb9\x07\xa6\xe8\x00\xe9\x27\x3b\x9a\x24\x23\xb5\x25\x21\x50\xdb\xdc\xce\x90\x24\x81\x24\x09\x24\x49\x20\x49\x02\x49\x12\x48\x92\x40\x92\x04\x92\x24\x90\x24\x81\x24\x09\x24\x49\x20\x49\x02\x49\x12\x48\x92\x40\x92\x04\x92\x24\x90\x24\xb1\x5a\x24\x89\xdf\x7b\x8c\x0c\x73\x92\x44\x55\x98\xfb\x3a\xf1\x99\xc4\xb3\xe0\xb1\x6d\xd3\x40\x7f\xd5\x63\xfa\xcf\x6f\xaf\xcc\x95\xba\xa3\x3e\x2c\x27\x12\xa4\x72\x9f\xed\xde\x2e\xf6\xb0\x9a\x33\x35\xf6\x24\x4e\x3c\xb8\xc6\x41\xba\x1c\x02\x5b\x08\x6c\x61\xd2\x5c\x04\xb6\x10\xd8\x42\x60\x6b\xfd\x00\x5b\x6b\x28\x27\xec\x9a\x01\xb6\x30\x59\x29\x02\x5b\x08\x6c\x21\xb0\x85\xc0\xd6\x95\x48\x56\xba\xae\x71\x28\xcc\xa6\xb8\x9e\xb3\x29\xe6\xae\x42\x1c\x6a\x62\x96\x1c\xe3\xe4\xa6\x51\x92\x03\x72\xd3\x7d\xa4\x0e\xe5\x36\xab\x80\x55\x0b\x83\xd9\x04\x42\xd4\x16\xa6\xd3\x63\x8d\x99\x4e\x07\xf4\xfd\x9c\xe9\x94\xa8\x3d\x8d\xf0\x54\x9d\x40\xd2\xfc\xe8\xd6\x4a\xb4\xec\xb9\x7c\x4b\x32\xac\x0a\x60\xac\x87\x5f\x5f\x4d\x68\x8c\x23\x59\x13\xe4\x28\x39\x5c\xc1\x82\xbe\x97\xec\x69\x65\x48\x90\x01\x8d\xbe\x24\x2d\xfa\x92\xfc\x8f\x46\x8e\x70\xc1\xf0\x00\xb9\x1f\x04\xc3\x3e\xd2\xe2\x2c\xe4\x91\x40\x07\x21\x12\xa8\xf4\x17\x69\xbd\xb4\x13\x3c\x12\xe8\x61\x32\xaa\x44\x02\x6d\xbd\xb8\xd6\x25\x56\xc9\x6b\x5e\x62\x35\x48\x69\x5b\x5b\x94\xf5\x7e\xa7\xaf\x52\x62\x99\x22\xe8\xab\x12\x41\xd7\x9b\xad\x90\x5e\xbb\xf9\x33\xaa\xf4\x1a\x91\x8f\xaf\x8e\x1c\x5b\x99\xf8\xe1\x08\xf1\x22\xc4\x8b\x10\x2f\x42\xbc\xeb\x07\xe2\x45\x1d\xae\x81\x0e\xb7\x76\x30\x70\xcc\xdd\xb0\x2a\xb9\x1b\xd0\xd4\x80\xa6\x06\x34\x35\xa0\xa9\x01\x4d\x0d\xeb\xda\xd4\x80\x29\x7c\x30\x85\x0f\xa6\xf0\x59\xa9\x14\x3e\x68\xc9\x43\x4b\xde\x7a\xb5\xe4\x4d\x14\xdb\x9c\xbd\xaa\x11\xc8\xbc\xc2\x20\xf2\xe3\xbd\xe9\x20\xf6\xb3\xf5\x67\x71\x69\x11\x4b\x72\x72\x35\x66\x1f\x79\xcf\xcd\xa4\x2b\x8a\x55\x51\x99\x77\xa4\x32\xb4\xe0\xbf\x3f\x4f\x7f\x42\x89\x61\xd1\x5f\x37\x94\x60\x65\xda\x89\x5e\x23\xce\x73\x5c\x79\x6f\x45\xc2\x08\x9e\x23\xa3\x7c\x22\xb2\x09\xc8\x26\xe2\x3d\x64\x37\x19\x6c\x9c\x73\xbb\xa2\x6d\x97\x9b\xf7\x78\xaa\xf1\xfc\x1c\xd0\xfb\x1b\x25\xed\x48\xcc\xc9\xce\x3f\x53\x32\x20\xef\x6c\x14\x04\xb0\x6a\x20\xb6\x25\xb2\x22\xaf\xc6\x58\xe4\x8e\x90\x31\x32\x52\x61\x98\x6d\x65\x30\x10\xd1\x43\xab\x6c\x8b\x56\xd9\x0f\x6a\x6d\x92\x07\xe3\xdc\x24\x9b\x23\x0f\xc4\x26\xd9\x15\x12\x2d\x2b\x20\x3b\x1a\x05\xe4\x7b\xe5\xb5\xb1\x68\xd9\xdf\x74\x00\xbe\x2a\x19\x73\x67\xa9\x76\x62\x28\x0c\xbe\x87\xc1\xf7\x30\xf8\x1e\x06\xdf\xbb\xaa\x83\xef\xad\x96\x76\xd9\x30\xe1\x62\x73\x7b\x44\x13\x3b\x83\x12\xea\xec\x20\x39\xa0\xef\x37\xf7\xca\x73\xcc\xad\x6a\x28\xbd\xca\x42\x56\x21\xa0\xde\x97\x7b\xc9\x01\xee\xf1\xeb\xcf\x58\xf9\x6c\xd4\x4b\xa9\x91\xd1\xf3\x4e\x39\x08\x99\xa8\x72\xe4\xf9\x45\x7f\x73\xaf\xfe\xbe\x0e\x72\x33\x7b\x79\x58\x7d\x57\x86\x9a\xbd\x1d\x8e\x32\xc9\x3d\x6d\x84\x17\x34\xe5\x39\xb4\x17\xa2\xa6\x4f\x55\xbe\x2e\xc2\xca\x2a\x0f\xb6\xfd\x08\x53\x6b\x7a\x2c\x6f\xf6\x41\xaf\x45\xa1\x1d\x95\xe6\x36\x79\x84\xb1\x1b\x4f\xb1\xc3\xfa\xa8\x98\x3f\x35\x47\x48\x68\x27\x4a\xf5\xd5\x61\x1f\x3b\x7f\xb0\xa5\xde\x30\xdd\x19\x9d\x75\x6a\x8f\x54\x14\x13\x7d\xd5\x07\x6b\xd9\x67\x9c\x5a\x83\x82\xdb\x3f\x9e\x71\x56\xe9\x8c\x53\x6b\x0a\xb6\x70\xc6\xa9\x59\x54\xeb\xf0\x09\x3b\x8f\xac\xa2\xec\xe9\xfd\xe4\x8d\xf5\x64\xcf\x73\x84\xb1\xc1\x4a\x88\x9b\x1e\x7e\x75\xf5\xa5\xcd\xca\x50\x44\x51\xf4\x34\x10\x3d\x48\x53\x5a\x15\x9a\x12\xda\xa7\xd1\x3e\x8d\xf6\xe9\x95\xb2\x4f\x4f\x7c\x5a\x6b\xb3\x91\x6e\x8a\x3b\x96\x1c\x23\xe3\x8a\x63\xc9\x0a\x1b\xfe\x8c\x74\xc5\x61\xab\xbe\x99\x77\xd3\x6a\xea\x0e\xb9\xf7\x5e\x5b\x4f\x77\xe8\xad\x02\x52\x6b\x1f\x60\xba\xe1\x5c\xbf\xaa\x0a\x05\x02\xa8\xeb\x4d\x8d\x41\x00\x15\x01\xd4\xab\x0b\x40\x6d\xf9\x7c\xb9\x7a\x9b\x40\xe3\x14\x25\xfb\xc8\xbd\xfa\x1e\x73\x97\xc4\x55\x6f\x52\x71\x55\xa5\xec\x55\x80\x54\xbf\xda\x43\x76\x72\x48\x35\x08\x3d\xdf\x2a\x52\x25\x82\x22\x67\x7f\x58\x61\x68\xe5\xe7\xe6\x99\x86\x11\xe1\xa8\xef\xee\xd1\x5f\xd3\x41\x88\x78\xe3\xdc\xc2\x60\xe7\xb6\x14\xe0\x94\xc3\xc2\xc3\xf2\xf5\xde\xdb\xd8\x43\xd3\xfc\xa5\x33\x83\x95\xb7\xdb\x8c\x99\xce\xd4\xc6\x4c\x97\xe5\x95\x1b\x75\xcb\xc2\x60\xb6\xb2\xc5\x2d\x51\x8f\x92\xdd\x2c\xe6\x53\x65\xc9\xcd\x9a\x6a\x21\x35\xe4\xb7\xb6\x24\x86\x62\x7b\x3a\x38\x5a\x35\x1a\x86\x78\x6e\x95\x06\x64\xd9\x4e\xf9\x75\x3a\x1e\x37\x76\x84\x46\x5b\x84\x46\x7f\x41\x6b\xc1\x97\xbe\xce\x54\x5c\x3d\x29\xd3\x00\x20\x5d\x61\x21\xd4\xfb\xe6\x1b\x13\x52\xe6\x66\x09\x83\x56\x09\x96\x3b\xf8\xad\xd5\x92\x2b\x88\x80\x22\x02\x8a\x08\x28\x22\xa0\x88\x80\x22\x02\xba\x6c\x04\xf4\x63\xcb\x8c\xd1\x53\x4f\x13\x68\x21\xaa\x4e\x2b\x8a\x45\xf3\xb8\x67\x73\x2a\x41\x0a\xf7\xa7\x39\xf5\x20\xf7\x63\xd7\x26\x54\x82\x81\x06\xe8\x66\x95\xa2\x70\x3b\x1c\x87\x57\x41\x4f\x40\x60\x73\xbd\x69\x27\x08\x6c\x22\xb0\x79\x85\x81\xcd\x99\xf6\xed\x2c\x97\x4d\x0e\x5d\xe1\xc3\x61\x7d\xa2\x68\xe5\xab\xab\x80\x6a\xbe\xbf\x8b\xdc\x1e\x79\xb3\xf9\x54\xce\x6f\xb6\xd4\x7c\xa6\x96\xf8\x81\xfe\xaa\x2e\xfd\x3f\x14\x27\xb6\xdd\xf5\x33\xbe\x4c\xc5\x85\x8c\xc8\x42\x7a\x07\xe2\xbc\xcc\xa9\x0f\x5c\x6d\x69\x9a\xe7\xb8\x0e\xb3\x13\x74\x18\x36\x65\xef\x27\xf7\x91\xa1\x86\x64\xe6\xd4\x6f\x6f\x4b\x2c\xd3\xb3\x8d\xe7\xed\x1e\x7d\x57\xa5\xe3\x4b\x6a\x7b\x92\x13\x16\x73\xdd\x60\xae\x1b\x4c\xe2\x8c\x81\x10\x31\x10\x22\x06\x42\x5c\x3f\x81\x10\x31\x89\x33\x26\x71\xc6\x00\x74\x18\x80\x0e\x03\xd0\x61\x00\xba\x35\x11\x80\x0e\x93\x38\x63\x12\xe7\xab\x25\xe4\x16\x26\x71\x5e\x89\x24\xce\xff\xfe\x08\xb9\xbb\x06\xff\x50\xf8\x71\x07\xb6\xeb\x15\x68\xa0\xff\xfe\x23\xfa\x4f\x6c\x27\x37\xc4\x06\x27\xce\xa9\xbf\xbb\x3e\x70\x37\x32\x3d\x7e\xd2\x2b\xd0\xde\x9b\xd9\x63\xd2\xd4\xc4\x39\xf4\xfc\xd6\x1a\x07\xe5\x30\x2d\x33\x42\x55\x98\x96\x19\xa1\x2a\x84\xaa\x10\xaa\x5a\x47\x50\xd5\x1a\x4a\x49\xb1\x66\xa0\x2a\xcc\x95\x80\x50\x15\x42\x55\x08\x55\x21\x54\x85\x69\x99\x31\x98\xfb\x33\x07\x59\x5a\xf3\xc1\xdc\xaf\xca\xb4\xcc\xed\x77\x00\x15\x4e\xc7\x1c\x36\x3a\x6e\x07\x61\xb3\x34\xa6\x87\x1b\xd3\x98\xf6\xea\xf7\xd4\xa3\xdf\x89\x4a\xab\x9d\x8d\xcd\xd7\x6e\xad\xc6\xc4\x6e\x94\x09\x99\x23\xf8\xeb\x16\x7e\x65\x65\x01\x30\x8e\x57\x1d\x26\xa3\x24\x57\xc1\x75\xde\x45\x76\x2e\xb7\x7f\x91\xe3\x8c\x3e\x9e\x2d\xfa\x78\x7e\x4f\xab\xbd\xf4\x47\xf8\xd2\xbf\x8f\x0c\xc1\xd2\xdf\x43\x5a\x98\x9a\xe4\x28\xf7\x20\x1d\x26\x87\x62\x0f\xd2\xd6\x4a\x1a\xe7\x3e\x23\x39\xf2\x80\xe2\x33\xd2\x52\x51\xcd\x26\x5b\x6e\x4e\x16\x55\xc9\x99\x66\x84\x53\xef\x9f\xf5\x55\xcb\xa2\x5b\x53\x53\x2d\x47\x72\xe9\xee\x0a\x5f\x51\x2e\x97\xe4\xa3\x2b\x23\xa1\x30\xad\x32\x42\xb4\x08\xd1\x22\x44\x8b\x10\x2d\xa6\x55\xc6\xb4\xca\xe8\xad\x8f\x69\x95\xd1\x54\x80\xa6\x02\x34\x15\xa0\xa9\x00\x4d\x05\x6d\x31\x15\x60\xd0\x16\x0c\xda\x82\x41\x5b\x30\xad\x32\x5a\xe2\xd0\x12\x77\x95\xa7\x55\x5e\x46\xda\xe3\x95\x34\x73\xb5\x3f\x44\xc4\x3f\x66\xc8\xf3\x6a\x05\xbe\xd5\xff\x20\xa3\xff\x5e\x26\x11\xdc\xe8\xa6\x22\x0d\x93\x2a\x30\x37\x6c\xf6\x3e\xaf\x48\x63\x5e\xf9\xf0\xe4\x78\x04\xfb\xb5\x31\xb1\x65\x55\x41\x43\x55\x05\x0d\x35\x53\xd0\x44\x89\x3c\xc8\x27\xcf\x49\x72\x1c\x26\x0f\xd8\xea\x5a\x98\x3c\xca\x77\x36\x13\xe7\x41\xff\xe3\x1e\x32\xce\x3b\xdb\x2a\xd9\xf4\x62\x48\x5d\x58\xaf\x95\x5c\x7f\x58\x54\x03\xf9\x72\x10\x7a\xf3\x51\x0f\xab\x6d\x13\xe1\x87\x5f\xdd\xa3\xff\xe2\x46\xf2\x43\x89\xa2\xa4\xbd\xe1\x37\x34\xb1\x34\x63\x9b\xb4\xe5\x46\xaa\x9f\xf4\x0a\x80\x2a\xa2\x4f\x18\x95\x55\x64\x15\x25\x6b\x48\xaa\x67\x5d\x50\x62\x57\x0c\x7f\x27\xf0\x4c\xaf\x44\x25\x84\x12\x84\xd4\x2a\xf4\xc5\xe7\x3e\x38\xdb\x8a\x53\x02\x3b\x3a\xc6\x07\xda\xae\x04\x54\xa3\x94\x9d\xed\x1d\x84\xea\x86\xd5\xaf\x8b\x0c\x23\x35\x9a\xbd\xc6\x5d\x18\x26\x2e\xd4\xb6\xc7\x4d\xf2\x09\x39\x4e\x8e\xc0\x84\x1c\x26\x87\xc8\xc1\x16\x26\x24\x70\x11\xc6\x16\x94\x70\xa9\xb5\x63\xe2\x2c\xf2\x98\x38\x2f\x6a\x2c\xad\x4e\xea\xc7\x6b\x19\xc2\xd2\xe6\x71\x24\xc4\x6a\x8c\x12\x46\x1d\x41\x57\x0e\x8c\x3a\x82\x76\x42\xb4\x13\xa2\x9d\x70\x3d\xd9\x09\x31\xea\x08\x46\x1d\x41\xfb\x0c\xda\x67\xd0\x3e\x83\xf6\x99\x35\x61\x9f\x99\x18\x23\x23\xfa\xb0\x79\x48\x86\x2b\xbd\x2b\x91\x7f\xa9\xc6\xf1\x6d\xe5\xc3\x96\x62\xf0\x12\x04\xb6\x31\x78\xc9\xd5\xe3\x62\xa2\xbf\xfa\x5c\x94\x3c\xcd\x62\x67\xb7\xa2\x0d\x01\xe2\xe3\x6c\x71\x12\xd8\x14\xb0\x81\x9d\xa7\x81\xfe\x47\x8f\xe9\x5f\xdd\x4e\x6e\xaa\x78\x43\xe2\x97\xdd\xf5\xe3\x99\x0c\x4f\x8e\x4f\xf3\x92\x7a\xef\x62\x4f\x0e\x27\x8b\x11\x40\x61\xfc\xd4\x1a\x87\x06\x31\xba\x09\x42\x62\x18\xdd\x04\x21\x31\x84\xc4\x10\x12\x5b\x47\x90\xd8\x1a\x62\x86\xaf\x19\x48\x0c\x29\xcb\x08\x89\x21\x24\x86\x90\x18\x42\x62\x18\xdd\x04\x39\x95\xcf\x1c\xe8\x69\xcd\x73\x2a\xaf\xca\xe8\x26\xaf\xd4\x48\x91\x53\xa7\xce\x93\xc7\x80\x3a\xf5\x10\x39\x43\x4e\xa7\x52\xa7\xd8\x44\xe8\xb7\x8a\x45\xd6\x5b\xa1\xe7\xc7\xec\xa9\x4a\xd4\x2a\x0a\x29\x10\xc3\x47\x6d\xc9\xe2\x44\x1b\x33\xad\x72\xfa\x03\x31\xb1\x2a\x05\x49\xab\x66\x84\x72\xae\x55\xdc\x52\x62\xfe\x3c\xa9\x8d\xaa\x3d\x27\x8a\x88\xe2\xaa\x08\xda\x76\x7e\x75\xd5\x30\x34\x0e\x79\xcd\x92\x02\x99\xa9\x08\x90\x32\x45\x26\xdb\x3d\x74\xe8\x9e\x8b\x01\x54\x5a\x0c\xa0\xf2\xd5\x4c\x6d\xc2\x66\x9e\x4b\x9d\x47\xc8\xc3\x20\x75\x20\x96\x46\xbb\xa7\x2e\x99\xe3\x01\x56\x2c\x72\x2e\x0e\xb0\xb2\x32\x35\xd9\x3c\x00\xcb\x0c\x39\xaf\x04\x60\x59\x91\xaa\x22\x69\xd9\x9c\x34\x6c\x2c\xef\xea\xcb\xcb\x46\x71\x60\x7a\x7f\xd0\x57\x5b\x5a\xde\x91\x1a\xb3\x45\x11\x9c\x3b\xf9\x03\xe9\x82\x33\x0e\xdf\xb2\x62\x22\x14\x23\xb8\x20\x0c\x8d\x30\x34\xc2\xd0\x08\x43\x63\x04\x17\x8c\xe0\x82\x11\x5c\x30\x82\x0b\x9a\x43\xd0\x1c\x82\xe6\x10\x34\x87\xa0\x39\xa4\x2d\xe6\x10\x8c\xe0\x82\x11\x5c\x30\x82\x0b\x46\x70\x41\x6b\x23\x5a\x1b\xdb\x1e\xc1\xa5\x26\xb6\xde\xd6\xd0\x2e\xad\x44\x70\x59\x1d\x4b\x5d\xfb\x83\xb9\xfc\x75\x17\xb9\x3d\x22\xe2\x97\x82\x81\x85\x28\x94\x48\xc1\xa2\xf3\xec\x44\x14\x06\xfa\xaf\x77\xe9\x1f\xdb\x40\x36\xb3\xfb\xe7\x16\x06\x3b\xcb\x42\xd9\x74\x0b\xf6\x82\x5d\x28\x5b\x4e\x22\x60\x88\x3c\xd8\x8d\x42\x01\xd3\x34\x6c\x4b\x64\x90\x6c\x6f\xb7\x88\xed\x51\x0a\xce\x0c\xca\xb2\x8f\xdb\x41\x78\xd8\xf3\x87\x1d\xe7\xa4\x35\x4f\x83\x92\xd5\xce\xe8\x31\x2b\x16\xd2\xa3\xed\x91\x3b\x1a\xda\x99\xb7\xa5\xcf\xe4\x6b\x75\x02\x0d\xe3\xc6\xe6\x13\x8d\xa7\x70\xaf\xde\x2d\xa7\x70\x29\x10\xf3\x53\x8e\x86\x3a\x81\x31\x64\x07\xfa\x27\x60\xc8\x0e\x34\x0c\xa1\x61\x08\x0d\x43\xeb\xc9\x30\x84\x21\x3b\x30\x64\x07\x02\xf2\x08\xc8\x23\x20\x8f\x80\xfc\x9a\x00\xe4\x31\xd6\x06\xc6\xda\xb8\x5a\x20\x48\x8c\xb5\xb1\x12\xb1\x36\x2e\x5d\x4b\x4e\x0a\x88\x4f\x00\x43\x15\x91\x36\x06\x5c\x09\x9e\xf1\x40\xc1\xf0\xfb\x65\x03\x8e\x97\xb7\x9c\xa0\x0c\x82\xca\xca\xe7\x69\x10\xb0\xc3\x04\x5d\x0c\xf4\xdf\xbd\xc6\xfc\xda\x46\x72\x63\xa2\xbc\x73\x0b\x83\x9d\x77\xca\xf4\xa9\xc7\xd9\xbb\xd3\xfc\xdd\x61\x78\x77\x0a\xde\xed\xdd\x2b\x3c\x07\xd4\x57\xcf\x0c\x4a\xf8\xae\x50\xeb\xc5\x36\xf3\x60\xc1\xe7\xa3\xc2\x95\xa0\x4e\x44\xe7\x6c\xb2\xeb\x16\x06\xb3\xb5\xda\x39\xf1\x81\x0c\x79\x21\xa7\x46\x9f\x26\x53\x0a\x35\xba\x6e\xc4\xe8\xe6\xcb\xaf\x8d\x81\x2f\x27\x42\xf5\x32\xea\x7b\x98\x33\xca\xa7\xc9\xf3\x63\x46\x79\x9b\xca\x6e\x36\xf3\xa6\xd3\x18\x99\x1c\xd7\x8f\x44\xc8\x64\xca\x24\x17\x48\x65\xcd\x6f\x4c\x00\x97\x48\xed\xab\x4f\xed\x9b\x40\xef\x8f\x1a\xde\x1f\xe7\xc9\x63\xfa\x23\xe6\xc3\x32\x3a\xda\x90\x50\xf2\x78\x4f\xb8\x05\x98\x9b\x46\x90\xf7\x4a\xb4\xcf\x08\xca\xf9\x39\xd6\x02\xd8\xd7\xa8\x35\xcf\xb7\x86\x92\xef\x81\x52\x69\x6e\x95\x82\x78\x25\x03\xa7\xe9\xff\x92\x21\xb7\xd5\x0d\xc4\xa4\x7f\x39\xa3\xff\x41\x86\xdc\x50\x71\xbb\xb3\xb3\x08\x16\xfd\x59\xcf\x9f\x97\xbb\xad\x65\xc0\x1a\xec\x65\xf7\x2a\x3c\x1c\x86\x27\xc7\x8f\xb0\x7b\x6b\x30\xb6\xbf\x4d\x4e\x72\xc9\x79\x84\x8c\x81\xe4\x3c\x44\x0e\x92\x03\xad\xc5\xf6\x87\x6f\x6c\x18\xd4\xff\x9f\x33\xe4\x39\xbc\xd3\x67\xc0\xd8\x16\x05\xbb\xd2\xbf\x9a\xd1\xbf\x9c\x21\xd7\xc1\x55\xe9\x53\x52\x33\x81\xc2\x2d\x45\x1a\xe6\xd8\xa3\xb1\xdf\x1d\xe6\x50\x48\xe9\xee\xff\xe8\x24\xfb\x1b\x04\x1b\x53\xe3\x8c\x89\x64\x09\x03\x01\x18\x83\xf5\x4f\x75\xea\xbf\xdc\x41\xf4\x6a\x8f\x9f\xce\x2e\x9f\x5a\x05\x83\x3f\x16\x49\xdd\x18\x79\x50\x9c\x7e\xee\x66\x0f\x56\xb9\xfc\xc4\x0f\x70\xb3\x73\x7b\x35\x9c\x89\x25\xf2\x18\xef\xee\xb3\xe4\x41\xe8\xee\x53\xe4\x04\x39\x76\xb9\xbe\x59\xaa\x07\x58\x23\xab\xe3\xf9\xc6\xdb\xf6\x41\xfd\x40\xd3\x36\xf1\x6a\x73\xf8\xe3\xb7\xa5\x2b\x0e\x9b\xf4\x0d\x45\x1a\x92\xce\xcf\x6c\x4d\x1d\xb7\x5e\x9f\x96\x1c\x2b\x4f\x9b\x19\xba\x6e\xf1\xec\x2a\x8f\x5e\xce\x22\xe7\xc8\xa3\x15\xfa\x69\x7b\x87\x0f\x5d\x18\xd0\xcb\xb5\x45\x3d\xe7\x2f\xb5\xda\xa7\x90\x95\x16\x3a\x79\x7e\x1c\x79\x84\x3c\x1c\x1f\x47\xda\x5d\x49\x24\xc0\x6a\x8b\x97\x52\x39\x24\x2b\x2f\xdf\x72\xbf\x74\x6d\xaa\x00\xdb\x5d\xb2\xfc\xd0\x06\xab\x2d\x87\x0a\x9a\x91\x64\xdb\x4b\x22\x39\xce\x6a\xc9\xb1\x5b\x2a\x0b\xea\x87\x16\xec\x00\x1d\xe2\x56\xf5\xe6\x3c\xf5\x8b\x54\xbd\xbb\x5d\xbd\x0b\x6d\xa5\x45\x3b\xdf\x5f\xf5\x5c\xa2\x14\xf6\x7b\x49\xdc\x65\xad\xcc\x31\x3d\x63\xa2\x42\x86\x0e\x91\x7d\x2d\x68\x1c\x93\xc0\x70\x40\x81\xd9\x40\x60\x7e\xb4\x83\x7c\xa8\x43\xff\x40\x47\xe7\x93\x92\xf2\xf3\x44\xc7\xfa\x11\x98\x15\x46\x21\xd6\xcf\x40\x72\x00\xc3\x25\x9b\x9c\x31\xd5\xa9\xbb\xc6\xc4\xed\x01\x6b\x3f\xe7\xc4\x58\x0e\xbc\xe9\x7a\x6e\x3f\x7f\x1b\x9e\x00\x4e\x54\x60\x74\x4f\x04\x9e\x3b\xc9\x39\x3f\x27\xd8\xb2\x10\xbf\xa7\xa3\xc5\x12\x5f\xec\xa9\x2d\xc9\x73\x5f\xd2\xc8\x17\x35\xfd\xf3\x5a\xe7\xe7\x24\x9e\xf9\x94\x76\xd8\xf3\xf3\xc0\x23\x29\x7a\xd0\xed\x9e\x61\xce\xb2\x4b\xa6\x31\x9c\xf8\x0a\x40\xaa\xb9\xc3\x58\x39\x88\xd9\x0d\xfd\x56\x1e\x3e\x1c\x38\x23\x8e\x9d\x17\x4c\x70\xea\x14\x02\xc3\x5b\x14\x7d\xca\x39\x15\x25\xea\x95\x1c\x9a\x35\x78\x8d\x40\xd2\x8a\xc6\x12\x10\xe3\xd4\x0e\x90\xd5\x9b\x1b\xa1\x59\x09\xc2\xd1\x95\xd7\x7a\x6b\xa7\xcf\x2a\xf1\xf4\x59\x2b\xbe\x6d\x4c\xec\x25\xf7\xe8\xbb\xcd\x41\x89\x43\x3c\x57\x8d\xd2\x1e\x3f\xb8\xf2\x71\xd9\xd9\x49\xf7\x96\x3a\xd8\xb3\xfe\xfb\x19\xfd\x0b\x19\x72\x5d\xe2\x66\x5d\x68\xe1\x79\x45\x1a\x26\xb0\x63\x04\x16\x94\x93\xee\xdf\x74\x47\x61\xb5\x5d\xaf\xa0\xe6\x65\xe4\xa4\x5e\xbf\xec\x86\xf6\x3c\xcd\x3b\x56\x10\xc8\x73\xae\xfe\xa1\x6e\xfd\xff\x6c\x20\x9b\xd9\x1b\x4c\xb9\xf8\xc5\x66\xd2\x00\x4e\xf1\x92\x46\x58\x49\x6b\x22\xf5\xdf\x4d\x50\xdd\x49\xaf\x40\xcf\x0c\xaa\x8d\x43\x36\xf0\x72\x24\x94\x48\xf0\x77\xb6\xb1\x84\xda\xa3\xef\xe2\x72\x47\xed\xec\x84\x58\x12\x02\x4c\x99\x88\xc8\x09\x46\x4e\x30\x72\x82\x91\x13\x8c\x9c\x60\xe4\x04\x23\x27\x18\x39\xc1\xc8\x09\x46\x4e\x30\x72\x82\x91\x13\x8c\x9c\xe0\xd5\xe6\x04\xef\x27\x7b\xf5\x7b\xcc\xdd\x12\x20\x7a\x9e\x0a\x10\xa9\x27\x3a\x4c\xdd\x87\x74\x62\xa4\x13\x23\x9d\x58\xa1\x13\xff\x4f\x17\xc9\xa6\x61\x8c\x9c\xc2\x94\x06\x34\xea\xbf\xdf\xa5\xff\xe6\x06\x72\xad\x40\x18\x39\xab\xe9\x62\x73\x61\x04\xda\x0e\x34\x66\x7b\x0d\x05\x2a\x84\xb6\xa8\x75\x1c\xb7\x83\x10\x31\xc3\x16\x23\x08\x3c\xd2\x18\x37\xdc\xaf\xef\x4d\x01\x06\xeb\x43\x89\x3c\x18\x06\x82\x87\x08\x1e\x22\x78\x88\xe0\x21\x82\x87\x08\x1e\x22\x78\x88\xe0\x21\x82\x87\x08\x1e\x22\x78\x88\xe0\x21\x82\x87\x18\x50\x00\x11\x40\x44\x00\x11\x01\x5c\x2d\x04\xf0\x2d\x5d\xdc\x7d\x11\x42\x07\x78\x85\x98\x49\xf8\x83\xed\xfa\x67\x33\x64\x73\xde\xf3\x81\x49\x78\x13\xf8\xc7\x25\xcf\x96\x27\xbd\x02\xed\xbd\x9e\xdd\x18\xf1\x7c\x7a\x66\x90\xfd\xdd\x66\xc7\xb7\x69\xb2\x8f\xc3\x63\x83\x64\x00\xe0\xb1\x1e\xd2\x45\xee\xae\xe9\xad\xce\x5a\x9b\x5d\x18\xcc\xb2\x96\x34\x84\xc1\xea\x3b\x9c\x3d\x7e\xb8\x31\x00\xb6\x4d\xbf\x53\x00\x60\xa6\x29\x70\x2f\xa8\x59\xa5\xce\x75\xbe\x7c\x4b\xdc\x8b\x9d\x91\xb7\x5a\x4a\x47\x3e\x4b\xdc\x5b\xa9\xbe\xcc\x1d\x20\xfb\xc9\xde\x0a\x17\x8a\x66\x3b\x13\xfd\x25\xd0\xc1\xac\x45\x07\xb3\xb7\x68\x97\xb1\x86\x0f\x72\x0f\xb1\x7b\xc9\x9e\xd8\x43\xac\x8d\x22\xa0\x4d\x6b\xbc\x81\x73\x59\xef\xdf\xde\x10\x8b\x80\xeb\x44\x34\x7a\x8b\xaf\xfa\x1b\xf9\x9f\x2b\xb6\xe8\x57\x26\x47\x20\x4a\x83\x06\xd2\x00\xf3\x54\xad\x4a\x9e\x2a\x4c\x50\x82\x09\x4a\x30\x41\xc9\x4a\x25\x28\x99\xf8\x74\x1d\xdf\xf0\xb6\x66\x69\x20\x53\x3c\xca\xd6\x31\x32\xae\x44\xd9\x6a\x4f\xe6\x87\x76\xed\xf1\x46\xfa\x1e\xbf\x55\xdf\xcc\xbb\x9b\xe4\x7e\xfb\x9a\x78\x9b\xdf\x56\xe5\xd6\x9d\xa2\xf2\xdf\x00\x5e\x84\x2b\xb1\xf7\xa3\xbf\xf6\x7a\xd3\x38\xd0\x5f\x1b\xfd\xb5\xaf\xb0\xbf\xf6\x4a\x82\x35\x0d\x3d\xb1\x9b\x13\xf3\x35\x84\x7b\x2c\xfd\x27\x06\xc9\x80\xde\x6f\xee\x90\x74\xda\x1b\x55\x3a\x2d\x7b\x71\x15\x3c\xad\xbf\x9e\x21\xd7\x27\x13\xf9\xe8\xbf\x9b\xd1\xff\x7f\x99\x38\x71\x4f\xcd\x38\x62\x3f\x04\xe1\xda\x4a\xc1\x19\x8c\x20\x56\xc3\xaf\xfa\xff\x12\xb2\xab\x7e\x08\xd5\xd4\x30\xa9\xbf\x4a\xcc\x0f\xa6\x85\x49\xbd\x55\x86\x49\x4d\x8b\x90\xda\x9d\x1a\x21\x75\xe5\x43\xa2\x4e\x93\xe7\x93\x53\x15\xdb\x6f\x1d\x5e\x61\x75\x98\xcf\xb4\x68\xa8\x97\x32\xcb\x22\x2b\x36\x55\x28\x9f\x05\x83\x30\x0b\x24\xc2\xd3\x86\x62\xcf\x70\x85\xf2\x14\x39\xa1\x28\x94\x6d\x28\xb7\x91\x9c\x6a\x14\xfe\xb4\xd8\x58\x4c\x8d\xea\xb9\x14\xd9\x54\x27\x14\x6a\x5a\x3b\x31\xf2\x29\x46\x3e\x6d\x11\xb0\x6d\xfb\x76\xf6\xf6\x6b\xc8\xde\xba\x12\x97\xd3\xcd\x53\xc5\xee\x5f\x10\xf3\x0f\x36\x92\x1f\xaa\x14\xbb\x9c\x77\x5e\x5f\xf6\xf6\xa7\xca\x5e\x78\x73\xed\xc7\xa4\x86\x66\xa6\x4a\xe1\xf6\xc4\xa4\xae\x59\xfe\x0a\xc5\xa4\xae\x5d\xdf\xe5\xc7\xa4\xae\x59\x76\x24\x94\x9b\x8b\x39\x5d\x5b\x98\x56\xf1\xd7\xeb\xc9\xe4\x46\x5b\x00\x4a\x66\x94\xcc\x6b\x45\x32\xff\x5d\x0f\x19\x4a\x0b\x5e\x5c\x23\x89\x40\xde\xf7\xdc\xc7\xbd\x19\xc9\x11\x78\x7f\x8f\xfe\xbd\xaa\x10\xc7\x9d\x29\x4c\x81\x11\xdf\x73\x27\xbc\x99\xde\x3b\xd9\x3d\x35\xcc\x71\x9c\x2b\x40\x3c\xd2\x66\xfe\xc0\x23\x64\x98\x4b\xad\x21\xb2\x0f\xa4\xd6\x2e\xb2\x93\x64\x6b\x4a\x16\xf8\x12\x29\x51\x44\x93\x2e\x97\x48\xf0\xfc\xc6\xd2\x27\xab\xf7\x09\x91\x02\x2d\x10\x7a\x5d\x54\x7f\x95\xf8\xe9\xfc\xed\x2d\x95\xbd\x7e\x5b\x3a\xb3\x20\xea\xf8\xbb\xc4\xed\x55\xec\xfb\xdc\x28\xc9\x91\x07\x2a\xb6\xc0\x65\x77\x3e\x02\x7f\x48\x3c\x68\x51\x5a\xbe\x4f\x23\x87\xb9\x6e\x71\x88\x1c\x8c\x75\x8b\x76\x4a\x80\x36\x48\x97\x26\xe3\xd3\xb6\x5f\x88\xf4\xbe\xee\xc6\x4a\x21\x72\xa3\xe4\x26\x44\x72\x63\x1b\xbf\xb2\x9a\x62\x03\x19\x0b\xc8\x58\x40\xc6\x02\x32\x16\x90\xb1\x80\x8c\x85\xf5\xc9\x58\x68\xff\x5e\xdf\x04\x79\xe1\x5f\xae\xa9\xd4\x06\xb6\x37\xa0\x30\x44\x3a\x82\x09\x16\xb8\x55\x52\x11\x90\xd8\xb0\xde\x14\x13\x24\x36\x20\xb1\xe1\x0a\x13\x1b\x56\x05\x45\x6a\xc8\x70\x68\xff\xb6\x30\xb1\x87\xec\xd2\x77\x9a\x59\x49\x76\x78\xb6\x4a\x76\x10\xaf\x55\xf3\x1d\xae\xc2\xd4\x78\xbf\xda\x4d\xee\xe3\x40\xa7\x3f\x63\xe5\xb3\xb5\x2c\xff\x3c\xe2\x51\xde\x29\x07\x21\x13\x80\x0e\x9d\x61\xb2\xd7\x2d\x06\xfa\xf7\xbb\xf4\x7f\xda\x40\x9e\xc3\xde\x1e\xae\xa4\x00\xfc\x70\x73\xe1\x8f\x46\x78\xb1\x53\x9e\x43\x73\xbc\xd8\x36\x05\x41\xca\xc2\x0b\x53\x95\x4d\x3b\x33\x58\x5d\x23\x86\x44\xba\x8c\x90\x48\x17\x1a\x2f\xc0\xa3\xfa\x61\xb1\x00\x6b\xce\xb3\x68\x51\x56\x8d\x4d\x32\x73\x29\x46\x48\xc2\x08\x49\x18\x21\x09\x23\x24\x61\x84\x24\x8c\x90\x84\x11\x92\x30\x42\x12\x46\x48\xc2\x08\x49\x18\x21\x09\x23\x24\x61\x84\x24\x8c\x90\x84\x11\x92\x30\x42\x12\x46\x48\x5a\xa5\x08\x49\xbf\xdf\x4d\x86\x1b\x43\x87\x6a\xc4\xf4\x34\xfc\xf0\xd5\xdd\xfa\xd3\x1b\xc8\xcd\x69\xf8\x21\xb7\xb6\x5d\x69\x10\x71\x77\x2d\x10\x11\x9a\x87\x48\x62\x5b\x91\xc4\x52\x63\x24\xf1\x84\x7e\xac\x2d\x48\x22\x06\x5c\x47\x38\x11\xe1\x44\x84\x13\x11\x4e\x44\x38\x11\xe1\x44\x84\x13\x11\x4e\x44\x38\x11\xe1\x44\x84\x13\x11\x4e\x44\x38\x11\xe1\x44\x84\x13\x11\x4e\x5c\x5d\x38\xf1\x4d\x3d\x64\x40\x06\x5c\x4f\x77\xb3\xa6\x6e\xa1\xe4\xd9\x6e\x28\xfd\xac\xff\xa2\x5b\xff\x1b\x25\x16\xfb\xad\x29\x1e\xd6\x63\xd1\x3b\xbd\xb7\x29\x01\xd9\x25\x0f\x5f\xde\x6e\xb3\x7f\xf5\x43\x3c\x42\xf3\x4e\x88\xd0\x9c\x39\x75\x4c\xcf\x92\x3e\xd2\xdb\x30\xe4\x97\x6c\xce\xe5\xfa\x56\x1f\x6b\x0c\xa4\x75\xeb\xdb\x2b\x83\x3b\xc6\xd5\x27\x22\xb5\x3f\xa5\x44\x6a\xbf\x23\xdd\x9f\x3a\xee\x66\x23\x19\xae\x7d\xa5\x7b\x3a\xf7\x00\xb9\x9f\xdc\x57\xe1\x77\xb0\xac\xae\x46\x4f\x03\xf4\xa4\x6e\xd1\x93\xfa\x5d\xda\xe5\x2e\xf3\x1c\x77\xc4\x3e\x40\xf6\xc7\x8e\xd8\xed\x16\x15\xed\x94\x05\x8d\x22\xba\xff\xa7\x12\xd1\x3d\xf2\x9a\x8e\x65\xc3\x1d\x89\xa0\xee\x2b\x2e\x1a\xd0\x63\x1a\x3d\xa6\xd1\x63\x1a\x3d\xa6\xd1\x63\x1a\x3d\xa6\x5b\xf1\x98\x5e\xf3\x8e\xd1\xab\xbb\xf5\x37\xf6\x95\xfe\x6b\x25\xd0\x7b\x77\x03\x2f\xe9\x58\x2b\xb8\x5d\x8d\xf6\xbe\x92\x4a\x01\xfa\x48\xaf\x37\x55\x04\x7d\xa4\xd1\x47\xfa\x0a\xfb\x48\xaf\x38\x12\xd4\x56\x19\xdf\xc8\xd9\x7a\xe2\x5e\xb2\x47\xdf\x65\xee\x94\x3e\xce\x3f\xa4\x7a\x46\xcb\x42\x9f\x11\xbe\xd1\xbf\xdf\x45\x6e\x4e\x06\x81\x14\x3c\xc6\xc7\xbd\x99\x40\xff\x48\x97\xfe\x9e\x0d\x64\x4b\x14\x1a\xa4\xd3\x6b\x8e\xa7\x38\xe1\xcd\xb4\x89\x98\xb8\x6d\x51\x09\x2f\x32\xe1\xcd\x1c\xb7\x83\xf0\xb0\xe7\x0f\x3b\x8e\xdc\x44\xdb\xb7\x77\xae\x37\x22\xe2\xd1\xc6\x8b\xea\x6e\x7d\x5b\x4a\x4c\x81\x8a\x78\x02\x48\x30\x44\x82\x21\x12\x0c\x91\x60\x88\x04\x43\x24\x18\x22\xc1\x10\x09\x86\x48\x30\x44\x82\x21\x12\x0c\x91\x60\x88\x04\x43\x24\x18\x22\xc1\x10\x09\x86\x48\x30\x5c\x35\x82\xe1\xbf\xf7\x90\x07\x38\x9c\xc7\xa1\x95\x4a\x1f\xe5\x5a\xa4\x43\x78\x38\x62\x1c\x7e\xac\x47\xff\xf7\x0c\xb9\x9e\x5f\x94\x3e\xca\xcf\x4b\x23\x1e\xb2\x47\x7a\x0d\x76\x07\x7e\x06\x55\x31\x80\xe1\x72\x9b\x79\x87\x2f\x24\x0f\x70\x40\x6d\x3f\xd9\x0b\x80\xda\x20\x19\x20\xfd\x35\xd1\x66\xd1\x13\x51\x48\xce\xe6\x00\xb4\x06\xd4\xc3\xb3\x8d\xa1\xb3\x3d\xfa\x2e\x01\x9d\x25\x86\x22\x82\xa6\xa1\x15\xd5\xc9\x5d\x3e\xbb\xa5\xaa\xe3\x6f\xa9\xc1\x46\x84\xbe\xdf\x26\x6e\xae\x5e\xf7\xe7\x46\xc8\x30\x39\x54\x61\xe0\x5b\x6e\xff\xa3\x55\x0f\xf9\x88\x2d\xf2\x11\xdf\xa3\xb5\x61\xf9\x8f\x71\x4a\xe2\xfd\xe4\xbe\x98\x92\xb8\x02\x52\xa4\x39\x31\x51\x57\x22\xa4\xca\x90\x46\x0c\xc5\x37\xdf\x58\x25\x45\x6e\x88\xd2\xbb\xb8\x42\x72\x98\xfc\xc2\x2a\x0a\x0e\xa4\x2a\x22\x55\x11\xa9\x8a\x48\x55\x44\xaa\x22\x52\x15\xd7\x27\x55\xb1\x21\xbb\x70\xc5\x0e\x16\xb9\x7f\xbb\xa6\x4a\x25\xb8\xab\x11\x7b\x11\xf4\x84\x3b\x4b\x92\x76\xb0\xe2\x6a\x02\x92\x17\xd7\x9b\x72\x82\xe4\x45\x24\x2f\x5e\x61\xf2\xe2\x6a\xc0\x49\x0d\xf3\xbb\xac\x94\xdc\x9f\xd8\x45\x76\xea\x59\xb3\x4f\x72\x12\x9f\x95\xe0\x32\xb2\x97\x9e\x11\x3c\xc6\x57\xee\x20\x39\x0e\x7c\x72\xe5\xa3\x8e\x87\x75\xc9\x2b\x14\xec\xc0\x2f\xc3\x8a\x99\x29\x17\x8a\x34\x86\x3e\x3f\xdd\xab\xbf\xb5\x83\x6c\xe5\x65\x9c\x5b\x18\xec\xdc\x9e\x82\x7a\x4e\x7a\x85\x51\x59\x40\x0e\x0a\xe8\xed\x61\xcf\x71\xad\x45\x25\xf8\xa7\x3c\xda\x66\x30\xb4\x40\xc6\xf9\xec\xcd\x91\x07\x60\xf6\x0e\x91\x7d\xe4\xde\x9a\xb3\x57\x68\x93\x6c\x83\xaa\x6e\x5a\xc3\x69\xfc\x82\xc6\xb3\xf4\x5e\x7d\x8f\x98\xa5\xbc\x2a\x31\x3d\xd3\x6a\x6b\xd2\xe7\x92\x3d\xda\xf9\x2f\x5b\xd4\x51\xe9\x49\x87\x44\xd3\x06\xa6\x4f\x3c\x7a\x05\xc6\x26\x77\x9c\x4c\x90\xa3\x15\xda\x44\xcb\x83\x83\xba\x04\x42\xa6\x2d\x42\xa6\xbf\xa4\xb5\x53\x48\x9c\xe4\xd8\xe9\x11\x32\x16\x63\xa7\x2b\x29\x74\x1a\x24\xc7\x5e\x39\x99\xd4\xfb\xde\x1b\x55\xa1\x73\xab\x4c\x90\x9d\x26\x67\x76\xf0\xbb\x57\x42\xcc\x20\xae\x8a\xb8\x2a\xe2\xaa\x88\xab\x22\xae\x8a\xb8\x2a\xe2\xaa\xe9\xb8\xea\xca\x69\x09\xb9\xb7\x5c\xab\x6a\x09\xbb\x1a\x80\xaa\x69\xba\x43\x2f\x80\x00\xab\xac\x3a\x20\xd6\xba\xde\x14\x16\xc4\x5a\x11\x6b\xbd\xc2\x58\xeb\x33\x05\xad\x6a\xe8\x42\xfe\x00\xb9\x5f\xbf\xcf\x1c\x92\x10\xea\x1d\x2a\xec\x9a\x52\xfc\x33\x02\x84\xfd\xda\x79\x32\xc6\x41\x58\xab\x30\x6f\x83\xf7\xaa\x4f\x8b\x36\xec\x10\xc9\x5c\xdb\x20\x4d\x2d\x36\xf5\x16\xe9\xcc\x9c\xe7\x5d\x48\xf8\x1c\x06\xfa\x1b\xce\xeb\x6f\xe9\x22\xcf\x4b\x2d\x86\xed\xb2\xf7\x71\x17\x26\x5f\x38\x5f\x44\x5a\xba\x37\x6b\xb0\x01\xe4\xa2\x13\x8a\x3f\xcb\x8b\x1f\x51\x8b\xef\xdd\xcf\xde\x1e\x4e\x2b\xfb\xcc\x60\xfd\x57\xd7\xb8\xaf\x79\x0e\x1d\xb1\xd1\x11\x3b\x87\x8e\xd8\xe8\x88\x8d\x8e\xd8\xe8\x88\xbd\x6e\x1c\xb1\x73\x6b\xc6\x11\xbb\xed\x2d\x69\xd9\x11\x3b\x87\x8e\xd8\xe8\x88\x8d\x8e\xd8\xe8\x88\x8d\x8e\xd8\xab\xef\x88\x9d\x5b\xd7\x7e\xd3\x39\xf4\x9b\x5e\x39\xbf\xe9\xdc\x5a\xf7\x9b\xce\x5d\x85\x7e\xd3\x13\xaf\xd4\x48\x91\x03\x93\xe7\xc9\x63\x00\x4c\x3e\x44\xce\x90\xd3\x35\x81\xc9\x74\x7c\x6b\x61\x30\x5b\x1f\x3e\x3a\x6e\x07\x8d\x61\xcb\xdb\xd3\xb1\xc5\xcd\xfa\x46\x1e\xb6\xef\xc5\x8d\x61\xcd\xb3\xfa\x83\x2a\x5c\x29\x20\xce\x7a\xa0\x9c\x00\x3e\xeb\x37\x9f\x98\xdf\x26\x75\x40\xb9\x2e\xbe\xad\x19\x56\x23\xfc\xed\x00\x7f\xf0\xca\x22\x70\x1c\x30\x9b\x25\x05\x32\x53\x61\x84\x9a\x22\x93\xed\x1e\x78\x34\x4e\x21\x79\xaf\x45\xf2\xde\x57\x33\x24\xcf\x45\xd3\x23\xe4\x61\x10\x4d\xc0\xf7\x6a\xf7\x0c\x25\x73\x9c\xd6\x67\x91\x73\x31\xad\x6f\x65\x6a\xb2\x39\x43\x60\x86\x9c\x57\x18\x02\x2b\x53\x55\x23\x59\xdb\x9c\x2c\x6d\x9b\xfc\x4c\xd8\x90\x6a\xcb\xf9\x92\x17\x84\xa4\xf7\x57\xfb\xeb\xc8\xda\xdd\x82\x4f\xa2\x90\x73\xbc\xd9\x46\x72\x77\x8c\xbf\x54\x43\xee\x8e\xc8\xa2\x56\x55\x02\xaf\x0c\x7b\x11\x31\x70\xc4\xc0\x11\x03\x47\x0c\x7c\xfd\x60\xe0\xa8\x61\x36\xd0\x30\xd7\x8e\x91\x00\x99\xe3\xab\xc2\x1c\x47\x5b\x0c\xda\x62\xd0\x16\x83\xb6\x18\xb4\xc5\xac\x6b\x5b\x0c\x3a\x10\xa1\x03\x11\x3a\x10\xad\x94\x03\x11\x9a\x3a\xd1\xd4\xb9\x5e\x4d\x9d\x13\xc5\x36\xfb\xce\x35\x82\xab\x7b\xd3\x21\xe3\x67\xeb\xcf\xe2\xab\x39\x96\xb4\xcd\x9a\x09\x97\x0d\x5b\x37\x83\x85\xb7\xdf\xb3\xe0\x3f\xb6\x47\x69\xea\xac\x52\x29\x18\x58\x18\x1c\xf0\x29\xe0\xcb\x4c\xb0\xe8\x5f\xdf\xae\x7f\xa9\x83\x6c\x66\xb7\x20\x2b\x6b\x7d\xe7\x80\x29\xfe\xe6\x34\x0d\x7b\xef\x02\x47\x80\x52\x29\x38\x33\x18\x5f\xbd\xda\xf2\xcb\x3d\xca\x13\xec\xef\x84\x04\xfb\x6c\x12\xee\x26\x83\x64\xa0\xb6\x29\xa5\x54\x0a\xd8\x94\x8b\x3f\xb8\x2d\x56\xe9\x93\x8d\xa7\xdb\x0e\xbd\x27\x9a\x3d\xa5\x52\x20\x2c\x26\x71\x33\x30\xa5\x1c\x7a\x32\x60\x4a\x39\xb4\xe2\xa0\x15\x07\xad\x38\xeb\xd5\x8a\x83\x29\xe5\x30\xa5\x1c\xa2\xe7\x88\x9e\x23\x7a\x8e\xe8\xf9\x9a\x40\xcf\x31\xa5\x1c\xa6\x94\xbb\x5a\xf0\x42\x4c\x29\xb7\x12\x29\xe5\x9e\xe8\x26\x03\x1c\x7a\x73\x69\xb8\xe8\xf9\x17\x98\xb6\x16\x47\xf2\x80\x17\x06\x6c\xb7\xe8\xd3\x20\xc8\x3b\x56\x10\xd0\x40\xff\xc3\x2e\xfd\xb3\x1b\xc8\x75\xf1\x0b\xe7\x16\x06\x3b\x2f\x8a\x5d\xcd\x2d\xd8\x0b\x76\xa1\x6c\x39\xea\xf7\x5a\x52\x83\x1c\xe7\x45\x8d\xb0\xa2\xb2\x8a\x99\x6d\x48\x6a\x17\x5d\x50\x50\x57\x7c\x74\x4e\x9c\x85\xbc\x12\x95\x24\x9a\x20\xa4\x56\x21\xdb\x7b\x27\xbc\x70\x52\xb6\xe6\xcc\xa0\x5a\xc9\x71\x3b\x68\x5f\x58\xad\x15\xc2\xf8\x2e\x90\x49\x8e\xf1\x8d\x93\x23\x80\xf1\x0d\x93\x43\xe4\x60\x0b\x40\xf3\x59\x99\xcc\xa1\x21\xe2\xb7\x2d\x1d\xf1\xbb\x56\x27\xd0\x30\x0e\xfb\x3d\xda\x18\xf6\x1b\xd2\xf7\x09\xd8\xaf\x6a\x02\x09\x0c\x50\x1d\x0d\x44\x01\x11\x05\x44\x14\x10\x51\x40\x44\x01\x11\x05\x44\x14\x10\x51\x40\x44\x01\x11\x05\x44\x14\x10\x51\x40\x44\x01\x11\x05\x44\x14\x10\x51\x40\x44\x01\xaf\x08\x0a\xf8\x83\x0c\xb9\x8d\xa3\x80\x79\xcf\xf3\x0b\xb6\x5b\x19\xd1\x57\x87\x09\x4d\x6e\x50\x6f\x9f\x5b\x18\xec\xbc\xa9\x48\xc3\xe4\x4e\xcb\xbf\xa1\xf7\xb6\x22\x0d\x47\x94\x87\xcf\x0c\x0e\x4f\x8e\x47\x47\xbb\xf6\x91\xee\x86\xaa\x0a\x1a\xaa\x2a\x68\xa8\x99\x82\x26\x4a\xe4\x41\x8e\xc1\x9d\x24\xc7\x01\x83\x3b\x4c\x46\x49\xae\x05\x0c\x4e\xf9\xce\x66\xa8\x77\xfa\xa7\x1e\x23\x87\xea\xf5\x3d\x64\xfa\xab\x95\xed\x0e\x7c\x1b\x02\xfd\xdf\x1f\xd5\xdf\xbf\x9d\x3c\xa7\x62\x74\x78\x1e\xd8\x6d\xf5\xf9\x92\xc7\x59\x09\xbd\xdb\xd9\x43\xc9\xf1\xaa\xc8\x05\x0b\xcf\xad\x71\x20\x15\x03\x24\x23\xa0\x88\x01\x92\x11\x50\x44\x40\x11\x01\xc5\x75\x04\x28\xae\xa1\xd8\x07\x6b\x06\x50\x44\xa7\x7c\x04\x14\x11\x50\x44\x40\x11\x01\x45\x0c\x90\x8c\x5e\xc3\xcf\x1c\xfc\x6f\xcd\x7b\x0d\x5f\x95\x01\x92\x29\x99\xe0\xe0\xd7\x08\x19\x06\xf0\xeb\x00\xd9\x4f\xf6\xd6\x74\x32\x4d\x00\x55\x02\x67\xca\x02\x40\xd4\x16\x67\xd3\x65\xb1\xce\x52\x40\x33\xc1\x3b\x83\x06\xa9\x84\x33\x68\x27\x31\x9f\xda\x5a\x03\x29\xbb\x5e\x46\x38\xe6\xa0\x58\x37\xff\x7b\x15\x61\x31\x8e\x62\x8d\x93\x23\x64\xac\x22\x6a\xf1\x3d\x64\x77\x0b\xc3\x81\x61\xe3\x30\x30\x71\x8b\x81\x89\xff\x4b\x23\xc7\x78\xcc\xe0\x51\x92\x8b\x63\x06\xef\x25\xad\xcd\x44\x1e\x4a\x61\x17\x84\x52\x88\xc3\x02\xb7\x5c\x5a\x2d\x11\x43\x0e\x73\x39\x76\x88\x1c\x04\x39\xd6\x6a\x05\x8d\x45\x15\x44\xf1\x5d\x61\x51\xd5\xfb\x4f\x7d\x35\x44\x55\x67\x6a\x80\x60\x2e\xb6\x76\xf1\x7b\x29\x62\x2b\x8e\x01\xbc\xb2\x02\x0c\x83\xfe\x22\xae\x8b\xb8\x2e\xe2\xba\x88\xeb\x62\xd0\x5f\x0c\xfa\x8b\x41\x7f\x31\xe8\x2f\xda\x17\xd0\xbe\x80\xf6\x05\xb4\x2f\xa0\x7d\xa1\x2d\xf6\x05\x0c\xfa\x8b\x41\x7f\x31\xe8\x2f\x06\xfd\x45\xf3\x1d\x9a\xef\xae\xf2\xa0\xbf\x2b\x8b\x20\x2f\x27\xa6\xf0\xc4\x79\xf2\x98\xfe\x88\xf9\xf0\x16\x4d\xdf\x50\xb2\xc2\xb9\xce\x21\xb1\x9f\x73\xe3\x87\x5b\x30\x58\xeb\x8d\x20\xef\x95\x68\x9f\x11\x94\xf3\x73\x4c\xa7\x81\x41\xa3\xd6\x3c\x17\xaf\x25\xdf\x83\xbd\xd1\xdc\x2a\x49\xea\xbd\x62\xf4\xdf\xb1\x02\x8e\x46\xfa\xab\x65\xf8\x92\x20\xf4\x7c\xab\x48\xab\x62\x97\x2c\x78\x4e\x79\x9e\x5a\x61\x68\xe5\xe7\x98\x06\x1e\xe8\x5f\xe9\xd2\x7f\x67\x03\x21\xe2\x85\x73\x0b\x83\x9d\x2f\x6d\x2e\x76\xc9\x19\x28\x6a\x58\x16\xd5\xa6\xf8\x25\x26\xbc\x30\xcd\x9b\x73\x66\xb0\xb2\x96\xab\x23\x80\x49\x4d\x83\x4c\xdb\x23\x9b\x2c\x2b\x80\xc9\x63\x8d\x57\xd7\x01\x7d\xbf\x58\x5d\xc9\x29\x14\xe5\x7c\xac\x18\x0e\x8c\x60\x82\x0e\x07\x18\xc1\x04\x0d\x53\x68\x98\x42\xc3\xd4\x7a\x35\x4c\x61\x04\x13\x8c\x60\x82\x06\x01\x34\x08\xa0\x41\x00\x0d\x02\x6b\xc2\x20\x80\x11\x4c\x30\x82\xc9\xd5\x02\x81\x62\x04\x93\x95\x88\x60\xf2\xdd\x9b\xc9\xfd\xc9\x14\x62\x35\x22\x66\x04\xa1\x15\xd2\xd9\xb2\xc3\xd6\x2e\xbf\xf1\xb2\x81\x20\x6f\x39\x54\xff\xf0\xcd\xfa\x7f\x66\xe2\x3c\x63\x5d\x3e\xb5\x0a\x06\xdc\x8a\x3a\x39\xde\x71\xa7\x45\x29\x90\x66\x8c\x3d\xc8\xd3\x8c\xc5\xb4\x5a\xe5\x81\x69\x56\x44\x7b\x19\xb6\x13\x2f\x24\x0f\x70\x5c\x6d\x3f\xd9\x0b\xb8\xda\x20\x19\x20\xfd\xb5\xb3\x82\x95\x43\x8f\x7d\x09\x53\x61\x17\x06\xb3\xd0\xa2\x86\xc8\xf4\x64\x63\xec\xac\x5f\xdf\x11\xe5\xfc\x8a\x6b\x10\xc0\x19\xaf\x44\x45\xcb\x1e\xbf\x2d\x1d\xb2\xdb\xa4\x6f\x28\xd2\x90\x74\x7e\x7e\x4b\xdc\xfb\xbd\x3e\x2d\x39\x56\x9e\x36\x33\x00\x5d\xe2\xd9\xd5\x1d\x83\xdc\x08\x19\x26\x87\x2a\xdc\x34\x96\x3b\x08\x48\xf1\x43\x07\x8d\x16\x1d\x34\xde\xa3\xb5\x41\x06\x8c\x71\x17\x8f\xfb\xc9\x7d\xb1\x8b\xc7\x55\x2e\x4a\x4a\xe5\x90\xe4\x9e\xbe\x26\x16\x25\xbb\x4b\x96\xcf\x4e\xb1\xec\xe4\x07\x7b\x4e\x33\x32\xe5\xee\x12\xdb\x62\x56\x4f\xa2\xdc\x52\x59\x50\x3f\x34\x60\x07\x84\xb4\xba\x55\xbd\x39\x4f\xfd\x22\x55\xef\x6e\x57\xef\x42\xb2\x4e\x5a\xb4\xf3\xfd\x55\xcf\x25\x4a\x61\xbf\x97\xc4\x5d\xd6\xca\xdc\x49\x72\x9c\x4c\x54\x48\xb3\x21\xb2\xaf\x05\x53\xcd\x24\x20\xe5\x28\xd8\x1a\x08\xb6\x8f\x76\x90\x0f\x75\xe8\x1f\xe8\xe8\x7c\x52\x9a\x8e\x9e\xe8\x58\x3f\x82\xad\x02\x5c\x60\xfd\x0c\x60\x39\x00\x60\x6c\x72\xc6\x26\xb3\xee\x1a\x13\xb7\x07\x50\x63\x6e\x5b\xb1\x1c\x78\xd3\xf5\xdc\x7e\xfe\x36\x3c\x01\xb6\xb5\xc0\xe8\x9e\x08\x3c\x77\x92\xdb\x8e\x4e\xb0\x65\x21\x7e\x4f\x47\x8b\x25\xbe\xd8\x53\x5b\xe2\xe6\xbe\xa4\x91\x2f\x6a\xfa\xe7\xb5\xce\xcf\x49\xbd\xf8\x29\xed\xb0\xc7\x8e\x79\x76\x60\x14\x3d\xe8\x76\xcf\x30\x67\xd9\x25\xd3\x18\x4e\x7c\x05\x9c\x78\x38\xf1\xb9\x1c\xc4\x28\x79\xbf\x95\x87\x0f\x07\xdb\x83\x63\xe7\x05\xa3\x89\x3a\x85\xc0\xf0\x16\x45\x9f\x72\x6c\xbe\x44\xbd\x92\x43\xb3\x06\xaf\x11\x8c\x7d\xd1\x58\xc2\xc9\x23\xb5\x03\x64\xf5\xe6\x46\x68\x56\xc2\x70\xb5\x1a\x5a\xe4\x1d\xe9\x82\x7a\x8b\xbe\x09\x1a\x48\x9a\xdc\x1b\xd2\x92\x14\xd7\xd8\x27\x26\x76\x91\x9d\x7a\xd6\xec\x93\x3c\x86\x67\xc1\x1a\x12\x0b\x1a\x9e\x31\x37\xb0\x4b\x2a\x33\xe1\x2a\xe4\x3e\xbc\xb9\x8b\x98\xfc\xc8\xc3\xad\xc9\x95\x21\x03\xf9\x55\xfd\xdb\xdb\xf5\x6f\x76\x90\xeb\xf9\x5f\xcd\x46\x05\x04\x4b\x3b\x8f\x0a\x08\x3f\x03\xe1\x41\x08\x7f\x5c\x6d\x29\x94\xcf\x91\x51\x3e\xcd\x0f\x92\x03\x30\xcd\xef\x21\xbb\xc9\x60\xcd\x69\x2e\x7a\x33\xf2\x07\x85\x4f\x6e\x8b\x5f\xfb\xd9\xc6\x33\x7d\x8f\xbe\x4b\xcc\xee\xc4\x98\x8a\xf9\xcd\x33\xbb\x54\x91\x7c\x90\x85\x80\x2c\x04\x64\x21\x20\x0b\x01\x59\x08\xc8\x42\x40\x16\x02\xb2\x10\x90\x85\x80\x2c\x04\x64\x21\x20\x0b\x01\x59\x08\xc8\x42\x40\x16\x02\xb2\x10\x90\x85\xb0\x5a\x2c\x84\x57\x76\x10\xa3\x76\x36\x65\x0e\xcb\xe9\xdf\xcc\xe8\x5f\xcf\x10\x3d\x91\x3e\x99\x83\x72\x35\xb3\xa9\x18\x45\x1a\xaa\x09\x8e\xe1\x71\x4c\xa8\x92\x9e\x50\xe5\x1f\xbb\x48\x77\x7d\x9f\xb0\x7c\x60\x17\x7c\x9b\xad\x25\xfd\xd7\xbb\xf4\x8f\x25\x9d\xc1\xca\xcd\x39\x83\x8d\x4c\x8f\x8f\x42\x19\x6d\xf2\x02\xbb\x25\xe9\x05\x26\x8b\xbf\x3a\xdc\xbf\xd6\x68\xfe\xea\x65\x21\xae\xa9\xee\x5f\x72\x1c\xd0\xef\x0b\x11\x57\x44\x5c\x11\x71\x45\xc4\x15\x11\x57\x44\x5c\x11\x71\x45\xc4\x15\x11\x57\x44\x5c\x11\x71\x45\xc4\x15\x11\x57\x44\x5c\x11\x71\x45\xc4\xf5\xca\x20\xae\x3d\x64\x5f\xe4\xf7\x65\xfb\xb4\x68\x03\x01\x3e\x99\xbc\x9a\x83\x7e\xe2\xc0\x6f\x4b\x87\xb0\x97\xe9\x9f\xeb\xd6\x5f\xbe\x91\xe8\x15\x6f\x9e\x5b\x18\xec\xfc\x98\x26\x06\x41\x81\xfe\xdc\x48\xac\x45\x24\xc9\xe1\xc9\xf1\x69\x5e\x62\x5b\x30\xc0\xbe\x58\x8b\x01\x4d\x4d\xec\x79\x4c\x11\x8a\xd5\xb3\xae\x84\x46\xac\x94\x9d\xed\xe5\xfb\xf2\x70\xf2\x63\x20\xef\xb6\x68\x25\xc2\x88\xcb\xa1\x27\x2f\x72\x7a\xf2\xf9\xc6\x10\xe2\x41\xfd\x40\x44\x49\x4e\x9d\x83\x09\xe8\x90\xc3\x8a\xf1\xa0\x20\x96\x88\x58\x22\x62\x89\x88\x25\x22\x96\x88\x58\x22\x62\x89\x88\x25\x22\x96\x88\x58\x22\x62\x89\x88\x25\x22\x96\xb8\xda\x58\xe2\x5e\x72\x8f\xbe\xdb\x1c\x94\x2e\xa0\xcf\x55\xdd\x46\xe3\x03\x5b\xb5\xef\x28\x82\x90\x08\x42\x22\x08\xb9\x8e\x41\xc8\xff\xce\x90\x4e\x01\x42\xc6\x3e\xe9\x03\x0b\xbb\x04\xe1\xf3\xaf\x32\xfa\x37\x32\xe4\xd9\xca\xbd\x73\xe2\x5e\x6d\xc6\xe7\x9d\x45\x1a\x0e\xc7\x2f\x9c\xd9\x85\x94\xcf\x3a\x94\xcf\xd7\x74\x44\xae\xf0\x79\xea\x8b\x61\xa4\x55\x0e\xf1\x3a\x64\xe8\x23\xcf\x51\x9f\x69\xcc\xbd\x35\x8b\x34\x1c\x51\xde\x40\xf6\x6d\xdd\xa1\xf8\xaf\x1e\x32\xcd\x87\x62\xd6\xf1\x16\x99\x46\xe3\x7b\x4e\x56\x22\x64\x95\x63\xc2\xb1\xf9\x92\x6f\x7b\xbe\x1d\x2e\x39\x74\x81\x3a\x09\x04\x45\x62\xf5\xef\xeb\xd1\xff\x70\x23\xb9\x55\x29\x74\x38\x2a\x53\x8e\xe1\x6f\x35\x83\xda\x4f\x8a\xba\x8e\xb3\xba\x46\xd4\xba\xd6\x04\x8a\x3f\x04\xd5\x1d\x4e\xf9\x4c\x31\xf1\x6a\xb7\x7f\xed\xe3\xfb\xab\x9f\x25\xe2\x25\x8d\xe1\xfb\x87\xf4\x33\x02\xbe\xaf\x37\x63\x05\x70\x5f\xbb\xf7\x53\x92\xaf\x34\x32\x2e\x20\xf4\x8f\xd0\x3f\x42\xff\x08\xfd\x23\xf4\x8f\xd0\x3f\x42\xff\x08\xfd\x23\xf4\x8f\xd0\x3f\x42\xff\x08\xfd\x23\xf4\xbf\xca\xd0\xff\x11\x32\xa6\x8f\x98\xc3\x12\xfa\xdf\xae\x42\xff\xb5\x8f\x7c\x68\x0a\x40\x53\x00\x9a\x02\xd0\x14\xa0\x98\x02\x3e\xdf\x43\x8e\x72\xf8\xd3\x9f\xb1\xf2\xd9\x08\xe2\xaa\xa0\x24\xab\xd8\x67\xde\x29\x07\x21\x3b\x06\x39\x74\xc6\x76\x0b\xb6\x5b\x94\x98\xe7\x7f\x76\xeb\x1f\xd9\x48\x6e\x66\x25\x0d\xab\x05\x49\xc0\xf3\x93\xcd\x00\x9e\x23\xbc\x82\x29\xcf\xa1\x39\x5e\xc1\x9a\x00\x3a\xf9\xe7\x4f\x55\x7e\x9b\x40\x39\xab\x1b\xbd\xf6\xd1\xcd\x35\xc8\x5e\x2e\x35\x86\x3f\x4f\xe8\xc7\x04\xfc\x59\x73\xc6\x46\xb1\x10\xaa\xc6\x04\x63\xd1\x22\xa4\x89\x90\x26\x42\x9a\x08\x69\x22\xa4\x89\x90\x26\x42\x9a\x08\x69\x22\xa4\x89\x90\x26\x42\x9a\x08\x69\x5e\x71\x48\xf3\x10\x39\xa8\x1f\x30\xf7\x4b\x48\xf3\x76\x15\xd2\xac\x3e\xc9\x21\x94\x89\x50\x26\x42\x99\x08\x65\x26\xa1\x4c\x08\xad\x10\x87\x50\xa8\x91\x52\xb7\xe4\x15\x42\x3a\x5f\x82\x33\x4a\x04\x5d\xbe\xae\x47\xff\xd6\x06\xb2\x39\xef\xf9\x10\x54\xf5\xe3\x4d\x31\x33\xbd\xc2\x69\x51\xce\x9a\x40\x28\xf9\x76\x3e\xe2\xf9\x54\xcd\x01\xa9\xb4\x12\x21\xc9\x16\x20\xc9\x13\x8d\x21\xc9\x5e\xbd\x3b\x25\xdf\x9b\x69\x46\x1c\xcc\x78\x04\x10\x6f\x44\xbc\x11\xf1\x46\xc4\x1b\x11\x6f\x44\xbc\x11\xf1\x46\xc4\x1b\x11\x6f\x44\xbc\x11\xf1\x46\xc4\x1b\x11\x6f\x5c\x6d\xbc\x71\x1f\xb9\x57\xdf\x63\xee\x92\x78\xe3\x4d\x09\x0a\x65\x7c\x62\x7b\x26\xa4\xde\x46\x28\x13\xa1\x4c\x84\x32\xaf\x22\x28\xf3\xdb\x37\x93\x83\x51\x94\xd8\x52\x30\xb0\x30\x58\x0b\xca\xf4\x29\xe0\x6c\x6c\xe9\x0a\x24\x73\x20\xc8\x5b\x0e\xd5\xdf\x7f\xb3\xfe\x83\x0c\xd9\xcc\x5e\x3f\xb7\x30\xd8\xb9\xdd\xa7\x56\xc1\x80\x5b\x51\x1f\xc7\xca\xc0\x14\x2f\x64\x9a\x86\xbd\xdb\xd8\x73\xc3\xa5\x52\xa0\x22\x88\xf1\xfd\x69\x56\x40\xfb\xa2\x07\x00\xe8\xf7\x42\xf2\x00\x07\xfd\xf6\x93\xbd\x00\xfa\x0d\x92\x01\xd2\x5f\x33\xdb\xbd\x12\x95\x22\xbb\x30\x98\x85\x16\x35\x04\xf9\x26\x1b\x63\x78\xfd\xfa\x8e\x28\x28\x6a\x5c\x83\x00\xf0\x78\x25\x2a\xc4\xf7\xf8\x6d\xe9\xb0\xe1\x26\x7d\x43\x91\x86\xa4\xf3\x77\xb6\xc4\x7d\xdf\xc3\x06\xc9\xca\xd3\x26\xba\x7f\xbb\x78\x74\x55\x47\x20\x37\x42\x86\xc9\x21\x7d\xc3\x8c\x57\x58\xea\x84\x7f\x0d\xad\x77\xb9\x43\x90\x7b\x77\x86\xbc\x33\xa3\xbf\x23\xd3\xf9\x53\x52\xc8\xfe\x87\x76\x96\xed\x56\x62\x0b\xef\x83\x14\x65\x10\x92\x82\x4b\xc5\xc4\xb1\x51\x85\x12\x67\xa8\x51\x62\x7d\xcd\x74\xf5\xac\x31\xec\x1a\xb6\xcb\x01\x1b\xcf\x37\xca\xae\xc4\x7c\x0a\x46\xc1\x5f\x9a\x2a\xbb\x46\xc1\xf6\x29\x13\x05\x54\x02\x09\x4c\x1f\x00\x85\x4b\x20\x29\xd1\xb9\x49\x9c\x5d\x8d\xd9\xb2\x0f\xba\x79\xc9\xf7\xf2\x34\x00\xcd\x48\x0c\x8b\xd8\xd6\xb2\xc6\x19\xa8\x11\xce\x3c\xa0\xca\x0c\x19\xfd\xc6\xb0\xe3\x0c\x81\xde\x53\xf0\x97\x0c\xbf\xec\xb2\x33\x35\x93\x1d\x91\xb2\x27\x8a\xa3\x05\x73\x13\x6f\x9a\x22\x28\x73\x6f\xcb\x90\xb7\x66\xf4\x37\x67\x3a\xdf\x20\x3b\xe8\x1f\x35\x50\x95\x4f\x58\xae\x55\xa4\x3e\x3f\xf4\x71\x2d\x22\x08\xbc\xbc\x0d\x7a\x8c\x3c\x5e\x59\x70\x3e\xf5\x7c\x83\xa9\xb9\xe1\x92\x54\xec\xe6\xad\x0b\xac\xfd\xe1\x1c\x0d\x68\x24\xcd\x98\x84\x8d\x80\x2f\xc0\x7e\x66\xa8\x01\x72\x14\x8e\x52\x9e\x6f\x0c\xee\xda\xc7\x9e\xf5\xad\x3c\x20\x74\x8e\xe7\x16\xb9\xec\x82\xe3\x0e\xd3\x4c\x2d\xdb\xe5\x2a\x05\x1c\x27\xe2\x67\x01\xb5\x10\xf8\x21\x3b\x04\x47\xfb\x51\xd1\x73\x2c\xb7\x98\xf5\xfc\xe2\x40\xe9\x42\x71\xa0\xec\xda\x79\xaf\x40\x07\xb6\x8d\x07\x93\xac\x94\xac\x79\xad\xfa\xad\xea\x0e\xf2\x1e\xad\x0d\x12\x60\x8c\x95\x30\xa8\xdf\x4f\xee\x23\x9b\x47\xb8\xee\xbe\x12\x82\xa4\xf6\xb2\x2f\x95\x43\xd2\x7e\x39\x93\xfb\x8f\x6b\x62\x41\xb2\xab\x64\xf9\xec\x70\xcd\x0e\xa4\xb0\xdd\x34\x21\x51\xee\x2a\xf1\x20\xdb\xab\x24\x4f\x6e\xa9\x2c\xa8\x1f\xea\xdf\x01\xa1\x61\x6e\x55\x6f\xce\x53\xbf\x48\xd5\xbb\xdb\xd5\xbb\x10\x91\x9a\x16\xed\x7c\x7f\xd5\x73\x89\x52\xd8\xef\x25\x71\x97\xb5\x32\x77\x92\x1c\x27\x13\x15\xb2\x6c\x88\xec\x6b\xc1\x86\x34\x09\xf0\x3d\x8a\xb5\x06\x62\xed\xa3\x1d\xe4\x43\x1d\xfa\x07\x3a\x3a\x9f\x94\xf6\xac\x27\x3a\xd6\x8f\x58\xab\x40\x3c\x58\x3f\x03\x82\x0f\xa8\x1c\x9b\x9c\xb1\x1d\xaf\xbb\xc6\xc4\xed\x01\x28\x9b\x1b\x7c\x2c\x07\xde\x74\x3d\xb7\x9f\xbf\x0d\x4f\x80\xc1\x2f\x30\xba\x27\x02\xcf\x9d\xe4\x06\xad\x13\x6c\x59\x88\xdf\xd3\xd1\x62\x89\x2f\xf6\xd4\x96\xb7\xb9\x2f\x69\xe4\x8b\x9a\xfe\x79\xad\xf3\x73\x52\x21\x7e\x4a\x3b\xec\xb1\xf3\x9d\x1d\x18\x45\x0f\xba\xdd\x33\xcc\x59\x76\xc9\x34\x86\x13\x5f\x01\x47\x9d\x79\x6a\xb9\x81\x51\x0e\x62\xe8\xbe\xdf\xca\xc3\x87\x83\x41\xc4\xb1\xf3\x1c\xb4\x07\x8c\xd6\xf0\x16\x45\x9f\x72\x83\x41\x89\x7a\x25\x87\x66\x0d\x5e\x23\x58\x20\xa3\xb1\x84\x23\x47\x6a\x07\xc8\xea\xcd\x8d\xd0\xac\x84\x35\x6d\x35\x34\xc8\xda\x66\xe2\x12\x37\x13\xb7\x5d\xf4\x4f\xec\x22\x3b\xf5\xac\xd9\x27\x71\x86\x67\xa9\x08\x05\x3c\xff\x4c\xc0\x26\xf4\x4b\xdd\x64\x4f\x8d\xf4\xb7\xaa\xdb\xd9\x82\xe7\x94\xe7\xa9\x15\x86\x56\x7e\x6e\x9e\xba\x61\xa0\xff\x4d\x97\xfe\x27\x1b\xc8\x0d\x71\x2a\x5c\xee\x63\xf6\xd2\xe6\xf2\xe1\x9e\x81\xf2\x86\x65\x79\x6d\x4a\x8b\xdb\x95\x4c\x8b\x0b\x4d\xaa\xac\x0a\x53\xe4\x5e\x46\x8a\xdc\x7c\xe3\x75\xf6\x80\x7e\x7f\xbd\x14\xb9\x95\xc3\x81\x4e\x61\x48\xd2\x40\x92\x06\x92\x34\x90\xa4\x81\x24\x0d\x24\x69\x20\x49\x03\x49\x1a\x48\xd2\x40\x92\x06\x92\x34\x90\xa4\x71\xc5\x49\x1a\x48\x84\x40\x22\x04\x12\x21\xd6\x2f\x11\x62\xe2\xd7\xbf\xbf\x93\xbc\x7f\x23\x31\x15\xf8\x36\xef\xf9\x34\xbb\x30\x98\x3d\x79\x78\x9a\x23\x39\xd3\x50\x8a\xfe\xf2\x8d\xe6\xcb\xb5\x29\x2a\x64\x11\x6b\xac\x71\xf2\xf0\xb4\xc1\x75\x10\x98\x7d\x4c\x8b\x0e\xc4\x38\xcc\x82\xe4\xe6\xa2\xb4\xe4\x15\xb2\xf0\x2c\xc7\x18\x83\x08\x9c\x89\xb6\x77\x6f\xd1\xa5\x7e\x30\x67\x97\x8c\x79\x40\xd3\x61\x83\xf7\x7c\x63\x7a\xec\xb8\xed\x96\x2f\x1a\x3e\x05\xed\x91\x29\x92\x97\xb4\x4d\x7c\xab\xbc\xa4\x01\x00\xfb\x71\x6d\x0b\xd9\xc4\xc5\xe5\xef\x69\x7f\xd9\x41\x5e\xae\x11\xb8\xae\x5f\x34\x2f\x4c\x5a\xa0\x93\x71\xc9\x4f\x2f\x8a\x0d\x58\xa8\xf1\xac\x39\x11\x46\x70\x02\x14\x45\x77\xd6\x1b\xaa\x37\xe9\xe5\xe4\x16\xa0\x97\x40\x4c\x83\x6d\xee\x6c\x00\xcd\xe0\x53\x95\x7c\x56\x23\x5b\x7c\x6a\x15\x4e\xb9\xce\x92\xfe\x09\xcd\x7c\xbf\x36\x25\xfe\x32\x60\xc9\xc1\xa6\x08\x20\xbb\x6c\x08\x6f\x1c\x9b\x19\x33\x94\x77\x68\xa4\x52\xb2\x82\xfa\x41\xfb\x2a\x31\x79\x01\x00\x4f\x85\x9a\x3d\x6b\x39\x01\x6d\xcf\x47\x6c\x25\xd1\xdc\x20\x6f\xd1\x88\xe8\x69\xfd\xc7\x34\xf3\xc5\x5c\x47\x03\xa5\x65\x8e\x1a\x73\x5e\x10\x72\xb0\xdc\x37\xc6\x27\xd9\xbc\xf4\xc5\xda\x59\xd9\xae\xfd\xbc\x46\xee\x52\x66\x6a\xc1\x0e\xf2\x1e\xdb\xa7\xb3\x02\x58\xcc\x1e\xf6\xfc\x87\x3d\x97\xea\x3f\xa3\x99\xc7\xc5\x6f\xa3\xe4\x7b\x0b\x76\x81\x06\xd0\x0c\x7f\x9e\x2f\x7f\x6b\x86\x89\x0d\x7e\x3e\x7e\xb1\xc7\xc4\xb0\xd0\x74\xd9\xa6\xc4\xf5\x3c\x36\x69\xdc\x42\xc9\xb3\xdd\x30\x7b\x49\x03\x4b\x40\x62\xb6\xdd\x47\x86\x08\x5c\xd5\x77\x99\x77\x43\x6f\xf8\xf1\xe2\x00\x3d\x5f\x31\x27\xb0\x3a\xb2\xea\xa7\x3c\x79\x07\xb9\x43\xf9\x14\x0e\x6c\xca\xef\x00\x3c\x57\x7f\xe5\x1d\xe6\x67\x3a\xe0\x27\x3f\x0a\xf9\x94\x2f\x97\x59\xb0\x50\xc2\x75\xa6\x22\x71\x49\x2e\x34\x7d\x11\x3d\x0e\x36\x8a\x18\xbf\x29\x50\xd7\x0b\x29\xd7\xa8\xd8\x19\x38\x8c\x4c\x7e\xd1\x6b\xc1\x52\x10\xd2\xf9\xac\x31\xc6\x01\xd6\x39\x6b\x81\x46\xba\x21\x48\x28\xa6\x69\xb1\x7e\x83\x45\x0d\x7a\xb3\x6f\x17\x8b\x4c\x6b\x67\x7f\xcc\xd3\x20\x00\x8b\x26\xdb\xa3\xe9\x82\xe7\x80\x4d\x95\xad\x3e\x7b\x9e\x66\x0d\x5e\x6a\xd4\xb5\x7e\x02\x31\xf5\xa9\xb3\x14\x1d\xb7\x42\x7b\x5e\x98\x54\xe5\xf7\x09\x1c\xa4\x68\x2f\x50\xd7\x98\xa2\x56\xe0\xb9\x4c\x19\x64\xc7\x48\xa1\x4a\xc5\x8a\x60\xd9\x2d\x50\xdf\x59\x02\xf3\x1a\x6f\x1d\xa8\xab\xaa\x86\x5f\xe0\x27\xc1\xe8\xf4\x92\x80\x93\x99\xa0\xe0\x35\x44\x2d\x0e\x14\xe4\x31\xe4\xaa\x30\x13\xc9\x72\x1e\x2d\xd0\x3e\x63\x86\x06\x61\x3f\x9d\x9d\xf5\xfc\xb0\x0f\x04\x1a\x87\x9b\x2d\xc7\x60\x67\xc6\xec\x25\x6d\x2b\x54\xc2\x36\xaa\xc4\xec\xf9\x9d\x4e\xf2\x52\xb2\xc9\x87\xfa\x74\xdf\xa4\xfc\x17\x1b\xe7\xc5\xb9\xa5\xc8\x70\xcb\x7a\x9c\x69\x74\xa1\xc5\xa1\x2e\xbe\xf7\x97\xe7\x2d\xb7\x9f\x09\x86\xaa\xd3\x06\xd3\x50\xf9\xd0\x85\xc6\xbc\x17\x84\x15\xf6\xda\xc4\x04\xfc\x23\x8d\x6c\x66\x82\x35\xa4\x05\xfd\x73\x1a\xd9\x59\xd3\x9c\x17\xed\x07\xa7\xa0\xe5\x53\xd1\xd6\x6f\xbe\x59\x13\xaf\x47\x52\x41\x5a\x58\x03\xd8\x1c\x2d\x7f\x29\x52\x64\xd9\xf6\x07\x07\xa6\xbc\x37\x5f\x72\xe8\x45\xf1\x6d\x41\xd6\x18\xcb\x16\xb3\x11\xa2\xcb\xf6\x60\x18\x7f\xa1\xfd\xca\x19\xc6\xcf\x21\xb0\x6b\x8b\xd3\x87\xd8\xc1\xa3\x06\xf0\x37\xb2\xe4\x93\x1a\x79\x36\x5f\x24\xb6\x5b\x1c\xe1\x89\x3b\x1c\xea\xeb\x3f\xa7\x99\x6f\xd5\x52\x6e\x44\x2d\x57\x57\x6a\x3e\xbe\x0b\x53\x82\xce\xdb\x61\x08\xfa\x95\x1d\xf0\x69\xd1\x67\x50\xd6\xea\xf3\x49\x41\xc6\xfe\x72\x68\x78\xbe\x72\x40\x04\x33\x01\x4e\x94\xdc\xf4\x4a\x17\xc5\xf4\x4a\x0a\x04\x8d\x6c\x12\x06\x99\x77\x6a\xe6\x1b\x34\x31\xfc\x30\x21\xd8\x51\xa6\x62\x36\x0c\xcc\x5a\xb6\x03\x4b\x33\xea\x36\xa1\x57\x54\xf6\x63\x34\x6d\x84\x09\xe9\xf2\x27\xce\x6b\x34\x72\x43\x6c\xca\x1b\x61\xbb\x95\x5e\xd6\x37\xda\x6e\xb8\x7b\x97\x79\xbe\xe2\x4e\xd4\xc3\xf1\x65\x51\x23\x3b\x4e\xc3\x69\x68\xc6\xca\x5f\x58\xb4\xfc\x02\xcc\x0d\x2b\xb4\x67\x6c\x87\xe9\x5d\xb0\x26\xc5\xd4\x13\xf2\x23\x5c\x2a\x31\x19\xba\x95\x44\x4a\x17\xf9\x0d\x8d\xdc\x14\x97\x7c\xdc\x0a\x60\x9d\x05\xa1\x35\x5f\xd2\xdf\xab\x91\xbd\x2d\x98\xd3\x58\x01\xe6\x5c\x8d\x42\xdb\xfe\x35\xe4\x2b\x1a\xd9\x12\x01\x4c\x6c\x19\xb6\x62\x01\xe4\x0b\xf3\x04\x0d\x2d\xf3\x09\x6d\x3a\xb4\xd8\xd2\x8b\xd6\x44\x57\x20\xf1\xab\xd4\xcd\xb8\x68\x87\x91\x39\x98\x1d\x25\xca\xae\x1d\x2e\x0d\xc0\x12\xb0\x67\xca\xa1\xe7\x07\x03\x05\xba\x40\x9d\x81\xc0\x2e\xf6\x5b\x7e\x7e\xce\x0e\x69\x3e\x2c\xfb\x34\x52\xf7\x17\xf8\xbe\x10\x64\xe7\x0b\xdb\xa2\x8a\xc8\x6f\x69\xe4\x79\x71\x17\x1d\x66\x87\xd4\x78\x5c\xde\x77\x19\xe3\x62\xd7\x2a\xb5\xfd\x03\xf3\x76\x8d\xc4\x92\x5b\x7f\xad\x46\xee\x6b\xa1\xd1\x27\xec\xbc\xef\x41\xcb\xc7\x65\x59\x51\x53\x61\x27\x5d\xe4\x87\xec\x48\xb2\xc0\xf2\xe6\x87\x7a\x6f\x86\x1f\x74\xa3\xe5\x1b\x11\x5f\xb2\xe4\x93\x19\xb2\x01\xcc\xb0\xbf\x90\x31\xdf\x93\x39\x66\xbb\x05\xae\x1d\xf0\xe5\x29\x51\x6b\xa1\x8a\x08\x8e\x8f\x31\x35\x36\x7d\x3a\x3e\x5e\x43\x95\x42\xce\xc6\x5a\x4b\x12\x8a\xb3\xdd\x59\x90\x81\xb6\x62\x55\x8b\x14\x22\xd5\x18\x12\x94\x67\xe0\x78\x25\x4d\xb5\xa1\x97\x35\x46\xa4\xe0\x13\xe0\x47\xd6\x18\x77\x8d\x11\x6b\x9e\x3a\x23\x56\x0d\x75\xb5\x9d\x73\x11\x08\x3d\x60\xad\x4e\x28\x90\x9f\xc9\x10\x62\x95\x6c\x71\x22\xd2\x3f\x9a\x31\x7f\x2e\x33\x3c\x39\x1e\x9d\x7e\xb9\x45\x30\x50\x21\x19\x5a\x30\x82\xfc\x1c\x9d\xb7\xf8\xfe\x00\x23\x21\xfa\x4b\x1e\x24\x65\xe4\x8a\xb8\x03\x63\x6d\x72\x81\xfa\x8a\x89\x2e\x2a\x4d\x1e\x03\x85\xcd\x06\x4c\xc1\x6c\xef\x84\xe1\xe3\xa7\x3b\xc5\xfe\x97\xa0\xaf\x71\x72\xd9\x8a\x77\xa1\x3c\x96\x56\xec\x52\x37\xc6\x8b\x4c\x9c\x0c\x7f\x42\x23\x7d\x0d\xd5\x07\x98\xe0\xfc\x05\xd3\xaa\x2c\xa2\xfd\xeb\xf7\x13\x19\xb2\x55\x6e\x85\xfa\x53\x99\x16\x14\x9c\xef\x69\xf1\x5e\x2a\xa8\x6d\x41\x12\x9e\x93\xeb\x96\x2d\x40\x76\xa2\x80\x59\x0e\x1b\x68\xde\x0a\xd8\x91\x83\x09\x60\xcb\x35\x4e\xc9\xa5\xc6\x55\x10\x55\xcb\x90\x14\x85\x40\x28\x16\x31\x79\x74\x24\xed\x29\xe5\x7e\x20\x20\x6c\x76\x54\x89\xda\x11\xe9\x2b\x33\x34\x6f\x95\x03\xb0\x14\x5b\xf9\x30\x60\x3a\x36\x68\xff\x11\x0c\x61\xbb\x86\xa5\x14\x25\x75\xa8\x9f\xe1\x07\x3f\x9b\x06\xfa\x4f\x6a\x64\x77\xcd\x5e\x4b\x3b\xb1\x4c\xc3\x7b\xe6\xa3\xfc\x7d\xd6\x1a\x30\x9c\xf0\xc3\x16\xeb\x39\xde\x5b\xe2\xb6\xd2\x6e\xe5\xe4\xc4\x34\x24\xdb\x31\xec\x59\xd1\x79\x02\xbb\x0e\x3d\x97\xbf\x9d\x25\xbf\xae\x91\x0d\xec\x38\xa3\xff\x92\x66\x3e\xa9\xb1\x5f\x5c\x00\x26\x15\x63\x01\xb0\x94\x54\xb4\x87\x9d\x7c\xca\x81\x5c\xc9\x92\x5e\x94\x35\x4e\x58\x17\xed\x79\xcb\x31\x1c\xea\x16\xc3\xb9\xe8\xf9\xa8\xec\xc1\x0b\x39\x6e\x6a\x75\xec\x19\xdf\x82\xc6\xc7\x27\x83\x92\x4f\x4b\x96\xc0\xa6\xe7\x2c\xb7\xe0\xd0\x88\xfe\xc9\xcd\x31\xf7\xee\xb9\x90\x4b\x28\x50\xbf\xad\x91\x67\xc9\x99\x30\xee\x06\xa1\xe5\xe6\xa9\xfe\x21\xcd\x7c\xb7\x56\x75\x39\x5a\x18\xe3\xa3\x29\xfa\xa9\x2d\x1e\x52\x15\x52\x87\x86\xfd\x17\x97\x5e\x3c\xbb\x1c\x3d\x14\x66\x91\x1d\x2e\x4b\x0b\x7c\xb5\x46\x36\xb0\x95\xa6\xff\xb0\xf9\x22\x60\xe2\x44\xdb\x1a\xfb\x1d\x75\x30\x1f\xdc\xee\x93\xec\xb8\xe4\xf4\x19\x67\x2d\xdf\xb5\xdd\x62\x4f\x1f\xd4\xcd\x39\x97\xf9\xa8\x1b\xad\x82\x62\x1d\x9e\x2d\x33\xa9\x54\x53\x75\x55\x1a\xf2\xb4\xf6\x68\x63\xc2\xd2\x90\xbe\xaf\xdf\x10\x94\x25\x31\x6f\x05\x63\xc9\x30\x38\x67\x89\x13\xa8\x0c\xa3\x8a\xaa\x44\xbe\xd3\x41\x0e\xa9\xc2\x42\xcd\x27\x1a\x4d\x7e\x25\x1d\xe8\xb4\x5d\x64\xdf\x38\xc5\x37\xc3\x69\x98\x70\xfa\x07\x3b\x12\x67\xbf\x77\x76\x90\x77\x68\xe4\x1a\xa5\x28\xfd\x35\x9a\xbe\x61\x66\x29\xa4\xe6\xa9\xf1\xd9\xd8\x76\x6e\x01\x0c\xec\x7b\x0b\xb4\xd0\x57\x39\xf8\x00\x23\x71\xbf\x17\x76\x47\x58\x5c\x94\x32\x01\x6d\x4a\x76\xd5\x36\xf2\xdc\x44\x57\x39\x76\x10\xf6\xc3\x28\x6e\xd5\x37\x5b\xa1\x37\x6f\xe7\x09\xf9\x7f\x35\x42\xd8\xf9\x8d\x2f\x79\xfd\x3b\x9a\x79\xff\x88\xfc\x53\x85\xa5\x15\x63\x64\xcc\x75\xe4\xed\xb5\x1c\x7e\x54\x73\x6d\xcb\xc9\x7e\x5c\xdb\x4c\x36\x5a\xbe\x6f\x2d\x7d\x4a\x3b\x4d\xa6\xc8\x64\x6d\x49\xbc\xac\xce\x95\xad\x7a\x5a\xeb\x22\x9d\xd5\x1f\x36\x6f\x95\xfa\x2f\xd0\xa5\x80\x7d\x5c\x3f\x4c\x37\xf2\xb4\x66\xd4\xec\x82\x4d\xfa\x86\x79\xab\x44\xc8\x47\x48\x2a\x1c\x3a\xe2\xcd\x97\x3c\x97\x09\x39\x3e\xa6\x3f\x46\xcc\xa5\x8a\x6b\x46\x37\x5b\x48\x15\x17\x8f\xdb\x41\xd8\x63\xcc\x79\x4e\x21\x50\x01\x1a\xce\xbe\x89\xc8\x8d\xb3\x5e\xd6\x18\x55\xe8\x91\xb0\x74\x87\x27\xc7\x41\x84\xc6\x7b\xa2\xed\x1a\x0b\x83\xd9\xc1\xfd\x3b\x12\xd3\xe9\xbd\x5b\x50\xaf\xb9\x5c\xbd\xe6\x4b\xc9\x49\xff\x1b\x9a\x79\xf7\x71\x41\x7a\xc8\x47\xe3\x69\xc4\x0f\x48\xf5\x5c\x9d\xdb\x7b\xc9\x3d\x75\xf6\xcb\xaa\x79\x94\x98\xbe\xb7\x26\x26\x25\x50\x9e\x85\x67\xc6\x05\xba\xa4\x6f\xd6\x37\x8a\xe9\xdb\x45\x6e\x49\x79\x52\x78\x73\x2c\xe9\x5b\xf4\x4d\xf0\x16\xc1\x53\xc2\x65\x9c\x12\x9e\x89\x87\xf2\xa7\xb5\xb3\x8d\xf7\xc9\x3d\xfa\x2e\xb9\x4f\x9a\xa6\xdc\x1c\x2b\x24\x5a\x72\x9b\x24\xe4\x1d\x9b\x48\x6f\x9a\xfd\xc8\x2b\xd0\x88\xf0\x33\xc5\x4f\xaf\x4c\x7f\xd5\xbf\xbd\xd1\x5c\x1c\x36\x5c\xaf\x40\x63\xc2\x91\x1f\xdf\x17\xd3\x54\x52\x91\x80\x69\x13\x69\xdf\x5c\x44\xf4\x19\x16\x67\xbf\x01\xe1\xde\x15\x7a\x5c\xf4\x30\x07\x05\xb9\xb0\xbb\x40\x97\xe0\x21\x21\x5a\x2e\x69\x1d\x17\xe8\xd2\x25\x6d\x4b\xf4\x46\x42\x8e\x7e\x79\x03\xf9\xcf\x0c\xd9\xc4\x9f\xd5\xbf\x9b\x31\xbf\x9a\x19\x76\x0d\x58\xdc\x4c\x0e\xa8\x2b\x27\x90\xbc\x43\x59\xb7\x1d\xb0\xb9\xeb\xf9\xc6\x49\x2f\x1c\x77\xfb\x62\x8e\x67\x20\x8a\x88\x9c\x30\x5c\xcf\xed\x07\x2d\x2c\xb5\x8c\xb1\x8b\x76\xc0\xb5\xe0\x51\x8f\x06\x27\xbd\x70\x2c\xa6\x2e\xa5\x16\x57\xbb\xa8\x23\x60\x44\x3b\x5e\xf3\x65\x01\xf2\x0b\x6e\x08\xe5\xc7\x8b\x88\x34\x18\x53\x37\x42\xea\x97\x7c\x2a\xb0\x6f\xcb\x35\x04\xf8\x26\xf4\x4b\x5e\x1e\xdf\x3e\x98\x32\xa2\xb0\x1c\xa4\x8f\x99\x01\x32\x89\x7b\x9a\x24\xb4\x81\xeb\xc8\x35\xea\xba\x3b\x44\xd8\xf0\xe8\xfb\xcc\x1d\xa7\x61\x07\x99\xa1\x0e\x8c\xa0\xa4\xc2\xc8\x59\xc1\xb5\x10\x10\x22\x6a\x01\x6f\xd4\x88\x1c\x5a\xfd\x15\x9a\x19\xaa\xe6\x4a\x56\x54\x57\xc0\xa7\x07\x5b\x1d\x73\x76\x49\x84\x81\xe4\x54\xac\x68\x60\xb9\x07\x57\x54\x0c\x67\x70\xb0\x01\x15\xe3\xca\x07\xa8\x2f\x31\x3c\x59\xe3\x88\xa0\x9f\x1c\x0f\x13\x0d\x7a\xcb\x3d\xa4\x2b\x65\x69\x4c\x0a\x37\x35\x37\x14\x16\xd6\x12\xcd\xeb\x7f\xb7\xc7\x1c\x4e\xbb\x11\x69\xd6\x11\x6d\x3c\xde\x9e\xa5\xbb\x9b\x1b\x0a\xd3\x6a\x36\x31\xa1\x7f\x72\x0f\xf9\xdf\x1a\xb9\x9e\x1d\x29\x16\x3d\xff\x22\x2f\x52\x7f\x8b\x46\xee\x69\xb8\x4b\x4d\x26\xde\x11\xc7\xf6\x17\x24\xaf\xaa\xa7\x36\xcb\x88\x6a\x11\x2d\x31\xb8\x27\x89\x60\x59\x45\x36\x4d\xcf\x35\xc4\x21\x25\x00\x23\x62\xa4\xda\x93\x27\x35\xb2\x19\x9c\x2d\xc7\x4f\xe9\x97\x34\x72\x7f\xc3\x06\x4e\xf3\x87\xab\x3a\x8c\xb7\xf4\x21\x71\x3b\xd9\xc4\xe8\x62\x55\xb7\xd5\x6c\xec\x31\x29\x2e\x41\x60\x05\x59\xf2\x8a\x0c\xd9\x2a\xac\x94\x5e\xa0\x7f\x4f\x23\x0f\x34\x6e\x2a\x7f\xfc\xd4\x74\x8d\xc6\x7e\x44\x93\x4f\x54\xb4\x57\x5e\x16\xcd\x8c\x8c\xd9\xb2\xb9\x42\xd9\x12\x7d\xda\x95\xec\xd4\xc4\xc7\xd8\xae\x78\xb6\xe4\x15\xd2\xf6\x1c\x7a\xd1\x9a\x2f\x39\x34\x90\xce\x41\xdc\x02\x3b\x20\xbf\x75\x60\x6a\x6c\x78\xf4\xc4\x58\x76\xbe\x40\xbe\xa3\x91\x6b\xa1\xdc\x53\x25\xae\x2e\x7d\x53\x33\x7f\x53\x1b\x96\x34\x51\x41\x4b\xe4\x37\xc5\xe1\xf4\x85\xa6\xef\x99\x7d\x86\x19\x78\xb3\xa1\xf9\x68\x96\xad\xa6\x48\x05\xa6\x05\xa3\x5f\xbc\xc3\x59\x99\xf6\x7c\xc9\x59\x32\x66\x2d\x0e\x03\x78\x2e\xe5\x14\x66\x78\xbc\x65\x93\x72\x3c\xe8\xfd\xd1\xb7\x6d\x83\x4a\xfb\x45\x43\xeb\x08\xa6\xdf\xd2\x48\x87\x3b\x1b\xe8\x9f\x6c\xc6\x4e\x56\xc1\x9b\x30\x5f\xa5\x9d\x3c\x9c\x1c\x58\x95\x38\x21\x4c\x9f\x6c\xdc\xb2\xc6\xa4\xef\x2d\xd8\x42\x3b\x9f\x61\x3b\x97\x61\x15\xe6\x6d\xb7\x1d\x66\x74\xf2\x36\x8d\x6c\xca\xd3\xd2\xdc\x6c\xa0\xbf\xae\x8e\x4a\x13\xeb\xa9\xb4\x34\x77\xb8\xd6\x94\x9d\xe0\x77\x93\xd3\x95\x5d\x33\xd2\x3e\x8c\xcf\xdb\x60\xce\xf2\x29\x97\x14\x85\xae\x40\x52\x44\xc8\xaf\x67\xc8\xb3\x8a\x79\x1a\xd7\x34\x6a\x07\x17\xf4\xf7\x67\x9a\x10\x02\x47\x46\xc6\x92\xaf\x25\x1a\xf9\xb7\x5a\xd5\xfd\x64\x83\x8f\x8c\x8c\x19\xe2\xaa\xd4\x78\xab\x17\x98\x55\x6f\x79\x01\x4b\x8e\x5e\x2c\x79\x41\xbc\x1a\x81\xee\xb2\x52\x43\x59\xcc\xd3\x78\x26\x17\xec\xe0\x02\xf9\x5b\x8d\x5c\xcb\x84\xd3\xf0\x2c\xf4\xd5\x92\xfe\xd5\x7a\xb0\x5d\xd4\x75\xbc\xa7\x4e\x2a\xef\x99\xef\xd4\xd4\x3f\xe5\xa1\x31\xa6\xe9\x09\x56\x25\xa7\x4f\x2e\x72\x22\x6c\x21\x02\xf2\x84\x88\x12\xa4\x68\x2b\xcf\x3d\x9a\x05\x4f\x4f\x65\xc4\xba\xb3\x4e\x99\xba\x79\xa1\xa1\xb1\x63\x63\xa1\xec\x08\xbb\x7f\xc9\x2b\x88\x4a\x38\xd9\x58\x96\x9b\x25\x1f\xcb\x90\xe7\x58\x8b\xc1\x98\x63\x05\xa1\x9d\xcf\x39\x5e\xfe\x02\x93\x8f\x54\x7f\x47\x86\x0c\x37\xfc\xdc\xe1\xb3\xd3\x55\x6f\x26\x26\xcb\x57\xb4\xb4\x47\x2a\x96\xed\xf0\xd9\xe9\x15\x9b\x30\x97\x39\x2f\xac\xc5\x80\xf2\xd6\xcf\xb0\xd6\xb3\xdb\x94\xfc\x69\x86\x6c\xc9\x3b\x96\x3d\x3f\x45\x67\xf5\x2f\xb4\x82\x81\xff\x64\x66\x44\xbc\x0f\x04\x50\x4b\xd0\x4f\x8c\x19\xbb\x5f\xb8\xcf\x83\xc5\x5f\x24\x2a\x34\x66\x68\xb8\x48\xa9\x6b\x54\x8a\x0d\xf8\xf4\xca\x8b\x50\x72\xd6\x18\xbb\x58\xa2\xf9\x90\xf7\x86\x50\x8f\x5d\xdb\xe1\xa6\xb1\x19\xaf\xec\x16\xb2\x06\x7c\x43\x34\x65\xad\xd8\x86\x26\x5c\x1c\x43\xe0\x62\x40\x23\xe2\x16\x9c\xe1\x75\x9e\x19\x69\xe3\x8e\xb1\x4d\x7c\x27\xf9\xa0\x46\x32\xb3\x79\xfd\xbd\x1a\x19\x68\xd8\xa5\x87\x47\x12\x13\xad\x74\x78\x24\x29\x85\x0e\xdb\x33\x3e\x35\x46\xe6\x2c\xd7\xa5\xce\x0a\xcc\x2c\xf2\xff\x68\x64\xf3\x2c\x9b\x14\xd4\xd7\xff\x46\x23\x7b\x1a\xb7\x98\x3f\x9c\x68\xf6\x53\x9a\xb8\x5a\xd1\x78\x71\xb1\x52\x8f\x6a\xd4\xd8\xea\x76\x02\x26\x6d\x87\x81\x51\x0e\xac\x62\xc4\x4e\x28\xd0\x12\x75\x0b\x41\xb4\x99\x44\xb5\x09\x18\x14\x58\x66\x76\x9e\x1a\x33\x94\x4d\x3e\xbf\xec\xba\x6c\x70\x7e\x34\x43\xb6\x16\x39\xca\x36\x1b\xe8\xdf\x6f\x46\x45\x3b\x12\x3d\x5e\x63\xbf\xfb\xb8\x26\x9f\xa8\xd8\x42\xe4\xe5\x3a\x2a\x9a\xc5\xbf\x3f\xfd\xbb\x97\xb7\x55\xd4\x52\xd3\xe4\xf7\x2a\x6a\xda\x4b\xc9\x46\xc7\xcb\x5b\x8e\x1e\x90\x5d\x0d\x7b\xe0\x38\x7b\x32\xf1\xcd\x07\xe1\x92\xfa\xb9\x7c\xc5\x3b\x4b\xfd\xf2\xe3\xc4\x52\xe1\x66\x38\x38\xd2\x5b\x62\xfb\x20\x5f\xd0\x08\xe1\xad\x3b\xe1\x15\xa8\xfe\x29\xcd\xfc\x90\x16\xff\x2d\x77\x17\x1b\xb8\xf6\xbc\xef\x40\xcb\x0b\x05\x9d\xd9\x4b\xfa\xd6\x58\x06\x27\x5d\x71\xd3\xa0\x43\x39\x61\xcd\x88\x9c\x95\xe6\x2d\x9b\x9d\x4c\x0d\xdf\x5a\x34\x40\x00\x72\x96\x1b\x9c\xe6\xb8\x9b\xe5\xe1\xf8\x25\x56\xcf\x3c\x87\xb1\x41\xca\x80\xa3\xb0\xe2\xa2\xc0\x4e\x5a\x89\x63\xdc\x77\x35\xb2\x25\x6f\x95\xac\x3c\xdb\x5e\xbf\xa5\x99\x6f\xd5\x86\xd3\xcc\x4b\x55\xe7\x0a\x38\x6e\xaa\xe4\xde\xa8\x90\x76\xca\xa4\xa8\xcc\x0f\x6a\x87\xc8\x41\x72\xa0\x69\xac\x2a\x1b\x35\x2d\xfb\xfc\xb2\x05\xb1\x41\x94\xc3\x23\xf9\x3a\x53\x17\x6d\xb7\x40\x7d\xfd\x0f\x9b\x52\x17\xe1\xd9\x1a\xcb\xe7\x0d\x1a\xbf\x9d\x5c\x3b\xbc\xf8\x96\xce\x8b\x4d\xad\x8d\xf9\xa5\xe0\x45\x4e\x3f\xaf\xa5\xbf\x54\x50\x56\xc6\x9b\x34\xb2\xf9\x45\x65\x6f\x66\x29\xa4\xfa\x13\xcd\x48\xc4\xe7\xf3\x87\x13\x1f\x75\x4c\x5c\x4c\x7e\x54\x74\x71\x99\x4a\xf0\xbb\x34\xb2\xd5\x7a\x71\xd9\xa7\xa0\xfc\xbe\x51\x23\xf7\x36\x56\x69\xa2\xc7\x13\xad\x3a\x2d\x2f\x57\xea\x2e\xec\xba\x31\x6a\x85\x16\x57\x61\xaa\x1b\x08\x2e\xf0\x76\xd4\xfb\x89\x2d\xe4\x4f\x34\xb2\xd1\x0e\xf2\x81\xad\x7f\xb1\x0e\x13\x46\x36\x6d\x7c\x7a\x64\x7a\xbc\xc6\x5c\xf8\x71\x0d\xee\x56\xb4\x8e\x5f\x5b\x6d\x65\x9c\x3c\xa5\x91\x1b\xc5\xd2\x1a\x71\xac\x20\x60\xca\x85\xfe\x56\xcd\xfc\x51\xed\xa4\xa0\x04\x4e\x2b\x77\x59\x99\x1c\x1d\x03\xcd\xb4\x1a\x46\x98\xa1\x8e\xe7\x16\x83\xac\x31\x06\x56\x56\x11\x48\x07\x82\xb9\x08\x0c\x2b\x56\x94\xa5\xfb\x36\x7f\x89\x67\x40\x59\x4a\xd4\x97\x90\x41\xbf\xa6\x91\x6b\xb8\x56\xcd\xe4\x67\xa0\x7f\x48\x33\xdf\xa4\x0d\xc7\x17\x62\x90\x14\xfc\xbb\xac\x25\x61\xee\x49\xa8\xe5\x62\x5d\xb5\x53\xfc\xf0\x36\xf5\xcf\xb3\x36\xd4\x39\x42\xff\x5b\x86\x6c\x61\x03\x36\x69\x85\x73\xfa\x3f\x64\x9a\x80\xa0\x8e\x8a\xa7\x93\x58\x49\x26\xba\x9c\x5c\x76\x7c\x6b\xf2\xfc\xa5\xfa\x07\x6a\x03\x80\x73\xaf\x44\x21\x22\x52\x48\x39\x55\x3a\xf2\x37\x2b\x07\x74\xb6\xcc\x03\x04\x71\x50\xb4\xdf\xe5\x5b\x15\xbc\x23\xdd\x0e\xd9\x6b\x70\x5e\x71\x9d\xa5\x3b\x8d\x53\x6e\x3f\x4c\xc4\x68\x2b\xac\xf6\xf8\xe3\x3e\x6f\x8b\x16\x87\xa2\xcf\x8e\x1f\x3f\x6e\x9c\x3c\x75\xda\x38\x7b\x6a\xea\x18\x67\x61\xcc\x97\x9d\xd0\xe6\x75\x49\xfa\xf6\x65\x1e\x07\x58\x93\x4a\x56\x38\x47\xbe\xaa\x91\x0e\x7f\xa6\xc0\xd6\xed\x50\xc3\x2e\x9f\xca\x8d\xd6\x58\xb5\xaf\xd7\xa6\x72\xa3\xc9\x2e\x9f\xb2\x0a\x5e\x60\xc0\x59\xc9\x18\xa5\xa0\x87\x2d\x4f\xe8\x2d\x4b\xc1\xf1\x67\x54\x01\xfe\x09\x8d\x90\x59\x87\x46\x90\xe6\xfb\xb5\xda\xfb\x9e\xa2\xd5\xd2\x8b\x35\xbe\x6e\xee\xb0\x2c\x2b\xf9\x8d\xc0\xa0\xb7\xf3\xd1\x2a\xaa\x12\x4d\xa5\x78\x7e\x0d\x48\x31\xc5\x9d\x0c\x2d\x26\x8a\x68\xde\x98\xb1\x98\x34\x2a\x39\xe5\x22\x13\x38\xbf\xd6\x41\x6e\x2b\x55\x34\x62\x8a\xc2\xf9\x66\xd2\x73\xec\xfc\x92\x7e\xa9\xc3\x7c\x7d\xc7\x59\x56\xfe\x9c\x55\x2a\x51\x57\x84\xd5\xa9\x16\x36\x82\x35\xed\x50\x2b\x3a\x67\x83\xfa\xcc\xcf\x4a\x12\xc5\x16\x56\x7b\x9f\x1a\x53\x14\x82\x73\x75\x17\xb8\xef\x08\x27\x65\x5b\x6e\x19\x1c\x04\x84\xa7\x67\xd5\x19\x2d\xe8\xe9\x33\x46\xc1\xdf\x33\xf9\x62\x61\xc9\xb5\xe6\xed\x3c\xbc\xab\x74\x42\xea\xfb\x6c\xd6\x4f\xd1\xfc\x52\xde\x81\x42\x22\x6b\x76\x4f\x56\x5e\x8d\x6c\x19\xf1\xa2\x11\x5e\x3a\xe2\x53\x79\xef\x25\x08\xfe\x6c\xc9\x56\x56\xd6\x4e\xb1\xe6\xf3\x41\xb1\xdd\x62\x85\x99\xf8\x39\xa5\x39\x2f\xf4\xdc\x0a\xb8\xea\x97\xb5\x26\x40\x88\xc9\x94\x37\x93\x67\xc3\xb4\x27\x92\x33\x92\x3f\xa1\x10\xc3\x94\x89\x51\x60\x4f\x2f\x0f\x77\xff\x90\x46\xae\x5b\x08\x4a\x73\x34\x82\x43\xf4\x4b\x1a\x39\xd4\x18\x3d\x12\xaf\xd8\x7e\x58\xb6\x9c\xaa\xef\x38\x7b\x46\x2d\x32\xf9\x01\x0b\xd3\x70\xab\x35\x33\xc1\x07\x22\x35\x89\x69\xf3\xfa\x3b\x9b\x39\xda\x0d\x47\x8f\xd7\x58\xfb\x67\xe5\x03\xa9\x0a\x13\xdc\x98\x16\xe7\xcc\x65\xe9\x4c\x6f\xd3\x48\x07\xd3\x98\xde\xd8\x8c\xe4\xad\xad\x2f\x4d\x56\x28\x4b\xd1\x3e\x13\x89\x20\x4e\x39\x8b\xf4\x1a\x7a\x51\xf0\x2d\xd8\x5b\x05\xdf\x5e\xa0\xbe\xd1\x9d\xa3\xa1\x15\x85\xf7\xe9\xc9\x92\x4f\x5c\x4b\x9e\x9b\x6a\xf2\x29\xe8\xef\xbc\xd6\x5c\x9c\xf4\x04\x55\x20\xcf\x26\x58\x3e\x3a\xe0\x08\xf5\x42\x06\x58\x62\x1a\x85\x5f\x76\x59\x6f\x58\x62\xb7\x3d\xcd\x69\x24\x81\xa4\x74\x46\x52\x65\x66\x49\xba\xd2\xb3\x0e\x13\x98\x1f\x0c\x74\xe8\xc1\xcb\x41\xd2\x72\xf5\x39\x82\x94\x96\xcb\xa5\xb4\x20\x03\x04\x19\x20\x09\xb7\x8c\x3f\xd5\xc8\x86\xa0\x44\xf3\xfa\x1f\x68\xa4\xbb\x09\x0b\x70\x61\xba\x44\xf3\xe6\xcf\x6a\xd3\x95\x86\x67\xe1\xbe\x0c\x41\x9a\x66\xe8\x9c\xb5\x60\x7b\xbe\xc4\x40\x6a\x60\xd9\xed\xfc\x22\xf6\x11\xfd\x96\x5b\xe8\xe7\x7c\x5e\xf2\xf6\x0c\x1b\x38\x60\xe5\xbd\x3e\x43\x7a\x9b\xfa\x34\x78\xdc\xfc\xa6\x76\xc2\x83\xe0\x09\x79\xea\x86\xce\x92\xa4\x75\x25\x98\xc2\xe2\xa3\x38\x20\xc9\xce\xcf\x6c\xd6\xcb\x59\x0b\xf1\x4e\x00\x6a\x9a\xf4\x4a\x22\xec\x42\x14\x2a\x48\x38\x55\x4e\x45\x4e\xbc\xab\xdd\x33\x4f\x6b\xc7\x1a\x93\x7e\xba\xf5\xed\xfd\x86\x4c\xa4\x58\x41\xee\x31\x14\x3a\x10\x79\xfb\xe6\x84\xcf\xaa\xd2\x9d\x92\xcb\xa6\x7f\x6f\x93\x39\xaa\x5e\x88\x8f\xa5\xc2\xf9\x5f\xfa\xea\xe7\xcb\xbe\x9f\x60\xd5\x49\xb1\xcd\xba\xfb\x92\x06\xf4\xe2\x4b\x9a\x18\xd9\xc4\xf6\xf0\xc6\x4d\xe4\x21\xb2\x59\x78\x9d\xea\x27\xcc\x07\x8e\x26\xa9\xdf\xe2\x4e\x14\x39\x98\xc9\xb6\xa8\x76\xce\x45\x87\x78\x4f\xa1\x6f\xb9\x01\xd4\x9c\x38\x68\x3f\x26\xdd\x32\x4f\x9b\x47\x1e\x74\xed\x17\x31\x21\xef\xb9\xb4\x7f\xd1\xf3\x0b\x7d\xb1\x6c\x32\x84\xcb\xe6\x6c\xec\x63\xca\xbf\x83\x1d\x71\xea\x94\xff\x2b\x9a\x9c\xad\xc0\xf9\x16\xdc\xd1\x88\xe5\x91\x98\x78\xb2\x4c\x90\x94\x6c\xc2\x9d\xf6\x59\x73\x0e\x5b\x4e\x40\xfb\x8c\x07\xdd\x0b\xae\xb7\xb8\x7c\xa3\xe2\xa2\xe7\x5f\x70\x3c\xab\x10\x0c\x94\x3c\xfe\x4f\x3f\x3b\x94\x81\x32\xbe\x8d\xfd\x15\x33\x1d\xd5\x96\xbf\x35\xe2\x7c\xff\xb8\x66\xbe\xec\x74\x2a\xe9\x3b\xd1\xe4\xd5\x69\x95\x4b\xae\x63\xdd\x3d\xe9\x7b\x33\x14\x9c\xb5\x1e\x6d\xdd\xc1\xcc\x3c\x0e\x03\x07\xae\x59\xe0\x39\x3e\x43\x0b\x15\x5f\x45\x7e\x42\x23\x3a\xab\xf0\xb4\x1c\x5e\xa8\xf5\x25\xad\xd7\xfa\x40\x5c\x6b\xa2\x2e\x65\x06\x45\x27\x3c\xcf\x95\x53\x04\x00\x23\x08\x3f\x97\x25\xdf\xce\x90\x8a\x08\xbc\x73\x3c\x0e\x10\x34\x99\xd5\xe3\x5d\xa0\x6e\x92\x94\xfe\xcb\x19\x73\x4f\xf5\xe5\x68\x48\x45\x3c\x19\x30\xf6\x45\x71\xec\x78\x88\xeb\x4b\xda\x46\xb8\x70\x49\x7b\x76\x1c\x2c\x50\x7a\xe2\x25\xd6\xe9\x57\x34\xa6\x05\xa7\x3d\xa6\xff\x48\xeb\xdd\x35\x3a\x56\x5d\x5e\xc2\xab\xce\x9b\x55\xc3\x18\xca\x08\xdd\x22\x7c\x12\x8f\x1b\x48\xf6\x12\xfe\x19\x7a\xd6\xbc\x13\xba\x21\x76\x63\xb6\x5e\x54\xa6\xc6\x0c\xb5\x7c\xa6\xd7\xc0\xd3\xea\x7c\xfb\xc0\x46\xb2\xb3\x56\xb4\xe3\x5d\x33\x34\xb4\x76\x65\x4f\xd0\xd0\xb7\xf3\x60\x7a\x10\x9d\xfd\xaf\x1b\xcc\x7b\xab\xae\xaa\xac\x70\x21\x0c\x45\xa0\x49\x88\x66\x36\x0f\xcf\x27\x3a\xf4\xc3\x1b\xc8\x3f\x6b\x44\xb7\x16\x28\x3b\x03\x3c\x18\xda\x8e\xfd\x62\xf8\x4a\xfd\x4f\xb4\xc8\x05\xf7\x37\x34\x51\xd8\x70\xd5\x53\xd1\x27\x26\x6b\x93\x61\xb3\xe0\xf1\xb8\xbf\x84\x0e\xc8\x9b\x61\x58\x79\xdf\x0b\x02\x11\x43\xcc\xa1\x0b\x96\x1b\x82\xb9\xbe\x2f\x56\x0c\x05\x45\x90\x1d\x49\xd9\x7e\x9a\x28\x2c\x8a\x3a\x96\xa8\x52\xd6\x11\xc9\x50\x56\x60\xd2\xc5\xf7\x57\x34\x72\xad\x68\x19\xf4\x9c\xfe\x64\x1d\xac\xa7\x09\x1b\x87\x59\x54\x4b\x5b\x4e\x87\x34\xe8\x07\xa3\x1b\xbe\xfd\x45\xa2\x9e\x1e\xf2\x0a\x8d\x6c\x84\xf2\xf4\x8b\x97\xd7\xe2\xfd\x0b\x0d\x9b\x2a\xda\x56\xd1\x04\x80\x9b\xee\x4c\x63\xa4\xf1\xc0\x2a\x11\x7d\xeb\x6d\x1d\xe6\x7d\xc9\x4b\x00\x18\x85\x11\x09\x33\x10\xd6\xb8\x0a\xdf\x0f\x79\x22\x4c\x4c\xd1\x2f\x64\xc8\xf3\xc9\x46\x87\xa9\x2c\xfa\x51\xf3\xc0\x71\xf6\x83\xb5\x3d\x0a\xe6\x02\x77\x04\xb9\x93\x07\xe9\x92\x5c\xce\x64\xa9\x89\x45\x37\x49\x36\xf8\x9e\x43\x59\x89\x53\x9e\x23\x1c\xbe\x64\x7c\x18\x76\xa5\x85\x12\x61\x2f\x3b\x6a\x1e\x88\xb6\xb2\xb8\x44\xd8\xd0\x5a\x28\xb1\x1c\x50\x9f\x95\xf8\x60\x10\xc5\xe5\x8f\x4a\x84\x60\xee\xcb\x2d\xf1\xaf\x33\xe4\xee\x1a\xf1\x4e\xb2\x63\xe2\x88\x75\xd4\x76\xc3\x40\xff\x44\xc6\x3c\x96\xb8\x12\x87\x3d\x99\x83\x3f\x45\xb8\x21\xa6\x0a\xcd\x79\x8b\x00\x15\x44\x67\xb4\xd8\x95\x4d\x44\xe8\x28\x24\x0f\xe3\x5f\xd7\xc8\xd7\x34\xb2\x65\x96\xc7\x53\x09\xf4\xdf\xd3\xcc\x42\xf4\x47\x22\x39\x03\x0f\x73\xd2\x1d\xf4\x24\xa3\xa7\xa4\x54\x00\x1a\xb2\x27\xe2\x09\x1b\xa1\x57\xf2\x1c\xaf\xb8\x64\x58\x8b\x10\x2f\xd9\x2b\x33\x95\x2d\xc1\x14\xae\x1f\x71\x3e\xd1\x31\x22\xee\x4b\x93\xde\x4e\xdf\xda\x4c\x72\x97\xef\x81\xa4\xbf\x6b\xb3\x50\x58\x13\x3d\xf7\xea\xcd\xe4\x13\x99\x54\x6d\xe1\x67\x32\xad\xef\x7f\xdf\xd2\xaa\x0b\x4c\xec\x7f\x49\x25\xa2\x42\x17\xad\xaf\x49\x18\xe3\xb3\x3c\x1e\x57\x1f\xc7\x97\x2d\x70\xd5\x53\x34\x92\x68\xa9\x80\xb7\x1e\xdb\xa6\x5c\x1e\x52\x45\x38\xb5\x4a\x0d\x38\x90\xda\x04\x77\x38\x2d\x24\xa2\x6f\x16\x64\xfc\x22\x36\x51\xa2\x35\x20\x24\x1b\xd8\x06\xc8\x4b\xc9\xf5\xac\xe5\x0f\x02\x2c\x00\x7d\xf6\x78\xeb\x5d\x36\x10\x4a\x45\x41\x86\x0a\x63\xdd\x22\xd2\xbc\x40\x03\xec\x20\xfe\x00\x32\x1d\x1f\x2f\x8e\x9a\x07\xc0\xb3\xd4\xa8\x3a\x5e\x00\x31\x21\x79\xb0\x50\x36\x3b\xce\x40\x50\x97\xf3\x7e\x79\xb2\x18\x30\xcd\x19\xdf\xa6\xb3\x95\x67\x88\x9a\xaf\x7e\x25\x3e\x34\xfc\xae\x66\x7e\x32\x3a\x34\x54\xea\xdc\x70\x50\x61\x57\xd3\x8f\x09\xc3\xd2\x99\x70\x94\xba\x10\xce\xd1\x72\x0b\xc6\x61\x1e\x49\x44\xf1\x6e\x52\x0e\xb8\x26\x94\x61\xb2\xa1\x36\x45\x39\x66\x32\xfe\x94\xc9\xea\x32\xd5\x99\x93\x1a\x35\x47\x3c\xa6\x7e\xd4\x9c\x10\xc1\xe7\xcd\xe9\x1a\x27\x88\x63\xac\x3e\xb5\x65\x82\xa6\x61\x98\xd1\xa7\x98\x7d\x86\xc9\x3f\xc6\xe4\x5f\x63\xf2\xcf\x49\xd6\xf4\x2a\x42\x96\xcb\x71\xd5\xbf\xbc\xd5\x7c\x43\x22\xde\x99\x20\xb8\xc6\x3c\x92\xe6\x42\x9f\xc1\x6b\x92\x20\x74\x79\xc1\xcf\xb6\xcc\x7b\xae\x1d\x7a\x7e\xf2\x38\xfc\xe4\x16\xf2\xa4\x46\xe4\x3d\xfd\xa7\x35\xf3\x65\xc2\xe3\xa6\x30\x64\x9c\x10\x97\xd3\x40\x5d\xf8\xa2\xe8\xbd\xe5\x98\xe3\x38\x93\x38\xb6\xc8\x6d\x9b\xf3\x16\xfb\x43\xaf\xbf\x1c\xd0\x7e\x3b\xac\x63\x07\xa6\x22\x3e\xdb\xa3\xe6\xe4\x29\x11\x2f\x68\xc8\x78\x30\xe0\x73\x04\x54\x19\x61\x03\xf0\x3d\x2f\xec\x33\x7c\x0b\xc2\xc7\xca\xe0\xb7\xb3\x65\xc7\xe1\xad\x0e\x7d\x4a\xfb\x22\x41\xc2\xbe\x6d\xa0\xc2\x50\x13\x07\x61\xfb\x2d\xcd\xfc\xb8\x16\xd7\x56\x15\x3c\xcd\xe8\x66\x8f\x0e\x2c\xfa\x76\x48\x7b\x38\x5c\x53\x33\x5c\x9b\xbc\x19\x88\x80\xbd\xb6\x2b\x12\x1e\x9c\x60\x0d\x4f\xc7\x7a\x5b\xed\x45\x25\x1e\xdb\x67\x34\x42\x02\x9a\xf7\x69\x08\xa6\x8f\x8f\x6a\xe6\xcf\x29\x9f\x34\x2d\xef\x44\x1b\x41\x09\x82\xdf\x79\xe0\x3f\x03\x78\x2f\x13\x31\x4c\x2d\x49\xf6\x19\x0d\xf3\xd0\x8a\x01\xa6\x9f\x64\x79\x05\xed\xfc\x82\x78\x44\xfe\x4e\x23\x5b\x79\xf9\x53\x74\x56\xff\xb3\x66\x98\xf4\xd3\xd1\xe3\x82\x8c\xfa\xde\xaa\x2f\x16\xbc\x54\x19\x8f\x32\xda\x4a\x92\x07\x60\x43\x7c\x57\x6a\x17\x08\xff\xa9\xb6\x7d\x33\x79\x87\x26\xf4\xc0\x37\x69\xe6\x2b\xb4\xc4\x24\x97\x01\xa7\x7c\xb0\x9d\x83\x4e\xe8\x5a\xf3\xc9\x79\x0c\xd4\x94\x95\x19\x83\xff\xec\x20\x9d\x69\x4c\x0b\x30\x21\xf9\xfa\x37\x3a\xcc\x7b\xc5\x6f\x69\x5f\xb1\xe2\x74\x15\x22\x04\x95\x30\xe9\x4b\x11\x6f\x5d\xa0\x6e\x42\x1c\xfd\x54\x07\xf9\x09\x8d\x6c\x0d\xf3\xa5\x69\x2f\x7f\x81\x86\xfa\x13\xcd\x0c\xf6\xe9\x91\x49\xfe\xf8\x30\x54\x63\x9e\x92\x17\x64\xc4\x66\x30\xcb\x45\x71\xb1\xdc\x05\xcf\x59\xe0\x8e\x66\xa7\x47\x26\xc1\xfd\x28\x0b\xbf\xe6\x3c\xef\x02\xe7\x60\x2c\x51\x85\x87\xc1\xda\xb4\x81\x5e\xa4\x79\xfd\x35\x1a\xd9\xd1\x38\x5c\xc9\x45\x9a\x17\x2d\x79\xc1\x29\xc1\x2f\x82\x38\x8c\x62\x83\x05\x61\xe4\x39\x8e\xb7\xc8\xda\xa0\x64\xa8\x88\xa2\x4b\x67\x0d\x56\x84\xd2\x76\x25\xa6\x1b\x9b\xa5\xd6\x05\x9a\x25\x17\xc8\x66\x36\xba\x47\x68\xa8\x9f\x27\xd9\xc6\x94\x98\xd3\xa7\x27\x8f\xc8\x1e\x8a\xfe\xac\xa8\x83\x15\x28\x15\x89\xd0\x63\xa7\xf1\x59\xcf\x9f\xcf\x92\xbf\xcf\x24\xe0\x5b\x7f\xc6\xca\x4b\x15\x97\x1d\xaa\xd8\xba\xfc\x6c\xc6\x3c\x24\x7e\xc7\xc8\xad\x1a\x38\x11\x46\x1f\xd4\x7a\xa9\xb7\xc1\xf1\x8b\x53\x70\xcb\x01\x2d\x5c\xd2\xb6\x58\x25\xfb\x88\xef\x95\x4b\x97\x34\xb0\x40\xa5\x45\x4f\xfc\xba\x46\x26\x89\x7c\x50\x1f\x35\xf7\x0e\x4f\x8e\xc3\xef\x68\x8d\x00\xf0\xac\x68\x46\x02\x2a\x10\x5c\xdf\x68\xc5\x17\xd4\xf9\x9d\x13\x16\xaf\x21\xb3\x3f\xb2\x77\xa9\xf0\x64\xb3\x65\x40\x50\xc7\x21\xb3\x5f\xa5\x9a\x47\x21\xe2\x9a\x2a\xe3\xcf\x3b\xc8\x76\xa5\xa7\xa3\x2c\x39\xf2\x3c\x31\x3d\x0e\xce\xb1\x25\x9a\xd7\x3f\xd2\x61\x3e\xa2\xfc\x2d\x20\xa1\xea\x50\x95\xe9\x1e\x80\x8e\x6a\xe8\x0d\x78\x40\x10\x87\x1b\x56\x99\xea\xee\x15\xe8\x25\x6d\xb3\xb8\x9b\xe8\xfe\x5f\xc9\x90\x5f\xca\x90\xe8\x96\xfe\x54\xc6\xfc\x71\x4d\x96\x12\x28\x69\x9c\xd4\x96\x28\x35\x8e\x8a\x67\xa5\xee\x2f\x2b\x04\x45\x90\x27\xbb\x8b\x1a\x25\xf4\xa2\x80\x27\x93\x28\xbb\xb2\x99\x22\x77\x0c\x27\xa7\xe5\xbd\xf9\xc8\x9b\x55\xd5\x1f\x86\xc8\xbe\x3a\x64\xc8\x1a\x5d\xcb\x9b\xd7\xbc\xbb\x7c\x53\x2e\xf8\x6c\x0a\x10\xf2\xca\x2d\xe4\x60\xcb\x07\xc6\xe3\x76\x10\xea\xbf\xb9\xf9\x92\xb6\x11\xe2\xf3\x27\x86\xe4\xe7\x37\x11\x8b\xf0\xeb\xfa\x43\x6a\x0f\x1c\x23\xe3\xe4\x48\x9b\x62\x66\xa0\x55\xf8\x32\xac\xc2\xe3\x8a\x51\x78\x39\x4c\xeb\xf8\x30\xca\xc6\xff\x04\x0d\x2d\x64\x37\x5c\x26\xbb\xe1\x69\xed\x25\x8d\x2d\x9b\x0f\xe9\x67\x64\x38\x83\xc4\x32\xa9\x08\xfe\x53\x77\xb9\xa6\x06\x05\xfa\xd7\x9b\xc8\xf3\x6a\xc5\x38\xd3\xbf\x76\x93\xf9\xda\x96\xc3\xf6\x62\x04\xde\xb6\x47\xe0\x95\x8b\xf6\x92\x76\x3d\x57\x1b\x69\x81\x93\x33\x92\xe1\x1f\x9e\x4d\x26\xc8\xc6\x3c\xc4\x33\x1d\x8e\x8c\x29\x7d\xa7\xd9\xde\x2f\x53\xcf\xf0\x6c\x14\x4a\x6c\xab\x39\x2b\x30\xbc\x3c\x20\x57\x85\xa4\xe1\xe2\xc1\x18\x41\x9a\x30\x0f\x0e\x5f\x4e\x74\xb2\x67\x3c\x33\xe5\x4d\x1a\xd9\xc4\xd7\xb8\xfe\xaa\xe5\xc6\x12\x3c\xcd\x33\xc6\x45\x31\x7a\xe2\x10\x7b\xf1\x28\x65\x8d\x69\x39\x8b\x2c\x36\xa3\xfc\xd8\x6f\x00\xa6\x6c\x00\x7d\xc0\x86\x85\xf7\x72\x16\xe5\xf3\xe5\xb2\xcf\x7e\x4a\xe3\x66\xf9\xd8\xe2\xfb\xc4\x65\x04\x7e\x3d\x7a\x3a\xc2\xb6\xad\x50\xba\x60\x50\x1e\xa4\x8e\x93\x77\xa2\x55\x28\xf3\x12\xc9\x25\xba\x68\x05\xd0\xad\x7e\x81\x16\xb2\xc4\x8f\xa3\x5e\x17\x5b\xf0\x87\xdd\x7d\x6a\xf9\x41\xae\x49\x89\xe8\x4a\xf0\x69\x31\x53\xf5\x87\xcd\x13\x27\xdb\x19\x77\x5a\xed\xfd\x07\xd3\x22\x0c\x3e\x60\xee\x6e\x21\x8c\x60\x45\x7c\x95\x28\x36\xe4\x13\xcd\xaf\x53\x1e\x14\x72\x7a\x74\x05\x42\x41\x9e\x91\x31\xb3\x8f\x9b\x87\xce\x2e\x2b\x4e\xf6\x54\x65\x9c\x6c\xf5\x43\x2d\x81\x4c\xbf\xc0\x3c\x7e\xba\x8d\x01\x0d\xd5\x2a\x7e\x5a\x93\xd6\x80\x37\x6a\xe6\xcb\x35\xa0\x97\x05\x95\x72\xaa\xaf\xbe\xa0\xe2\x53\x85\xed\xcd\x11\x6b\x23\x61\x4e\x88\xad\x3e\x71\xfc\x0f\x29\xe6\x23\x73\x0b\xdf\x76\x2a\x63\x91\x5f\x3f\x9b\x0c\xdb\xfc\xd6\xcb\x58\xbd\x0f\xa5\xaf\x5e\x5a\x11\xf2\x58\x2e\x52\xa3\xfb\xb4\x00\xd0\x85\xb9\x08\xf2\x34\x95\x78\x66\x29\xd7\x60\x23\xc2\x36\xaf\x6c\x0f\x79\x9c\x54\xec\xe8\xfa\x43\x2d\x2c\xea\xbb\x4e\x57\xe4\x5c\x4a\x46\x54\xe5\x91\x5d\xf1\xe4\x74\x19\x27\xa7\xb2\x1a\x4c\x7b\xee\x32\x63\x69\xf3\xd9\xd1\x44\xe8\xec\xa7\xb5\x13\x8d\x0f\x09\xbd\x7a\x77\x7f\xed\x20\xa0\x49\x02\xe4\xa7\x36\x91\xac\x32\x9f\x5c\x1a\x2e\x7a\xfe\x05\x9e\xe7\x9c\x1f\xbc\xc7\xdd\xa2\x4f\x83\x00\xdc\xf7\x00\xdf\xf9\xb1\x4d\xe6\x68\xe5\xc5\x7a\x29\x49\xf8\x00\x5b\x51\x26\x22\x43\xbc\x9b\xb4\xc8\x7f\x7c\x23\x79\xb2\x03\x02\x16\x46\x19\x0e\xde\xde\x61\xbe\xb6\x43\xf1\x0a\x01\x5c\x4a\xea\x0e\xf5\xf2\x1b\x08\x91\x23\x22\xd7\x72\x3c\x06\x9c\x0f\x45\x7c\x2f\xc7\xf1\x16\x45\xf6\x26\x7b\x16\x56\x4c\x68\x98\xb3\x8e\xb5\xe0\xf9\x81\xa9\xa4\x08\x8d\x8a\x8d\xd9\xaf\xac\xd2\xb8\x36\x48\x48\x6f\x08\x0c\xbb\xcf\x58\xf2\xca\x30\xdb\xe1\x9c\x13\x97\x3c\x19\x27\xcc\x8d\x84\x18\xcf\xa8\x18\x85\x3f\x4e\x06\x4f\x16\x8d\x4c\x81\x5f\x39\x13\xa9\xe0\xcd\x5b\xb6\xdb\x5f\xf2\xe9\xac\x7d\x91\x16\xb8\x55\x24\xca\xde\x07\x46\xa5\x5d\xf7\xec\x54\x42\xdc\x32\xf1\xc2\x43\x00\x8b\xcd\xd0\xb4\xf2\xf3\x94\xad\x0c\x9b\x8f\x43\x7f\x5c\xb7\x59\x99\xe8\xcf\x9e\x9f\x2f\x87\x95\xf1\x69\xc9\xab\x33\x84\xc4\x69\x80\xf5\xef\x6b\xe4\x58\x4d\x01\xd5\x60\x42\xc5\x9d\x13\xcb\xae\xf7\x6b\x4a\x97\x09\xe4\xce\xbd\xc0\x7d\xc6\xf2\xe5\x20\xf4\xe6\x63\xe9\x23\x00\x5d\x38\xb6\x15\xb8\x45\xd5\x72\x2a\xb2\xf7\x2a\x6c\xd6\x64\x1f\xc3\x89\x44\xbc\x62\x57\x4d\x25\x25\x19\x31\xd8\x1d\x0d\x7a\x31\xf4\x2d\x25\xff\x71\x96\xfc\xdd\x96\x44\x98\xc0\x54\x32\x4b\x1c\x68\x56\xff\x95\x2d\xe6\x48\xf5\xe5\xca\x1c\x3b\xa9\x24\x62\x85\xdc\x92\x5c\x37\xdf\xda\x4c\xbe\x9a\x21\x1b\xd9\x21\x6c\x49\xff\x42\xc6\xfc\x54\x06\x7e\x26\x48\x2c\x52\xfc\x47\x22\x97\x27\xbe\x93\x21\x9e\xa3\x9c\x81\xa1\x6f\xcd\xce\xda\xf9\x3e\xc3\xca\xb3\x6d\x4b\x68\x16\x8b\x73\x56\x48\xd9\x96\x15\x87\x1a\x00\xb3\x6e\xb4\x1d\xc8\x76\x19\xc3\xa0\xdb\x08\x6a\x97\xac\xdf\x72\x8d\x32\xb7\xb2\x47\x01\x0c\x92\x01\xc5\xab\x4e\xf0\x32\x3e\x1f\x6f\x75\xe2\x65\x03\x34\x5f\xab\xb0\xc4\xd7\x5e\x32\x72\x3a\x57\x15\x80\xbe\xc7\xba\x20\x02\x04\xa0\xf1\x33\xd4\x30\x43\xbf\x4c\x4d\x3e\x1d\x20\x53\x1d\xa7\x51\x47\xed\x17\x2c\xbd\xc8\x3a\xf9\xe7\x19\xb2\x19\x82\x71\xb8\x45\xfd\x0f\x32\xe6\x67\x32\xe2\x0f\x58\x16\x6a\x4a\x4a\x5e\x99\x48\x85\xcd\x5d\x98\xc2\x28\xe9\x5c\x32\x0b\x1b\xe8\x2f\x4a\xcd\xfc\x8b\xbc\x59\xa5\x09\x7c\x62\xc6\x43\x9f\xcc\x13\xce\x64\x9f\x2f\xc9\x94\xa2\xe2\x78\x1f\xe5\xde\x53\x4a\x0d\x00\x5c\xbb\xb6\xd3\x57\xdd\xc9\x05\x0a\x5b\x72\x14\xf2\x98\x95\xa4\x90\x14\x2a\xf2\xa8\xcc\x50\x99\x27\x5d\x66\x85\x8d\x26\xf2\xb4\x63\xe7\xe9\xe9\xb8\xce\x98\x26\xaf\x66\x5f\x4f\xf6\xed\x47\x32\xe4\x1a\xa5\x99\xfa\xbb\x33\xe6\x9b\x32\x6a\xcf\x34\x9a\xbd\x89\x6f\x6c\x76\xda\x8d\x2c\x6b\xa2\x85\x1e\xb8\xb9\xc7\x91\x1a\xd5\xfa\x21\x99\xab\xda\x86\x15\xee\xb0\x7f\xda\x42\x6a\x91\xc3\x44\xac\xfa\x55\x93\x36\xb8\x2e\x70\x5d\xac\x99\x75\x81\x5b\xdf\x4a\x6c\x7d\xbf\x90\x21\xb7\xa8\x2a\x9c\x57\xe0\x67\xcc\x05\xea\xcf\x51\xab\xa0\xbf\x39\x63\x4e\x45\x7f\xb0\xb3\x62\x19\xce\x4e\x95\x92\x45\xea\x68\x5e\xf4\xa8\x15\x04\x5e\xde\xb6\xe2\x4c\x90\x3c\xba\x95\x48\xa7\x99\xf4\x0a\xd0\xc8\x07\x35\xb2\xa5\xe4\x15\x0e\x33\x2d\x57\xff\x5f\x9a\x79\x72\x52\xfc\x51\x59\xd1\xac\xb8\xb8\xbc\xea\xda\x1b\x5b\xe8\xab\x5b\xc8\xee\x7a\xde\x2a\x5c\x4a\x0b\xdf\x94\x05\x9b\x2e\x0a\x27\x8a\x77\x6e\x31\x47\xab\xae\x56\x3b\xac\x80\x84\x04\x8f\x8e\x0a\x1a\x50\xe4\xc1\x92\x4c\xc4\xb7\x99\xbc\x65\x23\xd9\x6a\x95\x0b\x36\x44\x25\xd4\x5f\xb5\xd1\xfc\xfb\x0d\xc3\xd1\x9f\x3c\xb7\xb7\xf8\x4b\xc8\xec\x59\x9b\xcd\xc2\xfc\x9c\x17\x50\x37\x3a\xed\x28\x55\x45\x81\xa8\x2d\x81\x05\xb2\x89\xe7\x08\x73\xcc\x8c\x27\x16\xb2\xf2\x1d\xdc\x9a\x03\x7e\x26\xc6\xb0\xab\xd4\x01\xfa\xbc\xbb\x94\xb8\xc2\xe1\x24\x98\xfa\x41\xcc\xe3\xab\x28\x11\x0e\x99\x56\xfc\x09\x22\xcf\x39\xd4\xd1\x15\xc4\x77\xd8\x52\x14\x68\x42\x75\x21\x90\x7f\x80\x1f\x11\x69\x18\x87\x20\xce\xc6\xe5\x72\x51\x25\x96\x4f\x14\xcc\x55\x66\xde\x8e\xbf\x3c\xa5\xfb\xd4\xcc\xd4\x32\x07\x25\x07\xa2\x2a\xcb\x07\x9e\xb8\xc8\xba\x2d\xa4\xa8\xda\xca\x40\x66\x26\x95\xd5\x00\x8d\x9c\xf3\x10\x12\x8f\xf2\x0a\x41\xd2\xf0\x34\x28\x15\x35\x8a\x0a\xb9\x61\x4e\xde\x93\xe3\xca\x33\x1d\x72\xe9\xd0\xa7\xcc\x32\x3b\xe0\x1f\x6f\x58\x45\xcb\x76\x45\x46\x6f\x59\xa6\xe8\x58\x25\x92\x30\xeb\x57\x91\x1f\xb5\x0e\x51\xb2\x48\xae\x4b\xd4\xad\x9f\x31\x8f\x0e\x27\x1b\x53\x29\xba\xa3\x06\x41\xde\x90\x8a\xf5\x6c\x19\x5c\x3a\x02\xcf\x2f\x21\xc0\x8e\x92\x8d\xd4\xf7\x3d\x5f\x3f\x64\xee\x1a\x63\x3f\x6a\x17\x0c\xd8\xa6\xdb\x05\xf8\x52\x7e\x8e\xe6\x2f\x24\x69\x2f\x2f\x15\xc4\xb7\x90\xec\xab\x79\xc4\xad\xb1\xd8\x1f\x0c\xa8\x3f\xee\xce\x7a\xe6\x3e\x95\x26\x17\x5d\xad\xfa\x1a\x60\x38\x72\x10\x45\x3a\x74\x7d\xef\xda\x7a\xc4\x8c\x66\x48\xfc\x1f\xbb\xd6\x7c\xac\xf1\x63\x32\x73\xb3\xc8\x61\xae\x68\x82\xb5\x2d\xc9\x02\xf4\xab\xeb\xd5\xfa\xf1\x6b\xc8\x6c\x6c\x34\x7c\xa1\x79\x32\xe2\x99\xc7\x91\x9d\x8c\x36\x31\xd1\x8f\x4b\xec\x39\x67\xde\x13\xa5\x1e\x8d\x77\x62\x63\x79\xe4\xf4\xb7\xc5\xe4\xf4\xd7\x69\xe6\x0f\xd7\x70\x61\x5d\x25\x6e\xba\xda\xb0\x77\x6c\x14\x38\xfe\x9b\x36\x9a\xaf\xd8\xd8\x2c\xc7\x9c\xc9\xed\x26\xf8\xe5\x84\x0c\xbb\xca\x73\xca\x54\x90\xfe\x11\x0b\xb6\x05\xb5\x0d\xc8\xac\x38\x41\x79\x26\xda\x1a\xfb\x54\xf7\x64\xb5\x7f\xd5\xb4\x3f\x3c\x5e\x86\xd4\xdf\x45\x96\x9f\x08\x61\xb3\x8b\x2e\xf5\x59\x43\x64\x1b\xdb\xdb\x8a\x02\x14\xaa\xb6\x41\xf4\x7c\xed\x76\x88\xde\xa9\xdb\x0e\x31\x41\xea\xb5\x82\x17\x69\x08\xe3\x4d\xe8\xf1\x1a\xf9\xd0\xc5\x6b\x8c\x55\xa9\x76\x14\xef\x84\xca\xb1\x9c\x2f\x87\x3c\xc8\x11\xbd\x98\x77\xca\x81\xbd\x40\x9b\x9f\x6d\x71\xe2\x2c\x9e\x6b\xbd\x60\x78\xb0\xc3\x14\xc0\x98\x48\x4e\x45\x8c\xd0\x0a\x39\xc0\xd9\x12\xd2\x59\xc6\x71\xbc\xc5\xc8\xab\x4a\x4c\x4d\xf4\x0b\x6a\xd1\x2f\xe8\xf5\x5a\x95\x63\xd0\x8b\x5b\xef\xb3\x43\xc9\xa2\x2a\xdd\x88\x1b\x3b\x0a\xfd\xf5\xd6\x54\x0f\xcb\xe3\xf6\xbc\x1d\x4e\xb1\x0f\x04\xca\xdf\xa7\xb6\x9a\xfd\xc9\x4b\x49\x96\x65\x7c\xcf\x00\x02\x60\x36\x95\x21\xf8\x4e\x4c\xf4\x74\xd9\xbc\x84\x2f\x68\x11\xc7\xf2\x37\x34\xf3\xe5\xda\x38\xfb\x59\x73\x2c\x78\xa7\xa4\xb7\xb4\x5e\x24\x83\x04\xa4\x3e\xc0\xfd\x7a\xfa\x65\x73\xfa\xe3\x50\x4a\x03\xaa\x02\x38\x40\xfa\x9b\x20\xa6\xc7\xcd\x43\x8b\xe4\x65\x58\x24\xff\x50\xe5\x51\xfd\xf6\x72\x7c\xca\xab\xd9\x9c\xe6\x2b\x63\x16\x15\xcc\xa2\x55\x63\x50\x29\x1f\xf7\xb4\x76\xa6\xb1\xb1\x73\xb7\x3e\x98\x96\xe0\x29\x29\x9a\x2a\xf3\x3b\xbd\xaf\x8f\xdc\xa3\x6a\xf0\x85\x79\x3b\x60\x77\x7d\x5a\xb4\x81\x4a\x2d\x62\x4c\x9c\x11\x19\xed\xdc\xe2\x59\x3a\x33\xe7\x79\x17\xf4\x7f\xdc\x61\x9e\xaf\xba\xaa\xea\xcf\x3c\x10\x2b\x94\x66\x2c\x8a\xdb\xd1\x69\x35\x19\x39\x59\xb2\xe1\x02\xc8\x68\x1a\xe7\xff\x11\xce\x05\x97\xb4\x6b\xf9\x2c\x1c\x81\xb5\x77\x49\xbb\x26\xb0\x0b\x74\x6c\x76\x96\x2d\xe0\x4b\xda\x4d\xb2\x1e\x7e\x16\x14\x02\x33\x29\x5f\x3f\xdd\x4b\xfe\xad\x83\xa8\x2f\xea\xff\xa7\xc3\xfc\x5a\xc7\x74\x7c\x81\x2b\xbf\x01\xdb\x04\x85\x63\x9a\x1d\xc8\x96\xcf\x59\x81\xc1\x5e\x36\x28\x7f\x38\x6b\x0c\xe7\x99\x40\x00\x55\x5d\xe6\x5f\xa2\x43\xc6\x49\xcf\xa5\x7d\xf0\xef\x29\x77\xd4\x5f\x9a\x2a\xbb\x46\xb7\x28\x24\x0e\x9a\xc6\xd4\x25\x71\x3c\x82\x55\x68\x39\x81\x27\xec\x9b\x4b\xc6\xb4\xc7\x36\x28\x3f\x52\x9f\x7b\xb2\xc6\xd9\xe8\x7d\x38\x0b\xa8\xcd\x30\x4e\x3c\x38\x7d\x3a\xb6\xa0\x02\xe8\xcb\x44\x95\xed\xd8\xc2\x3d\x0a\x00\xbb\x3e\x23\xb0\x41\xb7\x91\x2a\x20\xab\x15\x34\x9f\xc7\x79\x80\x7e\x88\xa0\xca\x99\x2c\x46\x10\xd2\x52\x74\x70\x8f\xc7\x30\x3f\x67\x41\xb8\xd3\x82\x50\xe2\x94\x46\xb0\xee\xa2\xb3\x6c\x39\xb8\x34\x8e\xef\xed\x16\x3c\x97\x66\x8d\xa9\x48\x62\xc8\xd3\x5d\x81\x77\x8b\x15\xf2\x65\x41\x65\x42\x2a\xab\x1c\x7a\xfd\xb2\x49\xdc\x12\xb9\x64\xcc\x5b\x61\x9e\x1d\x72\xa3\xa1\x90\x9d\x10\x8d\xdb\xc1\x83\x51\x5f\x81\x73\xa5\x37\x9f\xb4\xd2\xbe\x2b\x43\xae\x67\x9b\xbe\x57\x0e\xa7\x81\xd8\x15\xe8\xaf\xcd\x44\x24\xd0\xef\x69\xa7\x13\xb7\x2a\x1c\x6e\xc4\x7b\xe2\x9c\x14\xcf\x87\xac\x31\x3c\x1b\x52\x3f\xf1\x4c\xc9\x0a\x02\x1a\x70\x9d\x27\x6a\x6b\x1e\x02\xf6\x46\xf9\xb6\x8a\xae\xe7\x73\x15\x8a\x3d\x33\x3c\x39\xae\xdc\x87\x94\x38\x3c\xa0\xa8\x20\xec\xb2\x2b\x6c\x38\x4a\x10\x3c\x34\x6b\x9c\x56\xea\x12\xe1\x87\x45\x6c\xcd\x28\x31\xc2\x20\x0c\xcf\xee\x9d\x82\xc0\x16\x48\x67\x5e\x36\x24\x83\xf1\xe5\x04\x99\xf5\x6d\x1b\x48\xad\x15\xa4\x3f\xdd\x61\x7e\xb3\x63\x38\xfd\x26\x47\xb0\x0c\xcf\x2f\x50\xf6\x51\xd1\x16\x5b\x02\x7a\x02\xbb\x72\xbe\xe2\xc5\xf3\x91\xe8\xe1\x5d\x1b\x89\x0c\x0a\x39\x22\xd8\x82\x92\xd8\x09\xef\x91\xd0\x87\x40\x02\xe5\x80\x0a\xf2\x87\x78\x3d\xe1\x75\xc2\x29\x47\xb6\x74\x06\xe3\xd9\xdb\x5c\xc5\x93\x4b\x56\x1a\xf3\x07\x6c\xc1\x2e\x81\x12\x12\x81\x49\xe3\x36\xf4\xa9\x59\x3c\xe3\x11\x92\x13\x21\x52\xaa\xc6\xd5\x64\x5d\x85\x78\xe0\x13\x96\x77\xc5\xcb\x8d\x9f\x17\xe2\x56\xb1\x11\x93\x16\xf6\xc8\x05\xda\x72\x97\xe2\x27\xf8\xcc\x16\x2a\x19\x6b\xe0\xb4\x68\x20\x9b\x3c\x52\x57\x8b\x57\x47\xd4\x54\x88\x5f\x49\xd9\xce\xcd\xd9\x4f\x5e\xda\xac\xaa\x83\x52\x7d\x48\x23\xd7\x89\xa7\xa3\xf8\xb5\x9a\xf9\x7a\xed\xb0\x7a\x49\x6a\xa5\x73\xde\x62\x52\x11\x04\xdc\x49\x51\x2a\x62\x41\x22\xd5\x0b\x76\x80\x8b\x42\x5c\xf6\xc7\x3d\x23\x85\xa9\x31\x0e\x0b\x86\xad\x17\x56\x69\xd2\x35\x1d\xae\xa8\xcd\xfd\x7b\x4d\x78\x77\xfd\xa5\x66\x7e\x59\x3b\x5d\x41\x8d\xa9\xda\x8b\xb2\x06\x30\x34\xe3\xf3\xf7\x6c\x99\x9d\x23\x5f\x54\xb6\x1c\x98\x24\x9c\x24\xd2\x67\xd8\xf3\x56\x91\x8a\xce\x4a\xe8\x85\x7d\x02\x4c\x34\x95\x27\xcc\x4a\x97\x32\x65\x64\xb8\xde\x9c\x28\x22\xed\x69\xcf\x2f\x5a\xae\x88\xe9\xc3\x85\xa7\xed\x57\x9c\x2f\xbf\xbd\x91\x5c\xcf\xa7\x5f\x94\x83\x51\xff\xd3\x8d\xb5\xc3\xa5\xd6\xd3\x72\xac\x19\xea\x44\x85\x98\x3f\xb1\xf1\x54\xa2\x54\xa3\x40\xf3\x40\x65\x92\x3b\xa2\x07\x61\x41\xd5\xe9\x26\x25\x96\xe0\x8d\x08\x75\x93\x6d\x97\x20\xb7\x99\x66\xca\x03\xcd\x64\x8d\x64\x9b\xc1\x41\x97\x0d\x36\x67\xfe\x0b\x7c\x55\x82\xe8\x9e\x23\x68\x7f\xd0\x6d\x2e\x5d\x3c\xa5\x90\xf8\x16\x63\xa3\x67\x1c\x99\x35\xd1\xcf\xfc\x20\xc7\x76\x09\x61\xe0\xe2\xbb\x88\x3d\x6b\x50\x1b\xbe\x45\x34\x14\x2e\x47\xf9\x8a\x44\xcb\xc0\x8a\x55\x76\x9c\xe8\x99\xee\xb8\x2d\x91\x4b\x87\x15\xc0\x80\xf1\xfd\x1c\x1c\x21\xe2\x16\x56\x3c\x53\x80\x10\xcb\x3d\xe2\xe0\xac\x52\x11\x05\x00\x01\x34\x29\x11\x8c\xa7\xdb\xb1\x2f\xb0\x6d\x7a\x94\x96\x1c\x6f\x89\x6d\xe9\x53\x9e\xe3\xcc\x58\xf9\x0b\xf0\xbe\x31\xe9\x15\x26\x7d\xef\xe2\x52\x14\xcb\x87\x17\xd7\x13\x99\x1c\x53\x3e\x39\x6b\x3c\x18\x50\x75\x68\x64\xa2\x45\x70\x79\xb5\x13\x73\x54\x30\x81\xfa\x6d\xb7\x4f\x26\x99\xa7\x6e\x01\x90\x65\x7e\x5e\x08\x2e\xd8\xa5\xf4\x05\xc5\xc4\x67\xe4\x38\x1f\xca\xf0\x42\x89\x2d\x08\x0e\x17\x80\xce\x27\x26\x5e\x94\x97\x32\x1a\x0b\xba\x40\xfd\xa5\x70\x0e\xc8\xfa\xdf\xde\x40\x36\xfa\x65\x87\x06\xfa\x5f\x6d\x30\x7f\x6c\xc3\x14\xfb\xa9\x68\x99\x90\xa9\x4a\xd1\x1f\x59\x73\x78\xa2\x50\xa1\x60\x0e\x28\x48\x54\x50\xb1\x35\x43\xe0\x72\x9e\xda\xff\x74\xfa\x8d\x38\x03\xa9\xcd\xa7\xb8\x1d\xcf\x98\x73\x96\xbb\x74\xce\x60\x0d\xca\x1a\x47\xbd\x45\x0a\x22\xd9\x16\x1b\x22\x38\xe7\xfa\x9c\x66\x1a\x6b\xc9\x72\x43\x94\x0a\x1d\x9b\xaa\x27\xca\x61\x8d\xbb\x20\x3c\x4b\xe5\xb8\x4f\xa3\x04\xd3\x10\x5a\x9e\x1b\x43\x79\xd7\xa9\x58\x16\x30\x22\x22\xc8\x87\x29\x4b\xec\x43\x38\x71\x3d\xa4\xce\x92\x51\xb0\x03\x6b\xc6\x89\x8a\xe4\xf1\xb7\xfb\x2e\xa3\x95\x16\xe8\x7d\x6c\xdb\xce\xc7\x0e\xaa\x72\x76\xc8\x03\x23\xdb\x39\xab\x0e\x0c\x23\x89\x6d\x52\xad\x27\xf5\x81\xe8\xd0\xae\xee\x5a\x47\xc9\x61\x32\x5a\xdb\x26\x51\xeb\x44\xc3\x06\xee\xac\x1d\xce\x9d\x92\x93\x87\xfc\xb4\x46\x12\x07\x0d\xfd\x35\x1a\x19\x5b\x7e\xc9\x51\xcb\x95\x92\xcc\x43\xea\x5f\x89\x4d\x33\xf4\x0c\x71\x54\x84\xc4\xee\x52\x49\xe6\x7b\x54\x24\xff\xc9\xbb\x36\x93\x6b\x60\xe6\x89\xad\xf8\xf5\x9b\xcd\xff\xde\xa4\x5c\x48\x96\x39\x47\x0d\x13\x56\x8d\xc9\x75\x1c\x9e\x00\x41\x95\x83\x6e\xde\x9b\xe7\x4e\xce\x7c\x78\xb2\xc6\x70\xf5\xfe\x6b\x8e\x5d\xb4\xf2\x21\x07\xe1\xc7\x5e\x54\xb6\x17\x2c\x87\xba\xa1\x99\x25\xa4\xdf\x80\x5b\x43\x52\x39\x8f\xce\x15\x91\x50\xb1\x43\x83\xb2\x27\x9c\x25\xb9\x60\x2c\x45\x03\xf3\x61\xd9\x24\x58\xa3\x36\x13\x95\x91\xd4\x0b\xe2\xac\x16\x05\xfe\x06\x3b\x32\x59\xa5\x52\x30\xb0\x30\xd8\x17\xfd\x80\x03\x54\x9f\x48\xbe\x14\x52\x17\xf4\xa5\xf8\xfa\x4c\x39\x94\xdd\xc0\xdb\x15\x25\x02\x3a\x1f\x39\xa7\x07\x43\x2f\x34\x59\x61\xe6\xa3\xac\xd0\x08\x7b\x63\x57\x17\x06\xd9\x35\x29\x3a\x86\x8c\x17\x9a\x4a\xf3\xcc\x47\xcf\xf7\x29\x5f\x1d\x7a\x89\x26\x19\xf0\x5d\x95\x0d\x12\xbb\x96\x58\xa7\x29\x3b\x17\xef\x57\xd9\xcf\xd5\x9d\x6b\xcf\x46\xfd\xc1\x7d\x0f\x05\xce\xe3\x70\xd5\xd3\x76\xa1\x5b\x83\x3e\xa0\xb7\xf3\x0e\xe3\x10\x2f\x68\x8d\xdc\xe7\xde\xf3\x23\xc5\x72\xc5\xbb\x1f\x2c\x2a\x6b\xae\xfb\x79\xa4\xb2\x05\xea\x8b\xb4\x74\xe2\x45\x6e\x08\x49\x1d\x93\x44\x40\x24\x65\x19\xa8\x2a\xd9\x37\xb6\x92\x67\x31\x2d\x2e\x28\x59\x79\x99\x19\x5b\xff\x9d\xad\x6d\xd0\xca\x5e\xb1\xf5\x64\x65\xc1\xcd\x28\x66\x20\x4e\xa3\x3d\x5f\x6a\x69\x31\xb6\xc1\xb5\x4e\x28\x56\x1c\x6a\xac\xb0\xbe\x52\x34\x9e\xd0\xf0\xec\x30\xa0\xce\x2c\x07\x25\x65\x49\xfc\xf0\x2b\x15\x3f\x9e\x48\x67\xd6\xf3\xe7\x79\xed\xe2\xcc\x24\x21\xb4\x48\x45\xa8\x28\x39\x90\xf3\x36\xda\xef\x82\xbc\x57\x52\xa8\x2d\x7d\x4c\xbc\xf0\x2d\x87\xe9\x23\x41\xc5\x80\x25\xe6\x75\xad\xae\x89\x7c\xbb\x58\x27\x7a\x81\xda\x1b\x42\x97\xaa\xb4\x4b\x9b\x7e\xd9\x85\x00\x87\x26\xd3\xea\xcc\x9d\x5c\x2c\x0e\x9a\x07\x0c\x20\xbc\xf3\xf4\xb6\xb4\x32\x99\x75\x20\x22\x89\x04\x43\x86\x59\x35\x41\xcc\x21\xe3\x25\xc4\x30\x4c\xe8\xb0\xb1\x8b\x25\x9f\xc2\x86\x12\x98\x43\xc6\x0b\x89\x61\x18\x70\x97\xfd\x67\x5e\xa0\x4b\xe6\x90\xd2\x84\xbe\xe8\x46\x94\xcb\x9a\xdd\x85\x2c\xd6\xf1\x2d\x2e\xc8\x65\x59\x70\x6d\xa7\xbc\x6d\xb0\xb6\x8b\xdf\x8f\xc2\xff\x5f\x46\xd8\xaf\x97\x11\x32\x3e\x0b\x7e\x63\xd4\x2a\xf0\x2f\xb3\xf8\xaa\x80\x35\xbc\xfc\xbe\x4c\xb3\xef\x9b\xd4\x5d\xb0\x7d\xcf\x65\x8b\x99\x77\x67\xc9\xf7\x0a\xbc\x47\x83\x10\x78\x65\xe6\x81\xd5\xeb\x56\xb5\x35\xa9\x3d\xdb\xa8\x5b\xa1\xf5\x4a\xcf\x46\xdf\x90\xde\xbf\xd3\x94\x36\x65\x6a\x60\x7a\xdc\x82\x4d\x17\x07\x84\xe3\x40\x3f\xeb\xbf\x7e\xd1\xd5\x03\xe2\xc4\x20\x5d\x13\xa3\x10\x42\xac\x3b\x79\x30\xca\xa8\xbb\x82\x58\x88\xb5\xa8\x85\xff\xdf\x2d\x89\xf0\x32\x33\x70\xb0\x58\x18\xcc\x8e\xf8\x9e\x3b\xe1\xcd\x80\x1d\xec\x8b\x5b\xcc\x1e\xe5\xef\xd4\x3c\x13\xbe\xe7\x1a\x8f\x7b\x33\x35\x6c\x60\xbf\xb0\x19\x6d\x60\x97\x6b\x03\xcb\x47\x26\xb0\x87\xcd\xdb\xed\xc8\x00\x26\xd1\x32\x6f\xd6\x10\x43\x94\xd4\xa1\xfb\xc9\x0e\xd2\x53\x53\xd3\xad\x1c\x6e\x34\x4e\x5d\x86\x71\xea\x8b\xaa\x71\xea\x33\x97\x69\x9c\xfa\x91\x2b\x64\x9b\x8a\x2a\x5a\xb6\x61\x0a\xa6\x52\x1c\x9c\x23\x16\x17\x95\x86\xa9\x5f\xd9\x48\x76\x29\x53\x70\xd6\xf1\x16\x85\x4b\x92\xe4\x95\x1d\x76\xbc\xc5\x69\x58\xac\x31\xcd\xeb\xe5\x1b\xcd\xa1\x94\xeb\x0a\x62\xa0\x10\x40\x38\x4b\x3e\x7e\x3c\x49\x1e\xfd\xe5\x0d\xe4\x23\xe9\xe1\xe0\xdf\x7e\x19\xfe\xb2\x8f\x9c\xaf\x2e\xf0\xbc\x5c\xa3\x97\x1b\x2b\xbe\x18\x73\xcc\x1e\x31\x4f\x9d\x17\xbf\xcf\xf3\xd5\x39\xd7\xc6\x44\x0a\x8e\x24\x99\xcd\x98\x0f\x9e\xe7\x3f\x45\x35\xe5\xf6\xa7\x55\x98\x95\x1c\x34\xf6\x55\xfc\xe7\xf9\xcb\xcb\xaa\x90\x0a\xac\x8e\x08\x4a\xd9\x01\x33\x7b\x9e\xfd\x38\xdf\x20\x09\x42\x6a\x21\x3f\xba\x91\xf4\x28\x33\x57\x40\xc7\xd1\xa4\x15\xa7\xec\x28\xd3\xa1\xfe\xb5\x0d\xe6\x9b\xb4\x8a\x8b\x89\x6d\x0e\x52\x51\x45\x99\x1e\xe3\xb9\xcb\x61\x50\x61\x58\x8a\x5c\x09\xc0\x88\xc7\x2b\x84\x3e\xe6\x29\xd7\xc1\x84\x92\x35\xc6\xa5\x03\x9f\x12\x45\x92\x7b\x4f\x0a\x8b\x1d\xaf\xb6\x82\x80\xfe\x89\x0e\xf2\x61\x70\x73\x0c\xe7\x26\xe1\x61\xfd\xdd\x19\xf3\xcd\x99\xf8\xef\x44\x54\xca\xa8\xbc\x88\x5b\xaa\xb6\x1e\xac\x55\x02\x93\x1c\x0f\x63\xa3\x47\x14\x2d\xf5\x7c\xef\xf9\xac\x71\xda\xb7\x6c\xc0\xa6\x02\xc7\x0a\xe6\x04\x0e\x11\xfa\xf6\xfc\x7c\x94\xd1\x77\x41\x62\x48\x55\xd5\x0a\x36\x2c\x54\xca\xae\x67\x09\x19\x13\x5a\xd1\x90\x71\x7e\x60\xd6\xf3\xce\x8b\x53\x20\x18\x1b\xc4\xa5\x3e\xfe\xff\x81\xf3\xb0\xa9\xf3\xdf\x33\x96\x7f\x3e\xf9\x06\x1c\x09\xe2\xb7\x0a\xe7\x99\xb2\x7a\x1e\x82\x6c\xb2\xa7\xd4\x19\xf0\x84\x1a\xa0\x74\xd1\xb4\xa1\xd9\x8a\x7b\x4e\x1f\x1f\x38\x5e\x9a\xd2\x43\x0a\x64\x1e\x7d\x99\xe8\xe2\x08\x55\xb1\x1c\x47\xf6\x26\x84\x24\x85\xee\x89\xea\x4a\x72\x7f\xbf\xb5\x95\x0c\xd6\x9e\x87\x93\x5e\x61\xd4\x0e\xfc\x32\xe0\xc8\xb9\x72\xa1\x48\x43\xf0\x69\xfe\xf0\x56\x33\x57\xe3\x1e\x5f\xde\x15\xc1\x6d\x00\x92\xae\x7c\xba\x22\xc6\xf8\x16\xf2\xdd\x0c\xb9\x7e\xde\xba\xf8\xa0\x6b\x2d\x58\xb6\xc3\x26\xab\xfe\xcd\x4c\xb3\xf1\x6d\xca\xa1\xed\x64\x6d\x37\x0c\x42\x3f\x3b\xee\x86\xa7\xfc\x69\xe8\x66\xf3\x9d\x99\x61\xd7\xa0\x0b\x76\x5e\x52\x11\x05\x82\xc5\x3a\x2a\xe4\xee\x25\x66\xb2\x56\x93\x2f\x09\xae\x18\xf3\x05\x63\x46\x5a\xb2\x29\x22\xd8\xc9\x87\x0d\x4b\x9a\x78\xa3\x5a\xfa\x0c\x3b\x4b\xb3\x1c\x5f\xb1\x5d\xc3\x9a\x09\x54\x1e\x38\x3c\x45\x0b\x3c\xa5\x50\xe2\x10\x0a\x34\x42\xcb\x95\x90\x70\x34\x8e\x6e\x68\xf9\x4b\xb2\xf4\x00\x20\x74\xce\x02\x60\x93\x60\x67\xec\x9e\x6b\xa5\x30\x1d\x25\xda\xce\x8f\xa7\xf3\xb6\x3b\x2c\xbf\x33\x4b\x7e\x37\x43\xae\x55\x2f\xe9\x9f\xb8\xec\x0e\xff\x57\xad\x6e\x87\x3b\xd4\x82\x1e\x57\xdb\x51\xb7\xbf\xf9\xd9\x2e\x8c\x8c\xff\xcd\xf7\x3b\xd8\x1f\xea\xf4\xbd\x31\xed\x81\xfc\x13\xfd\x0f\x07\xc9\xe5\x77\xbf\x39\xb8\x73\xe7\xdd\x66\x96\x5c\xea\x20\x5b\xa2\x46\xeb\x6f\xe8\x68\x03\xa4\xf3\xae\x0c\xfc\x6d\xbc\xa8\x4c\xfd\x25\xf0\xd3\xe1\xfd\xc4\x4f\xcf\x71\x7b\x80\xe1\x0a\x0c\x33\xc9\xc7\x2d\xc8\xa5\x66\xcc\xf0\xb5\x16\x19\xab\xe4\xe1\x98\xff\x60\xb2\x95\xe7\xdc\x30\x86\xa5\x4f\x44\xf4\x48\xf7\x4b\x5e\xd6\x23\x48\x27\xc9\x87\xa3\x43\x20\xf7\xda\x17\x6a\x77\x10\x29\x99\x6a\x42\x30\xfe\x22\xb8\x11\x39\x8e\xa8\x68\xdc\x15\xbb\x0f\x47\x09\xab\xaa\x15\x87\x79\x07\xac\x7a\xe2\xad\x68\x3c\xe5\x29\x3e\xfb\xb4\xd6\x53\x3f\xb4\x23\xd1\xb7\xf8\xb4\xe4\x58\x79\x4a\xc8\x87\x37\x54\x66\xc7\xa9\x91\xb1\x65\x5c\xfa\xa7\xe8\x3f\xe8\x30\x0f\x57\x5e\x4c\xec\xb9\x60\x8f\xe5\xcc\x24\xee\x15\xef\x28\x1f\xa1\x26\x70\x49\x8b\x7e\xfa\xce\x0e\xb2\x5f\x58\xa2\x07\xcd\xbb\xdc\x94\x38\xa3\xec\x37\x67\x11\x2b\x69\x60\xc4\xde\xf1\xcd\x8c\x32\xd9\xbe\x9c\x69\xc3\x64\x7b\x5d\x26\x50\x2c\xae\x5c\x63\x62\x55\xf5\x53\x37\xef\x15\x98\x42\xe9\xf9\xf3\x5c\x94\xcb\x81\x8e\xfb\xbe\x02\x4a\x90\xaa\x9b\xda\x7e\xe3\xac\xd8\xe0\xfa\x84\x67\x2b\x30\x61\x78\x98\x06\x57\x0d\x47\x20\x43\x06\x44\x87\x6b\xfe\x7e\x10\xd1\x3e\x24\x96\x21\xe3\x12\xcb\x07\xf2\x5e\x09\xfc\x28\xa1\x2a\xc1\x56\x7e\xbc\x2c\x1c\x72\xf8\x53\x60\xcf\x8f\x54\xa2\xc8\xdc\x51\xe4\x41\xc6\x45\x39\x59\xf2\x9a\x2d\x89\x73\x45\xc4\xbc\x3c\xc2\x81\xc6\xd9\xa0\x46\xc0\xf8\x3f\xda\x6c\xbe\x2e\x19\x30\x5e\xbe\xd1\x64\xa8\xf8\xac\xf2\x46\x3b\xc2\xc5\xff\x7f\xec\xbd\x0b\x94\x25\x59\x59\x26\xba\xe2\x64\x56\x55\xd6\xee\x87\x74\xc0\xc0\x2c\x70\x60\x1b\xcd\x58\x99\x90\x27\x2a\xb3\xb2\xaa\xba\x3b\x9b\xa6\xc9\xce\xac\xea\x4e\xba\x1e\x49\x66\x56\x37\x74\xd3\x90\x71\xce\xd9\x79\x32\xa8\x38\x11\x87\x88\x38\x95\x75\x9a\xee\xb9\x02\x32\x20\xf2\x94\x77\x31\x88\x30\x5e\xd4\x06\x01\x75\x68\x75\x8d\xa8\x3c\xbc\x3a\xea\x28\x17\x14\xf5\xaa\x80\x20\xea\x20\x73\xf5\xfa\x40\x6d\x07\xbd\x6b\xff\xff\xbf\x77\xec\x1d\x27\x4e\x66\x76\x67\x75\xb7\xcb\xc9\x5e\x0b\x2a\x4f\x3c\x76\xec\xe7\xbf\xff\xfd\x3f\xbe\xef\xa0\xce\x59\xbc\xe4\x00\xec\xba\x35\x09\x3f\xb0\x9f\xbd\xa3\xc6\x5c\xfd\x8c\x36\x21\xbb\xff\xe4\x78\x7f\xe9\x9c\x18\xb8\x6e\xce\x51\xbc\x80\x2e\x6a\x95\x9e\x52\x54\xbe\xc8\xf5\x5c\x24\x83\x8b\x46\xc9\x80\xe5\x8e\x36\x60\xf5\x85\xe2\x03\x2d\xc3\x8c\x9e\x2b\xec\x8f\xe2\x73\x04\x11\xdf\x48\x7a\x71\x8b\x2f\xdd\x31\xff\xb0\x60\xbb\xdb\xaa\x76\x06\x52\x36\xfa\xe6\xeb\x41\xbd\x9b\xb4\x4a\xda\x19\xc2\xd4\xbf\xc2\x8b\x41\xdb\xa6\x96\x97\x87\x07\x35\xc8\x47\xab\x16\x9f\x37\x75\xc4\x5f\x72\xbc\x07\x9d\x2d\xa1\xe9\x07\x2a\x87\x1a\xbb\x02\xd4\xc7\xb4\x4e\x45\x45\xc8\xbb\x22\x25\xdf\x64\xe6\x0f\x42\xe2\x5f\xe6\x36\x19\x2a\xe7\x87\x1d\x56\x4c\x4b\xf7\x7d\x8e\xf7\x66\x7b\xa6\xa9\xae\xd6\x36\x1c\x90\x88\x30\xd1\xd4\xd1\xb3\x68\xa8\x62\x8e\x79\xd4\x86\xe0\x8d\x57\xb3\x53\x85\x28\x28\x1c\x46\x75\x29\x4c\x31\x87\x4f\x8b\x56\xeb\x81\x21\x4e\x5e\xf7\xe7\xae\xf2\xee\xac\xb8\x5e\x2c\xa2\x7c\x43\xd8\x80\xdb\x09\xef\x04\x10\xef\xb1\x7a\x6a\x45\x3e\x16\x93\xad\x54\x1b\xca\x95\x53\xc3\x5a\xdc\xbf\x75\x25\xfb\xab\x31\x36\xd2\x4b\x23\xf7\x1b\x63\xde\x1f\x8c\xf5\xd2\xc8\xc0\x09\x8b\x12\x9b\xcd\x53\x87\xc5\x84\x71\x21\xe0\xcf\x2d\x9f\x42\xb9\x3f\xbe\x06\xf6\x4e\x31\x7b\xf8\xb0\x3c\x89\xcc\x4a\x41\x74\x58\xce\xfc\xb5\x09\x1f\x7d\xbc\x05\x2e\xfa\x5a\x2f\x8d\xf0\xd8\x93\x21\x69\xf2\x5a\xc1\xee\xad\xa1\xd1\x19\x5b\xdd\x10\x7c\x4d\x16\xb6\x66\x43\x91\x12\x9e\x40\xc0\xe9\x6d\x9d\x87\x6c\xe3\xa4\xde\x08\x11\x7f\xf2\x42\xf1\x19\x92\x30\xe8\x94\xc0\x68\x0d\xe4\x8e\x0e\xdb\x1b\x14\xf5\x90\x01\x52\x18\xf8\x29\x35\x51\xf2\xc2\x99\x15\x68\x75\x22\xb7\x73\x35\xa8\x19\x1f\xc7\xc8\x2e\x00\xc3\x2b\x06\x7b\x4d\x05\x51\x50\x59\x3c\x8c\xeb\xca\xff\x24\x0b\x0a\xb2\x52\xec\x51\xc0\xa3\xa0\x2f\xd0\xe2\x19\x26\x11\x74\xfa\x84\xaf\x9a\xae\xc3\x7a\xe5\x93\x31\x5f\x5c\x92\x1b\x21\xc0\x3d\x31\xb6\x04\xc4\xee\xb2\x5b\x68\xf6\x23\xad\xfc\x9a\x1c\xba\x08\x5f\x97\xbd\x3c\x7d\xe4\x3a\x7f\xca\x9f\xf2\xa7\xd7\x10\xf1\x88\x4a\x0e\x33\x9e\x86\xd9\xf9\x3e\xef\xc5\x00\x1c\x21\xb5\xdb\x5c\x4e\xa3\xb6\x9c\xe8\x10\xbe\x52\x78\xbd\x8c\x10\xe6\x24\x06\xa5\x0b\x28\x99\x49\xcd\x93\xcf\xc8\x2d\x5a\xf5\x81\x72\x01\x40\xb7\xaa\x58\x5e\x98\xa2\x46\xac\xa1\x19\x05\xbb\xd2\x83\x60\x02\xc0\xfc\x46\x7d\x35\x0a\xcf\x8b\xa8\x4f\xf2\x29\x4e\xe2\xba\x9c\x51\x52\xad\x47\x1d\x7e\x12\x26\x83\x08\x32\x78\x24\xef\xa5\x31\xef\x75\x31\x9e\x05\xb2\x8e\x08\x2b\x17\x67\x11\x4e\x4d\x3d\xc9\x3c\x58\xfd\xde\x8d\x98\x3f\xba\x7c\x4a\xdd\x68\x87\xb4\x62\x3c\x25\x1e\x20\x83\x0f\x4d\x03\x06\xb6\x11\x45\x86\x41\x8c\x2a\xb8\x7a\x29\x08\x3a\x88\xfb\xca\x74\xad\x24\xa7\x3c\x86\x40\xa5\xce\x2d\x9f\xf2\xf9\x8b\x08\xd0\x4a\x4d\x4c\x45\xc0\x21\xf5\x1c\xe8\xbf\xb4\x11\xe6\xa9\x3c\x4b\x28\xe8\xbe\x52\x44\xda\xba\x79\x18\x0c\x8a\x30\x1e\xad\x7e\xca\xfa\xe6\xb9\xdc\x3f\xe9\x75\xf9\xa9\x00\x59\x24\x92\x94\x37\x82\x2c\x6c\x42\x1e\x3a\x41\x57\xc9\x1b\xb3\xf2\xf3\x9b\x49\xda\x7a\x9e\xa7\x7d\x96\x94\x8d\xc6\x4f\xa6\x41\x1b\x1d\xf9\xe3\xde\xb5\xbe\xef\x7b\x13\xd0\x76\x3c\x70\x14\xc8\x4d\x7c\xdc\xbb\x99\xee\xa6\xc2\x2c\x61\x92\xc2\xe4\x2c\xcb\xd6\x67\x1c\x36\xd6\x0c\x6e\xe9\xc5\x2d\x79\x9c\x74\xdc\xd1\x46\x3f\x17\xde\x07\x1d\x75\x0d\x0f\xaa\x4b\x27\x4e\x73\xa5\x5a\xce\xcf\xf1\x06\xde\xc2\x89\x55\xd6\xce\x8c\xc4\x72\xdd\x5b\x87\xb4\x3a\x68\x66\x03\x52\x92\x9a\x12\x33\x93\x0a\x89\x22\x4f\xe5\x1c\x48\x93\x24\xcf\x54\xdc\x74\x31\x9b\xe1\x40\x9f\x95\xec\x73\xef\x54\xb8\x2d\x4d\xe1\xbe\xbe\xc6\xee\x1c\xa6\x60\x3f\xcc\x0d\x81\x78\xe4\x0b\xf4\xae\x8f\x3a\x4a\xce\x11\x52\x74\x89\xc7\x44\xdd\x1d\x0c\x2d\x3f\x81\x11\x8a\xea\x81\x24\xe5\x52\xc2\x57\x89\xda\xc5\x81\xe8\x3d\x25\x53\xe5\x7a\xb0\xe5\x2a\xe8\x65\x31\x48\x0b\x12\xcb\x72\x8e\x69\x19\xeb\xb3\x87\x6a\xec\x8e\x47\xda\x7c\x82\xa6\x07\x50\xb2\x65\x72\xf1\xdc\xa1\xe3\xa7\xdd\xf7\xd7\xbc\xd3\xc3\x6e\xda\x19\x5a\x46\xd0\x75\x47\xe4\x1b\xf2\x80\x28\x3b\xc8\x7e\xb9\x04\x99\xf7\x29\x87\xfd\xbc\xc3\xbe\x23\xe9\x8a\x78\x6e\x69\xf1\x8e\x19\xb4\xe6\xbb\x0f\x38\xec\xee\xcb\x33\xb8\xd8\xba\xe7\xaf\x9c\x3d\x83\x45\x2f\xa5\x49\x37\xf3\x6e\x2f\x7d\x50\x69\x37\x67\xf1\x32\xbf\x30\xa3\x3c\x93\x2a\x8a\x3d\x49\xcd\xf6\xc9\x05\xd9\x4d\x7b\x31\x78\x58\x2f\x3d\xc1\x64\x1e\xdd\xe2\x70\x37\xb7\xb4\xa8\xba\xc1\xfd\xfa\x77\x78\xcf\x37\x7e\x97\x72\x17\xd4\x71\xd3\x88\x14\x92\x9f\x54\x21\x20\x78\x54\xd3\x0a\x78\xcb\xc8\xb6\x91\xbb\x51\x2f\x0a\xd2\x33\xf0\x93\x15\xcf\x68\xd2\x8f\x7d\x17\x44\xda\xb0\xbd\xb7\xbf\x7b\x35\xdb\x60\x0c\x90\x4d\x41\xe9\x77\xef\xf2\x9e\x5b\xfc\xb2\x47\x39\xeb\xb5\xdb\xc8\x19\x8a\x88\xcd\xf0\x85\x32\x73\xe8\x56\xb1\xe9\xbf\x3e\xc2\x5c\xe2\x87\x20\xdf\xf0\x6d\x41\xb6\xe1\x7e\x62\xc4\xfb\x91\x11\xd0\x0e\x82\x6c\xc3\xa6\xd1\xa4\xa7\x95\x97\x69\xd2\xf4\x21\x2b\xbf\x31\xf5\x12\xc6\x0e\x17\x21\x42\x60\xbf\xdd\x4c\xc3\x3c\x17\x3a\x0e\x1f\xc8\xc2\x65\x99\xc2\xe7\x77\x58\xc9\x18\x06\x96\xb9\xa2\x9b\xed\x93\xa3\x32\xf3\x39\x68\xf8\x02\xa2\xcc\xf3\x3e\x02\x69\xa4\x61\x26\xb5\x35\x5c\xac\x9a\x0f\x14\x26\x8a\x61\x00\x94\x9b\x77\x77\x23\xd0\x18\x40\xca\x01\x8d\xa9\xb6\xb0\x49\x14\x89\xcc\x16\x32\x2d\xea\x4b\xfa\x90\xd6\x2d\x53\x99\x17\xf2\xd2\x8c\x08\x5e\x19\xe8\x5d\x0b\x7e\x08\x8e\x7b\xe8\x76\xb0\xc0\x8d\x40\xc2\xa7\xa2\x13\x84\x71\x81\x29\x88\x76\x3b\x08\x0a\x6c\xa7\x41\xab\x07\xb8\x0d\xe6\x70\x7e\xd8\x61\x38\xa3\xdc\x0f\x38\xde\xf7\x3a\xf0\x67\x79\xc6\xa8\x2c\x0d\xa9\xb5\x71\x7c\x62\x1c\xc6\x8d\xc2\xca\x32\xde\x16\xf9\x24\xbc\x30\xc9\x37\x83\xbc\xb9\x31\xa9\xe3\xb3\xd1\x03\x3c\xc9\xbb\x78\x19\x43\xb2\xd5\xbf\x45\x8c\xc2\x24\xad\xc9\xe4\x62\x7f\x62\x8b\xc9\x77\x13\x99\x77\x8e\x79\xe3\xa6\x79\xa7\x1b\xf5\xd2\x20\xb2\xac\x3c\xc6\x54\x2e\x5e\x5f\x65\xc6\x8a\x72\x4f\x7a\xd7\x17\xbf\x0c\xa0\x86\xd0\x5a\xb8\xd6\x4a\x85\x70\xf3\x24\xb7\xcd\xfd\x2d\x72\xc9\xbf\xd8\x3b\x7b\xde\xe0\xc7\x81\xbf\x07\x88\x76\x40\x03\xe6\x87\x4e\x26\xc9\xa1\x81\x07\x8d\xaf\x1e\x5a\x4f\x92\x43\x13\x66\xdd\x7f\xb0\xc6\x2c\xe9\xe0\xbe\xb1\xe6\xfd\xb3\x63\x5e\xd1\x46\x26\xba\x56\xdd\x1f\xdc\x42\x20\xa5\xd5\x21\xd7\x16\x61\x95\x52\x5f\x42\x50\x9e\x2a\x08\x57\x53\x44\x99\x50\xe5\x6f\x12\x3c\x77\x9a\x2a\xbc\xee\x02\x2d\x5e\x79\x08\x63\x0d\x33\x0d\x99\xd8\x98\x20\x93\x40\x32\x19\x7d\x02\x86\x9f\x3e\x2d\xd7\x18\xd9\xb7\x75\xf0\x81\x9c\x7b\xcd\x3c\xe2\xf3\xa7\x16\x31\x22\x64\x3d\x28\x0d\xee\xf7\xd5\xd8\x01\x92\x2a\xee\xb7\x1d\xef\x2f\x1c\x9d\xb4\x44\x93\x44\xa7\x47\xa9\x1b\x83\x5d\x73\x02\xac\xa6\x61\x87\xf2\x20\x0d\x39\x65\xe0\xbc\x12\xd8\xa7\x15\x04\x0a\x4e\x07\x33\xe0\x9d\x48\x78\x34\x18\x6b\x60\xc0\xb1\x52\x20\x8b\xa1\x9a\xce\xf2\x0b\xd3\x7c\x7c\x73\x03\xa8\xe6\x20\x91\x80\x17\x69\x8a\x03\x55\x48\x8b\x3a\x1f\xca\xd0\xbf\x3f\x61\x43\x74\xdc\xcf\x98\x9c\xcb\xed\x04\x50\xc5\x13\x6f\xa5\xf8\x65\x2f\xee\x5c\x51\x42\x19\x31\x7e\x59\x49\x28\x37\x44\x94\xc4\x6d\x98\x23\x34\x7b\x83\x28\x3a\xb4\xd5\x32\xfd\x65\x87\xed\x83\x52\xdd\x4f\x3a\xde\xc7\x9c\xb6\x49\x40\x55\x0c\x03\x85\xc5\xee\x60\x10\xac\x27\x87\x0d\x81\xbf\xeb\x31\x58\x69\x06\x51\x89\x4c\xf3\xfd\xfb\x4d\xf8\x9b\x9d\x5a\x7e\xc9\x3b\x2d\x8f\x01\xee\x1f\xee\xf3\x2e\xce\x95\x6d\xb9\x69\xf1\x00\xc5\xef\xa8\x3b\xb6\xed\x0f\xe3\x99\xe4\xc1\xe5\xbc\xe8\xa3\x8c\xd4\x79\x11\xea\x61\x04\xde\x27\x51\x22\xfa\xf0\x10\xc5\x41\x5d\x72\x46\xce\x8b\xfe\x25\x67\x4c\xbd\x61\xa9\x0d\x9f\x19\x65\x97\x1c\x26\x9f\x70\x7f\xc0\xf1\x8e\xc8\x77\x75\x34\x84\xac\xad\xbc\xa0\xdd\xc9\x45\x00\x60\x91\x24\x6c\x31\xc7\xec\x9c\x14\xea\xbb\xb7\x21\x85\xda\xef\x8e\x9e\x17\x7d\xc6\xde\xe4\x30\x5d\x71\xf7\x95\x8e\x97\xeb\x76\xa7\xa6\x39\xf8\xbc\xe8\x1f\xca\xb0\x17\xa4\xd2\xb8\x11\x76\x95\xad\x43\xa9\xb5\x10\x12\x06\x6a\xaf\xee\x3a\xca\x72\x8b\x27\x39\x84\x6e\x4e\xf2\x13\x17\x43\x79\x38\x07\xbc\x93\x44\x64\x67\x92\x1c\xae\x58\x93\xe1\x07\x6a\x6c\x3f\x16\xe7\xbe\xb6\xe6\x7d\xc3\xa1\x78\x7d\xd2\x11\xe4\x4a\x80\xfd\xd2\x08\xc5\x32\x22\x6c\x55\xdd\xc3\x8c\x2f\x42\xb6\x2c\x7d\x58\xab\x1e\x19\x15\xa1\xb4\x19\x79\x82\x27\x1a\xc5\x8a\x32\xa8\xbe\x49\x6a\x55\x77\x8b\xe2\xa8\x28\x14\xfe\x70\x07\x03\xf6\x22\xd8\xd7\x5a\xbd\x14\x71\xe9\x68\xc0\xc0\x01\x90\xb6\x05\xee\xdb\x5b\xe9\x83\x9f\xa8\xb1\xe3\x25\x24\xaa\x24\x55\x59\x74\x4a\x81\x3f\x93\xc4\x4a\x55\x9e\x53\xb9\xc7\x99\xfb\x90\xe3\xbd\xa2\xf2\x4e\xa1\x58\xe4\x04\x02\xa7\x8b\x2c\x72\x97\x33\xc3\x6f\xb9\x0e\xfb\x72\xac\xd1\x20\xcc\x78\x34\x28\x63\x8e\xca\x80\x0c\x1e\xda\x3d\xac\xc5\x90\xb0\xeb\xc9\x38\x3d\xe5\x5d\x6b\x1a\xa7\xcf\x2d\x9f\x42\xab\x83\x4d\xba\x6f\x76\xc1\x0c\x1b\x95\x5a\x91\xfb\x6c\xef\xe9\x77\x88\xb4\x61\x84\xc7\xa0\xc9\xef\xb6\xd5\xd5\x25\xd0\x9b\xcc\x97\x3e\x3e\xca\x5e\xf8\x88\x8f\xbc\xf6\xa1\x6c\xa5\x90\x79\x84\xe9\xf7\x85\x11\xef\x97\x46\xb6\x79\xa8\x9c\x0b\x03\x1f\x35\xe3\x7a\x0c\x51\x5a\x79\x12\xe4\x05\x54\xa0\x5e\x90\x85\x6e\xbb\xe6\xab\x68\x21\x79\x7a\x23\x8b\x10\x6e\x6d\x08\xea\x65\x95\xe6\x1b\x9e\xac\x67\x71\x71\xb1\x9b\x64\x90\x69\x51\x81\x6a\x54\xc4\x30\x95\x80\xb8\x9f\xc5\x97\xce\xad\x0e\x8c\x7c\x55\x09\x39\x9a\x7e\xcb\x05\xe0\x5c\x20\x5b\x15\x26\xc0\xa2\x8e\x4f\xa1\x5e\x18\x93\x5b\xe0\xc9\x16\x3d\x95\x07\xf1\xbd\x01\x56\xe0\xf0\xd2\xd9\x95\xd5\xc3\x4b\x73\xab\xf3\xb7\x0d\xd4\xa5\xfc\xc1\xc1\x8f\x0c\x14\x6a\x22\x3c\x7e\x8e\x59\x40\xf9\x55\x1e\xd7\xdb\x96\xe6\x56\xf0\x12\xe4\xeb\xb9\xef\x63\xde\xdb\x47\x4a\x17\x75\x86\xb4\xca\x33\xc0\x7b\x85\x8f\x79\x1d\x52\x14\x05\x6f\x85\x29\x6a\xe7\xa0\xf7\x65\x82\xe3\xeb\xa0\x9f\xc1\x2e\xd0\xa2\x80\x81\x66\x10\x35\xe5\xc9\x46\x96\xb2\x20\xb2\x30\x15\xad\x65\xd1\x8d\xc2\x66\x40\x7e\x6c\xe5\x4c\x54\x43\x77\xdb\xd2\x1c\x94\xd9\x87\xe0\x00\xa0\xe3\xb2\xaa\x72\x41\x44\x49\x53\x1e\xd3\xec\xb8\x00\x75\x1b\x5c\xdd\xa1\xc8\x8c\x32\x54\x80\xc1\x7a\x14\x74\xbb\xd0\x1a\xeb\x4d\xea\xd7\x46\x18\x29\x39\xb2\x19\xc6\xad\x64\x73\x92\x67\x49\xb1\xc9\x15\x94\x54\xa9\xaa\x3e\x99\xf7\xe4\x66\x82\x8c\x2e\x79\xd4\x9f\x54\xf6\x70\x42\x59\x0a\xd6\x45\xa6\x80\x01\xb4\xc2\x5a\xf5\x35\x04\x68\x4a\x32\x11\xdb\x66\x94\xbf\xdb\x2f\x8f\xd5\x4f\xb5\x5e\xb9\x13\xde\x50\xb0\x09\x3f\x3e\xa2\x60\x13\xde\x35\xb2\x32\xf4\x31\xed\x4a\xd4\xed\x20\xdc\x01\xe8\x78\x34\x04\x76\x03\x22\x05\xe9\x74\x44\xdc\xa2\xe4\xcd\x22\x17\xdb\xc8\x63\x45\x75\x54\xf5\x39\x66\x30\xa9\x5f\x2d\x08\xe5\xdb\xa2\x26\x6a\xdb\x01\xcb\xb8\xe2\x9a\x96\xca\x96\x3c\x80\xcb\x99\x7e\xaf\x48\x13\x58\x69\x60\x49\x1f\xb8\x3d\x73\x7c\x6a\x8a\x8f\xcb\x59\xb8\x91\xf4\xd2\x09\xc2\x16\xc8\x51\x42\x28\x6b\xb0\xe2\xf7\xc5\x0d\x6f\x96\xd7\x51\x05\x94\x6a\x1c\xef\x75\x67\xf9\x14\x1f\x87\xe8\x95\x38\x29\x0d\x47\x98\xf1\x56\x12\x8b\x09\xdf\x7a\x45\x36\x6a\x96\xcf\x4c\xa9\xd7\xb6\x1a\x46\xf9\x94\xea\x5c\xa9\x1e\x4f\xd8\xd0\x0e\x6f\xad\xb1\x31\x35\x4b\xdd\xef\xad\x79\x3f\xe5\xa8\x5f\xb6\xfe\xdd\x4d\x80\x81\x2e\x88\xec\xb9\x2d\xb2\x22\xbb\x54\x5b\x6d\x69\x8f\x56\x4b\x9e\xcf\xa9\xc0\x1f\xd9\x4b\x14\x7b\x38\x60\xaa\x9c\xe4\x10\xa0\xba\x19\x52\x97\x95\x65\x81\xb2\x0b\xb7\xc2\xac\x19\xa4\x2d\xc5\x04\x07\x36\x10\x73\xd7\x9f\x63\x37\x0f\x0f\x62\xda\x46\x14\x61\x9e\x24\x7b\xab\xc3\xae\x44\x35\x92\x32\x29\xbf\xc7\xf1\x32\xf3\x82\x99\x2c\xa9\x20\x59\x68\xd2\xe2\xfd\x62\x9a\x82\x6d\xd9\x9a\x13\x03\xf3\x81\x9f\x0e\x2e\x62\xb9\xa8\x96\xab\xd2\x6d\xe2\xb7\x7d\xec\x68\x15\x47\x36\x64\x3d\xe9\xad\xb3\x42\xad\x7f\xcf\x3e\xef\x2d\xce\x1c\xa5\x47\x15\x7a\xc7\x2e\x34\x7c\x28\x8a\x88\xab\xb7\x55\xf4\x8b\x87\x6d\x7d\xff\x20\xdc\x40\xeb\x61\xb5\xd6\xff\x95\x11\x88\x92\xd4\x8a\xf5\xa6\xf7\x32\x2b\xba\x02\x0a\xb8\x6c\x0a\xf5\xe4\x70\x6d\xfa\x34\x2b\x2a\xeb\x3e\xcf\x9b\x29\xe3\x46\x60\x13\x77\x7a\x00\x61\xaf\x2b\x94\xf3\x6f\x3b\xde\x57\x9c\xb9\xff\x7d\x55\xf2\x5f\xbc\x8a\xdd\xf9\x28\xa8\x96\x52\x46\xba\x7f\x7c\xa5\xf7\x92\xad\x1f\xd9\x42\xaf\x84\xdb\xdb\xa9\x95\x97\x9c\x27\xc8\xc5\xaf\x14\x08\xa9\x8b\x5f\x72\x5c\x54\x8a\xcc\x8b\xd6\xac\xfe\xef\x57\xb0\x3f\xda\xc7\xae\x89\xcc\x53\x38\x44\x79\xff\xda\x3e\xef\x93\xfb\x06\x2e\x5b\x31\x67\xd5\xfa\x69\x59\x57\xa3\x65\x9b\xa6\x22\xeb\x82\xd4\xcf\x13\x34\x18\x70\x0a\x8b\xf7\xd5\x0c\x5d\x23\x5b\xb3\x2e\x37\xd3\x58\x00\x70\x9c\x81\x91\x8e\x13\x4a\x92\x32\xac\x5d\x3e\x3f\x4d\x33\x23\xc0\x97\xa1\xaa\x40\x51\x66\xa8\xd3\x09\xfc\xe8\x8a\xe6\x5a\xf1\x3c\x85\x38\x6f\x26\x29\x81\x34\xdd\x26\x0f\x3b\x52\xc6\x44\x4b\x49\x6b\x8e\xa4\x33\xb2\xce\x28\x83\x34\xc4\x81\x28\x7d\x3d\xcc\x8c\x6e\xe8\xe8\x5a\xd0\xc2\xc1\x17\xc6\xc1\x4b\xa9\x89\xf8\x8a\xa8\x47\x80\x5f\x9f\x50\x3b\x56\x01\xab\x9b\x89\x34\x0c\x22\x48\xcc\x2a\xd9\x3f\x20\x20\x02\x8b\x4e\xd2\xce\x4e\x91\x00\xf3\x20\x3b\x9f\x1d\x0e\x9a\x4d\x91\x65\xa6\x01\x21\xe8\x86\x87\x71\xb8\x0a\x38\xc0\xf2\x85\xba\xb1\x73\x5d\x0b\x9d\x51\x37\x27\x22\x2e\xe7\x94\x52\x50\x69\x03\xc1\x9e\x2f\x62\xee\x68\x8e\x54\xa9\xf2\x93\x14\x36\x51\x9a\x09\x1a\x8e\x1f\x6f\x1f\x86\x0f\xaf\x59\x4b\x00\x36\xe0\x56\x55\x8e\x20\xb1\x66\x9a\x2b\xfb\x6b\x35\x36\xb0\x38\xdc\xdf\xa8\x79\xbf\x58\x2b\x5f\xbd\xcc\x33\xbc\x2b\x9a\xbe\xd2\x89\x1f\xad\xf9\x8d\x53\xfa\x32\x8d\xc4\xd0\xae\x46\xb8\x72\x08\x91\x05\x58\xee\x24\xe6\xb7\x9e\x58\xb5\x7a\xf9\x7b\xc0\xc5\x55\x96\x37\xee\xff\xa8\x79\xbf\x5f\x1b\xbc\xfe\xa8\xc8\x92\x47\xbb\xaf\x51\x96\x5c\xb6\xde\x2e\xd7\xfa\x11\xcc\xfb\x29\x6b\x08\xbe\x39\x6a\xd1\x5a\x6d\x83\x6f\xee\x7e\x72\xd4\xbb\x4b\xc3\x9a\x23\xd9\x7f\x39\xe2\xab\xc0\xef\x86\xd0\x8e\x58\x88\x16\x61\x20\x6b\x08\x3f\x75\xd3\x87\x62\x4a\x5e\x06\xb5\xd3\x7c\x7e\x84\xc5\x6c\x1f\x10\x71\xb9\xc2\xbb\x61\x2e\xee\x9b\x71\xb6\xe6\x17\x35\x94\x7a\x15\x99\x81\xff\x80\xf3\x9d\xec\xa9\xc3\x37\x71\xf3\xdc\xff\x02\xb6\x1f\x2c\xe0\x99\x7b\xab\xf7\x6c\xa5\x26\x81\xd3\x16\x2f\x13\x53\x07\x41\xbc\x03\x3f\x98\xd4\xd4\xb6\x52\x11\x3e\xea\xb0\x91\x5e\xd8\x72\x3f\xe4\x78\xef\x76\xe6\x28\x73\x8c\x46\x0d\xd9\x6a\x54\x80\x8c\x59\x7a\xd0\x4c\x13\x79\x58\x03\xf6\x6b\x15\x83\xaa\xbe\x8b\x2e\xbd\x16\xe9\xae\x88\x22\x00\xf7\x4c\xe6\x3a\xe5\xb5\x03\x44\x63\x98\x3c\x7d\x9c\x09\x25\xc6\xba\x73\x8b\x0b\xb6\x9f\xf2\xc5\x6c\x4c\x16\x06\xde\xbf\x25\x6f\x5e\x2b\x8b\x18\xc4\x05\xd5\x8f\xfa\x43\x6a\xdd\x49\x28\x56\x3e\x68\xe6\xe1\x05\x1c\x63\xbb\xf4\xff\x35\x62\x83\x71\x9a\xc7\x19\x48\xbe\xcd\x32\x72\xc7\x96\x58\x2e\xdd\x4f\x8f\x78\x8d\x2d\xee\x17\xdb\xa1\x88\x93\x5e\x7b\xa3\x1c\x84\x18\x89\x1c\xe2\x42\xa8\xe2\x7d\x32\x31\x92\x87\x44\x3b\x45\xb4\xf7\x7f\x30\xe8\xfd\x53\x35\xf6\x6e\x87\x3c\x90\x6f\x76\xbc\x57\x3a\x90\x14\xac\x8d\x95\xd8\x9f\x37\x3e\x86\x29\xb7\x9e\x9d\xad\x88\x0e\xdb\x96\x77\xe7\x19\xcb\x1b\x39\xa4\x5e\xd5\x1b\xbf\x1c\xb0\x7a\xbb\x17\xb6\xc4\x61\x83\x2b\xe4\x5a\x58\x06\xe6\xd7\x8e\x5b\x29\xec\xe3\xde\xd3\x20\x18\xa4\xec\xed\xc3\x4f\x5b\x18\x22\x07\x98\x67\x0e\x7f\xb7\x8b\x81\x45\x79\x90\x8b\xf5\x5e\xb4\x22\x80\xb3\xde\xfd\xc4\x01\x6f\xaa\x74\xad\x2a\xd7\xde\x78\x64\x48\xba\xfd\x5b\xf6\xef\xa5\xdb\xef\x36\xdd\xfe\xa4\x4a\xb7\xbf\xc9\x14\x73\x53\xcc\xdf\x82\x41\xb9\x62\x60\xf7\x32\xea\x77\x91\x51\xbf\x68\x24\xd4\x3f\x1c\x22\xa3\xc1\x7c\xfa\x87\x9c\x17\x6d\x9f\xce\x7e\xdc\x3d\xaa\xd3\xd9\xe5\x50\xea\x6c\xf6\xd2\xa2\x2c\x67\xb4\x7f\xed\x2a\x0b\x43\x83\xe2\x91\x40\xb2\xaf\x2c\x2e\xa4\xe1\x05\x91\xba\xbf\x70\x95\xf7\x1b\x35\xfd\x93\x37\x83\x6e\x0e\x06\xf2\x41\x15\x22\xe0\xf3\x0a\x69\x5c\x85\xea\xf0\x45\xa5\x2b\xf0\xf1\xf9\x95\xc5\x09\x95\x2a\xd0\xc2\xc2\x10\x3e\xa9\x80\x97\x55\xa1\xb6\x26\x7d\x4d\x90\xe7\x41\x13\xd9\x46\xe8\x10\x45\x1c\xa0\xbd\x4c\x6d\x66\x89\x46\x13\x6d\x09\xa4\xd0\x12\x3a\xa4\x8c\x5e\x0f\x33\x65\x78\x6a\x61\xe9\x72\x7f\xd9\x59\x09\xdd\xa4\x65\x35\x56\x2a\x48\x19\x05\x13\x53\x56\x51\x12\x63\xda\x83\xcf\x8b\x8e\x52\xf0\x33\x18\xc5\x1a\xd7\xed\xa8\x36\xa9\xd3\x5b\x92\xef\xef\x0f\xee\x49\xbe\xdd\x4a\xbe\x3d\x89\xf5\xc8\x25\xd6\x7b\x46\x0d\x91\xf5\x86\xd1\x9d\xe6\xe5\x5a\x32\x0b\x55\x3c\x40\x01\xf9\xd5\x11\x0d\x03\xa2\x00\xbc\x34\x10\x88\xfe\x0b\xe3\xa4\x0c\xf6\x27\xdb\xce\x39\xbf\xb2\xa8\x04\x45\x41\x16\xa8\x87\x86\x08\xa7\x6f\xe4\x61\x8e\x88\xe3\x0d\x51\xd2\xa6\x35\xe1\x17\xe9\xd9\xb2\xbc\x5b\x45\xbe\x04\xe8\x92\xf2\xdb\xe3\x13\x08\x76\xad\xb1\xc6\xf0\x6b\x68\x0b\xa2\x2f\x43\x49\xca\xee\x73\x7c\xc6\x24\x6f\x4e\x52\x70\xd1\x4c\x62\xb8\x3f\xd2\xd7\xc5\x2d\x39\x13\x74\x06\xb4\x0a\x91\x8c\x7b\x1d\x91\x86\xcd\xe2\x6d\x3e\x7e\x77\x50\xbf\x77\xaa\x7e\xc3\x5c\xfd\xae\x7b\x26\x88\x50\x09\xd1\x05\xc6\xeb\x13\x93\xbc\x95\xe4\x19\x1f\xf7\x27\xc8\xe2\x6d\x94\x91\x29\x68\xed\xc7\x0c\x51\x85\xdd\xc3\x40\x5e\xb9\xe7\xd8\xf4\x50\x0d\xa2\x6a\xef\x58\xe9\x8a\xa6\xc7\x57\x28\x71\xd2\xca\x00\x92\x63\x81\x0f\xf9\x0f\x39\xf7\x6c\xbf\xc3\xcd\xba\xd7\xeb\x1d\x4e\x7d\x0a\xdb\x59\x20\xb7\xa8\xcf\x96\x77\xb9\x4f\x5e\xc9\xea\x46\x4d\x2b\xc2\xa8\x6f\x5b\x5d\x5d\x22\xe6\x6b\x30\x68\x7c\xff\x95\x5e\x52\xba\x56\x60\x86\xe1\x41\x32\xdf\x50\xd0\x0e\x8d\xa0\x79\x5e\xc4\xb0\x8c\x09\xc0\xb2\x97\x46\x15\xb8\x09\xb0\x13\xac\x27\xe9\x26\x7a\x93\x48\xc4\xaa\xb7\x2f\x39\x07\xe8\x4f\x6b\x5b\x78\xe5\x15\xec\x87\x1d\xa6\x6e\xb9\xef\x76\xd8\xec\xd0\x21\xa8\x68\x18\x35\xe0\x16\x7c\xdd\xbb\x8b\xfe\xb0\xf6\x12\x9d\x05\xd0\xd2\xe1\xfd\x85\x30\x4b\xc8\x78\x29\x1f\x24\x1e\x4e\xed\x19\x33\xdb\xe2\xb3\x1f\xac\x51\x98\xc8\x3b\x6a\xde\x6b\x6b\x2a\x50\x04\x91\xbb\x6c\xae\x3a\x15\x34\x12\xc4\x03\x98\x9f\x3e\x9f\x47\xf6\x1d\x79\x64\x05\x34\x62\x75\x4e\x34\x17\x5e\x2b\xcc\x06\xc2\x20\x8b\xb9\x1b\x44\xdc\x93\x9f\xf0\xd4\x71\x1f\x53\x66\x78\xa0\x02\x3b\x40\x20\x2c\x9f\x9c\xe7\x33\x37\x5c\x7f\xdc\x07\xfb\x4f\x36\x90\xb7\x13\xf0\x43\x87\x0f\x15\xb9\xbd\x85\xd7\x10\x92\xc4\xe1\x15\xf8\xf6\x00\x6a\x29\x65\xc8\x43\xb3\x6d\x0a\xa6\x03\x6c\x4c\xbe\xb8\xda\xef\x0a\xf7\xc7\x0e\x78\xef\x3d\xb0\x44\xbf\x0a\xa5\x43\x59\x67\x88\x69\xd4\x5a\x32\xd0\xa5\x6a\x56\x61\xb5\xe1\x65\xf2\x84\x1a\xf0\xf2\x88\x43\x57\x38\x76\x66\xf9\xb3\x14\x36\xea\x69\x03\x46\x51\x07\xf0\x10\x2a\xaa\xcf\x9f\xc5\x11\xdc\xa3\x78\x4e\xa3\x34\x06\xc5\xe3\x84\x6c\x92\x75\xa3\x30\x97\x5d\x09\x1d\x75\xba\x00\x58\x64\x1c\x7c\xc8\xf8\x16\x7e\x80\xec\x48\x8d\x7e\xf1\x67\x90\x85\x40\x08\x69\x3d\x40\x62\x1d\xbd\xf5\x8c\x6b\x6f\x30\x01\xcb\x91\xd9\x0c\x5e\xd1\x9f\x97\x57\x0e\x1d\x3e\xc4\x33\xd1\x0d\xc0\xe5\x24\x4b\xd5\xf0\xa4\x19\x0f\x18\x27\xd4\x52\xc0\x9f\x81\x16\x00\xe8\xf6\x05\x48\x3c\xa2\x28\x35\xaa\x41\x1d\xfc\xc1\xd4\xc2\x64\x9d\xab\xe0\x4a\xc6\x75\x91\x98\x83\x7b\x46\x27\xca\x85\x06\x6f\x93\x6a\x07\x0d\x84\xca\xf6\x0a\xa4\x2a\x40\xd3\x80\x5b\x44\x4f\xea\x85\x30\xb6\xca\x57\x59\xeb\xe8\x58\xc0\xda\x63\x88\xa9\x82\x82\x51\x8d\x12\x99\xbe\x74\xb8\x11\xdc\x8b\x08\xb3\x1a\xc7\x06\xdf\x54\x0f\x34\x82\x7b\x27\x7c\xf6\x2c\xbe\xa8\x0c\x7b\x30\xbf\x94\x7c\x9e\x45\x65\x7d\xeb\x79\x07\xbe\xe2\x2e\xcf\xa5\xd8\x95\x37\x49\xc0\xcc\x47\x41\x96\xf9\xa5\x82\x11\xb1\x15\x72\x0f\x70\xef\x0e\xd0\xf7\x01\xc3\x24\xf4\x04\x96\x3d\x92\xd2\x63\x61\x5e\xf0\x54\x63\xc6\x9e\x42\x9b\x49\x71\x06\x53\x9e\x9b\xd4\x61\x7c\x56\xfe\x1c\x02\xcf\xa0\x96\x0f\x0e\x36\x4a\x62\x57\x4b\x96\xde\xb3\xd2\x8f\xab\xfb\xc2\x5a\xb8\x3f\xcc\x2c\xa6\xc7\x2a\xdc\xaf\xa5\x34\x4c\xd2\x30\xef\x9f\x92\x9b\xab\x85\x0f\x0d\xf6\x91\xaf\x1e\xf4\xce\x6e\xfd\x88\x1d\xfc\x30\xfc\x59\x0d\x37\x5d\x69\x3e\xf9\xff\x0e\xb0\xaf\x9a\x58\x6e\xbf\xbd\x4b\x2c\xb7\x77\x38\x6b\xaa\xac\xb5\x81\xe0\x3d\xfc\xe8\xa1\xec\xb1\x87\x78\xdb\x3b\x29\xed\xf6\xa4\xf4\x06\x4d\x4b\xf6\x2a\xc7\x1b\x5f\x83\x3f\xd7\xec\x39\x48\xe2\xa8\xde\xc5\xb9\x18\x0a\x1b\x9e\xf1\x76\xb6\xc8\x6e\x1d\xaa\x8a\x3c\xbc\x35\xb2\x77\x70\x7b\xe4\x07\xb7\x87\x9c\xd7\x38\xdb\xab\xcf\x0d\x77\x4d\xab\xcf\xe6\xd8\x14\x71\x0f\x25\x65\x7a\x6b\x69\x65\x6b\xd8\x30\xbc\x8c\xbd\xa5\xc6\xc6\x2b\x22\x86\xb4\x4d\x08\x6c\x51\x77\x06\x21\xb0\xe7\x7f\xcd\xf1\xae\xaf\xbc\x83\x03\xbf\x49\x3f\x90\x4f\x00\x5d\x85\xea\x69\xdb\xeb\x74\xc9\x61\x67\x0b\x84\xc1\x05\xef\xba\xd3\x84\x21\x98\x8a\x76\x80\x64\xf1\x9b\x1b\x7d\x33\x3f\x02\x9d\x32\x72\x28\xfb\x22\x57\xc9\xa9\x96\xc0\xbf\x55\x23\x09\xde\xe4\x4d\x8d\x03\x39\xed\x84\xc2\x09\x7c\x58\x05\xfd\xd7\xab\xd8\xb5\x15\x5d\x52\x06\x74\x71\xdf\x76\x95\xf7\x13\x4e\xf9\x2a\x1f\x5f\xba\x63\x42\xad\x03\xb4\xa6\xe9\xc9\x0e\x1e\x34\x92\x6b\x8d\xbe\x22\x36\x8b\x11\xf3\x1f\x80\xb1\x09\xb3\x3a\x88\x92\x76\x42\x88\x8c\x1c\xc8\xe2\x1f\x2e\xb9\x20\x7d\xfb\x70\x57\x57\xaf\x4e\xc8\x16\xd6\x38\xfc\x2d\xdb\x93\xca\x7b\xf6\xab\xc7\xcf\x7e\xf5\x79\x53\xef\xf9\x25\x67\xb7\xf6\xab\x57\x3b\x2b\xff\x02\xf4\x9c\xd7\xd7\xc8\xf2\xf2\xca\x1a\x3b\xb6\x2d\x55\xe7\x00\x4e\x54\x57\x34\xbd\x5f\x76\x00\x27\x51\x2d\x3e\x4d\x78\x51\x98\x63\x0a\xaa\xb0\x58\xe3\x62\x26\x9b\x86\xdd\x4c\x5b\xe5\x97\xb6\x93\x3a\x97\x4d\xb4\x5c\x3b\x78\x89\xbd\xad\xa6\x21\x57\x5f\xb7\x05\x6d\xf1\xf0\xee\x80\x77\xbd\x5f\x77\x28\x3b\xc3\xc8\x95\xca\x0d\xda\x5f\xc3\xd4\xaf\x32\x24\x54\x70\xfe\x40\x3f\xf9\x7c\xa9\x9c\xb9\x8c\x18\x10\x3e\x5f\x56\xc8\x47\x8f\x6e\xaf\x3c\xe4\xbc\x70\xfb\xdd\xff\x98\x3b\x53\x45\xc3\x59\xee\xa0\xb2\xdd\xec\x53\xfb\xd9\x73\xb7\x0b\x65\xae\x8e\xa6\xbb\x85\x12\x26\xdc\x7f\xda\xe7\xbd\xc7\xd9\xe6\xa1\x6d\xb3\x2e\xe8\x1c\x9a\x07\x69\x1b\x92\x0d\x30\x41\xf6\x5c\x97\x72\xd2\x36\xe3\x22\x1f\x23\xe3\xe3\x50\x38\xdd\x84\xbf\xe1\x09\x08\xd4\x83\xd4\xcd\xae\x80\x58\x87\xa8\x3f\x61\x2b\x12\x5f\x18\x65\x1f\xaf\xb1\x83\xfa\x15\xf7\x83\x35\xf6\x9c\x47\x18\xd7\x0d\x11\xe4\xde\x1f\x39\xc5\xf7\xc3\xcc\x8e\x63\x47\x30\x5c\x75\x69\x01\x92\x06\xb6\x0e\xda\x46\x82\x6a\x04\x68\x95\x67\x5b\x1d\x98\x0f\x78\x38\x61\xac\xf3\x4a\x08\x33\x11\x8d\x58\x45\x34\x7e\x75\xc0\xfe\x38\x02\xe0\xc8\xcf\x6d\x84\xed\x0d\x31\x90\x02\xa1\x27\x3f\x98\x2b\x66\xa6\xa6\x32\x44\x5d\xed\x65\xa2\x35\xe1\xb3\xf7\xd5\xd8\x01\xea\x71\xf7\xad\xbb\xed\xb0\xcf\x39\x6a\xf0\xb6\xee\xae\x73\xdd\x9d\x74\x96\x6a\x92\x9c\x40\xb3\x8c\xf3\x67\xf1\x30\x6e\xa6\x84\x72\x84\xb9\xd9\x90\x5c\x71\x14\x31\x1f\xbb\x22\xe5\xc7\x75\xea\x02\x3c\xdf\x4a\x7a\x8d\x48\x94\x12\x47\xaa\x1e\x3e\x53\x91\x46\x01\x11\xf5\xec\x9f\xc6\xd8\x33\x2b\x60\xeb\x09\x9b\xc4\xa0\x2a\xf8\xed\x5d\x53\x15\x7c\xe2\xc0\xbf\x2e\x20\xf7\x3d\x7d\x72\xb7\xfa\xe4\x86\x3a\xe4\xbf\xf4\xe1\x10\x2f\x1c\x61\x53\xcc\xdf\x96\x78\xc1\x9a\xc1\x7b\x9a\xeb\x6e\x0e\xf0\x77\x6f\xbf\x83\x5f\xef\x1e\x7f\xb8\x7c\x05\x74\x2a\xff\xed\x83\xec\xbb\xb6\xa4\x75\x5f\xcc\x45\xc7\xfd\xd8\x41\x6f\xc5\xbe\x64\x68\x8c\x9d\x30\x3e\xdc\x09\x2e\xf2\x1e\x9c\xab\x31\x27\x11\x50\x39\xe2\x7e\x29\x72\x57\x59\xa4\x93\x18\x6a\xe7\x5f\x72\x00\xbc\xde\x12\x53\x9f\x1d\x63\x3f\xe9\xb0\x03\x24\xaf\xdd\x0f\x39\xde\x9d\x8a\x08\xc6\x4a\x52\x56\x39\x42\xf8\x3d\x9c\x41\x0d\xe3\x83\x18\x30\xb9\x6e\x42\x1d\x74\xd0\x68\x9e\x74\xc2\x5c\x8e\xee\x03\xce\xcd\xec\xe1\x04\xdf\xf8\x3a\xaa\xf0\x05\xbd\x20\xce\xc3\xbc\x6f\xc6\x9a\x7e\xc1\x61\x57\x53\xa5\x89\x3e\xda\xfd\x45\xc7\x7b\xf9\x82\x75\x49\x2d\xb0\xd6\x56\x2d\x52\x86\xfe\x1d\xb4\xc9\x70\x63\x3c\x3a\xad\xfa\x7e\x87\x8d\x74\x82\x8b\xee\xab\x1d\xef\xe8\x69\x3d\xc6\xcd\x24\x96\x3a\x7d\x18\x2b\x04\xb3\x30\x43\x30\x96\x72\x65\x2f\x73\x6d\x7e\xa7\xc6\x9e\xd4\x09\x2e\xe2\x4c\xc4\xa6\x2f\x4b\xc1\xed\xfe\x7c\xcd\xfb\x7f\x9d\xd3\x15\x77\x64\x6f\x19\xce\x39\x15\x42\x50\x44\x88\xa2\x63\x8f\x50\x2e\x54\x77\x42\x76\x25\xe5\xd6\x06\x48\xfa\x0b\x3a\x65\x9c\xc4\x75\x48\xbf\x44\x1a\x5d\x7c\xa4\x15\xea\x60\x65\x63\x38\xaa\x93\x33\x51\x1e\xf5\x3a\x22\x45\x4e\x75\x39\xc2\x37\x96\x76\x22\x9c\x21\x72\x41\x35\x7a\x69\x96\x6b\x05\xcb\xae\xf7\xa3\x31\xce\x61\x8c\xe3\x1c\xc6\x8f\xf3\x38\xcf\x11\xa9\xc5\x0d\xde\xe4\x2a\xd1\x58\xd8\x82\x84\xa8\xb0\x3b\x36\xf7\xbe\xb9\xb7\x7d\xf6\x49\x56\x64\xaa\x11\x7e\x40\xa1\x67\xe0\x92\x72\xdf\xf7\x24\xef\x6b\x8e\x79\xc5\xa0\x5d\x41\x0f\x9d\xc6\x1d\x44\xa0\xa1\x26\x3c\x04\xa9\x71\x68\x73\x2b\x12\x84\xcb\xe7\x25\xcd\x48\xd8\xea\xc7\x41\x87\x5c\x56\x86\x65\xce\x67\xcc\xfc\xb2\xa8\x8a\x05\xbb\x71\x20\xea\x45\x7d\x17\x2b\x12\x34\x9b\x09\x5a\x31\xf3\x84\x8b\xbc\x09\xfb\x6a\x18\xf3\xc2\x54\x01\x51\x34\xfe\x25\xe7\x8a\xe2\xcb\x76\x5e\xe3\x4f\x5f\xc3\x62\xf6\x24\x38\x38\x60\xbd\x4f\x5c\xec\x06\x10\x27\xe0\xde\xe1\xdd\x36\x57\x71\x5d\x2a\x44\x9b\x99\x45\xcc\x57\xaa\x15\x9c\x42\xc8\x56\x20\xe4\x6b\x36\xe8\xee\x9e\xe6\xb6\x4b\xcd\xed\x9b\x0e\xbb\x12\x22\x0a\x89\x54\xd9\xfd\x7d\xc7\xfb\x79\x67\xa1\x7a\x9e\x55\x4c\x4c\xd5\x89\xa5\x61\x4b\x05\xc1\x8f\x15\xbc\x77\x19\x21\x36\xd3\x87\x90\x62\x9c\xdf\xed\xa5\x89\x37\xc9\xbd\x2c\x59\xcf\xbd\x7b\xc0\xdb\xad\x81\x31\x5b\xbc\x4e\xf8\xe2\xca\x41\x7c\x07\x65\x4b\x67\x61\xa7\x1b\xf5\x91\xe9\x3d\x5c\x87\x88\x84\x50\xe7\x4c\x6f\x95\x74\xf1\xf7\x0e\xbb\x06\x67\xd3\x2d\x21\x44\x4f\x9d\x4e\x5a\xc2\xfd\xaa\xe3\xfd\x96\x73\x47\xf9\xb2\x11\x30\xb6\x91\x6c\x0e\xb4\x7d\x3e\x0a\xc2\x8e\x99\xb7\x6f\x76\x14\xa2\x6b\xf5\xe2\x96\xcf\x2d\xd4\x76\xeb\x23\x8b\x9d\x8e\x68\x85\x84\x27\x87\xe9\xd4\xab\x16\xa4\x38\x40\xd2\x6d\x24\x71\x92\xe2\xae\xa0\x30\x7c\x41\x72\x21\x00\x1d\xf4\x0b\x99\x9d\x9a\x1b\xa2\xd5\x83\x73\x2b\x81\xd5\x59\x72\xec\xf5\x23\xec\x1a\x0a\x66\x59\x45\x74\xe9\x50\x64\xee\xdf\xd4\xbc\x0f\xd7\x96\x85\x7c\xa6\x49\x08\x0c\xb2\xe9\xb9\x7e\x82\x76\xa8\x0b\x3b\x13\x44\xfc\x44\xd0\xdc\xd0\x18\xe2\x10\xff\xa6\x17\xa1\x54\x93\x93\xcd\xd8\x40\xb3\x53\x28\xd7\xb6\xa9\xd0\x24\x6d\xa0\x9a\xf6\x55\xe6\xe8\xaa\x48\x3b\xea\x94\x18\x20\xa8\xb4\xce\x9c\xd2\xa5\xa5\xd4\x1c\x82\xcd\xb8\xcc\x3d\x5a\xcc\xad\x1b\xd8\x75\x3b\x30\x96\x56\x35\x61\xef\x18\xb3\x67\x80\xb7\x4d\x10\x6f\x75\x18\x2b\x54\x04\xf7\x55\x8e\x27\x96\x0a\x8d\xa1\xc8\xa7\x2b\xa9\x11\x70\xa9\xd8\x8e\x71\x1e\xab\xbd\x0a\x04\xb0\x5e\xb9\x95\x92\xda\x7f\x60\x8b\xa4\xb7\x33\xcc\xdc\xea\xdd\x9b\xbd\x23\x4b\xc6\xa7\xec\x70\x5a\x93\x24\xcc\x78\xc9\x92\x40\xef\x72\xd8\x55\xa9\x68\x4a\xb9\x49\xf0\x13\xaf\x71\xbc\x8b\x8f\xc2\x5e\x03\x9b\xba\xf1\x1d\x3b\x10\x67\x01\xb2\xe4\x6c\xe8\xb4\xb5\xed\x4f\xc6\x37\xb9\x37\x6e\x17\x18\x6a\x2a\x61\x65\x1b\xf7\x0f\x15\xb1\x3d\x08\xbd\xde\x6e\xa7\xa2\x0d\xde\x0c\x13\x09\xa0\xcc\xa7\x3e\xb7\xb4\x48\xe0\xca\xee\x97\x0e\x7a\x77\x17\x3f\x6d\x04\x36\x83\x43\x04\x93\x0f\xc3\x26\x60\x3a\x02\xd1\xf4\x1d\x8a\xf3\xfa\x8c\x19\x62\xec\x29\x2a\x6c\x68\x93\x67\xdb\xa8\xbf\x6f\x8c\xdd\x6e\xac\xb2\x2d\x80\x47\x76\xb4\xc8\xd8\x07\x1d\xf2\x2f\xbd\xc7\x61\x67\x2b\x8b\x7a\x64\x9d\x02\x9e\xa7\x93\xe0\x78\xd2\x69\x7e\x66\x0a\x85\xec\x10\xe4\x04\xa0\x98\xe9\x82\x6e\xbe\x08\x9d\xa6\xde\x93\xf3\x53\xf9\x7d\xde\xe0\xb0\x17\x5c\xce\x6a\xa2\x47\xe8\x3a\x72\x08\xe9\xaa\xb6\x44\x1a\x22\x64\xed\x40\x8a\x4b\x0c\xbc\xe5\x54\xb3\x3d\x35\x77\xcf\xe1\xfd\xf8\x99\x0d\xd7\xb7\x17\x8e\xf3\xee\x5c\x9d\x84\x60\x31\xeb\x4b\x22\x90\x17\x89\x63\xf6\x52\x21\x29\xca\xbe\xf0\x94\xed\x72\x40\x81\xa5\xef\x23\x4f\xf1\xae\x9f\xe3\xa5\xab\x3a\x68\x70\xd0\xe9\x6c\x3c\xe9\x5f\x72\x34\xc1\xd4\x25\x67\x2c\x17\x9d\xae\x9c\xc8\x97\x9c\x2b\x28\x20\xfd\x4c\x39\xb7\xf7\x17\x9e\xcc\xde\x5c\x63\x63\x2a\xad\xde\x7d\x55\x4d\xa1\x80\x7d\xd3\x31\x11\xca\xd0\x16\x07\xb8\x6b\x55\x18\x66\x16\xf1\xd5\x2a\x7d\x56\x61\xba\x61\x34\xa9\x2a\x0b\x23\x7f\x32\x11\x67\x05\xf4\x4e\x1f\x9e\x21\xf4\xb3\x90\x82\x50\xd5\x31\x5e\x0a\x75\x55\x24\x46\xe5\xca\xad\xf9\x42\xd8\xea\x05\x51\x51\x2e\xd0\x71\x90\x75\x0a\x10\xc6\xd0\xbd\x8c\x41\xb0\x04\xa7\x63\x85\x9f\x9b\x94\x45\xd3\x36\xb4\xd6\x8f\xd7\xd8\x93\x52\x81\x3b\xf5\x6d\xa1\xdc\x0c\xfb\x60\x2f\x73\xdf\xae\x7b\xe7\x9f\x9c\xaa\x07\x54\x4f\x75\x82\x8b\x61\xa7\xd7\xb1\x7a\x0a\x9f\x2e\x91\x7b\x76\x82\x10\x23\xa0\x34\xac\xb7\x31\x9a\x00\x91\x84\xaf\xf1\x0d\xfc\x0a\x66\xd4\x94\xaf\xaa\x06\x43\x9f\x05\x80\x40\xa1\xbe\x86\x9c\x27\x16\x74\x62\xa0\x3c\xf4\x51\x5f\x83\xec\x95\x67\x9b\xda\x3b\x31\x81\xa7\xec\x11\x9c\x9e\xb2\xfb\xeb\x47\x4d\x5e\xb3\xf7\x5e\x0e\x5e\xb3\x2f\x3a\x26\xaf\x59\x40\xe0\x2e\x65\x4a\x3d\x53\x1b\xc4\x00\x6d\x4c\xc3\x80\x29\xc1\x9b\x98\x48\xb8\x98\x1b\xe4\xa4\xa8\xbf\x25\x2d\xae\x96\xc6\x21\x22\x41\xab\x96\xdb\xbb\x25\x70\x3f\x7c\x2d\xfc\x5b\xd7\x64\xed\xec\x1f\x6b\xcc\x5c\x8b\xee\x9f\xd7\xbc\x3f\xac\x19\x17\xaa\xe8\xe4\x54\x32\x09\x34\xb7\x2d\xbf\x1b\x53\xb6\xa5\xb9\xf4\xf1\x24\xa8\x9e\x85\x26\x8b\x8b\x21\xe8\x42\xeb\xe8\xa2\xb5\x26\x17\x61\x50\xa2\x27\x5f\x4e\x1f\x05\x72\x0a\x5f\x17\x39\x00\xfd\xa8\xd5\x53\xd4\x24\xf7\xf9\x92\xec\xfa\xb6\xc8\xf9\xc2\x99\x15\xe0\x15\x42\xac\x08\xa8\x1d\x26\x4c\xa8\x90\x7d\xb9\x77\xce\xca\xee\xae\x2b\xb1\x55\x27\xc4\x19\xa3\xc5\x3e\x4d\x2f\x3f\xbb\xd0\xf4\x55\x84\x0c\x90\xe5\xd0\xd1\xdc\xab\x28\xc0\xc3\x94\x18\x8b\x3d\xd1\x68\x9c\x91\xdd\x6a\x69\xe8\x1f\xa9\x31\x2d\x14\xdd\xf7\xd7\xd8\xd4\xf6\xb1\x2f\x49\x4b\xc9\x1e\xd0\xc5\xbe\xe1\xa8\xf7\xd5\x48\xa9\x8c\x57\x24\xba\xb2\x4c\xa2\x72\x9e\x99\xab\x5d\xa9\xf1\xe1\xba\x94\x75\xbd\xf5\xf5\xb0\x19\xa2\x1f\x43\x09\xb1\x14\x53\x58\x9a\xb9\xb6\x35\xc8\x42\xb2\x3c\xe8\x74\x45\x8b\x4b\xc5\xa9\xa2\xb1\x48\x27\xd6\x8b\xd6\xe5\xbf\x30\x2f\x6c\x71\x49\x52\x91\x10\x38\xf4\x98\xea\x0d\x3c\x15\x05\x52\xb7\x39\xa3\xd8\xd7\x1d\x76\x35\x6e\xd5\x2b\x0a\x64\xf9\xf3\x5b\xe5\x4d\x55\xec\x68\xe7\xac\xd7\xbd\xb7\x39\x76\x79\xa5\x53\xd6\xd0\x17\x4b\x94\xc8\x1d\xca\x76\xce\x13\x52\x25\x70\x52\x0e\x8a\x50\xa4\x77\x08\x0a\x89\x09\xd3\x06\x0c\x40\xc5\x36\xc5\xfe\x69\x84\x3d\xe9\x42\x61\xf4\x52\x37\x32\xf7\xeb\x23\xde\x7b\x47\xaa\xee\xd8\x11\xde\x4d\x34\x95\x41\x1d\x41\x30\x99\xf8\xf2\x79\x52\x24\x86\xa1\x3c\xad\x9e\xa8\x55\x6b\xb1\x43\x48\xa3\xa5\xf5\x88\x56\x7c\xf5\x59\xa0\x32\xda\x0c\xfa\xca\x73\x18\x9a\x84\x64\xc6\x02\x26\xa6\xc2\x13\x90\xad\x03\xef\x62\x87\x81\x83\x20\xcb\x4d\xff\x8e\x09\xfb\xa8\x13\x56\xc6\x1b\x7d\x10\x4b\x2a\xf7\xfc\x34\x98\x2e\xc3\x18\x09\x70\x8b\x48\x5e\x1c\x84\x5c\x2b\x01\x73\x55\x1f\xcb\x83\xf3\x22\xe3\xdd\x54\x34\x45\x0b\xa9\x5e\x81\xd3\x27\xee\xeb\xf3\x7c\xa9\x9c\xc9\x82\x37\x4d\x27\xa6\x5a\xd6\xaa\x59\x76\x3d\x3b\xfe\xb0\x63\xd9\x60\x58\xd9\xcf\x8e\xb2\x27\x76\x93\xd6\x69\xcd\xcc\x48\xe7\xf7\x0f\x8c\x7a\x6f\x1b\xad\xb8\xa1\x86\x0d\x2d\xa7\x7a\xc8\xd5\xfa\x26\x5c\x3d\xa8\x07\xe1\x6e\x4a\x9d\x77\x12\x67\x23\xc2\xef\x61\x44\x4e\x0b\xdc\x45\x71\xd2\x12\xd9\x24\x07\xff\x88\x88\x4b\x08\xa8\xe6\x0e\xdc\xd5\x20\x96\x6b\x67\x53\x80\x50\x5d\x16\x41\xab\xbf\x36\x49\xa2\x72\xa0\x26\x61\xac\x62\x75\x64\x81\x89\x7c\x87\x8f\x4b\x79\x3a\x45\x8c\x41\xf2\xef\xe9\x49\x2e\xf2\x26\x92\x48\xa9\xa8\x6c\x9a\x93\xb0\xe2\x36\x83\x50\x1e\x75\xf2\x30\xe2\x42\x89\x24\x98\xac\x41\xab\xaf\x76\x17\xf9\x4e\x18\xf7\x0a\x1a\x4f\xb3\x11\x93\x4a\x1c\xaa\xcc\x22\x8b\xc8\x24\xe9\x76\x93\x2c\xcc\x05\x56\x0f\x1b\x1c\x44\x70\xee\x02\x2c\x1d\xa3\xd1\x4b\x41\x1a\x44\x91\x88\xd6\x4c\xca\x29\xb2\x03\x29\xbe\xd9\x2e\x3d\x83\xec\x66\x6a\xcf\x57\xba\x2b\x8e\x85\x02\xb8\xa2\xe8\x78\xdc\x0b\x93\xd8\x8c\x05\x23\xf0\xa8\x48\xe4\xa2\xa0\xb3\x0d\xe4\x92\x28\x91\x42\x3c\x38\xca\x26\xb7\xc2\x91\xf2\x57\x93\xf3\x22\x5e\x16\x52\x57\x00\xfd\xfe\x35\xa3\xde\x89\xd2\xb5\x4a\xf6\x6d\x98\xfd\xf2\x39\x6e\x97\xa9\x53\x3c\x2d\x45\xfe\x63\x23\xec\xaf\x6b\xec\x60\xd0\x6b\x85\x72\x3d\x65\xee\xd7\x6b\xde\xaf\xd4\xe6\xd4\xcf\x41\x4e\x06\x03\xe6\xa6\x80\xc0\x34\x50\x46\xc1\xe0\x52\x28\x8e\x7a\xf5\x61\x95\x0c\x18\xa4\x20\xf3\xb9\xfa\x4e\x3d\xd8\x44\x86\xba\x52\xb5\x93\x94\x3c\x1b\x17\x44\x8a\x18\x44\xf4\x41\x7c\x72\x13\x0e\x06\xb9\x88\x89\xb2\xd6\x96\x40\x54\xe1\xa0\x68\x8b\x21\x49\x28\x80\xcd\xb8\x2b\x2b\xa0\x80\xb1\x26\xad\x37\x2b\x91\xf0\xf4\x4d\xfa\x8c\x89\x98\xa1\x93\x3a\xb6\x70\xb9\x5c\xc7\xf6\x41\x23\x5c\xdf\xfb\xae\x55\xec\x1b\x52\x0c\x88\x20\x48\x04\x29\x90\x23\x9e\x57\x98\xcc\xf4\xe2\x7f\x74\xd9\xd3\xab\x80\x61\x51\x35\x5a\x4a\xd2\xdc\xfd\xda\x35\xde\x8c\xf1\xbb\xda\x06\x24\xe7\x2d\x3e\x73\x28\xe3\xdd\x24\x95\xa7\xc0\x51\xf9\xaf\x35\x3f\xde\x7d\x0d\xfb\xea\x28\x63\x18\xfb\x09\x85\x7f\x61\xc7\xd8\x04\xc3\x38\xc3\xdf\x3a\x7a\x86\x0e\x38\x36\x13\x0c\xe4\x0a\xe6\x09\x47\x1c\x45\x85\x49\x82\x2a\x3b\x7c\xdf\x88\xf2\xc5\x9a\xfb\x9c\x4a\x52\xd6\x3b\x92\x0d\x29\xf0\x1f\x4d\xcb\xc2\x8e\x1f\x3b\x36\x73\xac\x64\xe3\x0b\x62\xbe\x38\x77\x66\xee\xa5\x2b\x77\xcc\xbf\xf4\xcc\xdc\xe9\x13\x05\x64\x98\x61\xfd\x80\x14\x50\xa5\x3a\x44\x49\x72\x5e\xb4\x78\xaf\x8b\x39\x94\x18\x2a\x00\xf5\x55\xfb\x0d\x06\xc7\x2e\x25\xad\x43\x99\xb1\xab\xc9\x47\x32\xab\x78\x08\x9a\xb4\x03\x26\x2c\x4e\xaa\x43\xf2\x95\x43\x85\x6b\x06\x60\x87\xc7\x83\xb8\xd8\x93\x3b\x41\x77\xa2\xec\xc0\x41\xbc\x76\x5c\x04\xd4\x37\x88\xc7\xa7\x82\xc7\x17\x97\x6e\x3a\x93\xc4\x64\x8a\x2a\x9c\x73\x14\xd4\x02\x00\xda\x22\xb7\xe3\x28\xcc\x9a\x3c\xfc\x20\x6a\xaa\x44\x9d\x74\x90\x30\x6e\xab\x6b\x87\xaf\xc5\xc9\x13\xb7\xeb\x41\x9d\xae\xb1\x4f\x8e\xb0\x2b\x82\x6e\x77\x29\x4d\xf2\xa4\x99\x44\xee\x8f\x8f\x78\xef\x07\xd6\x2e\x38\x6a\x36\x35\x6e\x1d\xdc\x2d\xf8\xf1\x60\xde\x9a\x7d\x81\x27\x89\xac\xc8\x92\xbc\x7d\x80\xb6\xba\x1f\xe7\xc1\x45\x9f\x9f\x8b\xeb\x98\x66\x2c\x5a\x04\x5b\x87\x9b\x0c\x2c\x5d\xec\x49\x39\x49\x8a\x92\xd4\x19\x09\x1f\x1e\x0f\x30\x0a\x75\xf9\xe4\x7c\xfd\xf8\xcc\xcc\x31\xe8\x58\x02\x0a\xdb\xdc\xdc\xf4\xc3\x20\x0e\xfc\x24\x6d\x1f\x0e\xb2\x2c\x6c\xc7\x40\xbc\xa8\x7a\x00\xe3\x0f\x26\x7c\x7e\x26\x89\xeb\xba\x7c\xd5\xba\xcc\xe4\xe2\x2b\x55\x31\xeb\x35\x37\xe4\x14\xec\xf4\x81\x26\x2c\xee\xfb\xcd\xa4\x73\xb8\xd3\xaf\x13\xa8\xa8\x2a\xc3\x20\x09\xe3\x0d\x91\x07\xd4\x3b\x98\x2f\x9d\xf1\x76\x0f\x71\x03\xd4\xa9\x00\xab\x35\x57\xf4\xbf\xcd\xeb\x85\xa8\x1a\x40\xec\x25\x5f\x51\x27\x2f\x53\x2a\xfd\x64\x8d\xf0\xd4\x7e\xac\xe6\xbd\xb7\x66\x23\x26\xd3\x38\x99\xfc\x83\x7a\xfd\x42\x35\x0b\x58\xd7\x85\x33\x2b\x2f\x3d\x35\x77\xcb\x89\x53\x3e\x9f\x83\xdd\x33\xcd\x33\xf5\x5e\xc0\x0d\xeb\xb6\xa1\x76\xd2\x01\x05\x3a\x88\xb4\x08\x85\x15\xaf\x2c\x96\x9a\x80\x98\x5c\x01\x54\x90\xa2\xe1\xb1\xcf\xf9\x87\x64\x49\x7a\x05\x62\x7d\x15\x65\xf1\x12\xcc\xb7\xb3\x8a\xc4\x0c\x9c\xec\x44\x86\x6b\x0a\xdc\xb0\x80\x3a\x50\x61\x3d\xaa\xc5\x66\xa7\xbd\x6a\x1f\x1b\x93\x4a\x1c\xc8\xd5\xbf\x1d\x55\x46\xa2\x2f\x8f\xae\x2a\x69\x98\xc4\xa8\x3b\x81\xf7\x39\x89\x35\x18\x84\x71\x64\x0f\x33\x62\xa5\x68\xa1\x1a\x08\x2e\xa7\x30\xe3\x67\xa8\x60\xb9\xb6\x4f\x25\x41\xeb\x96\x20\x0a\xe2\xa6\xd4\x94\xf8\xb9\xac\x07\x7e\x25\x9c\x9a\x83\xb9\x13\x8b\x52\xeb\xd7\x66\x1b\x43\x5a\x85\x71\x1d\x44\x2b\x8a\x11\x29\xca\x20\x94\x49\x98\xa2\x52\x0a\xac\x32\xb6\x3b\x82\x51\x63\xd8\xbb\x3c\x74\x06\x61\xe4\x73\x1d\x42\x6e\x60\x3b\xa8\x89\x82\x45\xc9\xb3\x50\x53\x1d\x7d\xd1\x72\xa1\xbd\x3c\x10\xce\x27\x37\x09\x81\x25\xd9\xac\xe3\xba\x4c\xec\x13\xd0\xf5\x10\xb3\x5a\x95\x80\x3d\xa9\x13\xf5\x81\xd8\x36\xcc\x89\x1e\xae\x54\xd3\x32\x97\x5d\x43\xaa\x04\x5d\x55\x38\x1c\x25\xed\xc2\xf3\x44\xea\x16\x51\x12\xb7\x09\xd0\x53\x76\x10\xe2\x07\x00\xa5\x06\xcc\x4b\x39\x4e\x70\x98\xd6\x23\x95\x27\x7c\x5e\x89\xeb\x89\xcb\x2b\x72\xe5\xd7\xea\x72\x16\xe1\x0e\x6f\x58\xe1\x6e\x67\xb0\xeb\xbb\xf3\x6a\xfa\xf9\x7a\xf6\xd9\xa7\x67\x9a\x64\x0a\x95\xb9\x98\xd0\x46\x61\x2f\x63\x63\x4a\x04\xb9\x2f\xf1\x5e\x20\x4b\x5a\x5c\x1a\x2a\xb7\x57\x30\xe4\x21\xe3\xde\xea\xfc\x92\x37\xc9\xbd\x73\x0b\xf2\x1f\x39\xb7\xbc\x95\xf9\xd5\x25\x4f\x7b\x28\xe5\x98\xae\xce\x2f\x59\xab\xe7\x4f\x1d\x0b\x89\xb5\x2a\xe5\xf9\x5c\x26\xd2\x95\x1e\xa8\x32\xee\xcf\x38\xde\x4d\xc6\x6f\x72\x1e\x23\xc7\x78\xc9\xd7\x24\xab\x09\xc8\x8e\x10\x8b\x97\xe1\x0b\x7e\x15\xc6\x65\x8b\x35\x48\xee\xdd\xe5\x9d\x5e\x93\x7f\xe8\x3c\x7d\x05\x0a\x6a\x45\xe6\xc2\x69\xcd\x7b\x96\x57\x9c\x32\xe4\x21\x41\x3d\x9a\xf9\x7c\x59\x81\xa4\x59\x5c\x5f\xff\xc6\x4a\x62\x80\x34\x52\xd5\xc4\x65\x79\xc2\xea\x50\xb4\xdd\xb7\x9e\xe4\xfd\xee\x88\x79\xc5\x88\x22\xd6\x81\x75\x85\x76\x92\xe2\x93\x46\xe8\x49\x58\xc2\x81\x93\x03\x68\x95\x67\x10\x21\x98\x48\x6d\x06\xbe\xb6\x51\xae\xf1\x30\xb0\x4a\xcb\x53\x97\x7a\x88\x0c\x10\x60\x5b\x30\xbf\x40\xfb\xf0\xb8\x36\x36\x4f\xf0\x4e\x10\xa3\xbc\x32\xe0\x63\x0a\x1e\x64\x45\x9c\x6c\xb8\xd7\x71\x0a\x19\xb8\x3a\xd4\xac\xa5\xa4\x25\xf7\x0e\x6c\x96\x02\xa1\xab\xb0\x9f\x20\xdb\xb7\x76\x77\x19\xb5\x3b\x83\xb8\x56\x0a\x43\x95\x4e\xb1\x8a\x60\x97\xd4\x55\x9f\x03\x75\x07\x64\xb8\x10\x87\xfd\x24\xcf\x84\xa8\xf2\x4e\x89\x78\x43\x4a\x65\x54\x0f\xce\x8b\x6e\x06\x2e\x29\x39\xc2\x87\xa9\x17\xeb\x18\x91\xd0\x69\x5d\x72\x0e\x20\x13\xa2\x1d\x5e\xf8\xbe\x27\xec\xf9\x41\x77\xeb\x07\xfd\xdc\x28\x53\x7d\xeb\x7e\x76\xd4\x7b\x70\xf4\x36\xfc\x51\x62\xcf\x05\xf8\xe9\x08\x68\x7b\xd4\x14\x47\xe7\xb9\x09\x10\xa2\xcf\xa8\xf3\xcb\x8b\x05\x84\xb3\xb1\xa7\x00\x47\x4c\xc1\x6a\x09\xc6\x1c\x1a\x04\x1c\x6a\x8e\x02\x98\x28\xc7\x35\x41\x43\xe1\xc5\x53\xbd\x0c\x5a\xc1\x77\xc3\x87\xac\x3a\xc8\x1d\x11\x33\x98\xb2\xac\x27\x4f\x2a\x18\x65\x0d\x60\xc6\xd0\x2e\x32\x35\x6a\x96\x32\xa9\x66\x80\x7d\x4f\x96\x88\xc3\xa4\x9f\x34\xfd\x69\x48\xeb\x91\x0a\x79\x50\x08\x2f\x04\x11\x40\xed\x98\xef\x22\xd5\xa1\x41\x6b\x4e\xc5\x00\xce\x9b\x68\x71\x2f\xed\xc5\x4d\x8f\xc8\xe4\x15\x93\x4a\x61\x46\xe8\xc5\x4d\x7e\x76\x7e\x51\xf7\xee\x38\x92\xe0\x93\x45\xe7\x54\x18\xf7\x2e\x1a\x12\x64\x62\x80\x3b\x1c\xf9\xed\x45\xb5\x94\x91\xbd\xaa\xc6\x55\x69\x9c\x51\xb2\x29\xd2\x66\x90\x89\x49\xe8\xc1\x24\xed\xa8\xbe\x5d\x38\xb3\xc2\xc1\xb9\xc4\xc7\x97\x4f\xce\xf3\xe9\xe9\x23\x33\x13\x66\x16\x41\xa6\x3d\x21\x61\xa7\xd3\x03\x36\x7b\x7f\xcf\xb5\x7e\x79\x42\xd9\x3e\x61\x86\xb2\xfd\xe8\xae\x43\xd9\xda\x8f\x55\xb4\xda\xdf\xd4\xd8\x58\x72\x41\xa4\x1b\x22\x68\xb9\x7f\x5a\xdb\x22\x8b\xcb\xda\xc2\xcf\xd2\x2b\xde\x7f\xa9\xa9\x3f\xcb\xd9\x0a\x05\x13\x9c\x7a\x40\xc3\xe1\x91\x8d\x4d\xed\x41\x30\xd9\xe9\x98\x83\x7e\x75\x73\xff\xf2\x2f\xcb\xce\x74\x64\x6a\xfa\x86\xa9\x23\x47\x8e\xd7\xbb\x49\xab\xae\x6a\xe4\x77\x5a\x25\xa3\x04\xa0\x26\xd6\x23\xd9\x8f\x1c\x9d\xfd\xc6\x61\xfc\xc2\xb4\x3f\x7d\x4c\xaf\xa1\x9d\x06\xa0\x2e\x25\x2d\xdd\x45\x2a\xf6\x94\xbd\xb7\xc6\x58\xa6\x63\x52\xdd\x37\x6c\xe5\xa0\xb3\x3a\xbe\x08\x64\xf5\x7e\xc7\x31\xa2\x5a\x8b\xb8\xc2\xa2\x58\x2b\x57\x23\x4f\xb8\x88\xb3\x5e\x2a\x0c\xe7\x8d\xc9\xb2\x8f\xeb\xd1\x52\x9c\x40\x7e\x63\x69\x28\xab\xc0\x7a\x4f\xbe\x68\xc2\xc9\x0a\xd1\x2c\x69\x7c\x34\xcc\x78\x1c\x46\x93\x15\xe5\x99\xd2\x1d\xa0\x70\x0b\x25\x4e\xaa\x47\x51\x84\x1f\xf0\x1f\x72\x1a\xdb\xc7\xa9\xdc\xec\xde\xa4\x83\xf8\xa0\x87\x4a\x11\x7c\xe6\x97\x2b\xb3\xdc\x7e\x77\x8c\x3d\xc5\xe8\xe5\xb4\x11\x34\xe5\x22\x5c\x4e\x22\xe1\xfe\xdc\x98\xb7\x21\xff\x40\xf9\x57\xa4\x5e\x4c\xf2\x28\x69\x87\xcd\x20\xc2\x2f\x83\xa7\x61\x9d\xa3\xa7\x04\x29\xc0\x90\x8d\x02\x43\xab\x0d\x6d\x0e\x4c\x70\x72\xc5\xa2\x22\x28\xcb\xa6\xd0\x71\xdb\xb6\xfd\x87\x7b\x60\xe6\x7b\x11\x62\x8f\xe3\x36\xb6\x61\xec\x62\x2f\xde\xed\x26\xf6\xb4\x2d\xc2\xb1\x59\xce\xf6\xa5\xc0\xaa\x79\xde\xab\xe3\xd2\x41\x11\x16\x80\x67\x5f\x58\x8b\x4a\x9f\xc1\xe5\xba\x31\x1d\x14\x87\x59\x9d\x3d\x7b\xa8\xe0\x54\x4b\xba\x28\xea\x21\xa7\xb9\xbd\x64\x79\x9e\xfb\xdc\x7a\x75\xb8\x1b\x14\x68\x93\xf2\x96\xa5\x4e\x12\x09\xc6\x3e\x31\xca\xee\x79\xa4\x9c\x61\x94\x24\xbd\xc7\x49\xfb\xbf\x21\x27\xed\x67\xf6\xb1\x9b\xb7\xc4\xbf\x98\x1e\x86\x9e\x32\x9f\xc4\x48\x9b\xe3\xfe\xf3\xa8\x27\xb6\x7b\xa8\x14\xbd\x63\x20\xa6\x0d\x79\x93\x07\x40\x56\x26\x52\x80\xd5\x05\x09\xa7\x12\xb5\x2f\x39\x14\x69\x6d\xed\x63\xff\x30\xc2\x3e\xec\x30\x37\x0a\xb2\x7c\x35\x0d\xe2\x0c\x3e\xbb\x1a\x76\x84\xfb\x76\x67\x38\x0e\xcf\x16\x62\x45\xbe\xeb\xbd\x68\xb0\xbc\x82\x65\x3d\xcb\x81\x4b\x47\x1d\xa6\xa8\xa5\xb9\x7e\x5a\x21\xff\x26\xb1\x1e\x01\x18\x74\x30\xfb\xb2\x76\x01\x08\xf7\x62\xef\x2c\xfd\x89\xfb\xc6\x46\xaf\x13\xc4\xf5\x54\x04\x2d\xd0\xe9\xc4\xc5\x6e\x14\xc4\xb8\xb1\x1a\xf4\xf9\xa4\x9b\x1a\xd4\x48\xc5\xa7\x4d\x09\xbb\xa4\x81\xe2\x4e\x7a\x37\x10\x40\x5c\xa8\x34\x66\xf8\xa5\xa7\xbf\x6a\x04\x44\xee\xc9\xe6\xe9\x02\xad\x63\xdb\x8a\x8e\x75\x5f\xf4\x9e\x93\xe9\x25\x6b\xcc\xb4\x82\xec\x9f\x7a\x65\x7c\x35\x95\x3b\xf8\xc9\x20\x92\xc7\xc8\x73\xf1\xf9\x38\xd9\x8c\x27\xcc\x42\x6f\xa0\x74\xdb\x69\xef\x99\x39\xc2\x0d\x9b\x33\x46\x01\x1f\xe9\x12\xcd\x57\xbf\x72\x85\x15\xfc\x6b\xc4\x97\xcd\xc5\x79\x38\xb7\x0e\x23\xdf\x77\x7f\xf6\x0a\x6f\x71\x29\x69\xf1\x20\xce\x43\x1e\xd0\x55\xec\x71\x10\xb7\xb2\xd6\xa0\x72\xc0\xe9\xc0\x7e\xca\x50\x37\x61\x13\xb1\x95\xa8\x2f\x33\xf6\xb5\x51\xe6\x2b\x58\xd7\x05\x88\x51\x29\x74\xe5\x45\x74\x3c\xe2\xe5\x13\x17\x45\xb3\x07\x0b\xe7\xe3\xa3\xde\x37\x47\x88\x89\x52\x7e\xad\xae\xbf\x66\x1e\xa1\x0d\x33\xbd\xb2\x2a\xe3\xe1\x01\xf3\x74\x01\xf3\x44\xae\x16\xa3\x86\x72\x56\xea\xb8\x10\x3c\xff\xd3\xd6\x5f\x28\xd7\x49\x6c\xd8\x47\x34\x21\xe6\x23\xa8\x46\x13\xc0\x6a\x50\xbd\x56\x55\x49\x3a\x02\xd7\xac\x0a\xd7\x91\xf5\x10\xaa\xe1\x64\xe4\x6f\xf5\x04\x22\xfe\xc9\x9b\xe8\x76\x44\xcd\x64\x62\xd2\x70\xb4\x80\xe2\x03\xe1\x5a\xc0\x94\xc6\xf3\x14\x10\x77\x81\x2e\x1a\x0d\x9e\xe2\x82\x4a\x3f\x84\x43\x1d\xe0\x5d\xe7\x19\xb5\x0b\xf6\x00\xcc\xf4\x03\xc8\xeb\x5e\x94\x87\x5d\xb9\xa6\x22\x65\xa0\xc8\x09\x6a\x04\x26\x2d\x9e\x37\x0a\x6e\x37\x95\xd3\x4c\xa1\x39\x6a\x2a\x41\x2a\x21\x86\x55\xe7\x22\xcd\x20\xa6\x70\x92\x03\xeb\x30\x68\x13\x22\xed\x14\x0e\xbb\x2c\xc8\xc3\x4c\x76\x9c\x15\xe9\x70\x94\x1d\xd9\x59\x88\xa4\xf9\x4d\xf6\xad\x7d\xec\x70\x57\x11\x4c\xed\x70\x9a\x7d\x7a\x9f\xf7\x2d\x70\x96\xa9\xc1\xa7\xd0\x23\x2c\x07\x61\x9a\xf0\x06\x85\x11\xd8\xc7\x2e\xa8\x7d\xbf\x62\x76\x88\x8b\x72\x87\xc6\x50\xe8\x21\x93\x83\x42\xca\x73\x18\xbd\xe6\x46\x92\x64\x82\x10\x1e\xb1\xf0\x0b\x61\x82\x21\x7f\x10\x8a\x42\x67\x6e\x92\x1d\x46\xf1\x68\x96\x2a\x5e\x0b\x33\xde\x49\xb2\x9c\xeb\x9e\xd0\x61\x21\xb1\x28\x82\x69\x90\xbb\x3a\x93\xea\x70\x47\x16\xba\x29\xc2\xf6\x86\x1c\x71\x18\x27\x29\xf3\x0a\xaf\x21\xba\x1f\x84\xc8\x51\x1d\xd4\x1c\xb6\xc5\xa2\x37\x97\xc2\x78\x19\xfa\x62\x92\x0f\x5b\xfa\xc3\xfb\x0c\x02\xc3\xfc\x89\x49\x60\xe4\xec\xe5\xc0\xd7\xd9\xeb\xc8\xfe\x0b\x73\x70\x04\xc2\x31\x21\x05\xda\x31\xe8\x0f\x9a\xb1\xfa\xc8\x45\x52\x20\x6e\x01\x83\x5d\xdc\xe6\x1e\xb6\xd0\xd3\xbb\x7e\xaf\xa3\x70\xbf\xa1\x91\x1b\x84\xbb\x45\xae\x88\x8e\x81\xb2\x6e\xcf\xf8\xd2\x4c\xbf\x51\x17\x31\x9e\x4d\x14\xfd\xab\xa0\xb8\xe4\x67\x02\x0a\x82\xb6\x87\xc5\x9a\xf0\xcf\x61\xb3\xec\xfa\x6d\x27\xfc\x9d\xd0\x04\xd1\x2a\x4f\xfc\x9f\xbb\xba\x12\xb7\x95\xf0\xc4\x64\x71\xf3\x3a\xb2\xce\x7d\xf3\xd5\xde\xd9\xca\x3b\x03\x70\x7a\x36\x6a\xf5\x3a\x44\xb3\x16\xa1\x14\xe5\x48\x67\x25\xee\x7f\xf3\xca\xbd\x33\xf3\xde\x99\xf9\xf1\x3b\x33\x7f\xb9\x66\x1c\x9a\x3f\x5f\xdb\xed\xa9\xf9\x2d\x35\xda\xfd\x4f\x21\x81\x01\xac\x83\xea\xf5\x03\x6e\x8d\x4e\x37\xef\x4f\x16\xa9\x45\x14\xe9\xa2\x6d\x6c\xda\x11\x12\x64\xca\x1c\x29\xe5\x86\x11\x07\x59\xb5\xc2\x28\xe3\x00\xcf\x80\x8f\x7b\x4a\xf5\x1b\x14\xa6\xe9\xab\x6b\x5b\xc4\xe4\x6f\x29\x85\x20\xa5\xe1\xb3\x36\xb0\x69\x65\x96\x99\x19\x42\x5b\x86\x93\x1c\x22\x8d\x1e\xed\x7e\x90\x75\xac\x07\x71\xab\x8e\xea\x3c\xfb\x52\x81\x6a\xfa\x85\xad\xf0\x13\xb7\xee\x10\x4c\x64\xfd\x81\xda\x8a\x75\x62\x80\x2d\x23\x15\x4d\x4c\x9a\x4a\x1a\x14\x5a\x66\x1f\x24\x86\xf5\x03\xd8\xd2\xe5\x88\xc1\x5a\x6f\x08\x48\xe3\x48\xd6\x39\xe4\x2d\x34\xfa\xa8\x89\x12\x8a\xa4\x2c\x2a\xdc\x05\x1c\xea\xa3\xd8\xc1\x0f\x9b\x5d\xc8\x00\x48\xad\xec\xeb\x72\x06\xf9\x6b\x6a\x16\xc0\x1a\x86\x7d\x17\x04\x3c\x0b\x80\xa8\xe6\x7e\xd9\xf1\x8e\xd3\xdf\x2a\xca\xd7\x84\x56\xc3\x0d\x4a\xe5\x5e\x60\xf8\x68\xb2\xce\x17\x17\x32\xff\x92\x33\xd2\x09\x63\xf9\xff\xc1\x45\x6b\xab\x7c\x83\xc3\x4e\x20\xa8\xd3\x73\x21\x74\xe6\xf8\x51\x6f\xa2\x13\xc6\xc6\x71\x31\xd5\x51\xd3\x14\x35\x15\xc6\xcd\xa8\x97\x85\x17\x4a\x51\x33\xf3\x88\x01\xf6\x1c\x55\xcc\x21\x59\x25\x2a\x46\x18\x9c\xa9\x5b\x16\xf2\xae\xab\xd9\x0b\x76\x67\x27\xbb\x53\x34\x36\x92\xe4\xfc\x3c\xec\x1a\x88\x39\xef\x7e\xea\x2a\xef\xce\x8a\xeb\x45\x48\x71\x5e\x62\x33\x86\xc0\x16\x30\x18\xad\x9e\x5a\x91\x8f\xc5\x04\xa0\xa9\x95\xab\x4d\x2c\xce\xd6\x3b\x7e\xef\x4a\xf6\x19\x87\x8d\x35\x83\x5b\x7a\x71\x2b\x12\xee\x83\x8e\x3b\xda\xe8\xe7\xc2\xfb\xa0\xa3\xae\xe1\x26\xba\x74\xe2\x34\x17\x71\x33\x69\x89\x16\x9f\x9f\xe3\x0d\xbc\x65\xc4\xf5\x1b\xee\x60\x85\x98\x63\x7e\xf6\x50\xa6\x82\xd4\x9b\x22\xcd\x51\x5a\x89\xc1\x34\x4f\x3a\xa1\xe5\xa9\x3c\xe9\xa4\x49\x92\xeb\x78\x64\xdd\x9d\xb0\x43\x00\x3e\x8d\xb9\x81\xbd\xb7\xc6\x0e\x50\x68\x94\xfb\xe6\x1a\x7b\xf1\x30\x81\xf2\x48\x06\x88\xc2\xcb\x34\x87\xaf\xf7\x51\xc7\x88\x02\x0c\x8c\xc0\x14\xa5\x26\xd3\x5d\x6d\xf3\x55\x7d\xcf\x4f\x84\x00\x2d\xa5\x1e\x48\x52\xde\x4b\xa3\xe2\x5c\xa7\x3a\xc2\x67\x8c\x36\x50\x7a\x13\xec\x97\x86\xa7\xcb\x0e\x18\xa2\xec\x90\x7e\xd2\x33\x63\x58\xd7\xe8\x2b\x6b\x3e\xfb\xab\x31\x36\xd2\x4b\x23\xf7\x1b\x63\xde\x1f\x8c\xc9\x2f\xb6\xc3\x0b\xb4\x79\x20\x1e\x41\xb1\x6f\xd0\x07\x27\x91\x92\x9f\xf6\xcd\x73\xcb\xa7\x80\x98\x9f\x8f\xaf\x81\x8e\x28\x66\x0f\x43\x2e\xe1\x6c\x37\x49\xf3\xc3\xdd\x20\xdf\x58\x9b\xf0\x91\xa9\x86\xc2\x32\x93\x75\xbe\xd6\x4b\xa3\x35\xd9\x44\x5d\x91\xca\x86\xca\x83\xd8\x9a\x2c\x6c\x4d\x55\x1e\xb3\x60\xe9\x24\x19\xe8\xce\x52\xed\xb7\xdb\x7e\x23\x06\x76\x6c\x18\xed\xd5\x31\xa4\x59\x2e\x02\x8a\x40\x90\x1f\xa0\xf8\x87\x86\xa0\x48\x23\xa9\xaf\x86\x01\x97\x23\x0e\xfa\xed\xc2\x99\x15\x68\xb5\x94\xf0\x7a\x72\x64\x68\x5b\x98\xe4\x6b\x08\xb6\xa0\xae\xaf\xf1\x26\xaa\x72\x54\x16\x0f\xe3\xba\x8a\x89\x92\x05\x05\x2a\x77\x58\xc5\x7c\x07\x3c\x0a\xfa\x18\x1b\x8b\x87\xd4\x30\x89\x27\x7c\xd5\x74\xb9\xd9\x40\x52\x34\xc5\xc9\x2f\xc9\x23\x98\x3c\xd8\xf9\x8c\x2d\x45\x84\xde\xab\xa8\x97\x30\x3c\x63\x0d\xd2\x2e\xf1\x75\xd9\xcb\xd3\x47\xae\xf3\xa7\xfc\x29\x7f\x7a\x0d\x5d\x75\x54\xb2\x9c\x39\x61\x76\xbe\xcf\x7b\x31\x80\xf7\xc9\x59\x02\xb6\x65\x38\xcd\xf2\x26\x66\x80\x50\x0c\x47\x31\x57\x81\xc6\x2a\x8a\xa0\xe3\xd4\xf9\x0e\xa2\xc9\x62\x63\x29\xd2\xb1\x0f\xba\x15\xe2\x2d\x95\x18\x6a\x06\x51\x44\xe7\x08\x73\xfa\xaf\xf4\x9a\x1b\x98\x38\x2e\x6f\x07\x80\x35\x78\x5e\x20\xe3\x51\x03\x31\xe2\xe4\x8c\x0a\x1a\x91\xc0\x43\xf5\x24\x4c\x06\x11\x64\xf0\x08\x10\xf5\xf7\xba\x18\x5c\x12\x8b\x4d\x1d\x30\x87\xb3\x08\xa7\x66\x01\x29\x02\xdb\xac\x87\x67\x4d\x39\x83\xcb\x5c\x67\x9e\xda\x87\x3d\x9f\xb1\x39\xcd\x5a\x95\x50\x98\x31\xd9\xd8\xd7\x55\x5a\x8d\x52\x08\x82\xb8\xaf\xce\x14\x5d\x91\x76\x42\x0a\x18\x0a\x89\x2c\xcc\xe7\x2f\x4a\x7a\xf0\xac\x9a\x98\xc8\xc1\x94\x00\x6b\x2a\xf4\x5f\xda\x08\xf3\x34\x48\x75\x31\x24\x36\xf4\xd2\x5b\xb7\x83\x79\xd4\xb4\x2a\x72\x80\x64\x7d\xf3\x5c\xaa\xcd\xf4\x7a\x0f\xcc\x20\x2a\x36\xaf\x11\x64\x61\x13\x12\x7a\x10\xd6\xcc\x93\x37\x66\xe5\xe7\x37\x93\xb4\xf5\x3c\x4f\x53\x6c\xe1\xc6\xeb\xf3\x93\x69\xd0\x26\x43\x84\x77\xad\xef\xfb\x1e\xa6\x97\x61\x06\xb7\x01\xf2\x33\xee\xdd\x4c\x77\xc9\x52\x48\x25\x4c\x72\x01\x82\xcd\x12\xc9\x7f\xf9\x04\x76\xd4\xd4\xe4\x0a\xb9\x0f\x69\xa7\xf3\xc5\xef\x95\xb0\x2d\x57\xb6\xc2\x17\xfd\xe9\x27\x78\x1f\xd9\x37\xf4\xb6\x66\x98\x25\x7d\x42\xaa\x13\xa2\xb9\x11\xc4\x61\x06\x51\x44\x49\x03\x0c\xfc\x17\x8f\x4d\xdd\x60\xee\x35\x19\x28\x6f\x70\x24\xa3\xa8\x61\xe3\x26\xcf\xf0\x13\x85\xf5\x05\x63\xb1\x20\x18\x31\xcc\x79\x90\xf5\xe3\xe6\x46\x9a\xc4\x49\x2f\xc3\x3c\xfc\x14\x72\xe2\x30\x8c\x22\xeb\x81\x20\xa3\xc8\xc6\x8c\xc6\x3d\xcc\x00\x33\x45\xd7\x68\x96\xf1\x69\x5f\x9d\x0d\xad\x8a\x49\x29\x57\x24\x5f\xc1\x6a\xb4\x65\x0d\x1f\xd7\xbb\xb8\x67\x87\x22\xdb\xcf\xd5\xb1\x74\xd0\xfa\x22\x91\x7b\xd0\x2c\x91\x9e\x09\x3a\x62\xc2\x67\xfc\x88\x8f\xb2\x34\x6e\xdb\xdf\x97\xd3\x4d\x6a\x0d\x45\xb8\x7e\xe9\xf3\xc4\x47\x18\x13\x57\x70\x26\x9a\xbd\x54\xae\xda\x2d\xab\x15\x89\xbc\x4e\x9f\x2b\x55\x84\xad\xaa\xce\xa1\x20\x03\x1d\x47\x46\x23\xfc\x58\x74\x92\x55\x27\x88\x0f\x2e\xe6\x8e\xdd\x3b\xf2\x8c\x4f\x4e\x31\x29\xa0\x8c\x60\x1a\x2c\x21\xab\x24\x36\xfe\xf6\xc1\xcb\x8b\x59\xf4\x61\x75\x7e\xfc\x60\x8d\x9d\x1c\x7e\x5c\xda\xe9\x22\x83\xb3\xe4\xef\x38\x99\x85\x55\x04\xdb\xaa\xb1\x2a\xac\xd5\x60\x86\xdc\xf1\x60\x5d\x0a\x24\x15\xb4\xef\xf3\xb3\x71\xd4\xa7\x63\x15\xbd\x52\xf4\x2e\xbe\x0e\xc8\xab\x99\x22\x24\xa0\x81\xcf\x04\x04\x32\x1a\xe5\x80\x7a\x44\x0f\xa1\x29\x00\x31\x89\x1a\x7d\x2b\xd5\x2f\x6e\xa9\xed\xb7\x21\xcf\x7b\x2d\x6d\x29\x96\x92\x2e\xf3\xd9\xab\x8a\xe3\xe5\xdf\x39\xec\xb6\xcb\xd0\x5f\x78\xd4\x7c\xc0\xc9\x4a\xa0\x49\x83\x60\x49\x26\x7e\xa8\xc9\xc7\xa8\x84\x46\x92\xf2\x96\x88\x31\xf1\x42\xe5\xf0\x1a\x9d\x8e\xf2\x44\x1f\x24\xa1\x1b\x71\x7e\x6e\x08\x48\x8c\xe8\xa5\xa6\x1b\x8c\x52\xf2\x81\x35\x0a\x9e\x55\xcf\xf8\x7b\x16\xc5\x3d\x8b\xe2\xe3\x88\xd3\x94\x6e\x6f\x7f\x38\xeb\x9e\xd6\xf6\x07\x6b\x25\x96\x29\x8e\x87\xad\xca\xb2\x51\xe2\xa7\x47\x87\xb9\x6d\x4d\x58\x10\xf7\x2d\xa3\xde\x0b\x4a\xd7\x4a\xce\x61\x30\x00\xa1\x1f\x91\x26\x37\xe4\xbc\x15\x59\x4d\xca\x13\x1f\x68\xc8\x03\x4b\xfa\x7f\x74\x84\x7d\x51\x81\xcc\xfd\x77\x87\x8d\xef\xc4\x2d\x07\x22\xf9\x87\x9c\x4a\xde\xe8\x61\xd6\x3c\x88\xb0\x7e\x8c\x4d\x77\xff\x2a\x11\x2f\xbf\xf9\x94\x4a\xca\xba\x33\x49\x4b\xa0\xe9\x85\x82\x96\x3e\xfb\x14\xef\xce\xf2\xc5\x8a\x50\x14\x2b\x60\x61\x3d\x6c\x5b\x39\x7f\xf2\x7d\x1f\x32\x62\xa8\x14\x8c\x2e\xb2\x26\xd0\x1f\x3c\x99\x7d\xaa\xc6\xf6\x07\x40\xda\xe3\x3e\x58\xdb\x82\x82\xbc\xa2\xae\x50\xa0\xf7\x3d\xb5\x39\x78\x5d\xca\x1d\xc8\xf7\x82\xfa\x6c\x88\xe6\x79\x90\x2c\x42\xa5\x50\x14\xfe\x3c\x29\xdd\x88\x26\x08\x0f\x99\x3e\xa7\x22\xc0\xc6\xa3\xe5\x17\xa9\xfb\x56\x1c\x05\x2d\x44\xd5\xee\x39\xd5\x60\xfc\x86\xde\xc1\xd4\xe3\xa7\x82\x2c\xbf\x3d\x4e\x36\xe3\x5b\x93\xa4\x78\xa8\x25\xba\xc4\x23\x0f\x59\x97\xb8\x91\x06\x03\x47\x9d\x8a\x0f\x48\x89\x0b\x00\x61\x21\x9c\x51\x45\x9a\x26\xa9\xcf\xfe\x61\x94\x8d\xa9\xae\x77\xbf\x39\xfa\x48\x7a\xf1\xc1\x51\xfd\xa5\x1d\xf7\x23\xf4\x16\xc5\x15\xf4\x32\x15\x34\x50\x3d\xee\x48\x2d\x0c\x92\x7b\xb2\x28\xa1\x28\x1e\x3f\x67\xc4\x9d\xd3\xc7\xba\x41\x3f\x4a\x02\xd0\x9b\x11\x7f\xa9\x15\x66\xe7\x27\x79\x10\x25\x05\x94\xa4\xdc\x47\xd3\x96\xa9\x23\x68\xdc\x06\x2c\xc5\xf0\x83\x13\x07\xb5\x3a\xb3\xd3\xab\x79\xa2\xbc\xec\x72\xe3\xa1\x4f\x17\x95\x53\x29\x5f\xaa\x5f\x8a\x17\xc3\x58\x8f\x90\x5f\x8c\x15\x04\x9c\x63\x6b\x0b\x70\x39\x5c\x2f\xa8\x52\xa2\xd2\x04\x25\x6c\x04\x19\x6f\x08\x29\x70\xcd\xae\xce\x13\x68\x68\x11\x87\x51\xca\x28\xcb\x83\x14\x43\x27\x72\x9e\xa7\x04\xbd\x03\x26\x89\xaa\x39\x03\xd7\x70\x82\xd3\x95\x46\x9f\xcb\x5e\x55\x00\x9d\x64\xca\x54\x5b\xbb\x55\x13\x35\x00\xfa\x58\x0e\x8b\x5b\x37\x9a\xfd\xd0\x18\xdb\x07\xd3\xd0\x7d\xe7\x98\xf7\xba\xb1\x13\xf2\x4f\x43\x54\x04\x31\x20\xcc\x36\x22\xd1\xc1\x4e\x8b\x9b\x61\xa4\x3e\x34\x38\x4b\x48\x83\xb2\x6a\xeb\x73\x28\x14\x95\x88\xa4\xd9\xec\xa5\x65\xdb\x81\xb5\x72\x8a\xda\x0f\x2f\x1f\xa7\x92\x31\xe3\xe5\x50\x6c\x51\x10\xda\x37\xb0\x23\xca\xb9\x11\x03\x1f\x29\x97\x03\x6f\x25\xa9\x6d\x30\x1e\x10\x1c\x22\x6f\x0e\x36\x94\x07\x39\x6f\x85\xeb\x60\x78\xcd\x39\x2d\x94\xcd\x8d\x30\x12\x5c\x9e\xd5\x29\x73\x00\xfb\x28\x48\xa3\x50\xa4\x28\x12\x32\x15\x2a\x94\x6c\xc6\xea\xf3\x45\x73\x20\x72\x12\x1e\x9b\x28\x82\x9c\x50\xb0\xa0\x7d\x27\x4d\xa2\xa8\x11\x34\xcf\xcb\xda\x5b\x12\xcc\x54\x62\xd1\x1e\x18\x34\xd3\x24\xcb\xf4\xec\x4c\x05\x4c\x47\x9f\x9f\x0a\xf2\x72\x65\xd4\x8c\x2b\xba\x82\x2c\x14\x83\x32\x66\x42\x49\xe2\x1d\xd4\x09\x14\x41\x52\xbb\xe1\xb8\x06\x09\x57\x88\x7b\xd8\xa3\x5c\x74\x9d\xef\x06\xc7\x6f\xac\x39\xa8\x9f\x30\x5b\x1b\x7d\xbe\x1e\x5e\xd4\xb3\xbf\xb4\x95\x85\xf1\xe0\x10\xa3\xf5\x4b\x1e\xef\xd6\x43\x8a\x23\x51\x49\xfb\xa5\x4c\xdf\x96\x68\xf4\xda\x90\x92\x0d\x89\x27\xb0\x53\x2b\xdc\x00\xf8\xb8\x0e\x60\xb4\x97\x79\x94\xa8\x79\x5f\x19\xda\x58\x01\xcb\x83\xc5\x41\x84\xe8\x8d\x9c\x94\x12\x3c\x82\x42\x07\xeb\x7d\x26\x49\x61\xbc\x75\xd9\xe4\x96\x6e\xf4\x72\xdb\x32\x0d\x26\x6e\x25\xba\x1a\x61\x64\x40\xee\xe1\xbb\xb9\xb8\x98\x97\xc7\x9f\xb6\xc7\xcc\x32\x91\x7d\x6b\x3f\xbb\x2a\x32\x87\xcc\xfd\xe3\xfd\x8f\x64\x8f\xfa\xe8\x7e\x7b\x3b\x7d\x78\x1b\xd5\x7a\x10\x45\x5c\xcd\x20\x50\x71\xc3\x1c\x9c\x3d\x3d\x88\x45\xd3\xdb\xe9\xce\x36\x62\xdc\x52\xca\x92\xb6\x21\x9a\x49\x87\x14\xa4\xaa\xad\x9f\x40\x14\x54\xbd\x74\x92\xb3\x81\x76\x54\x2e\x12\xb0\xb7\xd1\x1a\x01\xd9\xa0\x69\x0a\x87\x52\x85\xc0\x51\xc0\x66\xea\x6c\x50\x95\xc4\x32\x3d\x55\xef\x84\x71\x2f\x17\x3c\x4b\x82\xf3\xbc\x2b\xd2\x10\x71\xfb\x52\xc4\x61\x56\x55\x41\x61\x48\xdb\x51\xb2\x5e\x55\x83\xe2\xcc\x55\xa9\xf6\xc8\x47\x48\x64\x53\x2b\xb4\x63\x31\xcc\xe8\xc3\xb0\x24\x87\xf6\x0f\x90\x50\xa8\x28\xb5\xf5\x0a\xc1\x8d\xdb\x9e\x00\xcb\x5c\x1c\x46\x7c\x5c\x8e\x0b\x69\x04\x04\x9a\x4a\xe1\x8f\x76\xbf\x87\x84\xc2\x1a\x2a\xde\x87\xa8\x6f\x15\x34\x29\xeb\x14\xa8\x41\xb6\x0a\x34\x1a\x17\x44\x9b\x41\xbf\xc8\x89\x6a\x43\x8d\x5f\x54\x38\xa2\x20\x9c\x14\x1c\x93\xf2\x09\x24\xdb\x30\xe2\x8b\xe5\x60\xa3\xbe\xbf\x91\x40\xbf\xa8\x81\x2f\x04\xb8\xb1\xc8\x8c\x71\x8e\x45\x96\x4d\xa2\x93\x25\xcc\x28\x18\x10\xdd\xc7\x29\xf5\x65\x11\x8a\x45\xd6\x79\xb0\x9f\xf4\x30\x77\xed\x1d\x57\xb3\xa9\x1d\x1d\x54\x0a\x7b\x49\xe6\x7e\xe5\x2a\xef\x8d\x8e\x71\x81\x82\x3c\x0d\xfb\x49\x56\x10\x2b\xe9\x2c\xdf\xc9\x82\xbf\x12\x8f\xf1\x19\xe9\x30\x4d\x00\xd1\x83\x49\xb3\xb4\x28\xa7\x87\x3c\xa0\x4c\x92\x4f\x45\x85\x53\x27\x49\x8e\xfe\x03\x12\x30\x91\x68\x07\xcd\x3e\xbf\x30\x2d\x5f\xf2\x2f\x39\x63\xea\xcb\x97\x9c\xa7\xa2\x7d\x73\x0e\xfd\x46\xb7\xf4\xc9\x71\xbc\xb8\xb0\x6c\xc7\xb5\x7f\xe6\x0a\xf6\x22\xa6\xdf\x73\x4f\x7b\xd3\xba\xf6\x2a\xe8\x2e\xe8\x86\x5b\x35\x69\x2b\x80\xad\x3d\xa3\xd3\x9e\xd1\xe9\x71\x0b\x63\xfb\xb3\x7d\x6c\x8b\x55\xe0\xfe\xb7\x7d\xde\xff\x18\x0d\x78\x27\xe8\x22\x0e\x28\xb4\x4f\xde\xd2\xa9\x45\xa9\x72\xbb\xea\xb0\x60\xe5\x31\x81\x8e\x02\x5b\x55\xb1\xc5\xe4\x09\xdf\x10\x51\x57\xaf\xeb\x14\xc2\x7f\x95\xdf\x98\x44\x0e\x44\x23\x11\x36\x4c\x5d\x68\x14\xd9\xcd\xa0\x50\xbe\x7c\x3e\x4f\x25\x48\xa5\x44\x89\x5c\x30\x18\x77\x53\xa0\xe4\x29\x55\x8e\x40\xb0\xe4\x53\x58\x7d\x8d\xcc\x0d\x21\xb8\x30\x18\x52\xdb\x93\xcd\xd4\x01\xea\x1a\x0b\x45\x55\xd7\x88\x15\x40\x11\x1f\xb7\x85\x82\x64\x92\x4d\x96\x45\xe3\x6e\x4e\x9f\x4f\x45\xde\x4b\x63\x4a\x1b\xce\x37\xe4\xa9\x10\x3a\x96\x3a\x0b\xf8\xcb\xe2\xf3\xc6\x96\xad\x1c\x39\x41\xac\x2a\x66\xe0\x14\xcc\x62\xf7\x04\xe0\xdb\x24\xad\x16\x3c\xbc\x41\x5c\x2c\xd6\xc5\x25\x6c\xa1\xfc\xe4\xa4\x8a\x3d\xa6\x62\xa1\xbb\x95\xd1\x05\x6b\x88\x9e\x71\xbb\x00\x35\xed\x01\x4d\x0e\x50\x21\x5f\x58\x3f\x99\xa4\x9b\x80\xc5\x25\xff\xe2\x1b\x22\x68\xa1\xfe\xf7\xc2\xfa\xb2\x08\xa2\xfa\x62\xd7\xb8\xa6\x00\x1c\x97\x45\x27\xc9\x85\x9c\x58\x7c\x3c\x24\xc0\x09\x00\xc1\x9c\x90\x13\xa1\x2d\xac\x26\x2f\x2e\x59\x42\x72\x89\x9d\x61\xa7\x1e\x81\x9d\x6c\x65\xd8\x64\x7e\xc8\x59\xd9\xde\xbe\x3a\xe5\xfa\x55\xf1\x5d\xc6\x16\x56\x36\xa0\xbe\x63\x84\x7d\x77\x25\xbd\x1c\x46\xc2\x10\x61\x1a\x1c\x6a\xbf\x51\xf3\x16\x8c\xdf\xbc\x19\x74\x73\x20\xb3\xd6\xea\xa2\x56\x21\x0b\x90\xd5\x40\x33\xad\x2b\x68\x2a\xdb\xec\xf5\x8e\x1a\xfb\xa8\x53\xa4\x31\x7d\xd0\xf1\xde\xee\x20\x7c\x21\x25\x27\xd9\x47\x84\x8a\x2f\xcc\xe5\xb9\x5c\x84\x49\xca\x17\x04\xfe\xa5\xbf\x44\x98\xdb\x58\x1c\x39\xf3\xa3\xa4\xdd\x86\xc0\xa3\x44\xce\x5f\x43\x69\x21\x07\x0f\x40\xdf\x87\xa0\xc0\x19\x07\x18\x4b\x89\x6f\xb0\xd1\x3c\xec\x08\xf7\xae\x47\x9e\x14\xf6\x8c\x55\x95\xf5\x85\xed\xda\x0c\x32\xb3\x6d\x3e\xfb\x15\x87\xad\xec\x2e\x88\xe9\xf9\x2b\x67\xcf\xac\xc0\xc6\xb8\x94\x26\xdd\xec\x6c\x7a\x4b\x92\x44\xee\xcb\xbd\xa4\xf2\x86\x19\xd6\x5e\x7a\x80\x03\xc6\x01\x51\xde\xe1\x76\x64\x33\xda\xe4\x69\xaf\xc8\x7f\x54\xcf\x49\x51\x26\xd2\xbc\xef\xb3\x37\x8e\x59\x81\x83\x0a\x85\x7a\x41\x74\xa3\xa4\x2f\xb5\x74\xe0\x85\xfe\xd3\x03\xde\xb8\x7d\xc9\xc6\x44\x2d\xee\x0d\xa1\x85\xfe\xb5\xbd\x2c\xf4\xcb\x49\xa4\xfc\x5d\x8b\x55\x44\xca\xe6\x28\xec\x3c\xa7\x79\x70\xc8\xf7\x94\x9e\x5d\x28\x3d\x0d\xc3\x1d\x73\xc7\xee\xb8\xcf\x9f\x32\x84\xfb\xfc\x21\xe7\x85\xdb\xef\x36\xc7\xdc\x99\x7a\x41\xaa\xd2\xcd\xf4\x7e\x63\xaf\xe3\xf2\x96\xf3\xc5\x27\x33\xbf\x2a\x90\xd8\x5f\x4a\x5a\x0b\x61\x96\xf6\xe0\xd0\x78\x4b\xaf\xd5\x16\xe4\x85\x77\xff\xf3\x93\xbd\xd7\x3b\x43\x6f\x9b\xb2\x6b\xd0\x3b\x6f\x7b\x68\x02\x5e\x51\x8c\x4e\x1a\x97\x33\x26\x4f\x83\x10\xb3\xf9\x83\x66\xde\x0b\x22\x33\xd3\x98\xa2\xbc\x2f\x39\x6e\x4b\x17\x91\xcd\x61\x48\xd4\x25\xe7\x6a\xb2\x40\xdc\x26\x82\x28\xdf\xe8\x5f\x72\xae\x26\x2f\x9e\xbe\x70\xa5\xb8\xd8\x85\x4c\xbf\xa5\xa4\x65\x4b\xaf\x4f\x3d\x89\x7d\xd5\x61\xae\x8a\x5d\xbf\x55\xc4\xb4\x89\xb9\xbf\xe6\xa8\x70\xe5\x4f\x38\xa7\x8b\x40\x77\xde\xd6\x8f\x14\x11\xef\x36\x4e\x22\xcc\xfa\xa5\x85\x5b\xa8\xf9\x3e\x5f\x18\xa8\x34\x22\x6b\x63\x88\x2a\x85\xd4\x1b\x1d\x18\x66\x68\x9e\x44\xfd\x2f\x5c\xe7\x83\xd5\x43\x28\x5b\x90\x77\x4b\x0b\xb7\x1c\xd2\xeb\xb1\xa8\x9d\x1d\x3d\xfd\x37\x63\x8c\xe9\x58\x86\xcc\xfd\xfa\x98\xf7\x37\xfb\x75\x8a\xb7\x8e\xb2\x28\xc2\x1d\x30\x58\x69\x69\xe1\x16\x42\x5a\xd7\x2d\x30\xf3\x3e\x32\x41\xa7\xf2\xa2\x81\xaa\x7d\xba\x20\x7c\x1f\x61\x6b\x41\x31\x49\x05\x87\x0c\x62\x05\xfc\xa5\x36\x30\x95\xd0\x0c\x21\xa5\xe3\x86\x3d\x13\x6f\xc8\x3a\xaa\x00\xcf\x56\xab\xc0\xbc\x43\x43\xc3\xc4\x2c\xaf\xf3\x95\x7e\xdc\x3c\x09\x68\x87\xb3\xf0\x51\xa3\xa6\xa6\xfe\x52\x58\xd9\xe2\x96\x54\x00\xe2\x43\x39\x0f\xc8\x32\x4b\x09\x7d\x8c\x5b\xff\x81\x01\x45\x73\xd6\xa8\x28\x7a\x63\x2a\x42\x23\x53\x04\xcb\x8b\x13\xf3\x8e\x6c\x6f\xa9\xb4\xc0\x98\x02\x95\x6e\x4c\x0a\x38\x51\xd1\xde\x90\x78\xed\xb3\x3a\x5f\x34\xc8\x31\xe4\x44\xc6\x56\x16\x15\xd3\x48\xf2\xe4\x34\x04\xb5\x99\x37\x84\xa2\x1e\xc1\x27\x4b\xb5\xc1\xff\x54\x0e\xa4\x8a\x86\xa9\x5c\xac\x67\xb6\x6b\xd9\x2e\xdb\xb7\x32\xd8\x3a\x95\xfb\x9b\x28\x14\x7f\x60\xc4\xde\x49\x6d\x2b\xaa\xb6\x5a\xf9\x79\xcc\x6e\x57\x95\x1d\x18\xe6\x8a\x72\x4a\x9d\xa0\x51\xd5\x55\x75\x06\x65\x54\xa1\x95\x99\x9b\xf7\xf3\xd8\x73\x87\x27\xe4\x6c\xb1\x8b\xe8\x75\xfb\x90\x73\x88\x3d\xd5\xda\x2d\xe4\x6e\x52\xef\x04\xdd\xfa\x79\xd1\xcf\xdc\x83\xee\x81\x3a\xe0\xb0\xb2\x87\x1c\xce\x9e\x3c\xf8\x24\x64\xed\xef\x77\x47\x3b\x41\x97\xc9\xc2\xbe\xd3\x7a\xa4\x2b\x4f\x92\xf5\x8e\x48\xdb\x42\x96\xe7\x1e\x70\xf7\x51\x61\x87\xd8\xd3\x2a\x9e\xcc\x14\x1b\xca\x98\xbb\x1f\xde\x62\xec\x04\x2b\x09\x67\x77\x46\xc1\xb0\x3e\x5d\x39\xa8\x8b\x2e\xdf\xc0\x67\x60\xa4\x2d\xe9\x75\x9a\x95\x44\xba\x7b\xa3\x2a\xe6\xbb\x3b\x61\x0c\xa4\x52\x83\x34\x5c\x43\x8b\x7b\xe3\x01\x76\x15\x0d\x12\x6e\x09\xee\x3f\xee\xf7\x3e\xb6\x7f\xc1\xbc\xb4\x55\xe0\x19\x65\xe2\xca\x63\x39\x64\xb0\xc3\x74\x0a\x20\x50\xb6\x29\xb2\xac\x98\x09\x05\x97\x5f\xf1\xa0\x09\x3d\xa2\xd0\x03\x91\x8e\x06\x63\x85\xfb\x22\x47\x6f\xac\xde\x5d\x86\xcf\x72\x2b\xa1\x6a\xae\x80\x0c\x50\x48\xf1\x60\xb1\xed\x16\x1a\x18\x60\x5e\x68\xab\xbb\x51\xbb\xa2\xe6\xa0\xa8\xa9\xba\xaa\xa8\x3a\xd2\xaa\xed\xd7\x89\xef\x22\x93\x75\x6d\xf4\x61\xc3\x33\x24\x6e\x90\xa9\xb0\x5e\x68\x4c\x27\x48\xcf\x13\xea\x38\xb0\x47\x00\x96\x80\x94\xc1\xe0\x8c\x0e\xa0\xe8\xa4\x97\x4f\xe0\x76\x71\x5e\xf4\xb5\x55\x27\xe8\x56\x91\x3f\x21\xcc\x03\x56\x57\x23\x39\xef\xa2\x89\xda\xaf\xa0\x6b\xd7\x0a\x5b\x72\x67\x20\x27\x68\xdc\xa2\x28\x25\x38\xd8\x22\xa3\x10\x70\x10\x17\x00\xc2\x8a\xbf\x43\xf7\x36\xa8\x76\x41\x2f\x4f\xe4\xe4\x41\xa6\x53\xd9\x4f\x5b\x0e\x23\x75\x08\xa4\x46\x60\xca\xdb\xe2\x3a\xe2\x4f\x22\xdc\x4c\x3b\x11\x19\xcf\x3a\x49\xa2\x40\xd8\x64\xff\x14\x78\xf7\x48\x9f\xac\xb6\x54\xb0\x88\x29\xca\x0c\x28\xec\x54\x90\xb6\x4d\x21\x27\x62\xf4\xdd\x1b\x9d\x8d\xda\x3b\xd2\x0f\x15\x7e\x73\xf0\x33\xcb\xf6\xab\xfe\xc9\xfc\x07\x9c\x1b\xd9\x0d\x8f\xf8\x28\x6e\x42\xd9\xac\xb1\x0a\xbd\xce\x7d\xbe\x5a\xe2\xc7\xce\x98\x5b\x9c\x25\x7e\xb5\xc9\xdc\xe0\x6e\xa3\x58\x7b\x6b\xc5\xdf\xcd\x2c\x15\xd0\xbd\x5d\x95\x7d\x3c\x4f\xf2\x20\x2a\x6f\xa2\xa8\x2c\x14\x88\x08\x86\xfa\xd3\x80\x11\xb3\x0a\xff\x23\x87\x3d\xa3\xc2\x79\x38\x1f\x74\xd1\x9f\x12\x8a\xcc\xfd\xa4\xe3\x3d\x67\xae\xd5\xca\x28\x8c\x43\xce\x94\x8c\x2f\x9d\x5d\x59\x7c\x21\x6f\x1a\xcf\xe1\xe4\x51\x09\x38\x05\xcc\xa7\x6d\xbc\x79\x39\x3b\xc6\x46\x82\x56\xcb\xf5\x3d\x77\x0e\x94\x21\xb3\x8c\x2d\x7c\x06\xd7\xb3\xd1\x56\x9a\x74\xdd\x29\xef\x49\xcb\x34\x5b\x77\xf8\xe6\x1b\xaf\xb6\xc2\xb6\x0a\x7b\x95\x3f\xbf\xb2\x78\x26\x69\x89\x85\x34\xbc\x20\x52\xf7\xeb\x57\x79\xf7\x58\x57\x08\xa9\x6b\xc8\xf9\xa0\x1c\x82\x97\xc4\x82\xcf\xaf\x2c\xf2\x16\xbe\x4b\x19\x2c\x08\x33\x8f\xe8\x13\x84\x52\x7d\xc9\xd9\x2f\x7f\x2d\x2e\x58\x1d\xf3\xa7\x57\xb2\x9f\x19\x65\x74\xc7\xfd\xf1\x51\xef\xfd\xa3\xf8\xb7\x5a\x05\xe0\xf3\xd4\x0b\x94\xbe\x82\x87\xd2\x64\x9d\x5f\x08\xc5\xa6\x85\x86\x8e\xc8\x8c\x99\x19\x11\x8d\x4a\x22\x91\xc9\x12\x64\x85\x62\x26\xc6\x63\x0a\xcd\xca\x56\x82\xe8\xef\x1b\xca\xd7\x83\x08\xb3\x49\x47\xc4\xcd\x08\xc9\x07\xd6\xc1\x11\xde\x12\x59\x09\x56\xd6\xf8\x1c\x5a\x2b\x74\x8a\x16\x22\x5e\x42\x2b\x82\x8c\x7b\xf2\x8f\x69\x0f\x3d\xe7\xa8\x6a\x99\x15\xb1\x5f\x36\xaa\x60\xbc\x3d\xe7\x51\x80\x8f\xf1\x4d\x08\x8c\x06\x48\xed\xa4\xd3\x01\x21\x9b\x54\x95\x2e\x2b\x84\x36\x40\x6d\x6c\xc4\x34\x32\x85\xe2\x8b\x60\xbb\x61\x6e\x18\xdb\x75\xcf\x2a\xfa\x2f\x0b\xea\x17\x04\x3c\x5a\x96\xe5\xb5\xc5\x85\xc2\xc0\x5d\xfa\x36\x02\x0d\xc7\x2d\x91\x42\xea\xdc\x24\xa5\xdf\x60\x8b\x54\x42\x9a\x1c\x52\xea\xa2\x32\x9f\x48\x5a\x05\x43\xfe\xe9\x7d\xec\x4a\xc5\x26\x7f\xbb\xd4\x9f\x7e\x62\x9f\xf7\xf6\x7d\xe6\x95\xb2\x59\x46\x6a\x59\x36\x30\x65\x31\xad\xa8\x5f\x03\x3d\x97\x33\xc5\x7c\x05\xe6\x26\x98\xd0\x3a\xad\x30\xcc\xcd\xac\x5d\x88\xd6\x5f\x2f\x98\xed\xe1\x33\xca\xf4\x5f\xb4\x5a\x45\xb5\x78\x26\x57\xc6\xbd\x49\x2c\xbc\x49\xfb\x5a\x2a\xda\x61\x12\x7b\x13\x3b\xa9\x92\x1e\x34\x5d\x1f\x3d\x71\xec\xfa\x18\xf1\x6f\xca\x74\xa6\x42\x30\x60\x74\x10\xb6\x4d\xbe\x9d\x0d\xbc\xaa\xd8\x25\xe5\x27\xc3\x3c\xe3\xf2\x38\x88\x14\x10\x64\xf0\x2b\x4f\x49\xe0\x31\xd0\x85\x20\x9b\x92\x06\x44\x57\x64\x36\xd6\x34\x43\x3a\xb5\x41\x14\x77\xfa\x70\x61\x83\xc6\x78\xa1\x0b\x86\x58\x30\x6a\x02\xe2\x1a\xd2\xc9\x54\xd8\x86\x39\xc0\x08\x42\xad\x23\x7b\x40\xb9\xd1\xa1\x52\x04\xc4\x83\xe1\x1b\xc5\x65\xab\x27\x68\x5a\x52\x92\x06\x6e\xde\xe1\xba\x1a\x1e\x4d\xde\xa0\xf0\x53\xd5\xbb\x5b\xb9\x85\x7f\xda\x61\x57\x10\xaf\x84\x94\x5d\xee\x8f\x6c\x01\xa1\x66\x8a\x71\xf4\x30\x48\xb9\xad\x31\xfd\xbc\xc8\x28\xa8\x8c\xbf\x42\x2b\x5e\x9b\x33\xd1\x50\x53\x20\xf2\xd8\x00\xdc\xc0\xdb\xa3\x91\x75\xca\xab\xb1\x21\xf5\x02\xf6\x80\x43\x54\x03\x1f\x70\xbc\xb7\x39\xda\xf5\x57\x52\xfc\x8c\xdd\x81\x84\x83\x69\x8c\xa4\xc8\x4a\xfa\xc0\xe9\x73\x2b\xab\x16\xac\x45\x8c\xf0\xf6\x79\x2f\x35\x58\x41\x64\x89\xb7\x8a\x7c\x29\xea\xb5\xc3\xf8\x4c\xd0\x11\xe3\x13\x90\x56\x49\x6a\x94\x14\xe5\x38\xde\x66\x37\xff\xf9\x18\x9b\xde\xd6\x7f\x83\x2e\x92\x8e\x88\x95\x3d\xed\x13\x63\xde\x7c\xf5\xad\x41\x10\xb6\x80\x97\x9f\xd4\xba\xea\x25\x67\x0c\x25\xaf\x68\x59\xdb\xdf\x17\x0f\xb0\x3f\x77\xd8\x15\x2d\xf0\xc7\xa0\xf3\xe8\xf7\x1d\x76\x74\x07\xc3\x3f\xe0\x75\xf2\x3e\xe8\xac\x2a\xa4\xbc\xa1\x2e\xa0\x56\xc9\xf1\x03\x7e\x43\x29\x74\xcc\xf1\x85\x64\x50\x30\x64\x51\x1e\x12\x75\x3b\xb1\x3d\x49\x39\x25\x35\x4a\x92\xf9\x15\x45\xfa\xc2\xc7\x17\x28\x7d\xb8\x4e\x6d\x4f\x7d\x68\x2d\xfe\x7a\x0c\x5a\x4b\x9b\xdd\xe5\x6c\x6d\x45\x91\x5b\xb4\xf6\x27\x1c\xa6\xc7\xdd\xfd\x61\xc7\x7b\x87\xb3\x68\xd1\x84\xd2\x92\x0c\x81\x46\x49\x9e\x75\xd6\x7b\xc0\x82\x43\xaf\x3c\x56\xf5\x04\xdd\x98\xdc\x51\xec\x33\x35\xe6\x06\x7a\x06\x9f\x56\xe6\xf3\x8f\xd4\xbc\x37\xd5\xce\x75\xe1\x38\xac\xaa\x4a\x5f\x99\x2c\x51\xdd\x74\x35\xe4\x07\xc6\x5a\xc7\x7d\x4b\x99\x2c\xaf\xe6\x72\x55\x09\x1f\x8c\x52\x95\xa5\x28\x07\xdb\x61\x9e\xc8\x83\x78\x26\x17\x54\x9c\xf3\x3b\x83\x30\x3f\x99\xa4\x85\x4b\x13\x49\x3c\x21\xb9\xfa\xb1\xea\xb6\x07\x4a\x92\xdc\x3c\x20\xfd\xcf\xe7\xb1\xd3\x97\xd5\x2b\xe9\xbe\xf7\x79\xde\xdd\x65\x7f\x23\x38\x82\xe4\xc5\x3a\x5e\x35\xac\xb6\x76\xae\xcc\x42\x1a\xac\xe7\xfc\x28\x1f\x27\x3e\xb0\x97\x65\x49\x5c\x47\x0f\x1c\x50\x82\x4d\x94\x38\x18\x6f\x66\x3f\x34\xca\xfe\x8d\x65\x31\xea\x04\x5d\xb4\x3e\xfd\xc7\x51\xef\xef\x47\x2a\x6f\x71\xf0\x02\x05\x98\x86\xa8\xf9\x84\x13\xbe\xde\x4b\xc1\xbc\xa9\x22\xbc\x41\x83\xd0\x5b\x23\x8e\x96\xee\x01\x7b\xc4\x7a\x03\x2c\x52\xc6\x36\x2f\xb5\x65\x48\x3e\x3a\x52\x26\xa7\x98\x65\x6c\x7a\x82\xaf\xb5\xd3\x20\xee\x45\x41\xba\x36\xcb\x94\x3d\x31\x83\x33\x33\xd1\x4d\xa0\xdb\x02\x7e\x8f\x9f\x17\xfd\x3a\xda\x25\xba\x41\x98\x66\x98\xe6\x0d\x51\x2b\x46\xce\x65\x18\x63\x1a\x86\x88\x73\x2c\x11\x54\x10\x78\x0a\x7d\x03\xe3\x10\x6a\x22\xd5\x03\xb8\x08\xcc\xe8\x71\x68\x40\xe0\x64\xa2\x1b\xa4\x40\x61\x06\x3c\xda\x13\x3a\x64\x86\x69\xc3\xb5\x0a\x25\xa4\x8c\xa6\x5e\x8a\xe0\xf9\x11\xd6\xd4\x67\x47\x26\xf8\x5a\x90\x27\x9d\xb0\xb9\x36\x5b\x28\xb7\x72\x3b\xa2\xf4\x2b\x88\xe4\x94\x4a\x79\xa4\xe6\xf9\x24\xa0\x09\xc8\xab\xcd\x20\x0a\x52\xb2\xb5\xce\x41\x21\xd8\x7e\x4d\xaa\x14\xe7\x61\x8a\x01\x8f\xdd\x28\x68\x5a\xae\x92\x92\xf6\x7d\x0d\xab\x85\x2d\xd7\xd2\x65\x3a\xca\x2d\xda\x62\x8d\xcb\x89\x33\x32\xe0\x89\x9f\x93\xaa\x14\x7b\x06\x1b\xeb\x04\x17\xc1\xff\xea\x3e\x91\x9c\x3f\xd6\x41\x9f\xb3\x83\x9d\xe0\xe2\x29\x11\xb7\xf3\x8d\xea\x27\x9e\xc9\xae\xea\x04\x17\x97\xd0\xda\x2b\xcf\xfd\x95\x4f\xf5\xd8\xbe\x24\x16\x67\xd7\xdd\xc8\x54\xe4\x5e\xca\xee\x61\x77\x3f\x8a\xcd\x64\x4f\x62\xfb\xf2\x30\x8f\x84\xdd\xc9\x4f\x66\x07\x9e\x89\x6b\xd7\xbe\x7e\x81\x7d\x47\xe1\x84\xc1\x4e\x69\xb2\xe0\x51\x1d\x86\x5b\x92\x24\x62\x4f\x95\x0a\x8c\x0e\x2d\xb7\xeb\xc4\xd9\x13\xc4\x45\x42\x07\x3a\x8d\x76\x5f\xf7\x4a\x6b\xbf\x69\xb1\x91\x38\xc9\xdd\x47\xb9\x27\x9f\xcc\x0e\x10\x8f\xbb\x5d\xbf\x27\xb2\xd1\x67\xa6\x62\xdd\xbe\xf8\x0a\xf6\xa4\xa2\x23\x8d\xa9\xf1\x98\xf4\x66\x8f\xed\x0b\xa2\xe8\x31\x9f\x6a\x4f\x67\x07\x3a\xc1\x45\x18\x9f\x27\xba\xfb\x5b\x49\xaf\x11\xa1\xc5\x8f\x7c\x50\xdf\xcd\xc6\xd4\x11\xdc\x7d\xea\x16\xa7\x99\x27\x12\xb2\xb0\x75\xf1\x4b\xfb\x87\xfa\x32\x3e\xb3\xdf\xfb\xc4\xfe\xea\x7b\xf6\x76\x02\x9f\xbb\x1c\xbb\x49\x12\x53\x74\xb2\xb5\x85\xcc\x0c\xd9\x42\x2e\xa7\xa0\xc5\xcf\xee\x50\xd2\x96\x1a\x82\x05\x51\x68\x96\x6a\x87\x54\xad\xa0\xa7\x92\x75\xac\xdb\x78\x96\xa7\xbd\x66\x3e\x49\x9f\x9f\xe4\xbe\xef\x4f\xe0\x8e\x91\x89\x5c\x6d\x83\x2b\x00\xbd\x9a\x0a\x1d\xa5\xad\xf4\x2d\x79\x74\x85\xde\xd0\x91\x91\x20\xcd\x4b\x8c\xe5\x14\xd8\x74\x22\x68\x6e\x60\x79\xb8\x6d\x16\x9c\x99\xea\xe3\x85\x12\x00\x05\x54\xeb\x0c\xaa\x87\x21\x78\x8a\x9a\x89\x63\x3d\xf8\x52\x31\x35\xd4\x5b\x3e\x9b\x99\xe0\x6b\x9d\xa0\x6b\x6f\xf1\x34\xc0\x84\xa2\x83\x3b\x5c\x58\x30\x61\x85\x69\x81\xf0\x8a\x44\xf1\x80\x5f\x21\x77\xf7\x8b\xf2\x98\x8f\x45\x29\xec\x0d\xca\x62\x03\xbd\xb1\xe3\x73\x20\x2c\x07\x3d\x57\x53\xb3\xf6\xa4\x5e\x0c\x0e\x34\xf4\x86\x74\x82\x2e\xcf\x83\x36\x8d\x59\xd5\x0c\xa4\x70\x2d\x68\xa2\x05\x36\x0b\xa3\x89\x36\x15\x66\x86\x8e\x61\x7b\x51\x13\x90\xbd\x63\x67\xcb\xfc\x56\x8d\x1d\x20\xb5\xc1\xfd\x95\x1a\x5b\xba\xdc\x92\xc2\xfb\x6b\xa7\x55\xf0\x1e\x06\x5a\x45\xc1\x91\x07\x76\xc2\x58\xf3\x8b\xe2\x90\xa3\xd6\xa4\xe3\xdf\x88\x3b\x46\x91\xbf\x12\x99\x2b\x98\xc6\xf0\x4c\x6f\xf1\x09\x18\x2f\x99\xbc\xaf\xfe\xe0\x63\xaa\x91\xd8\x95\x2a\xad\x43\x4f\x46\x95\x91\x5e\xd8\x28\x2f\x4c\x83\x1b\x2b\x16\x9b\x22\x9d\x18\x5a\x1e\xe4\x10\x80\xfa\x10\xc6\x5b\xa9\x0f\x1f\x1e\xdd\xd2\x9f\xfb\x86\x51\xef\x2f\x46\x86\xdf\xaf\x92\x70\x7a\xad\x0d\x9b\xf9\x72\xb2\x83\x26\x89\x64\x65\xaa\x5d\x50\x1e\x4c\xaf\x40\x61\xe0\xc9\xd9\x4c\x46\x98\x4e\xd0\x55\xe8\x32\x79\xd0\x46\x3b\x4b\xb5\x54\x84\x35\x02\x8b\x42\xbe\xe7\x55\xd7\xc2\x33\x24\x2c\xe5\xc5\x78\x9d\xa0\xeb\xf9\x7c\x2e\xca\x12\x83\x44\xda\x44\xab\xd6\x98\x6f\x41\x8e\x31\x5e\x83\x32\x03\xe6\x7f\x8b\x8e\x6e\x2a\xfe\x60\x23\x8c\x5a\x1c\x05\x9b\x9c\x08\xe3\x71\xc2\x63\x91\xa9\x19\xa5\x8d\xb9\x13\x84\x75\xd5\xd5\x1b\xb6\xf1\x6d\xf8\x10\x45\x59\x34\x44\x11\x8f\x90\xa4\x4a\x00\x58\x53\x7a\xd2\x22\x54\x4a\x32\xab\x54\x34\x65\x62\xb6\xb7\xd2\xcc\x71\x67\x90\xc2\x72\x2b\x53\xdf\xab\x1c\x76\x0d\xa9\x21\x86\x5a\xd1\x79\xe0\x51\xdf\xde\xcd\xa3\xe9\x2b\x18\xeb\x3e\x6e\x1f\xff\xc2\x08\x7b\xba\x35\xa5\x44\xa7\x21\x5a\x2d\xd1\xaa\x2b\xbb\xa4\xfb\xf1\x11\xef\x03\x23\x5b\x3f\x63\x04\xa8\x92\xb7\x41\x7b\x94\xe5\xc9\x8b\x1e\x37\xcd\xd1\xc4\xdf\x47\xe8\x0a\x93\xb8\xca\x56\xfb\x5d\x71\x5a\x8a\x23\xa9\x09\x14\xb8\x0b\x28\xc3\x61\xb1\xa9\xf9\xa9\xac\xdc\x44\x62\x48\x31\x22\x86\x32\x92\x0a\x39\xc4\x04\x8d\xaf\x2b\xa0\x5e\x3b\x1f\xc6\xad\x49\x5e\x04\xdc\xa2\xea\x41\xa6\x15\x98\x4f\x2a\xcf\xb7\x65\xbb\x9f\x7d\x5b\x0a\xa8\x1d\xa7\xde\x43\x4e\x87\x3a\x1d\x4d\xed\x3a\x35\x04\x04\x1a\xa3\x93\x49\x9b\xa4\x71\x49\xc3\x5d\xca\x15\x20\x41\x1d\x66\x1c\xcd\x4e\xc5\x6a\x19\xef\x75\x01\x45\xaa\x54\xed\x49\x5d\xe7\x09\xdb\x66\x14\xb2\x51\x11\xf7\x3a\x6e\x60\xce\xfd\x55\xb6\x7c\xf9\x37\x22\x96\xb1\x2b\x95\x25\x66\x21\x69\x5e\x76\x9d\xfc\x44\x51\x76\x4f\xb3\x64\xb2\x07\xaf\x61\xfb\xd1\x80\xe5\x7e\xf8\x1a\xef\x7d\xd7\xe0\xdf\x34\xdd\xce\x76\x45\x3c\xb7\xb4\xc8\x2f\xcc\x70\xba\x8e\xab\xdd\x57\xcc\x1b\x74\x99\x2c\x08\xc8\x1b\x50\x0e\xb2\x33\x1f\xd1\x73\x61\x96\xb1\x3a\x6f\x64\x49\x8c\x23\x15\xb6\x66\xe5\xfe\x99\x25\x5a\xad\x5a\x5c\x50\x44\x08\xfc\xc8\x51\xde\xdc\x08\xd2\xa0\x09\x79\xa9\x1b\xe2\xa2\x0a\x10\xae\xf3\x5e\x1a\xce\xca\x8a\x9e\x5b\x5e\x84\xf4\x98\x20\xa5\x80\x97\x5b\x93\x28\x88\xdb\x3c\x16\xf9\xe1\x5e\x1a\xf9\x4b\xf2\x06\xc1\xc7\xc8\x67\xeb\x5c\x74\x82\x30\x9a\xc5\x35\x15\x84\x91\x95\x64\x53\x55\x8a\x7c\x08\x8b\xa1\xbc\x0c\x5e\x07\x94\xc4\x38\xe8\x88\x59\x64\xf0\x0e\x5b\xe5\xc0\x71\x10\xa1\x31\x5f\x84\xc8\x6f\x91\x23\x1e\x65\x8c\xe8\x58\x99\xc9\xb0\x0b\xac\x97\x53\x33\x47\x27\x79\x46\x08\xae\x33\xfe\x34\xbf\x7b\xf9\xe4\xbc\xbc\x7a\x8f\xcf\xeb\x3c\xec\x5e\x38\x3a\x8b\x28\x91\x17\x8e\x02\x54\x64\x75\x4d\xb1\x92\x8b\x4b\xf8\xca\x71\xf5\xca\xf1\x9d\xbd\xd2\x0c\x5b\xa9\x6c\x0e\xa4\xdf\x6c\xf9\x38\x3c\x51\xe7\x9d\xa0\x29\x9f\x3f\x3d\x37\xbf\x5d\x17\xe2\x6b\xf2\xc1\x3a\xef\xf5\x60\xc4\x63\x7e\xee\x9c\x72\xac\xc2\x2a\xcf\x78\xaf\xdb\x45\x92\x50\xb3\x7b\x30\x24\xb3\x2d\x2e\xf2\xf1\x9b\xc3\x89\x97\xdc\x3d\x55\xbf\x21\xa8\xaf\xdf\xf3\x8a\xeb\xef\xaf\xdf\xac\x7f\x1c\xdd\xd9\x8f\xe9\x23\xf7\x3f\x93\x6a\x30\xa3\xab\x30\x73\x19\xeb\x30\xa3\x7f\xcd\xec\xa4\x12\x47\x75\x25\x8e\x5e\xc6\x4a\x1c\xb5\x2b\x71\xfd\x0d\x41\xe3\x9e\xea\x7a\x19\x55\x39\xa6\xab\x72\xec\x32\x56\xe5\xd8\xc3\xad\x4a\x98\x35\x62\x9c\xb6\x2b\xb7\x9c\x99\x9e\x92\x8a\x0c\xfc\x35\xa3\x22\x63\x68\xf9\xc3\xf9\xc7\x9b\x9a\x39\x32\x7d\xdd\xb1\xe9\xa9\xa3\x33\x1e\xf0\x7d\xdf\x70\xdd\xf5\x75\x7d\x6d\xda\xa3\xf2\xa6\xa7\xcc\x12\xb7\x2b\x87\xde\x99\x29\xde\xa9\xfe\xf6\xe0\xb7\x9a\xa9\x68\x85\x79\x33\x48\x41\xa0\xe1\x2f\x2e\x7f\xaa\xf7\x2b\x7b\xf0\x25\xe3\x37\xcf\xc2\x88\x41\x1f\x8c\xdf\x3c\x8b\x7f\xcf\xdc\x3f\x71\xf3\x7d\xc7\xee\x9e\xae\x1f\xbb\x87\x6e\x1e\xbd\xff\xbe\xe3\xe3\x37\xcf\x4e\x4d\x4f\xdf\x07\xdd\x8a\xd7\x27\xf4\xab\xf7\xcd\xdc\x7d\xf4\x3a\xf5\xf0\xcc\xfd\xf7\xcd\xc8\x87\xef\x9e\xaa\x1f\xbb\xe7\xbe\xbb\x8f\x5f\x6f\x3f\x3d\x7d\xff\x7d\xe3\x37\xcf\x1e\x99\x9e\x99\xbe\x6f\xfa\xfa\xa9\xa9\xfb\x66\x8e\xbd\xb8\x25\x3f\xf9\xe2\x96\xbc\x37\xf1\xcc\xc2\xc5\x11\x43\x04\x5a\x5b\xb6\xa4\x90\xc3\x9d\xf0\x22\x06\x3e\xd7\x79\x96\xc9\xf1\xe2\xe7\xfc\x15\x9f\x03\x18\x48\x84\x68\x91\x61\xde\x57\xcd\x2e\xb6\x03\xa3\xd5\xf0\xbd\xbb\xeb\xfc\x9e\x9b\x5f\xdc\x7a\xc5\x11\xfd\xd7\x51\x98\x05\x1b\xe2\x62\x33\x89\x92\x14\xc6\x60\x43\x5c\x0c\x5a\xa2\x19\x76\x82\x88\xc3\x55\xde\x4c\x5a\x74\x02\xf6\xae\x3d\x09\xff\xcd\x56\x7f\xe4\xda\x9b\xc7\x69\x82\xcd\xd5\x4f\xca\x3e\xbd\xcf\xfc\x79\x5c\x36\xb4\xce\xd3\x76\xa3\xf8\xd8\xf2\xad\xb7\x0c\x7c\x24\x6d\x37\xe8\x6b\x69\xbb\x31\x7e\xe4\xd8\xb1\x49\xfa\xdf\x0d\x72\xd4\x1b\xfd\x5c\xcc\xf2\x46\x90\x89\xe3\x47\x35\x60\x76\x23\x8c\x83\xb4\x8f\xa0\x62\x75\xae\x70\x58\x67\xa1\x47\x81\xeb\x3e\x59\x2f\x36\x32\xb9\x29\xca\x3e\x04\x40\x14\x6b\x8e\x1d\x99\x9a\x3a\x5e\x9f\x9a\xae\x4f\x1d\xf1\x4a\x9b\x86\x54\x6d\xea\xf0\x42\x18\xcb\x1d\x64\x66\x66\xe6\x06\x59\x14\xf1\x90\x40\x71\x8a\x93\xc4\x2e\xf2\x08\x8f\x33\xaf\x52\x4e\x83\x26\x09\x82\x7a\x41\xd3\x99\xa4\xe0\x4a\x0a\x72\xb0\x20\x21\xc6\x8b\x3c\xd1\x14\x85\x93\x6e\x80\xad\x90\x25\xe8\x96\x20\xe3\xbd\xdd\x9c\xe9\xa3\xf5\xe9\x23\xf5\xe9\x63\xab\xd3\x37\xcc\xce\x4c\xcd\x1e\x99\xf2\xa7\xa6\xa6\xee\x2a\x37\x4e\xbe\x5e\x47\x62\x7b\xdd\x38\xcb\x2e\xf0\x6f\xd9\x58\xdc\x8b\xc0\xa3\x5f\x32\xbb\xf6\xd8\xbe\x20\xee\x3f\xe6\x66\xc6\x7b\xd8\x01\x0a\x9a\x72\x1f\x0d\xed\xd0\x32\x37\x93\x39\xd3\x6e\xf7\x33\xd8\x58\x27\x8c\xb7\x70\x19\x3c\x9d\x1d\xa0\x00\xe5\x6a\x43\xe8\x6b\x47\x4a\x27\xfe\x30\xce\xeb\x49\x5a\xc7\x1e\x77\xff\xac\xe6\xfd\x5e\x6d\xf8\x7d\x8b\xbf\x5d\x05\x43\xe8\xc3\x8b\x4a\x03\xc0\x24\xdd\x36\x26\xd9\x06\x5a\x9f\x5c\xa4\xcc\x3b\xb0\x40\x62\x0c\x3c\x85\xa0\x28\xe7\x98\x15\xc9\x0f\x26\xd4\x8c\xce\xcf\x90\x9e\xd7\x3f\xbb\xce\x11\x5c\xa3\x13\xe6\xf2\xb0\x11\xae\x1b\xf2\x80\xc0\xc9\x73\x4b\x31\xa5\xe3\x2a\x99\x43\xa1\x08\xb0\xb4\x61\x98\xfa\x2c\xd7\x9e\x96\xe2\x12\xcd\xbd\x23\x13\x1c\x0c\xd9\xf4\x78\xf1\x6a\xe5\xcb\x03\xaf\xc3\x15\xdf\xf7\xf9\xbd\x22\x4d\x14\x5f\x95\x35\x94\xef\x1e\x61\xcf\xdc\xc9\xf1\xc8\xfd\x8b\x9a\xf7\x95\xda\x8e\x0e\x52\x59\x9e\x74\xb3\x72\x1c\x72\x4b\x34\x13\x00\x21\xca\x72\x41\xa1\xd9\xdd\xb4\x07\xf1\x9e\xf4\x1a\x06\x2a\x29\xe4\xe7\xe2\x1c\x45\x41\xba\x0a\xb9\x48\x8a\x18\xf4\xb9\xa2\x71\x37\x58\x5f\x07\xb8\x66\x2a\x25\x95\xdb\x41\x06\x10\x73\x04\xad\xb3\x19\x22\x6b\x94\x0a\x65\x8a\xa5\x0c\x89\xf4\xd7\x0b\x07\x61\xb8\x0e\x26\x91\x22\x6f\x41\x4e\xb0\x24\xe5\x55\x6e\x0c\x93\xb8\xbf\xa8\xa3\x55\x31\xf0\x5f\x6a\x63\x09\x64\xad\x9a\x26\x3e\x1f\x33\x40\xe0\xe4\x98\xa4\x8d\xb0\xd5\x12\xb1\x7d\x20\xbc\x8f\x5d\x61\xac\xec\xc7\xda\xc8\xf0\x7a\x87\x5d\xa9\xfc\xb4\xcd\x50\x64\xee\xbd\x0f\x38\x11\x7b\x19\xdb\x78\x54\xbd\x37\x98\x8c\x0d\x8e\x49\xb3\x32\xcf\x64\x57\x75\xc2\x78\x3b\x07\xe3\x77\x31\xa6\x6c\xee\x67\xd7\xab\x05\xcf\xd3\xd8\x15\xbd\x38\x7c\x79\x4f\xa0\xf0\xb2\xc5\xda\x4f\x5c\xc9\x66\x1f\x19\xb7\x28\xc0\x7e\xfe\xd5\x15\xde\x4b\xb7\xb8\x5f\x86\x00\xa5\xc4\x8d\xf5\x5e\xdc\xc4\xd9\x65\xe0\x3c\x0d\x29\xc6\xbf\xe4\x5c\x0d\x7f\xad\x06\x69\x5b\xe4\xcb\x62\xfd\x92\x73\x45\x27\xb8\x48\x8c\x2a\x76\x8e\xdf\xd7\x18\xfb\x31\x87\x99\xb7\xdd\xf7\x38\x2a\x00\xfc\xd5\x8e\x71\x5d\x45\x61\x81\xf6\xcd\xa3\xb0\x13\xe6\x3a\x98\xbe\x08\x11\x4f\xd5\xd3\x80\xe2\x24\xd7\x2a\x04\x7b\x14\x04\xa8\x72\xc2\xc3\x9f\xbc\xd7\x05\x2b\x4f\x01\xa1\x1c\x69\xc8\x8b\x4e\x18\xab\xcf\xda\xb1\xea\x0f\x8e\xb2\x03\x1d\x91\xa7\x61\x33\x73\x1f\x18\xf5\xbe\x3c\x42\x3f\x6c\xf8\x68\x2b\x74\x1a\xb3\xe8\xa8\x2e\x04\x18\x95\xf0\x66\x10\x35\x21\x54\xc0\xea\x66\xaa\x3d\xc6\xb8\x43\x84\x01\x27\x57\x5d\xe9\x16\xe1\x6a\x41\xa4\x00\xd5\xc0\x24\x20\x99\xf0\x31\xa3\xaa\xba\x5c\x58\xf6\xf4\xf9\x96\x72\x00\x69\xeb\x32\x28\x31\xbc\x21\xf2\x4d\x41\x89\x1a\x39\x8c\x23\xed\x5d\x1a\xad\x59\x21\x5e\xc2\x55\x52\xdf\x07\xd3\x86\xba\x49\x2b\xf3\x39\x3f\x91\xb6\x93\x49\x5d\x55\x30\x43\x83\xc1\xad\x25\x9a\x29\xf0\x3a\x90\x25\xbb\x0b\x58\x58\x54\xc9\x30\xc6\x9b\x84\x2b\x77\x21\x6c\x0a\x48\xb6\x0d\x7c\xce\x57\x84\x50\xa6\xef\xf0\x42\xd8\x82\xe0\x0e\x28\x9d\xab\x44\xe8\x7e\x97\x12\x18\x3b\x2a\x21\xd9\x8e\x71\xdf\x48\x36\x31\x72\x43\xb9\xd5\xe8\x7d\xa8\x17\xb1\xf6\x59\x16\xde\x2d\x33\x2a\x2a\xd7\xe1\x69\x28\x51\x2e\x2b\xf6\x57\x35\x76\x85\x31\xab\xdc\xaf\xd6\xd4\x24\xff\xf5\x9a\x71\x5d\x07\x31\x27\x9b\x97\x67\x92\xb7\x92\xcd\xd8\xe7\x72\x9e\xb7\x0c\x17\xd3\x34\x62\xe6\xf2\xd2\x97\x6d\xcb\xe2\x94\xb2\x1e\x06\x51\x77\x23\xb0\xbc\x33\xfc\xb6\xa5\xb9\x15\x58\xe2\xc9\x5d\x72\xcf\x96\x0a\x0d\x84\xe3\x13\x71\x62\xce\x23\x11\x80\x2f\x4c\x90\xb5\x55\xee\x2a\xca\xe2\xa6\x7a\x3a\xcc\x34\x3c\x95\xdc\x69\x40\x8d\x56\xce\x23\x82\x0b\xcb\x00\x90\x05\xbc\xaf\x66\x99\x54\x40\x61\x0a\x36\x40\x99\x8c\xd5\xfa\x1f\x6b\xac\x24\x89\xdc\xbf\xde\x0a\x08\xbd\x6a\x0c\xe7\xe5\x42\x23\xab\x28\x36\xa5\xa0\xc0\xf9\x90\x63\x97\xae\x20\x18\x55\x4a\x16\xae\x9b\x22\x37\x3f\xc1\x41\xd1\x50\xf2\xca\xed\x48\x33\xdf\x94\x14\x6a\xa9\x14\xe9\x43\xcd\x24\x8a\x88\x11\x35\xc8\xf8\xa6\x88\x22\x8e\x33\x00\x63\x9b\x22\x0d\xfe\x95\x17\xc4\x5e\xb8\x96\x7c\xf6\x3f\xed\x88\xd8\xaa\x76\x6a\xa3\xb8\x9c\xb1\x68\x9e\xff\xe9\x31\xef\xfb\x9c\xc1\xeb\x3a\x03\xa9\x20\x24\x87\xa9\x06\xbe\x4e\x1a\x19\xda\x45\x10\xed\xa4\xd0\xc6\x94\x35\x73\xdc\x02\xe8\xdc\x08\xf3\xac\xde\x15\x69\x3d\x13\xcd\x24\x26\x77\x37\x5f\x8c\xdb\x60\x3e\xc3\x57\x26\xfc\x4b\xce\x7e\xec\xd0\x4b\x0e\xc3\xaf\x9c\x81\x5c\x93\x2b\xf0\xea\x1d\x72\x2e\x58\x5b\xcb\xdf\xef\x67\x7f\x50\x63\x63\x99\x90\xdd\x96\xa4\xee\x6f\xd6\xd8\xf3\x1e\x09\x2e\x40\xd0\x10\xd1\x0a\x15\xe2\xbd\xbe\xa6\xca\x2b\xa2\x82\xa5\x32\x50\x57\xc7\x5c\x60\x08\xc2\xc4\x78\x05\x23\x60\xb4\x1f\xf9\x78\x75\x11\x6a\x69\x63\xea\x08\xf5\x5d\xc1\xaf\x8e\x28\x95\x14\x17\x19\xa0\xe7\xb0\xc8\xbd\xd6\x94\x24\x6a\x0a\xe9\x39\x83\xca\xac\x96\x7d\x3a\xe9\x43\x3f\xd0\x4c\xba\x72\x68\xe0\x4b\xbd\x18\xbe\xf5\x32\x29\xf6\x8a\x52\x64\xdf\x0e\x70\x5a\xb5\x03\x50\x14\xa9\x18\x9f\x7d\x8f\xc3\x68\x4c\xdc\x0b\x97\x71\x59\x3d\x8b\x16\x4e\xa8\x75\x10\xd0\x48\x2c\x2f\x8f\x72\x9c\xbf\xc1\x61\xe6\x04\x70\xef\x7f\x18\xd8\x0f\xbe\x5a\x99\xfe\x0b\x7a\x01\xc4\x74\x78\xcf\x35\xca\xd2\x59\x8b\xe6\xf6\xa7\x9c\xac\x38\x54\xe3\x10\x16\xf2\x72\x7a\x7b\xc2\x67\x0f\x3a\xec\xca\xe0\x82\x48\x83\xb6\xc0\xfa\xfc\x9f\xce\xee\x2a\xb4\x6e\x96\xb6\x55\x8d\xe8\xb9\x52\x05\x0d\x3d\x21\x15\x91\xb8\x10\xc4\x94\x21\x5b\xaa\x39\x3b\xc5\x8c\x45\xe5\x3e\xd7\x9b\x36\xa6\x41\x45\xa4\xbf\x92\xe0\x31\x07\x1f\x42\x19\x0d\xe8\xcd\x07\xd9\x84\x31\x01\x2a\x74\x6a\x5a\xdd\x00\x73\xf3\x47\x63\xde\x21\xe3\x37\x06\x0f\x90\xb8\xa3\xdc\x33\xba\x5d\x8d\x72\xf3\xf3\x07\xd8\xe7\x4c\x38\xf6\xcf\x3c\x9c\x3e\xaf\x00\x00\xf9\x97\x01\xc6\xbe\x07\xdc\xb3\x4b\xe0\x9e\x48\x45\xa8\x36\xbd\x7f\x57\x09\xdc\xa3\x26\x95\xa9\xe4\x5d\xc7\x8e\xb1\x99\xa1\x92\x6c\xf8\x44\xde\x03\xef\xd9\x0d\x4d\xc6\xda\xf6\xc0\x3a\x37\xb9\x37\x6a\x60\x9d\x62\x18\x34\xbc\x8e\x21\x3f\x6c\x6c\x1d\x18\x25\xc6\xfe\x74\x94\xfd\x7b\x7b\x4b\x52\x2c\x4a\x52\x76\x5d\x98\xf6\xcf\x65\x22\x5d\x8c\xd7\x13\xf7\x93\xa3\xde\x5d\xea\x07\x25\xc8\xe6\x1b\x55\x07\x08\x38\x8c\x66\x22\x05\xd2\x37\x8a\x1f\x53\x20\xbb\xfa\xa6\x0f\xc5\xc0\x92\x59\x0f\xca\xfc\x06\x9f\x1f\x61\x31\xdb\x27\x2e\xe6\x69\xe0\x0a\xef\x86\xb9\xb8\x3f\x0c\x2b\xba\x0c\x63\x61\xd4\x3f\x49\xfd\x07\x9c\xef\x64\x5b\x44\x6a\x9a\x36\x8a\x17\xb0\xfd\xd0\x89\x99\x7b\xab\xf7\xec\x55\x92\xea\x10\x8f\x86\x97\x71\x66\x41\xb3\x60\xfa\x76\x91\x48\x74\xab\x50\x97\x8f\x3a\x6c\xa4\x17\xb6\xdc\x0f\x39\xde\xbb\x9d\x39\x8e\x96\x0b\x9a\xf0\x98\x18\xa9\xb0\xe1\xcd\xd2\x69\x67\xd2\x79\xf4\xd6\x77\x21\x91\x5d\x1d\x26\x62\x8c\xb7\x87\x7b\x8a\x10\x48\x27\x8c\xc9\x4a\xb6\x5a\xc4\x1a\xd0\x47\x8d\x05\xe2\x1f\x8a\xac\xbe\x73\x8b\x0b\x76\x08\xdd\x8b\xd9\x98\x2c\x0c\xf2\xd9\x96\xbc\x79\xd5\x0b\x44\x2b\x08\xd5\x8f\xfa\x43\x6a\xdd\x81\xe3\x88\xd4\xbd\xf1\x84\x82\x54\x4b\x66\xe9\xdf\xcb\x2a\x33\xce\xcf\x24\x2d\xa1\xa8\xd7\xdd\xaf\x1c\xf4\x6e\x3c\x03\xa9\xbe\x8a\xc1\x1e\x3a\x1b\x86\x40\x8e\x45\x6c\xdd\x33\xf9\xf2\x7b\x91\x28\x25\x9c\xbf\xfd\x20\xfb\xd2\x3e\x76\x58\xb3\xc3\x97\xa9\xf2\x17\x31\x0c\x01\x2f\x9f\xb8\x28\x9a\x3d\x88\xdd\x7e\x60\x9f\xf7\xa5\xd1\xd5\x82\x8d\x5f\xc1\x4f\x76\x75\xea\xaf\xba\x41\xe0\x2e\x89\xca\x9a\x94\xbd\x94\x05\x79\x98\xad\xd3\x5c\xac\x60\xe1\x37\xac\x8e\x2a\x4f\x1f\x4c\x9f\x68\xed\x0c\x73\x02\x2b\x06\x4e\x05\x33\x33\x11\x49\x21\xe5\x84\x8c\x85\xb2\x04\x6b\x04\xf3\xa2\x78\x83\xb1\x41\x41\x94\xda\x14\xf9\x4a\xd4\xcb\x62\x74\x98\x1d\x70\x3d\x2a\x6a\xfd\x64\x9d\x23\xaf\x7f\x46\x81\x15\x70\x24\x09\x9a\x1b\x46\xb1\x1d\x01\xe1\xb3\x51\xa4\xaa\x60\x8e\x04\xc6\x95\x11\x61\xa0\x16\xe1\x9a\xfa\x4b\xc5\x9d\x95\x87\xa3\xb2\xbb\x10\xdf\x7f\x62\x52\x61\x1c\xc9\x7d\xa3\xd7\x91\x5d\x17\xe6\x90\x9f\x04\xdb\x45\x9a\xf4\xda\xd8\x12\x2b\x8e\xb4\xc8\x80\x0a\x08\x6c\x3e\x6e\x73\x0f\x1b\xe7\xe9\xfc\xf0\x5e\x47\x1d\xe7\xa1\x7d\x84\x83\x8a\x3b\x46\x92\x92\xbd\x03\x31\x21\xf3\xe6\xc6\x89\xa2\x6e\x37\xea\x97\xc6\x81\x10\x80\x3a\x73\x23\x6c\x6f\xa8\xbe\x54\x59\xf4\xf6\x18\x58\x32\xe3\x39\x6c\x96\x5d\xbf\x3d\x01\x90\x7a\xb7\xe8\xaf\x55\x91\x76\xd8\xc7\x47\x98\x3f\xac\x43\x87\xcc\xef\x6f\xd7\x58\x7d\x47\x18\xf2\xfa\x68\xf7\x6b\x8a\xaf\x5d\x8f\x90\x35\xc6\x43\x66\xb4\xf6\x05\x74\x44\xce\xe5\xca\x28\x46\x5a\xca\xb6\x49\x6d\xd6\xd2\x54\x0a\x8d\x62\xcd\xc9\xb3\xae\x91\x64\xaf\x81\x4e\x1e\x5e\x0d\x9a\x60\x41\x43\xa3\x8d\xaa\x45\xd2\x11\x84\x9d\x40\x19\x92\xb2\x0a\x42\xf5\x8e\xe2\x7f\xe8\x21\x2c\x80\x0a\x45\x27\x88\x74\x03\xa1\x40\x2e\xc1\xa0\x0f\xd5\x26\x26\x17\x21\xf7\x73\xb4\x37\x00\x4e\x8b\x6e\x1f\x68\x23\x52\xe3\x80\x96\xb0\xd7\x1e\x64\xcf\x34\x7a\x9c\xb0\x7f\xe1\x08\x68\x6b\xff\x5f\xda\xa5\xf6\xff\xb3\x07\xf6\x54\xe5\xdd\xaa\xca\x6d\xa5\x2a\xbf\xe4\x61\xa8\xca\x47\xd8\x14\xf3\x87\x2e\xb1\xca\x01\xdf\xd3\x92\x77\x01\x71\xf9\xaf\xef\x8c\xfb\x90\xd3\xd8\x5e\xf1\xbf\xd9\xbd\x49\x2b\xfe\xc6\xa4\x2a\xb1\xe3\x0d\xd5\xff\x19\xfb\x45\x9b\xa4\x5f\x43\x00\x29\x00\x9f\xc5\x4e\xd0\x16\xee\xa5\x9a\xf7\xd4\x05\x95\x67\x14\x14\xf0\x3e\x3c\x94\xb7\x2f\x39\xfb\x40\x51\xb6\x11\x6d\x1c\xf6\x01\x87\xe1\x0d\xf7\x5d\x8e\xf7\x8a\x33\xa0\x4b\x37\xfa\xda\x28\x0f\x74\xa1\x40\xdf\x92\x21\xb0\xa2\x8f\x60\x28\x77\x7b\xb2\x36\xed\x66\x2a\xbb\x73\xa3\xdf\x15\xa9\xec\x83\xd9\x0b\xd3\xfe\x94\x7f\x9d\x37\xc9\xbd\x56\xd2\x3c\x2f\xd2\x8d\x5e\x43\x3e\xd0\x4e\x92\x76\x24\x5e\x5a\x20\x0e\x0d\xbe\x72\xcf\x16\xfa\xf9\x1c\x3b\x98\x85\xf7\x8a\x5b\xfa\xb9\xc8\xdc\xa3\x0a\x38\xf3\x19\xa0\xfb\x85\xf7\x6a\xf5\x8a\x2a\x1a\x43\xf4\x4e\xc9\xed\xf5\x73\xfb\x2d\x44\x6c\xd5\x85\xb7\x86\xf9\xb2\xe8\x26\x98\xac\x4f\x46\xe3\xb7\xee\xf7\xfe\xae\xb6\x5c\xe0\x51\x14\xf8\x33\xa4\xa8\x95\x72\xc6\x73\x02\x83\x54\xea\x4c\xc0\xdb\x21\xac\xeb\x24\x0b\xf3\x24\xed\xfb\xfc\x56\xfa\x4d\x05\x65\x1a\xbd\x87\x90\x37\x92\x4d\xd9\x27\x1b\x61\x97\x77\x82\x38\x68\xc3\x66\x59\xf1\x96\x7a\x7c\xe5\xc4\xa9\x30\xee\x5d\xe4\xa9\x00\x63\xac\x9c\x4b\x8c\x2d\x9c\x58\x5a\x3e\x31\x3f\xb7\x7a\x62\x61\x96\x53\xab\xf0\x1c\xd2\x4d\x45\x93\x92\xb4\x92\x02\xd5\xc4\x9a\x20\x44\x33\xa6\xaa\x3d\xc9\x3b\xe8\xa2\x8b\xf9\x89\x4e\x37\xef\x2f\x84\x29\xe6\xb4\x83\x4d\x3b\xcc\xf5\xbc\xc3\x1e\x69\x46\x89\xda\x9b\xa0\xba\x98\xbe\xd2\x0e\x73\xe2\xb3\xc7\xc2\xe4\x6d\xbb\xb4\x1c\x51\xe7\x0e\x65\x45\x4d\xfc\x4b\x0e\x2b\x3a\xce\x9a\xaa\xff\x58\x63\xdf\x5f\x63\x07\x5b\x61\x0a\xba\x4e\xdf\xfd\xb6\xe3\xfd\x85\x83\x8e\x0b\xae\xaf\xc2\x31\xc8\xe7\xa7\x55\x82\x98\x42\x1e\x45\xe2\xa0\x94\x92\x98\x0e\xf9\xfe\x21\x9f\x4b\x55\xe5\x90\x7f\x48\xe5\x65\x44\xa1\x62\x6e\xa3\xe1\x2e\x0a\x55\x56\x64\x34\x74\xdb\x63\x8b\x5c\xb7\x9b\x21\x70\x32\xad\x17\x1a\x8e\x55\x14\x14\xa0\xea\x32\x58\x8a\x8e\x6b\xe8\x35\xcc\x8f\x2a\xa5\x1f\x51\x99\x64\xc3\xcc\x45\x31\xc1\x8c\xae\x72\x9f\xe6\x5d\xbd\x5c\x94\x77\x6e\xf9\x94\xf9\xe8\xf3\xd8\x58\x2a\x70\xdc\xdd\xa3\xde\xa1\xf9\xa4\xd3\x09\x01\x12\x70\x43\xdb\xef\x0b\xcd\x4c\x3d\x69\x7d\xec\x17\xc6\x2c\x74\x5f\x45\x7b\xd2\x2f\x62\xd1\x69\x6b\x5a\x89\xc2\xa6\x00\xad\xe8\x0d\x63\xde\xf1\x81\xab\x26\xce\x4b\x81\x02\xae\xf7\xb5\x4c\x3e\x97\x55\x2a\x49\xbf\xb1\x07\x04\xbe\x6b\x25\xe9\xbc\x52\x92\x1a\xde\x53\x4e\x55\xf7\xfd\xce\x4f\x3c\xdb\xcc\x81\x3d\x45\xe9\x5f\x3a\x16\x78\xb4\xbd\xe6\xb2\xe8\xde\x5a\x27\xf5\x64\x60\x29\x57\x19\x29\xb9\x52\x73\x8a\xc9\x41\x5a\x0e\xfb\xf4\x41\x6b\x03\xb6\x95\xeb\x33\xf8\x6b\x09\x40\xc3\xdd\x77\x1d\xf4\x16\xad\x2b\x46\x48\xcf\xa6\xdc\x71\xe8\x65\x9e\xa7\xf2\x98\xd9\x34\x1d\xff\xeb\x18\x84\x88\x10\x67\x03\x78\xdc\x5f\x3c\xf0\xaf\x93\xf6\xf6\x95\x8a\xa4\xb8\xbf\xc5\x82\xdd\xa2\xcb\x81\xb3\xf8\xa6\x9d\x51\x16\xeb\xcc\x48\xab\x84\x3d\x9a\xf2\x3d\xc6\xa8\xc7\xd3\xff\xd2\xda\x5e\x98\xcd\xb9\x37\x2b\x61\x66\x4d\xdd\xd2\x69\x8b\x0f\x3f\xaa\xb1\xcf\x8c\x5a\x07\xb1\x06\x90\x21\x5d\x80\x58\x80\xf8\xf9\x49\x83\x70\xd8\xde\x37\xea\xdd\x60\x5d\x29\xa3\xdb\xa9\x20\x33\x83\x83\xa0\x99\x26\x31\x7f\x59\xd2\xb0\x2d\xe3\x5f\x18\x91\xe7\x33\x45\x1f\xfd\x4e\xc7\xab\xcf\x69\xa5\x09\xb9\x20\x91\xea\xb7\xc0\xa7\x55\xe0\xae\x2f\x4b\x1a\xb6\xad\xe3\x28\x3b\xc2\xa6\xb6\x35\x27\x96\x02\x19\x1e\x72\xae\x1d\x0a\x86\x71\xd0\x3d\x80\x79\xfe\x8c\xbd\xd3\x61\x4f\x88\x82\x2c\x27\x93\xa6\x58\x0d\x3b\xc2\x7d\xe5\x16\xd0\x80\xdb\x11\xe9\x9c\x5c\x34\x3c\x47\x80\x34\xb1\x49\xe1\x75\x00\xa2\x96\x2b\x9a\x9d\x97\x25\x0d\xb8\x63\x21\x92\x69\xd3\xa4\xcf\xde\xe6\x30\x17\x2a\xa6\xef\x43\xd5\xee\x7f\xe4\x35\xbb\xe5\x61\xd4\xcc\xaa\x15\x81\x77\xc9\x5a\x7d\x71\x8c\x3d\xad\x6a\x16\x3d\x3f\x69\x80\xe6\xfc\xe0\x98\xc7\xe9\xef\x2a\x5b\x22\x0c\x6d\xa5\x8e\xfc\xa3\x7b\x86\xc4\x5d\x4b\xe1\xbb\x95\x8e\xbc\xec\x3d\x35\xac\x32\x24\x3e\xbf\xbc\xb2\x26\xd8\x21\xf6\xef\x87\xae\x2c\x73\x74\xf7\x44\xfc\x2e\x74\xe2\x5f\x33\x15\xb7\x9f\xdf\xa5\xf1\xf0\xff\x18\xa2\x15\x3f\x76\x76\xc3\xe5\xed\x37\xac\xc3\x6e\x5d\xdb\x0d\x61\x1a\x69\x5b\x21\x49\x87\xb2\x9d\xf0\x75\x8c\x95\xa2\xd6\x36\x92\x34\xbc\x57\x47\x08\xac\xf4\x60\xda\xcc\x81\x58\x5a\x16\x17\x42\xb1\xe9\xfe\xd6\x41\x6f\xa9\xe2\x3a\xf2\x0d\x67\x65\x52\xe5\x00\x9d\xc8\x49\x4a\x9e\xde\x66\x10\xf3\xae\x48\x21\x64\x30\x88\xc1\xa5\x9c\xc4\xfe\x25\x07\xb4\x51\x4b\x36\xfd\xaf\x03\xec\x47\x1c\x39\x98\xb0\x45\xfe\x27\x87\xcd\x6f\x15\x6d\xb7\x6d\xbd\x71\x63\xf5\xce\x15\xf8\xa6\xeb\x21\x40\x79\x83\xf9\x0f\x4d\x1a\x44\xb6\x18\xb7\x8c\x78\x4f\xd5\x1e\xb4\x56\x21\xff\x80\x71\x7c\xc0\x66\xee\x49\xd1\x3d\x5d\xf6\xf1\x13\x74\xb7\x1b\x72\xee\xe6\x5d\x9e\x4f\xd9\x6b\xd4\xc9\xf0\x7e\x36\xb7\xbb\x05\x27\x8f\x88\xd7\x43\x82\xcd\x56\x98\xfb\x6a\x4d\x35\x04\x90\xf0\xcb\x81\x96\x3d\xfb\x90\xd3\xd9\x5e\xde\x3d\xdf\xbd\xad\x60\x1e\xb3\xaa\x54\x72\x95\x54\x54\xaf\x2c\x0a\xbf\xef\x8a\xe1\xf1\xe2\x43\xd3\x8b\xdc\x2f\x30\xaf\xae\xf9\xa6\xf5\xb2\xe5\x1b\xfa\x71\x64\x06\x29\x12\x85\x2c\x11\xf7\xc0\xc1\x3d\xc1\xb1\x27\x38\xfe\xe5\xb8\x57\x77\x69\xda\x7a\x65\xd9\xb4\xf5\x38\x18\xb6\x7e\x4f\x89\xaf\xcf\x6d\xa3\x30\xec\x60\x75\x83\x04\x7b\x9d\x53\x24\xa2\xca\x95\x55\x2c\xe5\x47\xbb\x4d\xb2\x19\xf5\x20\x6e\xd5\x89\xb7\x8f\xdd\xa7\xb5\xa1\x94\x9d\xd8\x6d\xdb\x50\x1d\x9a\x50\x96\x85\x6a\xe1\x6c\xb4\xf6\x21\x67\x63\x7b\x81\x7c\xc2\x9d\xaf\x57\xdb\x46\x8c\x5a\x69\xa9\x3c\xa4\x6a\x8c\xbd\x7a\xd4\x64\xe9\x2f\xa8\x21\xd1\x6b\x70\x72\xe5\x56\x59\xe6\x0a\xd1\x7b\x9d\x45\xee\x1d\xf7\x37\x46\xbc\x17\x55\xdf\xb2\xa4\xa8\x62\x05\xa3\x0c\xf2\xb8\xc5\x13\x7a\x4a\xa5\x7c\x20\xaa\x9e\xf5\xb0\x2d\xb6\xff\xb8\xc6\xfe\xce\x61\xfb\xd3\x20\x6e\x8b\xcc\xfd\xa6\xe3\xfd\x98\x83\x7f\x17\x3c\xfa\xa4\x1d\xd2\xe5\x64\x9d\xaf\x13\x89\x78\x86\x6e\xc4\x7e\xd2\xe3\x9b\x20\x90\x01\x13\x21\x4f\xf8\x7a\x22\x25\x91\x06\xdc\x54\xcf\xa3\x47\x14\xdc\x8d\xfd\xe2\x2e\x94\x5b\x02\xae\x44\x77\x25\xe0\x3a\xc7\x2d\x9f\x2f\x2b\x10\xb8\xf5\x24\x05\xf7\xe6\x72\x2f\x9e\xb3\xcf\xa1\x33\x6c\x9a\x1d\x1e\x3a\x8f\x4a\xbd\xbe\xb8\xb0\x2c\x3f\xca\x36\xd8\x68\xda\x8b\x84\xbb\xe6\xad\xc8\x7f\x8d\x94\x20\xea\xd6\x8d\x80\x18\x37\x5a\x61\x13\xcc\x55\x60\x81\xa7\x91\xd1\x29\x60\xe4\xc0\x5c\x21\x90\x90\xf9\x24\xce\xc5\xc5\xdc\x72\x21\xfe\xd4\x41\x76\xc8\xa8\x4f\xda\x08\x9a\xba\x36\xcb\x49\x24\x6e\x09\x21\x7a\x0f\x2c\x20\xaf\x3d\xe8\xfd\xb0\x53\xba\x58\x65\x0a\x31\x1e\xc9\xf8\x82\x76\x75\xcb\xea\x5c\x98\xf6\xa7\xaf\x93\x7f\xac\x07\x17\x12\xcc\x39\x94\x5f\xac\xd2\x2b\x0e\x5f\x98\xe6\xa5\x8f\xe1\x06\x49\x01\x6f\x48\xa9\x9e\x22\x28\x3b\x60\x68\x62\xf9\x47\x8e\x54\x9b\x61\xbe\xb0\xe7\xaa\xbc\x9c\xa9\x0f\xcf\xd0\xf1\x5c\x85\xc7\xd8\x1c\x78\x73\x0d\x1c\x63\x33\x6c\x7a\xe8\x1a\x18\x36\xe7\xf6\xb4\x8e\x5d\x68\x1d\xeb\x86\xd2\x71\xd7\xee\xac\x32\x4f\xdb\xc2\x97\xf6\x90\x93\x6d\xbf\x61\x2d\xb9\x67\xf4\x09\x62\xe8\x72\xd7\x1b\x56\x69\xcd\x57\x66\x5d\xbc\x9b\xb1\x3b\x1f\x29\xf6\x82\x6f\x03\xb6\xce\x27\x51\xaf\x13\x17\xb0\xad\xee\xcf\x1d\xf4\x6e\xdf\xfa\x11\x03\x81\x05\x44\x5f\xaf\x83\x10\x74\x64\xda\xc8\xc2\x96\xe0\xdd\x34\x84\x29\xe9\x6b\xee\x32\x00\xb5\xbe\xe4\x8c\xbd\x2c\x4b\xe2\xa5\x20\xdf\xb0\x84\xd3\x2f\x8f\xb1\x37\xd6\xd8\x58\x37\x0d\x13\x29\xa9\xdd\xef\xd1\x69\xdc\xdf\x70\xd4\x45\x02\x0b\x54\xb8\x2e\x38\xa0\x1a\x84\x29\x0a\x90\x47\xbf\xd3\x4d\xd2\x3c\x88\x9b\x42\x4b\x2c\xaa\x21\x80\x0b\xa5\xb8\xfb\x42\xe6\x43\xe6\xf3\x53\x90\x0e\x8e\x09\xe0\xb8\xb1\x36\x93\x58\xd6\x5f\x3e\x07\x91\xd8\x29\x57\x9f\xf7\x39\xf6\x83\x82\x32\x40\x1c\xe9\x44\xc1\xc0\xc4\x98\x55\x2e\x45\x5c\x37\x68\x0a\x9e\x35\x45\x1c\xa4\x61\x62\xa6\x1a\x63\xcc\x4c\xa0\x8b\xa4\xc8\xf9\x14\x19\x5e\xa7\xec\xd8\xb0\x8f\x39\x84\x03\x0e\xf9\x1f\x1a\x9e\xa6\x40\x4b\x84\x4b\xc5\xb4\x2e\x5c\xa0\xd8\x60\x1f\x72\xf9\x8d\x25\xb7\xd1\x6b\x00\x33\xd6\xd9\xb9\xc5\xc3\x54\x46\xdd\x72\xae\x1e\x6e\x44\x49\xe3\x70\x27\xc8\x72\x91\x1e\xa6\x49\x97\x1d\x3e\xe2\x4f\xc9\x75\x26\xa7\x7b\xbd\x48\xfe\x6f\x89\x3c\x08\x23\x3b\x43\xe3\x4e\x1b\xc5\xfe\x36\xef\x46\xe3\x27\x8a\xae\x8d\x5e\x07\xb8\x6c\x83\x16\x50\x24\x99\xf7\xed\xe1\xb2\x0a\xfe\x99\x9a\x06\x8f\xfc\xf1\x9a\xf7\xfe\x9a\x05\x1e\x89\x9a\x55\x10\xed\xbc\x5f\x56\x37\x04\x3f\x24\x27\xe5\x21\x6e\x94\x84\xb1\x56\x3a\x6d\x3c\x0d\x3b\x41\x6a\x64\xab\xa4\x6a\x1e\xe5\x09\x0f\xb2\x0c\xb6\xfe\x98\x24\x63\xa6\x01\xae\x91\xc1\x10\x9e\x0b\x55\xf0\x19\x49\x62\x8c\x01\x7b\xac\xc7\xe4\x01\x87\xe9\x15\xe7\xbe\xcf\xf1\xde\xec\xa8\x5f\xb4\x97\x40\x6a\x15\x30\xa0\xf0\xae\xbc\x3a\x0e\x49\x1b\x18\x7b\x07\x68\xca\x00\xaf\x1c\x26\xf1\x04\x45\x5f\x86\x59\x61\x40\xe1\x41\x3b\x08\xe3\x2c\xc7\x04\x8f\x26\x48\x0d\x2b\x2f\xbf\x9b\x26\xad\x5e\x13\xf5\xd5\x02\xe9\x7a\xd8\x38\xdf\x42\x64\x58\xb3\x5e\x5d\x27\x21\x95\xa7\x0c\xdc\x50\xf1\x61\x15\x65\xfc\xd9\x08\xbb\x69\x47\xf2\x1d\x54\x45\x52\x7d\x4e\x26\xe9\x82\x8a\x0d\x71\x3f\x34\xe2\x6d\x9a\x37\x6d\x0c\x12\x0f\x04\xb9\x1a\x0a\x0f\x54\x15\x4f\xff\xa2\xad\x19\xec\x33\x74\x51\x41\xde\x76\x82\x96\xc0\xcd\xbb\x87\x9c\x2e\xe7\x85\xe8\xaa\x94\x3b\x60\xa3\xec\xfb\x97\x9c\x2b\xdb\xc6\x97\x2f\x39\x07\xa8\x10\x4b\x58\xbe\xa6\xc6\x42\x66\x3d\xe8\xbe\xc8\x3b\x65\xfe\xb6\x30\xb2\x10\x89\x09\x15\x7d\xc0\xfb\xa0\x67\x14\x99\x78\x92\x76\xca\xad\x32\x3b\xf4\x5d\x0e\x53\xb5\x70\xbf\xdf\xf1\xfe\xc3\x85\xca\x4f\x54\x15\x9a\xac\x17\x3d\xa3\x49\x5a\x20\x03\x4a\x61\x63\xab\xe5\x03\xc9\xd7\x29\xe0\xf5\x00\x5c\x5d\x37\x0a\x73\xad\xd0\x98\x63\x61\x0d\xf5\xff\x35\x66\x65\x43\x0f\xe6\x1e\xae\x26\xe7\x45\x4c\x70\xac\xee\xbb\xc7\xbc\x59\xf3\x42\xa1\xc6\x04\x3c\x97\xd7\x29\x4a\x07\x85\xb4\xdc\xcb\x42\x79\x56\x6a\x22\xd4\x43\x95\xf3\xe0\x0f\xf6\xef\xa9\x68\xff\x52\x2c\xca\x27\xc8\x22\x73\xd3\x70\x5d\x6f\x9b\x09\x02\x70\x32\x8b\xda\xfa\xb1\x45\x8d\xb6\x2b\x08\x0a\xd8\x3b\x6c\xed\xf2\xb0\xf5\x90\xd3\xde\x5e\xb5\x5e\x70\x6f\xb1\x8c\xf3\xc6\xa8\x94\xd4\x6a\x73\x84\xca\x66\xf9\x77\x8e\xb0\x99\xaa\xac\xb9\x8d\x24\x4f\xe2\x25\xf9\x64\x96\x8b\x38\x5f\x08\xb3\xf3\x56\x4c\xfe\x97\x6a\xde\xf5\x56\x48\x3e\xbe\xc1\xe7\x0b\x6a\xeb\xae\x7e\x9b\xb7\xc2\xec\xbc\x5e\xf5\x52\xa0\x74\x5b\x25\x2a\xdf\x37\xd5\xd8\x22\x83\xcb\xee\x9c\x77\x54\x21\x16\x1b\x09\xb3\xdb\x96\x6f\xae\xaf\x5f\x74\xd8\xfe\xf5\x6c\x55\xaa\x90\x9f\x70\xbc\x1f\x71\x4e\x86\x91\x50\x34\xb6\x52\x45\xca\x13\x0c\x82\xa7\xc0\x74\x48\xcf\x58\x2f\x3d\x33\xc0\xf3\x0a\xd0\xd2\x44\xee\x16\xb7\x29\xa5\xcd\xe7\x27\x2e\xfa\xdc\x13\x17\xf3\xa3\xde\x24\xf7\x2e\xae\x67\xf2\x9f\x38\x5f\xcf\x3c\x9f\x2f\x76\xba\x51\xd8\x0c\xf3\x88\xa4\x58\xaa\x81\x90\xf0\x05\x1e\xae\xf3\x5e\xac\x23\xbd\x2d\x09\xff\x9f\x0f\x6e\x83\xc9\x76\x64\x98\xe9\x11\x0c\x36\x7f\x3c\xe6\xdd\xbe\xc5\x7d\xfb\xf0\x3e\xd4\x9d\x42\x0b\x6e\x48\x74\xcb\x1b\x0e\xb0\x77\x3b\xca\x2c\xf0\x26\xc7\xbb\xae\x32\x3c\x63\xfb\xc2\x4d\x7b\xc1\x6d\xec\x24\x5b\x78\x18\xb0\x2f\x43\x7b\x61\x6f\x7f\xda\xc5\xfe\x94\x1a\xfb\xd3\xfa\xee\x4c\x08\x87\x34\x53\x41\x41\x79\x5a\x15\xe8\xb1\xb7\x69\xec\x7a\xd3\x78\xf9\xf6\x9b\xc6\x19\xf7\x54\xfd\x11\xb8\x0c\x06\xac\x31\xb8\xf6\x18\xfb\xc1\xa7\xb3\xeb\xcd\xed\x43\xa4\x39\x9e\xdf\x04\xda\x5b\x8a\xdf\x2b\x61\x3b\x0e\xe3\xb6\xa1\x71\xb8\x7f\xf4\xef\xbc\x9b\xb7\x7c\xc2\x3e\x7e\x18\x85\x1b\xd4\xb8\x07\xe8\xcf\x4b\x0e\xcb\xc2\x76\x2c\xd2\x33\x41\xc7\x06\xed\x7a\xe8\x3b\xd9\x5f\x39\x4c\x3d\xe7\xfe\x89\xe3\x8e\x36\xfa\xb9\xf0\x3e\xe2\x28\xdf\xb8\xfe\x4c\x10\xf3\x8b\xc7\xa6\x6e\xb0\x3e\x95\x61\xb5\xb4\x23\x5d\xa1\x72\x85\x31\x0f\xb8\x37\x7f\x62\x79\x75\xf1\xe4\xe2\xfc\xdc\xea\x09\xbe\x7c\xe2\x05\xe7\x4e\xac\xac\x7a\x7c\xe9\xc4\x69\xde\x88\x92\xe6\x79\x5f\x21\x6f\xa5\x8a\x74\x3b\xc8\xf0\xc0\x99\xa4\xfc\x45\x73\xa7\x4f\x61\x52\x92\x5a\x1e\x05\x52\x47\xd4\x27\xac\x6b\x05\x02\xe6\x5b\x23\xbd\xa3\x20\xd0\xb7\x7c\x07\x33\xba\xc4\x7d\xe5\x77\x78\x7f\x7d\x75\xf1\xdb\x08\xc1\x31\xc2\x04\xe4\x22\x80\x47\x34\xa0\x1c\x20\x3a\x45\x98\x89\x04\xe7\x78\xc6\xe4\x6c\x38\xbc\x19\xe4\xcd\x8d\x42\x98\xc9\x03\xc4\xd0\xb1\x44\x4c\xd8\xf5\x30\xca\xa5\xd4\x8f\xcd\x44\x73\xcc\x4d\x0b\xb8\x27\x77\x41\xbf\xa8\xde\x4d\x67\xe6\x4e\x9f\xf0\xf0\x21\x95\x4e\xef\x33\x76\xa7\x88\xa2\x3a\xf2\x62\x18\xc8\x5d\xf8\x1a\x58\xb1\x66\x19\x9f\xf6\xb9\x57\xf4\x8d\x5c\x6f\xf2\x57\x61\x1f\xac\xa3\x40\xf6\x66\x15\xf3\x3d\x09\x68\x73\xf2\x52\x22\x1d\x12\x75\x2b\xc7\x95\xa1\x65\x81\x0a\x61\x17\xeb\x33\xce\x97\xcd\xee\x80\x56\x62\xd5\x30\xa3\x5f\x40\xf4\x53\x2f\x4f\xea\x41\xb7\x9b\x26\x17\x50\xb5\x80\x52\x9a\x5a\xad\xa9\x63\xc6\x61\x3a\xa9\xbe\x0e\x95\xd4\x4a\x88\xd7\xcc\x52\x9a\x91\x1e\x2f\xde\x92\xb3\x71\x48\x41\x3e\xe3\x47\x76\xd6\x23\x30\xa3\x22\xb1\x93\x9e\xa1\x27\x33\x85\x3d\xba\x8b\xae\xa1\x66\x0e\xf4\x8b\x6a\x2d\x5e\xdb\x79\x7b\x71\xe6\x5e\xbe\xce\x9b\xa9\xec\xbc\x48\xe4\x75\x38\x28\xcb\xa2\xa8\xb7\xe8\xf7\x0e\xba\x0b\xba\x85\xaf\x9e\x5a\xd1\x9a\x42\x36\x49\x36\x26\xbb\xe7\xa0\x1d\xcd\x24\x8e\x89\x0c\x17\x40\xff\x45\xd4\xbf\xec\x93\xed\xb2\xf6\x19\x83\xed\x8f\x6c\x72\x25\x6a\xf8\x20\xd7\x3b\x22\xed\x86\xad\xa4\x99\x1d\x4e\x55\x84\xfb\xe1\x00\x82\x88\xea\x72\x46\xc5\xf0\xff\xf7\x1e\x36\x3a\xb4\x4e\x75\xa9\x2b\xc9\x73\xf8\x5a\x43\x0e\x92\x20\x60\x0c\xad\xf8\xbc\x90\x27\x28\x82\x82\x28\x03\xf5\xbb\x50\xb9\x39\xe6\x2c\x43\xbf\x91\x8a\x81\x22\x64\x35\x05\x30\xd9\x30\xc3\xfd\x19\xb6\x3d\xc0\xa6\x84\xeb\xe3\xf3\x73\xbc\xd1\x8b\x5b\x91\xc8\x26\xa0\x81\xfa\x41\xd1\xc2\x05\xb7\xa4\x61\xd2\x33\x0c\x8e\xca\x66\xa1\x93\x75\xda\x0e\xc4\xaa\x07\xf2\x45\xe5\xcd\xa6\x07\x79\x98\x15\xe2\x18\x27\xa0\x72\x36\x4f\x16\xe8\xeb\x93\x1c\x53\x7f\x10\x40\x1b\xb7\xad\xc2\xd9\xa1\x8c\x51\x6a\xd3\x1a\x0f\xe3\x66\xd4\x03\x30\x16\x15\x70\x49\x5f\x9b\x8b\x72\xec\x1f\x18\x26\xac\x89\x9a\x8b\xa0\x1d\x4e\x6a\x7a\x2a\x28\x38\x89\xb5\xf7\x1d\x95\x9d\x89\xed\x9a\x55\x90\xbd\x95\x1a\x76\x74\x27\x0d\x3b\x2f\xfa\xbc\x97\x05\x6d\x91\xf1\xc3\x58\x94\xdc\x7c\x8b\xab\x3e\xe3\xc7\xe4\x21\xac\x1b\x62\x80\x98\x39\x59\x78\x14\xae\x13\x5b\x82\x6a\x35\xe2\x5f\xae\x03\xb3\x86\x0a\x4b\xa5\x0d\x4f\xc7\x99\xc9\x69\xaa\x40\xb1\x5a\x9d\x30\xf6\x19\x3f\x0e\x3b\xb9\x19\x78\x6b\xef\x7c\x73\xf6\xa2\x37\xfa\xd2\x3a\xd4\xbd\x87\x70\xad\xde\xea\x78\xaf\x76\x7a\x61\xcb\x56\x70\xe4\x05\x4a\xf2\x82\xa0\x5e\xdc\x83\x88\x83\x50\x5e\x1d\xba\xc1\xfa\x7c\x29\x31\x68\xa2\x73\x1b\x82\x3e\x89\xb1\x14\xc5\x1d\x16\x76\x3a\xbd\x9c\xa0\x6d\x0d\x90\xa9\xfd\x6c\x3f\x76\xa9\xfb\x0f\xfb\xbc\x07\xf7\x51\xa7\x9b\x0e\x2f\xca\xe2\x33\x86\xa4\x50\x1b\x68\xc2\x91\xf0\x30\x7a\xc3\x67\xcc\x92\x54\x52\xea\x55\xee\x2b\xfd\x2e\xd2\x96\xa9\x42\x67\xb9\x07\x94\x28\x41\x04\x43\x04\x50\xc1\xf2\x70\x2d\x3f\x2f\xe2\x66\xd8\xdd\x10\x69\x47\x6e\xe4\x93\xdc\xa3\x02\xa5\xb8\xf0\xaa\x3e\x58\x2d\x9a\x2b\xbe\x58\x55\x78\x65\x2d\x54\x30\x33\x7d\xf1\x0e\x20\xa7\x22\xd6\x42\xd4\x43\x3c\x25\x36\x87\x15\x41\x18\x05\xbc\x09\xe9\xdf\xf8\x35\x56\x5d\x05\x79\x2d\x68\xa7\x42\xe8\x3a\x49\x95\xd1\x7e\x8a\x71\x4f\x36\x0f\xbe\x01\xc5\xa7\x91\xfe\x5b\x3d\x09\xb4\x8d\xf0\xbe\x28\x5d\x08\xe2\x3e\x14\x61\xb6\xab\xd4\xb1\xf0\x85\xa4\xa5\x55\x62\x28\x18\xa8\xbd\xba\x69\x92\x63\x10\x08\x74\xcd\xe1\x4e\xd8\x11\xf0\x78\xd8\xcd\x44\x53\x6e\x72\x64\x2e\x91\xb7\xf1\x5a\xde\x8b\x63\x11\x15\xbf\xe5\x8c\x87\x57\xe4\x7a\xcd\xf2\xa0\xd3\xa5\x2f\x24\xcd\xac\x6b\x7e\xb1\x13\x36\xd3\x24\x4b\xd6\x73\x9e\xb5\x9b\x60\x6c\x11\x79\xd6\x0c\xba\x02\x7e\x0f\x07\xad\xd8\xa1\xd6\xfc\xc3\x8e\x01\xe5\xf6\x2e\xc7\xfb\x3e\x47\xfd\xb2\x17\xab\x09\x5d\xfa\x38\xac\xd6\x5f\x72\x14\xca\xdf\x7f\x75\xbc\x37\x39\xf0\x67\x51\x41\xfc\xa9\x99\x32\xb3\xc7\xb8\xa2\x0f\x03\x3c\xf0\x0f\x1d\x8d\x1e\xf8\x79\xc7\x7b\xb3\x43\x90\x81\xba\x25\xe8\xbb\xe9\x08\x70\x53\x6f\x84\xdd\xc7\xbc\xcb\x77\x39\x9d\xbe\x6a\x07\x59\x69\xfb\xaa\xb6\x5d\xa2\x55\x15\xd3\xcc\x0e\x7a\x37\x54\xdd\xb0\x8d\x75\xe5\x27\x88\x38\xb4\xd2\x42\xf7\x9a\xb1\x3d\xb3\xca\x6e\x03\x9f\x7e\x4a\x9b\x38\x7f\xcc\xf1\x84\x42\x69\x30\x8c\xcf\x84\x06\x53\x59\x3b\xfb\xe0\x00\x9a\x6e\x33\x89\x9b\xa2\x9b\x67\x87\xb3\x3c\x49\x83\xb6\x38\x5c\x14\x55\xa7\xa2\x76\x1e\x40\x35\x6c\x3e\xed\x59\x3f\x77\x61\xfd\xfc\x4d\x33\x6c\xfb\xd3\xbb\x4c\x6c\x7b\x95\xf3\x38\x65\xb6\x19\x8d\x7b\xc8\x79\xf1\xf6\xa6\xc1\x1b\xdc\xeb\xb4\x69\xd0\xf3\xb4\x45\xb0\x4a\x20\x95\x9d\x48\x1f\xdc\xc7\x6e\xa7\x5e\xc1\xe3\x6b\xbb\x9d\x8a\x36\xe0\xc8\x9a\xb1\x58\xa9\x68\x87\x10\xc7\x8a\x9e\x43\x8c\xfa\x9b\x5b\x5a\x5c\x41\x87\xf3\x7c\x12\xa3\xf9\xcb\xfd\xfc\xa8\x77\xa6\xe2\x7a\x89\x48\xa6\x48\xd6\x06\xc2\xed\x15\xe5\xb6\xce\x09\x63\x36\x6c\xf6\xa2\x20\xc5\xb4\x6c\x1d\x83\x45\x3e\x4e\x9b\x30\x66\x84\xbd\x90\x1d\xe8\x88\x4c\xea\xb4\xee\x69\xef\x79\xb7\xf5\x3a\x41\x5c\xd7\x71\x17\x74\x47\x59\xcc\xe4\x62\xd1\x67\x5b\x08\xe5\xc6\x4c\xe3\x34\x88\xb3\x70\x00\xb7\xfc\x25\x6c\x7f\x2a\x82\x2c\x89\xdd\x55\xef\xd6\x73\x80\x04\x3b\xc9\x93\x58\xd4\x37\x93\xb4\x35\x59\x4c\x76\x8e\x4f\x19\xf1\x1d\xd4\xea\x43\xd9\x96\xe5\xdf\xa5\xdd\xb6\x4b\xde\x7c\x91\x7c\xa7\x3a\xa8\xa7\xf7\x7e\x5d\x20\xac\x3b\xb9\xe8\x56\x81\x06\x0c\xd8\x98\x26\x15\xdd\xac\x55\xf6\x75\x14\x86\x75\xd8\xf3\x56\x29\x08\x2b\x57\xe4\xc6\x03\xa5\x9a\x2f\xbe\x95\xd2\xbc\x57\x75\x9d\x21\xcd\xfb\x15\x8f\x3c\xcd\xfb\x79\xa7\xac\x6c\x6e\xfd\x59\xa3\x5b\x04\x01\x46\x26\xb1\x6e\x3a\x40\x64\x41\xc4\x9b\xcf\x3e\x5e\x2b\x27\x20\xd9\x29\x56\x67\x92\x58\x45\xfd\xcd\x69\xc5\xc9\x7d\xc8\xf1\x5e\x51\x79\x87\xe3\x89\x9a\xe6\xa2\x55\x9a\xa9\x78\x15\x86\x8f\x75\x38\x38\xc6\xf5\x32\xae\xab\xde\x17\xe7\xa8\x0c\x30\xae\x10\xb8\xb3\x35\x4f\x13\x76\x3d\x1b\xed\x06\xf9\x86\x3b\xe5\x5d\xab\xe2\x98\xe4\x9b\xe7\x96\x4f\x61\x04\x13\x0d\x0a\x95\x6c\x8e\xc8\x0c\x1b\xbd\x20\xd2\x86\xfb\x6c\xef\xe9\x77\x88\xb4\x31\xe0\x8c\xb9\x6d\x75\x75\x49\x2e\xea\x86\xf9\xd2\x6f\x8c\xb2\xeb\xb6\xcc\x4a\x13\xd1\xfa\x90\xcc\x34\xf7\x07\x46\xbd\x0f\x39\x5b\x3c\x80\xdb\xd1\x40\x14\x1c\x84\x9d\x88\x4c\x6f\x14\x3e\xe7\x27\x2e\x06\xcd\x3c\xea\x2b\x86\x39\x3d\x14\x66\x6d\x8c\x71\x91\x7a\x84\x39\x62\x43\x1e\x53\xe4\xdc\x99\xc8\xad\x4e\xfe\x7f\x6a\xec\x01\x87\xfd\x9b\xb8\x72\x36\xbc\xc5\x61\x37\xef\x3c\x69\xaf\x72\xde\x78\xa7\xab\xa7\x53\x21\xdb\xcc\x54\x11\x8c\xcb\xb1\xa6\x8d\xdd\x3f\xb2\xb2\x6e\x3a\x58\xd3\xb7\x39\xec\x39\x3b\xaf\x69\x45\x35\x57\xb6\xeb\xc0\xad\x2a\x3c\xac\xb2\xff\x3c\x66\xc1\x75\x90\x06\x04\x9e\xa2\x95\xc5\x33\x49\x0b\xf5\xe0\xdf\x1b\xf3\x0e\x1b\xbf\xab\xf2\x0c\xe8\xf6\xd6\xfe\xe9\x8f\xed\xa1\x2f\xec\x5a\xfb\x6d\x2a\xe5\xf7\x2e\xef\x3b\x2b\xdd\xfb\x34\x12\xa6\xca\x7a\x98\xd5\xd9\xb3\x87\x4e\xbe\xc1\x41\xdf\x53\x56\x77\xa1\xac\xfe\xaa\xa9\xac\x7e\x72\x97\xca\xea\x7f\xa8\xd6\x55\x1f\x3b\x10\x86\x97\x6e\xaf\xa7\x3e\xc7\x9d\xd5\x7a\xaa\x9a\x4b\xa5\x80\x27\x43\x78\x94\x55\xd5\x4f\x5d\xc1\xee\xd8\x1d\x75\x63\x39\x41\x20\x56\x11\xa2\x7f\xc2\xbc\xd3\xc3\x6e\x1a\xd2\x92\x08\xae\x94\xa4\x28\x48\x05\x54\x88\x33\x86\xd0\xce\x2f\xfb\x97\x9c\x31\x95\xf6\x65\xc9\xb5\x6f\x1f\x64\xff\x69\x94\xfd\xdb\xa6\x2e\x1d\x77\x55\x12\x6a\x99\xfb\xcf\x23\xde\x57\x47\x86\xdd\x55\xa1\xe3\x29\x46\xfa\x6b\xf0\x22\x0d\x73\xbf\x36\x5f\x7a\x73\xad\xa8\x99\x5c\x23\x77\x8a\xc6\x46\x92\x9c\xe7\xe2\x62\x17\x44\x2f\x78\x50\x0c\x63\x0a\xe4\x68\x81\x9f\x6b\x43\xf0\xf5\x30\xcd\xf2\x72\x84\x2c\x7c\x93\x22\xaa\x35\xe6\x6a\x06\x48\xe5\xb1\x41\x23\xab\xbf\x5a\xa2\x1b\x0d\x33\x2c\x01\x98\x48\xcd\x20\xad\xa2\x12\x93\xbc\x68\x3e\x56\x68\x3d\x08\xa3\x42\xb7\xb6\xa3\xb5\xe1\xcb\x81\x3e\xd2\xb7\x74\x13\xed\xcc\x73\xc3\x12\xae\x1c\x20\xaa\x86\x52\x7a\xb7\x12\x91\x81\x67\x80\x14\x43\x60\xa1\xd6\x4f\xa0\xcf\x5a\x69\x7a\x4b\x8b\x24\x97\x26\x79\x33\x88\x22\xbd\x39\x6c\xd2\x87\x75\x95\x7d\xbe\x60\x70\xec\xad\xdd\xed\xd1\x2c\xf4\xee\x59\xdb\x8a\x3f\xe3\xff\x1e\x61\x7a\xea\xb8\x9f\x1d\xf1\x1e\x1c\xd1\xf9\x83\x45\x2b\xe4\x44\x2c\xf5\x84\x4e\x04\x91\x53\x13\x30\xe6\x90\xb2\x51\x35\xc3\xe7\x73\x96\xef\x07\x2c\xdd\xbc\xce\xd7\xce\x24\xb1\x58\x9b\x85\xa9\xa0\xde\x46\xd3\xb2\xc9\x20\x57\x6c\xc4\x98\xcc\x07\x3b\x26\xe0\xc0\x27\xbd\x26\xf2\xa0\x23\x2f\x07\x86\x06\xd0\x6c\x19\x18\xac\x3a\x5f\xa3\x01\x5a\x9b\x35\xba\x92\x30\x5d\x83\x28\x22\x00\x7a\xa1\xb8\x01\x55\xaf\xe6\x09\x6f\x25\xea\xf8\xa0\x43\xd4\xe7\x2a\xe9\x51\x18\x97\x0b\x85\x68\x58\xb4\x83\x15\x13\x2e\x28\xa0\x9b\x80\xf4\x71\x7e\xfa\x8a\x14\x98\xce\x51\x27\x91\x95\x17\xa3\xfd\xd6\xf1\x88\x25\x1b\x0d\xcf\x1a\x9f\xa7\xba\xcd\xc3\xc6\x33\x0f\xf3\x8d\x5e\xca\x84\x9d\xae\xf9\xda\x1a\x7b\x62\xc5\xd3\xee\x5f\x38\xec\xa5\x97\x93\x9a\xf6\xce\xc1\x6f\x78\xdf\xef\x54\xd5\x33\x54\x34\x36\x18\xd8\xaf\x89\x49\x95\x84\x83\xa1\x30\x66\x75\xb8\x5e\xa4\xb1\x86\x59\x31\x8a\x46\x32\x2d\x78\x0f\xd7\xd4\x53\x6b\x00\x05\x2c\xc0\xf3\x5d\x3c\xcd\xfe\xf2\x2a\xe6\x55\xd9\xc0\x92\x96\x62\x43\x59\x15\x69\xc7\xfd\x6f\x57\x79\x5f\xae\x2d\x90\x86\xa7\x9d\x57\x48\x55\x16\xcb\x6d\xbb\xcf\xf3\x8d\x24\x23\xe2\x0a\xa5\x55\x44\x26\x37\x5f\x91\x5c\x45\x0b\xb4\x80\xfe\x85\x54\xa7\xf1\x6c\x62\xc2\xa0\xe2\xee\x26\x2d\x8b\x5d\xb1\x1e\x25\x98\xfe\x3a\xae\xd8\x17\x26\x94\xfb\xd0\xba\x19\xe7\x61\xbd\x78\x62\x33\xcc\x37\x26\x65\x4f\xa4\x56\x19\x61\x41\xde\x1e\x64\x1a\x56\x0e\x80\xa3\x81\x7e\x63\x13\xda\x62\x11\xb8\x21\x35\x20\x24\xb4\x9c\x17\x7d\xfe\x9c\x3c\xe9\x26\x51\xd2\xee\xdf\x2e\xfa\xcf\x35\xe8\x3a\x82\x9c\x08\xbe\xb1\x20\xc0\x51\x03\x4a\x6a\x68\x90\xe2\x29\x31\xba\x2f\xd4\xdf\xbf\xe4\x5c\x61\x14\x6a\xed\x52\xbf\xca\xd8\x9b\x1c\x76\x95\xd5\x9f\xee\xfd\x97\x81\x2f\xf1\x86\x39\x6a\xd8\xcb\x7b\x22\xed\xf3\x04\xdc\x55\xaa\x7e\x5a\x92\x4d\xea\xcd\xa2\x19\x64\x48\x38\xe3\xb3\xbf\x1d\x61\xd7\xe8\xc1\xd3\x95\xfa\xf2\xc8\x65\xa8\xd5\xa5\x91\x8a\x6a\x19\x1d\xa7\x3f\xab\xb9\xdb\x05\xcf\x45\xda\xa1\xec\x2b\xd4\x31\x57\xd5\xc5\xc1\xac\xac\x5e\x6c\x9c\x91\x8d\xc2\x90\xf8\x71\x90\x42\x84\x38\x75\x01\x09\x3c\x0a\x4d\x17\xad\xf1\x32\x3c\xeb\xf3\xb8\x17\x19\x0c\x92\xf2\x55\xb8\x92\xa4\x44\x10\x6f\xbc\x41\x7a\x61\x10\x67\xdc\x53\x73\xfe\x50\x56\x3c\xe1\xf9\x7c\x4e\xf1\xca\xeb\x12\xc7\x5f\x71\xff\x84\x9e\x6f\x52\x2a\x14\x05\x92\x2c\x25\x89\x9f\x21\x31\x6c\x3d\x92\xaa\xa3\x8a\x40\x83\x6d\x64\x23\x01\x4a\x16\x14\x10\xc6\x4a\x3f\x53\x1e\x4d\x4d\x2a\x5b\x10\xc8\xfa\xec\x97\x6a\x8c\x15\xdf\x74\x1f\xac\x79\xef\xa9\x99\x7d\x68\xfa\xb8\xe5\x31\xaf\xa9\xf5\x22\xfd\x14\xb1\x5a\x5d\xd6\xb1\x33\xc7\xa5\x7a\xe4\xcc\xd1\x1d\x98\xb8\xfe\x36\xc3\xa4\x07\x72\xe0\xcd\x2d\x47\x70\x0b\xbd\xe2\x5b\x35\x66\xae\x77\xf7\x4f\x6a\xde\xef\xd6\x56\x2f\xaf\xe8\xc3\x1c\x44\x29\x66\xb6\x90\xcb\x0a\x9f\x5d\x6b\x86\x45\xdb\x1f\x15\xd1\x69\x34\x7a\x27\x82\x33\xee\x17\x62\x93\x06\xb0\x24\x38\x7d\xc4\xde\xb7\x0a\x0e\x51\x7f\xac\x0a\x1c\xf9\xc8\x41\xcb\x78\xb9\x05\x72\x30\xb1\x56\x2c\xf7\x22\xe1\x7e\x6b\xcc\xfb\x2f\xce\xb0\xbb\xc6\x91\xc4\xb2\x97\x93\xbc\x52\x50\xce\x8a\x63\xc1\x20\x72\xb6\x07\x08\x27\x67\xc0\x07\xf0\x8b\x0f\xc1\xac\x28\x26\x2b\x2c\x10\x2a\x15\xac\x6f\xf0\x3a\x6f\x24\xf9\x06\x87\x13\x00\x4c\x58\x79\x30\xb7\xe1\x40\x3e\x7e\x80\xfd\xde\x08\x1b\x95\x37\xdc\xcf\x8d\x78\xdf\x3b\xa2\x7c\x70\x4a\x67\xc5\x4e\x2f\x66\x1f\x98\x5b\x81\xc5\xb8\x89\xf4\xeb\x54\x5d\x3d\x16\x5a\x9f\x4b\x7b\x91\xd4\xfe\xd1\xae\x51\x3e\x5b\x34\x93\x4e\x03\xe6\x8c\x8a\x51\x8d\x92\x76\xd8\x0c\x22\x7e\x76\x59\xa5\x81\x40\x8a\xa3\xc5\x97\x25\xa5\x0e\x0c\xac\x5c\x64\x61\x26\xdf\x9c\x2c\xbe\x65\x09\x41\x55\xfd\x71\xd5\x29\x18\x56\x84\xb1\x56\xd8\xab\xf8\xc8\x44\xc5\x47\xc8\xc0\x81\x71\x7b\x3a\x7c\xd9\x24\xb4\x0e\x73\xd1\x31\x3f\x0d\x03\x98\xe9\x11\x00\xa9\x4a\xf4\x5d\x7a\x54\x54\xed\xca\xe5\xe8\xdc\xc6\x34\xe9\x40\x07\x3d\x0c\x22\xae\x2d\xe6\xea\x92\x10\xa9\x3c\xab\xec\x83\xe1\x77\x7f\x79\xc4\xfb\xc7\x9a\x76\xb0\xc2\x8c\x28\x0f\x2d\x66\x92\xc2\xb8\x86\x0d\x24\x88\xde\x76\x78\x4f\x04\x70\xd0\x54\xad\x50\x43\x0c\x79\xb8\x43\x47\x78\x17\xe3\x8a\x35\xdf\x62\x54\xe5\x03\xbb\x1b\x53\x11\x5f\x86\x81\x05\xea\x12\xe3\x48\x7e\x99\xc6\x34\x49\x73\xf6\x87\xac\x92\xdc\x05\xf8\xdd\x17\xcf\x5a\x89\x64\x3f\xc9\xbc\xd9\x8a\xeb\x36\x2f\x85\xe1\x6d\xa7\x67\xc9\xeb\x7e\xc9\x39\xd0\x0e\x72\xb1\x19\xf4\x2f\x39\xfb\x31\xc4\xe8\x92\x73\x30\x13\xcd\x14\xd8\xd3\x2d\x39\xf2\x2b\x07\xd9\xe7\x1c\x56\xdc\x74\x3f\xed\xb0\x63\xdb\x7a\xd6\x4f\x25\xcd\x20\x2a\xd3\x49\xbf\xce\x59\x51\xa5\x70\x1d\xb9\xaa\x4f\xf1\xf8\x05\x98\x86\xaa\xb6\xc8\xf4\x18\xb7\xe8\x80\x9b\x09\xf0\x59\x5d\xb0\x38\x40\x8b\x19\x41\x1b\x81\x62\xe8\x9c\xe4\xa7\x92\x76\x18\x17\x42\xc7\xb0\x0f\xb0\x1f\x70\xd8\x15\x64\x06\x3b\x9d\xb4\x84\xfb\x2a\xc7\xeb\x2d\x56\xa2\x6b\xd2\x53\x64\xa2\x27\x22\x94\x62\x69\xad\x6e\x84\xcd\xf3\x4b\x8a\x8e\x06\xa1\x37\x57\x37\xc2\xd8\xb8\xa4\xad\x11\xb2\x86\xe5\x7b\xe6\x76\xf5\x81\x22\xff\xee\x9d\x8e\xf7\xba\xc7\x2b\xff\xce\xa8\x2d\xdc\xb1\xea\xb8\xc0\xd4\xd4\x71\x6f\xf0\x26\x57\xd5\x07\x82\x56\x0b\x39\xe2\x71\x05\xa9\x01\x9c\x5b\x5a\xe4\xb7\xe2\xe3\x56\x29\x6b\x8c\x65\x59\x74\x02\x15\x4d\x77\xd9\x5b\x38\x19\x05\x70\x82\x47\xdd\xf3\x70\x2b\xcc\x60\x3b\x5a\x59\x39\xc5\xc9\x4e\xda\x54\x63\x98\x6f\xa8\x22\x27\xa5\x7e\x02\x55\x05\x53\x01\x80\x61\x34\x92\x24\x12\x41\xcc\xee\xd6\xe3\xbb\x94\x24\x91\x7b\xca\xbb\x79\xd5\xa8\xd7\x0a\x0d\xaa\xbc\xc7\x83\x2c\x4b\x9a\xa1\x4d\x84\xf4\xff\xb3\xf7\xee\x61\x96\x64\x55\x9d\xe8\x17\x27\xb3\xba\x2a\x77\x3f\x68\x02\x1d\x1d\x07\x75\xdf\x00\xad\xcc\xe6\x9c\x93\xf5\xea\xa2\xbb\xfa\x81\xd9\x59\xd5\xdd\x09\x55\x59\x49\x66\x56\x23\xd3\x34\x9d\x91\x27\xf6\xc9\x13\x54\x9c\x88\xd3\x11\x71\x32\xeb\x20\x68\xf3\x10\xe4\x21\xa0\x80\x0c\xa5\x80\x30\x32\x8d\x2d\x82\x33\x82\x80\xe2\x8b\x0b\x0c\x17\x04\x01\xf5\x02\x8a\x0f\x50\xc0\xd7\xa7\x33\x57\x1d\xef\x6d\x75\xe6\x7e\x7b\xad\xb5\x5f\x71\x4e\x3e\xaa\xb2\x1f\x8c\x5f\xf6\x1f\xd5\x79\xe2\xb1\x63\x3f\xd6\x5e\x7b\x3d\x7f\xcb\x84\xe6\xf1\x28\xeb\x86\xb1\xeb\xa8\x3d\xcb\x68\xd7\xf8\xa7\x82\x1b\x96\x2b\x61\x6d\x8a\x60\x68\x55\xc2\x42\x1b\xc4\x50\x68\xa5\x3e\x38\x0d\xbe\xc8\x63\x0c\x49\x0b\x92\x4e\x8a\xa0\x6d\xb7\xaa\xc9\x2e\x4c\x72\x11\x46\x03\x1d\xbc\xa5\xe0\xaa\x68\x54\x8a\x0e\x94\xec\x31\x34\xae\xb8\xd0\x04\x8c\x56\x21\x17\x00\xe7\x5a\x33\xea\x93\x30\x68\x7f\x31\x38\x55\x1d\x9e\xfa\xd8\x82\x99\x21\x7c\xd8\xf6\xc1\xab\xe1\x2a\x4b\xb3\xfd\x9d\x0b\xec\x80\x1c\xc5\xd9\x34\x19\xf8\x49\xf0\x5c\xdb\x52\x07\xcb\xc8\x27\xe5\xed\xe9\x8d\x3c\x2e\xe5\x19\xbe\x48\xcf\x72\x10\x4f\x71\x0b\x67\x39\x21\x44\xe8\x9b\x85\xc0\xf4\xff\x38\xe5\xc8\x0f\xcf\xc8\x8d\x42\xc5\xb3\x14\x4d\xbc\xf6\x3b\x46\x5a\x40\x2a\x68\x5f\xfe\x9f\xff\xdb\xe0\xcb\x5e\xe5\x22\x81\x85\x16\x74\xb5\x62\xe3\x34\xe8\x62\x72\x4f\x1a\x2d\xc6\x2a\x4e\xd5\xe4\x4b\x59\x57\xe0\xa9\x85\xf6\x42\x75\x6e\xc5\x29\x0a\x73\xd5\x2f\x4a\xbe\xb7\x20\x25\x41\x17\x8b\x8c\x63\x72\x14\xbc\x02\xb6\x5c\x51\xd6\x0d\x5a\x06\x08\x64\xd5\x96\xca\xf0\x3c\x7c\xae\x25\x22\xc9\x71\x5d\x39\xf1\xa1\x6f\x63\xef\xf4\x18\xeb\xe5\xf1\x7a\x9c\x88\x35\x11\x49\xde\xf3\x72\x6f\xb1\x9f\xda\xa5\xd7\x52\x6e\x1e\xe0\x5d\xa8\x90\xb9\x90\x67\x52\xa0\xc0\x4f\x5a\x77\x4d\x75\x34\xe8\x9f\x7c\x24\x2d\x63\xac\x53\x79\x5f\x3f\x5e\x0f\x13\x28\xcb\x9c\xf1\x3c\xcb\x4a\x25\x8a\x48\x26\xe2\x5a\x6d\x81\x16\xdc\xf5\x7b\x65\x8d\x4d\xf4\xf2\xac\x05\x6b\xeb\xff\xb3\x17\xfc\x8d\xa7\x7f\xf2\x48\xa4\x99\x4a\xcb\x52\xa1\x16\xf2\xae\xaa\xdb\x95\x81\x75\xdd\xa2\x51\xea\x24\x4a\xd8\x91\xe1\x79\xd4\x89\x05\xdd\x32\x4a\x53\xfd\x42\x17\x69\x55\xb3\x92\xf7\x53\x08\xad\x88\x54\xb7\xdb\x60\xfb\x0a\x23\x10\x26\x7a\x61\xd9\x29\xc8\x43\x59\x9c\x97\xba\x8c\xbc\x50\xb5\x82\xca\x16\xf5\xa7\x20\x5c\x44\x69\xe2\x6d\x62\x89\xab\x42\x6b\xe4\xf6\x36\xfa\xd5\x31\x76\x55\xde\x4f\x67\x8a\xf9\x2c\x5d\xcc\xb2\xd2\x7f\xf7\x58\xf0\x96\xb1\x39\x2b\x3d\x8d\x54\x6e\xd3\x5f\x50\x1f\xf2\x7e\x2a\x79\x12\xb9\xc7\xe5\x12\x40\x75\x6c\x38\x45\x21\xb2\x45\xbe\xf3\x0c\xcc\xbc\x41\x9a\x5e\x0f\x93\x38\x52\xd8\x83\x58\x9c\x2e\x2c\xf5\xe0\x81\x69\x17\xfd\x5c\xd5\x95\x2b\x8d\x49\x9f\x3e\x75\x6e\xee\x24\x3f\xc4\x27\xe5\xb7\x30\xeb\x01\xbc\x0a\x65\x46\xd8\x80\x6e\x1f\xe3\xb6\x6a\x02\xba\xd4\x4f\x41\xb1\xca\x95\x31\x38\xcd\x78\xd1\x6f\x75\x54\x9f\xf4\xa9\xbe\x2a\x14\x7e\xb7\x3c\x6f\xcf\x84\x03\x93\xb4\x22\x60\x8b\x8d\xdc\x49\x73\x6d\x75\xfb\x12\x76\xa0\xb5\xdb\x5c\x1f\xcb\xa8\x6d\x57\xb8\xfb\xce\x22\xe6\x5f\xa8\xb1\x09\x58\xbf\x73\x85\xc8\xfd\x77\xd4\x54\x39\xc0\x57\xd7\x24\x3d\xca\x39\x93\x5b\xa4\x9f\x92\xbb\xb5\xcc\x07\xe8\x70\x35\x11\x44\x34\x63\x3d\xdc\x87\xee\xee\x01\xc9\xc9\xe9\x1d\x2e\x9c\x49\x2b\x76\x73\xe8\xbf\xa9\xa7\x4c\x01\x5c\xfd\x7d\x8d\x5d\x53\x08\x28\x1a\xa8\xe0\x35\xbf\x52\xdb\x02\x2b\x52\x33\xf8\x53\xf6\x3b\xc1\xcf\xc3\x0c\xab\xea\x83\x2d\xf5\xe9\xac\xc2\xbc\x9d\x59\x56\xc4\xe8\x96\xc5\x1b\x66\x05\x40\x8c\x52\xb5\x80\x44\x9a\x90\xe7\x61\x1a\x65\xdd\xa1\x8f\xe9\x12\xd7\xd6\x07\xbe\x59\x97\x80\x7d\xc3\x93\xd3\xde\x6a\x65\xdd\xde\x42\x9e\x49\x81\xd3\xff\x5d\x6f\x27\xd3\xee\xbc\x13\xfc\xb4\xb7\x8c\x52\xbe\xbc\xa8\xe1\x4d\x89\x2f\x2b\x33\xac\x3b\xe1\xd5\x87\xf1\xd8\xa4\x02\xfc\x61\x89\xe3\x27\x4d\x96\x7f\xaf\xb5\x1c\x60\x09\xad\xae\x91\x6a\x25\x5b\x17\x79\x1e\x47\x42\xbf\x49\x37\x9a\xec\xf7\x6a\xec\xdb\x41\x2f\x5c\x50\xc7\xd9\xa9\xa2\x15\x26\xc0\x67\xfc\x0f\xd6\x82\x9f\xad\xcd\x6c\x72\x57\xe5\xf8\x19\xdd\x21\x54\x1b\x13\x52\xe8\xd6\xa4\x80\x04\x35\xd4\xf5\x49\x59\x20\x88\x5b\x5c\x16\xbc\x17\x82\x2b\x5b\xef\x64\x38\x22\x24\xa3\xa0\xe2\x8d\x50\x77\x85\xda\xd7\xb5\xc3\xef\x4d\xc5\xc6\xbd\xb2\xb5\x02\x8f\x0a\xc5\x07\x81\x61\xa6\x9b\x31\x89\x4d\x07\x10\x17\xc0\xff\x79\x98\x6c\x84\x83\x02\x2d\xc6\x15\xd6\x5c\x9c\xe0\x87\xa7\x14\x57\x5f\x30\x27\xfe\x91\x29\xde\x09\x0b\x3e\x3b\xb3\x70\xef\xd2\xb3\x97\xee\x9d\x39\x79\x66\x6e\xde\xe1\x75\x1f\xf7\xd8\x55\xad\xb0\x17\x02\x68\x55\x2c\x0a\xff\xfd\xde\x0e\x6a\x82\xcf\x5a\x6f\x04\x2f\x01\xea\xb1\x1b\x01\x01\x2b\x8a\xa6\xa3\x3c\xeb\x61\x77\x95\x89\xd2\x3e\xdc\x6d\xa6\x58\x5a\x07\x3d\xd9\xeb\x9c\x06\xd7\xf2\x30\xb5\x34\xa7\xa1\xdd\xdd\x64\x1f\xad\xb1\x6b\x36\xe2\x34\xca\x36\x0a\xc5\x81\xfe\x73\x8d\xdd\xba\xed\x50\x9e\x85\xef\x54\xf6\x9a\x62\x48\x7f\x03\x63\xa3\x67\xd4\xee\x6c\x29\x99\xd6\xb1\x8b\x87\xa6\x00\x27\x0c\x6f\x14\x57\x52\x74\xae\x83\x75\x86\xb9\x81\x26\x96\x7e\x01\x11\x39\x8f\x32\x47\xb9\x8f\xfd\x1b\xa5\x02\x48\xd1\xc5\xe8\xb9\xfe\xb3\x82\xb9\x67\x69\xe5\xdb\xe6\x07\x40\x61\x21\x48\x57\x0d\x10\xaf\x40\x74\x31\xda\xaf\xa3\xb6\x8e\x90\x1d\x5f\x5f\x63\x0c\x8e\x5b\x00\x07\xf3\x5f\xaa\xcf\x5b\x9c\xfc\x3b\x2e\xe3\xbc\x3d\x27\x25\xc2\x8a\x0c\x48\xe7\xaa\x28\xff\xf7\x38\x51\x5f\xb6\x8f\xf1\xcd\x4b\x85\x2f\xdc\x96\x64\xad\xf3\xfe\x57\xc6\x83\x3f\xf5\xe8\xc7\x66\xe6\xef\xd9\xb9\x93\x8b\x7c\x12\x8c\x0a\x87\x6f\x3c\xd2\x3c\x7c\xfc\x86\xe6\xe1\xe6\xe1\xe9\x23\xc7\x82\x7a\x70\xe4\xd0\xa1\xc3\x27\xa2\xd5\x1b\x4f\x9c\x98\x3e\x7e\x2c\x98\x7a\x98\x6d\xe3\xe2\x42\x4b\xf4\x4a\x5c\x31\xab\x77\xb2\x43\x24\x04\x93\xb1\x86\xc2\xd0\x28\xce\x04\x75\xe2\xd8\xb2\x08\x36\x2f\x7a\xe3\xad\x38\xca\x1d\xed\xe8\x6b\x35\xb6\xce\xe0\xb2\x9f\x06\x21\x8c\xd2\x8e\xb1\x1b\x8a\xae\x9b\x5b\xe0\x38\x4f\x98\xd9\x28\x2e\x84\xdd\x5e\x42\x01\x22\xd5\x99\x91\x62\x6d\x65\x72\x6c\x01\xff\x2f\x3d\x76\x05\x0e\xce\xff\x63\x2f\xf8\x88\x77\x0a\x07\x8a\x9f\x4f\x62\xc4\x2b\xdd\xf1\x30\xc3\x74\xb7\x7d\xe3\xd4\x01\xd2\x33\x15\x07\xc1\xd0\x4b\x49\x7c\xb0\x51\x06\xd0\x5c\xd6\x2f\x0b\x75\xc2\xc2\xa4\x01\x34\xf8\x16\x2e\xb2\x0f\x4c\x38\x84\xd8\xca\xb2\x3c\x8a\x53\x1d\x69\x7b\x5a\x84\x85\xf0\x7f\x7c\x22\xf8\x2e\xf8\x4b\x47\xa0\x86\x60\x98\x85\xdd\x29\xfb\xe6\x6a\xb6\x2f\xde\x4b\xe3\xda\xab\x63\xf1\x18\xc6\x98\xbe\xdf\x8e\x31\x7d\xd7\xae\xeb\x58\xac\x3d\x5a\xc5\x2a\x3e\xa9\x8a\x55\xfc\xa6\xc7\x8e\x6c\x21\xda\x8c\xd8\xa2\x50\x9b\xe2\x95\xde\xc8\x0a\xac\xf0\xc0\xa3\x5d\x9e\xe2\x21\xef\xb9\xdb\xc7\xc6\xde\xe4\xdf\xa8\x63\x63\x9d\x61\x55\x02\x64\x61\x04\xd5\xd0\xd8\xd7\x8f\x8f\x34\x2a\x9a\x08\x0b\x4c\x33\xfa\xeb\xb1\xe0\x8e\xca\x35\xb9\x93\x46\x17\xb8\xb0\x0b\x6b\xf6\x29\xb2\x55\xbf\xec\x32\xb9\x37\x8c\xb1\x7f\xf0\x18\xd3\x99\x3d\x85\xff\x75\x2f\x38\xbd\xe8\x16\xea\x24\xa6\x63\xb2\x6a\xb2\xd5\x42\xe4\xeb\x61\x69\x02\x67\x75\x24\xc0\xc1\xc2\xad\xeb\xe9\xf8\xb7\x9e\xca\xae\x67\x47\xb7\x95\x76\x75\x57\x75\x0e\xda\x43\xde\x41\xf6\x44\x67\x19\x7a\xf2\xa0\x6f\x74\x45\xbe\x26\x1a\xe7\xc5\xc0\xdf\xef\xef\x93\xdb\x88\xc9\x27\xff\xdd\x88\x27\x75\x5c\xe6\x01\xff\x0a\x78\x8b\xb1\x37\x7b\x6c\x5f\xaf\x23\x0f\x86\xd7\x7a\xc1\x8b\xbc\x05\xf9\xa7\x8a\xae\x53\x43\x48\xe2\xb6\x68\x0d\x5a\x89\xe0\xf0\xe4\x50\x34\xc9\x4e\xd3\x4f\xcb\xb0\x38\x5f\x4c\x03\xae\x45\x5c\x94\x80\xfd\xd3\x07\x84\x65\x13\x41\x31\xed\xa4\x72\x3d\x9e\x7d\xe7\x26\xd5\x13\x89\x20\xfe\xf6\xda\xe0\xd0\xa5\x54\x56\x7d\x7a\xb5\xa8\xea\x7b\xae\x65\xbf\xb4\xcf\x59\xf9\x07\xf6\x05\x7f\x35\xb6\xbc\xa3\xf5\x4e\x0d\x34\xbd\xbb\xda\x68\x5d\x86\xcf\x81\x9d\xae\xa8\x73\x2b\xb8\xd8\x7c\x0c\xcf\xff\x0e\xe0\xf2\x0e\x7a\x82\x07\xb7\x87\x71\x22\x22\x84\x37\x56\x79\x64\x79\xdf\x6d\x30\x2e\x78\xd1\x2f\x7a\x00\x46\xb2\xd3\x76\x97\xd4\x0b\x43\x4d\xdf\x64\x94\x54\x6a\x3c\x17\x45\xbf\xab\xd4\x20\x3b\x8f\x0f\x35\x09\xca\x7d\x23\xc9\xa5\x05\xf6\x78\xd0\x14\x2a\x7d\xd4\x35\x4e\x77\xda\xc7\x59\x7a\x61\xc4\xe8\x2f\x31\xbb\x59\xca\xbb\x49\x16\x46\xc5\xb4\x41\x08\x2a\xa6\x9f\x97\xad\x16\x8d\xbc\x9f\x36\xca\xac\x41\x9d\x8b\xb3\x74\xda\xde\x99\x47\xd8\x21\xd6\xdc\x51\xf5\x4e\x6b\x53\xee\x24\x17\xff\x11\xd9\xba\x67\xd8\x15\x6d\xa0\x17\x7f\x56\xc1\xf6\x37\xc1\xd1\x04\xc0\xfa\x3a\x62\x12\x2d\xef\xb9\x08\x41\x27\xc0\x1d\x8c\x74\xe6\xaa\x31\x5f\xab\xb1\x09\x30\x26\x43\xbe\xe4\x17\x6a\x97\x9f\x30\xf9\x93\x35\x9b\x75\x82\x45\x4f\xd1\xd8\xf3\xb2\x55\x1b\xc9\x09\xbe\x27\x7b\x85\xea\x20\x46\x42\x3c\x2f\x5b\x1d\x22\x26\xd7\x57\xa7\xe9\x1f\xf7\x5b\xbd\x12\xcc\x20\xe5\x18\xa9\x0d\x4a\xad\x32\xb1\x72\x01\xa0\x2b\x71\x69\x11\x79\x35\x04\x50\x76\xba\xe4\x62\x5d\xe4\x03\x7c\x3a\xac\xec\x0a\x14\xac\xf0\xfb\x36\xcc\xb8\x66\x3d\xd8\xc9\xc5\xdb\x67\x8f\x1e\x3d\x7a\x23\xa7\x5a\x98\x11\x9e\x52\xfc\xdc\xf2\x6c\x93\x2d\xb1\x09\x28\x06\x2c\x22\x11\xf9\xb7\xab\x95\x3b\xbc\xc3\x95\x5b\x52\xaf\xba\x8b\x37\xab\x0b\x43\xdf\xa8\x5a\x7c\xb2\xdb\x22\xde\xb6\xaa\x42\x43\x58\xaa\xd3\xc8\x97\xc7\xd8\xb5\x7a\xdb\xce\xa5\x91\xb8\x20\x20\x32\xe6\x43\x63\xb3\x95\xab\xe4\xc9\xc3\x1d\x4d\xb7\x78\x4c\xf7\x60\xb1\x9b\x14\x6d\xae\xf6\xd9\x99\x2c\x12\xfc\x16\x1e\x60\x03\x51\x80\x18\x86\xca\x8e\xdb\x0d\x4b\x54\x44\x55\x1b\x52\xff\xb1\xe7\x34\x2c\x78\x24\x5a\x71\x17\x22\xe5\xa1\xb7\x05\x2f\x44\x2f\xcc\x15\xac\x86\x94\x79\x42\xf2\x43\xd9\x95\x25\x4c\x9c\x63\x9c\x4a\x2a\x02\x1a\x83\x0c\x14\xf9\x6c\x2e\x04\x44\xd5\x64\x54\x83\x42\xb4\xfa\x10\x1a\xe1\xd6\xa6\xe8\xca\x7e\x14\x02\xe3\x23\xed\x5e\x91\x8d\x0b\xa9\x4b\xde\x84\x6c\x69\x91\x00\x54\x8e\x09\xc3\xcb\x63\x51\xd4\xdd\xee\x86\xbc\x33\xe8\x75\x44\xda\xe4\xb7\x67\xb9\xd2\x22\xeb\xca\x2e\x39\x3c\xa7\xb2\x23\x87\xeb\xfc\x68\x9d\x1f\xab\xf3\xeb\xe1\x5b\x4f\xad\x1b\x55\xb1\x32\x55\xc1\xe1\xfa\xd1\xc6\xf5\xf5\xa7\xba\x51\x07\x1f\xa9\xb1\x6b\xcc\x82\xc0\x2e\x7f\xef\x2e\x76\xf9\xdf\x79\x5b\xee\xf2\x8d\xd0\x3a\x03\xd4\x36\x91\x3b\x73\xad\x1f\x82\x89\x50\x03\x12\x93\xe1\xa6\x13\xf6\xe4\xa6\x6a\xac\x8a\xb6\x5c\x0e\x58\x23\x1e\xb6\xf2\xac\x30\x4b\x6d\xe2\x50\x8a\x4b\xdf\x79\x94\x22\xa2\x26\x80\xd8\x01\x05\xf9\xca\x4e\x38\xfd\x97\x53\x52\x74\x84\x5b\x4f\xbc\xc9\xfe\xcf\x03\xec\x98\x75\x26\xb4\x93\x6c\x83\xf8\x99\xce\x62\xb0\x92\x6c\xd1\xea\x02\x01\x91\xaf\x3c\x10\x7c\xa0\x36\xf2\x16\x2a\x83\xbd\x5c\x44\x84\x61\x88\x85\x4e\x30\x6c\x6a\x74\xda\x76\xd8\x6a\x81\x84\xbd\x46\x1a\x71\x9c\x43\x02\xb5\x0e\xe0\x2d\xc3\x7c\x4d\x94\xee\xcb\xe7\x16\x4f\x37\xf9\x0c\x1f\xdd\x05\x1d\xa5\x65\x0a\xe1\xb6\x31\x68\x88\x42\xba\xc0\xac\x36\x19\x4e\xb9\x71\x5c\x08\x8e\x23\x29\x5d\x7e\xbe\xb0\xe2\x53\x0d\xfe\x9b\x6c\x65\x72\x75\xd3\x17\xad\x6c\xe7\x73\x8b\xa7\x47\x36\xd1\xbc\xe8\xed\x83\xf6\x2f\x7a\x8f\xab\x3c\xee\x08\x73\x0f\xec\x63\x9f\x1d\x63\xd5\x47\xfc\x0f\x8f\x05\xff\x5c\x5b\xa9\x5c\x5d\x21\x15\x1c\x2d\xd8\xfd\x3c\x81\x34\xb4\xf8\x82\x72\xfa\x52\x71\x63\x32\x49\x80\x98\xa2\x62\x3a\x33\x6d\x68\x20\x85\x19\xa2\xf3\x9c\x9d\x7c\x82\x71\xde\xe0\xc1\x74\x47\x84\x49\xd9\x79\x7e\x20\x3f\x96\x88\xb5\x30\x31\xd7\xaf\x83\x8b\x71\x52\xb9\x6c\x1e\xe5\xab\x7d\x9b\x0c\xca\x0e\x82\xe5\xd2\x73\xd3\xd7\x05\x68\x18\xdd\xf4\x09\xf9\x61\xf9\x94\x13\x1f\x28\x85\xee\xac\xdb\xcb\x52\xc9\xa0\xf0\x21\xaa\xee\xdc\x64\x41\xe5\x61\x87\x7a\xfa\x79\x52\x34\xc9\xb1\x6c\xe2\x05\xeb\xf2\xa7\x4a\x67\xc7\xc8\xf1\x64\x80\x66\x44\x93\x59\xb3\x25\x92\x11\xdf\x54\x7a\xba\xc2\x1f\x2f\x44\xc9\xd8\xe7\x3c\x86\xab\xef\xff\x57\x2f\x78\xb9\xb7\x02\x7f\xaf\xb8\xc0\x44\x3a\x5c\x1b\xc9\x70\xf4\xfa\x54\xc7\x07\xcf\x82\xdd\xfe\x51\x1f\xd3\x3f\x31\x76\xf7\xc3\x99\x0a\x6a\xaa\x44\x81\xda\xe8\xff\x24\x0b\xbe\x7f\xcb\x27\x2a\x10\xbc\x94\x60\xa0\xd0\x41\x41\x9c\xda\xec\xfd\x8b\xde\x15\xbd\xa4\x9f\x87\xc9\x45\x0f\xac\x5a\xce\x16\x7c\xc7\x04\xfb\x7b\xa9\x49\x4b\x59\x35\x93\xe7\x9e\xff\x35\x2f\xf8\x84\x67\x7e\xbb\xeb\x06\xf6\x02\x11\x59\x49\x80\xa8\x66\x54\x4a\xda\xac\x8a\x24\x4b\xd7\xa0\x83\x93\xa2\xb9\xd6\xe4\x07\xc3\x24\x39\x38\x65\xaa\x9b\xf4\xfa\xab\x89\xe4\xd6\x70\x04\xcc\x2c\xcc\xf1\x48\xd5\x95\xe1\x51\xd6\xea\xcb\xe3\xb8\x40\xfb\x20\x00\xea\x4a\x79\x41\xd5\x40\xc9\x54\xb4\x1f\x8f\xd3\xf5\xac\x45\xea\x1d\x94\x6e\x5c\x91\x6b\xd8\x2a\x13\x2e\x79\x69\x98\x24\x5b\xe6\x3d\xfe\x9a\x47\x46\x3e\x40\xfd\x3f\x4f\x46\x3e\x25\x00\x10\x04\x33\x5c\xd6\x48\x19\x3a\x05\x94\xce\xc6\xbc\x0b\x01\x3e\x06\x97\x05\x14\xa1\x38\x5d\xeb\x27\x61\xde\xa4\x05\x31\xb3\x12\xa7\x05\x94\xdc\x2a\xec\xbc\xd7\xb8\x20\x7b\x62\x88\x1f\x5f\x91\x9f\x5c\x31\xb0\x20\x6a\x82\x20\xf7\xd3\x11\x0f\xee\x63\x07\xe4\xb2\x3c\x43\x8e\x41\x04\xdf\xaf\xfe\xde\x66\x14\xb0\x92\x26\xea\x59\x8f\xc9\x76\x19\x06\xd8\x89\xd3\x71\x51\xba\x12\xc9\x8f\xd6\x18\xd1\x92\xff\xe2\x5a\xf0\xf7\x1e\xfe\xad\xbe\x48\xbf\xec\xb8\x39\xbb\xc8\x11\x90\x2a\x1d\xea\xa3\x52\x49\xa9\x3c\x63\x3f\x95\x72\xc4\xca\xb4\xdc\x4b\xd3\x37\x03\xc1\xdd\x3a\x7d\x33\x59\x9f\x6e\x9d\x6e\x36\x9b\xd3\x37\xe3\x97\x6e\x5d\xa1\x98\x50\x4c\x0e\x28\x2b\x31\x7b\x9b\xed\x07\x3e\x69\x57\xdf\x59\xb9\x19\xf6\x52\x93\x9a\x6c\xd2\x17\x57\xa6\xac\x78\xd3\x24\xe1\x49\xb6\x21\xf2\x56\x58\xb8\x51\x7d\x5f\xf1\x18\x2b\x3a\x59\x8e\xb0\xa8\xfe\xe7\xbd\xe0\xfd\x9e\xf9\x8d\xa3\x92\x3f\x69\xbf\xaa\x38\x2c\x35\xee\x3a\x17\x17\x7a\x59\xf1\x48\xee\x82\x9b\xe1\xfb\xf2\xf3\x72\xb6\xe6\x0c\xa3\xac\x0e\x6a\xd3\x7d\x72\xbf\xc7\x0e\x28\x9a\xf6\xcb\x60\x4d\xfd\xad\xe9\x4c\xfd\x1e\xb5\xee\x5b\x7c\xd2\xa1\x38\x7d\x39\xa2\x0d\xe0\x4c\xf3\x6f\x8d\xb3\xef\xb1\x21\x49\x7a\x3d\x40\x8c\x3f\x19\x8a\x6e\x96\x2e\x89\xd2\xa0\x41\xbd\x63\x3c\x98\x1b\xbe\xbc\x29\x18\x14\xd7\xcf\x22\x14\x54\x4b\xe4\x65\x18\xa7\x88\x03\xd5\xdc\x12\x08\xea\x83\x63\xdf\x94\xc8\x45\xcf\x36\xe0\x54\xf3\xc1\xcc\x4c\xb5\x2c\xd8\xb6\xf0\x54\x94\x09\x30\x0a\x3d\xea\x76\x8d\x4e\x75\x73\x30\xbd\xdc\xb9\x6c\x14\xaa\xd3\x1a\x85\xea\xb6\xe0\xfa\xa5\xd1\xb8\x53\xda\x06\xb5\x2d\xee\xd4\x61\xc2\x9d\x9a\x0a\x9e\xb8\x4c\x01\x90\x66\x51\x47\x23\x4e\xbd\xf5\x4a\xf6\x6d\x9b\x98\x89\xfc\x17\x5f\x19\x1c\x7e\x7a\xb6\x3a\x64\x9a\x1c\xae\x2b\x4f\xe5\x7f\x9f\x57\xb5\x50\xfe\xed\x04\xfb\xbc\xed\x03\xf9\xd8\xae\x7d\x20\x2f\xa9\xd6\xf2\xb6\x4b\x6b\x3e\x6a\xd5\xbc\x7f\x4f\x39\x48\x7e\xcb\x63\x53\x3b\xb2\xb9\x81\x5f\xe4\xad\xa3\xfd\x22\x91\x28\x20\x89\x5b\x63\x41\xc3\x9c\x82\x25\xe9\xd1\xf5\x95\xb0\x8f\x78\x9a\x1e\x3f\xe0\x6d\x81\x45\x33\x6c\xcd\x0e\x5e\xee\xcd\x8e\xf0\x59\x3c\x16\x83\xd8\x73\xf9\xee\xb9\x7c\x1f\x2b\x97\xef\x43\xde\xfc\xf6\xde\xc6\xa7\xf8\x53\xda\xdb\x08\x3b\x49\xfb\x17\x9f\x9e\xad\x56\xbd\x8b\x9f\x5f\x63\xdf\x35\x32\xb4\x12\x50\x1b\x01\x32\xee\xbd\x6b\xc1\xed\xd6\xef\xca\x09\x6f\x81\xea\xd9\xc6\x01\xb4\x4a\x23\x2e\xbd\x2a\x5d\xe8\x32\xef\x2f\xb6\xd9\x17\xf6\xb3\xc7\x27\x59\x18\xdd\x16\x26\x52\x58\xcf\x67\x93\xb0\x28\xfc\xdf\xdc\x1f\xfc\xe2\xfe\xa1\xcb\xda\xf1\x06\x3f\x94\x84\x9d\x85\x11\x5f\xa5\xc7\x38\x14\x0e\xed\xea\x5d\x05\x2b\xaf\xe0\x27\x8d\x9a\x84\xd1\x68\x6e\x44\x9b\x95\x63\xac\x4d\xde\x5a\x94\xc2\xa4\xe3\x46\x51\x0e\x12\x61\x55\x5f\xad\x53\x49\x52\xab\xde\x2b\x9a\x49\xea\x1c\xf4\xb0\x40\xed\xc7\xc6\x7a\xdc\xc3\x78\x17\xb2\x80\x40\x7d\x55\xe7\x6e\x93\x9f\x4b\xc9\xc6\x42\x39\xd3\x64\xba\x24\x41\x1d\xc2\x79\xd3\xa8\x21\xa7\xd6\xcd\xcd\x6f\xc9\xef\x4b\x25\x9c\x8c\x85\xda\x4e\xa7\x06\xae\xca\xf4\x1e\x3c\x6d\xcd\xe8\x41\x42\xf5\x29\x4d\x76\x87\x8a\x2f\xdb\x72\x4a\xa9\x8c\x7d\x9d\x97\x59\x14\x0e\x74\x56\x9c\x41\x6c\x8f\xa4\x2c\x51\x76\xf2\xac\xbf\xd6\xa1\xe5\xca\xfa\x91\x8a\xa9\x45\x04\xc5\x35\x3c\xda\xeb\x60\xc4\x21\x26\x17\x42\xa1\x7f\x48\x81\x4b\x07\x26\xd6\xcd\xf9\xba\x0a\x23\xac\x93\x4d\x22\x2c\xd0\xed\x40\x64\xb7\x5d\xc7\x37\x94\x1d\x04\x12\x00\x71\x76\x0a\x5a\x43\x63\x24\x01\xf2\x6a\xf2\x19\xab\x17\x5b\x36\x8c\x3a\xb7\x3b\xca\x62\x4a\x0d\x2b\x5e\x4b\x25\x9b\xd0\x5f\xc3\x38\x2a\x51\x5a\x74\xb6\xfd\x6a\x22\x06\x36\x98\xe6\x91\x19\xa1\x2b\x48\x2f\x70\x86\x6b\x5c\x5d\xe0\xb3\x69\x4b\xe8\xe9\x92\x0d\x13\x3f\x43\xe4\x1f\xf7\xbb\x2a\xd6\x6a\x23\xee\x29\x30\x07\xbd\x6b\x61\xd1\x91\x07\x62\xca\x51\x9a\xa5\x95\x8f\x41\x07\x1c\xb9\xef\x4f\x6b\xec\x1a\x7b\x0b\xcf\x2d\xf8\x9f\xad\x05\x1f\xa9\x41\x2e\x95\x81\x67\xd0\x83\x90\xf2\xe4\x09\x6e\x37\xea\xfe\x80\x0e\x4a\x25\x4b\x79\xbb\x74\x22\xdd\xdc\xc2\x08\x20\x2a\x67\x66\x29\xdd\x25\x12\x3d\x91\x46\x05\xc2\x01\x98\xf4\x4b\xd0\x81\x13\x2c\x93\x2c\x57\xb1\xa1\x69\x55\x21\x60\x51\xfb\x03\x0d\x79\xe0\x8c\x4b\xcd\x56\x85\x4a\xb4\x5f\x6e\xe4\x3c\x23\x5d\x44\xda\xa7\xe1\x7e\x58\xe7\xb7\x28\xbd\x13\x34\x68\x1c\x86\x33\xcb\xaf\x1f\x63\xdf\x6e\xf7\x06\x73\x74\x17\xe5\xfa\x16\xfe\xff\xa8\x05\x5f\xaa\xd9\xac\x0e\x4d\x26\xd5\xf4\xcd\x5e\x12\x96\x52\x3b\x27\x47\x21\xf4\x50\xe5\x45\x5b\x68\x03\x95\x1d\x6d\x3a\x2b\xbf\xdf\x58\x75\xd6\x09\x82\xf6\x74\x66\xb5\xca\xbe\xd5\xdd\xa0\x63\x77\x6e\xa1\x78\xb8\xe7\x26\xb8\xb4\x60\x0b\xaa\x68\x23\xa9\x11\x25\x66\x1d\x74\xa1\x33\x0c\x1b\xee\xe7\x1b\xed\x38\x17\x1b\x61\x92\x4c\x6f\xa1\xc5\xff\xdc\x18\x3b\xa0\x30\x56\xfc\xb7\x8e\x05\xf7\x8f\x2d\x66\xfd\x52\xe8\xfd\xa4\x27\x35\x23\x57\xa6\x24\x65\x04\xb6\x38\x2f\x06\x68\xa1\xa5\x18\x48\x0b\x6a\x23\x2e\x34\x70\x0b\x30\x42\x9d\xf6\x8e\x29\xc9\x64\x9e\x25\x6b\x94\xda\xb7\x9a\x45\x66\x64\xa6\xb7\xe0\xb7\x54\xf6\x00\x94\x07\x82\xd4\xc6\xb2\x18\xae\x7b\x64\x95\xf3\x82\x05\x92\x5f\xeb\x66\x51\xdc\x1e\x48\x0e\xe3\x6e\x66\xac\xfb\x3d\x8b\x73\x38\xb7\x50\xe7\xf3\x59\x24\x16\xb2\xbc\x44\x59\xd4\xde\xd0\x4d\x3e\x67\x2d\x33\x1d\x51\xa7\xa8\x6b\xf3\x50\x97\xfc\x52\x61\xdb\x89\xc7\x36\x4c\x8c\xb1\xba\x36\xfd\xe0\x16\x95\x0e\xde\x59\x63\x8f\x2b\x44\x21\x25\x22\x05\x5e\xe3\xff\x58\x2d\x78\x49\x6d\x49\x6d\xff\x00\xd1\xb5\xe6\x16\xa8\xb4\xf6\x7c\x96\x8a\x00\xa2\xb3\x61\x62\xbb\x61\x0c\x91\xdb\x9c\x5a\xe1\x0a\x37\xa5\xc9\x31\xff\xd8\x10\x3c\x14\x8f\x8b\x46\x3c\xa8\xcc\x5f\xea\x4b\x72\x5d\xe5\x67\x5c\xcb\x0d\x5e\x79\x18\xe7\xe5\x49\xeb\x71\x5e\xf6\xc3\xa4\x11\xf7\x0a\x54\x71\xf0\x86\xa4\xf7\x0b\xb1\x2b\xb5\xff\xde\x7e\x76\x95\x85\x8a\x52\xf8\x1f\xdd\x1f\x3c\xb0\xdf\xbe\xa2\x7d\x75\x94\x78\xdf\x40\x37\xa5\xb2\x67\xab\x47\x91\xc8\x09\x67\xd0\x39\x4c\x41\xac\x53\xfd\x55\x47\x28\x95\xe6\x52\xcd\x52\xa2\x67\x21\xb7\xbe\x26\x56\xe2\xc1\x2d\x15\x27\x61\x4b\x7e\xd5\xe3\x0f\xcc\x7b\x94\xb9\x58\x84\x5d\x41\xb1\x0c\x85\xde\x18\xcb\xb8\x3d\xd1\x01\x78\x0b\xe0\x0c\x34\xf9\xb2\xd3\x79\x25\x1a\x42\x92\x60\x75\xeb\x86\x72\x83\x14\x25\x3f\x7c\x9c\x1e\x0e\x07\x95\xda\x56\xa7\x74\xbf\xc1\x87\xde\xc9\x0a\x91\x12\x69\x50\x5e\x0d\xc5\x64\x58\x1f\x25\x41\x45\x07\x5c\xad\x86\xad\xf3\xf2\x38\x1b\x81\x57\xe1\x32\xfc\x30\x49\xc0\x41\x03\xd0\x82\x92\x07\xa4\x99\x7e\xd9\x72\xa7\xa2\x35\x4a\x7d\x50\xd9\x88\x80\x1c\x5d\xae\xd2\x09\x0b\xa7\x09\x34\x49\x85\xa5\xa2\x72\x42\xc9\x48\x05\x21\xcf\xd1\x32\x22\x6a\xe2\xb2\x3a\x08\x94\x96\x4a\x8e\xa7\x81\x5d\xcf\xaf\x2b\xc2\x14\x0a\xdf\xe8\xfe\xa8\x5a\xed\x2d\x08\xf7\x09\x13\xad\xe2\xc6\x6d\x92\x47\x41\x68\xea\x42\x2a\x42\x21\xd2\x42\x9b\xf8\xc1\x38\x86\x5f\xb2\x21\x35\xaa\x90\x0e\x66\xca\x14\x6a\x13\x64\x82\xea\xf9\x68\x65\x69\x51\xe6\x21\xd2\x9a\x9b\x86\x7d\xa9\x48\x59\xab\x03\x02\xc3\xa4\xd9\xc7\xd4\x5b\x5b\x64\xd7\xb4\xa6\x8e\xb5\xca\x17\x22\xa9\xef\x22\x82\x12\xe0\x35\xea\x23\xb7\x0b\xe5\xe4\x20\x78\xa4\xdd\x07\x99\x67\x5d\xd7\xa8\xdf\xf4\xb4\xfa\xcd\x31\xf6\xad\x23\x49\xdf\x7f\x60\x2c\x78\xf3\xd8\xc8\x5b\x3a\x17\x3a\x6e\xbb\x5a\x16\x9a\x9a\x0a\x4c\xbe\x96\x67\x9e\x3e\x6d\xac\x43\x2f\xcd\x22\x01\x18\x50\x80\x91\x45\x47\x6e\x63\x23\x8e\x8c\x7a\x5e\x34\x79\x00\x3b\x2f\xe0\x0a\xc0\xb1\x70\x54\x76\xb4\x02\xcc\x2d\x20\x89\xaf\x67\x71\x84\x1e\xeb\x56\x96\x46\xbc\x93\xf5\x80\x2c\x1d\x09\x12\xf1\xc7\x23\x81\x42\x03\x20\x59\x10\xa7\x41\x45\x24\x8f\x8b\xf3\x05\xef\x65\xa5\xe6\x31\x71\x97\xc4\x9a\x48\xf7\xbe\xe8\xe5\x22\x8c\x00\x27\x2a\xa0\x73\x2e\xe0\xd9\x6a\xd1\xea\xe7\x5b\x75\x50\x12\x78\x2b\x94\x9c\xcc\xe9\xa3\x31\x26\xc3\x9c\x38\x0a\x11\x6c\xd5\xb5\x2c\x8b\x20\x9b\x10\xcd\xf9\x61\xd4\x30\x1d\xb0\xd7\xf0\xaf\xae\x66\xac\xa5\x8e\xdd\xc2\xff\xf2\xd5\xc1\x9b\xaf\xd6\xc7\x70\xc5\xad\x28\xbb\x84\x58\x1a\x02\xe4\x83\x78\x2d\x55\x42\x5a\x5c\xa8\x39\xc1\x03\x5b\x72\xa7\x7e\xd1\x87\xc9\xd0\x4f\x62\xc2\x69\x32\xc0\xc4\xa2\x30\xd5\xc8\x1c\x0e\xe7\xe9\x86\x29\xbc\x57\xc7\x18\x93\x06\xa4\x67\xf0\xc9\xb0\xe0\x3d\x29\x59\x23\x8e\x84\x63\xe9\x9d\xd2\xa5\x4d\x11\xac\x55\x6e\x6c\xe0\xdd\x7a\xbf\x25\x0a\x37\x4c\xe3\xb9\x40\x5f\x6f\x42\xf0\x96\x8d\xb8\x10\xa6\x5c\x90\x89\x2f\x02\xba\xb4\x80\x5b\xad\xbd\x64\xb9\xc1\x49\x29\xd2\x82\x2e\x2a\x3c\x05\xef\xa7\x89\xc2\xaa\x02\x9a\xb1\xb6\x39\x24\x5e\x81\xda\xa0\xde\xcd\x1c\x09\x86\x4f\xaa\x18\x35\x9d\x89\xaf\xbf\x4c\x59\xf7\x92\xd1\x00\xfe\xda\x70\xfb\x6e\xd3\x60\xbf\x72\x1b\x8f\x15\xaa\x19\xe0\x28\x96\xee\xa8\x94\x45\x22\x71\x8f\x9e\x3a\xc6\x8a\xa1\xf9\x86\x87\xab\xd9\xba\x98\x6a\x72\x5e\x2d\x92\x46\x22\x4e\x5d\xe1\x05\xa2\x5d\x6e\x32\x08\xa6\xa0\x08\x60\x48\xe7\x9e\xa1\xa4\x26\xe7\x4b\x84\x8f\x01\x1d\x29\x33\x6a\x82\x58\x72\xc8\x83\x8e\x08\x23\x98\x4a\x5a\x92\x80\x4f\xa6\x19\x27\xf9\x83\xcf\x2d\x4c\x29\x81\x13\x4d\x0c\xed\x7e\x82\x87\x3a\xe6\xa7\x1a\xbb\x9d\x7d\xb4\x10\xc8\x05\x01\x24\x4b\xea\x91\x72\x0b\xe8\x69\x44\x46\xb9\x0a\x49\xe0\xbb\x14\x56\x37\x3f\x63\x5d\x15\xdd\xa8\xe5\x19\xc9\xb5\xf6\xaa\xd5\x0d\x81\x8e\xa6\xc8\x11\x7a\xf8\x16\x1a\xbf\x2b\x2f\x0f\x77\xd2\x39\xd9\x9c\xbd\x04\x46\x77\xf2\x58\x6b\xdb\xa8\xe6\x20\x4a\x7d\xde\x62\xd8\x75\xed\x1e\x05\x59\xc8\x06\x68\x30\x8c\xe8\xee\x43\xf7\xa0\x38\xa0\x1b\xc6\x90\x66\x25\x79\x01\xc5\x35\x19\x3b\x67\x36\x59\x30\xb7\xb0\x7e\xfc\x64\x3f\x4c\x96\xca\xb0\x75\x3e\xd0\xca\xfb\x5a\x58\xda\xd0\x91\xd5\xa8\xd6\x24\xee\xc6\xc4\x19\xb2\x54\x28\xe9\x00\x09\xca\x0e\x57\x81\xcf\x86\xc5\x56\xc3\x15\x3b\xfa\xa6\xdc\x64\x9d\x2c\x89\xc0\x74\x74\x21\xee\xf6\xbb\xb0\xe0\x1b\x99\x96\xb5\x26\x23\x29\x58\x17\x72\x18\x52\xd5\x05\xdc\x53\x11\x53\xa9\xca\x48\xe4\x72\xe3\x2d\x77\x44\x21\x0f\x09\x9a\xc5\x56\x96\xe7\xa2\xe8\xc9\xe3\x81\x58\x1c\xed\x49\xe2\x66\x71\xef\xf6\xb0\x1b\x03\x01\x53\x97\x6f\xcb\xca\x8e\x35\xe1\xc8\x41\xcd\x53\x72\x83\xac\xc9\xf3\x23\x35\xfa\x3e\xdd\x1e\xd0\x49\x4e\x0d\x3d\xaa\x4a\xc5\x2e\x6b\xb7\xbd\x71\x1f\x7b\x02\x86\x67\xcd\x76\x44\xeb\xbc\xda\xb7\xfe\xbf\x8c\xab\xf0\xde\x6f\x8c\x8f\xb8\x6f\xc1\x89\xca\x79\xc0\x27\x20\xbe\x0b\x4e\x5f\x78\x44\xf9\x57\x95\xc1\x1a\xf7\x66\x66\xb3\x0e\x34\xb0\x92\xc6\x4a\x20\xc8\x43\x82\xc6\x68\xa9\xc9\x7e\x01\xb4\x0a\xc0\x37\x27\xe9\xd4\xd9\x5c\xd6\xa1\xb9\xdd\xb1\x88\x09\xd6\xda\x9c\x6b\xb1\x7a\x6a\x59\x9f\x9f\xfd\x32\xeb\x86\x25\x19\x6a\xf5\x69\x0a\x95\x5c\x48\x48\xc3\x73\xb9\x20\xa3\xa6\x63\xd9\x29\xa6\x40\x89\xd2\x81\x34\x28\x46\x65\x3c\x12\xa5\xc8\xbb\x71\x2a\x20\x28\x52\x01\x31\x67\x91\xa0\x30\x68\xa3\xa3\x99\x72\xc8\x8a\x43\x82\xed\x62\x4b\x36\xb3\x29\x77\xc5\xad\xad\x8d\x41\xa9\x90\x82\x6f\xf9\xf0\xf1\xd7\x34\xe3\x49\x96\xae\x49\xc9\x0c\x9b\x56\x86\x5e\x79\x20\xc3\x39\x37\xe8\x89\x29\x37\x44\xfc\x7f\xd4\xd8\xb7\x2a\xab\xbe\x2b\x49\x7f\xb9\x16\x7c\xa6\x36\x37\xea\x96\x45\x94\xda\xde\x05\xbb\xd9\x78\xf3\xb4\xec\xa9\x21\xe1\x40\xb4\xd6\xd9\xfa\x66\x86\xb3\xdc\x96\xad\xad\xeb\xa9\x14\xd7\x8c\xc0\x0a\xef\x17\xc3\x5f\x00\xeb\xae\x35\x09\x4e\xeb\x46\x22\xa7\xd7\x47\x4b\xf4\xee\x57\xeb\xfa\x29\xa9\xb7\xe4\x59\xaf\x87\x16\x9f\x74\x93\x77\xd0\xe9\x11\x46\x03\x17\x34\x49\x6f\x11\x3d\x06\x47\xfc\xfd\x91\x7d\xec\x1a\x97\xad\xf9\xff\x30\x1e\x7c\x63\x7c\x6e\xc1\x61\x75\x95\x38\x03\xc3\x9f\x1b\xa9\x55\x0c\x07\x75\x40\x25\x38\x68\xdc\x90\x25\x5b\x30\x8e\x0b\x38\x1c\x4c\x31\xee\x2d\x4e\x2d\x7d\xae\x20\xf6\xb1\x14\x7a\x60\x34\x06\x45\xd0\xe0\x46\xba\x44\x4a\xbc\x62\x09\x82\x1f\xa0\xe5\xa6\xf1\x24\x50\x51\xf0\xc0\xba\x1b\xf0\x49\x1d\x2a\x21\x4f\x35\x18\xfb\x54\x9d\x07\x0b\x20\x23\x59\xfd\x9b\x94\x07\x95\x7a\x24\x46\x2f\x9d\x75\x5c\x59\xf8\x6a\x44\x8d\x05\xca\x7d\xd5\xc6\xe5\x7b\x78\x4d\xbd\x49\x8f\xa3\xa0\x18\x50\x44\xe8\xae\xbe\x5c\xb7\xc4\x7b\xb9\x9f\xa7\x28\x19\xc2\x3a\xe5\x6c\x11\xa3\x50\x08\x68\x68\xee\x57\x06\x95\x11\x0e\x3e\x38\x7f\x77\xc8\x19\x8a\xad\x24\x2f\x07\x10\x78\x1f\xfb\x76\x0a\xb8\x9c\xcf\xca\x45\x49\xca\x33\x4a\xdb\xf2\x5f\xbb\x2f\xb8\x7f\xdf\x66\x77\x9d\xa8\xd3\xb0\x04\x3f\x58\xb8\x26\x34\x3c\x58\x24\xc2\x84\x6c\xc5\x23\x78\xaa\xda\xb5\xc4\x24\xa2\xb8\xc8\xc5\x5a\x98\x47\xd0\x8c\x8a\x40\x22\x0b\x1b\x6c\xb0\xe9\x34\x2b\x1b\xd6\x56\xeb\xe5\x71\x37\xcc\x07\xc0\xe0\x41\xa3\x90\x4d\x17\xb6\x50\xaf\xb9\x33\x02\x55\x2e\x95\x61\x29\xc5\xf4\x25\x51\x1e\x2c\xf8\x9d\x4a\xbc\xb7\xd8\x47\x2f\xcf\x7a\x21\x08\x51\x4b\x8b\x77\xf1\x93\xf3\x4b\x10\xc2\x90\x93\xcd\x28\x2e\x0b\xbe\x90\x45\x26\x52\xaf\xd7\xcf\x7b\x19\x66\x50\xf6\x84\xc8\x4d\x80\x1e\x76\xd0\x32\x44\x5b\x99\x6b\x38\x57\x6b\x22\x15\x90\x02\x61\x59\xd6\xd2\x48\xff\x5a\x02\x30\x03\x13\x01\xe9\x38\x00\x81\x0b\xf6\x72\xe5\x93\x53\xf6\x27\x5c\x83\xa4\xca\x9c\x5a\x59\x5a\xc4\x58\xa2\x25\x80\xd9\x0b\xb8\x90\x27\x1e\x31\x6f\x18\x50\xd9\x11\xdd\x42\x24\xeb\x24\x80\xc1\x19\x37\xb3\x26\x52\x8d\x9b\x2b\x1b\xe9\x77\x29\x78\xda\x1a\x97\x1a\x46\x64\x7d\xd4\xf6\xbc\x9c\xb2\x39\xfd\x66\x83\x93\x8c\xa1\x08\xdb\x02\x75\xf6\x7e\x97\xce\x6b\x15\xfc\xe3\x82\x96\xbc\x62\x9c\x7d\xa7\x92\x04\x6c\x21\x46\xc9\x4c\x85\xff\x8d\xb1\xe0\x8b\x63\x5b\x3e\xa2\x23\x5e\xe2\x36\x37\x17\xb7\x91\x3a\x88\xbc\x6c\x27\x2c\x6c\x2c\x57\xed\x72\x90\x42\xcb\xbc\x2f\x02\x0c\x72\x0c\x07\x16\x7f\x0c\x20\xc5\x32\xa8\x9e\x9f\xae\x5f\xca\x40\xc6\x09\x64\x5b\xba\xa7\x4d\xbe\xf5\xe8\x40\x9d\xb6\x5c\xb2\x3b\xe8\xb8\x63\x96\x6b\x25\x22\xb4\xdc\x59\x4a\x72\xb4\x8c\x06\xa6\xc0\x0a\xb8\x51\x1f\x76\x7b\xe2\xe9\xdb\xd4\x68\x66\x71\xe3\x58\xbe\x44\x8b\x16\x2e\x7a\xec\x5b\x2b\x8e\x10\x2a\x65\x72\xbf\xc7\x8e\xef\x00\x8c\x6b\xc4\xab\xc1\xed\x23\x5b\x74\x4b\x76\x3b\x66\x20\xf2\x01\x54\x1c\x24\xec\xbf\x1f\x60\xcc\xb0\x7c\xff\xab\x07\x82\xb7\x1d\xa0\xe3\x7d\x28\x70\xde\x3e\x5e\x50\x6a\x9b\x5b\x58\x3f\x56\x97\xff\x1e\x9f\xda\xc6\xe4\x75\x89\x27\xbb\xbb\x54\x43\xb6\x32\x97\xf8\xb5\x85\x5f\x91\xa8\x1b\xe9\xa8\xf2\x93\x46\x2b\x68\x5b\xc8\xc8\xc6\xd6\x66\xe5\x05\xc9\x2d\x86\x67\x74\x6c\x57\xbb\x54\xc5\x7b\xb0\x07\x75\x5b\x61\x54\x1f\x24\xdc\xea\xb8\x1c\x52\x33\x2e\xd1\xd2\x56\x99\x1d\x1d\x20\x0a\x93\x41\x95\xbc\x4f\xc8\x6f\xd0\x17\xe1\x5c\x89\x22\x8a\x74\x00\x73\xb6\x3a\x7d\xe5\xbb\xf2\x74\xd2\x92\x07\xda\x4a\x6d\x2c\x48\x68\xc4\x92\xcf\xad\x33\xcd\x92\x57\xda\xf6\xc6\x18\x69\xfa\x92\xb4\x42\x8e\x3e\xb9\xf6\x81\x3b\x8e\x6c\x74\xfc\x42\xa1\xcc\x3d\x3b\xb4\x28\xd5\x4d\x69\x2a\x8c\x7c\x91\x7c\x4c\x99\xc8\x02\xcd\x5f\x2e\x45\x44\xd9\xd2\x38\xc4\xd8\xf2\xe5\xda\x2e\xd4\x56\xda\xc2\x80\xa1\x77\xdb\x8e\xac\x18\x55\x51\x0d\xbc\x38\x96\x77\xec\xe1\xb2\x69\xec\xda\xce\xf0\xff\xd4\xd8\x95\x4a\x91\x9f\x5b\x28\xfc\xaf\xd6\x82\x8f\xd5\xac\x0b\x5b\xd8\xd5\x25\x29\xe3\x59\x2f\xd5\x9c\xa2\xb2\xed\x14\x88\x63\x81\xb5\x10\x7a\x26\xce\xa2\xaa\x23\x3b\x36\x22\x12\x26\xd0\x61\x8f\x83\x37\xc2\x03\x3e\x89\xb1\x77\x98\x6c\xd2\x93\xa2\x8a\xaa\x70\x0b\x06\x3a\xdc\x17\xa1\xf9\x5c\x98\xe7\xf1\x3a\xe2\xcf\xab\x92\x1b\x1a\xc7\x79\x6e\xa1\xc9\xf9\x0c\xe4\x0e\x67\xa9\xca\xdd\x03\x73\x98\xb2\x16\xb8\xf6\x01\x92\x98\xa8\x8f\xbd\x30\xd7\x49\xbe\x96\x84\x43\x50\x6a\x5b\xb8\xa3\x3e\x58\x63\x57\x09\x8b\x74\xfd\x07\x6a\xc1\x9b\x6b\xf6\x15\x15\x08\xa8\xfb\xa1\x1d\xce\xd8\x05\x93\xd8\xd1\x15\x92\x1d\xc4\x45\x57\x87\xb5\x94\xfd\x1c\xc1\x69\x53\x1e\x26\x71\x38\xc2\x28\x81\x07\x46\x08\xe2\xea\xec\xfc\xcc\x99\x53\x24\xb4\x4e\x35\xf9\x7c\x66\xec\xcb\xc6\x90\xba\x9e\x25\xeb\x60\x45\x31\x90\xe9\x3a\xc3\x82\x2f\xde\x3e\xdb\x38\x7c\xf8\xc8\x51\x80\x1f\x86\xa4\x8d\x49\x65\x5e\x2b\xb3\x2c\x29\x9a\xb1\x28\xdb\xcd\x2c\x5f\x9b\xee\x94\xdd\x64\x3a\x6f\xb7\xe4\xd3\x53\x94\x4c\x4d\x7e\x83\x15\x49\x98\x2b\xe4\x33\x08\xec\x7d\xed\xaa\xc1\x6f\xd4\x15\x1b\x5e\x35\x16\xbc\x0d\x50\xe7\x12\xa7\x6a\x83\x5e\x21\x95\x0a\xa3\x94\x5b\x4d\x6d\x8f\x91\x19\xf0\x10\x6b\xb2\xfa\x0e\x24\x0c\x68\x40\x72\xd4\x87\xbc\x23\xec\x3b\x86\x77\x70\x37\xec\x35\xce\x8b\x41\xe1\x7f\x8b\xef\x37\x60\xd0\xac\x01\x48\xeb\x59\x2b\x4b\xd8\x36\xc9\x87\xdd\xb0\xb7\x33\x2c\x0a\x68\xf7\x12\xb0\x28\x5e\x75\x80\xf2\x26\x5e\x7c\x20\xf8\xfb\xfd\xc0\x9c\xb5\xd5\x8c\xea\x4e\x5a\xf1\x9a\xb0\xc3\x60\x79\xdc\xe0\x0f\x7d\xae\x34\xe9\xd0\xb2\x31\x4b\x5d\x27\xc3\x0e\x9d\x1a\x81\x7e\x2e\xd0\x32\x30\x94\xf4\x25\x8f\xac\xb6\x0f\x19\xd6\x06\xfb\xc5\xda\xf7\x94\x65\x6d\x19\x89\xdc\xd8\x06\x3d\x4e\xcd\xaa\x75\xf1\xa9\x2c\x47\x91\x38\x2c\x47\xb8\x2a\x56\x07\x24\xd5\x90\xe7\xbd\xdf\xb2\xe2\xe4\x2d\x35\x08\x03\xc0\x87\xb4\x21\x55\x7e\x58\x4a\x4d\xc6\xcc\x2f\x95\x08\x72\x6c\x39\xae\x27\x05\x15\x68\x5c\xea\x76\xa4\x38\xb9\x99\x74\x12\x65\x68\xa5\x46\x9b\x67\xf2\x90\x02\x0a\x25\x67\xb1\xda\x6e\xca\x4f\xe2\x12\x04\x7c\xb5\x1f\x27\x18\x80\xa8\x67\x5e\x85\x68\xe8\xc9\x07\xbb\xaa\x64\xb8\xc0\xc1\xa8\x0c\x12\xb8\x11\xc9\xea\x96\x19\x47\x86\xd5\xc5\x8a\x4b\x03\x8c\x75\x66\xad\xed\x4f\x6b\x73\x38\x98\x4d\x28\x4a\xdb\x8e\x0b\x73\x15\xa7\x49\x79\x38\xeb\x98\x41\x5d\xfb\x11\x53\x31\x20\x38\x6e\xea\x32\x3b\xe8\x30\x32\x64\xc7\xca\x49\x6a\x9b\x5b\x9c\xd0\x41\xe1\x78\xbc\x96\x04\xb8\xc6\xed\xea\x94\x05\x8f\x32\x14\x07\x95\x58\xe5\x78\x4d\x8d\x60\xf5\x70\x72\x3a\x22\x8e\x38\x5d\x6b\xe8\xe7\x14\xb7\x03\xa1\xd0\xc9\x63\x3c\xc0\x26\xf4\x34\xf8\xbf\x73\x20\xf8\xd8\x01\x87\x44\x29\xa6\xb5\x52\xef\x42\xcd\x08\xe9\x28\x5b\x78\xe5\xf7\x9c\xf2\xbb\x73\xca\xaf\x26\x61\x7a\xfe\x5f\x87\x53\x7e\xcf\x27\xff\x58\xfb\xe4\x1f\xa3\x58\xcd\x37\x3f\x81\x35\xb6\xc8\x7c\x6c\xea\x94\xe1\x67\xf6\xc3\xb4\x8c\xcb\x81\xff\x0d\x3f\xf8\x92\xaf\x7e\xa1\x62\x03\xc9\x28\x0d\x5c\xe1\x11\xf9\x6a\x84\x03\x04\x06\x39\xf2\x65\x14\x98\xab\x96\x42\x04\x54\x37\xcc\x8b\x4e\x98\xc8\x21\xf4\x53\xf3\x43\x32\x91\xa7\x2f\x9d\x9d\x87\x05\x7d\xf6\xcc\x99\xd3\xa0\x57\x86\x91\x4a\xbe\xcd\xf8\x12\x8c\x61\x12\x85\xe0\x99\x62\x2e\x2d\x8f\x1f\x93\xbf\x20\xba\x33\xcb\x0b\x50\x66\x4d\xce\x3d\xf6\x08\x71\x92\x78\x5c\x9c\x60\xec\xe6\xfb\x68\x1c\xb7\x72\xfa\xef\xc4\x89\x5b\xf8\xcd\xc8\x29\xe7\xa1\xd7\xb7\xde\x5c\xf4\xdb\xed\xf8\xc2\xad\x8c\xf3\xc9\xf9\x4c\x01\xcb\xa8\xab\xca\xc2\x48\x91\x80\x3a\x42\x22\x08\x70\x63\xc7\x29\xbf\x99\x20\x97\x96\xe6\x6e\x6d\x4e\xb1\x9b\xa3\x78\x2d\x2e\xf5\xf7\xe8\x93\x87\xf8\x0b\xf8\x61\xfe\x02\xde\x6c\x36\xf9\x0b\xf8\x8d\x1c\x9f\x2a\x6e\x75\x9f\x52\xef\xbe\x40\xfd\xa5\x1f\xbb\x19\xa7\x78\xe4\xf3\x85\x79\xa1\xb8\xb5\x39\xea\x9a\xfc\xb0\x69\x4a\x8e\xde\xee\x1f\x34\x15\x3c\x25\xe0\x2f\xe0\x41\x23\xa8\xcc\x8e\xfe\x94\xea\xc0\x0b\xa8\x01\x7d\x41\xcf\x94\xdb\xb5\xd5\x38\x0d\xf3\xc1\xd2\x1c\x76\x04\x67\xe8\xd4\x05\x84\x54\xb1\xaf\xc9\x27\xac\x87\xad\x26\x9e\x11\xf3\x17\xf0\x33\xf2\x9f\x3b\xe4\x3f\xcb\xf2\x9f\x05\xf9\xcf\xa9\x58\xae\x15\x39\x51\x29\xdf\x6a\x09\x8f\xac\xac\xcd\xfb\x69\x5c\x16\x37\xf1\x25\x21\x70\xa7\x9d\x98\x9e\xee\x75\x06\x45\xdc\x2a\x9a\x69\x5c\x94\xcd\xb5\x6c\x7d\xba\xd5\xef\x4f\x9f\x93\xcf\x4d\xe3\x97\x9b\x52\xe7\x92\x6b\x67\xfa\x64\xfa\xd1\x95\x13\x23\x67\xe7\xbc\xec\x8f\xec\x8e\xec\x8d\xec\x8c\xec\x8b\x4b\x36\x87\x0f\x1d\x39\xc6\x6f\xe1\x87\x9f\x11\x83\x55\xea\xf0\xa1\x43\x87\xe4\xcf\xf3\x37\xf1\x39\x1e\xc5\x51\x7a\xb0\xe4\xad\x4e\x96\x51\xed\xf5\x56\xd8\x8b\x4b\x4d\xb9\x4d\xd3\x01\x33\x51\xb0\x36\x62\x68\x55\x5e\xc0\x83\x53\xd5\x8b\x8c\xcd\x03\xce\x0d\x98\x15\x80\x59\xd3\x29\x5b\x02\x80\x97\xa0\x36\x61\x83\x14\x26\x7f\x2b\xcd\xb8\xda\x25\x94\x23\xaa\xab\xdc\x29\x5c\xb4\x35\x90\x0d\x49\xa6\x3d\xf2\xdc\xe3\x47\x1b\x87\x25\xe1\x77\xc3\xb5\x34\x2e\xfb\x11\xd4\x4a\xc9\x31\xd1\xb2\xc4\xc0\x1e\x80\x0a\x83\xc7\x8f\x6a\x44\xb2\x5e\x82\xe5\x64\xe7\x09\x35\x2c\x09\xf3\x35\xb0\x20\xa9\x62\x05\xa2\x25\x65\x04\x6d\x2d\x0f\xc1\x45\x9c\xe5\x52\x9c\x04\x14\xbb\x7e\xaf\xc9\x27\x4f\x35\xd7\x9a\x27\xf8\xa1\xe6\xe1\x2e\x69\xf2\xfa\xa6\xe4\x18\x87\xbb\xcd\x29\xe4\xd8\x6a\xdf\x5e\x28\x11\x02\x4f\xa1\x4f\x60\x34\x6c\xdc\xe6\x1b\x42\x9d\x3f\x56\x4f\x8a\x6e\x08\x88\x7b\x34\x23\xb1\x90\x3c\x86\x40\xf6\x6c\x9e\xd8\x0b\xf3\x42\x9d\xfb\x2a\x5d\xd5\x48\x43\xb9\x20\xe0\xa6\xd2\x2a\x10\x84\xdb\x04\x67\x28\xaa\x1b\xc7\x80\x2a\xc4\x8f\x11\xe8\xf2\xe1\x10\x2a\x38\xc0\xf1\x82\xe9\x6d\x06\x54\xa4\xc9\xd8\x6d\x08\xfc\xa5\xae\xc1\x87\x75\xd7\x74\x81\x9a\x3e\xc8\x68\x41\x2b\x4c\xb3\x14\x0a\x26\xca\x55\x57\xc1\xd3\x58\x5b\x16\x08\x56\x51\xda\x34\x75\x4f\x4b\x73\xd1\xf3\xfa\x60\x3a\xee\xf7\xe4\xbc\x44\xd9\x46\xca\x27\x29\x43\xce\x98\xf5\x90\x8b\x03\x60\x1c\x04\x71\x44\x82\xfe\x8e\x53\x7e\x46\x76\xa9\x28\xc2\x29\xac\xa2\x23\xbf\x76\x82\x71\x1e\x92\xf5\x44\x2e\x36\xa5\xe3\x25\x59\x51\x32\xce\x57\xe1\x4e\x3b\x0f\x5b\xb4\xa7\x91\x63\xe9\x2e\x89\x6e\x5c\x96\x22\x62\x9c\xb7\x14\x1c\x3b\x51\xf4\xa4\x5c\x39\xe8\xff\x14\xa6\xba\xe0\x8a\xca\x3f\x7a\x19\xd6\xa1\x6c\xe2\x49\x11\xaf\x99\x22\x3e\x19\xb6\x67\xcb\x90\x44\xef\x50\x57\x7e\x0d\xca\x8a\x37\x19\x3b\x45\xe0\xe5\xb2\xf7\x87\x9b\xd7\x5b\x4e\x79\x0d\xf5\x02\x60\x72\xd7\x1f\x3a\xd4\x0d\xf0\x99\x3b\xe2\xcd\x9f\x3a\x7a\xfc\x4c\x1c\xc8\xbd\xaa\x78\x86\xfc\xf0\x7d\xce\x02\xce\x9f\xba\xeb\xd4\x22\xda\x94\x50\x84\x48\x06\x55\x40\xbd\x90\xb7\x93\x0c\x25\x0f\x3c\x97\xd5\x19\xbc\x4c\x6a\xb4\x6c\x75\xa3\x93\x25\x82\x5b\xb5\x05\xc0\xa2\x20\x72\xb9\xcf\x9a\xb2\x0b\x69\xc3\x10\x88\x8d\xb5\x5e\x94\xf2\x5f\x20\x72\x98\xcd\x4c\x0a\x38\xd0\x26\x02\xe9\x6d\x08\x2c\x8d\x06\x00\xa8\x92\xd1\x99\xc8\xf3\x06\x2d\x13\x6d\xb8\x38\xe7\x2e\x0d\x36\xf9\xe4\x52\xa6\x2a\x7f\xa0\x8b\xd9\xbe\x5d\x47\x6a\x93\x8c\x32\x8a\xdb\xed\xe6\x94\xb2\x57\xab\x53\x1d\xe6\x04\x76\x34\x24\xdc\x9c\x07\xa8\x4a\xf9\x68\xdc\xea\x27\xba\xf6\x56\x09\xa6\x52\x85\x4f\x28\xe9\x36\x93\xbd\xcc\x63\x2c\x4c\x98\x41\x59\x3a\xb4\x4b\xaa\x24\x84\x4e\x98\x46\x09\x96\xf4\x88\xb4\x77\xa4\x93\xf5\x4c\x7d\x2b\x55\x78\x0d\xe3\xb7\x75\xc2\x4a\x96\x23\x18\x88\xd4\x38\x30\xb0\x1b\x93\x77\x71\xde\x2b\x89\xab\xb6\x6c\xf6\xa5\x71\xa7\x64\x70\xd8\x2f\xb3\xa2\x05\xa2\x51\x73\xfd\xc8\xaa\x28\xc3\x23\x06\x8f\x22\x8f\x5b\x54\x8e\xf3\x3f\x8e\x07\xaf\xf0\x86\xaf\x5b\x41\x03\x54\xdd\x5f\xb6\x25\x30\xeb\xba\x0b\x0f\x2a\xd5\x02\xc5\x55\x23\x7d\x2a\xe3\xc9\x64\xdb\x06\x59\xec\xc4\x65\xd1\xe8\x89\xbc\x41\x61\xea\x19\x02\xfb\x63\x79\x62\x7a\x65\xaa\x79\xd1\x7b\x9c\x52\x58\x22\xec\xd4\x45\xef\x0a\xc4\xd5\xbb\xe8\x5d\x81\xdf\x75\x72\xbd\xff\xac\xc6\xee\x61\xd5\x77\xfc\xa7\xb3\x3b\x37\x35\xfa\x8d\x9a\x97\xd9\x3c\x2b\x0a\xc2\x59\xa8\x94\xfe\x64\x2f\xf1\x18\x7d\xd8\x1f\x6c\x0e\x02\x32\xb2\x59\x9c\xd0\x39\x9d\xd8\x1d\xdc\x40\x33\xa7\x73\xbd\x49\xd7\x44\xe0\x40\xba\x49\x95\xbf\x31\xa9\x92\x8c\x5a\xec\x85\x8c\xa6\xc1\x2f\xd8\x8d\x97\xd1\x89\x65\x78\x39\x38\x4e\x9f\x72\x23\x16\xe9\x22\x86\xb2\xa8\xa8\x09\x0c\xb8\xc3\x3e\xb1\xf7\x8c\xb1\xc9\x11\x86\xd3\x99\xe7\xf7\x73\x71\x7b\x9c\x08\xa7\xc2\xeb\x8b\xc6\x82\x67\xe9\x3b\x4e\x5d\xd7\x94\xc3\x75\x0e\x37\x94\x82\x83\x55\xee\xac\x6a\x7a\x30\xf2\xd5\x38\x8d\x4c\x01\xbc\x12\xab\x6c\x34\x2f\x7a\x0c\x8b\xad\x4a\x2d\xe8\xa2\x37\x51\x74\xc2\x1c\x0a\x4f\x3a\x44\x71\x7f\xed\x31\x2c\xd5\xf8\x5c\x66\x75\xd1\x5f\x08\x66\x6d\x48\x2b\xaa\x14\x8b\xe1\xcc\xca\x55\x8d\x73\xa2\x0a\x7b\xce\xb4\x5a\x30\xea\x79\x45\x03\xcf\x10\x03\x7b\x9b\x3f\x99\x99\x51\xfb\xdf\x16\xb0\x25\xf9\x83\xeb\x39\xa0\xa7\x5e\x72\x0d\xab\x8f\x58\xb0\x05\x5d\x57\x17\x07\x30\x9b\x84\x71\x17\xb0\x18\x3e\x7f\x75\xf0\x22\x6f\xd3\xdb\x15\x68\x06\xf2\xdd\x58\x08\x0d\x72\x6c\x34\x80\x48\xa0\xe3\x52\x19\x20\x37\xa4\xce\x47\x5c\x45\x12\x97\x4e\x79\xd5\xe5\x82\x4c\x3b\xce\x32\xfe\xfa\x55\xec\x53\x1e\xbb\x12\xf5\xb3\x33\x59\x24\x0a\xff\x57\xbc\xe0\xad\xde\x8c\xb9\xe0\xfa\xfb\x15\x1e\x0d\x61\x46\x76\xe1\x09\xf0\x13\x3a\xb5\x6f\xa5\x48\x79\xe9\x1a\x34\x8e\x6e\xda\x54\x26\x6e\x60\xab\xc5\x93\x28\xdd\x17\x3e\xd7\x38\xbc\x85\x0b\xea\x77\xc7\x19\x8b\xc2\x32\xa4\x7d\xf2\xb1\x71\x76\x62\x5b\xdf\xc4\xf2\xa0\x27\xa2\x91\x35\x89\x5f\x36\x5e\xc9\xef\xb7\x32\xdd\x28\xb1\x9c\xdc\xaa\x27\xf8\x75\x7c\x26\xe5\xe2\x42\x5c\x00\xfd\xd2\x6e\x4d\xc3\x5e\xd1\xc9\x4a\xcd\xaf\x0b\xba\xd0\x54\xb5\x4f\x09\x72\xc4\x7d\x7c\xaa\xd2\xd8\xc2\x5d\xb3\x7c\x72\x24\xe1\x54\x9f\xac\x02\x0c\xa2\x89\x5e\x1d\x68\x05\x87\xea\x7e\xbd\xac\xd7\xa7\xba\x5e\x93\x33\x49\xaf\x13\x4e\xf1\xb9\x94\x70\x69\xe9\x34\x1e\x6a\x67\xa0\x4f\x55\xdd\x5a\xb5\x31\x0c\x61\x98\x49\x07\xd8\xbf\x93\x7a\x15\xdc\xa0\x7c\x15\xd2\xaf\xca\x56\xaa\xc8\xfd\x9e\xae\x7b\x0c\x72\xbd\x6d\xd5\xb6\x80\xb5\x21\x42\xca\xca\x1e\x37\x76\x23\xe8\x8d\xc2\x8b\x53\x72\x3d\xda\xc8\xa5\x5e\x24\x36\x14\x89\x3a\xc9\x9a\x50\x73\x0f\xdc\x11\xed\xcd\xdb\x6b\xb2\x3f\xf2\xd8\x84\x0e\xd3\xf2\x3f\xbb\x93\x22\xd7\x0a\x50\x8f\xe2\x28\x61\xfe\x83\x9f\xf0\x16\x75\xb0\x57\x25\xa4\xb5\x1b\xa7\xe0\xce\xb7\x21\x23\x1f\xe9\x6d\xa5\xbf\x25\x8f\x60\x93\xf7\xbe\xc1\xbe\xef\x32\x90\xb8\x4e\x87\xab\x22\x51\xe5\x97\x82\xa3\x33\x94\x5b\x7b\x5f\x5f\xe4\x03\x48\x84\xa3\xc1\xc0\x09\xa1\x62\xf1\x80\x5d\xc9\x83\x48\x9e\xa7\xec\x67\x3c\x76\x2d\x75\x17\x70\x63\x80\x01\x43\xfd\x86\x79\xbb\xc8\xb0\xf5\x44\x25\xd8\x17\x20\x66\xe2\xee\xc3\x39\x47\x00\x2a\x22\x79\x8e\x61\x32\x6f\xd1\x05\x99\xa1\x3c\xf8\x6b\xbc\xe0\x7e\xcf\xfc\xd6\x31\x75\x1b\x20\x84\x92\x32\x49\x0b\x19\x6f\xda\xe3\xbb\x54\x94\xab\x55\xd8\x5b\x0a\xcf\x5d\x2c\xef\x06\xca\x25\x1a\xf2\xa9\x76\x53\x9c\xe2\xab\x40\xb3\x8e\x98\xfa\x3c\xa7\x5e\xf4\x73\x02\xaa\x02\x6f\x3b\xe0\x69\xca\x6d\xff\x3b\x8a\x00\x55\x36\x03\xc9\xc2\xda\x10\x8d\x7d\xb5\xbf\xf5\xf1\x09\xdb\x5c\x39\x12\x37\xfa\xf6\x24\xdb\x58\x02\xd4\xab\xd3\x71\x51\xfa\x6f\x98\x08\xa6\xdd\x4b\x6e\x30\x86\xb9\xa7\x7d\x81\x17\xbd\x7d\x71\x29\xba\xee\xd9\xf5\xbb\xfb\xe5\xb6\x34\x00\x72\x9f\xf3\xd8\x4d\x97\x43\xb6\x71\x81\xf0\x71\x3f\xe6\xad\xa8\xb6\x56\x34\x68\xa3\x02\x94\x83\xce\x3d\xfa\x60\x72\x7b\x78\x65\xbb\xc4\x2b\x2b\x19\x52\x8e\x7f\x3e\xf8\x3f\x56\xe0\xaf\x95\xcd\xa8\xad\x70\x42\x5b\x6e\x62\x37\x6e\x8e\x4f\xb9\x0d\x99\xef\xa1\xa4\xed\x06\x25\xad\xbf\x3d\x4a\xda\xa2\xbf\xa0\x51\xd2\xec\xa5\x30\x28\xd3\x95\xe2\x4c\x2e\xbf\x71\x71\xd4\x60\xf5\x18\xfb\x9d\xab\xd9\x93\x37\xaf\x76\x88\x4a\x34\x00\xde\x3f\x78\x75\xf0\xd7\x9e\x75\xa1\x7a\x90\xe7\xfd\x04\xd0\x5f\x7a\x3d\x1d\xcb\x08\xc5\xbe\x11\xb0\x37\xb4\x44\x0c\xd0\xc4\x68\x5f\xe5\x22\xc1\xd8\x55\xc4\x66\xb0\xbc\xdd\x73\x69\x2b\xeb\x22\xaf\x56\x28\xf9\xb9\x42\x99\x10\x92\x94\x74\x4c\x76\x88\x2d\x02\x26\x04\xa5\xa6\x98\x74\x23\xe0\xfa\xd4\xf8\x70\xf1\x7f\x61\xe0\x6a\xac\xa1\xc1\x99\xe4\x22\xbf\xbd\xfb\x4a\xf6\x55\xc6\xc6\xe5\x87\xfc\x2f\xb1\xe0\x53\xec\xce\xac\xd0\xe6\x2b\xa8\x25\xc0\xef\xeb\x87\x09\xc9\x50\x58\xfb\x5f\xa9\x66\x52\x0c\x83\x59\x85\x7e\x92\xef\xb4\xad\x22\x4c\x16\x6f\x9f\xe5\x47\x6f\xbc\xe1\x78\x93\x93\xa5\x4d\xea\x32\x52\xb9\x41\xf4\xd5\xf5\x38\xac\x54\x2e\x0d\x64\x2b\x81\x13\xae\x76\x6e\x71\xce\x6e\x15\xeb\x26\x40\xab\x27\xf8\xe1\xa6\x13\x89\x47\x05\x26\x9b\x9c\xb0\x29\x93\x81\x65\x2d\xd1\x83\x37\xa8\x5e\x2a\x28\x81\x71\xae\xfc\xfc\x64\x72\x02\xed\x8d\x3a\x40\xc5\x7a\xa9\x99\x26\x3b\x82\x86\xcf\x95\x13\x2b\x3c\x12\x98\xe9\x9a\x1b\x67\xaa\x24\x05\x58\x74\x81\x16\x2a\x0c\xf5\xaa\xf6\x90\x4d\x70\xab\x93\xa8\xa7\xe3\x90\x2d\xf3\x8e\x12\x15\x5a\xb1\x7c\xe8\xc4\x0d\x87\x80\x22\xe4\xbe\x95\xbc\x59\x36\x71\xe2\xd8\xb1\xa3\xfa\x62\xd1\x64\xb7\x51\x7d\xe4\x42\x20\xc6\x01\x78\xc6\x5d\xab\xfb\x66\xc4\xa7\x0a\x71\x82\xdd\xbb\x28\x8d\x59\x81\x6a\x5c\xc0\xfc\x54\xc9\x48\x09\xfa\x1d\x22\x98\xa1\xd2\xb4\x6a\x28\x14\x8c\x12\x26\x26\xbb\xcd\x91\xd9\xcd\x06\x1a\xfa\x06\x43\x72\x54\x09\x56\xe4\xa1\x08\x8c\x2b\x3c\x74\x68\x52\x99\x19\xc1\x42\x03\xc1\x4e\x84\xf5\x9b\x95\xc3\xf4\x4a\xe1\x85\x41\x3b\xcb\x9a\xab\x61\xde\x6c\x65\xdd\x00\x62\x0d\x82\x8d\x38\x89\x5a\x61\x1e\x05\xf5\xcd\x3e\xa4\xf1\x01\xc9\x20\x4f\xc9\x58\xea\x45\x12\x95\xe9\x03\xd7\x35\xe5\x27\xa0\x79\xa4\x1e\xfd\x58\xab\x13\xe6\x61\x4b\x92\xd0\xc1\xeb\x0e\xa2\x26\x15\xf6\x7a\x22\xcc\xe5\xfe\x89\xcb\x42\x24\x6d\x15\xad\x83\xfc\xe1\xe4\xfc\x12\xb5\x8d\x07\x34\x16\x09\x40\x7a\x56\x9d\x80\xfb\x4d\xfe\xec\xac\x2f\xe7\x4d\x12\x1e\xc2\x4d\x55\x7b\x67\x3e\x81\xfd\x84\x99\xbe\xe5\x16\x1e\x5c\x17\x4c\x61\x01\x01\xa0\x0f\x65\x58\x1e\x45\x23\xf0\x0a\xf9\xfc\xd3\xca\x0e\xdf\x08\x07\xb8\x47\xdb\x5c\xb1\x14\x5a\x3e\x27\x36\xde\xaa\xa3\x41\xa5\x59\x55\x76\x06\xd0\x3a\x2c\x54\x47\x84\x11\x6e\x33\x21\x79\x91\xe4\x7e\xb2\xc9\x26\x3f\xe2\x34\x6f\x46\xa8\xf3\xf8\x2e\xf3\x33\x65\x66\xbe\x04\x14\x8a\xae\x99\x49\x1d\x07\x6f\x56\x04\xe6\x72\x4a\xb1\x0b\x3d\xc5\x50\x63\xd6\x16\x5c\x4e\xb1\x71\xf9\x25\xff\x96\xcd\x85\xda\xca\x19\x75\xe7\xf2\xf2\x42\x75\x43\xb0\x5f\xbe\xda\x81\x04\x77\xde\x40\xb1\x85\x5e\xf1\x5f\x77\x75\x70\x7f\xcd\xe2\x26\x21\x6f\x49\x95\x5b\x07\xef\xe1\xb1\xa6\x52\xab\xb2\x0d\x1e\xa7\xab\x59\xbf\x02\x18\x54\x66\x58\xd6\xa9\x12\x85\x67\x71\xf9\x50\x1d\x42\x4d\x3e\x63\xb8\x17\x6d\x58\x2b\x85\xb0\xcc\xc0\x3c\x6a\xd2\x75\x94\x35\x20\x19\x34\xe0\x13\x90\x12\xd1\xcf\x93\xa2\xee\xc0\xf7\x29\x96\x51\xd7\x1b\x5a\xf0\xa5\xa5\xd3\x75\x9e\xb5\xa5\xac\x04\xbb\x11\xb9\x89\x8a\x95\x91\x6b\x29\xd7\x48\x94\x2d\xf7\xa8\xfb\x0f\x6c\x4f\xfe\xde\xc3\x0b\x7e\xec\x4a\xc4\xfe\xab\x84\x47\xff\x43\x05\x8f\xfe\xbb\xde\x16\xfa\xd5\xe6\x7c\x0a\xc0\xd2\xff\x03\x80\xa5\x2b\xa9\x53\xd9\xa4\x75\xbd\x02\x4b\x98\x78\xd4\x11\xc6\xff\xd4\xc0\xa4\x7f\xd1\xdb\xc2\x8f\xb4\xc5\x08\x11\x34\xfd\xa2\x67\x0a\xc1\x96\xa3\xaa\x7e\x3e\x86\xa3\x7c\xc8\x6b\x6d\xaf\xa4\x7d\x9f\x7f\xab\x56\xd2\xac\xd1\x56\x34\x33\x1a\xc1\x48\x95\xec\xcf\x0e\x54\xea\x7e\xa3\x65\x55\xc7\x90\x83\x39\xe9\xd7\x0f\x04\xdf\xe3\x5c\x71\xf5\x7b\x13\xde\x3e\xd2\x88\xf4\xb3\xfb\xd9\x6f\xdb\xdb\xec\x23\xbb\x34\x22\xbd\xd8\x6c\xb2\x47\xd7\x64\x64\xf1\x90\xbd\x53\x6b\xb7\xa7\xd6\xf7\x2b\xab\xd1\xd9\xc0\x3f\x3d\x44\x48\xb6\x99\xa8\xc9\xea\xec\xba\x6d\x7d\x01\x9a\x3e\xf7\xce\xc3\xdd\x58\x86\xce\x6d\xcf\x74\x8e\xf8\x87\x1a\x0e\x48\x3e\x57\x2c\x28\x08\x34\xcf\x71\xd8\x05\x63\x1f\xbd\x6a\x64\x91\xee\x8a\x33\xd0\x7f\xcb\x55\xc1\x3d\x95\x6b\xc6\x37\x2a\x52\x88\x72\xb7\x2b\x76\x97\x19\x4f\x44\xc9\x07\x59\x9f\xc7\xa0\xea\x96\x18\x39\x17\xc5\xed\x01\xa9\x1a\x14\x69\x4d\xdb\xca\x61\x4c\xef\xbd\x92\xbd\xd4\x63\xe3\x52\x5e\xf5\x5f\x10\x64\xf3\x4e\xd1\x20\x44\x53\xbd\x64\x2f\x47\xb6\x2e\x85\x69\xb1\x31\x4d\xbc\xb8\x21\xb5\xd1\x06\x19\xd9\xb1\x58\xf5\xf4\x93\xe0\x7f\xf6\x66\x78\x8d\xc7\x26\x74\x21\x6b\xff\x7e\x2f\x28\x74\x09\xef\x47\xa3\x47\xc3\xe5\xb3\xbf\xee\xb1\xc7\xa9\xcd\xa0\x78\xdc\xe7\xbd\xe0\xa3\xba\x82\x0a\xaf\xdc\x95\x4b\x81\x8a\x39\xb1\x36\xb5\x7c\x10\x75\x18\x21\x16\x69\x98\x0e\x1e\x71\xc2\x96\xe3\x86\x63\xbc\x35\x68\x90\xcd\x12\x4e\x55\xf0\x86\x15\xa5\xbc\x6e\x0f\xf4\x45\x1e\x1b\xeb\xc7\x91\xff\xfc\xa0\x7b\x6e\xee\xe4\xa3\xb3\xfc\xfd\xd8\x15\x42\x9f\xea\x1c\x25\x53\xc1\x13\x67\x16\xe6\xd4\x06\x1b\xea\x51\xc5\x13\x3f\x01\xaa\xfe\x42\x58\x76\xfc\x8f\x8f\x07\x1f\x1c\x9f\x6b\x13\xcd\x53\xea\x59\xc8\x7b\xb1\x40\x2a\xd2\x87\x0b\x54\x7f\x13\x61\x44\x17\xe5\xe4\xe5\x2a\x29\x8c\x50\xdc\x88\x57\x9a\xc3\x07\x10\x9c\x55\x12\xc5\xd3\x97\xce\xce\x4f\xdf\x91\x91\x99\x81\xe2\x14\x40\x68\xea\x02\x1e\x2e\xc4\x36\x62\xd6\x86\x94\x1a\x01\x0a\xa5\xd9\x0d\xd3\xb8\x2d\x8a\xb2\x49\xad\x89\xbc\xb8\xfb\xc8\x3d\xa3\x8b\xd8\x6a\xce\x6b\x51\x11\x0c\x46\xbf\x0b\x56\x1e\xe8\x52\x2f\x53\xd0\x73\x1b\xd0\xd9\x32\x3c\x4f\x01\x5e\xc8\xe9\x93\xf8\xbc\x38\xc1\x03\xaa\x29\xac\x3e\xfd\x03\x72\x2d\x5e\x18\xf0\xc9\x0d\x88\x95\x09\x52\xc8\xb2\x82\x0f\xea\x13\xd5\xae\x22\x66\x3e\x4c\x19\xc2\xf1\xda\x1a\xc0\x9c\x00\xd7\x97\x04\x38\x45\x29\x7b\x69\x66\x3d\x9c\x92\x3f\xd0\xd8\xd3\xaa\x1d\xb9\xfb\xc8\x3d\x01\x9f\x74\xc7\x85\xa5\x7b\xf9\x11\x8d\xd7\xdf\xcb\x22\x55\xb1\xb0\x18\xa4\x65\x78\x01\x21\x32\x00\x18\x19\x2c\x4d\x0a\xc0\x1c\x82\xf8\x36\x44\x92\x34\x94\x3d\x60\x23\x1c\x20\xa8\x0d\x4e\x25\x86\xb9\x29\x7b\xae\x91\x37\x6c\xb2\x7a\x93\x2a\x47\x08\x5e\xd7\x67\x38\x75\x07\xb7\xd8\x17\x8f\x82\xba\xf6\x0b\x13\xac\x39\x32\x0e\x40\x43\xd4\xcf\xea\x38\x06\x2a\xf3\xff\x2f\x07\x82\xbb\xb6\xb8\xbf\x55\xe1\x7f\x55\x45\x29\x37\xaf\x5b\x71\x12\xcd\x8b\xde\x01\xba\xe3\xca\xbb\xaf\x3a\xc0\x5e\xe7\xb1\xc7\x6b\x50\x09\xfa\x7a\xe1\xff\x80\xc2\xdf\x6b\x57\xca\x6b\x6b\xf8\x09\xd5\x1e\xc6\x75\x51\xc1\x0f\x55\xfb\xb6\x1b\xa7\x00\x89\xb4\x04\xa1\x87\xc5\x94\x5d\x3a\x71\x64\x07\x1d\xf4\xb5\xd7\xd4\x18\x33\x15\xf4\xfd\xff\xe5\x05\xcf\x5e\x74\x87\x4e\x02\xa4\xe9\x4d\xb6\x5a\x88\x7c\xdd\xc0\x8e\x6c\x36\x13\x07\x0b\x57\x73\x72\xa4\xb7\x59\x36\xc3\x9e\xb6\x83\x48\x8e\x11\x2b\x64\x15\xca\x7f\x04\x4a\xe0\xbf\xc9\x63\xdf\x02\xce\x14\x08\xaa\x10\x91\x5e\xa6\x1f\x52\xcb\xf4\xbc\x11\x75\xd5\x61\xf7\xc3\x56\x03\x2b\xa3\x53\x82\x40\x5f\x53\x8e\x8a\x2c\xe2\xa5\xe8\xf6\x12\x4b\x9b\xdc\xc9\x52\xbd\xca\x63\x3e\xce\xbd\x88\xee\x40\xcc\x23\x79\x30\xf4\xa1\x5f\xc7\x8f\x05\x2b\x67\x87\x6e\xca\x9d\x99\xc8\x33\x06\x83\x1e\xcd\x75\xfa\x2c\x20\xae\xe7\xa2\x85\xfe\x0d\xd5\xf8\x8e\x7a\xd3\x62\x57\x03\x31\xea\xf9\x59\x54\xf3\x73\x8b\x3b\x3f\x48\xb2\x9a\x84\x2f\x89\x3a\xbf\xe0\x31\xbd\x99\xfc\x4f\x7a\xea\x0b\xef\xf3\xd4\x57\x95\x8a\x5e\x1d\x08\x8e\xc3\xee\x04\x3e\x7f\xc9\x27\xb7\x3c\xb0\x93\x2c\x8c\x8a\x69\x0b\x3e\x6b\xda\xea\xbb\xb9\xfc\xa4\x8d\x4e\x58\x36\xe2\xa2\x11\x36\x46\xde\x77\x46\xf6\x07\x57\xb1\xeb\x76\x64\x93\xc0\xe2\x4e\xef\xbe\x2a\xf8\xbb\x9a\x7d\x65\x88\x41\xd9\xf5\x9d\xe8\xc1\xba\x39\x29\x75\xc8\x8b\x32\xfb\x4a\x81\x8d\x1c\x64\x31\x5e\xc2\x12\x3e\xee\x5c\xc4\x45\x83\xc0\x04\x1b\x70\x7b\x85\x83\x7e\x42\x8b\xe6\x46\xe5\xa9\x98\x6a\x85\xc3\xc6\x9d\xee\x1a\x18\x46\x0b\x0b\x8c\xda\x6e\x72\xca\x1a\x51\x40\x79\xee\x38\x49\xf7\xea\x84\xe4\x12\xb0\xba\x40\x58\x56\x25\x94\x60\x4c\xc5\x86\x71\x64\xe9\x50\x2e\xe5\x68\x0a\x69\x8a\xac\x74\x47\x95\xbe\xa1\xa1\x8d\x3a\x00\x13\x8f\xd8\x59\x38\x1d\x0e\x07\xff\xf0\x81\x3d\xfd\x7e\xcf\x2a\xbd\x67\x95\x7e\x58\xad\xd2\xdf\x50\x56\xe9\x3f\xf2\xd8\xcd\x97\x61\xb3\x05\x2e\x01\xa6\xe9\xb7\xec\xd8\x34\x3d\x8b\xd5\xca\x1e\x6d\xcb\x6d\x67\x7b\x23\xca\x29\x7f\xb6\x31\x6c\x8e\xe5\x3b\x36\xe6\xc2\xc8\x18\xfb\x7a\x8d\x1d\xb4\x66\xaf\x07\x00\x4f\x7a\xe6\xee\xcc\x8a\x72\x21\xcb\x4b\xa8\x78\xe5\xff\x72\x2d\x78\x9d\xe7\x5c\xd2\x6c\x2c\xe4\x88\x75\x90\xb5\xd1\xed\x6a\xe1\xe1\xe8\x44\x33\x8c\x25\x46\xff\x62\x8f\x80\xa4\xb2\x9c\xa4\x22\x08\x69\x6e\x72\x3e\x57\x1a\xe8\x80\x55\x0a\x7e\x90\x2b\x43\x78\x1a\x22\x55\x30\x02\xa4\x9e\x34\x2f\x7a\x63\xdd\x38\x95\xff\x86\x17\x1c\x1e\xfc\x6a\x8f\xcd\x32\x79\xd5\xbf\x59\x49\x03\x07\xbb\xa8\xf8\xd0\x16\xd7\x22\x15\xc2\x40\x43\xd0\x66\x11\xaf\x0b\x57\xb2\x38\xc5\xe4\x07\xfc\x5b\x55\x23\x53\xdd\x38\xb5\x42\x0f\x4d\x5c\xcb\xd6\xcd\xfc\xcd\x04\x3b\xb6\xa3\x7d\x37\xb3\x30\xa7\xe2\x8f\xc1\x76\xfe\xfe\x89\xe0\x3f\x79\x95\x8b\xae\xf9\xdc\xba\xa9\x4a\xf7\xa9\xa3\x16\x91\x6e\x86\x94\x51\x73\xe8\x39\xd0\x23\x3a\xee\xa9\x85\x64\x84\x95\xb2\x90\xc6\x08\xa8\xa2\x52\x0a\x3d\x2e\xb8\x36\x00\xc9\xb5\xb8\x0a\xde\xa3\x43\xee\xa2\x37\xe1\x72\x76\xb5\x34\x3f\xb2\x9f\x3d\xe0\x04\x6b\xbf\xd9\x0b\xee\xb4\x10\x36\xed\x64\x86\xd1\xdd\x36\x7d\xc1\xd4\x39\xab\x13\xb6\xee\x70\x1b\xfb\x3e\x76\xeb\x65\xf0\x3e\x6b\x46\xf7\x0e\xf2\xdd\x1e\xe4\xf7\x32\x87\x2a\xfc\xb3\xc1\x6d\xf6\x6f\xb5\x97\x86\x28\x0e\xa7\x6e\x04\xe5\xb7\x01\x65\x75\x4f\x52\x78\x58\xec\xf5\xcf\xda\xfe\xa8\x39\xe6\x1f\xd9\xde\x5e\x5f\x59\x27\xc6\x3e\x7d\x80\x3d\x71\x94\x9b\x45\x76\x0a\x18\xdb\xbb\x0f\x04\xdf\xa5\x7f\x55\x1c\x82\xeb\x62\x53\x6f\xe0\xdb\xf7\xef\x6d\xc9\xdd\x6e\xc9\x05\xe5\x3b\xbb\x23\xb8\xe6\xb4\x33\xe7\x36\xf7\xbc\x8e\x4d\xb2\xef\xdd\xde\x6f\x26\xdf\xdb\xdb\x83\xbb\x90\xd6\xff\xd5\x39\xb7\x1f\xf2\x9e\xb9\x3d\x57\x69\xfa\xf5\xc6\x28\xbf\x9f\xe2\x08\xd5\x42\xda\xff\xe0\xb1\x27\x8d\x4a\xe5\xcc\xa2\x45\xa8\xd8\x25\x8a\xe2\x8e\xb0\x14\xfe\xa7\xbd\xe0\x44\xf5\xa2\x2b\x52\x38\xf9\x34\x60\xff\x37\xd8\xb9\x17\xbd\xab\xf5\xdf\xcb\x83\x9e\x9b\x50\x5b\xb0\xfb\x98\x7b\xdb\x5f\x09\x96\x66\xed\x0b\x96\x07\x20\x34\xad\xaa\x48\xca\x5e\x16\x1d\xb4\x80\x7a\x71\x85\xc0\x60\x6f\xac\x80\xd5\x4a\xbf\x1f\xbb\x9a\x3d\xc7\x8c\x1b\x90\x37\xe4\xa4\x14\x0d\x13\x48\xaf\xa9\xc1\x79\x40\x4b\xf1\xb3\x90\x28\xa8\xb8\xf3\x52\x7f\x55\xed\xb8\xa5\x56\x98\x08\xff\xcf\xae\x0a\x9e\xbb\xf5\x23\x9a\xa3\xaa\x1c\x78\xf9\x59\x14\x80\xe1\x76\x61\x9e\x07\x91\xde\x6d\x4d\xf2\xf1\x6b\xa5\x60\xa9\x4c\x71\x0b\x61\xd9\xb9\xe8\xf9\xa8\xec\xd8\x17\x9d\xc9\xfe\xf4\x95\xec\xfe\x31\x36\xe2\x29\xff\x2f\x6a\xc1\x1f\xd4\x86\xaf\x3b\x7c\x1f\x20\x90\x7a\x21\xb8\x42\x8a\x38\xa2\xd0\xf6\x91\xa9\x97\x06\x78\x03\x11\x87\x61\x48\x2b\xd8\x7e\x53\x99\x03\x57\xa8\x1a\xab\x6e\xb7\x70\x02\x93\x81\x63\x72\x6d\x6d\x92\x22\xa9\x8e\x5d\x37\xb8\xa5\xf0\x32\x74\x15\xf3\x0c\x56\x9a\xf8\x95\x95\xe6\xe8\x12\x16\xf8\x94\xc9\x42\xa7\xf1\x90\x9f\xc1\x19\x0a\xc6\xdf\x0e\xf5\xda\x2d\xcd\xb8\x32\x0d\xeb\xb5\xe2\x2c\x18\xe8\x67\xca\x96\x55\x66\xfc\x90\x43\x7d\x5f\xd9\xc7\x1e\x9f\xd8\x49\x83\xb0\x02\x9f\xda\x17\xfc\xea\xbe\xa1\xcb\x8f\xc8\x02\xa8\x84\xc7\x47\x76\x01\x78\x06\x3f\x7a\xa2\xb5\x62\x9e\x27\x9b\x21\x04\x97\xc3\x26\xbd\x33\xcb\xe3\xe7\x4b\x4e\x92\x2c\x64\xd1\x0c\x81\x0c\x20\x3c\x88\x02\xb1\x83\x83\xc8\x42\x7e\x35\xd3\x60\xca\xdd\xd3\x99\x88\x2f\x4c\x42\x16\x01\x6f\x65\xdd\x5e\x22\x2e\x18\xf8\x4e\x04\xe5\x9c\x32\x15\x0d\x90\x7f\x85\x36\xf4\x09\xc6\x7c\xeb\x57\xe2\x54\x37\x0d\x90\x20\x97\x51\xab\xd9\x62\xd9\x61\x2f\x9e\xc6\xe5\x6a\x68\x19\xa2\x7a\xa1\x61\x9d\x53\x4f\x82\xc9\x68\xd8\xa4\xf5\xf0\x12\xb5\xa6\x84\xcb\x20\x6a\x10\x13\x2c\x5c\xbf\x6a\x2d\xf5\x21\xfe\xe4\x7f\xa6\x16\xfc\x46\xad\x7a\xf5\x61\xa6\xf0\x9e\x68\x3d\xe2\x0c\x06\x49\xfa\x61\x5a\x89\x4d\xa7\x5a\x21\x3f\xa7\x5c\xe4\x79\x96\xf3\x2c\xe5\x77\x9c\x5a\x76\x66\xf9\x65\xfb\xd9\xa1\x1d\x89\x32\xe8\x57\x9d\x0d\xfb\x85\xf0\x3f\x77\x45\x70\xc1\xfa\x6d\x80\xf0\xba\x8a\xb6\x55\x24\x4f\xb8\x0a\xb6\xfb\x94\x4b\xe1\x80\x5c\xb3\xed\x30\x4e\xfa\xb9\xb2\xc9\x40\x2e\x6d\x0b\x40\x50\x21\x51\xb7\xdb\x4f\xca\xb8\x97\x08\xec\x32\x26\xcd\x88\x14\x50\x27\x44\x0e\x86\x04\xeb\x34\xfa\xc4\x3e\xf6\x4b\x63\x6c\x1f\xec\x59\xff\xdd\x63\xc1\x5b\xc7\xcc\x9e\xaf\x58\x27\x94\x8b\xaf\x40\x48\x1b\xf2\x16\xc0\x47\x20\x9d\x2a\x0d\xbb\xc8\x20\xa4\x7c\x0a\x2b\xe6\x40\xed\x35\xf9\x19\x90\x73\x21\x83\x18\xb2\x5c\x00\xe4\x31\x2b\xca\x76\x7c\xc1\x50\x80\x3c\x67\x53\xac\x43\x60\x70\x23\x9a\x7c\x46\xd2\x09\x8e\xe5\xf9\x22\xcf\x1a\x10\x08\x00\x58\x90\xb7\x23\x7c\xab\x14\xa2\x29\x1f\xc5\xc0\x89\x65\x10\x22\x01\xeb\x87\x84\x96\xb5\xb1\xf3\x05\x8f\xfa\x20\x26\x11\xf8\x6b\x27\x84\x54\x89\xca\xd4\x35\xf9\x59\x82\xde\xac\x00\x3b\x51\x54\x44\x83\x72\x2b\xe4\x64\xd1\xa5\xcc\x05\xba\x55\x73\x27\xdf\x01\xcd\xe4\xee\x43\xf7\x34\xb7\x7b\x19\x93\x35\xb0\xc3\x22\x2d\xf3\x01\x80\x73\xc1\xeb\x81\x4d\x79\x3f\xc4\xf6\x77\x45\x51\x84\x6b\xc2\x2f\x83\xb5\x19\xde\xe9\x77\xc3\x14\x6a\xf3\x80\x97\x1a\x31\x3d\x7a\xb6\xb7\x13\x33\xbd\xe8\x07\x8c\xd1\xad\x14\x40\x30\x68\x06\x3b\x2a\x2c\x1a\x2a\xc2\x24\x87\x8c\x13\x87\xf4\x5f\xe5\xb1\x2b\x72\x11\x16\x59\x0a\xa1\x59\x33\x9c\xa8\xff\x92\xfb\xa0\x20\x39\x75\xbd\x2e\xe4\x69\xf6\xd6\x76\xf6\x84\xf2\xc4\x3b\xbd\x79\xf0\x5a\xf6\x6f\x47\xa2\x7f\xb7\x72\x51\xfa\xaf\xbe\x56\xaa\x10\x88\xcf\x82\x15\xe6\x08\xac\x05\xb0\x16\x90\xc5\x89\x1c\xa2\x79\x54\x35\x15\x49\x20\x65\x98\xf0\xd5\x41\x69\xaa\x10\x10\xf0\x15\xb1\x93\x93\xf2\x65\x9a\x3b\xe2\x56\x04\x0f\x16\xa6\xfc\x4c\x78\x01\x3f\xb8\x14\x3f\x5f\x60\x2b\xee\xe6\x7b\xe0\x9a\x3d\xfd\x72\xcf\x1b\xe4\x7a\x83\x3e\x59\x63\x0c\xc7\x27\x69\xcb\xff\x95\x5a\xf0\x96\x9a\xf9\xad\x10\x77\x08\x00\x46\xd2\x43\x9a\xa5\x0d\xc4\xa5\x74\x28\xba\x2a\x34\xcd\x51\x56\x1b\x16\x8f\x43\x34\x72\x80\x47\x6a\x40\x9c\x54\x9c\xf6\xfa\x2a\x3d\x4e\xb2\x60\x0d\xc8\xda\x12\x4d\x3e\x93\x58\x65\xea\x2d\x64\x61\x08\x18\x89\x78\x9c\x92\x24\x12\x99\xdd\x90\xa5\xd8\x7a\x1d\xd0\x37\x14\x94\x5a\x98\x0e\x0c\x5e\x8c\x32\x14\x01\xd4\x9e\x19\xa1\xa9\x42\x2b\xd6\x45\xce\xb3\x7e\x29\x7b\x06\x27\x1b\x95\xb0\x36\x14\x3c\xb3\x30\xd7\x7c\xb0\x02\xc3\x63\xed\x30\x76\x86\x00\xf4\x4f\x05\x37\x9c\x23\xcf\x41\x3b\x6c\xc5\x49\x0c\x2e\xb1\x5e\x9e\xad\xe5\x61\x17\x0a\xed\x18\x40\x37\x03\xe3\x04\x0b\x6f\x13\xdc\x9e\x7d\x6e\x97\xf6\xb9\xcf\xd4\xd8\x38\xee\x56\x39\x75\xb0\xdc\x8e\x05\xc3\x9e\x78\x7e\x2a\x6c\x75\x24\xd9\xa9\xea\x30\x10\xa6\x0a\x13\x96\xf4\x3a\x61\xda\xef\x8a\x3c\x6e\x99\xb4\xd4\xa2\xce\x0f\x36\x0e\xd6\xf9\xc1\x7b\x0f\x4a\xad\xe7\x60\xf3\x20\x91\x96\xd1\x2b\xe4\x4e\x30\x60\xe2\xd6\x5e\x29\x20\x35\xb0\x10\xc7\x8f\x81\xa4\x14\x81\xd7\x14\x51\x3a\x87\x78\x6f\x98\xaf\xc6\x65\x2e\xb7\xdb\x24\xc1\x45\x0e\x60\x0f\xe2\x0b\x53\xd8\x22\xf2\x6d\x79\x7c\x35\xf9\x49\x85\x5e\x27\xf7\xe4\x36\x55\x3c\x8e\x1d\x3f\x76\xc3\x93\x0a\xcc\x68\x6c\x1c\x7b\xd0\x7b\x02\x7b\xbc\x3f\x2e\x4f\x8e\x4d\x08\xfc\x6b\x1e\x9b\x88\xbb\x54\x13\xc9\xff\x82\x17\x7c\xc2\x9b\x53\x3f\xb1\x3e\x8e\x1d\x1f\x82\xd5\x96\xc9\x7f\x89\x18\x43\x25\xd4\x02\x53\xc9\xe4\x38\x27\xad\x2a\xbb\xe7\x93\xc0\x23\xe8\x88\x51\xac\x4a\x85\xbf\x40\x54\x79\x2c\xa2\xa9\xa6\x2e\x26\x6b\x7f\xd4\x48\x39\x95\xe7\x39\x15\x2b\x2c\xe3\xae\xd0\x25\x2b\x70\x93\xa6\x71\xe2\xa0\xae\x3d\xe4\xcd\x6f\x6f\x78\x7b\x8a\x3f\xb5\xbd\x39\x1f\x87\xc8\xd8\xd7\x26\xd8\x91\x51\xc2\x02\x62\xf1\x9c\x5d\xaa\x42\xd1\x10\xa6\xd7\x7b\x26\x82\x23\x56\x74\x60\xc8\xf5\x0b\xdc\xc0\xf7\x28\xbc\x1d\x8d\x96\xed\x1c\xfa\x7f\x75\x80\xfd\x86\xc7\xae\x68\x17\x60\x67\x7b\xbf\x17\x3c\xe0\x59\xa8\x3b\x00\xd9\x53\x66\x08\x8d\x67\xab\x40\xed\xca\x33\xc6\xc1\x49\x71\x4d\xe0\x9f\xce\x7a\x10\xdf\x96\xae\xa9\x8a\x39\xfc\xd4\x85\x26\x0f\xc4\x85\xf2\x58\x50\xe7\xc1\x85\x76\x21\xff\x97\x96\xed\x22\x68\xf2\x39\x93\xb3\x0f\xe2\x01\xa5\xbe\xae\x0a\x7a\x41\xd2\x8f\x95\x28\xef\xb0\xc2\xc7\x0e\x80\xef\x93\x1e\x9b\xc0\xcd\xbb\x28\xda\xfe\x87\x3d\x76\x68\x5b\x53\x7e\x15\x5a\xed\xe5\x24\x08\x2e\x8a\x76\x05\x2a\x51\x01\xf8\x21\x12\x99\x3c\x08\xb3\x55\xc9\x9e\xd4\xe6\x37\xcb\x3d\xb3\x30\xc7\x5b\xb9\x00\xa4\xc7\x30\x29\x46\x56\x52\x76\xca\xd0\x5a\xa5\x0d\xcb\x52\xca\xb7\x22\x6a\x4a\x09\xda\x86\x4b\x7a\x61\xd0\x1b\x86\x4b\xaa\x88\xf5\xe9\x30\x1a\xd5\xd9\x25\x22\xb9\x26\xa7\x89\x43\xc7\x31\x1c\xd2\xb0\x75\xfb\x69\x7c\x5f\x5f\x98\xd8\x70\xed\x57\x76\x16\xf5\xb3\x63\xec\x71\xa6\x37\x98\x73\xf1\xe1\xb1\xe0\x3d\x63\x77\xb9\x17\xab\x93\xd6\xca\x7a\xba\x4b\x44\xfb\xf4\x25\xdd\x41\x35\x3f\xe6\xcb\x6e\xf4\xb7\xce\x81\x5f\x00\x53\xb2\x79\xaa\x52\xae\x1a\x94\x15\x12\x82\x4a\xb7\x46\x14\x4c\x8c\xec\x0b\x45\xf8\x4b\x56\x13\x4b\xfd\x82\xa0\x0f\xec\xee\x60\x10\x66\xbc\xd6\x51\x15\x93\xd7\x72\x52\x52\x97\x44\xc9\xad\x35\xa0\x32\x8b\x29\xfd\x2d\x85\x99\x3c\x8e\x04\x05\xd8\xe0\xf2\x52\x89\xcc\x7e\x8e\x6f\x97\x19\x0f\xe8\x16\x6c\xa1\x41\xd6\xd7\xb0\x1a\xfd\x02\x44\x36\x9d\x5b\x32\x62\x9e\xe6\xcd\x4d\xe4\xd3\x58\x97\xa4\x97\x8b\x06\x88\x4e\xc3\x63\xd1\x18\xd8\x00\x38\xe7\xee\xd3\xff\xfe\x2d\xec\xbb\xed\x28\xa2\x2c\xc2\xb0\xe2\x7e\x2a\xd9\x2e\x86\x56\x7e\xfa\x5b\x82\x4f\x8d\xd9\x57\xac\xf0\x17\x1d\x55\x69\x02\xf1\x73\x7c\x72\x44\x75\x17\xac\xbf\x80\xc7\xae\xd3\x9e\x15\xb9\x61\xea\x7e\x3b\x16\x40\xab\x5d\xeb\xe1\xbc\x9f\x02\x14\x87\xc9\x0a\xe0\x2a\xb5\xa1\xe9\x7c\x41\x09\xa4\x54\xa8\xc4\x4d\xfa\x87\xda\x66\x52\xa6\xa5\x2a\x6a\x16\xda\x5f\x9d\x2a\x66\xe9\x20\xd1\x58\x53\xa1\x89\x0f\x95\x34\x96\x88\x72\x54\x79\x34\xc9\xe2\x13\x8d\xb2\x60\xf7\x08\xa8\xc7\x78\x64\x08\x9c\x24\xef\xa7\x9a\x97\xc0\x20\x20\xcb\x03\x0c\x16\x91\x28\xc3\x38\x29\xea\xbc\x10\x62\x47\x81\xb9\x66\x52\xa6\x69\xea\x30\x44\x75\xfa\xa2\xb7\x1f\xa4\x59\x91\x3b\x07\xcf\xcb\xae\xdd\x13\x60\x77\x2b\xc0\x7e\x76\x9c\xa9\xb9\xf5\x3f\x3a\x1e\xfc\xd2\xf8\x9d\xf8\xa3\xc2\x11\xc1\x02\x99\x80\x7a\xa6\xa8\x3a\x44\xb4\x0a\xab\x6e\xa7\x86\xf3\x9e\x5d\x9c\xab\x00\x3f\x5b\x58\xef\x19\x6a\x26\x02\xe3\xc9\xd4\x22\x60\x6c\x2e\x16\x60\x26\xcc\x72\x5b\x31\xd3\xe1\x4e\x2a\x61\x27\x8b\x04\xff\x5e\xf8\x90\xd3\x07\x0c\x4c\x03\x10\xf4\xa2\xdf\x05\x36\x4c\xd5\x8b\x69\x90\xd8\x9c\x95\xf9\x60\x17\x98\xc2\x65\xd2\x4f\x2a\xc1\x3a\xa4\xe3\x07\x0d\x8f\xf7\xf5\xe3\xf5\x30\x11\x69\xa5\x38\x55\x25\xbd\x29\x54\xcd\xf0\x56\x98\x24\x50\x24\xb9\x9f\xb6\x02\xde\x95\x2c\x5a\xc3\x9d\xea\x19\x93\x37\xf9\xd9\xd9\x39\x3d\xbb\x93\x8a\xb1\x96\xf1\xba\xe0\xa7\xe3\xb4\x7f\xc1\x62\x1a\x53\xce\x29\xa2\x18\x8b\x93\xbd\x64\x33\x16\x39\xab\x6a\x5d\xb5\x55\x47\x95\xe6\xab\xc3\x0c\x4a\x45\x82\xe6\xf6\xe4\xfc\x12\x3f\x8d\x10\x3a\x8b\xb7\xcf\x72\xac\xc3\x97\x5b\xc0\x9b\xba\x14\x92\x16\xd4\xf7\xa2\x7c\x1e\x26\x0b\xd0\xfb\x6d\x0b\xd0\xbb\x76\x6d\x01\x5a\x7b\xb4\x8c\x3c\x5f\xad\xb1\x03\x52\x94\xe8\x88\x30\xf2\x7f\xaf\xc6\xa6\x36\x0f\xfb\xa5\x03\xfb\x2c\x3d\x1d\x3c\x50\x53\x7f\x0e\x61\xbf\x29\x6a\x50\x2d\x0f\x41\xad\xa9\xd3\x07\x63\x03\x10\xb5\x0d\x5d\x24\xf6\xc9\xd5\x1c\x7d\x26\xb1\x9d\x81\x99\xb6\x3a\x22\xea\x27\x71\xba\xd6\x10\xeb\x31\xe8\xb1\xd3\xbd\x2c\x6a\xa8\x3e\x4d\x33\xb7\xb8\x6f\x2c\x55\x42\x50\x44\xc3\x1c\xad\x42\x87\x9b\x87\x6f\xb8\xd4\x82\xd5\x0b\x59\xa4\x67\x45\xd5\xa8\x66\x3f\x51\x63\xcc\x74\xc7\x7f\x79\x8d\x3d\x65\xdb\x69\x5e\xd2\xcf\x07\x5f\xf0\xcc\x0f\xb2\x18\xa3\xb0\xab\x2f\x62\x89\xc1\x10\xcb\xad\x67\xa4\x5d\x63\xdf\x80\x59\xab\xe9\x36\xb5\x51\x1d\xa1\x08\x18\x35\xb6\x46\x5a\x2f\x01\x5a\x87\xa5\x86\x19\x8e\x4b\x50\xaa\xad\x8f\xc6\x85\xd4\x8e\xeb\x23\xda\xb3\xd9\x38\x48\xbf\x8e\x8a\x28\x99\x3a\x7c\xa0\xf9\x90\x77\xcf\xf6\xca\xf4\x09\xff\x06\x03\xa0\x21\x27\xa7\x12\x6d\x6d\x7f\xb9\x1a\xd1\xf2\x4f\x1e\xfb\xae\x11\x5a\xd8\x7c\x16\x89\x19\x2c\x31\xe6\x7f\xd1\x0b\x6e\xb0\x7e\x1b\x2b\x90\x6d\xe6\x57\x50\xf5\xf2\xfb\x07\x0b\x5d\x9e\xec\xa2\x07\x46\xbd\x8b\xde\x7e\xba\xe2\x48\x39\x3f\xc4\xa6\x98\xba\xe1\x7f\x57\xf0\xf8\x65\x75\xfc\xa9\xd7\x6d\xfe\xb1\x48\xf6\xc1\xa7\x07\xb7\xcc\x5b\xcf\x80\x86\x5d\xe7\x59\x0a\x5a\xcd\x9d\x54\x82\xb5\xae\x6b\x74\xcd\x2d\x48\x71\x92\x4a\x0a\x25\x73\x0b\x4e\x9b\x3f\xc9\x76\x0e\xcd\x0e\xf1\x82\x7f\x39\x11\xcc\x6e\x7a\xd7\x8d\x1f\x1c\xf9\x18\x07\xcf\xd0\xe8\xa0\xc2\x07\xf7\x12\x76\x76\x2d\xf3\x7d\xd1\x53\x51\x85\x9f\xf1\x82\x97\x7a\x33\xa6\x38\xee\x90\xc5\x07\x20\x8a\x2f\xa3\x48\xe4\xe6\x08\xd0\xe6\x12\x5e\xc1\x2f\xd8\xd1\x8c\x27\xd8\x0d\x3b\xa8\xb2\x3f\x92\x72\xf6\x64\x8f\xbd\xe8\x46\x3b\xba\x31\xdc\xfe\x5c\xb8\xd5\xbf\xb9\x41\x47\xc0\xa6\x3c\xab\x72\x1e\xd8\x66\x58\xf6\xd6\x31\x27\xeb\x33\xec\xf5\x0a\x39\x11\x27\x43\xd1\xcd\xd2\x25\x51\x9e\x83\x25\x5e\x52\x59\xc9\x7f\x5b\x0b\xbe\x7f\x93\x7b\x9a\x52\xfb\x92\x59\x90\x5c\x4f\xb9\xa6\xa8\x84\xc1\xe3\x5c\x65\x38\x93\xbc\xa3\x5b\x73\xad\xb2\x2f\xab\xb1\x8c\x0e\x83\xb5\xe0\xdf\x2f\x13\x70\x7a\x04\x0f\x83\x3d\x1b\x5b\x03\x6a\x04\x0b\xe9\x62\x96\xc8\xf3\x18\xfb\x14\x00\x14\xe7\xd9\xf4\xa4\x48\x44\x29\x02\x6d\xcd\x96\x7d\x74\x1e\x74\x4e\x8a\x1f\xf7\xd8\xd5\xb9\x7d\xd7\xbf\x7f\x2b\x5c\x32\x35\x57\x4e\x83\x7a\x38\xc1\x29\xba\xae\xc6\x8d\x8a\x1e\xef\x85\x79\x28\x59\xd2\x02\x95\x69\x43\x6f\x1f\xd5\xb3\xbc\xa5\x3a\x8e\x26\xfb\xb3\x27\x8c\x3c\xbe\x66\x97\xe6\x36\x31\x89\xff\xe2\x13\x82\x45\xcb\x24\xae\xca\x84\xa8\x02\xcd\x56\xd1\x79\xbb\xac\xc2\xec\xd2\x9c\x62\x9a\x51\x1e\xaf\x8b\x9c\x4f\xde\x26\xe5\x40\x92\xde\xa6\x2e\x7a\x57\xe0\xf5\x8b\xde\x55\xf8\x1c\x6a\x64\xce\xa2\x7d\xd0\x67\x3f\x3f\xc6\xbe\xc3\x24\x18\x2f\x60\x41\x5d\x6d\xdd\xf5\x5f\x33\xb6\x03\xf3\xb0\x7e\x9c\xcc\xc3\x5f\xaa\xcd\x6e\xda\x22\x52\xdd\x10\x72\x3d\xd9\x8d\x89\x0d\x92\x34\x03\x66\x78\x91\x16\x31\x28\xa5\x15\x78\x9e\x9e\x14\xd9\xe8\x6d\x39\x19\x34\x0b\x40\xc3\x52\x27\x26\x14\x62\x79\x6b\xa8\x37\x64\xe3\x95\x07\xa6\xb9\x77\x2e\xed\x39\x77\xa5\x22\x5d\x38\x05\x49\x25\x9f\xa6\x78\x16\x73\xda\xaa\x6a\x95\x84\xd0\x41\x03\xb1\x4a\x05\x68\xec\xdc\x91\x63\x2c\x9c\x68\x1b\xf5\x50\x1d\xc4\x4d\xfc\x9b\x4a\xbb\x86\x45\x21\xa2\x26\xfb\x2f\x1e\x73\xd6\xd3\x7f\xbb\x17\xbc\xde\xbb\xcb\xba\xa2\xcc\xde\x64\xb2\x5e\x37\xf6\x6c\x8a\xc6\x32\x2e\x0f\x8b\x88\x7a\x49\x7f\x2d\x4e\xbf\x7a\xff\x9b\x0b\x3e\x0b\x66\x50\x9a\x05\x00\x05\x6d\xe3\xc4\x5a\xe6\xe9\x0c\xed\x8a\x45\x7f\xb5\x90\x47\x4d\x5a\xaa\xe9\x5a\x54\xa3\xae\xa0\x10\x29\x7f\xcd\x4b\xbc\x60\xfd\xb1\x71\xd7\x54\x2a\xf6\x7f\x8b\x14\x6a\x87\xe8\xfd\x9f\x6b\x97\x41\xef\xff\xb5\x36\x3f\xa2\xad\xc7\x82\xd2\xad\x7e\x58\x34\x2e\xaf\xfe\xef\x41\xdd\x6f\x1f\x63\xbe\x5c\x97\xa5\x32\x5c\x13\x66\x55\x5e\x79\x39\x5c\xe8\xf7\x60\x55\xdc\x96\x1e\xab\x35\x81\x5e\x54\x56\x64\xd4\xb5\x73\x69\x61\x5d\xfd\xe6\x5c\xa3\x8a\xe7\x52\x45\xf8\x9d\x00\xb3\x1f\x4a\xbc\xd6\x04\x6d\xc2\x7b\x09\x71\x5a\x1f\xf4\x9b\x39\x3e\x1d\xcf\xe5\x39\x76\x2d\xb2\x9f\x19\x1d\xd8\xe8\xcf\x04\x4f\x9e\x71\xca\x6c\x59\x4c\x4a\x76\x03\x3f\xba\x65\x90\xcb\x17\xc6\xd8\xbf\x35\x47\xe0\xa9\x0b\xbd\x30\x8d\x0c\xed\x7d\xe8\x72\x68\xef\xa5\x63\xb3\x9b\x35\xf8\xd8\x1e\x80\xd8\x19\x8b\xbe\x88\xbc\x00\x14\x03\x03\x43\x14\xf8\x16\xf8\x75\x28\xe3\x1a\x4c\x45\xb2\x37\xf8\xfe\xec\xd2\xdc\x5d\x54\x0e\xc8\x2e\x0f\xf5\x4d\x47\xaa\xcf\x66\x24\x04\xf9\x67\x83\xdb\x4e\xe2\xfc\xc4\xc3\xe9\xc3\x66\xe6\x94\xd3\x1a\x83\x29\xc9\x25\x3c\xf2\x48\xfb\xd2\x3e\x76\xdb\x36\x35\x45\x16\xf2\x38\xcb\xe3\x72\x70\x5a\x2a\x13\xb3\xb6\xdb\x40\x67\x06\xf9\x3f\xbe\x2f\x38\xbd\x83\xe7\x1c\x2b\x83\x49\x13\x92\x3a\x34\xbd\xcc\x13\xf9\xb6\x2b\x93\xbf\x7f\x9c\xad\x99\x10\xd7\xe7\x04\x67\x57\xe8\x6f\x2a\xa3\x52\x71\x8c\xd3\x4d\x05\xc3\x82\x95\x1b\xc0\x7e\x49\x41\xd4\x49\x58\x94\xbc\xcc\x43\x20\xc8\x4a\x75\xcd\x44\x47\xb2\xae\x06\xe7\x56\xf0\x4f\xfa\x0c\x0a\x22\x60\x0e\x6a\x6c\x64\x79\x54\x37\xba\x27\xc7\x07\xb5\xa5\x4a\x0f\xed\x60\xb1\xe5\xd7\xda\x1a\xa7\x57\x8e\x4a\xe5\x6a\x98\xe4\x7b\x42\xd8\x72\x9a\xd4\xaa\xc7\x32\x84\xd5\xdc\x2e\x99\x4d\x9d\x9f\x4b\xcf\xa7\xd9\x46\xba\xc9\x2a\xcf\x92\x4a\x73\x53\xd0\x5c\x91\x7f\xe8\x6f\xa8\xca\x50\x95\x2f\x8c\x6c\xe4\x3d\x1e\xf3\xe5\x60\x96\xf5\x58\x96\xe3\xae\xf0\xdf\xb4\x85\xae\xb2\x85\xca\x2b\xdf\x0d\x9e\xb3\x32\xdc\xa0\xee\x1b\x4e\x5c\xdc\x15\x15\x6a\x31\x73\xa9\x6a\x29\xc3\x1e\xc2\xd9\x02\x3f\x7d\x56\x76\x44\xde\x64\x6f\x1c\x67\x36\x93\x53\xe5\xee\x14\x5d\xdf\xa5\x78\x70\xd8\xea\x74\x45\x5a\x42\x7d\xc4\xaf\x8c\x05\x77\x8e\xba\xa1\x17\x85\x3c\x6a\x56\x1d\xfb\xea\xe3\xca\x6a\xd1\xbc\xe8\x1d\x08\xe1\xaa\xd4\x5e\xae\x40\x33\xc9\x45\xef\x80\x14\x0c\x86\x6a\x59\xfe\x45\x8d\xbd\xc9\x63\xfa\x79\xff\x95\x5e\xf0\xc2\x19\xfa\x61\x15\x69\xad\x6e\x79\x57\x75\x02\x5d\xeb\xcc\xb9\xa5\x65\xe5\x2b\x24\xa3\x1d\x9d\x51\x8a\x43\xea\x46\x6c\x39\xfa\x0e\x51\x2e\x80\xec\x2c\xbb\x36\x39\xe5\xac\xfc\x9d\x4c\x77\xda\xbf\x39\x98\xd6\xa6\x54\xed\x87\x73\x2b\xc4\x61\x68\x4b\x08\x95\x17\xca\xcc\x69\xe9\xc5\x1e\xa3\x89\xf0\x2f\x6c\x81\x7a\xb6\xed\x52\x41\x13\xc1\xf5\x54\xdb\xaf\xe2\x00\x51\xc7\x26\x18\xd0\x87\xba\xd4\x64\xff\x74\xad\x53\x8f\x20\x8a\x8b\x56\xb6\x2e\x89\xd4\x42\xc9\x5d\x4a\xe2\x96\xf0\x3f\x77\x6d\xf0\x65\xcf\xb9\xe4\xd4\x39\x45\xbd\x41\x03\x64\x98\x5a\x03\x95\x22\x85\xa1\xaa\x20\x80\x2e\x15\xe5\x6c\xa1\x8b\x14\xde\x4e\xe7\x8a\x4e\x3d\x70\x3f\x4b\x08\x99\x75\xca\x86\xc2\x35\x43\x34\x35\x55\xf0\x43\xb9\x28\x9f\x97\x41\xc8\x83\x3c\x5a\xf3\x2c\xea\x53\x70\x55\xbb\x0f\x87\xcb\x10\x1e\xf5\x95\x64\xeb\x5e\x06\x53\xfa\x84\xbe\xe5\x50\xe7\x9f\x5e\xcd\xfe\x5b\x8d\xd9\x8f\xfa\x7f\x52\x0b\x3e\x5f\xb3\x2e\x54\x6b\xcd\x12\x63\x51\x96\xf4\x56\x98\xe7\xb1\x95\x37\xe6\x8c\x0e\x23\x8b\xe9\x51\x15\x54\x1f\x17\xbc\x80\xa1\xab\x71\x95\x76\xb9\xf3\xea\x19\xad\x7d\xaa\x3c\x6c\x97\x22\xc7\x18\x18\xe0\x65\xcb\x4e\x85\x0f\xdb\xb2\x8f\x87\x6c\x4b\x57\xb5\xd1\xba\xd9\x09\x7e\x1d\x9f\x5b\x58\x3f\x76\x82\x2f\x3a\x55\x6d\xe5\x35\x4e\xae\x8a\x26\x3e\x73\x7c\xc4\x33\xc7\xed\x67\x6e\x7f\xe6\xc9\x79\xf7\x19\x7e\x3b\x54\x28\x7a\xa6\xae\x50\x74\x12\x8b\xb4\xc8\xed\xb5\x17\x66\xfc\x70\x5a\xec\xff\xd8\x63\x86\xa0\xfd\xcf\x79\xc1\xf3\xcc\x16\x75\xfc\x29\x64\x63\xb0\xee\xda\x14\x48\x21\xc8\x44\x8d\x56\xf2\x52\xc8\xbb\xe1\x05\x28\x98\x99\xb5\xf9\xe1\x43\x87\x0e\x6d\x02\xd0\x7d\x84\x1d\x62\xcd\x4d\x99\xdd\x48\xfe\xf3\x90\xf7\x24\xf6\x6f\x1c\x23\xac\xec\x6b\x03\x4e\xf1\x09\x7f\x7f\x58\x66\xdd\xb8\xc5\xf6\x0c\xf7\xbb\x30\xdc\x77\x2c\xbb\xfd\x73\x76\x1b\x32\xf0\xef\xb6\xc8\x19\x61\x3f\x33\xc6\xf6\x01\x62\x94\x7f\x71\x2c\x78\x4f\x0d\xc1\xa3\x5c\x7e\xa9\x28\x51\x15\x7b\xc2\x67\x10\xde\x08\xb8\x26\x54\xb4\xd1\x53\x3e\x8a\x3e\xc1\x51\x0c\xcc\x92\x6a\x27\x11\x55\xcb\xa3\x9e\x80\x05\xb1\x55\x95\x57\x85\x60\x4a\x96\x6c\x81\xa7\x79\x2e\x28\x4c\x51\x47\xcf\xc1\x6b\x1a\x9b\x10\x1d\xd2\xa6\xa0\x0e\x95\x93\x4a\xe3\x04\x6f\x11\x53\x70\xda\x0e\xa4\x6a\x03\xcd\x04\x3b\xde\x4d\xf4\x59\x7b\x23\x1d\x67\xc7\xd8\x91\x4b\xdb\x48\x0b\x59\xbe\xc3\xcd\x74\xc9\x05\x25\xcc\xf7\x2a\x4e\x71\xe7\x70\xab\x7a\xc5\xbf\x36\xe6\x20\x92\x55\x45\x9d\xe5\xec\xbc\x48\xc9\xac\xe0\x7f\x68\x2c\xb8\xd9\xbe\x60\x14\x48\x30\xe7\x8b\x92\xe2\xad\xb4\x80\xc1\x43\x2a\x2b\x5e\xca\xb7\x40\x02\xed\x47\x90\xbd\xe3\x9c\xe7\x5f\xa9\xb1\x4f\x78\xec\xf1\xe2\x42\x2f\x46\x0d\x8d\x20\x73\xfd\xff\xe2\x29\x0c\xd5\x9f\xf2\x4e\x55\xef\x6a\x40\xb9\xbe\xc1\x4e\x05\xbc\x6b\xa9\xb7\x91\x0c\x04\xdf\x85\x3c\x45\xbb\xdf\x80\x4a\x07\xb9\x47\x1d\x2a\x0d\x06\x07\xb9\x13\x17\x2d\x5b\x08\x86\xbe\x19\x8c\x6e\xcb\x81\x1e\x7b\xbd\x14\x9c\x69\x98\xfe\xcb\xbc\x60\x30\x43\x3f\x54\x87\xe5\x83\x29\x64\x3b\xa9\x1b\x3b\xec\xed\xa8\x34\x6b\xd5\x06\x4c\xbc\x24\x16\x6e\x80\x2a\x6c\xf6\xf2\x8d\xab\x47\x42\x31\xcf\x2d\x6d\xee\x42\x79\xdf\xd5\xc1\x7b\xbc\x2d\x1e\xa8\x14\xd9\x87\x27\x25\x15\x9e\x6f\xd2\xdf\xaa\xb8\xb1\x2e\x18\xb8\x4a\x75\xf7\x31\xd3\xcb\x58\xa4\x20\x23\xb6\xfa\x96\x0a\x36\xc9\x36\x52\x91\x17\x9d\xb8\x47\x4e\x1b\x94\x61\xd3\x88\x2f\x9d\xc2\x88\xba\x5c\x80\xe4\x19\xa7\x6b\xcd\x8b\xde\x55\x65\x98\xaf\x09\xd8\x67\x61\x72\xd1\x1b\x8b\xef\x4b\x2f\x7a\x63\x49\x3f\x75\x28\xee\x4b\x57\xb2\xbb\xd8\xe3\x5b\x9d\xb0\x37\xd3\x2f\x3b\x27\xd5\xce\xf1\x67\x82\xa3\x1b\x1d\x21\xb9\x8e\x89\x75\x81\x4e\xe9\x47\xf8\xec\x9d\x33\x0b\x3c\xec\x97\x1d\xc9\xd2\x51\xf1\x72\xcc\x69\xef\xaf\x69\xab\xfc\x83\xb5\xe0\xa7\x6a\x55\xb3\x7c\xc5\x98\x26\xb9\xdc\x20\xeb\xf3\x8d\x10\xb6\x89\x32\xd9\x2f\xc7\x3d\xb9\x71\x4d\xe8\x0e\xe6\xab\xb8\x4d\xc5\xc5\x25\x18\xf0\x29\x4d\xf8\xe1\xca\xba\xb8\xdc\x60\x02\x15\x41\x10\x17\xad\x22\x76\xc0\xf1\x3d\x76\x35\xb0\xd1\xb0\xcc\x72\xd0\xed\x3e\xe2\x05\xef\xf3\x10\xdc\x84\x56\x61\x4e\xdd\x47\xe9\x94\xcf\xb5\xb9\xf3\x8a\x1b\xbc\x8f\xd0\xec\xf2\x3b\x10\x13\xd3\x86\x14\x81\x58\x6a\x34\x61\x2a\xb2\x7e\x91\x0c\x10\x9b\x16\xdb\x8e\xf5\x33\x37\x23\x09\x01\xc3\x0f\x93\x5b\x4f\xdc\x6c\x39\x7b\x6e\xad\x86\xb5\xdb\x46\x16\xaa\xf9\xe6\xec\xbb\x43\x4c\x92\xa0\x3f\x15\x3c\x71\x19\x5b\xc5\xaf\x19\x71\x7b\x48\xce\x4e\xd9\x35\x6e\xa7\xfd\xe7\x04\x67\xd5\xf8\x55\x1f\x31\x0b\x40\x12\x06\xa4\x8d\x87\x29\xb5\x0b\xd6\x08\xd9\x71\xd7\x06\x7c\x90\xb8\xc6\x41\x3e\x59\xb6\x7a\xae\x3a\x7d\x8c\xc9\xed\xe1\x37\x14\xe2\xe2\xb7\x63\x4b\xd4\xdd\xd3\xfd\x94\xe0\x9a\x5d\x80\xc5\x5f\xf4\xd8\x7e\x9c\xa0\xc2\x7f\xc0\x0b\x5e\xe9\x39\x6f\xe1\xf6\xe3\xa7\x63\x54\xf4\x85\xba\x20\xcf\xfa\x18\xb6\x17\xe8\x26\x00\xc1\xdf\xbb\x57\x6a\x41\x27\x70\xb3\x29\x24\x6e\x3c\xd3\xc1\x72\x82\x86\x49\xc5\xf6\x26\xcb\x41\x2f\x6e\x41\x34\xfd\xf2\xec\x02\x89\x10\x37\x1c\x3f\x04\x1c\xe1\xe8\x91\xe3\x87\xa6\x9c\x23\xda\xb5\x4f\xb3\xf3\x96\x95\xfd\xde\xe0\x99\xbb\xcb\xff\x19\xb6\xb2\xbb\x86\xf5\xe7\xdb\x19\x41\xdd\xcb\xb0\x77\xdf\x08\xbc\x86\xd2\xdf\x24\x9d\xd1\x1a\xe3\x1c\x43\x30\xa2\xde\x10\x2e\x47\x62\x3f\xe3\x31\x87\x13\xfa\xaf\xf7\x82\x1f\x1e\xb5\x46\x8f\xc5\xf2\xd8\x91\x6e\x8f\x53\x4c\x78\x49\x14\xa0\x57\x3e\x2d\x38\x3c\x9a\x05\xd3\x03\xdb\x32\xe0\xaf\x4e\x8c\x2c\x91\xa5\x13\x58\x20\xba\xed\x57\x27\x82\xef\x75\xae\xb8\x1a\x98\xc9\x76\x19\x1d\xc0\xf6\x9f\xf6\x02\xd8\x76\xad\x0e\xff\xae\x0e\x60\xfb\xa4\x17\xbc\xda\x9b\x93\x7f\x6a\x63\x6b\x75\x1d\x94\xc5\x49\x65\xc2\x24\xc0\x59\x1e\xb9\xd2\x3a\x97\x5a\xce\x4a\x77\x74\x4f\x07\xde\x0b\x5e\xb3\x83\xd7\x76\x5a\xa0\x0b\x55\x35\x87\x25\x6d\x15\xb0\xf6\xce\x09\x1b\xde\xa7\x52\xf6\x76\x1e\x7f\x2d\x00\xea\xf3\x29\x53\xa6\xfd\xbf\x1d\x08\x3e\xeb\x6d\x72\x93\x30\x51\x56\x21\xbd\xae\x17\xe6\x65\xdc\xea\x27\x61\xae\x6c\xb4\xaa\xea\xb4\x8a\x9f\x22\x34\x24\x9e\xf5\x4b\x5d\x6b\x43\x95\x37\x86\xec\x36\xe7\x33\x52\x85\x39\x08\x65\x71\x14\x80\x19\x01\x99\x50\xab\x60\x26\x80\xd7\x11\x85\x9a\x8a\x7e\x03\xfa\x34\x99\x56\x95\xc0\x2b\xd5\xd2\x06\x78\xe5\x24\x2b\x38\xdc\xbc\xc1\xe1\xcb\xaf\xd9\xcf\xde\xab\xad\x1b\xef\x1c\x0b\xbe\x54\x53\x78\x9b\x91\x28\x4a\xa8\x65\x9d\x29\xbb\x03\xa4\xd1\xf6\xcb\xb5\x0c\xf6\x20\xf6\x84\xac\x01\x92\x2d\x69\xa3\x46\x42\xa7\x43\x2b\xeb\xae\x82\x85\x01\x93\x7a\x42\x9e\x64\x6b\xf2\xa8\xe3\x67\x17\x0d\x54\x8c\xb6\x00\xa3\x43\x36\xcb\x79\x37\x2e\x0a\x48\xd9\x37\x65\x93\x55\x21\x65\x6d\x85\xe0\x93\x6a\x26\xa8\x08\x7a\x99\xc7\xca\xaa\x2e\x1f\x98\x1a\xf1\x01\xe2\x0a\x2a\x83\x8b\xf0\xca\x54\xf1\x99\x2c\x15\x30\x0a\x5d\xc6\x59\x7d\x5b\x25\xa9\xd2\xf7\x74\xdc\x9d\xbd\x1a\xaa\x7b\x76\x63\x78\x10\x5b\xcc\xd7\xe6\x91\x37\xb3\x13\xec\x86\x1d\xd6\x64\x76\x08\x43\xca\x1d\xec\x4b\x63\xac\x56\x66\xfe\xe7\xc7\x82\x97\x8d\x8d\x58\xae\xd1\x2b\xa5\xa9\x4e\x7b\x20\x4c\x01\x93\x7e\x22\x75\x03\x3c\x4f\xec\x45\x04\xfb\xfa\xe6\xab\xa8\xd4\xa6\x2c\xdd\xc5\x7a\x3a\x1d\xdf\x62\x59\xad\xe7\x76\xb7\xba\xbb\x5d\x58\x43\xeb\x10\x35\xf1\x30\xae\xad\x10\x39\x7b\x8d\xc7\x8e\xdb\xc1\xa2\xfd\xb2\x93\xe5\x0a\x7a\x0b\x44\xde\xa4\xbd\xd4\xc7\x44\xf8\x7e\x22\x8a\x45\x21\x0f\x68\xf0\x7d\x2e\x3b\x3b\xfb\x76\x76\xd2\xae\xb9\xf7\xd4\xe0\x3a\x23\x1b\x94\x19\x17\xf2\x5c\x0d\x4b\x41\x35\xb9\xdb\x92\xc3\x8c\x74\x1b\x3f\x74\x80\xfd\xbb\x4d\xb2\x40\x40\x30\xfc\xfd\x03\xc1\x59\xf5\x43\x49\x23\x1b\x9d\x2c\x31\x32\x89\x5c\xe5\x79\xc8\x89\x41\x47\x17\x98\x37\x57\x05\x00\xc1\xac\xc5\x05\xa0\x99\x29\x94\x51\x48\x3c\x1e\x29\x41\xbe\x6d\xaf\xca\xea\x9e\x4c\x3c\x24\x13\xcf\x2b\x91\xf8\x54\x70\xb5\x62\x85\x90\x1e\x65\xef\xc8\x29\x76\x90\x7d\xcf\xf6\x12\x69\x16\xed\x09\xa3\xbb\xc2\x6a\x5f\xd8\x5e\x74\x6b\xf8\x4f\x19\x85\xaa\xac\x18\x48\xd5\xd8\xfe\xc6\x71\xf6\xe4\x11\x4b\x75\x3a\x6b\x85\x89\x63\x7a\xfd\xeb\xb1\xe0\x34\x5c\xb5\x6d\xac\x51\x9c\x8b\x56\x99\x0c\x1a\x3a\x9c\x41\x45\xb5\x03\xb7\xc1\x74\xb2\x36\x10\xc5\x60\x28\x6e\x7d\xbc\x57\x45\xfc\xfd\x91\x31\x76\xbf\xb1\x55\xfe\x83\x17\x7c\x63\x0b\xc4\x97\xb9\x92\x87\xbd\x5e\x12\x0b\xca\x7e\xdc\xd0\xc0\x18\x80\x62\x09\x48\x45\x49\xd6\x3a\xcf\x23\x81\x91\x05\x8f\x28\x44\xcc\x72\xa7\x6a\xad\x27\x38\xc0\x7e\x99\x35\x50\x20\xa0\x0f\xe3\x77\xb7\x40\x8c\x79\xb1\xc7\x60\x6a\xfc\xe7\x07\xdd\x65\x15\x98\x00\xd0\x9c\x43\xa1\xd9\x2a\xe9\x0f\x66\x83\x50\x83\x94\xb9\x84\x16\x27\xcb\x41\x46\xb0\xa7\x82\x4f\x46\x71\x71\xbe\x8e\x32\x75\x09\xa5\x3d\x9a\xcd\xa6\x6b\x06\xf9\xc3\xab\xd9\xd4\x8e\x8a\xea\x80\x18\xff\xde\xab\x83\xbf\xf6\xac\x0b\x43\x19\xb7\x70\x04\x76\xc3\x5e\x4f\x63\x3a\x00\xc0\x29\x02\x90\x86\x96\x85\x14\x66\x9e\xc6\x99\x8b\x04\xec\x99\xab\x61\xeb\xbc\x48\x23\xe5\xc2\x29\xe4\x66\x6c\x65\x5d\x00\x0d\x50\xbb\x56\x0a\x52\x08\x07\xa9\xce\x5d\x95\xb7\x0b\x2d\x82\x9c\x41\x92\x67\x9e\xf5\x09\x3d\x49\x7e\x44\x35\x5e\x4d\x01\x96\xf7\x34\x26\xb7\x35\xb4\xbb\xe4\xe2\xba\xe1\x77\xff\xf9\x4a\xf6\x55\xc6\xc6\xe5\x87\xfc\x2f\xb1\xe0\x53\xec\xce\xcc\x9c\xd4\x50\x20\x90\xdf\xa7\x8d\xab\x11\xc6\x32\xa8\x18\xa5\x50\x3b\x34\xe5\xeb\x75\xac\x79\xaa\x21\x39\x16\x6f\x9f\xe5\x47\x6f\xbc\xe1\x78\x93\xcf\x67\x14\xe6\x69\x22\x35\xe4\x62\x2a\x71\x54\x71\xb8\x40\xb6\x12\xe8\xea\x9c\xf2\xd2\xb9\xc5\x39\xbb\xd5\x38\xd5\xad\x9e\xe0\x87\x9b\x7c\x6e\xa1\xd0\xa0\x2b\x1a\x50\x76\x56\x87\x7c\x98\xe2\x6c\x7a\xf0\xc6\x79\x22\xf7\xdf\x80\x97\x19\xe3\x1c\x3e\x35\xb7\xa0\x01\xb2\x7a\xa2\xa5\x8b\x18\x86\x80\xf0\xa9\xaa\xe0\xb3\x23\x54\x4c\xee\xc4\x0a\x8f\x44\x12\x77\xe3\x12\xa3\x35\x49\x22\xed\x51\xf4\x8e\x40\xfc\x4b\x52\xbc\x2a\x3d\x64\x13\xdc\xea\xa4\xb6\x00\xe2\xd1\xac\x2a\xbb\x41\xd4\x8b\xf6\x21\x9c\xb8\xe1\x10\x50\x84\xe4\xd7\xf2\xb4\x95\x4d\x9c\x38\x76\xec\xa8\xbe\x58\x34\xd9\x6d\x54\x70\xa8\x40\xc7\x6b\xab\x03\x35\x8d\x68\x4c\xed\x3e\xa4\x4b\x6f\x42\x7c\x4a\xd5\x0c\xd7\xa4\x60\x5c\x1a\x36\x42\x80\x26\xa5\xa9\x29\x65\xc8\x48\x05\xc1\x76\x88\x60\x2c\x96\x50\xb7\xdf\x40\x9a\x45\x71\x5e\x89\xce\xab\x61\x21\x22\xc5\x04\xcc\x06\x1a\xfa\x06\x43\x72\x24\xee\x10\xf4\x72\xd1\x8a\x0b\x11\x90\xa8\x08\x7c\xd2\xa6\x49\x1b\x73\x18\x01\x68\x28\x42\x34\x2b\x87\xe9\x95\x4f\x8a\xe6\x5a\x93\x07\xed\x2c\x6b\xae\x86\x79\xb3\x95\x75\x03\xa8\x62\x1b\x6c\xc4\x49\xd4\x0a\xf3\x28\xa8\x6f\xf6\xa1\x5e\x2e\xda\xf1\x05\xe3\x1e\xa7\x8a\x7e\xea\x45\xc2\xb6\xa6\x0f\x5c\xd7\x94\x9f\x80\xe6\x91\x7a\xf4\x63\x1a\xd6\x8e\x1f\xbc\xee\x20\xaa\xed\x84\x6e\x8b\x00\xbb\x22\x69\x73\x72\xa9\x22\x7f\x38\x39\xbf\x44\x6d\xa3\xc8\x85\x0a\x08\xd2\xb3\xea\x04\xdc\x6f\xf2\x67\x67\x7d\x85\xf1\x46\x11\x03\x95\xde\x99\x4f\x60\x3f\x61\xa6\x6f\xb9\x85\x07\xd7\x05\x53\x28\xed\x03\x7d\x28\x07\xcd\x28\x1a\x81\x57\x48\xc9\x4a\x2b\x3b\x7c\x23\x1c\xe0\x1e\xc5\xdc\x6a\xd2\xc2\xe4\xf2\xd5\x89\x41\xa2\xd3\x5b\x0d\xc2\xa8\x5e\xa4\x66\x01\xad\xc3\x42\x75\x00\x94\x16\xd4\x46\xc9\x8b\x24\xf7\x93\x4d\x36\xf9\x11\xa7\x79\x33\x42\xad\xa6\x5f\xe6\x67\xa4\x06\xa4\xbe\x04\x14\xda\x6f\xb7\xe3\x0b\x7c\x32\x17\xdd\x4c\xe3\x00\xe1\x8a\xc0\x5c\x4e\x29\x76\xa1\xa7\x18\x94\x66\xfb\x4c\x7a\x3a\x1b\x97\x5f\xf2\x6f\x63\xdf\x77\x29\xd5\xdf\xee\x5c\x5e\x5e\xa8\xee\x0a\xf6\x62\xd7\x24\x9f\xaf\x86\x2d\xfd\xc2\x62\x96\xa0\xe6\xf5\x87\x07\x82\xd7\x7a\xea\x17\x4e\x4f\x2b\x4b\x12\xf4\xa9\xc9\xfe\xca\x7b\x05\x3f\x29\x0f\xbb\x56\x48\x00\x4f\xeb\x87\x9b\x87\x9f\x2a\xff\x68\x87\xeb\x19\x56\x14\x95\x8d\xbb\x7a\x26\x09\x8a\xeb\x87\xb9\x6a\x1e\x35\x00\xa0\x94\x34\xe3\x49\x96\xae\x89\x1c\x31\xe8\xa1\x3e\x29\x36\x7c\xe4\xc8\x68\xd5\xed\x63\x57\xb0\xb6\xa5\xb9\xfd\xfb\xdd\x29\x6e\x5b\x86\xea\xec\x29\x54\xbb\x54\xa8\x9e\xab\x14\xaa\x73\xc1\xb7\x6b\x0f\x83\xf1\xf3\x00\x49\xed\xdc\xda\x3f\x44\xb8\x7b\x0a\xd6\x6e\x14\xac\x64\x7b\x05\x6b\xce\xbf\x43\x2b\x58\x9b\xee\x6c\x03\xff\x41\xdb\xdb\xd5\xbb\xb0\x56\x23\x7b\xcd\x04\xfb\xde\x2d\x22\x9d\x66\x97\xe6\xb4\x11\xe8\x4f\x0f\x04\xd3\xd6\xef\x51\xcc\x88\x6e\x2b\xbf\xd4\x68\x4e\xf1\xbe\xbd\xe2\x59\xbb\xde\xc1\x1d\xb5\x83\xef\x0d\x9e\x18\x8f\xf2\x11\xd2\x4a\xd8\xbb\xf8\x18\x3b\xb2\x85\xbb\x7d\x93\x95\xdf\xdb\xcb\xbb\xf0\xdc\x7d\xd2\xb6\x65\xfe\xea\x2e\x6d\x99\x3f\x38\xda\x94\xf9\x68\x81\x9d\x3f\xe4\x45\xdb\x33\xa6\x19\xff\x69\xca\x69\x67\x71\x8a\x51\x8c\x47\xfb\xed\x14\xdd\x11\xd3\x62\x9f\x3e\xc0\x8e\x6e\x69\x1b\x47\xbb\xf8\x0c\xd4\x8a\xb1\x0c\xe3\x6f\x3c\x10\xbc\xc3\xdb\xe4\x26\x49\xfe\xc3\xf5\x0d\xb0\xe2\x8c\xc9\xbe\xe1\xa7\x2e\x84\x2d\xa8\xc9\x8e\x70\x42\xaa\x7c\xd4\x8c\xdd\x0b\x2b\x07\x14\x73\x69\xd3\xed\x1e\xeb\x9a\x62\x3e\x6e\x88\xe7\x15\xec\x41\x8f\x7d\x6b\x6a\xb5\x60\xb2\x4d\x5f\xe7\x6d\x91\x7c\x33\x34\x2d\xf3\xa3\xda\x08\xce\x8c\xbc\x6c\x79\x35\xab\x10\x4e\x21\xc0\x63\xeb\x8d\xeb\xce\x8f\xec\xac\x9f\x0f\xf7\xf4\xf5\x5b\xd5\x42\x1e\xea\xe9\x88\x6e\x2e\x6d\x37\x81\x5b\x75\x78\xb3\xce\xde\xca\xc6\xfa\x71\xe4\x3f\x35\xb8\xee\xdc\xdc\xc9\x11\x65\x5a\x2c\xb5\x02\x90\x38\x8a\x4a\x6c\xe8\xcf\x79\x6c\x5c\x5e\xf4\xdf\xe1\x05\x6f\xf0\xce\x15\x26\x9f\x13\x30\x4a\x07\x59\xff\xa0\xd4\xa9\xe9\xf5\x36\x95\xc6\x18\x64\x7d\x0d\x81\x18\xc8\x97\x02\xbe\xda\x2f\xc1\x70\x10\xdc\x21\x29\xbe\x08\x48\xad\x89\x0b\x0c\xbf\x2e\x45\xde\xcb\x05\x45\x7f\x06\xcf\x02\x57\x72\x9b\xc3\xf7\x36\x84\xb2\x39\xf0\xae\xe8\xae\x8a\x1c\x4f\xb9\x01\xee\x1d\x87\xd5\x7c\xdc\x63\xfb\xc4\x85\x32\x0f\xfd\x0f\x7b\xc1\x6b\xbd\x53\xf2\xcf\x6a\xc9\x1f\xd5\xf7\xe6\x5c\xda\xce\x9a\x77\x88\x12\x9e\x9a\x9c\x92\xbc\xa4\x93\x45\x86\xef\x5a\x71\x44\x50\x75\x64\x29\x4e\x5b\x06\x25\x04\xcb\x0f\xe8\x48\x5b\x5c\x31\x39\x3b\x25\x4f\x85\x88\x28\xe5\x58\x49\x05\x80\xab\xfe\xa0\xf7\x44\xf6\x1d\x9b\x47\xa0\xd9\x19\xd2\xf3\xec\x0a\x1c\x9d\x7f\x32\x98\xc4\x19\x73\xaa\xb3\x16\xa3\x66\x7e\x8b\xe0\xb6\x17\x8d\x8d\x04\x38\x83\x12\x7f\x4b\x22\x8f\x45\xe1\xff\x51\x2d\xb8\xcf\xfa\xad\x5c\x8b\x0e\xcd\x00\xb2\x0c\xdc\xd5\x65\x2a\xeb\x3c\x6e\x8a\xa6\x3c\xb2\xe0\xd0\x0b\x4b\xbe\x11\x16\xd3\x71\xc1\x3b\x52\xfb\x4f\x09\x75\xae\x8c\xd3\x3e\x84\x55\x02\xb9\x16\x59\x57\x20\x88\xba\xc3\x08\xbe\xec\xb1\x15\xb6\x0f\xa2\xc2\xfd\x67\xa9\x90\xc3\xdb\xe6\xfb\x6a\xcd\xb3\x16\x66\x40\xb5\xec\xc4\x2b\xec\x4e\xbf\x67\x44\x18\xd4\x7e\xf3\x72\x55\x84\x98\x95\xe9\x04\x27\x5e\x60\xd7\xca\x47\xce\xae\xa2\x3e\x07\x89\xa1\xd1\xe6\x3b\x77\x8b\x33\xe9\x4c\xdc\xca\x33\x48\x0e\x7d\xb2\xfc\x57\x71\x53\xe8\x80\xe9\x2a\xcf\xe8\x4b\xec\xf3\xae\x25\x77\x44\x79\x40\x52\x8e\x81\x93\xff\xcc\xd5\xc1\x4d\xd6\x6f\x6b\xf3\xdb\xe6\x28\xbd\x11\x37\xe2\x02\x2c\x02\x19\x56\xab\x70\x27\xf6\x8b\x57\xb1\x5f\xae\xb1\xfd\x64\x61\xf5\xdf\x53\x63\x27\x36\xe5\x54\x9b\x77\xeb\x36\x7c\x3d\xf8\x5b\x6f\xc6\x00\x49\x93\xd1\xb6\x15\xf6\x10\x6d\xb5\x4d\xc6\x61\xc7\x2c\x47\xa8\xd0\xe9\x41\x15\xc9\x21\x77\x2f\xba\xe2\x67\x6c\x7f\x73\xd6\xe6\x07\xa9\x45\xac\x88\x00\xe6\xea\x83\xe6\xe4\x30\x21\xc6\xa3\xf3\xde\xc1\xd0\x9f\x24\xd9\x06\xae\x44\x16\x46\xab\x61\x12\xa6\x2d\x91\x73\x83\x37\x20\x5b\xa6\xfe\xcb\x5e\x82\x93\x1f\x6a\x29\x12\xc3\x0a\xf9\x5a\x92\xad\x86\x3a\x9c\xbe\xc9\xde\xb7\x8f\x5d\x1b\x5b\xc5\xda\x21\x04\xf9\x6d\xfb\x82\x1f\xdb\x37\x57\xb9\x3a\x2a\xd9\xdd\x7e\x46\x23\x3a\x6b\xa4\x7d\x30\xa2\x59\x36\x6f\xe7\x69\xa5\x02\x18\xe0\x69\x1a\x02\x98\x27\x4c\xda\x66\x69\x81\x69\xd2\xdc\xe4\xa2\x97\x10\x24\xb7\xe0\x91\x31\x8c\xac\xb8\x51\x70\x34\xac\x26\xc0\xf3\xae\x70\x90\x20\x29\xce\xe1\xf6\x2c\x87\xf5\xdd\x08\xf3\x08\x42\x5c\x7a\x61\x19\xaf\xc6\x49\x5c\x0e\xea\xca\xc9\x03\x05\x11\x74\x25\x2c\xd8\x8f\x25\x24\xd4\xa8\x25\xa3\x7a\x66\xb9\x68\x89\x08\xb7\xc3\xba\x16\x70\xe5\xea\xe1\xf8\xad\x91\x49\x29\x58\x74\x63\xc9\xed\x37\xc2\x1c\xf8\x07\x19\xb7\x0c\x4a\x82\xf5\x49\x30\x07\x46\x71\x1b\xe2\x62\x4b\xad\x8d\xcc\x39\xe0\xc4\x06\x85\x78\x66\x61\x4e\x69\x43\xf1\x5a\x2a\x65\x46\x9a\x6f\x61\x8a\xbc\x29\x08\x71\x8b\xda\x66\x52\x77\x5d\xf4\x69\xab\x52\x61\xc3\xfc\x3c\x1e\x5d\x44\x33\xca\xd8\x4a\xc6\x5e\x05\xf6\x55\x88\x12\x44\x30\xdb\x3d\xa5\x63\x53\x68\x3e\x34\x94\xa9\xc5\x78\xeb\x2e\x24\x90\x4b\x23\x59\xab\xaf\x47\xda\xac\xc2\x00\xc2\x0e\xf2\x3f\xe3\x05\x2f\xb1\x60\x00\xc1\x42\x88\xae\x20\x0b\x86\x0c\x50\x10\x1c\xfb\x38\x9c\xe5\x8e\x29\x3c\xcb\x79\x9a\x39\x91\x2d\x75\xc7\x16\x0e\x14\x90\xea\x73\xb1\xc2\x26\x9c\x13\xea\x26\x76\xe3\x16\xd0\x61\x9b\xb3\xa1\xc5\x7e\x22\xd8\xcb\xc6\xd8\x58\x99\x14\xfe\xff\xac\x05\xef\xab\x2d\x9f\x5e\xaa\x82\x44\xbb\x2e\x09\xc5\x2d\xc1\xb6\x4c\x3e\xc6\xc2\x18\x99\xe5\xfb\xf2\x52\x9d\x1f\x3b\x76\x14\xc6\xac\x53\x9b\x51\xe0\x30\xf4\x03\x33\xa8\x18\x85\x21\x3b\x39\xa1\x05\x48\x34\x03\x63\x63\xa6\x36\x2e\x58\xce\x01\x30\xb7\x67\x79\x09\xc9\x4f\x79\x44\xb0\xff\xca\xf1\x80\xe5\x00\xac\x02\x03\x79\xd6\x5f\x43\x07\xd8\xd2\xfc\x1c\x74\x53\x4f\x4b\x5d\xed\x0a\xda\xc0\xf6\x16\x6a\xf7\x93\x76\x8c\xc8\x6a\xf6\x13\x7a\xe0\x4b\xf3\x73\xcd\x9d\xe3\x31\x6e\xbe\x12\xcb\xa7\x97\xd8\x03\x13\x0e\x3a\xde\x16\x31\x3f\x60\x3d\xf9\x7f\x0f\x04\xd7\x0f\x5d\xad\xc4\x57\xdb\xb7\xb7\xb6\xa1\xfc\xfa\x9e\x0d\x65\xd7\x36\x94\x5c\xd9\x50\xe2\x20\x18\x61\x05\x55\x53\x45\xcb\x60\x93\xcd\x0d\xec\x38\x3b\x76\x39\xd1\x5f\x7b\xd6\x94\x5d\x58\x53\x3e\x65\x5b\x53\x7e\x6d\x97\xd6\x94\x1f\x7a\x8c\x02\xc3\x8c\x39\xa5\xb3\xbd\x39\xe5\x94\x3f\x6b\x80\x9d\x0d\x55\x55\xec\xbb\x43\x5c\xa5\x1a\x60\xf3\x79\x8f\xdd\x72\xb9\xd5\xbb\x9b\x4f\x5f\x3a\x3b\xef\xbf\xce\x0b\x7e\xd4\x83\x32\xa1\x4e\x76\xe3\x00\x53\x4b\xb1\x80\xe8\x3a\xba\x93\x97\xc1\x75\x6d\xa0\x1b\x2c\xc0\x86\xd5\x2c\x4b\xea\x1c\x52\x57\xeb\xbc\x9d\x64\x21\xfc\xa1\x8a\x77\xdd\x7d\x8f\x4e\x36\xfb\x81\x17\xd6\x79\x37\xec\xdd\x8d\xb7\xec\xeb\xc0\x4c\xd2\x38\x69\xb2\xf7\x5f\x61\x17\x85\xda\x6a\xc9\xed\x12\xd1\xfe\xff\xdc\x17\x7c\x4a\xca\x03\x95\xaa\xc5\xb0\xf1\xe1\xda\x7d\x7d\x91\x0f\x50\x56\x0b\x55\x9c\xb7\x66\x1f\x28\xb3\xe5\xa2\x90\x47\x7b\xd6\x46\x49\x00\x3e\x50\x18\x57\xee\xa9\x0b\x72\x8a\x60\x02\x61\x06\x66\xe6\x4f\x92\x24\x85\xe1\xb2\x95\x6f\xdb\x71\xb2\x8a\xd9\xf0\x19\x9e\xf6\x93\x64\xb3\x47\xd3\xcc\x62\x4b\xd6\xa9\xf0\xcf\x63\xec\xff\xf2\xd8\xb5\xd5\x5e\xf8\xef\xf3\x82\xbb\x86\xba\xe6\x30\xbb\xca\x87\xec\x92\x08\x6a\xcc\xe6\x8a\x35\x2a\x9b\x2b\x9e\x65\x67\xd8\x33\x2e\x67\x4f\xda\x0b\xb4\x68\xbe\xc3\x7e\xbe\xc6\xae\xb4\x66\xd8\x7f\x4b\x2d\xf8\x5f\x9e\x3d\xe5\x30\x84\x6e\xd8\x93\x23\xf8\x81\xf3\x62\x50\x07\x1a\x7c\x21\xef\x85\x71\x0e\x93\x48\x62\x8e\x7d\x8f\x3c\xdc\x76\x33\xb2\x05\xf4\x4a\xab\xf2\x17\x80\x50\xc4\x05\xe9\x18\x6a\xa1\xad\xd9\x93\x52\x6e\x56\x08\x28\x79\xa7\x75\xb1\xe0\xbc\x18\xa0\x75\x87\x02\xb7\x90\xb2\x82\xb9\x34\xc0\x53\xb0\xec\x58\x95\x3f\xf2\x70\x60\x82\x98\x41\x3e\x0b\xe0\x5e\xb0\xe5\x84\x6f\x01\x2e\xf7\x90\x17\xb0\x6f\x75\x58\x4a\x37\xec\x0d\xa1\x51\xbc\x72\xdc\x71\xf8\x28\x7b\x88\xb2\xc0\x3d\xb3\x9f\x95\x21\x96\x2e\xf6\xff\x78\x2c\xb8\x7d\xc4\x75\x47\xb4\x10\x29\xe4\x06\x46\xbc\x83\xbc\x14\x4e\x13\x39\x56\xa5\xfc\x4b\x39\xbb\x59\x0d\xb1\xfb\x13\x8f\x8d\xcb\x17\xfc\x2f\x78\xc1\xcb\xbd\x3b\xe5\xab\x0a\xbb\x49\xa1\xdf\x8c\x68\x56\xea\x0b\x00\xb1\x80\xd5\x8b\x8d\xda\x77\x89\x19\x4f\x3d\xe0\x94\xd3\xba\x80\xf8\x7d\x72\x6c\xc5\xf4\x83\xde\xd3\xd8\x2d\x97\x70\xaa\x34\x75\x07\x9e\xd9\x0f\xd3\x32\x2e\x07\xb6\x1d\xeb\x1d\x68\x3e\x8c\xfc\x37\x7b\xc1\xd3\xa1\xa0\x25\x8d\x50\x95\x1b\xd6\x13\x84\x85\x6b\xfb\x80\x87\x56\x2d\xe3\x4c\xd4\x6a\x4a\x80\x3d\xbc\x9d\xfc\x7d\x17\xe1\x59\x11\xc3\xb3\x04\x54\xdb\x8a\x16\xb2\x68\x86\x42\x27\x97\x45\xde\xf5\x7f\x6e\x2c\x58\x87\xc8\x17\xb8\x5f\xa8\xb8\x6f\xea\xb4\x0a\x2d\xd9\xe4\x6d\x55\xbe\x19\x8a\xd4\x44\x91\x88\x78\x4f\xe4\x0d\xc4\xa8\xca\x78\x3b\xa6\xfd\xd1\x95\x1a\x5a\x0f\x94\xbe\x5c\x44\x10\x5a\x38\x59\x4c\x5d\xf4\xae\xc0\x8f\x5e\xf4\x1e\xd7\x73\xdb\x75\x68\xeb\x15\x35\xd6\x67\xf4\xa8\x7f\x5e\x59\xd2\xee\xc2\x0b\x43\x01\x76\x3a\xb8\x0e\x53\x95\x95\xb1\x54\x5e\xa9\x7c\xa4\xae\x56\x22\x87\x70\xac\xc3\x8d\xc3\x87\x0e\xb9\xa9\xbf\xaf\xf5\x58\xb5\x67\xfe\x0b\x76\x90\xde\x5a\x99\xa5\xe0\x4e\x1d\xa0\xcf\x67\xa0\xf4\x87\x0e\x5e\x2d\xa1\x1f\xa3\x82\x04\xdd\xae\xe3\x60\x9b\xec\x43\xd7\xb2\xc3\xdb\xc0\x06\xaa\xdd\x8d\xb2\x03\xc4\x51\xbe\xe4\xda\xe0\xa7\xc7\x86\xaf\x23\xaf\xed\xe5\x02\xd1\x42\xd0\x00\xa2\xce\x23\xb0\x6a\x6a\x9a\x55\xb2\x64\x5d\x9b\x68\x2d\x53\xfb\xc1\x42\xca\x26\xab\x9a\x1d\x52\xda\xae\xd9\xcb\x33\x7c\xc4\xc7\xf5\x19\x39\xf4\x15\xa9\x0c\x02\xbb\xc1\xcc\x8e\x13\x7c\x32\x9c\x72\x53\x39\x8c\xe5\x5c\x7e\xb8\xb0\x42\x88\x74\x23\x75\x3e\xb9\xba\xe9\x5b\x61\x2f\x26\x33\xf4\xe8\x37\x5b\x9b\xbe\xa9\xc5\x86\xd1\x6f\xca\x6e\x4f\x46\x53\x23\x5f\xb5\xaa\xce\x8d\x78\x57\xea\x84\x30\x98\x8b\xde\x84\xee\xde\x45\x6f\xc2\x55\x73\x74\x6c\xe8\x55\xec\x7d\x35\x76\x15\xd9\xdf\x96\x5a\x59\x4f\xf8\xff\xb1\x16\xbc\xa1\xb6\x62\x5f\x5a\xb1\x90\x60\x54\xaa\x71\x99\x91\xd5\xb2\x6a\xcf\xb4\x8a\x27\x0e\xec\x0a\x85\x7c\x52\x65\x7f\xf4\x7a\x22\xd5\x79\xd3\x2a\x90\xd2\x65\x6d\x18\x6e\xa9\xdf\x8d\x38\x61\x06\xa8\x95\x45\xd2\x40\xc1\xc8\xcc\xc7\xa8\xbc\xa0\xac\x1b\x97\x25\x36\x80\xb8\xae\x3a\x6e\x6c\xc5\xbc\xb8\x62\xd7\xfe\x56\x26\x7e\xf4\x77\x91\x5c\x86\xd6\x63\x2b\x69\xfa\x1f\xc7\x18\x33\x0d\xf8\x7f\x3e\x16\xbc\x6b\xcc\x69\xd1\x91\xa1\x88\x94\xd3\x4a\x4d\x40\x95\xe1\xa4\x57\xb2\xc9\xf9\x8c\x19\x24\x00\xe0\x69\x98\xa1\x70\xa8\x15\x37\x3c\x30\x6e\xab\x39\x95\x74\x6e\x0c\x33\x56\x65\xde\xb0\x1c\x6e\x23\xcb\x81\xc2\x47\x3c\x1f\x5c\x17\x34\xb9\x0a\xed\x0d\x4b\xf9\xdb\xec\xb6\x74\x60\x19\x65\x4c\x6b\xab\x7d\x49\x03\x02\xd7\x8f\xcc\xda\xee\x80\xee\xd5\xb7\x89\x48\xee\x75\xa9\xa4\x10\x48\x0c\x15\x0a\x34\x25\xad\x65\x2b\x53\x64\xcf\x45\x05\xcd\x42\x74\xad\x43\x0f\xd4\x7c\x54\xa9\xb8\x80\x5a\xb6\x5b\xb8\x84\x1e\xf2\xf8\xa6\x48\x43\x57\xf8\xe3\x85\x28\x19\xfb\x74\x8d\x99\xdd\xe4\xff\xba\x14\x3c\x57\xf4\xef\xca\xba\xeb\x53\xc4\xec\xf7\xc9\xb8\x29\x9a\x75\x53\x88\x0c\xf6\x7a\x2f\xe9\xe7\x61\x32\x05\x6c\x1b\x8c\x58\x91\x28\x24\xa3\xaf\x4b\x2d\xdc\x30\x40\xb7\xd8\xda\xdd\x3c\x50\x31\xe7\x10\xea\x9f\x45\xa2\x98\x46\x1c\xcd\x80\xdf\xa3\x8a\x6c\xea\x29\x22\xbd\x1d\xa6\xa9\xe9\x2e\x66\x92\x58\x1d\x0c\xd3\x08\xba\x40\xca\x5c\xdd\x01\xf0\x83\x99\x15\x69\x99\x0f\x9c\x74\xb1\xdd\xcc\xe7\x6f\x79\x0c\x39\x96\xff\x11\x2f\x78\xb1\xb7\x02\x7f\x6f\x36\x8f\xc8\xa7\x95\xd9\x68\xeb\x21\xe9\x67\x1f\xd5\xe1\xfc\x91\xc7\x0c\xe3\xf5\x3f\xeb\x05\xaf\xf3\x56\xf4\xef\xcd\x86\x35\xb3\x30\xa7\x5c\x98\x3b\x1b\x9b\xfb\xc2\xa3\x3a\xc0\x7f\x9c\x60\x0d\x4b\x76\x40\x89\xd9\xa0\x0d\x67\xd1\xc9\xb8\xc8\xfb\xe0\x7b\xba\xad\x1f\xad\x89\xd2\xff\xd8\x44\xd0\x19\x71\x9d\xd0\x9e\xc9\x5c\x55\x2a\xbc\x32\x12\x18\x2f\xf0\x48\x3f\x8f\x9c\x83\xdc\x06\x70\x5e\x80\x79\xbe\x1a\x62\xd6\xcb\x22\xf7\x78\xfb\xda\x9e\x29\x74\xd7\xa6\xd0\x3d\xb3\xe4\xe5\x9b\x25\x9f\x61\x59\x25\x9f\xb6\x4b\x88\x42\xf6\xa3\x1e\x1b\x97\x47\xa6\xff\xd2\xad\xa2\x7f\xb6\xdf\x8e\x00\x8f\x36\xb3\x54\x05\x42\x46\xcf\x14\x9c\x3a\xaa\x12\x72\xae\xae\x8f\x68\xa5\xc9\x7e\xc4\xd3\xe8\xd7\x3f\xc8\x66\x76\xd3\x21\x3c\xb2\x6e\x3c\x03\x0e\x38\xd1\x42\x17\x95\xd6\x81\x5d\x1c\xed\x51\x5d\xd9\x79\xfc\x19\x19\x4c\xb1\x4f\xda\x4a\x3a\xa2\xcd\x91\x01\xb1\x3f\x5c\x67\x27\xec\xf0\xa5\x08\x52\xdb\xb3\x14\xd3\x98\x73\x15\xc6\x44\x98\xc7\x61\x12\x47\x90\x9c\xf2\x2c\xb1\xda\xc9\xb2\xf3\xfe\xc7\x9f\x12\xac\x0c\x5d\xb5\x61\x24\x52\xae\x9b\xe4\x1b\x74\x5b\x29\x43\xce\xf9\x6c\x12\xef\x21\x50\x48\x25\x1a\x96\x59\xf3\xa2\x37\x2e\x65\xa9\x8b\xde\x55\xb8\x5d\x10\xc7\xdd\xf5\x0f\x5d\xc7\xfe\x62\x1f\xbb\x06\x7f\x6a\xe3\xe7\xff\xbd\x6f\xf3\xb4\x85\x9d\x1a\xe8\x82\x1f\xdb\x77\xd6\x69\x95\x47\xa2\x15\x47\xae\xd6\xa0\x4a\xb6\xaa\x01\xea\x44\x21\x72\xdd\x11\x9b\xe8\x84\x85\x39\x1e\x11\x28\xb9\xc9\xdd\x3e\x83\x61\x4e\xa7\xd3\xa9\xac\x95\x55\x4a\x92\xe2\x59\x12\x61\x6f\xd0\x30\x2c\x36\xe8\x17\x86\xe3\x28\x58\x69\xdb\x31\x4b\x5d\xd2\x85\x5e\x5b\x59\x5a\xc4\x91\x20\x64\x37\x94\x66\x8d\x94\x4d\x1d\xb5\x75\xb0\x42\x83\x75\x90\x91\x96\x9e\x99\x34\x7d\x51\x35\xb6\xa5\xe4\x97\xb5\x09\x14\x0d\x5d\xc8\xba\x87\x95\x67\x22\xa8\x46\x05\x89\x4b\xd6\x71\x49\x27\xa2\xce\xfe\xc1\x39\xe2\x93\x49\x7c\x5e\xf0\x90\x9f\x14\xbd\x24\x1b\x74\x45\x5a\x2e\x66\x49\xb2\x1a\xb6\xce\xc3\xfb\x92\xd6\x17\xf2\xec\xc2\x00\xeb\x65\x28\xae\x3c\xa5\x54\xae\x11\x43\x6e\xf2\x73\xa4\x9f\xd1\xa7\xb5\x29\xd8\x86\x4c\x50\xcb\x89\x71\x27\x8d\x38\xad\x6b\xd5\x4e\xa4\x60\xe9\x23\x3e\x5f\x9c\x8f\x7b\x18\x1e\x36\x44\xeb\xab\x06\x3a\x0c\x0f\x4a\x5c\xf5\x93\x2e\x80\x23\x6a\x64\x0e\xe1\x69\x08\x6d\x5a\x0b\xa8\x4f\x0c\xc1\x57\x4d\xf6\x37\xe3\xca\xdf\xff\x67\xe3\xc1\xcb\xc7\x01\x34\xc1\xda\x74\x1b\x72\x1e\xad\xed\x24\xbb\x43\xaa\x19\xee\xb7\x69\x4b\x02\x2f\x9c\xa1\xb6\xc2\x5c\x50\x4d\x02\xca\xfa\x1a\xbe\x01\x2b\xa6\x5a\x97\x73\x15\x1b\x8a\xb9\x37\x4c\x07\xf7\xf2\x45\x88\xf8\xb9\x33\xdb\x90\x9d\x06\x5b\x52\x96\x47\xb8\x55\x7a\x39\x44\x93\x71\xc3\x34\x66\xd4\x9c\x11\xf7\x40\x6e\x70\xa6\x5f\x6e\x72\x17\x4e\xd2\x5e\xdf\xcc\xa9\x8a\xb4\x01\xfd\x56\x72\x56\x61\x62\x32\xe8\x04\x95\x72\xc7\x3a\x50\x00\xbc\xad\x02\x40\x54\x35\x8f\x64\x20\x05\x33\xaa\xc3\x01\xa9\x8d\x00\x3b\x5f\xdf\x45\x2f\x21\x7d\x52\x0e\x5f\x55\x8d\xce\x6c\x4e\xa8\x0f\x7a\xa9\xfc\x0d\xf1\x4f\xa7\x50\x85\xf3\x9d\x91\x0f\x8c\x72\xd9\x9e\x61\xcf\x60\x73\x9b\x07\xa9\x6e\xc9\xe5\xe5\xea\x3d\x2b\x2e\x3b\x67\x35\x05\xb1\x9f\xaa\xb1\x6b\xca\xb8\x2b\xb2\x7e\xa9\x60\x59\x5f\x51\x53\xe6\xc6\xbf\xf3\x96\x9d\x5b\x55\xd8\x75\xbc\x69\xc2\x5f\x88\xa4\x9a\x7c\x06\x60\xd1\xed\x67\xa0\xba\x08\xc6\x57\x58\x94\x97\x24\x3a\xd6\x02\x63\x79\xb4\xed\x44\xaa\x0c\xe6\x7e\x3b\x8c\x13\x37\x49\x53\x5e\xe9\xe7\x82\x0e\x47\xc2\x1b\xa2\x6f\xa1\x94\xa7\x14\x8b\x55\x51\x6e\x08\x91\xf2\xc3\x08\x52\x77\x88\x17\x38\x18\x67\xab\x5a\x97\x1d\x63\xe8\x2f\x8c\xb3\x6f\xd3\x73\x8a\x71\xd8\x24\x8c\x17\xfe\x1b\xc6\x83\x7f\x1c\x9b\x19\x7d\x53\x69\x0b\x39\x72\x27\x5d\xbc\x53\x9b\x83\x57\x2a\x2f\xae\xa8\x13\x1c\xa7\x56\x9d\xb7\xe2\x42\x8f\xfc\x68\x0b\x73\x54\x88\x18\x67\xa4\xcc\x07\xba\xf6\x0a\x24\xfe\xd1\xeb\x36\x88\x8f\xca\x16\xd5\x95\x7d\x31\x1a\x28\xa5\x38\x3d\x4b\x8b\xb0\x71\x35\x1d\x4c\x1d\x27\x9b\xdf\xf4\xa1\x8e\xfe\x52\xab\x6c\x3c\xac\x90\x26\x04\xa5\x6e\xcc\xb5\x79\xa8\x2b\x96\x46\x66\xe1\x1d\x2a\xb7\x8c\x46\x04\x3b\xa5\x7b\x25\x57\x4c\x5b\x60\x34\x74\x73\x3a\x30\x4f\x40\x21\x12\xc5\x6c\x65\x07\x97\xa8\x83\x50\x07\xaa\x72\x56\x5a\x5d\x95\x2d\x43\xb5\x62\xad\xcf\x8d\xa2\x2a\x8b\x42\x56\xee\x3e\x48\xdb\xe8\xe0\x3d\x2b\x5b\xc5\xe9\xbe\xd5\x63\x8e\x38\xe3\xff\xa8\xc7\x9e\x7e\x99\x1b\x56\x71\x05\xab\xb9\xe0\x69\xf6\x2f\xad\x12\x76\xb2\x0d\xaa\x62\x24\x75\x03\xb0\x6c\x6b\xab\x3a\xee\x49\xa5\x50\xb3\x37\xed\x27\x6f\x24\xda\xa5\xfd\x97\xef\x0f\xfe\xbf\x2b\xac\x0b\x6e\x9b\x1d\xc1\x03\x38\x91\x02\x0d\x95\xa5\x34\x5a\x92\x31\xaa\x29\xdc\x50\x60\x01\xd7\x51\xb9\x08\x05\x0f\x20\x21\x01\x4b\x56\x9e\xd2\xfe\xc9\xa0\xc9\x58\x03\x73\x15\x4e\x0c\x19\xe0\xd4\x81\x1d\x97\x5c\x50\x36\x83\x31\x9f\x1b\x7a\xc5\x20\x54\xc7\xd6\x04\x26\x29\x25\x51\x14\x4a\x15\xef\x66\x11\xbe\xb1\x1e\x87\x52\x0a\x2d\xa6\xd7\x0f\xd7\xd5\x1f\x30\xdf\x28\x4b\x99\xb0\x01\x73\x7d\xb5\x5f\xea\x69\xc0\x7e\x21\x31\x46\xdc\x98\x4b\x4e\xdc\x1d\xc8\xc6\x82\x7b\x64\xa3\x4a\x87\x97\x57\xd7\x0f\xcb\x6b\xfa\x58\x3e\xc1\xef\x0e\xac\xee\x05\xf7\xac\xd4\x6d\xb3\x63\xe6\x74\x89\xc3\xb8\xaa\x1d\x22\x89\x90\xce\xc0\x11\x52\x21\xce\xab\x9e\xe7\xe1\xc9\x8d\xdb\x6a\x3e\x1c\x67\x44\x82\x1b\x35\x4e\x31\xb6\xb0\x0e\x11\xe2\x38\x61\x58\xe8\xc6\xd8\x72\x64\xcf\x68\x1b\x3e\xe2\xd3\x2f\xaf\x7f\xf3\x4d\xff\xaa\x50\x06\x14\xb2\xf0\xe0\x8b\xd0\xdb\xd1\x6b\x62\x43\xca\xd2\x8e\x70\xa2\x3d\xc7\xd8\x95\x52\xa0\x3d\xd5\x6e\x4b\xae\xef\x7f\x62\x2c\xf8\xe5\xb1\x25\x73\x01\x65\x20\x4b\x41\xb1\x0e\x5d\xd0\x41\xe4\xcb\x5c\xe0\xc3\x4d\x3e\xd3\x6a\x89\x1e\xd6\x29\x31\x3b\xf1\x84\xaa\xde\x54\xe7\xf3\x59\x2a\xea\x7c\x29\xeb\x0a\xfc\xfb\x6c\x7a\x32\x1f\x2c\xf6\x53\xae\x65\x1d\x60\x21\x76\xa3\x58\xf0\xc7\x2e\x36\x23\x05\xb0\xb4\x15\x27\x31\x31\x73\x80\x64\xa9\xf3\x02\x32\x2d\x42\x2b\xdf\x7d\x80\xe2\xda\xf3\x74\x41\x99\x90\x50\x20\x78\x51\x8a\x9e\x3a\xb7\x8c\x24\xd5\xea\x80\x5f\x83\x34\x4a\xa7\x13\x50\x37\x00\x90\x20\x52\xa1\x81\xac\xfb\x69\x94\xa5\xc2\x41\x0a\x20\xfe\x17\xe1\xa8\x42\x95\x86\xa3\x65\x0e\x00\x94\xd1\x5d\x42\xdd\x60\xa0\xb7\x8a\x39\x34\x68\x12\xd4\x2a\xdc\x72\x8b\x9a\x43\x49\x1e\x72\xfe\x5c\xb0\x60\x55\x1e\xab\x52\xcf\xea\x6a\x3a\x5d\x88\xed\xfe\x94\x17\xbc\xc6\xbb\xdd\xbe\xe4\x30\x5e\xc7\xa4\x26\xf2\x3c\xcb\x2d\x53\x93\x99\x25\x6d\x74\x92\x4c\x16\x0b\x31\x45\xbc\x61\x4e\x52\xc3\x81\xe7\x30\x58\x3a\xcb\xb9\xfc\xa8\xdb\x63\xbc\xe7\x22\xca\x7b\x0c\x94\x73\xff\x8f\xbc\xe0\xb3\xde\x72\x25\x20\x7e\x48\x1d\x6a\x22\x66\xb5\xa9\x80\x54\xc1\x6a\xa9\x73\xd1\x5c\x6b\xd6\x79\xdc\x0d\xd7\x04\x1d\xaf\x4e\x68\x03\xc4\xa3\xcb\x83\xc2\x7a\x22\x18\x15\x8b\xef\xe8\xbd\x4e\x13\xa3\x9e\xce\xf2\xb5\x30\x55\x49\x5b\xa3\x31\xe3\xbe\x3c\xc1\x1e\xaf\x5d\x3a\xda\xc4\xf0\xf1\x89\x87\xc1\xc4\xf0\xa2\x89\xf9\x6a\xc3\x3b\xb1\x32\x80\x6e\xa0\x14\x58\x2d\xf6\x9a\x5d\x6f\xc5\x51\x68\x27\xd3\xd6\x1a\xfe\x9c\x63\xae\x20\x9c\x0d\xb0\x8c\xea\x96\xea\x26\xf6\x01\x22\xf6\x0b\x29\xb8\xb5\xb3\xbc\x8b\x5f\x27\x91\x4e\xc7\x17\x2a\x7d\xb7\xd2\x72\xa1\x0f\x0a\xa5\xbc\x15\xad\xac\x67\x05\xb9\xd4\x31\xbd\x4a\x0a\xb2\x52\xb9\x2e\x2a\x1c\xd2\x39\x48\x36\x9b\x1a\x1d\x53\x4c\xc1\x4b\x66\x36\xc8\x30\x50\x8d\x2d\x08\xf2\x7e\x0a\xa8\xa2\x01\x14\x7e\x38\x84\x72\xc8\xe1\xe0\x26\x8e\xe8\xfc\x31\x95\xab\xb2\x27\x8d\x87\x05\xc1\x87\x14\x27\x78\x30\x44\x20\xc1\x09\xfe\x03\x8c\xf3\xa0\x1a\x50\x15\x9c\xe0\x77\x33\xce\x39\xdc\x95\xff\x41\x30\xd5\x09\xab\x0b\x75\x75\x43\xc5\x56\xc9\xbb\xf3\x59\x39\x97\x9a\x5b\xb8\x6f\x75\x5b\x70\xed\x90\xbe\xcd\x65\xdf\xe9\xef\x7b\xe0\xff\x2f\x64\xf2\xaf\x17\x32\x06\x98\xf9\x45\x29\xc2\xc8\xa9\x3b\x00\x87\xe6\xa5\xcf\xe5\xa8\x18\x8d\x40\xa4\xeb\x71\x9e\xa5\x92\xff\xe3\x74\xf6\xf2\x2c\xc2\x19\x2d\xca\x70\x2d\x4e\xd7\x82\x9b\x1e\xbd\x69\xb5\x7b\x33\x72\x66\xb7\x9b\x56\xe8\xbd\x35\xb3\x6a\x0c\xa3\xe7\x77\x49\x88\x87\x01\x8c\x9a\xcc\x5f\x6d\x95\x27\x42\x14\x5f\x0c\x47\x30\x16\x46\x6a\xb8\x4c\x93\xd2\x0f\x4f\x54\x50\xe9\x20\x6b\x41\x67\xb1\x9e\x16\x61\x81\xb0\x08\x5f\x3e\x10\x7c\x8f\xfe\xe5\xba\xfe\xe0\xf2\xd6\x81\xfc\x1f\xda\xf3\x5e\xed\xda\x7b\x95\xa8\x40\xfe\xd6\xa5\x06\xf2\x6f\x5d\xf4\x6b\xe4\x9a\xef\xf9\xca\xf6\x42\xf8\x55\x08\xff\xea\xf6\x1e\xa9\xa7\xf9\xb7\x34\x46\x03\x96\x3b\xd4\x55\x09\xe9\xd7\xfc\x84\xb1\x9f\x9b\x60\xdf\xb9\x69\x55\x0c\x60\x40\xaf\x98\x08\xbe\xdb\xfc\x74\x69\x1f\xaf\x8f\x66\x3d\xff\xbc\xc7\x7a\x76\xcd\x7a\x1e\xd4\xe5\x1a\x7e\xda\x0b\xda\xa3\x98\x8f\x5d\x5b\x7a\x74\x27\xb7\x3a\x0f\x1d\x93\xdf\x34\x36\x66\x33\xb0\xa7\xb0\x29\x76\x70\x87\x25\x54\xf6\x38\xd7\x5e\x11\x06\xbb\x08\xc3\xe2\xf6\xdc\x6b\xda\x6f\x8c\x42\xf2\x35\xdc\xa6\x9a\x6a\xf4\xba\x09\xf6\x24\x3b\x15\x2e\x8b\x30\xbb\xa0\x9f\x96\x71\x57\x40\xda\x2e\xf0\xac\x3f\x3f\x10\x1c\xad\x5e\xac\x80\x90\x59\x77\xb7\x16\xa1\x3e\xb8\xc7\xc7\x76\xcd\xc7\xce\x2b\x36\xb6\x7a\xa9\x22\xd4\x61\x36\xcd\x1a\x9b\xe7\x42\x8e\x20\x80\x3d\x3e\xb4\x27\x41\x29\x09\x2a\xdc\x9e\x07\xdd\xea\xdf\x6c\x92\x20\x25\x39\x55\xe1\xed\x2a\x6c\xa4\xca\x92\xde\x76\x45\x15\x50\x2a\x2b\x5a\x21\x14\x46\x5c\x3f\x82\xfe\xa2\x53\x17\x70\x97\x9e\x11\x65\x1e\xb7\x28\xfb\xe9\x1b\xfb\x82\x74\xd4\x8d\x4a\xa5\x77\x95\xce\xa3\xeb\x63\x6a\x10\x8d\x2e\xbc\x34\xd2\xb0\x12\xa6\x03\xfe\x0c\x3d\x6a\xc5\x65\x2e\x7a\x0c\xdf\x99\xa7\xe8\x1e\x6c\x1a\xd0\x42\x1d\x8e\xf7\x5b\xe3\xec\x35\x1e\x73\xee\xfb\x3f\xb8\xab\xa4\xa0\xe0\x69\x76\x63\xd5\x54\x25\x3d\x36\x30\x75\xe1\xb0\x26\x43\xb9\x65\xef\xa3\xf7\xa7\x58\xc4\xac\xce\xfb\x77\x05\x73\xe6\x57\xd5\xc0\x18\xaa\x36\xc0\x23\xd6\xc6\x3a\x6d\x6a\x51\x78\x9c\xaa\xdb\x84\x79\x6e\x93\xff\x03\x1e\xbb\x06\xef\x6a\x8b\xe3\x1b\xbc\x87\xc1\xe2\xb8\xe0\x36\x6a\xbb\xeb\xe2\x48\x52\x2e\xe4\x39\x90\xf7\xac\x05\x2e\x73\x05\xc0\x23\x17\x14\x22\x2d\x10\xf0\x03\x1b\x6a\xb2\x77\x79\xec\x09\x34\x7f\x33\xeb\x22\x0f\xd7\x10\xf5\xd5\x7f\xdd\xa5\xec\xd9\x11\x0b\xf5\xcc\x11\x8d\x6e\xba\x5e\x34\x91\x21\x3e\x1b\x51\x5a\x2b\x4d\x36\x14\x0d\x8e\x8a\x26\xfb\xeb\x6b\xd9\x53\xb6\xdc\x21\x47\x9a\xce\xce\xf8\xf0\xb5\xc1\xad\xce\x8e\x70\x11\x7a\x92\xb0\x28\x1b\xb9\x08\x23\x8a\x3d\xc1\xda\xb7\x98\x89\x49\xb3\x73\xd1\x1b\x97\xfc\xcd\x21\xea\xaf\x3f\x8e\x7d\x6a\x8c\x3d\x9e\x32\x13\x44\xae\xd2\x80\xfc\xf7\x8f\x6d\xe5\x08\x1e\xd1\xd9\xd9\x6a\x13\x76\x67\x83\xaf\xd7\xf4\x27\xec\x6c\xa2\xb6\x3c\x35\x20\xde\xd8\x40\x9c\x10\xa5\x17\xfd\x56\x07\x01\x9c\xb3\x42\xb8\x2e\x7f\x83\xbf\x9d\xaa\x34\xc5\x29\xe3\x5c\xb7\xb6\x38\x4d\x11\x56\xd7\xa1\xc9\x30\xfd\x88\x53\x4c\x6c\xec\x65\x1a\x82\x59\xad\x25\xac\x94\xca\xe8\x40\x88\xe7\xd9\x85\x73\x50\x73\x47\x74\xb3\x7c\x30\xd5\xe4\x4b\xb2\x7f\xd8\x59\xf4\x59\xac\xf6\xe3\x04\x23\xcc\xec\x3e\xa0\xf4\x01\x71\x64\x30\x86\x30\xe1\x6a\xcf\x65\x3d\x1d\x18\x55\x66\x3d\xdc\xe9\x72\xac\xe1\x7a\x18\x27\xe0\x09\x2b\x33\x9e\x66\x79\x37\x4c\x20\x6b\x4f\xf6\x53\x7d\x10\x4b\x06\x81\x89\x53\x92\x53\xc0\x89\x62\xd9\xdf\xd7\xd8\x01\x41\x0c\xd4\xff\x46\x6d\x8b\xf0\xd1\x51\x8b\x38\x8a\xf5\x06\x6f\xaf\xa9\x06\x9d\x15\x73\x19\xae\xc2\x29\xdb\x39\xe3\x85\x42\x0e\x58\x29\xc8\xe6\x44\x26\x6a\xd1\x02\x02\x23\xaf\x3d\x08\x14\xad\xac\xdb\xcb\x52\xf0\xd6\xe6\xfd\x14\x10\x7b\xb2\x7e\x09\x3e\xb7\xac\xad\x2d\xf9\x93\x6d\x63\x9c\xe7\x89\x48\xd7\xca\x8e\xbc\x7d\x5f\x5f\xf4\x21\xc1\xb3\x95\x64\x7d\x39\x9d\x45\x01\x16\x54\x55\x63\x00\xe2\x05\x9f\xb9\xb0\x84\x9f\x72\x10\x9d\x36\xff\xd8\x54\x93\x7d\xc4\x53\x7b\xca\xff\xc0\x36\x10\x82\x43\x93\xae\x23\x91\xcd\x94\x97\x5a\xc8\x32\xf3\x4d\x13\x3d\x8a\xa6\xcf\x57\x27\xd7\x19\x7e\x9d\x77\xe2\xb2\x68\x48\x12\xc2\xb8\x21\xf2\xd9\x68\x98\x1a\x0c\x54\x6c\xb2\x37\xd6\xd8\xb8\xa4\x26\xff\xd5\xb5\xcd\x43\xaa\x47\x0e\x61\x21\x8b\x0a\x67\x00\x9f\xf4\xa0\x22\xd6\xd6\xfd\xdf\xd9\xee\x73\x46\x02\x45\x65\x43\xc8\x4b\x28\x1a\xbd\x3c\x6b\x89\xa2\x10\x91\x35\xb6\x29\xc8\xce\xd1\x4e\x64\xed\x3d\x55\xcc\xb8\xcc\xd6\x04\xa5\xc7\x81\x53\x76\x55\x20\x64\x5c\xb7\x17\xe6\xa6\x38\x04\x7d\x1b\xd1\x15\xd8\x9b\xc7\xd8\x01\xc5\x9f\xfc\x57\x8f\x5d\xe2\x9e\x1a\xc9\x0f\x3f\x5e\x7b\x4c\xb8\xe0\xbf\x3e\x7e\xf7\xce\x1a\x83\x53\xcd\xff\xa9\x5a\xf0\x9a\x9a\x2a\xcd\x07\x6b\x48\x25\xae\x95\x5c\xa3\x32\xbd\x54\xf5\xf2\x55\xa1\x40\xe0\x82\xa1\xb3\x2b\xa8\xf3\x40\xf1\x42\xf9\x37\x6e\x51\xf9\xd7\x02\x7c\x3d\xcb\x79\x60\x3d\x0b\xd3\x5a\xc1\x7d\x0c\x8d\x7b\xd2\x41\xf9\x57\xdc\x6f\x3e\x2b\xc5\x89\x51\x9f\xd6\xf5\x05\xcd\xbc\xa0\x43\x95\x82\x09\xb1\x8e\x4e\x63\x4d\x9e\xf2\x77\x2e\xcc\xe8\x06\xce\xd0\x54\xc5\x05\x17\xa9\x7c\x2d\xb2\x65\xb8\xbf\xd9\xef\xd8\x08\x94\x91\xea\xf6\x44\x5c\x70\xca\xfd\x7c\x7c\x7f\xd0\x31\x17\x1d\xe4\x11\xbe\x26\x52\x21\xa7\x72\x5d\xdd\xd3\x6a\x61\x48\x35\x0a\xb2\xf5\x18\xf5\xfc\x69\x5d\x18\x88\x8a\xdb\xa5\x5c\x5c\x10\xaa\x78\x05\x06\xb6\x36\x2f\x7a\x57\x44\x79\xbc\x2e\x72\x47\x24\xf9\xe8\x15\xec\xa3\x9e\x2e\x06\xf4\x21\x2f\xf8\xb9\x2d\x8a\x01\x3d\x6a\xb5\x7d\xac\xe6\x23\xd1\x13\x72\x91\xb3\x94\x5b\x33\x85\x30\xb7\x8e\xdc\x7c\x96\xed\x27\x9a\xf7\x4f\x06\x07\xcf\x12\x68\xe0\x09\xae\x70\x42\xbb\x5d\xcc\x38\xa0\x74\x03\x40\x19\xdd\x0a\x6b\x82\xbd\xd8\xb3\x8a\x46\xaf\x07\x1d\xd3\xe4\x50\xfd\x67\x3e\x69\x6a\xda\x43\x49\x8a\xdd\x94\x97\x76\xf2\x73\x7f\xa7\x66\x17\x93\xfe\x58\x8d\x5d\xbf\xad\x29\x14\xea\x47\xe1\x1e\x32\x25\xa5\x5f\x55\x33\xdd\xd7\xe5\xa6\x79\x4c\x87\x06\x80\xf7\xa9\x12\x12\xb6\x39\x57\x09\x70\x78\x68\xa7\x45\x5c\xc6\xeb\x0e\x78\x1d\xc4\x77\x87\x85\x36\x0a\x21\xb1\xd1\xfa\x14\x94\xde\x6a\x67\xb6\xca\x99\x4f\xb3\xca\x57\x62\x07\x90\x8f\x02\x07\x46\x76\xa4\x40\xb7\x28\xd4\x9e\x96\x0c\x05\x1f\x42\x9c\x3a\xfc\x1b\xf9\x25\x44\x15\x47\x9b\xf4\x8a\x9d\x65\xb4\x17\xfc\x53\xc1\x0d\x27\xe1\xaf\x51\x21\x22\xf8\x8c\x8e\xa6\x55\x31\xac\xb8\x23\x1d\xe2\x7b\xe7\x18\x7b\xda\x36\x40\x04\x0b\x79\x9c\xe5\x71\x39\x38\x2d\xd6\x45\xe2\x44\x73\x93\xce\xf1\x95\x5a\x70\xd7\x76\x0f\x55\x4b\x3e\xe9\x23\xc5\xa8\x21\x01\x1d\x55\x8d\x1e\xb5\x15\xb8\xd8\x24\x0f\x79\xec\x1f\x3d\xc6\xe4\xf1\x8d\x34\xe4\xff\xb9\x17\xdc\xb0\x62\x7e\xaf\x54\x75\x2d\xdd\xf8\xc8\xa6\x8d\x9d\x6c\x99\x2d\xb2\x85\x4d\xc9\xf3\xd2\xe6\x64\x56\x75\xe7\x21\xef\x20\xfb\x8e\xe1\x54\xce\x6e\xd8\x6b\x9c\x17\x83\xc2\x9f\xf0\xf7\x37\x80\x07\xb1\x6d\x92\x3e\xbb\x61\x8f\xb1\x57\x5f\xc9\xbe\x67\xb8\xae\x43\x73\x16\x45\xcb\xc5\x2c\x11\xb7\xc5\x00\x31\xe1\x7f\x95\x05\x6f\xf3\x86\xaf\x9b\xfd\x22\x79\xb4\x75\xbf\xae\x41\x90\x35\xb6\x6e\x89\xe7\x5f\x2b\x4c\xad\x5d\xe6\xbc\xa4\x8e\x29\x92\xee\xad\x88\x1b\x40\xc2\x8c\x22\x88\xbd\x70\xf6\xdb\x7a\x1c\x72\xc2\x00\x6f\x5e\xf4\xf6\xe7\x59\x22\x16\x45\xdb\x59\xe1\x5f\xdc\x2b\x52\xbe\x97\x2e\xfa\x18\x1a\x70\x3b\x96\xfd\xf6\x39\xbb\x4c\x17\xdd\xba\x4c\xce\x47\x3c\xa6\x76\x80\xff\x4b\x1e\x9b\xdc\xae\x80\x0b\xd4\x6e\x59\x14\xed\xe0\x15\x1e\xfd\x65\xca\xac\x5d\xe2\x16\xd5\xc7\x94\xd5\x90\xce\x3c\x2a\xb2\x64\x5d\x15\x17\x9b\x31\xf0\xe1\x90\x78\x92\x8b\xb2\x9f\x83\x4a\x08\xb1\x9b\x4d\xf6\x52\x8f\x1d\xa0\x6c\x83\xc2\xbf\x10\xdc\x42\xbb\xbb\xe0\x9d\x2c\x89\x0a\x9b\xe1\xd0\x56\x52\x61\x59\x90\x4f\x29\xbb\x68\x25\x4e\xda\xfc\xb8\xce\xae\xdb\xc1\x94\xd0\xe7\x1e\xf2\xee\xdb\xde\x50\x3d\xef\x9f\xbe\x84\xaa\x2c\xc3\xdc\xb3\x6a\xb8\xfe\x17\xe6\x78\xfe\x55\x97\x2c\xac\x9e\x3f\x60\xc1\xdb\x3d\x0b\x26\x07\xe7\xc4\x11\x40\x00\xaf\xc5\x2e\x62\x8e\x21\xb3\x79\x5f\x31\x65\x9d\x27\x32\x0a\xf5\x1c\xd3\xdb\x24\x97\x2d\xa9\x84\xa2\x35\x9d\x52\xf5\xc0\xf8\x29\x13\xfc\x36\xe2\x31\x0d\x56\xe3\xb0\xe1\x9f\x9e\x60\x7f\xe7\x80\x28\x7c\xcd\x0b\x3e\xe1\xcd\x2c\xcc\xb9\x90\xef\xb6\xc0\xa1\x6e\x52\x5a\xa4\x41\x3c\x11\x36\x40\x9f\x03\x62\x6b\x23\x28\xe4\x96\xd2\x5a\x07\x43\x10\x2a\xef\x8a\x6b\x58\xe9\xa5\x56\xa6\x8f\x48\xfb\x5d\x29\xa7\x5b\xa1\x98\x00\xc1\x2e\xdf\x37\x31\xfd\x5a\xb7\xa7\xda\x80\x5b\xe4\xb9\x7c\x78\x8c\x3d\xce\x2a\xf8\x70\x6e\xf1\x74\xe1\xbf\x6b\x2c\x78\xd5\xd8\xbc\x7b\x91\x38\x2a\xc2\xa1\x41\x99\xcc\x30\xe1\xfd\x3c\x21\x88\x97\x10\xc1\xcf\xe9\x84\xc1\xd2\x70\x58\xff\x40\xf2\x3e\x7e\x1d\xe1\x6c\x61\x7f\x2c\xc0\x94\xd0\x94\x84\xac\xf3\x76\x2c\x0f\x1b\x3b\x8e\x1c\x6a\x7c\x22\xdc\xbf\x53\x08\x02\x7a\xa4\x2a\x20\x1a\xc8\x9e\x7a\x15\x88\x47\x95\x64\x8c\x5b\xa0\x2d\x4a\xa9\xd0\x22\x74\x6b\xbf\x52\xe2\x61\x38\x62\x1f\x34\x39\xe6\x6f\x4a\xe6\xa3\x2a\x89\x52\x95\x47\x98\x72\x0b\x66\x45\xd9\x24\x48\x13\x87\x58\x4a\x94\x73\xb1\x06\x60\x75\x0c\x54\xf3\xd3\xbc\x27\x19\x77\x30\x55\xe7\x5a\x3e\x59\xcd\xca\xce\x56\xcb\xf7\x2e\x8f\x5d\xad\x5a\x84\x20\x65\xff\x27\xbc\xe0\xf9\x8b\xf6\x15\x95\xc4\xa6\x90\xd9\x37\xe4\x31\xa1\x5d\xa9\x30\x79\x04\xd3\x33\x62\xb3\x70\x83\x13\x29\xd7\xbe\x2b\x42\x05\xea\x63\x82\x13\xe1\x03\xdb\x53\xda\xcb\x3c\x1b\xc3\x66\x10\xdc\xb3\x68\x08\xd8\x76\xee\xda\x89\xaf\xba\x6e\xba\xdd\x23\x5d\x9d\x23\x71\x2a\xef\x3a\x88\x32\x5b\x75\xe4\x7d\x1a\xfc\xe5\x41\x2f\xf8\x51\xef\x2e\x80\x6c\x71\xba\x80\x97\x90\xb0\xf5\x52\x9f\x3e\x4d\x2a\x21\x7e\x42\x8a\x19\x68\x61\xd2\x85\x41\x16\x09\x5a\x09\x94\x56\x65\x4d\x37\xa9\x78\x98\xe2\x04\x8d\x8f\xe8\x3a\x9c\xcc\x5b\x75\xfb\x4f\xae\x61\x4f\xdd\xa2\x90\x09\x0a\xe9\xa3\x4b\xb5\xfb\x3f\x73\x4d\xf0\x23\xfb\x46\xdf\x33\x2c\xc5\x41\x3c\x24\x4b\xa2\xa3\x5b\xc0\x16\x97\xdb\x80\x42\xca\x8d\xaf\xc9\x3a\x69\x11\x2c\x52\x1e\x9b\x56\xc6\xa4\x6a\x8d\x94\x4b\x48\x36\x83\xcc\x5e\x32\x19\x80\x11\x8c\xa0\xb9\x41\xe0\x3a\x58\x70\x67\x80\xbc\x9b\x45\x4a\xd2\x4e\x07\x2a\x93\x42\x5c\xe8\x89\x3c\xc6\xfd\x1b\xf5\x73\x25\xd9\x51\x82\x3e\xe4\x0a\x6c\x32\x68\x93\xe1\x00\x7e\xb5\xd5\x01\x3f\x37\x07\x87\x48\xd1\xc9\x36\xa6\x3b\x71\x24\x54\x9f\xc1\xee\x5d\x66\xfc\xbe\x7e\xdc\x3a\x9f\x0c\x78\x22\x20\xc1\x5a\x25\x98\xf3\x5c\x84\x85\x5d\xc4\x25\xce\xe5\xf4\x50\x5e\x45\x01\xb6\x7c\xfa\xd8\xfc\xd9\x65\x7e\x9b\xf9\xa0\x76\x1d\xa0\xf1\x04\xbe\x0e\x4a\x6c\x65\xe4\x91\x68\xc5\x94\x47\xa9\xb6\x44\x18\x17\x58\x17\xa4\x0d\x8d\x45\xa2\xd7\x2f\x07\x75\xde\x0a\x5b\x90\x33\xda\x16\x65\xdc\x15\xd3\xb9\x58\xcf\x5a\x84\x5a\x2f\x27\x0e\xcc\x70\xad\x32\x25\x90\xf2\x96\xc8\x65\xff\x46\xd4\x28\xc2\xc7\xc1\x34\x61\x5f\x06\x86\x5b\x2a\x7c\xbf\x56\xc9\x37\xc2\x01\x41\xe8\xa0\x1b\x6f\x64\xa7\xad\xa4\x4e\x02\xf7\xbd\xe8\x01\xa6\x88\x73\xfe\xbe\x6a\x4f\x0d\xda\x53\x83\xfe\xb5\xa0\xe6\xbc\x56\xa1\xe6\xbc\xcc\xdb\x2a\xc9\xff\x12\x18\x38\xe0\xe7\xdc\x08\xe5\x67\x86\x85\xea\xa1\xfa\x51\xe4\xba\xd1\x38\x25\x4d\xf6\x6e\x83\x9b\xf3\x76\x8f\xdd\x71\xa9\x7d\x1a\xee\x0f\xfa\x6a\xee\x52\x21\x28\x52\xe6\x02\x14\x85\x38\x55\x46\x65\x4a\x73\x07\x58\x13\x27\x42\xa5\x72\xc0\x84\x43\xc7\x4a\xf3\x21\xaf\xbf\xbd\x7a\xb3\xe8\x2f\x68\xf5\x66\x4b\xcd\x66\xf4\x8c\x8e\x04\xdb\xf9\xc8\x95\xec\xbb\x37\xf3\x59\x1d\x6e\x2e\xb5\xc2\x44\xf8\x6f\xbd\x32\x38\x02\x7f\xb9\x1e\x00\xe5\xca\x51\x4b\xe0\x16\x03\x73\xad\x7a\x2f\x66\x7b\x7b\x75\x17\x7b\xf5\x73\x76\xcc\xd9\x47\xbd\xdd\x1a\x2d\xac\xe8\x57\x95\x7c\x47\x8d\xdf\xf4\x68\x05\x9e\x35\xe5\x98\x90\x65\x7c\xc2\x63\x87\x77\xe6\x44\x25\x82\x04\xd6\xf0\xe3\x9e\x7d\x3c\x56\xa1\xb4\xc0\x87\xf9\x88\xaf\x96\xec\x7e\x23\x4c\xa3\x06\x32\x9a\x26\xfb\x7d\xc3\x74\x7e\xdb\x63\x47\x2f\x6d\x54\xc8\x60\xde\xe4\xd9\x76\x6d\x83\xc8\xf5\xd8\x8c\x08\xdc\x41\x0d\xa9\x54\xee\x15\x7d\xde\xad\xb4\xf2\x90\x77\xd7\xf6\x3c\xfe\xa8\x7f\xd8\xe6\xf1\x8a\x4a\x0c\x6b\x97\x64\x50\xb5\x53\xfd\xf9\x38\x9b\xbb\xec\xf2\x12\x4b\x18\xec\xa2\x7d\x71\xfe\xc5\xf1\xe0\xa6\xea\x45\x3a\x83\x43\xd7\x1f\x47\x4f\x35\x13\xb1\x16\xb6\x06\x34\x79\x17\xbd\x09\xad\x1b\x11\x4e\x9a\x73\x14\xfc\xca\x18\xbb\x95\x32\xb4\x8f\x07\x53\xe9\x26\x85\xcb\x28\x04\xc7\x64\x3e\xdb\xec\xf0\x0c\x33\x9f\xf0\xbf\x2f\x38\xea\xa4\x7e\xba\x59\xc6\x3b\x69\xee\xd9\x6c\xbc\x17\x96\x1d\xff\x99\xc1\x49\xb0\xbe\x54\xac\x07\xca\x6a\xc1\x43\x05\x4c\x33\x84\xcc\xb2\x4a\xa1\x64\xad\xb2\x92\xa2\xfd\x19\x8f\x8d\xf7\xb2\xbc\xf4\x3f\xe6\x29\x6c\xa2\xf7\x7a\x50\x85\xa9\xf2\x11\xea\x20\x55\x68\xda\xd9\x87\xf8\x8a\x7c\x7a\xc5\xd2\xec\x42\x2a\x07\x02\xad\xa4\x58\xbc\x70\xf2\x70\xe3\xf8\xf5\xd7\x1f\xbd\xbe\x8e\xd8\x13\x45\xbc\x2e\xa6\xdc\x24\xfa\x63\xc7\x8e\xc2\xe1\xad\x0a\xae\xb9\xf5\xd6\x5c\x5c\xa1\xcf\x8f\xb1\x59\x22\x35\x49\xc8\x8d\x70\x6d\x2d\x17\x6b\x50\xa5\xd2\x26\xb1\x0a\x28\xcc\x30\x91\xbd\x72\x6c\x57\x44\xe6\x50\xd4\xaf\xd5\xd8\x31\xa2\xa8\x7a\xf0\xdd\x9b\x95\xc2\xa3\x19\xb6\x57\x67\xd6\xa6\xa3\xe3\xc1\xd4\xfc\x4e\xe9\xc8\x6e\xe4\x37\xd4\x12\x7f\x40\x2f\xf1\xdb\xbd\xb9\xb6\x6d\xea\x04\xbb\x9e\x5c\x12\x4b\xe1\x8f\x55\xac\x44\x27\x43\x88\x76\x8d\x47\x60\x65\xcd\x6e\xb3\x32\xbb\x20\x00\x67\x51\x7f\xcd\xc5\x9a\xb5\x8a\x8f\xd2\xf2\x2d\x67\xe7\x45\x4a\xf8\x14\x50\x21\xf2\xd5\x13\xc1\x9d\xd5\x8b\xc6\x20\x4c\x12\x16\x84\x80\x40\x99\x81\x30\x0f\xbb\xa2\xa4\x62\x66\x21\x2f\xe5\x9b\x16\x94\xfa\x44\xd8\x8f\xc0\xa6\xe1\x5a\xa8\x1f\x38\xc0\xde\x38\xc6\xcc\x4d\xff\xe5\x63\xc1\x5f\xd6\x66\xd4\x4f\xad\x9c\xcb\x61\xa4\x91\x48\x23\xae\x1f\x55\xeb\x05\x5f\x6a\x02\xda\x77\x2b\xee\xc5\x54\x4b\x44\xf5\x00\x1c\x1e\x18\x5d\x5c\xb6\x41\x86\xef\x02\xbe\x00\x05\x2a\xaa\xc0\xe3\x18\xe3\x43\x4b\xab\xb8\xf7\xe8\x0f\xe1\xd1\x03\x28\x02\x1b\x71\xa1\x41\x25\xe8\x1c\x72\xfa\x83\x1d\x88\x8b\xa2\x4f\x01\xd8\xda\x62\x6e\x9a\x26\xd3\x91\xc6\xe1\x35\xcb\x22\xb4\xa1\x1c\xf2\xe0\x09\xda\x42\xbf\x48\x60\x38\xab\xfd\x12\x10\x4f\x10\x2a\xa7\x13\xaf\x75\x78\x24\xd6\x72\x81\xd4\x9c\x63\xb4\x0c\x62\x8c\x59\x71\x6e\xba\x99\xad\x2c\x73\xaf\x19\x63\xd7\xac\x66\xfd\x34\xd2\x81\x1c\xfe\x3f\xd5\xb6\xa9\x96\xec\x92\xd4\x6d\xce\xdb\x14\x06\xf2\x81\x9a\x7b\x19\x35\x04\x87\x1d\x54\xb0\x19\xf5\xa4\x6a\xfe\x08\xdd\x02\x61\x7e\xd9\xbd\x07\xa6\xf1\x55\x41\x3b\xa4\x8d\x19\xfd\x49\x96\xae\x29\x93\x3c\xbe\x49\xad\x43\x29\xd3\xa2\xc9\xe7\xcf\x2e\x9f\x3a\x01\x4d\x19\x7b\xce\xc1\x82\x13\xf1\x93\x39\x91\xb4\x0b\xf8\x0c\x01\x8c\x21\x69\xba\xc3\x21\x2f\x00\x1a\xd4\x9d\x65\x4e\xb3\xb2\xc9\x9f\x21\x44\x8f\x9f\xba\xd0\x8b\x29\xa4\x42\x61\xd7\x75\xc3\x24\xe1\x71\xdb\xe0\x22\xf4\xf2\xac\xdb\x93\x82\x91\xb2\x76\x35\xd9\x3f\x79\xec\xf1\xa2\xfa\xaa\xff\x35\x64\x49\xc7\x8f\x05\xbf\xed\x0d\x37\x1c\x3b\x25\x0d\xd0\xa0\xa8\xe5\x32\x18\x46\x5c\x0e\x4c\x41\x14\xaa\xd0\x6d\x66\x15\xa8\x37\x27\x51\x0b\xbd\x86\x7a\xbe\xe5\x06\x72\x6b\x63\x62\x6b\xfa\x13\x05\x00\x4b\x23\xa3\xc0\xa2\xc5\x65\xc6\x5b\x1d\xd1\x3a\x0f\x9f\x3b\x68\x06\x73\xd0\xc4\xcc\x81\x7a\xd9\xcb\x52\x28\x68\x63\x31\xb0\xaf\xef\x67\x37\x6c\x5a\xff\xcd\xae\x58\xb9\xa0\x39\x91\x39\x8a\x7e\x76\x7f\xf0\xc2\xff\x9f\xbd\x3f\x81\x8e\x24\xab\xee\x84\xf1\x13\x52\x2d\xaa\xd7\x0b\xdd\x01\x63\x7b\xc6\x78\x78\x13\x6d\xbb\x4a\x45\x66\xaa\x54\xd5\x1b\xd5\x4d\xd3\x6a\xa9\xaa\x5b\x50\x55\x2d\x24\x55\x35\x0d\x63\x50\x28\xe3\xa5\x32\x50\x64\x44\x12\x11\x29\x55\x82\x99\xe9\x61\x31\x86\xb1\x59\x3d\x78\x28\x0c\xc6\x36\x06\x1b\x63\x33\x98\xcd\x18\x83\x17\xdc\x36\x98\x01\xfc\xe7\xcf\x62\x1b\x9b\x61\x3c\x8c\x57\xbc\x8c\x61\xfc\xd9\xfd\x79\xf9\xce\xbb\xf7\xbe\x2d\x32\x53\x52\x95\xba\x1b\x8e\x8f\x38\x87\x2e\x65\xc4\x8b\xb7\xbf\xfb\xee\xfa\xbb\xdb\x94\x31\x94\x00\x6e\x6d\xb9\x13\x14\xd3\x0a\x1e\x44\xd5\x54\x9b\x3a\x2f\x83\xf2\x40\xce\x72\x73\x97\xd4\x2b\xc0\x22\x8d\x4b\x1e\x08\xc6\xc3\x98\xa5\x1f\x3c\xc0\x7e\xcd\xb3\x6f\xa9\xf7\x7a\xc1\xdb\xbc\xed\xef\x29\x2d\x31\xa3\x5e\xc4\x18\x7d\xaa\xd9\x6b\x29\xc9\x51\x84\x3e\x85\xd0\x33\x4a\xa5\x0a\x50\x4f\xba\xa5\x00\xb9\x6a\xf2\xb0\xeb\xa5\xb2\xc0\xf0\x4f\xc8\x9c\x14\x38\x7c\xd0\x97\x3c\xb6\x1f\x4a\xfa\x9f\xf5\x82\xdf\xf0\x20\x53\x80\xad\x4d\x88\xb5\x7c\x60\xfc\x5f\x87\xcd\x5d\x15\x94\xc5\xf5\xe0\xaa\x76\x81\x1f\x21\x8f\x3d\x30\x45\x59\x83\x69\xf0\xd3\x30\x01\xb4\x6e\xe4\x22\x89\xdb\xb6\x9a\x56\x17\xed\x6c\xb0\x29\x0a\xe5\x70\xc9\xd7\xc2\xd2\xf5\xb0\xfa\x3d\x8f\x4d\x28\x53\xaa\xff\x49\x2f\xf8\x65\x6d\x49\x75\x72\x67\x93\x97\xd6\x96\x0b\x34\xdf\xe2\xf6\xb7\x26\x87\x83\xe6\x25\x8c\xeb\x2f\xa8\x51\xd4\xaa\x28\x3f\x5e\x29\xda\x68\xcb\x28\x42\x9c\xc1\x35\xa1\xa0\xb7\xf2\xa8\xde\x0d\xf3\xb2\x8f\x39\xe2\x6a\x4e\x6b\xf9\x30\xa0\xa1\x59\xd2\xdc\xdc\x16\x34\x94\xde\xc6\x76\xaa\x1d\x3d\x96\x4a\x25\xc0\xa2\xdd\x16\x34\x86\xb1\x68\x3b\xab\xe4\x3f\xf9\xec\xdb\x86\xa5\xf0\xc9\xb3\x55\xe1\x7f\xe5\xfa\xe0\x01\x0f\xfe\x74\x0c\xee\x6d\x11\x26\x65\x5b\xd1\x16\x80\xdc\x32\x00\x41\xfa\x1e\xb5\x62\x41\x40\xc1\x5f\x8a\xbc\x13\xa7\x42\x83\x17\xc5\xc8\xb2\x27\xf1\x06\x40\x51\xe5\x22\x8c\xc0\x14\x90\x8b\xa6\x90\xcf\x28\x0b\xad\xab\xf6\xfa\xcc\x75\xec\x35\x1e\xdb\x27\x2e\x8a\xa6\xff\xfd\x1e\x7b\xe2\xb6\xce\x91\xa7\x2e\x8a\xe6\x0c\xa8\x09\x83\xfb\xef\x4d\x85\x49\xac\x63\x19\xc4\x11\x84\x06\x5c\x1e\x35\xdf\x67\xb9\x27\xca\x2a\x2a\x78\xa7\x64\x66\x97\x52\x73\xb8\x2e\x1a\xec\xed\x1e\xbb\x8e\x30\xbd\x96\xdb\xb9\x28\x24\xdf\xed\xbf\x56\xb3\xaf\x2f\x3c\x1b\xa7\x71\xa7\xd7\x01\x98\x62\xd1\xec\x81\x53\x25\x95\x2f\xf4\x0e\xee\xc2\x44\xe3\x7c\x5a\x78\xc6\xb2\x9c\x9c\x57\x00\x52\x6d\x87\x1b\xd0\xcf\x5e\xb3\x29\x44\x24\x7b\x67\xcb\x1d\x27\x1a\x5c\xb5\xb4\xa1\x82\xa8\xa6\x5d\xc2\xbe\xce\x0e\x4a\xf1\xfc\x6e\x51\xfa\x2b\x5b\xe2\x84\xe0\xf4\xdd\xb3\xbc\xbc\x70\xb7\x28\x69\x06\xd5\xcf\xca\x6c\xc8\x0a\x6d\xd8\x3c\xa5\x83\x65\x2f\x64\xd7\x74\x45\x1e\x67\x91\xba\x3e\x13\x35\x23\xf7\xdd\x93\x6d\xf2\xac\x55\x8a\x94\x1f\x89\x53\x85\xb8\x3a\x69\x7d\x6d\xa6\xc4\x61\xe0\xa7\x2d\xd4\xd6\xed\xc6\xfa\x87\xde\x00\xa2\xed\xa7\xf5\x9a\x7c\xd0\x33\xb9\xe8\xa9\x46\x9a\x63\x23\x29\xd2\x8a\xc4\x1d\xc9\x96\xf6\x4a\x77\xb2\xa7\xe9\xb3\xa1\xfd\xb8\x5c\x50\x04\x79\xbb\x26\x59\x18\x15\x53\xdd\x0c\xff\x53\x4f\xe2\x96\x68\xf6\x9b\x89\xb8\x41\x1f\xa4\x3a\x74\xa8\xa8\x0e\xf2\xb1\xb0\x82\x61\x32\x27\x92\xb0\xaf\x46\xfa\x5b\x7a\xa4\xef\x1d\x39\xd2\xb2\x6d\x47\x6c\x01\x6c\x60\x19\xa2\x57\x37\xc6\x6f\xc8\xc3\x09\xb6\x3e\x6c\x18\x04\x04\x6c\x0c\xc4\xe5\x47\x6d\x90\x9f\xf2\xd8\x75\xb0\xe7\x8b\xc2\x9c\xaf\x0f\xea\x11\xfe\x84\x37\xec\x80\xd1\x07\xdb\x9f\x30\x2a\xd8\xea\x25\xee\x29\xc3\x93\x57\x59\x75\xe3\x15\x3f\x0d\xf5\xea\x29\x02\xac\x47\x39\x7d\xf2\x8a\xd8\x6e\x6b\xbe\xc6\x63\x87\xca\x66\x77\x29\x6b\xae\x8b\xd2\x7f\xb1\xb7\x83\xac\x6a\xcb\xb3\x0b\x58\x9c\x0e\xe3\xbd\xfa\x81\x8d\x9b\x9b\x2a\xda\x14\xa7\x1b\x59\xb2\x81\x81\x4c\xcb\xb3\x0b\x20\xc0\x36\xe0\x2f\x04\x74\x94\xb7\x60\x5f\x58\xb8\xbe\xec\x6f\xf7\xb3\xef\x40\x22\x0d\x5c\xe2\xdd\x79\xd8\x14\x0b\xce\xf1\xfd\xec\x7e\xc5\xfd\x7e\x64\xbf\x72\x2f\x37\x0c\xa8\x39\xc7\x24\x9f\x47\x86\x0f\x55\xf5\xca\x5b\x3b\x6c\x0a\x84\x04\xec\x75\xb3\x94\xd6\x84\x88\x21\x32\xc3\x50\x84\x23\xe5\x50\xb7\xda\xb0\x56\xcc\x26\x56\xb1\x4a\x26\x68\x4d\x39\xff\x64\x11\xba\x49\x21\x44\xa5\x35\x3c\x5e\xc4\x6b\xb2\xfb\x3a\x6b\x5b\xdc\x11\x26\x0e\xc4\x54\x28\xbf\x6e\x65\x79\x33\x5e\x4d\xfa\xbc\x1d\x26\x26\xee\x8e\xaf\x03\xaa\x19\x54\xd3\xe0\x4b\x80\x6e\x16\x17\xb4\xe4\x52\x0c\x82\xce\x85\x58\x21\xc2\x37\x8b\x88\x37\x13\x11\xa6\xbd\x2e\xb6\x27\x37\x50\x3f\xeb\xe5\xaa\x3d\x93\x08\x4c\x6f\x9c\x34\x4e\x94\xbe\x23\x3a\x5c\xf0\x2d\x17\x48\x8b\x6c\x92\x6f\x6e\xf0\x7b\x95\xdc\x5c\xb3\xeb\xcc\x36\x44\x9e\x03\xee\x60\xa9\x22\xb9\x8c\x62\x81\x0c\x6f\x72\xda\xe4\xa6\x6a\xf0\x0b\x0e\x82\x76\x9a\xa5\xf5\x54\xac\x85\x14\x15\x00\x7b\xb9\x61\x22\xc2\xf8\xf3\x45\x9e\x59\xa6\xba\xa2\xcc\xba\x3c\xee\x74\x44\x24\x09\x46\xd2\x07\x67\x66\x59\xbf\x35\x73\xfc\x48\x9a\xf1\x0c\xf6\x60\x0f\x73\x02\x66\xbc\x68\x83\x17\xdf\x66\xaa\xf2\x65\xa1\x6e\x2f\x4c\xba\xed\x90\x38\x6d\xb9\x6c\xc4\x5a\x51\x44\x8e\x5c\x75\xe0\x55\x96\x87\x4e\x51\x95\xd3\xb4\x0e\xe3\xef\x4f\xb0\x9a\x75\xe0\x8a\x32\xcb\xc3\x35\x38\x73\x18\xa7\x31\x03\xd1\x36\x1d\x91\x52\xca\x0f\xff\x67\x26\x82\xd9\xe1\xaf\x74\xce\x4f\x6d\x6a\x08\x79\xb5\xa4\xa5\xa7\x99\x50\x81\x3c\x6e\x2c\xfc\x41\xf6\x47\x1e\xbb\x0a\xdf\x9d\xca\xf3\x2c\xf7\x3f\xef\xb1\xa9\x91\x14\x62\xa0\xc3\xf0\x4d\xf0\xe3\x80\xd5\x99\x84\x45\x89\xbe\x2e\x5c\xa4\xcd\xac\x97\x96\x40\xf3\xc8\xd5\x05\xdb\x30\x50\xff\x35\x15\x28\x63\x4b\x35\xb0\xfa\x4a\xd8\x97\x22\x01\xed\x12\x50\xf3\xf4\x15\xc2\xbe\x32\x30\x0e\xa9\xb2\x21\x1a\x74\x08\xd0\xae\x50\xa7\x61\xe7\x0d\xf6\x6e\xc9\xe6\xd3\x24\xf8\x6f\xf5\x82\xff\xe2\xcd\x3b\x96\x5e\x8a\x86\x92\xe2\x90\xa6\xd2\x49\x9f\xab\x4f\x1e\xad\x7e\x3a\x31\x3a\x1f\x1d\x63\x7e\xa8\x97\xf3\xac\x32\x23\xbe\x73\x2c\x78\xe5\xd8\x79\x49\xd3\xec\x0b\x05\xca\x55\x9d\x0a\xbb\x59\xb7\x97\xb8\x21\xbc\xb6\x35\x5e\xfb\x3e\xd1\x00\xaa\x5d\xa5\x54\x95\x74\x28\x29\xf4\x25\x4e\xe5\xc9\xe9\xad\x16\x72\x77\xa5\x25\xbf\x2f\x8c\xcb\xd3\x59\x3e\x43\xdf\xe6\x1c\xc2\x8d\x10\x0d\xfd\xd1\x9a\xb6\xad\xc2\xad\xe4\x16\x8f\xc4\x23\xbf\xc5\xb1\x8d\x87\x75\x8b\x0f\xa9\x72\x8b\x2d\xfe\xf2\x7d\xec\xf0\x30\xd6\x3a\x2b\xca\x85\xb0\x6c\x3b\x01\x82\x7f\x30\x1e\x6c\x2c\xda\x3e\x01\x10\x57\x07\xc6\x92\x4e\xd8\xed\xaa\x65\x0e\x25\x85\x6e\xf0\x7b\xf4\x4b\x3c\x26\x85\xce\x63\x89\x97\x3a\xcf\x36\x53\x91\x17\xed\xb8\xcb\x3b\x61\x1a\xae\x51\xee\xe7\x9c\x2f\x9d\x3a\x13\xa7\xbd\x8b\x3c\x17\x80\x31\x19\xa7\x6b\x8d\x4b\x1e\xd8\x6c\x1c\x42\xf4\xe9\x31\xf6\xa0\x47\xb6\x9c\x5f\xf2\x82\x9f\xf3\x64\x7f\x75\xb0\x54\x9c\x03\xb0\x44\x5f\x29\xe1\x65\x57\xb5\x97\xbc\xb6\xfb\xf0\xa2\xdf\x49\xe2\x74\x1d\xd0\x5e\x29\x34\x4e\x8a\x5b\xa4\xfd\x4d\xd7\x95\xed\x31\x17\x61\x02\x9f\x5d\x36\x5f\x49\x9b\x63\x8a\x26\xe1\x06\xd9\x11\x3d\x16\x92\x73\x5f\xe2\x51\x24\xeb\xf7\x06\xd9\xb2\x14\xb3\xe5\xd5\xab\x96\x80\x48\xb4\xc3\xe8\x05\xc1\x23\xd1\x8d\xdf\xb8\xa6\x02\xc1\x89\x7b\x61\x7e\x69\x76\x69\xde\xd9\x08\x6f\xba\x26\x78\xad\x67\xef\x84\x94\x43\x21\x1e\xc5\xc5\x7a\x83\xfe\x56\xab\xae\x63\x1a\x00\x5c\x5d\xee\xff\x88\x87\x05\x37\x31\x8a\x5c\xf6\xb1\xfa\xd5\x96\x9b\x44\xde\xaf\x43\x77\xc9\xd5\xa8\xd5\x5e\xc8\xf2\x32\x4c\x2e\x79\xe3\xf1\xf3\xd2\x4b\xde\x78\xd2\x4b\x9d\x9d\xf3\xa5\xab\x58\xca\xae\x8d\x8b\x66\x11\xcf\xab\x54\xf7\xfe\xbf\x0f\xee\x8d\xa1\x07\xfa\x11\x42\x45\x03\x35\xeb\x15\xc8\xbe\x62\x09\x88\x44\x47\x96\xd5\x5e\x94\xc3\xa4\x7e\x3a\xcc\x8f\x94\xcd\xee\xa4\xa3\xc9\xb8\x91\xc9\x5e\xf8\x75\x25\x14\x7c\x1b\xd6\xb4\x8c\x4a\xf8\x33\xbd\x94\xcc\x37\xee\xdd\xff\x1f\xed\x70\xcb\xfc\x4a\xa3\x2d\x9f\x34\x7b\xcf\xcc\x02\xc5\x59\xc2\xce\xa2\x51\x90\x01\x00\xfc\x97\x40\x6a\x42\x60\x18\x4b\x73\xcf\x8e\x31\x39\x85\xfe\x64\xf0\x78\xea\x29\x7e\xfa\x74\x05\x97\x0d\x53\xe4\x0c\xf4\x3d\x1e\x3b\xd8\x85\xe9\x2f\xfc\xb7\x7b\xc1\x2b\x3c\x67\xa0\xb8\x30\xfc\x4c\xac\x54\xcb\x58\x14\x02\x97\xc9\xf3\x3c\xe5\xf3\x0b\x92\x0a\xc4\xdd\xe7\x84\x51\x94\x9f\x44\xf3\x69\xcb\x58\xd5\xe2\x42\xeb\xb6\xc2\x54\x07\xe9\x1e\x29\xfb\xdd\x58\x5e\x1f\x7d\x2d\x50\x14\xfc\xd6\x9b\x8f\x61\x36\x95\xe3\x37\x1f\x9b\xdc\xca\xc0\xb1\x6e\x05\xd7\x3e\x27\x78\xfa\xee\x42\x66\x07\x23\x72\xdd\x1b\xfa\xad\x1e\x73\xf6\xa9\xff\x3a\x2f\x78\xe9\xb0\x79\xc2\x29\x5a\x78\x54\xa7\xc8\xcc\xc9\x05\x76\x7d\xb3\x1d\x76\x67\x7a\x65\x7b\x2e\x2e\x20\x7d\x51\xdf\x9f\x09\x4e\x28\x15\x99\x3a\xa1\xd8\x71\x5d\x84\xc3\x6e\x73\xf7\x91\x33\xfc\x45\xf6\x18\x55\xef\x12\xa2\x26\xfb\x4f\x09\xa6\x87\xd7\x4a\x05\xb6\xad\xf3\x7d\x63\x3a\x6a\xfc\x1d\x63\xc1\x8f\x8c\x55\xa3\xc6\x55\x1a\x19\xa4\xa4\x70\xa4\x6d\xd8\x69\x8a\x28\x5f\x8e\xbb\x27\xf9\xa9\xb4\xe8\xe5\xc2\x98\x9b\xaa\xc1\xe5\x71\x71\x19\xf1\xe5\x08\x97\x7c\x72\x54\x94\xf9\x7c\xa7\x9b\xc4\xcd\xb8\x4c\xc8\x8f\x2d\xd7\x59\x02\xf0\x03\xb9\xa8\xbd\xd4\xd2\xf6\xed\x92\xe8\x03\xc9\xb3\xd7\xf8\xb3\x1e\xbb\x46\x1f\x7e\x00\x92\xfa\x35\x2f\x78\xaf\x37\xdb\x2b\xca\xac\xc3\x15\x3d\x54\xc4\x01\x0e\x3b\x07\xe8\x6e\xeb\x13\x27\x5e\x1a\x59\x46\x97\xb4\xf2\x22\xee\xf4\x92\x32\x4c\x45\xd6\x2b\x92\x7e\x8d\xa7\x62\x93\xea\x8e\x75\x99\xdb\x89\x1c\x21\x41\xb8\xe3\xe4\xed\xb4\x56\x69\xd8\x11\x77\x18\x6f\x08\xc8\xec\x16\x69\x9d\x49\x33\x4b\x53\x4c\x55\xea\x6c\xdd\xd7\x0f\x67\x6a\xe4\x49\xda\xcc\x72\x17\xf5\xe0\xcf\xc6\x83\xdb\x86\xbd\x70\xbd\x1f\x55\x89\x2a\x00\x82\x14\x93\xf0\xd1\xfc\x9c\x73\xc7\xbc\x6e\x9c\x7d\xd2\x40\x19\xc0\xac\x9e\x5e\x82\xbb\xbd\x12\x34\x5d\xdd\x5f\x6a\x3b\x3e\x12\xf8\x06\x97\xbf\xe3\xec\x59\xbd\x68\x11\xc9\x24\x78\xf6\xa3\x88\x3b\x70\x37\xd3\x93\xec\xdf\x16\x10\x93\x3d\x3f\xc7\x7b\x69\xfc\xbc\x9e\x14\xdd\x6d\x83\x5d\x75\xad\xec\x21\xbc\xf3\x2a\x76\xe7\x0e\xb2\x1a\x35\xb6\x4a\x77\xe6\xff\x31\x0b\x5e\xe4\x6d\x99\x10\xcd\xc5\xe7\x72\xd3\x48\x65\x2d\x0a\xa7\xae\x26\xea\xc3\x68\x1c\xc8\x85\x82\x26\x07\x9d\x66\xb1\x13\xf6\x79\xb3\x1d\xa6\x6b\x76\xc6\xc0\x8a\xe9\x61\x62\xcf\xe3\x76\xcf\xe3\xd6\xf1\xb8\xfd\x27\x8f\x4d\xd0\xde\x2a\xfc\xff\xe3\x05\xf3\x3a\x5d\x8e\x13\x0a\xb6\x69\xa7\x13\x04\x19\x1a\xd2\xc7\x38\xf1\x97\x6e\x76\x54\x87\x91\x3a\xc5\x66\xb7\x02\x45\xda\xe1\x01\x7b\xc8\x3b\xcc\xbe\xdd\x71\x96\xec\x86\x65\xb3\x5d\x87\x4f\xc4\x5a\xdf\x9f\xf0\x0f\x74\x44\xbe\x26\x98\x2c\xf9\xf8\x21\x25\xe1\x6d\x7d\x5d\xf4\xfd\x83\xfe\x7e\x79\x69\xb0\x3d\x0f\xd6\x5d\x7b\xb0\xfe\x87\xed\x3d\x58\x9f\xe5\xdf\x6f\x3c\x58\x87\xae\x76\x25\x5a\x61\x2b\xc2\x59\xf5\x74\xfd\xa5\x03\x6c\x72\x74\x7e\x00\x8c\xdd\x00\xe8\x76\xf0\x52\x7b\xe5\x81\xe0\x88\xfe\x45\xb4\xaf\x9a\x90\x39\x44\xa8\x77\x97\x78\x7e\x6e\x3f\x13\xec\xda\x76\x96\x44\x22\x9f\x47\xff\xb0\xbe\xbf\x14\x9c\x76\x9f\xb8\x11\xd0\xb1\x7a\x4a\xac\x25\x96\xc5\x26\x94\x4b\x77\x62\x9a\x22\x3a\xf3\x31\x8f\x3d\x0e\x9e\xce\xf5\x5c\xd7\x9d\x77\x69\x73\xd1\x1b\xbc\x61\x05\x70\x38\xda\xce\xa0\x12\xd5\x46\xe0\x7b\x54\x50\x30\x06\x7c\xa8\x73\x4d\x6d\x86\x31\x30\xb7\x78\xe9\x86\x4d\x50\x47\x03\x0e\x88\xd2\x5a\x77\x44\x08\xbc\xae\xb2\x8a\x83\xd6\x1f\x52\x7b\x48\xd2\xa0\x52\x45\x2f\x8a\x54\x6c\x2e\xc7\x9d\x8a\x5e\x3a\x67\xd7\x41\x7b\xcb\x52\x18\x26\xec\x96\x67\xab\x41\xcc\x57\x5f\x69\xfb\xbf\x36\xf6\x95\xd6\x4b\x98\x35\xec\xbd\x72\x51\xc3\xf9\xac\xa4\xb9\x7c\x0b\x44\xd8\x52\x77\xfc\xd7\x7a\xec\xf6\x2b\xa0\xd3\x67\xe3\x66\x9e\xc9\x0a\x82\x45\x5d\x17\x4e\xaf\x6b\x65\x51\xab\x68\xaf\x2c\xf6\xb1\x1d\x16\x38\x47\x74\x87\xe1\xd9\x86\xc5\x66\x2f\xf7\xd8\x55\x34\xd7\xd0\xc9\xe7\xef\xb2\x8f\x27\xad\xca\xb6\xea\x25\xf6\x6c\x33\x2c\xd4\x4a\x47\x0d\xf6\x0b\xfb\x1c\xd3\x41\xd8\xed\xa2\x0b\x78\x19\x96\xa2\xd5\x4b\x96\x44\x79\x1e\x06\xb0\xa4\xa8\xec\xcb\xf6\x05\x9f\xf6\x46\xbe\xae\x86\x39\xa9\xc7\x5a\x54\xb2\xbe\xe4\x04\xae\x93\xa8\x44\xa0\xbd\x42\xd8\xf6\x73\x9c\x39\x8c\x1e\xa5\x24\x79\x05\x62\x04\x44\x88\xb4\x03\xea\x36\xed\x47\x9a\x8a\xa6\x28\x8a\x10\x93\x89\xda\x36\x78\xac\x47\xcb\x03\xaa\x87\x91\xee\x9d\x7b\xd2\xdf\x36\xc6\x3e\xe8\xb1\x6b\x64\xc7\xe2\x74\x0d\x87\xe7\xbf\xdd\xdb\xea\x06\xa3\x49\x5b\xb4\x3f\xb1\x06\xaa\x26\x27\x58\x75\x4a\xd8\x80\xb6\x76\xb2\x4b\x6b\x4c\xb0\x84\xcb\x24\x52\x6e\x57\xbd\x2c\xd7\x60\x6d\x52\x13\xae\x04\x28\x4a\xb8\x0b\x62\x4b\xba\x23\x17\xd1\xf8\x2b\x54\x5b\x75\x08\xd5\xcf\x5f\xc7\x9e\x6c\x53\x5e\x91\x97\x48\x47\x45\xa1\x29\xef\xac\x79\xb8\x14\xaf\xa5\x71\xba\x66\xfb\x0c\xff\xf5\x63\x82\x8f\x78\x48\x69\x2c\xe3\x81\xfc\xd9\xe9\xf4\x30\xdb\x9f\x31\x91\xea\x74\x8f\x85\x12\xf1\x1a\x1c\xc4\x03\x94\x15\xf0\xa5\xbc\x26\xcf\x17\xe1\x9a\x20\xbd\xb8\x76\xc4\x83\x80\xbb\x14\xbf\x04\x85\x37\x2a\x3f\xa8\x50\x98\x0b\x1e\x89\x3c\xde\x40\x79\xc9\x42\x47\x84\x98\x61\xcd\x90\xea\xc4\x8f\xab\x7d\xcc\xac\x0d\x88\x46\xd8\xb6\xb3\x89\x5e\x7f\x2d\x7b\xeb\x7e\x76\xa0\x07\x5d\xf1\xdf\xb0\x3f\xf8\xfc\x3e\x42\x07\xa0\xde\x59\x16\x6f\x15\x0c\x08\x85\xe1\x50\x88\x8b\x24\xf8\xad\x8b\xbe\x96\x6b\xb5\x93\xaa\x64\x2a\x84\xb9\xe2\xcb\x2c\x4b\x8a\x46\x2c\xca\x56\x23\xcb\xd7\xa6\xda\x65\x27\x99\xca\x5b\xcd\x9b\x8e\xdf\x7a\xec\x86\x02\x05\xdf\xfa\x8d\x8d\xe3\x8d\xe9\xc6\x09\xcc\x03\x75\xf9\x1f\x4e\x1f\x67\x90\xff\xd9\xce\xbd\xc8\x78\x50\xe0\x8a\x06\x35\xc6\x83\x28\x5e\x8b\xcb\x90\x6c\xa2\x92\x83\x80\xa7\x30\x98\x14\x72\x58\x77\xe2\x52\x25\xb6\x0a\xe4\xb0\x44\xda\x8c\xbb\x6d\x91\x3b\x0f\xc3\xb5\x5c\x08\xfd\x44\xf2\xa8\x83\xe5\xe4\x3e\x83\x66\xf0\x57\x9e\x98\x1f\xaa\x2c\xe8\x92\xb1\x0a\x51\x7d\x12\xa6\xf8\xaf\x0a\xcd\xec\x95\x6d\xac\x08\x25\x12\xf3\x3b\x8b\x04\xb7\x47\x28\x3a\x61\x9c\xf0\x6e\x9e\x95\x38\x37\x58\xcb\x54\x47\x52\x60\xf9\x67\xdc\x2d\x44\x13\x42\xe2\x51\xb6\xb6\x1e\x96\xbd\x34\xc5\x6c\x69\xf4\x40\xee\x1d\xf8\x09\xae\x39\x65\xd8\xe9\xaa\x56\xb2\x66\xd1\x75\x9a\xed\x48\x32\x5f\x64\xad\x92\x17\x6b\x4d\x78\x92\x8a\xb2\x68\x86\x52\xc6\x5f\x6b\x06\xa3\x15\x96\x0f\x79\x37\x8c\x44\x17\x3b\xe4\x1f\x0c\xcb\xac\x13\x37\x19\x8b\xd8\x84\xec\x0d\x38\xe2\x3d\x23\x78\xda\xfc\x56\x31\xb5\x52\x20\x94\x85\x61\x07\xe2\x5f\xb2\xbc\xa5\xa2\x69\x41\x56\xc0\x32\x8c\x93\xa2\x51\xc1\xbd\xd8\x2f\x2e\x96\x79\xe8\xbf\x30\x78\x3a\x02\x1c\x6e\x19\xbd\x7b\x79\x2d\xbd\xc3\x7b\x3c\xfb\x37\xa3\x67\xc2\x36\xda\xbd\xd9\x63\x07\x10\x7d\xc6\x7f\x9d\x17\x3c\x9d\xbc\x1c\x1f\xce\x41\xef\x72\x3d\x9a\x4c\x11\x14\xff\x19\xfe\xbe\xd5\x7e\x29\x82\x27\xdc\x15\x16\xe2\xe6\x1b\xeb\x22\x95\x9b\x32\xe2\x0b\x4f\x9b\x5d\xba\x61\xfa\x18\x9f\x5d\x5a\xe4\xf2\x8c\x5c\x7e\x23\xaf\xdd\xc7\x98\xdc\x64\x02\x15\x7a\x2f\xde\x17\xfc\xdf\xf1\x45\xed\xf4\x8d\x6f\x2c\xc7\x54\xf2\xf3\x9e\xa7\x74\x20\x3a\x13\x26\xba\x6a\x92\xa7\x8a\x9c\xc2\x93\x7c\x05\xdc\x71\xeb\xed\xac\x28\xe5\x4b\x29\x78\xc8\x7f\x57\x40\x27\x08\x18\x2a\xc6\x8e\xb6\xaa\xf1\x33\x45\x74\x92\xf1\x69\xd4\x1b\x96\x87\x65\x1b\x72\x04\x89\xe4\x11\xf0\x58\x5a\x97\x4b\x4d\x39\x5e\x16\xd0\xcf\x88\x61\x0a\x3d\x47\xc5\x89\x81\x48\x2a\xd4\xad\x8e\x95\xd4\xa9\xce\xa0\xc1\xf8\xf1\x61\x6d\x41\x10\x4e\xba\x76\x25\x8d\x25\xa2\xac\xd3\xe7\xb2\xfa\x13\x8e\xef\x8a\x5b\x45\xf5\x73\x8c\x62\xaa\xf7\x30\xd3\x6a\xd0\x60\x73\x52\x2e\x92\xe2\x19\xc9\x23\x18\x97\x21\x57\x03\x17\xa6\xe0\xed\xb0\xdb\x15\x29\xb8\xf4\xc9\x02\xab\x61\x1a\x35\xf8\xfd\x59\x0f\x2e\x3b\x4c\xb7\x87\x36\x4d\x6d\x1e\x46\x98\xd5\x15\x70\x89\x31\x0b\xbf\xe2\x9c\xd1\x26\x1b\xef\xc5\x91\xff\xef\x83\x7b\xcf\xcf\xcf\x3d\xbc\x67\xc2\x34\xf2\x7f\xf7\x0d\x05\x9a\x45\x75\xdd\x42\x9e\x3d\x17\x89\xab\xff\xc9\x7d\xc1\x3d\xe6\x27\xf9\x0b\xa0\x4f\x77\x17\x1f\x8b\x88\x87\x10\xab\x01\xea\xe4\xcc\xb6\x0c\x48\x99\x98\xd4\xf8\xfd\x6e\x25\x84\xe8\xeb\xe3\xec\xb5\x1e\x7b\x2c\x05\x5c\xcd\x34\xc1\xdc\x0e\xb1\x1b\xfe\x0b\xd8\x1d\x3b\x48\xdb\x34\xf0\x9d\xe9\x66\xf0\xa4\xe1\xb3\x36\xa4\x31\x38\xb8\xc0\xa9\xe2\xd7\xac\x64\x87\x50\x09\x78\x36\xec\xfa\x6b\xec\xc6\x6d\x7b\x32\xab\x4a\x5b\xed\x4f\x0d\x6f\x5f\x57\x3c\xd0\xea\xf3\xd9\x55\x51\xb6\x99\x6e\x86\x79\x34\xb3\x30\xef\xaf\xb3\x9b\xb7\x6d\x77\xce\x94\xb7\x5a\x9e\x1e\xde\xb2\x55\xf9\x40\xdb\xeb\xec\x00\x5a\x2e\xfd\x70\x8b\x70\x6f\x37\x5f\x96\xd5\x62\x6d\xd4\x5c\x83\x0d\xb3\xda\xd8\x07\xaf\x66\xa7\x76\x9c\xab\x7e\x4b\xd5\xee\x5f\x5d\x15\xfc\xf3\x37\x81\x6a\x97\xcf\x89\x6e\x2e\x50\x90\x89\x53\xbe\x31\xdd\x98\xbe\xb9\xc6\xbb\x49\x98\xa6\x64\xfc\xc8\x45\x27\xdb\x08\x13\xf5\xf6\x49\x0d\x7e\xbe\x10\x5b\x2a\x60\xa6\x36\xa6\xb7\xd4\xbd\xa8\x7c\xac\xae\xc0\xf4\x85\x3d\xd8\x9a\x3d\xd8\x9a\x3d\xc5\xfc\xc3\xaa\x98\x7f\xf1\x98\xa5\x98\xff\xdb\x47\x4a\x31\xff\x54\x76\x0f\x3b\x7d\xd9\x8a\xf9\xa1\x34\x72\xe7\x3a\xf7\xcb\xd1\xe3\xbf\xd8\xdb\x5e\xbb\xbc\xe2\x3f\xfb\x91\xd2\x2e\x13\x22\xce\xc7\xae\x66\x77\xef\x78\x5e\x2e\x60\xb0\xe7\xa8\xdb\xe3\x1f\xae\x0a\xbe\x7f\x6c\xeb\x32\x0f\xf7\xfd\x41\xbb\x58\xb2\x49\xf2\x92\x84\xab\x04\xcc\xa9\x8f\xdc\x25\xb2\xcd\x00\x87\x5e\x23\xbf\xbb\x77\x8d\xec\x5d\x23\x7b\xd7\xc8\xc3\x7a\x8d\xbc\xd4\xbe\x46\xfe\xee\x91\xba\x46\xce\xb0\xa7\xb2\x7b\xae\xf0\x1a\x19\xa0\x14\x8f\x84\x99\xf7\x21\xef\xa5\x3b\xb8\x48\x56\xfd\x95\xfa\x20\xf5\xe7\x97\x75\xb7\x6c\x4d\xf8\x18\xfb\xe9\x43\x4e\x5a\x37\xe3\x15\x4e\x20\x73\xf8\xdb\xe4\x64\xfd\xfb\x89\xe0\xc6\xea\x43\x5c\xbb\x66\x96\x24\x24\x1c\x67\x2d\x4e\x15\xf1\xa6\x2c\x24\x46\x24\x65\xfd\x95\x83\xec\xb7\xec\x4d\xfe\xe1\x5d\xa6\xaa\xfc\x0f\xc3\x53\x55\x3e\x5a\xdb\x7b\xef\xba\xd8\xed\x75\x51\xaa\x0c\xb3\xeb\xc1\x0d\x3a\xc3\xac\x0d\x6a\x62\x6f\x3d\xf9\xa9\x39\xf3\x4f\x62\xb7\x6c\xe1\x6b\xbc\xd5\xbe\xde\xbb\xa4\xae\xfc\x92\x7a\xc8\x8b\xb7\xa7\x63\xa7\xfd\x39\xcd\x10\xab\x85\xa8\xc2\x41\x56\x48\xca\x50\xb6\xf7\xbd\x8c\xdd\x75\xf9\xc0\x4e\xb8\xe0\x33\x0b\xf3\xa4\x29\xf3\xff\xe2\x50\xf0\x2c\xf3\xb3\x02\x18\x89\x46\x18\x74\x4d\x00\x40\xf5\x66\x2f\x09\x73\x0e\x6a\x79\x3a\xc7\x0d\xf4\xb1\x57\xc1\x42\x01\x75\xb4\x01\x23\xac\xa4\x8a\x79\xdd\x1e\x0f\xb9\xc7\x43\xfe\x4b\x41\xd0\x7d\xbb\x82\xc3\x7c\xb3\xc7\x96\x87\x56\xb5\x8b\x63\x09\x88\x99\xa7\x5d\x90\x2e\x5b\xa1\x0a\x91\xe1\x80\x25\x04\xe9\xd9\x22\xcb\x43\x21\x56\x3a\x77\x75\x7e\xd9\x8f\x18\x90\xcb\xd7\x78\xec\xc2\xc3\xde\x57\xc4\xc1\xbc\x85\x22\x54\x75\x7f\x95\xc5\x7e\x50\x11\x4c\x88\x3c\xd8\xbd\x87\xbc\xf5\xed\x89\xe6\x3d\xfe\x69\xa3\x45\xa8\xf4\xa8\x42\x3c\x4d\xc7\x86\x92\xcd\x77\xef\xdb\x26\xb7\xf5\x40\x1e\x55\x74\x32\xff\xfb\xf1\xe0\xb7\xbd\x61\x6f\x2c\x17\x8e\x76\xb6\x09\xe1\xc5\x00\xbd\x2b\x47\x7b\xd9\x09\xad\x1f\xe5\xcc\xa7\x97\xbc\x03\xd8\xc3\x4b\xde\x01\xf4\xde\x77\xe8\xf5\x4b\xc7\xd8\x8b\x3d\x46\x45\xfc\xfe\x65\xa6\x15\xc5\x49\x9a\xd7\x90\x6c\xc1\xad\x34\x1b\x96\xab\xb7\x05\x63\x46\x2f\x57\xfb\x68\xb6\x04\xb8\x03\xca\x2d\xcd\x5e\xc8\xa8\x7b\x7e\xc1\x9e\x74\x05\x9d\xc0\x98\x9c\xe0\x66\x6a\xca\x85\x17\xb1\xd3\x85\x6a\xab\xaa\x9d\x99\x9a\xbd\x92\xb1\xa3\x23\xd1\xaa\xce\xe1\x2f\xcc\x29\xb3\x20\x44\xee\xff\x8f\x43\x41\x32\xf0\xd4\x4d\x29\x23\x10\xb5\x26\xc4\x48\x45\x44\xa2\xe1\x65\x36\x25\x97\x8f\xfc\x66\x9a\x22\x87\xe4\x32\xcd\xac\xb3\x4a\x1e\x93\xe0\x66\x67\xf9\xc4\x90\xcf\x8a\xb3\x66\x7f\x38\xc1\x7e\xc6\x63\x07\xe3\xee\x5d\x49\xd6\x5c\xf7\x7f\xd4\xdb\x02\x85\xa5\x02\xbb\xb5\x00\x9f\x04\x1d\xfa\x43\x5f\xc6\x94\x00\x07\x36\xb4\xc5\x05\x50\x31\x83\x29\xa0\xc3\x8f\x01\xd6\xa9\x2d\x52\x9e\x52\xbc\x13\xb9\x34\x39\x4e\x3d\xe8\xf9\xd3\x60\xbf\x37\xce\xae\xd7\x70\x51\x3a\x45\xf9\xaf\x8f\x3f\x0c\x29\xca\xff\x79\x0c\xff\x2c\xb8\xc6\x85\x52\xc9\x48\xe9\x08\x28\x68\x2f\x08\x40\x74\xc3\x96\x31\x8c\x14\x20\x4b\x48\x8a\x92\x65\xf4\x9e\xe4\x85\xe8\x84\x69\x19\x37\x8b\xdb\x78\xdc\xe2\x74\x89\x02\x5e\x9c\xb1\xa3\x17\xd4\x7c\x98\x58\x99\x9e\x8a\x06\x63\xf3\x2d\xbe\x90\x45\x76\xee\xf4\x30\x29\x32\x39\x71\x35\x9c\x39\x39\x5d\x83\x7b\x08\x12\xc8\x6f\xb6\xb3\x44\xe8\xaa\x4b\x88\x2f\x8b\x0a\x93\xb0\xd4\xa9\x98\x6a\x32\xc3\xc7\xef\xd0\x47\xea\x5c\x75\xda\x2d\xbb\x78\xb5\xfb\xd0\xc6\xe5\x56\xc7\x3e\x3b\xce\xae\xea\x9a\xfe\x3c\x5c\xcb\xaa\x41\x1b\xaa\x8b\x82\xd8\x3a\xaa\xdf\xb2\xcf\x8f\xe8\x9a\x62\x32\x78\xb9\x9a\x03\x63\xff\x66\x5f\xd3\x1d\xb5\x81\x27\xff\x70\xc1\xb3\xcd\xd4\xd4\xdc\x60\x7f\x72\x88\x1d\x19\x06\x86\xd5\x6d\x8b\x8e\xc8\xc3\xc4\x09\xcf\xfa\xd0\xa1\xe0\xa9\x6e\xa4\xb1\x50\xe5\x9c\x70\xbe\xb8\xe0\xed\x30\x8d\x12\x1c\x47\xa8\x92\x09\x2b\xdd\x09\x26\xcf\x74\x05\x8a\x2f\x4f\xb0\x3f\x98\x60\x8f\xc5\x5a\x66\x93\x30\xee\x2c\x8b\x4e\x57\x72\xf4\xfe\x83\x13\x3b\x70\x17\x58\x90\xec\x41\x51\x8a\xb4\xbc\x30\x58\x45\xf0\xa2\x89\xfb\x2c\xbc\x13\xf0\x03\x05\xcf\x46\xe0\xb6\xc3\x34\xaa\x87\x49\x96\x0a\xbe\x70\x61\x96\x4c\xd9\x98\x3f\xd7\x8a\x53\x54\x11\xb2\xa0\xbe\x57\xb8\x4f\x71\xc1\x87\x4e\x14\xc4\x87\x76\x56\x45\x14\x01\x8b\x80\x2d\x03\xd9\xdc\x4c\x0d\x0d\x5d\xb8\x30\x6b\xc1\x01\xc8\xb6\x8d\xb3\x4e\x22\x4a\x3b\x49\x36\xb0\x19\x04\xb7\x42\x89\xb5\x6d\x7c\x5d\xfb\xdb\x95\xdb\x01\x4e\x27\xec\x88\x3b\xea\x4e\xdc\xde\x0a\xdf\x84\xe0\xaf\x95\xca\x53\x1b\x0c\x4e\xcb\x07\x2b\x72\x0b\x75\x45\x93\xfc\x45\x8a\x15\x0e\xea\x08\x2e\xd2\x32\xef\x37\xe4\x06\x53\x60\x9b\x60\x1a\x89\x21\xc3\x90\x86\x5a\x85\x69\x6a\x29\xa3\x8a\xe4\xa8\x52\xe0\x96\x14\xe2\xb4\x64\xa2\x2c\x28\x50\xe8\x7f\x25\xbf\x78\x96\x01\x30\xce\x64\x83\xb1\x99\x14\x11\x41\x61\x67\xc3\x48\x61\x32\x42\xcc\xc5\xe5\x64\xbc\x97\xf3\xeb\x40\xd3\x40\xcf\x8e\xa6\x59\x79\x54\x2f\xbe\x86\x78\xca\x10\xda\x75\x23\x8b\xad\xec\xc8\x52\x3a\x44\xbc\x0d\x9a\xa5\xd5\x3e\xef\xc4\x05\x80\xb7\xf1\xa5\x52\xde\x99\x24\x88\x75\x35\xe4\x50\xca\x57\xe5\xf5\x29\x22\xde\x4b\xcb\x38\x41\x5f\x68\x5d\x8f\xec\x32\x88\xba\x9d\x6c\x83\x30\x06\x31\x03\x97\xa4\x4a\x75\x15\x44\x49\xa5\x3a\x82\xa2\x60\xad\x5c\x41\xd4\x58\x4d\x2f\x75\x1b\x45\x5e\xe5\xf0\xae\x20\x73\x71\x73\x0d\x64\xed\x95\xfd\xcc\x52\x0a\xf5\x93\x3f\x34\xbc\x2a\x9c\x4a\xf0\xeb\x8d\xb5\x94\x4d\xc2\x9e\xf6\xf1\x46\xdc\xd4\xb8\xb4\x10\x71\x5b\xbd\x04\xfd\xa5\x3b\x61\xda\x83\x0a\xa4\x40\x9d\x16\x65\xde\x6b\xa2\x14\xc3\x57\x73\x70\xbd\xa1\xab\xb9\xc1\x58\x15\xf9\x92\x90\xed\x81\x37\x4c\x33\xf2\xba\x30\xa8\x44\x9d\x30\x12\x15\xff\x60\x1a\x8d\x1c\x3f\xba\x2a\xc7\x25\x4c\xc4\xaa\x10\xa9\xf6\x53\x66\x4c\x81\x8c\xd7\x50\x8f\xa1\x86\x13\x27\x0d\xf6\xb7\x57\xb1\xc7\x0f\x0b\xd3\x57\xc0\x62\xfe\xe7\xae\x0a\xde\x31\xa6\x7f\xda\x6c\x9e\x4e\x4f\x45\xce\xf5\x16\xfc\x01\xc5\x82\xd2\xf4\xc9\x7d\x82\x49\xe1\x11\x2b\x15\x5d\xce\x15\x6e\x9a\xc6\x30\xe3\x62\x03\xe5\xf4\xd3\xb4\x19\x17\xb2\xa2\x84\xdd\x05\x33\xb2\x90\x8b\xa5\x32\xeb\x5a\xe5\x91\x9c\xe6\x45\xcd\x81\xe7\xd0\x47\x8c\xea\x87\x6d\x58\x58\xbb\x50\x21\x7c\x15\x0a\x97\x44\xd4\x78\x2f\x4d\x20\x53\x9e\xf3\x25\xa1\x4a\x01\xba\x56\x51\x33\x34\xae\x19\x16\xb8\x71\xa8\x03\x70\x17\xae\x82\xe7\x97\x4b\xbf\xdf\x70\x88\xfd\xa7\x71\x76\xa8\xab\xc6\xe1\x7f\x6d\x6c\x8b\x0c\x93\x1a\xd9\x04\x6b\x0d\x7e\x63\xcc\x4c\x00\x60\xba\x62\x7a\x17\x0b\x0f\x0a\xd7\xdc\x86\x8a\xb4\xdd\xd3\x09\x4a\x44\x75\x92\x46\xe1\x0e\x31\x36\x90\x58\x42\xa1\x42\x29\x10\xbb\xb0\xd9\x84\x68\xa6\x35\xb9\x5e\xa8\x03\x81\x57\x74\x6d\xd2\xc5\x7b\x79\x73\x0f\xc6\x62\x35\xed\xc3\x55\x4c\x5b\x85\x8b\xeb\x9a\xad\x3f\x0d\x08\x5e\x1d\xcc\x48\x53\x16\x16\x1e\x3c\x60\xaf\x3d\xc0\x0e\x76\x71\xf7\xf8\xdf\x77\xe0\x32\x56\xe0\x77\xf7\xab\x4d\x37\x7c\xfe\x09\xe6\x2f\x1c\x39\xa1\x51\x4f\x61\x44\x63\x9a\x42\x0c\x13\xc8\x9c\x49\x83\x5d\xcf\x55\xfe\x41\x85\x87\x37\x45\x58\x78\x2e\xc0\x5b\x4d\x92\x47\xc9\xab\x41\x10\x81\x56\x78\x91\xa3\x3b\x3c\x14\x65\x13\xaf\x65\x6b\x73\x42\x32\x4f\xea\x7e\x75\x89\x9a\x79\x58\xb4\xa5\x80\x2e\x2f\x9a\x18\x73\x90\x0b\x95\x52\x0d\xae\x05\x0b\xf4\x2d\x2e\x2a\x99\xc2\xa9\x11\x85\x03\x51\x81\x58\x73\xa1\xe8\xc0\xfd\x30\x92\xac\xd6\xaa\x58\x8b\xd3\x42\x4d\x1f\x1c\x75\x9a\x67\xb9\x60\x02\xc8\xa1\xb8\x28\x9a\x3d\xd8\xc7\x8b\x62\x2d\xcc\x23\x38\x9f\x4a\xd0\xea\x95\xcd\xcc\xdc\xf4\xd4\x89\xea\xde\x06\xba\x09\xb3\x8b\x04\xd9\x80\xe8\x51\xd2\xbc\x72\xdb\x3e\x3f\x0c\x7b\x5c\x4e\xac\x79\x37\x72\x72\xf0\x02\x40\x4c\xae\x47\xe5\x50\xfc\xbe\xe7\x08\xfd\x74\xa6\xb5\xfa\x0b\x45\xef\xd9\xa5\x79\x4c\xf7\xee\xff\xac\x17\x2c\x56\x1f\x56\xb4\xe9\x71\xba\x06\xf9\x7f\x93\x38\x15\x1c\x10\x37\x28\x1f\x3c\xf1\x22\x24\xce\x5b\x17\x79\x63\x18\xc4\xf4\x1c\xbb\x8b\x90\x79\x4f\x06\x75\x1b\x99\x17\xb5\x62\x80\x4d\x65\xf3\x79\x80\xea\x03\x2d\xd9\xba\xd0\x57\xec\x73\x86\xb7\x15\x28\x5d\x57\x34\xfd\x2f\x8e\x07\xf7\x0c\x7b\xa1\x01\xe9\x06\xc3\x34\x77\x80\x4b\x97\x5f\xf2\x0e\xe0\x11\xbd\xe4\x4d\xa4\x59\x04\xd9\x40\x9d\xc1\xfe\xaf\x31\xf6\xc3\x06\xc2\x2d\xf7\x5f\xe1\x05\x2f\x9c\xa1\x1f\x95\xe0\x29\x7b\xcc\xc4\x86\x45\xd6\x04\x9f\x3d\xbf\xb4\x4c\x27\x41\x99\x11\x34\x40\x7a\xec\x66\xcf\xb5\xf1\xd1\xee\x16\xe5\x02\x64\xfb\x97\x5d\x3b\xe2\xe2\xab\xdc\xc3\x74\xa7\xfd\xdb\x83\x29\x60\xb0\xb3\xc8\x42\x1e\xa1\x6e\x58\xe9\x1e\x08\x57\x0e\x53\x2b\x9b\x9a\x5e\xc8\x68\x1e\xfc\x82\x9d\xdc\x39\x4a\x99\xb5\x16\xf0\x75\x70\xd3\x20\xf2\x45\x15\x35\x65\xb0\x33\x0d\xf6\x8b\x57\x69\x5b\xd2\x96\x31\xdf\xdb\x78\x4f\x7d\x8d\x05\x2f\xf7\xbe\x69\xbc\xa7\x9c\x7d\xf4\xd9\x3d\xd3\xd3\x9e\xe9\x69\xcf\x7d\xe9\x61\x75\x5f\x7a\xc0\x76\x5f\xfa\xda\x23\xe5\xbe\x74\x37\x3b\xc5\x66\x2f\x1f\x9e\x62\xa8\xe7\xd2\xc3\xef\x02\xfb\xc0\x0e\x3c\x97\xbe\xc7\x7f\xd6\xe5\xb9\xc0\x6e\xe3\xa6\x54\x81\x58\xf8\x9d\x43\xdb\x58\xb4\xa6\x1b\x2a\x21\x34\xd9\xad\xd0\x16\xf8\x96\x43\xc1\x1f\x8c\x0d\x7b\x53\xb9\x57\x55\x7c\x3a\xc1\xfb\xb6\xac\x9c\x91\xca\x68\x03\xb1\x51\x92\xaa\x19\xd1\xbb\x26\x99\x75\x03\x2a\x15\xa7\xe6\x98\xca\xc5\x4e\x62\x79\x74\x6b\xea\x3a\x80\x5c\xa0\x61\xb3\xad\x74\x65\x76\xbb\x68\x4e\x23\x2b\xcd\x11\xd1\x58\x6b\xf0\xd9\x85\xf3\x20\x24\x88\x4e\x96\xf7\x27\x1b\x9c\x2f\x49\xe9\x00\x3b\x83\xa6\x91\xd5\x5e\x9c\x94\x50\x53\xa5\x53\x29\xa5\x7e\x87\xae\x85\x89\x4e\x8a\x89\x89\xbd\x0a\x08\xcc\xca\xba\x48\xf0\xb3\x42\xf0\x70\x23\x8c\x13\x88\x75\x2e\x33\xa5\x92\xec\x8a\xbc\x2e\x3b\xaa\x1a\x44\x3d\x90\xec\x33\x65\x55\x37\x79\x42\xe4\x86\xba\xe4\x3d\x96\xc6\x32\xb3\x21\xe4\x05\x0e\xa0\xc7\xce\xf5\xf4\x43\x07\xd8\x17\xc6\xd8\xbf\x76\x8b\x9d\x2f\xe3\x84\x12\x86\xfa\x1f\x1c\xd3\x60\xe4\x63\x23\x4b\x29\x26\x66\x60\xc5\xe0\xd4\x61\xf1\x81\x84\x23\xb4\x84\x61\x33\xcf\x0a\x95\xa1\x3c\x11\x1b\x90\xb6\x26\x8b\x8a\x9a\x21\xd3\x88\xfa\x18\xca\xe1\x37\xe5\x15\x68\x57\xa6\x82\x13\x9d\x26\x75\x1b\x96\xf6\xac\x68\x70\x3e\x5f\xba\x09\x7e\x94\xa2\x3d\x6e\xf1\x15\x5c\x67\x7b\xa2\x56\x00\x13\xa1\x10\xa5\x95\x2f\x03\x35\x25\x20\x7b\x53\xff\x1d\x06\xd4\xc5\x9c\xf8\xda\x18\x1b\xb6\x00\xfe\x17\xc7\x2e\xc3\xc1\xae\xa1\xf1\xc2\x9e\xde\x0b\x01\x37\x24\x78\xe3\xd8\x90\x5a\x1f\x99\x35\x80\x79\xcf\xc3\x4d\xaa\xee\x08\xb9\x68\xc3\x69\xdc\x72\x49\x26\x6b\xbc\x88\x3b\x71\x12\xe6\x8a\xe9\xa0\x2d\xaa\xa6\x8d\xae\xe5\x7e\x57\x34\xf4\xba\x84\xc9\x66\xd8\x2f\x28\x2e\x5f\x6e\x80\xaa\x7c\xb9\x83\x15\xb0\x85\x94\x51\x39\x03\xf5\xf8\xe3\x94\x63\xe0\x62\x05\x05\xee\x35\x63\xec\xbb\x46\x86\x23\x9e\xcb\x22\x31\xd3\x82\xc5\xeb\xfb\x7f\xec\x05\xcf\x1e\x7c\xac\x99\x3a\xd4\x34\x86\x31\x32\xc4\x61\x89\xf4\x87\x6f\x82\x3e\x38\x8b\x54\x22\x7f\xe2\x93\x09\x94\x20\x44\x7c\xff\x08\xb8\x10\x97\x9d\xec\xb3\x4d\x36\xa1\x52\xaf\xf8\xeb\xac\xbe\xad\xca\x44\x76\x4b\x5b\xb0\x4e\x2a\x85\xa3\x65\x8a\x6e\xcb\xcb\x1c\xc4\x87\x81\xce\x2a\xe7\xaa\x8e\x28\x1b\xec\x7d\x63\x8c\xdb\x36\xdc\x2c\x32\x8e\x7c\xf7\x6e\x88\xbc\x2d\xc2\xc8\x7f\xf5\x58\xb0\xa8\x7e\x70\xd4\xb1\xf6\xf2\x01\xb1\x40\xcf\x7f\xa6\x8a\x56\x9d\x14\x94\xf3\x00\x02\x02\x3b\x53\xf0\xb3\x1e\x7b\x87\xc7\x26\xba\x59\x74\x3a\xbe\x28\x22\xff\x4d\x5e\x70\x6e\x81\x7e\x0c\x22\xe4\x5d\xb4\xae\xfb\x9d\x36\xf7\x0e\xef\x29\xec\xc9\xbb\x3a\xa2\x76\x68\xf9\x7f\xbd\xd6\x81\xc6\x1d\x02\xa5\x42\xf7\xe2\x5f\x5d\x13\xdc\x39\xf0\xb4\x3a\x22\x3b\xe7\x2b\x5d\x8a\xd6\x37\x52\xc4\xcd\x45\x37\x89\x9b\xa1\xeb\xe3\xfb\xba\x6b\xd8\xdf\x7b\x8c\x35\xe5\xc9\x41\xc0\x9d\x3f\xf3\x82\x73\x8b\x6e\xdd\x24\x16\x98\x9b\x07\x81\x7c\x42\x0b\x69\xa7\xa0\xb6\x0a\x51\x1e\x2e\xdc\xce\x34\x76\xee\x07\x3a\x64\x0e\x66\x55\xcf\x76\xc4\x2e\x49\xb2\x71\x19\xec\x12\x7b\xab\xc7\x1e\x43\x9d\x5d\x14\x68\x2d\xf3\x5f\xed\x05\x2f\xf2\x2a\x0f\x01\x43\x5b\xb2\xf1\xca\xec\xea\x62\xb6\x93\xc4\x36\x08\x94\xa2\x0d\x75\x6b\x22\x95\xcc\xa4\x70\xcc\xd6\x88\x5c\xde\x14\xfc\x59\xc7\x6a\xba\x41\x5c\x24\x57\xae\x7f\x97\xc7\x1e\x43\xd2\x83\x2a\xe0\xbf\x51\xc3\x3b\xbd\xd4\xab\xbc\x1b\x44\x46\x82\x56\x95\x91\x86\x8c\x31\x23\xa0\x75\xb4\x84\x63\xbf\x57\x23\x34\x60\x38\xab\x7d\x92\x67\xd4\x14\xb9\x57\x5c\x8b\xe9\xfd\xe6\x3f\x53\x75\xf4\x54\xfe\x30\x74\xd0\x6d\xe7\xdd\x1e\xbb\xd6\xed\x87\xff\x66\x2f\x78\xb5\xe7\x3e\x7b\xa4\x97\x4f\x8d\xab\x5e\x59\x88\x9a\x7a\x31\x69\xaf\xe6\x3f\x79\xec\xda\x66\x96\x24\xd0\xb5\xd9\xac\x97\x96\xfe\x9f\xeb\xc5\xfc\x9c\xe7\xbe\xd2\xd7\x37\xfc\xc8\x5a\xbc\x1d\x16\x6d\xae\xcb\x98\x5c\x2f\xf6\x69\x07\xe5\xee\x88\xf5\x05\xdc\x69\xcb\x3d\x26\x54\xd1\x01\x68\x2b\x06\x43\x62\x98\x02\x0f\xd0\x6c\x87\x69\x5c\x74\xd0\x4c\x16\xdb\x59\xf6\xd0\xec\x6c\x0c\xae\xd4\x87\x54\x6c\x4a\x42\x31\xab\x5b\x1b\xbe\x39\xfe\x9b\x7d\xea\x68\x93\xfc\x88\x9e\x81\xef\xf3\x2a\xef\x1e\xa5\xed\x5c\x39\xf2\x95\x94\x19\x1e\xf3\x15\x7c\xd9\xdd\xb8\x19\xe4\x5e\x7b\x50\xa7\x47\x7c\x97\x37\xf8\x5a\x75\xbc\x93\x15\xa0\x75\x91\x24\x71\xcd\xbc\xd5\x70\x68\x38\x7d\x71\xe1\xae\xe1\x7c\x69\xb1\x35\x5a\x45\x63\x15\x39\x5c\x58\xb5\xd5\xc8\xd4\x15\x17\xda\xa2\x9a\xa5\xbc\xd3\x23\xc5\x10\x4d\xd2\xcc\xc2\x3c\x69\x36\xdc\xe1\xfd\x80\xc7\xae\x81\x84\x64\x7a\x3d\x5e\xa0\x96\xa3\xe5\x3c\xdf\xd5\x5a\x60\xb6\x5a\x29\xec\x84\x80\xd6\xda\xe7\x9a\xba\xbb\xdd\x79\x9d\xc7\x6e\xab\xe4\xfe\xcc\x72\x92\x29\x4c\x90\x80\x48\x5a\x4b\x3d\x04\x26\xef\x25\xa2\xc0\x5c\x9a\xa0\x1c\x5e\x76\xee\xb8\xd3\x6c\xce\x4e\x80\x78\x4b\x70\xd4\xa4\x3f\x2c\x33\x2e\x24\x0b\x2b\xb7\x73\x2e\x6b\x41\xc4\xa4\xc5\x61\x49\xec\x5e\x32\xe1\x00\x58\xb5\x92\x6c\x93\x06\xa7\xfb\xb4\x90\xc7\x59\x1e\x97\xfd\x33\x62\x43\x24\x8e\x90\x0c\xfd\xfa\xb5\x83\xc1\xbd\x5b\x17\xa9\xb8\x02\x0e\xaa\x23\x79\x97\xbe\xe7\x89\xac\x40\x8a\x74\xf2\xd2\x73\x06\xfc\x77\xfb\xd9\x57\x3d\x76\x10\x58\x4a\x11\xf9\x5f\xf6\xd8\xb9\x91\x57\xee\xb0\x51\x9c\xc1\x0f\x47\xf7\x34\xf8\x41\x6f\x85\x6a\x5f\xb1\x39\xc6\x6c\xd3\x12\xaa\x73\xa1\xdd\x67\xd0\x3f\x82\xaa\xad\x8e\x60\x20\x2d\x05\xe5\xdd\x01\x5a\x8d\xb9\x2b\x28\x85\x1d\x88\x63\xfd\xae\x00\x6f\x8f\x95\x80\xea\x0b\x56\x1a\xec\xfb\xf6\x11\x8c\xd9\x3f\x8e\x07\x7f\x35\xae\x0a\x69\x2a\xaf\x90\xc0\xe1\x90\xb9\xcd\x23\xf8\x36\xe5\x83\xcd\x90\x0d\xa7\xd9\xd6\x1a\x02\x32\x6d\x41\x70\x01\x9f\x31\x12\xd4\x4a\x70\xea\xa2\xec\x65\xb0\x02\x1e\x0f\xc4\x1c\xeb\x19\x50\x3a\xda\x4a\x83\x72\x62\x30\x67\x85\x6e\x35\x24\xf6\xff\x08\x6a\xa4\x7a\x38\x7b\xa9\xd8\x10\x39\x7a\xda\x46\x93\x30\x0b\x94\xed\x22\x12\x65\x1e\x36\x4b\x43\xdb\x9a\x61\x37\x6c\xca\x16\xc0\xe3\xc0\xd1\x10\xa0\x8b\xa3\xdb\x85\xa2\x3a\x0c\x3d\x93\xf6\x38\x8e\x84\x93\xdb\x8e\xe5\x39\x61\x2e\x9e\x33\x30\x7f\xa8\x51\x39\xb2\x3a\xc9\x8b\xcc\x4d\x9f\x0d\x99\x6f\x69\xe7\x98\x5e\x43\xfe\x4d\xa7\xe3\xe2\x22\xe5\x99\x4e\xfa\x48\xf8\x06\x9a\x1e\x7e\x46\x1f\xf2\x56\xd8\x63\x1d\xd6\xaf\x97\x02\x57\x3b\xef\xdf\x5d\xe7\x51\x5c\x34\xf3\x18\xcc\x79\x59\x7e\x12\x64\x4c\xc6\xc9\xfd\xb3\x5e\x66\x75\xeb\xbd\xb8\xab\x7f\x12\xc0\x7b\xa8\xb3\x27\xd5\xee\x65\xec\x8d\xfb\xd8\xf1\xd1\x76\xb8\xc5\x5e\x3a\x53\x9c\x2f\x44\xae\xd0\xf1\x30\x6f\x58\xe1\x7f\x65\x3c\x78\xce\xa8\x97\x8e\xae\xdf\x80\x20\xf6\xbb\xe8\x76\x0c\xb9\x37\xa9\x64\xc5\xf3\xcb\xfe\x40\xd2\x02\x49\xc3\x1c\x5a\xf0\x17\x63\xec\x1f\x3d\x76\x20\x07\xcf\x14\xff\x6f\xbc\xe0\x5d\x1e\xfe\xad\x93\x5f\x2b\x2b\x1f\x3d\xce\x5a\xbc\x17\x47\x85\x03\xa1\x83\xe9\xb5\xe6\x29\x81\x30\x18\x13\x92\x78\x5d\x58\x50\xa0\xca\x98\xd8\x8b\x23\xf4\x25\x2a\x7a\xdd\x6e\xd2\x37\x2f\xa0\x76\xe3\x01\x56\x48\xb6\xa1\xd0\xae\x22\x22\x8d\xcc\x82\x02\xb9\x38\xdb\x2b\x4a\x98\x2e\x47\x7c\x38\xc1\xa6\xb7\x48\x9a\x53\x59\x8a\xf9\xb9\x45\xd9\x28\x5b\x67\x30\x2d\x7e\x33\xb8\x20\xff\x35\x29\xab\x6c\xb0\x49\xd0\x33\x44\x71\xb3\x54\xb3\x0a\xd3\x02\x9b\x51\xaf\x9a\xc2\xb3\xb3\xa7\xa6\x10\xa5\x73\x49\xfc\xae\xc7\xbe\x63\x44\x5e\xc9\x7b\x44\x18\x89\xdc\xff\x80\x17\xdc\x61\x7e\x3a\x6e\xd8\x4d\x04\xc9\x6f\xe3\x1b\xcb\x7f\x2a\x4e\xb9\xfc\x84\xd2\x12\x6a\x35\xde\xfe\x8d\x01\xc5\xdd\x33\xd9\x51\xd2\x73\x04\xc1\xbf\x02\xaf\x02\xac\x0c\xe9\xab\xb6\xdd\x52\x6f\x6b\x0c\xab\xf0\x6f\x08\xbe\x65\xa0\xb0\xa9\x9c\x4a\xff\xb5\xc7\xbe\x7b\x84\x26\x61\x2e\x14\x9d\x2c\x3d\x45\x46\x91\xc2\x7f\xd0\x0b\x4e\x0f\x79\x0e\x3a\xf8\x82\xf2\x44\x64\x5d\x41\x36\xcd\x08\x4a\x99\x64\x76\xe4\xb3\x28\x2b\x70\x65\xfc\x8c\x75\xd8\x63\x08\x40\x4b\x55\xea\x3f\x73\x8b\x2d\xa1\x51\x88\x9c\x7e\x04\x87\xd5\x5f\xb2\x29\x64\x9c\x9e\x46\xa8\x5e\x31\x65\x3f\x97\x1d\x69\xb0\xff\x3a\xc6\xfe\xdd\x90\xea\xc8\xe2\x1b\xa1\x86\x47\x1e\xab\x1b\xdd\x47\xce\xb2\x92\x16\xc7\xb2\xb5\x82\x37\x69\x24\xf4\x42\xb2\x48\x6c\xc4\x4d\xb1\x50\x4d\x48\xf4\x06\x8f\x09\x66\xbd\xf4\xef\x0b\x9e\x3a\xa7\x7f\x55\x75\x00\x58\x0e\x53\x11\xa1\x97\xe4\x70\x9b\xaf\x22\xb3\xf6\xda\x1e\xa3\x5d\x73\x24\xf8\xf6\x73\x96\x46\x4c\xf7\x79\x10\xf8\xfe\xf3\xc3\x7d\x6e\x2d\xbc\x27\x9c\x8a\xd3\x71\x22\xfc\x9f\x3e\x14\x3c\x63\xe8\x1b\x27\x87\xb3\x15\x98\xe3\x92\xb8\x96\x2c\x49\x0e\x11\xb6\xe7\x22\x6c\xd4\x61\x99\x9c\x3e\x38\xc1\xfe\xd2\x63\xd7\x29\x05\x0c\x24\x6b\x5e\x14\x2d\xff\x77\xbd\x1d\x40\x56\x2d\xda\x5f\x69\x1d\xd9\x9b\x3d\xe5\xbc\x6f\xd9\x1b\xaa\xce\x25\x27\x91\x53\x31\x86\x24\xeb\x42\xd4\x97\xe9\x11\x7c\xd8\x68\x76\x7b\x35\x2a\xd0\x40\xd3\x41\x4d\x17\x92\x2f\x9d\xaf\xa8\xc4\x24\xd0\x6d\x92\x55\x92\xbe\x81\x30\x6b\xb0\xb7\x79\x6c\xa2\xa5\x06\xfa\x06\x6f\x07\x98\x60\x68\xc0\x73\x87\x19\x2a\x32\x7c\x92\x9b\xf1\x22\x41\xc8\x54\x3e\x98\x88\x86\x09\xa6\x4d\x54\x03\xd5\x28\x64\xa1\x66\xa2\x65\x4c\xce\x6d\xc8\x48\x69\x3a\xfa\xa1\x71\xb6\xaf\x93\x45\xc2\xff\xf9\x71\x25\x65\xfc\xc8\xb8\xca\xaf\x79\x92\xcb\x57\x7c\x55\xce\x9a\x4e\x87\x2e\x4a\xde\x15\x39\x59\xaa\x0a\x0b\xac\x2e\x11\x35\xcd\x34\x86\x29\xcf\x9a\xa5\x32\x5b\x6b\xd8\xe7\x63\xc7\x8e\x61\x3e\x9a\x63\xb7\xdc\x72\x0b\x07\x4e\x34\x12\xcd\xb8\x33\x58\x10\x4a\xdd\x34\x3d\xdd\xe0\xf7\xcf\x9c\x3d\x43\xf6\xfd\x82\xaf\x66\x65\x9b\x6a\x06\x26\xcc\xfe\xb8\xa8\xf1\xa7\x2e\xdd\x7b\xce\xa4\x66\x74\xdf\xc2\x55\xa6\xc7\x03\x57\xe8\x90\x6c\xdc\xca\x39\x04\xc1\x0d\xcf\xca\xe2\x6e\x62\x4b\x4c\x51\x1e\xaf\xb5\x55\x96\x6e\x29\x17\x24\x31\xf9\x19\x10\x8f\xa7\x38\x04\xf4\x4d\x00\x93\xa6\x39\x3b\xb2\x0f\x35\xbc\xb4\x5b\x05\x84\xcb\xd6\xb4\xf9\x33\x17\x45\x2f\x29\x95\x92\x19\x2b\x33\x6b\x80\x17\x9c\x25\x9c\x7d\x49\x65\x48\xfb\x9c\x17\xfc\xa6\x67\x76\xcb\x02\x65\x40\xa3\x3a\x13\x4c\x9a\x09\xc4\xc8\xd6\xb1\x43\x77\x28\x25\xad\x72\x7c\x3c\x6b\x39\xb9\x86\xab\x45\x96\xf4\x4a\xc8\x91\x4d\xc7\x0a\xbe\x3b\xdc\x68\x1c\x56\xe9\xd2\x54\x12\xf9\xb2\x55\xbf\x95\x13\xcc\x25\x2a\x3d\x5a\x71\x5e\x94\x3c\x2e\x45\xc7\xe8\xf4\xed\x9e\x68\x77\x5a\xe4\x3d\x60\xfa\x64\xcd\x36\x61\x7b\xdb\xf5\x43\x69\xbe\x0b\xe5\xe7\x3f\x70\x7d\xf0\x8b\x9e\xfb\x8c\xaf\xc6\x28\xa9\xa3\xbf\xfb\x49\x7e\x54\xd2\xf9\xb0\x03\xee\xaa\x91\xc8\x8b\x32\xcb\x0c\x16\x30\x2e\x40\x57\xe4\xed\xb0\x5b\xc8\xa7\x5d\x91\x03\xf8\x6c\x98\x90\x3b\x6e\x51\x43\xc9\x29\x35\xd0\xf0\x47\x51\x02\x4c\x9b\x71\x37\x4c\x34\x66\x3b\xcc\x9b\x49\x65\x44\x8e\xa1\x4a\x6c\x16\x11\x7c\x46\xb0\xc1\x08\x78\xe7\x6a\x81\xbf\x78\xed\x9e\x33\xca\x6e\x9d\x51\xbe\xe0\xb1\xc7\x87\xbd\x32\x83\x4c\x3b\x43\x60\x1f\xfd\xf7\x7b\xc1\xdb\xbd\x99\x2d\x4a\x0c\x11\x58\xbb\x59\x64\xb8\xa2\x90\xf4\x76\x14\x62\x09\xee\xbe\x72\xd7\xd1\x8c\xa2\x62\x05\x1d\x57\x4b\xa8\x0f\xba\x13\x96\x94\xa0\x8b\x12\xe5\x81\x47\x0a\x1c\x74\xcc\x8b\x1b\xc9\x82\x26\xe0\x01\x85\x2b\x27\x55\xce\xff\x1e\x67\xd7\xc5\x9d\x70\x4d\x2c\xf4\x92\x04\x71\x15\x0b\xff\xb7\xc7\x83\x97\x8d\xcf\x57\x9e\xba\x7e\x16\xda\x87\xbf\x40\x1a\x4e\x45\x52\x23\x00\xa4\xb6\x1e\xa6\x57\xa0\x22\xb1\xdb\x03\x04\x71\x4c\x12\xda\x01\xf4\xeb\x38\xc5\x99\x20\xf9\x5a\x87\x06\x80\xce\xcc\x99\xc8\x06\x1f\xe8\x13\x80\x75\x43\xe0\x85\x12\x99\xd5\x9b\x55\xd1\x0c\x65\xab\xea\x37\x9d\x24\x95\x51\xd0\xa4\x54\xc6\xf0\x81\xa1\x35\xe3\x3d\xa8\x0c\x73\xa4\xff\x22\x0e\x75\x37\x8e\xa1\x38\xf2\xa9\x1b\xf0\xaa\xe8\xc7\xe9\x5a\x1d\x1e\xc9\xd9\xa1\xa9\xac\x67\x69\x3d\xac\x77\xb3\x68\xe7\x06\x96\xad\x92\xfa\xed\xb9\x53\xed\xc2\x9d\xea\x33\xb6\x3b\xd5\x83\xbb\x76\xa7\x7a\x71\xd5\x9d\xea\x70\xa1\x1d\xaa\x1e\xf1\x21\x6a\xc0\x9c\x5f\x1f\x63\x07\x69\xaf\xf9\xbf\x30\x16\xbc\xc5\xb3\x8e\x79\x69\xc1\xbe\xa8\xa3\x3d\xe8\x2f\x0c\xd7\x9a\x4d\xc3\x94\x67\xca\x90\x83\x7b\xf9\x67\xc5\x28\x24\xa7\xb0\x0b\xf6\x41\xb8\x91\x1d\xdf\x41\x92\xf9\xca\x19\x78\x64\xd0\xa4\x2e\x6c\xef\x92\x75\xc2\x9f\xae\x2b\xb0\x15\x67\x5e\x2a\xce\x55\x1a\x5e\x2a\x08\x18\xfb\xb9\x09\x16\x58\x63\xca\x57\xc3\x26\x20\xfd\x62\xbc\xd2\x62\x96\x08\x00\x85\x7a\xd9\x44\x30\x55\x79\x36\x0c\x13\xca\x2a\x52\x0c\xc5\x83\xfa\xd4\x81\x3d\x2e\x61\xb7\x5c\xc2\x9a\x82\x50\x7a\x76\xf0\x04\x0d\xa1\x64\xae\x4c\x7b\x0d\xec\xcd\x7c\x8c\x35\x58\x6d\xe4\x66\x1e\xb2\xf0\x7b\xc4\x7c\x17\xc4\xbc\x65\xd1\xf2\x67\xee\x0e\xf3\xec\xdb\xb7\xa0\xe3\x0f\x79\xe9\xf6\x84\xe1\x69\xfe\x7c\x7d\x38\x05\x80\x55\x77\x4d\x63\x15\xb7\xcd\xca\xa1\x67\xec\xa3\x87\xd8\x33\x4d\xff\xc5\xc5\x52\xa4\x20\x50\x1b\xec\x7b\x07\x67\xc5\x14\x30\x09\x5a\x40\x43\xa9\x14\x24\x73\x7a\x5e\x80\xd0\x7c\x65\x22\x78\xda\x56\x05\x2a\x7b\x7d\x44\x49\x9a\xa9\x11\xa0\x74\x2f\x3a\xb8\x47\x84\x76\x4b\x84\x3e\xe0\x29\x2a\xf4\xb3\x5e\x70\x33\xfc\x85\xab\x22\x05\x90\x8d\x38\xea\x85\xc9\xb6\xab\x63\x53\xa7\x36\x6b\xb1\x68\xd4\x29\x79\x38\x77\xd9\x1e\x55\xdb\x05\x55\x9b\xb7\xa8\xda\xe5\x78\xb1\x0d\x52\xb5\x87\xbc\x17\x6c\x4f\xb8\x9e\xe1\x5f\xb0\x11\x92\xac\x55\xae\x52\xa9\x2d\x28\xc6\x50\xc4\xa4\xb7\x5f\xcb\x6e\xde\x89\xc7\xfd\x62\x2f\x11\xf7\xc5\x65\xfb\x5e\xed\xc7\xef\x7f\xf5\x9a\xe0\x45\xde\xe0\x73\xca\x82\xd6\xeb\x26\xa0\xa6\xb2\x5e\xc8\x23\xac\xba\x56\xa8\x94\x26\xf2\x18\x77\x3a\x22\x8d\x90\xd7\xed\x84\xeb\x82\x9b\x0c\xcf\x61\x42\x91\x83\x50\x9d\xb8\xd8\x0d\x71\xdc\x20\x2e\x02\x5e\x80\x6b\xd3\xf8\x9d\xab\xd9\x2f\x79\xec\x2a\x43\xd1\x0a\xff\x9d\x5e\xf0\x2a\xcf\x90\x34\xcd\x70\x4b\xd1\x7e\x43\x3d\xb3\x1d\x26\xa5\x2c\x0b\xc9\x2d\xe4\xfe\x3b\x7c\xf4\x30\x45\xef\xe9\xc2\xa0\x79\xa4\xe7\xb4\xe3\x51\xf5\x68\x10\x9d\x40\x28\x4f\xe2\xa6\x81\xce\xcb\x52\xe1\x58\x59\x47\xa6\x3a\x7f\xcb\x18\x63\x26\x58\xc2\x7f\xcd\x58\xf0\x75\xcf\x9d\x5c\x88\x01\x35\x4f\xc0\xb2\xa0\x83\xaa\x30\xfc\x32\xcc\x45\x41\x70\x5c\x75\x3e\xbb\x78\x6a\x66\xf9\x54\x8d\x9f\x5f\x98\x83\x7f\xe7\x4e\x9d\x39\x25\xff\x9d\xbd\xf7\xdc\xb9\x53\xb3\xcb\x3c\xcb\xf9\x51\xd4\x8d\x25\x89\x71\x8d\xcf\xdc\x75\x0b\xd3\x3e\x6f\xf5\xc0\xcf\xd4\x34\xe6\xf4\x42\xae\x16\xbc\x8d\xc8\xbe\xf9\x88\x4d\xd1\xeb\xf7\xb1\x43\x7a\xb1\xfc\xef\xdf\x17\xfc\xf9\xb8\xde\x56\x55\xad\x89\x7a\x8c\x17\x55\x2f\x11\x3c\xec\x76\x13\x70\x09\xc9\x1a\x8c\x9d\x36\x08\x13\x27\xf9\x61\x29\x5d\x1d\x26\xb3\x3d\x7a\xb3\xc3\xa3\xa9\x24\x5b\x3b\xac\xad\xf9\x82\x27\xd9\x9a\x24\x56\xb6\xdd\x82\x4a\x1f\x55\xc5\xd0\xcb\x9b\x1a\x47\x8d\x07\xb9\x29\xe4\xe6\x00\x60\xe5\xce\x37\x76\x01\xbb\xde\x29\x88\x93\x70\x4a\x42\xe0\x44\xa5\xc2\xa3\x53\xc3\x7b\xa0\xd4\xd3\x71\xee\x7e\x01\xe8\x36\x9b\x71\x12\x35\x25\x57\x55\x5d\x2c\x0b\xce\x03\x66\x0e\x43\x8a\x31\xff\xba\xa9\x9a\xfc\x28\xb2\x0d\x91\x27\x61\x17\xb5\xc0\x10\xed\x01\xca\xef\x06\x63\x73\xa2\x2b\xd0\x97\x9c\x4c\x91\x22\x6d\x26\x19\xc8\xae\x78\x6c\x6b\xee\xb0\x51\x37\xaf\x34\xd8\x28\x06\xef\x6c\x63\xfc\xc4\x38\xdb\x0f\x98\x4f\xfe\x1b\xc6\x83\xff\x3c\x0e\x7f\x56\x9c\x80\xf0\x99\xe6\x5c\x7a\x89\x68\xf0\x6a\x7e\x35\x1e\x10\xb3\x17\xd4\x78\xa0\xdd\x9b\xa2\x00\x99\x90\xe0\x68\x60\x0a\xd8\x3e\x1e\xa0\xbd\xaa\x40\x4f\x99\x51\xc1\xe4\x01\x1c\x8f\xdd\xb4\x71\x9e\x92\xe4\x88\xd8\x01\xb4\x4a\x39\x15\x35\x9c\x8e\x0c\xb4\xaa\x75\x7f\xdb\xb7\x28\xbb\x6f\x7d\x5e\x82\x69\x13\xdd\x68\x68\x72\x72\x21\xa7\x13\xf1\x2d\x1a\x7c\xc9\x59\x1a\xaa\xcd\x99\x47\xb9\xab\xba\x61\x8e\x41\xc0\xe4\xa3\x6d\x67\x31\x0c\x8e\x06\x8e\x55\xff\xbd\x1e\x3b\x14\x76\xe3\xbb\x31\x13\xd8\xdb\xbc\xe0\xe5\x92\x3c\xe3\x4f\x9b\x38\x63\xaa\xb0\x1d\x91\x66\x2c\xfa\xc8\x52\x9d\x5f\x1a\x73\x23\xb1\x76\x98\x78\xd2\x7f\xc9\x58\xb0\xbe\x5d\xa1\x6d\xd3\x51\x02\x7d\xde\x51\x12\x4a\xe7\x3a\xfc\x7e\x8f\xbd\xd4\x63\x87\x00\xd7\x0d\x7c\x2c\x2f\x2a\x1b\x61\x73\x41\x3d\xab\x38\xf0\x62\x0a\xdf\x84\x87\xa5\xc6\x34\x72\x7d\x10\x8d\xed\x5b\x57\x2b\xf7\xa7\x5a\xf0\x0d\x15\x27\x73\xac\xe2\xf4\x39\xc1\xfe\xed\x68\x43\x10\x88\x3c\x1f\x9c\x08\xbe\xcb\xfa\x0d\x99\x5d\x6d\x6a\x4e\xba\xfa\x11\xc2\xcc\x4f\x1e\xdc\xe3\x68\x77\xc1\xd1\x7e\xda\x56\xba\xfe\xda\x2e\xd1\xc9\xad\x08\x56\x07\x9e\xfc\xd1\x1c\xdc\x9e\x68\xbb\x5b\xd1\x76\x59\x49\xb6\x4f\x0b\xae\x3b\x53\x39\x83\x36\xa1\xac\xb1\xa3\x3b\x80\x95\xa1\x93\xfd\x90\xb7\xb4\xbd\xbc\x73\xcc\x6f\x54\x34\xb8\x83\x02\x8c\xab\xbe\xfd\xd4\x35\x8e\xfa\xb6\x0a\x82\x3e\xbb\x34\x7f\x2e\x8b\x84\xff\xf6\x6b\x82\xdf\xda\x3f\x77\x6a\x61\xf1\xd4\xec\xcc\xf2\xa9\x39\x5e\x47\x77\x00\xa8\xc8\x8e\x5d\xa0\xf2\x92\x7c\x44\x26\x4d\xcb\x6a\x5f\x01\xd6\x4d\x6d\x4c\x4f\x51\x19\xcc\xc3\x47\xd6\x71\xcc\xf0\x9d\x95\xda\x5b\x81\x56\x8d\x3c\x71\x1a\xba\x62\xa4\x6d\x43\xd0\x73\x93\xc4\xc2\xf4\x28\x20\x5d\x0b\x62\xd7\x00\x42\x27\x04\x84\x39\x05\x88\xfd\x52\x59\xc5\x2d\x3f\x1f\xd5\x14\x11\xb3\x28\xce\x45\xb3\x4c\xfa\x0d\x3e\x53\x00\x90\x1a\xda\x40\x45\x1f\x73\x3f\x13\xbc\x45\x1d\xeb\xad\x2b\xf9\x2f\xe7\x45\x1c\x89\x66\x98\x1b\xb7\x9c\x9a\x6d\x96\xa3\x98\x42\xc7\x38\xda\xcd\xba\xbd\x64\x44\x2f\x54\x74\x83\x19\x82\xec\x86\xbc\x49\xe4\xb4\xab\x4a\xbb\x00\xca\xc1\x1d\x21\xd4\x4c\x5d\x58\xb8\x56\x4f\x0c\xbb\xc0\xa9\x21\xd8\x27\x6a\x0d\x3c\x3d\x0a\xc9\x6a\x02\xba\x23\xf2\x3d\x04\x5b\xea\x70\x3e\x06\xb0\xa5\xb0\x43\xb3\x52\x3d\x2f\x80\xc1\x2b\x7f\x28\xd7\x36\x1d\xf6\x20\x27\x73\x93\x8b\x34\xeb\xad\x11\x06\x5d\x5c\xf2\x28\x13\x45\x7a\xb8\x34\xcb\xa1\x2f\x15\x77\x1c\x61\xca\xef\xdd\x4c\x45\xbe\x68\xd9\x61\xc3\x92\x93\x83\x1f\x91\x0d\x37\x20\x33\x35\xb3\xd9\xb8\xe4\x01\x4a\xb5\x73\x0f\xfe\xcf\x03\xec\x7b\x2d\x52\xde\xdd\xad\xf9\x6c\x4a\x13\xef\xd4\xc6\x82\x57\x73\x41\x58\x6c\xd0\x2b\xc8\x3a\xca\x22\x82\xce\xfe\xf7\x5b\x38\x4d\x8d\x38\x9f\x80\x8c\xfd\x9d\xc5\x56\xd0\x33\x54\x72\x8f\xba\xef\x01\x7e\x7c\x03\x53\x41\xac\x6c\x7f\x87\x3d\xd9\xbf\x6d\xbb\x54\x10\x6a\x2f\x0f\x53\xcc\x7d\xe0\x80\x13\xd1\xda\xcc\x90\x31\x57\xfa\xb8\x33\xf2\xa6\x81\x38\x98\x57\x1e\x08\x8e\xe8\x5f\xb4\x84\x83\x78\x4d\x50\xc2\x15\x0e\x3e\xb7\x9f\xbd\xdc\x63\x57\x85\x4d\x90\x7d\x96\xe3\x8e\xf0\x9f\xcf\x6e\xbf\x02\x62\x71\x36\x6e\xe6\x99\xfc\x3e\x38\x69\x55\x46\x7a\x40\xf9\xd7\xa6\x02\xc8\x55\xb1\xac\x78\x4f\x6e\x4a\x02\xd8\x24\xc9\x8b\x09\x76\xad\xbc\x14\x45\x3e\x4f\xfe\x59\xfe\x52\x70\xda\x7d\x62\xe0\xe7\x65\x65\xda\x8f\x4b\x01\xa1\x41\x59\x1c\xae\xd3\x90\x23\x7d\x7e\xcc\x63\x8f\x83\xa7\x73\x2a\x52\x48\x34\xb3\x34\x2a\xfc\x77\xe9\xa0\xb9\x37\x78\xc3\x0a\xe0\x78\x22\x15\x3f\xa4\xdc\xc5\xa2\x38\x0a\xd5\x75\x1f\xd2\xc0\xd4\x65\xbc\x19\xc6\xa5\xe5\xd7\x8f\x43\x85\xdc\x6f\x0a\x95\xaa\x23\x42\x50\xa7\x84\x6b\x72\x58\x25\x4e\x57\xd6\xe2\x49\x28\xd9\x2d\x15\xd3\xb6\x28\x52\xb1\x29\xe7\xd4\x15\xa9\x72\x76\x1d\xb4\xb7\x9c\x87\x69\x41\x11\xc7\xcf\x56\x83\x98\xaf\xbe\x1a\x8c\x36\x2b\xad\x97\x30\x6b\xd8\x7b\xe5\xc2\x89\xf3\x59\xb8\x6d\xbe\xc5\x63\x87\x72\xd5\x1d\xff\xb5\xde\x2e\x37\xcc\xa2\xae\x6b\xab\xed\x62\xaf\x2c\xf6\x51\xde\x9d\x30\x47\x2a\x3e\x0f\xc5\x7c\xb9\xd8\xec\x6d\x63\x43\x41\x3d\xef\xc9\x8a\x72\x26\x89\xc3\xc2\x7f\xe9\x58\x90\xe9\x5f\xc4\x89\x41\x68\x61\xd8\xed\x4a\x3a\xa7\x26\x60\x7e\x01\x11\x45\x28\x9f\x76\x61\x05\x37\x80\xe7\xa8\xca\x84\x8c\xb0\xc7\x69\x99\xf7\x2d\x37\xa7\xc3\x05\x7c\x88\x7e\xb5\xee\xc1\x7b\xa9\xc7\xce\xb0\x43\xba\x5a\xff\x29\xc1\x0d\xf7\xe8\x36\x14\x83\x14\xae\x66\x1b\x02\xba\x10\x45\xb9\x28\xb6\xca\x6e\xce\x6e\x62\x63\x71\xd7\x9f\x0a\x02\x53\xdc\x1c\x8a\xa2\x44\x37\x51\xc4\xe9\xb5\x3f\x7b\xf1\xfe\x6d\xb3\x25\x0c\xc5\x96\xf9\xc4\xbe\x3d\x6c\x99\x47\x09\x5b\xe6\x20\x8d\xc5\xd9\x3f\x9f\xf0\xd8\x4b\x3c\xa6\x5e\xf9\xfd\x2d\xb0\xb0\x47\x67\x4d\x00\x3c\x13\x95\xdd\x43\xcd\x98\x43\x5f\xdd\xe5\x1b\x9a\x3b\x61\x04\x56\xe1\x65\xc1\x80\xfc\xb5\x37\x34\xf4\x61\x56\x89\x1b\xa0\x7b\x5a\x44\x97\x27\xff\xa3\x5e\x70\xeb\xd0\x37\x48\x3e\x94\x67\x94\x05\xdc\xa0\xc5\x16\xf7\x0c\xbe\x80\xf5\xd9\x21\xc2\x7a\x9d\x29\xfd\x84\xdd\x72\x05\x74\x0c\x48\xd8\x34\x50\x2f\x47\x5d\x66\xa1\x70\x2a\x3a\x75\x24\x17\xf5\x49\x6a\x8f\xbd\x68\xdc\xc9\x44\xe7\x66\x6a\x20\x81\xf7\xae\xb0\xb9\x2e\xd2\x68\x21\xcb\x4b\xff\x33\x63\xc1\xad\x83\x8f\x35\x8b\x4c\x2e\xac\x5d\xf9\x6c\x55\xc8\xf1\x6b\xb7\xce\x8a\x79\xec\xe5\x63\xec\x55\x1e\x3b\x80\x57\x80\xff\x12\x7d\xe3\x65\xe7\xf0\x52\x30\x57\x84\xc8\xa5\x30\x87\x75\xd2\x8d\x81\x27\xe8\xd6\x63\x93\x4a\x2e\xa2\x2e\x99\xdb\x2c\xe4\x9d\x1e\xc1\x8d\xea\xa0\x43\x5e\x88\xd2\xa4\xad\x01\x2d\x76\xe0\x5e\x29\x3d\xda\x44\x9d\x60\x65\xd4\x26\x82\x6e\xec\xa6\x55\x18\x81\xab\x86\xfe\xc4\x3e\x56\x1b\xb5\x08\x14\xf3\x96\xae\x49\x52\x4a\x53\xee\x5f\xda\x17\xcc\xb9\x8f\xec\xc0\x24\x30\x8d\xa8\xc8\x2c\x64\x06\xf0\xa8\x68\x0f\xe3\x34\x82\x71\xb8\x2b\xf2\xe0\x38\xfb\x3b\x8f\x4d\xa8\x53\xe2\xff\xb9\xb7\x05\x44\xa4\x3a\x1b\xcb\xfd\xae\x88\x86\xb9\x9d\x06\xef\xf4\x16\xf5\x79\x43\xe9\x52\x15\x40\x24\x5e\x0c\x48\xb0\xe4\x36\xfb\x78\xaa\x59\x47\x83\x04\x4d\x3d\x8d\x58\x8b\x45\xf3\x2d\xeb\x9b\xc2\x8e\xbe\xa0\x81\x9e\x33\x09\x5e\xe0\x37\x6c\x55\x1b\x79\x5b\x7f\xd2\x60\xf3\xec\x2a\xeb\x2b\x49\x46\x96\x1c\x6b\x8d\x4b\x48\xd4\x9e\x56\x35\x57\x40\x36\xaf\xb2\x1a\xf4\xd3\x9d\x8a\xbd\xbd\x32\x4e\x1a\x72\xd1\xca\xbc\x31\x9f\x96\xf7\xe6\x4b\x50\x5f\xb5\x27\xb8\x03\x47\xf6\x84\xbd\xf7\x20\x7b\xc2\xa0\x17\x19\x05\xd7\x63\x48\xaf\xff\xea\x83\xc1\x6f\x78\xf4\xc3\x90\xda\x70\x10\x9f\x9d\x24\xaa\x0c\x00\x26\x72\xc5\xe8\xc6\x10\xff\x96\x67\x89\x80\xd8\x08\x70\xeb\x36\xb6\x4c\x8e\xe7\xa1\x29\x59\x11\x54\x70\x48\xc6\x46\x72\xac\xa0\xf7\xb1\xec\x4b\xa6\xbd\x1a\x46\xf0\x18\x02\x9f\x66\x69\x5d\x19\xa1\x14\x26\x33\x74\x41\xae\x27\x2a\xc9\x60\x83\xc8\x0b\x4a\x8a\x30\xc3\x10\x6c\xdf\xb1\x9f\x7d\xd4\x63\x13\xca\xc2\xe3\xbf\xdf\x0b\x7e\x4a\x1b\x78\x2c\x6e\x4b\x9b\x78\x86\x4d\x6b\x4f\x27\xda\x07\xab\x02\xc8\xd8\x41\x00\x7d\xac\x84\x89\x50\xd1\xa2\x52\x76\xa4\x43\x17\x56\x72\x5e\x0d\x0a\x7b\xa5\x2b\xb1\x77\xd4\x97\x3d\x12\x90\xbf\xe0\x05\x1f\xf7\x40\x40\xce\x5a\x6a\x0e\x07\xe8\x2c\xbf\x80\xf6\x43\x54\x3c\x90\xf7\x7a\x5c\x58\xc3\x04\xcb\xa2\x6c\x38\xa8\xf1\x00\xda\x55\x16\x45\x77\x48\x81\xd6\x62\xcd\xa8\xa0\x93\x1c\x14\x4a\x70\x80\x2c\xed\x01\xa8\xe1\x64\xb7\x48\xd3\x50\xf9\x84\x14\x17\xb9\x80\xbd\x2b\xf7\x45\x9e\x67\xb9\x33\xc4\x27\x11\xe9\x9d\x0e\xbe\xd3\x0e\x54\x1c\x35\x46\xfb\xd3\x8f\x7a\x36\x0e\xc4\xfb\xbc\xe0\xed\xde\xb9\x2a\xed\xb0\x56\x54\x91\x8f\x8a\x82\x6e\x9d\xd4\x0e\x72\xe3\xe9\xda\x6a\x7a\xef\xe1\x74\xc9\x5d\xea\x4c\x18\xc2\x79\x29\x43\x93\xc6\xa2\xb9\x82\x09\xf8\xa1\x6f\x65\x33\x97\x9f\x24\xad\x92\xcb\xcd\xff\xd4\xb7\x04\x3f\xe1\xb9\xcf\x76\x9f\xd9\x8d\x32\x45\x81\x56\x03\x81\x15\x28\xe6\x4f\x2e\x34\x28\x1b\xfb\x59\x0f\x5d\x2e\x88\xc9\x8c\xe2\x02\xfe\x6c\x8a\xbc\x44\xf1\x1f\x74\x5f\x06\xb6\xed\x92\xf7\x38\xd8\x8a\x0a\x8c\xe2\x6c\x9c\xc6\x9d\x5e\xe7\x92\xf7\x18\xd2\x3f\xa8\x17\xce\x81\xfe\xeb\xc7\xb1\xaf\x7a\x6c\xa2\x19\xde\xd5\x4b\xa3\x44\xf8\xff\xc3\xf3\xf7\xad\xf6\x4b\x11\xfc\xa4\x37\x3b\x83\xcf\xf0\x1a\x5e\x38\x75\x56\x05\x90\xf1\xd9\x19\xbe\x8a\xaf\x90\x2d\xda\xac\x24\x5b\x21\xdf\x02\xe1\xa6\x8b\x3b\x4c\x01\x39\xe9\x9a\x3d\x08\x38\x0f\xbd\xd4\xbe\x6a\x30\xc3\x42\x99\xcb\x6b\x25\xcf\xb2\xb2\x50\xdc\x81\x76\x8b\x83\x99\x81\x88\x3f\x47\x71\x73\x03\xfb\x16\x47\x71\x93\xc4\x45\x59\x07\xb4\x8b\x43\xfe\xc1\xb0\xcc\x3a\x71\x93\xb1\x59\xb6\x1f\xe6\x49\x5e\x48\x48\x20\xaa\x66\x69\x95\x67\x84\x22\x88\x80\xda\x16\xa5\xa3\x5f\x7b\xf7\x7e\x36\x74\xb6\xfd\xff\xba\x5f\xb1\x5d\x2f\xda\x7f\x77\xb5\x40\xda\xeb\xa8\xc6\x34\x46\x43\x69\x4c\x14\x4e\x78\x12\xaa\x37\xca\x06\xbf\x27\x5e\x73\x80\x29\x5c\xfb\x3e\x7d\x8a\x46\xf1\x96\xc8\x73\x82\xe8\x01\xb5\x5b\x01\x8e\x1b\x3c\xc9\x36\xed\x0a\xb2\x54\x40\x36\x90\x92\xf4\xd1\xc8\x36\x68\x6f\x29\xa5\x3f\xc5\x8a\xd1\x5f\x83\x62\x6b\x00\x72\x9e\xb7\xb1\x43\x43\x47\x47\x7e\x16\x70\xc4\x75\x17\x31\x45\x12\xd6\xb7\x06\xe1\x0f\xaa\x0e\xd5\x27\xca\xb6\x93\xc7\x9d\x30\xef\xf3\x82\xf8\xdf\xd5\xb0\x40\xd3\xc8\x40\x53\x9d\x5e\x47\x5e\x6f\x11\x20\xa6\x43\x5d\x85\xe6\x64\xcb\x0c\x06\x2c\xd9\xf2\xe3\xc7\x14\x10\xff\xf4\xb1\x49\x6c\xa3\x00\x7d\xcf\xd0\x56\x10\xcb\xa0\xdb\x0e\x57\x05\x18\x3b\x00\xe8\x3e\xcc\xe3\xc2\x20\x5e\xa5\x03\x74\xb4\xc1\xf9\x91\x8d\xe9\xc6\x6a\x98\xab\xa6\x36\xa6\x1b\xad\x2c\x9b\xe4\xf7\x89\xc3\x91\x71\x80\x03\x80\x8f\x12\xb2\x35\x25\xf1\xba\x38\xc9\x8f\xd2\x95\xc5\x8f\x88\x8b\x80\x8e\x6d\xfc\xfe\x26\xe5\xea\x4f\xdf\xaa\xa2\x71\x17\xc2\x70\x49\x14\xfc\xc8\xbd\x5d\x91\x2e\xb5\xe3\x56\x59\xe3\x73\x22\x2e\x30\xbe\xb9\xe2\x61\xb7\xaa\x79\xbd\xe3\xc7\x8e\x1d\x2b\x1c\x56\xfc\x93\x1e\xfb\x57\x71\x5a\x88\x66\x2f\x17\x4b\xeb\x71\x77\xf9\xcc\xd2\x05\x49\x40\xfa\xfe\x7b\xbc\xe0\xad\xde\xfc\xb0\x57\x8a\xec\x14\x7c\xf9\xcc\xd2\x48\xda\x83\x4a\x9d\x21\xe4\xce\x3a\x43\x86\xa5\x2f\xca\x3c\x4b\xd7\x12\xa8\xbb\x99\xf5\xf2\x70\x4d\xde\xb0\xfc\xfe\xac\xa7\x4e\x80\xb2\x59\x19\x0a\x84\xa0\x99\x6e\xb4\xdd\xd7\x21\xe8\x06\x73\xe1\xfe\xc9\x18\x7b\xfa\x6e\xb3\x63\x2a\xe1\xcc\x30\xdc\xaf\x1d\x53\xc9\x75\xe3\xa1\xac\x9c\xe2\xfe\x35\x2c\x95\x21\x76\x88\x95\x0a\x9c\xb1\xed\xf3\x91\xa5\xc8\x6c\xde\x78\xe3\x09\xcd\x08\x58\x6d\xa4\x71\x52\x23\xd0\x0c\xed\x90\x06\xd0\x40\x72\x46\x95\x90\xae\xe9\x94\x65\xa5\x52\xf8\x41\xf2\xfe\x91\xb2\x92\x8a\xfb\x36\x73\x2f\x20\x4d\x06\x92\xea\x22\xee\x74\xe5\xfc\x8b\x44\xce\x8a\x1e\x0e\xe9\x31\x54\x76\x8d\x66\x3b\x44\x4d\xc9\xaa\xe0\xad\x5e\xd2\x8a\x93\x44\xb2\xf5\xcf\x60\x07\xa9\x61\xff\x6c\x70\xe7\x05\xd3\x87\x8a\xdf\xe5\x20\x01\x6d\x70\x7e\xda\x4e\xfa\x14\x6c\x4c\x07\x36\x51\xfd\xca\x41\x56\xbd\xab\xfc\xdf\x3e\xa8\xe8\xe9\x2f\x1e\xbc\xe0\xbe\x53\x80\x59\xda\xb5\x45\x80\x6d\x43\xd1\x2f\xbb\x2b\x71\xaa\x12\x68\xc6\x25\x51\xb6\x06\xd7\xd1\xd1\x6b\x60\xc7\x03\xd4\xad\x94\x3f\x5f\xe4\xd9\x36\xe4\xa8\xd2\x8f\x41\x4a\x34\x9a\x04\x2d\xc5\x72\xfb\xc4\xe5\xe1\xc2\xea\x53\x88\x3d\xaa\xd9\x1a\x5c\x8a\xb0\x2c\x3a\x61\x92\xd4\x00\xcd\x24\x5c\x4d\xb4\x0a\x72\xfa\x58\x01\xb6\x12\x48\xd7\x93\xb5\xb8\x78\x5e\x2f\xd4\x3e\xac\x8a\xaa\xc6\x82\x72\xe2\xa8\xe7\x64\xfc\xa9\xde\xd6\x92\xcc\xf5\xc8\xa0\x0b\x23\x51\x5d\x0b\xd5\x4c\xd1\x46\xad\xd4\x13\x17\x3c\x80\xe3\x25\x09\x5a\x00\x36\x58\xdc\x5d\xc0\x90\x81\x86\x33\xcd\x52\xbb\x4c\xa5\x86\x42\x41\xb1\x41\x78\x28\xcd\x61\x22\x2e\xc6\xcd\x6c\x2d\x0f\xbb\x6d\xb4\x38\x37\x78\xf0\xb4\x81\x1a\x0a\x3b\x2c\x3d\xe4\xc1\x46\x40\x99\xfa\x64\x55\x98\x2b\x50\x27\xa3\x23\x05\x07\x2a\x81\x9f\x9b\xe9\xab\x6e\x92\x3e\xc9\x08\x4f\x21\x41\x1e\x93\x46\x17\xc0\x55\x80\xec\xa9\x94\xf4\x02\xf2\x94\xc5\xdb\xd2\xa9\x34\x4e\xad\x4a\x61\xef\x14\x84\xe4\x00\x2c\x1d\x85\xda\xaf\xf6\xf9\xdd\x33\xfc\x0e\x2e\x2b\xe3\x77\xe0\x4d\xc3\x8f\x20\xfa\xc8\xdd\x33\x48\x61\xd4\xfc\xc0\xb0\xd2\x8c\x17\xbd\x56\x2b\xbe\xa8\x39\x66\xf8\x14\x7c\x79\xbb\xed\x70\x52\xe3\x12\x00\x68\x1d\x5d\x56\xe9\x9a\x3b\x48\x1a\xa3\xd3\xc7\x06\x87\x14\x6b\x98\xa9\x96\xfa\xa8\xdc\xb0\xd4\xfc\x9e\xe4\x1b\xd3\xc7\x6a\x7c\xe3\x78\x8d\x6f\x4c\xcb\xff\x83\xb8\x0b\xbf\x8e\xc9\xbf\x4e\xd4\xf8\xc6\x09\x90\x80\xe5\xa3\xe3\xd0\x23\x2c\x07\x7f\x1e\xaf\xf1\x56\x96\x4d\xe3\x7f\x2b\xce\x62\x7f\x7b\x0d\xbb\x7d\x07\x5e\xe9\x28\x5e\x2b\x18\x75\xe0\x67\x10\x5a\xcd\x7f\xdf\x35\xc1\x85\x21\xcf\x2b\x06\x24\x17\x22\x05\x5c\xcf\x43\xbc\xc5\xb2\x34\xa5\x60\x3e\x8d\xb2\x44\x48\xf7\x6e\x14\xdf\xd5\xec\x41\x9b\x35\xfe\x05\xc5\x1a\xbf\xd5\x5b\x51\x0f\x57\x76\xc1\x1c\x5b\xed\x1e\xd6\x84\xf2\x11\xe1\x8c\xd9\x0f\x58\x57\xe5\x03\x63\xec\xee\xcb\x06\xe5\x57\x40\x82\x95\x0b\xf2\xbd\xde\x0a\x55\xbb\xb2\xd3\x2b\x92\x46\xdc\xe0\xa7\x50\x91\x61\x2a\xc8\x72\xbe\xd2\xcb\x93\x15\xed\x85\x60\xe9\x92\x18\x91\x20\x95\x56\x24\x36\x81\xb2\x56\xc6\x23\x72\xab\xa5\x3d\xdf\x77\x19\x0a\xdd\x50\x83\x7d\x7d\x82\x8d\xf7\xf2\xc4\xff\xea\x44\xf0\xa5\x09\x6c\x73\x2d\xde\x10\xca\x01\xdc\x98\x56\xad\x26\x21\x49\x9a\xce\x3e\x7a\x7e\xf1\x8c\x1c\x52\x87\x1f\x59\x01\x47\x01\x71\x72\x6a\x4a\xde\x71\x27\xe5\xed\x3e\xd5\x0d\xcb\xf6\xca\x64\x83\x9f\xba\x18\x36\x4b\xb8\x8d\x11\x3e\x0e\x5a\xca\xec\x31\x0f\x1b\xaa\xbc\x7b\x56\x64\x65\x2b\x76\x92\x3e\x98\x59\x04\x44\x52\x73\xaa\x66\xc0\x1d\xfd\x6d\x9a\x7d\x32\xcd\x50\x26\x3e\xe2\xa2\x30\x87\x56\x56\x94\x06\x29\x25\x17\x45\x96\x6c\x88\x88\x6f\xc4\x21\x70\xa2\xe0\xe4\x30\x77\x6e\x09\x46\x9d\x75\xac\x1d\x56\xa0\xae\xb8\xc6\x57\x90\xb7\x52\xcf\x57\xe4\x9d\x85\x3d\x85\xba\x78\x9c\xd6\xa9\x4b\x50\x51\xa8\x4c\x6c\x1a\x5d\x89\x27\x61\x1f\xef\xec\x8d\x38\x4b\x60\xd2\x27\x1b\x6a\xe8\x9d\xb0\x8f\x59\x58\x11\xaf\xc6\xb2\x95\x31\xb6\x60\x5c\xb1\xb0\x4e\x34\xb5\xac\x00\xf7\x83\x9f\xcb\x59\x9e\x3e\x7e\x4b\xe3\x58\xe3\x58\x63\x7a\x05\x9d\x88\xa8\x66\xb9\x77\xe2\x62\xbd\xaf\x32\xe3\xc9\x7d\x02\x79\xfc\x80\x0f\x80\xf8\x0a\x39\xcf\x79\x2f\x75\x76\x2c\xf8\x68\x25\x09\x19\xfe\xf0\x6c\xcb\x32\x61\x6a\x9d\x3e\x7c\x4c\x4e\xee\xc2\x8a\x7a\x91\x57\x59\xa1\x11\xfa\xf4\x21\x00\x0b\x15\xb9\x81\xa1\x89\x4a\x5e\x73\x88\xe5\x47\xe8\x8e\x72\x47\x49\x16\x1c\x73\x87\xd6\x50\x23\x12\x16\x08\xf7\xd7\xcb\x53\x2e\xc5\x3f\x70\x1f\x13\x9b\x4e\x06\x46\x81\x3e\x2c\xc6\xab\x27\x00\x75\x43\x70\x1b\x6c\x0e\xb9\x83\xe9\xc5\x5a\x4c\x94\x30\x50\x5e\x16\x41\x83\xb1\x19\xc4\x81\x89\x0b\x7d\x41\xe2\x85\x63\xa5\xd7\x25\x64\xb7\x30\xed\xab\x5b\x53\x61\x0f\xad\x02\xd3\xce\x43\xd9\x4c\x03\x58\x7b\x59\x56\x6d\x4c\xa8\xb8\xcc\x20\xe1\x1a\xcc\x5f\xbe\x1a\x97\x39\xf0\x5a\x58\x0d\x11\x0f\x7d\xf4\x9c\x5c\xa1\xa1\x1a\xa5\x49\x47\x2e\x07\x3c\x53\x96\x90\x3e\x0e\x3f\x97\x4d\x85\xa8\xde\xcc\x72\xc9\xba\xc5\x4d\x80\x79\xe1\x60\xe7\x08\xe4\x8b\x93\xb2\xf9\xcd\x2c\x8f\xee\x0c\x94\xa6\x49\x07\x24\x9c\xce\xc3\xb5\x0e\x48\xd0\x47\x82\x1b\x1a\x8d\x46\x80\xb0\x92\xcf\xeb\x89\xbc\x6f\x1c\xb7\xe5\xdb\xa7\xd0\x5b\xc2\xaa\xa4\x1a\x6a\xa4\xa7\x75\xa8\xf0\x67\xf7\xb1\xc3\x3b\xc4\xf0\xf6\x7f\x6a\x5f\x70\x76\xd8\x8b\x4a\x16\x26\xcb\x16\x66\x01\x8b\x4b\xf9\x31\xd4\x69\xc8\xc1\x6c\xa1\xe0\x4f\x2f\x79\x07\x0a\xb0\x0b\x3a\x57\xdd\x2f\x8e\xb3\x13\x84\x0b\xfa\xc4\xe0\xdf\x2e\xf7\xd1\xfb\xdf\xae\xb1\x69\xe1\xcf\x5a\x28\xff\x1e\xf3\x93\xb0\x28\x8d\x27\x02\x78\x0e\xbc\xe0\xca\x0d\x6e\x77\x9e\x09\x95\xa7\x04\x19\xdb\x68\xdc\xc6\x9f\x81\x60\xfd\x81\xaa\xe2\x58\x2c\xf3\x47\x83\xdd\xcf\x0e\x62\x92\x7d\xe1\x9f\x0b\x66\x66\x78\xbb\xd7\x09\x53\x48\x41\x0a\xfa\x33\x7a\xa7\xac\xd9\x72\xbb\x44\xa2\x0c\xe3\x44\xc5\x54\x41\x44\x9a\x6e\xcc\x19\xee\x69\x76\x00\xb3\x07\xaa\x9c\x61\x76\x2e\x41\xbb\xb7\x87\xc9\x30\x38\xa2\x9e\x33\x8c\x16\xc1\xbf\x2b\xb8\x89\xac\xeb\x06\x1f\x0d\xab\xa8\xa9\x5b\x63\x39\xef\x89\x1a\x3f\x1d\x26\x85\xa8\xf1\xf3\x29\x18\xd5\x9d\xda\xfe\xc6\x63\x93\x3b\x9e\x60\xff\xd7\x3d\xff\x90\x64\x3f\xea\x72\x8e\x83\x9f\xf1\x8c\x7b\xc6\x66\x1e\x76\xbb\xc0\x41\x64\x3d\xc9\x58\xc6\x1d\x01\x9f\xa8\xd4\xdc\xa8\xa2\x2c\xd0\x63\xb1\x29\x4f\x7f\x5e\xb4\xd1\x4c\x5e\x66\x04\x04\x96\x46\x80\xf2\xd5\xe0\xfc\x3e\xac\x0d\x89\x1a\x64\x58\x8e\x08\xb0\xb2\x03\x28\x9d\x84\x71\x15\x36\xcb\x2c\xef\xf3\x8e\x28\xdb\x1a\xb7\x06\x56\x40\x36\xdc\x0d\x9b\xeb\x98\x18\xa3\x85\xbe\x2a\x16\x88\xd0\x38\xbb\xe7\xf2\x45\xfc\xe1\x6c\x8c\xff\x8a\xf1\xe0\xb6\xea\x43\x1d\xa0\xe0\xb0\x34\xca\x3e\x29\x05\xe7\x66\x9f\x54\x38\xce\x51\xfa\xc8\x18\xbb\x91\x14\xef\xb5\xe0\x09\xa3\x6c\x9e\x74\x33\xdb\x23\x9a\xb5\x55\xee\x37\x07\x93\x46\xe1\x6e\x7d\xef\x68\xe0\x87\x54\xf2\x2b\x1e\xdb\x27\x57\xc9\xff\x80\x36\xff\xfe\x98\x37\xdf\xaa\xe2\xa8\xd9\x26\x57\xc5\x4d\x20\xe6\x74\x86\x79\x97\xf5\x05\xa5\x22\x3f\xca\x8c\xdf\x78\xe3\x09\x58\xbf\xd5\xb0\xb9\xbe\x29\x99\x20\x10\x39\xca\x78\x35\x4e\x40\x85\xb7\x22\x6b\x5d\xb1\xe1\x13\x29\xe9\xb3\x63\x67\x9e\xae\xdf\x7c\xd3\x4d\x27\x6e\x92\xec\x14\x99\x73\x27\x5d\xf1\xe0\xeb\x13\x4e\x96\x0c\xcb\x65\xa0\x15\xaf\x9d\x0d\xbb\x10\x4d\xf2\xe9\x89\x60\xd6\x79\xa2\xd8\x4f\x2b\x6d\x28\x21\x20\x5a\x71\xf4\xea\x83\xad\x03\xe7\xdf\x78\x90\xb5\x94\x73\xfc\xf7\x04\x5c\x83\x4f\x94\x16\x90\x8b\xae\xca\x75\xdd\x69\xb0\x1a\x3b\xba\xad\x85\x57\x7f\xbc\xe7\xa6\xb9\x8b\x98\x96\xf7\xd8\x31\x2d\x6f\xdb\x65\x4c\xcb\xda\xa3\x85\x14\xb4\xe7\xd9\xbc\x3b\xcf\xe6\x87\xbc\xf3\xdb\x7b\xe7\x1e\xf7\x8f\xa9\x08\x13\x87\x48\x6c\x15\x63\xf2\xd1\xab\x1d\x38\x62\x2b\x61\xa7\x0a\x2f\xf9\xb1\xab\x83\x4f\xed\xdb\x0b\xf1\xd8\x0b\xf1\x78\x64\x43\x3c\x7e\x7f\x0f\x3c\x6a\x2f\xfc\xe1\x1b\x78\xaf\x7e\x63\xe3\x8b\x9e\x43\xf1\x45\xf7\x6d\x01\x55\x3e\x48\x9b\x77\x1e\x5a\xf4\x90\xf7\xac\xed\xef\x8f\x5b\xfd\x9b\xaf\x28\xba\x83\xb1\x3f\x1a\x67\xc7\x46\xe3\xec\x2f\x9d\x3a\x13\xa7\xbd\x8b\xd5\x84\x07\xef\x1e\x0f\xbe\x67\xf8\xab\x47\x30\xdd\xc1\x2f\x8d\xb1\x90\xe0\xfe\xef\x0f\xce\x5c\x11\xdc\x3f\xe2\x58\x6f\x09\xf2\xff\x79\x8f\x5d\x5b\x08\x18\x9a\x1a\xed\x47\xbd\x1d\xa0\xd0\xd3\x74\xd0\x37\xc1\xab\x3c\xb7\x12\x85\x22\x1d\x29\x45\x5d\x58\xdc\x66\x9e\x39\x59\x11\x76\x88\x96\x58\x86\xc5\xba\x81\x4a\x14\xf5\x6e\x16\xd5\xf5\x8d\x39\x05\x96\xf1\xb8\xec\xc3\x23\x71\xb1\x9c\x62\x7f\xb1\x8f\x9d\xdb\x1d\x74\xd3\x80\x14\x7a\x69\xdf\xae\xa4\xd0\x4b\x9e\x91\x1f\x87\xb9\xee\x7d\x68\x9c\xdd\x41\x82\xe9\xcd\xc1\xe4\xa8\xc4\x8e\xca\xe7\x51\xa3\x26\xd8\xab\x79\xd6\x16\x51\xef\x0c\x4e\xa4\x3b\x15\x51\x87\x57\x77\x3f\xc1\x63\x3f\x3d\x98\x53\xaa\xc6\xd0\x98\xe3\x40\x43\x09\xcf\x1d\xf7\x6b\xa5\x8d\x55\x66\x15\x58\xa4\x66\x59\x31\x78\x7c\x4a\xc9\xc1\x0f\x6a\x39\xf8\x5d\x5e\x97\x0c\xb9\x76\x23\x8e\x7f\xf5\x0e\x1b\xda\x85\xa4\xeb\xf8\x31\x6e\x23\x50\x3b\x52\xf1\xff\x6f\x6c\xa8\x54\xbc\xd4\xcc\xba\x3a\x39\xa5\xff\xce\xb1\x20\x9d\x21\xf4\x8e\x82\x1e\x56\x53\x1f\xcc\x9c\x9b\x33\x8b\x83\x45\x0a\x27\x51\x2c\x21\xf3\x22\x34\x49\x5d\x5f\x87\x56\x7d\xb0\x92\xa0\x1d\x1d\x96\x57\xf2\x3a\xc0\x11\x39\x75\x51\xd6\x88\x20\x4d\xff\xc5\x0b\xee\x9c\x31\x40\x0f\xd5\xee\x99\xea\x20\x06\xdb\xc2\x1e\x31\xd0\x20\x8e\x94\x7d\x9a\xcd\xb1\xbb\xb6\x27\x21\x30\x00\xe5\x31\xad\xe6\x68\xd1\x34\xc7\x1e\x3c\xc4\xb6\x0a\x5b\xad\x26\xea\x07\xc5\xc3\x6b\x0e\x05\x33\xc3\x5e\x0c\xc3\x09\xad\x96\xdb\x5a\xed\xf0\x9b\x7b\x78\x7d\xbb\xe6\xfb\x5e\xa0\xf4\x36\x79\xf0\xdd\x43\xf5\x36\xd5\x25\x71\xa0\x0e\x9e\xcc\x6e\x63\x4f\xda\x71\x54\x73\xb5\xaa\x3d\xa6\x73\x17\x4c\xe7\x6f\xd9\xca\x9c\x0f\xef\x52\x99\xf3\x1f\x86\xe3\x93\x3c\x5a\x68\xd0\x0f\x79\x9d\xed\x59\xcc\xa7\xfa\xf7\x6c\xc7\x62\x0e\x23\x33\x43\xa3\x89\xff\x9a\xb9\x0e\x15\x43\xd2\xc8\xeb\xb0\xaa\xa1\x31\x7f\xef\x62\xc1\x3f\x8c\x6d\x59\xe4\x1b\x14\xfc\xa7\x93\x62\x99\xa0\xab\x38\xfd\x97\x1c\x12\x38\x2c\xdb\xf9\x25\xef\x90\x1e\xbe\x9b\xbd\x70\x2f\xf5\xfc\x5e\xea\xf9\xbd\xd4\xf3\x55\xeb\xea\x2a\x33\xe7\xc5\x3f\x1f\xdc\x63\xd1\x8e\xc1\xda\x1c\xc2\xa2\x76\x9b\x66\x90\xe9\xc8\xe3\xf6\x72\x5c\x55\x0f\x39\x88\x44\xda\xb2\xb3\x44\x09\xbb\x96\x30\xe0\xef\xc3\x87\x82\x65\x2b\x45\x78\xa8\x66\xce\xf6\x31\xd2\x59\xcf\xca\x0c\x13\x6a\xd4\x78\x27\x4c\xc3\x35\xf2\x5f\x4c\x8d\x3b\x8e\xd1\xb9\x5e\xf2\x0e\xe0\x1f\x0e\x3d\xf8\xf4\x04\xfb\x71\x8f\xd1\x1b\xff\x87\xbd\xe0\xe5\x1e\xea\x44\x87\x0d\xdc\x52\xe0\x52\xb6\xd9\x54\xae\x96\x9d\x4d\xbf\xc1\x67\xb3\x14\x32\x1e\x81\x77\x48\x3f\xeb\xe5\x80\x0f\x6a\x1b\xbc\xd1\x14\xac\xb4\xb8\xa8\xf0\x05\x3f\x4e\xd7\x29\xc9\x0d\xce\xf4\xd8\x81\x56\xb1\xdc\xef\x0a\xff\x57\xbc\xe0\xe7\xbd\xd3\x71\x22\x94\x6b\x5b\xbf\x6b\x26\xa2\xc1\x4f\x5d\x6c\xf0\x40\x5c\x2c\x6f\x0c\x6a\x3c\xb8\xd8\x2a\xe4\x3f\x69\xd9\x2a\x02\x9d\x20\x4a\x59\x96\x51\xa9\x8d\x91\x42\x3a\x78\xa8\x1b\x16\xa4\x15\x81\x73\x64\x52\xd6\x5b\x83\xb7\x9c\xf4\x22\x51\x8a\xbc\x13\xa7\xa8\xe7\xa0\x24\x53\x10\x5f\xaf\x7a\x97\x41\x50\x9e\x1b\x68\xff\x93\xe3\xec\x71\x69\x16\x89\x85\xde\x6a\x12\x17\x6d\xcc\xfc\xb0\x28\x5a\xfe\x0f\x8c\x5f\x61\x7e\x91\xe0\x33\x63\xe7\x86\x54\x38\xd2\xc3\x4e\xbe\x57\x4c\xa3\x65\xf8\x2c\x04\xf8\x1e\x6c\x0c\xf8\x42\x82\xdb\x0d\x7d\x6d\x6f\x03\x74\x05\x4e\x84\xd1\xfc\x73\xab\x1f\x94\xae\x4f\xde\x8b\xf2\xe9\xf9\xb4\xeb\x3c\x07\x07\x27\x27\x45\xed\x80\xe7\x90\x52\x12\xe9\x7c\xb5\xa9\x4a\x76\x83\x58\xc1\x04\x16\xa2\x6c\x00\x43\x07\x56\x20\xec\x16\xb8\x6a\x83\x03\x08\x14\xaa\x21\x6a\x2a\x7e\x60\x65\xd3\x01\xdf\x03\xd8\x04\x0d\xd6\x61\x13\xb9\x08\xa3\x7b\xd3\xa4\xef\x87\xc1\x92\x89\x00\x0d\xc1\x39\xa4\x8e\x08\x9f\x4e\x1a\x61\xb5\xcd\xd5\x71\xb0\x85\xf7\x56\x98\x14\x82\x1f\x91\x9f\x4e\x6d\xe6\x71\xa9\xcc\xd8\x2a\x3a\xe1\xd7\x3c\x76\xdd\x86\xe2\xe0\x80\x9b\x14\x80\x22\xfe\x2a\xef\x42\xe5\x29\xf0\x7f\xa2\xa0\x65\xa8\x2b\x8a\x28\xb7\x76\x57\xe4\x65\x2c\x2c\x00\x5e\x77\x47\x9b\xc5\x33\x47\x15\x4e\x29\x3e\x3c\x5c\xf0\x28\x6b\xf6\x3a\x5a\x18\x94\xe3\xd1\x91\x66\x4a\x50\x7b\x47\x05\x70\xc2\x22\x29\xec\xa5\x87\xd8\xad\xf6\xa6\x35\xce\xa9\xe0\xb9\x34\x6b\x7e\x2f\xc5\x6b\x72\xd3\x2d\xe2\x05\x02\xa2\xf2\xc7\x26\x82\xc5\x2d\x4b\x0c\xcd\xad\x31\xea\x03\x25\x3c\x0f\x95\x9d\xbf\xb2\x67\x33\xd9\xb5\xec\xfc\x06\x8d\x75\xff\x2a\x2f\x38\x19\x9b\x94\x1b\x97\xb9\x40\x97\xa1\xa9\xd9\xe9\x76\xda\x13\xad\xbf\x49\xd0\xec\x37\xb6\x17\x6c\x97\xfc\xa7\x6b\xc1\xd6\x59\xe0\xaa\x01\x65\x2b\xca\x50\x35\xab\x7c\xe9\x50\x05\x2f\xcb\x4d\x3f\xfa\xf4\x5e\x56\x86\x40\x73\xde\x77\x28\x38\x31\xf0\xd4\x85\x0d\x77\x5e\x43\x02\xc4\x11\x0a\xb9\x1f\x9c\x60\x1f\xd2\x67\xe2\xdd\x5e\xd0\x1d\x92\x86\xc6\xad\x4c\xe9\xf7\x2e\x37\x43\x13\x9a\x89\xa6\xd4\x56\xad\x3f\x4f\xd6\x56\x4c\xd9\x27\xe9\x38\x3b\xc6\x1a\x3b\xce\xc7\x0a\xdd\xd9\x3b\x35\x7b\x88\xb9\x7b\x88\xb9\x0f\xa3\xe7\xd1\xfd\xdb\x53\xbf\x9b\xfd\x1b\xeb\x96\x57\x91\x22\x76\x03\x24\xa9\x4a\xe0\x5e\x7f\xc8\xf6\xe1\xdd\x02\xaf\x06\xa8\xdc\x9f\x4c\x04\x87\xad\xdf\xc3\xae\x69\x7a\x3d\x9c\xb2\x7d\x64\xcf\xd4\xb0\x6b\x76\x29\x51\x37\x43\x33\xf8\x8e\xa1\xa6\x06\xb5\x02\x36\x15\xbf\x85\xdd\xc4\x4e\x8c\xa4\xe2\xa3\x57\x7d\x8f\x94\xef\x82\x94\xff\xb6\x4d\xca\x3f\xba\x4b\x52\xfe\x4d\x91\x6f\xf2\x21\x6f\x6d\x7b\x52\x34\xe7\xdf\xa5\x9c\x20\x2d\x5a\x31\xcc\x80\xa0\xfd\x20\xad\x0d\x48\xdc\x1a\x7b\xed\x21\x36\xbd\x8d\x6d\x41\xbb\xfb\x18\x83\xc2\xef\x4f\x04\xaf\xf4\x06\x9f\x6f\x6f\x45\x20\xad\xa0\x63\x02\x30\xc3\x54\xbb\xf7\x88\x13\x0f\xd4\x8e\xcb\xa2\xde\x95\x92\x33\x60\x3b\x80\xa3\x65\x5a\x81\xb6\x9a\x6c\x5c\xf2\x0e\xa0\x1a\xef\x92\xc7\xb0\x95\x73\xa0\x71\xbf\x9a\x7a\x01\x7a\x58\x87\x4a\xfe\xf0\x41\xf6\x01\x8f\x5d\x1d\xda\xda\xdf\xcb\xf2\x33\x1e\xa2\xfd\x5d\x0b\xaf\x50\xeb\xbb\x8d\xb2\x97\x1f\x01\x8d\xee\xf3\xa8\x9d\x49\xf6\x2a\x8f\x39\x23\xf3\xff\xe3\xee\x3a\x7e\xa7\x5d\xd9\x96\x1d\xa7\x9e\x56\x3a\xd4\x60\x67\x98\x35\xef\xfe\x1d\xc1\xb4\xf9\x35\x4c\x3f\x49\xd5\x8c\x52\xf2\xfe\x3f\x63\x6c\x42\xf9\x10\xf8\x7f\x36\xc6\xee\xbc\x92\x43\x1d\xae\x8a\x44\xa7\xf3\xff\xc9\x31\xed\x93\x60\x1c\xa1\xe2\x74\xad\xae\x02\x7b\x21\xde\x53\x85\x5a\x21\x09\xb0\xb6\x26\x38\x43\x19\xb7\x86\x61\x88\x8a\xfc\xbe\x36\x40\xc6\x69\x9b\x84\x73\x42\x60\xc2\xc1\xcd\xd5\x68\x2e\xd1\xc3\x34\x8c\x30\x24\x28\x4c\xac\x9c\x21\x74\x6b\x2a\xcb\x12\xc5\x1f\x6a\x5c\x7a\xad\x45\xd2\x05\x9a\x59\x57\x9e\x5a\xec\x44\x2f\x05\x25\xfd\x73\x7b\x45\x69\x55\x03\x6b\x51\x8d\x57\x5e\x0b\x31\xcf\x3d\xd6\xd3\x60\x0f\x78\x8c\x4e\x92\xbf\xc1\xee\xb9\x0c\x70\xca\xe9\xc6\xac\xdc\xbc\xc4\x62\x54\x75\x9e\x47\xc9\x6e\x47\x73\xaf\xc2\xdc\x22\xdb\x4f\x90\x78\x0b\xf6\xc0\x3e\xb6\x1d\x0e\xe6\x42\x16\x15\x0e\x49\xfa\xef\xe3\xc1\x25\xaf\xfa\xf4\x4a\x08\xd2\xce\xac\x8f\x0e\x85\x82\x30\xb0\x10\x93\xee\xd4\xbb\x79\x86\x39\xb0\x2d\x9a\x05\xe4\x09\x9b\x1a\x01\x0b\xfa\x83\x63\xdf\x2c\xb0\xa0\x2f\xf6\x18\x75\xd5\xef\x8f\x76\x0f\xdd\xa2\x17\xf3\x3a\x6a\x33\xb8\x55\x9d\x72\xf5\x08\x7b\x41\x93\x48\x2f\x57\xfb\x64\x5f\x00\xd8\x41\x3c\x5f\xec\xe7\x0f\x38\x8e\x96\x4a\x00\xbe\x2f\x4e\xa3\x6c\xb3\x58\x22\x7f\xbd\x59\x74\xd7\x53\xae\x87\xff\xb8\x3f\xb8\x77\xcb\x12\x6a\x32\x38\x95\x32\xca\x58\x65\xf5\x05\x5c\xaf\x5c\x40\x7f\xc3\xa4\xe2\x00\xf5\xa6\xfd\xac\xc3\xbe\x65\xad\x53\x84\xb3\xba\xc8\x52\x57\x20\xc5\x5b\x0a\x4e\xdf\x7d\x76\x69\x66\xf0\xcd\x30\xea\x27\x4b\x5a\xed\xc0\x71\xa6\xb0\x56\x87\x0c\xfe\xf2\x18\xbb\x26\xef\xa5\x33\xc5\xf9\x42\xe4\xd0\xcc\xcf\x8e\x05\x3f\x3a\xb6\xdc\x16\x5c\x3d\xe1\x66\x38\x26\xac\x99\x10\x83\x91\xaf\x1b\x30\x85\xd1\x16\x75\x15\xde\xb2\x08\xc4\xd3\x3a\x16\x7c\x48\xb5\x6e\x5c\x2c\x62\x07\xb1\xa0\xc1\xcf\x5a\x51\xdc\x44\xf8\x16\xb2\xa8\x32\xf9\xa0\xf1\xa7\xb7\xab\x59\xd9\xe6\x95\xf7\x88\x82\x34\xf0\x99\xce\x63\xd6\x13\x6e\x9f\xaa\x9f\x97\xe1\xba\x00\x7c\xac\xa6\x9c\xcf\x0a\xb4\xe4\x9f\x7a\xcc\x1f\x5c\x31\xff\x33\x5e\xf0\xeb\xde\xe0\x7a\xc9\xb5\x42\xc8\x0e\xbd\x4a\x26\x63\x9e\xf2\x18\x3c\x62\xf1\x7e\xed\xde\x6a\xa3\x99\x75\x2c\xf5\x4f\xbd\x88\xd7\x8a\xa9\x4d\xda\x60\xb2\xe9\x49\x1e\xa7\x89\x16\xb7\xc0\xc5\x14\xb0\xbb\xb6\xd8\x0a\x72\xaf\x68\x57\xbd\x11\xdb\x0a\xac\x30\xce\x58\x7f\xfc\x80\x13\xe3\x02\x11\x17\xe0\x29\xd7\x16\x51\x4f\x9e\x54\xff\x81\x03\xc1\xb2\xf9\x39\x90\x5e\x4d\xbf\x68\x66\x69\x51\xe6\xa1\xc6\x43\x95\x55\x69\x14\x3b\x64\xdb\x16\x7b\x69\x19\x77\xc4\x6c\x12\x16\x95\x63\xf2\xc6\xfd\xec\x8f\xc7\xd8\xd5\xf2\x1b\xed\xba\xf8\xf9\xb1\xe0\x17\xc6\xec\x27\x20\x47\x15\xae\x8f\x31\x79\x8f\x2b\xcb\x7f\x96\x52\xbb\xf0\x96\x1a\x47\xe1\xc5\x69\x5c\xee\x9d\xc2\x4e\xa8\x6e\xbf\x05\xa4\x1d\xe5\x53\x40\x23\xc4\x8b\x0f\x43\x52\x30\x2d\x9a\x85\xf9\xa8\x48\x10\xc2\x28\x38\x55\x39\xfd\x07\x00\xf8\x7c\x4d\x44\x0a\xa4\x06\x71\xc3\xc5\xc5\x18\x43\x2c\xed\xc2\x0d\x3e\x93\xa2\xf1\x29\x89\x9b\x25\x65\x77\x6b\x86\x3a\x5e\x3e\x53\xe0\x5e\x28\x05\xe3\x36\xd7\x1b\x6f\x4b\x13\xce\xcf\x8d\xb1\xab\xca\x2c\xd1\x39\x27\xdf\x3c\x16\x7c\xd0\xb3\x1e\x20\xc8\x60\xb7\x8b\x10\x62\x47\x00\x64\x17\x0c\xf4\x51\xaf\x9b\xe0\xdd\x38\x09\x46\x43\x3b\x39\xbd\x01\xf7\x72\xc6\x1f\xf5\x40\x1a\xd5\x1d\xab\x71\xd1\x6a\x89\x66\x19\x6f\x88\xa4\xcf\x7b\x69\x9c\xa5\x4a\x34\x95\xc7\x3d\x6b\xa9\xf5\xc3\xee\x98\x1d\x2d\x07\x4c\xe0\x36\xd5\x7d\x64\x84\xe9\x29\x56\x67\x4f\xdc\x1e\x4e\x57\x0f\x75\x87\xf8\x80\x2f\x3b\x64\x03\xa7\x6f\x15\xe6\xe0\x04\xfe\xf8\x9f\x9e\x08\x7e\xd3\xab\x04\x03\xe9\xbb\x95\xc2\x8b\x2a\x86\xd8\x44\x80\xbd\x4e\x5d\x7f\x60\xed\xcf\x36\x53\x93\x3c\x11\x90\x7a\x9c\x27\xfa\x10\x10\xf7\xa1\x83\xa8\xd0\xed\x3a\x54\xdc\x13\xac\x67\x5a\x42\xd8\xd3\x6a\x35\xe1\x60\x8d\x17\x19\xc5\x4f\x01\xf0\x81\x55\x01\x12\x8d\x4b\x9e\xa5\x1c\x72\xe1\x60\x2f\x79\xe3\xbd\x38\x72\x73\x4d\x1c\x60\x09\xf9\x6d\x44\xc1\x7d\xe7\x06\x61\x7d\xcb\x01\xc9\x78\xb8\x42\x5c\x5e\x2f\xf5\xb5\x5e\x1c\x89\x29\x03\xed\x50\xdc\x00\xbd\xb3\xe9\x58\xcc\x64\x1f\xfc\xd5\xe0\xfc\xf9\xf9\xb9\x87\xb7\xad\x5e\xec\x2a\x0f\x6e\x71\xd4\x64\x93\xc1\xe3\x6d\x58\xb1\x6a\xcb\x8e\x07\xfa\x18\xf3\x57\x93\xac\xb9\x0e\x5b\x62\x4e\x24\x02\x5c\xb2\x3e\x30\x16\xfc\xd4\xd8\x7c\x8b\x97\x10\xd5\x3f\x73\x6e\x4e\x5e\x99\x10\xf1\x26\x8b\xe9\xd8\xb8\xa0\x95\xe5\x62\x0d\x02\xf1\xd5\xa7\x01\x6f\xc5\x69\x98\xc4\xcf\xd7\x00\x37\xe6\xb3\xa6\xd6\xbc\x44\xb2\xb4\x42\x48\x80\x38\x3f\xd1\xaf\xd3\x1d\x59\xca\x79\x91\xa7\x29\x51\xfa\x3b\xb5\x4f\xe1\x47\x27\xdb\xb0\x72\xfd\x19\x23\x77\x83\x2f\x67\x70\x5e\x4b\x6d\xdb\xaf\x29\x6c\x8d\x54\x88\xa8\xe0\x01\xb6\x1a\x68\xf8\x0f\x33\x37\xd0\xbf\x1a\x62\x4c\x6e\xc6\x85\xe0\x37\x1e\x3f\xce\x8f\x9c\x4f\x89\xc5\x00\x7f\xb9\x53\x28\x22\x6a\xc9\x23\x17\x65\x2f\x4f\x45\x05\xee\xef\x02\x63\x04\xf8\x96\x88\xdc\xbf\x27\x38\xa9\x67\xb1\x32\x18\x37\xf8\x0e\x7c\x69\xe8\xca\xa2\x8f\xdd\x7a\x7f\x58\x21\x01\xbf\xd2\x0b\x1e\xd0\x48\xc0\x5b\xee\xa8\x47\x49\x71\xf5\x33\x87\xd8\x77\x6f\x15\x3e\xbe\x90\x67\xcf\x45\x8d\xaf\xff\xc0\xa1\xe0\x7f\x8f\xcd\x44\x61\x17\xbc\x8c\x4c\xa0\x7b\x9c\xc2\x45\xd6\xc5\x92\x22\x52\xae\x0c\x88\x0f\x53\x65\x35\x88\xef\xd6\x9f\x1f\x2e\xf8\x9c\xe4\xea\xd0\x9f\x43\x2d\x8f\x71\xec\x03\x84\x97\x6a\xdd\x92\x06\x81\xcf\x8c\xe5\xed\xb8\x2e\xfa\x85\xa2\x58\x56\x8d\xb4\xd9\x21\x83\x05\x1c\xf2\x9a\xc2\xe4\x91\x8f\xd1\x04\x2d\x12\x70\xd6\x07\xa1\x98\xe2\x52\xe9\x46\x35\x22\x2e\xa6\xf6\x80\x61\x40\x4b\xe0\xe3\x52\xb6\x1d\x94\xd3\x92\xd0\x27\xf1\xb0\x37\xc3\x04\xaf\x78\x74\xf8\xe8\x84\x5d\xd5\x7b\x52\x96\xca\x16\x14\x1a\x88\xf2\x04\xea\x48\x7e\xc9\x85\xdc\x3f\xc0\xde\xb1\x4f\x29\x82\xdf\xb2\x2f\xf8\xc3\xf1\x2a\x64\x17\x48\x8b\xe6\x0c\x76\xc3\x38\x1f\x32\x11\x83\x90\xca\x66\x09\xcd\xb4\x67\xfa\xee\xa7\xbd\x6d\x26\x3c\xc4\x49\xdc\x04\x4f\x54\xdb\x73\x6e\x5d\xf4\x09\x8b\x18\x96\x5a\x3d\x86\xde\x20\xdf\xed\x22\x43\xc8\x2b\x51\x44\x38\x8d\x5b\xb4\x6c\xf8\x6d\x98\x68\x54\xd3\xf7\xd2\x81\xaf\x89\x2a\xd1\x96\x81\x06\x43\xe8\x93\x8d\x2e\x4f\x3e\x58\x84\xc1\xa3\xfd\x3a\x71\x96\xf4\x44\xd4\xec\x21\x17\xa2\xec\xd1\xd4\x00\xee\xb3\xda\x37\xa8\x3d\xe9\x84\xf9\xba\x88\xb4\xf7\x51\x83\x2f\xc8\x4e\xea\xab\x33\x17\x49\x08\x7e\x51\xca\xb6\x20\x9b\x55\x92\x9f\x6c\xe4\x70\xa3\x71\x18\x43\x8f\xb2\xdc\x06\x1a\x94\xcf\xaf\x00\xef\xe1\x69\xa2\xbf\x9c\xc9\x2e\x48\x11\x1e\xef\xc9\xef\x0d\xb2\x1d\xdd\x93\xdb\x59\x8e\xb3\x0d\x91\x6f\xc4\x62\x73\x8a\xf4\xb6\x75\xd9\x4f\x85\xf2\x3e\x05\x67\x6a\x6a\xf0\xfe\x5c\x62\x13\x6a\x6e\xfc\xbb\x83\x27\x2d\x11\xba\xef\x66\x5b\xa8\xc8\x6a\x1b\x2b\x23\x07\xd0\x4c\x58\x53\x35\x83\x84\x83\xee\xd0\xd1\x9f\x1a\x63\x37\x0c\x19\xfc\xb9\x2c\x12\x58\x19\xf9\x44\x3e\x30\x16\xf4\xaa\x0f\x2d\x41\x43\xfb\x48\x12\x77\xe8\xba\x64\xb9\x98\x6a\x45\x6f\x15\xcf\x8f\xc5\xb6\x2a\x51\x74\x52\x77\x16\xe0\xc7\xe3\x64\x48\x8a\x90\xa6\x1a\xa4\x9f\xec\x20\x31\x83\x9e\x92\x6a\xef\x83\x86\x45\x70\x07\x7c\xf4\x42\x70\x97\x3b\x5c\x98\x29\x65\x7f\x74\xc0\x49\x11\x32\x5a\x55\xb2\x8c\x7a\xb6\xf7\x1f\x08\x42\xfb\x81\x63\x9e\x23\xa2\xad\xcc\x65\xa4\x36\xa6\x9f\x59\xae\x9f\xf4\x2c\x97\x6f\xd4\x62\xba\x2a\x42\x02\x88\x72\x66\xe9\xc3\xfb\xd9\x03\x1e\xdb\x0f\x95\xf9\x9b\xbb\xd3\x20\xdf\xba\x61\xab\x8e\xed\x5e\x6f\xa7\x39\x7e\xc3\x18\xf3\xc3\x41\xef\xf6\x17\x69\xef\xf6\xaf\x7a\x83\xaf\xb7\x6a\xe8\x9b\xc7\xab\x7d\x16\xf5\x6d\xb0\x9f\x93\x3e\x45\x11\x42\x3a\xe8\x4a\x9f\x2c\x97\x6b\xc7\x4d\xfd\xfd\x55\x0b\xc5\x4f\xee\xd2\x42\xd1\x1a\x66\xa1\xd8\xc1\x24\x5e\xae\x81\xa2\x49\x78\x63\xcf\x0a\xce\x81\xd3\xaf\x15\xa6\x68\xd3\x21\xaa\x16\x8a\xc4\x05\xb7\x16\xb8\x86\x49\x19\x60\x8f\xdb\xbe\xf4\x36\xa1\xfb\xab\x27\xb0\xfa\xd6\x89\x29\x97\xf0\xd1\x6c\xd8\x0d\x9b\x71\xd9\xf7\x3f\xfc\x84\xe0\x4b\x07\x07\x9f\x2b\x1f\x4d\x5a\x4a\xc9\x0d\x64\x2d\xa0\x41\xb3\x4b\xf3\xfc\x6e\x51\xea\x82\xcd\x30\x49\x1a\x80\x73\xac\x72\xc4\xa8\xaa\xa4\x00\x4b\xcc\xaa\x0b\xe2\x66\x22\x47\x9a\xaa\x16\xe4\xac\xc2\xbc\x8c\x9b\x3d\x74\xc3\xef\x66\x49\xb6\xd6\xe7\x85\x00\x5c\x3a\x3b\x23\x88\xd2\xd5\x13\x08\x37\x60\xf7\x22\xd0\x2f\x2a\xaa\x32\x04\x21\x49\xcb\x38\x2c\x05\xa0\x04\x2e\x48\xf9\xa5\x90\xfc\x00\xfa\xa2\x16\x0d\xc6\x2c\x64\x66\xec\x23\x24\x1b\xc1\x28\x4e\x0e\xc0\xe5\x05\x21\x97\xd7\x9d\x11\xf1\x40\x59\x43\x02\x90\x5e\x82\xe9\xe3\x27\x6e\xe4\x77\xc7\x77\x05\xd6\xb8\xe2\x94\x07\x6a\x08\x0d\xf7\x3e\x7b\x7e\x96\x8a\x27\xf7\x8a\xba\x08\x8b\x72\x3a\x18\xa8\x1c\x20\x1d\x8b\x42\x57\x7e\x6c\x58\xd5\x6e\x8d\x2a\xf7\xda\x93\xd7\x01\x10\x25\x5c\x6d\x4e\x1f\x3f\x11\x20\xc7\x8b\xd0\xc0\xc8\x96\xe6\x42\x00\x80\x32\xee\x56\x84\xc4\x06\x56\x31\xcd\xac\x85\xb0\xf1\x44\x30\xf3\x8f\xc2\xd5\x6b\x66\x9d\x55\x4a\xda\x28\x27\x25\xcd\x94\x88\x0e\x2a\x9e\x82\x98\xd4\x5e\x5c\x52\x50\x10\xad\x20\xa8\xb1\x71\x8c\xbc\x89\x6a\x23\xc9\x09\xd4\x09\xe5\x37\x75\x6b\xa9\xf1\x55\xe2\x42\xed\x2e\x81\xf9\xe6\xf2\x3e\x79\xbe\xc8\x33\x9c\x83\x6e\x9e\x45\xbd\x26\x65\x09\x04\xac\x62\x95\x15\x46\x2e\x79\x24\x9a\x71\xa4\x30\xdf\xc2\x6e\x37\xcf\x42\xe4\xcd\xd0\xac\x44\xc3\x41\x01\xa2\x0f\xca\x23\xb9\xe5\x7a\x96\x3a\x12\xf0\xd8\x94\x26\x2d\x57\xf2\xed\x90\x33\x05\x70\xc6\x2d\x11\x4a\xb1\x88\x03\x10\x79\x5c\x70\x91\xca\xfa\x23\x52\x4f\x00\xca\x81\xed\xa4\x9e\x49\x09\x07\xd8\x50\x35\xb8\x7a\xb8\x09\x58\xcb\x46\x39\x09\x13\x3f\xbb\x34\x8f\xc1\x0f\x8d\x4a\xb3\x8d\x4b\xde\x75\x85\xb5\xc7\xce\x55\x03\xe5\xff\xfb\xb7\xb0\xdf\x24\xf5\xe4\x32\x2d\x9a\xff\xfe\x87\xc3\xc2\xf8\x7f\xbc\x73\x56\x9d\xfa\x12\xc7\xa9\x46\x4d\x18\xe6\x7e\x68\x36\x85\xf1\xd0\x57\x7b\x45\x6e\x3e\x2c\xaa\x97\x75\x13\x42\x2e\xd0\x9d\x5b\x47\x44\x80\x61\xcf\xfe\x50\x61\x5b\x42\xad\x80\xcc\x09\xca\x81\x30\xed\x23\x83\x55\x89\xd4\x90\xf5\x80\x87\xfe\x40\x2d\x03\x35\x00\x83\x1f\x89\x01\xb7\xff\xb8\xd3\xe9\xd1\x36\xf9\xec\x18\x1b\x98\x6d\xff\x97\xc7\x82\x77\x83\x8d\xc2\x36\x79\x38\xe7\x5e\xe3\x00\xaa\xe1\x99\x41\xdb\x69\x91\x14\xc4\x7e\x47\x88\xd2\xa8\xc3\x9c\x90\xf2\xd0\x35\xae\x84\x6e\x3b\xca\xa1\x40\xf2\x88\x34\xe8\xb9\x73\x4b\x92\xb1\x8c\xb2\x4e\x18\xa7\x93\x14\x8d\x10\xea\x38\x84\x34\x03\xf0\x25\x91\xeb\xd3\x36\x62\x77\x1b\x08\xa3\x6c\xb5\xc8\x20\xaa\x02\x8e\xbe\x06\x0d\x20\x8d\x8b\x3c\x36\x92\xc1\x06\xe0\x8e\x2c\x1f\x3d\x97\xf6\xc5\xb6\xe7\xbe\xb5\x4b\xf7\xad\xcf\x8c\xb3\x09\xb5\xa5\xfc\x07\xc7\x77\xc7\x33\xbd\x74\x7c\xd6\xa2\xb4\xc6\x2a\xa5\x37\x2f\x51\x46\x8b\x8e\xc5\x29\x2c\xba\xc5\x39\x2c\x42\x6c\x5c\xa1\x6e\x19\xe7\x0d\x3a\xd8\xa3\xd6\xdd\xbe\x47\x2c\x24\x5a\x42\x61\x29\x09\xbd\xa2\x9b\x8b\x8d\x38\xeb\xd1\x46\x2a\x14\x20\xb0\xe8\xc8\x2e\x83\x19\xab\xa9\x59\xcf\x23\xb2\x5f\x60\x56\x9a\x6e\x1c\x9f\xd4\x49\xae\xc2\xe2\x24\x98\x38\x06\xd9\x13\xc0\xc2\x5e\xed\x43\x9c\xac\x0a\x95\x23\x32\xa1\x32\xe7\xda\x1e\x04\x10\xa3\x05\xfb\x72\x83\xd8\x8d\x0a\xad\x0a\x4b\x47\x33\xee\x74\xae\x97\x9a\xf6\xc1\x24\x00\xf8\x36\x11\xf0\x22\x70\xa9\xe9\x5e\x35\xf6\xbc\xe4\x76\xa1\x6c\x7c\xff\x3e\x76\x7d\x27\xbc\x18\x77\x7a\x1d\x0a\x61\x8c\x9f\x2f\xfc\xb7\xec\xdb\xdd\xc9\xf8\xf2\xf8\xd9\x6a\x9d\xdf\xd4\x47\x04\x75\x84\xea\x04\x14\x90\xad\xc3\x3a\x1d\x37\x36\x8e\xa9\x0b\x25\x91\x22\x51\x51\xf2\x42\x0e\xc9\x86\x40\x82\x5d\x0f\xfc\xfb\x2c\x6c\x55\x1c\x39\x75\xb0\xa1\x36\xeb\x73\xf2\x30\x5d\x13\x0d\x15\xf4\xf6\x1c\x38\x4d\x44\xf5\x0d\x8a\x93\x8e\x0d\xd5\x89\x0a\xe0\x82\xb3\xc6\x04\xbd\xc9\x0a\xb8\xc5\x07\xe7\x83\x12\xbf\x38\x81\xb7\x24\x86\xe3\xa5\x6f\x39\xd7\xcc\x2c\xcc\xcb\xb1\x2b\xc1\x73\xd1\x86\x79\x59\x54\x1b\x18\xc6\x45\x7d\x6a\x26\x61\xdc\x69\xb0\x37\xed\xb3\xdc\x2b\x5f\xbd\x6f\xb7\x88\x61\x9f\x1a\xdf\xca\xc1\x52\x33\x0d\x52\x1a\x48\x33\x5b\x44\xea\x88\x30\x05\x07\xa7\x79\x63\x24\x03\x68\x1e\xe7\x42\xe7\x47\xa2\xac\x2c\x0c\x4c\xf7\xf1\x9b\x4e\xf0\x66\x3b\xcc\xc3\xa6\x9c\xce\x49\xb0\x75\x88\x14\xd2\x76\x2b\x1e\xc4\xa0\x0c\xda\x06\xda\xb2\x4d\x89\xb3\x6c\x30\xc7\x6c\x30\x0f\x81\xc9\xd0\x64\xd4\x12\x08\x4f\xde\x2c\xe2\xa2\x59\xbf\xbd\xd7\x8b\xa3\x3b\x6a\x52\x5a\x14\x29\x59\x41\xe5\x08\x29\x7d\x63\x2e\x64\xc5\xa2\x4e\xbd\x87\xb1\x23\x17\x28\xd2\xa8\x30\xfb\xa2\x97\xc6\xcf\xeb\x39\xc7\x07\xf1\xd4\xd8\xbd\xc4\xdb\xc3\x10\x94\x99\x2f\x6a\x30\xf6\xa8\xf9\xaa\xae\x6f\xef\xab\x7a\x8f\x7f\x7a\x07\x80\x6b\x15\x0e\x6b\x28\x16\xc6\x57\x0f\xb0\x7f\x37\x0c\x0c\x48\x34\x9b\x59\xa7\xbb\x90\x67\xad\x38\x11\xfe\x6f\x1c\x08\x5a\xee\x23\xcd\x32\x81\x9d\x7e\x4a\xfb\xc2\x40\x66\x0e\x28\x28\xaf\x31\x28\x49\xd9\x67\x0b\xca\xe1\x97\xa5\xc2\xbc\x22\x9d\x8d\x01\x43\x1b\xa6\x55\xfb\xff\xef\x63\xef\x1a\x63\xd7\xe9\x6c\x05\xaa\x57\x97\xc6\x82\x1f\x18\xab\x3e\xb5\x5c\xd4\x42\xdd\x8e\x22\x50\x70\x1c\xe1\x89\x05\x75\x69\xb1\x98\x90\x08\x84\x92\x19\xe1\x97\x96\x0f\x85\x06\x3b\x8b\x9c\xaf\xcb\x8c\x6f\x66\xf9\x7a\x43\xa7\x47\x0a\x41\x5d\x21\x90\x7a\x74\xc3\xb2\x5d\x33\x1a\x74\x62\xfe\x08\xf7\xf3\x70\xc1\xad\x4a\xab\xf3\xa6\x82\xde\xa9\x66\xed\x73\x21\x00\xc3\x41\x69\x78\x82\x33\x6a\x02\xdc\x8c\xbe\x6f\x1e\x23\x85\xd1\x7f\x19\x0b\x5e\x36\x86\xa5\xf5\xcc\xe0\x89\x58\x27\xdb\x5d\xb5\x61\x65\xc7\x40\xc9\x01\xb3\x79\xc6\x91\x71\xe9\xca\xc5\x49\xc6\x74\xb3\xbc\x7e\xc5\x13\x4d\xae\x0a\x0a\x33\xbb\x5e\x71\xab\xca\xf1\xb5\xb6\x27\xe9\x5d\x53\xa9\xe6\x7c\x0a\xb3\x28\xdb\x05\xb5\xc2\x60\x39\x35\x12\x27\x3c\x25\x67\x8f\x75\xce\x19\xf8\x5b\x14\xfe\xb3\xfc\xfb\xeb\x90\x6a\x2d\x8f\x3b\x71\x2a\x45\x8c\x93\x30\xd9\x8c\xd3\xc5\x57\x2f\xb3\xba\xf5\x5e\xdc\xd5\x3f\xc9\x38\xe7\xbc\xba\x13\x4f\xf2\x33\x95\x27\x8c\xfd\x89\xcf\xbe\xcb\x3a\x6e\x90\xd1\x6d\x43\x92\x78\xa5\x62\x3b\x45\x6c\x91\xff\x11\x3f\x38\xad\x7e\xd8\xca\x3e\x0d\xf1\x92\x64\x6b\x60\x96\x0b\x56\x31\xff\x72\x00\x2a\x19\xb8\x80\x08\x0a\x86\xb0\xe4\x2e\x79\x87\x28\x15\x88\x70\xc3\x5a\xbe\x78\x3d\xfb\x21\x8f\xed\x6f\xc7\x69\x59\xf8\xaf\xf0\xd8\xad\x23\x55\xfa\xa3\xfb\x79\x8f\xfc\x38\x38\x07\x75\x0c\x4f\xf3\x69\xc1\x08\x00\xf5\x6d\x67\x9b\x80\xd2\xa0\xc6\x66\x56\x49\x29\x46\x1a\xec\x53\x63\x6c\x42\xa9\xa5\xfc\x5f\x1d\x0b\xde\x33\xa6\x7e\x69\x69\x4c\x7d\xef\xc8\x7f\x36\x4b\x01\x39\x9e\xa0\xc2\x1c\x2c\x9d\x26\x21\x35\x66\x07\x95\xb3\xd4\x8b\x8b\xb6\x9d\xa9\x5a\x32\xa7\x60\x81\xc4\xab\x0a\x31\x71\xe2\x14\xae\x44\xb8\x0c\x26\xe5\x61\x4c\xca\xb8\x9b\x08\xeb\x3b\x3c\x4e\xca\xfb\x08\x58\x0e\xdd\x5f\x77\x78\x31\x26\xed\x6a\xf5\xd2\x35\xd0\x0b\x60\x0b\x1d\x55\xe5\x8c\x4a\x08\x89\x6d\x4e\x1a\xa2\x02\x39\x29\x21\x7d\x19\x32\x69\x45\x01\x9d\x02\x85\x09\x3f\xb2\x78\x7a\x96\x4f\x4f\x1f\x3f\x31\xa9\xb2\x25\x55\xdd\xbf\x7f\xcf\x63\x13\xf2\x08\x82\x3a\xe1\x93\x5e\xf0\xcb\x9e\xfa\x55\xc5\xbb\xb3\x55\x0c\x84\xdc\x5c\x94\xda\x13\xac\x32\xeb\x15\xc1\xc5\x00\x42\x98\xb9\x81\x53\x61\xec\x3a\xce\x72\xd1\xe7\x4a\x85\xa5\x2f\x67\xb5\xb9\x96\x92\xb8\x29\xce\xa9\x8e\xda\x9a\x2f\x67\x70\xaf\xf6\xd8\x21\xd4\xb8\x2f\x8a\x96\xff\x22\x8f\x1d\xdb\xd6\x36\x55\xf5\xa6\x3e\xa7\xbf\x1f\x6a\x91\x1a\xf0\xa9\x46\x66\xc7\x99\x3a\x7b\x76\xd8\xd7\x0e\xb0\x09\xc5\x56\xfb\x7f\x74\x20\xf8\xd8\x01\xcd\x64\x9b\x5c\xd7\x3a\x8b\x8b\x7e\xb7\xd5\xb9\xb1\x85\x26\x95\x34\x6d\x5d\xf4\xa7\x8c\xa1\xbc\x50\xf9\x13\xa1\x16\xf3\x15\xba\xda\x63\xcd\x8d\x87\xc1\x4c\x4a\x3e\x86\x5a\x31\x87\x22\x5e\x33\xe9\x41\x0e\x3c\x12\x8a\xe4\x1e\x9a\xbe\xb9\xda\x43\x95\xd5\x12\x4b\x93\xea\x95\x14\x6e\x80\x67\x65\xc0\x1a\x8c\xea\x79\x53\x24\x09\xe1\x63\xad\x8b\x7e\x71\x92\x1f\xe5\xc3\x35\xd8\x27\x2d\x41\xc9\xf5\x54\x77\xc9\x07\x5e\x47\x8c\x5b\xae\xa9\x9a\x1c\xc5\xb8\x65\x4b\x64\x04\x62\xad\xd1\x31\x72\x90\x23\x1e\x30\x8e\x57\x1b\xcc\x49\x83\x1d\xe5\x5b\xa8\xed\x47\x77\x4f\xbe\x35\x9d\x61\xfc\x8a\xbb\xb3\xb3\xce\xe4\x62\x0d\xb8\xc0\x51\xdd\xc1\xf7\x0f\x7f\x87\x5c\x4d\x5d\x24\x4f\x0f\xd4\x04\x34\xcd\x78\x33\xa1\x9a\x2f\x4e\x79\xab\x07\x07\x3e\xec\xc6\x3a\xcf\xde\x96\xbe\x9b\x7f\x39\xc6\xcc\x55\xe7\x7f\x79\x2c\x78\xcb\x98\xfe\x39\xf4\xe2\xa8\xba\xf4\xe8\xee\x85\xc0\xeb\x97\x22\xef\xe6\xe0\x1e\x16\x36\x9b\x59\x1e\x59\xa9\x96\xdc\x41\x3a\x04\x4b\x25\xde\x82\xb4\x40\xe8\x1f\x88\x68\x23\x70\x13\xc1\x11\x45\xf0\x20\x1e\xc5\x2d\xf4\x63\x00\x06\x03\xfa\x60\xfa\xab\x71\xb8\xd0\x29\x1b\x37\x6e\x9c\x73\x79\x0c\xa4\x54\x0c\xa8\xa7\xb1\x56\x26\xab\xa3\x0f\xa6\x16\x95\x0d\x19\x98\x6d\xaa\x12\x8e\x5a\x9a\x59\x78\x30\xd3\xc7\x8e\x39\xde\x19\xee\xc4\x3e\xe4\xf1\x91\xee\x9f\x07\xfc\x7d\x85\x28\x19\x7b\x83\x07\x4e\x66\x18\x6e\x03\x3c\xc4\xe8\x00\x87\xd1\x3c\x84\x4e\xd6\x54\x04\xf3\xa6\xb6\x11\xdc\x84\xce\x39\xa4\xe3\x48\x9c\x7c\x40\x86\x04\xff\xe8\x21\x76\x64\xd0\x79\x1b\x5b\xb6\x7d\x64\x21\x42\xf8\x6f\x26\x82\x13\xd5\x87\x15\xe4\x02\xdb\x71\x77\x4b\x60\xd2\x0f\x1f\x64\x5d\xe5\xe3\xb4\x16\x04\x43\x50\x10\x94\x62\x59\xe7\xd9\x37\x6b\x70\x33\xbb\x91\x1d\x1f\x1d\xf1\x3a\x6a\x10\x7b\xaa\xbc\x5d\xa8\xf2\x3e\x61\x07\xbc\x7e\x64\x97\x01\xaf\xff\xf1\x1b\x04\x5d\xb0\x97\x31\xe5\x61\xc3\x2d\x68\x6d\xaf\x80\x99\xf5\x67\xb4\x02\x06\x0e\x65\x45\xfb\x52\xa5\x25\x43\x75\x2f\x1f\x3a\xc4\x6a\xc3\xc0\xef\x1b\x0b\x59\x34\x17\x17\x79\x0f\x04\xee\xbb\x7a\xd1\x9a\x40\x84\xa8\x57\x1c\x0a\xee\x1c\xf1\x6e\x18\xa6\xc1\x90\xa2\x23\x48\xd6\x27\x0e\xee\x11\x90\xbd\x88\xf9\x3d\x2a\xf2\x30\x1a\x4c\xfb\x8a\x05\xe8\x06\x87\x87\xb0\x00\xc3\xce\xa6\xcd\x07\x9c\x64\xb7\xb2\x9b\x47\xf2\x01\x5b\x92\x8a\x87\xbc\xe6\xf6\x04\xec\x4e\xff\x0e\x4d\xc0\xb0\x36\x4d\xbb\x46\x50\x98\x2a\x04\xcb\xff\x1c\x77\x20\x3d\xad\x24\x23\xcb\xd9\xba\x48\xc9\x04\xe2\xff\xe2\x78\x70\xbb\xfd\xc0\xb0\x75\x96\x55\x06\xfd\x2b\x29\xb5\x80\xe4\xb5\x7b\x92\x18\xc8\xaf\x1a\x97\xbc\x89\xb0\x17\xc5\x52\x16\x77\x48\xd6\x1f\x8e\xb1\xd7\x79\x4c\xbf\xf3\xbf\xcf\x0b\xfa\x33\xf4\x43\x99\xcc\xe4\x5e\x81\x30\x2d\x55\x4a\x3b\xee\xcb\xaa\xc1\x15\xca\xee\x1a\x64\x45\x31\x00\xad\x91\x49\xe5\x07\x5e\x67\x54\x47\xa1\x12\x37\x99\x34\xb6\x8e\x36\xe2\xe3\x1e\xbb\x5e\x5c\xec\xc6\xe8\x80\xbb\x04\xf1\xca\x85\xff\x1e\xcc\xab\x70\xf3\x8d\xc1\x9b\xbc\x53\xd5\xb7\x3a\x88\x5b\x01\x29\x66\x2d\x54\xe4\x80\x5f\xc4\xce\xba\xec\x64\x89\x52\x5d\xd7\x0e\x88\xc1\x40\x9b\xc1\x88\xba\x1c\x6f\xc9\xbf\x99\x18\x0a\xdb\xba\x90\x45\xcb\xa2\xd3\x95\x27\x12\xee\xa5\x4f\x4c\x04\x47\x2b\xcf\x06\x76\xbb\x7a\x39\xe2\x06\xfa\xb9\x3d\x88\x9d\x5d\x93\x9c\xef\x51\x24\x67\x39\xf8\x57\x67\x68\xe6\x21\x14\x52\x4d\xbd\x4d\x60\x8e\xb1\x06\xab\x6d\xab\x27\xb3\x16\x6e\x8f\x43\xd8\x83\x47\x33\x83\x7b\xc8\xbb\x6f\xfb\x4b\xe6\x46\xff\xf8\x30\x74\xaf\x0a\xa9\xa8\x5e\x2c\x3f\xb1\xdf\x89\xba\x36\x5b\x31\x2f\x09\x9b\xe2\x3f\xed\xbf\xe4\x41\xba\x9a\x4b\xde\x44\x37\xcf\xca\xac\x99\x25\x0e\x35\xf9\xf2\x3e\x16\x53\x42\x9b\x50\x39\xbd\x9f\x59\xa0\x74\x36\xa5\x4a\xe8\x4a\x89\x67\xdc\xd4\x3b\x94\xeb\xb5\xa5\xb2\xf8\x12\xee\x45\x01\x64\x22\x97\x97\x49\x5b\xe4\xae\x4f\xf9\xeb\x3d\xa6\xbb\xe1\xbf\xdc\x0b\xbe\x77\x81\x7e\xe8\xd6\xd4\xef\x2b\x69\x0a\xd4\x54\x55\x14\x5a\x30\xc2\xf1\x60\x79\x76\x21\xa8\xf1\xe0\xfc\x1c\xfc\xb3\x34\xbb\xbc\x10\xd8\xbb\xee\x77\xc7\xd8\x7e\x08\xf7\xf1\x3f\x3d\x16\xfc\xea\xd8\x29\x88\xfc\x41\x83\x3a\x36\xa1\x7a\xb7\x9a\x08\x4b\x5f\xec\x74\x0f\xbd\x80\xf3\x4e\xa8\x71\x0f\x30\x80\xa8\x68\x87\x49\x82\x00\xc8\x7d\xf3\xa9\x51\xda\xe6\xbd\x44\x14\x27\x79\x1d\x13\x06\xd4\xe3\x94\xbe\xa3\xfe\xe3\xe7\xab\x15\x24\x02\xd2\xc0\x29\xd7\x25\x70\xd4\xc0\x92\xbd\x42\x30\x6e\xce\x31\x5a\x63\x58\x9d\x37\x93\xac\x17\x29\x54\xeb\xdc\xc4\x68\x38\x8d\x91\xce\x6d\x83\x3e\x23\xa7\x2b\xb7\xeb\x8c\xab\x61\xb6\xb2\xac\x41\x9e\xdd\x00\x45\x60\x88\x87\x3d\xb7\x7f\xf9\x44\x47\xbd\x34\xc4\x55\x1e\xdd\x69\x01\x1d\xe1\x57\x9f\x18\x1c\x77\x9e\x8c\x4c\xbb\x16\x5a\x8e\xb8\xce\x96\xfe\xa7\xa3\xec\xa7\xaf\x62\xd7\x76\xb3\x68\x3e\x6d\x65\xf7\xa6\x67\x25\x8f\xe4\xbf\xfe\xaa\xe0\x65\x57\x11\x1a\x84\xbc\xb4\x20\xbe\xd3\x2d\xe3\xe8\x76\xe3\x02\x5c\x1e\xc8\x23\x85\x3c\x1f\xc8\xa9\xa6\x70\x80\x73\x00\xb0\xc5\xe8\xdd\x8e\x80\xff\x58\x37\x8b\xce\x81\xaf\x45\x37\x8b\xce\xcf\xcf\xd5\xb8\x28\x9b\x8d\x49\x15\xc7\x0e\x20\xe4\x3c\xeb\xaa\x50\x79\x8d\x53\xa1\x22\x63\x6b\x03\xd5\x3a\x41\x6f\x88\xe1\x93\xa5\x0a\xcd\x5c\xd9\x85\xe5\x9e\xa0\xc0\x5a\xd7\xe3\xc9\x44\x41\x55\x86\x6c\xa5\xd8\xa4\xa2\x91\xe8\x26\x59\xbf\xa3\x82\xea\x70\xa2\x9e\x66\xe7\xf4\x04\x9b\x5a\xb5\x7f\x61\x41\x69\x45\x14\x36\x86\x8a\xb2\x1b\x86\xf5\x7d\x64\xd2\xa0\x7a\xbb\x9e\x59\xf2\x48\x83\x2b\x56\xac\xdc\xe2\xbb\x61\x0e\xd1\x9e\x72\x9f\x2b\x9b\x1d\xdd\x98\x76\xfb\x34\x27\xf1\x60\x4f\x1a\xdc\xf5\xcf\xd7\x2f\x65\x2f\x75\x24\x22\x7d\xde\x1a\xd8\x13\x85\xbd\x65\x48\x85\x8c\x97\x49\xbc\xd6\x2e\x25\xd1\xde\x34\x7e\xf1\xdd\x5c\xb4\xe2\x8b\x0e\xd2\x51\x83\x07\xcd\xc2\x6c\x7b\xba\x61\xba\x59\x04\x89\x0b\x03\x29\x54\x44\x0d\x30\xdb\x6d\x55\x0e\x9c\x6b\xac\xc2\x18\x53\x3f\xea\x8b\x5e\x1c\x05\x27\x89\xdd\x38\x22\x1f\x9c\x9f\x9f\x9b\x1c\x5a\x5a\x74\xdb\xa2\x23\xf2\x30\x09\x4e\xf2\x40\x8e\x30\x50\x6e\xf5\xb4\xf3\x31\xab\x99\x2e\x46\x80\x22\xf4\x16\xac\xf9\x5b\xfd\x4f\x79\x39\xac\xf6\xf1\xbc\xda\x39\x0c\xec\xd8\xed\x00\xb6\x6d\xc0\xd8\xd6\x7d\x44\x36\x2a\x15\x9b\xda\xc4\x19\xa7\xb6\xc9\x71\xba\x31\x7d\x33\xf0\xf8\x92\x77\x4a\x93\xbe\x9b\xb9\x4f\xf9\x52\x39\x59\xe7\x11\x17\x46\x0e\x38\x30\xc1\x2b\x01\xec\xb6\xe0\x94\x69\x18\x3b\x7e\x26\x6e\x89\x66\xbf\x99\x88\xb3\x60\xa0\xbd\x17\x6c\xdf\xaa\xda\x66\x98\xf2\x44\x48\xda\xa9\xce\x06\x8f\xe2\x02\x0d\xb6\x61\x1a\x4d\xc9\x1b\x65\x2d\x45\x9b\x82\x32\x9f\x40\xca\x5d\x77\x00\x37\xe9\x14\xb1\x0e\xee\x08\x45\xc7\xdb\x8d\xc1\x08\x55\xa1\x2c\x15\x10\x46\x8c\xc1\x3a\x78\x88\x91\x46\x60\x28\x87\x72\x1d\xd3\xe8\x17\xe6\x9c\x1b\x6b\xb4\x9a\x1b\xa8\x08\xbd\x67\x8b\x1a\xb7\x10\xa7\xf8\x46\x1c\x82\xf6\xac\xd3\xc1\xc4\x3a\xa9\xe5\x33\xa8\xae\x3d\x02\x8e\x67\x6c\xb4\xbf\xb9\x15\xdd\xf9\xcf\xe3\xec\x7a\x45\x57\x17\x05\x41\xff\xfb\x7f\x3a\x1e\xfc\xde\xf8\x62\xf5\x71\xc5\xfa\x66\x27\x5b\x08\xd3\xb2\xe0\x2b\x03\x94\x66\x85\xaf\x0a\xf0\x2e\x12\x79\x9c\x45\x94\x86\xb8\x89\x79\x93\xe1\x72\x6f\x25\x92\xc3\x0e\xd3\x3e\xef\x66\x14\x82\xd0\x6c\x87\xe9\x9a\x76\x64\x04\x12\x6b\xe2\xdb\x6d\xab\x7c\x34\x00\x68\xc0\xd8\xb9\xac\x14\x27\xf9\x4c\x0b\xa6\x5a\xce\x7d\x53\x14\x45\xab\x27\x0f\x4e\x0c\x28\x3b\x83\x89\x0f\x64\x77\x6a\x92\x49\x2f\x24\x7f\x9e\x96\x48\x1b\x65\xa5\x83\x65\x49\x22\x83\xa5\x47\xbe\xdd\xd8\xbe\xac\x78\x7b\xd5\xd9\x73\x62\x93\x2e\x1b\xe5\x80\x61\x5d\x23\x85\x10\x29\x9e\x4c\x85\xbe\xa2\x3d\x8a\x2c\x97\xd5\xd0\x8d\xa6\x09\x53\x6a\xdd\x38\x4f\x6f\x2a\xc8\x88\xd9\xa5\x79\x4a\x20\x39\x83\x9a\x09\x10\x9a\xcd\x59\xd5\x31\x38\xee\x0e\x78\xe0\x00\x7b\x4c\x51\x89\x96\xfb\xea\xfe\xe0\x0f\xf6\x57\xaf\xeb\x4a\x21\x67\x37\x50\x54\xc7\xe0\x9d\x8d\x3b\x43\x1e\x49\x2b\x90\x07\x32\x52\xa0\x93\x89\xe3\x64\xae\x63\x41\x74\x85\x03\xb7\x22\x4e\x21\x7a\x17\x83\xeb\x4c\x2e\xf0\x46\x1a\x19\xa9\x41\xce\x94\x56\x08\x9e\xbe\xb6\x14\x5c\x42\x5b\x34\xd7\xab\x4e\x1e\x71\xa7\x23\xa2\x38\x2c\x45\xd2\xb7\x0f\x35\xba\x2c\xa9\xe4\x0c\xf3\xa9\x72\x8c\x07\xa6\x41\xf9\xc3\x83\x3d\x59\x6c\x2a\xb7\x78\xec\x00\x64\xde\x5e\x8d\xd1\x10\x4b\x37\x79\xaf\x30\xc0\x1d\xc3\x06\xdb\x96\x0c\x02\xee\x40\x29\xf5\x67\x1d\x13\xa9\x35\x7a\xc0\x0d\xc6\x66\x12\xd0\x04\x20\x40\x4f\xcd\xae\x9c\x46\xa9\x29\x94\xe1\x88\xe1\x4c\x61\x00\x5a\x96\x53\x1a\x0c\xb9\xdd\x62\xed\xf7\xdf\x4a\xe2\x6e\x57\x44\x30\x92\x1c\x27\x65\x60\xe5\x6c\xa6\x40\xf6\x7e\x55\xee\x72\x3d\x84\x2d\xa8\xd2\xe0\x96\x47\x03\xf7\x36\x1b\xbe\x32\x03\x43\x36\x3b\xf0\x1f\x51\x95\x45\x73\x8e\xc0\x9f\x1d\x60\xd7\x94\x96\x86\xa9\xf0\x7f\xe7\x40\xf0\xa7\xfb\x6d\xa5\x53\x15\x52\xd0\x76\xc8\x05\xac\x94\x6e\x16\x15\x87\x87\xeb\x06\x35\x7c\x81\x7c\x04\x2a\x08\x3c\x22\x10\x32\x9c\x41\xa6\x78\x01\xa0\x29\x79\x9f\x87\xbd\xb2\x8d\x40\x16\xe8\x52\x39\xc8\xfa\x69\x25\x1b\x98\xde\x77\xce\xf5\x8d\xe0\xf9\x88\xa4\x49\x3e\x4f\xd8\x5c\x9e\xa8\xc8\x49\x4e\x43\x27\x87\x72\x33\x85\x43\x7d\x1a\xd8\xc9\xe0\x24\x7f\x01\xe3\x3c\xb8\x5d\xe9\x25\xef\xa0\x27\x9c\x07\x50\x22\x38\xc9\x6f\x87\x3f\xee\xa8\xe1\x53\xa3\x94\x5c\x8e\x3b\xa2\x28\xc3\x4e\x57\x96\x31\x8f\x79\xa9\x9e\xcb\x01\x2f\x9e\x9e\x3d\x71\xe2\xc4\x93\xe0\xeb\x17\xca\xff\x34\x1a\x0d\xf6\x42\x7d\x15\x68\x55\x2b\xe5\x97\x73\x74\xbc\xc6\xe9\xcd\xb8\x38\x40\x68\x62\xc9\x3b\x19\xb9\x25\x90\x42\xb3\xa0\xf4\x36\xc8\xd6\x81\x3f\x79\x2e\x9a\x02\xe0\x26\xe0\xb0\x63\xb9\x10\xae\x1e\xe8\x6b\xbf\xc6\x07\xaf\xd0\x8a\x27\x5a\x99\xc7\x6b\x6b\x22\x1f\xb2\x5a\xf6\x95\xf9\xc8\xdf\x07\x46\xdf\xf6\x24\x76\xcb\x16\xe9\x8d\xaa\xe2\xa3\x3d\x9b\x3b\xc4\xe1\x7a\xcf\x01\xf6\xb8\x8d\x41\x7e\xae\xf0\x2f\x1d\x08\xfe\x71\xff\x10\x4e\xaf\xb0\x22\x2a\xc3\x52\x7b\x03\x2b\xe2\x3a\x42\x58\x24\xce\xac\xa8\x9c\x7f\xbc\xa0\x13\xd2\xfc\x52\xc6\xa2\xc2\xe1\x3e\x6b\x06\xb7\x04\x3c\xf0\x0b\x49\xe0\x2c\x56\x5a\x9d\x30\x57\x26\x06\x52\xa9\x1c\x5b\x51\x14\xb2\x38\x4b\xc9\xb8\x61\x65\xbd\x30\xe1\x0b\x17\xa6\x16\x2e\xcc\xf2\x8e\x90\xbc\x4e\x5c\x74\xb0\x8f\xe8\xcb\x09\xcc\x9f\xec\x91\x61\x7f\xe9\x9e\x01\x0a\x12\x89\x9a\x1e\x79\x98\xdb\x8e\xcc\xc0\x0d\xc6\x70\xab\x92\xea\x28\xc2\xf0\x16\x15\x36\x6b\x73\xff\x8a\x0f\x8d\x73\x9e\xa8\xb9\x86\x01\xc7\xc6\xb1\xcd\xbc\xc8\x28\x54\x52\xca\x32\x7c\x46\xcd\x70\x1b\x15\xd0\xab\x82\x63\xa4\xae\xd2\x6d\xaf\x0a\x44\xb8\x8b\x8d\x20\xb0\x96\xd1\xb5\xbf\x26\x4a\x72\xb0\x1c\xa4\x4d\x94\xc6\x08\xd8\x65\xc5\x41\x9d\x56\xb8\xb7\x83\xbe\x35\x8e\x17\xb1\x35\x3b\x85\x10\x43\x7c\x07\xeb\x92\x5e\x11\x6e\xa3\x72\x23\xd4\x92\x4d\x1d\x9c\x3f\xeb\x2a\x8a\xad\x5d\x76\x12\x33\x4c\x79\x62\x6d\x36\x5f\xf5\x48\x47\x59\x77\x60\x8f\x82\xb2\x5d\x3e\xc7\x9f\xe4\xe1\x1b\x46\x91\xc9\x99\x86\x6e\x62\x5b\x72\xe6\xa3\x9c\x9c\xd8\xc7\xf7\xb3\x6b\x43\x48\x19\xaa\x32\x6e\xfb\xef\xdf\x1f\xbc\x7d\xbf\xfb\xec\x72\x74\x28\x29\xc7\x6f\x8d\x22\x84\x1f\xb1\x97\x4e\x4d\xaf\xb9\xef\x66\x35\xd2\x56\x55\x9d\xd0\x11\x65\x3b\x8b\x26\x6b\xb4\xad\x88\x79\xb3\xf6\x3f\x35\x15\x09\xf8\xc7\x40\x76\x69\x1b\x87\x5c\x7f\xb0\x5e\x61\x41\x25\xfe\xa6\xa5\xc8\x5b\x52\xd6\xa6\x08\x69\xc9\xa9\x15\x16\x8f\x1d\x9a\x24\xcc\xa4\x96\x04\x17\xbd\x30\x2e\x0b\x8b\xb1\xb2\x84\x69\x28\x2f\xcf\xb1\x68\xc9\xc5\x02\xb8\x32\xa1\x1c\xe6\xd4\x05\x6d\x2e\x49\x95\xa3\xaf\x4e\x1f\xe6\xbc\x99\x81\x83\x1d\x86\x27\xd0\xc9\xaa\xcc\x31\x60\x26\x81\x74\xb0\x75\x57\x35\xa5\x1e\x58\x88\xb8\xd0\x29\xdb\x74\xda\x34\xad\x6f\x5b\x84\x64\x7c\x79\x7f\x64\x88\xbd\x92\x31\x35\x30\x8b\xd1\x5d\x1a\x0d\xd7\xd0\x76\x95\xe6\xa4\x58\x07\x4e\x8f\x64\x6c\xd0\x11\x6c\x59\x1e\x45\xba\x9d\xca\x9c\x5f\x1c\x63\xd7\xb4\x8a\xbb\xf3\xac\xd7\x5d\x00\x93\xae\xff\xf1\xb1\xe0\x43\x63\x73\x44\xe5\x89\x46\xf7\xd2\x48\xe4\x49\xdf\xe2\x97\x14\x49\x47\x11\x11\xb0\x13\x37\x53\x91\x17\xed\xb8\x8b\xde\xe6\x03\x28\x75\xf4\x21\x2d\x36\xca\xa2\x24\x51\x36\x38\x78\x55\x73\x17\xf8\xaa\xc9\x4f\x2f\x59\x1d\x53\x8a\x59\x88\x4b\x34\x4a\x47\xb9\x8d\xe3\xc1\xac\x78\x61\xd2\x6d\x87\xf5\x44\x6c\x08\x4a\x8c\xa7\xc8\x5f\x3b\x4b\xb3\x1c\x2f\x8f\x82\x0c\x48\x70\x48\x70\xc1\xd4\xea\xe2\x69\x72\xdb\x77\x7c\xc9\xb7\x9a\x5e\x0b\xa0\xf0\x71\xec\xf0\x16\x37\xb6\x1d\x26\xef\xff\xf8\xe3\x82\xff\xe5\x39\x81\xf3\x2e\x82\x89\x65\xfa\x26\x8c\x0c\x74\x2b\x6c\x0d\x41\x2f\x18\x00\x1f\xd1\xb2\x46\x3f\x0d\x3b\x24\xfb\x6b\x11\x09\x76\x8b\xdd\x32\xdd\x67\x00\xea\xa4\xc3\xd9\x6e\x1b\x70\xf5\x77\x11\x36\x1c\x77\x57\x51\x36\x71\x5a\x52\x03\xc0\x1e\x82\xba\xae\x71\xc9\xbb\xca\xb4\xec\x26\xd7\xfc\xc0\xf5\x2c\x65\x8f\x83\xb8\x41\xec\xf7\xa9\x8b\xdd\x30\x05\xcb\xee\x85\xe0\x9e\x99\x21\xcf\x25\xcd\xda\x74\xd1\x6c\x2a\xbd\x92\x1f\xa9\xbd\x27\xe4\x67\x2e\xa2\xd6\x2b\xc6\xd9\xf5\x14\xa8\x48\xbe\xe9\xb1\x28\xfc\xaf\x8f\x05\x3f\x33\xb6\x28\xe4\x2a\x36\x4b\x3b\x6c\x4b\x95\x20\x3f\xe7\x8d\x9d\xcd\x2e\x3f\x65\xd1\xd1\x6e\xd2\x5b\x8b\x8d\x69\x5a\x52\xc7\x6c\x33\xb5\xac\x35\x06\x87\xc6\x66\x6a\x0a\xc0\x29\x45\x26\x49\x79\xd1\x2b\xd4\x8b\x65\x91\x77\x94\x59\x2f\x44\x94\x71\x0d\x3b\xaa\x6b\xcb\x69\x38\x20\xca\x54\x52\x48\xee\xf0\x60\x10\xd7\x62\x94\x07\x74\x24\x2e\x83\x69\x35\x90\xb1\x83\x43\xd8\xb3\xe6\xef\xd6\x9a\xbf\x67\x6e\xbf\x72\x73\xfb\x57\x3d\x76\x35\xdc\x47\x0a\xc9\xfe\x8b\x5e\xf0\x11\x6f\x6e\xf8\x91\x1e\x42\x61\xd5\x06\xac\xd0\x9f\x5c\x50\xa0\xb9\xd1\xef\x14\xa4\x4a\xa5\x86\x6a\x1c\x02\xba\x9e\x15\xe4\x59\x50\xe3\x41\x91\xb5\xca\xe0\x7b\x00\x56\x53\xcb\xff\x11\xaf\x2b\x4b\x19\x92\xde\x85\x0b\xa4\xc0\x2c\x10\x53\xa9\x15\xc6\x89\xbc\xac\x25\x53\x0c\x64\x17\xbe\xdc\x8a\x89\xfd\x8c\xed\x5d\xf0\xe0\x16\x4e\xf8\x3b\x0b\x29\xff\xe6\xf0\x40\x7c\x8d\xc7\x98\xb9\x27\xfd\x17\x79\x81\x58\x30\xd7\x66\x3b\x4b\xa2\xa1\x77\x29\x59\xb4\xd5\x9d\x44\x58\xe7\x44\x23\x10\x25\x60\x63\xab\x55\xde\x32\xc0\xe4\x1c\xb3\xef\x3b\xff\x29\xc1\xf1\x05\xab\x29\x57\x93\x05\x21\xb7\xb4\xc4\xd6\x47\x0e\x4f\xf1\xc3\x1e\xbb\x26\x17\x00\x0c\x40\x1c\xdb\x4b\xbd\xe0\xe2\x23\xb0\x4f\xd1\xa9\xc0\xb4\xe3\xc2\x16\x03\x64\xb2\xcb\xed\xfc\x9d\xc7\xae\xc7\x79\xba\x0b\x55\xab\x67\xb3\x48\xf8\x7f\xe8\x05\x9f\xa5\x7c\xbc\xd6\x63\x6b\xe0\xed\x6c\x10\x2d\x6d\x56\x36\x5b\x58\x3a\x21\x7b\x4c\x92\xfa\xae\x66\xbd\x34\x6a\x70\x27\xd3\x8a\xd3\xc8\xbc\xd2\x19\x03\x96\x57\xa1\x43\x8f\x1e\xce\x4b\xcf\xf2\xff\x16\xdb\x7b\xb6\xdc\xe5\xdf\xb9\x5d\x00\xbe\xcd\x84\x0d\x75\xff\x7e\xa7\xc7\x9e\x69\x8e\xa6\x94\x88\x80\x0d\x2a\xea\xc6\xaf\x50\x9f\x52\xa7\x80\xe6\x39\x9f\xba\x74\xef\xb9\x25\xb8\xe4\x16\xf2\xac\x5b\xdc\x9b\x2f\xc1\x08\x66\x24\x91\xf0\xcf\x05\x67\xb6\x7a\xef\xc6\x14\x57\x4a\x22\x96\x02\xdd\x34\x40\x73\x1a\xec\xab\xd7\xb0\x5b\x6c\x10\x4e\x05\x5a\x8f\x39\xcc\x09\x6e\x74\x63\xba\x71\x1f\x66\x75\x98\x85\x5b\x03\x31\x3c\xfd\xff\x76\x4d\x70\x61\xc8\x73\x37\x97\x4a\x05\xec\xbd\x13\xae\x0b\x1e\xf2\xe5\x33\x4b\xb2\x58\x4a\x6e\xed\x5a\xaf\x4e\xc9\x23\x1c\x9e\xf3\xe3\x57\xb3\x07\x3d\x36\xd1\x0c\xef\xea\xa5\x51\x22\xfc\x5f\xf0\xfc\x7d\xab\xfd\x52\x04\x6f\xf5\x56\xd4\xc3\x15\xbc\x45\x17\x4e\x9d\xe5\x2a\x51\xd1\xec\x0c\x5f\x85\x77\x76\x72\x73\x4b\x99\xe8\x68\x6e\xa9\xdd\xc3\x3a\x85\x90\x95\xb4\x15\x64\x4a\x07\xce\x58\x25\x42\xcf\x7b\x45\xc9\xf3\x2c\x2b\x35\xe6\x85\x5e\x64\x38\xae\xb0\xa9\xed\xf3\xf7\xb2\x31\x76\x90\xf4\xbe\xfe\xff\xeb\x6d\x91\x14\x78\xe4\x3a\x90\x8e\xd2\xc4\xb8\xbe\xd7\x5b\xa1\x1a\x57\x46\xa6\x46\x47\x2d\x3b\xd2\xd1\xb8\x50\x83\x6d\xf0\x53\x31\xf0\xe4\xa6\x82\x2c\xe7\x2b\xbd\x3c\x59\xd1\x00\x09\x26\x89\x09\x63\x24\x59\xab\xfc\x1e\xb1\x9b\x08\x21\x1e\x04\xfd\x48\x01\xd6\x9f\x28\x44\xaf\x10\xa6\xa1\x06\xfb\xfa\x04\x1b\xef\xe5\x89\xff\xd5\x89\xe0\x4b\x13\xd8\xe6\x5a\xbc\x41\x44\x56\x61\x24\x28\x42\x4b\x4d\x02\xe0\x92\xce\x3a\x75\x7e\xf1\x0c\x26\xa3\x3a\xb2\x02\x2c\xa1\x38\x39\x05\x21\xa3\x27\x25\x93\x3e\xd5\x0d\xcb\xf6\xca\xa4\x0b\x94\x9b\xb5\x68\x74\x99\x3d\xe6\x61\x43\x5d\x6e\x0b\xbe\x22\x2b\x5b\x51\xdd\x97\xfc\x50\xae\x44\x60\xe3\xd5\xac\x66\xc0\x1d\xfd\x6d\x3a\x6a\xdc\x34\x43\x54\x2d\x2d\x4a\x11\x92\x99\x05\x70\x16\xd0\x33\x63\x15\xb1\x51\x93\x0d\xc9\x9e\xc6\xa1\xd6\xa4\x40\x38\xb8\x1c\x75\xd6\xb1\x36\x57\x81\x11\xe6\x35\xbe\x02\x28\x83\xfa\xf9\x8a\x82\xc0\xa7\xba\x78\x9c\xd6\x95\x29\x5d\x56\x14\x12\xed\xdc\xd4\x08\x0a\x3c\x09\xfb\x08\x93\xb9\x11\x67\x09\x4c\xfa\x64\x43\x0d\xbd\x63\xa5\xad\x09\x53\x3e\xbf\xa0\x82\x0e\x1b\x8c\x2d\x24\x02\x1c\xb6\x34\xb2\x38\xc2\x9c\xaf\x68\xb8\x04\x9c\xe5\xe9\xe3\xb7\x34\x8e\x35\x8e\x35\xa6\x57\x10\x29\x96\x6a\x96\x7b\x27\x2e\xd6\xfb\x0a\xb0\x5a\xee\x93\x52\x52\x86\x35\x79\xc1\xf1\x66\x88\x88\x9d\x98\xa5\xc7\xec\x58\x48\x6a\x97\x24\x30\x71\xca\xfc\x2f\xcb\x84\xa9\x75\xf0\xc8\x2b\x00\xa6\x35\x15\x78\xd6\x81\xea\x68\x4b\xb5\x7b\x08\x96\x7a\xcd\x36\x62\x83\xca\xd7\xb2\xe5\x24\x5e\x17\x49\x9f\xb4\xb5\x52\xc4\x96\x3b\x4a\xde\x36\x35\x1e\x37\x44\xa3\x06\x9b\x41\x84\x05\x14\x29\x7b\x79\xca\x7b\x5d\xc4\xc6\x48\xc5\xa6\x46\x10\x24\xac\x31\xd8\x9a\x7a\x93\x05\xc0\x5c\x05\x28\xa9\xcb\x1d\x4c\x2f\xa4\xbc\x09\x44\x30\x50\xdc\x57\xd0\x60\x6c\x06\xe1\xb7\xe5\x55\x48\x40\xd5\xa4\x29\x69\x69\x7c\x70\xa5\x39\x4d\x95\xad\x45\xeb\x75\x08\x16\x34\x94\xcd\x34\xf8\xfd\x59\x0f\xca\xea\x64\x2a\x21\x40\x44\xa1\x91\x4c\xce\x9f\x0e\x5b\xa7\x6a\x88\x78\xe8\xa3\xe7\xa4\xf2\x32\x1e\x1a\x26\x6b\x84\xec\x6f\x59\x4a\xf1\x97\x3e\x97\x4d\x51\x82\x84\x2c\xe7\xab\x61\x11\x37\xc1\x60\x87\xcc\x74\x20\x5f\x9c\x94\xcd\x6f\x66\x79\x74\x67\xa0\x01\x1a\x51\xd4\x6f\xf0\xd3\x79\xb8\x86\x1a\xd5\x23\xc1\x0d\x8d\x46\x23\x98\x84\xb1\x3f\xaf\x27\xf2\xbe\xcd\x1e\x1e\x09\x9e\x42\x6f\x41\x21\x52\x1a\x54\x23\x01\xe4\xcd\x21\xc0\x2f\xd9\x57\xc5\x9c\x6e\x67\x39\x41\xe9\x22\x4e\x77\xaa\xa1\x9f\x7a\x89\xf0\x3f\x3b\x1e\x9c\xa9\x3c\x23\x26\xd5\xb9\xd7\xe4\x01\x30\xba\xa0\x10\xdc\x24\x35\xdf\x2a\x77\x90\x92\xdd\x2e\x79\xfb\x37\x44\xbe\xea\x7a\xc9\xff\xd5\x18\xfb\x84\xc7\x1e\x93\x9a\x76\xce\x2f\x9e\x29\xfc\x0f\x78\xc1\x25\xef\x9c\xfb\x90\x84\x45\x4c\x1b\x03\xb0\x4f\x61\xc2\x7b\xb9\xca\x0d\x44\xd3\x4d\x34\xcb\x85\xd1\x6c\x70\x7e\x94\xf2\xdc\xa8\x09\x5a\xed\x11\x00\x8d\x4a\x41\xd0\x4b\x92\x1a\x26\xd8\xe0\x45\x29\xba\x8a\xac\xc9\xcd\xd2\xe0\x3c\x38\x1a\x90\xfa\x22\x4c\x92\xad\x24\x97\x37\x7b\x0c\x87\xe9\xff\x90\x17\x5c\xbc\x20\xf2\x55\x37\x70\xc0\x4a\x18\x68\x4f\x0e\xa7\xac\x22\xab\x45\x8d\x40\x76\xd7\x24\xd3\xd8\xcd\x0a\xf9\xdf\x5e\x59\xa3\xbc\x1e\x35\xd9\xa1\x66\xbb\xc6\xdb\x22\x8c\x6a\x0a\xc1\xe6\x72\x3a\xf8\x63\xe3\x8c\x0f\x51\x79\x9c\x4a\x37\x4e\xe7\x59\x87\x20\xda\xff\x61\x2c\x38\xe9\x3c\xa9\x82\x6a\x18\x88\x76\xbd\x24\x1a\xdd\xdc\x5d\xe1\x77\x8f\xb1\x26\xbb\x5a\x03\xad\x2f\x8a\x96\xbf\xb4\x45\x0a\xdc\x01\xac\xf5\x53\xe9\x06\x81\xac\x3f\x7e\xd9\x81\xa5\x2f\x33\xca\xc4\x04\x52\x3e\x4b\xd9\x01\xf4\xea\xf3\xa3\xe0\xbe\x99\x54\x93\x0d\xeb\x98\x22\x14\x21\x64\xc6\x01\x35\x20\x65\x66\x18\x48\x34\x60\x23\x1f\xcd\x3e\x67\x7e\xee\xd4\xb9\xe5\xf9\xd3\xf3\xa7\x16\x9d\xe3\xf4\x4c\x76\xa8\x10\xcd\x1c\x21\x3a\xce\xee\x00\xa1\x63\x09\x4a\x9b\xe1\xfc\x6b\x39\x1c\x7c\x58\x1d\xcb\x1b\xf7\x0d\x75\x18\x3f\x75\x51\x34\x67\x30\xdd\xc7\xdf\x8f\x07\xd3\xe6\xa7\x73\x00\x03\x79\x2d\x00\x3a\x31\x39\x09\x05\x1c\x33\x0f\xba\xee\xb7\x1f\x18\x67\xef\x1d\x67\x07\xc9\x45\xcc\xff\xa9\xf1\xe0\x3f\x8f\xcf\x92\xbf\x98\xca\xee\x69\xbb\x8f\xc9\x09\xbb\x28\x9a\xbd\xd2\xb1\x1d\xea\x46\xd0\x4e\x40\xe8\x1a\x3c\x8a\x73\x50\x9c\xf5\x35\x25\x50\x75\xc1\xfd\x97\x65\x25\x3f\x72\x78\xea\xf0\xa4\x8d\x09\xa0\xd0\xb6\x20\x75\x08\x70\x99\x0a\xd0\x40\x77\x8a\xf4\x09\xb2\x1f\x87\x23\x95\x29\x13\x2e\x7d\x18\x32\xf4\x2a\xe4\x45\x5b\x80\xa3\x56\xc6\xcb\x3c\xd4\xaa\x78\x78\x0a\x97\x5d\xde\xc3\x44\x8c\xfc\xc8\xe1\xef\x3d\x0c\x1e\xbf\x93\x7c\x33\x4b\x0f\x97\x04\x7b\xb5\xac\xe8\x37\x55\x24\x6f\x68\x75\x9b\x8a\x8b\xdd\x24\x6e\xc6\x25\x79\xa7\x71\x88\xdd\xcf\x94\x4c\x2e\x92\x44\xb2\x5d\xb1\x1d\xc3\x7f\x0c\x66\x93\x84\xd7\xb0\xe0\x49\xbc\x21\xa6\xda\x22\x4c\xca\x36\xe2\x13\x4a\x32\x00\x30\x96\x00\xeb\x4c\x6f\xb6\x3a\xc1\x7f\x7f\x68\xe8\xee\x38\x13\x77\xe2\x72\x31\x4c\xd7\x84\xff\x85\x43\xc1\xbd\xe6\xa7\x3c\xa0\x85\x51\xa1\xa1\x99\x1a\xb0\x49\x50\xc1\x80\xe7\x80\x8c\xe5\xba\x18\xdc\x9f\xda\x85\xd5\xdd\x3b\x3f\x3e\xb1\xa7\x0d\xdd\xd3\x86\x7e\xe3\xb4\xa1\xff\x22\xd5\x83\x9f\xf4\xd8\x3e\x29\x88\xf9\xbf\xee\xb1\xa9\x6d\x6f\x13\x73\xbc\x21\xca\xf1\xd5\x1e\x04\x61\xd8\xc7\x8e\x4e\xb8\x90\xcc\x5a\x13\x52\x71\x3e\xb2\x03\x91\x7d\xaf\x87\x69\x54\x47\xda\xf7\x90\xb7\xb8\xbd\xd6\x69\xca\xaf\x0f\x8b\xa7\x32\x83\xab\x86\x52\x7d\x7c\x82\x35\x76\x94\x30\xdf\x20\xa1\xbc\x7e\x22\x38\x51\x7d\x38\x0c\x5c\xc0\x2e\x33\x2a\xa8\xf3\x8b\x07\xf6\x08\xdf\x6e\x09\xdf\x45\x15\xd4\x99\x05\xdf\xa9\xe3\xc8\xb5\xaf\xd5\xe0\x42\xd8\x37\xe1\xed\xec\xe4\x16\xa0\x7e\xdb\xec\x86\x3d\x92\xbb\x0b\x92\xbb\x6a\x51\xdc\x0b\xbb\x8b\xf6\xfc\xd6\x11\xc1\x9e\x0f\x79\xc9\xf6\x14\x63\xde\xbf\xdb\xe0\x94\x98\xf5\xae\xa8\xaa\xab\xe7\x7d\xa8\xba\xfa\xfb\xaf\xb3\x73\xc3\x6c\xd1\xf3\x99\x85\x79\x70\xb5\xf0\x3f\xff\x98\xe0\x7e\xf5\xc3\x55\xf5\x22\x60\x6f\xe9\x06\x36\x12\xc2\x57\x4d\xfb\xd9\x74\x41\x8d\x96\x9b\x77\x28\x40\xc1\x70\x1a\x3a\xbd\xe6\x84\xfa\xd0\x21\x3d\x2f\xbb\x76\x8f\xf4\xec\xf1\x5c\xdf\x38\x02\x70\x82\x12\xd7\x3d\x31\xf8\xb7\xe9\x88\x9c\xe5\xb8\x8f\xed\x8f\x7e\xd3\x63\xd7\xe9\x4d\xaf\xf6\xed\xcf\x7b\xec\x69\x57\x40\x3f\xe0\xd4\x51\x1d\xa7\xb3\x7c\x4e\xa1\xaf\x05\xcd\x6a\x0b\x1a\x60\x9e\x7e\x9a\x63\x47\x4e\xb9\x33\x0b\xf3\x64\xec\x50\x2e\xbc\xdd\x3c\x5b\x0d\x57\x13\x9d\xbe\x41\xd9\x1f\xa9\x8a\x06\xfb\x93\xfd\xec\xdf\xe0\x27\x33\xa8\x08\xbe\xab\x4f\x86\x9f\xf9\xb9\xc5\xc2\xff\xf8\xfe\xe0\x4f\xf7\x85\xbc\x13\x76\xe5\x64\xd0\xf2\xca\x57\x28\xda\xa3\x59\x84\x60\xeb\x28\x60\x0b\x15\xe9\xca\x25\x15\xe7\x8e\x2b\xef\xed\x32\xe3\x6d\x91\x74\xa9\x26\xb9\x43\xa4\x90\xa6\x54\xe0\x3a\xe4\xa9\x28\x15\x11\xac\x8b\x56\x2b\x6e\x42\xb3\x9b\xa1\x09\x92\x6a\xf0\x59\xaa\xa1\x19\xa6\x5a\x03\x0a\x59\x7d\xba\x39\x18\x20\x2b\x9d\x0b\x0b\xde\x55\x19\x00\xa1\xfb\xe4\xa3\xd9\x47\x3c\x44\xd8\x8b\x80\xda\x9a\xb5\x0c\xca\x2b\x66\xc8\x2e\x6a\xba\xbb\x96\xe1\x03\x8d\x1a\x29\x40\xe5\x43\x39\x88\xc1\x99\x9f\x5b\x44\xe9\x9e\x9a\xc7\x8c\xaf\x64\xf7\xc4\x30\x69\x98\x58\x9a\x2c\x08\xae\x4b\xd7\xad\x00\x22\x9a\x62\x39\x2a\xea\x98\x95\xbf\x0a\x81\x20\x3b\x21\xa8\x69\x29\x0e\x08\x94\xd5\x61\x6a\x68\xd5\xfc\x02\x8e\x50\x36\x59\x53\xbe\x84\x54\x2d\x4c\xb7\x4a\x7a\x8e\x3d\xec\x51\x74\xab\x5d\x81\x3a\xf5\x3c\xc9\xb2\xf5\x82\x87\x25\x7f\x46\xfd\x74\x96\x6f\x86\x79\x24\x22\xf9\x17\xa8\xe9\x50\x09\xfc\x8c\xfa\xa2\x08\x93\xfa\x7c\xd7\x7a\x46\xe7\xbe\xb1\x28\x3a\x59\x29\xe4\xc6\xe2\x47\x62\xd2\xa9\x66\x79\x24\xf2\x49\xe5\x0a\x6d\xf5\x6d\x7e\xc1\x61\x89\x16\xd8\x39\x76\xe6\x0a\x8e\xd3\xd2\xa8\xcd\xcc\xde\xe4\x31\x7d\x05\xf9\xaf\xf6\x82\xe3\xea\x07\x68\x50\xad\x83\x55\x58\x97\x9d\x8a\x75\x57\x34\xc0\x74\xf0\x5e\x76\xf6\x61\x3d\xef\x0f\x79\x0b\xdb\xb3\x09\x75\xff\x89\xc3\x04\x0b\x75\x79\x57\xc5\x8a\xdf\x19\x67\xdf\x39\xaa\x53\x8a\x04\xcc\xa7\xad\xcc\x7f\xd7\x78\xb0\x2c\xff\x30\xb7\x3f\xbd\x46\x4b\x98\x09\x18\x03\xc7\x81\x4d\x71\x38\x49\x20\xb2\x4d\x41\x34\x03\x3d\x16\x03\x19\x4f\xa4\xb4\xd1\x09\x9f\x9b\xe5\xf2\xdf\x38\x95\xff\xb2\xb5\xb8\xd4\xf9\xb7\x0f\xad\xc5\xe5\x6c\xd6\xe9\xc4\xe5\x25\xef\xea\xb5\xb8\x5c\xce\x85\x58\x2a\xc3\x52\x5c\xf2\x0e\xad\xf6\xe2\x24\x9a\xc3\xbf\xd7\x32\xfd\xc9\x44\x33\xeb\x74\xe3\x44\xe4\x97\xbc\x89\x6e\x12\x96\xb2\x2d\x87\xa1\xf8\x8a\xc7\xbe\x8d\x99\xaf\x7d\x47\xc7\xf4\x6d\xcc\x34\xe9\xbe\xf9\x76\xe6\x74\xc0\x7d\xf9\xaf\x99\xd5\x6d\xf7\xd5\xe3\x18\x8e\xd0\x7d\xfa\xad\x4c\xf7\x73\xb0\x03\xd9\xc8\x8a\xe4\x14\x0d\x54\xa4\x46\xe9\xbe\xf8\xd8\x7e\x27\x87\x72\xd8\xed\x16\x72\x77\xcd\xe9\xd8\x39\x0d\xd6\xe9\xbf\x69\x7f\xf0\xb4\x21\xcf\x2b\xae\xae\x52\xbc\x25\xcd\xb7\x15\x80\x07\x16\x08\x95\x18\x0e\x01\x3b\x09\xf9\xff\x92\x77\x00\x25\x62\x57\x2d\xbe\x8f\xdd\xcf\x0e\x76\x44\x51\x84\x6b\xc2\x3f\x17\xcc\xcc\xf0\x76\xaf\x13\xa6\x92\xf4\x44\xe0\xde\x41\xef\x94\x2f\x0a\xa8\x55\xd1\x9d\xd8\xc2\x0c\x2d\xf3\x30\x2d\xe2\x01\x74\xec\xd3\xec\x40\x2e\xc2\x22\x4b\xfd\xdb\x83\xa9\x65\x00\xc0\x95\xbf\x2c\x6d\x2c\x8d\xed\x70\xc1\x93\xb0\x28\x47\xd5\x73\x86\x51\xdf\xfd\xbb\x82\x9b\x96\x1c\x5c\x52\x5d\x45\x4d\x19\x98\x97\x21\xf8\xf3\x34\x7a\x8d\x9f\x4f\x01\xdf\xd8\xa9\xed\x38\x01\xf8\x1f\x0d\xbe\x63\x99\x7c\x89\xac\x19\xd4\x15\x3a\xdf\xbc\xc6\x63\xbe\xec\xe1\xb2\xee\xe0\x72\xdc\x11\xfe\x0b\xd8\x2d\x57\x40\x52\xe4\xa7\xc1\x9d\x67\x60\xc0\x71\x47\xb8\xe3\xb0\xe6\x40\xa5\x4f\x87\x14\xb3\x38\xea\x32\xe3\x61\x0a\x81\x37\x0d\xb6\xc1\xae\x95\x5d\x3a\x0f\xec\x19\x74\x27\xba\xf2\xee\x4c\x2e\x03\x1f\x6d\xba\x04\x2e\xfd\xaa\x4f\x9b\x61\xa1\xd9\x40\xf6\xb9\xef\x66\xdf\x6e\x6d\xe5\x55\xb8\xf7\x36\xa6\x1b\x4f\xcd\x56\x01\x94\xe3\x7d\xdf\x1d\xdc\x42\x7f\x5b\x7b\x56\x12\x22\x39\xd0\xe7\x66\xab\xa4\xc1\xd7\x0e\xf9\xf2\xda\x02\x73\x53\xe3\x92\x37\xa1\x40\x95\x5c\x50\xb2\xef\x62\x5f\xf4\x98\x7e\xe7\x7f\x6a\x27\x58\xe4\x16\x1c\x0e\x28\xa7\xde\xe0\xcd\xb9\xce\xe2\x19\xc5\x7e\xe8\xa8\x00\xe5\xdb\xd5\x16\xa9\xea\x23\x84\xcf\x3e\x37\x5b\xbd\xec\x8c\xc8\x92\x1b\x4a\xb2\x30\x2a\xa6\x4c\xf4\x48\x31\xf5\xdc\x6c\xb5\xa8\xe7\xbd\xb4\x5e\x66\x75\x8a\x98\x88\xb3\x74\x8a\x7d\x6d\x1f\xfb\xd6\xb2\x4c\x08\x43\x0c\xe2\xc1\x4f\xc7\x29\xc4\xa0\xfa\x5f\xd8\xa7\xa0\x76\x7e\x75\xdf\x88\x32\x4a\xcb\xa6\xc2\xa0\x60\x0d\x81\x36\x3c\x35\x5b\xc5\x41\xb6\x21\x1d\x3a\x15\x37\x0b\x70\x04\x4d\xb4\x7c\x96\xc2\x37\x24\x3f\x70\x3a\x8c\x13\x11\xa9\x94\x73\xb6\x3f\x18\xe6\xc9\x1a\xd1\x07\x0c\x25\x94\x5d\x90\x8d\x52\x5b\x85\xb2\x8f\x88\x24\x46\x68\x7e\x0a\xc1\xea\x95\x99\xbc\x74\xd0\x1b\x0f\xad\x8a\x51\x03\x5d\xd5\x54\x15\x10\x9b\x85\x04\x07\x5e\xd7\xc0\x11\xdc\x84\x79\xad\xf5\xc2\x3c\x4c\x4b\x21\xc8\x1b\x03\xed\xa6\xf1\xf3\x45\x5e\x98\x24\xfe\xe4\xbd\x36\x64\x30\xe4\x11\xa7\x5a\x43\xdb\xcb\xe8\xae\x0d\x9b\x0c\x39\x98\xe7\x8b\x3c\x33\xb5\xac\x8a\x66\xd6\x11\x03\xc3\xa5\x5a\x9c\x28\x6d\x9c\xaf\xb8\xd4\x53\xb5\x45\x7c\xc6\xe5\x86\x67\x2c\x2f\x9f\x71\x17\xc7\x38\xe4\x59\x00\x4b\xbf\x7c\x90\x5d\x6b\x76\x21\x78\x22\xbe\xf3\x60\xf0\xe6\x83\xb3\xce\x33\x0b\x0e\x06\xdc\x10\xb3\x88\x9b\x8f\x88\x1b\xcb\xc3\xe6\x3a\x4c\x92\x0e\xbe\x5e\x39\x97\xa5\xf3\x69\x24\x2e\x8a\x68\x85\x1f\xa1\x78\xc6\x49\x70\x49\x51\x8f\x1b\x8c\x39\xa5\x94\x63\x3e\xf1\xd6\xb4\x05\xac\xf4\x0e\x2a\xc6\x48\x47\x22\xe5\x02\x4d\xec\x10\xb5\xdd\x90\xfd\x6c\xd8\x5d\x33\x78\x0a\x49\x5f\x7f\x1c\xc9\x11\x14\x14\x6f\xe0\x0e\x46\x36\xd7\xce\x3a\x59\x92\xad\x65\x48\x6c\x4d\xd2\x0a\xd9\xd9\x51\x3d\x95\x15\x9a\xe3\x06\x31\x83\x4e\x9e\x01\xbb\x05\x59\x05\x92\xf5\x63\xb2\x81\x23\x83\xbd\xae\xf3\xe9\xc9\x9a\x9b\x59\x16\xa4\x25\x29\x8f\xa3\xba\x04\x49\xae\x4b\x7d\x9e\x9b\xad\x5a\x14\xa5\x0e\xed\xa0\x6c\xb3\xb3\x79\x84\xcd\x25\xb6\x98\x32\x63\xa4\xa3\xba\xe1\xac\xea\x98\x2d\x3d\x39\xb5\x21\x0b\x31\xe0\xe1\x05\xfb\x79\x05\x0b\x76\xc3\x3c\x4c\x12\x91\xc4\x45\xc7\xf8\x82\x25\x24\xa2\xa6\x72\xc7\x88\xe7\xf5\x30\xd7\xc5\xf4\xb1\x67\xdf\x34\x10\x56\xb4\x8b\x63\x42\x7d\x06\x7a\x65\x47\x2e\x21\xb1\xb7\x96\x0d\x83\x24\x69\x6b\x0f\x0b\x92\x54\x51\x6f\xb2\x2a\x2b\x5c\x30\x5b\x85\xa6\x0b\x1e\xda\x28\x29\xa5\x06\x6d\xd1\x1a\xa9\x9a\x36\x40\xab\x40\xc3\xf5\xb8\x5b\xe8\xb0\x3c\xc5\x31\x3d\x35\x5b\x75\xf8\x92\xdf\x1e\x67\x57\x59\x13\xed\xff\xca\xb8\xba\x2b\xde\x31\xbe\xa4\x8f\x2d\xe0\x29\x88\x02\x22\x2e\x0d\x38\x9b\xb3\xd4\xfa\x6a\x80\x24\xd9\xea\xa2\xb6\x92\x84\xf6\xd0\x3d\xaa\xc1\xff\x3f\xf6\xde\x05\x3a\x92\xec\xac\x0f\x3f\xd5\xd2\xbc\xee\xec\xc3\x2e\x13\xfe\x09\x10\xb8\x29\xaf\x19\x69\xd3\xdd\x92\xe6\xb9\xa3\x5d\xef\xa2\x91\x66\x76\x64\xcf\x43\x96\xb4\x6b\xbc\x0f\xef\x5c\x75\xdf\x96\xca\x53\x5d\xd5\xae\xaa\x96\xa6\xd7\xde\x84\x78\xb1\x79\xd8\x3c\x8c\x6d\x1e\x63\xcc\xcb\x76\x00\x1b\x42\x1c\xec\x04\x63\x07\x30\x8e\x71\x0e\x26\x86\x40\x0e\xe1\x61\x13\x63\xc0\xf8\x4f\x62\x20\x81\x84\xb0\xbc\xfe\xe7\x7e\xdf\x77\x6f\xdd\x5b\x5d\x2d\x69\x56\xbb\x6b\xfe\xe7\x8c\x0f\x9c\x1d\x55\x57\xdd\xf7\xfd\xee\x77\xbf\xc7\xef\xc7\x57\x90\x77\x4a\xcd\x47\x1c\x46\xe5\xbd\x40\xa5\xa2\x49\x6f\x80\x59\xbd\xe1\x7a\x2c\xa2\x6c\xe8\xe7\x28\x22\x3a\x73\x48\x61\x8f\xa2\x64\x0b\xc1\x4b\x69\x31\x80\xf5\x01\x02\x68\x10\x6e\x25\x04\xa6\x27\x58\x70\x6e\x2b\x66\xec\x36\xd8\x05\x00\xf6\x92\x21\xbf\x98\x31\x06\x50\xab\x11\x3a\x4f\x78\x54\x23\x69\x24\x9e\xdd\xe3\xdf\x11\xca\x1f\xdc\xc7\x6e\xeb\x8a\xb8\x2f\x0c\x61\xaf\xff\x2f\xf7\x05\xdf\xb5\xcf\x7d\xa6\x97\x4a\xa6\xe9\xda\xc8\x8c\xaa\xba\x42\x3c\x22\x90\x62\xa8\x7a\x46\x9f\x64\x4d\x7e\x01\x00\x87\xae\xb8\x45\x5d\x21\x14\x0d\x2b\x12\x10\x22\xdd\xe9\x16\x01\x49\xec\xfa\x61\x3b\x81\x74\x53\xd8\xfa\x08\xb9\x91\xa4\xf6\x41\x4a\x71\xb9\xbd\xb0\x75\x55\x37\x83\x18\xe1\x74\xd4\x9f\x5a\x56\x30\xdf\xbd\x1e\x30\xc7\xa1\x95\x85\xde\x25\x7b\xae\x0d\xae\xa9\xe3\xd7\x11\xd3\x05\x73\xd2\x47\x40\x7f\x85\x2d\x88\xfa\xa0\x0a\xad\x51\x40\xb1\x33\xd0\x96\x54\x3d\x20\x4d\x0e\xaa\x4e\x1f\x43\x1d\xa1\xcd\xc2\xf9\x1a\xac\xa8\x98\x61\x0c\x6d\x07\xf4\x02\x50\x97\xd4\x44\xc2\x06\x48\x72\xde\xe9\xc7\xe8\xbd\x03\xee\x8a\x56\x1e\x0d\x9a\x9c\x9f\x4f\xb6\x24\x18\xf6\x74\xd8\x5f\x26\x87\x06\xfe\xc5\xaa\x4f\x57\x94\x20\xc1\xe2\x40\x17\x95\x15\xc9\x30\x3c\x89\xda\xfc\x4a\x11\xa8\x3e\x45\xce\x83\x2b\x7c\x6e\x69\xf1\xd9\x5d\x9a\x2f\x2c\xc6\xae\x31\x48\xfa\x69\x23\xd9\x8a\x1b\xbd\xa4\xdd\xd0\x83\xe8\x64\x0a\xfe\xcb\x31\x76\xd8\xda\x80\xfe\x77\x1a\x71\xf4\x75\x25\x71\xa4\xd9\x6c\x86\xc5\x52\x95\x00\x82\x10\x53\xc4\x5d\x42\x2e\x7b\xa5\xe0\xe2\xe9\x26\x5a\xb9\x3a\x1c\x4a\xdf\x5b\x51\xc1\x10\xee\x3b\xa0\xfb\xb2\xd6\x0a\x8b\xe3\x05\x26\x96\xbe\x86\xe3\x70\xa2\xf2\x48\x6e\xe2\x05\xac\x59\x08\xcd\x49\x7e\x0f\x1f\x3a\xc0\x26\x31\x40\xb5\x48\x95\x56\x83\xcd\x23\xd9\xc9\x09\x39\x45\x89\x24\x53\x77\x57\x5c\xb3\xe5\xd5\x73\x28\x64\xde\x51\x63\x07\xf5\x0c\xfa\xdf\xfe\x4c\x90\x8a\x7f\xc2\x9b\xa3\x4d\x83\xf1\xa1\xc9\xa6\x4c\xf5\x5c\x16\x99\x42\x16\xeb\x29\x68\x5e\x80\x47\x78\x29\x49\xbb\x4a\xd7\x76\x44\x08\x44\x0b\x59\x0a\xb7\xda\xe1\x83\xa4\x7f\xc3\x63\xb4\x1b\xca\xa5\xa9\x17\xc2\x7f\xcd\x9a\xce\xd8\x5b\xf7\xb1\x03\x59\x3f\x53\x22\xca\xff\xc6\x7d\xc1\x5f\x8e\xaf\xe0\x1f\x96\x2e\x6c\xe7\xd3\x96\x4e\x7d\x37\x2d\x0a\xb5\xc3\x54\xc9\x0a\x50\x13\x84\xd1\xc8\xec\x6d\x9e\xe9\x0a\x6c\x08\xab\x38\xc1\xaf\xed\xcc\x23\x72\x1e\xb8\x55\xba\x05\x53\x59\xe6\x4e\x86\xa0\x53\xea\xb6\x07\x8b\x13\xd4\x96\x48\xac\xf3\xf5\x44\x92\x6b\x08\x65\x39\xd5\x3b\x59\xaf\xea\x14\x61\x77\x23\x81\x78\x14\x41\x34\xdf\x26\xf5\x6e\x98\x53\x2b\xcc\x40\x57\xe1\x0f\x64\x86\x9c\x47\x6d\xf5\x75\xd8\x15\x61\xca\xf5\xd2\x05\xcb\x72\x2a\x5a\x12\xd5\x10\x22\xf0\x51\xdf\x37\x39\x8d\x39\xde\xc1\xe1\x8a\x86\x36\xf4\x8c\x2c\xd1\x2b\xb9\x48\xf3\x55\x75\xd5\xc5\x25\x92\x18\x15\xac\xce\x65\xa7\x23\x5b\x88\x27\x85\x5f\x18\x3f\xda\x1c\x3c\x5e\x90\xa2\x1d\x85\xb1\xd4\x48\xe1\x4a\xa0\xa4\x3c\x4f\x92\xc2\xf9\xa1\x74\x78\xa5\x5a\x5a\xc8\x4e\x06\x8d\x02\xaa\xc7\xe6\x95\x95\x47\xba\xf1\x11\xb8\xc1\xdd\x16\x6c\x61\xee\x12\xea\x19\x5c\x35\x0b\x2f\x72\x61\x08\x23\xce\x91\xaf\x9f\xab\xb1\x7f\x20\xaa\xda\xef\xff\x52\x4d\xe3\xa0\xff\xdb\x5a\x49\xf1\xd3\xe0\xe7\x4a\x16\x52\x6f\xcb\xbc\x99\x99\x19\x49\xa3\xc7\x29\xe9\x4b\xa1\xed\x6a\x11\x84\x71\x3f\xe9\x67\xea\xd6\x8a\xd3\x4e\x10\x05\xd6\x86\xcd\x53\x64\xc3\xe7\x88\x0e\x08\x59\x65\xf9\xdd\x74\x41\x30\x74\x9f\x5a\x8d\x23\x41\x34\x6a\xdd\x4e\x88\xbc\x58\xb5\xa0\xfb\xa6\x49\x7f\x7d\x43\xcd\x09\xaa\xc4\xb0\x46\x43\x3d\x6f\xb0\x30\xec\x29\x5f\x03\xdf\x19\xa0\x7f\xe1\xbc\xa9\x51\xde\x2a\x19\x17\x52\x09\xb4\x88\x5c\xac\x8b\x30\x76\x6f\xc6\x29\xbb\x65\x4d\xb4\xae\x26\x9d\x0e\x04\x01\xf9\x6b\xfa\x1c\xbb\xe8\x0e\x6e\x71\xec\xa4\x12\x07\x80\x06\xa6\x2b\x30\x04\xd5\xe8\x3c\x1d\x30\xaa\xb8\x33\x7c\xd2\xa9\xf3\x3b\x9e\xc7\xbe\xf6\xe9\xe6\xad\x35\xe7\xfb\x59\x9e\x74\x75\xa0\xfa\x82\x91\xe5\xda\x76\xfd\x81\xdb\x83\x7b\x76\x78\xc7\x09\xdf\xd5\x4e\x4b\x25\x76\xe7\x97\x17\x8a\xb0\x80\xfd\xd0\x94\xf6\x75\xef\x00\x39\x27\x1d\x43\xdd\x27\x6f\x63\xef\x1b\x63\xff\xb0\xc0\x9e\x58\x4a\xc1\x51\x35\x9f\x44\xfd\x6e\x9c\xf9\x6f\x1d\x0b\xde\x5e\x1b\xf5\xab\x25\x5c\x2d\xf0\x8a\x16\xfd\x88\xbe\x33\xbc\x78\xad\xc2\x0d\x2e\xe9\xe7\xbd\x3e\xc4\x0b\x54\x21\xe8\x98\xa3\xc0\xa4\x63\x4d\x81\xf3\x4c\x0d\xa7\x76\x38\xe3\x11\xf1\x42\x04\xc6\x52\xbf\x19\x7f\x7d\x43\x64\x0d\xc8\x38\xc1\xbb\x97\x41\xd0\x00\xc2\x78\xd3\x26\x25\x97\xad\xac\x34\xc3\x21\x8a\xbf\xf3\x76\x98\xf5\x22\x61\xf4\x4e\xb1\x6e\x7c\xd4\x2d\x98\x0a\x2b\xcc\x35\xd3\xa9\x6a\x85\xc7\x2a\x64\xeb\x4c\x8e\x3a\x97\xf7\xb4\x3c\x70\xbc\x8b\x05\xc0\x3e\xe5\x31\x56\xd0\xc6\xf9\xff\xc9\x0b\x7e\xc6\xb3\x68\xe4\x4a\x28\x3d\x56\xd4\x48\x55\x5f\x88\xc0\xbb\xf8\x9e\xee\x0b\xce\xc9\xa6\x5e\xb2\xe2\x0d\xdc\x82\x0b\xa0\xb2\x2d\x91\x82\x1e\x47\xce\x4a\xba\x73\x1b\x6f\x2d\xd2\xb0\xef\x28\x36\xff\x75\x8d\xf9\xba\x39\x61\x12\xbf\x1c\x0b\xf5\xbf\xa7\x16\xbc\xb1\x36\xfc\x1c\x54\x97\x34\x6c\x9b\x8b\x33\x42\x71\xe9\xa6\x98\x75\x98\x27\xd0\x0b\x72\x36\x37\xf9\x45\x31\x70\xc8\x84\x41\xdc\x5c\x29\x86\xe1\x0a\x86\x60\xf7\xa5\x0b\xf1\xa5\xcb\x1d\x31\xc8\xc3\x84\x7e\x86\xc8\x1b\xd6\x8c\x61\x5e\x94\x5b\x80\x10\x07\xbb\xd3\x9e\x22\x34\x9e\x24\x29\x66\x76\x29\xed\x24\x47\x8e\x3b\x74\x37\x27\xb1\xe4\xf2\x5a\x98\x01\x5f\x5a\x61\x58\xf8\xb0\x47\x81\x16\x3f\xe9\x05\xef\xf6\xec\x50\x0b\x5d\x34\xc6\x1a\x81\xdd\xf5\xb3\x5f\xf7\xbd\x9b\x33\x9f\xfd\xba\x77\xd4\xe1\x5f\x47\xe1\x6e\x02\x7f\xca\xbc\x45\xd1\xf3\xee\x1a\xa1\x9d\x83\x6d\x05\xe0\x1c\xb7\xd3\x22\xe7\x57\xd4\x1e\xcd\xa6\xee\x01\xef\xe9\xbd\x53\xf7\xd0\x4f\xf7\x4e\x35\x9b\xcd\x2b\xaa\xe1\x57\xf0\xf3\x62\x54\xed\xe6\xff\x8e\xc7\xf6\x63\x90\x90\xff\x6b\x1e\x7b\xec\x59\xd9\x45\x0f\x1a\x4a\xd8\xa0\x47\xe1\x4d\x25\x17\x1d\x3e\x84\x74\xd7\x0e\xa2\xa6\xd3\x07\x75\xde\x4b\xfb\x6a\xd6\xd1\xf6\x41\x4b\x01\xd6\x5e\x67\x37\x7b\xac\xc9\x36\x18\x09\x62\xff\x95\xc1\x12\x0d\x24\x04\x11\x81\x62\x07\xca\x47\x18\xaf\x4f\x21\xa4\xb0\x39\x88\x8c\x54\x57\x3a\x1f\xda\xd6\xf5\x82\x09\x05\x46\x18\xcd\x2d\x2d\x66\xce\xe6\x79\x8f\xc7\xb4\xa8\xf7\xbf\xcf\x0b\xbe\xcd\xd3\x41\x29\x23\x16\xac\xcb\x22\x8d\xbb\xa0\x87\xa9\xeb\x00\x1a\x5b\x5e\x09\x79\x62\x32\xbd\xd5\x52\x49\x0b\x65\x41\x5a\x99\xa3\xba\x74\xd4\x95\xf1\xfd\x17\xd3\xb4\x5b\x8d\xfd\xa4\xc7\x6e\xc9\xfa\x6b\xa6\x74\xff\xdf\x7b\x4c\x3c\x2b\xb3\xbf\x62\xd5\x12\x7c\xad\x5d\xa7\x36\x37\xa0\xe5\xc4\xf9\xa5\x6a\x6a\x35\x22\x5e\x59\x8c\x6e\x88\x4d\xd9\x64\x1f\x3c\xc8\xce\x51\x8b\x31\xd3\x74\x7d\x3d\x95\xeb\x22\x4f\xdc\x96\x96\x92\x94\x31\xea\x74\x6e\x49\x03\x2a\x42\x04\xf2\x1f\x1f\x08\xa6\xdc\x47\x6e\x4e\x58\xf1\xdb\xf6\x3c\x8c\xef\xdf\xcf\x5e\xa5\x83\x67\x85\x7d\x60\xad\xb2\x65\xb6\x54\x39\xd8\x7b\x68\xfa\xcd\x68\xb9\x3d\x44\xcb\x2d\x5a\xe1\xb2\x2f\xde\x53\xb8\xec\xcd\xa8\xcf\x3d\xd3\x1f\x26\x3b\xc7\x0b\x5d\xf0\x5f\xd2\x28\x62\x84\xac\x9d\x5a\x15\x39\xcc\x75\x64\x51\x79\x13\x51\x14\x32\xfb\xf6\x03\x6c\xca\x4d\xb5\x4d\xb2\x96\x88\x20\x30\x1d\x0f\xe9\xa6\xba\xbd\x5f\x54\x37\x97\x16\x51\xc0\x7c\x6a\x7f\x70\xdd\x2b\x3f\x2d\x21\xb0\x68\x86\x58\xc3\x82\x25\x78\x17\xde\xd6\xe7\x9f\xda\x84\xe0\x29\x42\x68\x7b\xe7\x23\xd5\x02\xc9\x91\x16\x9c\x4f\x38\x39\xcd\x10\xf9\x80\x49\x82\x59\x03\x90\x0e\xb3\x4c\xb6\x1b\x3d\x99\x36\xf0\xe2\x3a\xd9\xbc\xee\x31\xac\xea\x12\x5c\x46\x5e\x40\xa5\xce\x6d\x4a\x75\x20\x3c\xa8\x1a\xe4\xc8\xaa\x6f\xd9\xc7\x3e\xe6\xb1\xaa\xd7\xfc\x1f\xbf\x11\xb6\xa0\xa6\x39\x79\x5f\xd6\x17\x71\x1e\xe6\x83\x20\xae\x28\xd4\xa4\x2c\x96\x47\x08\xd4\x7f\x7c\x51\xff\x49\x43\x26\x5a\x69\x82\x18\x6c\xea\x56\x2e\x37\x05\xa0\xaf\xb7\x33\x3e\x01\xe9\xfa\xaf\xa6\xea\x26\xd9\x4b\x99\xd5\x75\xff\xc5\xc1\x74\xf1\x57\x55\x14\x2c\x15\x1f\xc6\x1c\xc4\x54\x98\xc4\xb6\x60\xf8\xdf\xb6\xfd\xef\xf3\xcf\x84\xfd\xef\x9d\x35\x5d\x5e\x11\xbc\xaa\xaa\x6a\x68\x34\x10\x40\x8a\xc0\x4c\x5d\x1d\x78\x6f\x65\x21\xa3\xe9\xd0\x14\xa1\xfd\x5d\x68\xed\xa5\xbe\x98\x5b\x04\x2d\x29\x6b\x99\x12\x45\x04\x86\x1a\x10\x3b\x87\x40\x13\x8e\xc5\xbd\x62\xa8\x07\x48\x82\x60\xb9\x06\x71\xa4\xa3\xa1\x52\x0d\xb8\xa2\x79\xa1\x95\xf4\x0a\xc7\x07\xf9\x3b\x5e\xa5\xd4\x94\xa2\x18\x98\x88\x32\xc4\xc9\xba\x40\x90\x5c\x2c\xa7\xc9\xfe\xb4\xe6\x6c\xc9\x4e\x94\x6c\x91\x89\xcd\x1c\x7d\xe7\xa2\x64\x0b\x21\x63\x68\x4b\x7e\xb8\x16\xdc\x5b\x7e\x58\x4e\x84\xb6\x49\x9b\x69\x4b\x16\x9f\xb8\x59\x93\x5f\xf0\xd8\x1f\xb9\xf4\xd2\xbf\xed\x05\x77\x5f\x29\xfe\xbe\xe2\xaa\x05\x43\xc5\x83\x5f\xcc\x29\xbd\x50\x01\x16\xd8\x99\xd1\x6b\x69\x87\xee\x9a\x48\xb7\xa7\xbc\x23\xec\xcb\x86\x81\x99\xbb\xa2\xd7\xb8\x2a\x07\x99\x7f\xc8\x3f\xd0\x00\x18\x28\xb6\x03\x97\x76\x57\xf4\x18\xfb\xe0\x38\x7b\xd1\x28\x29\x38\xd3\x5c\x51\xe2\x88\x06\xfa\xdb\xc6\x83\x39\xeb\xef\xed\xc6\xb8\xaf\xb9\x15\x41\x9a\x59\x3a\x5e\xf3\xba\x77\x30\x95\xbd\x28\x6c\x09\x57\x6b\xfa\x37\x63\xec\x21\x66\x7e\xf2\x2f\x69\x83\xd2\xe9\x21\x07\x06\xf9\x8c\x11\xaa\x44\x68\x66\x44\xbc\x50\x88\x48\xea\xec\x40\xd7\x60\xf5\x6b\xf6\x86\xfe\x85\x5a\xf0\x53\xb5\x1b\x31\xc6\xeb\x66\x69\x8b\xbc\x36\x81\x02\xe9\x21\x41\x13\x94\x76\xe8\x5a\xdf\xec\x43\xd2\xc4\x88\xe6\x29\x4f\xb8\xd8\x4c\x42\xd5\xfc\x3c\x4d\xd4\x56\xc2\x98\x85\x41\x71\x53\x5e\x2d\x3e\xd2\x1b\x46\x17\x25\xba\x86\x16\x8b\xea\x85\x1e\x34\x60\xef\xf2\x6c\x10\xe7\xe2\x9a\x75\x7e\x53\x0c\xa2\xdb\xb6\x0c\x4f\xf5\x6a\x6b\x50\x3f\x93\x69\x63\xbd\x1f\xb6\x25\x19\xff\xcb\xb6\x7f\x5b\x4c\x7e\x74\x9c\x4d\x56\x45\x96\x95\x90\xb8\x68\xfd\xbc\x6d\x3c\x58\xa8\xfe\xa9\x7c\x2e\xd8\x4b\xa8\x67\xbe\xd0\x28\xd2\xce\xba\xf9\xb9\x31\xf6\xaa\x22\x42\xf3\xb1\x60\x99\x22\x34\x1b\xbb\x8f\xd0\xdc\xda\x40\x97\x41\x01\x2b\xac\xc3\xa4\x61\x3f\x3b\x17\xe7\x0f\x79\x6c\x5f\x6f\x43\x64\xd2\x7f\x9f\x17\xbc\xd3\x5b\x52\xff\xb4\x8e\xff\xb0\x63\xc0\xae\x41\x4a\xe8\x20\x95\x3a\x82\x8d\x21\x34\x0f\xe0\xa1\xd5\x31\xb2\x1c\x40\x6a\x88\xd1\x07\x9e\xdf\xb0\x03\x87\x2e\x7b\x53\xc5\x38\x69\xe0\xeb\x17\x42\x43\xed\xd6\xbf\xc5\x33\x11\xa7\xdf\xe8\x05\xaf\x59\xc6\x70\x53\x84\xa1\x4f\x43\xd9\xb1\x88\xce\x34\xc8\x4a\x09\x38\x24\x46\x9c\x40\x8d\x55\x1f\x66\x10\x5b\x90\xe3\xd9\x80\x67\xa1\xc3\x31\x95\x87\xed\x81\xb6\xf3\x19\x04\x87\x0b\x8b\xce\x98\xfe\xec\x98\x83\x70\x9b\xae\x89\x56\x71\xd1\xa1\x4b\x51\x98\xc4\x00\x77\xf2\x96\xb1\xe0\xc1\xd2\xb3\x72\x10\x65\x82\xe8\x4c\x92\xcf\x23\x02\xcc\x72\x12\xe1\x35\x5a\x5f\xb0\xc0\xba\x8e\x27\x9c\xf5\x8a\xb3\xaa\x7e\xac\xc6\x7e\xb4\xc6\xbe\xa4\x55\xfc\xac\x0f\xf2\xcc\xff\xf6\x5a\xf0\x61\x6f\xbe\xe2\x17\xc2\x5d\xb1\xf8\xf6\xcd\x2f\xd5\x00\x5f\x1d\x75\x59\x73\x5a\xa9\x86\x8c\xdc\x62\x20\x77\xfa\x91\x44\xa3\xaa\x1a\x78\xc3\xe2\xa7\x4b\xed\x22\xc8\x48\x6e\x18\x02\x8a\xa2\x8e\x64\x16\x7c\x72\x66\x6a\x86\xd0\x9c\x5d\x1f\x48\xbb\x55\x6e\xd8\xfb\x0e\x8d\x9e\x41\xab\x51\x70\xcd\x7e\xfd\xa1\xe0\x87\xbc\xd2\xc3\xaa\x44\x5f\x7b\x5c\x9a\x7c\xc1\xb6\xb6\xf2\xcd\x99\xe6\xcc\x29\xf5\x8f\x8e\xd8\x4c\xd0\xbd\xa0\xaa\x74\xc1\x72\xe8\xb6\xb2\x39\xe3\x14\x85\x17\x20\x22\xee\xc1\x94\x97\x14\x2d\x92\x74\xa6\xa8\xc2\x8f\x1e\xad\xbe\xda\xff\xda\xcd\xc4\xe2\x3d\x67\xf7\x45\xda\x36\xd2\x0a\xbe\xaa\x82\xa0\xda\x9e\x2b\x7b\xa1\x9e\x60\xc7\xd8\xcc\x48\xcd\x69\xd4\x8a\xbb\x69\x1d\xd9\x83\x75\xa4\x63\x59\x47\x1e\xda\x5b\x32\xf1\x97\x6f\x03\xdd\xf0\x94\x97\xed\x7c\xf3\x5f\xf2\x2f\x99\x4c\xa1\x91\x7b\xdd\x24\x10\x95\xc4\x4b\x65\x5e\xf1\x77\xdf\xc2\xbe\xa2\x2a\xe3\x44\xc8\x6e\x12\xaf\xc8\xdc\xff\x8b\xc3\xc1\x29\xf3\xd7\x90\xb2\x0b\x28\x44\x16\x6f\xb6\xe0\x6d\x78\x57\x5d\xc0\x5c\x0d\xe5\x37\xd9\xcd\x55\x78\x13\x45\xc4\x45\x11\xf9\x35\x8d\x22\xf2\x8b\x1e\x6b\x8e\xc6\xd8\x2c\xaf\x49\xc8\xd3\xf8\x2e\x6f\xd5\x8a\x57\x5d\x93\x1b\x62\x33\x4c\x52\x73\xb8\x58\xcb\xf0\x39\xc6\x12\x61\xff\xaa\x66\x12\x91\xde\x59\xdb\x26\x03\x65\xb8\x5f\xf0\x51\xf0\xc7\xde\x6a\xe5\x25\x60\xa8\x5f\xab\xf8\x20\x17\x3a\x04\x43\xa9\xf1\x49\x87\x03\x5a\xea\xda\x00\xc1\x28\xb7\xc2\xb8\x9d\x6c\xc1\xf7\x10\x0d\xb7\x94\xf4\xfa\x91\x1d\x22\xa4\xe1\xab\x96\xa5\x68\x37\x92\x38\x1a\x3c\xe7\x03\x76\x53\x99\xd8\xab\xd1\x78\x65\xe7\xa3\x63\xda\x6f\x36\x0a\x53\x70\x2f\x33\xa7\x84\x59\x7e\xe5\x3c\xd3\xb7\xb9\xd0\x5d\xc3\xc9\x88\xfe\x9f\x1d\x0c\xbe\xa6\xf8\x93\x82\x99\x32\xde\x96\xad\x48\xa4\x18\x3a\x64\x87\xa6\x63\x10\x58\xdc\xe6\xcb\x68\x48\x58\x91\xda\x9d\xac\x0f\x89\x4f\x1c\x60\x89\xd9\x3c\x72\x1b\x4d\x67\xb8\x31\xb4\x79\xa6\x2f\x26\x19\xcc\xac\x8c\xc1\x29\xa8\xad\x24\x99\x93\x0f\x58\x7c\xd6\xbc\xb9\xfa\x6e\x02\x55\xfc\x7d\x51\x2e\xf7\x78\xa8\xff\xa3\xd2\x99\x5e\x9c\xe8\x2c\xa3\x83\xf6\xea\x36\x68\x5d\x15\x7b\x4a\x1d\xb4\x77\xad\x94\x59\xd2\xf3\x91\x07\xaf\xb3\xb3\x9e\xf2\x56\x77\x16\x4b\x33\xfe\xd4\x08\xb1\x64\x0a\x2a\xcb\xa5\x2f\x3c\xcc\xbe\xac\x3a\x91\x13\x12\x4b\x3f\xf9\x70\x10\xd0\xbf\x71\x1d\xa2\x61\xa4\x57\xa8\xa8\xbd\xa4\xdd\xbc\xee\x31\x83\xe3\xe8\xde\x6e\xbf\xf5\x61\xf6\x77\xe3\xec\x05\x86\x46\x6d\xde\xbc\xe6\xff\xe1\x78\xf0\x4b\x63\x17\xe8\x8a\x56\xd0\x57\x17\x05\x11\xb6\x23\x2e\x52\xe0\x95\x3b\x5b\xf5\x16\x1d\xd7\xf4\xb2\x88\x31\xb4\x06\x40\x81\x13\x30\x89\xf4\x64\x0a\x8e\x10\x30\x43\x22\xc9\x2f\xc4\xf5\xb4\x4c\xc6\xda\x06\x17\x4a\xd0\xae\xf5\xd7\xd7\x89\xda\x4b\x53\x88\xb7\xcc\x4a\x2f\xf2\xa8\x20\xbc\xc2\x90\xca\xc2\x08\xd4\x2d\x1a\x54\x7a\xbf\x9b\xb4\xf1\xf5\x35\xe2\x01\xd6\x7b\x55\x93\xee\xc1\x9e\x01\xac\x07\x30\x24\xb5\xdb\x2e\x8d\xb7\xe9\x21\x26\x20\x3b\xbd\xaa\x17\x88\xc6\x49\xfb\x48\x56\x7c\x65\x0d\x8b\x6d\x20\x7f\xe6\x92\x1c\xcf\x0e\x4f\x64\x25\xdb\xce\x29\x76\x62\x17\x50\xaf\xc3\xa5\x3d\xe5\x1d\x61\x5f\xe1\x2c\x73\x40\xbd\x6d\x74\x65\xba\x2e\x1b\x57\xe5\xc0\x3f\xe0\xef\x8b\x45\x57\x32\xf5\xe6\x97\x57\xbc\x09\x2e\x59\xb9\x3e\xf0\x0f\xfa\xfb\xe1\x2b\xc6\xde\xe0\xb1\x83\x1b\x49\x96\x43\x70\xd5\xe3\x41\xd7\x8d\x27\xd5\xbf\x18\x0e\x93\xa4\x8d\x21\x87\xb9\x1d\x67\x58\x0c\xb6\x79\xdf\x30\xa1\x61\x90\x9d\x20\xe5\xaf\xa1\xa3\x4b\x30\x6d\xca\x16\x50\xdf\x74\x90\xdd\xa6\xc6\xc3\xda\x05\xff\xe7\x40\xf0\xfb\xfb\xf5\x2e\x20\x06\x6a\xba\x81\xda\x8b\x7c\x4d\x46\x09\xf2\x99\x15\xf9\x3a\x6a\x01\x85\xb9\xfd\x96\x48\xa5\x86\x6a\x05\xb3\x13\xae\xae\x5e\x1a\x22\x8b\xac\x53\x1e\x04\x22\xe5\x22\xd5\x89\xb6\x22\x1e\x40\xfd\xd6\xc2\xeb\x88\x30\xca\x4c\xd7\x4b\x09\x8d\x3a\x53\x0c\x83\x6c\xf5\x3a\xc2\x60\xf2\xb6\xcb\xba\x85\xe7\x07\x54\xa6\x29\x3b\x56\xb5\xeb\x14\x38\xc3\xe2\x72\xcd\x10\xba\x9f\x76\x9d\x6d\xa0\x43\x94\x28\x5b\x48\x74\x13\xb5\xfb\x22\x5b\x16\x0c\x8f\x88\x0e\xfa\x86\xa6\x1a\xca\x50\xbd\xf7\xeb\xa0\xa7\x2b\x8d\x24\x03\x1c\x20\x99\xd5\xf9\x85\x70\x53\x3a\x0f\x92\x14\xa3\xde\xfb\x3d\x7a\x84\xad\xd7\x9b\x8b\x78\x15\xbb\x9a\xdc\x7b\xb8\x33\x90\xad\x2b\x80\x21\x36\x56\xeb\x84\x78\x7f\xdb\x7d\x38\xd1\x2d\xce\xeb\x35\xc8\x09\x6c\x6b\x41\xb1\x11\xae\x6f\x48\xd0\xbf\xe0\xe8\x9d\x82\xbc\xba\x22\x25\xb4\x38\xee\x07\x3d\x69\x90\xc6\x62\x82\xab\xa1\x84\x1f\x70\x6e\x51\xca\x1d\x79\xc6\x89\x8e\xac\xdf\x35\x61\x8c\xa5\x91\xce\x9a\x08\xc3\x48\xb8\xd9\xbd\x5e\x44\xb4\x80\x61\x69\x70\x01\x28\x36\x0b\xbb\x61\x24\xd4\x62\xc9\x36\x00\xfe\xa4\x3c\x05\x24\x12\xe9\x0a\x16\x59\x9c\x97\xe0\xad\xe8\x26\x9b\x6a\x05\x56\xa8\x14\x4f\x3b\x33\xa7\x97\xb4\xb3\x29\xd5\xd8\x46\xd1\x8c\x29\x5b\x3a\x35\x59\x9d\xdd\xb9\x1b\x20\xea\x67\x51\x28\xfd\xd5\x18\x7b\x7e\x26\xf3\xf3\x24\x4d\xe6\xb2\x73\x2f\x5b\xb8\xe4\xff\xc1\x58\xf0\xeb\x63\x8b\x1d\x88\xae\xdc\x4e\xe6\x68\x5b\x11\xfa\xdc\x8b\x17\x55\x21\x75\x9e\x0a\x4a\x93\x11\x68\xc4\x8f\xa4\xe8\xe0\x76\x9b\xb0\xc2\x6b\x27\xe1\x04\xba\x10\xc6\xfd\x6b\xd6\x7c\x51\x90\x3f\xa6\x77\xda\x49\x1c\xaa\x68\xed\x6e\x31\xed\x71\xb2\x40\xae\xaa\x4e\x47\x58\x47\x9c\xb4\xa5\xfb\x06\xc2\x2f\xf3\x7e\x9e\xa9\xe7\x58\xf9\xcb\xe1\x3e\x9d\xed\xa6\xfa\x54\x53\x5a\x9a\x00\x8f\xa2\x11\xb4\xa6\xcd\x2b\x57\xe5\x80\x9f\x7f\xe9\xd9\x57\x3c\x76\xe1\xf2\xfc\xdc\x85\xc7\x2e\xce\xcd\x9f\x5f\xbc\x74\xf6\x91\x95\x57\xac\xac\x9e\xbd\xf8\xc8\x3c\xae\x44\xa2\x2a\x5d\x91\xf9\x23\x14\xf5\x93\x3d\xb2\xda\xea\x85\xbd\x47\x2c\x6e\xa6\x3c\x81\x7e\x53\xce\x84\x92\x82\xed\x44\x66\x85\x48\xc1\xf1\x86\x26\x6f\x08\x20\xb6\xc3\x94\x08\x13\x1f\x3d\x22\x3c\xfa\xff\xd4\xd8\xa1\x76\x9c\x11\x53\xd2\xe7\x6b\xc1\x6f\xd5\x56\x64\x0e\x7c\x15\x3d\xa2\x75\xd4\x04\x50\x49\x29\x83\x21\x20\x4b\xe4\xb9\x30\xcd\xf2\xa0\xc9\x21\x26\x56\xb3\x50\xaa\x1d\x7b\xc4\x7e\xe1\xe5\x61\xbe\xa1\xd6\xd8\x25\x99\x1f\xa9\xbb\x3f\xa9\xbf\xa9\xe0\x23\x6a\x2f\x1e\xb9\x94\xc4\xf2\x48\x13\x1b\x51\x0c\x01\xc6\x83\x84\xb1\x7a\x4e\x5c\x37\x7a\x15\xc2\x52\xb6\x72\x26\xa9\xe9\xe8\x4d\xd2\x3f\x2c\x5c\x5a\x31\x52\x9f\xce\x0c\x55\x03\x01\xd8\xc3\xe9\x29\xd4\xe1\x86\x6f\x6f\x60\x5b\xd5\x66\x46\xfc\x6d\xf8\x20\x4f\x4c\x84\xa7\x35\x44\x16\x24\x77\x9e\x8c\xee\xb6\x73\x04\xff\xb6\xc7\x7c\xd4\x67\x4c\xa8\x57\x7c\x35\xf3\xff\x83\x17\x7c\xc0\x3b\x3b\xf4\xdc\x72\xc3\xea\xdc\xb3\x61\x96\x61\x62\x3b\xb1\x69\xa1\xc2\xf8\x55\x38\x02\x20\xf1\x49\x49\x8b\x37\xc3\x34\x89\xbb\x18\xa4\x94\x86\x70\xbd\xaf\x17\xc8\x68\x68\x3e\x8a\x73\x14\xda\x0b\x49\xeb\xaa\x4c\x79\xa4\x5a\xd1\xe4\x97\x09\xd2\x7e\xd6\x59\x09\xc3\xb1\xb8\x6f\xf1\xd8\x6d\x2e\xc5\xba\xff\x75\x5e\x90\x15\x9e\x2e\x97\xed\x5b\xab\xf4\xea\x57\x52\x8a\xa3\x50\xa0\x7d\xc1\x7d\x13\x28\x32\x2d\x8f\xd9\x2c\x7f\x20\x33\x24\x3b\xd6\x3b\x86\xeb\xc5\x1e\xf3\xbf\x19\x67\xff\x58\x67\x28\x85\x49\x7c\x7f\x2a\x5a\x72\x09\xb8\xcb\x75\x2a\xd5\x6f\x8f\xeb\x54\xaa\x8f\x8d\xeb\xbe\x56\x66\x51\x69\x5d\x04\x09\xf5\x9d\xcc\xa7\x22\xa5\x0d\xf3\x02\x00\x02\x44\xa9\xe9\x19\x2a\x43\x94\x47\xa7\x91\xd7\xf8\x83\x4e\x96\x14\x90\x8a\x82\x07\xd8\xce\x94\x5a\x35\x14\xb9\x88\xd3\x6e\x56\x43\x96\x27\x3d\x07\x59\x44\xb3\x77\x5f\x45\xf6\xbb\x75\xd5\x81\x89\x38\xe1\x09\xc0\xa4\xc1\x6d\x17\x56\xf1\x46\x3f\xe7\xed\x64\x2b\xb6\xa0\x5e\x0c\x9e\x43\x1c\x46\x75\x27\xff\x01\xba\x44\x34\xef\xae\xa7\xd7\xa1\xd4\x71\x5e\x0b\x47\xa7\xa0\x15\x68\x31\x3a\xd2\x2f\x2b\x73\xf9\xa8\xb1\xc5\x3c\x81\x38\xe7\x82\x5b\xb3\xa6\x3b\xa5\x13\xfa\x01\xef\xc6\xa4\x77\x15\x05\xaa\xaf\x3b\x49\xda\x0a\xd7\x20\xb7\x30\x32\x72\x40\xd8\x63\xd3\xe4\x2b\x90\x51\x68\xba\x4f\x5e\x53\x73\x64\xc9\x6b\x3d\xdc\x41\x2d\xb5\xb0\xfb\x3d\xac\x8f\x32\x52\x53\x5d\x9f\x2b\x19\x8f\x4d\xeb\xae\xba\x81\x3a\x6f\x1d\x63\xcf\x07\x25\x38\xcc\x07\x00\x0c\x0b\xe1\x7c\x7f\x5b\x0b\xfe\xb4\xb6\xd8\xb1\x95\x7c\x37\xe6\x12\xb7\xad\xfe\xb0\xc9\x03\xd2\xef\xd5\xd1\xd6\x68\xa5\x21\xc0\xd5\x04\x30\x20\xfa\x27\x72\xee\xdb\xbf\x2a\xe5\x6f\x8b\xc4\x97\x88\xd4\xd1\xb4\x95\xa4\x6d\xed\xbe\xd7\x35\x3a\x0a\x1f\x55\x19\x6a\xfa\x68\x48\x1e\x4d\xd2\x2e\x78\x95\xcb\xda\x61\xd1\xbe\xb9\x78\x40\xa9\xf2\x70\x2a\xea\x95\x6d\xd1\xd2\x5b\x97\xd6\x25\x7b\x3c\xb4\x89\x83\x6a\x13\x39\x94\xd0\x1c\x7d\x0d\x32\xb5\x9a\x55\xa9\x97\x6c\x92\xd2\x56\x01\x95\xc0\xd0\xbd\xd2\xcf\x8e\x58\xf8\x9f\x63\xec\x79\x69\x3f\x56\x13\x5b\xcc\xca\xa7\xc6\x82\x4f\x8e\x2d\x97\x9e\x22\x09\x15\x06\x5c\x70\xfb\x47\xdd\x70\x5a\xbd\x6a\x66\xc8\xc8\x84\x66\x10\x0d\xf2\x59\x4a\x90\xb0\x59\x96\xe0\x7c\xa5\x1c\x33\xa7\x68\xa3\x5f\x13\xc6\xa5\x09\xf7\x6c\x23\x37\x61\x31\x18\xe4\xf9\xcf\xc9\x0c\xa1\xa9\xd3\x24\x8c\x06\x50\xe3\xe2\xbb\x41\x24\xd7\x45\x6b\x10\xb8\xf5\xd8\xfb\x5a\xb7\x17\x53\x61\xc3\x2e\x9e\x6f\xc4\x85\x88\xbb\x48\x93\xed\x16\xca\xab\xa6\xa2\x2a\x25\x4f\xd1\xd0\xd2\x95\x2c\xdd\xc9\x28\x27\xe3\x0d\x11\xb7\xf0\x1e\x33\x75\x55\xf6\x32\xb0\xc4\xa9\x11\x9d\xa2\x92\x1a\x48\x2a\xd9\x6d\x17\xe9\xba\x7c\x4d\xe6\xc2\xa4\xe2\x0a\xb8\x00\x59\x94\xee\x9b\x33\xcd\x99\xe3\xce\x9c\xaf\xb3\x83\xa2\x03\x0d\x1f\xf8\x0f\xb3\xc9\x1d\x75\xf0\x39\x7a\x39\x68\xba\x3b\xb5\xd8\x9f\xd6\xfd\x49\xdd\x4e\xf3\x54\x84\x71\x9e\xb1\x9f\xf3\xd8\x61\x4b\x97\xf0\xff\xb5\x17\xfc\xa0\x77\xde\x82\x4d\xc5\xbc\x32\x38\x0b\x28\x57\xa8\x58\x0e\x0f\x90\x75\x45\x15\x70\x24\xd3\x5f\x70\x43\x3a\x5d\xc8\x6e\xd4\x62\x0a\x9c\x2e\x68\x56\x9a\x67\x2e\xca\x19\x2c\xba\x61\xca\xb5\x1d\x74\xc4\x65\x76\x40\x35\x60\x69\x71\xc1\xbf\x3f\x38\x5d\x6a\x53\x2f\x6c\xdb\xed\x19\x52\x10\x46\x94\xf9\xcb\x35\x76\x50\xef\x5d\xff\xe7\x6b\x3a\x22\xf2\xc7\x6a\xab\x20\xc4\x69\x53\x13\xe0\xcb\x83\x22\x0d\x93\x7e\xa6\xb3\x8d\x5b\x49\xb7\x97\xc4\x70\xcf\xed\xbb\xa9\xd5\x3a\xee\x28\xb7\x0b\xd1\x7c\xa1\x89\x4e\x46\xd4\x22\x87\xcf\x69\x9e\x3f\x3e\x5f\xe4\xba\x17\xe4\xf4\x10\x53\xdc\x4b\xe5\xa6\xae\x2a\x25\x1b\x75\x71\x1d\xd0\x35\x13\x1e\x85\x29\xcf\xca\x9d\xef\x91\x6b\xce\x45\x34\x50\xc5\x2c\x95\x8f\x02\x22\xa6\x53\x02\x15\x8f\x47\xf2\x11\xe4\xee\x53\x23\x69\x9d\xc3\xe5\xd5\xec\x70\x9e\x44\x04\x07\x93\xf9\x6b\xc1\x1d\xa3\x56\xaa\xf5\x9a\x63\x2b\x9b\x62\x0d\xf6\x4f\x77\xc1\x4c\xad\xbf\x66\x1f\xaa\xe1\xda\x9e\x53\xca\x9a\xcc\xfc\xf7\xd6\x82\xb7\xc3\xda\xa6\x07\x24\x3e\x0c\x0f\x92\x8e\x83\x41\x06\x39\x75\x5e\x2d\x2e\x95\x56\xa8\xab\xb0\xba\x17\x4f\x24\xe6\x51\x12\xdd\x5a\xba\x5a\x04\x80\xe1\x10\xb2\xec\x60\x0f\x29\x35\xca\xda\x76\x10\x00\xdb\xbc\xf1\xab\xb7\xe9\xcc\x53\xde\x8b\x76\xb8\x7a\xef\xf3\xc7\xc2\xde\x8d\x5c\xbc\x69\x5b\x2d\x2e\xcd\x57\x6c\xab\xb0\xd7\x7a\x3a\xdb\xea\xbf\x8e\xb3\xe7\x85\x5d\xb1\x2e\x97\xfa\x51\x84\xcc\x4e\x99\xff\xf3\xe3\xc1\xbb\xc7\x16\x4b\x4f\x47\xcd\x8d\xc9\x98\xc6\xec\x3c\xfd\xb2\x15\xa2\x6b\x9a\xa5\x69\xe6\x00\x80\xa7\x1f\x45\x18\x17\x69\x36\x1c\xb4\x03\x73\x9b\xd1\x2b\x1d\x66\x9c\x4c\xf8\x20\xb7\xdc\xb5\x09\x5a\x3c\x56\xa6\xd7\x02\xc5\xf2\xe7\xa8\xef\x6e\x86\xed\xbe\x88\xa0\x22\xb5\x4b\xbb\xbd\x08\xce\x08\x5c\xc7\xfa\x96\xda\xa5\x36\x39\x58\xcc\x75\x93\x87\x42\xa8\xd1\x6d\xb8\xd3\xd4\x71\xcd\xe0\x05\x87\x2e\x94\x40\x30\xac\xdb\xa1\x54\x26\x03\x21\x78\x83\x46\x20\xcb\xe0\x83\xe3\x60\x83\xe9\xc0\x13\xd5\x11\xaa\xa9\x91\xc4\x0d\xd1\xe8\x25\xed\x1b\xe7\x89\xbf\x90\xb4\x44\x84\xde\x22\xc3\x4a\xba\xfb\x35\xb8\x7b\x83\x12\xfb\xde\x1a\xbb\x45\x1d\xc2\x06\x98\xea\x8d\xb5\xe0\x0b\xde\x25\xeb\x89\x66\xc7\xa3\xbf\x88\x09\x92\x0e\x1b\xb0\x23\x59\xa6\x04\x14\xd5\x39\x70\x4a\xa2\xba\xc4\x57\x2a\xbe\xc4\x30\x75\x7c\xe3\x48\xa6\x71\x9d\x4a\xe5\xac\x49\x7d\xf8\xca\x36\xd7\x6a\x08\x96\x79\xe3\xb3\x56\x44\x3e\x4d\x89\x4c\xdd\x11\x00\xf1\x08\xd4\x8f\xed\x58\xac\xbf\xbe\x06\x30\xf3\x40\xc0\x98\xc4\x64\x4e\xf9\x13\x2f\xf8\x5d\x6f\xa9\xf4\x54\x5f\x8c\x96\x0a\xf3\x8a\xfe\x10\x9d\x2a\xa4\x60\x45\xc9\x96\xb6\x99\x83\x56\x7d\x19\x21\x6e\x2f\x21\xb4\x14\x95\x7a\x41\xbd\xb4\x64\xde\xb1\x2f\x21\x55\x6f\x28\xd9\x09\x0a\x61\xd9\x13\xa3\xd4\x27\x74\xc4\xd4\x01\xc8\xc4\xc4\x91\x5c\x4a\xe2\x25\xd3\x3a\x53\x0c\x29\x5a\x8d\xf5\x72\x08\xf9\x9f\xd7\xd8\x3f\xc8\x36\x44\x2a\x97\xf0\x5e\x64\xd8\xbb\xfc\xdf\xaa\x05\x9f\xa8\xad\x6c\x80\x25\x57\x43\x25\xd0\xe5\xc9\x92\x28\x6b\x32\xdf\x92\x12\x79\x46\x0b\x94\x5f\xc7\xce\x5b\x9c\xe3\xb9\xce\x54\x90\x8e\x9d\xd7\xc4\x03\x13\x04\xe7\x66\x28\xb7\x10\x0a\x0c\x2f\x8e\xc5\x15\x11\x11\x76\xe1\xa6\xe2\xd6\x62\x64\x9d\x71\xa9\xc1\xd5\x27\x4c\xe1\x9e\x83\x8d\x0e\x63\x34\x7f\x17\xf6\x75\x5b\xfd\xc6\xb5\x23\xdb\x7c\x69\x71\x81\xcf\x34\xf9\x79\x54\xa0\xa0\xac\x95\xaa\x01\x32\x1e\xbb\x24\xdf\x20\x67\xce\xee\xc5\xfe\xdf\x8e\xb1\x7f\x94\x27\xbd\x24\x4a\xd6\x07\x2b\xbd\x54\x8a\xf6\x7c\xa1\x82\xfa\x9f\x19\x0b\x7e\xc5\x5b\x1d\xf5\x73\x29\xc4\x9c\xb8\x40\x0c\x9a\x56\xd2\x5f\xdf\x40\x76\x40\xf8\x50\xe7\xac\xe9\xda\x78\x3b\xe9\x8a\x30\xce\x9a\x9c\x18\xc0\xf5\x38\xe8\x1d\x89\xa5\xc0\xcc\x6d\x89\x01\xed\x6d\xb1\x06\x10\x0b\xb4\xc6\x2c\x75\xb9\xc9\xe7\xa2\x88\x8f\xec\x0a\x88\xe4\xb9\x4b\x0b\x25\xb4\x8c\x17\xb3\xbb\xd9\xe9\x5d\x28\x2e\xd5\xa5\x3e\xe5\x9d\xd9\x36\xe5\xe8\x0e\x3f\x68\x98\x26\xbd\x54\x0e\x58\x03\xcc\x0d\x0f\xc4\x99\xc8\xc3\xac\x03\xf6\xb3\xdd\x64\x23\x3d\xe5\x35\x77\x10\xb6\xb7\xf9\xb7\xd8\xf5\xdc\x80\x2e\xf1\x36\x8f\x7d\x05\x60\xd7\x26\xfd\x38\x77\x2d\x66\xab\xc9\x55\x19\xfb\xfd\x60\x7d\x6e\x9b\xdf\x2b\xec\x8b\x05\xcd\xb2\x76\x14\xe5\xf0\x66\x71\x85\x75\xc1\x72\xa1\x68\x98\x18\x6b\x61\xfe\x82\x07\xe6\x65\xa2\x2c\xff\x29\x8f\x35\x76\x03\xdd\x6c\x0c\xbc\xc1\x1b\x3c\xd7\x47\x5a\x32\x09\x1b\xc7\x3f\xb7\x4c\xe5\x85\x83\x1c\xee\xfd\x25\x1b\x31\x69\x95\x84\x9c\x28\xdb\x50\xa4\x1b\xf1\xba\x06\x96\xba\x24\xb6\x2c\xc6\xec\x93\x1e\x3b\x94\xf5\xd7\x70\xb5\xfb\x3f\xe7\x05\xff\xc6\x1b\x56\xaf\x11\xc7\xea\xd5\x7d\x11\x61\xfd\x4b\x49\x7b\xd8\x63\x12\xdc\xa3\x1f\xdd\xdb\xbc\xc7\x14\x79\x6f\xf3\x1e\x30\x27\x6a\x71\x70\x6f\x33\xdb\x6c\x35\xef\xd1\x44\xbf\xf4\x52\xb0\x9d\x29\xc4\x88\x1f\x04\xce\xa4\x6f\xa0\x6e\x91\x13\x27\x6b\x21\xa9\x7f\xd7\x63\xb7\x3a\xbe\x50\xff\x97\xbd\xe0\x23\xde\x32\x3e\xb2\x8d\xff\xae\x6b\xd3\xa6\x1b\x87\x91\xa7\x73\x69\x2e\xda\x12\x83\xac\xce\x2f\xc7\x84\xab\x58\xc7\xa3\xca\xb9\x5c\xe2\x4b\x7b\xf5\xa8\xa9\x03\xd9\x20\x41\x4f\xbd\x90\x7a\xd1\xc0\x26\xdb\x7d\x7c\xa7\xc7\x6e\xd5\x72\x28\x05\xab\xce\x9b\xbd\xe0\xc9\x8a\x89\xeb\x59\x66\xcd\x76\x98\xc1\x36\xa3\xf8\x03\xb3\x98\x4c\x41\x3b\xce\xc1\x50\x21\xda\x12\x52\x14\x61\xb7\xf2\xcf\x6a\xec\xb6\x54\xbb\x7f\xef\x57\x7b\xd0\xff\x4c\x2d\x78\x7b\xc9\x24\x88\x49\xc2\xda\x49\xbc\x8e\x5b\x95\x6a\x93\xea\x9e\x28\xb4\xf9\x40\xb5\xc3\xbc\xd9\xe4\x73\xda\x67\x9e\x02\x16\x22\x58\x4a\x55\x61\x61\x9e\x95\x5d\xf6\xf8\xc6\xdc\xa5\x05\x3d\xe7\x94\x15\x6a\x8d\x02\xcd\x7c\xb9\x25\xb0\xe4\x28\x1a\xcf\x20\xf6\x06\xab\x69\x5f\x06\x4f\xcf\xdc\x83\xd7\xb6\xa9\xe9\xe9\xe9\x53\xa0\x80\x41\xd3\x5e\x74\xf4\xcc\x8b\x8e\x9e\x69\x76\xdb\xbb\x4f\x9e\xb0\xa4\xca\xb2\x3d\xc6\xec\x57\x3c\xe6\x0f\xbb\x0d\xfc\x0f\x7a\xc1\x7b\xbd\x61\x97\x43\x55\x96\x75\xc9\x85\x41\x97\xa1\x21\x93\xde\xee\xd6\x7a\x2e\xb2\xab\x85\xfe\x29\xa1\xcf\x66\x76\xac\xe7\xd4\xe4\x06\xc9\xe4\x29\x7b\x21\xfd\x17\x8f\x1d\x54\x8a\x2a\x74\xe4\xe3\x5e\xf0\x41\x50\xcf\x75\xf3\x85\xb6\x32\xc1\x61\xae\x4f\x67\xdd\x4e\x9e\xc4\x18\x3a\xa2\xd3\x9f\x51\x7f\x5e\xec\x18\x8a\xdb\xb8\x61\x59\x10\xcd\x4a\xd6\x84\xb8\xfa\x41\x56\x2a\xd1\xe8\xe2\x75\xa5\x12\xf5\xbb\x26\xef\x0e\xb0\xcf\x6d\x52\xd8\xd4\x8a\x5f\x70\xf6\xc7\x9f\xee\x67\x07\x93\x4d\x99\x6e\x48\xd1\xf6\x7f\x6f\x7f\xf0\x96\xfd\x97\xe9\xaf\x72\xe2\x82\x29\x4b\xbf\x3e\x04\x4e\xa8\xbd\x0c\xe8\x42\x05\xe9\x46\x7e\x45\xdb\x14\xea\x68\xc7\x46\x9d\xec\xab\xb3\x59\x87\x59\x2b\x89\x6a\xac\x3d\x60\xde\x24\x65\xc6\x31\xa9\x56\x19\x84\x0c\x5c\xf4\x8e\x6f\x3a\xa6\x28\xd3\x25\xb8\x17\x59\xf8\x81\x61\x8c\x48\xe6\x98\x59\xa7\xc3\x23\xd1\x94\xb4\x73\x15\x04\xab\x08\xc6\xeb\x8a\x62\x48\x5f\x43\xdf\xe7\x86\x3d\xb0\x11\x0a\x0b\x50\x53\x17\x3b\x6e\x4d\x18\xa0\x63\xe2\x02\xe2\x76\xe1\x89\x2d\xd2\xf7\xd5\xc1\x5e\xe7\x66\x2a\x4b\x41\x4c\xc6\xfa\x65\xdc\x06\x86\xa7\x39\x45\xec\x2f\x08\x4f\xb1\xab\xad\x5b\x70\x8b\x61\xae\x7b\xa6\xce\x40\x32\x82\x83\x1e\x5f\xd0\x20\x3f\x2e\xd3\x64\x0f\xc6\xe8\xa3\xd3\x33\xa7\xa7\x8f\x1e\x3d\x09\x5b\x55\x8f\x8b\x31\x4a\x57\xc7\xb8\x55\xd9\xa5\x4f\xd6\x6f\x34\xf6\x6d\x29\x69\x9b\x61\xd3\x31\x6f\xef\xf1\xee\x63\x37\x82\xf2\x32\x0c\x6a\x61\xdf\x66\xff\xcc\x63\xb7\x67\xb2\xd5\x07\xeb\x64\x12\xe7\xf2\x5a\xee\xff\x37\x6f\x17\x81\x74\x4b\xe0\x4a\xb5\xbf\x0b\x7e\xd8\x2b\x3d\xa1\x54\x52\x38\xc5\x61\x58\x74\x4d\x5c\xe4\xc4\x4e\x44\xc9\xa2\x49\xb7\x6b\x47\x9f\x69\xbb\xeb\x48\x3f\x34\x08\x28\xc0\x07\xc7\x60\x24\x27\x48\x14\xa1\xfc\xf0\x20\xa6\x20\x85\xa4\x83\x57\x38\x34\xe1\xb2\x1f\xab\xb1\x03\x94\x5e\xec\xff\x40\x2d\x78\x83\xa7\xc3\xe1\xe8\x21\x4e\x04\x01\xc1\x93\xba\x0b\xde\xac\x9d\xc2\xe3\x9e\x66\xd6\x33\x55\x6b\x1f\x76\xff\x94\x4d\xb2\x23\x3b\xce\x02\xa6\x9f\xdf\x48\xb4\xd0\xd1\xed\x2f\x1a\x2f\xf0\x9f\x0f\x5f\xd5\x53\xa9\x7a\xfa\x52\x39\xc8\x18\xfb\x6b\x6f\x14\x20\xe9\x67\x3d\xed\x45\xff\x25\x6f\x57\x5e\x74\x0a\x9d\x25\x7c\xd1\xa4\x70\xa2\x39\x68\xa5\x05\xe6\xeb\x30\x02\x29\xec\x76\xa1\x21\x40\xf3\x14\x9c\xdc\x5d\x91\x5e\x85\x83\xa6\x08\x0d\x04\xd7\xaf\x43\xcf\x50\x04\x9b\xb9\x8e\x78\x31\x0c\x58\xea\xd8\xdb\x3f\x5c\x63\x56\xb0\xb1\xff\xe3\xb5\xe0\xed\x66\xc1\xec\xb8\x22\xe6\x6f\x34\x2c\xcd\x45\x47\x13\x39\x8f\xa4\x50\x75\xc5\x96\x81\x04\x6f\xd9\x4b\x49\x65\x14\xdb\xdf\xb7\xb0\xb3\x9f\x3e\xe8\xc0\x2b\x38\xc4\xb9\xc3\x0c\xca\x6f\x7a\x06\x19\x94\x7f\x7d\xff\xcd\xe4\x86\xbf\xdf\x34\xbc\x37\xb3\x77\xf6\x9a\xbd\x93\xe9\x44\xf4\x57\xdd\x38\xc3\xf5\xf6\x21\xf3\xa3\x37\xea\x53\xde\xfa\xce\x99\x21\x0b\xfe\x99\x3d\x93\x27\x33\xf6\xc7\x87\x59\x30\x2a\x43\x1e\xad\x19\x00\xa8\xf1\xf1\xc3\xc1\x0f\x7a\xc5\xdf\xa4\x78\xd8\x81\x73\x65\x08\x10\x6d\xf7\x48\xfb\x80\x6b\xd2\xcf\x8b\x30\x4b\x12\xb3\x15\x71\x77\x5b\x1b\x89\x41\xb4\xa0\x30\x65\x58\x37\xc6\x95\x61\x79\xcc\x86\x5f\x53\x42\x6a\x53\xa6\x6b\xae\x90\x7a\x13\x53\x4a\xd8\x21\xd1\x0b\x81\x2d\x32\xf3\xff\xc0\x0b\xfe\xa3\xa7\xc9\x23\xb3\xaa\xfb\xa8\xa1\x85\x46\x35\xc5\xe6\x86\x36\x6b\x04\x23\x4c\x0c\x6b\xea\xdc\xd2\x22\x4e\xc6\x30\x9c\x71\x3c\xa0\xe0\x74\x2b\x38\x01\xc0\xb2\xe9\xd4\xa1\x4a\x65\xdc\xef\x92\x21\xad\x80\xba\x84\xf4\x97\x41\x51\x7a\x71\x87\x8a\xa2\x64\xab\x74\x18\xb9\x3e\x15\xf6\xe1\x31\x76\x7b\x9c\xc4\x1a\x6a\xf3\x81\xe5\x0b\x99\xff\x23\x63\xc1\x1b\xc7\x2e\xb9\x0f\xb5\xb7\x09\x56\x73\x4f\xa4\x79\x28\x22\xde\x4f\x23\xd2\xd2\x04\x52\x85\xd0\xfe\x46\x8b\x18\x12\xbb\x28\xd1\xca\xef\xa4\x98\x72\x6c\x0f\xce\x34\xa8\xdf\x14\xc4\xdc\xe9\x47\x51\x1d\x39\xc5\x78\x96\xcb\x9e\x09\x4b\x13\xf9\x06\x5f\x09\xe3\x16\x06\xea\x99\xc3\x00\x5a\xa4\x4a\x54\x2b\xc5\x4c\x77\xbb\x5e\xa2\x0d\xc3\x2a\x7a\x90\x27\xa9\xa9\x4b\x1c\x8c\x14\xe3\x7d\xa5\x10\x01\x61\xff\x7c\x06\x63\xf2\x9b\x7c\x19\x2e\xda\x4a\x11\x25\x06\x37\x55\xe4\x40\x83\x12\x17\xf3\x30\xa1\x53\x8a\x82\x5e\xd2\xce\x02\xb5\x20\x03\x72\x39\x06\x93\x9c\xbc\xe4\x76\x1f\xa0\x7f\xf6\x77\x4a\xe0\x04\x93\x75\x0e\x03\xa4\xdd\x13\xdb\x4d\xdf\x8f\xa0\x59\x11\x4a\x04\xdf\x86\xff\x9d\x5e\xf0\xf8\xb2\xfd\xa4\xec\x79\xde\x52\xe2\xcd\x08\x26\x18\xbc\x02\x8a\xbe\xbc\x59\x38\x9f\xd3\x81\x47\x6a\xee\x2d\xf2\x1f\xb9\x29\xd3\x41\x0e\x11\xac\x70\xed\xda\x71\xa5\xfd\x2f\x8f\x1d\x2a\xc0\x62\x7f\xdf\x0b\x3e\xee\x2d\x17\x4b\xd8\xc6\xed\x28\x81\xb8\x0e\xb7\xe9\xc8\x9d\x47\x6c\x5b\x04\xda\xea\xac\xdd\x00\x8a\x6a\xc1\x7f\xa5\x37\x75\x93\x1f\xb9\x73\xaa\x93\x24\x47\xca\x86\x0c\x2b\x67\x8a\x1f\x81\x17\xb4\x21\x76\x57\xc5\x6e\xd3\xe9\xf7\x7b\x0c\xa5\x8d\xff\x1e\x2f\xf8\x16\xef\x41\xf5\x4f\xb7\xb3\xf8\x08\x37\x91\x59\x56\x17\x2e\xa0\x06\x44\xb5\x2b\x8d\x09\xef\x68\x73\xfa\xca\xb6\x2c\x55\x0d\x94\xca\xa6\x55\xd2\x82\x94\x57\x8d\x59\x93\x43\xe1\x73\xd0\x0d\x67\xb0\x40\xc9\xd8\xae\xd9\xbf\x3c\xc6\xfe\x89\x25\xf0\x35\x68\xb0\xd2\x52\x57\x16\xc1\x09\xdd\x93\x2d\xff\x47\xc7\x82\x47\xac\xbf\x2b\xe4\x7d\x41\x5b\x9a\x95\xf3\x1f\x55\x3b\xe6\x57\x16\x79\x3b\x0d\x89\xe1\x3a\xcb\x45\x44\x2e\x65\xf4\x40\x5f\xf7\x0e\xd0\xaf\x2e\xbc\x5b\x8d\xfd\x44\x8d\xe9\x9f\xfc\x77\xd6\x82\x6f\xf6\x4c\x29\xf6\xd0\xda\x2d\xb1\x6a\x5c\xa0\x77\x4d\x66\x9d\xe5\x14\x5f\xc4\xd7\x8a\x46\x15\xa7\xb8\x12\x37\xfd\xd8\x34\x93\x64\x0d\x5e\x4f\x5b\x49\x57\xd2\x75\x78\xf7\xb6\xd2\xe1\x51\xc5\x96\x3d\x2b\xfa\xff\x17\x3c\x76\xf9\x69\xc3\x31\xbf\x64\xe5\xf2\x25\x04\x0e\x5c\x4a\x93\x5e\x76\x39\x9d\x53\xfd\xf3\xbf\xc7\x0b\xbe\xd3\xab\xfe\xcd\x59\x71\xa4\xe0\x9b\xeb\x3c\x49\x51\xb8\xf4\x95\x3e\xe7\x98\x16\x06\xe3\xa7\xe6\xac\xf4\x73\x93\x5f\x14\x21\x98\x6d\x24\x86\x1b\xf3\x4c\xa6\x56\xe6\x5c\xaf\x9f\xf6\x12\xa5\x60\xb1\x5f\x18\x67\x47\xab\xe2\x0a\x1f\xef\xa7\xf2\x5c\x18\xc9\x21\xf0\x38\xd8\x68\xfe\xb7\x8d\x07\x2f\x37\xef\x38\x9d\x88\x39\x3c\xe7\xf0\x83\x06\x6f\x06\xab\x84\xbe\x40\x6f\x24\x19\x1a\xbd\xd6\xd4\x05\xa7\xab\xad\xd4\xfa\x12\x7a\xdd\x63\x78\x18\x20\x9e\xea\x21\xf0\xdb\xab\x7f\xbb\x89\xb3\x63\xec\x1a\x3b\x98\x4a\xd1\xbe\x1c\x47\x03\x3f\x0a\x5e\x39\x04\xb8\xcf\x27\xd4\xcf\x53\x5b\x69\x98\xcb\x49\x84\x9c\xb8\x6c\xc6\x04\x8e\xfe\x4e\x92\x92\xf2\x63\x7e\xd4\x31\x74\x61\xcc\xb1\xc3\x17\x55\xfb\x32\xd7\x7d\xf8\x4a\x66\x35\xd1\x5f\x0a\xe6\x6d\x9d\x07\x7f\x29\x69\x3b\x38\x26\x2b\x04\x53\xae\x6d\xf3\x60\x03\x57\x23\xf1\x52\xe9\x38\x88\xde\x88\x76\x2e\xaa\x00\x03\x15\xae\x05\x57\x75\x2d\xa8\xb3\x19\x68\xb2\xa7\x55\x9d\xb1\x39\x69\x64\x54\x0b\x56\x71\x29\x69\xdb\xad\xb9\x83\x15\x73\xe0\xff\x3f\x01\xc3\x68\x09\x33\x23\xda\xa9\x75\x68\x54\xa2\x34\xdc\x94\xbf\xfe\x50\xf0\x65\xf4\x6f\x57\xf8\x00\xf3\x65\xe5\x85\xf8\xef\x0e\xdc\xbc\x70\xed\xf5\xc2\xf5\xe3\x9e\xbe\x71\xbd\xd3\x0b\x22\x6d\x07\x82\xa8\xc3\x67\xb9\x3d\xb6\x7c\x9f\x60\x5f\xcd\xee\xd8\x8d\x91\xf6\xa6\x05\x64\x0f\x16\x90\x5f\xb6\x51\x9b\x7e\xfe\x46\xa0\xa4\x2b\x6c\x20\xaf\xf3\x46\x18\x41\x9e\xc3\xce\x3d\xe5\x5d\xde\xf9\xe6\x5e\xf7\xef\x34\x37\xf7\x20\x30\x57\x75\x92\x35\xe5\x1b\xfa\xeb\x0e\xb1\x17\x5a\x4b\x0f\x63\xa8\xcd\x1d\xfd\xac\xfa\x13\xc4\xd5\x6f\x1d\x0c\x5e\x64\xfe\x72\x05\x16\x3c\xde\x9e\x8e\xe0\xa7\x6e\x4a\xae\x3d\x4b\xae\xab\x5a\x70\xad\x05\x41\x38\x8c\x59\xa8\x87\x8a\xa6\xc1\x96\x36\x33\x6c\x6a\x9b\x78\x9e\xaa\x29\xbf\x29\x76\xf6\x20\x76\x3e\x61\x8b\x9d\x9f\xd9\xa3\xd8\xf9\xe7\x5f\x24\xa9\xa3\x2b\x7a\xca\x13\x3b\x8b\x9c\x7b\xfd\x7b\x1a\xdb\x70\x1f\xd0\x0a\x2b\xd9\x0e\x8d\x34\x61\xec\x33\x87\xd8\xd7\xec\x00\x41\x7e\x01\x39\x82\x75\x64\xeb\x05\xd5\x91\x79\x3b\x1a\xcc\x7f\xfb\xa1\xe0\xf3\xde\x8e\xaf\x95\x88\xd2\x01\x94\x02\xe8\x0c\x8b\x95\x05\x37\xea\x14\x2e\xf7\xb0\x76\xf3\x84\xa8\xfb\x81\x3a\x5d\xb4\xdb\x29\x46\xa5\xe6\x5b\x09\x0f\xb3\xac\x2f\xb3\x59\xc6\xef\xe4\xe7\x93\x2d\x0a\xce\xa1\x82\x8a\x14\x21\x1d\x8e\x8b\x6e\x54\xa2\x3b\xbe\x4f\x7d\xf4\x72\x0b\xea\x7b\x4d\xf2\x76\x12\x4b\x0a\x80\x70\x9a\x23\xaf\xb5\xa4\x6c\xd3\x95\xb2\x1b\xe6\xf7\x39\xd2\xf5\x07\x0f\xb0\xff\xb3\x8f\xfd\x43\x91\x65\xfd\x54\xb6\xe7\x13\x62\x3d\x68\x0d\x40\x31\xcd\xfc\xdf\xdc\xa7\xd3\x76\x3e\xba\xef\xca\xa8\xb7\xae\xf0\x89\xb9\xf9\x95\xc9\x22\x20\x20\xa3\xb4\x4a\xd9\xea\xc3\xc0\x41\xc5\x76\xbe\x19\x3e\x31\x5e\x40\x8b\x65\x8f\x9a\xae\xc5\x76\xa9\xff\xd0\x23\xf2\x24\xca\x6b\xb2\xdf\xc2\x0c\xc3\xdc\x84\x78\x20\x54\x1e\x9f\x9b\x5f\xa9\x72\xf2\x61\x45\x04\x50\x0e\xa2\xe4\x08\x18\x32\x74\x77\xa8\x59\x13\x2b\xf3\x17\x26\x81\x99\x2b\xdc\x0c\x81\x66\x13\xf0\x3f\x28\x8e\x55\xbf\xdc\x30\x21\x16\xed\x52\x33\xe1\x0e\xdf\x4b\x93\x5e\x92\xa2\x05\x1a\x0e\x8d\x30\xe5\x34\x80\x4e\x95\x70\x1d\xd0\xe1\x28\xbd\x34\x69\xf7\x5b\x34\x7e\x55\x6f\xa3\xf4\x9c\x98\x9b\x7f\x70\x92\x37\x1a\x8d\x51\xc3\x57\x1a\x27\x35\x0d\x7a\x9c\x20\x90\x45\x7d\x6a\xc0\x3d\xc0\x12\xe8\xf6\x60\x96\x31\x6e\xfd\x6f\x6e\xfe\xc1\x89\x68\x92\xbf\x98\xb7\x64\x18\x4d\xf0\x95\xf9\x0b\xfc\x4e\x35\xc6\xea\xe1\x14\x9f\xe0\x59\xbf\xfb\x70\x79\x08\xae\x3e\x0a\x6f\x5c\x9d\xe4\x93\x7c\x92\xb1\xb5\x70\x7d\x5d\xa6\xd4\x56\x98\x5f\x98\x23\x29\x62\xe4\x64\x50\x22\x1e\xf0\xde\x4c\x6f\xf3\xa2\x3b\x13\x64\x29\x94\xd7\x7a\x32\xc6\xfc\x0e\x30\x05\x52\x60\xf7\xd2\x85\x49\x27\x9c\x67\x43\x60\xaa\xb9\x15\x08\xa0\x3e\x39\x36\xed\x7a\x77\xdf\xed\xb1\x5b\x61\xc2\x97\x89\x68\xce\x7f\x8b\xc7\x66\x6f\x88\xdd\xe0\x82\xfd\x79\xf0\xc0\x15\xa7\xb8\x2b\x4e\xc4\xad\xd0\x14\xc1\x15\x7b\xb4\x25\x62\x1d\xee\x63\x20\x75\xd2\x70\x7d\x23\xe7\x71\xb2\xc5\xde\x7f\x1b\xbb\x63\x27\xef\x0c\xd8\xc6\xde\x78\x5b\x70\xb7\xf5\x77\x89\xae\x8c\x7e\x81\x7f\x83\xe1\x7c\x2b\xcc\x36\xd0\x8b\x01\x56\x29\x17\xd0\xef\x67\x6f\x65\xff\xad\xc6\x6e\xa3\x41\x3c\x23\x5a\x57\x65\xdc\xf6\x7f\xa9\xb6\x4d\xbe\x4a\x65\xc3\xe8\xcb\xe0\x3b\x6a\x0b\x4e\x51\xfa\xae\xbc\x46\x7f\xda\xc4\x05\x95\x62\xb5\x9d\xc4\x47\x4c\xb2\x48\x3c\x20\x6b\x23\x84\x25\x45\xb2\x30\xcc\x5b\xfe\x8d\x52\x85\x15\x39\x91\x8b\x9d\xf2\x4b\x21\x3a\x82\x4c\x82\x25\x34\x85\x88\xdb\xca\xed\x81\x37\x8b\x06\x91\x0d\x01\x30\xcf\x8b\x6c\xcc\x9e\x56\x19\xf5\xf0\x5b\x51\x62\xec\xfd\xfb\xd8\xf3\x42\xcb\x0f\x06\x56\x81\xef\xdf\x17\xbc\x79\xdf\x62\xe9\x69\x95\x33\xc8\x7e\x87\xeb\x28\x62\x1b\x87\x4b\xda\x51\x10\xce\xdb\x5a\x65\x46\x89\x5c\x8e\x15\x33\x89\x57\x8e\x63\x89\xb6\x58\x2a\x7b\x91\x68\x99\xfc\x5f\x03\x6b\x7e\xc5\x0d\x77\xa1\x6e\x35\x21\x8f\xf7\x0a\x07\x75\x0b\xb1\x8e\x21\x6d\x4b\x4d\xfb\x96\x48\xdb\x19\x64\x7a\x8a\x3c\xd4\x94\x85\x94\xe5\x0f\x6c\xe0\xfa\x13\x93\xf2\x1a\xe6\x66\x16\x51\xdc\xab\xda\x65\x5b\xc6\x14\x0f\x38\x94\xad\x69\xf5\x4c\x49\x43\xa9\xa4\x7b\xc1\x3a\x89\x79\xe3\x16\xff\xaf\x55\x25\xb8\x93\xda\x61\x07\x7c\x35\xb9\xd1\xde\x17\x4b\x39\x69\xfa\x9c\x9a\x5b\x5a\xd4\xab\x37\x5c\x8f\x95\x40\xa3\xf1\xa6\xbc\xfa\xa4\x9f\x23\x43\x42\x96\xd9\x0b\x70\x2e\x76\xe7\xc5\xca\x03\x07\xd9\xdd\x15\xe9\x55\x8c\x64\xa3\x8d\xa8\x0f\x51\x8a\x50\xd2\x19\xe6\x10\xfa\x56\x92\x78\x46\x87\xa0\xf1\x38\xa7\xe9\x6f\x2c\x13\x75\x1d\xbd\x51\xa5\x35\x4a\x6b\x24\x69\xf5\x4d\x4f\x9d\x68\xcd\xbf\xf4\xd8\x3e\x58\xe6\xfe\x9f\x78\xc1\x93\xde\x9c\x93\xf4\x49\x1b\x40\xb7\xcc\xe8\x04\x76\x05\x3a\x6b\xbd\xd8\xab\xe0\xa8\x42\xaf\x0b\xa5\xc0\x63\x38\x74\x9e\x8a\x4e\x27\x6c\xe1\x0a\x28\x6c\x9b\xba\xa7\x24\x3d\x9c\x2b\xcb\x49\x76\x9c\x1d\xbd\x31\x21\xa5\x44\xc8\x53\xde\x0b\x47\x66\x77\x1c\xf2\x0f\x88\x3c\xe9\x86\x2d\xc6\x7e\x78\x8c\x8d\xe5\x51\xe6\x7f\xff\x58\xf0\xfe\xda\xea\x85\x52\x5e\x41\x93\xcf\x9b\x18\x1f\x7b\xd3\x83\x53\x30\xeb\xf7\x30\x5f\xdb\x24\x47\xa9\xef\xd5\xa3\x3a\x3f\x7e\xfc\x58\xd3\x71\xdb\x76\xa5\x39\x28\x73\x83\x10\xa8\x71\x69\x8a\x75\x09\x39\xb3\x20\xaa\x0a\x78\x04\x5d\xc6\x35\x9d\x2a\x67\x12\x9d\xd2\xdc\x05\x4b\xcb\x6d\x78\xa5\xc2\xcb\xa4\xd9\x98\x21\x02\xfa\xd2\x22\x34\xd3\x18\xe7\xeb\x7a\xdb\x84\x43\x02\x8d\x77\xfa\x51\x27\x8c\x22\x7d\xa7\xd3\x6f\x98\x8e\xaf\x5c\x5a\xbc\x01\x5f\x45\xe5\x54\xad\x5e\x58\xd9\xe5\x4c\x3d\x79\x1b\x9b\xa8\xf4\x7c\x10\xca\xbe\xed\xfe\xf0\x7f\xfd\xd6\xe0\x51\xe7\xc9\x8d\x39\x96\x94\xee\x5d\x38\x96\xaa\xfd\x4a\x9a\x60\x59\xfd\xb5\xb8\xe0\x1c\xb6\xbf\x71\x0b\xfb\x11\x8f\x1d\x16\x11\x30\x7f\x88\xb5\x48\xfa\xdf\xed\xb1\x7b\x76\xe1\xc5\xc1\xbe\xa0\x75\x5d\x35\x7e\xb9\xe0\xac\xb4\x4a\x2b\xfb\x1e\x89\xe1\xa5\x70\x34\x42\x92\x0d\x04\xe3\x99\x2b\x8c\xe1\x7e\x41\x97\x87\x41\x3e\x68\xb2\xf7\x68\xee\xd8\x1f\xf4\x82\xb7\x78\x3a\x39\xbb\x7c\x3a\x59\xc3\x41\x9e\x5e\xfb\x4a\x4f\x10\x1b\x74\xa6\x5c\x7c\x60\x65\x15\x32\x48\xed\xfc\xe3\x82\x89\x97\xc2\xae\x55\x89\xf7\xcb\x7c\x29\xea\xaf\x87\xb1\x3a\x14\x27\x26\x79\x4b\xa0\xeb\x81\xce\x64\xa8\xcf\x91\x55\x3f\x35\xce\x68\xc4\xfd\x1f\x1f\x0f\xbe\x7f\x1c\xff\x5d\xc0\xd1\xb5\x65\x61\x3d\xa0\xe6\xa2\x05\x21\xe9\x40\x56\xa1\xa3\x58\x6a\x9c\x64\x2b\xbc\x17\x44\x1c\x5c\x98\x01\x5a\xc5\xe6\x2f\xa5\xb8\x45\x57\x5f\x00\x75\xdf\xea\x68\xd2\x95\x71\x2b\x42\x4c\x0b\x4c\x6a\x6f\xab\x73\xc6\x49\x6d\xb6\xaa\x43\xeb\x12\x89\x6c\x7d\xe9\x81\x5e\x88\x8c\x07\xea\x1f\x33\x01\x86\x3a\x40\x15\x4e\x43\xdc\x8f\xad\x26\x58\x5f\xcf\x05\x94\x78\x69\xd5\x89\x17\x55\x88\xc3\xeb\x76\x45\xdc\x2e\x58\xe5\x9d\xd2\x55\x83\xf2\x5c\x40\x2e\x2f\x2d\xb0\xe1\x74\x83\x3a\x01\x97\x56\xa0\x3a\x38\x2d\x83\x46\xc1\x2a\x28\x20\x06\x17\x17\x8a\x98\x81\x52\xdd\x20\xfa\x80\x68\x18\xc8\xe7\x88\xb7\x98\x7a\xa4\x01\x8c\xd4\x94\xd2\x10\x95\x73\x63\x29\x31\xc1\x85\x92\xfa\xf9\x7d\xcc\xce\xd5\xcb\xfc\xf7\xed\x0b\xde\xba\xcf\x7e\x52\x8e\xb8\xba\xaa\x9e\x91\xb4\x2b\xd6\x2d\xad\x4a\x1c\x57\x61\x64\x44\x56\x40\x70\x6a\x41\x41\x4a\x1c\x81\x52\x24\x9b\x90\x41\x69\x22\x60\x4c\x3e\x26\x54\xa3\x33\x2c\x8a\x5e\x67\x7c\x02\xbb\x0d\x2a\x55\x3c\x68\xb6\x92\xee\xd4\xe3\x49\x2c\x83\xba\xfb\x2c\x95\xeb\x61\x12\x07\x93\xbb\x69\x92\x99\x34\xd3\x1e\xb3\x70\xdc\xf6\x58\xb8\x6a\x5a\x59\x52\x6b\x28\x92\x14\xa6\x2f\xaf\xf5\x12\xc4\x3f\xc8\x86\x3e\x35\x59\xdf\x4a\xd7\x53\xb7\xff\x2d\x5a\xd4\xda\x40\x5b\x5e\x92\x10\xb1\x65\x0a\x11\x5b\x6a\x4f\x41\x03\xd5\x09\x05\xbc\xcb\xe5\x65\x06\x53\xa4\x2e\x60\x12\x71\xa6\x24\x29\x52\x54\x71\x68\x2e\x1f\x48\xf4\xbf\x69\x89\x05\xab\x25\xa0\x25\xf6\x94\x76\xa4\x34\x0f\xa3\x8d\xd0\x04\x2f\x22\x3d\x61\x92\x65\xa1\x96\x9b\xc5\x49\x0d\x1b\x5b\x67\x10\x15\x8f\x9d\x91\xa0\x65\x49\xca\x1d\x86\xc0\x84\x1d\x3d\x3d\x26\x4c\x8d\x56\x98\xf9\x76\xbb\xa8\x8a\x1f\xf6\xd8\x03\xcf\x9c\x0f\x7e\x05\x0a\x45\x4f\xfc\xa5\xe0\xc2\x76\xbf\xbb\xde\xf8\x2a\x97\xbb\xb6\x08\x43\xc3\x9b\xec\x3b\x6f\x61\xc7\x5d\x22\x3f\x8b\x20\x45\xc3\x20\xac\xa0\x61\x6d\x0e\xe2\xbc\x96\xa5\x92\xd0\xfe\xa7\x0f\x07\x7f\xe8\x8d\xfa\x95\xb7\x36\x64\xeb\x6a\x91\xf2\x0a\x22\xd6\xc4\x8e\x01\x6d\x7a\xd2\xef\xc1\x90\x6b\xec\x66\x11\xeb\xb0\x38\x08\xb6\x26\x19\x5b\x00\x75\x9c\x17\x9b\x98\x5f\x54\xf8\x8f\xb3\x56\xd2\xb3\xc2\xe3\x78\x57\x5c\x95\x19\x5e\x57\x5a\x1b\x5c\x8a\x2c\x44\xd1\xb6\x9e\x8a\x38\x1f\xfe\x8e\x22\x12\x71\x4b\xc7\xad\xa8\xaf\x96\x8a\xcd\x7f\x05\x9d\x50\x87\xef\x75\x0f\xe0\xc0\x1d\xed\xe1\xf3\x07\xd5\x2c\x6b\xf0\xfd\xef\xf5\xd8\xfc\x68\xa4\xf0\xf2\xa0\x56\x8c\x18\xe1\xf1\x3f\x50\x50\xdb\x29\x9d\x0e\xe3\x7c\x34\xf3\x04\x12\x6a\x42\x4e\xcb\x50\x52\x31\xde\x19\x31\x0d\xad\x88\xd2\xa2\x81\xbf\xe9\xcb\xb9\x09\xda\xff\xc5\x73\xaf\xbc\xd4\xf2\xae\xdc\xb7\x47\xd0\x7e\xf6\x3f\x35\x07\xce\xe7\x3d\x36\xb7\xb7\x1d\xd7\x93\xad\xe0\x87\xbc\x1d\xe3\xd9\xf4\xae\x42\x60\x3e\x93\x11\xdc\xe4\x88\xf1\x5e\x88\x15\xc3\xb0\xaf\xd3\x74\xdd\x68\x97\x41\xd2\xe7\x5d\xd1\x96\x4e\xa1\x14\xf8\x8b\xd1\xc3\x94\x06\x8a\x79\xa1\x74\xd9\x96\xed\xe6\x53\x5e\xba\xb3\x47\xe7\xb2\x7f\xb1\x20\x06\xd8\x8e\xe5\x6a\x94\xc8\x2e\xfb\x99\xdf\x71\x88\x1d\xdb\x66\x44\xf1\x0a\xa4\x2f\x3e\x26\x58\x31\xf3\xff\xe0\x60\x90\x0f\x3f\x2e\x04\x2c\xd8\xd8\xed\xc2\x9c\xe4\x34\xe7\xfa\xe3\x64\xb0\xd2\x2a\xc7\x80\x6c\xfa\x1e\x2e\x7d\xb9\x4c\x3b\xa2\xe5\xc6\x56\x7d\xe6\x00\x7b\x9d\xbe\x2f\x3d\x1e\x74\x47\xd9\xf2\x4c\x05\x38\xb7\x2e\x58\x9c\xe0\xc1\xba\xcc\x21\xb6\x17\x81\x45\xcd\x63\xfc\x33\x68\xf2\x20\xe0\x13\x30\x69\x93\x14\x2f\x5b\xc6\x02\xf8\xf3\x1a\x3b\x64\x56\x80\xff\xb9\x5a\xf0\x1b\xb5\x02\x97\xc4\x6a\x90\x13\x0f\x45\xc7\x60\xa9\x4d\x4d\x5e\x58\x39\xc0\xf4\x50\x20\x2f\x42\x70\xa3\xfe\x08\x61\x5e\xe2\xc4\x2a\x17\x8c\x6c\x51\x54\x3c\xc9\xec\x96\xdb\x6b\x0d\x7a\x38\x6a\x85\x94\xbf\x42\x4d\x49\x7d\xa1\x41\x31\x4b\x07\x72\x36\x3c\x40\x81\x88\xa2\x00\xaf\x5c\xa3\x8e\xf1\x4c\x07\x68\x57\xe9\x15\x00\x5b\x1b\x75\x2a\x7e\xb2\x87\xfd\x6b\xd9\x41\x5d\x9a\x7f\x21\xb8\x4f\x2f\x47\x0c\x14\x2f\x22\xec\x75\x54\xa8\x83\xb3\x9e\x35\x39\x0f\xee\x0c\x46\x4c\xe8\x2b\xd9\x61\x2b\x84\xd8\xbf\x1c\x9c\x59\xb1\x22\x8a\x77\x5d\xbe\x2e\x3e\x4e\x62\x17\xe6\xe7\x49\x8f\x8d\x6f\xca\x74\xcd\x7f\x4d\x10\x3f\x28\xd3\x35\x3c\x65\x2c\x4a\x6f\x53\xd6\xdc\xd2\xa2\xda\xb0\x6b\x75\x1e\x85\x57\xe5\x2c\x5f\x97\x79\x1d\xf4\xed\x3a\xdf\x42\x86\x4f\xcc\x38\xae\xd3\x61\x50\xa7\x55\x5c\x57\x2a\xfb\xb5\xc1\xb6\xbd\x5c\x61\x07\x48\x16\xf8\xe7\x83\xbb\xb5\x96\x40\xeb\x55\x55\xac\x1f\x51\x4f\x97\x8d\xb1\x7a\x9b\x42\x2f\xb2\x7d\x20\x9f\xfc\x85\xe0\x14\xa6\x53\x58\x05\xde\xaf\xa1\x71\x76\x5d\xdc\x5f\x7b\xec\xab\x77\xf4\xcf\xa0\x72\xf6\x9f\xbd\xe0\x2e\xe7\x89\xf1\xd1\xe0\x91\x5a\xa6\xf9\xb6\x6d\xa6\x8e\x58\xf9\x46\x8f\xbd\xde\x63\xb7\x44\x89\x68\x9f\x11\x91\x88\x5b\x32\xf5\xfb\xbb\x48\xde\xbd\x60\x7d\x40\x8a\xde\xbd\xf6\x33\x37\xa7\xa4\x8a\xca\x4c\x72\x55\x69\x63\x8d\x3e\x68\xb2\xdf\xfe\x52\x47\x3c\xa3\x2e\x6b\xa5\xea\xb4\x17\xc2\x2c\xed\x43\x26\xc0\x99\x7e\x7b\x5d\xb3\xa5\xf9\xef\xfc\xd2\xe0\x9b\xbd\x91\x3f\xdb\xd7\x87\x11\x46\x38\x8b\x64\xb9\xa2\x98\x26\xa7\x82\x94\x32\x93\xa7\x22\x8c\xb4\x48\xeb\x43\xc2\x87\x21\x52\x27\x1a\xb5\xeb\x9e\xdf\x36\x45\x64\x73\xa8\xb5\x5e\xf7\x6e\xa3\x31\x38\x2f\x45\x94\x6f\x0c\xae\x7b\xb7\x11\x81\x8e\x79\x70\x8b\x86\x0f\x5e\x4a\xda\x6e\xe8\xd2\x47\xbe\x84\xfd\xf9\x41\x87\x8a\xfd\x0f\x0e\x06\x7f\xbe\x7f\xbe\x00\xdd\xd0\x09\x47\x16\x0e\x07\xf0\x6d\x2d\x9c\x41\xff\x45\xd1\x22\xdb\xcc\x9a\x49\xb2\xe3\x15\x7d\xa6\xf6\x16\x05\xe1\xf7\x9d\x44\x3d\xc7\x4b\x96\xe4\x57\x63\x75\xb1\xa6\xc4\xe8\x02\xc8\x1e\x48\x94\xd1\x14\x32\x61\xd1\xe9\xe3\x0f\xc0\x19\x4e\x58\x40\x90\xb1\x4a\xe1\xe9\x9d\xbe\xd2\xbd\x26\x67\x79\x83\xaf\x0c\xe2\xd6\x39\x48\xbf\x9d\x2d\x3b\x5d\x64\x0c\xd1\xb2\x12\x31\x02\xb8\x4c\xd3\x04\xaf\x0d\x5b\x22\x8b\x8f\xe4\x06\xbf\xab\x95\x74\x7b\xfd\x5c\x3a\x4e\x67\x5e\x72\x6e\xeb\x8b\x84\x35\x4b\x94\x33\x0b\x89\xc2\x78\xfc\xe8\x5f\x54\x7f\x4b\xa5\xe9\xef\x35\xd4\x97\xbb\xa8\xcd\xc0\x19\x33\xfa\x39\xc0\xe0\x62\x0d\xbe\x18\x67\xfd\x4e\x27\x6c\x29\x75\x57\xcd\x31\xf6\xb2\x68\x18\xa0\x5f\x01\x1d\x0a\x65\xea\x00\x16\xef\x9a\x8c\x92\x2d\xab\x0b\xa5\xd6\xe0\xff\xb4\xdd\x49\x5f\xac\x2a\xd7\xf1\xa5\x9d\x7a\xb6\xc7\xfe\xad\x0c\xf7\x2e\x95\xd0\x21\x70\x17\x69\x5e\xf9\x78\x57\xad\xad\x68\xda\x6a\x65\xf5\xab\x69\xbf\x60\x12\x19\x9e\xe6\x8a\x72\x4a\x83\xa0\x2d\x52\x85\x9d\x6d\x68\xfb\x42\x10\x86\x4c\x4b\x19\x12\x5f\xc3\xee\x1d\x6d\x5b\xdf\x46\xf7\x37\xfb\xf6\x29\xef\xc8\xb6\x68\x62\x87\xfc\x03\x0d\x38\x61\x77\x07\x19\xb6\x8b\xcc\x0b\x2a\x6c\xd7\x99\x17\x67\x59\x49\x6e\xf9\xc7\x74\x1c\xcf\x57\x6a\xa1\x5e\x0c\xf9\x06\xbe\x03\x33\xed\x44\x48\x5c\x64\x25\x69\xe7\xdf\xad\x8b\xf9\xea\x6e\x18\x87\xdd\x7e\xd7\xf0\x89\xed\xa2\xb8\x6f\x39\xc0\x6e\xa5\x49\x42\x69\xe9\xff\xd5\xfe\xe0\x27\xf6\x2f\xd8\x8f\x8a\x03\x68\x58\xea\x23\x70\xe2\x46\x92\x49\x2e\x37\x31\x0f\x49\x09\x12\x83\xf6\x67\x56\x02\x78\x63\xd1\x46\x61\x5e\xb4\xf3\xad\x08\xa6\x1a\xec\xe4\x48\xa5\x91\xf3\x81\x54\x57\x26\x19\x17\xcc\x83\xa3\x57\xb9\x03\xf5\x32\xe7\xa0\x42\xe9\x64\xa8\xae\xe8\x15\xf7\x66\x17\xbf\xde\x6a\x5d\xd1\x72\x50\xd3\x74\x5b\x2d\x14\x9f\xe1\xcf\x09\xea\x29\x53\x6d\x5d\x1b\xa8\xb3\xc2\x96\xb8\x02\x80\x9a\x80\xe1\x47\xbd\x40\x0e\xe4\x8e\xbe\x3a\xa8\xd2\x27\x94\x0c\x06\x78\x7e\x8c\x06\x4a\xfa\xf9\x24\x1e\x17\x57\xa5\x21\xb9\x57\xed\xaf\xb8\xa7\x00\x66\x3f\xed\x59\xc3\x25\xb0\x87\x2e\x1a\xa4\x1c\xd3\xba\x76\xd8\x56\x27\x43\xd2\x6a\xf5\xf1\xa8\x10\xa6\xc7\xb9\x1a\x63\xba\x6f\x14\x70\xc2\x84\x9f\x50\x8c\x36\x66\x4e\x39\xc0\x75\x6a\x9c\xb6\x9d\x46\x1a\x10\x20\x5e\xc5\x18\xb2\xc5\x8e\x9d\x6e\xb8\x9e\xc8\x8c\x67\xdd\x24\x01\xd0\x7a\x9a\xdf\x22\xf8\xae\xb8\x80\xc0\xd8\x25\xe8\x0e\xd0\xe3\xd2\xe4\x17\x44\xba\x6e\x0b\x39\x19\xe7\x69\x58\x24\xf8\xa9\xc2\xd0\xe6\x42\x08\xfd\xbd\x34\x59\x8b\x64\x97\x60\x42\x81\x0a\x86\xc6\x27\x6b\xbe\xc7\xbb\x9b\x9d\x66\xa7\x9e\x86\x00\x5b\x0d\x9d\xc4\x1f\x76\x85\x55\xa8\x3c\xfe\x4b\xf4\x16\x3f\x71\xc9\x3e\xe2\x1c\xf1\x6b\xbc\x84\x05\xa4\x45\x91\x8d\x69\xed\xf8\x87\x99\xa3\x1d\xf9\x2f\xd5\x65\x9f\xcc\x93\x5c\x44\xe5\x43\xb4\x55\x00\xae\x20\x67\x6e\xa1\xfe\xac\xc1\x8c\x39\x85\x7f\xd6\x63\xbe\xde\xac\xf7\x23\xd6\x9f\xba\x27\x7c\xc2\x20\x93\x7c\xc0\xb3\x38\x45\x35\x1c\x20\x5c\x16\xf4\x16\x87\x05\x6b\x31\xe6\x85\x19\xec\x27\x3c\x3a\x9b\x96\x7e\x65\x4e\x14\xb5\x22\x31\xea\x8c\xce\x57\x5b\x4c\x21\xc3\x44\xd8\x46\x7f\x7f\xd8\xe1\xc3\xcd\x43\x9b\x0c\xa2\xb7\x2e\x9c\x39\x62\xcc\x70\x45\xeb\xdc\x11\xfc\xf4\xed\x4e\xf0\x57\x85\x17\x9b\x3c\xd8\xef\xbf\x3d\xf8\xe0\xb8\xf9\x93\xb7\x44\x2f\x87\x48\xcc\x61\x31\x2a\x0a\x68\x12\x93\xd6\xb4\xa8\x8d\x17\x7c\x62\x7e\x65\x71\x52\x3b\xf0\xb4\xe7\x01\x28\x1d\x8b\x70\x02\xba\x65\x37\x9d\x64\x4a\x72\x70\xc6\x92\x02\x3f\x10\x65\x8a\x1c\xb7\xd4\x2a\xea\x6c\x3b\x4c\x65\x2b\x8f\x06\x4d\xa5\x5b\x81\x6b\x0e\x02\x18\xd4\x16\xd0\x64\x83\xfa\x22\x8f\xa5\x37\x88\x6e\x49\xa4\x3c\x0b\xdb\xb2\x25\x2c\x34\x57\xf2\x0e\x99\x36\x12\x01\x88\xed\x8e\x2f\x8b\x03\x6c\x5b\x86\x6f\xb9\x4d\x1b\xb2\x9c\x6a\xe7\x8e\xe5\x7d\x22\x37\x67\x5b\xe6\xc2\x8d\x9e\x22\x5e\x84\xc2\xb8\x5a\x72\x38\x11\xea\x26\x7e\x6e\xbb\x1d\x8d\xab\x6c\x77\x25\x80\x40\xb4\xe6\xd5\x30\xd4\x14\x88\xda\x49\x8c\xd9\x80\xcd\xa1\x2e\xea\x58\xb9\xb8\x51\x24\xb1\x57\xfa\x15\xfe\xe6\xd0\x4d\x6b\xfd\x4d\x6b\xfd\x17\xcf\x5a\xff\x3d\xe3\x96\xb9\xfe\x4d\xe3\x7b\x25\xd9\xfd\xc5\xb1\x91\x2c\xbb\xc5\xbf\x88\x57\xca\xa6\xe6\xb9\xe1\xa0\x96\xbb\x95\xc0\x79\x86\x43\x5a\xd0\x1a\x80\x35\x3b\x8c\x3b\x27\x8f\xf1\xd6\x86\x48\x45\x0b\xc1\x72\x53\x1e\xc9\x2c\xab\xf3\x35\xb9\x1e\x12\x0c\x62\xdc\x56\x2b\x21\xd4\xce\x79\x11\x23\x5e\x1d\x80\x7a\x84\xad\xe2\x6b\x3e\xf1\xb0\x68\x3c\x3e\xdd\x38\x3d\xd7\x78\xe8\xd1\x49\x7c\xb9\x2d\x20\x44\x78\xa2\x31\x59\xe7\xed\x24\xcf\xf8\x44\x73\xb2\x4e\x56\xdc\xa2\x8c\x4c\x1b\x7b\x9f\xb3\xd4\x12\xb6\x46\xbe\x97\x87\xd8\xc9\x5d\x47\x49\x19\x41\x08\xfe\x16\x5e\xc9\x8e\x5c\xe4\xea\x37\x9f\xf2\xd6\x76\x76\x76\xdc\xe7\xbf\xd8\x38\x3b\x74\x7d\x25\x37\x87\xa9\xd6\xf5\x6b\x60\xa2\x0b\x7b\xfd\x2d\xec\xf4\x8e\xce\x0d\x32\x32\x43\xa4\xb3\xed\xa4\xf5\x3f\x7e\x38\xf8\xc3\xda\xa8\x5f\x87\xf0\x61\x80\x33\xa9\xc3\x05\x85\x68\x82\x53\x59\x87\x1c\xa8\x7f\xeb\xc0\x83\x30\x6e\x25\xdd\x1e\x30\x98\xb5\x65\x8f\x16\x8f\x8e\x24\xc4\x58\x14\x61\xfc\x1e\x99\xed\x11\x76\x51\x21\x69\xbd\xb5\x21\x3c\x1a\x6c\x3f\x19\x84\xf0\xa7\x21\xc2\x9f\x10\x2b\x29\x39\xb2\xc0\x68\x75\x46\xb6\x84\x52\x01\x5c\xbf\x4c\x6a\x42\xbc\xd1\x3e\xb5\x29\x21\x0a\x51\x18\x98\x0e\x29\x34\x74\x3c\x28\xff\x61\x7e\x24\xe3\x99\xe8\x60\x04\x52\x96\x41\x2c\xd2\x46\x91\x96\xb3\x21\x48\x85\x2d\x7c\xec\x75\x48\x35\xc2\xd8\x46\x91\x53\x31\x99\x35\x14\xcd\xeb\x9e\x41\x3d\x81\xa1\xbe\xee\x3d\xcf\x02\xb1\xa1\x47\xac\xf8\xc0\x39\x4b\xbf\xef\x20\x7b\x53\x8d\xdd\x5e\x74\xf5\xac\x1a\x0e\xff\xff\x7a\xc1\x1f\x79\x67\xdd\x87\x30\x0b\xd8\x27\x0e\xa6\xc1\xee\x9a\xa6\x45\x83\x01\x85\x9a\x30\xd8\xc4\xc8\x29\x63\x5b\x83\x6b\x53\x5a\x8c\x2d\x0c\x50\x51\x6b\xdd\x30\x50\xab\x3a\x0a\xdf\x15\x45\xa8\x49\x30\xca\xe9\xf0\x92\xa1\x6f\x85\x8e\xd3\x77\x3a\xad\x1e\x4f\x25\x29\xbf\x54\x1a\x0c\x1d\xc3\x6c\x0d\xa1\x2d\xdd\x3f\xed\x31\x6b\xb0\xfc\x4f\x7a\xc1\xcf\x7a\x8b\xc5\xc2\x53\xd7\xca\xb4\x6f\x5d\x29\x71\x0d\xb8\x02\x14\x62\x65\xa2\x08\x56\x86\x55\x8d\x21\x8c\x81\x8b\x18\x42\x4c\x46\x03\xc7\x18\x89\x10\xc9\xf6\x18\x38\x43\x23\xaf\x91\x7a\x61\xff\x5e\x35\x3e\x99\xbd\x7a\x1d\x5c\x83\xb7\xd7\xd8\xd0\xfa\xf0\xdf\x50\x0b\xde\xef\x0d\x0d\x54\x29\x8a\x4c\x93\x85\xdb\x2b\xd6\x0a\xa4\xb0\x58\xc6\x95\xea\x67\xc1\xfb\x10\x22\x2c\x96\x93\xb6\x65\x8a\x40\x39\xd0\xe6\x70\x3d\x06\x61\x17\xe7\x75\x98\x18\x6d\x79\x6e\xf7\x01\xa9\x28\x87\x80\xeb\xb8\xad\xa3\x97\x86\x67\xae\xb0\x9f\x9d\x61\x5f\xc3\xee\xdd\xb5\xc3\x1b\x25\x58\xa9\xcf\xec\x5b\x6b\xcc\xdd\x4d\xfe\x5f\x7b\xc1\x8f\x7b\xcf\xdc\xb8\x3c\xc7\x63\xb2\x2d\x32\xeb\x0e\x2e\x6b\x18\x90\x6f\xbb\xc5\x89\x56\x76\x9d\x48\xe7\x57\x57\x97\xc8\x0d\xb4\x24\xf2\x0d\xff\xb3\x87\x83\xa4\xf4\xac\x48\xf5\x00\x88\x33\xf5\x84\x2e\x42\x3a\x46\x9e\xc3\xee\x52\xdd\x07\x08\x2d\x87\x0b\x14\xde\x27\x36\xc5\x2d\x91\xb6\x0b\x10\x7d\xfd\xf5\x75\xef\x00\xfd\xd3\x8d\x5c\x66\xec\xfb\x3d\xa6\x7f\xf2\xdf\xe2\x3d\xdd\xfc\xa0\x87\x74\x06\x8e\x7d\xa7\xb0\xa0\xb2\x34\x51\x41\xa1\xd4\x26\x14\xc1\x07\x56\x16\x4a\x13\xd0\x36\x21\xbb\x1b\x4d\xf6\x7d\x35\x36\xae\x7a\xe8\xbf\xad\x16\x7c\x43\x0d\x46\x2b\xa4\x01\xb0\x10\xcf\xcc\x38\x68\x62\x6d\x1a\x2d\x63\xa9\x2a\x42\xfb\x29\xb8\xd0\x78\x6f\x0a\x05\xac\x1d\x66\x7a\x3d\x1a\x3d\xbc\xd0\x61\x44\xc4\x03\x55\x45\x00\x68\x66\x78\x16\x3f\xb0\x7c\x81\xf2\x3b\x34\x73\xe2\xf2\xb9\x79\x7e\xec\xf4\x5d\x27\x9b\x7c\x09\xa0\xba\x48\xd5\x5b\x0f\x63\x3d\xa5\x47\xa6\x8e\xd0\xad\xd7\x49\xa2\x50\xa2\x10\xd1\xbd\xa0\xee\x72\x0f\xf0\x04\xa5\x6e\x3b\xb2\xf8\x3b\x0e\xb0\x83\xea\xc3\xd5\x41\x4f\xfa\xaf\x3f\x10\xfc\xc5\xfe\x25\xfa\xab\xb8\x7c\x66\x14\xd2\x9f\xcb\xb4\x97\xca\xdc\xd1\x9a\x60\x48\xf5\x82\xc2\x66\xc3\xc7\xa4\x4f\x58\x9e\xe8\xc2\x21\x85\xb7\xb2\x59\x7e\x27\x3f\x7b\x4d\xb4\xf2\x59\x7e\xd1\xa2\x3e\xd4\x38\x65\x5c\xaa\xdf\xa2\x41\x93\xdf\xc9\x97\x52\xd9\x09\xaf\x15\xef\x19\x0a\x07\x51\xbc\xde\x83\x77\x78\xd6\x8b\xc2\x5c\x0d\x25\x0c\xd4\x45\xbd\xd2\xc3\x8c\x71\xcc\x93\x85\xaf\xb0\x02\xca\x74\x5a\x1b\x14\xff\x14\x59\x88\xa0\xfa\xf6\x0b\xa4\xde\xa3\x4c\x62\xdc\x48\x25\x1d\x40\x6a\x81\xc7\x99\xea\xd5\x93\x23\x53\x47\x78\x26\x7b\x22\x15\x79\x02\xd6\x62\x3b\x36\x8e\x71\x4a\x20\x03\x50\x7f\xe8\x81\x52\x41\x30\xb9\xb1\x47\x28\x6a\xd4\x82\x06\xa0\x5e\x53\x0f\x93\x0e\xd7\x4e\x6a\xc6\x4d\x91\xaa\x84\x26\xbf\x94\xe4\x14\xc7\x4f\x99\x1a\x91\xc8\x72\xd3\x0f\x6d\xc8\xa5\x5d\x20\x94\x28\xa5\x65\xc0\x8d\x87\xd7\xfe\x20\x8c\x9d\xf2\xeb\x06\x2d\x3e\xe7\x82\x5a\x8f\x71\xc7\x53\x9d\x24\x99\x5a\x13\xa9\xee\x94\xcc\xcc\xa3\xa9\x35\xf1\x78\x09\x6b\x11\xbf\xd4\x2f\xac\x89\xc7\x27\x9b\xec\xce\x52\x7e\x95\x56\xd1\x67\xd1\x3e\xb5\xfd\xba\x53\x8d\x82\x74\x3b\xc6\x79\x39\x99\x69\x38\x71\x4b\x2d\x4d\x00\x0a\x47\x35\x42\x60\x9c\x35\x4c\x93\x34\x0b\x58\x8d\x48\x4a\xaf\xa9\x5e\xb7\xd5\x36\x46\x13\x12\xb2\x2f\xc1\x54\xa4\xb8\x82\x71\x48\x31\xb0\x82\x95\xab\xd3\xd9\xdd\xe0\x2a\xc9\x13\xa3\x43\xe8\x2d\x4b\xdf\xd9\x9b\xf2\x77\xf6\x31\x5e\x85\xb5\x80\x30\x0b\x2b\x4a\x8b\xce\xfc\x0f\xee\x0b\x3e\x5f\xb3\x1e\x54\x42\x58\x26\x31\x40\x56\x11\x1a\x36\x94\x53\xe7\x61\x53\x36\x79\xbe\x61\xc0\xfa\xb7\x44\x36\x05\xcc\xe2\xbd\x9e\x8c\x89\xe1\x32\x0f\xe3\x7e\xd2\xcf\x22\x34\x6d\x5b\xc6\xf1\xf3\xc9\x16\x4f\x3a\xb9\x84\xdc\x66\x34\x1a\xc0\x98\xdb\x2d\xd1\xd3\x41\x76\x7f\xdc\x43\x10\x19\x9f\xd2\xa1\xac\xb3\xb8\xdc\x1f\xd5\x82\x0b\xf4\x85\x11\xac\x16\x8d\xf5\x64\x2a\x4f\x92\x28\x9b\xc2\xc6\xe3\x7f\x1e\x5b\x4b\x13\xd1\x6e\x09\xb0\x44\xae\x27\x01\xcf\x36\x92\x2d\x4a\xcd\xdf\x00\x77\x01\x70\xc0\x43\x33\xc0\xaa\xa1\xc6\x61\x43\x8a\x34\x5f\x93\x82\xb8\x09\xd5\x2a\x58\xef\x87\x6d\xc9\x5b\xfd\x2c\x4f\xba\x60\x2f\x2a\x1a\xe2\x4e\x62\xf3\xba\xb7\x0f\x34\xc8\xeb\xde\xf3\xd4\x0e\xb9\x4c\xc6\xdd\x92\x59\xfd\x17\xbd\x77\xd5\x58\xcc\xf0\x55\x5f\x6a\x8b\xf7\x92\x61\xc1\x76\xfd\x9d\xa4\xb1\xc7\x06\xef\x0f\x7c\x3b\x30\x82\xc5\xf0\xc1\x86\x34\x6d\xc7\x49\x70\xcc\xc4\xef\xf3\xd8\x50\x9b\xfc\xef\xdd\x26\x87\x68\x1b\x9b\xc9\xc5\xb0\x95\x26\xaa\x80\xe0\x91\x72\x91\xc3\xde\x1e\x68\x19\xc2\xb8\x98\x03\x8f\x9a\xbf\x25\xb4\x97\x0a\x3d\xf4\x6e\x27\x9a\xec\x8d\x2e\x7e\x8c\x0b\x4d\x87\x57\x66\xc0\x8f\xf9\xbd\x83\xc1\x31\xe7\x49\x15\x2a\xf4\x90\x95\xb3\x1a\x4d\xe6\x27\x0f\xdc\x34\xc9\xed\xc1\x24\xf7\x8b\x36\x3e\xc9\xbf\xdf\x23\x3e\xc9\x3f\xab\xc6\x27\x79\xce\x6c\x48\x37\x8d\xdb\x7b\x34\x6e\xaf\x6b\x58\xa1\x57\x06\x5f\x19\x56\x21\x50\x9b\x4d\xb9\x7b\x48\xa1\x2a\x29\xb0\x7b\x20\x99\x5d\x5a\xe2\xaa\xd0\xac\xfe\xa7\xc7\x56\x9e\x6e\xa2\x0c\xc1\x1f\x91\xd1\x60\xc1\x4e\x9c\xf6\xbf\xc7\x0b\x5e\x51\xf9\x0b\x5e\x5c\x0b\x3c\x60\x34\xd6\x16\xa6\x07\x23\x6c\x00\xa8\x43\x55\xa7\xee\x33\x15\x59\xd9\x5a\xb6\x4d\xb3\x2f\x63\x87\x2d\x3a\x0c\xdf\x49\x04\xf2\xd9\x58\x3f\x8d\xdc\x67\x7f\x77\x90\x9d\x70\xaf\xa9\x49\xd6\x12\x91\xbe\x75\xaa\x2b\xab\x52\x27\xa2\xa5\xa4\x3d\x47\xbf\xa1\xf5\xd4\xff\xd8\xc1\xa0\x31\x0c\xaf\xca\x37\xcc\x27\x18\x29\x60\x3e\x6a\x5e\xf7\x6e\x83\x7f\xad\x8a\x74\x5d\xe6\xcb\xb2\x73\xdd\x3b\xdc\x15\xd7\x96\x25\x5c\xb5\x5d\x21\xfd\xf9\x03\xec\xbf\x7a\xec\x2b\x73\x78\x75\x7e\xe9\x81\x07\xf2\x50\xa3\x6d\x2e\xc9\xb4\xa5\x7a\xbf\x2e\xfd\xf7\x7b\xfa\x68\xfd\x3e\x0f\x5f\xe5\x62\x53\x82\x37\x73\x7e\xe9\x01\xde\x2f\x3e\xe2\x13\x66\x9b\x62\x32\xbd\xe0\x3d\x53\x8e\x85\xec\x20\xdb\xea\xcb\x49\x84\x12\x10\x18\x6b\x00\x8e\xe9\xbb\x95\x26\xed\xa0\x4b\x50\xcc\x02\xea\x2f\xd6\xb8\xe9\x54\x1e\x9b\x8d\xdb\x3d\xa9\xbf\xc5\x63\x76\xc7\xfd\x7f\xa6\x7b\x11\xf6\x7b\x3d\x99\x12\x04\x8d\x0e\x25\x28\x39\xc8\x6d\x76\x92\x4c\x9a\x3b\x46\x31\xce\x77\x1b\x8e\x49\xc9\xb3\xae\x00\xaf\x24\xc4\x6e\x5d\x0c\x63\x5d\xa5\xdb\x9e\xff\x55\x63\x87\xbb\xc5\x8f\xfe\x67\x0d\x51\xf7\x2f\xd5\xac\xe7\x66\x6b\x03\x65\xe9\xa8\x46\xa6\xfa\x6d\xe7\x76\x5e\x34\x0f\xda\x0e\xff\xe4\xed\x64\x2b\x6e\x72\xbe\x98\xeb\x61\x84\x8f\x66\x88\x23\xbf\x54\xb3\x65\xe3\x59\x93\x7c\x5a\x5f\x6c\xc0\x09\x61\x28\xe1\xd7\x95\x16\x7a\x7e\x69\x6e\x05\xd6\x59\xf2\x90\x4c\x13\x8b\x5e\x09\x0d\xd1\x36\xa9\x06\xfa\x86\x50\x7f\xa7\x3d\xd7\x95\x79\x8a\x68\x03\x85\x19\xbb\xc9\xf9\x0a\x4d\xae\x6a\x09\xf2\x97\x88\x8c\x43\xbe\xa3\x5a\x4c\x76\x99\x54\x80\x09\x8d\x31\x69\x04\xee\xa0\xbf\xa1\xc6\x4a\xdb\xc1\xff\xb3\x1d\xf2\xb6\xec\x9d\x39\x9f\x26\x59\x46\xe7\x54\x89\x18\x38\x78\xaf\x67\xac\x26\xc8\x02\x26\x22\x2b\xa4\xfd\xee\xd1\x5b\x14\xd7\x6c\x24\x45\x1a\x3b\xc1\xbf\x46\x0e\xb5\x92\x38\xeb\x23\xcd\x2d\xc6\x70\x02\x07\xa8\xcc\x69\x2f\x94\xc3\xc0\x60\xc1\xae\x0d\x28\x81\x57\x69\x38\x30\x31\x76\x20\x56\x93\xfd\x34\x63\xf7\x8c\xea\xe7\x51\x25\x56\x8f\x8e\x14\x43\xe8\x01\xf9\xcb\x43\xc1\x43\xdb\xbe\x51\x42\xc1\x19\x0e\x69\xde\x5e\x6a\xdd\x4e\x1f\xe8\xd5\x78\xdd\xbb\x9d\xba\x5a\x3c\xb1\x22\x7c\x1d\x39\xf6\xe9\x83\xec\x5d\x1e\x2b\xbf\xef\x7f\xbb\x11\x5c\xaf\x29\xfd\xa4\x37\xd9\xf0\x60\x9a\x8d\xa5\x07\xb6\x2b\x62\xb1\x6e\xd9\xc1\x8b\x46\xd7\x31\x9f\x36\x53\x82\x22\x6a\x11\x97\xd9\x90\xa0\x70\xd7\xe3\x1f\x7b\xec\x56\xf5\x09\x6e\x1d\x75\x77\xf8\x94\xf7\xb4\x43\x8c\x82\x1f\xf0\x9c\xb2\x8c\xe8\x50\x6d\x82\x9b\x83\xfa\x6b\xc4\xa4\xe9\x05\x3b\x2c\xfc\xea\x16\xcd\xb8\x23\x53\x10\x65\x24\x4f\x93\x08\x2e\x7f\x74\x2f\x1d\x16\x9e\xe0\xe6\x12\xf1\xba\x6c\x37\xd9\xb5\xca\xd0\xa1\x35\x1d\x39\x74\xb1\x22\x70\x87\x7a\xd1\xdd\x21\xa4\x68\x78\x42\xdc\xa1\xfe\x6b\xcf\x89\x08\xff\x82\x17\xbc\xc9\xb3\xc2\xbf\x35\x84\xb0\xd4\x24\x43\xfa\x07\x63\x3d\x30\xb8\x2e\xee\x10\xa0\x54\x55\xdb\x0c\x0f\xc3\xfa\x88\xf4\x4c\x4a\x80\xcd\x21\x8c\xd2\x2a\x1f\x6c\x83\x32\x77\xac\xda\x2f\x63\x97\xd9\xc5\xdd\x09\xa5\xed\x37\xab\x09\x9d\x65\x3f\xe6\x99\xd0\xd4\x8b\x20\x2b\x33\xa5\x21\x5d\x74\x1f\x39\x2b\x06\x28\x89\x9d\x8c\x88\x2e\xbd\xe5\xd0\xce\x3b\xe3\xbd\x5b\xde\xe0\xaa\x2e\x60\x1b\x50\x78\xb0\xeb\x1e\x2b\x4b\x00\xff\x0d\x66\xff\xbe\xba\xf4\x13\x2c\xb1\xa1\xf0\xda\xa7\xb5\x77\x75\x78\xe7\x76\xbb\xf6\x7f\xef\x77\x10\xf3\x75\x8e\xc7\xb9\x79\x07\x5e\xfc\x97\xf7\x07\xef\xf5\x96\xed\x64\xec\x73\xe1\x5a\x2a\xf9\xfc\x86\x88\x63\x19\x51\xa8\x57\xb3\xf2\x29\xda\xc9\xc0\x7b\x66\xf1\xa1\x09\x24\x1a\x45\x34\x70\x9e\xc4\xad\x91\x5f\x6b\x33\x57\xb2\x15\xcb\x34\xdb\x08\x7b\xd4\x77\x30\x2c\x02\x4f\xf6\xd9\x0b\x61\xdc\xbf\x06\x1c\x60\x6b\x12\xe6\xc1\x11\xa1\xdf\xb1\x8f\xfd\x9c\xc7\xf6\x77\x32\x30\x4d\x7f\xc0\x0b\x7e\xd8\x3b\x17\x46\x52\x43\x4e\x0c\x7a\x70\xc8\x51\xa4\xd3\x45\x83\xf8\xd7\x29\xbd\x33\x84\xc9\x00\x48\x45\x49\x0f\x76\x6f\xbc\xae\x73\x40\xf8\xd9\x6b\x4d\x1e\xc8\x6b\xf9\xf1\xa0\xce\x83\x6b\x9d\x4c\xfd\x27\xce\x3b\x59\x80\x06\xc4\xb0\x15\x82\xf9\x5f\xdd\xec\x53\xa3\x8e\xe0\x07\xc4\xbb\x6e\xb0\x9d\x6c\x3d\x7b\x96\x8d\x45\xfd\xd8\x8a\xc1\x2e\xb8\xed\xce\xcd\xd3\x7e\xe5\x51\x3f\xa6\x45\xe3\x4c\xf2\xeb\x3c\x0b\x9a\x7d\x33\xd8\xa8\xa6\xc5\x7b\x96\x41\xda\x57\x19\xc3\x56\xbe\xfc\xe5\x97\x32\xff\x5c\x70\x67\x55\x07\xb6\x92\x34\x6a\x6f\x85\x04\xdc\x91\xf1\x09\xf5\xf2\xe4\x36\xd8\x04\x1f\xf0\xd8\xbe\xad\xad\xb0\x9d\xf9\xef\xf5\x82\x6f\xf5\x9c\x32\x29\x00\x11\xca\xe4\x50\x28\x5a\x5f\x3b\xa1\xba\x51\x4f\xc0\x67\x93\xfc\x2c\x66\x5c\xc0\x5f\x4a\xb2\xd9\xce\x72\x25\x2c\x4c\x9b\x61\xb1\xa9\x11\x36\x28\x70\x4a\x42\xda\x8c\x27\x3c\x0b\xbb\xfd\x28\x17\xb1\x04\x8b\xe7\x76\x98\x0a\xdf\x7d\x0b\xbb\x73\x14\x35\xd1\x30\x97\x8b\xff\xff\x1e\x0e\xbe\xab\x36\xfc\xbc\xf0\x6e\x65\x2e\x07\x4c\xd1\x2e\x63\xcc\xcd\x51\x53\x6e\x41\x12\x86\xd6\xee\x9c\x8f\xb4\x03\x62\x3d\x4a\xd6\x84\x95\x60\x49\xd1\x3a\x6d\x8c\x9c\x77\xcc\xc2\x9b\xa1\xc9\x6c\x6c\xf2\x85\x02\xc9\x2d\x8c\x81\xb4\xf2\x94\xfa\x47\x47\x6c\x26\x28\xc4\x54\x27\xab\xd2\x79\xa7\x36\x67\x2a\x08\x6c\xea\x85\x86\x18\x27\xa0\x2a\x23\xf9\x02\x1d\x92\x58\xc5\xd1\xa3\xcd\xeb\xde\x81\x34\x89\xe4\xb2\xec\x38\xdb\xfe\xdf\x1f\xbc\x69\x9d\xb9\x19\x7a\xf8\xc5\xb3\x73\x6e\x58\x66\xce\x47\xf6\x1a\x78\xf8\xe5\xa5\xb8\xc3\x23\x99\x45\x83\xf7\x71\x8f\xe9\x1d\xe0\x7f\x68\x3b\xee\x7c\x47\xca\x2c\xe3\x17\xc1\x37\x79\xf4\xaf\xe2\x9c\xbe\x41\xf9\x50\x50\x15\x17\x05\xd1\x8c\xa8\x55\x10\x6d\x6a\xea\x73\x2b\xd3\x1d\x64\x28\x46\xe2\x98\xc8\xa3\x26\xfb\x26\x8f\x1d\xa4\xb0\x8c\xcc\x7f\x22\x78\x31\x89\x96\x8c\x20\x0d\x2c\x69\x47\xfb\x49\x87\x23\x83\xa7\x3f\x71\xf9\x96\x76\x6f\x30\x74\xc6\x85\xea\x7c\xca\xdb\xdc\xd9\x60\xb8\xe2\xbf\xcc\x18\x0c\x47\x4a\xb7\xc2\x76\x38\x24\xe2\x2a\xc3\xf9\x9e\xbc\xc5\xf1\x69\x88\x5e\x0f\x5c\x76\x0b\x10\x9c\xae\xb4\x1e\xba\xb6\xfe\xf6\xe1\xe0\x7c\xf9\x61\xc5\x0d\x23\x1a\x14\x17\x0b\x37\x9f\xaf\xf8\xd8\x55\x98\x5e\x77\x98\x3d\xca\x6e\x05\xe2\x66\xa3\xb0\x5e\xd0\x7a\xc7\xa9\xd5\x52\xd6\x05\x12\x3c\xa3\x69\x09\xce\x4a\x3b\xf9\xc2\xae\xc1\x52\x48\x9e\x04\x85\x84\x8a\xde\xd2\x45\xaf\x95\x8b\x8e\x93\xb8\x81\xa1\x03\x70\xa8\xec\x54\x07\x9f\x40\x88\x64\x72\xa7\xa3\x77\x18\x6f\x42\x91\x6c\xe5\x49\x3a\xe9\xb6\xe2\x23\x35\xf6\x82\x7e\x6c\xcc\x2b\xa6\xaf\x3f\x6a\xcc\x57\x6f\xa9\x95\x9b\x64\xbd\xbf\x73\x9f\xb9\x0d\x6c\x57\x99\xad\x52\xa0\x7d\xe7\xc8\x43\xed\x5c\xd0\xa4\xdd\x39\xc0\x0a\xdf\x94\x7c\x66\x7a\xfa\x45\x16\xb4\x44\x4b\xf4\x44\x2b\xcc\x07\xe0\x0e\xc5\xfc\x87\x82\xa7\xc8\xad\x43\xb3\x9a\x6b\xd5\x60\x00\xe6\x4e\x5d\x50\x92\x5a\xaf\x63\x73\xa0\x3e\xdc\xc9\x32\xa6\x8c\x87\x92\x29\xf2\x4d\x1e\xbb\x9d\xc4\xae\x19\xbf\x81\x1e\xbe\xf6\x5e\x27\x14\xda\x62\x58\xc5\xb5\x49\x23\x97\xdd\x9e\x3a\x48\x11\xb2\xc4\x69\xce\x37\x7b\xec\xf9\xc3\x13\xda\xd7\x0d\xba\x52\x6e\x50\x69\x32\x27\x70\x31\x03\x32\x86\x36\xc9\x81\x19\x51\xb4\x07\xc4\x5a\x3c\xb9\xfb\x55\xfe\x3b\xea\x9e\x9a\x44\x11\x20\x8a\xcd\x83\x2b\xf7\x13\xe6\xde\xf7\x01\x6f\x1e\x49\x98\x3a\x7c\x43\x64\x1b\xdc\xbc\x58\xa4\x55\x2f\x38\x2b\xc9\xfe\xbb\x3a\x61\x84\x40\x68\xb5\x63\x13\x4a\xe3\x62\x33\x09\xdb\x42\xc9\xf2\xae\x6c\x6d\x88\x38\xcc\xba\xe8\x75\x0d\xf3\x22\xe7\xc3\x4a\xb4\x81\xc8\x70\x63\x95\x95\x5b\x4a\x5d\xa1\x81\x5c\x91\xa5\x0e\xfe\x85\x6b\x87\xf8\xbc\x17\x5c\x5c\x76\x51\x22\x49\xdf\xb1\x56\x19\x88\xa2\x02\xf9\x56\x58\xa3\x77\x24\x73\xd1\x0b\x1c\x09\x7e\x17\x3b\xc9\x8e\x8f\xbe\x84\x0f\x09\x49\x27\xd3\xf6\x19\x4f\x8e\xbd\x52\x69\xfb\x79\x89\xb6\xfd\x9c\x50\xd3\x35\xd2\xb2\xe3\x6c\x6b\x2b\x0d\xd4\x15\x4e\x5e\xe5\xc5\x7c\x41\xc8\x6e\x12\x9f\x25\xdd\xc8\x7f\xbb\x17\xcc\xbb\x8f\xb6\x4b\x7e\x35\xa0\xb1\xf8\x89\x51\xb1\x9a\xd7\xbd\xf1\xa5\x24\xcd\x9d\x53\x60\x8e\xdd\xc7\xe0\xa9\x7f\x4a\xaf\xd9\x40\xfd\x69\xed\x1e\x50\x06\x00\xda\xcc\x94\xe4\xf4\xe1\x17\x6a\x0e\xaa\x85\xee\x03\xea\x35\xe7\xd4\x6a\x5d\x21\xc9\xec\xbf\xbd\x16\xdc\x57\xf1\x9c\x44\x37\xf2\x98\x19\xcd\x5d\x09\x48\x58\xeb\x8e\x36\x7e\xdd\x3b\x04\x4f\x97\x44\xbe\xe1\xe2\x90\x7b\x6c\xc3\xb9\x08\x3c\x14\x5c\x2c\x61\x7e\x90\xd2\xaf\xfe\x79\x4e\x97\xa1\x04\xb7\xba\x07\xe7\x12\x50\xdc\x94\xdc\x52\x4b\xb6\xee\x38\x1b\x82\xcd\x99\xa0\x84\x36\x52\xb4\xc2\x3f\x17\x9c\x5e\xa2\x70\xc0\xdc\xa0\x44\x03\xd6\x72\x04\x91\xa7\x65\x6e\x46\x82\x41\xc9\xca\x68\xc9\xbf\xbf\xdf\xc9\xe0\xd3\x03\xa9\xa3\x3f\x5f\xd6\x4f\x72\x01\x3e\xb5\x0f\xed\x0f\xee\x1f\x7a\xea\x5c\x74\xb4\x10\xdd\x40\xa7\x39\xa8\xd3\x79\xc2\x65\x8c\xf7\x7a\xb5\xf3\xe1\x43\x57\x25\xf8\xbd\x7d\xec\xbf\x79\x6c\x5c\x7d\xe4\xff\xba\x17\xbc\xc1\x83\xcf\x5d\x43\x63\x55\xc9\x86\x20\x40\x89\x95\xb6\x85\x03\x7e\x83\x5c\xf7\xe8\x12\x9b\xd2\xdf\x37\x5e\xad\x9a\x98\x4d\xbd\x67\xfb\xa0\xd9\x21\xdd\xba\x69\x1a\xf0\xb2\xbe\x88\xf3\x30\x1f\xd8\xb9\xac\x9f\xaa\xb1\x5b\x01\xbe\xc7\xac\xca\x5f\xac\xb1\xe6\x8e\x78\x28\x2b\xf6\x27\xc1\x77\xd5\x9c\x22\xd0\xf3\x94\x25\x43\xc1\x26\x9d\x30\x82\x68\xcf\x28\xbc\x4a\xa0\x41\x9a\x72\x41\x69\xc6\xa8\xbb\xc0\xc8\xe9\x24\xbe\x54\xb4\xae\xa2\x04\x11\x1c\xba\x0f\xe7\xb8\xbc\xd6\x4b\x31\x35\x1a\x7d\x24\x4e\x63\x2e\x83\x71\x2a\xa9\xce\x01\x30\x18\x93\xfa\x82\x79\x0e\xf0\xa0\x8a\x7b\x5b\x82\xad\xa8\x93\x69\x03\x9b\x38\x77\x69\x81\xbb\x1d\x9c\x08\x3b\xd6\x0a\x0e\x91\xe2\x64\xb2\x6e\xac\x24\x3a\x58\x94\x7d\xbf\xc7\xf6\x63\x29\xfe\x5b\xbd\xe0\xda\xdc\x88\x01\xb9\xb1\x41\x80\xbb\x47\x09\xb4\x5f\xad\x49\x1c\x21\x1d\x43\x28\xa2\xa8\x92\x9a\xa8\x64\x94\xf9\xd3\xdb\x9d\x70\xb9\x76\x98\xb5\x92\x4d\xb5\x7c\x36\x67\x9a\x46\xe4\x7e\xe2\xf6\xe0\x9c\x11\xb6\x0e\x40\x25\x09\xd7\x28\x59\x0f\x5b\x22\xe2\x01\x45\x34\x07\x45\x10\x18\x62\x3e\x52\x1c\xb2\x12\x58\x86\xce\xc5\x75\x5e\xdf\xc6\xfe\xb8\xc6\x8a\x1f\xfd\xcf\xd4\x82\x1f\xa8\x15\xd4\x2f\xda\x36\x61\xa4\xae\xc1\x4c\x81\x96\xe8\x9f\x49\x1f\x48\xad\x90\x5b\xd9\x1e\x46\xef\x6e\x25\x69\x0a\x74\x13\xf0\x50\x77\x6d\x25\x0a\x5b\x52\xd3\xcd\x40\x24\x2e\x61\xc0\xcf\x83\x0b\x0f\x6e\xee\x6a\x92\x88\x68\xc1\x42\x23\x55\xd7\x61\x90\xcc\xa6\xbd\x24\xe7\xa0\x81\xd7\x74\xf8\x68\x98\x02\x46\xab\xd2\x5f\x01\xb8\x3f\x34\x0c\x26\x50\xae\xb6\x5b\x39\xae\x51\x2a\x92\x34\x58\xc4\x16\x01\xd7\xf4\xcc\xf4\xf4\x36\x13\xbb\x03\x84\x46\x26\x73\xc6\xde\xea\xea\x32\xaf\xf7\xd8\x5d\x23\x77\x7e\xe5\xc2\x28\x20\x79\x82\xc5\xd6\x10\x3c\xcf\x28\x04\xa2\x6a\x78\x24\x33\xb1\xec\x67\xc6\x98\x5f\x30\x24\xac\x12\x5a\xab\xff\xc3\x63\xc1\x37\x8d\x0d\x3f\xb7\xd2\xb5\xf4\x13\xbb\x5a\x1d\x31\x0e\x06\x2f\xbc\x6e\xaa\x23\xa7\x8c\x64\x5c\x94\x6b\x99\xe0\x2c\x94\x04\x93\x4f\x63\x95\x81\xa9\xc8\xf8\xfb\x44\x9c\xf0\x2c\x49\x62\x1d\x37\x60\x01\x7e\x6d\xce\x34\x8f\x1e\x9f\x6c\x72\xfe\xf2\x8d\x30\x72\xd0\x9b\x5b\x22\x86\x5b\x3e\x89\x23\x3b\x44\x58\x1d\xc2\x88\xf2\x63\x81\xca\x6f\x42\xb5\x75\x93\x1b\x26\x72\x75\x2d\xc0\xc3\x0c\x9d\x0a\x79\x62\x43\x3c\x64\x61\x44\x81\xf7\xc0\xad\xd0\x6e\xf2\xd5\xaa\x21\xa2\xc0\x88\x4e\xd2\x8f\x0d\x4e\xd1\xe3\xb0\xf4\xe2\x36\xe0\xef\x42\x76\x27\x34\x39\xd3\xa0\xd0\xcd\xf7\x94\xd6\x9b\x7d\xa8\x7c\x9b\xc7\xf6\x6d\x84\x71\x0e\x4b\x6a\x34\xb8\x56\xe5\x92\x3a\xaf\xbe\x0b\x2e\xc1\xe7\x23\x16\x52\x41\xce\x01\x42\x7d\x23\xd9\x02\x73\x8a\x96\x4f\x05\xbc\x04\x7a\xde\x95\x1c\xfe\x64\x8d\x1d\xd4\x88\xfd\xfe\x47\x6a\xc1\x4f\xd6\x0c\x7e\x7f\x95\x60\x31\x33\x44\xb9\x58\xda\x63\xd6\x32\x72\x00\xc0\x28\xf0\x03\x18\x7e\x84\xf0\x5b\xef\x87\xd9\x86\xf5\x03\x18\xf6\x50\x98\xc3\xf5\x14\x03\xbe\xc3\x98\x2f\x5c\x5a\x41\x5b\xd2\x64\x93\x5f\xd4\xdc\x05\xc5\x77\x18\x03\xa2\x73\xfa\x21\x0f\xb6\xe0\x1b\x70\xba\x17\xb6\x21\x2f\xab\xd3\x8f\xd7\xe1\x60\xc3\x1a\x0a\x16\x7b\x0d\x5b\x85\x75\x4e\x16\xce\x1e\x08\x48\x69\x89\x4c\x16\xd8\xcc\xaa\x51\x17\xc4\x9a\x8c\xf8\xc4\xf2\xb9\x79\x3e\x33\x73\xf4\xd8\x24\x02\x33\x0c\x73\x59\xfc\x96\xc7\x0e\xea\xa5\xe1\xff\x27\x2f\xf8\x59\xcf\x2c\x94\x12\x68\xbe\x9d\x07\x7c\x29\x69\x63\x4f\x0c\x6c\x44\x69\xd4\x4b\xfc\x1c\x45\x0a\x7f\x31\x36\x51\xd2\x42\x70\x4e\x01\xc5\x39\xd3\xa5\x11\xa0\x29\x74\x05\x96\x07\xc4\x57\xdb\x02\xfe\x92\x59\xd1\x56\x00\x8c\xd3\xb9\x6f\xf7\xd8\xa1\xdc\x44\x98\xbc\xce\x63\xd3\x3b\x2a\x44\xe5\x70\x92\x4b\xe6\x7b\xb4\x1e\x3b\xc1\x25\xc2\x46\x45\xd0\xc7\xbc\x52\x01\x9c\xa1\xb3\x47\x87\xbd\x84\x8d\xab\x2d\xe9\x9f\x09\x4e\xc0\xd6\xac\xc0\x98\x79\x48\x3d\x77\x3e\x43\x00\x43\x35\xf9\x4e\xf7\xde\x51\x63\x27\x77\x20\x68\x3a\x17\x25\x5b\x0b\xc5\x92\x96\xe9\x45\x99\x6f\x24\x6d\xff\xb3\x5e\x70\x76\xc4\x6f\x16\xcd\x1b\x39\x9b\xd5\x43\xb8\xee\xaa\x1a\xec\x1d\x02\x11\x22\xe3\xea\x28\x72\x54\x80\xd7\x7b\x80\xf9\x09\x47\xd4\xe3\x41\xf7\x8a\xfa\xc7\x15\x63\x4a\x52\xc7\xb1\x52\x99\x86\xca\xd2\x55\x01\x3b\x99\x71\x58\xe2\x91\xac\x14\x81\xe0\xcc\xe0\x81\x4c\xa6\x01\x2c\xf4\xe0\xcc\xc0\xe0\x77\x06\x4d\xbe\x5c\x05\x60\xff\xa7\x35\xf6\xb2\xa7\x8d\xfd\x3d\x0f\x01\xf1\xfa\x3e\xf2\xa0\xd9\x3d\xfe\xf5\x5a\x70\x71\xd4\x8f\x2e\xaf\x64\xb1\xe5\xa8\x6b\x78\xa7\x70\x3f\x2e\x01\x1b\x7e\xd8\x63\x1f\xf4\xd8\xed\x49\x4f\xc6\xea\xce\x78\x0c\x41\xc3\xfd\x77\x7b\xec\xc1\x51\x6b\x77\x6f\xa0\xe6\xc1\x4b\x4b\x75\xe9\x89\xba\x8c\x8f\xf9\xe6\x31\x73\xc3\x44\xf0\x76\xd5\x07\xab\x6b\x20\x76\xd2\x7e\x0c\xdc\x18\xff\xf9\x90\x73\xf3\xd7\xa6\x8d\xc2\x08\x03\x11\xed\xef\x3d\x14\x94\x1e\x55\x85\xb4\x17\x6f\x8c\x08\x66\xff\xa6\x9b\x5e\xb2\x3d\x7b\xc9\xfe\x9d\x21\x75\xfe\x71\x2f\x48\x34\xa9\xb3\x3d\xf4\x37\x7a\xdd\xdd\x4a\xd2\xab\x51\x22\xda\xd9\x54\x61\x1e\xca\xa6\xc8\x62\xae\x1a\x53\x3c\xb6\xb5\xde\x29\xd6\x60\xff\x74\x47\x1b\x59\xd1\xb0\x9b\xfe\xbd\x9b\xf4\xce\x36\xbd\xf3\xd7\xee\xec\xf1\x3a\xe1\x1f\x2b\x90\xb9\x7b\xbd\xcc\x38\xb7\x5c\x59\x54\x8e\x8c\xff\xc2\x61\xe7\x66\xbd\xa6\xee\xe5\x45\xbc\x43\x9a\xc4\x2f\x49\xd6\xfc\xff\x78\x38\x98\xa5\x7f\x97\x15\x27\x87\x21\x8b\x30\x57\xf1\xb6\xdd\x4a\x93\x98\xbf\x2a\x59\x73\x8f\x80\x77\xb2\x9b\x6b\x7b\x0f\x6b\xfb\x57\xed\xb5\xfd\x31\x6f\xaf\xde\xeb\x27\xbd\x6d\xdc\xd7\xcf\x59\xae\xce\x5f\x69\xb0\xfd\xff\xe5\x6d\x43\xee\x56\xb9\x34\x01\xed\xe5\x43\x5e\x25\xdc\x8b\x36\x7b\xae\xc9\x0d\xb1\x19\x62\xa4\x8b\x30\xcb\xb2\x4e\x58\xf1\x7a\x7d\x11\x09\xd6\xb3\x3f\xb3\xaa\xa7\x0d\x11\xb7\x1b\x68\x59\x60\xbf\x52\xd0\x7b\x7c\xcc\xdb\xc6\x93\x52\xdd\x7f\x84\x79\x7e\x93\x37\x5f\x11\xfa\x6c\x76\xe0\x73\xdd\xa5\x9b\x8a\xcb\xde\x14\x97\xa7\xbc\x97\xef\x2c\xf0\x8f\xfb\x47\x8d\xc0\x87\xb5\x51\x84\x33\xe0\xda\xa8\x8c\x61\xf8\x8d\x83\x6c\x72\x38\xc0\xa2\x22\xb2\x0d\x74\xd9\xf7\x1c\x0c\x5e\x5c\xfd\x53\x65\x9a\xe6\xd0\x9b\x59\xa5\x6a\xfb\xa9\xfd\x37\x57\xc8\x5e\x55\xdb\xbe\xd6\x6c\xa3\xe0\xab\x17\x87\x59\xff\x2b\xa6\xc2\xd6\x47\x4f\xb1\x13\xdb\x98\xbc\x46\x2f\x8a\x9b\x67\xf7\x1e\xce\xee\x8e\x75\x74\x3f\xb4\x37\xad\x74\xbb\xa8\xb3\xa7\xbc\xfe\xce\xc2\x63\xd9\x5f\xda\x53\x7c\x54\x95\x2a\xf9\x23\xfb\xd9\x63\x7b\x4b\xb2\x74\x8d\x07\x0b\x66\x78\x8c\x05\xdf\xff\x0f\xfb\x82\x57\xec\xf8\x56\x61\x91\x6d\xcb\x5c\x84\x51\x11\xb8\xa1\x8d\xfa\x05\x62\xb9\xe1\xa2\x4f\xda\xda\xdc\x73\xdd\xa3\xf3\xd8\x11\x5a\xbf\x38\xce\x5e\x4d\x66\x9f\x30\x78\x04\x0c\x3d\x25\xa3\x4f\x6e\x43\xa1\x37\xf9\x2a\xd8\x76\x88\x90\x86\x9f\xcd\x72\xb1\x16\x85\xd9\x86\x6c\xd7\x39\x18\x77\xe6\x5a\xea\x4a\x49\xb9\x6b\xab\x14\x7b\x63\x62\xe4\x69\xcd\xbc\xdb\x63\x7e\x24\xb2\x7c\x35\x15\x71\x06\x05\x43\x02\xcf\xb7\xee\x21\x81\x67\x65\xb8\xbc\x52\xf6\x4e\x31\x3a\xb9\x79\x4d\x63\xde\x24\xb1\x01\x9f\xcf\x13\x2e\x62\x30\x19\x37\x99\x64\x07\xba\x32\xcb\xc4\xba\xf4\x1f\x0a\x2e\xd2\x3f\x51\x34\x6c\xf4\xbb\x22\x6e\xa4\x52\xb4\xc1\x55\x60\x7e\xc3\xe4\x15\x25\x22\xf4\x2c\xa1\xf3\x05\xdb\x62\x2a\x76\x86\xe3\x55\x6c\x3f\x32\x17\xf8\x57\x82\x15\x22\x37\x80\x4a\xfa\x71\xf8\x6a\x25\xae\x93\x58\x36\xb6\x92\xb4\x5d\x2f\xb6\xbb\x21\x41\xd0\x6b\x40\xf7\xee\x48\xb6\x6d\x5d\x0f\x19\xb5\x6c\x29\x98\xcf\x9c\x20\xbe\x11\xe8\xfb\x20\x79\x0a\xf8\x7b\xc0\xe0\xaf\xf3\x07\x62\xa0\x66\x70\xca\xfe\xc3\x71\x36\xb3\x43\xa6\x8a\xd1\xd2\x4d\xbe\x8a\xff\xbe\xf1\xe0\x5b\xbd\xe1\xe7\x25\x48\x4b\xbd\xc6\x0d\x35\xbe\xd0\x89\x8b\x94\x2c\x87\xbe\xce\xab\x43\xc6\xdd\x89\x8e\xcd\x4b\xba\x11\xe6\x59\xa3\x27\xd3\x46\x06\xe1\x55\x80\xaa\x13\x17\x9c\xc7\xf0\xc9\x64\xf3\xba\xb7\x1f\x0b\xbf\xee\x1d\xa0\x8a\x31\x89\x0e\xb2\xf2\xda\xd8\x58\x67\x1f\xfd\x8f\x1a\xfb\x7a\x8f\xe9\x97\xfd\xc1\xf6\x68\x63\x23\x12\x78\x1e\x54\x7d\x23\xdd\xf7\x94\xb5\xa9\x87\xd9\x4d\x6c\xba\x6c\x1d\x13\x83\x2d\x66\x8f\xb2\x72\x43\xfd\x97\xb0\xf3\x37\xd4\x9a\x6d\x72\x35\xd9\x93\x1e\xa3\xb1\xf1\x07\xa3\xef\x69\xdb\x74\x72\xd1\xe4\x44\x04\x77\xe9\xdc\x55\xfd\x88\x24\x0f\xe6\x66\xd0\x8f\x6b\x03\xb4\xb4\x2b\x79\xa2\x03\x2b\xd9\xf7\xec\x67\xff\xa8\xc2\x13\x70\x36\xde\x7c\x50\xa4\xfe\x5f\xed\x0b\xe6\xf0\x9f\x8e\xc3\x3c\xe6\x32\xde\x0c\xd3\x24\xee\xe2\x10\xa6\x21\x46\xe2\xe1\x0b\x88\xc5\x68\x60\xa6\x9b\xc4\x7e\xec\xcc\xf2\x0f\xed\x63\x97\x88\x18\xeb\x5c\x70\xfa\x92\xe5\x00\xa8\x2a\xd9\xce\xee\x99\x7f\x6c\x71\xe1\xec\xa5\xd5\xc5\x73\x8b\x67\x97\x9d\x3d\xf3\xa1\x31\xb6\x0f\x66\xd3\x7f\xdf\x58\xf0\xce\xb1\x07\x75\xab\xac\xd8\xe3\x3b\x26\x1e\x9c\x5b\x7e\xec\xd2\xdc\xc5\xb3\x93\xc8\xd9\x71\xad\x27\x20\xb1\xbe\xe0\x99\xed\xa5\x72\x33\x4c\xfa\x05\x26\x57\x55\x7b\x1c\xc7\x38\x62\x69\x6b\x6f\x66\x01\x55\x56\xf1\x19\xc4\x3c\x88\x62\xc0\x46\x85\x5b\x17\x7e\x16\xaa\x27\x8c\x7b\xfd\x5c\x2b\x51\x26\xbd\x3c\xd6\x19\x8d\xe0\x35\xb0\x3b\x97\x0d\xe2\x5c\x5c\x33\x9e\xa4\xac\x25\x7a\x05\x38\x76\x3b\xe9\xab\xca\xef\xb8\xa3\xce\x43\x39\xcb\xef\xb0\x3e\x6c\xf2\xb3\xf4\xae\x35\x6a\x98\xc8\x21\x37\x31\x32\x55\x8f\x59\x9d\xa7\x72\x5d\xa4\xed\x08\xb6\x7b\xc7\x61\x80\x34\x1d\x24\xd7\x0d\xa6\x1d\x36\x9d\xa4\xa5\xc0\x8d\xbe\x7a\xb3\xc7\x0e\xc1\xec\x9d\x4b\x93\xae\xff\xe4\x76\xc1\xf0\xee\x1a\xc5\x44\xb7\x60\x79\xa5\xc0\x4b\x18\xb5\x8c\x8e\x64\xb8\xdd\x1d\x0d\x30\x93\x6d\x1e\x76\x8a\xa4\x6d\xf5\x1c\x10\xfd\x9b\xec\xf7\x5d\x10\x26\x5d\xef\xf9\xd5\xd5\xa5\xfb\x65\x3e\x07\xf7\x1a\xff\x67\xf7\x05\x2f\x76\x9e\x58\x39\xc7\x05\x99\xa8\xc1\x2b\x53\xaf\xf2\xfb\x65\x6e\x34\x52\xb5\x3d\x7a\xe5\x10\xbe\x3f\x1a\x67\xa7\x08\xb6\x6e\x2a\x08\x20\x12\x4d\x9d\xa6\xc0\x33\xa6\xc1\x58\xa1\x24\xd2\x9b\xec\x91\xfc\xb8\xc7\xa0\x40\xff\x67\x76\x6d\xfe\xe9\xe7\x61\xd4\x0c\xe3\x3c\xcb\xd3\xe6\x62\x9c\x6b\x2a\xd7\xe0\x09\xdc\x98\x69\x29\x72\x90\xf8\x67\x4b\xed\xb1\x30\xd9\x89\x3b\x40\x07\x12\xd1\x22\x4e\xd5\x62\xe5\x33\xea\xcb\x93\x27\x4e\x1c\x3b\xd1\x04\x3d\xc7\xbc\xa5\x4e\x8f\xb9\x4b\x73\x8f\xad\x3c\x38\x0f\x8b\xb1\xc9\x96\xd9\x7e\xb8\x84\x49\xff\x7c\x70\x37\xf8\x67\xa4\xed\x86\x69\x25\x71\xac\x2e\x97\x2e\x9d\xbd\xbb\xca\xd4\x20\x39\xa3\xf3\x04\x1b\x57\x6f\xf9\xfd\x60\xe3\x7c\x92\x21\x1d\x2b\x25\x11\xc7\x08\xb9\xee\x86\x09\x12\x0a\x04\x5f\x5c\x6a\xf2\x57\x24\x7d\x20\x67\x10\x6b\xd1\x80\x6f\x09\x0c\xed\xce\x64\xce\x03\x55\x54\xa0\xfa\xa9\xae\x0b\xe7\xa5\x68\x03\x5a\x1c\x05\x19\x94\x96\xf9\x61\xeb\x1d\xff\x5f\x78\xc1\x3c\xea\xab\x7c\x83\x3e\xa3\x32\xf5\xa0\x69\x00\x42\x98\x6e\x83\x1a\xd2\x83\x88\x6e\xfd\x4d\x73\xf7\xbe\x04\x7b\x11\x63\x23\xd8\xf7\x1d\x60\xcd\x8a\x37\x96\xd4\xb1\x95\xe5\x32\xce\x31\x35\x70\x3e\x12\x61\x97\x34\x8d\xff\xbe\x3f\xb8\xbc\xcd\xef\x5a\x0f\xaa\xca\xb7\xef\x99\xcf\x74\x9a\x5f\x4b\x7d\xe8\x5a\x81\xdf\xb8\x9f\xfd\xaa\xc7\x0e\xe3\x02\xbb\x98\xb4\x65\xe6\xff\xbc\x17\xbc\xdb\x9b\x2b\x1e\xb8\xc7\x39\x31\x7b\xd1\x8a\xec\x26\x9a\xe2\x91\xaa\x58\x13\xc0\xa0\x0b\x8f\x96\x1e\x9c\xe7\x1b\xe2\xc6\x5d\x3b\x84\x2b\x33\x55\x74\xa0\x41\x99\xae\x2f\xc4\x6a\x1b\x50\x6d\x63\x66\x9b\x38\xb5\xb7\x79\xec\xa0\x8e\xfb\xf7\xbf\xd1\x0b\x4e\x97\xa2\xae\xa9\x1b\x0e\x37\xbf\x7a\x0e\x3c\xdf\xd1\x00\xae\xd0\x98\xb1\xfb\xcc\x06\x50\x7e\xbc\xe6\xc4\x50\xfd\x54\x2d\x78\xb3\xb1\x18\xce\xdb\x77\xa1\x51\xb3\xa7\x0e\x36\xab\x91\xc3\xaf\x85\x99\x61\x92\xcc\xc0\x38\x92\xeb\x58\xa4\xf9\x21\x76\x28\x80\x95\x48\xf8\x91\x65\x78\x75\x25\x17\x69\x2e\xdb\x47\x9c\x45\x3e\xcf\xe6\xd8\x7d\x3b\x2e\xf2\xca\x25\xfa\xec\xc6\x97\x2f\xb3\x7d\xbd\x0d\x91\x49\x7f\x31\xb8\x67\x69\x03\xaf\x17\xae\x43\x84\x86\x15\xde\x52\x43\x5a\xd9\x48\x47\x68\x7c\xf6\x40\x65\x34\xf6\xcb\xfa\xc9\xda\x20\x97\x4e\xbe\xf7\xbf\x3b\x10\x7c\x83\x9b\xef\x4d\x6f\x61\x9a\x34\xe1\x5b\x8b\x4c\x47\xf9\x87\x1d\x09\xd7\x3a\xdc\x9a\x49\xbb\x69\xde\xd7\x59\xdc\xc4\xec\xb1\x6d\x32\x77\x92\x56\xe5\x72\x5f\xf7\x0e\x12\x73\xc7\xe0\xba\xb7\x1f\xcb\x73\x76\xf9\x37\xef\x67\x2f\x63\xe3\xfd\x4c\xa6\x6a\xb4\x1e\xc8\x10\xcb\xa0\x2b\x7a\x7a\xd1\xd0\x76\xce\x13\x47\xa6\x67\x32\x0d\x37\x5b\x52\xb4\x10\x54\x4f\x7d\x6f\x8f\x56\x9b\x51\x5d\x10\x2d\x6e\x56\x9f\xb1\x41\x51\x8c\x4a\x91\x7e\x1b\x73\x11\x61\xfa\x08\x25\xca\x94\xc6\x40\x2b\xce\xce\x9c\xdc\xaf\x69\x24\xef\x0d\x66\x90\x35\x72\x87\xa6\x13\x4b\x2a\x7c\x64\x17\x54\x4e\xf1\xde\x36\x71\xbb\xd4\x30\x4c\x41\xd7\x99\xf9\xa0\xde\xa9\xa2\x1a\x90\x0b\x68\x51\x88\x37\x87\xd3\xc5\xdd\x14\xef\xdf\x85\x46\xe0\x5c\xf9\xff\xc5\x0b\x7e\xc1\x5b\xa6\xbf\x2a\x03\x65\x93\xb4\x08\xce\xd2\x4d\x32\x1f\x90\x06\x9c\x59\xb1\xc5\xc2\x1a\x7e\x91\xc1\x31\x3d\x0b\xab\xa9\x27\xc2\x94\x4f\x74\x8b\xd8\x31\x64\x46\x82\xbc\x2a\xc2\xe3\xa4\x7e\xb5\x92\x6e\x57\x64\x93\x14\x54\x26\x20\xb3\x80\x36\x94\xfa\x0a\x84\x26\x35\x00\x42\x34\x70\xf5\xda\x03\xfd\xbd\x1e\xdb\x9f\xcb\x58\xc4\xb9\xff\x66\x2f\x78\xd2\x5b\x85\x7f\xab\x05\xad\x4f\x06\xbc\xfd\x95\xc6\x98\xce\x61\x8d\x50\xfc\x40\xa6\x5b\xd4\x1e\xc4\xa2\x4b\x80\xa0\xc0\x46\x47\x56\xe8\xd2\x06\xaa\x17\xaa\xa5\x05\xda\xd4\x03\xd2\x07\xbb\x79\x7f\x74\x1f\x3b\xff\x4c\x85\xb5\xf8\xef\xb8\x2f\x78\xb8\xcc\xba\x1f\x6a\x2a\xfe\x06\x85\xba\x14\x70\xbc\xae\x7b\x6c\x21\x15\x9d\x9c\x1f\xe7\x13\xea\x54\x9c\x9d\x9a\x7a\x55\x96\xc4\x0d\xb4\x86\x37\x93\x74\x7d\x6a\xd2\x3d\xab\xdf\x77\x2f\xbb\x83\xdd\xda\x0d\xe3\x25\xe4\xdb\x0b\x65\xe6\xbf\x80\xf2\x69\x9c\xa4\x92\x1e\xdb\x27\xe2\xc1\xe5\x8e\xbf\x6e\x4b\xf2\x87\xd8\xd7\x3e\x5b\xd1\x3d\xdb\x42\xa2\x7d\x2d\x3b\x40\xb6\x0c\xff\x22\x7b\xe9\x33\xd8\x00\xb6\xa1\x4d\xef\x8f\xb1\x47\x9f\x9d\x8e\x5d\x4e\xe7\xd4\xe0\xb1\xaf\x62\x07\xbb\xe2\x1a\x98\xf7\xab\x87\x9c\xb3\x43\x5d\x71\xed\x82\x8c\xd7\xf3\x8d\xea\x37\x9e\x60\xcf\xef\x89\x3c\x97\xa9\x3d\x7d\x1b\xef\x79\x36\xa7\xc5\x56\x3c\x62\x76\x8b\x2c\xf0\xf1\x32\xff\x95\xec\x91\x67\xa8\xd2\x4a\xd8\x3d\x58\xa9\xe2\xda\x4e\x2b\x55\x8d\x6b\x18\x6f\x33\xae\x5f\xc9\x0e\x10\x05\xa2\xff\x02\x7f\x3f\x5e\xa8\xa1\x5b\x44\xf7\xf9\x4f\x18\xd3\x42\xed\x72\xa7\xfa\x95\x2f\x65\x07\x68\xe0\xdd\x75\xf9\x02\x36\x7e\x47\x2a\x3b\xee\xc3\x36\x1b\x97\x71\xbf\xeb\x3f\x62\xef\x9c\xcb\xec\x19\x5e\xb8\x5f\xad\x0e\x01\x0c\x25\xf4\xbf\x6c\x1b\x2d\x56\xf5\x5e\x5c\x1b\xdd\x7b\xb5\xea\xc2\x78\xbb\x55\xf7\x02\xb2\x94\x3b\xc5\x7e\xc3\x58\x89\x58\x33\x8c\xf3\x46\x92\x36\xf0\x67\xff\xf3\xb5\xe0\x37\x6b\xa3\x7f\x77\x22\x37\x35\xb2\xb3\x11\xbd\x9a\x9d\x35\xe6\xd4\x04\x0e\x39\x33\xf8\x29\xa5\xc1\x53\xc6\x2f\x51\x93\x12\xad\x9f\x36\xe4\x3b\x04\xab\xea\x99\xc8\x78\x6b\x23\xd4\xa9\x6c\x83\xcb\x10\x22\x0b\x67\x6e\x9e\xa3\x49\xa1\x90\xaf\x95\x18\xe8\x34\xfb\xd9\x2c\x63\x33\x93\x58\xc4\x2c\xe3\x9c\x23\x7b\xe8\x2c\x37\x7b\xb8\x78\x44\x03\x75\x74\x52\x35\xc7\xbc\x5e\x7c\x5a\xf9\xf1\xd0\xe7\xf0\xa4\xd9\x6c\xf2\xc7\x65\x9a\xc0\x59\x9e\xa4\xd2\x51\x07\x7e\x67\xff\xc8\xac\x8b\x8f\xee\x0f\x3e\xb0\xbf\xfa\x37\x0e\x46\x15\x4d\x49\x02\x4b\x07\xd4\x8d\x7e\x0a\x63\x6f\xc8\xae\x31\x71\x0d\x43\xf8\x29\xf0\xd9\x2c\x46\xb4\x06\x68\xcc\xa1\x3e\x19\x4d\x22\xb0\x22\x69\x57\x2b\xa4\x15\x1f\x2b\xa7\x41\xe1\x30\x5e\x11\x79\xd2\x0d\x5b\x57\x66\x49\xbd\x45\x47\x74\x4e\x7a\x9d\xb0\x74\x18\x09\x97\x20\xa4\x2d\x57\x4f\x5b\x22\x12\x29\x31\xd8\xce\x41\x21\x54\xad\xbe\x95\xa8\x0f\x52\x09\x20\x0b\xbd\x48\xb4\x1c\x02\x41\xb4\xc1\xd9\x1d\xc1\x82\xec\xc8\x7b\x30\x90\x0f\x8c\x37\x08\xda\x36\x81\x38\xd5\x75\xaa\xbe\xae\xa6\x65\xb2\xa9\x26\xf8\x4a\x26\xf3\x2b\x34\xa9\x2b\x92\xe0\xfb\xb1\x41\x45\x9e\x95\x52\xcc\x61\x34\x8c\x06\x85\x48\xac\x26\x64\x1c\x82\xee\xc9\xe6\x75\x56\x40\x08\x00\xe7\xb4\x2b\x8c\xdd\xc5\x54\x6e\xdc\xe3\x58\x80\x33\xcb\x5d\xd1\xc3\x49\xd6\x23\x0c\x1b\x88\xba\x89\x73\x3d\xfc\x51\xb1\x34\xf4\x57\x4d\x76\x6c\x92\x5f\xe9\x8a\x9e\xee\xdb\xea\x86\xcc\x74\xc7\xb0\x8b\x57\x81\x12\x93\x4c\xac\xb0\x91\x65\x98\x6a\x40\xfa\x0c\xfb\x2b\x20\x21\x3d\x8c\xdb\xf2\x1a\xbf\x2a\x07\x58\x94\x8e\xb7\x27\x23\x38\x28\x5a\xdd\x26\xbf\x9c\xb6\x91\x9c\x08\xf4\x58\x48\xe6\xed\xf7\x20\x2a\x39\x5d\x97\x68\x3a\x55\x7a\x7b\x2e\xd6\x69\xce\xaa\x56\x20\x79\xce\xa1\x8b\xa6\x29\x6a\x4b\xc3\x6c\x62\x4c\x01\xb3\x95\x6c\xec\x2f\x26\xa4\xab\xd1\x71\xe1\xdd\xb7\x94\x62\x62\xc4\xf6\x73\x78\xde\x6e\x32\xd6\xfb\x62\x9c\xf3\x5f\xc2\xf6\xe5\x61\x1e\x95\x24\xfe\x7b\xc7\xb7\xa5\x52\x7e\xd3\x78\xf0\x27\x63\xa3\x7f\xaf\x92\x37\x66\xe5\x8f\x5a\x87\x6a\xe9\x29\x25\x1c\x4f\x8b\x81\x56\xfd\xa1\x3c\x98\x6c\xa1\xb9\x2e\xd4\xda\xd2\x98\x73\xa2\xd7\x64\x0c\x36\x78\x2e\xd6\x91\xde\xad\x5a\x46\xb9\xb8\x07\x41\x75\x2b\x02\x4b\xde\x91\xad\x23\xe8\x8a\x5e\xd0\xe4\x73\x51\x96\xd4\xc9\x84\x0e\x19\x2f\xc5\x1d\xaa\x40\xfe\xcb\x31\xe6\x60\x78\x07\xc3\x6a\xb4\x32\xac\xe1\x76\x04\x67\x14\x8a\x99\x7e\x2a\x21\xc5\x2b\x96\x98\xbb\x12\x66\x45\xaa\xc1\x24\x74\x50\xf2\x62\x75\x58\x75\x43\x45\x05\x38\x85\x01\xbb\x48\x52\xbd\x1d\x35\x1a\x2e\x45\xc5\x40\x5e\x72\xd6\x87\x24\xbf\x24\x73\x4a\x45\xf2\x6e\x74\x14\xc1\xee\x88\x22\xcd\xdb\x25\xbb\xdb\x26\x79\xbe\xde\x63\xb7\x20\x25\x99\x8c\x5b\x6a\xf9\xf6\xdf\xe3\xad\x33\xc9\x5a\xcf\x96\x92\x8d\x56\x70\x50\xb5\xed\xb5\xcc\xd9\xf3\xe4\xb5\x56\xd4\xcf\xc2\x4d\x79\x91\xb4\xc0\x5b\x9c\xf3\xb3\xc7\xf6\x25\xb1\x7c\x2e\x6f\x3a\xdf\x3d\xc6\xee\x70\x0d\x54\x24\xec\x1a\x7d\x74\x2f\x37\x30\xf3\xcd\xff\x93\x5a\xf0\x99\xda\x6e\xde\xe4\x59\xae\x6e\x8d\xb9\x4b\xe8\xdc\x96\xad\x04\x42\x22\xb3\x5c\x12\xc7\x35\xa5\x3f\xe8\xd4\x3a\xba\xa0\xa7\xb2\x84\x99\x4c\xf7\x68\x2b\x77\x82\xae\x94\x78\x70\x8a\x4e\x07\xe0\x02\xa8\x94\x54\xb6\xfa\xa9\x1a\xe0\x68\x80\x88\x68\xd9\x56\xa8\x99\x5f\x5a\x57\xd5\xfa\x8a\x93\xb4\x2b\x22\x53\x3b\x05\x71\xf6\x53\x40\x6b\x46\x3c\x67\x6b\xd5\xa9\x85\xd6\x46\xb3\x9f\x88\x96\xdc\xd5\x38\xd4\x46\xa7\x61\x2d\xa5\x0a\x9a\xa5\x0f\xb4\x64\x49\x0a\xb6\x4e\xf0\x0f\x36\xd1\x8d\xaf\xf6\x52\x27\x49\xd7\xc2\x76\x5b\x96\xb8\xc0\x5e\xcd\x6e\x2f\xaa\xc6\x3b\xc5\x33\x77\xcb\x19\x5a\xb3\x67\x92\x24\x82\x9b\xb6\x52\x10\x9f\xbb\xf5\xf7\x8e\x1a\x3b\x40\x32\xc0\x7f\x73\xed\x19\xbd\x96\x04\x1f\xf1\xda\x85\x09\xad\x24\x6a\x40\x84\x98\xc9\xd0\xea\x0b\x2e\x22\x63\xf5\xd2\xe8\xcd\x7c\x4d\xe6\x05\x62\x34\x98\xab\xd1\x02\x5d\x0e\x18\xd2\x1f\x39\xb9\x75\x76\x69\x24\x01\x51\x46\x36\xf5\x0e\xa2\x48\x8e\x73\xb8\x84\xd1\x38\x87\xc6\x36\xf6\x7c\x56\x0b\xdb\xee\xe1\xf7\x0f\xd9\xc1\xb8\x1f\x01\xb8\x4a\x49\x7c\xfc\xda\x18\xfb\x4a\x67\x8b\xca\xee\x9a\x6c\xb7\x65\xdb\x90\xbd\xf9\xff\x7a\x2c\xf8\xc1\xb1\xed\xdf\xb1\x82\x24\x51\x8b\xb2\x80\xa9\xd5\xed\x06\x5f\xb7\x93\xf8\xd2\x7e\x0c\xe4\x22\x18\xa9\x50\xc7\xc3\x74\x75\xd0\x93\x17\xd5\xb8\x29\xf5\xbb\x08\x0d\x47\xc5\x09\xce\x54\x7d\x0c\xe9\xd0\xca\xc5\x32\x33\x9b\xbe\x01\xa4\x52\x75\xbd\x85\x8d\x31\x0d\xd0\x9f\x5d\x0d\xe3\x76\x9d\x17\x41\x9f\xa8\xef\x6b\x5e\x08\xb5\x51\x49\x76\xc8\xb6\xcb\xe8\xdc\xe4\xbb\x92\x67\x43\x48\xe2\x78\xd3\x73\x78\x89\xf0\xe4\x86\x5f\x09\x65\x3c\x31\x54\x73\x9d\x7e\x14\x0d\x2c\x61\x31\x81\x36\xdf\x72\xb3\xeb\xa6\xcd\x93\xae\x1c\xf8\x81\x71\xf6\x0f\x2a\x55\x6a\xff\x0d\xe3\xc1\xff\x1d\xab\xd6\xb6\x1d\x15\xa7\x60\x85\xde\xeb\x9d\x0a\x13\xc1\xe9\x6a\x4b\xc5\x3a\xd7\xab\xa3\x23\xae\x57\xeb\xa9\x88\xfb\x91\x48\x5d\xf5\x1d\xf4\x75\x60\xe8\x44\xff\x15\xfc\x3d\x71\x55\x0e\x1a\xb8\xe4\x7a\x22\x4c\xb3\x49\x64\xa3\x15\xad\x0d\x2d\xe4\x11\xe0\x40\x1f\xe9\x39\x96\x38\x94\x6d\x0c\xec\xe0\x20\x85\xd5\x43\xc0\xa5\x88\xc3\x5e\x01\x6d\x6d\x88\x9b\x44\x2b\x4f\xd2\x6c\xd2\x80\x77\x61\x79\xb9\x85\xd5\x5f\x1c\x12\x5a\xf3\x50\x2d\xc5\xfb\xd6\x33\x79\x71\x84\xfe\xef\xf2\xde\x68\x8b\x84\x2f\x65\x07\xee\xc0\xc3\xc7\x15\x15\x9b\xec\x4b\xaa\x4e\xaf\x67\xfd\x1c\x71\x34\x1d\xb2\xf8\xb8\xa2\xea\xdf\x3e\x9f\xed\xc7\xa4\x76\xff\xbd\xcf\x0f\xde\xf1\x7c\xfc\x37\xc9\x18\x2b\x89\x92\x9e\x6b\x7b\x0b\x49\x4a\x7a\x4c\x2b\xc1\xa4\xf7\x3b\x66\x12\xfb\x15\x23\x00\x66\x19\x6b\xf0\xb5\x2c\x89\x71\xed\x86\xed\x59\x25\xdd\xb3\xc4\xec\x91\xc5\x05\x22\xb9\x12\xfc\xe8\x71\x9b\xa3\x6f\x43\x5e\xd3\x9e\x88\x06\xef\xa7\xe1\xac\x6a\xe8\x03\xcb\x8b\x6a\x8a\x7b\x22\xa5\x14\xf9\xfb\x93\x48\xc4\xeb\x3c\x96\xf9\x54\x3f\x8d\x9a\x4b\xea\x87\x65\xf4\xc4\xab\x77\x1b\x5c\x76\x45\x18\xcd\xa2\x20\x15\x61\x64\xf0\x2d\x46\x95\xa2\x5e\xc2\x62\xe6\xe8\xcd\x86\x49\x86\x9f\x85\x90\xa0\x28\x6c\x97\x23\xd6\x61\x91\xc6\x48\x7f\x16\xcb\x1c\x71\x8b\xd5\x17\xf5\x0a\xd2\xc0\x99\xe9\x63\xc7\xeb\x3c\xa3\x68\xfb\x63\xcd\x19\xfe\xf0\xf2\xb9\x79\xf5\xf4\xd1\x26\x6f\xf0\xb0\xb7\x79\x1c\xda\xbb\xb8\xb4\x79\x9c\x2f\x2e\x8d\x6a\x29\x36\x72\x71\x09\x3f\x39\xa9\x3f\x39\xb9\xbb\x4f\x5a\x61\x3b\x55\xdd\x99\x5f\x5c\x58\xde\xfe\x75\x78\xa3\xc1\xbb\xa2\xa5\xde\xbf\x38\x37\xbf\xd3\x10\xe2\x67\xea\xc5\x06\xef\xf7\x61\xc6\x63\xfe\xc0\x03\x8b\x0b\x04\x93\x87\x91\x11\x40\xa3\x01\x80\x00\xd6\xf0\x60\x1c\xc5\xba\xbc\xc6\x27\xee\x0b\x27\x5f\xf9\xf0\x74\xe3\xb4\x68\x74\x1e\x7d\xcd\x5d\x4f\x34\xee\x33\x7f\x1c\xdf\xdd\x1f\x33\x47\x9f\xb8\x83\x5a\x70\xcc\x34\xe1\xd8\x33\xd8\x86\x63\xe6\xaf\x63\xbb\x69\xc4\x71\xd3\x88\xe3\xcf\x60\x23\x8e\xbb\x8d\xb8\xeb\xb4\x58\x7b\xb4\xba\x5d\x56\x53\x4e\x98\xa6\x9c\x78\x06\x9b\x72\xe2\x46\x9b\x12\x66\x6b\x31\x2e\xdb\x95\x33\x97\x66\xa6\x95\xb6\x0e\xff\x3a\xa6\xa3\x98\x68\xfb\x83\xfc\x0e\xa6\x8f\x1d\x9d\x39\x75\x62\x66\xfa\xf8\xb1\x40\xbd\x19\x9c\x3e\x75\x57\xc3\x3c\x9b\x09\xa8\xbc\x99\x69\xbb\xc4\x9d\xca\xa1\x6f\x8e\x15\xdf\x54\xd7\x3d\x5c\x57\x2b\x95\xed\x30\x6f\x89\x14\x04\x1a\xfe\xc5\xd5\x9f\xfa\xfb\xca\x11\x7c\xe5\xc4\x7d\xb3\x30\x63\x30\x06\x13\xf7\xcd\xe2\xbf\x8f\x3d\x31\x79\xdf\x6b\x4f\x3c\x3c\xd3\x38\xf1\x28\xfd\x78\xfc\x89\xd7\x9e\x9c\xb8\x6f\x76\x7a\x66\xe6\xb5\x30\xac\xf8\x7c\xd2\x7c\xfa\xda\x63\x0f\x1f\x3f\xa5\x5f\x3e\xf6\xc4\x6b\x8f\xa9\x97\x1f\x9e\x6e\x9c\x78\xf4\xb5\x0f\x9f\xbc\xcb\x7d\x7b\xe6\x89\xd7\x4e\xdc\x37\x7b\x74\xe6\xd8\xcc\x6b\x67\xee\x9a\x9e\x7e\xed\xb1\x13\x8f\xb4\x55\x95\x8f\xb4\xd5\x6f\x93\x77\x68\x02\xf0\x01\x8f\x93\x98\xb7\xc3\x75\xd5\x93\x42\x0e\x77\xc3\x6b\x78\xe1\x6a\xf0\x2c\x53\xf3\xc5\x1f\x68\xae\x34\x39\x80\xa2\x44\x4a\x8c\xf5\xd3\x30\x1f\xe8\x6e\x17\xc7\x81\xd5\x6b\xa8\xef\xe1\x06\x7f\xf4\xbe\x47\xda\xaf\x39\x6a\xfe\x75\x1c\x56\xc1\x86\xbc\xd6\x4a\xa2\x24\x85\x39\xd8\x90\xd7\x44\x5b\xb6\x42\x75\x61\x84\xa7\xbc\x95\xb4\xc9\xd6\x18\xbc\xf0\x1c\xfc\x6f\xb6\xba\x92\x17\xde\x37\x41\x0b\x6c\xae\x71\x4e\x8d\xe9\x6b\xed\x3f\x4f\xaa\x8e\x36\x78\xba\xbe\x56\x54\xb6\x7c\xff\x99\xa1\x4a\xd2\xf5\x35\xaa\x2d\x5d\x5f\x9b\x38\x7a\xe2\x44\x9d\xfe\xff\xb4\x9a\xf5\xb5\x41\x2e\x67\x21\x44\xf0\xe4\x71\x20\xaa\x56\x6a\xf1\x5a\x18\x8b\x74\xc0\x41\xf9\x6d\x00\xb4\xc9\x56\x02\xcb\x22\x1e\x80\xce\xc9\x93\x4e\x71\x90\xa9\x43\x51\x8d\x21\x70\x31\x3a\x6b\xec\xe8\xf4\xf4\xc9\xc6\xf4\x4c\x63\xfa\x68\x50\x3a\x34\x94\x3e\xdb\x80\x0f\xc2\x58\x9d\x20\xc7\x8e\x1d\x3b\xad\x8a\xa2\x5c\x5d\x28\x4e\xe7\xed\xba\x45\x1e\xe5\x71\x16\x54\xca\x69\xb8\x3e\x80\xa0\x5e\x30\x29\xbf\x00\xcc\xde\x13\x39\x28\x93\xb0\x28\x56\x94\xca\x54\x14\x4e\xba\x01\xf6\x42\x95\x60\x7a\x02\xa1\x29\xa5\xee\xcc\x1c\x6f\xcc\x1c\x6d\xcc\x9c\x58\x9d\x39\x3d\x7b\x6c\x7a\xf6\xe8\x74\x73\x7a\x7a\xfa\xa1\x72\xe7\xd4\xe7\x0d\xf8\xbc\xe8\x9c\xa3\x6a\x3d\xc6\xc6\xe2\x24\xf7\x9f\xbd\x1b\xf1\x97\xb3\xc3\x98\x74\x80\x57\x7e\x57\x6d\x7a\xd3\x01\x76\xea\xc6\xb9\xb7\x30\xf6\xee\x57\xf6\x07\x8d\x1b\x22\xb2\xd9\x0d\x8f\x8d\xe3\xd1\xff\x63\xc0\x0c\xfc\x2a\xfa\x68\x24\x07\xd7\x87\x0c\x24\xea\xbb\x3d\xdd\xa0\x51\x24\x5c\x86\x55\x0b\xc9\x5c\x6e\x84\x92\xab\xce\x01\x0d\xe8\xd4\x34\xef\x4a\x11\x6b\x54\xdc\xd8\x54\xa5\x3a\x1b\x66\x14\xc2\x1d\x27\x5b\xfc\xd4\xf4\x8b\x54\x21\x56\xda\x17\x16\xe4\x42\x5c\x76\x86\xb9\x3d\x56\x74\x7f\xee\xdd\x13\x8f\xc7\x50\x3d\x65\x0e\xa0\xa2\x9e\x3d\x71\xfd\xb8\xf5\xfc\xe6\x10\x8b\xcf\xc7\xf7\x90\x04\xf4\x46\x6f\x8f\x84\x3d\x77\x3f\x93\x84\x3d\xaf\xac\x04\x6d\x3d\xaf\x41\x5b\x8f\xed\x95\x96\xe7\xa3\xfb\xd8\x7d\x7b\xe4\xb6\xf1\xff\x6e\x3c\x90\x3b\xbd\x54\xa2\xa3\x32\xbc\x36\x62\xe4\xf8\xaa\xa5\xce\x5b\x32\x05\x44\x3d\x03\xf9\x3a\x3a\x0b\xed\x2f\xc7\xd8\x7b\xab\x53\xc2\xde\xba\x87\xd5\xf0\x8a\x8a\x94\xb0\x4a\x5e\xa7\x1b\xce\x0c\x63\xeb\x45\x62\xd8\x23\xc1\xe5\xed\x12\xc3\xe4\xb5\x5e\x24\x08\x07\x93\x62\x7f\x87\x93\xc3\x72\xe4\x83\xa7\xaa\x6d\x81\xbf\x64\x52\xc3\xce\x05\xa7\x8b\xd4\x30\x3c\xea\x9f\x56\x02\xd8\x8a\x49\x00\x5b\x0c\xee\xd9\x55\x02\x18\x9f\xa8\xca\xfc\x9a\xb4\x0b\x3d\x4d\x91\x11\x33\xc1\x1d\x39\x52\xb0\x57\x11\x98\x99\x12\xed\x4f\xdf\xbe\x7f\x47\x3a\x35\x93\x94\xa3\x8d\x9d\x4e\xfe\xd8\x6f\xed\x0b\xfe\xba\xb6\xed\x2b\x3b\xa7\x92\x19\xeb\x23\x25\x1d\xe1\x3d\x3f\x4f\x2c\x3b\x23\xdc\x5e\x1d\xa3\x7b\xc1\x51\x1f\x6b\x00\xda\xba\x9b\x8d\xa6\x31\x43\x4c\xbe\x4d\x48\xf6\x20\x90\xfe\x2e\x67\x1d\x92\x61\x51\xee\x13\x42\xc9\xa9\xe3\x28\x49\x79\x57\x76\x93\x74\x30\xd9\xe4\x7c\xa5\xdf\xda\x30\x54\x52\x22\x95\x7c\xad\x1f\x46\x18\x74\x5f\x6a\x6a\xdc\x46\x8b\x18\x34\x58\xa9\xa6\x44\x07\x98\xf4\x10\x26\x52\xad\xf5\x84\xe8\xd8\x93\x4c\x5a\x88\xd9\x96\x93\x42\xa6\x0d\xd5\xd0\x82\xbb\x4a\x6b\x99\x81\x92\x75\x01\xa7\xd0\x6c\xca\x94\xb2\x73\xe5\x0e\x99\x2e\x3b\xfb\xfc\x27\xfe\xde\x64\xc9\x9d\xa1\x34\xae\xd9\xa0\x01\xe9\x1c\x15\x98\x6e\x66\x4d\x84\x31\x87\x89\x2e\xef\xa4\x35\x56\x74\xd3\x7f\x20\x38\x3f\x5f\x4c\xf3\x70\x69\xce\x1a\xa0\xf4\x8c\xac\x80\x83\xc6\xd9\xc1\xd9\x77\x90\x98\xc7\xd9\x11\x6b\x54\x62\x99\x6f\x25\xe9\x55\xd2\xb8\x28\x6d\x91\x82\x3c\xfd\x9f\x1a\x0f\x16\xdc\x47\x76\x52\x4f\x14\xd9\xe0\x88\x10\x47\x84\x23\xa2\x73\xbf\x00\x14\x2c\x49\x4b\xe4\x0c\xbf\x37\xc6\xde\x57\x63\x07\x8d\x09\xff\x5d\x35\x36\xbb\x63\x04\xfb\xea\xa0\x27\xdb\x17\x92\x96\x88\xca\xd8\x7c\x7f\xe0\x2d\x9b\x61\x45\x6b\x9b\x7e\xc1\x12\xaf\x8e\x75\xdf\x9a\x05\x3d\xa6\x80\x20\xa7\xc7\xce\xcd\xdd\x84\xa0\xa8\xd4\xaa\xc2\xc2\xe9\x2d\x90\x70\x2f\x15\x09\x85\xf8\x00\x80\xc6\x4d\x70\xca\x9a\xe5\x5d\x2b\x48\x15\x04\xef\xf6\xf3\x3e\x04\xce\x1a\xf3\xa2\xa1\xa2\x82\x1b\x42\xb0\x82\xc5\x05\x4d\xf6\x63\x1e\x3b\x40\x85\xfb\x3f\xb0\x0d\xa7\x79\xf5\x8c\x52\x39\x34\x8b\xc1\x15\xfa\xdb\xa5\x5f\xd2\x0f\x41\x13\xa5\x57\x6f\xa8\xb5\x7a\x26\x82\x26\xfb\xcd\x71\xf6\xe5\x15\xf3\x38\xd7\x81\x36\x0f\xfc\x0f\x8e\x07\x33\xfa\x0f\x2c\x1d\x22\xc2\x41\x78\xea\xc7\x04\x35\x03\x8e\xa6\x7e\x54\x06\xc9\xfb\x8b\x31\xf6\x7e\x8f\x1d\xee\x25\x6d\x53\xe8\xbb\x3c\x56\xdf\x39\x19\xa2\xf8\x20\xc8\x17\xcc\x72\x86\xbb\xc2\xa8\x9a\x49\x7c\xb6\x92\x46\x94\xb4\x90\x68\x00\x73\xe1\x8d\xab\x54\xcd\x7f\x9c\xb4\x65\x1d\xc0\x56\xeb\x5c\xe6\xad\x26\xc8\xf7\x44\xed\x58\x58\x83\xbd\xa4\x3d\x91\x4d\x4e\x36\xd9\xc7\x3c\x76\xbb\x6a\x76\x9c\x87\xa6\xe9\xef\xdb\x0d\x2e\xe5\x92\xfb\x51\xf0\x44\xa9\xf9\x71\x1e\x36\x76\xea\x03\xd0\x29\xf0\x5e\x3f\x2f\x60\x3b\x9f\x6e\x3f\x36\xd9\x2d\xea\x55\xd3\x87\xce\x2e\x92\x15\x2f\x59\x1f\x04\x27\x8a\xf6\xab\x82\xb6\x19\x7f\x2d\x72\x7b\x49\xbb\xc9\x3e\xb7\x8f\x4d\x54\x14\x7d\x3f\xa2\x2f\x74\x32\x27\x13\xe4\x83\xfb\x82\x37\xba\x99\x20\xe6\xbd\x5d\xe7\x82\x14\x5f\x3c\x13\xd9\x20\x87\x8c\xd4\xbc\xee\x41\x6e\xa3\x8b\x67\x38\xae\x34\xd7\xe2\x1d\xff\x1d\x5e\xf0\x6d\x9e\xc6\x3c\xcd\xec\xb3\xc5\x00\x7d\x60\xf2\x9e\xea\x86\xd6\x02\x8b\x16\x17\xde\xb0\x8a\x3c\x2f\x8a\xfc\xce\x0c\x8d\x19\x76\x6f\x6a\x5d\x7f\x3e\xb5\x7c\x76\x6e\xe1\xe2\xd9\x66\xb7\xfd\x42\x4c\x0a\x69\x08\x75\x82\xdb\x07\xca\x93\x1e\x65\x68\xbe\x26\x88\x35\xeb\x80\x6a\x5d\x79\xd0\xb8\x7a\xe9\x59\x6b\xc5\xaf\xda\xe9\x23\x1f\xf3\x82\x7f\xeb\x6d\x9b\x40\x32\xd4\xb8\xbd\xa4\x90\x3c\xb3\x7d\xb2\xcc\x23\xff\xfd\x10\x7b\x51\x15\x5e\x3f\xca\xe9\x39\x4c\xfc\x01\x00\xa2\x8f\x1c\x0a\x4e\x0e\x3f\x76\xb1\x6e\xdc\xdf\x35\x9c\x7c\x25\xf2\xd0\xdb\x0e\xb2\x8f\x1a\x4c\xc8\x0f\x7a\xc1\xd6\x85\xca\x32\x76\x9d\x3c\x98\x8b\xec\x2a\xa4\x10\x22\x9d\xb4\xea\x68\xc3\xe8\x2f\xd6\x73\x3a\xe0\x1a\x94\xd3\x34\x65\x87\x6d\x1c\x63\x33\x6c\x6a\x67\x2e\x03\xa7\x81\x37\x71\x78\x6e\xe2\x43\x16\x9d\xbb\x89\xa6\xb5\x67\xbc\xb5\x87\x76\x86\x4c\x3a\xe5\x9f\x68\x38\x80\x47\x5c\x03\x28\x05\x81\x41\x4a\x1a\x96\x55\x8c\xfd\xea\xad\x0e\xe4\x9a\xa3\xc7\x22\xee\x91\x56\x66\x7b\xb2\xe5\xbf\xeb\xd6\xe0\x6e\xeb\xef\x92\x81\x40\xeb\xf0\x90\x34\x9c\x01\xaf\x7b\xb6\x81\xac\x7b\x80\xc5\xe0\xaa\x92\xbf\x71\x0b\x7b\xff\x3e\xf6\xbc\x10\x3f\x9a\x8f\x44\x06\xe7\xac\xff\xfd\xfb\x82\x37\xef\x5b\x2c\x3d\xad\xba\x8b\xd9\xef\xf0\x16\x8a\x78\x8b\x2b\x66\x75\x43\xda\x40\xf7\xce\xdb\x7a\xd1\x61\xbc\xa0\x45\x8b\x05\x27\x96\x21\xde\x70\x2e\x90\xa4\x94\x53\x20\x85\xa6\xc5\x31\xdc\xa5\x57\x5c\x09\x4c\xdd\x6a\xb6\x54\x7d\x57\x74\x28\x0d\xe0\xf0\x9c\x4b\x52\x08\x24\xdc\x12\x69\x3b\x33\xfe\x89\x30\x82\xc0\x0e\x62\x49\x00\x2b\xb3\xfe\x84\xd2\xf7\x80\xdc\x40\xc7\x3b\xe1\xa5\x4f\xd5\x2e\xdb\x00\xd6\x01\x46\xee\x82\x19\xa1\x20\xf7\xa0\x9e\x01\xc5\x5b\x37\xcc\xb9\xe0\x5b\x22\x05\xeb\x55\x68\xf3\x0b\x21\x86\x88\xa9\x12\xcc\x0e\x05\x3d\x87\x5e\xff\x8b\x7a\x68\x0a\x2e\x2e\xa8\x13\xa2\x34\x71\xff\x61\x28\x85\x1e\x6f\x89\x09\x01\xc8\x23\x05\x83\x61\x5f\xca\xe6\x62\x77\x5e\x0a\x03\x0e\xe6\x2e\x74\x45\x7a\x15\xad\xf4\x14\x45\x53\xd7\x53\xe6\xa2\xdc\x67\x32\xaf\x0c\xce\xb3\xc7\xe3\x1c\x25\x9b\xd8\x4c\x08\x75\xbc\x8b\x69\xc1\xe0\xae\x11\x3b\x77\xcb\xb1\x18\xfc\x86\xc7\xf6\x81\x86\xec\x7f\xd2\x0b\x9e\xf4\xe6\xcc\x61\x0f\x31\x12\xa8\x3b\xeb\x96\x99\x63\xd6\xae\x80\x32\xd6\xad\x4b\x2d\x80\x94\xc0\xa7\x9a\x7d\xa6\x0e\x77\xfd\x3c\x55\xea\x79\x0b\x57\x00\x62\x3e\x38\x31\x45\x74\x5f\xb4\x8f\xec\xbb\xd9\xe9\xd1\xc6\xd6\x6d\x36\xf8\x72\x3f\x92\xec\x0d\x63\x6c\x2c\x8f\x32\xff\x6f\x6b\xc1\xfb\x6b\xab\x17\x56\x5c\x08\xdd\x26\xa7\xbc\xfc\x68\xe0\x5e\xda\x81\xce\x19\xd5\x72\x2b\x58\x49\x7d\xaf\x1e\xd5\xf9\xf1\xe3\xc7\xa0\xcf\x26\x55\xa4\x2b\xbb\x6b\x44\x02\x01\x73\x04\x23\x48\x61\xf1\xd6\xb2\x53\x03\x9a\x41\x4c\xfa\xc0\x84\x34\xe9\x32\xae\x61\xe8\xbb\xb9\x40\xc1\x9d\x60\x88\xa6\xa6\x20\x7d\x30\x36\x3f\x9b\x0f\x64\xe5\xd2\x22\x34\xd3\xb8\xd3\xea\x7a\x57\xd0\x06\xb6\xb7\x50\xa7\x1f\x75\xc2\x28\xd2\x0a\x8b\x7e\xc3\x74\x7c\xe5\xd2\xa2\x33\x13\xb3\xec\x2e\x76\xf2\x69\xcc\xc4\xea\x85\x15\xf6\xd3\x35\x76\x80\x66\xd7\xff\x57\xdb\x19\x6b\x46\x17\xa3\xed\x0e\x7f\xe2\xcd\x95\x17\x0c\xf2\xe7\x44\x20\x4a\x51\xfd\xd3\x81\xa5\xd2\x24\x12\xb4\x93\xf8\x88\x66\x53\x12\xf1\x00\x16\x67\x93\xcf\xd9\xc4\x3a\x49\x87\x1f\xa1\x12\x8f\xa8\x25\x7c\x04\xd6\xfe\x91\x82\xea\xba\x64\x7e\x31\x5c\x31\x09\x11\x6e\x83\xb5\x28\x8a\x92\x2d\x3c\x97\x13\xd1\x5e\x13\x91\x88\x5b\x32\xb5\xc7\x3d\x49\x75\xfb\xc1\x17\x9b\xac\x87\x2d\xd8\xf4\xb4\x5c\x84\xa6\x96\xa5\x97\x9a\xec\xbb\x0f\x39\xa0\x22\x2e\x7c\xa0\xc5\x80\x36\xa7\xb3\x19\x32\xff\x0f\x0e\x06\xf9\xf0\x63\x8d\x90\x97\x69\x47\x52\x51\x4e\x91\x0a\x91\x59\x66\x57\x25\x74\x8c\x10\xb3\xf4\x4d\x0c\x65\x2f\x88\x6c\x41\xf7\xe8\x88\x96\x8b\x49\xf0\x99\x03\x70\xb1\xdb\x94\xe9\x9a\xba\xd8\x3d\x28\xd3\x35\xd4\x9c\xaf\x56\x58\xd2\x88\xf5\x6d\x0d\x83\x01\x67\xf9\xba\x3a\x21\xd4\x3e\xaa\xf3\x2d\x64\xe0\xc2\x2b\x4e\x9d\x14\xdc\x3a\x6f\xcb\x48\xaa\xff\xf6\xd2\xe4\xda\xa0\xc9\x79\x70\x67\x40\x6e\x4d\x11\x45\x25\xef\xc2\x01\x52\x26\xfc\xf3\xc1\xdd\x5a\x55\x0b\x8b\x88\xfc\x12\x11\xde\xb2\x39\x23\xb7\x29\xf4\xa2\x46\x2d\x58\x08\x4e\x21\x6a\x81\x55\xe0\xfd\xda\x10\xb5\xeb\xe2\x5e\xe7\x91\xf1\xf7\xf1\xa0\xbb\xa3\xf1\x57\xc3\x7f\x68\x8f\x2c\x5a\x4e\x83\x75\x99\x07\xb8\xbc\x22\x69\x3d\xc6\x3f\x83\x26\x0f\x02\x3e\x01\xa9\x98\x93\x23\x1a\xf1\xe7\x35\x76\xc8\xd8\x32\xfd\xcf\xd5\x82\xdf\xa8\x19\x72\x0c\xbb\x41\x8e\xad\x53\xc3\x32\xb9\x6d\x6a\xf2\x42\xba\x82\xc8\x4b\x09\x12\x8a\xb8\x3a\xf4\x47\xf9\x96\x94\xb1\x7a\x5c\x94\x0b\x67\x77\x64\x71\x2b\x67\x76\xcb\x43\x73\x7a\x52\x0f\xc1\xa4\x4b\x84\xc5\x08\x6a\xb3\x2c\x37\x43\xb9\x55\xfe\x0a\x93\x50\x01\xed\x08\xb5\xab\x06\x10\xb1\xb5\x2d\x88\x98\xa1\x01\x0a\x44\x14\x05\xf0\x4d\xd1\xbc\xa1\xaf\xe0\xb6\x66\x28\xe0\xed\x26\x80\xfd\x46\x46\x9d\x8a\x9f\xdc\xfc\xf9\xc2\x94\x7d\x21\xb8\xcf\x36\x46\x5b\xe9\xae\xa0\x74\x12\xec\x0b\xdd\x2a\xd5\xbd\x64\xdb\x55\xf5\x4a\x76\x38\xeb\xaf\x99\xc2\x2f\x07\x67\x56\x8a\x3f\x77\x5f\xbe\x2e\x3e\x4e\x62\x17\xba\xe3\xad\x87\x1c\x7d\xbb\x95\xc0\x71\xa5\x25\x13\xca\xef\x0b\x52\x64\x12\x2c\x0c\x9f\x3b\x18\xbc\xc8\xfc\xe5\x1a\x16\xe0\xb1\xa1\xa7\xab\x34\x28\xfc\xcc\x81\x9b\x97\xaf\xbd\x42\x19\xbf\x5a\x1b\x64\x36\x82\xa0\x02\xca\x58\x0f\x55\x05\x4b\xe0\xf6\x30\xc6\xa3\x27\xfe\xa6\xf9\x64\x0f\xe6\x93\x4f\xd8\xe6\x93\x9f\xd9\xa3\xf9\xe4\x9f\x7f\x91\xac\x27\xba\xa2\xa7\xbc\xf5\x9d\x6f\xfe\x0b\xfe\x19\x03\x96\xec\x2c\xaa\x12\x4c\xb2\x11\x23\x95\xc8\xeb\x3f\xe2\x55\x1a\x3d\x97\x92\xf6\xc2\xa5\x95\x79\xb8\x03\x5c\x46\x1c\x93\x7f\x1e\x9c\x1e\x7e\x6a\x04\xc9\xc2\xa5\x15\x0d\x27\x99\x16\x5e\x6a\x6d\xd3\x77\xa4\xd3\x49\xf6\x95\x74\x80\x7f\x69\x70\xa8\x92\x45\xea\x4b\x34\xa6\xa6\x93\x8f\xf0\xeb\x87\x2b\x81\x11\x1d\xfe\x5a\xff\x7d\x87\x83\x73\xce\x13\x75\x45\xcc\xb8\x58\x5f\x4f\xe5\xba\xc8\x35\xd3\xa7\x4e\x0a\x82\x66\x12\x99\x6d\x9b\xf7\xa4\x75\x7a\xb9\x1c\xf7\xec\xa6\x44\xdd\xab\x44\xbd\x29\xde\x6e\x32\xac\x38\x0c\x2b\x1f\xd5\x0c\x2b\x3f\xbd\x1d\xc3\xca\x48\xf6\x6a\xd5\x8b\x51\x74\xd5\x44\xf6\xfb\x5c\xd0\x8a\xfc\x61\xc1\x94\xf2\xa9\xed\x98\x52\xaa\xfb\x81\x71\x30\xef\xf4\x28\xd2\xc9\xee\x0b\xa5\xb5\x19\xe9\x84\x92\x4b\xed\x6e\xb5\x6a\x75\x90\x4c\x3f\x13\xeb\xf2\x39\xe9\xe9\x53\xde\x03\x3b\x9f\x4a\x47\xfd\xe9\x46\x85\x05\xda\xe9\x74\x19\xa2\xff\xdd\xb7\x8c\x70\xbc\xb5\x52\x99\x3b\xee\xe5\xbf\x3a\x1c\x7c\xc1\x9b\x6b\x8b\x5e\x8e\x11\x14\xea\x05\x25\xff\x12\x2e\x34\x44\x25\x02\x0a\xb8\xe4\xc6\x26\x2e\x0b\xbf\x38\x92\xf1\x05\x91\x0b\xb2\x4a\x68\xf3\x52\x11\x1b\x0c\x48\xd2\x1a\x51\x2f\xe3\x9d\x10\xed\x7a\x0e\x6a\x03\x79\xf0\xad\x72\x08\xc2\x41\xbd\x8d\x87\x48\x53\x37\x50\xbb\xb1\xb7\xf5\x5f\xab\x79\xad\x70\x60\x3b\xa7\xd0\x5f\x1f\x62\x7f\x34\x06\x20\x1e\xea\x52\x77\x31\x69\x4b\xff\xb7\xc6\x74\x58\xef\x7f\x18\xbb\x4c\xc6\x95\x59\x80\x22\xe5\x6b\x6a\x99\xd8\x86\x52\xcb\xb1\xca\x93\xd8\xe0\x0e\x62\xff\xd6\x06\xc6\x8c\x52\xe0\x5e\xc7\x3c\x69\xe5\xfa\x64\x31\x57\xd0\xe9\xe9\xe9\x69\x68\xef\xf4\xa9\x53\xa7\x10\xd2\x48\xe7\x39\x94\x5e\x84\xb7\x4e\xcc\xcc\x34\xf9\x2b\xe6\x2e\x5e\x00\x78\x42\x35\x75\xc0\x10\x8e\x25\x0b\x88\x72\xb2\x3e\xce\xea\x00\x17\x57\x24\x3b\xbb\xbf\xc2\x0d\xd3\x74\xcf\xf5\x0f\x4f\x9f\x3c\x7e\xbc\xc9\x17\xc2\x14\x40\xc6\x43\xb2\x40\xeb\x78\x2d\x91\x17\x00\x01\x98\xf7\x6f\xc5\xe8\x52\x64\x8d\x66\x94\x0e\xd7\x37\x34\x86\x70\x2b\x89\x3b\x51\xa8\xd1\x69\x30\x26\x43\xeb\x37\x68\xae\x87\xb2\x8a\xb9\xef\x42\x3c\x07\x24\x0e\x74\x32\xb0\x6e\xe0\x91\x4c\x66\x89\x7e\x94\x6b\x23\x36\x16\x56\xcc\x55\x26\x73\x37\x42\xf8\x5d\xe3\xfa\x12\x72\x7d\x3c\xf8\xd4\x58\xd9\x76\x0c\xa1\x88\x6e\xbe\x6b\xc5\xba\x34\x16\x11\x8a\x3d\x6a\xeb\x65\x59\x2c\xfc\xe4\x55\x38\x1a\xb0\x93\x2c\x00\x5b\x08\x4d\x82\x4e\x6d\x41\x94\x61\x6c\x59\x5b\xae\xca\x01\x74\x8b\x76\x9a\x7e\x4c\xb0\x3f\x8b\x9d\x32\xc3\xba\xd2\xa4\x65\x1b\x37\xcf\x36\x35\x17\xd6\x5a\x35\x61\x14\x0a\xd9\x8f\x87\xbe\xa6\x43\x9a\x36\x2d\x41\x9c\xab\x36\xd9\x31\x63\xe4\x33\x20\x7c\x6d\x0b\x28\x1e\x2c\xc0\x30\x0a\x75\xbb\xbf\x99\xcc\xfb\x3d\x2c\x5f\xa6\x29\xe4\xf8\x03\xd0\x38\x72\x4b\x93\x4f\x42\x9b\x30\x9b\x7c\x49\xb5\xd0\xd8\x3c\xd5\xa6\xcd\xc3\x4d\x69\xf4\x2f\x55\xa7\xa6\x25\x57\x95\x1c\x69\x36\x8f\xe0\x32\x4c\x52\x9e\xe5\x22\xa5\x35\xa5\x9e\x3b\x17\xc8\x26\xab\xb3\x3b\x77\x3c\x47\x5e\x2a\x07\xab\x89\x6a\x02\x5b\x62\x07\x75\xa3\xfc\x85\xe0\xe4\x0a\x99\x47\x6d\x6c\x74\x9a\xf2\x24\x85\xb3\x03\x86\x51\xb7\x9b\xf2\x57\x9c\x50\x88\xb7\x78\x8c\x65\xf0\x09\x78\xe6\xbe\xde\x0b\xb6\x6c\xb4\xfc\x4c\x0b\x5e\x1d\x25\x74\x24\xb3\xac\x3e\x08\x96\xfd\xb4\x91\x8e\x35\xbc\x31\x56\xe2\x40\xb1\xdc\xca\xbe\x6c\x74\x10\x82\xff\xb9\x5b\x82\x3f\xf4\x74\x54\x1d\x68\x96\xaa\x4d\x6d\x2e\xd6\xb2\x3c\x15\x86\x0f\x2a\x4b\x3a\xf9\x16\x62\x7d\xe2\xab\x2e\xc3\x44\x77\x90\xbd\x3a\x9a\x44\x82\x68\x34\xf2\x24\x1d\x22\x4e\x06\xe1\x6d\xbf\xcd\x8f\x1d\x9b\x3e\x39\x59\x40\x1d\x80\x7d\x15\x57\x3a\x88\xd8\x62\xe3\x6b\xe6\x03\x13\x37\x84\xdc\xcc\xda\x11\x09\xc1\xa4\xb0\xee\x44\x9c\x6d\x81\x37\x93\x74\x52\x74\xfe\x58\x8e\x0b\xb4\xe1\x3a\xc7\xc2\xdb\x19\xfb\xdb\x42\x09\xf9\x33\x8f\x35\x77\x1b\xb8\x41\xea\xc7\xcf\x79\x17\x8b\x5c\x86\x68\x50\xa4\x30\xb8\x11\xe5\x3a\xda\x92\x2f\x25\x56\x26\x3c\xfc\x32\xc8\x72\xd9\x6d\xf2\x65\x1d\xc4\x73\x93\xdc\xed\xe6\xed\xec\xe6\xed\xec\xff\xd7\xb7\xb3\x8f\xe9\xdb\xd9\x87\x77\x13\xe7\xab\x05\x8a\xba\x97\xbd\x71\xf8\x5e\xe6\xb2\x5d\x1a\x41\xf2\x9c\xdc\x5a\x2e\xef\x7c\x6b\xa9\xfb\x77\x56\xdd\x5a\xa8\x53\xe5\xfb\xca\xa7\xdd\xd0\x99\x0a\xca\x30\xcb\xb3\xee\xff\xc4\xad\xc1\xff\xf0\xac\x07\x65\x68\x76\x0c\x1b\xe8\x8a\x5e\xcf\xb0\xc1\x80\x5e\x81\x48\x41\xc2\xd2\x66\x20\xca\x80\xa4\x0b\x68\x1b\x4a\x00\x93\x5f\x57\xe3\x5f\xab\x0d\xd1\x4a\xba\x8e\x57\x57\x1d\x76\x9d\x30\xcd\x72\x2e\xd5\x36\x16\x85\xc3\x0b\x4a\xec\xa2\xd3\x10\xa0\xf1\xd3\xa4\x9f\xe3\x85\x01\x66\x8d\x0a\xb7\xa2\x69\x0c\xd4\x1d\x7c\xa5\xaa\xb1\xba\x06\xa9\x1d\x25\x9c\xe6\xc3\xec\x25\x6c\x5c\xcd\xb3\x7f\x86\x7d\xcd\xc8\x65\x54\x31\x86\xe7\x57\x57\x97\xca\x65\xb3\xcf\x32\x62\xd2\xf8\x4d\x16\x7c\x82\x01\x97\x06\x29\x9e\x08\x94\xf3\xea\xbe\x88\x70\xb0\xda\x49\x57\x29\x5e\xda\x29\x28\x38\xf9\xcb\xa1\xcf\x55\x50\x16\xc7\x4e\xdf\x75\xb2\xc9\x2f\x25\x39\x46\x6c\x14\x79\xd9\x6d\xb9\x19\x52\xd4\x8b\x91\x58\xc1\x06\x70\x6f\xf4\x94\x12\x47\xa7\x23\xc1\x79\xe8\x52\x31\x03\x18\x4a\x9d\xe5\x33\x4d\xbe\xb8\x94\x15\xd7\x0f\x44\x04\xb2\xa3\x2a\x0a\x16\x2b\xd3\x59\xb8\x26\x40\x84\x85\xe8\xf5\xa2\x01\xcf\x13\x46\xc8\x32\x8b\x4b\x46\x89\x55\x1b\x4d\x13\xa4\x08\x30\x08\xe8\x50\x13\x76\x14\x43\x81\xae\xcc\x5e\xe1\x6d\x09\xf9\x4d\x98\xda\xa2\x5a\x90\x4a\xb5\xac\x60\x01\xc9\x96\xe8\x67\x18\x45\x31\xdc\x42\x76\x88\x97\x42\x3f\xf0\x06\xdb\xb1\x69\xb7\xc2\x0c\x22\xa7\xc2\x56\xa8\x5e\x9a\xbd\x6b\x1a\x56\x97\x9a\x73\x75\xda\xa9\x22\x66\x8f\x1f\x3f\x66\x1e\x66\x4d\x76\x26\xc1\x55\x94\x61\xc0\x0f\xa6\x5c\xea\x3e\x75\xfa\x6a\x6b\x8f\x5a\xc8\x18\x25\xd3\xe6\x62\x5d\x84\x71\x96\x9b\x58\x0f\xbe\x26\x3b\x89\x1b\x6d\x53\x2c\x49\x84\xda\xa5\x17\xc3\xcc\xbd\x46\xd9\x01\x2d\xb0\xfe\x33\x27\x02\xc7\x90\xe8\xb8\xd7\x93\xa1\x3a\x18\x2e\x47\xba\xdb\x05\xbd\x54\xb6\xc2\x4c\x06\xc5\x1d\x44\x38\x6b\x52\x07\x47\x81\x75\xa2\xe0\xd9\xe3\xed\x24\x1f\x5e\xaf\x94\x4d\x10\x74\x92\xa4\xb9\x26\xd2\x66\x2b\xe9\x06\x93\x80\x1c\xb1\x15\x46\xed\x96\x48\xdb\x41\x7d\x54\x45\xbd\x54\x76\x00\xf6\x80\x88\x98\x28\x46\x47\x7f\xc8\xc1\xd4\xa0\x2b\xb8\xb3\xa9\xaa\x80\xe2\x71\xf5\x98\xd7\x0c\x8a\x02\x3f\x72\x27\x05\x7a\x88\x5e\x4f\x8a\x54\xed\x9f\x30\xcf\x64\xd4\x29\x4c\x20\x4a\xd6\x2c\x5c\x5a\xa1\xb2\x51\xe5\x41\x20\x3d\x5c\xcf\xba\x11\xf0\x3b\x52\xdc\x10\x2b\x15\x21\x3b\x96\x5a\x57\x54\x81\xed\x84\x91\x7e\xf1\x8b\x79\x70\xa7\x6a\xe7\xb2\x5e\x1f\x26\x52\xa8\x62\x8d\xc0\x27\x14\x87\x12\x97\x76\xf8\x96\x18\xe0\x1e\xed\x70\x2d\x52\x68\xfa\x34\x33\x16\x54\x60\x3a\x81\xda\xa2\x92\xe5\x14\x33\x04\x6b\x1d\x26\x0a\xb9\x71\xc0\x89\xae\x64\x11\xb0\x01\x01\x3f\xd0\x51\xa7\xf8\xa2\x87\x24\x78\x9f\x76\x35\x79\x52\xd4\x04\x2b\xb4\xdf\xe9\x84\xd7\xf8\x44\x2a\xbb\xc9\xa6\x3e\x51\x70\x46\x60\x2c\x27\xb5\xb8\x30\x43\x0c\xf1\x3d\x4e\x8e\xc1\x21\xf6\x4f\x2a\x99\xaf\x50\x4b\x5b\xe9\xaf\x65\x32\xf7\x3f\x7d\x30\xf8\xc9\x31\xf7\x59\x39\xb5\x08\xb1\x75\xc8\x0e\x03\xc4\xbc\xdd\x2e\xa1\x8f\x42\xc2\x75\xaa\x94\xc3\xd5\x0d\x8b\x12\x8d\x7e\x2a\x32\xdd\x48\xba\xcf\x8b\x34\x97\x59\x28\x62\x75\xff\x69\xf7\x5b\xf0\xd6\x9c\x29\xff\x1a\x5f\xc2\xc2\xce\xd9\x57\x39\x08\x95\x9c\x65\x9c\xbf\x06\x70\xb2\xcc\xeb\xb3\xfc\xe1\xd7\x04\x61\x2f\x98\xe5\xc1\xcc\x74\x53\xfd\x5f\x73\x26\x78\xa2\xce\xdd\x87\x47\x9b\x47\x83\x27\x1e\xad\xc3\xa7\x50\xfa\x2c\x80\x6d\x3d\xfc\x9a\x40\x6d\x2b\xf5\x9e\x08\xea\x3c\x50\xbd\x08\x66\xf9\x5d\x27\x4f\x9d\x80\x22\xf4\x8f\x6b\xd6\x8f\xc7\xa6\x4f\x3f\xf1\x28\xe3\xfc\x09\xb0\x4d\xa2\x11\x08\xe0\x2c\xcb\xbd\x25\xe1\xb1\x19\x4a\x40\xfd\xce\x10\xef\x4c\xcc\xf2\x87\xb9\x69\xe9\xac\xaa\xaa\xce\x4d\x23\xe1\x6f\x4e\x0d\x5d\x73\x5f\x3d\x36\x7d\xda\x7e\xf3\xd8\xf4\x69\xfe\xa8\x73\x3c\x7f\xf7\x3e\xf6\xdf\x3d\x76\xc8\xcc\x94\xff\x69\x2f\xf8\x1e\x6f\x71\xc9\x9e\x3b\x10\x2b\x49\xa7\x43\xa6\x04\xad\x79\xe0\x81\x81\x26\xb0\xd4\x8e\xd8\x04\x56\x93\x26\x81\xb4\x15\x7d\xa3\x8b\xd3\x9a\xc4\xbb\x75\x5b\xa6\x6a\xbe\x45\x07\x63\xa7\xa2\x44\x28\x65\x06\x63\xc0\x30\x25\x17\x2f\x02\xb0\xc2\x11\xd4\x41\x3a\x56\x92\xe3\xec\xe8\x2e\x92\xb8\xf4\x02\xa5\xc9\x67\x3f\x5a\x63\xcf\x8f\x93\x5c\x5d\x54\x07\x66\x41\xf8\x6f\xa9\x05\xbf\x7c\x23\xbd\x5e\xeb\xe7\xe6\xa8\x6c\x99\xe3\xb1\x34\x04\xe6\x68\x85\x28\x46\x10\x6c\xea\xfd\x81\x54\x72\x28\x06\xd2\x55\x34\x03\x85\xf1\x7a\x1d\x7f\x37\x37\xf0\x8e\x08\x23\x55\x14\x94\xa4\xb4\xe8\x8c\xb7\x36\x64\xeb\x6a\xdd\xa0\xdf\x0e\xbf\x1a\xa9\xe5\x6e\xde\x7c\x06\xc6\xea\xb5\x6c\x1f\x74\xd7\xcf\x82\x63\x90\x61\x89\x60\x09\x76\xd8\x5b\x12\x3b\xa3\x63\x0f\xa1\xd3\x80\x19\x36\xb5\x2b\x6e\x3d\x6c\x80\xaa\x8c\xfd\x8f\xb1\x4a\xfe\xa1\x73\x51\xd2\xba\x2a\x53\xc7\x2d\xf0\x91\xb1\xe0\xa3\x6e\xd6\x19\xbd\xa5\x0d\x7b\x3a\xd3\x88\xcc\x15\xfa\x57\xb1\x0e\xb6\xc3\xcb\x31\x1a\xed\xe0\x6c\xa2\x30\x1f\x75\x05\xca\xd0\xfc\x85\x36\x6a\xfc\x1b\xa0\xbf\x8a\x95\x9c\xc9\xbc\x59\xaa\x6b\x2f\xd9\x6a\x2e\x25\xa9\xc7\xbe\xd1\x63\x87\xad\x86\xf8\x83\x20\xb2\xcd\x70\xf4\x13\xcf\xf2\x24\xc5\x75\x67\x80\x2b\x1b\xf7\x92\xe6\x1b\x3b\x6f\xaa\x9d\xa6\x9b\x5b\xb9\x1f\x41\x81\xd5\xa1\xed\x2e\x72\xcd\x61\x6b\x08\xfc\xa5\x60\x1e\x86\xc2\x6d\x49\x91\xbe\x8a\x20\x34\x05\x33\x28\x5d\xfc\x74\xdd\xf4\xbe\x5d\xc1\x9b\x6e\x71\xa6\x9b\xac\x81\x6a\xc6\x71\xaa\xe7\xf2\x5c\xb4\x36\xd4\xe0\xf9\xbf\x7b\x38\xf8\x2e\xaf\xfc\x94\xb7\x44\x4f\xe9\x8d\x1a\x48\x3b\xa7\xa8\x69\x01\x6f\x60\xac\x1f\xfc\xcb\x55\xe3\x4c\x42\xda\x94\xd1\xed\x8b\x1f\xe3\xa4\xad\xf4\xba\xa1\xaa\x28\xea\x87\x44\x40\xdc\x30\xb6\x4f\x60\x6b\x56\xdf\xbb\x24\xcd\x87\xd8\xaf\xd8\x16\x82\x8f\xee\xd9\x42\xf0\x2f\xca\x16\x82\x2f\x82\x7d\xe0\x5d\xda\x3e\xf0\x76\x8f\xdd\x35\x72\x6b\x6f\x33\x8f\x60\x2b\x78\xcc\x65\x01\xd2\xeb\x89\xdc\xb8\x38\x79\x53\x34\x73\x9a\x18\x8b\x6c\x09\x15\x76\x48\x2b\xf1\x9c\x4c\x92\x6a\xe4\xb5\x65\xf4\x63\xde\x36\xe1\xd4\xdb\x35\x14\xad\xa4\x6f\xd0\x4e\x5a\x6a\xe4\xd0\xb2\x30\xac\x89\x43\xed\x42\xf4\x4e\x48\xf9\x88\xa4\x31\x9e\x0d\x2d\xcd\xa4\x47\x20\x32\x04\x23\x89\xb1\x86\x68\x3f\x6c\xe0\xdb\x32\x6d\xde\xb4\x75\xde\xb4\x75\x7e\xd1\x6c\x9d\x4f\x79\xed\x9d\xcd\x69\x73\xfe\x7d\xc6\x9c\xa6\xf7\x55\x29\x2a\xad\xbc\x79\xca\x36\xb6\x6f\x1f\x73\xee\x20\x43\xbb\xf3\x6c\x9a\x26\xa9\xff\x47\xb5\x60\xc1\xfa\xbb\x38\x03\x44\x4c\x1e\x3c\x19\x43\xce\x1b\x1c\x6e\xed\x3e\x72\xc1\x69\x41\x62\xb6\x9b\x7b\xf0\xbe\xad\xc6\xfe\x95\x57\x00\x04\xfd\x90\x17\xbc\xd5\x43\x50\x7e\x4a\xf8\xd6\x0b\x62\x64\x0d\x73\x66\x63\x2f\x94\x36\x36\x9d\x90\xb4\xd0\x28\xd9\x29\x4a\xd6\xd7\x65\xbb\xce\xb3\x84\x87\xb9\xde\x74\xb6\xf7\x30\x93\x80\x04\xb4\xe9\xa4\x30\x95\xb0\x4c\xc6\xf3\xb0\x2b\xfd\x87\x9e\x3e\xdc\xd2\x57\xad\x6a\x3c\x25\xec\xd7\x96\xc8\xec\xbe\x35\xd9\x17\x0e\xd8\xf4\xf0\xdb\x14\x37\xb7\xb4\x08\x7e\x6f\x88\x64\xfe\x77\x07\x82\x65\xfb\x81\x1b\x46\xab\x7f\xa9\x17\x09\x21\x96\xda\xdf\x0e\xb3\x16\xa5\xb7\x61\xb2\x80\xc8\xf9\x14\x54\x75\xdd\xdb\x0f\xeb\xcb\x8d\x7b\xfe\xf3\x7d\x37\x65\xe3\x5e\x65\x63\x9f\xd1\xc8\xfa\x57\x83\x7f\x8c\xff\xaa\x9e\x32\x47\xbf\xbf\x31\x5a\xd8\xe1\xa5\x72\x53\x24\xef\x45\x24\xaf\xee\x2c\x92\x67\xfc\xa9\x2a\x0f\x87\xbd\x33\xcb\x22\xf8\x1b\x6e\x67\x5f\xb1\xcd\x25\x2d\xf3\x3f\x77\x5b\xf0\x37\xb5\xb3\xb6\xa9\x46\xf0\x56\x12\x45\xd2\xf8\xda\x8b\xdb\x3f\xd8\x09\xdc\xfc\x5a\x8a\x6f\x33\xce\xa0\xb3\x68\xb7\x99\x65\xfc\xff\x63\xef\x4d\xc0\x24\xb9\xaa\x33\xd1\x2f\xb2\xaa\xba\xbb\x6e\x4b\x02\x62\xc6\x33\xf3\x8c\xe7\xf9\x4e\xc8\xb8\xbb\x44\x56\x56\x6f\x6a\x49\x8d\x90\x28\xf5\x82\x0a\xf5\x52\xaa\xaa\x16\x66\xaf\xa8\xcc\x9b\x95\x41\x45\x46\xa4\x22\x22\xab\x3a\xc5\x60\x23\x04\x03\x06\xc6\xec\x3c\x28\x16\x83\x6d\x04\x02\x06\x8f\xcd\x66\x56\x03\x7e\x5e\xb0\xc1\x30\x5e\xb0\xdf\x78\x81\xf1\xb0\x3c\x83\x17\xc6\x60\x6c\x7a\x6c\xbf\xf7\xdd\x73\xce\xdd\x22\x33\x6b\xe9\x6e\x49\xd8\x5f\xd9\x1f\xea\xca\x58\x6e\xdc\xf5\xdc\x73\xcf\xf2\xff\x40\xd1\x7d\x8c\x07\xed\x5e\xbe\x5a\x0f\xaa\x8c\x73\xb4\x2f\xe5\xc7\xf8\xd3\xc0\xcc\x81\x06\x9d\xcb\x32\xe9\x68\xa3\xce\xe5\x18\x74\x38\x7f\x6e\x75\x8b\x15\x3a\x5c\x3b\xbc\xe5\x6f\xdf\x74\x78\xe8\x97\x6f\x38\x6a\x7d\xd8\xb5\xe5\xdc\xb7\x77\x47\xfa\xed\x68\x86\x3b\x5e\xf0\x2b\x7a\xca\x7d\xef\x28\xdb\x9d\xa3\xf0\xf1\x7f\x66\x34\xf8\xd2\xc8\x42\x4b\x28\xbb\xad\x8b\xc9\x46\x96\xea\x6e\xa2\x56\x4d\x1c\x73\x7a\xb3\x66\x99\xaa\x81\x89\x0a\x19\x19\x20\xe8\x8d\x1e\xe9\x4f\x60\x9e\x99\xcd\xd1\x72\x98\xb7\xc2\x4c\xd4\xf8\xb4\x72\x9a\x28\xc8\x7a\x30\xaa\xeb\xc4\x6a\xb0\xd4\x55\x09\x39\xaa\x69\x11\x22\xa1\x2d\x12\xd0\xd2\xfa\xee\xc9\x69\xb4\xdf\x31\x53\xd6\xe5\x33\x30\x25\x4d\x32\xb6\xc6\x8e\xc9\x27\xd0\xc5\x42\x61\x8c\xe4\x47\x51\xf5\xc1\xb4\xc6\x46\x94\x77\xe2\xb0\x87\x1e\x50\x53\x86\x6a\xa6\x82\x96\x32\x77\xc8\x0d\x70\x36\xb5\x1a\x16\xc7\xca\xb9\x14\x25\x18\x2d\x6a\x75\x60\xd2\xe0\x67\xcb\x16\x5c\x07\x51\x0b\xbf\x55\x43\x06\x43\xc7\x0f\xa1\x30\xf2\x68\x3f\x92\xe7\xf1\x2c\xca\x85\x15\x92\xb0\x7d\x0c\x1c\xd7\x05\x72\xd1\xbb\x73\xf3\xcd\xb8\xe6\x57\x07\x6d\xc6\x7a\x2b\x2d\xef\xc4\x3f\x33\x3a\x30\xf3\xc5\x09\xe2\xf2\xff\x71\x24\xb8\xc9\xb9\x32\x8c\x03\xde\x86\x6f\x36\xcd\xb6\x36\x92\xf7\x8d\xb0\xd7\xb8\xd4\xfc\x2f\xac\x04\x3f\xa0\x98\xf9\x55\xd8\x1c\xe0\xc8\xda\xdd\xf5\x04\x76\xcb\x70\xa0\xbc\x0d\xd6\xbc\x43\x8d\xbf\x11\x33\xdf\xb8\xbf\x1b\x49\x45\xd9\x45\x8f\x0f\xe5\x0a\xdd\xe5\x8f\xb6\xc3\x0e\x7b\x50\x78\xf6\xdf\xe0\xb1\xab\xe2\x34\x6c\xdc\x46\x8e\x0a\xff\xc5\xde\x86\xa9\x7e\x38\x4e\xa7\xad\x37\xc8\x96\x74\xa7\x7d\x6d\x30\xfa\xa5\x1b\x7b\x27\xbf\x3a\xa9\xfc\x23\x80\x55\x90\x26\x42\xf3\x4b\x26\x45\x8d\xbd\xb9\x32\xd0\x6b\x77\x3a\x6a\x47\xc5\x5c\x98\x2c\x43\x6c\x8e\xff\x77\x5e\x70\xd6\xbd\xa4\xb5\x82\x90\xb7\xa3\x64\xaa\x1d\x5e\xc0\x9c\x02\x84\x44\x75\x12\xdb\x15\x0b\x28\x40\x03\xa4\x09\x4c\x5b\x79\x14\x43\xf0\x54\x67\x0e\xbd\xdc\x63\x2f\xf3\x18\xdd\xf1\xef\xf5\x82\x5b\xe1\xab\x5a\x4c\xea\x6c\x56\x5d\x97\x99\x42\xb4\xb5\x65\x55\xbb\x95\x54\xf6\xc3\x25\x2c\x4c\xb7\x68\xf6\xf1\xab\xd8\xe4\xc6\xf0\x09\x56\xc4\xc9\x6c\x58\xb4\xfc\x97\x5e\x15\xa4\xa5\x6b\x26\x14\x06\xf0\xc3\xe5\x15\xf2\x6d\x2a\x44\x0e\x13\xb6\xd0\xcd\xe2\xdc\x84\xc9\x38\x31\xe8\xcd\x34\x5b\x0b\xb3\x46\x5f\xa4\x4d\x6d\xdd\x53\xe0\x0f\x4e\x6f\xde\xbb\x97\xfd\x9c\x67\x70\x21\x5e\xbf\x91\x21\x73\x73\x5c\x88\xa7\x1a\x78\x51\xa3\x0f\x5a\xf1\xe1\x6a\x85\x1b\x85\x24\xa5\x3d\xa3\x40\xa0\x63\x88\x8b\x50\xce\x76\xbb\x2d\x35\xf6\x96\x0a\xe1\xd3\xbd\xb6\x12\xbc\xa8\xa2\x10\xea\x06\x39\xe4\x31\x12\xba\x89\xec\xc8\x6e\xa4\x87\x1d\x18\x13\x61\x48\x85\x32\x85\x58\x64\x0e\x8d\x28\x57\xd4\x5a\x5a\x87\x32\xdb\x78\x18\xf3\x40\x7e\xc2\x04\xe9\x84\xfc\xfc\xdc\xe9\xa1\x81\x3f\x4e\x30\xf7\x72\x94\xa8\x71\xdd\x37\xb5\xaf\xc6\x9f\x0c\xdc\x49\x76\xd0\x08\xa0\xca\xc3\x2b\xf0\xed\x72\x0b\x9c\x58\x15\xc7\x52\xf3\xc1\xdd\x6c\x8f\x7c\x71\x41\xca\xaa\x07\x76\x07\x6f\xdc\x3d\x4b\xbf\xec\xb0\x60\xe5\xc3\xc8\x3a\x99\x28\x1c\xd3\x38\x74\xa9\x9a\x55\x58\x6d\x78\x59\xe5\x14\x0c\x22\x7d\x26\x32\x2d\x7e\x9d\x3c\x63\xd5\x8b\x63\xfc\x8c\x8e\x30\x10\xd0\x29\x30\x16\x42\xde\x8b\x7b\x35\x7e\x1d\x9f\x85\x98\x11\xf3\x9c\x8e\x81\x09\xcd\xe3\x18\x57\xc2\xf3\x4e\x1c\x15\xb2\x2b\xa1\xa3\xce\xa8\xe9\x0e\x44\x58\x0d\xa8\x4d\xa2\x56\x0a\x51\xd8\xca\x87\xf5\x9f\x61\x1e\x49\xf5\xc8\x7d\x00\xe6\xa2\x12\x15\x8c\x6b\x61\x01\x8e\x32\xbd\xd7\xc3\x2b\xfa\xf3\x10\x61\x3f\xb5\x4f\x11\x73\xa5\x99\x2c\x55\x45\x54\x48\x1d\x9e\x71\x12\x5c\x52\xa2\x61\x0b\xa4\x18\x15\xab\x22\xeb\xf1\x8e\x22\xa8\xc3\x1a\x4c\xae\x45\xb9\x8a\x9c\x81\x50\x05\xea\x53\xc6\x75\x91\x88\xaf\x48\xe1\x62\xf2\x6c\x4b\x72\x3a\xcc\x0b\xdd\x0e\x1d\x98\x55\x50\x5c\x8e\xd4\x4c\x14\x1d\x76\x3a\xe0\x05\x83\x4a\x0d\x2f\x55\x29\xf3\x00\x22\xb2\xa8\xf6\x18\x00\x33\xd5\x4c\xd3\xa9\xa5\x30\x53\x8d\x12\xb9\xbe\x34\xb5\x14\xde\x53\x22\x98\xc3\x37\xd5\x03\x4b\xe1\x3d\x13\x35\x76\x5d\x09\xd2\x49\xf9\x61\x8e\x21\xf3\xd3\xc6\xf3\x0e\x5c\x7c\x1d\x8c\x48\x2b\x4a\xf8\x49\xfd\x58\x51\x72\x6a\x02\xa7\x19\xe1\xe1\x43\x4f\x28\xfe\x34\x35\x81\x65\x8f\x64\xf4\x98\x6c\x35\x78\x0e\x81\x69\x4f\x8a\x9f\x59\x1a\x8a\x0c\x67\x30\x76\x29\x82\x2e\xb0\xf2\xe7\x50\xe9\x25\xb2\x58\xd0\xb0\xd1\x11\xab\x96\xac\x02\x6b\xb0\x53\x87\x06\xf7\x85\xb3\x70\xff\x71\x9c\x3d\xd6\x12\xb3\x9d\x34\x8e\xea\x3d\x2d\x62\x67\xd3\xc6\x3c\xd1\xc7\xcc\xc2\x1d\xff\x73\xe3\xc1\xeb\xbd\xbe\xcb\x7c\x39\x5d\x15\x19\x6d\xf5\x21\x82\x7f\xc9\x0a\xb4\xc3\x15\x51\xc2\xe1\xb1\x12\x8b\x54\x19\xfc\x78\x9a\x14\xe2\x02\xa1\xa8\x2a\x09\x1c\x76\x3a\x71\x84\x6d\x0d\x09\x9a\xb6\x61\x94\x76\xd9\x50\x0d\x56\x16\x25\xfc\x60\xed\xd0\xc1\x5a\x19\x2e\xe2\xd9\xe4\xcb\x5b\x1a\x7e\x6a\xdb\xb4\xc5\xe0\xcf\xfb\x0f\x79\x39\xf4\x17\x5f\x33\x1b\xf9\x8e\x91\x62\xc7\x48\xb1\x63\xa4\xb8\xb2\x70\x11\x4b\x9b\x9f\x39\x6f\xf5\x1f\xaf\xcf\x9c\xb8\x24\xf5\xb9\xb3\x6f\x25\x0f\x44\x8a\xf8\x1f\x8f\x74\x03\x34\x34\x68\x34\xe0\x45\x64\x51\x2a\xdf\x87\x1d\xc0\xff\xe0\x23\x83\xe7\x38\x57\xf4\xa2\x56\x61\xee\x04\x04\xd4\xa1\x87\x08\x20\x10\x91\x95\x53\xca\x73\xa2\x5b\x94\x0c\xa9\x32\x0b\x17\x34\xa5\x2c\x69\x3c\x61\xd2\x23\x22\x43\x7a\xb2\xb6\xee\x21\x7c\x84\x23\xe4\x3e\x7a\xcd\xce\xba\xd9\x59\x37\xae\x71\xef\x05\x15\xf6\xc8\x4e\x26\x44\x1b\xb2\x27\x69\xdf\xfe\x6b\x2f\xf8\x1f\xde\x6c\xe9\xaa\x3a\xb6\xd2\x2f\x50\x21\xe9\x91\x64\x59\xa5\xef\x15\x2d\x2e\x8f\x23\x99\x9e\xbb\x18\x5a\x96\x36\xf9\x59\xa9\x65\x56\x39\x95\x7a\x5a\x3e\x34\xab\x9f\xb1\xf5\x90\x41\x4f\x48\xd5\xb2\x9b\x98\xf0\x2a\x0d\xa6\x27\x17\xe6\x64\x2c\x9b\x5d\x05\xb2\x68\x1d\x6e\x72\x36\x4d\x66\x75\xed\x74\x31\xc4\x2b\x3d\x09\xbc\xd2\xf6\xd8\xbe\xd3\x53\x78\x2b\x6f\xd1\xe4\x5a\x2f\xf6\xcc\x42\x53\x9b\xae\xbb\x5a\x4d\xb0\x97\xe5\xcc\xd1\x8f\x80\x82\x02\xfd\x92\x89\xba\x88\x56\x85\x02\x38\x55\xa1\x90\x85\x83\xd8\x16\xe5\x24\x02\x50\xb7\x8f\x00\xf7\x1e\x79\xae\x9d\x8c\xe8\x1d\xdd\xe1\x32\x75\x87\x97\x7a\x6c\x2f\x82\xf7\x22\xaa\xcf\x7f\x0c\x52\xeb\x27\x9d\x82\xc2\x6c\x29\x2a\xb2\x30\xeb\x29\xd1\x08\xa3\xd9\xcd\x91\x8f\xa2\x93\xa5\xab\x51\x43\xe4\x7c\xb9\x1b\x35\x44\x0c\x1d\x9e\x26\x6a\x7c\xfb\xe6\x89\x15\x68\xd8\xcd\x4b\x87\xe1\xfb\x47\xd8\xd5\x88\xe1\x48\x8b\xc0\x7f\xcd\x48\xf0\xc2\x11\xe7\x92\x8e\xc7\xcb\xad\x8c\xe6\x28\xe7\xee\x06\x33\x2c\x9a\xb1\xb0\x40\x53\x75\xbd\x60\xf9\xca\xb9\x49\x78\x97\x86\x85\x5b\x6e\x26\xe5\x69\x7e\x4e\x85\x85\xba\x5f\xa4\xed\xc7\x04\xfd\x2e\x3a\xd5\x5e\xac\xf1\xdb\xd3\x35\x5c\xf7\x51\x13\x01\x68\x8b\x16\x64\xf4\x94\x4a\x12\x39\x02\xca\xe5\x3a\xb9\x2a\xca\xca\x85\xd1\xa2\xcf\x05\x26\x80\x01\x9f\x13\xd8\xbb\xdb\x61\x1c\xcb\xf9\xa7\x57\x6a\xde\xad\xb7\x4a\xb8\x98\x7d\x9f\x53\x07\x07\x00\x87\x18\xd2\x49\x0e\x8d\xf8\xf6\xa3\x7e\x8c\x76\x50\x0a\xfc\x71\xea\x52\x36\x74\x7f\x77\x2f\x3b\xb2\x11\x7e\x27\xa1\x03\xce\x75\x63\x41\xe0\x80\x64\xfc\xfe\xf8\xde\xe0\xeb\x95\x61\x77\x5d\xfb\x2a\x39\x2f\x90\x37\x0a\x72\xef\x30\x5e\x1a\xc5\x19\xfc\xad\xc6\x16\xac\x3a\x9d\x58\x14\x00\xf8\x2c\x12\x70\xcf\xa8\x4c\x20\xf2\x01\x69\x68\x4f\xe2\xe0\x02\xf9\x01\x3c\x72\x0a\x00\x58\x65\xde\x00\xce\x72\x0f\xa3\x6b\xe4\x90\x77\x44\x16\xa1\xc1\x8d\xc2\x86\x28\x3b\x0f\xc2\x84\x6e\x23\xa7\x8c\x0b\x3d\x8a\xf5\x05\xce\x73\x60\xe6\x5e\x15\x30\xb9\xb0\x21\xe4\x32\xc9\x11\xbf\x04\xc9\xc4\xe5\xbe\x0a\x31\xf6\xf2\x6c\x98\xe7\x5d\x8a\xf0\xc9\xb1\xa7\x78\x2b\xa4\x35\x60\xa0\x41\xaa\x5c\xac\x8a\x04\xcd\x19\x61\xa1\x39\xc9\x4d\x57\xd4\xd6\xbd\xab\x95\x68\x81\xae\x5e\xf7\x1e\x99\xa4\xc9\x9c\x7b\x89\x99\x17\x1c\x35\xec\x35\x7b\xd8\xcb\x2a\xec\x11\xa6\xa9\x18\xc8\xf5\xf7\x5e\xf0\x0d\xef\xa4\x7b\x11\x46\xc1\xb8\x81\xea\x69\x7b\x89\x20\xce\xb0\x43\xe1\x4b\x48\xfc\xaf\xf9\xc1\x74\xdc\x57\x5a\x07\x3b\xba\xee\x5b\xe8\x20\xf3\xd5\x2a\xae\x93\x10\xc5\x9d\x81\x67\x25\x81\x20\xf2\x64\x9f\x89\xe0\xee\x7b\x17\xb3\xfa\xc3\x82\x3b\x8d\x96\x97\xa7\xd2\x4c\xee\xbe\xee\x75\x0a\xf3\xb2\xba\xd0\x96\x81\x7f\xe2\x31\xab\xb3\xfc\xdf\xf6\x82\x5f\xf6\x66\xcc\xc4\x03\x3e\xf8\xae\xd9\x3e\x69\x0e\x64\xa2\xe8\x66\x89\x85\x60\x52\x0f\xe3\x98\xb8\xed\xf5\x67\xf4\x0e\x0d\x54\x85\x98\x7d\x13\xf7\x9c\x88\x35\x28\xd6\xe9\x03\xa7\x6b\x54\xf4\xa9\x73\x7f\x50\xff\xe4\xf6\xec\x75\xb0\x24\x5e\x57\x61\x7d\xf3\xc3\xbf\xb7\x12\xbc\xdf\xeb\xeb\xa8\x92\x6f\x20\xac\x2b\x98\x15\x33\x63\xa3\x5c\xe5\x26\xca\x29\xdd\x11\x59\x33\xcd\xda\x72\x4d\x26\x69\x32\xa9\x77\x3c\x3c\x26\x60\x39\x59\x43\x64\x68\xb2\x82\x3a\x47\xcb\x09\x84\x1b\x27\x45\x15\x73\x0f\xc9\xb0\xdc\xe8\x02\x05\xa6\xa6\x5f\xeb\xa4\x79\x1e\x2d\xc5\xfd\x23\x67\xdc\x10\x8f\x67\x8f\x63\x37\x6d\xc4\x80\xe6\x0a\xaf\x52\x73\xd9\x4f\x56\x98\xbb\x90\xfc\xbf\xf3\x82\xff\xe2\x5d\xb9\x2e\x79\x88\xbb\x63\x63\xd4\xeb\xa1\x58\xcc\xd8\x17\xa3\xec\xc0\x06\x0f\xa3\xc5\xa9\xd4\x81\xfe\xef\x8d\x04\xa7\x4b\xd7\x78\x2b\x8d\x1b\xb9\x1d\x26\xa9\x10\x37\x34\x91\x1a\x2e\x67\xe5\x87\xb6\xa7\x8d\x3c\x37\x8a\x6c\xc9\x75\x64\xfd\x75\x85\xfd\x96\xc7\x1e\x61\xcd\xe0\xf3\x73\xa7\x73\xff\x43\x5e\xb0\x6e\x4f\x60\x79\x91\x4e\x93\x94\xdd\x16\x66\x45\x14\xc6\xe8\x05\x42\x7b\x1e\x72\x23\x90\xa6\x82\xea\x06\xc0\xdc\xc2\xb9\x8f\x5f\x47\x82\x1d\x87\x12\x2d\xb8\x98\x2d\x69\x12\x9c\xab\xbc\x19\xc9\xd5\x98\x17\xa2\x63\x9b\xc1\x07\x20\xdb\x9a\x71\xb9\x9a\x39\x30\x8a\x6f\x91\xda\xbe\x6c\xa6\xff\x1a\x2f\xb8\x60\xa0\xa6\xd5\x14\xb3\x20\xa7\xed\xce\xd1\xb0\xd3\xb9\x83\x3b\xdd\x81\x6c\xea\x4e\xb7\xb0\x50\xa6\x31\x9f\xbc\x25\xc2\x46\x55\x41\x25\x6d\xa7\x82\xff\xe5\x11\xec\xd8\xa5\xf1\xa2\x82\x87\xf3\xaf\xae\x09\x9e\xb5\xc1\xfd\x12\x75\x85\xca\x34\x68\x76\x11\x67\x39\x04\x83\x2c\xd9\xbc\x87\x14\x53\x5b\xf7\xae\x81\xbf\x16\x00\x55\x6c\x4e\x34\xd7\xbd\xbd\xed\xf0\xc2\x40\x5a\xe3\x2f\x5d\xcd\xde\x5b\x61\x7b\x54\xd2\x82\xff\xb6\x0a\x3b\xbd\x2d\xd6\xc4\x21\x95\xb8\x8d\x0a\x0c\xbe\xe0\x69\x70\x05\xad\x72\x90\x80\x20\x5a\x42\x1b\x7c\xa1\x30\x60\x68\x2a\xb4\xe2\x3c\xa4\x69\xf3\x13\xe9\x5a\xc2\x1b\x00\x9e\x05\x22\x66\x3f\x7c\x87\x6e\xc2\xdf\xf0\x04\x28\xa2\xb9\x4a\x20\x8f\x56\x45\xdc\x9b\x80\xd4\x56\xc8\x79\x52\x80\x4a\x4a\x9b\xbc\x7d\x76\x7a\x1e\x6b\x31\xa7\x99\xc5\x90\x29\xb3\x6b\x15\xcc\x1b\xb2\x64\x39\xfb\xe1\x84\xc0\x1e\xf0\x98\xdd\x9f\xfe\x1b\xf4\xb1\xf4\x3e\xcf\xba\xae\x43\x6e\x3a\x1d\x91\x59\xee\xea\xc2\xe1\xf5\xd5\xdc\xc6\x8e\x17\xd3\xe2\x06\x96\x6a\x86\xaa\x13\xa8\x13\x75\x6d\x82\x89\x91\xd5\x24\x2c\x78\x3b\x4a\xd4\x67\xdd\x13\xe9\xbd\x63\x6c\x37\x31\x6c\xfa\x7f\x3b\x1a\xbc\x6b\x54\xd1\x6d\x3a\x4a\x67\x6e\x67\xb9\x60\x37\x50\x5d\x00\x2c\x09\x08\x23\xc2\xb8\x0e\x59\x23\xce\xbc\xa4\xda\x73\x64\x91\xda\x5f\x00\xf2\xc2\x85\xa8\xdd\x6d\x97\x6e\x85\xf5\x2c\xcd\x31\x73\x5d\xd5\xc0\x56\xf3\x27\x6a\x1c\x36\x81\xc1\xe5\xa2\xfe\x50\xa7\xa4\x15\x8a\x29\xea\x69\x52\x7a\x59\x6b\x0d\xea\x66\xcd\x20\x3c\x74\x28\x8c\x23\x97\xb6\x93\x4c\x11\xfd\x9c\xd6\xf2\xe0\x55\xe3\xfc\x64\xb6\x9c\x56\x2d\x6e\x52\xf8\x6e\x2e\x25\x75\x3d\x03\x84\xeb\x50\xb9\x0f\x1a\xa6\x92\x51\x82\x37\x1b\xb8\x29\x01\x7b\x95\x3c\x40\x84\x35\xce\xe7\x85\x20\xb7\x69\x23\x5a\x8d\x1a\xdd\x50\x75\x04\xb7\x31\xba\x09\x3f\xce\x65\x03\x21\x1a\xdf\x56\xba\x86\x98\x6a\xc0\x81\x9b\x36\xd5\xfb\x50\x2f\x39\xe1\x53\xf0\xef\x0f\x99\xea\xf4\xb0\xea\x74\x3a\xaa\xdd\x78\xe0\x31\xc3\xe8\xc9\xb7\x41\xde\x31\x9c\x4d\x55\x8a\x34\xf6\x37\x15\xb6\xd7\x9a\xa0\xfe\x9f\x55\xd4\x7a\xf9\x6c\xc5\xba\xae\x95\x09\x30\x52\x5d\x81\xf5\x22\x97\x6d\x8d\xcb\x25\xd3\xb0\x6c\x58\x07\x91\xc6\x8f\x97\xbe\x6c\xe9\x28\x4b\x82\x1f\x50\x0e\xd3\x30\xee\xb4\x42\x65\x9b\x02\x33\x96\x12\x1a\x62\x21\x7d\xaa\xc8\x52\xc8\xa5\x4f\xc2\x25\x48\x72\x95\x67\x28\x9b\x88\x02\x4d\x8a\xe8\x17\x24\x4d\x95\xc6\xc1\x39\x81\xc9\xe9\x41\xc2\x50\xd6\xa4\x8e\x38\x6d\x39\x8f\xd3\x64\x19\x34\x5d\xbb\x4c\x2a\x00\xa7\x71\x64\x65\xbb\xba\x0b\xff\x3f\x55\x58\x69\x17\xf0\xbf\xed\xb1\xdb\xb7\x35\x86\xc7\xe5\x9a\x25\xe3\x55\x99\x6a\xf5\x7e\xcf\x2d\x9d\xab\x48\xea\xd4\x5e\x82\xc6\x30\x9d\xe2\xa0\xe0\xca\x88\x0c\xf2\x63\xa1\xc8\x6a\x8d\xd0\x51\xab\xce\x36\x9a\x40\xd8\x36\x2c\xac\x9c\xaf\x09\x79\x96\x40\xc6\xec\x3a\xb1\x90\x12\x46\x07\x9e\xa0\x2d\xd9\x51\x63\x1f\x1d\x63\xc1\xe6\xd9\xc4\xfe\x6b\xc6\x82\x9b\x4b\xd7\x50\xf1\x28\xba\x9d\x58\x94\xd5\x34\x8a\x75\x34\x09\xc5\xb5\x75\xaf\x12\x75\x9c\xad\xf5\xd3\xa3\xec\x28\xdb\xa3\x88\x5e\xfc\xeb\x82\x7f\xbf\x40\x40\x0f\x8e\x61\x51\x99\xde\x6d\x1d\xe3\xad\x15\x56\x89\x3a\xfe\x1b\x2a\xc1\x4b\x2b\x0b\x88\xa8\x52\x7e\xbc\xc6\xcf\x10\x88\x1f\xa4\xe8\xa4\x9d\xa5\xb0\xbe\xc2\xf7\x1f\x3c\x74\x43\xed\x80\xfc\xff\xa9\x1b\x27\xa4\x26\x94\xac\x4c\x22\x3a\xdc\xfe\x83\x47\x6f\xaa\x1d\xba\xfe\x08\xdc\x3b\x78\x74\x02\x52\xb5\xad\xfb\x20\x55\xeb\x72\x92\xed\xdf\x7f\xe8\xd0\x11\x2a\xe4\xd0\x11\xb9\x7b\xce\xae\x1e\xc5\x25\x92\xa7\x04\x92\x29\x4f\x76\x5d\xa4\xb3\x45\x64\x1b\x3a\x6c\x51\x18\x46\x1c\xf3\x4e\x1c\x16\x52\x82\xe5\x35\x3e\x1d\xe7\x69\x55\x13\xb6\x5b\x0a\x9c\xd4\xd3\xd3\x44\x24\x05\x29\x6d\x70\x6f\x12\x20\xe4\xaa\x3a\x00\x14\xbe\x8e\x49\xfb\x76\x17\xad\xb1\x3d\x49\xda\x10\x90\x78\xbc\x12\x3c\xd3\x80\x8b\x9e\x4d\x1b\x88\xa4\xa2\x29\x4d\x4d\x97\xa1\x0d\xc5\xe5\x68\xd2\x61\x2d\x56\xb0\x2c\x76\x09\x38\xac\x21\xc9\xd6\xfe\x70\xcc\xc6\x0b\xbd\xa4\x9e\xb5\x85\xbc\xf5\xf2\xca\x79\xac\xfe\x53\x7e\x81\x9c\x35\x68\xb5\xd4\xa9\x5b\xaa\xc6\xec\x1d\xbb\x9c\xd9\x0b\xb5\x51\x07\x8e\x79\x6d\xc5\xf2\x9f\xb7\x2b\x58\x30\x3f\x2d\x9b\x24\x2a\x5a\xfa\x46\x3d\x4d\xf2\x22\x0b\x35\x4b\xb3\x2c\x4f\x23\xbf\x62\xf6\xd9\x5c\x37\x29\xa2\xb6\xc0\x60\x09\x17\xc8\x6f\x8c\x7d\xbd\x82\x34\xaf\xf3\x04\x18\xe8\x7f\xb1\x12\xfc\x52\xc5\xbe\x02\x8a\x7a\xae\x62\x61\x50\x39\x21\x28\x47\x85\x70\x09\xc7\xe1\x86\x0a\xd7\x53\xc7\x74\x18\x2a\xe7\xe3\x7c\x56\xca\x05\x85\x6c\x5b\xba\x6b\xe0\x87\x96\x74\x0b\x55\x90\x01\xf0\xc7\xaa\xa0\x2e\x83\xa1\x8a\x15\xc4\xd3\xa6\x53\x94\x53\xff\x28\xe7\x10\x4e\xa9\x11\x69\x10\x40\x52\x93\x6a\xd8\x0f\xd7\xf8\x74\xd2\xd3\x18\xac\xa4\xd2\xe8\x70\x65\x50\x0e\x70\x3f\x41\x3b\x3b\x81\xf7\x36\xc8\x96\x55\x7b\x57\xe9\x6c\x61\xf5\xb6\xd4\xca\xf7\x16\x69\x4c\x89\x79\xb9\xff\x96\x4a\xf0\x61\xcf\xba\x80\xa7\xb1\x4e\x47\x00\x30\xc9\x7e\x60\x61\x86\xf9\x63\x8e\xc6\x13\x70\xe0\x06\x27\x47\x37\x49\x34\x33\x73\x7f\x57\xaa\xcc\xc3\x86\x31\xb2\x41\x70\x07\xa8\xcf\x18\x32\xae\x66\x26\x1d\x1f\x69\xfc\xb0\x3a\xc6\xb3\xa3\xa2\x3b\x8a\x52\x0f\x3b\xba\xc4\x14\x9b\x64\x8f\xdd\x9c\xe4\x5b\x37\xf5\xa2\x77\xed\xd0\x68\xda\x71\x7f\x77\x58\xa4\xed\xa8\xce\xd8\xdb\x18\x3b\x65\xef\x67\xaa\x31\x99\x58\x8e\x20\x56\x96\x0e\xf6\x77\x85\x71\xd4\x00\x30\xa3\x27\x8b\xa5\x56\x9a\xae\x1c\xb7\xa9\xc4\x20\x29\xf0\x8b\xe3\xc1\xb9\xcd\x1f\x73\xcf\xa5\x1b\x3f\x3f\x98\x08\xe5\x6b\x3b\x44\x28\x97\xed\x31\x7a\x8d\xa6\xa6\x7d\x89\x17\xec\x3b\xbd\xb5\xd1\xb0\xa7\xe3\x02\x9b\x63\xb3\xc3\xd5\xa2\x4b\x9b\x46\x3b\xce\xfc\x1d\xae\x59\xd3\xb8\x8b\xde\x0b\xbc\xcd\x1d\x54\xa1\xff\xac\x21\x5c\xa9\x83\x27\x61\x39\x65\x7d\x53\x81\xc5\xd8\x67\xaf\x61\x87\x36\x74\x60\x19\x8a\x2b\xcb\x4d\xe5\xbf\xf6\x9a\xe0\xc5\x63\x83\xef\x71\x91\x74\xdb\xb0\x09\xe4\x8e\xdf\xc9\x32\x04\x1b\x2a\x00\x3a\x9d\x29\x1b\x30\xc1\x9f\x87\x06\x9c\x19\xf7\x66\xed\x3c\x28\x9b\x95\xfb\x3c\x15\x83\xfc\x5e\x72\x6d\xec\xcb\x4b\x9e\x29\x44\x3d\xdf\xdc\xc7\x05\xcb\xc7\xf2\x73\x0d\x69\xb4\xeb\x33\x96\xbb\xdf\xf9\x19\x10\xa0\x79\x2b\x5d\x9b\x6a\x45\x0d\x45\xa6\x96\x83\x9a\x5d\xa4\xfc\xee\x6e\x54\x5f\x89\x7b\x3c\x16\x05\x38\x2e\x92\x06\xf6\x47\x26\xc2\x5c\x9f\xf0\x29\xb4\xc0\x26\x18\x9f\xd1\x19\xf7\x67\xcf\x2d\xf0\xdb\xcc\x07\xb5\xeb\x03\x91\x44\x30\x21\x3d\x83\x83\xa3\xd3\xf2\x86\xa8\x47\x88\xa9\x1f\x2a\xc8\xb6\x30\xca\x05\x1e\x3f\xa1\xb0\x86\xe8\x74\x8b\x5e\x95\xd7\xc3\xba\xc5\x78\x3f\x95\x89\xd5\xb4\x6e\x79\x94\xea\x69\x96\x89\x7a\x91\x10\xf9\x64\x5d\x64\xb2\x7e\x03\x08\xd1\xf0\x71\x20\x73\x73\x28\xd4\x42\x82\x3f\xa4\x82\xf8\x5a\xd8\x43\xfd\x5b\x4a\xb0\x61\x95\x56\x14\x85\xb3\x33\x34\xb4\x03\x21\x6c\xee\xdd\xc3\xee\xb0\x64\xc6\xad\x97\x19\xff\xc3\x5e\xa2\xc0\x63\xee\xf5\xd8\x89\xad\xfb\x0c\x06\xcf\x16\x08\x3c\xbd\x09\x8c\xbb\xfd\xe6\x7f\x3d\xf0\x3a\xb2\x1a\xf3\xd4\x34\x14\x6a\x8d\xbd\xc3\x40\xc4\xbc\xc9\x63\xb7\x6d\xa3\x3a\x43\x1c\xce\xc1\x5d\xe4\x78\x86\x68\x9d\x38\x46\xb5\x54\x61\x65\xa3\x87\x18\x4e\xe9\xda\x6f\x39\x60\x65\x87\x7d\xeb\x79\x27\x74\x76\x27\x74\xf6\xe1\x84\x19\xe8\x6c\xbe\xc5\x9e\xf1\xef\x98\xd4\xe0\xc9\x83\xd6\x6a\x29\xe2\xc3\xec\xc0\xce\xda\xa2\x9d\x97\x7d\xf2\x2a\x76\xad\xb5\x00\xb3\xa5\xb0\xae\x0f\xe7\xc7\x91\x9a\x72\x2e\x8d\x85\xff\xfa\xab\x82\xef\x79\xd6\x05\xc2\x22\x20\x6a\x70\x0a\x91\x03\xfe\xd8\x30\xc6\x2f\x12\xb0\x3f\xc6\xf3\xa1\x6f\x02\x53\x42\xd1\x76\x61\x65\x43\x41\xba\x82\xec\x4f\xb9\x80\x43\x2e\x8b\xbf\x2d\xa2\x2d\x31\xe3\xd6\x47\xe9\x6a\x39\xde\x7e\xf5\x60\xed\xe0\x0d\xf2\x8f\x66\xb8\x8a\x3e\x18\x68\xc6\xa0\x06\x4f\xad\x1e\xb4\x0b\xc4\x65\x44\x74\x17\x60\xab\x14\x19\x9a\x96\x01\x9c\x1f\xcb\x3e\x74\xa8\x64\x43\x18\x97\x27\xdb\x47\x28\xc2\xb3\x28\x4d\xc0\x57\xba\x5e\x61\xd7\x0f\x15\x6c\x4e\xbf\x4e\xbb\x6f\x06\x5f\xf6\x4a\x57\x28\x48\x4c\x53\xf9\x62\x68\x52\xc9\x7e\xd7\x4a\xd7\xe0\x64\xde\x8d\x62\x75\x5a\x55\xfe\x1f\x58\x15\x56\x33\xc1\xa4\x3e\xe0\x1b\xca\xc2\x9e\x58\xef\xcb\x2d\xce\xe1\x36\x4f\xc2\x65\xb2\x0b\xa3\xeb\x8a\xec\x94\x20\x9f\xf0\x15\x6d\x90\x2f\xd2\x76\xc7\x9c\xa4\x4d\x29\x3b\x62\x75\x47\xac\x3e\x8c\x87\xb1\x96\xa5\x57\x3d\xfd\x72\xe3\xaa\x1f\xbd\x41\x58\x35\x7b\x9e\xa6\xaf\x5f\x0b\x8e\xe0\xe2\x40\x7d\x09\xe0\xae\x75\x74\xf3\xf0\x95\xba\x75\x48\x51\x47\xa2\x98\x62\x2f\x7a\xe9\xe6\x7b\xc8\x69\xff\x49\x3a\x8e\x70\xa8\xa8\xd4\xa7\x32\xab\x7a\x03\xd3\x16\xbe\xb7\x8b\xfd\x98\xa9\x98\xc1\x99\x9f\x94\x5d\x88\x0a\xaf\xee\x50\xe7\x01\xb3\xd1\x74\xa5\xe8\x50\x81\x1e\x16\x2b\x70\xee\xbf\x69\x57\xf0\x94\xe1\xb7\x1d\xc1\x41\xe9\xdc\xc6\xe7\x9d\xdb\x4f\xca\xde\x76\x0b\x2a\x99\x86\x7f\x71\x8c\xfd\x95\xc7\xc6\xe0\x55\xff\x2b\x1e\x7b\xf6\xb0\xae\xbf\xa2\x2d\x04\x37\x5c\xb0\x8a\x15\x76\xb5\xd5\x3a\xbc\x63\x96\x2f\x89\x36\xf8\x20\x0f\xf9\xe2\x14\xbc\xb4\x68\x37\x13\xf7\x08\x3c\x7c\xc2\x16\xb2\x68\xf9\xc4\xa6\x56\x0f\x2e\x82\x93\x4e\x71\x1b\xd7\xd8\x27\x46\xb4\x5e\xfe\xbe\x11\xb6\xf2\xd0\xb4\x18\x15\xf8\x5f\xa9\xd0\x78\x6d\xb7\xd1\xf0\x96\xd3\x6a\xca\x1e\x26\x17\x26\xe0\x8c\x97\xf9\xe1\xcb\xc5\x76\xb2\xa8\x1d\x66\x3d\x23\xda\xa2\xe5\x44\xca\x26\x6b\x6f\x93\xaf\x2d\xea\xaf\x15\x61\x72\x4f\xa8\xc2\x3b\xd4\xa6\x73\x68\xf3\x0f\x0d\xac\xf0\x80\xaf\x85\x49\xaf\x80\xbc\xcf\x94\xe2\xaf\xc3\x64\x0b\x35\x60\x9f\xd9\xd3\x47\xc7\x8f\x59\x9d\xea\x00\xb5\x90\xae\x88\xc4\x09\xe4\x7d\xdd\x9e\xe0\x44\xdf\x55\xe5\xb8\x36\xa1\xbb\xe0\x01\x95\x8f\x71\xb7\x50\x9d\x41\xee\x2c\x9e\x4f\xed\x66\xaf\x1a\x63\xe3\x61\xb7\x01\xc6\x88\xdc\x7f\xc1\x58\xf0\xf5\xd1\x69\xf5\x13\x2d\xfd\xf4\xcb\xc2\xac\xcd\x79\xbd\x95\xe6\x42\x9f\xdc\xac\x4f\x29\x26\x27\xd4\x47\xda\x9d\xb0\x88\x96\x62\x04\xf5\xc7\xa0\x1a\xf9\xbc\xd5\x0e\x34\xda\xcb\xdf\x35\x3e\x9d\xd8\xb8\xb8\xa0\x4c\xf5\x9c\x2b\x89\x49\xff\xce\x0d\x96\x56\xa9\x44\x38\xee\x86\xa6\x09\xe4\x14\x80\x6f\x80\x75\x86\xee\xd4\xf8\xb4\xda\x15\xfb\x0b\x81\x63\x3f\x3a\x89\x44\x61\x22\x55\x6a\xa6\x5c\x8a\x3b\xc7\x79\xbe\x8a\x16\x30\xa1\xe2\xd9\xac\x96\x0f\xe8\x3e\x1e\x59\x61\xaa\x0a\x9f\x05\xc6\xb3\xaf\xfc\x22\xe5\x22\xc9\xbb\x99\x30\x5c\x5a\x76\x2d\x4d\x50\xb5\xfe\x4c\xb8\x06\xa0\x38\x40\xfb\x66\x3f\x6a\x49\x17\x64\xb1\x2f\x7d\x51\x91\x3e\x02\xcb\xbe\xbe\xa7\xc7\x55\x80\xe2\x12\x14\x59\x57\x04\x55\x6b\x96\x45\x39\xe5\x98\xd9\x08\x06\xba\x4c\xea\x58\x0b\x7d\xd6\x32\xa7\x6c\x10\xe9\xb6\xcc\xae\x76\xbe\xed\xdf\x15\xdc\x3e\xed\x56\xc6\x12\x3f\xd4\x31\x58\xa1\x35\x79\x2c\x29\xd1\xb2\x84\x7c\x25\x49\xd7\x12\xb0\x1b\xb8\x31\xb8\xb7\xb3\x31\x30\xc9\xf9\xb7\x06\x87\x30\xb6\x7a\x68\xc1\x75\x39\xd2\xc9\x3e\xd0\x93\x20\x18\xde\xc5\x81\x5e\x63\xa3\xb2\x78\x3f\xdd\x00\xf7\xa4\x7f\x9d\x9f\xcf\x45\x36\x93\x34\xd3\xe0\x46\xf9\x97\x5a\xce\xea\xea\x40\x7e\x19\xca\x32\x51\xab\x86\x3d\x7f\xcc\x46\x9f\xb4\xd8\x54\xd1\x19\x17\xa5\xc9\x71\xad\xd1\x6b\x44\x19\xff\xb3\xa3\xc1\xd2\xc6\x8f\x94\xe2\x01\x01\xd5\x86\x92\x03\xcc\x7b\xf6\x99\x03\x67\x3e\xf9\xda\xd1\x89\xbc\xee\x8d\x4a\xe5\x6e\xdd\xa3\xed\xca\x11\x3e\x9f\x19\x61\xa7\xf5\x3e\x76\x5b\x70\xbd\x0b\x22\xac\x41\x76\xaa\x0a\xba\x61\x01\x92\x3b\x4e\x85\x71\x2e\xaa\xfc\x7c\x02\x43\xea\xf8\xc7\x6f\x61\xf0\x35\xff\x68\x30\xb1\x40\x81\x4a\x43\xaa\xaa\x0b\x77\xde\x7f\xad\xc7\xfc\x38\xcc\x8b\x85\x2c\x04\x58\xd1\x34\x59\x88\xda\xc2\xff\x89\x4b\x87\x0e\x3d\xb1\xa0\x80\x0c\x0a\x85\x21\xaa\x3f\xcd\x0b\xfd\x19\x05\xd4\x21\x1b\x4a\xdb\x2b\xec\x2d\xb0\xa9\xd4\xd8\x53\x0c\xe6\xea\xd9\x60\x7a\x9a\xb7\xba\xed\x30\x81\xc0\x04\x80\x9a\xa7\x7b\x6a\xe6\x1a\x38\xd6\xdc\xb2\xf1\x99\x8f\x39\x4d\x3e\xc5\x76\xa1\x1d\xd8\xbf\x39\x98\x42\x0b\x38\x58\x85\x55\xf4\x93\xae\xed\xbe\x9c\xda\x31\xb8\x9c\xaf\x56\xd8\xbe\x01\x93\x10\x1d\x01\x67\xc2\xce\x1d\xa2\xa7\x1d\xf7\x1f\xae\x04\x3f\x8c\x3f\x72\xa2\xa6\xa4\xa4\x57\xfd\x74\x6d\xdd\x1b\x59\x11\x3d\x17\xc4\xaf\xc2\x7e\x94\xc9\xab\xfe\x0f\x07\xfe\x02\xf1\x6c\x02\x7f\xab\x2c\xc9\xa9\xcc\x0b\x3c\xa2\x51\xff\x8f\x41\x6a\xc3\xc2\x93\xed\xa2\xd8\x36\x03\x63\xba\x2a\x32\x29\x44\xa7\x08\x3f\x66\x52\x2e\xc6\x49\x82\xe4\x99\x02\x1f\xc2\xd4\xb5\xf0\x8f\x5d\x8d\x39\x8b\x7d\xf2\x54\x70\xe3\x20\xf6\x49\xdd\x62\x8b\x80\x72\x43\xfe\xc9\x5f\xdb\xcd\xaa\x1b\xf5\xf3\xd9\xb4\x21\xf0\x07\x31\x00\xbc\x76\x77\x10\x0f\xbd\xeb\x86\x62\x3a\xb1\xe1\xa9\xb1\xf4\xd8\x23\x83\x46\x1f\x8c\x1f\x53\xe1\x83\x6a\xae\xc8\xd2\x6b\xeb\xde\xb8\xf6\xa9\xac\x7b\x30\x0c\xeb\xde\x23\x65\xe7\xc6\xa2\xc0\x62\xee\x28\x8d\xec\xdf\x8c\xb1\x0f\x7b\xac\xef\x19\xff\xe7\xbc\xe0\x75\xde\x1d\xa5\xab\xbc\x21\xea\x71\x98\x69\x22\x0a\xd9\x61\xfd\x44\xae\xa6\xbe\x60\xf2\x87\x00\x45\xad\xeb\x39\x45\x92\x93\x4a\x1e\xc8\xbb\x70\x40\x2d\xa5\x92\x6a\xbc\x8c\x08\x83\x8b\xea\x61\xae\x4e\x20\x34\xcc\x1d\x9a\x6c\xad\xe0\x69\x67\x2d\x1a\x58\x7d\xba\x4c\xfa\x67\xa0\x53\xc5\x72\xf2\xea\xe6\x5f\xfc\x09\x66\xfa\xd8\xcf\x02\x88\x44\x42\x86\xd1\x41\xdf\xc6\x3b\x57\xb4\x02\xbf\xe0\xb1\x47\x28\xa5\x58\xd9\x86\xde\xec\x05\x2f\xd7\x29\x1a\xca\x40\x54\xae\x4f\xf9\xfe\x36\x6a\xd5\x4c\xb3\xa5\xa8\xd1\x90\x2a\x47\x82\x53\x4d\x2e\x28\xb4\xfc\xd8\x35\xc6\x5b\xa8\xbf\x38\x34\x0a\x1e\x1b\xe9\x46\x0d\xa0\x6c\x3d\x3f\x73\xa2\xaf\x6a\x16\x69\xc3\x43\x51\x9d\x2f\x8f\xb3\xfd\x83\x90\xeb\x10\xce\xfb\xdc\xbc\x43\xe3\xf1\xbe\xf1\xe0\x90\xc3\xe2\xa1\x1f\xe3\x1d\xd9\x93\x39\x70\x3a\x10\x78\xb7\x3e\x5e\x39\x8b\xec\x5b\x7b\xd8\x27\x3d\xb6\xab\x99\x03\xbc\xd2\x07\xbc\xe0\x1d\xde\xa9\x28\x16\xe8\xc2\xc3\xb8\xde\x22\x45\x3a\x10\x8b\xe6\x1a\x29\xb0\xad\x67\x4c\xb0\x1d\xa9\xfe\x40\xba\x44\x28\xde\xc9\xb2\xe6\x3b\x3d\x79\xa1\xc6\x03\x71\xa1\x38\x12\x54\x79\x70\xa1\x99\xcb\x7f\x92\xa2\x99\x07\x08\x82\x43\x8c\x68\x60\xb5\xca\x74\xe8\x2b\xbe\x40\x59\xdd\x0a\x51\xca\xe9\xb5\x0b\x6c\x8f\xdc\xf6\xce\x25\x71\xcf\x8f\x83\x67\xda\x09\xe2\x4d\xa9\x17\xf0\xfd\xf2\xf6\xd4\x5a\x16\x15\x62\x02\x59\x57\x21\x49\x15\x94\x5a\xb0\x77\x02\xd6\x0a\x1a\xd9\xd4\x4d\xa2\xb8\x96\xa3\x85\xbd\x7e\x46\xf6\x42\xee\x2a\x8a\x9f\xf7\xd8\x38\x12\xef\xce\x89\xa6\xff\x29\x6f\x03\xa3\xb1\x41\xb7\xab\x87\x71\x39\x04\xef\x45\xde\xbc\x2a\xa5\x1c\x2b\x87\xdc\xc1\x14\xf7\x2e\x85\x6a\xba\x24\x85\xb3\x32\x0a\x9a\x31\x97\x3a\x74\x3d\x13\x70\x9e\x08\xe3\xbc\xc6\x75\xe8\xb5\x81\xe1\x52\xc1\xd7\x44\x0e\xae\x11\x71\x8a\x42\x6a\xff\xa2\x51\x63\x2f\xf5\x18\xc3\x29\x03\x91\x8c\xcf\x0d\x3a\x77\xe9\x5f\x6a\x75\x80\xa6\x31\xa9\x35\x0d\x5b\x94\x99\xea\x10\xbf\x3c\xa7\xde\x43\x9f\x3a\x1c\x00\x21\x48\x8e\x18\x4f\x06\xb8\xdc\xed\x91\xfd\xc2\x08\x7b\x84\xa9\x0d\x8a\xb6\x8f\x8d\x04\xef\x1d\xb9\xcb\xbd\xd8\x17\x60\x98\x76\x74\x95\x68\x01\xd0\x97\x74\x05\x55\xff\x58\x4c\xcc\x0e\x17\xb6\xb6\xa4\xcf\x96\xf8\x9a\xed\x34\x01\xc8\x12\x50\xc1\xda\x79\xf9\x54\x03\x1d\x23\xeb\x42\x30\xa5\x4b\x82\xb7\x23\x79\x9c\x20\xc5\xdd\xae\x0e\xee\x97\xd1\x72\x0b\x58\x07\x93\x42\x2c\x67\xda\xe5\x5f\x70\x6b\x0c\xd0\xbc\xa0\xb1\x3f\xa4\x12\x92\x45\x0d\xe1\xc4\xd6\x53\x06\x4b\x37\xc3\xb7\x8b\x94\x07\x74\x0b\xd6\x51\x2f\xed\xea\x68\x56\x8c\x66\xd4\xad\xcb\x07\xf4\xd3\x59\x73\xd3\x4e\x00\xef\x64\x62\x12\x82\x10\xfb\xdb\xa2\xba\x88\x28\xf3\x9d\x21\xfd\xa3\x71\x27\x80\xb4\x84\x92\x74\x72\x35\x82\x13\xbc\xff\xfe\xf1\xe0\x77\x3c\xf5\x8b\x8b\xd5\x08\xf5\xc2\x4e\x4a\x4a\xb1\x54\x8b\x20\xac\x52\xa5\xf5\x15\xa9\x75\xca\x90\xa2\x84\x4e\xf9\x79\xd8\x14\xc0\x25\xa2\x03\x4d\x4d\x9e\x67\xe8\xd8\x71\xc0\xbf\x25\x87\xd4\x00\xa1\x41\x9e\x89\x5c\x78\x98\xe3\x49\x15\xa1\x3d\x8c\x5a\x27\x65\xde\xec\xb9\xf9\x05\x1a\xe4\x5a\xad\x36\xd5\x49\x1b\xf9\xd4\xcd\xb2\xae\xb2\x63\x6f\x99\x52\x6f\x95\x8c\x94\xdf\xd9\xb5\xe3\x4a\xb9\x5c\x57\x4a\xc6\xae\xc6\x44\x3a\x0c\xb8\xce\xfd\x70\x38\x6d\xea\x06\xe7\xb2\x13\x76\x19\xc1\xbf\x77\x7e\xaa\x30\x1f\x75\xc4\xde\x71\xdf\x5c\x86\xfb\xe6\x79\x76\x2c\x5d\x71\xb9\xfe\x9b\xc3\xe6\xef\x92\x61\x02\x42\x9d\x01\x68\x30\xd7\x11\x2c\x51\x5d\x76\xc3\x45\xef\x29\x9b\x3b\x55\x8e\xfa\x47\x86\xc1\x3f\x29\xa1\x34\xd0\x7d\xf2\xd6\xab\x1c\xd4\x3b\xc3\xc3\x82\xe2\xad\x8f\x9b\xeb\x5b\xff\xcc\xb8\xb9\x7e\x6f\x7c\x47\x64\xed\x78\x7f\x1f\x3e\xf1\xf1\x2f\x90\x18\xee\x01\x15\xdb\xf7\xd6\x0d\x9a\xb3\xa9\x24\x79\x68\xd8\xe1\x7e\xdf\x84\xfe\xfd\xa6\xc7\x6e\xbd\xf4\xda\x7e\x7f\x51\xc4\x5d\xf4\xa2\xcd\xb7\x84\x53\xfe\x89\xcb\x63\xe9\xa2\x2d\xe2\xab\x3e\x3b\x7f\xa9\xde\xd8\x92\x23\xf6\x84\xee\x7d\x48\xe5\x7f\xa9\x1f\xcc\x6e\xf4\x40\x29\xde\x88\x22\x26\xd7\x42\x42\xbc\x8f\x32\x27\x3d\x12\xa1\x64\xd6\xbd\x31\x68\xf3\xba\x37\x06\x5b\xc3\xba\x37\x06\xa7\xab\x75\x6f\x0f\x35\xcd\x35\xdf\xbf\xe8\x51\xec\xed\x1e\x80\xe1\xd3\x6d\xff\x75\x1e\x7b\xd6\x95\xf1\x45\x97\x5a\x7f\x5c\x7f\x23\x38\x6c\xbe\xa7\x37\x20\xeb\x12\x9d\xe5\x0d\x9d\xc2\xf1\xb9\x13\x35\xf6\x55\x8f\x61\xdb\xfc\x3f\xf2\x82\xcf\x79\xc8\xc3\x4c\x47\x5c\x79\x98\xd6\xc4\xcc\x74\xb4\x02\x10\xec\x92\x4b\x18\x03\xc4\x4b\x17\x71\x37\xa5\xb0\xb3\x6e\xd2\x10\x19\x5f\x04\x1e\xae\xa9\x9b\xa1\xcc\x5b\xa6\x6a\xb5\xda\x22\x19\x54\x10\x6c\xb8\x68\xb9\xe7\xe8\x61\xc3\xc8\xf7\x6b\x36\xee\xac\xcd\x17\x6f\x86\x31\xa9\x75\xe2\x6e\x16\xc6\xb7\xd4\xa8\xf8\xc5\x09\xe7\xc4\xf5\x7e\x8f\xe1\xd8\xf9\xef\xf2\x58\xe3\x41\x19\x0a\x53\x41\x38\x2c\x06\xb7\xe1\x69\x3f\x27\xe3\x36\x39\xa3\x71\x6a\xc9\x6d\x59\x2e\x17\xb2\x08\x68\x9f\x42\xa9\x63\xd9\x03\xa3\xec\x07\x60\x63\xcb\x56\x05\xf9\x75\x4e\x01\x98\x82\xff\xf2\xd1\xe0\x79\xa3\x03\x6f\x95\xfd\x74\x24\xd4\x09\x84\xc1\x25\xf2\x30\xba\x11\x75\xe9\xb9\x8e\x48\xc0\x11\x89\xba\x8a\x89\xa9\x57\x9f\x22\xf8\x1f\x32\xae\xd1\x79\x4f\x89\x02\x6e\x74\xa2\x2a\xb4\xaf\x6a\xe8\x65\xa1\xc9\x89\x05\x07\x11\x01\xe6\x9a\xf5\x00\x20\x99\xac\x85\xbd\xdc\x7c\xac\x6c\x5b\x6c\x38\x61\x92\x3a\x3a\x52\xd9\xa9\x16\x2f\x4c\xaa\x57\x27\xbb\xd8\x27\x93\xf8\xb5\x45\x85\x81\x26\xdf\x5b\x04\x87\xb5\x5a\xba\x4f\xbb\xee\x19\x35\x6c\x6e\x2d\xc5\xd6\xdf\x75\x78\x1e\x7e\x2f\xd6\x00\x21\x60\x03\x3f\x48\x11\xe6\x2b\xf9\x14\x42\xb2\xd8\xa2\x33\xec\x44\x53\x38\x98\x06\x60\xa8\x7c\x61\xd2\x9e\x83\xd7\x76\xb2\x6e\x12\x25\xcb\x20\x6e\xbb\xb9\x6a\x86\xbc\xe2\x36\x04\xe6\x0a\x39\xb1\x5c\x3b\xdc\x1b\x21\xd6\x27\xed\x08\xff\x95\x5e\x70\x9f\x87\xf6\x1f\x33\x17\x6c\xe7\xca\x90\x85\x0c\x07\x7a\x8c\x8d\x9a\x94\xfb\x87\xd6\x83\x27\xa1\xb0\x46\x8d\x4f\x53\x42\x3e\xd9\xce\xe4\x90\x2d\x52\x34\xd5\x22\x8c\xf0\xa2\x36\x94\x34\x16\x9d\x05\xf8\xed\x5d\x4c\x0b\x4b\xff\x6b\xbb\x82\xbf\x18\x53\xbf\xfa\xf0\x8a\xe2\x58\x01\xc7\xe0\xfd\xcd\xa4\x8f\xd2\xba\x8d\x75\x4d\xa5\x11\xcb\x9d\xb1\x4b\xe8\x18\x80\x62\x24\x47\x1f\x57\x00\x4d\x66\xfd\x11\xf9\x9a\xac\x01\xce\x2c\xf9\x7d\xc5\x24\xd8\x83\x90\x01\x4b\x95\x57\x4a\x6a\x94\xf3\x00\x92\xa3\xe3\x68\x45\x04\x00\xbc\x0e\x46\x9f\x1c\x90\xc3\x97\x52\x20\xef\x4e\xec\x67\x4a\x25\xe4\x55\x6b\x39\x42\xfd\x44\x83\xc7\xe2\x42\x54\x4f\x97\xb3\xb0\xd3\x42\x2c\xf3\x1a\x0f\xee\xe8\x2b\x21\x47\x1a\x70\xe5\xc4\x0f\x56\x03\x8a\x7b\x45\xaa\x08\x1a\x26\x88\x3e\x26\x98\x06\xc2\x01\x79\x76\x9a\xa9\x32\x26\xe8\x15\xe5\x8a\x8b\x29\xd9\x00\x5b\x17\x00\xca\x42\x20\xe7\x41\x20\x77\xed\x80\x32\x75\x30\x9c\xc7\x29\x34\x4a\xac\x42\x15\x8b\x3b\x88\x7f\x34\x88\x37\xa3\x2c\x87\x50\xe8\x27\x4e\xf3\x5b\x00\x82\x94\xdf\x42\x20\x0e\xfb\x31\xaa\xe2\x89\xd3\xa8\xfe\xab\xfe\x81\x66\x25\x29\xcf\xbb\x4d\x20\x0c\x20\x74\x31\x78\x35\xcd\xf0\xdd\x09\x05\xaa\x86\xd1\x36\x10\x58\x42\x14\x99\x56\x23\xa9\x8d\x4e\x1d\x21\x9e\x86\x28\xff\x55\x1d\xd5\xec\x53\xfd\x2b\x95\x95\x03\x55\xbe\x7a\xa8\xca\x57\x0f\xca\xff\x81\xea\x02\xbf\x0e\xc8\xbf\x0e\x57\xf9\xea\x61\xd0\x66\xe4\xa5\x43\x50\x23\x7c\x0e\xfe\x3c\x54\xe5\xcd\x34\x3d\x88\xff\x3d\xe0\x04\x74\x3c\x9b\xb5\x58\xf3\x41\xde\x81\x68\x49\xb0\x2f\x8e\xba\xe0\x88\xc3\x12\x27\x89\x04\x48\x1b\xe3\xfd\x37\x8f\x06\x8f\x2b\x5f\x54\x91\x9f\x96\xff\xb3\x48\x39\x3d\x55\x8b\xc5\x72\x58\xef\x91\x36\x38\xc0\xd7\xe9\xc2\xc7\x8f\xb0\x27\x90\x73\xf0\xc6\xe0\xb1\x8b\xf2\x8f\x45\x25\x07\x6c\x15\x40\x13\xfd\xcd\x91\xe3\xc8\x16\x29\xe7\x6c\x67\xdf\x6d\xc1\xf5\x8b\xfa\x97\x53\x96\xe3\xe5\xdb\xb0\xc0\x26\xf1\x90\x3c\x33\xb8\x73\x51\xfe\xb1\x58\x0e\x5b\xd7\x44\x16\xb8\x6c\x0d\x6e\x0b\xf2\x30\x84\x49\xcf\xb6\x9a\x52\x86\xbb\xc5\x96\x44\xdf\xf9\xa4\xc7\x46\x3b\x69\x56\xf8\x1f\xd2\x20\x45\x6f\xf3\x66\x9a\xb6\x93\x02\xcd\x37\x59\x61\xa7\xd0\x45\x2a\x1c\x52\x01\x29\xac\x61\x4e\xa1\x86\x03\x96\x1f\x3d\x72\xe4\x30\x6c\x11\x4b\x61\x7d\x65\x4d\x9e\xe9\x54\xc0\x15\xd0\x06\xd4\xf8\xa2\x2c\x75\xd1\xda\xd8\x43\x8a\x52\xea\x18\xb6\x7e\xbe\xff\xe0\xe4\xd1\xeb\xaf\x3f\x7c\x7d\x95\x47\x89\xdc\x10\xa2\x55\x31\x51\x02\xd5\xdd\xcd\x36\x06\x2a\x01\xb0\xff\x9c\x00\x67\xd0\x57\xf7\x92\xdd\xc1\x57\xbd\xf2\x55\x6b\x87\xa2\xf8\x7f\x8c\x1c\x05\x0a\x10\x82\x55\x21\x95\x1d\x0c\x58\xf2\x40\xd3\x49\xb5\xbe\xa2\x99\x8f\xe0\x25\x02\x38\xd9\x2f\x3b\x80\xd6\x77\x15\xe3\x32\x28\x43\x6a\xb2\x93\xa5\x72\xaf\x16\x8d\xc9\x8e\xc8\x26\x73\x51\x4f\x93\xc6\x84\x85\x10\x6e\xf9\x83\x10\x81\x47\xee\x23\xcb\xb8\x73\x2e\x89\xa6\x3c\x0e\xa3\x25\x0d\xc5\x8d\x81\x4b\xb1\xe1\x8d\x6a\xeb\x1e\xc3\xaa\x9f\x05\x27\xbf\x8f\x37\xa7\xb1\xc4\xbb\xfa\x70\xc6\xff\xd7\x28\xbb\x83\x59\x6f\xf8\x8f\x0f\x0e\x98\x5f\x83\xd6\x85\x02\xac\x49\x38\xcc\xb6\x28\x4d\xec\xf9\xf5\xc7\x15\xb6\x47\x21\x2b\xf8\x9f\xaf\x5c\x92\x31\xf8\x74\xb8\x24\x62\x15\x98\x12\xbc\xa4\x92\x5b\x50\x0c\x66\x97\x98\x14\x49\x3d\x6d\x48\x11\x0f\xf8\x81\x40\x0f\xa6\x8c\x09\x16\xa6\x08\x00\x4f\x68\xb0\x07\xad\xee\x2e\x47\xab\x52\x34\x63\x5b\x20\xe2\x15\xf2\x37\x90\xc0\xa4\x13\xe6\x04\x35\x1b\x26\x04\x5d\x0a\x6b\xb0\x13\x66\x61\x5b\x14\x22\x53\x3d\xaf\x91\x69\x30\xe2\x4f\x83\x35\x29\xfc\x2c\xf3\x00\x79\xa1\x14\x33\x8f\xfc\xd6\xb3\xbb\x14\x98\x67\xf5\xb7\x03\x75\x5b\xa4\x7c\x39\x84\xe1\xa7\x62\x6a\xec\xd3\x1e\x1b\x30\xa2\xfe\xbb\xb7\x93\x14\x5d\xd3\xea\xcb\x9d\xdd\x10\x8e\xf1\x41\xdc\x5f\xa6\xea\x6c\x07\x3b\x8b\xa6\x80\x42\x88\x72\x67\x84\x05\xe9\x95\x89\x58\xac\x86\x09\x41\x6a\xef\x87\xf0\x94\xbb\xe9\x63\x13\xec\x57\x1f\x65\x53\x5b\x6d\x21\x69\xdb\x7f\xf5\xa3\x82\x9f\xf5\xd4\x2f\xeb\x18\xad\x15\x78\x0c\x0a\xed\x25\x45\x4b\x14\x51\xdd\x3a\x09\x42\xd8\x4e\x2b\x04\xe4\xd9\x44\x41\x62\x20\x24\x09\x40\x72\x85\x59\x94\x76\x73\xcd\x5e\x86\xd6\x58\xe4\xe2\x21\xc5\xb4\x1d\x12\x04\x78\xaa\x80\x95\xd3\x26\x7f\x8e\x31\x62\x55\xb9\xaa\xd8\x73\x5d\xf7\xd2\x9f\x3e\x82\x7d\x65\x94\xed\xa9\xa7\x49\x11\x25\x5d\xe1\xff\xc1\x68\xf0\x99\x51\xf5\x4b\x39\x35\x72\xa1\xb9\x78\x10\x6e\x51\x14\x00\x22\xd1\x8e\xb4\xfc\x35\x58\x57\x80\x6b\xa0\x83\x54\xab\x7d\x49\x99\x14\x19\x49\xb3\xb1\x15\xe6\x38\x1b\xf1\x88\xa3\x61\xa1\x2c\x4e\x82\x28\xe7\x69\x27\xbc\x9b\x50\xd1\xa8\x4a\x6a\xee\x45\x79\x0e\x37\x50\xeb\x72\x36\x17\xc7\x90\x19\x16\x4a\xa3\x85\x5d\x07\xb4\x19\x88\x54\x2a\xb2\x48\x28\xe8\x74\x71\xa1\xd0\x19\xa3\xaa\x26\xa6\xbb\x8f\x63\xaf\x20\xe0\x0c\x20\x62\x63\xf0\x04\x66\xe8\x1b\x5c\x23\x82\xf5\x14\xaa\xcb\xa8\xa5\x75\x27\x68\x48\xb6\x1b\x83\xc1\x1b\x5c\x2d\x48\x08\x01\x0f\x79\x53\xac\x49\x75\xac\x0b\x22\x5f\x8e\x29\xae\x74\x95\x66\xee\x86\xc1\xe0\xc9\x4f\x87\x04\xc3\xd9\xd3\x02\x9f\xd1\x23\x89\x5d\xa9\x56\xae\x66\x02\x52\x3d\x45\x3d\x4d\x66\x03\x50\x47\x31\xf6\x29\x17\x55\xde\x4d\x00\xb3\xaf\x97\x76\xb1\x3e\x84\x3e\x4f\x5d\x89\x21\xae\x18\x87\xa7\x90\x82\x29\xae\xd0\xd9\xd4\xbf\x34\xc6\xfc\x4c\xb4\x31\x2c\x61\xa6\x10\xed\xe3\x69\x37\x29\xfc\xdf\x18\x83\x2d\xfe\xe8\x91\xe0\x17\xc7\xfa\x6f\x6b\xd9\xae\xa7\x17\x10\x51\xde\xdd\x05\x8d\x02\x66\x1a\x55\x1a\x46\xc1\x3d\xbc\xe3\x5a\x52\x67\x77\x35\xea\xaa\x5d\xfa\xd4\x42\x57\x71\xe6\x28\x8a\x9f\x06\xc9\x64\x29\x8d\x09\x26\x1c\x85\x73\x6e\xe5\xcf\xd9\x00\x6f\x54\x73\x55\xa9\x9c\xd3\xb1\x54\x47\x91\x53\x90\x34\x8d\x40\x2c\x9a\x05\xca\x58\x78\x20\x6d\x47\x45\x61\x32\xfa\x73\x91\x45\xa1\xc6\xb4\x73\x2a\x1a\xe5\x5c\x03\x09\xec\x17\x11\x6d\xbc\xe8\x80\x36\xcc\x56\xf5\x56\x37\x59\xa1\x74\x4a\xc3\x45\x6a\xa8\x05\x20\x20\x13\x1e\x9a\x30\xed\xc9\x04\x75\x1d\x4e\xc7\x72\x9b\xb0\x21\xda\xda\x70\x49\x2d\x51\xae\x87\x34\x6e\xa8\x9c\x87\xd5\x83\xb5\x83\xd7\xab\x78\x01\x40\xf8\xd3\xdf\xc0\x29\x0f\xbe\x2d\x39\x8c\xb2\x11\x3a\xce\x6a\xd0\x4c\xb9\x4e\x6e\xf5\x6d\x08\x27\xba\x0e\x97\x5e\x74\x0f\x05\x1e\x1b\x0e\xed\x1a\x3f\x4e\x6c\xf8\xa4\xe3\xc9\xef\x66\x02\xc4\xe6\xb0\xb2\x31\x2e\x03\x44\x43\x46\x3f\x80\xd9\xcd\xd5\xf9\xde\x3e\xd2\x1f\xdb\xf6\xca\x91\xe0\xbe\x91\x79\x0b\xf1\x5f\xc7\xf2\xdb\xd8\xe6\xfb\x72\xcb\x31\x65\x07\xb8\x19\x07\x8e\x9d\x49\xab\xe0\x14\x6c\x5a\x7f\x0d\x08\x06\x22\x40\x79\xec\x60\xbd\x92\x9c\xa9\x71\xdc\x33\x55\x90\x68\x41\xa1\x09\xa1\x96\xaf\x56\x91\x80\x4f\x8c\x1a\x46\x37\x69\xa7\x0d\x34\x82\x01\x5c\x1b\x89\x0c\x3a\x7b\xf5\x5b\xdd\x55\x20\xd7\x9c\x08\x1b\x93\x72\x3f\x7a\xd0\xdd\x24\xf5\x34\x41\x3d\xb7\xde\x9b\xa4\x50\xed\xc9\x30\x69\x4c\x6a\x21\x5d\xef\xd9\x92\xe8\x1b\x1e\xa8\x7f\xcd\xd3\x51\xb2\xe2\xff\x89\x17\x7c\xde\x53\xbf\xf0\x90\x2d\x4f\x31\x25\xd7\x9a\x1e\x87\x2d\xb5\x97\xb1\x13\x27\x67\xe7\x4e\x1e\x9f\x5e\x38\x79\xc2\xf6\x90\xa0\xf5\xa3\x48\x3b\xbc\x93\xa5\x9d\x70\x39\x34\xa5\x93\x05\x0f\xa8\xc4\x0e\x80\x6a\x02\x78\x9d\x8e\xec\x90\x4a\x5f\x1c\x26\x89\x30\x00\x5d\xed\x74\xd5\x30\x90\xa9\xd7\x1c\xb1\xfb\x9d\xbd\xec\xdf\x0e\x88\x30\x3b\x9b\x36\x84\xff\x87\x7b\x83\x08\x90\xe7\xa0\xd9\x6b\x69\xb6\x22\x10\x5d\x4d\x96\x68\xea\x5d\xe3\x27\xe5\xa9\x02\x6e\x40\x13\x10\x67\x59\x85\x67\xf5\xa7\xd9\x20\x28\xc7\x7e\x70\xa6\x44\x09\x17\x45\xbd\x31\xe1\xaa\x1d\x2f\x67\x3b\x2e\xe2\x1d\x17\xf1\x0e\xf5\xd2\x15\x75\x12\xff\xb2\x72\x12\x7f\xd0\x63\x13\x9b\xc6\x98\xca\x85\x0f\x0e\xe1\x17\x7b\xf3\x65\x7e\x41\x1b\xdd\x9a\xd0\x24\x1f\x94\xaa\xcb\xda\x82\xa4\xc6\xa3\x0d\xfb\x7b\xe3\x3a\xfe\x4b\x6f\x0b\x78\x7b\xd0\x06\x74\x13\x7f\xdc\x3b\x93\x82\x1e\x57\x47\x8e\xdb\x74\x89\xf4\x7d\x97\xf3\x19\xdb\xf2\x7d\xb0\x67\x95\x9a\x7e\xd1\x3b\xbd\xb9\x77\x79\xc2\xdf\x37\x88\xe3\x5c\xf6\x42\x99\xf5\xe5\x1f\xaf\x1a\x98\xed\x31\x77\xdb\x89\x59\x1d\xf6\xed\x04\x8a\x7f\xf6\xaa\xe0\xc5\x9e\x13\x29\x3e\x17\x36\xd2\x9c\xdf\x16\xa7\xf5\x15\x7e\x42\x80\x75\xad\x8d\xda\x10\x90\x98\x84\x79\xa1\xfc\x12\x08\xbe\x84\x93\x05\x70\x8a\xe7\x6e\x3b\x41\xb1\x03\x1a\xa7\x93\xa7\x6b\x89\xc8\xf2\x56\xd4\x21\x84\x09\xf0\xdd\x4b\xd9\x3a\x7f\xf2\x74\x94\x74\x2f\xc8\xdd\x4b\xaa\xdc\x51\xb2\x5c\x5b\xf7\xf6\xb4\xd3\x24\x92\x5d\xba\xee\x8d\x45\xed\x70\xd9\x35\x08\xfd\xf4\x5e\xf6\x3c\xb0\x11\xa6\xb1\x7f\x21\x58\x81\x83\x11\xd4\x56\x5e\x01\x43\x90\xb1\xf9\xc9\x6d\x62\xa9\x31\x70\x3c\xc9\x04\x96\x6b\xa8\x10\xac\xf2\x54\xb6\xd4\x98\x9a\x3b\x39\x7d\xe2\xcc\x49\x39\x52\xad\x74\x6d\xb2\x48\x27\xbb\xb9\x98\x8c\x8a\x92\xcf\xd4\xc4\x94\xbf\xc3\x0b\x5e\xef\x5d\x5e\xd4\x38\xef\x0b\x4a\xbf\x72\xb5\xb6\xfc\x60\xdf\x71\xe2\xd1\xbf\xe6\x6d\x01\x0d\x56\x07\x9e\x53\x28\xfa\x2f\x58\xa1\xe8\x51\xee\x58\xde\x4a\xb9\xc3\x14\x9a\xde\x4c\x33\x39\x29\xce\xe7\x52\x63\x9c\x69\x9a\x4c\x44\x15\x9a\x0c\xf9\x4b\x19\x41\xbd\xe8\x81\x4b\xa2\xf8\x4a\x75\x01\x7b\xbe\x47\x69\x96\xf7\x04\x6d\x33\x61\xc0\x9e\xd1\x37\x61\xc2\x46\x3b\x4a\x1e\x8c\x29\xf3\xbe\x8a\x4e\xa4\x78\x67\x25\x58\xaf\x94\x13\x29\xdc\x70\x74\x58\x68\xf2\xd8\xbd\x16\xe2\x21\x84\x92\x2c\x16\xa2\xce\x31\x7e\xb2\x94\xdc\x5b\xce\xb7\x88\xf2\x6d\xa4\x5c\x60\xa3\x8e\x5d\xa9\xc4\x8b\xed\x66\xc9\x91\x7f\x5c\xf5\xe6\xb5\xd9\x52\xc3\x8d\xdf\x45\x19\xe0\x47\xc1\xd3\xcd\xd0\xc1\x25\x1a\xbb\x2b\x3f\x52\xef\xf6\xd8\x6e\x9a\x92\xfe\x4f\x7b\xc1\x2b\xbd\x3b\xf0\x87\x3a\x41\x23\xeb\x71\x0a\x59\x64\x70\xdd\x99\xe2\xd6\x5c\x9a\x12\x45\x7d\xaa\x2e\x3a\xad\x29\x3d\xc3\xaf\x7c\x6d\x7f\x4a\xea\x33\x24\x31\xfd\x7b\xbd\x40\x4c\x5b\x27\x5e\x39\xab\x8e\x8b\x4e\x8b\xab\x27\xae\x5c\x0d\x86\xa6\x61\x7f\x73\x84\x3d\xc6\x12\x24\x62\x15\xf4\x4a\x13\xc1\x2f\x92\x62\x5e\x64\x91\xc8\xfd\x4f\x8d\x04\x77\x5b\xbf\x35\x5b\x8e\x9d\x53\x08\x82\x04\xee\xa6\xc0\x2e\x0e\xe0\xdb\x14\xab\xa5\x4f\xd6\x6b\x61\x3e\x15\xc9\x23\x6f\xa7\x23\x12\xc2\x8d\x2e\xa2\xa4\x9b\x76\xf3\x18\xf9\xe9\xf2\x54\x2e\xaa\xa8\x2d\x6a\xeb\xde\x18\x20\xad\xaf\x7b\x8f\x94\x1b\xd9\x39\x52\x16\x16\xa2\x92\x1f\xee\xe7\x2a\x2c\x61\xf8\xa8\x2f\x94\x2f\x6a\xb6\x3e\xd8\x34\x45\xfc\x58\x90\x83\xaf\x4c\x4e\x54\x6d\x20\xf6\x36\x96\x97\x96\x08\xb3\x62\x09\xd8\xbb\x65\x6d\x1c\x2b\xc2\x2f\x78\xac\xaf\x4e\xfe\x9b\x3c\x76\xf3\x25\xa8\xa8\x67\xa2\x7a\x96\x42\x3a\xf1\xd3\xcb\x45\x6a\xd3\xb9\xfc\x1b\x6c\x06\x50\x33\x18\x09\xa3\xe7\x53\xf5\xd7\x42\xd9\x12\x91\x28\x17\x8f\xdb\x88\x1a\xfb\xde\x1e\x47\xdb\xd0\xf9\x1a\xb5\xd9\xb4\x71\x22\xca\xb3\x2e\x38\x08\x6f\xeb\x36\x96\x05\x04\x21\xfa\xbf\xb1\x27\xb8\x6d\xc8\x3d\x3c\xc4\xd8\x04\x8a\xa0\x57\x0c\x78\xda\x3d\x52\xfe\xed\x6e\xf6\xeb\x15\x76\x55\x3b\x4a\xa6\x95\xed\xd6\xff\x60\x65\xab\x9a\x7d\xb7\x88\xe2\x5a\x94\x14\x79\x91\xd5\x66\x92\xe2\x5c\x86\x36\x9b\xe0\x3b\xde\xb4\x9b\xd0\xa1\x28\x17\xa2\xa6\x61\x38\x08\xec\x8f\x06\xe8\x4f\x40\x7b\x21\x8a\xde\x40\x19\x0f\x03\x65\x02\xd0\x3e\x34\x65\x65\x0e\x9b\x05\xc5\x9e\xa8\x8f\xd1\x04\x47\xe6\x38\x3c\x57\x87\x4b\xb9\x8d\x8d\x40\xc1\xea\x44\x0d\x31\x9f\x72\xcb\xad\x07\xdb\x06\xe0\x1c\x66\xb0\x5e\xc0\xe3\x21\x97\x74\x52\x00\x0a\x8a\x4a\x36\x91\xd5\xa3\x08\x2c\x08\x6a\x38\x78\xe0\xc0\x63\x82\x1a\xfb\x80\xed\x21\x7b\xe7\x95\xf0\x90\x7d\xc8\x83\xdf\xfc\xee\xae\xc8\x7a\xb0\xed\x13\xc5\x6b\x2b\xcd\x85\x55\x9f\x30\x13\x1a\x82\x8c\x76\xad\x86\x1e\x77\xbe\x84\x03\xcf\xa7\x79\xd2\x8d\x2d\x8f\x19\x74\x2b\x46\xc9\x25\x08\x1f\x0e\xa1\x23\xb2\x63\x15\x68\xc5\xfe\xe7\x3c\x77\xa2\xf4\x02\xfe\x42\xe4\x7f\x45\x37\x4b\x5d\x6d\x52\xcd\x2e\x7a\x13\xec\xd1\x8e\x66\x0e\x64\x4c\x93\x10\x1e\x20\x96\x7b\x3e\xf3\xf7\x64\xa2\x13\x87\x75\xc1\xd8\xb7\x2a\xec\x9a\x76\x78\xe1\x7c\xa2\x47\xd6\xff\x93\xcb\x9e\x83\x6f\xac\x6c\x38\x07\x81\x88\x2e\x70\xbf\xba\xf1\x24\x84\x10\xa0\x64\x1b\x93\x6f\xa3\x89\x77\xca\xf6\x25\xa7\x89\xb8\x84\x59\x77\xc0\xce\xb6\x6a\x77\x89\x1d\x03\xd0\xe1\xf3\x68\x55\x68\x85\x19\xa2\x5e\xdc\xc5\x56\x63\xdf\xd8\xc5\xe6\xaf\x50\x7c\x88\x83\x43\xf5\xaa\x87\x0c\x87\xea\x9d\x63\xec\xcf\x35\x0e\xd5\x97\x3c\x26\x1e\x94\xe0\x97\xef\x1b\x08\xaa\x0f\x1b\x08\xaa\xf7\x8e\x3c\x48\x91\x3e\x3b\xe8\x53\x0f\x0e\xfa\xd4\x9b\xc7\x34\x5f\x01\x44\xed\x29\x48\xcc\xd4\x1d\x9a\x72\xf8\xd4\xf4\xec\x0c\x85\x41\x19\x18\x99\xdf\x19\x0d\xce\x0e\xb8\x3e\x14\x3b\x06\x82\x0e\xe9\x69\x04\x8c\x01\x3a\xc0\x7a\x37\x0e\x33\xc4\x8c\xd9\x10\x32\xe6\x7f\x8e\xb0\x57\x0e\x06\x69\x79\xce\xa5\x83\xb4\x3c\xe1\xf4\xe5\x02\xb4\xfc\x98\x01\x68\x39\x13\x3c\xe1\x76\x37\x69\x7a\x53\x78\x96\x8d\x70\x55\x9e\xa9\xf1\x59\x16\x82\x27\x9e\x07\x53\x3d\xc8\xe7\xc9\xb5\x34\x6b\x54\x8d\x09\xf6\x52\x71\x5b\x9e\xaa\x57\xf1\x6c\x70\xdc\xc5\x14\xcb\x07\xc3\xf1\x80\x35\x58\xaa\x3d\x9b\xc2\xf1\xdc\x40\x70\x3c\x53\x41\xb0\x40\x67\x59\xd0\x55\xad\x23\xf2\x60\x1c\x9e\xff\x67\x2f\x7b\xb4\xa5\x88\x2e\xc9\x9d\x1a\xa4\x43\x96\x26\x4f\x4a\x97\xfc\x0f\xef\x0d\x8e\xd1\xdf\x96\xbd\x5b\x15\x68\xf9\xe7\x31\x54\x07\x09\x93\xea\x59\x9a\xf0\x67\xa7\x4b\xae\xd4\x7e\x03\xdb\xb1\xc0\xef\x58\xe0\x5d\x0b\xfc\x77\x95\x05\xfe\x2f\x3d\x36\x39\xd4\xaa\x56\x9e\x95\x60\x85\xff\xa8\xb7\x61\x5e\x96\x6b\x91\x57\x33\xd2\x8e\x17\x2a\x0c\x69\xd2\x83\x3f\xa8\x65\xc3\xfd\x6f\x19\xc3\xfd\x27\x3d\x36\xb5\xf5\xa6\xe3\xe6\xfc\x32\xef\xb8\x8a\x53\xd4\xa2\xc3\xb4\xf2\x21\x6f\xcd\x8e\x6b\xf2\xf2\x5c\x93\x17\xbd\xb9\xcd\x9d\x19\x53\xfe\xa4\x76\x66\xc0\xb4\x30\xf0\xb3\x38\x37\xca\x2e\x8d\xfb\x77\x39\x69\xd3\x16\x80\x15\x44\xec\x64\x72\x2e\x89\x05\x88\x82\x00\xe0\xbf\xef\x8e\x05\xb7\x0c\xbb\x49\x2c\x79\xe6\xb7\x85\x51\xa7\x42\x80\xb2\xda\xba\xb7\x47\x5c\x88\x8a\xe3\x69\xc3\xb5\x0a\xbd\x69\x8c\xdd\xeb\xb1\x71\xc8\x30\x10\x8d\xe9\xc2\x2f\x2e\x5d\x85\xb8\x09\x8c\x31\xa1\x8a\x5d\x92\x07\x27\x08\xf6\x13\x17\x44\xbd\x6b\x4b\x02\x5d\x2d\x4e\xdf\x65\x73\x6c\xaf\xbe\x38\x73\xc2\x3f\x1e\x1c\xd5\xcd\xdd\x97\xf3\x99\x13\xdc\x4a\x03\x0b\x0b\xbe\xaf\x91\xd6\x57\x44\x76\x6c\x6a\xea\x66\xfd\xda\xb3\xa2\xc6\x2d\xfb\x6c\xb1\xfc\x64\xa6\x9b\xec\xdf\xa1\x0c\x5e\x47\x4f\x5e\x88\xf4\xd2\xd4\x3b\x10\x2a\x07\xd4\x85\x83\x2a\xea\x98\xb5\x0a\xc6\x64\xf7\xe4\x2d\xe8\xb0\xe6\xa5\x77\xd8\x63\xdd\x0e\x73\xbb\xc6\xa9\x93\x68\xb0\x73\x46\xbd\x3a\x11\xdc\x70\x86\xf4\x29\xa9\xb2\x66\x5a\x68\x6e\xa1\x1d\xa6\x7f\x66\xb5\x56\x75\x2a\xb8\x69\xff\x52\x16\x89\xe6\x84\xd6\xa0\xb6\xd1\x33\x4e\x89\x79\xb4\x0c\x48\x6f\xaa\xbf\x0f\xce\xc3\x85\x4b\xed\xea\x57\xfc\x08\xfb\xa1\x01\x0b\x65\x36\x6d\x10\x20\xec\x5f\x5f\x1b\x7c\xd0\xd3\x3f\x6d\x45\x68\x30\xcb\x87\x2d\x94\xe1\xcc\x4f\x2f\x4a\xd1\x53\x64\x61\x84\x48\xd7\x48\x6b\x69\xaf\x24\xf4\x2f\x54\x39\xf0\x1a\x47\x70\xa8\x8f\x8c\x1b\xd6\xc4\xea\x5b\xac\xb4\xa8\xac\x40\xbb\xea\x85\x6e\x63\x96\x02\x37\x63\x52\x42\xa6\x7a\x47\xc0\x96\xd9\x2e\x59\xc2\xcc\xac\xff\x8c\x60\xd6\x30\x5b\xaa\x0e\x02\x87\x87\x43\xba\x0a\xb1\xf1\x80\xf3\x19\x2d\x27\x52\x19\x3a\x09\xd6\xa1\x08\x61\x90\x7a\xa2\x30\xbc\x7c\x2e\x24\x8d\x5a\xf0\x70\x66\xf8\x9c\x77\xe9\x13\xf8\x95\xde\xdc\xa9\xe3\xfc\xf0\xe1\xc3\x37\x71\x00\x7e\x85\x20\x9f\xbe\x39\x4d\x2a\x21\x60\x92\xd6\xa5\x86\x1c\x8b\xc6\xb2\x9b\x77\x1d\x8b\xc2\x18\x4e\xc8\x32\x6b\xdd\xe3\x9d\x2e\xd0\xa4\xb8\x2b\x04\xbc\x26\xfb\xf3\x09\xad\xef\xcb\x01\x65\x17\xd8\x58\x27\x6d\xcc\xcc\xfa\x69\xb0\x64\xf5\x62\x18\xc7\x29\x66\x13\x1a\xd2\xd3\x1a\x9f\x4b\xbb\x05\xda\x8d\x94\x01\xd4\x32\x9c\x51\x7e\xdc\x80\x7e\xd5\x85\x39\xfd\xfa\xc6\x0a\x24\x02\xa3\x2e\x9f\xfb\x2f\xab\x04\x17\xb4\x2e\x40\x87\x3d\x3d\xa3\xe0\xeb\xdb\x74\x2d\xad\xa5\xd9\x4a\x9c\x86\x8d\x1c\x01\x77\x3a\x69\x63\x32\x8e\x9a\xa2\xde\xab\xc7\xe2\x5a\xf9\xcb\x7c\xdc\x76\x67\x1c\x64\x53\x1b\x68\x70\xd6\x92\xd2\x07\xd7\x8b\xde\x3e\xf6\x43\x03\xec\x84\xc0\xcb\x38\xb9\x22\x7a\xfe\x6e\x7f\x4c\x2a\xc3\x4c\x3e\xb9\xa1\x45\x71\x8f\xbf\x0b\xde\x62\xec\x3d\x15\xf6\xa8\xba\xbd\x87\x75\x73\x91\xfb\xaf\xab\x04\xbf\xe3\x2d\xa8\x88\xd0\x56\x98\xc3\xe9\x52\x24\x45\xd6\xe3\x1d\x0c\x35\x56\xa3\x8d\x83\xd2\x0e\x93\xa8\x09\x39\xf2\x10\xc9\x85\x4f\x46\xb9\xca\x0e\xa1\xc4\xb6\xb4\x5b\x74\xba\x10\xfd\xbc\x88\x5b\x05\x8f\xc0\xa7\x57\x2c\x5e\xf9\x5e\xa7\xf0\x3c\xac\xe6\xa4\x3a\xaf\x6f\x15\x0a\x7f\xe0\xde\xdf\xcd\xd9\x4f\x56\xd8\x0f\x8a\x4e\x4b\xb4\x45\x16\xc6\xc7\xfb\xfa\xed\x1b\x5e\x70\xbf\x42\x13\x90\xd3\x1f\x68\xb5\xd4\xe3\xa6\xd7\x28\x4a\x1d\x63\x9d\xbb\x89\xf6\xe5\xc0\xf4\x73\xf3\x6d\x21\x97\x6d\x12\xc8\x50\x14\x47\x30\x44\xe0\x77\xec\x00\x93\x9c\xb4\x3d\x28\x15\xad\x46\xd0\xdf\x27\xfb\x6a\x9a\x2b\xd2\xe6\xda\xe5\xf7\xc5\x3f\x54\xd8\x0f\xc8\xe7\xfb\xbb\xe1\xcf\x2a\xc1\x5b\x2a\x1b\x4c\x1f\xf9\xd6\x46\x73\x48\xbe\xda\x36\xc1\x36\x3c\xef\x42\x7e\x6f\xb3\x1b\x97\x5f\x35\xd1\x82\xc0\x85\xcb\x1f\x0f\x29\xc6\x98\xbd\xd5\x76\xc2\x75\x48\xa7\x19\xf8\xae\x16\xbb\x3c\x17\xdb\x47\x60\x7d\x98\xa6\xe2\x8a\xd1\x3c\x16\x83\xf9\xed\x23\xef\xae\xb5\x7a\xf6\x7e\xa5\xe6\xe0\x60\xb3\xc7\xe7\x46\xd9\xa3\x92\x94\x94\x9e\xb3\x8a\x61\xf8\x43\xa3\xc1\x03\xa3\x7d\x97\x89\x06\x06\xe7\xe9\x1a\x86\x7e\xe3\xe4\x96\xca\xa7\x68\x77\x8a\x9c\x8c\x82\xe0\x42\x50\xf9\x1d\xc0\x45\xb7\xd4\x2d\x78\x64\x93\xf9\x1b\x0e\xdb\x2c\x5a\x6e\x15\x3c\x5c\x0b\x7b\x3c\xcc\x55\x49\x52\x8d\x00\x9b\x3f\x64\x84\x40\xd6\x00\x47\x10\x89\xe5\x2c\xac\x0b\x39\x63\x6c\xad\xa6\x23\xb2\x08\x98\xec\xad\x45\xd6\x48\x05\x86\xb4\x2f\x77\xc3\x2c\x4c\x0a\x61\x85\x3c\xc8\x3a\xeb\x1c\x43\x5d\x93\x94\x5a\x84\xa1\x5e\x44\x30\x0c\xc4\x36\x00\x01\x0b\x38\x78\x29\x07\x87\x8d\x2e\x45\xc4\xb9\xc0\x4c\xdb\xa8\x49\xad\x47\xb6\xd8\x25\x51\x4f\xdb\xb6\xa3\x2e\x4f\x53\x79\x34\x28\x95\x0b\x2c\xd3\xa6\xf0\x65\x6a\xa8\x95\xe3\x63\xd7\x0a\x09\x7f\x5b\xd1\x32\xf4\x72\x16\xa5\x59\x54\xf4\x1c\x34\x2a\x05\x1b\x87\x9e\x19\xd3\x9b\x35\x3e\x8d\x09\xa6\x79\x37\x06\x26\x1f\xdd\x4f\x94\x17\xd3\x88\x9a\x88\x54\x8c\x26\x5d\xa9\xe4\x75\x44\xbd\xa6\x58\xa7\xd5\x80\xeb\x79\x35\x58\xd9\xf9\xb5\x71\x36\xd6\x69\x85\xb9\xf0\x3f\x36\x1e\xbc\x77\x5c\x2e\x78\xf8\xa9\x5d\xb1\x64\xe7\x8a\xd0\xeb\x23\x5b\x42\x42\x30\xef\xb6\xc1\xd0\x9d\x36\x09\x0f\xbe\x40\x74\x44\x9a\xc3\x51\x91\x73\xbd\xfa\x08\x17\x43\xef\xbf\x1c\x16\x5c\x95\x3a\x0e\x29\x06\xe5\x01\x97\x96\x0a\xe6\xf7\xeb\xa4\x66\x58\x3a\xab\x51\xa3\x6b\x8b\x6e\xed\x8a\x91\x25\x99\x58\x02\xcc\x30\x82\xf5\x65\xa9\xb5\xc8\x91\x4c\x80\xf5\xb2\x2e\x94\x00\xd1\x94\xa3\xa7\xb3\x78\xb0\xe1\x78\x9a\x3e\xc6\xd8\x2c\x52\x37\x1e\x83\xba\xcb\x4e\x6c\x41\xde\xb5\x48\x2c\x92\xf1\x21\xd0\x38\xb8\x7e\x20\x39\x8b\x32\x7e\xfa\x8e\x76\xa0\x9d\xe5\x50\x26\xae\x30\x91\x68\x80\x44\x52\xf5\x30\xa9\x25\x47\x95\xd1\x49\xb9\x34\x4b\xc0\xe6\x9b\x07\xb9\xd9\x91\x33\xa2\x91\xae\x25\x52\x12\x42\x14\x0b\x7e\x08\xfc\xb0\x98\xfb\x54\x48\x41\xa9\x12\xee\x01\xb1\x9e\x17\xe1\x8a\xe0\x21\x3a\x52\x6b\x7c\x0e\xf9\x98\x07\xb4\x7c\x29\xed\x26\x16\x8b\x35\x71\x56\xc6\x71\x5f\xfb\x28\x21\xc1\x6d\xd6\xb4\xd2\x22\xc1\x79\x68\xba\x22\x27\x3f\x39\xf1\x40\x03\x29\x65\xa4\xf3\x7d\x28\x51\x15\x52\x82\xe4\xfe\x40\xc9\x2e\x99\x50\xbf\x6a\x7c\x5e\xee\x4b\xa2\x21\x1a\xc7\xf8\x74\xec\xec\xef\x91\x59\x03\x50\x21\xcb\x10\x10\x25\x6a\x3f\x73\xa8\xc2\x0a\x8c\xb7\xa7\x6d\xaa\xc6\x4f\x85\x51\xbc\xad\x82\xa9\x53\x06\xb7\x55\xf6\xa4\x5b\x87\x66\x18\xc5\x52\x0f\x50\x4b\x84\x1e\xa4\x84\x1f\x79\x44\x57\xc0\xfe\x49\x9a\x4c\xde\x23\xb2\x54\x9f\xd2\x32\x38\x34\x58\xc5\x95\x62\x5c\xc9\xe0\x7e\x0c\x3c\xb7\x10\x12\x43\x8b\xcd\xf1\xb7\xe8\x13\x99\xce\x91\x59\x12\x04\x2b\x0b\xf9\xd7\xbd\x0e\xa2\x2f\xf0\x46\x97\xf0\x46\x29\xf7\x2b\x4a\x38\x19\x95\x68\x5f\xd3\xf4\x03\x18\x7d\xd6\x34\xa7\x0e\x76\xa5\xb7\x72\x58\xab\xb6\x20\x7b\xd1\x08\xdb\x05\x07\x9b\xdc\xff\x87\x4a\xf0\x2d\x0f\xff\xa6\x44\x7d\x59\x0f\x73\xd8\x11\xc3\x8e\x3b\x33\x4d\x27\x45\x23\x2f\xa7\xa1\x1f\x28\x94\x46\xdd\x76\xb1\x7a\xe0\x63\x2a\x93\x09\x68\xe1\x49\x48\x9b\xef\x28\xf7\xfd\x41\x72\x16\x40\x04\x07\x60\x52\x35\xf9\xcc\xec\xea\x11\x98\x34\x33\xb3\xab\x47\x69\xf5\xab\x14\x30\x61\x0e\x57\x1c\x1a\xa4\x97\x95\x29\xbb\x07\x11\x32\x46\x8f\xb9\x8e\xed\x67\x3f\xba\x95\x23\xcd\xcc\xec\x45\xef\x31\x9b\x9c\x65\xc6\xfc\x91\xa8\xb3\x9d\x93\xcc\x7d\x15\xb6\xe7\xee\x34\x07\x66\x75\xff\xbb\x5e\xf0\xff\xc2\x01\xe6\xce\x6e\x18\xcb\xbd\x2f\x6d\x2a\x9c\x04\xbe\xff\xce\x73\xf3\x13\xbc\x2e\x9f\x33\xd6\x70\x75\x5c\xb7\x06\x86\x2f\x85\x39\xee\xf6\xda\x97\x42\xe8\xd9\x6d\x30\x65\xcc\x0b\xd8\x78\xee\x3c\x37\x8f\x7c\xf1\xe0\x3c\x02\xad\x5f\xef\xe5\x77\x9e\x9b\xc7\x0f\x89\xfc\x52\xcd\xa4\xb2\x5a\x93\x9d\x2c\xed\xa4\x79\x18\xe7\x53\x52\xfc\x4d\x69\x00\x9b\xbb\xd3\xbc\xd6\x76\x22\x19\x57\xb5\xf9\x28\x0e\x9e\x35\xcd\xc1\x7e\x64\xb9\xe2\x2e\x55\x2b\x84\x55\x5b\xe3\xa2\xb6\x5c\xe3\xfb\x4e\x62\x74\x86\x63\xd6\xfb\xec\x38\x7b\xfa\x95\x64\x77\xb2\x30\xc3\xd0\xa4\xf4\xcd\x3d\xc1\xdc\xc6\x8f\x94\x99\x59\x6d\x41\x33\xec\x4d\xc7\xda\xf3\xe2\x3d\xec\x7b\x1e\xbb\x5a\x6d\xb3\x00\xa4\xe3\x7f\xdd\x63\xd1\x83\x47\x62\x55\x86\xac\xba\xc7\xf9\xb8\x26\x07\x46\x60\x1d\x4d\x5e\x84\x86\xb0\xb8\x47\xdb\xb2\x4a\x55\xc6\x98\x02\x0b\x35\x67\xa1\x25\x7a\x43\xf4\x36\x53\xaa\xdc\x8f\xa4\x06\xc7\xde\xe5\x1a\x4a\xde\x58\x09\xce\x5a\xaa\x93\xea\x5c\xea\x57\x39\xcf\x2d\xf7\x78\x08\xc7\x78\xb2\xe0\x0d\xef\x6c\x23\x2b\xee\x66\x29\x6b\x3f\x14\xfd\x6a\x99\x4f\x38\xfb\x37\x8e\x28\x91\xb2\x6e\x12\xdc\xc0\xbb\xfc\xd1\x76\x88\xd2\xe6\x07\xfb\x1f\x69\x87\x1d\x29\x92\x72\x7f\xdc\xdf\x3d\x09\xcb\x9c\xb1\x3f\x1e\x61\xd7\xe4\x45\x9a\x89\xc6\x5d\x0a\x53\xe9\x33\x23\xc1\x7b\x46\xdc\x6b\x2a\xc7\x3e\x8e\x1d\x30\xa5\x52\xb0\x0e\x45\x97\x4a\xed\x50\x40\xd8\x1a\x25\x50\x48\x8d\x2c\x0b\xeb\x2b\x64\x47\xce\x85\x05\x96\x84\x50\xdf\x21\x6f\x47\x04\xd1\x8d\xf1\xc2\x10\x84\x0a\x55\x30\xcf\x52\x82\x1c\xee\xf4\x7a\x8f\x69\x93\x89\x2d\x4f\x9d\x52\x6c\x22\x9a\x30\xe1\x68\x51\x77\x9e\x30\xc1\x05\x3a\x93\x74\x3f\xf0\x40\x01\x84\x77\xca\xd3\xb8\xe1\xe0\xb9\x42\xfa\xae\x9c\x64\x18\x82\x6d\x83\x06\x61\x7a\xa1\x3a\xc7\xe8\xad\x5b\xd7\x9c\xcc\xd3\xb4\x2d\x69\x9c\xa9\xdc\x4e\x86\x57\x29\x8a\xf0\xac\x8b\x2b\xb6\x48\x11\x7a\x85\x5c\x06\x08\x12\x6e\x27\x6a\x6f\x44\xf2\xf4\xfe\x23\xec\xf0\x56\x60\x7b\xce\x74\x0b\x9b\x5c\xde\xff\x87\xc3\xc1\x33\x4b\xd7\xac\x78\x13\xc0\xd1\xa0\x92\x14\x76\x8c\x3e\x6d\x58\xb8\x7d\x49\xc3\x40\x46\xe6\xf2\x3c\x1c\x76\x3a\x31\x24\xf4\xa6\x35\x4d\x5c\x72\x15\xfa\xe4\x91\x05\x62\xdd\xdb\x9b\x47\x0d\x71\xb2\xd9\x94\xfd\xbe\xee\xfd\x5b\xfd\x1d\xa4\xd8\xba\x6b\x10\x4a\xe2\xe7\x0f\xb1\x37\x55\xd8\x35\x52\x81\x4f\xbb\xc5\x3c\x40\xb1\xe4\xfe\x4f\x56\x94\x97\xe0\xdb\xde\x82\x73\xab\x84\x6f\x4f\xef\x19\xd2\x49\x8d\x86\x33\xad\xc3\xfd\xd4\x33\x90\xe9\x8b\x99\xed\xba\xe1\x52\xbb\x33\x80\x01\x10\x40\x04\x50\x05\x05\x21\x1f\x9a\xfb\x52\x57\x35\xbb\x31\x78\x9c\x50\x7b\x25\x54\x64\x9c\xda\xea\x5b\xab\x4e\x12\xf2\x92\x28\xd6\xa4\xda\x72\x10\xba\xf5\xf0\x01\x8e\x90\x33\xb9\x83\xd9\x73\xd0\x5c\x76\x1c\x1d\xaf\x1b\x65\xc3\x7a\xd2\xbf\x38\x12\xfc\xc9\xc8\xf4\xe0\x9b\x0a\xb6\x48\x21\x8a\x11\xb4\x55\x07\x70\x9b\xe4\x95\xc5\xd2\x8b\x8b\x66\xd2\xcb\xe6\xa9\xa9\x23\x2e\x74\x08\x89\x43\x53\x93\x61\x8f\x48\x65\x50\xb1\x31\x00\x98\x82\x5a\x8a\xfd\x60\x05\x51\xa1\xd2\x34\xf2\x1a\x92\x0d\x24\xa2\x6f\xa5\x95\x60\x08\x95\x22\xe8\xe4\x77\x98\x3a\x54\x15\xa9\x1c\x22\x85\xa9\x11\xd2\x13\x41\x79\xa1\x81\xe8\x4d\x4b\x33\x33\xf0\x2e\xbb\x8d\x9e\x54\x2a\xea\xd4\x48\xb9\xc4\x32\xcf\xd0\xb9\x14\x6c\xaa\xfa\x09\x44\x40\xb0\xe8\xf0\xe7\xa9\x82\x72\xf2\x68\xe7\xb6\xfa\xb0\xa9\xaa\x2c\x79\xc9\x81\xed\x1f\x30\xab\x36\x90\x0f\xef\xf1\xd8\xd5\xf4\x34\x12\xa5\xfa\xeb\x5e\xf0\x32\xef\x94\x7d\x49\xbb\xf1\x5b\xe9\x9a\xeb\x39\x87\x73\x8c\xe5\xe8\x34\x42\x41\x07\xdd\x48\xc9\xd9\x0a\x93\x86\x3c\x6c\x4f\x9a\x9e\x31\xa8\x7f\x33\x18\x71\x97\x66\x70\x52\x74\x53\xbb\xe0\x8a\x5d\xdd\x3f\x1f\x63\xd7\xe0\xa0\x68\xa6\xab\x2f\x8e\x5d\x81\x98\xeb\x57\x8e\x9d\x73\x4a\x25\x0b\x95\x85\x75\x98\x82\x81\xdb\x1e\x04\xbd\x8e\x23\x3b\xf2\x0f\x71\x5a\xa4\x6e\x0f\xd0\x34\xf2\x2b\x79\x8d\xbb\x75\x86\x73\x89\xec\x02\x3c\xd9\x10\xa9\x9f\x66\x6e\x4c\xe3\x06\xd6\x06\x46\x37\x11\x6b\xe7\x2c\x60\x83\x35\x85\xb6\x95\x13\x8c\xb9\x55\xa5\xaa\xb2\xac\x43\x3a\x3f\x2e\xd9\x22\xa5\x73\x56\xd4\x54\x67\x62\x85\xcd\x2c\x2f\x6b\x70\x05\xac\x99\x8e\x17\xa7\x67\xf6\x9b\xba\xe8\x8c\x75\x34\x6e\xa1\x51\x02\x4c\x0d\xa6\x86\xa5\x67\x90\x4a\x60\x02\x70\xf6\x92\x32\x3c\x83\x5c\x0a\x70\x18\xc3\x3e\xe2\xfb\xe3\x08\x6c\x28\x27\x44\x27\x4e\x7b\xf2\x64\x32\x97\xc6\x31\xe0\x28\xc8\xf7\xe5\x09\x65\x36\x4b\x2f\xf4\x14\x8d\x00\x16\x37\xa1\x71\x3c\xfa\x9b\x5c\xe3\xe7\x73\x61\x0f\x8d\x8e\x69\x07\x8b\x2e\x0d\x9b\x1a\x4e\x00\xcf\x29\x26\xa3\xa4\xaa\x71\x40\x44\x02\x50\x1a\x14\x5b\x96\xaf\x44\x9d\xd2\x2c\xd7\x53\xc1\xa4\x2a\xa2\x13\x1a\x47\xdd\x12\xcc\x10\x88\x06\x47\x51\x67\xe2\x29\x2b\x92\x1a\x0b\xa9\x36\x61\xb8\x69\x8d\xfd\xf9\xa8\x22\x4c\xfe\xd2\x68\xf0\xa2\x51\x24\x46\x36\x7b\xf0\x1a\x20\xb2\x9a\xdd\x55\x56\x07\xc3\x8b\x15\x4a\xa8\x13\x5b\xed\x6e\x58\x99\xa0\x73\x12\xee\x38\x03\x6e\x20\x5a\x1d\x95\x2e\xfb\x2a\x32\x33\xe6\x59\x61\xd2\x7b\x16\x10\x9c\xd7\xf8\xed\xe9\x9a\x00\x41\x15\xd1\x36\x01\x26\x63\x0a\x6a\xbf\x8b\xa4\x6b\xb2\xac\xb7\x09\xda\x11\x50\x26\x2a\x0d\xa3\xff\x2e\x88\x94\x4e\xd7\xf4\xa9\xa2\xd3\x07\x7a\x1b\x54\xdd\xc9\x00\xa7\x4d\xec\x52\x30\xad\xc2\x0c\x80\xb7\xd7\xa2\xa2\x25\x1b\xa2\x40\x60\xe2\x9e\x3c\x52\x84\x4b\xb1\x2a\xb2\x13\x77\x97\xe5\x70\x5f\x7a\x2d\x01\x04\x06\x54\x5d\x29\xa6\x51\x1a\x98\xd9\xa1\x83\x0b\xe5\x7e\x62\x3e\x42\x6f\xbb\xd4\x68\xf6\x77\x06\x3e\xa0\xc0\x95\x6c\x59\x7e\x3b\x3b\xc5\x4e\x0c\x27\xc2\x1c\xa6\xeb\xc9\x81\x7b\x72\x54\xb4\xce\xe9\xc9\xc3\x5e\xb1\x87\xf9\x99\x88\x92\xd5\x14\xcd\x08\xb4\x17\x7c\x6f\x77\xf0\xcd\xdd\xfd\xd7\x07\x62\xc1\x1a\xbd\xc9\x82\x04\xa4\x6e\x69\x77\xe3\x22\xea\xc4\xa8\xda\xe4\xe0\xf6\x08\xb3\xc2\x09\x1d\xb5\xb6\x0e\x94\x8c\x68\xc3\xef\xdf\x2f\x82\xb3\xb2\xc3\x11\x43\x34\x98\x69\x9e\x05\xbb\x65\x50\x63\x0c\xae\x1f\xeb\xdf\x27\x69\x76\xa8\xaa\x68\xfc\xa8\x14\x08\x63\x93\x4d\xaa\xc0\x98\xfa\xc6\x80\xa2\x4d\xb1\x8e\xb9\xd2\xc2\x98\xc3\x70\x05\xd3\xde\xd2\x2e\xa9\xbf\x53\xda\x44\xf0\x3c\x2c\x1f\x2c\x28\x06\xcb\x20\xcb\xf4\xc8\xed\x62\x8a\xc1\x89\x9c\x5b\xd9\x29\x30\x1f\xc2\xd8\x51\x51\x6b\x5c\xcf\x5b\x44\xf9\xd2\x70\xd2\x28\xfa\x64\x49\xd7\x49\x6d\xf3\x3a\x02\xbe\x6a\x77\xd2\x42\x24\x45\x95\xa3\x1f\x36\x35\x96\x64\x3a\x15\xc1\x79\x44\xc5\x61\xc5\x3d\x5d\xdf\x1a\x3f\x9b\x16\xe2\x18\x47\x68\x21\x93\xf6\x67\xf5\x8b\x99\x52\xb9\x92\xe0\xda\x6d\xd5\xb0\x81\x83\x10\xa4\xad\xc6\xaf\x83\x1c\x9e\xc1\x05\x10\x33\x73\x94\xf0\x66\x37\x43\x84\x3d\xe8\x2d\x75\x9f\xe4\x2f\x56\xbb\xaa\x3a\x25\xd7\xf0\x57\x7d\x5f\x96\x85\xaf\xa8\xad\x59\x7e\x7b\xcd\xe9\x39\x8d\x11\x45\xbd\x46\x96\x89\x4c\x28\x3d\x59\xee\x40\x51\x12\xb5\xa3\x7b\xc4\x96\xba\x40\x7e\xa2\x48\x0d\xc3\xb1\xd9\x2d\x71\x48\xe5\x01\xa2\xdd\x2d\x42\x93\xf8\x65\x55\x59\xc9\xb7\x2a\xd4\x2b\xd4\x2a\x2d\x4d\x20\x77\xa7\x92\x9a\x86\x08\x1b\x35\xc6\x6c\x3d\x8b\xd6\x94\xa3\x6a\xfd\xed\x08\xb3\x8f\x62\xfe\x57\x47\x82\x3f\x18\x99\x37\x17\x50\x08\x0f\x91\x00\x52\x09\x02\x4c\x6e\x81\x0f\xd7\xf8\x34\xd8\x83\x60\x26\x99\xc5\x7c\x8c\x9f\x4d\x13\x51\x85\xff\x9e\x4b\x4e\x64\xbd\xb9\x6e\xc2\xf7\xeb\xce\x56\xbe\xbd\xd5\x28\x54\x80\xff\xc6\x87\xa8\xa6\xef\x7c\xda\x06\xed\x91\x8c\xf5\x13\xd6\x34\x07\x7b\xba\x5d\x0d\x7e\xe6\xfc\xfc\x02\x07\x5f\x1c\x82\x2a\xc0\x9e\x91\xd4\xa3\x38\x22\x1d\x9e\xdc\x4f\x79\x84\x9c\x9c\x0a\xec\x4c\x8f\xf0\xb3\x75\x96\x58\xc8\x9b\x5d\xe0\xb2\xcc\x0b\xd1\xd1\x79\x87\xba\xc3\xeb\xad\x30\x32\x90\x66\x4e\x25\x00\x40\x0c\xbc\x51\x89\x99\x72\xdd\xa4\x01\xf3\x7c\x4e\x6d\x1a\xda\x19\xd0\xc0\x6e\x09\x0b\xb4\xa6\x1a\x6c\xba\xb0\x5b\xa4\x93\xba\x4a\x28\x40\x7a\xa4\xed\x85\x96\xa0\xa2\x4e\x50\xe3\xf6\xf8\xc7\xab\xbe\x92\xdd\x26\xbb\xcf\x19\xf7\x37\x78\xcc\x39\x91\xfb\x2f\xf6\xd8\xc9\xed\x6f\x32\x6a\x13\xb3\x4a\x0a\x6e\xb5\x7f\x39\xa7\x0a\x44\xd8\x26\x57\x88\xb0\x1d\x21\xf2\x18\xae\x10\x76\xd9\x9b\x76\xb3\xbd\xd0\x3e\xda\x9f\x5e\xb6\x3b\xf8\xa7\x5d\xd6\x05\xb7\xcc\x96\xe0\x01\x28\x50\x81\xf6\x06\x28\x0b\x23\xa9\xc4\x49\x3d\x6d\xcb\x75\xa2\x76\xea\xc1\x1b\xce\x49\x29\x87\x10\xbe\xfa\xe4\xdd\xdd\x68\x35\x8c\x45\x52\xc8\x1d\x67\x92\xc3\xad\x63\xba\xcf\xd5\x74\x51\xfa\x65\x54\x68\x21\xa6\x74\xa7\xd0\x3a\xa2\x66\xa0\x41\x39\x69\x81\x91\xd4\x9a\x95\x02\x9c\x2b\x18\x33\x2d\xfc\xe5\x4a\x08\x3b\x9d\x7c\x6a\xf5\x60\x55\xfd\x41\xd0\xd1\x72\xaa\x19\x73\xa2\xb9\xbe\xd4\x2d\x74\x37\x60\xbd\x14\xd8\xdf\x62\xd8\x89\x9e\x98\xa5\xdd\x4e\x7e\xec\x69\x81\x2c\x2c\x78\x46\xd5\xc2\xdd\x97\x57\x57\x0f\xca\x6b\x5a\x8b\x3c\xc6\x9f\x16\x58\xd5\x0b\x9e\xb1\x58\xb5\x5a\x8d\x2c\x17\xfa\xd3\x1c\xda\x55\xae\x10\x1d\x60\x54\x54\x44\xff\x21\x06\xfb\x55\xf7\x73\x7f\xe7\x46\x4d\xd5\x1f\xe4\xe0\x47\x97\x86\x81\x5c\x87\xc6\x56\x31\x25\x13\x3a\x8c\xac\x7c\x16\x0b\x85\x05\xe0\xfd\x20\x77\x3f\xa8\x29\xdf\x77\xdd\xbf\x24\x54\x28\x3d\xae\x07\x7a\x11\x13\x33\x07\x8e\x89\xb3\x5d\x58\xcb\xc0\x16\x1d\x5f\x57\x9c\xd0\x7f\xea\x05\x5f\x00\xaf\x95\x83\x77\x52\xde\x8c\x90\x0b\xd1\xd2\x16\x9b\xdd\x38\xee\xf1\xbb\xbb\x61\x4c\x4e\x43\x51\x5b\xae\x55\xd1\x03\x4f\xa6\x0c\xc7\xe9\x59\xa5\xc8\x89\xc0\x7a\x22\x18\x04\x72\xec\x9c\x8f\x9d\x22\x06\x3d\x9d\x66\xcb\x61\xa2\x81\x18\x95\xf0\x71\x84\xe4\x9f\x8c\xb3\x47\xe9\xc4\x67\x6d\x8a\xf8\xf5\xf1\x2b\x60\x8a\x78\xfe\xf8\xd9\x72\xc1\x5b\xb1\x46\xc0\x19\x42\xab\x8f\xca\x34\x61\x53\x35\x18\x04\x73\xb4\x6f\x19\x42\x8f\xc1\x96\x80\x19\x47\x23\x8d\x8a\x5c\xc4\x4d\x8c\x66\xd1\x25\x51\x7c\x9a\xb2\x76\x44\x39\xef\x88\xac\x99\x66\x6d\xfc\x3a\x99\xcf\x74\x76\x91\x3a\x17\x97\x4a\xce\xf5\x0a\x55\x87\x3c\x24\x89\xd0\x13\x1f\x80\x9c\xf1\x9c\x25\x0f\xe1\x79\x69\x6a\x3a\x2b\x78\x58\xd7\xf4\xb4\xd6\x8a\x79\xf4\x0e\x4f\xa9\x94\x46\x61\x9e\xa7\xf5\x28\xd4\xd1\x02\x41\xd6\x4d\x20\x52\x27\x90\xf3\x22\x38\x80\x1b\xc0\xc1\xe0\x71\x1c\x81\x66\x30\x2d\xbe\x70\x3a\x4d\x6a\xfa\x48\x99\x90\x1f\xe3\x41\xdf\x04\x09\x8e\xf1\xe7\x30\xce\x03\xe8\xb0\x93\x17\x3a\x99\x80\xf5\x90\x07\xc7\xf8\xd3\x18\xe7\x1c\xee\xca\xff\x0b\x56\x44\x2f\x38\x66\x55\xa1\xaa\x6e\xe0\x91\x1c\x8a\x0a\xce\xa6\xc5\x4c\x62\x6e\xe1\x96\xa5\xcb\x82\x6b\x07\xf4\x6d\x2e\xeb\x4e\x7f\x3f\x03\xfe\x7d\x2e\x93\x7f\x3d\x57\x1e\x70\x94\x5a\xe8\x40\xe8\x80\xb4\xda\x7e\x5f\x96\xfb\x11\xb6\x61\x91\xac\x46\x59\x9a\x48\xb1\x85\xdd\xd9\xc9\xd2\x06\xf6\x68\x5e\x84\xcb\x51\xb2\x1c\x3c\xee\xa1\xeb\x56\xbb\x36\x03\x7b\x76\xb3\x6e\x85\xda\x5b\x3d\xab\xda\x30\xb8\x7f\x37\x61\x7e\xd9\x22\x03\x3e\x2e\x9e\x29\x83\x4a\xae\x60\x68\x64\x7f\xba\xb0\xe8\xb9\x91\xd7\x97\x68\x7b\xfa\xd0\x5e\xc6\x6d\x2d\xaf\xd3\x81\xd4\xf1\x13\xa1\x68\xa7\xc9\x3c\x41\x93\xbc\x6a\x6f\x70\xd8\xb9\xa2\xb3\x5a\xcb\xf9\x79\x21\x6f\xc0\x73\x10\x96\xba\xee\x69\xc0\x8c\x75\x6f\x4f\x21\xda\x9d\x38\x2c\xdc\xb4\xa1\x5f\x62\xec\x55\x15\xf6\x88\x76\x94\xcc\x89\xb0\xd1\x53\x1e\x9d\x7f\xd2\x24\x07\x18\x13\x01\x67\xac\x6e\xdb\xc6\x3c\x26\x07\x8f\xec\x24\x82\x38\xe6\x89\x58\x8b\x7b\xfa\x2c\xa1\x2b\x0c\x91\x01\x66\xef\xc1\xb0\x5b\x65\x33\x82\x39\xde\x84\x20\x3c\x13\x52\x54\xcf\xc2\xbc\x05\xf1\x55\xb2\xf8\x48\x81\xdd\x5a\x96\x47\x0b\x95\xdb\xde\x2f\x0f\xf0\xfd\x76\x00\xe6\xa0\x17\xe4\x14\xcf\x53\x88\xdf\x20\x70\x62\xa8\x50\x89\x2b\xe1\x97\x3d\xf6\xaf\xe5\x71\x5b\x4e\xef\xdb\xa3\xbc\x48\xb3\xde\xe9\xa8\x1d\x15\xfe\xfd\xba\x67\x5e\x81\xfb\xae\x81\xda\x89\x1b\xbc\x85\x8f\x12\x8c\xb7\x3c\x97\xc8\x2d\x5f\xae\x27\x9e\x91\x8d\xd5\xc6\x95\x00\xc3\x3d\xee\x32\x0d\x64\x66\xea\x46\x79\x4b\x3b\xa0\xc4\x05\x84\xb8\xe2\x10\x4b\x05\x26\x6a\x9b\xff\xc9\x6d\x3a\x30\x96\x58\x2d\xf8\x94\x0d\x97\xf2\xfe\x2b\x01\x97\xf2\xd7\xde\x34\x4d\xff\x32\x60\x8a\x0e\x33\x28\xa3\xa4\x98\xb9\x68\x93\x86\xd9\x06\xcc\x25\x61\x1c\xc8\x8d\x1a\x9f\x29\x06\x44\x2c\x71\x35\x75\xf7\xe5\xda\xe2\xbb\xcd\x30\xad\x2d\xad\xf8\x6b\xe1\xdf\x49\xbd\xb8\xd9\x0b\x46\x98\x5e\x36\xfe\xdf\x55\xb6\x10\x72\x3d\x9b\x36\x16\xe8\x05\x48\xa1\xfd\x74\x65\xda\xb5\xc7\x0f\x61\x7b\x2d\x33\x4f\x83\xb1\xd8\xac\x20\xb8\x8d\xf7\x6c\x63\x0d\xaf\xa7\x9d\x9e\x4e\xef\x94\x85\x81\xa9\x4b\x0e\x8e\xc9\x66\xb2\x75\x0e\xab\x23\x91\x84\x5a\xc9\xfd\xfd\x60\xab\xb7\xdf\xc5\x40\x2e\xf7\x29\x3b\xd0\x6c\xe2\x32\xa2\xde\x4d\xc8\x40\x3e\x95\x09\x39\xc9\x41\x80\x99\xcb\x10\x39\xa7\x2a\xcb\x5e\xed\xb1\x6b\x30\x51\x7c\x5e\x05\x71\x3d\xcf\x63\x37\x0e\x3f\x2a\x97\x85\xe8\x79\xe7\xe5\xe0\xc4\x74\x42\x89\xe7\x5c\x45\x85\xe1\x8a\xc5\x00\x6c\xf0\xfb\x4b\x2d\xcb\x91\x60\x64\x27\x48\xc4\x1a\xfc\xaa\xb1\x2f\x56\xd8\x0f\x0f\x98\x01\x08\x9f\x88\xe0\x94\xfe\x2f\x56\x82\x27\xad\x5a\x17\x6c\xcf\x3e\x6f\x87\x1d\xe0\xb6\x00\xb1\x9d\x85\x6b\x7c\x09\x70\x2d\x1b\xf8\xa4\x66\x98\xb7\x73\x3f\xc9\x91\xcf\xf0\x99\xd9\xb0\x68\x39\xd2\xfc\x57\x3c\x16\x33\xeb\xa6\xff\xcc\xe0\x4e\xf3\xcb\x81\x89\x23\x26\xb7\xbe\x68\x5f\x1d\xc8\xae\xab\x81\x13\x53\x56\x16\x4e\x30\x8e\x76\x3e\x4f\xc7\x90\x3b\x82\x5b\x40\xaf\x6f\x0f\x66\x06\x34\x2e\x5d\x85\xf0\x79\x3c\x0e\xa3\xb6\x15\x9a\x6a\x17\xfa\xc0\x38\xbb\xce\xe6\xe4\xc4\x10\x62\xa0\xa9\x39\x58\x9b\xa5\xd0\x74\x08\xa0\x3b\x1d\xe5\x85\x7f\x71\x4f\x70\xb4\xef\x2a\xca\x57\x17\x6f\x4e\x47\xb5\x53\x7c\x5d\x6d\xdd\x1b\x03\x18\x79\xa7\x0f\x3f\xb9\x7b\x27\xd7\xfa\x72\x61\xa0\x0b\x86\x1d\xeb\xaf\x04\x3f\xa2\xc9\x07\x0a\x8b\x2f\xce\x19\x2f\xe1\xa4\xb6\xdc\xc8\x8e\xb2\x23\xc3\x09\x5a\x87\x4f\x86\x1d\xe8\x8b\xcb\x80\xbe\xf8\x4d\x1b\xfa\xe2\xe3\xdb\x61\xc5\xe9\x67\x9d\x09\x7e\x5c\xe3\x5e\x20\x0f\x89\x22\x9b\x79\x88\x20\x2f\x2e\x7a\xad\xcd\x53\xfd\x4f\xfa\xc7\x27\x9d\x5c\x7e\xae\x39\x72\xcd\x14\x2b\xd1\xe4\xf6\x49\x19\xc6\x3e\x58\x92\x55\x9a\x3f\xb8\x8f\x3a\x18\x64\xd5\x8b\xc6\x83\xe9\x41\x37\x06\x89\xab\x61\x94\xe7\x83\xc5\xd6\xa7\x77\xc4\xd6\x65\x8b\xad\x55\x25\xb6\xda\xc1\x8f\xce\x0c\x12\x5b\xe5\x21\xd9\x8e\xe0\x1a\x3e\x33\x76\x04\xd7\x8e\xe0\xda\xa6\xe0\xda\x1e\x9d\x37\x88\xaa\x12\x72\xc9\xbb\xaf\x62\x77\x3d\x38\xe1\xd3\xfe\x17\xf6\x06\x2f\xac\x0c\x25\x82\xce\x6c\x3c\x77\x17\xaf\xcf\xd8\x08\xc4\x85\x4e\x6a\xc5\x6e\x9a\x38\xc2\x1a\xe7\x33\x05\xa1\x7b\x83\x8b\x71\x49\x94\x20\x45\x6e\xae\x41\x44\xaf\x7c\xe2\x96\x1a\xfd\x40\x7a\x69\x79\x5e\xb6\xa9\x88\x57\x0f\xd6\x0e\x1e\xad\x6a\xfe\x92\x26\xa4\x6a\xb5\xd3\x55\xf0\x18\xcb\xbb\x87\x0e\x61\x60\x93\xdb\x7e\x85\x45\x7c\x70\x38\xd9\xb5\xf2\xfd\xae\x7b\x00\xbd\xe4\x5a\x5c\xf6\xb0\x3b\xac\x29\x7b\xeb\x65\xa2\x4c\xb1\xf7\x2a\x7c\xa7\xb7\x7b\xac\xf5\x50\x84\xc7\xc3\xb9\xf6\xa6\xbc\x9f\x97\xbd\x50\x5c\x6c\x9a\x99\xdd\x8a\x50\xd6\xc4\xec\xec\x23\x06\x97\xe9\xe7\x3d\xf6\xec\x87\xa4\xca\x08\xe9\x34\x3d\x10\x6e\xb1\x8c\x11\xb2\x51\xf2\xc7\xce\x1e\xbb\xc3\x10\xf3\xb0\xed\x75\x17\xbd\xb5\xcd\xb7\x87\x05\x7f\x6e\x52\x61\x56\x0d\x9b\xc4\xce\x56\x00\x2b\xc7\x68\xbf\x83\x64\x1d\x63\x7f\xcc\x6c\xe6\xc9\x9a\x4b\xa8\xa0\x97\xdf\x42\xba\x22\x28\x3a\xdd\x7f\x17\x0b\xde\xe1\x59\x17\x78\x58\x14\x98\xc8\x2f\x25\x81\x79\x5f\xf0\x90\xe8\xfa\x20\x57\x17\xa3\x25\xba\x00\x58\x8f\xa1\x4d\x76\x19\x7a\x90\x28\x4a\x04\x48\x9d\xb4\xb5\x51\x79\x4e\xb0\x38\xeb\x1b\x69\x46\x81\x5b\x6a\xab\x40\x9c\x50\x2d\x55\x06\x89\xe9\x7f\xd8\xd1\xa7\x77\xd6\xfa\xc3\xa8\xd7\x5e\x51\x1d\xe1\x3e\xa5\x23\x3c\x87\xdd\x3a\xdc\x6a\xba\xe9\xa2\x86\x9d\xff\x46\xf0\x3f\x61\xb6\xf2\x60\x68\x2e\x15\x26\x81\xa1\x95\x3a\xfc\x9e\x3d\x60\x36\xfe\xb7\x78\x6c\xfa\x72\x2a\x82\xfb\xf9\x53\x0c\xc4\x6b\x33\x82\xe0\xd0\x28\xd1\x99\xe5\x98\xfa\xe2\x32\xbd\xda\x4e\x7a\xcd\xae\x89\x91\x27\xb6\x48\x6a\xd4\x2e\x7a\x2b\x9b\x8b\xda\xdb\xfd\x53\x5a\x13\x2f\xd5\xb9\xa4\x90\x5b\x55\x1f\x24\x7c\xd9\x5f\x3c\xd2\x81\x11\x1c\xc4\xcc\x4d\xfc\xdb\xd8\x7d\x1f\x7b\x64\x70\x8b\x7d\xa1\xe4\x55\x88\xc3\xbc\x00\xc4\x5e\x07\xf8\x0c\x43\x6f\x91\x73\xb8\x46\xb8\xc4\x8e\xc8\xfb\xda\x23\xd8\x77\x2a\x6c\x8f\x14\xff\x52\xba\xf8\x5f\xaf\x6c\x3c\x48\x7d\x75\x3c\x49\x6f\xda\x55\x0b\xde\x56\x51\x05\x22\x07\x3d\x6e\x00\x7c\x39\x4e\x97\xc2\x58\x51\x20\x2b\x8c\x91\x41\xe1\x01\x61\xd2\xb3\x71\x2b\x74\xa6\x50\xa1\x53\x1a\x4d\x55\xac\x54\x11\x6b\x6a\x52\xec\x19\xc8\x86\x7a\xda\xee\xa4\x09\x1c\x3f\x08\xc4\x81\xa7\xdd\x42\xd9\xc2\x55\x58\x84\xcd\x46\xce\x63\x91\x2c\x17\x90\xfe\x7e\x77\x57\x20\x25\x6d\x3d\x4e\xbb\x0a\x05\x84\x28\x45\x57\xa3\x3a\x26\x69\xdc\x39\x3b\x8f\x9f\x8a\xd3\xb0\xb1\x14\xc6\x61\x52\x17\xd9\x06\x1f\x9b\x00\x76\x6a\x1a\x05\xff\x43\xde\xc6\x4b\xb4\xaf\xd3\xf5\x32\x37\x5d\x5e\x68\x79\x69\xfa\xbb\x9f\x96\x5d\x4f\x89\x95\x72\xe7\x96\xc8\xd8\x5b\x51\x91\x5b\xd4\xeb\x14\x00\x33\x93\x2c\x67\x26\x44\x79\xa2\xc6\x5e\x5b\x61\xa3\x9d\xb4\x91\xfb\x2f\xdb\x80\x5d\x60\x33\xd6\x79\x6c\xc0\x6f\x7a\xe0\x70\xd9\xb8\xfe\x0f\x12\xad\xfc\x95\xe6\x95\x67\x6f\x18\x61\x7b\xd4\x76\xe6\xbf\x6c\x64\x9b\x6b\x4a\xa9\x6f\x4e\xff\xfc\x5a\xc5\xc2\x17\x30\x7d\x64\xa8\xb7\xb1\xb3\xf6\xe7\xdd\x7a\x0b\x00\x57\x20\x78\xc4\xc9\xd8\xd3\x7b\xa0\x94\x90\x40\x9b\x9d\x4f\x98\xdc\x38\x6b\xbd\x6d\xbb\xc7\x21\xe3\xff\xf8\xec\x79\x40\x94\x11\xed\x34\xeb\x4d\x00\xee\x49\x4b\x93\xba\x87\xb2\xe7\xba\x11\x06\x92\x3b\x5f\x43\x5d\x06\x11\xb6\x10\x9f\x91\xab\x95\x9d\x76\x74\xf6\x4d\x91\x76\x50\xc1\x92\xad\x32\x8e\xfd\x22\xe5\x89\x5c\xf3\x31\x97\x03\x2a\xeb\xa9\x3e\xa8\xd8\xa7\x05\x0f\xe4\xc4\x0a\x38\x81\xe6\xb3\xb7\x57\x08\xd5\xfb\x4d\x95\xe0\xa7\x2a\xc5\x00\x5c\x6f\xea\x4a\x85\xb2\x2f\xc5\x8e\x9a\x15\x94\x15\x19\x68\x98\x2d\x35\x56\x41\x95\x07\x4a\x16\xca\xbf\x71\x89\xca\xbf\x66\xe1\xeb\x69\xc6\x03\xeb\x59\xe8\xd6\x7a\x9a\x21\x0b\x74\x43\x4d\x78\x15\xeb\xa5\x69\x58\x0b\x0b\x76\x1f\x75\xe3\x01\x9f\xd6\x44\x5b\x16\x5b\x78\x62\x20\x96\x08\xcb\x6d\x72\x59\xee\x0b\xb7\xcf\x4e\xeb\x02\xce\x50\x57\x45\xb9\x22\x11\xb0\xb5\x91\xdf\x1a\xb1\x30\xff\xd4\xb7\xfc\x0f\x8c\xb0\x27\x6d\x6b\x32\xf7\x55\xd7\x99\xd5\x5f\xab\x18\x37\xe4\xc3\x32\xbf\x0d\xba\xba\x0d\x34\xf7\x2f\x6f\xd6\xbf\x75\xd4\x21\xc2\x32\x70\x71\xb4\x35\x1a\x42\x84\xef\x8e\x04\x53\x33\x03\x95\x3c\xc3\x2b\x40\x00\xc5\xf4\x6e\x6d\x43\xc6\x83\xfb\x47\x58\x6e\x40\xe8\x5a\xc1\xd3\x14\xfc\xed\xa0\x82\x01\x18\xc5\x2a\xb9\x14\x40\xdc\x57\xad\x90\xb7\x44\x18\x17\x2d\x5e\x6f\x89\xfa\x8a\xe3\xa7\xbe\x47\x6b\x9e\x9d\x40\xe9\x4c\x65\xd0\xfe\xfe\xef\x41\x26\x99\xda\x0b\xe4\xdd\xe0\x76\xf8\x00\x84\xb6\x2d\x64\x5d\x58\xe8\x40\x19\x10\xc0\xce\x1f\x50\xb4\xbf\x9b\xde\x71\x96\x44\xcc\xa9\xe0\xa6\x05\x12\x2a\x5b\xfb\xe6\x31\xf3\x3d\xbb\xbc\x3a\x1b\x83\x6c\x60\xff\xa9\xc1\x19\x43\x51\x81\x40\x47\xf5\xb4\x21\x36\xe9\x37\xb7\x97\xac\xf7\x9c\x4a\xbf\x65\x8c\xed\x1f\x14\xde\x92\xa5\x98\x04\xe1\xf0\x74\xfe\xaf\xd1\xe0\x47\x1c\x9a\xce\x8e\x7a\x4c\xb1\x06\xe2\xcc\x73\xa6\xc2\xc7\x46\xd9\x6f\x8f\xb0\xbd\x0d\x0c\x61\x3a\x93\x36\x84\xff\x89\x11\x15\x5b\xf5\xce\x11\x79\x81\x2f\xc9\xd3\x9a\xc1\x2a\x29\xe4\x14\xa7\xd0\x66\x58\x12\x2a\xd4\x0c\x78\x06\xa5\xe6\x4f\xa5\x51\xb4\xd1\x12\xe6\xf7\xd4\x0b\x75\x54\xd6\x91\x55\x07\x0e\x1c\x38\x00\x8b\xee\xc0\x0d\x37\xdc\x80\x59\xaf\x0d\x51\x8f\xda\xfd\x0f\xc2\x53\xd7\x1f\x3c\x58\xe3\x4f\x99\x3e\x73\x9a\x00\xd5\x72\x4c\x21\xc6\x92\x21\xe5\xdc\x7e\x39\xaf\xf2\x27\xcd\x9f\x3b\xab\xa0\x7f\xf2\xd2\x5d\x8a\x2b\xa4\xe6\xd5\xf8\x89\x28\x83\xe8\x1a\x20\x35\x33\xa0\xb5\x10\xa5\xa1\xf2\xa6\x42\xc8\x28\x51\xa6\x0e\x44\x4b\x44\x40\x31\x08\x26\x6b\x03\xd0\x21\x9a\xc2\xeb\x69\xd2\x8c\xa3\x3a\x02\xe0\x52\x02\x9b\x92\x22\x18\xa7\x05\x65\xe1\x6e\x10\xc5\x10\x73\x2f\xaa\x1c\x72\x82\x9b\x39\x84\xc9\x57\x6d\x84\x89\x6e\xac\xcf\x48\xa9\xca\xf8\xa2\x91\xc9\x45\x89\x6d\x3e\x62\xbb\x15\x55\xd1\x33\x83\x1f\x54\x5e\x33\x9a\x03\x34\x29\xca\xa8\xb6\xd7\xb3\xc3\xec\xe0\xa6\x71\x55\x38\xdf\x66\x75\x11\xec\xe5\x23\x8e\xe3\xd5\x40\xd8\x68\x3e\x3f\x32\x00\xdc\x1e\x25\x45\xee\x7f\xb9\x12\xdc\xe1\x5c\x51\x74\x9f\x39\x6f\xc1\x4f\x6b\x1b\x68\xa5\x6b\x00\x1d\xa6\x2c\x08\x56\x92\x65\x9a\xe4\xdd\xb6\x8a\x50\x57\x33\xf9\x05\x15\x76\x6f\x85\xed\x69\xa6\xd9\x53\xd3\x44\xe4\xfe\x77\xbc\xe0\xc5\x9e\xfa\x55\x32\x36\xdf\x93\x26\x80\x74\x0c\x83\xb8\xc1\x17\x60\xa0\x53\x8d\xcc\x9a\x76\xd2\x38\x5d\xee\xf1\x70\x4d\xce\x88\x2c\xed\xe2\xe0\x9f\x09\x7b\x1a\x4f\x50\x6a\x0c\x17\x20\x48\x33\x6d\xf2\x1b\x01\xfd\x2b\x12\x6e\x16\xeb\x51\x76\x84\x1d\x1a\xda\xd5\xfd\x5d\x78\x0a\xdb\x70\xd1\xbb\x76\x28\x0c\xce\xb8\xbf\x3b\x2c\xd2\x76\x54\x67\xec\xa7\xf7\x3a\x00\x28\xcd\x38\x5d\xa3\x80\x2e\x5d\xe0\x9d\x5d\xd1\x8d\x92\x65\x27\xdf\xd6\xff\x3a\x0b\x8e\x0f\xba\x61\x21\xa2\xb9\xf0\x0f\x9d\x30\x0b\xdb\xa2\x00\x68\xda\x34\x83\x43\x59\x94\x2c\x3b\x43\xf2\x6a\xc6\x7e\x66\x8c\xed\x69\x85\x49\x63\x3e\xba\x47\xf8\xaf\x1d\x53\x92\xe5\xff\x1b\x5d\x54\x57\x17\xc9\x1a\xd5\x46\xb2\xb5\x3c\x2a\xa2\x55\x1d\xd0\x89\xc9\xf3\xf4\x5d\x15\xb1\xdf\xea\x36\x9b\xb1\xfc\x97\xa0\xda\xd3\xa6\xd1\x33\xa2\xa4\x48\xf1\x80\x98\xd7\xb8\x62\x63\xa2\xba\x59\xb9\x23\x10\x5d\x15\xe5\x26\x18\x09\x31\x2a\x2d\x8b\xc4\xbe\x9c\xcb\xbe\xb3\x39\xec\xf7\x6b\x9b\x59\x27\x8c\x32\xc8\xc4\x6f\x85\x79\x4b\x34\xf4\x42\x95\x3f\x49\x74\x59\xc9\x57\xaa\xc2\xb6\x0f\x1b\xab\x48\x52\x4b\x8a\x2f\x00\x8d\x50\xbb\x61\x1e\xdd\x63\x2b\x52\x2d\x91\x09\x3a\x12\xe9\xa4\xa0\x9c\x77\xba\x05\x36\xd7\xc2\x05\xc9\x5b\x69\x06\xc6\x49\x2a\x1f\xa4\x18\x20\x16\x27\x8d\x1a\xb7\xfa\x5c\xa1\xac\x24\x29\x8f\xa5\xee\x44\x44\x4f\x8b\xf8\xde\x22\xca\x1e\xb3\x20\xf2\x68\x39\x81\x08\x67\x84\xe4\x95\x63\x25\x3b\x24\x4f\x49\x98\xf1\xa6\x58\x93\x3b\xda\x6a\x0f\x7a\x2d\xe7\x8d\x14\xa3\x64\xa5\x9e\x2b\x95\xdc\xb6\x85\xf0\x87\xdf\x90\x87\xbc\x79\x21\xb4\xbf\x6a\xb2\x19\xd6\x01\xd6\x2c\xad\x77\xdb\xda\x54\x6b\x45\x7f\x83\x39\x7c\x55\xf0\xe5\x6e\xd4\x08\x81\x73\x2e\xb1\x50\x08\x14\x0c\x1f\xf4\x93\xc6\xe4\x6b\x85\x48\x19\x89\xb1\xe1\x38\x32\x72\x61\xba\x02\xf3\xd5\x15\xf6\x48\xa8\xd4\x69\xb0\x31\x60\x88\xb1\x1d\x7c\xbd\x58\xbe\xbb\xa8\x0e\x28\x6a\xb5\x9b\x00\x64\xa3\xf2\x52\x6a\x1d\x86\xd7\xae\x85\x91\xa2\x76\x0e\x01\x05\x36\x21\x3b\x86\x8e\x1b\x75\xa7\x22\xf4\x6a\x11\xb5\xc5\xe3\xb8\xb8\x00\x59\xc8\xa6\xe0\xcc\x64\x66\xaa\xe6\xba\xd8\x39\x6a\x19\xc9\x93\x52\xd3\x0d\x57\x86\xdc\x12\x75\x76\xa2\x8e\xc1\x4a\x5e\x5f\x0a\x5d\xfe\xfd\x0a\xdb\x85\x43\xe5\xff\xa6\x86\x16\x7a\x7f\x45\x4d\x91\x7e\x96\x53\x9a\x73\x1a\x4d\xc6\x6d\x11\x06\xd3\xd2\x33\x0a\xd4\xa9\x21\x3a\x22\x69\x20\xd0\x73\x58\xa0\x92\x6f\x3c\x02\xc6\x08\x30\xa8\x65\xf3\x8a\x2c\x1b\x91\x80\x28\xdd\x34\x5a\x15\x31\x24\x69\x13\x18\x2a\x2d\x3e\x2d\x2c\x70\xa9\x02\x45\xc1\x0a\x09\x14\x2b\xe8\x5b\x6e\xac\xa2\x68\xa5\xb0\x12\x2d\x13\x18\x88\x02\xe5\x06\x88\xb2\x4c\xc4\x62\x35\x94\x4a\xdd\x16\x26\xdb\xd1\x23\x6e\xbf\xae\x8f\xb3\x1f\x1d\x1c\x92\x32\x8f\x7f\x9a\xa0\xca\xbf\xde\x13\x1c\x29\x5f\x1c\x14\xa4\x44\x65\x6c\x1c\x52\xf9\xd1\xdd\x3b\xae\x80\x9d\x10\x17\xa4\xa3\xda\x71\xaa\x5d\xa6\x53\x2d\x55\x41\x6a\xcd\xe0\xda\x81\x41\x6a\xf6\xb2\x15\xdb\x40\x8d\x1f\x22\x0e\x2e\x7a\x8d\xcd\x5d\x21\xd3\xfe\xad\x9b\x05\x25\x95\xa5\x49\x39\x20\xe9\xe2\x38\xbb\xf9\x12\xcd\x47\x78\x0a\xfd\xf0\x78\xf0\xbb\x23\x1b\x3e\x62\xe9\xe2\x94\x0a\x8f\x36\x9c\x34\x19\x60\x5c\x1a\x60\x2b\xaa\x42\xee\xd0\x26\x56\xa6\xea\x15\xb2\x98\x5e\x31\x3b\xb4\xdc\xb0\xbe\x2f\xed\x50\x9c\x9f\x4b\x28\x8f\x25\xc0\xaa\x92\xf5\xd2\xd2\xfe\x20\x8b\x8d\xb2\x1e\xc6\x5d\xae\x22\xb5\xbb\x7c\x6a\x8c\x2d\x31\x73\xcf\x3f\x1f\xdc\xee\x20\x76\x97\x93\x8e\xfb\x58\x24\x90\x53\x80\xd4\x58\x6a\x2f\xd6\xc7\x5e\x77\xb7\x51\xaa\xc3\xb1\x60\x32\x09\x0d\x57\xb9\x5d\xb2\xe1\x36\x05\x15\x2b\x2f\xca\x9c\x08\xdf\xf2\xd8\xbf\xc3\x92\xa7\x71\x24\xcf\x17\x51\x4c\xf9\xcf\xfe\xef\x6a\xb5\xef\xe3\xde\xb0\x87\xb4\x75\xda\xf2\x30\xe8\xac\x6f\x7c\xba\xaf\x32\x34\x9f\xc3\x7a\x96\x22\x7d\x0e\x57\x4a\x04\x91\x52\x6b\x71\x8a\x28\xed\x90\xac\x51\x97\xd2\xd5\x2e\x0c\xda\xa3\x44\x5f\xdf\x37\x2c\xe2\x9e\x12\x1e\xe2\xcf\x56\x98\xef\xb4\xe6\x2e\x59\x80\xff\xb2\xca\x36\xb6\xb1\x9a\x66\xb9\xbd\xb3\x1b\x26\x45\x54\xf4\x82\xcf\x7a\xfd\x85\x3e\x28\x9d\x03\x1d\x92\x85\x6b\x54\xdc\x7e\x95\xbf\x0b\x5a\xda\x46\x7d\x35\x51\xe5\x79\xd4\x8e\xe2\x30\x53\xcb\x91\x66\xbf\xe3\x51\x80\x09\x5f\x63\x3f\x3d\xce\x8e\x6d\x22\xfc\x6e\x4f\xb3\xe8\x1e\x39\x75\xe3\xd9\xb4\x31\x4d\x0f\x88\x0c\xb4\xb5\x2f\xef\x09\x9e\x38\xe4\x3e\xaa\x59\x6a\x6f\x68\xe9\x87\x40\x2a\x85\xe6\xb1\x0d\x83\xcb\x5f\xb6\x13\x0c\x73\xd9\xfb\xf6\xeb\x3d\xb5\x71\xff\x94\x17\xdc\x30\x30\x2b\x66\xf3\xd1\xd9\x06\x26\xd9\xd6\xa7\xd0\x8e\x72\x7e\x19\xca\x79\x66\xe9\xe6\xcd\xcb\x53\xcd\xf7\x69\x65\xdc\x70\x16\x0f\x50\xd5\x6b\x17\xbd\xbb\x37\xd7\xc8\xce\xfa\xa7\xed\xe0\x14\x35\x17\xb4\x3a\xb6\x81\x38\x71\x34\xb3\x43\x14\xa2\xf2\xd5\x51\xc7\x21\xa0\x48\x53\x71\x62\x3d\x29\x5d\xb2\xb3\x5e\xfd\x5f\x1a\x0d\xee\x2c\x5d\x2b\x85\xa8\x40\x33\x43\xfe\xa4\x74\x49\x2d\x78\x50\x3b\xc0\x4f\xa9\xad\xfa\x72\x8e\x84\x7c\x60\xde\xfa\x17\x47\xd8\xf7\xec\x63\xd1\x5f\x5c\x36\x5b\xef\xbb\x36\x60\xeb\x55\xa2\xfd\xd9\xe9\x52\xee\x56\x0f\x26\xb3\xaa\xe1\x43\x47\xea\xfb\x07\x2a\xa0\xeb\xb7\x3d\x36\xb1\x39\xb3\xad\x22\xf4\x7d\xeb\xd6\x09\x7d\xa9\xb9\x0f\x39\xcf\xed\x4f\x57\xd8\xbf\x1b\x46\x01\xe1\x3f\xbf\x12\xdc\xef\x59\x5c\x80\xb6\x0f\x10\x02\x3d\xd0\xe8\xad\x14\xbb\xfd\x9d\xb8\x9b\x85\xf1\x04\x9f\x45\x8a\x0d\x32\xd3\xd9\x7c\x73\xc4\x5c\x73\x8c\x71\xce\x67\x66\x8f\xf1\xe9\x84\x5f\x19\xae\x41\x67\xb6\xde\xc1\x66\x58\x25\xea\xf8\xc7\x83\xa3\x51\x87\x90\x9e\xad\xcf\xec\x07\x5a\x8d\x34\x03\x56\x8d\x89\x41\xc4\x12\xb6\xc4\xf9\xe6\xd5\x6c\x62\x13\x3b\xfb\xa9\x38\x5d\x9b\x87\xdd\xd2\xff\xf8\xd5\xc1\xd7\x3c\xf3\xdb\xd9\xa8\xcd\xf6\x1c\x2a\xb8\xa6\x26\x5a\x51\x31\xc0\x40\x9b\x58\xc1\x1c\x2d\x65\x78\x43\x4a\x5f\x8a\x27\x13\xb0\x67\x45\x09\x32\xed\x4c\xcf\xce\x18\x79\x4d\x48\x68\xa8\xfd\x68\x38\xb5\x5c\x81\xe6\x6a\xcb\x36\xc1\xbb\x75\xc2\x08\x31\x25\xa0\x81\xf9\xb1\x3e\xc5\xda\xaa\x3f\x30\xd6\xf0\x00\xaa\xe4\x98\xcf\x02\xb7\xcb\xff\x1b\xdb\x51\x59\x76\xe2\x77\x1f\x3e\xbd\xe0\x2b\xf6\xee\xf4\x07\x97\xbd\x3b\xbd\xd6\x5b\x54\xa5\x2d\xf6\xa9\x07\x0f\x23\xbb\xfc\x3f\xa8\x8d\xe8\xdb\x1b\xd8\x25\x37\x91\x51\xb0\x35\xbd\xcf\x03\x26\x86\xc5\xa1\xc8\x36\xc3\x36\xaa\xd0\x92\x0e\x0f\xf9\x6e\xf5\x4d\x13\xd2\xfc\xe5\x0d\xc6\x78\xb3\x0e\xc0\xf8\xa7\xb7\x78\x8b\x58\x96\xee\x84\xfa\x00\x06\xfa\x87\xaf\xb5\x5b\xd7\x3b\x87\xa7\x97\xd8\x1d\x61\xdc\x2d\x25\x53\xa1\x69\x22\x93\x9a\xce\x6d\x97\x97\x14\xf6\xa4\xf9\x73\x67\xfd\x57\x78\xc1\x7f\xf6\x28\x2a\xc3\x04\xaa\x24\x3d\xc4\x70\xc5\x78\x0d\x8c\xd7\xe4\x0b\xc0\x9b\x02\xcb\x1a\x6c\x65\x9a\xd1\xe0\x18\x5f\x4a\xd3\xb8\x2a\xc5\xf7\xd1\x23\x55\xd9\x94\x10\xfe\xc0\x15\x5f\xe5\x4f\x7b\x06\x08\xf6\x66\x58\x17\xcf\x79\x6e\x95\xb7\xc3\xce\xd3\xf0\x96\x7d\x1d\x61\x7c\xa2\xb8\xc6\xbe\x55\x61\x07\x37\x8a\x7a\xaf\xdd\x26\x37\x56\x94\x01\x73\x02\x98\x78\xea\xc2\xff\x48\x25\x78\xd2\xa0\x1b\x28\x99\x33\xfd\x13\xe9\xcf\x6c\xe4\x19\x95\x67\x13\xe5\x9a\x1c\xcf\xdd\x32\xbf\xe4\xb1\x1b\x9c\x1d\x73\x22\xf8\x21\xb9\xad\x2b\xa2\x08\x6d\xdf\x40\x56\xa0\x72\x90\x13\x0c\xff\xa9\xe0\x26\xd8\x27\xca\xcf\x52\x5c\x13\x88\x49\xe8\xd5\x7d\xb3\x69\x63\x1f\x74\xc6\xbe\x79\x51\xcf\x44\xb1\xcf\x29\xef\x3a\xb2\xb6\x05\xc1\x0f\x9c\x75\x2c\x6c\x03\xbe\xbd\x9f\x8d\x74\xa3\x86\xff\x1f\x82\x7f\x7d\x7e\xe6\xc4\x86\x4f\xbe\x99\xb1\x23\xa5\x2e\x97\xc7\x20\x37\xcf\x60\x1e\x19\x1e\xa6\x81\x70\x8f\xb2\x99\xbe\x32\x1e\xcc\x0e\xb8\x8e\x31\x54\x26\xaf\x20\xcd\x30\x5a\x07\xd3\x20\xd3\x8c\xb4\xaa\x7a\x98\x28\xb8\x3e\x20\x74\x01\xef\xd9\xc0\xac\xa3\x17\xed\xd9\xd1\x5a\x76\xb4\x96\x7f\x21\x59\x47\x2f\x55\xba\xc1\xf3\x3d\x76\x6a\xc3\x6c\x9f\x2d\x2d\xc2\xcb\xcc\x3e\x7a\x8f\xd9\xaa\xdf\xe6\xb1\xdb\xaf\x40\x7d\x70\xd7\x3e\x7f\x25\x92\x90\x22\x13\xb4\x81\x32\xe4\xa2\x97\x6d\xbe\xd7\x9e\xf3\xcf\x6c\xb4\xd7\xba\x2d\x29\xbb\xe3\xfa\x1b\xc4\xd8\x5f\xed\xd9\x18\x8c\x10\x8c\xcd\x9f\xd9\x13\x4c\x3a\x57\x06\xc5\x05\x18\xe4\xb7\x21\x26\xe5\x07\x76\x4c\xca\x97\x2d\xe9\x9e\xae\x2c\xca\xf3\xc1\xbf\x99\xd6\x56\x64\xbb\xeb\x6d\x7b\x71\x8d\x55\xd9\x75\x5b\xc7\x4c\xdb\x91\xa3\x97\x21\x47\x7f\xcb\x3e\xfd\x7d\xe2\x32\x43\x36\x7e\x62\x70\xc8\xc6\x43\x76\xc8\xbb\xe8\x3d\x79\x73\x59\x74\xc4\x3f\x64\xec\xcd\x9d\x4e\xae\x05\x8d\x23\x2a\xca\x4e\xff\xb7\x5d\xcd\x6e\xda\xe4\x98\xa4\x40\x97\x4e\xcb\x7a\xbb\x91\xa3\xff\xf3\xaa\xe0\xf4\xf0\xdb\xb6\xa6\xdf\x1f\x44\x8a\xa8\x74\x6e\x9c\x98\x23\xa0\xee\xdd\xbb\x23\xa0\x76\x54\xb1\x1d\x03\xd2\x83\x6c\x40\x7a\x4d\x85\x94\xc4\x97\x56\xd8\x1d\xdb\xb2\x9f\x0c\x5f\xf9\xa0\x29\x7e\xf4\xd2\x0d\x4a\x01\xcd\x8f\x49\x25\x1f\x82\x87\xdc\xb0\x74\x5f\x45\x6b\xab\x7f\xef\xb1\x33\x57\xaa\x63\x50\x65\xbd\x7f\x4b\x86\xa6\x87\xbf\x17\x2e\x7a\xf7\x7a\x9b\xef\x3c\xcf\xf4\x9f\x3e\xb9\x2d\xf3\xd2\xf0\xfe\x19\x98\x9c\xff\xcd\xdd\xec\xf1\x56\x8f\x27\xa2\x20\x0c\x61\xdd\xe1\x94\x0a\x0d\xa1\x6d\xb3\x3a\x39\xc1\xd8\x6c\x1e\xd8\x1d\x3c\x77\x93\x67\x8c\x4f\x04\x9c\x43\xd3\xb3\x33\x7a\x93\x80\x38\x5f\xca\xc0\xd1\x81\xfd\x44\xc9\x13\xea\x8c\x75\x79\x6c\x50\x70\xed\x93\x25\x54\xff\xda\xba\x07\x62\x98\x22\xa9\x9c\x6d\xee\x3f\xef\x62\x9f\xf6\xd8\xb8\x7e\xd7\x7f\xbf\x17\xdc\xef\x9d\xb5\x71\xe6\x0b\x87\xd2\xa0\x1c\x41\x83\xe7\x2c\x6d\x78\x6a\xd4\xec\xc0\xe4\x28\x57\x59\x50\x0d\xf4\xed\x42\xcd\x38\x26\x30\x21\x1f\x92\x2a\x18\x79\xc6\x54\xb4\x75\x37\x91\x0f\x0c\x7e\xe5\x38\x36\xd9\xcd\xb2\xfb\x53\x8f\x8d\xc1\x93\xfe\xef\x79\xc1\xaf\x79\xf3\xf0\x92\xa5\x01\x44\x7a\x3f\x36\xf9\xa4\x83\xfa\xae\xcc\x88\xa0\x32\xac\x10\x70\xa6\x5c\x05\xbe\x9f\x82\xae\x81\x7a\xd1\x6a\x4c\x8d\x9f\x82\x0e\xa0\x71\xa3\x94\x5a\x74\x8c\xd9\x53\x41\xbf\xd1\x80\x49\x91\xab\x04\x5d\xbe\x1c\x16\x6e\x46\xde\x7f\xf7\xd8\x1e\xc5\x63\xe2\x7f\xce\x0b\x7e\xd9\x9b\x9e\x9d\x81\x5f\x6a\x8c\xd0\xd8\xa4\x42\xb1\x36\x18\xa0\x99\x26\xb7\xdf\x2d\x45\xe9\x5b\xc2\x52\x34\x38\x6c\xda\x6a\x54\x94\x8f\x53\x4a\x01\xcd\xf1\x82\xf9\x85\x80\xe3\xae\xe8\xa9\xb2\xc6\x64\x27\xcc\x8a\x1e\x5a\x51\xab\xce\xd7\xb2\x41\x2c\x1f\xc7\x49\x4f\x78\x5c\x50\x53\x5a\x82\x9d\x84\x3d\xbc\x2d\xa5\x42\xc0\x66\xf8\xb8\xa0\x76\x76\x40\x84\xde\xd6\x0a\xf9\xcb\x31\x76\xbd\xb5\xda\x89\x0c\x45\xad\xf4\xb9\x6e\x52\x44\x6d\x0c\x62\x55\x70\xd2\x44\x93\xe9\xbf\x6f\x2c\x88\x36\xb8\x4f\xea\x22\x6d\xbc\x0a\x75\x5a\x63\x7f\x37\xa2\x3a\x60\x75\x40\xb0\x5a\x1c\xa7\x6b\xe0\x61\xb6\xcb\xa3\x04\x87\x10\x9c\xd0\xeb\xde\xbf\x23\x83\x81\xfd\x08\xcc\x26\x67\x79\xbf\x65\x94\x7d\xa4\xc2\x86\x3e\xeb\xbf\xb9\x12\x3c\xaf\x32\xec\x2e\x79\xaa\xe1\xb6\x3a\x5d\xda\x0f\xd9\x24\xf3\x6a\x81\xe8\x89\x03\x41\xb5\xe0\x2f\x9f\x36\xa1\x78\xc1\x75\x01\x6f\x8b\x50\xa7\x22\x26\xbd\xfe\x02\x2d\x63\x48\xd5\x91\x09\x90\xff\x0e\xc4\x3e\x85\x68\xdb\xb4\xc5\x35\x3e\x9d\x10\xef\x02\x54\x53\x27\x5e\x82\x36\x59\x6a\x15\x49\x26\xc5\x05\x86\x39\x8c\x43\x59\x7b\xff\xd4\x63\xff\x96\x96\x78\xb9\x20\xff\xd3\x5e\xf0\x7e\x6f\xc8\x4d\x35\xf9\x54\x4e\x46\xdf\x7d\x4a\x68\x4d\x13\x13\x57\xb0\x60\x3d\xaf\xb0\x0d\x95\x55\x88\x0c\x4a\x43\x47\x8a\xba\xc1\xf4\x74\x12\xc5\x86\x08\x19\x18\xed\xb0\x03\x67\x53\x77\xbe\xdf\xbf\x97\xdd\x79\xa9\xfe\x95\x0d\x20\x20\x59\xf0\x1a\xef\xfb\x11\x02\x72\x90\xd1\xfd\xbd\x7b\x76\x0e\x2a\xdf\x2f\x36\xe3\x07\x94\xcd\xf8\xad\x1e\xab\x5f\x19\x68\xc8\x07\x0d\xc8\xf2\x03\xc6\xa2\xfc\x2e\x8f\x89\x07\xbb\xb6\x3b\x18\x96\xdf\x27\x66\x8d\xad\xdb\xe6\x37\xc2\x54\xe4\xdb\x42\x69\x64\xec\x35\xbb\x6c\x08\xc6\x0d\x56\x13\x28\x9e\xf9\x5d\x07\xfd\x3f\x1b\x0b\x7e\x6f\x4c\xfd\x82\xb4\x1c\x64\x45\xc4\xc0\x2d\xd8\x06\x73\xcc\x0a\x85\x18\xc7\xbc\xc8\xba\xd0\x0f\x9c\xf8\xc1\x17\xb2\x08\x70\x36\xd0\x3b\x8e\xb2\xb5\xc6\x18\x84\xcf\xad\x88\x1e\x40\xc5\x20\xcf\x79\xc8\xf7\xd5\xf6\xf5\xcb\x47\x3a\x03\x00\x9f\x19\x8e\x26\xa8\x3a\x61\xbc\x16\xf6\xa4\x3c\xec\x90\x97\x1a\xb7\xee\x5c\x14\x55\x84\x62\x20\xa9\xeb\x94\x17\x4a\x99\x38\x89\x25\x02\x27\x90\x68\xe3\x8e\x49\x0f\x23\x51\x3f\x50\x57\x59\x69\xc9\xb9\xdc\x13\xba\x19\x55\x3e\x3f\xc6\xf7\x35\x8f\xdd\x0c\xfb\xc2\x3e\x45\x69\x87\x3f\xcb\xca\x62\x68\x60\x77\x54\xcf\x40\xe5\xa0\xdd\x98\x6c\xdf\xe1\xfb\x56\x8f\xdd\x0c\xf3\xd0\x2a\x0d\x7f\xab\xe2\x80\xab\x85\x3f\x3b\xc7\xf8\xc4\x76\x58\x38\x29\x14\x14\x97\x0f\xea\xcc\xbe\xe8\xd8\xcd\x51\xd2\x10\x17\xac\xb2\xf0\x37\x64\x5c\x43\xf2\xa9\x32\x5b\x2a\xfd\x87\xde\xdf\xb7\x72\xec\xe6\x15\xd1\xcb\xad\x37\xe1\x27\x6e\x61\xb2\xa2\x69\x93\xdb\x1f\xdb\x97\x43\x3b\x68\x06\xe0\x1a\x8c\x32\xde\x4d\xa2\xbb\xbb\x3a\xe7\x68\x46\x7e\x69\x05\x68\x4e\x3b\xb9\x33\x50\x38\xa5\xd4\x22\x35\x03\x0d\x1b\xb8\x7c\xc3\x3e\x76\xb9\x84\xcc\x52\xdb\x62\x6c\x41\xf7\x0c\x6d\xd8\x91\xd2\x8e\xa1\xc3\xf3\x68\x59\xa3\x2c\xeb\x49\xd9\x98\x6c\x8b\x6c\x59\x4c\x36\xa2\x66\xd3\xda\xbd\xd9\x47\x47\x37\x8e\xa2\x18\x08\x62\xe8\xbf\x70\x34\x38\x59\xba\x86\xbd\x85\x1b\x41\xc7\xb6\x11\xf5\xc1\x89\x5a\x8c\xe3\xae\xc9\xf8\xe7\x47\xd8\xb7\x2b\x6c\x3c\xec\x36\x22\x79\xb0\xc8\xfd\xaf\x56\x82\xdf\xa8\x4c\xab\x9f\x6e\x2a\x86\x2c\xda\xa4\xf8\xe7\x86\x78\x45\x2b\x14\xe4\x3d\x34\xc9\x39\x9a\xe5\x8d\x02\x39\x2c\x93\x41\x5e\xe3\xea\x3b\x93\x08\x12\x31\x00\x05\x95\x12\xc9\x56\x45\x86\x6c\xd4\xf4\x41\x7c\x72\x2d\x04\x0c\x03\x91\x34\x08\x0b\xdb\x21\xda\x56\x69\x34\xa6\x2d\x09\x6e\x04\xa8\x78\x42\xae\xb7\x75\x57\x56\x80\x00\x36\xe8\x44\xa9\xee\xd1\x69\xc7\xe5\x4c\xd3\x37\xe9\x33\x16\x3c\x93\xd9\x32\x37\xd0\xd2\x6f\x60\x63\xd0\x08\xbf\x16\xfc\x87\x05\x15\xe4\x02\xc7\x85\x4e\x78\x37\xa0\xb9\x84\x19\xd0\x4d\xad\x08\x37\x21\xeb\x85\x57\xb3\xa3\x1b\x26\x4d\x1c\x1a\x96\x34\xe1\xff\xe6\x55\xc1\x6f\x7b\x1b\x24\xdd\xf4\xbb\x1c\xf0\xf4\x36\x34\xc9\x43\xb1\xc4\xc9\x2b\xed\x50\x0e\x59\x0c\x6c\xb6\x49\xb8\x2c\x94\x12\x02\x54\x49\xbc\x9e\x76\x13\xe4\x74\x4f\x7a\x56\xd2\x99\x22\x5b\x56\xe2\x17\x93\x0c\xf3\xee\x92\x39\xf9\x86\x96\x46\xad\xd2\xf3\x0c\x9f\x98\x33\x99\x2f\x8e\xef\x28\x0a\x3b\xfe\x8f\x87\xef\x58\xf1\x65\xdb\xff\xf1\xbb\x97\xed\xff\x78\xa5\x37\x34\xbb\x46\x71\xb3\x3e\xe4\xbe\x8f\x17\x28\xdf\xc7\xff\xde\x24\x20\x65\xab\x42\x09\x4e\x34\xef\xf5\xf2\xa1\x0c\x91\xca\x38\x48\xfe\x8e\x6e\x66\x04\xbb\x2a\xe3\xa1\x36\xf2\xd7\xd8\x2b\xcc\x39\xea\x85\xde\xb6\x10\x05\x87\x77\x04\x1e\x96\x6e\xc8\x75\x6c\x8e\xed\xe5\x18\x1c\x38\x64\x75\xc1\x45\xaf\xbd\xb9\x86\xff\x24\xff\xf6\x4b\xc9\xb0\xea\xcf\xae\x3a\xc4\xd8\x6f\x8c\x0c\x84\x5b\x53\xa7\x02\xd0\xb8\x34\xf9\xf1\x1b\x47\x82\xa7\x0e\xbc\x63\x2b\x5e\xfd\x50\x8a\x39\xdf\x5f\xef\x74\xab\x2a\xc3\x5c\x41\x07\x45\x19\x4f\xbb\x45\xa7\xab\x94\xb1\x75\x4f\xa3\x95\x3a\xfb\xc1\xdb\x2b\xec\x29\xec\x6a\x5d\x2c\x58\xc0\x6e\x0f\x1e\xa7\x13\xee\x41\x75\x3e\x66\xcc\xfd\x72\xaa\x21\xf2\x57\x5e\xa5\xf4\xf1\x30\xa6\x2c\x9d\x55\xbe\x1a\x66\xce\x6a\x7f\x85\xc7\x76\x37\xa2\xd5\x28\x4f\x33\xff\x05\xdb\x89\x97\x18\x90\x1b\x7c\x92\x92\x9c\x68\x6b\x72\x5a\xa7\xe6\xbb\xb2\x2e\xe9\xce\xa9\x2a\x9d\x04\x79\xb7\x0f\x06\xec\x7a\x0b\xb6\x75\x22\xf8\x21\xc5\x4e\x7d\xcc\x12\xcd\x29\x51\x23\xda\x2d\x79\xfe\x2e\xb6\x6f\x83\xa1\xa4\x62\x80\x3d\xc8\xff\xe2\x58\x30\x3d\xe8\x46\x29\x59\xae\x9e\xb6\x3b\xdd\x42\xd8\xa0\x98\xe6\xd9\x12\x16\xd9\x18\xfb\xae\xc7\x76\x21\x14\x81\xff\x4d\x2f\x78\xa3\x07\xb0\x41\xe5\x22\x15\x7a\x50\xd8\x56\xba\x44\xf9\x23\xda\x08\xbb\x6d\x9e\x47\x47\xeb\x99\x42\x05\x66\x52\x17\x3b\xa9\xa7\x50\x3e\xf5\x2e\xef\x56\xf6\xf8\xcb\x1a\x6c\xfb\x28\xf0\x62\x00\xda\xc5\x9d\xcd\xff\xdf\x95\xe0\xdd\x95\x39\xb5\xcf\x95\x1a\x4f\x6c\xb6\x1b\x35\x5e\xbb\x29\xa4\x6e\xab\xcb\x91\x5b\x71\x3b\x82\x53\x9c\x42\x59\xa4\xc6\x00\xba\x91\x3d\x85\xa8\xdb\xc1\xef\x84\x47\x1c\x45\xe7\x1a\xf7\x6c\x77\x0b\x38\x4d\xd6\xa2\x5c\x85\x6c\x6b\x35\x0e\xba\x6f\x52\x9d\x8b\x28\x38\xfd\x9f\xc9\x50\xbc\x73\xc4\xc1\x82\x53\x8b\x60\x81\x70\xec\x94\xc0\x02\x7e\x59\x6b\xe2\xfb\xdf\xaa\x04\x3f\x3e\x6d\xe0\xee\x72\x23\xd8\xf4\x33\xa4\x41\xa9\x3b\x0e\xc5\x29\xa2\x5b\x01\x8b\xab\x45\xb3\x9b\xf0\x30\xee\xb4\x42\xed\x5a\x53\xda\x62\xbd\x15\x26\xcb\xc6\x76\xdc\x95\x37\x6b\xeb\xde\xc8\x8a\xe8\xad\x7b\xbb\x50\x6f\x74\x16\xd7\xef\x78\xec\x56\x26\x6f\xfb\x37\x06\x8f\x5d\x00\x75\x74\x49\xc4\x70\xe4\xd5\x87\x29\xc3\xa4\xdd\xe9\xc4\x20\x82\x5c\xc6\xcc\x9f\xf2\x18\x15\xed\xdf\xe7\x05\xcb\xd3\x09\x87\x23\x8d\x49\x7f\xd3\x0a\xeb\xb9\xc4\x81\xa0\x32\xac\x9a\xf8\x55\x74\x60\xe0\xe7\x44\x39\xab\x91\xdf\x85\x87\xf8\x28\xe7\xe7\xe6\x40\xb3\x1f\x7a\x76\xba\x6f\x94\x1d\xb2\x86\x6a\x40\x02\xc5\xed\x0b\x0b\xb3\xe4\xb3\x9c\xeb\xc6\x04\xe0\xf0\xd9\x91\xe0\x67\x2b\x83\xee\x94\x00\x07\x8a\xa2\x63\xd8\xb2\x91\xf0\x18\xf4\xdc\x94\x2f\x85\xf5\x15\x91\x34\x72\x50\x37\xc9\x58\x22\xe7\x3e\xce\xec\x63\x53\x53\x37\xb7\xd2\xbc\xb8\x65\xea\xe6\x4e\x58\xb4\x6e\xb9\xf5\xe6\x5c\x48\xcd\xa2\x13\x66\xc5\x2d\x7c\xf2\x16\xf5\x3a\x59\x3c\xf0\xbf\xf2\xa6\x86\xf2\xe8\x66\xb1\x85\xaa\x2c\xbf\x38\x77\xea\x38\x3f\x7c\xd3\x8d\x47\xab\xea\x68\x42\xe2\x54\xc1\xab\x28\xef\x3a\x76\x75\xb8\x1c\x46\x49\x5e\x58\x6c\xdd\x3c\x6c\x16\x14\xb8\x1b\xcb\x83\xf1\xbe\x29\xcc\x60\x20\x10\x16\xb4\x84\x64\xf2\xc6\xad\xfb\x78\x9a\xf1\x7d\xd7\xee\xab\xad\x7b\x63\xb2\xfe\xee\x44\x7a\xb9\xc7\x5e\xe6\x31\xbc\xe1\x3f\xdf\x0b\x8e\x4c\x97\xa9\x4a\xe5\x1d\x35\xb7\x3b\xb6\xbe\x6e\xba\xcd\x1e\xd3\x0d\xd7\xee\x26\x63\x3a\x1b\x16\x2d\x76\xff\xd5\x4e\xe4\xaf\x13\xe4\xa0\xe2\x1b\xfc\x7b\xaf\x0e\x9e\x57\x51\xb8\xef\x03\x82\x7e\xb3\x6e\xac\xdc\x81\xc8\x79\xad\x92\x43\xeb\x69\x92\x10\xf4\x27\x12\xed\x86\x34\x95\xd5\x21\xc5\xd8\x7f\x20\x21\x94\xda\x08\x7e\x3d\xf5\x3d\xf2\xa4\x6b\x48\x46\x18\x29\xb9\xe0\x15\xf8\x7e\xce\x15\xd1\x40\xdc\x9b\x84\x4f\x80\x0b\xb5\x9b\xc5\x79\x15\xb0\xf8\x39\x81\xf1\xf3\x22\x0b\x9b\xcd\xa8\x5e\xe5\x85\xc8\xda\x51\x12\x16\x82\xcf\xcf\x9f\xae\xf2\xb4\xd9\x24\x3d\x86\x4e\xca\xab\x51\x06\x76\x75\x39\x11\x21\x9a\xbc\xa8\xbb\xdb\xed\x4f\xed\x64\x99\xee\x1c\x92\x1f\xc6\x43\xf2\xef\xd8\x87\xe4\x5f\xbd\xec\x43\xf2\x7d\x1b\x60\x20\x3c\x74\xc7\xe2\x3f\x54\x3e\xc0\xcf\x7b\x1b\xc0\xd5\x0e\x14\x51\x70\x00\x7e\xbd\x37\x6f\x1d\x80\x55\x88\x9f\xe3\x1b\xa3\xc7\x1f\xf2\xb0\xbe\x3f\x35\x47\xdd\xdf\xf5\x36\x60\x0b\x1d\xdc\x38\x3c\xd4\xae\x7b\xf3\x03\x4f\xb5\xdf\x0f\x0d\xbc\xe8\x3d\x73\xf3\x83\xf3\xe3\xfc\x9b\xf4\xc1\xd9\x6a\x68\xc9\x2f\x46\x2d\x28\xbb\xc1\xbe\x38\xea\x60\x58\xaa\xb4\x85\x39\x34\x8d\xce\x0b\x0b\xbc\xfe\xdd\xa3\xc1\xe9\x01\xd7\x4b\x87\x01\x8b\x22\x47\xd9\x57\x73\x51\x20\x0a\x6a\x5d\x64\x80\xad\x0c\x32\x62\x63\x64\xfb\x4f\x8c\xb0\xd7\x7a\xcc\x97\x7a\xc1\x42\x16\x26\xe8\xae\x59\x88\xda\xc2\xff\x09\x76\xc3\x25\xac\x4a\xf9\x6a\x70\x62\x41\xa9\x1a\x45\xd4\x16\xca\xa4\x4c\xcd\x28\xf4\x67\x14\x18\x49\x9a\x08\x15\xc1\x09\x67\x09\x38\x5a\xd4\xd8\x53\x0c\xe2\xfe\xd9\x60\x7a\x9a\xb7\xba\xed\x30\x91\x9b\x70\x03\x36\x48\xba\xa7\x3c\xca\x80\x84\x2b\x8a\x30\x8a\x73\xcb\x38\x62\x3e\xe6\x68\xb3\xa7\xd8\xae\x4c\x84\x79\x9a\xf8\x37\x07\x53\x88\x12\x1c\xe6\x96\x9d\x49\xd7\x76\x5f\x4e\xed\x18\x5c\xce\x69\xbd\x2c\x6e\x0b\xae\x1f\x82\xcf\x5f\x55\x8e\x88\x85\x4c\x6e\x67\x80\xbb\x5f\xe5\x04\xb9\xef\x94\x76\x98\x10\xf7\x1f\x1b\xfc\x9f\x0b\x3a\x82\xcc\x0c\xad\x2e\xd1\x79\xe9\x63\x7b\x1c\x13\x4c\x39\x0d\xcc\x1c\xe0\xbb\xb1\xf0\x5f\xbe\x27\x78\x8f\x67\x5f\x29\x43\x39\x85\x4a\xdb\x69\x81\x05\x1e\x36\xa6\xc8\x41\xe6\x55\x09\xa1\xe0\x4c\xa2\x6d\x11\x3d\x9a\x58\x46\xd6\x10\xb0\xff\x45\x79\xb2\xaf\xb0\x61\x90\xab\x78\x78\x21\xd8\xef\x46\x17\x1a\xa6\xd1\xfb\x3a\x69\x9e\x47\x4b\x71\x0f\xa3\x62\xe4\xb9\x36\x16\x85\x3c\xd6\x8c\xad\x8a\x6c\xc9\x9d\xb3\x9f\xd9\xc5\x3e\xec\xb1\xab\xd5\xe7\x31\x22\xec\x1d\x5e\xf0\x12\xdd\x34\x3b\x0c\x4c\xdb\x70\xd6\xa4\x44\xd0\x2d\xb5\x62\xc0\xc0\x47\x21\x3b\xc3\x3a\xfb\x70\x13\x9b\x25\xfb\xde\x0a\xfe\xb2\xf4\xea\xc8\x32\x36\x58\x31\x62\x61\x1c\x6f\x74\x72\xf9\x8a\xc7\xc6\x75\xd7\xf9\x5f\xf4\x82\x0f\xeb\x7a\x97\x7c\x6d\x56\xf4\x06\xa8\x5b\x7d\x75\x74\xbe\xa9\x4e\x84\x26\x96\x4d\xc5\x5d\xe6\x35\xc6\x83\xeb\xa6\x9a\x69\x1a\x94\xb3\x4b\x6c\x37\xcb\xbe\x66\x9a\xee\x43\x03\x01\x00\xca\xe9\x3a\x0d\x2f\x77\x83\x66\xbe\xd9\x63\x38\x76\xfe\xab\xbd\x60\xed\x2e\x91\x2d\xb9\x8d\xb3\xe8\x9b\x74\x0d\x28\x6d\x7b\x29\x47\x60\xff\x63\x7c\x59\x14\x55\x78\xa3\xca\xd7\xe4\xe9\xa6\x4a\x30\x46\x55\xd2\x67\xaa\xbc\x21\xe4\x44\xa9\xf2\x4e\x96\x5e\xe8\x6d\x67\x18\xee\xab\xb0\x71\xdd\x10\xff\x6f\xbd\xe0\x0f\x75\x64\x6a\x3e\x08\x25\x51\x07\x83\x2a\x88\x75\x39\x8f\x4b\x51\x36\x08\x1f\xdd\xee\xc6\x45\xd4\x89\xad\x58\x53\xca\xc8\x37\xd6\x93\x30\xe9\xd1\x5a\xb3\x30\x0a\xd5\xc9\xcd\x72\x5c\x8a\xa4\xdb\x16\x19\x40\xf9\x38\xe3\x21\xdf\xd7\xa5\x1b\x9c\xcd\xed\x4f\xc6\x6f\xed\x65\x37\x6e\x9e\x45\x2a\xe2\xe6\xa0\xf4\xf2\xf7\xed\x0d\xbe\xeb\x0d\xb9\x39\x20\xc7\xdc\xde\xf5\x21\x4e\x69\x70\x82\x39\xe7\x67\xd3\x02\x92\x52\x35\xfc\xb7\x8e\x8b\xc3\x58\x67\x6c\x59\x10\x41\x8c\xa7\x89\x81\xce\x03\x00\xb9\x8e\x9b\xa4\x88\x13\x16\x68\x3d\x94\x02\x77\x49\xd4\xc3\x6e\x8e\x01\x52\xfa\x50\x42\x21\x1d\xb2\xeb\x08\x0b\x14\xd9\x45\xac\x5c\xd7\xde\xe0\x5a\x0e\x0a\xc8\x7b\xf7\x4e\x16\xfc\xce\xa9\xea\x5f\x4a\x44\xe3\xcf\xab\xd3\xcc\xfd\x9b\xf8\xb6\xb6\x2e\x2f\xe0\x94\xf3\x63\x97\x9a\x09\x5f\xe3\x28\x34\xe4\xcc\x25\xa1\xaa\x22\xac\x61\x9f\xfe\x67\x97\x29\xbf\xba\xf9\x91\x63\xde\xbf\x73\x72\x6b\x69\xf1\x83\x7b\x7c\x60\x62\xd0\xbd\xa3\x9b\x80\xb6\x1e\xaa\x1d\xcf\xd2\x3c\x27\xa1\x55\x46\x72\xf9\xf4\x48\xb0\xb4\xc1\x7d\xb3\x33\x8a\x24\xed\x2e\xb7\x9c\x41\x2e\x52\x1e\x8b\x82\xf7\xd2\xae\x8a\x02\xea\x71\x8d\x7a\x92\x6d\x31\xf5\xe7\x53\x15\xf6\x7a\x8f\xa4\xc4\xcb\xbd\xe0\x5e\x6f\x10\x72\xcb\xe3\x1e\xc2\x35\xe8\xd0\x5c\xc5\x94\xcd\xd1\x08\x9e\x3c\x08\x01\xa6\xaf\x5e\x83\x3d\x21\xc0\xef\xb1\xdc\x8d\x1a\x62\xca\x0a\xb6\xba\x36\xd1\x89\x12\xf4\xb5\xa3\xce\x76\xb3\x3f\x78\xf4\x06\xc0\x37\xf6\x7b\xbf\xbe\x97\x1d\x18\xe0\xe8\x78\xe2\xf1\x93\xb3\xf2\xe5\xbc\x10\x49\x71\x22\xca\x57\x1c\xbe\xac\x57\xed\x0d\x3e\x55\x71\x08\xb3\xcc\xc3\x5c\x3e\xed\x20\x49\x3f\x31\x4d\x97\x63\xc1\x8f\x93\x8b\xea\x64\xb2\x1c\x25\xa2\xc6\xd8\x34\x7f\xe2\xf1\x93\x7c\xf6\x04\xae\x5e\xe4\xb5\x20\x4b\x34\xf8\xb5\xc8\xcc\x6e\xf9\xa8\x28\xc5\x40\x7e\x00\xde\x09\xe3\x3c\xb5\xa2\xe7\x73\xd9\xcd\xb2\x4c\x62\x6a\x82\xd5\x78\x8f\x54\xa2\x42\xdc\x69\x65\xff\xc6\x02\xf2\x0c\xe8\xd3\x72\x4b\x87\x94\x8c\x25\xfa\x28\x42\x48\xcb\xb3\xe5\xd4\x5a\x26\x8f\x09\x29\x84\x75\x65\x70\x69\x12\x1e\x6d\x4b\x9d\x4b\x9e\x67\xf3\x1a\x15\x93\x2b\x8c\x25\x9e\xae\x25\x22\xcb\x5b\x51\x87\xe2\x9e\xc0\xe1\x23\xab\x31\x7f\xf2\x74\x94\x74\x2f\xf0\x4c\x80\xf7\x43\xae\xb1\x75\x6f\x57\xa7\x71\xb6\x3c\xa9\x3f\xb8\x87\xfd\xa2\xc7\xe8\x8e\x3c\xcc\xbc\xc1\x3b\x8f\x71\x8d\xb6\x0e\x3a\x7b\xc2\xed\xe2\xe3\x27\x6b\xfc\x3c\x59\xff\x9d\x05\x05\x9d\xa5\x9e\xd8\xa6\xf3\x8d\x80\xf0\xa7\xc8\x0b\x7e\xed\x72\x5d\x74\xf4\x38\xcb\x82\xed\x89\xf4\x09\x8f\xed\x91\x7d\x74\x2e\x89\x7b\xfe\x2f\x78\xc1\xcf\x78\x73\xf4\x8b\xa3\x83\x03\xe3\x5b\x71\x5b\x16\x5c\xdf\x54\x3c\x34\x51\xc2\x71\x8e\x9d\x91\xc3\x90\xd7\xf8\x09\xcb\x17\xd9\x94\x67\xe5\x07\xa3\xfe\xe3\x6c\xf7\x52\x9a\xc6\x22\x4c\xd8\xa7\x2a\x6c\x57\x33\x97\xe7\x6d\xff\x83\x95\xe0\x9d\x95\x53\x51\x2c\xf2\x5e\x5e\x88\xb6\x4e\xe3\x02\x6d\x0d\xc9\xc0\x40\xf7\x97\xe2\x6b\x2d\x4c\x20\x0c\x10\x66\x4f\x8d\x2f\x44\x9d\x63\xfc\x64\x92\x77\x33\x61\xce\x94\xcd\x52\x51\x51\x6e\x40\xb9\xd4\x06\xd2\x02\x9a\x9f\x8e\xd4\xf1\x81\x90\x17\x1e\xaf\xf1\x93\xe8\x53\xca\x8f\xf1\x40\x5c\x28\x8e\x04\x55\x1e\x5c\x68\xe6\xf2\x9f\xa4\x68\x4a\x3d\x77\xa6\xad\x9d\xb2\xa0\xca\x64\x9a\x37\x07\x5f\xe0\x51\x93\x77\x13\x13\x23\xf7\xa0\x4e\x82\xef\x55\xd8\x78\x27\xcc\x0a\xb4\x5f\x7d\x53\x73\xdf\xfc\x7e\x65\xa1\x85\xde\x2d\x34\xfd\xd0\x82\xdd\xa4\x2f\x67\x9a\xca\x59\x5d\x75\x72\x91\xa2\x5c\x3f\x24\x7b\x8f\x4a\x91\xcb\xc3\xee\xaf\x53\x3a\x7e\x83\x4b\x69\x3e\x95\x37\xc2\x83\x55\xf8\x8c\x4a\x3e\x2d\x9c\x3a\x85\x39\x0f\x0e\x06\x35\x3e\x8f\xb0\x9f\x71\xaf\x6a\xd7\xd1\x3c\x27\x8f\xc5\xaa\x40\x59\x95\xe0\x40\xc0\xf7\xa7\x19\x94\x2c\xc5\x49\x2c\xc2\x55\x9c\xe3\x9d\x4c\x8e\x67\xd1\x43\xb5\x64\xe2\x41\x9a\xbf\x0a\xa8\xfe\x2b\xbb\xd8\x0f\x0f\x06\x9e\x3d\x71\x76\x1e\xb3\x84\xfd\x4f\xee\x0a\x9e\x65\x5f\x70\xce\x21\x27\xce\xce\xdb\xd4\x64\x08\x30\x81\xd4\x0f\x61\x43\xd9\xec\x52\xe2\x4d\x58\x16\x09\x1d\x47\x41\x6b\x3e\x71\x76\x7e\x16\x33\x0d\x1d\x61\xf6\x85\x31\xf6\x7f\x7b\x6c\x2f\xec\x56\xa8\x73\xfb\xef\xf7\x82\xff\xcb\x33\x60\x2f\xf2\xa3\x20\xd8\x48\x81\x32\xa8\xb2\x68\x4d\x8a\x2c\xf2\x88\x4e\x07\x83\x7b\xe9\x40\xb3\x14\xe6\x94\xd7\x4b\xea\xfc\xd0\x3a\xf1\x13\xca\xc8\xd4\x70\x5e\x50\x25\x67\xa2\x9d\xae\x6e\xec\x65\xfe\x40\x85\xed\x26\x0e\x09\xff\x81\x4a\xf0\x67\xa5\x26\x48\x61\x1c\xaf\x1a\xa6\xc2\x52\xd5\x21\xf4\xdb\x8a\x7f\x86\xaa\x2b\x4a\x8a\x2d\x55\x5b\x21\x03\x97\xab\xcc\xe7\xe4\x97\xbb\x78\x40\x54\x05\x42\x14\x41\x94\x70\x95\xb9\x09\x2f\xa5\xab\x22\xcb\xa2\x86\xa0\x01\x44\x2f\x27\x24\x02\xa9\xe5\x08\xb5\xb2\x47\xd2\xf4\xc6\x0d\xec\x7a\x76\x78\x53\x92\x43\x7b\x6a\xe1\xb7\xd9\x6f\x7b\x6c\x0f\x3a\xbe\x45\xee\x7f\xca\x0b\x7e\xae\xd4\x71\x78\x8f\x37\xd2\x36\xa8\x8a\x72\x71\x49\x49\x88\x14\x15\x71\x9a\xae\x74\x3b\x5b\x99\x06\x54\x0c\xba\x9d\xb7\xd4\xa1\xce\x1b\xdb\x98\x08\xdf\x64\x03\x15\xa6\xf9\x7a\x18\x8b\x99\x73\x46\x0f\x72\x14\xa6\x0f\xb2\xe0\xc4\x86\x4f\xb8\x29\x85\x66\x95\x73\x7a\x8b\xc4\xd0\xba\xb7\x7b\x39\x2c\xc4\x5a\xd8\x5b\xf7\x76\xe1\x16\xb1\xee\x8d\xe7\x80\x3f\x38\x27\x9a\xce\xda\xfb\xf4\x38\x7b\x1a\xdb\x4b\x32\x64\x36\x4d\x63\xff\x74\x70\xab\x14\xc3\xaa\x48\x22\xb4\xe1\xf2\x5e\x1f\x69\x3d\xc9\xaf\x82\x9c\xe3\x38\x3e\x8e\xbd\xf9\x5e\x8f\x31\xac\x15\x68\x2a\x79\xd0\x5c\x70\xf2\x4f\x48\x70\x86\xb1\xd4\x0a\x7a\x1a\x75\x9c\xe6\x9a\xaa\x84\xda\x16\x29\xc4\xa8\xbf\x1a\x51\xee\x72\xb0\x3a\x75\x68\xb2\x47\x9a\x4a\x9e\x80\x3a\xfa\x73\xc1\xc9\x85\x92\xc5\x4e\x7d\x6c\xd6\x34\x08\x1f\xb6\xed\xfc\xca\x2b\xaf\xe8\x7f\xec\xef\x5c\xb0\x74\x9b\x38\x78\x66\x9f\x6a\xc2\xf7\x1b\x8d\x71\xa2\xc6\x2f\x4f\xf3\x71\xb4\x92\x45\xc6\xf2\x3c\x3e\x89\xe9\xf7\xfe\x5c\x70\xe2\x54\x1c\x2e\x1b\x66\xcd\xa9\x46\x94\x83\xc5\x6a\x7e\xfe\x34\xa7\xa3\x0c\x85\xca\x42\xff\x3d\x11\x67\x8b\x0e\x0e\xc4\xea\x3a\x5f\x78\x95\xa7\x67\x09\x90\xd8\x3e\xdf\x0b\xba\x33\x03\x8f\xb0\x8a\x2b\x0d\x23\xc7\xd4\xa8\xe8\x84\xd7\x85\x56\x54\x5f\x99\xcd\xd2\xd5\x88\xcc\x59\x69\x26\xaf\x25\xd6\x25\xad\xd5\xc9\xb1\x2e\xdf\xb3\x3b\xfc\x1c\xa3\xe9\xed\x9f\x0c\x6e\x2c\x0f\xa7\xaa\x07\xcd\x9d\x30\xb7\x87\x2f\x4a\xd4\x70\x3b\x05\xbe\xd5\xd3\xda\xdd\x6b\xbd\xe0\x45\x5e\x59\xbb\x33\x5a\x87\x66\xde\xed\x53\xdb\xb6\xae\xb3\xd5\x86\x69\x6b\x56\xf3\xe1\x8e\x5d\xc5\x13\x4c\x2d\x6e\xff\xa6\xa0\xba\xa0\xca\x57\x20\xeb\xa5\xb9\x2c\xcf\x77\x34\xba\xb5\x12\x72\x97\x11\x08\xfe\xc7\xbd\x0d\x08\xb3\xb4\xec\x52\x8f\xe3\xc1\x3d\x78\xb1\xa7\xaf\x18\x94\x01\x6d\x47\xc4\xc2\x61\x12\xa8\xba\x68\x73\x0c\x02\x28\xe4\x22\x21\x2e\x52\xeb\xc8\x0f\xea\x5c\x41\x21\x6d\x49\x5a\x58\xe9\x35\xa7\xd3\xe5\x28\x51\xfd\x08\x33\x57\x2e\x98\x30\x8a\x6b\xec\x7d\xa3\xac\x3a\x28\x0e\xaf\xd7\x11\x8d\xd3\x69\x3d\x8c\xcb\x46\x89\xe7\x8f\x06\x3f\x3e\xf4\xee\x56\x4d\x12\x08\x9a\x8f\x7e\xc3\x1e\x82\x69\x28\xac\x05\x65\x4e\x8c\x92\x1c\xf7\x52\x3a\x76\x6a\xdb\xf3\x46\x06\x8b\xaf\x56\xfe\x65\xa3\x60\xdc\x46\xc6\x98\x63\xc1\xe4\xb6\x50\x30\x86\xd0\x54\x6d\x0b\x04\xc3\x2e\xe3\x8f\x46\x1d\x54\xb6\xb0\x41\x9c\xdb\x99\x58\x8e\x00\xba\xc2\xb5\x51\x42\xf4\x95\x99\x42\x6f\x1e\x0d\x1e\x57\xbe\x48\x76\xca\x12\x40\x31\x3d\x55\x8b\xc5\x72\x58\xef\x91\x45\x69\xdd\x33\x60\x34\x83\x26\xc1\x27\x46\xd8\x13\xa8\x8d\x37\x06\x8f\x5d\x94\x7f\x2c\x0e\x72\x33\x51\x54\x58\x8d\xab\xc0\x6d\x57\x3e\x5a\x88\x37\xb7\x05\xd7\x2f\xea\x5f\x8b\x43\x11\x6f\x36\x2c\xb0\xc9\x46\xa5\x2a\xe4\x3f\x33\xb8\x73\x51\xfe\xb1\x58\x76\x9a\x9e\x9f\x3b\x8d\x94\xde\x98\xe4\xa5\x34\xa6\x1c\xf3\x11\x28\x93\x0b\x4d\x9c\x20\x28\x00\xef\x06\x3f\x68\x7f\xe7\x93\x1e\x1b\x95\x42\xd4\xff\x90\x66\x0b\x7b\x9b\x37\xd3\x2c\xcf\x5c\x34\xa6\x24\x76\xbd\x89\x8e\x97\x22\xd9\xd6\xc4\x52\x2b\x4d\x57\x8c\x44\x2d\x52\x7e\xe4\xc8\x61\x58\x37\x4b\x61\x7d\x65\x2d\xcc\x1a\xc8\x27\x57\x44\x4b\x51\x1c\x15\xbd\x1a\x5f\x94\xa5\x2e\x5a\x3b\x56\x48\xe8\xd9\xf0\x35\x62\x63\xdd\x7f\x70\xf2\xe8\xf5\xd7\x1f\xbe\xbe\x8a\xdc\x1a\x79\xb4\x2a\x26\x4a\x9c\xb7\x23\xec\x31\x83\x80\x27\x45\x27\x4e\x7b\x6d\x91\x14\x0a\x38\xc5\xff\xf3\x4a\x70\x7b\xff\xe5\x72\xb2\x7e\x0a\xce\x7d\x39\x50\x60\x03\x03\x96\xe4\xb4\x41\x24\x14\x89\x80\x74\xe0\x52\x94\xfc\x2b\x2a\xac\x45\x31\x02\x8b\xc1\xbc\x8a\x11\x68\xe8\x4f\x81\x67\x02\x6c\x00\x73\x02\x15\xaf\x00\xf0\x7d\xe6\x52\xf0\xa5\x9d\x07\x67\x85\xbb\x1d\x39\xb7\x9c\x21\xfb\x59\x8f\x5d\x9d\xd9\x77\xfd\x57\x7a\xec\xc6\x4d\x81\x38\x9d\x02\x4d\x2f\x04\xe7\xe9\x06\xb9\x4c\x68\xef\xc6\x93\x67\x5e\xe3\xb3\xa8\x06\x13\x50\x4a\x93\xf7\xf7\x1f\x34\xf7\xf1\xa5\x0a\xb3\x57\x7b\x36\x9f\xfa\x06\xae\x8d\xd9\xb0\xa8\xb7\x7c\x11\xfc\x18\xfc\x01\x09\xbe\xb4\x13\xe9\x80\x4c\x30\x39\xca\x5d\x8e\x56\x24\x64\x9a\x90\x96\x50\x4a\xef\x9c\x9d\x5e\x38\x7e\xbb\xf1\x54\xa4\x0d\xe7\x04\xcc\xfe\xbb\xcf\xfe\xfd\x80\xfd\xeb\x6c\xda\x10\xe8\x4c\xf0\x7f\xc9\x0f\x1e\x6f\x7e\x02\xbb\xc8\x40\x67\xc8\x20\x84\xb3\x24\x6d\x08\x77\x62\x7c\xe3\x51\xec\x6e\xb6\x2b\x6a\x87\xcb\x22\xf7\x97\x83\xc7\x9c\xa6\xa3\x96\xc5\x19\x08\xf7\x70\x6d\xc1\xae\xd1\x10\xf6\x69\xe7\x30\x3b\xc8\xa6\x36\xd5\x18\x74\xd2\xcc\x8c\x2c\x8d\xfd\xbc\xc7\xf6\xc8\x82\x66\x92\x66\xea\xff\x8c\xb7\x85\x02\xa0\xc5\xa0\x2e\xc9\x77\x82\x74\x9e\xc8\x58\x1a\xf9\x54\xb7\x1b\x61\x52\x37\xa6\x73\xcb\x59\x60\x1b\x34\xa1\xcd\xdb\xb5\xa4\xc8\x97\xf0\xbf\x53\xd7\xca\xb7\x58\x83\x5d\x45\x56\x95\x99\xe4\x7c\x2e\xfc\x85\xe0\x46\xd5\x55\x61\x51\xa8\xd0\x5b\x7a\x44\xca\xb7\xae\x54\xf2\xc9\x42\x3c\xa1\xf4\x3f\xea\xff\xa1\x67\xc5\xb7\x57\x18\xd3\xc1\x3a\xb9\xff\xba\x4a\xf0\x3c\x4f\x87\x71\xe9\xd8\x7e\x15\x3e\xaf\x46\x38\x5d\x02\xfb\x44\x03\x8a\x37\xc1\x3e\x83\xfd\xb0\x5b\x6d\xb5\x2e\xc6\xae\xee\x21\x76\x80\xd5\xb6\x34\x56\xba\xd6\x17\xbd\x7d\xec\x87\x1c\x6f\x55\x47\x2e\x23\x4a\x6e\x5f\x11\x3d\x7f\xb7\x3f\x26\xd7\x0a\x93\x4f\x3e\x7a\xc0\x93\x0a\x3b\xca\xdf\xe3\xef\x82\xb7\x18\x2b\xd8\x23\x10\xf4\xf7\xa4\x0a\xa7\xf6\xc3\x0d\x82\x0b\xed\x8a\x9d\x70\xdf\x0b\x26\xf4\x9f\x06\x4a\x38\xe7\x59\x37\x49\x80\x05\x14\x77\x14\xf9\x62\x8d\xfd\x99\xc7\xf6\xd4\xc3\x4e\x58\x8f\x8a\x9e\xff\xfb\x5e\xf0\x42\xef\x38\xfd\x2a\xc7\xc6\x14\x69\x11\xda\x71\x30\x66\xf1\x5d\xaa\x49\xcf\x9c\xf0\x27\x95\x75\x4f\x55\xe5\xca\x26\xb2\xbc\xd2\x63\xbb\x50\xc2\xfa\xff\xc9\x63\x07\xb7\x3a\xd8\xcd\x68\x99\x9c\x9e\x77\xf6\x45\xb3\x49\x69\x5d\xa6\x78\x82\xa9\xba\x1a\x85\x68\xa7\xed\x25\x61\x3b\xaa\x83\x98\x8c\x31\x5e\x4d\xbe\x43\xe9\x2b\x35\xf6\x39\x8f\x8d\x75\x5a\x61\x2e\xfc\x5f\xf1\x82\x0f\x78\xf2\x93\xb3\xf2\xa7\xd2\x5c\x32\x51\x47\x5e\x73\xbd\x12\xe2\xa8\x29\xea\xbd\x7a\x2c\x38\xbc\xa7\x2a\x73\xd9\xb2\x00\x4b\x5b\x30\x50\x1f\x39\x4f\x04\x60\x16\xa4\x9d\x6e\x1c\x16\x0a\xc1\x2b\x41\xfe\xa8\x86\x9c\x16\x60\x3e\x72\x36\xc8\xfb\x3c\xf6\x08\x1a\xc5\x69\x10\x1e\xa2\xe1\x77\x82\x9a\x12\x28\x4a\x8a\xa0\xc5\x2d\x13\x24\x61\xdc\xce\xab\x6d\x5f\x08\xab\x6f\xa1\xf1\x80\xdd\x3f\xca\xc6\xb5\xe9\xd4\x7f\xfd\x68\xf0\x82\x11\x2d\xd2\xd4\x65\x6e\xd2\x0a\xec\x6f\xf3\x3b\xbb\x22\x8b\x94\xbd\xac\x1e\xa7\xdd\x86\xda\x14\xb3\xaa\xdc\x84\x35\x4b\xee\x65\xf5\xb6\xa9\xc6\xd9\xb4\x10\xc7\x4a\x38\x8b\x0d\x51\x8f\x81\xfc\x37\xcc\xd1\x5e\x2a\xbf\x57\xe5\x4b\xb4\xff\xc1\x25\x05\xdb\x02\x67\x9d\x6e\xb3\x19\xd5\x23\x9c\x29\xb8\x57\x28\x04\x82\x7a\x98\x70\x0c\xf2\x81\x7c\xe9\x7a\x9a\x65\x5d\x84\xc4\x00\x40\xc6\x08\x14\x1e\xb4\xc9\x4a\x4d\x29\x8e\xad\x40\x1a\xc5\x8f\x2a\xdf\x0e\x79\xb3\x1b\xc7\x93\xa4\x9e\x81\x2f\x0f\x64\x58\x8d\xcf\x0b\xa1\x9c\xb6\x1d\x85\xcf\x39\x75\xc3\x4d\x87\x6f\x3a\x88\xd6\x91\x44\x25\x03\x39\xe3\x7a\x80\xd5\x58\x75\x4b\x4b\x70\x1a\xbb\x6a\xeb\x32\x74\xeb\x72\x99\xfd\x9a\xc7\xf6\x12\x31\x9c\xec\x62\xff\x83\x5e\xb0\x3c\x6d\x7e\x97\x85\xdf\x00\xb1\x67\x4d\x65\x4d\x9f\x2c\x9b\x9d\xcb\xe9\xd8\x05\xe7\xa6\xe3\xbe\x53\x72\xb5\x76\x65\x65\xdb\x47\x46\x58\x60\xf5\x5f\xb6\x14\xd6\x61\x5d\x2c\x2f\x67\x62\x19\xf4\x27\x88\x75\x7d\xf5\x48\x70\x57\xe9\x5a\xbf\x0a\x4e\x47\x7e\xc2\xc5\x9c\x4b\x63\x42\xca\xa2\xf7\xe4\x94\xa7\x15\x63\x3d\xe2\xa8\x5e\xef\xa9\xb0\x07\x2a\xec\x5f\xd7\xcd\x6d\x95\x25\x98\xfb\xaf\xa8\x04\x1f\xf3\x8e\x0f\xb8\xa3\xcf\x95\xca\x26\x6e\x52\xcd\xdc\x73\x96\x4a\xed\x6a\xca\x73\xb5\x53\x4b\x29\x9f\x50\xc7\xd7\xf1\xab\x39\x18\x07\xe0\x2c\xdf\x74\x92\xfa\x72\x4c\x0d\x83\x33\x56\x52\x6e\xcd\xbe\x9c\x77\x44\x46\x47\x65\xcb\xde\xde\x68\xc8\xa3\xa2\x99\xc5\x27\xd8\x6d\xec\x09\x97\x82\x07\x1f\x2e\x89\x58\xb5\x9c\x7d\xb9\xe2\x0c\xde\x10\x5b\x94\xff\xe1\x4a\x10\x97\xae\xb9\xb6\x72\xbc\xc9\xf5\xdd\x1a\x9f\x29\x78\x2b\x1c\x66\xe2\xc9\x44\x91\x45\x62\x55\x9b\xb1\xe8\xe8\xaa\x0f\xcb\xce\x90\x7e\xcc\x63\x77\xd1\x51\xfd\x6c\x30\xad\xcc\x11\x04\x33\x44\x9c\x89\xa1\x75\xd0\x86\xf2\x55\x2d\x43\xf5\x09\x3d\x87\xed\x3d\x63\xc9\x3e\xc0\x9f\x0f\x6e\x37\x80\xb5\x0e\xc1\x21\x5c\xa1\x2f\xe1\x84\xb0\x4c\x70\x70\x36\x31\x80\xb3\xb2\x56\xce\x37\x7e\x8e\xb1\x99\x2d\x9b\x41\xce\x74\x0b\xb0\x62\x3e\x19\x0f\xd6\x0e\xac\x30\xd0\x66\x7c\x71\x3c\xb8\x63\xb3\x87\xdc\xc0\xde\x8d\x9e\x1e\x4c\xaa\xf1\xf5\x1d\x52\x8d\xcb\x0e\x9c\x7c\xad\xe6\x69\x7e\xa9\x67\x0e\x80\x1b\x8e\x85\xbd\xba\x9f\xcc\xce\xb3\xf9\xe1\x87\xfb\x4b\x9e\x43\x3b\x01\x9d\x97\x11\xd0\xf9\x79\x3b\x4d\xee\xd3\x97\x49\xc7\xf1\x7c\xef\x61\xe2\xe3\xb0\x1a\x77\xd1\x7b\xd1\x16\x90\xd1\x1b\xfe\xd2\x86\xfc\x40\x03\x27\x63\x29\x20\x72\x33\x91\xc5\xd8\x1f\x8e\xb0\xe3\xd4\x83\xb2\x3a\x93\x6a\xcf\x4f\x5d\x94\xcb\xd2\x8c\xaf\x4d\xcf\xce\x90\xfd\x97\x2c\x39\xaf\x18\x09\xa6\xcb\x17\x8d\xc7\xa1\x21\xb2\x68\x15\xfc\x53\x65\xeb\x0e\xc1\xa5\x63\x50\x82\x6b\x2a\xae\xb0\x8f\xba\x26\x84\xf7\x54\x82\x1f\x39\xae\x2c\x41\x64\x17\x35\x09\x60\x9d\x68\x5e\x9b\x5c\xcd\x8a\xfe\x31\x76\x17\x5b\x18\x38\x61\x2e\xad\xb9\x8e\x2d\xe0\x07\x9d\x31\x94\xf3\x69\xb2\x1d\x76\xa4\xc2\x99\xfb\xe3\xfe\xee\x49\x4e\xb6\x00\xce\xfe\x4d\xff\x93\x60\xc0\xdc\xe5\x8f\xb6\xc3\xce\x36\x14\xd8\x6d\x18\x16\xbe\xf1\x68\xc7\x54\x6b\xc5\x29\xcc\x8b\x7a\x37\x8b\x8a\xde\xf1\x34\x29\xc4\x85\xc2\xff\xe4\xa3\x83\xef\x78\xfd\xd7\x49\x3f\xeb\xa4\x8d\x49\xa0\x58\x91\x5b\x2f\xdc\x2f\xb3\x02\xcb\xc5\x91\x26\x96\x9d\x8d\xbc\xbb\x52\x38\xa5\x0a\xb4\x19\xb3\x3f\x20\x6a\x91\x64\x97\xd4\x3f\x4c\x78\x63\xee\x7e\xbc\xc6\x09\x84\x9d\x10\x0d\x6d\x3b\x5e\xf9\x59\x5e\x84\x2b\x42\x96\x5a\x17\x0d\x44\xa2\x93\xc7\xd8\x66\xe9\xf5\xfe\x06\xba\xe6\xc3\x8f\xfc\x1f\xec\x37\x46\xd8\xee\x66\x8e\xfe\xa9\x8f\x8d\x80\x8d\xfe\xe8\x91\xe0\xfe\x91\x69\x9d\x46\x91\x77\x3b\x0a\xe1\x23\x26\x6f\x95\x0a\x26\xa1\x84\x24\xc8\xc6\x30\xd8\x1c\x98\xba\x01\x10\xd1\xd0\x17\x2a\xec\x0b\x19\x2a\x21\xd1\x5e\x59\x55\x63\xc4\xa7\x27\x64\x0b\x40\xbf\xd1\x11\x95\x29\x21\x91\xa8\xd7\x21\xc8\x4d\xde\xd6\xfe\xd8\x4e\xda\x38\xc6\xd8\x41\x0c\x13\x4d\xd7\xc0\xe4\xf3\xc4\x99\x13\x5a\x95\x95\xcf\x9c\x9a\x47\x1f\xd6\x21\x42\xdf\x14\xc5\x72\xd4\xe0\x4b\x78\x26\xcc\x45\xc1\xf7\x27\x62\x0d\x5d\xbf\xe5\x98\x05\xfa\xb0\x2a\x4d\x7f\x9a\x8a\x9c\xe0\x87\xb1\x4c\xa3\x45\xcb\x72\x71\xd0\xcf\xcd\xed\xa3\x90\x86\x6c\x6d\x32\x5b\x9b\x9c\x9c\x9c\x64\x6c\xa6\x89\x00\xde\x55\xa7\xfd\x50\x3e\xa0\x5e\xa7\x0d\x65\xf5\x34\xbd\x00\x39\x72\x96\x9a\x4e\x28\x7a\x58\x37\xd7\x51\xf1\x5f\x47\xd8\xbf\xa2\xa1\x3c\x0e\x1d\x8a\x61\x30\xfe\xeb\x47\x82\x97\x8c\x0c\xb8\xa1\x95\x2b\x9b\x4d\x04\x86\x02\x6c\x67\x43\xaa\x50\x0a\x8c\xa4\x08\x5e\x8a\xd9\x27\x94\x22\xf2\x96\xce\xa6\x2e\xbb\x02\xc6\x25\x25\x71\x0f\xe6\x4e\x4f\x0e\xa9\x33\x37\x50\xe3\x55\xb1\xb5\x54\x63\x05\x02\xa8\xaa\xb3\xbf\xd4\x23\x13\x70\x02\x80\xa2\x81\x92\x3f\x49\xb9\x68\x36\xa5\xc6\x90\x26\x5c\x74\x5a\xa2\x2d\x32\xa9\xc5\xd9\x1f\xca\xbb\xf5\x16\x0f\xf3\x63\xa4\x59\x57\xc9\x64\x05\xc8\xa1\xb2\x78\x08\xe0\x6b\x44\x99\xa2\x01\xa5\x15\x25\x07\x36\x38\x97\xcc\xa5\x69\x71\x26\xca\xe1\x68\x85\x2c\x10\xc1\x34\xe4\x13\x05\x04\x2c\xe9\x38\x66\xd5\x3d\x38\x4a\xe4\x25\x53\xd2\x27\x2b\x6c\x3c\xeb\x26\xd3\xf9\xf9\x5c\x64\xfe\x2f\x56\xd4\xfa\x7b\x13\x04\x50\x9e\x9f\x39\x01\x67\x8c\x2e\xe1\x8d\x24\x45\xd6\x43\xbd\xc6\x58\xe7\x48\xfc\x74\xb2\xb4\x0e\xf9\xd3\xf6\x39\x1c\xfc\xf4\xc6\x29\x1c\x25\xe8\x0d\xe0\x06\x59\xae\x1c\x2b\x1a\xf6\x74\x90\x75\x8e\xa7\xa5\xb2\xfc\x80\x44\x37\xba\xb7\x94\x16\xad\xf2\x03\xd0\x1f\xfd\x72\x87\x82\x2b\x41\xe9\x73\x6a\x54\x7e\x5d\xca\xb5\xdc\x16\x6c\x4d\x05\x9a\x63\x64\xa1\x33\xeb\x5f\x38\xc2\xae\xc9\x05\x44\x5b\x2b\x66\x83\xbf\xa9\x6c\xc1\x9c\x46\x11\xda\xf4\x4e\xf0\x09\xe8\x71\x15\xb6\x5d\x57\xb5\x49\x29\x04\x2d\x8e\xf0\x3c\xee\x4a\x3a\x18\x6f\xab\x07\xab\xa5\x51\xc9\x10\xf7\x5e\xc1\x08\x93\xd1\x21\xe4\x59\x98\x34\xd2\x76\xdf\xd7\x00\x6c\x2c\xac\xb7\xec\x08\xf8\x7f\x2e\x63\xc2\x3e\x57\x61\xd7\xac\x45\x49\x23\x5d\xcb\xd5\x38\x7c\xa4\xc2\x6e\xd9\x74\x1c\x9e\x8c\xef\x94\xbe\xa9\x86\xe5\xef\x3c\x39\x2c\xf4\x8c\x06\x07\xd4\xbb\xed\x76\x87\x26\xd5\x11\x92\x74\x98\xd7\x2f\xec\xcb\xfb\x9a\x6d\xdb\x62\x6a\x0f\x71\x17\xd7\xd8\xcf\x56\x18\x03\xd1\x80\x7b\xf3\x6b\xb4\x6c\xf8\x27\xe8\x92\x27\x5e\x82\x6c\x38\x0f\x26\x61\x9a\x93\x3a\xba\x9a\x36\xa5\x7f\x9e\xab\xff\x23\x23\xec\x2a\xe8\xa5\xb3\x29\xc8\x65\xff\x81\x91\x60\x7d\x64\xc6\x02\x9b\xa7\x98\x7c\xd3\x1d\x60\x41\x91\xfd\x16\xe6\x60\xdf\x4c\x26\xb3\x34\xc5\xc4\x54\x0c\x5a\xca\x14\x4c\xb4\xb3\x43\x43\xe8\x80\xb2\xba\xa1\x1c\x0d\x0b\xdd\x9b\x10\xa1\x67\xb2\x00\xa2\xc2\x90\x59\xd0\xa7\xa4\x30\x3f\xc0\xf7\xcb\x6f\x21\x96\x61\x33\x8c\x00\x15\x2b\x2f\xc2\xac\x5c\xc7\xa8\xa9\x8a\x50\xf3\x58\x14\x3c\xcd\x30\x9c\xaf\x2a\xf7\x38\xd8\xc2\xa8\x4e\x3a\x88\x6a\x49\xa8\x84\xd5\xef\x53\x69\xee\x06\x3b\xfe\xb8\x94\xdc\xf5\x7a\xda\xee\xcc\x66\xa9\x54\xc1\xfc\x78\x2b\x82\xdb\x79\x25\xb8\x09\xd5\x3a\xb8\xa6\xd7\x37\x6e\x7e\x4a\x4f\x74\x55\x53\x30\x15\x48\xed\x94\x7d\xdd\x63\xbe\xad\xdd\x52\x4a\xf8\x17\xbc\xe0\xdd\x56\xd8\xb2\x4a\xe4\x36\x92\xa6\xd0\xc0\x59\xb4\xb4\x60\x8c\xa3\xa4\x24\xbc\xab\xfd\xa1\xf4\xc2\x11\x38\x9d\x2c\x6a\x87\x59\x4f\xae\x65\x1c\x09\x47\x5e\x25\xa9\xfa\xb4\x63\x9a\x45\xa8\x8c\x9e\xb3\x20\xcc\xe1\xef\x07\xd8\xbf\x22\x39\xe1\x2c\x93\xff\xe6\xb1\xdd\x79\x2f\xaf\x17\x71\xee\xff\xaa\x17\xbc\xc4\x9b\xc7\x1f\x70\xde\xb1\x4c\x78\xda\x46\xd9\xe0\xf4\x38\x5a\xa2\x55\x78\x1a\x28\xf5\xb3\x3a\x5a\xa5\x9b\x98\x18\x49\xf5\xfc\xfe\x72\xa7\xab\x35\x32\xc1\xdb\xd1\x72\xab\xd0\xf3\x3e\x0e\xbb\x49\xbd\xe5\xd4\xfe\xb1\x6c\x82\xed\xdb\x7c\x02\xc0\x97\xd8\x9b\x46\xd8\x8f\x0c\xb5\x28\xdf\x21\x34\x68\x9f\xff\xed\x4a\x50\xed\xbb\x4a\x36\xf2\x9c\x40\xe3\xc1\xd7\x81\x0f\x11\xa4\x9e\x73\x50\xfa\xaf\x15\xf6\x02\x8f\x4c\xc3\xff\x31\x48\x07\x52\xbc\x6f\xd7\x55\x26\x4f\x6c\xab\x91\x58\x9b\x22\x40\x99\x49\xd9\xa5\x93\xf8\xc5\x7c\x0a\x46\x62\xaa\x3f\xf1\xef\x1c\xdb\xa3\x62\xb4\xfc\xe3\xc1\xf5\xf3\x94\xdb\x62\xc7\xed\x92\x89\x1c\x58\x07\x10\x39\x5f\x19\x8d\x09\xb4\xcc\x59\x84\x77\x21\x42\xe0\xb9\xe0\x36\xb9\x90\xa8\x2f\x2c\xab\xb3\x06\x0d\x05\xf3\x9a\x54\x48\x74\xc0\xec\xff\xcf\xde\x9f\x80\xd9\x71\x95\x77\xc2\xf8\x53\xb7\xb5\x1e\xd9\x2c\x35\x84\xc9\x3f\xf9\xcf\xcc\x49\x79\x88\x24\x4f\x77\xb5\x24\xef\xb2\xb1\xd3\xea\x6e\xd9\x8d\xa5\x56\xd3\xdd\xb2\x43\x1c\x06\x55\xdf\x7b\xba\xbb\xac\xba\x55\xd7\xb5\x74\xeb\x9a\x90\x00\x36\x4b\xc2\x4e\x58\x95\x10\x08\x81\x4c\x86\x21\x90\x61\x86\x84\x75\x60\x42\x18\x08\x84\x30\x84\x6f\x12\xf8\x12\xb2\xf3\x65\x27\x1b\x49\xc0\xf9\x92\xef\x7b\xce\xfb\xbe\x67\xab\x5b\xb7\x17\xb5\x6c\xf3\xcd\x23\x9e\x07\xab\x6f\x2d\xe7\x9c\x3a\xeb\xbb\xfc\xde\xdf\x8b\x68\x2a\x7a\xee\xbc\x70\x81\xa9\xaf\x69\x35\x52\xc4\x2e\x08\x10\xdb\x27\x96\x61\x88\xfb\x14\xa8\xf2\x87\x5e\x70\x57\xe3\x9d\x0d\x93\xa2\x16\xe8\x41\x41\xb5\x24\xa2\xf7\x5c\x0d\xf7\x65\x1e\x7b\xa9\xc7\xf6\xa1\x0d\x70\x66\xce\xff\x81\xad\xa0\x5d\xe8\x61\x6c\x41\x30\xa3\x5e\x76\xb9\x1f\x06\x5b\x82\xef\xf1\x99\x39\x52\x59\x06\x5a\xc6\xde\xb6\x8b\x1d\xb6\x2a\x54\xd0\xf3\xb5\xa3\x21\x3a\x75\x67\xb3\x8e\xd0\x94\x20\xfe\xdf\x8c\x04\xcf\x68\xb8\xae\x08\x25\x1d\xa6\x10\x8e\x0c\xaa\x35\xb7\x9c\xe5\x8e\x76\xbb\xe5\x8d\x23\xec\x75\x23\x6c\x37\x10\xb3\xfb\x3f\x32\xa2\xa0\x79\x5f\x6f\x9d\x26\x9e\x55\x42\xc7\x65\xcb\x3a\xcb\x02\x79\xb5\x31\xce\x51\xab\xe0\x93\x0b\x33\xbc\x93\xc7\x6b\x42\x1d\xd3\x56\xde\x3f\xc8\xa8\x85\x0e\xe7\x09\x27\xf6\x2b\x2e\xf0\xb0\xd1\x8e\x71\xb0\xad\x53\x38\xa6\x7e\x4b\x3e\xd6\xce\x40\x93\x34\x41\x6e\x54\x70\x1b\x0e\xc1\x92\x97\xeb\x31\xa6\xbc\x23\x58\xae\xc3\x94\x82\xb8\x75\xa7\xfd\xba\xfe\x62\x15\x7d\xcf\xdd\x2c\x5d\x31\xbc\x1d\x80\xc3\xcb\xac\xe8\x52\x6c\xbd\x42\x32\x1b\xd0\xc0\x00\xf6\x96\xde\xd1\xbb\xa1\xe9\x3f\xd5\x71\x36\x02\x0b\xdd\x4a\xc0\x35\x08\x0a\xa1\xb5\x53\xff\xd1\x6e\x87\x89\xb4\x29\x48\x5b\xcd\x84\xd3\x40\x88\x4f\x21\x27\xef\xdd\x1d\x7c\x66\xa4\xe9\x8e\x15\x9f\x4e\xbe\x4f\xe4\xd9\x87\x7e\xd6\xd3\x07\xc9\xf5\x39\x70\x13\xc9\x67\x0c\xe4\x6d\x54\x0a\x2f\xce\x21\xaf\x2d\xe8\x72\xd8\x70\xde\x8d\x2a\x0f\x2b\x58\x01\xe4\x29\x48\x91\x64\x0e\x94\x0d\xea\x2d\xa3\x7c\x45\x94\xfc\x90\x08\x57\x42\x3e\x39\x77\x56\xee\x53\x44\xf1\x1c\x72\x18\x49\xd2\xb6\xf5\xa9\xb7\x26\x72\x98\x72\x65\xb6\x82\x9b\x9c\x63\x73\x00\xd0\x67\x6e\x0e\x66\x2c\x3f\xe4\x7c\x41\x4a\x48\x2a\x69\x80\x54\xdd\x97\xaa\x38\x01\x49\xa7\xfe\x7d\x69\x07\x4d\x07\xda\xe2\x85\x1d\xae\xa5\x09\x38\xbd\xc9\x20\x95\x15\xb6\x17\xbc\xcc\x78\x9a\xe5\xdd\x28\x91\x72\xd7\x98\xfc\x66\x55\x61\x55\x28\x97\x46\x20\x67\x55\xa0\xc2\x59\x38\x87\x60\x90\x2c\x15\x3c\xc0\xa6\x06\x14\x6d\xa0\x61\xaa\x05\x9c\x41\x70\xd8\x5c\xf4\xf6\xe0\x43\xce\xea\xfd\x84\x67\xc3\xa6\xd3\x06\xd8\xb4\x03\x25\x8f\x53\x0e\x03\x56\x67\x90\x7a\x1e\xa3\xc2\xfd\x82\xdd\xb2\x2d\x16\x73\x9c\x5f\x8b\xd8\xfc\x1b\x69\x44\x0b\x87\xc5\x9a\x2e\xa2\x8c\xa8\xc4\x07\x8c\x54\xc3\x2e\x62\x9f\x76\x99\xd1\x96\x00\x69\xa1\x5c\x4b\x93\x79\x96\x3e\x23\x5b\x22\x53\xfb\x5b\x76\x05\xb7\x38\x57\x06\x8e\x85\x3a\xa7\x5c\xc4\xdb\x79\x96\xf2\xfb\xb3\x25\x77\xe3\xfb\xe2\x08\xfb\x51\xa2\x3d\x5b\xa8\x80\x30\x61\xb9\x4a\x80\xf6\xec\x79\x97\x4e\x7b\x76\x62\xc6\x32\xf2\x03\xe4\x64\x9d\x22\xd0\x5d\x2e\xb4\xfb\xb3\x25\x29\xb7\x53\xad\x49\x9f\x2b\xba\xab\x4e\xc8\x7e\xd2\x63\x7b\xa2\x76\x19\xaf\x09\xff\x0d\x5e\x30\x66\xc4\x4f\x50\xea\x28\x05\x28\x7d\x66\xd2\xd7\x08\xb7\xfb\xb3\x25\x97\x8c\xe9\x7a\x76\x6c\x0b\x21\x20\xb5\x40\x89\x47\xbc\x6b\x86\xda\xeb\xf7\xfb\x7b\xa3\x32\xeb\xc6\x6d\xc6\xde\xe0\xb1\x27\x41\xcf\xe1\x01\x23\xa0\xdf\x5e\xe0\x5d\x7a\xc7\x9d\xdc\x46\xc7\xc9\x3b\x4e\xe7\xd1\x31\x27\x3b\xef\x55\xfb\xec\x5c\x53\xfa\x2b\x4f\x26\xe2\xc2\x90\x08\xbd\xaf\xec\x0d\x1e\xf2\x86\xdf\x77\x31\x07\x10\x60\x18\xb7\xed\x38\x3d\x3a\x4e\xdc\x64\x80\x0a\x5b\x8c\x5e\xea\x71\x7d\xbc\xe1\x5e\x00\x20\x21\xd1\x26\xe1\xa0\x97\x54\x2b\x71\x1a\x5e\xf4\xf6\xe0\xf1\xe9\xcc\xd2\x8f\xed\x61\x67\x18\xdd\xf0\xa7\x83\x9b\xa7\xf0\x84\x6d\x58\xe4\xea\xec\x45\x7d\x07\xd7\x99\x0e\xa1\x73\x56\xfb\x2f\x99\x88\xa8\x0f\x4a\x05\xe7\x71\x8a\x88\xb2\x93\x46\x5a\xc5\x77\x44\x4f\xa4\x78\xf8\xca\x51\xb9\x87\x82\xcd\x20\xb7\x51\x2d\x52\x4c\xc7\xe5\x4e\x05\x07\xcf\x90\x28\x7c\x9c\x4f\x5f\x28\xf3\x08\xdc\x32\x10\x98\x44\x3b\x77\x0c\xd6\xf2\xf0\x5d\x35\xa4\xae\x8d\x2a\x7a\xa1\x4d\x64\xb0\x16\xac\x9a\x22\x1f\xc3\xb0\xbf\x5f\x6d\xd9\x51\x5c\x1f\x6f\x5d\x42\x14\xd7\xcb\x5a\xa6\xe5\x26\x9e\x4b\x65\x10\x56\x21\x2c\x96\x60\x4f\x7e\x75\x12\x6a\x61\xf8\x9a\x02\xb9\x80\xfb\x2f\x2a\x34\x3c\x02\x27\x2e\x0d\x4d\xe1\xa6\x1b\x46\xde\xbc\x18\x92\x2b\xb9\xb5\xc4\x76\xde\x1e\x14\xa8\x86\x34\xa4\xe0\x5d\x24\xa7\x06\xaa\x0e\xa1\x4d\xf4\x51\x92\xd0\xdf\x94\xae\x29\x2a\x0a\x73\xea\xd7\x5a\xc5\x1e\xde\xc7\xbe\xb3\x01\x2b\x36\x9f\x25\x02\xd0\x2d\x7f\xb8\x37\xf8\x2e\xf5\xa3\x89\x1a\x1a\xb0\x56\x8d\x98\x95\x8f\xef\x61\xcb\x96\x77\xfe\xfb\x76\xe6\x9c\xff\xce\x0d\x08\x6c\xaf\x60\x63\x76\x8a\x8d\x79\x96\x82\xc6\xcc\x05\xdf\x3e\x23\xff\x70\x01\x4b\x30\xc8\xf6\xe1\x79\x98\x1d\x64\x4f\x1b\xba\xf2\xec\x49\x74\x05\xde\x72\xe9\xf0\x96\x47\xbc\x95\xcd\xb1\x20\x53\xfe\x09\xcd\x80\x05\x1d\xbf\x21\x0d\x96\x5a\xca\x75\xf6\xdd\x4d\x29\xaf\x8e\x7e\xcb\x53\x5e\xfd\x7f\x83\x57\xea\x5b\x98\x98\xeb\xa1\xbd\x8d\x44\x29\x2a\x70\x64\x2e\xcb\x4b\xff\x77\xf6\x04\x37\xd8\x17\x70\x2d\x97\x55\x2f\x21\xd1\xce\x00\x88\x23\x2e\xa5\xb9\x04\x63\x16\xe5\xd8\xc9\x7f\x9d\x41\x7b\xed\x1e\xb6\xc4\xf6\xf5\xf2\xac\xcc\xda\x59\xe2\xdf\x13\xcc\x48\xa1\x67\x66\x8e\xab\x4b\x46\x4e\x83\x32\xb4\xc0\x75\x76\x6a\x6e\x94\x2f\x4e\xce\x41\xe6\xce\x85\xc9\xc5\x39\x37\x7e\x7e\x72\xce\x91\x84\x3e\x3a\xc2\x0e\x44\xbd\xde\x9c\xaa\xe7\x67\x47\x82\xb7\x8e\xc8\x9a\xc0\xfe\x41\xac\x00\xc3\xaa\xb4\xbc\xf2\x98\x84\xb4\x30\xf9\xc5\xac\x70\x37\x4c\xdd\x51\xf4\xd3\x32\xba\x10\xf2\xb3\xe9\x58\x2f\x17\xcb\xf1\x05\xc5\xab\x02\x07\x71\x2e\x28\x6a\x43\x56\x31\x33\x31\x3b\x61\x4a\x52\x90\x25\x7c\xf8\x50\x04\x88\x63\x3e\x7f\x72\x72\xec\xc6\xeb\xae\xbb\x01\x15\x6f\x9c\xb2\xeb\xeb\xeb\x61\x1c\xa5\x51\x98\xe5\x2b\xe3\x18\x6d\x02\xd9\x82\xc6\xa9\x08\xd0\x72\x8b\xc3\x21\x9f\xcd\xd2\x31\x5d\xbe\xfa\x3a\x7d\x82\x49\x21\xb8\xd6\x44\xf2\xf5\xf3\x6e\x1f\x2c\x05\x69\x3f\x6c\x67\xdd\xf1\x6e\x7f\xac\x0d\x89\x6c\xc7\x54\x19\x56\x02\x16\x2e\x77\x06\x3b\x49\x68\x5c\xf0\x95\x2a\xca\x3b\x46\xf0\x25\x6c\xd4\x84\xe9\x7f\x9d\xae\x05\xe0\xe3\x80\x22\x40\x16\x07\xf9\x0a\x49\xbc\xce\xf8\xbd\x5b\x19\x94\x7f\xca\x0b\x5e\xef\xb9\xa4\x07\x7a\x9c\x48\xbc\x72\x13\xaa\x1c\x94\x0f\x1e\x34\x19\x5f\x29\xba\x9b\x32\x87\xc8\xb3\x86\x9a\x37\xe7\x4c\xaf\x88\x4f\xcd\x2e\x3c\xe7\xd4\xc4\x89\xe9\x53\x21\x57\xc2\xa2\x0e\xbc\x94\xb2\x56\x8f\xa6\x3e\xd9\x89\x9d\xe6\x3e\x9d\x02\x79\x6f\x50\xc6\x42\xc4\xbe\x58\xa1\xb4\x9a\xba\x16\xd7\x51\xcd\x51\xc7\xd8\x6d\x9b\xec\xc4\x1b\xe6\x46\xf3\xbf\xb9\x3f\xf8\xbe\x0d\x9f\xa8\x27\xa1\x6a\x08\xa0\x1c\x9a\xcb\x32\xbc\xe8\x3d\x91\x5e\x20\x06\xf6\xe2\xa2\xf7\x44\xa2\xe2\x37\x57\x2c\x68\x9e\xb3\xe2\xbf\xb2\x8f\xfd\xdf\x9e\x03\xdc\xfb\x0b\x2f\x78\xb9\xd7\x76\x62\xff\x50\xe2\x55\xe1\x99\xea\x86\x93\x7f\x0c\x06\xde\xb4\xca\x18\xeb\xe4\xc9\x8e\x16\x95\xd1\x21\x9c\x93\x48\x2e\x49\x06\x2a\xab\x7c\xb9\x42\xbb\xa2\x74\x6c\x04\xcf\x64\x67\xd8\xe9\x6d\x18\x7c\x86\x0e\x8d\x86\x06\xca\xc9\xfc\x04\xea\x40\x34\x0e\x15\xfe\x9b\xbd\xe0\xb4\x7b\x49\x93\x8e\x4b\xe5\x5e\xaa\x52\x6e\x0e\x00\x63\x3a\x53\xeb\xcc\xe9\x0d\xe7\x13\x9e\xce\x6e\xdd\x96\xcd\xea\x28\xd9\xac\x70\xaa\xb0\x8b\x1e\xab\x8f\xb7\xff\x62\x1d\xa1\xfe\x40\xed\x16\x58\xa2\x69\x3a\x99\xb9\x9e\xab\xbb\x60\xa4\xe9\xd4\x4c\xe3\x4e\xd3\xc1\x86\x0a\x5f\x5d\x08\xa1\x39\x44\x9d\x4f\xb3\x96\xca\x3b\x3c\x56\x9f\x7a\xfe\xab\x75\xe3\x9e\x5b\xbb\x55\xcf\x1b\xb1\xc3\x06\xb6\xa3\xa4\x8d\xa1\x70\x9b\x35\xf3\x6b\x1e\xbb\x1a\xad\x41\x11\x99\x82\x7e\x6b\x07\xa6\xa0\xb7\x79\x4e\x59\xce\x54\xd1\x76\xa0\x61\xe9\x6b\xe1\x9f\x0e\x1a\x47\xf4\xe7\xcb\x4f\x1e\xb5\x26\x93\xa8\xad\x2c\x10\x33\xb2\x04\xac\xe2\xd9\x72\x49\x26\x7c\xf7\x7d\x18\x79\x80\xcc\x75\x42\x76\x81\xf9\x2a\x42\xf1\x4e\xa4\x9c\x92\x32\xd2\x92\xc2\x65\x9c\x1e\xbc\xa9\xbe\xa2\x9b\xc1\x84\x6f\xcb\x09\xb4\x62\xee\xea\x78\xc7\xc6\xc9\x6e\x75\xf5\x4f\xec\x62\xdf\xb5\x51\x58\xb6\x9c\xd5\xc2\xff\xc6\x48\xf0\x4e\xcf\xbd\xa6\xe3\x8d\x88\x66\xdf\x42\x0f\x5b\x18\x23\x6d\x91\xce\x96\x61\xa7\xe9\x0a\xd9\x07\x5a\xab\x77\x15\xf7\xd4\xb0\x94\x77\x1d\xb5\xde\x25\xed\x93\x4f\xc5\x05\x77\x9b\x73\x6f\x14\x4b\x55\x28\xac\xcb\xb8\xcb\x6c\x2f\x19\x34\xfd\xfb\xd8\x8d\x5b\x0f\x47\x87\x42\xe7\xf1\xcd\xe0\xbb\xa6\x9c\x2c\x10\x91\xb6\x91\xea\x2f\x65\x19\x63\x3a\x85\x52\xc7\x8f\x36\xd8\x41\x9a\xab\x5a\xd4\x2f\x07\xff\xb6\x5e\x9b\x29\xd8\xaa\x70\x99\xed\x5d\xc7\x6f\xbe\x84\x0f\xa3\xde\x1a\xfc\x30\x2a\xd2\xaa\xe7\x8f\x0f\x34\x46\x57\x39\xe5\x55\x85\xff\xdf\x0f\x04\xcf\xa8\x5d\xb3\x11\xeb\x58\xcb\x72\x8d\xb1\xbd\xb0\x02\x82\x63\x2b\x51\xa7\xf1\x51\xec\x06\xca\xaf\x8b\xde\x55\xb9\x00\x30\xcb\x64\x56\xa5\xe5\x45\x6f\x37\xa0\x64\x2e\x7a\x7b\xe1\xdf\x99\x29\x97\xf7\x94\xb1\x05\x76\x40\x17\x36\x33\xe5\x4f\x05\x37\x4d\x5a\xe0\x88\x99\x29\x9d\xe9\x0e\x33\x61\x1e\xec\x64\xed\xf3\x22\x3f\x3e\x3e\x7e\x9b\x7e\xed\x39\x71\xe7\xf6\x83\x8e\x98\xf2\x20\xc3\x6a\xfd\x07\x82\xce\xa2\x46\xea\xd4\xd0\x35\x3a\x42\xfc\x52\x12\x14\xaa\x0c\x84\xc8\xac\x60\xd7\xfd\xb1\x16\x73\xba\xc0\x7f\x8f\x66\xc4\x7c\x13\xc0\x0b\x2d\x41\x29\xee\xea\x64\x99\xaa\x59\xab\x51\xc1\x97\xe4\xf9\x40\x65\xc8\x25\x65\x2c\xfe\x4e\x2e\x6c\x53\x50\x47\x1e\xa3\x16\xc0\x05\x59\x53\x10\x08\x5b\xf2\xbe\x28\x55\x91\xc4\x1f\x38\x9b\x95\x9a\xa9\x14\xc5\x5d\x6b\xc7\x07\x0b\x43\xad\xc4\x90\x9f\xa8\x2c\xb9\x42\xd5\x03\x79\x0d\x28\x51\x48\x99\xf1\x95\x28\x5f\x92\x1d\x6d\xac\x68\x24\x4f\xa3\x21\x04\x8c\xa3\x2b\x42\x1e\x2f\xbd\x9e\xe8\xf0\xa8\xe4\x37\xc8\x5d\xef\xce\x49\x77\xa3\xbb\x85\xa9\xc9\xe2\x87\xc1\x77\xcd\xe0\x9f\x03\x88\xb6\x83\x05\x0e\xab\x33\xf0\x7d\xb6\x1f\x4e\x10\xd8\x0a\xb7\x82\x23\x72\x17\x5b\x70\xcb\xd4\x40\x12\x19\xbb\x42\x3c\x88\x68\x8d\xc7\x08\xfd\xa7\xac\x2c\x2c\x27\x41\xfe\xfe\xe0\xd9\x46\x5c\xaf\x0b\xdc\xd3\x0e\x36\x48\x63\xe4\xf1\x61\x18\x30\xed\xab\x46\x6a\xd3\x41\xe3\x8d\xfd\xb9\xf7\x30\x5c\x75\xfe\xe9\xe0\x0e\x93\x3f\xd6\x86\x81\xb8\x13\x8b\xcc\xa5\x68\x22\x8a\x3a\x71\x2a\x0a\xf0\x56\x2c\xd5\x30\x59\x3f\xd7\x62\x7b\x69\xf6\xf9\xef\x68\x05\xaf\x6f\x6d\xb3\x70\x78\xb7\xea\x51\xd1\x7c\x46\x0e\x40\x94\x80\x25\x30\x2a\x14\x7e\x6d\x49\xb4\x33\x98\xff\x79\x25\x28\x49\x21\xbd\x37\x27\x5f\xab\x79\xfe\x8d\xd7\x07\xe8\x2f\x85\x6d\x91\x5f\x57\xae\x77\x77\x75\x9b\x05\x94\x01\x98\x8e\x98\xa0\x79\x92\x15\xa2\xa0\x33\xb0\x14\xdd\x5e\x96\x47\x79\x9c\xf4\x43\x3e\x53\xa8\x9c\x10\xd0\x26\x28\x36\xcd\x06\x5a\x65\x14\x23\xab\xcb\x12\xb6\x1b\x4a\xf4\xdb\xdb\x9f\x75\x47\x36\x9e\x75\x6a\x0f\xb6\x26\xdb\x7f\xdc\xed\xb8\x4d\x55\xb9\xa7\xb2\xa8\x73\x02\xf3\x05\xe6\x2a\xff\xe1\x3f\xef\x0a\x5e\xed\x35\xdc\x18\xc8\x05\x63\xa9\x48\x49\x16\x75\xc6\x28\xf1\xa0\x9c\xa5\xf8\x02\x28\x74\xc7\x55\x22\x42\xb0\xff\x02\x27\xa7\x3a\x2b\x74\x6c\x92\xe5\xc4\x46\x6e\xdf\x28\x75\x0b\x71\xcf\xfe\xdf\x1a\x61\xcf\x65\xfb\x56\xb3\xa2\x84\x05\x94\x05\x4b\x77\xd1\xdf\x2a\x3c\x43\xd6\xb0\x41\x9b\x2c\x9a\x85\xa9\xd9\x05\xda\x24\x0f\x95\xfd\x5e\xdc\x8e\x92\xa4\xcf\x27\xee\x5d\x70\x5f\x2f\x0e\xdb\xab\xe8\xb9\xac\x15\xf7\xfc\x2a\x58\x9d\x99\xdb\x7e\x85\x1a\xe8\x63\xd5\x77\xe7\xe4\xb4\x9c\x72\x67\x7a\x22\x5d\x28\xa3\xf6\xf9\x8d\x2a\xff\x1d\x8f\xed\x96\xfa\x73\xe1\xff\x2f\x2f\x78\x40\xea\xea\x03\x69\x80\xda\x59\xde\x21\x94\x13\x76\x30\x3c\x0f\x50\xc1\x42\xce\x6e\xc8\x49\x84\x4a\xb8\x4a\x48\x19\xa7\x4d\x23\x82\x1b\x4c\x6a\x12\xae\xc6\xa5\xad\x4e\x8d\xb3\x31\xf6\xef\xb6\xc0\xf7\x9a\x97\x0b\x94\x37\x6d\x4b\x0e\xe3\x17\xee\xb2\x49\x9a\x4c\x39\xca\x06\xba\xa0\x91\x4a\x52\xb2\xf2\xbf\x38\x12\xbc\xc7\xd3\xe9\x97\x7a\xda\x52\x6a\x01\x9a\xe4\x0e\xac\xd3\xe7\x46\x49\x42\xe6\x73\xc2\x23\xc6\x44\x8e\xcd\xd7\x05\x40\x0d\x8f\xf0\x43\x71\x28\x42\x1e\x97\x07\x11\xeb\x3b\x96\xf5\x0e\x87\x7c\x82\xa7\x55\x92\x6c\xa1\x82\x34\xd3\xe5\x53\x41\x05\x22\x6a\x75\x59\x17\xbd\x3d\x58\xd7\x45\x8f\xf5\xb4\xa7\xcd\x99\xe3\xff\xe4\xb1\x17\x7a\xcc\xba\xeb\x97\x5b\x24\x66\x51\x58\x45\xd9\x39\xc1\x1d\x13\x08\x1d\x32\x99\x84\x45\xde\x1d\x6d\x24\x72\x75\x6d\x41\xd8\xbe\x90\xad\x31\x6a\xaa\x9f\x28\xa9\xe4\xde\x7b\xb1\x9f\xea\x85\xc0\xf7\x2b\x9f\x85\x5b\x5a\x5a\x6b\xd7\xa8\x9a\x70\x39\x84\x70\x1d\x1d\x3b\x7a\xe4\x88\x7b\xa6\xff\xd8\x2e\x16\x36\x82\xde\x50\x2f\x6f\x42\xbe\xfd\xf1\xa3\x87\x7c\x7b\xc5\x08\xfb\x11\x8d\x7c\x7b\xbe\x46\xbe\xfd\xe9\x15\xe4\xdb\xd6\x90\x6f\x71\x72\x79\xf1\x6e\xaf\xbf\xde\xcd\x43\xb5\x9d\x80\x73\xff\x4b\xd7\x05\xff\xbe\x76\xcd\xb6\xd4\xa7\x26\x64\x58\x11\x08\x22\xb7\x9b\x43\x73\x82\x78\x01\xa1\x80\x9c\xb1\x1d\xd9\x68\x74\x9c\xab\xd0\xcf\x86\x98\x50\x17\x52\x74\x8c\xfd\xdc\x2e\xf6\x2f\x75\x55\x98\x81\x85\x5c\x28\x85\xff\xba\x5d\xc1\x3f\x8c\x4c\x34\xdf\x54\xa4\x8b\x39\x0e\xb4\x86\xfc\xe8\x8d\xe9\x5c\xed\xc5\x73\xca\x17\x83\x07\xb7\xfa\x66\x71\xa1\x27\x37\xa9\xd0\x0a\x2c\x46\x91\x5b\x6e\xf6\x0a\x1b\x02\x80\x75\xe5\xca\xa1\x45\x0b\x35\x62\xd8\x5d\x5c\xaa\xe1\x2c\xea\x7a\xbe\xa9\xd4\xc1\x01\xc2\xf0\x42\x09\x0e\x2e\xc4\xb4\x61\x74\x20\x40\x01\xb0\xdf\xda\xd2\xa9\xdc\xd0\x33\xcb\x16\x09\x76\x47\x0f\x95\x83\xb0\xb5\xe0\x65\x2a\x9f\x8e\x6e\x95\x1c\x41\x1d\x6e\x01\x34\x8e\x1d\x81\x51\x92\xea\x09\x8d\x6b\x2c\x31\xa1\x1b\xb9\x58\x47\xa5\xf2\x93\x68\xef\xb6\xaa\xd8\x34\x15\xb3\x65\xdb\x8a\x0e\x28\xa4\x51\x9c\x54\xb9\x5c\x34\x44\x33\x6e\x38\x29\xcf\xdd\x77\x90\x26\xeb\xc1\x67\x9f\xdb\x88\x2b\xee\x27\x3c\xe6\x4c\x29\xff\x15\x1b\xa6\x5b\xda\x70\x59\xa8\x58\x77\xab\xb8\xe0\x0e\xfb\x97\x86\x0a\x10\x02\xd4\x30\x47\x0b\x73\x6a\x20\xbf\xa6\x22\x0b\x65\x7f\xa4\xdc\x13\xbf\xed\x05\xff\xd3\xab\x73\x32\x0f\x2c\xac\x90\x83\x77\xd2\x08\x80\x08\xd2\x7a\xa0\x8a\x12\xb2\x0e\x89\x70\x25\x1c\x45\xc5\x8d\x3a\xce\x51\xb4\x47\x29\x27\x7a\x60\x3d\x11\x34\x41\x9e\xa8\x42\x34\x84\x3b\x45\x34\x3d\x9d\xe5\x2b\x51\xaa\xbc\xc6\xfa\xeb\x1c\x55\xea\x2b\xfb\xd9\x93\x75\xe0\x83\x8e\x1a\xf8\xd4\xfe\x9d\xb3\xde\x04\x2f\xdc\x3f\x5b\x2f\x98\x77\x44\x3b\xee\xd8\xea\x94\x89\xe2\x52\x13\x50\x9e\x04\x0a\xa5\x61\x14\x7f\x5b\xff\x32\x24\x34\x3a\x42\x8a\x1e\x57\xb2\x8b\xcd\x03\xa4\x11\x37\x0a\x8d\x53\x16\x3a\x5b\x9e\x2e\x09\xed\x77\xfa\xe8\x8f\x0b\x13\x4b\xc4\x33\x8d\x19\xd1\xe8\x14\x70\x0d\x16\x03\x25\x17\x2a\x8f\x2b\x27\x66\x24\x5e\xb4\xb3\x9e\xe5\xee\x1e\x95\x3b\x0d\xb2\xae\x15\xe7\xe3\x5e\x61\x7f\x78\xc8\xd8\xc9\x2c\x57\x5c\x5a\xa3\x43\xbb\xa6\x6f\xc4\x3e\xb0\x4b\x98\xde\x20\x70\x76\x5d\xa0\x09\xf2\x2a\x85\x80\xfe\x40\xce\x8b\xe0\x08\xd2\xa3\x1e\x0d\x6e\xe5\x98\x88\x24\x06\x70\x51\xe9\x74\x1a\xe8\xab\xe8\x1b\x3d\xce\x83\x81\x09\x12\x1c\xe7\xcf\x65\x9c\x07\xd0\x61\xd3\x17\xa4\x42\x05\x7b\x4d\x70\x9c\xdf\xc7\x38\xe7\x70\x57\xfe\x2f\x38\x2f\xfa\xc1\x71\xab\x09\xa3\xea\x06\x9e\x3a\x50\x54\x30\x9b\x95\x33\xa9\xb9\x85\xa8\x19\x5d\x16\x5c\x3b\xa2\x6f\x73\xd9\x76\xfa\xfb\xd9\xf0\xef\xf3\x98\xfc\xeb\x79\x10\x63\xae\x28\xcd\xec\x14\x2b\xe0\xe5\xdb\x7e\x5f\x36\x49\x97\x81\x48\xd7\xe2\x3c\x03\xff\x2c\x76\x67\x2f\xcf\x3a\xd8\xa3\x45\x19\xad\xc4\xe9\x4a\x70\xeb\x63\xd7\xad\x76\x6b\x1a\x7b\x76\xb3\x6e\x85\xd6\x5b\x3d\xab\xbe\xa1\xb9\x7f\x15\x13\xdc\xce\xa2\x7b\x70\xf1\x8c\xc3\xe2\x05\xb8\x1b\x4d\x79\xd0\xf5\xc8\xe9\xae\x38\xbc\x42\xc6\xac\x03\x06\x3c\xac\xa0\x1f\x39\x3b\x8d\xa2\xc2\x53\xab\xdf\x24\xab\x0d\xd9\x9f\xec\x66\x4f\xc0\x8a\xf5\xe6\xf6\xeb\xbb\x2f\xc3\xe6\xf6\x9a\xdd\x67\x9c\x52\xb7\xb2\xb3\xe9\xcd\x2c\x76\xb6\x8d\xd5\xa8\x30\x3b\x8f\xda\x59\xdc\x36\xcb\xe9\xa8\x73\x02\xea\x94\xa9\x20\x4d\x43\x41\x49\x07\x5b\x83\x04\x8e\x62\x9d\x7e\xc1\xd6\xb8\x5e\xb7\x4a\x0c\x9c\x23\x03\x12\x37\x7a\xdb\xe3\x65\x2e\x62\xf4\xaf\x6e\xb4\xbb\x92\x42\x49\xcf\x1c\x32\x6d\x51\xce\x79\x22\xb1\x54\x39\x6c\xb3\xdc\x6a\x61\xed\x19\xcc\x6b\x7b\x98\x23\xad\x60\x66\x7d\x45\x1b\x0d\x82\xa0\xca\x63\x1f\xf1\x43\x49\x7c\x1e\xec\x8c\x9a\x35\x79\x3e\x4b\x92\xa5\xa8\x7d\x1e\xde\xe7\x73\x59\x67\x2e\xcf\x2e\xf4\x55\x66\x18\x2c\xee\xb0\xda\x26\x1b\x3e\x19\xa2\x84\xed\xa1\xd1\xeb\x56\x01\x05\xec\xe1\x94\x42\x5c\xaf\x1c\x8b\x53\x93\x67\x55\xa4\x1d\xca\xb5\xda\x8d\xfa\xb0\xc5\x37\x0b\x0c\x52\x54\x54\xd8\x58\xf4\xf4\xe1\xa8\xef\x6c\xae\xbf\x7a\x1f\xf3\x73\x11\xa7\x6b\x19\x02\x60\x88\x02\xe3\x9b\x7b\x83\x3f\xdb\x3b\x78\xbd\x31\x77\x63\x5c\xe8\x26\x1a\x69\x46\xca\x89\xa2\x63\xf4\x25\xb4\xdf\x83\xe9\x33\x47\xce\x4d\x05\x0b\x32\x1f\x4a\xb3\x15\x04\x8f\x09\x25\xb3\x5a\x4c\x12\xb3\xb2\xe1\x44\x20\x31\xb3\x3c\x2b\x44\x47\x74\x82\x90\x31\xb8\x7e\x7c\x50\x22\x25\x6b\xb0\x6a\x8a\x85\x92\xc5\x20\x8f\x8d\x9b\x20\x8f\x06\xac\xa3\xa1\x68\x53\x6c\x54\xf2\x44\x44\x94\x8c\x58\x05\xaf\x46\x09\xfa\x60\xad\xef\x75\xc7\xd4\xd4\x53\x5b\xd8\x18\xa3\x23\x1f\x2c\x81\x59\xa5\x40\x96\x93\x18\x55\x05\x14\x14\x4c\x31\x88\xe2\x2d\xc8\x24\x0c\x81\xd6\x68\x3f\x36\x3a\x41\x94\x24\xa1\xd2\x7b\xc8\x16\x67\xf2\x7b\xe1\x74\x94\x25\x5d\xdb\xad\x8a\xf2\x5a\xc8\x7e\xd0\x11\xdd\x5e\x56\x8a\xb4\x1c\xd5\xc9\x7e\x55\xd8\xae\x3a\xf9\x20\xdd\x6f\x2f\x17\x6b\x71\x56\x15\x49\x5f\xb7\x37\x24\xe6\xd2\x6b\x6b\x4e\x17\xab\x5f\xcc\x94\xd2\x99\x2e\x56\xaa\x28\x8f\xd2\x52\x68\xd5\x5d\x5c\x88\xda\x25\xba\x58\x43\x7e\x2d\x80\xd2\x9b\x0b\xc8\x45\x51\x61\x88\xd2\x72\x95\x43\xdf\x60\x6f\xa9\xfb\xb4\x26\xb0\xd9\xa3\xaa\x53\x70\x3a\x35\xd6\x2c\x0b\x3f\xaf\xb6\x4b\x59\xf7\xba\xd3\x73\x55\x21\x9c\x5e\x23\x87\x6f\x2e\x94\x46\x2a\x77\x85\x38\x8d\xbb\xf1\x83\x62\x4b\x5d\x20\xab\x28\x33\x13\x2b\x6f\x76\x30\x1c\xd2\x28\x49\x78\xb7\x2a\x23\x83\x4d\xb1\x9a\xac\xa2\x61\x46\x89\x8c\x55\x29\x8f\x34\x81\xdc\xdd\x83\x84\x1c\x73\x38\x42\xef\xd0\x9a\x72\xc4\xfb\xaf\xed\x62\xbb\x81\x25\xd3\xff\xc3\x5d\xc1\x4b\x76\xcd\xcb\x3f\x2d\x2b\xc1\x3a\xc8\xce\x46\xff\x07\x41\x3b\x32\x34\x8e\xc5\xb8\x95\x2a\xdd\x91\x56\x79\x3b\xca\x05\x59\xee\xd1\x12\xd3\x70\x03\x93\x2a\x68\x3c\x00\xc4\xf5\xab\x8d\xeb\x39\x51\xda\x7f\x0e\x97\x0d\x0a\xf9\x5d\xd9\xba\x58\xa3\x98\x71\xe8\x7d\x9c\xa7\x62\x4d\x9e\x58\xf7\xe8\x9e\xd0\xf6\x00\xbd\x04\xe4\xf6\xa1\x6c\x20\x83\x77\xc1\xa3\xd7\xab\xcc\x36\xab\xa4\x72\xdc\x2f\xc0\x11\xa2\x49\x74\x69\x83\xc9\x45\x5b\x4a\x2f\xca\x1f\x28\x05\x17\xf9\x21\x6a\x78\x92\x3e\xc7\x2c\x44\xaa\x48\x5c\xb5\xa3\x3b\x68\x25\xcc\x5f\x50\x09\x68\x17\xca\x6c\xd3\x8d\x86\x34\x4b\x69\xc9\x54\xd2\xc4\xf0\xe6\xd4\xd3\xf8\x00\x2d\x79\x47\x35\x3f\xcd\xee\x66\x33\x97\xa8\x7b\xcb\xd1\xbb\x37\x2e\x57\xcf\xe8\x19\xc4\x7e\xbc\xc5\x9e\x20\xb7\xcb\xac\x2a\x17\x44\x3b\x4b\x3b\x85\xff\xc3\xda\x11\xfc\xb7\xde\xa2\x73\xab\x1e\x36\x87\x37\x8d\x8d\x44\xab\xd7\x13\x7a\x4f\x54\xcf\x80\xd7\xad\x18\xad\x4d\xc9\x24\xd1\x5b\x7a\xbc\x92\x66\x39\x26\x66\x52\x76\x0f\x73\x1f\xec\x1b\x8e\x53\xb9\x6e\xd6\x58\xb4\xea\x42\x37\xae\x72\x6c\x2e\x89\x72\x5d\x88\x94\x1f\x85\xfe\xbe\xee\x08\x2f\xf0\x63\x9c\xd3\xdb\xba\xec\x58\xfc\xde\xe3\xb1\xab\xa9\x2a\x3a\x9d\x7f\xdc\x0b\x5e\xe9\x9d\xb4\x2f\x39\x06\x0b\x27\x9c\x40\xe4\x79\x96\x5b\x58\x78\xeb\x0c\x52\xa8\x78\x39\x9b\x56\xa3\xb4\x23\x27\xd2\x98\xb1\x16\x99\x93\x77\x06\xfa\x45\x76\x8b\xac\xd4\xe5\x4c\xc2\x7b\xce\x06\xf2\xc6\xbd\xec\x00\x2c\x59\x6a\xee\x4b\xf6\x06\xdf\xdc\x63\x5d\x70\xad\x2b\x52\x43\x82\xed\x26\x40\xdb\x18\xd1\x3e\x59\x32\x65\xda\xce\xba\x98\xcc\x06\xe7\x75\xb3\x74\x30\x2d\x0f\x0d\xd4\xaa\xa6\x1f\xa8\xe2\xb5\x28\x91\x1a\x4e\xc8\xd8\x18\x87\x5b\xc7\xa9\xb8\x48\x67\xa3\x50\x02\x5a\x5c\xea\x13\x47\x7b\x4a\x2c\xcb\x5d\x0e\xfb\x8d\xa3\x67\xc7\x76\x32\x91\x42\x99\xb2\xf5\x49\xbd\x16\x47\x3c\xea\xf5\x8a\xf1\xb5\xa3\xa3\xea\x0f\x98\xfd\x28\x3b\x8b\x0b\xa5\x48\x41\x49\x33\xd7\x97\xaa\x52\x77\x03\xb6\x0b\xcd\x72\x1d\x7e\x4e\xa5\x43\x2a\x8e\xdf\x17\xc8\xc2\x82\x67\xcb\x42\x15\xe6\x5c\x5e\x5d\x3b\x2a\xaf\xe9\x3d\xf7\x38\xbf\x2f\xb0\x9a\x17\x3c\xfb\xdc\xa8\xf5\xd5\x65\xe6\x34\x89\xc3\x77\xd5\x1b\x44\x1a\x00\x6d\x70\x0d\x5a\x00\xf6\xab\xee\xe7\xc1\xce\x8d\x97\x55\x7f\x14\x76\xdc\x74\x82\x26\xcb\x38\x45\x22\x66\xf0\xc8\xa5\xd8\x61\x64\x06\xd1\x19\x97\x64\xcb\xc8\x20\xf9\xa8\x77\x3f\xc8\x94\xdf\x72\xdd\xbf\x24\x54\x88\x11\xd1\x98\xe0\x8b\xd0\xda\xe6\x31\x71\xce\x76\x5c\x11\xf6\xca\xfc\xd2\x08\x3b\x20\x15\x98\x69\x20\x7c\x2b\xfc\x4f\x8f\x04\x1f\x1a\x59\x30\x17\xf0\x80\x1b\x22\xdc\x4b\x9d\x13\x68\xea\x90\x2e\x4e\x2e\xc3\xb6\xd4\xdd\x31\x15\x88\x5e\x89\xc7\xf9\xd9\x14\xcc\xc7\xa3\x7c\x36\x4b\xc5\x28\x70\x1a\xe2\xdf\x67\xd2\xa9\xbc\x3f\x5f\xa5\x46\x1e\x05\x23\x89\x5d\x28\x3f\x7d\x76\x61\x11\xfc\x92\x94\x1b\x1a\x4e\xd7\xb4\x1d\x27\x31\x99\xb5\x21\xfe\x71\x54\x8a\xee\x40\x22\xad\xfa\x55\x8b\x62\xf2\xb8\x42\x69\x39\xe2\xcb\x15\x20\xcc\x8b\x52\xf4\x94\xda\x68\xf6\xbf\xf6\x6a\x14\xa7\xda\xbf\xe1\x34\x42\x7e\x3c\xc6\xcc\xa7\x46\x36\xac\xd2\x0e\x08\xa4\xf3\xea\x78\xd5\x16\x9e\x0e\x7e\x95\xa6\xbc\x34\xa1\xf8\x55\x99\x8d\xe9\x26\xa1\xa4\xdf\xd7\x4b\xc5\x68\x14\xd4\x09\x6a\x14\x9e\xfe\x74\xd5\x87\x10\xd8\x90\x75\x85\xbb\xe7\xd2\x4d\x67\xd3\x7d\xd1\xd5\xec\xc6\x4b\x03\x25\xfb\x9f\xb9\x2a\xf8\x55\x6f\x18\x54\x34\x6e\x60\xef\x20\x7f\xd9\x50\x74\xb8\x52\x38\xe5\x95\x6e\x54\x92\xab\x1f\xfd\x81\x8a\x34\x1f\xa0\xb6\x1c\xdc\x8a\x8a\xa3\xd1\x04\xe0\xab\xe1\x57\x12\x13\x82\xba\x2d\xb9\xd2\x3d\x88\x15\x10\xda\x00\x2f\x1d\x87\xd3\x23\xfb\xd9\xc3\x2d\xb6\x4b\xde\xf5\xff\xd1\x63\x77\x5d\x0e\x24\xf7\x42\x4f\xb4\x83\xf7\x78\xb2\x4c\x8d\x55\x27\xb2\x35\xd3\x45\xf2\x2a\x71\x45\x56\x1a\xee\x6f\x61\x56\x1f\xed\x08\x1f\xd9\xa2\xb1\x28\xed\x8c\x21\x60\x25\x64\xaf\xf6\xe4\x7c\x01\x68\xe3\x8b\x36\x74\x9f\x6c\x37\xda\x20\xb8\xa9\xd0\xf9\x99\x6c\x2c\x64\x73\xae\x26\xab\x0b\xae\xc4\x6c\xee\x34\x66\xf3\x4a\x60\xe5\xa5\xf3\x86\xff\xae\xcd\x1b\xfe\x45\x8f\x3d\xfd\x12\x6c\xbc\x68\x95\x84\xe0\xe4\xd7\x78\x86\x29\x54\x23\xc5\xec\x68\xe5\xc7\x8e\x4b\x5c\x55\xf4\x88\xd7\xdd\x3c\x76\xf4\x19\xfe\x5d\x3a\x76\xd4\x5a\xfa\x3a\x5a\x74\xc8\xd2\x77\x82\x47\x71\x97\x60\xec\x8b\xfb\xd9\x4d\x5b\xea\xb7\xd3\x08\x0f\x01\x06\xe7\x62\x3a\x2d\xf3\xbe\xff\xc6\xfd\x41\x31\x78\x19\xa7\xf3\x7a\x96\x9f\x5f\x4e\xb2\xf5\xb1\xb8\x23\xc5\x29\xb8\xbf\x20\x4a\x7d\x7e\xa3\xc8\x38\x10\x79\x69\xd3\x4d\x94\x2a\x8f\x51\x21\x1c\xcc\x82\x73\x58\xfc\xe8\x3e\xf6\x16\x8f\xed\xc3\xe7\xee\x39\xea\xbf\xfa\xd2\xd8\xe4\x4f\xd2\xfb\xc1\x33\xd5\x5f\x14\x5a\x50\x6a\x2e\xbc\x67\x2c\x9c\x99\xd5\x0d\x26\xcc\x76\x64\x2c\x2d\x1a\x99\x16\xe8\xb2\x80\x54\x22\x64\xf7\xb2\xbd\x78\x96\xe6\xfe\xa9\xe0\x0e\xec\xb0\x9c\xa0\x11\x26\x58\x55\xbb\x7f\xa9\xe3\xf0\xfc\xa5\xf5\x5f\xa8\x9e\x70\x64\x88\xf7\x79\x6c\xbf\xb6\xbd\xf8\xef\xf0\x82\x37\x78\x67\x7a\xb5\xd0\x0c\x95\xac\xd4\x4a\x47\x0b\x67\x7d\x22\xa2\x8e\xce\x6c\xd9\x30\x88\x44\x3e\x84\x8c\xd1\xc4\x40\x2d\x05\xed\x35\x9b\x30\x58\x6b\xf1\x88\x9f\x91\x7a\xdd\xc1\x89\x5e\x2f\xe9\x1f\x84\x71\x3e\x88\xc9\x0c\x5d\x00\xfb\x4f\x7b\x6c\x97\xd4\xba\xfd\xb7\xec\x20\x9a\x66\x49\xc7\xd0\xc4\x5d\x51\x94\x51\x17\xd8\x8b\x14\x58\x56\xf7\x16\x5f\x17\x39\xf2\x0d\xf1\x99\x52\x9d\x28\x84\x83\xb5\xe9\x1c\x9c\x5e\xa3\x2f\x60\x6f\x70\x4f\xba\x97\xb4\x82\x6f\x7a\x1b\x9f\x74\xd6\x01\xe7\xce\x63\xdd\x43\xb5\x99\x8c\xa9\xba\x70\x2a\xc5\x05\x0f\x60\x51\x8c\x53\x69\x01\xbf\xbf\x2a\x4a\x0e\x1e\x10\x18\xc9\xac\x47\xa4\xed\x56\x2b\xa0\x58\xf8\x3a\xc8\xf5\xd5\x16\x45\x11\x21\x26\xa6\xcc\xa3\xf6\xf9\x7a\xeb\x22\xab\x1d\xca\xa1\x11\x97\x96\x6d\xcc\x15\x01\xb5\x36\x53\xcf\x3d\xcd\xb0\x7f\x81\x6d\xe5\x35\x5e\xf0\x90\x77\x52\xff\xd6\xf1\x5a\xb1\x5c\x17\x00\x27\xcf\x72\x2d\x5e\x75\xe2\x65\x0c\x97\x56\x23\xa4\x16\x52\xda\x31\xca\xe3\x22\x00\x25\x4c\x50\x1a\x98\x96\x29\x84\x47\x07\xfa\xc0\x14\x3c\x6e\xad\x36\xbb\x89\x3f\x33\xc1\xb6\x7b\x1a\xf8\x5f\xff\x9e\x20\x31\x3f\x31\xa5\x16\x9d\x0e\x08\x89\x4d\x12\x0b\xc4\x63\x2c\xa6\x1a\xe0\xae\xc4\x68\xd2\x45\x5d\xfc\x26\xb9\x8c\xe4\xb3\xb8\xa8\xdc\x6d\xec\x1f\xee\x60\x6f\x1f\xb1\x73\xe8\xbc\x6e\x24\x78\xf1\xc8\x96\xb3\xe8\x00\x25\x59\x53\xfe\x1c\xae\xe1\xa6\x8e\xdf\x5b\x68\x4b\x80\x92\xa2\x02\x0a\x6c\x0a\x6c\xc0\x04\x58\x39\xf4\x0d\x25\x2b\x46\x69\x96\xca\x09\x52\x93\xe3\xc0\x99\xe0\x7c\x33\x46\x4f\x53\xfc\x27\x2a\x65\x04\x96\x28\x33\x27\xd1\xd0\x18\xce\x53\x10\x7d\x32\x07\x92\x87\xf3\x26\x2b\x84\x05\x84\x45\x5d\x0d\xbe\x2a\x64\xac\x31\xfa\xb7\x41\x7e\xd9\x2e\x8d\x80\x6e\x9d\x23\x81\xfc\x97\x16\x1b\xa9\xe2\x8e\xff\x9f\x5a\xc1\x5b\x5a\x67\x67\xa6\x54\xa7\x10\x16\x51\x1e\x01\x31\x65\x58\xc5\x4f\xb3\x09\xc2\x6c\x48\x18\x2c\x58\x83\xab\xa6\xa8\x39\x03\xbf\x24\x94\x9b\xd4\xa0\x75\x78\x00\xce\x1c\xbd\x94\xf5\x2e\x43\x0e\xde\x14\xbb\x1f\x2c\x6d\x26\xe9\x40\x96\xf2\xb9\xb3\x8b\x96\x07\x20\x64\x6c\x4e\xa5\x03\xd4\xb5\x11\xb1\xd1\xbc\x88\x3a\x63\x72\xad\x6d\xbf\xbf\x6c\xda\x85\x2a\x76\xe5\xb6\x8f\xb7\xd8\x01\x18\x11\x6c\x81\x14\x7d\x5f\xdb\x9a\x30\x17\xe8\x30\xac\xd2\xa2\xcc\x2b\x90\x91\x3a\xc0\xd4\x49\x56\xd9\xa8\x07\x39\xf2\x15\x48\x23\xaa\xed\xaf\x2a\x8c\x4f\xee\x69\x7d\xb0\xce\x80\x1e\x50\x66\x19\x42\xdf\xe0\x5d\xe8\x24\x9d\x2d\x2b\xca\x97\xe2\x32\x97\x3b\xa5\x91\xf0\x16\xa5\xae\xaf\x3c\x4d\x0f\x54\x22\xef\x83\xa5\x04\x86\x52\xfb\x49\x7b\x9a\x0d\x00\x0e\x1b\x4c\x69\x00\x78\x5c\xb2\xbb\x6f\xbb\xdf\xac\x7e\xd9\x88\xc6\xe9\x2d\x2d\x76\x80\x7c\x1b\x72\x57\xf0\x5f\xd1\x0a\xfe\x9f\x01\xd4\x9a\x72\x7e\x98\xd4\x5a\xda\x4d\x99\x64\xe9\x8a\x3a\x73\x30\x2e\x4a\x59\x6d\x3b\x98\xa4\xb9\x8a\x8b\x55\x6b\x57\x43\x23\x87\x4a\x05\x8f\xa0\x03\xb3\x83\xa4\xd6\x46\x4e\x95\x16\x61\x2d\x01\x22\x90\x48\x82\xc4\xd7\x47\xe4\x5b\x0e\x58\xec\x34\x5b\x87\xd2\xe4\x36\x8c\x73\x3c\x2e\xf8\x4a\x06\x82\x4e\x46\x26\x7d\x48\x69\xa8\x89\x9b\x29\x1b\x5c\x96\xab\x14\xcb\xa4\xaa\xb8\x5e\xb0\x11\xf6\x64\xb5\x3c\x16\x95\x50\xe0\x7f\x69\xe4\xd2\x65\x8c\x1f\x1f\x99\xac\x97\x47\xb4\x19\xfa\xe7\x80\x9a\x46\x5f\x84\xa4\xf8\x28\x8d\x18\x4d\x6d\x3d\x2a\x8c\x40\x45\x27\x76\x93\x53\x93\x3e\x7b\x35\xea\xf5\x44\x5a\x8c\x11\x1b\x24\x3a\xcd\xa2\x76\x9e\x15\x05\x2f\x44\x2f\xca\xa1\x53\xcc\xb2\x26\x7e\x56\xd4\xfe\x54\xe7\x97\x3a\x46\x4d\x55\xa9\xdb\x8c\x12\xeb\xfc\xc9\xc9\xeb\xae\xbb\xee\x16\x38\x87\xd5\x46\x12\xa7\xfc\xec\xe2\xe4\x16\xf7\x89\xd9\x0a\x79\xc1\xc0\x54\xfc\xe8\xeb\xd4\x6a\xbd\xb2\xdf\xde\x2b\xa5\x90\x14\x62\xaf\xf2\xc2\xff\xfc\xde\xe0\xa5\x7b\xd5\x59\x80\x27\x1e\x75\x9c\x8b\xde\x43\xf8\x49\xc7\xe8\xc4\xe4\xf5\xea\x53\x04\x9b\xd0\x2a\x8c\x23\x9c\x2b\xf9\x05\x23\x05\x50\x02\x69\x67\xdd\x5e\x96\xc2\x19\x0a\x20\x1c\x79\x30\x61\x1c\x22\x29\xdb\xb2\x24\x5d\x8f\xec\x1e\x8d\x26\x84\x56\x38\x33\x2b\xab\xc3\x0c\xd3\x2c\x1d\x03\x34\xba\x2c\x27\x16\x85\x8b\x48\x6e\x03\x2e\x22\x21\x1b\x2a\xc5\x3e\x9e\xd4\xdd\xa1\xf6\x44\x02\x02\x10\x10\x9f\x1e\x54\x49\x02\x61\x46\x85\x9c\x9f\x81\x99\x15\x17\x7c\xf6\xcc\x22\x17\x29\x70\xbc\x75\x6c\xf1\x30\x4e\xcb\x3c\xeb\x54\x72\x5b\x28\xe2\x95\x14\x8c\x66\x69\xc9\xf3\xb8\x38\x0f\xb1\x3b\x65\xd5\x3e\xcf\xcd\x58\x84\xd6\xdf\x64\xdb\x40\x4c\x3e\x6c\x0d\xa3\x50\x77\x04\x90\x1b\xd8\x64\xac\xd4\x2b\xf2\xab\xc8\x39\xcf\x63\xd3\x5b\xba\x38\xed\x71\x32\xdf\xa5\xdc\xc9\x1a\xb5\x1f\xa3\x83\x41\xe9\x37\x11\x2f\xe2\x52\x41\x37\xec\xa4\x83\x66\xf4\xec\x31\x55\xe3\x8c\x2a\x9f\xa9\xd8\xc6\x93\xc7\x85\x8e\x50\x46\xc3\xaa\xec\x94\x28\xe1\x87\xac\xf4\x44\xa3\xe6\x1c\x52\x16\xf0\x2c\x47\x3c\xc8\x61\xd9\x7a\xd9\x9b\x64\xf4\x1e\xde\x90\xc8\xfe\xf2\xa8\x74\x9b\x31\x4a\x68\x0a\xe2\xde\x8b\x20\xae\x35\xc9\xda\xe7\x43\x7e\x2f\x79\xb4\xf5\x58\x42\x0f\x41\x7b\xcd\xc0\xc8\x93\x6e\x39\x17\x80\x17\xa1\xbd\xa5\x2b\xcf\x08\xd0\xbb\xbb\x85\x48\xd6\x28\x76\x40\x1d\x89\x6b\x55\x22\x65\x14\x82\x98\xe8\x22\x51\xcc\x28\xec\xa6\x6d\x80\x0b\xdf\x46\xb2\xab\x9f\xdf\xcb\xae\x52\x62\x11\x1c\x79\xef\xdc\x1b\xbc\x71\xef\x9d\xd6\x15\x15\x5e\xa0\xa8\x5e\x90\x19\xc7\xe5\x44\x50\x48\xfd\x32\xd3\x32\x96\x1b\x88\xca\xcf\xcc\x9e\x7a\x16\x9f\x39\x09\x4f\x43\xa9\x38\x8c\xab\x51\x41\xfe\x34\x91\xea\x94\xfa\x0d\x11\x23\x18\xa8\xa6\x61\xd9\xb9\x28\xab\xdc\xca\x24\x4d\x56\x36\x25\xb5\x9a\x63\x13\xa0\x4d\xfa\x35\x8c\x30\x1d\x8c\x29\x56\xf9\x0d\xda\x59\x77\x09\xc2\xdf\x48\x02\xa2\x0f\x80\xa4\xc1\x17\x28\x4d\x93\x4a\xfb\x8f\xaf\xaf\x12\xd3\x28\x9c\xe1\x56\x9c\x02\x78\xcd\x38\xdd\x34\xdf\x6b\x0c\xa6\x4b\x82\x97\x79\x95\xb6\xed\x7d\x3f\x11\xe9\x4a\xb9\xaa\x99\xd3\xa1\x56\x47\xb4\xef\x46\xa4\xa5\x62\xe5\xd4\xbc\x2c\xb5\xc6\x00\x10\x5a\xb5\xce\x33\x5e\x5b\x6d\x17\xd2\x82\x30\xf4\x8b\xb8\x20\x4f\x95\x51\xfb\x70\x85\x7e\x91\x5b\x15\x76\x35\x8f\xf8\xf5\x47\x6e\xe1\x63\x0a\x31\x03\xf8\x6b\x78\x86\x90\x8d\xf4\xd8\xb1\x23\x47\xf9\x24\x25\xc0\xca\x72\x7e\xc3\x91\x23\xd8\x97\xf3\x22\x2a\xb2\x94\x4c\xa7\x84\x5d\x50\xb8\x39\x80\xe6\x38\x93\xa5\x6d\xfb\x59\x97\xb3\x2a\xd5\x66\x1f\x94\xfb\x93\x24\x2b\x75\x9a\x6d\xdb\xca\x8a\x12\xa4\x14\x40\xfb\xfc\x90\x9a\xb1\x49\xdf\x82\x82\x41\x01\x0a\xb0\xa7\x8b\x9d\x97\x6f\x8c\x21\x38\x62\x55\x44\x1d\x91\x1f\x0e\x19\x9b\xa0\x64\x0d\xca\x25\xae\x56\x83\x43\xdc\xfd\xa8\x9f\xc5\x1a\x7a\xd6\xee\xdb\xa2\xd8\x0b\x5b\x6c\x0f\xa2\x1d\xfd\x7f\xf0\x82\x2f\x7b\xa7\xa3\x1e\x1e\x13\xb0\x5f\x9c\x17\x7d\xdc\x57\xc8\x86\x34\x10\x5c\x06\x9b\x0b\x04\x35\xa0\xd8\x29\xbb\x63\x25\xcb\xe5\xcf\x43\xa0\x3e\x92\x3f\x35\x01\xa4\xa7\x91\xbb\x23\xe5\xa9\x33\xd9\x81\x0d\x49\x8c\x0a\x69\x2f\xf3\x0c\xd3\x63\x63\x19\x10\x43\x7a\x09\x42\x3b\x7e\xde\x46\xf2\xfa\x9f\x7a\x6c\x5f\x21\x92\xe5\x53\x71\x7a\xde\xff\x8a\x17\x7c\xde\x5b\xa0\x5f\x78\x24\x9e\x9d\x3f\x55\x17\x1f\x2d\xf5\x70\x0b\x82\x17\x63\x53\xd3\x73\xf3\xd3\x93\x13\x8b\xd3\x53\x36\xa5\x19\x82\xd2\xcb\x0c\x42\xd4\x7b\xd1\x4a\x64\x4a\xd7\x84\x5a\x47\xc3\x63\x47\x78\x2e\x12\x11\x15\x42\xcf\x54\xbd\x28\x7b\x49\x94\xa6\x5a\x1a\xb5\x84\x86\xa3\xe1\xb1\xa3\xea\x35\x47\xf8\xfe\x2b\x8f\x7d\x87\x12\x69\xee\xcc\xa3\xb6\x98\x13\x79\x0c\x59\x55\x00\x1d\xf4\x05\x4f\x71\xc8\x7c\xd8\x9b\xd5\x08\x3b\x02\xcf\x68\x95\xb5\xa6\x23\xc3\x8e\x2d\xcb\xc2\x40\x1b\x4d\x3f\xa2\xc4\xba\xd8\x6c\xaa\xaa\x89\x5a\xd6\x52\xbd\xa5\x08\x6a\x51\x16\x1f\x14\xba\x54\xb8\xab\x4e\x0f\xa4\x44\xaa\x62\x35\xcb\x4b\x91\xca\x35\x64\x7a\xdc\x25\x31\x3a\xc0\x9e\x3c\x50\xa0\xff\xca\x03\x97\xae\x6f\xfc\x1a\x9b\x6a\x6a\xe0\xfc\xc9\x49\x0e\x12\x7a\x47\xf1\xae\xe1\x4e\x53\x6a\x59\xc6\x36\x38\xea\x73\x06\xc5\xdc\xba\x4e\x46\x3a\xb2\xbd\x9b\xca\x9e\x89\x74\x4f\xeb\x4e\x42\x55\x01\xf4\x2c\x33\x0b\xe5\x0a\x18\xb5\xcd\x0d\x9d\x38\x17\x00\xc4\x29\x44\x89\xc0\x02\x14\x69\x60\xd3\xc3\x63\xc9\x78\x89\x0b\x8a\xe3\xd3\x53\x4b\xc9\xe2\x87\xd2\x8c\x4b\xfd\x54\xe4\x7c\x2d\x26\xf1\x47\x0e\xa5\x83\x42\x21\x22\x7b\xc8\x38\xa4\xb3\xfe\x2f\xa1\x5d\xeb\xf0\xe0\x36\x6a\xcd\xf8\x51\x44\x10\x3b\x92\x64\xa1\x45\x39\xb4\x23\xf1\x89\x02\x9a\xa0\x0e\xc6\xfa\x83\x9a\x45\x06\xf8\x56\x47\x9d\x6e\x5a\x92\x52\x97\xec\xeb\x33\xaa\x9a\xc6\x99\x46\x89\x11\xf5\xf9\xae\xd4\x34\x30\xd6\x51\xfe\x23\xd2\xfe\x14\x3a\x56\x27\x69\x47\x60\xc4\x28\x8f\x12\x29\xd9\xad\xac\x22\xca\xd2\x9d\xaa\xdc\xa8\x28\x94\xf3\x00\x1f\x50\xbd\xdc\xcb\xe3\x2c\xd7\x26\x7f\xd9\x4d\x35\x98\x4e\x84\x09\xf5\xd0\x69\x4a\xe8\x17\x30\x7c\x62\xb2\x03\xa3\x3b\xc5\xa9\x83\x89\x5b\xac\xa7\x92\x92\xe3\x53\x22\xfe\x1d\x83\xaa\xad\xf9\x65\x53\x8c\x90\xdc\x5c\xcf\x1c\xa4\x65\x49\xc8\xc6\xa3\x70\x81\x51\x69\x55\xda\x90\xbf\x4a\xd6\xc5\x23\xbe\x1a\xe5\x9d\xa6\x4a\x0e\x2d\xcc\xdc\x79\xf7\xcc\xa9\x53\x87\x07\xaa\x43\x21\x17\x6a\x69\x27\x22\x4a\xab\xde\xa8\xad\xc6\xc9\x6f\xd7\x1b\xcb\xc4\xdc\x0c\x78\x42\xe1\x06\xec\xdd\x6d\x30\xbe\xa4\xa2\x5c\xcf\xf2\xf3\x80\x1e\xc7\x85\x3f\xea\xec\x65\x10\x2a\x50\x82\x50\x22\x05\x1a\x3d\x5d\x6d\x0f\xc6\x28\xaf\xd2\x12\x62\x32\x01\xf4\x92\x22\x16\x33\x03\xea\x3b\x32\xcb\xc3\x28\x22\xb4\x5b\x9e\x98\x1d\x81\x1f\x2a\xdc\x71\x97\xf3\xde\xdd\x33\x3b\x26\x71\xa3\x9c\x84\x83\x8b\x3d\x1b\x88\x56\xd1\xa2\xaf\xde\x04\x86\xdb\x03\xb6\xb6\x89\x6c\x64\x5d\x7c\xd4\xac\x04\xaf\xf5\x18\x33\x8c\x64\xfe\x43\xfa\x24\x4a\x27\x78\x21\x5b\x26\x07\x90\x50\xdf\xce\x71\x1c\x99\x64\x7c\x36\xa3\x99\x52\xdf\x91\x8b\x0e\xe0\x57\x5b\x3a\xad\x9d\xb3\xe3\x1b\x23\xec\x89\x90\xef\x53\x33\xed\x16\xfe\x1f\x8e\x04\x1f\x69\xa9\xec\xe6\xca\xd6\x8d\xac\xf1\x16\x81\x9a\x15\x51\x3c\x71\xea\x94\x7e\xce\xd6\x4e\x21\x7c\x06\x46\x8e\x96\xab\x3b\x13\xd5\x01\x51\x23\x34\xb2\x55\x1b\x63\x83\xb0\x28\x01\x22\x4b\x7a\x22\x5d\xdb\xa6\xdb\x30\x96\x09\xa8\x80\x50\x06\x99\xa1\xd4\x52\x6f\x5a\x24\x0e\xea\xa2\xe5\x93\x02\xbf\x55\x25\x94\x0b\xc8\xf8\xa5\x5c\xce\x74\xed\x1a\x35\x85\x38\x3a\xe7\x34\x9b\x64\x13\x97\x82\x0d\x70\x06\x65\xeb\xba\xea\x23\xde\x77\x6f\x92\xec\x79\x8f\xbf\xab\x8a\x3b\x8c\x3d\xb4\x8b\x5d\xdd\xb5\xbd\xad\xfe\x5f\x8f\x04\x6f\x1a\x71\x1c\xb0\x1c\xf2\xb4\x5a\x0e\x74\xdb\x3b\x66\x48\xee\x61\xa6\x90\x17\x4d\x73\xb6\x38\x24\x0e\x10\x19\x86\xa5\x18\xb3\x6f\x37\x2b\xe4\x81\x2d\xa5\x2d\x0d\x99\x59\xcd\xaa\x42\x9c\x17\xa2\x17\xa7\x2b\x78\xcc\xa2\xbb\xca\xf8\x27\x50\x7f\x49\x0f\x96\x1a\x61\x47\x27\x56\x95\x76\x44\x0e\xb0\x09\xeb\xc4\x0d\xf9\x84\xf1\x63\x93\x6c\xaf\xe4\x87\x83\x05\x1c\xd9\xa3\xce\x8c\xd2\x17\x33\x13\xfe\x4b\x51\x47\x6a\x15\x62\x4a\xdd\x5e\x54\xae\xa2\x4b\x34\x68\xc7\x63\xed\x4e\xa0\xd3\x1e\x5b\xbd\x11\x6b\xb2\x23\x95\xe9\x58\xf5\x9d\x82\x15\xe8\xc6\x81\xc6\x51\x33\xe5\x9b\x9d\xd0\x99\x54\x33\xec\x4e\x36\x7d\x09\x93\x6a\xd0\xb9\xce\xfe\xae\x45\xb1\xe7\x7f\xde\x0a\x7e\xbb\x35\x3b\xe8\xb7\x33\x09\x3c\xb5\xd1\x1d\x38\x9c\xb4\xca\x0d\x4d\x46\x7b\x37\x20\xad\xc9\x6c\x6f\x49\x08\x45\xd6\xb5\x59\x20\xba\x90\x2c\x51\x7e\xb2\x12\xcf\x20\x7c\x51\x9f\xf3\xa2\xb6\xcd\xc9\x53\xa8\x27\x35\x88\x3c\x96\x72\x27\x3a\x01\x6c\xe7\x70\xa8\x95\x4e\x4c\xf3\x17\x03\x0a\xd7\xe2\x4d\xd2\xce\x2a\xa3\x26\x92\x42\xe7\x60\x13\x4d\x7f\x5e\x16\xb7\xdd\x86\xec\xdf\xaf\xd9\xcd\x9e\xa8\xba\x44\xf9\xf5\xff\x69\x57\xf0\x97\xbb\x26\x52\x9e\xf5\x22\x60\x13\x01\xd9\xac\xc4\x08\x19\x87\x45\xca\x00\xcc\x6a\xde\xfe\x5a\x0c\xa3\x56\x64\x97\xfa\xd4\xd3\xe0\x85\x32\x87\x35\x8c\x9d\xda\xba\x61\xbb\x56\x14\x9c\xa0\x83\xa8\xd7\x65\x1f\x66\xbd\x32\xee\xc6\x45\x19\xb7\x65\xaf\xa1\x3b\xbc\xdd\x1f\x55\xbe\x3d\x59\x26\x90\xd1\x19\x7b\xc3\x3a\xa8\xc0\x06\xed\xe1\xa6\xc1\x82\xbc\x80\x0e\xbd\x8c\xed\x37\x90\x53\xb0\x94\xa3\x46\x20\x0a\x05\x12\x2e\x54\xe7\x40\x6a\x6a\xe4\x42\xab\x52\x13\xe8\x06\x40\x83\xcc\x36\xf5\xa0\x33\xad\x6b\x69\x54\x88\x1b\x41\xab\x26\x48\x49\xed\x2a\x89\xf2\x8d\x5b\xb6\x35\x07\xc4\x3d\x4e\xe8\x46\x49\x26\x1e\xd3\x68\x6b\x18\x64\xfb\x1f\x75\xd9\xc3\x1a\xa8\x31\xda\xe1\x00\xd4\x09\xc1\xa8\xc5\x80\xb5\xe4\x33\xfb\xd8\x35\x36\x94\xb3\xd7\x2b\x20\x09\x03\xda\x2d\x16\x04\x31\x52\xf9\x6f\xdf\x17\xdc\x51\xbf\xb8\x51\x9a\x28\x45\x78\x66\xde\x09\x2f\x7a\xfb\x14\x67\xae\x03\x3e\xf8\xd4\x5e\xf6\x25\xc8\x12\x43\x64\xbc\x9f\xd5\x64\xbc\xef\xf7\xea\x34\xbc\x16\xd5\x6b\xd2\xe7\xd9\x12\x3a\x43\x07\x49\x79\xb7\xcd\x3c\x29\xb7\xe4\x24\x8b\x3a\xc8\x41\x49\x66\x9a\x71\xcb\x7c\x63\x2e\x8f\x5f\xb3\xbe\x1a\x95\x63\x71\x31\x16\x8d\x35\x3e\xe0\x26\xd0\xf6\xd8\x93\x75\x46\x33\x4d\x38\xdc\x53\x9f\x78\x9f\x4b\x5c\x69\x72\x9f\x69\x7a\x61\xc8\x8a\x83\x27\xa6\x8e\x1e\xed\xc6\xa9\x9c\x82\x7d\x32\x71\x1c\x36\xd6\x0b\x05\x95\x2e\x44\x8d\x21\xfc\x1b\x2e\x83\xf6\x9f\x78\xc1\xec\xbc\x3b\x7c\x84\x64\x35\x4d\x40\x02\x5d\x93\x81\x31\xb2\x4b\xb7\xe8\xf3\x50\x0e\xb5\x0f\xab\x9b\xd9\x8d\xec\xfa\xe1\x78\xe1\x81\x49\xa6\x99\xae\xa5\xd0\xb3\xb1\x28\xb3\xd7\xdf\x5d\xf6\x7b\x52\xe8\xd9\xb2\x29\xff\x65\x1e\x7b\x0a\xa8\x24\x10\xe7\x6c\xd1\x3e\x17\x6a\x14\xfe\xfd\xe2\x20\x37\xb1\xa1\xfa\xa4\x68\x70\x87\xb6\x8b\xae\x91\x44\x2e\xb5\xb4\x52\x74\x7b\x89\xc5\xb7\xad\x06\xb0\x3e\x10\x3f\xd4\xc8\x73\x1c\x2b\xcd\x60\xf1\xcc\x20\xcf\x71\x2e\x96\x13\x15\x69\xd0\xa0\x0f\xd4\x17\x05\x41\x04\xac\xa5\xe7\x34\xe0\x7b\xd9\xd5\x30\xa5\x74\x37\xdc\xa9\xba\xe1\x98\xdb\x0d\x38\xf1\xf4\x44\xdc\x7c\x8e\xbd\x7c\x97\xb3\x99\x0c\x23\x5b\x93\xda\xc6\x3b\x3d\x15\xd5\x9f\x2b\x84\xd0\x00\xfd\x5a\x03\x51\x9c\x32\xea\x80\x1c\x82\xf1\x3c\x8a\x2c\x59\xca\x9f\x13\xb3\x53\x0a\x2e\xb8\x98\xf5\xb2\x24\x5b\xe9\xdb\x15\x23\x1c\x51\xc7\x0b\x80\x6f\xb0\x5a\xa2\x8d\x1f\x1c\x12\xb5\x96\xba\x28\xa9\x9f\x6d\x41\x8e\xb6\x3a\x77\x86\xff\x02\x2f\xb8\xd1\x64\x94\x73\xbf\xc3\x69\xea\x12\x7e\xe5\xc1\x42\x85\xe3\xdb\x6b\xe6\x36\x76\x9c\xdd\xbc\x2d\xe2\xba\x79\x53\x36\x7b\x8d\x47\x51\x74\x24\xd7\x5f\x42\x9b\x34\xc4\xf3\x72\xb5\xe9\xab\xfb\x1d\x6a\x3a\x4a\xf0\x43\x79\x61\x10\xb6\x31\x9f\x25\xe2\x44\x0c\x66\x1a\x48\x1c\xf5\xbe\xfd\xc1\x87\xbc\xe6\x7b\x4d\x79\xa4\x06\x9f\x84\x20\xc9\x5e\x2e\xb4\x17\x63\xed\x68\x78\xf4\x26\x88\xf9\x8e\xd6\x32\x9c\xd6\xc3\xf2\xdd\x8c\xaf\x1d\x6d\x28\xf1\x14\x78\x3b\xe5\xd9\x4d\x34\x01\xca\x58\xb8\x44\xf2\x86\xaa\xe6\xd8\xb1\xb0\x31\xa5\xd5\xef\xed\xb9\x12\xb6\xb0\xd3\xb0\x85\x07\x55\xaa\xa9\x07\x82\xef\x6e\x48\x35\xd5\x30\x0f\xb6\x3e\x8d\x37\x99\x97\x57\x42\x26\x76\x10\x32\xf1\x18\xe5\x72\x7b\xc4\x7b\x70\xf3\xb8\x85\x7b\xfd\xb3\xdb\xc8\x79\xd5\xbc\x11\xb8\x19\xb0\x28\x88\xe1\xa3\xfb\xd9\xbd\xe6\x5b\x4c\x7c\xe6\x98\x06\x99\x99\xcf\x72\x1e\x00\xc6\x62\xc8\x93\xa3\x48\x38\xa7\x74\xf7\x90\xdc\xfd\x7b\xfb\x82\xf9\x8d\x1f\xb1\x58\x56\x28\x86\xc4\xc8\x20\xc3\xde\x74\xf6\xa7\x7f\xde\xcb\xde\xd9\x72\x84\xc3\x37\xb4\x82\x59\x3b\xbb\x0a\x55\x40\x65\x4b\x39\xc0\xd2\xa1\xa2\x02\xd8\x11\x51\x40\x1c\x5e\xa1\x59\x8d\x09\xbb\x9f\xad\x0e\x9b\x09\x97\xa9\xf7\x1c\x81\xf2\x3b\x06\xa9\x74\xbb\x51\x4f\x4a\x93\x85\xbf\xdf\xdf\x3b\xc6\x49\xa0\xe4\x43\x49\x77\xf7\xf8\xbb\xba\x51\x8f\xb1\xdf\x1a\x61\x4f\x40\x2c\xa8\x26\xa0\xfc\xe5\x91\xe0\xdd\x23\xee\x35\x74\x18\x01\x16\x59\x53\x24\xca\x4d\xca\x69\x2b\x09\x98\x10\x22\x00\xdc\x0c\x1a\xdc\x1d\xf2\xc5\x3c\x6a\x9f\x37\xb1\x17\x86\x89\x11\x53\x49\x45\xbc\x1b\xaf\x90\x08\x08\x16\x29\x20\x67\x45\x88\xaa\x7e\x36\x4e\xb9\x28\xdb\x24\x0c\x69\x0f\x5c\xb7\x42\x3f\x19\x90\xec\x9a\x52\x2c\x6b\x68\x3b\x4a\xb9\xec\xc5\x62\xd5\x79\x02\xb8\xa6\x31\xe4\x5a\x19\x20\x0e\x89\xb4\xa8\x72\x64\xad\xe5\x59\xd2\x71\x80\xd7\x89\x58\x06\x18\x21\xf1\xd1\x1e\xd6\x26\x82\xd4\xf6\x6e\xe4\xa2\x28\x07\x58\x30\x69\xf3\x23\x8b\x6e\xc8\x75\xb7\x5a\x2e\x2b\xc7\xe7\x7a\x4e\xce\xc0\x50\xbd\x7f\x8e\xaf\xaf\xc6\x90\x58\x4c\xf4\xc9\xdf\x61\x5b\x88\x37\x62\x8d\xfc\xba\xc7\xae\x8e\x20\x4a\x59\x74\x00\xfc\xee\xff\xbe\xc7\x3a\x8f\xf2\x54\x85\x8a\x82\x07\x9d\x7a\xa1\x0b\x95\x25\xd2\xb2\xaf\x46\xed\xb2\x02\x83\x28\xc6\xc7\x28\xc0\x02\xd4\x0d\x21\x0f\xd9\x9a\xdc\x44\x8d\xfd\x63\x38\xe6\x07\x66\x08\x74\x1c\x7b\x3d\x63\x53\x5b\x60\xe4\xa8\xf3\xc3\x3a\xcc\x1f\x20\xbd\xfd\xca\xfe\xe0\xee\xcd\x1e\x72\x0f\xee\x8d\x9e\x6e\x96\xa6\x7e\x7f\xef\x15\x69\x6a\xa7\xd2\xd4\xab\x3d\x25\x4e\xbd\xd8\x0b\x9e\x76\x6a\x2b\x63\x61\xaf\x9a\x79\x36\xc7\x66\xb7\x4d\xe8\xb2\xe1\xf4\xb9\x22\x64\xed\x40\xc8\xfa\xbc\x1d\x97\xfa\x8b\x97\x16\x81\xa8\xc5\xac\x17\x7a\x5a\xce\x82\x45\xfa\x98\xc5\xa0\x5a\x1f\xf7\x88\xf7\x42\x6f\x73\x79\xee\x39\xfe\xb3\x4d\x1c\x6a\xe3\xa4\xab\x89\x74\x9b\x6d\x4d\xf5\xf4\xa6\x3f\xcf\x9c\xbc\x50\x0d\xb6\xd1\x9e\x68\xfb\xaf\x66\xc1\xf5\xee\xa5\xe6\x10\xff\x06\x73\xa8\xd2\xc8\xdd\x0c\xc8\xfb\xd9\x43\x2d\xf6\xc4\x9a\x89\xcf\xff\x4b\x6d\x15\xfd\xb2\x77\x3a\x4e\x6b\x64\xea\x0a\xcd\x24\x25\x01\x62\x53\xe0\xa9\x58\x4f\xfa\x0a\xf2\x0f\x26\x2a\x13\x48\x82\xa6\x1d\xc5\x3d\x05\x70\x6c\x4c\x4e\x65\x70\x09\xed\x3c\x2a\x56\xc1\x23\x07\xce\xba\x92\x50\x33\x16\xa9\xa1\xb6\x14\xba\x7c\x13\x47\xf8\x21\x59\x99\x66\xbe\x6b\x78\x81\x47\x05\x2f\xb2\x2c\x95\xff\xc6\x14\x17\x10\x75\xfa\x87\x1d\x6b\xd2\x4f\xb6\x2c\xa3\xf0\xeb\x34\xc5\xd3\x3f\x0f\x18\x85\xed\x74\x3d\xe8\x19\x37\x66\x60\x93\x75\x92\x32\xfd\xd7\x63\x4e\x14\xd9\x92\xb8\x40\xc9\x0d\x1e\x14\x79\x86\x4e\xc8\xd4\xc2\x32\xda\x1f\x78\xf4\x5b\xc7\xba\xfc\x4f\x2d\xa6\x67\x91\xff\x57\xad\xcb\x40\x3b\xfa\x9f\x5a\x36\x25\x68\x44\x74\xa9\x10\x90\xc4\x33\x90\x53\xb5\x71\x94\xa6\x93\xc9\x9c\xe9\xf0\x74\x84\x48\x2b\xd9\x8c\xb8\xb4\x52\x6e\xda\x8c\x6c\x4b\x96\x63\xde\xc0\x0e\x6c\x7b\x23\x9f\x29\xeb\xf9\x3a\x6d\xe3\xab\x31\xad\x6d\x77\x88\xb6\xc4\x28\x7b\x0d\xfc\x3b\xa6\x21\x9e\xec\x47\x5b\x6c\x9f\xaa\xdb\x7f\xf1\x56\x12\xcb\xcf\x65\x9d\x45\x7a\x01\x58\x41\xbe\xe0\xa9\x9f\x6a\x3a\xdb\x0e\x3d\x37\xe9\x26\x7c\xa9\x0e\xf6\x90\x9d\x45\x8b\x3b\x06\x5a\xe2\x6a\x79\x39\x6e\xc7\x08\xe5\xa7\x15\x22\x85\x46\x74\xd3\x0d\x01\xe4\x5e\xa6\x59\x7b\x4d\x2f\xeb\x8c\xa9\x8e\x60\x5f\x6e\xb1\xa7\x6d\x92\x44\x87\xd4\xdb\xf7\xb6\x82\xdb\x06\x2f\x6f\x39\x83\x8e\x6b\x9f\xfd\x7d\x8f\xfd\x8e\x27\xd7\x06\xe6\xe7\xf9\xa2\x17\xbc\xcc\x53\x39\x79\x8c\xd4\x69\x65\xe4\xaf\xa5\x9e\x51\xd1\x17\x6e\x15\x52\x1b\xdb\x6e\x5a\x1e\xd4\xdb\xdc\xe2\xb7\xe1\x20\xd9\x20\xeb\x10\xfb\xec\x2e\x36\x6a\x3d\xea\xe8\x18\x68\xc2\xa2\x27\x4f\x44\xed\xf3\x22\xed\xf8\x17\x77\x05\x53\xee\x25\x3b\x89\x43\x92\x68\xf1\x47\x25\xb6\x58\x89\xd7\x44\xaa\x3f\x0e\x9c\xae\x59\x5e\xcb\x2c\xf4\xc9\x11\xf6\x0d\xf0\xd9\xa1\xe8\xe5\xff\x99\xc7\x8e\x6f\xfa\x39\x8b\xfd\x9e\xe8\x9c\xca\xda\x51\x52\xcb\xf4\x1d\xbc\xdb\x9b\xb7\xe0\x63\x51\xca\xf5\x03\xb6\xe2\x69\xc1\x8c\x0d\xda\xcc\xd2\x68\x20\x38\x90\xb4\x49\x35\xee\x16\x64\xc9\x46\xa8\x59\x69\x15\xe9\x43\x67\x55\x9c\x61\x61\x92\xfb\xe2\x4e\xa3\x68\xcd\xf4\x61\xc0\x66\xd8\x01\xeb\x2d\xff\x78\x30\xb6\xe0\xd0\x0c\xa6\x83\x99\xc4\xdb\x42\x97\xec\x60\x97\x9f\xa7\x8b\x82\x4c\xd9\xe9\x56\x49\x45\xaa\x32\x4e\x42\x39\x68\x65\x1e\xce\xa4\xe5\x99\x7c\x01\xca\xab\xb7\x04\x72\x17\x0d\x6f\x09\xfb\xd0\x01\xf6\xaf\x1b\x72\xf0\x5b\xc6\x2f\xff\x8d\x07\x82\x97\xda\x26\x79\xb2\xc3\x53\xac\x27\x50\x02\x8c\xf2\x24\x5b\x81\x98\x6c\x10\xc7\x28\x41\x0c\xd2\xf7\x21\x21\xa8\x8d\x4e\xb0\xda\x21\x77\x28\x2e\xa5\x46\xc4\x78\x59\xc6\x36\x9e\xe5\x0d\x26\x38\x77\x12\xbe\x7a\x3f\xfb\x8f\x2d\xf6\xc4\x68\x65\x25\x17\x2b\xb0\x21\xc9\xca\xfc\xd7\x6f\xb4\x0d\xab\x2f\x9c\x70\x5f\x0a\x7e\xd7\xab\x5d\xa9\x47\xf7\x58\xf9\xaa\xcd\xf2\xa1\x84\x0f\x4b\x55\x9c\x20\xfe\x01\xbf\x56\x7b\xca\xac\x2f\x40\xd4\xdc\x60\x1d\x84\xcb\xa5\x94\x2f\xf8\xbe\xdc\xb5\x2d\x93\x8c\x42\x55\x41\x22\x0e\x80\x3c\xeb\xb0\xa7\x32\xa3\x57\xd4\x89\x50\x94\x59\xb7\x67\x00\x0b\x16\x42\xed\x8a\xda\x7c\x85\x3b\xe9\xf1\xd3\x51\x57\x2d\x15\xf5\xfb\x77\xca\x9c\xb4\x91\x2b\x80\x3d\x57\xf1\x11\xe7\xc1\xf5\xb8\x36\x28\x4b\x6f\x92\x40\xe7\xd9\xdb\x52\xd3\x42\xdd\x7a\xe2\x36\xb5\x97\x98\x12\x1f\xf1\xee\xdf\x5c\x6f\xbd\xd3\x9f\xbe\x34\x3f\x44\x5d\x3f\x7d\x1d\x73\x36\xef\x06\x09\xd3\xff\xeb\xfd\xc1\x8c\xf5\xdb\x3e\xf9\x0d\x60\xc1\xc0\xe5\x00\xd3\xda\x8b\x05\xc9\x5a\xbd\x5c\xa8\xbc\x77\xbd\xac\x46\x93\xf7\xdf\xf7\x5d\x59\x0f\x3b\x58\x0f\xbf\x66\xdb\x6c\x3e\xb9\x63\x2e\xb1\x87\xbc\x0d\x96\xc4\x63\x06\x77\xff\x73\xcf\xd2\x86\x7e\xc7\xbb\x04\x6d\xe8\x5d\x9e\x35\x55\xcd\x79\x64\x74\xce\xba\xe6\x63\x9c\x05\xb6\x1a\x18\x3e\x16\x04\x89\x57\x0e\xd4\x1d\x1e\xa8\x8f\x78\x0b\x9b\xef\x96\x47\xfc\x50\xef\x96\x41\xa0\xb7\x45\x6b\xe2\xd4\xb7\xc5\x0f\xee\x62\xb7\x5a\x53\x8d\xf8\xb6\x95\x76\xb4\x50\xf5\x08\xfe\x13\x25\xc8\xd4\xbb\x40\x88\x31\xca\xe2\xe1\x7f\x73\x24\xe8\x6c\xfa\x94\x4b\x89\x44\xf7\x10\x5f\x84\x19\xef\xf0\x29\xe5\xa1\x21\x12\x11\xfb\x61\x77\x3b\x7d\x78\x84\xbd\xac\xc5\xf6\x40\x9a\xc7\xc2\x7f\x7e\x2b\xf8\xa8\x87\x7f\x6b\x57\x90\x0a\x54\xa4\xcb\xd9\x32\xe4\x85\x53\x8d\xc4\x2e\x2a\x42\x2e\xc5\x4c\xc8\x0e\x04\x53\x06\xe9\xbb\x32\x0e\x91\xf8\x26\x85\xc5\xe0\x9b\x28\x82\xc2\xf5\xbe\x79\x0e\xb3\x4e\xea\xa0\x09\x08\xe6\x86\xa4\xbd\x48\x8d\x9c\x76\x4c\xce\x2f\x38\x45\x4e\x57\x45\x39\x5f\xa5\x13\xae\xb2\x7b\x1d\x3b\xba\x41\xea\xde\xda\xf8\xcc\x4c\xcd\xcb\x4a\x59\xc9\x76\xc9\x63\xdc\x4f\x82\xe7\xe4\x24\x2a\xbb\x5d\xad\x77\x83\x4e\xdc\x26\xa2\xfd\xa8\x6c\xea\x13\xcd\x36\x43\xba\xe2\x82\x68\x57\x79\x5c\xf6\x27\xb3\xb4\x14\x17\x5c\x1e\x97\x5f\x7b\x32\xfb\x77\x76\x36\x4d\x9d\xf1\x52\xb7\x6f\x2e\x8f\x33\x78\x3b\x89\x8a\xc2\x7f\xfb\x93\x83\xdf\xf3\xac\x48\xd8\x31\x34\x38\x0e\xd0\x0b\x3a\x6f\x61\x30\x9b\x06\x29\x2d\xf5\xad\xcc\x9a\x06\x8a\x34\xee\xbc\x13\xd6\x8a\x50\xd3\xaf\x1b\xf5\x40\xdf\x82\x7d\x30\xc2\x28\xbb\xb8\xec\xf3\x36\x3c\x05\x8a\x28\xed\x0d\xfa\x16\xd9\x0e\x15\x2f\xcb\xa2\x0e\x9b\x27\xfd\x0c\x52\xfb\x01\x5e\x9a\x9e\x0c\x2f\x7a\xbb\xe1\x09\x67\xc6\x7e\xf8\x09\xec\xa7\x47\xd8\xd5\x2b\x49\xb6\x14\x25\x64\x1e\xf5\x5f\x37\x12\xbc\x68\xc4\xb9\x64\x31\xf0\x3b\x3c\xd1\xee\xe7\x58\xa9\x60\x2c\x73\x31\x51\xb9\x51\x41\xfa\x03\x00\x80\xa0\x4f\x84\x4e\xc6\x75\xde\x1e\xd9\x74\xb7\x0b\x28\x0a\x37\x4b\x45\xad\x46\x45\x03\x1e\xe5\xe7\xb1\xaa\x73\x4e\xb3\xcf\xd9\x39\x23\x96\x6b\x01\x40\x4e\x49\xa2\x20\x9a\x00\xbd\x4e\xe2\xbc\x5e\xd8\x60\x8c\x11\x71\x0a\x74\xa3\x24\x91\x3b\xb6\x26\x1f\x2b\xaa\xf6\x2a\xc7\x97\xf5\x87\xd7\xab\x53\x67\x20\x4c\xea\x21\x9d\xe4\xe6\xd0\xbe\x22\xa9\x5d\x91\xd4\x1c\x49\xed\xe1\x16\x7b\x52\x2f\x17\xa2\x0b\xe7\x14\x65\x5e\xf8\x4b\x2f\xf8\x3d\x6f\xae\x76\x55\x6d\xbc\xf4\x0b\xd6\x1e\x3d\x92\xae\xe0\x32\x84\x79\x2f\x0f\xa7\xdc\x4c\x3f\x7e\x06\xf3\x9b\xce\xe2\x12\xa2\x52\x4f\xc9\x87\xe6\xf4\x33\xb6\x53\xa5\xe9\x09\xb9\xf2\x20\x38\xb9\x1e\x48\x2e\xb7\xe2\x31\x32\x3d\xad\xd8\x01\x1a\xb3\x59\x3a\xa7\x5b\xa7\x8b\x59\x16\x91\xec\x91\xb1\x15\x4d\x7c\xa8\x88\x1a\x3d\x86\x3b\x9b\xff\x13\xda\xbd\xf6\x52\x6f\x71\x80\x0d\xb0\xbe\xa7\x28\xaf\x12\x9c\xcb\x80\xc9\x30\x8f\xc0\xa6\x04\xfd\x92\x8b\xb6\x88\xd7\x4c\x16\xfd\x3e\x6e\x52\xae\x85\x30\x2e\x68\xaf\xc6\xd3\x29\xce\xd1\x53\xd7\x13\x6d\x17\x5b\x7d\x45\xd8\xdc\xa1\xf5\xe6\x65\x1e\x3b\x80\xea\x2f\xcc\x6e\xff\x07\x82\xcc\xfa\x49\xe6\x3e\xc3\xcc\x47\x5b\x23\x25\x72\x42\xd4\x0d\x71\xdc\x14\x1c\x82\xbd\x12\xe8\x70\xcc\x1c\x9a\x36\xcd\x13\xeb\x54\x93\x5b\x75\xe8\x88\xbe\xf1\xe6\xa2\xef\x49\x7f\x4a\x8b\xbe\x03\x12\x82\x91\x84\xed\xd3\xa1\x11\x9f\xf8\x81\xfd\x36\x1d\xe9\xa6\x42\x0d\x40\x79\x1e\xde\x1f\xdc\x38\x70\xb5\x09\x82\xed\x7e\xb2\x28\x9a\x51\x3b\x9f\xbc\x82\xda\xd9\xf1\x04\xee\x2b\xd0\x4e\x2f\xf8\xb7\xb1\xc2\x40\xeb\xc0\xeb\xba\x90\x29\x1c\x04\xf4\xd3\xd9\xad\xec\x96\xa1\x22\xf8\x66\x33\xe2\x8a\xfc\xb0\x03\xf9\xe1\x33\xb6\xfc\xf0\xd1\x1d\xa2\x73\x7e\xb0\x19\x9c\xf3\x2d\xcb\x0f\xbf\xc5\x6d\x6b\x28\xb4\xfa\x6f\x3c\xb6\x78\xa9\x88\x4b\x9c\xc8\xcf\x58\x38\x33\xbb\x00\xeb\x7e\x2e\xcf\x7a\xc5\x99\x7c\x42\xae\x08\xff\xcd\x5e\xf0\x06\xaf\xf9\x9e\xed\x7d\x8e\xec\x88\x5c\xa9\x32\x10\xab\x17\x30\xfe\xd6\x5e\xa7\x9c\xa2\xb0\xe2\xe4\x72\xac\xdd\x0e\xf9\xe9\x28\x96\xba\x08\x70\x0b\x00\x64\x57\xe4\x71\x94\x90\xdd\x97\xf7\xaa\xbc\x97\xc9\x0d\x94\xfd\xf0\x13\x1a\x71\x47\x26\x0b\x29\xe0\x8e\xfe\xe0\xea\x60\xd6\xbd\x34\x14\x77\x64\x93\x46\x50\x86\x11\x4d\xf8\x6e\x8a\xb0\x11\x49\x17\x3d\x6d\xc8\x73\xf6\xf1\xaf\x5d\x75\x05\x9c\x04\xe2\xd8\xf7\xb0\x3d\xbd\x48\x9e\xea\xfe\x8d\xc1\xa1\x19\x0b\x81\x4f\x21\xfe\x26\xa5\x13\xc4\xa8\x47\x24\x00\x58\x3a\xd9\xdb\x46\xd8\xbf\xec\xe5\x19\xb8\xa9\xa7\x44\xd4\x91\xe2\x84\xea\xcf\x87\x47\x54\x7f\x7e\xad\xb5\x08\x69\xc3\x2f\x40\x9f\x2a\x76\x21\xbb\x47\x23\xbb\x2e\xc5\x85\xa7\x0a\xb6\xe8\xaa\x06\x72\xf0\x2e\x61\x4e\x3a\x15\x30\x67\x95\x62\xf9\x1e\xa1\xa3\xe4\xef\x38\xad\x9c\xe4\x9e\xf8\xaa\x93\x59\x0b\x98\x6c\xb8\x0e\x1c\x50\x64\x81\x73\xb5\x8f\x9c\xbe\xd0\x86\x44\xa9\xb2\x5b\x0b\x78\x8c\x5c\x97\x55\xbe\x1c\xb5\x8d\x9d\xc6\x6a\x10\x65\xa4\x81\x7c\xa1\x24\x60\xab\x0f\xb4\x73\xb7\x8a\xa2\x8c\x91\xa7\xa6\x53\xe5\xea\x14\x42\xbe\xaa\xe6\x01\x71\xa6\xc6\x8d\x47\x8e\xd4\x72\xe9\xbd\xd6\x0e\x4b\x7e\x91\x9e\xe3\xbd\xd9\x01\xc0\x99\x94\xf7\x77\x04\x36\xab\x51\xe7\xb9\x70\x33\xa7\x51\x9f\xf0\xd8\x53\x72\xb1\x16\xcb\x6d\xee\xae\xb8\x28\xb3\xbc\x7f\x2a\xee\xc6\xa5\xff\x2e\xdd\xc0\xd7\x79\x6e\x20\x67\x96\xd8\xd1\xa0\x05\x52\x2f\xc8\x95\x04\xe8\x0a\xa0\x65\xc8\x29\xb1\xf1\xa3\xf6\x11\x47\xdc\xaf\xf8\x7b\xcf\x02\xae\xfd\x89\x77\x19\x80\x6b\xef\xf0\x4e\x39\x99\xbd\xb5\x99\x28\xe4\xd3\x17\xb0\xf9\x4e\x27\x60\x3e\x76\x50\xd4\xa2\x5c\x45\x47\x5a\xa8\x33\x35\x2d\x01\x92\x25\x25\xd3\x08\xf2\x6d\x59\x4f\x98\x29\xb5\x75\x58\x1a\xfb\xa0\xfc\x70\x15\xa3\xfc\x6e\x8f\x5d\xb7\x69\x98\xb4\xb5\xc9\xd3\x7b\xc1\xc9\xc5\xfa\xfa\x50\x56\xd1\x0c\xb3\xce\x66\x00\x01\x8b\xda\x44\x61\xe9\xaa\xea\xa9\x58\x87\x2f\x0a\x1f\xf1\x46\x37\x8e\xa1\xbe\xda\x3f\x80\x13\xe5\x6e\xd1\x2f\x18\x7b\xc0\x72\xef\x88\x4b\xf0\xee\x1c\x6d\xf0\x43\x6e\xe8\xde\x09\xd9\x5b\x47\xd8\xbf\xd9\x24\xe4\xd4\xff\xc7\x56\xf0\x11\x6f\x62\x20\xc8\xd5\x81\x90\x55\xa9\x9b\xe8\x05\xe6\xa5\x5c\x1a\x29\x90\x3f\x80\x7d\xcf\x40\x1d\xc1\x03\xba\x26\x80\x5d\x57\xe8\x08\xda\xe2\x56\x6c\x64\x5c\x00\xcb\x67\xad\x86\x33\xf3\x9a\xa0\x54\x33\x40\xda\x6c\xd7\x64\xa1\x18\x0c\x73\x96\x2a\xd3\x93\xd3\x5a\xe4\xb1\xab\x3e\xbd\xd9\x63\x6f\xf0\xd8\xe0\x43\xfe\xf3\xbd\xe0\x36\x65\x81\x0f\xf9\xb0\x80\x5f\xac\x05\x33\x8e\xca\x3f\x61\xc2\x9f\x99\x87\x13\xc9\xe8\x08\x37\xb0\xeb\xd8\xd1\x6d\x05\xfb\xca\x36\xb0\x57\x8f\xb0\xeb\xad\xe7\x96\x93\x6c\x9d\xce\x0f\xe3\x73\x41\xb8\xd1\x44\x1b\x80\xa1\x0b\x15\x7c\x95\xff\x1b\xad\x60\xbe\xf1\x0e\x39\xec\x3b\x72\xe6\x25\x70\x1e\x98\xb4\x60\x24\x37\xc9\x97\xc6\x22\x7c\x0b\xa4\x4e\xa9\x12\x80\x1a\x78\xd1\x33\x69\x2c\x2e\x7a\xc0\x73\xe3\x46\xe3\x7a\xac\x4f\xf4\x37\x0f\x04\x9d\x73\xf2\x8f\x73\x1a\x48\x4c\x56\x19\x1d\xe9\xef\x36\x4f\x05\x38\x01\x4f\x50\x70\x6d\x60\x92\x8e\xe6\x62\x25\xca\x3b\x09\x00\xce\x96\xa1\x18\xe3\x18\x71\x0c\x4e\x1d\x3b\xc9\xc6\xbd\xc1\x33\xce\xe9\x5f\x4e\x23\x34\x94\x6d\x93\x96\x0c\xa9\xe5\xa1\x5d\xec\x98\x35\x24\x44\x0f\x67\xab\x77\x77\x2d\x2e\xce\x11\x44\x6e\xbe\x4a\x04\x90\x98\xf8\xbf\x32\x12\xfc\x54\xab\xe9\x8e\x1b\xb3\x23\x15\x0c\x6b\x8e\xc3\x29\x41\xfc\xf9\x4b\x08\x30\x2c\x34\x4b\x1d\xb1\xfb\x69\xf6\x9c\xdb\x56\xb3\xa2\xbc\x7d\xfc\xb6\x5e\x54\xae\xde\x7e\xc7\x6d\x85\x90\x9a\x47\x2f\xca\xcb\xdb\xf9\xd8\xed\xea\x75\x8e\x84\xfd\xf8\x5f\x79\x53\xf3\x2c\x54\xb9\x14\x46\x72\x64\xaa\x06\x21\x06\xf8\x29\x6f\xb9\xf9\xc6\xd1\x21\x4c\x94\x6e\x72\x58\x48\xd4\x5d\x94\x56\x4e\x7b\x8b\xba\x31\x89\x8a\x92\x1f\x1c\xc7\xe4\x41\x16\x7b\x3b\x92\x71\x1f\xbc\xe3\xa0\x1c\xf6\x83\xd7\x1c\x0c\x2f\x7a\xbb\x65\xfb\xdd\x25\xfa\x2a\x8f\xbd\xdc\x63\x78\xc3\x7f\xa1\x17\x5c\x3f\x51\x37\x94\xc8\x3b\x2a\x65\x44\xcf\x56\x5d\x4d\xb7\xd9\xcb\xf1\x0e\xf6\xf4\xe1\xba\xe2\x26\x63\x3a\x17\x95\xab\xec\x2d\x8c\x7d\xff\xce\x74\x27\x37\x64\x6d\x32\x4b\xaa\x6e\x6a\x02\xd7\xfc\x8f\xec\x0f\xee\xde\xf8\x11\xcb\xf9\x03\x76\xa3\xaa\x6b\x56\xb0\xc8\x31\x8b\x66\x2f\xc7\xf9\x13\xd2\x6a\xbd\xe8\xed\x92\x9a\xf4\x45\x6f\x9f\x54\xa0\xe4\x97\xb8\x6c\x31\xfb\xd8\xbb\x3c\xa6\xef\xf9\x6f\xf1\x82\x57\x79\xea\x17\x59\x25\x80\xe1\x01\x33\x66\x41\x7c\xe4\xa1\x38\x14\x21\x89\xa3\xa0\x9d\xa9\x9c\x17\x87\x55\xce\x9c\x42\xe5\xd8\x57\xd9\xdc\xe5\x24\x89\xda\xab\xbc\x0d\xdf\x67\x59\x31\x32\xc5\x9f\x8e\x96\x2a\x37\xbf\x0a\x7e\xa2\xb3\x16\xef\x75\xad\x8e\x77\x05\xb7\xd6\xad\x8e\x7c\xb5\xea\x02\xf3\x7c\xd4\x01\xf5\xc3\xbe\xaf\x4d\xc4\x83\x05\x7f\xa0\xc5\xf6\xe0\xbe\xe8\xff\x6c\x2b\x78\x6b\xcb\x24\x72\xb2\x61\x8b\x67\x7a\x22\x9d\x98\x9b\x41\xcf\xb4\x99\x4b\x03\x4d\x86\xc3\xe1\xa0\xec\xff\x83\x56\x4a\xa8\x88\x88\x9e\x8d\x0b\xb1\x1b\xe5\x7d\x3b\x33\x01\x0d\xaa\x94\x23\x8b\x82\x62\x2d\x15\xdf\x11\x3d\xd6\x47\x58\x11\x3c\x17\xab\x84\x9e\xd4\x9d\xb8\x55\x2e\x08\x61\x9b\x2d\x56\xab\xa5\xb0\x9d\x75\xc7\xcf\x4c\xcc\x8c\x53\xfb\x15\xac\x15\x75\xda\xf1\xa5\x24\x5b\x1a\xef\x46\x45\x29\x72\x95\xaf\xaa\x18\x3f\x16\x1e\x09\xbb\x9d\x6b\x3a\x51\x19\x41\xd4\x2e\xaa\x47\x78\x8a\xb8\x99\xcb\x4e\xd0\x01\x70\x3c\x18\x4b\x15\x91\x7b\x7d\x14\xe0\x86\x42\x7a\x37\x74\xff\x2b\x5a\x6c\x9f\xb2\x7d\xfa\xcf\xd7\xd1\x29\x7f\xea\x19\x3f\x2b\x66\x71\x20\x6f\x2b\xf6\x3d\xe9\x24\xb9\x48\xa2\x32\x5e\x03\x2e\x92\x2c\x2f\xa3\xb4\x2d\x6a\x43\x0d\xbc\xfc\x11\x69\x6a\x00\x7f\x2e\x42\x0e\xce\x11\x92\xeb\x35\x4a\x54\x69\x74\xab\xf1\xca\xaa\xe3\x81\xc1\xc5\x58\x38\x59\x6a\xb2\x6e\x5c\x12\x31\x46\x22\x95\x06\xa1\x12\x05\x15\x6d\x91\x46\x79\x9c\xd9\x46\x6b\x04\x82\x5b\x4e\xe5\x15\x90\xca\x72\x74\x84\xd6\x04\xfa\xf7\x7a\x0c\xd6\xad\xff\xd3\x5e\xf0\x26\xaf\xa4\x54\x5c\x51\xba\xf5\x19\xf8\x58\xcf\x82\xbf\xb8\x9a\xfd\xab\x0d\xc3\xbb\xfc\xcf\x5e\x1d\x3c\xcb\xfc\xe4\x10\xef\xac\xc3\x71\x2d\xf6\x78\x87\x39\xc8\x0d\xbe\xc8\xab\x14\x46\x3d\x42\x43\x06\x76\x29\xb0\xdf\x3a\xbb\xda\x8f\x5c\xc5\xfe\xce\xa3\xa4\xb3\x7f\xee\x6d\x80\x96\x68\x0e\x42\x0b\x3e\xe0\x81\x01\xc8\xcd\xd3\xb5\x0d\x2b\x90\x15\x97\xf6\x18\xa7\x99\x65\x9f\x6a\xe9\x2c\xb3\x1f\x69\x6d\x20\x80\x0e\xa3\x26\x0b\x5e\xdc\x5a\x70\xb2\xc9\x0e\xa1\x43\x32\x41\x24\xf5\x0f\x06\x8d\x17\xcc\xa8\x6a\x95\x54\x20\xe8\x00\xe5\xf5\x52\x1f\xb9\x0c\xd7\xe3\xb4\x93\xad\xc3\xeb\xc0\x5d\x7c\x09\x49\xac\xae\xe0\xd1\xbe\xc5\x3d\x2c\x57\xdc\x1c\x97\xee\xe6\xf8\x74\xcb\x72\x73\x7c\xb8\xb5\x53\x98\xc4\x37\x3d\xca\xbe\x73\x4a\x13\xad\xd9\xd1\xb3\xb0\xb7\x02\x6f\xd8\x28\x7a\xd6\x31\xd0\x0d\xec\x4d\xda\xba\xa9\x21\x6b\x91\x82\x30\x74\x0e\x15\x87\x8d\x8d\xd6\x2a\x8e\xb2\x8d\x87\xfc\x5b\x00\x9c\xf1\x88\xb7\xb8\xb9\x93\xe5\xa8\x3f\x6e\x82\x9f\x7b\xbd\x42\xfb\x55\xcc\x47\xd5\x71\x91\x7f\xbb\xcf\x81\x8b\x8b\x35\x98\x98\x6b\x47\xc3\x69\xf9\x17\x78\x7d\xff\xe7\xbe\xe0\x69\xfa\x97\xab\xf5\xc1\x65\xad\x77\x36\x3a\x79\xff\xcb\x15\x27\xef\x8e\xb7\xa0\x65\xe5\xe4\x7d\x76\x10\xc4\x83\x44\x57\xaa\xab\x68\x18\x6c\x7d\x71\x94\x5d\xcb\x0e\x0d\x3d\x3d\x6b\xa3\x7d\x65\xab\xdb\xc1\x56\xf7\x59\xdb\xa3\xfb\xdf\x76\xe8\xd1\xfd\xa1\xc7\x89\x6e\xc1\xec\x36\xdf\xbf\xf9\x6e\x73\x8b\x7f\x93\xde\x6d\x68\x26\xd5\xdc\xb9\x7a\xd7\xa8\xef\x3a\xef\xda\xcd\xb8\x35\x0f\x97\xa2\xb2\xbd\x2a\x3b\xe0\x19\xd9\x92\x26\x69\xf2\x5f\xb4\x3b\x70\x2e\x58\xf6\x61\x87\x64\x14\x8f\x81\xfb\xb3\xa5\x50\x5b\x09\x48\x76\x74\x36\xa2\x9f\xdf\xc5\xee\x20\x6d\xe4\xa6\xe0\xda\x45\xca\x41\x7d\x7f\xb6\x64\x9c\x53\xa3\x7c\x32\xeb\xf6\x12\x81\x99\x1d\x4f\xa2\x1f\xcc\x1e\xe4\x1e\xbb\x3a\x89\x8a\x72\x2e\xcf\x96\xc4\x62\xdc\x15\xfe\x73\x2e\x3d\xb7\xca\xbf\x3d\x15\x15\x25\x3a\xa2\x28\x28\x4f\x79\xc8\xa2\x82\xb7\x57\x05\xe4\xef\x60\x2f\xf7\x98\x2f\xab\x5c\xcc\xa3\xb4\x80\xfb\x50\xef\xda\xa5\xd7\x7b\xeb\xb0\x7a\x4b\xac\x02\x97\x64\x96\xea\x08\x6b\x13\x6c\x1b\xb2\xef\x65\x7b\xbb\xa2\x28\xa2\x15\xe1\x9f\x0e\xbe\xe7\x2e\x57\x3b\xa6\x3b\x76\xa6\x2a\x52\xb1\x78\xb4\x24\xc5\x67\x30\xa6\x95\xfa\x4b\x9c\xae\x7d\x06\xdb\x83\xae\x3f\xff\x7b\x82\xeb\x0e\x2d\xe5\xb1\x58\x3e\xac\x9c\x81\x46\xe3\xa6\xb6\x82\xeb\x64\x78\x59\xa7\xb4\xf2\x70\x22\xb8\x61\xc1\x11\xf1\xad\xb1\xce\x10\x8c\xb8\x08\xc0\xdb\x93\x51\x52\x88\x51\x7e\x36\x3d\x9f\x66\xeb\x6e\x69\x9f\xf0\x1c\x6f\x83\x61\x54\x5a\x3b\x1a\x9e\xcc\xf2\xef\xcb\x52\xe1\xbf\xd5\x0b\x4e\xd1\xdf\x06\x10\x66\x9b\xa8\xb1\x03\xd0\xb0\xf4\x20\x78\x8e\xcc\x61\x55\x54\x5d\xda\x37\xd5\x26\x18\x36\x19\xa9\x6f\x63\xc7\xc9\x44\x71\x2c\x78\x1a\x25\x76\x73\x9c\x0d\x76\x84\xb1\xac\xc3\xf9\x8a\x2f\x3e\x85\x5d\x3b\xcc\x54\x18\xce\xe2\x2f\x84\x73\x02\x90\xe0\x1d\x4f\x09\xee\x18\xb8\x6a\x3e\x6d\x08\x93\x89\xf3\xc6\x45\xef\x40\x2f\xeb\x2c\x34\xd1\x99\xfc\x8f\x7f\xc1\x3e\xbf\x8b\xed\x11\x18\x93\xff\x4b\xbb\x82\xbf\x19\x51\x84\x43\x78\x8d\x52\xc2\xa1\xc8\x56\x33\x38\x69\xa7\x1c\xfa\xf1\xce\x54\x25\xa5\x6a\x55\x21\xf9\x26\x7f\x53\x0c\x9d\x91\x0b\x4a\x18\xe8\xb4\x2f\x96\x63\x00\x45\xa9\x83\x4c\xea\xe9\x87\x80\x0d\x9e\xe2\x98\x31\x0a\x01\x2d\x2d\xeb\x71\x21\x14\xd7\x1a\x78\x90\xb1\xb6\xc3\xa3\xfc\xcc\x3c\xd5\xa3\x5b\xa0\x28\x6a\x35\x35\xb3\x9c\x16\xd6\x87\xa9\x94\xa9\x90\x98\x9a\x48\x66\xed\x9e\x33\x89\xa5\x95\x3b\x52\xd3\x6f\xa8\xa2\x4b\x95\x8b\x66\x20\x7f\x1d\x12\xe7\x9a\xcc\x93\x6e\xc9\x60\xe0\xa1\x9a\xeb\x1d\x77\x48\x45\xba\xcb\x9e\xc9\x12\x91\x80\xeb\x10\x0d\x1c\x46\x40\x06\xbf\x5c\x5c\x52\xdf\xa1\x41\x23\x2e\x32\xad\xf6\x92\xc0\x7d\x78\x38\x3c\x17\xf3\x76\xdd\x6c\xcb\x29\x27\xd8\xf7\xb0\xdb\xb7\x66\xd7\x76\x27\xeb\xb4\x76\x4a\xb0\x3f\xd8\x65\x68\x1e\x7e\x63\x57\xf0\xf0\x2e\x35\xa5\x14\xe5\xc2\xd6\xe7\xd4\xe2\xe0\x54\x82\xbc\x9d\x90\x74\xe8\xf1\x99\x53\x86\xa6\x80\x8a\x95\x7b\x60\xd6\x8e\x12\x70\xeb\x6d\x79\x16\xda\x7d\xf1\x38\x4e\xc3\x4e\x26\xac\xe4\xe0\x60\x05\x7b\x74\x66\xa1\x3d\xc9\x26\xd9\x04\xbb\xe3\x52\x26\x99\xe5\xfa\x62\xbf\x39\xc2\xec\x6d\xcd\xff\xec\xc8\x65\x80\x29\xbc\x78\x64\x41\x18\x32\x6f\xf4\x7c\x67\x76\x32\xb5\xa6\x71\xa1\x39\x4c\x3e\x5c\x8d\x30\x73\x67\xbb\x6b\xaf\x87\x50\x18\x59\xfa\x00\xb0\x81\x72\xa4\x9c\xae\x92\x32\xee\x25\xc2\x64\x8f\x52\xd3\xba\x1d\xa5\xf4\x96\x15\xf5\x85\x6e\x70\x5c\x33\x33\x3a\xd3\x6d\x41\x81\x2c\x6e\x4b\xe4\x21\x0e\xde\x13\x34\x51\x53\xee\xd0\xa8\x23\x8f\xe3\x35\x91\xf4\xeb\xfb\xc5\xec\x99\x45\xe3\xb1\x90\x73\x62\x39\xc3\x95\x52\x68\xd9\xd8\x85\x76\x14\xa2\x1b\xa5\x65\xdc\x2e\x42\x3e\x91\xd2\xfc\x6b\x9a\xb3\x11\x24\x03\xea\x98\xec\xc5\x26\x9f\x09\xfb\xd9\x3d\x72\x74\x65\x27\x4b\x01\xb1\xf0\xdf\xb2\x27\x78\xfe\x1e\xb5\x8f\xc0\x9a\x41\xf3\xb1\x9e\x87\xee\xc0\x80\x09\x5f\xa0\x9e\x72\x0f\x44\x4b\xa9\x98\x3f\xf9\xd1\xf7\x05\x34\x91\x82\x67\x8f\xf2\xfb\x82\x69\xfd\x77\x96\x5b\xf7\x46\xb9\xbe\xd3\xb0\xac\x1c\x34\x8d\xc9\x2b\xaa\x22\x7d\x96\xa2\x02\x52\x70\x92\x9f\x15\x73\x3b\x80\x50\xa0\xb9\x4f\x72\x3e\x6d\x0d\xcb\xad\x66\x84\x11\xce\x88\x68\x3a\xa9\x5d\xd3\x63\x05\x79\x2b\x81\x6a\xb2\x90\xb2\x0a\x4e\x25\x00\xbe\xd0\x43\xa8\x3a\x63\xc7\x52\x69\x87\x54\x60\x57\x96\x43\xa3\xc1\x20\x63\x95\xae\xda\x43\xc5\x1f\x1e\x52\x3e\x3d\x16\xea\x08\xc6\x08\x01\x6d\xeb\x79\x0c\xa9\x07\xe9\x58\x05\xdb\x2a\xed\xad\xa3\xf0\x20\x00\x6f\x14\x1a\x29\xe9\x53\xa7\xa9\x67\x60\x74\xf9\x7d\xba\xab\xf9\xb3\x43\x7e\x2a\x3e\x2f\xe4\x8e\x0c\xb1\x5d\x0d\x75\xa9\xad\x1b\x69\xae\x2c\x46\x95\xa8\x94\xe7\x80\x30\x9c\x42\x78\x64\x58\xed\x50\x95\x47\x4e\xf5\x16\x8a\x34\x4e\xdb\x49\xd5\x11\xa6\x3d\x87\x8a\x58\x0e\x1c\x44\x7e\xe9\x9a\xd7\x75\xa6\x57\xf5\x7c\xc3\x30\xa5\x1d\x7a\xce\x1c\x31\x6a\x76\x94\x19\xbf\x5f\x36\xe7\x3e\xae\x67\x1b\x7f\xf6\xf6\x0e\xea\x1a\x39\xea\x8b\x02\xf6\x7d\x97\xd3\x9d\x6c\xf1\x18\x4b\x29\xf4\xa7\xbf\x2b\x98\xdb\xe8\x81\x1a\xeb\x0a\x65\x0b\x94\xe3\x56\x50\xdc\x8c\xed\xa3\x8d\x7a\x3d\x11\xe5\x17\xbd\xdd\xa0\xb4\x5e\xf4\x76\xc3\xc2\xbf\xe8\xed\x86\x14\xae\x2e\xab\x3f\x67\x5f\xd8\xcd\xbe\x0d\xc4\xeb\x7c\x4d\x90\x5a\x40\x34\xfa\xbf\xb0\x3b\xf8\x99\xdd\x8d\xb7\x1c\xda\xe5\x48\x59\xc6\x54\x0e\x28\x82\xb9\x52\xee\x6a\xe3\x29\x22\x68\xa3\xf2\x89\x91\x39\xc7\xb8\xdc\x54\x55\x94\x62\x89\x38\x81\x09\x5d\x41\x5c\xba\x21\x37\x16\xb6\x51\x50\xbf\x47\x0d\x10\x5c\xce\x09\x68\xa5\xce\x46\x05\x0e\x42\xeb\x01\xb9\xf6\x30\x3d\x95\xae\x0c\x96\xdc\x32\xaa\x45\xca\x7c\xa6\x32\xda\x28\x02\x08\x80\x9a\x5a\x8c\xc6\x2e\xbc\xaf\xcc\x2b\x81\x34\xf8\x72\xa8\xe1\xe1\xa5\xa8\x7d\x7e\x3d\xca\x3b\x05\xba\x32\xcb\x78\x29\x4e\x28\xea\x4b\x85\xbe\x1e\xb7\x72\xa8\x9a\x64\xce\x80\x4b\x4d\x0a\x2a\x2f\xe4\x73\xd8\x4c\xad\x7b\x54\xa9\xf3\x81\x14\xc8\x39\xd0\xc7\x56\xd2\x69\xea\xe6\xaa\x50\xa2\xda\x39\x17\xf4\x46\xfd\x30\x46\x25\x8f\x61\xc9\xc7\xe1\xab\xce\x71\x3d\x93\x5d\x17\x65\x03\x73\x5a\x19\x15\xe7\x8b\xf1\xa8\xdd\x96\xdb\x94\x55\x41\xd4\x8b\xc7\x11\x48\x30\xa6\x8d\x7e\xf5\x0b\x63\xb6\x5c\x71\x4d\x2f\xaf\xd2\x38\x5d\x01\x2b\x4c\xa5\x5b\x28\xaf\xb8\x6d\xac\x39\x37\x2d\x78\xf1\x7f\xf5\x18\x4e\x76\xff\x5d\x5e\xf0\xe3\x1e\xa6\x2e\x36\x73\xd6\xc4\xe2\x9a\x21\xae\x63\x1d\x20\x34\x0d\x44\xd9\x31\xd8\xda\xd5\xd9\x39\x06\x85\x75\x42\x3e\x41\x02\xb3\xca\xd4\x94\x0b\x7e\x8e\xf8\x4a\xce\xc1\x4c\x3c\x37\xab\xde\xe9\x9c\xd3\x13\x46\x96\xeb\xdc\x70\x34\xf0\x16\xbb\xaa\xa8\x96\x74\x37\xf9\xef\x6b\xb1\xe5\xcb\xc3\xc0\xdc\xb4\x09\x2d\x58\x55\x05\x9f\xf2\xec\x9a\xf5\x4e\x4e\x71\xe5\xd6\x9d\x8d\x3a\x6d\x35\xc2\x13\x8c\xd4\xf5\x51\xfb\x50\x57\xa9\xc7\x64\xe1\x76\x79\x83\x6b\x6b\x31\xeb\xd1\xbe\x0c\xfc\x6b\x22\x57\xf6\x38\xf7\x45\xc8\xb9\x57\x11\x27\xb4\xb8\x20\x47\x2b\x5e\x13\x21\x7b\x17\x26\xfb\xa1\x77\xfc\x1f\xbb\x6c\x2c\xd6\xcd\xb8\x20\x55\x51\x70\x9d\xa9\x54\xdb\xfa\xad\x4b\x85\x28\xe5\x5e\x66\x98\xf6\x26\xe7\xa7\x42\xf6\x55\x8f\xe1\x36\xed\xff\xa6\x17\x7c\xce\xc3\xd8\x79\x52\x7e\xe4\x26\x89\x17\xb4\x03\xbb\xb1\xdb\x51\x30\xae\x5d\x54\xc0\x5e\xd8\x4f\x21\x53\x20\x3f\x37\x2e\x3f\x6b\xfc\x36\x28\xf3\xf6\xf1\x30\x0c\xcf\x85\xc0\x5a\x60\x01\x77\x6d\xdb\xca\xb0\x13\x89\x1f\xa2\x5d\x66\x39\xcb\xbb\xfc\xdc\x6d\xb0\x36\xc2\x5e\x52\xe5\x51\x72\x7b\x48\xc5\x9f\x3b\xec\x4c\xed\x0f\x7a\x0c\x8f\x21\xff\xbd\x1e\x8b\x1f\xbd\xf1\xa8\x53\x8b\x9f\x40\xba\x6f\x35\x9d\x1d\xfc\x0d\x1c\x17\x71\xda\x21\x4a\x70\x6d\x7d\xab\xf5\x2e\x7b\xcb\x3e\xb6\x4f\xcd\x4e\xff\xd5\xfb\x82\xd7\xec\x35\x44\xf3\x6e\x10\x9a\x9c\xc7\x72\xd4\x6c\xe6\xfb\x0d\x07\xee\x8c\x12\xfc\xe3\x65\x7e\x8e\xde\x3a\xe7\x70\xf4\xe1\xe0\xda\xc3\x82\x90\xbc\xb8\x14\x5d\xb5\xdb\x9f\x33\xf4\xef\x68\x47\x77\xc7\xd4\x14\x4c\xb2\x8f\x5d\x17\xec\x54\xe6\x7d\x39\x69\x96\xb2\x72\xd5\x6e\x80\x72\x60\xa5\x9a\x9d\x5d\x33\x7b\x64\xdd\x5e\x45\xd4\x1e\xc8\x63\x1a\xa7\x74\xfc\xd3\xcc\x33\xf4\xfd\x39\x76\x13\x9e\x51\xb2\x93\x2c\xca\xf6\x19\x87\x05\x5f\xf9\x61\xe2\x82\x07\xf2\x20\x19\x4b\xe2\xf3\x22\x30\x4a\x40\x91\xe5\x25\x8f\x96\xb2\x35\x29\x60\xa4\xf6\x33\xb5\x12\x8a\x51\x4b\x16\x81\xf6\x89\x0e\x4f\xc4\x85\xb8\x9d\xad\xe4\x51\x6f\x55\x65\x53\x0c\xee\x1e\x28\xa1\x20\xaa\x0f\x0a\xe3\x08\xd6\x02\x95\x79\x15\xe2\x97\x68\xef\x07\xe2\x3e\x02\xc0\x1c\x02\xf8\x45\x74\x7f\xa6\x93\x04\x1c\xa6\x57\x94\x76\x97\xf4\x15\x8b\x87\xfc\xba\x20\x4a\x7a\xab\x51\x00\x70\x5a\x39\x93\x03\xd4\x2d\x88\xee\xd1\x29\x34\x4e\xad\x42\x61\x42\x14\x68\x96\x91\x3d\x21\xc5\x13\x98\x11\x4b\x7d\x7e\xe7\x04\xbf\x1d\xe4\x5a\x7e\x3b\x87\xe2\x41\x3d\xc9\x85\xbc\x01\x1e\x2e\xd5\x3f\x08\x85\xcf\x38\xd0\xa6\x5e\x20\xf1\x1b\x45\x62\x88\xe4\x92\xef\xda\x69\x0b\x96\xfa\x84\xc9\x92\x2d\x77\x3e\x92\xbe\xd1\x69\x23\x2a\xa6\x88\x7e\x55\x6d\x54\x4b\x44\xf5\xef\x71\xbe\x76\xf4\xc8\x28\x5f\x3b\x36\xca\xd7\x8e\xca\xff\xc3\x72\x86\x5f\x47\xe4\x5f\xd7\x8d\xf2\xb5\xeb\x60\x85\xcb\x4b\xc7\xa0\x45\xf8\x1c\xfc\x79\x6c\x94\x2f\x67\xd9\x51\xfc\xef\x11\xc7\x17\x98\xb1\x2e\x3b\xff\x58\xec\x30\xb4\x2e\xd8\x27\x77\xb1\x6f\x47\xfd\x5e\x8e\xf2\x5c\x0e\xee\x56\x02\xa0\xf9\x3f\xb3\x2b\x78\xd7\xc8\xb0\xbb\x36\x44\x54\x3f\x42\x98\xb0\x82\xe7\xa2\xac\xf2\x14\x17\xcc\x22\x26\xa5\xab\xca\x5e\x55\x6e\x2a\x8a\x69\x92\xc9\x71\x90\xfa\x40\x04\x23\x2f\x18\x92\xdb\x5e\x83\xd1\xf9\xf2\x9e\x3e\x2f\xc6\xa2\x62\x0c\xf2\x63\xb8\x72\xd5\x16\x8e\x73\xd5\xde\xed\x9c\xe4\xea\x9d\x21\x87\x38\xe6\xcc\xe6\xa5\x7e\x3f\xcb\x87\xbe\x6e\x99\x09\x34\x77\x0f\xe1\x08\x3b\x71\xd1\x4b\x22\x9d\x59\x36\x5a\xd1\x9b\x68\x83\xb8\x47\x51\x6a\x66\x22\xa5\x2c\x61\xf7\x3f\x9a\xa2\x83\x8b\x17\x66\xbf\xda\x62\xcc\x08\xee\xfe\xc7\x5a\x8f\xa6\xe0\x72\x8f\xae\x28\xf8\x75\xcf\x52\x17\xdc\xe0\x14\xad\x3c\x90\x12\x64\x3d\x08\x23\x8a\x92\xfa\x90\x4e\x6d\x98\x3b\x83\x7a\x49\x6c\x78\xa2\xe8\xa6\xd8\xba\x38\x48\xea\xda\x30\x49\xf0\xf3\x2d\xa6\x8e\x6a\xff\x13\xad\xe0\xfd\x2d\xf5\xa2\x25\x60\x39\x19\x65\x2f\xb7\x88\x75\x1b\x95\xbe\x05\x61\x6b\xf3\x53\x7d\xbb\xc7\x76\x93\x6c\x51\xd4\x85\x0b\x5b\x1f\xad\x0a\xa7\xd2\x38\x2d\x4a\x11\xb9\x8e\xe1\xff\xb5\x8f\xdd\x60\xc3\x12\xab\x32\x2b\xda\x11\x05\xcf\x87\x77\x65\x79\xfc\x60\x96\x96\x51\x32\x97\x75\x26\xe8\x9e\xc8\x01\x5d\xf3\x63\xfb\x82\x6b\x75\x10\x85\x7e\x0e\xfc\x06\x91\x7e\x72\x63\x88\xcd\x9f\x5c\xc9\x25\xb7\x63\x88\xcd\x8b\x74\xf6\x93\x1f\xd8\xce\x78\x6c\xdd\xbd\xb0\xb5\x29\x71\x05\x82\xb3\x03\x08\xce\x92\x85\xc0\xb9\x67\x67\x00\x9c\x7f\x39\x04\x80\xf3\x88\x97\x6c\x0e\x8c\x99\xf1\xef\x34\x30\x3c\x33\xec\x1a\x16\xb3\xc1\x76\x50\x07\xca\xfc\xc9\x1e\x76\xdb\xb0\x49\x74\x0c\x04\xc3\x70\x52\xc5\xbf\xab\x13\xec\xb4\x28\xf3\xb8\xbd\x80\x1c\xec\x3f\xb3\x27\xf8\xe2\xc8\x86\x8f\x58\xf6\x1f\x62\xae\x86\xe6\xd4\xb2\x74\x77\xe1\x0d\xb2\x22\x96\x99\x45\xbb\x3e\x0a\xa1\xf1\xb6\xa1\x4d\xcf\x15\xb9\xd8\xd1\xe1\x3c\xaa\xce\x4f\x39\x63\xc1\x0b\x04\xae\xd4\x94\x8e\x47\x42\xf3\x40\xbd\x65\x94\xaf\x88\x92\x1f\x12\xe1\x4a\xc8\x27\xe7\xce\x42\x24\xa6\xe8\x66\x79\xff\x70\xc8\x0d\x31\x9d\x89\xc5\x8d\xd6\x44\x0e\x54\xd8\x65\xb6\x22\x88\x88\x01\xe2\xb4\x30\x1f\x96\x1d\x33\x01\xee\x51\x28\x3f\xe4\x7c\x41\x0a\xf7\xf8\x5d\x78\x62\x2d\x55\x71\x82\x79\xc1\x6a\xdf\x97\x76\x90\xa4\x09\xbe\x32\x4a\x38\x0d\x81\x76\xee\x40\x2a\x34\xb2\x46\x64\x52\x05\xd1\xac\x01\x65\xc6\xd3\x2c\xef\xca\x0d\x44\xe4\x63\xf2\x9b\x55\x85\xc6\xee\x18\xf4\xb2\x4e\x11\x70\x75\xa0\x1a\x6e\xba\x00\x9b\x1a\x60\x94\x84\x9d\x50\xa0\x34\x71\x51\x7b\xf0\xa1\x8b\xde\x7e\x4d\x84\xe0\x1c\x0e\xff\xa1\xc5\x96\x98\xb9\xe7\x9f\x0d\xee\x32\x8c\x09\xf1\x20\x70\xc4\xba\x99\x1a\x6f\xa4\x0a\x62\xa5\x0f\xc7\x3a\x37\x89\x9e\xa9\x97\x6c\xd3\xf3\xc3\x04\xa9\xc3\x76\x9e\xc7\xe8\x63\xfc\x62\x03\x5e\x9a\xa6\x35\x80\xf3\x79\x11\xbb\xeb\x46\x9a\x41\x85\x43\x7a\x4f\x17\xed\xd8\x2c\x15\xcc\x82\x43\xc2\x7e\x63\x3f\xbb\xc5\x8e\x6d\x15\x79\x89\xf0\x16\x61\xc9\x8a\xe6\xe2\x42\xbc\x22\x65\xbc\x79\x9c\xec\xfe\x9b\xf7\x07\x07\xa7\x2c\x22\x65\xeb\x75\x5e\xe0\xa3\x6a\x61\x38\xe3\xf3\x47\x57\xf0\xb1\x57\x20\xfa\x8f\xe3\xa1\x79\xb7\x75\x68\xde\xb1\x43\x80\x3e\x7b\x83\x0a\x57\x7a\x85\xc7\xee\x1e\x1e\x35\xbe\xad\x95\x05\xa1\x4c\xb7\x83\x9a\x61\x2d\x29\xea\x5a\x1e\x97\x85\x48\x96\xc9\x44\xd4\xb7\xad\x05\x16\xfa\x2e\x64\x2f\xf0\x34\x24\x70\x9d\x9d\xbe\x5c\x2d\xc3\x50\xa3\xef\x9e\x12\x79\xbc\x56\x0b\x49\x47\xbc\x5f\xb9\xaa\x5b\x1a\x3e\xe2\xad\x6f\x2e\x3a\x2c\xfa\xf3\x5a\x74\x70\x1a\x53\x27\x80\x1f\xd6\xa6\x46\xc2\xa4\x7f\xde\xcf\xbe\xa3\x21\x6a\x9f\xf2\x67\xf8\xbf\xb3\x3f\xf8\x49\x4f\xa5\xd8\x28\x81\xe6\x20\x35\x19\x87\x34\xfa\xf3\x56\x84\x70\xa0\xf9\x6a\x54\xa1\xa1\x0a\xbe\x94\x55\x29\xe1\xa3\x80\x61\x00\x8c\x7f\xc4\xf1\x24\xf2\x7a\xea\xed\xa3\xe1\x4d\xa3\xbc\x97\x88\xa8\x10\xc8\x4a\xb1\x2a\xf8\x12\xa5\x67\xb6\xfd\x18\x3a\xe5\xbe\x52\xb7\xf4\x51\xe7\x6c\x9f\x5f\xb8\xb2\x7d\x5e\xd9\x3e\xaf\x10\xc1\x5e\x5e\x22\x58\x5b\x10\xdb\x9c\xd0\xa5\x9e\xb7\xe9\x8e\x45\x23\x6e\xd9\x69\xcb\x6c\x48\x8d\x5c\xf1\x1a\x7b\xe9\x7e\x71\xf8\x88\x77\x66\xf3\x8d\x72\xd4\xbf\xb6\x89\x01\x5e\xa5\x67\xaf\xa9\x51\x6f\xdf\xcb\x0e\x36\xb4\x7c\xba\xdb\x2b\xfb\x53\x71\x7e\x4f\x96\x54\x5d\x41\x1a\xd3\xdf\xef\x09\xaa\x79\x8b\xec\x4d\x41\xc9\x30\xc9\x4e\x96\xf7\x89\x60\x0b\x60\x8f\xd3\xb5\x5b\x6b\x50\x52\x01\x8c\xe3\x90\x65\x69\x3d\x15\x79\xb1\x1a\xf7\x28\x98\x0c\x88\x79\xe4\x3e\xb0\x30\x7d\x2a\x4e\xab\x0b\x80\x18\x5b\x12\xc9\x40\x1a\xa3\xbf\xda\xcd\x5e\xd4\x62\x7b\xba\xa2\x13\x57\x5d\xff\x11\x2f\xf8\x73\xef\x5e\xc0\x9c\x51\xdc\x02\xc1\x3e\x38\x3e\xa0\x95\x83\xa8\x7d\x9e\x68\x88\x54\x93\x14\x8f\x97\xf6\xb2\x07\x01\x39\x7f\xba\x22\x4a\x0b\x4d\x0e\x44\x2c\x34\x07\x0b\xfd\x2c\x16\x4d\xc6\xb9\x25\x61\x7a\x82\xf6\x85\x43\x0a\x63\x29\x35\xb4\xd3\xa0\xa1\x6d\x3b\x9b\x1c\x7d\xc6\x38\xf5\xdb\x35\x50\x41\x27\xce\xed\x25\xf6\xd5\x11\xb6\xbf\x88\x1f\x14\x48\x68\xf5\x1b\x23\xdb\xd0\xec\x43\x6d\xa7\x7c\x66\x15\xa5\x65\x5c\xf6\x83\x37\x8e\x2c\x66\x65\x94\xf0\xa8\x8b\x9c\x29\xcb\x84\xa2\x55\x1d\x9a\xdb\xd4\xf5\xd0\x95\x6a\x96\xd0\xe0\x62\x87\xca\x06\xa1\x6e\x8b\x88\xaf\x22\x43\x9c\x65\x1b\xd4\xbe\x65\xad\xb3\xea\x5e\xb4\x19\xdb\x2a\x08\x93\xc8\x52\xf7\x19\x53\xd1\xba\xd2\xf4\xc8\xcb\x05\x2f\xe1\x36\xac\x78\xb6\xe4\x9d\x05\xd5\x29\x96\xfa\x8d\xc8\x64\x74\x4f\xf1\xa2\xea\x02\x5f\x0c\xd6\x42\xd0\x6f\x72\xc7\x6a\x3d\x0f\x70\x90\x34\x9d\x6b\x53\x25\x8d\x13\x77\xae\x28\xd4\xa3\xfe\xf0\x2a\x25\xc3\xf0\xc0\xc8\x37\x0f\x7c\x55\x88\x7c\x0c\x88\x72\x07\x86\x9c\x7d\x62\x37\x3b\xd2\xc4\x17\x45\x29\xd0\xd3\x12\x97\xe9\x64\x12\xc5\x5d\x9d\xcb\xe6\x95\xbb\x83\x62\xc3\x27\x6c\x43\xba\x22\xe9\x68\x7c\xc1\x64\x2a\x2f\x80\x5f\x86\x84\x80\xe9\xde\xaa\xe8\x8a\x3c\x4a\xec\x4d\x42\xaa\xdf\xb2\xcf\x9d\x25\xfb\xd0\x2e\xf6\xc7\xf6\x69\xf0\x9b\x3b\x3e\x0d\xde\xec\x9d\x8e\x0c\x68\x12\xc9\xc2\x48\xd4\x55\x64\x25\x75\x8a\xac\xac\x87\x46\x18\xda\x5b\xe7\xee\x99\x44\xd0\x98\x4e\xe5\x13\x97\x21\x9f\x25\xf6\x08\x85\x96\x42\xf8\x17\xba\x6e\x01\x3f\xa8\x01\x58\xf7\x23\x4a\x98\x98\xf3\x8c\x97\x22\x64\xaf\x6f\x91\xa8\xff\xf2\xd6\x16\xb2\xfc\x35\xf6\x38\x48\xf6\x9f\x03\x5a\x3a\x37\x96\x44\xa9\xe7\x8d\x6f\xe1\x2c\x95\xc7\x16\x25\x44\x23\xf6\x3e\xfa\xf4\x2a\xc5\x34\x68\xb5\x4e\x80\x5e\x5a\x11\x65\xd1\x90\x24\xc6\x24\x88\x59\x54\xc8\x66\xd5\x31\xb4\x38\x9a\x27\x0c\x76\x5b\x41\x0e\x1a\x58\x7a\x21\xfb\xbb\x7d\x8d\xb3\xd8\xa5\x6a\x5a\xcc\xce\x8b\x74\x2e\xcf\xee\x47\xd0\xa6\xff\xf1\x7d\xc1\x9f\x7b\x1b\x3e\xe2\xf2\x8f\xf6\xf0\xba\x49\xda\xc7\x89\xf6\x8a\x97\xf2\x35\x6b\xa7\x02\xfe\x69\x5d\x08\xc1\xe2\xd4\x7a\x88\xd3\x42\x0a\xb2\xd1\x90\x52\x74\x07\x22\x71\x79\x95\x42\xd0\xd8\x72\x9c\x08\xa4\x35\x80\x71\x92\x87\x87\x22\xc7\x99\x98\x9b\x29\xf8\x21\x2b\x23\xe3\xc4\xdc\x0c\x49\x80\xf2\x8c\xd0\x80\xd4\xc3\x72\xfd\xf4\xea\x24\x3e\x1f\xde\xc3\x5e\xdb\x62\xfb\xa2\xaa\x13\x4b\x39\xc2\x7f\x51\x2b\xf8\x07\x6f\x82\x7e\x29\x83\x92\xce\xb7\xa9\x1e\x53\xd6\x25\x68\x72\xc8\x27\xa4\x58\x1e\xf7\x40\x8e\x84\x90\x24\xfc\x14\x40\x7e\x28\xea\x19\xa5\x34\x22\x86\x21\xb5\x99\x6b\x06\x00\x83\x8d\xd5\xa0\x28\x6f\xf0\xb5\x74\xfa\x92\x5c\x6f\xb5\x66\xd1\x2e\xa1\x63\x43\x23\xe5\xa7\x98\x6a\xa9\x70\xe3\xb2\x74\xc4\xf3\x11\xf6\x64\x71\xa1\x17\x63\x4e\x6a\xc5\x06\xfa\x53\xc8\x06\x7a\xe3\xf5\xc1\x2b\x46\xa6\xeb\x77\x0d\xa5\x0e\x48\xd0\xb8\x82\xb5\x6a\x03\xd3\x35\x2e\xfb\x86\x9a\xae\x61\xf4\x43\x3e\x51\x98\x4f\x91\x87\x5b\x9e\x45\x80\x9f\x37\x6d\x41\x98\xbf\xdc\xe6\x13\x51\xd2\xa4\xe3\xbd\xa4\x5a\x89\x89\xc0\x13\xde\x41\x78\x3f\xcf\xb3\x52\x67\xbb\x69\xae\x70\xd1\x2a\x0c\x01\x2d\x00\x35\x29\xf3\x3e\x61\x5d\xad\x22\x68\x86\x2e\xdb\x3f\x0a\x9e\x25\x1d\xc5\x44\x73\xf3\x11\xde\x13\x79\x9b\xe6\x81\x3c\xf8\x30\xe4\x31\xe3\x49\xbc\x06\xf1\x9d\x1b\xbc\x7c\xec\x7a\xbe\x9a\x55\x79\x11\x3a\x6c\x95\x70\x0d\xb5\x38\x25\x12\xa9\xd0\x9a\xa3\x47\xe4\x39\x5d\xc9\xa3\xce\x21\xc0\x59\x65\x30\xcf\xfd\x73\xc1\x82\xa2\xa2\x82\x05\x25\xff\xd6\x7c\x3f\x34\x1f\x50\x20\x41\x6d\x48\x3b\x3f\x13\xc5\x2e\xe5\x4e\x2d\x58\x9b\xce\x2c\xf9\x8d\x11\x76\xdd\x26\x56\xd2\xe9\x0b\xa8\x8f\x92\xf5\x1f\xcd\x21\x6f\x1d\x09\xd2\xa6\x1b\x0e\x94\xd9\xd8\xe8\x75\x0a\x84\x48\x25\x24\x21\xcf\x00\x04\xf3\x14\x45\xd6\x8e\x61\x77\xa5\xb5\xd5\xb7\xf3\xb3\x66\x8a\x8c\x6f\x0f\xbe\x73\xd1\xdb\x4b\xc5\x3a\xfb\xc0\x2b\x5a\xec\x61\x8f\xa9\x5b\x7e\x7f\x83\xc0\xb0\xe1\xb6\x60\xa0\xa8\x23\x03\xcd\x4d\xaa\xf1\x74\x92\x36\x7d\x51\xa3\x45\xf8\x21\x8f\x51\x53\xfd\xfe\xf0\xb3\x7c\x83\x56\xcc\xe8\x25\x1e\xdc\x4c\xfd\xa4\x57\xbd\x63\x96\xa6\x9b\x4b\x7d\xb4\x98\x63\x08\x14\xc6\xad\xb0\x5f\xdc\xc5\x36\xab\x6d\x2e\xeb\x14\x8e\xdb\xe7\x95\xbb\x82\xaf\x7a\xf5\xab\x1b\x7a\x7a\xa8\x05\xdb\x76\xd3\x38\x36\x21\x88\xc7\x8d\xe0\xac\x29\xc6\x88\x14\x58\x74\xc6\x7a\x22\x1f\x43\x76\xe2\xc3\xe1\x65\xf3\xe0\x50\xaa\x22\x6b\x36\x35\xd9\x87\x5e\xd4\xfa\x16\x19\xc5\xc7\xd9\xb9\xf1\xf6\x5b\xd8\xff\xaf\x41\x2c\x41\x71\xc6\x7f\xf8\x96\xe0\x3e\xfc\xd3\x95\x33\xe4\x67\x74\xd4\xc6\xae\xd4\x04\x87\x3b\x0c\x71\xed\x04\xf9\x4b\xfb\x8d\xee\xa3\xc6\x68\xe6\xd7\xdc\xcc\x5e\xe5\xb1\xbd\x0f\x54\xd9\x52\xbf\x14\xfe\x43\xde\x16\x52\x5f\x3f\x13\x1f\xb6\x25\xf1\xe0\x6e\xba\xe8\x36\x5c\x5d\x24\x25\x0f\x9b\xb2\x9a\x15\xa5\x4a\x52\x1f\xe5\x02\xd9\x8c\x21\x8e\x32\x5e\x16\xf2\x74\x60\x6f\xf5\xd8\xfe\xe8\xc1\x2a\x17\x27\xe3\x44\xf8\xaf\xf1\xd8\x8d\x9b\xb6\x69\x42\x3d\xee\xb4\xea\x5e\x7d\xd9\x69\x57\xca\xe1\x3a\x87\x1b\x24\xef\x35\xb4\x11\xb8\x26\x63\x79\xce\xd0\xf1\xa8\x7b\x92\xfd\x4f\x8f\xed\x69\xc7\x69\x47\xe4\xfe\x27\x37\xe2\x09\x56\xcd\x9b\x84\x67\x9d\xb6\xbd\xc2\xc3\x8b\x6e\x8f\x61\xa1\x6a\xac\xa3\xb2\x94\x87\x3d\xaa\x03\xd0\x0a\x0c\x2b\xa3\xe3\xb9\xc0\x76\x92\x16\xd3\xa8\xf5\xd3\x9e\xa0\x2c\xd7\xe3\xdd\x7e\xf1\x40\x32\x86\xb5\x8c\xf5\x3a\xe3\xf3\xd3\x13\x53\xa7\xa7\xc3\x6e\x87\xbd\xd4\x03\xff\xe4\x72\xbc\x72\x3a\xea\xf9\xcf\xdd\x42\x9f\x4f\xaa\xa7\x9d\xef\x9a\xd0\x97\x6b\x5f\xa6\x2f\xd3\xd8\x83\xb0\xd6\x23\xaa\x2e\xc2\x5f\x41\x41\xec\x97\x3c\x36\x92\x2e\x17\xfe\x47\xb6\x92\xa6\x72\xf6\xe4\x82\x53\xff\x4b\xbc\xd9\x93\x0b\xb5\xe1\x96\x57\xb6\x37\x07\x77\x6a\x41\x49\x97\x0b\xf6\xab\x1e\x7b\x4a\x6f\x35\x2b\xb3\xd4\x28\x2e\x53\x71\x71\xde\x7f\xbf\xc7\x26\x36\xd7\xd5\x1a\xde\x74\x3e\xb4\xd7\xf4\x84\xdb\xe7\xf8\xc4\xa4\xa1\x8c\xef\xe9\x87\x79\x47\x3e\xbd\xad\x09\xc6\x3e\xbc\x9f\xed\x17\x4a\x11\xf7\x7f\x76\xff\x16\xe6\x48\xa3\xde\x1e\xfc\xcd\x3e\x7d\xbd\x96\xd1\x01\xe7\x3d\x51\x39\xf3\xd5\x28\xed\x24\x0a\xc8\xac\x42\xb7\x95\x89\xa8\x93\xc7\x52\x46\xc7\x93\x0c\xde\xa3\xf1\x6b\xf7\xdb\x94\x94\xd0\xe6\xc7\xcc\x74\x86\x70\x74\x44\xc4\x25\x1f\xd3\x98\x6d\x2b\x6b\xa9\xc5\x2e\x0b\xa9\x0f\xa4\xf0\x4b\xe8\x83\x8e\xec\x13\x15\xff\xa5\x1e\x00\xb7\x45\x37\x5b\x13\x9d\x90\xb1\xb3\x05\xcd\xe4\x78\xf9\x38\x8f\x0e\xa3\xb7\x83\xf6\xed\x82\x43\x74\x64\x8a\x04\xfb\xeb\xab\x20\x54\x52\x21\x79\x95\x16\xa3\x7c\xe9\xb0\x4a\x87\x85\x5c\xc5\x08\x59\x50\xc6\x4c\xc8\x17\x99\x0b\xf9\xf9\x3a\xab\x60\x91\x46\xbd\x62\x35\x2b\xa5\x20\xdd\x8e\x7a\x51\x3b\x2e\xfb\x8c\x73\x29\x01\xb4\xcf\x03\xb7\x61\x2e\xa8\xc6\x51\xd6\x3e\x4c\x86\x5e\xbb\xff\x1c\xc0\x1d\x2f\x57\xf3\xac\x5a\x59\x05\xaf\x03\x3e\x05\xa9\x83\xe8\xf3\x1b\xdf\x27\x1b\x6b\xc1\x3b\xfd\x34\xea\xc6\x6d\xad\x80\xe4\x19\x12\xe1\xa3\xa7\x02\xca\x95\x4d\x1b\xa6\xc6\x1f\x2a\x84\x68\x36\xf3\xa0\x1d\x2f\xcb\x85\x7c\xdd\xf6\xee\xd1\x62\x6e\x67\x69\x4a\x9a\xb5\xb1\xcb\xe9\xdd\x04\x6c\xb5\x50\x71\xda\x69\xae\xfa\x30\x0d\xdc\x10\x7b\x54\xae\x28\x4a\xd0\x75\x95\x76\xb2\x7c\x4c\x19\x4a\x50\xd7\x06\xe8\x29\x8d\x12\x66\x40\xc0\x92\xe0\x46\x92\xa5\x2b\x4a\xa1\x41\xa3\x9d\x9a\xa1\x68\xd9\x92\xd2\xe0\x5a\xdc\xa9\x10\xdd\x46\x4d\x99\x5c\x98\xc1\x97\xe3\x95\xd5\x72\x6c\x5d\xc8\x7f\xc8\x42\xaa\x17\xa0\xae\x92\x34\x28\xf9\x8e\x19\xd3\xae\x50\x36\x7e\x65\x68\x00\x03\x55\xd4\xe7\x63\x5c\xf6\x34\xa0\x49\xb3\x76\xd5\xb5\xbd\x6d\x70\x11\x8b\x50\x7d\xee\x3a\x70\xd9\x04\x4c\xd7\x76\x94\x82\xc5\x01\x30\x9d\x18\x8a\x9d\x2d\x37\xb4\x8c\x10\xb1\x6a\xcb\xd1\x97\xad\xe0\x75\x60\x6c\x64\xcc\x64\x36\xc0\x20\x45\x5c\x06\xa8\xe0\xcb\x55\x63\xb0\x3c\x7a\xf1\xdd\x29\x52\x91\xc7\xed\xda\x94\xd1\xaf\xae\x90\xd5\x51\xa4\xf2\xb5\x4e\xc8\xbe\xe4\xb1\xfd\x2b\xb8\x87\x2c\x17\xfe\x67\xb6\x22\x55\xdc\xa9\x1e\x77\x76\xaf\x57\x79\xfa\xba\xbb\x7b\x99\xcb\xdb\x3b\x6c\xb6\x74\x72\x53\xe7\x8d\xeb\x4f\xb0\xce\xee\x5f\xf6\xd8\x48\xbe\xd4\xf1\xff\xfb\x56\x0e\xcc\xf9\x13\x53\xce\xe7\xbc\xdc\x9b\x3f\x31\xe5\x7e\xc8\x7c\xd4\xc9\x0a\x7e\x22\xc9\xda\xe7\xf9\x94\x18\x22\x1e\x5d\xb6\x2f\xca\x97\x6c\x39\xe4\xc7\x95\xf0\x07\x47\xe5\x2b\xb7\x2c\xfc\x0d\x9c\x8f\x8b\xfa\x72\xa3\xf0\x37\x15\x95\x11\x87\xbb\xdb\x92\xfc\x7e\xc2\x63\x07\x3a\xd9\x7a\xba\x1e\xe5\x9d\x89\xb9\x19\xd9\xc0\x9b\x37\x6d\xe0\x94\x79\xc1\x69\xe2\xbc\x75\xc3\x6e\xa4\xaa\x00\x2c\x77\x06\xc3\xa0\xcf\xb0\x8d\x84\xa7\x5f\x6e\xb1\xbd\x2b\x71\x39\x2f\x7a\x99\xff\xd1\xd6\x16\xc4\xf9\x3b\xf1\x61\xa7\x61\x0f\xb7\xe8\xaa\x3b\x2f\x56\x30\xb5\x42\x56\xc4\xe0\x66\x03\xaa\xdd\x5e\x94\x97\x71\xbb\x4a\x22\x29\xc9\xe2\x8e\x1f\x72\x93\x76\xf7\x38\x57\x25\x39\x99\x75\x43\xbe\x98\x99\x23\x02\xc5\x43\xd2\x58\x28\xa6\x49\xd5\x35\x4a\x83\x10\xa5\xc6\x33\x03\x26\x51\x60\x2f\x88\x4b\x8d\xaa\x24\xe6\x84\x24\x53\x30\x03\xf9\x36\x01\xfc\x56\xe2\x52\x45\x02\xe1\x88\xae\x8a\x5a\x69\x25\x92\x50\x1e\xb4\x32\x19\x85\x72\x2e\xee\x05\x3d\x7b\xe6\x8c\xff\xea\xad\xa8\x46\x0b\xf8\xb0\xd3\x97\xdf\x4b\x17\xdd\xae\x54\x17\x07\xb6\xc7\xa1\x32\x99\x65\xc2\x81\x8c\x17\x21\x7b\xdd\x08\xdb\x27\xe7\x2b\x90\xad\xbf\x64\x84\xdd\xb0\x69\xfb\xee\xa2\xa7\x9d\x06\x7e\xae\xa5\x2e\xd7\xcd\xdb\x62\x4c\xa7\x28\x01\x1b\x58\x96\x5b\x4e\x56\x7b\xc1\x90\x84\xa8\x05\x37\x7c\x0a\xc2\x1d\x7a\x59\x61\xa4\x30\xd3\xb7\x3a\x97\xcd\x8a\xdc\xc6\x21\x34\x42\x87\x71\x90\x5d\x3b\x5a\x81\x86\x28\x93\x35\xef\xe5\xf1\x5a\x9c\x08\xb0\x50\xac\x02\x50\x05\xd9\x9e\x2d\xb7\x49\x99\xe9\xc3\xad\xae\x1a\x15\xa5\xed\x6c\x03\xa9\x6f\xf6\xcc\x22\x08\x47\xb0\x7e\x76\xec\x34\x95\x15\xf6\xa2\x72\x95\xbd\xc7\x23\x14\xe6\x3b\xbd\xe0\x8d\xde\x3d\x4a\x34\x45\x3e\x75\xed\xc6\xe5\x53\xb3\x0b\xcf\x39\x35\x71\x62\xfa\x14\x0c\x74\x95\xc6\x0f\x54\x98\xcf\xdb\x52\xd9\xb7\xdb\xa6\x6c\x4d\x6a\xb3\x62\x7d\x9c\x38\x74\xc6\x64\x79\x63\xe4\x52\x1b\x87\x08\xc9\xf1\x6b\xe0\x1f\xdb\x68\xf9\xee\x16\xfb\xb6\x5e\x93\xf0\xe3\xbf\xb6\xc5\x4e\x5c\x9a\x57\xc9\x99\x61\x9f\xf5\x36\x7d\xc6\x9d\x7a\x3a\x44\x0c\x01\x4d\xcd\x92\x19\xf5\x13\x88\x11\x86\x3c\xe6\x52\x87\xd1\x74\xc0\x98\x1a\x51\x73\x09\xaf\xb4\x65\xb5\x05\x7b\x47\x8b\x3d\x79\xa5\x2d\x6a\x4a\xdd\x2b\x5b\x1b\x58\x48\xf5\x5e\x3b\x39\xbd\x81\x46\xf7\x59\x6f\xe0\x7e\x4d\xc0\x98\x9c\xe6\x74\x55\x03\x7e\x28\x1b\x80\xda\x34\xa0\xbf\x48\x7d\x3b\xe8\xea\x6f\x26\x5e\xb2\xb6\x2a\x2f\x65\xa6\xd5\x67\xff\x4a\x5b\x98\xee\x92\xba\x25\xfb\x0b\x8f\xed\x8e\x8b\x76\x11\xfb\x7f\xe0\xb1\x63\x9b\x76\xcd\xcc\xc2\xe4\x82\x7b\x3a\xbe\xdb\x83\x6b\xb5\xd3\x1b\xaf\x3d\x86\xbd\x30\x4c\x6c\x81\x6f\xb3\x04\x97\x4f\x7a\x6c\x4f\x21\xda\xb9\x28\xfd\x0f\x6d\xc5\x26\xb4\x00\xcf\x3a\x5f\xfc\x42\x0f\x2f\xba\xa3\x8e\x85\x6e\x7a\xf2\xef\x78\x08\xb1\x1e\xf6\x6e\x8f\xb1\xe5\x44\x5c\x20\xa3\xe4\x5b\xbc\x2d\x64\x1e\x3a\xa9\x9f\xa7\x2f\x59\x35\x57\x6a\x22\x04\x4a\xed\xea\xb0\x1b\x18\x42\x2d\x13\x88\xce\xb8\x1e\x4e\x3c\xc4\x23\x39\x64\xa2\x4d\xec\x4a\xe8\xe0\x0a\xd9\x7f\x6e\xb1\xa7\x44\xeb\xc5\x74\x12\x15\x65\xdc\x06\x99\x75\xa1\xcc\x72\xe1\xbf\xa9\xb5\x05\x2b\xcb\xc4\xbd\x0b\x03\x6f\x3a\x1f\xf2\x6b\x5e\xd3\x23\x75\x89\xf2\xde\x85\x6f\xd5\x75\x19\xad\x17\x02\x5b\xbf\x24\x5b\x2f\x6f\x0b\xf6\x21\x8f\x8d\xc8\x85\xf9\xbe\xad\xe8\x0b\xf5\x65\xf9\x83\x72\xfd\x1d\x32\x62\xd7\x02\xd9\x03\x66\x52\xa9\x96\x44\x6d\x71\xd8\xee\x1d\xa3\x14\x2a\xbb\x41\x83\x71\xa7\x2d\x72\xc0\x56\x08\xf2\x80\x59\xba\x6c\xc1\x0f\x9d\xb0\x34\xc2\xc3\x21\x7b\x99\xc7\xf6\x6b\xcf\xbb\xff\x83\x5b\xd0\x0f\xe6\xd4\xd3\xce\x77\x4c\xcd\x00\x87\xb3\x0a\x0b\x8e\x53\xd0\xf3\x2d\x8e\x11\x58\x0e\xc5\x28\x59\x2e\xbb\x51\x4f\xd9\x41\x2c\xe9\x5c\xae\x96\xab\xd7\x8a\xde\xaa\x50\xf3\xc6\xbf\xe8\x6d\x10\x7f\xa6\x2d\xfe\xf4\x4a\x9c\x97\x55\x94\x0c\x9c\x04\xf7\xde\x63\x17\x59\xb3\x91\x2d\xc0\xad\x4b\xb2\x11\xb3\x37\x7b\x6c\x3f\x0d\x44\x56\xf8\x2f\xdb\x8a\x76\x45\xe3\x7b\xc6\x35\xb3\x3e\x53\x5f\xae\xc9\xb5\xfa\xf2\xb6\xc5\xd9\x97\x7b\x6c\x4f\x5b\xf4\x56\x97\x0b\xff\x05\x5b\x32\xaa\x8b\xde\x6a\xcd\xf8\xfb\x0c\xbc\xe6\x36\x49\x5e\xe3\xdb\xb6\x00\xb3\x5f\xf7\xd8\x3e\x41\x3a\x82\xff\xcb\xde\x16\xa4\xeb\x26\x20\x63\xf0\x2a\x4f\x2b\x1a\x4e\xab\x4a\xd1\xed\x65\x90\xce\xdc\x88\xd4\xdb\x56\xa9\x2f\x05\xd4\xc7\xde\xe5\xb1\xd6\x72\xdb\xff\xa9\x8d\x72\x99\xe8\x8d\x7d\xd2\xb5\x39\x9f\x9c\x74\xbf\xe2\x64\xbc\x94\x0b\x3e\xb9\x1a\xa5\xa9\x48\x1e\x85\xed\x8f\x7d\xda\x63\x7b\x97\xe5\xce\x25\x72\xff\x23\x5b\x51\xc1\x4e\xe2\xc3\x4e\xb3\x1f\xf2\xe8\x6a\xad\xf1\x74\xb1\x3e\x53\x37\x68\xac\xca\x48\x22\x7a\x22\xed\x14\x6a\x32\xa9\x82\x28\xb9\x9e\x46\x56\xa0\xe3\x94\xf2\xcc\xb0\x77\x7a\xec\x09\xbd\x2c\x2f\xd7\xb3\x5c\x1d\xae\xaf\xdd\xca\xb4\x9a\x73\xde\xa1\x4f\x7a\x96\x7b\xb5\xa6\xb9\xd1\xbd\x4b\xdb\x23\xfe\xf6\x49\x2c\x68\xca\x75\x19\x89\x6e\x96\xea\xdc\x2e\xfe\xaf\x3c\x29\xb8\xbd\x76\xad\x4e\x85\x6c\x13\x84\x57\x94\x28\xa2\x03\xaf\x50\xf4\xdc\x53\xe9\x09\xcc\xda\xba\x40\xd1\x0a\x9d\x8b\x9e\x8f\x0c\x23\xa7\xe3\xa2\x30\x17\x9f\x4a\x29\x72\x06\x9e\x3e\x80\x4f\x43\xde\x63\xc7\xbd\xf9\x33\x4f\x64\x6f\xf2\x98\x7d\xdb\x7f\xa9\x4e\xc5\x5a\xb8\x99\x58\x61\x17\x72\xa4\xac\x25\x93\x23\x08\x2c\xa3\xd8\x72\x88\x41\x56\xb1\x88\x76\x8e\x4a\x65\x40\x35\x8f\xe9\x0c\x43\x69\x07\x13\x15\xbb\xb0\x94\x4f\x7a\xec\xc9\x58\xff\xd9\x54\x1b\x38\xfd\xf7\xea\x06\xbe\xd9\xbb\x0c\x2d\x4c\x2d\xeb\xf5\x90\xa6\x19\xe3\xea\x21\xcc\xef\x0c\x67\xa2\x02\xd5\x14\x3d\xd1\x0e\x6b\x59\xa5\xdd\x84\xcb\x7f\x87\x94\x56\x18\xf3\x53\xf8\xff\x97\x17\x9c\x9a\x77\x27\x02\x85\x62\x98\x8a\x30\xf5\x0f\x61\x27\x61\x5e\xe8\xa9\x74\xb0\x46\x2c\xef\x44\x77\xdf\xc4\x6e\xd8\x4a\x5a\x56\x55\x96\x66\xad\x7f\xc4\x3b\xc8\xfe\xff\x0d\xe9\x54\xbb\x22\x5f\x11\x63\xe7\x45\xdf\xdf\xeb\xef\x06\x4f\x81\x7c\x72\xc3\xc4\xab\xfb\xfc\x3d\xf0\x16\x63\x7f\xe0\xb1\x21\x13\xd8\xff\xb4\x1e\xc4\xf7\x0d\x1f\xc4\x5a\x12\x2a\xc2\x30\xd5\x47\x11\x58\x1c\xaa\x9e\xde\x1a\xf3\x2a\xad\x0d\xe6\xb6\x8f\x86\xf5\x2c\x3f\x9f\x64\x51\xa7\x18\x37\xe9\xa4\x8b\x71\x2c\xb0\x10\xe5\xb8\x33\xba\x9f\xf1\xd8\x13\xb1\xf9\x13\x7a\x8e\xfe\xbc\xfe\xbc\xb7\x5d\x8e\x39\xba\xf5\x55\xb4\xd3\xa9\xfa\x15\x8f\x35\x6c\x2d\xfe\xff\xd0\xdf\xf3\x73\x5b\x1b\x2e\xb7\x89\xa3\x7c\xa9\x2a\x0d\xa5\xe4\xe3\x38\x58\x7f\xe8\xb1\x27\xb4\xb3\x24\x01\x15\x6a\x52\xee\xf4\xfe\x17\xf4\xb7\x7d\xd8\x9b\x54\x68\xfb\xd5\xa8\x58\xe5\xfa\x41\xc3\x2e\xa6\x57\x0e\xfa\x55\xf5\x4f\x3b\xef\x78\x55\x40\x8f\x68\xae\x9d\x88\x32\x48\x26\x64\xcb\x5d\xcb\xe2\x0e\xa4\xcd\xeb\x8a\xf6\x6a\x94\xc6\x45\x17\x9d\x36\x71\x09\xd6\x36\x40\xf1\xa1\xb7\xd5\x04\x27\xab\xfa\x53\xb1\x2e\x37\x0a\xe3\xb2\x9e\x57\x36\x65\xe7\x33\xbf\xee\xb1\x21\x87\x81\xff\x65\xfd\xb9\x9f\x80\xa1\x2c\x21\xce\xe0\xd2\x26\xe8\x21\x24\x78\x95\x77\xf0\x35\x48\x70\x0a\x86\xcd\xe6\x37\x0e\x3f\xba\xa3\x9b\x30\x5f\xe5\x4c\x03\xef\x17\x32\xf1\xdc\xa3\x20\xa8\x13\x8b\x6e\x8a\x35\xb2\xad\xa2\x77\x4f\xe5\x5a\xa3\x94\x68\xe6\x18\xb6\x86\x36\xac\xd5\xf6\x54\x0a\xf2\xaa\xf7\xf1\xbc\xea\xe2\xa7\x6f\xd2\xc3\xf6\x92\xa1\xb2\xac\xde\x72\x6a\xfb\x94\xc7\xae\x19\x4e\xd4\x01\xe6\x72\x20\xa3\x7d\xab\x17\x1c\xd7\xbf\x6a\x7c\x40\x51\x89\x01\x57\x82\xce\x14\xc4\xc8\x59\xe1\x8c\x6e\x74\xcf\x59\xb6\x60\x25\x91\xbf\x53\x7d\xd4\x31\x95\x89\xcf\x7c\x52\x9c\x16\x90\x09\xd2\x2c\x14\x28\x5a\x07\x4b\x39\x5f\xf2\xa7\x8c\x1d\xb2\xbe\x04\x59\x83\x29\xe7\xf6\x54\x5c\xe4\x15\xf0\x15\x9c\xa8\x3a\x2b\xa2\xf4\x3f\xca\x82\xd5\x86\xeb\x2a\x57\xa8\x8e\xfe\x44\xd8\x02\x22\x54\xa3\x0b\xbc\xa3\x9f\x27\xb7\x07\x42\xca\xdb\x91\x02\x95\x47\xf5\x14\xb7\x59\xc7\xa5\xab\xf9\xfd\x7d\xff\x7b\x46\xcd\xbd\x44\x05\x3f\xff\xd0\x06\x01\x11\x1b\x8e\x09\x04\x44\x4c\x2c\x6c\x27\x47\x63\x43\x29\x21\x20\x1e\x29\xda\xb9\xcf\x6e\xbb\xc4\xb6\x20\x76\xf6\x96\xd3\x5b\x49\x9c\xd8\xd8\x8a\x2b\x71\xb9\x57\xe2\x72\x1f\xaf\xb8\xdc\x47\xbc\xe7\x6c\x1e\x43\x7a\x9b\x7f\x7c\x8c\xe2\x46\x1b\x26\x70\x2d\x86\x94\xab\x68\x53\x5c\x35\x8c\xbd\xf7\x2a\x27\xa1\x8e\xce\x44\x2a\xc5\x91\x74\xe5\x2c\x74\xc6\x94\xe8\x25\x59\xbf\x2b\xd2\xd2\x7f\xfe\x55\xc1\x4d\x70\x70\x00\x3d\x28\x6a\xeb\xc3\x16\x76\x8e\x65\x50\x8f\xba\x47\xc7\x07\x0e\xb0\xaf\xee\x66\xfb\xba\xd1\x85\x85\x2a\x5f\x11\xfe\x97\x76\x6f\x75\xf7\xac\xca\x38\x09\xe3\xb4\x2c\xca\x3c\x9c\x49\xcb\x33\xf9\x02\x74\x55\xf0\x86\xdd\x76\x6c\xa2\x93\xb6\xb6\x70\xf6\x78\x2d\xb5\x12\xc9\xa8\xdd\x7c\xf7\x35\xc8\x7e\x50\x09\xf5\x62\x94\xf2\x68\xa9\xc8\x92\xaa\xd4\x02\xee\x21\x71\xe1\x38\xbf\x01\x42\x47\x23\x15\xa8\x41\x34\x84\xaa\x48\xa8\x1f\x9e\x3b\x7a\xe4\x69\x8a\xa5\x5e\x96\x48\xf3\xed\x08\x8f\x97\xf9\xe9\xe8\x82\xa5\xc2\xca\xf5\x71\x24\xe4\x13\xb5\xca\xe0\xbd\xa4\x4d\xa9\x59\x61\x8e\x5b\x55\x2e\xf5\x79\x9e\x55\xc8\x7e\x50\xf5\x5c\x0a\xf3\x63\x37\x3c\x2d\xe4\xd3\x2a\x5f\xfd\xba\xce\x66\x12\x17\x20\xc0\x94\x19\xbf\xee\xc8\xd3\x46\x95\x00\x69\x27\x8f\xd4\x7d\x06\xa7\x75\xd5\xe3\x71\xb7\x2b\x3a\x71\x54\x8a\xa4\x6f\xa0\x44\xee\x48\x6b\xcc\x1f\xf0\x8e\xea\x68\xcb\xba\x98\x93\x25\xa8\xc1\xc8\x1a\xa1\x93\x3a\x19\xf4\x89\xb8\xd0\x16\xa2\xc3\x8f\x5e\x77\xe4\x69\xf5\x7e\x0c\xf9\x19\x08\x62\x4a\xa8\x5b\x41\xf9\x59\x12\x22\xe5\xe7\xe3\x24\x11\x9d\xd1\x4d\x9b\xbf\x5c\xe5\xe5\xaa\xc8\x47\x31\x13\x0b\x6e\x36\xb2\x7d\xb5\xb6\xa9\x50\x31\x3b\xbf\x31\xc0\x5a\x3b\xea\x25\xb5\x51\xa0\x95\x0e\xa5\xc6\xc6\x26\xb3\xcf\xed\x66\x4f\xe8\x3a\xe3\xeb\x7f\x68\xc7\xb3\xfd\x1b\xbb\xb6\x38\xdb\x2b\x6b\x5a\x0d\x34\xfe\x51\x99\xe0\x97\x3e\x6d\x3b\xd9\x7a\x3a\x7c\x81\xc0\x46\x41\x4b\xe3\x12\x27\xb7\x9c\x38\x43\x67\x47\x87\x38\xc1\x6e\x1a\x1c\xc4\x6d\xcc\x7a\x9a\xa2\x7a\x52\x83\x04\x2f\xd5\xe9\xd1\x2d\xd4\xae\x67\xa7\x4d\x41\xac\xd8\xaa\xaa\x5e\xc3\x02\x1d\x98\xc8\x0d\x0b\x0d\xdb\xa1\x67\x41\x04\xe9\x8a\x60\x3a\x17\x43\xe7\x33\xda\x03\x1a\xba\x22\x64\xdf\xd8\xb7\x49\x88\xd6\xd1\xb0\x91\xc3\xed\xe3\xfb\x82\xcf\x8c\x5c\xa1\x6e\xfb\xdf\x8c\xba\xcd\x39\xd5\xbf\xb2\xeb\xb2\x30\xa8\xfd\x95\xc7\xbe\x1d\x6b\x9e\xc0\x9e\x3d\x5b\xc6\x49\xfc\x20\x6a\xeb\x5f\xd4\xf6\x89\x8f\x7a\xc3\x1e\x52\xb5\x3a\x01\x45\x2a\x3a\x15\x9f\x1e\x68\x0c\xcd\x2f\x2b\x99\x58\x2e\x12\xb1\x16\x41\x30\x63\xa7\x18\x35\x72\xa7\x20\x93\x8d\xbb\x1d\xba\x81\xaa\x4e\x95\xba\x0e\xa5\xfc\xc2\x42\x72\x74\xde\x9f\x6a\x31\xdf\xf9\x1a\xd8\x98\xfd\x97\xb7\x76\x46\x13\xf1\x2b\xde\x60\xa1\x8f\x4a\xe7\x40\x87\xe4\xd1\x3a\x15\x77\x88\xe8\x8e\x40\xd5\xd9\xb0\xaf\x0e\x8f\xf2\x22\xee\xc6\x49\x94\xab\xe5\x41\xb3\x91\xaa\x54\x0a\x40\xbf\x27\x42\xf6\x5f\xaf\x72\xd2\x3c\xe7\x4b\x51\x9b\x84\x55\xa1\x58\xa0\x5e\x73\x55\xf0\x0b\x2d\xeb\x82\x81\x42\x41\x0b\xb3\x44\xa0\xb1\x51\xa7\x6e\x53\xbc\x04\xb1\x5c\x91\x33\xb8\x2d\x1b\xf8\x54\xc4\x65\x59\xcd\x50\x29\x3c\x14\x29\x29\x88\xfd\x18\x85\x94\x5a\x98\xaa\x99\x92\x47\x1d\xc8\x9d\x93\x39\x08\xfc\xb5\x38\xe2\x0b\x95\x62\x6c\x50\xb9\x0a\xa0\x70\xfb\xb1\xa5\x3e\x11\x58\x58\xb7\x4b\x4c\x8c\x55\xf0\x38\x0d\x39\xb7\xbe\x98\x82\xfd\x31\x6e\xce\x6a\xac\x5c\xd4\xb0\x89\x08\xcc\x49\x15\x93\xe9\xc3\x34\xf3\xa2\xb7\x57\x76\xd0\xbc\x58\x76\xc9\xa9\xf6\xb1\xdf\xf5\x98\xba\xe5\xff\x1f\xde\x06\xb9\x98\xed\x21\x99\x17\xcb\xc1\x7f\xf0\xe8\xaf\x0d\xfb\x55\xed\xbf\x97\xd4\xb5\x38\x9d\xac\x6a\x48\x6e\x90\x93\x37\x59\x93\x42\xa1\xbc\x3f\x51\x95\xc0\x83\x2b\x72\x0c\x7b\x46\xf6\x75\xc0\xc4\xe4\x79\x96\x87\xec\x61\x8f\xed\x2b\x68\x28\xfc\x0b\xc1\xd3\xf5\xb0\xac\x66\x89\x14\x06\xcd\x34\xa2\x79\xaa\x88\x36\x48\x14\x50\xc9\x18\x41\x9f\xdc\x7a\xf2\x6a\xd5\x61\x54\xdd\x15\x73\xc3\x15\x73\xc3\xe3\x47\x03\xb6\x6a\xd9\x33\xbf\x7f\xa7\xe6\xcc\xef\xdc\xc0\x9a\xf9\x88\x77\xff\xe6\x86\x8d\x3b\xfd\x69\x4d\x8e\x05\xcb\x24\xa2\x35\x8c\xc1\x34\x35\x2e\x41\x6b\x07\xac\xf3\x66\xfd\x1c\x63\x77\xdb\x12\x6b\xa7\x1b\x17\xf2\x6e\x2e\x56\x62\x70\x4b\xca\xe2\x14\x4f\xa2\x62\xce\x4f\x57\xee\x15\x4b\xab\x59\x76\x7e\x92\x52\x21\xc0\x63\x40\x76\xfe\xbb\xfb\x83\x33\x9b\x3f\xe6\x66\xb7\xdf\xf8\xf9\x66\x46\xf4\x3f\xbb\xc2\x0a\xb8\xe3\xed\xe0\xcd\x9a\x11\xfd\x55\x5e\x70\xf0\xd4\xd6\x46\xc3\xde\xbe\x9f\xc5\xee\x65\x67\x87\x7b\xcc\x77\x30\x97\xae\x6c\x55\x3b\xd8\xaa\x3e\x6f\xfb\x5e\x7e\xd1\xdb\x19\x4f\xfa\x0b\xbd\x21\x44\xe9\x8f\xe1\xc7\x3d\xe2\xfd\xb0\xb7\xf9\x9e\xb8\xec\x77\x0c\x29\x7b\xe3\xdc\xab\x6d\x8b\x9b\xef\x53\x8d\x5c\xab\x0f\x3f\x91\x1d\x1f\xce\x28\xbb\x19\x99\xac\xff\xc9\x27\x04\xaf\xf4\x36\x79\xc8\xf0\x98\x18\xec\x8b\xc5\xe9\x84\x26\x01\x64\xec\x59\x13\x9d\xf1\x8e\x48\x63\xd1\x19\x5f\x8e\xe2\x64\xc0\x71\x43\x13\x56\x67\x34\xe2\x71\x51\x54\xa2\x63\x73\xcf\xba\xe6\xe7\x77\x5e\xcd\x7e\xe4\x00\x3b\x60\xdd\xf7\x1f\x61\xfe\xae\xa5\x7e\x29\x82\x8f\x33\x9b\xa1\x37\x2e\x34\x58\xbc\x63\xa8\x96\x06\x8a\x57\x6e\xe1\x22\x5e\x49\x45\xce\xa3\xe5\x52\xfe\x37\xe5\x13\xd4\x7c\xf3\x8d\x08\xd2\x86\x65\x5a\x4f\x59\x5a\x48\x75\x2c\x8e\xa0\xa0\x71\xfa\x42\xdb\xf9\x8a\xa6\x25\xdd\x9c\xd1\x5a\x52\xdd\xb8\xdb\xad\x20\xc5\x4f\xc8\x18\x49\xc5\x1b\xd0\x77\x63\x3c\x59\x4a\x89\x75\x4c\xf3\x64\x97\x4a\x6d\x3f\x98\x82\x9b\x01\x6c\x49\x9d\x0e\x81\xdf\xac\x1a\x73\xd1\x85\xd1\x03\x5c\xa4\x96\xc3\xa9\x03\x48\x0c\x87\x8e\xaa\xb7\x64\x48\x7d\x27\x61\x64\xb7\x5a\x1f\x63\x26\xc5\x8d\x62\x3b\xec\xca\xad\xef\x38\xe3\x47\x43\xe7\xc3\x41\xde\x57\x6a\x9e\x0d\x95\x99\x9b\x3e\xcd\x11\xd5\x1d\x32\x7e\x0c\x72\x3e\x5a\xd7\xf0\x3d\xd0\x98\x40\x2d\x9d\x9c\x9e\x5f\x9c\x39\x39\x33\x39\xb1\x38\x1d\x20\x8b\xdd\xa8\x2e\x35\xcd\xf8\xaa\x88\x3a\x22\x2f\xcc\x1c\x14\x69\x3b\xeb\x80\xbf\xbe\x8c\x18\x37\x64\x4b\xfc\xc4\xf4\xfc\x98\xba\x39\xb1\x30\x1b\x1e\xb5\x79\x90\xe5\xe6\x5f\xb5\x31\x78\xb7\xd0\xee\x79\xb0\x54\xa9\xdc\xb8\xd7\xcb\x3e\x9b\x3f\x39\x79\xc3\xb1\x9b\x8f\x84\x8c\x5f\x17\xf2\xd9\x2c\x1d\x93\x0d\x57\x3c\x72\x72\xd3\xc7\x34\xb1\xca\x12\x95\xa9\x39\x39\xf8\x29\xd6\x17\x47\x78\x02\x55\xa9\xca\xd5\xd3\x19\x65\x1c\xbc\xe1\x90\xdf\x1c\x49\x72\x7a\x49\x94\x46\x08\xb7\x15\x17\xca\xa1\xad\xbc\x21\x3c\x46\xed\xbc\xe9\xfa\x1b\x6f\xc6\x29\xd9\x45\x66\x80\x08\x87\x41\x57\x6c\x2d\x09\xd3\x7d\x66\x37\x1f\xb4\xae\x00\x4e\x09\x67\xda\xac\x54\xc9\xb5\x32\xaf\xb7\x0d\xcd\x6a\x86\xda\x1f\xa5\x50\x53\x95\x35\x6f\x11\x58\x77\x51\x2d\x15\xb2\xa2\xb4\x54\xbd\x62\xec\x5e\x25\x71\x1c\x00\xa1\x5e\x29\x72\x32\x0a\x3b\x1c\xd7\x94\x39\x49\x59\x8a\xe2\x94\x2f\x9e\x5a\x00\xb0\x7e\xb1\x1a\x9d\x17\x05\x04\x6b\xbb\x2b\x13\xa2\xac\x71\x3e\xc4\x29\x74\x0b\xaa\xfe\x21\x63\xf7\xae\x0a\xd9\xa5\x79\x1c\x25\x20\x4a\x45\x05\x7f\xc6\xc2\x99\x59\x39\x9e\xcf\x9a\x38\x7d\x6a\x94\xb0\x28\x65\x44\xcb\x86\x68\xc3\x93\x3e\x44\x79\xdc\x78\xbd\x9a\x68\xa3\xbc\xc8\x78\x0c\xcb\xa0\x00\xab\x41\xb6\x7c\x9c\x31\xce\x39\x3d\x77\x08\xfe\x1e\x93\xff\x3b\x31\x7d\xe7\xcc\x2c\xb7\xa6\x08\x5c\x85\xfb\x61\x18\x9a\xe7\xa6\x67\xa7\x9a\x9f\x3a\xec\x78\x30\xaf\x61\x4f\x75\x0e\x35\x79\xc0\x8e\xc9\x15\xef\xef\xf7\xf7\x46\x65\xd6\x8d\xdb\x8c\xbd\xbe\xe5\x20\x20\x5f\xdc\x0a\xee\xb3\x0e\x05\x2b\xf5\xbb\x35\x0f\x42\x7e\x37\xd8\x82\xed\x07\x73\xc1\x03\xb5\xe5\x06\xa3\x7a\x0f\xc3\x91\x55\x3b\x8c\x23\xde\x9d\x61\xa7\xb7\xce\xf1\x3e\xfc\xdc\x73\x80\x92\xdf\x31\xf8\xc1\xdd\xa8\x37\x76\x5e\xf4\x0b\xf9\xd1\x63\x9c\x80\x92\x7c\x68\xd7\xec\xf1\x77\x75\xa3\x1e\x63\x2f\x68\xb1\x7f\x37\x2c\xb9\x3f\x8a\x98\x94\x01\x9b\xce\xdd\x2f\x78\xc1\xcd\xce\x15\xbd\x36\x07\xf0\xc4\xda\x10\xa7\x72\x93\x3b\x07\xe4\x4b\x3d\xf6\x22\x8f\x5d\x95\x64\x51\xe7\x44\x94\x44\x69\x5b\xe4\x7e\xb5\x85\x98\x82\x53\xd6\x0b\x84\xbd\xb8\xdd\xbe\xd6\x4c\x5e\xe6\x9e\xe6\xb2\xd2\xb1\x25\x7a\x21\x64\x17\xf7\x3b\x70\x20\x95\x29\x5a\xf3\xda\x2f\xcc\x4c\x41\xa4\x0b\xa8\x66\x7f\xb1\x2f\xb8\xce\xb9\x82\x12\xb5\x8b\xe5\xd1\x0f\x6c\x9c\x90\xea\x03\x57\xd4\xaf\x1d\xab\x5f\x89\xd2\xbe\xda\xc1\xbf\x86\x3f\xea\x39\x55\xf5\x58\xd8\x8b\xf2\x46\x76\xfd\x06\x11\x8f\x43\x67\xc0\x15\x85\x6a\x07\x0a\xd5\x67\x6c\x85\xea\xa3\x3b\x54\xa8\x7e\xb0\x59\x9f\x7a\xac\x40\x6c\x8f\x78\xcb\x9b\xab\x52\x93\xfe\xc4\xd8\xa0\xe6\xa3\x01\x32\x6a\x96\xd5\x53\x56\xd8\x9b\x0b\x63\x7f\xcf\xd8\x3d\x97\x9a\xb7\x71\xe3\xdc\xc6\xfe\x8f\xb1\xe0\x7b\x37\x7c\xa2\xc6\x6d\x89\xf9\x7b\x21\x82\x3f\x5f\xa3\x79\x3c\xec\xfd\x8b\xde\x1e\x4c\xe8\x7c\xd1\x83\x05\xe3\xec\x7b\x6f\xdf\xcf\x1e\x60\xfb\xe4\xc0\xc9\x15\xe4\x8b\xe0\x7b\xd5\xdf\x6a\xf1\x5a\x02\x09\x64\x58\x56\x1b\xb7\xe2\xec\xa1\x7d\x4f\xa9\x2d\xb6\xb7\x3e\x38\x27\xdf\x38\x27\x7b\x2f\x70\x9c\x7e\xaf\x68\x31\x6a\x93\xff\xc2\x56\xf0\x75\x0f\xff\xd6\x54\xa3\xf8\xab\xd1\x8d\xa8\x3e\xf9\x72\x64\x71\x1c\xbf\x8d\x12\x5d\x3f\xba\xb9\xb3\x0d\x8d\x41\x92\xf0\x24\x5b\x17\x79\x5b\x2e\x7d\xbb\x3f\x7e\xcf\x63\xac\x58\xcd\xf2\x12\x67\xc3\xaf\x79\xc1\xfb\x3d\xf3\x1b\xbf\x4a\xfe\xac\xa5\xb7\x56\xdf\x3d\xaa\xa3\xc1\xea\xf9\x98\x35\x6d\x11\xe9\x2a\x15\xf1\x1e\xe2\x9e\x85\x33\x88\x78\xff\xe3\x74\x2d\x6b\x53\x90\x09\xd0\x67\x9d\x93\x4b\xaa\x5d\x26\x7c\x45\x94\xfc\x36\xa8\x5f\x56\x2f\x7b\x6b\xa6\x34\x2a\x4e\xed\xa3\xcc\xc6\x7e\x35\x3b\x60\x7f\xe3\xf3\x3d\xb6\xaf\x88\xd3\x95\x2a\x89\x72\xbf\x0c\x56\xd4\xdf\x7a\x9e\xa9\xdf\x4d\xe3\xbe\x41\x95\xce\x8c\xd3\x97\x3b\x1c\xe7\x9e\xd3\xcd\x5f\xf7\x18\x93\x6b\x68\x25\xcb\x63\x51\xf8\x5f\xf5\x82\x4f\x7b\xe6\xb7\x6b\xc3\x85\xe1\x13\x1d\x6e\x67\xcb\x8f\x8b\x81\x64\xb3\x4b\x22\xc9\x80\x5d\x23\x23\x0c\xc1\xc1\x28\x49\x0e\x1e\x36\x94\x1d\xbd\x6a\x29\x89\x8b\xd5\x47\x73\x6c\xa2\x24\x39\xb7\x51\xcf\xff\x37\x8f\x4e\xca\xf7\x7b\xc1\x7f\xf0\xce\x6f\xbe\xb6\x9d\x5e\x8f\x0b\x02\x15\x24\x7d\x73\x70\xa1\xf6\x44\x23\x16\xd2\x12\xb1\x9d\xfd\x0a\x02\x0e\xb0\x89\x4a\x31\xbd\xe1\xa1\x1c\x61\xe5\x38\x40\x06\x87\xae\x3a\xa8\x1d\x25\x49\xe1\x8c\xdb\x97\x0f\xb0\x70\x4b\x67\x92\x96\xcc\xfd\x9f\x3e\x10\x2c\xea\x5f\x46\x10\xa5\x54\xc8\xb0\x82\xa4\x5a\x1a\x49\xed\xb2\x34\x49\x6f\x07\x44\xe6\x18\x19\xc1\xd5\xea\x0f\x2f\x7a\xbb\xe4\x99\x7a\xd1\x23\xb4\xf2\x45\xcf\x4f\xa2\xa2\x5c\xcc\xa3\xb4\x80\xba\x16\x63\x48\x71\x97\x8b\xa8\x90\x5b\xef\xde\xae\x28\x8a\x68\xc5\x85\x4e\xfc\x30\x63\xa7\x34\xdc\xf9\x44\x70\x83\x2b\x12\x6b\x1d\x67\x54\x91\xa9\x2d\xe6\x52\xec\x3b\x19\x25\x52\xc5\x3d\x9b\x02\x2c\xc6\xe9\xa0\x45\x06\xad\xf2\x4f\x05\x77\xa8\x6c\x1b\x96\x0d\xca\x12\x38\x80\x44\x3a\xe5\xcb\x59\x16\x12\x55\x43\xd8\xce\xba\xe3\x46\x20\xb1\x4b\xfd\x40\x8b\x35\x7c\x9c\xff\x93\x2d\x76\xd3\x25\xc8\x0b\xf2\xdd\xe0\xab\xde\x60\x81\x5a\x4a\x8c\x8a\x92\x18\xaf\xed\x5e\x40\x86\x5e\xf8\x53\x41\xca\x64\xb7\x50\x9f\x99\x5c\x4f\xb4\xe4\x8c\x02\xaf\xb1\x5b\x70\x12\x24\x7d\x84\xe7\xe8\x29\x81\x94\xfb\x21\x47\x63\x56\x44\x13\xbd\x44\xd0\x11\x11\x20\x19\xd8\x0c\xb4\x4b\x97\x28\xa7\x04\xe5\xce\x56\xcc\xfd\x05\xf0\xca\xf6\xc8\x26\xf7\x02\x8f\xa9\x91\xf7\xd7\x82\x98\xfe\xc4\x1d\x66\xb5\xea\x82\x7b\x3c\xea\x00\x68\x47\xdf\xc3\x03\x1e\xb0\x71\x34\x4b\x0d\x9b\x95\xe9\x03\xfa\x4c\xc5\x65\xeb\x26\x38\x71\x86\xef\xd3\xad\xc6\x08\x98\xff\xdc\x52\x21\x30\x3f\xd6\x1a\xbc\x5d\x8f\x4a\x0d\xb5\x79\xdc\x8a\x8f\xd1\xe8\x33\xd3\x9d\xeb\x11\x9a\x34\x91\x6f\xa2\xea\xc9\x86\x9e\x84\xc9\x86\x3b\xc1\x28\x8f\x97\x9b\x0b\x8b\x75\x08\x63\xd2\xe7\x47\x8f\x21\x62\x03\xaa\xc6\x21\x0e\x8d\xce\x7f\xdf\x85\x67\x87\x0d\x4d\x8e\x0b\x7e\xcb\x68\xad\x3d\x52\xae\xaf\x60\x61\x03\xd0\x0d\x8c\xb9\xb9\xc0\xd5\xae\xf8\x95\x9a\x14\x64\xd5\x5e\x17\xb1\xf3\xa5\x16\xa3\x15\xed\x7f\xae\x15\x7c\xac\x85\x7f\x9b\x6d\x05\xd2\x1b\xac\xe4\x51\xb7\x1b\x95\x36\xd5\x72\x6e\x8f\x2a\xee\xac\xf0\xa2\x3a\xc0\x75\x7b\x0f\x16\x34\xfd\xad\x71\x9e\xc3\xd4\x1f\x39\x6c\x0c\x9a\x44\xd1\x5a\x17\xc0\x25\x28\x27\x02\xc5\xbb\x88\x0b\x3d\xcc\xb0\x40\x90\x35\xd0\x13\x45\x94\x02\x4e\x44\x8b\x6a\x30\x6f\xf1\xc4\x59\x5f\x45\x04\x5b\x69\x60\x6e\x11\x66\xa8\x28\xe2\x8e\xc8\x45\x87\x47\x7c\xa5\x8a\xf2\x28\x2d\x85\x00\x0a\x07\x8b\x0b\xdb\x5a\x69\x91\xb5\xc1\xd0\x44\xb4\xad\xdd\xb2\x89\xa4\x05\xa1\x3d\xd7\x9e\xa5\xbf\xd8\x62\xdb\x05\xc4\xfa\xaf\x6c\xf9\x57\xc7\x69\x39\x96\xe5\x63\x58\x4a\xf0\xd7\x9e\x75\x1f\x97\x19\x6c\x84\x1a\x1d\xbb\x8a\x08\x64\x0e\x68\x32\x44\x9c\xa8\x96\xf2\x7b\x71\xa9\xe3\x11\x6d\x5b\xdc\x78\x37\xca\x8b\xd5\x08\x91\x9f\x48\x3c\x65\x5d\x19\xe5\x71\xa9\xf2\xb3\x00\xf3\x96\xec\x37\xe2\xb5\x94\x13\x09\x68\xd6\xfa\x3d\x01\x38\x42\xc8\xb8\x93\x64\xeb\x05\xe4\x94\x2a\x33\xb0\x35\x8f\xd6\xd3\xd3\x41\xe5\xd8\x69\xba\xe5\xb8\xad\x10\xb3\xb5\xac\x06\xc1\x9e\x4e\x27\xfe\xc4\x01\x07\x2b\xa5\x80\xfd\x0b\x72\x66\x2f\x57\xc9\x82\x28\xfd\x7f\x64\xc1\x5b\x5b\xd6\x85\x3a\x6d\x4e\xa9\xd1\xa3\xb0\x56\xc8\x76\x08\x89\x4a\x60\x36\x97\xb1\x28\x42\x3e\xa3\xff\x86\x99\xa2\x52\xac\x47\xc5\x71\xc6\xc7\xf8\x2c\x9a\xac\x8e\xf3\x09\x95\xbc\xbf\x80\xfd\x90\x4f\xcd\x2e\x20\xae\x31\x2b\x40\x86\x0c\xe5\xd3\xc4\x7e\x71\x9c\x4f\xc8\x59\x9c\xf6\xb9\xc5\x57\x05\x79\x4c\xb4\x0d\x38\x04\x2b\xaa\xdd\x78\x3d\x2b\x55\xec\x9c\x82\x40\x61\x0b\x54\x9b\xfb\x28\x7f\x44\xc9\x7a\xd4\x97\x95\xf4\x74\x02\x2f\xd9\x97\x8a\x64\x45\x3d\xec\x5a\xc5\xfe\x66\xef\xe5\x4d\x34\x59\x52\xa8\x55\xb2\x01\x8d\x4c\xc3\xc0\x41\x80\xd5\xcd\x14\xbf\x67\x2c\x50\x0a\xa6\x6b\x06\xc7\xca\x3e\x88\x0b\xbd\x10\x65\xc8\xde\x6b\xe2\xaa\xde\xb1\x11\xb3\x54\x53\xcd\x68\xd2\x4b\x55\x72\x85\x61\x66\xbc\x39\xbb\x52\xeb\x7d\x45\xff\x10\x95\x91\x3a\xae\xec\x2d\x79\xa9\xcf\x8b\x4c\x1e\xaa\x71\xda\xc9\xd6\x61\xff\x05\x7a\xd3\x2b\x66\xb8\x2b\xa0\xa8\xc7\x2f\x06\xeb\xec\xe6\xb6\xa4\x63\xfe\x11\xe3\x96\xef\xf5\x0a\x6d\x2e\xb2\xe6\x7e\x1d\x95\xf4\xb1\x11\x87\x26\xc4\xa5\x35\x9b\x4e\xd7\x08\x36\xff\xa6\x91\xe0\x83\x5e\xed\x22\xe5\x63\x00\xbe\x20\x22\x37\xcb\x6c\x4e\x33\xd9\xe9\x6b\x71\x9e\xa5\x5d\x4c\x0d\x92\xc7\x72\xcb\xc5\x6d\x5c\xf9\x9f\xd0\x55\xa8\x35\x0c\x42\x03\x63\x71\x07\x0b\xa4\x77\xc5\x63\x07\xf6\x4b\x3d\xe2\xf0\xf4\x79\xd1\x1f\xc3\x49\xd3\x8b\xe2\x1c\x76\xe6\xc6\x1a\xdd\xed\xf3\x73\x1e\x7b\x58\x71\x3b\xfe\x40\x90\xcd\x3a\x4a\x3d\xc0\x2b\xcb\xc7\x88\xb1\x71\x8a\xed\x43\xe8\x7c\x94\xf8\x37\x07\xd7\x62\xac\x6a\xdf\x11\x7e\xa8\x63\x95\x81\x81\x8e\x35\x10\x01\x97\xb2\x2c\x11\x51\xca\xfe\xcc\x73\x8e\x58\x4d\x63\x24\x27\x15\x8d\xde\xa7\xbd\xc0\xfe\x6d\xc4\x43\x1b\xde\x0b\x1c\x0c\x29\x17\xf2\x39\xb7\xc7\x7e\xd8\x63\x27\xd9\xfe\x76\xd6\xed\x65\xa9\x48\x4b\xff\x96\x60\x74\x52\xfd\xc0\x15\x86\xb8\x60\x18\xf2\x35\x4a\x21\x46\x82\xb4\xe8\x38\xf2\xc0\x1d\x6c\x97\x3c\x6a\xfd\x9b\x82\x6b\x67\xb3\x8e\x32\x67\xa5\x5b\x2f\xe0\x65\xbb\xd9\x77\x5b\x5f\xbb\x9c\x64\xeb\x14\x01\xa8\x2d\xf1\x04\x62\xf5\x7f\x77\x57\xf0\x5f\x3d\xfa\x81\x16\x34\xda\x9d\xb3\x3c\x5e\x89\xc1\x7b\x8c\x01\xe6\x06\xb8\x51\x18\x09\x59\xc7\xd8\x2b\xa4\x42\x54\x49\xcd\xab\x54\xb1\xc4\x48\x6f\x0a\x62\x67\x2e\x40\xe6\x28\x57\x73\x21\x38\x1c\xe8\xd9\x32\x56\x48\x84\x77\xa6\xc2\x5b\x65\xa9\x55\x21\xf2\x51\x5c\xa8\xa3\x52\x6e\xaa\xa5\x70\x0a\x9b\xcc\xa1\x2f\x68\xb1\x29\xb6\x1b\xde\xf1\x6f\xdd\x20\xe9\x49\x53\x87\xdc\x29\xdf\x52\xd0\xde\x7f\x45\x7b\xf0\xb7\x05\xfb\xe6\x29\x3d\xa3\xdd\xbf\xf7\xb0\x27\x14\x4e\xee\x34\x7f\x6a\x03\xf2\xd0\xc6\xee\x77\x5e\x57\xd5\x9e\x60\xbb\xe4\x67\xfb\xc7\x37\x20\x5a\x6e\x2a\xed\x6c\x21\x72\x2a\xe3\x11\xef\x95\x1e\xfb\x17\xce\x26\x58\xa5\xe0\xa9\x5d\xf7\xab\x31\x4a\x33\x37\x56\x66\x63\x9d\xb8\x68\xe7\x71\x57\xf6\xb8\x38\xd1\x3f\x0e\xee\x60\xda\x16\xa1\x2b\xe0\x82\xfb\x95\xc7\xb9\xdb\x6c\x78\x44\x36\xf8\x38\x97\x2d\x60\x9c\x5b\x85\x66\xf9\x71\xd8\x58\x19\x7b\x25\x63\xdf\xd9\x94\xcd\x22\xeb\x20\xcd\xc1\xd7\xf6\x07\xb7\xab\x1f\xc3\x59\x0e\x48\x50\x84\x84\xcf\xb1\x49\xaa\x07\xfb\xa4\x33\x09\xde\xba\x9f\x7d\xde\x63\x57\x57\x29\x45\x8f\x42\x18\xdf\x47\xbd\xe0\x3d\xde\x59\xfb\x92\x8a\x89\x45\x4e\x36\xae\xef\xc4\x09\x25\x2a\x53\x71\x61\x21\x3f\xd1\x57\xa9\xd4\x46\x75\xfd\x56\x49\xdb\xde\x08\x81\x35\x02\xfe\x3b\x7e\x4d\x37\x4a\xab\x28\x19\x93\x3f\xc6\xa2\x4e\x37\x4e\x35\x3c\xcc\xd9\xbf\x7e\xdd\x63\x57\x21\x39\x1f\xed\x56\x9f\xdc\x0a\x57\xa5\xec\xd5\x49\xeb\xad\xe0\x55\xde\xcc\xb2\x89\xbf\x42\xad\xdb\x98\xe6\xe5\xa9\x02\xdf\xd7\xb6\x81\x67\xb8\x79\x01\x45\x0a\xa6\x3d\xb8\x1b\xa9\xb4\xb0\x60\x97\x84\x5e\x6d\xc1\xc4\x44\xaf\x35\x65\x7a\xc5\xe4\x7e\x55\xda\x25\x7b\xb1\xc7\x98\xe2\x42\x9c\x99\xf2\x2f\x04\xe7\xa7\x2c\xe6\xec\xd9\x0c\x23\xe0\x34\x7b\x17\x66\x69\x03\x8a\x50\x55\x44\xc8\xe7\x21\x29\x85\xa2\x68\x01\xec\xcc\xd1\xf0\xe8\x75\x21\x2f\x84\x30\x23\x02\x28\x12\x4d\x6d\x7a\xe3\xd1\x5b\x6e\xbc\xd1\x5e\xd3\xcf\x64\x7b\x7b\x59\x67\x72\x66\x6a\xde\x3f\x19\xdc\x32\x87\x7f\xd6\xed\x29\xbd\xac\xc3\x67\xe6\x78\x1e\xa5\x2b\x82\x47\x05\xe0\x5a\x34\xd8\x41\x76\x5d\x58\x23\x1b\xde\x47\x65\x16\xfe\x5b\x5b\xc1\x97\x3c\xf5\xab\x5e\xae\x2a\xb3\x68\x2c\x94\xd2\x1e\x52\x0c\x26\x08\xec\xca\x8c\x03\x75\xa2\x0d\xcc\x81\xa7\xb9\x43\x7c\xa4\x5c\xe5\x22\x2d\xf3\x3e\x0e\x90\x71\x94\x50\x7b\x54\x47\xce\x20\x1e\x49\x41\xa5\x74\xb0\xac\x95\xe7\x09\xe2\xf1\xb2\x65\x3e\x33\xb7\x76\x3d\xc8\xd0\x33\x73\x6b\x37\x6e\x60\xbe\xde\x06\xc7\xd4\x0b\x3c\xc6\x80\x13\xb5\x23\xf2\x99\x29\xbf\x08\x96\x67\xa6\x94\xd0\x01\xdd\xa0\xfb\x86\x0e\x9d\x76\x92\x55\x1d\xae\x5e\xe1\x96\x3f\x27\x2a\x8f\xf3\xdb\xe6\xe8\x86\x14\x5e\x6e\x3f\x3e\x3e\xae\x2f\x28\xbe\x0b\xb9\x3c\x66\xa6\x6e\xb7\x87\xac\xcd\xf6\xc8\x4f\x2f\x0b\xff\x59\x01\x1f\x5c\x2b\x94\xb0\x18\x1f\x71\xbe\xfa\x5a\x76\x88\x7d\xf7\xa6\x0b\x72\x51\xbe\xc8\xfe\x76\xa4\x31\x39\xf4\x62\xd6\xcb\x92\x6c\xa5\xbf\x40\x19\xbc\x16\x45\xde\xf5\x3f\x35\x12\xbc\xa6\x35\xc1\x4b\xba\xa7\xd3\x7b\xf1\x52\xe4\xdd\xfa\x34\xca\x45\x51\x25\x98\x62\x38\x5a\x12\x09\x7f\xa0\x12\x39\x28\xfe\x13\x3c\xad\x92\x44\x1e\xa3\x68\x6f\x1c\x52\x9c\x3a\xff\xd3\x4c\xc3\x2d\x60\xe1\xdb\xa0\x3d\x1a\x11\x4c\x46\x3a\x31\x3b\x25\x70\xde\xd0\x28\x80\xa6\x52\x2d\x91\x41\x62\xb9\x4a\xdb\x28\xba\xc9\x3d\x35\x2a\x38\x6c\xf3\xd6\xe7\x19\x47\x4b\x94\xf2\x28\xe9\xad\xba\xf9\x30\x60\x32\x82\x89\x56\x0f\x6e\x25\x6f\xba\x1b\xfe\x3b\x3c\xf6\x93\x1e\xfb\x36\x68\xfc\x29\xf9\xdd\xd3\x17\x64\xaf\x80\xef\xd6\x7f\x89\x17\x5c\x37\xa1\xdd\x42\x83\xdf\xed\x7c\xda\x52\x9f\x72\xde\x3a\x43\x3b\xcd\x26\xb7\x40\xaf\x5b\x1f\x3d\x68\xc9\xbc\x29\x9d\xfd\xd5\x01\x76\xe3\x26\xe7\xf8\x1c\x30\x3d\xcc\x57\x89\x28\xee\x8d\xcb\x55\x15\xd7\xe4\xbf\xff\x40\xf0\xfa\x91\x21\x37\x01\xc0\x46\x47\x66\xc4\x41\xd5\xc5\xa3\x52\x87\x38\x19\xe1\x0d\xed\xed\x56\xd6\x4f\x18\x5d\x78\x47\x59\x0d\xc9\xb3\xa4\x05\xc2\xf3\xc6\xf6\x49\xf2\x1f\xa9\xee\x4b\x8a\xf2\x51\x99\x79\x0c\x1e\xd0\x76\xf7\x42\xc6\xb6\x52\x1b\x95\x61\xb8\x87\x7d\x89\x9a\x7e\xa6\xbd\xf1\xb2\xc9\x8b\x12\x2f\x63\x12\x96\x43\xd1\x61\x13\xf6\x9c\xa5\x82\x77\x85\x0a\x9f\x2e\xea\x25\x39\xa2\x69\xda\xe1\x87\x96\x86\xbe\xab\x1a\x0d\xcd\x02\x43\x5d\x96\xce\x3b\xd7\x1a\x0a\x0d\x2f\x7a\x3a\x12\xcd\x4d\xcd\xbc\x8f\x7d\xb9\xc5\xae\x76\x0a\xf5\x3f\xd5\x0a\x7e\xd5\x3b\xe7\x5c\x3b\x47\xca\x7d\x12\x63\xc6\x57\x55\xa3\xd5\x45\xe4\xde\x50\xa9\x64\xb5\xc8\x6c\x22\xa7\xdb\xed\x2c\xef\x50\xc6\xd2\x72\x55\xc4\x39\x8e\x8f\x1a\x0e\xd2\x17\x8d\x5b\x70\xc2\xee\x81\x6c\x99\xd7\x9b\x24\x5f\x3c\x57\xff\xfc\x73\x7c\x15\x6d\x2a\x4b\x40\xb4\x38\xa6\x6c\xc1\x66\x9d\x4c\xb2\x89\x0d\xe8\x80\x9b\xe6\xfb\xe0\xd7\x6e\x11\x84\xf8\x82\x11\x2b\x02\xf0\xeb\xad\xe0\xc5\x2d\x3d\xf4\x35\xd0\x12\x45\x54\xa3\x36\x41\xe2\x2c\xa9\x10\xa0\x56\x80\xc8\xab\x5c\x22\x71\xc1\xf3\x4a\x8a\x86\x48\x4b\xbb\x94\x55\xa5\xd2\x5d\x06\x12\xb0\x5a\xb3\x47\x9b\xec\xe4\x28\xca\xcd\x16\x87\x13\xc7\x0d\x68\xd5\x44\x41\x09\x84\xe4\xda\x02\x9d\xe8\xb8\xa5\x29\x11\x80\x9a\x6e\x54\xa9\x7b\x4b\x36\x1d\x9b\x69\xa6\xa0\x00\x0f\xb4\x46\x57\x2a\x1d\xc5\x19\x8e\x9b\xd9\x8d\x1b\x70\xc8\x6e\xa0\x13\x6e\x71\x0c\xde\xd6\x62\x4f\xaa\x4f\x12\xff\x65\xad\xe0\x55\x5e\xc3\xdc\x71\x9c\xf3\xb3\xe6\xf6\xa3\x30\xcf\xe5\xe4\xd4\x3b\xd0\xd9\xf9\x53\x4e\xa7\x9c\x64\xdb\xd5\xd4\x1a\x1b\xbb\xc5\x2e\xfa\x85\xfd\xac\x91\xfe\x4a\xed\xf6\x9d\x05\xd1\xae\xf2\xb8\xec\x63\xc9\x00\x8b\x7c\x68\x7f\xf0\xf4\xc6\x3b\x6e\x1f\x0e\x3c\xb2\x31\x40\xf2\x97\xae\x00\x24\x77\x6c\x99\x5d\x57\x00\xc9\x34\x08\x34\x40\xd2\x8c\x88\xea\x2a\x1a\x06\x7b\xd6\x3d\x9d\x6d\x64\x8d\xd8\x6c\x5a\x5c\x31\x09\xef\x00\x2b\xf9\x59\x1b\x2b\xf9\xdf\x76\x88\x95\xfc\xa1\xc7\x29\xf6\xec\x72\x82\x25\x89\x4d\x8c\x1b\x1e\xb2\xc1\xad\x86\xb1\xaf\x86\xdb\xda\xb9\xc0\x8e\xf3\x9f\xc3\xe0\x58\xe3\x1d\x67\x6f\xc1\xa2\xb8\x48\x97\xb3\xbc\x2d\x3a\xe1\x45\x6f\x6f\x21\x4e\xc5\x69\x75\xe1\xa2\xb7\x3f\xaf\xd2\x89\xe2\x6c\x21\xf2\x8b\x9e\x5f\x54\xbd\x5e\x02\xa2\x73\x94\x80\x45\xaa\xb8\xe8\xed\x5d\x2e\xe0\x4f\x67\x6f\xfb\xe0\x18\x7b\x87\xc7\xbe\x1d\x1c\xb4\x73\x2a\x71\xd2\x74\xd1\x8e\x12\x84\x4c\xbc\xc4\x0b\xfa\xc3\x6e\xf2\x8e\x90\x9a\x0f\xa6\xc9\x5c\xa6\x74\xc3\xc8\x7f\x60\x24\x66\x88\xa8\xd1\x29\x99\xb8\xd0\x6f\x83\xe6\x5d\xa5\x96\x92\xe8\xa4\xdc\xcf\x2b\x02\x22\x28\x2b\xce\x2f\xb4\x98\x4f\xf9\x9b\x4c\xd2\x90\xc2\x7f\x5b\x2b\xf8\xa2\x37\x78\x5d\xab\x45\x49\xb6\xae\x36\x19\x79\x9b\x58\xee\x43\x8e\x79\xbd\x40\x56\x8d\x13\x07\x62\x4a\xc4\x41\xd6\xd3\xca\x87\x57\x15\x80\x9a\x01\x39\xbc\x17\xe5\x51\x57\x7e\x3f\x84\xb5\x00\xd5\x04\x64\xaa\x4f\x6d\xea\x24\xb4\x3b\x90\x1a\x6e\x17\xa8\x7c\xe2\x42\x73\xf3\x04\x74\x2b\x20\x7b\xc2\x25\x6f\x81\x13\xf5\xbe\x60\x1f\xf3\xd8\x93\xa8\x36\x95\xc1\xab\xf0\xdf\xe5\x05\xe7\xea\x17\x9b\x3a\x0d\x28\xdf\x7b\xf2\x6e\x48\x5d\xd6\xd0\x57\xe6\x21\xa7\xab\xec\x6f\xb8\x95\xdd\x32\x1c\x3b\x35\xe4\x1b\x54\xc3\xd8\x6b\x47\xd8\x53\x69\x76\x4c\x74\x3a\x93\x51\x0f\x4d\x8d\xb1\x28\xfc\x7f\x68\x05\xff\x67\xab\xf9\x9e\x12\x67\xe9\xae\xf2\xf4\xb7\xed\x47\x30\xdd\xa5\x22\x38\x82\x78\xbc\x7a\x0e\x32\x5e\xa5\x89\x28\x8c\x0d\x4b\xce\x58\x0d\x4a\x01\x6c\x60\x27\xcf\x7a\xe4\x22\x56\x65\xf7\x43\xce\x9f\x95\x55\x1a\x00\x02\xdd\x19\x59\xf7\xe5\xb8\x83\x58\x3b\xa4\xed\xc8\x05\x8f\xa2\xe9\x54\x9e\xf5\xec\x9b\xf2\xc0\xb0\x1f\x85\x66\x6b\x2f\x41\xdc\xed\x25\x71\x3b\x2e\x93\xbe\x9a\x63\xa3\x44\x40\x27\x3a\x0a\x8c\x42\x92\xb5\x9e\x7d\xf4\xa0\x53\xac\x6c\xf2\x46\xd8\xca\x5f\xf0\xd8\xbf\x51\x8d\x1f\xb6\x7d\xfc\xa8\x17\x3c\xec\x6d\xf2\x90\x31\x26\xd7\x06\x0b\x13\xca\x65\xb9\xf6\x57\x01\xd6\xa8\x2d\xc7\x42\xee\x32\x2b\x51\x9c\x62\xa8\x9d\xde\x5e\x0a\x8c\xba\x93\xe7\x6b\x2f\x02\x5f\x3d\xbd\xe0\x6e\x25\xaf\x18\x61\x4f\x5a\xce\xf2\xa5\xb8\xd3\x11\xe9\x42\xbf\x68\x97\x49\xe1\x7f\xa3\x15\xfc\x66\xab\x7e\xd5\x95\x52\xc4\x05\xdd\xb3\xfa\x41\xa9\x79\xc8\x27\xdd\xed\x2b\xcd\x52\x11\xf2\xe9\xa8\xad\x6c\x87\x72\x93\x88\xd5\x47\x24\xb2\xe5\xf8\x9e\x86\xb6\x40\x9e\x88\x38\xe5\xc1\xb5\x81\xfc\x07\xdd\x55\xed\xa8\x00\x0a\x9c\xb8\x70\x90\x49\x94\x75\x6f\x39\xbe\x00\x86\xa2\x7a\x53\x42\xbe\x80\x10\x94\x6b\x01\x03\x85\x44\x46\x74\x0f\x66\x88\x7e\x23\x64\x8c\x18\xe5\x8a\xe3\x1c\x30\xbc\xc1\x72\x96\x8d\x5f\x1b\xd0\x23\x05\xfe\x5e\x8a\xf2\x60\x54\xfd\xf9\x60\x30\xca\x45\xd9\x0e\xcd\xf3\x61\xed\xf9\xd0\x3c\x1f\x9a\xe7\x37\x98\x49\x3d\x76\x40\xee\x20\x84\xa1\xf1\xa3\x60\xc1\xfa\x59\x3b\x65\xac\x63\x90\x50\x45\xb8\xd1\xc2\x36\x7b\x97\xf5\x9a\x49\x8f\x87\x71\x94\xce\x0c\x78\x0e\x63\x26\x4d\xa0\xff\xcc\x60\xd2\x4a\x1a\xb8\x85\x53\x0d\xa9\xc0\xe5\x40\x98\xf7\xdc\x0a\xfe\xbe\xc5\x9e\x9a\x8b\xa8\x73\x26\x4d\xfa\xf3\x59\x56\x9e\x8c\x13\x81\x3a\xaa\xff\x9b\xad\xe0\x57\x5a\xcd\xf7\xf0\xe4\x20\x3a\x3f\x79\x04\xe2\xd6\x04\xa7\xbd\x9d\x96\x90\x18\xe3\x29\x05\x66\x0e\x0c\x54\xf2\xe0\xc9\xb3\xac\xc4\x14\x8c\xca\x79\xa8\xe2\x95\xcd\x6e\xe6\xec\x5c\x96\x14\x6a\x97\x88\x6a\xe0\xb0\x52\xa1\xc0\xb9\x85\x39\xa5\xac\x74\x44\xda\x57\x7d\x0d\xa7\x3a\x7d\xc0\x72\x94\x14\xa2\x56\x3b\xe8\x26\x5b\x69\xba\xec\x7b\x48\xbb\x5d\x48\x9d\x7d\xa9\x2a\x75\x12\x6e\xda\xc2\x50\x04\x42\x16\x22\xab\xe3\x3f\xd7\x62\x57\xe5\x55\x5a\xc6\x00\xa7\x2a\x0a\xff\x23\x2d\x36\xb9\xd5\x73\x67\xde\x7a\x71\x81\x8c\xec\x67\x90\x7b\x2e\xf8\xba\x67\x17\xab\x61\xe4\xf4\x94\x75\x90\x74\xe2\x76\xa9\xf0\x09\x30\x45\xc1\x63\x66\x17\x4d\x71\x0c\x91\xee\x30\xd7\x01\x91\x75\xe3\xb2\x54\x56\x73\xcc\xee\x63\x57\x0d\x78\x02\xfd\xb0\xd4\xf0\xe4\x32\x6a\x83\xd6\x30\x8d\x92\x21\xa0\x13\x32\xa7\xdc\x5a\x2a\x1a\xbb\x39\xae\x1b\x0a\x2d\x93\x3a\x1d\xf2\x3b\x3d\xb6\x97\x44\x13\xff\xcd\x5e\xf0\xbc\xb5\xe1\xf2\x95\xca\xe8\x0d\x19\xd7\x86\x89\x0b\x69\xc6\x1b\xa5\xaa\x45\x25\x2b\xca\xcd\x4a\x3d\xd1\xa7\x13\x54\x2e\xef\x83\xd7\x1e\xdc\x68\x0f\x79\x5f\x8b\xfd\x8b\x86\x53\xcc\xbf\xd8\x0a\xfe\xc9\x6b\x3a\xde\x9c\x9d\x7d\x50\x26\x20\xda\x4a\x13\x8c\x2d\x85\xd9\x4e\x53\x86\x52\xb7\xd4\xd4\xee\x74\x05\x55\xc6\x38\x7f\x93\x9d\x17\x19\x7e\x0e\x16\xe8\xf3\x15\x28\x0e\x83\xb8\x50\x15\xe5\x26\xf2\x42\xd3\xb7\x6c\x28\x2c\x6c\xd0\x69\x5f\xfb\x7f\xd9\x7b\x17\x30\x49\xb2\xaa\x4e\xfc\x8b\xac\xea\xd7\xed\x19\x90\x00\x05\x5d\xf7\xff\xdd\x7f\x0c\x6c\x75\x0d\x99\x59\x55\xdd\xf3\xa2\x19\x86\xa9\xa9\xaa\x66\x8a\xe9\xee\x29\xaa\xaa\x67\x00\x77\x96\x8e\xca\xb8\x95\x15\x53\x91\x11\x49\x44\x64\x55\xe7\xac\x7c\xcb\x63\x17\x84\x05\x59\x56\x50\xe8\xe5\x29\x2f\x1d\x44\x50\x50\x41\x50\x51\x77\xe0\x0f\xe2\xa2\x20\xb8\xa0\x82\x22\xae\xe2\x63\x5d\xdf\xee\xb0\xae\xff\xef\x9e\x73\xee\x2b\x33\x2a\xab\xaa\x7b\x06\x10\x5b\x3e\xa7\x2b\xe3\x71\xe3\x3e\xcf\x3d\xf7\x3c\x7e\xbf\x31\xf6\x18\x2a\xef\x5c\x5a\x84\xeb\x42\x6d\x86\x9f\x1d\x0b\x3e\x30\x56\x75\x67\xc7\x0d\x51\xa9\xb3\x3d\x78\xfa\x1b\xbf\x2b\xaa\xfa\x8c\xda\x13\xdd\xba\xda\x0c\xb1\x4d\xed\x75\x25\xc3\xad\x99\xe8\x21\x44\x55\x56\x35\xd6\xee\x0e\xf9\xca\x56\x16\x47\x64\x88\x41\x56\xf4\x1d\xf6\x5a\xda\xc7\xf6\xba\xd5\x5a\x8f\xef\x7b\xa7\x95\xab\x99\x8e\x81\xfe\xeb\xbc\x11\x4c\xa4\x03\x82\xf1\xd4\x0a\x86\x78\x0c\xc8\xc4\xbb\xa9\xac\x3d\x48\xc3\x6d\x79\x65\xbd\x20\x9b\x71\x5c\xe8\x9c\x1f\x0a\x42\x82\x63\xef\x5c\x96\x96\xe2\x42\xd9\x64\x11\x3b\x04\x8c\xc5\x8b\xf3\xfe\xb3\x82\x3b\xe8\xcf\xfd\x6a\x02\xf2\x95\x91\x5a\xc0\xeb\x3d\x76\x04\xca\xce\xf2\xb2\xf0\xbf\xdf\x0b\x4e\xe9\x5f\xf6\xb7\x70\xd6\xe1\x19\x27\xcb\x4b\xed\x6d\x76\x09\x85\xd7\x84\x4a\x45\x73\x06\xe0\x49\xec\xc6\x11\xdc\x5d\x03\xdd\x7c\x3b\x7d\x7e\x59\x7e\x81\xbd\xdb\x63\xe6\x50\xef\xbf\xc9\x63\xb7\xee\x63\x1f\xc3\xb7\x06\x07\xec\x7b\x74\x79\x97\xb2\x81\xd1\x9b\x14\x2f\x0f\x2f\x90\x84\x83\x80\xdb\x37\x78\x4c\x99\x23\xfc\x57\xed\x63\x72\xad\x2c\xc0\x3b\x83\x75\xbd\x93\xca\xda\x77\x4d\xd1\x0d\x39\x5c\xbf\x4f\x7b\xac\xc2\x30\xe2\x7f\xc8\x63\x8b\x7b\xae\xea\xd0\xeb\x83\xb5\x4e\x87\xbf\xb0\xd7\xd5\x61\xbf\xa9\x9c\x16\x72\x92\x8d\x5c\x29\xaf\x1e\x63\x8f\x52\x5b\x82\xca\xd9\x2d\xfc\xff\x5b\x0b\x7e\xb2\x36\x3b\x78\xb9\x6a\xd3\x8e\xd3\x24\x4e\x85\xc3\xa4\x89\x1d\xa7\xa2\x51\x8c\x4c\x23\xb5\x0e\x72\x19\xd6\x04\xec\x69\xc4\x43\x1d\x9a\x05\xc6\x67\x55\x5e\x0e\x9a\x56\x07\xad\x05\x69\xdf\xfa\x96\x46\xef\x56\x94\xde\x54\x1b\xc3\x06\xaa\xed\x35\xda\xd7\xcd\xd7\x84\x0a\xd9\xac\x2b\x24\x17\x04\xfd\xcc\xd2\x0c\xe2\xc2\xd7\x75\xa2\x12\x7a\x6a\x49\x99\xc1\x41\x98\x5b\x59\x5c\x84\x8f\x10\x21\x9e\xad\xfb\x38\x0b\xf7\x66\x36\x2a\x92\xac\xda\x60\x61\x52\xf4\xdf\x5f\x63\x0c\xd6\x1a\xca\xda\xb7\x8f\x22\x99\xad\x5a\xbc\x95\xe2\xf6\x4b\x9e\xb9\x77\x69\xeb\x17\x5f\xdd\x61\x01\xef\x49\x13\xb5\x8a\x91\x83\x57\x86\x9b\x02\x06\x15\xca\x74\x72\x5f\x48\x21\x29\x94\xbe\xa9\x5e\x73\xb4\x4d\x9a\x4f\x4a\xdb\x7c\xd0\x63\xdf\x4e\xb3\x79\x29\xcf\x5a\x67\xb2\x5e\x5a\xae\xf6\xbb\xa2\xf0\x7f\xd7\x0b\x7e\xd9\x9b\xad\xba\x55\x35\xab\x95\x5c\x76\x9f\x6c\x8e\x34\xfa\xc1\x24\x92\x75\xa5\xac\x5a\xe7\xdd\x01\x65\x15\xfd\x39\x56\xfb\xdc\x87\x55\x13\xd7\x93\xb0\x3d\xd0\xc4\x11\x9b\x33\x6d\x7a\x8b\x4b\x73\x6a\xd3\x5b\x5c\x9a\xdb\xef\xa6\x27\x5f\x19\xb9\xe9\x7d\xcc\x63\x8f\xdb\x49\x57\xf4\xef\xf7\x82\x57\x78\x3b\xdd\xa5\x18\x54\x31\xc2\x82\x16\xe5\x59\xb7\xab\x72\x15\x07\xf4\x64\xbe\xba\x21\x0a\x41\x48\xf1\xf8\x05\xea\x1b\xf5\x96\x5c\xcd\x06\xd8\x16\xb4\xe6\x51\xfd\xf5\xe5\x31\x76\x3b\x2d\xa3\xcd\xde\x9a\x68\x84\xed\x76\x2e\xda\x61\x99\xb9\x60\x04\x95\x90\x85\xb3\x4b\x8b\x14\x8f\x49\x90\x32\xaf\x19\x0b\x66\x07\x2f\xda\xc9\xb3\x72\x59\x47\x4e\x38\x33\xa6\x28\x86\xa9\x25\x69\x1c\xd3\xfa\x2f\xd7\xd8\x47\x5c\xbc\x9f\x9f\xa8\x05\x8f\x9f\x53\x49\x24\x14\x92\xab\x53\xf0\xc2\x6e\x4c\x1f\x77\xda\x7c\x0f\xfb\x1e\xf6\xac\x4a\xd1\x71\x19\x6d\xb6\x60\x7c\x76\x05\xe7\x79\x38\x28\x11\xf7\x8e\x1e\xc4\xfe\xf1\x08\x7b\xc2\x9e\x48\x7d\xfd\xcf\x1e\x09\x5e\xe1\x2d\x0f\x33\xfa\x1a\xeb\x0a\x32\xfb\xc2\x84\x4d\xc2\x42\x71\x4e\x12\x71\x2e\x46\x6a\xcb\x35\x33\x07\xe4\xc2\xfa\x10\x4a\x7c\x1d\x2a\x21\x3d\xdb\x4e\x45\x5e\x6c\xc4\x5d\xde\x09\xd3\xb0\x4d\x67\xed\x9c\x93\x16\xc3\x73\x01\xfa\x47\x9c\xb6\x9b\x17\xbd\xc3\x9d\x2c\x8d\xcb\x2c\x77\x1d\xca\xef\x3a\xcc\x5e\xeb\x51\xb8\xf2\x2b\xbd\xe0\x05\xde\x9d\x14\xa4\x8f\xb1\xc0\x4a\xb4\xe7\x61\x94\x15\x18\xc2\x20\xcf\x43\xfa\x2c\x85\x18\x58\x9d\x38\xdd\x0f\x0d\x3d\x32\x26\x1b\x1e\xfa\x6b\x36\xb2\xed\x46\x99\x35\x7a\x85\x68\xc4\xa5\xbd\xac\xde\xe1\x31\x5d\x6d\x38\xf2\xab\x08\x89\x93\xfc\x0c\x5d\xae\x44\x1b\x92\x9d\xad\xde\x7b\x28\x6b\xb6\xe3\xfa\x17\x6c\xbc\x1b\x96\x1b\xfe\x3d\xc1\x92\xd3\x81\x91\x4a\xb3\x57\x14\xb6\x79\x96\x95\x75\x9e\x87\x94\xf4\x10\xaa\x70\xb8\x24\xc1\x5a\x97\xb9\x70\x7b\x77\xca\xfe\xcc\x7f\xf3\xd8\x61\x65\xae\xf3\x7f\xd1\x0b\x7e\xd2\x1a\x2e\x1b\x80\x01\xcd\x5d\xc0\x37\x39\xb5\x9d\xc7\xa5\x98\x6c\xf2\x65\x7a\x0f\xad\xf3\x96\x31\x0f\xf6\x44\x75\x53\xd9\xba\xe3\x94\x12\x01\x61\x27\xa9\xf6\xd4\x5f\x6a\x2f\x5a\x3b\xc0\xcf\x7b\x8c\x21\x6b\xb9\x5c\x1b\xfe\x7b\xbc\xe0\x2d\x56\x93\x56\xf4\x1d\x0d\x4a\x12\x96\x1b\xb2\x81\x9b\xa2\xcf\x73\x65\x93\x3f\x07\x41\x41\x76\x9f\x89\xb2\x05\xb5\x98\x92\x33\xb6\x89\x1f\x78\x78\x66\xe8\x9f\x78\xec\x08\x96\xbf\x2c\xd6\xfd\xdf\xd9\x0b\x39\xf2\xe9\xac\x15\x26\x98\x92\xb8\xac\x20\xce\x83\xb7\x0e\x35\x7b\x59\xac\xf3\xd8\x42\x41\x57\xe6\x9e\xc1\xd4\x0c\x6c\x5c\x65\x3f\x10\x4e\xe4\x43\xd6\x70\xf6\xe0\x55\x0e\x30\x98\x96\x80\x10\x42\x7e\x26\xec\x3a\x42\xf0\x57\xaf\x0a\x1e\xa8\xcd\x46\x61\x17\x05\xa0\x7a\x86\xc7\x29\xc4\x32\xe2\x27\x47\xe7\x46\xe9\x97\x2a\xd2\xa3\xd6\x84\x8b\xf9\x17\x6a\xea\xe8\x02\x8c\xb7\x36\xdd\x86\x94\xe4\x4a\x15\xb1\xca\xa1\xb5\x09\xa6\x5e\x48\x58\xaa\xdb\x0e\x36\x8c\x0d\x11\x78\x0c\xaa\x40\x25\xd5\xc9\xe0\x9d\xb0\xdb\x85\xec\xee\x6c\x1d\xbf\x54\x66\xca\x4d\x69\x5a\xad\x44\xf8\x48\xd9\x2d\xb5\x8e\x0a\xe1\xed\x48\xec\xbf\x3d\xc2\xfe\x78\x8c\x1d\xa5\x61\x3e\x93\x45\xc2\xff\xc2\x98\x22\xe8\xf8\xaf\x63\x66\x1a\x75\xb2\x48\xf0\xb5\xb8\x34\x10\xaf\xf2\xd4\xd4\x95\x1a\x1c\x06\xd5\xf2\x2c\xd5\xf9\x17\xd8\x63\x6b\x3a\x43\xc2\xc2\xcb\x49\x79\xd6\x2a\x55\x58\x8f\x3c\xf2\x6c\x0b\x91\xf2\xe9\xe9\xe9\x69\xa8\xef\xf4\x8d\x37\xde\x88\xa9\xdc\x91\x68\xc5\x9d\xe1\x07\xe1\xa9\xeb\x67\x66\x9a\x98\xcd\x8d\x99\xd4\x14\x48\x87\x25\xcb\x07\x9c\x97\x8b\x3a\x26\x61\x6b\xbd\xd6\xbd\x0b\xb3\x5d\x37\xcf\xc5\x9e\x99\xbe\xe1\xba\xeb\x9a\x7c\x9e\x08\xea\x63\x4a\xc1\x53\x6a\xa8\x14\x1f\x8a\xf4\x36\x04\x4f\xb9\x3a\xcf\x62\xaa\x6e\x69\xb2\xe6\x3b\x71\x7b\x83\x1c\x94\x90\x48\x91\xc4\xad\x12\x07\x1e\x80\x2e\x34\x11\x0c\x9e\x25\x91\xe0\x41\xcf\x26\x59\xb9\x3a\x82\xc4\x90\x5d\xca\x09\xab\x95\xeb\x93\xce\x9b\x58\x98\x19\x2b\x79\xfa\x71\x50\x0f\xee\x1f\x57\xf1\x4a\x6f\x1e\x0f\xbe\x3c\x36\x18\xa9\x00\x81\xfc\x6e\x72\x60\xc5\x4c\x77\x73\xfe\x5a\x22\xb2\x66\xa6\x59\x4d\xd9\xbd\xd8\x21\xb0\x42\x21\x80\x4c\xaf\xa8\x10\xdb\xb5\x0d\x5c\x37\x36\xcd\x8c\x94\xc4\xa0\x2c\x13\x10\x2a\x5d\xa6\x33\xd8\x70\xe8\xbd\xd4\xae\x44\x84\xeb\x64\xc4\x97\x0d\xb9\x10\xac\x24\xc2\xe6\x49\x87\xde\x26\x05\x5d\xc3\xfb\x2e\x4a\xcd\x49\xd6\xc9\xce\x9e\x20\xb3\x19\x41\x8b\xa8\xac\x4a\xea\x25\xdd\x11\x75\xbb\xc9\x85\x28\x7b\xd4\x35\xc0\x56\xa1\x04\x03\xda\x7a\x3b\x61\xbe\x29\x22\xae\x12\x1a\x9b\x1c\x63\x16\x94\xa1\x42\x2e\x5d\x08\xc1\x50\x21\x70\x36\xeb\x89\xfc\xc8\x44\xb3\x39\x81\x93\x31\xcb\x91\xc5\x0a\x67\x96\xbc\xee\xa8\xdc\x4d\x56\x67\xd7\xee\xba\xa3\xdc\x21\xfa\xab\x19\x44\x27\x7c\x93\x24\x7b\xae\x58\xc9\x9e\x4f\x0b\x9e\x54\x95\xec\x69\xe6\x5f\x96\x83\x97\x1c\xc6\x74\x54\xee\xe7\x2b\x9f\xc2\xbe\xbb\x7a\xf3\xc1\x63\x9d\xff\x3f\x6f\x0e\x66\x35\xe6\x01\xc4\xcd\xb7\x42\x1b\x78\x08\x35\xae\x12\x5c\x39\xdb\x61\x5a\xda\x9e\x46\x65\x39\xaa\x24\x59\x7a\xcd\xcd\xec\x85\x35\x76\x75\x12\x6f\x89\x54\x14\xc5\x52\x9e\xad\x09\xff\x7f\x79\x7b\x48\x14\x81\x47\x83\x07\xbc\x25\x91\xc7\x59\x14\xb7\xe4\x54\x5f\x53\xc8\x40\x54\x27\x55\x2c\xec\x16\x74\x4d\xad\x8c\x5c\xc0\xec\x30\xa6\x24\x7c\x7f\x3d\x8c\x93\xa2\x32\x56\xef\x92\xb9\x9c\xbb\x19\xfe\xa7\x21\x0f\x21\xad\x7e\x2b\x11\xd7\xe8\x2a\x36\xe0\xab\x05\x7b\x4b\x8d\x3d\x42\xea\x94\xb1\xe9\x85\xef\xaf\xed\xb9\x17\x7e\x7f\x64\x2f\xa8\x43\xa8\x2e\xbf\xba\x3b\x3a\x00\xed\x0d\x67\x7a\xf5\x86\x0a\x6d\x2c\xbe\x29\xfa\xe8\xcb\x1e\x3b\xa2\xc3\x4e\xfd\xdf\xd8\x8b\x42\xa8\x63\xac\xad\x1c\x96\xe0\xa2\x37\x97\x75\xba\xbd\x52\xe8\x5c\x82\xc2\xd8\x2a\xd4\x8e\xe5\xb8\xfe\x2e\xb7\x9d\x4e\xb6\xe0\x14\x6a\x25\x3a\x02\xbb\x68\x18\x9f\xff\x14\xfb\x4f\x35\xf6\xc8\xc2\x35\xff\xfa\xff\xc7\x1b\x01\xa9\x61\xa5\xda\xdb\x2f\x05\x1f\xf3\xd4\x15\x6b\x3f\x25\x73\x11\x7a\xf4\xd5\x02\xdd\x77\x73\xd0\x34\x35\xa5\xaa\x09\xf5\x17\x17\xca\xa9\x3d\x96\x53\x86\xc5\xa6\xe9\x13\xd1\x90\xc3\xae\xbb\x60\xb8\x54\xf6\x1b\xe3\xec\x2a\x58\xab\xbd\x2e\xae\x8c\x5f\x1e\xdf\xf3\xca\x78\xed\xf8\x8a\xf5\xe6\xa0\x31\xb0\x44\x9e\x64\x70\xff\x15\xbd\x56\x4b\x14\x85\x3c\x2f\xf6\x39\x14\x8c\xc0\x71\x83\x3b\x6d\x9a\x91\x62\x81\xb3\x12\x74\x1e\x71\x41\xb4\x7a\x90\x89\x90\x96\x71\xa2\x26\x90\x3c\x06\x94\xc2\x2d\xd9\x98\x5f\xad\xa5\x54\xd7\x15\x19\x12\x4e\x75\x7e\xaf\x94\xdb\xa1\x5e\x81\x8e\xa4\xe4\x48\x20\x60\xd1\x4c\x2a\x33\xbb\xd4\x93\x31\xdf\x8c\x47\xf1\x3a\xee\x50\xf4\x49\x1d\xd3\x58\x28\x67\xf5\x9a\x68\xc7\xc8\x0e\x0a\xd6\x91\x25\x30\x01\xeb\x85\x58\xd7\x84\xfd\xa8\xb7\xa1\x31\x98\x27\x99\x3c\x01\x00\x9a\x59\x06\x28\xc7\x08\x84\x92\xe5\x7c\x3b\xcc\x3b\xe0\xd5\x6e\x6d\x00\x62\x79\x98\x2a\x66\x46\xa0\x51\xeb\x37\xc8\x1a\xd6\x25\x7c\x2b\x53\xfd\xaf\xab\x38\x79\x60\x8c\x7d\x07\x1a\x5d\xa1\x16\x67\x10\xa6\x4c\xee\xf5\xfe\xfd\x63\xc1\xeb\x2d\x75\x7f\x09\x74\xdb\xd2\x42\x17\x00\x8d\xad\xcc\xac\x2b\xba\xf8\x89\x82\x5b\xa5\x6a\xf4\x33\x35\xb2\xdb\x79\x5c\x96\x02\xf0\xbb\x94\xe1\x42\x6b\x66\x76\x19\xeb\xda\xa0\xd5\xe4\x67\x54\x19\xe6\x5d\xa9\xc2\xa6\x91\xb6\xad\xae\xe5\xb1\x58\xe7\xeb\x71\x1a\x26\x04\x5c\x43\x84\xb5\x21\x5a\xcd\x8b\x42\xe4\x98\xa9\x1c\xc6\x49\x2f\xd7\xa0\x6c\x4d\x7e\x37\xd5\xab\xcc\x7b\x29\x66\xd3\x90\x0f\x0a\xd3\xb8\xd7\x79\x1b\x8e\x31\x64\x51\xb9\x6e\xfa\x49\x37\xf0\xb5\x7e\x29\x28\xed\x11\xd9\x39\x55\x1b\x13\x91\xb6\x65\x4f\x19\x62\x3d\x2b\x9a\x49\x75\x00\x30\x58\x62\xc5\x67\x8e\x6f\xae\xb9\x47\x8c\xa9\x48\x6c\x4d\x59\xdd\xd7\x48\xb2\x76\x95\x00\xb6\x35\xa2\xbf\xf0\xd8\x55\x5b\x96\x41\xc5\xff\x5d\x2f\xb8\x5d\x2e\x26\x75\x2e\x2c\x33\xb2\x09\xee\xda\xd1\x55\x1f\x32\x1a\xe3\x34\x6b\xb2\xfa\xae\x72\xc7\xb2\xed\x3c\xe8\xd5\x77\x31\xaa\x5e\xe5\x33\xa8\x1a\x68\x98\xfb\x48\x04\xfe\xdc\x18\x3b\x24\xd2\xad\x53\x79\xd6\xf1\x3f\x31\x16\x7c\xdf\x98\xe2\x02\xd2\x58\x9e\x16\x84\x4a\x35\x7c\x8a\x62\xab\x33\xfb\xdc\xaa\x3a\xce\x2b\xd4\x2b\xad\xbd\x29\xe2\x44\xcd\xfa\x30\xf7\x9c\xc5\xf9\x85\xb3\xab\x8b\xa7\x16\x17\x96\x91\x6a\x22\x46\x9a\x05\xf7\xf4\x91\x0b\x79\x20\xa7\xb0\x0d\xc2\x04\x31\x71\xd3\x46\x43\x91\x27\x0a\x29\xef\xe0\x88\x08\x68\x65\x78\xd2\xd0\xa4\x80\xbc\xd3\x4b\xca\xb8\x9b\xa8\x5c\x7c\x12\x99\x0a\x6e\xb3\xc8\x5a\xb1\xb1\x1e\x94\x0a\x6b\x91\xaa\x0d\xb5\x01\xa9\xd5\xcd\x45\x4b\x44\xf2\x94\x46\x64\xc1\xa6\xad\x6b\xf2\xac\xc5\x17\xd2\x2d\x15\xb4\x16\xf5\x50\xcb\xc5\x73\x58\x75\x19\xa3\xe7\xcb\x71\x36\xcd\x9a\xbb\xce\x97\x05\x1c\x46\xb4\xec\xb0\x4f\x79\xec\x40\x51\x46\x71\xea\x3f\xe0\x05\x3f\xed\xdd\xad\xd5\x7a\x5b\x25\x51\x1b\x78\x98\x24\x19\xf2\xca\xf0\xb5\x9e\x14\xf2\x70\x7a\x87\xd7\x87\x86\x57\x05\x97\x99\x0d\x88\xce\x6c\x85\x28\xeb\xa0\x1a\x52\x4a\xcb\x0e\xaf\xdb\x38\x63\x74\xcc\x8e\x53\xbe\x70\xe7\x29\xbd\x80\x65\x81\x60\x1d\x75\x3d\x51\x2f\xf0\xd8\x58\x59\xf6\xfd\xfb\x82\x64\xcf\xad\x59\x5d\x7d\x16\x3a\x8a\xcb\x42\x24\xeb\x75\x1e\x26\x45\x66\x2c\x16\x13\x50\xc5\x09\x12\x7d\x90\x43\xb0\x4b\x1d\xfe\xca\x63\x57\xa3\x34\x98\x17\x52\xb1\x2d\xfc\xdf\xf3\x82\xa7\x39\x57\x06\xb3\x22\x91\x5e\x23\xa2\x9b\xf8\x29\xdb\x45\x6f\xd6\x8d\x3d\xe4\x33\x6c\x8a\x35\xf6\x28\x22\xf0\xc3\x0f\x7a\x8d\x5d\x64\xc4\xd5\xfe\x51\xac\xc6\x7e\x85\xc4\x47\x3c\xc6\xe8\x6c\x39\x1f\xe7\xfe\x4f\x78\xc1\x5b\xbd\x39\x4b\xf2\xd1\x3d\x1e\x91\x45\x07\x95\x13\x98\x13\xae\x61\x61\x68\x12\x4d\x14\xda\x16\xaa\x96\xba\xec\x9b\x3a\xed\x87\xda\xbe\xa3\x75\xbc\x68\x78\x42\xc5\x1d\xd8\x7f\x46\xcb\xf6\x57\xd4\xd8\x01\x78\xd0\x7f\x51\x2d\xf8\x1b\x6f\x3e\x6b\x6d\xaa\x57\xc1\x54\x72\x29\x9a\xb8\x52\xb5\xa1\x94\x62\x80\xb5\x48\x9d\xad\x4d\x56\xcb\x46\xdc\x96\x73\x36\x11\x5b\x22\xa1\x06\xd9\x76\xc5\x32\xd3\x5d\x91\xe5\x5c\x9e\xe9\xf3\x38\x1a\x6a\x27\xc8\x30\xa5\x9e\xa8\x50\xf8\x44\x6e\x8b\x60\xc8\x9a\x17\xdd\x24\xeb\x63\x86\x3d\x18\x2a\x0d\xd0\x96\x0b\x14\xfc\x25\x8f\x8d\x89\x74\xcb\xff\x4d\x2f\x58\x54\x22\xbf\x5a\xbc\x93\x4d\x72\x58\xca\x8f\x96\x59\x4f\x64\x93\x6c\x62\x2f\x32\xeb\xae\x30\xdf\x93\xcf\x50\x8e\xd2\x7e\x26\xed\x8f\x78\xec\x88\x56\xda\xfc\x8b\xde\x1e\x6c\x34\xa7\xd5\xe3\x41\x32\xdb\xb2\x2c\x87\xe0\x1c\x32\x23\x45\xee\x41\x92\x36\x20\xcb\x81\x5d\xbb\xe8\x66\x69\x01\xda\x9c\x6d\x38\xa0\x22\x71\xcf\xaa\x3c\xec\xb2\xd7\x28\x8b\xd0\xcb\xbd\xe0\xdf\xd9\x26\xa1\xa1\x30\x6c\x15\xb8\x38\x7f\x76\xe5\x39\xa7\x67\x6f\x5b\x38\x4d\xf1\x91\xd6\x2c\x51\xe1\x35\x86\xa7\x29\xe4\xbd\x34\x7e\x6e\x8f\x6c\x82\xc7\xf4\xbb\x93\xbb\x2d\x9a\xaf\x8d\xb3\x43\xad\xac\xd3\x09\xd3\xc8\xff\xf3\xf1\xe0\xd3\xe3\x0b\x69\x99\xf7\x31\x47\x11\x86\x19\x51\x63\xf4\xa1\xc5\x6c\xf3\x1b\x22\x49\x50\x0f\x88\xac\x95\x36\x51\xf0\x85\xb3\xab\xcb\xcf\x5a\xba\x73\xf1\xec\xaa\x0e\xea\x8b\xdd\x6d\x84\x4e\x1b\x91\xdc\x58\x71\x0e\xda\x2c\xb3\x8f\x3f\x76\xd7\xec\xf2\x73\xce\xce\x9e\x59\x98\xa4\x03\x53\x37\x04\xf5\xd5\x38\x12\x6c\x9d\xcc\x9a\xd2\x64\x77\x54\x13\x7b\x47\x4a\x5c\xe3\xcc\xa1\x29\x1f\xa7\xdd\x5e\xa9\x12\x40\xb5\x94\x4a\x35\x2c\xb2\x6c\xa5\x5d\xad\xa2\x9f\x96\xe1\x05\x75\x88\x12\x45\x2b\xec\x6a\x92\x34\x1e\x65\x3d\xf9\xf1\xc7\x3f\xbe\xce\x63\x71\x92\x3f\xde\x7a\xb1\xc9\x17\xe8\x59\xab\xbd\x68\x40\x15\x5b\xc0\x9e\xae\x5b\x2b\xf7\xd9\x76\x98\x47\x60\xee\xcc\xd6\x07\xe0\x69\xa9\x81\xa4\xf3\x00\xbc\x42\x79\x19\xc6\x07\x3c\x65\xc7\xe9\xbd\xa2\x55\x36\xe4\xd1\xac\x61\xd9\xed\x70\x49\x89\x06\x4d\x93\x46\x98\xb7\x01\xa9\xdd\x3a\x87\x5f\x93\xf7\xe0\x4c\xd8\x08\xf5\x53\x71\xda\x08\x1b\x30\x49\x46\xf8\x6b\x5f\x52\x63\x8f\x84\x69\xb3\xd4\x4b\x12\xcc\x70\xf4\xff\xca\x0b\xfe\xc0\x5b\x04\xa9\xdd\xed\x25\x09\xc5\xb6\x34\xf9\x9d\x88\xae\x30\x0b\x6a\x45\x9d\x9f\x95\x1d\x56\xe7\x8b\xeb\x67\xb3\x72\x49\x99\x9d\xed\xe3\x01\x3e\x28\xa7\xde\x49\xca\x8c\x2e\xc3\xf6\x00\x9a\x4f\x96\x3b\x05\x18\xf2\xac\x87\xc8\x90\xe3\x6e\x1f\xd7\x40\x49\xb2\x9b\xf0\xb7\xdd\x13\xaf\x3e\xc0\x0e\x74\x21\xe8\xf4\x65\x07\x82\x97\x69\x15\x1d\x2e\xc9\xd6\x60\x20\x69\x65\x14\xcd\x82\xbc\x05\xa8\x6f\x18\x8c\x0a\x8e\xe5\x76\xbc\x45\x71\x48\x24\xca\x0c\x45\x56\x45\xc8\x0a\x9c\xe1\x28\x4b\xa6\x95\xa5\xa9\x20\xd1\x18\xda\x39\x6f\x85\xd4\xa4\x21\xed\x02\x92\x5c\x3a\x61\x1e\x83\xf5\x43\x17\x16\x26\x28\x2c\xb0\x83\xfb\x83\x55\x9a\xbf\x73\x61\x85\x9f\xbd\x73\x55\x6a\xc5\x5b\x42\x85\x5d\xc0\x7d\x68\x16\xa5\x19\x50\xc4\x2c\x9f\x4d\xfb\x78\x53\x7b\x0d\xc0\xeb\x80\xa6\x87\xd4\xc9\x0c\x0b\xa6\x9b\xf0\xbf\x40\xb6\x32\x07\xff\x00\x04\x81\x3b\xf5\xd7\x29\x7d\x60\x60\x89\xe5\xf2\xd1\xbd\x49\x6d\x7f\x68\x94\x74\xad\x36\x2d\x65\x79\xf9\xa0\xf7\xe4\x91\x71\x2d\xff\xd2\xff\x17\x0d\x53\x49\xf9\x06\x6b\x48\xf9\x58\x66\xad\x2c\xd9\x0b\x53\xd6\x83\xde\xf4\x2e\x1b\xeb\xb7\xf9\x8f\x70\x3f\xb0\x8f\x1d\xf6\x37\xc7\xd9\x11\xd0\xa0\xef\x4c\x5b\xc2\xff\xf8\x78\xf0\xb3\xe3\x77\x5b\x82\x68\x48\xd9\xd3\x68\x05\x49\x46\x89\x3e\x78\x44\x90\x92\x34\x15\x09\xc1\x89\xc5\x18\x44\xbf\x26\x44\xca\xb3\xae\x50\x47\x2a\xed\x33\x28\xcb\xb0\xb5\x41\x87\x3b\x3a\x62\x14\x98\xfc\x64\x4a\x2c\xca\x5c\x84\x1d\x05\xd1\xd9\x01\x86\xc3\xae\x3c\x0c\xa2\x41\x41\x9f\x01\xb1\x30\x5e\x10\x82\x11\x5a\xe8\x54\x8b\x14\xf7\x24\xe5\x56\xd5\xcd\xd7\xa8\x5a\x8e\xd7\x02\x8e\x9d\x75\xed\xd1\xd7\x06\x3c\xc5\xb2\x47\xf9\xfc\xf8\x45\x52\xab\x64\x79\xda\xe7\x98\x6a\x2a\x47\xac\x6a\x1a\x69\x37\x2c\xd8\xc3\x4c\x81\x54\x14\xd0\x63\xc0\x72\x2c\xea\x96\x51\x09\x3a\x5a\xd5\x14\xba\x3a\xa2\x84\x0f\x2c\x9d\x2e\x59\xc5\xd9\xa7\x67\x6d\x2f\xb4\xc2\x3b\x13\x14\x8d\xeb\xc8\xaa\x60\x2f\x1b\x4a\x97\x54\x56\xd0\xa1\xc3\x9f\xb5\x7b\xc9\xc3\x2e\xba\xdb\xaa\xcf\x7a\xce\x31\xeb\x7f\x8c\xb1\xc7\x55\x58\xd4\x70\x0f\xf8\xf8\x58\xf0\xa1\xb1\x45\x45\x69\xb8\x91\x6d\x63\x34\x42\x85\xa9\xcc\xe0\xae\xeb\xb0\x80\x26\x04\x78\xd9\x64\x1b\x03\x81\x0d\x95\x76\xbc\x21\x20\x59\x67\xdc\xcb\x5e\xa1\x3f\x99\x51\xda\x0d\x99\x6a\xa1\xe7\xc9\x54\xd6\xe4\xa7\xc2\x24\x59\x0b\x5b\x9b\xab\xd9\xe9\xac\x5d\xdc\x99\x2e\x80\xd7\xd2\xa9\x0b\x98\x1b\x5a\x1b\xbd\x74\x73\xc0\x01\x95\xb5\x79\xd6\x2b\xa5\x26\x42\xf6\xdb\xaa\x06\xaf\x53\x18\x0e\x4e\x41\xe5\xcc\x36\xa5\x88\x0b\xb1\x4d\xd8\x8a\x1c\xff\xa0\xc0\xd8\xe5\x17\xb6\x69\xed\xf8\xf4\x75\x37\xa1\xa1\x4e\x6e\x88\x37\x4d\xf3\x24\x4e\xa5\xac\x87\xd9\x06\x23\x2b\x97\x49\x27\x94\x87\x10\x77\x8f\x95\x1d\xbd\x9b\x86\xf9\xa5\x71\x36\x1e\xe6\xed\xc2\xff\xdc\x78\xf0\xc1\xf1\x59\x52\x1e\x34\x6a\x89\xd0\xfa\x66\xa5\x32\x39\x77\x66\xfe\x8a\x16\x79\x45\x8b\x1c\xa9\x45\x7e\xa2\xc6\x78\x15\x5c\x67\xd8\x11\x45\x37\x6c\x21\x2c\xea\xdb\x6b\xc1\x0d\xce\x95\x9d\xb1\x51\xa5\x5a\xc4\xf5\xb3\x6e\xd8\xcf\x17\x3d\xf6\x5b\x1e\x63\x60\x3d\x8f\xef\x13\x79\xe1\x7f\xd2\x0b\xde\xe3\x9d\xd2\xbf\x29\xf6\x3c\xeb\x86\xf2\x38\xa6\x13\x21\xed\xf8\x7a\x95\x47\x41\xd8\x81\x10\x0b\x14\xa6\xc8\xf9\x81\xae\x55\x05\x2d\x43\x72\x16\xf9\xd8\xf6\x35\x0a\x0a\xfc\x54\xe4\x8d\x56\xd2\x93\xff\x62\x94\x80\x6c\x51\x31\x35\xa2\x33\x3f\x79\x95\x13\x5d\xeb\x10\x6f\x2a\xce\x4d\x4c\xa3\xfd\xe1\xab\x82\xbf\xaa\xd9\x57\x06\xf1\x13\x5b\x70\xd1\x25\xdb\xac\xdb\xc1\x2f\x64\x1e\xa3\x5b\x7c\x05\xb2\x45\xe4\x2a\x39\x1f\xe3\x25\x28\xa1\xe9\x36\x32\x2e\x1a\xa4\xf7\x35\xe0\xf6\x79\x0e\xf3\x95\x42\x0c\x5c\xb7\x96\x66\xc5\xa5\x4c\x13\xee\x54\xd7\xec\x1d\x56\xd2\xa0\x0e\xbc\x22\xd3\x32\xe9\x24\x03\xed\x24\x6b\x31\xa4\x02\x02\x9d\x85\xa9\x82\xa3\x4f\xa4\x62\x5b\x37\xcf\x90\x67\xc9\x25\x0e\x91\xe2\xd4\x45\x56\x84\x8c\x52\x52\x35\x6e\x29\xb0\x06\xd0\x46\x8a\xdd\xe1\xcc\xc7\x9f\x39\x7c\x05\x89\xea\x0a\x47\xc0\x37\x0e\x10\xea\xd3\x36\x20\xd4\x03\xde\x65\xf2\x82\x04\x2f\xf2\x34\x26\x14\x76\xe6\x44\xf1\xf5\xc7\x85\x62\x5f\xf6\x88\x9e\xe4\xf3\xde\x08\x84\x9a\x9d\x45\x23\xd0\x94\xbc\xc1\x83\x5d\x26\x76\x29\x4a\xaa\x08\x88\xe1\x9d\x87\xbd\x75\xb2\x41\x0d\xb9\xa7\xa2\x3a\xfb\xa0\xd7\xda\x1d\xfc\xea\x56\xff\x16\x07\xfc\xca\xe0\x5e\x59\x8d\x1f\xe0\x09\xb5\x1b\xc5\xd8\xa7\x8f\x38\xd1\x62\xf9\x5a\xd8\x32\x69\x6d\x59\x22\xfc\x9f\x38\x12\x7c\xda\x93\x7f\xe1\x9a\xd3\x9b\x54\x54\x97\x0a\x6b\xdc\x52\x89\x8f\x14\x71\x30\x84\x70\xa8\xb3\xf2\xf5\xae\x02\xd6\x53\xd9\x55\x78\xa8\x94\x65\xdf\x26\x37\x82\xb4\x2d\x95\x57\x85\x86\x2d\x95\xb6\xad\x99\xe6\xcc\x8d\x40\x01\x17\x6e\x21\x30\x3f\xd4\x0f\x73\xf1\xe3\xfb\x30\xe0\x40\x85\x66\xcf\x40\x49\xc4\x15\x85\x31\x8f\x10\xd7\x80\x0a\x17\xf1\x6c\x62\xa1\xc7\x8f\xbb\x42\xfa\xcb\x07\xaf\x08\xe9\x2b\x42\xfa\x1b\x27\xa4\x37\x2c\x19\xfd\xaf\x2f\x57\x44\xff\x8b\x11\x12\x9a\xf5\xd9\x81\x1c\x90\x4b\xbb\x41\x03\x17\xe9\x46\x96\x44\x18\xdf\x81\x71\x4b\x66\xf9\x6a\x12\x36\xb9\xae\x6c\x8d\xf4\x3a\x76\x7c\x44\x0c\x9b\x23\x42\x6c\x0c\xd1\x8d\xdd\xe5\xd9\x82\x3f\xd7\x20\x31\x25\x3f\xea\x12\xd3\x0c\x20\xfb\xed\x28\x0a\x18\xfb\xd4\x51\xf6\x78\xab\x46\x6b\x61\xd9\xda\x30\xa4\xdc\x79\x96\x3e\x3d\x5b\x83\x43\xc7\x3b\x8e\x06\xcf\xb2\x7e\x5b\x47\x0e\x65\xd3\xb8\x37\x5b\x23\xe7\x0a\x10\x07\xc6\xc0\xe6\x9a\x6d\xa2\xab\x8f\x68\xe9\x52\x0d\x74\x13\xb6\xca\x1e\xa2\xf4\xf4\x52\x00\x4b\x46\xda\x04\x71\xd1\x3b\x7a\x6f\xb6\xb6\x2a\x3a\x5d\xb9\xaa\x1d\xd9\xf3\x56\xc6\x7e\xc1\x63\xdf\x65\xe2\xca\x9e\x9e\xad\x15\xb7\xc7\xf2\x50\xd1\x3f\x1d\x77\xe2\xd2\x7f\xb3\xa7\xd2\x16\x5e\xe6\x49\xe5\x1b\x29\xd5\x10\x00\x5a\xbd\xc4\xe5\x50\x00\x71\xeb\xbd\xd9\x1a\x62\x03\x09\x79\x6a\xb3\xb3\xb0\x61\x89\xc8\xb5\x93\xf1\x28\x2e\xe4\x12\xec\xc5\xc5\x86\x4e\x40\x50\x69\xe3\xfc\x3e\x91\x67\x08\x3f\x66\x7b\x8f\x5d\xc3\xc2\x09\x37\xf8\xfe\xcd\x1e\x3b\x54\xf4\x8a\xae\x48\x23\xff\xd5\x5e\xf0\x1f\xbc\x55\x6d\xb5\x2a\x45\x42\x38\x61\xc6\x53\x8a\x6c\xb1\xf0\x38\xc2\xa7\x3f\xb7\x27\x97\xac\xee\xe7\x02\xd8\xea\xa2\x4c\xa0\x21\x41\x9e\x52\x11\x9f\x23\xc9\x45\x18\xf5\xb9\x0a\xf6\x35\x2f\x34\xf9\x70\x62\x97\x1b\x36\xf0\xc9\x1a\x7b\x54\x2b\x4b\x91\x11\xac\x45\x70\x8d\xfe\x4f\xd7\x82\x1f\xa9\x11\x40\xbe\x1a\x75\x79\x36\x10\x21\x44\xa2\x2b\xfe\x30\xf3\x21\x8c\xaa\x7b\x7a\xb6\x06\x41\x27\x71\x64\x51\x11\x9e\xe4\x0d\x1e\x40\xbe\x73\xc0\x8f\xd1\x91\x60\xf2\xa4\x4a\xfa\xa5\x69\xa6\x71\x9b\x4c\xe9\x49\xff\xc9\xf2\xcd\x53\x80\xc7\x15\x9c\xd4\xc0\x5c\xd6\xf7\xf3\x9e\xec\x93\x62\x33\x86\x0c\x1a\x9e\x8a\x0b\x70\x8d\xc7\xeb\x60\xac\x8f\xb3\x1e\x00\x0e\xc9\xf3\x4e\x3a\x51\x9a\xc9\xd0\x17\x25\x94\xbd\x2c\xba\x49\xd8\x12\xc1\x49\xb9\x1d\xb7\x44\x62\xb3\x58\xd2\xa1\x1e\x66\x3a\x1a\x29\xe1\xd9\x02\x27\x35\x82\x4b\x89\x6d\x9e\xa5\x62\x00\x4a\xee\x3b\x30\x60\x71\x68\xbe\xbe\x5e\xcf\xd7\x17\x0f\xcc\x57\x7c\xe1\xeb\x3d\x57\x67\xdc\xb9\xfa\x52\x8f\xd9\x8b\xd1\xbf\x8f\xdd\xb0\xa3\x2c\x73\x25\xc7\xd3\xcd\x5b\xa0\x41\xde\x6a\x26\x8e\x12\x15\x4e\x6a\xb5\x26\x6d\xd9\x80\x2a\xc3\x14\x02\x9f\x0b\xcd\x85\x26\xbb\x87\x69\x11\xe1\x3f\x23\x98\x97\xbd\xa5\x7e\x03\x13\x6e\x8e\x1c\x4c\x9d\xb0\xac\xf3\x42\x08\x93\x97\x96\x36\xb7\xe3\xcd\xb8\x2b\xa2\x38\x6c\x66\x79\x7b\x4a\xfe\x9a\x92\x8f\x3b\xa6\xbd\x8f\x79\xec\xb1\x2a\x16\x6b\x5e\x84\x51\x12\xa7\x62\x45\xb4\xb2\x34\x2a\xfc\x77\x79\x8a\x59\xf5\x35\x3a\xa7\x8e\x47\xf4\x90\xfc\x78\x81\x0f\x52\x18\x12\x16\xa2\xdb\x89\x50\x5f\x9d\x18\x0c\xcf\xaa\xca\x11\x5a\xbe\x91\x34\xaa\x4f\xf4\xa1\x4d\xce\xcf\xc8\xc7\x68\xb4\xad\x95\xa4\xbb\x89\x42\x27\xc3\x42\x4d\x90\x2c\x15\x85\x3b\x68\xff\x6d\xac\x3a\xa7\x58\x65\x47\x18\x56\xb2\xb7\x8d\x05\xbf\xe4\x0d\x5f\xb7\x88\xc9\x4c\x4a\xc5\x43\xc5\x4d\x36\x2a\xff\xee\xa1\xa0\x27\xfb\xb5\x6f\x1a\x7a\xb2\xa7\x59\x19\x2b\x4f\x0e\x1a\xa3\x33\x56\x46\x65\xa9\x7c\xf2\x70\x25\x43\x99\x15\x70\xe9\xff\xe8\xe1\xe0\x56\xeb\xb7\xb5\x39\x87\x18\x03\xaa\x83\x9c\x09\x18\x44\xc7\x3e\x18\xe7\x2b\xa5\xa9\x5c\xf4\x8e\xe8\xd0\x4c\xa7\x67\x1f\x38\xc4\x4e\x52\xc7\x1e\x0f\x9e\x80\x09\x6d\x2e\x67\x8c\xea\x6c\xf5\x15\x67\x81\x95\x56\x9e\xf1\x46\xf0\xec\x33\x2a\x7b\x59\x84\x51\x43\xb1\x38\xa0\xa1\x09\x2e\x41\x8e\xb1\x71\x62\xf3\x63\x98\x80\x0c\x69\x53\x5a\x78\x4d\x36\x77\xdb\xca\x5e\x04\xbb\xed\x1a\x44\x37\x5f\x08\x36\xc1\x3b\x62\x65\xef\x51\x6a\xd6\x00\x09\x9b\x6d\x4c\x57\xc9\x5b\xda\xbe\x46\xd1\xcb\xee\x97\x83\x80\x1f\xc3\x27\x27\x0a\x48\xc8\x9e\x74\xda\xfe\x0b\x35\x76\x94\x6a\xb1\x70\xa1\x9b\xe3\x91\x69\x41\x59\xf1\xbb\x0f\x61\xa5\x6e\x13\x1b\xe1\x96\x94\x33\x71\x27\x4e\xc2\x1c\x75\x81\x15\xfc\x34\x38\xbc\xab\x96\xd0\x43\xe5\x6b\xd8\xa5\x47\x54\x3d\x64\x17\x60\xb8\x17\xd5\x2b\x04\x16\x05\x52\x07\xc5\x85\x56\xd2\x2b\xe2\x2d\x77\xf6\x3c\x97\x99\x59\xe9\x47\xc1\xdd\x83\x03\x69\x9c\x46\x4e\xbc\xfa\xce\x1d\x85\xc9\xa8\x76\x16\xdd\xc4\xc9\x09\xe7\x93\x9f\xf5\xd8\xb7\xe1\x37\xf3\xac\x1b\xb6\x11\xf2\xf5\x23\x5e\xf0\x93\xde\xe0\x55\x1b\xc5\x44\xaa\x45\x70\x1f\x33\x24\xba\xf4\x94\x8d\x1a\x02\x58\x5b\x4e\xd8\x95\x72\x7d\x61\x82\xc5\x76\xd8\xe7\x61\x9e\xf5\xd2\x88\x2c\xb7\x3a\x5c\xf5\xcc\xc0\x87\xcf\x66\xa9\x50\x2e\xa5\xe6\x40\x44\x1f\x00\x09\xc5\x29\x9f\x69\xce\x4c\x3b\xed\x7a\xff\x98\x4d\xba\x5f\x6d\xfa\x21\x24\x8d\xdb\xc2\xd6\xa6\xd4\x53\x5f\x30\x16\xcc\x55\xde\xb1\x67\x4e\x08\xa8\x72\x28\x43\x15\x1d\x1c\x1a\x30\xe8\xe1\xca\x44\xb8\x77\xd4\xd8\x05\x92\x2a\xdd\xa0\x75\xd6\x4a\x03\xb5\xcc\x20\x94\x97\x85\x06\x75\x95\xa4\x05\xc2\x07\xfc\x3d\xca\x69\x05\xe4\xbf\xda\xea\xa2\x72\xb1\x95\xcd\x9a\xac\x0b\x76\x57\xfc\xa8\xc7\xc6\xbb\x59\x2e\xcf\x0d\x23\x20\xa8\xdd\x1e\x72\x3b\x60\x29\xcb\xcb\xa0\xb5\x04\xe9\xd7\x43\x09\xb1\xba\xda\xb3\x18\xfd\xa1\x70\xff\xf0\x07\xaa\x7a\xb1\x95\x83\x85\xb0\x99\x95\x1d\xdd\x64\x3f\x73\x90\xcd\x58\x95\x52\x9e\x14\xa5\x70\xa1\xc4\x9d\x05\x7f\x7d\xc7\x50\x57\xbe\xe0\x60\xf0\x3b\x5e\xf5\x3d\x97\x28\x9a\x56\x0a\x28\x65\x16\x01\x38\xfa\xff\xa3\x26\x5f\x86\xd8\xd6\x34\xdb\x46\x24\xa1\x25\x79\xd6\x2c\x4a\x91\x2a\x44\x72\xb2\x5d\xa9\x17\xf8\x56\x1c\x72\xc5\xde\xa6\xae\xe6\x75\x30\x50\x01\x51\x13\xdf\x46\xd4\x21\x05\x8b\x59\x64\x0a\x1e\x4b\x63\x70\xa6\x44\xb2\xb7\x70\x21\x6c\x49\xed\xdb\xe2\x55\xa1\xaf\x61\x66\xb3\x35\x9b\xfe\xf3\x38\xfb\xc8\x18\xfb\xb6\xd8\xc2\xc0\x82\xc3\xeb\xbb\xc6\xf6\x90\x34\xa7\xdb\x54\x9a\x37\x83\xbf\xa8\x0d\x16\x66\xb1\xc3\x93\x25\xc0\x0e\x42\x4a\x85\x3c\x66\x86\x39\x1e\xc2\x30\x60\x23\xe4\x5d\x5d\xb4\xea\x68\x3b\xfe\x9e\xc0\xa7\xa8\xfd\x36\xe2\xc1\xe0\xa2\x36\x78\x01\x30\x0a\x8a\x44\x6f\x6e\x65\xf1\x4c\xdc\x56\xa4\x7c\x08\xcf\x04\xdc\x5b\xba\xaa\xc0\x3f\x9f\x50\x5e\xbe\x48\x54\xdc\xc3\x88\x4f\x23\x3d\x54\x55\x9f\x54\x49\x9a\x06\xc6\x09\x57\x21\x96\xad\xf5\x09\x3f\x88\xac\x9c\x8a\x01\x70\xc7\x8a\xb3\x33\xec\x31\xdd\x81\xef\x4a\xc1\xe0\x5f\x1f\x1c\xb3\xf5\xb9\xe1\x4e\xd5\x5d\xee\xac\xf2\xb7\x1e\x64\xcf\x36\xc3\x2d\x27\x65\x0a\xf1\x33\x0d\xc3\x76\x65\xa3\x0b\x99\x07\x40\x6d\xee\x15\x65\xd6\x51\x09\x93\xf3\x7a\x06\x69\x90\x21\xff\xbf\x1e\x08\x9e\xb5\xeb\x53\x36\xd8\x52\x19\xc6\x49\xa1\xc7\x4e\x9d\x5b\x0d\xff\xbf\xb2\x91\x52\xee\x70\xd9\xef\x8a\x8b\x1e\x91\x7d\x3b\xb3\xfd\x13\xe3\x4c\xb0\x43\x14\x4d\xe1\x3f\x3b\x38\xa3\x02\x2b\xe0\x5c\xb8\xd1\xeb\x84\x08\x74\x0c\x7b\xbc\xbe\x87\x7e\x44\x08\x80\xa7\xaa\x60\xe0\x1c\xc4\x72\xc0\x3c\x81\x6a\x38\x5d\x78\x2f\x3b\x88\x47\x14\xff\x7c\xb0\x82\x7f\xe1\x47\x30\x54\xb7\x2e\xd7\x66\x63\x3b\xcb\xa3\xba\xb1\x10\xd2\xa1\xc6\x34\x54\x35\x70\xa2\x18\xf9\xad\x67\x6b\x62\xf3\xa5\x60\xae\x70\x38\xca\x0d\x37\xb9\x53\x20\x18\x2b\xa5\x3c\x58\x05\xfd\xf1\x14\x46\xfe\x9c\x4b\x37\xd3\x6c\x3b\x1d\x50\x23\xa0\x3b\xfd\x38\xf8\xd7\xf2\x5f\x55\x2e\xfc\x3d\x5c\x2a\x01\xb0\x21\x9a\x3c\x5f\x00\xce\x7b\x38\x8d\xd7\xd1\xa5\x3e\x0b\x01\x4f\x14\xb0\xb4\xaa\x02\x5c\x14\xba\x86\x01\x25\xf5\x65\x73\x57\x75\x6b\x57\xe3\x8e\xf0\xbf\x7f\x84\x3b\x66\x84\xf1\x52\xbe\x1b\xac\x0c\x97\x47\x3d\x0a\x69\x89\x76\x23\xac\x4e\x56\x2a\x88\x14\xa3\xd4\x91\x40\xfa\x06\x4a\x47\x93\xfd\xed\x0d\x95\xc7\xc6\x05\x05\x56\x68\x92\xe2\x3f\x79\x43\xf0\xa2\x03\xb3\x29\x1f\xbe\xa5\x90\x93\x9c\xdc\x78\x07\x26\xb8\x14\x9d\x6e\x96\x63\xb8\x25\x52\xce\xc1\x0e\x2e\x67\x63\x37\x8b\x88\xce\x52\xe4\x0d\x4c\x44\x85\xbe\x6d\x95\xf1\x16\x82\xb1\xa9\xcc\xbe\x48\xac\xf5\xda\x6d\x70\x82\xe8\x3a\xd8\x29\x77\x10\x46\x9e\x66\xc6\x58\x2e\x8f\xe5\x78\xf0\x96\x1f\x6a\xf7\xc2\x3c\x4c\x4b\x21\x0a\x1d\xcd\xd6\x77\xa0\x1f\x4c\x8a\xbc\xca\xd9\x82\x94\x2c\xc8\x74\xd8\x46\x57\xba\xac\x2c\x6c\xdd\x98\x3d\x0e\x74\x81\x76\x28\x9a\x6c\xd8\x70\xd5\x78\x2b\xec\x15\xa2\xa0\xf7\x21\x14\xb6\x25\x44\xc4\xd1\xf8\x4e\x95\xa5\x7c\xa0\x38\x4b\x35\x32\xa1\xea\x43\xb1\xa5\x90\xb0\xab\x9a\xad\x60\x21\x74\x67\xaf\xf5\x29\xc7\x25\xe9\x73\x15\xaf\x6b\x92\xa1\x55\x84\x42\xdf\xe4\xb7\xc1\x5b\x72\xe7\x2e\x35\x22\xa2\x6e\x85\xf5\xa1\xa2\xb7\xa6\x6a\x3b\xd8\x83\x61\xb7\x2b\xc2\x7c\x10\xa3\x8f\xcb\x93\x34\x41\xde\xed\xcc\xeb\xa8\x36\x06\x0a\xa5\x18\x9e\x5e\x85\x03\x3d\x58\xa9\x4e\xbe\x77\xe6\x4a\x8e\xe0\xb7\x6a\x8e\xe0\x95\x08\x7b\xfb\xdc\x02\x47\xa6\x37\x7b\xc1\x7f\xf6\x6c\x9d\xa8\x4a\xe8\xec\x9c\x8c\x03\x4b\x11\x4e\x25\x6a\xfa\x52\xea\x4d\xd8\xc9\xd2\xf6\x40\x26\x73\x1d\xd0\x01\x6c\x81\x23\x97\x7e\xc5\x07\xdd\xd4\xad\x7f\x37\x8c\xeb\x90\x5c\x02\xac\xc3\x4d\x03\x17\x54\xe4\xa4\xc2\x42\x05\x06\xe2\xaa\xba\xb0\x3f\xab\xb1\x47\xa3\xf1\x51\x0b\x12\xd0\x26\x3f\x5b\x0b\x3e\x56\x43\x3e\x07\xa2\xf0\xad\x4c\x65\x82\x3d\x73\x29\x8b\x40\xf5\x37\x6c\x90\x55\x1d\x8d\x5f\xa1\x14\xf1\xaa\x07\xf4\xda\xef\xe9\x4c\x53\x13\xc9\xc6\x8f\x2d\x2e\xcd\xd5\xf9\xd2\xe2\x3c\x00\x9d\x4f\x6a\x3d\xd0\x12\x43\x2a\x4f\x11\x68\xae\x49\x54\x54\x7d\x28\x2e\xd4\x37\xb6\x37\xc2\x12\x22\x29\xad\x0f\x85\xb9\xe0\xc5\x46\x98\x5b\x34\xdc\xc0\xd5\x70\x36\x53\xe1\x65\xd5\x01\xf1\x30\x49\x14\xda\x18\xba\x95\x49\x65\xb7\x07\xfc\x9f\x67\xd2\xe9\x95\xd0\xe0\x2b\xa1\xc1\x0f\x6f\x68\xf0\x95\xf4\xc6\x2b\xb3\xef\x1b\x37\xfb\xbe\x05\x92\xea\x7f\xd1\xc1\xd1\x7a\xdf\x25\xe3\x68\xdd\x67\xe0\xb3\x34\xf0\xe3\x6e\x5a\x48\xf5\x89\xad\x57\x08\x5e\x74\x11\x33\x5c\x17\x49\x81\x1b\x0a\x16\x42\x93\xf2\xc8\x2d\x9a\xdd\x3b\x00\x09\xf5\xec\x3d\x23\x42\x4d\x2f\x19\xdc\xa6\xbd\x29\x4e\xff\x1c\x01\x66\xbe\xf5\x81\x06\x92\x21\xc0\xbd\x87\x73\x0e\x7d\xeb\xe1\xba\x5c\x49\x23\xbd\x92\x46\x7a\x25\x8d\xf4\x4a\x1a\xe9\x65\xa4\x91\x7e\x33\x40\x43\x75\x6c\xb8\x99\xf3\xfb\x42\x9b\x39\xae\xff\xdc\xbb\x11\x66\x73\x10\xeb\xf6\xe1\xdc\x74\xae\x20\x1c\x7e\x6b\x20\x1c\xc6\x0a\x04\xeb\x7c\xb0\xf2\x30\x40\x60\xd9\x9f\xea\x2b\xc8\x92\x6e\x30\x85\x14\x79\x7b\x9e\x6e\x97\x89\xaa\xc1\x7e\xa6\xc6\x26\xf6\xc8\xe9\xe0\xff\xc7\x5a\x50\x54\xdd\x30\xee\x65\x91\x66\xbd\xf6\x86\x13\x92\x50\x66\x3c\x11\x88\x51\x4d\xe2\x64\x20\x4e\x85\xd2\x48\x08\x68\x64\x38\x92\xc6\x8d\xb1\x78\xc9\x37\x4d\x84\xe5\x7b\x6b\xec\x36\xab\xe7\xd6\x93\x6c\x9b\x02\xe7\x4d\x52\x45\x1e\x67\x79\x5c\xf6\x4f\x8b\x2d\x91\xcc\xd9\x70\xc4\xa6\x53\xbf\xea\x05\xf7\xee\xe1\x39\xd3\xc7\x4e\xe7\x22\xf0\x4b\x6c\xd9\xfa\x02\xca\xa3\x69\x74\xa9\xd0\x80\xf0\x60\x20\x4c\xab\xca\x6b\xb5\xc1\xd6\xa9\x43\xff\x4d\xf0\x8c\xf3\xf2\x8f\xf3\xca\x44\x6a\x1b\xa5\x55\x79\x0e\x28\x1b\x55\x93\x3e\x61\x8d\xaa\x22\xb6\x71\x96\xd4\x07\xaf\x66\xd7\x8c\xca\x61\xa3\xec\x32\xff\x55\x57\x07\x3f\x32\x66\x5d\x70\x03\xbd\x72\xc8\x1e\x5b\xeb\x59\x89\x07\x2a\x8a\x2e\x2e\x9b\x1c\x22\x4f\x80\x53\x5a\x75\x1d\xa6\xae\xed\x10\xa7\x05\x51\x4f\x73\x98\xd9\x6d\x3f\xd6\x4e\xb2\xb5\x30\xb1\xa6\xa1\x2c\x37\x8c\xa2\x82\x6f\x6f\x64\xce\x20\x6c\xc5\x21\x5f\xe9\xe1\x6c\xc1\x10\x77\x5d\xb8\xfd\xd8\x5a\x9f\xc4\xba\x75\xbb\x34\x8e\xb4\x26\xb7\x13\xec\x0a\xc4\x26\x6b\xcb\x5d\xcb\xae\x2c\x84\xb6\x84\x5b\x82\x0b\x24\x68\x88\x69\x0e\x58\xd5\xbc\xec\xcc\x3c\xaa\xc2\x5e\x13\xf4\x2e\x7a\x87\xe4\x88\x2c\x8b\x75\x67\x56\xfd\xd6\x61\xf6\x52\x8f\x1d\x2e\xa8\x63\xfc\xe7\x05\x4f\xd1\x9d\x84\xa9\x4c\xd6\xa0\xd2\xdc\xa5\x25\x87\xab\x39\x53\xa0\xf7\x70\x7f\x1f\xb6\x77\x67\x5a\xd1\x37\xaf\xa4\x0d\x5e\x49\x1b\xfc\xe7\x90\x36\xf8\x07\x1e\x53\xab\xd1\xff\xbc\xb7\xd7\x45\xb2\x8c\x6f\x04\xef\xf4\xe8\xaf\x91\x02\x54\xc5\x8c\x5d\x92\x0c\xc5\xbd\xc4\xfa\x4c\xa5\xe1\x7d\x96\xc4\x93\xc8\xd1\xed\x97\x8b\xb2\x97\xa7\xe6\xfc\xf4\xa0\x97\xed\x9e\xa3\x78\xda\x7f\x7a\x63\xf7\x1c\x44\x6e\xa5\x31\x92\xe4\xab\xca\x66\x64\x3f\x58\x63\xc7\xf7\x34\x54\x4b\xb9\xb0\x78\x09\xbf\xe4\x05\xcf\x76\xae\x68\x67\xf7\x7a\x2f\x59\x8f\x13\x08\x39\x11\xeb\x72\x5a\x02\xd8\x09\xa1\xb3\xf3\x63\x38\x81\xeb\x3c\x12\x89\x90\xff\x8a\xb2\xd5\x9c\x04\xfb\x42\x98\xe7\xb1\xd4\x9b\x7a\x03\xe1\xa7\x3d\xd6\x60\x63\xbd\x38\xf2\xff\x55\xf0\x9d\x6e\xc2\x13\x65\xbf\x9c\x5b\x9c\x77\xb6\xe3\x79\xf6\x48\xb5\x34\x95\x5c\x9c\x09\x1e\x5f\xf9\xea\xb2\xfb\x9c\x5d\xca\x1f\x3e\x72\x27\x1a\x13\xcc\x2e\xf1\x3f\xfa\xc8\xe0\x46\x93\x6b\x82\xb2\xdf\xd5\x1e\xc0\xd8\xb2\x0e\xb1\xc9\x51\x41\xc1\xe9\x85\x4e\xe1\x50\xed\xbb\xff\x11\xec\xb5\x63\x8c\xad\xc5\x69\x98\xf7\xe7\xe5\x5a\x7a\xe9\x58\xf0\x07\xb5\xdb\xf4\x6f\x2b\xe0\x74\x43\x70\x7c\x8e\x23\xe0\xc1\x02\xb1\x0a\x61\xef\x03\x4a\x89\x62\x33\xed\x6e\x84\x69\xaf\x23\xf2\xb8\xc5\x5b\x1b\x61\x1e\xb6\x4a\x08\x37\x98\x68\x4c\xd4\xf9\xc4\x73\x26\xe4\xe4\x9e\x68\x4e\x34\xb9\xfd\x9d\x50\x9b\xa1\xe0\xd4\xc2\x31\x31\xb2\xa5\x99\x78\x49\x7b\xa7\x65\x70\x6e\xf5\x54\xe3\x26\xa4\xb6\xb6\x62\x79\x8a\x32\x23\x6f\x82\x55\xb2\x26\xa9\x97\x3a\x69\x02\x64\x46\x14\x37\x93\xa5\xa2\x82\xf2\xab\xae\xad\x8f\x22\x05\xf6\xbb\x48\xa1\xfe\x43\xd0\x0f\x76\x2f\x99\x8c\x9a\xfc\x1c\x39\xc6\x74\xfc\x2c\x59\xeb\x40\x55\x83\x58\xfd\x27\x72\x1d\x96\x0a\x3b\xd1\x26\x52\xb5\x37\xef\xf7\x1e\xcd\x1e\xe5\x8f\xcb\xc6\x5a\x63\x6f\x0d\x0f\xfb\x54\x8d\x8d\x83\x80\xfb\x68\x2d\xf8\x91\xda\xf0\x70\x0c\x8f\xf8\x43\x32\x2a\x14\x2c\x04\xdd\x94\x66\x69\x03\xfb\x7a\x60\x50\xa0\x78\x65\xee\xb1\x7a\x1b\x3a\xa1\x72\x48\x76\x19\x0c\x9b\x7f\x6d\xb0\xbc\x7d\x0d\xc9\xfd\x03\x9e\x2e\xbb\x47\xff\xc8\x63\x47\xe2\x4e\xa7\x57\x86\x6b\x89\xf0\xbf\xe0\x05\xbf\xe2\x2d\xaa\x9f\x75\x79\x84\x76\x2c\xa5\x22\x2d\x7a\xb9\x9a\x80\xb0\xa0\x4c\x6b\xdc\x6c\xaf\x21\xca\x07\x7e\x0c\xf4\x4a\xda\x98\xd5\x66\xa2\xbc\x96\x9d\x2c\x52\xe9\x4e\x76\x00\x88\xfa\x2e\x9a\x2d\xe4\x64\x1a\x78\x9e\x13\x25\x35\xda\xc9\xe9\x34\x8e\x07\xf4\x34\x4e\x5c\x7b\xd0\x15\xe5\xe2\x0a\x70\x8c\x03\x1c\x73\x45\x5d\xbf\x3c\x75\xfd\x41\xef\x19\xbb\x2b\x48\x4d\xbf\xae\x15\xa4\x20\xd0\x9a\x90\x96\x14\xae\x1e\xc4\xd8\x67\xc6\x9d\x24\x20\xed\x1a\x2d\xba\x1b\x22\x17\x77\xc5\x79\xd9\x0b\x93\xf9\xb8\xd8\x74\x68\x33\xdf\x30\x1e\x3c\xc1\xa1\x0e\xde\x5a\x81\xe7\x55\xda\x84\xaa\x7e\xf3\xa2\xc7\xf0\xd2\x50\xf2\xe7\x17\xc6\xd8\x47\x3c\x76\x70\xbd\x58\xed\x77\x85\xff\x53\x5e\xf0\x4e\xcf\xa2\x1e\x86\xf8\x79\xe5\x0d\xb6\x78\x1e\x2d\x5b\x27\x3e\x43\xc1\x63\xc6\x16\x09\xb9\x70\xa4\x73\xa5\x6d\xae\xec\xa2\x0b\x17\x9a\x3c\x10\x17\xca\xeb\x82\x3a\x0f\x2e\xac\x17\xf2\x9f\xb4\x5c\x2f\x82\x26\x5f\xec\x68\xca\x7e\x90\x25\x86\x68\x1b\x5f\x90\x62\xd9\x4a\x11\x75\xd4\xad\x0b\xec\x91\x94\x37\x85\x5e\x95\xc5\x79\x5f\x04\xcf\x5c\xc1\x4b\x04\xe8\xc1\x6f\x0b\x0b\x11\xf1\x33\x06\x40\xfd\xd8\xca\xd2\x6d\x67\x26\xe5\x86\x01\xc6\xe1\xc5\xf9\xca\xa8\xda\x15\xbb\xe0\xb3\xe1\x40\xf6\xeb\x5d\xec\x51\xc5\xe0\x03\xfe\x6c\x70\xdd\x3e\xbf\x9d\x0e\x96\x3b\xc7\xac\x11\xf3\xaf\x0f\x8e\xa1\xe3\x46\xee\x40\x71\x24\x67\x28\xa8\x91\x03\xe3\xbd\xd5\x89\x36\x9d\x8c\xc0\x03\xec\xba\x3d\xe4\x43\xcd\x25\x61\xdc\x71\x26\xd6\xd7\xc6\x83\x37\xd6\x76\x7d\xcc\x31\x33\x20\x9f\x7b\x3e\x51\xf0\xa5\xbb\xe6\xaa\x0d\x42\x14\x97\xaa\xd2\x60\xa5\xb4\x45\x75\x32\xeb\xa5\x11\x5f\xba\x0b\x57\x3c\xe6\x58\x42\x4b\xd5\x93\x76\x2c\xe3\xec\x50\xea\xd2\x70\xbd\xe2\xa2\xce\x45\x01\xfb\x59\x98\x24\xfd\x3a\x0f\xf9\x76\x1e\x76\xbb\x52\xf3\x82\xfc\x4b\x95\x1d\xa1\x13\x44\xec\x2c\x39\xb9\xd7\x6d\x93\xa3\xb6\xc8\x3a\x22\x4b\x05\x17\x40\x92\x5c\x6a\xa8\xea\xc9\xe6\x45\xef\x48\x4b\x7e\xf8\xec\xa0\xcd\xef\x17\x6a\xec\xf7\x3c\x66\x6e\xfa\x9f\xf1\x82\x07\xbc\x39\xf5\x73\xd0\xfe\x37\x9c\x8a\x05\x8f\x8e\x4e\x7d\xec\x66\x26\x14\x4b\xf7\xe8\xbe\x8d\xb3\x34\x71\xa7\x4c\xbe\x55\x83\x22\x40\xae\x31\x97\xf0\x0a\xb4\xc6\xd9\x1b\x9f\x65\xa5\x7d\x9f\x09\x9e\x7a\xf7\x7e\x49\xa2\x95\x17\xab\xc2\x85\xf5\xde\x83\x6c\x72\xcf\x18\x66\xfe\x0b\x0f\x06\xf3\x83\x17\x55\x78\x5b\xb1\x03\x8e\xb8\x46\x7d\x34\x70\x8b\xee\x81\xe8\xdd\x07\xd8\x3b\xc6\x80\x05\x9f\xe0\x5a\xfc\x1f\x1a\x0b\x5e\x3a\x36\x67\xe0\x5b\x60\xee\xeb\x2d\x6c\x30\xc4\x58\x61\xbc\x58\x59\x97\x1b\x61\x1a\x25\xa4\x4b\x21\x48\x22\x2e\x07\xc2\x46\x91\x93\xdc\x30\x9b\x05\xeb\x49\xb8\x95\xe5\x45\x60\x4e\x3d\xba\x58\x2d\x63\x61\x6e\x98\xaf\x35\xf9\xa9\x2c\xe7\x44\xd7\x5c\x07\xb7\x80\xdc\x3e\xc1\xa6\x69\x4a\x5e\x32\x6c\x69\x6a\x5d\x41\x39\xb1\x7c\xab\x43\x2a\xa0\x5d\x28\x54\xd2\xf8\x9e\x07\x82\xce\xa3\xac\x13\xc6\x69\xa3\x9b\x8b\xf5\xf8\x82\xca\x79\x4f\xe5\x8e\x91\x0b\x74\x40\x1d\xbf\x7e\xda\x3a\x67\xc8\x89\x80\x4e\xa7\x3a\x17\xcd\x76\x93\x07\x61\xab\x23\x00\x33\x13\xc7\xa1\x61\xbe\x1d\x0c\x26\x24\x6a\x95\xdd\xf5\xba\xd6\x18\x33\x1c\x70\xfe\x5f\x7a\xec\xd4\x25\xe0\xe1\x99\x7e\x31\x4c\xdb\xef\xf4\xac\xde\x02\xad\x39\x89\xd3\x4d\x4c\xa0\x6c\x41\x66\xa0\xd1\x91\xe9\x44\x06\xe0\x26\x06\xc6\xde\x3d\x9a\x59\x19\x73\x6e\xf7\xda\x44\x2d\xf1\xd0\x2c\xd2\xb6\x78\x75\x9c\x14\x17\xca\x3c\xb4\x78\xef\x9a\xec\xc7\x1e\xc1\x9e\x6c\x35\x33\x8c\x88\xb8\x39\x17\xed\x18\x62\x85\xe2\x2c\x35\x36\xa9\x5e\x22\xee\x8e\xcb\x8d\x3b\x95\x49\xa4\xf0\xff\xf4\xea\xe0\x85\xde\xf0\x75\x6c\x74\xd9\xeb\x26\x30\xbb\xad\x1b\x52\x54\xeb\x70\x39\x30\xe0\x83\x5a\x28\x35\x2e\xed\xe5\xec\x84\x9b\x52\x33\xc8\x15\xb4\x29\x65\xd5\x62\x71\x10\x64\x89\xdc\xd2\x72\x76\xc3\x01\xce\x5d\x83\xff\xfd\x2a\xf6\x7e\x8f\x1d\x09\xbb\x31\xb0\x22\x17\xfe\x3b\xbc\xe0\xa5\xde\xec\xd2\x22\xfe\x54\x82\x74\x76\x69\x11\x35\x2d\x95\x5d\xae\x02\xee\xd6\x04\x52\xfa\x65\x4d\x3e\x71\xed\x04\xc7\xa5\x46\x8f\xc2\x81\x8b\xae\x92\xfe\x44\x9c\xc3\xe8\x10\xa5\xa5\x5c\x24\xb1\x95\x02\x94\xa5\xa2\x69\x7b\x5f\x76\x8c\xa9\xfc\xb0\xc7\x8e\x1a\x15\xbb\xf0\x7f\xcc\x0b\x5e\xe9\x19\x1d\xdb\xa9\xfa\x96\xba\xb6\x97\xca\xab\x87\x1f\xde\xea\xbf\xb9\xc6\x58\x66\xe6\xc6\xab\x6a\xc1\x5f\x7b\xee\x9c\x00\xab\x89\xb9\x22\x7f\xea\x29\xc7\x37\xb2\x6c\x93\xb7\x42\x79\x62\x46\x89\xdb\xe0\x73\xcb\x0b\xb3\xab\x0b\x75\x7e\x6e\x69\x1e\xfe\x9d\x5f\x38\xbd\x20\xff\x9d\xbb\xf3\xec\xd9\x85\xb9\x55\x9e\xe5\xfc\x5a\xcc\x92\x4f\x12\xac\x7c\x56\x38\x5f\x80\xf8\xa1\xb4\xaf\x72\xcc\xcd\xc7\x9c\x5a\x90\xa4\xa4\x7c\xb4\x87\xb3\x8b\x7e\x70\xdc\x0e\x39\xfd\xbe\xf1\xe0\x4f\xc6\x4c\xf0\x28\x49\x0a\xb4\xb7\x98\x21\xc5\x93\x53\xcf\xf5\xbd\x30\x66\x09\xed\x93\x7c\xa2\x9b\x45\xc5\x04\xef\x88\x30\x2d\x28\x4b\x1e\x2e\x4d\x25\x59\x5b\x5d\x2e\x29\xc0\xc5\xca\xd6\x43\x1a\x0e\x78\xfa\x5a\xf5\x58\x08\xf6\x27\x9d\x3a\xb6\xd6\x43\x83\x8b\xf5\x96\x2e\xdc\x79\xc7\x7e\xc0\x2e\x77\xaa\x68\x85\x89\x70\x9e\x94\x17\x06\x0b\xbc\x76\xaa\xba\x06\x2a\x7e\x27\xce\xdd\x37\x18\x5b\x5c\xe7\xdb\x71\x12\xb5\xe4\xb9\x78\x70\xb0\x2c\xbb\x0e\xf4\x1c\xb2\x6c\x83\x3d\xc6\x2a\x3a\xca\x86\x6d\x49\x40\x76\x4e\x29\xb0\x6c\x5e\x74\x05\xba\x3b\x89\x95\x43\xa4\xad\x04\x09\x49\x50\xda\xd4\xdd\x66\x77\x08\x14\x01\x4f\x3b\x18\x28\xb0\xb7\x89\xf1\xd6\x31\x76\xa0\x68\x65\x5d\xe1\xbf\x6e\x2c\xf8\x8f\x63\xf0\xa7\xde\x33\x29\xd9\x19\xae\xe9\xa3\x74\x2f\x11\xc3\x38\x6a\x3c\x20\x9b\xbf\x3c\x20\x69\x98\xef\x28\xc0\x53\x71\x70\x6d\x60\x1e\xd0\xb3\x22\x2c\xd1\x89\x49\x58\xda\x0d\xf8\x4e\xe4\x40\x3a\x27\x89\x46\xf5\xd1\x9f\xd6\xa5\x83\x38\x52\x7e\x42\xd0\x38\x9c\x82\x9a\x4e\x45\x86\xbe\x6a\x40\x51\x77\xfd\xa2\xac\xbe\xf5\x7a\x09\x47\x18\x34\xec\x52\xe7\xe4\x42\x76\x67\x8b\x60\xed\x56\x9c\xa1\xd1\xa8\x44\x56\x3f\xca\x59\xd5\x0d\x11\x26\x4e\x9d\x79\xed\x38\xa9\xe0\xda\xc0\x51\x19\x7e\xf2\x40\x35\x1a\x7b\x16\x09\x93\xff\xff\x8a\x03\xc1\x4d\xce\x15\x63\x75\x35\x69\xd8\xb6\x7e\x89\x30\x1f\x69\x16\x89\xd1\xe9\xfd\xef\x1f\x67\x75\xca\x57\x7f\x7c\xf0\xd8\x55\x3a\x82\x40\xf4\x8e\x49\x52\xb7\xab\xfb\x7c\x8f\x3d\x2a\x09\x8b\xf2\x76\x11\xe6\xe5\x9a\x08\x4b\xc8\x34\xdf\xbc\xf4\x44\xf3\xe9\xd3\x3a\xab\x7c\x5b\xf0\x76\x06\xb8\xe3\x68\x7a\x43\x64\x79\xf4\x8e\x9b\xda\xb0\x97\x57\x67\xbb\x6f\x5d\x7a\x1d\x9e\x7c\x7a\x74\x66\xfb\xc8\xa4\xf6\x67\x1a\x78\x84\x33\xc1\xad\xb7\xf7\x3a\xe0\x54\x7b\x28\x10\x11\x9e\xae\x11\x11\x6e\x0d\x4e\x1c\x83\x28\xad\xc9\x4b\x45\x3c\x38\xad\x11\x0f\x6e\x0b\xae\x5f\xa9\xc6\x38\x00\x88\x05\x79\x75\x57\x8c\x83\x2f\x1c\x66\x37\xd9\x3a\x9e\xe3\x72\x1b\x70\xca\xcf\x42\xbc\xe6\xb2\xd8\x8a\xc5\x36\x9c\x92\xde\x70\x38\xf8\x61\x6f\x87\x9b\xb8\x61\x21\xb4\x58\xd7\x20\x55\x28\x1a\x22\x65\xaa\x6d\x72\x07\xb1\x25\x5b\xd7\x0a\xe0\xac\x5d\x95\x59\x43\x52\x20\x65\xd5\xd9\x2c\xdd\xed\x31\xb5\xfb\x16\xa2\x74\xd6\xc9\x57\x0f\xb2\x8f\x7a\xec\x00\x68\xbb\xfe\x87\xa5\x0e\xb5\x00\x8a\x6f\x2b\xcb\x91\xe5\x2e\xd2\xe7\xaf\x5e\x21\xf2\xe6\x62\xba\x9e\x35\x9f\x26\x4a\x78\xea\xd8\x24\xef\x88\x72\x23\xb3\xf0\x99\x64\x8f\xc9\x03\x4e\x2b\x2c\xb3\xbc\xc9\xf9\x4a\x9c\xb6\xcc\x99\x1f\x13\x90\xa8\xbc\xd0\x78\x49\xe3\x92\xa7\x42\x44\x10\x1e\x23\xd6\x13\xa4\x9d\x02\xb6\xa8\xe6\xfd\xde\x77\xb3\xef\xda\x79\x33\xb0\x3d\x0e\x67\xd8\x01\xd0\x3c\xfd\xf9\xe0\x98\xab\xbf\x92\xee\xda\xcf\x7a\x13\x52\x53\x16\x08\x9a\xb0\x9e\xe5\xa3\xb6\x99\xf7\x78\xec\xdb\x53\xab\x67\x75\x67\xfa\xaf\xf1\xd8\xfc\x8e\xc7\x9f\xea\x39\x73\xb6\xaa\xa0\xe0\x4c\xe5\x65\x0b\x81\xae\x4a\xf4\xa5\x0d\x03\x77\xe0\x4c\x1e\x59\x63\x3f\x1f\xae\xee\x6b\x3d\x36\xbb\xcf\xea\x56\xd4\x75\x65\xb7\x29\x36\xaa\xd6\x3b\xd5\xf8\x16\x74\xf9\xde\x18\x5c\x7b\x6e\x71\x7e\x07\x43\x02\x3d\x4b\x41\x60\xb9\xb3\x5e\xef\xf7\xd8\xb8\xbc\xe8\xbf\xc5\x0b\x7e\xc0\x3b\x57\x60\x70\xb1\x9a\xad\x55\x03\x2e\x55\x56\x79\x6c\x27\x72\x32\x1e\xc8\x97\x02\xad\xba\x05\x30\x71\x82\x3a\xc6\xd7\xc7\x80\x4e\x0a\x46\xf3\x6e\x2e\x08\x70\x20\xb8\x1b\x66\xf3\x3a\x87\xcf\x6d\x0b\x15\xeb\xa8\xf0\x95\xc0\xe4\xd1\xa7\x39\x67\x57\xf6\xcb\x35\xf6\x5d\xc3\x31\x0c\x2a\x7c\xc1\xff\xe5\x5a\xf0\x54\x1d\x59\xb0\xc7\x70\x39\x08\x33\x32\x01\x72\x17\xbd\xc3\xea\x28\x77\xd1\x03\x97\x54\x55\xc4\xdc\x17\x3c\xb6\xc4\xf4\x83\xfe\x7c\x70\xa3\x3a\xf0\x39\xeb\x45\x8b\x62\x3d\x78\x83\x61\x72\x76\xe3\x6e\x23\x17\xd8\xc9\xa0\xa1\x1c\x60\xa5\x85\x0e\xb3\xd7\x32\x20\x90\xef\x64\xd0\xa8\x32\xe3\xed\xa9\x8c\xff\x52\x77\x82\xf4\x0c\xd4\x57\x73\x6e\x65\x71\x3e\x8f\xb7\x44\x0e\xc2\xfa\xaf\x9e\x18\x1c\x77\xae\x68\x9c\x1c\x54\x24\x5b\xc6\xed\xc2\xf5\x73\xee\xe1\xf9\xbd\x4f\x64\xcf\x3f\xa8\xad\xe2\x73\x61\x37\x6c\xc5\x65\xdf\xff\xd3\x03\xc1\xef\x1c\x58\x5c\x1f\xcc\x04\x71\x1e\xd2\x8c\x24\x16\xed\xe8\xdc\xca\xa2\x06\xb8\x82\xaf\xf1\xed\x50\x0e\x35\x00\x81\x18\x04\x16\x8a\x2f\x88\x23\x4a\x9a\xa1\x92\x79\x4b\x15\xad\x0b\xa4\x52\x22\x4d\x14\xab\x91\x42\xb3\x1c\x40\xf1\x01\x38\x56\x96\x39\xb7\xb2\xb8\x32\x50\x41\xa5\xa4\x82\xa2\xdf\x32\xd5\xd6\xd3\x51\x41\x95\x6e\x88\xd6\xa6\x4e\x11\x25\x14\x92\xb8\xd3\x11\x51\x1c\x96\x22\xe9\x23\x2c\x07\xd6\x01\x51\x69\xb1\x5a\xe0\x7d\x24\xe4\x7e\xb9\x1b\x83\x35\x51\x1e\x37\x11\x78\x78\x5b\x27\xca\x41\x05\x20\x8d\x62\x8d\xc2\x29\xa1\x15\xdd\xb0\x57\x08\x2b\x27\x65\xb8\xb1\x1b\x61\xc1\xbb\x3d\x42\x1d\x02\x2b\x33\x2f\x7a\x31\xd8\xb6\x76\x6e\x70\x93\xb1\xd9\x04\x7c\x64\x65\xbc\x25\x92\x7e\xdd\x2e\x9c\x5a\x89\xdf\xb0\xfd\x17\x68\x3d\xeb\xa5\x72\xc8\xb3\x1c\xed\xad\x88\xe7\xa5\x89\x09\xd6\x93\xb8\x2b\x8f\x0a\x09\x84\x8d\x6f\x63\x2e\xd2\xc0\xc8\xd9\x8b\x5d\x67\x34\xe9\x26\x40\x87\x57\x9b\xea\xe8\x0e\xe8\x18\x80\x5d\x88\xcf\xc8\x1a\xc0\xc1\x21\xdc\x0a\xe3\x04\x1a\xae\x41\x52\x2a\x7a\x40\x01\xc4\x80\xef\x1f\x06\x92\x12\x9f\x47\x26\x43\xfc\xc1\x41\x76\x75\x99\x6d\x8a\x74\x99\xbc\xcd\xfe\x67\x0e\x06\x5f\x3d\xb0\x6a\x5f\x72\xa6\x3b\xce\x74\xea\x52\xdc\xf6\xf1\x44\xae\xc0\x09\xc3\x16\x40\xf5\x72\x28\x15\x25\x70\x61\x90\x58\x6d\x87\x45\x06\xc7\x52\x8d\x1a\x67\x29\x1f\x80\x41\x75\x07\x86\x7f\xa8\x09\x53\x90\x48\xa2\x62\x95\xb5\x5c\x83\x62\xe8\x8e\xe1\xf2\x48\xb2\x84\xfd\x4e\x98\xaf\xad\x30\x49\x28\xba\xdf\xaa\x3d\x99\x6c\xbb\x61\x4e\xe3\x4d\x67\x69\x54\xb7\xd7\x33\x79\xaa\x95\x75\x76\x3e\x74\x92\x07\xad\xc2\x48\x26\xf2\xa3\x52\xe3\x67\xb1\xed\x4d\xac\x64\x70\x92\xff\x5b\xc6\x79\x70\x73\xd8\x8b\x62\x29\xea\x6e\xa1\x2b\x9c\x07\xf0\x44\x70\x92\xdf\x0c\x7f\xdc\x52\xc7\xab\xe2\x42\x37\x46\x63\x8d\x3c\x00\x14\x65\xd8\xe9\xca\x67\xcc\x65\x38\x0d\xc0\x75\xd9\xe0\xe5\x53\x73\x27\x4e\x9c\x78\x12\xbc\xfd\x3c\xf9\x9f\x66\xb3\xc9\x9e\xc7\xd8\xd9\xac\x14\x27\xf9\x2c\x7d\x55\x3e\x09\x67\x7d\x7b\x50\x2d\x7b\xb5\xb1\x7c\x83\x0d\xa9\xe4\x1d\xf0\x4c\xa6\xd4\xd7\x26\xbf\x08\x65\x74\x93\xaf\x66\x26\xbb\x0b\x16\x3b\x3e\x87\xe9\x7c\x50\xd7\x7e\x5d\x99\x02\x8a\x65\x41\x4b\x60\x90\xd5\xa9\xcc\xe3\x76\x5b\xe4\x15\xa3\xd5\x15\x79\x9c\xc9\x19\x97\x24\xfd\x8a\xc5\x41\xf3\x7c\xb7\xe5\xe1\x8c\x08\x34\xbd\x6a\x89\xec\x9d\xb1\xc0\xda\x8b\xec\x8e\x7c\xd0\xbb\x66\x47\x72\xcf\x23\xfe\xa1\xb0\xcc\x3a\x71\x8b\xb1\x3f\x3e\xc8\x1e\x83\x73\x5f\xa7\x10\x9d\xc9\x22\x51\xf8\xbf\x7e\x30\x78\xd5\xc1\xaa\x3b\x3a\xce\x60\x5b\x8a\x59\xb9\x3b\x1b\x37\x1c\x99\xca\x86\xf7\x1c\xf2\x32\x17\x03\x4b\x1f\x0f\x2b\x60\x70\xd3\xa3\x29\x0f\xfd\xc6\xb1\x16\xd4\x0d\x43\x2b\x2a\x60\x52\xb6\x59\x30\x48\x6a\x71\xb9\x1b\x2c\x48\x49\xe5\x17\xc1\x78\x1f\x0b\x0a\x55\xe1\x69\xf5\x8a\x5e\x98\xf0\xa5\xbb\xa6\x96\xee\x9a\xe3\x1d\xd1\xda\x08\xd3\xb8\xe8\x60\x1d\xd1\xcb\xd8\x81\xc4\x9c\x82\x07\x3a\x59\x3c\xa0\x2d\x06\x84\x47\x24\xea\xba\xe5\x61\x6e\xea\x45\xe0\x8d\x56\xfa\x86\xc6\xdd\x02\xe9\x3e\xb7\xb2\xe8\xb8\x3d\x8d\x85\x2d\xb1\x13\xb9\xca\xd8\xe4\x9a\x9b\x1b\x70\xc4\x03\x9d\x0d\x9c\xaa\xd4\xc3\x1b\xa1\x82\x69\x09\xb7\x65\x55\x94\x95\x6a\x4d\x00\xc2\x19\xc9\x3b\x98\x98\xed\x8c\x76\xfc\xb6\x90\x0a\x66\xb5\x58\xc2\x44\x5f\x48\x6b\xd2\x5e\xca\x53\x59\x8e\xee\xa1\x61\x95\xda\x71\x42\x59\xbd\x63\xe3\xbe\x5b\x73\x51\x8a\xaa\x76\x5c\x6e\xf4\xd6\xb4\x73\x53\x67\xf2\x34\x92\xac\x15\x26\xca\xa1\xd9\xdc\x28\x3b\x89\x69\xa6\x5c\xac\x0a\xef\x06\xce\xb2\x54\x23\x3c\xf7\x16\x10\x69\x45\xe7\x57\xb8\x8e\x3f\x1d\xc0\x3b\x92\xc8\x68\x90\xae\x42\xce\x1c\xb1\x25\xee\x7c\xb0\xdb\x85\x4c\xb7\x10\x25\x63\x1f\x3f\xc0\x1e\x81\x89\xb7\xca\x20\xe9\xff\xf4\x81\xe0\x9d\x07\xdc\x6b\xce\xb6\x56\xb9\x9a\x74\x92\x61\x98\xaa\xd4\x61\x2b\x48\xd6\x1e\x71\x35\x2a\x66\x87\x34\x8e\x50\x67\xcc\xf5\xa1\x7b\x52\x25\x02\x93\xba\x67\x2d\x1b\xfa\x54\x24\x4a\xc5\x18\x4f\x6e\x2e\x15\x2f\xa4\xfc\x44\xf4\x20\x55\x1a\x0e\x3a\xeb\x61\x4b\xd0\x4a\x06\xdd\x8e\xc2\x94\xe0\x89\x50\xc3\xe0\x2a\x83\x11\x24\x59\x84\x71\x59\x58\xaa\x98\x2a\xad\x30\x88\xb6\x14\x23\x0c\x71\x83\x22\xa2\x49\xad\xb6\x74\xb3\xad\x2a\xd0\xdb\x86\x02\xbd\xe5\xad\x2c\xcb\xa3\x38\x85\x3e\x56\x0b\x72\xa0\x8f\x65\x15\xd0\xae\x36\xba\xaa\x5a\xb6\x0f\x0d\x04\xa4\x8f\xca\x01\x28\x4d\x8c\xb7\xd6\xf9\x97\xd1\xbd\x67\xd4\xa3\xb6\xdc\xdf\xcd\x06\xa0\x93\x66\x31\xcc\xcf\x86\x3d\xd3\xb8\xea\xf5\xea\xef\xaa\xe4\x3f\x20\xdc\x90\xda\xd6\x9d\x1a\xb2\x7d\xe4\xf3\x72\xf8\x46\xea\x83\x8e\x82\xf6\x5b\x35\x76\xf5\x7a\x01\xe7\x3b\x95\x0f\x5d\x0b\x3e\x54\x9b\xa7\xcd\x81\x44\x7b\x2f\x8d\x44\x9e\xf4\x2d\x0d\x4b\xed\x04\x90\x6d\xdf\x06\x3b\xfe\x76\x2a\xf2\x62\x23\xee\x42\x9b\xbb\x22\xd7\x1e\xa2\x75\x7b\xe0\x69\xb0\xf1\x94\xa6\x41\xc3\xc1\xe5\xab\x64\xa4\xda\x03\xf8\xa9\x15\xab\x62\xca\x38\x0f\x36\x03\xe3\xe0\x25\xc3\xe2\xa0\x00\x80\x28\x5b\xc4\xce\xad\xef\x03\x3c\x57\x8d\x2e\xae\x26\xf7\xfb\xf6\x10\x8f\xec\x5e\x0b\x4e\xee\x28\x7b\x44\x37\x8b\x16\xd3\xf5\xec\xce\x14\x09\x05\x7e\xf0\x68\xf0\x92\xa3\x83\x07\x40\xf7\x99\xfd\x48\x0e\xd3\x11\x00\x9c\x69\x09\xf4\x63\xc0\x0e\xd4\xcd\x22\x79\x5a\x86\x4f\x9c\x23\x00\xb4\xe6\xa4\x8a\xda\x45\x90\x11\xe3\xc2\x43\xc4\x02\xac\x19\xcd\xcd\xc1\x62\x6d\x38\x4f\xa9\x35\x23\x70\x01\xc5\xa7\x0d\x65\x46\x0f\xe9\xc4\xda\x11\x33\xd0\x64\x79\x1c\x0b\x11\xeb\x7b\xe8\xb0\x86\xcb\x0e\x3a\x6a\x58\x69\x1f\xac\x5f\x58\xec\x43\x73\x3f\x36\xb9\x83\xee\x8e\xd0\x05\x5d\x79\x94\x06\x0e\xf8\x0c\xdc\x1b\x48\xa0\x6f\x34\x79\x15\xac\x6b\x7f\x9f\xfa\x24\x1e\xae\x09\x7e\xa4\x42\xef\x97\xb5\x54\xab\x57\xbd\xbe\x3e\x34\x27\x1c\xf4\x08\x9a\xee\xa0\x72\xa1\xaf\xac\x9d\x67\xdb\xe8\x64\xc4\x84\x46\xb1\x1e\x5f\x70\x60\x7f\x9a\x95\x27\x0b\xa9\x7d\xa4\x61\x47\x04\x27\x41\x11\x01\xcb\xca\xa8\xe7\xc0\xc3\x64\x3d\x8c\x8e\xab\x9d\xde\xe8\x01\x97\x10\x2e\x86\x63\xf2\xc2\xb9\xc5\xf9\xc9\xca\xa7\xb5\xda\x10\x9c\xe4\x81\x6c\x61\xa0\x64\x8f\xb5\x61\xd8\xd0\xaf\x0e\xa6\x39\x1c\x6f\x46\xfd\x9f\x03\x0a\x3e\xa0\xb6\xd5\x2d\x32\x8c\x00\xa6\x6d\xc0\xd8\xe8\x3a\x12\x0d\xa1\xd8\x36\x3a\xbf\xa3\x99\xce\x34\x67\x6e\x50\x31\x19\x20\x75\x1c\x24\x7a\x9c\x63\x05\xed\xa3\x4a\x0d\x02\x9c\x07\xc8\x72\xb5\xd4\x66\xf4\x36\x1a\xad\x95\x26\x8d\xa3\xca\xd3\xce\xa0\x8b\x95\xba\x55\x22\xc2\x2d\xa1\xd7\x06\x8f\xe2\x42\x6f\x47\x53\x59\xce\xe3\x76\x8a\xe1\x41\x4a\x84\x35\xf9\x6c\x31\xd0\x80\xeb\x21\xec\x25\x9d\x18\x04\x26\xc4\x3c\x00\xfb\x63\xd0\x42\x5b\x9b\x03\x75\xdb\x32\xed\xa0\x8c\x20\x2d\x94\x9c\x9a\x7a\x67\xb4\x8c\x32\x16\xdb\x03\x41\x54\x65\x91\xf6\x0f\xd4\x31\x51\x1c\x1d\xf5\xa0\xfb\x87\x9c\x80\xb6\x00\x44\xc2\x84\xe3\xa8\x1d\x87\x6c\x49\x7b\xdc\x09\xff\x71\x8c\x3d\x2a\x1f\x3c\x55\xfa\x5f\x1d\x0b\xbe\x30\x36\x7c\xd8\xdc\xd1\x64\x81\x56\xb9\xf3\x43\x92\xe6\x3c\xed\x78\xf6\xe1\x93\xb6\x6a\x24\x9f\x02\xc7\x06\xd8\x86\xbb\x59\x81\x52\x07\xa1\xd7\x94\x00\x53\xd0\x07\x4a\x8b\xb7\x1a\x15\x0d\x51\xb5\xe8\x43\x3a\x1c\x9a\x43\x9b\xa4\x0d\x01\xa0\x93\x1d\xce\x0b\x75\x9b\x0b\x0d\x64\xa3\x2c\x74\xf8\x59\xd2\x15\x61\xe8\xc9\x6f\x59\x56\x70\x13\xa9\xca\x9e\x15\x44\xde\xa1\x4c\xd4\xf6\x36\x52\x08\x91\xe2\xca\x54\x34\x60\x06\xf4\xe9\x61\x3f\x9f\x5b\x33\xe0\x4f\x3d\x76\xf6\x92\xe1\xec\x17\x48\x3b\x9d\xcf\x5a\x80\x0c\x87\xac\x26\xaf\xf3\x82\x67\x55\xde\x51\x51\x87\xca\x4e\x8d\x3b\x8b\x21\x76\xd0\xe6\x6c\x9c\xf4\x84\x5c\x11\xd9\x45\xb8\xf6\xe6\x69\xe6\xb3\xb1\x5e\x9e\xf8\x8e\x9b\xea\xbb\xd8\x51\xcb\xad\xe8\xde\x7b\xd1\x21\xf6\xf4\x4b\x6e\xee\xdd\x62\x6d\x23\xcb\x36\xe7\x20\xb7\x00\xf2\x18\xde\x7f\x30\xb8\x79\xe8\xea\x20\x99\x61\x86\xa7\x8b\x90\x92\x12\xe0\x91\x6d\x7c\xe9\xa2\xf7\x38\x73\x11\x7d\xa3\x2a\x5c\xcb\x69\xe8\x27\x0f\xb0\x07\x3c\x76\x15\x66\xb3\x60\x3c\xbf\xff\x7e\x8f\x3d\x7b\x27\xcb\xca\x25\x36\xcc\x2a\x3e\xb8\xcb\xfe\x98\x32\x61\xc4\x69\x51\xe6\x3d\x0c\x91\x80\x51\xb2\x1b\x28\x1f\xa0\x76\x41\x36\x13\xa1\x85\xc9\x77\xcf\xd3\x17\xce\x37\xd9\x0b\xc6\xd9\x8e\x6d\xf6\xbf\x32\x16\x7c\x6c\x6c\xa7\xbb\x8a\x40\x3e\x47\x3e\x72\x15\xeb\xd4\x85\xe9\x24\xaf\x9c\x9f\x1b\x78\xf3\xbc\x1b\xe8\x46\x95\xe0\xe2\x42\x57\xb4\x94\x41\x67\x76\x69\x91\x94\x62\x17\x45\x08\x21\xa7\xd4\x78\x91\x3c\x82\x6f\x92\x51\xa7\xb4\x2c\x43\x90\x48\x95\xea\x60\x5c\xfd\x55\x73\xf0\x89\xc9\xf0\x02\x25\x00\x64\xae\x9d\xbc\x60\x2a\x51\x77\x66\x09\xc4\x37\x87\x71\x62\xf1\x3b\x38\x01\xa0\x04\x7c\xa9\x02\xa7\x23\xdd\x44\x37\x04\xd4\x68\xa0\x0a\x7f\x44\xd7\x50\x8a\x14\x1d\xea\xa9\xc8\x09\xa4\x44\xd6\x4f\x40\x4c\x80\x3a\xa6\xc8\x8a\xae\xa8\x8a\x2a\x49\x69\x0f\xbc\xae\xf2\x28\x47\xf2\x6f\x1f\x65\x27\x46\x78\x5c\x9b\x2b\x22\x59\xaf\x08\x1b\xf0\xdf\x76\x34\xf8\x5b\x6f\x87\x9b\xea\x6c\xae\xf0\x32\x07\x08\x31\xc0\xfb\x29\x37\xee\xae\xc8\xa5\xe2\x0a\xf6\x87\x16\x5a\xc5\x01\xe9\x74\x3d\x4e\x12\x8a\x19\x0f\x11\xce\xde\x04\xc0\x63\xdc\x50\x10\x83\x04\xb3\xb0\x8f\x83\x26\xe7\xb2\x3a\x94\xdc\x26\x7b\x39\x4c\xc8\x7d\xa3\x4c\x19\xf2\xc3\x85\x81\x60\x02\x88\xb8\x35\xc1\xf1\xe0\x95\x91\xb7\xc8\x02\xf9\xec\x57\xd7\xf2\xa2\x07\xc4\xdb\x8e\x54\x78\xcb\x15\x8a\xfb\x2b\x30\x08\xdf\xc0\x4c\xc5\x3b\xac\x44\xc5\xa7\x5e\x66\x9e\x22\x04\x2e\x00\xb5\xfc\x5b\x3c\xb6\xb0\xe7\xe0\x8c\x9d\x44\x05\xb0\x2d\x3d\x13\xbc\xd8\x98\xa0\x3e\x32\x92\x82\xf4\x54\x21\x47\x1b\xbb\x17\xe5\x85\x9c\xb4\x14\x29\xa3\xc2\x85\xc0\xd0\xcf\xde\xe9\xe9\x20\xab\xd7\x7b\x6c\x6e\x1f\xd5\xad\xa8\x2a\x94\x13\x9c\x5b\xd1\xe4\x34\x04\x23\x00\xc9\xe8\x68\x1c\x32\x09\xdc\x46\x09\xb7\x81\x81\x55\x3b\x62\x23\xe1\x11\x1b\xf8\x41\xef\xb9\xbb\xe7\x0d\x9e\xf5\x4f\xeb\xbc\xc1\x91\x98\x0a\x3b\x74\xf6\x60\x5e\xe1\xef\x8c\xb3\x9b\x77\x8f\x19\xdb\x79\xe0\xfc\xd7\x8f\x07\xef\xd8\x49\xce\x7f\x33\xc7\x8e\x7d\xa5\x76\x25\x46\xea\xeb\x10\x23\xf5\x9e\x23\x0e\xcb\x38\x80\x78\x6e\x49\xf9\x02\x58\xb7\x28\x53\x97\xb2\xbc\xf4\x5f\x7c\x24\xb8\xd1\xbe\xe0\x92\xd4\xc1\x15\x45\x0c\x00\x94\x24\xf8\xe4\x4a\x12\xb7\xdc\xf8\xa0\x9f\x3f\xcc\x3e\x5f\x63\x47\xc3\x6e\x77\x29\xcf\xca\xac\x95\x25\x68\x31\x96\xfa\xa3\x05\x98\xcd\xbb\x74\xd7\x30\xb8\x4b\x15\xcf\x39\xb6\xa2\x29\x0c\x58\x58\x30\x29\xdb\x32\x40\x24\xe1\x9a\x48\x08\x63\xbc\xc9\xcf\x59\x09\x4e\xa0\x72\x70\x82\x76\x46\xbc\x26\xf9\x89\xc5\xd9\xb3\xb3\xa6\x24\x15\x2d\x80\x0f\x1f\x0b\x0b\xa9\x45\xf0\xe5\x53\x73\x8d\x1b\x4e\x9c\xb8\x1e\xe6\xb6\xdc\x1c\x4e\x4e\x4d\x6d\x6f\x6f\x37\xe3\x30\x45\x06\xe3\xb0\x28\xe2\x36\xe0\x11\x17\xca\xe7\xde\x80\x22\x26\x9b\x72\x2d\x34\x74\xf9\xaa\x75\x5a\x19\x90\xea\xcd\x40\x15\x15\x98\x60\xa7\xdf\xca\x3a\xdd\x30\xed\x37\x5b\x59\x67\xaa\xd3\x6f\xa0\xe2\xda\x50\x65\x38\x16\xe3\x07\xc6\x28\xcc\xe9\xc3\x63\xc1\x8f\x8f\xad\x3a\x99\x6d\xba\x0f\x67\x81\x8f\x25\x47\x92\x9a\xc1\xd1\xc2\x15\x09\x49\x67\x8a\x45\x8c\x60\xfd\xc8\x79\xe1\x3e\x1d\xcb\x79\x97\x6f\xc5\x8a\xc4\xca\x21\x9b\xa4\x3e\xa8\x2b\x14\xcd\xa1\xb0\x4f\x3a\x66\x37\xa1\x36\xdf\x73\x4f\x13\x3f\x74\x56\x13\x9f\x88\x18\xe4\xf2\x1a\x20\xc0\xd8\x6e\x7e\x60\x6b\x0c\x8b\xc2\x90\xa6\x58\xa9\x06\x27\xf9\xb5\x5a\xae\x38\xa9\x6c\x37\x9c\xb0\x33\xd9\x92\x2c\x6d\x37\xd5\xa3\x16\xc2\x86\x14\xfa\x39\xa8\x9e\x3b\x81\x6d\x00\xc4\x46\x63\x42\xbf\x0c\x20\xb5\xc8\xba\x92\x1a\x3c\xd3\xea\x97\x1d\x2b\xb7\x13\xb9\x60\x8f\xe3\xfb\x14\x01\xe6\xfd\x9a\x88\xfc\xd5\x40\x44\x6e\x53\x54\x2a\x6a\x19\x1a\x90\x61\xc4\x65\x03\xf0\xde\x75\xa0\x13\x55\x78\x3e\x39\x98\x54\x5f\xd9\xb1\x88\x16\x2e\xb3\xb8\xa0\x39\x34\xb5\x6b\x85\x50\x68\x72\x97\xe1\x7a\x8d\x1d\x56\xb3\xd2\xbf\x2b\x58\x94\xf5\x5d\x5c\xda\x71\x29\xab\x6c\xf4\x73\xf3\x4b\x75\xbe\x3a\xb7\x04\x44\x3e\x2b\x73\xab\x4b\x4e\x17\xad\xce\x2d\x39\x3d\xf3\x43\x8f\x76\x92\x4b\xc3\x6e\xb7\xa0\x40\x47\x79\xe6\x38\x07\x4a\xdd\x7c\x28\x3a\x59\xba\x22\x4a\xff\xab\x7e\x70\x1b\x12\xc4\x64\xca\x55\x49\x56\xc3\x02\xec\xa9\x6b\x62\x23\xdc\x8a\x11\xfd\x2d\x82\xb7\xc0\x4c\x9e\x63\x69\xa4\x23\xba\x96\x92\x1f\xf4\xd9\x6f\x32\x76\xb8\x13\x5e\x58\xe9\xe5\x6d\xe1\x7f\x82\xed\x55\x5f\xeb\x95\x71\xd2\x8c\xd3\xb2\x28\xf3\xe6\x62\x5a\xde\x99\xaf\x40\x93\x82\xef\x83\x60\xb7\x4e\x78\x21\xee\xf4\x3a\xd6\xe0\xa6\xe0\xb5\xd6\xf0\xb8\x8a\x8f\xcd\x58\xac\x74\x3b\x91\xb6\x0c\x03\xde\x52\x5a\xbc\xa9\xc6\x30\x71\x1f\x23\xdf\x0d\xfd\xa3\x1f\x23\xbc\x18\xcd\x17\x2a\x75\xbb\x22\x4b\x7a\xa5\x26\xbf\x3f\x26\x2e\x9c\xe4\xd7\x4f\x22\xa4\x55\x57\xe4\x2d\x79\xce\x69\x83\x70\x51\xdd\x09\x20\x45\xf0\xdc\xcc\xf4\x13\x26\x49\x5a\xcb\x12\x49\xe7\x9e\xe6\xf1\x3a\x3f\x13\x5e\x38\x97\x9a\x46\xc4\x05\x9f\x6e\xf2\xd9\x81\x8f\xc1\x7b\x49\x8b\x48\x35\x41\xb4\x58\x9f\x5c\xeb\x73\xc8\x03\xc7\x31\xc2\x84\xce\x4e\x9c\x42\xff\x65\xeb\x7c\xc6\xcc\x20\xed\x38\x9d\x06\xbe\x52\xcc\xd2\x22\x4b\x1f\xae\x14\x72\x8b\x9c\x98\x7e\x42\x5d\x87\x17\x9d\x98\x7e\x82\xa6\x47\x07\xbc\xd5\xc1\x41\x19\xa0\x63\x55\x86\x47\x98\x5a\x38\x8d\x64\x57\x1f\x8b\x9b\xa2\x49\x2e\xe2\x26\xf5\xd1\x59\x28\x69\x45\xd1\xcd\x4f\x9a\x11\xc3\xd0\x0f\xf4\x0b\xc8\xb7\x15\xf5\x3e\xb9\x3c\x21\x67\x2f\x89\x14\xc3\x5d\x27\xcc\x37\x31\x66\x18\x61\xb0\x28\x9e\x8e\x8c\xa9\x20\x91\x0a\xd9\x4f\x49\xd8\x4b\xe5\x24\x6c\xab\x72\x0b\x9e\xa5\xaa\x81\xd0\x98\x26\x07\x7c\x71\x6b\xc2\xd0\x27\xcc\x18\x1d\x5b\x06\xea\x03\xd0\x25\x4a\x9e\x88\x10\xfc\x46\x29\x5c\x25\x32\xfe\x49\x5d\x41\x77\xba\xa9\xd8\xe2\x94\x62\x68\xa8\xde\xba\xd2\xb4\xab\xa8\x96\xad\x89\x56\x26\x77\xbf\x9e\x35\x43\x5c\x32\x7e\x55\x19\x93\xb3\x51\x58\xfe\x46\x29\x54\x91\x8c\x0f\xc4\x89\xdc\x9e\xf2\x30\x4e\x65\x47\x0f\x37\x50\x87\x92\x46\x49\x5f\x77\xb7\x53\x61\xb9\xf8\xe4\x09\x47\x45\xc5\x02\x16\x86\x5c\xf6\x08\xaa\x5b\xc0\x66\x8a\xfe\x38\xbc\x1c\x77\x28\x35\x10\x64\x75\x51\xc4\x6b\x71\xe2\x04\xce\x9a\x4c\x28\x92\xa1\x3a\x7e\x09\x27\x0e\x84\x79\xa6\x18\xe5\x8d\x10\x97\x90\x57\x14\xa6\x8a\x14\x25\x56\x90\xae\xc4\x15\x40\x76\x8f\xf5\x30\x4e\x88\x37\xb1\xb0\x18\x16\x01\xb5\xb8\x88\xb7\xac\xe2\xb5\xd2\x01\xd4\x70\x00\x85\xac\xa3\x22\xa9\x96\x7d\x38\x68\xa3\xd5\x05\xba\x13\x7a\x59\x49\x8e\xb8\xc8\x7b\x5d\xb4\xf7\x0c\x73\x06\xea\xe0\x50\xed\x64\x06\x63\xb9\x7c\x51\x4f\x0c\x94\xd2\x20\x3e\x07\xdc\xe2\x1f\x3c\xc4\x1e\xd1\x71\xe4\x83\xff\x8e\x43\x97\x2b\x5f\xbf\x72\xb0\x5a\xbe\x3a\x13\xb5\x30\xf2\x13\x88\x6b\xcc\xf4\xa3\x66\x97\x7a\x75\x5d\x96\xa8\x1c\x94\x27\x03\x95\xa0\x59\x82\x1a\x05\x89\x20\x5a\xd3\x96\x5c\xbd\x74\x69\x19\x91\x05\xd2\x91\x97\x90\x36\xab\x64\xf5\x80\xa8\xc6\x51\x92\x02\x74\x58\xa6\xce\xfc\x13\x91\xa9\xd0\xb3\x45\x99\x41\x90\x34\x4a\x13\xd5\xa9\x84\xc4\x85\x4b\x0d\xf1\xb8\x2a\xc5\x28\xbc\x0d\x1b\xe6\x60\x73\xb2\x42\x0c\x0d\xa2\xe2\x50\x58\xcb\x01\xb0\xb6\xd7\x05\xe1\x3b\xf0\x14\xaa\x58\xb2\x7a\x09\x80\xab\xdc\x99\x12\xf8\x86\x16\xd4\x90\x0c\xad\xe6\x61\x9d\xc7\x44\x2e\x47\x91\x4e\x52\x90\x97\x19\x85\x28\xba\x65\x4b\x8d\xbb\x57\x60\xa2\x2d\xf6\xa1\x6c\xa7\x92\xdc\x37\x62\xd5\xb3\x3c\x6e\x03\x7c\xf9\xce\x93\xd1\xfe\x3e\x57\x10\x00\xb1\x94\xcf\xc3\x8b\x82\xfd\xea\x38\x1b\x38\xd8\x66\x45\x2b\x4c\x00\xab\xe1\xb8\x3c\xd6\x1e\x6f\xde\xbe\x34\xbb\x82\x97\x28\x5a\xe8\x75\xe3\xc1\xdd\x83\x17\xc9\x6a\x88\x04\x1b\xc8\x1b\xa9\xfc\xb9\x70\x34\x91\x5b\x05\x30\x6c\xe0\xd1\xd6\x38\x06\xba\xa1\xb2\x96\x6e\x85\x89\x49\xe1\x3c\x00\xf3\xf5\xa2\x77\x35\x3a\x4f\x69\xbf\x72\xe9\xc9\xc7\xd8\x27\x3c\xe6\x3e\xe0\x7f\x40\xab\xde\x3f\xec\x2d\xd9\x77\x06\xf2\x81\xb7\xe3\x34\xca\xb6\x61\x32\xc4\x14\x3c\x6e\x40\xea\xa9\xfe\x0a\x43\x44\xd5\xbd\xc9\xdd\x12\x95\x0a\xee\x40\xbf\xdf\x27\xf2\x0c\xe6\x12\x10\x58\xc1\xa5\x2c\xe7\xe2\xb9\xbd\x30\x01\x2c\xf7\x9b\xa6\xa7\xf9\xb1\x13\xd3\x72\x25\x4f\xba\x8a\xf8\xad\x94\x9e\x7a\x53\xf0\xc4\x55\xa2\x53\x56\x81\xcd\x2a\x37\x09\x33\x70\xa1\xdb\x15\x39\xe7\x40\xca\x2a\xf6\x9b\xbf\xad\x7a\x61\x8d\xa4\x9e\x0d\x5d\x18\x52\x08\xd0\xba\xf2\x36\xeb\x30\x5d\x88\xe0\x2a\x2d\x44\x29\xc5\x00\xba\x58\xee\xdc\x5a\xa7\x11\x6f\x1c\x77\x5c\x1b\xf4\xbe\x01\xc1\x48\x67\x31\xf0\x6c\x85\xbc\x63\xc8\x1e\x50\xf8\xff\x63\x2c\x38\xbf\xe3\x5d\xc7\x8e\xaf\xfd\x6a\x90\x49\xa4\x30\x0a\x32\x7a\x52\xf5\x18\x2a\x06\xce\x0b\x72\x72\xe5\xbd\xc4\x35\x6d\xfc\xcf\x1a\xfb\x07\x8f\x1d\x04\x30\xcb\xc2\xff\x4b\x2f\x78\x8f\x87\x7f\xc3\x3a\x82\xde\x22\x83\x22\x5d\xce\xd6\x79\x3b\x56\x1b\x0f\x05\xa7\x62\xa8\x0d\xe5\x91\x6d\xc3\xa4\x81\x40\x2c\xa9\xe1\x00\x3a\x8f\x5e\x19\xed\x98\x84\x4c\xd1\xeb\x76\x13\x8b\x93\x26\xc7\x81\x50\xf9\x23\x80\x0e\xe3\x9c\x50\x4d\x26\x3c\x4c\x56\x79\x0e\x83\xfe\x72\xfc\x4c\x27\xd8\x0c\x9b\xda\xd1\x6a\x35\x30\x18\x8b\xf3\xcb\xf2\xa3\x2c\x61\xd0\x2d\x7e\x14\xdc\x0d\xe9\xfe\xf1\x60\x3f\xcb\x96\x82\x5f\x2b\x8a\x5b\xa5\xea\x55\xe8\x16\x10\x31\x66\xd8\x54\xb8\x9e\xdd\x37\x85\x28\xdd\x04\xbd\xc3\x6c\x96\xea\xb4\xd9\x5b\x13\x8d\xb0\xdd\xce\x45\x1b\x92\x43\x6d\x07\xed\x00\x86\x4a\x73\x76\x49\xb9\xf7\x4f\xc7\x45\xe9\x7f\xe5\x50\x30\xe5\x5e\x72\x01\x20\xcc\x3d\x95\xb7\xd4\xbc\xe8\x1d\x88\x4b\xd1\x71\x65\xc8\x7b\x0e\x5e\x71\x21\x5d\xae\x0b\x49\x30\xec\x58\xff\x5f\xdb\x53\xf1\x4e\x76\x86\xdd\x51\x39\x15\x2f\x6d\xd8\xaf\x78\xaa\x2e\xc3\x53\xb5\x68\x79\xaa\x9e\xc2\x9e\x7c\x09\x9e\x2a\xb9\xc4\xce\x88\x32\x7c\xd0\xbb\x77\x77\x87\xca\xd3\xfc\x05\xe3\x50\x19\x18\xd4\x01\x97\x8a\xbb\x88\x07\x3d\x29\x9f\x3e\x34\xe8\x28\x1f\xd0\x4e\x4c\x0c\xce\x19\x51\xe6\x71\x8b\xa0\xf4\x2e\x1e\x0a\xfe\xb7\x57\x75\xc7\xf2\x1f\x51\xe8\x06\xe2\xa9\x00\xfe\x42\x07\x1e\xc4\xdc\xdd\x01\x4c\x42\xb9\xc5\x58\x36\x52\x9a\x42\xc7\xec\xe8\x34\x03\x71\xf3\xdc\x9e\xe8\x41\x08\x57\x2b\xc9\x7a\x11\x21\x23\xc0\x69\x53\x99\x56\xb3\x9c\x3f\x63\x69\x05\xe7\x57\x92\x85\xd1\x5a\x98\x84\x69\x0b\x69\xce\x40\x7f\xce\x7a\x25\xe4\x9f\xc8\x3d\x1a\x63\xe7\x26\x9b\x8e\x33\x27\x40\x20\xeb\x80\x90\x20\x0d\x52\x98\x28\x9b\x17\x3d\x86\x4d\x19\x82\xc9\x7b\xe1\x01\x76\x9a\x59\x37\xfd\x5b\x82\x19\xf3\xab\x8a\x25\x83\xfa\x24\x4e\x39\xe6\x5c\x0f\x80\x2d\xbc\xd3\x63\x8f\xc0\x47\x56\x44\x02\x54\x95\xfe\xab\x3d\x76\xeb\xa5\x4c\xb0\x70\x4d\x24\xaa\x90\x60\xc9\x2d\xd4\xd6\x85\x08\x89\xb1\x6f\xb4\xc8\x16\x31\x96\x89\x3c\x26\xd3\x9b\x45\x36\x81\x05\x35\xd9\xaf\x78\xcc\xc7\x3e\x9b\xdd\x12\x79\xd8\x16\xa0\x18\xf9\xef\xf7\xf6\xb1\x1c\x9a\x3a\xee\xe4\x19\xbd\x30\x2d\xe3\xb2\x1f\xf4\x86\xcb\xd4\x99\xce\x08\x35\xde\x15\x79\x43\x9e\x81\x50\x40\x49\xf5\x01\x51\xe4\xa9\x67\x8f\x01\xa2\xdb\x73\xa9\xbc\xc9\x26\x3f\xd3\x2b\x7b\x10\x29\x28\x2e\xc8\xa1\x8f\xb7\x48\x2d\x58\x85\xe2\xe0\x0b\x4d\xf6\x41\x8f\x1d\x2d\xcd\x05\xff\x47\x2f\xb3\x19\xf7\x5a\x85\x0d\xd4\x5f\xd7\xdb\x9a\x0e\xfb\xac\xb4\xdd\x3b\x4d\xf6\xa9\x43\xec\xda\x1d\xd1\xe1\xce\xe2\x2f\x3c\x54\x80\x13\xeb\xcd\x87\x82\x1b\x86\xae\x5a\x7e\xb3\x10\xcd\xeb\xf2\x78\x2c\x55\x12\x5e\xe6\xe1\xba\x9c\x13\x84\xea\xae\xa6\xfe\xe7\x0f\xb2\xd7\x8d\xb1\x43\x22\x8d\xa0\xd4\x57\x8c\x29\x0d\xf9\xef\x34\x6d\x79\x45\x0a\x36\xaa\x65\x00\xc8\x24\xcf\x94\x78\x48\xa7\xcf\x51\x51\x75\x0c\x1b\x92\x6d\xae\x5b\x0b\x51\xa9\x8d\x03\x8a\xb4\xe5\x0a\x33\xc7\x76\x9d\x7b\x46\xcc\x34\xf2\x03\x3a\x74\x55\x3e\xa3\x1e\x90\x2b\xa1\xea\x19\x75\x1f\x86\x45\x2e\xdf\x88\x1f\xc3\x15\x3a\xa9\x5d\x70\x42\x55\xd8\xf8\xf2\xe1\x50\x92\xe5\xae\x4a\x6f\xbb\xec\x4c\xf0\x64\x9c\xf2\x59\xb0\x15\x15\xa0\x01\x82\xc5\x4a\xb7\x55\x25\xbe\x18\xa2\xe2\x53\xf4\xe6\xd3\xe4\xc3\x81\x33\x7c\x0b\x58\x8b\xc0\x3d\xfc\xfc\x74\x8d\x7c\x27\xef\xae\x5d\xae\xe5\xe8\x4f\x8c\xcf\x85\x80\xa7\x50\x12\x68\xdf\x9b\xb1\x70\x5b\xae\x2a\x4e\x4e\x1f\xec\x11\xec\x43\x55\x46\x88\x09\x7b\x9a\xcd\xd0\x1e\x1a\xc5\xe9\x4c\xfe\x32\x40\x4a\xc2\x40\x33\x72\xfb\xa0\xeb\x32\x8d\xe8\xc4\x8e\xd1\x72\x1a\x6f\x0b\xc2\x59\xcd\x94\xb5\x1d\x36\xc2\xb8\x1c\xf9\xec\xd9\x79\x2c\x4e\x45\xf7\xe3\x77\xa2\x26\x7b\x81\x67\xf9\x6f\x7a\xc1\x06\xb4\x5d\xbd\x76\x0c\x3c\x34\xe0\xab\x21\x37\xcd\xa4\x3a\xe6\xd2\x27\x61\x2e\x40\x61\xd5\x14\xc3\x95\xf1\xc6\x83\xee\x9d\x7f\x18\x67\x8f\xab\x40\x76\x5a\x0d\xe3\xb4\xf4\x7f\x77\x3c\x38\xbf\xaa\x88\xd2\xa0\x40\xb8\xee\x64\x83\x95\x19\x26\x41\x6e\x08\x1e\x20\x13\x50\xa0\xec\xa9\xda\x49\xa2\xa3\xf4\xca\x2c\x11\xb9\x3a\x86\x40\x59\xcd\x8b\xde\xd8\xa6\xe8\x5f\xf4\x0e\xe2\xcb\xce\xc2\xff\xdd\x31\xf6\x66\x8f\xd1\x1d\xff\x35\x5e\xf0\x12\x4f\x63\x8a\xe1\xb2\x40\xea\x21\x65\xe6\x82\xca\xa1\xdd\x4a\xa1\xcf\x67\xc3\xdf\x85\xc7\x14\x84\x18\x96\x80\x47\xc6\xb3\x99\x32\x69\xd5\xf9\x12\x84\x66\x9a\x2b\x14\x5f\xb1\x80\xa4\xe2\x03\xdc\x15\xb2\x05\xfe\x53\x82\x69\xb7\x72\x58\x9d\x4d\xd1\x57\x19\xa2\x80\x62\x17\xa1\x35\x10\x50\xaf\xec\x52\xde\xed\xb1\x23\x72\x2f\x9c\x8d\x22\x11\xf9\x6f\xf2\x2e\x1d\x28\x2a\x5a\x55\xc5\xd8\x41\x03\xd0\x72\xb9\xd7\x3a\x2c\x7f\x58\xc7\xed\xb0\xd0\x20\x80\x26\x09\x42\x71\xf1\x49\x4d\x49\xb7\x1c\xdf\x28\x9a\x6c\x41\xd9\x2b\x6e\x0e\xa6\x4c\x6b\xb7\xc8\x64\xa1\x3c\xcf\x94\x1d\x58\xda\xdd\xe1\x34\xfb\xbd\x87\x1d\xf7\x62\x65\x40\x04\x78\xbe\xe1\xec\xf8\xc2\xc3\xc1\x0d\x43\x57\xdd\xd0\x88\x44\x93\x15\x93\xde\x0f\x88\x85\x45\xe5\x11\xf2\xe3\x57\x8e\x90\x97\x7d\x84\x5c\x57\x47\xc8\x7b\x82\xc7\x9e\xae\xee\x7b\xfb\x6c\x79\x23\xbb\x9e\x9d\xd8\xd1\xcc\xb1\xf3\xf0\x5f\x39\x43\x5e\xc6\x19\x72\xcd\x3a\x43\xde\x75\x59\x67\xc8\xe0\xb1\x9a\x92\x01\x93\xd9\x14\x1d\xc3\x83\x5e\x7b\xf7\xc3\xe5\xbc\x7f\x9b\x3e\x5c\x9a\xa1\x1e\x38\x56\x0e\xad\xef\xc1\x93\xe5\x0b\x6a\xec\x89\xd6\x9c\x71\xf2\x01\xc8\x3c\x86\x38\xc5\x18\x96\xe8\xff\xba\x17\xdc\xe4\x5c\xd1\x1a\xa8\x13\x66\x8d\xda\x11\x6d\x25\x95\x20\xd7\xdf\xe7\xb1\xff\xe0\xb1\xab\xe4\xa9\xef\x36\x3a\xf5\xf9\xbd\x11\xb3\xd9\x30\x58\x9a\x17\x28\x64\xf2\x16\xfb\xda\x00\x3b\x8d\x55\x1f\x83\x7f\x27\x3f\xda\x50\x67\xcd\x26\x7b\xed\x21\x76\xfd\x25\x05\x6b\xfa\x5f\x3c\x18\x7c\xe7\x8e\x77\x2f\x7a\x87\x48\xf9\x75\xe9\x8e\x0e\xb2\x16\x53\x77\xfc\x67\x06\x4f\x9f\x25\x0d\x39\x2e\x74\xaa\x5c\x13\x00\xf9\x94\x8e\x8b\x91\xdf\x64\x50\x35\x2a\x75\x9d\xe0\x74\x74\x06\x9f\x9b\xd1\xf3\xc2\x1a\x3b\x18\x89\x34\x16\x91\xff\x77\x5e\xf0\x47\xde\x3c\xfc\x6d\xa3\x3d\x8f\xfe\x0a\xbe\x6b\x27\x08\x52\x5a\xeb\xe2\x3a\xe6\xeb\x85\xa6\xde\x06\xd7\x27\xd2\x5f\x31\xf9\xdd\x94\x5c\x6e\x50\xed\xa4\x8e\x93\x66\x3c\xeb\xc6\x29\xc8\xf8\xd4\x04\xb1\x66\xe6\x39\xab\x56\x4d\x4e\xb5\x97\x42\x85\x84\x42\x49\x75\xb7\xba\x0f\x9c\x13\x4e\x27\x7c\xb1\xc6\x1e\x49\xe1\xbc\x71\x86\x24\xd1\xfe\x27\x6a\xc1\x87\x6b\x0b\xee\x45\x72\x03\x2b\xd0\x46\xe5\x46\x07\x6c\x24\xa0\x26\xe3\x59\x0b\xe6\x52\x64\x3b\x8f\x9c\x99\x82\xae\x6c\xb5\xe9\x4b\x39\x92\x8b\xc4\xca\x68\x53\x60\x15\xc4\x75\x06\xbd\x65\x27\x00\x64\x52\xd0\xf6\x84\x49\x04\x1c\x28\x9e\xa6\x70\x9c\xf2\xa2\x1b\xe3\xe2\x8a\x4b\x04\xb4\x88\xd3\xa2\x94\x73\xb9\xce\x97\x6f\x9b\x9d\xd3\x84\x3d\x71\x81\x49\xbb\x16\xb3\x26\x11\xb9\xca\x0b\xa8\xa6\x15\x25\x64\x13\xa3\xf4\xc6\x3a\x01\x47\x01\xe4\xe5\x41\xc4\xc2\x50\x94\xb4\xa3\x72\xdc\xa3\x11\x2b\x57\x82\x53\xcb\xf8\x86\x33\xc5\xa0\x3f\xac\x60\x65\x48\x75\xa3\x30\x65\x50\x95\x4c\x9c\x32\xce\x1d\x37\x60\x6a\x8c\x05\x55\x1a\xf5\xdc\xd2\x4a\xd6\xda\x14\xe5\x2c\x4c\x0f\xff\x7f\xd5\x82\xa7\x0c\x5c\xb3\x4f\xc6\x2a\x79\x82\xaf\x85\x94\xb3\x9d\x75\x05\xa2\xa5\xf3\x02\xde\xb9\xe8\xc1\xa9\xcb\x59\xa8\xff\xa5\xc6\x3e\xa6\x22\xd9\x7e\x7e\xcf\xfc\x3b\x3b\x9d\xc6\x9e\x77\x96\x1c\x95\xb9\xcb\xbe\xaa\xce\xec\x18\xda\x9a\x99\xc8\x35\xcc\x01\xe4\xf4\x9a\x09\x73\xb3\xce\xe3\x33\xf2\xcd\x1b\xae\xbf\xfe\xc4\xf5\x76\xdc\x21\x7a\xf5\x17\x67\xcf\xce\x3e\x67\xe5\xae\xb9\xe7\x9c\x9d\x3d\xb3\xd0\x64\x77\xb2\xf1\x8d\xac\x28\xfd\xa7\x05\x27\x0d\x51\xf5\xed\x59\x81\x07\x33\x9a\x80\xa9\xdc\xcb\xcb\xac\xee\x1c\x72\x14\xf4\xcb\xa2\x7b\xd6\x79\xdf\x63\xd8\x3d\x97\x9a\x68\x86\x1b\xcb\x1c\x84\x82\xaa\xc0\xe0\x79\xdd\xb7\x4a\x7d\xfc\xf5\x47\x07\x37\xef\xf2\x8c\x63\xfe\x50\xd9\x52\x52\xc5\x9e\x5b\x9e\x57\x9c\xb8\x17\xbd\x83\x18\x2a\x7b\xd1\x3b\x44\x49\xcd\xce\x30\xff\xb1\xcf\x5e\x34\xc6\x0e\xa2\xe2\xe8\xff\x7d\x8d\x45\x0f\x4d\x36\x5d\x55\x23\xef\xd2\x61\x9e\xc1\x2b\x6b\xa4\xf8\x9a\x26\xa0\x57\x13\x2e\x82\x91\x4f\x36\xc4\xc2\xa0\x06\x68\x89\xbc\x87\x76\x51\xd2\x96\x55\x9b\x15\xb0\xeb\x60\x5a\xd8\x6a\xd6\x45\x20\x08\x05\x4c\xa1\x74\x08\xad\x28\x4b\x21\xd0\x19\xb2\x5a\x81\x8b\x77\xe8\x59\x4d\x9c\x16\x12\x3c\x07\x46\x4a\xa0\x25\xb2\xa5\xd4\xeb\x82\x1f\x2b\xf5\x67\xad\xfa\x53\xd3\x8c\xb9\xa4\x87\x60\x01\x45\x29\xc2\x68\xb2\xc9\x36\x18\x0d\x94\xff\x6f\x82\x25\xc5\x46\x2b\x07\x76\x3d\x09\xdb\x3a\x10\x67\x0a\xf3\xb9\x0d\xfd\x88\x1a\x75\xa9\x5f\x62\xfe\x06\xbd\xbb\x15\x87\xa8\xb2\xce\x2e\x2d\x16\xce\xae\x70\xbf\xc7\xd4\x54\xf0\xdf\xe8\x05\xaf\xf4\x14\xe0\xdc\x00\xf8\x84\x6e\xbf\x5b\x65\x88\x16\xa1\x5c\x3b\xc8\xd8\x75\x7b\x1d\x56\x8d\x4a\x9f\x97\x87\xd7\xdc\x2c\x4c\x61\x99\xae\x4d\x76\x5f\xb9\xa1\x9e\x7f\xca\xf0\x16\xf6\x1f\xc6\xd8\x55\x36\x3e\xb8\xff\xd7\x35\xb6\xfe\xf0\x4d\x51\x1b\xef\x3a\x78\x69\xcd\x41\x26\x57\xee\x77\x80\xcd\x72\xee\x54\x4d\x46\x65\x8c\x1b\x24\xab\xd8\x08\xb7\x46\xcf\x4c\xbb\xe0\x3d\x4d\x4f\x07\xa2\x7b\xff\x73\xd4\x6d\xe3\x4e\xd3\xf3\x2f\xc6\xd9\xe3\x0c\xe4\xc8\x52\x0e\x67\xca\xb9\x2c\xe9\x75\xd2\xc2\xff\x8d\xf1\xe0\x73\x63\x3b\xdd\xb5\xf3\x2e\x6d\x76\x0e\xbc\x89\x1c\xa8\x18\xb5\xbc\x0a\xda\x40\xd6\x2b\xbb\x3d\x38\xed\x56\x01\x4f\x69\xb4\x29\x0d\xf3\x39\x05\xf6\x46\x39\xe0\xea\x18\x83\x14\x3b\xd7\x20\x94\x9c\xbc\xa7\xdb\xd7\x08\x8b\x06\x00\x00\x10\xe9\x8b\x46\x90\xd9\x71\x38\x54\x3d\xf7\x32\x12\xea\xd9\x4b\x18\x04\xf5\xea\x4e\xfd\x8f\x56\x39\x6e\x5e\xc8\xf2\x1d\xab\x69\x59\xee\x74\x60\x01\xde\x97\x27\xa5\x6e\x12\xf6\xb5\x06\xd7\x16\x3b\xc8\x4e\xe5\x6a\x71\xe2\x0a\x52\x96\xb0\x7b\x1f\xbe\xb5\x87\xf3\xc5\xec\x72\xec\xb7\x3d\xc6\x22\xcd\xfb\xed\xff\xaa\x17\xfc\xbc\x17\xd9\x3c\xe0\x95\xe2\x6a\x87\x06\xcd\x2e\x2d\xa2\x8d\x5c\xbd\xdf\xe4\x77\x43\x08\x86\x8d\xc6\x23\x1f\xb2\x4e\xe1\x6e\xc1\x06\x9a\x70\x3b\xcc\x61\x1f\xda\x10\x61\x24\x72\xcd\x17\x85\xf9\x69\x84\x1e\x63\x50\xf0\x2d\x70\x06\x97\x6b\xa9\xc6\x7c\x55\x9d\x38\x4b\xef\xc6\x42\xfd\xd7\xd5\x82\xff\x58\x1b\xbe\x0e\x14\x0b\x79\x1c\xd1\x4e\xa9\x10\xf8\x54\x55\xf4\x3a\x2a\x33\x68\x05\x9a\x16\x8a\x26\x3f\x13\xf6\xd1\x06\x47\x13\x11\xc4\xf7\x79\xd3\x0d\xe7\xf5\xd1\xc1\x41\xf6\x53\xe5\xee\xd0\xc9\x4e\x4f\x52\xcc\x28\x11\xd0\xc0\xc4\x51\xa3\x90\x8a\x6d\xc0\x84\xa4\x3d\xc9\x0c\xd1\x90\xd7\xa1\x28\x43\x8c\xb7\x05\x12\x50\x20\xfe\x02\x12\xf9\xe6\x00\xbb\x0b\xe6\xc8\xbc\xcf\x0b\xde\xee\xa5\x96\xb7\x52\x15\x9d\x02\xe4\x11\xd0\x1b\x7d\xf9\xf9\xaf\xdf\x9a\xf9\xf2\xf3\xdf\x50\x87\xbf\xd0\x51\x0c\x3f\x45\xd9\xc2\xc6\x0e\x6d\x5d\xb0\x7c\xb0\xae\x00\x7c\xe5\x36\x3a\x2c\xf9\x79\x29\x63\x8a\xa9\x9b\xc1\xf2\x70\xcb\xd4\xcd\x74\xeb\x96\xa9\x66\xb3\x79\x5e\x56\xfc\x3c\xbe\x7e\xde\x3a\x90\x99\xea\x7f\xd5\x35\x37\xac\x27\xd9\x36\x65\x36\xe8\x25\x81\x81\x4f\x78\xa8\xf6\x3f\x58\x0b\x9e\x6a\x5f\xa0\x2c\x4e\x14\x5b\x22\x1a\x4a\x16\x43\x3b\x09\x20\x3a\x12\x43\x7d\xb3\x0a\xe8\xf9\xcb\x1e\xfb\x92\xea\xc8\xcf\x79\xc1\xff\xe7\x74\x24\xa4\x7c\x22\xd0\x33\x05\xf0\x80\x2b\x03\x5c\x07\xc1\xb5\x01\x92\x0b\x95\x2d\x38\x00\x5b\x0f\x17\xae\xc0\x26\x68\xc0\x56\xd6\xb1\x64\xf7\x94\x16\x0c\x53\x6b\x49\xb6\x36\xd5\x09\x8b\x52\xe4\x53\xdd\xcd\xf6\x94\x0b\xd1\x3a\x25\xcb\x85\xff\x34\xdb\x19\xe2\x18\x66\xc0\x97\x90\x24\x0d\x4c\xc4\xc7\x0a\x82\x57\xc5\x21\x07\xb1\x20\xfb\x3d\xa7\xaf\x07\xa2\x9e\xe8\xd8\x7c\x2a\x11\x17\x10\xd6\xc4\xbf\xdf\x0b\x4e\x0f\x5d\x75\xed\xc1\x24\x4b\xe5\xed\x01\xd2\x3a\x75\x8c\x43\xeb\x3c\x08\xce\x8b\xde\x41\x04\x86\x71\xba\x7e\x81\xcd\x31\xba\xee\x3f\x29\xa8\x1b\xcc\xa9\x41\x8f\xbb\xf5\x91\xc8\xc2\x98\xa6\xc6\xbd\xf2\x60\x25\x67\x65\x25\x9d\x9d\x61\xd5\xf8\xfc\x81\xe0\xb6\xd1\x8f\xd0\xd1\x2b\x29\x06\x58\x1b\xb4\x41\xab\xbb\xd5\x1a\xc9\xaf\xf1\xb7\xe3\x2c\x65\x57\x27\x61\x51\x2e\xe5\xd9\x9a\x00\xa2\x8a\x7b\x2e\xdd\xff\x10\x38\x64\x19\x5d\x59\x64\xa4\x8e\x88\x8a\x1e\xe3\x55\xd5\xf4\x18\xff\xf6\xd2\xbf\x7a\xeb\x2e\xf4\x18\x68\xb9\xdf\x27\x47\x46\xe3\xa1\xe1\xc8\xf8\xaa\xa7\x4d\x0e\x5f\xf4\x82\x5f\xf3\xce\x41\x9a\x1f\xf9\xe8\x2c\xbf\xb3\xfc\x3b\x2f\xeb\x9c\xda\x8a\xe2\x0c\x93\x18\x65\x1d\xc8\xd4\x0d\xf3\xb7\x1d\x6f\x09\xc5\x81\xa5\xb9\x36\x46\xf1\x6c\x48\x65\x24\x2e\x09\x30\xbc\xe0\xc1\xb2\x28\xe2\xfb\xc4\x4a\x19\xe6\xa5\x88\x88\x36\xcf\xf0\x25\x59\x08\x82\x86\xda\xd0\xc2\xf6\x52\xa8\xed\xb2\x0c\x77\x09\x7f\xbb\x4e\x2f\x77\x70\x33\x1e\x4d\x11\xb2\xce\xc5\x2f\x30\xf6\x2f\xab\x4c\x25\xe8\xad\x93\xb3\xff\x03\x2c\x78\x05\xf9\x84\x23\xf2\x40\xea\x9b\x83\x6e\x48\xe5\xe4\x2b\x90\xeb\x39\x8c\x55\x82\x85\x72\xec\x82\x17\x2a\x8f\xbb\x89\xe0\x37\x6f\x8a\x7e\x1d\x3d\x2b\xe8\x01\xbc\xc5\xf2\x80\xc3\xf3\xb0\x7b\x03\xd2\x5e\x96\xf3\x9b\xd5\x5f\xb7\xb8\x16\xe1\xd7\x1d\x61\x1f\x30\x0e\xca\x77\x7b\xc1\x9b\xbc\x05\x74\x49\xba\x88\x53\x58\x19\xf2\x56\x2a\x61\xdc\xe4\x0b\x90\x8e\x88\xbd\x6e\xe4\xb3\xfd\x70\xa1\x14\x1e\x4b\x3d\x54\x38\x28\x86\xfc\xe8\x12\x1d\x97\x9f\xf1\xd0\x73\xf9\x2b\x5e\xf0\x73\xde\x1d\xa2\x6f\xa2\x47\xb4\xe3\x52\x05\x53\x94\xa6\xd7\x2d\x32\xae\x91\x0d\xd8\x14\xfd\x42\xa7\x1b\x6d\x62\xe9\x90\x7f\x59\x37\xfd\xaa\xce\x98\x0b\xa0\x35\x3c\x59\xe5\xad\x76\xd6\xe2\x14\x3f\x46\x33\xd2\xde\xbe\x54\xbb\xd3\x08\x7e\xc2\x67\xec\x56\xfd\xad\xc7\x0e\xab\x0f\xf8\x5f\xf5\x82\xdf\x22\x2e\xb6\x2c\x77\x37\x86\x4d\xd1\x9f\x90\x47\x99\x04\xb1\x14\x37\xe2\xae\x32\x1d\xc1\x17\x94\x83\x58\x15\x85\x3d\x8d\x15\x85\x8f\x2f\x48\x65\xc8\xd5\x17\xe9\x12\x3d\x24\xdb\xfb\xdc\x5e\xbc\x15\x26\x02\x00\xd0\x0d\x6b\x17\x59\x49\x80\x4b\x20\xa3\x64\x01\x4c\x41\x0b\x53\xe3\xab\xd6\x5d\x89\xcc\x9b\x00\xb8\x18\xb7\x7a\x49\x98\x73\x39\xb3\xda\x59\xee\xba\x52\xff\xb0\xc6\x1e\x65\xc6\x49\x45\xd5\xff\x7a\x0d\xa2\x65\x6e\xb8\x2e\xf8\x50\x6d\x75\xf0\xee\xa0\x83\x18\x03\xf2\x75\x68\xfd\xc0\xc8\x1f\xb3\xb2\x02\xd6\x60\x67\xa1\x19\xad\xa7\x97\x6d\x7a\x77\xe3\x2d\x10\xc2\x2e\x9a\xb4\x56\xa9\xe5\x8b\xbf\xad\xaf\x74\xd8\x3a\x41\x26\x13\xb9\xbb\xc2\xa1\x56\xf3\x60\xd0\x8d\x2f\xbb\x52\xc8\xdd\xf8\x18\x79\xfa\x21\x7b\x6a\xb2\xc9\x9f\xad\x62\xf9\x53\xd1\x06\xf8\x7f\x35\x6f\x54\x14\x46\x49\xe9\x67\x61\xc1\xa7\xf9\x31\x78\xcd\xa6\x3a\x98\xd4\x00\x16\xc8\xc4\xec\x44\xbc\xfc\xb0\x0e\xd6\x7f\xad\x17\xbc\xcc\x1b\x08\xbd\x32\x7e\xf0\x81\xfe\xd3\x72\x28\x33\x69\x78\x6a\x6a\xc6\x05\x4d\x9b\xba\x99\x82\x76\x98\x0e\x2d\x1c\xdd\xbb\xf7\xca\x41\x08\x79\x2e\xda\x30\x21\x2a\x52\x9a\x7f\xe2\x28\xab\x57\x08\xd7\x65\xa1\x93\xfe\x0d\x28\x31\x40\x57\x3c\xff\x68\x70\xc7\x8e\x77\x47\x30\x6a\xe4\xe6\x1d\x9b\xa9\xd3\x11\x94\x6f\x63\xec\x45\x35\xf6\xc8\x81\x1c\x46\xff\xcf\x75\xca\xc7\xe7\xbd\x33\x94\x1f\x65\xb2\x63\x0a\x9a\xa4\x26\xc3\x03\x92\x35\xad\xdc\x41\xc0\xf7\x36\x19\x4c\x90\xa7\xa8\x52\x08\x21\xb5\x40\xee\x79\x85\xb1\x4d\xf3\x56\x1e\x16\x52\xb4\x23\x3a\x61\x5c\x92\xf2\xa7\xd2\x0d\xe5\x7c\x50\xf9\x37\xee\xd2\x9e\xe6\xc7\xe4\xc7\x34\x6a\x6f\xc5\x0b\x72\x2a\x15\x19\x62\x9a\xc6\xc4\xef\x19\x46\xfd\x49\x67\xea\xbc\xb9\xc6\x0e\x53\x87\x15\xfe\x0f\xd4\x54\xf3\xff\xc1\xa3\x9e\xd7\x34\x47\xa6\x1b\x54\xb2\xaf\x7a\xcd\xca\x02\x44\x78\x3e\x74\x42\x45\x68\xda\xeb\xc5\xc5\x06\x5f\x13\xe5\xb6\x10\x29\x17\x17\x90\x23\xdc\xa4\xb6\xd8\x8c\xe0\x4e\x03\x67\xf6\x4d\x87\xbc\x9d\xe5\x9b\x49\x16\x46\xc5\x94\x19\xf5\x62\xca\x9a\x0d\xe6\xf2\x35\xdb\x1b\x61\xd9\x88\x8b\x46\xd8\xa8\xbc\xef\x74\xd1\x07\xc6\xd8\xe1\x42\x85\xa4\xbe\x6b\x2c\x78\xc5\x98\x1d\x4b\x1a\x12\xd6\xc4\x73\x7b\x22\xef\xc3\xf9\xda\x0a\xf7\xa1\xb9\x60\x38\xef\x74\xaf\x22\x13\x83\x5c\x76\x76\x61\xb4\xac\x70\xb4\x48\x02\x59\xe0\xef\xf2\x43\x9a\x60\x51\x39\x3a\x96\xa4\x26\x22\x3a\xdd\x04\x32\x13\x21\xf6\x15\x36\x21\x85\x34\x6b\xb2\x28\x74\x7c\x16\x8f\x09\xfb\xcd\x4c\x37\x87\x9a\x18\x63\x48\x2a\x16\x11\x1c\xab\x11\xb4\xc0\xa9\x1d\xd5\x2c\x4b\x07\x6a\xb3\xcf\x11\x94\xbd\xb7\x15\x8b\xed\x29\x8a\xe2\x6c\xc8\xb5\xd3\xa0\xac\x8b\x29\xfc\xc8\xd4\x35\xf0\x6f\x43\x8d\x48\x71\xff\x08\xd6\xae\x9f\xab\xb1\xc3\xaa\x36\xfe\x7b\x6b\x23\xf8\x13\xf4\xe9\x27\x8b\x56\xe9\x05\x00\x3e\xfa\x9a\xa7\x7e\x6a\xde\x54\x3c\x45\x63\x38\x97\xe3\x78\xd0\xf1\x65\x7a\x55\x92\x58\x88\xd7\x79\x9c\x16\xbd\xf5\xf5\xb8\x15\x23\xc7\x21\xcd\x02\x64\x0b\x28\x45\x8b\xf2\xb7\xe5\x27\xc2\x4d\x01\x63\xdc\x12\x11\xf0\x63\xc0\x94\x0a\xb9\xaa\xc6\xb2\x58\x7f\x58\x57\x46\x37\x8b\x1a\xaa\xcb\xd8\x27\x3c\xf6\x9d\x15\x9d\xb4\xd2\x2f\x5a\x65\xe2\xff\x98\x17\x3c\x11\xff\xd4\x71\x49\x52\x8d\xc9\x53\x91\x58\x68\xaa\x38\xc5\x0a\x70\x10\xa2\x33\x09\xf7\x2a\x47\x1e\xaf\xb1\x69\xb5\x85\x4d\x04\xdf\x75\x97\x8a\x13\x0e\xe5\x71\xad\x2b\xf2\x12\x62\xd6\x14\x46\x10\x6d\x28\x4d\xb2\x3e\xfc\xab\xe0\x3b\xcf\x6a\x32\xf6\x11\xcf\x7f\xff\x63\x9c\xc3\xbc\xd1\xee\xbb\x59\x92\xb5\xfb\x2b\x5d\x29\x1e\xe7\xb2\xb4\x28\x73\x88\x36\xfc\xe2\xa3\x83\x67\xee\x74\xd3\xb2\x47\xab\xe0\x7f\x78\xc2\xe8\xea\x98\x40\xd9\xc9\x48\x87\xa7\x04\x53\x2a\xae\x79\xd1\x3b\xd4\x09\x2f\xac\x6c\x8a\xed\x8b\xde\x51\x75\xf5\x0e\xd1\xbf\xe8\x3d\x6a\x7b\x43\xa4\xe7\xd2\x22\x2c\xe3\x62\x3d\x96\x72\xdc\x0d\x11\xf3\xd9\x27\x0f\x32\xf5\xb2\xff\x91\x83\x4a\x62\xdf\x7f\xf0\x0c\x5e\x1b\x98\x94\x91\x68\xe7\x02\xbc\x93\xb8\x65\x41\xbd\x54\xb2\x59\x2a\xb6\x44\x9a\xf4\x41\x56\x23\x8c\x90\xb2\x68\x9e\x1f\xaa\xc6\x53\xe6\xb3\xb3\x59\xa9\xd4\xf8\xf3\x4a\x4a\x95\x56\x6a\xb5\xc9\xf9\x53\xac\x2d\x40\xa8\x85\xb2\xdf\xdd\x44\xdc\x7e\x22\xe3\x27\x85\x89\xab\xfe\xd0\x18\xbf\x2a\xcc\x1d\x77\xe4\x01\x9e\x74\x08\xd0\x3f\xd1\xb8\x4f\x9e\xa2\x29\xc1\xa1\xce\x55\x5f\x98\x5c\xe4\x19\x0c\x59\x83\xcf\xb9\xb9\x71\x89\x9d\x2e\xa0\xc6\x31\x2c\xf8\xcc\xd4\xcc\xd4\xf4\x49\xfe\xbd\x5c\x16\x3d\x43\xff\x1e\xa7\x7f\x4f\xf0\xef\xe5\xdf\xcb\x39\x5f\xe2\xdc\xf9\x97\xc3\xbf\x0d\x95\x3c\x4d\x75\x98\x81\xc8\xee\xac\x43\x0d\x36\xb0\xc7\x6b\x42\xd1\x6f\xa1\x20\xc5\xa2\x61\xc9\xb4\xb2\x8e\x80\x3a\xcc\x3c\xd9\xa6\xe8\x8a\x4b\x4c\xfb\x85\x4a\x1d\x83\x2a\x4d\x52\xc4\x09\xf0\x75\xcb\x66\xcd\xb6\xca\x5e\x98\xc8\x8f\x1f\x3b\xde\x98\x9e\x94\x72\xd9\x79\x7c\x2b\xce\x40\xa2\x51\x0d\x8f\xcd\x4c\x36\x87\xaa\x7c\xbc\xa2\xca\x4e\x6d\xa1\x16\x52\xa9\xb9\x0f\xd2\xc7\x77\x9a\x35\x6a\xc2\xcc\xa6\xfd\xed\xb0\xaf\xa7\x8d\x4a\xc1\x90\xeb\x82\x6f\xc4\xed\x0d\xb9\x6f\x1a\xa1\x07\xc7\x67\x98\x05\xb1\xce\x0c\x87\x42\xfb\x10\xb1\xb1\x58\x4e\x14\x14\x04\x81\x69\x8c\x08\x42\x3d\x9c\xa0\x0e\x63\x3e\xad\x14\x78\xc5\x04\xec\x6c\xef\xef\xac\x31\x7b\x05\xfa\x3f\x54\x0b\x5e\x5a\x5b\x35\x17\xd4\x24\x97\x47\x46\x45\xf3\x8a\x5b\x51\x13\x80\x8d\xa9\x7a\x84\x98\x84\xca\x00\x4d\xb0\xb8\x80\xb7\x00\x6c\x6e\xd0\x6f\x03\x04\xbd\x46\x6b\x43\x29\xa9\x9c\x00\x18\x4f\x40\xb2\x82\xdf\x6d\x9e\x44\xaa\x24\xb0\x16\x60\x41\xb7\x60\xa0\x7e\xb0\xd6\x6b\x6d\x8a\x92\xf8\x85\xcb\x1c\xe4\x5f\xb7\x57\x72\x0a\xd1\x8a\xac\xa5\x47\x2b\xae\xcc\xb0\x30\x7c\x73\xa7\x3e\xb5\x05\xe8\xa7\x0e\xb1\x61\xe9\xe4\x7f\xf0\x50\xf0\xae\x43\x77\x0f\x5e\x1e\xce\x8e\x8a\x44\x48\x1d\x83\x67\xcb\x18\xec\x3f\x1a\x24\x9c\x46\x17\x75\x7a\x58\x82\x2d\x2d\x6d\xe5\xec\x74\xa4\x0f\x3f\x46\xea\xc7\x24\x2f\x05\x40\xa7\x6e\x98\xa9\x99\x53\x88\xb5\xbe\x00\x53\xa6\xc1\xdd\x99\x58\xf9\xa2\xfd\x92\xda\xd1\x63\x0c\x1e\x4f\x32\xdc\x2a\xeb\x8c\x43\x18\x50\x1b\xbc\x82\x7b\x9b\xba\xb8\x3c\x37\x44\xd2\xe5\xb9\x88\x7a\x98\xe6\xcf\x38\x2f\x36\xc5\x76\x93\xcd\x5a\x2d\x45\xba\x10\x3d\x2b\x02\xa7\x4f\x03\x85\x5d\xe0\x2c\xcc\x78\xdd\x80\x59\x4b\xed\x6c\x4b\xea\xa1\x3a\x64\x0a\xa6\x2b\xe0\x92\x01\x44\x3a\x42\x30\x21\x6d\x10\x55\x4b\x09\x83\x80\x16\x3f\x84\xcb\x83\xa9\xdc\xcc\xc0\xaf\x8f\xc0\x3d\x21\x85\xdd\x68\x81\xbb\x04\xff\x1b\x16\xbc\x8b\xeb\xbc\x62\x0a\xea\xba\x38\x93\x67\x3f\xb2\xf8\x38\x88\xcc\x13\x93\x96\x48\x3e\x31\x75\x7c\x6a\xe6\x98\xac\xeb\xf1\x49\x59\x6b\x47\xd8\xce\x68\x61\xab\xdf\xa4\x1a\x89\xc2\x11\xb7\x8b\x29\x01\x37\x6c\x67\x79\x44\x87\x6c\x05\x6d\x0f\xec\x46\x25\xe9\x90\x71\x47\x2d\x61\x0c\x3f\x33\x93\x75\x3b\x93\x0b\x07\x84\x7e\x5c\xf2\x6b\x3b\x59\x2e\xae\xb5\x1e\xdf\xcb\x8a\xfe\x9a\xc7\xae\x76\x46\xc3\xff\xea\x43\x91\x72\xf7\x36\xcf\xf9\x6d\xcb\xfb\xf5\x38\x1d\x50\x92\x9a\xf2\xcc\x50\x58\x96\x51\x42\x77\x46\x04\x3f\x55\x04\x8a\x4b\x84\xb0\x07\x61\xa2\x22\xfc\x5c\xb5\xc2\x05\xd6\x18\x8c\xfb\x27\xb5\x22\xca\x3a\x61\x9c\x36\xd9\xf7\x79\xac\xb9\xa7\xd6\x9d\x89\x5b\x79\x06\x0e\x81\xbb\xfc\x23\x51\x58\x8a\x46\x19\x77\x44\x70\x8b\xbe\xce\x5d\xd7\x31\x5c\x82\x39\xdf\x91\x4f\xa0\xdd\x80\xa3\xcf\x5d\x4a\x0a\xe0\xa2\x74\x06\xe2\xdf\x1f\x64\xdf\x5d\xa1\x9b\xde\x21\xfa\xab\xd9\x52\x58\x6e\xf8\xbf\x7f\x20\xa8\x9f\x09\xbb\x56\x84\x39\x25\x72\x84\xbc\x1b\x96\x1b\x26\x55\x91\x20\xf3\x55\x1a\xcb\xb8\xbc\xeb\xda\x88\x0f\xb0\x09\xb4\xb3\xf2\xe0\xd1\xab\xb4\xb1\xc9\xdd\x22\xcf\xc0\xd9\x67\x57\xeb\x43\x63\x6c\xbc\x93\x45\xc2\xff\x49\x9d\xe3\xf6\xfa\x31\x13\xfc\x06\xfc\x0a\x6b\x40\xd0\xa4\xd0\x25\x30\x4b\x91\xb8\x7b\x28\x18\x0f\x71\x58\x85\x41\x7c\x93\x2b\xae\x55\xaa\xbd\x50\x6b\x88\xd3\xd3\xd3\xd3\xb8\x61\xdf\x78\xe3\x8d\x88\x9d\x13\x89\x56\xdc\x19\x7e\x10\x9e\xba\x7e\x66\xa6\xc9\x9f\x35\x7b\xe6\x34\x44\xfe\x75\xcb\x02\x63\x6a\xb1\x64\x0c\xa4\xb5\x5e\x2e\xea\xfc\xe9\x2b\x77\x9e\x35\xb0\x44\xee\x5d\x90\x8c\xba\x3d\xd5\x09\x4c\x9a\x4c\x84\x36\x9f\x33\x88\x10\x65\x73\xa4\xc0\x11\x0e\x19\x55\x70\x3b\x6f\x65\xe9\x7a\x12\xb7\x4a\x9c\x0e\xb8\xe4\x15\xc0\x04\x1a\x5a\xc9\x08\x0f\x38\xe9\x89\x20\xc2\x34\xc0\x7c\x20\x62\xa5\xba\xd6\x83\x73\x51\x48\xf5\x86\x54\x31\x8b\x9b\x0e\xc6\x00\xe1\x11\x2c\xcd\xe6\x3d\x1e\x83\xe1\xf7\xdf\xe1\x05\xaf\x05\xaf\x05\x5a\x97\xb7\x04\xce\x19\xf2\x12\xc2\x67\xc1\xa4\xdd\xd5\x8a\x4e\x99\xa1\xd3\x9f\x02\x85\x6d\x88\x23\xf9\xaa\xb9\x49\xa6\x2c\xdc\x2d\x65\xa1\x02\xa9\xc6\xf8\x44\xb3\x39\x61\x1e\x43\xfc\x09\xb3\x0d\xe0\x14\x86\x67\xec\xf9\xf6\xea\x31\xf6\x84\x2a\x5e\x7f\x05\x13\x6e\xdc\x90\x7f\x5c\x0b\x9e\x32\x7c\xd9\x44\xae\xef\xe0\x7a\xd4\x80\xe3\xa3\x19\xfe\x5f\x5e\x63\xdf\x61\xbc\x6f\x47\x07\xfc\x49\xe4\x3a\x3b\xfa\xf0\x51\xc5\xdf\x4c\xde\xa9\xeb\x82\x89\x55\x22\x39\x36\x10\xea\x16\xe5\x9a\xf1\x60\xda\x6f\xdf\x59\xe9\xcb\x7c\xd2\x25\xfb\x32\xd9\xef\x1d\x61\xff\xaa\x62\x58\xe6\xb2\x4e\x37\x4b\x45\x5a\x62\x7b\x21\x23\xea\xa7\x8f\x04\x2f\xf0\x4c\xfb\x15\x99\x81\xae\x68\x61\x91\xf0\xd3\xdb\xa8\xc1\xaa\x3c\xa9\x81\x42\x35\xe6\x06\x9f\xd7\xa1\x22\x27\x71\x99\x0d\x05\xe3\xc8\xf5\xb6\x35\xd3\x9c\x79\xd2\x13\x2b\xb3\xab\x7e\xee\x10\x4b\x54\x72\x50\x2b\xe0\xa7\x77\xf9\xe0\xde\xb9\x37\x77\xe8\x8f\x2b\x29\x42\x97\x91\x22\xf4\x29\xcf\xca\x11\xfa\xa5\xfd\xa4\xa4\x57\x24\x09\xbd\xd0\xdb\x21\x4b\xe8\xeb\xd8\xb8\x2b\x99\x7d\x97\x99\xd9\xf7\xa0\xf7\x3d\xbb\x67\x74\xdd\xe4\xdf\xa0\x33\xba\x82\x40\xe7\x70\x55\x48\xaa\xc1\x2c\xae\x5f\xba\x8a\x1d\xdb\x6b\x34\x8c\xff\x9a\xab\x82\xb3\x95\x77\x70\x81\xf7\x0a\x91\x4f\xe8\x75\x46\xa7\xb6\x88\xb7\xe0\x09\xd4\xd9\x06\x83\x18\x1c\x49\xf5\x39\x76\x65\xb6\x5c\x61\xa3\xf8\xc6\x09\xdf\x4f\xdb\xc2\xf7\x81\x3d\xe7\xed\xec\xc0\x47\x11\xbc\xc8\x88\x5f\xec\xcc\x89\xe2\xeb\x27\x82\xd5\x87\xd8\xdf\x2b\x56\x8c\x3f\xf7\xd8\xc9\xdd\xfd\x40\x55\xab\x1b\x3c\x42\xef\xf5\xc0\xff\x6c\xaf\x40\xe5\x11\xd5\x20\xdf\x71\x51\xc6\x2d\x0a\x93\xd8\x52\x41\x80\x30\xee\x8a\x44\xb0\x9b\x45\x94\x9c\xb6\x6f\x6f\x0e\xe5\x39\x4c\x19\x19\xa2\x58\x92\xaf\x31\x97\xf0\x0a\x48\x9c\x82\xbd\xb8\xa6\xb5\xd3\xaf\x79\xec\xe6\x4b\x6c\x3c\x66\x8a\xfe\xac\xd2\xee\x06\x42\x35\x54\x9a\xa8\x15\x4e\x3a\x65\x52\x46\x2b\x24\x1e\x8a\xc3\x26\x5f\x16\x61\xd4\xc8\xd2\xa4\xff\xf0\x77\xc4\x83\xde\x3d\xbb\x6f\x21\x27\xfd\x9b\x1a\xb4\x6d\x54\xf6\xc3\xc0\xc6\xc1\xad\xed\x86\xbd\xf2\xa0\xb3\x89\xec\x9c\x0a\xbc\x7a\x7a\xc5\xff\xf2\x81\xe0\x8c\xf9\x39\xe0\xb6\x81\x48\x39\xc8\x6c\x4b\xc2\xbe\xc8\x79\x21\x5a\xbd\x3c\x2e\xfb\x15\x70\x52\xd5\xc9\xc1\xff\xfe\x00\xbb\x58\x63\x07\x36\xb2\xa2\x2c\xfc\xff\x54\x0b\xfe\xca\xbb\x3d\x2b\x08\x58\xc2\x68\xdb\x70\x5b\x91\x55\x69\xd4\x77\x59\x9d\x96\xc8\x4b\x0c\xac\xa0\xa0\x6e\x3a\x27\x3b\xec\x5b\x96\x4b\x59\xc5\x9e\x4e\x15\x2a\xeb\x00\xdb\x91\x14\x2b\xa2\x95\x8b\xd2\xf5\xee\x97\x80\x9b\x49\xe1\x47\xb2\x12\xf2\xf4\x0a\x52\x58\x1d\x0f\x1c\x2c\x2b\xeb\xc8\xb3\xde\x4b\x14\xbf\x14\xd4\x83\x1a\x0f\x9e\xe9\x44\xac\x97\x4e\x44\xc1\x08\xe2\xac\xaf\xd4\x18\x2b\xa0\x66\x80\x5e\xf5\xd9\x5a\xf0\xb1\xda\x8a\xfe\x5d\x15\x4d\x8b\x4f\x6b\x53\x07\x1a\xa0\xe4\xb9\x72\x65\xe5\xb4\x8d\xbb\x72\xdd\x75\x27\x9a\xfc\x94\x0a\x34\x82\x3a\xa9\x5c\x4e\x03\x2d\x24\xdf\xc9\xb3\x1e\x34\x59\xa7\x54\xae\x9c\x5d\x84\xce\x80\xaf\x86\x09\xf8\x55\x28\x30\x47\xdd\x42\xeb\x6b\x02\xb3\x12\x3b\x06\xcc\x0b\x96\x89\x35\x90\xe3\x1c\xa8\xb4\x02\x0c\x78\xb2\xa8\x39\xa8\xbf\x96\xc1\x10\xea\x96\x5c\x98\x9c\x39\xd5\x38\x95\x34\xe7\x20\x37\x41\xce\xa3\x4a\x5b\xb0\x5e\xa2\xf6\x38\x67\xd1\x37\x8d\xb3\xc6\x8e\x08\x4d\xb7\xaf\xae\x2e\x59\xf5\x41\xfc\xa9\x3f\x1b\x0b\xde\x5a\xab\xba\xe3\xc2\x32\x4a\x01\xa1\xcd\x83\x05\x06\x9e\x10\xba\xc7\x5a\xd8\xda\x14\x69\x54\x10\x47\xbf\x50\xa6\xeb\x93\x8a\xb4\xe3\x66\xd9\xde\x5b\xa6\x6e\xee\x86\xe5\xc6\x2d\x4f\xbd\xb9\x10\x72\x13\xe9\x86\x79\x79\x0b\x6f\xdc\xa2\x5e\xe7\xdb\x90\x76\x86\xff\xed\x02\x0e\xb0\xc2\x63\xce\x13\xcb\xb4\x28\xbf\xb8\x7c\x6a\x8e\x9f\x78\xd2\x4d\x37\xd4\x95\xe2\x45\x0a\x84\x6d\x1c\xb2\xa2\x06\xdb\x61\x9c\x16\x25\x9a\xea\x4b\x30\x84\x86\xeb\x25\xf1\x0f\x41\x9c\xec\xc4\xd4\x04\x25\x37\x6b\xe8\x77\x24\xd1\x9b\x78\xea\x04\x90\x4f\x5c\x33\xd1\xbc\xe8\x1d\x90\xf5\x77\xcf\xb8\xef\xf5\xd8\xbb\x3d\x86\x37\xfc\xb7\x7a\xc1\x75\xb3\xbc\x25\xd7\x4d\x4b\x69\x80\x70\x47\x19\x5b\xbb\x4e\x9e\x8a\xee\x36\x7b\xd5\x9c\x64\x37\xb1\x1b\x76\xdc\x30\x76\x1c\xce\xa5\xb0\xdc\x78\xd0\xbb\x66\x47\x2e\xfc\x23\xfe\xa1\xb0\xcc\x3a\x71\x8b\xb1\xd7\x1d\x76\xc2\xd0\x07\x62\xec\x97\xb2\x68\x5e\xe3\x8d\xdf\xd6\x8b\xda\xa2\x04\x3b\xc3\xef\x1f\x0a\x6e\xdd\xe1\x1e\xce\x13\xb7\xd9\x15\x8f\xee\x00\xe3\xf9\xa6\x2b\x18\x2c\x97\xad\x7b\x9f\x53\x66\x96\xd3\xf6\x54\x7a\x2a\x1b\x81\x17\xb9\x87\x71\xbf\xa2\xd2\x7f\x93\xc0\x76\x6e\xec\xae\x44\x2d\xf8\x73\x5a\x89\xaa\x5e\xa5\xae\x1a\x05\x83\x6e\x74\x29\x9c\x0c\x8c\x7d\xf6\x20\x7b\xc6\x25\x53\xb1\x0e\x26\x06\x6a\xaa\xd9\x7f\x3c\x10\x9c\xd9\xe9\x66\x05\xe3\x2c\xad\x4e\x15\xd2\x52\x1a\x3e\x4f\x50\x6c\xe7\x96\x9b\x17\xbd\xc3\x0a\xe2\xd8\xa5\x8a\x39\xc0\x1e\x18\x63\xfa\x9e\xff\x81\xb1\xe0\xfe\x31\x0d\x86\xec\x86\x10\x55\xa6\x91\xd1\xb7\x81\x04\x04\x5d\x1f\xea\xdb\x4d\x0d\xda\x61\xe2\x09\x4e\xf2\x06\x3f\x7f\x36\x4b\xc5\xf9\x93\x98\x99\x46\x6f\xe7\xe8\xdf\x24\x84\x6e\xc8\xd9\xd4\xd2\x0d\x64\x08\x3a\x82\xd1\x6b\x0e\xac\x53\x69\x9f\xbc\x0b\x14\x2f\x9d\x56\xa7\xc6\x37\x0c\x1b\xed\x49\x8b\xcf\x14\xb7\x3d\x24\xb2\xcd\x1c\x5a\x62\x45\x6d\x5a\x66\x3c\xca\x94\x61\x98\x9a\xd4\xe4\xb3\x26\xb3\xd7\x3a\x45\x30\x0e\xe1\x1b\x42\x44\x4a\x37\xd9\xd0\xe8\x18\xe4\x70\xd1\x3e\x1d\x20\x1b\xed\x12\xb1\x17\x19\xd6\x41\x13\x2b\x28\xc0\x82\x10\x55\x00\x73\x50\x3e\x6b\x7d\xde\xaa\x5b\x05\xd6\xf4\xaf\x78\xec\x10\x3d\xe1\xff\x82\xc7\x9e\xf9\x10\xd3\x05\xeb\x6a\x04\x2d\x55\x8f\x6a\xea\x63\xb7\xcf\x54\x87\x5a\x88\xde\x98\x9a\xa9\x26\xd9\x79\xcb\x09\x6e\x31\x07\x7f\xf4\xc8\x80\x9f\x25\xcb\x23\x52\xf7\xb4\x04\x3e\x2d\xc2\x42\xf8\xaf\x3f\x12\xfc\x3f\xf0\x97\x15\xe2\x97\xc0\x6f\x3a\x86\xb9\xa7\x8e\x97\x1c\xbe\x22\xa5\x2f\x43\x4a\xff\x94\x6d\x78\xf9\x91\xcb\x36\xbc\xb4\xbf\x5e\xb6\x95\x4f\x29\xdb\xca\x47\x47\xe0\x04\x8e\x98\x66\x60\x58\x79\x19\x18\x56\x9c\x60\x7e\x39\x8c\xf0\xc0\xc3\x3e\x20\xb2\xf6\x8d\x30\x8d\x1a\x68\xb3\xb8\xa2\x03\x5e\xb6\xb5\xbe\xb5\xbb\x96\x70\xab\x7f\x8b\xb6\xd6\x3b\x93\x63\x00\x82\x0d\xa6\x40\x95\xc2\xc0\xde\x74\xa8\xd2\x6a\x3f\x7b\x5f\x2f\x17\xf3\x71\xb1\x89\x76\x1b\x82\xf2\xfe\xcb\x83\xc1\xaa\xbe\xe3\x24\x5f\xa5\x1c\xae\xf3\xf9\xb0\x0c\x39\xdc\x25\x5e\x0b\xdc\xf8\xe0\x78\x0c\xe7\x31\x88\x5e\x41\xaa\x24\x0d\xeb\x23\xb7\xff\x28\x2e\x36\xcf\x42\x70\xf3\x21\xf9\xe7\xb9\xe5\x45\x47\x2c\xfe\xfd\x01\xf6\x11\x8f\x1d\x5c\x2f\x56\xe5\xe1\xe7\xa7\xbc\xe0\x9d\xde\xa9\x38\x11\x98\xcb\x83\xb8\xdb\xf2\x74\x88\x39\x01\x3a\x4a\x02\x3c\xf3\xf6\x33\x0e\xd1\xb9\xae\x18\xe6\xec\x00\x6a\x0b\xe6\x06\xf1\x85\x0b\x4d\x1e\x88\x0b\xe5\x75\x41\x9d\x07\x17\xd6\x0b\xf9\x4f\x5a\xae\x17\x41\x93\x2f\x76\x30\x03\x23\x21\x01\x6a\x62\x0f\xf1\x05\x1e\xaf\x0f\x58\x50\x8c\x74\xfa\x5d\x8f\x24\xfb\x6f\x7a\xc1\xc7\xbd\x05\xa0\x7e\x37\x0a\xc8\xca\x46\x98\x8b\xe8\x24\xef\xf4\x92\x12\x72\x1a\xd7\x92\x6c\x8d\xcb\xde\x40\xf6\x4c\x05\x10\xa3\xb8\xa6\xf8\xbc\xc0\x08\xc1\xe8\xa4\x4a\x8a\xd6\x6f\x54\xbf\x70\x26\x4c\xc3\xb6\x7c\x3c\x84\xc1\xea\xe0\x4f\x2e\x25\x10\xbe\x75\x0c\x83\xe0\x52\x7d\x8b\x72\x61\x90\x82\xab\x10\xe5\x64\xd3\xc1\x65\x2a\xa0\xca\x76\x13\x2f\xb0\xc3\xb9\x08\xa3\x3b\xd3\xa4\xef\x27\xc1\xbf\x19\x02\x5f\xe0\xc7\xe4\xed\xa9\xed\x3c\x2e\xc5\x24\xda\x2e\xe5\xb3\x1c\x4d\x05\x40\xd8\x9e\xe5\x44\xe3\xa3\x6f\x2a\xd3\x56\x9c\x72\x9c\x8f\x67\x64\x7b\x0a\x17\xc8\xe1\x0e\x76\xb4\x05\x42\xbd\x7d\x26\x8b\x00\xc5\x14\xcc\x2c\x73\x78\x0d\xc2\x3c\x4e\x72\xa9\xdc\xd5\xa1\x60\x2e\x4b\xa6\x3f\xef\x96\xb5\x71\x46\xea\x14\xd3\x33\xd2\x3f\x19\x34\xa4\x32\x78\xd6\xb2\x64\x99\x1e\x23\xcd\x0e\x3a\xde\x46\x76\xa2\x72\x66\x99\x9a\xce\xfe\x0d\xc1\xa4\x2c\xe6\xdc\xf2\xe2\xfe\x8a\xf8\xda\xa3\x5c\xbe\xc6\x0a\xdc\x7d\x42\xd5\x97\xfb\xc7\xaf\x3e\x2a\xf8\x5e\xf3\xb3\x22\xca\x1e\x20\xf6\xb5\xc1\x4c\xa7\xd3\x2b\x30\x71\x98\x00\xe7\xe5\x62\x39\x4f\x51\x91\x3a\x4e\x46\xc5\x9c\xa1\x4a\xeb\xc0\xdc\xf3\x50\x2e\xf5\x96\x98\x54\x51\x21\xce\xe2\xfd\xe0\xb7\xb1\x5f\xf2\xd4\x4f\xff\x67\x3c\xf6\xd4\x51\x64\xbe\x43\xad\xd3\xfb\xb1\x66\x0e\x08\x4a\xad\xda\xac\xcb\x2d\x00\xe9\xb8\xb0\x05\xa4\xf5\x11\xb0\x1a\x36\x6e\x73\x24\x5b\x40\x9d\x6f\xc4\x65\xd1\xe8\x8a\xbc\x41\x81\x66\xa0\xd5\x2b\x43\x1f\xbd\x32\xd9\x64\xaf\x01\x5c\xec\xa8\xf0\x5f\x3e\x02\x17\xbb\xb2\x09\x4b\x59\x54\x38\x0d\xf8\x84\x07\x81\x76\xa3\xeb\x0f\xd1\xc5\x14\x41\x6b\x7b\x08\x70\x0c\x29\xd6\xdf\x6d\x09\x58\xbd\x11\x68\xae\x68\x00\xcd\x55\x51\x88\xc8\x6a\xdb\x64\x93\xdb\xc6\x68\x65\x5f\x0b\x11\x15\x5e\x8a\xb2\xb6\x20\x1c\x6e\xb0\x9c\x61\x5e\x38\x10\xe8\xe6\x26\x91\xca\x86\xa3\x6f\xb2\xd7\x8d\xc9\x45\x8f\x5b\x98\xff\xf2\xb1\xd1\x5c\xcd\x43\x7d\xa3\x8e\x90\x4e\xff\x7c\xb4\xa6\x55\x59\xbb\x8f\xf4\x45\x35\x5d\x15\xc7\x2f\xb2\x88\x19\xb0\xee\x38\x35\xea\x2a\x10\x40\x01\xd9\xe0\x24\x47\xdc\x8a\x32\xb3\x09\x24\xf6\xdd\xe3\x80\x6b\x32\xb7\x74\x8e\x67\x39\xef\x88\x4e\x96\xf7\x27\x9b\x7c\xa5\x07\x59\xad\xb2\x5a\x78\xf4\x5c\xeb\xc5\x09\x58\x9b\x9d\xaf\xa1\xbe\x01\xb1\xee\x50\xdb\x30\xd1\x24\x52\x2a\xaa\x2d\x83\x34\x17\xc3\x8d\x66\xf2\x11\xcb\x8c\xa7\xf2\x54\x97\x68\x22\x03\xf5\x41\x93\xeb\x1e\xc8\x89\x15\x70\x3a\x61\xb2\xb7\xd6\x28\x12\xea\x62\x2d\x78\x79\xad\x24\x2e\x2b\x18\x43\x8a\x8b\xa2\xae\x54\x47\x52\xbe\x68\x73\xc8\x51\xbc\x55\x30\xa7\x12\x2e\xd5\x68\xc9\x1d\x51\x91\x7a\xc8\xbf\x71\x91\xca\xbf\x96\xe0\xfb\x59\x0e\x88\x04\xea\x59\xe8\xd8\x4e\x88\x0c\x70\x38\xdd\x5d\x71\x42\x1d\xae\x94\xbb\xb3\x59\x29\x4e\x56\x7d\x96\xab\x26\x98\x5e\x41\xe8\x4e\x7c\x9f\x50\xf2\x1b\xed\xb0\x14\xfc\xf6\xa5\x59\x5d\xc0\x19\xea\xa8\xb8\x50\x08\xf9\xb6\x8c\x7d\xf3\x38\x7b\x54\x6b\xf0\x5b\xfe\xcb\xc6\xd9\xd3\xf7\x35\x95\x87\xaa\xeb\xcc\xe9\x0f\x8d\x99\xb4\xd5\x6f\xc8\xec\xb6\x70\xa8\x54\x3d\xe2\xd4\xcc\x79\x0d\xd9\xf4\x4f\x7c\xce\x57\x70\x6a\x12\x03\x02\xc4\x90\x60\xec\xa7\xa2\x49\x20\x3d\xb0\x6a\xaa\xa8\xb7\xd6\x93\xb0\xdd\x64\x7f\x5d\x63\x87\x95\x19\xc6\xff\xc3\xda\x3e\x85\x5c\x15\xff\x4d\xf0\x96\x9a\xb6\xeb\xd8\xd3\xc0\xe5\x24\x51\xe0\x36\x7b\x66\xc2\x01\xf4\xd7\x10\x99\xdd\xad\xaa\x98\x3d\xdf\xc6\x2b\xa2\x30\x7e\x38\xff\xeb\x78\xc2\x62\x04\xf5\xcd\xd7\x99\x67\x67\x77\xed\xe7\xf8\x3f\x01\xed\xe7\x72\x36\xc8\xe3\x57\x36\xc8\x2b\x1b\xe4\xb7\xc6\x06\x79\xfc\xca\x06\xf9\x4d\x31\xe7\xbf\xf9\x36\xc8\xe3\x57\x36\xc8\x4b\xdd\x20\x2f\xfd\x64\x7d\xfc\x9f\xfe\xc9\xfa\xf8\xb7\xf8\xc9\xfa\x1d\x87\x2b\xd3\x79\xe6\xe2\x34\x12\xb9\x63\x9a\xfd\x3f\x87\x82\x3f\xf1\x96\x6d\x38\xac\x16\x3c\x64\xa2\x27\x35\x9f\x3d\xbf\xb3\x2b\xd2\xa2\x0c\x5b\x9b\x4d\x3e\xcb\xe7\x9c\xc7\x20\x1e\x0d\x20\x3f\x55\x35\xc1\xa6\xaa\x37\x25\x0b\x14\x7e\xd5\xa4\x73\xc1\x5b\x61\x52\x0c\xa5\x60\xe7\xa2\x1d\x23\x7e\x0e\xe4\x45\xf5\xd6\x44\x22\xca\xa6\xfb\xcd\x42\x59\x65\x79\xb6\x9d\x8a\x1c\x70\xbb\xd0\xfc\xd8\x51\x74\x00\x2b\x0b\xa7\xe3\xb4\x77\x01\xb2\xaf\xd6\x04\x8c\xff\x45\xef\x30\xbe\xbe\x38\xef\x68\x5b\x7f\x7d\x80\xbd\xa8\xa6\x0d\xc5\x7f\xef\x05\x7f\xfc\x30\x1b\x8a\x61\x7a\x14\x27\x1f\x2a\x73\x71\x95\xab\x81\xe6\x60\xa1\xfc\x0d\x9d\x7e\xf1\xdc\xa4\x81\xe3\xdb\xe8\x46\x53\xcb\x0b\xb3\xf3\x67\x16\x9a\x1d\x67\xc7\xfe\x45\xcf\xb2\xc4\xbe\xdf\x0b\xde\xee\x99\xb4\xc3\x87\xd7\x2a\x7b\x99\x4d\xb0\x4c\xba\x6f\xf4\xd8\x11\x0c\x1a\x5c\x16\xeb\xfe\x7f\xf2\xd8\xf5\x7b\xa0\x66\x69\x85\x09\xca\xb5\x65\x85\x4d\x1d\xdc\x6d\x9a\x0e\xde\x4d\x92\x0b\x14\x8f\x48\x82\x8b\xa6\x36\x64\xd5\x2a\xec\x15\x8b\xc3\x5a\x33\x13\xc0\xf2\x59\x81\xe5\xc3\x5e\xec\x31\x3d\x0d\xfd\xfb\x82\x8e\xc2\x53\x8c\x86\x19\x32\xad\xec\x47\xb9\x09\x40\xcb\x1f\xba\xd1\xfe\xe8\x61\x76\x4d\x15\xce\x0c\xb4\x70\x09\x13\x53\xe3\x2c\xf5\xdf\x78\x38\x78\x45\x6d\x36\x0a\xbb\x08\xa5\x8a\x1d\x00\x50\x06\xa1\xca\x5f\x15\x91\x4a\x81\x65\x8c\x82\x20\x4a\x91\x9a\xe0\x3d\x92\x50\x58\xf4\x44\x81\x2e\x1f\xd4\x51\x95\xcc\x23\x29\x84\x8a\xd8\x70\xc1\x52\x1e\xc0\x82\xb3\x34\x14\x00\x5c\x22\xd1\x61\x95\x48\x92\x03\x32\x2c\x09\x67\x56\x6a\xbe\x0a\xc7\x10\xd5\x18\x03\x0d\x61\x0f\x2b\x7d\x4b\x07\x12\x22\x88\x58\x69\xa1\x2b\x77\x34\x65\x9b\x92\x1e\xff\x78\x80\xbd\x6d\x5c\xc5\x5e\x5d\x1c\x0f\x7e\x7b\x6c\xd1\x59\x9e\xa4\xa7\x6f\x8a\x7e\x03\xdd\xf0\xdd\x30\xce\x2b\xaa\x4d\x5d\xa5\xd1\xd1\x23\xea\x2e\xab\x87\x54\x97\x40\xe7\x5b\x93\x03\x72\xf9\xa0\xbd\xdb\xa0\xe8\xd9\xa8\xc0\x0a\x0b\x83\x86\x44\xa3\x2e\x23\xbc\xe1\xe2\xfa\x60\xb6\x2d\x44\xb9\x46\xd8\xb7\x23\xbe\x6c\x71\x1c\x86\xe5\x06\x69\xa3\xbd\x74\xe8\x6d\x72\xf8\xd3\xe8\xc2\x07\x43\x05\x04\x69\xca\xd0\x04\xf6\xc8\xc8\x88\x50\x5b\xd4\x45\xd8\x0b\x4e\x2a\x70\x21\xca\x5e\x17\xcb\x47\x4e\x9a\x5e\x0a\x6c\xfd\x88\x72\xd2\x09\xf3\x4d\xa9\x94\x69\x2a\x97\x25\x08\xbf\x54\x88\x85\x3a\x1d\x57\x39\x71\x07\x33\x6a\x27\x9a\xcd\x09\xca\xd5\xcd\xed\x1c\x5a\x4a\x9c\x35\xb1\x75\x4d\x56\x67\xd7\xee\x2a\x5d\x74\x3a\x39\xfb\xf7\x0a\xba\xf9\x7b\x83\xcc\xf6\x0c\xd1\x90\x97\x0f\x31\x74\x17\xcc\xfd\xa9\x6b\xe0\x1f\x37\x53\xf5\xb0\xea\x1b\x7f\x2e\xb8\x7e\x45\x93\x23\x10\x95\x91\xee\x73\xa0\x2b\x2d\x11\x4e\x45\xf5\x1e\x91\x23\x38\x22\xf7\xfd\x47\x76\xa4\xef\x23\x4b\x16\x45\x88\x00\x73\xeb\x8b\x8f\x04\x37\xda\x17\x5c\x40\x4e\xb8\x62\x45\x4e\x3b\x44\x60\xce\xba\xfb\xf9\xc3\xec\xf3\x35\x76\x34\xec\x76\x97\x14\x7d\xe6\xc7\x6b\xc1\x87\x6a\xab\x1b\xc4\xb2\x48\x11\x0d\x9a\x4c\x53\x87\x31\xd9\x0c\xa9\xb0\xf4\xd6\x33\xd4\xec\x0b\x95\x31\x63\xe9\xff\x04\x89\xd0\x4f\xcb\xf0\x42\x93\x9f\x4b\x1b\xdd\x5c\xac\xc7\x17\x44\xa4\x98\x41\x73\x50\x94\x10\x7a\x5c\x7e\x62\x71\xf6\xec\xac\x29\x89\x34\x75\x7a\xf8\x58\x88\x6e\xd9\xe5\x53\x73\x8d\x1b\x4e\x9c\xb8\x1e\xcf\x70\x18\x1f\xbd\xbd\xbd\xdd\x8c\xc3\x34\x6c\x66\x79\x7b\x0a\xc0\x43\x52\xa9\xcc\x14\x53\x54\x44\x03\x8a\x98\x94\xc2\x2c\x6d\xe8\xf2\x55\xeb\x74\x4c\x43\xaf\x80\xd5\x66\x57\x51\x9d\x78\x3b\x7d\xd0\x1c\xd3\x3e\xa0\x7b\x77\xfa\x0d\x8c\x2d\x6b\x68\x62\x55\x7b\x96\x3c\x30\x46\x93\xf5\xc3\x63\xc1\x8f\x8f\xad\x3a\x61\xf9\xba\x0f\x67\x89\x25\xb5\x40\xc0\x16\x77\xb4\x70\xce\x10\x44\x4f\x0f\xd0\x8e\xa1\x0c\x1d\x5e\xef\x3e\x0d\x59\xc5\x72\x3a\x13\x40\x73\x68\x8f\x82\x3e\xf0\x10\x38\xac\x8a\x03\xd7\x81\x1a\x44\x42\xde\x84\xda\x7c\xcf\x3d\x4d\xfc\x90\x21\x17\xb2\x98\x62\x53\x02\xd3\xa3\xd8\xa8\x2c\xe7\xdd\xb0\x28\xf8\xfc\xd9\x95\xe7\x9c\x9e\xbd\x6d\xe1\xb4\xc5\xfd\x72\x92\x5f\xab\x67\x7e\x2a\x55\x40\x88\x0b\x0f\x53\x7e\xc3\x09\x93\x77\x54\xf0\x24\x4b\xdb\x4d\xf5\x28\x20\xc9\x60\xb8\x7c\x92\x6d\x03\xb2\x88\x3c\x7b\xcb\x33\x33\x51\xd4\xda\xaf\x66\x39\x9f\x68\x4c\xe8\x97\x51\xdc\xc8\x59\x01\xc1\xf0\x94\x6b\x52\xfd\xb2\x81\x5e\x52\x20\x86\x55\x08\xa0\xef\x53\x54\x50\xf7\x6b\x98\xcd\x57\x1b\x82\x5d\x03\xe2\x61\x47\x72\x19\xaa\x5c\x05\xc2\x6a\xf6\x08\x1c\x6e\x39\xeb\xe5\x8d\x5c\xc8\xcf\xb4\x14\x95\x80\x61\x7b\x2a\x45\xde\xcd\x45\x69\x72\x52\x60\xff\xb9\xa0\x69\x5a\x35\xf5\xb7\xec\x2e\xd9\x32\x17\x45\x61\xcd\x22\xc5\xbd\x2b\x58\x94\xf5\x5d\x5c\xda\x71\x29\x2b\x9d\x1c\x88\x72\x81\x32\x97\xd8\x72\x9d\x2e\x1a\x64\xbd\xfd\x89\xef\x66\x7b\x0b\xee\xba\x3b\x2c\x5b\x1b\x0b\x5b\x22\x2d\xfd\x7f\xf8\x17\xc1\x0d\xf0\x57\x25\xbe\xbc\xd8\x22\x90\xdf\x90\x6f\x23\xbf\xaf\x89\xdb\x34\xd0\x07\x28\xc0\x1c\x59\xf6\x9b\x35\xf6\x0b\x35\x7d\x26\x7f\x7f\x6d\xe7\x5c\x39\xb7\x9a\xb9\x3c\x67\x75\x44\x73\x39\xdc\x5e\x50\x21\x8e\xc1\xdf\x78\xa8\xcb\xf2\xb8\x38\xc9\xf8\xb5\x72\x2c\x57\xc9\xbe\x87\x84\xb0\x59\xce\xcf\x64\x11\x8c\xe7\x49\x4c\xb8\x11\xdb\x2e\xf3\x21\x19\x3d\x06\xde\x9e\x97\x27\x31\xf5\x4e\xc5\xf3\x36\x74\xae\x3a\x0a\x46\xf2\x1d\x40\x7b\x77\xcb\x02\xf6\xba\x93\xfc\x5a\xca\x6b\x83\xc0\x2d\xa2\xa1\x10\xd1\x93\xc9\x80\x0e\x01\x7b\xb0\x47\x03\xe0\x4e\x21\x52\x88\x48\xe2\x91\xe8\x0a\x84\x97\x21\xf4\x09\x71\xa1\x6c\x56\xa2\x8b\x3f\xe8\xfd\xca\xe3\x76\x0f\x89\x7a\xe7\xe3\xfc\xb7\x3d\xae\x2a\x85\xd9\x8c\xfc\x40\x02\x5a\xa3\x3a\x1d\x2d\x8c\x08\x84\x65\x30\x98\xca\x2a\xa8\xb1\x9f\x87\x2b\xc2\xaf\x86\xdf\x97\x27\x66\x88\x3d\xdd\x47\x59\x0f\x51\x31\x83\x55\x72\x42\x6d\xf7\x5e\x95\xbd\x7c\x84\x8f\xfc\x88\x5d\x85\xcb\xec\x8f\x4b\x2b\x60\xa8\x27\xba\xc5\xbe\x3e\xba\x87\xc7\x2f\xe5\x13\x60\xf1\xda\xb5\x87\xad\xce\x75\xe8\x3c\x86\x7b\xb7\xf2\xf6\x5e\x2b\xbe\x9f\x4a\x18\x26\xd3\xaa\x3a\x0c\xdd\xdd\x6f\xdf\x19\xb3\xe0\x65\xcf\xcf\xe3\x83\xf3\xd3\x2a\xfb\x52\x3e\x78\x5c\x8d\x19\xbd\xba\x26\x1f\xdb\xc7\x5c\xda\xdb\xf3\x03\x1d\x62\x65\x9e\xee\x67\xe1\x5e\xc6\xdb\x83\x15\x18\x11\x8a\xba\x87\x0a\x5c\xc2\xdb\x03\x15\xd8\x91\x8b\x78\xf7\xaf\xef\xfb\xd5\x81\x4f\x83\xde\x70\x09\xdd\xbe\xbf\xf7\x06\x3f\xaa\x65\xe8\x43\xb4\x7e\x41\x4b\xb5\xd6\x81\x4d\x92\x64\xd2\x32\x06\x57\xf3\xc8\xa7\xf6\xd9\xa4\xb8\x13\xb6\x05\xe5\xb4\xed\xb1\x04\xaa\xf4\x7e\xdb\xa6\x02\xc2\x47\x34\xcc\x4a\xd3\xdc\xf7\xc0\xee\xff\xdd\x81\x9e\x48\xb3\x48\xec\xe3\xb3\x23\x5a\xba\x4b\x49\x97\xf4\x45\x55\xd9\x4a\xe1\x4f\x69\x68\x95\xdf\xda\x35\x79\xad\xf2\xad\xbd\x6e\x3b\xf9\x5a\xd8\x6a\xee\xb0\xf7\x8c\xe8\xa1\x9d\x5f\x1b\xd5\x5f\xfb\x7a\x6b\xd4\x50\x1b\x98\xe2\xfd\xcf\xb3\xfd\xbf\xab\xd7\xcb\x25\x97\x30\x58\x7d\x22\x1c\xdd\x7f\xdd\xf7\xf7\xe2\x50\xc5\xf7\xf7\x3a\xa5\x3e\xfc\xe2\x61\x27\xb3\x7e\x90\x72\xdd\x8d\x4e\x5d\xee\x25\xc2\x7f\xe5\xe1\xe0\xc7\x3c\xfb\x8a\xb2\xc0\xaa\x9c\x7a\xf2\x0f\xe2\xa1\xaa\xa7\x4e\x6e\x36\x31\x59\x57\xe4\xeb\x59\xde\xe1\xc0\x64\x48\x59\x1f\xe8\x4b\xc3\x32\xf2\x48\x80\x25\x23\x46\x50\xdf\xb8\x9d\xc2\x5e\x9c\x02\x89\x54\x5f\xdb\x36\xa3\x1e\x1a\xc5\x54\xec\x00\xc1\xd5\xf6\xf1\xc0\xde\xca\x3a\x5d\x79\xbc\x6b\x5e\xf4\x0e\x6c\x89\x7c\xcd\x4d\xd0\xfe\xf8\x41\xf6\xa2\x1a\x3b\x12\x76\x63\x40\x47\x2c\xfc\xbf\xf1\x82\xff\xee\xcd\x2e\x2d\xe2\xcf\x2a\xe4\x06\x75\x13\xed\xee\x0e\xbb\xbd\xd5\x0a\x79\x26\xd4\xc9\x0b\xb3\x4b\x8b\xc4\x49\x37\x44\x87\x99\xf6\x15\x17\xb6\xc1\x74\x51\x29\xfd\x14\x4f\x83\x16\x8c\x5e\x07\xd8\x61\x22\x2b\xa9\x93\xc0\x84\x75\xe9\xc6\xcf\x4a\xd0\xd4\x1c\xf8\xf1\x90\x5e\x26\x4c\x92\x51\x08\x16\x1f\xf4\xd8\xd5\xaa\x64\x80\x42\xf4\xdf\xe9\x05\x2f\xd3\x03\x0c\x97\x28\x4c\x42\xe3\x4f\x6c\x6f\xc4\xa5\x19\x6f\xb4\xc9\x69\x52\xa5\x1c\xe8\x99\x2c\x3a\x25\x3e\xab\x0d\x54\xc2\xb0\x71\x85\x0e\x72\x81\x99\x1f\xfb\xa9\xfb\x57\x3c\x76\xc4\xd0\xf1\x7e\xce\x0b\x3e\xa8\xeb\x5d\xb8\x38\x0f\x03\x04\xb9\xc3\x75\x74\xbe\xa9\xdd\xb7\xda\x9e\xaf\xe7\x49\x93\xf1\xe0\xda\xa9\xf5\x2c\x0b\x06\xa1\x6b\x2c\xf2\x5a\x3e\xb1\x9e\x65\x13\x88\xd8\x95\x24\xee\xc0\xed\x54\xee\x88\x66\xbe\xc1\x63\x38\x83\xfd\x1f\xf0\x82\xed\xbb\x44\xbe\xe6\x36\xce\x8a\x3f\x70\x38\x46\xe1\x1d\x44\x01\x3d\xc9\xdb\xa2\xac\xc3\x1b\x75\x34\xe5\xd4\x89\x57\xa2\x4e\xb9\x8b\x75\xb4\x6c\x88\x3a\xef\xe6\xd9\x85\xfe\x7e\x86\xe1\x0d\x87\xd8\xc9\x5d\x65\x08\xf1\x46\xce\x02\xbd\xfa\xb2\xd8\x8a\xc5\x36\x9a\x4a\xfc\x2f\x1e\x0c\xbe\x73\xc7\xbb\x17\xbd\x43\x34\x31\x9c\xe5\x7b\xff\x41\xf6\xc2\x1a\x3b\x88\x44\xf5\xfe\xdf\x79\xc1\x1f\x79\xf3\xf0\xb7\xcb\x79\xbf\x9a\xf7\x04\x8f\x71\x25\xd1\x6a\xdb\x56\x41\x6b\xf8\xae\xcd\x3e\x84\xc4\xa8\x72\x01\x03\x04\xac\x12\x58\x71\x41\xfe\x61\x44\x83\x55\x5f\xa1\x24\xe0\x52\x05\x95\xa9\x66\x8b\x9c\x6f\x84\x05\x4f\x33\x9e\x75\xe3\x14\x52\xf6\x52\xe3\x8b\xc8\xcc\x73\x56\xad\x9a\x9c\x6a\xdf\x31\x68\xa9\x25\xd5\x7d\xd6\x54\x63\x98\x93\xfa\x8b\x35\xf6\x48\xb1\x15\x26\x3d\xe8\x6c\xb0\x41\xf9\x9f\xa8\x05\x1f\xae\x2d\xb8\x17\x69\x05\x2b\x9e\x3f\xc8\x48\x0b\x4b\x04\xe8\x46\x8f\x53\xd6\x82\xf8\x8f\x88\x47\xbd\x5c\x93\xf2\xda\x23\xc9\x5b\x1b\xa2\xb5\x09\x71\x43\x10\x1e\x57\xc6\xb9\x48\x2c\x8c\xf0\x32\x93\x73\x0c\xac\xd1\x50\x20\x22\x8f\x70\x15\x9e\x25\xe5\x65\x9c\xf6\x84\x05\xba\xec\x16\x4f\x30\x4f\x71\xca\x8b\x6e\x8c\x96\xb8\xb8\x44\xd0\x70\x29\x14\xc3\xb4\x25\xea\x7c\xf9\xb6\xd9\x39\x15\x9c\x05\x56\x1e\x88\xc3\xc9\xb3\x44\x20\xae\xb5\x48\xb3\x5e\x7b\x03\x2e\x90\xc8\x05\x04\x6c\xe5\x81\x83\x3a\x65\x3d\x84\x5b\x21\x8a\x41\xc4\x76\x45\x29\x0e\x82\xd8\xb1\xa9\xde\xa3\x81\x5a\x57\x82\x53\xcb\xf8\x86\x33\xc5\xa0\x3f\x34\x4a\xfd\xf6\x46\x9f\xb0\xb2\x45\x51\xf2\xed\xd0\x6c\x7b\xc0\xf1\x9c\x0e\x26\xc3\xb5\x98\x9a\xde\xfe\x33\x83\xa7\x5b\x43\xad\xe0\xb6\x47\xcf\x61\x7a\xb7\x4e\x13\x54\x4f\x65\x77\x92\xbc\xf1\xb1\xec\x14\xad\x4f\x29\x2a\x1a\x61\xbb\x9d\x8b\x76\x58\x66\x6e\x4e\xb9\x63\x24\xd2\xec\xa4\x4b\x8b\xe4\x89\x80\xd8\xe2\xcf\x7c\x47\xf0\x56\xcf\xbd\x66\x76\xc2\x41\x0e\x58\x04\xbb\x97\x23\x04\xee\x5a\xc8\x0f\xa5\x2b\x84\xe0\x4f\x27\x0d\x8e\x71\x16\x65\x89\x1b\xaf\x8e\x3b\x91\xab\x0b\xc6\xb3\x9f\xf5\x10\x72\x8a\x26\x13\x52\xcf\x0b\xfb\x98\x2e\xa5\x9d\xce\xfa\x6d\x5e\xf4\x1e\x03\x3b\xe3\x52\x1e\x67\x79\x5c\xf6\x89\x86\xeb\xa2\xf7\x48\x52\x81\xd4\x0d\x47\xaa\xfc\xcd\x63\xd8\x9f\x7a\xec\x70\x2b\xbc\xad\x97\x46\x89\xf0\xbf\xe4\xf9\xe3\x6b\xfd\x52\x04\x6f\xf7\xe6\x66\xf1\x1a\x4a\xde\xa5\x85\x33\x5c\xa4\xad\x2c\x12\x11\x9f\x9b\xe5\x6b\x78\x0b\x9d\xbe\x83\x68\x3d\xe4\x7c\x01\x3f\x8d\x94\xca\xd8\xe6\x09\x72\x01\xa5\x6d\x17\x23\x6b\xd0\xd5\xae\xe2\x71\xf2\x5e\x51\xf2\x3c\xcb\xca\x42\xa5\x93\xea\x83\x1a\xf4\x0c\x31\x64\x5b\x76\xe2\x3d\xc1\xe6\xcc\xb1\x03\xd0\x4f\xfe\xc9\xa0\x81\xca\x0d\x29\x3e\x46\xb7\x00\x15\x08\x39\x3d\xf1\x73\x80\xf6\xe5\xf8\x1d\x0e\xb0\xca\xde\xf6\x5f\x7b\x40\x79\x68\x5e\x78\xe0\x69\x83\x0f\xa4\xbd\x8e\xfa\x58\x97\x2e\xe3\x67\xf0\xb3\xe4\xfd\x43\x6f\x5b\x09\x68\x01\x65\x93\xdf\xae\x88\x12\xe8\x05\x4b\x9b\x90\x05\xb5\x55\x13\xba\xe0\x82\xce\xd1\xeb\x4a\x04\xd4\xc8\x81\x84\x2e\x2c\x5d\x40\x96\xba\xe1\x14\x68\xa7\xb7\xb1\x39\xac\x3a\x21\x24\xb7\x22\xdf\x17\x5b\x22\x55\xcc\x0d\x95\xad\xa3\x20\x38\xf0\x56\xea\x2a\x6e\x6f\x64\x89\xaa\x68\x5b\x80\xb3\x65\xc3\x6d\x14\x6a\xc2\xdd\x3c\xee\x84\x79\x9f\x17\x59\x0e\x02\x57\x07\x66\x0e\x7d\xaa\xd3\xeb\xd4\x51\x67\x16\x11\x96\x55\x68\x3f\x58\x99\x41\x83\x8b\x92\x1f\x3b\x3e\xad\x5c\x18\x33\xd3\x93\xf8\x0d\x8c\xd9\xab\xfc\x0a\xcc\x30\x79\xc2\x58\x13\x18\x55\x82\x31\x7a\x71\x61\x52\xea\x6d\xdd\x58\x05\x95\xf2\x63\x5b\x33\xcd\xb5\x50\xc7\xf7\x6d\xcd\x34\xd7\xb3\x6c\x92\xdf\x2d\x26\x2c\x5e\x6e\xd8\x77\x50\xf1\x43\xe5\xe4\x5a\x3a\xb5\xf0\x63\xe2\x42\x4b\x74\x4b\xcb\x96\x33\x29\x47\x7f\xe6\x26\x05\xea\xbe\x14\x86\x2b\xa2\xe0\xc7\x20\xfe\x68\x23\x5e\x2f\xeb\x7c\x5e\xc4\xf2\x29\x70\x5b\x6b\x8f\x8b\x4b\x85\x72\x7c\x7a\x7a\xba\x70\xfc\x71\xbf\xea\xb1\x6f\x8f\x53\xc0\xc3\x13\x2b\x9b\x71\x77\xf5\xf4\xca\x5d\x52\x80\xf4\xfd\xf7\x79\xc1\xdb\xbc\xc5\xaa\x5b\x4a\xec\x14\x83\xd0\x76\x8e\xec\xc1\x30\xf3\x0a\x71\x67\xad\x21\x13\x7d\x5c\x94\x79\x96\xb6\x91\x3c\xa9\x95\xf5\x20\x4a\xb2\xc9\xf9\xb3\xb2\x9e\xed\xff\x96\x6d\x30\x12\x08\x99\xf8\x5d\x19\xff\xbf\x6b\xec\x10\xf9\x94\xfd\x3f\xab\xb1\xbb\x2a\xdd\x6d\xfb\x96\xfe\x24\xe6\x4d\x10\xd9\x7f\xae\xd1\x25\x94\x83\x3a\xb6\x47\x79\xad\x55\x74\x80\xf6\x67\x1a\x89\x87\x5b\x25\x79\x94\x55\xe7\x40\x5c\x3e\x38\x6e\x01\xef\x4e\xc1\xd4\x99\x6f\xa4\x71\x52\x1f\xa4\xf1\xdd\x08\xd3\x28\xb1\x51\xfe\xb4\xb0\xb2\x38\xe1\xe1\x21\x11\xc1\x26\x94\x24\x7d\xcd\x21\x60\x06\x40\x20\x16\x0a\xc8\xeb\x22\xee\x74\xe5\x20\x88\x44\x40\x52\x00\x35\x87\x62\xca\xb1\xac\x9c\xb7\x36\x42\x8c\x5a\x5f\x13\x0a\x41\x50\x44\x40\xb1\xac\x40\x81\xce\x04\xb7\xde\x65\xea\xa0\xea\xa6\xaa\x35\x24\x45\x9b\xdc\x25\x45\x09\xb6\x66\x02\xe7\x80\x73\x88\x0d\x6e\x58\xfe\xaf\x1d\x52\x42\xf5\x67\x0f\xdd\xe5\xde\x53\x08\x87\x44\x31\xa7\x8e\xd1\x4a\x88\xd9\x55\x89\x53\x15\x45\x1d\x97\x24\xde\x9a\x5c\xfb\x9d\x15\x13\x3e\x84\x06\xdc\x27\xf2\x6c\x17\x99\x34\x50\x8f\x61\x71\xb4\xb3\x1c\x5a\x89\xe5\xf4\x89\xcb\x89\xc2\xaa\x53\x88\x35\xc2\x18\x29\x12\x65\x8a\x3a\xaa\x13\x26\x09\x1c\x52\xd6\xc2\x35\xcc\xd3\x97\x0f\xcd\x4c\x23\x50\x1f\xc4\x26\x68\x52\x7f\xd5\x5a\x12\xad\xb1\x50\x44\xa4\x74\x9d\x22\x26\x06\xb7\x6c\x29\xeb\x7a\x44\xc8\x8a\x0c\x87\x54\xb5\x50\xf5\x14\x4d\xd4\x81\x72\xe2\x82\x07\xb0\xc6\xa4\x54\x0b\x80\xa4\x0a\x67\x97\xec\xaf\x70\x2d\xdb\x92\x33\x2a\xb5\x9f\x19\x28\xa1\x50\xcc\xb0\x52\x9a\xa9\x3e\x4c\xc4\x85\xb8\x95\xb5\xf3\xb0\xbb\x11\xc3\x5c\x6e\xf2\xe0\x8e\xa1\x12\x0a\x3b\xb2\x2b\xe4\xc1\x56\x40\x67\x13\x59\x14\xc6\x03\x29\xd4\x58\xea\xd0\x63\x25\x90\xae\xdd\x9b\xe9\xfd\x6e\x92\x5e\x51\xda\x6d\x42\x4c\x4a\xd8\xba\x00\xf6\x03\x4c\xda\x91\xe2\x21\x40\xb6\x62\x24\x1a\x77\x0b\x8d\x53\xab\x50\x98\x3b\xf2\xf8\x24\xd5\x71\x8c\x27\x46\x18\xc2\xb5\x3e\x7f\xda\x2c\xbf\x85\xcb\xc2\xf8\x2d\x94\x85\x71\x0c\xa1\x12\x9f\x36\x8b\x12\x46\x43\x14\xc9\x66\xa5\x19\x07\xfe\xc3\x0b\x3a\x02\x08\x5e\x85\x63\x76\x77\x23\x9c\xd4\x1c\x17\x29\x6c\xfb\xb8\x63\xa5\x6d\xb7\x91\xd4\x46\xa7\x8e\x4d\xb0\x51\x50\xba\x02\xd5\x51\x9d\xae\x55\xff\x9e\xe4\x5b\x33\xd3\x75\xbe\x75\xbc\xce\xb7\x66\xe4\xff\xa3\x2b\x52\xfe\x35\x2d\xff\x3a\x51\xe7\x5b\x27\x40\x6c\xca\x4b\xc7\xd1\x3c\x07\xcf\xc1\x9f\xc7\xeb\x7c\x3d\xcb\x66\xf0\xbf\xd3\x6e\x70\xc8\xcf\x1c\x65\xff\x6f\x15\x61\x45\x16\x89\x15\xd0\xff\x16\xd3\xf5\xcc\x7f\xd5\xd1\x60\xce\xbd\x44\x90\x48\x02\xea\x19\x47\xc5\x54\xaf\x17\x63\x04\x11\x46\x27\xc9\xe5\x61\x87\xde\x82\x49\xfb\xa2\x77\x84\x62\x2e\x16\xe7\x2f\x7a\x0c\x15\xcc\x73\xe7\xe4\x8f\x83\x6b\x59\x56\xca\x3f\xae\x46\xfe\x45\x5a\xd6\x17\xbd\x43\x59\xb1\xd8\x09\xdb\xe2\xa2\xf7\x58\x93\x00\x85\xa1\x1a\xfa\x99\x47\x50\x64\xbb\xbe\xf0\x6d\xf2\xc2\x52\x9e\x5d\xe8\xeb\x4b\x8f\xd4\xc1\xe3\xd8\x88\x8b\xde\x55\x36\x2c\x8c\xa3\x8c\xff\xf0\x11\x76\x3b\x1b\x2a\xc3\xbf\x2e\x98\xb8\x43\x5d\x53\x72\x87\xf8\xdf\x4d\xa0\x7a\xaa\x83\x5a\x49\x90\xce\xb3\x81\xea\xf9\xc7\x83\x27\xdc\x81\x57\xf6\x5e\xca\x97\x3c\x66\xfa\xce\xff\x75\x2f\xf8\x65\xef\x8c\xfa\x59\xfd\x36\x88\x77\x0a\x15\x53\xfc\xf7\x34\x24\x4a\x5d\x50\xe1\x44\x94\x39\xe3\x12\x4c\x6b\x3d\xb6\xc9\x4f\x8b\x30\x4f\x31\x62\x0b\xc2\xc9\x3a\x61\x7a\xec\xfa\x49\x55\x6a\x23\x8e\x34\x30\x69\x27\x4c\x6f\x84\xa0\xbb\x24\x4e\x7b\x17\xe4\xcf\x46\x37\x6c\x8b\x42\xfe\x75\xfd\x94\x79\xa1\x79\x7d\x73\xa3\xec\x24\x2e\xc0\xdf\xe0\x10\x29\xc8\x8e\x3b\x75\xd8\x3f\x5e\xaf\x6c\xaf\x5d\xd4\xff\xf5\x98\x35\xb9\xfc\x3f\xf7\x82\xdf\xf3\x56\xf4\xef\x4b\xee\x2e\xd3\xe1\x6e\xf7\xac\x3a\xfd\xa6\xa3\xb1\xca\x8c\x2f\x8b\x88\xdf\x1e\x96\x84\x52\xac\xc2\x50\x43\x30\x35\x35\x73\x11\x6d\x84\x25\xc4\x0f\x46\x59\xab\xd7\x51\x38\x4b\x53\x22\x6d\xf4\x8a\xa9\x5c\x44\xcf\xd9\x08\xcb\xe7\x14\xbd\xb5\xa2\x95\xc7\x20\x17\x9f\x63\x12\x33\xa6\x66\xa6\x64\x0f\x4e\xe5\x1b\x45\x07\x16\x9f\xdd\x01\x29\x73\x97\x91\x7f\x4f\xb0\x74\x07\xf2\x9a\x8e\x9a\x71\x38\xba\x13\x3d\x50\xaf\x1b\xf9\x04\x65\xd5\x9d\x68\xce\xdc\xd0\x9c\x6e\x4c\x37\xd7\xba\x59\xf3\xba\x46\xd8\x89\x6e\xb8\x6e\xd2\x99\x9d\xd7\x31\x5a\xbf\xfe\xb5\xc1\xbf\xbc\x2d\xcb\x4a\xbe\x53\x37\xdb\x6f\xbd\xc4\x63\x3b\xad\x69\x3f\x09\x9e\x33\x37\x70\x6b\x74\xd5\xcb\x8d\x1c\xed\x2f\xf4\x70\x2e\x3a\xf2\x64\x25\x15\x0f\x6c\x45\x94\xb5\x36\x45\x7e\x72\x6a\x6a\xa6\x79\x7d\x73\xda\xad\x7f\xca\x94\x98\xf1\x5b\xc1\x5d\x77\xae\x70\xf8\x7b\x44\x1f\x4d\x89\xb2\x35\x95\x15\x8d\x5c\x20\x96\x1c\x7e\x62\x5e\xac\xc5\x61\xca\x9f\x76\xf6\xdc\x14\x26\xcc\xdc\x08\x7b\x8a\xb8\xaf\x3f\xe9\x7e\xef\x36\xe6\x08\x1f\x29\x11\xe4\x44\x9f\xb5\xae\xed\x3a\xc9\xdf\x3e\xce\x6e\xd9\x53\xc8\x1d\x02\x75\xcd\x46\x51\x2e\x8a\xe2\xb6\xfe\x1c\x1c\x49\xe7\x16\xe7\x97\xfd\x2f\x8f\x05\xaf\xf0\x76\xbc\x0d\x7c\x7f\x85\x8d\x44\x37\xc4\x5b\xa6\xac\x00\xf8\xb2\x3e\x69\xf6\xad\x03\x44\xdd\x8d\x30\x33\xa5\xc1\x27\xcc\x1b\x90\x6e\xdb\xbc\xe8\x31\x73\xf7\xa2\x77\x75\x61\x57\xce\x91\xd1\xef\xa8\xb1\xe7\x7b\xcc\x7a\xda\xcf\x03\x21\x3b\x11\xca\x85\x3d\x1b\xf5\x19\x75\x04\x97\x4a\x9c\x46\xfa\x8e\x73\xbe\xb8\x84\x74\x6e\x6d\xd9\xd9\xca\x0e\xb7\x87\x06\x39\x03\xf9\x66\x8f\xb9\x75\xf4\xbf\xdf\x0b\x9e\xef\xd1\x0f\xad\xfe\xe2\x23\x75\x5e\xf4\xe2\x12\xac\x47\x60\x9f\xd7\xdd\xaa\x99\xe3\x08\x90\x0d\xf5\x35\xd9\x10\x12\x2e\xa4\x80\x86\x1a\x5c\xbb\xae\xff\x3a\x29\x67\x49\x5d\xb6\x26\x93\x6d\x82\x9f\x4e\x15\x7f\xa3\x56\x89\x30\x36\x9f\x6d\xa7\xdb\x61\x1e\xcd\x2e\x2d\x5a\xf9\x29\xef\xac\x05\xaf\xb3\xd3\xd8\x22\x7a\x0a\xb9\x8a\xe4\xbe\x2f\x6b\x4e\x39\x0c\x98\x7c\x54\x9d\xbb\xb2\x7b\x9a\x48\x64\x2a\x70\x49\xb9\x22\xcf\x63\xff\x56\x65\x8a\xe4\xc1\xe4\xa2\xfc\xc3\xf5\x4d\x58\x2d\xc4\xfc\x28\x48\xeb\xd8\x3b\x36\x74\x45\x4f\x61\x39\xa7\xe2\x44\xb0\x17\x1e\x62\xd7\xee\xe5\x61\xca\x0f\xfc\xcc\xc1\xe0\x07\xbc\x1d\x6e\xba\xf1\xaf\x8a\x5c\xc0\xa4\x43\x0d\x0d\x42\x53\xb7\x8d\x9b\xde\xbb\xb4\x3c\x3e\xa7\x4b\x7f\xfc\x00\xfb\xb1\x71\x76\xd4\x62\x87\xf3\x5f\x3f\xae\x8e\x7c\x2f\x1e\xaf\xe2\xcd\x93\x0a\x5f\x01\x47\x69\xc5\x15\x8e\x99\x45\x6b\x9a\x60\xdd\x4e\xf3\xdb\x27\xf3\xde\x1e\x8a\xfc\xe6\x27\xe2\xb3\x93\xfd\xa6\x6f\xb8\xee\xba\x26\x9f\x8f\x73\x00\x7d\x8f\x45\xa1\x68\x0f\x4b\xc5\x3e\xa7\x82\xc1\x91\x55\xcf\xe2\xb3\xa7\x6c\xbf\x6f\x32\x86\xbe\xe7\xa9\x25\x58\x06\x4f\xac\x58\x82\xd1\xf0\x34\x7d\x48\x17\xe1\xbb\x0e\xb3\x4a\x1e\x33\x48\xd6\x1b\x24\xbf\xa0\x95\xf8\x77\x57\x32\x75\x61\xb1\xff\xf9\xff\xcf\xde\xb7\x07\x59\x76\x94\xf7\xe5\xdc\x7d\xf7\xea\x79\x48\xc5\x41\x24\xa1\x73\x48\x79\x77\xed\x3b\x77\x77\xf5\x42\x1a\x3d\x60\x76\x67\xd7\x1a\x49\xbb\x3b\xda\x99\x95\xa2\x18\xc2\xf4\xbd\xa7\xef\xbd\x47\x73\xee\xe9\xcb\x79\xcc\xec\x95\xcb\xae\x60\x93\xc4\x2e\xca\x96\x08\xb8\x80\x8d\x1f\x82\x28\x42\x41\x2a\x08\x46\x26\x26\x89\x08\x08\x6c\x12\x83\x95\x82\xb2\x11\x26\x31\x45\x30\x2a\x87\x20\x57\xd9\xd8\xa1\x94\x4d\x5c\x95\xea\xef\xeb\xee\xd3\x7d\xee\xbd\x33\x77\x66\x56\x2b\x0a\xcf\x7f\x33\xe7\x9e\xd3\xa7\x4f\xf7\xd7\x5f\x7f\xfd\x3d\x7e\xbf\x5d\x3f\x14\x35\xaa\x1f\x70\x6a\x54\xdf\xe5\x4d\x40\x73\xb7\xa0\x6f\xff\x6b\x53\x9e\xba\x5d\x92\x2d\x47\xe1\xc5\x5d\xa4\x6e\x89\x83\x9d\x2d\x69\xc0\x7c\xa3\x5e\x94\x9f\x85\x7a\xa8\x8c\xfb\xcf\xec\x0a\xe6\x9d\x2b\x06\x36\x57\xe1\x19\xa1\x77\xd6\x42\x66\x86\xf4\x1c\x96\xe8\x40\x3a\x3f\xcf\x5b\x05\x24\xd0\x80\xbe\x4e\xc4\xea\x48\x88\xa2\xef\xec\x20\x9f\xf3\xc8\x9e\xb7\x17\xbc\x88\x92\x8e\xff\xef\xbc\x35\xc0\x3b\x46\xf5\xfa\x3e\x7c\xf0\xb8\x48\xc0\x9c\x85\x53\x64\x90\x2e\xa9\xf6\x96\x68\x57\x00\x80\x38\x56\x0e\x95\xb7\xd8\x82\x2c\x37\x2d\x75\xbf\x73\xa0\xed\xb1\x01\x16\x6c\x25\x53\x98\x48\xa3\x69\xba\x15\x4a\x53\x94\xd1\xa5\x40\xbe\x9f\x07\x4b\x0d\xf2\x98\x06\xf3\x01\x0e\xfa\xf2\x16\x75\x87\x02\xdd\x01\x20\x9e\x86\xb9\x68\x05\xd2\xd6\x1f\xc8\xa2\x2f\xb5\x64\x9a\x46\x2b\x72\x6b\x4e\xb9\x3c\xa4\xa8\x32\x67\x44\xf8\x90\x3a\x38\x46\x9b\x5d\x23\xa9\xe8\x67\xc1\x0e\x50\x1f\x89\x90\x34\x18\xee\x66\xad\xae\x14\x33\xdd\xb3\x2d\x76\x08\x71\x8c\x65\x83\x1a\xd2\xdc\x0d\x8e\x2e\x91\xd7\x38\xc1\xd1\x22\x91\x53\xec\xcf\xf9\x3f\x31\x05\x91\x98\x34\x02\xe2\x1a\x91\x4e\xc3\xba\x23\x14\x67\x22\x9b\xca\xc5\x94\xf5\x3b\x3f\x36\x98\x26\x94\x52\xfd\x41\xd3\x54\x49\x01\x21\xcf\xec\x23\xe7\x2e\x11\xe9\xc0\xac\x11\x42\x20\x2d\xf9\xfa\xde\xe0\x9e\xb5\x6e\x70\x77\xff\x71\x77\x1a\x86\xd2\x91\xfc\x25\x7f\xb5\xcd\x5f\xb2\x65\xfe\x92\xdf\xf0\xb4\x5d\xf6\xa4\x17\xdc\x0c\x7f\xe1\xac\x44\x49\x18\xad\x44\x61\xc1\xe2\x75\x67\xc7\xb6\xd1\x5a\x84\x91\xb7\x5d\x22\xc6\x80\x71\xef\xdd\xc6\xdd\xff\x01\x61\x47\x59\x59\xbf\xc8\x6f\xc1\xbf\x6f\xb2\x3a\xb5\xb5\x94\x45\x95\xc0\xf4\x0b\xc4\x71\x54\x54\xca\xa3\x56\x8e\x36\x16\xc5\x32\x4f\x30\x43\xcf\xbf\x40\x82\x0f\x7b\xd6\x05\xca\xf2\x5c\x6e\x50\x99\xce\x73\x53\x8f\x4a\x4b\x26\x97\xb7\xa1\x4d\x87\x00\x64\x45\x26\x8d\x2b\x84\x70\xb3\xdb\x30\x33\xad\x76\xbd\x16\xec\x0c\xda\xde\x29\xf9\x35\x64\x73\xd6\x3b\x44\x4a\xfb\x71\xd1\x89\x8c\x43\x1d\x83\xdd\x66\x2d\x5c\xf0\x80\x5b\xc0\xd1\x72\x7f\xbe\x87\xdc\x63\xcd\xd9\x9b\xb6\xc8\x94\x40\x7e\x46\xf1\x17\xac\xac\x41\x0d\xb9\xe6\x88\x02\x83\xc1\x2d\x90\x55\x85\xe6\x82\x9d\x52\x35\x94\xa8\xa6\xd0\x93\x54\xfe\x1f\x0f\xc9\xe3\x9e\x61\x68\xfc\xc0\x5a\x0c\x8d\x6b\xf7\x01\x19\x1a\x1f\x2c\x0b\x59\x31\xce\x2d\xc7\x55\x4d\x82\x76\xd0\x49\xe5\x60\xa5\xbe\x95\x70\x0b\xba\x83\xda\x65\x66\x89\x42\xd8\xd8\xde\x59\xb6\x59\x69\x5f\x35\x25\x7d\xd1\x6b\xaf\xaf\x59\x8f\xfb\x33\xe3\xea\xa1\xd7\x2c\x17\xb5\x56\x11\x21\x1f\xb9\x82\xdc\xba\x6e\x56\x34\x20\x35\x8d\x48\x7e\xf6\x5f\xda\x1f\xfc\x89\x37\xee\x57\x4c\xc5\x2d\x97\x9c\x48\xd1\x5d\x05\x3a\x55\xfe\x87\xe9\x65\x72\xf5\xe9\x52\x0b\x96\xe8\xe4\x51\x30\xd3\x3b\xd1\x0a\x4f\x30\x73\xbf\xcf\x5a\xbc\x41\xef\x62\x2b\x98\x4b\x6b\xae\xd1\xac\x25\xfa\x56\xd9\x01\x94\xac\x03\x24\x4d\xaf\x68\x75\x29\x67\x59\x84\x09\x66\x9d\x94\x25\xf9\xf0\x73\x58\xc0\xa4\x90\x09\x91\x1a\x34\x73\x7c\x8b\xf0\x11\xe8\x1c\x19\x56\xcd\xdf\xdb\x4b\xbe\xaf\xe9\x60\xfe\xd4\x23\x27\xd7\xd4\x65\x93\x65\x9b\x4b\xdd\xfa\x21\x6f\xb3\xca\xb5\x41\x91\xeb\xa9\xfc\x4e\x8d\x0d\x81\xa9\x26\x3a\x63\xc8\xfc\x3c\x10\x05\xed\xb1\x90\x3b\x8d\xaa\x0a\x0f\x2c\x13\x81\xb3\x5c\x5d\x81\xfc\x28\xaf\xaa\xd4\x8f\x4f\x97\x6a\xfc\x83\x1e\xb9\xeb\x12\x7c\x3a\xaa\xf4\x73\x97\x42\xa5\x47\x4e\x4a\x73\x22\xf2\x6d\x75\xbe\xad\xce\x5f\x3d\x9b\xfb\x52\xda\x6f\x17\xbd\xd5\xf5\xf7\x86\x45\xff\xec\x64\x85\xfb\xe3\x94\xf7\xc8\x32\xbc\xf7\x10\xc7\x2b\xa6\x9d\xa4\x67\xb9\x81\x7d\x3a\x6e\xc8\x8b\xc1\x09\xf0\xad\x7d\xc1\x89\xb1\xbf\x8e\xe2\x2e\x4d\xcb\x9b\x2d\x22\xe4\x31\xc7\xff\xc7\xb6\x09\xd8\xb6\x22\x94\xff\xd5\x26\x60\x7b\xce\xdb\xd2\x51\x30\xf8\xd9\x92\xf7\x1e\xd9\xb2\x2f\x17\xe7\xbd\xf5\x71\xdb\x3a\x7e\xab\x3a\xfe\x79\xe3\x0c\xfa\xbc\x17\xfc\xd4\xbd\xa6\x2c\x71\xf4\xa2\xdc\x28\x6e\xde\xaa\x48\x97\x63\xc1\xc2\xec\xb0\xd5\xca\x61\xab\xf5\xf2\xf2\xc6\xa3\x7e\x23\xd5\xcc\x45\x8f\xad\xaf\x2b\xef\xf4\x6f\xd7\xc5\xea\x63\x75\xd5\x5a\x44\xf8\x9f\xbe\xca\x41\xfe\x1d\x4f\x84\xef\xbf\xf7\xaa\xe0\x5d\x3b\x34\xa2\xf2\x28\xed\x57\xc4\xba\x46\x15\x99\xd3\xa3\x04\xeb\xc0\x54\xcc\x08\xe3\xb4\x02\xfd\xd0\x8e\x0e\xca\x34\x42\x20\xe6\xce\x2a\x7a\x6b\x48\x18\xd5\xef\x53\xa7\x5c\xed\xd6\xc7\x48\x8a\xb4\xb0\x75\x3a\x7c\x66\xb8\x4b\xe3\xc1\x14\xbc\x02\xf2\x4f\x8a\x34\xce\xea\x80\x72\x4d\x15\xcc\xb5\x26\x80\xaf\xbb\xbc\xf0\x75\x2a\xda\x52\x4b\x42\x4a\x18\x26\x5d\xaf\x44\x69\x2e\xcd\xce\xae\xc8\x40\xf9\xf2\xbc\xd5\xa0\xb3\x27\xe6\xcf\x9e\x38\x3e\xb3\x78\x62\x96\x4e\x61\xfc\x00\x0f\x02\x3a\x89\x56\xb4\xa9\x35\x46\xa1\x5c\x8f\x70\x24\x97\x9f\x36\x84\xd0\x70\x58\x8d\xb1\x7e\x44\xae\x51\x6d\xcc\x62\xbe\x55\x22\x72\x13\x69\x57\xe2\xaa\xcc\x69\x37\xa3\xe1\xfd\x64\x5b\x7f\x6c\xdb\x88\xaf\xde\x76\xfc\x15\x7b\x3b\xfe\xed\x2d\xf3\xa1\xfe\x5c\xb9\x21\xe3\x60\x1e\xc8\x2e\xdf\xa6\x6c\xc8\x52\xff\x48\x9f\x8e\x7f\x7f\x2d\xb2\xd4\xf1\x2a\x13\x8e\xc3\xef\xc7\xe3\xb0\x2a\x55\x09\x79\x06\xe4\xbf\x0e\x12\x9e\x59\xfd\x97\x99\x3a\xf5\x8f\xcb\x43\xf0\xd7\x3c\x72\xeb\x66\xbe\x10\x4f\xbd\x17\xbc\xf2\xd8\x9b\xdb\x30\xf7\x3f\x00\x5f\x79\xd1\x7b\xcb\xfa\xbb\xe8\xad\xfe\x1b\xd7\xc2\x38\x52\x5d\x1f\x79\xac\xf8\x9c\x47\x4e\x6f\x3a\x46\x74\xf7\xc2\x99\xd3\x0b\xa0\x34\xe7\x53\xd1\xcf\xce\xa4\xc7\x84\x88\xfd\xb7\x07\x62\xe4\x0f\x76\xfe\x5c\xe5\x06\x8c\xf9\xaa\x5c\x11\x0d\xd4\x6c\xa7\xb6\x40\xa9\xbb\x2e\xe6\xd2\xf7\xf5\x53\xd1\xe7\x69\x3e\x68\x90\x97\x9d\xc3\xd1\xfa\x80\x91\xfe\x17\x48\xf0\x29\x62\x5f\x91\x73\xaf\xb3\x3d\xba\x22\x0e\xad\x71\x04\x72\x13\x4d\xb0\x61\x78\xd1\x09\x59\x14\xaa\xf2\x2e\xca\xea\x88\xd6\x68\x00\xbe\x21\xa3\xb5\xcb\x32\xea\xbc\x82\x65\x50\x4a\x85\xcc\x33\x09\x1d\x88\x22\x35\x0d\xd7\xed\x5d\x2d\x4f\x8b\x56\x8e\x3b\x8d\xc6\xb5\x54\xb7\x9b\xcd\x08\xef\x69\x40\x19\x20\x24\x2a\x25\x9c\xab\x9a\xf5\x4e\x04\x65\x02\x70\xff\x0a\x4b\x23\x51\x64\x3a\xf0\x01\xea\xaf\x41\xc8\xe1\xc3\x74\x4e\xb7\xd4\x67\xad\x65\xd6\xe1\x18\xc6\xa6\xa7\x06\x33\xf3\x73\xea\xa5\xf8\x0e\xfa\x53\x64\x9f\x1e\xc3\xc5\x41\x9f\x4b\x0d\x47\x97\x1e\xca\x44\x32\x1d\xd4\xa3\x24\x8e\x12\x1e\x2c\x91\x7d\xa7\x06\xf3\xf8\x0e\x7d\xaf\x6a\x44\xdd\xd9\x53\x3f\x07\x4b\xe4\xa7\xf1\x4d\xf8\xff\x8c\xf5\x96\x19\x4c\xf0\xd1\x3b\x96\x7a\x92\xe1\x55\xf9\x20\x74\x5c\x53\xa0\xbc\x62\x1d\x77\xe6\xec\x92\x77\xff\x0c\xc6\x9e\x56\xa3\x14\xa1\x21\x30\x49\x11\x12\xb3\x62\x21\x96\x2b\x85\xaf\x20\x5d\xd3\xb2\xf5\x40\xae\xe5\x60\x3a\xb0\xbe\x33\xa8\x93\x7d\x41\x69\x33\x05\xd3\xc1\xca\x51\xb8\x66\x7a\x0b\x4f\x9a\x47\x55\x97\xe5\x2d\xfb\x4c\xbf\xa6\x83\xb6\x10\xf2\xd2\x4f\xd7\x65\x0f\x17\x04\x5d\x95\x36\x70\x97\xf5\xfb\x3c\xc9\xde\x44\x67\x79\x0b\xd2\xe9\xa1\x1e\xab\xc8\x78\x46\x1f\x82\x0a\xdf\x94\x0e\x58\x2f\xc6\x4a\xa2\x1e\x4b\xb3\x2e\x8b\xb5\x9b\x30\x62\x31\x58\x43\xc0\xdd\x0a\x99\xc7\x8e\xa8\xdb\x53\xd5\xa0\x8b\x98\xb1\x01\x2d\x83\xe9\xc8\x56\x71\x48\x14\x3f\x7e\x2e\x52\x1e\x22\x74\x83\xb4\x1c\x8a\x44\x4e\x3b\x96\x73\x70\x9a\xf0\xf3\x72\xb6\x39\x16\xa5\x0b\xda\x12\xfd\x01\x3d\x88\x70\xf9\xfd\xe5\xce\xe1\x92\xc1\xfe\x50\x89\xe3\x3e\xb4\x86\x16\x01\x93\x06\xeb\x11\x94\x50\x1d\xc8\xb4\xfa\x01\x2d\xc5\x61\x31\x5b\x7c\xf8\xed\x22\x51\x47\x02\x40\x9e\x00\x57\xa9\x55\xdc\x8f\xbd\x2c\xa7\x17\xbf\x42\xae\x62\x5b\xb8\xea\x34\x2f\x52\x48\x55\x8b\xf2\xb2\x7b\x80\xf4\xdc\x32\x09\x6d\x52\xd8\x50\x15\xc8\x46\xcc\xcd\x70\xab\x1e\xc3\x83\x8b\x67\x66\xcf\x48\x3d\x8f\x0d\x48\xcb\x1b\x6b\xe4\x6c\xa0\xda\x4c\xd9\xc3\x45\xa2\xe8\x9d\xb0\x61\x23\xf6\xe7\xd4\x75\x75\xbf\xae\x78\xd4\xc9\xbd\xba\x07\x3c\x6c\x1c\xb2\x6c\x77\xf2\xbf\x09\x79\xbd\xb5\xd9\x02\x12\x23\xe4\x0f\xa4\x22\xb9\x5b\x34\x01\x13\xe2\xcb\x24\x78\xd0\xfa\x5f\x53\xcc\xe8\x04\xad\x2e\xa7\x0f\x89\xa6\xca\xd5\xc1\x52\x3e\xbd\x1a\x60\x0d\xc8\x57\x43\xc9\xb4\xae\x96\x64\x2d\x79\xb2\x89\x07\xb2\xef\x8d\x0b\xde\x5e\x85\xc8\xc5\x2f\x78\xfb\x1f\x12\xcd\x45\xde\xeb\x4b\xdb\xdd\x39\x61\x3c\xbf\x8f\x7c\xc1\x23\x3f\x02\x15\x90\x51\xd2\x99\xe5\x2c\x94\x0a\x60\x01\xea\xdb\x33\xff\x29\x44\x8a\xbe\xf9\xc6\xe0\x97\x4d\x72\x25\x0d\xd5\x4d\x80\x38\x82\x37\xc2\x1e\xa4\x1b\x31\x3d\x8f\xda\x10\xf4\x88\x32\x29\xc4\xba\x33\x21\x05\x81\x82\x12\x82\x64\xa0\xb0\x44\x1a\x94\x9e\x92\xb7\x85\xf2\xb9\xac\xfc\xe4\x92\x78\x00\x38\xa8\x39\x50\x3a\xb4\x59\x14\x43\xf5\x2c\xcf\xdc\x74\xde\xf7\x79\xe4\xba\xac\x00\x8f\x61\xbb\x88\xef\x16\xcd\xec\xae\x48\xce\xcd\x00\xb2\xe0\xfc\x81\xce\x05\x0f\x17\xcb\xe2\x58\xd1\xa6\xe5\x23\x54\x1a\x4a\x59\x57\x77\x03\xb6\x8d\x9c\x45\x49\x83\xde\x0f\xc7\x84\x12\x00\x3c\x99\x4a\x78\x07\xc9\x03\xd4\xdb\xdd\x8d\xf9\x06\xb7\x67\x8f\x79\x64\x4f\x56\x64\x7d\x9e\x84\xfe\x7b\xbd\xe0\x9f\x7a\x98\xa3\x16\xb3\x0e\xcd\x79\x1c\x9b\xec\x36\x75\xbc\x87\x84\x72\xbc\x5d\x9e\x17\x32\x79\x54\x48\x72\x6b\x58\x20\xf6\x11\x0a\xae\x78\xab\xfa\xfd\x78\x00\x19\x02\x71\xca\x59\x38\xc0\x99\xe0\xa1\xf5\x40\x83\x0e\xa7\xc4\xba\x75\xf0\x5f\xaa\x01\x47\x1b\x1a\x79\xad\xc1\x3c\x04\xa1\xfc\x4f\xd6\x82\x27\x6b\x0b\x55\x22\xc4\x5c\x0a\x3f\x35\x77\xdb\x3d\xc3\x22\xe4\xbb\x45\x13\xc6\x2c\x32\xf4\xe4\x2c\xe5\xd3\x74\x8a\x06\x80\xd4\x12\xd0\x83\x2a\x6a\x73\x68\x5a\x73\x69\xa9\x85\x80\xa3\x5e\x24\x56\xeb\xf1\xe0\x36\xf9\xe4\x49\x91\x36\xa3\x30\x98\x96\xa2\xd3\x8c\xc2\xcc\x7e\x7f\x5a\xc8\x31\xc9\x96\x23\x64\xc0\x03\xfd\x27\x1b\x89\xda\xb4\x9f\xf2\x15\xd8\xeb\xe5\xff\x5d\x06\xc0\x68\x66\x9a\x07\x3c\x87\xb6\xcf\xf2\x7e\xcc\x5a\x3c\x98\xa6\x2d\x96\xb4\x78\x9c\x51\xf3\x6e\xc3\x9f\x25\x25\x5a\x2e\xb9\x14\xef\xcd\x70\xd9\x41\xcd\x70\xc2\x57\xa5\x38\xda\x47\xa7\x47\x3c\xf2\xb7\x50\x50\x87\xe4\xb0\xd0\x72\xb8\xe4\xca\xa1\x92\xeb\x4b\x26\x83\x47\x5d\x19\x7c\xa7\x47\x6c\x35\xe0\x17\xe4\xe8\xd8\xb3\x81\x51\x57\x77\x97\x0f\xc0\xb9\xe7\xcd\xa5\x2c\xe8\x55\x0e\xbe\xa1\xaa\x5a\x04\xbd\xa4\xa4\x02\xa2\xa3\x6a\x7a\x1b\xe4\xad\xc4\xe8\x25\xff\xbe\x60\x16\xd0\x34\xd4\xff\x52\xa1\xc8\xfb\x28\xba\x43\xea\x34\xe3\xbc\xcc\x99\x4d\x1a\xab\xd1\x72\xd4\xe7\x61\x84\xc4\x08\xf2\xbf\xc3\xf2\x76\x97\x24\x7f\xa7\x43\x65\x33\xee\x43\xfc\xdf\xda\x19\xdc\x57\xb9\x66\xe9\xdf\x5c\x53\xac\x83\x28\x3b\x90\x2a\x08\x52\xa1\x4b\x3b\x90\x9e\x20\x1f\xa5\x5a\xbf\xba\x83\xfc\x1f\xfb\xfc\xfc\xd2\x96\xcf\xcf\x1f\x59\xe3\xfc\xac\xcf\x63\x20\x34\x4e\xf7\xc0\x25\xa1\x7b\x78\xf9\x8e\xd9\x2f\xe8\x63\xf6\xf3\x1e\x39\x34\x91\xa0\x81\x80\x3d\xe6\x29\x09\x6b\x19\x67\x95\x7d\xc2\x6e\xf2\x2e\x5b\x89\x44\x6a\x7d\xee\x65\x3f\x60\xbf\x7c\x05\x09\x46\x79\x7b\x8f\xcd\x3a\x95\x1a\x5f\xbe\x22\xf8\x79\xb7\x52\xe3\x2c\x0b\x45\x46\x8f\xc5\xa2\xb5\x4c\x67\x39\x00\x75\x40\xde\x3a\x2e\xa1\x98\x65\xb9\xc6\x83\x6c\x73\xd8\x24\x41\x97\xf6\x45\xd8\xa0\x67\x8f\xcd\x6e\xb5\x8c\xa2\x27\x92\x48\x7e\xf9\x05\x6f\x17\xa0\xe3\x3a\xc2\xfa\xf8\x7e\xf2\xb3\x1e\xd9\x59\x64\x3c\xf5\x1f\x0e\x7a\x60\xfa\x41\x6f\x21\x31\x02\x29\x34\x2c\x02\x05\x16\xf6\xa4\x46\x9a\x20\xb5\x5d\x75\xfa\x70\xda\xb4\xd2\xda\xdf\xd0\x15\xab\x53\xb9\x98\x2a\x32\x3e\x15\xe5\x0e\x47\x45\x99\xea\xff\x64\x2d\xb8\x50\xab\xa6\xfa\xab\x69\x57\xb5\x06\x30\x6e\x03\x51\xd0\x55\x86\xf5\x9d\xaa\x0c\x60\x31\xea\x4f\xd3\x13\x49\x56\xa4\xbc\xc4\x0f\xaa\x56\x04\xd8\x78\x59\x3f\x08\x45\x01\x6b\x85\x29\x14\x44\xa9\x1e\xcd\x37\xa4\x4d\xa7\x34\x20\x25\x38\xa5\x7e\x14\xbc\xa5\x9c\x3a\xb8\xa4\xe6\xee\xd2\xcf\xd4\x53\x1e\xd9\xb3\xcc\x07\xf2\x6f\xff\xd7\xbd\xe0\xdd\xde\x3d\xf8\x8f\x81\xa6\x62\x79\x57\x8e\xc1\x32\x1f\xd0\x54\x63\xce\x9c\x3d\x36\x7b\x2e\xab\xf0\x95\x40\x31\x72\x8b\xf7\xbb\x87\x55\x73\xaf\x44\x6f\x7f\x49\x6a\x62\xb5\x00\xfc\x77\x78\x01\x9f\xa9\xc4\x39\x8e\xf3\x7e\x97\xea\x3b\x2e\x5d\x0f\xc6\x42\x3f\xfe\x13\x20\x63\x11\xb1\x7f\x3e\x58\x2e\xa7\x4c\x5e\x19\x5e\x6d\x69\x73\xb2\x32\x92\x0d\x8e\xc9\x33\x76\xfd\xd4\x87\xbd\xe0\xfd\xde\x16\xab\xa2\x86\x2d\xcc\x4b\xd6\x6b\x1b\xb0\xc9\x29\x99\xfa\xee\xa6\x69\xfd\x3e\xee\x99\x4a\x2a\xc0\x4b\xb2\x40\xb9\xdc\x64\x35\x5d\x4a\xe5\x08\xf0\x9c\xb4\x2c\xc5\x4a\x04\x2c\x2a\x2b\x3c\x4d\xa3\x90\x03\x3f\x16\x4a\xb0\x35\x7b\x49\x14\x5f\xaa\x71\x20\x8f\x5c\xeb\x94\xed\x8e\xe7\xd7\x02\x22\x25\xff\x9b\xd7\x04\xff\xdd\x73\xb9\x95\x5c\xb2\x1a\x79\xb6\xc8\xab\x9c\x3f\x2a\xdc\x17\xc9\xde\xe1\x9e\xa2\xc3\x71\x08\x33\xa1\x93\xe0\x34\x64\x55\x0e\xd2\xa2\x92\x8e\x0d\x82\xaf\xfb\x5a\x95\x95\x2f\x4d\xba\xd8\x54\x86\xc2\xee\x64\x90\x7b\xb4\x61\xfb\x90\x80\xa0\x61\x2e\xe4\x00\x87\x85\x92\xbe\x76\x11\xc7\x1a\xb0\xc5\x74\xb4\x71\xc1\xdb\xaf\x8a\xdd\x17\x81\x51\x67\x9f\xf9\xc9\xd9\xdd\xfe\xf4\x4a\xf2\x67\x35\x62\xdf\xea\x7f\xb3\x16\x7c\xa5\x66\x5d\xb0\xd8\xde\x73\x8b\xbd\x5b\x97\xd2\xb7\x58\x9a\x46\x56\x3d\xab\xf3\x75\xc8\x7e\xa5\x6e\xd5\x60\xb5\x72\x7b\x29\xb9\xaf\x9a\xbc\x2c\x96\x94\x6d\x57\x61\x37\xa2\x5e\xaf\xc0\xda\x7a\xd6\xce\x79\x8a\x16\x1c\xe0\xeb\x48\xe5\x80\x28\x44\x60\x48\xeb\xd2\x7e\xe0\xc3\x61\x29\xb7\x0e\x2a\x66\x37\x9b\xa6\x3f\x46\xe7\xe6\x57\x6e\x84\xe0\xb1\x99\xed\x04\xae\x51\x55\xdc\xdf\xc0\x7b\x6e\x1e\x71\xcf\xcd\xf6\x3d\x27\xef\x9b\x3d\xed\xde\x43\x4f\x16\x71\x3c\xa0\xf7\x15\x2c\x46\x28\xde\x59\xd1\x63\x51\x02\x0c\x5b\x8e\x29\xbe\x1d\xba\xdc\x62\xe8\xf2\xdb\x1e\x29\x05\xda\xff\xaa\x17\x3c\x54\x2e\x51\xa7\x54\x49\x01\xbf\x58\xbf\xda\x12\xd8\xa0\x27\x58\xab\xab\xa5\x11\x42\x95\x90\x54\x0a\x2c\xf1\xe7\xa3\x5e\xd1\x93\x6d\x1c\x3d\x72\xe4\x88\xb5\xb2\xec\xad\xeb\x8d\xe4\x26\x72\xc3\x58\x25\x3b\x5e\x09\x4d\x08\xa5\xb9\x1d\xa1\xdd\x7c\x84\xb6\x6b\x1d\x30\xdf\xb2\xd5\xf3\xe5\xeb\xd6\x08\xcf\x92\x7f\xb3\x83\xec\x02\xc6\x37\xff\xd7\x77\x04\x1f\xad\x21\xf9\x9b\xab\x34\x0d\xae\x39\x66\x44\x28\x82\x38\x7e\xbe\x2f\x14\x8b\x23\xe4\x88\x98\x21\x1f\x25\xa4\x70\xb0\x19\xcb\x16\xf8\x80\x3c\x7b\x2b\x96\xc1\xcc\xce\x02\x36\x89\xb7\xda\xda\x4f\xb9\xc2\x22\x30\x49\x28\xf0\x98\x6a\x82\xe1\x7b\xa2\x32\x45\x45\x3b\x72\x22\x64\x31\xd4\x9a\xc1\x69\x3b\x60\x9a\xe3\x30\x98\x78\x49\xa9\xd7\xda\xab\xe9\x36\x72\xeb\x1a\x71\xe7\xb5\x29\x33\x27\x5b\x51\x17\xbd\xee\xfa\xc1\xd1\x13\xfe\xf1\xb5\x58\x34\xc6\x12\xd9\x38\x3b\x1f\x21\xbf\xb9\xdb\xf1\xb7\x58\xc9\x30\x2b\x26\x9e\xbc\x78\xef\x82\xff\x8b\xbb\x83\x53\xe5\xbf\x15\x57\x0b\xb0\xa3\xc3\xb8\xc7\x6c\xc0\x53\x0a\x10\xa2\x51\x3e\x18\xc1\xc8\x6f\x02\xce\xce\x06\xff\xb1\x5d\xe4\x33\x35\xb2\x0b\x80\xaa\xfc\x4f\xd6\x82\xbf\xf0\xee\x02\xcc\x2a\x80\x3e\x36\x72\x89\x38\x56\x6a\xaa\x0c\x1d\x61\x05\x92\xb4\x61\xd3\xb0\x6b\x11\xc5\xfc\x41\x29\x96\x06\x83\x07\x44\xf2\xb0\x8a\x8e\xaa\xa6\xf2\x38\x43\x9b\xb2\x12\xa5\x85\xc0\x56\x1c\xb6\xe4\xd2\x82\x23\xa6\x36\xa1\x75\xe8\xd6\x21\xec\xb7\xfc\xc0\x0a\x2b\x13\x75\x5e\x94\xe9\x8f\xaf\xcb\xf3\x64\xcc\xdb\xb9\x73\xa8\x1c\x7f\xda\x98\x50\x11\x7f\xa7\x46\x08\xda\xba\x72\x2f\xf7\xbf\x5e\x0b\xbe\x54\x5b\x30\xff\x8f\x62\x76\x50\x96\xb1\x8e\x10\x97\xb9\x57\x72\x50\x55\x4a\x96\x0b\x54\x7a\x52\x5b\x3c\xd0\x7d\x43\x8c\x00\xce\xeb\x58\xac\xc2\x83\xa9\x40\xaf\xa1\x41\xc9\x5c\x38\x3d\x67\x10\x83\x28\x8b\x45\x52\x32\x87\xea\x9f\xb0\x3a\x03\x48\x87\x13\x1c\x43\x40\x15\xc9\x34\x82\x2c\xa7\x81\x14\x89\x80\x76\x39\x0b\xe5\xc8\x42\x3f\x2c\x7a\x59\x35\xb4\x67\x8b\x58\x05\x20\xcb\x96\xd5\x24\xc3\x64\xa9\x2f\x84\xb8\x75\xa2\xcc\x03\x3d\x1a\xf2\x05\xba\x7d\xfb\x21\xf5\x3d\x8e\x71\xf4\xd1\xbd\x8e\x13\x09\x38\x60\x56\x8e\x36\xce\x8a\x98\x1f\x8b\x00\x6f\x0a\xb2\x95\xff\xf9\xde\xe0\x70\xe5\xda\xa8\x2c\x3d\xeb\x96\x6c\x64\x5e\xf2\xf3\xdb\x65\xc9\x5b\x36\xc7\x3a\x3a\x11\xf5\x1f\x07\xaf\x1f\x81\x16\x63\xcf\x81\xbd\x14\x8f\x90\x06\xa9\x8f\xd5\xf7\x23\x26\x7e\xdb\x20\xda\x82\x41\xd4\xb6\x0c\xa2\x7f\xb4\xb5\xfc\xf1\xb5\xcc\xa1\x8b\x5e\xb2\xfe\x16\x7b\x8f\x3f\xb7\x01\x92\xa7\xca\x32\xaf\xd6\x17\xbf\x78\x05\xb9\x7e\x32\xc0\x3c\xf0\x52\xcf\xf2\x9c\x45\x71\xe6\x7f\xf4\x8a\xe0\x3b\x35\xe7\x92\x83\x7d\xca\xc2\x30\x52\x2a\x58\xa5\x0d\x45\xda\x8a\x3a\x35\xf3\x20\x64\x1a\xf0\xbc\x52\xea\x84\x27\xf3\x15\x80\xf5\x2d\x1f\x1f\xae\x09\x63\x34\x55\xc0\x23\xb8\xa7\x2a\x12\x08\xc3\x71\xcf\xa8\xca\x2f\x53\x62\xaa\x35\x10\x24\x5a\xb0\x1c\x85\x82\x97\x21\xe0\x0c\x20\x85\x14\x1e\x1e\x6c\xc6\x51\x27\x01\x54\x4f\x40\x98\xc0\x5e\x87\x02\x42\xa2\xe5\x36\xad\x2d\x3c\x7d\xa2\x07\x1b\xd4\xb4\xae\x52\x08\x50\x63\xb1\x2c\x33\x5e\x65\xa0\x19\xd2\x77\x69\xe7\x86\xb6\x38\x13\xa0\x26\x00\x6e\xe1\x02\x10\x8e\xd4\x4b\x5c\xa3\xe4\x13\xfb\xc8\x2f\xea\x95\xfc\xce\x5a\xf0\x7d\xe0\x5a\x96\xff\x59\x0d\x1b\xde\x77\xb5\x6c\xab\x06\x4f\xae\xf8\x75\x8b\x4c\x0d\xd6\x59\x15\x2f\x3f\x93\x20\x07\x89\x72\x56\x8b\x04\x97\x74\x18\x41\xbe\xb3\x59\xce\x25\x45\x92\x79\x85\xd4\x27\xaf\xd6\xea\x7c\x9f\xe6\xbd\x07\x9c\x41\x43\x25\xbe\xe5\xf1\x00\xa0\xca\x44\x19\xfe\x91\xc5\xc3\x0c\xcd\x2b\x24\x45\x4c\x36\xd7\x96\x67\xe8\x62\x5a\xbe\xaf\x46\xae\x4d\x79\x9e\x0e\x66\xda\x39\x4f\x75\xfe\xc3\x3b\x6a\x3a\x56\xfb\x5d\x6f\xae\x6d\xd3\x50\x81\xb9\x17\xf5\x9c\x24\x08\x85\xa4\x05\xd9\x25\x7a\x5a\xb4\x6c\x35\xe5\x47\xe5\x29\x38\xff\x17\x0c\x79\x8c\xd6\xc3\x78\xc4\xb0\x75\x2e\xc8\x77\x0e\xd9\x73\x09\x65\x31\xec\x90\xb9\xe1\x31\x99\x52\x96\xa3\xc8\x4c\x43\xb9\x8b\x7a\x63\xda\xec\x8a\x55\x60\x25\x97\xcb\x76\x95\x45\x06\xef\x2b\x67\xcb\x86\xad\xa6\xd2\xbc\x1b\x37\xfe\xd7\x1e\xd9\x51\x44\xa1\xff\xab\x5e\xf0\x88\x77\x6e\x6e\xb6\x3a\x47\x8d\xb1\x83\x6f\x66\x71\xdc\x04\x54\xa5\x70\x74\x14\xa4\xc8\x78\x3a\xd5\x29\xa2\x90\x1f\xd6\x90\xb6\x3c\xcd\xde\x50\x44\xae\x6c\x7d\xd3\x23\xbb\x31\x61\xca\xff\x03\x2f\xf8\x39\x90\xae\xe3\x98\x40\x05\x3b\x71\x59\x4b\xdb\x43\x3a\x6a\xd4\x86\xa3\x24\xcc\x11\xad\x36\x8b\xe2\x22\x45\x4c\x48\x60\xa5\xb2\x7f\xc5\x09\xd4\xea\x10\xdb\xe4\xa1\x4a\xdc\x72\x2c\xf2\x63\xe4\xcd\xe4\xce\x4d\x6c\x47\xf8\x36\xf8\x10\xd2\xd4\xa4\x23\x0f\x06\xf7\x2e\x1a\xd6\x8e\xad\x6b\x13\x7b\x18\x7f\xfe\x6a\xa7\x74\x84\xf5\xfb\x88\x7b\x62\x0e\x25\x67\xf9\x4a\x04\x16\xe4\x37\xae\x0a\x3e\xbe\x6b\xf8\x7a\xe9\x38\x46\xe6\x24\xe3\xd9\xcc\x12\xd6\xcf\xba\x02\xf6\x1d\xcc\x21\xc6\xc4\x6f\xad\xd2\x11\x7e\x08\x76\x8c\x48\xa3\x8c\xea\xb4\x39\x4d\x86\x13\x72\xfb\x4a\x99\xc7\x95\x39\xdc\x72\x14\x31\x52\xad\x8c\x36\x38\xd8\x9d\x49\xe4\x98\xd0\x11\x5d\xee\x02\x22\x3a\x4f\xac\x5c\xa0\x78\xa0\xc3\xe8\xe0\x06\xb0\xc0\x93\x8c\xbd\xb3\xa8\x58\x0a\xd0\xa6\x52\xf1\x12\x16\xc5\x9a\xb9\x46\x9b\xc8\xc0\x64\x66\x23\x31\x29\xb4\x0f\x88\x58\x16\xb9\x5e\xf9\xb3\x2c\x57\x99\xb2\x8d\x11\x7d\x04\x49\xab\xcb\xe5\xcc\x01\x8c\xb5\xa9\x18\xd5\x65\x47\x0c\x5a\x69\x9d\x86\x05\xe0\xa1\x29\x68\x4a\xb9\x73\x03\x18\x24\xb6\xcf\x7b\x22\x59\xe0\x2a\x48\x2c\xdf\xdb\x2e\x62\xf9\xbf\x55\xfb\x04\xa3\x8e\x5f\x88\xd9\x2e\x22\x8e\x9b\xac\xb5\x5c\x77\x2c\xca\x08\x01\xe4\x1b\xf4\x2e\xdd\x9d\x28\xd7\x9b\xa4\x66\x2e\xcc\x85\x52\xee\x98\x33\x63\x9f\x1b\x5a\x5d\x96\x74\xf0\x78\xdd\x2e\x14\x5c\x30\x54\xc6\x28\x3e\x42\x0d\x7a\xab\x74\xa7\x1c\x77\x84\xe1\x95\x87\x41\x40\x72\xcc\x59\x33\x8a\x81\xf2\x05\x59\xb5\x90\x60\x21\x8a\x07\xd0\x7f\x33\xf1\x6a\x08\xdc\xb2\xcd\xbd\xa9\x1a\x52\x67\xb7\xfe\xf8\x76\xe5\xe6\x76\xa9\x48\x25\x87\xa5\x49\x8c\xac\xf8\xf7\xeb\x4c\xc8\x99\x52\xd1\x59\x6e\x47\x29\x18\xea\xb2\xf6\x8d\xc0\xc2\x36\x32\x80\x8e\x06\xb9\xc6\xdd\xed\x75\xfb\x58\xbe\xc5\x63\xf9\x80\xec\x04\xa1\x7b\xfb\x78\xec\xa0\xf5\x2b\x1f\x82\x1b\x40\xfb\x2a\x17\x97\x95\xac\x3d\x3c\xb4\x66\x6e\x1b\x1b\x2e\x42\x71\x78\xfa\x87\x55\x7c\xf5\xc8\xf7\x8d\xdd\x84\x8e\xc2\x87\xd5\xd8\xac\xf3\x22\xcd\xfd\x4f\xed\x0e\xee\x74\xae\xb8\x21\x5e\xdb\x17\x8f\x3e\x32\x65\x9c\x95\x08\xaf\x17\xbc\x2b\x5b\x76\x03\x8e\x5a\xfc\xfa\x2e\x32\x43\x76\x77\x45\x96\xcf\xcd\xfb\x6f\x0c\x7e\xec\x81\xae\x22\x04\x50\x08\xe4\xcd\x48\x41\xef\x9a\x34\x76\x78\x53\x2e\x1c\xa3\xe2\x45\x8f\xec\x95\x0f\x41\x8f\xbf\xe6\x69\xa3\xfa\x39\xef\xb4\xc9\x7e\x54\x8f\xa9\x70\x81\x06\x5b\x97\x0f\x81\xaf\xcf\x31\xbd\xa3\xcc\x44\x55\x19\x6e\xb6\xf8\x38\xe6\x52\xd6\xe9\x11\x7a\x3b\x3d\x4f\x6f\xa7\x37\xdf\x74\xd3\x0d\x37\xc3\xe3\x77\x89\x2c\x3f\xad\x86\xa2\x64\x39\x70\x5b\xc3\x33\xa3\x33\x96\x52\xa2\xb3\xbc\x1c\xab\x4c\x9f\x2f\xb1\xac\xa4\x1b\x55\x32\x90\x7f\x47\x9f\x6f\x9e\xf5\x82\x8f\x0d\x9d\x18\xec\x6e\x27\x74\x6e\xe6\xf4\xcc\xdb\x16\xee\x3f\xfe\xb6\xd3\x33\xa7\x4e\xc0\xea\x52\xb1\x0e\x1b\x54\x59\x84\x2a\xd4\x20\x5b\x0d\xad\x59\xec\x8b\x70\x7c\x9c\x04\xdc\xb5\xda\xb7\x8c\x03\xab\x01\x20\xe1\x1c\x62\x65\x28\x0d\x4c\xa9\xad\x33\x61\x0f\x92\xbd\xfd\x54\xe4\xa2\x25\x62\xff\x54\xf0\xe6\x79\xf5\x37\xe2\xa7\xe3\xc0\xa8\x2f\x39\x37\x3b\x5f\xa7\x8b\xc7\xe7\xe1\x34\xbc\x70\x7c\x71\xde\xf5\x7d\x07\x8b\xc7\xe7\x03\xd7\xc0\xf4\x88\x2b\x6f\xfe\xaa\x96\x87\xe6\x7a\xe2\xd0\x17\xe1\x81\x4c\x4a\x1e\xd3\x11\xea\xc5\x0d\x0a\x83\x33\x5d\x4f\x12\x72\xd4\x5a\x60\x9a\x08\x5a\x47\x5e\x8e\x2f\xcc\x2d\xe0\xa5\xe3\xac\xcf\x5a\x51\x3e\x00\x9f\xec\xf7\xf6\x05\x27\x46\xff\x34\xca\x35\x3b\x7c\xe7\xda\x00\x92\x1f\xda\xbb\xbd\x25\x6c\x75\x4b\xf8\x03\x83\x19\xf0\x45\x2f\x38\x62\x7c\xb5\x76\x8c\x72\x8d\x69\xb1\x4f\x6d\x6f\x22\x6b\xe0\x11\x4e\x20\x30\x17\xbd\x03\xe4\xba\xe1\xc8\x4b\x8f\xf5\xa7\x96\xf9\x20\xf3\xf7\xf9\x7b\xa6\x60\xd1\x92\x8b\x1e\x1d\x1b\xa3\xd9\xed\xef\xec\xb1\xfe\x76\xa4\x7c\x2b\x06\xea\xef\xda\x06\xea\xb3\x5b\x84\x16\xf9\x99\xd1\xc8\x22\x97\xcb\x30\xbd\xe8\x89\xf5\x0d\x8f\x7b\xfd\xbb\xd7\xa3\xb8\x1f\xad\xc5\x46\x16\xc4\x3e\x7d\x35\xf9\xf1\x0d\xf8\x2b\xfc\xff\x77\x55\x70\xbc\x2c\x1f\x66\x34\xe5\x79\x91\xaa\x1a\x56\xd8\x45\x5a\x0c\xeb\x5e\xc0\x67\x9b\x1c\xc8\xf5\x1d\x8a\x01\xc0\xac\x45\x4b\x35\xbe\x70\x25\x39\x47\xf6\xf4\x78\x96\xb1\x0e\xf7\xef\x0e\xee\x98\xa1\xdd\xa2\xc7\x92\xa9\x94\xb3\x10\x5c\x0c\xe8\x5b\xea\x57\x4d\xb5\xa2\xe4\x32\x31\x8e\xb9\xc6\x0f\x37\xee\xcc\xb7\x3d\xc3\xbf\xfc\x87\x5e\xf0\x45\x6f\xc6\xf0\x5d\x8d\x1b\xac\xd5\xee\xa0\x32\x44\x90\x98\x86\x1b\x6f\x70\x12\xbd\x60\x81\x1a\x4f\x15\x7f\x8d\x32\x35\xa3\x3a\x1d\xa3\xf4\x02\x26\xc2\x0d\x09\xac\xb0\x28\x96\xaf\x6d\xd0\x19\x1d\x09\x68\xc5\x2c\xc5\xec\x11\x96\xd0\xbb\x16\x17\xe7\xf5\x64\x41\x69\x65\xb3\xb0\x4a\x9c\x74\x8a\x25\x8d\x5c\x7a\x98\xcf\x94\xc5\xee\xbf\xe9\x05\x1f\xd6\x15\xeb\x9a\x5c\xd5\x4c\x36\x3d\x93\x70\x2a\xda\xd3\x34\x58\x40\x0f\x0f\xa2\x79\xeb\xaf\xba\xdc\x35\x04\xdb\x69\x72\x97\x70\xb7\xbf\x9f\xec\x94\x02\xe3\x9f\xd6\x66\xe4\xad\x0b\x45\xa7\x83\x51\x0f\x90\x2a\xa5\x59\xb0\x60\x57\xf3\xab\xe2\x44\x48\xf3\x30\x6a\x83\x88\x0d\xb1\x83\x3c\x5d\x23\x7b\x94\x97\xd8\x7f\xac\x46\xde\xbc\x69\xe7\xad\x0a\xbc\x05\xff\xcd\x83\xf3\x66\xa8\x6b\x80\x47\xb9\x67\x4d\x3d\x24\x58\xfd\x8a\x69\x1d\x22\x3b\x20\x07\xe0\xfd\x12\xab\x58\x79\x8f\x2d\x61\xe3\xd5\x84\x52\x93\x59\xa1\xa9\x51\xe0\x8d\x38\x12\x48\x94\x2e\xbf\xb9\x53\xb0\x94\x25\x39\x37\x34\x10\x00\x79\x99\x0b\x08\x7f\x29\x19\x53\xc4\xc2\xa8\xa9\x4b\x44\x9f\xb2\xb3\x98\xd0\xba\x6d\x9c\x6c\x05\x5b\xf5\xf4\xfa\xfb\xf9\x8f\xfb\x87\xa6\x2c\x8c\x27\xbd\x87\xa3\x88\x55\x5d\x07\xbf\x7a\x05\x99\x5a\x87\x76\xe1\x64\x2c\x56\x11\x6b\x02\x0a\xe2\xbe\xbb\x3f\xf8\x09\xf7\xd2\x88\x7a\xe4\xf2\x86\x03\x25\x55\x20\xea\x9c\x58\x88\xe5\x0c\x0a\x93\x1b\x17\xbc\xeb\x34\x25\xf7\xbd\x72\x64\x1c\x66\x07\x67\x47\xff\x3e\x21\x7f\x59\x23\xbb\x00\x64\xca\xff\x5f\xb5\xe0\x25\x6f\x09\xfe\x5e\xb2\xde\x8d\xc1\x23\x33\x8b\xe0\x65\xd7\xe1\x5d\x28\xa2\x15\xab\x4a\x54\xd5\x1a\x28\x3b\x69\x68\xc9\x58\x89\xc2\xd9\x86\x15\xa1\x79\x20\x34\x41\x3a\x15\x09\xa7\x3d\xae\x4f\x9f\x88\x7a\x65\x93\x9a\xa9\xe7\x1b\xaa\xa8\x39\x82\x3d\x0b\xb7\x3c\xc8\x02\xac\xab\x9d\x4f\x07\xab\x13\x61\xe3\x71\xe7\xad\xae\x16\xf8\xb2\x77\xce\x41\xe3\x2e\x72\x92\xcc\x6e\x88\x36\x03\x2b\x74\xcf\xca\x9e\x3e\x10\xe5\x5d\x05\x98\x98\x4d\x98\xeb\xf5\x44\x8d\xbc\x26\x8c\x00\x02\xab\x88\xb2\x2e\x4f\x4f\xf1\xbc\x2b\x42\xff\x97\x6a\x1b\xec\x86\xfc\x9e\xd9\xe1\x86\x82\xdf\xf6\x96\x46\xb4\xbf\x54\xe5\x20\xb1\x19\x83\x61\x2a\x9d\x87\x30\x7d\xca\x89\x9d\x58\x53\xaf\x67\x7d\x29\x89\xe2\x25\x27\x17\x55\x95\x7c\xb9\x6d\x45\x99\xe6\x21\x0f\x95\x56\x2c\x94\x38\xb1\x78\x95\x0d\x32\x9d\xa4\xaf\x66\x15\x56\x66\x83\x3c\xb2\x83\xf8\x7a\x02\xe7\x53\xde\xe2\x21\x4f\x5a\xdc\x7f\xd9\x44\x86\xbf\x55\x5b\x1a\xfe\x7d\xc9\x06\x4e\x69\x75\x85\xc8\x38\x65\x3d\x31\x24\x03\xce\x47\xe9\xc2\x0a\x23\x6b\x40\xb5\xdd\x15\x19\x4f\x6c\xa1\x96\xb2\xa7\x9a\x92\xcd\x9a\xad\x23\x29\x7a\x3c\x45\xa2\x63\xc3\x19\xad\xc0\x17\x38\x86\x92\xb1\x24\x2d\x16\x1d\x75\x97\x22\x99\x3e\x44\x4f\x0d\x7d\x80\xde\x81\x86\x7f\x51\x9a\x5c\xfb\x5c\x52\x96\x74\x30\x03\xf2\x27\x8f\xd6\x8f\x1e\x39\x72\xe4\xc8\x5b\x6d\xfa\xbc\x08\x2d\xb1\x7e\xf9\xb8\xda\x7a\x2c\xcf\x58\x94\xdb\x39\x1e\x50\xba\x0c\x0c\x68\x06\xdb\xd7\xdd\x97\x3f\x5b\x23\x6b\xe8\x17\xff\x43\x35\x32\xbf\xb1\x85\x34\xb6\xad\xb2\x58\xe8\xf7\xbc\xa5\xf1\xaf\x5c\xd2\xa6\x55\xc9\xea\xce\xe8\xf8\x56\x2b\xc4\xb5\x26\x95\xb1\x7c\xba\x65\x76\x29\xb9\x33\xc6\x2b\x3a\xe1\xc0\x12\x02\x3d\x60\x98\x02\x13\x2a\xe3\x2c\x5d\x46\x88\x04\x95\xa1\x22\xdf\xa4\xc2\x65\x60\xb3\x1b\x4a\x17\xf2\xde\xdd\x0e\x5b\x81\x93\xb6\xeb\x60\x41\x2d\xde\xbb\xe0\xff\xc9\xae\x57\x32\x77\xf7\x17\x76\x91\x0b\x26\x77\xf7\xd1\xed\xdc\xdd\x6a\xa5\xe0\x76\x56\xee\xe5\xcb\xca\xfd\xf4\x7e\xf2\xf7\x46\x44\x5c\xe6\x45\x38\xd3\x06\x7d\x32\xf0\xff\xe5\xfe\xe0\x4d\xf3\x22\xa4\x4c\x5d\x40\x23\x17\x33\x31\x44\x1b\x0f\x4d\xe0\x9d\x37\x37\x28\x78\x03\x39\x76\x60\x57\xb8\xe2\xff\x45\x42\x5e\xda\x45\x0e\x1b\x42\xe6\xd9\x42\xf6\x64\xc1\x3c\x33\x87\x0b\x1c\x2f\x9f\xd0\x38\x1b\xfe\x6f\xed\x0a\x5e\xda\x69\x83\x27\xa8\xfc\x03\x6c\x07\x00\x44\x34\xaa\x42\x5f\x20\xb5\x79\x22\x42\xbd\x39\x66\x2c\x8f\x32\xc5\xdb\x66\xfa\xc9\xcf\x4b\x83\x5b\x51\xe2\x6b\xc9\x34\x15\x6f\x30\x35\x08\x38\xa4\x62\xfd\x7a\x5b\xd3\x0c\xc6\x2c\xa7\x2b\x91\x80\xc3\x23\x98\x53\x1a\xde\x52\x97\x17\x96\xcd\x2b\x94\x22\xf3\x58\x94\xd1\x9e\x9c\x25\x33\x08\x5a\xaa\x65\x33\x46\x54\x3a\x90\x8e\x21\x57\x20\x96\x57\xac\xf2\xa8\xd3\xcd\xe5\x82\x6a\xf0\x06\x4c\x29\xe4\xf6\x95\xcd\xf6\x38\xcf\x01\x74\xdd\x2c\x0c\x6b\x26\x50\x15\x62\x9a\xca\x41\x73\x00\x51\x5b\x6f\x5d\xff\x3e\x34\x1d\x23\x87\xab\x0e\x28\xa2\x87\xea\xc6\x9a\x61\xd0\xc7\xe6\x80\x46\xb9\xae\x25\xd7\x0c\xcf\x30\x14\x3a\x3f\x46\x9f\xdf\x51\xee\xa5\xe8\xb2\x10\xb8\x86\x03\xfc\xb8\x40\xab\x20\xd9\x9c\xda\x4a\xe1\xfb\xba\x2c\xc3\x79\x55\xb5\x93\x96\xa5\x0a\x40\x49\x59\x5f\x20\x69\x71\xbf\x14\xdd\x45\x9e\xf6\x6e\x33\x4d\x1c\xcc\x0e\x95\x43\xab\x0c\x01\x78\x0d\x53\x29\x6c\xee\x8c\x38\x1a\xea\x76\x32\x4d\x6e\x59\xb7\xea\xf6\x01\xf8\x04\x1e\xce\xbb\x5d\x20\x7f\xb8\x93\x34\xc6\x0d\xef\x18\x69\x7f\x62\x67\xf0\xad\x1d\x4a\xb7\x98\x09\x70\xa6\x70\x8c\xc0\x1a\x46\xd2\x1e\xcf\xa5\xb1\x6f\x49\x40\x1e\xf5\x94\x4e\x91\xab\x15\x16\x8f\xda\x74\x4b\xa8\x22\xa1\xd1\xa7\x90\x64\x7d\x53\x3d\x68\x01\xe4\x2b\x9a\x5e\xba\x17\xa2\xc7\x91\xac\x91\x86\xf0\xa5\xd0\x85\x12\xe8\x49\x51\x7e\x63\x2a\x0f\xc6\xfa\xa0\x56\x56\x1d\x5a\x0f\x61\xb7\x15\x98\x81\x5c\x8a\x72\xa9\xb1\x01\xf4\x3f\x4f\x01\x0a\x88\xcb\x53\x27\xa2\x41\xf1\x95\x48\xf1\xa7\xca\x86\xe0\xcc\x2c\x8d\x02\xfc\xa4\x07\xca\xd4\x3d\x39\x54\xa6\x7c\x57\x8b\x68\xdd\x44\x4d\x40\x5a\x51\x87\xb8\x22\x26\xdf\x86\xb5\x5b\xce\x3c\x43\x7b\xa0\x0e\x33\xa8\xf8\x55\xeb\x54\x2e\x47\xa9\xaf\xcb\xa8\x1d\x2a\xa3\xea\x2e\x78\x23\xb9\x7e\x02\x32\xcc\xaa\x6c\x7d\x6c\x0f\xb9\x6e\x44\x76\xbd\x3a\x1c\xf9\x8f\xee\x09\x7e\xc7\x53\xff\xe8\xa8\x2e\x9e\x0e\xb5\xe9\xa5\xe6\x5b\xf9\x20\x44\x8a\x00\x18\x98\x77\x08\xb9\xd1\x8c\xa6\x22\xe6\x10\xf7\x06\x75\xd0\xef\xc7\x70\xe6\x10\x0d\x5a\xb2\x5d\xf3\x08\xbc\xd8\x80\x98\xc8\x68\x08\x8c\xb9\x90\x2a\x66\x7c\x1b\xea\x7d\x75\x84\x78\x2c\xdd\xe2\x89\x48\xa6\x74\x4a\x5b\x56\xc8\x43\x81\xc2\xe0\x90\xca\x01\x77\x19\x60\xca\x68\x5c\xf0\xc0\xdb\x72\xc1\x83\x80\xb3\xb3\xa5\x7c\x64\x17\xb9\x55\xc5\xa1\x8f\x06\xff\xe0\xb4\x65\x19\xa8\xd7\x23\x43\x87\xe9\x84\x43\xf1\x47\x3e\xe7\x91\x7d\x86\x8c\x03\xbd\xaa\xa7\x0d\x37\x87\xa8\x98\xaa\xa1\xf1\x32\xea\xc5\xa1\x5e\xb1\xac\xfc\x3f\x00\x53\xa4\x1f\xaf\x9b\x4f\x0a\xce\x65\x3c\x45\x1f\x2c\x50\xf8\x06\x9a\xc3\xd7\xf6\x28\x4b\x71\x36\x5e\x65\x3a\xa3\x92\xe7\xa5\x8d\xa9\xcd\x6d\xb0\x60\xe4\x78\xa7\xa9\x48\xab\x5f\xb1\x97\xf5\x23\x68\xdc\xff\xa4\x17\x3c\xe9\xcd\xcc\xcf\xc1\x7f\x16\x9f\xa4\x9c\x11\xb3\x73\x57\xbe\x4b\xa5\xb1\x55\xa2\xd9\x01\x4c\xd2\x02\x86\xcc\x67\x5a\x80\x4a\xa6\x6f\xad\x20\x20\x04\x63\x53\xfe\xb1\x91\x73\x7a\x56\xb1\x57\xa6\x91\x4a\x4e\x2b\xfa\xd4\x5e\xf0\x82\xff\xe2\x81\x4f\x4d\xb4\xc7\xce\x22\x22\x44\x65\xae\x97\x2e\xca\xac\xcf\x94\x4b\x12\x87\xbe\xee\x0e\x7c\xe0\x7e\x52\x60\x74\x9d\x35\xea\xc6\x19\x6f\xf9\x7d\x73\x9d\xd2\xae\x7c\xc4\x1b\x9f\xa8\xa7\xf6\x91\x43\x13\xe5\x9b\x42\xec\xfd\xaf\xf6\x06\xe7\x46\xff\xa4\xc3\x4c\x6a\x23\xb7\x08\x6f\x2d\x4a\xc7\xe1\xcc\xcf\x35\x63\xf1\x4f\xef\xd9\xf6\xce\x6f\xd5\x3b\xbf\xaa\x43\xf1\x49\x70\x70\x74\x24\x7e\x38\xd5\x75\xf2\xe2\xf3\xf1\xe2\xb2\xed\x8f\xde\x42\xb0\xfc\x13\x76\x3c\xf4\x89\x2d\xc6\x43\x3b\x97\x2d\x2a\xbe\xb4\xbe\x17\xfd\x0e\xff\xb6\x49\xd3\xf1\x46\x55\x61\xfd\xb3\xfd\xe4\x86\x11\x66\xc8\xcc\x03\x0b\x27\x62\x96\xe5\x51\x0b\xd0\xbd\x16\x72\x91\x72\x07\x0c\xec\x79\x12\x7c\xb0\xe6\xa0\x68\x94\xfc\xee\x74\x36\xca\x96\x1d\xe2\xf6\x99\x07\x16\x1a\x84\xcc\xc0\x1f\xf4\xc4\xb1\x05\x1a\xca\x3b\x36\xc8\xd9\x5e\x3e\x33\x8a\xb1\x5d\xb6\xfc\xb0\x3c\x5e\x55\x39\xdb\xab\x6f\x95\xe6\x0c\x78\xcb\x9b\xea\x7d\xe8\x61\x2a\xd9\xd4\xa9\x00\x77\xa1\x7e\xe8\x95\x20\x7b\x7f\x74\x2f\xf9\x7c\x09\x0c\xf6\xa9\x5a\xf0\xd4\x36\x30\xd8\x68\x60\x30\xb6\x9a\x71\x14\xc4\xa6\x14\x44\x40\xa6\xb5\x17\xf6\x93\x35\xb2\xaf\xcf\xd2\x1c\x16\xb2\x7f\xc1\x38\xb1\xdf\x59\x5b\x04\xcc\x2e\xf5\x8b\x16\x95\x75\x86\x73\xae\x4d\x45\x2f\xca\x73\xed\x9f\x0c\x4b\xd4\x23\x7d\x93\x1c\x40\xd5\x0a\xe6\x26\x96\x43\x76\x52\xa4\xfa\x27\xb9\xda\x0f\x67\x21\x3b\x5a\x87\xd7\xe0\x78\xe0\xc8\x97\x7d\x92\x66\xe3\xd1\xa0\x41\x17\xa2\x5e\x14\xb3\x34\x1e\xd4\xed\x3e\x96\xf7\x49\xe3\x4a\x37\x08\xf4\xdd\x47\x02\x7a\x50\x00\xf2\x37\x48\x73\xcc\xd9\x0a\x57\x5e\x69\x44\x4a\x47\x2b\xf3\x90\xeb\x66\xfe\xb6\x0d\x8f\xf5\x82\x17\xfc\x67\x85\x4c\x38\xa0\x41\x9e\x16\x1c\x8e\xe6\x88\x8e\x05\x25\x84\x1c\x85\xc9\xa0\x64\x99\xb6\x2b\x30\x59\x60\x1a\x42\x03\x6b\x8e\x5f\x00\x00\x5a\xa3\x13\x13\xb6\x2e\x10\x16\x9c\xd6\x33\x36\xcb\xff\x87\xbd\xe0\x03\xde\x39\x4c\x25\x2d\x2b\xbd\xfa\xa5\xaa\x0a\x47\xa8\x2a\x7a\x70\xa6\xc7\x1e\x16\x89\xb5\xfc\x87\x4b\xbb\x2e\xb5\x20\xff\x59\x8d\xfc\xfd\x51\xb9\xd1\xb0\xd7\xce\xcd\xa3\xc3\xdd\xff\xdd\x5a\x70\x9f\x7b\xc9\xce\x8e\xce\xab\x94\xf2\x70\xc4\xc5\xfb\xe9\xdc\xbc\xf2\x74\x66\xe8\xe4\x31\xa7\x7e\xd7\x7d\xf7\x3f\x3d\xf2\xa2\x47\xae\xca\xa3\x1e\x17\x45\xae\xeb\x06\xbf\x62\x52\x9c\xff\xa3\xe7\xfe\x54\x81\x4c\xd1\xa5\x83\xe6\xbd\x73\xf3\xa8\x84\xf4\x5b\xe5\x08\x2c\x0f\xc0\x59\x61\x79\xb7\xcd\xd9\xf9\xce\x23\xf4\x47\x7f\x94\xde\x7e\xc7\x2d\x37\xdf\x78\xe4\xc8\x41\x29\xf9\x47\x69\xc8\x06\x87\xa4\x5e\xd1\x26\xbd\xf6\x56\xdc\x71\x07\x0d\xf4\x4b\x82\x12\xa2\xcc\x1c\xb7\x8e\x1e\xb9\x45\xb5\x71\x03\xed\x8a\x22\xcd\x2a\x0b\xe2\x7b\xf5\x09\x2b\x90\x67\xa1\x2e\x09\xf1\xa2\x33\xff\x3f\xd4\x83\x69\xe7\x8a\x2e\x14\x32\xf8\x69\x50\x3e\x08\xc5\x4c\x58\xe6\x65\x9d\x94\xdd\xc1\x7e\x97\xbf\x6d\x8f\x6f\xd5\x1e\x7f\xac\x46\x76\x87\xe9\xe0\x6c\x91\xf8\xbf\x5c\x0b\x5e\xf6\x10\x53\x07\xc7\xa3\x5e\x45\xd2\xe9\x89\xd0\x44\xf8\x9d\x72\xac\x66\xa9\x15\x90\xd2\x49\x47\x9c\xa0\x24\xda\xfa\x54\x7c\x95\x72\x81\x44\x2b\x2a\x40\x9e\xf2\x0c\xf4\x5c\x62\xce\x84\xa6\x56\x1c\x06\x2e\x11\xb4\x5d\xa4\xe0\x43\xe9\xa7\xa2\x25\xd7\x42\xd2\x29\x0f\xe9\x2a\x3c\x3a\x0a\x60\x7a\x26\x8e\x01\x52\x5a\xbe\x18\x20\x9f\xb3\x9c\x75\xac\x22\x72\xd5\x1c\x0f\xd7\x88\xb8\x7c\xa3\x46\xfc\x4e\xca\x5a\x7c\x9e\xa7\x91\x08\xf5\xa2\xfe\x42\x4d\x97\x00\x7d\x1c\x76\xcb\xd0\x8a\xe7\x8d\x2a\x01\x56\xa4\x0b\xa6\xfe\xd7\x94\xeb\x4d\x02\xe4\x5c\x2e\xf5\x87\x79\x2a\xac\x79\xc1\x56\x68\xd4\xeb\xf1\x30\x62\x39\x8f\x07\x23\x72\xf1\x92\x28\x76\x77\x14\xf8\x1c\x39\x65\x91\x08\x4d\xe4\xaa\xf4\x58\x82\xca\xd1\x43\x54\x64\xb2\x93\xb6\x2b\x83\xc9\x27\xf5\x07\xa9\x97\xb4\xdd\x28\x6e\x03\xfb\xd9\xe3\x2c\x19\xd9\x47\x47\x93\x6c\x1f\xcd\x36\x7f\x34\xfb\x7c\x8d\x5c\x23\xd2\x7e\x97\x25\xb3\x50\x12\x29\xbf\x5a\xaa\xc1\xc7\x6a\xb3\x86\x96\x6c\x9a\xf6\x91\x68\x0c\x89\x58\x38\x9d\x4f\x45\x9f\x75\x40\x5a\x31\x6d\xa4\x6e\x7b\xa8\xf5\xc4\x5b\xbc\x66\x51\x42\x8f\x36\xde\xd8\xa0\x0b\x28\xbd\x28\x4a\xea\x75\xa6\xe4\xb6\xc9\x29\xf6\x04\xc6\xa6\x0d\x6c\x34\x87\xc1\x6e\x41\xe1\x0b\xf0\xd7\x80\xb6\xa3\x04\xca\xa9\x52\xf3\x2a\x16\x86\x60\x09\x1f\x4e\x79\x4f\xac\x94\x50\xd5\xbc\x2c\xf7\x33\x0f\x61\x08\xb7\x41\x4f\x44\x8a\x53\xd7\x74\x5c\xa4\xc3\x5f\x66\xca\x50\x79\x5e\xd2\x63\x34\x45\xde\x75\xe1\xee\x9f\xf3\xc8\x95\xf2\x6b\x45\x82\x08\x16\x99\xff\x6f\xbd\x4d\xa5\xf8\xcd\xdb\x8d\x04\xb1\x2e\x8b\x51\xd1\x5f\x80\xac\x06\x95\xc0\xd4\x0e\x87\x69\xb5\x1a\x4f\x52\x14\x68\x46\xcb\x4e\xf6\x45\x06\x85\xcf\x75\xca\xe8\x8d\x47\x6e\x95\x27\x52\x88\x96\xea\xac\x58\x3d\x76\x3a\x89\xaf\x41\xfe\xef\x0e\x72\x6d\xbf\x3a\x00\xfe\x8b\x3b\x82\x17\x76\x3c\xa0\x18\x88\xa5\x36\xed\x8a\x55\xda\x61\x69\x93\x75\xb8\x5d\x9c\x62\x54\x22\x32\x5d\xcb\x49\x1c\x39\xc4\x67\x2a\xd2\x36\x7e\x84\xf1\xdc\xa9\x54\x8e\xa2\xb1\x06\x90\xb5\x16\xec\xf3\xea\x2c\x05\x47\x58\x88\xa0\x1b\xb1\x90\xd6\xb3\x3a\x72\x98\x6c\x69\x6b\xfe\x75\x0e\xa3\x5e\xfc\x53\x3a\xf5\xac\xf2\xb2\x06\x9d\x69\x49\x73\x12\xd2\x9b\xed\x7d\xe1\x00\x7e\xc3\x01\x3a\xa5\x24\xd6\x95\xe8\xec\x36\x7a\xe0\x18\x6b\x2d\x77\x52\x51\x24\xa1\xbc\x0b\xc3\xde\x10\x75\x74\x07\x4e\x40\x6c\x55\x29\x38\xb7\x11\xfd\x05\x4d\xd3\xd2\x6d\xf4\xc0\x49\x91\x72\xab\x59\xda\x62\x59\x8b\xa9\xc8\x5c\x49\xf3\x8d\xed\x61\xac\x72\xb8\xc1\xb6\x69\xa3\xe1\x24\x0d\xfe\x8f\xd7\xae\xef\xef\x78\xf6\xb5\xfe\xbf\x7f\xed\xa8\xbc\x41\xc7\x24\xab\xb8\x39\x4a\x0f\x49\xa8\x48\xc7\xab\x95\x03\x6b\x3f\x3d\x1e\x56\x6e\xc2\x06\x87\x3b\x80\xfc\x4d\xe9\x48\xe4\x9c\x8d\x7d\xca\x26\x5b\xc2\x0f\x99\x9a\xe0\x95\xe5\xc7\x3a\xc4\x60\xea\x55\x53\x6b\xfe\xba\x81\x8e\x94\xcd\x6c\x7e\x6c\x26\x7c\x19\x5d\xe7\x65\xe3\x38\xff\x6d\xff\xda\xb8\x09\x1e\x7f\xcf\xda\x5f\x3d\xf9\x63\xd7\x13\x87\x77\xba\x04\x76\xde\x9c\x1c\x6d\xb6\x09\xfd\x05\xa3\x87\x6a\x2d\x64\xa8\x71\x43\x37\xf9\x33\x6b\x0e\x65\x91\x8b\xac\xc5\x62\x69\x5c\x6c\x74\x24\x36\xf0\xe0\xf5\xc3\xdf\x7f\x3d\xce\x0e\x9d\xbc\x41\xf3\x6e\xe0\x8d\xd8\x58\x77\x27\x7e\xa4\x32\x3e\x56\x7e\xd9\x46\x96\xe9\x26\x56\xd7\xa8\x37\x95\xdd\x10\x22\x0d\x55\x92\xd3\xa6\x04\x77\x93\x0d\x6c\x42\xef\x0d\x61\x87\x4e\xad\x8b\x2a\x3a\xf9\x74\x40\x62\xc3\x06\x27\x62\xb3\x8f\x4e\xfc\xed\x95\x89\xb4\xc8\x26\x9d\xf5\xce\xe2\x7e\xd7\xbe\xcf\xce\x46\x2d\x89\x25\x27\x5b\xfd\x9b\x78\x76\xad\x61\x05\xb2\x08\x65\x45\x4d\xde\x88\xfa\xa0\xb2\x15\xe5\x04\xd9\x54\x8f\x4c\x63\x1b\x10\xb5\x21\xf2\xe5\x4d\xcc\xd6\xa8\x36\xf4\x4f\x22\x1c\x2a\x9a\x9c\x48\xd4\x36\xf8\x60\x75\x1c\x37\xf8\xf8\x26\xd6\x28\x4e\xf5\x9a\xb6\x9a\xba\x65\x1d\x39\x5c\x1f\xd8\x70\x62\x5b\xb1\xba\x3c\x36\xda\xf4\x5a\x1f\xb3\xf1\xb6\x36\x30\x98\x65\x56\xd9\x90\x04\x0d\xff\xb4\x11\x71\x18\xff\x3d\x93\xb6\xbb\x5e\x09\xf0\x44\xd2\xbc\xf1\x67\xab\x02\xbd\xf1\x16\x54\xdd\xf1\x7b\xa8\x93\xd0\xa5\x54\xf8\xca\xd1\xc6\x09\xf9\x97\xff\x97\xaf\x0f\x3e\xbd\x03\xfe\xd4\xf9\x1f\x18\x74\x04\x97\x2e\xdc\x0c\xc9\x76\x48\xfb\x38\x94\x77\x9f\xd3\x0e\x4f\x78\x0a\x59\x72\x21\x47\x56\x76\xc8\xcd\x43\xec\x1e\x84\xa9\x32\x61\x53\x1d\xf3\x83\x2e\x68\xdc\x8d\x38\xea\x45\x08\xaf\x98\xa3\xef\x06\x51\x01\xe1\xc4\x9a\x46\x9d\x8e\x3e\xbe\xaa\xaa\x65\x3c\x3c\xf3\x15\x11\xaf\xe8\xcc\x56\xf0\xec\x63\xab\xb4\x25\x92\xac\xe8\x59\xee\x67\x4c\xb7\x89\x07\x1a\x00\x23\x8f\x7a\xca\x13\x6a\xbe\x4f\x41\x97\x63\xe9\x88\xaa\xac\x4d\x79\x1b\x4e\xf9\x90\xfd\x22\x1b\x55\xe1\x1b\x40\xab\x8c\x07\xe0\x51\xc3\xde\x41\x02\x9a\x0a\x84\xe4\x51\x52\x00\x6b\x20\xdc\x8d\xd9\x5e\x38\xe0\x3a\x53\x94\xe5\xf4\xac\x29\x50\x5c\xb1\x31\xba\x9a\x1c\x59\x01\x75\xfd\x81\xaa\xfc\x5d\xe1\x75\xda\xe4\x59\x3e\xc5\xdb\x6d\x91\xe6\x75\x88\xac\x62\x6a\x21\x8b\x11\xff\xed\x82\xb7\x0f\x5e\xb2\x18\x55\xd2\xd8\x9e\x7d\x1d\x79\xce\x23\xd7\xe2\x94\x46\x49\x67\x2e\xc9\x72\x96\xb4\xb8\xff\xb4\x17\xfc\x9a\x37\x74\x59\xe7\x95\x94\x71\x2b\x2b\x19\x3f\x52\x37\xd5\x29\xa4\x56\x2e\xa9\x70\xf7\xd4\xf9\xc1\xc3\xed\x25\xa7\x76\xb2\xac\xbd\xc0\xd4\x33\x48\xca\xe3\xab\xfa\x73\xe5\x5c\x2a\x38\x38\x94\x80\x1c\x13\x65\x8f\x5e\x7f\x8b\x94\x97\x94\xb5\x72\x9e\xba\x49\x5c\x5f\xf2\xc8\x6e\x04\x56\xf4\x3f\xeb\x05\x9f\xf0\x14\x86\x63\xa4\x91\x4e\x95\x37\x86\x65\x50\xa4\x93\x1c\x56\x3c\x80\x29\xef\xb0\x54\x27\x58\xa2\xf7\x43\x5f\xd0\xb1\x0a\xc4\x3e\xab\x16\x76\xbf\xc2\x9f\xb3\xed\xbc\xdd\x46\x49\x73\x50\xd2\xbe\xec\x91\x3d\x29\x8f\xe5\x28\xcb\x6f\x5a\x3f\x69\xb7\xca\xc4\xf4\xa8\xa7\x1e\x37\x69\xff\xba\x00\x05\xc3\x2a\x2c\xd5\xe0\x2c\x20\xbe\x50\x54\xd0\x12\xbd\x7e\xcc\xcf\xab\xd5\x93\x35\xe8\x09\xb9\xae\x21\x92\x58\x5d\x27\x96\x22\x36\xbc\x3a\x52\xeb\x19\x7f\xac\x68\x53\xdd\x01\xb5\xb2\xc8\xa7\x3c\xf2\x1a\xa3\x61\xca\xd4\x20\xff\x83\x5e\xf0\x1e\x6f\xc4\x0f\xa3\xca\x70\x6c\x3e\x57\xb9\xd0\x39\x86\xfa\x15\x81\xd0\x0a\xc4\xdb\x4a\x6d\x54\x06\xc6\x95\x6e\xda\x88\x5a\xaa\x02\x2c\x5d\x5d\xba\xf2\x8f\x8b\x22\xb1\x39\x47\x2b\xbf\xe8\x8e\x5b\xbe\x7f\x95\x38\x9f\x65\x98\x9a\xde\x64\xad\xe5\x55\x29\x62\x72\xc8\x59\x1e\x21\xf0\x22\xee\x08\x6a\x46\xd5\xee\x05\x75\xe0\x4e\xa0\xe7\x09\x8f\x5c\x53\xb6\xac\x72\xa1\xde\xed\xad\x81\x87\xae\x65\x04\x5a\xc4\x07\x02\x56\x6d\xe2\x92\x77\x9a\x3c\x5e\xc2\x65\x7c\xc0\x0b\xde\xe5\xa9\xca\x76\xd0\xd1\xaa\x4c\xa6\xa2\xa6\xb5\xf6\x75\x11\x48\x5e\x61\xdd\x7b\xc1\x23\xbb\x33\x9e\x46\x3c\xf3\x1f\xf1\x48\x63\xec\x28\x56\xcc\xa4\x05\x78\x24\x78\x2b\x3e\x0a\x2e\x79\xc0\x1f\x00\x98\x6e\xf9\x71\x38\x14\xea\x67\x90\x4f\xb4\x2d\xac\x64\x09\xd9\xf7\x28\xc6\xf2\xe7\x03\x25\xc8\x6f\x2e\x12\x7c\xba\xb1\x1d\x9a\xdf\x6a\x68\xfe\x7d\x1e\x29\x4d\x21\xff\x17\x3c\x72\xfb\x26\xb6\x87\x53\x51\x2b\x15\xb2\x81\x60\xce\xb4\xa5\xd7\x0b\x98\xa6\x0a\xac\x59\xeb\x20\x90\x68\xa4\xb1\x17\x4d\x38\xb3\x87\x5a\xb4\x53\x53\x2e\xfa\xac\x47\x76\x4a\xf3\xd8\x7f\xc6\x0b\x9e\xf0\xe4\x5f\xb8\xe7\x6f\x01\x7e\x87\x9e\x62\xe7\xa3\x1e\x8b\x69\xcc\x93\x4e\xde\xd5\xf7\xeb\xb6\x8f\x2e\x1f\xc3\xe0\x52\x1c\x35\x53\x06\x72\x59\x5a\x9a\xfd\x94\xf7\x99\x4a\xa5\xeb\xb2\x24\x2c\xa3\x3d\x45\x5f\x5e\xbb\xf9\xc6\xe5\x63\xce\xba\xf9\x64\x8d\xec\x33\xdb\x82\xff\x64\x6d\x13\x9b\xd4\x5f\x78\xe5\xbe\x62\x2a\x47\xac\x38\xbf\x35\xa2\x72\x68\x9a\x18\xd9\x4b\x70\x49\xb7\x18\xf0\xc2\xc1\xc2\x49\x14\x3f\x3d\x35\xdb\x88\x63\xa8\x1a\xf0\x64\xb5\x39\x9c\xe5\xfd\x38\x6a\xb1\x05\x9e\x1f\x1f\x75\x97\xf5\x7b\x56\x96\x50\x70\xdd\x0f\xbd\xe7\x34\x39\x40\x52\x4b\x7d\xc3\x5a\x72\x35\x2b\xf8\x78\x0b\x89\x97\x59\x4d\x99\x7d\xf0\x13\x1e\xd9\x09\xd0\x01\x1f\xf1\x82\x5f\xf1\x74\x7a\x64\x6e\x31\xe4\x59\xef\x3b\x78\x5a\x1a\xfd\x71\x9d\x3e\xc0\x80\xbf\xff\x50\x1d\xd4\x1d\x72\xd5\xb5\xf4\xe4\x61\xe8\x57\x87\xb6\x00\xfe\xf7\x12\x58\xb2\xce\x74\x7f\xd6\x23\x7f\xbb\xdc\x1b\x4e\x4a\xe1\x96\xcb\x20\xcb\x59\xaf\xef\x3f\xee\x8d\xa7\x5f\x5a\x63\x5d\xc1\x92\x8a\xc6\xb5\x7a\xe9\x77\xa4\xff\xe4\x91\x1f\x29\x5b\xbb\x97\xd9\x9f\xf0\xaf\xb6\xf0\x09\xdd\x31\x8d\x5e\xf2\x2f\xb8\xe8\xfd\xc3\xf5\xc3\x93\x37\xf9\x37\x68\x4f\x0b\x3c\x3a\xce\xc3\xe2\xba\x6e\xc9\x6f\xec\x26\xf5\x91\x38\x7c\x0d\x4c\xb5\x9c\xc9\x73\xd6\xea\xf6\x8c\x09\xe1\xbf\x63\x77\xf0\x47\xde\xe8\xdf\x5c\xbc\x54\x3b\xe3\xb5\x54\x38\x0c\x9e\x91\x9a\xf1\x6c\xd4\xe9\xe6\x34\x11\xab\x98\x14\x6d\xb2\xb8\xef\x57\x69\xcf\x0a\x63\x53\x3f\x40\x57\x22\x56\x42\xa3\xaa\xab\x69\xdd\x42\xbe\x5e\x45\x76\x09\x0c\x38\x43\xa6\x76\x94\xc4\x51\xc2\x4d\x22\x75\x94\x40\xa5\x27\x64\xce\xb6\x72\x70\x05\x18\xa8\x12\xf5\x36\x84\x2e\xb2\x8e\xce\xff\x62\x27\xf9\xcc\x0e\x72\x0d\xb6\xa4\x12\xd1\xfb\xbc\xe5\x3f\xb5\x63\x02\xb6\xd4\x32\x33\xbd\x7c\x32\xf8\xf3\x5a\xb5\x31\xab\x7e\x2e\x8e\x41\x74\x6c\xbc\xaf\x84\xb7\x78\x96\x31\x2c\x46\xc4\xef\xc6\x34\x22\xed\x8a\x50\x03\x6d\xd5\x2a\x31\x05\xef\xa9\xbe\xdf\xce\x9f\xaf\xa2\x1b\xf5\x45\xbf\x50\x06\x7b\xa2\x30\xbf\x65\x07\x8e\x2f\xcc\x9d\x8a\x3a\x2a\x2b\xab\xcd\x99\xd1\x2d\xa5\xc2\x4e\x59\x92\xc5\xa5\x74\x67\x9a\xc2\x7d\xec\xab\x31\xff\x69\xd4\x98\x54\x3b\xd5\xe4\x39\x9b\x8a\xa5\x09\x80\xa6\x5d\x86\x9d\xeb\x0a\x44\x68\x50\x50\xab\x3c\x55\xb9\x75\x3c\x41\x28\x92\xb1\x1d\x27\xa7\xc8\xdf\xec\x57\xde\x0b\x10\x00\x37\x05\x07\xed\xa2\xbe\xe1\x41\x35\x43\xee\x68\xc5\x5f\xd9\x43\x5e\x3f\xca\xd2\x4e\x56\xee\x67\xa9\x5a\x27\x2f\xef\x0e\x6e\xb7\x2f\x54\xf8\x62\xf1\x9a\x1e\x6e\x53\x66\xcf\x12\x8a\x0f\xb9\x52\xf8\xd4\x6e\x12\x91\xab\x31\xc3\xf6\x14\xeb\xdf\xc3\x07\x67\x79\xdb\xbf\x7f\x02\x11\x3c\x6e\x3d\xb3\xc0\x31\xef\x22\xf8\xbb\xf8\x97\xec\xc8\x32\x1f\x20\x83\x8c\xb9\xb1\x41\x7e\xad\x46\xf6\xc2\x5c\xc8\x97\xbc\xbb\x46\x6e\x9c\x70\x8b\x07\xec\x03\xf3\x92\xaf\x79\xe5\x5b\x0c\x53\x8d\xaa\x9d\x9d\xd6\x75\x01\xd6\x29\x5b\x1e\xf8\xea\xee\xbf\xaa\xd4\x71\xc9\x5c\x44\x9e\xdb\x9f\x3c\x70\xfb\x3d\x27\x1e\xbc\xf3\xc0\x5b\x97\xec\xdf\x60\x53\xc3\xfc\x4a\xfb\x86\x4c\xca\x57\x22\x42\x98\x70\xf5\x6f\xe6\x94\xe8\xa9\x1f\x10\xd9\x03\xf1\x99\xcd\xbf\x7d\x11\x56\xff\xcb\x1a\xe4\xf1\x1a\xb9\x46\xdb\x9d\x27\xf5\x40\x3d\x52\x23\x37\xaf\x3b\x50\x67\xed\xa7\xcc\x50\xfd\xbe\x35\x54\xc6\xb3\x63\x9d\x7d\xa1\x16\x65\x1a\x17\x81\xb1\x77\xd1\x61\x9a\x29\x56\x00\xe5\xb1\x39\x88\x17\x1b\xad\x7e\x51\x57\x37\x34\x7a\xbc\x27\xd2\x81\xf9\x97\xf7\xbb\xbc\xc7\x53\x16\x4f\x29\x65\x5f\x37\x8f\xe3\x63\xe6\x3f\x7c\xd0\x79\xc1\xf0\xd3\x87\xc6\x71\xe7\x36\xc8\x0a\xb9\x02\x01\x34\x94\xbc\xb6\xc9\xf5\xeb\x0e\xd0\x82\x7e\xc0\x0c\xce\x91\x11\xc2\xaa\x70\x39\x22\x1b\xcb\xd8\x08\x0c\xf9\xe3\xfd\xe4\xef\x8c\x68\xda\xd4\xde\xfa\xcf\xed\x0f\x4e\x95\x95\xb8\x2a\x7b\x1a\x96\x65\x4b\xf4\x71\x55\xc2\xcf\x0d\x7a\x2e\x83\x89\x30\xc5\xdc\xe6\x25\x99\x0d\x0d\xe7\x2e\xd6\x47\x09\xf9\x56\x09\xa6\xf8\xc2\x24\x7e\x1c\xd3\x19\xc4\x20\x0b\x3e\xa4\xe1\x17\x5d\x84\x18\x35\xca\xd6\x51\x80\x51\xf3\xe8\xe5\x46\x5e\xdc\x3e\xa5\x6e\xf5\x94\xba\xed\xff\xdd\xf6\xff\x3a\xfe\xdf\xaf\x7a\x64\xa7\x5c\x65\xfe\xef\xad\xe5\x92\x1a\x56\x1a\xd2\xac\xbc\xe0\x29\xa4\xc1\x72\xd5\x35\x79\x97\xad\x44\x22\xd5\x5b\xc9\xab\xa6\x2a\x2e\x7a\xf7\xad\x7f\x80\x69\xf8\xf5\x51\xd9\x95\xa6\xd3\x95\x03\x4d\xf3\x5a\x72\x35\xd9\x7f\x8c\xb3\x94\xa7\x8b\x62\x99\x27\xfe\xdf\x78\xe8\x0c\x39\xe5\x5e\xba\xd3\xbf\x9d\xec\x66\xfd\xe8\x1e\x3e\xf0\xaf\x74\x62\xd6\xd7\xed\x46\x20\xa3\xe0\x75\x78\x3f\x85\x07\x2a\x39\x69\xff\x3f\x00\x00\xff\xff\x78\xfb\xb7\x2b\xa3\xf0\x34\x00") + +func kubernetesapiV1_21_2SwaggerPbBytes() ([]byte, error) { + return bindataRead( + _kubernetesapiV1_21_2SwaggerPb, + "kubernetesapi/v1_21_2/swagger.pb", + ) +} + +func kubernetesapiV1_21_2SwaggerPb() (*asset, error) { + bytes, err := kubernetesapiV1_21_2SwaggerPbBytes() + if err != nil { + return nil, err + } + + info := bindataFileInfo{name: "kubernetesapi/v1_21_2/swagger.pb", size: 3469475, mode: os.FileMode(420), modTime: time.Unix(1658180420, 0)} + a := &asset{bytes: bytes, info: info} + return a, nil +} + +// Asset loads and returns the asset for the given name. +// It returns an error if the asset could not be found or +// could not be loaded. +func Asset(name string) ([]byte, error) { + cannonicalName := strings.Replace(name, "\\", "/", -1) + if f, ok := _bindata[cannonicalName]; ok { + a, err := f() + if err != nil { + return nil, fmt.Errorf("Asset %s can't read by error: %v", name, err) + } + return a.bytes, nil + } + return nil, fmt.Errorf("Asset %s not found", name) +} + +// MustAsset is like Asset but panics when Asset would return an error. +// It simplifies safe initialization of global variables. +func MustAsset(name string) []byte { + a, err := Asset(name) + if err != nil { + panic("asset: Asset(" + name + "): " + err.Error()) + } + + return a +} + +// AssetInfo loads and returns the asset info for the given name. +// It returns an error if the asset could not be found or +// could not be loaded. +func AssetInfo(name string) (os.FileInfo, error) { + cannonicalName := strings.Replace(name, "\\", "/", -1) + if f, ok := _bindata[cannonicalName]; ok { + a, err := f() + if err != nil { + return nil, fmt.Errorf("AssetInfo %s can't read by error: %v", name, err) + } + return a.info, nil + } + return nil, fmt.Errorf("AssetInfo %s not found", name) +} + +// AssetNames returns the names of the assets. +func AssetNames() []string { + names := make([]string, 0, len(_bindata)) + for name := range _bindata { + names = append(names, name) + } + return names +} + +// _bindata is a table, holding each asset generator, mapped to its name. +var _bindata = map[string]func() (*asset, error){ + "kubernetesapi/v1_21_2/swagger.pb": kubernetesapiV1_21_2SwaggerPb, +} + +// AssetDir returns the file names below a certain +// directory embedded in the file by go-bindata. +// For example if you run go-bindata on data/... and data contains the +// following hierarchy: +// data/ +// foo.txt +// img/ +// a.png +// b.png +// then AssetDir("data") would return []string{"foo.txt", "img"} +// AssetDir("data/img") would return []string{"a.png", "b.png"} +// AssetDir("foo.txt") and AssetDir("notexist") would return an error +// AssetDir("") will return []string{"data"}. +func AssetDir(name string) ([]string, error) { + node := _bintree + if len(name) != 0 { + cannonicalName := strings.Replace(name, "\\", "/", -1) + pathList := strings.Split(cannonicalName, "/") + for _, p := range pathList { + node = node.Children[p] + if node == nil { + return nil, fmt.Errorf("Asset %s not found", name) + } + } + } + if node.Func != nil { + return nil, fmt.Errorf("Asset %s not found", name) + } + rv := make([]string, 0, len(node.Children)) + for childName := range node.Children { + rv = append(rv, childName) + } + return rv, nil +} + +type bintree struct { + Func func() (*asset, error) + Children map[string]*bintree +} + +var _bintree = &bintree{nil, map[string]*bintree{ + "kubernetesapi": &bintree{nil, map[string]*bintree{ + "v1_21_2": &bintree{nil, map[string]*bintree{ + "swagger.pb": &bintree{kubernetesapiV1_21_2SwaggerPb, map[string]*bintree{}}, + }}, + }}, +}} + +// RestoreAsset restores an asset under the given directory +func RestoreAsset(dir, name string) error { + data, err := Asset(name) + if err != nil { + return err + } + info, err := AssetInfo(name) + if err != nil { + return err + } + err = os.MkdirAll(_filePath(dir, filepath.Dir(name)), os.FileMode(0755)) + if err != nil { + return err + } + err = ioutil.WriteFile(_filePath(dir, name), data, info.Mode()) + if err != nil { + return err + } + err = os.Chtimes(_filePath(dir, name), info.ModTime(), info.ModTime()) + if err != nil { + return err + } + return nil +} + +// RestoreAssets restores an asset under the given directory recursively +func RestoreAssets(dir, name string) error { + children, err := AssetDir(name) + // File + if err != nil { + return RestoreAsset(dir, name) + } + // Dir + for _, child := range children { + err = RestoreAssets(dir, filepath.Join(name, child)) + if err != nil { + return err + } + } + return nil +} + +func _filePath(dir, name string) string { + cannonicalName := strings.Replace(name, "\\", "/", -1) + return filepath.Join(append([]string{dir}, strings.Split(cannonicalName, "/")...)...) +} diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/openapi/kubernetesapi/v1_21_2/swagger.pb b/vendor/sigs.k8s.io/kustomize/kyaml/openapi/kubernetesapi/v1_21_2/swagger.pb new file mode 100644 index 0000000000..910436fc58 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/kyaml/openapi/kubernetesapi/v1_21_2/swagger.pb @@ -0,0 +1,44195 @@ + +2.0 + +Kubernetesv1.21.2BÝè¢ð& +/api/v1/limitrangesØ&Ì +core_v1(list or watch objects of kind LimitRange*$listCoreV1LimitRangeForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*J] + +401 + + Unauthorized +B +200; +9 +OK3 +1 +/#/definitions/io.k8s.api.core.v1.LimitRangeListRhttpsj +x-kubernetes-actionlist +jL +x-kubernetes-group-version-kind)'kind: LimitRange +version: v1 +group: "" +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ³( +)/api/v1/watch/namespaces/{namespace}/pods…(— +core_v1owatch individual changes to a list of Pod. deprecated: use the 'watch' parameter with a list operation instead.*watchCoreV1NamespacedPodList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj# +x-kubernetes-action  +watchlist +jE +x-kubernetes-group-version-kind" group: "" +kind: Pod +version: v1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ñ( +@/apis/coordination.k8s.io/v1/watch/namespaces/{namespace}/leases¬(¾ +coordination_v1qwatch individual changes to a list of Lease. deprecated: use the 'watch' parameter with a list operation instead.*&watchCoordinationV1NamespacedLeaseList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj# +x-kubernetes-action  +watchlist +jX +x-kubernetes-group-version-kind53group: coordination.k8s.io +kind: Lease +version: v1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ÷\ +&/apis/storage.k8s.io/v1/storageclassesÌ\‘& + +storage_v1*list or watch objects of kind StorageClass*listStorageV1StorageClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Bï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer B± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean Jb +G +200@ +> +OK8 +6 +4#/definitions/io.k8s.api.storage.v1.StorageClassList + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionlist +jZ +x-kubernetes-group-version-kind75group: storage.k8s.io +kind: StorageClass +version: v1 +"‰ + +storage_v1create a StorageClass*createStorageV1StorageClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BF +D +Bbodybody *2 +0#/definitions/io.k8s.api.storage.v1.StorageClassBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string Jó +C +200< +: +OK4 +2 +0#/definitions/io.k8s.api.storage.v1.StorageClass +H +201A +? +Created4 +2 +0#/definitions/io.k8s.api.storage.v1.StorageClass +I +202B +@ +Accepted4 +2 +0#/definitions/io.k8s.api.storage.v1.StorageClass + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpost +jZ +x-kubernetes-group-version-kind75group: storage.k8s.io +kind: StorageClass +version: v1 +*Ø, + +storage_v1!delete collection of StorageClass*%deleteStorageV1CollectionStorageClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string Bž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer Jg +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsj* +x-kubernetes-actiondeletecollection +jZ +x-kubernetes-group-version-kind75group: storage.k8s.io +kind: StorageClass +version: v1 +JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Ê +/api/À½ +coreget available API versions*getCoreAPIVersions2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJl +Q +200J +H +OKB +@ +>#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIVersions + +401 + + UnauthorizedRhttps©[ + /api/v1/nodes—[Ü% +core_v1"list or watch objects of kind Node*listCoreV1Node2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Bï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer B± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean JW +< +2005 +3 +OK- ++ +)#/definitions/io.k8s.api.core.v1.NodeList + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionlist +jF +x-kubernetes-group-version-kind#!group: "" +kind: Node +version: v1 +"³ +core_v1 create a Node*createCoreV1Node2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B; +9 +7bodybody *' +%#/definitions/io.k8s.api.core.v1.NodeBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string JÒ +8 +2001 +/ +OK) +' +%#/definitions/io.k8s.api.core.v1.Node += +2016 +4 +Created) +' +%#/definitions/io.k8s.api.core.v1.Node +> +2027 +5 +Accepted) +' +%#/definitions/io.k8s.api.core.v1.Node + +401 + + UnauthorizedRhttpsjF +x-kubernetes-group-version-kind#!group: "" +kind: Node +version: v1 +j +x-kubernetes-actionpost +*®, +core_v1delete collection of Node*deleteCoreV1CollectionNode2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string Bž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer Jg +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsj* +x-kubernetes-actiondeletecollection +jF +x-kubernetes-group-version-kind#!group: "" +kind: Node +version: v1 +JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ü( +;/api/v1/watch/namespaces/{namespace}/replicationcontrollers¼(Î +core_v1watch individual changes to a list of ReplicationController. deprecated: use the 'watch' parameter with a list operation instead.*.watchCoreV1NamespacedReplicationControllerList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsjW +x-kubernetes-group-version-kind42group: "" +kind: ReplicationController +version: v1 +j# +x-kubernetes-action  +watchlist +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean Ô) +@/apis/batch/v1beta1/watch/namespaces/{namespace}/cronjobs/{name})ë + batch_v1beta1®watch changes to an object of kind CronJob. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*"watchBatchV1beta1NamespacedCronJob2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionwatch +jQ +x-kubernetes-group-version-kind.,group: batch +kind: CronJob +version: v1beta1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J4 +20".pathname of the CronJob"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean —] +//apis/apps/v1/namespaces/{namespace}/daemonsetsã\ü% +apps_v1'list or watch objects of kind DaemonSet*listAppsV1NamespacedDaemonSet2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Bï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer B± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean J\ +A +200: +8 +OK2 +0 +.#/definitions/io.k8s.api.apps.v1.DaemonSetList + +401 + + UnauthorizedRhttpsjM +x-kubernetes-group-version-kind*(version: v1 +group: apps +kind: DaemonSet +j +x-kubernetes-actionlist +"â +apps_v1create a DaemonSet*createAppsV1NamespacedDaemonSet2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B@ +> +<bodybody *, +*#/definitions/io.k8s.api.apps.v1.DaemonSetBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string Já +C +202< +: +Accepted. +, +*#/definitions/io.k8s.api.apps.v1.DaemonSet + +401 + + Unauthorized += +2006 +4 +OK. +, +*#/definitions/io.k8s.api.apps.v1.DaemonSet +B +201; +9 +Created. +, +*#/definitions/io.k8s.api.apps.v1.DaemonSetRhttpsj +x-kubernetes-actionpost +jM +x-kubernetes-group-version-kind*(version: v1 +group: apps +kind: DaemonSet +*É, +apps_v1delete collection of DaemonSet*)deleteAppsV1CollectionNamespacedDaemonSet2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string Bž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer Jg +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsj* +x-kubernetes-actiondeletecollection +jM +x-kubernetes-group-version-kind*(group: apps +kind: DaemonSet +version: v1 +J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ó +;/api/v1/namespaces/{namespace}/serviceaccounts/{name}/token³ "ˆ +core_v1 create token of a ServiceAccount*)createCoreV1NamespacedServiceAccountToken2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BM +K +Ibodybody *9 +7#/definitions/io.k8s.api.authentication.v1.TokenRequestJˆ +P +202I +G +Accepted; +9 +7#/definitions/io.k8s.api.authentication.v1.TokenRequest + +401 + + Unauthorized +J +200C +A +OK; +9 +7#/definitions/io.k8s.api.authentication.v1.TokenRequest +O +201H +F +Created; +9 +7#/definitions/io.k8s.api.authentication.v1.TokenRequestRhttpsja +x-kubernetes-group-version-kind> +< +:#/definitions/io.k8s.api.core.v1.ReplicationControllerList + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionlist +jW +x-kubernetes-group-version-kind42group: "" +kind: ReplicationController +version: v1 +"´ +core_v1create a ReplicationController*+createCoreV1NamespacedReplicationController2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BL +J +Hbodybody *8 +6#/definitions/io.k8s.api.core.v1.ReplicationControllerBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string J… +I +200B +@ +OK: +8 +6#/definitions/io.k8s.api.core.v1.ReplicationController +N +201G +E +Created: +8 +6#/definitions/io.k8s.api.core.v1.ReplicationController +O +202H +F +Accepted: +8 +6#/definitions/io.k8s.api.core.v1.ReplicationController + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpost +jW +x-kubernetes-group-version-kind42group: "" +kind: ReplicationController +version: v1 +*ë, +core_v1*delete collection of ReplicationController*5deleteCoreV1CollectionNamespacedReplicationController2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string Bž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer Jg +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsj* +x-kubernetes-actiondeletecollection +jW +x-kubernetes-group-version-kind42group: "" +kind: ReplicationController +version: v1 +J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string õ +?/apis/apps/v1/namespaces/{namespace}/statefulsets/{name}/status±û +apps_v1(read status of the specified StatefulSet*%readAppsV1NamespacedStatefulSetStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*JZ +? +2008 +6 +OK0 +. +,#/definitions/io.k8s.api.apps.v1.StatefulSet + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionget +jO +x-kubernetes-group-version-kind,*group: apps +kind: StatefulSet +version: v1 +Æ +apps_v1+replace status of the specified StatefulSet*(replaceAppsV1NamespacedStatefulSetStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BB +@ +>bodybody *. +,#/definitions/io.k8s.api.apps.v1.StatefulSetBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string J  +? +2008 +6 +OK0 +. +,#/definitions/io.k8s.api.apps.v1.StatefulSet +D +201= +; +Created0 +. +,#/definitions/io.k8s.api.apps.v1.StatefulSet + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionput +jO +x-kubernetes-group-version-kind,*group: apps +kind: StatefulSet +version: v1 +Bú +apps_v14partially update status of the specified StatefulSet*&patchAppsV1NamespacedStatefulSetStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean JZ +? +2008 +6 +OK0 +. +,#/definitions/io.k8s.api.apps.v1.StatefulSet + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpatch +jO +x-kubernetes-group-version-kind,*group: apps +kind: StatefulSet +version: v1 +J8 +64"2pathname of the StatefulSet"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ß +/apis/autoscaling/ÈÅ + autoscalingget information of a group*getAutoscalingAPIGroup2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJi +N +200G +E +OK? += +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIGroup + +401 + + UnauthorizedRhttpsâ +/api/v1/nodes/{name}/statusÂÓ +core_v1!read status of the specified Node*readCoreV1NodeStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*JS +8 +2001 +/ +OK) +' +%#/definitions/io.k8s.api.core.v1.Node + +401 + + UnauthorizedRhttpsjF +x-kubernetes-group-version-kind#!group: "" +kind: Node +version: v1 +j +x-kubernetes-actionget + +core_v1$replace status of the specified Node*replaceCoreV1NodeStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B; +9 +7bodybody *' +%#/definitions/io.k8s.api.core.v1.NodeBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string J’ +8 +2001 +/ +OK) +' +%#/definitions/io.k8s.api.core.v1.Node += +2016 +4 +Created) +' +%#/definitions/io.k8s.api.core.v1.Node + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionput +jF +x-kubernetes-group-version-kind#!kind: Node +version: v1 +group: "" +BÒ +core_v1-partially update status of the specified Node*patchCoreV1NodeStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean JS +8 +2001 +/ +OK) +' +%#/definitions/io.k8s.api.core.v1.Node + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpatch +jF +x-kubernetes-group-version-kind#!group: "" +kind: Node +version: v1 +J1 +/-"+pathname of the Node"name*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ä' +/apis/apps/v1/watch/deploymentsÀ'´ +apps_v1vwatch individual changes to a list of Deployment. deprecated: use the 'watch' parameter with a list operation instead.*)watchAppsV1DeploymentListForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsjN +x-kubernetes-group-version-kind+)version: v1 +group: apps +kind: Deployment +j# +x-kubernetes-action  +watchlist +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ‹^ +4/apis/rbac.authorization.k8s.io/v1beta1/clusterrolesÒ]½& +rbacAuthorization_v1beta1)list or watch objects of kind ClusterRole*'listRbacAuthorizationV1beta1ClusterRole2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Bï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer B± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean Jc +H +200A +? +OK9 +7 +5#/definitions/io.k8s.api.rbac.v1beta1.ClusterRoleList + +401 + + UnauthorizedRhttpsji +x-kubernetes-group-version-kindFDgroup: rbac.authorization.k8s.io +kind: ClusterRole +version: v1beta1 +j +x-kubernetes-actionlist +"¸ +rbacAuthorization_v1beta1create a ClusterRole*)createRbacAuthorizationV1beta1ClusterRole2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BG +E +Cbodybody *3 +1#/definitions/io.k8s.api.rbac.v1beta1.ClusterRoleBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string Jö +I +201B +@ +Created5 +3 +1#/definitions/io.k8s.api.rbac.v1beta1.ClusterRole +J +202C +A +Accepted5 +3 +1#/definitions/io.k8s.api.rbac.v1beta1.ClusterRole + +401 + + Unauthorized +D +200= +; +OK5 +3 +1#/definitions/io.k8s.api.rbac.v1beta1.ClusterRoleRhttpsj +x-kubernetes-actionpost +ji +x-kubernetes-group-version-kindFDkind: ClusterRole +version: v1beta1 +group: rbac.authorization.k8s.io +*ƒ- +rbacAuthorization_v1beta1 delete collection of ClusterRole*3deleteRbacAuthorizationV1beta1CollectionClusterRole2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string Bž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer Jg +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsj* +x-kubernetes-actiondeletecollection +ji +x-kubernetes-group-version-kindFDkind: ClusterRole +version: v1beta1 +group: rbac.authorization.k8s.io +JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ÷( +>/apis/apps/v1/watch/namespaces/{namespace}/controllerrevisions´(Æ +apps_v1~watch individual changes to a list of ControllerRevision. deprecated: use the 'watch' parameter with a list operation instead.*+watchAppsV1NamespacedControllerRevisionList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk + +401 + + Unauthorized +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEventRhttpsjV +x-kubernetes-group-version-kind31group: apps +kind: ControllerRevision +version: v1 +j# +x-kubernetes-action  +watchlist +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean …) +E/apis/coordination.k8s.io/v1beta1/watch/namespaces/{namespace}/leases»(Í +coordination_v1beta1qwatch individual changes to a list of Lease. deprecated: use the 'watch' parameter with a list operation instead.*+watchCoordinationV1beta1NamespacedLeaseList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj] +x-kubernetes-group-version-kind:8group: coordination.k8s.io +kind: Lease +version: v1beta1 +j# +x-kubernetes-action  +watchlist +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean –( +'/apis/storage.k8s.io/v1/csinodes/{name}ê'ä + +storage_v1read the specified CSINode*readStorageV1CSINode2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*JY +> +2007 +5 +OK/ +- ++#/definitions/io.k8s.api.storage.v1.CSINode + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionget +jU +x-kubernetes-group-version-kind20group: storage.k8s.io +kind: CSINode +version: v1 +­ + +storage_v1replace the specified CSINode*replaceStorageV1CSINode2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BA +? +=bodybody *- ++#/definitions/io.k8s.api.storage.v1.CSINodeBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string Jž +> +2007 +5 +OK/ +- ++#/definitions/io.k8s.api.storage.v1.CSINode +C +201< +: +Created/ +- ++#/definitions/io.k8s.api.storage.v1.CSINode + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionput +jU +x-kubernetes-group-version-kind20version: v1 +group: storage.k8s.io +kind: CSINode +*ã + +storage_v1delete a CSINode*deleteStorageV1CSINode2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string JŸ +> +2007 +5 +OK/ +- ++#/definitions/io.k8s.api.storage.v1.CSINode +D +202= +; +Accepted/ +- ++#/definitions/io.k8s.api.storage.v1.CSINode + +401 + + UnauthorizedRhttpsjU +x-kubernetes-group-version-kind20version: v1 +group: storage.k8s.io +kind: CSINode +j +x-kubernetes-action delete +Bã + +storage_v1&partially update the specified CSINode*patchStorageV1CSINode2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean JY +> +2007 +5 +OK/ +- ++#/definitions/io.k8s.api.storage.v1.CSINode + +401 + + UnauthorizedRhttpsjU +x-kubernetes-group-version-kind20group: storage.k8s.io +kind: CSINode +version: v1 +j +x-kubernetes-actionpatch +J4 +20".pathname of the CSINode"name*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ¥) +1/api/v1/namespaces/{namespace}/limitranges/{name}ï(å +core_v1read the specified LimitRange*readCoreV1NamespacedLimitRange2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*JY +> +2007 +5 +OK/ +- ++#/definitions/io.k8s.api.core.v1.LimitRange + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionget +jL +x-kubernetes-group-version-kind)'version: v1 +group: "" +kind: LimitRange +® +core_v1 replace the specified LimitRange*!replaceCoreV1NamespacedLimitRange2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BA +? +=bodybody *- ++#/definitions/io.k8s.api.core.v1.LimitRangeBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string Jž +> +2007 +5 +OK/ +- ++#/definitions/io.k8s.api.core.v1.LimitRange +C +201< +: +Created/ +- ++#/definitions/io.k8s.api.core.v1.LimitRange + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionput +jL +x-kubernetes-group-version-kind)'version: v1 +group: "" +kind: LimitRange +*€ +core_v1delete a LimitRange* deleteCoreV1NamespacedLimitRange2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string J» +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status +R +202K +I +Accepted= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsjL +x-kubernetes-group-version-kind)'group: "" +kind: LimitRange +version: v1 +j +x-kubernetes-action delete +Bä +core_v1)partially update the specified LimitRange*patchCoreV1NamespacedLimitRange2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean JY +> +2007 +5 +OK/ +- ++#/definitions/io.k8s.api.core.v1.LimitRange + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpatch +jL +x-kubernetes-group-version-kind)'group: "" +kind: LimitRange +version: v1 +J7 +53"1pathname of the LimitRange"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Â* +@/apis/extensions/v1beta1/namespaces/{namespace}/ingresses/{name}ý)‡ +extensions_v1beta1read the specified Ingress*&readExtensionsV1beta1NamespacedIngress2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Ja +F +200? += +OK7 +5 +3#/definitions/io.k8s.api.extensions.v1beta1.Ingress + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionget +jV +x-kubernetes-group-version-kind31group: extensions +kind: Ingress +version: v1beta1 +à +extensions_v1beta1replace the specified Ingress*)replaceExtensionsV1beta1NamespacedIngress2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BI +G +Ebodybody *5 +3#/definitions/io.k8s.api.extensions.v1beta1.IngressBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string J® +F +200? += +OK7 +5 +3#/definitions/io.k8s.api.extensions.v1beta1.Ingress +K +201D +B +Created7 +5 +3#/definitions/io.k8s.api.extensions.v1beta1.Ingress + +401 + + UnauthorizedRhttpsjV +x-kubernetes-group-version-kind31group: extensions +kind: Ingress +version: v1beta1 +j +x-kubernetes-actionput +*› +extensions_v1beta1delete an Ingress*(deleteExtensionsV1beta1NamespacedIngress2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string J» +R +202K +I +Accepted= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + Unauthorized +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.StatusRhttpsj +x-kubernetes-action delete +jV +x-kubernetes-group-version-kind31kind: Ingress +version: v1beta1 +group: extensions +B† +extensions_v1beta1&partially update the specified Ingress*'patchExtensionsV1beta1NamespacedIngress2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean Ja +F +200? += +OK7 +5 +3#/definitions/io.k8s.api.extensions.v1beta1.Ingress + +401 + + UnauthorizedRhttpsjV +x-kubernetes-group-version-kind31group: extensions +kind: Ingress +version: v1beta1 +j +x-kubernetes-actionpatch +J4 +20".pathname of the Ingress"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ƒ) +A/apis/policy/v1/watch/namespaces/{namespace}/poddisruptionbudgets½(Ï + policy_v1watch individual changes to a list of PodDisruptionBudget. deprecated: use the 'watch' parameter with a list operation instead.*.watchPolicyV1NamespacedPodDisruptionBudgetList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsjY +x-kubernetes-group-version-kind64group: policy +kind: PodDisruptionBudget +version: v1 +j# +x-kubernetes-action  +watchlist +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ×' +/api/v1/watch/endpoints»'¯ +core_v1uwatch individual changes to a list of Endpoints. deprecated: use the 'watch' parameter with a list operation instead.*(watchCoreV1EndpointsListForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsjK +x-kubernetes-group-version-kind(&group: "" +kind: Endpoints +version: v1 +j# +x-kubernetes-action  +watchlist +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ß + +0/apis/authentication.k8s.io/v1beta1/tokenreviewsª +"œ +authentication_v1beta1create a TokenReview*&createAuthenticationV1beta1TokenReview2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BQ +O +Mbodybody *= +;#/definitions/io.k8s.api.authentication.v1beta1.TokenReviewJ” +N +200G +E +OK? += +;#/definitions/io.k8s.api.authentication.v1beta1.TokenReview +S +201L +J +Created? += +;#/definitions/io.k8s.api.authentication.v1beta1.TokenReview +T +202M +K +Accepted? += +;#/definitions/io.k8s.api.authentication.v1beta1.TokenReview + +401 + + UnauthorizedRhttpsje +x-kubernetes-group-version-kindB@group: authentication.k8s.io +kind: TokenReview +version: v1beta1 +j +x-kubernetes-actionpost +Jž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string J– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string JO +MKIquery-If 'true', then the output is pretty printed."pretty2string á] +9/apis/events.k8s.io/v1beta1/namespaces/{namespace}/events£]& +events_v1beta1#list or watch objects of kind Event* listEventsV1beta1NamespacedEvent2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Bï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer B± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean J_ +D +200= +; +OK5 +3 +1#/definitions/io.k8s.api.events.v1beta1.EventList + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionlist +jW +x-kubernetes-group-version-kind42group: events.k8s.io +kind: Event +version: v1beta1 +"ÿ +events_v1beta1create an Event*"createEventsV1beta1NamespacedEvent2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BC +A +?bodybody */ +-#/definitions/io.k8s.api.events.v1beta1.EventBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string Jê + +401 + + Unauthorized +@ +2009 +7 +OK1 +/ +-#/definitions/io.k8s.api.events.v1beta1.Event +E +201> +< +Created1 +/ +-#/definitions/io.k8s.api.events.v1beta1.Event +F +202? += +Accepted1 +/ +-#/definitions/io.k8s.api.events.v1beta1.EventRhttpsj +x-kubernetes-actionpost +jW +x-kubernetes-group-version-kind42group: events.k8s.io +kind: Event +version: v1beta1 +*Ù, +events_v1beta1delete collection of Event*,deleteEventsV1beta1CollectionNamespacedEvent2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string Bž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer Jg +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsjW +x-kubernetes-group-version-kind42group: events.k8s.io +kind: Event +version: v1beta1 +j* +x-kubernetes-actiondeletecollection +J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ¬) +C/apis/flowcontrol.apiserver.k8s.io/v1beta1/watch/flowschemas/{name}ä(Ÿ +flowcontrolApiserver_v1beta1±watch changes to an object of kind FlowSchema. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.**watchFlowcontrolApiserverV1beta1FlowSchema2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionwatch +jk +x-kubernetes-group-version-kindHFkind: FlowSchema +version: v1beta1 +group: flowcontrol.apiserver.k8s.io +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J7 +53"1pathname of the FlowSchema"name*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean Ë( +//api/v1/watch/namespaces/{namespace}/configmaps—(© +core_v1uwatch individual changes to a list of ConfigMap. deprecated: use the 'watch' parameter with a list operation instead.*"watchCoreV1NamespacedConfigMapList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj# +x-kubernetes-action  +watchlist +jK +x-kubernetes-group-version-kind(&version: v1 +group: "" +kind: ConfigMap +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean À) +D/apis/apiextensions.k8s.io/v1/watch/customresourcedefinitions/{name}÷(¤ +apiextensions_v1¿watch changes to an object of kind CustomResourceDefinition. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*,watchApiextensionsV1CustomResourceDefinition2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsjl +x-kubernetes-group-version-kindIGgroup: apiextensions.k8s.io +kind: CustomResourceDefinition +version: v1 +j +x-kubernetes-actionwatch +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JE +CA"?path$name of the CustomResourceDefinition"name*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean Ð) +>/apis/apps/v1/watch/namespaces/{namespace}/statefulsets/{name})å +apps_v1²watch changes to an object of kind StatefulSet. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.* watchAppsV1NamespacedStatefulSet2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsjO +x-kubernetes-group-version-kind,*group: apps +kind: StatefulSet +version: v1 +j +x-kubernetes-actionwatch +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J8 +64"2pathname of the StatefulSet"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean Ú +/apis/storage.k8s.io/À½ +storageget information of a group*getStorageAPIGroup2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJi + +401 + + Unauthorized +N +200G +E +OK? += +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIGroupRhttps•' +#/apis/coordination.k8s.io/v1/leasesí&á +coordination_v1#list or watch objects of kind Lease*'listCoordinationV1LeaseForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*J` +E +200> +< +OK6 +4 +2#/definitions/io.k8s.api.coordination.v1.LeaseList + +401 + + UnauthorizedRhttpsjX +x-kubernetes-group-version-kind53group: coordination.k8s.io +kind: Lease +version: v1 +j +x-kubernetes-actionlist +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean «\ + /apis/storage.k8s.io/v1/csinodes†\ý% + +storage_v1%list or watch objects of kind CSINode*listStorageV1CSINode2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Bï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer B± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean J] +B +200; +9 +OK3 +1 +/#/definitions/io.k8s.api.storage.v1.CSINodeList + +401 + + UnauthorizedRhttpsjU +x-kubernetes-group-version-kind20kind: CSINode +version: v1 +group: storage.k8s.io +j +x-kubernetes-actionlist +"æ + +storage_v1create a CSINode*createStorageV1CSINode2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BA +? +=bodybody *- ++#/definitions/io.k8s.api.storage.v1.CSINodeBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string Jä +> +2007 +5 +OK/ +- ++#/definitions/io.k8s.api.storage.v1.CSINode +C +201< +: +Created/ +- ++#/definitions/io.k8s.api.storage.v1.CSINode +D +202= +; +Accepted/ +- ++#/definitions/io.k8s.api.storage.v1.CSINode + +401 + + UnauthorizedRhttpsjU +x-kubernetes-group-version-kind20group: storage.k8s.io +kind: CSINode +version: v1 +j +x-kubernetes-actionpost +*É, + +storage_v1delete collection of CSINode* deleteStorageV1CollectionCSINode2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string Bž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer Jg +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsjU +x-kubernetes-group-version-kind20version: v1 +group: storage.k8s.io +kind: CSINode +j* +x-kubernetes-actiondeletecollection +JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ñ& +/api/v1/componentstatusesÓ&Ç +core_v1$list objects of kind ComponentStatus*listCoreV1ComponentStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jb +G +200@ +> +OK8 +6 +4#/definitions/io.k8s.api.core.v1.ComponentStatusList + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionlist +jQ +x-kubernetes-group-version-kind.,version: v1 +group: "" +kind: ComponentStatus +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ä' +/apis/apps/v1/watch/replicasetsÀ'´ +apps_v1vwatch individual changes to a list of ReplicaSet. deprecated: use the 'watch' parameter with a list operation instead.*)watchAppsV1ReplicaSetListForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsjN +x-kubernetes-group-version-kind+)group: apps +kind: ReplicaSet +version: v1 +j# +x-kubernetes-action  +watchlist +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean Ä +group: scheduling.k8s.io +kind: PriorityClass +version: v1beta1 +j# +x-kubernetes-action  +watchlist +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean * +N/apis/networking.k8s.io/v1/watch/namespaces/{namespace}/networkpolicies/{name}®)„ + networking_v1´watch changes to an object of kind NetworkPolicy. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*(watchNetworkingV1NamespacedNetworkPolicy2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionwatch +j^ +x-kubernetes-group-version-kind;9group: networking.k8s.io +kind: NetworkPolicy +version: v1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J: +86"4pathname of the NetworkPolicy"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean Ð\ +%/api/v1/namespaces/{namespace}/events¦\ê% +core_v1#list or watch objects of kind Event*listCoreV1NamespacedEvent2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Bï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer B± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean JX += +2006 +4 +OK. +, +*#/definitions/io.k8s.api.core.v1.EventList + +401 + + UnauthorizedRhttpsjG +x-kubernetes-group-version-kind$"group: "" +kind: Event +version: v1 +j +x-kubernetes-actionlist +"Å +core_v1create an Event*createCoreV1NamespacedEvent2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B< +: +8bodybody *( +&#/definitions/io.k8s.api.core.v1.EventBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string JÕ +9 +2002 +0 +OK* +( +&#/definitions/io.k8s.api.core.v1.Event +> +2017 +5 +Created* +( +&#/definitions/io.k8s.api.core.v1.Event +? +2028 +6 +Accepted* +( +&#/definitions/io.k8s.api.core.v1.Event + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpost +jG +x-kubernetes-group-version-kind$"group: "" +kind: Event +version: v1 +*», +core_v1delete collection of Event*%deleteCoreV1CollectionNamespacedEvent2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string Bž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer Jg + +401 + + Unauthorized +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.StatusRhttpsj* +x-kubernetes-actiondeletecollection +jG +x-kubernetes-group-version-kind$"group: "" +kind: Event +version: v1 +J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string á +//api/v1/namespaces/{namespace}/pods/{name}/exec­  +core_v1#connect GET requests to exec of Pod*!connectCoreV1GetNamespacedPodExec2*/*:*/*J7 + +200 + +OK + ² +string + +401 + + UnauthorizedRhttpsj! +x-kubernetes-action +connect +jP +x-kubernetes-group-version-kind-+group: "" +kind: PodExecOptions +version: v1 +"’ +core_v1$connect POST requests to exec of Pod*"connectCoreV1PostNamespacedPodExec2*/*:*/*J7 + +200 + +OK + ² +string + +401 + + UnauthorizedRhttpsjP +x-kubernetes-group-version-kind-+group: "" +kind: PodExecOptions +version: v1 +j! +x-kubernetes-action +connect +Ju +sqoqueryRCommand is the remote command to execute. argv array. Not executed within a shell."command2string J˜ +•’querypContainer in which to execute the command. Defaults to only container if there is only one container in the pod." container2string J; +97"5pathname of the PodExecOptions"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜Jq +omkqueryNRedirect the standard error stream of the pod for this call. Defaults to true."stderr2boolean Jq +omkqueryORedirect the standard input stream of the pod for this call. Defaults to false."stdin2boolean Jr +pnlqueryORedirect the standard output stream of the pod for this call. Defaults to true."stdout2boolean Jx +vtrqueryXTTY if true indicates that a tty will be allocated for the exec call. Defaults to false."tty2boolean ¨, +K/apis/autoscaling/v1/namespaces/{namespace}/horizontalpodautoscalers/{name}Ø+· +autoscaling_v1*read the specified HorizontalPodAutoscaler*2readAutoscalingV1NamespacedHorizontalPodAutoscaler2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Jm +R +200K +I +OKC +A +?#/definitions/io.k8s.api.autoscaling.v1.HorizontalPodAutoscaler + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionget +jb +x-kubernetes-group-version-kind?=group: autoscaling +kind: HorizontalPodAutoscaler +version: v1 +¨ +autoscaling_v1-replace the specified HorizontalPodAutoscaler*5replaceAutoscalingV1NamespacedHorizontalPodAutoscaler2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BU +S +Qbodybody *A +?#/definitions/io.k8s.api.autoscaling.v1.HorizontalPodAutoscalerBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string JÆ +W +201P +N +CreatedC +A +?#/definitions/io.k8s.api.autoscaling.v1.HorizontalPodAutoscaler + +401 + + Unauthorized +R +200K +I +OKC +A +?#/definitions/io.k8s.api.autoscaling.v1.HorizontalPodAutoscalerRhttpsj +x-kubernetes-actionput +jb +x-kubernetes-group-version-kind?=group: autoscaling +kind: HorizontalPodAutoscaler +version: v1 +*¾ +autoscaling_v1 delete a HorizontalPodAutoscaler*4deleteAutoscalingV1NamespacedHorizontalPodAutoscaler2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string J» +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status +R +202K +I +Accepted= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsj +x-kubernetes-action delete +jb +x-kubernetes-group-version-kind?=group: autoscaling +kind: HorizontalPodAutoscaler +version: v1 +B¶ +autoscaling_v16partially update the specified HorizontalPodAutoscaler*3patchAutoscalingV1NamespacedHorizontalPodAutoscaler2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean Jm +R +200K +I +OKC +A +?#/definitions/io.k8s.api.autoscaling.v1.HorizontalPodAutoscaler + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpatch +jb +x-kubernetes-group-version-kind?=group: autoscaling +kind: HorizontalPodAutoscaler +version: v1 +JD +B@">path#name of the HorizontalPodAutoscaler"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Ú& +/apis/batch/v1/jobsÂ&¶ +batch_v1!list or watch objects of kind Job*listBatchV1JobForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*JW +< +2005 +3 +OK- ++ +)#/definitions/io.k8s.api.batch.v1.JobList + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionlist +jH +x-kubernetes-group-version-kind%#group: batch +kind: Job +version: v1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ü( +;/api/v1/watch/namespaces/{namespace}/persistentvolumeclaims¼(Î +core_v1watch individual changes to a list of PersistentVolumeClaim. deprecated: use the 'watch' parameter with a list operation instead.*.watchCoreV1NamespacedPersistentVolumeClaimList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsjW +x-kubernetes-group-version-kind42version: v1 +group: "" +kind: PersistentVolumeClaim +j# +x-kubernetes-action  +watchlist +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean Î- +C/apis/apiextensions.k8s.io/v1beta1/customresourcedefinitions/{name}†-ò +apiextensions_v1beta1+read the specified CustomResourceDefinition*0readApiextensionsV1beta1CustomResourceDefinition2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*J’ + +401 + + Unauthorized +w +200p +n +OKh +f +d#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceDefinitionRhttpsj +x-kubernetes-actionget +jq +x-kubernetes-group-version-kindNLgroup: apiextensions.k8s.io +kind: CustomResourceDefinition +version: v1beta1 +¬ + +apiextensions_v1beta1.replace the specified CustomResourceDefinition*3replaceApiextensionsV1beta1CustomResourceDefinition2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Bz +x +vbodybody *f +d#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceDefinitionBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string J + +401 + + Unauthorized +w +200p +n +OKh +f +d#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceDefinition +| +201u +s +Createdh +f +d#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceDefinitionRhttpsj +x-kubernetes-actionput +jq +x-kubernetes-group-version-kindNLgroup: apiextensions.k8s.io +kind: CustomResourceDefinition +version: v1beta1 +*Ó +apiextensions_v1beta1!delete a CustomResourceDefinition*2deleteApiextensionsV1beta1CustomResourceDefinition2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string J» +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status +R +202K +I +Accepted= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsj +x-kubernetes-action delete +jq +x-kubernetes-group-version-kindNLgroup: apiextensions.k8s.io +kind: CustomResourceDefinition +version: v1beta1 +Bñ +apiextensions_v1beta17partially update the specified CustomResourceDefinition*1patchApiextensionsV1beta1CustomResourceDefinition2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean J’ +w +200p +n +OKh +f +d#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceDefinition + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpatch +jq +x-kubernetes-group-version-kindNLgroup: apiextensions.k8s.io +kind: CustomResourceDefinition +version: v1beta1 +JE +CA"?path$name of the CustomResourceDefinition"name*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ‚ +#/apis/flowcontrol.apiserver.k8s.io/Ú× +flowcontrolApiserverget information of a group*getFlowcontrolApiserverAPIGroup2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJi +N +200G +E +OK? += +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIGroup + +401 + + UnauthorizedRhttpsõ& +/api/v1/podtemplatesÜ&Ð +core_v1)list or watch objects of kind PodTemplate*%listCoreV1PodTemplateForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*J^ +C +200< +: +OK4 +2 +0#/definitions/io.k8s.api.core.v1.PodTemplateList + +401 + + UnauthorizedRhttpsjM +x-kubernetes-group-version-kind*(group: "" +kind: PodTemplate +version: v1 +j +x-kubernetes-actionlist +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ¾) +6/api/v1/watch/namespaces/{namespace}/configmaps/{name}ƒ)Ý +core_v1°watch changes to an object of kind ConfigMap. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*watchCoreV1NamespacedConfigMap2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsjK +x-kubernetes-group-version-kind(&group: "" +kind: ConfigMap +version: v1 +j +x-kubernetes-actionwatch +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J6 +42"0pathname of the ConfigMap"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ï( +I/apis/admissionregistration.k8s.io/v1/watch/mutatingwebhookconfigurations¡(• +admissionregistration_v1ˆwatch individual changes to a list of MutatingWebhookConfiguration. deprecated: use the 'watch' parameter with a list operation instead.*createAdmissionregistrationV1beta1MutatingWebhookConfiguration2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Bi +g +ebodybody *U +S#/definitions/io.k8s.api.admissionregistration.v1beta1.MutatingWebhookConfigurationBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string JÜ + +401 + + Unauthorized +f +200_ +] +OKW +U +S#/definitions/io.k8s.api.admissionregistration.v1beta1.MutatingWebhookConfiguration +k +201d +b +CreatedW +U +S#/definitions/io.k8s.api.admissionregistration.v1beta1.MutatingWebhookConfiguration +l +202e +c +AcceptedW +U +S#/definitions/io.k8s.api.admissionregistration.v1beta1.MutatingWebhookConfigurationRhttpsj +x-kubernetes-actionpost +j} +x-kubernetes-group-version-kindZXgroup: admissionregistration.k8s.io +kind: MutatingWebhookConfiguration +version: v1beta1 +*Á- +admissionregistration_v1beta11delete collection of MutatingWebhookConfiguration*HdeleteAdmissionregistrationV1beta1CollectionMutatingWebhookConfiguration2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string Bž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer Jg +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsj* +x-kubernetes-actiondeletecollection +j} +x-kubernetes-group-version-kindZXgroup: admissionregistration.k8s.io +kind: MutatingWebhookConfiguration +version: v1beta1 +JO +MKIquery-If 'true', then the output is pretty printed."pretty2string È' +/api/v1/watch/events¯'£ +core_v1qwatch individual changes to a list of Event. deprecated: use the 'watch' parameter with a list operation instead.*$watchCoreV1EventListForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj# +x-kubernetes-action  +watchlist +jG +x-kubernetes-group-version-kind$"group: "" +kind: Event +version: v1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean Ï_ + +<bodybody *, +*#/definitions/io.k8s.api.rbac.v1beta1.RoleBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string Já +C +202< +: +Accepted. +, +*#/definitions/io.k8s.api.rbac.v1beta1.Role + +401 + + Unauthorized += +2006 +4 +OK. +, +*#/definitions/io.k8s.api.rbac.v1beta1.Role +B +201; +9 +Created. +, +*#/definitions/io.k8s.api.rbac.v1beta1.RoleRhttpsj +x-kubernetes-actionpost +jb +x-kubernetes-group-version-kind?=group: rbac.authorization.k8s.io +kind: Role +version: v1beta1 +*ø, +rbacAuthorization_v1beta1delete collection of Role*6deleteRbacAuthorizationV1beta1CollectionNamespacedRole2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string Bž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer Jg + +401 + + Unauthorized +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.StatusRhttpsj* +x-kubernetes-actiondeletecollection +jb +x-kubernetes-group-version-kind?=group: rbac.authorization.k8s.io +kind: Role +version: v1beta1 +J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Ž( +1/apis/apiregistration.k8s.io/v1/watch/apiservicesØ'Ì +apiregistration_v1vwatch individual changes to a list of APIService. deprecated: use the 'watch' parameter with a list operation instead.*$watchApiregistrationV1APIServiceList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj# +x-kubernetes-action  +watchlist +j` +x-kubernetes-group-version-kind=;kind: APIService +group: apiregistration.k8s.io +version: v1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean þ' +)/apis/coordination.k8s.io/v1/watch/leasesÐ'Ä +coordination_v1qwatch individual changes to a list of Lease. deprecated: use the 'watch' parameter with a list operation instead.*,watchCoordinationV1LeaseListForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsjX +x-kubernetes-group-version-kind53group: coordination.k8s.io +kind: Lease +version: v1 +j# +x-kubernetes-action  +watchlist +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ü +/apis/authorization.k8s.io/v1/ÙÖ +authorization_v1get available resources*getAuthorizationV1APIResources2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJp +U +200N +L +OKF +D +B#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList + +401 + + UnauthorizedRhttpsù( +L/apis/flowcontrol.apiserver.k8s.io/v1beta1/watch/prioritylevelconfigurations¨(œ +flowcontrolApiserver_v1beta1†watch individual changes to a list of PriorityLevelConfiguration. deprecated: use the 'watch' parameter with a list operation instead.*>watchFlowcontrolApiserverV1beta1PriorityLevelConfigurationList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk + +401 + + Unauthorized +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEventRhttpsj{ +x-kubernetes-group-version-kindXVkind: PriorityLevelConfiguration +version: v1beta1 +group: flowcontrol.apiserver.k8s.io +j# +x-kubernetes-action  +watchlist +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean —) +F/apis/policy/v1beta1/watch/namespaces/{namespace}/poddisruptionbudgetsÌ(Þ +policy_v1beta1watch individual changes to a list of PodDisruptionBudget. deprecated: use the 'watch' parameter with a list operation instead.*3watchPolicyV1beta1NamespacedPodDisruptionBudgetList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj# +x-kubernetes-action  +watchlist +j^ +x-kubernetes-group-version-kind;9group: policy +kind: PodDisruptionBudget +version: v1beta1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ’) +0/api/v1/namespaces/{namespace}/configmaps/{name}Ý(á +core_v1read the specified ConfigMap*readCoreV1NamespacedConfigMap2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*JX += +2006 +4 +OK. +, +*#/definitions/io.k8s.api.core.v1.ConfigMap + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionget +jK +x-kubernetes-group-version-kind(&group: "" +kind: ConfigMap +version: v1 +¨ +core_v1replace the specified ConfigMap* replaceCoreV1NamespacedConfigMap2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B@ +> +<bodybody *, +*#/definitions/io.k8s.api.core.v1.ConfigMapBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string Jœ += +2006 +4 +OK. +, +*#/definitions/io.k8s.api.core.v1.ConfigMap +B +201; +9 +Created. +, +*#/definitions/io.k8s.api.core.v1.ConfigMap + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionput +jK +x-kubernetes-group-version-kind(&group: "" +kind: ConfigMap +version: v1 +*ý +core_v1delete a ConfigMap*deleteCoreV1NamespacedConfigMap2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string J» + +401 + + Unauthorized +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status +R +202K +I +Accepted= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.StatusRhttpsj +x-kubernetes-action delete +jK +x-kubernetes-group-version-kind(&version: v1 +group: "" +kind: ConfigMap +Bà +core_v1(partially update the specified ConfigMap*patchCoreV1NamespacedConfigMap2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean JX += +2006 +4 +OK. +, +*#/definitions/io.k8s.api.core.v1.ConfigMap + +401 + + UnauthorizedRhttpsjK +x-kubernetes-group-version-kind(&group: "" +kind: ConfigMap +version: v1 +j +x-kubernetes-actionpatch +J6 +42"0pathname of the ConfigMap"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Ž +6/api/v1/namespaces/{namespace}/pods/{name}/portforwardÓ¥ +core_v1*connect GET requests to portforward of Pod*(connectCoreV1GetNamespacedPodPortforward2*/*:*/*J7 + +200 + +OK + ² +string + +401 + + UnauthorizedRhttpsjW +x-kubernetes-group-version-kind42group: "" +kind: PodPortForwardOptions +version: v1 +j! +x-kubernetes-action +connect +"§ +core_v1+connect POST requests to portforward of Pod*)connectCoreV1PostNamespacedPodPortforward2*/*:*/*J7 + +401 + + Unauthorized + +200 + +OK + ² +stringRhttpsjW +x-kubernetes-group-version-kind42group: "" +kind: PodPortForwardOptions +version: v1 +j! +x-kubernetes-action +connect +JB +@>"<path!name of the PodPortForwardOptions"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JY +WUSquery7List of ports to forward Required when using WebSockets"ports2integer ° +B/api/v1/namespaces/{namespace}/replicationcontrollers/{name}/scaleé +core_v11read scale of the specified ReplicationController*.readCoreV1NamespacedReplicationControllerScale2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*J[ +@ +2009 +7 +OK1 +/ +-#/definitions/io.k8s.api.autoscaling.v1.Scale + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionget +jP +x-kubernetes-group-version-kind-+group: autoscaling +kind: Scale +version: v1 +Ü +core_v14replace scale of the specified ReplicationController*1replaceCoreV1NamespacedReplicationControllerScale2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BC +A +?bodybody */ +-#/definitions/io.k8s.api.autoscaling.v1.ScaleBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string J¢ +@ +2009 +7 +OK1 +/ +-#/definitions/io.k8s.api.autoscaling.v1.Scale +E +201> +< +Created1 +/ +-#/definitions/io.k8s.api.autoscaling.v1.Scale + +401 + + UnauthorizedRhttpsjP +x-kubernetes-group-version-kind-+group: autoscaling +kind: Scale +version: v1 +j +x-kubernetes-actionput +BŽ +core_v1=partially update scale of the specified ReplicationController*/patchCoreV1NamespacedReplicationControllerScale2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean J[ +@ +2009 +7 +OK1 +/ +-#/definitions/io.k8s.api.autoscaling.v1.Scale + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpatch +jP +x-kubernetes-group-version-kind-+group: autoscaling +kind: Scale +version: v1 +J2 +0.",pathname of the Scale"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Ï( +0/api/v1/watch/namespaces/{namespace}/limitrangesš(¬ +core_v1vwatch individual changes to a list of LimitRange. deprecated: use the 'watch' parameter with a list operation instead.*#watchCoreV1NamespacedLimitRangeList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj# +x-kubernetes-action  +watchlist +jL +x-kubernetes-group-version-kind)'kind: LimitRange +version: v1 +group: "" +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean Ó( +-/apis/storage.k8s.io/v1/watch/csinodes/{name}¡(ß + +storage_v1®watch changes to an object of kind CSINode. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*watchStorageV1CSINode2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionwatch +jU +x-kubernetes-group-version-kind20group: storage.k8s.io +kind: CSINode +version: v1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J4 +20".pathname of the CSINode"name*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean Ì' +/api/v1/watch/secrets²'¦ +core_v1rwatch individual changes to a list of Secret. deprecated: use the 'watch' parameter with a list operation instead.*%watchCoreV1SecretListForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk + +401 + + Unauthorized +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEventRhttpsj# +x-kubernetes-action  +watchlist +jH +x-kubernetes-group-version-kind%#group: "" +kind: Secret +version: v1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ¹` +C/apis/admissionregistration.k8s.io/v1/mutatingwebhookconfigurationsñ_Š' +admissionregistration_v1:list or watch objects of kind MutatingWebhookConfiguration*7listAdmissionregistrationV1MutatingWebhookConfiguration2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Bï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer B± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean J€ +e +200^ +\ +OKV +T +R#/definitions/io.k8s.api.admissionregistration.v1.MutatingWebhookConfigurationList + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionlist +jx +x-kubernetes-group-version-kindUSversion: v1 +group: admissionregistration.k8s.io +kind: MutatingWebhookConfiguration +"Û + +admissionregistration_v1%create a MutatingWebhookConfiguration*9createAdmissionregistrationV1MutatingWebhookConfiguration2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Bd +b +`bodybody *P +N#/definitions/io.k8s.api.admissionregistration.v1.MutatingWebhookConfigurationBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string JÍ +a +200Z +X +OKR +P +N#/definitions/io.k8s.api.admissionregistration.v1.MutatingWebhookConfiguration +f +201_ +] +CreatedR +P +N#/definitions/io.k8s.api.admissionregistration.v1.MutatingWebhookConfiguration +g +202` +^ +AcceptedR +P +N#/definitions/io.k8s.api.admissionregistration.v1.MutatingWebhookConfiguration + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpost +jx +x-kubernetes-group-version-kindUSgroup: admissionregistration.k8s.io +kind: MutatingWebhookConfiguration +version: v1 +*²- +admissionregistration_v11delete collection of MutatingWebhookConfiguration*CdeleteAdmissionregistrationV1CollectionMutatingWebhookConfiguration2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string Bž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer Jg +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsj* +x-kubernetes-actiondeletecollection +jx +x-kubernetes-group-version-kindUSgroup: admissionregistration.k8s.io +kind: MutatingWebhookConfiguration +version: v1 +JO +MKIquery-If 'true', then the output is pretty printed."pretty2string –` +7/apis/apiextensions.k8s.io/v1/customresourcedefinitionsÚ_÷& +apiextensions_v16list or watch objects of kind CustomResourceDefinition*+listApiextensionsV1CustomResourceDefinition2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Bï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer B± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean J‘ +v +200o +m +OKg +e +c#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionList + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionlist +jl +x-kubernetes-group-version-kindIGkind: CustomResourceDefinition +version: v1 +group: apiextensions.k8s.io +"û + +apiextensions_v1!create a CustomResourceDefinition*-createApiextensionsV1CustomResourceDefinition2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Bu +s +qbodybody *a +_#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string J€ +r +200k +i +OKc +a +_#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinition +w +201p +n +Createdc +a +_#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinition +x +202q +o +Acceptedc +a +_#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinition + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpost +jl +x-kubernetes-group-version-kindIGgroup: apiextensions.k8s.io +kind: CustomResourceDefinition +version: v1 +*Ž- +apiextensions_v1-delete collection of CustomResourceDefinition*7deleteApiextensionsV1CollectionCustomResourceDefinition2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string Bž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer Jg +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsj* +x-kubernetes-actiondeletecollection +jl +x-kubernetes-group-version-kindIGgroup: apiextensions.k8s.io +kind: CustomResourceDefinition +version: v1 +JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ô, +>/apis/apiextensions.k8s.io/v1/customresourcedefinitions/{name}±,Þ +apiextensions_v1+read the specified CustomResourceDefinition*+readApiextensionsV1CustomResourceDefinition2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*J + +401 + + Unauthorized +r +200k +i +OKc +a +_#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionRhttpsj +x-kubernetes-actionget +jl +x-kubernetes-group-version-kindIGgroup: apiextensions.k8s.io +kind: CustomResourceDefinition +version: v1 +Ž + +apiextensions_v1.replace the specified CustomResourceDefinition*.replaceApiextensionsV1CustomResourceDefinition2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Bu +s +qbodybody *a +_#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string J† +r +200k +i +OKc +a +_#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinition +w +201p +n +Createdc +a +_#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinition + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionput +jl +x-kubernetes-group-version-kindIGversion: v1 +group: apiextensions.k8s.io +kind: CustomResourceDefinition +*Ä +apiextensions_v1!delete a CustomResourceDefinition*-deleteApiextensionsV1CustomResourceDefinition2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string J» +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status +R +202K +I +Accepted= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsj +x-kubernetes-action delete +jl +x-kubernetes-group-version-kindIGgroup: apiextensions.k8s.io +kind: CustomResourceDefinition +version: v1 +BÝ +apiextensions_v17partially update the specified CustomResourceDefinition*,patchApiextensionsV1CustomResourceDefinition2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean J +r +200k +i +OKc +a +_#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinition + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpatch +jl +x-kubernetes-group-version-kindIGgroup: apiextensions.k8s.io +kind: CustomResourceDefinition +version: v1 +JE +CA"?path$name of the CustomResourceDefinition"name*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string É) +0/apis/networking.k8s.io/v1/ingressclasses/{name}”)„ + networking_v1read the specified IngressClass*readNetworkingV1IngressClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Ja +F +200? += +OK7 +5 +3#/definitions/io.k8s.api.networking.v1.IngressClass + +401 + + UnauthorizedRhttpsj] +x-kubernetes-group-version-kind:8group: networking.k8s.io +kind: IngressClass +version: v1 +j +x-kubernetes-actionget +Ý + networking_v1"replace the specified IngressClass*replaceNetworkingV1IngressClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BI +G +Ebodybody *5 +3#/definitions/io.k8s.api.networking.v1.IngressClassBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string J® +F +200? += +OK7 +5 +3#/definitions/io.k8s.api.networking.v1.IngressClass +K +201D +B +Created7 +5 +3#/definitions/io.k8s.api.networking.v1.IngressClass + +401 + + UnauthorizedRhttpsj] +x-kubernetes-group-version-kind:8group: networking.k8s.io +kind: IngressClass +version: v1 +j +x-kubernetes-actionput +*˜ + networking_v1delete an IngressClass*deleteNetworkingV1IngressClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string J» +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status +R +202K +I +Accepted= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsj] +x-kubernetes-group-version-kind:8group: networking.k8s.io +kind: IngressClass +version: v1 +j +x-kubernetes-action delete +Bƒ + networking_v1+partially update the specified IngressClass*patchNetworkingV1IngressClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean Ja +F +200? += +OK7 +5 +3#/definitions/io.k8s.api.networking.v1.IngressClass + +401 + + UnauthorizedRhttpsj] +x-kubernetes-group-version-kind:8group: networking.k8s.io +kind: IngressClass +version: v1 +j +x-kubernetes-actionpatch +J9 +75"3pathname of the IngressClass"name*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ñ) +L/apis/rbac.authorization.k8s.io/v1/watch/namespaces/{namespace}/roles/{name} )ÿ +rbacAuthorization_v1«watch changes to an object of kind Role. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*&watchRbacAuthorizationV1NamespacedRole2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionwatch +j] +x-kubernetes-group-version-kind:8group: rbac.authorization.k8s.io +kind: Role +version: v1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J1 +/-"+pathname of the Role"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean §' +/api/v1/persistentvolumeclaims„'ø +core_v13list or watch objects of kind PersistentVolumeClaim*/listCoreV1PersistentVolumeClaimForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jh +M +200F +D +OK> +< +:#/definitions/io.k8s.api.core.v1.PersistentVolumeClaimList + +401 + + UnauthorizedRhttpsjW +x-kubernetes-group-version-kind42group: "" +kind: PersistentVolumeClaim +version: v1 +j +x-kubernetes-actionlist +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean Ã) +7/api/v1/watch/namespaces/{namespace}/limitranges/{name}‡)à +core_v1±watch changes to an object of kind LimitRange. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*watchCoreV1NamespacedLimitRange2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionwatch +jL +x-kubernetes-group-version-kind)'group: "" +kind: LimitRange +version: v1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J7 +53"1pathname of the LimitRange"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean µ( +3/apis/autoscaling/v1/watch/horizontalpodautoscalersý'ñ +autoscaling_v1ƒwatch individual changes to a list of HorizontalPodAutoscaler. deprecated: use the 'watch' parameter with a list operation instead.*=watchAutoscalingV1HorizontalPodAutoscalerListForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj# +x-kubernetes-action  +watchlist +jb +x-kubernetes-group-version-kind?=group: autoscaling +kind: HorizontalPodAutoscaler +version: v1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ×( +6/apis/apps/v1/watch/namespaces/{namespace}/replicasetsœ(® +apps_v1vwatch individual changes to a list of ReplicaSet. deprecated: use the 'watch' parameter with a list operation instead.*#watchAppsV1NamespacedReplicaSetList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsjN +x-kubernetes-group-version-kind+)group: apps +kind: ReplicaSet +version: v1 +j# +x-kubernetes-action  +watchlist +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean Ð + /apis/policy/¾» +policyget information of a group*getPolicyAPIGroup2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJi +N +200G +E +OK? += +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIGroup + +401 + + UnauthorizedRhttps) +;/apis/networking.k8s.io/v1beta1/watch/ingressclasses/{name}Í(† +networking_v1beta1³watch changes to an object of kind IngressClass. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*"watchNetworkingV1beta1IngressClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionwatch +jb +x-kubernetes-group-version-kind?=group: networking.k8s.io +kind: IngressClass +version: v1beta1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J9 +75"3pathname of the IngressClass"name*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean “ +I/apis/policy/v1/namespaces/{namespace}/poddisruptionbudgets/{name}/statusÅ£ + policy_v10read status of the specified PodDisruptionBudget*/readPolicyV1NamespacedPodDisruptionBudgetStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Jd + +401 + + Unauthorized +I +200B +@ +OK: +8 +6#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetRhttpsj +x-kubernetes-actionget +jY +x-kubernetes-group-version-kind64group: policy +kind: PodDisruptionBudget +version: v1 +‚ + policy_v13replace status of the specified PodDisruptionBudget*2replacePolicyV1NamespacedPodDisruptionBudgetStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BL +J +Hbodybody *8 +6#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string J´ +I +200B +@ +OK: +8 +6#/definitions/io.k8s.api.policy.v1.PodDisruptionBudget +N +201G +E +Created: +8 +6#/definitions/io.k8s.api.policy.v1.PodDisruptionBudget + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionput +jY +x-kubernetes-group-version-kind64kind: PodDisruptionBudget +version: v1 +group: policy +B¢ + policy_v1<":pathname of the PodDisruptionBudget"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ( +./apis/policy/v1beta1/watch/podsecuritypoliciesÚ'Î +policy_v1beta1}watch individual changes to a list of PodSecurityPolicy. deprecated: use the 'watch' parameter with a list operation instead.*'watchPolicyV1beta1PodSecurityPolicyList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk + +401 + + Unauthorized +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEventRhttpsj\ +x-kubernetes-group-version-kind97group: policy +kind: PodSecurityPolicy +version: v1beta1 +j# +x-kubernetes-action  +watchlist +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ñ' +/api/v1/namespaces/{name}Ó'× +core_v1read the specified Namespace*readCoreV1Namespace2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*JX += +2006 +4 +OK. +, +*#/definitions/io.k8s.api.core.v1.Namespace + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionget +jK +x-kubernetes-group-version-kind(&group: "" +kind: Namespace +version: v1 +ž +core_v1replace the specified Namespace*replaceCoreV1Namespace2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B@ +> +<bodybody *, +*#/definitions/io.k8s.api.core.v1.NamespaceBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string Jœ +B +201; +9 +Created. +, +*#/definitions/io.k8s.api.core.v1.Namespace + +401 + + Unauthorized += +2006 +4 +OK. +, +*#/definitions/io.k8s.api.core.v1.NamespaceRhttpsj +x-kubernetes-actionput +jK +x-kubernetes-group-version-kind(&group: "" +kind: Namespace +version: v1 +*ó +core_v1delete a Namespace*deleteCoreV1Namespace2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string J» +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status +R +202K +I +Accepted= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsjK +x-kubernetes-group-version-kind(&group: "" +kind: Namespace +version: v1 +j +x-kubernetes-action delete +BÖ +core_v1(partially update the specified Namespace*patchCoreV1Namespace2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean JX += +2006 +4 +OK. +, +*#/definitions/io.k8s.api.core.v1.Namespace + +401 + + UnauthorizedRhttpsjK +x-kubernetes-group-version-kind(&group: "" +kind: Namespace +version: v1 +j +x-kubernetes-actionpatch +J6 +42"0pathname of the Namespace"name*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ¢( +/api/v1/watch/nodes/{name}ƒ(Ä +core_v1«watch changes to an object of kind Node. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*watchCoreV1Node2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionwatch +jF +x-kubernetes-group-version-kind#!group: "" +kind: Node +version: v1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J1 +/-"+pathname of the Node"name*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ð +/apis/discovery.k8s.io/v1/ÑÎ + discovery_v1get available resources*getDiscoveryV1APIResources2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJp +U +200N +L +OKF +D +B#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList + +401 + + UnauthorizedRhttps…) +E/apis/discovery.k8s.io/v1/watch/namespaces/{namespace}/endpointslices»(Í + discovery_v1ywatch individual changes to a list of EndpointSlice. deprecated: use the 'watch' parameter with a list operation instead.*+watchDiscoveryV1NamespacedEndpointSliceList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj# +x-kubernetes-action  +watchlist +j] +x-kubernetes-group-version-kind:8kind: EndpointSlice +version: v1 +group: discovery.k8s.io +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean å* +2/apis/apiregistration.k8s.io/v1/apiservices/{name}®*¥ +apiregistration_v1read the specified APIService*readApiregistrationV1APIService2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Jy +^ +200W +U +OKO +M +K#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIService + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionget +j` +x-kubernetes-group-version-kind=;group: apiregistration.k8s.io +version: v1 +kind: APIService +® +apiregistration_v1 replace the specified APIService*"replaceApiregistrationV1APIService2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Ba +_ +]bodybody *M +K#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIServiceBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string JÞ + +401 + + Unauthorized +^ +200W +U +OKO +M +K#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIService +c +201\ +Z +CreatedO +M +K#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIServiceRhttpsj +x-kubernetes-actionput +j` +x-kubernetes-group-version-kind=;version: v1 +kind: APIService +group: apiregistration.k8s.io +*¡ +apiregistration_v1delete an APIService*!deleteApiregistrationV1APIService2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string J» +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status +R +202K +I +Accepted= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsj +x-kubernetes-action delete +j` +x-kubernetes-group-version-kind=;group: apiregistration.k8s.io +version: v1 +kind: APIService +B¤ +apiregistration_v1)partially update the specified APIService* patchApiregistrationV1APIService2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean Jy + +401 + + Unauthorized +^ +200W +U +OKO +M +K#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIServiceRhttpsj +x-kubernetes-actionpatch +j` +x-kubernetes-group-version-kind=;group: apiregistration.k8s.io +version: v1 +kind: APIService +J7 +53"1pathname of the APIService"name*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string í( +?/apis/events.k8s.io/v1beta1/watch/namespaces/{namespace}/events©(» +events_v1beta1qwatch individual changes to a list of Event. deprecated: use the 'watch' parameter with a list operation instead.*%watchEventsV1beta1NamespacedEventList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj# +x-kubernetes-action  +watchlist +jW +x-kubernetes-group-version-kind42group: events.k8s.io +kind: Event +version: v1beta1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean Ž +$/apis/authentication.k8s.io/v1beta1/åâ +authentication_v1beta1get available resources*$getAuthenticationV1beta1APIResources2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJp +U +200N +L +OKF +D +B#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList + +401 + + UnauthorizedRhttps”] +'/apis/storage.k8s.io/v1beta1/csidriversè\™& +storage_v1beta1'list or watch objects of kind CSIDriver*listStorageV1beta1CSIDriver2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Bï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer B± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean Jd +I +200B +@ +OK: +8 +6#/definitions/io.k8s.api.storage.v1beta1.CSIDriverList + +401 + + UnauthorizedRhttpsj\ +x-kubernetes-group-version-kind97group: storage.k8s.io +kind: CSIDriver +version: v1beta1 +j +x-kubernetes-actionlist +"— +storage_v1beta1create a CSIDriver*createStorageV1beta1CSIDriver2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BH +F +Dbodybody *4 +2#/definitions/io.k8s.api.storage.v1beta1.CSIDriverBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string Jù +E +200> +< +OK6 +4 +2#/definitions/io.k8s.api.storage.v1beta1.CSIDriver +J +201C +A +Created6 +4 +2#/definitions/io.k8s.api.storage.v1beta1.CSIDriver +K +202D +B +Accepted6 +4 +2#/definitions/io.k8s.api.storage.v1beta1.CSIDriver + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpost +j\ +x-kubernetes-group-version-kind97kind: CSIDriver +version: v1beta1 +group: storage.k8s.io +*Þ, +storage_v1beta1delete collection of CSIDriver*'deleteStorageV1beta1CollectionCSIDriver2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string Bž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer Jg +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsj* +x-kubernetes-actiondeletecollection +j\ +x-kubernetes-group-version-kind97group: storage.k8s.io +kind: CSIDriver +version: v1beta1 +JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ¿+ +7/apis/apiregistration.k8s.io/v1beta1/apiservices/{name}ƒ+¹ +apiregistration_v1beta1read the specified APIService*$readApiregistrationV1beta1APIService2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*J~ +c +200\ +Z +OKT +R +P#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1beta1.APIService + +401 + + UnauthorizedRhttpsje +x-kubernetes-group-version-kindB@group: apiregistration.k8s.io +version: v1beta1 +kind: APIService +j +x-kubernetes-actionget +Ì +apiregistration_v1beta1 replace the specified APIService*'replaceApiregistrationV1beta1APIService2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Bf +d +bbodybody *R +P#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1beta1.APIServiceBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string Jè +c +200\ +Z +OKT +R +P#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1beta1.APIService +h +201a +_ +CreatedT +R +P#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1beta1.APIService + +401 + + UnauthorizedRhttpsje +x-kubernetes-group-version-kindB@group: apiregistration.k8s.io +version: v1beta1 +kind: APIService +j +x-kubernetes-actionput +*° +apiregistration_v1beta1delete an APIService*&deleteApiregistrationV1beta1APIService2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string J» +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status +R +202K +I +Accepted= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsje +x-kubernetes-group-version-kindB@group: apiregistration.k8s.io +version: v1beta1 +kind: APIService +j +x-kubernetes-action delete +B¸ +apiregistration_v1beta1)partially update the specified APIService*%patchApiregistrationV1beta1APIService2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean J~ + +401 + + Unauthorized +c +200\ +Z +OKT +R +P#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1beta1.APIServiceRhttpsje +x-kubernetes-group-version-kindB@group: apiregistration.k8s.io +version: v1beta1 +kind: APIService +j +x-kubernetes-actionpatch +J7 +53"1pathname of the APIService"name*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ã( +9/apis/batch/v1beta1/watch/namespaces/{namespace}/cronjobs¥(· + batch_v1beta1swatch individual changes to a list of CronJob. deprecated: use the 'watch' parameter with a list operation instead.*&watchBatchV1beta1NamespacedCronJobList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj# +x-kubernetes-action  +watchlist +jQ +x-kubernetes-group-version-kind.,group: batch +kind: CronJob +version: v1beta1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ƒ) +E/apis/rbac.authorization.k8s.io/v1/watch/namespaces/{namespace}/roles¹(Ë +rbacAuthorization_v1pwatch individual changes to a list of Role. deprecated: use the 'watch' parameter with a list operation instead.**watchRbacAuthorizationV1NamespacedRoleList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk + +401 + + Unauthorized +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEventRhttpsj] +x-kubernetes-group-version-kind:8version: v1 +group: rbac.authorization.k8s.io +kind: Role +j# +x-kubernetes-action  +watchlist +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ö' ++/apis/storage.k8s.io/v1beta1/watch/csinodesÆ'º +storage_v1beta1swatch individual changes to a list of CSINode. deprecated: use the 'watch' parameter with a list operation instead.*watchStorageV1beta1CSINodeList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj# +x-kubernetes-action  +watchlist +jZ +x-kubernetes-group-version-kind75version: v1beta1 +group: storage.k8s.io +kind: CSINode +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean š] +*/api/v1/namespaces/{namespace}/limitrangesë\þ% +core_v1(list or watch objects of kind LimitRange*listCoreV1NamespacedLimitRange2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Bï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer B± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean J] +B +200; +9 +OK3 +1 +/#/definitions/io.k8s.api.core.v1.LimitRangeList + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionlist +jL +x-kubernetes-group-version-kind)'group: "" +kind: LimitRange +version: v1 +"ç +core_v1create a LimitRange* createCoreV1NamespacedLimitRange2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BA +? +=bodybody *- ++#/definitions/io.k8s.api.core.v1.LimitRangeBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string Jä +> +2007 +5 +OK/ +- ++#/definitions/io.k8s.api.core.v1.LimitRange +C +201< +: +Created/ +- ++#/definitions/io.k8s.api.core.v1.LimitRange +D +202= +; +Accepted/ +- ++#/definitions/io.k8s.api.core.v1.LimitRange + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpost +jL +x-kubernetes-group-version-kind)'group: "" +kind: LimitRange +version: v1 +*Ê, +core_v1delete collection of LimitRange**deleteCoreV1CollectionNamespacedLimitRange2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string Bž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer Jg + +401 + + Unauthorized +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.StatusRhttpsjL +x-kubernetes-group-version-kind)'group: "" +kind: LimitRange +version: v1 +j* +x-kubernetes-actiondeletecollection +J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ˆ] +./apis/batch/v1/namespaces/{namespace}/cronjobsÕ\ø% +batch_v1%list or watch objects of kind CronJob*listBatchV1NamespacedCronJob2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Bï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer B± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean J[ +@ +2009 +7 +OK1 +/ +-#/definitions/io.k8s.api.batch.v1.CronJobList + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionlist +jL +x-kubernetes-group-version-kind)'group: batch +kind: CronJob +version: v1 +"Û +batch_v1create a CronJob*createBatchV1NamespacedCronJob2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B? += +;bodybody *+ +)#/definitions/io.k8s.api.batch.v1.CronJobBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string JÞ +A +201: +8 +Created- ++ +)#/definitions/io.k8s.api.batch.v1.CronJob +B +202; +9 +Accepted- ++ +)#/definitions/io.k8s.api.batch.v1.CronJob + +401 + + Unauthorized +< +2005 +3 +OK- ++ +)#/definitions/io.k8s.api.batch.v1.CronJobRhttpsj +x-kubernetes-actionpost +jL +x-kubernetes-group-version-kind)'group: batch +kind: CronJob +version: v1 +*Æ, +batch_v1delete collection of CronJob*(deleteBatchV1CollectionNamespacedCronJob2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string Bž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer Jg +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsj* +x-kubernetes-actiondeletecollection +jL +x-kubernetes-group-version-kind)'version: v1 +group: batch +kind: CronJob +J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Ò +E/apis/certificates.k8s.io/v1/certificatesigningrequests/{name}/statusˆÐ +certificates_v16read status of the specified CertificateSigningRequest*1readCertificatesV1CertificateSigningRequestStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Jp +U +200N +L +OKF +D +B#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequest + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionget +jl +x-kubernetes-group-version-kindIGgroup: certificates.k8s.io +kind: CertificateSigningRequest +version: v1 +Ç +certificates_v19replace status of the specified CertificateSigningRequest*4replaceCertificatesV1CertificateSigningRequestStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BX +V +Tbodybody *D +B#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequestBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string JÌ +Z +201S +Q +CreatedF +D +B#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequest + +401 + + Unauthorized +U +200N +L +OKF +D +B#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequestRhttpsj +x-kubernetes-actionput +jl +x-kubernetes-group-version-kindIGgroup: certificates.k8s.io +kind: CertificateSigningRequest +version: v1 +BÏ +certificates_v1Bpartially update status of the specified CertificateSigningRequest*2patchCertificatesV1CertificateSigningRequestStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean Jp + +401 + + Unauthorized +U +200N +L +OKF +D +B#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequestRhttpsj +x-kubernetes-actionpatch +jl +x-kubernetes-group-version-kindIGgroup: certificates.k8s.io +kind: CertificateSigningRequest +version: v1 +JF +DB"@path%name of the CertificateSigningRequest"name*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string  +J/apis/certificates.k8s.io/v1beta1/certificatesigningrequests/{name}/statusÎä +certificates_v1beta16read status of the specified CertificateSigningRequest*6readCertificatesV1beta1CertificateSigningRequestStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Ju +Z +200S +Q +OKK +I +G#/definitions/io.k8s.api.certificates.v1beta1.CertificateSigningRequest + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionget +jq +x-kubernetes-group-version-kindNLgroup: certificates.k8s.io +kind: CertificateSigningRequest +version: v1beta1 +å +certificates_v1beta19replace status of the specified CertificateSigningRequest*9replaceCertificatesV1beta1CertificateSigningRequestStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B] +[ +Ybodybody *I +G#/definitions/io.k8s.api.certificates.v1beta1.CertificateSigningRequestBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string JÖ +Z +200S +Q +OKK +I +G#/definitions/io.k8s.api.certificates.v1beta1.CertificateSigningRequest +_ +201X +V +CreatedK +I +G#/definitions/io.k8s.api.certificates.v1beta1.CertificateSigningRequest + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionput +jq +x-kubernetes-group-version-kindNLkind: CertificateSigningRequest +version: v1beta1 +group: certificates.k8s.io +Bã +certificates_v1beta1Bpartially update status of the specified CertificateSigningRequest*7patchCertificatesV1beta1CertificateSigningRequestStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean Ju +Z +200S +Q +OKK +I +G#/definitions/io.k8s.api.certificates.v1beta1.CertificateSigningRequest + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpatch +jq +x-kubernetes-group-version-kindNLversion: v1beta1 +group: certificates.k8s.io +kind: CertificateSigningRequest +JF +DB"@path%name of the CertificateSigningRequest"name*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Û( +7/apis/apps/v1/watch/namespaces/{namespace}/statefulsetsŸ(± +apps_v1wwatch individual changes to a list of StatefulSet. deprecated: use the 'watch' parameter with a list operation instead.*$watchAppsV1NamespacedStatefulSetList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj# +x-kubernetes-action  +watchlist +jO +x-kubernetes-group-version-kind,*group: apps +kind: StatefulSet +version: v1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ´/ +/api/v1/namespaces/ð% +core_v1'list or watch objects of kind Namespace*listCoreV1Namespace2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Bï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer B± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean J\ +A +200: +8 +OK2 +0 +.#/definitions/io.k8s.api.core.v1.NamespaceList + +401 + + UnauthorizedRhttpsjK +x-kubernetes-group-version-kind(&group: "" +kind: Namespace +version: v1 +j +x-kubernetes-actionlist +"Ö +core_v1create a Namespace*createCoreV1Namespace2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B@ +> +<bodybody *, +*#/definitions/io.k8s.api.core.v1.NamespaceBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string Já += +2006 +4 +OK. +, +*#/definitions/io.k8s.api.core.v1.Namespace +B +201; +9 +Created. +, +*#/definitions/io.k8s.api.core.v1.Namespace +C +202< +: +Accepted. +, +*#/definitions/io.k8s.api.core.v1.Namespace + +401 + + UnauthorizedRhttpsjK +x-kubernetes-group-version-kind(&group: "" +kind: Namespace +version: v1 +j +x-kubernetes-actionpost +JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Ð' +/api/v1/watch/servicesµ'© +core_v1swatch individual changes to a list of Service. deprecated: use the 'watch' parameter with a list operation instead.*&watchCoreV1ServiceListForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsjI +x-kubernetes-group-version-kind&$group: "" +kind: Service +version: v1 +j# +x-kubernetes-action  +watchlist +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean  +S/apis/authorization.k8s.io/v1beta1/namespaces/{namespace}/localsubjectaccessreviewsê "ú +authorization_v1beta1!create a LocalSubjectAccessReview* +<bodybody *, +*#/definitions/io.k8s.api.core.v1.ConfigMapBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string Já += +2006 +4 +OK. +, +*#/definitions/io.k8s.api.core.v1.ConfigMap +B +201; +9 +Created. +, +*#/definitions/io.k8s.api.core.v1.ConfigMap +C +202< +: +Accepted. +, +*#/definitions/io.k8s.api.core.v1.ConfigMap + +401 + + UnauthorizedRhttpsjK +x-kubernetes-group-version-kind(&group: "" +kind: ConfigMap +version: v1 +j +x-kubernetes-actionpost +*Ç, +core_v1delete collection of ConfigMap*)deleteCoreV1CollectionNamespacedConfigMap2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string Bž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer Jg +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsj* +x-kubernetes-actiondeletecollection +jK +x-kubernetes-group-version-kind(&group: "" +kind: ConfigMap +version: v1 +J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ¼) +O/apis/autoscaling/v2beta2/watch/namespaces/{namespace}/horizontalpodautoscalersè(ú +autoscaling_v2beta2ƒwatch individual changes to a list of HorizontalPodAutoscaler. deprecated: use the 'watch' parameter with a list operation instead.* +< +OK6 +4 +2#/definitions/io.k8s.api.node.v1beta1.RuntimeClass + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionget +j\ +x-kubernetes-group-version-kind97group: node.k8s.io +kind: RuntimeClass +version: v1beta1 +× + node_v1beta1"replace the specified RuntimeClass*replaceNodeV1beta1RuntimeClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BH +F +Dbodybody *4 +2#/definitions/io.k8s.api.node.v1beta1.RuntimeClassBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string J¬ +E +200> +< +OK6 +4 +2#/definitions/io.k8s.api.node.v1beta1.RuntimeClass +J +201C +A +Created6 +4 +2#/definitions/io.k8s.api.node.v1beta1.RuntimeClass + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionput +j\ +x-kubernetes-group-version-kind97group: node.k8s.io +kind: RuntimeClass +version: v1beta1 +*” + node_v1beta1delete a RuntimeClass*deleteNodeV1beta1RuntimeClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string J» +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status +R +202K +I +Accepted= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsj +x-kubernetes-action delete +j\ +x-kubernetes-group-version-kind97group: node.k8s.io +kind: RuntimeClass +version: v1beta1 +Bÿ + node_v1beta1+partially update the specified RuntimeClass*patchNodeV1beta1RuntimeClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean J` +E +200> +< +OK6 +4 +2#/definitions/io.k8s.api.node.v1beta1.RuntimeClass + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpatch +j\ +x-kubernetes-group-version-kind97group: node.k8s.io +kind: RuntimeClass +version: v1beta1 +J9 +75"3pathname of the RuntimeClass"name*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string å* +G/apis/networking.k8s.io/v1beta1/namespaces/{namespace}/ingresses/{name}™*Ž +networking_v1beta1read the specified Ingress*&readNetworkingV1beta1NamespacedIngress2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Ja +F +200? += +OK7 +5 +3#/definitions/io.k8s.api.networking.v1beta1.Ingress + +401 + + UnauthorizedRhttpsj] +x-kubernetes-group-version-kind:8group: networking.k8s.io +kind: Ingress +version: v1beta1 +j +x-kubernetes-actionget +ç +networking_v1beta1replace the specified Ingress*)replaceNetworkingV1beta1NamespacedIngress2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BI +G +Ebodybody *5 +3#/definitions/io.k8s.api.networking.v1beta1.IngressBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string J® +F +200? += +OK7 +5 +3#/definitions/io.k8s.api.networking.v1beta1.Ingress +K +201D +B +Created7 +5 +3#/definitions/io.k8s.api.networking.v1beta1.Ingress + +401 + + UnauthorizedRhttpsj] +x-kubernetes-group-version-kind:8group: networking.k8s.io +kind: Ingress +version: v1beta1 +j +x-kubernetes-actionput +*¢ +networking_v1beta1delete an Ingress*(deleteNetworkingV1beta1NamespacedIngress2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string J» +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status +R +202K +I +Accepted= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsj] +x-kubernetes-group-version-kind:8group: networking.k8s.io +kind: Ingress +version: v1beta1 +j +x-kubernetes-action delete +B +networking_v1beta1&partially update the specified Ingress*'patchNetworkingV1beta1NamespacedIngress2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean Ja +F +200? += +OK7 +5 +3#/definitions/io.k8s.api.networking.v1beta1.Ingress + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpatch +j] +x-kubernetes-group-version-kind:8group: networking.k8s.io +kind: Ingress +version: v1beta1 +J4 +20".pathname of the Ingress"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ´) +C/apis/rbac.authorization.k8s.io/v1/watch/clusterrolebindings/{name}ì(Ÿ +rbacAuthorization_v1¹watch changes to an object of kind ClusterRoleBinding. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.**watchRbacAuthorizationV1ClusterRoleBinding2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionwatch +jk +x-kubernetes-group-version-kindHFgroup: rbac.authorization.k8s.io +kind: ClusterRoleBinding +version: v1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J? +=;"9pathname of the ClusterRoleBinding"name*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ‘) + +< +OK6 +4 +2#/definitions/io.k8s.api.storage.v1beta1.CSIDriver + +401 + + UnauthorizedRhttpsj\ +x-kubernetes-group-version-kind97group: storage.k8s.io +kind: CSIDriver +version: v1beta1 +j +x-kubernetes-actionget +× +storage_v1beta1replace the specified CSIDriver*replaceStorageV1beta1CSIDriver2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BH +F +Dbodybody *4 +2#/definitions/io.k8s.api.storage.v1beta1.CSIDriverBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string J¬ +E +200> +< +OK6 +4 +2#/definitions/io.k8s.api.storage.v1beta1.CSIDriver +J +201C +A +Created6 +4 +2#/definitions/io.k8s.api.storage.v1beta1.CSIDriver + +401 + + UnauthorizedRhttpsj\ +x-kubernetes-group-version-kind97group: storage.k8s.io +kind: CSIDriver +version: v1beta1 +j +x-kubernetes-actionput +*† +storage_v1beta1delete a CSIDriver*deleteStorageV1beta1CSIDriver2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string J­ +E +200> +< +OK6 +4 +2#/definitions/io.k8s.api.storage.v1beta1.CSIDriver +K +202D +B +Accepted6 +4 +2#/definitions/io.k8s.api.storage.v1beta1.CSIDriver + +401 + + UnauthorizedRhttpsj +x-kubernetes-action delete +j\ +x-kubernetes-group-version-kind97group: storage.k8s.io +kind: CSIDriver +version: v1beta1 +Bÿ +storage_v1beta1(partially update the specified CSIDriver*patchStorageV1beta1CSIDriver2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean J` +E +200> +< +OK6 +4 +2#/definitions/io.k8s.api.storage.v1beta1.CSIDriver + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpatch +j\ +x-kubernetes-group-version-kind97group: storage.k8s.io +kind: CSIDriver +version: v1beta1 +J6 +42"0pathname of the CSIDriver"name*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ”) +;/apis/storage.k8s.io/v1beta1/watch/volumeattachments/{name}Ô(‰ +storage_v1beta1·watch changes to an object of kind VolumeAttachment. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*#watchStorageV1beta1VolumeAttachment2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionwatch +jc +x-kubernetes-group-version-kind@>kind: VolumeAttachment +version: v1beta1 +group: storage.k8s.io +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J= +;9"7pathname of the VolumeAttachment"name*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean •] +(/apis/node.k8s.io/v1beta1/runtimeclassesè\™& + node_v1beta1*list or watch objects of kind RuntimeClass*listNodeV1beta1RuntimeClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Bï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer B± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean Jd +I +200B +@ +OK: +8 +6#/definitions/io.k8s.api.node.v1beta1.RuntimeClassList + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionlist +j\ +x-kubernetes-group-version-kind97group: node.k8s.io +kind: RuntimeClass +version: v1beta1 +"— + node_v1beta1create a RuntimeClass*createNodeV1beta1RuntimeClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BH +F +Dbodybody *4 +2#/definitions/io.k8s.api.node.v1beta1.RuntimeClassBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string Jù +K +202D +B +Accepted6 +4 +2#/definitions/io.k8s.api.node.v1beta1.RuntimeClass + +401 + + Unauthorized +E +200> +< +OK6 +4 +2#/definitions/io.k8s.api.node.v1beta1.RuntimeClass +J +201C +A +Created6 +4 +2#/definitions/io.k8s.api.node.v1beta1.RuntimeClassRhttpsj\ +x-kubernetes-group-version-kind97group: node.k8s.io +kind: RuntimeClass +version: v1beta1 +j +x-kubernetes-actionpost +*Þ, + node_v1beta1!delete collection of RuntimeClass*'deleteNodeV1beta1CollectionRuntimeClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string Bž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer Jg + +401 + + Unauthorized +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.StatusRhttpsj* +x-kubernetes-actiondeletecollection +j\ +x-kubernetes-group-version-kind97group: node.k8s.io +kind: RuntimeClass +version: v1beta1 +JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ”* +S/apis/rbac.authorization.k8s.io/v1/watch/namespaces/{namespace}/rolebindings/{name}¼)” +rbacAuthorization_v1²watch changes to an object of kind RoleBinding. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*-watchRbacAuthorizationV1NamespacedRoleBinding2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionwatch +jd +x-kubernetes-group-version-kindA?group: rbac.authorization.k8s.io +kind: RoleBinding +version: v1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J8 +64"2pathname of the RoleBinding"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean à' +/api/v1/watch/podtemplatesÁ'µ +core_v1wwatch individual changes to a list of PodTemplate. deprecated: use the 'watch' parameter with a list operation instead.**watchCoreV1PodTemplateListForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsjM +x-kubernetes-group-version-kind*(kind: PodTemplate +version: v1 +group: "" +j# +x-kubernetes-action  +watchlist +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ‚ + /apis/apiregistration.k8s.io/v1/ÝÚ +apiregistration_v1get available resources* getApiregistrationV1APIResources2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJp +U +200N +L +OKF +D +B#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList + +401 + + UnauthorizedRhttps‹ +#/apis/authorization.k8s.io/v1beta1/ãà +authorization_v1beta1get available resources*#getAuthorizationV1beta1APIResources2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJp + +401 + + Unauthorized +U +200N +L +OKF +D +B#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceListRhttpsü* +H/apis/networking.k8s.io/v1/namespaces/{namespace}/networkpolicies/{name}¯*’ + networking_v1 read the specified NetworkPolicy*'readNetworkingV1NamespacedNetworkPolicy2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Jb +G +200@ +> +OK8 +6 +4#/definitions/io.k8s.api.networking.v1.NetworkPolicy + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionget +j^ +x-kubernetes-group-version-kind;9kind: NetworkPolicy +version: v1 +group: networking.k8s.io +í + networking_v1#replace the specified NetworkPolicy**replaceNetworkingV1NamespacedNetworkPolicy2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BJ +H +Fbodybody *6 +4#/definitions/io.k8s.api.networking.v1.NetworkPolicyBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string J° +G +200@ +> +OK8 +6 +4#/definitions/io.k8s.api.networking.v1.NetworkPolicy +L +201E +C +Created8 +6 +4#/definitions/io.k8s.api.networking.v1.NetworkPolicy + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionput +j^ +x-kubernetes-group-version-kind;9group: networking.k8s.io +kind: NetworkPolicy +version: v1 +*¤ + networking_v1delete a NetworkPolicy*)deleteNetworkingV1NamespacedNetworkPolicy2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string J» +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status +R +202K +I +Accepted= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsj +x-kubernetes-action delete +j^ +x-kubernetes-group-version-kind;9kind: NetworkPolicy +version: v1 +group: networking.k8s.io +B‘ + networking_v1,partially update the specified NetworkPolicy*(patchNetworkingV1NamespacedNetworkPolicy2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean Jb +G +200@ +> +OK8 +6 +4#/definitions/io.k8s.api.networking.v1.NetworkPolicy + +401 + + UnauthorizedRhttpsj^ +x-kubernetes-group-version-kind;9group: networking.k8s.io +kind: NetworkPolicy +version: v1 +j +x-kubernetes-actionpatch +J: +86"4pathname of the NetworkPolicy"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string †) +F/apis/networking.k8s.io/v1beta1/watch/namespaces/{namespace}/ingresses»(Í +networking_v1beta1swatch individual changes to a list of Ingress. deprecated: use the 'watch' parameter with a list operation instead.*+watchNetworkingV1beta1NamespacedIngressList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj# +x-kubernetes-action  +watchlist +j] +x-kubernetes-group-version-kind:8group: networking.k8s.io +kind: Ingress +version: v1beta1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ˆ] +(/api/v1/namespaces/{namespace}/endpointsÛ\ú% +core_v1'list or watch objects of kind Endpoints*listCoreV1NamespacedEndpoints2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Bï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer B± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean J\ +A +200: +8 +OK2 +0 +.#/definitions/io.k8s.api.core.v1.EndpointsList + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionlist +jK +x-kubernetes-group-version-kind(&group: "" +kind: Endpoints +version: v1 +"Þ +core_v1create Endpoints*createCoreV1NamespacedEndpoints2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B@ +> +<bodybody *, +*#/definitions/io.k8s.api.core.v1.EndpointsBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string Já +C +202< +: +Accepted. +, +*#/definitions/io.k8s.api.core.v1.Endpoints + +401 + + Unauthorized += +2006 +4 +OK. +, +*#/definitions/io.k8s.api.core.v1.Endpoints +B +201; +9 +Created. +, +*#/definitions/io.k8s.api.core.v1.EndpointsRhttpsj +x-kubernetes-actionpost +jK +x-kubernetes-group-version-kind(&group: "" +kind: Endpoints +version: v1 +*Ç, +core_v1delete collection of Endpoints*)deleteCoreV1CollectionNamespacedEndpoints2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string Bž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer Jg +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsj* +x-kubernetes-actiondeletecollection +jK +x-kubernetes-group-version-kind(&version: v1 +group: "" +kind: Endpoints +J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ¿( +,/api/v1/watch/namespaces/{namespace}/secretsŽ(  +core_v1rwatch individual changes to a list of Secret. deprecated: use the 'watch' parameter with a list operation instead.*watchCoreV1NamespacedSecretList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj# +x-kubernetes-action  +watchlist +jH +x-kubernetes-group-version-kind%#group: "" +kind: Secret +version: v1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean é +=/apis/apps/v1/namespaces/{namespace}/deployments/{name}/scale§ù +apps_v1&read scale of the specified Deployment*#readAppsV1NamespacedDeploymentScale2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*J[ + +401 + + Unauthorized +@ +2009 +7 +OK1 +/ +-#/definitions/io.k8s.api.autoscaling.v1.ScaleRhttpsjP +x-kubernetes-group-version-kind-+group: autoscaling +kind: Scale +version: v1 +j +x-kubernetes-actionget +Æ +apps_v1)replace scale of the specified Deployment*&replaceAppsV1NamespacedDeploymentScale2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BC +A +?bodybody */ +-#/definitions/io.k8s.api.autoscaling.v1.ScaleBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string J¢ +E +201> +< +Created1 +/ +-#/definitions/io.k8s.api.autoscaling.v1.Scale + +401 + + Unauthorized +@ +2009 +7 +OK1 +/ +-#/definitions/io.k8s.api.autoscaling.v1.ScaleRhttpsj +x-kubernetes-actionput +jP +x-kubernetes-group-version-kind-+group: autoscaling +kind: Scale +version: v1 +Bø +apps_v12partially update scale of the specified Deployment*$patchAppsV1NamespacedDeploymentScale2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean J[ +@ +2009 +7 +OK1 +/ +-#/definitions/io.k8s.api.autoscaling.v1.Scale + +401 + + UnauthorizedRhttpsjP +x-kubernetes-group-version-kind-+group: autoscaling +kind: Scale +version: v1 +j +x-kubernetes-actionpatch +J2 +0.",pathname of the Scale"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string î& +/apis/batch/v1/cronjobsÒ&Æ +batch_v1%list or watch objects of kind CronJob*"listBatchV1CronJobForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*J[ +@ +2009 +7 +OK1 +/ +-#/definitions/io.k8s.api.batch.v1.CronJobList + +401 + + UnauthorizedRhttpsjL +x-kubernetes-group-version-kind)'group: batch +kind: CronJob +version: v1 +j +x-kubernetes-actionlist +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ‰ +C/api/v1/namespaces/{namespace}/replicationcontrollers/{name}/statusÁ¡ +core_v12read status of the specified ReplicationController*/readCoreV1NamespacedReplicationControllerStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Jd +I +200B +@ +OK: +8 +6#/definitions/io.k8s.api.core.v1.ReplicationController + +401 + + UnauthorizedRhttpsjW +x-kubernetes-group-version-kind42group: "" +kind: ReplicationController +version: v1 +j +x-kubernetes-actionget +€ +core_v15replace status of the specified ReplicationController*2replaceCoreV1NamespacedReplicationControllerStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BL +J +Hbodybody *8 +6#/definitions/io.k8s.api.core.v1.ReplicationControllerBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string J´ +I +200B +@ +OK: +8 +6#/definitions/io.k8s.api.core.v1.ReplicationController +N +201G +E +Created: +8 +6#/definitions/io.k8s.api.core.v1.ReplicationController + +401 + + UnauthorizedRhttpsjW +x-kubernetes-group-version-kind42group: "" +kind: ReplicationController +version: v1 +j +x-kubernetes-actionput +B  +core_v1>partially update status of the specified ReplicationController*0patchCoreV1NamespacedReplicationControllerStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean Jd +I +200B +@ +OK: +8 +6#/definitions/io.k8s.api.core.v1.ReplicationController + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpatch +jW +x-kubernetes-group-version-kind42version: v1 +group: "" +kind: ReplicationController +JB +@>"<path!name of the ReplicationController"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ¦] +0/apis/apps/v1/namespaces/{namespace}/deploymentsñ\€& +apps_v1(list or watch objects of kind Deployment*listAppsV1NamespacedDeployment2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Bï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer B± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean J] + +401 + + Unauthorized +B +200; +9 +OK3 +1 +/#/definitions/io.k8s.api.apps.v1.DeploymentListRhttpsj +x-kubernetes-actionlist +jN +x-kubernetes-group-version-kind+)group: apps +kind: Deployment +version: v1 +"é +apps_v1create a Deployment* createAppsV1NamespacedDeployment2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BA +? +=bodybody *- ++#/definitions/io.k8s.api.apps.v1.DeploymentBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string Jä +> +2007 +5 +OK/ +- ++#/definitions/io.k8s.api.apps.v1.Deployment +C +201< +: +Created/ +- ++#/definitions/io.k8s.api.apps.v1.Deployment +D +202= +; +Accepted/ +- ++#/definitions/io.k8s.api.apps.v1.Deployment + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpost +jN +x-kubernetes-group-version-kind+)group: apps +kind: Deployment +version: v1 +*Ì, +apps_v1delete collection of Deployment**deleteAppsV1CollectionNamespacedDeployment2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string Bž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer Jg + +401 + + Unauthorized +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.StatusRhttpsj* +x-kubernetes-actiondeletecollection +jN +x-kubernetes-group-version-kind+)version: v1 +group: apps +kind: Deployment +J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ÷& +/apis/events.k8s.io/v1/eventsÕ&É + events_v1#list or watch objects of kind Event*!listEventsV1EventForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*JZ +? +2008 +6 +OK0 +. +,#/definitions/io.k8s.api.events.v1.EventList + +401 + + UnauthorizedRhttpsjR +x-kubernetes-group-version-kind/-group: events.k8s.io +kind: Event +version: v1 +j +x-kubernetes-actionlist +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ’* +F/apis/rbac.authorization.k8s.io/v1/namespaces/{namespace}/roles/{name}Ç)þ +rbacAuthorization_v1read the specified Role*%readRbacAuthorizationV1NamespacedRole2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*JS +8 +2001 +/ +OK) +' +%#/definitions/io.k8s.api.rbac.v1.Role + +401 + + UnauthorizedRhttpsj] +x-kubernetes-group-version-kind:8group: rbac.authorization.k8s.io +kind: Role +version: v1 +j +x-kubernetes-actionget +» +rbacAuthorization_v1replace the specified Role*(replaceRbacAuthorizationV1NamespacedRole2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B; +9 +7bodybody *' +%#/definitions/io.k8s.api.rbac.v1.RoleBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string J’ + +401 + + Unauthorized +8 +2001 +/ +OK) +' +%#/definitions/io.k8s.api.rbac.v1.Role += +2016 +4 +Created) +' +%#/definitions/io.k8s.api.rbac.v1.RoleRhttpsj +x-kubernetes-actionput +j] +x-kubernetes-group-version-kind:8group: rbac.authorization.k8s.io +kind: Role +version: v1 +*Ÿ +rbacAuthorization_v1 delete a Role*'deleteRbacAuthorizationV1NamespacedRole2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string J» +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status +R +202K +I +Accepted= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsj +x-kubernetes-action delete +j] +x-kubernetes-group-version-kind:8group: rbac.authorization.k8s.io +kind: Role +version: v1 +Bý +rbacAuthorization_v1#partially update the specified Role*&patchRbacAuthorizationV1NamespacedRole2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean JS +8 +2001 +/ +OK) +' +%#/definitions/io.k8s.api.rbac.v1.Role + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpatch +j] +x-kubernetes-group-version-kind:8group: rbac.authorization.k8s.io +kind: Role +version: v1 +J1 +/-"+pathname of the Role"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ¢* +U/apis/storage.k8s.io/v1beta1/watch/namespaces/{namespace}/csistoragecapacities/{name}È)™ +storage_v1beta1¹watch changes to an object of kind CSIStorageCapacity. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*/watchStorageV1beta1NamespacedCSIStorageCapacity2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsje +x-kubernetes-group-version-kindB@group: storage.k8s.io +kind: CSIStorageCapacity +version: v1beta1 +j +x-kubernetes-actionwatch +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J? +=;"9pathname of the CSIStorageCapacity"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean Ø' +/api/v1/watch/configmaps»'¯ +core_v1uwatch individual changes to a list of ConfigMap. deprecated: use the 'watch' parameter with a list operation instead.*(watchCoreV1ConfigMapListForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk + +401 + + Unauthorized +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEventRhttpsj# +x-kubernetes-action  +watchlist +jK +x-kubernetes-group-version-kind(&group: "" +kind: ConfigMap +version: v1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean Õ +=/apis/apps/v1/namespaces/{namespace}/daemonsets/{name}/status“ó +apps_v1&read status of the specified DaemonSet*#readAppsV1NamespacedDaemonSetStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*JX += +2006 +4 +OK. +, +*#/definitions/io.k8s.api.apps.v1.DaemonSet + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionget +jM +x-kubernetes-group-version-kind*(kind: DaemonSet +version: v1 +group: apps +º +apps_v1)replace status of the specified DaemonSet*&replaceAppsV1NamespacedDaemonSetStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B@ +> +<bodybody *, +*#/definitions/io.k8s.api.apps.v1.DaemonSetBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string Jœ + +401 + + Unauthorized += +2006 +4 +OK. +, +*#/definitions/io.k8s.api.apps.v1.DaemonSet +B +201; +9 +Created. +, +*#/definitions/io.k8s.api.apps.v1.DaemonSetRhttpsjM +x-kubernetes-group-version-kind*(kind: DaemonSet +version: v1 +group: apps +j +x-kubernetes-actionput +Bò +apps_v12partially update status of the specified DaemonSet*$patchAppsV1NamespacedDaemonSetStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean JX += +2006 +4 +OK. +, +*#/definitions/io.k8s.api.apps.v1.DaemonSet + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpatch +jM +x-kubernetes-group-version-kind*(group: apps +kind: DaemonSet +version: v1 +J6 +42"0pathname of the DaemonSet"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ¼* +V/apis/autoscaling/v2beta2/watch/namespaces/{namespace}/horizontalpodautoscalers/{name}á)­ +autoscaling_v2beta2¾watch changes to an object of kind HorizontalPodAutoscaler. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*8watchAutoscalingV2beta2NamespacedHorizontalPodAutoscaler2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionwatch +jg +x-kubernetes-group-version-kindDBgroup: autoscaling +kind: HorizontalPodAutoscaler +version: v2beta2 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JD +B@">path#name of the HorizontalPodAutoscaler"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean Û) +1/apis/scheduling.k8s.io/v1/priorityclasses/{name}¥)ˆ + scheduling_v1 read the specified PriorityClass*readSchedulingV1PriorityClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Jb +G +200@ +> +OK8 +6 +4#/definitions/io.k8s.api.scheduling.v1.PriorityClass + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionget +j^ +x-kubernetes-group-version-kind;9group: scheduling.k8s.io +kind: PriorityClass +version: v1 +ã + scheduling_v1#replace the specified PriorityClass* replaceSchedulingV1PriorityClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BJ +H +Fbodybody *6 +4#/definitions/io.k8s.api.scheduling.v1.PriorityClassBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string J° +G +200@ +> +OK8 +6 +4#/definitions/io.k8s.api.scheduling.v1.PriorityClass +L +201E +C +Created8 +6 +4#/definitions/io.k8s.api.scheduling.v1.PriorityClass + +401 + + UnauthorizedRhttpsj^ +x-kubernetes-group-version-kind;9group: scheduling.k8s.io +kind: PriorityClass +version: v1 +j +x-kubernetes-actionput +*š + scheduling_v1delete a PriorityClass*deleteSchedulingV1PriorityClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string J» +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status +R +202K +I +Accepted= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsj +x-kubernetes-action delete +j^ +x-kubernetes-group-version-kind;9group: scheduling.k8s.io +kind: PriorityClass +version: v1 +B‡ + scheduling_v1,partially update the specified PriorityClass*patchSchedulingV1PriorityClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean Jb +G +200@ +> +OK8 +6 +4#/definitions/io.k8s.api.scheduling.v1.PriorityClass + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpatch +j^ +x-kubernetes-group-version-kind;9kind: PriorityClass +version: v1 +group: scheduling.k8s.io +J: +86"4pathname of the PriorityClass"name*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ò( +A/apis/networking.k8s.io/v1/watch/namespaces/{namespace}/ingresses¬(¾ + networking_v1swatch individual changes to a list of Ingress. deprecated: use the 'watch' parameter with a list operation instead.*&watchNetworkingV1NamespacedIngressList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj# +x-kubernetes-action  +watchlist +jX +x-kubernetes-group-version-kind53kind: Ingress +version: v1 +group: networking.k8s.io +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ´' +/api/v1/watch/nodesœ' +core_v1pwatch individual changes to a list of Node. deprecated: use the 'watch' parameter with a list operation instead.*watchCoreV1NodeList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj# +x-kubernetes-action  +watchlist +jF +x-kubernetes-group-version-kind#!version: v1 +group: "" +kind: Node +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean á` +path#name of the HorizontalPodAutoscaler"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ô) +L/apis/coordination.k8s.io/v1beta1/watch/namespaces/{namespace}/leases/{name}£) +coordination_v1beta1¬watch changes to an object of kind Lease. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*'watchCoordinationV1beta1NamespacedLease2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionwatch +j] +x-kubernetes-group-version-kind:8kind: Lease +version: v1beta1 +group: coordination.k8s.io +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J2 +0.",pathname of the Lease"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ¦( +3/apis/discovery.k8s.io/v1beta1/watch/endpointslicesî'â +discovery_v1beta1ywatch individual changes to a list of EndpointSlice. deprecated: use the 'watch' parameter with a list operation instead.*6watchDiscoveryV1beta1EndpointSliceListForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsjb +x-kubernetes-group-version-kind?=group: discovery.k8s.io +kind: EndpointSlice +version: v1beta1 +j# +x-kubernetes-action  +watchlist +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ¼^ +@/apis/networking.k8s.io/v1beta1/namespaces/{namespace}/ingresses÷]§& +networking_v1beta1%list or watch objects of kind Ingress*&listNetworkingV1beta1NamespacedIngress2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Bï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer B± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean Je + +401 + + Unauthorized +J +200C +A +OK; +9 +7#/definitions/io.k8s.api.networking.v1beta1.IngressListRhttpsj +x-kubernetes-actionlist +j] +x-kubernetes-group-version-kind:8group: networking.k8s.io +kind: Ingress +version: v1beta1 +"© +networking_v1beta1create an Ingress*(createNetworkingV1beta1NamespacedIngress2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BI +G +Ebodybody *5 +3#/definitions/io.k8s.api.networking.v1beta1.IngressBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string Jü +F +200? += +OK7 +5 +3#/definitions/io.k8s.api.networking.v1beta1.Ingress +K +201D +B +Created7 +5 +3#/definitions/io.k8s.api.networking.v1beta1.Ingress +L +202E +C +Accepted7 +5 +3#/definitions/io.k8s.api.networking.v1beta1.Ingress + +401 + + UnauthorizedRhttpsj] +x-kubernetes-group-version-kind:8group: networking.k8s.io +kind: Ingress +version: v1beta1 +j +x-kubernetes-actionpost +*ë, +networking_v1beta1delete collection of Ingress*2deleteNetworkingV1beta1CollectionNamespacedIngress2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string Bž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer Jg +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsj* +x-kubernetes-actiondeletecollection +j] +x-kubernetes-group-version-kind:8group: networking.k8s.io +kind: Ingress +version: v1beta1 +J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ©0 +'/api/v1/namespaces/{namespace}/servicesý/ò% +core_v1%list or watch objects of kind Service*listCoreV1NamespacedService2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Bï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer B± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean JZ +? +2008 +6 +OK0 +. +,#/definitions/io.k8s.api.core.v1.ServiceList + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionlist +jI +x-kubernetes-group-version-kind&$group: "" +kind: Service +version: v1 +"Ò +core_v1create a Service*createCoreV1NamespacedService2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B> +< +:bodybody ** +(#/definitions/io.k8s.api.core.v1.ServiceBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string JÛ +; +2004 +2 +OK, +* +(#/definitions/io.k8s.api.core.v1.Service +@ +2019 +7 +Created, +* +(#/definitions/io.k8s.api.core.v1.Service +A +202: +8 +Accepted, +* +(#/definitions/io.k8s.api.core.v1.Service + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpost +jI +x-kubernetes-group-version-kind&$group: "" +kind: Service +version: v1 +J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string È' +/api/v1/watch/namespaces«'Ÿ +core_v1uwatch individual changes to a list of Namespace. deprecated: use the 'watch' parameter with a list operation instead.*watchCoreV1NamespaceList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj# +x-kubernetes-action  +watchlist +jK +x-kubernetes-group-version-kind(&group: "" +kind: Namespace +version: v1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean Ó( +1/api/v1/watch/namespaces/{namespace}/podtemplates(¯ +core_v1wwatch individual changes to a list of PodTemplate. deprecated: use the 'watch' parameter with a list operation instead.*$watchCoreV1NamespacedPodTemplateList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk + +401 + + Unauthorized +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEventRhttpsj# +x-kubernetes-action  +watchlist +jM +x-kubernetes-group-version-kind*(group: "" +kind: PodTemplate +version: v1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean À' +/api/v1/watch/pods©' +core_v1owatch individual changes to a list of Pod. deprecated: use the 'watch' parameter with a list operation instead.*"watchCoreV1PodListForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsjE +x-kubernetes-group-version-kind" kind: Pod +version: v1 +group: "" +j# +x-kubernetes-action  +watchlist +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ¿( +=/apis/certificates.k8s.io/v1/watch/certificatesigningrequestsý'ñ +certificates_v1…watch individual changes to a list of CertificateSigningRequest. deprecated: use the 'watch' parameter with a list operation instead.*0watchCertificatesV1CertificateSigningRequestList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj# +x-kubernetes-action  +watchlist +jl +x-kubernetes-group-version-kindIGgroup: certificates.k8s.io +kind: CertificateSigningRequest +version: v1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ÷ +N/apis/networking.k8s.io/v1beta1/namespaces/{namespace}/ingresses/{name}/status¤ž +networking_v1beta1$read status of the specified Ingress*,readNetworkingV1beta1NamespacedIngressStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Ja +F +200? += +OK7 +5 +3#/definitions/io.k8s.api.networking.v1beta1.Ingress + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionget +j] +x-kubernetes-group-version-kind:8kind: Ingress +version: v1beta1 +group: networking.k8s.io +÷ +networking_v1beta1'replace status of the specified Ingress*/replaceNetworkingV1beta1NamespacedIngressStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BI +G +Ebodybody *5 +3#/definitions/io.k8s.api.networking.v1beta1.IngressBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string J® +F +200? += +OK7 +5 +3#/definitions/io.k8s.api.networking.v1beta1.Ingress +K +201D +B +Created7 +5 +3#/definitions/io.k8s.api.networking.v1beta1.Ingress + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionput +j] +x-kubernetes-group-version-kind:8version: v1beta1 +group: networking.k8s.io +kind: Ingress +B +networking_v1beta10partially update status of the specified Ingress*-patchNetworkingV1beta1NamespacedIngressStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean Ja +F +200? += +OK7 +5 +3#/definitions/io.k8s.api.networking.v1beta1.Ingress + +401 + + UnauthorizedRhttpsj] +x-kubernetes-group-version-kind:8version: v1beta1 +group: networking.k8s.io +kind: Ingress +j +x-kubernetes-actionpatch +J4 +20".pathname of the Ingress"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Ÿ) +L/apis/rbac.authorization.k8s.io/v1/watch/namespaces/{namespace}/rolebindingsÎ(à +rbacAuthorization_v1wwatch individual changes to a list of RoleBinding. deprecated: use the 'watch' parameter with a list operation instead.*1watchRbacAuthorizationV1NamespacedRoleBindingList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk + +401 + + Unauthorized +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEventRhttpsj# +x-kubernetes-action  +watchlist +jd +x-kubernetes-group-version-kindA?group: rbac.authorization.k8s.io +kind: RoleBinding +version: v1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ‡( +0/apis/scheduling.k8s.io/v1/watch/priorityclassesÒ'Æ + scheduling_v1ywatch individual changes to a list of PriorityClass. deprecated: use the 'watch' parameter with a list operation instead.*"watchSchedulingV1PriorityClassList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj^ +x-kubernetes-group-version-kind;9group: scheduling.k8s.io +kind: PriorityClass +version: v1 +j# +x-kubernetes-action  +watchlist +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean Ü( +*/apis/node.k8s.io/v1/runtimeclasses/{name}­(ì +node_v1read the specified RuntimeClass*readNodeV1RuntimeClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*J[ +@ +2009 +7 +OK1 +/ +-#/definitions/io.k8s.api.node.v1.RuntimeClass + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionget +jW +x-kubernetes-group-version-kind42version: v1 +group: node.k8s.io +kind: RuntimeClass +¹ +node_v1"replace the specified RuntimeClass*replaceNodeV1RuntimeClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BC +A +?bodybody */ +-#/definitions/io.k8s.api.node.v1.RuntimeClassBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string J¢ +@ +2009 +7 +OK1 +/ +-#/definitions/io.k8s.api.node.v1.RuntimeClass +E +201> +< +Created1 +/ +-#/definitions/io.k8s.api.node.v1.RuntimeClass + +401 + + UnauthorizedRhttpsjW +x-kubernetes-group-version-kind42version: v1 +group: node.k8s.io +kind: RuntimeClass +j +x-kubernetes-actionput +*… +node_v1delete a RuntimeClass*deleteNodeV1RuntimeClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string J» +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status +R +202K +I +Accepted= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsj +x-kubernetes-action delete +jW +x-kubernetes-group-version-kind42group: node.k8s.io +kind: RuntimeClass +version: v1 +Bë +node_v1+partially update the specified RuntimeClass*patchNodeV1RuntimeClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean J[ +@ +2009 +7 +OK1 +/ +-#/definitions/io.k8s.api.node.v1.RuntimeClass + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpatch +jW +x-kubernetes-group-version-kind42version: v1 +group: node.k8s.io +kind: RuntimeClass +J9 +75"3pathname of the RuntimeClass"name*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Ç( +,/api/v1/namespaces/{namespace}/events/{name}–(Ñ +core_v1read the specified Event*readCoreV1NamespacedEvent2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*JT +9 +2002 +0 +OK* +( +&#/definitions/io.k8s.api.core.v1.Event + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionget +jG +x-kubernetes-group-version-kind$"version: v1 +group: "" +kind: Event + +core_v1replace the specified Event*replaceCoreV1NamespacedEvent2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B< +: +8bodybody *( +&#/definitions/io.k8s.api.core.v1.EventBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string J” +9 +2002 +0 +OK* +( +&#/definitions/io.k8s.api.core.v1.Event +> +2017 +5 +Created* +( +&#/definitions/io.k8s.api.core.v1.Event + +401 + + UnauthorizedRhttpsjG +x-kubernetes-group-version-kind$"group: "" +kind: Event +version: v1 +j +x-kubernetes-actionput +*ò +core_v1delete an Event*deleteCoreV1NamespacedEvent2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string J» +R +202K +I +Accepted= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + Unauthorized +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.StatusRhttpsjG +x-kubernetes-group-version-kind$"group: "" +kind: Event +version: v1 +j +x-kubernetes-action delete +BÐ +core_v1$partially update the specified Event*patchCoreV1NamespacedEvent2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean JT +9 +2002 +0 +OK* +( +&#/definitions/io.k8s.api.core.v1.Event + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpatch +jG +x-kubernetes-group-version-kind$"group: "" +kind: Event +version: v1 +J2 +0.",pathname of the Event"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string à) +G/apis/coordination.k8s.io/v1/watch/namespaces/{namespace}/leases/{name}”)ò +coordination_v1¬watch changes to an object of kind Lease. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*"watchCoordinationV1NamespacedLease2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionwatch +jX +x-kubernetes-group-version-kind53group: coordination.k8s.io +kind: Lease +version: v1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J2 +0.",pathname of the Lease"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ’( +./apis/coordination.k8s.io/v1beta1/watch/leasesß'Ó +coordination_v1beta1qwatch individual changes to a list of Lease. deprecated: use the 'watch' parameter with a list operation instead.*1watchCoordinationV1beta1LeaseListForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj# +x-kubernetes-action  +watchlist +j] +x-kubernetes-group-version-kind:8group: coordination.k8s.io +kind: Lease +version: v1beta1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ã +/apis/networking.k8s.io/Æà + +networkingget information of a group*getNetworkingAPIGroup2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJi +N +200G +E +OK? += +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIGroup + +401 + + UnauthorizedRhttpsÑ +/apis/node.k8s.io/º· +nodeget information of a group*getNodeAPIGroup2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJi +N +200G +E +OK? += +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIGroup + +401 + + UnauthorizedRhttpsÍ& + /api/v1/pods¼&° +core_v1!list or watch objects of kind Pod*listCoreV1PodForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*JV +; +2004 +2 +OK, +* +(#/definitions/io.k8s.api.core.v1.PodList + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionlist +jE +x-kubernetes-group-version-kind" group: "" +kind: Pod +version: v1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean Ì\ +*/apis/batch/v1/namespaces/{namespace}/jobs\è% +batch_v1!list or watch objects of kind Job*listBatchV1NamespacedJob2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Bï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer B± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean JW +< +2005 +3 +OK- ++ +)#/definitions/io.k8s.api.batch.v1.JobList + +401 + + UnauthorizedRhttpsjH +x-kubernetes-group-version-kind%#group: batch +kind: Job +version: v1 +j +x-kubernetes-actionlist +"¿ +batch_v1 create a Job*createBatchV1NamespacedJob2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B; +9 +7bodybody *' +%#/definitions/io.k8s.api.batch.v1.JobBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string JÒ +8 +2001 +/ +OK) +' +%#/definitions/io.k8s.api.batch.v1.Job += +2016 +4 +Created) +' +%#/definitions/io.k8s.api.batch.v1.Job +> +2027 +5 +Accepted) +' +%#/definitions/io.k8s.api.batch.v1.Job + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpost +jH +x-kubernetes-group-version-kind%#group: batch +kind: Job +version: v1 +*º, +batch_v1delete collection of Job*$deleteBatchV1CollectionNamespacedJob2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string Bž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer Jg +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsj* +x-kubernetes-actiondeletecollection +jH +x-kubernetes-group-version-kind%#group: batch +kind: Job +version: v1 +J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Õ) +I/apis/certificates.k8s.io/v1beta1/watch/certificatesigningrequests/{name}‡)³ +certificates_v1beta1Àwatch changes to an object of kind CertificateSigningRequest. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*1watchCertificatesV1beta1CertificateSigningRequest2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionwatch +jq +x-kubernetes-group-version-kindNLversion: v1beta1 +group: certificates.k8s.io +kind: CertificateSigningRequest +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JF +DB"@path%name of the CertificateSigningRequest"name*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean Ä+ +K/apis/discovery.k8s.io/v1beta1/namespaces/{namespace}/endpointslices/{name}ô*¢ +discovery_v1beta1 read the specified EndpointSlice*+readDiscoveryV1beta1NamespacedEndpointSlice2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Jf + +401 + + Unauthorized +K +200D +B +OK< +: +8#/definitions/io.k8s.api.discovery.v1beta1.EndpointSliceRhttpsjb +x-kubernetes-group-version-kind?=kind: EndpointSlice +version: v1beta1 +group: discovery.k8s.io +j +x-kubernetes-actionget +… +discovery_v1beta1#replace the specified EndpointSlice*.replaceDiscoveryV1beta1NamespacedEndpointSlice2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BN +L +Jbodybody *: +8#/definitions/io.k8s.api.discovery.v1beta1.EndpointSliceBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string J¸ +P +201I +G +Created< +: +8#/definitions/io.k8s.api.discovery.v1beta1.EndpointSlice + +401 + + Unauthorized +K +200D +B +OK< +: +8#/definitions/io.k8s.api.discovery.v1beta1.EndpointSliceRhttpsj +x-kubernetes-actionput +jb +x-kubernetes-group-version-kind?=kind: EndpointSlice +version: v1beta1 +group: discovery.k8s.io +*± +discovery_v1beta1delete an EndpointSlice*-deleteDiscoveryV1beta1NamespacedEndpointSlice2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string J» +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status +R +202K +I +Accepted= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsj +x-kubernetes-action delete +jb +x-kubernetes-group-version-kind?=group: discovery.k8s.io +kind: EndpointSlice +version: v1beta1 +B¡ +discovery_v1beta1,partially update the specified EndpointSlice*,patchDiscoveryV1beta1NamespacedEndpointSlice2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean Jf +K +200D +B +OK< +: +8#/definitions/io.k8s.api.discovery.v1beta1.EndpointSlice + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpatch +jb +x-kubernetes-group-version-kind?=group: discovery.k8s.io +kind: EndpointSlice +version: v1beta1 +J: +86"4pathname of the EndpointSlice"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string  +6/apis/authorization.k8s.io/v1/selfsubjectaccessreviewsÔ +"Æ +authorization_v1 create a SelfSubjectAccessReview*,createAuthorizationV1SelfSubjectAccessReview2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BW +U +Sbodybody *C +A#/definitions/io.k8s.api.authorization.v1.SelfSubjectAccessReviewJ¦ +T +200M +K +OKE +C +A#/definitions/io.k8s.api.authorization.v1.SelfSubjectAccessReview +Y +201R +P +CreatedE +C +A#/definitions/io.k8s.api.authorization.v1.SelfSubjectAccessReview +Z +202S +Q +AcceptedE +C +A#/definitions/io.k8s.api.authorization.v1.SelfSubjectAccessReview + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpost +jk +x-kubernetes-group-version-kindHFgroup: authorization.k8s.io +kind: SelfSubjectAccessReview +version: v1 +Jž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string J– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ¦ + /api/v1/componentstatuses/{name}ï +core_v1"read the specified ComponentStatus*readCoreV1ComponentStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*J^ +C +200< +: +OK4 +2 +0#/definitions/io.k8s.api.core.v1.ComponentStatus + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionget +jQ +x-kubernetes-group-version-kind.,group: "" +kind: ComponentStatus +version: v1 +J< +:8"6pathname of the ComponentStatus"name*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string á +/apis/node.k8s.io/v1/ÇÄ +node_v1get available resources*getNodeV1APIResources2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJp +U +200N +L +OKF +D +B#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList + +401 + + UnauthorizedRhttps°( +:/apis/rbac.authorization.k8s.io/v1beta1/watch/clusterrolesñ'å +rbacAuthorization_v1beta1wwatch individual changes to a list of ClusterRole. deprecated: use the 'watch' parameter with a list operation instead.*,watchRbacAuthorizationV1beta1ClusterRoleList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj# +x-kubernetes-action  +watchlist +ji +x-kubernetes-group-version-kindFDgroup: rbac.authorization.k8s.io +kind: ClusterRole +version: v1beta1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ì( +./api/v1/namespaces/{namespace}/services/{name}¹(Ù +core_v1read the specified Service*readCoreV1NamespacedService2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*JV +; +2004 +2 +OK, +* +(#/definitions/io.k8s.api.core.v1.Service + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionget +jI +x-kubernetes-group-version-kind&$kind: Service +version: v1 +group: "" +œ +core_v1replace the specified Service*replaceCoreV1NamespacedService2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B> +< +:bodybody ** +(#/definitions/io.k8s.api.core.v1.ServiceBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string J˜ +; +2004 +2 +OK, +* +(#/definitions/io.k8s.api.core.v1.Service +@ +2019 +7 +Created, +* +(#/definitions/io.k8s.api.core.v1.Service + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionput +jI +x-kubernetes-group-version-kind&$group: "" +kind: Service +version: v1 +*÷ +core_v1delete a Service*deleteCoreV1NamespacedService2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string J» +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status +R +202K +I +Accepted= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsjI +x-kubernetes-group-version-kind&$group: "" +kind: Service +version: v1 +j +x-kubernetes-action delete +BØ +core_v1&partially update the specified Service*patchCoreV1NamespacedService2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean JV +; +2004 +2 +OK, +* +(#/definitions/io.k8s.api.core.v1.Service + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpatch +jI +x-kubernetes-group-version-kind&$group: "" +kind: Service +version: v1 +J4 +20".pathname of the Service"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string –] +4/apis/events.k8s.io/v1/namespaces/{namespace}/eventsÝ\û% + events_v1#list or watch objects of kind Event*listEventsV1NamespacedEvent2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Bï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer B± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean JZ +? +2008 +6 +OK0 +. +,#/definitions/io.k8s.api.events.v1.EventList + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionlist +jR +x-kubernetes-group-version-kind/-group: events.k8s.io +kind: Event +version: v1 +"Ü + events_v1create an Event*createEventsV1NamespacedEvent2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B> +< +:bodybody ** +(#/definitions/io.k8s.api.events.v1.EventBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string JÛ +@ +2019 +7 +Created, +* +(#/definitions/io.k8s.api.events.v1.Event +A +202: +8 +Accepted, +* +(#/definitions/io.k8s.api.events.v1.Event + +401 + + Unauthorized +; +2004 +2 +OK, +* +(#/definitions/io.k8s.api.events.v1.EventRhttpsj +x-kubernetes-actionpost +jR +x-kubernetes-group-version-kind/-group: events.k8s.io +kind: Event +version: v1 +*Ê, + events_v1delete collection of Event*'deleteEventsV1CollectionNamespacedEvent2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string Bž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer Jg +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsj* +x-kubernetes-actiondeletecollection +jR +x-kubernetes-group-version-kind/-group: events.k8s.io +kind: Event +version: v1 +J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string —( +4/apis/networking.k8s.io/v1beta1/watch/ingressclassesÞ'Ò +networking_v1beta1xwatch individual changes to a list of IngressClass. deprecated: use the 'watch' parameter with a list operation instead.*&watchNetworkingV1beta1IngressClassList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsjb +x-kubernetes-group-version-kind?=kind: IngressClass +version: v1beta1 +group: networking.k8s.io +j# +x-kubernetes-action  +watchlist +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ë' +)/apis/node.k8s.io/v1/watch/runtimeclasses½'± +node_v1xwatch individual changes to a list of RuntimeClass. deprecated: use the 'watch' parameter with a list operation instead.*watchNodeV1RuntimeClassList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj# +x-kubernetes-action  +watchlist +jW +x-kubernetes-group-version-kind42version: v1 +group: node.k8s.io +kind: RuntimeClass +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean À( +)/apis/storage.k8s.io/v1/csidrivers/{name}’(ì + +storage_v1read the specified CSIDriver*readStorageV1CSIDriver2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*J[ +@ +2009 +7 +OK1 +/ +-#/definitions/io.k8s.api.storage.v1.CSIDriver + +401 + + UnauthorizedRhttpsjW +x-kubernetes-group-version-kind42group: storage.k8s.io +kind: CSIDriver +version: v1 +j +x-kubernetes-actionget +¹ + +storage_v1replace the specified CSIDriver*replaceStorageV1CSIDriver2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BC +A +?bodybody */ +-#/definitions/io.k8s.api.storage.v1.CSIDriverBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string J¢ +@ +2009 +7 +OK1 +/ +-#/definitions/io.k8s.api.storage.v1.CSIDriver +E +201> +< +Created1 +/ +-#/definitions/io.k8s.api.storage.v1.CSIDriver + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionput +jW +x-kubernetes-group-version-kind42group: storage.k8s.io +kind: CSIDriver +version: v1 +*í + +storage_v1delete a CSIDriver*deleteStorageV1CSIDriver2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string J£ +F +202? += +Accepted1 +/ +-#/definitions/io.k8s.api.storage.v1.CSIDriver + +401 + + Unauthorized +@ +2009 +7 +OK1 +/ +-#/definitions/io.k8s.api.storage.v1.CSIDriverRhttpsj +x-kubernetes-action delete +jW +x-kubernetes-group-version-kind42group: storage.k8s.io +kind: CSIDriver +version: v1 +Bë + +storage_v1(partially update the specified CSIDriver*patchStorageV1CSIDriver2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean J[ +@ +2009 +7 +OK1 +/ +-#/definitions/io.k8s.api.storage.v1.CSIDriver + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpatch +jW +x-kubernetes-group-version-kind42group: storage.k8s.io +kind: CSIDriver +version: v1 +J6 +42"0pathname of the CSIDriver"name*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ÿ& +/api/v1/resourcequotasä&Ø +core_v1+list or watch objects of kind ResourceQuota*'listCoreV1ResourceQuotaForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*J` +E +200> +< +OK6 +4 +2#/definitions/io.k8s.api.core.v1.ResourceQuotaList + +401 + + UnauthorizedRhttpsjO +x-kubernetes-group-version-kind,*group: "" +kind: ResourceQuota +version: v1 +j +x-kubernetes-actionlist +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean  ) +0/api/v1/watch/namespaces/{namespace}/pods/{name}ë(Ë +core_v1ªwatch changes to an object of kind Pod. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*watchCoreV1NamespacedPod2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk + +401 + + Unauthorized +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEventRhttpsjE +x-kubernetes-group-version-kind" group: "" +kind: Pod +version: v1 +j +x-kubernetes-actionwatch +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J0 +.,"*pathname of the Pod"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ÿ +/apis/authentication.k8s.io/v1/ÛØ +authentication_v1get available resources*getAuthenticationV1APIResources2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJp + +401 + + Unauthorized +U +200N +L +OKF +D +B#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceListRhttpsŒ) +5/apis/batch/v1/namespaces/{namespace}/cronjobs/{name}Ò(ß +batch_v1read the specified CronJob*readBatchV1NamespacedCronJob2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*JW + +401 + + Unauthorized +< +2005 +3 +OK- ++ +)#/definitions/io.k8s.api.batch.v1.CronJobRhttpsj +x-kubernetes-actionget +jL +x-kubernetes-group-version-kind)'kind: CronJob +version: v1 +group: batch +¤ +batch_v1replace the specified CronJob*replaceBatchV1NamespacedCronJob2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B? += +;bodybody *+ +)#/definitions/io.k8s.api.batch.v1.CronJobBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string Jš +< +2005 +3 +OK- ++ +)#/definitions/io.k8s.api.batch.v1.CronJob +A +201: +8 +Created- ++ +)#/definitions/io.k8s.api.batch.v1.CronJob + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionput +jL +x-kubernetes-group-version-kind)'group: batch +kind: CronJob +version: v1 +*ü +batch_v1delete a CronJob*deleteBatchV1NamespacedCronJob2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string J» +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status +R +202K +I +Accepted= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsjL +x-kubernetes-group-version-kind)'group: batch +kind: CronJob +version: v1 +j +x-kubernetes-action delete +BÞ +batch_v1&partially update the specified CronJob*patchBatchV1NamespacedCronJob2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean JW +< +2005 +3 +OK- ++ +)#/definitions/io.k8s.api.batch.v1.CronJob + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpatch +jL +x-kubernetes-group-version-kind)'group: batch +kind: CronJob +version: v1 +J4 +20".pathname of the CronJob"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ß( +4/api/v1/watch/namespaces/{namespace}/serviceaccounts¦(¸ +core_v1zwatch individual changes to a list of ServiceAccount. deprecated: use the 'watch' parameter with a list operation instead.*'watchCoreV1NamespacedServiceAccountList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj# +x-kubernetes-action  +watchlist +jP +x-kubernetes-group-version-kind-+group: "" +kind: ServiceAccount +version: v1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean Ã( +-/api/v1/watch/namespaces/{namespace}/services‘(£ +core_v1swatch individual changes to a list of Service. deprecated: use the 'watch' parameter with a list operation instead.* watchCoreV1NamespacedServiceList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj# +x-kubernetes-action  +watchlist +jI +x-kubernetes-group-version-kind&$version: v1 +group: "" +kind: Service +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ‹ +#/apis/apiextensions.k8s.io/v1beta1/ãà +apiextensions_v1beta1get available resources*#getApiextensionsV1beta1APIResources2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJp +U +200N +L +OKF +D +B#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList + +401 + + UnauthorizedRhttpsö +/apis/events.k8s.io/v1beta1/ÕÒ +events_v1beta1get available resources*getEventsV1beta1APIResources2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJp +U +200N +L +OKF +D +B#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList + +401 + + UnauthorizedRhttpsù( +6/apis/networking.k8s.io/v1/watch/ingressclasses/{name}¾(÷ + networking_v1³watch changes to an object of kind IngressClass. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*watchNetworkingV1IngressClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionwatch +j] +x-kubernetes-group-version-kind:8group: networking.k8s.io +kind: IngressClass +version: v1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J9 +75"3pathname of the IngressClass"name*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ”* +M/apis/policy/v1beta1/watch/namespaces/{namespace}/poddisruptionbudgets/{name}Â)’ +policy_v1beta1ºwatch changes to an object of kind PodDisruptionBudget. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*/watchPolicyV1beta1NamespacedPodDisruptionBudget2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj^ +x-kubernetes-group-version-kind;9group: policy +kind: PodDisruptionBudget +version: v1beta1 +j +x-kubernetes-actionwatch +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J@ +><":pathname of the PodDisruptionBudget"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean €) +-/apis/storage.k8s.io/v1/storageclasses/{name}Î(ø + +storage_v1read the specified StorageClass*readStorageV1StorageClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*J^ +C +200< +: +OK4 +2 +0#/definitions/io.k8s.api.storage.v1.StorageClass + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionget +jZ +x-kubernetes-group-version-kind75group: storage.k8s.io +kind: StorageClass +version: v1 +Ë + +storage_v1"replace the specified StorageClass*replaceStorageV1StorageClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BF +D +Bbodybody *2 +0#/definitions/io.k8s.api.storage.v1.StorageClassBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string J¨ +C +200< +: +OK4 +2 +0#/definitions/io.k8s.api.storage.v1.StorageClass +H +201A +? +Created4 +2 +0#/definitions/io.k8s.api.storage.v1.StorageClass + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionput +jZ +x-kubernetes-group-version-kind75group: storage.k8s.io +kind: StorageClass +version: v1 +*ü + +storage_v1delete a StorageClass*deleteStorageV1StorageClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string J© +C +200< +: +OK4 +2 +0#/definitions/io.k8s.api.storage.v1.StorageClass +I +202B +@ +Accepted4 +2 +0#/definitions/io.k8s.api.storage.v1.StorageClass + +401 + + UnauthorizedRhttpsjZ +x-kubernetes-group-version-kind75group: storage.k8s.io +kind: StorageClass +version: v1 +j +x-kubernetes-action delete +B÷ + +storage_v1+partially update the specified StorageClass*patchStorageV1StorageClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean J^ +C +200< +: +OK4 +2 +0#/definitions/io.k8s.api.storage.v1.StorageClass + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpatch +jZ +x-kubernetes-group-version-kind75group: storage.k8s.io +kind: StorageClass +version: v1 +J9 +75"3pathname of the StorageClass"name*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ý] +./apis/storage.k8s.io/v1beta1/volumeattachmentsÊ]µ& +storage_v1beta1.list or watch objects of kind VolumeAttachment*"listStorageV1beta1VolumeAttachment2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Bï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer B± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.api.storage.v1beta1.VolumeAttachmentList + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionlist +jc +x-kubernetes-group-version-kind@>group: storage.k8s.io +kind: VolumeAttachment +version: v1beta1 +"È +storage_v1beta1create a VolumeAttachment*$createStorageV1beta1VolumeAttachment2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BO +M +Kbodybody *; +9#/definitions/io.k8s.api.storage.v1beta1.VolumeAttachmentBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string JŽ +L +200E +C +OK= +; +9#/definitions/io.k8s.api.storage.v1beta1.VolumeAttachment +Q +201J +H +Created= +; +9#/definitions/io.k8s.api.storage.v1beta1.VolumeAttachment +R +202K +I +Accepted= +; +9#/definitions/io.k8s.api.storage.v1beta1.VolumeAttachment + +401 + + UnauthorizedRhttpsjc +x-kubernetes-group-version-kind@>group: storage.k8s.io +kind: VolumeAttachment +version: v1beta1 +j +x-kubernetes-actionpost +*ó, +storage_v1beta1%delete collection of VolumeAttachment*.deleteStorageV1beta1CollectionVolumeAttachment2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string Bž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer Jg +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsjc +x-kubernetes-group-version-kind@>group: storage.k8s.io +kind: VolumeAttachment +version: v1beta1 +j* +x-kubernetes-actiondeletecollection +JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Ý) +5/api/v1/namespaces/{namespace}/serviceaccounts/{name}£)õ +core_v1!read the specified ServiceAccount*"readCoreV1NamespacedServiceAccount2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*J] +B +200; +9 +OK3 +1 +/#/definitions/io.k8s.api.core.v1.ServiceAccount + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionget +jP +x-kubernetes-group-version-kind-+version: v1 +group: "" +kind: ServiceAccount +Æ +core_v1$replace the specified ServiceAccount*%replaceCoreV1NamespacedServiceAccount2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BE +C +Abodybody *1 +/#/definitions/io.k8s.api.core.v1.ServiceAccountBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string J¦ +B +200; +9 +OK3 +1 +/#/definitions/io.k8s.api.core.v1.ServiceAccount +G +201@ +> +Created3 +1 +/#/definitions/io.k8s.api.core.v1.ServiceAccount + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionput +jP +x-kubernetes-group-version-kind-+kind: ServiceAccount +version: v1 +group: "" +*ø +core_v1delete a ServiceAccount*$deleteCoreV1NamespacedServiceAccount2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string J§ +B +200; +9 +OK3 +1 +/#/definitions/io.k8s.api.core.v1.ServiceAccount +H +202A +? +Accepted3 +1 +/#/definitions/io.k8s.api.core.v1.ServiceAccount + +401 + + UnauthorizedRhttpsjP +x-kubernetes-group-version-kind-+group: "" +kind: ServiceAccount +version: v1 +j +x-kubernetes-action delete +Bô +core_v1-partially update the specified ServiceAccount*#patchCoreV1NamespacedServiceAccount2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean J] +B +200; +9 +OK3 +1 +/#/definitions/io.k8s.api.core.v1.ServiceAccount + +401 + + UnauthorizedRhttpsjP +x-kubernetes-group-version-kind-+group: "" +kind: ServiceAccount +version: v1 +j +x-kubernetes-actionpatch +J; +97"5pathname of the ServiceAccount"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string »( ++/api/v1/watch/namespaces/{namespace}/events‹( +core_v1qwatch individual changes to a list of Event. deprecated: use the 'watch' parameter with a list operation instead.*watchCoreV1NamespacedEventList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj# +x-kubernetes-action  +watchlist +jG +x-kubernetes-group-version-kind$"group: "" +kind: Event +version: v1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean Ë* +?/apis/apps/v1/namespaces/{namespace}/controllerrevisions/{name}‡*‡ +apps_v1%read the specified ControllerRevision*&readAppsV1NamespacedControllerRevision2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Ja +F +200? += +OK7 +5 +3#/definitions/io.k8s.api.apps.v1.ControllerRevision + +401 + + UnauthorizedRhttpsjV +x-kubernetes-group-version-kind31group: apps +kind: ControllerRevision +version: v1 +j +x-kubernetes-actionget +à +apps_v1(replace the specified ControllerRevision*)replaceAppsV1NamespacedControllerRevision2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BI +G +Ebodybody *5 +3#/definitions/io.k8s.api.apps.v1.ControllerRevisionBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string J® +F +200? += +OK7 +5 +3#/definitions/io.k8s.api.apps.v1.ControllerRevision +K +201D +B +Created7 +5 +3#/definitions/io.k8s.api.apps.v1.ControllerRevision + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionput +jV +x-kubernetes-group-version-kind31kind: ControllerRevision +version: v1 +group: apps +*š +apps_v1delete a ControllerRevision*(deleteAppsV1NamespacedControllerRevision2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string J» +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status +R +202K +I +Accepted= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsj +x-kubernetes-action delete +jV +x-kubernetes-group-version-kind31group: apps +kind: ControllerRevision +version: v1 +B† +apps_v11partially update the specified ControllerRevision*'patchAppsV1NamespacedControllerRevision2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean Ja +F +200? += +OK7 +5 +3#/definitions/io.k8s.api.apps.v1.ControllerRevision + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpatch +jV +x-kubernetes-group-version-kind31group: apps +kind: ControllerRevision +version: v1 +J? +=;"9pathname of the ControllerRevision"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string –' +$/apis/networking.k8s.io/v1/ingressesí&á + networking_v1%list or watch objects of kind Ingress*'listNetworkingV1IngressForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*J` +E +200> +< +OK6 +4 +2#/definitions/io.k8s.api.networking.v1.IngressList + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionlist +jX +x-kubernetes-group-version-kind53version: v1 +group: networking.k8s.io +kind: Ingress +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean å +>/apis/apps/v1/namespaces/{namespace}/replicasets/{name}/status¢÷ +apps_v1'read status of the specified ReplicaSet*$readAppsV1NamespacedReplicaSetStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*JY +> +2007 +5 +OK/ +- ++#/definitions/io.k8s.api.apps.v1.ReplicaSet + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionget +jN +x-kubernetes-group-version-kind+)group: apps +kind: ReplicaSet +version: v1 +À +apps_v1*replace status of the specified ReplicaSet*'replaceAppsV1NamespacedReplicaSetStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BA +? +=bodybody *- ++#/definitions/io.k8s.api.apps.v1.ReplicaSetBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string Jž +> +2007 +5 +OK/ +- ++#/definitions/io.k8s.api.apps.v1.ReplicaSet +C +201< +: +Created/ +- ++#/definitions/io.k8s.api.apps.v1.ReplicaSet + +401 + + UnauthorizedRhttpsjN +x-kubernetes-group-version-kind+)version: v1 +group: apps +kind: ReplicaSet +j +x-kubernetes-actionput +Bö +apps_v13partially update status of the specified ReplicaSet*%patchAppsV1NamespacedReplicaSetStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean JY +> +2007 +5 +OK/ +- ++#/definitions/io.k8s.api.apps.v1.ReplicaSet + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpatch +jN +x-kubernetes-group-version-kind+)group: apps +kind: ReplicaSet +version: v1 +J7 +53"1pathname of the ReplicaSet"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ó) +E/apis/apps/v1/watch/namespaces/{namespace}/controllerrevisions/{name}©)ú +apps_v1¹watch changes to an object of kind ControllerRevision. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*'watchAppsV1NamespacedControllerRevision2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk + +401 + + Unauthorized +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEventRhttpsj +x-kubernetes-actionwatch +jV +x-kubernetes-group-version-kind31group: apps +kind: ControllerRevision +version: v1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J? +=;"9pathname of the ControllerRevision"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean æ' +#/apis/events.k8s.io/v1/watch/events¾'² + events_v1qwatch individual changes to a list of Event. deprecated: use the 'watch' parameter with a list operation instead.*&watchEventsV1EventListForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj# +x-kubernetes-action  +watchlist +jR +x-kubernetes-group-version-kind/-group: events.k8s.io +kind: Event +version: v1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ó +/apis/scheduling.k8s.io/v1/ÓÐ + scheduling_v1get available resources*getSchedulingV1APIResources2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJp + +401 + + Unauthorized +U +200N +L +OKF +D +B#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceListRhttpsŒ +"/.well-known/openid-configuration/åâ + WellKnownWget service account issuer OpenID configuration, also known as the 'OIDC discovery doc'**getServiceAccountIssuerOpenIDConfiguration2application/jsonJ7 + +200 + +OK + ² +string + +401 + + UnauthorizedRhttpsö' +*/api/v1/namespaces/{namespace}/pods/{name}Ç'É +core_v1read the specified Pod*readCoreV1NamespacedPod2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*JR +7 +2000 +. +OK( +& +$#/definitions/io.k8s.api.core.v1.Pod + +401 + + UnauthorizedRhttpsjE +x-kubernetes-group-version-kind" group: "" +kind: Pod +version: v1 +j +x-kubernetes-actionget +„ +core_v1replace the specified Pod*replaceCoreV1NamespacedPod2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B: +8 +6bodybody *& +$#/definitions/io.k8s.api.core.v1.PodBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string J +7 +2000 +. +OK( +& +$#/definitions/io.k8s.api.core.v1.Pod +< +2015 +3 +Created( +& +$#/definitions/io.k8s.api.core.v1.Pod + +401 + + UnauthorizedRhttpsjE +x-kubernetes-group-version-kind" group: "" +kind: Pod +version: v1 +j +x-kubernetes-actionput +*Á +core_v1 delete a Pod*deleteCoreV1NamespacedPod2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string J‘ +7 +2000 +. +OK( +& +$#/definitions/io.k8s.api.core.v1.Pod += +2026 +4 +Accepted( +& +$#/definitions/io.k8s.api.core.v1.Pod + +401 + + UnauthorizedRhttpsj +x-kubernetes-action delete +jE +x-kubernetes-group-version-kind" group: "" +kind: Pod +version: v1 +BÈ +core_v1"partially update the specified Pod*patchCoreV1NamespacedPod2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean JR +7 +2000 +. +OK( +& +$#/definitions/io.k8s.api.core.v1.Pod + +401 + + UnauthorizedRhttpsjE +x-kubernetes-group-version-kind" version: v1 +group: "" +kind: Pod +j +x-kubernetes-actionpatch +J0 +.,"*pathname of the Pod"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ­ +3/api/v1/namespaces/{namespace}/pods/{name}/evictionõ +"Î +core_v1create eviction of a Pod*!createCoreV1NamespacedPodEviction2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BF +D +Bbodybody *2 +0#/definitions/io.k8s.api.policy.v1beta1.EvictionJó + +401 + + Unauthorized +C +200< +: +OK4 +2 +0#/definitions/io.k8s.api.policy.v1beta1.Eviction +H +201A +? +Created4 +2 +0#/definitions/io.k8s.api.policy.v1beta1.Eviction +I +202B +@ +Accepted4 +2 +0#/definitions/io.k8s.api.policy.v1beta1.EvictionRhttpsj +x-kubernetes-actionpost +jS +x-kubernetes-group-version-kind0.group: policy +kind: Eviction +version: v1beta1 +Jž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string J– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string J5 +31"/pathname of the Eviction"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ª +;/api/v1/namespaces/{namespace}/services/{name}/proxy/{path}ê§ +core_v1(connect GET requests to proxy of Service*.connectCoreV1GetNamespacedServiceProxyWithPath2*/*:*/*J7 + +200 + +OK + ² +string + +401 + + UnauthorizedRhttpsj! +x-kubernetes-action +connect +jU +x-kubernetes-group-version-kind20kind: ServiceProxyOptions +version: v1 +group: "" +§ +core_v1(connect PUT requests to proxy of Service*.connectCoreV1PutNamespacedServiceProxyWithPath2*/*:*/*J7 + +401 + + Unauthorized + +200 + +OK + ² +stringRhttpsj! +x-kubernetes-action +connect +jU +x-kubernetes-group-version-kind20group: "" +kind: ServiceProxyOptions +version: v1 +"© +core_v1)connect POST requests to proxy of Service*/connectCoreV1PostNamespacedServiceProxyWithPath2*/*:*/*J7 + +401 + + Unauthorized + +200 + +OK + ² +stringRhttpsj! +x-kubernetes-action +connect +jU +x-kubernetes-group-version-kind20group: "" +kind: ServiceProxyOptions +version: v1 +*­ +core_v1+connect DELETE requests to proxy of Service*1connectCoreV1DeleteNamespacedServiceProxyWithPath2*/*:*/*J7 + +200 + +OK + ² +string + +401 + + UnauthorizedRhttpsj! +x-kubernetes-action +connect +jU +x-kubernetes-group-version-kind20group: "" +kind: ServiceProxyOptions +version: v1 +2¯ +core_v1,connect OPTIONS requests to proxy of Service*2connectCoreV1OptionsNamespacedServiceProxyWithPath2*/*:*/*J7 + +200 + +OK + ² +string + +401 + + UnauthorizedRhttpsj! +x-kubernetes-action +connect +jU +x-kubernetes-group-version-kind20group: "" +kind: ServiceProxyOptions +version: v1 +:© +core_v1)connect HEAD requests to proxy of Service*/connectCoreV1HeadNamespacedServiceProxyWithPath2*/*:*/*J7 + +200 + +OK + ² +string + +401 + + UnauthorizedRhttpsj! +x-kubernetes-action +connect +jU +x-kubernetes-group-version-kind20group: "" +kind: ServiceProxyOptions +version: v1 +B« +core_v1*connect PATCH requests to proxy of Service*0connectCoreV1PatchNamespacedServiceProxyWithPath2*/*:*/*J7 + +200 + +OK + ² +string + +401 + + UnauthorizedRhttpsj! +x-kubernetes-action +connect +jU +x-kubernetes-group-version-kind20group: "" +kind: ServiceProxyOptions +version: v1 +J@ +><":pathname of the ServiceProxyOptions"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜J5 +31"/pathpath to the resource"path*string˜JÐ +ÍÊÇquery¬Path is the part of URLs that include service endpoints, suffixes, and parameters to use for the current proxy request to service. For example, the whole request URL is http://localhost/api/v1/namespaces/kube-system/services/elasticsearch-logging/_search?q=user:kimchy. Path is _search?q=user:kimchy."path2string û* +=/apis/rbac.authorization.k8s.io/v1/clusterrolebindings/{name}¹*¬ +rbacAuthorization_v1%read the specified ClusterRoleBinding*)readRbacAuthorizationV1ClusterRoleBinding2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Ja +F +200? += +OK7 +5 +3#/definitions/io.k8s.api.rbac.v1.ClusterRoleBinding + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionget +jk +x-kubernetes-group-version-kindHFgroup: rbac.authorization.k8s.io +kind: ClusterRoleBinding +version: v1 +… +rbacAuthorization_v1(replace the specified ClusterRoleBinding*,replaceRbacAuthorizationV1ClusterRoleBinding2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BI +G +Ebodybody *5 +3#/definitions/io.k8s.api.rbac.v1.ClusterRoleBindingBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string J® +F +200? += +OK7 +5 +3#/definitions/io.k8s.api.rbac.v1.ClusterRoleBinding +K +201D +B +Created7 +5 +3#/definitions/io.k8s.api.rbac.v1.ClusterRoleBinding + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionput +jk +x-kubernetes-group-version-kindHFgroup: rbac.authorization.k8s.io +kind: ClusterRoleBinding +version: v1 +*¿ +rbacAuthorization_v1delete a ClusterRoleBinding*+deleteRbacAuthorizationV1ClusterRoleBinding2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string J» +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status +R +202K +I +Accepted= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsjk +x-kubernetes-group-version-kindHFgroup: rbac.authorization.k8s.io +kind: ClusterRoleBinding +version: v1 +j +x-kubernetes-action delete +B« +rbacAuthorization_v11partially update the specified ClusterRoleBinding**patchRbacAuthorizationV1ClusterRoleBinding2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean Ja +F +200? += +OK7 +5 +3#/definitions/io.k8s.api.rbac.v1.ClusterRoleBinding + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpatch +jk +x-kubernetes-group-version-kindHFgroup: rbac.authorization.k8s.io +kind: ClusterRoleBinding +version: v1 +J? +=;"9pathname of the ClusterRoleBinding"name*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ¿^ +5/api/v1/namespaces/{namespace}/persistentvolumeclaims…^ª& +core_v13list or watch objects of kind PersistentVolumeClaim*)listCoreV1NamespacedPersistentVolumeClaim2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Bï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer B± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean Jh +M +200F +D +OK> +< +:#/definitions/io.k8s.api.core.v1.PersistentVolumeClaimList + +401 + + UnauthorizedRhttpsjW +x-kubernetes-group-version-kind42version: v1 +group: "" +kind: PersistentVolumeClaim +j +x-kubernetes-actionlist +"´ +core_v1create a PersistentVolumeClaim*+createCoreV1NamespacedPersistentVolumeClaim2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BL +J +Hbodybody *8 +6#/definitions/io.k8s.api.core.v1.PersistentVolumeClaimBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string J… + +401 + + Unauthorized +I +200B +@ +OK: +8 +6#/definitions/io.k8s.api.core.v1.PersistentVolumeClaim +N +201G +E +Created: +8 +6#/definitions/io.k8s.api.core.v1.PersistentVolumeClaim +O +202H +F +Accepted: +8 +6#/definitions/io.k8s.api.core.v1.PersistentVolumeClaimRhttpsj +x-kubernetes-actionpost +jW +x-kubernetes-group-version-kind42group: "" +kind: PersistentVolumeClaim +version: v1 +*ë, +core_v1*delete collection of PersistentVolumeClaim*5deleteCoreV1CollectionNamespacedPersistentVolumeClaim2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string Bž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer Jg +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsj* +x-kubernetes-actiondeletecollection +jW +x-kubernetes-group-version-kind42group: "" +kind: PersistentVolumeClaim +version: v1 +J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Ó( +B/apis/certificates.k8s.io/v1beta1/watch/certificatesigningrequestsŒ(€ +certificates_v1beta1…watch individual changes to a list of CertificateSigningRequest. deprecated: use the 'watch' parameter with a list operation instead.*5watchCertificatesV1beta1CertificateSigningRequestList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj# +x-kubernetes-action  +watchlist +jq +x-kubernetes-group-version-kindNLgroup: certificates.k8s.io +kind: CertificateSigningRequest +version: v1beta1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ÿ +/apis/discovery.k8s.io/v1beta1/ÛØ +discovery_v1beta1get available resources*getDiscoveryV1beta1APIResources2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJp +U +200N +L +OKF +D +B#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList + +401 + + UnauthorizedRhttps¡' +"/apis/extensions/v1beta1/ingressesú&î +extensions_v1beta1%list or watch objects of kind Ingress*,listExtensionsV1beta1IngressForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Je +J +200C +A +OK; +9 +7#/definitions/io.k8s.api.extensions.v1beta1.IngressList + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionlist +jV +x-kubernetes-group-version-kind31group: extensions +kind: Ingress +version: v1beta1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean  ' +!/apis/apps/v1/controllerrevisionsú&î +apps_v10list or watch objects of kind ControllerRevision*,listAppsV1ControllerRevisionForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Je +J +200C +A +OK; +9 +7#/definitions/io.k8s.api.apps.v1.ControllerRevisionList + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionlist +jV +x-kubernetes-group-version-kind31group: apps +kind: ControllerRevision +version: v1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean —( +0/apis/networking.k8s.io/v1/watch/networkpoliciesâ'Ö + networking_v1ywatch individual changes to a list of NetworkPolicy. deprecated: use the 'watch' parameter with a list operation instead.*2watchNetworkingV1NetworkPolicyListForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj^ +x-kubernetes-group-version-kind;9group: networking.k8s.io +kind: NetworkPolicy +version: v1 +j# +x-kubernetes-action  +watchlist +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean —) +J/apis/rbac.authorization.k8s.io/v1beta1/watch/namespaces/{namespace}/rolesÈ(Ú +rbacAuthorization_v1beta1pwatch individual changes to a list of Role. deprecated: use the 'watch' parameter with a list operation instead.*/watchRbacAuthorizationV1beta1NamespacedRoleList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsjb +x-kubernetes-group-version-kind?=kind: Role +version: v1beta1 +group: rbac.authorization.k8s.io +j# +x-kubernetes-action  +watchlist +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ·* +5/apis/storage.k8s.io/v1beta1/volumeattachments/{name}ý)œ +storage_v1beta1#read the specified VolumeAttachment*"readStorageV1beta1VolumeAttachment2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Jg +L +200E +C +OK= +; +9#/definitions/io.k8s.api.storage.v1beta1.VolumeAttachment + +401 + + UnauthorizedRhttpsjc +x-kubernetes-group-version-kind@>group: storage.k8s.io +kind: VolumeAttachment +version: v1beta1 +j +x-kubernetes-actionget + +storage_v1beta1&replace the specified VolumeAttachment*%replaceStorageV1beta1VolumeAttachment2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BO +M +Kbodybody *; +9#/definitions/io.k8s.api.storage.v1beta1.VolumeAttachmentBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string Jº +L +200E +C +OK= +; +9#/definitions/io.k8s.api.storage.v1beta1.VolumeAttachment +Q +201J +H +Created= +; +9#/definitions/io.k8s.api.storage.v1beta1.VolumeAttachment + +401 + + UnauthorizedRhttpsjc +x-kubernetes-group-version-kind@>group: storage.k8s.io +kind: VolumeAttachment +version: v1beta1 +j +x-kubernetes-actionput +*© +storage_v1beta1delete a VolumeAttachment*$deleteStorageV1beta1VolumeAttachment2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string J» +L +200E +C +OK= +; +9#/definitions/io.k8s.api.storage.v1beta1.VolumeAttachment +R +202K +I +Accepted= +; +9#/definitions/io.k8s.api.storage.v1beta1.VolumeAttachment + +401 + + UnauthorizedRhttpsj +x-kubernetes-action delete +jc +x-kubernetes-group-version-kind@>group: storage.k8s.io +kind: VolumeAttachment +version: v1beta1 +B› +storage_v1beta1/partially update the specified VolumeAttachment*#patchStorageV1beta1VolumeAttachment2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean Jg +L +200E +C +OK= +; +9#/definitions/io.k8s.api.storage.v1beta1.VolumeAttachment + +401 + + UnauthorizedRhttpsjc +x-kubernetes-group-version-kind@>version: v1beta1 +group: storage.k8s.io +kind: VolumeAttachment +j +x-kubernetes-actionpatch +J= +;9"7pathname of the VolumeAttachment"name*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ª) +2/api/v1/watch/namespaces/{namespace}/events/{name}ó(Ñ +core_v1¬watch changes to an object of kind Event. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*watchCoreV1NamespacedEvent2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionwatch +jG +x-kubernetes-group-version-kind$"group: "" +kind: Event +version: v1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J2 +0.",pathname of the Event"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean »( +/api/v1/watch/namespaces/{name}—(Ó +core_v1°watch changes to an object of kind Namespace. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*watchCoreV1Namespace2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk + +401 + + Unauthorized +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEventRhttpsj +x-kubernetes-actionwatch +jK +x-kubernetes-group-version-kind(&kind: Namespace +version: v1 +group: "" +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J6 +42"0pathname of the Namespace"name*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean „ +#/apis/admissionregistration.k8s.io/ÜÙ +admissionregistrationget information of a group* getAdmissionregistrationAPIGroup2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJi +N +200G +E +OK? += +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIGroup + +401 + + UnauthorizedRhttps÷) +M/apis/networking.k8s.io/v1beta1/watch/namespaces/{namespace}/ingresses/{name}¥) +networking_v1beta1®watch changes to an object of kind Ingress. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*'watchNetworkingV1beta1NamespacedIngress2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionwatch +j] +x-kubernetes-group-version-kind:8group: networking.k8s.io +kind: Ingress +version: v1beta1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J4 +20".pathname of the Ingress"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ù + /apis/rbac.authorization.k8s.io/ÔÑ +rbacAuthorizationget information of a group*getRbacAuthorizationAPIGroup2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJi +N +200G +E +OK? += +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIGroup + +401 + + UnauthorizedRhttpsÝ( +//apis/storage.k8s.io/v1/watch/csidrivers/{name}©(å + +storage_v1°watch changes to an object of kind CSIDriver. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*watchStorageV1CSIDriver2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionwatch +jW +x-kubernetes-group-version-kind42group: storage.k8s.io +kind: CSIDriver +version: v1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J6 +42"0pathname of the CSIDriver"name*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ÿ' +*/apis/networking.k8s.io/v1/watch/ingressesÐ'Ä + networking_v1swatch individual changes to a list of Ingress. deprecated: use the 'watch' parameter with a list operation instead.*,watchNetworkingV1IngressListForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj# +x-kubernetes-action  +watchlist +jX +x-kubernetes-group-version-kind53group: networking.k8s.io +kind: Ingress +version: v1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ð] +./apis/networking.k8s.io/v1beta1/ingressclasses½]±& +networking_v1beta1*list or watch objects of kind IngressClass*!listNetworkingV1beta1IngressClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Bï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer B± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean Jj +O +200H +F +OK@ +> +<#/definitions/io.k8s.api.networking.v1beta1.IngressClassList + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionlist +jb +x-kubernetes-group-version-kind?=group: networking.k8s.io +kind: IngressClass +version: v1beta1 +" +networking_v1beta1create an IngressClass*#createNetworkingV1beta1IngressClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BN +L +Jbodybody *: +8#/definitions/io.k8s.api.networking.v1beta1.IngressClassBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string J‹ +K +200D +B +OK< +: +8#/definitions/io.k8s.api.networking.v1beta1.IngressClass +P +201I +G +Created< +: +8#/definitions/io.k8s.api.networking.v1beta1.IngressClass +Q +202J +H +Accepted< +: +8#/definitions/io.k8s.api.networking.v1beta1.IngressClass + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpost +jb +x-kubernetes-group-version-kind?=group: networking.k8s.io +kind: IngressClass +version: v1beta1 +*ð, +networking_v1beta1!delete collection of IngressClass*-deleteNetworkingV1beta1CollectionIngressClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string Bž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer Jg +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsjb +x-kubernetes-group-version-kind?=group: networking.k8s.io +kind: IngressClass +version: v1beta1 +j* +x-kubernetes-actiondeletecollection +JO +MKIquery-If 'true', then the output is pretty printed."pretty2string …* +Q/apis/rbac.authorization.k8s.io/v1beta1/watch/namespaces/{namespace}/roles/{name}¯)Ž +rbacAuthorization_v1beta1«watch changes to an object of kind Role. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*+watchRbacAuthorizationV1beta1NamespacedRole2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionwatch +jb +x-kubernetes-group-version-kind?=group: rbac.authorization.k8s.io +kind: Role +version: v1beta1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J1 +/-"+pathname of the Role"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ƒ) +N/apis/admissionregistration.k8s.io/v1beta1/watch/mutatingwebhookconfigurations°(¤ +admissionregistration_v1beta1ˆwatch individual changes to a list of MutatingWebhookConfiguration. deprecated: use the 'watch' parameter with a list operation instead.*AwatchAdmissionregistrationV1beta1MutatingWebhookConfigurationList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj# +x-kubernetes-action  +watchlist +j} +x-kubernetes-group-version-kindZXkind: MutatingWebhookConfiguration +version: v1beta1 +group: admissionregistration.k8s.io +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean É( +8/apis/autoscaling/v2beta1/watch/horizontalpodautoscalersŒ(€ +autoscaling_v2beta1ƒwatch individual changes to a list of HorizontalPodAutoscaler. deprecated: use the 'watch' parameter with a list operation instead.*BwatchAutoscalingV2beta1HorizontalPodAutoscalerListForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj# +x-kubernetes-action  +watchlist +jg +x-kubernetes-group-version-kindDBgroup: autoscaling +kind: HorizontalPodAutoscaler +version: v2beta1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean è +0/api/v1/namespaces/{namespace}/pods/{name}/proxy³“ +core_v1$connect GET requests to proxy of Pod*"connectCoreV1GetNamespacedPodProxy2*/*:*/*J7 + +200 + +OK + ² +string + +401 + + UnauthorizedRhttpsj! +x-kubernetes-action +connect +jQ +x-kubernetes-group-version-kind.,group: "" +kind: PodProxyOptions +version: v1 +“ +core_v1$connect PUT requests to proxy of Pod*"connectCoreV1PutNamespacedPodProxy2*/*:*/*J7 + +200 + +OK + ² +string + +401 + + UnauthorizedRhttpsj! +x-kubernetes-action +connect +jQ +x-kubernetes-group-version-kind.,group: "" +kind: PodProxyOptions +version: v1 +"• +core_v1%connect POST requests to proxy of Pod*#connectCoreV1PostNamespacedPodProxy2*/*:*/*J7 + +200 + +OK + ² +string + +401 + + UnauthorizedRhttpsj! +x-kubernetes-action +connect +jQ +x-kubernetes-group-version-kind.,group: "" +kind: PodProxyOptions +version: v1 +*™ +core_v1'connect DELETE requests to proxy of Pod*%connectCoreV1DeleteNamespacedPodProxy2*/*:*/*J7 + +200 + +OK + ² +string + +401 + + UnauthorizedRhttpsj! +x-kubernetes-action +connect +jQ +x-kubernetes-group-version-kind.,group: "" +kind: PodProxyOptions +version: v1 +2› +core_v1(connect OPTIONS requests to proxy of Pod*&connectCoreV1OptionsNamespacedPodProxy2*/*:*/*J7 + +200 + +OK + ² +string + +401 + + UnauthorizedRhttpsj! +x-kubernetes-action +connect +jQ +x-kubernetes-group-version-kind.,version: v1 +group: "" +kind: PodProxyOptions +:• +core_v1%connect HEAD requests to proxy of Pod*#connectCoreV1HeadNamespacedPodProxy2*/*:*/*J7 + +200 + +OK + ² +string + +401 + + UnauthorizedRhttpsj! +x-kubernetes-action +connect +jQ +x-kubernetes-group-version-kind.,group: "" +kind: PodProxyOptions +version: v1 +B— +core_v1&connect PATCH requests to proxy of Pod*$connectCoreV1PatchNamespacedPodProxy2*/*:*/*J7 + +401 + + Unauthorized + +200 + +OK + ² +stringRhttpsj! +x-kubernetes-action +connect +jQ +x-kubernetes-group-version-kind.,group: "" +kind: PodProxyOptions +version: v1 +J< +:8"6pathname of the PodProxyOptions"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜Ja +_][queryAPath is the URL path to use for the current proxy request to pod."path2string Ç] +-/api/v1/namespaces/{namespace}/resourcequotas•]Š& +core_v1+list or watch objects of kind ResourceQuota*!listCoreV1NamespacedResourceQuota2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Bï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer B± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean J` +E +200> +< +OK6 +4 +2#/definitions/io.k8s.api.core.v1.ResourceQuotaList + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionlist +jO +x-kubernetes-group-version-kind,*group: "" +kind: ResourceQuota +version: v1 +"ü +core_v1create a ResourceQuota*#createCoreV1NamespacedResourceQuota2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BD +B +@bodybody *0 +.#/definitions/io.k8s.api.core.v1.ResourceQuotaBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string Jí +G +202@ +> +Accepted2 +0 +.#/definitions/io.k8s.api.core.v1.ResourceQuota + +401 + + Unauthorized +A +200: +8 +OK2 +0 +.#/definitions/io.k8s.api.core.v1.ResourceQuota +F +201? += +Created2 +0 +.#/definitions/io.k8s.api.core.v1.ResourceQuotaRhttpsj +x-kubernetes-actionpost +jO +x-kubernetes-group-version-kind,*group: "" +kind: ResourceQuota +version: v1 +*Ó, +core_v1"delete collection of ResourceQuota*-deleteCoreV1CollectionNamespacedResourceQuota2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string Bž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer Jg +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsjO +x-kubernetes-group-version-kind,*group: "" +kind: ResourceQuota +version: v1 +j* +x-kubernetes-actiondeletecollection +J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ®' +(/apis/discovery.k8s.io/v1/endpointslices'õ + discovery_v1+list or watch objects of kind EndpointSlice*,listDiscoveryV1EndpointSliceForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Je +J +200C +A +OK; +9 +7#/definitions/io.k8s.api.discovery.v1.EndpointSliceList + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionlist +j] +x-kubernetes-group-version-kind:8group: discovery.k8s.io +kind: EndpointSlice +version: v1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ¤( +3/apis/rbac.authorization.k8s.io/v1beta1/watch/rolesì'à +rbacAuthorization_v1beta1pwatch individual changes to a list of Role. deprecated: use the 'watch' parameter with a list operation instead.*5watchRbacAuthorizationV1beta1RoleListForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj# +x-kubernetes-action  +watchlist +jb +x-kubernetes-group-version-kind?=group: rbac.authorization.k8s.io +kind: Role +version: v1beta1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean Í + /version/¿¼ +versionget the code version*getCodeVersion2application/json:application/jsonJ` +E +200> +< +OK6 +4 +2#/definitions/io.k8s.apimachinery.pkg.version.Info + +401 + + UnauthorizedRhttpsü +/apis/apiextensions.k8s.io/v1/ÙÖ +apiextensions_v1get available resources*getApiextensionsV1APIResources2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJp + +401 + + Unauthorized +U +200N +L +OKF +D +B#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceListRhttpsÀ( +1/apis/batch/v1/namespaces/{namespace}/jobs/{name}Š(Ï +batch_v1read the specified Job*readBatchV1NamespacedJob2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*JS +8 +2001 +/ +OK) +' +%#/definitions/io.k8s.api.batch.v1.Job + +401 + + UnauthorizedRhttpsjH +x-kubernetes-group-version-kind%#version: v1 +group: batch +kind: Job +j +x-kubernetes-actionget +Œ +batch_v1replace the specified Job*replaceBatchV1NamespacedJob2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B; +9 +7bodybody *' +%#/definitions/io.k8s.api.batch.v1.JobBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string J’ +8 +2001 +/ +OK) +' +%#/definitions/io.k8s.api.batch.v1.Job += +2016 +4 +Created) +' +%#/definitions/io.k8s.api.batch.v1.Job + +401 + + UnauthorizedRhttpsjH +x-kubernetes-group-version-kind%#group: batch +kind: Job +version: v1 +j +x-kubernetes-actionput +*ð +batch_v1 delete a Job*deleteBatchV1NamespacedJob2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string J» +R +202K +I +Accepted= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + Unauthorized +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.StatusRhttpsj +x-kubernetes-action delete +jH +x-kubernetes-group-version-kind%#group: batch +kind: Job +version: v1 +BÎ +batch_v1"partially update the specified Job*patchBatchV1NamespacedJob2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean JS +8 +2001 +/ +OK) +' +%#/definitions/io.k8s.api.batch.v1.Job + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpatch +jH +x-kubernetes-group-version-kind%#group: batch +kind: Job +version: v1 +J0 +.,"*pathname of the Job"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ¼, +C/apis/certificates.k8s.io/v1beta1/certificatesigningrequests/{name}ô+Ô +certificates_v1beta1,read the specified CertificateSigningRequest*0readCertificatesV1beta1CertificateSigningRequest2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Ju +Z +200S +Q +OKK +I +G#/definitions/io.k8s.api.certificates.v1beta1.CertificateSigningRequest + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionget +jq +x-kubernetes-group-version-kindNLgroup: certificates.k8s.io +kind: CertificateSigningRequest +version: v1beta1 +Õ +certificates_v1beta1/replace the specified CertificateSigningRequest*3replaceCertificatesV1beta1CertificateSigningRequest2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B] +[ +Ybodybody *I +G#/definitions/io.k8s.api.certificates.v1beta1.CertificateSigningRequestBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string JÖ +Z +200S +Q +OKK +I +G#/definitions/io.k8s.api.certificates.v1beta1.CertificateSigningRequest +_ +201X +V +CreatedK +I +G#/definitions/io.k8s.api.certificates.v1beta1.CertificateSigningRequest + +401 + + UnauthorizedRhttpsjq +x-kubernetes-group-version-kindNLkind: CertificateSigningRequest +version: v1beta1 +group: certificates.k8s.io +j +x-kubernetes-actionput +*Ó +certificates_v1beta1"delete a CertificateSigningRequest*2deleteCertificatesV1beta1CertificateSigningRequest2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string J» +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status +R +202K +I +Accepted= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsj +x-kubernetes-action delete +jq +x-kubernetes-group-version-kindNLkind: CertificateSigningRequest +version: v1beta1 +group: certificates.k8s.io +BÓ +certificates_v1beta18partially update the specified CertificateSigningRequest*1patchCertificatesV1beta1CertificateSigningRequest2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean Ju +Z +200S +Q +OKK +I +G#/definitions/io.k8s.api.certificates.v1beta1.CertificateSigningRequest + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpatch +jq +x-kubernetes-group-version-kindNLgroup: certificates.k8s.io +kind: CertificateSigningRequest +version: v1beta1 +JF +DB"@path%name of the CertificateSigningRequest"name*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ‚ +/logs/{logpath}o8 +logs*logFileHandlerJ + +401 + + UnauthorizedRhttpsJ3 +1/"-pathpath to the log"logpath*string˜` +I/apis/autoscaling/v2beta2/namespaces/{namespace}/horizontalpodautoscalersÏ_ä& +autoscaling_v2beta25list or watch objects of kind HorizontalPodAutoscaler*7listAutoscalingV2beta2NamespacedHorizontalPodAutoscaler2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Bï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer B± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean Jv +[ +200T +R +OKL +J +H#/definitions/io.k8s.api.autoscaling.v2beta2.HorizontalPodAutoscalerList + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionlist +jg +x-kubernetes-group-version-kindDBgroup: autoscaling +kind: HorizontalPodAutoscaler +version: v2beta2 +"˜ + +autoscaling_v2beta2 create a HorizontalPodAutoscaler*9createAutoscalingV2beta2NamespacedHorizontalPodAutoscaler2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BZ +X +Vbodybody *F +D#/definitions/io.k8s.api.autoscaling.v2beta2.HorizontalPodAutoscalerBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string J¯ + +401 + + Unauthorized +W +200P +N +OKH +F +D#/definitions/io.k8s.api.autoscaling.v2beta2.HorizontalPodAutoscaler +\ +201U +S +CreatedH +F +D#/definitions/io.k8s.api.autoscaling.v2beta2.HorizontalPodAutoscaler +] +202V +T +AcceptedH +F +D#/definitions/io.k8s.api.autoscaling.v2beta2.HorizontalPodAutoscalerRhttpsjg +x-kubernetes-group-version-kindDBgroup: autoscaling +kind: HorizontalPodAutoscaler +version: v2beta2 +j +x-kubernetes-actionpost +*—- +autoscaling_v2beta2,delete collection of HorizontalPodAutoscaler*CdeleteAutoscalingV2beta2CollectionNamespacedHorizontalPodAutoscaler2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string Bž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer Jg + +401 + + Unauthorized +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.StatusRhttpsjg +x-kubernetes-group-version-kindDBgroup: autoscaling +kind: HorizontalPodAutoscaler +version: v2beta2 +j* +x-kubernetes-actiondeletecollection +J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string â' +&/apis/storage.k8s.io/v1/watch/csinodes·'« + +storage_v1swatch individual changes to a list of CSINode. deprecated: use the 'watch' parameter with a list operation instead.*watchStorageV1CSINodeList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj# +x-kubernetes-action  +watchlist +jU +x-kubernetes-group-version-kind20group: storage.k8s.io +kind: CSINode +version: v1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ù +/apis/storage.k8s.io/v1beta1/×Ô +storage_v1beta1get available resources*getStorageV1beta1APIResources2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJp + +401 + + Unauthorized +U +200N +L +OKF +D +B#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceListRhttps‰ +C/api/v1/namespaces/{namespace}/persistentvolumeclaims/{name}/statusÁ¡ +core_v12read status of the specified PersistentVolumeClaim*/readCoreV1NamespacedPersistentVolumeClaimStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Jd +I +200B +@ +OK: +8 +6#/definitions/io.k8s.api.core.v1.PersistentVolumeClaim + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionget +jW +x-kubernetes-group-version-kind42group: "" +kind: PersistentVolumeClaim +version: v1 +€ +core_v15replace status of the specified PersistentVolumeClaim*2replaceCoreV1NamespacedPersistentVolumeClaimStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BL +J +Hbodybody *8 +6#/definitions/io.k8s.api.core.v1.PersistentVolumeClaimBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string J´ +I +200B +@ +OK: +8 +6#/definitions/io.k8s.api.core.v1.PersistentVolumeClaim +N +201G +E +Created: +8 +6#/definitions/io.k8s.api.core.v1.PersistentVolumeClaim + +401 + + UnauthorizedRhttpsjW +x-kubernetes-group-version-kind42group: "" +kind: PersistentVolumeClaim +version: v1 +j +x-kubernetes-actionput +B  +core_v1>partially update status of the specified PersistentVolumeClaim*0patchCoreV1NamespacedPersistentVolumeClaimStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean Jd +I +200B +@ +OK: +8 +6#/definitions/io.k8s.api.core.v1.PersistentVolumeClaim + +401 + + UnauthorizedRhttpsjW +x-kubernetes-group-version-kind42group: "" +kind: PersistentVolumeClaim +version: v1 +j +x-kubernetes-actionpatch +JB +@>"<path!name of the PersistentVolumeClaim"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ” +&/apis/admissionregistration.k8s.io/v1/éæ +admissionregistration_v1get available resources*&getAdmissionregistrationV1APIResources2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJp +U +200N +L +OKF +D +B#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList + +401 + + UnauthorizedRhttpsÓ( +B/apis/apiextensions.k8s.io/v1beta1/watch/customresourcedefinitionsŒ(€ +apiextensions_v1beta1„watch individual changes to a list of CustomResourceDefinition. deprecated: use the 'watch' parameter with a list operation instead.*5watchApiextensionsV1beta1CustomResourceDefinitionList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsjq +x-kubernetes-group-version-kindNLgroup: apiextensions.k8s.io +kind: CustomResourceDefinition +version: v1beta1 +j# +x-kubernetes-action  +watchlist +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ¼* +V/apis/autoscaling/v2beta1/watch/namespaces/{namespace}/horizontalpodautoscalers/{name}á)­ +autoscaling_v2beta1¾watch changes to an object of kind HorizontalPodAutoscaler. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*8watchAutoscalingV2beta1NamespacedHorizontalPodAutoscaler2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsjg +x-kubernetes-group-version-kindDBgroup: autoscaling +kind: HorizontalPodAutoscaler +version: v2beta1 +j +x-kubernetes-actionwatch +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JD +B@">path#name of the HorizontalPodAutoscaler"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean õ' +2/apis/autoscaling/v2beta1/horizontalpodautoscalers¾'² +autoscaling_v2beta15list or watch objects of kind HorizontalPodAutoscaler*=listAutoscalingV2beta1HorizontalPodAutoscalerForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jv +[ +200T +R +OKL +J +H#/definitions/io.k8s.api.autoscaling.v2beta1.HorizontalPodAutoscalerList + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionlist +jg +x-kubernetes-group-version-kindDBgroup: autoscaling +kind: HorizontalPodAutoscaler +version: v2beta1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean à +G/apis/certificates.k8s.io/v1/certificatesigningrequests/{name}/approval”Ô +certificates_v18read approval of the specified CertificateSigningRequest*3readCertificatesV1CertificateSigningRequestApproval2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Jp +U +200N +L +OKF +D +B#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequest + +401 + + UnauthorizedRhttpsjl +x-kubernetes-group-version-kindIGgroup: certificates.k8s.io +kind: CertificateSigningRequest +version: v1 +j +x-kubernetes-actionget +Ë +certificates_v1;replace approval of the specified CertificateSigningRequest*6replaceCertificatesV1CertificateSigningRequestApproval2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BX +V +Tbodybody *D +B#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequestBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string JÌ +U +200N +L +OKF +D +B#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequest +Z +201S +Q +CreatedF +D +B#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequest + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionput +jl +x-kubernetes-group-version-kindIGgroup: certificates.k8s.io +kind: CertificateSigningRequest +version: v1 +BÓ +certificates_v1Dpartially update approval of the specified CertificateSigningRequest*4patchCertificatesV1CertificateSigningRequestApproval2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean Jp +U +200N +L +OKF +D +B#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequest + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpatch +jl +x-kubernetes-group-version-kindIGgroup: certificates.k8s.io +kind: CertificateSigningRequest +version: v1 +JF +DB"@path%name of the CertificateSigningRequest"name*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ¯' +$/apis/policy/v1/poddisruptionbudgets†'ú + policy_v11list or watch objects of kind PodDisruptionBudget*/listPolicyV1PodDisruptionBudgetForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jh +M +200F +D +OK> +< +:#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetList + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionlist +jY +x-kubernetes-group-version-kind64group: policy +kind: PodDisruptionBudget +version: v1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ©] ++/api/v1/namespaces/{namespace}/podtemplatesù\‚& +core_v1)list or watch objects of kind PodTemplate*listCoreV1NamespacedPodTemplate2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Bï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer B± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean J^ +C +200< +: +OK4 +2 +0#/definitions/io.k8s.api.core.v1.PodTemplateList + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionlist +jM +x-kubernetes-group-version-kind*(group: "" +kind: PodTemplate +version: v1 +"î +core_v1create a PodTemplate*!createCoreV1NamespacedPodTemplate2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BB +@ +>bodybody *. +,#/definitions/io.k8s.api.core.v1.PodTemplateBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string Jç +? +2008 +6 +OK0 +. +,#/definitions/io.k8s.api.core.v1.PodTemplate +D +201= +; +Created0 +. +,#/definitions/io.k8s.api.core.v1.PodTemplate +E +202> +< +Accepted0 +. +,#/definitions/io.k8s.api.core.v1.PodTemplate + +401 + + UnauthorizedRhttpsjM +x-kubernetes-group-version-kind*(group: "" +kind: PodTemplate +version: v1 +j +x-kubernetes-actionpost +*Í, +core_v1 delete collection of PodTemplate*+deleteCoreV1CollectionNamespacedPodTemplate2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string Bž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer Jg + +401 + + Unauthorized +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.StatusRhttpsj* +x-kubernetes-actiondeletecollection +jM +x-kubernetes-group-version-kind*(version: v1 +group: "" +kind: PodTemplate +J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ö* +"<path!name of the ReplicationController"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ’* +W/apis/admissionregistration.k8s.io/v1beta1/watch/validatingwebhookconfigurations/{name}¶)Ý +admissionregistration_v1beta1Åwatch changes to an object of kind ValidatingWebhookConfiguration. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*?watchAdmissionregistrationV1beta1ValidatingWebhookConfiguration2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj +x-kubernetes-group-version-kind\Zgroup: admissionregistration.k8s.io +kind: ValidatingWebhookConfiguration +version: v1beta1 +j +x-kubernetes-actionwatch +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JK +IG"Epath*name of the ValidatingWebhookConfiguration"name*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ‡ +5/apis/authorization.k8s.io/v1/selfsubjectrulesreviewsÍ +"¿ +authorization_v1create a SelfSubjectRulesReview*+createAuthorizationV1SelfSubjectRulesReview2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BV +T +Rbodybody *B +@#/definitions/io.k8s.api.authorization.v1.SelfSubjectRulesReviewJ£ + +401 + + Unauthorized +S +200L +J +OKD +B +@#/definitions/io.k8s.api.authorization.v1.SelfSubjectRulesReview +X +201Q +O +CreatedD +B +@#/definitions/io.k8s.api.authorization.v1.SelfSubjectRulesReview +Y +202R +P +AcceptedD +B +@#/definitions/io.k8s.api.authorization.v1.SelfSubjectRulesReviewRhttpsj +x-kubernetes-actionpost +jj +x-kubernetes-group-version-kindGEgroup: authorization.k8s.io +kind: SelfSubjectRulesReview +version: v1 +Jž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string J– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ) +8/apis/storage.k8s.io/v1beta1/watch/storageclasses/{name}Ä(ý +storage_v1beta1³watch changes to an object of kind StorageClass. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*watchStorageV1beta1StorageClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionwatch +j_ +x-kubernetes-group-version-kind<:group: storage.k8s.io +kind: StorageClass +version: v1beta1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J9 +75"3pathname of the StorageClass"name*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ×) +;/api/v1/watch/namespaces/{namespace}/serviceaccounts/{name}—)ì +core_v1µwatch changes to an object of kind ServiceAccount. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*#watchCoreV1NamespacedServiceAccount2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsjP +x-kubernetes-group-version-kind-+kind: ServiceAccount +version: v1 +group: "" +j +x-kubernetes-actionwatch +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J; +97"5pathname of the ServiceAccount"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ÷( +K/apis/admissionregistration.k8s.io/v1/watch/validatingwebhookconfigurations§(› +admissionregistration_v1Šwatch individual changes to a list of ValidatingWebhookConfiguration. deprecated: use the 'watch' parameter with a list operation instead.*>watchAdmissionregistrationV1ValidatingWebhookConfigurationList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsjz +x-kubernetes-group-version-kindWUgroup: admissionregistration.k8s.io +kind: ValidatingWebhookConfiguration +version: v1 +j# +x-kubernetes-action  +watchlist +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean †_ +D/apis/discovery.k8s.io/v1beta1/namespaces/{namespace}/endpointslices½^»& +discovery_v1beta1+list or watch objects of kind EndpointSlice*+listDiscoveryV1beta1NamespacedEndpointSlice2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Bï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer B± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean Jj +O +200H +F +OK@ +> +<#/definitions/io.k8s.api.discovery.v1beta1.EndpointSliceList + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionlist +jb +x-kubernetes-group-version-kind?=group: discovery.k8s.io +kind: EndpointSlice +version: v1beta1 +"Ì +discovery_v1beta1create an EndpointSlice*-createDiscoveryV1beta1NamespacedEndpointSlice2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BN +L +Jbodybody *: +8#/definitions/io.k8s.api.discovery.v1beta1.EndpointSliceBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string J‹ + +401 + + Unauthorized +K +200D +B +OK< +: +8#/definitions/io.k8s.api.discovery.v1beta1.EndpointSlice +P +201I +G +Created< +: +8#/definitions/io.k8s.api.discovery.v1beta1.EndpointSlice +Q +202J +H +Accepted< +: +8#/definitions/io.k8s.api.discovery.v1beta1.EndpointSliceRhttpsjb +x-kubernetes-group-version-kind?=kind: EndpointSlice +version: v1beta1 +group: discovery.k8s.io +j +x-kubernetes-actionpost +*ú, +discovery_v1beta1"delete collection of EndpointSlice*7deleteDiscoveryV1beta1CollectionNamespacedEndpointSlice2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string Bž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer Jg +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsjb +x-kubernetes-group-version-kind?=kind: EndpointSlice +version: v1beta1 +group: discovery.k8s.io +j* +x-kubernetes-actiondeletecollection +J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ©^ +6/apis/rbac.authorization.k8s.io/v1/clusterrolebindingsî]Å& +rbacAuthorization_v10list or watch objects of kind ClusterRoleBinding*)listRbacAuthorizationV1ClusterRoleBinding2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Bï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer B± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean Je +J +200C +A +OK; +9 +7#/definitions/io.k8s.api.rbac.v1.ClusterRoleBindingList + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionlist +jk +x-kubernetes-group-version-kindHFgroup: rbac.authorization.k8s.io +kind: ClusterRoleBinding +version: v1 +"Æ +rbacAuthorization_v1create a ClusterRoleBinding*+createRbacAuthorizationV1ClusterRoleBinding2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BI +G +Ebodybody *5 +3#/definitions/io.k8s.api.rbac.v1.ClusterRoleBindingBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string Jü +F +200? += +OK7 +5 +3#/definitions/io.k8s.api.rbac.v1.ClusterRoleBinding +K +201D +B +Created7 +5 +3#/definitions/io.k8s.api.rbac.v1.ClusterRoleBinding +L +202E +C +Accepted7 +5 +3#/definitions/io.k8s.api.rbac.v1.ClusterRoleBinding + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpost +jk +x-kubernetes-group-version-kindHFgroup: rbac.authorization.k8s.io +kind: ClusterRoleBinding +version: v1 +*‰- +rbacAuthorization_v1'delete collection of ClusterRoleBinding*5deleteRbacAuthorizationV1CollectionClusterRoleBinding2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string Bž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer Jg +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsj* +x-kubernetes-actiondeletecollection +jk +x-kubernetes-group-version-kindHFkind: ClusterRoleBinding +version: v1 +group: rbac.authorization.k8s.io +JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ð* +"<path!name of the PersistentVolumeClaim"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ½- +J/apis/admissionregistration.k8s.io/v1/mutatingwebhookconfigurations/{name}î,ð +admissionregistration_v1/read the specified MutatingWebhookConfiguration*7readAdmissionregistrationV1MutatingWebhookConfiguration2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*J| +a +200Z +X +OKR +P +N#/definitions/io.k8s.api.admissionregistration.v1.MutatingWebhookConfiguration + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionget +jx +x-kubernetes-group-version-kindUSkind: MutatingWebhookConfiguration +version: v1 +group: admissionregistration.k8s.io +ÿ +admissionregistration_v12replace the specified MutatingWebhookConfiguration*:replaceAdmissionregistrationV1MutatingWebhookConfiguration2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Bd +b +`bodybody *P +N#/definitions/io.k8s.api.admissionregistration.v1.MutatingWebhookConfigurationBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string Jä +f +201_ +] +CreatedR +P +N#/definitions/io.k8s.api.admissionregistration.v1.MutatingWebhookConfiguration + +401 + + Unauthorized +a +200Z +X +OKR +P +N#/definitions/io.k8s.api.admissionregistration.v1.MutatingWebhookConfigurationRhttpsjx +x-kubernetes-group-version-kindUSkind: MutatingWebhookConfiguration +version: v1 +group: admissionregistration.k8s.io +j +x-kubernetes-actionput +*è +admissionregistration_v1%delete a MutatingWebhookConfiguration*9deleteAdmissionregistrationV1MutatingWebhookConfiguration2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string J» +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status +R +202K +I +Accepted= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsj +x-kubernetes-action delete +jx +x-kubernetes-group-version-kindUSgroup: admissionregistration.k8s.io +kind: MutatingWebhookConfiguration +version: v1 +Bï +admissionregistration_v1;partially update the specified MutatingWebhookConfiguration*8patchAdmissionregistrationV1MutatingWebhookConfiguration2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean J| + +401 + + Unauthorized +a +200Z +X +OKR +P +N#/definitions/io.k8s.api.admissionregistration.v1.MutatingWebhookConfigurationRhttpsj +x-kubernetes-actionpatch +jx +x-kubernetes-group-version-kindUSgroup: admissionregistration.k8s.io +kind: MutatingWebhookConfiguration +version: v1 +JI +GE"Cpath(name of the MutatingWebhookConfiguration"name*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ä +E/apis/apiextensions.k8s.io/v1/customresourcedefinitions/{name}/statusšî +apiextensions_v15read status of the specified CustomResourceDefinition*1readApiextensionsV1CustomResourceDefinitionStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*J +r +200k +i +OKc +a +_#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinition + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionget +jl +x-kubernetes-group-version-kindIGkind: CustomResourceDefinition +version: v1 +group: apiextensions.k8s.io +ž + +apiextensions_v18replace status of the specified CustomResourceDefinition*4replaceApiextensionsV1CustomResourceDefinitionStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Bu +s +qbodybody *a +_#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string J† +r +200k +i +OKc +a +_#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinition +w +201p +n +Createdc +a +_#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinition + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionput +jl +x-kubernetes-group-version-kindIGkind: CustomResourceDefinition +version: v1 +group: apiextensions.k8s.io +Bí +apiextensions_v1Apartially update status of the specified CustomResourceDefinition*2patchApiextensionsV1CustomResourceDefinitionStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean J +r +200k +i +OKc +a +_#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinition + +401 + + UnauthorizedRhttpsjl +x-kubernetes-group-version-kindIGgroup: apiextensions.k8s.io +kind: CustomResourceDefinition +version: v1 +j +x-kubernetes-actionpatch +JE +CA"?path$name of the CustomResourceDefinition"name*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string “( +//apis/networking.k8s.io/v1beta1/watch/ingressesß'Ó +networking_v1beta1swatch individual changes to a list of Ingress. deprecated: use the 'watch' parameter with a list operation instead.*1watchNetworkingV1beta1IngressListForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj] +x-kubernetes-group-version-kind:8group: networking.k8s.io +kind: Ingress +version: v1beta1 +j# +x-kubernetes-action  +watchlist +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ²] +)/apis/storage.k8s.io/v1/volumeattachments„]¡& + +storage_v1.list or watch objects of kind VolumeAttachment*listStorageV1VolumeAttachment2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Bï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer B± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean Jf +K +200D +B +OK< +: +8#/definitions/io.k8s.api.storage.v1.VolumeAttachmentList + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionlist +j^ +x-kubernetes-group-version-kind;9version: v1 +group: storage.k8s.io +kind: VolumeAttachment +"¥ + +storage_v1create a VolumeAttachment*createStorageV1VolumeAttachment2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BJ +H +Fbodybody *6 +4#/definitions/io.k8s.api.storage.v1.VolumeAttachmentBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string Jÿ +G +200@ +> +OK8 +6 +4#/definitions/io.k8s.api.storage.v1.VolumeAttachment +L +201E +C +Created8 +6 +4#/definitions/io.k8s.api.storage.v1.VolumeAttachment +M +202F +D +Accepted8 +6 +4#/definitions/io.k8s.api.storage.v1.VolumeAttachment + +401 + + UnauthorizedRhttpsj^ +x-kubernetes-group-version-kind;9group: storage.k8s.io +kind: VolumeAttachment +version: v1 +j +x-kubernetes-actionpost +*ä, + +storage_v1%delete collection of VolumeAttachment*)deleteStorageV1CollectionVolumeAttachment2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string Bž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer Jg +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsj^ +x-kubernetes-group-version-kind;9kind: VolumeAttachment +version: v1 +group: storage.k8s.io +j* +x-kubernetes-actiondeletecollection +JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ä) +2/apis/storage.k8s.io/v1beta1/storageclasses/{name}­)Œ +storage_v1beta1read the specified StorageClass*readStorageV1beta1StorageClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Jc +H +200A +? +OK9 +7 +5#/definitions/io.k8s.api.storage.v1beta1.StorageClass + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionget +j_ +x-kubernetes-group-version-kind<:group: storage.k8s.io +kind: StorageClass +version: v1beta1 +é +storage_v1beta1"replace the specified StorageClass*!replaceStorageV1beta1StorageClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BK +I +Gbodybody *7 +5#/definitions/io.k8s.api.storage.v1beta1.StorageClassBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string J² +H +200A +? +OK9 +7 +5#/definitions/io.k8s.api.storage.v1beta1.StorageClass +M +201F +D +Created9 +7 +5#/definitions/io.k8s.api.storage.v1beta1.StorageClass + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionput +j_ +x-kubernetes-group-version-kind<:group: storage.k8s.io +kind: StorageClass +version: v1beta1 +*• +storage_v1beta1delete a StorageClass* deleteStorageV1beta1StorageClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string J³ +H +200A +? +OK9 +7 +5#/definitions/io.k8s.api.storage.v1beta1.StorageClass +N +202G +E +Accepted9 +7 +5#/definitions/io.k8s.api.storage.v1beta1.StorageClass + +401 + + UnauthorizedRhttpsj +x-kubernetes-action delete +j_ +x-kubernetes-group-version-kind<:group: storage.k8s.io +kind: StorageClass +version: v1beta1 +B‹ +storage_v1beta1+partially update the specified StorageClass*patchStorageV1beta1StorageClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean Jc +H +200A +? +OK9 +7 +5#/definitions/io.k8s.api.storage.v1beta1.StorageClass + +401 + + UnauthorizedRhttpsj_ +x-kubernetes-group-version-kind<:group: storage.k8s.io +kind: StorageClass +version: v1beta1 +j +x-kubernetes-actionpatch +J9 +75"3pathname of the StorageClass"name*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Ý\ +/api/v1/persistentvolumes¿\Œ& +core_v1.list or watch objects of kind PersistentVolume*listCoreV1PersistentVolume2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Bï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer B± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean Jc +H +200A +? +OK9 +7 +5#/definitions/io.k8s.api.core.v1.PersistentVolumeList + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionlist +jR +x-kubernetes-group-version-kind/-group: "" +kind: PersistentVolume +version: v1 +"‡ +core_v1create a PersistentVolume*createCoreV1PersistentVolume2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BG +E +Cbodybody *3 +1#/definitions/io.k8s.api.core.v1.PersistentVolumeBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string Jö +D +200= +; +OK5 +3 +1#/definitions/io.k8s.api.core.v1.PersistentVolume +I +201B +@ +Created5 +3 +1#/definitions/io.k8s.api.core.v1.PersistentVolume +J +202C +A +Accepted5 +3 +1#/definitions/io.k8s.api.core.v1.PersistentVolume + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpost +jR +x-kubernetes-group-version-kind/-version: v1 +group: "" +kind: PersistentVolume +*Ò, +core_v1%delete collection of PersistentVolume*&deleteCoreV1CollectionPersistentVolume2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string Bž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer Jg + +401 + + Unauthorized +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.StatusRhttpsjR +x-kubernetes-group-version-kind/-group: "" +kind: PersistentVolume +version: v1 +j* +x-kubernetes-actiondeletecollection +JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Ê + /apis/apps/º· +appsget information of a group*getAppsAPIGroup2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJi +N +200G +E +OK? += +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIGroup + +401 + + UnauthorizedRhttps¿( +0/apis/batch/v1/watch/namespaces/{namespace}/jobsŠ(œ +batch_v1owatch individual changes to a list of Job. deprecated: use the 'watch' parameter with a list operation instead.*watchBatchV1NamespacedJobList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsjH +x-kubernetes-group-version-kind%#group: batch +kind: Job +version: v1 +j# +x-kubernetes-action  +watchlist +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean á* +F/apis/coordination.k8s.io/v1beta1/namespaces/{namespace}/leases/{name}–*Ž +coordination_v1beta1read the specified Lease*&readCoordinationV1beta1NamespacedLease2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Ja +F +200? += +OK7 +5 +3#/definitions/io.k8s.api.coordination.v1beta1.Lease + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionget +j] +x-kubernetes-group-version-kind:8group: coordination.k8s.io +kind: Lease +version: v1beta1 +ç +coordination_v1beta1replace the specified Lease*)replaceCoordinationV1beta1NamespacedLease2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BI +G +Ebodybody *5 +3#/definitions/io.k8s.api.coordination.v1beta1.LeaseBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string J® +F +200? += +OK7 +5 +3#/definitions/io.k8s.api.coordination.v1beta1.Lease +K +201D +B +Created7 +5 +3#/definitions/io.k8s.api.coordination.v1beta1.Lease + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionput +j] +x-kubernetes-group-version-kind:8group: coordination.k8s.io +kind: Lease +version: v1beta1 +*¡ +coordination_v1beta1delete a Lease*(deleteCoordinationV1beta1NamespacedLease2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string J» +R +202K +I +Accepted= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + Unauthorized +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.StatusRhttpsj] +x-kubernetes-group-version-kind:8group: coordination.k8s.io +kind: Lease +version: v1beta1 +j +x-kubernetes-action delete +B +coordination_v1beta1$partially update the specified Lease*'patchCoordinationV1beta1NamespacedLease2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean Ja +F +200? += +OK7 +5 +3#/definitions/io.k8s.api.coordination.v1beta1.Lease + +401 + + UnauthorizedRhttpsj] +x-kubernetes-group-version-kind:8group: coordination.k8s.io +kind: Lease +version: v1beta1 +j +x-kubernetes-actionpatch +J2 +0.",pathname of the Lease"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ê& +/api/v1/endpointsÔ&È +core_v1'list or watch objects of kind Endpoints*#listCoreV1EndpointsForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*J\ +A +200: +8 +OK2 +0 +.#/definitions/io.k8s.api.core.v1.EndpointsList + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionlist +jK +x-kubernetes-group-version-kind(&group: "" +kind: Endpoints +version: v1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ×& +/api/v1/eventsÄ&¸ +core_v1#list or watch objects of kind Event*listCoreV1EventForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*JX += +2006 +4 +OK. +, +*#/definitions/io.k8s.api.core.v1.EventList + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionlist +jG +x-kubernetes-group-version-kind$"group: "" +kind: Event +version: v1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ‹) +P/apis/admissionregistration.k8s.io/v1beta1/watch/validatingwebhookconfigurations¶(ª +admissionregistration_v1beta1Šwatch individual changes to a list of ValidatingWebhookConfiguration. deprecated: use the 'watch' parameter with a list operation instead.*CwatchAdmissionregistrationV1beta1ValidatingWebhookConfigurationList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj# +x-kubernetes-action  +watchlist +j +x-kubernetes-group-version-kind\Zgroup: admissionregistration.k8s.io +kind: ValidatingWebhookConfiguration +version: v1beta1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ˆ) +5/apis/policy/v1beta1/watch/podsecuritypolicies/{name}Î(‚ +policy_v1beta1¸watch changes to an object of kind PodSecurityPolicy. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*#watchPolicyV1beta1PodSecurityPolicy2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionwatch +j\ +x-kubernetes-group-version-kind97group: policy +kind: PodSecurityPolicy +version: v1beta1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J> +<:"8pathname of the PodSecurityPolicy"name*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ì +/apis/apiextensions.k8s.io/ÌÉ + apiextensionsget information of a group*getApiextensionsAPIGroup2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJi +N +200G +E +OK? += +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIGroup + +401 + + UnauthorizedRhttps„ +8/apis/batch/v1/namespaces/{namespace}/jobs/{name}/statusÇß +batch_v1 read status of the specified Job*readBatchV1NamespacedJobStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*JS +8 +2001 +/ +OK) +' +%#/definitions/io.k8s.api.batch.v1.Job + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionget +jH +x-kubernetes-group-version-kind%#group: batch +kind: Job +version: v1 +œ +batch_v1#replace status of the specified Job*!replaceBatchV1NamespacedJobStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B; +9 +7bodybody *' +%#/definitions/io.k8s.api.batch.v1.JobBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string J’ += +2016 +4 +Created) +' +%#/definitions/io.k8s.api.batch.v1.Job + +401 + + Unauthorized +8 +2001 +/ +OK) +' +%#/definitions/io.k8s.api.batch.v1.JobRhttpsj +x-kubernetes-actionput +jH +x-kubernetes-group-version-kind%#kind: Job +version: v1 +group: batch +BÞ +batch_v1,partially update status of the specified Job*patchBatchV1NamespacedJobStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean JS +8 +2001 +/ +OK) +' +%#/definitions/io.k8s.api.batch.v1.Job + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpatch +jH +x-kubernetes-group-version-kind%#group: batch +kind: Job +version: v1 +J0 +.,"*pathname of the Job"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ü +T/apis/flowcontrol.apiserver.k8s.io/v1beta1/prioritylevelconfigurations/{name}/status£€ +flowcontrolApiserver_v1beta17read status of the specified PriorityLevelConfiguration*?readFlowcontrolApiserverV1beta1PriorityLevelConfigurationStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Ju +Z +200S +Q +OKK +I +G#/definitions/io.k8s.api.flowcontrol.v1beta1.PriorityLevelConfiguration + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionget +j{ +x-kubernetes-group-version-kindXVgroup: flowcontrol.apiserver.k8s.io +kind: PriorityLevelConfiguration +version: v1beta1 + + +flowcontrolApiserver_v1beta1:replace status of the specified PriorityLevelConfiguration*BreplaceFlowcontrolApiserverV1beta1PriorityLevelConfigurationStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B] +[ +Ybodybody *I +G#/definitions/io.k8s.api.flowcontrol.v1beta1.PriorityLevelConfigurationBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string JÖ +Z +200S +Q +OKK +I +G#/definitions/io.k8s.api.flowcontrol.v1beta1.PriorityLevelConfiguration +_ +201X +V +CreatedK +I +G#/definitions/io.k8s.api.flowcontrol.v1beta1.PriorityLevelConfiguration + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionput +j{ +x-kubernetes-group-version-kindXVversion: v1beta1 +group: flowcontrol.apiserver.k8s.io +kind: PriorityLevelConfiguration +Bÿ +flowcontrolApiserver_v1beta1Cpartially update status of the specified PriorityLevelConfiguration*@patchFlowcontrolApiserverV1beta1PriorityLevelConfigurationStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean Ju +Z +200S +Q +OKK +I +G#/definitions/io.k8s.api.flowcontrol.v1beta1.PriorityLevelConfiguration + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpatch +j{ +x-kubernetes-group-version-kindXVgroup: flowcontrol.apiserver.k8s.io +kind: PriorityLevelConfiguration +version: v1beta1 +JG +EC"Apath&name of the PriorityLevelConfiguration"name*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ( +*/apis/policy/v1/watch/poddisruptionbudgetsá'Õ + policy_v1watch individual changes to a list of PodDisruptionBudget. deprecated: use the 'watch' parameter with a list operation instead.*4watchPolicyV1PodDisruptionBudgetListForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj# +x-kubernetes-action  +watchlist +jY +x-kubernetes-group-version-kind64group: policy +kind: PodDisruptionBudget +version: v1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean Ò) +:/api/v1/watch/namespaces/{namespace}/resourcequotas/{name}“)é +core_v1´watch changes to an object of kind ResourceQuota. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*"watchCoreV1NamespacedResourceQuota2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk + +401 + + Unauthorized +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEventRhttpsjO +x-kubernetes-group-version-kind,*group: "" +kind: ResourceQuota +version: v1 +j +x-kubernetes-actionwatch +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J: +86"4pathname of the ResourceQuota"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ¯) +3/api/v1/watch/namespaces/{namespace}/secrets/{name}÷(Ô +core_v1­watch changes to an object of kind Secret. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*watchCoreV1NamespacedSecret2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionwatch +jH +x-kubernetes-group-version-kind%#group: "" +kind: Secret +version: v1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J3 +1/"-pathname of the Secret"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean Í + /apis/batch/¼¹ +batchget information of a group*getBatchAPIGroup2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJi +N +200G +E +OK? += +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIGroup + +401 + + UnauthorizedRhttps‡* +A/apis/coordination.k8s.io/v1/namespaces/{namespace}/leases/{name}Á)ú +coordination_v1read the specified Lease*!readCoordinationV1NamespacedLease2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*J\ +A +200: +8 +OK2 +0 +.#/definitions/io.k8s.api.coordination.v1.Lease + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionget +jX +x-kubernetes-group-version-kind53group: coordination.k8s.io +kind: Lease +version: v1 +É +coordination_v1replace the specified Lease*$replaceCoordinationV1NamespacedLease2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BD +B +@bodybody *0 +.#/definitions/io.k8s.api.coordination.v1.LeaseBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string J¤ +A +200: +8 +OK2 +0 +.#/definitions/io.k8s.api.coordination.v1.Lease +F +201? += +Created2 +0 +.#/definitions/io.k8s.api.coordination.v1.Lease + +401 + + UnauthorizedRhttpsjX +x-kubernetes-group-version-kind53group: coordination.k8s.io +kind: Lease +version: v1 +j +x-kubernetes-actionput +*’ +coordination_v1delete a Lease*#deleteCoordinationV1NamespacedLease2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string J» +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status +R +202K +I +Accepted= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsj +x-kubernetes-action delete +jX +x-kubernetes-group-version-kind53group: coordination.k8s.io +kind: Lease +version: v1 +Bù +coordination_v1$partially update the specified Lease*"patchCoordinationV1NamespacedLease2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean J\ +A +200: +8 +OK2 +0 +.#/definitions/io.k8s.api.coordination.v1.Lease + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpatch +jX +x-kubernetes-group-version-kind53group: coordination.k8s.io +kind: Lease +version: v1 +J2 +0.",pathname of the Lease"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string –* +//apis/policy/v1beta1/podsecuritypolicies/{name}â)• +policy_v1beta1$read the specified PodSecurityPolicy*"readPolicyV1beta1PodSecurityPolicy2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Jg +L +200E +C +OK= +; +9#/definitions/io.k8s.api.policy.v1beta1.PodSecurityPolicy + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionget +j\ +x-kubernetes-group-version-kind97group: policy +kind: PodSecurityPolicy +version: v1beta1 +ú +policy_v1beta1'replace the specified PodSecurityPolicy*%replacePolicyV1beta1PodSecurityPolicy2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BO +M +Kbodybody *; +9#/definitions/io.k8s.api.policy.v1beta1.PodSecurityPolicyBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string Jº +Q +201J +H +Created= +; +9#/definitions/io.k8s.api.policy.v1beta1.PodSecurityPolicy + +401 + + Unauthorized +L +200E +C +OK= +; +9#/definitions/io.k8s.api.policy.v1beta1.PodSecurityPolicyRhttpsj +x-kubernetes-actionput +j\ +x-kubernetes-group-version-kind97version: v1beta1 +group: policy +kind: PodSecurityPolicy +*¢ +policy_v1beta1delete a PodSecurityPolicy*$deletePolicyV1beta1PodSecurityPolicy2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string J» +L +200E +C +OK= +; +9#/definitions/io.k8s.api.policy.v1beta1.PodSecurityPolicy +R +202K +I +Accepted= +; +9#/definitions/io.k8s.api.policy.v1beta1.PodSecurityPolicy + +401 + + UnauthorizedRhttpsj +x-kubernetes-action delete +j\ +x-kubernetes-group-version-kind97group: policy +kind: PodSecurityPolicy +version: v1beta1 +B” +policy_v1beta10partially update the specified PodSecurityPolicy*#patchPolicyV1beta1PodSecurityPolicy2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean Jg +L +200E +C +OK= +; +9#/definitions/io.k8s.api.policy.v1beta1.PodSecurityPolicy + +401 + + UnauthorizedRhttpsj\ +x-kubernetes-group-version-kind97group: policy +kind: PodSecurityPolicy +version: v1beta1 +j +x-kubernetes-actionpatch +J> +<:"8pathname of the PodSecurityPolicy"name*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ú) +B/api/v1/watch/namespaces/{namespace}/persistentvolumeclaims/{name}³) +core_v1¼watch changes to an object of kind PersistentVolumeClaim. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.**watchCoreV1NamespacedPersistentVolumeClaim2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionwatch +jW +x-kubernetes-group-version-kind42group: "" +kind: PersistentVolumeClaim +version: v1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JB +@>"<path!name of the PersistentVolumeClaim"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean  ) +6/apis/apps/v1/namespaces/{namespace}/daemonsets/{name}å(ã +apps_v1read the specified DaemonSet*readAppsV1NamespacedDaemonSet2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*JX += +2006 +4 +OK. +, +*#/definitions/io.k8s.api.apps.v1.DaemonSet + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionget +jM +x-kubernetes-group-version-kind*(group: apps +kind: DaemonSet +version: v1 +ª +apps_v1replace the specified DaemonSet* replaceAppsV1NamespacedDaemonSet2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B@ +> +<bodybody *, +*#/definitions/io.k8s.api.apps.v1.DaemonSetBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string Jœ += +2006 +4 +OK. +, +*#/definitions/io.k8s.api.apps.v1.DaemonSet +B +201; +9 +Created. +, +*#/definitions/io.k8s.api.apps.v1.DaemonSet + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionput +jM +x-kubernetes-group-version-kind*(group: apps +kind: DaemonSet +version: v1 +*ÿ +apps_v1delete a DaemonSet*deleteAppsV1NamespacedDaemonSet2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string J» +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status +R +202K +I +Accepted= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsjM +x-kubernetes-group-version-kind*(group: apps +kind: DaemonSet +version: v1 +j +x-kubernetes-action delete +Bâ +apps_v1(partially update the specified DaemonSet*patchAppsV1NamespacedDaemonSet2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean JX += +2006 +4 +OK. +, +*#/definitions/io.k8s.api.apps.v1.DaemonSet + +401 + + UnauthorizedRhttpsjM +x-kubernetes-group-version-kind*(group: apps +kind: DaemonSet +version: v1 +j +x-kubernetes-actionpatch +J6 +42"0pathname of the DaemonSet"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ¨* +Q/apis/autoscaling/v1/watch/namespaces/{namespace}/horizontalpodautoscalers/{name}Ò)ž +autoscaling_v1¾watch changes to an object of kind HorizontalPodAutoscaler. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*3watchAutoscalingV1NamespacedHorizontalPodAutoscaler2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsjb +x-kubernetes-group-version-kind?=group: autoscaling +kind: HorizontalPodAutoscaler +version: v1 +j +x-kubernetes-actionwatch +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JD +B@">path#name of the HorizontalPodAutoscaler"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ‚- +P/apis/autoscaling/v2beta1/namespaces/{namespace}/horizontalpodautoscalers/{name}­,Ë +autoscaling_v2beta1*read the specified HorizontalPodAutoscaler*7readAutoscalingV2beta1NamespacedHorizontalPodAutoscaler2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Jr +W +200P +N +OKH +F +D#/definitions/io.k8s.api.autoscaling.v2beta1.HorizontalPodAutoscaler + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionget +jg +x-kubernetes-group-version-kindDBversion: v2beta1 +group: autoscaling +kind: HorizontalPodAutoscaler +Æ +autoscaling_v2beta1-replace the specified HorizontalPodAutoscaler*:replaceAutoscalingV2beta1NamespacedHorizontalPodAutoscaler2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BZ +X +Vbodybody *F +D#/definitions/io.k8s.api.autoscaling.v2beta1.HorizontalPodAutoscalerBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string JÐ +\ +201U +S +CreatedH +F +D#/definitions/io.k8s.api.autoscaling.v2beta1.HorizontalPodAutoscaler + +401 + + Unauthorized +W +200P +N +OKH +F +D#/definitions/io.k8s.api.autoscaling.v2beta1.HorizontalPodAutoscalerRhttpsj +x-kubernetes-actionput +jg +x-kubernetes-group-version-kindDBgroup: autoscaling +kind: HorizontalPodAutoscaler +version: v2beta1 +*Í +autoscaling_v2beta1 delete a HorizontalPodAutoscaler*9deleteAutoscalingV2beta1NamespacedHorizontalPodAutoscaler2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string J» +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status +R +202K +I +Accepted= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsjg +x-kubernetes-group-version-kindDBgroup: autoscaling +kind: HorizontalPodAutoscaler +version: v2beta1 +j +x-kubernetes-action delete +BÊ +autoscaling_v2beta16partially update the specified HorizontalPodAutoscaler*8patchAutoscalingV2beta1NamespacedHorizontalPodAutoscaler2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean Jr +W +200P +N +OKH +F +D#/definitions/io.k8s.api.autoscaling.v2beta1.HorizontalPodAutoscaler + +401 + + UnauthorizedRhttpsjg +x-kubernetes-group-version-kindDBkind: HorizontalPodAutoscaler +version: v2beta1 +group: autoscaling +j +x-kubernetes-actionpatch +JD +B@">path#name of the HorizontalPodAutoscaler"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string È) +A/apis/events.k8s.io/v1/watch/namespaces/{namespace}/events/{name}‚)à + events_v1¬watch changes to an object of kind Event. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*watchEventsV1NamespacedEvent2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsjR +x-kubernetes-group-version-kind/-group: events.k8s.io +kind: Event +version: v1 +j +x-kubernetes-actionwatch +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J2 +0.",pathname of the Event"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ÷' +,/apis/storage.k8s.io/v1/watch/storageclassesÆ'º + +storage_v1xwatch individual changes to a list of StorageClass. deprecated: use the 'watch' parameter with a list operation instead.*watchStorageV1StorageClassList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj# +x-kubernetes-action  +watchlist +jZ +x-kubernetes-group-version-kind75group: storage.k8s.io +kind: StorageClass +version: v1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ² + /api/v1/namespaces/{name}/statusç +core_v1&read status of the specified Namespace*readCoreV1NamespaceStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*JX += +2006 +4 +OK. +, +*#/definitions/io.k8s.api.core.v1.Namespace + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionget +jK +x-kubernetes-group-version-kind(&version: v1 +group: "" +kind: Namespace +® +core_v1)replace status of the specified Namespace*replaceCoreV1NamespaceStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B@ +> +<bodybody *, +*#/definitions/io.k8s.api.core.v1.NamespaceBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string Jœ += +2006 +4 +OK. +, +*#/definitions/io.k8s.api.core.v1.Namespace +B +201; +9 +Created. +, +*#/definitions/io.k8s.api.core.v1.Namespace + +401 + + UnauthorizedRhttpsjK +x-kubernetes-group-version-kind(&group: "" +kind: Namespace +version: v1 +j +x-kubernetes-actionput +Bæ +core_v12partially update status of the specified Namespace*patchCoreV1NamespaceStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean JX += +2006 +4 +OK. +, +*#/definitions/io.k8s.api.core.v1.Namespace + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpatch +jK +x-kubernetes-group-version-kind(&version: v1 +group: "" +kind: Namespace +J6 +42"0pathname of the Namespace"name*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ó& +/apis/apps/v1/daemonsetsÖ&Ê +apps_v1'list or watch objects of kind DaemonSet*#listAppsV1DaemonSetForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*J\ +A +200: +8 +OK2 +0 +.#/definitions/io.k8s.api.apps.v1.DaemonSetList + +401 + + UnauthorizedRhttpsjM +x-kubernetes-group-version-kind*(group: apps +kind: DaemonSet +version: v1 +j +x-kubernetes-actionlist +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean Ë) +=/apis/apps/v1/watch/namespaces/{namespace}/replicasets/{name}‰)â +apps_v1±watch changes to an object of kind ReplicaSet. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*watchAppsV1NamespacedReplicaSet2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsjN +x-kubernetes-group-version-kind+)group: apps +kind: ReplicaSet +version: v1 +j +x-kubernetes-actionwatch +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J7 +53"1pathname of the ReplicaSet"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean Ó] +3/apis/batch/v1beta1/namespaces/{namespace}/cronjobs›]Œ& + batch_v1beta1%list or watch objects of kind CronJob*!listBatchV1beta1NamespacedCronJob2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Bï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer B± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean J` +E +200> +< +OK6 +4 +2#/definitions/io.k8s.api.batch.v1beta1.CronJobList + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionlist +jQ +x-kubernetes-group-version-kind.,group: batch +kind: CronJob +version: v1beta1 +"þ + batch_v1beta1create a CronJob*#createBatchV1beta1NamespacedCronJob2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BD +B +@bodybody *0 +.#/definitions/io.k8s.api.batch.v1beta1.CronJobBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string Jí +G +202@ +> +Accepted2 +0 +.#/definitions/io.k8s.api.batch.v1beta1.CronJob + +401 + + Unauthorized +A +200: +8 +OK2 +0 +.#/definitions/io.k8s.api.batch.v1beta1.CronJob +F +201? += +Created2 +0 +.#/definitions/io.k8s.api.batch.v1beta1.CronJobRhttpsj +x-kubernetes-actionpost +jQ +x-kubernetes-group-version-kind.,group: batch +kind: CronJob +version: v1beta1 +*Õ, + batch_v1beta1delete collection of CronJob*-deleteBatchV1beta1CollectionNamespacedCronJob2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string Bž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer Jg + +401 + + Unauthorized +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.StatusRhttpsj* +x-kubernetes-actiondeletecollection +jQ +x-kubernetes-group-version-kind.,group: batch +kind: CronJob +version: v1beta1 +J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ç +/apis/events.k8s.io/v1/ËÈ + events_v1get available resources*getEventsV1APIResources2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJp +U +200N +L +OKF +D +B#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList + +401 + + UnauthorizedRhttpsþ] +//apis/scheduling.k8s.io/v1beta1/priorityclassesÊ]µ& +scheduling_v1beta1+list or watch objects of kind PriorityClass*"listSchedulingV1beta1PriorityClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Bï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer B± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.api.scheduling.v1beta1.PriorityClassList + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionlist +jc +x-kubernetes-group-version-kind@>version: v1beta1 +group: scheduling.k8s.io +kind: PriorityClass +"È +scheduling_v1beta1create a PriorityClass*$createSchedulingV1beta1PriorityClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BO +M +Kbodybody *; +9#/definitions/io.k8s.api.scheduling.v1beta1.PriorityClassBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string JŽ +L +200E +C +OK= +; +9#/definitions/io.k8s.api.scheduling.v1beta1.PriorityClass +Q +201J +H +Created= +; +9#/definitions/io.k8s.api.scheduling.v1beta1.PriorityClass +R +202K +I +Accepted= +; +9#/definitions/io.k8s.api.scheduling.v1beta1.PriorityClass + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpost +jc +x-kubernetes-group-version-kind@>group: scheduling.k8s.io +kind: PriorityClass +version: v1beta1 +*ó, +scheduling_v1beta1"delete collection of PriorityClass*.deleteSchedulingV1beta1CollectionPriorityClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string Bž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer Jg +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsj* +x-kubernetes-actiondeletecollection +jc +x-kubernetes-group-version-kind@>version: v1beta1 +group: scheduling.k8s.io +kind: PriorityClass +JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ë& +/api/v1/configmapsÔ&È +core_v1'list or watch objects of kind ConfigMap*#listCoreV1ConfigMapForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*J\ +A +200: +8 +OK2 +0 +.#/definitions/io.k8s.api.core.v1.ConfigMapList + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionlist +jK +x-kubernetes-group-version-kind(&group: "" +kind: ConfigMap +version: v1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ÿ + +2/api/v1/namespaces/{namespace}/pods/{name}/bindingÈ +"¢ +core_v1create binding of a Pod* createCoreV1NamespacedPodBinding2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B> +< +:bodybody ** +(#/definitions/io.k8s.api.core.v1.BindingJÛ + +401 + + Unauthorized +; +2004 +2 +OK, +* +(#/definitions/io.k8s.api.core.v1.Binding +@ +2019 +7 +Created, +* +(#/definitions/io.k8s.api.core.v1.Binding +A +202: +8 +Accepted, +* +(#/definitions/io.k8s.api.core.v1.BindingRhttpsjI +x-kubernetes-group-version-kind&$group: "" +kind: Binding +version: v1 +j +x-kubernetes-actionpost +Jž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string J– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string J4 +20".pathname of the Binding"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string é +W/apis/autoscaling/v2beta1/namespaces/{namespace}/horizontalpodautoscalers/{name}/statusÛ +autoscaling_v2beta14read status of the specified HorizontalPodAutoscaler*=readAutoscalingV2beta1NamespacedHorizontalPodAutoscalerStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Jr +W +200P +N +OKH +F +D#/definitions/io.k8s.api.autoscaling.v2beta1.HorizontalPodAutoscaler + +401 + + UnauthorizedRhttpsjg +x-kubernetes-group-version-kindDBgroup: autoscaling +kind: HorizontalPodAutoscaler +version: v2beta1 +j +x-kubernetes-actionget +Ö +autoscaling_v2beta17replace status of the specified HorizontalPodAutoscaler*@replaceAutoscalingV2beta1NamespacedHorizontalPodAutoscalerStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BZ +X +Vbodybody *F +D#/definitions/io.k8s.api.autoscaling.v2beta1.HorizontalPodAutoscalerBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string JÐ +W +200P +N +OKH +F +D#/definitions/io.k8s.api.autoscaling.v2beta1.HorizontalPodAutoscaler +\ +201U +S +CreatedH +F +D#/definitions/io.k8s.api.autoscaling.v2beta1.HorizontalPodAutoscaler + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionput +jg +x-kubernetes-group-version-kindDBgroup: autoscaling +kind: HorizontalPodAutoscaler +version: v2beta1 +BÚ +autoscaling_v2beta1@partially update status of the specified HorizontalPodAutoscaler*>patchAutoscalingV2beta1NamespacedHorizontalPodAutoscalerStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean Jr +W +200P +N +OKH +F +D#/definitions/io.k8s.api.autoscaling.v2beta1.HorizontalPodAutoscaler + +401 + + UnauthorizedRhttpsjg +x-kubernetes-group-version-kindDBgroup: autoscaling +kind: HorizontalPodAutoscaler +version: v2beta1 +j +x-kubernetes-actionpatch +JD +B@">path#name of the HorizontalPodAutoscaler"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Ç' +-/apis/discovery.k8s.io/v1beta1/endpointslices•'‰ +discovery_v1beta1+list or watch objects of kind EndpointSlice*1listDiscoveryV1beta1EndpointSliceForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jj +O +200H +F +OK@ +> +<#/definitions/io.k8s.api.discovery.v1beta1.EndpointSliceList + +401 + + UnauthorizedRhttpsjb +x-kubernetes-group-version-kind?=kind: EndpointSlice +version: v1beta1 +group: discovery.k8s.io +j +x-kubernetes-actionlist +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ý +/openid/v1/jwks/èå +openid\get service account issuer OpenID JSON Web Key Set (contains public token verification keys)*#getServiceAccountIssuerOpenIDKeyset2application/jwk-set+jsonJ7 + +401 + + Unauthorized + +200 + +OK + ² +stringRhttpsþ) +R/apis/admissionregistration.k8s.io/v1/watch/validatingwebhookconfigurations/{name}§)Î +admissionregistration_v1Åwatch changes to an object of kind ValidatingWebhookConfiguration. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*:watchAdmissionregistrationV1ValidatingWebhookConfiguration2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsjz +x-kubernetes-group-version-kindWUgroup: admissionregistration.k8s.io +kind: ValidatingWebhookConfiguration +version: v1 +j +x-kubernetes-actionwatch +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JK +IG"Epath*name of the ValidatingWebhookConfiguration"name*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean · +;/apis/authorization.k8s.io/v1beta1/selfsubjectaccessreviews÷ +"é +authorization_v1beta1 create a SelfSubjectAccessReview*1createAuthorizationV1beta1SelfSubjectAccessReview2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B\ +Z +Xbodybody *H +F#/definitions/io.k8s.api.authorization.v1beta1.SelfSubjectAccessReviewJµ +_ +202X +V +AcceptedJ +H +F#/definitions/io.k8s.api.authorization.v1beta1.SelfSubjectAccessReview + +401 + + Unauthorized +Y +200R +P +OKJ +H +F#/definitions/io.k8s.api.authorization.v1beta1.SelfSubjectAccessReview +^ +201W +U +CreatedJ +H +F#/definitions/io.k8s.api.authorization.v1beta1.SelfSubjectAccessReviewRhttpsj +x-kubernetes-actionpost +jp +x-kubernetes-group-version-kindMKgroup: authorization.k8s.io +kind: SelfSubjectAccessReview +version: v1beta1 +Jž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string J– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Ï( +4/apis/batch/v1/watch/namespaces/{namespace}/cronjobs–(¨ +batch_v1swatch individual changes to a list of CronJob. deprecated: use the 'watch' parameter with a list operation instead.*!watchBatchV1NamespacedCronJobList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk + +401 + + Unauthorized +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEventRhttpsj# +x-kubernetes-action  +watchlist +jL +x-kubernetes-group-version-kind)'group: batch +kind: CronJob +version: v1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean À) +;/apis/batch/v1/watch/namespaces/{namespace}/cronjobs/{name}€)Ü +batch_v1®watch changes to an object of kind CronJob. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*watchBatchV1NamespacedCronJob2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionwatch +jL +x-kubernetes-group-version-kind)'group: batch +kind: CronJob +version: v1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J4 +20".pathname of the CronJob"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ž^ +8/apis/apps/v1/namespaces/{namespace}/controllerrevisionsá] & +apps_v10list or watch objects of kind ControllerRevision*&listAppsV1NamespacedControllerRevision2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Bï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer B± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean Je + +401 + + Unauthorized +J +200C +A +OK; +9 +7#/definitions/io.k8s.api.apps.v1.ControllerRevisionListRhttpsj +x-kubernetes-actionlist +jV +x-kubernetes-group-version-kind31group: apps +kind: ControllerRevision +version: v1 +"¡ +apps_v1create a ControllerRevision*(createAppsV1NamespacedControllerRevision2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BI +G +Ebodybody *5 +3#/definitions/io.k8s.api.apps.v1.ControllerRevisionBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string Jü +F +200? += +OK7 +5 +3#/definitions/io.k8s.api.apps.v1.ControllerRevision +K +201D +B +Created7 +5 +3#/definitions/io.k8s.api.apps.v1.ControllerRevision +L +202E +C +Accepted7 +5 +3#/definitions/io.k8s.api.apps.v1.ControllerRevision + +401 + + UnauthorizedRhttpsjV +x-kubernetes-group-version-kind31group: apps +kind: ControllerRevision +version: v1 +j +x-kubernetes-actionpost +*ä, +apps_v1'delete collection of ControllerRevision*2deleteAppsV1CollectionNamespacedControllerRevision2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string Bž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer Jg +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsj* +x-kubernetes-actiondeletecollection +jV +x-kubernetes-group-version-kind31group: apps +kind: ControllerRevision +version: v1 +J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Ü' +-/apis/autoscaling/v1/horizontalpodautoscalersª'ž +autoscaling_v15list or watch objects of kind HorizontalPodAutoscaler*8listAutoscalingV1HorizontalPodAutoscalerForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jq +V +200O +M +OKG +E +C#/definitions/io.k8s.api.autoscaling.v1.HorizontalPodAutoscalerList + +401 + + UnauthorizedRhttpsjb +x-kubernetes-group-version-kind?=version: v1 +group: autoscaling +kind: HorizontalPodAutoscaler +j +x-kubernetes-actionlist +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ü +D/apis/flowcontrol.apiserver.k8s.io/v1beta1/flowschemas/{name}/status³À +flowcontrolApiserver_v1beta1'read status of the specified FlowSchema*/readFlowcontrolApiserverV1beta1FlowSchemaStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Je +J +200C +A +OK; +9 +7#/definitions/io.k8s.api.flowcontrol.v1beta1.FlowSchema + +401 + + UnauthorizedRhttpsjk +x-kubernetes-group-version-kindHFgroup: flowcontrol.apiserver.k8s.io +kind: FlowSchema +version: v1beta1 +j +x-kubernetes-actionget +¡ +flowcontrolApiserver_v1beta1*replace status of the specified FlowSchema*2replaceFlowcontrolApiserverV1beta1FlowSchemaStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BM +K +Ibodybody *9 +7#/definitions/io.k8s.api.flowcontrol.v1beta1.FlowSchemaBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string J¶ +O +201H +F +Created; +9 +7#/definitions/io.k8s.api.flowcontrol.v1beta1.FlowSchema + +401 + + Unauthorized +J +200C +A +OK; +9 +7#/definitions/io.k8s.api.flowcontrol.v1beta1.FlowSchemaRhttpsjk +x-kubernetes-group-version-kindHFkind: FlowSchema +version: v1beta1 +group: flowcontrol.apiserver.k8s.io +j +x-kubernetes-actionput +B¿ +flowcontrolApiserver_v1beta13partially update status of the specified FlowSchema*0patchFlowcontrolApiserverV1beta1FlowSchemaStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean Je +J +200C +A +OK; +9 +7#/definitions/io.k8s.api.flowcontrol.v1beta1.FlowSchema + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpatch +jk +x-kubernetes-group-version-kindHFgroup: flowcontrol.apiserver.k8s.io +kind: FlowSchema +version: v1beta1 +J7 +53"1pathname of the FlowSchema"name*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ­ +1/api/v1/namespaces/{namespace}/pods/{name}/attach÷ – +core_v1%connect GET requests to attach of Pod*#connectCoreV1GetNamespacedPodAttach2*/*:*/*J7 + +401 + + Unauthorized + +200 + +OK + ² +stringRhttpsj! +x-kubernetes-action +connect +jR +x-kubernetes-group-version-kind/-group: "" +kind: PodAttachOptions +version: v1 +"˜ +core_v1&connect POST requests to attach of Pod*$connectCoreV1PostNamespacedPodAttach2*/*:*/*J7 + +401 + + Unauthorized + +200 + +OK + ² +stringRhttpsj! +x-kubernetes-action +connect +jR +x-kubernetes-group-version-kind/-group: "" +kind: PodAttachOptions +version: v1 +Jœ +™–“querytThe container in which to execute the command. Defaults to only container if there is only one container in the pod." container2string J= +;9"7pathname of the PodAttachOptions"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜Jƒ +€~|query_Stderr if true indicates that stderr is to be redirected for the attach call. Defaults to true."stderr2boolean J +}{query_Stdin if true, redirects the standard input stream of the pod for this call. Defaults to false."stdin2boolean Jƒ +€~|query_Stdout if true indicates that stdout is to be redirected for the attach call. Defaults to true."stdout2boolean Jð +íêçqueryÌTTY if true indicates that a tty will be allocated for the attach call. This is passed through the container runtime so the tty is allocated on the worker node by the container runtime. Defaults to false."tty2boolean á& +/api/v1/servicesÌ&À +core_v1%list or watch objects of kind Service*!listCoreV1ServiceForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*JZ +? +2008 +6 +OK0 +. +,#/definitions/io.k8s.api.core.v1.ServiceList + +401 + + UnauthorizedRhttpsjI +x-kubernetes-group-version-kind&$group: "" +kind: Service +version: v1 +j +x-kubernetes-actionlist +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean Ü +/apis/extensions/Æà + +extensionsget information of a group*getExtensionsAPIGroup2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJi +N +200G +E +OK? += +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIGroup + +401 + + UnauthorizedRhttpsâ] +(/apis/policy/v1beta1/podsecuritypoliciesµ]®& +policy_v1beta1/list or watch objects of kind PodSecurityPolicy*"listPolicyV1beta1PodSecurityPolicy2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Bï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer B± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.api.policy.v1beta1.PodSecurityPolicyList + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionlist +j\ +x-kubernetes-group-version-kind97version: v1beta1 +group: policy +kind: PodSecurityPolicy +"Á +policy_v1beta1create a PodSecurityPolicy*$createPolicyV1beta1PodSecurityPolicy2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BO +M +Kbodybody *; +9#/definitions/io.k8s.api.policy.v1beta1.PodSecurityPolicyBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string JŽ +L +200E +C +OK= +; +9#/definitions/io.k8s.api.policy.v1beta1.PodSecurityPolicy +Q +201J +H +Created= +; +9#/definitions/io.k8s.api.policy.v1beta1.PodSecurityPolicy +R +202K +I +Accepted= +; +9#/definitions/io.k8s.api.policy.v1beta1.PodSecurityPolicy + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpost +j\ +x-kubernetes-group-version-kind97version: v1beta1 +group: policy +kind: PodSecurityPolicy +*ì, +policy_v1beta1&delete collection of PodSecurityPolicy*.deletePolicyV1beta1CollectionPodSecurityPolicy2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string Bž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer Jg +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsj* +x-kubernetes-actiondeletecollection +j\ +x-kubernetes-group-version-kind97group: policy +kind: PodSecurityPolicy +version: v1beta1 +JO +MKIquery-If 'true', then the output is pretty printed."pretty2string È) +4/api/v1/namespaces/{namespace}/resourcequotas/{name})ñ +core_v1 read the specified ResourceQuota*!readCoreV1NamespacedResourceQuota2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*J\ +A +200: +8 +OK2 +0 +.#/definitions/io.k8s.api.core.v1.ResourceQuota + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionget +jO +x-kubernetes-group-version-kind,*version: v1 +group: "" +kind: ResourceQuota +À +core_v1#replace the specified ResourceQuota*$replaceCoreV1NamespacedResourceQuota2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BD +B +@bodybody *0 +.#/definitions/io.k8s.api.core.v1.ResourceQuotaBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string J¤ +A +200: +8 +OK2 +0 +.#/definitions/io.k8s.api.core.v1.ResourceQuota +F +201? += +Created2 +0 +.#/definitions/io.k8s.api.core.v1.ResourceQuota + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionput +jO +x-kubernetes-group-version-kind,*group: "" +kind: ResourceQuota +version: v1 +*ó +core_v1delete a ResourceQuota*#deleteCoreV1NamespacedResourceQuota2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string J¥ +A +200: +8 +OK2 +0 +.#/definitions/io.k8s.api.core.v1.ResourceQuota +G +202@ +> +Accepted2 +0 +.#/definitions/io.k8s.api.core.v1.ResourceQuota + +401 + + UnauthorizedRhttpsj +x-kubernetes-action delete +jO +x-kubernetes-group-version-kind,*group: "" +kind: ResourceQuota +version: v1 +Bð +core_v1,partially update the specified ResourceQuota*"patchCoreV1NamespacedResourceQuota2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean J\ + +401 + + Unauthorized +A +200: +8 +OK2 +0 +.#/definitions/io.k8s.api.core.v1.ResourceQuotaRhttpsj +x-kubernetes-actionpatch +jO +x-kubernetes-group-version-kind,*group: "" +kind: ResourceQuota +version: v1 +J: +86"4pathname of the ResourceQuota"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ¿. +Q/apis/admissionregistration.k8s.io/v1beta1/validatingwebhookconfigurations/{name}é- +admissionregistration_v1beta11read the specified ValidatingWebhookConfiguration*>readAdmissionregistrationV1beta1ValidatingWebhookConfiguration2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Jƒ +h +200a +_ +OKY +W +U#/definitions/io.k8s.api.admissionregistration.v1beta1.ValidatingWebhookConfiguration + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionget +j +x-kubernetes-group-version-kind\Zgroup: admissionregistration.k8s.io +kind: ValidatingWebhookConfiguration +version: v1beta1 +© + +admissionregistration_v1beta14replace the specified ValidatingWebhookConfiguration*AreplaceAdmissionregistrationV1beta1ValidatingWebhookConfiguration2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Bk +i +gbodybody *W +U#/definitions/io.k8s.api.admissionregistration.v1beta1.ValidatingWebhookConfigurationBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string Jò + +401 + + Unauthorized +h +200a +_ +OKY +W +U#/definitions/io.k8s.api.admissionregistration.v1beta1.ValidatingWebhookConfiguration +m +201f +d +CreatedY +W +U#/definitions/io.k8s.api.admissionregistration.v1beta1.ValidatingWebhookConfigurationRhttpsj +x-kubernetes-group-version-kind\Zgroup: admissionregistration.k8s.io +kind: ValidatingWebhookConfiguration +version: v1beta1 +j +x-kubernetes-actionput +*ý +admissionregistration_v1beta1'delete a ValidatingWebhookConfiguration*@deleteAdmissionregistrationV1beta1ValidatingWebhookConfiguration2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string J» +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status +R +202K +I +Accepted= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsj +x-kubernetes-action delete +j +x-kubernetes-group-version-kind\Zgroup: admissionregistration.k8s.io +kind: ValidatingWebhookConfiguration +version: v1beta1 +BŒ +admissionregistration_v1beta1=partially update the specified ValidatingWebhookConfiguration*?patchAdmissionregistrationV1beta1ValidatingWebhookConfiguration2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean Jƒ +h +200a +_ +OKY +W +U#/definitions/io.k8s.api.admissionregistration.v1beta1.ValidatingWebhookConfiguration + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpatch +j +x-kubernetes-group-version-kind\Zgroup: admissionregistration.k8s.io +kind: ValidatingWebhookConfiguration +version: v1beta1 +JK +IG"Epath*name of the ValidatingWebhookConfiguration"name*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ¸( +group: scheduling.k8s.io +kind: PriorityClass +version: v1beta1 +j +x-kubernetes-actionget + +scheduling_v1beta1#replace the specified PriorityClass*%replaceSchedulingV1beta1PriorityClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BO +M +Kbodybody *; +9#/definitions/io.k8s.api.scheduling.v1beta1.PriorityClassBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string Jº +L +200E +C +OK= +; +9#/definitions/io.k8s.api.scheduling.v1beta1.PriorityClass +Q +201J +H +Created= +; +9#/definitions/io.k8s.api.scheduling.v1beta1.PriorityClass + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionput +jc +x-kubernetes-group-version-kind@>group: scheduling.k8s.io +kind: PriorityClass +version: v1beta1 +*© +scheduling_v1beta1delete a PriorityClass*$deleteSchedulingV1beta1PriorityClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string J» +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status +R +202K +I +Accepted= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsjc +x-kubernetes-group-version-kind@>group: scheduling.k8s.io +kind: PriorityClass +version: v1beta1 +j +x-kubernetes-action delete +B› +scheduling_v1beta1,partially update the specified PriorityClass*#patchSchedulingV1beta1PriorityClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean Jg +L +200E +C +OK= +; +9#/definitions/io.k8s.api.scheduling.v1beta1.PriorityClass + +401 + + UnauthorizedRhttpsjc +x-kubernetes-group-version-kind@>group: scheduling.k8s.io +kind: PriorityClass +version: v1beta1 +j +x-kubernetes-actionpatch +J: +86"4pathname of the PriorityClass"name*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ³) +7/apis/apps/v1/namespaces/{namespace}/deployments/{name}÷(ç +apps_v1read the specified Deployment*readAppsV1NamespacedDeployment2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*JY +> +2007 +5 +OK/ +- ++#/definitions/io.k8s.api.apps.v1.Deployment + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionget +jN +x-kubernetes-group-version-kind+)group: apps +kind: Deployment +version: v1 +° +apps_v1 replace the specified Deployment*!replaceAppsV1NamespacedDeployment2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BA +? +=bodybody *- ++#/definitions/io.k8s.api.apps.v1.DeploymentBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string Jž +C +201< +: +Created/ +- ++#/definitions/io.k8s.api.apps.v1.Deployment + +401 + + Unauthorized +> +2007 +5 +OK/ +- ++#/definitions/io.k8s.api.apps.v1.DeploymentRhttpsj +x-kubernetes-actionput +jN +x-kubernetes-group-version-kind+)kind: Deployment +version: v1 +group: apps +*‚ +apps_v1delete a Deployment* deleteAppsV1NamespacedDeployment2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string J» +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status +R +202K +I +Accepted= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsjN +x-kubernetes-group-version-kind+)version: v1 +group: apps +kind: Deployment +j +x-kubernetes-action delete +Bæ +apps_v1)partially update the specified Deployment*patchAppsV1NamespacedDeployment2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean JY +> +2007 +5 +OK/ +- ++#/definitions/io.k8s.api.apps.v1.Deployment + +401 + + UnauthorizedRhttpsjN +x-kubernetes-group-version-kind+)group: apps +kind: Deployment +version: v1 +j +x-kubernetes-actionpatch +J7 +53"1pathname of the Deployment"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ù +/apis/certificates.k8s.io/v1/×Ô +certificates_v1get available resources*getCertificatesV1APIResources2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJp +U +200N +L +OKF +D +B#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList + +401 + + UnauthorizedRhttpsé +/apis/coordination.k8s.io/ÊÇ + coordinationget information of a group*getCoordinationAPIGroup2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJi +N +200G +E +OK? += +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIGroup + +401 + + UnauthorizedRhttps´' +*/apis/networking.k8s.io/v1/networkpolicies…'ù + networking_v1+list or watch objects of kind NetworkPolicy*-listNetworkingV1NetworkPolicyForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jf +K +200D +B +OK< +: +8#/definitions/io.k8s.api.networking.v1.NetworkPolicyList + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionlist +j^ +x-kubernetes-group-version-kind;9group: networking.k8s.io +kind: NetworkPolicy +version: v1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean Â] ++/apis/storage.k8s.io/v1beta1/storageclasses’]¥& +storage_v1beta1*list or watch objects of kind StorageClass*listStorageV1beta1StorageClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Bï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer B± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean Jg + +401 + + Unauthorized +L +200E +C +OK= +; +9#/definitions/io.k8s.api.storage.v1beta1.StorageClassListRhttpsj_ +x-kubernetes-group-version-kind<:group: storage.k8s.io +kind: StorageClass +version: v1beta1 +j +x-kubernetes-actionlist +"¬ +storage_v1beta1create a StorageClass* createStorageV1beta1StorageClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BK +I +Gbodybody *7 +5#/definitions/io.k8s.api.storage.v1beta1.StorageClassBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string J‚ +N +202G +E +Accepted9 +7 +5#/definitions/io.k8s.api.storage.v1beta1.StorageClass + +401 + + Unauthorized +H +200A +? +OK9 +7 +5#/definitions/io.k8s.api.storage.v1beta1.StorageClass +M +201F +D +Created9 +7 +5#/definitions/io.k8s.api.storage.v1beta1.StorageClassRhttpsj +x-kubernetes-actionpost +j_ +x-kubernetes-group-version-kind<:version: v1beta1 +group: storage.k8s.io +kind: StorageClass +*ç, +storage_v1beta1!delete collection of StorageClass**deleteStorageV1beta1CollectionStorageClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string Bž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer Jg +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsj* +x-kubernetes-actiondeletecollection +j_ +x-kubernetes-group-version-kind<:group: storage.k8s.io +kind: StorageClass +version: v1beta1 +JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Ü' +/api/v1/watch/limitranges¾'² +core_v1vwatch individual changes to a list of LimitRange. deprecated: use the 'watch' parameter with a list operation instead.*)watchCoreV1LimitRangeListForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsjL +x-kubernetes-group-version-kind)'version: v1 +group: "" +kind: LimitRange +j# +x-kubernetes-action  +watchlist +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean Û( +3/api/v1/watch/namespaces/{namespace}/resourcequotas£(µ +core_v1ywatch individual changes to a list of ResourceQuota. deprecated: use the 'watch' parameter with a list operation instead.*&watchCoreV1NamespacedResourceQuotaList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsjO +x-kubernetes-group-version-kind,*kind: ResourceQuota +version: v1 +group: "" +j# +x-kubernetes-action  +watchlist +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ê* +F/apis/discovery.k8s.io/v1/namespaces/{namespace}/endpointslices/{name}Ÿ*Ž + discovery_v1 read the specified EndpointSlice*&readDiscoveryV1NamespacedEndpointSlice2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Ja +F +200? += +OK7 +5 +3#/definitions/io.k8s.api.discovery.v1.EndpointSlice + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionget +j] +x-kubernetes-group-version-kind:8group: discovery.k8s.io +kind: EndpointSlice +version: v1 +ç + discovery_v1#replace the specified EndpointSlice*)replaceDiscoveryV1NamespacedEndpointSlice2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BI +G +Ebodybody *5 +3#/definitions/io.k8s.api.discovery.v1.EndpointSliceBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string J® +F +200? += +OK7 +5 +3#/definitions/io.k8s.api.discovery.v1.EndpointSlice +K +201D +B +Created7 +5 +3#/definitions/io.k8s.api.discovery.v1.EndpointSlice + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionput +j] +x-kubernetes-group-version-kind:8group: discovery.k8s.io +kind: EndpointSlice +version: v1 +*¢ + discovery_v1delete an EndpointSlice*(deleteDiscoveryV1NamespacedEndpointSlice2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string J» +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status +R +202K +I +Accepted= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsj +x-kubernetes-action delete +j] +x-kubernetes-group-version-kind:8group: discovery.k8s.io +kind: EndpointSlice +version: v1 +B + discovery_v1,partially update the specified EndpointSlice*'patchDiscoveryV1NamespacedEndpointSlice2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean Ja +F +200? += +OK7 +5 +3#/definitions/io.k8s.api.discovery.v1.EndpointSlice + +401 + + UnauthorizedRhttpsj] +x-kubernetes-group-version-kind:8group: discovery.k8s.io +kind: EndpointSlice +version: v1 +j +x-kubernetes-actionpatch +J: +86"4pathname of the EndpointSlice"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ú' +(/apis/events.k8s.io/v1beta1/watch/eventsÍ'Á +events_v1beta1qwatch individual changes to a list of Event. deprecated: use the 'watch' parameter with a list operation instead.*+watchEventsV1beta1EventListForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj# +x-kubernetes-action  +watchlist +jW +x-kubernetes-group-version-kind42group: events.k8s.io +kind: Event +version: v1beta1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean © +5/api/v1/namespaces/{namespace}/services/{name}/statusïé +core_v1$read status of the specified Service*!readCoreV1NamespacedServiceStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*JV +; +2004 +2 +OK, +* +(#/definitions/io.k8s.api.core.v1.Service + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionget +jI +x-kubernetes-group-version-kind&$group: "" +kind: Service +version: v1 +¬ +core_v1'replace status of the specified Service*$replaceCoreV1NamespacedServiceStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B> +< +:bodybody ** +(#/definitions/io.k8s.api.core.v1.ServiceBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string J˜ +; +2004 +2 +OK, +* +(#/definitions/io.k8s.api.core.v1.Service +@ +2019 +7 +Created, +* +(#/definitions/io.k8s.api.core.v1.Service + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionput +jI +x-kubernetes-group-version-kind&$group: "" +kind: Service +version: v1 +Bè +core_v10partially update status of the specified Service*"patchCoreV1NamespacedServiceStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean JV +; +2004 +2 +OK, +* +(#/definitions/io.k8s.api.core.v1.Service + +401 + + UnauthorizedRhttpsjI +x-kubernetes-group-version-kind&$group: "" +kind: Service +version: v1 +j +x-kubernetes-actionpatch +J4 +20".pathname of the Service"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ã- +L/apis/admissionregistration.k8s.io/v1/validatingwebhookconfigurations/{name}’-ø +admissionregistration_v11read the specified ValidatingWebhookConfiguration*9readAdmissionregistrationV1ValidatingWebhookConfiguration2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*J~ +c +200\ +Z +OKT +R +P#/definitions/io.k8s.api.admissionregistration.v1.ValidatingWebhookConfiguration + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionget +jz +x-kubernetes-group-version-kindWUgroup: admissionregistration.k8s.io +kind: ValidatingWebhookConfiguration +version: v1 +‹ + +admissionregistration_v14replace the specified ValidatingWebhookConfiguration* +< +OK6 +4 +2#/definitions/io.k8s.api.networking.v1.IngressList + +401 + + UnauthorizedRhttpsjX +x-kubernetes-group-version-kind53kind: Ingress +version: v1 +group: networking.k8s.io +j +x-kubernetes-actionlist +"† + networking_v1create an Ingress*#createNetworkingV1NamespacedIngress2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BD +B +@bodybody *0 +.#/definitions/io.k8s.api.networking.v1.IngressBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string Jí +A +200: +8 +OK2 +0 +.#/definitions/io.k8s.api.networking.v1.Ingress +F +201? += +Created2 +0 +.#/definitions/io.k8s.api.networking.v1.Ingress +G +202@ +> +Accepted2 +0 +.#/definitions/io.k8s.api.networking.v1.Ingress + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpost +jX +x-kubernetes-group-version-kind53group: networking.k8s.io +kind: Ingress +version: v1 +*Ü, + networking_v1delete collection of Ingress*-deleteNetworkingV1CollectionNamespacedIngress2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string Bž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer Jg +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsj* +x-kubernetes-actiondeletecollection +jX +x-kubernetes-group-version-kind53group: networking.k8s.io +kind: Ingress +version: v1 +J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ú) +B/api/v1/watch/namespaces/{namespace}/replicationcontrollers/{name}³) +core_v1¼watch changes to an object of kind ReplicationController. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.**watchCoreV1NamespacedReplicationController2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk + +401 + + Unauthorized +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEventRhttpsj +x-kubernetes-actionwatch +jW +x-kubernetes-group-version-kind42version: v1 +group: "" +kind: ReplicationController +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JB +@>"<path!name of the ReplicationController"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ·' +-/apis/rbac.authorization.k8s.io/v1beta1/roles…'ù +rbacAuthorization_v1beta1"list or watch objects of kind Role*0listRbacAuthorizationV1beta1RoleForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*J\ +A +200: +8 +OK2 +0 +.#/definitions/io.k8s.api.rbac.v1beta1.RoleList + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionlist +jb +x-kubernetes-group-version-kind?=group: rbac.authorization.k8s.io +kind: Role +version: v1beta1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ` +I/apis/autoscaling/v2beta1/namespaces/{namespace}/horizontalpodautoscalersÏ_ä& +autoscaling_v2beta15list or watch objects of kind HorizontalPodAutoscaler*7listAutoscalingV2beta1NamespacedHorizontalPodAutoscaler2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Bï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer B± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean Jv +[ +200T +R +OKL +J +H#/definitions/io.k8s.api.autoscaling.v2beta1.HorizontalPodAutoscalerList + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionlist +jg +x-kubernetes-group-version-kindDBversion: v2beta1 +group: autoscaling +kind: HorizontalPodAutoscaler +"˜ + +autoscaling_v2beta1 create a HorizontalPodAutoscaler*9createAutoscalingV2beta1NamespacedHorizontalPodAutoscaler2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BZ +X +Vbodybody *F +D#/definitions/io.k8s.api.autoscaling.v2beta1.HorizontalPodAutoscalerBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string J¯ +W +200P +N +OKH +F +D#/definitions/io.k8s.api.autoscaling.v2beta1.HorizontalPodAutoscaler +\ +201U +S +CreatedH +F +D#/definitions/io.k8s.api.autoscaling.v2beta1.HorizontalPodAutoscaler +] +202V +T +AcceptedH +F +D#/definitions/io.k8s.api.autoscaling.v2beta1.HorizontalPodAutoscaler + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpost +jg +x-kubernetes-group-version-kindDBgroup: autoscaling +kind: HorizontalPodAutoscaler +version: v2beta1 +*—- +autoscaling_v2beta1,delete collection of HorizontalPodAutoscaler*CdeleteAutoscalingV2beta1CollectionNamespacedHorizontalPodAutoscaler2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string Bž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer Jg +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsj* +x-kubernetes-actiondeletecollection +jg +x-kubernetes-group-version-kindDBversion: v2beta1 +group: autoscaling +kind: HorizontalPodAutoscaler +J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ó +/apis/networking.k8s.io/v1/ÓÐ + networking_v1get available resources*getNetworkingV1APIResources2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJp +U +200N +L +OKF +D +B#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList + +401 + + UnauthorizedRhttps¢_ +K/apis/rbac.authorization.k8s.io/v1beta1/namespaces/{namespace}/rolebindingsÒ^Ç& +rbacAuthorization_v1beta1)list or watch objects of kind RoleBinding*1listRbacAuthorizationV1beta1NamespacedRoleBinding2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Bï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer B± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean Jc +H +200A +? +OK9 +7 +5#/definitions/io.k8s.api.rbac.v1beta1.RoleBindingList + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionlist +ji +x-kubernetes-group-version-kindFDgroup: rbac.authorization.k8s.io +kind: RoleBinding +version: v1beta1 +" +rbacAuthorization_v1beta1create a RoleBinding*3createRbacAuthorizationV1beta1NamespacedRoleBinding2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BG +E +Cbodybody *3 +1#/definitions/io.k8s.api.rbac.v1beta1.RoleBindingBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string Jö +D +200= +; +OK5 +3 +1#/definitions/io.k8s.api.rbac.v1beta1.RoleBinding +I +201B +@ +Created5 +3 +1#/definitions/io.k8s.api.rbac.v1beta1.RoleBinding +J +202C +A +Accepted5 +3 +1#/definitions/io.k8s.api.rbac.v1beta1.RoleBinding + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpost +ji +x-kubernetes-group-version-kindFDversion: v1beta1 +group: rbac.authorization.k8s.io +kind: RoleBinding +*- +rbacAuthorization_v1beta1 delete collection of RoleBinding*=deleteRbacAuthorizationV1beta1CollectionNamespacedRoleBinding2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string Bž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer Jg +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsj* +x-kubernetes-actiondeletecollection +ji +x-kubernetes-group-version-kindFDkind: RoleBinding +version: v1beta1 +group: rbac.authorization.k8s.io +J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ‘ +%/apis/apiregistration.k8s.io/v1beta1/çä +apiregistration_v1beta1get available resources*%getApiregistrationV1beta1APIResources2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJp +U +200N +L +OKF +D +B#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList + +401 + + UnauthorizedRhttpsÓ( +5/apis/apps/v1/watch/namespaces/{namespace}/daemonsets™(« +apps_v1uwatch individual changes to a list of DaemonSet. deprecated: use the 'watch' parameter with a list operation instead.*"watchAppsV1NamespacedDaemonSetList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsjM +x-kubernetes-group-version-kind*(group: apps +kind: DaemonSet +version: v1 +j# +x-kubernetes-action  +watchlist +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ×( +6/apis/apps/v1/watch/namespaces/{namespace}/deploymentsœ(® +apps_v1vwatch individual changes to a list of Deployment. deprecated: use the 'watch' parameter with a list operation instead.*#watchAppsV1NamespacedDeploymentList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsjN +x-kubernetes-group-version-kind+)group: apps +kind: Deployment +version: v1 +j# +x-kubernetes-action  +watchlist +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ž +R/apis/autoscaling/v1/namespaces/{namespace}/horizontalpodautoscalers/{name}/statusÇÇ +autoscaling_v14read status of the specified HorizontalPodAutoscaler*8readAutoscalingV1NamespacedHorizontalPodAutoscalerStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Jm +R +200K +I +OKC +A +?#/definitions/io.k8s.api.autoscaling.v1.HorizontalPodAutoscaler + +401 + + UnauthorizedRhttpsjb +x-kubernetes-group-version-kind?=kind: HorizontalPodAutoscaler +version: v1 +group: autoscaling +j +x-kubernetes-actionget +¸ +autoscaling_v17replace status of the specified HorizontalPodAutoscaler*;replaceAutoscalingV1NamespacedHorizontalPodAutoscalerStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BU +S +Qbodybody *A +?#/definitions/io.k8s.api.autoscaling.v1.HorizontalPodAutoscalerBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string JÆ +R +200K +I +OKC +A +?#/definitions/io.k8s.api.autoscaling.v1.HorizontalPodAutoscaler +W +201P +N +CreatedC +A +?#/definitions/io.k8s.api.autoscaling.v1.HorizontalPodAutoscaler + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionput +jb +x-kubernetes-group-version-kind?=version: v1 +group: autoscaling +kind: HorizontalPodAutoscaler +BÆ +autoscaling_v1@partially update status of the specified HorizontalPodAutoscaler*9patchAutoscalingV1NamespacedHorizontalPodAutoscalerStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean Jm +R +200K +I +OKC +A +?#/definitions/io.k8s.api.autoscaling.v1.HorizontalPodAutoscaler + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpatch +jb +x-kubernetes-group-version-kind?=group: autoscaling +kind: HorizontalPodAutoscaler +version: v1 +JD +B@">path#name of the HorizontalPodAutoscaler"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string À] +//apis/rbac.authorization.k8s.io/v1/clusterrolesŒ]©& +rbacAuthorization_v1)list or watch objects of kind ClusterRole*"listRbacAuthorizationV1ClusterRole2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Bï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer B± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean J^ +C +200< +: +OK4 +2 +0#/definitions/io.k8s.api.rbac.v1.ClusterRoleList + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionlist +jd +x-kubernetes-group-version-kindA?group: rbac.authorization.k8s.io +kind: ClusterRole +version: v1 +"• +rbacAuthorization_v1create a ClusterRole*$createRbacAuthorizationV1ClusterRole2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BB +@ +>bodybody *. +,#/definitions/io.k8s.api.rbac.v1.ClusterRoleBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string Jç +E +202> +< +Accepted0 +. +,#/definitions/io.k8s.api.rbac.v1.ClusterRole + +401 + + Unauthorized +? +2008 +6 +OK0 +. +,#/definitions/io.k8s.api.rbac.v1.ClusterRole +D +201= +; +Created0 +. +,#/definitions/io.k8s.api.rbac.v1.ClusterRoleRhttpsj +x-kubernetes-actionpost +jd +x-kubernetes-group-version-kindA?group: rbac.authorization.k8s.io +kind: ClusterRole +version: v1 +*ô, +rbacAuthorization_v1 delete collection of ClusterRole*.deleteRbacAuthorizationV1CollectionClusterRole2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string Bž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer Jg +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsjd +x-kubernetes-group-version-kindA?version: v1 +group: rbac.authorization.k8s.io +kind: ClusterRole +j* +x-kubernetes-actiondeletecollection +JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ³) +7/apis/apps/v1/namespaces/{namespace}/replicasets/{name}÷(ç +apps_v1read the specified ReplicaSet*readAppsV1NamespacedReplicaSet2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*JY + +401 + + Unauthorized +> +2007 +5 +OK/ +- ++#/definitions/io.k8s.api.apps.v1.ReplicaSetRhttpsj +x-kubernetes-actionget +jN +x-kubernetes-group-version-kind+)group: apps +kind: ReplicaSet +version: v1 +° +apps_v1 replace the specified ReplicaSet*!replaceAppsV1NamespacedReplicaSet2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BA +? +=bodybody *- ++#/definitions/io.k8s.api.apps.v1.ReplicaSetBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string Jž +> +2007 +5 +OK/ +- ++#/definitions/io.k8s.api.apps.v1.ReplicaSet +C +201< +: +Created/ +- ++#/definitions/io.k8s.api.apps.v1.ReplicaSet + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionput +jN +x-kubernetes-group-version-kind+)kind: ReplicaSet +version: v1 +group: apps +*‚ +apps_v1delete a ReplicaSet* deleteAppsV1NamespacedReplicaSet2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string J» +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status +R +202K +I +Accepted= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsjN +x-kubernetes-group-version-kind+)group: apps +kind: ReplicaSet +version: v1 +j +x-kubernetes-action delete +Bæ +apps_v1)partially update the specified ReplicaSet*patchAppsV1NamespacedReplicaSet2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean JY +> +2007 +5 +OK/ +- ++#/definitions/io.k8s.api.apps.v1.ReplicaSet + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpatch +jN +x-kubernetes-group-version-kind+)group: apps +kind: ReplicaSet +version: v1 +J7 +53"1pathname of the ReplicaSet"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ‡' +/apis/batch/v1beta1/cronjobsæ&Ú + batch_v1beta1%list or watch objects of kind CronJob*'listBatchV1beta1CronJobForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*J` +E +200> +< +OK6 +4 +2#/definitions/io.k8s.api.batch.v1beta1.CronJobList + +401 + + UnauthorizedRhttpsjQ +x-kubernetes-group-version-kind.,group: batch +kind: CronJob +version: v1beta1 +j +x-kubernetes-actionlist +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean £* +5/apis/networking.k8s.io/v1beta1/ingressclasses/{name}é)˜ +networking_v1beta1read the specified IngressClass*!readNetworkingV1beta1IngressClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Jf +K +200D +B +OK< +: +8#/definitions/io.k8s.api.networking.v1beta1.IngressClass + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionget +jb +x-kubernetes-group-version-kind?=group: networking.k8s.io +kind: IngressClass +version: v1beta1 +û +networking_v1beta1"replace the specified IngressClass*$replaceNetworkingV1beta1IngressClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BN +L +Jbodybody *: +8#/definitions/io.k8s.api.networking.v1beta1.IngressClassBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string J¸ +K +200D +B +OK< +: +8#/definitions/io.k8s.api.networking.v1beta1.IngressClass +P +201I +G +Created< +: +8#/definitions/io.k8s.api.networking.v1beta1.IngressClass + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionput +jb +x-kubernetes-group-version-kind?=group: networking.k8s.io +kind: IngressClass +version: v1beta1 +*§ +networking_v1beta1delete an IngressClass*#deleteNetworkingV1beta1IngressClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string J» +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status +R +202K +I +Accepted= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsjb +x-kubernetes-group-version-kind?=group: networking.k8s.io +kind: IngressClass +version: v1beta1 +j +x-kubernetes-action delete +B— +networking_v1beta1+partially update the specified IngressClass*"patchNetworkingV1beta1IngressClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean Jf +K +200D +B +OK< +: +8#/definitions/io.k8s.api.networking.v1beta1.IngressClass + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpatch +jb +x-kubernetes-group-version-kind?=group: networking.k8s.io +kind: IngressClass +version: v1beta1 +J9 +75"3pathname of the IngressClass"name*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Ü+ +G/apis/policy/v1beta1/namespaces/{namespace}/poddisruptionbudgets/{name}+§ +policy_v1beta1&read the specified PodDisruptionBudget*.readPolicyV1beta1NamespacedPodDisruptionBudget2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Ji +N +200G +E +OK? += +;#/definitions/io.k8s.api.policy.v1beta1.PodDisruptionBudget + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionget +j^ +x-kubernetes-group-version-kind;9group: policy +kind: PodDisruptionBudget +version: v1beta1 + +policy_v1beta1)replace the specified PodDisruptionBudget*1replacePolicyV1beta1NamespacedPodDisruptionBudget2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BQ +O +Mbodybody *= +;#/definitions/io.k8s.api.policy.v1beta1.PodDisruptionBudgetBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string J¾ + +401 + + Unauthorized +N +200G +E +OK? += +;#/definitions/io.k8s.api.policy.v1beta1.PodDisruptionBudget +S +201L +J +Created? += +;#/definitions/io.k8s.api.policy.v1beta1.PodDisruptionBudgetRhttpsj +x-kubernetes-actionput +j^ +x-kubernetes-group-version-kind;9group: policy +kind: PodDisruptionBudget +version: v1beta1 +*² +policy_v1beta1delete a PodDisruptionBudget*0deletePolicyV1beta1NamespacedPodDisruptionBudget2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string J» + +401 + + Unauthorized +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status +R +202K +I +Accepted= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.StatusRhttpsj +x-kubernetes-action delete +j^ +x-kubernetes-group-version-kind;9version: v1beta1 +group: policy +kind: PodDisruptionBudget +B¦ +policy_v1beta12partially update the specified PodDisruptionBudget*/patchPolicyV1beta1NamespacedPodDisruptionBudget2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean Ji +N +200G +E +OK? += +;#/definitions/io.k8s.api.policy.v1beta1.PodDisruptionBudget + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpatch +j^ +x-kubernetes-group-version-kind;9group: policy +kind: PodDisruptionBudget +version: v1beta1 +J@ +><":pathname of the PodDisruptionBudget"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ‹( +1/apis/storage.k8s.io/v1beta1/watch/storageclassesÕ'É +storage_v1beta1xwatch individual changes to a list of StorageClass. deprecated: use the 'watch' parameter with a list operation instead.*#watchStorageV1beta1StorageClassList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj# +x-kubernetes-action  +watchlist +j_ +x-kubernetes-group-version-kind<:group: storage.k8s.io +kind: StorageClass +version: v1beta1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean û +/apis/extensions/v1beta1/ÝÚ +extensions_v1beta1get available resources* getExtensionsV1beta1APIResources2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJp +U +200N +L +OKF +D +B#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList + +401 + + UnauthorizedRhttps½^ +6/apis/flowcontrol.apiserver.k8s.io/v1beta1/flowschemas‚^É& +flowcontrolApiserver_v1beta1(list or watch objects of kind FlowSchema*)listFlowcontrolApiserverV1beta1FlowSchema2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Bï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer B± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean Ji +N +200G +E +OK? += +;#/definitions/io.k8s.api.flowcontrol.v1beta1.FlowSchemaList + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionlist +jk +x-kubernetes-group-version-kindHFgroup: flowcontrol.apiserver.k8s.io +kind: FlowSchema +version: v1beta1 +"Ö +flowcontrolApiserver_v1beta1create a FlowSchema*+createFlowcontrolApiserverV1beta1FlowSchema2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BM +K +Ibodybody *9 +7#/definitions/io.k8s.api.flowcontrol.v1beta1.FlowSchemaBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string Jˆ +J +200C +A +OK; +9 +7#/definitions/io.k8s.api.flowcontrol.v1beta1.FlowSchema +O +201H +F +Created; +9 +7#/definitions/io.k8s.api.flowcontrol.v1beta1.FlowSchema +P +202I +G +Accepted; +9 +7#/definitions/io.k8s.api.flowcontrol.v1beta1.FlowSchema + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpost +jk +x-kubernetes-group-version-kindHFgroup: flowcontrol.apiserver.k8s.io +kind: FlowSchema +version: v1beta1 +*‰- +flowcontrolApiserver_v1beta1delete collection of FlowSchema*5deleteFlowcontrolApiserverV1beta1CollectionFlowSchema2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string Bž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer Jg +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsj* +x-kubernetes-actiondeletecollection +jk +x-kubernetes-group-version-kindHFgroup: flowcontrol.apiserver.k8s.io +kind: FlowSchema +version: v1beta1 +JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ˜ +(/apis/rbac.authorization.k8s.io/v1beta1/ëè +rbacAuthorization_v1beta1get available resources*'getRbacAuthorizationV1beta1APIResources2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJp + +401 + + Unauthorized +U +200N +L +OKF +D +B#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceListRhttps( +./apis/rbac.authorization.k8s.io/v1/watch/rolesÝ'Ñ +rbacAuthorization_v1pwatch individual changes to a list of Role. deprecated: use the 'watch' parameter with a list operation instead.*0watchRbacAuthorizationV1RoleListForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk + +401 + + Unauthorized +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEventRhttpsj# +x-kubernetes-action  +watchlist +j] +x-kubernetes-group-version-kind:8group: rbac.authorization.k8s.io +kind: Role +version: v1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ý& +/apis/apps/v1/statefulsetsÞ&Ò +apps_v1)list or watch objects of kind StatefulSet*%listAppsV1StatefulSetForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*J^ +C +200< +: +OK4 +2 +0#/definitions/io.k8s.api.apps.v1.StatefulSetList + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionlist +jO +x-kubernetes-group-version-kind,*group: apps +kind: StatefulSet +version: v1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean à +/apis/discovery.k8s.io/ÄÁ + discoveryget information of a group*getDiscoveryAPIGroup2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJi +N +200G +E +OK? += +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIGroup + +401 + + UnauthorizedRhttps™) +J/apis/discovery.k8s.io/v1beta1/watch/namespaces/{namespace}/endpointslicesÊ(Ü +discovery_v1beta1ywatch individual changes to a list of EndpointSlice. deprecated: use the 'watch' parameter with a list operation instead.*0watchDiscoveryV1beta1NamespacedEndpointSliceList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk + +401 + + Unauthorized +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEventRhttpsj# +x-kubernetes-action  +watchlist +jb +x-kubernetes-group-version-kind?=group: discovery.k8s.io +kind: EndpointSlice +version: v1beta1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ‹* +B/apis/networking.k8s.io/v1/namespaces/{namespace}/ingresses/{name}Ä)ú + networking_v1read the specified Ingress*!readNetworkingV1NamespacedIngress2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*J\ +A +200: +8 +OK2 +0 +.#/definitions/io.k8s.api.networking.v1.Ingress + +401 + + UnauthorizedRhttpsjX +x-kubernetes-group-version-kind53group: networking.k8s.io +kind: Ingress +version: v1 +j +x-kubernetes-actionget +É + networking_v1replace the specified Ingress*$replaceNetworkingV1NamespacedIngress2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BD +B +@bodybody *0 +.#/definitions/io.k8s.api.networking.v1.IngressBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string J¤ +A +200: +8 +OK2 +0 +.#/definitions/io.k8s.api.networking.v1.Ingress +F +201? += +Created2 +0 +.#/definitions/io.k8s.api.networking.v1.Ingress + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionput +jX +x-kubernetes-group-version-kind53group: networking.k8s.io +kind: Ingress +version: v1 +*“ + networking_v1delete an Ingress*#deleteNetworkingV1NamespacedIngress2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string J» +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status +R +202K +I +Accepted= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsj +x-kubernetes-action delete +jX +x-kubernetes-group-version-kind53version: v1 +group: networking.k8s.io +kind: Ingress +Bù + networking_v1&partially update the specified Ingress*"patchNetworkingV1NamespacedIngress2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean J\ +A +200: +8 +OK2 +0 +.#/definitions/io.k8s.api.networking.v1.Ingress + +401 + + UnauthorizedRhttpsjX +x-kubernetes-group-version-kind53kind: Ingress +version: v1 +group: networking.k8s.io +j +x-kubernetes-actionpatch +J4 +20".pathname of the Ingress"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Ô +/api/v1/ÇÄ +core_v1get available resources*getCoreV1APIResources2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJp +U +200N +L +OKF +D +B#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList + +401 + + UnauthorizedRhttps¦] +0/apis/apps/v1/namespaces/{namespace}/replicasetsñ\€& +apps_v1(list or watch objects of kind ReplicaSet*listAppsV1NamespacedReplicaSet2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Bï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer B± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean J] +B +200; +9 +OK3 +1 +/#/definitions/io.k8s.api.apps.v1.ReplicaSetList + +401 + + UnauthorizedRhttpsjN +x-kubernetes-group-version-kind+)kind: ReplicaSet +version: v1 +group: apps +j +x-kubernetes-actionlist +"é +apps_v1create a ReplicaSet* createAppsV1NamespacedReplicaSet2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BA +? +=bodybody *- ++#/definitions/io.k8s.api.apps.v1.ReplicaSetBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string Jä +> +2007 +5 +OK/ +- ++#/definitions/io.k8s.api.apps.v1.ReplicaSet +C +201< +: +Created/ +- ++#/definitions/io.k8s.api.apps.v1.ReplicaSet +D +202= +; +Accepted/ +- ++#/definitions/io.k8s.api.apps.v1.ReplicaSet + +401 + + UnauthorizedRhttpsjN +x-kubernetes-group-version-kind+)version: v1 +group: apps +kind: ReplicaSet +j +x-kubernetes-actionpost +*Ì, +apps_v1delete collection of ReplicaSet**deleteAppsV1CollectionNamespacedReplicaSet2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string Bž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer Jg +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsjN +x-kubernetes-group-version-kind+)version: v1 +group: apps +kind: ReplicaSet +j* +x-kubernetes-actiondeletecollection +J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string â+ +>/apis/certificates.k8s.io/v1/certificatesigningrequests/{name}Ÿ+À +certificates_v1,read the specified CertificateSigningRequest*+readCertificatesV1CertificateSigningRequest2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Jp + +401 + + Unauthorized +U +200N +L +OKF +D +B#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequestRhttpsj +x-kubernetes-actionget +jl +x-kubernetes-group-version-kindIGgroup: certificates.k8s.io +kind: CertificateSigningRequest +version: v1 +· +certificates_v1/replace the specified CertificateSigningRequest*.replaceCertificatesV1CertificateSigningRequest2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BX +V +Tbodybody *D +B#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequestBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string JÌ +U +200N +L +OKF +D +B#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequest +Z +201S +Q +CreatedF +D +B#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequest + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionput +jl +x-kubernetes-group-version-kindIGgroup: certificates.k8s.io +kind: CertificateSigningRequest +version: v1 +*Ä +certificates_v1"delete a CertificateSigningRequest*-deleteCertificatesV1CertificateSigningRequest2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string J» +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status +R +202K +I +Accepted= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsj +x-kubernetes-action delete +jl +x-kubernetes-group-version-kindIGgroup: certificates.k8s.io +kind: CertificateSigningRequest +version: v1 +B¿ +certificates_v18partially update the specified CertificateSigningRequest*,patchCertificatesV1CertificateSigningRequest2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean Jp +U +200N +L +OKF +D +B#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequest + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpatch +jl +x-kubernetes-group-version-kindIGgroup: certificates.k8s.io +kind: CertificateSigningRequest +version: v1 +JF +DB"@path%name of the CertificateSigningRequest"name*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string  ^ +9/apis/extensions/v1beta1/namespaces/{namespace}/ingressesâ] & +extensions_v1beta1%list or watch objects of kind Ingress*&listExtensionsV1beta1NamespacedIngress2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Bï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer B± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean Je +J +200C +A +OK; +9 +7#/definitions/io.k8s.api.extensions.v1beta1.IngressList + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionlist +jV +x-kubernetes-group-version-kind31group: extensions +kind: Ingress +version: v1beta1 +"¢ +extensions_v1beta1create an Ingress*(createExtensionsV1beta1NamespacedIngress2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BI +G +Ebodybody *5 +3#/definitions/io.k8s.api.extensions.v1beta1.IngressBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string Jü +F +200? += +OK7 +5 +3#/definitions/io.k8s.api.extensions.v1beta1.Ingress +K +201D +B +Created7 +5 +3#/definitions/io.k8s.api.extensions.v1beta1.Ingress +L +202E +C +Accepted7 +5 +3#/definitions/io.k8s.api.extensions.v1beta1.Ingress + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpost +jV +x-kubernetes-group-version-kind31group: extensions +kind: Ingress +version: v1beta1 +*ä, +extensions_v1beta1delete collection of Ingress*2deleteExtensionsV1beta1CollectionNamespacedIngress2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string Bž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer Jg +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsj* +x-kubernetes-actiondeletecollection +jV +x-kubernetes-group-version-kind31group: extensions +kind: Ingress +version: v1beta1 +J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Þ( +&/api/v1/watch/persistentvolumes/{name}³(è +core_v1·watch changes to an object of kind PersistentVolume. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*watchCoreV1PersistentVolume2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk + +401 + + Unauthorized +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEventRhttpsj +x-kubernetes-actionwatch +jR +x-kubernetes-group-version-kind/-group: "" +kind: PersistentVolume +version: v1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J= +;9"7pathname of the PersistentVolume"name*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ‰( +$/api/v1/watch/replicationcontrollersà'Ô +core_v1watch individual changes to a list of ReplicationController. deprecated: use the 'watch' parameter with a list operation instead.*4watchCoreV1ReplicationControllerListForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsjW +x-kubernetes-group-version-kind42group: "" +kind: ReplicationController +version: v1 +j# +x-kubernetes-action  +watchlist +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ø& +/apis/apps/v1/deploymentsÚ&Î +apps_v1(list or watch objects of kind Deployment*$listAppsV1DeploymentForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*J] +B +200; +9 +OK3 +1 +/#/definitions/io.k8s.api.apps.v1.DeploymentList + +401 + + UnauthorizedRhttpsjN +x-kubernetes-group-version-kind+)version: v1 +group: apps +kind: Deployment +j +x-kubernetes-actionlist +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean é +/apis/certificates.k8s.io/ÊÇ + certificatesget information of a group*getCertificatesAPIGroup2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJi +N +200G +E +OK? += +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIGroup + +401 + + UnauthorizedRhttps„_ +7/apis/certificates.k8s.io/v1/certificatesigningrequestsÈ^Ù& +certificates_v17list or watch objects of kind CertificateSigningRequest*+listCertificatesV1CertificateSigningRequest2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Bï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer B± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean Jt +Y +200R +P +OKJ +H +F#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequestList + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionlist +jl +x-kubernetes-group-version-kindIGgroup: certificates.k8s.io +kind: CertificateSigningRequest +version: v1 +"‡ + +certificates_v1"create a CertificateSigningRequest*-createCertificatesV1CertificateSigningRequest2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BX +V +Tbodybody *D +B#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequestBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string J© +U +200N +L +OKF +D +B#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequest +Z +201S +Q +CreatedF +D +B#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequest +[ +202T +R +AcceptedF +D +B#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequest + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpost +jl +x-kubernetes-group-version-kindIGkind: CertificateSigningRequest +version: v1 +group: certificates.k8s.io +*Ž- +certificates_v1.delete collection of CertificateSigningRequest*7deleteCertificatesV1CollectionCertificateSigningRequest2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string Bž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer Jg +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsjl +x-kubernetes-group-version-kindIGgroup: certificates.k8s.io +kind: CertificateSigningRequest +version: v1 +j* +x-kubernetes-actiondeletecollection +JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ø( +?/apis/extensions/v1beta1/watch/namespaces/{namespace}/ingresses´(Æ +extensions_v1beta1swatch individual changes to a list of Ingress. deprecated: use the 'watch' parameter with a list operation instead.*+watchExtensionsV1beta1NamespacedIngressList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk + +401 + + Unauthorized +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEventRhttpsj# +x-kubernetes-action  +watchlist +jV +x-kubernetes-group-version-kind31group: extensions +kind: Ingress +version: v1beta1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean à +/apis/policy/v1/ËÈ + policy_v1get available resources*getPolicyV1APIResources2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJp +U +200N +L +OKF +D +B#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList + +401 + + UnauthorizedRhttpsã +/apis/scheduling.k8s.io/Æà + +schedulingget information of a group*getSchedulingAPIGroup2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJi +N +200G +E +OK? += +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIGroup + +401 + + UnauthorizedRhttps³) +Q/apis/rbac.authorization.k8s.io/v1beta1/watch/namespaces/{namespace}/rolebindingsÝ(ï +rbacAuthorization_v1beta1wwatch individual changes to a list of RoleBinding. deprecated: use the 'watch' parameter with a list operation instead.*6watchRbacAuthorizationV1beta1NamespacedRoleBindingList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsji +x-kubernetes-group-version-kindFDgroup: rbac.authorization.k8s.io +kind: RoleBinding +version: v1beta1 +j# +x-kubernetes-action  +watchlist +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ´ +4/api/v1/namespaces/{namespace}/services/{name}/proxyûŸ +core_v1(connect GET requests to proxy of Service*&connectCoreV1GetNamespacedServiceProxy2*/*:*/*J7 + +200 + +OK + ² +string + +401 + + UnauthorizedRhttpsj! +x-kubernetes-action +connect +jU +x-kubernetes-group-version-kind20group: "" +kind: ServiceProxyOptions +version: v1 +Ÿ +core_v1(connect PUT requests to proxy of Service*&connectCoreV1PutNamespacedServiceProxy2*/*:*/*J7 + +200 + +OK + ² +string + +401 + + UnauthorizedRhttpsj! +x-kubernetes-action +connect +jU +x-kubernetes-group-version-kind20version: v1 +group: "" +kind: ServiceProxyOptions +"¡ +core_v1)connect POST requests to proxy of Service*'connectCoreV1PostNamespacedServiceProxy2*/*:*/*J7 + +200 + +OK + ² +string + +401 + + UnauthorizedRhttpsjU +x-kubernetes-group-version-kind20group: "" +kind: ServiceProxyOptions +version: v1 +j! +x-kubernetes-action +connect +*¥ +core_v1+connect DELETE requests to proxy of Service*)connectCoreV1DeleteNamespacedServiceProxy2*/*:*/*J7 + +200 + +OK + ² +string + +401 + + UnauthorizedRhttpsj! +x-kubernetes-action +connect +jU +x-kubernetes-group-version-kind20group: "" +kind: ServiceProxyOptions +version: v1 +2§ +core_v1,connect OPTIONS requests to proxy of Service**connectCoreV1OptionsNamespacedServiceProxy2*/*:*/*J7 + +200 + +OK + ² +string + +401 + + UnauthorizedRhttpsj! +x-kubernetes-action +connect +jU +x-kubernetes-group-version-kind20group: "" +kind: ServiceProxyOptions +version: v1 +:¡ +core_v1)connect HEAD requests to proxy of Service*'connectCoreV1HeadNamespacedServiceProxy2*/*:*/*J7 + +200 + +OK + ² +string + +401 + + UnauthorizedRhttpsjU +x-kubernetes-group-version-kind20group: "" +kind: ServiceProxyOptions +version: v1 +j! +x-kubernetes-action +connect +B£ +core_v1*connect PATCH requests to proxy of Service*(connectCoreV1PatchNamespacedServiceProxy2*/*:*/*J7 + +200 + +OK + ² +string + +401 + + UnauthorizedRhttpsjU +x-kubernetes-group-version-kind20kind: ServiceProxyOptions +version: v1 +group: "" +j! +x-kubernetes-action +connect +J@ +><":pathname of the ServiceProxyOptions"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JÐ +ÍÊÇquery¬Path is the part of URLs that include service endpoints, suffixes, and parameters to use for the current proxy request to service. For example, the whole request URL is http://localhost/api/v1/namespaces/kube-system/services/elasticsearch-logging/_search?q=user:kimchy. Path is _search?q=user:kimchy."path2string Ü' +/apis/batch/v1/watch/cronjobsº'® +batch_v1swatch individual changes to a list of CronJob. deprecated: use the 'watch' parameter with a list operation instead.*'watchBatchV1CronJobListForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj# +x-kubernetes-action  +watchlist +jL +x-kubernetes-group-version-kind)'group: batch +kind: CronJob +version: v1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean × +/apis/events.k8s.io/¾» +eventsget information of a group*getEventsAPIGroup2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJi +N +200G +E +OK? += +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIGroup + +401 + + UnauthorizedRhttps…( +(/apis/extensions/v1beta1/watch/ingressesØ'Ì +extensions_v1beta1swatch individual changes to a list of Ingress. deprecated: use the 'watch' parameter with a list operation instead.*1watchExtensionsV1beta1IngressListForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj# +x-kubernetes-action  +watchlist +jV +x-kubernetes-group-version-kind31group: extensions +kind: Ingress +version: v1beta1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ×^ +F/apis/rbac.authorization.k8s.io/v1/namespaces/{namespace}/rolebindingsŒ^³& +rbacAuthorization_v1)list or watch objects of kind RoleBinding*,listRbacAuthorizationV1NamespacedRoleBinding2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Bï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer B± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean J^ +C +200< +: +OK4 +2 +0#/definitions/io.k8s.api.rbac.v1.RoleBindingList + +401 + + UnauthorizedRhttpsjd +x-kubernetes-group-version-kindA?version: v1 +group: rbac.authorization.k8s.io +kind: RoleBinding +j +x-kubernetes-actionlist +"Ÿ +rbacAuthorization_v1create a RoleBinding*.createRbacAuthorizationV1NamespacedRoleBinding2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BB +@ +>bodybody *. +,#/definitions/io.k8s.api.rbac.v1.RoleBindingBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string Jç +D +201= +; +Created0 +. +,#/definitions/io.k8s.api.rbac.v1.RoleBinding +E +202> +< +Accepted0 +. +,#/definitions/io.k8s.api.rbac.v1.RoleBinding + +401 + + Unauthorized +? +2008 +6 +OK0 +. +,#/definitions/io.k8s.api.rbac.v1.RoleBindingRhttpsj +x-kubernetes-actionpost +jd +x-kubernetes-group-version-kindA?kind: RoleBinding +version: v1 +group: rbac.authorization.k8s.io +*þ, +rbacAuthorization_v1 delete collection of RoleBinding*8deleteRbacAuthorizationV1CollectionNamespacedRoleBinding2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string Bž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer Jg +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsj* +x-kubernetes-actiondeletecollection +jd +x-kubernetes-group-version-kindA?group: rbac.authorization.k8s.io +kind: RoleBinding +version: v1 +J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string œ( +5/apis/rbac.authorization.k8s.io/v1/watch/clusterrolesâ'Ö +rbacAuthorization_v1wwatch individual changes to a list of ClusterRole. deprecated: use the 'watch' parameter with a list operation instead.*'watchRbacAuthorizationV1ClusterRoleList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj# +x-kubernetes-action  +watchlist +jd +x-kubernetes-group-version-kindA?version: v1 +group: rbac.authorization.k8s.io +kind: ClusterRole +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean æ( + /api/v1/persistentvolumes/{name}Á(ó +core_v1#read the specified PersistentVolume*readCoreV1PersistentVolume2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*J_ +D +200= +; +OK5 +3 +1#/definitions/io.k8s.api.core.v1.PersistentVolume + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionget +jR +x-kubernetes-group-version-kind/-group: "" +kind: PersistentVolume +version: v1 +È +core_v1&replace the specified PersistentVolume*replaceCoreV1PersistentVolume2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BG +E +Cbodybody *3 +1#/definitions/io.k8s.api.core.v1.PersistentVolumeBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string Jª +D +200= +; +OK5 +3 +1#/definitions/io.k8s.api.core.v1.PersistentVolume +I +201B +@ +Created5 +3 +1#/definitions/io.k8s.api.core.v1.PersistentVolume + +401 + + UnauthorizedRhttpsjR +x-kubernetes-group-version-kind/-group: "" +kind: PersistentVolume +version: v1 +j +x-kubernetes-actionput +*ø +core_v1delete a PersistentVolume*deleteCoreV1PersistentVolume2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string J« +D +200= +; +OK5 +3 +1#/definitions/io.k8s.api.core.v1.PersistentVolume +J +202C +A +Accepted5 +3 +1#/definitions/io.k8s.api.core.v1.PersistentVolume + +401 + + UnauthorizedRhttpsjR +x-kubernetes-group-version-kind/-group: "" +kind: PersistentVolume +version: v1 +j +x-kubernetes-action delete +Bò +core_v1/partially update the specified PersistentVolume*patchCoreV1PersistentVolume2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean J_ +D +200= +; +OK5 +3 +1#/definitions/io.k8s.api.core.v1.PersistentVolume + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpatch +jR +x-kubernetes-group-version-kind/-group: "" +kind: PersistentVolume +version: v1 +J= +;9"7pathname of the PersistentVolume"name*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Æ) + +< +Created1 +/ +-#/definitions/io.k8s.api.node.v1.RuntimeClass +F +202? += +Accepted1 +/ +-#/definitions/io.k8s.api.node.v1.RuntimeClass + +401 + + Unauthorized +@ +2009 +7 +OK1 +/ +-#/definitions/io.k8s.api.node.v1.RuntimeClassRhttpsj +x-kubernetes-actionpost +jW +x-kubernetes-group-version-kind42group: node.k8s.io +kind: RuntimeClass +version: v1 +*Ï, +node_v1!delete collection of RuntimeClass*"deleteNodeV1CollectionRuntimeClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string Bž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer Jg +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsjW +x-kubernetes-group-version-kind42kind: RuntimeClass +version: v1 +group: node.k8s.io +j* +x-kubernetes-actiondeletecollection +JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ±\ +#/api/v1/namespaces/{namespace}/pods‰\â% +core_v1!list or watch objects of kind Pod*listCoreV1NamespacedPod2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Bï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer B± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean JV + +401 + + Unauthorized +; +2004 +2 +OK, +* +(#/definitions/io.k8s.api.core.v1.PodListRhttpsj +x-kubernetes-actionlist +jE +x-kubernetes-group-version-kind" group: "" +kind: Pod +version: v1 +"¶ +core_v1 create a Pod*createCoreV1NamespacedPod2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B: +8 +6bodybody *& +$#/definitions/io.k8s.api.core.v1.PodBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string JÏ + +401 + + Unauthorized +7 +2000 +. +OK( +& +$#/definitions/io.k8s.api.core.v1.Pod +< +2015 +3 +Created( +& +$#/definitions/io.k8s.api.core.v1.Pod += +2026 +4 +Accepted( +& +$#/definitions/io.k8s.api.core.v1.PodRhttpsjE +x-kubernetes-group-version-kind" kind: Pod +version: v1 +group: "" +j +x-kubernetes-actionpost +*µ, +core_v1delete collection of Pod*#deleteCoreV1CollectionNamespacedPod2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string Bž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer Jg +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsj* +x-kubernetes-actiondeletecollection +jE +x-kubernetes-group-version-kind" group: "" +kind: Pod +version: v1 +J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Þ\ +&/api/v1/namespaces/{namespace}/secrets³\î% +core_v1$list or watch objects of kind Secret*listCoreV1NamespacedSecret2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Bï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer B± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean JY +> +2007 +5 +OK/ +- ++#/definitions/io.k8s.api.core.v1.SecretList + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionlist +jH +x-kubernetes-group-version-kind%#group: "" +kind: Secret +version: v1 +"Ë +core_v1create a Secret*createCoreV1NamespacedSecret2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B= +; +9bodybody *) +'#/definitions/io.k8s.api.core.v1.SecretBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string JØ +: +2003 +1 +OK+ +) +'#/definitions/io.k8s.api.core.v1.Secret +? +2018 +6 +Created+ +) +'#/definitions/io.k8s.api.core.v1.Secret +@ +2029 +7 +Accepted+ +) +'#/definitions/io.k8s.api.core.v1.Secret + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpost +jH +x-kubernetes-group-version-kind%#version: v1 +group: "" +kind: Secret +*¾, +core_v1delete collection of Secret*&deleteCoreV1CollectionNamespacedSecret2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string Bž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer Jg +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsj* +x-kubernetes-actiondeletecollection +jH +x-kubernetes-group-version-kind%#group: "" +kind: Secret +version: v1 +J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Á) +D/apis/certificates.k8s.io/v1/watch/certificatesigningrequests/{name}ø(¤ +certificates_v1Àwatch changes to an object of kind CertificateSigningRequest. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*,watchCertificatesV1CertificateSigningRequest2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionwatch +jl +x-kubernetes-group-version-kindIGgroup: certificates.k8s.io +kind: CertificateSigningRequest +version: v1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JF +DB"@path%name of the CertificateSigningRequest"name*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ï +/apis/policy/v1beta1/ÕÒ +policy_v1beta1get available resources*getPolicyV1beta1APIResources2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJp +U +200N +L +OKF +D +B#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList + +401 + + UnauthorizedRhttps–) +=/apis/apiregistration.k8s.io/v1beta1/watch/apiservices/{name}Ô( +apiregistration_v1beta1±watch changes to an object of kind APIService. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*%watchApiregistrationV1beta1APIService2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsje +x-kubernetes-group-version-kindB@version: v1beta1 +kind: APIService +group: apiregistration.k8s.io +j +x-kubernetes-actionwatch +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J7 +53"1pathname of the APIService"name*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean Ù( +:/apis/events.k8s.io/v1/watch/namespaces/{namespace}/eventsš(¬ + events_v1qwatch individual changes to a list of Event. deprecated: use the 'watch' parameter with a list operation instead.* watchEventsV1NamespacedEventList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj# +x-kubernetes-action  +watchlist +jR +x-kubernetes-group-version-kind/-group: events.k8s.io +kind: Event +version: v1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ú( +,/apis/storage.k8s.io/v1beta1/csinodes/{name}É(ø +storage_v1beta1read the specified CSINode*readStorageV1beta1CSINode2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*J^ +C +200< +: +OK4 +2 +0#/definitions/io.k8s.api.storage.v1beta1.CSINode + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionget +jZ +x-kubernetes-group-version-kind75group: storage.k8s.io +kind: CSINode +version: v1beta1 +Ë +storage_v1beta1replace the specified CSINode*replaceStorageV1beta1CSINode2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BF +D +Bbodybody *2 +0#/definitions/io.k8s.api.storage.v1beta1.CSINodeBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string J¨ +C +200< +: +OK4 +2 +0#/definitions/io.k8s.api.storage.v1beta1.CSINode +H +201A +? +Created4 +2 +0#/definitions/io.k8s.api.storage.v1beta1.CSINode + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionput +jZ +x-kubernetes-group-version-kind75group: storage.k8s.io +kind: CSINode +version: v1beta1 +*ü +storage_v1beta1delete a CSINode*deleteStorageV1beta1CSINode2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string J© +I +202B +@ +Accepted4 +2 +0#/definitions/io.k8s.api.storage.v1beta1.CSINode + +401 + + Unauthorized +C +200< +: +OK4 +2 +0#/definitions/io.k8s.api.storage.v1beta1.CSINodeRhttpsj +x-kubernetes-action delete +jZ +x-kubernetes-group-version-kind75group: storage.k8s.io +kind: CSINode +version: v1beta1 +B÷ +storage_v1beta1&partially update the specified CSINode*patchStorageV1beta1CSINode2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean J^ +C +200< +: +OK4 +2 +0#/definitions/io.k8s.api.storage.v1beta1.CSINode + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpatch +jZ +x-kubernetes-group-version-kind75kind: CSINode +version: v1beta1 +group: storage.k8s.io +J4 +20".pathname of the CSINode"name*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ö) +6/apis/rbac.authorization.k8s.io/v1/clusterroles/{name}») +rbacAuthorization_v1read the specified ClusterRole*"readRbacAuthorizationV1ClusterRole2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*JZ +? +2008 +6 +OK0 +. +,#/definitions/io.k8s.api.rbac.v1.ClusterRole + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionget +jd +x-kubernetes-group-version-kindA?group: rbac.authorization.k8s.io +kind: ClusterRole +version: v1 +Û +rbacAuthorization_v1!replace the specified ClusterRole*%replaceRbacAuthorizationV1ClusterRole2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BB +@ +>bodybody *. +,#/definitions/io.k8s.api.rbac.v1.ClusterRoleBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string J  +? +2008 +6 +OK0 +. +,#/definitions/io.k8s.api.rbac.v1.ClusterRole +D +201= +; +Created0 +. +,#/definitions/io.k8s.api.rbac.v1.ClusterRole + +401 + + UnauthorizedRhttpsjd +x-kubernetes-group-version-kindA?group: rbac.authorization.k8s.io +kind: ClusterRole +version: v1 +j +x-kubernetes-actionput +*ª +rbacAuthorization_v1delete a ClusterRole*$deleteRbacAuthorizationV1ClusterRole2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string J» +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status +R +202K +I +Accepted= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsj +x-kubernetes-action delete +jd +x-kubernetes-group-version-kindA?group: rbac.authorization.k8s.io +kind: ClusterRole +version: v1 +B +rbacAuthorization_v1*partially update the specified ClusterRole*#patchRbacAuthorizationV1ClusterRole2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean JZ +? +2008 +6 +OK0 +. +,#/definitions/io.k8s.api.rbac.v1.ClusterRole + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpatch +jd +x-kubernetes-group-version-kindA?kind: ClusterRole +version: v1 +group: rbac.authorization.k8s.io +J8 +64"2pathname of the ClusterRole"name*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ž' +(/apis/rbac.authorization.k8s.io/v1/rolesñ&å +rbacAuthorization_v1"list or watch objects of kind Role*+listRbacAuthorizationV1RoleForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*JW +< +2005 +3 +OK- ++ +)#/definitions/io.k8s.api.rbac.v1.RoleList + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionlist +j] +x-kubernetes-group-version-kind:8group: rbac.authorization.k8s.io +kind: Role +version: v1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean À( +:/apis/rbac.authorization.k8s.io/v1beta1/watch/rolebindings(õ +rbacAuthorization_v1beta1wwatch individual changes to a list of RoleBinding. deprecated: use the 'watch' parameter with a list operation instead.*bodybody *. +,#/definitions/io.k8s.api.apps.v1.StatefulSetBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string J  +? +2008 +6 +OK0 +. +,#/definitions/io.k8s.api.apps.v1.StatefulSet +D +201= +; +Created0 +. +,#/definitions/io.k8s.api.apps.v1.StatefulSet + +401 + + UnauthorizedRhttpsjO +x-kubernetes-group-version-kind,*group: apps +kind: StatefulSet +version: v1 +j +x-kubernetes-actionput +*… +apps_v1delete a StatefulSet*!deleteAppsV1NamespacedStatefulSet2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string J» +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status +R +202K +I +Accepted= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsj +x-kubernetes-action delete +jO +x-kubernetes-group-version-kind,*group: apps +kind: StatefulSet +version: v1 +Bê +apps_v1*partially update the specified StatefulSet* patchAppsV1NamespacedStatefulSet2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean JZ +? +2008 +6 +OK0 +. +,#/definitions/io.k8s.api.apps.v1.StatefulSet + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpatch +jO +x-kubernetes-group-version-kind,*version: v1 +group: apps +kind: StatefulSet +J8 +64"2pathname of the StatefulSet"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string è' + /apis/apps/v1/watch/statefulsetsÃ'· +apps_v1wwatch individual changes to a list of StatefulSet. deprecated: use the 'watch' parameter with a list operation instead.**watchAppsV1StatefulSetListForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsjO +x-kubernetes-group-version-kind,*group: apps +kind: StatefulSet +version: v1 +j# +x-kubernetes-action  +watchlist +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean é +W/apis/autoscaling/v2beta2/namespaces/{namespace}/horizontalpodautoscalers/{name}/statusÛ +autoscaling_v2beta24read status of the specified HorizontalPodAutoscaler*=readAutoscalingV2beta2NamespacedHorizontalPodAutoscalerStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Jr +W +200P +N +OKH +F +D#/definitions/io.k8s.api.autoscaling.v2beta2.HorizontalPodAutoscaler + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionget +jg +x-kubernetes-group-version-kindDBgroup: autoscaling +kind: HorizontalPodAutoscaler +version: v2beta2 +Ö +autoscaling_v2beta27replace status of the specified HorizontalPodAutoscaler*@replaceAutoscalingV2beta2NamespacedHorizontalPodAutoscalerStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BZ +X +Vbodybody *F +D#/definitions/io.k8s.api.autoscaling.v2beta2.HorizontalPodAutoscalerBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string JÐ +W +200P +N +OKH +F +D#/definitions/io.k8s.api.autoscaling.v2beta2.HorizontalPodAutoscaler +\ +201U +S +CreatedH +F +D#/definitions/io.k8s.api.autoscaling.v2beta2.HorizontalPodAutoscaler + +401 + + UnauthorizedRhttpsjg +x-kubernetes-group-version-kindDBkind: HorizontalPodAutoscaler +version: v2beta2 +group: autoscaling +j +x-kubernetes-actionput +BÚ +autoscaling_v2beta2@partially update status of the specified HorizontalPodAutoscaler*>patchAutoscalingV2beta2NamespacedHorizontalPodAutoscalerStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean Jr +W +200P +N +OKH +F +D#/definitions/io.k8s.api.autoscaling.v2beta2.HorizontalPodAutoscaler + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpatch +jg +x-kubernetes-group-version-kindDBgroup: autoscaling +kind: HorizontalPodAutoscaler +version: v2beta2 +JD +B@">path#name of the HorizontalPodAutoscaler"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Ý +/apis/batch/v1/ÉÆ +batch_v1get available resources*getBatchV1APIResources2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJp +U +200N +L +OKF +D +B#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList + +401 + + UnauthorizedRhttpsú +./api/v1/namespaces/{namespace}/pods/{name}/logÇÄ +core_v1read log of the specified Pod*readCoreV1NamespacedPodLog2 +text/plain2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*J7 + +200 + +OK + ² +string + +401 + + UnauthorizedRhttpsjE +x-kubernetes-group-version-kind" kind: Pod +version: v1 +group: "" +j +x-kubernetes-actionget +J +Š‡queryhThe container for which to stream logs. Defaults to only container if there is one container in the pod." container2string JW +USQquery4Follow the log stream of the pod. Defaults to false."follow2boolean JŒ +‰†ƒqueryÏinsecureSkipTLSVerifyBackend indicates that the apiserver should not confirm the validity of the serving certificate of the backend it is connecting to. This will make the HTTPS connection between the apiserver and the backend insecure. This means the apiserver cannot verify the log data it is receiving came from the real kubelet. If the kubelet is configured to verify the apiserver's TLS credentials, it does not mean the connection to the real kubelet is vulnerable to a man in the middle attack (e.g. an attacker could not intercept the actual log data coming from the real kubelet)."insecureSkipTLSVerifyBackend2boolean J€ +ýú÷queryÕIf set, the number of bytes to read from the server before terminating the log output. This may not display a complete final line of logging, and may return slightly more or slightly less than the specified limit." +limitBytes2integer J0 +.,"*pathname of the Pod"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jb +`^\query=Return previous terminated container logs. Defaults to false."previous2boolean JÍ +ÊÇÄquery A relative time in seconds before the current time from which to show logs. If this value precedes the time a pod was started, only logs since the pod start will be returned. If this value is in the future, no logs will be returned. Only one of sinceSeconds or sinceTime may be specified." sinceSeconds2integer JÈ +Å¿queryžIf set, the number of lines from the end of the logs to show. If not specified, logs are shown from the creation of the container or sinceSeconds or sinceTime" tailLines2integer J› +˜•’queryqIf true, add an RFC3339 or RFC3339Nano timestamp at the beginning of every line of log output. Defaults to false." +timestamps2boolean ×' +1/apis/storage.k8s.io/v1beta1/csistoragecapacities¡'• +storage_v1beta10list or watch objects of kind CSIStorageCapacity*4listStorageV1beta1CSIStorageCapacityForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jm +R +200K +I +OKC +A +?#/definitions/io.k8s.api.storage.v1beta1.CSIStorageCapacityList + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionlist +je +x-kubernetes-group-version-kindB@group: storage.k8s.io +kind: CSIStorageCapacity +version: v1beta1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ³_ +H/apis/storage.k8s.io/v1beta1/namespaces/{namespace}/csistoragecapacitiesæ^Ç& +storage_v1beta10list or watch objects of kind CSIStorageCapacity*.listStorageV1beta1NamespacedCSIStorageCapacity2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Bï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer B± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean Jm +R +200K +I +OKC +A +?#/definitions/io.k8s.api.storage.v1beta1.CSIStorageCapacityList + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionlist +je +x-kubernetes-group-version-kindB@version: v1beta1 +group: storage.k8s.io +kind: CSIStorageCapacity +"à +storage_v1beta1create a CSIStorageCapacity*0createStorageV1beta1NamespacedCSIStorageCapacity2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BQ +O +Mbodybody *= +;#/definitions/io.k8s.api.storage.v1beta1.CSIStorageCapacityBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string J” +N +200G +E +OK? += +;#/definitions/io.k8s.api.storage.v1beta1.CSIStorageCapacity +S +201L +J +Created? += +;#/definitions/io.k8s.api.storage.v1beta1.CSIStorageCapacity +T +202M +K +Accepted? += +;#/definitions/io.k8s.api.storage.v1beta1.CSIStorageCapacity + +401 + + UnauthorizedRhttpsje +x-kubernetes-group-version-kindB@group: storage.k8s.io +kind: CSIStorageCapacity +version: v1beta1 +j +x-kubernetes-actionpost +*ƒ- +storage_v1beta1'delete collection of CSIStorageCapacity*:deleteStorageV1beta1CollectionNamespacedCSIStorageCapacity2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string Bž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer Jg +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsje +x-kubernetes-group-version-kindB@group: storage.k8s.io +kind: CSIStorageCapacity +version: v1beta1 +j* +x-kubernetes-actiondeletecollection +J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string · +!/api/v1/nodes/{name}/proxy/{path}‘” +core_v1%connect GET requests to proxy of Node*!connectCoreV1GetNodeProxyWithPath2*/*:*/*J7 + +200 + +OK + ² +string + +401 + + UnauthorizedRhttpsj! +x-kubernetes-action +connect +jR +x-kubernetes-group-version-kind/-group: "" +kind: NodeProxyOptions +version: v1 +” +core_v1%connect PUT requests to proxy of Node*!connectCoreV1PutNodeProxyWithPath2*/*:*/*J7 + +200 + +OK + ² +string + +401 + + UnauthorizedRhttpsj! +x-kubernetes-action +connect +jR +x-kubernetes-group-version-kind/-version: v1 +group: "" +kind: NodeProxyOptions +"– +core_v1&connect POST requests to proxy of Node*"connectCoreV1PostNodeProxyWithPath2*/*:*/*J7 + +200 + +OK + ² +string + +401 + + UnauthorizedRhttpsj! +x-kubernetes-action +connect +jR +x-kubernetes-group-version-kind/-version: v1 +group: "" +kind: NodeProxyOptions +*š +core_v1(connect DELETE requests to proxy of Node*$connectCoreV1DeleteNodeProxyWithPath2*/*:*/*J7 + +200 + +OK + ² +string + +401 + + UnauthorizedRhttpsj! +x-kubernetes-action +connect +jR +x-kubernetes-group-version-kind/-group: "" +kind: NodeProxyOptions +version: v1 +2œ +core_v1)connect OPTIONS requests to proxy of Node*%connectCoreV1OptionsNodeProxyWithPath2*/*:*/*J7 + +200 + +OK + ² +string + +401 + + UnauthorizedRhttpsjR +x-kubernetes-group-version-kind/-group: "" +kind: NodeProxyOptions +version: v1 +j! +x-kubernetes-action +connect +:– +core_v1&connect HEAD requests to proxy of Node*"connectCoreV1HeadNodeProxyWithPath2*/*:*/*J7 + +200 + +OK + ² +string + +401 + + UnauthorizedRhttpsjR +x-kubernetes-group-version-kind/-group: "" +kind: NodeProxyOptions +version: v1 +j! +x-kubernetes-action +connect +B˜ +core_v1'connect PATCH requests to proxy of Node*#connectCoreV1PatchNodeProxyWithPath2*/*:*/*J7 + +200 + +OK + ² +string + +401 + + UnauthorizedRhttpsj! +x-kubernetes-action +connect +jR +x-kubernetes-group-version-kind/-group: "" +kind: NodeProxyOptions +version: v1 +J= +;9"7pathname of the NodeProxyOptions"name*string˜J5 +31"/pathpath to the resource"path*string˜Jb +`^\queryBPath is the URL path to use for the current proxy request to node."path2string »^ +?/apis/discovery.k8s.io/v1/namespaces/{namespace}/endpointslices÷]§& + discovery_v1+list or watch objects of kind EndpointSlice*&listDiscoveryV1NamespacedEndpointSlice2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Bï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer B± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean Je +J +200C +A +OK; +9 +7#/definitions/io.k8s.api.discovery.v1.EndpointSliceList + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionlist +j] +x-kubernetes-group-version-kind:8group: discovery.k8s.io +kind: EndpointSlice +version: v1 +"© + discovery_v1create an EndpointSlice*(createDiscoveryV1NamespacedEndpointSlice2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BI +G +Ebodybody *5 +3#/definitions/io.k8s.api.discovery.v1.EndpointSliceBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string Jü +F +200? += +OK7 +5 +3#/definitions/io.k8s.api.discovery.v1.EndpointSlice +K +201D +B +Created7 +5 +3#/definitions/io.k8s.api.discovery.v1.EndpointSlice +L +202E +C +Accepted7 +5 +3#/definitions/io.k8s.api.discovery.v1.EndpointSlice + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpost +j] +x-kubernetes-group-version-kind:8group: discovery.k8s.io +kind: EndpointSlice +version: v1 +*ë, + discovery_v1"delete collection of EndpointSlice*2deleteDiscoveryV1CollectionNamespacedEndpointSlice2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string Bž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer Jg +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsj* +x-kubernetes-actiondeletecollection +j] +x-kubernetes-group-version-kind:8group: discovery.k8s.io +kind: EndpointSlice +version: v1 +J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ³] +*/apis/scheduling.k8s.io/v1/priorityclasses„]¡& + scheduling_v1+list or watch objects of kind PriorityClass*listSchedulingV1PriorityClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Bï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer B± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean Jf +K +200D +B +OK< +: +8#/definitions/io.k8s.api.scheduling.v1.PriorityClassList + +401 + + UnauthorizedRhttpsj^ +x-kubernetes-group-version-kind;9group: scheduling.k8s.io +kind: PriorityClass +version: v1 +j +x-kubernetes-actionlist +"¥ + scheduling_v1create a PriorityClass*createSchedulingV1PriorityClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BJ +H +Fbodybody *6 +4#/definitions/io.k8s.api.scheduling.v1.PriorityClassBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string Jÿ +G +200@ +> +OK8 +6 +4#/definitions/io.k8s.api.scheduling.v1.PriorityClass +L +201E +C +Created8 +6 +4#/definitions/io.k8s.api.scheduling.v1.PriorityClass +M +202F +D +Accepted8 +6 +4#/definitions/io.k8s.api.scheduling.v1.PriorityClass + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpost +j^ +x-kubernetes-group-version-kind;9group: scheduling.k8s.io +kind: PriorityClass +version: v1 +*ä, + scheduling_v1"delete collection of PriorityClass*)deleteSchedulingV1CollectionPriorityClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string Bž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer Jg +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsj^ +x-kubernetes-group-version-kind;9group: scheduling.k8s.io +kind: PriorityClass +version: v1 +j* +x-kubernetes-actiondeletecollection +JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ‚ + /apis/scheduling.k8s.io/v1beta1/ÝÚ +scheduling_v1beta1get available resources* getSchedulingV1beta1APIResources2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJp +U +200N +L +OKF +D +B#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList + +401 + + UnauthorizedRhttps¯ +J/apis/apiextensions.k8s.io/v1beta1/customresourcedefinitions/{name}/statusà‚ +apiextensions_v1beta15read status of the specified CustomResourceDefinition*6readApiextensionsV1beta1CustomResourceDefinitionStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*J’ +w +200p +n +OKh +f +d#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceDefinition + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionget +jq +x-kubernetes-group-version-kindNLgroup: apiextensions.k8s.io +kind: CustomResourceDefinition +version: v1beta1 +¼ + +apiextensions_v1beta18replace status of the specified CustomResourceDefinition*9replaceApiextensionsV1beta1CustomResourceDefinitionStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Bz +x +vbodybody *f +d#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceDefinitionBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string J +w +200p +n +OKh +f +d#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceDefinition +| +201u +s +Createdh +f +d#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceDefinition + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionput +jq +x-kubernetes-group-version-kindNLversion: v1beta1 +group: apiextensions.k8s.io +kind: CustomResourceDefinition +B +apiextensions_v1beta1Apartially update status of the specified CustomResourceDefinition*7patchApiextensionsV1beta1CustomResourceDefinitionStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean J’ +w +200p +n +OKh +f +d#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceDefinition + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpatch +jq +x-kubernetes-group-version-kindNLversion: v1beta1 +group: apiextensions.k8s.io +kind: CustomResourceDefinition +JE +CA"?path$name of the CustomResourceDefinition"name*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ï +/apis/authentication.k8s.io/ÎË +authenticationget information of a group*getAuthenticationAPIGroup2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJi +N +200G +E +OK? += +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIGroup + +401 + + UnauthorizedRhttpsñ( +4/apis/storage.k8s.io/v1beta1/watch/csidrivers/{name}¸(ô +storage_v1beta1°watch changes to an object of kind CSIDriver. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*watchStorageV1beta1CSIDriver2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionwatch +j\ +x-kubernetes-group-version-kind97group: storage.k8s.io +kind: CSIDriver +version: v1beta1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J6 +42"0pathname of the CSIDriver"name*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ÷ +7/apis/storage.k8s.io/v1/volumeattachments/{name}/status»˜ + +storage_v1-read status of the specified VolumeAttachment*#readStorageV1VolumeAttachmentStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Jb +G +200@ +> +OK8 +6 +4#/definitions/io.k8s.api.storage.v1.VolumeAttachment + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionget +j^ +x-kubernetes-group-version-kind;9group: storage.k8s.io +kind: VolumeAttachment +version: v1 +ó + +storage_v10replace status of the specified VolumeAttachment*&replaceStorageV1VolumeAttachmentStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BJ +H +Fbodybody *6 +4#/definitions/io.k8s.api.storage.v1.VolumeAttachmentBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string J° +G +200@ +> +OK8 +6 +4#/definitions/io.k8s.api.storage.v1.VolumeAttachment +L +201E +C +Created8 +6 +4#/definitions/io.k8s.api.storage.v1.VolumeAttachment + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionput +j^ +x-kubernetes-group-version-kind;9group: storage.k8s.io +kind: VolumeAttachment +version: v1 +B— + +storage_v19partially update status of the specified VolumeAttachment*$patchStorageV1VolumeAttachmentStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean Jb +G +200@ +> +OK8 +6 +4#/definitions/io.k8s.api.storage.v1.VolumeAttachment + +401 + + UnauthorizedRhttpsj^ +x-kubernetes-group-version-kind;9kind: VolumeAttachment +version: v1 +group: storage.k8s.io +j +x-kubernetes-actionpatch +J= +;9"7pathname of the VolumeAttachment"name*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string í( +3/apis/storage.k8s.io/v1/watch/storageclasses/{name}µ(î + +storage_v1³watch changes to an object of kind StorageClass. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*watchStorageV1StorageClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsjZ +x-kubernetes-group-version-kind75group: storage.k8s.io +kind: StorageClass +version: v1 +j +x-kubernetes-actionwatch +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J9 +75"3pathname of the StorageClass"name*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ¢a +J/apis/admissionregistration.k8s.io/v1beta1/validatingwebhookconfigurationsÓ`¦' +admissionregistration_v1beta1listAdmissionregistrationV1beta1ValidatingWebhookConfiguration2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Bï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer B± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean J‡ +l +200e +c +OK] +[ +Y#/definitions/io.k8s.api.admissionregistration.v1beta1.ValidatingWebhookConfigurationList + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionlist +j +x-kubernetes-group-version-kind\Zgroup: admissionregistration.k8s.io +kind: ValidatingWebhookConfiguration +version: v1beta1 +"Œ +admissionregistration_v1beta1'create a ValidatingWebhookConfiguration*@createAdmissionregistrationV1beta1ValidatingWebhookConfiguration2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Bk +i +gbodybody *W +U#/definitions/io.k8s.api.admissionregistration.v1beta1.ValidatingWebhookConfigurationBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string Jâ +h +200a +_ +OKY +W +U#/definitions/io.k8s.api.admissionregistration.v1beta1.ValidatingWebhookConfiguration +m +201f +d +CreatedY +W +U#/definitions/io.k8s.api.admissionregistration.v1beta1.ValidatingWebhookConfiguration +n +202g +e +AcceptedY +W +U#/definitions/io.k8s.api.admissionregistration.v1beta1.ValidatingWebhookConfiguration + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpost +j +x-kubernetes-group-version-kind\Zgroup: admissionregistration.k8s.io +kind: ValidatingWebhookConfiguration +version: v1beta1 +*Ç- +admissionregistration_v1beta13delete collection of ValidatingWebhookConfiguration*JdeleteAdmissionregistrationV1beta1CollectionValidatingWebhookConfiguration2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string Bž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer Jg +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsj* +x-kubernetes-actiondeletecollection +j +x-kubernetes-group-version-kind\Zkind: ValidatingWebhookConfiguration +version: v1beta1 +group: admissionregistration.k8s.io +JO +MKIquery-If 'true', then the output is pretty printed."pretty2string · + ++/apis/authentication.k8s.io/v1/tokenreviews‡ +"ù +authentication_v1create a TokenReview*!createAuthenticationV1TokenReview2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BL +J +Hbodybody *8 +6#/definitions/io.k8s.api.authentication.v1.TokenReviewJ… +I +200B +@ +OK: +8 +6#/definitions/io.k8s.api.authentication.v1.TokenReview +N +201G +E +Created: +8 +6#/definitions/io.k8s.api.authentication.v1.TokenReview +O +202H +F +Accepted: +8 +6#/definitions/io.k8s.api.authentication.v1.TokenReview + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpost +j` +x-kubernetes-group-version-kind=;group: authentication.k8s.io +kind: TokenReview +version: v1 +Jž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string J– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string JO +MKIquery-If 'true', then the output is pretty printed."pretty2string õ' +2/apis/autoscaling/v2beta2/horizontalpodautoscalers¾'² +autoscaling_v2beta25list or watch objects of kind HorizontalPodAutoscaler*=listAutoscalingV2beta2HorizontalPodAutoscalerForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jv +[ +200T +R +OKL +J +H#/definitions/io.k8s.api.autoscaling.v2beta2.HorizontalPodAutoscalerList + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionlist +jg +x-kubernetes-group-version-kindDBgroup: autoscaling +kind: HorizontalPodAutoscaler +version: v2beta2 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean –_ +@/apis/policy/v1beta1/namespaces/{namespace}/poddisruptionbudgetsÑ^À& +policy_v1beta11list or watch objects of kind PodDisruptionBudget*.listPolicyV1beta1NamespacedPodDisruptionBudget2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Bï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer B± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean Jm +R +200K +I +OKC +A +?#/definitions/io.k8s.api.policy.v1beta1.PodDisruptionBudgetList + +401 + + UnauthorizedRhttpsj^ +x-kubernetes-group-version-kind;9group: policy +kind: PodDisruptionBudget +version: v1beta1 +j +x-kubernetes-actionlist +"Ù +policy_v1beta1create a PodDisruptionBudget*0createPolicyV1beta1NamespacedPodDisruptionBudget2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BQ +O +Mbodybody *= +;#/definitions/io.k8s.api.policy.v1beta1.PodDisruptionBudgetBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string J” + +401 + + Unauthorized +N +200G +E +OK? += +;#/definitions/io.k8s.api.policy.v1beta1.PodDisruptionBudget +S +201L +J +Created? += +;#/definitions/io.k8s.api.policy.v1beta1.PodDisruptionBudget +T +202M +K +Accepted? += +;#/definitions/io.k8s.api.policy.v1beta1.PodDisruptionBudgetRhttpsj^ +x-kubernetes-group-version-kind;9kind: PodDisruptionBudget +version: v1beta1 +group: policy +j +x-kubernetes-actionpost +*ü, +policy_v1beta1(delete collection of PodDisruptionBudget*:deletePolicyV1beta1CollectionNamespacedPodDisruptionBudget2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string Bž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer Jg +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsj^ +x-kubernetes-group-version-kind;9group: policy +kind: PodDisruptionBudget +version: v1beta1 +j* +x-kubernetes-actiondeletecollection +J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ô^ +;/apis/rbac.authorization.k8s.io/v1beta1/clusterrolebindings´^Ù& +rbacAuthorization_v1beta10list or watch objects of kind ClusterRoleBinding*.listRbacAuthorizationV1beta1ClusterRoleBinding2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Bï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer B± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean Jj +O +200H +F +OK@ +> +<#/definitions/io.k8s.api.rbac.v1beta1.ClusterRoleBindingList + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionlist +jp +x-kubernetes-group-version-kindMKgroup: rbac.authorization.k8s.io +kind: ClusterRoleBinding +version: v1beta1 +"é +rbacAuthorization_v1beta1create a ClusterRoleBinding*0createRbacAuthorizationV1beta1ClusterRoleBinding2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BN +L +Jbodybody *: +8#/definitions/io.k8s.api.rbac.v1beta1.ClusterRoleBindingBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string J‹ +K +200D +B +OK< +: +8#/definitions/io.k8s.api.rbac.v1beta1.ClusterRoleBinding +P +201I +G +Created< +: +8#/definitions/io.k8s.api.rbac.v1beta1.ClusterRoleBinding +Q +202J +H +Accepted< +: +8#/definitions/io.k8s.api.rbac.v1beta1.ClusterRoleBinding + +401 + + UnauthorizedRhttpsjp +x-kubernetes-group-version-kindMKkind: ClusterRoleBinding +version: v1beta1 +group: rbac.authorization.k8s.io +j +x-kubernetes-actionpost +*˜- +rbacAuthorization_v1beta1'delete collection of ClusterRoleBinding*:deleteRbacAuthorizationV1beta1CollectionClusterRoleBinding2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string Bž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer Jg +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsj* +x-kubernetes-actiondeletecollection +jp +x-kubernetes-group-version-kindMKkind: ClusterRoleBinding +version: v1beta1 +group: rbac.authorization.k8s.io +JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ´ + +'/api/v1/namespaces/{namespace}/bindingsˆ +"˜ +core_v1create a Binding*createCoreV1NamespacedBinding2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B> +< +:bodybody ** +(#/definitions/io.k8s.api.core.v1.BindingJÛ +; +2004 +2 +OK, +* +(#/definitions/io.k8s.api.core.v1.Binding +@ +2019 +7 +Created, +* +(#/definitions/io.k8s.api.core.v1.Binding +A +202: +8 +Accepted, +* +(#/definitions/io.k8s.api.core.v1.Binding + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpost +jI +x-kubernetes-group-version-kind&$version: v1 +group: "" +kind: Binding +Jž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string J– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ô) +P/apis/admissionregistration.k8s.io/v1/watch/mutatingwebhookconfigurations/{name}Ÿ)È +admissionregistration_v1Ãwatch changes to an object of kind MutatingWebhookConfiguration. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*8watchAdmissionregistrationV1MutatingWebhookConfiguration2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionwatch +jx +x-kubernetes-group-version-kindUSgroup: admissionregistration.k8s.io +kind: MutatingWebhookConfiguration +version: v1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JI +GE"Cpath(name of the MutatingWebhookConfiguration"name*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ¼) +O/apis/autoscaling/v2beta1/watch/namespaces/{namespace}/horizontalpodautoscalersè(ú +autoscaling_v2beta1ƒwatch individual changes to a list of HorizontalPodAutoscaler. deprecated: use the 'watch' parameter with a list operation instead.* +< +:#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetList + +401 + + UnauthorizedRhttpsjY +x-kubernetes-group-version-kind64group: policy +kind: PodDisruptionBudget +version: v1 +j +x-kubernetes-actionlist +"¶ + policy_v1create a PodDisruptionBudget*+createPolicyV1NamespacedPodDisruptionBudget2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BL +J +Hbodybody *8 +6#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string J… + +401 + + Unauthorized +I +200B +@ +OK: +8 +6#/definitions/io.k8s.api.policy.v1.PodDisruptionBudget +N +201G +E +Created: +8 +6#/definitions/io.k8s.api.policy.v1.PodDisruptionBudget +O +202H +F +Accepted: +8 +6#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetRhttpsj +x-kubernetes-actionpost +jY +x-kubernetes-group-version-kind64group: policy +kind: PodDisruptionBudget +version: v1 +*í, + policy_v1(delete collection of PodDisruptionBudget*5deletePolicyV1CollectionNamespacedPodDisruptionBudget2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string Bž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer Jg +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsjY +x-kubernetes-group-version-kind64version: v1 +group: policy +kind: PodDisruptionBudget +j* +x-kubernetes-actiondeletecollection +J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Ò_ +D/apis/autoscaling/v1/namespaces/{namespace}/horizontalpodautoscalers‰_Ð& +autoscaling_v15list or watch objects of kind HorizontalPodAutoscaler*2listAutoscalingV1NamespacedHorizontalPodAutoscaler2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Bï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer B± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean Jq +V +200O +M +OKG +E +C#/definitions/io.k8s.api.autoscaling.v1.HorizontalPodAutoscalerList + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionlist +jb +x-kubernetes-group-version-kind?=group: autoscaling +kind: HorizontalPodAutoscaler +version: v1 +"õ +autoscaling_v1 create a HorizontalPodAutoscaler*4createAutoscalingV1NamespacedHorizontalPodAutoscaler2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BU +S +Qbodybody *A +?#/definitions/io.k8s.api.autoscaling.v1.HorizontalPodAutoscalerBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string J  +R +200K +I +OKC +A +?#/definitions/io.k8s.api.autoscaling.v1.HorizontalPodAutoscaler +W +201P +N +CreatedC +A +?#/definitions/io.k8s.api.autoscaling.v1.HorizontalPodAutoscaler +X +202Q +O +AcceptedC +A +?#/definitions/io.k8s.api.autoscaling.v1.HorizontalPodAutoscaler + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpost +jb +x-kubernetes-group-version-kind?=kind: HorizontalPodAutoscaler +version: v1 +group: autoscaling +*ˆ- +autoscaling_v1,delete collection of HorizontalPodAutoscaler*>deleteAutoscalingV1CollectionNamespacedHorizontalPodAutoscaler2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string Bž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer Jg +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsj* +x-kubernetes-actiondeletecollection +jb +x-kubernetes-group-version-kind?=group: autoscaling +kind: HorizontalPodAutoscaler +version: v1 +J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ¬( +5/apis/rbac.authorization.k8s.io/v1/watch/rolebindingsò'æ +rbacAuthorization_v1wwatch individual changes to a list of RoleBinding. deprecated: use the 'watch' parameter with a list operation instead.*7watchRbacAuthorizationV1RoleBindingListForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk + +401 + + Unauthorized +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEventRhttpsj# +x-kubernetes-action  +watchlist +jd +x-kubernetes-group-version-kindA?group: rbac.authorization.k8s.io +kind: RoleBinding +version: v1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean É\ +"/apis/storage.k8s.io/v1/csidrivers¢\…& + +storage_v1'list or watch objects of kind CSIDriver*listStorageV1CSIDriver2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Bï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer B± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean J_ +D +200= +; +OK5 +3 +1#/definitions/io.k8s.api.storage.v1.CSIDriverList + +401 + + UnauthorizedRhttpsjW +x-kubernetes-group-version-kind42group: storage.k8s.io +kind: CSIDriver +version: v1 +j +x-kubernetes-actionlist +"ô + +storage_v1create a CSIDriver*createStorageV1CSIDriver2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BC +A +?bodybody */ +-#/definitions/io.k8s.api.storage.v1.CSIDriverBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string Jê +@ +2009 +7 +OK1 +/ +-#/definitions/io.k8s.api.storage.v1.CSIDriver +E +201> +< +Created1 +/ +-#/definitions/io.k8s.api.storage.v1.CSIDriver +F +202? += +Accepted1 +/ +-#/definitions/io.k8s.api.storage.v1.CSIDriver + +401 + + UnauthorizedRhttpsjW +x-kubernetes-group-version-kind42group: storage.k8s.io +kind: CSIDriver +version: v1 +j +x-kubernetes-actionpost +*Ï, + +storage_v1delete collection of CSIDriver*"deleteStorageV1CollectionCSIDriver2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string Bž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer Jg +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsj* +x-kubernetes-actiondeletecollection +jW +x-kubernetes-group-version-kind42version: v1 +group: storage.k8s.io +kind: CSIDriver +JO +MKIquery-If 'true', then the output is pretty printed."pretty2string å +"/api/v1/namespaces/{name}/finalize¾ ø +core_v1+replace finalize of the specified Namespace*replaceCoreV1NamespaceFinalize2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B@ +> +<bodybody *, +*#/definitions/io.k8s.api.core.v1.NamespaceJœ += +2006 +4 +OK. +, +*#/definitions/io.k8s.api.core.v1.Namespace +B +201; +9 +Created. +, +*#/definitions/io.k8s.api.core.v1.Namespace + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionput +jK +x-kubernetes-group-version-kind(&group: "" +kind: Namespace +version: v1 +Jž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string J– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string J6 +42"0pathname of the Namespace"name*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string È +/apis/½º +apisget available API versions*getAPIVersions2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJm +R +200K +I +OKC +A +?#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIGroupList + +401 + + UnauthorizedRhttpsˆ* +U/apis/admissionregistration.k8s.io/v1beta1/watch/mutatingwebhookconfigurations/{name}®)× +admissionregistration_v1beta1Ãwatch changes to an object of kind MutatingWebhookConfiguration. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*=watchAdmissionregistrationV1beta1MutatingWebhookConfiguration2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk + +401 + + Unauthorized +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEventRhttpsj +x-kubernetes-actionwatch +j} +x-kubernetes-group-version-kindZXversion: v1beta1 +group: admissionregistration.k8s.io +kind: MutatingWebhookConfiguration +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JI +GE"Cpath(name of the MutatingWebhookConfiguration"name*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ¯ +:/apis/authorization.k8s.io/v1beta1/selfsubjectrulesreviewsð +"â +authorization_v1beta1create a SelfSubjectRulesReview*0createAuthorizationV1beta1SelfSubjectRulesReview2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B[ +Y +Wbodybody *G +E#/definitions/io.k8s.api.authorization.v1beta1.SelfSubjectRulesReviewJ² +X +200Q +O +OKI +G +E#/definitions/io.k8s.api.authorization.v1beta1.SelfSubjectRulesReview +] +201V +T +CreatedI +G +E#/definitions/io.k8s.api.authorization.v1beta1.SelfSubjectRulesReview +^ +202W +U +AcceptedI +G +E#/definitions/io.k8s.api.authorization.v1beta1.SelfSubjectRulesReview + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpost +jo +x-kubernetes-group-version-kindLJgroup: authorization.k8s.io +kind: SelfSubjectRulesReview +version: v1beta1 +Jž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string J– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string JO +MKIquery-If 'true', then the output is pretty printed."pretty2string É( +8/apis/autoscaling/v2beta2/watch/horizontalpodautoscalersŒ(€ +autoscaling_v2beta2ƒwatch individual changes to a list of HorizontalPodAutoscaler. deprecated: use the 'watch' parameter with a list operation instead.*BwatchAutoscalingV2beta2HorizontalPodAutoscalerListForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk + +401 + + Unauthorized +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEventRhttpsj# +x-kubernetes-action  +watchlist +jg +x-kubernetes-group-version-kindDBgroup: autoscaling +kind: HorizontalPodAutoscaler +version: v2beta2 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ¡ ++/apis/flowcontrol.apiserver.k8s.io/v1beta1/ñî +flowcontrolApiserver_v1beta1get available resources**getFlowcontrolApiserverV1beta1APIResources2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJp +U +200N +L +OKF +D +B#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList + +401 + + UnauthorizedRhttpsñ+ +R/apis/rbac.authorization.k8s.io/v1beta1/namespaces/{namespace}/rolebindings/{name}š+® +rbacAuthorization_v1beta1read the specified RoleBinding*1readRbacAuthorizationV1beta1NamespacedRoleBinding2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*J_ + +401 + + Unauthorized +D +200= +; +OK5 +3 +1#/definitions/io.k8s.api.rbac.v1beta1.RoleBindingRhttpsji +x-kubernetes-group-version-kindFDversion: v1beta1 +group: rbac.authorization.k8s.io +kind: RoleBinding +j +x-kubernetes-actionget +ƒ +rbacAuthorization_v1beta1!replace the specified RoleBinding*4replaceRbacAuthorizationV1beta1NamespacedRoleBinding2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BG +E +Cbodybody *3 +1#/definitions/io.k8s.api.rbac.v1beta1.RoleBindingBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string Jª +D +200= +; +OK5 +3 +1#/definitions/io.k8s.api.rbac.v1beta1.RoleBinding +I +201B +@ +Created5 +3 +1#/definitions/io.k8s.api.rbac.v1beta1.RoleBinding + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionput +ji +x-kubernetes-group-version-kindFDgroup: rbac.authorization.k8s.io +kind: RoleBinding +version: v1beta1 +*à +rbacAuthorization_v1beta1delete a RoleBinding*3deleteRbacAuthorizationV1beta1NamespacedRoleBinding2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string J» +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status +R +202K +I +Accepted= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsj +x-kubernetes-action delete +ji +x-kubernetes-group-version-kindFDgroup: rbac.authorization.k8s.io +kind: RoleBinding +version: v1beta1 +B­ +rbacAuthorization_v1beta1*partially update the specified RoleBinding*2patchRbacAuthorizationV1beta1NamespacedRoleBinding2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean J_ +D +200= +; +OK5 +3 +1#/definitions/io.k8s.api.rbac.v1beta1.RoleBinding + +401 + + UnauthorizedRhttpsji +x-kubernetes-group-version-kindFDgroup: rbac.authorization.k8s.io +kind: RoleBinding +version: v1beta1 +j +x-kubernetes-actionpatch +J8 +64"2pathname of the RoleBinding"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ™. +O/apis/admissionregistration.k8s.io/v1beta1/mutatingwebhookconfigurations/{name}Å-… +admissionregistration_v1beta1/read the specified MutatingWebhookConfiguration*deleteAdmissionregistrationV1beta1MutatingWebhookConfiguration2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string J» +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status +R +202K +I +Accepted= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsj +x-kubernetes-action delete +j} +x-kubernetes-group-version-kindZXversion: v1beta1 +group: admissionregistration.k8s.io +kind: MutatingWebhookConfiguration +B„ +admissionregistration_v1beta1;partially update the specified MutatingWebhookConfiguration*=patchAdmissionregistrationV1beta1MutatingWebhookConfiguration2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean J +f +200_ +] +OKW +U +S#/definitions/io.k8s.api.admissionregistration.v1beta1.MutatingWebhookConfiguration + +401 + + UnauthorizedRhttpsj} +x-kubernetes-group-version-kindZXgroup: admissionregistration.k8s.io +kind: MutatingWebhookConfiguration +version: v1beta1 +j +x-kubernetes-actionpatch +JI +GE"Cpath(name of the MutatingWebhookConfiguration"name*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string —+ +M/apis/rbac.authorization.k8s.io/v1/namespaces/{namespace}/rolebindings/{name}Å*š +rbacAuthorization_v1read the specified RoleBinding*,readRbacAuthorizationV1NamespacedRoleBinding2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*JZ +? +2008 +6 +OK0 +. +,#/definitions/io.k8s.api.rbac.v1.RoleBinding + +401 + + UnauthorizedRhttpsjd +x-kubernetes-group-version-kindA?group: rbac.authorization.k8s.io +kind: RoleBinding +version: v1 +j +x-kubernetes-actionget +å +rbacAuthorization_v1!replace the specified RoleBinding*/replaceRbacAuthorizationV1NamespacedRoleBinding2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BB +@ +>bodybody *. +,#/definitions/io.k8s.api.rbac.v1.RoleBindingBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string J  +? +2008 +6 +OK0 +. +,#/definitions/io.k8s.api.rbac.v1.RoleBinding +D +201= +; +Created0 +. +,#/definitions/io.k8s.api.rbac.v1.RoleBinding + +401 + + UnauthorizedRhttpsjd +x-kubernetes-group-version-kindA?group: rbac.authorization.k8s.io +kind: RoleBinding +version: v1 +j +x-kubernetes-actionput +*´ +rbacAuthorization_v1delete a RoleBinding*.deleteRbacAuthorizationV1NamespacedRoleBinding2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string J» + +401 + + Unauthorized +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status +R +202K +I +Accepted= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.StatusRhttpsjd +x-kubernetes-group-version-kindA?group: rbac.authorization.k8s.io +kind: RoleBinding +version: v1 +j +x-kubernetes-action delete +B™ +rbacAuthorization_v1*partially update the specified RoleBinding*-patchRbacAuthorizationV1NamespacedRoleBinding2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean JZ +? +2008 +6 +OK0 +. +,#/definitions/io.k8s.api.rbac.v1.RoleBinding + +401 + + UnauthorizedRhttpsjd +x-kubernetes-group-version-kindA?group: rbac.authorization.k8s.io +kind: RoleBinding +version: v1 +j +x-kubernetes-actionpatch +J8 +64"2pathname of the RoleBinding"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ì* +K/apis/rbac.authorization.k8s.io/v1beta1/namespaces/{namespace}/roles/{name}œ*’ +rbacAuthorization_v1beta1read the specified Role**readRbacAuthorizationV1beta1NamespacedRole2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*JX += +2006 +4 +OK. +, +*#/definitions/io.k8s.api.rbac.v1beta1.Role + +401 + + UnauthorizedRhttpsjb +x-kubernetes-group-version-kind?=kind: Role +version: v1beta1 +group: rbac.authorization.k8s.io +j +x-kubernetes-actionget +Ù +rbacAuthorization_v1beta1replace the specified Role*-replaceRbacAuthorizationV1beta1NamespacedRole2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B@ +> +<bodybody *, +*#/definitions/io.k8s.api.rbac.v1beta1.RoleBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string Jœ += +2006 +4 +OK. +, +*#/definitions/io.k8s.api.rbac.v1beta1.Role +B +201; +9 +Created. +, +*#/definitions/io.k8s.api.rbac.v1beta1.Role + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionput +jb +x-kubernetes-group-version-kind?=group: rbac.authorization.k8s.io +kind: Role +version: v1beta1 +*® +rbacAuthorization_v1beta1 delete a Role*,deleteRbacAuthorizationV1beta1NamespacedRole2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string J» +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status +R +202K +I +Accepted= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsjb +x-kubernetes-group-version-kind?=group: rbac.authorization.k8s.io +kind: Role +version: v1beta1 +j +x-kubernetes-action delete +B‘ +rbacAuthorization_v1beta1#partially update the specified Role*+patchRbacAuthorizationV1beta1NamespacedRole2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean JX += +2006 +4 +OK. +, +*#/definitions/io.k8s.api.rbac.v1beta1.Role + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpatch +jb +x-kubernetes-group-version-kind?=group: rbac.authorization.k8s.io +kind: Role +version: v1beta1 +J1 +/-"+pathname of the Role"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string þ' +-/apis/storage.k8s.io/v1beta1/watch/csidriversÌ'À +storage_v1beta1uwatch individual changes to a list of CSIDriver. deprecated: use the 'watch' parameter with a list operation instead.* watchStorageV1beta1CSIDriverList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj# +x-kubernetes-action  +watchlist +j\ +x-kubernetes-group-version-kind97group: storage.k8s.io +kind: CSIDriver +version: v1beta1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean Õ+ +B/apis/rbac.authorization.k8s.io/v1beta1/clusterrolebindings/{name}Ž+À +rbacAuthorization_v1beta1%read the specified ClusterRoleBinding*.readRbacAuthorizationV1beta1ClusterRoleBinding2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Jf + +401 + + Unauthorized +K +200D +B +OK< +: +8#/definitions/io.k8s.api.rbac.v1beta1.ClusterRoleBindingRhttpsjp +x-kubernetes-group-version-kindMKgroup: rbac.authorization.k8s.io +kind: ClusterRoleBinding +version: v1beta1 +j +x-kubernetes-actionget +£ +rbacAuthorization_v1beta1(replace the specified ClusterRoleBinding*1replaceRbacAuthorizationV1beta1ClusterRoleBinding2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BN +L +Jbodybody *: +8#/definitions/io.k8s.api.rbac.v1beta1.ClusterRoleBindingBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string J¸ +P +201I +G +Created< +: +8#/definitions/io.k8s.api.rbac.v1beta1.ClusterRoleBinding + +401 + + Unauthorized +K +200D +B +OK< +: +8#/definitions/io.k8s.api.rbac.v1beta1.ClusterRoleBindingRhttpsj +x-kubernetes-actionput +jp +x-kubernetes-group-version-kindMKversion: v1beta1 +group: rbac.authorization.k8s.io +kind: ClusterRoleBinding +*Î +rbacAuthorization_v1beta1delete a ClusterRoleBinding*0deleteRbacAuthorizationV1beta1ClusterRoleBinding2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string J» +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status +R +202K +I +Accepted= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsj +x-kubernetes-action delete +jp +x-kubernetes-group-version-kindMKgroup: rbac.authorization.k8s.io +kind: ClusterRoleBinding +version: v1beta1 +B¿ +rbacAuthorization_v1beta11partially update the specified ClusterRoleBinding*/patchRbacAuthorizationV1beta1ClusterRoleBinding2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean Jf +K +200D +B +OK< +: +8#/definitions/io.k8s.api.rbac.v1beta1.ClusterRoleBinding + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpatch +jp +x-kubernetes-group-version-kindMKgroup: rbac.authorization.k8s.io +kind: ClusterRoleBinding +version: v1beta1 +J? +=;"9pathname of the ClusterRoleBinding"name*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ‰ +;/api/v1/namespaces/{namespace}/resourcequotas/{name}/statusÉ +core_v1*read status of the specified ResourceQuota*'readCoreV1NamespacedResourceQuotaStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*J\ +A +200: +8 +OK2 +0 +.#/definitions/io.k8s.api.core.v1.ResourceQuota + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionget +jO +x-kubernetes-group-version-kind,*kind: ResourceQuota +version: v1 +group: "" +Ð +core_v1-replace status of the specified ResourceQuota**replaceCoreV1NamespacedResourceQuotaStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BD +B +@bodybody *0 +.#/definitions/io.k8s.api.core.v1.ResourceQuotaBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string J¤ +A +200: +8 +OK2 +0 +.#/definitions/io.k8s.api.core.v1.ResourceQuota +F +201? += +Created2 +0 +.#/definitions/io.k8s.api.core.v1.ResourceQuota + +401 + + UnauthorizedRhttpsjO +x-kubernetes-group-version-kind,*version: v1 +group: "" +kind: ResourceQuota +j +x-kubernetes-actionput +B€ +core_v16partially update status of the specified ResourceQuota*(patchCoreV1NamespacedResourceQuotaStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean J\ +A +200: +8 +OK2 +0 +.#/definitions/io.k8s.api.core.v1.ResourceQuota + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpatch +jO +x-kubernetes-group-version-kind,*group: "" +kind: ResourceQuota +version: v1 +J: +86"4pathname of the ResourceQuota"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string å +>/apis/apps/v1/namespaces/{namespace}/deployments/{name}/status¢÷ +apps_v1'read status of the specified Deployment*$readAppsV1NamespacedDeploymentStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*JY +> +2007 +5 +OK/ +- ++#/definitions/io.k8s.api.apps.v1.Deployment + +401 + + UnauthorizedRhttpsjN +x-kubernetes-group-version-kind+)group: apps +kind: Deployment +version: v1 +j +x-kubernetes-actionget +À +apps_v1*replace status of the specified Deployment*'replaceAppsV1NamespacedDeploymentStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BA +? +=bodybody *- ++#/definitions/io.k8s.api.apps.v1.DeploymentBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string Jž +> +2007 +5 +OK/ +- ++#/definitions/io.k8s.api.apps.v1.Deployment +C +201< +: +Created/ +- ++#/definitions/io.k8s.api.apps.v1.Deployment + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionput +jN +x-kubernetes-group-version-kind+)group: apps +kind: Deployment +version: v1 +Bö +apps_v13partially update status of the specified Deployment*%patchAppsV1NamespacedDeploymentStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean JY +> +2007 +5 +OK/ +- ++#/definitions/io.k8s.api.apps.v1.Deployment + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpatch +jN +x-kubernetes-group-version-kind+)kind: Deployment +version: v1 +group: apps +J7 +53"1pathname of the Deployment"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ¨) +J/apis/autoscaling/v1/watch/namespaces/{namespace}/horizontalpodautoscalersÙ(ë +autoscaling_v1ƒwatch individual changes to a list of HorizontalPodAutoscaler. deprecated: use the 'watch' parameter with a list operation instead.*7watchAutoscalingV1NamespacedHorizontalPodAutoscalerList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsjb +x-kubernetes-group-version-kind?=group: autoscaling +kind: HorizontalPodAutoscaler +version: v1 +j# +x-kubernetes-action  +watchlist +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean œ) +;/apis/events.k8s.io/v1/namespaces/{namespace}/events/{name}Ü(â + events_v1read the specified Event*readEventsV1NamespacedEvent2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*JV +; +2004 +2 +OK, +* +(#/definitions/io.k8s.api.events.v1.Event + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionget +jR +x-kubernetes-group-version-kind/-group: events.k8s.io +kind: Event +version: v1 +¥ + events_v1replace the specified Event*replaceEventsV1NamespacedEvent2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B> +< +:bodybody ** +(#/definitions/io.k8s.api.events.v1.EventBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string J˜ + +401 + + Unauthorized +; +2004 +2 +OK, +* +(#/definitions/io.k8s.api.events.v1.Event +@ +2019 +7 +Created, +* +(#/definitions/io.k8s.api.events.v1.EventRhttpsj +x-kubernetes-actionput +jR +x-kubernetes-group-version-kind/-group: events.k8s.io +kind: Event +version: v1 +* + events_v1delete an Event*deleteEventsV1NamespacedEvent2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string J» +R +202K +I +Accepted= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + Unauthorized +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.StatusRhttpsj +x-kubernetes-action delete +jR +x-kubernetes-group-version-kind/-kind: Event +version: v1 +group: events.k8s.io +Bá + events_v1$partially update the specified Event*patchEventsV1NamespacedEvent2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean JV +; +2004 +2 +OK, +* +(#/definitions/io.k8s.api.events.v1.Event + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpatch +jR +x-kubernetes-group-version-kind/-group: events.k8s.io +kind: Event +version: v1 +J2 +0.",pathname of the Event"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ï] +:/apis/coordination.k8s.io/v1/namespaces/{namespace}/leases°]“& +coordination_v1#list or watch objects of kind Lease*!listCoordinationV1NamespacedLease2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Bï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer B± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean J` + +401 + + Unauthorized +E +200> +< +OK6 +4 +2#/definitions/io.k8s.api.coordination.v1.LeaseListRhttpsj +x-kubernetes-actionlist +jX +x-kubernetes-group-version-kind53version: v1 +group: coordination.k8s.io +kind: Lease +"… +coordination_v1create a Lease*#createCoordinationV1NamespacedLease2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BD +B +@bodybody *0 +.#/definitions/io.k8s.api.coordination.v1.LeaseBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string Jí + +401 + + Unauthorized +A +200: +8 +OK2 +0 +.#/definitions/io.k8s.api.coordination.v1.Lease +F +201? += +Created2 +0 +.#/definitions/io.k8s.api.coordination.v1.Lease +G +202@ +> +Accepted2 +0 +.#/definitions/io.k8s.api.coordination.v1.LeaseRhttpsj +x-kubernetes-actionpost +jX +x-kubernetes-group-version-kind53group: coordination.k8s.io +kind: Lease +version: v1 +*Ü, +coordination_v1delete collection of Lease*-deleteCoordinationV1CollectionNamespacedLease2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string Bž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer Jg +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsj* +x-kubernetes-actiondeletecollection +jX +x-kubernetes-group-version-kind53group: coordination.k8s.io +kind: Lease +version: v1 +J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string È' +)/apis/policy/v1beta1/poddisruptionbudgetsš'Ž +policy_v1beta11list or watch objects of kind PodDisruptionBudget*4listPolicyV1beta1PodDisruptionBudgetForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jm +R +200K +I +OKC +A +?#/definitions/io.k8s.api.policy.v1beta1.PodDisruptionBudgetList + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionlist +j^ +x-kubernetes-group-version-kind;9group: policy +kind: PodDisruptionBudget +version: v1beta1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean €) +6/apis/storage.k8s.io/v1/watch/volumeattachments/{name}Å(ú + +storage_v1·watch changes to an object of kind VolumeAttachment. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*watchStorageV1VolumeAttachment2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj^ +x-kubernetes-group-version-kind;9group: storage.k8s.io +kind: VolumeAttachment +version: v1 +j +x-kubernetes-actionwatch +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J= +;9"7pathname of the VolumeAttachment"name*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean Þ +7/api/v1/namespaces/{namespace}/pods/{name}/proxy/{path}¢› +core_v1$connect GET requests to proxy of Pod**connectCoreV1GetNamespacedPodProxyWithPath2*/*:*/*J7 + +200 + +OK + ² +string + +401 + + UnauthorizedRhttpsj! +x-kubernetes-action +connect +jQ +x-kubernetes-group-version-kind.,version: v1 +group: "" +kind: PodProxyOptions +› +core_v1$connect PUT requests to proxy of Pod**connectCoreV1PutNamespacedPodProxyWithPath2*/*:*/*J7 + +200 + +OK + ² +string + +401 + + UnauthorizedRhttpsjQ +x-kubernetes-group-version-kind.,group: "" +kind: PodProxyOptions +version: v1 +j! +x-kubernetes-action +connect +" +core_v1%connect POST requests to proxy of Pod*+connectCoreV1PostNamespacedPodProxyWithPath2*/*:*/*J7 + +200 + +OK + ² +string + +401 + + UnauthorizedRhttpsj! +x-kubernetes-action +connect +jQ +x-kubernetes-group-version-kind.,group: "" +kind: PodProxyOptions +version: v1 +*¡ +core_v1'connect DELETE requests to proxy of Pod*-connectCoreV1DeleteNamespacedPodProxyWithPath2*/*:*/*J7 + +200 + +OK + ² +string + +401 + + UnauthorizedRhttpsj! +x-kubernetes-action +connect +jQ +x-kubernetes-group-version-kind.,group: "" +kind: PodProxyOptions +version: v1 +2£ +core_v1(connect OPTIONS requests to proxy of Pod*.connectCoreV1OptionsNamespacedPodProxyWithPath2*/*:*/*J7 + +200 + +OK + ² +string + +401 + + UnauthorizedRhttpsj! +x-kubernetes-action +connect +jQ +x-kubernetes-group-version-kind.,kind: PodProxyOptions +version: v1 +group: "" +: +core_v1%connect HEAD requests to proxy of Pod*+connectCoreV1HeadNamespacedPodProxyWithPath2*/*:*/*J7 + +200 + +OK + ² +string + +401 + + UnauthorizedRhttpsj! +x-kubernetes-action +connect +jQ +x-kubernetes-group-version-kind.,group: "" +kind: PodProxyOptions +version: v1 +BŸ +core_v1&connect PATCH requests to proxy of Pod*,connectCoreV1PatchNamespacedPodProxyWithPath2*/*:*/*J7 + +200 + +OK + ² +string + +401 + + UnauthorizedRhttpsj! +x-kubernetes-action +connect +jQ +x-kubernetes-group-version-kind.,group: "" +kind: PodProxyOptions +version: v1 +J< +:8"6pathname of the PodProxyOptions"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜J5 +31"/pathpath to the resource"path*string˜Ja +_][queryAPath is the URL path to use for the current proxy request to pod."path2string „' +/api/v1/serviceaccountsè&Ü +core_v1,list or watch objects of kind ServiceAccount*(listCoreV1ServiceAccountForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Ja +F +200? += +OK7 +5 +3#/definitions/io.k8s.api.core.v1.ServiceAccountList + +401 + + UnauthorizedRhttpsjP +x-kubernetes-group-version-kind-+version: v1 +group: "" +kind: ServiceAccount +j +x-kubernetes-actionlist +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean º^ ++/apis/apiregistration.k8s.io/v1/apiservicesŠ^¾& +apiregistration_v1(list or watch objects of kind APIService*listApiregistrationV1APIService2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Bï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer B± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean J} + +401 + + Unauthorized +b +200[ +Y +OKS +Q +O#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIServiceListRhttpsj` +x-kubernetes-group-version-kind=;group: apiregistration.k8s.io +version: v1 +kind: APIService +j +x-kubernetes-actionlist +"ˆ + +apiregistration_v1create an APIService*!createApiregistrationV1APIService2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Ba +_ +]bodybody *M +K#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIServiceBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string JÄ +^ +200W +U +OKO +M +K#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIService +c +201\ +Z +CreatedO +M +K#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIService +d +202] +[ +AcceptedO +M +K#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIService + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpost +j` +x-kubernetes-group-version-kind=;kind: APIService +group: apiregistration.k8s.io +version: v1 +*ê, +apiregistration_v1delete collection of APIService*+deleteApiregistrationV1CollectionAPIService2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string Bž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer Jg +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsj* +x-kubernetes-actiondeletecollection +j` +x-kubernetes-group-version-kind=;group: apiregistration.k8s.io +version: v1 +kind: APIService +JO +MKIquery-If 'true', then the output is pretty printed."pretty2string « +L/apis/certificates.k8s.io/v1beta1/certificatesigningrequests/{name}/approvalÚè +certificates_v1beta18read approval of the specified CertificateSigningRequest*8readCertificatesV1beta1CertificateSigningRequestApproval2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Ju +Z +200S +Q +OKK +I +G#/definitions/io.k8s.api.certificates.v1beta1.CertificateSigningRequest + +401 + + UnauthorizedRhttpsjq +x-kubernetes-group-version-kindNLgroup: certificates.k8s.io +kind: CertificateSigningRequest +version: v1beta1 +j +x-kubernetes-actionget +é +certificates_v1beta1;replace approval of the specified CertificateSigningRequest*;replaceCertificatesV1beta1CertificateSigningRequestApproval2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B] +[ +Ybodybody *I +G#/definitions/io.k8s.api.certificates.v1beta1.CertificateSigningRequestBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string JÖ +Z +200S +Q +OKK +I +G#/definitions/io.k8s.api.certificates.v1beta1.CertificateSigningRequest +_ +201X +V +CreatedK +I +G#/definitions/io.k8s.api.certificates.v1beta1.CertificateSigningRequest + +401 + + UnauthorizedRhttpsjq +x-kubernetes-group-version-kindNLgroup: certificates.k8s.io +kind: CertificateSigningRequest +version: v1beta1 +j +x-kubernetes-actionput +Bç +certificates_v1beta1Dpartially update approval of the specified CertificateSigningRequest*9patchCertificatesV1beta1CertificateSigningRequestApproval2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean Ju +Z +200S +Q +OKK +I +G#/definitions/io.k8s.api.certificates.v1beta1.CertificateSigningRequest + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpatch +jq +x-kubernetes-group-version-kindNLversion: v1beta1 +group: certificates.k8s.io +kind: CertificateSigningRequest +JF +DB"@path%name of the CertificateSigningRequest"name*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ç( +2/apis/storage.k8s.io/v1beta1/watch/csinodes/{name}°(î +storage_v1beta1®watch changes to an object of kind CSINode. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*watchStorageV1beta1CSINode2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionwatch +jZ +x-kubernetes-group-version-kind75group: storage.k8s.io +kind: CSINode +version: v1beta1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J4 +20".pathname of the CSINode"name*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ¯' +)/apis/networking.k8s.io/v1beta1/ingresses'õ +networking_v1beta1%list or watch objects of kind Ingress*,listNetworkingV1beta1IngressForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Je + +401 + + Unauthorized +J +200C +A +OK; +9 +7#/definitions/io.k8s.api.networking.v1beta1.IngressListRhttpsj +x-kubernetes-actionlist +j] +x-kubernetes-group-version-kind:8group: networking.k8s.io +kind: Ingress +version: v1beta1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean €* +H/apis/policy/v1/watch/namespaces/{namespace}/poddisruptionbudgets/{name}³)ƒ + policy_v1ºwatch changes to an object of kind PodDisruptionBudget. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.**watchPolicyV1NamespacedPodDisruptionBudget2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionwatch +jY +x-kubernetes-group-version-kind64version: v1 +group: policy +kind: PodDisruptionBudget +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J@ +><":pathname of the PodDisruptionBudget"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean Þ +N/apis/policy/v1beta1/namespaces/{namespace}/poddisruptionbudgets/{name}/status‹· +policy_v1beta10read status of the specified PodDisruptionBudget*4readPolicyV1beta1NamespacedPodDisruptionBudgetStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Ji +N +200G +E +OK? += +;#/definitions/io.k8s.api.policy.v1beta1.PodDisruptionBudget + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionget +j^ +x-kubernetes-group-version-kind;9group: policy +kind: PodDisruptionBudget +version: v1beta1 +  +policy_v1beta13replace status of the specified PodDisruptionBudget*7replacePolicyV1beta1NamespacedPodDisruptionBudgetStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BQ +O +Mbodybody *= +;#/definitions/io.k8s.api.policy.v1beta1.PodDisruptionBudgetBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string J¾ +N +200G +E +OK? += +;#/definitions/io.k8s.api.policy.v1beta1.PodDisruptionBudget +S +201L +J +Created? += +;#/definitions/io.k8s.api.policy.v1beta1.PodDisruptionBudget + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionput +j^ +x-kubernetes-group-version-kind;9group: policy +kind: PodDisruptionBudget +version: v1beta1 +B¶ +policy_v1beta1<":pathname of the PodDisruptionBudget"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ’) +group: scheduling.k8s.io +kind: PriorityClass +version: v1beta1 +j +x-kubernetes-actionwatch +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J: +86"4pathname of the PriorityClass"name*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ˆ +"/apis/coordination.k8s.io/v1beta1/áÞ +coordination_v1beta1get available resources*"getCoordinationV1beta1APIResources2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJp +U +200N +L +OKF +D +B#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList + +401 + + UnauthorizedRhttpsã) +H/apis/networking.k8s.io/v1/watch/namespaces/{namespace}/ingresses/{name}–)ò + networking_v1®watch changes to an object of kind Ingress. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*"watchNetworkingV1NamespacedIngress2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionwatch +jX +x-kubernetes-group-version-kind53group: networking.k8s.io +kind: Ingress +version: v1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J4 +20".pathname of the Ingress"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean Š) +G/apis/networking.k8s.io/v1/watch/namespaces/{namespace}/networkpolicies¾(Ð + networking_v1ywatch individual changes to a list of NetworkPolicy. deprecated: use the 'watch' parameter with a list operation instead.*,watchNetworkingV1NamespacedNetworkPolicyList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj^ +x-kubernetes-group-version-kind;9kind: NetworkPolicy +version: v1 +group: networking.k8s.io +j# +x-kubernetes-action  +watchlist +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ‰ +#/apis/rbac.authorization.k8s.io/v1/áÞ +rbacAuthorization_v1get available resources*"getRbacAuthorizationV1APIResources2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJp +U +200N +L +OKF +D +B#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList + +401 + + UnauthorizedRhttpsé +1/api/v1/namespaces/{namespace}/pods/{name}/status³Ù +core_v1 read status of the specified Pod*readCoreV1NamespacedPodStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*JR +7 +2000 +. +OK( +& +$#/definitions/io.k8s.api.core.v1.Pod + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionget +jE +x-kubernetes-group-version-kind" group: "" +kind: Pod +version: v1 +” +core_v1#replace status of the specified Pod* replaceCoreV1NamespacedPodStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B: +8 +6bodybody *& +$#/definitions/io.k8s.api.core.v1.PodBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string J +7 +2000 +. +OK( +& +$#/definitions/io.k8s.api.core.v1.Pod +< +2015 +3 +Created( +& +$#/definitions/io.k8s.api.core.v1.Pod + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionput +jE +x-kubernetes-group-version-kind" version: v1 +group: "" +kind: Pod +BØ +core_v1,partially update status of the specified Pod*patchCoreV1NamespacedPodStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean JR +7 +2000 +. +OK( +& +$#/definitions/io.k8s.api.core.v1.Pod + +401 + + UnauthorizedRhttpsjE +x-kubernetes-group-version-kind" kind: Pod +version: v1 +group: "" +j +x-kubernetes-actionpatch +J0 +.,"*pathname of the Pod"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ì' +/api/v1/watch/serviceaccountsÊ'¾ +core_v1zwatch individual changes to a list of ServiceAccount. deprecated: use the 'watch' parameter with a list operation instead.*-watchCoreV1ServiceAccountListForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj# +x-kubernetes-action  +watchlist +jP +x-kubernetes-group-version-kind-+kind: ServiceAccount +version: v1 +group: "" +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean µ] +1/apis/apps/v1/namespaces/{namespace}/statefulsetsÿ\„& +apps_v1)list or watch objects of kind StatefulSet*listAppsV1NamespacedStatefulSet2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Bï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer B± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean J^ +C +200< +: +OK4 +2 +0#/definitions/io.k8s.api.apps.v1.StatefulSetList + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionlist +jO +x-kubernetes-group-version-kind,*group: apps +kind: StatefulSet +version: v1 +"ð +apps_v1create a StatefulSet*!createAppsV1NamespacedStatefulSet2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BB +@ +>bodybody *. +,#/definitions/io.k8s.api.apps.v1.StatefulSetBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string Jç + +401 + + Unauthorized +? +2008 +6 +OK0 +. +,#/definitions/io.k8s.api.apps.v1.StatefulSet +D +201= +; +Created0 +. +,#/definitions/io.k8s.api.apps.v1.StatefulSet +E +202> +< +Accepted0 +. +,#/definitions/io.k8s.api.apps.v1.StatefulSetRhttpsj +x-kubernetes-actionpost +jO +x-kubernetes-group-version-kind,*group: apps +kind: StatefulSet +version: v1 +*Ï, +apps_v1 delete collection of StatefulSet*+deleteAppsV1CollectionNamespacedStatefulSet2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string Bž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer Jg +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsjO +x-kubernetes-group-version-kind,*kind: StatefulSet +version: v1 +group: apps +j* +x-kubernetes-actiondeletecollection +J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string þ +/apis/autoscaling/v2beta2/ßÜ +autoscaling_v2beta2get available resources*!getAutoscalingV2beta2APIResources2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJp +U +200N +L +OKF +D +B#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList + +401 + + UnauthorizedRhttps¨* +X/apis/rbac.authorization.k8s.io/v1beta1/watch/namespaces/{namespace}/rolebindings/{name}Ë)£ +rbacAuthorization_v1beta1²watch changes to an object of kind RoleBinding. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*2watchRbacAuthorizationV1beta1NamespacedRoleBinding2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsji +x-kubernetes-group-version-kindFDgroup: rbac.authorization.k8s.io +kind: RoleBinding +version: v1beta1 +j +x-kubernetes-actionwatch +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J8 +64"2pathname of the RoleBinding"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ³( +7/apis/storage.k8s.io/v1beta1/watch/csistoragecapacities÷'ë +storage_v1beta1~watch individual changes to a list of CSIStorageCapacity. deprecated: use the 'watch' parameter with a list operation instead.*9watchStorageV1beta1CSIStorageCapacityListForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsje +x-kubernetes-group-version-kindB@group: storage.k8s.io +kind: CSIStorageCapacity +version: v1beta1 +j# +x-kubernetes-action  +watchlist +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean H +/logs/>< +logs*logFileListHandlerJ + +401 + + UnauthorizedRhttpsÿ+ +O/apis/storage.k8s.io/v1beta1/namespaces/{namespace}/csistoragecapacities/{name}«+® +storage_v1beta1%read the specified CSIStorageCapacity*.readStorageV1beta1NamespacedCSIStorageCapacity2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Ji +N +200G +E +OK? += +;#/definitions/io.k8s.api.storage.v1beta1.CSIStorageCapacity + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionget +je +x-kubernetes-group-version-kindB@group: storage.k8s.io +kind: CSIStorageCapacity +version: v1beta1 +— +storage_v1beta1(replace the specified CSIStorageCapacity*1replaceStorageV1beta1NamespacedCSIStorageCapacity2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BQ +O +Mbodybody *= +;#/definitions/io.k8s.api.storage.v1beta1.CSIStorageCapacityBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string J¾ +N +200G +E +OK? += +;#/definitions/io.k8s.api.storage.v1beta1.CSIStorageCapacity +S +201L +J +Created? += +;#/definitions/io.k8s.api.storage.v1beta1.CSIStorageCapacity + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionput +je +x-kubernetes-group-version-kindB@kind: CSIStorageCapacity +version: v1beta1 +group: storage.k8s.io +*¹ +storage_v1beta1delete a CSIStorageCapacity*0deleteStorageV1beta1NamespacedCSIStorageCapacity2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string J» +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status +R +202K +I +Accepted= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsj +x-kubernetes-action delete +je +x-kubernetes-group-version-kindB@version: v1beta1 +group: storage.k8s.io +kind: CSIStorageCapacity +B­ +storage_v1beta11partially update the specified CSIStorageCapacity*/patchStorageV1beta1NamespacedCSIStorageCapacity2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean Ji +N +200G +E +OK? += +;#/definitions/io.k8s.api.storage.v1beta1.CSIStorageCapacity + +401 + + UnauthorizedRhttpsje +x-kubernetes-group-version-kindB@version: v1beta1 +group: storage.k8s.io +kind: CSIStorageCapacity +j +x-kubernetes-actionpatch +J? +=;"9pathname of the CSIStorageCapacity"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Ö] +./api/v1/namespaces/{namespace}/serviceaccounts£]Ž& +core_v1,list or watch objects of kind ServiceAccount*"listCoreV1NamespacedServiceAccount2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Bï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer B± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean Ja + +401 + + Unauthorized +F +200? += +OK7 +5 +3#/definitions/io.k8s.api.core.v1.ServiceAccountListRhttpsjP +x-kubernetes-group-version-kind-+version: v1 +group: "" +kind: ServiceAccount +j +x-kubernetes-actionlist +"ƒ +core_v1create a ServiceAccount*$createCoreV1NamespacedServiceAccount2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BE +C +Abodybody *1 +/#/definitions/io.k8s.api.core.v1.ServiceAccountBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string Jð +B +200; +9 +OK3 +1 +/#/definitions/io.k8s.api.core.v1.ServiceAccount +G +201@ +> +Created3 +1 +/#/definitions/io.k8s.api.core.v1.ServiceAccount +H +202A +? +Accepted3 +1 +/#/definitions/io.k8s.api.core.v1.ServiceAccount + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpost +jP +x-kubernetes-group-version-kind-+kind: ServiceAccount +version: v1 +group: "" +*Ö, +core_v1#delete collection of ServiceAccount*.deleteCoreV1CollectionNamespacedServiceAccount2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string Bž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer Jg +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsj* +x-kubernetes-actiondeletecollection +jP +x-kubernetes-group-version-kind-+group: "" +kind: ServiceAccount +version: v1 +J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Á +/api/v1/nodes/{name}/proxy¢Œ +core_v1%connect GET requests to proxy of Node*connectCoreV1GetNodeProxy2*/*:*/*J7 + +200 + +OK + ² +string + +401 + + UnauthorizedRhttpsj! +x-kubernetes-action +connect +jR +x-kubernetes-group-version-kind/-kind: NodeProxyOptions +version: v1 +group: "" +Œ +core_v1%connect PUT requests to proxy of Node*connectCoreV1PutNodeProxy2*/*:*/*J7 + +200 + +OK + ² +string + +401 + + UnauthorizedRhttpsj! +x-kubernetes-action +connect +jR +x-kubernetes-group-version-kind/-group: "" +kind: NodeProxyOptions +version: v1 +"Ž +core_v1&connect POST requests to proxy of Node*connectCoreV1PostNodeProxy2*/*:*/*J7 + +200 + +OK + ² +string + +401 + + UnauthorizedRhttpsj! +x-kubernetes-action +connect +jR +x-kubernetes-group-version-kind/-group: "" +kind: NodeProxyOptions +version: v1 +*’ +core_v1(connect DELETE requests to proxy of Node*connectCoreV1DeleteNodeProxy2*/*:*/*J7 + +200 + +OK + ² +string + +401 + + UnauthorizedRhttpsjR +x-kubernetes-group-version-kind/-group: "" +kind: NodeProxyOptions +version: v1 +j! +x-kubernetes-action +connect +2” +core_v1)connect OPTIONS requests to proxy of Node*connectCoreV1OptionsNodeProxy2*/*:*/*J7 + +200 + +OK + ² +string + +401 + + UnauthorizedRhttpsjR +x-kubernetes-group-version-kind/-group: "" +kind: NodeProxyOptions +version: v1 +j! +x-kubernetes-action +connect +:Ž +core_v1&connect HEAD requests to proxy of Node*connectCoreV1HeadNodeProxy2*/*:*/*J7 + +200 + +OK + ² +string + +401 + + UnauthorizedRhttpsjR +x-kubernetes-group-version-kind/-group: "" +kind: NodeProxyOptions +version: v1 +j! +x-kubernetes-action +connect +B +core_v1'connect PATCH requests to proxy of Node*connectCoreV1PatchNodeProxy2*/*:*/*J7 + +200 + +OK + ² +string + +401 + + UnauthorizedRhttpsjR +x-kubernetes-group-version-kind/-kind: NodeProxyOptions +version: v1 +group: "" +j! +x-kubernetes-action +connect +J= +;9"7pathname of the NodeProxyOptions"name*string˜Jb +`^\queryBPath is the URL path to use for the current proxy request to node."path2string ­` +F/apis/flowcontrol.apiserver.k8s.io/v1beta1/prioritylevelconfigurationsâ_‰' +flowcontrolApiserver_v1beta18list or watch objects of kind PriorityLevelConfiguration*9listFlowcontrolApiserverV1beta1PriorityLevelConfiguration2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Bï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer B± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean Jy + +401 + + Unauthorized +^ +200W +U +OKO +M +K#/definitions/io.k8s.api.flowcontrol.v1beta1.PriorityLevelConfigurationListRhttpsj{ +x-kubernetes-group-version-kindXVgroup: flowcontrol.apiserver.k8s.io +kind: PriorityLevelConfiguration +version: v1beta1 +j +x-kubernetes-actionlist +"Æ + +flowcontrolApiserver_v1beta1#create a PriorityLevelConfiguration*;createFlowcontrolApiserverV1beta1PriorityLevelConfiguration2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B] +[ +Ybodybody *I +G#/definitions/io.k8s.api.flowcontrol.v1beta1.PriorityLevelConfigurationBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string J¸ +Z +200S +Q +OKK +I +G#/definitions/io.k8s.api.flowcontrol.v1beta1.PriorityLevelConfiguration +_ +201X +V +CreatedK +I +G#/definitions/io.k8s.api.flowcontrol.v1beta1.PriorityLevelConfiguration +` +202Y +W +AcceptedK +I +G#/definitions/io.k8s.api.flowcontrol.v1beta1.PriorityLevelConfiguration + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpost +j{ +x-kubernetes-group-version-kindXVversion: v1beta1 +group: flowcontrol.apiserver.k8s.io +kind: PriorityLevelConfiguration +*¹- +flowcontrolApiserver_v1beta1/delete collection of PriorityLevelConfiguration*EdeleteFlowcontrolApiserverV1beta1CollectionPriorityLevelConfiguration2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string Bž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer Jg +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsj* +x-kubernetes-actiondeletecollection +j{ +x-kubernetes-group-version-kindXVgroup: flowcontrol.apiserver.k8s.io +kind: PriorityLevelConfiguration +version: v1beta1 +JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ¤( +//apis/policy/v1beta1/watch/poddisruptionbudgetsð'ä +policy_v1beta1watch individual changes to a list of PodDisruptionBudget. deprecated: use the 'watch' parameter with a list operation instead.*9watchPolicyV1beta1PodDisruptionBudgetListForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj# +x-kubernetes-action  +watchlist +j^ +x-kubernetes-group-version-kind;9group: policy +kind: PodDisruptionBudget +version: v1beta1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean î] +?/apis/rbac.authorization.k8s.io/v1/namespaces/{namespace}/rolesª]—& +rbacAuthorization_v1"list or watch objects of kind Role*%listRbacAuthorizationV1NamespacedRole2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Bï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer B± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean JW + +401 + + Unauthorized +< +2005 +3 +OK- ++ +)#/definitions/io.k8s.api.rbac.v1.RoleListRhttpsj] +x-kubernetes-group-version-kind:8group: rbac.authorization.k8s.io +kind: Role +version: v1 +j +x-kubernetes-actionlist +"î +rbacAuthorization_v1 create a Role*'createRbacAuthorizationV1NamespacedRole2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B; +9 +7bodybody *' +%#/definitions/io.k8s.api.rbac.v1.RoleBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string JÒ + +401 + + Unauthorized +8 +2001 +/ +OK) +' +%#/definitions/io.k8s.api.rbac.v1.Role += +2016 +4 +Created) +' +%#/definitions/io.k8s.api.rbac.v1.Role +> +2027 +5 +Accepted) +' +%#/definitions/io.k8s.api.rbac.v1.RoleRhttpsj +x-kubernetes-actionpost +j] +x-kubernetes-group-version-kind:8group: rbac.authorization.k8s.io +kind: Role +version: v1 +*é, +rbacAuthorization_v1delete collection of Role*1deleteRbacAuthorizationV1CollectionNamespacedRole2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string Bž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer Jg +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsj] +x-kubernetes-group-version-kind:8group: rbac.authorization.k8s.io +kind: Role +version: v1 +j* +x-kubernetes-actiondeletecollection +J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ’( +./apis/discovery.k8s.io/v1/watch/endpointslicesß'Ó + discovery_v1ywatch individual changes to a list of EndpointSlice. deprecated: use the 'watch' parameter with a list operation instead.*1watchDiscoveryV1EndpointSliceListForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj# +x-kubernetes-action  +watchlist +j] +x-kubernetes-group-version-kind:8group: discovery.k8s.io +kind: EndpointSlice +version: v1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ¥] +)/apis/networking.k8s.io/v1/ingressclasses÷\& + networking_v1*list or watch objects of kind IngressClass*listNetworkingV1IngressClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Bï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer B± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean Je +J +200C +A +OK; +9 +7#/definitions/io.k8s.api.networking.v1.IngressClassList + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionlist +j] +x-kubernetes-group-version-kind:8group: networking.k8s.io +kind: IngressClass +version: v1 +"Ÿ + networking_v1create an IngressClass*createNetworkingV1IngressClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BI +G +Ebodybody *5 +3#/definitions/io.k8s.api.networking.v1.IngressClassBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string Jü +F +200? += +OK7 +5 +3#/definitions/io.k8s.api.networking.v1.IngressClass +K +201D +B +Created7 +5 +3#/definitions/io.k8s.api.networking.v1.IngressClass +L +202E +C +Accepted7 +5 +3#/definitions/io.k8s.api.networking.v1.IngressClass + +401 + + UnauthorizedRhttpsj] +x-kubernetes-group-version-kind:8group: networking.k8s.io +kind: IngressClass +version: v1 +j +x-kubernetes-actionpost +*á, + networking_v1!delete collection of IngressClass*(deleteNetworkingV1CollectionIngressClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string Bž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer Jg +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsj] +x-kubernetes-group-version-kind:8group: networking.k8s.io +kind: IngressClass +version: v1 +j* +x-kubernetes-actiondeletecollection +JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ž) +2/api/v1/namespaces/{namespace}/podtemplates/{name}ç(é +core_v1read the specified PodTemplate*readCoreV1NamespacedPodTemplate2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*JZ +? +2008 +6 +OK0 +. +,#/definitions/io.k8s.api.core.v1.PodTemplate + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionget +jM +x-kubernetes-group-version-kind*(version: v1 +group: "" +kind: PodTemplate +´ +core_v1!replace the specified PodTemplate*"replaceCoreV1NamespacedPodTemplate2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BB +@ +>bodybody *. +,#/definitions/io.k8s.api.core.v1.PodTemplateBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string J  +? +2008 +6 +OK0 +. +,#/definitions/io.k8s.api.core.v1.PodTemplate +D +201= +; +Created0 +. +,#/definitions/io.k8s.api.core.v1.PodTemplate + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionput +jM +x-kubernetes-group-version-kind*(group: "" +kind: PodTemplate +version: v1 +*é +core_v1delete a PodTemplate*!deleteCoreV1NamespacedPodTemplate2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string J¡ +E +202> +< +Accepted0 +. +,#/definitions/io.k8s.api.core.v1.PodTemplate + +401 + + Unauthorized +? +2008 +6 +OK0 +. +,#/definitions/io.k8s.api.core.v1.PodTemplateRhttpsj +x-kubernetes-action delete +jM +x-kubernetes-group-version-kind*(group: "" +kind: PodTemplate +version: v1 +Bè +core_v1*partially update the specified PodTemplate* patchCoreV1NamespacedPodTemplate2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean JZ +? +2008 +6 +OK0 +. +,#/definitions/io.k8s.api.core.v1.PodTemplate + +401 + + UnauthorizedRhttpsjM +x-kubernetes-group-version-kind*(version: v1 +group: "" +kind: PodTemplate +j +x-kubernetes-actionpatch +J8 +64"2pathname of the PodTemplate"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Ù( +-/api/v1/namespaces/{namespace}/secrets/{name}§(Õ +core_v1read the specified Secret*readCoreV1NamespacedSecret2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*JU +: +2003 +1 +OK+ +) +'#/definitions/io.k8s.api.core.v1.Secret + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionget +jH +x-kubernetes-group-version-kind%#kind: Secret +version: v1 +group: "" +– +core_v1replace the specified Secret*replaceCoreV1NamespacedSecret2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B= +; +9bodybody *) +'#/definitions/io.k8s.api.core.v1.SecretBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string J– +: +2003 +1 +OK+ +) +'#/definitions/io.k8s.api.core.v1.Secret +? +2018 +6 +Created+ +) +'#/definitions/io.k8s.api.core.v1.Secret + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionput +jH +x-kubernetes-group-version-kind%#group: "" +kind: Secret +version: v1 +*ô +core_v1delete a Secret*deleteCoreV1NamespacedSecret2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string J» +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status +R +202K +I +Accepted= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsj +x-kubernetes-action delete +jH +x-kubernetes-group-version-kind%#version: v1 +group: "" +kind: Secret +BÔ +core_v1%partially update the specified Secret*patchCoreV1NamespacedSecret2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean JU +: +2003 +1 +OK+ +) +'#/definitions/io.k8s.api.core.v1.Secret + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpatch +jH +x-kubernetes-group-version-kind%#group: "" +kind: Secret +version: v1 +J3 +1/"-pathname of the Secret"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ‰( +$/api/v1/watch/persistentvolumeclaimsà'Ô +core_v1watch individual changes to a list of PersistentVolumeClaim. deprecated: use the 'watch' parameter with a list operation instead.*4watchCoreV1PersistentVolumeClaimListForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj# +x-kubernetes-action  +watchlist +jW +x-kubernetes-group-version-kind42group: "" +kind: PersistentVolumeClaim +version: v1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean Ã +>/apis/apiregistration.k8s.io/v1beta1/apiservices/{name}/status€É +apiregistration_v1beta1'read status of the specified APIService**readApiregistrationV1beta1APIServiceStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*J~ +c +200\ +Z +OKT +R +P#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1beta1.APIService + +401 + + UnauthorizedRhttpsje +x-kubernetes-group-version-kindB@group: apiregistration.k8s.io +version: v1beta1 +kind: APIService +j +x-kubernetes-actionget +Ü +apiregistration_v1beta1*replace status of the specified APIService*-replaceApiregistrationV1beta1APIServiceStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Bf +d +bbodybody *R +P#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1beta1.APIServiceBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string Jè +c +200\ +Z +OKT +R +P#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1beta1.APIService +h +201a +_ +CreatedT +R +P#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1beta1.APIService + +401 + + UnauthorizedRhttpsje +x-kubernetes-group-version-kindB@group: apiregistration.k8s.io +version: v1beta1 +kind: APIService +j +x-kubernetes-actionput +BÈ +apiregistration_v1beta13partially update status of the specified APIService*+patchApiregistrationV1beta1APIServiceStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean J~ +c +200\ +Z +OKT +R +P#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1beta1.APIService + +401 + + UnauthorizedRhttpsje +x-kubernetes-group-version-kindB@group: apiregistration.k8s.io +version: v1beta1 +kind: APIService +j +x-kubernetes-actionpatch +J7 +53"1pathname of the APIService"name*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Ü& +/api/v1/secretsÈ&¼ +core_v1$list or watch objects of kind Secret* listCoreV1SecretForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*JY +> +2007 +5 +OK/ +- ++#/definitions/io.k8s.api.core.v1.SecretList + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionlist +jH +x-kubernetes-group-version-kind%#kind: Secret +version: v1 +group: "" +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean Ê^ +A/apis/networking.k8s.io/v1/namespaces/{namespace}/networkpolicies„^«& + networking_v1+list or watch objects of kind NetworkPolicy*'listNetworkingV1NamespacedNetworkPolicy2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Bï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer B± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean Jf +K +200D +B +OK< +: +8#/definitions/io.k8s.api.networking.v1.NetworkPolicyList + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionlist +j^ +x-kubernetes-group-version-kind;9kind: NetworkPolicy +version: v1 +group: networking.k8s.io +"¯ + networking_v1create a NetworkPolicy*)createNetworkingV1NamespacedNetworkPolicy2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BJ +H +Fbodybody *6 +4#/definitions/io.k8s.api.networking.v1.NetworkPolicyBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string Jÿ +G +200@ +> +OK8 +6 +4#/definitions/io.k8s.api.networking.v1.NetworkPolicy +L +201E +C +Created8 +6 +4#/definitions/io.k8s.api.networking.v1.NetworkPolicy +M +202F +D +Accepted8 +6 +4#/definitions/io.k8s.api.networking.v1.NetworkPolicy + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpost +j^ +x-kubernetes-group-version-kind;9group: networking.k8s.io +kind: NetworkPolicy +version: v1 +*î, + networking_v1"delete collection of NetworkPolicy*3deleteNetworkingV1CollectionNamespacedNetworkPolicy2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string Bž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer Jg +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsj^ +x-kubernetes-group-version-kind;9group: networking.k8s.io +kind: NetworkPolicy +version: v1 +j* +x-kubernetes-actiondeletecollection +J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ¢ +'/api/v1/persistentvolumes/{name}/statusöƒ +core_v1-read status of the specified PersistentVolume* readCoreV1PersistentVolumeStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*J_ +D +200= +; +OK5 +3 +1#/definitions/io.k8s.api.core.v1.PersistentVolume + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionget +jR +x-kubernetes-group-version-kind/-group: "" +kind: PersistentVolume +version: v1 +Ø +core_v10replace status of the specified PersistentVolume*#replaceCoreV1PersistentVolumeStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BG +E +Cbodybody *3 +1#/definitions/io.k8s.api.core.v1.PersistentVolumeBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string Jª +D +200= +; +OK5 +3 +1#/definitions/io.k8s.api.core.v1.PersistentVolume +I +201B +@ +Created5 +3 +1#/definitions/io.k8s.api.core.v1.PersistentVolume + +401 + + UnauthorizedRhttpsjR +x-kubernetes-group-version-kind/-group: "" +kind: PersistentVolume +version: v1 +j +x-kubernetes-actionput +B‚ +core_v19partially update status of the specified PersistentVolume*!patchCoreV1PersistentVolumeStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean J_ +D +200= +; +OK5 +3 +1#/definitions/io.k8s.api.core.v1.PersistentVolume + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpatch +jR +x-kubernetes-group-version-kind/-kind: PersistentVolume +version: v1 +group: "" +J= +;9"7pathname of the PersistentVolume"name*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Ð* +;/apis/rbac.authorization.k8s.io/v1beta1/clusterroles/{name}*¤ +rbacAuthorization_v1beta1read the specified ClusterRole*'readRbacAuthorizationV1beta1ClusterRole2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*J_ + +401 + + Unauthorized +D +200= +; +OK5 +3 +1#/definitions/io.k8s.api.rbac.v1beta1.ClusterRoleRhttpsj +x-kubernetes-actionget +ji +x-kubernetes-group-version-kindFDgroup: rbac.authorization.k8s.io +kind: ClusterRole +version: v1beta1 +ù +rbacAuthorization_v1beta1!replace the specified ClusterRole**replaceRbacAuthorizationV1beta1ClusterRole2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BG +E +Cbodybody *3 +1#/definitions/io.k8s.api.rbac.v1beta1.ClusterRoleBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string Jª +D +200= +; +OK5 +3 +1#/definitions/io.k8s.api.rbac.v1beta1.ClusterRole +I +201B +@ +Created5 +3 +1#/definitions/io.k8s.api.rbac.v1beta1.ClusterRole + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionput +ji +x-kubernetes-group-version-kindFDgroup: rbac.authorization.k8s.io +kind: ClusterRole +version: v1beta1 +*¹ +rbacAuthorization_v1beta1delete a ClusterRole*)deleteRbacAuthorizationV1beta1ClusterRole2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string J» +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status +R +202K +I +Accepted= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsj +x-kubernetes-action delete +ji +x-kubernetes-group-version-kindFDgroup: rbac.authorization.k8s.io +kind: ClusterRole +version: v1beta1 +B£ +rbacAuthorization_v1beta1*partially update the specified ClusterRole*(patchRbacAuthorizationV1beta1ClusterRole2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean J_ +D +200= +; +OK5 +3 +1#/definitions/io.k8s.api.rbac.v1beta1.ClusterRole + +401 + + UnauthorizedRhttpsji +x-kubernetes-group-version-kindFDgroup: rbac.authorization.k8s.io +kind: ClusterRole +version: v1beta1 +j +x-kubernetes-actionpatch +J8 +64"2pathname of the ClusterRole"name*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Ó) +0/apis/storage.k8s.io/v1/volumeattachments/{name}ž)ˆ + +storage_v1#read the specified VolumeAttachment*readStorageV1VolumeAttachment2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Jb + +401 + + Unauthorized +G +200@ +> +OK8 +6 +4#/definitions/io.k8s.api.storage.v1.VolumeAttachmentRhttpsj^ +x-kubernetes-group-version-kind;9group: storage.k8s.io +kind: VolumeAttachment +version: v1 +j +x-kubernetes-actionget +ã + +storage_v1&replace the specified VolumeAttachment* replaceStorageV1VolumeAttachment2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BJ +H +Fbodybody *6 +4#/definitions/io.k8s.api.storage.v1.VolumeAttachmentBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string J° +L +201E +C +Created8 +6 +4#/definitions/io.k8s.api.storage.v1.VolumeAttachment + +401 + + Unauthorized +G +200@ +> +OK8 +6 +4#/definitions/io.k8s.api.storage.v1.VolumeAttachmentRhttpsj +x-kubernetes-actionput +j^ +x-kubernetes-group-version-kind;9group: storage.k8s.io +kind: VolumeAttachment +version: v1 +* + +storage_v1delete a VolumeAttachment*deleteStorageV1VolumeAttachment2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string J± +G +200@ +> +OK8 +6 +4#/definitions/io.k8s.api.storage.v1.VolumeAttachment +M +202F +D +Accepted8 +6 +4#/definitions/io.k8s.api.storage.v1.VolumeAttachment + +401 + + UnauthorizedRhttpsj +x-kubernetes-action delete +j^ +x-kubernetes-group-version-kind;9version: v1 +group: storage.k8s.io +kind: VolumeAttachment +B‡ + +storage_v1/partially update the specified VolumeAttachment*patchStorageV1VolumeAttachment2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean Jb +G +200@ +> +OK8 +6 +4#/definitions/io.k8s.api.storage.v1.VolumeAttachment + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpatch +j^ +x-kubernetes-group-version-kind;9group: storage.k8s.io +kind: VolumeAttachment +version: v1 +J= +;9"7pathname of the VolumeAttachment"name*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string §' +/api/v1/replicationcontrollers„'ø +core_v13list or watch objects of kind ReplicationController*/listCoreV1ReplicationControllerForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jh +M +200F +D +OK> +< +:#/definitions/io.k8s.api.core.v1.ReplicationControllerList + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionlist +jW +x-kubernetes-group-version-kind42group: "" +kind: ReplicationController +version: v1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ö\ +%/apis/storage.k8s.io/v1beta1/csinodesÌ\‘& +storage_v1beta1%list or watch objects of kind CSINode*listStorageV1beta1CSINode2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Bï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer B± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean Jb + +401 + + Unauthorized +G +200@ +> +OK8 +6 +4#/definitions/io.k8s.api.storage.v1beta1.CSINodeListRhttpsj +x-kubernetes-actionlist +jZ +x-kubernetes-group-version-kind75group: storage.k8s.io +kind: CSINode +version: v1beta1 +"‰ +storage_v1beta1create a CSINode*createStorageV1beta1CSINode2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BF +D +Bbodybody *2 +0#/definitions/io.k8s.api.storage.v1beta1.CSINodeBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string Jó + +401 + + Unauthorized +C +200< +: +OK4 +2 +0#/definitions/io.k8s.api.storage.v1beta1.CSINode +H +201A +? +Created4 +2 +0#/definitions/io.k8s.api.storage.v1beta1.CSINode +I +202B +@ +Accepted4 +2 +0#/definitions/io.k8s.api.storage.v1beta1.CSINodeRhttpsj +x-kubernetes-actionpost +jZ +x-kubernetes-group-version-kind75version: v1beta1 +group: storage.k8s.io +kind: CSINode +*Ø, +storage_v1beta1delete collection of CSINode*%deleteStorageV1beta1CollectionCSINode2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string Bž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer Jg +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsj* +x-kubernetes-actiondeletecollection +jZ +x-kubernetes-group-version-kind75group: storage.k8s.io +kind: CSINode +version: v1beta1 +JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ê +/apis/storage.k8s.io/v1/ÍÊ + +storage_v1get available resources*getStorageV1APIResources2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJp +U +200N +L +OKF +D +B#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList + +401 + + UnauthorizedRhttpsÔ) +I/apis/apiextensions.k8s.io/v1beta1/watch/customresourcedefinitions/{name}†)³ +apiextensions_v1beta1¿watch changes to an object of kind CustomResourceDefinition. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*1watchApiextensionsV1beta1CustomResourceDefinition2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk + +401 + + Unauthorized +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEventRhttpsj +x-kubernetes-actionwatch +jq +x-kubernetes-group-version-kindNLversion: v1beta1 +group: apiextensions.k8s.io +kind: CustomResourceDefinition +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JE +CA"?path$name of the CustomResourceDefinition"name*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean †_ +0/apis/apiregistration.k8s.io/v1beta1/apiservicesÑ^Ó& +apiregistration_v1beta1(list or watch objects of kind APIService*$listApiregistrationV1beta1APIService2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*B‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Bï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer B± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean J‚ +g +200` +^ +OKX +V +T#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1beta1.APIServiceList + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionlist +je +x-kubernetes-group-version-kindB@group: apiregistration.k8s.io +version: v1beta1 +kind: APIService +"« + +apiregistration_v1beta1create an APIService*&createApiregistrationV1beta1APIService2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Bf +d +bbodybody *R +P#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1beta1.APIServiceBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string JÓ + +401 + + Unauthorized +c +200\ +Z +OKT +R +P#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1beta1.APIService +h +201a +_ +CreatedT +R +P#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1beta1.APIService +i +202b +` +AcceptedT +R +P#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1beta1.APIServiceRhttpsje +x-kubernetes-group-version-kindB@version: v1beta1 +kind: APIService +group: apiregistration.k8s.io +j +x-kubernetes-actionpost +*ù, +apiregistration_v1beta1delete collection of APIService*0deleteApiregistrationV1beta1CollectionAPIService2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string Bž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer B‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Bú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string Bû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string BÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Bž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer Jg + +401 + + Unauthorized +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.StatusRhttpsj* +x-kubernetes-actiondeletecollection +je +x-kubernetes-group-version-kindB@group: apiregistration.k8s.io +version: v1beta1 +kind: APIService +JO +MKIquery-If 'true', then the output is pretty printed."pretty2string à' +/apis/apps/v1/watch/daemonsets½'± +apps_v1uwatch individual changes to a list of DaemonSet. deprecated: use the 'watch' parameter with a list operation instead.*(watchAppsV1DaemonSetListForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj# +x-kubernetes-action  +watchlist +jM +x-kubernetes-group-version-kind*(group: apps +kind: DaemonSet +version: v1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean š +N/apis/authorization.k8s.io/v1/namespaces/{namespace}/localsubjectaccessreviewsÇ "× +authorization_v1!create a LocalSubjectAccessReview*7createAuthorizationV1NamespacedLocalSubjectAccessReview2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BX +V +Tbodybody *D +B#/definitions/io.k8s.api.authorization.v1.LocalSubjectAccessReviewJ© +[ +202T +R +AcceptedF +D +B#/definitions/io.k8s.api.authorization.v1.LocalSubjectAccessReview + +401 + + Unauthorized +U +200N +L +OKF +D +B#/definitions/io.k8s.api.authorization.v1.LocalSubjectAccessReview +Z +201S +Q +CreatedF +D +B#/definitions/io.k8s.api.authorization.v1.LocalSubjectAccessReviewRhttpsj +x-kubernetes-actionpost +jl +x-kubernetes-group-version-kindIGgroup: authorization.k8s.io +kind: LocalSubjectAccessReview +version: v1 +Jž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string J– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ò +/apis/apiregistration.k8s.io/ÐÍ +apiregistrationget information of a group*getApiregistrationAPIGroup2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJi +N +200G +E +OK? += +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIGroup + +401 + + UnauthorizedRhttpsì +/apis/batch/v1beta1/ÓÐ + batch_v1beta1get available resources*getBatchV1beta1APIResources2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJp +U +200N +L +OKF +D +B#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList + +401 + + UnauthorizedRhttpsø +9/apis/apiregistration.k8s.io/v1/apiservices/{name}/statusºµ +apiregistration_v1'read status of the specified APIService*%readApiregistrationV1APIServiceStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Jy +^ +200W +U +OKO +M +K#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIService + +401 + + UnauthorizedRhttpsj` +x-kubernetes-group-version-kind=;group: apiregistration.k8s.io +version: v1 +kind: APIService +j +x-kubernetes-actionget +¾ +apiregistration_v1*replace status of the specified APIService*(replaceApiregistrationV1APIServiceStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Ba +_ +]bodybody *M +K#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIServiceBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string JÞ + +401 + + Unauthorized +^ +200W +U +OKO +M +K#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIService +c +201\ +Z +CreatedO +M +K#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIServiceRhttpsj +x-kubernetes-actionput +j` +x-kubernetes-group-version-kind=;group: apiregistration.k8s.io +version: v1 +kind: APIService +B´ +apiregistration_v13partially update status of the specified APIService*&patchApiregistrationV1APIServiceStatus2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean Jy +^ +200W +U +OKO +M +K#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIService + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpatch +j` +x-kubernetes-group-version-kind=;group: apiregistration.k8s.io +version: v1 +kind: APIService +J7 +53"1pathname of the APIService"name*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ì +/apis/authorization.k8s.io/ÌÉ + authorizationget information of a group*getAuthorizationAPIGroup2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJi +N +200G +E +OK? += +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIGroup + +401 + + UnauthorizedRhttpsá( +0/apis/node.k8s.io/v1/watch/runtimeclasses/{name}¬(å +node_v1³watch changes to an object of kind RuntimeClass. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*watchNodeV1RuntimeClass2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionwatch +jW +x-kubernetes-group-version-kind42kind: RuntimeClass +version: v1 +group: node.k8s.io +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J9 +75"3pathname of the RuntimeClass"name*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ÿ' +./apis/node.k8s.io/v1beta1/watch/runtimeclassesÌ'À + node_v1beta1xwatch individual changes to a list of RuntimeClass. deprecated: use the 'watch' parameter with a list operation instead.* watchNodeV1beta1RuntimeClassList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj# +x-kubernetes-action  +watchlist +j\ +x-kubernetes-group-version-kind97group: node.k8s.io +kind: RuntimeClass +version: v1beta1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ’' +/api/v1/nodes/{name}ù&à +core_v1read the specified Node*readCoreV1Node2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*JS +8 +2001 +/ +OK) +' +%#/definitions/io.k8s.api.core.v1.Node + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionget +jF +x-kubernetes-group-version-kind#!group: "" +kind: Node +version: v1 +€ +core_v1replace the specified Node*replaceCoreV1Node2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*B; +9 +7bodybody *' +%#/definitions/io.k8s.api.core.v1.NodeBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string J’ +8 +2001 +/ +OK) +' +%#/definitions/io.k8s.api.core.v1.Node += +2016 +4 +Created) +' +%#/definitions/io.k8s.api.core.v1.Node + +401 + + UnauthorizedRhttpsjF +x-kubernetes-group-version-kind#!group: "" +kind: Node +version: v1 +j +x-kubernetes-actionput +*ä +core_v1 delete a Node*deleteCoreV1Node2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string J» + +401 + + Unauthorized +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status +R +202K +I +Accepted= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.StatusRhttpsjF +x-kubernetes-group-version-kind#!group: "" +kind: Node +version: v1 +j +x-kubernetes-action delete +B +core_v1#partially update the specified Node*patchCoreV1Node2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean JS +8 +2001 +/ +OK) +' +%#/definitions/io.k8s.api.core.v1.Node + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpatch +jF +x-kubernetes-group-version-kind#!kind: Node +version: v1 +group: "" +J1 +/-"+pathname of the Node"name*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Ú +/apis/apps/v1/ÇÄ +apps_v1get available resources*getAppsV1APIResources2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJp +U +200N +L +OKF +D +B#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList + +401 + + UnauthorizedRhttpsï + +2/apis/authorization.k8s.io/v1/subjectaccessreviews¸ +"ª +authorization_v1create a SubjectAccessReview*(createAuthorizationV1SubjectAccessReview2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BS +Q +Obodybody *? +=#/definitions/io.k8s.api.authorization.v1.SubjectAccessReviewJš +P +200I +G +OKA +? +=#/definitions/io.k8s.api.authorization.v1.SubjectAccessReview +U +201N +L +CreatedA +? +=#/definitions/io.k8s.api.authorization.v1.SubjectAccessReview +V +202O +M +AcceptedA +? +=#/definitions/io.k8s.api.authorization.v1.SubjectAccessReview + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpost +jg +x-kubernetes-group-version-kindDBversion: v1 +group: authorization.k8s.io +kind: SubjectAccessReview +Jž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string J– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string JO +MKIquery-If 'true', then the output is pretty printed."pretty2string — +7/apis/authorization.k8s.io/v1beta1/subjectaccessreviewsÛ +"Í +authorization_v1beta1create a SubjectAccessReview*-createAuthorizationV1beta1SubjectAccessReview2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BX +V +Tbodybody *D +B#/definitions/io.k8s.api.authorization.v1beta1.SubjectAccessReviewJ© +[ +202T +R +AcceptedF +D +B#/definitions/io.k8s.api.authorization.v1beta1.SubjectAccessReview + +401 + + Unauthorized +U +200N +L +OKF +D +B#/definitions/io.k8s.api.authorization.v1beta1.SubjectAccessReview +Z +201S +Q +CreatedF +D +B#/definitions/io.k8s.api.authorization.v1beta1.SubjectAccessReviewRhttpsjl +x-kubernetes-group-version-kindIGkind: SubjectAccessReview +version: v1beta1 +group: authorization.k8s.io +j +x-kubernetes-actionpost +Jž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string J– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string JO +MKIquery-If 'true', then the output is pretty printed."pretty2string æ) +:/apis/batch/v1beta1/namespaces/{namespace}/cronjobs/{name}§)ó + batch_v1beta1read the specified CronJob*!readBatchV1beta1NamespacedCronJob2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*J\ +A +200: +8 +OK2 +0 +.#/definitions/io.k8s.api.batch.v1beta1.CronJob + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionget +jQ +x-kubernetes-group-version-kind.,group: batch +kind: CronJob +version: v1beta1 + + batch_v1beta1replace the specified CronJob*$replaceBatchV1beta1NamespacedCronJob2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BD +B +@bodybody *0 +.#/definitions/io.k8s.api.batch.v1beta1.CronJobBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string J¤ +F +201? += +Created2 +0 +.#/definitions/io.k8s.api.batch.v1beta1.CronJob + +401 + + Unauthorized +A +200: +8 +OK2 +0 +.#/definitions/io.k8s.api.batch.v1beta1.CronJobRhttpsj +x-kubernetes-actionput +jQ +x-kubernetes-group-version-kind.,group: batch +kind: CronJob +version: v1beta1 +*‹ + batch_v1beta1delete a CronJob*#deleteBatchV1beta1NamespacedCronJob2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string J» + +401 + + Unauthorized +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status +R +202K +I +Accepted= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.StatusRhttpsjQ +x-kubernetes-group-version-kind.,group: batch +kind: CronJob +version: v1beta1 +j +x-kubernetes-action delete +Bò + batch_v1beta1&partially update the specified CronJob*"patchBatchV1beta1NamespacedCronJob2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean J\ +A +200: +8 +OK2 +0 +.#/definitions/io.k8s.api.batch.v1beta1.CronJob + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpatch +jQ +x-kubernetes-group-version-kind.,group: batch +kind: CronJob +version: v1beta1 +J4 +20".pathname of the CronJob"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ¸( + +<bodybody *, +*#/definitions/io.k8s.api.core.v1.EndpointsBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string Jœ += +2006 +4 +OK. +, +*#/definitions/io.k8s.api.core.v1.Endpoints +B +201; +9 +Created. +, +*#/definitions/io.k8s.api.core.v1.Endpoints + +401 + + UnauthorizedRhttpsjK +x-kubernetes-group-version-kind(&group: "" +kind: Endpoints +version: v1 +j +x-kubernetes-actionput +*û +core_v1delete Endpoints*deleteCoreV1NamespacedEndpoints2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string J» +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status +R +202K +I +Accepted= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsjK +x-kubernetes-group-version-kind(&group: "" +kind: Endpoints +version: v1 +j +x-kubernetes-action delete +Bà +core_v1(partially update the specified Endpoints*patchCoreV1NamespacedEndpoints2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean JX += +2006 +4 +OK. +, +*#/definitions/io.k8s.api.core.v1.Endpoints + +401 + + UnauthorizedRhttpsjK +x-kubernetes-group-version-kind(&group: "" +kind: Endpoints +version: v1 +j +x-kubernetes-actionpatch +J6 +42"0pathname of the Endpoints"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Ì' +/apis/batch/v1/watch/jobs®'¢ +batch_v1owatch individual changes to a list of Job. deprecated: use the 'watch' parameter with a list operation instead.*#watchBatchV1JobListForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj# +x-kubernetes-action  +watchlist +jH +x-kubernetes-group-version-kind%#group: batch +kind: Job +version: v1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ö) +@/apis/events.k8s.io/v1beta1/namespaces/{namespace}/events/{name}±)ö +events_v1beta1read the specified Event* readEventsV1beta1NamespacedEvent2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*J[ +@ +2009 +7 +OK1 +/ +-#/definitions/io.k8s.api.events.v1beta1.Event + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionget +jW +x-kubernetes-group-version-kind42group: events.k8s.io +kind: Event +version: v1beta1 +à +events_v1beta1replace the specified Event*#replaceEventsV1beta1NamespacedEvent2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BC +A +?bodybody */ +-#/definitions/io.k8s.api.events.v1beta1.EventBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string J¢ +@ +2009 +7 +OK1 +/ +-#/definitions/io.k8s.api.events.v1beta1.Event +E +201> +< +Created1 +/ +-#/definitions/io.k8s.api.events.v1beta1.Event + +401 + + UnauthorizedRhttpsjW +x-kubernetes-group-version-kind42kind: Event +version: v1beta1 +group: events.k8s.io +j +x-kubernetes-actionput +* +events_v1beta1delete an Event*"deleteEventsV1beta1NamespacedEvent2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string J» +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status +R +202K +I +Accepted= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsj +x-kubernetes-action delete +jW +x-kubernetes-group-version-kind42group: events.k8s.io +kind: Event +version: v1beta1 +Bõ +events_v1beta1$partially update the specified Event*!patchEventsV1beta1NamespacedEvent2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean J[ +@ +2009 +7 +OK1 +/ +-#/definitions/io.k8s.api.events.v1beta1.Event + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpatch +jW +x-kubernetes-group-version-kind42group: events.k8s.io +kind: Event +version: v1beta1 +J2 +0.",pathname of the Event"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ‚+ +B/apis/policy/v1/namespaces/{namespace}/poddisruptionbudgets/{name}»*“ + policy_v1&read the specified PodDisruptionBudget*)readPolicyV1NamespacedPodDisruptionBudget2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*Jd +I +200B +@ +OK: +8 +6#/definitions/io.k8s.api.policy.v1.PodDisruptionBudget + +401 + + UnauthorizedRhttpsjY +x-kubernetes-group-version-kind64group: policy +kind: PodDisruptionBudget +version: v1 +j +x-kubernetes-actionget +ò + policy_v1)replace the specified PodDisruptionBudget*,replacePolicyV1NamespacedPodDisruptionBudget2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BL +J +Hbodybody *8 +6#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string J´ +I +200B +@ +OK: +8 +6#/definitions/io.k8s.api.policy.v1.PodDisruptionBudget +N +201G +E +Created: +8 +6#/definitions/io.k8s.api.policy.v1.PodDisruptionBudget + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionput +jY +x-kubernetes-group-version-kind64group: policy +kind: PodDisruptionBudget +version: v1 +*£ + policy_v1delete a PodDisruptionBudget*+deletePolicyV1NamespacedPodDisruptionBudget2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BT +R +Pbodybody*B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptionsBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string Bä +áÞÛquery±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately."gracePeriodSeconds2integer BÑ +ÎËÈquery Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both."orphanDependents2boolean Bˆ +…‚ÿquery×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground."propagationPolicy2string J» +L +200E +C +OK= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status +R +202K +I +Accepted= +; +9#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Status + +401 + + UnauthorizedRhttpsj +x-kubernetes-action delete +jY +x-kubernetes-group-version-kind64group: policy +kind: PodDisruptionBudget +version: v1 +B’ + policy_v12partially update the specified PodDisruptionBudget**patchPolicyV1NamespacedPodDisruptionBudget2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean Jd +I +200B +@ +OK: +8 +6#/definitions/io.k8s.api.policy.v1.PodDisruptionBudget + +401 + + UnauthorizedRhttpsjY +x-kubernetes-group-version-kind64group: policy +kind: PodDisruptionBudget +version: v1 +j +x-kubernetes-actionpatch +J@ +><":pathname of the PodDisruptionBudget"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ×` +E/apis/admissionregistration.k8s.io/v1/validatingwebhookconfigurations`’' +admissionregistration_v1/apis/apps/v1/namespaces/{namespace}/statefulsets/{name}/scale­û +apps_v1'read scale of the specified StatefulSet*$readAppsV1NamespacedStatefulSetScale2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*J[ +@ +2009 +7 +OK1 +/ +-#/definitions/io.k8s.api.autoscaling.v1.Scale + +401 + + UnauthorizedRhttpsjP +x-kubernetes-group-version-kind-+group: autoscaling +kind: Scale +version: v1 +j +x-kubernetes-actionget +È +apps_v1*replace scale of the specified StatefulSet*'replaceAppsV1NamespacedStatefulSetScale2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BC +A +?bodybody */ +-#/definitions/io.k8s.api.autoscaling.v1.ScaleBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string J¢ +@ +2009 +7 +OK1 +/ +-#/definitions/io.k8s.api.autoscaling.v1.Scale +E +201> +< +Created1 +/ +-#/definitions/io.k8s.api.autoscaling.v1.Scale + +401 + + UnauthorizedRhttpsjP +x-kubernetes-group-version-kind-+group: autoscaling +kind: Scale +version: v1 +j +x-kubernetes-actionput +Bú +apps_v13partially update scale of the specified StatefulSet*%patchAppsV1NamespacedStatefulSetScale2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean J[ +@ +2009 +7 +OK1 +/ +-#/definitions/io.k8s.api.autoscaling.v1.Scale + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpatch +jP +x-kubernetes-group-version-kind-+version: v1 +group: autoscaling +kind: Scale +J2 +0.",pathname of the Scale"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string ' +"/apis/events.k8s.io/v1beta1/eventsé&Ý +events_v1beta1#list or watch objects of kind Event*&listEventsV1beta1EventForAllNamespaces2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*J_ +D +200= +; +OK5 +3 +1#/definitions/io.k8s.api.events.v1beta1.EventList + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionlist +jW +x-kubernetes-group-version-kind42group: events.k8s.io +kind: Event +version: v1beta1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ‚ + /apis/networking.k8s.io/v1beta1/ÝÚ +networking_v1beta1get available resources* getNetworkingV1beta1APIResources2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJp +U +200N +L +OKF +D +B#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList + +401 + + UnauthorizedRhttpsê' +(/apis/storage.k8s.io/v1/watch/csidrivers½'± + +storage_v1uwatch individual changes to a list of CSIDriver. deprecated: use the 'watch' parameter with a list operation instead.*watchStorageV1CSIDriverList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj# +x-kubernetes-action  +watchlist +jW +x-kubernetes-group-version-kind42group: storage.k8s.io +kind: CSIDriver +version: v1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean ‚) +8/apis/apiregistration.k8s.io/v1/watch/apiservices/{name}Å(€ +apiregistration_v1±watch changes to an object of kind APIService. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.* watchApiregistrationV1APIService2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionwatch +j` +x-kubernetes-group-version-kind=;group: apiregistration.k8s.io +version: v1 +kind: APIService +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J7 +53"1pathname of the APIService"name*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean þ +/apis/autoscaling/v2beta1/ßÜ +autoscaling_v2beta1get available resources*!getAutoscalingV2beta1APIResources2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJp +U +200N +L +OKF +D +B#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList + +401 + + UnauthorizedRhttpsˆ +"/apis/certificates.k8s.io/v1beta1/áÞ +certificates_v1beta1get available resources*"getCertificatesV1beta1APIResources2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json:application/yaml:#application/vnd.kubernetes.protobufJp +U +200N +L +OKF +D +B#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceList + +401 + + UnauthorizedRhttpsü) +S/apis/flowcontrol.apiserver.k8s.io/v1beta1/watch/prioritylevelconfigurations/{name}¤)Ï +flowcontrolApiserver_v1beta1Áwatch changes to an object of kind PriorityLevelConfiguration. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*:watchFlowcontrolApiserverV1beta1PriorityLevelConfiguration2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk + +401 + + Unauthorized +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEventRhttpsj{ +x-kubernetes-group-version-kindXVgroup: flowcontrol.apiserver.k8s.io +kind: PriorityLevelConfiguration +version: v1beta1 +j +x-kubernetes-actionwatch +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JG +EC"Apath&name of the PriorityLevelConfiguration"name*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean È) +H/apis/rbac.authorization.k8s.io/v1beta1/watch/clusterrolebindings/{name}û(® +rbacAuthorization_v1beta1¹watch changes to an object of kind ClusterRoleBinding. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.*/watchRbacAuthorizationV1beta1ClusterRoleBinding2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionwatch +jp +x-kubernetes-group-version-kindMKgroup: rbac.authorization.k8s.io +kind: ClusterRoleBinding +version: v1beta1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J? +=;"9pathname of the ClusterRoleBinding"name*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean È) +8/api/v1/watch/namespaces/{namespace}/podtemplates/{name}‹)ã +core_v1²watch changes to an object of kind PodTemplate. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.* watchCoreV1NamespacedPodTemplate2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionwatch +jM +x-kubernetes-group-version-kind*(version: v1 +group: "" +kind: PodTemplate +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer J8 +64"2pathname of the PodTemplate"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean é +=/apis/apps/v1/namespaces/{namespace}/replicasets/{name}/scale§ù +apps_v1&read scale of the specified ReplicaSet*#readAppsV1NamespacedReplicaSetScale2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*J[ +@ +2009 +7 +OK1 +/ +-#/definitions/io.k8s.api.autoscaling.v1.Scale + +401 + + UnauthorizedRhttpsjP +x-kubernetes-group-version-kind-+group: autoscaling +kind: Scale +version: v1 +j +x-kubernetes-actionget +Æ +apps_v1)replace scale of the specified ReplicaSet*&replaceAppsV1NamespacedReplicaSetScale2application/json2application/yaml2#application/vnd.kubernetes.protobuf:*/*BC +A +?bodybody */ +-#/definitions/io.k8s.api.autoscaling.v1.ScaleBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B– +“queryêfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint." fieldManager2string J¢ +@ +2009 +7 +OK1 +/ +-#/definitions/io.k8s.api.autoscaling.v1.Scale +E +201> +< +Created1 +/ +-#/definitions/io.k8s.api.autoscaling.v1.Scale + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionput +jP +x-kubernetes-group-version-kind-+group: autoscaling +kind: Scale +version: v1 +Bø +apps_v12partially update scale of the specified ReplicaSet*$patchAppsV1NamespacedReplicaSetScale2application/json2application/yaml2#application/vnd.kubernetes.protobuf:application/json-patch+json:application/merge-patch+json:&application/strategic-merge-patch+json:application/apply-patch+yamlBN +L +Jbodybody *: +8#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.PatchBž +›˜•queryøWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed"dryRun2string B¯ +¬©¦queryƒfieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch)." fieldManager2string BÎ +ËÈÅquery¨Force is going to "force" Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests."force2boolean J[ +@ +2009 +7 +OK1 +/ +-#/definitions/io.k8s.api.autoscaling.v1.Scale + +401 + + UnauthorizedRhttpsj +x-kubernetes-actionpatch +jP +x-kubernetes-group-version-kind-+group: autoscaling +kind: Scale +version: v1 +J2 +0.",pathname of the Scale"name*string˜J` +^\"Zpath:object name and auth scope, such as for teams and projects" namespace*string˜JO +MKIquery-If 'true', then the output is pretty printed."pretty2string š( +4/apis/storage.k8s.io/v1beta1/watch/volumeattachmentsá'Õ +storage_v1beta1|watch individual changes to a list of VolumeAttachment. deprecated: use the 'watch' parameter with a list operation instead.*'watchStorageV1beta1VolumeAttachmentList2application/json2application/yaml2#application/vnd.kubernetes.protobuf2application/json;stream=watch20application/vnd.kubernetes.protobuf;stream=watch:*/*Jk +P +200I +G +OKA +? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEvent + +401 + + UnauthorizedRhttpsj# +x-kubernetes-action  +watchlist +jc +x-kubernetes-group-version-kind@>group: storage.k8s.io +kind: VolumeAttachment +version: v1beta1 +J‚ +ÿüùqueryÎallowWatchBookmarks requests watch events with type "BOOKMARK". Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server's discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored."allowWatchBookmarks2boolean Jï +ì é æ queryÇ The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the "next key". + +This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications."continue2string J‡ +„query\A selector to restrict the list of returned objects by their fields. Defaults to everything." fieldSelector2string J‡ +„query\A selector to restrict the list of returned objects by their labels. Defaults to everything." labelSelector2string Jú + +÷ +ô +ñ +queryÔ +limit is a maximum number of responses to return for a list call. If more items exist, the server will set the `continue` field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true. + +The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned."limit2integer JO +MKIquery-If 'true', then the output is pretty printed."pretty2string Jû +øõòqueryÌresourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersion2string JÚ +×ÔÑquery¦resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details. + +Defaults to unset"resourceVersionMatch2string Jž +›˜•querypTimeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity."timeoutSeconds2integer J± +®«¨query‹Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion."watch2boolean J½÷0 +§ +"io.k8s.api.core.v1.NFSVolumeSource€"€Represents an NFS mount that lasts the lifetime of a pod. NFS volumes do not support ownership management or SELinux relabeling.šserveršpath² +objectÊÞ +€ +pathx"kPath that is exported by the NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs² +string +à +readOnly¶"§ReadOnly here will force the NFS export to be mounted with read-only permissions. Defaults to false. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs² +boolean +’ +server‡"zServer is the hostname or IP address of the NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs² +string +È +$io.k8s.api.discovery.v1beta1.ForZoneŸ"LForZone provides information about which zones should consume this endpoint.šname² +objectÊ< +: +name2"%name represents the name of the zone.² +string +¦ +io.k8s.api.events.v1beta1.Event‚"¾Event is a report of an event somewhere in the cluster. It generally denotes some state change in the system. Events have a limited retention time and triggers and messages may evolve with time. Event consumers should not rely on the timing of an event with a given Reason reflecting a consistent underlying trigger, or the continued existence of events with that Reason. Events should be treated as informative, best-effort, supplemental data.š eventTime² +objectÊÆ +| +reasonr"ereason is why the action was taken. It is human-readable. This field can have at most 128 characters.² +string +Ñ +relatedÅ +0#/definitions/io.k8s.api.core.v1.ObjectReference"related is the optional secondary object for more complex actions. E.g. when regarding object triggers a creation or deletion of related object. +¹ +reportingController¡"“reportingController is the name of the controller that emitted this Event, e.g. `kubernetes.io/kubelet`. This field cannot be empty for new Events.² +string +¦ +action›"action is what action was taken/failed regarding to the regarding object. It is machine-readable. This field can have at most 128 characters.² +string +ˆ +deprecatedCountuint32"`deprecatedCount is the deprecated field assuring backward compatibility with core.v1 Event type.² +integer +¿ +deprecatedLastTimestamp£ +7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"hdeprecatedLastTimestamp is the deprecated field assuring backward compatibility with core.v1 Event type. +Ò +metadataÅ +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"ƒStandard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata +Á +deprecatedFirstTimestamp¤ +7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"ideprecatedFirstTimestamp is the deprecated field assuring backward compatibility with core.v1 Event type. +— + eventTime‰ +<#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.MicroTime"IeventTime is the time when this Event was first observed. It is required. +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +¦ +deprecatedSource‘ +,#/definitions/io.k8s.api.core.v1.EventSource"adeprecatedSource is the deprecated field assuring backward compatibility with core.v1 Event type. +¶ + regarding¨ +0#/definitions/io.k8s.api.core.v1.ObjectReference"óregarding contains the object this Event is about. In most cases it's an Object reporting controller implements, e.g. ReplicaSetController implements ReplicaSets and this event is emitted because it acts on some changes in a ReplicaSet object. +Ÿ +series” +3#/definitions/io.k8s.api.events.v1beta1.EventSeries"]series is data about the Event series this event represents or nil if it's a singleton Event. +½ +note´"¦note is a human-readable description of the status of this operation. Maximal length of the note is 1kB, but libraries should be prepared to handle values up to 64kB.² +string + +reportingInstance¬"žreportingInstance is the ID of the controller instance, e.g. `kubelet-xyzf`. This field cannot be empty for new Events and it can have at most 128 characters.² +string +† +type~"qtype is the type of this event (Normal, Warning), new types could be added in the future. It is machine-readable.² +stringú] +x-kubernetes-group-version-kind:8- group: events.k8s.io + kind: Event + version: v1beta1 + +î +?io.k8s.api.certificates.v1beta1.CertificateSigningRequestStatusª² +objectÊ› +˜ + certificateˆbyte"OIf request was approved, the controller will place the issued certificate here.² +stringú# +x-kubernetes-list-type atomic + +ý + +conditionsî">Conditions applied to the request, such as approval or denial.² +arrayºT +R +P#/definitions/io.k8s.api.certificates.v1beta1.CertificateSigningRequestConditionú' +x-kubernetes-list-map-keys - type +ú +x-kubernetes-list-typemap + +® + +"io.k8s.api.core.v1.ComponentStatus‡ +"yComponentStatus (and ComponentStatusList) holds the cluster validation info. Deprecated: This API is deprecated in v1.19+² +objectÊ£ +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +Î + +conditions¿"%List of component conditions observed² +arrayº7 +5 +3#/definitions/io.k8s.api.core.v1.ComponentConditionú' +x-kubernetes-patch-merge-keytype +ú' +x-kubernetes-patch-strategymerge + +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +Ò +metadataÅ +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"ƒStandard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadataúW +x-kubernetes-group-version-kind42- group: "" + kind: ComponentStatus + version: v1 + +˜ +*io.k8s.api.core.v1.NodeSelectorRequirementé"wA node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.škeyšoperator² +objectÊÐ +û +valuesð"ÓAn array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.² +arrayº + ² +string +? +key8"+The label key that the selector applies to.² +string +Ž +operator"tRepresents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.² +string +’5 +'io.k8s.api.core.v1.PersistentVolumeSpecæ4"APersistentVolumeSpec is the specification of a persistent volume.² +objectÊ”4 +¥ +portworxVolume’ +5#/definitions/io.k8s.api.core.v1.PortworxVolumeSource"YPortworxVolume represents a portworx volume attached and mounted on kubelets host machine +¦ +scaleIOš +>#/definitions/io.k8s.api.core.v1.ScaleIOPersistentVolumeSource"XScaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes. + + storageosó +@#/definitions/io.k8s.api.core.v1.StorageOSPersistentVolumeSource"®StorageOS represents a StorageOS volume that is attached to the kubelet's host machine and mounted into the pod More info: https://examples.k8s.io/volumes/storageos/README.md +î + mountOptionsÝ"ÀA list of mount options, e.g. ["ro", "soft"]. Not validated - mount will simply fail if one is invalid. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes/#mount-options² +arrayº + ² +string +Á +nfs¹ +0#/definitions/io.k8s.api.core.v1.NFSVolumeSource"„NFS represents an NFS mount on the host. Provisioned by an admin. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs +– +cephfs‹ +=#/definitions/io.k8s.api.core.v1.CephFSPersistentVolumeSource"JCephFS represents a Ceph FS mount on the host that shares a pod's lifetime +½ +gcePersistentDisk§ +>#/definitions/io.k8s.api.core.v1.GCEPersistentDiskVolumeSource"äGCEPersistentDisk represents a GCE Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Provisioned by an admin. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk +ä + nodeAffinityÓ +3#/definitions/io.k8s.api.core.v1.VolumeNodeAffinity"›NodeAffinity defines constraints that limit what nodes this volume can be accessed from. This field influences the scheduling of pods that use this volume. +± +awsElasticBlockStore˜ +A#/definitions/io.k8s.api.core.v1.AWSElasticBlockStoreVolumeSource"ÒAWSElasticBlockStore represents an AWS Disk resource that is attached to a kubelet's host machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore +Ö +claimRefÉ +0#/definitions/io.k8s.api.core.v1.ObjectReference"”ClaimRef is part of a bi-directional binding between PersistentVolume and PersistentVolumeClaim. Expected to be non-nil when bound. claim.VolumeName is the authoritative bind between PV and PVC. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#binding +ª +fc£ +/#/definitions/io.k8s.api.core.v1.FCVolumeSource"pFC represents a Fibre Channel resource that is attached to a kubelet's host machine and then exposed to the pod. +í +flockerá +4#/definitions/io.k8s.api.core.v1.FlockerVolumeSource"¨Flocker represents a Flocker volume attached to a kubelet's host machine and exposed to the pod for its usage. This depends on the Flocker control service being running +… + glusterfs÷ +@#/definitions/io.k8s.api.core.v1.GlusterfsPersistentVolumeSource"²Glusterfs represents a Glusterfs volume that is attached to a host and exposed to the pod. Provisioned by an admin. More info: https://examples.k8s.io/volumes/glusterfs/README.md +| +locals +2#/definitions/io.k8s.api.core.v1.LocalVolumeSource"=Local represents directly-attached storage with node affinity +É + +volumeModeº"¬volumeMode defines if a volume is intended to be used with a formatted filesystem or to remain in raw block state. Value of Filesystem is implied when not included in spec.² +string +ð +capacityã"“A description of the persistent volume's resources and capacity. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#capacityª? += +;#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity² +object +Ú +cinderÏ +=#/definitions/io.k8s.api.core.v1.CinderPersistentVolumeSource"Cinder represents a cinder volume attached and mounted on kubelets host machine. More info: https://examples.k8s.io/mysql-cinder-pd/README.md + +quobyteƒ +4#/definitions/io.k8s.api.core.v1.QuobyteVolumeSource"KQuobyte represents a Quobyte mount on the host that shares a pod's lifetime +œ + azureDiskŽ +6#/definitions/io.k8s.api.core.v1.AzureDiskVolumeSource"TAzureDisk represents an Azure Data Disk mount on the host and bind mount to the pod. +Õ +iscsiË +<#/definitions/io.k8s.api.core.v1.ISCSIPersistentVolumeSource"ŠISCSI represents an ISCSI Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Provisioned by an admin. +¨ +storageClassName“"…Name of StorageClass to which this persistent volume belongs. Empty value means that this volume does not belong to any StorageClass.² +string +¼ + accessModes¬"AccessModes contains all ways the volume can be mounted. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes² +arrayº + ² +string +õ +hostPathè +5#/definitions/io.k8s.api.core.v1.HostPathVolumeSource"®HostPath represents a directory on the host. Provisioned by a developer or tester. This is useful for single-node development and testing only! On-host storage is not supported in any way and WILL NOT WORK in a multi-node cluster. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath +Ó +rbdË +:#/definitions/io.k8s.api.core.v1.RBDPersistentVolumeSource"ŒRBD represents a Rados Block Device mount on the host that shares a pod's lifetime. More info: https://examples.k8s.io/volumes/rbd/README.md +¶ + +flexVolume§ +;#/definitions/io.k8s.api.core.v1.FlexPersistentVolumeSource"hFlexVolume represents a generic volume resource that is provisioned/attached using an exec based plugin. +¼ +persistentVolumeReclaimPolicyš"ŒWhat happens to a persistent volume when released from its claim. Valid options are Retain (default for manually created PersistentVolumes), Delete (default for dynamically provisioned PersistentVolumes), and Recycle (deprecated). Recycle must be supported by the volume plugin underlying this PersistentVolume. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#reclaiming² +string +Î +photonPersistentDiskµ +A#/definitions/io.k8s.api.core.v1.PhotonPersistentDiskVolumeSource"pPhotonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine +¬ + vsphereVolumeš +?#/definitions/io.k8s.api.core.v1.VsphereVirtualDiskVolumeSource"WVsphereVolume represents a vSphere volume attached and mounted on kubelets host machine +© + azureFile› +@#/definitions/io.k8s.api.core.v1.AzureFilePersistentVolumeSource"WAzureFile represents an Azure File Service mount on the host and bind mount to the pod. +– +csiŽ +:#/definitions/io.k8s.api.core.v1.CSIPersistentVolumeSource"PCSI represents storage that is handled by an external CSI driver (Beta feature). +¶ +io.k8s.api.core.v1.Pod› "wPod is a collection of containers that can run on a host. This resource is created by clients and scheduled onto hosts.² +objectÊÅ + +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +Ò +metadataÅ +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"ƒStandard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata +Ö +specÍ +(#/definitions/io.k8s.api.core.v1.PodSpec" Specification of the desired behavior of the pod. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status +— +statusŒ +*#/definitions/io.k8s.api.core.v1.PodStatus"ÝMost recently observed status of the pod. This data may not be up to date. Populated by the system. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-statusúK +x-kubernetes-group-version-kind(&- kind: Pod + version: v1 + group: "" + +— +io.k8s.api.core.v1.PodConditionó"DPodCondition contains details for the current condition of this pod.štypešstatus² +objectÊŽ +X +messageM"@Human-readable message indicating details about last transition.² +string +^ +reasonT"GUnique, one-word, CamelCase reason for the condition's last transition.² +string +· +status¬"žStatus is the status of the condition. Can be True, False, Unknown. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-conditions² +string +“ +typeŠ"}Type is the type of the condition. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-conditions² +string +n + lastProbeTime] +7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time""Last time we probed the condition. +‘ +lastTransitionTime{ +7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"@Last time the condition transitioned from one status to another. +é +/io.k8s.api.authentication.v1.TokenRequestStatusµ"4TokenRequestStatus is the result of a token request.štokenšexpirationTimestamp² +objectÊÒ +– +expirationTimestamp +7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"DExpirationTimestamp is the time of expiration of the returned token. +7 +token."!Token is the opaque bearer token.² +string +© +0io.k8s.api.autoscaling.v2beta2.MetricValueStatusô"6MetricValueStatus holds the current value for a metric² +objectÊ­ +ì +averageUtilizationÕint32"¿currentAverageUtilization is the current value of the average of the resource metric across all relevant pods, represented as a percentage of the requested value of the resource for the pods.² +integer +· + averageValue¦ +;#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"gaverageValue is the current value of the average of the metric across all relevant pods (as a quantity) + +valuex +;#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"9value is the current value of the metric (as a quantity). +¼ +!io.k8s.api.core.v1.SELinuxOptions–"shortNames is a list of suggested short names of the resource.² +arrayº + ² +string +Ì +storageVersionHashµ"§The hash value of the storage version, the version this resource is converted to when written to the data store. Value must be treated as opaque by clients. Only equality comparison on the value is valid. This is an alpha feature and may change or be removed in the future. The field is populated by the apiserver only if the StorageVersionHash feature gate is enabled. This field will remain optional even if it graduates.² +string +« +verbs¡"„verbs is a list of supported kube verbs (this includes get, list, watch, create, update, patch, delete, deletecollection, and proxy)² +arrayº + ² +string += +name5"(name is the plural name of the resource.² +string +T + +namespacedF"8namespaced indicates if a resource is namespaced or not.² +boolean +d +kind\"Okind is the kind for the resource (e.g. 'Foo' is the kind for a resource 'foo')² +string +ž + singularName"ÿsingularName is the singular name of the resource. This allows clients to handle plural and singular opaquely. The singularName is more correct for reporting status on a single item and both singular and plural are allowed from the kubectl CLI interface.² +string +‰ +versioný"ïversion is the preferred version of the resource. Empty implies the version of the containing resource list For subresources, this may have a different value, for example: v1 (while inside a v1beta1 version of the core resource's group)".² +string +} + +categorieso"Scategories is a list of the grouped resources this resource belongs to (e.g. 'all')² +arrayº + ² +string +Ç +group½"¯group is the preferred group of the resource. Empty implies the group of the containing resource list. For subresources, this may have a different value, for example: Scale".² +string +Ÿ +=io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelectorRequirementÝ"xA label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.škeyšoperator² +objectÊà +š +key’"2key is the label key that the selector applies to.² +stringú' +x-kubernetes-patch-strategymerge +ú& +x-kubernetes-patch-merge-keykey + +Ž +operator"toperator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.² +string +’ +values‡"êvalues is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.² +arrayº + ² +string +µ +6io.k8s.api.authorization.v1beta1.NonResourceAttributesú"{NonResourceAttributes includes the authorization attributes available for non-resource requests to the Authorizer interface² +objectÊo +8 +path0"#Path is the URL path of the request² +string +3 +verb+"Verb is the standard HTTP verb² +string +° +Xio.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceSubresourceStatusÓ"ÅCustomResourceSubresourceStatus defines how to serve the status subresource for CustomResources. Status is represented by the `.status` JSON path inside of a CustomResource. When set, * exposes a /status subresource for the custom resource * PUT requests to the /status subresource take a custom resource object, and ignore changes to anything except the status stanza * PUT/POST/PATCH requests to the custom resource ignore changes to the status stanza² +object +Ð + +.io.k8s.api.autoscaling.v2beta2.HPAScalingRules +"”HPAScalingRules configures the scaling behavior for one direction. These Rules are applied after calculating DesiredReplicas from metrics for the HPA. They can limit the scaling velocity by specifying scaling policies. They can prevent flapping by specifying the stabilization window, so that the number of replicas is not set instantly, instead, the safest value from the stabilization window is chosen.² +objectÊ÷ +Ì +stabilizationWindowSeconds­int32"—StabilizationWindowSeconds is the number of seconds for which past recommendations should be considered while scaling up or scaling down. StabilizationWindowSeconds must be greater than or equal to zero and less than or equal to 3600 (one hour). If not set, use the default values: - For scale up: 0 (i.e. no stabilization is done). - For scale down: 300 (i.e. the stabilization window is 300 seconds long).² +integer +‘ +policies„"³policies is a list of potential scaling polices which can be used during scaling. At least one policy must be specified, otherwise the HPAScalingRules will be discarded as invalid² +arrayºA +? +=#/definitions/io.k8s.api.autoscaling.v2beta2.HPAScalingPolicy +‘ + selectPolicy€"sselectPolicy is used to specify which policy should be used. If not set, the default value MaxPolicySelect is used.² +string +Ò +4io.k8s.api.core.v1.ScopedResourceSelectorRequirement™"A scoped-resource selector requirement is a selector that contains values, a scope name, and an operator that relates the scope name and values.š scopeNamešoperator² +objectÊà +ƒ +operatorw"jRepresents a scope's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist.² +string +M + scopeName@"3The name of the scope that the selector applies to.² +string +ˆ +valuesý"àAn array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.² +arrayº + ² +string +À +Wio.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceSubresourceScaleä "^CustomResourceSubresourceScale defines how to serve the scale subresource for CustomResources.šspecReplicasPathšstatusReplicasPath² +objectÊÍ +á +labelSelectorPathË"½labelSelectorPath defines the JSON path inside of a custom resource that corresponds to Scale `status.selector`. Only JSON paths without the array notation are allowed. Must be a JSON Path under `.status` or `.spec`. Must be set to work with HorizontalPodAutoscaler. The field pointed by this JSON path must be a string field (not a complex selector struct) which contains a serialized label selector in string form. More info: https://kubernetes.io/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions#scale-subresource If there is no value under the given path in the custom resource, the `status.selector` value in the `/scale` subresource will default to the empty string.² +string +ã +specReplicasPathÎ"ÀspecReplicasPath defines the JSON path inside of a custom resource that corresponds to Scale `spec.replicas`. Only JSON paths without the array notation are allowed. Must be a JSON Path under `.spec`. If there is no value under the given path in the custom resource, the `/scale` subresource will return an error on GET.² +string +€ +statusReplicasPathé"ÛstatusReplicasPath defines the JSON path inside of a custom resource that corresponds to Scale `status.replicas`. Only JSON paths without the array notation are allowed. Must be a JSON Path under `.status`. If there is no value under the given path in the custom resource, the `status.replicas` value in the `/scale` subresource will default to 0.² +string +ì +*io.k8s.api.authentication.v1beta1.UserInfo½"ZUserInfo holds the information about the user needed to implement the user.Info interface.² +objectÊÒ +n +extrae"9Any additional information provided by the authenticator.ª +² +arrayº + ² +string² +object +Q +groupsG"+The names of groups this user is a part of.² +arrayº + ² +string +® +uid¦"˜A unique value that identifies this user across time. If this user is deleted and another user by the same name is added, they will have different UIDs.² +string +\ +usernameP"CThe name that uniquely identifies this user among all active users.² +string +ü +5io.k8s.api.autoscaling.v1.CrossVersionObjectReferenceÂ"bCrossVersionObjectReference contains enough information to let you identify the referred resource.škindšname² +objectÊÁ +˜ +kind"Kind of the referent; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"² +string +l +named"WName of the referent; More info: http://kubernetes.io/docs/user-guide/identifiers#names² +string +6 + +apiVersion("API version of the referent² +string +Ü +"io.k8s.api.apps.v1.StatefulSetListµ"0StatefulSetList is a collection of StatefulSets.šitems² +objectÊ +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +F +items=² +arrayº0 +. +,#/definitions/io.k8s.api.apps.v1.StatefulSet +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +I +metadata= +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMetaúY +x-kubernetes-group-version-kind64- group: apps + kind: StatefulSetList + version: v1 + +ã +io.k8s.api.storage.v1.CSIDriver¿ "ÎCSIDriver captures information about a Container Storage Interface (CSI) volume driver deployed on the cluster. Kubernetes attach detach controller uses this object to determine whether attach is required. Kubelet uses this object to determine whether pod information needs to be passed on mount. CSIDriver objects are non-namespaced.šspec² +objectÊø +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +™ +metadataŒ +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"ÊStandard object metadata. metadata.Name indicates the name of the CSI driver that this object refers to; it MUST be the same name returned by the CSI GetPluginName() call for that driver. The driver name must be 63 characters or less, beginning and ending with an alphanumeric character ([a-z0-9A-Z]) with dashes (-), dots (.), and alphanumerics between. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata +] +specU +1#/definitions/io.k8s.api.storage.v1.CSIDriverSpec" Specification of the CSI Driver.ú] +x-kubernetes-group-version-kind:8- group: storage.k8s.io + kind: CSIDriver + version: v1 + +½ +-io.k8s.api.extensions.v1beta1.HTTPIngressPath‹ "oHTTPIngressPath associates a path with a backend. Incoming urls matching the path are forwarded to the backend.šbackend² +objectÊ +¤ +backend˜ +:#/definitions/io.k8s.api.extensions.v1beta1.IngressBackend"ZBackend defines the referenced service endpoint to which the traffic will be forwarded to. +ž +path•"‡Path is matched against the path of an incoming request. Currently it can contain characters disallowed from the conventional "path" part of a URL as defined by RFC 3986. Paths must begin with a '/'. When unspecified, all paths from incoming requests are matched.² +string +¶ +pathType©"›PathType determines the interpretation of the Path matching. PathType can be one of the following values: * Exact: Matches the URL path exactly. * Prefix: Matches based on a URL path prefix split by '/'. Matching is + done on a path element by element basis. A path element refers is the + list of labels in the path split by the '/' separator. A request is a + match for path p if every p is an element-wise prefix of p of the + request path. Note that if the last element of the path is a substring + of the last element in request path, it is not a match (e.g. /foo/bar + matches /foo/bar/baz, but does not match /foo/barbaz). +* ImplementationSpecific: Interpretation of the Path matching is up to + the IngressClass. Implementations can treat this as a separate PathType + or treat it identically to Prefix or Exact path types. +Implementations are required to support all path types. Defaults to ImplementationSpecific.² +string +¤ + +=io.k8s.api.flowcontrol.v1beta1.PriorityLevelConfigurationListâ "OPriorityLevelConfigurationList is a list of PriorityLevelConfiguration objects.šitems² +objectÊñ +â +metadataÕ +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"•`metadata` is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +Œ +items‚"(`items` is a list of request-priorities.² +arrayºK +I +G#/definitions/io.k8s.api.flowcontrol.v1beta1.PriorityLevelConfiguration +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +stringú… +x-kubernetes-group-version-kindb`- group: flowcontrol.apiserver.k8s.io + kind: PriorityLevelConfigurationList + version: v1beta1 + + +(io.k8s.api.core.v1.ContainerStateWaitingã"8ContainerStateWaiting is a waiting state of a container.² +objectÊš +O +messageD"7Message regarding why the container is not yet running.² +string +G +reason="0(brief) reason the container is not yet running.² +string +» +#io.k8s.api.core.v1.PersistentVolume“ "±PersistentVolume (PV) is a storage resource provisioned by an administrator. It is analogous to a node. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes² +objectÊõ + +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +Ò +metadataÅ +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"ƒStandard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata +Š +spec +5#/definitions/io.k8s.api.core.v1.PersistentVolumeSpec"ÇSpec defines a specification of a persistent volume owned by the cluster. Provisioned by an administrator. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistent-volumes +“ +statusˆ +7#/definitions/io.k8s.api.core.v1.PersistentVolumeStatus"ÌStatus represents the current information/status for the persistent volume. Populated by the system. Read-only. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistent-volumesúX +x-kubernetes-group-version-kind53- group: "" + kind: PersistentVolume + version: v1 + +Á +>io.k8s.api.autoscaling.v2beta2.HorizontalPodAutoscalerBehaviorþ"™HorizontalPodAutoscalerBehavior configures the scaling behavior of the target in both Up and Down directions (scaleUp and scaleDown fields respectively).² +objectÊÓ +° + scaleDown¢ +<#/definitions/io.k8s.api.autoscaling.v2beta2.HPAScalingRules"áscaleDown is scaling policy for scaling Down. If not set, the default value is to allow to scale down to minReplicas pods, with a 300 second stabilization window (i.e., the highest recommendation for the last 300sec is used). + +scaleUp‘ +<#/definitions/io.k8s.api.autoscaling.v2beta2.HPAScalingRules"ÐscaleUp is scaling policy for scaling Up. If not set, the default value is the higher of: + * increase no more than 4 pods per 60 seconds + * double the number of pods per 60 seconds +No stabilization is used. +þ +$io.k8s.api.batch.v1beta1.CronJobListÕ")CronJobList is a collection of cron jobs.šitems² +objectʵ +Ë +metadata¾ +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +h +items_"items is the list of CronJobs.² +arrayº2 +0 +.#/definitions/io.k8s.api.batch.v1beta1.CronJob +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +stringú[ +x-kubernetes-group-version-kind86- group: batch + kind: CronJobList + version: v1beta1 + +Õ +!io.k8s.api.core.v1.LimitRangeItem¯ "SLimitRangeItem defines a min/max usage limit for any resource that matches on kind.štype² +objectÊÄ +² +default¦"WDefault resource requirement limit value by resource name if resource limit is omitted.ª? += +;#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity² +object +Ó +defaultRequestÀ"qDefaultRequest is the default resource requirement request value by resource name if resource request is omitted.ª? += +;#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity² +object +‹ +maxƒ"4Max usage constraints on this kind by resource name.ª? += +;#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity² +object +× +maxLimitRequestRatio¾"îMaxLimitRequestRatio if specified, the named resource must have a request and limit that are both non-zero where limit divided by request is less than or equal to the enumerated value; this represents the max burst for the named resource.ª? += +;#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity² +object +‹ +minƒ"4Min usage constraints on this kind by resource name.ª? += +;#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity² +object +A +type9",Type of resource that this limit applies to.² +string +Ä +"io.k8s.api.storage.v1.StorageClass"ãStorageClass describes the parameters for a class of storage for which PersistentVolumes can be dynamically provisioned. + +StorageClasses are non-namespaced; the name of the storage class according to etcd is in ObjectMeta.Name.š provisioner² +objectÊ· +n +allowVolumeExpansionV"HAllowVolumeExpansion shows whether the storage class allow volume expand² +boolean +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +ì + mountOptionsÛ"¾Dynamically provisioned PersistentVolumes of this storage class are created with these mountOptions, e.g. ["ro", "soft"]. Not validated - mount of the PVs will simply fail if one is invalid.² +arrayº + ² +string +ø +volumeBindingModeâ"ÔVolumeBindingMode indicates how PersistentVolumeClaims should be provisioned and bound. When unset, VolumeBindingImmediate is used. This field is only honored by servers that enable the VolumeScheduling feature.² +string +Š +allowedTopologiesô"«Restrict the node topologies where volumes can be dynamically provisioned. Each volume plugin defines its own supported topology specifications. An empty TopologySelectorTerm list means there is no topology restriction. This field is only honored by servers that enable the VolumeScheduling feature.² +arrayº9 +7 +5#/definitions/io.k8s.api.core.v1.TopologySelectorTerm +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +Ò +metadataÅ +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"ƒStandard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata +‘ + +parameters‚"eParameters holds the parameters for the provisioner that should create volumes of this storage class.ª + ² +string² +object +N + provisioner?"2Provisioner indicates the type of the provisioner.² +string +— + reclaimPolicy…"xDynamically provisioned PersistentVolumes of this storage class are created with this reclaimPolicy. Defaults to Delete.² +stringú` +x-kubernetes-group-version-kind=;- group: storage.k8s.io + kind: StorageClass + version: v1 + +  + +=io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIServiceÞ "[APIService represents a server for a particular GroupVersion. Name must be "version.group".² +objectʉ +K +metadata? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta +¢ +spec™ +O#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIServiceSpec"FSpec contains information for locating and communicating with a server +— +statusŒ +Q#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIServiceStatus"7Status contains derived information about an API server +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +stringúf +x-kubernetes-group-version-kindCA- kind: APIService + version: v1 + group: apiregistration.k8s.io + +Ó +"io.k8s.api.apps.v1.StatefulSetSpec¬"8A StatefulSetSpec is the specification of a StatefulSet.šselectorštemplateš serviceName² +objectÊ¿ + +replicas‚int32"ìreplicas is the desired number of replicas of the given Template. These are replicas in the sense that they are instantiations of the same Template, but individual replicas also have a consistent identity. If unspecified, defaults to 1.² +integer +­ +revisionHistoryLimit”int32"þrevisionHistoryLimit is the maximum number of revisions that will be maintained in the StatefulSet's revision history. The revision history consists of all revisions not represented by a currently applied StatefulSetSpec version. The default value is 10.² +integer +¨ +selector› +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"Öselector is a label query over pods that should match the replica count. It must match the pod template's labels. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors +û + serviceNameë"ÝserviceName is the name of the service that governs this StatefulSet. This service must exist before the StatefulSet, and is responsible for the network identity of the set. Pods get DNS/hostnames that follow the pattern: pod-specific-string.serviceName.default.svc.cluster.local where "pod-specific-string" is managed by the StatefulSet controller.² +string +¬ +templateŸ +0#/definitions/io.k8s.api.core.v1.PodTemplateSpec"êtemplate is the object that describes the pod that will be created if insufficient replicas are detected. Each pod stamped out by the StatefulSet will fulfill this Template, but have a unique identity from the rest of the StatefulSet. +å +updateStrategyÒ +:#/definitions/io.k8s.api.apps.v1.StatefulSetUpdateStrategy"“updateStrategy indicates the StatefulSetUpdateStrategy that will be employed to update Pods in the StatefulSet when a revision is made to Template. +þ +volumeClaimTemplateså"›volumeClaimTemplates is a list of claims that pods are allowed to reference. The StatefulSet controller is responsible for mapping network identities to claims in a way that maintains the identity of a pod. Every claim in this list must have at least one matching (by name) volumeMount in one container in the template. A claim in this list takes precedence over any volumes in the template, with the same name.² +arrayº: +8 +6#/definitions/io.k8s.api.core.v1.PersistentVolumeClaim +¹ +podManagementPolicy¡"“podManagementPolicy controls how pods are created during initial scale up, when replacing pods on nodes, or when scaling down. The default policy is `OrderedReady`, where pods are created in increasing order (pod-0, then pod-1, etc) and the controller will wait until each pod is ready before continuing. When scaling down, the pods are removed in the opposite order. The alternative policy is `Parallel` which will create pods in parallel to match the desired scale without waiting, and on scale down will delete all pods at once.² +string +¶ +,io.k8s.api.authentication.v1.TokenReviewSpec…"ETokenReviewSpec is a description of the token authentication request.² +objectʯ +ó + audienceså"ÈAudiences is a list of the identifiers that the resource server presented with the token identifies as. Audience-aware token authenticators will verify that the token was intended for at least one of the audiences in this list. If no audiences are provided, the audience will default to the audience of the Kubernetes apiserver.² +arrayº + ² +string +7 +token."!Token is the opaque bearer token.² +string +† +io.k8s.api.core.v1.ServicePortã"3ServicePort contains information on service's port.šport² +objectʘ +â + +targetPortÓ +=#/definitions/io.k8s.apimachinery.pkg.util.intstr.IntOrString"‘Number or name of the port to access on the pods targeted by the service. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. If this is a string, it will be looked up as a named port in the target Pod's container ports. If this is not specified, the value of the 'port' field is used (an identity map). This field is ignored for services with clusterIP=None, and should be omitted or set equal to the 'port' field. More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service +½ + appProtocol­"ŸThe application protocol for this port. This field follows standard Kubernetes label syntax. Un-prefixed names are reserved for IANA standard service names (as per RFC-6335 and http://www.iana.org/assignments/service-names). Non-standard protocols should use prefixed names such as mycompany.com/my-custom-protocol. This is a beta field that is guarded by the ServiceAppProtocol feature gate and enabled by default.² +string +² +name©"›The name of this port within the service. This must be a DNS_LABEL. All ports within a ServiceSpec must have unique names. When considering the endpoints for a Service, this must match the 'name' field in the EndpointPort. Optional if only one ServicePort is defined on this service.² +string +‚ +nodePortõint32"ßThe port on each node on which this service is exposed when type is NodePort or LoadBalancer. Usually assigned by the system. If a value is specified, in-range, and not in use it will be used, otherwise the operation will fail. If not specified, a port will be allocated if this Service requires one. If this field is specified when creating a Service which does not need it, creation will fail. This field will be wiped when updating a Service to no longer need it (e.g. changing type from NodePort to ClusterIP). More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport² +integer +K +portCint32".The port that will be exposed by this service.² +integer +j +protocol^"QThe IP protocol for this port. Supports "TCP", "UDP", and "SCTP". Default is TCP.² +string +ç +*io.k8s.api.flowcontrol.v1beta1.UserSubject¸"=UserSubject holds detailed information for user-kind subject.šname² +objectÊd +b +nameZ"M`name` is the username that matches, or "*" to match all usernames. Required.² +string +Ÿ +$io.k8s.api.node.v1beta1.RuntimeClassö"ØRuntimeClass defines a class of container runtime supported in the cluster. The RuntimeClass is used to determine which container runtime is used to run all containers in a pod. RuntimeClasses are (currently) manually defined by a user or cluster provisioner, and referenced in the PodSpec. The Kubelet is responsible for resolving the RuntimeClassName reference before running the pod. For more details, see https://git.k8s.io/enhancements/keps/sig-node/runtime-class.mdšhandler² +objectÊ +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +Ð +handlerÄ"¶Handler specifies the underlying runtime and configuration that the CRI implementation will use to handle pods of this class. The possible values are specific to the node & CRI configuration. It is assumed that all handlers are available on every node, and handlers of the same name are equivalent on every node. For example, a handler called "runc" might specify that the runc OCI runtime (using native Linux containers) will be used to run the containers in a pod. The Handler must be lowercase, conform to the DNS Label (RFC 1123) requirements, and is immutable.² +string +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +µ +metadata¨ +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"gMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata +ô +overheadç +.#/definitions/io.k8s.api.node.v1beta1.Overhead"´Overhead represents the resource overhead associated with running a pod for a given RuntimeClass. For more details, see https://git.k8s.io/enhancements/keps/sig-node/20190226-pod-overhead.md This field is alpha-level as of Kubernetes v1.15, and is only honored by servers that enable the PodOverhead feature. +› + +schedulingŒ +0#/definitions/io.k8s.api.node.v1beta1.Scheduling"×Scheduling holds the scheduling constraints to ensure that pods running with this RuntimeClass are scheduled to nodes that support it. If scheduling is nil, this RuntimeClass is assumed to be supported by all nodes.úb +x-kubernetes-group-version-kind?=- group: node.k8s.io + kind: RuntimeClass + version: v1beta1 + +Ø +io.k8s.api.rbac.v1.Role¼"hRole is a namespaced, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding.² +objectÊÝ +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +h +metadata\ +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"Standard object's metadata. +t +rulesk"-Rules holds all the PolicyRules for this Role² +arrayº/ +- ++#/definitions/io.k8s.api.rbac.v1.PolicyRuleúc +x-kubernetes-group-version-kind@>- version: v1 + group: rbac.authorization.k8s.io + kind: Role + +µ +]io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceSubresourceStatusÓ"ÅCustomResourceSubresourceStatus defines how to serve the status subresource for CustomResources. Status is represented by the `.status` JSON path inside of a CustomResource. When set, * exposes a /status subresource for the custom resource * PUT requests to the /status subresource take a custom resource object, and ignore changes to anything except the status stanza * PUT/POST/PATCH requests to the custom resource ignore changes to the status stanza² +object +à +?io.k8s.api.autoscaling.v2beta1.HorizontalPodAutoscalerConditionÿ"eHorizontalPodAutoscalerCondition describes the state of a HorizontalPodAutoscaler at a certain point.štypešstatus² +objectÊù +« +lastTransitionTime” +7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"YlastTransitionTime is the last time the condition transitioned from one status to another +g +message\"Omessage is a human-readable explanation containing details about the transition² +string +P +reasonF"9reason is the reason for the condition's last transition.² +string +S +statusI"int64")min is the start of the range, inclusive.² +integer +C +max<int64"'max is the end of the range, inclusive.² +integer +— +Qio.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.WebhookClientConfigÁ "WWebhookClientConfig contains the information to make a TLS connection with the webhook.² +objectÊÙ +à +caBundle¶byte"¢caBundle is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. If unspecified, system trust roots on the apiserver are used.² +string +› +service +\#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.ServiceReference"®service is a reference to the service for this webhook. Either service or url must be specified. + +If the webhook is running within the cluster, then you should use `service`. +ò +urlê"Üurl gives the location of the webhook, in standard URL form (`scheme://host:port/path`). Exactly one of `url` or `service` must be specified. + +The `host` should not refer to a service running in the cluster; use the `service` field instead. The host might be resolved via external DNS in some apiservers (e.g., `kube-apiserver` cannot resolve in-cluster DNS as that would be a layering violation). `host` may also be an IP address. + +Please note that using `localhost` or `127.0.0.1` as a `host` is risky unless you take great care to run this webhook on all hosts which run an apiserver which might need to make calls to this webhook. Such installs are likely to be non-portable, i.e., not easy to turn up in a new cluster. + +The scheme must be "https"; the URL must begin with "https://". + +A path is optional, and if present may be any string permissible in a URL. You may use the path to pass an arbitrary string to the webhook, for example, a cluster identifier. + +Attempting to use a user or basic auth e.g. "user:password@" is not allowed. Fragments ("#...") and query parameters ("?...") are not allowed, either.² +string +ð +4io.k8s.api.certificates.v1.CertificateSigningRequest·"¬CertificateSigningRequest objects provide a mechanism to obtain x509 certificates by submitting a certificate signing request, and having it asynchronously approved and issued. + +Kubelets use this API to obtain: + 1. client certificates to authenticate to kube-apiserver (with the "kubernetes.io/kube-apiserver-client-kubelet" signerName). + 2. serving certificates for TLS endpoints kube-apiserver can connect to securely (with the "kubernetes.io/kubelet-serving" signerName). + +This API can be used to request client certificates to authenticate to kube-apiserver (with the "kubernetes.io/kube-apiserver-client" signerName), or to obtain certificates from custom non-Kubernetes signers.šspec² +objectÊý +K +metadata? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta +« +spec¢ +F#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequestSpec"×spec contains the certificate request, and is immutable after creation. Only the request, signerName, and usages fields can be set on creation. Other fields are derived by Kubernetes and cannot be modified by users. +‚ +status÷ +H#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequestStatus"ªstatus contains information about whether the request is approved or denied, and the certificate issued by the signer, or the failure condition indicating signer failure. +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +stringúr +x-kubernetes-group-version-kindOM- group: certificates.k8s.io + kind: CertificateSigningRequest + version: v1 + +· +"io.k8s.api.core.v1.PodTemplateSpec"QPodTemplateSpec describes the data a pod should have when created from a template² +objectÊ® +Ö +specÍ +(#/definitions/io.k8s.api.core.v1.PodSpec" Specification of the desired behavior of the pod. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status +Ò +metadataÅ +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"ƒStandard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata +ì +#io.k8s.api.core.v1.NodeConfigStatusÄ"WNodeConfigStatus describes the status of the config assigned by Node.Spec.ConfigSource.² +objectÊÜ +Á +active¶ +1#/definitions/io.k8s.api.core.v1.NodeConfigSource"€Active reports the checkpointed config the node is actively using. Active will represent either the current version of the Assigned config, or the current LastKnownGood config, depending on whether attempting to use the Assigned config results in an error. +ù +assignedì +1#/definitions/io.k8s.api.core.v1.NodeConfigSource"¶Assigned reports the checkpointed config the node will try to use. When Node.Spec.ConfigSource is updated, the node checkpoints the associated config payload to local disk, along with a record indicating intended config. The node refers to this record to choose its config checkpoint, and reports this record in Assigned. Assigned only updates in the status after the record has been checkpointed to disk. When the Kubelet is restarted, it tries to make the Assigned config the Active config by loading and validating the checkpointed payload identified by Assigned. +  +error–"ˆError describes any problems reconciling the Spec.ConfigSource to the Active config. Errors may occur, for example, attempting to checkpoint Spec.ConfigSource to the local Assigned record, attempting to checkpoint the payload associated with Spec.ConfigSource, attempting to load or validate the Assigned config, etc. Errors may occur at different points while syncing config. Earlier errors (e.g. download or checkpointing errors) will not result in a rollback to LastKnownGood, and may resolve across Kubelet retries. Later errors (e.g. loading or validating a checkpointed config) will result in a rollback to LastKnownGood. In the latter case, it is usually possible to resolve the error by fixing the config assigned in Spec.ConfigSource. You can find additional information for debugging by searching the error message in the Kubelet log. Error is a human-readable description of the error state; machines can check whether or not Error is empty, but should not rely on the stability of the Error text across Kubelet versions.² +string +ö + lastKnownGoodä +1#/definitions/io.k8s.api.core.v1.NodeConfigSource"®LastKnownGood reports the checkpointed config the node will fall back to when it encounters an error attempting to use the Assigned config. The Assigned config becomes the LastKnownGood config when the node determines that the Assigned config is stable and correct. This is currently implemented as a 10-minute soak period starting when the local record of Assigned config is updated. If the Assigned config is Active at the end of this period, it becomes the LastKnownGood. Note that if Spec.ConfigSource is reset to nil (use local defaults), the LastKnownGood is also immediately reset to nil, because the local default config is always assumed good. You should not make assumptions about the node's method of determining config stability and correctness, as this may change or become configurable in the future. +• +0io.k8s.apimachinery.pkg.apis.meta.v1.APIVersionsà "APIVersions lists the versions that are available, to allow clients to discover the API at /api, which is the root path of the legacy v1 API.šversionsšserverAddressByClientCIDRs² +objectÊà +Y +versionsM"1versions are the api versions that are available.² +arrayº + ² +string +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +è +serverAddressByClientCIDRsÉ"éa map of client CIDR to server address that is serving this group. This is to help clients reach servers in the most network-efficient way possible. Clients can use the appropriate server address as per the CIDR that they match. In case of multiple matches, clients should use the longest matching CIDR. The server returns only those CIDRs that it thinks that the client can match. For example: the master will return an internal IP CIDR only, if the client reaches the server using an internal IP. Server looks at X-Forwarded-For header or X-Real-Ip header or request.RemoteAddr (in that order) to get the client IP.² +arrayºP +N +L#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ServerAddressByClientCIDRúS +x-kubernetes-group-version-kind0.- group: "" + kind: APIVersions + version: v1 + +• +&io.k8s.api.storage.v1beta1.VolumeErrorê"DVolumeError captures an error encountered during a volume operation.² +objectÊ• +® +message¢"”String detailing the error encountered during Attach or Detach operation. This string may be logged, so it should not contain sensitive information.² +string +b +timeZ +7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"Time the error was encountered. +È +Sio.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.JSONSchemaPropsOrBoolq"oJSONSchemaPropsOrBool represents JSONSchemaProps or a boolean value. Defaults to true for the boolean property. + +!io.k8s.api.apps.v1.DeploymentListç"(DeploymentList is a list of Deployments.šitems² +objectÊË +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +h +items_"!Items is the list of Deployments.² +arrayº/ +- ++#/definitions/io.k8s.api.apps.v1.Deployment +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +b +metadataV +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"Standard list metadata.úX +x-kubernetes-group-version-kind53- group: apps + kind: DeploymentList + version: v1 + +Ö +.io.k8s.api.policy.v1.PodDisruptionBudgetStatus£"ŠPodDisruptionBudgetStatus represents information about the status of a PodDisruptionBudget. Status may trail the actual state of a system.šdisruptionsAllowedšcurrentHealthyšdesiredHealthyš expectedPods² +objectÊÁ +â +observedGenerationËint64"µMost recent generation observed when updating this PDB status. DisruptionsAllowed and other status information is valid only if observedGeneration equals to PDB's object generation.² +integer +ô + +conditionså"ôConditions contain conditions for PDB. The disruption controller sets the DisruptionAllowed condition. The following are known values for the reason field (additional reasons could be added in the future): - SyncFailed: The controller encountered an error and wasn't able to compute + the number of allowed disruptions. Therefore no disruptions are + allowed and the status of the condition will be False. +- InsufficientPods: The number of pods are either at or below the number + required by the PodDisruptionBudget. No disruptions are + allowed and the status of the condition will be False. +- SufficientPods: There are more pods than required by the PodDisruptionBudget. + The condition will be True, and the number of allowed + disruptions are provided by the disruptionsAllowed property.² +arrayº@ +> +<#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Conditionú' +x-kubernetes-list-map-keys - type +ú +x-kubernetes-list-typemap +ú' +x-kubernetes-patch-merge-keytype +ú' +x-kubernetes-patch-strategymerge + +E +currentHealthy3int32"current number of healthy pods² +integer +M +desiredHealthy;int32"&minimum desired number of healthy pods² +integer + + disruptedPodsû"¯DisruptedPods contains information about pods whose eviction was processed by the API server eviction subresource handler but has not yet been observed by the PodDisruptionBudget controller. A pod will be in this map from the time when the API server processed the eviction request to the time when the pod is seen by PDB controller as having been marked for deletion (or after a timeout). The key in the map is the name of the pod and the value is the time when the API server processed the eviction request. If the deletion didn't occur and a pod is still there it will be removed from the list automatically by PodDisruptionBudget controller after some time. If everything goes smooth this map should be empty for the most of the time. Large number of entries in the map may indicate problems with pod deletions.ª; +9 +7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time² +object +` +disruptionsAllowedJint32"5Number of pod disruptions that are currently allowed.² +integer +[ + expectedPodsKint32"6total number of pods counted by this disruption budget² +integer +á +io.k8s.api.core.v1.Capabilities½"targetValue is the target value of the metric (as a quantity). +¶ + averageValue¥ +;#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"faverageValue is the target value of the average of the metric across all relevant pods (as a quantity) +L + +metricName>"1metricName is the name of the metric in question.² +string + +)io.k8s.api.extensions.v1beta1.IngressListá"'IngressList is a collection of Ingress.šitems² +objectʾ +Ð +metadataà +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"ƒStandard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +l +itemsc"Items is the list of Ingress.² +arrayº7 +5 +3#/definitions/io.k8s.api.extensions.v1beta1.Ingress +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +stringú` +x-kubernetes-group-version-kind=;- group: extensions + kind: IngressList + version: v1beta1 + +ç +%io.k8s.api.authentication.v1.UserInfo½"ZUserInfo holds the information about the user needed to implement the user.Info interface.² +objectÊÒ +n +extrae"9Any additional information provided by the authenticator.ª +² +arrayº + ² +string² +object +Q +groupsG"+The names of groups this user is a part of.² +arrayº + ² +string +® +uid¦"˜A unique value that identifies this user across time. If this user is deleted and another user by the same name is added, they will have different UIDs.² +string +\ +usernameP"CThe name that uniquely identifies this user among all active users.² +string +„ + +io.k8s.api.core.v1.NodeAffinityà ";Node affinity is a group of node affinity scheduling rules.² +objectÊ” +Þ +/preferredDuringSchedulingIgnoredDuringExecutionª"ÞThe scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.² +arrayº< +: +8#/definitions/io.k8s.api.core.v1.PreferredSchedulingTerm +° +.requiredDuringSchedulingIgnoredDuringExecutioný +-#/definitions/io.k8s.api.core.v1.NodeSelector"ËIf the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node. +‡ +$io.k8s.api.networking.v1.IngressListÞ"'IngressList is a collection of Ingress.šitems² +objectʹ +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +g +items^"Items is the list of Ingress.² +arrayº2 +0 +.#/definitions/io.k8s.api.networking.v1.Ingress +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +Ð +metadataà +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"ƒStandard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadataúb +x-kubernetes-group-version-kind?=- group: networking.k8s.io + kind: IngressList + version: v1 + +À +!io.k8s.api.core.v1.ContainerImageš"Describe a container imagešnames² +objectÊç +¡ +names—"{Names by which this image is known. e.g. ["k8s.gcr.io/hyperkube:v1.0.7", "dockerhub.io/google_containers/hyperkube:v1.0.7"]² +arrayº + ² +string +A + sizeBytes4int64"The size of the image in bytes.² +integer +¼ +&io.k8s.api.core.v1.GitRepoVolumeSource‘"÷Represents a volume that is populated with the contents of a git repository. Git repo volumes do not support ownership management. Git repo volumes support SELinux relabeling. + +DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir into the Pod's container.š +repository² +objectÊû +‹ + directoryý"ïTarget directory name. Must not contain or start with '..'. If '.' is supplied, the volume directory will be the git repository. Otherwise, if specified, the volume will contain the git repository in the subdirectory with the given name.² +string +) + +repository"Repository URL² +string +@ +revision4"'Commit hash for the specified revision.² +string +¿ +.io.k8s.api.discovery.v1beta1.EndpointSliceListŒ"6EndpointSliceList represents a list of endpoint slicesšitems² +objectÊÎ +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +k +itemsb"List of endpoint slices² +arrayº< +: +8#/definitions/io.k8s.api.discovery.v1beta1.EndpointSlice +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +b +metadataV +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"Standard list metadata.úl +x-kubernetes-group-version-kindIG- kind: EndpointSliceList + version: v1beta1 + group: discovery.k8s.io + + +&io.k8s.api.networking.v1.NetworkPolicy— "INetworkPolicy describes what network traffic is allowed for a set of Pods² +objectÊÖ +Ò +metadataÅ +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"ƒStandard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata + +specy +8#/definitions/io.k8s.api.networking.v1.NetworkPolicySpec"=Specification of the desired behavior for this NetworkPolicy. +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +stringúd +x-kubernetes-group-version-kindA?- kind: NetworkPolicy + version: v1 + group: networking.k8s.io + +à +!io.k8s.api.batch.v1.CronJobStatus"9CronJobStatus represents the current state of a cron job.² +objectÊÓ +¡ +active–"-A list of pointers to currently running jobs.² +arrayº4 +2 +0#/definitions/io.k8s.api.core.v1.ObjectReferenceú# +x-kubernetes-list-type atomic + +– +lastScheduleTime +7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"FInformation when was the last time the job was successfully scheduled. +“ +lastSuccessfulTime} +7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"BInformation when was the last time the job successfully completed. +Ö +io.k8s.api.batch.v1.JobList¶" JobList is a collection of jobs.šitems² +objectʨ +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +[ +itemsR"items is the list of Jobs.² +arrayº) +' +%#/definitions/io.k8s.api.batch.v1.Job +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +Ë +metadata¾ +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadataúR +x-kubernetes-group-version-kind/-- group: batch + kind: JobList + version: v1 + +ˆ + +/io.k8s.api.authorization.v1.SubjectAccessReviewÔ "PSubjectAccessReview checks whether or not a user or group can perform an action.šspec² +objectÊü +§ +statusœ +C#/definitions/io.k8s.api.authorization.v1.SubjectAccessReviewStatus"UStatus is filled in by the server and indicates whether the request is allowed or not +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +K +metadata? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta +… +spec} +A#/definitions/io.k8s.api.authorization.v1.SubjectAccessReviewSpec"8Spec holds information about the request being evaluatedúm +x-kubernetes-group-version-kindJH- group: authorization.k8s.io + kind: SubjectAccessReview + version: v1 + +‰ +1io.k8s.api.autoscaling.v1.HorizontalPodAutoscalerÓ +"-configuration of a horizontal pod autoscaler.² +objectʪ +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +Ð +metadataà +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"Standard object metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata +Ù +specÐ +C#/definitions/io.k8s.api.autoscaling.v1.HorizontalPodAutoscalerSpec"ˆbehaviour of autoscaler. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status. +| +statusr +E#/definitions/io.k8s.api.autoscaling.v1.HorizontalPodAutoscalerStatus")current information about the autoscaler.úh +x-kubernetes-group-version-kindEC- version: v1 + group: autoscaling + kind: HorizontalPodAutoscaler + +ƒ +0io.k8s.api.policy.v1beta1.FSGroupStrategyOptionsÎ"YFSGroupStrategyOptions defines the strategy type and options used to create the strategy.² +objectÊä +÷ +rangesì"©ranges are the allowed ranges of fs groups. If you would like to force a single fs group then supply a single range with the same start and end. Required for MustRunAs.² +arrayº3 +1 +/#/definitions/io.k8s.api.policy.v1beta1.IDRange +h +rule`"Srule is the strategy that will dictate what FSGroup is used in the SecurityContext.² +string +³ +'io.k8s.api.rbac.v1beta1.RoleBindingList‡ "¤RoleBindingList is a collection of RoleBindings Deprecated in v1.17 in favor of rbac.authorization.k8s.io/v1 RoleBindingList, and will no longer be served in v1.22.šitems² +objectÊÓ +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +l +itemsc"Items is a list of RoleBindings² +arrayº5 +3 +1#/definitions/io.k8s.api.rbac.v1beta1.RoleBinding +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +f +metadataZ +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"Standard object's metadata.ús +x-kubernetes-group-version-kindPN- group: rbac.authorization.k8s.io + kind: RoleBindingList + version: v1beta1 + +˜ + +Wio.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceColumnDefinition¼ "KCustomResourceColumnDefinition specifies a column for server side printing.šnameštypešjsonPath² +objectÊÇ + +priority€int32"êpriority is an integer defining the relative importance of this column compared to others. Lower numbers are considered higher priority. Columns that may be omitted in limited space scenarios should be given a priority greater than 0.² +integer +¯ +type¦"˜type is an OpenAPI type definition for this column. See https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#data-types for details.² +string +W + descriptionH";description is a human readable description of this column.² +string +¸ +format­"Ÿformat is an optional OpenAPI type definition for this column. The 'name' format is applied to the primary identifier column to assist in clients identifying column is the resource name. See https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#data-types for details.² +string +ª +jsonPath"jsonPath is a simple JSON path (i.e. with array notation) which is evaluated against each custom resource to produce the value for this column.² +string +B +name:"-name is a human readable name for the column.² +string +è +=io.k8s.apimachinery.pkg.apis.meta.v1.GroupVersionForDiscovery¦"wGroupVersion contains the "group/version" and "version" string of a version. It is made a struct to keep extensibility.š groupVersionšversion² +objectÊ… +i + groupVersionY"LgroupVersion specifies the API group and version in the form "group/version"² +string +— +version‹"~version specifies the version in the form of "version". This is to save the clients the trouble of splitting the GroupVersion.² +string +Æ +)io.k8s.api.authentication.v1.TokenRequest˜":TokenRequest requests a token for a given service account.šspec² +objectÊÜ +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +K +metadata? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta +E +spec= +;#/definitions/io.k8s.api.authentication.v1.TokenRequestSpec +I +status? +=#/definitions/io.k8s.api.authentication.v1.TokenRequestStatus +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +stringúg +x-kubernetes-group-version-kindDB- group: authentication.k8s.io + kind: TokenRequest + version: v1 + +– +3io.k8s.api.core.v1.PhotonPersistentDiskVolumeSourceÞ"8Represents a Photon Controller persistent disk resource.špdID² +objectÊŽ +I +pdIDA"4ID that identifies Photon Controller persistent disk² +string +À +fsTypeµ"§Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.² +string +£ +:io.k8s.api.autoscaling.v2beta2.HorizontalPodAutoscalerListä"KHorizontalPodAutoscalerList is a list of horizontal pod autoscaler objects.šitems² +objectÊŒ +˜ +itemsŽ"7items is the list of horizontal pod autoscaler objects.² +arrayºH +F +D#/definitions/io.k8s.api.autoscaling.v2beta2.HorizontalPodAutoscaler +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +r +metadataf +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"'metadata is the standard list metadata. +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +stringúq +x-kubernetes-group-version-kindNL- group: autoscaling + kind: HorizontalPodAutoscalerList + version: v2beta2 + +ž +8io.k8s.api.certificates.v1.CertificateSigningRequestSpecá"?CertificateSigningRequestSpec contains the certificate request.šrequestš +signerName² +objectÊú +ò +requestæbyte"¬request contains an x509 certificate signing request encoded in a "CERTIFICATE REQUEST" PEM block. When serialized as JSON or YAML, the data is additionally base64-encoded.² +stringú# +x-kubernetes-list-type atomic + + + +signerName"ósignerName indicates the requested signer, and is a qualified name. + +List/watch requests for CertificateSigningRequests can filter on this field using a "spec.signerName=NAME" fieldSelector. + +Well-known Kubernetes signers are: + 1. "kubernetes.io/kube-apiserver-client": issues client certificates that can be used to authenticate to kube-apiserver. + Requests for this signer are never auto-approved by kube-controller-manager, can be issued by the "csrsigning" controller in kube-controller-manager. + 2. "kubernetes.io/kube-apiserver-client-kubelet": issues client certificates that kubelets use to authenticate to kube-apiserver. + Requests for this signer can be auto-approved by the "csrapproving" controller in kube-controller-manager, and can be issued by the "csrsigning" controller in kube-controller-manager. + 3. "kubernetes.io/kubelet-serving" issues serving certificates that kubelets use to serve TLS endpoints, which kube-apiserver can connect to securely. + Requests for this signer are never auto-approved by kube-controller-manager, and can be issued by the "csrsigning" controller in kube-controller-manager. + +More details are available at https://k8s.io/docs/reference/access-authn-authz/certificate-signing-requests/#kubernetes-signers + +Custom signerNames can also be specified. The signer defines: + 1. Trust distribution: how trust (CA bundles) are distributed. + 2. Permitted subjects: and behavior when a disallowed subject is requested. + 3. Required, permitted, or forbidden x509 extensions in the request (including whether subjectAltNames are allowed, which types, restrictions on allowed values) and behavior when a disallowed extension is requested. + 4. Required, permitted, or forbidden key usages / extended key usages. + 5. Expiration/certificate lifetime: whether it is fixed by the signer, configurable by the admin. + 6. Whether or not requests for CA certificates are allowed.² +string +™ +uid‘"ƒuid contains the uid of the user that created the CertificateSigningRequest. Populated by the API server on creation and immutable.² +string +„ +usagesù"¶usages specifies a set of key usages requested in the issued certificate. + +Requests for TLS client certificates typically request: "digital signature", "key encipherment", "client auth". + +Requests for TLS serving certificates typically request: "key encipherment", "digital signature", "server auth". + +Valid values are: + "signing", "digital signature", "content commitment", + "key encipherment", "key agreement", "data encipherment", + "cert sign", "crl sign", "encipher only", "decipher only", "any", + "server auth", "client auth", + "code signing", "email protection", "s/mime", + "ipsec end system", "ipsec tunnel", "ipsec user", + "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"² +arrayº + ² +stringú# +x-kubernetes-list-type atomic + +¤ +username—"‰username contains the name of the user that created the CertificateSigningRequest. Populated by the API server on creation and immutable.² +string +Å +extra»"Žextra contains extra attributes of the user that created the CertificateSigningRequest. Populated by the API server on creation and immutable.ª +² +arrayº + ² +string² +object +Ý +groupsÒ"groups contains group membership of the user that created the CertificateSigningRequest. Populated by the API server on creation and immutable.² +arrayº + ² +stringú# +x-kubernetes-list-type atomic + +â +'io.k8s.api.core.v1.PersistentVolumeList¶ "9PersistentVolumeList is a list of PersistentVolume items.šitems² +objectÊ… +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +³ +items©"eList of persistent volumes. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes² +arrayº5 +3 +1#/definitions/io.k8s.api.core.v1.PersistentVolume +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +Ï +metadata +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"‚Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kindsú\ +x-kubernetes-group-version-kind97- group: "" + kind: PersistentVolumeList + version: v1 + +¢ +Kio.k8s.kube-aggregator.pkg.apis.apiregistration.v1beta1.APIServiceConditionÒ"NAPIServiceCondition describes the state of an APIService at a particular pointštypešstatus² +objectÊã +X +messageM"@Human-readable message indicating details about last transition.² +string +^ +reasonT"GUnique, one-word, CamelCase reason for the condition's last transition.² +string +Z +statusP"CStatus is the status of the condition. Can be True, False, Unknown.² +string +7 +type/""Type is the type of the condition.² +string +‘ +lastTransitionTime{ +7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"@Last time the condition transitioned from one status to another. +° +1io.k8s.api.authorization.v1.NonResourceAttributesú"{NonResourceAttributes includes the authorization attributes available for non-resource requests to the Authorizer interface² +objectÊo +8 +path0"#Path is the URL path of the request² +string +3 +verb+"Verb is the standard HTTP verb² +string +Î +7io.k8s.api.authorization.v1.SelfSubjectAccessReviewSpec’"¦SelfSubjectAccessReviewSpec is a description of the access request. Exactly one of ResourceAuthorizationAttributes and NonResourceAuthorizationAttributes must be set² +objectÊÚ +ª +nonResourceAttributes +?#/definitions/io.k8s.api.authorization.v1.NonResourceAttributes"MNonResourceAttributes describes information for a non-resource access request +ª +resourceAttributes“ +<#/definitions/io.k8s.api.authorization.v1.ResourceAttributes"SResourceAuthorizationAttributes describes information for a resource access request +ÿ +!io.k8s.api.storage.v1.CSINodeListÙ"/CSINodeList is a collection of CSINode objects.šitems² +objectʯ +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +c +itemsZ"items is the list of CSINode² +arrayº/ +- ++#/definitions/io.k8s.api.storage.v1.CSINode +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +Ê +metadata½ +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"~Standard list metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadataú_ +x-kubernetes-group-version-kind<:- group: storage.k8s.io + kind: CSINodeList + version: v1 + +Á +Vio.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceConversionæ +"MCustomResourceConversion describes how to convert different versions of a CR.šstrategy² +objectÊý +œ +conversionReviewVersionsÿ"âconversionReviewVersions is an ordered list of preferred `ConversionReview` versions the Webhook expects. The API server will use the first version in the list which it supports. If none of the versions specified in this list are supported by API server, conversion will fail for the custom resource. If a persisted Webhook configuration specifies allowed versions and does not include any versions known to the API Server, calls to the webhook will fail. Defaults to `["v1beta1"]`.² +arrayº + ² +string +Ñ +strategyÄ"¶strategy specifies how custom resources are converted between versions. Allowed values are: - `None`: The converter only change the apiVersion and would not touch any other field in the custom resource. - `Webhook`: API Server will call to an external webhook to do the conversion. Additional information + is needed for this option. This requires spec.preserveUnknownFields to be false, and spec.conversion.webhookClientConfig to be set.² +string +‡ +webhookClientConfigï +_#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.WebhookClientConfig"‹webhookClientConfig is the instructions for how to call the webhook if strategy is `Webhook`. Required when `strategy` is set to `Webhook`. +ð +"io.k8s.api.core.v1.PodAffinityTermÉ "ßDefines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is runningš topologyKey² +objectÊÊ + +Ž + labelSelector} +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"9A label query over a set of resources, in this case pods. +õ +namespaceSelectorß +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"šA label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces. This field is alpha-level and is only honored when PodAffinityNamespaceSelector feature is enabled. +Å + +namespaces¶"™namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace"² +arrayº + ² +string +ö + topologyKeyæ"ØThis pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.² +string +¬ +1io.k8s.api.networking.v1.NetworkPolicyIngressRuleö"´NetworkPolicyIngressRule describes a particular set of traffic that is allowed to the pods matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and from.² +objectÊ° +Ù +fromÐ"„List of sources which should be able to access the pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all sources (traffic not restricted by source). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the from list.² +arrayº< +: +8#/definitions/io.k8s.api.networking.v1.NetworkPolicyPeer +Ñ +portsÇ"ûList of ports which should be made accessible on the pods selected for this rule. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list.² +arrayº< +: +8#/definitions/io.k8s.api.networking.v1.NetworkPolicyPort +Ý + +&io.k8s.api.core.v1.ScaleIOVolumeSource² +":ScaleIOVolumeSource represents a persistent ScaleIO volumešgatewayšsystemš secretRef² +objectÊÈ +Ð + secretRef +5#/definitions/io.k8s.api.core.v1.LocalObjectReference"ˆSecretRef references to the secret for ScaleIO user and other sensitive information. If this is not provided, Login operation will fail. +’ + storageMode‚"uIndicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. Default is ThinProvisioned.² +string +¡ +fsType–"ˆFilesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". Default is "xfs".² +string +D +gateway9",The host address of the ScaleIO API Gateway.² +string +` + +sslEnabledR"DFlag to enable/disable SSL communication with Gateway, default false² +boolean +[ + storagePoolL"?The ScaleIO Storage Pool associated with the protection domain.² +string +O +systemE"8The name of the storage system as configured in ScaleIO.² +string + + +volumeNames"fThe name of a volume already created in the ScaleIO system that is associated with this volume source.² +string +f +protectionDomainR"EThe name of the ScaleIO Protection Domain for the configured storage.² +string +x +readOnlyl"^Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.² +boolean + +"io.k8s.api.core.v1.SecurityContextè"ÜSecurityContext holds security configuration that will be applied to a container. Some fields are present in both SecurityContext and PodSecurityContext. When both are set, the values in SecurityContext take precedence.² +objectÊú +¥ + +privileged–"‡Run container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. Defaults to false.² +boolean +Š + procMountü"îprocMount denotes the type of proc mount to use for the containers. The default is DefaultProcMount which uses the container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled.² +string +½ + runAsNonRoot¬"Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.² +boolean +° + runAsUser¢int64"ŒThe UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.² +integer +ô +seLinuxOptionsá +/#/definitions/io.k8s.api.core.v1.SELinuxOptions"­The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. +ç +seccompProfileÔ +/#/definitions/io.k8s.api.core.v1.SeccompProfile" The seccomp options to use by this container. If seccomp options are provided at both the pod & container level, the container options override the pod options. +Õ +allowPrivilegeEscalation¸"©AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN² +boolean +Æ + capabilitiesµ +-#/definitions/io.k8s.api.core.v1.Capabilities"ƒThe capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the container runtime. +Ä +windowsOptions± +>#/definitions/io.k8s.api.core.v1.WindowsSecurityContextOptions"îThe Windows specific settings applied to all containers. If unspecified, the options from the PodSecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. +q +readOnlyRootFilesystemW"IWhether this container has a read-only root filesystem. Default is false.² +boolean +“ + +runAsGroup„int64"îThe GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.² +integer +† + io.k8s.api.networking.v1.IPBlocká"ãIPBlock describes a particular CIDR (Ex. "192.168.1.1/24","2001:db9::/64") that is allowed to the pods matched by a NetworkPolicySpec's podSelector. The except entry describes CIDRs that should not be included within this rule.šcidr² +objectÊå +v +cidrn"aCIDR is a string representing the IP Block Valid examples are "192.168.1.1/24" or "2001:db9::/64"² +string +ê +exceptß"ÂExcept is a slice of CIDRs that should not be included within an IP Block Valid examples are "192.168.1.1/24" or "2001:db9::/64" Except values will be rejected if they are outside the CIDR range² +arrayº + ² +string +· + io.k8s.api.coordination.v1.Lease’ "Lease defines a lease concept.² +objectÊ‚ +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +µ +metadata¨ +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"gMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata +Ê +specÁ +2#/definitions/io.k8s.api.coordination.v1.LeaseSpec"ŠSpecification of the Lease. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-statusú^ +x-kubernetes-group-version-kind;9- group: coordination.k8s.io + kind: Lease + version: v1 + +“ +"io.k8s.api.core.v1.NamespaceStatusì"GNamespaceStatus is information about the current status of a Namespace.² +objectÊ” +õ + +conditionsæ"LRepresents the latest available observations of a namespace's current state.² +arrayº7 +5 +3#/definitions/io.k8s.api.core.v1.NamespaceConditionú' +x-kubernetes-patch-merge-keytype +ú' +x-kubernetes-patch-strategymerge + +™ +phase"Phase is the current lifecycle phase of the namespace. More info: https://kubernetes.io/docs/tasks/administer-cluster/namespaces/² +string +‘ +io.k8s.api.batch.v1.JobStatusï"0JobStatus represents the current state of a Job.² +objectÊ® +¶ + +conditions§"ëThe latest available observations of an object's current state. When a Job fails, one of the conditions will have type "Failed" and status true. When a Job is suspended, one of the conditions will have type "Suspended" and status true; when the Job is resumed, the status of this condition will become false. When a Job is completed, one of the conditions will have type "Complete" and status true. More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/² +arrayº2 +0 +.#/definitions/io.k8s.api.batch.v1.JobConditionú# +x-kubernetes-list-type atomic +ú' +x-kubernetes-patch-merge-keytype +ú' +x-kubernetes-patch-strategymerge + +M +failedCint32".The number of pods which reached phase Failed.² +integer +å + startTime× +7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"›Represents time when the job controller started processing a job. When a Job is created in the suspended state, this field is not set until the first time it is resumed. This field is reset every time a Job is resumed from suspension. It is represented in RFC3339 form and is in UTC. +S + succeededFint32"1The number of pods which reached phase Succeeded.² +integer +C +active9int32"$The number of actively running pods.² +integer +Ü +completedIndexesÇ"¹CompletedIndexes holds the completed indexes when .spec.completionMode = "Indexed" in a text format. The indexes are represented as decimal integers separated by commas. The numbers are listed in increasing order. Three or more consecutive numbers are compressed and represented by the first and last element of the series, separated by a hyphen. For example, if the completed indexes are 1, 3, 4, 5 and 7, they are represented as "1,3-5,7".² +string + +completionTime¯ +7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"óRepresents time when the job was completed. It is not guaranteed to be set in happens-before order across separate operations. It is represented in RFC3339 form and is in UTC. The completion time is only set when the job finishes successfully. +à +4io.k8s.api.flowcontrol.v1beta1.NonResourcePolicyRuleŠ"·NonResourcePolicyRule is a predicate that matches non-resource requests according to their verb and the target non-resource URL. A NonResourcePolicyRule matches a request if and only if both (a) at least one member of verbs matches the request and (b) at least one member of nonResourceURLs matches the request.šverbsšnonResourceURLs² +objectʧ +Ð +nonResourceURLs¼"ü`nonResourceURLs` is a set of url prefixes that a user should have access to and may not be empty. For example: + - "/healthz" is legal + - "/hea*" is illegal + - "/hea" is legal but matches nothing + - "/hea/*" also matches nothing + - "/healthz/*" matches all per-component health checks. +"*" matches all non-resource urls. if it is present, it must be the only entry. Required.² +arrayº + ² +stringú +x-kubernetes-list-typeset + +Ñ +verbsÇ"‡`verbs` is a list of matching verbs and may not be empty. "*" matches all verbs. If it is present, it must be the only entry. Required.² +arrayº + ² +stringú +x-kubernetes-list-typeset + +û + +[io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceDefinitionNames› +"XCustomResourceDefinitionNames indicates the names to serve this CustomResourceDefinitionšpluralškind² +objectÊ¢ +ô + +categorieså"Ècategories is a list of grouped resources this custom resource belongs to (e.g. 'all'). This is published in API discovery documents, and used by clients to support invocations like `kubectl get all`.² +arrayº + ² +string +¾ +kindµ"§kind is the serialized kind of the resource. It is normally CamelCase and singular. Custom resource instances will use this value as the `kind` attribute in API calls.² +string +q +listKinde"XlistKind is the serialized kind of the list for this resource. Defaults to "`kind`List".² +string + +plural‚"ôplural is the plural name of the resource to serve. The custom resources are served under `/apis///.../`. Must match the name of the CustomResourceDefinition (in the form `.`). Must be all lowercase.² +string +á + +shortNamesÒ"µshortNames are short names for the resource, exposed in API discovery documents, and used by clients to support invocations like `kubectl get `. It must be all lowercase.² +arrayº + ² +string +€ +singulart"gsingular is the singular name of the resource. It must be all lowercase. Defaults to lowercased `kind`.² +string +Ì +%io.k8s.api.apps.v1.DaemonSetCondition¢"IDaemonSetCondition describes the state of a DaemonSet at a certain point.štypešstatus² +objectʸ +‘ +lastTransitionTime{ +7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"@Last time the condition transitioned from one status to another. +Y +messageN"AA human readable message indicating details about the transition.² +string +F +reason<"/The reason for the condition's last transition.² +string +L +statusB"5Status of the condition, one of True, False, Unknown.² +string +1 +type)"Type of DaemonSet condition.² +string +ž +io.k8s.api.batch.v1.Job‚ "1Job represents the configuration of a single job.² +objectÊï +Ò +metadataÅ +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"ƒStandard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata +Õ +specÌ +)#/definitions/io.k8s.api.batch.v1.JobSpec"žSpecification of the desired behavior of a job. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status + +status· ++#/definitions/io.k8s.api.batch.v1.JobStatus"‡Current status of a job. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +stringúN +x-kubernetes-group-version-kind+)- group: batch + kind: Job + version: v1 + +Òg +io.k8s.api.core.v1.ServiceSpec¯g"FServiceSpec describes the attributes that a user creates on a service.² +objectÊØf +× +loadBalancerClassÁ"³loadBalancerClass is the class of the load balancer implementation this Service belongs to. If specified, the value of this field must be a label-style identifier, with an optional prefix, e.g. "internal-vip" or "example.com/internal-vip". Unprefixed names are reserved for end-users. This field can only be set when the Service type is 'LoadBalancer'. If not set, the default load balancer implementation is used, today this is typically done through the cloud provider integration, but should apply for any default implementation. If set, it is assumed that a load balancer implementation is watching for Services with a matching class. Any default load balancer implementation (e.g. cloud providers) should ignore Services that set this field. This field can only be set when creating or updating a Service to type 'LoadBalancer'. Once set, it can not be changed. This field will be wiped when a service is updated to a non 'LoadBalancer' type.² +string +ã +loadBalancerIPÐ"ÂOnly applies to Service Type: LoadBalancer LoadBalancer will get created with the IP specified in this field. This feature depends on whether the underlying cloud-provider supports specifying the loadBalancerIP when a load balancer is created. This field will be ignored if the cloud-provider does not support the feature.² +string +“ +loadBalancerSourceRangesö"ÙIf specified and supported by the platform, this will restrict traffic through the cloud-provider load-balancer will be restricted to the specified client IPs. This field will be ignored if the cloud-provider does not support the feature." More info: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/² +arrayº + ² +string +« +selectorž"€Route service traffic to pods with label keys and values matching this selector. If empty or not present, the service is assumed to have an external process managing its endpoints, which Kubernetes will not modify. Only applies to types ClusterIP, NodePort, and LoadBalancer. Ignored if type is ExternalName. More info: https://kubernetes.io/docs/concepts/services-networking/service/ª + ² +string² +object +¥ +sessionAffinity‘"ƒSupports "ClientIP" and "None". Used to maintain session affinity. Enable client IP based session affinity. Must be ClientIP or None. Defaults to None. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies² +string +Õ + topologyKeysÄ"§topologyKeys is a preference-order list of topology keys which implementations of services should use to preferentially sort endpoints when accessing this Service, it can not be used at the same time as externalTrafficPolicy=Local. Topology keys must be valid label keys and at most 16 keys may be specified. Endpoints are chosen based on the first topology key with available backends. If this field is specified and all entries have no backends that match the topology of the client, the service has no backends for that client and connections should fail. The special value "*" may be used to mean "any topology". This catch-all value, if used, only makes sense as the last value in the list. If this is not specified or empty, no topology constraints will be applied. This field is alpha-level and is only honored by servers that enable the ServiceTopology feature. This field is deprecated and will be removed in a future version.² +arrayº + ² +string +Á +externalTrafficPolicy§"™externalTrafficPolicy denotes if this Service desires to route external traffic to node-local or cluster-wide endpoints. "Local" preserves the client source IP and avoids a second hop for LoadBalancer and Nodeport type services, but risks potentially imbalanced traffic spreading. "Cluster" obscures the client source IP and may cause a second hop to another node, but should have good overall load-spreading.² +string +ë + +clusterIPsÜ "™ ClusterIPs is a list of IP addresses assigned to this service, and are usually assigned randomly. If an address is specified manually, is in-range (as per system configuration), and is not in use, it will be allocated to the service; otherwise creation of the service will fail. This field may not be changed through updates unless the type field is also being changed to ExternalName (which requires this field to be empty) or the type field is being changed from ExternalName (in which case this field may optionally be specified, as describe above). Valid values are "None", empty string (""), or a valid IP address. Setting this to "None" makes a "headless service" (no virtual IP), which is useful when direct endpoint connections are preferred and proxying is not required. Only applies to types ClusterIP, NodePort, and LoadBalancer. If this field is specified when creating a Service of type ExternalName, creation will fail. This field will be wiped when updating a Service to type ExternalName. If this field is not specified, it will be initialized from the clusterIP field. If this field is specified, clients must ensure that clusterIPs[0] and clusterIP have the same value. + +Unless the "IPv6DualStack" feature gate is enabled, this field is limited to one value, which must be the same as the clusterIP field. If the feature gate is enabled, this field may hold a maximum of two entries (dual-stack IPs, in either order). These IPs must correspond to the values of the ipFamilies field. Both clusterIPs and ipFamilies are governed by the ipFamilyPolicy field. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies² +arrayº + ² +stringú# +x-kubernetes-list-type atomic + +• +healthCheckNodePortýint32"çhealthCheckNodePort specifies the healthcheck nodePort for the service. This only applies when type is set to LoadBalancer and externalTrafficPolicy is set to Local. If a value is specified, is in-range, and is not in use, it will be used. If not specified, a value will be automatically allocated. External systems (e.g. load-balancers) can use this port to determine if a given node holds endpoints for this service or not. If this field is specified when creating a Service which does not need it, creation will fail. This field will be wiped when updating a Service to no longer need it (e.g. changing type).² +integer +ö +internalTrafficPolicyÜ"ÎInternalTrafficPolicy specifies if the cluster internal traffic should be routed to all endpoints or node-local endpoints only. "Cluster" routes internal traffic to a Service to all endpoints. "Local" routes traffic to node-local endpoints only, traffic is dropped if no node-local endpoints are ready. The default value is "Cluster".² +string +ˆ +ipFamilyPolicyõ"çIPFamilyPolicy represents the dual-stack-ness requested or required by this Service, and is gated by the "IPv6DualStack" feature gate. If there is no value provided, then this field will be set to SingleStack. Services can be "SingleStack" (a single IP family), "PreferDualStack" (two IP families on dual-stack configured clusters or a single IP family on single-stack clusters), or "RequireDualStack" (two IP families on dual-stack configured clusters, otherwise fail). The ipFamilies and clusterIPs fields depend on the value of this field. This field will be wiped when updating a service to type ExternalName.² +string +¬ +publishNotReadyAddresses"€publishNotReadyAddresses indicates that any agent which deals with endpoints for this Service should disregard any indications of ready/not-ready. The primary use case for setting this field is for a StatefulSet's Headless Service to propagate SRV DNS records for its Pods for the purpose of peer discovery. The Kubernetes controllers that generate Endpoints and EndpointSlice resources for Services interpret this to mean that all endpoints are considered "ready" even if the Pods themselves are not. Agents which consume only Kubernetes generated endpoints through the Endpoints or EndpointSlice resources can safely assume this behavior.² +boolean +‰ +allocateLoadBalancerNodePortsç"ØallocateLoadBalancerNodePorts defines if NodePorts will be automatically allocated for services with type LoadBalancer. Default is "true". It may be set to "false" if the cluster load-balancer does not rely on NodePorts. allocateLoadBalancerNodePorts may only be set for services with type LoadBalancer and will be cleared if the type is changed to any other type. This field is alpha-level and is only honored by servers that enable the ServiceLBNodePortControl feature.² +boolean +š +sessionAffinityConfig€ +6#/definitions/io.k8s.api.core.v1.SessionAffinityConfig"FsessionAffinityConfig contains the configurations of session affinity. +ñ + +ipFamiliesâ"ŸIPFamilies is a list of IP families (e.g. IPv4, IPv6) assigned to this service, and is gated by the "IPv6DualStack" feature gate. This field is usually assigned automatically based on cluster configuration and the ipFamilyPolicy field. If this field is specified manually, the requested family is available in the cluster, and ipFamilyPolicy allows it, it will be used; otherwise creation of the service will fail. This field is conditionally mutable: it allows for adding or removing a secondary IP family, but it does not allow changing the primary IP family of the Service. Valid values are "IPv4" and "IPv6". This field only applies to Services of types ClusterIP, NodePort, and LoadBalancer, and does apply to "headless" services. This field will be wiped when updating a Service to type ExternalName. + +This field may hold a maximum of two entries (dual-stack families, in either order). These families must correspond to the values of the clusterIPs field, if specified. Both clusterIPs and ipFamilies are governed by the ipFamilyPolicy field.² +arrayº + ² +stringú# +x-kubernetes-list-type atomic + +ò + externalIPsâ"ÅexternalIPs is a list of IP addresses for which nodes in the cluster will also accept traffic for this service. These IPs are not managed by Kubernetes. The user is responsible for ensuring that traffic arrives at a node with this IP. A common example is external load-balancers that are not part of the Kubernetes system.² +arrayº + ² +string +¸ + externalName§"™externalName is the external reference that discovery mechanisms will return as an alias for this service (e.g. a DNS CNAME record). No proxying will be involved. Must be a lowercase RFC-1123 hostname (https://tools.ietf.org/html/rfc1123) and requires `type` to be "ExternalName".² +string +• +ports‹"ŸThe list of ports that are exposed by this service. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies² +arrayº0 +. +,#/definitions/io.k8s.api.core.v1.ServicePortú2 +x-kubernetes-list-map-keys- port +- protocol +ú +x-kubernetes-list-typemap +ú' +x-kubernetes-patch-merge-keyport +ú' +x-kubernetes-patch-strategymerge + +‹ +type‚"ôtype determines how the Service is exposed. Defaults to ClusterIP. Valid options are ExternalName, ClusterIP, NodePort, and LoadBalancer. "ClusterIP" allocates a cluster-internal IP address for load-balancing to endpoints. Endpoints are determined by the selector or if that is not specified, by manual construction of an Endpoints object or EndpointSlice objects. If clusterIP is "None", no virtual IP is allocated and the endpoints are published as a set of endpoints rather than a virtual IP. "NodePort" builds on ClusterIP and allocates a port on every node which routes to the same endpoints as the clusterIP. "LoadBalancer" builds on NodePort and creates an external load-balancer (if supported in the current cloud) which routes to the same endpoints as the clusterIP. "ExternalName" aliases this service to the specified externalName. Several other fields do not apply to ExternalName services. More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types² +string +á + clusterIPÓ"ÅclusterIP is the IP address of the service and is usually assigned randomly. If an address is specified manually, is in-range (as per system configuration), and is not in use, it will be allocated to the service; otherwise creation of the service will fail. This field may not be changed through updates unless the type field is also being changed to ExternalName (which requires this field to be blank) or the type field is being changed from ExternalName (in which case this field may optionally be specified, as describe above). Valid values are "None", empty string (""), or a valid IP address. Setting this to "None" makes a "headless service" (no virtual IP), which is useful when direct endpoint connections are preferred and proxying is not required. Only applies to types ClusterIP, NodePort, and LoadBalancer. If this field is specified when creating a Service of type ExternalName, creation will fail. This field will be wiped when updating a Service to type ExternalName. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies² +string +™ +-io.k8s.apimachinery.pkg.api.resource.Quantityç"ÙQuantity is a fixed-point representation of a number. It provides convenient marshaling/unmarshaling in JSON and YAML, in addition to String() and AsInt64() accessors. + +The serialization format is: + + ::= + (Note that may be empty, from the "" case in .) + ::= 0 | 1 | ... | 9 ::= | ::= | . | . | . ::= "+" | "-" ::= | ::= | | ::= Ki | Mi | Gi | Ti | Pi | Ei + (International System of units; See: http://physics.nist.gov/cuu/Units/binary.html) + ::= m | "" | k | M | G | T | P | E + (Note that 1024 = 1Ki but 1000 = 1k; I didn't choose the capitalization.) + ::= "e" | "E" + +No matter which of the three exponent forms is used, no quantity may represent a number greater than 2^63-1 in magnitude, nor may it have more than 3 decimal places. Numbers larger or more precise will be capped or rounded up. (E.g.: 0.1m will rounded up to 1m.) This may be extended in the future if we require larger or smaller quantities. + +When a Quantity is parsed from a string, it will remember the type of suffix it had, and will use the same type again when it is serialized. + +Before serializing, Quantity will be put in "canonical form". This means that Exponent/suffix will be adjusted up or down (with a corresponding increase or decrease in Mantissa) such that: + a. No precision is lost + b. No fractional digits will be emitted + c. The exponent (or suffix) is as large as possible. +The sign will be omitted unless the number is negative. + +Examples: + 1.5 will be serialized as "1500m" + 1.5Gi will be serialized as "1536Mi" + +Note that the quantity will NEVER be internally represented by a floating point number. That is the whole point of this exercise. + +Non-canonical values will still parse as long as they are well formed, but will be re-emitted in their canonical form. (So always use canonical form, or don't diff.) + +This format is intended to make it difficult to use these numbers without writing some sort of special handling code in the hopes that that will cause implementors to also use a fixed point implementation.² +string +Ù +1io.k8s.api.autoscaling.v2beta2.ObjectMetricSource£"‰ObjectMetricSource indicates how to scale on a metric describing a kubernetes object (for example, hits-per-second on an Ingress object).šdescribedObjectštargetšmetric² +objectÊä +] +describedObjectJ +H#/definitions/io.k8s.api.autoscaling.v2beta2.CrossVersionObjectReference +ƒ +metricy +=#/definitions/io.k8s.api.autoscaling.v2beta2.MetricIdentifier"8metric identifies the target metric by name and selector +} +targets +9#/definitions/io.k8s.api.autoscaling.v2beta2.MetricTarget"6target specifies the target value for the given metric +® +(io.k8s.api.core.v1.AzureFileVolumeSource"WAzureFile represents an Azure File Service mount on the host and bind mount to the pod.š +secretNameš shareName² +objectÊ€ +x +readOnlyl"^Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.² +boolean +^ + +secretNameP"Cthe name of secret that contains Azure Storage Account Name and Key² +string +$ + shareName" +Share Name² +string +ƒ +,io.k8s.api.core.v1.PersistentVolumeClaimSpecÒ "PersistentVolumeClaimSpec describes the common attributes of storage devices and allows a Source for provider-specific attributes² +objectÊ¿ +Ë + accessModes»"žAccessModes contains the desired access modes the volume should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1² +arrayº + ² +string +Ô + +dataSourceÅ +:#/definitions/io.k8s.api.core.v1.TypedLocalObjectReference"†This field can be used to specify either: * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) * An existing PVC (PersistentVolumeClaim) * An existing custom resource that implements data population (Alpha) In order to use custom resource types that implement data population, the AnyVolumeDataSource feature gate must be enabled. If the provisioner or an external controller can support the specified data source, it will create a new volume based on the contents of the specified data source. +Þ + resourcesÐ +5#/definitions/io.k8s.api.core.v1.ResourceRequirements"–Resources represents the minimum resources the volume should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources +ƒ +selectorw +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"3A label query over volumes to consider for binding. +¤ +storageClassName"Name of the StorageClass required by the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1² +string + + +volumeModeŽ"€volumeMode defines what type of volume is required by the claim. Value of Filesystem is implied when not included in claim spec.² +string +j + +volumeName\"OVolumeName is the binding reference to the PersistentVolume backing this claim.² +string +Æ +-io.k8s.api.flowcontrol.v1beta1.FlowSchemaList” "/FlowSchemaList is a list of FlowSchema objects.šitems² +objectÊÔ +Þ +metadataÑ +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"‘`metadata` is the standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +t +itemsk"!`items` is a list of FlowSchemas.² +arrayº; +9 +7#/definitions/io.k8s.api.flowcontrol.v1beta1.FlowSchema +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +stringúu +x-kubernetes-group-version-kindRP- group: flowcontrol.apiserver.k8s.io + kind: FlowSchemaList + version: v1beta1 + +Ó +$io.k8s.api.networking.v1.IngressRuleª "ìIngressRule represents the rules mapping the paths under a specified host to the related backend services. Incoming requests are first evaluated for a host match, then routed to the backend associated with the matching IngressRuleValue.² +objectʬ +â + +hostÙ +"Ë +Host is the fully qualified domain name of a network host, as defined by RFC 3986. Note the following deviations from the "host" part of the URI as defined in RFC 3986: 1. IPs are not allowed. Currently an IngressRuleValue can only apply to + the IP in the Spec of the parent Ingress. +2. The `:` delimiter is not respected because ports are not allowed. + Currently the port of an Ingress is implicitly :80 for http and + :443 for https. +Both these may change in the future. Incoming requests are matched against the host before the IngressRuleValue. If the host is unspecified, the Ingress routes all traffic based on the specified IngressRuleValue. + +Host can be "precise" which is a domain name without the terminating dot of a network host (e.g. "foo.bar.com") or "wildcard", which is a domain name prefixed with a single wildcard label (e.g. "*.foo.com"). The wildcard character '*' must appear by itself as the first DNS label and matches only a single label. You cannot have a wildcard label by itself (e.g. Host == "*"). Requests will be matched against the Host field in the following way: 1. If Host is precise, the request matches this rule if the http host header is equal to Host. 2. If Host is a wildcard, then the request matches this rule if the http host header is to equal to the suffix (removing the first label) of the wildcard rule.² +string +E +http= +;#/definitions/io.k8s.api.networking.v1.HTTPIngressRuleValue +º +%io.k8s.api.networking.v1beta1.Ingress "€Ingress is a collection of rules that allow inbound connections to reach the endpoints defined by a backend. An Ingress can be configured to give services externally-reachable urls, load balance traffic, terminate SSL, offer name based virtual hosting etc.² +objectʘ + +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +Ò +metadataÅ +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"ƒStandard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata +Ý +specÔ +7#/definitions/io.k8s.api.networking.v1beta1.IngressSpec"˜Spec is the desired state of the Ingress. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status +ã +statusØ +9#/definitions/io.k8s.api.networking.v1beta1.IngressStatus"šStatus is the current state of the Ingress. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-statusúc +x-kubernetes-group-version-kind@>- group: networking.k8s.io + kind: Ingress + version: v1beta1 + +ä + io.k8s.api.core.v1.EndpointsList¿"%EndpointsList is a list of endpoints.šitems² +objectÊ© +Ï +metadata +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"‚Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +X +itemsO"List of endpoints.² +arrayº. +, +*#/definitions/io.k8s.api.core.v1.Endpoints +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +stringúU +x-kubernetes-group-version-kind20- version: v1 + group: "" + kind: EndpointsList + +Ä +"io.k8s.api.core.v1.ObjectReference "]ObjectReference contains enough information to let you inspect or modify the referred object.² +objectʯ +„ +name|"oName of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names² +string +Ž + namespace€"sNamespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/² +string +æ +resourceVersionÒ"ÄSpecific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency² +string + +uidz"mUID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids² +string +7 + +apiVersion)"API version of the referent.² +string +Ô + fieldPathÆ"¸If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object.² +string +— +kindŽ"€Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +° +.io.k8s.api.core.v1.ReplicationControllerStatusý"VReplicationControllerStatus represents the current status of a replication controller.šreplicas² +objectÊ‹ + +availableReplicas{int32"fThe number of available replicas (ready for at least minReadySeconds) for this replication controller.² +integer +Ž + +conditionsÿ"YRepresents the latest available observations of a replication controller's current state.² +arrayºC +A +?#/definitions/io.k8s.api.core.v1.ReplicationControllerConditionú' +x-kubernetes-patch-merge-keytype +ú' +x-kubernetes-patch-strategymerge + +— +fullyLabeledReplicasint32"jThe number of pods that have labels matching the labels of the pod template of the replication controller.² +integer +‹ +observedGenerationuint64"`ObservedGeneration reflects the generation of the most recently observed replication controller.² +integer +c + readyReplicasRint32"=The number of ready replicas for this replication controller.² +integer +× +replicasÊint32"´Replicas is the most recently oberved number of replicas. More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#what-is-a-replicationcontroller² +integer +Û +*io.k8s.api.networking.v1beta1.IngressClass¬ "óIngressClass represents the class of the Ingress, referenced by the Ingress Spec. The `ingressclass.kubernetes.io/is-default-class` annotation can be used to indicate that an IngressClass should be considered default. When a single IngressClass resource has this annotation set to true, new Ingress resources without a class specified will be assigned this default class.² +objectʼ +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +Ò +metadataÅ +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"ƒStandard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata +ç +specÞ +<#/definitions/io.k8s.api.networking.v1beta1.IngressClassSpec"Spec is the desired state of the IngressClass. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-statusúh +x-kubernetes-group-version-kindEC- version: v1beta1 + group: networking.k8s.io + kind: IngressClass + +æ +'io.k8s.api.policy.v1beta1.HostPortRangeº"HostPortRange defines a range of host ports that will be enabled by a policy for pods to use. It requires both the start and end to be defined.šminšmax² +objectÊŒ +C +max<int32"'max is the end of the range, inclusive.² +integer +E +min>int32")min is the start of the range, inclusive.² +integer +î +4io.k8s.apimachinery.pkg.apis.meta.v1.APIResourceListµ "¦APIResourceList is a list of APIResource, it is used to expose the name of the resources supported in a specific group and version, and if the resource is namespaced.š groupVersionš resources² +objectʈ +§ + resources™"Hresources contains the name of the resources and if they are namespaced.² +arrayºB +@ +>#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIResource +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +_ + groupVersionO"BgroupVersion is the group and version this APIResourceList is for.² +string +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +stringúW +x-kubernetes-group-version-kind42- version: v1 + group: "" + kind: APIResourceList + +Í +io.k8s.api.core.v1.EventList¬"EventList is a list of events.šitems² +objectÊ¡ +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +P +itemsG"List of events² +arrayº* +( +&#/definitions/io.k8s.api.core.v1.Event +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +Ï +metadata +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"‚Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kindsúQ +x-kubernetes-group-version-kind.,- group: "" + kind: EventList + version: v1 + +õ +#io.k8s.api.core.v1.PodReadinessGateÍ":PodReadinessGate contains the reference to a pod conditionš conditionType² +objectÊs +q + conditionType`"SConditionType refers to a condition in the pod's condition list with matching type.² +string +Å +\io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceSubresourceScaleä "^CustomResourceSubresourceScale defines how to serve the scale subresource for CustomResources.šspecReplicasPathšstatusReplicasPath² +objectÊÍ +€ +statusReplicasPathé"ÛstatusReplicasPath defines the JSON path inside of a custom resource that corresponds to Scale `status.replicas`. Only JSON paths without the array notation are allowed. Must be a JSON Path under `.status`. If there is no value under the given path in the custom resource, the `status.replicas` value in the `/scale` subresource will default to 0.² +string +á +labelSelectorPathË"½labelSelectorPath defines the JSON path inside of a custom resource that corresponds to Scale `status.selector`. Only JSON paths without the array notation are allowed. Must be a JSON Path under `.status` or `.spec`. Must be set to work with HorizontalPodAutoscaler. The field pointed by this JSON path must be a string field (not a complex selector struct) which contains a serialized label selector in string form. More info: https://kubernetes.io/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions#scale-subresource If there is no value under the given path in the custom resource, the `status.selector` value in the `/scale` subresource will default to the empty string.² +string +ã +specReplicasPathÎ"ÀspecReplicasPath defines the JSON path inside of a custom resource that corresponds to Scale `spec.replicas`. Only JSON paths without the array notation are allowed. Must be a JSON Path under `.spec`. If there is no value under the given path in the custom resource, the `/scale` subresource will return an error on GET.² +string +† +0io.k8s.apimachinery.pkg.apis.meta.v1.StatusCauseÑ"xStatusCause provides more information about an api.Status failure, including cases when multiple errors are encountered.² +objectÊÈ +¶ +field¬"žThe field of the resource that has caused this error, as named by its JSON serialization. May include dot and postfix notation for nested attributes. Arrays are zero-indexed. Fields may appear more than once in an array of causes due to fields having multiple errors. Optional. + +Examples: + "name" - the field "name" on the current resource + "items[0].name" - the field "name" on the first array entry in "items"² +string + +messaget"gA human-readable description of the cause of the error. This field may be presented as-is to a reader.² +string +‹ +reason€"sA machine-readable description of the cause of the error. If this value is empty there is no information available.² +string +ª +io.k8s.api.core.v1.SecretŒ"‚Secret holds secret data of a certain type. The total bytes of the values in the Data field must be less than MaxSecretSize bytes.² +objectʧ +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +Ò +metadataÅ +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"ƒStandard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata +Ê + +stringData»"stringData allows specifying non-binary secret data in string form. It is provided as a write-only input field for convenience. All keys and values are merged into the data field on write, overwriting any existing values. The stringData field is never output when reading from the API.ª + ² +string² +object +M +typeE"8Used to facilitate programmatic handling of secret data.² +string +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +Î +dataÅ"¡Data contains the secret data. Each key must consist of alphanumeric characters, '-', '_' or '.'. The serialized form of the secret data is a base64 encoded string, representing the arbitrary (possibly non-string) data value here. Described in https://tools.ietf.org/html/rfc4648#section-4ª +byte² +string² +object +å + immutable×"ÈImmutable, if set to true, ensures that data stored in the Secret cannot be updated (only object metadata can be modified). If not set to true, the field can be modified at any time. Defaulted to nil.² +booleanúN +x-kubernetes-group-version-kind+)- version: v1 + group: "" + kind: Secret + +å +2io.k8s.api.core.v1.StorageOSPersistentVolumeSource® "2Represents a StorageOS persistent volume resource.² +objectÊë +À +fsTypeµ"§Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.² +string +x +readOnlyl"^Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.² +boolean +Ê + secretRef¼ +0#/definitions/io.k8s.api.core.v1.ObjectReference"‡SecretRef specifies the secret to use for obtaining the StorageOS API credentials. If not specified, default values will be attempted. +‹ + +volumeName}"pVolumeName is the human-readable name of the StorageOS volume. Volume names are only unique within a namespace.² +string +Ð +volumeNamespace¼"®VolumeNamespace specifies the scope of the volume within StorageOS. If no namespace is specified then the Pod's namespace will be used. This allows the Kubernetes name scoping to be mirrored within StorageOS for tighter integration. Set VolumeName to any name to override the default behaviour. Set to "default" if you are not using namespaces within StorageOS. Namespaces that do not pre-exist within StorageOS will be created.² +string +ñ +io.k8s.api.node.v1.RuntimeClassÍ"ËRuntimeClass defines a class of container runtime supported in the cluster. The RuntimeClass is used to determine which container runtime is used to run all containers in a pod. RuntimeClasses are manually defined by a user or cluster provisioner, and referenced in the PodSpec. The Kubelet is responsible for resolving the RuntimeClassName reference before running the pod. For more details, see https://kubernetes.io/docs/concepts/containers/runtime-class/šhandler² +objectʆ +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +Ð +handlerÄ"¶Handler specifies the underlying runtime and configuration that the CRI implementation will use to handle pods of this class. The possible values are specific to the node & CRI configuration. It is assumed that all handlers are available on every node, and handlers of the same name are equivalent on every node. For example, a handler called "runc" might specify that the runc OCI runtime (using native Linux containers) will be used to run the containers in a pod. The Handler must be lowercase, conform to the DNS Label (RFC 1123) requirements, and is immutable.² +string +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +µ +metadata¨ +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"gMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata +â +overheadÕ +)#/definitions/io.k8s.api.node.v1.Overhead"§Overhead represents the resource overhead associated with running a pod for a given RuntimeClass. For more details, see + https://kubernetes.io/docs/concepts/scheduling-eviction/pod-overhead/ +This field is in beta starting v1.18 and is only honored by servers that enable the PodOverhead feature. +– + +scheduling‡ ++#/definitions/io.k8s.api.node.v1.Scheduling"×Scheduling holds the scheduling constraints to ensure that pods running with this RuntimeClass are scheduled to nodes that support it. If scheduling is nil, this RuntimeClass is assumed to be supported by all nodes.ú] +x-kubernetes-group-version-kind:8- group: node.k8s.io + kind: RuntimeClass + version: v1 + +û +io.k8s.api.core.v1.NodeAddressØ"8NodeAddress contains information for the node's address.štypešaddress² +objectÊ +) +address"The node address.² +string +R +typeJ"=Node address type, one of Hostname, ExternalIP or InternalIP.² +string +› + +,io.k8s.api.core.v1.PersistentVolumeClaimListê "CPersistentVolumeClaimList is a list of PersistentVolumeClaim items.šitems² +objectʪ +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +Ø +itemsÎ"„A list of persistent volume claims. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims² +arrayº: +8 +6#/definitions/io.k8s.api.core.v1.PersistentVolumeClaim +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +Ï +metadata +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"‚Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kindsúa +x-kubernetes-group-version-kind><- kind: PersistentVolumeClaimList + version: v1 + group: "" + +ž +*io.k8s.api.apps.v1.DaemonSetUpdateStrategyï"XDaemonSetUpdateStrategy is a struct used to control the update strategy for a DaemonSet.² +objectʆ +o +typeg"ZType of daemon set update. Can be "RollingUpdate" or "OnDelete". Default is RollingUpdate.² +string +’ + rollingUpdate€ +7#/definitions/io.k8s.api.apps.v1.RollingUpdateDaemonSet"ERolling update config params. Present only if type = "RollingUpdate". +ä +,io.k8s.api.core.v1.CSIPersistentVolumeSource³"RRepresents storage that is managed by an external CSI volume driver (Beta feature)šdriverš volumeHandle² +objectʸ +­ +controllerPublishSecretRefŽ +0#/definitions/io.k8s.api.core.v1.SecretReference"ÙControllerPublishSecretRef is a reference to the secret object containing sensitive information to pass to the CSI driver to complete the CSI ControllerPublishVolume and ControllerUnpublishVolume calls. This field is optional, and may be empty if no secret is required. If the secret object contains more than one secret, all secrets are passed. +² + volumeHandle¡"“VolumeHandle is the unique volume name returned by the CSI volume plugin’s CreateVolume to refer to the volume on all subsequent calls. Required.² +string +Ž +fsTypeƒ"vFilesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs".² +string +• +nodePublishSecretRefü +0#/definitions/io.k8s.api.core.v1.SecretReference"ÇNodePublishSecretRef is a reference to the secret object containing sensitive information to pass to the CSI driver to complete the CSI NodePublishVolume and NodeUnpublishVolume calls. This field is optional, and may be empty if no secret is required. If the secret object contains more than one secret, all secrets are passed. +¡ +nodeStageSecretRefŠ +0#/definitions/io.k8s.api.core.v1.SecretReference"ÕNodeStageSecretRef is a reference to the secret object containing sensitive information to pass to the CSI driver to complete the CSI NodeStageVolume and NodeStageVolume and NodeUnstageVolume calls. This field is optional, and may be empty if no secret is required. If the secret object contains more than one secret, all secrets are passed. +x +readOnlyl"^Optional: The value to pass to ControllerPublishVolumeRequest. Defaults to false (read/write).² +boolean +U +volumeAttributesA"$Attributes of the volume to publish.ª + ² +string² +object +× +controllerExpandSecretRef¹ +0#/definitions/io.k8s.api.core.v1.SecretReference"„ControllerExpandSecretRef is a reference to the secret object containing sensitive information to pass to the CSI driver to complete the CSI ControllerExpandVolume call. This is an alpha field and requires enabling ExpandCSIVolumes feature gate. This field is optional, and may be empty if no secret is required. If the secret object contains more than one secret, all secrets are passed. +Y +driverO"BDriver is the name of the driver to use for this volume. Required.² +string +Ù +Bio.k8s.api.flowcontrol.v1beta1.PriorityLevelConfigurationCondition’"LPriorityLevelConfigurationCondition defines the condition of priority level.² +objectʵ +g +message\"O`message` is a human-readable message indicating details about last transition.² +string +l +reasonb"U`reason` is a unique, one-word, CamelCase reason for the condition's last transition.² +string +f +status\"O`status` is the status of the condition. Can be True, False, Unknown. Required.² +string +C +type;".`type` is the type of the condition. Required.² +string +® +lastTransitionTime— +7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"\`lastTransitionTime` is the last time the condition transitioned from one status to another. +• +/io.k8s.api.storage.v1beta1.VolumeAttachmentSpecá"HVolumeAttachmentSpec is the specification of a VolumeAttachment request.šattacheršsourcešnodeName² +objectÊé +— +attacherŠ"}Attacher indicates the name of the volume driver that MUST handle this request. This is the name returned by GetPluginName().² +string +H +nodeName<"/The node that the volume should be attached to.² +string +‚ +sourcex +?#/definitions/io.k8s.api.storage.v1beta1.VolumeAttachmentSource"5Source represents the volume that should be attached. +û +%io.k8s.api.discovery.v1.EndpointSliceÑ"ÜEndpointSlice represents a subset of the endpoints that implement a service. For a given service there may be multiple EndpointSlice objects, selected by labels, which must be joined to produce the full set of endpoints.š addressTypeš endpoints² +objectÊã +ð + addressTypeà"ÒaddressType specifies the type of address carried by this EndpointSlice. All addresses in this slice must be the same type. This field is immutable after creation. The following address types are currently supported: * IPv4: Represents an IPv4 Address. * IPv6: Represents an IPv6 Address. * FQDN: Represents a Fully Qualified Domain Name.² +string +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +ß + endpointsÑ"jendpoints is a list of unique endpoints in this slice. Each slice may include a maximum of 1000 endpoints.² +arrayº2 +0 +.#/definitions/io.k8s.api.discovery.v1.Endpointú# +x-kubernetes-list-type atomic + +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +h +metadata\ +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"Standard object's metadata. +¤ +portsš"®ports specifies the list of network ports exposed by each endpoint in this slice. Each port must have a unique name. When ports is empty, it indicates that there are no defined ports. When a port is defined with a nil port value, it indicates "all ports". Each slice may include a maximum of 100 ports.² +arrayº6 +4 +2#/definitions/io.k8s.api.discovery.v1.EndpointPortú# +x-kubernetes-list-type atomic +úc +x-kubernetes-group-version-kind@>- group: discovery.k8s.io + kind: EndpointSlice + version: v1 + +å +'io.k8s.api.storage.v1beta1.TokenRequest¹": will be created for the connection.² +string +0 +iqn)"Target iSCSI Qualified Name.² +string +n +iscsiInterface\"OiSCSI Interface Name that uses an iSCSI transport. Defaults to 'default' (tcp).² +string +4 +lun-int32"iSCSI Target Lun number.² +integer +³ +portals§"ŠiSCSI Target Portal List. The Portal is either an IP or ip_addr:port if the port is other than default (typically TCP ports 860 and 3260).² +arrayº + ² +string +k +readOnly_"QReadOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false.² +boolean +z + secretRefm +0#/definitions/io.k8s.api.core.v1.SecretReference"9CHAP Secret for iSCSI target and initiator authentication +¤ + targetPortal“"…iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port is other than default (typically TCP ports 860 and 3260).² +string +R +chapAuthSession?"1whether support iSCSI Session CHAP authentication² +boolean +â + io.k8s.api.core.v1.NamespaceList½ "&NamespaceList is a list of Namespaces.šitems² +objectʦ +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +Ô +itemsÊ"ŒItems is the list of Namespace objects in the list. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/² +arrayº. +, +*#/definitions/io.k8s.api.core.v1.Namespace +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +Ï +metadata +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"‚Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kindsúU +x-kubernetes-group-version-kind20- kind: NamespaceList + version: v1 + group: "" + +¥ +0io.k8s.api.networking.v1.NetworkPolicyEgressRuleð"ÐNetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to. This type is beta-level in 1.8² +objectÊŽ +¯ +ports¥"ÙList of destination ports for outgoing traffic. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list.² +arrayº< +: +8#/definitions/io.k8s.api.networking.v1.NetworkPolicyPort +Ù +toÒ"†List of destinations for outgoing traffic of pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all destinations (traffic not restricted by destination). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the to list.² +arrayº< +: +8#/definitions/io.k8s.api.networking.v1.NetworkPolicyPeer +Ž +6io.k8s.api.authorization.v1.SelfSubjectRulesReviewSpecT² +objectÊF +D + namespace7"*Namespace to evaluate rules for. Required.² +string +ú +io.k8s.api.core.v1.NodeListÚ"ONodeList is the whole list of all Nodes which have been registered with master.šitems² +objectÊŸ +Ï +metadata +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"‚Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +N +itemsE" List of nodes² +arrayº) +' +%#/definitions/io.k8s.api.core.v1.Node +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +stringúP +x-kubernetes-group-version-kind-+- group: "" + kind: NodeList + version: v1 + +• +$io.k8s.api.core.v1.LocalVolumeSourceì"LLocal represents directly-attached storage with node affinity (Beta feature)špath² +objectʈ +€ +fsTypeõ"çFilesystem type to mount. It applies only when the Path is a block device. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". The default value is to auto-select a fileystem if unspecified.² +string +‚ +pathz"mThe full path to the volume on the node. It can be either a directory or block device (disk, partition, ...).² +string +Ý +)io.k8s.api.networking.v1beta1.IngressRule¯ "ìIngressRule represents the rules mapping the paths under a specified host to the related backend services. Incoming requests are first evaluated for a host match, then routed to the backend associated with the matching IngressRuleValue.² +objectʱ +â + +hostÙ +"Ë +Host is the fully qualified domain name of a network host, as defined by RFC 3986. Note the following deviations from the "host" part of the URI as defined in RFC 3986: 1. IPs are not allowed. Currently an IngressRuleValue can only apply to + the IP in the Spec of the parent Ingress. +2. The `:` delimiter is not respected because ports are not allowed. + Currently the port of an Ingress is implicitly :80 for http and + :443 for https. +Both these may change in the future. Incoming requests are matched against the host before the IngressRuleValue. If the host is unspecified, the Ingress routes all traffic based on the specified IngressRuleValue. + +Host can be "precise" which is a domain name without the terminating dot of a network host (e.g. "foo.bar.com") or "wildcard", which is a domain name prefixed with a single wildcard label (e.g. "*.foo.com"). The wildcard character '*' must appear by itself as the first DNS label and matches only a single label. You cannot have a wildcard label by itself (e.g. Host == "*"). Requests will be matched against the Host field in the following way: 1. If Host is precise, the request matches this rule if the http host header is equal to Host. 2. If Host is a wildcard, then the request matches this rule if the http host header is to equal to the suffix (removing the first label) of the wildcard rule.² +string +J +httpB +@#/definitions/io.k8s.api.networking.v1beta1.HTTPIngressRuleValue +‚ + io.k8s.api.rbac.v1beta1.RoleListÝ"RoleList is a collection of Roles Deprecated in v1.17 in favor of rbac.authorization.k8s.io/v1 RoleList, and will no longer be served in v1.22.šitems² +objectÊÅ +f +metadataZ +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"Standard object's metadata. +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +^ +itemsU"Items is a list of Roles² +arrayº. +, +*#/definitions/io.k8s.api.rbac.v1beta1.Role +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +stringúl +x-kubernetes-group-version-kindIG- group: rbac.authorization.k8s.io + kind: RoleList + version: v1beta1 + +Ž +&io.k8s.api.storage.v1beta1.CSINodeListã"/CSINodeList is a collection of CSINode objects.šitems² +objectÊ´ +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +h +items_"items is the list of CSINode² +arrayº4 +2 +0#/definitions/io.k8s.api.storage.v1beta1.CSINode +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +Ê +metadata½ +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"~Standard list metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadataúd +x-kubernetes-group-version-kindA?- kind: CSINodeList + version: v1beta1 + group: storage.k8s.io + +Í +3io.k8s.api.authorization.v1.SubjectAccessReviewSpec•"¢SubjectAccessReviewSpec is a description of the access request. Exactly one of ResourceAuthorizationAttributes and NonResourceAuthorizationAttributes must be set² +objectÊá +ª +nonResourceAttributes +?#/definitions/io.k8s.api.authorization.v1.NonResourceAttributes"MNonResourceAttributes describes information for a non-resource access request +ª +resourceAttributes“ +<#/definitions/io.k8s.api.authorization.v1.ResourceAttributes"SResourceAuthorizationAttributes describes information for a resource access request +> +uid7"*UID information about the requesting user.² +string +« +user¢"”User is the user you're testing for. If you specify "User" but not "Groups", then is it interpreted as "What if User were not a member of any groups² +string +Æ +extra¼"Extra corresponds to the user.Info.GetExtra() method from the authenticator. Since that is input to the authorizer it needs a reflection here.ª +² +arrayº + ² +string² +object +N +groupsD"(Groups is the groups you're testing for.² +arrayº + ² +string + +io.k8s.api.core.v1.EventSeriesÞ"qEventSeries contain information on series of events, i.e. thing that was/is happening continuously for some time.² +objectÊÜ +` +countWint32"BNumber of occurrences in this series up to the last heartbeat time² +integer +x +lastObservedTimed +<#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.MicroTime"$Time of the last occurrence observed +Ò +)io.k8s.api.extensions.v1beta1.IngressSpec¤ ";IngressSpec describes the Ingress the user wishes to exist.² +objectÊØ +º +backend® +:#/definitions/io.k8s.api.extensions.v1beta1.IngressBackend"ïA default backend capable of servicing requests that don't match any rule. At least one of 'backend' or 'rules' must be specified. This field is optional to allow the loadbalancer controller or defaulting logic to specify a global default. +´ +ingressClassNameŸ"‘IngressClassName is the name of the IngressClass cluster resource. The associated IngressClass defines which controller will implement the resource. This replaces the deprecated `kubernetes.io/ingress.class` annotation. For backwards compatibility, when that annotation is set, it must be given precedence over this field. The controller may emit a warning if the field and annotation have different values. Implementations of this API should ignore Ingresses without a class specified. An IngressClass resource may be marked as default, which can be used to set a default value for this field. For more information, refer to the IngressClass documentation.² +string +Ø +rulesÎ"ƒA list of host rules used to configure the Ingress. If unspecified, or no rule matches, all traffic is sent to the default backend.² +arrayº; +9 +7#/definitions/io.k8s.api.extensions.v1beta1.IngressRule +† +tlsþ"´TLS configuration. Currently the Ingress only supports a single TLS port, 443. If multiple members of this list specify different hosts, they will be multiplexed on the same port according to the hostname specified through the SNI TLS extension, if the ingress controller fulfilling the ingress supports SNI.² +arrayº: +8 +6#/definitions/io.k8s.api.extensions.v1beta1.IngressTLS +§ +*io.k8s.api.networking.v1.NetworkPolicyListø"5NetworkPolicyList is a list of NetworkPolicy objects.šitems² +objectÊ¿ +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +r +itemsi""Items is a list of schema objects.² +arrayº8 +6 +4#/definitions/io.k8s.api.networking.v1.NetworkPolicy +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +Ë +metadata¾ +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadataúh +x-kubernetes-group-version-kindEC- group: networking.k8s.io + kind: NetworkPolicyList + version: v1 + +Ò +=io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSON"JSON represents any valid JSON value. These types are supported: bool, int64, float64, string, []interface{}, map[string]interface{} and nil. +µ +2io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelectorþ"ËA label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.² +objectÊü +É +matchExpressions´"VmatchExpressions is a list of label selector requirements. The requirements are ANDed.² +arrayºO +M +K#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelectorRequirement +­ + matchLabels"ÿmatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.ª + ² +string² +objectú" +x-kubernetes-map-type atomic + +Š +&io.k8s.api.core.v1.ResourceQuotaStatusß"FResourceQuotaStatus defines the enforced hard limits and observed use.² +objectʈ +à +hard×"‡Hard is the set of enforced hard limits for each named resource. More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/ª? += +;#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity² +object +¢ +used™"JUsed is the current observed total usage of the resource in the namespace.ª? += +;#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity² +object +Ú +*io.k8s.api.core.v1.WeightedPodAffinityTerm«"vThe weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)šweightšpodAffinityTerm² +objectʉ +u +weightkint32"Vweight associated with matching the corresponding podAffinityTerm, in the range 1-100.² +integer + +podAffinityTerm| +0#/definitions/io.k8s.api.core.v1.PodAffinityTerm"HRequired. A pod affinity term, associated with the corresponding weight. +¹ +1io.k8s.api.flowcontrol.v1beta1.ResourcePolicyRuleƒ" ResourcePolicyRule is a predicate that matches some resource requests, testing the request's verb and the target resource. A ResourcePolicyRule matches a resource request if and only if: (a) at least one member of verbs matches the request, (b) at least one member of apiGroups matches the request, (c) at least one member of resources matches the request, and (d) least one member of namespaces matches the request.šverbsš apiGroupsš resources² +objectʱ +´ + clusterScope£"”`clusterScope` indicates whether to match requests that do not specify a namespace (which happens either because the resource is not namespaced or the request targets all namespaces). If this field is omitted or false then the `namespaces` field must contain a non-empty list.² +boolean +÷ + +namespacesè"¨`namespaces` is a list of target namespaces that restricts matches. A request that specifies a target namespace matches only if either (a) this list contains that target namespace or (b) this list contains "*". Note that "*" matches any specified namespace but does not match a request that _does not specify_ a namespace (see the `clusterScope` field for that). This list may be empty, but only if `clusterScope` is true.² +arrayº + ² +stringú +x-kubernetes-list-typeset + +Í + resources¿"ÿ`resources` is a list of matching resources (i.e., lowercase and plural) with, if desired, subresource. For example, [ "services", "nodes/status" ]. This list may not be empty. "*" matches all resources and, if present, must be the only entry. Required.² +arrayº + ² +stringú +x-kubernetes-list-typeset + +Ì +verbsÂ"‚`verbs` is a list of matching verbs and may not be empty. "*" matches all verbs and, if present, must be the only entry. Required.² +arrayº + ² +stringú +x-kubernetes-list-typeset + +Þ + apiGroupsÐ"`apiGroups` is a list of matching API groups and may not be empty. "*" matches all API groups and, if present, must be the only entry. Required.² +arrayº + ² +stringú +x-kubernetes-list-typeset + +÷ +-io.k8s.api.policy.v1beta1.PodDisruptionBudgetÅ "hPodDisruptionBudget is an object to define the max disruption that can be caused to a collection of pods² +objectÊå +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +K +metadata? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta + +spec„ +?#/definitions/io.k8s.api.policy.v1beta1.PodDisruptionBudgetSpec"ASpecification of the desired behavior of the PodDisruptionBudget. +ˆ +status~ +A#/definitions/io.k8s.api.policy.v1beta1.PodDisruptionBudgetStatus"9Most recently observed status of the PodDisruptionBudget.úd +x-kubernetes-group-version-kindA?- group: policy + kind: PodDisruptionBudget + version: v1beta1 + +…, +:io.k8s.api.admissionregistration.v1beta1.ValidatingWebhookÆ+"`ValidatingWebhook describes an admission webhook and the resources and operations it applies to.šnameš clientConfig² +objectÊ¿* +é +objectSelectorÖ +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"‘ObjectSelector decides whether to run the webhook based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the webhook, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Default to the empty LabelSelector, which matches everything. +î +rulesä"‡Rules describes what operations on what resources/subresources the webhook cares about. The webhook cares about an operation if it matches _any_ Rule. However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks from putting the cluster in a state which cannot be recovered from without completely disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects.² +arrayºM +K +I#/definitions/io.k8s.api.admissionregistration.v1beta1.RuleWithOperations +œ +timeoutSeconds‰int32"óTimeoutSeconds specifies the timeout for this webhook. After the timeout passes, the webhook call will be ignored or the API call will fail based on the failure policy. The timeout value must be between 1 and 30 seconds. Default to 30 seconds.² +integer +° +admissionReviewVersions”"÷AdmissionReviewVersions is an ordered list of preferred `AdmissionReview` versions the Webhook expects. API server will try to use first version in the list which it supports. If none of the versions specified in this list supported by API server, validation will fail for this object. If a persisted webhook configuration specifies allowed versions and does not include any versions known to the API Server, calls to the webhook will fail and be subject to the failure policy. Default to `['v1beta1']`.² +arrayº + ² +string +ž + clientConfig +J#/definitions/io.k8s.api.admissionregistration.v1beta1.WebhookClientConfig"?ClientConfig defines how to communicate with the hook. Required +— + matchPolicy‡"ùmatchPolicy defines how the "rules" list is used to match incoming requests. Allowed values are "Exact" or "Equivalent". + +- Exact: match a request only if it exactly matches a specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook. + +- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook. + +Defaults to "Exact"² +string +Ø + sideEffectsÈ"ºSideEffects states whether this webhook has side effects. Acceptable values are: Unknown, None, Some, NoneOnDryRun Webhooks with side effects MUST implement a reconciliation system, since a request may be rejected by a future step in the admission chain and the side effects therefore need to be undone. Requests with the dryRun attribute will be auto-rejected if they match a webhook with sideEffects == Unknown or Some. Defaults to Unknown.² +string +® + failurePolicyœ"ŽFailurePolicy defines how unrecognized errors from the admission endpoint are handled - allowed values are Ignore or Fail. Defaults to Ignore.² +string +ç +nameÞ"ÐThe name of the admission webhook. Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where "imagepolicy" is the name of the webhook, and kubernetes.io is the name of the organization. Required.² +string +Ü +namespaceSelectorÆ +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector" NamespaceSelector decides whether to run the webhook on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is another cluster scoped resource, it never skips the webhook. + +For example, to run the webhook on any objects whose namespace is not associated with "runlevel" of "0" or "1"; you will set the selector as follows: "namespaceSelector": { + "matchExpressions": [ + { + "key": "runlevel", + "operator": "NotIn", + "values": [ + "0", + "1" + ] + } + ] +} + +If instead you want to only run the webhook on any objects whose namespace is associated with the "environment" of "prod" or "staging"; you will set the selector as follows: "namespaceSelector": { + "matchExpressions": [ + { + "key": "environment", + "operator": "In", + "values": [ + "prod", + "staging" + ] + } + ] +} + +See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels for more examples of label selectors. + +Default to the empty LabelSelector, which matches everything. +… +$io.k8s.api.coordination.v1.LeaseListÜ"%LeaseList is a list of Lease objects.šitems² +objectʹ +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +l +itemsc""Items is a list of schema objects.² +arrayº2 +0 +.#/definitions/io.k8s.api.coordination.v1.Lease +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +Ë +metadata¾ +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadataúb +x-kubernetes-group-version-kind?=- version: v1 + group: coordination.k8s.io + kind: LeaseList + +« +io.k8s.api.core.v1.SecretList‰ "SecretList is a list of Secret.šitems² +objectÊü +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +ª +items "fItems is a list of secret objects. More info: https://kubernetes.io/docs/concepts/configuration/secret² +arrayº+ +) +'#/definitions/io.k8s.api.core.v1.Secret +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +Ï +metadata +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"‚Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kindsúR +x-kubernetes-group-version-kind/-- group: "" + kind: SecretList + version: v1 + + +#io.k8s.api.node.v1.RuntimeClassListè"3RuntimeClassList is a list of RuntimeClass objects.šitems² +objectʸ +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +k +itemsb""Items is a list of schema objects.² +arrayº1 +/ +-#/definitions/io.k8s.api.node.v1.RuntimeClass +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +Ë +metadata¾ +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadataúa +x-kubernetes-group-version-kind><- group: node.k8s.io + kind: RuntimeClassList + version: v1 + +Ÿ +3io.k8s.api.autoscaling.v2beta1.ExternalMetricStatusç"nExternalMetricStatus indicates the current value of a global metric not associated with any Kubernetes object.š +metricNameš currentValue² +objectÊÌ +Ž + currentValue~ +;#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"?currentValue is the current value of the metric (as a quantity) +d + +metricNameV"ImetricName is the name of a metric used for autoscaling in metric system.² +string +§ +metricSelector” +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"PmetricSelector is used to identify a specific time series within a given metric. +¨ +currentAverageValue +;#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"QcurrentAverageValue is the current value of metric averaged over autoscaled pods. +ì ++io.k8s.api.autoscaling.v2beta2.MetricStatus¼">MetricStatus describes the last-read state of a single metric.štype² +objectÊæ +Ë +containerResourceµ +J#/definitions/io.k8s.api.autoscaling.v2beta2.ContainerResourceMetricStatus"æcontainer resource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing a single container in each pod in the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the "pods" source. +ô +externalç +A#/definitions/io.k8s.api.autoscaling.v2beta2.ExternalMetricStatus"¡external refers to a global metric that is not associated with any Kubernetes object. It allows autoscaling based on information coming from components running outside of cluster (for example length of queue in cloud messaging service, or QPS from loadbalancer running outside of cluster). + +object· +?#/definitions/io.k8s.api.autoscaling.v2beta2.ObjectMetricStatus"tobject refers to a metric describing a single kubernetes object (for example, hits-per-second on an Ingress object). +• +podsŒ +=#/definitions/io.k8s.api.autoscaling.v2beta2.PodsMetricStatus"Êpods refers to a metric describing each pod in the current scale target (for example, transactions-processed-per-second). The values will be averaged together before being compared to the target value. +™ +resourceŒ +A#/definitions/io.k8s.api.autoscaling.v2beta2.ResourceMetricStatus"Æresource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing each pod in the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the "pods" source. +¥ +typeœ"Žtype is the type of metric source. It will be one of "ContainerResource", "External", "Object", "Pods" or "Resource", each corresponds to a matching field in the object. Note: "ContainerResource" type is available on when the feature-gate HPAContainerMetrics is enabled² +string +î +#io.k8s.api.core.v1.FlexVolumeSourceÆ"hFlexVolume represents a generic volume resource that is provisioned/attached using an exec based plugin.šdriver² +objectÊÄ +Ä +fsType¹"«Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script.² +string +O +optionsD"'Optional: Extra command options if any.ª + ² +string² +object +‚ +readOnlyv"hOptional: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.² +boolean +Ó + secretRefÅ +5#/definitions/io.k8s.api.core.v1.LocalObjectReference"‹Optional: SecretRef is reference to the secret object containing sensitive information to pass to the plugin scripts. This may be empty if no secret object is specified. If the secret object contains more than one secret, all secrets are passed to the plugin scripts. +O +driverE"8Driver is the name of the driver to use for this volume.² +string +¥ +?io.k8s.api.flowcontrol.v1beta1.PriorityLevelConfigurationStatusá"VPriorityLevelConfigurationStatus represents the current state of a "request-priority".² +objectÊú +÷ + +conditionsè"8`conditions` is the current state of "request-priority".² +arrayºT +R +P#/definitions/io.k8s.api.flowcontrol.v1beta1.PriorityLevelConfigurationConditionú' +x-kubernetes-list-map-keys - type +ú +x-kubernetes-list-typemap + +Œ +%io.k8s.api.rbac.v1.ClusterRoleBindingâ +"ŸClusterRoleBinding references a ClusterRole, but not contain it. It can reference a ClusterRole in the global namespace, and adds who information via Subject.šroleRef² +objectʳ +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +h +metadata\ +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"Standard object's metadata. + +roleRef¶ +(#/definitions/io.k8s.api.rbac.v1.RoleRef"‰RoleRef can only reference a ClusterRole in the global namespace. If the RoleRef cannot be resolved, the Authorizer must return an error. +„ +subjectsx"=Subjects holds references to the objects the role applies to.² +arrayº, +* +(#/definitions/io.k8s.api.rbac.v1.Subjectúq +x-kubernetes-group-version-kindNL- group: rbac.authorization.k8s.io + kind: ClusterRoleBinding + version: v1 + +ý + +io.k8s.api.rbac.v1.PolicyRuleÛ +"¡PolicyRule holds information that describes a policy rule, but does not contain information about who the rule applies to or which namespace the rule applies to.šverbs² +objectÊ  +ó + apiGroupså"ÈAPIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed.² +arrayº + ² +string +¼ +nonResourceURLs¨"‹NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding. Rules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"), but not both.² +arrayº + ² +string +¨ + resourceNames–"zResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.² +arrayº + ² +string +† + resourcesy"]Resources is a list of resources this rule applies to. ResourceAll represents all resources.² +arrayº + ² +string +´ +verbsª"Verbs is a list of Verbs that apply to ALL the ResourceKinds and AttributeRestrictions contained in this rule. VerbAll represents all kinds.² +arrayº + ² +string +à +7io.k8s.api.authorization.v1beta1.SelfSubjectRulesReview¤"ˆSelfSubjectRulesReview enumerates the set of actions the current user can perform within a namespace. The returned list of actions may be incomplete depending on the server's authorization mode, and any errors experienced during the evaluation. SelfSubjectRulesReview should be used by UIs to show/hide actions, or to quickly let an end user reason about their permissions. It should NOT Be used by external systems to drive authorization decisions as this raises confused deputy, cache lifetime/revocation, and correctness concerns. SubjectAccessReview, and LocalAccessReview are the correct way to defer authorization decisions to the API server.šspec² +objectÊ‹ +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +K +metadata? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta + +spec† +I#/definitions/io.k8s.api.authorization.v1beta1.SelfSubjectRulesReviewSpec"9Spec holds information about the request being evaluated. +¬ +status¡ +G#/definitions/io.k8s.api.authorization.v1beta1.SubjectRulesReviewStatus"VStatus is filled in by the server and indicates the set of actions a user can perform.úu +x-kubernetes-group-version-kindRP- group: authorization.k8s.io + kind: SelfSubjectRulesReview + version: v1beta1 + + +io.k8s.api.autoscaling.v1.Scalež "2Scale represents a scaling request for a resource.² +objectÊ‚ + +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +Ñ +metadataÄ +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"‚Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata. +Ñ +specÈ +1#/definitions/io.k8s.api.autoscaling.v1.ScaleSpec"’defines the behavior of the scale. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status. +Ú +statusÏ +3#/definitions/io.k8s.api.autoscaling.v1.ScaleStatus"—current status of the scale. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status. Read-only. +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +stringúV +x-kubernetes-group-version-kind31- group: autoscaling + kind: Scale + version: v1 + +è +Iio.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.ServiceReferenceš";ServiceReference holds a reference to Service.legacy.k8s.ioš namespacešname² +objectÊ» +> +name6")name is the name of the service. Required² +string +M + namespace@"3namespace is the namespace of the service. Required² +string +Y +pathQ"Dpath is an optional URL path at which the webhook will be contacted.² +string +Î +portÅint32"¯port is an optional service port at which the webhook will be contacted. `port` should be a valid port number (1-65535, inclusive). Defaults to 443 for backward compatibility.² +integer +Ò +Cio.k8s.kube-aggregator.pkg.apis.apiregistration.v1.ServiceReferenceŠ";ServiceReference holds a reference to Service.legacy.k8s.io² +objectʾ +4 +name,"Name is the name of the service² +string +C + namespace6")Namespace is the namespace of the service² +string +À +port·int32"¡If specified, the port on the service that hosting webhook. Default to 443 for backward compatibility. `port` should be a valid port number (1-65535, inclusive).² +integer +¾ +-io.k8s.api.authentication.v1.TokenRequestSpecŒ "HTokenRequestSpec contains client provided parameters of a token request.š audiences² +objectʧ +• + audiences‡"êAudiences are the intendend audiences of the token. A recipient of a token must identitfy themself with an identifier in the list of audiences of the token, and otherwise should reject the token. A token issued for multiple audiences may be used to authenticate against any of the audiences listed but implies a high degree of trust between the target audiences.² +arrayº + ² +string +Ž +boundObjectRefû +?#/definitions/io.k8s.api.authentication.v1.BoundObjectReference"·BoundObjectRef is a reference to an object that the token will be bound to. The token will only be valid for as long as the bound object exists. NOTE: The API server's TokenReview endpoint will validate the BoundObjectRef, but other audiences may not. Keep ExpirationSeconds small if you want prompt revocation. +û +expirationSecondsåint64"ÏExpirationSeconds is the requested duration of validity of the request. The token issuer may return a token with a different validity duration so a client needs to check the 'expiration' field in a response.² +integer +æ +8io.k8s.api.networking.v1.IngressClassParametersReference©"}IngressClassParametersReference identifies an API object. This can be used to specify a cluster or namespace-scoped resource.škindšname² +objectÊ + + namespace´"¦Namespace is the namespace of the resource being referenced. This field is required when scope is set to "Namespace" and must be unset when scope is set to "Cluster".² +string +Þ +scopeÔ"ÆScope represents if this refers to a cluster or namespace scoped resource. This may be set to "Cluster" (default) or "Namespace". Field can be enabled with IngressClassNamespacedParams feature gate.² +string +Ú +apiGroupÍ"¿APIGroup is the group for the resource being referenced. If APIGroup is not specified, the specified Kind must be in the core API group. For any other third-party types, APIGroup is required.² +string +C +kind;".Kind is the type of resource being referenced.² +string +C +name;".Name is the name of resource being referenced.² +string + +io.k8s.api.core.v1.Probeä"€Probe describes a health check to be performed against a container to determine whether it is alive or ready to receive traffic.² +objectÊÒ +‘ +execˆ ++#/definitions/io.k8s.api.core.v1.ExecAction"YOne and only one of the following should be specified. Exec specifies the action to take. +§ +failureThreshold’int32"}Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1.² +integer +k +httpGet` +.#/definitions/io.k8s.api.core.v1.HTTPGetAction".HTTPGet specifies the http request to perform. +} + periodSecondslint32"WHow often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1.² +integer +â +timeoutSecondsÏint32"¹Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes² +integer +â +initialDelaySecondsÊint32"´Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes² +integer +Î +successThreshold¹int32"£Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1.² +integer +‘ + tcpSocketƒ +0#/definitions/io.k8s.api.core.v1.TCPSocketAction"OTCPSocket specifies an action involving a TCP port. TCP hooks not yet supported +ö +terminationGracePeriodSecondsÔint64"¾Optional duration in seconds the pod needs to terminate gracefully upon probe failure. The grace period is the duration in seconds after the processes running in the pod are sent a termination signal and the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for your process. If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this value overrides the value provided by the pod spec. Value must be non-negative integer. The value zero indicates stop immediately via the kill signal (no opportunity to shut down). This is an alpha field and requires enabling ProbeTerminationGracePeriod feature gate.² +integer +Ü +,io.k8s.api.storage.v1.VolumeAttachmentStatus«"CVolumeAttachmentStatus is the status of a VolumeAttachment request.šattached² +objectÊÌ +æ + attachErrorÖ +/#/definitions/io.k8s.api.storage.v1.VolumeError"¢The last error encountered during attach operation, if any. This field must only be set by the entity completing the attach operation, i.e. the external-attacher. +± +attached¤"•Indicates the volume is successfully attached. This field must only be set by the entity completing the attach operation, i.e. the external-attacher.² +boolean +à +attachmentMetadata¬"ŽUpon successful attach, this field is populated with any information returned by the attach operation that must be passed into subsequent WaitForAttach or Mount calls. This field must only be set by the entity completing the attach operation, i.e. the external-attacher.ª + ² +string² +object +æ + detachErrorÖ +/#/definitions/io.k8s.api.storage.v1.VolumeError"¢The last error encountered during detach operation, if any. This field must only be set by the entity completing the detach operation, i.e. the external-attacher. +‰ +'io.k8s.api.core.v1.HostPathVolumeSourceÝ"vRepresents a host path mapped into a pod. Host path volumes do not support ownership management or SELinux relabeling.špath² +objectÊÏ +Å +path¼"®Path of the directory on the host. If the path is a symlink, it will follow the link to the real path. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath² +string +„ +type|"oType for HostPath Volume Defaults to "" More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath² +string +Æ +$io.k8s.api.core.v1.ISCSIVolumeSource "’Represents an ISCSI disk. ISCSI volumes can only be mounted as read/write once. ISCSI volumes support ownership management and SELinux relabeling.š targetPortalšiqnšlun² +objectÊÞ +n +iscsiInterface\"OiSCSI Interface Name that uses an iSCSI transport. Defaults to 'default' (tcp).² +string +4 +lun-int32"iSCSI Target Lun number.² +integer + + secretRefr +5#/definitions/io.k8s.api.core.v1.LocalObjectReference"9CHAP Secret for iSCSI target and initiator authentication +0 +iqn)"Target iSCSI Qualified Name.² +string +³ +portals§"ŠiSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port is other than default (typically TCP ports 860 and 3260).² +arrayº + ² +string +k +readOnly_"QReadOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false.² +boolean +¤ + targetPortal“"…iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port is other than default (typically TCP ports 860 and 3260).² +string +V +chapAuthDiscoveryA"3whether support iSCSI Discovery CHAP authentication² +boolean +R +chapAuthSession?"1whether support iSCSI Session CHAP authentication² +boolean +µ +fsTypeª"œFilesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi² +string +Ô + initiatorNameÂ"´Custom iSCSI Initiator Name. If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface : will be created for the connection.² +string +– +'io.k8s.api.core.v1.PortworxVolumeSourceê";PortworxVolumeSource represents a Portworx volume resource.švolumeID² +objectÊ“ +Í +fsTypeÂ"´FSType represents the filesystem type to mount Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs". Implicitly inferred to be "ext4" if unspecified.² +string +x +readOnlyl"^Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.² +boolean +G +volumeID;".VolumeID uniquely identifies a Portworx volume² +string +¬ +@io.k8s.api.admissionregistration.v1.MutatingWebhookConfigurationç +"‚MutatingWebhookConfiguration describes the configuration of and admission webhook that accept or reject and may change the object.² +objectÊÒ +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +Ñ +metadataÄ +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"‚Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata. +þ +webhooksñ"IWebhooks is a list of webhooks and the affected resources and operations.² +arrayºE +C +A#/definitions/io.k8s.api.admissionregistration.v1.MutatingWebhookú' +x-kubernetes-patch-strategymerge +ú' +x-kubernetes-patch-merge-keyname + +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +stringú~ +x-kubernetes-group-version-kind[Y- group: admissionregistration.k8s.io + kind: MutatingWebhookConfiguration + version: v1 + +¼ +)io.k8s.api.coordination.v1beta1.LeaseSpecŽ"(LeaseSpec is a specification of a Lease.² +objectÊÕ +e +holderIdentityS"FholderIdentity contains the identity of the holder of a current lease.² +string +È +leaseDurationSeconds¯int32"™leaseDurationSeconds is a duration that candidates for a lease need to wait to force acquire it. This is measure against time of last observed RenewTime.² +integer +r +leaseTransitions^int32"IleaseTransitions is the number of transitions of a lease between holders.² +integer +  + renewTime’ +<#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.MicroTime"RrenewTime is a time when the current holder of a lease has last updated the lease. +‰ + acquireTimez +<#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.MicroTime":acquireTime is a time when the current lease was acquired. +¸ +,io.k8s.api.apps.v1.StatefulSetUpdateStrategy‡"ÏStatefulSetUpdateStrategy indicates the strategy that the StatefulSet controller will use to perform updates. It includes any additional parameters necessary to perform the update for the indicated strategy.² +objectʦ +¹ + rollingUpdate§ +A#/definitions/io.k8s.api.apps.v1.RollingUpdateStatefulSetStrategy"bRollingUpdate is used to communicate parameters when Type is RollingUpdateStatefulSetStrategyType. +h +type`"SType indicates the type of the StatefulSetUpdateStrategy. Default is RollingUpdate.² +string +² +=io.k8s.api.certificates.v1beta1.CertificateSigningRequestSpecð"¾This information is immutable after the request is created. Only the Request and Usages fields can be set on creation, other fields are derived by Kubernetes and cannot be modified by users.šrequest² +objectÊ– +¤ +usages™"ÖallowedUsages specifies a set of usage contexts the key will be valid for. See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3 + https://tools.ietf.org/html/rfc5280#section-4.2.1.12 +Valid values are: + "signing", + "digital signature", + "content commitment", + "key encipherment", + "key agreement", + "data encipherment", + "cert sign", + "crl sign", + "encipher only", + "decipher only", + "any", + "server auth", + "client auth", + "code signing", + "email protection", + "s/mime", + "ipsec end system", + "ipsec tunnel", + "ipsec user", + "timestamping", + "ocsp signing", + "microsoft sgc", + "netscape sgc"² +arrayº + ² +stringú# +x-kubernetes-list-type atomic + +d +usernameX"KInformation about the requesting user. See user.Info interface for details.² +string +† +extra}"QExtra information about the requesting user. See user.Info interface for details.ª +² +arrayº + ² +string² +object +ž +groups“"QGroup information about the requesting user. See user.Info interface for details.² +arrayº + ² +stringú# +x-kubernetes-list-type atomic + +c +requestXbyte"Base64-encoded PKCS#10 CSR data² +stringú# +x-kubernetes-list-type atomic + +’ + +signerNameƒ"õRequested signer for the request. It is a qualified name in the form: `scope-hostname.io/name`. If empty, it will be defaulted: + 1. If it's a kubelet client certificate, it is assigned + "kubernetes.io/kube-apiserver-client-kubelet". + 2. If it's a kubelet serving certificate, it is assigned + "kubernetes.io/kubelet-serving". + 3. Otherwise, it is assigned "kubernetes.io/legacy-unknown". +Distribution of trust for signers happens out of band. You can select on this field using `spec.signerName`.² +string +c +uid\"OUID information about the requesting user. See user.Info interface for details.² +string +õ +#io.k8s.api.core.v1.VolumeProjectionÍ"HProjection that may be projected along with other supported volume types² +objectÊô +’ +serviceAccountToken{ +>#/definitions/io.k8s.api.core.v1.ServiceAccountTokenProjection"9information about the serviceAccountToken data to project +t + configMapg +4#/definitions/io.k8s.api.core.v1.ConfigMapProjection"/information about the configMap data to project +z + downwardAPIk +6#/definitions/io.k8s.api.core.v1.DownwardAPIProjection"1information about the downwardAPI data to project +k +secreta +1#/definitions/io.k8s.api.core.v1.SecretProjection",information about the secret data to project +¹ +Eio.k8s.api.admissionregistration.v1beta1.MutatingWebhookConfigurationï "ÿMutatingWebhookConfiguration describes the configuration of and admission webhook that accept or reject and may change the object. Deprecated in v1.16, planned for removal in v1.19. Use admissionregistration.k8s.io/v1 MutatingWebhookConfiguration instead.² +objectÊ× +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +Ñ +metadataÄ +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"‚Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata. +ƒ +webhooksö"IWebhooks is a list of webhooks and the affected resources and operations.² +arrayºJ +H +F#/definitions/io.k8s.api.admissionregistration.v1beta1.MutatingWebhookú' +x-kubernetes-patch-merge-keyname +ú' +x-kubernetes-patch-strategymerge +úƒ +x-kubernetes-group-version-kind`^- group: admissionregistration.k8s.io + kind: MutatingWebhookConfiguration + version: v1beta1 + +È +Gio.k8s.api.admissionregistration.v1beta1.ValidatingWebhookConfigurationü "ˆValidatingWebhookConfiguration describes the configuration of and admission webhook that accept or reject and object without changing it. Deprecated in v1.16, planned for removal in v1.19. Use admissionregistration.k8s.io/v1 ValidatingWebhookConfiguration instead.² +objectÊÙ +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +Ñ +metadataÄ +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"‚Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata. +… +webhooksø"IWebhooks is a list of webhooks and the affected resources and operations.² +arrayºL +J +H#/definitions/io.k8s.api.admissionregistration.v1beta1.ValidatingWebhookú' +x-kubernetes-patch-strategymerge +ú' +x-kubernetes-patch-merge-keyname +ú… +x-kubernetes-group-version-kindb`- version: v1beta1 + group: admissionregistration.k8s.io + kind: ValidatingWebhookConfiguration + +© ++io.k8s.api.storage.v1beta1.StorageClassListù"4StorageClassList is a collection of storage classes.šitems² +objectÊÀ +Ê +metadata½ +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"~Standard list metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +t +itemsk"#Items is the list of StorageClasses² +arrayº9 +7 +5#/definitions/io.k8s.api.storage.v1beta1.StorageClass +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +stringúi +x-kubernetes-group-version-kindFD- group: storage.k8s.io + kind: StorageClassList + version: v1beta1 + +´ + +Bio.k8s.kube-aggregator.pkg.apis.apiregistration.v1beta1.APIServiceí "[APIService represents a server for a particular GroupVersion. Name must be "version.group".² +objectÊ“ +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +K +metadata? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta +§ +specž +T#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1beta1.APIServiceSpec"FSpec contains information for locating and communicating with a server +œ +status‘ +V#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1beta1.APIServiceStatus"7Status contains derived information about an API serverúk +x-kubernetes-group-version-kindHF- group: apiregistration.k8s.io + kind: APIService + version: v1beta1 + +± +3io.k8s.api.autoscaling.v2beta2.ExternalMetricSourceù"ÐExternalMetricSource indicates how to scale on a metric not associated with any Kubernetes object (for example length of queue in cloud messaging service, or QPS from loadbalancer running outside of cluster).šmetricštarget² +objectÊ… +ƒ +metricy +=#/definitions/io.k8s.api.autoscaling.v2beta2.MetricIdentifier"8metric identifies the target metric by name and selector +} +targets +9#/definitions/io.k8s.api.autoscaling.v2beta2.MetricTarget"6target specifies the target value for the given metric +Ž + +*io.k8s.api.networking.v1.NetworkPolicyPeerß "lNetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of fields are allowed² +objectÊâ +« +ipBlockŸ +.#/definitions/io.k8s.api.networking.v1.IPBlock"mIPBlock defines policy on a particular IPBlock. If this field is set then neither of the other fields can be. +Ú +namespaceSelectorÄ +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"ÿSelects Namespaces using cluster-scoped labels. This field follows standard label selector semantics; if present but empty, it selects all namespaces. + +If PodSelector is also set, then the NetworkPolicyPeer as a whole selects the Pods matching PodSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects all Pods in the Namespaces selected by NamespaceSelector. +Ô + podSelectorÄ +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"ÿThis is a label selector which selects Pods. This field follows standard label selector semantics; if present but empty, it selects all pods. + +If NamespaceSelector is also set, then the NetworkPolicyPeer as a whole selects the Pods matching PodSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects the Pods matching PodSelector in the policy's own Namespace. +è +(io.k8s.api.core.v1.EphemeralVolumeSource» "JRepresents an ephemeral volume that is handled by a normal storage driver.² +objectÊà +Ý +volumeClaimTemplateÅ +>#/definitions/io.k8s.api.core.v1.PersistentVolumeClaimTemplate"‚Will be used to create a stand-alone PVC to provision the volume. The pod in which this EphemeralVolumeSource is embedded will be the owner of the PVC, i.e. the PVC will be deleted together with the pod. The name of the PVC will be `-` where `` is the name from the `PodSpec.Volumes` array entry. Pod validation will reject the pod if the concatenated name is not valid for a PVC (for example, too long). + +An existing PVC with that name that is not owned by the pod will *not* be used for the pod to avoid using an unrelated volume by mistake. Starting the pod is then blocked until the unrelated PVC is removed. If such a pre-created PVC is meant to be used by the pod, the PVC has to updated with an owner reference to the pod once the pod exists. Normally this should not be necessary, but it may be useful when manually reconstructing a broken cluster. + +This field is read-only and no changes will be made by Kubernetes to the PVC after it has been created. + +Required, must not be nil. +ö +io.k8s.api.core.v1.LifecycleÕ "ªLifecycle describes actions that the management system should take in response to container lifecycle events. For the PostStart and PreStop lifecycle handlers, management of the container blocks until the action is complete, unless the container process fails, in which case the handler is aborted.² +objectÊ™ + + postStartó +(#/definitions/io.k8s.api.core.v1.Handler"ÆPostStart is called immediately after a container is created. If the handler fails, the container is terminated and restarted according to its restart policy. Other management of the container blocks until the hook completes. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks +’ +preStop† +(#/definitions/io.k8s.api.core.v1.Handler"ÙPreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. The reason for termination is passed to the handler. The Pod's termination grace period countdown begins before the PreStop hooked is executed. Regardless of the outcome of the handler, the container will eventually terminate within the Pod's termination grace period. Other management of the container blocks until the hook completes or until the termination grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks +Ü +*io.k8s.api.policy.v1beta1.AllowedCSIDriver­"RAllowedCSIDriver represents a single inline CSI Driver that is allowed to be used.šname² +objectÊD +B +name:"-Name is the registered name of the CSI driver² +string +Š +*io.k8s.api.storage.v1.VolumeAttachmentSpecÛ"HVolumeAttachmentSpec is the specification of a VolumeAttachment request.šattacheršsourcešnodeName² +objectÊã +— +attacherŠ"}Attacher indicates the name of the volume driver that MUST handle this request. This is the name returned by GetPluginName().² +string +H +nodeName<"/The node that the volume should be attached to.² +string +} +sources +:#/definitions/io.k8s.api.storage.v1.VolumeAttachmentSource"5Source represents the volume that should be attached. +º +Bio.k8s.api.admissionregistration.v1.ValidatingWebhookConfigurationó +"‰ValidatingWebhookConfiguration describes the configuration of and admission webhook that accept or reject and object without changing it.² +objectÊÔ +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +Ñ +metadataÄ +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"‚Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata. +€ +webhooksó"IWebhooks is a list of webhooks and the affected resources and operations.² +arrayºG +E +C#/definitions/io.k8s.api.admissionregistration.v1.ValidatingWebhookú' +x-kubernetes-patch-merge-keyname +ú' +x-kubernetes-patch-strategymerge +ú€ +x-kubernetes-group-version-kind][- group: admissionregistration.k8s.io + kind: ValidatingWebhookConfiguration + version: v1 + +Ø +3io.k8s.api.autoscaling.v2beta1.ResourceMetricStatus  "ÝResourceMetricStatus indicates the current value of a resource metric known to Kubernetes, as specified in requests and limits, describing each pod in the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the "pods" source.šnamešcurrentAverageValue² +objectÊ” +× +currentAverageUtilization¹int32"£currentAverageUtilization is the current value of the average of the resource metric across all relevant pods, represented as a percentage of the requested value of the resource for the pods. It will only be present if `targetAverageValue` was set in the corresponding metric specification.² +integer +ó +currentAverageValueÛ +;#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"›currentAverageValue is the current value of the average of the resource metric across all relevant pods, as a raw value (instead of as a percentage of the request), similar to the "pods" metric source type. It will always be set, regardless of the corresponding metric specification. +B +name:"-name is the name of the resource in question.² +string +‘ +%io.k8s.api.core.v1.VolumeNodeAffinityç"^VolumeNodeAffinity defines constraints that limit what nodes this volume can be accessed from.² +objectÊy +w +requiredk +-#/definitions/io.k8s.api.core.v1.NodeSelector":Required specifies hard node constraints that must be met. +µ + io.k8s.api.node.v1beta1.Overhead"ROverhead structure represents the resource overhead associated with running a pod.² +objectÊ­ +ª +podFixed"NPodFixed represents the fixed resource overhead associated with running a pod.ª? += +;#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity² +object +˜ +$io.k8s.api.apps.v1.StatefulSetStatusï "@StatefulSetStatus represents the current state of a StatefulSet.šreplicas² +objectÊ“ +ù + +conditionsê"NRepresents the latest available observations of a statefulset's current state.² +arrayº9 +7 +5#/definitions/io.k8s.api.apps.v1.StatefulSetConditionú' +x-kubernetes-patch-merge-keytype +ú' +x-kubernetes-patch-strategymerge + +¤ +currentRevision"‚currentRevision, if not empty, indicates the version of the StatefulSet used to generate Pods in the sequence [0,currentReplicas).² +string +¯ +updatedReplicas›int32"…updatedReplicas is the number of Pods created by the StatefulSet controller from the StatefulSet version indicated by updateRevision.² +integer +f +replicasZint32"Ereplicas is the number of Pods created by the StatefulSet controller.² +integer +± +updateRevisionž"updateRevision, if not empty, indicates the version of the StatefulSet used to generate Pods in the sequence [replicas-updatedReplicas,replicas)² +string +þ +collisionCountëint32"ÕcollisionCount is the count of hash collisions for the StatefulSet. The StatefulSet controller uses this field as a collision avoidance mechanism when it needs to create the name for the newest ControllerRevision.² +integer +° +currentReplicasœint32"†currentReplicas is the number of Pods created by the StatefulSet controller from the StatefulSet version indicated by currentRevision.² +integer +Ü +observedGenerationÅint64"¯observedGeneration is the most recent generation observed for this StatefulSet. It corresponds to the StatefulSet's generation, which is updated on mutation by the API Server.² +integer +Œ + readyReplicas{int32"freadyReplicas is the number of Pods created by the StatefulSet controller that have a Ready Condition.² +integer +“ +;io.k8s.api.authorization.v1beta1.SelfSubjectRulesReviewSpecT² +objectÊF +D + namespace7"*Namespace to evaluate rules for. Required.² +string +„ +=io.k8s.api.flowcontrol.v1beta1.PriorityLevelConfigurationSpecÂ"OPriorityLevelConfigurationSpec specifies the configuration of a priority level.štype² +objectÊø +ì +limitedà +N#/definitions/io.k8s.api.flowcontrol.v1beta1.LimitedPriorityLevelConfiguration"`limited` specifies how requests are handled for a Limited priority level. This field must be non-empty if and only if `type` is `"Limited"`. +† +typeý"ï`type` indicates whether this priority level is subject to limitation on request execution. A value of `"Exempt"` means that requests of this priority level are not subject to a limit (and thus are never queued) and do not detract from the capacity made available to other priority levels. A value of `"Limited"` means that (a) requests of this priority level _are_ subject to limits and (b) some of the server's limited capacity is made available exclusively to this priority level. Required.² +stringú` +x-kubernetes-unionsIG- discriminator: type + fields-to-discriminateBy: + limited: Limited + +› +2io.k8s.api.policy.v1beta1.RunAsUserStrategyOptionsä"_RunAsUserStrategyOptions defines the strategy type and any options used to create the strategy.šrule² +objectÊí +ý +rangesò"¯ranges are the allowed ranges of uids that may be used. If you would like to force a single uid then supply a single range with the same start and end. Required for MustRunAs.² +arrayº3 +1 +/#/definitions/io.k8s.api.policy.v1beta1.IDRange +k +rulec"Vrule is the strategy that will dictate the allowable RunAsUser values that may be set.² +string +Ù +io.k8s.api.core.v1.HTTPHeader·">HTTPHeader describes a custom header to be used in HTTP probesšnamešvalue² +objectÊZ +* +name""The header field name² +string +, +value#"The header field value² +string +ð +&io.k8s.api.core.v1.NodeDaemonEndpointsÅ"FNodeDaemonEndpoints lists ports opened by daemons running on the Node.² +objectÊo +m +kubeletEndpointZ +/#/definitions/io.k8s.api.core.v1.DaemonEndpoint"'Endpoint on which Kubelet is listening. +˜ +!io.k8s.api.core.v1.AttachedVolumeò"4AttachedVolume describes a volume attached to a nodešnameš +devicePath² +objectÊ™ +e + +devicePathW"JDevicePath represents the device path where the volume should be available² +string +0 +name("Name of the attached volume² +string +Ö +(io.k8s.api.core.v1.DownwardAPIVolumeFile© "XDownwardAPIVolumeFile represents information to create the file containing the pod fieldšpath² +objectʹ +î +resourceFieldRefÙ +6#/definitions/io.k8s.api.core.v1.ResourceFieldSelector"žSelects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported. +¦ +fieldRef™ +4#/definitions/io.k8s.api.core.v1.ObjectFieldSelector"aRequired: Selects a field of the pod: only annotations, labels, name and namespace are supported. +» +mode²int32"œOptional: mode bits used to set permissions on this file, must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.² +integer +Þ +pathÕ"ÇRequired: Path is the relative path name of the file to be created. Must not be absolute or contain the '..' path. Must be utf-8 encoded. The first item of the relative path must not start with '..'² +string +¦ +!io.k8s.api.core.v1.ServiceAccount€"ºServiceAccount binds together: * a name, understood by users, and perhaps by peripheral systems, for an identity * a principal that can be authenticated and authorized * a set of secrets² +objectÊÛ +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +× +automountServiceAccountToken¶"§AutomountServiceAccountToken indicates whether pods running as this service account should have an API token automatically mounted. Can be overridden at the pod level.² +boolean +å +imagePullSecretsÐ"‡ImagePullSecrets is a list of references to secrets in the same namespace to use for pulling any images in pods that reference this ServiceAccount. ImagePullSecrets are distinct from Secrets because Secrets can be mounted in the pod, but ImagePullSecrets are only accessed by the kubelet. More info: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod² +arrayº9 +7 +5#/definitions/io.k8s.api.core.v1.LocalObjectReference +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +Ò +metadataÅ +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"ƒStandard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata +Ä +secrets¸" Secrets is the list of secrets allowed to be used by pods running using this ServiceAccount. More info: https://kubernetes.io/docs/concepts/configuration/secret² +arrayº4 +2 +0#/definitions/io.k8s.api.core.v1.ObjectReferenceú' +x-kubernetes-patch-strategymerge +ú' +x-kubernetes-patch-merge-keyname +úV +x-kubernetes-group-version-kind31- kind: ServiceAccount + version: v1 + group: "" + +® +"io.k8s.api.rbac.v1.ClusterRoleList‡"/ClusterRoleList is a collection of ClusterRolesšitems² +objectÊÎ +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +g +items^"Items is a list of ClusterRoles² +arrayº0 +. +,#/definitions/io.k8s.api.rbac.v1.ClusterRole +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +f +metadataZ +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"Standard object's metadata.ún +x-kubernetes-group-version-kindKI- version: v1 + group: rbac.authorization.k8s.io + kind: ClusterRoleList + +à +Zio.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceDefinitionListä"KCustomResourceDefinitionList is a list of CustomResourceDefinition objects.šitems² +objectÊ‚ +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +· +items­"6items list individual CustomResourceDefinition objects² +arrayºh +f +d#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceDefinition +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +I +metadata= +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMetaú{ +x-kubernetes-group-version-kindXV- group: apiextensions.k8s.io + kind: CustomResourceDefinitionList + version: v1beta1 + +§ +6io.k8s.api.admissionregistration.v1.RuleWithOperationsì "‚RuleWithOperations is a tuple of Operations and Resources. It is recommended to make sure that all the tuple expansions are valid.² +objectÊØ +¼ + apiVersions¬"APIVersions is the API versions the resources belong to. '*' is all versions. If '*' is present, the length of the slice must be one. Required.² +arrayº + ² +string +  + +operations‘"ôOperations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * for all of those operations and any future admission operations that are added. If '*' is present, the length of the slice must be one. Required.² +arrayº + ² +string +– + resourcesˆ"ëResources is a list of resources this rule applies to. + +For example: 'pods' means pods. 'pods/log' means the log subresource of pods. '*' means all resources, but not subresources. 'pods/*' means all subresources of pods. '*/scale' means all scale subresources. '*/*' means all resources and their subresources. + +If wildcard is present, the validation rule will ensure resources do not overlap with each other. + +Depending on the enclosing object, subresources might not be allowed. Required.² +arrayº + ² +string +£ +scope™"‹scope specifies the scope of this rule. Valid values are "Cluster", "Namespaced", and "*" "Cluster" means that only cluster-scoped resources will match this rule. Namespace API objects are cluster-scoped. "Namespaced" means that only namespaced resources will match this rule. "*" means that there are no scope restrictions. Subresources match the scope of their parent resource. Default is "*".² +string +´ + apiGroups¦"‰APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required.² +arrayº + ² +string +¼ +3io.k8s.api.apps.v1.RollingUpdateStatefulSetStrategy„"kRollingUpdateStatefulSetStrategy is used to communicate parameter for RollingUpdateStatefulSetStrategyType.² +objectʈ +… + partitionxint32"cPartition indicates the ordinal at which the StatefulSet should be partitioned. Default value is 0.² +integer +Ü +io.k8s.api.core.v1.ServiceList¹"%ServiceList holds a list of services.šitems² +objectÊ¥ +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +Ï +metadata +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"‚Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +T +itemsK"List of services² +arrayº, +* +(#/definitions/io.k8s.api.core.v1.ServiceúS +x-kubernetes-group-version-kind0.- kind: ServiceList + version: v1 + group: "" + +Î +"io.k8s.api.storage.v1beta1.CSINode§ "ÊDEPRECATED - This group version of CSINode is deprecated by storage/v1/CSINode. See the release notes for more information. CSINode holds information about all CSI drivers installed on a node. CSI drivers do not need to create the CSINode object directly. As long as they use the node-driver-registrar sidecar container, the kubelet will automatically populate the CSINode object for the CSI driver as part of kubelet plugin registration. CSINode has the same name as a node. If the object is missing, it means either there are no CSI Drivers available on the node, or the Kubelet version is low enough that it doesn't create this object. CSINode has an OwnerReference that points to the corresponding node object.šspec² +objectÊá +| +metadatap +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"/metadata.name must be the Kubernetes node name. +d +spec\ +4#/definitions/io.k8s.api.storage.v1beta1.CSINodeSpec"$spec is the specification of CSINode +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +stringú` +x-kubernetes-group-version-kind=;- group: storage.k8s.io + kind: CSINode + version: v1beta1 + +· +$io.k8s.api.coordination.v1.LeaseSpecŽ"(LeaseSpec is a specification of a Lease.² +objectÊÕ +‰ + acquireTimez +<#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.MicroTime":acquireTime is a time when the current lease was acquired. +e +holderIdentityS"FholderIdentity contains the identity of the holder of a current lease.² +string +È +leaseDurationSeconds¯int32"™leaseDurationSeconds is a duration that candidates for a lease need to wait to force acquire it. This is measure against time of last observed RenewTime.² +integer +r +leaseTransitions^int32"IleaseTransitions is the number of transitions of a lease between holders.² +integer +  + renewTime’ +<#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.MicroTime"RrenewTime is a time when the current holder of a lease has last updated the lease. +¦ +io.k8s.api.core.v1.HostAlias…"oHostAlias holds the mapping between IP and hostnames that will be injected as an entry in the pod's hosts file.² +objectÊ… +L + hostnames?"#Hostnames for the above IP address.² +arrayº + ² +string +5 +ip/""IP address of the host file entry.² +string +ƒ +3io.k8s.api.autoscaling.v2beta2.ResourceMetricStatusË"ÝResourceMetricStatus indicates the current value of a resource metric known to Kubernetes, as specified in requests and limits, describing each pod in the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the "pods" source.šnamešcurrent² +objectÊË +„ +currenty +>#/definitions/io.k8s.api.autoscaling.v2beta2.MetricValueStatus"7current contains the current value for the given metric +B +name:"-Name is the name of the resource in question.² +string +ð +(io.k8s.api.core.v1.ContainerStateRunningÃ"8ContainerStateRunning is a running state of a container.² +objectÊ{ +y + startedAtl +7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"1Time at which the container was last (re-)started +‚ ++io.k8s.api.networking.v1.ServiceBackendPortÒ"8ServiceBackendPort is the service port being referenced.² +objectʉ + +number„int32"oNumber is the numerical port number (e.g. 80) on the Service. This is a mutually exclusive setting with "Name".² +integer +u +namem"`Name is the name of the port on the Service. This is a mutually exclusive setting with "Number".² +string +Ë +,io.k8s.api.networking.v1beta1.IngressBackendš"DIngressBackend describes all endpoints for a given service and port.² +objectÊÅ +ø +resourceë +:#/definitions/io.k8s.api.core.v1.TypedLocalObjectReference"¬Resource is an ObjectRef to another Kubernetes resource in the namespace of the Ingress object. If resource is specified, serviceName and servicePort must not be specified. +I + serviceName:"-Specifies the name of the referenced service.² +string +} + servicePortn +=#/definitions/io.k8s.apimachinery.pkg.util.intstr.IntOrString"-Specifies the port of the referenced service. +´ +io.k8s.api.rbac.v1beta1.Subject"ÆSubject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names.škindšname² +objectʪ +à +apiGroup¶"¨APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects.² +string +à +kind×"ÉKind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error.² +string +9 +name1"$Name of the object being referenced.² +string +à + namespaceµ"§Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error.² +string +” +Aio.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIServiceSpecÎ"£APIServiceSpec contains information for locating and communicating with a server. Only https is supported, though you are able to disable certificate verification.šgroupPriorityMinimumšversionPriority² +objectÊð +ì +caBundleßbyte"¥CABundle is a PEM encoded CA bundle which will be used to validate an API server's serving certificate. If unspecified, system trust roots on the apiserver are used.² +stringú# +x-kubernetes-list-type atomic + +C +group:"-Group is the API group name this server hosts² +string +± +groupPriorityMinimum˜int32"‚GroupPriorityMininum is the priority this group should have at least. Higher priority means that the group is preferred by clients over lower priority ones. Note that other versions of this group might specify even higher GroupPriorityMininum values such that the whole group gets a higher priority. The primary sort is based on GroupPriorityMinimum, ordered highest number to lowest (20 before 10). The secondary sort is based on the alphabetical comparison of the name of the object. (v1.bar before v1.foo) We'd recommend something like: *.k8s.io (except extensions) at 18000 and PaaSes (OpenShift, Deis) are recommended to be in the 2000s² +integer +Í +insecureSkipTLSVerify³"¤InsecureSkipTLSVerify disables TLS certificate verification when communicating with this server. This is strongly discouraged. You should use the CABundle instead.² +boolean +ô +serviceè +Q#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.ServiceReference"’Service is a reference to the service for this API server. It must communicate on port 443. If the Service is nil, that means the handling for the API groupversion is handled locally on this server. The call will simply delegate to the normal handler chain to be fulfilled. +X +versionM"@Version is the API version this server hosts. For example, "v1"² +string +ä +versionPriorityÐint32"ºVersionPriority controls the ordering of this API version inside of its group. Must be greater than zero. The primary sort is based on VersionPriority, ordered highest to lowest (20 before 10). Since it's inside of a group, the number can be small, probably in the 10s. In case of equal version priorities, the version string will be used to compute the order inside a group. If the version string is "kube-like", it will sort above non "kube-like" version strings, which are ordered lexicographically. "Kube-like" versions start with a "v", then are followed by a number (the major version), then optionally the string "alpha" or "beta" and another number (the minor version). These are sorted first by GA > beta > alpha (where GA is a version with no suffix such as beta or alpha), and then by comparing major version, then minor version. An example sorted list of versions: v10, v2, v1, v11beta2, v10beta3, v3beta1, v12alpha1, v11alpha2, foo1, foo10.² +integer +ö + +name6")name is the name of the service. Required² +string +M + namespace@"3namespace is the namespace of the service. Required² +string +Y +pathQ"Dpath is an optional URL path at which the webhook will be contacted.² +string +Î +portÅint32"¯port is an optional service port at which the webhook will be contacted. `port` should be a valid port number (1-65535, inclusive). Defaults to 443 for backward compatibility.² +integer +Ñ + io.k8s.api.core.v1.ScopeSelector¬"nA scope selector represents the AND of the selectors represented by the scoped-resource selector requirements.² +objectÊ­ +ª +matchExpressions•"@A list of scope selector requirements by scope of the resources.² +arrayºF +D +B#/definitions/io.k8s.api.core.v1.ScopedResourceSelectorRequirement +Å +/io.k8s.api.storage.v1beta1.VolumeAttachmentList‘ "AVolumeAttachmentList is a collection of VolumeAttachment objects.šitems² +objectÊÇ +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +{ +itemsr"&Items is the list of VolumeAttachments² +arrayº= +; +9#/definitions/io.k8s.api.storage.v1beta1.VolumeAttachment +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +Ê +metadata½ +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"~Standard list metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadataúm +x-kubernetes-group-version-kindJH- group: storage.k8s.io + kind: VolumeAttachmentList + version: v1beta1 + +ð + +"1metricName is the name of the metric in question.² +string +÷ +selectorê +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"¥selector is the string-encoded form of a standard kubernetes label selector for the given metric When set in the ObjectMetricSource, it is passed as an additional parameter to the metrics server for more specific metrics scoping. When unset, just the metricName will be used to gather metrics. +€ +targetv +H#/definitions/io.k8s.api.autoscaling.v2beta1.CrossVersionObjectReference"*target is the described Kubernetes object. +€ +/io.k8s.api.autoscaling.v2beta2.PodsMetricStatusÌ"šPodsMetricStatus indicates the current value of a metric describing each pod in the current scale target (for example, transactions-processed-per-second).šmetricšcurrent² +objectÊ +„ +currenty +>#/definitions/io.k8s.api.autoscaling.v2beta2.MetricValueStatus"7current contains the current value for the given metric +ƒ +metricy +=#/definitions/io.k8s.api.autoscaling.v2beta2.MetricIdentifier"8metric identifies the target metric by name and selector +² +0io.k8s.api.core.v1.WindowsSecurityContextOptionsý"OWindowsSecurityContextOptions contain Windows-specific options and credentials.² +objectÊ +m +gmsaCredentialSpecNameS"FGMSACredentialSpecName is the name of the GMSA credential spec to use.² +string +¿ + runAsUserName­"ŸThe UserName in Windows to run the entrypoint of the container process. Defaults to the user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.² +string +é +gmsaCredentialSpecÒ"ÄGMSACredentialSpec is where the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the GMSA credential spec named by the GMSACredentialSpecName field.² +string +¢ +io.k8s.api.node.v1.Scheduling€"TScheduling specifies the scheduling constraints for nodes supporting a RuntimeClass.² +objectÊ› +ç + nodeSelectorÖ"¸nodeSelector lists labels that must be present on nodes that support this RuntimeClass. Pods using this RuntimeClass can only be scheduled to a node matched by this selector. The RuntimeClass nodeSelector is merged with a pod's existing nodeSelector. Any conflicts will cause the pod to be rejected in admission.ª + ² +string² +object +® + tolerationsž"¹tolerations are appended (excluding duplicates) to pods running with this RuntimeClass during admission, effectively unioning the set of nodes tolerated by the pod and the RuntimeClass.² +arrayº/ +- ++#/definitions/io.k8s.api.core.v1.Tolerationú# +x-kubernetes-list-type atomic + +‡ +3io.k8s.apimachinery.pkg.apis.meta.v1.OwnerReferenceÏ"ÇOwnerReference contains enough information to let you identify an owning object. An owning object must be in the same namespace as the dependent, or be cluster-scoped, so there is no namespace field.š +apiVersionškindšnamešuid² +objectÊÕ +l +named"WName of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#names² +string +i +uidb"UUID of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#uids² +string +7 + +apiVersion)"API version of the referent.² +string +Î +blockOwnerDeletion·"¨If true, AND if the owner has the "foregroundDeletion" finalizer, then the owner cannot be deleted from the key-value store until this reference is removed. Defaults to false. To set this field, a user needs "delete" permission of the owner, otherwise 422 (Unprocessable Entity) will be returned.² +boolean +V + +controllerH":If true, this reference points to the managing controller.² +boolean +— +kindŽ"€Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +« +&io.k8s.api.core.v1.ConfigMapProjection€ "åAdapts a ConfigMap into a projected volume. + +The contents of the target ConfigMap's Data field will be presented in a projected volume as files using the keys in the Data field as the file names, unless the items element is populated with specific mappings of keys to paths. Note that this is identical to a configmap volume source without the default mode.² +objectʉ +ª +items "âIf unspecified, each key-value pair in the Data field of the referenced ConfigMap will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the ConfigMap, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'.² +arrayº. +, +*#/definitions/io.k8s.api.core.v1.KeyToPath +„ +name|"oName of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names² +string +S +optionalG"9Specify whether the ConfigMap or its keys must be defined² +boolean +¨ +#io.k8s.api.core.v1.NodeConfigSource€"uNodeConfigSource specifies a source of node configuration. Exactly one subfield (excluding metadata) must be non-nil.² +objectÊ{ +y + configMapl +:#/definitions/io.k8s.api.core.v1.ConfigMapNodeConfigSource".ConfigMap is a reference to a Node's ConfigMap +æ ++io.k8s.api.autoscaling.v2beta2.MetricTarget¶"aMetricTarget defines the target value, average value, or average utilization of a specific metricštype² +objectʽ +€ +valuew +;#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"8value is the target value of the metric (as a quantity). +™ +averageUtilization‚int32"ìaverageUtilization is the target value of the average of the resource metric across all relevant pods, represented as a percentage of the requested value of the resource for the pods. Currently only valid for Resource metric source type² +integer +¶ + averageValue¥ +;#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"faverageValue is the target value of the average of the metric across all relevant pods (as a quantity) +c +type["Ntype represents whether the metric type is Utilization, Value, or AverageValue² +string +ï +-io.k8s.api.storage.v1beta1.CSIStorageCapacity½"ÞCSIStorageCapacity stores the result of one CSI GetCapacity call. For a given StorageClass, this describes the available capacity in a particular topology segment. This can be used when considering where to instantiate new PersistentVolumes. + +For example this can express things like: - StorageClass "standard" has "1234 GiB" available in "topology.kubernetes.io/zone=us-east1" - StorageClass "localssd" has "10 GiB" available in "kubernetes.io/hostname=knode-abc123" + +The following three cases all imply that no capacity is available for a certain combination: - no object exists with suitable topology and storage class name - such an object exists, but the capacity is unset - such an object exists, but the capacity is zero + +The producer of these objects can decide which approach is more suitable. + +They are consumed by the kube-scheduler if the CSIStorageCapacity beta feature gate is enabled there and a CSI driver opts into capacity-aware scheduling with CSIDriver.StorageCapacity.šstorageClassName² +objectÊÌ +Ç + nodeTopology¶ +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"ñNodeTopology defines which nodes have access to the storage for which capacity was reported. If not set, the storage is not accessible from any node in the cluster. If empty, the storage is accessible from all nodes. This field is immutable. +Ô +storageClassName¿"±The name of the StorageClass that the reported capacity applies to. It must meet the same requirements as the name of a StorageClass object (non-empty, DNS subdomain). If that object no longer exists, the CSIStorageCapacity object is obsolete and should be removed by its creator. This field is immutable.² +string +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +Ò +capacityÅ +;#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"…Capacity is the value reported by the CSI driver in its GetCapacityResponse for a GetCapacityRequest with topology and parameters that match the previous fields. + +The semantic is currently (CSI spec 1.2) defined as: The available capacity, in bytes, of the storage that can be used to provision volumes. If not set, that information is currently unavailable and treated like zero capacity. +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +¶ +maximumVolumeSize  +;#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"àMaximumVolumeSize is the value reported by the CSI driver in its GetCapacityResponse for a GetCapacityRequest with topology and parameters that match the previous fields. + +This is defined since CSI spec 1.4.0 as the largest size that may be used in a CreateVolumeRequest.capacity_range.required_bytes field to create a volume with the same parameters as those in GetCapacityRequest. The corresponding value in the Kubernetes API is ResourceRequirements.Requests in a volume claim. + +metadata +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"ÎStandard object's metadata. The name has no particular meaning. It must be be a DNS subdomain (dots allowed, 253 characters). To ensure that there are no conflicts with other CSI drivers on the cluster, the recommendation is to use csisc-, a generated name, or a reverse-domain name which ends with the unique CSI driver name. + +Objects are namespaced. + +More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadataúk +x-kubernetes-group-version-kindHF- group: storage.k8s.io + kind: CSIStorageCapacity + version: v1beta1 + +ì +!io.k8s.api.core.v1.SeccompProfileÆ"fSeccompProfile defines a pod/container's seccomp profile settings. Only one profile source may be set.štype² +objectÊÓ +¯ +localhostProfileš"ŒlocalhostProfile indicates a profile defined in a file on the node should be used. The profile must be preconfigured on the node to work. Must be a descending path, relative to the kubelet's configured seccomp profile location. Must only be set if type is "Localhost".² +string +ž +type•"‡type indicates which kind of seccomp profile will be applied. Valid options are: + +Localhost - a profile defined in a file on the node should be used. RuntimeDefault - the container runtime default profile should be used. Unconfined - no profile should be applied.² +stringúr +x-kubernetes-unions[Y- discriminator: type + fields-to-discriminateBy: + localhostProfile: LocalhostProfile + +è +%io.k8s.api.discovery.v1beta1.Endpoint¾"FEndpoint represents a single logical "backend" implementing a service.š addresses² +objectÊÛ +” +hintsŠ +8#/definitions/io.k8s.api.discovery.v1beta1.EndpointHints"Nhints contains information associated with how an endpoint should be consumed. +Î +hostnameÁ"³hostname of this endpoint. This field may be used by consumers of endpoints to distinguish endpoints from each other (e.g. in DNS names). Multiple endpoints which use the same hostname should be considered fungible (e.g. multiple A values in DNS). Must be lowercase and pass DNS Label (RFC 1123) validation.² +string +Ú +nodeNameÍ"¿nodeName represents the name of the Node hosting this endpoint. This can be used to determine endpoints local to a Node. This field can be enabled with the EndpointSliceNodeName feature gate.² +string + + targetRef‚ +0#/definitions/io.k8s.api.core.v1.ObjectReference"NtargetRef is a reference to a Kubernetes object that represents this endpoint. +ó +topologyæ"Ètopology contains arbitrary topology information associated with the endpoint. These key/value pairs must conform with the label format. https://kubernetes.io/docs/concepts/overview/working-with-objects/labels Topology may include a maximum of 16 key/value pairs. This includes, but is not limited to the following well known keys: * kubernetes.io/hostname: the value indicates the hostname of the node + where the endpoint is located. This should match the corresponding + node label. +* topology.kubernetes.io/zone: the value indicates the zone where the + endpoint is located. This should match the corresponding node label. +* topology.kubernetes.io/region: the value indicates the region where the + endpoint is located. This should match the corresponding node label. +This field is deprecated and will be removed in future api versions.ª + ² +string² +object +î + addressesà" addresses of this endpoint. The contents of this field are interpreted according to the corresponding EndpointSlice addressType field. Consumers must handle different types of addresses in the context of their own capabilities. This must contain at least one address but no more than 100.² +arrayº + ² +stringú +x-kubernetes-list-typeset + +™ + +conditionsŠ +=#/definitions/io.k8s.api.discovery.v1beta1.EndpointConditions"Iconditions contains information about the current status of the endpoint. +Ÿ +(io.k8s.api.node.v1beta1.RuntimeClassListò"3RuntimeClassList is a list of RuntimeClass objects.šitems² +objectʽ +p +itemsg""Items is a list of schema objects.² +arrayº6 +4 +2#/definitions/io.k8s.api.node.v1beta1.RuntimeClass +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +Ë +metadata¾ +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +stringúf +x-kubernetes-group-version-kindCA- group: node.k8s.io + kind: RuntimeClassList + version: v1beta1 + +» +,io.k8s.api.policy.v1.PodDisruptionBudgetListŠ "@PodDisruptionBudgetList is a collection of PodDisruptionBudgets.šitems² +objectÊË +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +Ð +metadataà +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"ƒStandard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +y +itemsp"'Items is a list of PodDisruptionBudgets² +arrayº: +8 +6#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetúc +x-kubernetes-group-version-kind@>- group: policy + kind: PodDisruptionBudgetList + version: v1 + +á +"io.k8s.api.storage.v1.TokenRequestº"": { + "token": , + "expirationTimestamp": , + }, + ... +} + +Note: Audience in each TokenRequest should be different and at most one token is empty string. To receive a new token after expiry, RequiresRepublish can be used to trigger NodePublishVolume periodically. + +This is a beta feature and only available when the CSIServiceAccountToken feature is enabled.² +arrayº9 +7 +5#/definitions/io.k8s.api.storage.v1beta1.TokenRequestú# +x-kubernetes-list-type atomic + +³ +volumeLifecycleModesš"ýVolumeLifecycleModes defines what kind of volumes this CSI volume driver supports. The default if the list is empty is "Persistent", which is the usage defined by the CSI specification and implemented in Kubernetes via the usual PV/PVC mechanism. The other mode is "Ephemeral". In this mode, volumes are defined inline inside the pod spec with CSIVolumeSource and their lifecycle is tied to the lifecycle of that pod. A driver has to be aware of this because it is only going to get a NodePublishVolume call for such a volume. For more information about implementing this mode, see https://kubernetes-csi.github.io/docs/ephemeral-local-volumes.html A driver can support one or more of these modes and more modes may be added in the future. + +This field is immutable.² +arrayº + ² +string +É +attachRequired¶"§attachRequired indicates this CSI volume driver requires an attach operation (because it implements the CSI ControllerPublishVolume() method), and that the Kubernetes attach detach controller should call the attach volume interface which checks the volumeattachment status and waits until the volume is attached before proceeding to mounting. The CSI external-attacher coordinates with CSI volume driver and updates the volumeattachment status when the attach operation is complete. If the CSIDriverRegistry feature gate is enabled and the value is specified to false, the attach operation will be skipped. Otherwise the attach operation will be called. + +This field is immutable.² +boolean +Û + fsGroupPolicyÉ"»Defines if the underlying volume supports changing ownership and permission of the volume before being mounted. Refer to the specific FSGroupPolicy values for additional details. This field is alpha-level, and is only honored by servers that enable the CSIVolumeFSGroupPolicy feature gate. + +This field is immutable.² +string +Î +'io.k8s.api.storage.v1beta1.StorageClass¢"ãStorageClass describes the parameters for a class of storage for which PersistentVolumes can be dynamically provisioned. + +StorageClasses are non-namespaced; the name of the storage class according to etcd is in ObjectMeta.Name.š provisioner² +objectÊ· +n +allowVolumeExpansionV"HAllowVolumeExpansion shows whether the storage class allow volume expand² +boolean +Š +allowedTopologiesô"«Restrict the node topologies where volumes can be dynamically provisioned. Each volume plugin defines its own supported topology specifications. An empty TopologySelectorTerm list means there is no topology restriction. This field is only honored by servers that enable the VolumeScheduling feature.² +arrayº9 +7 +5#/definitions/io.k8s.api.core.v1.TopologySelectorTerm +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +ì + mountOptionsÛ"¾Dynamically provisioned PersistentVolumes of this storage class are created with these mountOptions, e.g. ["ro", "soft"]. Not validated - mount of the PVs will simply fail if one is invalid.² +arrayº + ² +string +Ò +metadataÅ +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"ƒStandard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata +‘ + +parameters‚"eParameters holds the parameters for the provisioner that should create volumes of this storage class.ª + ² +string² +object +N + provisioner?"2Provisioner indicates the type of the provisioner.² +string +— + reclaimPolicy…"xDynamically provisioned PersistentVolumes of this storage class are created with this reclaimPolicy. Defaults to Delete.² +string +ø +volumeBindingModeâ"ÔVolumeBindingMode indicates how PersistentVolumeClaims should be provisioned and bound. When unset, VolumeBindingImmediate is used. This field is only honored by servers that enable the VolumeScheduling feature.² +stringúe +x-kubernetes-group-version-kindB@- group: storage.k8s.io + kind: StorageClass + version: v1beta1 + +¬ +Zio.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.JSONSchemaPropsOrStringArrayN"LJSONSchemaPropsOrStringArray represents a JSONSchemaProps or a string array. +ì +7io.k8s.api.admissionregistration.v1.WebhookClientConfig° "VWebhookClientConfig contains the information to make a TLS connection with the webhook² +objectÊÉ +Å +caBundle¸byte"¤`caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. If unspecified, system trust roots on the apiserver are used.² +string +‡ +serviceû +B#/definitions/io.k8s.api.admissionregistration.v1.ServiceReference"´`service` is a reference to the service for this webhook. Either `service` or `url` must be specified. + +If the webhook is running within the cluster, then you should use `service`. +ô +urlì"Þ`url` gives the location of the webhook, in standard URL form (`scheme://host:port/path`). Exactly one of `url` or `service` must be specified. + +The `host` should not refer to a service running in the cluster; use the `service` field instead. The host might be resolved via external DNS in some apiservers (e.g., `kube-apiserver` cannot resolve in-cluster DNS as that would be a layering violation). `host` may also be an IP address. + +Please note that using `localhost` or `127.0.0.1` as a `host` is risky unless you take great care to run this webhook on all hosts which run an apiserver which might need to make calls to this webhook. Such installs are likely to be non-portable, i.e., not easy to turn up in a new cluster. + +The scheme must be "https"; the URL must begin with "https://". + +A path is optional, and if present may be any string permissible in a URL. You may use the path to pass an arbitrary string to the webhook, for example, a cluster identifier. + +Attempting to use a user or basic auth e.g. "user:password@" is not allowed. Fragments ("#...") and query parameters ("?...") are not allowed, either.² +string +„ ++io.k8s.api.authorization.v1.NonResourceRuleÔ"LNonResourceRule holds information that describes a rule for the non-resourcešverbs² +objectÊï +Ë +nonResourceURLs·"šNonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path. "*" means all.² +arrayº + ² +string +ž +verbs”"xVerb is a list of kubernetes non-resource API verbs, like: get, post, put, delete, patch, head, options. "*" means all.² +arrayº + ² +string +¡ + io.k8s.api.core.v1.EnvFromSourceü":EnvFromSource represents the source of a set of ConfigMaps² +objectʱ +c + configMapRefS +3#/definitions/io.k8s.api.core.v1.ConfigMapEnvSource"The ConfigMap to select from +n +prefixd"WAn optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER.² +string +Z + secretRefM +0#/definitions/io.k8s.api.core.v1.SecretEnvSource"The Secret to select from +› +io.k8s.api.core.v1.ExecActionù"1ExecAction describes a "run in container" action.² +objectÊ· +´ +command¨"‹Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy.² +arrayº + ² +string +ù +io.k8s.api.core.v1.LimitRange× "OLimitRange sets resource usage limits for each kind of resource in a Namespace.² +objectÊ¢ +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +Ò +metadataÅ +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"ƒStandard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata +Í +specÄ +/#/definitions/io.k8s.api.core.v1.LimitRangeSpec"Spec defines the limits enforced. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-statusúR +x-kubernetes-group-version-kind/-- group: "" + kind: LimitRange + version: v1 + +É +.io.k8s.api.networking.v1beta1.IngressClassList–"3IngressClassList is a collection of IngressClasses.šitems² +objectÊÛ +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +x +itemso"$Items is the list of IngressClasses.² +arrayº< +: +8#/definitions/io.k8s.api.networking.v1beta1.IngressClass +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +b +metadataV +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"Standard list metadata.úl +x-kubernetes-group-version-kindIG- group: networking.k8s.io + kind: IngressClassList + version: v1beta1 + +ˆ +-io.k8s.apimachinery.pkg.apis.meta.v1.APIGroupÖ"YAPIGroup contains the name, the supported versions, and the preferred version of a group.šnamešversions² +objectʇ +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +3 +name+"name is the name of the group.² +string +Ç +preferredVersion² +K#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.GroupVersionForDiscovery"cpreferredVersion is the version preferred by the API server, which probably is the storage version. +è +serverAddressByClientCIDRsÉ"éa map of client CIDR to server address that is serving this group. This is to help clients reach servers in the most network-efficient way possible. Clients can use the appropriate server address as per the CIDR that they match. In case of multiple matches, clients should use the longest matching CIDR. The server returns only those CIDRs that it thinks that the client can match. For example: the master will return an internal IP CIDR only, if the client reaches the server using an internal IP. Server looks at X-Forwarded-For header or X-Real-Ip header or request.RemoteAddr (in that order) to get the client IP.² +arrayºP +N +L#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ServerAddressByClientCIDR + +versions"2versions are the versions supported in this group.² +arrayºO +M +K#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.GroupVersionForDiscoveryúP +x-kubernetes-group-version-kind-+- group: "" + kind: APIGroup + version: v1 + +Ø +$io.k8s.apimachinery.pkg.version.Info¯"TInfo contains versioning information. how we'll want to distribute that information.šmajoršminorš +gitVersionš gitCommitš gitTreeStateš buildDateš goVersionšcompileršplatform² +objectÊä + + buildDate ² +string + + gitCommit ² +string + + gitTreeState ² +string + + +gitVersion ² +string + +major ² +string + +compiler ² +string + + goVersion ² +string + +minor ² +string + +platform ² +string +È +&io.k8s.api.apps.v1.DeploymentCondition"KDeploymentCondition describes the state of a deployment at a certain point.štypešstatus² +objectʱ +Y +messageN"AA human readable message indicating details about the transition.² +string +F +reason<"/The reason for the condition's last transition.² +string +L +statusB"5Status of the condition, one of True, False, Unknown.² +string +2 +type*"Type of deployment condition.² +string +‘ +lastTransitionTime{ +7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"@Last time the condition transitioned from one status to another. +v +lastUpdateTimed +7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time")The last time this condition was updated. +Õ& +io.k8s.api.batch.v1.JobSpecµ&"7JobSpec describes how the job execution will look like.štemplate² +objectÊâ% +Û +templateÎ +0#/definitions/io.k8s.api.core.v1.PodTemplateSpec"™Describes the pod that will be created when executing a job. More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/ +ó +ttlSecondsAfterFinished×int32"ÁttlSecondsAfterFinished limits the lifetime of a Job that has finished execution (either Complete or Failed). If this field is set, ttlSecondsAfterFinished after the Job finishes, it is eligible to be automatically deleted. When the Job is being deleted, its lifecycle guarantees (e.g. finalizers) will be honored. If this field is unset, the Job won't be automatically deleted. If this field is set to zero, the Job becomes eligible to be deleted immediately after it finishes. This field is alpha-level and is only honored by servers that enable the TTLAfterFinished feature.² +integer +¿ +completionMode¬"žCompletionMode specifies how Pod completions are tracked. It can be `NonIndexed` (default) or `Indexed`. + +`NonIndexed` means that the Job is considered complete when there have been .spec.completions successfully completed Pods. Each Pod completion is homologous to each other. + +`Indexed` means that the Pods of a Job get an associated completion index from 0 to (.spec.completions - 1), available in the annotation batch.kubernetes.io/job-completion-index. The Job is considered complete when there is one successfully completed Pod for each index. When value is `Indexed`, .spec.completions must be specified and `.spec.parallelism` must be less than or equal to 10^5. + +This field is alpha-level and is only honored by servers that enable the IndexedJob feature gate. More completion modes can be added in the future. If the Job controller observes a mode that it doesn't recognize, the controller skips updates for the Job.² +string +Ð + completionsÀint32"ªSpecifies the desired number of successfully finished pods the job should be run with. Setting to nil means that the success of any pod signals the success of all pods, and allows parallelism to have any positive value. Setting to 1 means that parallelism is limited to 1 and the success of that pod signals the success of the job. More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/² +integer +¹ +manualSelector¦"—manualSelector controls generation of pod labels and pod selectors. Leave `manualSelector` unset unless you are certain what you are doing. When false or unset, the system pick labels unique to this job and appends those labels to the pod template. When true, the user is responsible for picking unique labels and specifying the selector. Failure to pick a unique label may cause this and other jobs to not function correctly. However, You may see `manualSelector=true` in jobs that were created with the old `extensions/v1beta1` API. More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/#specifying-your-own-pod-selector² +boolean +¦ + parallelism–int32"€Specifies the maximum desired number of pods the job should run at any given time. The actual number of pods running in steady state will be less than this number when ((.spec.completions - .status.successful) < .spec.parallelism), i.e. when the work left to do is less than max parallelism. More info: https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/² +integer + +selector +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"ËA label query over pods that should match the pod count. Normally, the system sets this field for you. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors +” +suspendˆ"ùSuspend specifies whether the Job controller should create Pods or not. If a Job is created with suspend set to true, no Pods are created by the Job controller. If a Job is suspended after creation (i.e. the flag goes from false to true), the Job controller will delete all active Pods associated with this Job. Users must design their workload to gracefully handle this. Suspending a Job will reset the StartTime field of the Job, effectively resetting the ActiveDeadlineSeconds timer too. This is an alpha field and requires the SuspendJob feature gate to be enabled; otherwise this field may not be set to true. Defaults to false.² +boolean +æ +activeDeadlineSecondsÌint64"¶Specifies the duration in seconds relative to the startTime that the job may be continuously active before the system tries to terminate it; value must be positive integer. If a Job is suspended (at creation or through an update), this timer will effectively be stopped and reset when the Job is resumed again.² +integer +r + backoffLimitbint32"MSpecifies the number of retries before marking this job failed. Defaults to 6² +integer +’ +Xio.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionVersionµ"//...` if `served` is true.² +string +Þ +schemaÓ +_#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceValidation"pschema describes the schema used for validation, pruning, and defaulting of this version of the custom resource. +h +served^"Pserved is a flag enabling/disabling this version from being served via REST APIs² +boolean +ª +storagež"storage indicates this version should be used when persisting custom resources to storage. There must be exactly one version with storage=true.² +boolean +Î + subresources½ +a#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceSubresources"Xsubresources specify what subresources this version of the defined custom resource have. +¹ +Fio.k8s.kube-aggregator.pkg.apis.apiregistration.v1beta1.APIServiceListî"/APIServiceList is a list of APIService objects.šitems² +objectÊ´ +j +itemsa² +arrayºT +R +P#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1beta1.APIService +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +I +metadata= +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +stringúo +x-kubernetes-group-version-kindLJ- kind: APIServiceList + version: v1beta1 + group: apiregistration.k8s.io + + +/io.k8s.api.autoscaling.v2beta1.PodsMetricStatusÜ"šPodsMetricStatus indicates the current value of a metric describing each pod in the current scale target (for example, transactions-processed-per-second).š +metricNamešcurrentAverageValue² +objectÊ +Å +currentAverageValue­ +;#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"ncurrentAverageValue is the current value of the average of the metric across all relevant pods (as a quantity) +K + +metricName="0metricName is the name of the metric in question² +string +õ +selectorè +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"£selector is the string-encoded form of a standard kubernetes label selector for the given metric When set in the PodsMetricSource, it is passed as an additional parameter to the metrics server for more specific metrics scoping. When unset, just the metricName will be used to gather metrics. +ð +/io.k8s.api.flowcontrol.v1beta1.FlowSchemaStatus¼">FlowSchemaStatus represents the current state of a FlowSchema.² +objectÊí +ê + +conditionsÛ";`conditions` is a list of the current states of FlowSchema.² +arrayºD +B +@#/definitions/io.k8s.api.flowcontrol.v1beta1.FlowSchemaConditionú' +x-kubernetes-list-map-keys - type +ú +x-kubernetes-list-typemap + +¹ +%io.k8s.api.autoscaling.v1.ScaleStatus"AScaleStatus represents the current status of a scale subresource.šreplicas² +objectʲ +Z +replicasNint32"9actual number of observed instances of the scaled object.² +integer +Ó +selectorÆ"¸label query over pods that should match the replicas count. This is same as the label selector but in the string format to avoid introspection by clients. The string will be in the same format as the query-param syntax. More info about label selectors: http://kubernetes.io/docs/user-guide/labels#label-selectors² +string +à +)io.k8s.api.core.v1.PersistentVolumeStatus•"DPersistentVolumeStatus is the current status of a persistent volume.² +objectÊÀ +j +message_"RA human-readable message indicating details about why the volume is in this state.² +string +» +phase±"£Phase indicates if a volume is available, bound to a claim, or released by a claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#phase² +string +“ +reasonˆ"{Reason is a brief CamelCase string that describes any failure and is meant for machine parsing and tidy display in the CLI.² +string +¿ +'io.k8s.api.rbac.v1beta1.AggregationRule“"VAggregationRule describes how to locate ClusterRoles to aggregate into the ClusterRole² +objectʬ +© +clusterRoleSelectors"¼ClusterRoleSelectors holds a list of selectors which will be used to find ClusterRoles and create the rules. If any of the selectors match, then the ClusterRole's permissions will be added² +arrayºD +B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector +± +'io.k8s.api.rbac.v1beta1.ClusterRoleList… "¢ClusterRoleList is a collection of ClusterRoles. Deprecated in v1.17 in favor of rbac.authorization.k8s.io/v1 ClusterRoles, and will no longer be served in v1.22.šitems² +objectÊÓ +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +l +itemsc"Items is a list of ClusterRoles² +arrayº5 +3 +1#/definitions/io.k8s.api.rbac.v1beta1.ClusterRole +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +f +metadataZ +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"Standard object's metadata.ús +x-kubernetes-group-version-kindPN- group: rbac.authorization.k8s.io + kind: ClusterRoleList + version: v1beta1 + +˜ +io.k8s.api.apps.v1.DaemonSet÷ "7DaemonSet represents the configuration of a daemon set.² +objectÊÙ + +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +Ò +metadataÅ +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"ƒStandard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata +Ó +specÊ +.#/definitions/io.k8s.api.apps.v1.DaemonSetSpec"—The desired behavior of this daemon set. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status +® +status£ +0#/definitions/io.k8s.api.apps.v1.DaemonSetStatus"îThe current status of this daemon set. This data may be out of date by some window of time. Populated by the system. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +stringúS +x-kubernetes-group-version-kind0.- group: apps + kind: DaemonSet + version: v1 + +• +io.k8s.api.apps.v1.Deploymentó"@Deployment enables declarative updates for Pods and ReplicaSets.² +objectÊË +o +statuse +1#/definitions/io.k8s.api.apps.v1.DeploymentStatus"0Most recently observed status of the Deployment. +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +f +metadataZ +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"Standard object metadata. +s +speck +/#/definitions/io.k8s.api.apps.v1.DeploymentSpec"8Specification of the desired behavior of the Deployment.úT +x-kubernetes-group-version-kind1/- group: apps + kind: Deployment + version: v1 + +í[ +io.k8s.api.core.v1.PodSpecÎ[""PodSpec is a description of a pod.š +containers² +objectÊŽ[ +ÿ +ephemeralContainersç"ÌList of ephemeral containers run in this pod. Ephemeral containers may be run in an existing pod to perform user-initiated actions such as debugging. This list cannot be specified when creating a pod, and it cannot be modified by updating the pod spec. In order to add an ephemeral container to an existing pod, use the pod's ephemeralcontainers subresource. This field is alpha-level and is only honored by servers that enable the EphemeralContainers feature.² +arrayº7 +5 +3#/definitions/io.k8s.api.core.v1.EphemeralContainerú' +x-kubernetes-patch-merge-keyname +ú' +x-kubernetes-patch-strategymerge + +† +hostnamez"mSpecifies the hostname of the Pod If not specified, the pod's hostname will be set to a system-defined value.² +string +‰ +initContainersö"äList of initialization containers belonging to the pod. Init containers are executed in order prior to containers being started. If any init container fails, the pod is considered to have failed and is handled according to its restartPolicy. The name for an init container or normal container must be unique among all containers. Init containers may not have Lifecycle actions, Readiness probes, Liveness probes, or Startup probes. The resourceRequirements of an init container are taken into account during scheduling by finding the highest request/limit for each resource type, and then using the max of of that value or the sum of the normal containers. Limits are applied to init containers in a similar fashion. Init containers cannot currently be added or removed. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/² +arrayº. +, +*#/definitions/io.k8s.api.core.v1.Containerú' +x-kubernetes-patch-merge-keyname +ú' +x-kubernetes-patch-strategymerge + +û +setHostnameAsFQDNå"ÖIf true the pod's hostname will be configured as the pod's FQDN, rather than the leaf name (the default). In Linux containers, this means setting the FQDN in the hostname field of the kernel (the nodename field of struct utsname). In Windows containers, this means setting the registry value of hostname for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters to FQDN. If a pod does not have FQDN, this has no effect. Default to false.² +boolean +ö + dnsPolicyè"ÚSet DNS policy for the pod. Defaults to "ClusterFirst". Valid values are 'ClusterFirstWithHostNet', 'ClusterFirst', 'Default' or 'None'. DNS parameters given in DNSConfig will be merged with the policy selected with DNSPolicy. To have DNS options set along with hostNetwork, you have to specify DNS policy explicitly to 'ClusterFirstWithHostNet'.² +string +Û +enableServiceLinksÄ"µEnableServiceLinks indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links. Optional: Defaults to true.² +boolean +“ +serviceAccount€"sDeprecatedServiceAccount is a depreciated alias for ServiceAccountName. Deprecated: Use serviceAccountName instead.² +string +ý +terminationGracePeriodSecondsÛint64"ÅOptional duration in seconds the pod needs to terminate gracefully. May be decreased in delete request. Value must be non-negative integer. The value zero indicates stop immediately via the kill signal (no opportunity to shut down). If this value is nil, the default grace period will be used instead. The grace period is the duration in seconds after the processes running in the pod are sent a termination signal and the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for your process. Defaults to 30 seconds.² +integer +” +priorityClassNameþ"ðIf specified, indicates the pod's priority. "system-node-critical" and "system-cluster-critical" are two special keywords which indicate the highest priorities with the former being the highest priority. Any other name must be defined by creating a PriorityClass object with that name. If not specified, the pod priority will be default or zero if there is no default.² +string +ñ +runtimeClassNameÜ"ÎRuntimeClassName refers to a RuntimeClass object in the node.k8s.io group, which should be used to run this pod. If no RuntimeClass resource matches the named class, the pod will not be run. If unset or empty, the "legacy" RuntimeClass will be used, which is an implicit class with an empty definition that uses the default runtime handler. More info: https://git.k8s.io/enhancements/keps/sig-node/runtime-class.md This is a beta feature as of Kubernetes v1.14.² +string +g +affinity[ +)#/definitions/io.k8s.api.core.v1.Affinity".If specified, the pod's scheduling constraints +À + hostNetwork°"¡Host networking requested for this pod. Use the host's network namespace. If this option is set, the ports that will be used must be specified. Default to false.² +boolean +R +hostPIDG"9Use the host's pid namespace. Optional: Default to false.² +boolean +Ï +priorityÂint32"¬The priority value. Various system components use this field to find the priority of the pod. When Priority Admission Controller is enabled, it prevents users from setting this field. The admission controller populates this field from PriorityClassName. The higher the value, the higher the priority.² +integer +q + tolerationsb"$If specified, the pod's tolerations.² +arrayº/ +- ++#/definitions/io.k8s.api.core.v1.Toleration +» + hostAliases«"›HostAliases is an optional list of hosts and IPs that will be injected into the pod's hosts file if specified. This is only valid for non-hostNetwork pods.² +arrayº. +, +*#/definitions/io.k8s.api.core.v1.HostAliasú% +x-kubernetes-patch-merge-keyip +ú' +x-kubernetes-patch-strategymerge + +R +hostIPCG"9Use the host's ipc namespace. Optional: Default to false.² +boolean +× +imagePullSecretsÂ"¥ImagePullSecrets is an optional list of references to secrets in the same namespace to use for pulling any of the images used by this PodSpec. If specified, these secrets will be passed to individual puller implementations for them to use. For example, in the case of docker, only DockerConfig type secrets are honored. More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod² +arrayº9 +7 +5#/definitions/io.k8s.api.core.v1.LocalObjectReferenceú' +x-kubernetes-patch-strategymerge +ú' +x-kubernetes-patch-merge-keyname + +œ + nodeSelector‹"íNodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ª + ² +string² +object +„ +preemptionPolicyï"áPreemptionPolicy is the Policy for preempting pods with lower priority. One of Never, PreemptLowerPriority. Defaults to PreemptLowerPriority if unset. This field is beta-level, gated by the NonPreemptingPriority feature-gate.² +string +ô +shareProcessNamespaceÚ"ËShare a single process namespace between all of the containers in a pod. When this is set containers will be able to view and signal processes from other containers in the same pod, and the first process in each container will not be assigned PID 1. HostPID and ShareProcessNamespace cannot both be set. Optional: Default to false.² +boolean +þ +topologySpreadConstraintsà"ÐTopologySpreadConstraints describes how a group of pods ought to spread across topology domains. Scheduler will schedule pods in a way which abides by the constraints. All topologySpreadConstraints are ANDed.² +arrayº= +; +9#/definitions/io.k8s.api.core.v1.TopologySpreadConstraintúB +x-kubernetes-list-map-keys$"- topologyKey +- whenUnsatisfiable +ú +x-kubernetes-list-typemap +ú. +x-kubernetes-patch-merge-key topologyKey +ú' +x-kubernetes-patch-strategymerge + +• +automountServiceAccountTokenu"gAutomountServiceAccountToken indicates whether a service account token should be automatically mounted.² +boolean +Æ + dnsConfig¸ +-#/definitions/io.k8s.api.core.v1.PodDNSConfig"†Specifies the DNS parameters of a pod. Parameters specified here will be merged to the generated DNS configuration based on DNSPolicy. +Î + subdomainÀ"²If specified, the fully qualified Pod hostname will be "...svc.". If not specified, the pod will not have a domainname at all.² +string +á + restartPolicyÏ"ÁRestart policy for all containers within the pod. One of Always, OnFailure, Never. Default to Always. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy² +string +£ + schedulerName‘"ƒIf specified, the pod will be dispatched by specified scheduler. If not specified, the pod will be dispatched by default scheduler.² +string +ó +readinessGatesà"›If specified, all readiness gates will be evaluated for pod readiness. A pod is ready when all its containers are ready AND all conditions specified in the readiness gates have status equal to "True" More info: https://git.k8s.io/enhancements/keps/sig-network/0007-pod-ready%2B%2B.md² +arrayº5 +3 +1#/definitions/io.k8s.api.core.v1.PodReadinessGate +Ð +serviceAccountName¹"«ServiceAccountName is the name of the ServiceAccount to use to run this pod. More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/² +string +Ô +nodeNameÇ"¹NodeName is a request to schedule this pod onto a specific node. If it is non-empty, the scheduler simply schedules this pod onto that node, assuming that it fits resource requirements.² +string +ð +overheadã"“Overhead represents the resource overhead associated with running a pod for a given RuntimeClass. This field will be autopopulated at admission time by the RuntimeClass admission controller. If the RuntimeClass admission controller is enabled, overhead must not be set in Pod create requests. The RuntimeClass admission controller will reject Pod create requests which have the overhead already set. If RuntimeClass is configured and selected in the PodSpec, Overhead will be set to the value defined in the corresponding RuntimeClass, otherwise it will remain unset and treated as zero. More info: https://git.k8s.io/enhancements/keps/sig-node/20190226-pod-overhead.md This field is alpha-level as of Kubernetes v1.16, and is only honored by servers that enable the PodOverhead feature.ª? += +;#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity² +object +ó +securityContextß +3#/definitions/io.k8s.api.core.v1.PodSecurityContext"§SecurityContext holds pod-level security attributes and common container settings. Optional: Defaults to empty. See type description for default values of each field. +¬ +volumes "†List of volumes that can be mounted by containers belonging to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes² +arrayº+ +) +'#/definitions/io.k8s.api.core.v1.Volumeú' +x-kubernetes-patch-merge-keyname +ú2 +x-kubernetes-patch-strategymerge,retainKeys + +ü +activeDeadlineSecondsâint64"ÌOptional duration in seconds the pod may be active on the node relative to StartTime before the system will actively try to mark it failed and kill associated containers. Value must be a positive integer.² +integer +¼ + +containers­"›List of containers belonging to the pod. Containers cannot currently be added or removed. There must be at least one container in a Pod. Cannot be updated.² +arrayº. +, +*#/definitions/io.k8s.api.core.v1.Containerú' +x-kubernetes-patch-merge-keyname +ú' +x-kubernetes-patch-strategymerge + +º +)io.k8s.api.networking.v1.IngressClassListŒ"3IngressClassList is a collection of IngressClasses.šitems² +objectÊÖ +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +b +metadataV +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"Standard list metadata. +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +s +itemsj"$Items is the list of IngressClasses.² +arrayº7 +5 +3#/definitions/io.k8s.api.networking.v1.IngressClassúg +x-kubernetes-group-version-kindDB- group: networking.k8s.io + kind: IngressClassList + version: v1 + +î +"io.k8s.api.rbac.v1beta1.PolicyRuleÇ "¡PolicyRule holds information that describes a policy rule, but does not contain information about who the rule applies to or which namespace the rule applies to.šverbs² +objectÊŒ + +ó + apiGroupså"ÈAPIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed.² +arrayº + ² +string +¼ +nonResourceURLs¨"‹NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding. Rules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"), but not both.² +arrayº + ² +string +¨ + resourceNames–"zResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.² +arrayº + ² +string +ò + resourcesä"ÇResources is a list of resources this rule applies to. '*' represents all resources in the specified apiGroups. '*/foo' represents the subresource 'foo' for all resources in the specified apiGroups.² +arrayº + ² +string +´ +verbsª"Verbs is a list of Verbs that apply to ALL the ResourceKinds and AttributeRestrictions contained in this rule. VerbAll represents all kinds.² +arrayº + ² +string +Ï +!io.k8s.api.storage.v1.CSINodeSpec©"\CSINodeSpec holds information about the specification of all CSI drivers installed on a nodešdrivers² +objectʲ +¯ +drivers£"Šdrivers is a list of information of all CSI Drivers existing on a node. If all drivers in the list are uninstalled, this can become empty.² +arrayº5 +3 +1#/definitions/io.k8s.api.storage.v1.CSINodeDriverú' +x-kubernetes-patch-merge-keyname +ú' +x-kubernetes-patch-strategymerge + +í +Oio.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSONSchemaPropsOrArray™"–JSONSchemaPropsOrArray represents a value that can either be a JSONSchemaProps or an array of JSONSchemaProps. Mainly here for serialization purposes. +Æ +2io.k8s.api.core.v1.AzureFilePersistentVolumeSource"WAzureFile represents an Azure File Service mount on the host and bind mount to the pod.š +secretNameš shareName² +objectÊŽ +x +readOnlyl"^Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.² +boolean +^ + +secretNameP"Cthe name of secret that contains Azure Storage Account Name and Key² +string +‹ +secretNamespacex"kthe namespace of the secret that contains Azure Storage Account Name and Key default is the same as the Pod² +string +$ + shareName" +Share Name² +string +£ +io.k8s.api.core.v1.PodList„ "PodList is a list of Pods.šitems² +objectÊÿ +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +­ +items£"lList of pods. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md² +arrayº( +& +$#/definitions/io.k8s.api.core.v1.Pod +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +Ï +metadata +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"‚Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kindsúO +x-kubernetes-group-version-kind,*- group: "" + kind: PodList + version: v1 + +‚ +#io.k8s.api.events.v1beta1.EventListÚ"%EventList is a list of Event objects.šitems² +objectʸ +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +k +itemsb""items is a list of schema objects.² +arrayº1 +/ +-#/definitions/io.k8s.api.events.v1beta1.Event +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +Ë +metadata¾ +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadataúa +x-kubernetes-group-version-kind><- version: v1beta1 + group: events.k8s.io + kind: EventList + +à +@io.k8s.api.flowcontrol.v1beta1.LimitedPriorityLevelConfiguration› "èLimitedPriorityLevelConfiguration specifies how to handle requests that are subject to limits. It addresses two issues: + * How are requests for this priority level limited? + * What should be done with requests that exceed the limit?² +objectÊ¡ +ö +assuredConcurrencySharesÙint32"Ã`assuredConcurrencyShares` (ACS) configures the execution limit, which is a limit on the number of requests of this priority level that may be exeucting at a given time. ACS must be a positive number. The server's concurrency limit (SCL) is divided among the concurrency-controlled priority levels in proportion to their assured concurrency shares. This produces the assured concurrency value (ACV) --- the number of requests that may be executing at a time --- for each such priority level: + + ACV(l) = ceil( SCL * ACS(l) / ( sum[priority levels k] ACS(k) ) ) + +bigger numbers of ACS mean more reserved concurrent requests (at the expense of every other PL). This field has a default value of 30.² +integer +¥ + limitResponse“ +:#/definitions/io.k8s.api.flowcontrol.v1beta1.LimitResponse"U`limitResponse` indicates what to do with requests that can not be executed right now +´ +$io.k8s.api.networking.v1.IngressSpec‹";IngressSpec describes the Ingress the user wishes to exist.² +objectÊ¿ +ß +defaultBackendÌ +5#/definitions/io.k8s.api.networking.v1.IngressBackend"’DefaultBackend is the backend that should handle requests that don't match any rule. If Rules are not specified, DefaultBackend must be specified. If DefaultBackend is not set, the handling of requests that do not match any of the rules will be up to the Ingress controller. +´ +ingressClassNameŸ"‘IngressClassName is the name of the IngressClass cluster resource. The associated IngressClass defines which controller will implement the resource. This replaces the deprecated `kubernetes.io/ingress.class` annotation. For backwards compatibility, when that annotation is set, it must be given precedence over this field. The controller may emit a warning if the field and annotation have different values. Implementations of this API should ignore Ingresses without a class specified. An IngressClass resource may be marked as default, which can be used to set a default value for this field. For more information, refer to the IngressClass documentation.² +string +ù +rulesï"ƒA list of host rules used to configure the Ingress. If unspecified, or no rule matches, all traffic is sent to the default backend.² +arrayº6 +4 +2#/definitions/io.k8s.api.networking.v1.IngressRuleú# +x-kubernetes-list-type atomic + +§ +tlsŸ"´TLS configuration. Currently the Ingress only supports a single TLS port, 443. If multiple members of this list specify different hosts, they will be multiplexed on the same port according to the hostname specified through the SNI TLS extension, if the ingress controller fulfilling the ingress supports SNI.² +arrayº5 +3 +1#/definitions/io.k8s.api.networking.v1.IngressTLSú# +x-kubernetes-list-type atomic + +ƒ +(io.k8s.api.storage.v1beta1.CSINodeDriverÖ "]CSINodeDriver holds information about the specification of one CSI driver installed on a nodešnamešnodeID² +objectÊØ +¨ + allocatable˜ +<#/definitions/io.k8s.api.storage.v1beta1.VolumeNodeResources"Xallocatable represents the volume resources of a node that are available for scheduling. +ª +name¡"“This is the name of the CSI driver that this object refers to. This MUST be the same name returned by the CSI GetPluginName() call for that driver.² +string +¸ +nodeID­"ŸnodeID of the node from the driver point of view. This field enables Kubernetes to communicate with storage systems that do not share the same nomenclature for nodes. For example, Kubernetes may refer to a given node as "node1", but the storage system may refer to the same node as "nodeA". When Kubernetes issues a command to the storage system to attach a volume to a specific node, it can use this field to refer to the node name using the ID that the storage system will understand, e.g. "nodeA" instead of "node1". This field is required.² +string + + topologyKeys±"”topologyKeys is the list of keys supported by the driver. When a driver is initialized on a cluster, it provides a set of topology keys that it understands (e.g. "company.com/zone", "company.com/region"). When a driver is initialized on a node, it provides the same topology keys along with values. Kubelet will expose these topology keys as labels on its own node object. When Kubernetes does topology aware provisioning, it can use this list to determine which labels it should retrieve from the node object and pass back to the driver. It is possible for different nodes to use different topology keys. This can be empty if driver does not support topology.² +arrayº + ² +string +§ +Uio.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSONSchemaPropsOrStringArrayN"LJSONSchemaPropsOrStringArray represents a JSONSchemaProps or a string array. +– +4io.k8s.api.authorization.v1.LocalSubjectAccessReviewÝ "çLocalSubjectAccessReview checks whether or not a user or group can perform an action in a given namespace. Having a namespace scoped resource makes it much easier to grant namespace scoped policy that includes permissions checking.šspec² +objectÊè +§ +statusœ +C#/definitions/io.k8s.api.authorization.v1.SubjectAccessReviewStatus"UStatus is filled in by the server and indicates whether the request is allowed or not +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +K +metadata? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta +ñ +specè +A#/definitions/io.k8s.api.authorization.v1.SubjectAccessReviewSpec"¢Spec holds information about the request being evaluated. spec.namespace must be equal to the namespace you made the request against. If empty, it is defaulted.úr +x-kubernetes-group-version-kindOM- group: authorization.k8s.io + kind: LocalSubjectAccessReview + version: v1 + + +3io.k8s.api.authorization.v1beta1.ResourceAttributeså"tResourceAttributes includes the authorization attributes available for resource requests to the Authorizer interface² +objectÊà +‚ +namez"mName is the name of the resource being requested for a "get" or deleted for a "delete". "" (empty) means all.² +string +ô + namespaceæ"ØNamespace is the namespace of the action being requested. Currently, there is no distinction between no namespace and all namespaces "" (empty) is defaulted for LocalSubjectAccessReviews "" (empty) is empty for cluster-scoped resources "" (empty) means "all" for namespace scoped resources from a SubjectAccessReview or SelfSubjectAccessReview² +string +X +resourceL"?Resource is one of the existing resource types. "*" means all.² +string +^ + subresourceO"BSubresource is one of the existing resource types. "" means none.² +string +ƒ +verb{"nVerb is a kubernetes resource API verb, like: get, list, watch, create, update, delete, proxy. "*" means all.² +string +S +versionH";Version is the API Version of the Resource. "*" means all.² +string +M +groupD"7Group is the API Group of the Resource. "*" means all.² +string +ü +&io.k8s.api.networking.v1.IngressStatusÑ"8IngressStatus describe the current state of the Ingress.² +objectʈ +… + loadBalanceru +3#/definitions/io.k8s.api.core.v1.LoadBalancerStatus">LoadBalancer contains the current status of the load-balancer. +Û +3io.k8s.api.policy.v1beta1.PodDisruptionBudgetStatus£"ŠPodDisruptionBudgetStatus represents information about the status of a PodDisruptionBudget. Status may trail the actual state of a system.šdisruptionsAllowedšcurrentHealthyšdesiredHealthyš expectedPods² +objectÊÁ +ô + +conditionså"ôConditions contain conditions for PDB. The disruption controller sets the DisruptionAllowed condition. The following are known values for the reason field (additional reasons could be added in the future): - SyncFailed: The controller encountered an error and wasn't able to compute + the number of allowed disruptions. Therefore no disruptions are + allowed and the status of the condition will be False. +- InsufficientPods: The number of pods are either at or below the number + required by the PodDisruptionBudget. No disruptions are + allowed and the status of the condition will be False. +- SufficientPods: There are more pods than required by the PodDisruptionBudget. + The condition will be True, and the number of allowed + disruptions are provided by the disruptionsAllowed property.² +arrayº@ +> +<#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Conditionú' +x-kubernetes-list-map-keys - type +ú +x-kubernetes-list-typemap +ú' +x-kubernetes-patch-merge-keytype +ú' +x-kubernetes-patch-strategymerge + +E +currentHealthy3int32"current number of healthy pods² +integer +M +desiredHealthy;int32"&minimum desired number of healthy pods² +integer + + disruptedPodsû"¯DisruptedPods contains information about pods whose eviction was processed by the API server eviction subresource handler but has not yet been observed by the PodDisruptionBudget controller. A pod will be in this map from the time when the API server processed the eviction request to the time when the pod is seen by PDB controller as having been marked for deletion (or after a timeout). The key in the map is the name of the pod and the value is the time when the API server processed the eviction request. If the deletion didn't occur and a pod is still there it will be removed from the list automatically by PodDisruptionBudget controller after some time. If everything goes smooth this map should be empty for the most of the time. Large number of entries in the map may indicate problems with pod deletions.ª; +9 +7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time² +object +` +disruptionsAllowedJint32"5Number of pod disruptions that are currently allowed.² +integer +[ + expectedPodsKint32"6total number of pods counted by this disruption budget² +integer +â +observedGenerationËint64"µMost recent generation observed when updating this PDB status. DisruptionsAllowed and other status information is valid only if observedGeneration equals to PDB's object generation.² +integer +Ý +$io.k8s.api.storage.v1beta1.CSIDriver´"¹CSIDriver captures information about a Container Storage Interface (CSI) volume driver deployed on the cluster. CSI drivers do not need to create the CSIDriver object directly. Instead they may use the cluster-driver-registrar sidecar container. When deployed with a CSI driver it automatically creates a CSIDriver object representing the driver. Kubernetes attach detach controller uses this object to determine whether attach is required. Kubelet uses this object to determine whether pod information needs to be passed on mount. CSIDriver objects are non-namespaced.šspec² +objectÊý +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +™ +metadataŒ +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"ÊStandard object metadata. metadata.Name indicates the name of the CSI driver that this object refers to; it MUST be the same name returned by the CSI GetPluginName() call for that driver. The driver name must be 63 characters or less, beginning and ending with an alphanumeric character ([a-z0-9A-Z]) with dashes (-), dots (.), and alphanumerics between. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata +b +specZ +6#/definitions/io.k8s.api.storage.v1beta1.CSIDriverSpec" Specification of the CSI Driver.úb +x-kubernetes-group-version-kind?=- group: storage.k8s.io + kind: CSIDriver + version: v1beta1 + +… +9io.k8s.api.authorization.v1beta1.SubjectRulesReviewStatusÇ "çSubjectRulesReviewStatus contains the result of a rules check. This check can be incomplete depending on the set of authorizers the server is configured with and any errors experienced during evaluation. Because authorization rules are additive, if a rule appears in a list it's safe to assume the subject has that permission, even if that list is incomplete.š resourceRulesšnonResourceRulesš +incomplete² +objectÊž +Œ +evaluationErrorø"êEvaluationError can appear in combination with Rules. It indicates an error occurred during rule evaluation, such as an authorizer that doesn't support rule evaluation, and that ResourceRules and/or NonResourceRules may be incomplete.² +string +Ý + +incompleteÎ"¿Incomplete is true when the rules returned by this call are incomplete. This is most commonly encountered when an authorizer, such as an external authorizer, doesn't support rules evaluation.² +boolean +› +nonResourceRules†"´NonResourceRules is the list of actions the subject is allowed to perform on non-resources. The list ordering isn't significant, may contain duplicates, and possibly be incomplete.² +arrayºB +@ +>#/definitions/io.k8s.api.authorization.v1beta1.NonResourceRule +Ž + resourceRulesü"­ResourceRules is the list of actions the subject is allowed to perform on resources. The list ordering isn't significant, may contain duplicates, and possibly be incomplete.² +arrayº? += +;#/definitions/io.k8s.api.authorization.v1beta1.ResourceRule + +(io.k8s.api.networking.v1.HTTPIngressPathâ "oHTTPIngressPath associates a path with a backend. Incoming urls matching the path are forwarded to the backend.šbackend² +objectÊØ + +Ÿ +backend“ +5#/definitions/io.k8s.api.networking.v1.IngressBackend"ZBackend defines the referenced service endpoint to which the traffic will be forwarded to. +ž +path•"‡Path is matched against the path of an incoming request. Currently it can contain characters disallowed from the conventional "path" part of a URL as defined by RFC 3986. Paths must begin with a '/'. When unspecified, all paths from incoming requests are matched.² +string +’ +pathType…"÷PathType determines the interpretation of the Path matching. PathType can be one of the following values: * Exact: Matches the URL path exactly. * Prefix: Matches based on a URL path prefix split by '/'. Matching is + done on a path element by element basis. A path element refers is the + list of labels in the path split by the '/' separator. A request is a + match for path p if every p is an element-wise prefix of p of the + request path. Note that if the last element of the path is a substring + of the last element in request path, it is not a match (e.g. /foo/bar + matches /foo/bar/baz, but does not match /foo/barbaz). +* ImplementationSpecific: Interpretation of the Path matching is up to + the IngressClass. Implementations can treat this as a separate PathType + or treat it identically to Prefix or Exact path types. +Implementations are required to support all path types.² +string +Þ + io.k8s.api.events.v1.EventSeries¹"èEventSeries contain information on series of events, i.e. thing that was/is happening continuously for some time. How often to update the EventSeries is up to the event reporters. The default event reporter in "k8s.io/client-go/tools/events/event_broadcaster.go" shows how this struct is updated on heartbeats and can guide customized reporter implementations.šcountšlastObservedTime² +objectʤ +n +counteint32"Pcount is the number of occurrences in this series up to the last heartbeat time.² +integer +± +lastObservedTimeœ +<#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.MicroTime"\lastObservedTime is the time when last Event from the series was seen before last heartbeat. +‹ +#io.k8s.api.storage.v1.CSIDriverListã"3CSIDriverList is a collection of CSIDriver objects.šitems² +objectʳ +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +Ê +metadata½ +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"~Standard list metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +g +items^"items is the list of CSIDriver² +arrayº1 +/ +-#/definitions/io.k8s.api.storage.v1.CSIDriverúa +x-kubernetes-group-version-kind><- group: storage.k8s.io + kind: CSIDriverList + version: v1 + +ñ +Sio.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.ExternalDocumentation™"YExternalDocumentation allows referencing an external resource for extended documentation.² +objectÊ0 + + description ² +string + +url ² +string +ÿ +5io.k8s.api.autoscaling.v1.HorizontalPodAutoscalerSpecÅ"-specification of a horizontal pod autoscaler.šscaleTargetRefš maxReplicas² +objectÊè +× +targetCPUUtilizationPercentage´int32"žtarget average CPU utilization (represented as a percentage of requested CPU) over all the pods; if not specified the default autoscaling policy will be used.² +integer + + maxReplicas~int32"iupper limit for the number of pods that can be set by the autoscaler; cannot be smaller than MinReplicas.² +integer +ò + minReplicasâint32"ÌminReplicas is the lower limit for the number of replicas to which the autoscaler can scale down. It defaults to 1 pod. minReplicas is allowed to be 0 if the alpha feature gate HPAScaleToZero is enabled and at least one Object or External metric is configured. Scaling is active as long as at least one metric value is available.² +integer +† +scaleTargetRefó +C#/definitions/io.k8s.api.autoscaling.v1.CrossVersionObjectReference"«reference to scaled resource; horizontal pod autoscaler will learn the current resource consumption and will set the desired number of pods by using its Scale subresource. +º + +#/definitions/io.k8s.api.autoscaling.v2beta2.MetricValueStatus"7current contains the current value for the given metric +] +describedObjectJ +H#/definitions/io.k8s.api.autoscaling.v2beta2.CrossVersionObjectReference +ƒ +metricy +=#/definitions/io.k8s.api.autoscaling.v2beta2.MetricIdentifier"8metric identifies the target metric by name and selector +™ +io.k8s.api.core.v1.EnvVarû"AEnvVar represents an environment variable present in a Container.šname² +objectÊ¢ +N +nameF"9Name of the environment variable. Must be a C_IDENTIFIER.² +string +» +value±"£Variable references $(VAR_NAME) are expanded using the previous defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to "".² +string +‘ + valueFromƒ +-#/definitions/io.k8s.api.core.v1.EnvVarSource"RSource for the environment variable's value. Cannot be used if value is not empty. +ä + io.k8s.api.core.v1.HTTPGetAction¿"=HTTPGetAction describes an action based on HTTP Get requests.šport² +objectÊê +7 +path/""Path to access on the HTTP server.² +string +Ç +port¾ +=#/definitions/io.k8s.apimachinery.pkg.util.intstr.IntOrString"}Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. +R +schemeH";Scheme to use for connecting to the host. Defaults to HTTP.² +string +} +hostu"hHost name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead.² +string +‘ + httpHeaders"CCustom headers to set in the request. HTTP allows repeated headers.² +arrayº/ +- ++#/definitions/io.k8s.api.core.v1.HTTPHeader +ž +.io.k8s.api.core.v1.PersistentVolumeClaimStatusë"OPersistentVolumeClaimStatus is the current status of a persistent volume claim.² +objectÊ‹ +Ò + accessModesÂ"¥AccessModes contains the actual access modes the volume backing the PVC has. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1² +arrayº + ² +string +• +capacityˆ"9Represents the actual resources of the underlying volume.ª? += +;#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity² +object +Ç + +conditions¸"‘Current Condition of persistent volume claim. If underlying persistent volume is being resized then the Condition will be set to 'ResizeStarted'.² +arrayºC +A +?#/definitions/io.k8s.api.core.v1.PersistentVolumeClaimConditionú' +x-kubernetes-patch-merge-keytype +ú' +x-kubernetes-patch-strategymerge + +R +phaseI""1Group to map volume access to Default is no group² +string +‚ +readOnlyv"hReadOnly here will force the Quobyte volume to be mounted with read-only permissions. Defaults to false.² +boolean +á +registryÔ"ÆRegistry represents a single or multiple Quobyte Registry services specified as a string as host:port pair (multiple entries are separated with commas) which acts as the central registry for volumes² +string +œ +tenant‘"ƒTenant owning the given Quobyte volume in the Backend Used with dynamically provisioned Quobyte volumes, value is set by the plugin² +string +ê? +Hio.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSONSchemaProps?"[JSONSchemaProps is a JSON-Schema following Specification Draft 4 (http://json-schema.org/).² +objectʱ> +$ + minPropertiesint64² +integer +p +anyOfg² +arrayºZ +X +V#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSONSchemaProps + + description ² +string +X +exampleM +K#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSON +h +items_ +]#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSONSchemaPropsOrArray + +maxItemsint64² +integer + + maxLengthint64² +integer +} +patternPropertieshªZ +X +V#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSONSchemaProps² +object +n + externalDocs^ +\#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.ExternalDocumentation +$ + maxPropertiesint64² +integer + +minItemsint64² +integer + +minimumdouble² +number +! + +multipleOfdouble² +number + +pattern ² +string + +$ref ² +string +d +enum\² +arrayºO +M +K#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSON +& +required² +arrayº + ² +string + +maximumdouble² +number + + minLengthint64² +integer + +type ² +string +‡ +x-kubernetes-int-or-stringè"Ùx-kubernetes-int-or-string specifies that this value is either an integer or a string. If this is true, an empty type is allowed and type as child of anyOf is permitted if following one of the following patterns: + +1) anyOf: + - type: integer + - type: string +2) allOf: + - anyOf: + - type: integer + - type: string + - ... zero or more² +boolean +Þ +x-kubernetes-list-typeÃ"µx-kubernetes-list-type annotates an array to further describe its topology. This extension must only be used on lists and may have 3 possible values: + +1) `atomic`: the list is treated as a single entity, like a scalar. + Atomic lists will be entirely replaced when updated. This extension + may be used on any type of list (struct, scalar, ...). +2) `set`: + Sets are lists that must not have multiple items with the same value. Each + value must be a scalar, an object with x-kubernetes-map-type `atomic` or an + array with x-kubernetes-list-type `atomic`. +3) `map`: + These lists are like maps in that their elements have a non-index key + used to identify them. Order is preserved upon merge. The map tag + must only be used on a list with elements of type object. +Defaults to atomic for arrays.² +string +w + definitionshªZ +X +V#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSONSchemaProps² +object +v + +propertieshªZ +X +V#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSONSchemaProps² +object + +title ² +string +« +x-kubernetes-list-map-keysŒ"ïx-kubernetes-list-map-keys annotates an array with the x-kubernetes-list-type `map` by specifying the keys used as the index of the map. + +This tag MUST only be used on lists that have the "x-kubernetes-list-type" extension set to "map". Also, the values specified for this attribute must be a scalar typed field of the child structure (no nesting is supported). + +The properties specified must either be required or have a default value, to ensure those properties are present for all list items.² +arrayº + ² +string +… + dependenciesuªg +e +c#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSONSchemaPropsOrStringArray² +object + +exclusiveMinimum ² +boolean +p +oneOfg² +arrayºZ +X +V#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSONSchemaProps +˜ +$x-kubernetes-preserve-unknown-fieldsï"àx-kubernetes-preserve-unknown-fields stops the API server decoding step from pruning fields which are not specified in the validation schema. This affects fields recursively, but switches back to normal pruning behaviour if nested properties or additionalProperties are specified in the schema. This can either be true or undefined. False is forbidden.² +boolean +q +additionalItems^ +\#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSONSchemaPropsOrBool +p +allOfg² +arrayºZ +X +V#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSONSchemaProps + +default‘ +K#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSON"Ádefault is a default value for undefined object fields. Defaulting is a beta feature under the CustomResourceDefaulting feature gate. Defaulting requires spec.preserveUnknownFields to be false. + +id ² +string + +nullable ² +boolean +Ó +x-kubernetes-embedded-resource°"¡x-kubernetes-embedded-resource defines that the value is an embedded Kubernetes runtime.Object, with TypeMeta and ObjectMeta. The type must be object. It is allowed to further restrict the embedded object. kind, apiVersion and metadata are validated automatically. x-kubernetes-preserve-unknown-fields is allowed to be true, but does not have to be if the object is fully specified (up to kind, apiVersion, metadata).² +boolean +  +x-kubernetes-map-type†"øx-kubernetes-map-type annotates an object to further describe its topology. This extension must only be used when type is object and may have 2 possible values: + +1) `granular`: + These maps are actual maps (key-value pairs) and each fields are independent + from each other (they can each be manipulated by separate actors). This is + the default behaviour for all maps. +2) `atomic`: the list is treated as a single entity, like a scalar. + Atomic maps will be entirely replaced when updated.² +string + +$schema ² +string +v +additionalProperties^ +\#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSONSchemaPropsOrBool + +exclusiveMaximum ² +boolean +¶ +format«"format is an OpenAPI v3 format string. Unknown formats are ignored. The following formats are validated: + +- bsonobjectid: a bson object ID, i.e. a 24 characters hex string - uri: an URI as parsed by Golang net/url.ParseRequestURI - email: an email address as parsed by Golang net/mail.ParseAddress - hostname: a valid representation for an Internet host name, as defined by RFC 1034, section 3.1 [RFC1034]. - ipv4: an IPv4 IP as parsed by Golang net.ParseIP - ipv6: an IPv6 IP as parsed by Golang net.ParseIP - cidr: a CIDR as parsed by Golang net.ParseCIDR - mac: a MAC address as parsed by Golang net.ParseMAC - uuid: an UUID that allows uppercase defined by the regex (?i)^[0-9a-f]{8}-?[0-9a-f]{4}-?[0-9a-f]{4}-?[0-9a-f]{4}-?[0-9a-f]{12}$ - uuid3: an UUID3 that allows uppercase defined by the regex (?i)^[0-9a-f]{8}-?[0-9a-f]{4}-?3[0-9a-f]{3}-?[0-9a-f]{4}-?[0-9a-f]{12}$ - uuid4: an UUID4 that allows uppercase defined by the regex (?i)^[0-9a-f]{8}-?[0-9a-f]{4}-?4[0-9a-f]{3}-?[89ab][0-9a-f]{3}-?[0-9a-f]{12}$ - uuid5: an UUID5 that allows uppercase defined by the regex (?i)^[0-9a-f]{8}-?[0-9a-f]{4}-?5[0-9a-f]{3}-?[89ab][0-9a-f]{3}-?[0-9a-f]{12}$ - isbn: an ISBN10 or ISBN13 number string like "0321751043" or "978-0321751041" - isbn10: an ISBN10 number string like "0321751043" - isbn13: an ISBN13 number string like "978-0321751041" - creditcard: a credit card number defined by the regex ^(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|6(?:011|5[0-9][0-9])[0-9]{12}|3[47][0-9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|(?:2131|1800|35\d{3})\d{11})$ with any non digit characters mixed in - ssn: a U.S. social security number following the regex ^\d{3}[- ]?\d{2}[- ]?\d{4}$ - hexcolor: an hexadecimal color code like "#FFFFFF: following the regex ^#?([0-9a-fA-F]{3}|[0-9a-fA-F]{6})$ - rgbcolor: an RGB color code like rgb like "rgb(255,255,2559" - byte: base64 encoded binary data - password: any kind of string - date: a date string like "2006-01-02" as defined by full-date in RFC3339 - duration: a duration string like "22 ns" as parsed by Golang time.ParseDuration or compatible with Scala duration format - datetime: a date time string like "2014-12-15T19:30:20.000Z" as defined by date-time in RFC3339.² +string +_ +notX +V#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSONSchemaProps + + uniqueItems ² +boolean +Œ +7io.k8s.api.autoscaling.v1.HorizontalPodAutoscalerStatusÐ"-current status of a horizontal pod autoscaleršcurrentReplicasšdesiredReplicas² +objectÊî +ß +currentCPUUtilizationPercentage»int32"¥current average CPU utilization over all pods, represented as a percentage of requested CPU, e.g. 70 means that an average pod is using now 70% of its requested CPU.² +integer +f +currentReplicasSint32">current number of replicas of pods managed by this autoscaler.² +integer +f +desiredReplicasSint32">desired number of replicas of pods managed by this autoscaler.² +integer +Ù + lastScaleTimeÇ +7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"‹last time the HorizontalPodAutoscaler scaled the number of pods; used by the autoscaler to control how often the number of pods is changed. +^ +observedGenerationHint64"3most recent generation observed by this autoscaler.² +integer +à +?io.k8s.api.autoscaling.v2beta2.HorizontalPodAutoscalerConditionÿ"eHorizontalPodAutoscalerCondition describes the state of a HorizontalPodAutoscaler at a certain point.štypešstatus² +objectÊù +« +lastTransitionTime” +7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"YlastTransitionTime is the last time the condition transitioned from one status to another +g +message\"Omessage is a human-readable explanation containing details about the transition² +string +P +reasonF"9reason is the reason for the condition's last transition.² +string +S +statusI"#/definitions/io.k8s.api.autoscaling.v2beta2.MetricValueStatus"7current contains the current value for the given metric +B +name:"-Name is the name of the resource in question.² +string +b + containerU"HContainer is the name of the container in the pods of the scaling target² +string +ä +'io.k8s.api.networking.v1.IngressBackend¸"DIngressBackend describes all endpoints for a given service and port.² +objectÊã +± +resource¤ +:#/definitions/io.k8s.api.core.v1.TypedLocalObjectReference"åResource is an ObjectRef to another Kubernetes resource in the namespace of the Ingress object. If resource is specified, a service.Name and service.Port must not be specified. This is a mutually exclusive setting with "Service". +¬ +service  +<#/definitions/io.k8s.api.networking.v1.IngressServiceBackend"`Service references a Service as a Backend. This is a mutually exclusive setting with "Resource". +Ù +io.k8s.api.core.v1.Affinity¹"1Affinity is a group of affinity scheduling rules.² +objectÊ÷ +´ + podAffinity¤ +,#/definitions/io.k8s.api.core.v1.PodAffinity"tDescribes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). +Å +podAntiAffinity± +0#/definitions/io.k8s.api.core.v1.PodAntiAffinity"}Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). +v + nodeAffinityf +-#/definitions/io.k8s.api.core.v1.NodeAffinity"5Describes node affinity scheduling rules for the pod. +æ +(io.k8s.api.core.v1.GlusterfsVolumeSource¹"‹Represents a Glusterfs mount that lasts the lifetime of a pod. Glusterfs volumes do not support ownership management or SELinux relabeling.š endpointsšpath² +objectʉ +« + endpoints"EndpointsName is the endpoint name that details Glusterfs topology. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod² +string +ƒ +path{"nPath is the Glusterfs volume path. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod² +string +Ò +readOnlyÅ"¶ReadOnly here will force the Glusterfs volume to be mounted with read-only permissions. Defaults to false. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod² +boolean +ë +%io.k8s.api.core.v1.ServiceAccountListÁ "6ServiceAccountList is a list of ServiceAccount objectsšitems² +objectÊ• +à +items¹"wList of ServiceAccounts. More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/² +arrayº3 +1 +/#/definitions/io.k8s.api.core.v1.ServiceAccount +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +Ï +metadata +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"‚Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +stringúZ +x-kubernetes-group-version-kind75- version: v1 + group: "" + kind: ServiceAccountList + +Ò +)io.k8s.api.networking.v1beta1.IngressSpec¤ ";IngressSpec describes the Ingress the user wishes to exist.² +objectÊØ +´ +ingressClassNameŸ"‘IngressClassName is the name of the IngressClass cluster resource. The associated IngressClass defines which controller will implement the resource. This replaces the deprecated `kubernetes.io/ingress.class` annotation. For backwards compatibility, when that annotation is set, it must be given precedence over this field. The controller may emit a warning if the field and annotation have different values. Implementations of this API should ignore Ingresses without a class specified. An IngressClass resource may be marked as default, which can be used to set a default value for this field. For more information, refer to the IngressClass documentation.² +string +Ø +rulesÎ"ƒA list of host rules used to configure the Ingress. If unspecified, or no rule matches, all traffic is sent to the default backend.² +arrayº; +9 +7#/definitions/io.k8s.api.networking.v1beta1.IngressRule +† +tlsþ"´TLS configuration. Currently the Ingress only supports a single TLS port, 443. If multiple members of this list specify different hosts, they will be multiplexed on the same port according to the hostname specified through the SNI TLS extension, if the ingress controller fulfilling the ingress supports SNI.² +arrayº: +8 +6#/definitions/io.k8s.api.networking.v1beta1.IngressTLS +º +backend® +:#/definitions/io.k8s.api.networking.v1beta1.IngressBackend"ïA default backend capable of servicing requests that don't match any rule. At least one of 'backend' or 'rules' must be specified. This field is optional to allow the loadbalancer controller or defaulting logic to specify a global default. +˜ +.io.k8s.api.authorization.v1.ResourceAttributeså"tResourceAttributes includes the authorization attributes available for resource requests to the Authorizer interface² +objectÊà +ƒ +verb{"nVerb is a kubernetes resource API verb, like: get, list, watch, create, update, delete, proxy. "*" means all.² +string +S +versionH";Version is the API Version of the Resource. "*" means all.² +string +M +groupD"7Group is the API Group of the Resource. "*" means all.² +string +‚ +namez"mName is the name of the resource being requested for a "get" or deleted for a "delete". "" (empty) means all.² +string +ô + namespaceæ"ØNamespace is the namespace of the action being requested. Currently, there is no distinction between no namespace and all namespaces "" (empty) is defaulted for LocalSubjectAccessReviews "" (empty) is empty for cluster-scoped resources "" (empty) means "all" for namespace scoped resources from a SubjectAccessReview or SelfSubjectAccessReview² +string +X +resourceL"?Resource is one of the existing resource types. "*" means all.² +string +^ + subresourceO"BSubresource is one of the existing resource types. "" means none.² +string +” +)io.k8s.api.coordination.v1beta1.LeaseListæ"%LeaseList is a list of Lease objects.šitems² +objectʾ +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +q +itemsh""Items is a list of schema objects.² +arrayº7 +5 +3#/definitions/io.k8s.api.coordination.v1beta1.Lease +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +Ë +metadata¾ +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadataúg +x-kubernetes-group-version-kindDB- group: coordination.k8s.io + kind: LeaseList + version: v1beta1 + +¨ +%io.k8s.api.core.v1.PodDNSConfigOption"9PodDNSConfigOption defines DNS resolver options of a pod.² +objectÊ6 + +name" Required.² +string + +value ² +string +Ö + io.k8s.api.core.v1.ResourceQuota± "FResourceQuota sets aggregate quota restrictions enforced per namespace² +objectÊ‚ + +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +Ò +metadataÅ +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"ƒStandard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata +à +specº +2#/definitions/io.k8s.api.core.v1.ResourceQuotaSpec"ƒSpec defines the desired quota. https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status +ç +statusÜ +4#/definitions/io.k8s.api.core.v1.ResourceQuotaStatus"£Status defines the actual enforced quota and its current usage. https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-statusúU +x-kubernetes-group-version-kind20- group: "" + kind: ResourceQuota + version: v1 + +¥ +%io.k8s.api.core.v1.SecretVolumeSourceû "íAdapts a Secret into a volume. + +The contents of the target Secret's Data field will be presented in a volume as files using the keys in the Data field as the file names. Secret volumes support ownership management and SELinux relabeling.² +objectÊü +ê + defaultModeÚint32"ÄOptional: mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.² +integer +¤ +itemsš"ÜIf unspecified, each key-value pair in the Data field of the referenced Secret will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the Secret, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'.² +arrayº. +, +*#/definitions/io.k8s.api.core.v1.KeyToPath +P +optionalD"6Specify whether the Secret or its keys must be defined² +boolean +“ + +secretName„"wName of the secret in the pod's namespace to use. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret² +string +… +io.k8s.api.core.v1.Serviceæ "çService is a named abstraction of software service (for example, mysql) consisting of local port (for example 3306) that the proxy listens on, and the selector that determines which pods will answer requests sent through the proxy.² +objectÊ› + +þ +statusó +.#/definitions/io.k8s.api.core.v1.ServiceStatus"ÀMost recently observed status of the service. Populated by the system. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +Ò +metadataÅ +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"ƒStandard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata +Å +spec¼ +,#/definitions/io.k8s.api.core.v1.ServiceSpec"‹Spec defines the behavior of a service. https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-statusúO +x-kubernetes-group-version-kind,*- group: "" + kind: Service + version: v1 + +Ý +)io.k8s.api.extensions.v1beta1.IngressRule¯ "ìIngressRule represents the rules mapping the paths under a specified host to the related backend services. Incoming requests are first evaluated for a host match, then routed to the backend associated with the matching IngressRuleValue.² +objectʱ +J +httpB +@#/definitions/io.k8s.api.extensions.v1beta1.HTTPIngressRuleValue +â + +hostÙ +"Ë +Host is the fully qualified domain name of a network host, as defined by RFC 3986. Note the following deviations from the "host" part of the URI as defined in RFC 3986: 1. IPs are not allowed. Currently an IngressRuleValue can only apply to + the IP in the Spec of the parent Ingress. +2. The `:` delimiter is not respected because ports are not allowed. + Currently the port of an Ingress is implicitly :80 for http and + :443 for https. +Both these may change in the future. Incoming requests are matched against the host before the IngressRuleValue. If the host is unspecified, the Ingress routes all traffic based on the specified IngressRuleValue. + +Host can be "precise" which is a domain name without the terminating dot of a network host (e.g. "foo.bar.com") or "wildcard", which is a domain name prefixed with a single wildcard label (e.g. "*.foo.com"). The wildcard character '*' must appear by itself as the first DNS label and matches only a single label. You cannot have a wildcard label by itself (e.g. Host == "*"). Requests will be matched against the Host field in the following way: 1. If Host is precise, the request matches this rule if the http host header is equal to Host. 2. If Host is a wildcard, then the request matches this rule if the http host header is to equal to the suffix (removing the first label) of the wildcard rule.² +string +ƒ +!io.k8s.api.core.v1.EndpointSubsetÝ"³EndpointSubset is a group of addresses with a common set of ports. The expanded set of endpoints is the Cartesian product of Addresses x Ports. For example, given: + { + Addresses: [{"ip": "10.10.1.1"}, {"ip": "10.10.2.2"}], + Ports: [{"name": "a", "port": 8675}, {"name": "b", "port": 309}] + } +The resulting set of endpoints can be viewed as: + a: [ 10.10.1.1:8675, 10.10.2.2:8675 ], + b: [ 10.10.1.1:309, 10.10.2.2:309 ]² +objectʘ +ë + addressesÝ"™IP addresses which offer the related ports that are marked as ready. These endpoints should be considered safe for load balancers and clients to utilize.² +arrayº4 +2 +0#/definitions/io.k8s.api.core.v1.EndpointAddress +© +notReadyAddresses“"ÏIP addresses which offer the related ports but are not currently marked as ready because they have not yet finished starting, have recently failed a readiness check, or have recently failed a liveness check.² +arrayº4 +2 +0#/definitions/io.k8s.api.core.v1.EndpointAddress +| +portss"3Port numbers available on the related IP addresses.² +arrayº1 +/ +-#/definitions/io.k8s.api.core.v1.EndpointPort +ì +&io.k8s.api.core.v1.FlockerVolumeSourceÁ"ÃRepresents a Flocker volume mounted by the Flocker agent. One and only one of datasetName and datasetUUID should be set. Flocker volumes do not support ownership management or SELinux relabeling.² +objectÊì +ˆ + datasetNamey"lName of the dataset stored as metadata -> name on the dataset for Flocker should be considered as deprecated² +string +_ + datasetUUIDP"CUUID of the dataset. This is unique identifier of a Flocker dataset² +string +Œ +&io.k8s.api.storage.v1.VolumeAttachmentá "—VolumeAttachment captures the intent to attach or detach the specified volume to/from the specified node. + +VolumeAttachment objects are non-namespaced.šspec² +objectÊÊ +Ð +metadataà +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"Standard object metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata +¤ +spec› +8#/definitions/io.k8s.api.storage.v1.VolumeAttachmentSpec"_Specification of the desired attach/detach volume behavior. Populated by the Kubernetes system. +Ð +statusÅ +:#/definitions/io.k8s.api.storage.v1.VolumeAttachmentStatus"†Status of the VolumeAttachment request. Populated by the entity completing the attach or detach operation, i.e. the external-attacher. +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +stringúd +x-kubernetes-group-version-kindA?- group: storage.k8s.io + kind: VolumeAttachment + version: v1 + + +!io.k8s.api.storage.v1.VolumeErrorê"DVolumeError captures an error encountered during a volume operation.² +objectÊ• +® +message¢"”String detailing the error encountered during Attach or Detach operation. This string may be logged, so it should not contain sensitive information.² +string +b +timeZ +7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"Time the error was encountered. +í +1io.k8s.apimachinery.pkg.apis.meta.v1.APIGroupList·"RAPIGroupList is a list of APIGroup, to allow clients to discover the API at /apis.šgroups² +objectÊô +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +u +groupsk"groups is a list of APIGroup.² +arrayº? += +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.APIGroup +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +stringúT +x-kubernetes-group-version-kind1/- group: "" + kind: APIGroupList + version: v1 + +‡ +io.k8s.api.core.v1.Endpointsæ"ýEndpoints is a collection of endpoints that implement the actual service. Example: + Name: "mysvc", + Subsets: [ + { + Addresses: [{"ip": "10.10.1.1"}, {"ip": "10.10.2.2"}], + Ports: [{"name": "a", "port": 8675}, {"name": "b", "port": 309}] + }, + { + Addresses: [{"ip": "10.10.3.3"}], + Ports: [{"name": "a", "port": 93}, {"name": "b", "port": 76}] + }, + ]² +objectʃ +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +Ò +metadataÅ +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"ƒStandard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata +® +subsets¢"ßThe set of all endpoints is the union of all subsets. Addresses are placed into subsets according to the IPs they share. A single address with multiple ports, some of which are ready and some of which are not (because they come from different containers) will result in the address being displayed in different subsets for the different ports. No address will appear in both Addresses and NotReadyAddresses in the same subset. Sets of addresses and ports that comprise a service.² +arrayº3 +1 +/#/definitions/io.k8s.api.core.v1.EndpointSubsetúQ +x-kubernetes-group-version-kind.,- group: "" + kind: Endpoints + version: v1 + +¢ + io.k8s.api.core.v1.ServiceStatusý"9ServiceStatus represents the current status of a service.² +objectʳ +” + +conditions…"Current service state² +arrayº@ +> +<#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Conditionú' +x-kubernetes-list-map-keys - type +ú +x-kubernetes-list-typemap +ú' +x-kubernetes-patch-merge-keytype +ú' +x-kubernetes-patch-strategymerge + +™ + loadBalancerˆ +3#/definitions/io.k8s.api.core.v1.LoadBalancerStatus"QLoadBalancer contains the current status of the load-balancer, if one is present. + +!io.k8s.api.core.v1.LimitRangeSpec÷"NLimitRangeSpec defines a min/max usage limit for resources that match on kind.šlimits² +objectÊ +Œ +limits"?Limits is the list of LimitRangeItem objects that are enforced.² +arrayº3 +1 +/#/definitions/io.k8s.api.core.v1.LimitRangeItem +½ +-io.k8s.api.networking.v1beta1.HTTPIngressPath‹ "oHTTPIngressPath associates a path with a backend. Incoming urls matching the path are forwarded to the backend.šbackend² +objectÊ +¤ +backend˜ +:#/definitions/io.k8s.api.networking.v1beta1.IngressBackend"ZBackend defines the referenced service endpoint to which the traffic will be forwarded to. +ž +path•"‡Path is matched against the path of an incoming request. Currently it can contain characters disallowed from the conventional "path" part of a URL as defined by RFC 3986. Paths must begin with a '/'. When unspecified, all paths from incoming requests are matched.² +string +¶ +pathType©"›PathType determines the interpretation of the Path matching. PathType can be one of the following values: * Exact: Matches the URL path exactly. * Prefix: Matches based on a URL path prefix split by '/'. Matching is + done on a path element by element basis. A path element refers is the + list of labels in the path split by the '/' separator. A request is a + match for path p if every p is an element-wise prefix of p of the + request path. Note that if the last element of the path is a substring + of the last element in request path, it is not a match (e.g. /foo/bar + matches /foo/bar/baz, but does not match /foo/barbaz). +* ImplementationSpecific: Interpretation of the Path matching is up to + the IngressClass. Implementations can treat this as a separate PathType + or treat it identically to Prefix or Exact path types. +Implementations are required to support all path types. Defaults to ImplementationSpecific.² +string +ý ++io.k8s.api.policy.v1beta1.PodSecurityPolicyÍ "˜PodSecurityPolicy governs the ability to make requests that affect the Security Context that will be applied to a pod and container. Deprecated in 1.21.² +objectʾ +j +specb +=#/definitions/io.k8s.api.policy.v1beta1.PodSecurityPolicySpec"!spec defines the policy enforced. +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +Ò +metadataÅ +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"ƒStandard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadataúb +x-kubernetes-group-version-kind?=- group: policy + kind: PodSecurityPolicy + version: v1beta1 + +á +&io.k8s.api.scheduling.v1.PriorityClass¶"{PriorityClass defines mapping from a priority class name to the priority integer value. The value can be any valid integer.švalue² +objectÊ» +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +Ò +metadataÅ +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"ƒStandard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata +„ +preemptionPolicyï"áPreemptionPolicy is the Policy for preempting pods with lower priority. One of Never, PreemptLowerPriority. Defaults to PreemptLowerPriority if unset. This field is beta-level, gated by the NonPreemptingPriority feature-gate.² +string +¨ +valuežint32"ˆThe value of this priority class. This is the actual priority that pods receive when they have the name of this class in their pod spec.² +integer +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +‹ + description|"odescription is an arbitrary string that usually provides guidelines on when this priority class should be used.² +string +¦ + globalDefault”"…globalDefault specifies whether this PriorityClass should be considered as the default priority for pods that do not have any priority class. Only one PriorityClass can be marked as `globalDefault`. However, if more than one PriorityClasses exists with their `globalDefault` field set to true, the smallest value of such global default PriorityClasses will be used as the default priority.² +booleanúd +x-kubernetes-group-version-kindA?- group: scheduling.k8s.io + kind: PriorityClass + version: v1 + +ö +4io.k8s.api.authorization.v1.SubjectRulesReviewStatus½ "çSubjectRulesReviewStatus contains the result of a rules check. This check can be incomplete depending on the set of authorizers the server is configured with and any errors experienced during evaluation. Because authorization rules are additive, if a rule appears in a list it's safe to assume the subject has that permission, even if that list is incomplete.š resourceRulesšnonResourceRulesš +incomplete² +objectÊ” +Œ +evaluationErrorø"êEvaluationError can appear in combination with Rules. It indicates an error occurred during rule evaluation, such as an authorizer that doesn't support rule evaluation, and that ResourceRules and/or NonResourceRules may be incomplete.² +string +Ý + +incompleteÎ"¿Incomplete is true when the rules returned by this call are incomplete. This is most commonly encountered when an authorizer, such as an external authorizer, doesn't support rules evaluation.² +boolean +– +nonResourceRules"´NonResourceRules is the list of actions the subject is allowed to perform on non-resources. The list ordering isn't significant, may contain duplicates, and possibly be incomplete.² +arrayº= +; +9#/definitions/io.k8s.api.authorization.v1.NonResourceRule +‰ + resourceRules÷"­ResourceRules is the list of actions the subject is allowed to perform on resources. The list ordering isn't significant, may contain duplicates, and possibly be incomplete.² +arrayº: +8 +6#/definitions/io.k8s.api.authorization.v1.ResourceRule +‰ +0io.k8s.api.authorization.v1beta1.NonResourceRuleÔ"LNonResourceRule holds information that describes a rule for the non-resourcešverbs² +objectÊï +Ë +nonResourceURLs·"šNonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path. "*" means all.² +arrayº + ² +string +ž +verbs”"xVerb is a list of kubernetes non-resource API verbs, like: get, post, put, delete, patch, head, options. "*" means all.² +arrayº + ² +string +­ +:io.k8s.api.autoscaling.v2beta2.HorizontalPodAutoscalerSpecî"_HorizontalPodAutoscalerSpec describes the desired functionality of the HorizontalPodAutoscaler.šscaleTargetRefš maxReplicas² +objectÊß +® +behavior¡ +L#/definitions/io.k8s.api.autoscaling.v2beta2.HorizontalPodAutoscalerBehavior"Ðbehavior configures the scaling behavior of the target in both Up and Down directions (scaleUp and scaleDown fields respectively). If not set, the default HPAScalingRules for scale up and scale down are used. +© + maxReplicas™int32"ƒmaxReplicas is the upper limit for the number of replicas to which the autoscaler can scale up. It cannot be less that minReplicas.² +integer + +metricsõ"ªmetrics contains the specifications for which to use to calculate the desired replica count (the maximum replica count across all metrics will be used). The desired replica count is calculated multiplying the ratio between the target value and the current value by the current number of pods. Ergo, metrics used must decrease as the pod count is increased, and vice-versa. See the individual metric source types for more information about how each type of metric must respond. If not set, the default metric will be set to 80% average CPU utilization.² +arrayº; +9 +7#/definitions/io.k8s.api.autoscaling.v2beta2.MetricSpec +ò + minReplicasâint32"ÌminReplicas is the lower limit for the number of replicas to which the autoscaler can scale down. It defaults to 1 pod. minReplicas is allowed to be 0 if the alpha feature gate HPAScaleToZero is enabled and at least one Object or External metric is configured. Scaling is active as long as at least one metric value is available.² +integer +† +scaleTargetRefó +H#/definitions/io.k8s.api.autoscaling.v2beta2.CrossVersionObjectReference"¦scaleTargetRef points to the target resource to scale, and is used to the pods for which metrics should be collected, as well as to actually change the replica count. +» +"io.k8s.api.core.v1.EndpointAddress”" +type6")Type of replication controller condition.² +string +• +lastTransitionTime +7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"DThe last time the condition transitioned from one status to another. +Y +messageN"AA human readable message indicating details about the transition.² +string +F +reason<"/The reason for the condition's last transition.² +string +å +'io.k8s.api.core.v1.ConfigMapKeySelector¹"Selects a key from a ConfigMap.škey² +objectʃ +& +key"The key to select.² +string +„ +name|"oName of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names² +string +R +optionalF"8Specify whether the ConfigMap or its key must be defined² +boolean +Æ +,io.k8s.api.core.v1.ConfigMapNodeConfigSource•"lConfigMapNodeConfigSource contains the information to reference a ConfigMap as a config source for the Node.š namespacešnameškubeletConfigKey² +objectÊò +¹ +kubeletConfigKey¤"–KubeletConfigKey declares which key of the referenced ConfigMap corresponds to the KubeletConfiguration structure This field is required in all cases.² +string +p +nameh"[Name is the metadata.name of the referenced ConfigMap. This field is required in all cases.² +string + + namespacer"eNamespace is the metadata.namespace of the referenced ConfigMap. This field is required in all cases.² +string +± +resourceVersion"ResourceVersion is the metadata.ResourceVersion of the referenced ConfigMap. This field is forbidden in Node.Spec, and required in Node.Status.² +string +Œ +uid„"wUID is the metadata.UID of the referenced ConfigMap. This field is forbidden in Node.Spec, and required in Node.Status.² +string +à +(io.k8s.api.core.v1.StorageOSVolumeSource³ "2Represents a StorageOS persistent volume resource.² +objectÊð +À +fsTypeµ"§Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.² +string +x +readOnlyl"^Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.² +boolean +Ï + secretRefÁ +5#/definitions/io.k8s.api.core.v1.LocalObjectReference"‡SecretRef specifies the secret to use for obtaining the StorageOS API credentials. If not specified, default values will be attempted. +‹ + +volumeName}"pVolumeName is the human-readable name of the StorageOS volume. Volume names are only unique within a namespace.² +string +Ð +volumeNamespace¼"®VolumeNamespace specifies the scope of the volume within StorageOS. If no namespace is specified then the Pod's namespace will be used. This allows the Kubernetes name scoping to be mirrored within StorageOS for tighter integration. Set VolumeName to any name to override the default behaviour. Set to "default" if you are not using namespaces within StorageOS. Namespaces that do not pre-exist within StorageOS will be created.² +string +Û +"io.k8s.api.policy.v1beta1.Eviction´ "ÒEviction evicts a pod from its node subject to certain policies and safety constraints. This is a subresource of Pod. A request to cause such an eviction is created by POSTing to .../pods//evictions.² +objectÊô +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +r + deleteOptionsa +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptions"DeleteOptions may be provided +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +€ +metadatat +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"3ObjectMeta describes the pod that is being evicted.úY +x-kubernetes-group-version-kind64- group: policy + kind: Eviction + version: v1beta1 + +  ++io.k8s.api.storage.v1beta1.VolumeAttachmentð "—VolumeAttachment captures the intent to attach or detach the specified volume to/from the specified node. + +VolumeAttachment objects are non-namespaced.šspec² +objectÊÔ +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +Ð +metadataà +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"Standard object metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata +© +spec  +=#/definitions/io.k8s.api.storage.v1beta1.VolumeAttachmentSpec"_Specification of the desired attach/detach volume behavior. Populated by the Kubernetes system. +Õ +statusÊ +?#/definitions/io.k8s.api.storage.v1beta1.VolumeAttachmentStatus"†Status of the VolumeAttachment request. Populated by the entity completing the attach or detach operation, i.e. the external-attacher.úi +x-kubernetes-group-version-kindFD- group: storage.k8s.io + kind: VolumeAttachment + version: v1beta1 + +å +Uio.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionSpec‹"PCustomResourceDefinitionSpec describes how a user wants their resource to appearšgroupšnamesšscopešversions² +objectʇ +¥ + +conversion– +_#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceConversion"3conversion defines conversion settings for the CRD. +å +groupÛ"Ígroup is the API group of the defined custom resource. The custom resources are served under `/apis//...`. Must match the name of the CustomResourceDefinition (in the form `.`).² +string +´ +namesª +d#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionNames"Bnames specify the resource and kind names for the custom resource. +© +preserveUnknownFields"€preserveUnknownFields indicates that object fields which are not specified in the OpenAPI schema should be preserved when persisting to storage. apiVersion, kind, metadata and known fields inside metadata are always preserved. This field is deprecated in favor of setting `x-preserve-unknown-fields` to true in `spec.versions[*].schema.openAPIV3Schema`. See https://kubernetes.io/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions/#pruning-versus-preserving-unknown-fields for details.² +boolean +› +scope‘"ƒscope indicates whether the defined custom resource is cluster- or namespace-scoped. Allowed values are `Cluster` and `Namespaced`.² +string +ó +versionsæ"ìversions is the list of all API versions of the defined custom resource. Version names are used to compute the order in which served versions are listed in API discovery. If the version string is "kube-like", it will sort above non "kube-like" version strings, which are ordered lexicographically. "Kube-like" versions start with a "v", then are followed by a number (the major version), then optionally the string "alpha" or "beta" and another number (the minor version). These are sorted first by GA > beta > alpha (where GA is a version with no suffix such as beta or alpha), and then by comparing major version, then minor version. An example sorted list of versions: v10, v2, v1, v11beta2, v10beta3, v3beta1, v12alpha1, v11alpha2, foo1, foo10.² +arrayºj +h +f#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionVersion +Ö +4io.k8s.api.admissionregistration.v1.ServiceReference";ServiceReference holds a reference to Service.legacy.k8s.ioš namespacešname² +objectʾ +@ +name8"+`name` is the name of the service. Required² +string +O + namespaceB"5`namespace` is the namespace of the service. Required² +string +f +path^"Q`path` is an optional URL path which will be sent in any request to this service.² +string +À +port·int32"¡If specified, the port on the service that hosting webhook. Default to 443 for backward compatibility. `port` should be a valid port number (1-65535, inclusive).² +integer +¾ +/io.k8s.api.autoscaling.v2beta1.PodsMetricSourceŠ"åPodsMetricSource indicates how to scale on a metric describing each pod in the current scale target (for example, transactions-processed-per-second). The values will be averaged together before being compared to the target value.š +metricNameštargetAverageValue² +objectÊñ +K + +metricName="0metricName is the name of the metric in question² +string +Ü +selectorÏ +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"Šselector is the string-encoded form of a standard kubernetes label selector for the given metric When set, it is passed as an additional parameter to the metrics server for more specific metrics scoping When unset, just the metricName will be used to gather metrics. + +targetAverageValue« +;#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"ltargetAverageValue is the target value of the average of the metric across all relevant pods (as a quantity) +Å +-io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta“"£ListMeta describes metadata that synthetic resources must have, including lists and various status objects. A resource may have only one of {ObjectMeta, ListMeta}.² +objectÊÞ +ä +continue×"Écontinue may be set if the user set a limit on the number of items returned, and indicates that the server has more data available. The value is opaque and may be used to issue another request to the endpoint that served this list to retrieve the next set of available objects. Continuing a consistent list may not be possible if the server configuration has changed or more than a few minutes have passed. The resourceVersion field returned when using this continue value will be identical to the value in the first response, unless you have received this token from an error message.² +string +ß +remainingItemCountÈint64"²remainingItemCount is the number of subsequent items in the list which are not included in this list response. If the list request contained label or field selectors, then the number of remaining items is unknown and the field will be left unset and omitted during serialization. If the list is complete (either because it is not chunking or because this is the last chunk), then there are no more remaining items and this field will be left unset and omitted during serialization. Servers older than v1.15 do not set this field. The intended use of the remainingItemCount is *estimating* the size of a collection. Clients should not rely on the remainingItemCount to be set or to be exact.² +integer +¥ +resourceVersion‘"ƒString that identifies the server's internal version of this object that can be used by clients to determine when objects have changed. Value must be treated as opaque by clients and passed unmodified back to the server. Populated by the system. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency² +string +ê +selfLinkÝ"ÏselfLink is a URL representing this object. Populated by the system. Read-only. + +DEPRECATED Kubernetes will stop propagating this field in 1.20 release and the field is planned to be removed in 1.21 release.² +string +ô +io.k8s.api.core.v1.NodeØ "iNode is a worker node in Kubernetes. Each node will have a unique identifier in the cache (i.e. in etcd).² +objectÊ + +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +Ò +metadataÅ +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"ƒStandard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata +¿ +spec¶ +)#/definitions/io.k8s.api.core.v1.NodeSpec"ˆSpec defines the behavior of a node. https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status +ø +statusí ++#/definitions/io.k8s.api.core.v1.NodeStatus"½Most recently observed status of the node. Populated by the system. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-statusúL +x-kubernetes-group-version-kind)'- group: "" + kind: Node + version: v1 + +ý +,io.k8s.api.core.v1.RBDPersistentVolumeSourceÌ "ˆRepresents a Rados Block Device mount that lasts the lifetime of a pod. RBD volumes support ownership management and SELinux relabeling.šmonitorsšimage² +objectÊŸ +€ +poolx"kThe rados pool name. Default is rbd. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it² +string +´ +readOnly§"˜ReadOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it² +boolean +ô + secretRefæ +0#/definitions/io.k8s.api.core.v1.SecretReference"±SecretRef is name of the authentication secret for RBDUser. If provided overrides keyring. Default is nil. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it +‚ +userz"mThe rados user name. Default is admin. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it² +string +³ +fsType¨"šFilesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd² +string +r +imagei"\The rados image name. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it² +string +« +keyringŸ"‘Keyring is the path to key ring for RBDUser. Default is /etc/ceph/keyring. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it² +string +Ž +monitors"eA collection of Ceph monitors. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it² +arrayº + ² +string +ë +%io.k8s.api.events.v1beta1.EventSeriesÁ"qEventSeries contain information on series of events, i.e. thing that was/is happening continuously for some time.šcountšlastObservedTime² +objectʤ +n +counteint32"Pcount is the number of occurrences in this series up to the last heartbeat time.² +integer +± +lastObservedTimeœ +<#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.MicroTime"\lastObservedTime is the time when last Event from the series was seen before last heartbeat. +ù +,io.k8s.api.policy.v1.PodDisruptionBudgetSpecÈ"BPodDisruptionBudgetSpec is a description of a PodDisruptionBudget.² +objectÊõ +Ç + minAvailable¶ +=#/definitions/io.k8s.apimachinery.pkg.util.intstr.IntOrString"ôAn eviction is allowed if at least "minAvailable" pods selected by "selector" will still be available after the eviction, i.e. even in the absence of the evicted pod. So for example you can prevent all voluntary evictions by specifying "100%". +µ +selector¨ +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"·Label query over pods whose evictions are managed by the disruption budget. A null selector will match no pods, while an empty ({}) selector will select all pods within the namespace.ú) +x-kubernetes-patch-strategy +replace + +ð +maxUnavailableÝ +=#/definitions/io.k8s.apimachinery.pkg.util.intstr.IntOrString"›An eviction is allowed if at most "maxUnavailable" pods selected by "selector" are unavailable after the eviction, i.e. even in absence of the evicted pod. For example, one can prevent all voluntary evictions by specifying 0. This is a mutually exclusive setting with "minAvailable". +ê +Sio.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceSubresources’"YCustomResourceSubresources defines the status and scale subresources for CustomResources.² +objectʨ +é +scaleß +e#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceSubresourceScale"vscale indicates the custom resource should serve a `/scale` subresource that returns an `autoscaling/v1` Scale object. +¹ +status® +f#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceSubresourceStatus"Ãstatus indicates the custom resource should serve a `/status` subresource. When enabled: 1. requests to the custom resource primary endpoint ignore changes to the `status` stanza of the object. 2. requests to the custom resource `/status` subresource ignore changes to anything other than the `status` stanza of the object. + +Fio.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIServiceConditionÒ"NAPIServiceCondition describes the state of an APIService at a particular pointštypešstatus² +objectÊã +‘ +lastTransitionTime{ +7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"@Last time the condition transitioned from one status to another. +X +messageM"@Human-readable message indicating details about last transition.² +string +^ +reasonT"GUnique, one-word, CamelCase reason for the condition's last transition.² +string +Z +statusP"CStatus is the status of the condition. Can be True, False, Unknown.² +string +7 +type/""Type is the type of the condition.² +string +Ù +io.k8s.api.batch.v1.CronJob¹ ":CronJob represents the configuration of a single cron job.² +objectÊ™ + +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +Ò +metadataÅ +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"ƒStandard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata +ö +specí +-#/definitions/io.k8s.api.batch.v1.CronJobSpec"»Specification of the desired behavior of a cron job, including the schedule. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status +Ë +statusÀ +/#/definitions/io.k8s.api.batch.v1.CronJobStatus"ŒCurrent status of a cron job. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +stringúR +x-kubernetes-group-version-kind/-- group: batch + kind: CronJob + version: v1 + +¦ ++io.k8s.api.core.v1.ContainerStateTerminatedö">ContainerStateTerminated is a terminated state of a container.šexitCode² +objectÊœ + + startedAtt +7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"9Time at which previous execution of the container started +R + containerIDC"6Container's ID in the format 'docker://'² +string +W +exitCodeKint32"6Exit status from the last termination of the container² +integer +t + +finishedAtf +7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"+Time at which the container last terminated +O +messageD"7Message regarding the last termination of the container² +string +P +reasonF"9(brief) reason from the last termination of the container² +string +P +signalFint32"1Signal from the last termination of the container² +integer +$ +io.k8s.api.core.v1.PodStatusï#"¶PodStatus represents information about the status of a pod. Status may trail the actual state of a system, especially if the node that hosts the pod cannot contact the control plane.² +objectʧ" +g +hostIP]"PIP address of the host to which the pod is assigned. Empty if not yet scheduled.² +string +Û + startTimeÍ +7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"‘RFC 3339 date and time at which the object was acknowledged by the Kubelet. This is before the Kubelet pulled the container image(s) for the pod. +x +podIPo"bIP address allocated to the pod. Routable at least within the cluster. Empty if not yet allocated.² +string +› + +conditionsŒ"xCurrent service state of pod. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-conditions² +arrayº1 +/ +-#/definitions/io.k8s.api.core.v1.PodConditionú' +x-kubernetes-patch-merge-keytype +ú' +x-kubernetes-patch-strategymerge + +¬ +containerStatuses–"ÒThe list has one entry per container in the manifest. Each entry is currently the output of `docker inspect`. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status² +arrayº4 +2 +0#/definitions/io.k8s.api.core.v1.ContainerStatus +‰ +ephemeralContainerStatusesê"¦Status for any ephemeral containers that have run in this pod. This field is alpha-level and is only populated by servers that enable the EphemeralContainers feature.² +arrayº4 +2 +0#/definitions/io.k8s.api.core.v1.ContainerStatus +ü +initContainerStatusesâ"žThe list has one entry per init container in the manifest. The most recent successful init container will have ready = true, the most recently started container will have startTime set. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status² +arrayº4 +2 +0#/definitions/io.k8s.api.core.v1.ContainerStatus +k +message`"SA human readable message indicating details about why the pod is in this condition.² +string +Í +nominatedNodeName·"©nominatedNodeName is set only when this pod preempts other pods on the node, but it cannot be scheduled right away as preemption victims receive their graceful termination periods. This field does not guarantee that the pod will be scheduled on this node. Scheduler may decide to place the pod elsewhere if other nodes become available sooner. Scheduler may also decide to give the resources on this node to a higher priority pod that is created after preemption. As a result, this field may be different than PodSpec.nodeName when the pod is scheduled.² +string +Æ +phase¼ "® The phase of a Pod is a simple, high-level summary of where the Pod is in its lifecycle. The conditions array, the reason and message fields, and the individual container status arrays contain more detail about the pod's status. There are five possible phase values: + +Pending: The pod has been accepted by the Kubernetes system, but one or more of the container images has not been created. This includes time before being scheduled as well as time spent downloading images over the network, which could take a while. Running: The pod has been bound to a node, and all of the containers have been created. At least one container is still running, or is in the process of starting or restarting. Succeeded: All containers in the pod have terminated in success, and will not be restarted. Failed: All containers in the pod have terminated, and at least one container has terminated in failure. The container either exited with non-zero status or was terminated by the system. Unknown: For some reason the state of the pod could not be obtained, typically due to an error in communicating with the host of the pod. + +More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-phase² +string +‡ +podIPsü"ðpodIPs holds the IP addresses allocated to the pod. If this field is specified, the 0th entry must match the podIP field. Pods may be allocated at most 1 value for each of IPv4 and IPv6. This list is empty if no IPs have been allocated yet.² +arrayº* +( +&#/definitions/io.k8s.api.core.v1.PodIPú% +x-kubernetes-patch-merge-keyip +ú' +x-kubernetes-patch-strategymerge + +ƒ +qosClassö"èThe Quality of Service (QOS) classification assigned to the pod based on resource requirements See PodQOSClass type for available QOS classes More info: https://git.k8s.io/community/contributors/design-proposals/node/resource-qos.md² +string +v +reasonl"_A brief CamelCase message indicating details about why the pod is in this state. e.g. 'Evicted'² +string +Ì +\io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceDefinitionStatusë"RCustomResourceDefinitionStatus indicates the state of the CustomResourceDefinition² +objectʈ +ù + acceptedNamesç +i#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceDefinitionNames"zacceptedNames are the names that are actually being used to serve discovery. They may be different than the names in spec. +ª + +conditions›"Nconditions indicate state for particular aspects of a CustomResourceDefinition² +arrayºq +o +m#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceDefinitionConditionú +x-kubernetes-list-typemap +ú' +x-kubernetes-list-map-keys - type + +Ü +storedVersionsÉ"¬storedVersions lists all versions of CustomResources that were ever persisted. Tracking these versions allows a migration path for stored versions in etcd. The field is mutable so a migration controller can finish a migration to another version (ensuring no old objects are left in storage), and then remove the rest of the versions from this list. Versions may not be removed from `spec.versions` while they exist in this list.² +arrayº + ² +string +´4 +3io.k8s.api.admissionregistration.v1.MutatingWebhookü3"^MutatingWebhook describes an admission webhook and the resources and operations it applies to.šnameš clientConfigš sideEffectsšadmissionReviewVersions² +objectÊÏ2 +œ +timeoutSeconds‰int32"óTimeoutSeconds specifies the timeout for this webhook. After the timeout passes, the webhook call will be ignored or the API call will fail based on the failure policy. The timeout value must be between 1 and 30 seconds. Default to 10 seconds.² +integer +– +admissionReviewVersionsú"ÝAdmissionReviewVersions is an ordered list of preferred `AdmissionReview` versions the Webhook expects. API server will try to use first version in the list which it supports. If none of the versions specified in this list supported by API server, validation will fail for this object. If a persisted webhook configuration specifies allowed versions and does not include any versions known to the API Server, calls to the webhook will fail and be subject to the failure policy.² +arrayº + ² +string +¬ + failurePolicyš"ŒFailurePolicy defines how unrecognized errors from the admission endpoint are handled - allowed values are Ignore or Fail. Defaults to Fail.² +string +é +objectSelectorÖ +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"‘ObjectSelector decides whether to run the webhook based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the webhook, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Default to the empty LabelSelector, which matches everything. +é +rulesß"‡Rules describes what operations on what resources/subresources the webhook cares about. The webhook cares about an operation if it matches _any_ Rule. However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks from putting the cluster in a state which cannot be recovered from without completely disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects.² +arrayºH +F +D#/definitions/io.k8s.api.admissionregistration.v1.RuleWithOperations + +reinvocationPolicyù"ëreinvocationPolicy indicates whether this webhook should be called multiple times as part of a single admission evaluation. Allowed values are "Never" and "IfNeeded". + +Never: the webhook will not be called more than once in a single admission evaluation. + +IfNeeded: the webhook will be called at least one additional time as part of the admission evaluation if the object being admitted is modified by other admission plugins after the initial webhook call. Webhooks that specify this option *must* be idempotent, able to process objects they previously admitted. Note: * the number of additional invocations is not guaranteed to be exactly one. * if additional invocations result in further modifications to the object, webhooks are not guaranteed to be invoked again. * webhooks that use this option may be reordered to minimize the number of additional invocations. * to validate an object after all mutations are guaranteed complete, use a validating admission webhook instead. + +Defaults to "Never".² +string +õ + sideEffectså"×SideEffects states whether this webhook has side effects. Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). Webhooks with side effects MUST implement a reconciliation system, since a request may be rejected by a future step in the admission chain and the side effects therefore need to be undone. Requests with the dryRun attribute will be auto-rejected if they match a webhook with sideEffects == Unknown or Some.² +string +™ + clientConfigˆ +E#/definitions/io.k8s.api.admissionregistration.v1.WebhookClientConfig"?ClientConfig defines how to communicate with the hook. Required +œ + matchPolicyŒ"þmatchPolicy defines how the "rules" list is used to match incoming requests. Allowed values are "Exact" or "Equivalent". + +- Exact: match a request only if it exactly matches a specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook. + +- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook. + +Defaults to "Equivalent"² +string +ç +nameÞ"ÐThe name of the admission webhook. Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where "imagepolicy" is the name of the webhook, and kubernetes.io is the name of the organization. Required.² +string +Ý +namespaceSelectorÇ +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"‚ NamespaceSelector decides whether to run the webhook on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is another cluster scoped resource, it never skips the webhook. + +For example, to run the webhook on any objects whose namespace is not associated with "runlevel" of "0" or "1"; you will set the selector as follows: "namespaceSelector": { + "matchExpressions": [ + { + "key": "runlevel", + "operator": "NotIn", + "values": [ + "0", + "1" + ] + } + ] +} + +If instead you want to only run the webhook on any objects whose namespace is associated with the "environment" of "prod" or "staging"; you will set the selector as follows: "namespaceSelector": { + "matchExpressions": [ + { + "key": "environment", + "operator": "In", + "values": [ + "prod", + "staging" + ] + } + ] +} + +See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ for more examples of label selectors. + +Default to the empty LabelSelector, which matches everything. +· + io.k8s.api.apps.v1.DaemonSetSpec’ "3DaemonSetSpec is the specification of a daemon set.šselectorštemplate² +objectʸ + +’ +minReadySecondsþint32"èThe minimum number of seconds for which a newly created DaemonSet pod should be ready without any of its container crashing, for it to be considered available. Defaults to 0 (pod will be considered available as soon as it is ready).² +integer +¿ +revisionHistoryLimit¦int32"The number of old history to retain to allow rollback. This is a pointer to distinguish between explicit zero and not specified. Defaults to 10.² +integer +Á +selector´ +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"ïA label query over pods that are managed by the daemon set. Must match in order to be controlled. It must match the pod template's labels. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors +„ +template÷ +0#/definitions/io.k8s.api.core.v1.PodTemplateSpec"ÂAn object that describes the pod that will be created. The DaemonSet will create exactly one copy of this pod on every node that matches the template's node selector (or on every node if no node selector is specified). More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-template +“ +updateStrategy€ +8#/definitions/io.k8s.api.apps.v1.DaemonSetUpdateStrategy"DAn update strategy to replace existing DaemonSet pods with new pods. +Ö +io.k8s.api.core.v1.VolumeDevice²"JvolumeDevice describes a mapping of a raw block device within a container.šnameš +devicePath² +objectÊà +l + +devicePath^"QdevicePath is the path inside of the container that the device will be mapped to.² +string +S +nameK">name must match the name of a persistentVolumeClaim in the pod² +string +© +*io.k8s.api.scheduling.v1.PriorityClassListú"6PriorityClassList is a collection of priority classes.šitems² +objectÊÀ +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +t +itemsk"$items is the list of PriorityClasses² +arrayº8 +6 +4#/definitions/io.k8s.api.scheduling.v1.PriorityClass +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +Ê +metadata½ +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"~Standard list metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadataúh +x-kubernetes-group-version-kindEC- version: v1 + group: scheduling.k8s.io + kind: PriorityClassList + +¶ +*io.k8s.api.storage.v1.VolumeAttachmentList‡ "AVolumeAttachmentList is a collection of VolumeAttachment objects.šitems² +objectÊ +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +v +itemsm"&Items is the list of VolumeAttachments² +arrayº8 +6 +4#/definitions/io.k8s.api.storage.v1.VolumeAttachment +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +Ê +metadata½ +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"~Standard list metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadataúh +x-kubernetes-group-version-kindEC- group: storage.k8s.io + kind: VolumeAttachmentList + version: v1 + +« +Vio.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceDefinitionÐ "…CustomResourceDefinition represents a resource that should be exposed on the API server. Its name MUST be in the format <.spec.name>.<.spec.group>. Deprecated in v1.16, planned for removal in v1.22. Use apiextensions.k8s.io/v1 CustomResourceDefinition instead.šspec² +objectʸ +K +metadata? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta +® +spec¥ +h#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceDefinitionSpec"9spec describes how the user wants the resources to appear +º +status¯ +j#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceDefinitionStatus"Astatus indicates the actual state of the CustomResourceDefinition +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +stringúw +x-kubernetes-group-version-kindTR- kind: CustomResourceDefinition + version: v1beta1 + group: apiextensions.k8s.io + +Ü + +-io.k8s.api.authentication.v1beta1.TokenReviewª +"§TokenReview attempts to authenticate a token to a known user. Note: TokenReview requests may be cached by the webhook token authenticator plugin in the kube-apiserver.šspec² +objectÊü +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +K +metadata? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta +ƒ +spec{ +?#/definitions/io.k8s.api.authentication.v1beta1.TokenReviewSpec"8Spec holds information about the request being evaluated +© +statusž +A#/definitions/io.k8s.api.authentication.v1beta1.TokenReviewStatus"YStatus is filled in by the server and indicates whether the request can be authenticated.úk +x-kubernetes-group-version-kindHF- group: authentication.k8s.io + kind: TokenReview + version: v1beta1 + +ì ++io.k8s.api.autoscaling.v2beta1.MetricStatus¼">MetricStatus describes the last-read state of a single metric.štype² +objectÊæ +ô +externalç +A#/definitions/io.k8s.api.autoscaling.v2beta1.ExternalMetricStatus"¡external refers to a global metric that is not associated with any Kubernetes object. It allows autoscaling based on information coming from components running outside of cluster (for example length of queue in cloud messaging service, or QPS from loadbalancer running outside of cluster). + +object· +?#/definitions/io.k8s.api.autoscaling.v2beta1.ObjectMetricStatus"tobject refers to a metric describing a single kubernetes object (for example, hits-per-second on an Ingress object). +• +podsŒ +=#/definitions/io.k8s.api.autoscaling.v2beta1.PodsMetricStatus"Êpods refers to a metric describing each pod in the current scale target (for example, transactions-processed-per-second). The values will be averaged together before being compared to the target value. +™ +resourceŒ +A#/definitions/io.k8s.api.autoscaling.v2beta1.ResourceMetricStatus"Æresource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing each pod in the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the "pods" source. +¥ +typeœ"Žtype is the type of metric source. It will be one of "ContainerResource", "External", "Object", "Pods" or "Resource", each corresponds to a matching field in the object. Note: "ContainerResource" type is available on when the feature-gate HPAContainerMetrics is enabled² +string +Ë +containerResourceµ +J#/definitions/io.k8s.api.autoscaling.v2beta1.ContainerResourceMetricStatus"æcontainer resource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing a single container in each pod in the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the "pods" source. +  +%io.k8s.api.core.v1.ComponentConditionö"/Information about the condition of a component.štypešstatus² +objectʦ +s +messageh"[Message about the condition for a component. For example, information about a health check.² +string +z +statusp"cStatus of the condition for a component. Valid values for "Healthy": "True", "False", or "Unknown".² +string +N +typeF"9Type of condition for a component. Valid value: "Healthy"² +string +c +errorZ"MCondition error code for a component. For example, a health check error code.² +string +ž +(io.k8s.api.core.v1.ProjectedVolumeSourceñ"$Represents a projected volume source² +objectʼ +Î + defaultMode¾int32"¨Mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.² +integer +i +sources^"list of volume projections² +arrayº5 +3 +1#/definitions/io.k8s.api.core.v1.VolumeProjection + +*io.k8s.api.discovery.v1beta1.EndpointHintsà"KEndpointHints provides hints describing how an endpoint should be consumed.² +objectÊ„ + +forZonesô"ˆforZones indicates the zone(s) this endpoint should be consumed by to enable topology aware routing. May contain a maximum of 8 entries.² +arrayº6 +4 +2#/definitions/io.k8s.api.discovery.v1beta1.ForZoneú# +x-kubernetes-list-type atomic + +Ÿ +3io.k8s.api.flowcontrol.v1beta1.QueuingConfigurationç +"CQueuingConfiguration holds the configuration parameters for queuing² +objectÊ“ + +¢ +handSize•int32"ÿ`handSize` is a small positive number that configures the shuffle sharding of requests into queues. When enqueuing a request at this priority level the request's flow identifier (a string pair) is hashed and the hash value is used to shuffle the list of queues and deal a hand of the size specified here. The request is put into one of the shortest queues in that hand. `handSize` must be no larger than `queues`, and should be significantly smaller (so that a few heavy flows do not saturate most of the queues). See the user-facing documentation for more extensive guidance on setting this field. This field has a default value of 8.² +integer +“ +queueLengthLimitþint32"è`queueLengthLimit` is the maximum number of requests allowed to be waiting in a given queue of this priority level at a time; excess requests are rejected. This value must be positive. If not specified, it will be defaulted to 50.² +integer +Õ +queuesÊint32"´`queues` is the number of queues for this priority level. The queues exist independently at each apiserver. The value must be positive. Setting it to 1 effectively precludes shufflesharding and thus makes the distinguisher method of associated flow schemas irrelevant. This field has a default value of 64.² +integer +š +&io.k8s.api.storage.v1.StorageClassListï"4StorageClassList is a collection of storage classes.šitems² +objectÊ» +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +Ê +metadata½ +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"~Standard list metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +o +itemsf"#Items is the list of StorageClasses² +arrayº4 +2 +0#/definitions/io.k8s.api.storage.v1.StorageClassúd +x-kubernetes-group-version-kindA?- group: storage.k8s.io + kind: StorageClassList + version: v1 + +ú +.<.spec.group>.šspec² +objectÊ® +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +K +metadata? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta +© +spec  +c#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionSpec"9spec describes how the user wants the resources to appear +µ +statusª +e#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionStatus"Astatus indicates the actual state of the CustomResourceDefinition +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +stringúr +x-kubernetes-group-version-kindOM- group: apiextensions.k8s.io + kind: CustomResourceDefinition + version: v1 + +” +-io.k8s.apimachinery.pkg.apis.meta.v1.FieldsV1â"ÔFieldsV1 stores a set of fields in a data structure like a Trie, in JSON format. + +Each key is either a '.' representing the field itself, and will always map to an empty set, or a string representing a sub-field or item. The string will follow one of these four formats: 'f:', where is the name of a field in a struct, or key in a map 'v:', where is the exact json formatted value of a list item 'i:', where is position of a item in a list 'k:', where is a map of a list item's key fields to their unique values If a key maps to an empty Fields value, the field that key represents is part of the set. + +The exact format is defined in sigs.k8s.io/structured-merge-diff² +object +» +1io.k8s.api.authentication.v1beta1.TokenReviewSpec…"ETokenReviewSpec is a description of the token authentication request.² +objectʯ +ó + audienceså"ÈAudiences is a list of the identifiers that the resource server presented with the token identifies as. Audience-aware token authenticators will verify that the token was intended for at least one of the audiences in this list. If no audiences are provided, the audience will default to the audience of the Kubernetes apiserver.² +arrayº + ² +string +7 +token."!Token is the opaque bearer token.² +string +… +6io.k8s.api.autoscaling.v2beta2.HorizontalPodAutoscalerÊ "ÎHorizontalPodAutoscaler is the configuration for a horizontal pod autoscaler, which automatically manages the replica count of any resource implementing the scale subresource based on the metrics specified.² +objectÊú +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +à +metadataÓ +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"‘metadata is the standard object metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata +„ +specû +H#/definitions/io.k8s.api.autoscaling.v2beta2.HorizontalPodAutoscalerSpec"®spec is the specification for the behaviour of the autoscaler. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status. + +status… +J#/definitions/io.k8s.api.autoscaling.v2beta2.HorizontalPodAutoscalerStatus"7status is the current information about the autoscaler.úm +x-kubernetes-group-version-kindJH- group: autoscaling + kind: HorizontalPodAutoscaler + version: v2beta2 + +È +(io.k8s.api.core.v1.ResourceFieldSelector›"ZResourceFieldSelector represents container resources (cpu, memory) and their output formatšresource² +objectÊ¥ +Y + containerNameH";Container name: required for volumes, optional for env vars² +string + +divisor„ +;#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"ESpecifies the output format of the exposed resources, defaults to "1" +5 +resource)"Required: resource to select² +string +‚ +'io.k8s.api.core.v1.ResourceRequirementsÖ"AResourceRequirements describes the compute resource requirements.² +objectÊ„ +ö +limitsë"›Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ª? += +;#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity² +object +ˆ +requestsû"«Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ª? += +;#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity² +object +¨ +3io.k8s.api.core.v1.TopologySelectorLabelRequirementð"~A topology selector requirement is a selector that matches given label. This is an alpha feature and may change in the future.škeyšvalues² +objectÊÒ +? +key8"+The label key that the selector applies to.² +string +Ž +valuesƒ"gAn array of string values. One value must match the label to be selected. Each entry in Values is ORed.² +arrayº + ² +string +ƒ +2io.k8s.api.extensions.v1beta1.HTTPIngressRuleValueÌ"£HTTPIngressRuleValue is a list of http selectors pointing to backends. In the example: http:///? -> backend where where parts of the url correspond to RFC 3986, this resource will be used to match against everything after the last '/' and before the first '?' or '#'.špaths² +objectÊ +Œ +paths‚"4A collection of paths that map requests to backends.² +arrayº? += +;#/definitions/io.k8s.api.extensions.v1beta1.HTTPIngressPath +¦ + io.k8s.api.networking.v1.Ingress "€Ingress is a collection of rules that allow inbound connections to reach the endpoints defined by a backend. An Ingress can be configured to give services externally-reachable urls, load balance traffic, terminate SSL, offer name based virtual hosting etc.² +objectÊŽ + +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +Ò +metadataÅ +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"ƒStandard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata +Ø +specÏ +2#/definitions/io.k8s.api.networking.v1.IngressSpec"˜Spec is the desired state of the Ingress. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status +Þ +statusÓ +4#/definitions/io.k8s.api.networking.v1.IngressStatus"šStatus is the current state of the Ingress. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-statusú^ +x-kubernetes-group-version-kind;9- group: networking.k8s.io + kind: Ingress + version: v1 + +Ö +&io.k8s.api.apps.v1.ReplicaSetCondition«"LReplicaSetCondition describes the state of a replica set at a certain point.štypešstatus² +objectʾ +• +lastTransitionTime +7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"DThe last time the condition transitioned from one status to another. +Y +messageN"AA human readable message indicating details about the transition.² +string +F +reason<"/The reason for the condition's last transition.² +string +L +statusB"5Status of the condition, one of True, False, Unknown.² +string +3 +type+"Type of replica set condition.² +string +¼ +(io.k8s.api.authorization.v1.ResourceRule"¬ResourceRule is the list of actions the subject is allowed to perform on resources. The list ordering isn't significant, may contain duplicates, and possibly be incomplete.šverbs² +objectÊÉ +¹ + resourceNames§"ŠResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed. "*" means all.² +arrayº + ² +string +ä + resourcesÖ"¹Resources is a list of resources this rule applies to. "*" means all in the specified apiGroups. + "*/foo" represents the subresource 'foo' for all resources in the specified apiGroups.² +arrayº + ² +string + +verbs“"wVerb is a list of kubernetes resource API verbs, like: get, list, watch, create, update, delete, proxy. "*" means all.² +arrayº + ² +string +ƒ + apiGroupsõ"ØAPIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed. "*" means all.² +arrayº + ² +string +ð +8io.k8s.api.authorization.v1beta1.SelfSubjectAccessReview³ "öSelfSubjectAccessReview checks whether or the current user can perform an action. Not filling in a spec.namespace means "in all namespaces". Self is a special case, because users should always be able to check whether they can perform an actionšspec² +objectÊ« +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +K +metadata? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta +¯ +spec¦ +J#/definitions/io.k8s.api.authorization.v1beta1.SelfSubjectAccessReviewSpec"XSpec holds information about the request being evaluated. user and groups must be empty +¬ +status¡ +H#/definitions/io.k8s.api.authorization.v1beta1.SubjectAccessReviewStatus"UStatus is filled in by the server and indicates whether the request is allowed or notúv +x-kubernetes-group-version-kindSQ- group: authorization.k8s.io + kind: SelfSubjectAccessReview + version: v1beta1 + + +:io.k8s.api.autoscaling.v2beta2.CrossVersionObjectReferenceÂ"bCrossVersionObjectReference contains enough information to let you identify the referred resource.škindšname² +objectÊÁ +˜ +kind"Kind of the referent; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"² +string +l +named"WName of the referent; More info: http://kubernetes.io/docs/user-guide/identifiers#names² +string +6 + +apiVersion("API version of the referent² +string +Ç +0io.k8s.api.core.v1.GCEPersistentDiskVolumeSource’ "ÁRepresents a Persistent Disk resource in Google Compute Engine. + +A GCE PD must exist before mounting to a container. The disk must also be in the same GCE project and zone as the kubelet. A GCE PD can only be mounted as read/write once or read-only many times. GCE PDs support ownership management and SELinux relabeling.špdName² +objectʶ +² +pdName§"™Unique name of the PD resource in GCE. Used to identify the disk in GCE. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk² +string +¾ +readOnly±"¢ReadOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk² +boolean +Á +fsType¶"¨Filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk² +string +ù + partitionëint32"ÕThe partition in the volume that you want to mount. If omitted, the default is to mount by volume name. Examples: For volume /dev/sda1, you specify the partition as "1". Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk² +integer +ä +io.k8s.api.core.v1.PodDNSConfigÀ"_PodDNSConfig defines the DNS parameters of a pod in addition to those generated from DNSPolicy.² +objectÊÐ +Ä + nameservers´"—A list of DNS name server IP addresses. This will be appended to the base nameservers generated from DNSPolicy. Duplicated nameservers will be removed.² +arrayº + ² +string +µ +options©"âA list of DNS resolver options. This will be merged with the base options generated from DNSPolicy. Duplicated entries will be removed. Resolution options given in Options will override those that appear in the base DNSPolicy.² +arrayº7 +5 +3#/definitions/io.k8s.api.core.v1.PodDNSConfigOption +Î +searchesÁ"¤A list of DNS search domains for host-name lookup. This will be appended to the base search paths generated from DNSPolicy. Duplicated search paths will be removed.² +arrayº + ² +string +ë + +0io.k8s.api.core.v1.ScaleIOPersistentVolumeSource¶ +"DScaleIOPersistentVolumeSource represents a persistent ScaleIO volumešgatewayšsystemš secretRef² +objectÊ +[ + storagePoolL"?The ScaleIO Storage Pool associated with the protection domain.² +string + + +volumeNames"fThe name of a volume already created in the ScaleIO system that is associated with this volume source.² +string +f +protectionDomainR"EThe name of the ScaleIO Protection Domain for the configured storage.² +string +x +readOnlyl"^Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.² +boolean +` + +sslEnabledR"DFlag to enable/disable SSL communication with Gateway, default false² +boolean +’ + storageMode‚"uIndicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. Default is ThinProvisioned.² +string +O +systemE"8The name of the storage system as configured in ScaleIO.² +string +  +fsType•"‡Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". Default is "xfs"² +string +D +gateway9",The host address of the ScaleIO API Gateway.² +string +Ë + secretRef½ +0#/definitions/io.k8s.api.core.v1.SecretReference"ˆSecretRef references to the secret for ScaleIO user and other sensitive information. If this is not provided, Login operation will fail. +³ +,io.k8s.api.core.v1.TypedLocalObjectReference‚"~TypedLocalObjectReference contains enough information to let you locate the typed referenced object inside the same namespace.škindšname² +objectÊå +Ú +apiGroupÍ"¿APIGroup is the group for the resource being referenced. If APIGroup is not specified, the specified Kind must be in the core API group. For any other third-party types, APIGroup is required.² +string +B +kind:"-Kind is the type of resource being referenced² +string +B +name:"-Name is the name of resource being referenced² +string +Û +9io.k8s.api.admissionregistration.v1beta1.ServiceReference";ServiceReference holds a reference to Service.legacy.k8s.ioš namespacešname² +objectʾ +@ +name8"+`name` is the name of the service. Required² +string +O + namespaceB"5`namespace` is the namespace of the service. Required² +string +f +path^"Q`path` is an optional URL path which will be sent in any request to this service.² +string +À +port·int32"¡If specified, the port on the service that hosting webhook. Default to 443 for backward compatibility. `port` should be a valid port number (1-65535, inclusive).² +integer +“ +%io.k8s.api.apps.v1.DeploymentStrategyé"HDeploymentStrategy describes how to replace existing pods with new ones.² +objectÊ +h +type`"SType of deployment. Can be "Recreate" or "RollingUpdate". Default is RollingUpdate.² +string +£ + rollingUpdate‘ +8#/definitions/io.k8s.api.apps.v1.RollingUpdateDeployment"URolling update config params. Present only if DeploymentStrategyType = RollingUpdate. +“ +*io.k8s.apimachinery.pkg.apis.meta.v1.Patche"XPatch is provided to give a concrete name and type to the Kubernetes PATCH request body.² +object +Ú +io.k8s.api.core.v1.NodeStatus¸"=NodeStatus is information about the current status of a node.² +objectÊê +q +imagesg"%List of container images on this node² +arrayº3 +1 +/#/definitions/io.k8s.api.core.v1.ContainerImage +¯ +nodeInfo¢ +/#/definitions/io.k8s.api.core.v1.NodeSystemInfo"oSet of ids/uuids to uniquely identify the node. More info: https://kubernetes.io/docs/concepts/nodes/node/#info +d + volumesInUseT"8List of attachable volumes in use (mounted) by the node.² +arrayº + ² +string +¥ + +conditions–"€Conditions is an array of current observed node conditions. More info: https://kubernetes.io/docs/concepts/nodes/node/#condition² +arrayº2 +0 +.#/definitions/io.k8s.api.core.v1.NodeConditionú' +x-kubernetes-patch-merge-keytype +ú' +x-kubernetes-patch-strategymerge + +t +daemonEndpointsa +4#/definitions/io.k8s.api.core.v1.NodeDaemonEndpoints")Endpoints of daemons running on the Node. +â +capacityÕ"…Capacity represents the total resources of a node. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#capacityª? += +;#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity² +object +‘ +config† +1#/definitions/io.k8s.api.core.v1.NodeConfigStatus"QStatus of the config assigned to the node via the dynamic Kubelet config feature. +Í +phaseÃ"µNodePhase is the recently observed lifecycle phase of the node. More info: https://kubernetes.io/docs/concepts/nodes/node/#phase The field is never populated, and now is deprecated.² +string +ƒ +volumesAttachedp".List of volumes that are attached to the node.² +arrayº3 +1 +/#/definitions/io.k8s.api.core.v1.AttachedVolume +¦ + addresses˜"„List of addresses reachable to the node. Queried from cloud provider, if available. More info: https://kubernetes.io/docs/concepts/nodes/node/#addresses Note: This field is declared as mergeable, but the merge key is not sufficiently unique, which can cause data corruption when it is merged. Callers should instead use a full-replacement patch. See http://pr.k8s.io/79391 for an example.² +arrayº0 +. +,#/definitions/io.k8s.api.core.v1.NodeAddressú' +x-kubernetes-patch-strategymerge +ú' +x-kubernetes-patch-merge-keytype + +Æ + allocatable¶"gAllocatable represents the resources of a node that are available for scheduling. Defaults to Capacity.ª? += +;#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity² +object +º +"io.k8s.api.rbac.v1.AggregationRule“"VAggregationRule describes how to locate ClusterRoles to aggregate into the ClusterRole² +objectʬ +© +clusterRoleSelectors"¼ClusterRoleSelectors holds a list of selectors which will be used to find ClusterRoles and create the rules. If any of the selectors match, then the ClusterRole's permissions will be added² +arrayºD +B +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector +à +"io.k8s.api.core.v1.SecretReference¹"lSecretReference represents a Secret Reference. It has enough information to retrieve secret in any namespace² +objectʼ +V +nameN"AName is unique within a namespace to reference a secret resource.² +string +b + namespaceU"HNamespace defines the space within which the secret name must be unique.² +string +¤ + +Iio.k8s.api.admissionregistration.v1beta1.MutatingWebhookConfigurationListÖ "KMutatingWebhookConfigurationList is a list of MutatingWebhookConfiguration.šitems² +objectÊç +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +• +items‹"%List of MutatingWebhookConfiguration.² +arrayºW +U +S#/definitions/io.k8s.api.admissionregistration.v1beta1.MutatingWebhookConfiguration +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +Ï +metadata +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"‚Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kindsú‡ +x-kubernetes-group-version-kinddb- version: v1beta1 + group: admissionregistration.k8s.io + kind: MutatingWebhookConfigurationList + +Ø +Cio.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIServiceStatus"AAPIServiceStatus contains derived information about an API server² +objectʾ +» + +conditions¬"$Current service state of apiService.² +arrayºX +V +T#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.APIServiceConditionú' +x-kubernetes-list-map-keys - type +ú +x-kubernetes-list-typemap +ú' +x-kubernetes-patch-merge-keytype +ú' +x-kubernetes-patch-strategymerge + +ê +%io.k8s.api.core.v1.PodSecurityContextÀ"ôPodSecurityContext holds pod-level security attributes and common container settings. Some fields are also present in container.securityContext. Field values of container.securityContext take precedence over field values of PodSecurityContext.² +objectʺ +È +fsGroup¼int64"¦A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod: + +1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR'd with rw-rw---- + +If unset, the Kubelet will not modify the ownership and permissions of any volume.² +integer +° +fsGroupChangePolicy˜"ŠfsGroupChangePolicy defines behavior of changing ownership and permission of the volume before being exposed inside Pod. This field will only apply to volume types which support fsGroup based ownership(and permissions). It will have no effect on ephemeral volume types such as: secret, configmaps and emptydir. Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.² +string +À + runAsUser²int64"œThe UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container.² +integer +… +seLinuxOptionsò +/#/definitions/io.k8s.api.core.v1.SELinuxOptions"¾The SELinux context to be applied to all containers. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. +Í +windowsOptionsº +>#/definitions/io.k8s.api.core.v1.WindowsSecurityContextOptions"÷The Windows specific settings applied to all containers. If unspecified, the options within a container's SecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. +£ + +runAsGroup”int64"þThe GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container.² +integer +º + runAsNonRoot©"šIndicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.² +boolean +~ +seccompProfilel +/#/definitions/io.k8s.api.core.v1.SeccompProfile"9The seccomp options to use by the containers in this pod. +ç +supplementalGroupsÐ"«A list of groups applied to the first process run in each container, in addition to the container's primary GID. If unspecified, no groups will be added to any container.² +arrayº +int64² +integer +Ñ +sysctlsÅ"ŠSysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch.² +arrayº+ +) +'#/definitions/io.k8s.api.core.v1.Sysctl +œ +$io.k8s.api.core.v1.SecretKeySelectoró",SecretKeySelector selects a key of a Secret.škey² +objectÊ° +„ +name|"oName of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names² +string +O +optionalC"5Specify whether the Secret or its key must be defined² +boolean +V +keyO"BThe key of the secret to select from. Must be a valid secret key.² +string +‘ +(io.k8s.api.core.v1.SessionAffinityConfigä"HSessionAffinityConfig represents the configurations of session affinity.² +objectÊ‹ +ˆ +clientIP| +/#/definitions/io.k8s.api.core.v1.ClientIPConfig"IclientIP contains the configurations of Client IP based session affinity. +  +)io.k8s.api.storage.v1.VolumeNodeResourcesò"JVolumeNodeResources is a set of resource limits for scheduling of volumes.² +objectÊ— +” +countŠint32"ôMaximum number of unique volumes managed by the CSI driver that can be used on a node. A volume that is both attached and mounted on a node is considered to be used once, not twice. The same rule applies for a unique volume that is shared among multiple pods on the same node. If this field is not specified, then the supported number of volumes on this node is unbounded.² +integer +ç +3io.k8s.api.autoscaling.v2beta2.ResourceMetricSource¯"ÊResourceMetricSource indicates how to scale on a resource metric known to Kubernetes, as specified in requests and limits, describing each pod in the current scale target (e.g. CPU or memory). The values will be averaged together before being compared to the target. Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the "pods" source. Only one "target" type should be set.šnameštarget² +objectÊà +B +name:"-name is the name of the resource in question.² +string +} +targets +9#/definitions/io.k8s.api.autoscaling.v2beta2.MetricTarget"6target specifies the target value for the given metric +È +&io.k8s.api.batch.v1beta1.CronJobStatus"9CronJobStatus represents the current state of a cron job.² +objectÊÓ +“ +lastSuccessfulTime} +7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"BInformation when was the last time the job successfully completed. +¡ +active–"-A list of pointers to currently running jobs.² +arrayº4 +2 +0#/definitions/io.k8s.api.core.v1.ObjectReferenceú# +x-kubernetes-list-type atomic + +– +lastScheduleTime +7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"FInformation when was the last time the job was successfully scheduled. + +-io.k8s.api.core.v1.FlexPersistentVolumeSourceÝ"ƒFlexPersistentVolumeSource represents a generic persistent volume resource that is provisioned/attached using an exec based plugin.šdriver² +objectÊ¿ +O +driverE"8Driver is the name of the driver to use for this volume.² +string +Ä +fsType¹"«Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script.² +string +O +optionsD"'Optional: Extra command options if any.ª + ² +string² +object +‚ +readOnlyv"hOptional: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.² +boolean +Î + secretRefÀ +0#/definitions/io.k8s.api.core.v1.SecretReference"‹Optional: SecretRef is reference to the secret object containing sensitive information to pass to the plugin scripts. This may be empty if no secret object is specified. If the secret object contains more than one secret, all secrets are passed to the plugin scripts. +„ +io.k8s.api.rbac.v1.RoleListä"!RoleList is a collection of Rolesšitems² +objectÊÀ +f +metadataZ +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"Standard object's metadata. +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +Y +itemsP"Items is a list of Roles² +arrayº) +' +%#/definitions/io.k8s.api.rbac.v1.Role +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +stringúg +x-kubernetes-group-version-kindDB- group: rbac.authorization.k8s.io + kind: RoleList + version: v1 + + +:io.k8s.api.autoscaling.v2beta1.CrossVersionObjectReferenceÂ"bCrossVersionObjectReference contains enough information to let you identify the referred resource.škindšname² +objectÊÁ +l +named"WName of the referent; More info: http://kubernetes.io/docs/user-guide/identifiers#names² +string +6 + +apiVersion("API version of the referent² +string +˜ +kind"Kind of the referent; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"² +string +ƒ +io.k8s.api.core.v1.EndpointPortß"5EndpointPort is a tuple that describes a single port.šport² +objectÊ’ +b +protocolV"IThe IP protocol for this port. Must be UDP, TCP, or SCTP. Default is TCP.² +string +½ + appProtocol­"ŸThe application protocol for this port. This field follows standard Kubernetes label syntax. Un-prefixed names are reserved for IANA standard service names (as per RFC-6335 and http://www.iana.org/assignments/service-names). Non-standard protocols should use prefixed names such as mycompany.com/my-custom-protocol. This is a beta field that is guarded by the ServiceAppProtocol feature gate and enabled by default.² +string +¬ +name£"•The name of this port. This must match the 'name' field in the corresponding ServicePort. Must be a DNS_LABEL. Optional only if one port is defined.² +string += +port5int32" The port number of the endpoint.² +integer +º + +'.² +string +z +imageq"dThe image the container is running. More info: https://kubernetes.io/docs/concepts/containers/images² +string +¿ + restartCount®int32"˜The number of times the container has been restarted, currently based on the number of dead containers that have not yet been removed. Note that this is calculated from dead containers. But those containers are subject to garbage collection. This value will get capped at 5 by GC.² +integer +9 +imageID."!ImageID of the container's image.² +string +y + lastStatel +/#/definitions/io.k8s.api.core.v1.ContainerState"9Details about the container's last termination condition. +r +namej"]This must be a DNS_LABEL. Each container in a pod must have a unique name. Cannot be updated.² +string +V +readyM"?Specifies whether the container has passed its readiness probe.² +boolean +° +started¤"•Specifies whether the container has passed its startup probe. Initialized as false, becomes true after startupProbe is considered successful. Resets to false when the container is restarted, or if kubelet loses state temporarily. Is always true when no startupProbe is defined.² +boolean +l +statec +/#/definitions/io.k8s.api.core.v1.ContainerState"0Details about the container's current condition. +© +&io.k8s.api.core.v1.LoadBalancerIngressþ"LoadBalancerIngress represents the status of a load-balancer ingress point: traffic intended for the service should be sent to an ingress point.² +objectÊÜ +{ +hostnameo"bHostname is set for load-balancer ingress points that are DNS based (typically AWS load-balancers)² +string +{ +ipu"hIP is set for load-balancer ingress points that are IP based (typically GCE or OpenStack load-balancers)² +string +ß +portsÕ"qPorts is a list of records of service ports If used, every port defined in the service should have an entry in it² +arrayº/ +- ++#/definitions/io.k8s.api.core.v1.PortStatusú# +x-kubernetes-list-type atomic + +‚ +*io.k8s.api.core.v1.PreferredSchedulingTermÓ"®An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).šweightš +preference² +objectÊý +‚ + +preferencet +1#/definitions/io.k8s.api.core.v1.NodeSelectorTerm"?A node selector term, associated with the corresponding weight. +v +weightlint32"WWeight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.² +integer +› +.io.k8s.api.storage.v1beta1.VolumeNodeResourcesè"JVolumeNodeResources is a set of resource limits for scheduling of volumes.² +objectÊ +Š +count€int32"êMaximum number of unique volumes managed by the CSI driver that can be used on a node. A volume that is both attached and mounted on a node is considered to be used once, not twice. The same rule applies for a unique volume that is shared among multiple pods on the same node. If this field is nil, then the supported number of volumes on this node is unbounded.² +integer +•4 +8io.k8s.api.admissionregistration.v1beta1.MutatingWebhookØ3"^MutatingWebhook describes an admission webhook and the resources and operations it applies to.šnameš clientConfig² +objectÊÓ2 +° +admissionReviewVersions”"÷AdmissionReviewVersions is an ordered list of preferred `AdmissionReview` versions the Webhook expects. API server will try to use first version in the list which it supports. If none of the versions specified in this list supported by API server, validation will fail for this object. If a persisted webhook configuration specifies allowed versions and does not include any versions known to the API Server, calls to the webhook will fail and be subject to the failure policy. Default to `['v1beta1']`.² +arrayº + ² +string +ž + clientConfig +J#/definitions/io.k8s.api.admissionregistration.v1beta1.WebhookClientConfig"?ClientConfig defines how to communicate with the hook. Required +ç +nameÞ"ÐThe name of the admission webhook. Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where "imagepolicy" is the name of the webhook, and kubernetes.io is the name of the organization. Required.² +string +Ý +namespaceSelectorÇ +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"‚ NamespaceSelector decides whether to run the webhook on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is another cluster scoped resource, it never skips the webhook. + +For example, to run the webhook on any objects whose namespace is not associated with "runlevel" of "0" or "1"; you will set the selector as follows: "namespaceSelector": { + "matchExpressions": [ + { + "key": "runlevel", + "operator": "NotIn", + "values": [ + "0", + "1" + ] + } + ] +} + +If instead you want to only run the webhook on any objects whose namespace is associated with the "environment" of "prod" or "staging"; you will set the selector as follows: "namespaceSelector": { + "matchExpressions": [ + { + "key": "environment", + "operator": "In", + "values": [ + "prod", + "staging" + ] + } + ] +} + +See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ for more examples of label selectors. + +Default to the empty LabelSelector, which matches everything. +é +objectSelectorÖ +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"‘ObjectSelector decides whether to run the webhook based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the webhook, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Default to the empty LabelSelector, which matches everything. + +reinvocationPolicyù"ëreinvocationPolicy indicates whether this webhook should be called multiple times as part of a single admission evaluation. Allowed values are "Never" and "IfNeeded". + +Never: the webhook will not be called more than once in a single admission evaluation. + +IfNeeded: the webhook will be called at least one additional time as part of the admission evaluation if the object being admitted is modified by other admission plugins after the initial webhook call. Webhooks that specify this option *must* be idempotent, able to process objects they previously admitted. Note: * the number of additional invocations is not guaranteed to be exactly one. * if additional invocations result in further modifications to the object, webhooks are not guaranteed to be invoked again. * webhooks that use this option may be reordered to minimize the number of additional invocations. * to validate an object after all mutations are guaranteed complete, use a validating admission webhook instead. + +Defaults to "Never".² +string +î +rulesä"‡Rules describes what operations on what resources/subresources the webhook cares about. The webhook cares about an operation if it matches _any_ Rule. However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks from putting the cluster in a state which cannot be recovered from without completely disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects.² +arrayºM +K +I#/definitions/io.k8s.api.admissionregistration.v1beta1.RuleWithOperations +œ +timeoutSeconds‰int32"óTimeoutSeconds specifies the timeout for this webhook. After the timeout passes, the webhook call will be ignored or the API call will fail based on the failure policy. The timeout value must be between 1 and 30 seconds. Default to 30 seconds.² +integer +® + failurePolicyœ"ŽFailurePolicy defines how unrecognized errors from the admission endpoint are handled - allowed values are Ignore or Fail. Defaults to Ignore.² +string +— + matchPolicy‡"ùmatchPolicy defines how the "rules" list is used to match incoming requests. Allowed values are "Exact" or "Equivalent". + +- Exact: match a request only if it exactly matches a specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook. + +- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`, a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook. + +Defaults to "Exact"² +string +Ø + sideEffectsÈ"ºSideEffects states whether this webhook has side effects. Acceptable values are: Unknown, None, Some, NoneOnDryRun Webhooks with side effects MUST implement a reconciliation system, since a request may be rejected by a future step in the admission chain and the side effects therefore need to be undone. Requests with the dryRun attribute will be auto-rejected if they match a webhook with sideEffects == Unknown or Some. Defaults to Unknown.² +string +… +6io.k8s.api.autoscaling.v2beta1.HorizontalPodAutoscalerÊ "ÎHorizontalPodAutoscaler is the configuration for a horizontal pod autoscaler, which automatically manages the replica count of any resource implementing the scale subresource based on the metrics specified.² +objectÊú +„ +specû +H#/definitions/io.k8s.api.autoscaling.v2beta1.HorizontalPodAutoscalerSpec"®spec is the specification for the behaviour of the autoscaler. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status. + +status… +J#/definitions/io.k8s.api.autoscaling.v2beta1.HorizontalPodAutoscalerStatus"7status is the current information about the autoscaler. +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +à +metadataÓ +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"‘metadata is the standard object metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadataúm +x-kubernetes-group-version-kindJH- group: autoscaling + kind: HorizontalPodAutoscaler + version: v2beta1 + +Ó +7io.k8s.apimachinery.pkg.apis.meta.v1.ManagedFieldsEntry— "sManagedFieldsEntry is a workflow-id, a FieldSet and the group version of the resource that the fieldset applies to.² +objectÊ“ + +fieldsV1 +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.FieldsV1"QFieldsV1 holds the first JSON version format as described in the "FieldsV1" type. +W +managerL"?Manager is an identifier of the workflow managing these fields.² +string +² + operation¤"–Operation is the type of operation which lead to this ManagedFieldsEntry being created. The only valid values for this field are 'Apply' and 'Update'.² +string +¦ +time +7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"bTime is timestamp of when these fields were set. It should always be empty if Operation is 'Apply' +– + +apiVersion‡"ùAPIVersion defines the version of this resource that this field set applies to. The format is "group/version" just like the top-level APIVersion field. It is necessary to track the version of a field set because it cannot be automatically converted.² +string +  + +fieldsType‘"ƒFieldsType is the discriminator for the different fields format and version. There is currently only one possible value: "FieldsV1"² +string +¨A +/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMetaô@"lObjectMeta is metadata that all persisted resources must have, which includes all objects users must create.² +objectÊ÷? +¢ + namespace”"†Namespace defines the space within which each name must be unique. An empty namespace is equivalent to the "default" namespace, but "default" is the canonical representation. Not all objects are required to be scoped to a namespace - the value of this field for those objects will be empty. + +Must be a DNS_LABEL. Cannot be updated. More info: http://kubernetes.io/docs/user-guide/namespaces² +string +³ +uid«"UID is the unique in time and space value for this object. It is typically generated by the server on successful creation of a resource and is not allowed to change on PUT operations. + +Populated by the system. Read-only. More info: http://kubernetes.io/docs/user-guide/identifiers#uids² +string +À + annotations°"’Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotationsª + ² +string² +object + + clusterName"ÿThe name of the cluster which the object belongs to. This is used to distinguish resources with same name and namespace in different clusters. This field is not set anywhere right now and apiserver is going to ignore it if set in create or update request.² +string +î +creationTimestampØ +7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"œCreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. + +Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata +Þ + +finalizersÏ"ˆMust be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed. Finalizers may be processed and removed in any order. Order is NOT enforced because it introduces significant risk of stuck finalizers. finalizers is a shared field, any actor with permission can reorder it. If the finalizer list is processed in order, then this can lead to a situation in which the component responsible for the first finalizer in the list is waiting for a signal (field value, external system, or other) produced by a component responsible for a finalizer later in the list, resulting in a deadlock. Without enforced ordering finalizers are free to order amongst themselves and are not vulnerable to ordering changes in the list.² +arrayº + ² +stringú' +x-kubernetes-patch-strategymerge + +¶ + generateName¥"—GenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. If this field is used, the name returned to the client will be different than the name passed. This value will also be combined with a unique suffix. The provided value has the same validation rules as the Name field, and may be truncated by the length of the suffix required to make the value unique on the server. + +If this field is specified and the generated name exists, the server will NOT return a 409 - instead, it will either return 201 Created or 500 with Reason ServerTimeout indicating a unique name could not be found in the time allotted, and the client should retry (optionally after the time indicated in the Retry-After header). + +Applied only if Name is not specified. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency² +string +‚ +labels÷"ÙMap of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: http://kubernetes.io/docs/user-guide/labelsª + ² +string² +object +ê +selfLinkÝ"ÏSelfLink is a URL representing this object. Populated by the system. Read-only. + +DEPRECATED Kubernetes will stop propagating this field in 1.20 release and the field is planned to be removed in 1.21 release.² +string +ð +deletionGracePeriodSecondsÑint64"»Number of seconds allowed for this object to gracefully terminate before it will be removed from the system. Only set when deletionTimestamp is also set. May only be shortened. Read-only.² +integer +¤ +deletionTimestampŽ +7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"Ò +DeletionTimestamp is RFC 3339 date and time at which this resource will be deleted. This field is set by the server when a graceful deletion is requested by the user, and is not directly settable by a client. The resource is expected to be deleted (no longer visible from resource lists, and not reachable by name) after the time in this field, once the finalizers list is empty. As long as the finalizers list contains items, deletion is blocked. Once the deletionTimestamp is set, this value may not be unset or be set further into the future, although it may be shortened or the resource may be deleted prior to this time. For example, a user may request that a pod is deleted in 30 seconds. The Kubelet will react by sending a graceful termination signal to the containers in the pod. After that 30 seconds, the Kubelet will send a hard termination signal (SIGKILL) to the container and after cleanup, remove the pod from the API. In the presence of network partitions, this object may still exist after this timestamp, until an administrator or automated process can determine the resource is fully terminated. If not set, graceful deletion of the object has not been requested. + +Populated by the system when a graceful deletion is requested. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata +’ + +generationƒint64"nA sequence number representing a specific generation of the desired state. Populated by the system. Read-only.² +integer +ø +ownerReferencesä"¼List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller.² +arrayºE +C +A#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.OwnerReferenceú' +x-kubernetes-patch-strategymerge +ú& +x-kubernetes-patch-merge-keyuid + +ƒ + managedFieldsñ"˜ManagedFields maps workflow-id and version to the set of fields that are managed by that workflow. This is mostly for internal housekeeping, and users typically shouldn't need to set or understand this field. A workflow can be the user's name, a controller's name, or the name of a specific apply path like "ci-cd". The set of fields is always in the version that the workflow used when modifying the object.² +arrayºI +G +E#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ManagedFieldsEntry +õ +nameì"ÞName must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: http://kubernetes.io/docs/user-guide/identifiers#names² +string +‘ +resourceVersioný"ïAn opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed. May be used for optimistic concurrency, change detection, and the watch operation on a resource or set of resources. Clients must treat these values as opaque and passed unmodified back to the server. They may only be valid for a particular resource or set of resources. + +Populated by the system. Read-only. Value must be treated as opaque by clients and . More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency² +string +Ê +#io.k8s.api.apps.v1.ReplicaSetStatus¢"?ReplicaSetStatus represents the current status of a ReplicaSet.šreplicas² +objectÊÇ +Ø +replicasËint32"µReplicas is the most recently oberved number of replicas. More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller/#what-is-a-replicationcontroller² +integer +… +availableReplicaspint32"[The number of available replicas (ready for at least minReadySeconds) for this replica set.² +integer +ø + +conditionsé"NRepresents the latest available observations of a replica set's current state.² +arrayº8 +6 +4#/definitions/io.k8s.api.apps.v1.ReplicaSetConditionú' +x-kubernetes-patch-merge-keytype +ú' +x-kubernetes-patch-strategymerge + +‹ +fullyLabeledReplicassint32"^The number of pods that have labels matching the labels of the pod template of the replicaset.² +integer + +observedGenerationiint64"TObservedGeneration reflects the generation of the most recently observed ReplicaSet.² +integer +X + readyReplicasGint32"2The number of ready replicas for this replica set.² +integer +Œ +#io.k8s.api.core.v1.NodeSelectorTermä"¥A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.² +objectÊ­ +– +matchExpressions"6A list of node selector requirements by node's labels.² +arrayº< +: +8#/definitions/io.k8s.api.core.v1.NodeSelectorRequirement +‘ + matchFields"6A list of node selector requirements by node's fields.² +arrayº< +: +8#/definitions/io.k8s.api.core.v1.NodeSelectorRequirement +å +.io.k8s.api.rbac.v1beta1.ClusterRoleBindingList² "ºClusterRoleBindingList is a collection of ClusterRoleBindings. Deprecated in v1.17 in favor of rbac.authorization.k8s.io/v1 ClusterRoleBindingList, and will no longer be served in v1.22.šitems² +objectÊá +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +z +itemsq"&Items is a list of ClusterRoleBindings² +arrayº< +: +8#/definitions/io.k8s.api.rbac.v1beta1.ClusterRoleBinding +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +f +metadataZ +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"Standard object's metadata.úz +x-kubernetes-group-version-kindWU- group: rbac.authorization.k8s.io + kind: ClusterRoleBindingList + version: v1beta1 + +½ +Wio.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionStatusá"RCustomResourceDefinitionStatus indicates the state of the CustomResourceDefinition² +objectÊþ +¥ + +conditions–"Nconditions indicate state for particular aspects of a CustomResourceDefinition² +arrayºl +j +h#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionConditionú' +x-kubernetes-list-map-keys - type +ú +x-kubernetes-list-typemap + +Ü +storedVersionsÉ"¬storedVersions lists all versions of CustomResources that were ever persisted. Tracking these versions allows a migration path for stored versions in etcd. The field is mutable so a migration controller can finish a migration to another version (ensuring no old objects are left in storage), and then remove the rest of the versions from this list. Versions may not be removed from `spec.versions` while they exist in this list.² +arrayº + ² +string +ô + acceptedNamesâ +d#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionNames"zacceptedNames are the names that are actually being used to serve discovery. They may be different than the names in spec. +• + +Dio.k8s.api.admissionregistration.v1.MutatingWebhookConfigurationListÌ "KMutatingWebhookConfigurationList is a list of MutatingWebhookConfiguration.šitems² +objectÊâ +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string + +items†"%List of MutatingWebhookConfiguration.² +arrayºR +P +N#/definitions/io.k8s.api.admissionregistration.v1.MutatingWebhookConfiguration +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +Ï +metadata +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"‚Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kindsú‚ +x-kubernetes-group-version-kind_]- group: admissionregistration.k8s.io + kind: MutatingWebhookConfigurationList + version: v1 + +¶ + +!io.k8s.api.apps.v1.ReplicaSetSpec +"4ReplicaSetSpec is the specification of a ReplicaSet.šselector² +objectÊÀ +ƒ +minReadySecondsïint32"ÙMinimum number of seconds for which a newly created pod should be ready without any of its container crashing, for it to be considered available. Defaults to 0 (pod will be considered available as soon as it is ready)² +integer +¡ +replicas”int32"þReplicas is the number of desired replicas. This is a pointer to distinguish between explicit zero and unspecified. Defaults to 1. More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller/#what-is-a-replicationcontroller² +integer +ý +selectorð +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"«Selector is a label query over pods that should match the replica count. Label keys and values that must match in order to be controlled by this replica set. It must match the pod template's labels. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors +“ +template† +0#/definitions/io.k8s.api.core.v1.PodTemplateSpec"ÑTemplate is the object that describes the pod that will be created if insufficient replicas are detected. More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-template +Ù +%io.k8s.api.core.v1.LoadBalancerStatus¯"/? -> backend where where parts of the url correspond to RFC 3986, this resource will be used to match against everything after the last '/' and before the first '?' or '#'.špaths² +objectÊ +Œ +paths‚"4A collection of paths that map requests to backends.² +arrayº? += +;#/definitions/io.k8s.api.networking.v1beta1.HTTPIngressPath + + +\io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceColumnDefinition¼ "KCustomResourceColumnDefinition specifies a column for server side printing.šnameštypešJSONPath² +objectÊÇ +ª +JSONPath"JSONPath is a simple JSON path (i.e. with array notation) which is evaluated against each custom resource to produce the value for this column.² +string +W + descriptionH";description is a human readable description of this column.² +string +¸ +format­"Ÿformat is an optional OpenAPI type definition for this column. The 'name' format is applied to the primary identifier column to assist in clients identifying column is the resource name. See https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#data-types for details.² +string +B +name:"-name is a human readable name for the column.² +string + +priority€int32"êpriority is an integer defining the relative importance of this column compared to others. Lower numbers are considered higher priority. Columns that may be omitted in limited space scenarios should be given a priority greater than 0.² +integer +¯ +type¦"˜type is an OpenAPI type definition for this column. See https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#data-types for details.² +string +í +io.k8s.api.apps.v1.ReplicaSetË "YReplicaSet ensures that a specified number of pod replicas are running at any given time.² +objectÊŠ +õ +specì +/#/definitions/io.k8s.api.apps.v1.ReplicaSetSpec"¸Spec defines the specification of the desired behavior of the ReplicaSet. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status +Ç +status¼ +1#/definitions/io.k8s.api.apps.v1.ReplicaSetStatus"†Status is the most recently observed status of the ReplicaSet. This data may be out of date by some window of time. Populated by the system. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +È +metadata» +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"ùIf the Labels of a ReplicaSet are empty, they are defaulted to be the same as the Pod(s) that the ReplicaSet manages. Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadataúT +x-kubernetes-group-version-kind1/- group: apps + kind: ReplicaSet + version: v1 + +ó +io.k8s.api.events.v1.EventListÐ"%EventList is a list of Event objects.šitems² +objectʳ +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +f +items]""items is a list of schema objects.² +arrayº, +* +(#/definitions/io.k8s.api.events.v1.Event +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +Ë +metadata¾ +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadataú\ +x-kubernetes-group-version-kind97- group: events.k8s.io + kind: EventList + version: v1 + +ª + io.k8s.api.batch.v1.JobCondition…".JobCondition describes current state of a job.štypešstatus² +objectʶ +? +type7"*Type of job condition, Complete or Failed.² +string +p + lastProbeTime_ +7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"$Last time the condition was checked. +Œ +lastTransitionTimev +7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time";Last time the condition transit from one status to another. +X +messageM"@Human readable message indicating details about last transition.² +string +J +reason@"3(brief) reason for the condition's last transition.² +string +L +statusB"5Status of the condition, one of True, False, Unknown.² +string +à +io.k8s.api.discovery.v1.ForZoneŸ"LForZone provides information about which zones should consume this endpoint.šname² +objectÊ< +: +name2"%name represents the name of the zone.² +string +Ó +*io.k8s.api.networking.v1.NetworkPolicySpec¤"?NetworkPolicySpec provides the specification of a NetworkPolicyš podSelector² +objectÊÆ +Ï +egressÄ"òList of egress rules to be applied to the selected pods. Outgoing traffic is allowed if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic matches at least one egress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy limits all outgoing traffic (and serves solely to ensure that the pods it selects are isolated by default). This field is beta-level in 1.8² +arrayºB +@ +>#/definitions/io.k8s.api.networking.v1.NetworkPolicyEgressRule +ã +ingress×"„List of ingress rules to be applied to the selected pods. Traffic is allowed to a pod if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic source is the pod's local node, OR if the traffic matches at least one ingress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy does not allow any traffic (and serves solely to ensure that the pods it selects are isolated by default)² +arrayºC +A +?#/definitions/io.k8s.api.networking.v1.NetworkPolicyIngressRule +Û + podSelectorË +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"†Selects the pods to which this NetworkPolicy object applies. The array of ingress rules is applied to any pods selected by this field. Multiple network policies can select the same set of pods. In this case, the ingress rules for each are combined additively. This field is NOT optional and follows standard label selector semantics. An empty podSelector matches all pods in this namespace. +­ + policyTypes"€List of rule types that the NetworkPolicy relates to. Valid options are ["Ingress"], ["Egress"], or ["Ingress", "Egress"]. If this field is not specified, it will default based on the existence of Ingress or Egress rules; policies that contain an Egress section are assumed to affect Egress, and all policies (whether or not they contain an Ingress section) are assumed to affect Ingress. If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ]. Likewise, if you want to write a policy that specifies that no egress is allowed, you must specify a policyTypes value that include "Egress" (since such a policy would not include an Egress section and would otherwise default to just [ "Ingress" ]). This field is beta-level in 1.8² +arrayº + ² +string +…" +Zio.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceDefinitionSpec¦!"PCustomResourceDefinitionSpec describes how a user wants their resource to appearšgroupšnamesšscope² +objectÊ­ +Ñ +preserveUnknownFields·"¨preserveUnknownFields indicates that object fields which are not specified in the OpenAPI schema should be preserved when persisting to storage. apiVersion, kind, metadata and known fields inside metadata are always preserved. If false, schemas must be defined for all versions. Defaults to true in v1beta for backwards compatibility. Deprecated: will be required to be false in v1. Preservation of unknown fields can be specified in the validation schema using the `x-kubernetes-preserve-unknown-fields: true` extension. See https://kubernetes.io/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions/#pruning-versus-preserving-unknown-fields for details.² +boolean +´ +scopeª"œscope indicates whether the defined custom resource is cluster- or namespace-scoped. Allowed values are `Cluster` and `Namespaced`. Default is `Namespaced`.² +string +à + subresources² +f#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceSubresources"Çsubresources specify what subresources the defined custom resource has. If present, this field configures subresources for all versions. Top-level and per-version subresources are mutually exclusive. +ª + +conversion› +d#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceConversion"3conversion defines conversion settings for the CRD. +å +groupÛ"Ígroup is the API group of the defined custom resource. The custom resources are served under `/apis//...`. Must match the name of the CustomResourceDefinition (in the form `.`).² +string +¹ +names¯ +i#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceDefinitionNames"Bnames specify the resource and kind names for the custom resource. + +versions"‘versions is the list of all API versions of the defined custom resource. Optional if `version` is specified. The name of the first item in the `versions` list must match the `version` field if `version` and `versions` are both specified. Version names are used to compute the order in which served versions are listed in API discovery. If the version string is "kube-like", it will sort above non "kube-like" version strings, which are ordered lexicographically. "Kube-like" versions start with a "v", then are followed by a number (the major version), then optionally the string "alpha" or "beta" and another number (the minor version). These are sorted first by GA > beta > alpha (where GA is a version with no suffix such as beta or alpha), and then by comparing major version, then minor version. An example sorted list of versions: v10, v2, v1, v11beta2, v10beta3, v3beta1, v12alpha1, v11alpha2, foo1, foo10.² +arrayºo +m +k#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceDefinitionVersion +Å +additionalPrinterColumns¨"ªadditionalPrinterColumns specifies additional columns returned in Table output. See https://kubernetes.io/docs/reference/using-api/api-concepts/#receiving-resources-as-tables for details. If present, this field configures columns for all versions. Top-level and per-version columns are mutually exclusive. If no top-level or per-version columns are specified, a single column displaying the age of the custom resource is used.² +arrayºn +l +j#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceColumnDefinition +Î + +validation¿ +d#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceValidation"Övalidation describes the schema used for validation and pruning of the custom resource. If present, this validation schema is used to validate all versions. Top-level and per-version schemas are mutually exclusive. +Ï +versionÃ"µversion is the API version of the defined custom resource. The custom resources are served under `/apis///...`. Must match the name of the first item in the `versions` list if `version` and `versions` are both specified. Optional if `versions` is specified. Deprecated: use `versions` instead.² +string +Õ +5io.k8s.api.autoscaling.v1.HorizontalPodAutoscalerList›"*list of horizontal pod autoscaler objects.šitems² +objectÊé +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +… +items|"*list of horizontal pod autoscaler objects.² +arrayºC +A +?#/definitions/io.k8s.api.autoscaling.v1.HorizontalPodAutoscaler +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +b +metadataV +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"Standard list metadata.úl +x-kubernetes-group-version-kindIG- group: autoscaling + kind: HorizontalPodAutoscalerList + version: v1 + +é +The certificate request itself and any additional information. + +statusw +M#/definitions/io.k8s.api.certificates.v1beta1.CertificateSigningRequestStatus"&Derived information about the request.úw +x-kubernetes-group-version-kindTR- group: certificates.k8s.io + kind: CertificateSigningRequest + version: v1beta1 + +þ +io.k8s.api.core.v1.Bindingß "¡Binding ties one object to another; for example, a pod is bound to a node by a scheduler. Deprecated in 1.7, please use the bindings subresource of pods instead.štarget² +objectÊÑ +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +Ò +metadataÅ +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"ƒStandard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata +} +targets +0#/definitions/io.k8s.api.core.v1.ObjectReference"?The target object that you want to bind to the standard object.úO +x-kubernetes-group-version-kind,*- group: "" + kind: Binding + version: v1 + +¢ +'io.k8s.api.core.v1.EmptyDirVolumeSourceö"uRepresents an empty directory for a pod. Empty directory volumes support ownership management and SELinux relabeling.² +objectÊð +… +mediumú"ìWhat type of storage medium should back this directory. The default is "" which means to use the node's default medium. Must be an empty string (default) or Memory. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir² +string +å + sizeLimit× +;#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"—Total amount of local storage required for this EmptyDir volume. The size limit is also applicable for memory medium. The maximum usage on memory medium EmptyDir would be the minimum value between the SizeLimit specified here and the sum of memory limits of all containers in a pod. The default is nil which means that the limit is undefined. More info: http://kubernetes.io/docs/user-guide/volumes#emptydir +à +0io.k8s.api.core.v1.PersistentVolumeClaimTemplateŽ"sPersistentVolumeClaimTemplate is used to produce PersistentVolumeClaim objects as part of an EphemeralVolumeSource.šspec² +objectʃ +è +metadataÛ +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"™May contain labels and annotations that will be copied into the PVC when creating it. No other fields are allowed and will be rejected during validation. +• +specŒ +:#/definitions/io.k8s.api.core.v1.PersistentVolumeClaimSpec"ÍThe specification for the PersistentVolumeClaim. The entire content is copied unchanged into the PVC that gets created from this template. The same fields as in a PersistentVolumeClaim are also valid here. +õ +0io.k8s.api.core.v1.ServiceAccountTokenProjectionÀ"ìServiceAccountTokenProjection represents a projected service account token volume. This projection can be used to insert a service account token into the pods runtime filesystem for use against APIs (Kubernetes API Server or otherwise).špath² +objectÊ» +’ +audience…"÷Audience is the intended audience of the token. A recipient of a token must identify itself with an identifier specified in the audience of the token, and otherwise should reject the token. The audience defaults to the identifier of the apiserver.² +string +¹ +expirationSeconds£int64"ExpirationSeconds is the requested duration of validity of the service account token. As the token approaches expiration, the kubelet volume plugin will proactively rotate the service account token. The kubelet will start trying to rotate the token if the token is older than 80 percent of its time to live or if the token is older than 24 hours.Defaults to 1 hour and must be at least 10 minutes.² +integer +h +path`"SPath is the path relative to the mount point of the file to project the token into.² +string +× +3io.k8s.api.autoscaling.v2beta2.ExternalMetricStatusŸ"nExternalMetricStatus indicates the current value of a global metric not associated with any Kubernetes object.šmetricšcurrent² +objectÊ +„ +currenty +>#/definitions/io.k8s.api.autoscaling.v2beta2.MetricValueStatus"7current contains the current value for the given metric +ƒ +metricy +=#/definitions/io.k8s.api.autoscaling.v2beta2.MetricIdentifier"8metric identifies the target metric by name and selector + +/io.k8s.api.autoscaling.v2beta2.PodsMetricSourceŽ"åPodsMetricSource indicates how to scale on a metric describing each pod in the current scale target (for example, transactions-processed-per-second). The values will be averaged together before being compared to the target value.šmetricštarget² +objectÊ… +ƒ +metricy +=#/definitions/io.k8s.api.autoscaling.v2beta2.MetricIdentifier"8metric identifies the target metric by name and selector +} +targets +9#/definitions/io.k8s.api.autoscaling.v2beta2.MetricTarget"6target specifies the target value for the given metric +¢9 +io.k8s.api.core.v1.Volume„9"[Volume represents a named volume in a pod that may be accessed by any container in the pod.šname² +objectÊ‘8 + +quobyteƒ +4#/definitions/io.k8s.api.core.v1.QuobyteVolumeSource"KQuobyte represents a Quobyte mount on the host that shares a pod's lifetime +Ÿ + azureFile‘ +6#/definitions/io.k8s.api.core.v1.AzureFileVolumeSource"WAzureFile represents an Azure File Service mount on the host and bind mount to the pod. +Ð +cinderÅ +3#/definitions/io.k8s.api.core.v1.CinderVolumeSource"Cinder represents a cinder volume attached and mounted on kubelets host machine. More info: https://examples.k8s.io/mysql-cinder-pd/README.md +ˆ + configMap{ +6#/definitions/io.k8s.api.core.v1.ConfigMapVolumeSource"AConfigMap represents a configMap that should populate this volume +Ä +nfs¼ +0#/definitions/io.k8s.api.core.v1.NFSVolumeSource"‡NFS represents an NFS mount on the host that shares a pod's lifetime More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs +Î +photonPersistentDiskµ +A#/definitions/io.k8s.api.core.v1.PhotonPersistentDiskVolumeSource"pPhotonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine +» + ephemeral­ +6#/definitions/io.k8s.api.core.v1.EphemeralVolumeSource"òEphemeral represents a volume that is handled by a cluster storage driver. The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts, and deleted when the pod is removed. + +Use this if: a) the volume is only needed while the pod runs, b) features of normal volumes like restoring from snapshot or capacity + tracking are needed, +c) the storage driver is specified through a storage class, and d) the storage driver supports dynamic volume provisioning through + a PersistentVolumeClaim (see EphemeralVolumeSource for more + information on the connection between this volume type + and PersistentVolumeClaim). + +Use PersistentVolumeClaim or one of the vendor-specific APIs for volumes that persist for longer than the lifecycle of an individual pod. + +Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to be used that way - see the documentation of the driver for more information. + +A pod can use both types of ephemeral volumes and persistent volumes at the same time. + +This is a beta feature and only available when the GenericEphemeralVolume feature gate is enabled. +Ø + glusterfsÊ +6#/definitions/io.k8s.api.core.v1.GlusterfsVolumeSource"Glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. More info: https://examples.k8s.io/volumes/glusterfs/README.md +É +rbdÁ +0#/definitions/io.k8s.api.core.v1.RBDVolumeSource"ŒRBD represents a Rados Block Device mount on the host that shares a pod's lifetime. More info: https://examples.k8s.io/volumes/rbd/README.md +œ + azureDiskŽ +6#/definitions/io.k8s.api.core.v1.AzureDiskVolumeSource"TAzureDisk represents an Azure Data Disk mount on the host and bind mount to the pod. +ž + downwardAPIŽ +8#/definitions/io.k8s.api.core.v1.DownwardAPIVolumeSource"RDownwardAPI represents downward API about the pod that should populate this volume +É +gitRepo½ +4#/definitions/io.k8s.api.core.v1.GitRepoVolumeSource"„GitRepo represents a git repository at a particular revision. DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir into the Pod's container. +œ +scaleIO +4#/definitions/io.k8s.api.core.v1.ScaleIOVolumeSource"XScaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes. +” +hostPath‡ +5#/definitions/io.k8s.api.core.v1.HostPathVolumeSource"ÍHostPath represents a pre-existing file or directory on the host machine that is directly exposed to the container. This is generally used for system agents or other privileged things that are allowed to see the host machine. Most containers will NOT need this. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath +® +name¥"—Volume's name. Must be a DNS_LABEL and unique within the pod. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names² +string +¬ +persistentVolumeClaim’ +B#/definitions/io.k8s.api.core.v1.PersistentVolumeClaimVolumeSource"ËPersistentVolumeClaimVolumeSource represents a reference to a PersistentVolumeClaim in the same namespace. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims +¤ +gcePersistentDiskŽ +>#/definitions/io.k8s.api.core.v1.GCEPersistentDiskVolumeSource"ËGCEPersistentDisk represents a GCE Disk resource that is attached to a kubelet's host machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk +í +iscsiã +2#/definitions/io.k8s.api.core.v1.ISCSIVolumeSource"¬ISCSI represents an ISCSI Disk resource that is attached to a kubelet's host machine and then exposed to the pod. More info: https://examples.k8s.io/volumes/iscsi/README.md +Å +secretº +3#/definitions/io.k8s.api.core.v1.SecretVolumeSource"‚Secret represents a secret that should populate this volume. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret +¬ + +flexVolume +1#/definitions/io.k8s.api.core.v1.FlexVolumeSource"hFlexVolume represents a generic volume resource that is provisioned/attached using an exec based plugin. +± +awsElasticBlockStore˜ +A#/definitions/io.k8s.api.core.v1.AWSElasticBlockStoreVolumeSource"ÒAWSElasticBlockStore represents an AWS Disk resource that is attached to a kubelet's host machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore +º +csi² +0#/definitions/io.k8s.api.core.v1.CSIVolumeSource"~CSI (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers (Beta feature). +‹ + projected~ +6#/definitions/io.k8s.api.core.v1.ProjectedVolumeSource"DItems for all in one resources secrets, configmaps, and downward API +¬ + vsphereVolumeš +?#/definitions/io.k8s.api.core.v1.VsphereVirtualDiskVolumeSource"WVsphereVolume represents a vSphere volume attached and mounted on kubelets host machine +™ + storageos‹ +6#/definitions/io.k8s.api.core.v1.StorageOSVolumeSource"QStorageOS represents a StorageOS volume attached and mounted on Kubernetes nodes. +Œ +cephfs +3#/definitions/io.k8s.api.core.v1.CephFSVolumeSource"JCephFS represents a Ceph FS mount on the host that shares a pod's lifetime +Ö +emptyDirÉ +5#/definitions/io.k8s.api.core.v1.EmptyDirVolumeSource"EmptyDir represents a temporary directory that shares a pod's lifetime. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir +ª +fc£ +/#/definitions/io.k8s.api.core.v1.FCVolumeSource"pFC represents a Fibre Channel resource that is attached to a kubelet's host machine and then exposed to the pod. +È +flocker¼ +4#/definitions/io.k8s.api.core.v1.FlockerVolumeSource"ƒFlocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running +¥ +portworxVolume’ +5#/definitions/io.k8s.api.core.v1.PortworxVolumeSource"YPortworxVolume represents a portworx volume attached and mounted on kubelets host machine +ó +"io.k8s.api.apps.v1.DaemonSetStatusÌ">DaemonSetStatus represents the current status of a daemon set.šcurrentNumberScheduledšnumberMisscheduledšdesiredNumberScheduledš numberReady² +objectʨ +˜ + numberReadyˆint32"sThe number of nodes that should be running the daemon pod and have one or more of the daemon pod running and ready.² +integer +Å +numberUnavailable¯int32"™The number of nodes that should be running the daemon pod and have none of the daemon pod running and available (ready for at least spec.minReadySeconds)² +integer +õ + +conditionsæ"LRepresents the latest available observations of a DaemonSet's current state.² +arrayº7 +5 +3#/definitions/io.k8s.api.apps.v1.DaemonSetConditionú' +x-kubernetes-patch-merge-keytype +ú' +x-kubernetes-patch-strategymerge + +ã +currentNumberScheduledÈint32"²The number of nodes that are running at least 1 daemon pod and are supposed to run the daemon pod. More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/² +integer +Ê +numberAvailable¶int32" The number of nodes that should be running the daemon pod and have one or more of the daemon pod running and available (ready for at least spec.minReadySeconds)² +integer +Ý +numberMisscheduledÆint32"°The number of nodes that are running the daemon pod, but are not supposed to run the daemon pod. More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/² +integer +ä +collisionCountÑint32"»Count of hash collisions for the DaemonSet. The DaemonSet controller uses this field as a collision avoidance mechanism when it needs to create the name for the newest ControllerRevision.² +integer +ô +desiredNumberScheduledÙint32"ÃThe total number of nodes that should be running the daemon pod (including nodes correctly running the daemon pod). More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/² +integer +l +observedGenerationVint64"AThe most recent generation observed by the daemon set controller.² +integer +l +updatedNumberScheduledRint32"=The total number of nodes that are running updated daemon pod² +integer +Ç +#io.k8s.api.autoscaling.v1.ScaleSpecŸ":ScaleSpec describes the attributes of a scale subresource.² +objectÊU +S +replicasGint32"2desired number of instances for the scaled object.² +integer +ê + +(io.k8s.api.policy.v1.PodDisruptionBudget½ +"hPodDisruptionBudget is an object to define the max disruption that can be caused to a collection of pods² +objectÊâ +Ò +metadataÅ +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"ƒStandard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata +‡ +spec +:#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetSpec"ASpecification of the desired behavior of the PodDisruptionBudget. +ƒ +statusy +<#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetStatus"9Most recently observed status of the PodDisruptionBudget. +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +stringú_ +x-kubernetes-group-version-kind<:- kind: PodDisruptionBudget + version: v1 + group: policy + +¯ +*io.k8s.api.apps.v1.RollingUpdateDeployment€ "7Spec to control the desired behavior of rolling update.² +objectʸ +å +maxSurgeØ +=#/definitions/io.k8s.apimachinery.pkg.util.intstr.IntOrString"–The maximum number of pods that can be scheduled above the desired number of pods. Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). This can not be 0 if MaxUnavailable is 0. Absolute number is calculated from percentage by rounding up. Defaults to 25%. Example: when this is set to 30%, the new ReplicaSet can be scaled up immediately when the rolling update starts, such that the total number of old and new pods do not exceed 130% of desired pods. Once old pods have been killed, new ReplicaSet can be scaled up further, ensuring that total number of pods running at any time during the update is at most 130% of desired pods. +Í +maxUnavailableº +=#/definitions/io.k8s.apimachinery.pkg.util.intstr.IntOrString"øThe maximum number of pods that can be unavailable during the update. Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). Absolute number is calculated from percentage by rounding down. This can not be 0 if MaxSurge is 0. Defaults to 25%. Example: when this is set to 30%, the old ReplicaSet can be scaled down to 70% of desired pods immediately when the rolling update starts. Once new pods are ready, old ReplicaSet can be scaled down further, followed by scaling up the new ReplicaSet, ensuring that the total number of pods available at all times during the update is at least 70% of desired pods. +ø +3io.k8s.api.autoscaling.v2beta1.ResourceMetricSourceÀ"ÊResourceMetricSource indicates how to scale on a resource metric known to Kubernetes, as specified in requests and limits, describing each pod in the current scale target (e.g. CPU or memory). The values will be averaged together before being compared to the target. Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the "pods" source. Only one "target" type should be set.šname² +objectÊÝ +B +name:"-name is the name of the resource in question.² +string +ð +targetAverageUtilizationÓint32"½targetAverageUtilization is the target value of the average of the resource metric across all relevant pods, represented as a percentage of the requested value of the resource for the pods.² +integer +£ +targetAverageValueŒ +;#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"ÌtargetAverageValue is the target value of the average of the resource metric across all relevant pods, as a raw value (instead of as a percentage of the request), similar to the "pods" metric source type. +´ +io.k8s.api.rbac.v1.RoleBinding‘ "·RoleBinding references a role, but does not contain it. It can reference a Role in the same namespace or a ClusterRole in the global namespace. It adds who information via Subjects and namespace information by which namespace it exists in. RoleBindings in a given namespace only have effect in that namespace.šroleRef² +objectÊÑ +à +roleRefÔ +(#/definitions/io.k8s.api.rbac.v1.RoleRef"§RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace. If the RoleRef cannot be resolved, the Authorizer must return an error. +„ +subjectsx"=Subjects holds references to the objects the role applies to.² +arrayº, +* +(#/definitions/io.k8s.api.rbac.v1.Subject +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +h +metadata\ +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"Standard object's metadata.új +x-kubernetes-group-version-kindGE- group: rbac.authorization.k8s.io + kind: RoleBinding + version: v1 + +° + +Kio.k8s.api.admissionregistration.v1beta1.ValidatingWebhookConfigurationListà "OValidatingWebhookConfigurationList is a list of ValidatingWebhookConfiguration.šitems² +objectÊë +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +™ +items"'List of ValidatingWebhookConfiguration.² +arrayºY +W +U#/definitions/io.k8s.api.admissionregistration.v1beta1.ValidatingWebhookConfiguration +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +Ï +metadata +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"‚Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kindsú‰ +x-kubernetes-group-version-kindfd- group: admissionregistration.k8s.io + kind: ValidatingWebhookConfigurationList + version: v1beta1 + +„ +:io.k8s.api.certificates.v1.CertificateSigningRequestStatusÅ"ŽCertificateSigningRequestStatus contains conditions used to indicate approved/denied/failed status of the request, and the issued certificate.² +objectÊ¥ +Š + certificateú +byte"À +certificate is populated with an issued certificate by the signer after an Approved condition is present. This field is set via the /status subresource. Once populated, this field is immutable. + +If the certificate signing request is denied, a condition of type "Denied" is added and this field remains empty. If the signer cannot issue the certificate, a condition of type "Failed" is added and this field remains empty. + +Validation requirements: + 1. certificate must contain one or more PEM blocks. + 2. All PEM blocks must have the "CERTIFICATE" label, contain no headers, and the encoded data + must be a BER-encoded ASN.1 Certificate structure as described in section 4 of RFC5280. + 3. Non-PEM content may appear before or after the "CERTIFICATE" PEM blocks and is unvalidated, + to allow for explanatory text as described in section 5.2 of RFC7468. + +If more than one PEM block is present, and the definition of the requested spec.signerName does not indicate otherwise, the first block is the issued certificate, and subsequent blocks should be treated as intermediate certificates and presented in TLS handshakes. + +The certificate is encoded in PEM format. + +When serialized as JSON or YAML, the data is additionally base64-encoded, so it consists of: + + base64( + -----BEGIN CERTIFICATE----- + ... + -----END CERTIFICATE----- + )² +stringú# +x-kubernetes-list-type atomic + +• + +conditions†"[conditions applied to the request. Known conditions are "Approved", "Denied", and "Failed".² +arrayºO +M +K#/definitions/io.k8s.api.certificates.v1.CertificateSigningRequestConditionú' +x-kubernetes-list-map-keys - type +ú +x-kubernetes-list-typemap + + ++io.k8s.api.networking.v1beta1.IngressStatusÑ"8IngressStatus describe the current state of the Ingress.² +objectʈ +… + loadBalanceru +3#/definitions/io.k8s.api.core.v1.LoadBalancerStatus">LoadBalancer contains the current status of the load-balancer. +š +(io.k8s.api.storage.v1beta1.CSIDriverListí"3CSIDriverList is a collection of CSIDriver objects.šitems² +objectʸ +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +l +itemsc"items is the list of CSIDriver² +arrayº6 +4 +2#/definitions/io.k8s.api.storage.v1beta1.CSIDriver +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +Ê +metadata½ +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"~Standard list metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadataúf +x-kubernetes-group-version-kindCA- version: v1beta1 + group: storage.k8s.io + kind: CSIDriverList + +ö + +Vio.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionNames› +"XCustomResourceDefinitionNames indicates the names to serve this CustomResourceDefinitionšpluralškind² +objectÊ¢ +q +listKinde"XlistKind is the serialized kind of the list for this resource. Defaults to "`kind`List".² +string + +plural‚"ôplural is the plural name of the resource to serve. The custom resources are served under `/apis///.../`. Must match the name of the CustomResourceDefinition (in the form `.`). Must be all lowercase.² +string +á + +shortNamesÒ"µshortNames are short names for the resource, exposed in API discovery documents, and used by clients to support invocations like `kubectl get `. It must be all lowercase.² +arrayº + ² +string +€ +singulart"gsingular is the singular name of the resource. It must be all lowercase. Defaults to lowercased `kind`.² +string +ô + +categorieså"Ècategories is a list of grouped resources this custom resource belongs to (e.g. 'all'). This is published in API discovery documents, and used by clients to support invocations like `kubectl get all`.² +arrayº + ² +string +¾ +kindµ"§kind is the serialized kind of the resource. It is normally CamelCase and singular. Custom resource instances will use this value as the `kind` attribute in API calls.² +string +Ù +.io.k8s.apimachinery.pkg.apis.meta.v1.Condition¦ "TCondition contains details for one aspect of the current state of this API Resource.štypešstatusšlastTransitionTimešreasonšmessage² +objectʉ + +L +statusB"5status of the condition, one of True, False, Unknown.² +string +T +typeL"?type of condition in CamelCase or in foo.example.com/CamelCase.² +string +¸ +lastTransitionTime¡ +7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"ålastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + +messagev"imessage is a human readable message indicating details about the transition. This may be an empty string.² +string +È +observedGeneration±int64"›observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.² +integer +Ø +reasonÍ"¿reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.² +string + +/io.k8s.apimachinery.pkg.util.intstr.IntOrStringŽ int-or-string"ñIntOrString is a type that can hold an int32 or a string. When used in JSON or YAML marshalling and unmarshalling, it produces or consumes the inner type. This allows you to have, for example, a JSON field that can accept a name or number.² +string +ž +io.k8s.api.apps.v1.StatefulSetû +"ŸStatefulSet represents a set of pods with consistent identities. Identities are defined as: + - Network: A single stable DNS and hostname. + - Storage: As many VolumeClaims as requested. +The StatefulSet guarantees that a given network identity will always map to the same storage identity.² +objectÊò +K +metadata? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta +t +specl +0#/definitions/io.k8s.api.apps.v1.StatefulSetSpec"8Spec defines the desired identities of pods in this set. +¯ +status¤ +2#/definitions/io.k8s.api.apps.v1.StatefulSetStatus"nStatus is the current status of Pods in this StatefulSet. This data may be out of date by some window of time. +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +stringúU +x-kubernetes-group-version-kind20- group: apps + kind: StatefulSet + version: v1 + +¿ +"io.k8s.api.core.v1.SecretEnvSource˜"¹SecretEnvSource selects a Secret to populate the environment variables with. + +The contents of the target Secret's Data field will represent the key-value pairs as environment variables.² +objectÊÍ +„ +name|"oName of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names² +string +D +optional8"*Specify whether the Secret must be defined² +boolean +ë +io.k8s.api.core.v1.EventSourceÈ".EventSource contains information for an event.² +objectʉ +F + component9",Component from which the event is generated.² +string +? +host7"*Node name on which the event is generated.² +string +‹ +&io.k8s.api.flowcontrol.v1beta1.Subjectà"´Subject matches the originator of a request, as identified by the request authentication system. There are three ways of matching an originator; by user, group, or service account.škind² +objectÊ +D +group; +9#/definitions/io.k8s.api.flowcontrol.v1beta1.GroupSubject + +kind"Required² +string +V +serviceAccountD +B#/definitions/io.k8s.api.flowcontrol.v1beta1.ServiceAccountSubject +B +user: +8#/definitions/io.k8s.api.flowcontrol.v1beta1.UserSubjectúŽ +x-kubernetes-unionswu- fields-to-discriminateBy: + group: Group + serviceAccount: ServiceAccount + user: User + discriminator: kind + +Ž + +io.k8s.api.core.v1.NodeSpecî ">NodeSpec describes the attributes that a node is created with.² +objectÊŸ +Ï + unschedulable½"®Unschedulable controls node schedulability of new pods. By default, node is schedulable. More info: https://kubernetes.io/docs/concepts/nodes/node/#manual-node-administration² +boolean +Ö + configSourceÅ +1#/definitions/io.k8s.api.core.v1.NodeConfigSource"If specified, the source to get node configuration from The DynamicKubeletConfig feature gate must be enabled for the Kubelet to use this field +† + +externalIDx"kDeprecated. Not all kubelets will set this field. Remove field after 1.13. see: https://issues.k8s.io/61966² +string +Q +podCIDRF"9PodCIDR represents the pod IP range assigned to the node.² +string +¬ +podCIDRsŸ"ØpodCIDRs represents the IP ranges assigned to the node for usage by Pods on that node. If this field is specified, the 0th entry must match the podCIDR field. It may contain at most 1 value for each of IPv4 and IPv6.² +arrayº + ² +stringú' +x-kubernetes-patch-strategymerge + + + +providerIDs"fID of the node assigned by the cloud provider in the format: ://² +string +c +taintsY" If specified, the node's taints.² +arrayº* +( +&#/definitions/io.k8s.api.core.v1.Taint +ó +'io.k8s.api.core.v1.TopologySelectorTermÇ"‘A topology selector term represents the result of label queries. A null or empty topology selector term matches no objects. The requirements of them are ANDed. It provides a subset of functionality as NodeSelectorTerm. This is an alpha feature and may change in the future.² +objectʤ +¡ +matchLabelExpressions‡"3A list of topology selector requirements by labels.² +arrayºE +C +A#/definitions/io.k8s.api.core.v1.TopologySelectorLabelRequirement +ð +6io.k8s.api.flowcontrol.v1beta1.PolicyRulesWithSubjectsµ "•PolicyRulesWithSubjects prescribes a test that applies to a request to an apiserver. The test considers the subject making the request, the verb being requested, and the resource to be acted upon. This PolicyRulesWithSubjects matches a request if and only if both (a) at least one member of subjects matches the request and (b) at least one member of resourceRules or nonResourceRules matches the request.šsubjects² +objectʃ +Ù + resourceRulesÇ"Î`resourceRules` is a slice of ResourcePolicyRules that identify matching requests according to their verb and the target resource. At least one of `resourceRules` and `nonResourceRules` has to be non-empty.² +arrayºC +A +?#/definitions/io.k8s.api.flowcontrol.v1beta1.ResourcePolicyRuleú# +x-kubernetes-list-type atomic + + +subjectsô"†subjects is the list of normal user, serviceaccount, or group that this rule cares about. There must be at least one member in this slice. A slice that includes both the system:authenticated and system:unauthenticated user groups matches every request. Required.² +arrayº8 +6 +4#/definitions/io.k8s.api.flowcontrol.v1beta1.Subjectú# +x-kubernetes-list-type atomic + +  +nonResourceRules‹"`nonResourceRules` is a list of NonResourcePolicyRules that identify matching requests according to their verb and the target non-resource URL.² +arrayºF +D +B#/definitions/io.k8s.api.flowcontrol.v1beta1.NonResourcePolicyRuleú# +x-kubernetes-list-type atomic + +· +/io.k8s.api.policy.v1beta1.PodSecurityPolicyListƒ "=PodSecurityPolicyList is a list of PodSecurityPolicy objects.šitems² +objectÊÄ +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +w +itemsn""items is a list of schema objects.² +arrayº= +; +9#/definitions/io.k8s.api.policy.v1beta1.PodSecurityPolicy +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +Ë +metadata¾ +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadataúf +x-kubernetes-group-version-kindCA- version: v1beta1 + group: policy + kind: PodSecurityPolicyList + +å. +/io.k8s.api.policy.v1beta1.PodSecurityPolicySpec±."2PodSecurityPolicySpec defines the policy enforced.šseLinuxš runAsUseršsupplementalGroupsšfsGroup² +objectʹ- +¤ +allowPrivilegeEscalation‡"yallowPrivilegeEscalation determines if a pod can request to allow privilege escalation. If unspecified, defaults to true.² +boolean +· +allowedFlexVolumes "ÓallowedFlexVolumes is an allowlist of Flexvolumes. Empty or nil indicates that all Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes is allowed in the "volumes" field.² +arrayº= +; +9#/definitions/io.k8s.api.policy.v1beta1.AllowedFlexVolume +¿ +allowedHostPathsª"`allowedHostPaths is an allowlist of host paths. Empty indicates that all host paths may be used.² +arrayº; +9 +7#/definitions/io.k8s.api.policy.v1beta1.AllowedHostPath +’ +defaultAddCapabilities÷"ÚdefaultAddCapabilities is the default set of capabilities that will be added to the container unless the pod spec specifically drops the capability. You may not list a capability in both defaultAddCapabilities and requiredDropCapabilities. Capabilities added here are implicitly allowed, and need not be included in the allowedCapabilities list.² +arrayº + ² +string +· +defaultAllowPrivilegeEscalation“"„defaultAllowPrivilegeEscalation controls the default setting for whether a process can gain more privileges than its parent process.² +boolean + +forbiddenSysctlsø"ÛforbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none. Each entry is either a plain sysctl name or ends in "*" in which case it is considered as a prefix of forbidden sysctls. Single * means all sysctls are forbidden. + +Examples: e.g. "foo/*" forbids "foo/bar", "foo/baz", etc. e.g. "foo.*" forbids "foo.bar", "foo.baz", etc.² +arrayº + ² +string +p + hostNetworka"ShostNetwork determines if the policy allows the use of HostNetwork in the pod spec.² +boolean +_ + +privilegedQ"Cprivileged determines if a pod can request to be run as privileged.² +boolean +ö +readOnlyRootFilesystemÛ"ÌreadOnlyRootFilesystem when set to true will force containers to run with a read only root file system. If the container specifically requests to run with a non-read only root file system the PSP should deny the pod. If set to false the container may run with a read only root file system if it wishes but it will not be forced to.² +boolean +Í + runtimeClass¼ +C#/definitions/io.k8s.api.policy.v1beta1.RuntimeClassStrategyOptions"ôruntimeClass is the strategy that will dictate the allowable RuntimeClasses for a pod. If this field is omitted, the pod's runtimeClassName field is unrestricted. Enforcement of this field depends on the RuntimeClass feature gate being enabled. +¥ +volumes™"}volumes is an allowlist of volume plugins. Empty indicates that no volumes may be used. To allow all volumes you may use '*'.² +arrayº + ² +string +² +allowedCapabilitiesš"ýallowedCapabilities is a list of capabilities that can be requested to add to the container. Capabilities in this field may be added at the pod author's discretion. You must not list a capability in both allowedCapabilities and requiredDropCapabilities.² +arrayº + ² +string +î +allowedUnsafeSysctlsÕ"¸allowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none. Each entry is either a plain sysctl name or ends in "*" in which case it is considered as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed. Kubelet has to allowlist all allowed unsafe sysctls explicitly to avoid rejection. + +Examples: e.g. "foo/*" allows "foo/bar", "foo/baz", etc. e.g. "foo.*" allows "foo.bar", "foo.baz", etc.² +arrayº + ² +string +¥ +fsGroup™ +>#/definitions/io.k8s.api.policy.v1beta1.FSGroupStrategyOptions"WfsGroup is the strategy that will dictate what fs group is used by the SecurityContext. +d +hostPIDY"KhostPID determines if the policy allows the use of HostPID in the pod spec.² +boolean +œ + hostPortsŽ"FhostPorts determines which host port ranges are allowed to be exposed.² +arrayº9 +7 +5#/definitions/io.k8s.api.policy.v1beta1.HostPortRange +­ + runAsUserŸ +@#/definitions/io.k8s.api.policy.v1beta1.RunAsUserStrategyOptions"[runAsUser is the strategy that will dictate the allowable RunAsUser values that may be set. + +seLinux‘ +>#/definitions/io.k8s.api.policy.v1beta1.SELinuxStrategyOptions"OseLinux is the strategy that will dictate the allowable labels that may be set. +Ò +supplementalGroups» +I#/definitions/io.k8s.api.policy.v1beta1.SupplementalGroupsStrategyOptions"nsupplementalGroups is the strategy that will dictate what supplemental groups are used by the SecurityContext. +” +allowedCSIDriversþ"²AllowedCSIDrivers is an allowlist of inline CSI drivers that must be explicitly set to be embedded within a pod spec. An empty value indicates that any CSI driver can be used for inline ephemeral volumes. This is a beta field, and is only honored if the API server enables the CSIInlineVolume feature gate.² +arrayº< +: +8#/definitions/io.k8s.api.policy.v1beta1.AllowedCSIDriver +´ + +runAsGroup¥ +A#/definitions/io.k8s.api.policy.v1beta1.RunAsGroupStrategyOptions"ßRunAsGroup is the strategy that will dictate the allowable RunAsGroup values that may be set. If this field is omitted, the pod's RunAsGroup can take any value. This field requires the RunAsGroup feature gate to be enabled. +ú +allowedProcMountTypesà"ÃAllowedProcMountTypes is an allowlist of allowed ProcMountTypes. Empty or nil indicates that only the DefaultProcMountType may be used. This requires the ProcMountType feature flag to be enabled.² +arrayº + ² +string +d +hostIPCY"KhostIPC determines if the policy allows the use of HostIPC in the pod spec.² +boolean +Ç +requiredDropCapabilitiesª"requiredDropCapabilities are the capabilities that will be dropped from the container. These are required to be dropped and cannot be added.² +arrayº + ² +string +â +Hio.k8s.kube-aggregator.pkg.apis.apiregistration.v1beta1.APIServiceStatus•"AAPIServiceStatus contains derived information about an API server² +objectÊà +À + +conditions±"$Current service state of apiService.² +arrayº] +[ +Y#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1beta1.APIServiceConditionú +x-kubernetes-list-typemap +ú' +x-kubernetes-patch-merge-keytype +ú' +x-kubernetes-patch-strategymerge +ú' +x-kubernetes-list-map-keys - type + +ÿ +%io.k8s.api.core.v1.CephFSVolumeSourceÕ "Represents a Ceph Filesystem mount that lasts the lifetime of a pod Cephfs volumes do not support ownership management or SELinux relabeling.šmonitors² +objectÊ« +˜ +user"Optional: User is the rados user name, default is admin More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it² +string +¦ +monitors™"}Required: Monitors is a collection of Ceph monitors More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it² +arrayº + ² +string +e +path]"POptional: Used as the mounted root, rather than the full Ceph tree, default is /² +string +Î +readOnlyÁ"²Optional: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it² +boolean +¾ + +secretFile¯"¡Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it² +string +ë + secretRefÝ +5#/definitions/io.k8s.api.core.v1.LocalObjectReference"£Optional: SecretRef is reference to the authentication secret for User, default is empty. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it +ú +(io.k8s.api.core.v1.ConfigMapVolumeSourceÍ "ÅAdapts a ConfigMap into a volume. + +The contents of the target ConfigMap's Data field will be presented in a volume as files using the keys in the Data field as the file names, unless the items element is populated with specific mappings of keys to paths. ConfigMap volumes support ownership management and SELinux relabeling.² +objectÊö +ê + defaultModeÚint32"ÄOptional: mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.² +integer +ª +items "âIf unspecified, each key-value pair in the Data field of the referenced ConfigMap will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the ConfigMap, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'.² +arrayº. +, +*#/definitions/io.k8s.api.core.v1.KeyToPath +„ +name|"oName of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names² +string +S +optionalG"9Specify whether the ConfigMap or its keys must be defined² +boolean += +io.k8s.api.core.v1.Containerî<"AA single application container that you want to run within a pod.šname² +objectÊ•< +‚ + livenessProbeð +&#/definitions/io.k8s.api.core.v1.Probe"ÅPeriodic probe of container liveness. Container will be restarted if the probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes +¡ +readinessProbeŽ +&#/definitions/io.k8s.api.core.v1.Probe"ãPeriodic probe of container service readiness. Container will be removed from service endpoints if the probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes +â + resourcesÔ +5#/definitions/io.k8s.api.core.v1.ResourceRequirements"šCompute Resources required by this container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + +securityContextü +0#/definitions/io.k8s.api.core.v1.SecurityContext"ÇSecurity options the pod should run with. More info: https://kubernetes.io/docs/concepts/policy/security-context/ More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ +Ô + startupProbeà +&#/definitions/io.k8s.api.core.v1.Probe"˜StartupProbe indicates that the Pod has successfully initialized. If specified, no other probes are executed until this completes successfully. If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. This can be used to provide different probe parameters at the beginning of a Pod's lifecycle, when it might take a long time to load data or warm a cache, than during steady-state operation. This cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes +Å +terminationMessagePathª"œOptional: Path at which the file to which the container's termination message will be written is mounted into the container's filesystem. Message written is intended to be brief final status, such as an assertion failure message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults to /dev/termination-log. Cannot be updated.² +string +ñ + volumeMountsà"HPod volumes to mount into the container's filesystem. Cannot be updated.² +arrayº0 +. +,#/definitions/io.k8s.api.core.v1.VolumeMountú, +x-kubernetes-patch-merge-key  +mountPath +ú' +x-kubernetes-patch-strategymerge + +Ö +envFromÊ"ˆList of sources to populate environment variables in the container. The keys defined within a source must be a C_IDENTIFIER. All invalid keys will be reported as an event when the container is starting. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated.² +arrayº2 +0 +.#/definitions/io.k8s.api.core.v1.EnvFromSource +Ï +stdinÅ"¶Whether this container should allocate a buffer for stdin in the container runtime. If this is not set, reads from stdin in the container will always result in EOF. Default is false.² +boolean + +ttyz"lWhether this container should allocate a TTY for itself, also requires 'stdin' to be true. Default is false.² +boolean +ó + volumeDevicesá"GvolumeDevices is the list of block devices to be used by the container.² +arrayº1 +/ +-#/definitions/io.k8s.api.core.v1.VolumeDeviceú- +x-kubernetes-patch-merge-key  devicePath +ú' +x-kubernetes-patch-strategymerge + +À + +workingDir±"£Container's working directory. If not specified, the container runtime's default will be used, which might be configured in the container image. Cannot be updated.² +string + +imageƒ"õDocker image name. More info: https://kubernetes.io/docs/concepts/containers/images This field is optional to allow higher level config management to default or override container images in workload controllers like Deployments and StatefulSets.² +string +ß +env×"IList of environment variables to set in the container. Cannot be updated.² +arrayº+ +) +'#/definitions/io.k8s.api.core.v1.EnvVarú' +x-kubernetes-patch-merge-keyname +ú' +x-kubernetes-patch-strategymerge + +¨ + lifecycleš +*#/definitions/io.k8s.api.core.v1.Lifecycle"lActions that the management system should take in response to container lifecycle events. Cannot be updated. +• +nameŒ"Name of the container specified as a DNS_LABEL. Each container in a pod must have a unique name (DNS_LABEL). Cannot be updated.² +string +û +commandï"ÒEntrypoint array. Not executed within a shell. The docker image's ENTRYPOINT is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container's environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell² +arrayº + ² +string +‡ +imagePullPolicyó"åImage pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images² +string +” +portsŠ"ŠList of ports to expose from the container. Exposing a port here gives the system additional information about the network connections a container uses, but is primarily informational. Not specifying a port here DOES NOT prevent that port from being exposed. Any port which is listening on the default "0.0.0.0" address inside a container will be accessible from the network. Cannot be updated.² +arrayº2 +0 +.#/definitions/io.k8s.api.core.v1.ContainerPortú; +x-kubernetes-list-map-keys- containerPort +- protocol +ú +x-kubernetes-list-typemap +ú0 +x-kubernetes-patch-merge-keycontainerPort +ú' +x-kubernetes-patch-strategymerge + +× + stdinOnceÉ"ºWhether the container runtime should close the stdin channel after it has been opened by a single attach. When stdin is true the stdin stream will remain open across multiple attach sessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the first client attaches to stdin, and then remains open and accepts data until the client disconnects, at which time stdin is closed and remains closed until the container is restarted. If this flag is false, a container processes that reads from stdin will never receive an EOF. Default is false² +boolean +æ +terminationMessagePolicyÉ"»Indicate how the termination message should be populated. File will use the contents of terminationMessagePath to populate the container status message on both success and failure. FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with an error. The log output is limited to 2048 bytes or 80 lines, whichever is smaller. Defaults to File. Cannot be updated.² +string +ß +argsÖ"¹Arguments to the entrypoint. The docker image's CMD is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container's environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell² +arrayº + ² +string +Ê + io.k8s.api.core.v1.NamespaceSpec¥"6NamespaceSpec describes the attributes on a Namespace.² +objectÊÞ +Û + +finalizersÌ"¯Finalizers is an opaque list of values that must be empty to permanently remove object from storage. More info: https://kubernetes.io/docs/tasks/administer-cluster/namespaces/² +arrayº + ² +string +Ì +%io.k8s.api.networking.v1.IngressClass¢ "óIngressClass represents the class of the Ingress, referenced by the Ingress Spec. The `ingressclass.kubernetes.io/is-default-class` annotation can be used to indicate that an IngressClass should be considered default. When a single IngressClass resource has this annotation set to true, new Ingress resources without a class specified will be assigned this default class.² +objectÊ· +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +Ò +metadataÅ +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"ƒStandard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata +â +specÙ +7#/definitions/io.k8s.api.networking.v1.IngressClassSpec"Spec is the desired state of the IngressClass. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-statusúc +x-kubernetes-group-version-kind@>- version: v1 + group: networking.k8s.io + kind: IngressClass + +Ò +io.k8s.api.rbac.v1beta1.Role± "ÒRole is a namespaced, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding. Deprecated in v1.17 in favor of rbac.authorization.k8s.io/v1 Role, and will no longer be served in v1.22.² +objectÊâ +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +h +metadata\ +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"Standard object's metadata. +y +rulesp"-Rules holds all the PolicyRules for this Role² +arrayº4 +2 +0#/definitions/io.k8s.api.rbac.v1beta1.PolicyRuleúh +x-kubernetes-group-version-kindEC- kind: Role + version: v1beta1 + group: rbac.authorization.k8s.io + +Ï +$io.k8s.api.batch.v1beta1.CronJobSpec¦ "YCronJobSpec describes how the job execution will look like and when it will actually run.šscheduleš jobTemplate² +objectÊ£ + +¿ +successfulJobsHistoryLimit int32"ŠThe number of successful finished jobs to retain. This is a pointer to distinguish between explicit zero and not specified. Defaults to 3.² +integer +  +suspend”"…This flag tells the controller to suspend subsequent executions, it does not apply to already started executions. Defaults to false.² +boolean +Ì +concurrencyPolicy¶"¨Specifies how to treat concurrent executions of a Job. Valid values are: - "Allow" (default): allows CronJobs to run concurrently; - "Forbid": forbids concurrent runs, skipping next run if previous run hasn't finished yet; - "Replace": cancels currently running job and replaces it with a new one² +string +· +failedJobsHistoryLimitœint32"†The number of failed finished jobs to retain. This is a pointer to distinguish between explicit zero and not specified. Defaults to 1.² +integer +‰ + jobTemplatez +6#/definitions/io.k8s.api.batch.v1beta1.JobTemplateSpec"@Specifies the job that will be created when executing a CronJob. +] +scheduleQ"DThe schedule in Cron format, see https://en.wikipedia.org/wiki/Cron.² +string +Ç +startingDeadlineSeconds«int64"•Optional deadline in seconds for starting the job if it misses scheduled time for any reason. Missed jobs executions will be counted as failed ones.² +integer +Î +%io.k8s.api.core.v1.ConfigMapEnvSource¤"ÂConfigMapEnvSource selects a ConfigMap to populate the environment variables with. + +The contents of the target ConfigMap's Data field will represent the key-value pairs as environment variables.² +objectÊÐ +„ +name|"oName of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names² +string +G +optional;"-Specify whether the ConfigMap must be defined² +boolean +Ì +io.k8s.api.core.v1.VolumeMount©"@VolumeMount describes a mounting of a Volume within a container.šnameš mountPath² +objectÊÅ +: +name2"%This must match the Name of a Volume.² +string +t +readOnlyh"ZMounted read-only if true, read-write otherwise (false or unspecified). Defaults to false.² +boolean +ƒ +subPathx"kPath within the volume from which the container's volume should be mounted. Defaults to "" (volume's root).² +string +¿ + subPathExpr¯"¡Expanded path within the volume from which the container's volume should be mounted. Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. Defaults to "" (volume's root). SubPathExpr and SubPath are mutually exclusive.² +string +q + mountPathd"WPath within the container at which the volume should be mounted. Must not contain ':'.² +string +Õ +mountPropagationÀ"²mountPropagation determines how mounts are propagated from the host to container and the other way around. When not set, MountPropagationNone is used. This field is beta in 1.10.² +string +´ +.io.k8s.api.networking.v1.IngressServiceBackend"CIngressServiceBackend references a Kubernetes Service as a Backend.šname² +objectʦ +x +namep"cName is the referenced service. The service must exist in the same namespace as the Ingress object.² +string +© +port  +9#/definitions/io.k8s.api.networking.v1.ServiceBackendPort"cPort of the referenced service. A port name or port number is required for a IngressServiceBackend. +· +1io.k8s.api.storage.v1beta1.VolumeAttachmentSource"ÝVolumeAttachmentSource represents a volume that should be attached. Right now only PersistenVolumes can be attached via external attacher, in future we may allow also inline volumes in pods. Exactly one member can be set.² +objectÊ’ +À +inlineVolumeSpec« +5#/definitions/io.k8s.api.core.v1.PersistentVolumeSpec"ñinlineVolumeSpec contains all the information necessary to attach a persistent volume defined by a pod's inline VolumeSource. This field is populated only for the CSIMigration feature. It contains translated fields from a pod's inline VolumeSource to a PersistentVolumeSpec. This field is beta-level and is only honored by servers that enabled the CSIMigration feature. +M +persistentVolumeName5"(Name of the persistent volume to attach.² +string +£ +Zio.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionConditionÄ"YCustomResourceDefinitionCondition contains details for the current condition of this pod.štypešstatus² +objectÊÊ +e +messageZ"Mmessage is a human-readable message indicating details about last transition.² +string +j +reason`"Sreason is a unique, one-word, CamelCase reason for the condition's last transition.² +string +Z +statusP"Cstatus is the status of the condition. Can be True, False, Unknown.² +string +q +typei"\type is the type of the condition. Types include Established, NamesAccepted and Terminating.² +string +¥ +lastTransitionTimeŽ +7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"SlastTransitionTime last time the condition transitioned from one status to another. +ö6 +%io.k8s.api.core.v1.EphemeralContainerÌ6"ƒAn EphemeralContainer is a container that may be added temporarily to an existing pod for user-initiated activities such as debugging. Ephemeral containers have no resource or scheduling guarantees, and they will not be restarted when they exit or when a pod is removed or restarted. If an ephemeral container causes a pod to exceed its resource allocation, the pod may be evicted. Ephemeral containers may not be added by directly updating the pod spec. They must be added via the pod's ephemeralcontainers subresource, and they will appear in the pod spec once added. This is an alpha feature enabled by the EphemeralContainers feature flag.šname² +objectÊ°1 +Ö +envFromÊ"ˆList of sources to populate environment variables in the container. The keys defined within a source must be a C_IDENTIFIER. All invalid keys will be reported as an event when the container is starting. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated.² +arrayº2 +0 +.#/definitions/io.k8s.api.core.v1.EnvFromSource +‡ +imagePullPolicyó"åImage pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images² +string +© +name "’Name of the ephemeral container specified as a DNS_LABEL. This name must be unique among all containers, init containers and ephemeral containers.² +string + +securityContextl +0#/definitions/io.k8s.api.core.v1.SecurityContext"8SecurityContext is not allowed for ephemeral containers. +í +targetContainerNameÕ"ÇIf set, the name of the container from PodSpec that this ephemeral container targets. The ephemeral container will be run in the namespaces (IPC, PID, etc) of this container. If not set then the ephemeral container is run in whatever namespaces are shared for the pod. Note that the container runtime must support this feature.² +string +ó + volumeDevicesá"GvolumeDevices is the list of block devices to be used by the container.² +arrayº1 +/ +-#/definitions/io.k8s.api.core.v1.VolumeDeviceú- +x-kubernetes-patch-merge-key  devicePath +ú' +x-kubernetes-patch-strategymerge + +ß +argsÖ"¹Arguments to the entrypoint. The docker image's CMD is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container's environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell² +arrayº + ² +string +û +commandï"ÒEntrypoint array. Not executed within a shell. The docker image's ENTRYPOINT is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container's environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell² +arrayº + ² +string +À + +workingDir±"£Container's working directory. If not specified, the container runtime's default will be used, which might be configured in the container image. Cannot be updated.² +string +Á + resources³ +5#/definitions/io.k8s.api.core.v1.ResourceRequirements"zResources are not allowed for ephemeral containers. Ephemeral containers use spare resources already allocated to the pod. +j + startupProbeZ +&#/definitions/io.k8s.api.core.v1.Probe"0Probes are not allowed for ephemeral containers. +ñ + volumeMountsà"HPod volumes to mount into the container's filesystem. Cannot be updated.² +arrayº0 +. +,#/definitions/io.k8s.api.core.v1.VolumeMountú, +x-kubernetes-patch-merge-key  +mountPath +ú' +x-kubernetes-patch-strategymerge + +ß +env×"IList of environment variables to set in the container. Cannot be updated.² +arrayº+ +) +'#/definitions/io.k8s.api.core.v1.EnvVarú' +x-kubernetes-patch-merge-keyname +ú' +x-kubernetes-patch-strategymerge + +l +readinessProbeZ +&#/definitions/io.k8s.api.core.v1.Probe"0Probes are not allowed for ephemeral containers. +Ï +stdinÅ"¶Whether this container should allocate a buffer for stdin in the container runtime. If this is not set, reads from stdin in the container will always result in EOF. Default is false.² +boolean +× + stdinOnceÉ"ºWhether the container runtime should close the stdin channel after it has been opened by a single attach. When stdin is true the stdin stream will remain open across multiple attach sessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the first client attaches to stdin, and then remains open and accepts data until the client disconnects, at which time stdin is closed and remains closed until the container is restarted. If this flag is false, a container processes that reads from stdin will never receive an EOF. Default is false² +boolean +æ +terminationMessagePolicyÉ"»Indicate how the termination message should be populated. File will use the contents of terminationMessagePath to populate the container status message on both success and failure. FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with an error. The log output is limited to 2048 bytes or 80 lines, whichever is smaller. Defaults to File. Cannot be updated.² +string + +ttyz"lWhether this container should allocate a TTY for itself, also requires 'stdin' to be true. Default is false.² +boolean +m + lifecycle` +*#/definitions/io.k8s.api.core.v1.Lifecycle"2Lifecycle is not allowed for ephemeral containers. +k + livenessProbeZ +&#/definitions/io.k8s.api.core.v1.Probe"0Probes are not allowed for ephemeral containers. +Å +terminationMessagePathª"œOptional: Path at which the file to which the container's termination message will be written is mounted into the container's filesystem. Message written is intended to be brief final status, such as an assertion failure message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults to /dev/termination-log. Cannot be updated.² +string +i +image`"SDocker image name. More info: https://kubernetes.io/docs/concepts/containers/images² +string +y +portsp"/Ports are not allowed for ephemeral containers.² +arrayº2 +0 +.#/definitions/io.k8s.api.core.v1.ContainerPort +· +'io.k8s.api.core.v1.LocalObjectReference‹"sLocalObjectReference contains enough information to let you locate the referenced object inside the same namespace.² +objectʇ +„ +name|"oName of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names² +string +° +Bio.k8s.api.flowcontrol.v1beta1.PriorityLevelConfigurationReferenceé"jPriorityLevelConfigurationReference contains information that points to the "request-priority" being used.šname² +objectÊh +f +name^"Q`name` is the name of the priority level configuration being referenced Required.² +string +¹ +#io.k8s.api.rbac.v1beta1.RoleBinding‘ "¨RoleBinding references a role, but does not contain it. It can reference a Role in the same namespace or a ClusterRole in the global namespace. It adds who information via Subjects and namespace information by which namespace it exists in. RoleBindings in a given namespace only have effect in that namespace. Deprecated in v1.17 in favor of rbac.authorization.k8s.io/v1 RoleBinding, and will no longer be served in v1.22.šroleRef² +objectÊÛ +‰ +subjects}"=Subjects holds references to the objects the role applies to.² +arrayº1 +/ +-#/definitions/io.k8s.api.rbac.v1beta1.Subject +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +h +metadata\ +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"Standard object's metadata. +å +roleRefÙ +-#/definitions/io.k8s.api.rbac.v1beta1.RoleRef"§RoleRef can reference a Role in the current namespace or a ClusterRole in the global namespace. If the RoleRef cannot be resolved, the Authorizer must return an error.úo +x-kubernetes-group-version-kindLJ- group: rbac.authorization.k8s.io + kind: RoleBinding + version: v1beta1 + +– +2io.k8s.apimachinery.pkg.apis.meta.v1.Preconditionsß"ZPreconditions must be fulfilled before an operation (update, delete, etc.) is carried out.² +objectÊu +- +uid&"Specifies the target UID.² +string +D +resourceVersion1"$Specifies the target ResourceVersion² +string +ç +io.k8s.api.core.v1.ConfigMapÆ"7ConfigMap holds configuration data for pods to consume.² +objectʪ +˜ + +binaryData‰"åBinaryData contains the binary data. Each key must consist of alphanumeric characters, '-', '_' or '.'. BinaryData can contain byte sequences that are not in the UTF-8 range. The keys stored in BinaryData must not overlap with the ones in the Data field, this is enforced during validation process. Using this field will require 1.10+ apiserver and kubelet.ª +byte² +string² +object +Ï +dataÆ"¨Data contains the configuration data. Each key must consist of alphanumeric characters, '-', '_' or '.'. Values with non-UTF-8 byte sequences must use the BinaryData field. The keys stored in Data must not overlap with the keys in the BinaryData field, this is enforced during validation process.ª + ² +string² +object +è + immutableÚ"ËImmutable, if set to true, ensures that data stored in the ConfigMap cannot be updated (only object metadata can be modified). If not set to true, the field can be modified at any time. Defaulted to nil.² +boolean +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +Ò +metadataÅ +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"ƒStandard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +stringúQ +x-kubernetes-group-version-kind.,- group: "" + kind: ConfigMap + version: v1 + +Ó +1io.k8s.api.core.v1.VsphereVirtualDiskVolumeSource"%Represents a vSphere volume resource.š +volumePath² +objectÊÚ +À +fsTypeµ"§Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.² +string +x +storagePolicyIDe"XStorage Policy Based Management (SPBM) profile ID associated with the StoragePolicyName.² +string +V +storagePolicyNameA"4Storage Policy Based Management (SPBM) profile name.² +string +C + +volumePath5"(Path that identifies vSphere volume vmdk² +string +´ +4io.k8s.api.core.v1.PersistentVolumeClaimVolumeSourceû"žPersistentVolumeClaimVolumeSource references the user's PVC in the same namespace. This volume finds the bound PV and mounts that volume for the pod. A PersistentVolumeClaimVolumeSource is, essentially, a wrapper around another type of volume that is owned by someone else (the system).š claimName² +objectÊ¿ +á + claimNameÓ"ÅClaimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims² +string +Y +readOnlyM"?Will force the ReadOnly setting in VolumeMounts. Default false.² +boolean +° +)io.k8s.api.networking.v1.IngressClassSpec‚"DIngressClassSpec provides information about the class of an Ingress.² +objectÊ­ +¦ + +controller—"‰Controller refers to the name of the controller that should handle this class. This allows for different "flavors" that are controlled by the same controller. For example, you may have different Parameters for the same implementing controller. This should be specified as a domain-prefixed path no more than 250 characters in length, e.g. "acme.io/ingress-controller". This field is immutable.² +string + + +parametersò +F#/definitions/io.k8s.api.networking.v1.IngressClassParametersReference"§Parameters is a link to a custom resource containing additional configuration for the controller. This is optional if the controller does not require extra parameters. +¬ +;io.k8s.api.admissionregistration.v1beta1.RuleWithOperationsì "‚RuleWithOperations is a tuple of Operations and Resources. It is recommended to make sure that all the tuple expansions are valid.² +objectÊØ +´ + apiGroups¦"‰APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required.² +arrayº + ² +string +¼ + apiVersions¬"APIVersions is the API versions the resources belong to. '*' is all versions. If '*' is present, the length of the slice must be one. Required.² +arrayº + ² +string +  + +operations‘"ôOperations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * for all of those operations and any future admission operations that are added. If '*' is present, the length of the slice must be one. Required.² +arrayº + ² +string +– + resourcesˆ"ëResources is a list of resources this rule applies to. + +For example: 'pods' means pods. 'pods/log' means the log subresource of pods. '*' means all resources, but not subresources. 'pods/*' means all subresources of pods. '*/scale' means all scale subresources. '*/*' means all resources and their subresources. + +If wildcard is present, the validation rule will ensure resources do not overlap with each other. + +Depending on the enclosing object, subresources might not be allowed. Required.² +arrayº + ² +string +£ +scope™"‹scope specifies the scope of this rule. Valid values are "Cluster", "Namespaced", and "*" "Cluster" means that only cluster-scoped resources will match this rule. Namespace API objects are cluster-scoped. "Namespaced" means that only namespaced resources will match this rule. "*" means that there are no scope restrictions. Subresources match the scope of their parent resource. Default is "*".² +string +² + io.k8s.api.core.v1.NodeCondition"8NodeCondition contains condition information for a node.štypešstatus² +objectÊ´ +, +type$"Type of node condition.² +string +€ +lastHeartbeatTimek +7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"0Last time we got an update on a given condition. +Œ +lastTransitionTimev +7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time";Last time the condition transit from one status to another. +X +messageM"@Human readable message indicating details about last transition.² +string +J +reason@"3(brief) reason for the condition's last transition.² +string +L +statusB"5Status of the condition, one of True, False, Unknown.² +string +Ú +8io.k8s.api.authorization.v1beta1.SubjectAccessReviewSpec"¢SubjectAccessReviewSpec is a description of the access request. Exactly one of ResourceAuthorizationAttributes and NonResourceAuthorizationAttributes must be set² +objectÊé +Æ +extra¼"Extra corresponds to the user.Info.GetExtra() method from the authenticator. Since that is input to the authorizer it needs a reflection here.ª +² +arrayº + ² +string² +object +M +groupD"(Groups is the groups you're testing for.² +arrayº + ² +string +¯ +nonResourceAttributes• +D#/definitions/io.k8s.api.authorization.v1beta1.NonResourceAttributes"MNonResourceAttributes describes information for a non-resource access request +¯ +resourceAttributes˜ +A#/definitions/io.k8s.api.authorization.v1beta1.ResourceAttributes"SResourceAuthorizationAttributes describes information for a resource access request +> +uid7"*UID information about the requesting user.² +string +ª +user¡"“User is the user you're testing for. If you specify "User" but not "Group", then is it interpreted as "What if User were not a member of any groups² +string +â +io.k8s.api.rbac.v1.RoleRefÃ"?RoleRef contains information that points to the role being usedšapiGroupškindšname² +objectÊÚ +P +apiGroupD"7APIGroup is the group for the resource being referenced² +string +B +kind:"-Kind is the type of resource being referenced² +string +B +name:"-Name is the name of resource being referenced² +string +›, +#io.k8s.api.storage.v1.CSIDriverSpecó+"2CSIDriverSpec is the specification of a CSIDriver.² +objectÊ°+ +€ +storageCapacityì"ÝIf set to true, storageCapacity indicates that the CSI volume driver wants pod scheduling to consider the storage capacity that the driver deployment will report by creating CSIStorageCapacity objects with capacity information. + +The check can be enabled immediately when deploying a driver. In that case, provisioning new volumes with late binding will pause until the driver deployment has published some suitable CSIStorageCapacity object. + +Alternatively, the driver can be deployed with the field unset or false and it can be flipped later when storage capacity information has been published. + +This field is immutable. + +This is a beta field and only available when the CSIStorageCapacity feature is enabled. The default is false.² +boolean +å + tokenRequestsÓ"éTokenRequests indicates the CSI driver needs pods' service account tokens it is mounting volume for to do necessary authentication. Kubelet will pass the tokens in VolumeContext in the CSI NodePublishVolume calls. The CSI driver should parse and validate the following VolumeContext: "csi.storage.k8s.io/serviceAccount.tokens": { + "": { + "token": , + "expirationTimestamp": , + }, + ... +} + +Note: Audience in each TokenRequest should be different and at most one token is empty string. To receive a new token after expiry, RequiresRepublish can be used to trigger NodePublishVolume periodically. + +This is a beta feature and only available when the CSIServiceAccountToken feature is enabled.² +arrayº4 +2 +0#/definitions/io.k8s.api.storage.v1.TokenRequestú# +x-kubernetes-list-type atomic + +ê +volumeLifecycleModesÑ"‘volumeLifecycleModes defines what kind of volumes this CSI volume driver supports. The default if the list is empty is "Persistent", which is the usage defined by the CSI specification and implemented in Kubernetes via the usual PV/PVC mechanism. The other mode is "Ephemeral". In this mode, volumes are defined inline inside the pod spec with CSIVolumeSource and their lifecycle is tied to the lifecycle of that pod. A driver has to be aware of this because it is only going to get a NodePublishVolume call for such a volume. For more information about implementing this mode, see https://kubernetes-csi.github.io/docs/ephemeral-local-volumes.html A driver can support one or more of these modes and more modes may be added in the future. This field is beta. + +This field is immutable.² +arrayº + ² +stringú +x-kubernetes-list-typeset + +É +attachRequired¶"§attachRequired indicates this CSI volume driver requires an attach operation (because it implements the CSI ControllerPublishVolume() method), and that the Kubernetes attach detach controller should call the attach volume interface which checks the volumeattachment status and waits until the volume is attached before proceeding to mounting. The CSI external-attacher coordinates with CSI volume driver and updates the volumeattachment status when the attach operation is complete. If the CSIDriverRegistry feature gate is enabled and the value is specified to false, the attach operation will be skipped. Otherwise the attach operation will be called. + +This field is immutable.² +boolean +Û + fsGroupPolicyÉ"»Defines if the underlying volume supports changing ownership and permission of the volume before being mounted. Refer to the specific FSGroupPolicy values for additional details. This field is alpha-level, and is only honored by servers that enable the CSIVolumeFSGroupPolicy feature gate. + +This field is immutable.² +string +© +podInfoOnMount– "‡ If set to true, podInfoOnMount indicates this CSI volume driver requires additional pod information (like podName, podUID, etc.) during mount operations. If set to false, pod information will not be passed on mount. Default is false. The CSI driver specifies podInfoOnMount as part of driver deployment. If true, Kubelet will pass pod information as VolumeContext in the CSI NodePublishVolume() calls. The CSI driver is responsible for parsing and validating the information passed in as VolumeContext. The following VolumeConext will be passed if podInfoOnMount is set to true. This list might grow, but the prefix will be used. "csi.storage.k8s.io/pod.name": pod.Name "csi.storage.k8s.io/pod.namespace": pod.Namespace "csi.storage.k8s.io/pod.uid": string(pod.UID) "csi.storage.k8s.io/ephemeral": "true" if the volume is an ephemeral inline volume + defined by a CSIVolumeSource, otherwise "false" + +"csi.storage.k8s.io/ephemeral" is a new feature in Kubernetes 1.16. It is only required for drivers which support both the "Persistent" and "Ephemeral" VolumeLifecycleMode. Other drivers can leave pod info disabled and/or ignore this field. As Kubernetes 1.15 doesn't support this field, drivers can only support one mode when deployed on such a cluster and the deployment determines which mode that is, for example via a command line parameter of the driver. + +This field is immutable.² +boolean +ÿ +requiresRepublishé"ÚRequiresRepublish indicates the CSI driver wants `NodePublishVolume` being periodically called to reflect any possible change in the mounted volume. This field defaults to false. + +Note: After a successful initial NodePublishVolume call, subsequent calls to NodePublishVolume should only update the contents of the volume. New mount points will not be seen by a running container. + +This is a beta feature and only available when the CSIServiceAccountToken feature is enabled.² +boolean +ì +Nio.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.ExternalDocumentation™"YExternalDocumentation allows referencing an external resource for extended documentation.² +objectÊ0 + +url ² +string + + description ² +string +ƒ +Jio.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.WebhookConversion´""1metricName is the name of the metric in question.² +string +§ +metricSelector” +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"PmetricSelector is used to identify a specific time series within a given metric. +Ë +targetAverageValue´ +;#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"utargetAverageValue is the target per-pod value of global metric (as a quantity). Mutually exclusive with TargetValue. +¹ + targetValue© +;#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"jtargetValue is the target value of the metric (as a quantity). Mutually exclusive with TargetAverageValue. +Ï +*io.k8s.api.networking.v1.NetworkPolicyPort "6NetworkPolicyPort describes a port to allow traffic on² +objectÊÙ +™ +endPortint32"÷If set, indicates that the range of ports from port to endPort, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal or greater than port. This feature is in Alpha state and should be enabled using the Feature Gate "NetworkPolicyEndPort".² +integer +¶ +port­ +=#/definitions/io.k8s.apimachinery.pkg.util.intstr.IntOrString"ëThe port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched. + +protocolu"hThe protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.² +string +ý +io.k8s.api.core.v1.Taintà"`The node this Taint is attached to has the "effect" on any pod that does not tolerate the Taint.škeyšeffect² +objectÊà +  +effect•"‡Required. The effect of the taint on pods that do not tolerate the taint. Valid effects are NoSchedule, PreferNoSchedule and NoExecute.² +string +D +key="0Required. The taint key to be applied to a node.² +string +­ + timeAddedŸ +7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"dTimeAdded represents the time at which the taint was added. It is only written for NoExecute taints. +E +value<"/The taint value corresponding to the taint key.² +string +° +)io.k8s.api.discovery.v1.EndpointSliceList‚"6EndpointSliceList represents a list of endpoint slicesšitems² +objectÊÉ +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +f +items]"List of endpoint slices² +arrayº7 +5 +3#/definitions/io.k8s.api.discovery.v1.EndpointSlice +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +b +metadataV +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"Standard list metadata.úg +x-kubernetes-group-version-kindDB- group: discovery.k8s.io + kind: EndpointSliceList + version: v1 + + ++io.k8s.api.extensions.v1beta1.IngressStatusÑ"8IngressStatus describe the current state of the Ingress.² +objectʈ +… + loadBalanceru +3#/definitions/io.k8s.api.core.v1.LoadBalancerStatus">LoadBalancer contains the current status of the load-balancer. +˜ +5io.k8s.api.authorization.v1.SubjectAccessReviewStatusÞ"SubjectAccessReviewStatusšallowed² +objectʪ +c +allowedX"JAllowed is required. True if the action would be allowed, false otherwise.² +boolean +‚ +denied÷"èDenied is optional. True if the action would be denied, otherwise false. If both allowed is false and denied is false, then the authorizer has no opinion on whether to authorize the action. Denied may not be true if Allowed is true.² +boolean +Þ +evaluationErrorÊ"¼EvaluationError is an indication that some error occurred during the authorization check. It is entirely possible to get an error and be able to continue determine authorization status in spite of it. For instance, RBAC can be missing a role, but enough roles are still present and bound to reason about the request.² +string +] +reasonS"FReason is optional. It indicates why a request was allowed or denied.² +string +— +"io.k8s.api.core.v1.TCPSocketActionð"=TCPSocketAction describes an action based on opening a socketšport² +objectÊ› +Ç +port¾ +=#/definitions/io.k8s.apimachinery.pkg.util.intstr.IntOrString"}Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. +O +hostG":Optional: Host name to connect to, defaults to the pod IP.² +string +³ +]io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.CustomResourceDefinitionVersionÑ"//...` if `served` is true.² +string +é ++io.k8s.api.flowcontrol.v1beta1.GroupSubject¹"?GroupSubject holds detailed information for group-kind subject.šname² +objectÊâ +ß +nameÖ"Èname is the user group that matches, or "*" to match all user groups. See https://github.com/kubernetes/apiserver/blob/master/pkg/authentication/user/user.go for some well-known group names. Required.² +string +Ú ++io.k8s.api.policy.v1beta1.AllowedFlexVolumeª"LAllowedFlexVolume represents a single Flexvolume that is allowed to be used.šdriver² +objectÊE +C +driver9",driver is the name of the Flexvolume driver.² +string + +1io.k8s.api.core.v1.PersistentVolumeClaimConditionÙ"BPersistentVolumeClaimCondition contails details about state of pvcštypešstatus² +objectÊö +n + lastProbeTime] +7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time""Last time we probed the condition. +‘ +lastTransitionTime{ +7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"@Last time the condition transitioned from one status to another. +X +messageM"@Human-readable message indicating details about last transition.² +string +é +reasonÞ"ÐUnique, this should be a short, machine understandable string that gives the reason for condition's last transition. If it reports "ResizeStarted" that means the underlying persistent volume is being resized.² +string + +status ² +string + +type ² +string +Ú + +io.k8s.api.core.v1.Toleration¸ +"The pod this Toleration is attached to tolerates any taint that matches the triple using the matching operator .² +objectÊ™ +¸ +effect­"ŸEffect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.² +string +Ó +keyË"½Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.² +string +ö +operatoré"ÛOperator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.² +string +ç +tolerationSecondsÑint64"»TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.² +integer +¢ +value˜"ŠValue is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.² +string +± +,io.k8s.api.core.v1.ReplicationControllerSpec€ "KReplicationControllerSpec is the specification of a replication controller.² +objectʤ + +ƒ +minReadySecondsïint32"ÙMinimum number of seconds for which a newly created pod should be ready without any of its container crashing, for it to be considered available. Defaults to 0 (pod will be considered available as soon as it is ready)² +integer +  +replicas“int32"ýReplicas is the number of desired replicas. This is a pointer to distinguish between explicit zero and unspecified. Defaults to 1. More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#what-is-a-replicationcontroller² +integer +¸ +selector«"Selector is a label query over pods that should match the Replicas count. If Selector is empty, it is defaulted to the labels present on the Pod template. Label keys and values that must match in order to be controlled by this replication controller, if empty defaulted to labels on Pod template. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectorsª + ² +string² +object +½ +template° +0#/definitions/io.k8s.api.core.v1.PodTemplateSpec"ûTemplate is the object that describes the pod that will be created if insufficient replicas are detected. This takes precedence over a TemplateRef. More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-template +Ê +io.k8s.api.core.v1.Sysctl¬"+Sysctl defines a kernel parameter to be setšnamešvalue² +objectÊb +0 +value'"Value of a property to set² +string +. +name&"Name of a property to set² +string +Ž ++io.k8s.api.core.v1.TopologySpreadConstraintÞ"XTopologySpreadConstraint specifies how to spread matching pods among the given topology.šmaxSkewš topologyKeyšwhenUnsatisfiable² +objectÊÉ +Ì +maxSkewÀint32"ªMaxSkew describes the degree to which pods may be unevenly distributed. When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference between the number of matching pods in the target topology and the global minimum. For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same labelSelector spread as 1/1/0: | zone1 | zone2 | zone3 | | P | P | | - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 1/1/1; scheduling it onto zone1(zone2) would make the ActualSkew(2-0) on zone1(zone2) violate MaxSkew(1). - if MaxSkew is 2, incoming pod can be scheduled onto any zone. When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence to topologies that satisfy it. It's a required field. Default value is 1 and 0 is not allowed.² +integer +§ + topologyKey—"‰TopologyKey is the key of node labels. Nodes that have a label with this key and identical values are considered to be in the same topology. We consider each as a "bucket", and try to put balanced number of pods into each bucket. It's a required field.² +string +Ï +whenUnsatisfiable¹"«WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy the spread constraint. - DoNotSchedule (default) tells the scheduler not to schedule it. - ScheduleAnyway tells the scheduler to schedule the pod in any location, + but giving higher precedence to topologies that would help reduce the + skew. +A constraint is considered "Unsatisfiable" for an incoming pod if and only if every possible node assigment for that pod would violate "MaxSkew" on some topology. For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same labelSelector spread as 3/1/1: | zone1 | zone2 | zone3 | | P P P | P | P | If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler won't make it *more* imbalanced. It's a required field.² +string +û + labelSelectoré +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"¤LabelSelector is used to find matching pods. Pods that match this label selector are counted to determine the number of pods in their corresponding topology domain. +ˆ +.io.k8s.apimachinery.pkg.apis.meta.v1.MicroTimeV date-time">MicroTime is version of Time with microsecond level precision.² +string +„ +io.k8s.api.core.v1.KeyToPathã",Maps a string key to a path within a volume.škeyšpath² +objectÊ™ +' +key "The key to project.² +string +» +mode²int32"œOptional: mode bits used to set permissions on this file. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.² +integer +¯ +path¦"˜The relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'.² +string +” +%io.k8s.api.core.v1.NamespaceConditionê"=NamespaceCondition contains details about state of namespace.štypešstatus² +objectÊŒ + +message ² +string + +reason ² +string +L +statusB"5Status of the condition, one of True, False, Unknown.² +string +< +type4"'Type of namespace controller condition.² +string +O +lastTransitionTime9 +7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time +á +&io.k8s.api.core.v1.ComponentStatusList¶ "Status of all the conditions for the component as a list of ComponentStatus objects. Deprecated: This API is deprecated in v1.19+šitems² +objectʽ +l +itemsc" List of ComponentStatus objects.² +arrayº4 +2 +0#/definitions/io.k8s.api.core.v1.ComponentStatus +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +Ï +metadata +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"‚Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +stringú[ +x-kubernetes-group-version-kind86- group: "" + kind: ComponentStatusList + version: v1 + + +(io.k8s.api.core.v1.PersistentVolumeClaim• "NPersistentVolumeClaim is a user's request for and claim to a persistent volume² +objectÊÖ + +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +Ò +metadataÅ +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"ƒStandard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata +ø +specï +:#/definitions/io.k8s.api.core.v1.PersistentVolumeClaimSpec"°Spec defines the desired characteristics of a volume requested by a pod author. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims +† +statusû +<#/definitions/io.k8s.api.core.v1.PersistentVolumeClaimStatus"ºStatus represents the current information/status of a persistent volume claim. Read-only. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaimsú] +x-kubernetes-group-version-kind:8- kind: PersistentVolumeClaim + version: v1 + group: "" + + +(io.k8s.api.extensions.v1beta1.IngressTLSâ"MIngressTLS describes the transport layer security associated with an Ingress.² +objectÊ„ +š +hosts"óHosts are a list of hosts included in the TLS certificate. The values in this list must match the name/s used in the tlsSecret. Defaults to the wildcard host setting for the loadbalancer controller fulfilling this Ingress, if left unspecified.² +arrayº + ² +string +ä + +secretNameÕ"ÇSecretName is the name of the secret used to terminate SSL traffic on 443. Field is left optional to allow SSL routing based on SNI hostname alone. If the SNI host in a listener conflicts with the "Host" header field used by an IngressRule, the SNI host is used for termination and value of the Host header is used for routing.² +string +Ÿ +-io.k8s.api.networking.v1.HTTPIngressRuleValueí"£HTTPIngressRuleValue is a list of http selectors pointing to backends. In the example: http:///? -> backend where where parts of the url correspond to RFC 3986, this resource will be used to match against everything after the last '/' and before the first '?' or '#'.špaths² +objectÊ° +­ +paths£"4A collection of paths that map requests to backends.² +arrayº: +8 +6#/definitions/io.k8s.api.networking.v1.HTTPIngressPathú# +x-kubernetes-list-type atomic + +™ +1io.k8s.api.policy.v1beta1.PodDisruptionBudgetListã"@PodDisruptionBudgetList is a collection of PodDisruptionBudgets.šitems² +objectÊŸ +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +U +itemsL² +arrayº? += +;#/definitions/io.k8s.api.policy.v1beta1.PodDisruptionBudget +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +I +metadata= +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMetaúh +x-kubernetes-group-version-kindEC- kind: PodDisruptionBudgetList + version: v1beta1 + group: policy + +Õ +Qio.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceConversionÿ"MCustomResourceConversion describes how to convert different versions of a CR.šstrategy² +objectÊ– +Å +strategy¸"ªstrategy specifies how custom resources are converted between versions. Allowed values are: - `None`: The converter only change the apiVersion and would not touch any other field in the custom resource. - `Webhook`: API Server will call to an external webhook to do the conversion. Additional information + is needed for this option. This requires spec.preserveUnknownFields to be false, and spec.conversion.webhook to be set.² +string +Ë +webhook¿ +X#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.WebhookConversion"cwebhook describes how to call the conversion webhook. Required when `strategy` is set to `Webhook`. +Æ +%io.k8s.api.coordination.v1beta1.Leaseœ "Lease defines a lease concept.² +objectʇ +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +µ +metadata¨ +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"gMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata +Ï +specÆ +7#/definitions/io.k8s.api.coordination.v1beta1.LeaseSpec"ŠSpecification of the Lease. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +stringúc +x-kubernetes-group-version-kind@>- group: coordination.k8s.io + kind: Lease + version: v1beta1 + +Ÿ +(io.k8s.api.core.v1.AzureDiskVolumeSourceò"TAzureDisk represents an Azure Data Disk mount on the host and bind mount to the pod.šdiskNamešdiskURI² +objectÊø +À +fsTypeµ"§Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified.² +string +à +kind×"ÉExpected values Shared: multiple blob disks per storage account Dedicated: single blob disk per storage account Managed: azure managed data disk (only in managed availability set). defaults to shared² +string +x +readOnlyl"^Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.² +boolean +K + cachingMode<"/Host Caching mode: None, Read Only, Read Write.² +string +F +diskName:"-The Name of the data disk in the blob storage² +string +A +diskURI6")The URI the data disk in the blob storage² +string +û +)io.k8s.api.autoscaling.v2beta1.MetricSpecÍ"|MetricSpec specifies how to scale based on a single metric (only `type` and one other matching field should be set at once).štype² +objectʹ + +object· +?#/definitions/io.k8s.api.autoscaling.v2beta1.ObjectMetricSource"tobject refers to a metric describing a single kubernetes object (for example, hits-per-second on an Ingress object). +• +podsŒ +=#/definitions/io.k8s.api.autoscaling.v2beta1.PodsMetricSource"Êpods refers to a metric describing each pod in the current scale target (for example, transactions-processed-per-second). The values will be averaged together before being compared to the target value. +™ +resourceŒ +A#/definitions/io.k8s.api.autoscaling.v2beta1.ResourceMetricSource"Æresource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing each pod in the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the "pods" source. +£ +typeš"Œtype is the type of metric source. It should be one of "ContainerResource", "External", "Object", "Pods" or "Resource", each mapping to a matching field in the object. Note: "ContainerResource" type is available on when the feature-gate HPAContainerMetrics is enabled² +string +  +containerResourceŠ +J#/definitions/io.k8s.api.autoscaling.v2beta1.ContainerResourceMetricSource"»container resource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing a single container in each pod of the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the "pods" source. This is an alpha feature and can be enabled by the HPAContainerMetrics feature flag. +ô +externalç +A#/definitions/io.k8s.api.autoscaling.v2beta1.ExternalMetricSource"¡external refers to a global metric that is not associated with any Kubernetes object. It allows autoscaling based on information coming from components running outside of cluster (for example length of queue in cloud messaging service, or QPS from loadbalancer running outside of cluster). +û +)io.k8s.api.autoscaling.v2beta2.MetricSpecÍ"|MetricSpec specifies how to scale based on a single metric (only `type` and one other matching field should be set at once).štype² +objectʹ +™ +resourceŒ +A#/definitions/io.k8s.api.autoscaling.v2beta2.ResourceMetricSource"Æresource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing each pod in the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the "pods" source. +£ +typeš"Œtype is the type of metric source. It should be one of "ContainerResource", "External", "Object", "Pods" or "Resource", each mapping to a matching field in the object. Note: "ContainerResource" type is available on when the feature-gate HPAContainerMetrics is enabled² +string +  +containerResourceŠ +J#/definitions/io.k8s.api.autoscaling.v2beta2.ContainerResourceMetricSource"»container resource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing a single container in each pod of the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the "pods" source. This is an alpha feature and can be enabled by the HPAContainerMetrics feature flag. +ô +externalç +A#/definitions/io.k8s.api.autoscaling.v2beta2.ExternalMetricSource"¡external refers to a global metric that is not associated with any Kubernetes object. It allows autoscaling based on information coming from components running outside of cluster (for example length of queue in cloud messaging service, or QPS from loadbalancer running outside of cluster). + +object· +?#/definitions/io.k8s.api.autoscaling.v2beta2.ObjectMetricSource"tobject refers to a metric describing a single kubernetes object (for example, hits-per-second on an Ingress object). +• +podsŒ +=#/definitions/io.k8s.api.autoscaling.v2beta2.PodsMetricSource"Êpods refers to a metric describing each pod in the current scale target (for example, transactions-processed-per-second). The values will be averaged together before being compared to the target value. +¦ +%io.k8s.api.core.v1.CinderVolumeSourceü"ëRepresents a cinder volume resource in Openstack. A Cinder volume must exist before mounting to a container. The volume must also be in the same region as the kubelet. Cinder volumes support ownership management and SELinux relabeling.švolumeID² +objectÊô +ƒ +fsTypeø"êFilesystem type to mount. Must be a filesystem type supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. More info: https://examples.k8s.io/mysql-cinder-pd/README.md² +string +Á +readOnly´"¥Optional: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. More info: https://examples.k8s.io/mysql-cinder-pd/README.md² +boolean +ž + secretRef +5#/definitions/io.k8s.api.core.v1.LocalObjectReference"WOptional: points to a secret object containing parameters used to connect to OpenStack. +† +volumeIDz"mvolume id used to identify the volume in cinder. More info: https://examples.k8s.io/mysql-cinder-pd/README.md² +string +Æ +#io.k8s.api.core.v1.SecretProjectionž"Adapts a secret into a projected volume. + +The contents of the target Secret's Data field will be presented in a projected volume as files using the keys in the Data field as the file names. Note that this is identical to a secret volume source without the default mode.² +objectÊÿ +¤ +itemsš"ÜIf unspecified, each key-value pair in the Data field of the referenced Secret will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the Secret, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'.² +arrayº. +, +*#/definitions/io.k8s.api.core.v1.KeyToPath +„ +name|"oName of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names² +string +O +optionalC"5Specify whether the Secret or its key must be defined² +boolean +´ +)io.k8s.api.discovery.v1beta1.EndpointPort† "7EndpointPort represents a Port used by an EndpointSlice² +objectʾ +Ù + appProtocolÉ"»The application protocol for this port. This field follows standard Kubernetes label syntax. Un-prefixed names are reserved for IANA standard service names (as per RFC-6335 and http://www.iana.org/assignments/service-names). Non-standard protocols should use prefixed names such as mycompany.com/my-custom-protocol.² +string +Å +name¼"®The name of this port. All ports in an EndpointSlice must have a unique name. If the EndpointSlice is dervied from a Kubernetes service, this corresponds to the Service.ports[].name. Name must either be an empty string or pass DNS_LABEL validation: * must be no more than 63 characters long. * must consist of lower case alphanumeric characters or '-'. * must start and end with an alphanumeric character. Default is empty string.² +string +³ +portªint32"”The port number of the endpoint. If this is not specified, ports are not restricted and must be interpreted in the context of the specific consumer.² +integer +b +protocolV"IThe IP protocol for this port. Must be UDP, TCP, or SCTP. Default is TCP.² +string +± +/io.k8s.apimachinery.pkg.apis.meta.v1.WatchEventý"6Event represents a single event to a watched resource.štypešobject² +objectÊ× +¿ +object´ +:#/definitions/io.k8s.apimachinery.pkg.runtime.RawExtension"õObject is: + * If Type is Added or Modified: the new state of the object. + * If Type is Deleted: the state of the object immediately before deletion. + * If Type is Error: *Status is recommended; other types may make sense + depending on context. + +type ² +stringúË +x-kubernetes-group-version-kind§¤- group: "" + kind: WatchEvent + version: v1 +- version: v1 + group: admission.k8s.io + kind: WatchEvent +- group: admission.k8s.io + kind: WatchEvent + version: v1beta1 +- group: admissionregistration.k8s.io + kind: WatchEvent + version: v1 +- group: admissionregistration.k8s.io + kind: WatchEvent + version: v1beta1 +- group: apiextensions.k8s.io + kind: WatchEvent + version: v1 +- kind: WatchEvent + version: v1beta1 + group: apiextensions.k8s.io +- group: apiregistration.k8s.io + kind: WatchEvent + version: v1 +- group: apiregistration.k8s.io + kind: WatchEvent + version: v1beta1 +- group: apps + kind: WatchEvent + version: v1 +- group: apps + kind: WatchEvent + version: v1beta1 +- group: apps + kind: WatchEvent + version: v1beta2 +- kind: WatchEvent + version: v1 + group: authentication.k8s.io +- group: authentication.k8s.io + kind: WatchEvent + version: v1beta1 +- kind: WatchEvent + version: v1 + group: authorization.k8s.io +- group: authorization.k8s.io + kind: WatchEvent + version: v1beta1 +- group: autoscaling + kind: WatchEvent + version: v1 +- kind: WatchEvent + version: v2beta1 + group: autoscaling +- group: autoscaling + kind: WatchEvent + version: v2beta2 +- group: batch + kind: WatchEvent + version: v1 +- group: batch + kind: WatchEvent + version: v1beta1 +- group: certificates.k8s.io + kind: WatchEvent + version: v1 +- group: certificates.k8s.io + kind: WatchEvent + version: v1beta1 +- group: coordination.k8s.io + kind: WatchEvent + version: v1 +- group: coordination.k8s.io + kind: WatchEvent + version: v1beta1 +- group: discovery.k8s.io + kind: WatchEvent + version: v1 +- group: discovery.k8s.io + kind: WatchEvent + version: v1beta1 +- group: events.k8s.io + kind: WatchEvent + version: v1 +- group: events.k8s.io + kind: WatchEvent + version: v1beta1 +- group: extensions + kind: WatchEvent + version: v1beta1 +- kind: WatchEvent + version: v1alpha1 + group: flowcontrol.apiserver.k8s.io +- group: flowcontrol.apiserver.k8s.io + kind: WatchEvent + version: v1beta1 +- group: imagepolicy.k8s.io + kind: WatchEvent + version: v1alpha1 +- kind: WatchEvent + version: v1alpha1 + group: internal.apiserver.k8s.io +- group: networking.k8s.io + kind: WatchEvent + version: v1 +- group: networking.k8s.io + kind: WatchEvent + version: v1beta1 +- group: node.k8s.io + kind: WatchEvent + version: v1 +- version: v1alpha1 + group: node.k8s.io + kind: WatchEvent +- group: node.k8s.io + kind: WatchEvent + version: v1beta1 +- version: v1 + group: policy + kind: WatchEvent +- version: v1beta1 + group: policy + kind: WatchEvent +- kind: WatchEvent + version: v1 + group: rbac.authorization.k8s.io +- version: v1alpha1 + group: rbac.authorization.k8s.io + kind: WatchEvent +- group: rbac.authorization.k8s.io + kind: WatchEvent + version: v1beta1 +- group: scheduling.k8s.io + kind: WatchEvent + version: v1 +- group: scheduling.k8s.io + kind: WatchEvent + version: v1alpha1 +- group: scheduling.k8s.io + kind: WatchEvent + version: v1beta1 +- group: storage.k8s.io + kind: WatchEvent + version: v1 +- group: storage.k8s.io + kind: WatchEvent + version: v1alpha1 +- group: storage.k8s.io + kind: WatchEvent + version: v1beta1 + +Á +-io.k8s.api.authorization.v1beta1.ResourceRule"¬ResourceRule is the list of actions the subject is allowed to perform on resources. The list ordering isn't significant, may contain duplicates, and possibly be incomplete.šverbs² +objectÊÉ +ƒ + apiGroupsõ"ØAPIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed. "*" means all.² +arrayº + ² +string +¹ + resourceNames§"ŠResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed. "*" means all.² +arrayº + ² +string +ä + resourcesÖ"¹Resources is a list of resources this rule applies to. "*" means all in the specified apiGroups. + "*/foo" represents the subresource 'foo' for all resources in the specified apiGroups.² +arrayº + ² +string + +verbs“"wVerb is a list of kubernetes resource API verbs, like: get, list, watch, create, update, delete, proxy. "*" means all.² +arrayº + ² +string + +:io.k8s.api.authorization.v1beta1.SubjectAccessReviewStatusÞ"SubjectAccessReviewStatusšallowed² +objectʪ +‚ +denied÷"èDenied is optional. True if the action would be denied, otherwise false. If both allowed is false and denied is false, then the authorizer has no opinion on whether to authorize the action. Denied may not be true if Allowed is true.² +boolean +Þ +evaluationErrorÊ"¼EvaluationError is an indication that some error occurred during the authorization check. It is entirely possible to get an error and be able to continue determine authorization status in spite of it. For instance, RBAC can be missing a role, but enough roles are still present and bound to reason about the request.² +string +] +reasonS"FReason is optional. It indicates why a request was allowed or denied.² +string +c +allowedX"JAllowed is required. True if the action would be allowed, false otherwise.² +boolean +ž +Fio.k8s.kube-aggregator.pkg.apis.apiregistration.v1beta1.APIServiceSpecÓ"£APIServiceSpec contains information for locating and communicating with a server. Only https is supported, though you are able to disable certificate verification.šgroupPriorityMinimumšversionPriority² +objectÊõ +ì +caBundleßbyte"¥CABundle is a PEM encoded CA bundle which will be used to validate an API server's serving certificate. If unspecified, system trust roots on the apiserver are used.² +stringú# +x-kubernetes-list-type atomic + +C +group:"-Group is the API group name this server hosts² +string +± +groupPriorityMinimum˜int32"‚GroupPriorityMininum is the priority this group should have at least. Higher priority means that the group is preferred by clients over lower priority ones. Note that other versions of this group might specify even higher GroupPriorityMininum values such that the whole group gets a higher priority. The primary sort is based on GroupPriorityMinimum, ordered highest number to lowest (20 before 10). The secondary sort is based on the alphabetical comparison of the name of the object. (v1.bar before v1.foo) We'd recommend something like: *.k8s.io (except extensions) at 18000 and PaaSes (OpenShift, Deis) are recommended to be in the 2000s² +integer +Í +insecureSkipTLSVerify³"¤InsecureSkipTLSVerify disables TLS certificate verification when communicating with this server. This is strongly discouraged. You should use the CABundle instead.² +boolean +ù +serviceí +V#/definitions/io.k8s.kube-aggregator.pkg.apis.apiregistration.v1beta1.ServiceReference"’Service is a reference to the service for this API server. It must communicate on port 443. If the Service is nil, that means the handling for the API groupversion is handled locally on this server. The call will simply delegate to the normal handler chain to be fulfilled. +X +versionM"@Version is the API version this server hosts. For example, "v1"² +string +ä +versionPriorityÐint32"ºVersionPriority controls the ordering of this API version inside of its group. Must be greater than zero. The primary sort is based on VersionPriority, ordered highest to lowest (20 before 10). Since it's inside of a group, the number can be small, probably in the 10s. In case of equal version priorities, the version string will be used to compute the order inside a group. If the version string is "kube-like", it will sort above non "kube-like" version strings, which are ordered lexicographically. "Kube-like" versions start with a "v", then are followed by a number (the major version), then optionally the string "alpha" or "beta" and another number (the minor version). These are sorted first by GA > beta > alpha (where GA is a version with no suffix such as beta or alpha), and then by comparing major version, then minor version. An example sorted list of versions: v10, v2, v1, v11beta2, v10beta3, v3beta1, v12alpha1, v11alpha2, foo1, foo10.² +integer +· +!io.k8s.api.core.v1.NodeSystemInfo‘ "CNodeSystemInfo is a set of ids/uuids to uniquely identify the node.š machineIDš +systemUUIDšbootIDš kernelVersionšosImagešcontainerRuntimeVersionškubeletVersionškubeProxyVersionšoperatingSystemš architecture² +objectÊ¢ +H +kubeProxyVersion4"'KubeProxy Version reported by the node.² +string +D +kubeletVersion2"%Kubelet Version reported by the node.² +string +ß + machineIDÑ"ÃMachineID reported by the node. For unique machine identification in the cluster this field is preferred. Learn more from man(5) machine-id: http://man7.org/linux/man-pages/man5/machine-id.5.html² +string +I +operatingSystem6")The Operating System reported by the node² +string +þ + +systemUUIDï"áSystemUUID reported by the node. For unique machine identification MachineID is preferred. This field is specific to Red Hat hosts https://access.redhat.com/documentation/en-us/red_hat_subscription_management/1/html/rhsm/uuid² +string +n + kernelVersion]"PKernel Version reported by the node from 'uname -r' (e.g. 3.16.0-0.bpo.4-amd64).² +string +4 +bootID*"Boot ID reported by the node.² +string +‡ +containerRuntimeVersionl"_ContainerRuntime Version reported by the node through runtime remote API (e.g. docker://1.5.0).² +string +n +osImagec"VOS Image reported by the node from /etc/os-release (e.g. Debian GNU/Linux 7 (wheezy)).² +string +B + architecture2"%The Architecture reported by the node² +string +¥ +>io.k8s.apimachinery.pkg.apis.meta.v1.ServerAddressByClientCIDRâ"ServerAddressByClientCIDR helps the client to determine the server address that they should use, depending on the clientCIDR that they match.š +clientCIDRš serverAddress² +objectʦ +€ + +clientCIDRr"eThe CIDR with which clients can match their IP to figure out the server address that they should use.² +string +  + serverAddressŽ"€Address of this server, suitable for a client that matches the above CIDR. This can be a hostname, hostname:port, IP or IP:port.² +string +Ô +(io.k8s.api.core.v1.DownwardAPIProjection§"™Represents downward API info for projecting into a projected volume. Note that this is identical to a downwardAPI volume source without the default mode.² +objectÊ} +{ +itemsr")Items is a list of DownwardAPIVolume file² +arrayº: +8 +6#/definitions/io.k8s.api.core.v1.DownwardAPIVolumeFile +‚ +*io.k8s.api.core.v1.DownwardAPIVolumeSourceÓ"“DownwardAPIVolumeSource represents a volume containing downward API info. Downward API volumes support ownership management and SELinux relabeling.² +objectÊ® +¬ + defaultModeœint32"†Optional: mode bits to use on created files by default. Must be a Optional: mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.² +integer +} +itemst"+Items is a list of downward API volume file² +arrayº: +8 +6#/definitions/io.k8s.api.core.v1.DownwardAPIVolumeFile +« +/io.k8s.api.core.v1.CinderPersistentVolumeSource÷"ëRepresents a cinder volume resource in Openstack. A Cinder volume must exist before mounting to a container. The volume must also be in the same region as the kubelet. Cinder volumes support ownership management and SELinux relabeling.švolumeID² +objectÊï +Á +readOnly´"¥Optional: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. More info: https://examples.k8s.io/mysql-cinder-pd/README.md² +boolean +™ + secretRef‹ +0#/definitions/io.k8s.api.core.v1.SecretReference"WOptional: points to a secret object containing parameters used to connect to OpenStack. +† +volumeIDz"mvolume id used to identify the volume in cinder. More info: https://examples.k8s.io/mysql-cinder-pd/README.md² +string +ƒ +fsTypeø"êFilesystem type to mount. Must be a filesystem type supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. More info: https://examples.k8s.io/mysql-cinder-pd/README.md² +string +å +,io.k8s.api.flowcontrol.v1beta1.LimitResponse´"PLimitResponse defines how to handle requests that can not be executed right now.štype² +objectÊé +à +queuing· +A#/definitions/io.k8s.api.flowcontrol.v1beta1.QueuingConfiguration"r`queuing` holds the configuration parameters for queuing. This field may be non-empty only if `type` is `"Queue"`. +  +type—"‰`type` is "Queue" or "Reject". "Queue" means that requests that can not be executed upon arrival are held in a queue until they can be executed or a queuing limit is reached. "Reject" means that requests that can not be executed upon arrival are rejected. Required.² +stringú` +x-kubernetes-unionsIG- discriminator: type + fields-to-discriminateBy: + queuing: Queuing + +´ +Uio.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionListÚ"KCustomResourceDefinitionList is a list of CustomResourceDefinition objects.šitems² +objectÊý +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +² +items¨"6items list individual CustomResourceDefinition objects² +arrayºc +a +_#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinition +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +I +metadata= +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMetaúv +x-kubernetes-group-version-kindSQ- group: apiextensions.k8s.io + kind: CustomResourceDefinitionList + version: v1 + +Ç + +(io.k8s.api.authentication.v1.TokenReviewš +"§TokenReview attempts to authenticate a token to a known user. Note: TokenReview requests may be cached by the webhook token authenticator plugin in the kube-apiserver.šspec² +objectÊñ +K +metadata? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta +~ +specv +:#/definitions/io.k8s.api.authentication.v1.TokenReviewSpec"8Spec holds information about the request being evaluated +¤ +status™ +<#/definitions/io.k8s.api.authentication.v1.TokenReviewStatus"YStatus is filled in by the server and indicates whether the request can be authenticated. +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +stringúf +x-kubernetes-group-version-kindCA- version: v1 + group: authentication.k8s.io + kind: TokenReview + +ª +9io.k8s.api.authorization.v1beta1.LocalSubjectAccessReviewì "çLocalSubjectAccessReview checks whether or not a user or group can perform an action in a given namespace. Having a namespace scoped resource makes it much easier to grant namespace scoped policy that includes permissions checking.šspec² +objectÊò +ö +specí +F#/definitions/io.k8s.api.authorization.v1beta1.SubjectAccessReviewSpec"¢Spec holds information about the request being evaluated. spec.namespace must be equal to the namespace you made the request against. If empty, it is defaulted. +¬ +status¡ +H#/definitions/io.k8s.api.authorization.v1beta1.SubjectAccessReviewStatus"UStatus is filled in by the server and indicates whether the request is allowed or not +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +K +metadata? +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMetaúw +x-kubernetes-group-version-kindTR- group: authorization.k8s.io + kind: LocalSubjectAccessReview + version: v1beta1 + +“ + +,io.k8s.api.core.v1.ReplicationControllerListâ "EReplicationControllerList is a collection of replication controllers.šitems² +objectÊ  +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +Ï +metadata +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"‚Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +Î +itemsÄ"{List of replication controllers. More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller² +arrayº: +8 +6#/definitions/io.k8s.api.core.v1.ReplicationControllerúa +x-kubernetes-group-version-kind><- kind: ReplicationControllerList + version: v1 + group: "" + +¾ +%io.k8s.api.extensions.v1beta1.Ingress”"‹Ingress is a collection of rules that allow inbound connections to reach the endpoints defined by a backend. An Ingress can be configured to give services externally-reachable urls, load balance traffic, terminate SSL, offer name based virtual hosting etc. DEPRECATED - This group version of Ingress is deprecated by networking.k8s.io/v1beta1 Ingress. See the release notes for more information.² +objectʘ + +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +Ò +metadataÅ +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"ƒStandard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata +Ý +specÔ +7#/definitions/io.k8s.api.extensions.v1beta1.IngressSpec"˜Spec is the desired state of the Ingress. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status +ã +statusØ +9#/definitions/io.k8s.api.extensions.v1beta1.IngressStatus"šStatus is the current state of the Ingress. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-statusú\ +x-kubernetes-group-version-kind97- group: extensions + kind: Ingress + version: v1beta1 + +à +Nio.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSONSchemaPropsOrBoolq"oJSONSchemaPropsOrBool represents JSONSchemaProps or a boolean value. Defaults to true for the boolean property. +ø + +,io.k8s.apimachinery.pkg.runtime.RawExtensionÇ +"¹ +RawExtension is used to hold extensions in external versions. + +To use this, make a field which has RawExtension as its type in your external, versioned struct, and Object in your internal struct. You also need to register your various plugin types. + +// Internal package: type MyAPIObject struct { + runtime.TypeMeta `json:",inline"` + MyPlugin runtime.Object `json:"myPlugin"` +} type PluginA struct { + AOption string `json:"aOption"` +} + +// External package: type MyAPIObject struct { + runtime.TypeMeta `json:",inline"` + MyPlugin runtime.RawExtension `json:"myPlugin"` +} type PluginA struct { + AOption string `json:"aOption"` +} + +// On the wire, the JSON will look something like this: { + "kind":"MyAPIObject", + "apiVersion":"v1", + "myPlugin": { + "kind":"PluginA", + "aOption":"foo", + }, +} + +So what happens? Decode first uses json or yaml to unmarshal the serialized data into your external MyAPIObject. That causes the raw JSON to be stored, but not unpacked. The next step is to copy (using pkg/conversion) into the internal struct. The runtime package's DefaultScheme has conversion functions installed which will unpack the JSON stored in RawExtension, turning it into the correct object type, and storing it in the Object. (TODO: In the case where the object is of an unknown type, a runtime.Unknown object will be created and stored.)² +object +õ + +io.k8s.api.batch.v1.CronJobSpecÑ +"YCronJobSpec describes how the job execution will look like and when it will actually run.šscheduleš jobTemplate² +objectÊÎ +Ç +startingDeadlineSeconds«int64"•Optional deadline in seconds for starting the job if it misses scheduled time for any reason. Missed jobs executions will be counted as failed ones.² +integer +— +successfulJobsHistoryLimityint32"dThe number of successful finished jobs to retain. Value must be non-negative integer. Defaults to 3.² +integer +  +suspend”"…This flag tells the controller to suspend subsequent executions, it does not apply to already started executions. Defaults to false.² +boolean +Ì +concurrencyPolicy¶"¨Specifies how to treat concurrent executions of a Job. Valid values are: - "Allow" (default): allows CronJobs to run concurrently; - "Forbid": forbids concurrent runs, skipping next run if previous run hasn't finished yet; - "Replace": cancels currently running job and replaces it with a new one² +string + +failedJobsHistoryLimituint32"`The number of failed finished jobs to retain. Value must be non-negative integer. Defaults to 1.² +integer +„ + jobTemplateu +1#/definitions/io.k8s.api.batch.v1.JobTemplateSpec"@Specifies the job that will be created when executing a CronJob. +] +scheduleQ"DThe schedule in Cron format, see https://en.wikipedia.org/wiki/Cron.² +string +à +#io.k8s.api.batch.v1.JobTemplateSpec¸"QJobTemplateSpec describes the data a Job should have when created from a template² +objectÊÖ +ù +metadataì +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"ªStandard object's metadata of the jobs created from this template. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata +× +specÎ +)#/definitions/io.k8s.api.batch.v1.JobSpec" Specification of the desired behavior of the job. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status +ø +"io.k8s.api.core.v1.RBDVolumeSourceÑ "ˆRepresents a Rados Block Device mount that lasts the lifetime of a pod. RBD volumes support ownership management and SELinux relabeling.šmonitorsšimage² +objectʤ +‚ +userz"mThe rados user name. Default is admin. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it² +string +³ +fsType¨"šFilesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd² +string +r +imagei"\The rados image name. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it² +string +« +keyringŸ"‘Keyring is the path to key ring for RBDUser. Default is /etc/ceph/keyring. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it² +string +Ž +monitors"eA collection of Ceph monitors. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it² +arrayº + ² +string +€ +poolx"kThe rados pool name. Default is rbd. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it² +string +´ +readOnly§"˜ReadOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it² +boolean +ù + secretRefë +5#/definitions/io.k8s.api.core.v1.LocalObjectReference"±SecretRef is name of the authentication secret for RBDUser. If provided overrides keyring. Default is nil. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it + +*io.k8s.api.discovery.v1beta1.EndpointSliceà"ÜEndpointSlice represents a subset of the endpoints that implement a service. For a given service there may be multiple EndpointSlice objects, selected by labels, which must be joined to produce the full set of endpoints.š addressTypeš endpoints² +objectÊí +ð + addressTypeà"ÒaddressType specifies the type of address carried by this EndpointSlice. All addresses in this slice must be the same type. This field is immutable after creation. The following address types are currently supported: * IPv4: Represents an IPv4 Address. * IPv6: Represents an IPv6 Address. * FQDN: Represents a Fully Qualified Domain Name.² +string +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +ä + endpointsÖ"jendpoints is a list of unique endpoints in this slice. Each slice may include a maximum of 1000 endpoints.² +arrayº7 +5 +3#/definitions/io.k8s.api.discovery.v1beta1.Endpointú# +x-kubernetes-list-type atomic + +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +h +metadata\ +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"Standard object's metadata. +© +portsŸ"®ports specifies the list of network ports exposed by each endpoint in this slice. Each port must have a unique name. When ports is empty, it indicates that there are no defined ports. When a port is defined with a nil port value, it indicates "all ports". Each slice may include a maximum of 100 ports.² +arrayº; +9 +7#/definitions/io.k8s.api.discovery.v1beta1.EndpointPortú# +x-kubernetes-list-type atomic +úh +x-kubernetes-group-version-kindEC- version: v1beta1 + group: discovery.k8s.io + kind: EndpointSlice + +µ +#io.k8s.api.networking.v1.IngressTLS"MIngressTLS describes the transport layer security associated with an Ingress.² +objectʯ +À +hosts¶"óHosts are a list of hosts included in the TLS certificate. The values in this list must match the name/s used in the tlsSecret. Defaults to the wildcard host setting for the loadbalancer controller fulfilling this Ingress, if left unspecified.² +arrayº + ² +stringú# +x-kubernetes-list-type atomic + +é + +secretNameÚ"ÌSecretName is the name of the secret used to terminate TLS traffic on port 443. Field is left optional to allow TLS routing based on SNI hostname alone. If the SNI host in a listener conflicts with the "Host" header field used by an IngressRule, the SNI host is used for termination and value of the Host header is used for routing.² +string +® +"io.k8s.api.rbac.v1.RoleBindingList‡"/RoleBindingList is a collection of RoleBindingsšitems² +objectÊÎ +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +g +items^"Items is a list of RoleBindings² +arrayº0 +. +,#/definitions/io.k8s.api.rbac.v1.RoleBinding +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +f +metadataZ +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"Standard object's metadata.ún +x-kubernetes-group-version-kindKI- group: rbac.authorization.k8s.io + kind: RoleBindingList + version: v1 + +å +2io.k8s.apimachinery.pkg.apis.meta.v1.StatusDetails® "éStatusDetails is a set of additional properties that MAY be set by the server to provide additional information about a response. The Reason field of a Status object defines what attributes will be set. Clients must ignore fields that do not match the defined type of each attribute, and should assume that any attribute may be empty, invalid, or under defined.² +objectʳ + +kind„"öThe kind attribute of the resource associated with the status StatusReason. On some operations may differ from the requested resource Kind. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +— +nameŽ"€The name attribute of the resource associated with the status StatusReason (when there is a single name which can be described).² +string +— +retryAfterSecondsint32"ëIf specified, the time in seconds before the operation should be retried. Some errors may indicate the client must take an alternate action - for those errors this field may indicate how long to wait before taking the alternate action.² +integer +¥ +uid"UID of the resource. (when there is a single resource which can be described). More info: http://kubernetes.io/docs/user-guide/identifiers#uids² +string +à +causesÕ"ƒThe Causes array includes more details associated with the StatusReason failure. Not all StatusReasons may provide detailed causes.² +arrayºB +@ +>#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.StatusCause +b +groupY"LThe group attribute of the resource associated with the status StatusReason.² +string +ˆ +%io.k8s.api.apps.v1.ControllerRevisionÞ"±ControllerRevision implements an immutable snapshot of state data. Clients are responsible for serializing and deserializing the objects that contain their internal state. Once a ControllerRevision has been successfully created, it can not be updated. The API Server will fail validation of all requests that attempt to mutate the Data field. ControllerRevisions may, however, be deleted. Note that, due to its use by both the DaemonSet and StatefulSet controllers for update and rollback, this object is beta. However, it may be subject to name and representation changes in future releases, and clients should not depend on its stability. It is primarily for internal use by controllers.šrevision² +objectʱ +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +Ò +metadataÅ +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"ƒStandard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata +b +revisionVint64"ARevision indicates the revision of the state represented by Data.² +integer +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +y +dataq +:#/definitions/io.k8s.apimachinery.pkg.runtime.RawExtension"3Data is the serialized representation of the state.ú\ +x-kubernetes-group-version-kind97- group: apps + kind: ControllerRevision + version: v1 + +Þ + io.k8s.api.core.v1.ContainerPort¹">ContainerPort represents a network port in a single container.š containerPort² +objectÊÚ +A +hostIP7"*What host IP to bind the external port to.² +string +å +hostPortØint32"ÂNumber of port to expose on the host. If specified, this must be a valid port number, 0 < x < 65536. If HostNetwork is specified, this must match ContainerPort. Most containers do not need this.² +integer +Æ +name½"¯If specified, this must be an IANA_SVC_NAME and unique within the pod. Each named port in a pod must have a unique name. Name for the port that can be referred to by services.² +string +Y +protocolM"@Protocol for port. Must be UDP, TCP, or SCTP. Defaults to "TCP".² +string +ˆ + containerPortwint32"bNumber of port to expose on the pod's IP address. This must be a valid port number, 0 < x < 65536.² +integer +¨ + +1io.k8s.api.storage.v1beta1.CSIStorageCapacityListò "ECSIStorageCapacityList is a collection of CSIStorageCapacity objects.šitems² +objectÊ¢ +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +Õ +itemsË"0Items is the list of CSIStorageCapacity objects.² +arrayº? += +;#/definitions/io.k8s.api.storage.v1beta1.CSIStorageCapacityú' +x-kubernetes-list-map-keys - name +ú +x-kubernetes-list-typemap + +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +Ê +metadata½ +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"~Standard list metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadataúo +x-kubernetes-group-version-kindLJ- group: storage.k8s.io + kind: CSIStorageCapacityList + version: v1beta1 + +¬ ++io.k8s.apimachinery.pkg.apis.meta.v1.Statusü"CStatus is a return value for calls that don't return other objects.² +objectÊ× +U +messageJ"=A human-readable description of the status of this operation.² +string +Ï +metadata +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"‚Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds +ä +reasonÙ"ËA machine-readable description of why this operation is in the "Failure" status. If this value is empty there is no information available. A Reason clarifies an HTTP status code but does not override it.² +string +À +statusµ"§Status of the operation. One of: "Success" or "Failure". More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status² +string +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +V +codeNint32"9Suggested HTTP return code for this status, 0 if not set.² +integer +¬ +details  +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.StatusDetails"ÛExtended data associated with the reason. Each reason may define its own extended details. This field is optional and the data returned is not guaranteed to conform to any schema except that defined by the reason type. +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +stringúN +x-kubernetes-group-version-kind+)- group: "" + kind: Status + version: v1 + + +-io.k8s.api.flowcontrol.v1beta1.FlowSchemaSpecë "GFlowSchemaSpec describes how the FlowSchema's specification looks like.špriorityLevelConfiguration² +objectÊö + +ô +rulesê"ì`rules` describes which requests will match this flow schema. This FlowSchema matches a request if and only if at least one member of rules matches the request. if it is an empty slice, there will be no requests matching the FlowSchema.² +arrayºH +F +D#/definitions/io.k8s.api.flowcontrol.v1beta1.PolicyRulesWithSubjectsú# +x-kubernetes-list-type atomic + +¦ +distinguisherMethodŽ +D#/definitions/io.k8s.api.flowcontrol.v1beta1.FlowDistinguisherMethod"Å`distinguisherMethod` defines how to compute the flow distinguisher for requests that match this schema. `nil` specifies that the distinguisher is disabled and thus will always be the empty string. + +matchingPrecedenceøint32"â`matchingPrecedence` is used to choose among the FlowSchemas that match a given request. The chosen FlowSchema is among those with the numerically lowest (which we take to be logically highest) MatchingPrecedence. Each MatchingPrecedence value must be ranged in [1,10000]. Note that if the precedence is not specified, it will be set to 1000 as default.² +integer +Á +priorityLevelConfiguration¢ +P#/definitions/io.k8s.api.flowcontrol.v1beta1.PriorityLevelConfigurationReference"Í`priorityLevelConfiguration` should reference a PriorityLevelConfiguration in the cluster. If the reference cannot be resolved, the FlowSchema will be ignored and marked as invalid in its status. Required. +” +(io.k8s.api.networking.v1beta1.IngressTLSç"MIngressTLS describes the transport layer security associated with an Ingress.² +objectʉ +š +hosts"óHosts are a list of hosts included in the TLS certificate. The values in this list must match the name/s used in the tlsSecret. Defaults to the wildcard host setting for the loadbalancer controller fulfilling this Ingress, if left unspecified.² +arrayº + ² +string +é + +secretNameÚ"ÌSecretName is the name of the secret used to terminate TLS traffic on port 443. Field is left optional to allow TLS routing based on SNI hostname alone. If the SNI host in a listener conflicts with the "Host" header field used by an IngressRule, the SNI host is used for termination and value of the Host header is used for routing.² +string +¾ +io.k8s.api.core.v1.PodAffinity› "?Pod affinity is a group of inter pod affinity scheduling rules.² +objectÊË + +ì +/preferredDuringSchedulingIgnoredDuringExecution¸"ìThe scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.² +arrayº< +: +8#/definitions/io.k8s.api.core.v1.WeightedPodAffinityTerm +Ù +.requiredDuringSchedulingIgnoredDuringExecution¦"âIf the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.² +arrayº4 +2 +0#/definitions/io.k8s.api.core.v1.PodAffinityTerm +¯ +io.k8s.api.rbac.v1.Subject"ÆSubject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names.škindšname² +objectʪ +9 +name1"$Name of the object being referenced.² +string +à + namespaceµ"§Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error.² +string +à +apiGroup¶"¨APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects.² +string +à +kind×"ÉKind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error.² +string +« +)io.k8s.api.apps.v1.ControllerRevisionListý"UControllerRevisionList is a resource containing a list of ControllerRevision objects.šitems² +objectʬ +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +w +itemsn"(Items is the list of ControllerRevisions² +arrayº7 +5 +3#/definitions/io.k8s.api.apps.v1.ControllerRevision +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +³ +metadata¦ +;#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"gMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadataú` +x-kubernetes-group-version-kind=;- group: apps + kind: ControllerRevisionList + version: v1 + +† +3io.k8s.api.core.v1.AWSElasticBlockStoreVolumeSourceÎ +"¡Represents a Persistent Disk resource in AWS. + +An AWS EBS disk must exist before mounting to a container. The disk must also be in the same AWS zone as the kubelet. An AWS EBS disk can only be mounted as read/write once. AWS EBS volumes support ownership management and SELinux relabeling.švolumeID² +objectÊ +Ä +fsType¹"«Filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore² +string +¨ + partitionšint32"„The partition in the volume that you want to mount. If omitted, the default is to mount by volume name. Examples: For volume /dev/sda1, you specify the partition as "1". Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty).² +integer +ä +readOnly×"ÈSpecify "true" to force and set the ReadOnly property in VolumeMounts to "true". If omitted, the default is "false". More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore² +boolean +´ +volumeID§"™Unique ID of the persistent disk resource in AWS (Amazon EBS volume). More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore² +string +ð +!io.k8s.api.core.v1.ClientIPConfigÊ"QClientIPConfig represents the configurations of Client IP based session affinity.² +objectÊè +å +timeoutSecondsÒint32"¼timeoutSeconds specifies the seconds of ClientIP type session sticky time. The value must be >0 && <=86400(for 1 day) if ServiceAffinity == "ClientIP". Default value is 10800(for 3 hours).² +integer +ò, +2io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptions»,":DeleteOptions may be provided when deleting an API object.² +objectÊ‹ +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +  +dryRun•"øWhen present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed² +arrayº + ² +string +Þ +gracePeriodSecondsÇint64"±The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately.² +integer +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +Ä +orphanDependents¯" Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the "orphan" finalizer will be added to/removed from the object's finalizers list. Either this field or PropagationPolicy may be set, but not both.² +boolean + + preconditions° +@#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Preconditions"lMust be fulfilled before a deletion is carried out. If not possible, a 409 Conflict status will be returned. +û +propagationPolicyå"×Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: 'Orphan' - orphan the dependents; 'Background' - allow the garbage collector to delete the dependents in the background; 'Foreground' - a cascading policy that deletes all dependents in the foreground.² +stringúá +x-kubernetes-group-version-kind½º- group: "" + kind: DeleteOptions + version: v1 +- group: admission.k8s.io + kind: DeleteOptions + version: v1 +- version: v1beta1 + group: admission.k8s.io + kind: DeleteOptions +- group: admissionregistration.k8s.io + kind: DeleteOptions + version: v1 +- group: admissionregistration.k8s.io + kind: DeleteOptions + version: v1beta1 +- kind: DeleteOptions + version: v1 + group: apiextensions.k8s.io +- group: apiextensions.k8s.io + kind: DeleteOptions + version: v1beta1 +- group: apiregistration.k8s.io + kind: DeleteOptions + version: v1 +- kind: DeleteOptions + version: v1beta1 + group: apiregistration.k8s.io +- version: v1 + group: apps + kind: DeleteOptions +- group: apps + kind: DeleteOptions + version: v1beta1 +- group: apps + kind: DeleteOptions + version: v1beta2 +- group: authentication.k8s.io + kind: DeleteOptions + version: v1 +- group: authentication.k8s.io + kind: DeleteOptions + version: v1beta1 +- version: v1 + group: authorization.k8s.io + kind: DeleteOptions +- group: authorization.k8s.io + kind: DeleteOptions + version: v1beta1 +- group: autoscaling + kind: DeleteOptions + version: v1 +- group: autoscaling + kind: DeleteOptions + version: v2beta1 +- version: v2beta2 + group: autoscaling + kind: DeleteOptions +- group: batch + kind: DeleteOptions + version: v1 +- group: batch + kind: DeleteOptions + version: v1beta1 +- group: certificates.k8s.io + kind: DeleteOptions + version: v1 +- kind: DeleteOptions + version: v1beta1 + group: certificates.k8s.io +- group: coordination.k8s.io + kind: DeleteOptions + version: v1 +- group: coordination.k8s.io + kind: DeleteOptions + version: v1beta1 +- kind: DeleteOptions + version: v1 + group: discovery.k8s.io +- group: discovery.k8s.io + kind: DeleteOptions + version: v1beta1 +- group: events.k8s.io + kind: DeleteOptions + version: v1 +- group: events.k8s.io + kind: DeleteOptions + version: v1beta1 +- kind: DeleteOptions + version: v1beta1 + group: extensions +- version: v1alpha1 + group: flowcontrol.apiserver.k8s.io + kind: DeleteOptions +- group: flowcontrol.apiserver.k8s.io + kind: DeleteOptions + version: v1beta1 +- group: imagepolicy.k8s.io + kind: DeleteOptions + version: v1alpha1 +- group: internal.apiserver.k8s.io + kind: DeleteOptions + version: v1alpha1 +- kind: DeleteOptions + version: v1 + group: networking.k8s.io +- kind: DeleteOptions + version: v1beta1 + group: networking.k8s.io +- group: node.k8s.io + kind: DeleteOptions + version: v1 +- group: node.k8s.io + kind: DeleteOptions + version: v1alpha1 +- group: node.k8s.io + kind: DeleteOptions + version: v1beta1 +- kind: DeleteOptions + version: v1 + group: policy +- version: v1beta1 + group: policy + kind: DeleteOptions +- group: rbac.authorization.k8s.io + kind: DeleteOptions + version: v1 +- version: v1alpha1 + group: rbac.authorization.k8s.io + kind: DeleteOptions +- version: v1beta1 + group: rbac.authorization.k8s.io + kind: DeleteOptions +- kind: DeleteOptions + version: v1 + group: scheduling.k8s.io +- group: scheduling.k8s.io + kind: DeleteOptions + version: v1alpha1 +- version: v1beta1 + group: scheduling.k8s.io + kind: DeleteOptions +- group: storage.k8s.io + kind: DeleteOptions + version: v1 +- group: storage.k8s.io + kind: DeleteOptions + version: v1alpha1 +- group: storage.k8s.io + kind: DeleteOptions + version: v1beta1 + +“ +io.k8s.api.events.v1.Eventô"¾Event is a report of an event somewhere in the cluster. It generally denotes some state change in the system. Events have a limited retention time and triggers and messages may evolve with time. Event consumers should not rely on the timing of an event with a given Reason reflecting a consistent underlying trigger, or the continued existence of events with that Reason. Events should be treated as informative, best-effort, supplemental data.š eventTime² +objectʽ + +reportingInstance¬"žreportingInstance is the ID of the controller instance, e.g. `kubelet-xyzf`. This field cannot be empty for new Events and it can have at most 128 characters.² +string +Ì +actionÁ"³action is what action was taken/failed regarding to the regarding object. It is machine-readable. This field cannot be empty for new Events and it can have at most 128 characters.² +string +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +Ò +metadataÅ +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"ƒStandard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata +Ñ +relatedÅ +0#/definitions/io.k8s.api.core.v1.ObjectReference"related is the optional secondary object for more complex actions. E.g. when regarding object triggers a creation or deletion of related object. +¹ +reportingController¡"“reportingController is the name of the controller that emitted this Event, e.g. `kubernetes.io/kubelet`. This field cannot be empty for new Events.² +string +ˆ +deprecatedCountuint32"`deprecatedCount is the deprecated field assuring backward compatibility with core.v1 Event type.² +integer +¦ +deprecatedSource‘ +,#/definitions/io.k8s.api.core.v1.EventSource"adeprecatedSource is the deprecated field assuring backward compatibility with core.v1 Event type. +¤ +reason™"‹reason is why the action was taken. It is human-readable. This field cannot be empty for new Events and it can have at most 128 characters.² +string +š +series +.#/definitions/io.k8s.api.events.v1.EventSeries"]series is data about the Event series this event represents or nil if it's a singleton Event. +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +— + eventTime‰ +<#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.MicroTime"IeventTime is the time when this Event was first observed. It is required. +½ +note´"¦note is a human-readable description of the status of this operation. Maximal length of the note is 1kB, but libraries should be prepared to handle values up to 64kB.² +string +¶ + regarding¨ +0#/definitions/io.k8s.api.core.v1.ObjectReference"óregarding contains the object this Event is about. In most cases it's an Object reporting controller implements, e.g. ReplicaSetController implements ReplicaSets and this event is emitted because it acts on some changes in a ReplicaSet object. +³ +typeª"œtype is the type of this event (Normal, Warning), new types could be added in the future. It is machine-readable. This field cannot be empty for new Events.² +string +Á +deprecatedFirstTimestamp¤ +7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"ideprecatedFirstTimestamp is the deprecated field assuring backward compatibility with core.v1 Event type. +¿ +deprecatedLastTimestamp£ +7#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"hdeprecatedLastTimestamp is the deprecated field assuring backward compatibility with core.v1 Event type.úX +x-kubernetes-group-version-kind53- kind: Event + version: v1 + group: events.k8s.io + +² +,io.k8s.api.storage.v1.VolumeAttachmentSource"ÝVolumeAttachmentSource represents a volume that should be attached. Right now only PersistenVolumes can be attached via external attacher, in future we may allow also inline volumes in pods. Exactly one member can be set.² +objectÊ’ +À +inlineVolumeSpec« +5#/definitions/io.k8s.api.core.v1.PersistentVolumeSpec"ñinlineVolumeSpec contains all the information necessary to attach a persistent volume defined by a pod's inline VolumeSource. This field is populated only for the CSIMigration feature. It contains translated fields from a pod's inline VolumeSource to a PersistentVolumeSpec. This field is beta-level and is only honored by servers that enabled the CSIMigration feature. +M +persistentVolumeName5"(Name of the persistent volume to attach.² +string +œ +io.k8s.api.core.v1.EnvVarSourceø"']`, `metadata.annotations['']`, spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. +¤ +resourceFieldRef +6#/definitions/io.k8s.api.core.v1.ResourceFieldSelector"ÔSelects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. +v + secretKeyReff +2#/definitions/io.k8s.api.core.v1.SecretKeySelector"0Selects a key of a secret in the pod's namespace +ã +io.k8s.api.core.v1.Namespace "MNamespace provides a scope for Names. Use of multiple namespaces is optional.² +objectÊ + +â +status× +0#/definitions/io.k8s.api.core.v1.NamespaceStatus"¢Status describes the current status of a Namespace. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status +¾ + +apiVersion¯"¡APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources² +string +¹ +kind°"¢Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds² +string +Ò +metadataÅ +=#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"ƒStandard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata +Ö +specÍ +.#/definitions/io.k8s.api.core.v1.NamespaceSpec"šSpec defines the behavior of the Namespace. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-statusúQ +x-kubernetes-group-version-kind.,- group: "" + kind: Namespace + version: v1 +b + + BearerTokenjO +M + BearerToken>< +apiKey authorizationheader"Bearer Token authentication \ No newline at end of file diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/openapi/kustomizationapi/swagger.go b/vendor/sigs.k8s.io/kustomize/kyaml/openapi/kustomizationapi/swagger.go new file mode 100644 index 0000000000..421f70f7c2 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/kyaml/openapi/kustomizationapi/swagger.go @@ -0,0 +1,248 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +// Code generated for package kustomizationapi by go-bindata DO NOT EDIT. (@generated) +// sources: +// kustomizationapi/swagger.json +package kustomizationapi + +import ( + "bytes" + "compress/gzip" + "fmt" + "io" + "os" + "path/filepath" + "strings" + "time" +) + +func bindataRead(data []byte, name string) ([]byte, error) { + gz, err := gzip.NewReader(bytes.NewBuffer(data)) + if err != nil { + return nil, fmt.Errorf("Read %q: %v", name, err) + } + + var buf bytes.Buffer + _, err = io.Copy(&buf, gz) + clErr := gz.Close() + + if err != nil { + return nil, fmt.Errorf("Read %q: %v", name, err) + } + if clErr != nil { + return nil, err + } + + return buf.Bytes(), nil +} + +type asset struct { + bytes []byte + info os.FileInfo +} + +type bindataFileInfo struct { + name string + size int64 + mode os.FileMode + modTime time.Time +} + +// Name return file name +func (fi bindataFileInfo) Name() string { + return fi.name +} + +// Size return file size +func (fi bindataFileInfo) Size() int64 { + return fi.size +} + +// Mode return file mode +func (fi bindataFileInfo) Mode() os.FileMode { + return fi.mode +} + +// ModTime return file modify time +func (fi bindataFileInfo) ModTime() time.Time { + return fi.modTime +} + +// IsDir return file whether a directory +func (fi bindataFileInfo) IsDir() bool { + return fi.mode&os.ModeDir != 0 +} + +// Sys return file is sys mode +func (fi bindataFileInfo) Sys() interface{} { + return nil +} + +var _kustomizationapiSwaggerJson = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\xe4\x56\xc1\x6e\xdb\x30\x0c\xbd\xe7\x2b\x04\x6d\xc7\xd8\x45\x6e\x43\x6e\xc3\x0e\x3b\x14\x05\x0a\x74\xb7\xa1\x07\xc6\xa1\x5d\xce\x8e\xa4\x51\xb4\xb1\x6c\xc8\xbf\x0f\xd6\x62\xd7\x4a\xec\x75\x0b\x1a\xac\x4b\x0f\x06\x0c\x99\x7c\x4f\xe4\x7b\x24\xfc\x63\xa6\x94\x5e\x63\x4e\x86\x84\xac\xf1\x7a\xa9\xda\x23\xa5\x34\xd9\xb4\x7c\xe7\x53\x70\x94\x82\x73\x3e\x6d\x16\xe9\x07\x6b\x72\x2a\x6e\xc0\xbd\xe7\xe2\x31\x52\x29\xed\xd8\x3a\x64\x21\x1c\x9e\x2a\xa5\x3f\xa2\x41\x06\xb1\x7c\x90\x10\x3e\xbe\x65\xcc\xf5\x52\xe9\x37\x57\x03\xfe\xab\x11\xda\x18\xa5\x87\xd8\xed\xdf\x76\xf3\xee\x1a\xb0\x5e\x07\x14\xa8\x6e\x87\x17\xca\xa1\xf2\xd8\x07\xc9\xd6\x61\x4b\x6b\x57\x5f\x30\x13\xdd\x9f\x7f\x4b\xca\x7a\x85\x6c\x50\xd0\x27\x05\xdb\xda\x25\x0d\xb2\x27\x6b\x92\x92\xcc\x5a\x2f\xd5\xe7\x9e\x3a\xaa\x23\xc4\xb6\x88\x65\xed\xc5\x6e\xe8\x3b\xa6\x59\x68\x54\x28\x84\x6c\x4f\x11\xa2\xf7\x58\x3a\xee\x65\x14\xb2\xa7\x6d\xa3\x9a\xc5\x0a\x05\x16\xc7\x45\xdf\xcf\x06\xa5\x8f\x69\x75\x87\x19\xa3\xbc\x0c\xa1\x1e\xab\xeb\xba\x1f\xe1\x77\x8a\x78\x61\x32\xc5\xa5\x08\x3c\x10\xe0\xf9\xd5\x9d\xd2\x6b\x52\x60\x03\x1b\xf4\x0e\xb2\x3f\x6f\xfe\x3c\x4e\x3e\x25\x6f\x85\x0f\xd0\x90\xe5\x53\x72\xaf\x9b\x5b\x20\xbe\xb3\x35\x67\x78\xba\x23\x63\x94\x0b\x71\x56\x2c\xfe\xf3\x9b\xeb\x7a\x7f\x19\x90\x5f\x50\xbd\xb9\x18\xbf\xd6\xc4\x18\x17\xa4\x3f\x6d\x1d\xde\xa0\x40\xc7\x74\x3f\x7f\xca\x8c\x59\xb7\xfb\xfa\x4a\x0e\x05\x26\xc1\xcd\xa1\xea\x7f\xa3\x7b\xbc\x5d\x07\x20\xbb\xf9\x98\x11\x81\x19\xb6\x71\x27\x23\x4d\x1d\x48\xf6\x90\x6c\x90\x0b\x4c\x4a\xdc\xb6\x29\x61\x26\x9e\xca\xf0\xc2\x20\x58\x84\x84\x90\x3d\xee\x75\x1f\x56\xc5\xd9\x9a\x31\xd8\x44\x2f\xb2\x13\xff\xf5\x30\xc6\xc3\x72\x86\x61\x9c\xd8\x83\x93\xc3\x55\x91\x20\x43\x75\xb4\x33\x27\x5c\x34\xb5\x8b\x7f\x6f\x90\x51\x1b\xe7\x54\x1d\xaf\xea\xf3\xd3\xa2\x69\xfe\x0d\xeb\xeb\xf8\x8f\x89\x0d\x78\xaa\xc1\x67\xed\xb3\xfb\x19\x00\x00\xff\xff\x2f\x39\x79\xd0\x6e\x0c\x00\x00") + +func kustomizationapiSwaggerJsonBytes() ([]byte, error) { + return bindataRead( + _kustomizationapiSwaggerJson, + "kustomizationapi/swagger.json", + ) +} + +func kustomizationapiSwaggerJson() (*asset, error) { + bytes, err := kustomizationapiSwaggerJsonBytes() + if err != nil { + return nil, err + } + + info := bindataFileInfo{name: "kustomizationapi/swagger.json", size: 3182, mode: os.FileMode(420), modTime: time.Unix(1615228558, 0)} + a := &asset{bytes: bytes, info: info} + return a, nil +} + +// Asset loads and returns the asset for the given name. +// It returns an error if the asset could not be found or +// could not be loaded. +func Asset(name string) ([]byte, error) { + cannonicalName := strings.Replace(name, "\\", "/", -1) + if f, ok := _bindata[cannonicalName]; ok { + a, err := f() + if err != nil { + return nil, fmt.Errorf("Asset %s can't read by error: %v", name, err) + } + return a.bytes, nil + } + return nil, fmt.Errorf("Asset %s not found", name) +} + +// MustAsset is like Asset but panics when Asset would return an error. +// It simplifies safe initialization of global variables. +func MustAsset(name string) []byte { + a, err := Asset(name) + if err != nil { + panic("asset: Asset(" + name + "): " + err.Error()) + } + + return a +} + +// AssetInfo loads and returns the asset info for the given name. +// It returns an error if the asset could not be found or +// could not be loaded. +func AssetInfo(name string) (os.FileInfo, error) { + cannonicalName := strings.Replace(name, "\\", "/", -1) + if f, ok := _bindata[cannonicalName]; ok { + a, err := f() + if err != nil { + return nil, fmt.Errorf("AssetInfo %s can't read by error: %v", name, err) + } + return a.info, nil + } + return nil, fmt.Errorf("AssetInfo %s not found", name) +} + +// AssetNames returns the names of the assets. +func AssetNames() []string { + names := make([]string, 0, len(_bindata)) + for name := range _bindata { + names = append(names, name) + } + return names +} + +// _bindata is a table, holding each asset generator, mapped to its name. +var _bindata = map[string]func() (*asset, error){ + "kustomizationapi/swagger.json": kustomizationapiSwaggerJson, +} + +// AssetDir returns the file names below a certain +// directory embedded in the file by go-bindata. +// For example if you run go-bindata on data/... and data contains the +// following hierarchy: +// data/ +// foo.txt +// img/ +// a.png +// b.png +// then AssetDir("data") would return []string{"foo.txt", "img"} +// AssetDir("data/img") would return []string{"a.png", "b.png"} +// AssetDir("foo.txt") and AssetDir("notexist") would return an error +// AssetDir("") will return []string{"data"}. +func AssetDir(name string) ([]string, error) { + node := _bintree + if len(name) != 0 { + cannonicalName := strings.Replace(name, "\\", "/", -1) + pathList := strings.Split(cannonicalName, "/") + for _, p := range pathList { + node = node.Children[p] + if node == nil { + return nil, fmt.Errorf("Asset %s not found", name) + } + } + } + if node.Func != nil { + return nil, fmt.Errorf("Asset %s not found", name) + } + rv := make([]string, 0, len(node.Children)) + for childName := range node.Children { + rv = append(rv, childName) + } + return rv, nil +} + +type bintree struct { + Func func() (*asset, error) + Children map[string]*bintree +} + +var _bintree = &bintree{nil, map[string]*bintree{ + "kustomizationapi": &bintree{nil, map[string]*bintree{ + "swagger.json": &bintree{kustomizationapiSwaggerJson, map[string]*bintree{}}, + }}, +}} + +// RestoreAsset restores an asset under the given directory +func RestoreAsset(dir, name string) error { + data, err := Asset(name) + if err != nil { + return err + } + info, err := AssetInfo(name) + if err != nil { + return err + } + err = os.MkdirAll(_filePath(dir, filepath.Dir(name)), os.FileMode(0755)) + if err != nil { + return err + } + err = os.WriteFile(_filePath(dir, name), data, info.Mode()) + if err != nil { + return err + } + err = os.Chtimes(_filePath(dir, name), info.ModTime(), info.ModTime()) + if err != nil { + return err + } + return nil +} + +// RestoreAssets restores an asset under the given directory recursively +func RestoreAssets(dir, name string) error { + children, err := AssetDir(name) + // File + if err != nil { + return RestoreAsset(dir, name) + } + // Dir + for _, child := range children { + err = RestoreAssets(dir, filepath.Join(name, child)) + if err != nil { + return err + } + } + return nil +} + +func _filePath(dir, name string) string { + cannonicalName := strings.Replace(name, "\\", "/", -1) + return filepath.Join(append([]string{dir}, strings.Split(cannonicalName, "/")...)...) +} diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/openapi/kustomizationapi/swagger.json b/vendor/sigs.k8s.io/kustomize/kyaml/openapi/kustomizationapi/swagger.json new file mode 100644 index 0000000000..7441a5ee64 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/kyaml/openapi/kustomizationapi/swagger.json @@ -0,0 +1,130 @@ +{ + "definitions": { + "io.k8s.api.apps.v1.ConfigMapArgs": { + "properties": { + "GeneratorArgs": { + "$ref": "#/definitions/io.k8s.api.apps.v1.GeneratorArgs" + } + }, + "additionalProperties": false, + "type": "object", + "x-kubernetes-group-version-kind": [ + { + "group": "kustomize.config.k8s.io", + "kind": "ConfigMapArgs", + "version": "v1beta1" + } + ] + }, + "io.k8s.api.apps.v1.SecretArgs": { + "properties": { + "GeneratorArgs": { + "$ref": "#/definitions/io.k8s.api.apps.v1.GeneratorArgs" + }, + "type": { + "type": "string" + } + }, + "additionalProperties": false, + "type": "object", + "x-kubernetes-group-version-kind": [ + { + "group": "kustomize.config.k8s.io", + "kind": "SecretArgs", + "version": "v1beta1" + } + ] + }, + "io.k8s.api.apps.v1.GeneratorArgs": { + "properties": { + "namespace": { + "type": "string" + }, + "name": { + "type": "string" + }, + "behavior": { + "type": "string" + }, + "KvPairSources": { + "$ref": "#/definitions/io.k8s.api.apps.v1.KvPairSources" + } + }, + "additionalProperties": false, + "type": "object", + "x-kubernetes-group-version-kind": [ + { + "group": "kustomize.config.k8s.io", + "kind": "GeneratorArgs", + "version": "v1beta1" + } + ] + }, + "io.k8s.api.apps.v1.Kustomization": { + "required": [ + "TypeMeta" + ], + "properties": { + "configMapGenerator": { + "items": { + "$ref": "#/definitions/io.k8s.api.apps.v1.ConfigMapArgs" + }, + "type": "array", + "x-kubernetes-patch-merge-key": "name", + "x-kubernetes-patch-strategy": "merge" + }, + "secretGenerator": { + "items": { + "$ref": "#/definitions/io.k8s.api.apps.v1.SecretArgs" + }, + "type": "array", + "x-kubernetes-patch-merge-key": "name", + "x-kubernetes-patch-strategy": "merge" + } + }, + "additionalProperties": false, + "type": "object", + "x-kubernetes-group-version-kind": [ + { + "group": "kustomize.config.k8s.io", + "kind": "Kustomization", + "version": "v1beta1" + } + ] + }, + "io.k8s.api.apps.v1.KvPairSources": { + "properties": { + "literals": { + "items": { + "type": "string" + }, + "type": "array" + }, + "files": { + "items": { + "type": "string" + }, + "type": "array" + }, + "envs": { + "items": { + "type": "string" + }, + "type": "array" + }, + "env": { + "type": "string" + } + }, + "additionalProperties": false, + "type": "object", + "x-kubernetes-group-version-kind": [ + { + "group": "kustomize.config.k8s.io", + "kind": "KvPairSources", + "version": "v1beta1" + } + ] + } + } +} \ No newline at end of file diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/openapi/openapi.go b/vendor/sigs.k8s.io/kustomize/kyaml/openapi/openapi.go new file mode 100644 index 0000000000..aa1c8d4a85 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/kyaml/openapi/openapi.go @@ -0,0 +1,823 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package openapi + +import ( + "encoding/json" + "fmt" + "os" + "path/filepath" + "reflect" + "strings" + "sync" + + openapi_v2 "github.com/google/gnostic-models/openapiv2" + "google.golang.org/protobuf/proto" + "k8s.io/kube-openapi/pkg/validation/spec" + "sigs.k8s.io/kustomize/kyaml/errors" + "sigs.k8s.io/kustomize/kyaml/openapi/kubernetesapi" + "sigs.k8s.io/kustomize/kyaml/openapi/kustomizationapi" + "sigs.k8s.io/kustomize/kyaml/yaml" + k8syaml "sigs.k8s.io/yaml" +) + +var ( + // schemaLock is the lock for schema related globals. + // + // NOTE: This lock helps with preventing panics that might occur due to the data + // race that concurrent access on this variable might cause but it doesn't + // fully fix the issue described in https://github.com/kubernetes-sigs/kustomize/issues/4824. + // For instance concurrently running goroutines where each of them calls SetSchema() + // and/or GetSchemaVersion might end up received nil errors (success) whereas the + // seconds one would overwrite the global variable that has been written by the + // first one. + schemaLock sync.RWMutex //nolint:gochecknoglobals + + // kubernetesOpenAPIVersion specifies which builtin kubernetes schema to use. + kubernetesOpenAPIVersion string //nolint:gochecknoglobals + + // globalSchema contains global state information about the openapi + globalSchema openapiData //nolint:gochecknoglobals + + // customSchemaFile stores the custom OpenApi schema if it is provided + customSchema []byte //nolint:gochecknoglobals +) + +// schemaParseStatus is used in cases when a schema should be parsed, but the +// parsing may be delayed to a later time. +type schemaParseStatus uint32 + +const ( + schemaNotParsed schemaParseStatus = iota + schemaParseDelayed + schemaParsed +) + +// openapiData contains the parsed openapi state. this is in a struct rather than +// a list of vars so that it can be reset from tests. +type openapiData struct { + // schema holds the OpenAPI schema data + schema spec.Schema + + // schemaForResourceType is a map of Resource types to their schemas + schemaByResourceType map[yaml.TypeMeta]*spec.Schema + + // namespaceabilityByResourceType stores whether a given Resource type + // is namespaceable or not + namespaceabilityByResourceType map[yaml.TypeMeta]bool + + // noUseBuiltInSchema stores whether we want to prevent using the built-in + // Kubernetes schema as part of the global schema + noUseBuiltInSchema bool + + // schemaInit stores whether or not we've parsed the schema already, + // so that we only reparse the when necessary (to speed up performance) + schemaInit bool + + // defaultBuiltInSchemaParseStatus stores the parse status of the default + // built-in schema. + defaultBuiltInSchemaParseStatus schemaParseStatus +} + +type format string + +const ( + JsonOrYaml format = "jsonOrYaml" + Proto format = "proto" +) + +// precomputedIsNamespaceScoped precomputes IsNamespaceScoped for known types. This avoids Schema creation, +// which is expensive +// The test output from TestIsNamespaceScopedPrecompute shows the expected map in go syntax,and can be copy and pasted +// from the failure if it changes. +var precomputedIsNamespaceScoped = map[yaml.TypeMeta]bool{ + {APIVersion: "admissionregistration.k8s.io/v1", Kind: "MutatingWebhookConfiguration"}: false, + {APIVersion: "admissionregistration.k8s.io/v1", Kind: "ValidatingWebhookConfiguration"}: false, + {APIVersion: "admissionregistration.k8s.io/v1beta1", Kind: "MutatingWebhookConfiguration"}: false, + {APIVersion: "admissionregistration.k8s.io/v1beta1", Kind: "ValidatingWebhookConfiguration"}: false, + {APIVersion: "apiextensions.k8s.io/v1", Kind: "CustomResourceDefinition"}: false, + {APIVersion: "apiextensions.k8s.io/v1beta1", Kind: "CustomResourceDefinition"}: false, + {APIVersion: "apiregistration.k8s.io/v1", Kind: "APIService"}: false, + {APIVersion: "apiregistration.k8s.io/v1beta1", Kind: "APIService"}: false, + {APIVersion: "apps/v1", Kind: "ControllerRevision"}: true, + {APIVersion: "apps/v1", Kind: "DaemonSet"}: true, + {APIVersion: "apps/v1", Kind: "Deployment"}: true, + {APIVersion: "apps/v1", Kind: "ReplicaSet"}: true, + {APIVersion: "apps/v1", Kind: "StatefulSet"}: true, + {APIVersion: "autoscaling/v1", Kind: "HorizontalPodAutoscaler"}: true, + {APIVersion: "autoscaling/v1", Kind: "Scale"}: true, + {APIVersion: "autoscaling/v2beta1", Kind: "HorizontalPodAutoscaler"}: true, + {APIVersion: "autoscaling/v2beta2", Kind: "HorizontalPodAutoscaler"}: true, + {APIVersion: "batch/v1", Kind: "CronJob"}: true, + {APIVersion: "batch/v1", Kind: "Job"}: true, + {APIVersion: "batch/v1beta1", Kind: "CronJob"}: true, + {APIVersion: "certificates.k8s.io/v1", Kind: "CertificateSigningRequest"}: false, + {APIVersion: "certificates.k8s.io/v1beta1", Kind: "CertificateSigningRequest"}: false, + {APIVersion: "coordination.k8s.io/v1", Kind: "Lease"}: true, + {APIVersion: "coordination.k8s.io/v1beta1", Kind: "Lease"}: true, + {APIVersion: "discovery.k8s.io/v1", Kind: "EndpointSlice"}: true, + {APIVersion: "discovery.k8s.io/v1beta1", Kind: "EndpointSlice"}: true, + {APIVersion: "events.k8s.io/v1", Kind: "Event"}: true, + {APIVersion: "events.k8s.io/v1beta1", Kind: "Event"}: true, + {APIVersion: "extensions/v1beta1", Kind: "Ingress"}: true, + {APIVersion: "flowcontrol.apiserver.k8s.io/v1beta1", Kind: "FlowSchema"}: false, + {APIVersion: "flowcontrol.apiserver.k8s.io/v1beta1", Kind: "PriorityLevelConfiguration"}: false, + {APIVersion: "networking.k8s.io/v1", Kind: "Ingress"}: true, + {APIVersion: "networking.k8s.io/v1", Kind: "IngressClass"}: false, + {APIVersion: "networking.k8s.io/v1", Kind: "NetworkPolicy"}: true, + {APIVersion: "networking.k8s.io/v1beta1", Kind: "Ingress"}: true, + {APIVersion: "networking.k8s.io/v1beta1", Kind: "IngressClass"}: false, + {APIVersion: "node.k8s.io/v1", Kind: "RuntimeClass"}: false, + {APIVersion: "node.k8s.io/v1beta1", Kind: "RuntimeClass"}: false, + {APIVersion: "policy/v1", Kind: "PodDisruptionBudget"}: true, + {APIVersion: "policy/v1beta1", Kind: "PodDisruptionBudget"}: true, + {APIVersion: "policy/v1beta1", Kind: "PodSecurityPolicy"}: false, // remove after openapi upgrades to v1.25. + {APIVersion: "rbac.authorization.k8s.io/v1", Kind: "ClusterRole"}: false, + {APIVersion: "rbac.authorization.k8s.io/v1", Kind: "ClusterRoleBinding"}: false, + {APIVersion: "rbac.authorization.k8s.io/v1", Kind: "Role"}: true, + {APIVersion: "rbac.authorization.k8s.io/v1", Kind: "RoleBinding"}: true, + {APIVersion: "rbac.authorization.k8s.io/v1beta1", Kind: "ClusterRole"}: false, + {APIVersion: "rbac.authorization.k8s.io/v1beta1", Kind: "ClusterRoleBinding"}: false, + {APIVersion: "rbac.authorization.k8s.io/v1beta1", Kind: "Role"}: true, + {APIVersion: "rbac.authorization.k8s.io/v1beta1", Kind: "RoleBinding"}: true, + {APIVersion: "scheduling.k8s.io/v1", Kind: "PriorityClass"}: false, + {APIVersion: "scheduling.k8s.io/v1beta1", Kind: "PriorityClass"}: false, + {APIVersion: "storage.k8s.io/v1", Kind: "CSIDriver"}: false, + {APIVersion: "storage.k8s.io/v1", Kind: "CSINode"}: false, + {APIVersion: "storage.k8s.io/v1", Kind: "StorageClass"}: false, + {APIVersion: "storage.k8s.io/v1", Kind: "VolumeAttachment"}: false, + {APIVersion: "storage.k8s.io/v1beta1", Kind: "CSIDriver"}: false, + {APIVersion: "storage.k8s.io/v1beta1", Kind: "CSINode"}: false, + {APIVersion: "storage.k8s.io/v1beta1", Kind: "CSIStorageCapacity"}: true, + {APIVersion: "storage.k8s.io/v1beta1", Kind: "StorageClass"}: false, + {APIVersion: "storage.k8s.io/v1beta1", Kind: "VolumeAttachment"}: false, + {APIVersion: "v1", Kind: "ComponentStatus"}: false, + {APIVersion: "v1", Kind: "ConfigMap"}: true, + {APIVersion: "v1", Kind: "Endpoints"}: true, + {APIVersion: "v1", Kind: "Event"}: true, + {APIVersion: "v1", Kind: "LimitRange"}: true, + {APIVersion: "v1", Kind: "Namespace"}: false, + {APIVersion: "v1", Kind: "Node"}: false, + {APIVersion: "v1", Kind: "NodeProxyOptions"}: false, + {APIVersion: "v1", Kind: "PersistentVolume"}: false, + {APIVersion: "v1", Kind: "PersistentVolumeClaim"}: true, + {APIVersion: "v1", Kind: "Pod"}: true, + {APIVersion: "v1", Kind: "PodAttachOptions"}: true, + {APIVersion: "v1", Kind: "PodExecOptions"}: true, + {APIVersion: "v1", Kind: "PodPortForwardOptions"}: true, + {APIVersion: "v1", Kind: "PodProxyOptions"}: true, + {APIVersion: "v1", Kind: "PodTemplate"}: true, + {APIVersion: "v1", Kind: "ReplicationController"}: true, + {APIVersion: "v1", Kind: "ResourceQuota"}: true, + {APIVersion: "v1", Kind: "Secret"}: true, + {APIVersion: "v1", Kind: "Service"}: true, + {APIVersion: "v1", Kind: "ServiceAccount"}: true, + {APIVersion: "v1", Kind: "ServiceProxyOptions"}: true, +} + +// ResourceSchema wraps the OpenAPI Schema. +type ResourceSchema struct { + // Schema is the OpenAPI schema for a Resource or field + Schema *spec.Schema +} + +// IsMissingOrNull returns true if the ResourceSchema is missing or null +func (rs *ResourceSchema) IsMissingOrNull() bool { + if rs == nil || rs.Schema == nil { + return true + } + return reflect.DeepEqual(*rs.Schema, spec.Schema{}) +} + +// SchemaForResourceType returns the Schema for the given Resource +// TODO(pwittrock): create a version of this function that will return a schema +// which can be used for duck-typed Resources -- e.g. contains common fields such +// as metadata, replicas and spec.template.spec +func SchemaForResourceType(t yaml.TypeMeta) *ResourceSchema { + initSchema() + rs, found := globalSchema.schemaByResourceType[t] + if !found { + return nil + } + return &ResourceSchema{Schema: rs} +} + +// SupplementaryOpenAPIFieldName is the conventional field name (JSON/YAML) containing +// supplementary OpenAPI definitions. +const SupplementaryOpenAPIFieldName = "openAPI" + +const Definitions = "definitions" + +// AddSchemaFromFile reads the file at path and parses the OpenAPI definitions +// from the field "openAPI", also returns a function to clean the added definitions +// The returned clean function is a no-op on error, or else it's a function +// that the caller should use to remove the added openAPI definitions from +// global schema +func SchemaFromFile(path string) (*spec.Schema, error) { + object, err := parseOpenAPI(path) + if err != nil { + return nil, err + } + + return schemaUsingField(object, SupplementaryOpenAPIFieldName) +} + +// DefinitionRefs returns the list of openAPI definition references present in the +// input openAPIPath +func DefinitionRefs(openAPIPath string) ([]string, error) { + object, err := parseOpenAPI(openAPIPath) + if err != nil { + return nil, err + } + return definitionRefsFromRNode(object) +} + +// definitionRefsFromRNode returns the list of openAPI definitions keys from input +// yaml RNode +func definitionRefsFromRNode(object *yaml.RNode) ([]string, error) { + definitions, err := object.Pipe(yaml.Lookup(SupplementaryOpenAPIFieldName, Definitions)) + if definitions == nil { + return nil, err + } + if err != nil { + return nil, err + } + return definitions.Fields() +} + +// parseOpenAPI reads openAPIPath yaml and converts it to RNode +func parseOpenAPI(openAPIPath string) (*yaml.RNode, error) { + b, err := os.ReadFile(openAPIPath) + if err != nil { + return nil, err + } + + object, err := yaml.Parse(string(b)) + if err != nil { + return nil, errors.Errorf("invalid file %q: %v", openAPIPath, err) + } + return object, nil +} + +// addSchemaUsingField parses the OpenAPI definitions from the specified field. +// If field is the empty string, use the whole document as OpenAPI. +func schemaUsingField(object *yaml.RNode, field string) (*spec.Schema, error) { + if field != "" { + // get the field containing the openAPI + m := object.Field(field) + if m.IsNilOrEmpty() { + // doesn't contain openAPI definitions + return nil, nil + } + object = m.Value + } + + oAPI, err := object.String() + if err != nil { + return nil, err + } + + // convert the yaml openAPI to a JSON string by unmarshalling it to an + // interface{} and the marshalling it to a string + var o interface{} + err = yaml.Unmarshal([]byte(oAPI), &o) + if err != nil { + return nil, err + } + j, err := json.Marshal(o) + if err != nil { + return nil, err + } + + var sc spec.Schema + err = sc.UnmarshalJSON(j) + if err != nil { + return nil, err + } + + return &sc, nil +} + +// AddSchema parses s, and adds definitions from s to the global schema. +func AddSchema(s []byte) error { + return parse(s, JsonOrYaml) +} + +// ResetOpenAPI resets the openapi data to empty +func ResetOpenAPI() { + schemaLock.Lock() + defer schemaLock.Unlock() + + globalSchema = openapiData{} + customSchema = nil + kubernetesOpenAPIVersion = "" +} + +// AddDefinitions adds the definitions to the global schema. +func AddDefinitions(definitions spec.Definitions) { + // initialize values if they have not yet been set + if globalSchema.schemaByResourceType == nil { + globalSchema.schemaByResourceType = map[yaml.TypeMeta]*spec.Schema{} + } + if globalSchema.schema.Definitions == nil { + globalSchema.schema.Definitions = spec.Definitions{} + } + + // index the schema definitions so we can lookup them up for Resources + for k := range definitions { + // index by GVK, if no GVK is found then it is the schema for a subfield + // of a Resource + d := definitions[k] + + // copy definitions to the schema + globalSchema.schema.Definitions[k] = d + gvk, found := d.VendorExtensible.Extensions[kubernetesGVKExtensionKey] + if !found { + continue + } + // cast the extension to a []map[string]string + exts, ok := gvk.([]interface{}) + if !ok { + continue + } + + for i := range exts { + typeMeta, ok := toTypeMeta(exts[i]) + if !ok { + continue + } + globalSchema.schemaByResourceType[typeMeta] = &d + } + } +} + +func toTypeMeta(ext interface{}) (yaml.TypeMeta, bool) { + m, ok := ext.(map[string]interface{}) + if !ok { + return yaml.TypeMeta{}, false + } + + apiVersion := m[versionKey].(string) + if g, ok := m[groupKey].(string); ok && g != "" { + apiVersion = g + "/" + apiVersion + } + return yaml.TypeMeta{Kind: m[kindKey].(string), APIVersion: apiVersion}, true +} + +// Resolve resolves the reference against the global schema +func Resolve(ref *spec.Ref, schema *spec.Schema) (*spec.Schema, error) { + return resolve(schema, ref) +} + +// Schema returns the global schema +func Schema() *spec.Schema { + return rootSchema() +} + +// GetSchema parses s into a ResourceSchema, resolving References within the +// global schema. +func GetSchema(s string, schema *spec.Schema) (*ResourceSchema, error) { + var sc spec.Schema + if err := sc.UnmarshalJSON([]byte(s)); err != nil { + return nil, errors.Wrap(err) + } + if sc.Ref.String() != "" { + r, err := Resolve(&sc.Ref, schema) + if err != nil { + return nil, errors.Wrap(err) + } + sc = *r + } + + return &ResourceSchema{Schema: &sc}, nil +} + +// IsNamespaceScoped determines whether a resource is namespace or +// cluster-scoped by looking at the information in the openapi schema. +// The second return value tells whether the provided type could be found +// in the openapi schema. If the value is false here, the scope of the +// resource is not known. If the type is found, the first return value will +// be true if the resource is namespace-scoped, and false if the type is +// cluster-scoped. +func IsNamespaceScoped(typeMeta yaml.TypeMeta) (bool, bool) { + if isNamespaceScoped, found := precomputedIsNamespaceScoped[typeMeta]; found { + return isNamespaceScoped, found + } + if isInitSchemaNeededForNamespaceScopeCheck() { + initSchema() + } + isNamespaceScoped, found := globalSchema.namespaceabilityByResourceType[typeMeta] + return isNamespaceScoped, found +} + +// isInitSchemaNeededForNamespaceScopeCheck returns true if initSchema is needed +// to ensure globalSchema.namespaceabilityByResourceType is fully populated for +// cases where a custom or non-default built-in schema is in use. +func isInitSchemaNeededForNamespaceScopeCheck() bool { + schemaLock.Lock() + defer schemaLock.Unlock() + + if globalSchema.schemaInit { + return false // globalSchema already is initialized. + } + if customSchema != nil { + return true // initSchema is needed. + } + if kubernetesOpenAPIVersion == "" || kubernetesOpenAPIVersion == kubernetesOpenAPIDefaultVersion { + // The default built-in schema is in use. Since + // precomputedIsNamespaceScoped aligns with the default built-in schema + // (verified by TestIsNamespaceScopedPrecompute), there is no need to + // call initSchema. + if globalSchema.defaultBuiltInSchemaParseStatus == schemaNotParsed { + // The schema may be needed for purposes other than namespace scope + // checks. Flag it to be parsed when that need arises. + globalSchema.defaultBuiltInSchemaParseStatus = schemaParseDelayed + } + return false + } + // A non-default built-in schema is in use. initSchema is needed. + return true +} + +// IsCertainlyClusterScoped returns true for Node, Namespace, etc. and +// false for Pod, Deployment, etc. and kinds that aren't recognized in the +// openapi data. See: +// https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces +func IsCertainlyClusterScoped(typeMeta yaml.TypeMeta) bool { + nsScoped, found := IsNamespaceScoped(typeMeta) + return found && !nsScoped +} + +// SuppressBuiltInSchemaUse can be called to prevent using the built-in Kubernetes +// schema as part of the global schema. +// Must be called before the schema is used. +func SuppressBuiltInSchemaUse() { + globalSchema.noUseBuiltInSchema = true +} + +// Elements returns the Schema for the elements of an array. +func (rs *ResourceSchema) Elements() *ResourceSchema { + // load the schema from swagger files + initSchema() + + if len(rs.Schema.Type) != 1 || rs.Schema.Type[0] != "array" { + // either not an array, or array has multiple types + return nil + } + if rs == nil || rs.Schema == nil || rs.Schema.Items == nil { + // no-scheme for the items + return nil + } + s := *rs.Schema.Items.Schema + for s.Ref.String() != "" { + sc, e := Resolve(&s.Ref, Schema()) + if e != nil { + return nil + } + s = *sc + } + return &ResourceSchema{Schema: &s} +} + +const Elements = "[]" + +// Lookup calls either Field or Elements for each item in the path. +// If the path item is "[]", then Elements is called, otherwise +// Field is called. +// If any Field or Elements call returns nil, then Lookup returns +// nil immediately. +func (rs *ResourceSchema) Lookup(path ...string) *ResourceSchema { + s := rs + for _, p := range path { + if s == nil { + break + } + if p == Elements { + s = s.Elements() + continue + } + s = s.Field(p) + } + return s +} + +// Field returns the Schema for a field. +func (rs *ResourceSchema) Field(field string) *ResourceSchema { + // load the schema from swagger files + initSchema() + + // locate the Schema + s, found := rs.Schema.Properties[field] + switch { + case found: + // no-op, continue with s as the schema + case rs.Schema.AdditionalProperties != nil && rs.Schema.AdditionalProperties.Schema != nil: + // map field type -- use Schema of the value + // (the key doesn't matter, they all have the same value type) + s = *rs.Schema.AdditionalProperties.Schema + default: + // no Schema found from either swagger files or line comments + return nil + } + + // resolve the reference to the Schema if the Schema has one + for s.Ref.String() != "" { + sc, e := Resolve(&s.Ref, Schema()) + if e != nil { + return nil + } + s = *sc + } + + // return the merged Schema + return &ResourceSchema{Schema: &s} +} + +// PatchStrategyAndKeyList returns the patch strategy and complete merge key list +func (rs *ResourceSchema) PatchStrategyAndKeyList() (string, []string) { + ps, found := rs.Schema.Extensions[kubernetesPatchStrategyExtensionKey] + if !found { + // empty patch strategy + return "", []string{} + } + mkList, found := rs.Schema.Extensions[kubernetesMergeKeyMapList] + if found { + // mkList is []interface, convert to []string + mkListStr := make([]string, len(mkList.([]interface{}))) + for i, v := range mkList.([]interface{}) { + mkListStr[i] = v.(string) + } + return ps.(string), mkListStr + } + mk, found := rs.Schema.Extensions[kubernetesMergeKeyExtensionKey] + if !found { + // no mergeKey -- may be a primitive associative list (e.g. finalizers) + return ps.(string), []string{} + } + return ps.(string), []string{mk.(string)} +} + +// PatchStrategyAndKey returns the patch strategy and merge key extensions +func (rs *ResourceSchema) PatchStrategyAndKey() (string, string) { + ps, found := rs.Schema.Extensions[kubernetesPatchStrategyExtensionKey] + if !found { + // empty patch strategy + return "", "" + } + + mk, found := rs.Schema.Extensions[kubernetesMergeKeyExtensionKey] + if !found { + // no mergeKey -- may be a primitive associative list (e.g. finalizers) + mk = "" + } + return ps.(string), mk.(string) +} + +const ( + // kubernetesOpenAPIDefaultVersion is the latest version number of the statically compiled in + // OpenAPI schema for kubernetes built-in types + kubernetesOpenAPIDefaultVersion = kubernetesapi.DefaultOpenAPI + + // kustomizationAPIAssetName is the name of the asset containing the statically compiled in + // OpenAPI definitions for Kustomization built-in types + kustomizationAPIAssetName = "kustomizationapi/swagger.json" + + // kubernetesGVKExtensionKey is the key to lookup the kubernetes group version kind extension + // -- the extension is an array of objects containing a gvk + kubernetesGVKExtensionKey = "x-kubernetes-group-version-kind" + + // kubernetesMergeKeyExtensionKey is the key to lookup the kubernetes merge key extension + // -- the extension is a string + kubernetesMergeKeyExtensionKey = "x-kubernetes-patch-merge-key" + + // kubernetesPatchStrategyExtensionKey is the key to lookup the kubernetes patch strategy + // extension -- the extension is a string + kubernetesPatchStrategyExtensionKey = "x-kubernetes-patch-strategy" + + // kubernetesMergeKeyMapList is the list of merge keys when there needs to be multiple + // -- the extension is an array of strings + kubernetesMergeKeyMapList = "x-kubernetes-list-map-keys" + + // groupKey is the key to lookup the group from the GVK extension + groupKey = "group" + // versionKey is the key to lookup the version from the GVK extension + versionKey = "version" + // kindKey is the to lookup the kind from the GVK extension + kindKey = "kind" +) + +// SetSchema sets the kubernetes OpenAPI schema version to use +func SetSchema(openAPIField map[string]string, schema []byte, reset bool) error { + schemaLock.Lock() + defer schemaLock.Unlock() + + // this should only be set once + schemaIsSet := (kubernetesOpenAPIVersion != "") || customSchema != nil + if schemaIsSet && !reset { + return nil + } + + version, versionProvided := openAPIField["version"] + + // use custom schema + if schema != nil { + if versionProvided { + return fmt.Errorf("builtin version and custom schema provided, cannot use both") + } + customSchema = schema + kubernetesOpenAPIVersion = "custom" + // if the schema is changed, initSchema should parse the new schema + globalSchema.schemaInit = false + return nil + } + + // use builtin version + kubernetesOpenAPIVersion = version + if kubernetesOpenAPIVersion == "" { + return nil + } + if _, ok := kubernetesapi.OpenAPIMustAsset[kubernetesOpenAPIVersion]; !ok { + return fmt.Errorf("the specified OpenAPI version is not built in") + } + + customSchema = nil + // if the schema is changed, initSchema should parse the new schema + globalSchema.schemaInit = false + return nil +} + +// GetSchemaVersion returns what kubernetes OpenAPI version is being used +func GetSchemaVersion() string { + schemaLock.RLock() + defer schemaLock.RUnlock() + + switch { + case kubernetesOpenAPIVersion == "" && customSchema == nil: + return kubernetesOpenAPIDefaultVersion + case customSchema != nil: + return "using custom schema from file provided" + default: + return kubernetesOpenAPIVersion + } +} + +// initSchema parses the json schema +func initSchema() { + schemaLock.Lock() + defer schemaLock.Unlock() + + if globalSchema.schemaInit { + return + } + globalSchema.schemaInit = true + + // TODO(natasha41575): Accept proto-formatted schema files + if customSchema != nil { + err := parse(customSchema, JsonOrYaml) + if err != nil { + panic(fmt.Errorf("invalid schema file: %w", err)) + } + } else { + if kubernetesOpenAPIVersion == "" || kubernetesOpenAPIVersion == kubernetesOpenAPIDefaultVersion { + parseBuiltinSchema(kubernetesOpenAPIDefaultVersion) + globalSchema.defaultBuiltInSchemaParseStatus = schemaParsed + } else { + parseBuiltinSchema(kubernetesOpenAPIVersion) + } + } + + if globalSchema.defaultBuiltInSchemaParseStatus == schemaParseDelayed { + parseBuiltinSchema(kubernetesOpenAPIDefaultVersion) + globalSchema.defaultBuiltInSchemaParseStatus = schemaParsed + } + + if err := parse(kustomizationapi.MustAsset(kustomizationAPIAssetName), JsonOrYaml); err != nil { + // this should never happen + panic(err) + } +} + +// parseBuiltinSchema calls parse to parse the json or proto schemas +func parseBuiltinSchema(version string) { + if globalSchema.noUseBuiltInSchema { + // don't parse the built in schema + return + } + // parse the swagger, this should never fail + assetName := filepath.Join( + "kubernetesapi", + strings.ReplaceAll(version, ".", "_"), + "swagger.pb") + + if err := parse(kubernetesapi.OpenAPIMustAsset[version](assetName), Proto); err != nil { + // this should never happen + panic(err) + } +} + +// parse parses and indexes a single json or proto schema +func parse(b []byte, format format) error { + var swagger spec.Swagger + switch { + case format == Proto: + doc := &openapi_v2.Document{} + // We parse protobuf and get an openapi_v2.Document here. + if err := proto.Unmarshal(b, doc); err != nil { + return fmt.Errorf("openapi proto unmarshalling failed: %w", err) + } + // convert the openapi_v2.Document back to Swagger + _, err := swagger.FromGnostic(doc) + if err != nil { + return errors.Wrap(err) + } + + case format == JsonOrYaml: + if len(b) > 0 && b[0] != byte('{') { + var err error + b, err = k8syaml.YAMLToJSON(b) + if err != nil { + return errors.Wrap(err) + } + } + if err := swagger.UnmarshalJSON(b); err != nil { + return errors.Wrap(err) + } + } + + AddDefinitions(swagger.Definitions) + findNamespaceability(swagger.Paths) + return nil +} + +// findNamespaceability looks at the api paths for the resource to determine +// if it is cluster-scoped or namespace-scoped. The gvk of the resource +// for each path is found by looking at the x-kubernetes-group-version-kind +// extension. If a path exists for the resource that contains a namespace path +// parameter, the resource is namespace-scoped. +func findNamespaceability(paths *spec.Paths) { + if globalSchema.namespaceabilityByResourceType == nil { + globalSchema.namespaceabilityByResourceType = make(map[yaml.TypeMeta]bool) + } + + if paths == nil { + return + } + + for path, pathInfo := range paths.Paths { + if pathInfo.Get == nil { + continue + } + gvk, found := pathInfo.Get.VendorExtensible.Extensions[kubernetesGVKExtensionKey] + if !found { + continue + } + typeMeta, found := toTypeMeta(gvk) + if !found { + continue + } + + if strings.Contains(path, "namespaces/{namespace}") { + // if we find a namespace path parameter, we just update the map + // directly + globalSchema.namespaceabilityByResourceType[typeMeta] = true + } else if _, found := globalSchema.namespaceabilityByResourceType[typeMeta]; !found { + // if the resource doesn't have the namespace path parameter, we + // only add it to the map if it doesn't already exist. + globalSchema.namespaceabilityByResourceType[typeMeta] = false + } + } +} + +func resolve(root interface{}, ref *spec.Ref) (*spec.Schema, error) { + if s, ok := root.(*spec.Schema); ok && s == nil { + return nil, nil + } + res, _, err := ref.GetPointer().Get(root) + if err != nil { + return nil, errors.Wrap(err) + } + switch sch := res.(type) { + case spec.Schema: + return &sch, nil + case *spec.Schema: + return sch, nil + case map[string]interface{}: + b, err := json.Marshal(sch) + if err != nil { + return nil, err + } + newSch := new(spec.Schema) + if err = json.Unmarshal(b, newSch); err != nil { + return nil, err + } + return newSch, nil + default: + return nil, errors.Wrap(fmt.Errorf("unknown type for the resolved reference")) + } +} + +func rootSchema() *spec.Schema { + initSchema() + return &globalSchema.schema +} diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/order/syncorder.go b/vendor/sigs.k8s.io/kustomize/kyaml/order/syncorder.go new file mode 100644 index 0000000000..57bc865039 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/kyaml/order/syncorder.go @@ -0,0 +1,121 @@ +// Copyright 2021 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package order + +import ( + "sigs.k8s.io/kustomize/kyaml/errors" + "sigs.k8s.io/kustomize/kyaml/yaml" +) + +// SyncOrder recursively sorts the map node keys in 'to' node to match the order of +// map node keys in 'from' node at same tree depth, additional keys are moved to the end +// Field order might be altered due to round-tripping in arbitrary functions. +// This functionality helps to retain the original order of fields to avoid unnecessary diffs. +func SyncOrder(from, to *yaml.RNode) error { + // from node should not be modified, it should be just used as a reference + fromCopy := from.Copy() + if err := syncOrder(fromCopy, to); err != nil { + return errors.Errorf("failed to sync field order: %q", err.Error()) + } + rearrangeHeadCommentOfSeqNode(to.YNode()) + return nil +} + +func syncOrder(from, to *yaml.RNode) error { + if from.IsNilOrEmpty() || to.IsNilOrEmpty() { + return nil + } + switch from.YNode().Kind { + case yaml.DocumentNode: + // Traverse the child of the documents + return syncOrder(yaml.NewRNode(from.YNode()), yaml.NewRNode(to.YNode())) + case yaml.MappingNode: + return VisitFields(from, to, func(fNode, tNode *yaml.MapNode) error { + // Traverse each field value + if fNode == nil || tNode == nil { + return nil + } + return syncOrder(fNode.Value, tNode.Value) + }) + case yaml.SequenceNode: + return VisitElements(from, to, syncOrder) // Traverse each list element + } + return nil +} + +// VisitElements calls fn for each element in a SequenceNode. +// Returns an error for non-SequenceNodes +func VisitElements(from, to *yaml.RNode, fn func(fNode, tNode *yaml.RNode) error) error { + fElements, err := from.Elements() + if err != nil { + return errors.Wrap(err) + } + + tElements, err := to.Elements() + if err != nil { + return errors.Wrap(err) + } + for i := range fElements { + if i >= len(tElements) { + return nil + } + if err := fn(fElements[i], tElements[i]); err != nil { + return errors.Wrap(err) + } + } + return nil +} + +// VisitFields calls fn for each field in the RNode. +// Returns an error for non-MappingNodes. +func VisitFields(from, to *yaml.RNode, fn func(fNode, tNode *yaml.MapNode) error) error { + srcFieldNames, err := from.Fields() + if err != nil { + return nil + } + yaml.SyncMapNodesOrder(from, to) + // visit each field + for _, fieldName := range srcFieldNames { + if err := fn(from.Field(fieldName), to.Field(fieldName)); err != nil { + return errors.Wrap(err) + } + } + return nil +} + +// rearrangeHeadCommentOfSeqNode addresses a remote corner case due to moving a +// map node in a sequence node with a head comment to the top +func rearrangeHeadCommentOfSeqNode(node *yaml.Node) { + if node == nil { + return + } + switch node.Kind { + case yaml.DocumentNode: + for _, node := range node.Content { + rearrangeHeadCommentOfSeqNode(node) + } + + case yaml.MappingNode: + for _, node := range node.Content { + rearrangeHeadCommentOfSeqNode(node) + } + + case yaml.SequenceNode: + for _, node := range node.Content { + // for each child mapping node, transfer the head comment of it's + // first child scalar node to the head comment of itself + if len(node.Content) > 0 && node.Content[0].Kind == yaml.ScalarNode { + if node.HeadComment == "" { + node.HeadComment = node.Content[0].HeadComment + continue + } + + if node.Content[0].HeadComment != "" { + node.HeadComment += "\n" + node.Content[0].HeadComment + node.Content[0].HeadComment = "" + } + } + } + } +} diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/resid/gvk.go b/vendor/sigs.k8s.io/kustomize/kyaml/resid/gvk.go new file mode 100644 index 0000000000..0289cadd78 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/kyaml/resid/gvk.go @@ -0,0 +1,255 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package resid + +import ( + "strings" + + "sigs.k8s.io/kustomize/kyaml/openapi" + "sigs.k8s.io/kustomize/kyaml/yaml" +) + +// Gvk identifies a Kubernetes API type. +// https://git.k8s.io/design-proposals-archive/api-machinery/api-group.md +type Gvk struct { + Group string `json:"group,omitempty" yaml:"group,omitempty"` + Version string `json:"version,omitempty" yaml:"version,omitempty"` + Kind string `json:"kind,omitempty" yaml:"kind,omitempty"` + // isClusterScoped is true if the object is known, per the openapi + // data in use, to be cluster scoped, and false otherwise. + isClusterScoped bool +} + +func NewGvk(g, v, k string) Gvk { + result := Gvk{Group: g, Version: v, Kind: k} + result.isClusterScoped = + openapi.IsCertainlyClusterScoped(result.AsTypeMeta()) + return result +} + +func GvkFromNode(r *yaml.RNode) Gvk { + g, v := ParseGroupVersion(r.GetApiVersion()) + return NewGvk(g, v, r.GetKind()) +} + +// FromKind makes a Gvk with only the kind specified. +func FromKind(k string) Gvk { + return NewGvk("", "", k) +} + +// ParseGroupVersion parses a KRM metadata apiVersion field. +func ParseGroupVersion(apiVersion string) (group, version string) { + if i := strings.Index(apiVersion, "/"); i > -1 { + return apiVersion[:i], apiVersion[i+1:] + } + return "", apiVersion +} + +// GvkFromString makes a Gvk from the output of Gvk.String(). +func GvkFromString(s string) Gvk { + values := strings.Split(s, fieldSep) + if len(values) < 3 { + // ...then the string didn't come from Gvk.String(). + return Gvk{ + Group: noGroup, + Version: noVersion, + Kind: noKind, + } + } + k := values[0] + if k == noKind { + k = "" + } + v := values[1] + if v == noVersion { + v = "" + } + g := strings.Join(values[2:], fieldSep) + if g == noGroup { + g = "" + } + return NewGvk(g, v, k) +} + +// Values that are brief but meaningful in logs. +const ( + noGroup = "[noGrp]" + noVersion = "[noVer]" + noKind = "[noKind]" + fieldSep = "." +) + +// String returns a string representation of the GVK. +func (x Gvk) String() string { + g := x.Group + if g == "" { + g = noGroup + } + v := x.Version + if v == "" { + v = noVersion + } + k := x.Kind + if k == "" { + k = noKind + } + return strings.Join([]string{k, v, g}, fieldSep) +} + +// stableSortString returns a GVK representation that ensures determinism and +// backwards-compatibility in testing, logging, ... +func (x Gvk) stableSortString() string { + stableNoGroup := "~G" + stableNoVersion := "~V" + stableNoKind := "~K" + stableFieldSeparator := "_" + + g := x.Group + if g == "" { + g = stableNoGroup + } + v := x.Version + if v == "" { + v = stableNoVersion + } + k := x.Kind + if k == "" { + k = stableNoKind + } + return strings.Join([]string{g, v, k}, stableFieldSeparator) +} + +// ApiVersion returns the combination of Group and Version +func (x Gvk) ApiVersion() string { + if x.Group != "" { + return x.Group + "/" + x.Version + } + return x.Version +} + +// StringWoEmptyField returns a string representation of the GVK. Non-exist +// fields will be omitted. This is called when generating a filename for the +// resource. +func (x Gvk) StringWoEmptyField() string { + var s []string + if x.Group != "" { + s = append(s, x.Group) + } + if x.Version != "" { + s = append(s, x.Version) + } + if x.Kind != "" { + s = append(s, x.Kind) + } + return strings.Join(s, "_") +} + +// Equals returns true if the Gvk's have equal fields. +func (x Gvk) Equals(o Gvk) bool { + return x.Group == o.Group && x.Version == o.Version && x.Kind == o.Kind +} + +// An attempt to order things to help k8s, e.g. +// a Service should come before things that refer to it. +// Namespace should be first. +// In some cases order just specified to provide determinism. +var orderFirst = []string{ + "Namespace", + "ResourceQuota", + "StorageClass", + "CustomResourceDefinition", + "ServiceAccount", + "PodSecurityPolicy", + "Role", + "ClusterRole", + "RoleBinding", + "ClusterRoleBinding", + "ConfigMap", + "Secret", + "Endpoints", + "Service", + "LimitRange", + "PriorityClass", + "PersistentVolume", + "PersistentVolumeClaim", + "Deployment", + "StatefulSet", + "CronJob", + "PodDisruptionBudget", +} +var orderLast = []string{ + "MutatingWebhookConfiguration", + "ValidatingWebhookConfiguration", +} +var typeOrders = func() map[string]int { + m := map[string]int{} + for i, n := range orderFirst { + m[n] = -len(orderFirst) + i + } + for i, n := range orderLast { + m[n] = 1 + i + } + return m +}() + +// IsLessThan returns true if self is less than the argument. +func (x Gvk) IsLessThan(o Gvk) bool { + indexI := typeOrders[x.Kind] + indexJ := typeOrders[o.Kind] + if indexI != indexJ { + return indexI < indexJ + } + return x.stableSortString() < o.stableSortString() +} + +// IsSelected returns true if `selector` selects `x`; otherwise, false. +// If `selector` and `x` are the same, return true. +// If `selector` is nil, it is considered a wildcard match, returning true. +// If selector fields are empty, they are considered wildcards matching +// anything in the corresponding fields, e.g. +// +// this item: +// +// +// is selected by +// +// +// but rejected by +// +// +func (x Gvk) IsSelected(selector *Gvk) bool { + if selector == nil { + return true + } + if len(selector.Group) > 0 { + if x.Group != selector.Group { + return false + } + } + if len(selector.Version) > 0 { + if x.Version != selector.Version { + return false + } + } + if len(selector.Kind) > 0 { + if x.Kind != selector.Kind { + return false + } + } + return true +} + +// AsTypeMeta returns a yaml.TypeMeta from x's information. +func (x Gvk) AsTypeMeta() yaml.TypeMeta { + return yaml.TypeMeta{ + APIVersion: x.ApiVersion(), + Kind: x.Kind, + } +} + +// IsClusterScoped returns true if the Gvk is certainly cluster scoped +// with respect to the available openapi data. +func (x Gvk) IsClusterScoped() bool { + return x.isClusterScoped +} diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/resid/resid.go b/vendor/sigs.k8s.io/kustomize/kyaml/resid/resid.go new file mode 100644 index 0000000000..cddbcdde60 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/kyaml/resid/resid.go @@ -0,0 +1,145 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package resid + +import ( + "reflect" + "strings" + + "sigs.k8s.io/kustomize/kyaml/yaml" +) + +// ResId is an identifier of a k8s resource object. +type ResId struct { + // Gvk of the resource. + Gvk `json:",inline,omitempty" yaml:",inline,omitempty"` + + // Name of the resource. + Name string `json:"name,omitempty" yaml:"name,omitempty"` + + // Namespace the resource belongs to, if it can belong to a namespace. + Namespace string `json:"namespace,omitempty" yaml:"namespace,omitempty"` +} + +// NewResIdWithNamespace creates new ResId +// in a given namespace. +func NewResIdWithNamespace(k Gvk, n, ns string) ResId { + return ResId{Gvk: k, Name: n, Namespace: ns} +} + +// NewResId creates new ResId. +func NewResId(k Gvk, n string) ResId { + return NewResIdWithNamespace(k, n, "") +} + +// NewResIdKindOnly creates a new ResId. +func NewResIdKindOnly(k string, n string) ResId { + return NewResId(FromKind(k), n) +} + +const ( + noNamespace = "[noNs]" + noName = "[noName]" + separator = "/" + TotallyNotANamespace = "_non_namespaceable_" + DefaultNamespace = "default" +) + +// String of ResId based on GVK, name and prefix +func (id ResId) String() string { + ns := id.Namespace + if ns == "" { + ns = noNamespace + } + nm := id.Name + if nm == "" { + nm = noName + } + return strings.Join( + []string{id.Gvk.String(), strings.Join([]string{nm, ns}, fieldSep)}, separator) +} + +func FromString(s string) ResId { + values := strings.Split(s, separator) + gvk := GvkFromString(values[0]) + + values = strings.Split(values[1], fieldSep) + last := len(values) - 1 + + ns := values[last] + if ns == noNamespace { + ns = "" + } + nm := strings.Join(values[:last], fieldSep) + if nm == noName { + nm = "" + } + return ResId{ + Gvk: gvk, + Namespace: ns, + Name: nm, + } +} + +// FromRNode returns the ResId for the RNode +func FromRNode(rn *yaml.RNode) ResId { + group, version := ParseGroupVersion(rn.GetApiVersion()) + return NewResIdWithNamespace( + Gvk{Group: group, Version: version, Kind: rn.GetKind()}, rn.GetName(), rn.GetNamespace()) +} + +// GvknEquals returns true if the other id matches +// Group/Version/Kind/name. +func (id ResId) GvknEquals(o ResId) bool { + return id.Name == o.Name && id.Gvk.Equals(o.Gvk) +} + +// IsSelectedBy returns true if self is selected by the argument. +func (id ResId) IsSelectedBy(selector ResId) bool { + return (selector.Name == "" || selector.Name == id.Name) && + (selector.Namespace == "" || selector.IsNsEquals(id)) && + id.Gvk.IsSelected(&selector.Gvk) +} + +// Equals returns true if the other id matches +// namespace/Group/Version/Kind/name. +func (id ResId) Equals(o ResId) bool { + return id.IsNsEquals(o) && id.GvknEquals(o) +} + +// IsNsEquals returns true if the id is in +// the same effective namespace. +func (id ResId) IsNsEquals(o ResId) bool { + return id.EffectiveNamespace() == o.EffectiveNamespace() +} + +// IsInDefaultNs returns true if id is a namespaceable +// ResId and the Namespace is either not set or set +// to DefaultNamespace. +func (id ResId) IsInDefaultNs() bool { + return !id.IsClusterScoped() && id.isPutativelyDefaultNs() +} + +func (id ResId) isPutativelyDefaultNs() bool { + return id.Namespace == "" || id.Namespace == DefaultNamespace +} + +// EffectiveNamespace returns a non-ambiguous, non-empty +// namespace for use in reporting and equality tests. +func (id ResId) EffectiveNamespace() string { + // The order of these checks matters. + if id.IsClusterScoped() { + return TotallyNotANamespace + } + if id.isPutativelyDefaultNs() { + return DefaultNamespace + } + return id.Namespace +} + +// IsEmpty returns true of all of the id's fields are +// empty strings +func (id ResId) IsEmpty() bool { + return reflect.DeepEqual(id, ResId{}) +} diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/runfn/runfn.go b/vendor/sigs.k8s.io/kustomize/kyaml/runfn/runfn.go new file mode 100644 index 0000000000..777d3f87cc --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/kyaml/runfn/runfn.go @@ -0,0 +1,508 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package runfn + +import ( + "fmt" + "io" + "os" + "os/user" + "path" + "path/filepath" + "sort" + "strconv" + "strings" + "sync/atomic" + + "sigs.k8s.io/kustomize/kyaml/errors" + "sigs.k8s.io/kustomize/kyaml/fn/runtime/container" + "sigs.k8s.io/kustomize/kyaml/fn/runtime/exec" + "sigs.k8s.io/kustomize/kyaml/fn/runtime/runtimeutil" + "sigs.k8s.io/kustomize/kyaml/kio" + "sigs.k8s.io/kustomize/kyaml/kio/kioutil" + "sigs.k8s.io/kustomize/kyaml/yaml" +) + +// RunFns runs the set of configuration functions in a local directory against +// the Resources in that directory +type RunFns struct { + StorageMounts []runtimeutil.StorageMount + + // Path is the path to the directory containing functions + Path string + + // FunctionPaths Paths allows functions to be specified outside the configuration + // directory. + // Functions provided on FunctionPaths are globally scoped. + // If FunctionPaths length is > 0, then NoFunctionsFromInput defaults to true + FunctionPaths []string + + // Functions is an explicit list of functions to run against the input. + // Functions provided on Functions are globally scoped. + // If Functions length is > 0, then NoFunctionsFromInput defaults to true + Functions []*yaml.RNode + + // GlobalScope if true, functions read from input will be scoped globally rather + // than only to Resources under their subdirs. + GlobalScope bool + + // Input can be set to read the Resources from Input rather than from a directory + Input io.Reader + + // Network enables network access for functions that declare it + Network bool + + // Output can be set to write the result to Output rather than back to the directory + Output io.Writer + + // NoFunctionsFromInput if set to true will not read any functions from the input, + // and only use explicit sources + NoFunctionsFromInput *bool + + // EnableExec will enable exec functions + EnableExec bool + + // DisableContainers will disable functions run as containers + DisableContainers bool + + // ResultsDir is where to write each functions results + ResultsDir string + + // LogSteps enables logging the function that is running. + LogSteps bool + + // LogWriter can be set to write the logs to LogWriter rather than stderr if LogSteps is enabled. + LogWriter io.Writer + + // resultsCount is used to generate the results filename for each container + resultsCount uint32 + + // functionFilterProvider provides a filter to perform the function. + // this is a variable so it can be mocked in tests + functionFilterProvider func( + filter runtimeutil.FunctionSpec, api *yaml.RNode, currentUser currentUserFunc) (kio.Filter, error) + + // AsCurrentUser is a boolean to indicate whether docker container should use + // the uid and gid that run the command + AsCurrentUser bool + + // Env contains environment variables that will be exported to container + Env []string + + // ContinueOnEmptyResult configures what happens when the underlying pipeline + // returns an empty result. + // If it is false (default), subsequent functions will be skipped and the + // result will be returned immediately. + // If it is true, the empty result will be provided as input to the next + // function in the list. + ContinueOnEmptyResult bool + + // WorkingDir specifies which working directory an exec function should run in. + WorkingDir string +} + +// Execute runs the command +func (r RunFns) Execute() error { + // make the path absolute so it works on mac + var err error + r.Path, err = filepath.Abs(r.Path) + if err != nil { + return errors.Wrap(err) + } + + // default the containerFilterProvider if it hasn't been override. Split out for testing. + (&r).init() + nodes, fltrs, output, err := r.getNodesAndFilters() + if err != nil { + return err + } + return r.runFunctions(nodes, output, fltrs) +} + +func (r RunFns) getNodesAndFilters() ( + *kio.PackageBuffer, []kio.Filter, *kio.LocalPackageReadWriter, error) { + // Read Resources from Directory or Input + buff := &kio.PackageBuffer{} + p := kio.Pipeline{Outputs: []kio.Writer{buff}} + // save the output dir because we will need it to write back + // the same one for reading must be used for writing if deleting Resources + var outputPkg *kio.LocalPackageReadWriter + if r.Path != "" { + outputPkg = &kio.LocalPackageReadWriter{PackagePath: r.Path, MatchFilesGlob: kio.MatchAll} + } + + if r.Input == nil { + p.Inputs = []kio.Reader{outputPkg} + } else { + p.Inputs = []kio.Reader{&kio.ByteReader{Reader: r.Input}} + } + if err := p.Execute(); err != nil { + return nil, nil, outputPkg, err + } + + fltrs, err := r.getFilters(buff.Nodes) + if err != nil { + return nil, nil, outputPkg, err + } + return buff, fltrs, outputPkg, nil +} + +func (r RunFns) getFilters(nodes []*yaml.RNode) ([]kio.Filter, error) { + var fltrs []kio.Filter + + // fns from annotations on the input resources + f, err := r.getFunctionsFromInput(nodes) + if err != nil { + return nil, err + } + fltrs = append(fltrs, f...) + + // fns from directories specified on the struct + f, err = r.getFunctionsFromFunctionPaths() + if err != nil { + return nil, err + } + fltrs = append(fltrs, f...) + + // explicit fns specified on the struct + f, err = r.getFunctionsFromFunctions() + if err != nil { + return nil, err + } + fltrs = append(fltrs, f...) + + return fltrs, nil +} + +// runFunctions runs the fltrs against the input and writes to either r.Output or output +func (r RunFns) runFunctions( + input kio.Reader, output kio.Writer, fltrs []kio.Filter) error { + // use the previously read Resources as input + var outputs []kio.Writer + if r.Output == nil { + // write back to the package + outputs = append(outputs, output) + } else { + // write to the output instead of the directory if r.Output is specified or + // the output is nil (reading from Input) + outputs = append(outputs, kio.ByteWriter{Writer: r.Output}) + } + + var err error + pipeline := kio.Pipeline{ + Inputs: []kio.Reader{input}, + Filters: fltrs, + Outputs: outputs, + ContinueOnEmptyResult: r.ContinueOnEmptyResult, + } + if r.LogSteps { + err = pipeline.ExecuteWithCallback(func(op kio.Filter) { + var identifier string + + switch filter := op.(type) { + case *container.Filter: + identifier = filter.Image + case *exec.Filter: + identifier = filter.Path + default: + identifier = "unknown-type function" + } + + _, _ = fmt.Fprintf(r.LogWriter, "Running %s\n", identifier) + }) + } else { + err = pipeline.Execute() + } + if err != nil { + return err + } + + // check for deferred function errors + var errs []string + for i := range fltrs { + cf, ok := fltrs[i].(runtimeutil.DeferFailureFunction) + if !ok { + continue + } + if cf.GetExit() != nil { + errs = append(errs, cf.GetExit().Error()) + } + } + if len(errs) > 0 { + return fmt.Errorf(strings.Join(errs, "\n---\n")) + } + return nil +} + +// getFunctionsFromInput scans the input for functions and runs them +func (r RunFns) getFunctionsFromInput(nodes []*yaml.RNode) ([]kio.Filter, error) { + if *r.NoFunctionsFromInput { + return nil, nil + } + + buff := &kio.PackageBuffer{} + err := kio.Pipeline{ + Inputs: []kio.Reader{&kio.PackageBuffer{Nodes: nodes}}, + Filters: []kio.Filter{&runtimeutil.IsReconcilerFilter{}}, + Outputs: []kio.Writer{buff}, + }.Execute() + if err != nil { + return nil, err + } + err = sortFns(buff) + if err != nil { + return nil, err + } + return r.getFunctionFilters(false, buff.Nodes...) +} + +// getFunctionsFromFunctionPaths returns the set of functions read from r.FunctionPaths +// as a slice of Filters +func (r RunFns) getFunctionsFromFunctionPaths() ([]kio.Filter, error) { + buff := &kio.PackageBuffer{} + for i := range r.FunctionPaths { + err := kio.Pipeline{ + Inputs: []kio.Reader{ + kio.LocalPackageReader{PackagePath: r.FunctionPaths[i]}, + }, + Outputs: []kio.Writer{buff}, + }.Execute() + if err != nil { + return nil, err + } + } + return r.getFunctionFilters(true, buff.Nodes...) +} + +// getFunctionsFromFunctions returns the set of explicitly provided functions as +// Filters +func (r RunFns) getFunctionsFromFunctions() ([]kio.Filter, error) { + return r.getFunctionFilters(true, r.Functions...) +} + +// mergeContainerEnv will merge the envs specified by command line (imperative) and config +// file (declarative). If they have same key, the imperative value will be respected. +func (r RunFns) mergeContainerEnv(envs []string) []string { + imperative := runtimeutil.NewContainerEnvFromStringSlice(r.Env) + declarative := runtimeutil.NewContainerEnvFromStringSlice(envs) + for key, value := range imperative.EnvVars { + declarative.AddKeyValue(key, value) + } + + for _, key := range imperative.VarsToExport { + declarative.AddKey(key) + } + + return declarative.Raw() +} + +func (r RunFns) getFunctionFilters(global bool, fns ...*yaml.RNode) ( + []kio.Filter, error) { + var fltrs []kio.Filter + for i := range fns { + api := fns[i] + spec, err := runtimeutil.GetFunctionSpec(api) + if err != nil { + return nil, fmt.Errorf("failed to get FunctionSpec: %w", err) + } + if spec == nil { + // resource doesn't have function spec + continue + } + if spec.Container.Network && !r.Network { + // TODO(eddiezane): Provide error info about which function needs the network + return fltrs, errors.Errorf("network required but not enabled with --network") + } + // merge envs from imperative and declarative + spec.Container.Env = r.mergeContainerEnv(spec.Container.Env) + + c, err := r.functionFilterProvider(*spec, api, user.Current) + if err != nil { + return nil, err + } + + if c == nil { + continue + } + cf, ok := c.(*container.Filter) + if ok { + if global { + cf.Exec.GlobalScope = true + } + cf.Exec.WorkingDir = r.WorkingDir + } + fltrs = append(fltrs, c) + } + return fltrs, nil +} + +// sortFns sorts functions so that functions with the longest paths come first +func sortFns(buff *kio.PackageBuffer) error { + var outerErr error + // sort the nodes so that we traverse them depth first + // functions deeper in the file system tree should be run first + sort.Slice(buff.Nodes, func(i, j int) bool { + if err := kioutil.CopyLegacyAnnotations(buff.Nodes[i]); err != nil { + return false + } + if err := kioutil.CopyLegacyAnnotations(buff.Nodes[j]); err != nil { + return false + } + mi, _ := buff.Nodes[i].GetMeta() + pi := filepath.ToSlash(mi.Annotations[kioutil.PathAnnotation]) + + mj, _ := buff.Nodes[j].GetMeta() + pj := filepath.ToSlash(mj.Annotations[kioutil.PathAnnotation]) + + // If the path is the same, we decide the ordering based on the + // index annotation. + if pi == pj { + iIndex, err := strconv.Atoi(mi.Annotations[kioutil.IndexAnnotation]) + if err != nil { + outerErr = err + return false + } + jIndex, err := strconv.Atoi(mj.Annotations[kioutil.IndexAnnotation]) + if err != nil { + outerErr = err + return false + } + return iIndex < jIndex + } + + if filepath.Base(path.Dir(pi)) == "functions" { + // don't count the functions dir, the functions are scoped 1 level above + pi = filepath.Dir(path.Dir(pi)) + } else { + pi = filepath.Dir(pi) + } + + if filepath.Base(path.Dir(pj)) == "functions" { + // don't count the functions dir, the functions are scoped 1 level above + pj = filepath.Dir(path.Dir(pj)) + } else { + pj = filepath.Dir(pj) + } + + // i is "less" than j (comes earlier) if its depth is greater -- e.g. run + // i before j if it is deeper in the directory structure + li := len(strings.Split(pi, "/")) + if pi == "." { + // local dir should have 0 path elements instead of 1 + li = 0 + } + lj := len(strings.Split(pj, "/")) + if pj == "." { + // local dir should have 0 path elements instead of 1 + lj = 0 + } + if li != lj { + // use greater-than because we want to sort with the longest + // paths FIRST rather than last + return li > lj + } + + // sort by path names if depths are equal + return pi < pj + }) + return outerErr +} + +// init initializes the RunFns with a containerFilterProvider. +func (r *RunFns) init() { + if r.NoFunctionsFromInput == nil { + // default no functions from input if any function sources are explicitly provided + nfn := len(r.FunctionPaths) > 0 || len(r.Functions) > 0 + r.NoFunctionsFromInput = &nfn + } + + // if no path is specified, default reading from stdin and writing to stdout + if r.Path == "" { + if r.Output == nil { + r.Output = os.Stdout + } + if r.Input == nil { + r.Input = os.Stdin + } + } + + // functionFilterProvider set the filter provider + if r.functionFilterProvider == nil { + r.functionFilterProvider = r.ffp + } + + // if LogSteps is enabled and LogWriter is not specified, use stderr + if r.LogSteps && r.LogWriter == nil { + r.LogWriter = os.Stderr + } +} + +type currentUserFunc func() (*user.User, error) + +// getUIDGID will return "nobody" if asCurrentUser is false. Otherwise +// return "uid:gid" according to the return from currentUser function. +func getUIDGID(asCurrentUser bool, currentUser currentUserFunc) (string, error) { + if !asCurrentUser { + return "nobody", nil + } + + u, err := currentUser() + if err != nil { + return "", err + } + return fmt.Sprintf("%s:%s", u.Uid, u.Gid), nil +} + +// ffp provides function filters +func (r *RunFns) ffp(spec runtimeutil.FunctionSpec, api *yaml.RNode, currentUser currentUserFunc) (kio.Filter, error) { + var resultsFile string + if r.ResultsDir != "" { + resultsFile = filepath.Join(r.ResultsDir, fmt.Sprintf( + "results-%v.yaml", r.resultsCount)) + atomic.AddUint32(&r.resultsCount, 1) + } + if !r.DisableContainers && spec.Container.Image != "" { + // TODO: Add a test for this behavior + uidgid, err := getUIDGID(r.AsCurrentUser, currentUser) + if err != nil { + return nil, err + } + + // Storage mounts can either come from kustomize fn run --mounts, + // or from the declarative function mounts field. + storageMounts := spec.Container.StorageMounts + storageMounts = append(storageMounts, r.StorageMounts...) + + c := container.NewContainer( + runtimeutil.ContainerSpec{ + Image: spec.Container.Image, + Network: spec.Container.Network, + StorageMounts: storageMounts, + Env: spec.Container.Env, + }, + uidgid, + ) + cf := &c + cf.Exec.FunctionConfig = api + cf.Exec.GlobalScope = r.GlobalScope + cf.Exec.ResultsFile = resultsFile + cf.Exec.DeferFailure = spec.DeferFailure + return cf, nil + } + + if r.EnableExec && spec.Exec.Path != "" { + ef := &exec.Filter{ + Path: spec.Exec.Path, + WorkingDir: r.WorkingDir, + } + + ef.FunctionConfig = api + ef.GlobalScope = r.GlobalScope + ef.ResultsFile = resultsFile + ef.DeferFailure = spec.DeferFailure + return ef, nil + } + + return nil, nil +} diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/sets/string.go b/vendor/sigs.k8s.io/kustomize/kyaml/sets/string.go new file mode 100644 index 0000000000..d590e53288 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/kyaml/sets/string.go @@ -0,0 +1,64 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package sets + +type String map[string]interface{} + +func (s String) Len() int { + return len(s) +} + +func (s String) List() []string { + val := make([]string, 0, len(s)) + for k := range s { + val = append(val, k) + } + return val +} + +func (s String) Has(val string) bool { + _, found := s[val] + return found +} + +func (s String) Insert(vals ...string) { + for _, val := range vals { + s[val] = nil + } +} + +func (s String) Difference(s2 String) String { + s3 := String{} + for k := range s { + if _, found := s2[k]; !found { + s3.Insert(k) + } + } + return s3 +} + +func (s String) SymmetricDifference(s2 String) String { + s3 := String{} + for k := range s { + if _, found := s2[k]; !found { + s3.Insert(k) + } + } + for k := range s2 { + if _, found := s[k]; !found { + s3.Insert(k) + } + } + return s3 +} + +func (s String) Intersection(s2 String) String { + s3 := String{} + for k := range s { + if _, found := s2[k]; found { + s3.Insert(k) + } + } + return s3 +} diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/sets/stringlist.go b/vendor/sigs.k8s.io/kustomize/kyaml/sets/stringlist.go new file mode 100644 index 0000000000..2d75978fcf --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/kyaml/sets/stringlist.go @@ -0,0 +1,44 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package sets + +// StringList is a set, where each element of +// the set is a string slice. +type StringList [][]string + +func (s StringList) Len() int { + return len(s) +} + +func (s StringList) Insert(val []string) StringList { + if !s.Has(val) { + return append(s, val) + } + return s +} + +func (s StringList) Has(val []string) bool { + if len(s) == 0 { + return false + } + + for i := range s { + if isStringSliceEqual(s[i], val) { + return true + } + } + return false +} + +func isStringSliceEqual(s []string, t []string) bool { + if len(s) != len(t) { + return false + } + for i := range s { + if s[i] != t[i] { + return false + } + } + return true +} diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/sliceutil/slice.go b/vendor/sigs.k8s.io/kustomize/kyaml/sliceutil/slice.go new file mode 100644 index 0000000000..23e3ad7c21 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/kyaml/sliceutil/slice.go @@ -0,0 +1,25 @@ +// Copyright 2021 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package sliceutil + +// Contains return true if string e is present in slice s +func Contains(s []string, e string) bool { + for _, a := range s { + if a == e { + return true + } + } + return false +} + +// Remove removes the first occurrence of r in slice s +// and returns remaining slice +func Remove(s []string, r string) []string { + for i, v := range s { + if v == r { + return append(s[:i], s[i+1:]...) + } + } + return s +} diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/utils/pathsplitter.go b/vendor/sigs.k8s.io/kustomize/kyaml/utils/pathsplitter.go new file mode 100644 index 0000000000..6ce1f899d5 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/kyaml/utils/pathsplitter.go @@ -0,0 +1,71 @@ +// Copyright 2021 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package utils + +import "strings" + +// TODO: Move these to kyaml + +// PathSplitter splits a delimited string, permitting escaped delimiters. +func PathSplitter(path string, delimiter string) []string { + ps := strings.Split(path, delimiter) + var res []string + + // allow path to start with forward slash + // i.e. /a/b/c + if len(ps) > 1 && ps[0] == "" { + ps = ps[1:] + } + + res = append(res, ps[0]) + for i := 1; i < len(ps); i++ { + last := len(res) - 1 + if strings.HasSuffix(res[last], `\`) { + res[last] = strings.TrimSuffix(res[last], `\`) + delimiter + ps[i] + } else { + res = append(res, ps[i]) + } + } + return res +} + +// SmarterPathSplitter splits a path, retaining bracketed elements. +// If the element is a list entry identifier (defined by the '='), +// it will retain the brackets. +// E.g. "[name=com.foo.someapp]" survives as one thing after splitting +// "spec.template.spec.containers.[name=com.foo.someapp].image" +// See kyaml/yaml/match.go for use of list entry identifiers. +// If the element is a mapping entry identifier, it will remove the +// brackets. +// E.g. "a.b.c" survives as one thing after splitting +// "metadata.annotations.[a.b.c] +// This function uses `PathSplitter`, so it also respects escaped delimiters. +func SmarterPathSplitter(path string, delimiter string) []string { + var result []string + split := PathSplitter(path, delimiter) + + for i := 0; i < len(split); i++ { + elem := split[i] + if strings.HasPrefix(elem, "[") && !strings.HasSuffix(elem, "]") { + // continue until we find the matching "]" + bracketed := []string{elem} + for i < len(split)-1 { + i++ + bracketed = append(bracketed, split[i]) + if strings.HasSuffix(split[i], "]") { + break + } + } + bracketedStr := strings.Join(bracketed, delimiter) + if strings.Contains(bracketedStr, "=") { + result = append(result, bracketedStr) + } else { + result = append(result, strings.Trim(bracketedStr, "[]")) + } + } else { + result = append(result, elem) + } + } + return result +} diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/yaml/alias.go b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/alias.go new file mode 100644 index 0000000000..5908cd7bd2 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/alias.go @@ -0,0 +1,109 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package yaml + +import ( + "bytes" + "io" + + yaml "sigs.k8s.io/yaml/goyaml.v3" +) + +const ( + WideSequenceStyle SequenceIndentStyle = "wide" + CompactSequenceStyle SequenceIndentStyle = "compact" + DefaultIndent = 2 + // BareSeqNodeWrappingKey kyaml uses reader annotations to track resources, it is not possible to + // add them to bare sequence nodes, this key is used to wrap such bare + // sequence nodes into map node, byteio_writer unwraps it while writing back + BareSeqNodeWrappingKey = "bareSeqNodeWrappingKey" +) + +// SequenceIndentStyle holds the indentation style for sequence nodes +type SequenceIndentStyle string + +// EncoderOptions are options that can be used to configure the encoder, +// do not expose new options without considerable justification +type EncoderOptions struct { + // SeqIndent is the indentation style for YAML Sequence nodes + SeqIndent SequenceIndentStyle +} + +// Expose the yaml.v3 functions so this package can be used as a replacement + +type Decoder = yaml.Decoder +type Encoder = yaml.Encoder +type IsZeroer = yaml.IsZeroer +type Kind = yaml.Kind +type Marshaler = yaml.Marshaler +type Node = yaml.Node +type Style = yaml.Style +type TypeError = yaml.TypeError +type Unmarshaler = yaml.Unmarshaler + +var Marshal = func(in interface{}) ([]byte, error) { + var buf bytes.Buffer + err := NewEncoder(&buf).Encode(in) + if err != nil { + return nil, err + } + return buf.Bytes(), nil +} +var Unmarshal = yaml.Unmarshal +var NewDecoder = yaml.NewDecoder +var NewEncoder = func(w io.Writer) *yaml.Encoder { + e := yaml.NewEncoder(w) + e.SetIndent(DefaultIndent) + e.CompactSeqIndent() + return e +} + +// MarshalWithOptions marshals the input interface with provided options +func MarshalWithOptions(in interface{}, opts *EncoderOptions) ([]byte, error) { + var buf bytes.Buffer + err := NewEncoderWithOptions(&buf, opts).Encode(in) + if err != nil { + return nil, err + } + return buf.Bytes(), nil +} + +// NewEncoderWithOptions returns the encoder with provided options +func NewEncoderWithOptions(w io.Writer, opts *EncoderOptions) *yaml.Encoder { + encoder := NewEncoder(w) + encoder.SetIndent(DefaultIndent) + if opts.SeqIndent == WideSequenceStyle { + encoder.DefaultSeqIndent() + } else { + encoder.CompactSeqIndent() + } + return encoder +} + +var AliasNode yaml.Kind = yaml.AliasNode +var DocumentNode yaml.Kind = yaml.DocumentNode +var MappingNode yaml.Kind = yaml.MappingNode +var ScalarNode yaml.Kind = yaml.ScalarNode +var SequenceNode yaml.Kind = yaml.SequenceNode + +func nodeKindString(k yaml.Kind) string { + return map[yaml.Kind]string{ + yaml.SequenceNode: "SequenceNode", + yaml.MappingNode: "MappingNode", + yaml.ScalarNode: "ScalarNode", + yaml.DocumentNode: "DocumentNode", + yaml.AliasNode: "AliasNode", + }[k] +} + +var DoubleQuotedStyle yaml.Style = yaml.DoubleQuotedStyle +var FlowStyle yaml.Style = yaml.FlowStyle +var FoldedStyle yaml.Style = yaml.FoldedStyle +var LiteralStyle yaml.Style = yaml.LiteralStyle +var SingleQuotedStyle yaml.Style = yaml.SingleQuotedStyle +var TaggedStyle yaml.Style = yaml.TaggedStyle + +const ( + MergeTag = "!!merge" +) diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/yaml/compatibility.go b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/compatibility.go new file mode 100644 index 0000000000..55709322a1 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/compatibility.go @@ -0,0 +1,100 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package yaml + +import ( + "reflect" + "strings" + + "k8s.io/kube-openapi/pkg/validation/spec" + y1_1 "sigs.k8s.io/yaml/goyaml.v2" + y1_2 "sigs.k8s.io/yaml/goyaml.v3" +) + +// typeToTag maps OpenAPI schema types to yaml 1.2 tags +var typeToTag = map[string]string{ + "string": NodeTagString, + "integer": NodeTagInt, + "boolean": NodeTagBool, + "number": NodeTagFloat, +} + +// FormatNonStringStyle makes sure that values which parse as non-string values in yaml 1.1 +// are correctly formatted given the Schema type. +func FormatNonStringStyle(node *Node, schema spec.Schema) { + if len(schema.Type) != 1 { + return + } + t := schema.Type[0] + + if !IsYaml1_1NonString(node) { + return + } + switch { + case t == "string" && schema.Format != "int-or-string": + if (node.Style&DoubleQuotedStyle == 0) && (node.Style&SingleQuotedStyle == 0) { + // must quote values so they are parsed as strings + node.Style = DoubleQuotedStyle + } + case t == "boolean" || t == "integer" || t == "number": + if (node.Style&DoubleQuotedStyle != 0) || (node.Style&SingleQuotedStyle != 0) { + // must NOT quote the values so they aren't parsed as strings + node.Style = 0 + } + default: + return + } + + // if the node tag is null, make sure we don't add any non-null tags + // https://github.com/kptdev/kpt/issues/2321 + if node.Tag == NodeTagNull { + // must NOT quote null values + node.Style = 0 + return + } + if tag, found := typeToTag[t]; found { + // make sure the right tag is set + node.Tag = tag + } +} + +// IsYaml1_1NonString returns true if the value parses as a non-string value in yaml 1.1 +// when unquoted. +// +// Note: yaml 1.2 uses different keywords than yaml 1.1. Example: yaml 1.2 interprets +// `field: on` and `field: "on"` as equivalent (both strings). However Yaml 1.1 interprets +// `field: on` as on being a bool and `field: "on"` as on being a string. +// If an input is read with `field: "on"`, and the style is changed from DoubleQuote to 0, +// it will change the type of the field from a string to a bool. For this reason, fields +// which are keywords in yaml 1.1 should never have their style changed, as it would break +// backwards compatibility with yaml 1.1 -- which is what is used by the Kubernetes apiserver. +func IsYaml1_1NonString(node *Node) bool { + if node.Kind != y1_2.ScalarNode { + // not a keyword + return false + } + return IsValueNonString(node.Value) +} + +func IsValueNonString(value string) bool { + if value == "" { + return false + } + if strings.Contains(value, "\n") { + // multi-line strings will fail to unmarshal + return false + } + // check if the value will unmarshal into a non-string value using a yaml 1.1 parser + var i1 interface{} + if err := y1_1.Unmarshal([]byte(value), &i1); err != nil { + return false + } + if reflect.TypeOf(i1) != stringType { + return true + } + + return false +} + +var stringType = reflect.TypeOf("string") diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/yaml/const.go b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/const.go new file mode 100644 index 0000000000..6a2cc45166 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/const.go @@ -0,0 +1,30 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package yaml + +const ( + // NodeTagNull is the tag set for a yaml.Document that contains no data; + // e.g. it isn't a Map, Slice, Document, etc + NodeTagNull = "!!null" + NodeTagFloat = "!!float" + NodeTagString = "!!str" + NodeTagBool = "!!bool" + NodeTagInt = "!!int" + NodeTagMap = "!!map" + NodeTagSeq = "!!seq" + NodeTagEmpty = "" +) + +// Field names +const ( + AnnotationsField = "annotations" + APIVersionField = "apiVersion" + KindField = "kind" + MetadataField = "metadata" + DataField = "data" + BinaryDataField = "binaryData" + NameField = "name" + NamespaceField = "namespace" + LabelsField = "labels" +) diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/yaml/datamap.go b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/datamap.go new file mode 100644 index 0000000000..f4b7e6664e --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/datamap.go @@ -0,0 +1,121 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package yaml + +import ( + "encoding/base64" + "sort" + "strings" + "unicode/utf8" +) + +// SortedMapKeys returns a sorted slice of keys to the given map. +// Writing this function never gets old. +func SortedMapKeys(m map[string]string) []string { + keys := make([]string, len(m)) + i := 0 + for k := range m { + keys[i] = k + i++ + } + sort.Strings(keys) + return keys +} + +func (rn *RNode) LoadMapIntoConfigMapData(m map[string]string) error { + for _, k := range SortedMapKeys(m) { + fldName, vrN := makeConfigMapValueRNode(m[k]) + if _, err := rn.Pipe( + LookupCreate(MappingNode, fldName), + SetField(k, vrN)); err != nil { + return err + } + } + return nil +} + +func (rn *RNode) LoadMapIntoConfigMapBinaryData(m map[string]string) error { + for _, k := range SortedMapKeys(m) { + _, vrN := makeConfigMapValueRNode(m[k]) + // we know this is binary data + fldName := BinaryDataField + if _, err := rn.Pipe( + LookupCreate(MappingNode, fldName), + SetField(k, vrN)); err != nil { + return err + } + } + return nil +} + +func makeConfigMapValueRNode(s string) (field string, rN *RNode) { + yN := &Node{Kind: ScalarNode} + yN.Tag = NodeTagString + if utf8.ValidString(s) { + field = DataField + yN.Value = s + } else { + field = BinaryDataField + yN.Value = encodeBase64(s) + } + if strings.Contains(yN.Value, "\n") { + yN.Style = LiteralStyle + } + return field, NewRNode(yN) +} + +func (rn *RNode) LoadMapIntoSecretData(m map[string]string) error { + mapNode, err := rn.Pipe(LookupCreate(MappingNode, DataField)) + if err != nil { + return err + } + for _, k := range SortedMapKeys(m) { + vrN := makeSecretValueRNode(m[k]) + if _, err := mapNode.Pipe(SetField(k, vrN)); err != nil { + return err + } + } + return nil +} + +// In a secret, all data is base64 encoded, regardless of its conformance +// or lack thereof to UTF-8. +func makeSecretValueRNode(s string) *RNode { + yN := &Node{Kind: ScalarNode} + // Purposely don't use YAML tags to identify the data as being plain text or + // binary. It kubernetes Secrets the values in the `data` map are expected + // to be base64 encoded, and in ConfigMaps that same can be said for the + // values in the `binaryData` field. + yN.Tag = NodeTagString + yN.Value = encodeBase64(s) + if strings.Contains(yN.Value, "\n") { + yN.Style = LiteralStyle + } + return NewRNode(yN) +} + +// encodeBase64 encodes s as base64 that is broken up into multiple lines +// as appropriate for the resulting length. +func encodeBase64(s string) string { + const lineLen = 70 + encLen := base64.StdEncoding.EncodedLen(len(s)) + lines := encLen/lineLen + 1 + buf := make([]byte, encLen*2+lines) + in := buf[0:encLen] + out := buf[encLen:] + base64.StdEncoding.Encode(in, []byte(s)) + k := 0 + for i := 0; i < len(in); i += lineLen { + j := i + lineLen + if j > len(in) { + j = len(in) + } + k += copy(out[k:], in[i:j]) + if lines > 1 { + out[k] = '\n' + k++ + } + } + return string(out[:k]) +} diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/yaml/doc.go b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/doc.go new file mode 100644 index 0000000000..b58811cf8b --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/doc.go @@ -0,0 +1,49 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +// Package yaml contains libraries for manipulating individual Kubernetes Resource +// Configuration as yaml, keeping yaml structure and comments. +// +// Parsing Resources +// +// Typically Resources will be initialized as collections through the kio package libraries. +// However it is possible to directly initialize Resources using Parse. +// resource, err := yaml.Parse("apiVersion: apps/v1\nkind: Deployment") +// +// Processing Resources +// +// Individual Resources are manipulated using the Pipe and PipeE to apply Filter functions +// to transform the Resource data. +// err := resource.PipeE(yaml.SetAnnotation("key", "value")) +// +// If multiple Filter functions are provided to Pipe or PipeE, each function is applied to +// the result of the last function -- e.g. yaml.Lookup(...), yaml.SetField(...) +// +// Field values may also be retrieved using Pipe. +// annotationValue, err := resource.Pipe(yaml.GetAnnotation("key")) +// +// See http://www.linfo.org/filters.html for a definition of filters. +// +// Common Filters +// +// There are a number of standard filter functions provided by the yaml package. +// +// Working with annotations: +// [AnnotationSetter{}, AnnotationGetter{}, AnnotationClearer{}] +// +// Working with fields by path: +// [PathMatcher{}, PathGetter{}] +// +// Working with individual fields on Maps and Objects: +// [FieldMatcher{}, FieldSetter{}, FieldGetter{}] +// +// Working with individual elements in Sequences: +// [ElementAppender{}, ElementSetter{}, ElementMatcher{}] +// +// Writing Filters +// +// Users may implement their own filter functions. When doing so, can be necessary to work with +// the RNode directly rather than through Pipe. RNode provides a number of functions for doing +// so. See: +// [GetMeta(), Fields(), Elements(), String()] +package yaml diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/yaml/filters.go b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/filters.go new file mode 100644 index 0000000000..e7d4b5f7b8 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/filters.go @@ -0,0 +1,146 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package yaml + +import ( + "fmt" + "regexp" + "sort" + "strings" +) + +// Filters is the list of serializable Pipeline Filters +var Filters = map[string]func() Filter{ + "AnnotationClearer": func() Filter { return &AnnotationClearer{} }, + "AnnotationGetter": func() Filter { return &AnnotationGetter{} }, + "AnnotationSetter": func() Filter { return &AnnotationSetter{} }, + "LabelSetter": func() Filter { return &LabelSetter{} }, + "ElementAppender": func() Filter { return &ElementAppender{} }, + "ElementMatcher": func() Filter { return &ElementMatcher{} }, + "FieldClearer": func() Filter { return &FieldClearer{} }, + "FilterMatcher": func() Filter { return &FilterMatcher{} }, + "FieldMatcher": func() Filter { return &FieldMatcher{} }, + "FieldSetter": func() Filter { return &FieldSetter{} }, + "PathGetter": func() Filter { return &PathGetter{} }, + "PathMatcher": func() Filter { return &PathMatcher{} }, + "Parser": func() Filter { return &Parser{} }, + "PrefixSetter": func() Filter { return &PrefixSetter{} }, + "ValueReplacer": func() Filter { return &ValueReplacer{} }, + "SuffixSetter": func() Filter { return &SuffixSetter{} }, + "TeePiper": func() Filter { return &TeePiper{} }, +} + +// YFilter wraps the Filter interface so the filter can be represented as +// data and can be unmarshalled into a struct from a yaml config file. +// This allows Pipelines to be expressed as data rather than code. +type YFilter struct { + Filter +} + +func (y YFilter) MarshalYAML() (interface{}, error) { + return y.Filter, nil +} + +func (y *YFilter) UnmarshalYAML(unmarshal func(interface{}) error) error { + meta := &ResourceMeta{} + if err := unmarshal(meta); err != nil { + return err + } + filter, found := Filters[meta.Kind] + if !found { + var knownFilters []string + for k := range Filters { + knownFilters = append(knownFilters, k) + } + sort.Strings(knownFilters) + return fmt.Errorf("unsupported Filter Kind %s: may be one of: [%s]", + meta.Kind, strings.Join(knownFilters, ",")) + } + y.Filter = filter() + + if err := unmarshal(y.Filter); err != nil { + return err + } + return nil +} + +type YFilters []YFilter + +func (y YFilters) Filters() []Filter { + f := make([]Filter, 0, len(y)) + for i := range y { + f = append(f, y[i].Filter) + } + return f +} + +type FilterMatcher struct { + Kind string `yaml:"kind"` + + // Filters are the set of Filters run by TeePiper. + Filters YFilters `yaml:"pipeline,omitempty"` +} + +func (t FilterMatcher) Filter(rn *RNode) (*RNode, error) { + v, err := rn.Pipe(t.Filters.Filters()...) + if v == nil || err != nil { + return nil, err + } + // return the original input if the pipeline resolves to true + return rn, err +} + +type ValueReplacer struct { + Kind string `yaml:"kind"` + + StringMatch string `yaml:"stringMatch"` + RegexMatch string `yaml:"regexMatch"` + Replace string `yaml:"replace"` + Count int `yaml:"count"` +} + +func (s ValueReplacer) Filter(object *RNode) (*RNode, error) { + if s.Count == 0 { + s.Count = -1 + } + switch { + case s.StringMatch != "": + object.value.Value = strings.Replace(object.value.Value, s.StringMatch, s.Replace, s.Count) + case s.RegexMatch != "": + r, err := regexp.Compile(s.RegexMatch) + if err != nil { + return nil, fmt.Errorf("ValueReplacer RegexMatch does not compile: %v", err) + } + object.value.Value = r.ReplaceAllString(object.value.Value, s.Replace) + default: + return nil, fmt.Errorf("ValueReplacer missing StringMatch and RegexMatch") + } + return object, nil +} + +type PrefixSetter struct { + Kind string `yaml:"kind"` + + Value string `yaml:"value"` +} + +func (s PrefixSetter) Filter(object *RNode) (*RNode, error) { + if !strings.HasPrefix(object.value.Value, s.Value) { + object.value.Value = s.Value + object.value.Value + } + return object, nil +} + +type SuffixSetter struct { + Kind string `yaml:"kind"` + + Value string `yaml:"value"` +} + +func (s SuffixSetter) Filter(object *RNode) (*RNode, error) { + if !strings.HasSuffix(object.value.Value, s.Value) { + object.value.Value += s.Value + } + return object, nil +} diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/yaml/fns.go b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/fns.go new file mode 100644 index 0000000000..e0802a897f --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/fns.go @@ -0,0 +1,889 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package yaml + +import ( + "fmt" + "regexp" + "strconv" + "strings" + + "github.com/davecgh/go-spew/spew" + "sigs.k8s.io/kustomize/kyaml/errors" + yaml "sigs.k8s.io/yaml/goyaml.v3" +) + +// Append creates an ElementAppender +func Append(elements ...*yaml.Node) ElementAppender { + return ElementAppender{Elements: elements} +} + +// ElementAppender adds all element to a SequenceNode's Content. +// Returns Elements[0] if len(Elements) == 1, otherwise returns nil. +type ElementAppender struct { + Kind string `yaml:"kind,omitempty"` + + // Elem is the value to append. + Elements []*yaml.Node `yaml:"elements,omitempty"` +} + +func (a ElementAppender) Filter(rn *RNode) (*RNode, error) { + if err := ErrorIfInvalid(rn, yaml.SequenceNode); err != nil { + return nil, err + } + for i := range a.Elements { + rn.YNode().Content = append(rn.Content(), a.Elements[i]) + } + if len(a.Elements) == 1 { + return NewRNode(a.Elements[0]), nil + } + return nil, nil +} + +// ElementSetter sets the value for an Element in an associative list. +// ElementSetter will append, replace or delete an element in an associative list. +// To append, user a key-value pair that doesn't exist in the sequence. this +// behavior is intended to handle the case that not matching element found. It's +// not designed for this purpose. To append an element, please use ElementAppender. +// To replace, set the key-value pair and a non-nil Element. +// To delete, set the key-value pair and leave the Element as nil. +// Every key must have a corresponding value. +type ElementSetter struct { + Kind string `yaml:"kind,omitempty"` + + // Element is the new value to set -- remove the existing element if nil + Element *Node + + // Key is a list of fields on the elements. It is used to find matching elements to + // update / delete + Keys []string + + // Value is a list of field values on the elements corresponding to the keys. It is + // used to find matching elements to update / delete. + Values []string +} + +// isMappingNode returns whether node is a mapping node +func (e ElementSetter) isMappingNode(node *RNode) bool { + return ErrorIfInvalid(node, yaml.MappingNode) == nil +} + +// isMappingSetter returns is this setter intended to set a mapping node +func (e ElementSetter) isMappingSetter() bool { + return len(e.Keys) > 0 && e.Keys[0] != "" && + len(e.Values) > 0 && e.Values[0] != "" +} + +func (e ElementSetter) Filter(rn *RNode) (*RNode, error) { + if len(e.Keys) == 0 { + e.Keys = append(e.Keys, "") + } + + if err := ErrorIfInvalid(rn, SequenceNode); err != nil { + return nil, err + } + + // build the new Content slice + var newContent []*yaml.Node + matchingElementFound := false + for i := range rn.YNode().Content { + elem := rn.Content()[i] + newNode := NewRNode(elem) + + // empty elements are not valid -- they at least need an associative key + if IsMissingOrNull(newNode) || IsEmptyMap(newNode) { + continue + } + // keep non-mapping node in the Content when we want to match a mapping. + if !e.isMappingNode(newNode) && e.isMappingSetter() { + newContent = append(newContent, elem) + continue + } + + // check if this is the element we are matching + var val *RNode + var err error + found := true + for j := range e.Keys { + if j < len(e.Values) { + val, err = newNode.Pipe(FieldMatcher{Name: e.Keys[j], StringValue: e.Values[j]}) + } + if err != nil { + return nil, err + } + if val == nil { + found = false + break + } + } + if !found { + // not the element we are looking for, keep it in the Content + if len(e.Values) > 0 { + newContent = append(newContent, elem) + } + continue + } + matchingElementFound = true + + // deletion operation -- remove the element from the new Content + if e.Element == nil { + continue + } + // replace operation -- replace the element in the Content + newContent = append(newContent, e.Element) + } + rn.YNode().Content = newContent + + // deletion operation -- return nil + if IsMissingOrNull(NewRNode(e.Element)) { + return nil, nil + } + + // append operation -- add the element to the Content + if !matchingElementFound { + rn.YNode().Content = append(rn.YNode().Content, e.Element) + } + + return NewRNode(e.Element), nil +} + +// GetElementByIndex will return a Filter which can be applied to a sequence +// node to get the element specified by the index +func GetElementByIndex(index int) ElementIndexer { + return ElementIndexer{Index: index} +} + +// ElementIndexer picks the element with a specified index. Index starts from +// 0 to len(list) - 1. a hyphen ("-") means the last index. +type ElementIndexer struct { + Index int +} + +// Filter implements Filter +func (i ElementIndexer) Filter(rn *RNode) (*RNode, error) { + // rn.Elements will return error if rn is not a sequence node. + elems, err := rn.Elements() + if err != nil { + return nil, err + } + if i.Index < 0 { + return elems[len(elems)-1], nil + } + if i.Index >= len(elems) { + return nil, nil + } + return elems[i.Index], nil +} + +// Clear returns a FieldClearer +func Clear(name string) FieldClearer { + return FieldClearer{Name: name} +} + +// FieldClearer removes the field or map key. +// Returns a RNode with the removed field or map entry. +type FieldClearer struct { + Kind string `yaml:"kind,omitempty"` + + // Name is the name of the field or key in the map. + Name string `yaml:"name,omitempty"` + + IfEmpty bool `yaml:"ifEmpty,omitempty"` +} + +func (c FieldClearer) Filter(rn *RNode) (*RNode, error) { + if err := ErrorIfInvalid(rn, yaml.MappingNode); err != nil { + return nil, err + } + + var removed *RNode + visitFieldsWhileTrue(rn.Content(), func(key, value *yaml.Node, keyIndex int) bool { + if key.Value != c.Name { + return true + } + + // the name matches: remove these 2 elements from the list because + // they are treated as a fieldName/fieldValue pair. + if c.IfEmpty { + if len(value.Content) > 0 { + return true + } + } + + // save the item we are about to remove + removed = NewRNode(value) + if len(rn.YNode().Content) > keyIndex+2 { + l := len(rn.YNode().Content) + // remove from the middle of the list + rn.YNode().Content = rn.Content()[:keyIndex] + rn.YNode().Content = append( + rn.YNode().Content, + rn.Content()[keyIndex+2:l]...) + } else { + // remove from the end of the list + rn.YNode().Content = rn.Content()[:keyIndex] + } + return false + }) + + return removed, nil +} + +func MatchElement(field, value string) ElementMatcher { + return ElementMatcher{Keys: []string{field}, Values: []string{value}} +} + +func MatchElementList(keys []string, values []string) ElementMatcher { + return ElementMatcher{Keys: keys, Values: values} +} + +func GetElementByKey(key string) ElementMatcher { + return ElementMatcher{Keys: []string{key}, MatchAnyValue: true} +} + +// ElementMatcher returns the first element from a Sequence matching the +// specified key-value pairs. If there's no match, and no configuration error, +// the matcher returns nil, nil. +type ElementMatcher struct { + Kind string `yaml:"kind,omitempty"` + + // Keys are the list of fields upon which to match this element. + Keys []string + + // Values are the list of values upon which to match this element. + Values []string + + // Create will create the Element if it is not found + Create *RNode `yaml:"create,omitempty"` + + // MatchAnyValue indicates that matcher should only consider the key and ignore + // the actual value in the list. Values must be empty when MatchAnyValue is + // set to true. + MatchAnyValue bool `yaml:"noValue,omitempty"` +} + +func (e ElementMatcher) Filter(rn *RNode) (*RNode, error) { + if len(e.Keys) == 0 { + e.Keys = append(e.Keys, "") + } + if len(e.Values) == 0 { + e.Values = append(e.Values, "") + } + + if err := ErrorIfInvalid(rn, yaml.SequenceNode); err != nil { + return nil, err + } + if e.MatchAnyValue && len(e.Values) != 0 && e.Values[0] != "" { + return nil, fmt.Errorf("Values must be empty when MatchAnyValue is set to true") + } + + // SequenceNode Content is a slice of ScalarNodes. Each ScalarNode has a + // YNode containing the primitive data. + if len(e.Keys) == 0 || len(e.Keys[0]) == 0 { + for i := range rn.Content() { + if rn.Content()[i].Value == e.Values[0] { + return &RNode{value: rn.Content()[i]}, nil + } + } + if e.Create != nil { + return rn.Pipe(Append(e.Create.YNode())) + } + return nil, nil + } + + // SequenceNode Content is a slice of MappingNodes. Each MappingNode has Content + // with a slice of key-value pairs containing the fields. + for i := range rn.Content() { + // cast the entry to a RNode so we can operate on it + elem := NewRNode(rn.Content()[i]) + var field *RNode + var err error + + // only check mapping node + if err = ErrorIfInvalid(elem, yaml.MappingNode); err != nil { + continue + } + + if !e.MatchAnyValue && len(e.Keys) != len(e.Values) { + return nil, fmt.Errorf("length of keys must equal length of values when MatchAnyValue is false") + } + + matchesElement := true + for i := range e.Keys { + if e.MatchAnyValue { + field, err = elem.Pipe(Get(e.Keys[i])) + } else { + field, err = elem.Pipe(MatchField(e.Keys[i], e.Values[i])) + } + if !IsFoundOrError(field, err) { + // this is not the element we are looking for + matchesElement = false + break + } + } + if matchesElement { + return elem, err + } + } + + // create the element + if e.Create != nil { + return rn.Pipe(Append(e.Create.YNode())) + } + + return nil, nil +} + +func Get(name string) FieldMatcher { + return FieldMatcher{Name: name} +} + +func MatchField(name, value string) FieldMatcher { + return FieldMatcher{Name: name, Value: NewScalarRNode(value)} +} + +func Match(value string) FieldMatcher { + return FieldMatcher{Value: NewScalarRNode(value)} +} + +// FieldMatcher returns the value of a named field or map entry. +type FieldMatcher struct { + Kind string `yaml:"kind,omitempty"` + + // Name of the field to return + Name string `yaml:"name,omitempty"` + + // YNode of the field to return. + // Optional. Will only need to match field name if unset. + Value *RNode `yaml:"value,omitempty"` + + StringValue string `yaml:"stringValue,omitempty"` + + StringRegexValue string `yaml:"stringRegexValue,omitempty"` + + // Create will cause the field to be created with this value + // if it is set. + Create *RNode `yaml:"create,omitempty"` +} + +func (f FieldMatcher) Filter(rn *RNode) (*RNode, error) { + if f.StringValue != "" && f.Value == nil { + f.Value = NewScalarRNode(f.StringValue) + } + + // never match nil or null fields + if IsMissingOrNull(rn) { + return nil, nil + } + + if f.Name == "" { + if err := ErrorIfInvalid(rn, yaml.ScalarNode); err != nil { + return nil, err + } + switch { + case f.StringRegexValue != "": + // TODO(pwittrock): pre-compile this when unmarshalling and cache to a field + rg, err := regexp.Compile(f.StringRegexValue) + if err != nil { + return nil, err + } + if match := rg.MatchString(rn.value.Value); match { + return rn, nil + } + return nil, nil + case GetValue(rn) == GetValue(f.Value): + return rn, nil + default: + return nil, nil + } + } + + if err := ErrorIfInvalid(rn, yaml.MappingNode); err != nil { + return nil, err + } + + var returnNode *RNode + requireMatchFieldValue := f.Value != nil + visitMappingNodeFields(rn.Content(), func(key, value *yaml.Node) { + if !requireMatchFieldValue || value.Value == f.Value.YNode().Value { + returnNode = NewRNode(value) + } + }, f.Name) + if returnNode != nil { + return returnNode, nil + } + + if f.Create != nil { + return rn.Pipe(SetField(f.Name, f.Create)) + } + + return nil, nil +} + +// Lookup returns a PathGetter to lookup a field by its path. +func Lookup(path ...string) PathGetter { + return PathGetter{Path: path} +} + +// LookupCreate returns a PathGetter to lookup a field by its path and create it if it doesn't already +// exist. +func LookupCreate(kind yaml.Kind, path ...string) PathGetter { + return PathGetter{Path: path, Create: kind} +} + +// ConventionalContainerPaths is a list of paths at which containers typically appear in workload APIs. +// It is intended for use with LookupFirstMatch. +var ConventionalContainerPaths = [][]string{ + // e.g. Deployment, ReplicaSet, DaemonSet, Job, StatefulSet + {"spec", "template", "spec", "containers"}, + // e.g. CronJob + {"spec", "jobTemplate", "spec", "template", "spec", "containers"}, + // e.g. Pod + {"spec", "containers"}, + // e.g. PodTemplate + {"template", "spec", "containers"}, +} + +// LookupFirstMatch returns a Filter for locating a value that may exist at one of several possible paths. +// For example, it can be used with ConventionalContainerPaths to find the containers field in a standard workload resource. +// If more than one of the paths exists in the resource, the first will be returned. If none exist, +// nil will be returned. If an error is encountered during lookup, it will be returned. +func LookupFirstMatch(paths [][]string) Filter { + return FilterFunc(func(object *RNode) (*RNode, error) { + var result *RNode + var err error + for _, path := range paths { + result, err = object.Pipe(PathGetter{Path: path}) + if err != nil { + return nil, errors.Wrap(err) + } + if result != nil { + return result, nil + } + } + return nil, nil + }) +} + +// PathGetter returns the RNode under Path. +type PathGetter struct { + Kind string `yaml:"kind,omitempty"` + + // Path is a slice of parts leading to the RNode to lookup. + // Each path part may be one of: + // * FieldMatcher -- e.g. "spec" + // * Map Key -- e.g. "app.k8s.io/version" + // * List Entry -- e.g. "[name=nginx]" or "[=-jar]" or "0" or "-" + // + // Map Keys and Fields are equivalent. + // See FieldMatcher for more on Fields and Map Keys. + // + // List Entries can be specified as map entry to match [fieldName=fieldValue] + // or a positional index like 0 to get the element. - (unquoted hyphen) is + // special and means the last element. + // + // See Elem for more on List Entries. + // + // Examples: + // * spec.template.spec.container with matching name: [name=nginx] + // * spec.template.spec.container.argument matching a value: [=-jar] + Path []string `yaml:"path,omitempty"` + + // Create will cause missing path parts to be created as they are walked. + // + // * The leaf Node (final path) will be created with a Kind matching Create + // * Intermediary Nodes will be created as either a MappingNodes or + // SequenceNodes as appropriate for each's Path location. + // * If a list item is specified by a index (an offset or "-"), this item will + // not be created even Create is set. + Create yaml.Kind `yaml:"create,omitempty"` + + // Style is the style to apply to created value Nodes. + // Created key Nodes keep an unspecified Style. + Style yaml.Style `yaml:"style,omitempty"` +} + +func (l PathGetter) Filter(rn *RNode) (*RNode, error) { + var err error + fieldPath := append([]string{}, rn.FieldPath()...) + match := rn + + // iterate over path until encountering an error or missing value + l.Path = cleanPath(l.Path) + for i := range l.Path { + var part, nextPart string + part = l.Path[i] + if len(l.Path) > i+1 { + nextPart = l.Path[i+1] + } + var fltr Filter + fltr, err = l.getFilter(part, nextPart, &fieldPath) + if err != nil { + return nil, err + } + match, err = match.Pipe(fltr) + if IsMissingOrError(match, err) { + return nil, err + } + match.AppendToFieldPath(fieldPath...) + } + return match, nil +} + +func (l PathGetter) getFilter(part, nextPart string, fieldPath *[]string) (Filter, error) { + idx, err := strconv.Atoi(part) + switch { + case err == nil: + // part is a number + if idx < 0 { + return nil, fmt.Errorf("array index %d cannot be negative", idx) + } + return GetElementByIndex(idx), nil + case part == "-": + // part is a hyphen + return GetElementByIndex(-1), nil + case part == "*": + // PathGetter is not support for wildcard matching + return nil, errors.Errorf("wildcard is not supported in PathGetter") + case IsListIndex(part): + // part is surrounded by brackets + return l.elemFilter(part) + default: + // mapping node + *fieldPath = append(*fieldPath, part) + return l.fieldFilter(part, getPathPartKind(nextPart, l.Create)) + } +} + +func (l PathGetter) elemFilter(part string) (Filter, error) { + name, value, err := SplitIndexNameValue(part) + if err != nil { + return nil, errors.Wrap(err) + } + if !IsCreate(l.Create) { + return MatchElement(name, value), nil + } + + var elem *RNode + primitiveElement := len(name) == 0 + if primitiveElement { + // append a ScalarNode + elem = NewScalarRNode(value) + elem.YNode().Style = l.Style + } else { + // append a MappingNode + match := NewRNode(&yaml.Node{Kind: yaml.ScalarNode, Value: value, Style: l.Style}) + elem = NewRNode(&yaml.Node{ + Kind: yaml.MappingNode, + Content: []*yaml.Node{{Kind: yaml.ScalarNode, Value: name}, match.YNode()}, + Style: l.Style, + }) + } + // Append the Node + return ElementMatcher{Keys: []string{name}, Values: []string{value}, Create: elem}, nil +} + +func (l PathGetter) fieldFilter( + name string, kind yaml.Kind) (Filter, error) { + if !IsCreate(l.Create) { + return Get(name), nil + } + return FieldMatcher{Name: name, Create: &RNode{value: &yaml.Node{Kind: kind, Style: l.Style}}}, nil +} + +func getPathPartKind(nextPart string, defaultKind yaml.Kind) yaml.Kind { + if IsListIndex(nextPart) { + // if nextPart is of the form [a=b], then it is an index into a Sequence + // so the current part must be a SequenceNode + return yaml.SequenceNode + } + if IsIdxNumber(nextPart) { + return yaml.SequenceNode + } + if nextPart == "" { + // final name in the path, use the default kind provided + return defaultKind + } + + // non-sequence intermediate Node + return yaml.MappingNode +} + +func SetField(name string, value *RNode) FieldSetter { + return FieldSetter{Name: name, Value: value} +} + +func Set(value *RNode) FieldSetter { + return FieldSetter{Value: value} +} + +// MapEntrySetter sets a map entry to a value. If it finds a key with the same +// value, it will override both Key and Value RNodes, including style and any +// other metadata. If it doesn't find the key, it will insert a new map entry. +// It will set the field, even if it's empty or nil, unlike the FieldSetter. +// This is useful for rebuilding some pre-existing RNode structure. +type MapEntrySetter struct { + // Name is the name of the field or key to lookup in a MappingNode. + // If Name is unspecified, it will use the Key's Value + Name string `yaml:"name,omitempty"` + + // Value is the value to set. + Value *RNode `yaml:"value,omitempty"` + + // Key is the map key to set. + Key *RNode `yaml:"key,omitempty"` +} + +func (s MapEntrySetter) Filter(rn *RNode) (*RNode, error) { + if rn == nil { + return nil, errors.Errorf("Can't set map entry on a nil RNode") + } + if err := ErrorIfInvalid(rn, yaml.MappingNode); err != nil { + return nil, err + } + if s.Name == "" { + s.Name = GetValue(s.Key) + } + + content := rn.Content() + fieldStillNotFound := true + visitFieldsWhileTrue(content, func(key, value *yaml.Node, keyIndex int) bool { + if key.Value == s.Name { + content[keyIndex] = s.Key.YNode() + content[keyIndex+1] = s.Value.YNode() + fieldStillNotFound = false + } + return fieldStillNotFound + }) + if !fieldStillNotFound { + return rn, nil + } + + // create the field + rn.YNode().Content = append( + rn.YNode().Content, + s.Key.YNode(), + s.Value.YNode()) + return rn, nil +} + +// FieldSetter sets a field or map entry to a value. +type FieldSetter struct { + Kind string `yaml:"kind,omitempty"` + + // Name is the name of the field or key to lookup in a MappingNode. + // If Name is unspecified, and the input is a ScalarNode, FieldSetter will set the + // value on the ScalarNode. + Name string `yaml:"name,omitempty"` + + // Comments for the field + Comments Comments `yaml:"comments,omitempty"` + + // Value is the value to set. + // Optional if Kind is set. + Value *RNode `yaml:"value,omitempty"` + + StringValue string `yaml:"stringValue,omitempty"` + + // OverrideStyle can be set to override the style of the existing node + // when setting it. Otherwise, if an existing node is found, the style is + // retained. + OverrideStyle bool `yaml:"overrideStyle,omitempty"` + + // AppendKeyStyle defines the style of the key when no existing node is + // found, and a new node is appended. + AppendKeyStyle Style `yaml:"appendKeyStyle,omitempty"` +} + +func (s FieldSetter) Filter(rn *RNode) (*RNode, error) { + if s.StringValue != "" && s.Value == nil { + s.Value = NewScalarRNode(s.StringValue) + } + + // need to set style for strings not recognized by yaml 1.1 to quoted if not previously set + // TODO: fix in upstream yaml library so this can be handled with yaml SetString + if s.Value.IsStringValue() && !s.OverrideStyle && s.Value.YNode().Style == 0 && IsYaml1_1NonString(s.Value.YNode()) { + s.Value.YNode().Style = yaml.DoubleQuotedStyle + } + + if s.Name == "" { + if err := ErrorIfInvalid(rn, yaml.ScalarNode); err != nil { + return rn, err + } + if IsMissingOrNull(s.Value) { + return rn, nil + } + // only apply the style if there is not an existing style + // or we want to override it + if !s.OverrideStyle || s.Value.YNode().Style == 0 { + // keep the original style if it exists + s.Value.YNode().Style = rn.YNode().Style + } + rn.SetYNode(s.Value.YNode()) + return rn, nil + } + + // Clearing nil fields: + // 1. Clear any fields with no value + // 2. Clear any "null" YAML fields unless we explicitly want to keep them + // This is to balance + // 1. Persisting 'null' values passed by the user (see issue #4628) + // 2. Avoiding producing noisy documents that add any field defaulting to + // 'nil' even if they weren't present in the source document + if s.Value == nil || (s.Value.IsTaggedNull() && !s.Value.ShouldKeep) { + return rn.Pipe(Clear(s.Name)) + } + + field, err := rn.Pipe(FieldMatcher{Name: s.Name}) + if err != nil { + return nil, err + } + if field != nil { + // only apply the style if there is not an existing style + // or we want to override it + if !s.OverrideStyle || field.YNode().Style == 0 { + // keep the original style if it exists + s.Value.YNode().Style = field.YNode().Style + } + // need to def ref the Node since field is ephemeral + field.SetYNode(s.Value.YNode()) + return field, nil + } + + // create the field + rn.YNode().Content = append( + rn.YNode().Content, + &yaml.Node{ + Kind: yaml.ScalarNode, + Value: s.Name, + Style: s.AppendKeyStyle, + HeadComment: s.Comments.HeadComment, + LineComment: s.Comments.LineComment, + FootComment: s.Comments.FootComment, + }, + s.Value.YNode()) + return s.Value, nil +} + +// Tee calls the provided Filters, and returns its argument rather than the result +// of the filters. +// May be used to fork sub-filters from a call. +// e.g. locate field, set value; locate another field, set another value +func Tee(filters ...Filter) Filter { + return TeePiper{Filters: filters} +} + +// TeePiper Calls a slice of Filters and returns its input. +// May be used to fork sub-filters from a call. +// e.g. locate field, set value; locate another field, set another value +type TeePiper struct { + Kind string `yaml:"kind,omitempty"` + + // Filters are the set of Filters run by TeePiper. + Filters []Filter `yaml:"filters,omitempty"` +} + +func (t TeePiper) Filter(rn *RNode) (*RNode, error) { + _, err := rn.Pipe(t.Filters...) + return rn, err +} + +// IsCreate returns true if kind is specified +func IsCreate(kind yaml.Kind) bool { + return kind != 0 +} + +// IsMissingOrError returns true if rn is NOT found or err is non-nil +func IsMissingOrError(rn *RNode, err error) bool { + return rn == nil || err != nil +} + +// IsFoundOrError returns true if rn is found or err is non-nil +func IsFoundOrError(rn *RNode, err error) bool { + return rn != nil || err != nil +} + +func ErrorIfAnyInvalidAndNonNull(kind yaml.Kind, rn ...*RNode) error { + for i := range rn { + if IsMissingOrNull(rn[i]) { + continue + } + if err := ErrorIfInvalid(rn[i], kind); err != nil { + return err + } + } + return nil +} + +type InvalidNodeKindError struct { + expectedKind yaml.Kind + node *RNode +} + +func (e *InvalidNodeKindError) Error() string { + msg := fmt.Sprintf("wrong node kind: expected %s but got %s", + nodeKindString(e.expectedKind), nodeKindString(e.node.YNode().Kind)) + if content, err := e.node.String(); err == nil { + msg += fmt.Sprintf(": node contents:\n%s", content) + } + return msg +} + +func (e *InvalidNodeKindError) ActualNodeKind() Kind { + return e.node.YNode().Kind +} + +func ErrorIfInvalid(rn *RNode, kind yaml.Kind) error { + if IsMissingOrNull(rn) { + // node has no type, pass validation + return nil + } + + if rn.YNode().Kind != kind { + return &InvalidNodeKindError{node: rn, expectedKind: kind} + } + + if kind == yaml.MappingNode { + if len(rn.YNode().Content)%2 != 0 { + return errors.Errorf( + "yaml MappingNodes must have even length contents: %v", spew.Sdump(rn)) + } + } + + return nil +} + +// IsListIndex returns true if p is an index into a Val. +// e.g. [fieldName=fieldValue] +// e.g. [=primitiveValue] +func IsListIndex(p string) bool { + return strings.HasPrefix(p, "[") && strings.HasSuffix(p, "]") +} + +// IsIdxNumber returns true if p is an index number. +// e.g. 1 +func IsIdxNumber(p string) bool { + idx, err := strconv.Atoi(p) + return err == nil && idx >= 0 +} + +// IsWildcard returns true if p is matching every elements. +// e.g. "*" +func IsWildcard(p string) bool { + return p == "*" +} + +// SplitIndexNameValue splits a lookup part Val index into the field name +// and field value to match. +// e.g. splits [name=nginx] into (name, nginx) +// e.g. splits [=-jar] into ("", -jar) +func SplitIndexNameValue(p string) (string, string, error) { + elem := strings.TrimSuffix(p, "]") + elem = strings.TrimPrefix(elem, "[") + parts := strings.SplitN(elem, "=", 2) + if len(parts) == 1 { + return "", "", fmt.Errorf("list path element must contain fieldName=fieldValue for element to match") + } + return parts[0], parts[1], nil +} diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/labels/copied.deepcopy.go b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/labels/copied.deepcopy.go new file mode 100644 index 0000000000..52f32be88a --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/labels/copied.deepcopy.go @@ -0,0 +1,44 @@ +// Code generated by k8scopy from k8s.io/apimachinery@v0.19.8; DO NOT EDIT. +// File content copied from k8s.io/apimachinery@v0.19.8/pkg/labels/zz_generated.deepcopy.go + +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package labels + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Requirement) DeepCopyInto(out *Requirement) { + *out = *in + if in.strValues != nil { + in, out := &in.strValues, &out.strValues + *out = make([]string, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Requirement. +func (in *Requirement) DeepCopy() *Requirement { + if in == nil { + return nil + } + out := new(Requirement) + in.DeepCopyInto(out) + return out +} diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/labels/labels.go b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/labels/labels.go new file mode 100644 index 0000000000..300014eac0 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/labels/labels.go @@ -0,0 +1,192 @@ +// Code generated by k8scopy from k8s.io/apimachinery@v0.19.8; DO NOT EDIT. +// File content copied from k8s.io/apimachinery@v0.19.8/pkg/labels/labels.go + +/* +Copyright 2014 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package labels + +import ( + "fmt" + "sort" + "strings" +) + +// Labels allows you to present labels independently from their storage. +type Labels interface { + // Has returns whether the provided label exists. + Has(label string) (exists bool) + + // Get returns the value for the provided label. + Get(label string) (value string) +} + +// Set is a map of label:value. It implements Labels. +type Set map[string]string + +// String returns all labels listed as a human readable string. +// Conveniently, exactly the format that ParseSelector takes. +func (ls Set) String() string { + selector := make([]string, 0, len(ls)) + for key, value := range ls { + selector = append(selector, key+"="+value) + } + // Sort for determinism. + sort.StringSlice(selector).Sort() + return strings.Join(selector, ",") +} + +// Has returns whether the provided label exists in the map. +func (ls Set) Has(label string) bool { + _, exists := ls[label] + return exists +} + +// Get returns the value in the map for the provided label. +func (ls Set) Get(label string) string { + return ls[label] +} + +// AsSelector converts labels into a selectors. It does not +// perform any validation, which means the server will reject +// the request if the Set contains invalid values. +func (ls Set) AsSelector() Selector { + return SelectorFromSet(ls) +} + +// AsValidatedSelector converts labels into a selectors. +// The Set is validated client-side, which allows to catch errors early. +func (ls Set) AsValidatedSelector() (Selector, error) { + return ValidatedSelectorFromSet(ls) +} + +// AsSelectorPreValidated converts labels into a selector, but +// assumes that labels are already validated and thus doesn't +// perform any validation. +// According to our measurements this is significantly faster +// in codepaths that matter at high scale. +func (ls Set) AsSelectorPreValidated() Selector { + return SelectorFromValidatedSet(ls) +} + +// FormatLabels convert label map into plain string +func FormatLabels(labelMap map[string]string) string { + l := Set(labelMap).String() + if l == "" { + l = "" + } + return l +} + +// Conflicts takes 2 maps and returns true if there a key match between +// the maps but the value doesn't match, and returns false in other cases +func Conflicts(labels1, labels2 Set) bool { + small := labels1 + big := labels2 + if len(labels2) < len(labels1) { + small = labels2 + big = labels1 + } + + for k, v := range small { + if val, match := big[k]; match { + if val != v { + return true + } + } + } + + return false +} + +// Merge combines given maps, and does not check for any conflicts +// between the maps. In case of conflicts, second map (labels2) wins +func Merge(labels1, labels2 Set) Set { + mergedMap := Set{} + + for k, v := range labels1 { + mergedMap[k] = v + } + for k, v := range labels2 { + mergedMap[k] = v + } + return mergedMap +} + +// Equals returns true if the given maps are equal +func Equals(labels1, labels2 Set) bool { + if len(labels1) != len(labels2) { + return false + } + + for k, v := range labels1 { + value, ok := labels2[k] + if !ok { + return false + } + if value != v { + return false + } + } + return true +} + +// AreLabelsInWhiteList verifies if the provided label list +// is in the provided whitelist and returns true, otherwise false. +func AreLabelsInWhiteList(labels, whitelist Set) bool { + if len(whitelist) == 0 { + return true + } + + for k, v := range labels { + value, ok := whitelist[k] + if !ok { + return false + } + if value != v { + return false + } + } + return true +} + +// ConvertSelectorToLabelsMap converts selector string to labels map +// and validates keys and values +func ConvertSelectorToLabelsMap(selector string) (Set, error) { + labelsMap := Set{} + + if len(selector) == 0 { + return labelsMap, nil + } + + labels := strings.Split(selector, ",") + for _, label := range labels { + l := strings.Split(label, "=") + if len(l) != 2 { + return labelsMap, fmt.Errorf("invalid selector: %s", l) + } + key := strings.TrimSpace(l[0]) + if err := validateLabelKey(key); err != nil { + return labelsMap, err + } + value := strings.TrimSpace(l[1]) + if err := validateLabelValue(key, value); err != nil { + return labelsMap, err + } + labelsMap[key] = value + } + return labelsMap, nil +} diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/labels/selector.go b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/labels/selector.go new file mode 100644 index 0000000000..73c5ae6a65 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/labels/selector.go @@ -0,0 +1,925 @@ +// Code generated by k8scopy from k8s.io/apimachinery@v0.19.8; DO NOT EDIT. +// File content copied from k8s.io/apimachinery@v0.19.8/pkg/labels/selector.go + +/* +Copyright 2014 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package labels + +import ( + "bytes" + "fmt" + "sort" + "strconv" + "strings" + + "log" + "sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/selection" + "sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/util/sets" + "sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/util/validation" +) + +// Requirements is AND of all requirements. +type Requirements []Requirement + +// Selector represents a label selector. +type Selector interface { + // Matches returns true if this selector matches the given set of labels. + Matches(Labels) bool + + // Empty returns true if this selector does not restrict the selection space. + Empty() bool + + // String returns a human readable string that represents this selector. + String() string + + // Add adds requirements to the Selector + Add(r ...Requirement) Selector + + // Requirements converts this interface into Requirements to expose + // more detailed selection information. + // If there are querying parameters, it will return converted requirements and selectable=true. + // If this selector doesn't want to select anything, it will return selectable=false. + Requirements() (requirements Requirements, selectable bool) + + // Make a deep copy of the selector. + DeepCopySelector() Selector + + // RequiresExactMatch allows a caller to introspect whether a given selector + // requires a single specific label to be set, and if so returns the value it + // requires. + RequiresExactMatch(label string) (value string, found bool) +} + +// Everything returns a selector that matches all labels. +func Everything() Selector { + return internalSelector{} +} + +type nothingSelector struct{} + +func (n nothingSelector) Matches(_ Labels) bool { return false } +func (n nothingSelector) Empty() bool { return false } +func (n nothingSelector) String() string { return "" } +func (n nothingSelector) Add(_ ...Requirement) Selector { return n } +func (n nothingSelector) Requirements() (Requirements, bool) { return nil, false } +func (n nothingSelector) DeepCopySelector() Selector { return n } +func (n nothingSelector) RequiresExactMatch(label string) (value string, found bool) { + return "", false +} + +// Nothing returns a selector that matches no labels +func Nothing() Selector { + return nothingSelector{} +} + +// NewSelector returns a nil selector +func NewSelector() Selector { + return internalSelector(nil) +} + +type internalSelector []Requirement + +func (s internalSelector) DeepCopy() internalSelector { + if s == nil { + return nil + } + result := make([]Requirement, len(s)) + for i := range s { + s[i].DeepCopyInto(&result[i]) + } + return result +} + +func (s internalSelector) DeepCopySelector() Selector { + return s.DeepCopy() +} + +// ByKey sorts requirements by key to obtain deterministic parser +type ByKey []Requirement + +func (a ByKey) Len() int { return len(a) } + +func (a ByKey) Swap(i, j int) { a[i], a[j] = a[j], a[i] } + +func (a ByKey) Less(i, j int) bool { return a[i].key < a[j].key } + +// Requirement contains values, a key, and an operator that relates the key and values. +// The zero value of Requirement is invalid. +// Requirement implements both set based match and exact match +// Requirement should be initialized via NewRequirement constructor for creating a valid Requirement. +type Requirement struct { + key string + operator selection.Operator + // In huge majority of cases we have at most one value here. + // It is generally faster to operate on a single-element slice + // than on a single-element map, so we have a slice here. + strValues []string +} + +// NewRequirement is the constructor for a Requirement. +// If any of these rules is violated, an error is returned: +// (1) The operator can only be In, NotIn, Equals, DoubleEquals, NotEquals, Exists, or DoesNotExist. +// (2) If the operator is In or NotIn, the values set must be non-empty. +// (3) If the operator is Equals, DoubleEquals, or NotEquals, the values set must contain one value. +// (4) If the operator is Exists or DoesNotExist, the value set must be empty. +// (5) If the operator is Gt or Lt, the values set must contain only one value, which will be interpreted as an integer. +// (6) The key is invalid due to its length, or sequence +// of characters. See validateLabelKey for more details. +// +// The empty string is a valid value in the input values set. +func NewRequirement(key string, op selection.Operator, vals []string) (*Requirement, error) { + if err := validateLabelKey(key); err != nil { + return nil, err + } + switch op { + case selection.In, selection.NotIn: + if len(vals) == 0 { + return nil, fmt.Errorf("for 'in', 'notin' operators, values set can't be empty") + } + case selection.Equals, selection.DoubleEquals, selection.NotEquals: + if len(vals) != 1 { + return nil, fmt.Errorf("exact-match compatibility requires one single value") + } + case selection.Exists, selection.DoesNotExist: + if len(vals) != 0 { + return nil, fmt.Errorf("values set must be empty for exists and does not exist") + } + case selection.GreaterThan, selection.LessThan: + if len(vals) != 1 { + return nil, fmt.Errorf("for 'Gt', 'Lt' operators, exactly one value is required") + } + for i := range vals { + if _, err := strconv.ParseInt(vals[i], 10, 64); err != nil { + return nil, fmt.Errorf("for 'Gt', 'Lt' operators, the value must be an integer") + } + } + default: + return nil, fmt.Errorf("operator '%v' is not recognized", op) + } + + for i := range vals { + if err := validateLabelValue(key, vals[i]); err != nil { + return nil, err + } + } + return &Requirement{key: key, operator: op, strValues: vals}, nil +} + +func (r *Requirement) hasValue(value string) bool { + for i := range r.strValues { + if r.strValues[i] == value { + return true + } + } + return false +} + +// Matches returns true if the Requirement matches the input Labels. +// There is a match in the following cases: +// (1) The operator is Exists and Labels has the Requirement's key. +// (2) The operator is In, Labels has the Requirement's key and Labels' +// value for that key is in Requirement's value set. +// (3) The operator is NotIn, Labels has the Requirement's key and +// Labels' value for that key is not in Requirement's value set. +// (4) The operator is DoesNotExist or NotIn and Labels does not have the +// Requirement's key. +// (5) The operator is GreaterThanOperator or LessThanOperator, and Labels has +// the Requirement's key and the corresponding value satisfies mathematical inequality. +func (r *Requirement) Matches(ls Labels) bool { + switch r.operator { + case selection.In, selection.Equals, selection.DoubleEquals: + if !ls.Has(r.key) { + return false + } + return r.hasValue(ls.Get(r.key)) + case selection.NotIn, selection.NotEquals: + if !ls.Has(r.key) { + return true + } + return !r.hasValue(ls.Get(r.key)) + case selection.Exists: + return ls.Has(r.key) + case selection.DoesNotExist: + return !ls.Has(r.key) + case selection.GreaterThan, selection.LessThan: + if !ls.Has(r.key) { + return false + } + lsValue, err := strconv.ParseInt(ls.Get(r.key), 10, 64) + if err != nil { + log.Printf("ParseInt failed for value %+v in label %+v, %+v", ls.Get(r.key), ls, err) + return false + } + + // There should be only one strValue in r.strValues, and can be converted to an integer. + if len(r.strValues) != 1 { + log.Printf("Invalid values count %+v of requirement %#v, for 'Gt', 'Lt' operators, exactly one value is required", len(r.strValues), r) + return false + } + + var rValue int64 + for i := range r.strValues { + rValue, err = strconv.ParseInt(r.strValues[i], 10, 64) + if err != nil { + log.Printf("ParseInt failed for value %+v in requirement %#v, for 'Gt', 'Lt' operators, the value must be an integer", r.strValues[i], r) + return false + } + } + return (r.operator == selection.GreaterThan && lsValue > rValue) || (r.operator == selection.LessThan && lsValue < rValue) + default: + return false + } +} + +// Key returns requirement key +func (r *Requirement) Key() string { + return r.key +} + +// Operator returns requirement operator +func (r *Requirement) Operator() selection.Operator { + return r.operator +} + +// Values returns requirement values +func (r *Requirement) Values() sets.String { + ret := sets.String{} + for i := range r.strValues { + ret.Insert(r.strValues[i]) + } + return ret +} + +// Empty returns true if the internalSelector doesn't restrict selection space +func (lsel internalSelector) Empty() bool { + if lsel == nil { + return true + } + return len(lsel) == 0 +} + +// String returns a human-readable string that represents this +// Requirement. If called on an invalid Requirement, an error is +// returned. See NewRequirement for creating a valid Requirement. +func (r *Requirement) String() string { + var buffer bytes.Buffer + if r.operator == selection.DoesNotExist { + buffer.WriteString("!") + } + buffer.WriteString(r.key) + + switch r.operator { + case selection.Equals: + buffer.WriteString("=") + case selection.DoubleEquals: + buffer.WriteString("==") + case selection.NotEquals: + buffer.WriteString("!=") + case selection.In: + buffer.WriteString(" in ") + case selection.NotIn: + buffer.WriteString(" notin ") + case selection.GreaterThan: + buffer.WriteString(">") + case selection.LessThan: + buffer.WriteString("<") + case selection.Exists, selection.DoesNotExist: + return buffer.String() + } + + switch r.operator { + case selection.In, selection.NotIn: + buffer.WriteString("(") + } + if len(r.strValues) == 1 { + buffer.WriteString(r.strValues[0]) + } else { // only > 1 since == 0 prohibited by NewRequirement + // normalizes value order on output, without mutating the in-memory selector representation + // also avoids normalization when it is not required, and ensures we do not mutate shared data + buffer.WriteString(strings.Join(safeSort(r.strValues), ",")) + } + + switch r.operator { + case selection.In, selection.NotIn: + buffer.WriteString(")") + } + return buffer.String() +} + +// safeSort sort input strings without modification +func safeSort(in []string) []string { + if sort.StringsAreSorted(in) { + return in + } + out := make([]string, len(in)) + copy(out, in) + sort.Strings(out) + return out +} + +// Add adds requirements to the selector. It copies the current selector returning a new one +func (lsel internalSelector) Add(reqs ...Requirement) Selector { + var sel internalSelector + for ix := range lsel { + sel = append(sel, lsel[ix]) + } + for _, r := range reqs { + sel = append(sel, r) + } + sort.Sort(ByKey(sel)) + return sel +} + +// Matches for a internalSelector returns true if all +// its Requirements match the input Labels. If any +// Requirement does not match, false is returned. +func (lsel internalSelector) Matches(l Labels) bool { + for ix := range lsel { + if matches := lsel[ix].Matches(l); !matches { + return false + } + } + return true +} + +func (lsel internalSelector) Requirements() (Requirements, bool) { return Requirements(lsel), true } + +// String returns a comma-separated string of all +// the internalSelector Requirements' human-readable strings. +func (lsel internalSelector) String() string { + var reqs []string + for ix := range lsel { + reqs = append(reqs, lsel[ix].String()) + } + return strings.Join(reqs, ",") +} + +// RequiresExactMatch introspect whether a given selector requires a single specific field +// to be set, and if so returns the value it requires. +func (lsel internalSelector) RequiresExactMatch(label string) (value string, found bool) { + for ix := range lsel { + if lsel[ix].key == label { + switch lsel[ix].operator { + case selection.Equals, selection.DoubleEquals, selection.In: + if len(lsel[ix].strValues) == 1 { + return lsel[ix].strValues[0], true + } + } + return "", false + } + } + return "", false +} + +// Token represents constant definition for lexer token +type Token int + +const ( + // ErrorToken represents scan error + ErrorToken Token = iota + // EndOfStringToken represents end of string + EndOfStringToken + // ClosedParToken represents close parenthesis + ClosedParToken + // CommaToken represents the comma + CommaToken + // DoesNotExistToken represents logic not + DoesNotExistToken + // DoubleEqualsToken represents double equals + DoubleEqualsToken + // EqualsToken represents equal + EqualsToken + // GreaterThanToken represents greater than + GreaterThanToken + // IdentifierToken represents identifier, e.g. keys and values + IdentifierToken + // InToken represents in + InToken + // LessThanToken represents less than + LessThanToken + // NotEqualsToken represents not equal + NotEqualsToken + // NotInToken represents not in + NotInToken + // OpenParToken represents open parenthesis + OpenParToken +) + +// string2token contains the mapping between lexer Token and token literal +// (except IdentifierToken, EndOfStringToken and ErrorToken since it makes no sense) +var string2token = map[string]Token{ + ")": ClosedParToken, + ",": CommaToken, + "!": DoesNotExistToken, + "==": DoubleEqualsToken, + "=": EqualsToken, + ">": GreaterThanToken, + "in": InToken, + "<": LessThanToken, + "!=": NotEqualsToken, + "notin": NotInToken, + "(": OpenParToken, +} + +// ScannedItem contains the Token and the literal produced by the lexer. +type ScannedItem struct { + tok Token + literal string +} + +// isWhitespace returns true if the rune is a space, tab, or newline. +func isWhitespace(ch byte) bool { + return ch == ' ' || ch == '\t' || ch == '\r' || ch == '\n' +} + +// isSpecialSymbol detect if the character ch can be an operator +func isSpecialSymbol(ch byte) bool { + switch ch { + case '=', '!', '(', ')', ',', '>', '<': + return true + } + return false +} + +// Lexer represents the Lexer struct for label selector. +// It contains necessary informationt to tokenize the input string +type Lexer struct { + // s stores the string to be tokenized + s string + // pos is the position currently tokenized + pos int +} + +// read return the character currently lexed +// increment the position and check the buffer overflow +func (l *Lexer) read() (b byte) { + b = 0 + if l.pos < len(l.s) { + b = l.s[l.pos] + l.pos++ + } + return b +} + +// unread 'undoes' the last read character +func (l *Lexer) unread() { + l.pos-- +} + +// scanIDOrKeyword scans string to recognize literal token (for example 'in') or an identifier. +func (l *Lexer) scanIDOrKeyword() (tok Token, lit string) { + var buffer []byte +IdentifierLoop: + for { + switch ch := l.read(); { + case ch == 0: + break IdentifierLoop + case isSpecialSymbol(ch) || isWhitespace(ch): + l.unread() + break IdentifierLoop + default: + buffer = append(buffer, ch) + } + } + s := string(buffer) + if val, ok := string2token[s]; ok { // is a literal token? + return val, s + } + return IdentifierToken, s // otherwise is an identifier +} + +// scanSpecialSymbol scans string starting with special symbol. +// special symbol identify non literal operators. "!=", "==", "=" +func (l *Lexer) scanSpecialSymbol() (Token, string) { + lastScannedItem := ScannedItem{} + var buffer []byte +SpecialSymbolLoop: + for { + switch ch := l.read(); { + case ch == 0: + break SpecialSymbolLoop + case isSpecialSymbol(ch): + buffer = append(buffer, ch) + if token, ok := string2token[string(buffer)]; ok { + lastScannedItem = ScannedItem{tok: token, literal: string(buffer)} + } else if lastScannedItem.tok != 0 { + l.unread() + break SpecialSymbolLoop + } + default: + l.unread() + break SpecialSymbolLoop + } + } + if lastScannedItem.tok == 0 { + return ErrorToken, fmt.Sprintf("error expected: keyword found '%s'", buffer) + } + return lastScannedItem.tok, lastScannedItem.literal +} + +// skipWhiteSpaces consumes all blank characters +// returning the first non blank character +func (l *Lexer) skipWhiteSpaces(ch byte) byte { + for { + if !isWhitespace(ch) { + return ch + } + ch = l.read() + } +} + +// Lex returns a pair of Token and the literal +// literal is meaningfull only for IdentifierToken token +func (l *Lexer) Lex() (tok Token, lit string) { + switch ch := l.skipWhiteSpaces(l.read()); { + case ch == 0: + return EndOfStringToken, "" + case isSpecialSymbol(ch): + l.unread() + return l.scanSpecialSymbol() + default: + l.unread() + return l.scanIDOrKeyword() + } +} + +// Parser data structure contains the label selector parser data structure +type Parser struct { + l *Lexer + scannedItems []ScannedItem + position int +} + +// ParserContext represents context during parsing: +// some literal for example 'in' and 'notin' can be +// recognized as operator for example 'x in (a)' but +// it can be recognized as value for example 'value in (in)' +type ParserContext int + +const ( + // KeyAndOperator represents key and operator + KeyAndOperator ParserContext = iota + // Values represents values + Values +) + +// lookahead func returns the current token and string. No increment of current position +func (p *Parser) lookahead(context ParserContext) (Token, string) { + tok, lit := p.scannedItems[p.position].tok, p.scannedItems[p.position].literal + if context == Values { + switch tok { + case InToken, NotInToken: + tok = IdentifierToken + } + } + return tok, lit +} + +// consume returns current token and string. Increments the position +func (p *Parser) consume(context ParserContext) (Token, string) { + p.position++ + tok, lit := p.scannedItems[p.position-1].tok, p.scannedItems[p.position-1].literal + if context == Values { + switch tok { + case InToken, NotInToken: + tok = IdentifierToken + } + } + return tok, lit +} + +// scan runs through the input string and stores the ScannedItem in an array +// Parser can now lookahead and consume the tokens +func (p *Parser) scan() { + for { + token, literal := p.l.Lex() + p.scannedItems = append(p.scannedItems, ScannedItem{token, literal}) + if token == EndOfStringToken { + break + } + } +} + +// parse runs the left recursive descending algorithm +// on input string. It returns a list of Requirement objects. +func (p *Parser) parse() (internalSelector, error) { + p.scan() // init scannedItems + + var requirements internalSelector + for { + tok, lit := p.lookahead(Values) + switch tok { + case IdentifierToken, DoesNotExistToken: + r, err := p.parseRequirement() + if err != nil { + return nil, fmt.Errorf("unable to parse requirement: %v", err) + } + requirements = append(requirements, *r) + t, l := p.consume(Values) + switch t { + case EndOfStringToken: + return requirements, nil + case CommaToken: + t2, l2 := p.lookahead(Values) + if t2 != IdentifierToken && t2 != DoesNotExistToken { + return nil, fmt.Errorf("found '%s', expected: identifier after ','", l2) + } + default: + return nil, fmt.Errorf("found '%s', expected: ',' or 'end of string'", l) + } + case EndOfStringToken: + return requirements, nil + default: + return nil, fmt.Errorf("found '%s', expected: !, identifier, or 'end of string'", lit) + } + } +} + +func (p *Parser) parseRequirement() (*Requirement, error) { + key, operator, err := p.parseKeyAndInferOperator() + if err != nil { + return nil, err + } + if operator == selection.Exists || operator == selection.DoesNotExist { // operator found lookahead set checked + return NewRequirement(key, operator, []string{}) + } + operator, err = p.parseOperator() + if err != nil { + return nil, err + } + var values sets.String + switch operator { + case selection.In, selection.NotIn: + values, err = p.parseValues() + case selection.Equals, selection.DoubleEquals, selection.NotEquals, selection.GreaterThan, selection.LessThan: + values, err = p.parseExactValue() + } + if err != nil { + return nil, err + } + return NewRequirement(key, operator, values.List()) + +} + +// parseKeyAndInferOperator parse literals. +// in case of no operator '!, in, notin, ==, =, !=' are found +// the 'exists' operator is inferred +func (p *Parser) parseKeyAndInferOperator() (string, selection.Operator, error) { + var operator selection.Operator + tok, literal := p.consume(Values) + if tok == DoesNotExistToken { + operator = selection.DoesNotExist + tok, literal = p.consume(Values) + } + if tok != IdentifierToken { + err := fmt.Errorf("found '%s', expected: identifier", literal) + return "", "", err + } + if err := validateLabelKey(literal); err != nil { + return "", "", err + } + if t, _ := p.lookahead(Values); t == EndOfStringToken || t == CommaToken { + if operator != selection.DoesNotExist { + operator = selection.Exists + } + } + return literal, operator, nil +} + +// parseOperator return operator and eventually matchType +// matchType can be exact +func (p *Parser) parseOperator() (op selection.Operator, err error) { + tok, lit := p.consume(KeyAndOperator) + switch tok { + // DoesNotExistToken shouldn't be here because it's a unary operator, not a binary operator + case InToken: + op = selection.In + case EqualsToken: + op = selection.Equals + case DoubleEqualsToken: + op = selection.DoubleEquals + case GreaterThanToken: + op = selection.GreaterThan + case LessThanToken: + op = selection.LessThan + case NotInToken: + op = selection.NotIn + case NotEqualsToken: + op = selection.NotEquals + default: + return "", fmt.Errorf("found '%s', expected: '=', '!=', '==', 'in', notin'", lit) + } + return op, nil +} + +// parseValues parses the values for set based matching (x,y,z) +func (p *Parser) parseValues() (sets.String, error) { + tok, lit := p.consume(Values) + if tok != OpenParToken { + return nil, fmt.Errorf("found '%s' expected: '('", lit) + } + tok, lit = p.lookahead(Values) + switch tok { + case IdentifierToken, CommaToken: + s, err := p.parseIdentifiersList() // handles general cases + if err != nil { + return s, err + } + if tok, _ = p.consume(Values); tok != ClosedParToken { + return nil, fmt.Errorf("found '%s', expected: ')'", lit) + } + return s, nil + case ClosedParToken: // handles "()" + p.consume(Values) + return sets.NewString(""), nil + default: + return nil, fmt.Errorf("found '%s', expected: ',', ')' or identifier", lit) + } +} + +// parseIdentifiersList parses a (possibly empty) list of +// of comma separated (possibly empty) identifiers +func (p *Parser) parseIdentifiersList() (sets.String, error) { + s := sets.NewString() + for { + tok, lit := p.consume(Values) + switch tok { + case IdentifierToken: + s.Insert(lit) + tok2, lit2 := p.lookahead(Values) + switch tok2 { + case CommaToken: + continue + case ClosedParToken: + return s, nil + default: + return nil, fmt.Errorf("found '%s', expected: ',' or ')'", lit2) + } + case CommaToken: // handled here since we can have "(," + if s.Len() == 0 { + s.Insert("") // to handle (, + } + tok2, _ := p.lookahead(Values) + if tok2 == ClosedParToken { + s.Insert("") // to handle ,) Double "" removed by StringSet + return s, nil + } + if tok2 == CommaToken { + p.consume(Values) + s.Insert("") // to handle ,, Double "" removed by StringSet + } + default: // it can be operator + return s, fmt.Errorf("found '%s', expected: ',', or identifier", lit) + } + } +} + +// parseExactValue parses the only value for exact match style +func (p *Parser) parseExactValue() (sets.String, error) { + s := sets.NewString() + tok, lit := p.lookahead(Values) + if tok == EndOfStringToken || tok == CommaToken { + s.Insert("") + return s, nil + } + tok, lit = p.consume(Values) + if tok == IdentifierToken { + s.Insert(lit) + return s, nil + } + return nil, fmt.Errorf("found '%s', expected: identifier", lit) +} + +// Parse takes a string representing a selector and returns a selector +// object, or an error. This parsing function differs from ParseSelector +// as they parse different selectors with different syntaxes. +// The input will cause an error if it does not follow this form: +// +// ::= | "," +// ::= [!] KEY [ | ] +// ::= "" | +// ::= | +// ::= "notin" +// ::= "in" +// ::= "(" ")" +// ::= VALUE | VALUE "," +// ::= ["="|"=="|"!="] VALUE +// +// KEY is a sequence of one or more characters following [ DNS_SUBDOMAIN "/" ] DNS_LABEL. Max length is 63 characters. +// VALUE is a sequence of zero or more characters "([A-Za-z0-9_-\.])". Max length is 63 characters. +// Delimiter is white space: (' ', '\t') +// Example of valid syntax: +// "x in (foo,,baz),y,z notin ()" +// +// Note: +// (1) Inclusion - " in " - denotes that the KEY exists and is equal to any of the +// VALUEs in its requirement +// (2) Exclusion - " notin " - denotes that the KEY is not equal to any +// of the VALUEs in its requirement or does not exist +// (3) The empty string is a valid VALUE +// (4) A requirement with just a KEY - as in "y" above - denotes that +// the KEY exists and can be any VALUE. +// (5) A requirement with just !KEY requires that the KEY not exist. +// +func Parse(selector string) (Selector, error) { + parsedSelector, err := parse(selector) + if err == nil { + return parsedSelector, nil + } + return nil, err +} + +// parse parses the string representation of the selector and returns the internalSelector struct. +// The callers of this method can then decide how to return the internalSelector struct to their +// callers. This function has two callers now, one returns a Selector interface and the other +// returns a list of requirements. +func parse(selector string) (internalSelector, error) { + p := &Parser{l: &Lexer{s: selector, pos: 0}} + items, err := p.parse() + if err != nil { + return nil, err + } + sort.Sort(ByKey(items)) // sort to grant determistic parsing + return internalSelector(items), err +} + +func validateLabelKey(k string) error { + if errs := validation.IsQualifiedName(k); len(errs) != 0 { + return fmt.Errorf("invalid label key %q: %s", k, strings.Join(errs, "; ")) + } + return nil +} + +func validateLabelValue(k, v string) error { + if errs := validation.IsValidLabelValue(v); len(errs) != 0 { + return fmt.Errorf("invalid label value: %q: at key: %q: %s", v, k, strings.Join(errs, "; ")) + } + return nil +} + +// SelectorFromSet returns a Selector which will match exactly the given Set. A +// nil and empty Sets are considered equivalent to Everything(). +// It does not perform any validation, which means the server will reject +// the request if the Set contains invalid values. +func SelectorFromSet(ls Set) Selector { + return SelectorFromValidatedSet(ls) +} + +// ValidatedSelectorFromSet returns a Selector which will match exactly the given Set. A +// nil and empty Sets are considered equivalent to Everything(). +// The Set is validated client-side, which allows to catch errors early. +func ValidatedSelectorFromSet(ls Set) (Selector, error) { + if ls == nil || len(ls) == 0 { + return internalSelector{}, nil + } + requirements := make([]Requirement, 0, len(ls)) + for label, value := range ls { + r, err := NewRequirement(label, selection.Equals, []string{value}) + if err != nil { + return nil, err + } + requirements = append(requirements, *r) + } + // sort to have deterministic string representation + sort.Sort(ByKey(requirements)) + return internalSelector(requirements), nil +} + +// SelectorFromValidatedSet returns a Selector which will match exactly the given Set. +// A nil and empty Sets are considered equivalent to Everything(). +// It assumes that Set is already validated and doesn't do any validation. +func SelectorFromValidatedSet(ls Set) Selector { + if ls == nil || len(ls) == 0 { + return internalSelector{} + } + requirements := make([]Requirement, 0, len(ls)) + for label, value := range ls { + requirements = append(requirements, Requirement{key: label, operator: selection.Equals, strValues: []string{value}}) + } + // sort to have deterministic string representation + sort.Sort(ByKey(requirements)) + return internalSelector(requirements) +} + +// ParseToRequirements takes a string representing a selector and returns a list of +// requirements. This function is suitable for those callers that perform additional +// processing on selector requirements. +// See the documentation for Parse() function for more details. +// TODO: Consider exporting the internalSelector type instead. +func ParseToRequirements(selector string) ([]Requirement, error) { + return parse(selector) +} diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/selection/operator.go b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/selection/operator.go new file mode 100644 index 0000000000..29c443df45 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/selection/operator.go @@ -0,0 +1,36 @@ +// Code generated by k8scopy from k8s.io/apimachinery@v0.19.8; DO NOT EDIT. +// File content copied from k8s.io/apimachinery@v0.19.8/pkg/selection/operator.go + +/* +Copyright 2016 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package selection + +// Operator represents a key/field's relationship to value(s). +// See labels.Requirement and fields.Requirement for more details. +type Operator string + +const ( + DoesNotExist Operator = "!" + Equals Operator = "=" + DoubleEquals Operator = "==" + In Operator = "in" + NotEquals Operator = "!=" + NotIn Operator = "notin" + Exists Operator = "exists" + GreaterThan Operator = "gt" + LessThan Operator = "lt" +) diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/util/errors/errors.go b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/util/errors/errors.go new file mode 100644 index 0000000000..24d040e06c --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/util/errors/errors.go @@ -0,0 +1,252 @@ +// Code generated by k8scopy from k8s.io/apimachinery@v0.19.8; DO NOT EDIT. +// File content copied from k8s.io/apimachinery@v0.19.8/pkg/util/errors/errors.go + +/* +Copyright 2015 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package errors + +import ( + "errors" + "fmt" + + "sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/util/sets" +) + +// MessageCountMap contains occurrence for each error message. +type MessageCountMap map[string]int + +// Aggregate represents an object that contains multiple errors, but does not +// necessarily have singular semantic meaning. +// The aggregate can be used with `errors.Is()` to check for the occurrence of +// a specific error type. +// Errors.As() is not supported, because the caller presumably cares about a +// specific error of potentially multiple that match the given type. +type Aggregate interface { + error + Errors() []error + Is(error) bool +} + +// NewAggregate converts a slice of errors into an Aggregate interface, which +// is itself an implementation of the error interface. If the slice is empty, +// this returns nil. +// It will check if any of the element of input error list is nil, to avoid +// nil pointer panic when call Error(). +func NewAggregate(errlist []error) Aggregate { + if len(errlist) == 0 { + return nil + } + // In case of input error list contains nil + var errs []error + for _, e := range errlist { + if e != nil { + errs = append(errs, e) + } + } + if len(errs) == 0 { + return nil + } + return aggregate(errs) +} + +// This helper implements the error and Errors interfaces. Keeping it private +// prevents people from making an aggregate of 0 errors, which is not +// an error, but does satisfy the error interface. +type aggregate []error + +// Error is part of the error interface. +func (agg aggregate) Error() string { + if len(agg) == 0 { + // This should never happen, really. + return "" + } + if len(agg) == 1 { + return agg[0].Error() + } + seenerrs := sets.NewString() + result := "" + agg.visit(func(err error) bool { + msg := err.Error() + if seenerrs.Has(msg) { + return false + } + seenerrs.Insert(msg) + if len(seenerrs) > 1 { + result += ", " + } + result += msg + return false + }) + if len(seenerrs) == 1 { + return result + } + return "[" + result + "]" +} + +func (agg aggregate) Is(target error) bool { + return agg.visit(func(err error) bool { + return errors.Is(err, target) + }) +} + +func (agg aggregate) visit(f func(err error) bool) bool { + for _, err := range agg { + switch err := err.(type) { + case aggregate: + if match := err.visit(f); match { + return match + } + case Aggregate: + for _, nestedErr := range err.Errors() { + if match := f(nestedErr); match { + return match + } + } + default: + if match := f(err); match { + return match + } + } + } + + return false +} + +// Errors is part of the Aggregate interface. +func (agg aggregate) Errors() []error { + return []error(agg) +} + +// Matcher is used to match errors. Returns true if the error matches. +type Matcher func(error) bool + +// FilterOut removes all errors that match any of the matchers from the input +// error. If the input is a singular error, only that error is tested. If the +// input implements the Aggregate interface, the list of errors will be +// processed recursively. +// +// This can be used, for example, to remove known-OK errors (such as io.EOF or +// os.PathNotFound) from a list of errors. +func FilterOut(err error, fns ...Matcher) error { + if err == nil { + return nil + } + if agg, ok := err.(Aggregate); ok { + return NewAggregate(filterErrors(agg.Errors(), fns...)) + } + if !matchesError(err, fns...) { + return err + } + return nil +} + +// matchesError returns true if any Matcher returns true +func matchesError(err error, fns ...Matcher) bool { + for _, fn := range fns { + if fn(err) { + return true + } + } + return false +} + +// filterErrors returns any errors (or nested errors, if the list contains +// nested Errors) for which all fns return false. If no errors +// remain a nil list is returned. The resulting silec will have all +// nested slices flattened as a side effect. +func filterErrors(list []error, fns ...Matcher) []error { + result := []error{} + for _, err := range list { + r := FilterOut(err, fns...) + if r != nil { + result = append(result, r) + } + } + return result +} + +// Flatten takes an Aggregate, which may hold other Aggregates in arbitrary +// nesting, and flattens them all into a single Aggregate, recursively. +func Flatten(agg Aggregate) Aggregate { + result := []error{} + if agg == nil { + return nil + } + for _, err := range agg.Errors() { + if a, ok := err.(Aggregate); ok { + r := Flatten(a) + if r != nil { + result = append(result, r.Errors()...) + } + } else { + if err != nil { + result = append(result, err) + } + } + } + return NewAggregate(result) +} + +// CreateAggregateFromMessageCountMap converts MessageCountMap Aggregate +func CreateAggregateFromMessageCountMap(m MessageCountMap) Aggregate { + if m == nil { + return nil + } + result := make([]error, 0, len(m)) + for errStr, count := range m { + var countStr string + if count > 1 { + countStr = fmt.Sprintf(" (repeated %v times)", count) + } + result = append(result, fmt.Errorf("%v%v", errStr, countStr)) + } + return NewAggregate(result) +} + +// Reduce will return err or, if err is an Aggregate and only has one item, +// the first item in the aggregate. +func Reduce(err error) error { + if agg, ok := err.(Aggregate); ok && err != nil { + switch len(agg.Errors()) { + case 1: + return agg.Errors()[0] + case 0: + return nil + } + } + return err +} + +// AggregateGoroutines runs the provided functions in parallel, stuffing all +// non-nil errors into the returned Aggregate. +// Returns nil if all the functions complete successfully. +func AggregateGoroutines(funcs ...func() error) Aggregate { + errChan := make(chan error, len(funcs)) + for _, f := range funcs { + go func(f func() error) { errChan <- f() }(f) + } + errs := make([]error, 0) + for i := 0; i < cap(errChan); i++ { + if err := <-errChan; err != nil { + errs = append(errs, err) + } + } + return NewAggregate(errs) +} + +// ErrPreconditionViolated is returned when the precondition is violated +var ErrPreconditionViolated = errors.New("precondition is violated") diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/util/sets/empty.go b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/util/sets/empty.go new file mode 100644 index 0000000000..ef404add15 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/util/sets/empty.go @@ -0,0 +1,24 @@ +// Code generated by k8scopy from k8s.io/apimachinery@v0.19.8; DO NOT EDIT. +// File content copied from k8s.io/apimachinery@v0.19.8/pkg/util/sets/empty.go + +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package sets + +// Empty is public since it is used by some internal API objects for conversions between external +// string arrays and internal sets, and conversion logic requires public types today. +type Empty struct{} diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/util/sets/string.go b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/util/sets/string.go new file mode 100644 index 0000000000..8af1bac2a2 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/util/sets/string.go @@ -0,0 +1,206 @@ +// Code generated by k8scopy from k8s.io/apimachinery@v0.19.8; DO NOT EDIT. +// File content copied from k8s.io/apimachinery@v0.19.8/pkg/util/sets/string.go + +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package sets + +import ( + "reflect" + "sort" +) + +// sets.String is a set of strings, implemented via map[string]struct{} for minimal memory consumption. +type String map[string]Empty + +// NewString creates a String from a list of values. +func NewString(items ...string) String { + ss := String{} + ss.Insert(items...) + return ss +} + +// StringKeySet creates a String from a keys of a map[string](? extends interface{}). +// If the value passed in is not actually a map, this will panic. +func StringKeySet(theMap interface{}) String { + v := reflect.ValueOf(theMap) + ret := String{} + + for _, keyValue := range v.MapKeys() { + ret.Insert(keyValue.Interface().(string)) + } + return ret +} + +// Insert adds items to the set. +func (s String) Insert(items ...string) String { + for _, item := range items { + s[item] = Empty{} + } + return s +} + +// Delete removes all items from the set. +func (s String) Delete(items ...string) String { + for _, item := range items { + delete(s, item) + } + return s +} + +// Has returns true if and only if item is contained in the set. +func (s String) Has(item string) bool { + _, contained := s[item] + return contained +} + +// HasAll returns true if and only if all items are contained in the set. +func (s String) HasAll(items ...string) bool { + for _, item := range items { + if !s.Has(item) { + return false + } + } + return true +} + +// HasAny returns true if any items are contained in the set. +func (s String) HasAny(items ...string) bool { + for _, item := range items { + if s.Has(item) { + return true + } + } + return false +} + +// Difference returns a set of objects that are not in s2 +// For example: +// s1 = {a1, a2, a3} +// s2 = {a1, a2, a4, a5} +// s1.Difference(s2) = {a3} +// s2.Difference(s1) = {a4, a5} +func (s String) Difference(s2 String) String { + result := NewString() + for key := range s { + if !s2.Has(key) { + result.Insert(key) + } + } + return result +} + +// Union returns a new set which includes items in either s1 or s2. +// For example: +// s1 = {a1, a2} +// s2 = {a3, a4} +// s1.Union(s2) = {a1, a2, a3, a4} +// s2.Union(s1) = {a1, a2, a3, a4} +func (s1 String) Union(s2 String) String { + result := NewString() + for key := range s1 { + result.Insert(key) + } + for key := range s2 { + result.Insert(key) + } + return result +} + +// Intersection returns a new set which includes the item in BOTH s1 and s2 +// For example: +// s1 = {a1, a2} +// s2 = {a2, a3} +// s1.Intersection(s2) = {a2} +func (s1 String) Intersection(s2 String) String { + var walk, other String + result := NewString() + if s1.Len() < s2.Len() { + walk = s1 + other = s2 + } else { + walk = s2 + other = s1 + } + for key := range walk { + if other.Has(key) { + result.Insert(key) + } + } + return result +} + +// IsSuperset returns true if and only if s1 is a superset of s2. +func (s1 String) IsSuperset(s2 String) bool { + for item := range s2 { + if !s1.Has(item) { + return false + } + } + return true +} + +// Equal returns true if and only if s1 is equal (as a set) to s2. +// Two sets are equal if their membership is identical. +// (In practice, this means same elements, order doesn't matter) +func (s1 String) Equal(s2 String) bool { + return len(s1) == len(s2) && s1.IsSuperset(s2) +} + +type sortableSliceOfString []string + +func (s sortableSliceOfString) Len() int { return len(s) } +func (s sortableSliceOfString) Less(i, j int) bool { return lessString(s[i], s[j]) } +func (s sortableSliceOfString) Swap(i, j int) { s[i], s[j] = s[j], s[i] } + +// List returns the contents as a sorted string slice. +func (s String) List() []string { + res := make(sortableSliceOfString, 0, len(s)) + for key := range s { + res = append(res, key) + } + sort.Sort(res) + return []string(res) +} + +// UnsortedList returns the slice with contents in random order. +func (s String) UnsortedList() []string { + res := make([]string, 0, len(s)) + for key := range s { + res = append(res, key) + } + return res +} + +// Returns a single element from the set. +func (s String) PopAny() (string, bool) { + for key := range s { + s.Delete(key) + return key, true + } + var zeroValue string + return zeroValue, false +} + +// Len returns the size of the set. +func (s String) Len() int { + return len(s) +} + +func lessString(lhs, rhs string) bool { + return lhs < rhs +} diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/util/validation/field/errors.go b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/util/validation/field/errors.go new file mode 100644 index 0000000000..20229a5b6c --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/util/validation/field/errors.go @@ -0,0 +1,275 @@ +// Code generated by k8scopy from k8s.io/apimachinery@v0.19.8; DO NOT EDIT. +// File content copied from k8s.io/apimachinery@v0.19.8/pkg/util/validation/field/errors.go + +/* +Copyright 2014 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package field + +import ( + "fmt" + "reflect" + "strconv" + "strings" + + utilerrors "sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/util/errors" + "sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/util/sets" +) + +// Error is an implementation of the 'error' interface, which represents a +// field-level validation error. +type Error struct { + Type ErrorType + Field string + BadValue interface{} + Detail string +} + +var _ error = &Error{} + +// Error implements the error interface. +func (v *Error) Error() string { + return fmt.Sprintf("%s: %s", v.Field, v.ErrorBody()) +} + +// ErrorBody returns the error message without the field name. This is useful +// for building nice-looking higher-level error reporting. +func (v *Error) ErrorBody() string { + var s string + switch v.Type { + case ErrorTypeRequired, ErrorTypeForbidden, ErrorTypeTooLong, ErrorTypeInternal: + s = v.Type.String() + default: + value := v.BadValue + valueType := reflect.TypeOf(value) + if value == nil || valueType == nil { + value = "null" + } else if valueType.Kind() == reflect.Ptr { + if reflectValue := reflect.ValueOf(value); reflectValue.IsNil() { + value = "null" + } else { + value = reflectValue.Elem().Interface() + } + } + switch t := value.(type) { + case int64, int32, float64, float32, bool: + // use simple printer for simple types + s = fmt.Sprintf("%s: %v", v.Type, value) + case string: + s = fmt.Sprintf("%s: %q", v.Type, t) + case fmt.Stringer: + // anything that defines String() is better than raw struct + s = fmt.Sprintf("%s: %s", v.Type, t.String()) + default: + // fallback to raw struct + // TODO: internal types have panic guards against json.Marshalling to prevent + // accidental use of internal types in external serialized form. For now, use + // %#v, although it would be better to show a more expressive output in the future + s = fmt.Sprintf("%s: %#v", v.Type, value) + } + } + if len(v.Detail) != 0 { + s += fmt.Sprintf(": %s", v.Detail) + } + return s +} + +// ErrorType is a machine readable value providing more detail about why +// a field is invalid. These values are expected to match 1-1 with +// CauseType in api/types.go. +type ErrorType string + +// TODO: These values are duplicated in api/types.go, but there's a circular dep. Fix it. +const ( + // ErrorTypeNotFound is used to report failure to find a requested value + // (e.g. looking up an ID). See NotFound(). + ErrorTypeNotFound ErrorType = "FieldValueNotFound" + // ErrorTypeRequired is used to report required values that are not + // provided (e.g. empty strings, null values, or empty arrays). See + // Required(). + ErrorTypeRequired ErrorType = "FieldValueRequired" + // ErrorTypeDuplicate is used to report collisions of values that must be + // unique (e.g. unique IDs). See Duplicate(). + ErrorTypeDuplicate ErrorType = "FieldValueDuplicate" + // ErrorTypeInvalid is used to report malformed values (e.g. failed regex + // match, too long, out of bounds). See Invalid(). + ErrorTypeInvalid ErrorType = "FieldValueInvalid" + // ErrorTypeNotSupported is used to report unknown values for enumerated + // fields (e.g. a list of valid values). See NotSupported(). + ErrorTypeNotSupported ErrorType = "FieldValueNotSupported" + // ErrorTypeForbidden is used to report valid (as per formatting rules) + // values which would be accepted under some conditions, but which are not + // permitted by the current conditions (such as security policy). See + // Forbidden(). + ErrorTypeForbidden ErrorType = "FieldValueForbidden" + // ErrorTypeTooLong is used to report that the given value is too long. + // This is similar to ErrorTypeInvalid, but the error will not include the + // too-long value. See TooLong(). + ErrorTypeTooLong ErrorType = "FieldValueTooLong" + // ErrorTypeTooMany is used to report "too many". This is used to + // report that a given list has too many items. This is similar to FieldValueTooLong, + // but the error indicates quantity instead of length. + ErrorTypeTooMany ErrorType = "FieldValueTooMany" + // ErrorTypeInternal is used to report other errors that are not related + // to user input. See InternalError(). + ErrorTypeInternal ErrorType = "InternalError" +) + +// String converts a ErrorType into its corresponding canonical error message. +func (t ErrorType) String() string { + switch t { + case ErrorTypeNotFound: + return "Not found" + case ErrorTypeRequired: + return "Required value" + case ErrorTypeDuplicate: + return "Duplicate value" + case ErrorTypeInvalid: + return "Invalid value" + case ErrorTypeNotSupported: + return "Unsupported value" + case ErrorTypeForbidden: + return "Forbidden" + case ErrorTypeTooLong: + return "Too long" + case ErrorTypeTooMany: + return "Too many" + case ErrorTypeInternal: + return "Internal error" + default: + panic(fmt.Sprintf("unrecognized validation error: %q", string(t))) + } +} + +// NotFound returns a *Error indicating "value not found". This is +// used to report failure to find a requested value (e.g. looking up an ID). +func NotFound(field *Path, value interface{}) *Error { + return &Error{ErrorTypeNotFound, field.String(), value, ""} +} + +// Required returns a *Error indicating "value required". This is used +// to report required values that are not provided (e.g. empty strings, null +// values, or empty arrays). +func Required(field *Path, detail string) *Error { + return &Error{ErrorTypeRequired, field.String(), "", detail} +} + +// Duplicate returns a *Error indicating "duplicate value". This is +// used to report collisions of values that must be unique (e.g. names or IDs). +func Duplicate(field *Path, value interface{}) *Error { + return &Error{ErrorTypeDuplicate, field.String(), value, ""} +} + +// Invalid returns a *Error indicating "invalid value". This is used +// to report malformed values (e.g. failed regex match, too long, out of bounds). +func Invalid(field *Path, value interface{}, detail string) *Error { + return &Error{ErrorTypeInvalid, field.String(), value, detail} +} + +// NotSupported returns a *Error indicating "unsupported value". +// This is used to report unknown values for enumerated fields (e.g. a list of +// valid values). +func NotSupported(field *Path, value interface{}, validValues []string) *Error { + detail := "" + if validValues != nil && len(validValues) > 0 { + quotedValues := make([]string, len(validValues)) + for i, v := range validValues { + quotedValues[i] = strconv.Quote(v) + } + detail = "supported values: " + strings.Join(quotedValues, ", ") + } + return &Error{ErrorTypeNotSupported, field.String(), value, detail} +} + +// Forbidden returns a *Error indicating "forbidden". This is used to +// report valid (as per formatting rules) values which would be accepted under +// some conditions, but which are not permitted by current conditions (e.g. +// security policy). +func Forbidden(field *Path, detail string) *Error { + return &Error{ErrorTypeForbidden, field.String(), "", detail} +} + +// TooLong returns a *Error indicating "too long". This is used to +// report that the given value is too long. This is similar to +// Invalid, but the returned error will not include the too-long +// value. +func TooLong(field *Path, value interface{}, maxLength int) *Error { + return &Error{ErrorTypeTooLong, field.String(), value, fmt.Sprintf("must have at most %d bytes", maxLength)} +} + +// TooMany returns a *Error indicating "too many". This is used to +// report that a given list has too many items. This is similar to TooLong, +// but the returned error indicates quantity instead of length. +func TooMany(field *Path, actualQuantity, maxQuantity int) *Error { + return &Error{ErrorTypeTooMany, field.String(), actualQuantity, fmt.Sprintf("must have at most %d items", maxQuantity)} +} + +// InternalError returns a *Error indicating "internal error". This is used +// to signal that an error was found that was not directly related to user +// input. The err argument must be non-nil. +func InternalError(field *Path, err error) *Error { + return &Error{ErrorTypeInternal, field.String(), nil, err.Error()} +} + +// ErrorList holds a set of Errors. It is plausible that we might one day have +// non-field errors in this same umbrella package, but for now we don't, so +// we can keep it simple and leave ErrorList here. +type ErrorList []*Error + +// NewErrorTypeMatcher returns an errors.Matcher that returns true +// if the provided error is a Error and has the provided ErrorType. +func NewErrorTypeMatcher(t ErrorType) utilerrors.Matcher { + return func(err error) bool { + if e, ok := err.(*Error); ok { + return e.Type == t + } + return false + } +} + +// ToAggregate converts the ErrorList into an errors.Aggregate. +func (list ErrorList) ToAggregate() utilerrors.Aggregate { + errs := make([]error, 0, len(list)) + errorMsgs := sets.NewString() + for _, err := range list { + msg := fmt.Sprintf("%v", err) + if errorMsgs.Has(msg) { + continue + } + errorMsgs.Insert(msg) + errs = append(errs, err) + } + return utilerrors.NewAggregate(errs) +} + +func fromAggregate(agg utilerrors.Aggregate) ErrorList { + errs := agg.Errors() + list := make(ErrorList, len(errs)) + for i := range errs { + list[i] = errs[i].(*Error) + } + return list +} + +// Filter removes items from the ErrorList that match the provided fns. +func (list ErrorList) Filter(fns ...utilerrors.Matcher) ErrorList { + err := utilerrors.FilterOut(list.ToAggregate(), fns...) + if err == nil { + return nil + } + // FilterOut takes an Aggregate and returns an Aggregate + return fromAggregate(err.(utilerrors.Aggregate)) +} diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/util/validation/field/path.go b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/util/validation/field/path.go new file mode 100644 index 0000000000..44cdf997a3 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/util/validation/field/path.go @@ -0,0 +1,94 @@ +// Code generated by k8scopy from k8s.io/apimachinery@v0.19.8; DO NOT EDIT. +// File content copied from k8s.io/apimachinery@v0.19.8/pkg/util/validation/field/path.go + +/* +Copyright 2015 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package field + +import ( + "bytes" + "fmt" + "strconv" +) + +// Path represents the path from some root to a particular field. +type Path struct { + name string // the name of this field or "" if this is an index + index string // if name == "", this is a subscript (index or map key) of the previous element + parent *Path // nil if this is the root element +} + +// NewPath creates a root Path object. +func NewPath(name string, moreNames ...string) *Path { + r := &Path{name: name, parent: nil} + for _, anotherName := range moreNames { + r = &Path{name: anotherName, parent: r} + } + return r +} + +// Root returns the root element of this Path. +func (p *Path) Root() *Path { + for ; p.parent != nil; p = p.parent { + // Do nothing. + } + return p +} + +// Child creates a new Path that is a child of the method receiver. +func (p *Path) Child(name string, moreNames ...string) *Path { + r := NewPath(name, moreNames...) + r.Root().parent = p + return r +} + +// Index indicates that the previous Path is to be subscripted by an int. +// This sets the same underlying value as Key. +func (p *Path) Index(index int) *Path { + return &Path{index: strconv.Itoa(index), parent: p} +} + +// Key indicates that the previous Path is to be subscripted by a string. +// This sets the same underlying value as Index. +func (p *Path) Key(key string) *Path { + return &Path{index: key, parent: p} +} + +// String produces a string representation of the Path. +func (p *Path) String() string { + // make a slice to iterate + elems := []*Path{} + for ; p != nil; p = p.parent { + elems = append(elems, p) + } + + // iterate, but it has to be backwards + buf := bytes.NewBuffer(nil) + for i := range elems { + p := elems[len(elems)-1-i] + if p.parent != nil && len(p.name) > 0 { + // This is either the root or it is a subscript. + buf.WriteString(".") + } + if len(p.name) > 0 { + buf.WriteString(p.name) + } else { + fmt.Fprintf(buf, "[%s]", p.index) + } + } + return buf.String() +} diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/util/validation/validation.go b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/util/validation/validation.go new file mode 100644 index 0000000000..5e1ddbc469 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/util/validation/validation.go @@ -0,0 +1,506 @@ +// Code generated by k8scopy from k8s.io/apimachinery@v0.19.8; DO NOT EDIT. +// File content copied from k8s.io/apimachinery@v0.19.8/pkg/util/validation/validation.go + +/* +Copyright 2014 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package validation + +import ( + "fmt" + "math" + "net" + "regexp" + "strconv" + "strings" + + "sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/util/validation/field" +) + +const qnameCharFmt string = "[A-Za-z0-9]" +const qnameExtCharFmt string = "[-A-Za-z0-9_.]" +const qualifiedNameFmt string = "(" + qnameCharFmt + qnameExtCharFmt + "*)?" + qnameCharFmt +const qualifiedNameErrMsg string = "must consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character" +const qualifiedNameMaxLength int = 63 + +var qualifiedNameRegexp = regexp.MustCompile("^" + qualifiedNameFmt + "$") + +// IsQualifiedName tests whether the value passed is what Kubernetes calls a +// "qualified name". This is a format used in various places throughout the +// system. If the value is not valid, a list of error strings is returned. +// Otherwise an empty list (or nil) is returned. +func IsQualifiedName(value string) []string { + var errs []string + parts := strings.Split(value, "/") + var name string + switch len(parts) { + case 1: + name = parts[0] + case 2: + var prefix string + prefix, name = parts[0], parts[1] + if len(prefix) == 0 { + errs = append(errs, "prefix part "+EmptyError()) + } else if msgs := IsDNS1123Subdomain(prefix); len(msgs) != 0 { + errs = append(errs, prefixEach(msgs, "prefix part ")...) + } + default: + return append(errs, "a qualified name "+RegexError(qualifiedNameErrMsg, qualifiedNameFmt, "MyName", "my.name", "123-abc")+ + " with an optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')") + } + + if len(name) == 0 { + errs = append(errs, "name part "+EmptyError()) + } else if len(name) > qualifiedNameMaxLength { + errs = append(errs, "name part "+MaxLenError(qualifiedNameMaxLength)) + } + if !qualifiedNameRegexp.MatchString(name) { + errs = append(errs, "name part "+RegexError(qualifiedNameErrMsg, qualifiedNameFmt, "MyName", "my.name", "123-abc")) + } + return errs +} + +// IsFullyQualifiedName checks if the name is fully qualified. This is similar +// to IsFullyQualifiedDomainName but requires a minimum of 3 segments instead of +// 2 and does not accept a trailing . as valid. +// TODO: This function is deprecated and preserved until all callers migrate to +// IsFullyQualifiedDomainName; please don't add new callers. +func IsFullyQualifiedName(fldPath *field.Path, name string) field.ErrorList { + var allErrors field.ErrorList + if len(name) == 0 { + return append(allErrors, field.Required(fldPath, "")) + } + if errs := IsDNS1123Subdomain(name); len(errs) > 0 { + return append(allErrors, field.Invalid(fldPath, name, strings.Join(errs, ","))) + } + if len(strings.Split(name, ".")) < 3 { + return append(allErrors, field.Invalid(fldPath, name, "should be a domain with at least three segments separated by dots")) + } + return allErrors +} + +// IsFullyQualifiedDomainName checks if the domain name is fully qualified. This +// is similar to IsFullyQualifiedName but only requires a minimum of 2 segments +// instead of 3 and accepts a trailing . as valid. +func IsFullyQualifiedDomainName(fldPath *field.Path, name string) field.ErrorList { + var allErrors field.ErrorList + if len(name) == 0 { + return append(allErrors, field.Required(fldPath, "")) + } + if strings.HasSuffix(name, ".") { + name = name[:len(name)-1] + } + if errs := IsDNS1123Subdomain(name); len(errs) > 0 { + return append(allErrors, field.Invalid(fldPath, name, strings.Join(errs, ","))) + } + if len(strings.Split(name, ".")) < 2 { + return append(allErrors, field.Invalid(fldPath, name, "should be a domain with at least two segments separated by dots")) + } + for _, label := range strings.Split(name, ".") { + if errs := IsDNS1123Label(label); len(errs) > 0 { + return append(allErrors, field.Invalid(fldPath, label, strings.Join(errs, ","))) + } + } + return allErrors +} + +// Allowed characters in an HTTP Path as defined by RFC 3986. A HTTP path may +// contain: +// * unreserved characters (alphanumeric, '-', '.', '_', '~') +// * percent-encoded octets +// * sub-delims ("!", "$", "&", "'", "(", ")", "*", "+", ",", ";", "=") +// * a colon character (":") +const httpPathFmt string = `[A-Za-z0-9/\-._~%!$&'()*+,;=:]+` + +var httpPathRegexp = regexp.MustCompile("^" + httpPathFmt + "$") + +// IsDomainPrefixedPath checks if the given string is a domain-prefixed path +// (e.g. acme.io/foo). All characters before the first "/" must be a valid +// subdomain as defined by RFC 1123. All characters trailing the first "/" must +// be valid HTTP Path characters as defined by RFC 3986. +func IsDomainPrefixedPath(fldPath *field.Path, dpPath string) field.ErrorList { + var allErrs field.ErrorList + if len(dpPath) == 0 { + return append(allErrs, field.Required(fldPath, "")) + } + + segments := strings.SplitN(dpPath, "/", 2) + if len(segments) != 2 || len(segments[0]) == 0 || len(segments[1]) == 0 { + return append(allErrs, field.Invalid(fldPath, dpPath, "must be a domain-prefixed path (such as \"acme.io/foo\")")) + } + + host := segments[0] + for _, err := range IsDNS1123Subdomain(host) { + allErrs = append(allErrs, field.Invalid(fldPath, host, err)) + } + + path := segments[1] + if !httpPathRegexp.MatchString(path) { + return append(allErrs, field.Invalid(fldPath, path, RegexError("Invalid path", httpPathFmt))) + } + + return allErrs +} + +const labelValueFmt string = "(" + qualifiedNameFmt + ")?" +const labelValueErrMsg string = "a valid label must be an empty string or consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character" + +// LabelValueMaxLength is a label's max length +const LabelValueMaxLength int = 63 + +var labelValueRegexp = regexp.MustCompile("^" + labelValueFmt + "$") + +// IsValidLabelValue tests whether the value passed is a valid label value. If +// the value is not valid, a list of error strings is returned. Otherwise an +// empty list (or nil) is returned. +func IsValidLabelValue(value string) []string { + var errs []string + if len(value) > LabelValueMaxLength { + errs = append(errs, MaxLenError(LabelValueMaxLength)) + } + if !labelValueRegexp.MatchString(value) { + errs = append(errs, RegexError(labelValueErrMsg, labelValueFmt, "MyValue", "my_value", "12345")) + } + return errs +} + +const dns1123LabelFmt string = "[a-z0-9]([-a-z0-9]*[a-z0-9])?" +const dns1123LabelErrMsg string = "a DNS-1123 label must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character" + +// DNS1123LabelMaxLength is a label's max length in DNS (RFC 1123) +const DNS1123LabelMaxLength int = 63 + +var dns1123LabelRegexp = regexp.MustCompile("^" + dns1123LabelFmt + "$") + +// IsDNS1123Label tests for a string that conforms to the definition of a label in +// DNS (RFC 1123). +func IsDNS1123Label(value string) []string { + var errs []string + if len(value) > DNS1123LabelMaxLength { + errs = append(errs, MaxLenError(DNS1123LabelMaxLength)) + } + if !dns1123LabelRegexp.MatchString(value) { + errs = append(errs, RegexError(dns1123LabelErrMsg, dns1123LabelFmt, "my-name", "123-abc")) + } + return errs +} + +const dns1123SubdomainFmt string = dns1123LabelFmt + "(\\." + dns1123LabelFmt + ")*" +const dns1123SubdomainErrorMsg string = "a DNS-1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character" + +// DNS1123SubdomainMaxLength is a subdomain's max length in DNS (RFC 1123) +const DNS1123SubdomainMaxLength int = 253 + +var dns1123SubdomainRegexp = regexp.MustCompile("^" + dns1123SubdomainFmt + "$") + +// IsDNS1123Subdomain tests for a string that conforms to the definition of a +// subdomain in DNS (RFC 1123). +func IsDNS1123Subdomain(value string) []string { + var errs []string + if len(value) > DNS1123SubdomainMaxLength { + errs = append(errs, MaxLenError(DNS1123SubdomainMaxLength)) + } + if !dns1123SubdomainRegexp.MatchString(value) { + errs = append(errs, RegexError(dns1123SubdomainErrorMsg, dns1123SubdomainFmt, "example.com")) + } + return errs +} + +const dns1035LabelFmt string = "[a-z]([-a-z0-9]*[a-z0-9])?" +const dns1035LabelErrMsg string = "a DNS-1035 label must consist of lower case alphanumeric characters or '-', start with an alphabetic character, and end with an alphanumeric character" + +// DNS1035LabelMaxLength is a label's max length in DNS (RFC 1035) +const DNS1035LabelMaxLength int = 63 + +var dns1035LabelRegexp = regexp.MustCompile("^" + dns1035LabelFmt + "$") + +// IsDNS1035Label tests for a string that conforms to the definition of a label in +// DNS (RFC 1035). +func IsDNS1035Label(value string) []string { + var errs []string + if len(value) > DNS1035LabelMaxLength { + errs = append(errs, MaxLenError(DNS1035LabelMaxLength)) + } + if !dns1035LabelRegexp.MatchString(value) { + errs = append(errs, RegexError(dns1035LabelErrMsg, dns1035LabelFmt, "my-name", "abc-123")) + } + return errs +} + +// wildcard definition - RFC 1034 section 4.3.3. +// examples: +// - valid: *.bar.com, *.foo.bar.com +// - invalid: *.*.bar.com, *.foo.*.com, *bar.com, f*.bar.com, * +const wildcardDNS1123SubdomainFmt = "\\*\\." + dns1123SubdomainFmt +const wildcardDNS1123SubdomainErrMsg = "a wildcard DNS-1123 subdomain must start with '*.', followed by a valid DNS subdomain, which must consist of lower case alphanumeric characters, '-' or '.' and end with an alphanumeric character" + +// IsWildcardDNS1123Subdomain tests for a string that conforms to the definition of a +// wildcard subdomain in DNS (RFC 1034 section 4.3.3). +func IsWildcardDNS1123Subdomain(value string) []string { + wildcardDNS1123SubdomainRegexp := regexp.MustCompile("^" + wildcardDNS1123SubdomainFmt + "$") + + var errs []string + if len(value) > DNS1123SubdomainMaxLength { + errs = append(errs, MaxLenError(DNS1123SubdomainMaxLength)) + } + if !wildcardDNS1123SubdomainRegexp.MatchString(value) { + errs = append(errs, RegexError(wildcardDNS1123SubdomainErrMsg, wildcardDNS1123SubdomainFmt, "*.example.com")) + } + return errs +} + +const cIdentifierFmt string = "[A-Za-z_][A-Za-z0-9_]*" +const identifierErrMsg string = "a valid C identifier must start with alphabetic character or '_', followed by a string of alphanumeric characters or '_'" + +var cIdentifierRegexp = regexp.MustCompile("^" + cIdentifierFmt + "$") + +// IsCIdentifier tests for a string that conforms the definition of an identifier +// in C. This checks the format, but not the length. +func IsCIdentifier(value string) []string { + if !cIdentifierRegexp.MatchString(value) { + return []string{RegexError(identifierErrMsg, cIdentifierFmt, "my_name", "MY_NAME", "MyName")} + } + return nil +} + +// IsValidPortNum tests that the argument is a valid, non-zero port number. +func IsValidPortNum(port int) []string { + if 1 <= port && port <= 65535 { + return nil + } + return []string{InclusiveRangeError(1, 65535)} +} + +// IsInRange tests that the argument is in an inclusive range. +func IsInRange(value int, min int, max int) []string { + if value >= min && value <= max { + return nil + } + return []string{InclusiveRangeError(min, max)} +} + +// Now in libcontainer UID/GID limits is 0 ~ 1<<31 - 1 +// TODO: once we have a type for UID/GID we should make these that type. +const ( + minUserID = 0 + maxUserID = math.MaxInt32 + minGroupID = 0 + maxGroupID = math.MaxInt32 +) + +// IsValidGroupID tests that the argument is a valid Unix GID. +func IsValidGroupID(gid int64) []string { + if minGroupID <= gid && gid <= maxGroupID { + return nil + } + return []string{InclusiveRangeError(minGroupID, maxGroupID)} +} + +// IsValidUserID tests that the argument is a valid Unix UID. +func IsValidUserID(uid int64) []string { + if minUserID <= uid && uid <= maxUserID { + return nil + } + return []string{InclusiveRangeError(minUserID, maxUserID)} +} + +var portNameCharsetRegex = regexp.MustCompile("^[-a-z0-9]+$") +var portNameOneLetterRegexp = regexp.MustCompile("[a-z]") + +// IsValidPortName check that the argument is valid syntax. It must be +// non-empty and no more than 15 characters long. It may contain only [-a-z0-9] +// and must contain at least one letter [a-z]. It must not start or end with a +// hyphen, nor contain adjacent hyphens. +// +// Note: We only allow lower-case characters, even though RFC 6335 is case +// insensitive. +func IsValidPortName(port string) []string { + var errs []string + if len(port) > 15 { + errs = append(errs, MaxLenError(15)) + } + if !portNameCharsetRegex.MatchString(port) { + errs = append(errs, "must contain only alpha-numeric characters (a-z, 0-9), and hyphens (-)") + } + if !portNameOneLetterRegexp.MatchString(port) { + errs = append(errs, "must contain at least one letter or number (a-z, 0-9)") + } + if strings.Contains(port, "--") { + errs = append(errs, "must not contain consecutive hyphens") + } + if len(port) > 0 && (port[0] == '-' || port[len(port)-1] == '-') { + errs = append(errs, "must not begin or end with a hyphen") + } + return errs +} + +// IsValidIP tests that the argument is a valid IP address. +func IsValidIP(value string) []string { + if net.ParseIP(value) == nil { + return []string{"must be a valid IP address, (e.g. 10.9.8.7)"} + } + return nil +} + +// IsValidIPv4Address tests that the argument is a valid IPv4 address. +func IsValidIPv4Address(fldPath *field.Path, value string) field.ErrorList { + var allErrors field.ErrorList + ip := net.ParseIP(value) + if ip == nil || ip.To4() == nil { + allErrors = append(allErrors, field.Invalid(fldPath, value, "must be a valid IPv4 address")) + } + return allErrors +} + +// IsValidIPv6Address tests that the argument is a valid IPv6 address. +func IsValidIPv6Address(fldPath *field.Path, value string) field.ErrorList { + var allErrors field.ErrorList + ip := net.ParseIP(value) + if ip == nil || ip.To4() != nil { + allErrors = append(allErrors, field.Invalid(fldPath, value, "must be a valid IPv6 address")) + } + return allErrors +} + +const percentFmt string = "[0-9]+%" +const percentErrMsg string = "a valid percent string must be a numeric string followed by an ending '%'" + +var percentRegexp = regexp.MustCompile("^" + percentFmt + "$") + +// IsValidPercent checks that string is in the form of a percentage +func IsValidPercent(percent string) []string { + if !percentRegexp.MatchString(percent) { + return []string{RegexError(percentErrMsg, percentFmt, "1%", "93%")} + } + return nil +} + +const httpHeaderNameFmt string = "[-A-Za-z0-9]+" +const httpHeaderNameErrMsg string = "a valid HTTP header must consist of alphanumeric characters or '-'" + +var httpHeaderNameRegexp = regexp.MustCompile("^" + httpHeaderNameFmt + "$") + +// IsHTTPHeaderName checks that a string conforms to the Go HTTP library's +// definition of a valid header field name (a stricter subset than RFC7230). +func IsHTTPHeaderName(value string) []string { + if !httpHeaderNameRegexp.MatchString(value) { + return []string{RegexError(httpHeaderNameErrMsg, httpHeaderNameFmt, "X-Header-Name")} + } + return nil +} + +const envVarNameFmt = "[-._a-zA-Z][-._a-zA-Z0-9]*" +const envVarNameFmtErrMsg string = "a valid environment variable name must consist of alphabetic characters, digits, '_', '-', or '.', and must not start with a digit" + +var envVarNameRegexp = regexp.MustCompile("^" + envVarNameFmt + "$") + +// IsEnvVarName tests if a string is a valid environment variable name. +func IsEnvVarName(value string) []string { + var errs []string + if !envVarNameRegexp.MatchString(value) { + errs = append(errs, RegexError(envVarNameFmtErrMsg, envVarNameFmt, "my.env-name", "MY_ENV.NAME", "MyEnvName1")) + } + + errs = append(errs, hasChDirPrefix(value)...) + return errs +} + +const configMapKeyFmt = `[-._a-zA-Z0-9]+` +const configMapKeyErrMsg string = "a valid config key must consist of alphanumeric characters, '-', '_' or '.'" + +var configMapKeyRegexp = regexp.MustCompile("^" + configMapKeyFmt + "$") + +// IsConfigMapKey tests for a string that is a valid key for a ConfigMap or Secret +func IsConfigMapKey(value string) []string { + var errs []string + if len(value) > DNS1123SubdomainMaxLength { + errs = append(errs, MaxLenError(DNS1123SubdomainMaxLength)) + } + if !configMapKeyRegexp.MatchString(value) { + errs = append(errs, RegexError(configMapKeyErrMsg, configMapKeyFmt, "key.name", "KEY_NAME", "key-name")) + } + errs = append(errs, hasChDirPrefix(value)...) + return errs +} + +// MaxLenError returns a string explanation of a "string too long" validation +// failure. +func MaxLenError(length int) string { + return fmt.Sprintf("must be no more than %d characters", length) +} + +// RegexError returns a string explanation of a regex validation failure. +func RegexError(msg string, fmt string, examples ...string) string { + if len(examples) == 0 { + return msg + " (regex used for validation is '" + fmt + "')" + } + msg += " (e.g. " + for i := range examples { + if i > 0 { + msg += " or " + } + msg += "'" + examples[i] + "', " + } + msg += "regex used for validation is '" + fmt + "')" + return msg +} + +// EmptyError returns a string explanation of a "must not be empty" validation +// failure. +func EmptyError() string { + return "must be non-empty" +} + +func prefixEach(msgs []string, prefix string) []string { + for i := range msgs { + msgs[i] = prefix + msgs[i] + } + return msgs +} + +// InclusiveRangeError returns a string explanation of a numeric "must be +// between" validation failure. +func InclusiveRangeError(lo, hi int) string { + return fmt.Sprintf(`must be between %d and %d, inclusive`, lo, hi) +} + +func hasChDirPrefix(value string) []string { + var errs []string + switch { + case value == ".": + errs = append(errs, `must not be '.'`) + case value == "..": + errs = append(errs, `must not be '..'`) + case strings.HasPrefix(value, ".."): + errs = append(errs, `must not start with '..'`) + } + return errs +} + +// IsValidSocketAddr checks that string represents a valid socket address +// as defined in RFC 789. (e.g 0.0.0.0:10254 or [::]:10254)) +func IsValidSocketAddr(value string) []string { + var errs []string + ip, port, err := net.SplitHostPort(value) + if err != nil { + errs = append(errs, "must be a valid socket address format, (e.g. 0.0.0.0:10254 or [::]:10254)") + return errs + } + portInt, _ := strconv.Atoi(port) + errs = append(errs, IsValidPortNum(portInt)...) + errs = append(errs, IsValidIP(ip)...) + return errs +} diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/yaml/kfns.go b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/kfns.go new file mode 100644 index 0000000000..a7d9016727 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/kfns.go @@ -0,0 +1,137 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package yaml + +import ( + "sigs.k8s.io/kustomize/kyaml/errors" + yaml "sigs.k8s.io/yaml/goyaml.v3" +) + +// AnnotationClearer removes an annotation at metadata.annotations. +// Returns nil if the annotation or field does not exist. +type AnnotationClearer struct { + Kind string `yaml:"kind,omitempty"` + Key string `yaml:"key,omitempty"` +} + +func (c AnnotationClearer) Filter(rn *RNode) (*RNode, error) { + return rn.Pipe( + PathGetter{Path: []string{MetadataField, AnnotationsField}}, + FieldClearer{Name: c.Key}) +} + +func ClearAnnotation(key string) AnnotationClearer { + return AnnotationClearer{Key: key} +} + +// ClearEmptyAnnotations clears the keys, annotations +// and metadata if they are empty/null +func ClearEmptyAnnotations(rn *RNode) error { + _, err := rn.Pipe(Lookup(MetadataField), FieldClearer{ + Name: AnnotationsField, IfEmpty: true}) + if err != nil { + return errors.Wrap(err) + } + _, err = rn.Pipe(FieldClearer{Name: MetadataField, IfEmpty: true}) + if err != nil { + return errors.Wrap(err) + } + return nil +} + +// k8sMetaSetter sets a name at metadata.{key}. +// Creates metadata if does not exist. +type k8sMetaSetter struct { + Key string `yaml:"key,omitempty"` + Value string `yaml:"value,omitempty"` +} + +func (s k8sMetaSetter) Filter(rn *RNode) (*RNode, error) { + _, err := rn.Pipe( + PathGetter{Path: []string{MetadataField}, Create: yaml.MappingNode}, + FieldSetter{Name: s.Key, Value: NewStringRNode(s.Value)}) + return rn, err +} + +func SetK8sName(value string) k8sMetaSetter { + return k8sMetaSetter{Key: NameField, Value: value} +} + +func SetK8sNamespace(value string) k8sMetaSetter { + return k8sMetaSetter{Key: NamespaceField, Value: value} +} + +// AnnotationSetter sets an annotation at metadata.annotations. +// Creates metadata.annotations if does not exist. +type AnnotationSetter struct { + Kind string `yaml:"kind,omitempty"` + Key string `yaml:"key,omitempty"` + Value string `yaml:"value,omitempty"` +} + +func (s AnnotationSetter) Filter(rn *RNode) (*RNode, error) { + v := NewStringRNode(s.Value) + // some tools get confused about the type if annotations are not quoted + v.YNode().Style = yaml.SingleQuotedStyle + if err := ClearEmptyAnnotations(rn); err != nil { + return nil, err + } + return addMetadataNode(rn, AnnotationsField, s.Key, v) +} + +func SetAnnotation(key, value string) AnnotationSetter { + return AnnotationSetter{Key: key, Value: value} +} + +// AnnotationGetter gets an annotation at metadata.annotations. +// Returns nil if metadata.annotations does not exist. +type AnnotationGetter struct { + Kind string `yaml:"kind,omitempty"` + Key string `yaml:"key,omitempty"` + Value string `yaml:"value,omitempty"` +} + +// AnnotationGetter returns the annotation value. +// Returns "", nil if the annotation does not exist. +func (g AnnotationGetter) Filter(rn *RNode) (*RNode, error) { + v, err := rn.Pipe( + PathGetter{Path: []string{MetadataField, AnnotationsField, g.Key}}) + if v == nil || err != nil { + return v, err + } + if g.Value == "" || v.value.Value == g.Value { + return v, err + } + return nil, err +} + +func GetAnnotation(key string) AnnotationGetter { + return AnnotationGetter{Key: key} +} + +// LabelSetter sets a label at metadata.labels. +// Creates metadata.labels if does not exist. +type LabelSetter struct { + Kind string `yaml:"kind,omitempty"` + Key string `yaml:"key,omitempty"` + Value string `yaml:"value,omitempty"` +} + +func (s LabelSetter) Filter(rn *RNode) (*RNode, error) { + v := NewStringRNode(s.Value) + // some tools get confused about the type if labels are not quoted + v.YNode().Style = yaml.SingleQuotedStyle + return addMetadataNode(rn, LabelsField, s.Key, v) +} + +func addMetadataNode(rn *RNode, field, key string, v *RNode) (*RNode, error) { + return rn.Pipe( + PathGetter{ + Path: []string{MetadataField, field}, Create: yaml.MappingNode}, + FieldSetter{Name: key, Value: v}) +} + +func SetLabel(key, value string) LabelSetter { + return LabelSetter{Key: key, Value: value} +} diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/yaml/mapnode.go b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/mapnode.go new file mode 100644 index 0000000000..31b41b40fb --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/mapnode.go @@ -0,0 +1,40 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package yaml + +// MapNode wraps a field key and value. +type MapNode struct { + Key *RNode + Value *RNode +} + +// IsNilOrEmpty returns true if the MapNode is nil, +// has no value, or has a value that appears empty. +func (mn *MapNode) IsNilOrEmpty() bool { + return mn == nil || mn.Value.IsNilOrEmpty() +} + +type MapNodeSlice []*MapNode + +func (m MapNodeSlice) Keys() []*RNode { + var keys []*RNode + for i := range m { + if m[i] != nil { + keys = append(keys, m[i].Key) + } + } + return keys +} + +func (m MapNodeSlice) Values() []*RNode { + var values []*RNode + for i := range m { + if m[i] != nil { + values = append(values, m[i].Value) + } else { + values = append(values, nil) + } + } + return values +} diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/yaml/match.go b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/match.go new file mode 100644 index 0000000000..8e40d4c2b2 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/match.go @@ -0,0 +1,333 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package yaml + +import ( + "fmt" + "regexp" + "strconv" + "strings" + + "sigs.k8s.io/kustomize/kyaml/errors" + yaml "sigs.k8s.io/yaml/goyaml.v3" +) + +// PathMatcher returns all RNodes matching the path wrapped in a SequenceNode. +// Lists may have multiple elements matching the path, and each matching element +// is added to the return result. +// If Path points to a SequenceNode, the SequenceNode is wrapped in another SequenceNode +// If Path does not contain any lists, the result is still wrapped in a SequenceNode of len == 1 +type PathMatcher struct { + Kind string `yaml:"kind,omitempty"` + + // Path is a slice of parts leading to the RNode to lookup. + // Each path part may be one of: + // * FieldMatcher -- e.g. "spec" + // * Map Key -- e.g. "app.k8s.io/version" + // * List Entry -- e.g. "[name=nginx]" or "[=-jar]" or "0" + // + // Map Keys and Fields are equivalent. + // See FieldMatcher for more on Fields and Map Keys. + // + // List Entries are specified as map entry to match [fieldName=fieldValue]. + // See Elem for more on List Entries. + // + // Examples: + // * spec.template.spec.container with matching name: [name=nginx] -- match 'name': 'nginx' + // * spec.template.spec.container.argument matching a value: [=-jar] -- match '-jar' + Path []string `yaml:"path,omitempty"` + + // Matches is set by PathMatch to publish the matched element values for each node. + // After running PathMatcher.Filter, each node from the SequenceNode result may be + // looked up in Matches to find the field values that were matched. + Matches map[*Node][]string + + // StripComments may be set to remove the comments on the matching Nodes. + // This is useful for if the nodes are to be printed in FlowStyle. + StripComments bool + + // Create will cause missing path parts to be created as they are walked. + // + // * The leaf Node (final path) will be created with a Kind matching Create + // * Intermediary Nodes will be created as either a MappingNodes or + // SequenceNodes as appropriate for each's Path location. + // * Nodes identified by an index will only be created if the index indicates + // an append operation (i.e. index=len(list)) + Create yaml.Kind `yaml:"create,omitempty"` + + val *RNode + field string + matchRegex string +} + +func (p *PathMatcher) stripComments(n *Node) { + if n == nil { + return + } + if p.StripComments { + n.LineComment = "" + n.HeadComment = "" + n.FootComment = "" + for i := range n.Content { + p.stripComments(n.Content[i]) + } + } +} + +func (p *PathMatcher) Filter(rn *RNode) (*RNode, error) { + val, err := p.filter(rn) + if err != nil { + return nil, err + } + p.stripComments(val.YNode()) + return val, err +} + +func (p *PathMatcher) filter(rn *RNode) (*RNode, error) { + p.Matches = map[*Node][]string{} + + if len(p.Path) == 0 { + // return the element wrapped in a SequenceNode + p.appendRNode("", rn) + return p.val, nil + } + + if IsIdxNumber(p.Path[0]) { + return p.doIndexSeq(rn) + } + + if IsListIndex(p.Path[0]) { + // match seq elements + return p.doSeq(rn) + } + + if IsWildcard(p.Path[0]) { + // match every elements (*) + return p.doMatchEvery(rn) + } + // match a field + return p.doField(rn) +} + +func (p *PathMatcher) doMatchEvery(rn *RNode) (*RNode, error) { + if err := rn.VisitElements(p.visitEveryElem); err != nil { + return nil, err + } + + return p.val, nil +} + +func (p *PathMatcher) visitEveryElem(elem *RNode) error { + fieldName := p.Path[0] + // recurse on the matching element + pm := &PathMatcher{Path: p.Path[1:], Create: p.Create} + add, err := pm.filter(elem) + for k, v := range pm.Matches { + p.Matches[k] = v + } + if err != nil || add == nil { + return err + } + p.append(fieldName, add.Content()...) + + return nil +} + +func (p *PathMatcher) doField(rn *RNode) (*RNode, error) { + // lookup the field + field, err := rn.Pipe(Get(p.Path[0])) + if err != nil || (!IsCreate(p.Create) && field == nil) { + return nil, err + } + + if IsCreate(p.Create) && field == nil { + var nextPart string + if len(p.Path) > 1 { + nextPart = p.Path[1] + } + nextPartKind := getPathPartKind(nextPart, p.Create) + field = &RNode{value: &yaml.Node{Kind: nextPartKind}} + err := rn.PipeE(SetField(p.Path[0], field)) + if err != nil { + return nil, err + } + } + + // recurse on the field, removing the first element of the path + pm := &PathMatcher{Path: p.Path[1:], Create: p.Create} + p.val, err = pm.filter(field) + p.Matches = pm.Matches + return p.val, err +} + +// doIndexSeq iterates over a sequence and appends elements matching the index p.Val +func (p *PathMatcher) doIndexSeq(rn *RNode) (*RNode, error) { + // parse to index number + idx, err := strconv.Atoi(p.Path[0]) + if err != nil { + return nil, err + } + + elements, err := rn.Elements() + if err != nil { + return nil, err + } + + if len(elements) == idx && IsCreate(p.Create) { + var nextPart string + if len(p.Path) > 1 { + nextPart = p.Path[1] + } + elem := &yaml.Node{Kind: getPathPartKind(nextPart, p.Create)} + err = rn.PipeE(Append(elem)) + if err != nil { + return nil, errors.WrapPrefixf(err, "failed to append element for %q", p.Path[0]) + } + elements = append(elements, NewRNode(elem)) + } + + if len(elements) < idx+1 { + return nil, fmt.Errorf("index %d specified but only %d elements found", idx, len(elements)) + } + // get target element + element := elements[idx] + + // recurse on the matching element + pm := &PathMatcher{Path: p.Path[1:], Create: p.Create} + add, err := pm.filter(element) + for k, v := range pm.Matches { + p.Matches[k] = v + } + if err != nil || add == nil { + return nil, err + } + p.append("", add.Content()...) + return p.val, nil +} + +// doSeq iterates over a sequence and appends elements matching the path regex to p.Val +func (p *PathMatcher) doSeq(rn *RNode) (*RNode, error) { + // parse the field + match pair + var err error + p.field, p.matchRegex, err = SplitIndexNameValue(p.Path[0]) + if err != nil { + return nil, err + } + + primitiveElement := len(p.field) == 0 + if primitiveElement { + err = rn.VisitElements(p.visitPrimitiveElem) + } else { + err = rn.VisitElements(p.visitElem) + } + if err != nil { + return nil, err + } + if !p.val.IsNil() && len(p.val.YNode().Content) == 0 { + p.val = nil + } + + if !IsCreate(p.Create) || p.val != nil { + return p.val, nil + } + + var elem *yaml.Node + valueNode := NewScalarRNode(p.matchRegex).YNode() + if primitiveElement { + elem = valueNode + } else { + elem = &yaml.Node{ + Kind: yaml.MappingNode, + Content: []*yaml.Node{{Kind: yaml.ScalarNode, Value: p.field}, valueNode}, + } + } + err = rn.PipeE(Append(elem)) + if err != nil { + return nil, errors.WrapPrefixf(err, "failed to create element for %q", p.Path[0]) + } + // re-do the sequence search; this time we'll find the element we just created + return p.doSeq(rn) +} + +func (p *PathMatcher) visitPrimitiveElem(elem *RNode) error { + r, err := regexp.Compile(p.matchRegex) + if err != nil { + return err + } + + str, err := elem.String() + if err != nil { + return err + } + str = strings.TrimSpace(str) + if !r.MatchString(str) { + return nil + } + + p.appendRNode("", elem) + return nil +} + +func (p *PathMatcher) visitElem(elem *RNode) error { + r, err := regexp.Compile(p.matchRegex) + if err != nil { + return err + } + + // check if this elements field matches the regex + val := elem.Field(p.field) + if val == nil || val.Value == nil { + return nil + } + str, err := val.Value.String() + if err != nil { + return err + } + str = strings.TrimSpace(str) + if !r.MatchString(str) { + return nil + } + + // recurse on the matching element + pm := &PathMatcher{Path: p.Path[1:], Create: p.Create} + add, err := pm.filter(elem) + for k, v := range pm.Matches { + p.Matches[k] = v + } + if err != nil || add == nil { + return err + } + p.append(str, add.Content()...) + return nil +} + +func (p *PathMatcher) appendRNode(path string, node *RNode) { + p.append(path, node.YNode()) +} + +func (p *PathMatcher) append(path string, nodes ...*Node) { + if p.val == nil { + p.val = NewRNode(&Node{Kind: SequenceNode}) + } + for i := range nodes { + node := nodes[i] + p.val.YNode().Content = append(p.val.YNode().Content, node) + // record the path if specified + if path != "" { + p.Matches[node] = append(p.Matches[node], path) + } + } +} + +func cleanPath(path []string) []string { + var p []string + for _, elem := range path { + elem = strings.TrimSpace(elem) + if len(elem) == 0 { + continue + } + p = append(p, elem) + } + return p +} diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/yaml/merge2/merge2.go b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/merge2/merge2.go new file mode 100644 index 0000000000..3b23019e1a --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/merge2/merge2.go @@ -0,0 +1,187 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +// Package merge2 contains libraries for merging fields from one RNode to another +// RNode +package merge2 + +import ( + "sigs.k8s.io/kustomize/kyaml/openapi" + "sigs.k8s.io/kustomize/kyaml/yaml" + "sigs.k8s.io/kustomize/kyaml/yaml/walk" +) + +// Merge merges fields from src into dest. +func Merge(src, dest *yaml.RNode, mergeOptions yaml.MergeOptions) (*yaml.RNode, error) { + return walk.Walker{ + Sources: []*yaml.RNode{dest, src}, + Visitor: Merger{}, + MergeOptions: mergeOptions, + }.Walk() +} + +// MergeStrings parses the arguments, and merges fields from srcStr into destStr. +func MergeStrings(srcStr, destStr string, infer bool, mergeOptions yaml.MergeOptions) (string, error) { + src, err := yaml.Parse(srcStr) + if err != nil { + return "", err + } + dest, err := yaml.Parse(destStr) + if err != nil { + return "", err + } + + result, err := walk.Walker{ + Sources: []*yaml.RNode{dest, src}, + Visitor: Merger{}, + InferAssociativeLists: infer, + MergeOptions: mergeOptions, + }.Walk() + if err != nil { + return "", err + } + + return result.String() +} + +type Merger struct { +} + +// for forwards compatibility when new functions are added to the interface +var _ walk.Visitor = Merger{} + +func (m Merger) VisitMap(nodes walk.Sources, s *openapi.ResourceSchema) (*yaml.RNode, error) { + if err := m.SetComments(nodes); err != nil { + return nil, err + } + if err := m.SetStyle(nodes); err != nil { + return nil, err + } + if yaml.IsMissingOrNull(nodes.Dest()) { + // Add + ps, _ := determineSmpDirective(nodes.Origin()) + if ps == smpDelete { + return walk.ClearNode, nil + } + + // If Origin is missing, preserve explicitly set null in Dest ("null", "~", etc) + if nodes.Origin().IsNil() && !nodes.Dest().IsNil() && len(nodes.Dest().YNode().Value) > 0 { + return yaml.MakePersistentNullNode(nodes.Dest().YNode().Value), nil + } + + return nodes.Origin(), nil + } + if nodes.Origin().IsTaggedNull() { + // clear the value + return walk.ClearNode, nil + } + + ps, err := determineSmpDirective(nodes.Origin()) + if err != nil { + return nil, err + } + + switch ps { + case smpDelete: + return walk.ClearNode, nil + case smpReplace: + return nodes.Origin(), nil + default: + return nodes.Dest(), nil + } +} + +func (m Merger) VisitScalar(nodes walk.Sources, s *openapi.ResourceSchema) (*yaml.RNode, error) { + if err := m.SetComments(nodes); err != nil { + return nil, err + } + if err := m.SetStyle(nodes); err != nil { + return nil, err + } + // Override value + if nodes.Origin() != nil { + return nodes.Origin(), nil + } + // Keep + return nodes.Dest(), nil +} + +func (m Merger) VisitList(nodes walk.Sources, s *openapi.ResourceSchema, kind walk.ListKind) (*yaml.RNode, error) { + if err := m.SetComments(nodes); err != nil { + return nil, err + } + if err := m.SetStyle(nodes); err != nil { + return nil, err + } + if kind == walk.NonAssociateList { + // Override value + if nodes.Origin() != nil { + return nodes.Origin(), nil + } + // Keep + return nodes.Dest(), nil + } + + // Add + if yaml.IsMissingOrNull(nodes.Dest()) { + return nodes.Origin(), nil + } + // Clear + if nodes.Origin().IsTaggedNull() { + return walk.ClearNode, nil + } + + ps, err := determineSmpDirective(nodes.Origin()) + if err != nil { + return nil, err + } + + switch ps { + case smpDelete: + return walk.ClearNode, nil + case smpReplace: + return nodes.Origin(), nil + default: + return nodes.Dest(), nil + } +} + +func (m Merger) SetStyle(sources walk.Sources) error { + source := sources.Origin() + dest := sources.Dest() + if dest == nil || dest.YNode() == nil || source == nil || source.YNode() == nil { + // avoid panic + return nil + } + + // copy the style from the source. + // special case: if the dest was an empty map or seq, then it probably had + // folded style applied, but we actually want to keep the style of the origin + // in this case (even if it was the default). otherwise the merged elements + // will get folded even though this probably isn't what is desired. + if dest.YNode().Kind != yaml.ScalarNode && len(dest.YNode().Content) == 0 { + dest.YNode().Style = source.YNode().Style + } + return nil +} + +// SetComments copies the dest comments to the source comments if they are present +// on the source. +func (m Merger) SetComments(sources walk.Sources) error { + source := sources.Origin() + dest := sources.Dest() + if dest == nil || dest.YNode() == nil || source == nil || source.YNode() == nil { + // avoid panic + return nil + } + if source.YNode().FootComment != "" { + dest.YNode().FootComment = source.YNode().FootComment + } + if source.YNode().HeadComment != "" { + dest.YNode().HeadComment = source.YNode().HeadComment + } + if source.YNode().LineComment != "" { + dest.YNode().LineComment = source.YNode().LineComment + } + return nil +} diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/yaml/merge2/smpdirective.go b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/merge2/smpdirective.go new file mode 100644 index 0000000000..f38b188eac --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/merge2/smpdirective.go @@ -0,0 +1,101 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package merge2 + +import ( + "fmt" + + "sigs.k8s.io/kustomize/kyaml/yaml" +) + +// A strategic merge patch directive. +// See https://github.com/kubernetes/community/blob/master/contributors/devel/sig-api-machinery/strategic-merge-patch.md +// +//go:generate stringer -type=smpDirective -linecomment +type smpDirective int + +const ( + smpUnknown smpDirective = iota // unknown + smpReplace // replace + smpDelete // delete + smpMerge // merge +) + +const strategicMergePatchDirectiveKey = "$patch" + +// Examine patch for a strategic merge patch directive. +// If found, return it, and remove the directive from the patch. +func determineSmpDirective(patch *yaml.RNode) (smpDirective, error) { + if patch == nil { + return smpMerge, nil + } + switch patch.YNode().Kind { + case yaml.SequenceNode: + return determineSequenceNodePatchStrategy(patch) + case yaml.MappingNode: + return determineMappingNodePatchStrategy(patch) + default: + return smpUnknown, fmt.Errorf( + "no implemented strategic merge patch strategy for '%s' ('%s')", + patch.YNode().ShortTag(), patch.MustString()) + } +} + +func determineSequenceNodePatchStrategy(patch *yaml.RNode) (smpDirective, error) { + // get the $patch element + node, err := patch.Pipe(yaml.GetElementByKey(strategicMergePatchDirectiveKey)) + // if there are more than 1 key/value pair in the map, then this $patch + // is not for the sequence + if err != nil || node == nil || node.YNode() == nil || len(node.Content()) > 2 { + return smpMerge, nil + } + // get the value + value, err := node.Pipe(yaml.Get(strategicMergePatchDirectiveKey)) + if err != nil || value == nil || value.YNode() == nil { + return smpMerge, nil + } + v := value.YNode().Value + if v == smpDelete.String() { + return smpDelete, elideSequencePatchDirective(patch, v) + } + if v == smpReplace.String() { + return smpReplace, elideSequencePatchDirective(patch, v) + } + if v == smpMerge.String() { + return smpMerge, elideSequencePatchDirective(patch, v) + } + return smpUnknown, fmt.Errorf( + "unknown patch strategy '%s'", v) +} + +func determineMappingNodePatchStrategy(patch *yaml.RNode) (smpDirective, error) { + node, err := patch.Pipe(yaml.Get(strategicMergePatchDirectiveKey)) + if err != nil || node == nil || node.YNode() == nil { + return smpMerge, nil + } + v := node.YNode().Value + if v == smpDelete.String() { + return smpDelete, elideMappingPatchDirective(patch) + } + if v == smpReplace.String() { + return smpReplace, elideMappingPatchDirective(patch) + } + if v == smpMerge.String() { + return smpMerge, elideMappingPatchDirective(patch) + } + return smpUnknown, fmt.Errorf( + "unknown patch strategy '%s'", v) +} + +func elideMappingPatchDirective(patch *yaml.RNode) error { + return patch.PipeE(yaml.Clear(strategicMergePatchDirectiveKey)) +} + +func elideSequencePatchDirective(patch *yaml.RNode, value string) error { + return patch.PipeE(yaml.ElementSetter{ + Element: nil, + Keys: []string{strategicMergePatchDirectiveKey}, + Values: []string{value}, + }) +} diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/yaml/merge2/smpdirective_string.go b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/merge2/smpdirective_string.go new file mode 100644 index 0000000000..b4f937f0e1 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/merge2/smpdirective_string.go @@ -0,0 +1,26 @@ +// Code generated by "stringer -type=smpDirective -linecomment"; DO NOT EDIT. + +package merge2 + +import "strconv" + +func _() { + // An "invalid array index" compiler error signifies that the constant values have changed. + // Re-run the stringer command to generate them again. + var x [1]struct{} + _ = x[smpUnknown-0] + _ = x[smpReplace-1] + _ = x[smpDelete-2] + _ = x[smpMerge-3] +} + +const _smpDirective_name = "unknownreplacedeletemerge" + +var _smpDirective_index = [...]uint8{0, 7, 14, 20, 25} + +func (i smpDirective) String() string { + if i < 0 || i >= smpDirective(len(_smpDirective_index)-1) { + return "smpDirective(" + strconv.FormatInt(int64(i), 10) + ")" + } + return _smpDirective_name[_smpDirective_index[i]:_smpDirective_index[i+1]] +} diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/yaml/order.go b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/order.go new file mode 100644 index 0000000000..4e01c64895 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/order.go @@ -0,0 +1,107 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package yaml + +// fieldSortOrder contains the relative ordering of fields when formatting an +// object. +var fieldSortOrder = []string{ + // top-level metadata + "name", "generateName", "namespace", "clusterName", + "apiVersion", "kind", "metadata", "type", + "labels", "annotations", + "spec", "status", + + // secret and configmap + "stringData", "data", "binaryData", + + // cronjobspec, daemonsetspec, deploymentspec, statefulsetspec, + // jobspec fields + "parallelism", "completions", "activeDeadlineSeconds", "backoffLimit", + "replicas", "selector", "manualSelector", "template", + "ttlSecondsAfterFinished", "volumeClaimTemplates", "service", "serviceName", + "podManagementPolicy", "updateStrategy", "strategy", "minReadySeconds", + "revision", "revisionHistoryLimit", "paused", "progressDeadlineSeconds", + + // podspec + // podspec scalars + "restartPolicy", "terminationGracePeriodSeconds", + "activeDeadlineSeconds", "dnsPolicy", "serviceAccountName", + "serviceAccount", "automountServiceAccountToken", "nodeName", + "hostNetwork", "hostPID", "hostIPC", "shareProcessNamespace", "hostname", + "subdomain", "schedulerName", "priorityClassName", "priority", + "runtimeClassName", "enableServiceLinks", + + // podspec lists and maps + "nodeSelector", "hostAliases", + + // podspec objects + "initContainers", "containers", "volumes", "securityContext", + "imagePullSecrets", "affinity", "tolerations", "dnsConfig", + "readinessGates", + + // containers + "image", "command", "args", "workingDir", "ports", "envFrom", "env", + "resources", "volumeMounts", "volumeDevices", "livenessProbe", + "readinessProbe", "lifecycle", "terminationMessagePath", + "terminationMessagePolicy", "imagePullPolicy", "securityContext", + "stdin", "stdinOnce", "tty", + + // service + "clusterIP", "externalIPs", "loadBalancerIP", "loadBalancerSourceRanges", + "externalName", "externalTrafficPolicy", "sessionAffinity", + + // ports + "protocol", "port", "targetPort", "hostPort", "containerPort", "hostIP", + + // volumemount + "readOnly", "mountPath", "subPath", "subPathExpr", "mountPropagation", + + // envvar + envvarsource + "value", "valueFrom", "fieldRef", "resourceFieldRef", "configMapKeyRef", + "secretKeyRef", "prefix", "configMapRef", "secretRef", +} + +type set map[string]interface{} + +func newSet(values ...string) set { + m := map[string]interface{}{} + for _, value := range values { + m[value] = nil + } + return m +} + +func (s set) Has(key string) bool { + _, found := s[key] + return found +} + +// WhitelistedListSortKinds contains the set of kinds that are whitelisted +// for sorting list field elements +var WhitelistedListSortKinds = newSet( + "CronJob", "DaemonSet", "Deployment", "Job", "ReplicaSet", "StatefulSet", + "ValidatingWebhookConfiguration") + +// WhitelistedListSortApis contains the set of apis that are whitelisted for +// sorting list field elements +var WhitelistedListSortApis = newSet( + "apps/v1", "apps/v1beta1", "apps/v1beta2", "batch/v1", "batch/v1beta1", + "extensions/v1beta1", "v1", "admissionregistration.k8s.io/v1") + +// WhitelistedListSortFields contains json paths to list fields that should +// be sorted, and the field they should be sorted by +var WhitelistedListSortFields = map[string]string{ + ".spec.template.spec.containers": "name", + ".webhooks.rules.operations": "", +} + +// FieldOrder indexes fields and maps them to relative precedence +var FieldOrder = func() map[string]int { + // create an index of field orderings + fo := map[string]int{} + for i, f := range fieldSortOrder { + fo[f] = i + 1 + } + return fo +}() diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/yaml/rnode.go b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/rnode.go new file mode 100644 index 0000000000..07c782d730 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/rnode.go @@ -0,0 +1,1385 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package yaml + +import ( + "encoding/json" + "fmt" + "log" + "os" + "regexp" + "strconv" + "strings" + + "sigs.k8s.io/kustomize/kyaml/errors" + "sigs.k8s.io/kustomize/kyaml/sliceutil" + "sigs.k8s.io/kustomize/kyaml/utils" + "sigs.k8s.io/kustomize/kyaml/yaml/internal/k8sgen/pkg/labels" + yaml "sigs.k8s.io/yaml/goyaml.v3" +) + +// MakeNullNode returns an RNode that represents an empty document. +func MakeNullNode() *RNode { + return NewRNode(&Node{Tag: NodeTagNull}) +} + +// MakePersistentNullNode returns an RNode that should be persisted, +// even when merging +func MakePersistentNullNode(value string) *RNode { + n := NewRNode( + &Node{ + Tag: NodeTagNull, + Value: value, + Kind: yaml.ScalarNode, + }, + ) + n.ShouldKeep = true + return n +} + +// IsMissingOrNull is true if the RNode is nil or explicitly tagged null. +// TODO: make this a method on RNode. +func IsMissingOrNull(node *RNode) bool { + return node.IsNil() || node.YNode().Tag == NodeTagNull +} + +// IsEmptyMap returns true if the RNode is an empty node or an empty map. +// TODO: make this a method on RNode. +func IsEmptyMap(node *RNode) bool { + return IsMissingOrNull(node) || IsYNodeEmptyMap(node.YNode()) +} + +// GetValue returns underlying yaml.Node Value field +func GetValue(node *RNode) string { + if IsMissingOrNull(node) { + return "" + } + return node.YNode().Value +} + +// Parse parses a yaml string into an *RNode. +// To parse multiple resources, consider a kio.ByteReader +func Parse(value string) (*RNode, error) { + return Parser{Value: value}.Filter(nil) +} + +// ReadFile parses a single Resource from a yaml file. +// To parse multiple resources, consider a kio.ByteReader +func ReadFile(path string) (*RNode, error) { + b, err := os.ReadFile(path) + if err != nil { + return nil, err + } + return Parse(string(b)) +} + +// WriteFile writes a single Resource to a yaml file +func WriteFile(node *RNode, path string) error { + out, err := node.String() + if err != nil { + return err + } + return errors.WrapPrefixf(os.WriteFile(path, []byte(out), 0600), "writing RNode to file") +} + +// UpdateFile reads the file at path, applies the filter to it, and write the result back. +// path must contain a exactly 1 resource (YAML). +func UpdateFile(filter Filter, path string) error { + // Read the yaml + y, err := ReadFile(path) + if err != nil { + return err + } + + // Update the yaml + if err := y.PipeE(filter); err != nil { + return err + } + + // Write the yaml + return WriteFile(y, path) +} + +// MustParse parses a yaml string into an *RNode and panics if there is an error +func MustParse(value string) *RNode { + v, err := Parser{Value: value}.Filter(nil) + if err != nil { + panic(err) + } + return v +} + +// NewScalarRNode returns a new Scalar *RNode containing the provided scalar value. +func NewScalarRNode(value string) *RNode { + return &RNode{ + value: &yaml.Node{ + Kind: yaml.ScalarNode, + Value: value, + }} +} + +// NewStringRNode returns a new Scalar *RNode containing the provided string. +// If the string is non-utf8, it will be base64 encoded, and the tag +// will indicate binary data. +func NewStringRNode(value string) *RNode { + n := yaml.Node{Kind: yaml.ScalarNode} + n.SetString(value) + return NewRNode(&n) +} + +// NewListRNode returns a new List *RNode containing the provided scalar values. +func NewListRNode(values ...string) *RNode { + seq := &RNode{value: &yaml.Node{Kind: yaml.SequenceNode}} + for _, v := range values { + seq.value.Content = append(seq.value.Content, &yaml.Node{ + Kind: yaml.ScalarNode, + Value: v, + }) + } + return seq +} + +// NewMapRNode returns a new Map *RNode containing the provided values +func NewMapRNode(values *map[string]string) *RNode { + m := &RNode{value: &yaml.Node{ + Kind: yaml.MappingNode, + }} + if values == nil { + return m + } + + for k, v := range *values { + m.value.Content = append(m.value.Content, &yaml.Node{ + Kind: yaml.ScalarNode, + Value: k, + }, &yaml.Node{ + Kind: yaml.ScalarNode, + Value: v, + }) + } + + return m +} + +// SyncMapNodesOrder sorts the map node keys in 'to' node to match the order of +// map node keys in 'from' node, additional keys are moved to the end +func SyncMapNodesOrder(from, to *RNode) { + to.Copy() + res := &RNode{value: &yaml.Node{ + Kind: to.YNode().Kind, + Style: to.YNode().Style, + Tag: to.YNode().Tag, + Anchor: to.YNode().Anchor, + Alias: to.YNode().Alias, + HeadComment: to.YNode().HeadComment, + LineComment: to.YNode().LineComment, + FootComment: to.YNode().FootComment, + Line: to.YNode().Line, + Column: to.YNode().Column, + }} + + fromFieldNames, err := from.Fields() + if err != nil { + return + } + + toFieldNames, err := to.Fields() + if err != nil { + return + } + + for _, fieldName := range fromFieldNames { + if !sliceutil.Contains(toFieldNames, fieldName) { + continue + } + // append the common nodes in the order defined in 'from' node + res.value.Content = append(res.value.Content, to.Field(fieldName).Key.YNode(), to.Field(fieldName).Value.YNode()) + toFieldNames = sliceutil.Remove(toFieldNames, fieldName) + } + + for _, fieldName := range toFieldNames { + // append the residual nodes which are not present in 'from' node + res.value.Content = append(res.value.Content, to.Field(fieldName).Key.YNode(), to.Field(fieldName).Value.YNode()) + } + + to.SetYNode(res.YNode()) +} + +// NewRNode returns a new RNode pointer containing the provided Node. +func NewRNode(value *yaml.Node) *RNode { + return &RNode{value: value} +} + +// RNode provides functions for manipulating Kubernetes Resources +// Objects unmarshalled into *yaml.Nodes +type RNode struct { + // fieldPath contains the path from the root of the KubernetesObject to + // this field. + // Only field names are captured in the path. + // e.g. a image field in a Deployment would be + // 'spec.template.spec.containers.image' + fieldPath []string + + // FieldValue contains the value. + // FieldValue is always set: + // field: field value + // list entry: list entry value + // object root: object root + value *yaml.Node + + // Whether we should keep this node, even if otherwise we would clear it + ShouldKeep bool + + Match []string +} + +// Copy returns a distinct copy. +func (rn *RNode) Copy() *RNode { + if rn == nil { + return nil + } + result := *rn + result.value = CopyYNode(rn.value) + return &result +} + +var ErrMissingMetadata = fmt.Errorf("missing Resource metadata") + +// IsNil is true if the node is nil, or its underlying YNode is nil. +func (rn *RNode) IsNil() bool { + return rn == nil || rn.YNode() == nil +} + +// IsTaggedNull is true if a non-nil node is explicitly tagged Null. +func (rn *RNode) IsTaggedNull() bool { + return !rn.IsNil() && IsYNodeTaggedNull(rn.YNode()) +} + +// IsNilOrEmpty is true if the node is nil, +// has no YNode, or has YNode that appears empty. +func (rn *RNode) IsNilOrEmpty() bool { + return rn.IsNil() || IsYNodeNilOrEmpty(rn.YNode()) +} + +// IsStringValue is true if the RNode is not nil and is scalar string node +func (rn *RNode) IsStringValue() bool { + return !rn.IsNil() && IsYNodeString(rn.YNode()) +} + +// GetMeta returns the ResourceMeta for an RNode +func (rn *RNode) GetMeta() (ResourceMeta, error) { + if IsMissingOrNull(rn) { + return ResourceMeta{}, nil + } + missingMeta := true + n := rn + if n.YNode().Kind == DocumentNode { + // get the content is this is the document node + n = NewRNode(n.Content()[0]) + } + + // don't decode into the struct directly or it will fail on UTF-8 issues + // which appear in comments + m := ResourceMeta{} + + // TODO: consider optimizing this parsing + if f := n.Field(APIVersionField); !f.IsNilOrEmpty() { + m.APIVersion = GetValue(f.Value) + missingMeta = false + } + if f := n.Field(KindField); !f.IsNilOrEmpty() { + m.Kind = GetValue(f.Value) + missingMeta = false + } + + mf := n.Field(MetadataField) + if mf.IsNilOrEmpty() { + if missingMeta { + return m, ErrMissingMetadata + } + return m, nil + } + meta := mf.Value + + if f := meta.Field(NameField); !f.IsNilOrEmpty() { + m.Name = f.Value.YNode().Value + missingMeta = false + } + if f := meta.Field(NamespaceField); !f.IsNilOrEmpty() { + m.Namespace = GetValue(f.Value) + missingMeta = false + } + + if f := meta.Field(LabelsField); !f.IsNilOrEmpty() { + m.Labels = map[string]string{} + _ = f.Value.VisitFields(func(node *MapNode) error { + m.Labels[GetValue(node.Key)] = GetValue(node.Value) + return nil + }) + missingMeta = false + } + if f := meta.Field(AnnotationsField); !f.IsNilOrEmpty() { + m.Annotations = map[string]string{} + _ = f.Value.VisitFields(func(node *MapNode) error { + m.Annotations[GetValue(node.Key)] = GetValue(node.Value) + return nil + }) + missingMeta = false + } + + if missingMeta { + return m, ErrMissingMetadata + } + return m, nil +} + +// Pipe sequentially invokes each Filter, and passes the result to the next +// Filter. +// +// Analogous to http://www.linfo.org/pipes.html +// +// * rn is provided as input to the first Filter. +// * if any Filter returns an error, immediately return the error +// * if any Filter returns a nil RNode, immediately return nil, nil +// * if all Filters succeed with non-empty results, return the final result +func (rn *RNode) Pipe(functions ...Filter) (*RNode, error) { + // check if rn is nil to make chaining Pipe calls easier + if rn == nil { + return nil, nil + } + + var v *RNode + var err error + if rn.value != nil && rn.value.Kind == yaml.DocumentNode { + // the first node may be a DocumentNode containing a single MappingNode + v = &RNode{value: rn.value.Content[0]} + } else { + v = rn + } + + // return each fn in sequence until encountering an error or missing value + for _, c := range functions { + v, err = c.Filter(v) + if err != nil || v == nil { + return v, errors.Wrap(err) + } + } + return v, err +} + +// PipeE runs Pipe, dropping the *RNode return value. +// Useful for directly returning the Pipe error value from functions. +func (rn *RNode) PipeE(functions ...Filter) error { + _, err := rn.Pipe(functions...) + return errors.Wrap(err) +} + +// Document returns the Node for the value. +func (rn *RNode) Document() *yaml.Node { + return rn.value +} + +// YNode returns the yaml.Node value. If the yaml.Node value is a DocumentNode, +// YNode will return the DocumentNode Content entry instead of the DocumentNode. +func (rn *RNode) YNode() *yaml.Node { + if rn == nil || rn.value == nil { + return nil + } + if rn.value.Kind == yaml.DocumentNode { + return rn.value.Content[0] + } + return rn.value +} + +// SetYNode sets the yaml.Node value on an RNode. +func (rn *RNode) SetYNode(node *yaml.Node) { + if rn.value == nil || node == nil { + rn.value = node + return + } + *rn.value = *node +} + +// GetKind returns the kind, if it exists, else empty string. +func (rn *RNode) GetKind() string { + if node := rn.getMapFieldValue(KindField); node != nil { + return node.Value + } + return "" +} + +// SetKind sets the kind. +func (rn *RNode) SetKind(k string) { + rn.SetMapField(NewScalarRNode(k), KindField) +} + +// GetApiVersion returns the apiversion, if it exists, else empty string. +func (rn *RNode) GetApiVersion() string { + if node := rn.getMapFieldValue(APIVersionField); node != nil { + return node.Value + } + return "" +} + +// SetApiVersion sets the apiVersion. +func (rn *RNode) SetApiVersion(av string) { + rn.SetMapField(NewScalarRNode(av), APIVersionField) +} + +// getMapFieldValue returns the value (*yaml.Node) of a mapping field. +// The value might be nil. Also, the function returns nil, not an error, +// if this node is not a mapping node, or if this node does not have the +// given field, so this function cannot be used to make distinctions +// between these cases. +func (rn *RNode) getMapFieldValue(field string) *yaml.Node { + var result *yaml.Node + visitMappingNodeFields(rn.Content(), func(key, value *yaml.Node) { + result = value + }, field) + return result +} + +// GetName returns the name, or empty string if +// field not found. The setter is more restrictive. +func (rn *RNode) GetName() string { + return rn.getMetaStringField(NameField) +} + +// getMetaStringField returns the value of a string field in metadata. +func (rn *RNode) getMetaStringField(fName string) string { + md := rn.getMetaData() + if md == nil { + return "" + } + var result string + visitMappingNodeFields(md.Content, func(key, value *yaml.Node) { + if !IsYNodeNilOrEmpty(value) { + result = value.Value + } + }, fName) + return result +} + +// getMetaData returns the *yaml.Node of the metadata field. +// Return nil if field not found (no error). +func (rn *RNode) getMetaData() *yaml.Node { + if IsMissingOrNull(rn) { + return nil + } + content := rn.Content() + if rn.YNode().Kind == DocumentNode { + // get the content if this is the document node + content = content[0].Content + } + var mf *yaml.Node + visitMappingNodeFields(content, func(key, value *yaml.Node) { + if !IsYNodeNilOrEmpty(value) { + mf = value + } + }, MetadataField) + return mf +} + +// SetName sets the metadata name field. +func (rn *RNode) SetName(name string) error { + return rn.SetMapField(NewScalarRNode(name), MetadataField, NameField) +} + +// GetNamespace gets the metadata namespace field, or empty string if +// field not found. The setter is more restrictive. +func (rn *RNode) GetNamespace() string { + return rn.getMetaStringField(NamespaceField) +} + +// SetNamespace tries to set the metadata namespace field. If the argument +// is empty, the field is dropped. +func (rn *RNode) SetNamespace(ns string) error { + meta, err := rn.Pipe(Lookup(MetadataField)) + if err != nil { + return err + } + if ns == "" { + if rn == nil { + return nil + } + return meta.PipeE(Clear(NamespaceField)) + } + return rn.SetMapField( + NewScalarRNode(ns), MetadataField, NamespaceField) +} + +// GetAnnotations gets the metadata annotations field. +// If the annotations field is missing, returns an empty map. +// Use another method to check for missing metadata. +// If specific annotations are provided, then the map is +// restricted to only those entries with keys that match +// one of the specific annotations. If no annotations are +// provided, then the map will contain all entries. +func (rn *RNode) GetAnnotations(annotations ...string) map[string]string { + return rn.getMapFromMeta(AnnotationsField, annotations...) +} + +// SetAnnotations tries to set the metadata annotations field. +func (rn *RNode) SetAnnotations(m map[string]string) error { + return rn.setMapInMetadata(m, AnnotationsField) +} + +// GetLabels gets the metadata labels field. +// If the labels field is missing, returns an empty map. +// Use another method to check for missing metadata. +// If specific labels are provided, then the map is +// restricted to only those entries with keys that match +// one of the specific labels. If no labels are +// provided, then the map will contain all entries. +func (rn *RNode) GetLabels(labels ...string) map[string]string { + return rn.getMapFromMeta(LabelsField, labels...) +} + +// getMapFromMeta returns a map, sometimes empty, from the fName +// field in the node's metadata field. +// If specific fields are provided, then the map is +// restricted to only those entries with keys that match +// one of the specific fields. If no fields are +// provided, then the map will contain all entries. +func (rn *RNode) getMapFromMeta(fName string, fields ...string) map[string]string { + meta := rn.getMetaData() + if meta == nil { + return make(map[string]string) + } + + var result map[string]string + + visitMappingNodeFields(meta.Content, func(_, fNameValue *yaml.Node) { + // fName is found in metadata; create the map from its content + expectedSize := len(fields) + if expectedSize == 0 { + expectedSize = len(fNameValue.Content) / 2 //nolint: gomnd + } + result = make(map[string]string, expectedSize) + + visitMappingNodeFields(fNameValue.Content, func(key, value *yaml.Node) { + result[key.Value] = value.Value + }, fields...) + }, fName) + + if result == nil { + return make(map[string]string) + } + return result +} + +// SetLabels sets the metadata labels field. +func (rn *RNode) SetLabels(m map[string]string) error { + return rn.setMapInMetadata(m, LabelsField) +} + +// This established proper quoting on string values, and sorts by key. +func (rn *RNode) setMapInMetadata(m map[string]string, field string) error { + meta, err := rn.Pipe(LookupCreate(MappingNode, MetadataField)) + if err != nil { + return err + } + if err = meta.PipeE(Clear(field)); err != nil { + return err + } + if len(m) == 0 { + return nil + } + mapNode, err := meta.Pipe(LookupCreate(MappingNode, field)) + if err != nil { + return err + } + for _, k := range SortedMapKeys(m) { + if _, err := mapNode.Pipe( + SetField(k, NewStringRNode(m[k]))); err != nil { + return err + } + } + return nil +} + +func (rn *RNode) SetMapField(value *RNode, path ...string) error { + return rn.PipeE( + LookupCreate(yaml.MappingNode, path[0:len(path)-1]...), + SetField(path[len(path)-1], value), + ) +} + +func (rn *RNode) GetDataMap() map[string]string { + n, err := rn.Pipe(Lookup(DataField)) + if err != nil { + return nil + } + result := map[string]string{} + _ = n.VisitFields(func(node *MapNode) error { + result[GetValue(node.Key)] = GetValue(node.Value) + return nil + }) + return result +} + +func (rn *RNode) GetBinaryDataMap() map[string]string { + n, err := rn.Pipe(Lookup(BinaryDataField)) + if err != nil { + return nil + } + result := map[string]string{} + _ = n.VisitFields(func(node *MapNode) error { + result[GetValue(node.Key)] = GetValue(node.Value) + return nil + }) + return result +} + +// GetValidatedDataMap retrieves the data map and returns an error if the data +// map contains entries which are not included in the expectedKeys set. +func (rn *RNode) GetValidatedDataMap(expectedKeys []string) (map[string]string, error) { + dataMap := rn.GetDataMap() + err := rn.validateDataMap(dataMap, expectedKeys) + return dataMap, err +} + +func (rn *RNode) validateDataMap(dataMap map[string]string, expectedKeys []string) error { + if dataMap == nil { + return fmt.Errorf("The datamap is unassigned") + } + for key := range dataMap { + found := false + for _, expected := range expectedKeys { + if expected == key { + found = true + } + } + if !found { + return fmt.Errorf("an unexpected key (%v) was found", key) + } + } + return nil +} + +func (rn *RNode) SetDataMap(m map[string]string) { + if rn == nil { + log.Fatal("cannot set data map on nil Rnode") + } + if err := rn.PipeE(Clear(DataField)); err != nil { + log.Fatal(err) + } + if len(m) == 0 { + return + } + if err := rn.LoadMapIntoConfigMapData(m); err != nil { + log.Fatal(err) + } +} + +func (rn *RNode) SetBinaryDataMap(m map[string]string) { + if rn == nil { + log.Fatal("cannot set binaryData map on nil Rnode") + } + if err := rn.PipeE(Clear(BinaryDataField)); err != nil { + log.Fatal(err) + } + if len(m) == 0 { + return + } + if err := rn.LoadMapIntoConfigMapBinaryData(m); err != nil { + log.Fatal(err) + } +} + +// AppendToFieldPath appends a field name to the FieldPath. +func (rn *RNode) AppendToFieldPath(parts ...string) { + rn.fieldPath = append(rn.fieldPath, parts...) +} + +// FieldPath returns the field path from the Resource root node, to rn. +// Does not include list indexes. +func (rn *RNode) FieldPath() []string { + return rn.fieldPath +} + +// String returns string representation of the RNode +func (rn *RNode) String() (string, error) { + if rn == nil { + return "", nil + } + return String(rn.value) +} + +// MustString returns string representation of the RNode or panics if there is an error +func (rn *RNode) MustString() string { + s, err := rn.String() + if err != nil { + panic(err) + } + return s +} + +// Content returns Node Content field. +func (rn *RNode) Content() []*yaml.Node { + if rn == nil { + return nil + } + return rn.YNode().Content +} + +// Fields returns the list of field names for a MappingNode. +// Returns an error for non-MappingNodes. +func (rn *RNode) Fields() ([]string, error) { + if err := ErrorIfInvalid(rn, yaml.MappingNode); err != nil { + return nil, errors.Wrap(err) + } + var fields []string + visitMappingNodeFields(rn.Content(), func(key, value *yaml.Node) { + fields = append(fields, key.Value) + }) + return fields, nil +} + +// FieldRNodes returns the list of field key RNodes for a MappingNode. +// Returns an error for non-MappingNodes. +func (rn *RNode) FieldRNodes() ([]*RNode, error) { + if err := ErrorIfInvalid(rn, yaml.MappingNode); err != nil { + return nil, errors.Wrap(err) + } + var fields []*RNode + visitMappingNodeFields(rn.Content(), func(key, value *yaml.Node) { + // for each key node in the input mapping node contents create equivalent rNode + rNode := &RNode{} + rNode.SetYNode(key) + fields = append(fields, rNode) + }) + return fields, nil +} + +// Field returns a fieldName, fieldValue pair for MappingNodes. +// Returns nil for non-MappingNodes. +func (rn *RNode) Field(field string) *MapNode { + if rn.YNode().Kind != yaml.MappingNode { + return nil + } + var result *MapNode + visitMappingNodeFields(rn.Content(), func(key, value *yaml.Node) { + result = &MapNode{Key: NewRNode(key), Value: NewRNode(value)} + }, field) + return result +} + +// VisitFields calls fn for each field in the RNode. +// Returns an error for non-MappingNodes. +func (rn *RNode) VisitFields(fn func(node *MapNode) error) error { + // get the list of srcFieldNames + srcFieldNames, err := rn.Fields() + if err != nil { + return errors.Wrap(err) + } + + // visit each field + for _, fieldName := range srcFieldNames { + if err := fn(rn.Field(fieldName)); err != nil { + return errors.Wrap(err) + } + } + return nil +} + +// visitMappingNodeFields calls fn for fields in the content, in content order. +// The caller is responsible to ensure the node is a mapping node. If fieldNames +// are specified, then fn is called only for the fields that match the given +// fieldNames. +func visitMappingNodeFields(content []*yaml.Node, fn func(key, value *yaml.Node), fieldNames ...string) { + switch len(fieldNames) { + case 0: // visit all fields + visitFieldsWhileTrue(content, func(key, value *yaml.Node, _ int) bool { + fn(key, value) + return true + }) + case 1: // visit single field + visitFieldsWhileTrue(content, func(key, value *yaml.Node, _ int) bool { + if key == nil { + return true + } + if fieldNames[0] == key.Value { + fn(key, value) + return false + } + return true + }) + default: // visit specified fields + fieldsStillToVisit := make(map[string]bool, len(fieldNames)) + for _, fieldName := range fieldNames { + fieldsStillToVisit[fieldName] = true + } + visitFieldsWhileTrue(content, func(key, value *yaml.Node, _ int) bool { + if key == nil { + return true + } + if fieldsStillToVisit[key.Value] { + fn(key, value) + delete(fieldsStillToVisit, key.Value) + } + return len(fieldsStillToVisit) > 0 + }) + } +} + +// visitFieldsWhileTrue calls fn for the fields in content, in content order, +// until either fn returns false or all fields have been visited. The caller +// should ensure that content is from a mapping node, or fits the same expected +// pattern (consecutive key/value entries in the slice). +func visitFieldsWhileTrue(content []*yaml.Node, fn func(key, value *yaml.Node, keyIndex int) bool) { + for i := 0; i < len(content); i += 2 { + continueVisiting := fn(content[i], content[i+1], i) + if !continueVisiting { + return + } + } +} + +// Elements returns the list of elements in the RNode. +// Returns an error for non-SequenceNodes. +func (rn *RNode) Elements() ([]*RNode, error) { + if err := ErrorIfInvalid(rn, yaml.SequenceNode); err != nil { + return nil, errors.Wrap(err) + } + var elements []*RNode + for i := 0; i < len(rn.Content()); i++ { + elements = append(elements, NewRNode(rn.Content()[i])) + } + return elements, nil +} + +// ElementValues returns a list of all observed values for a given field name +// in a list of elements. +// Returns error for non-SequenceNodes. +func (rn *RNode) ElementValues(key string) ([]string, error) { + if err := ErrorIfInvalid(rn, yaml.SequenceNode); err != nil { + return nil, errors.Wrap(err) + } + var elements []string + for i := 0; i < len(rn.Content()); i++ { + field := NewRNode(rn.Content()[i]).Field(key) + if !field.IsNilOrEmpty() { + elements = append(elements, field.Value.YNode().Value) + } + } + return elements, nil +} + +// ElementValuesList returns a list of lists, where each list is a set of +// values corresponding to each key in keys. +// Returns error for non-SequenceNodes. +func (rn *RNode) ElementValuesList(keys []string) ([][]string, error) { + if err := ErrorIfInvalid(rn, yaml.SequenceNode); err != nil { + return nil, errors.Wrap(err) + } + elements := make([][]string, len(rn.Content())) + + for i := 0; i < len(rn.Content()); i++ { + for _, key := range keys { + field := NewRNode(rn.Content()[i]).Field(key) + if field.IsNilOrEmpty() { + elements[i] = append(elements[i], "") + } else { + elements[i] = append(elements[i], field.Value.YNode().Value) + } + } + } + return elements, nil +} + +// Element returns the element in the list which contains the field matching the value. +// Returns nil for non-SequenceNodes or if no Element matches. +func (rn *RNode) Element(key, value string) *RNode { + if rn.YNode().Kind != yaml.SequenceNode { + return nil + } + elem, err := rn.Pipe(MatchElement(key, value)) + if err != nil { + return nil + } + return elem +} + +// ElementList returns the element in the list in which all fields keys[i] matches all +// corresponding values[i]. +// Returns nil for non-SequenceNodes or if no Element matches. +func (rn *RNode) ElementList(keys []string, values []string) *RNode { + if rn.YNode().Kind != yaml.SequenceNode { + return nil + } + elem, err := rn.Pipe(MatchElementList(keys, values)) + if err != nil { + return nil + } + return elem +} + +// VisitElements calls fn for each element in a SequenceNode. +// Returns an error for non-SequenceNodes +func (rn *RNode) VisitElements(fn func(node *RNode) error) error { + elements, err := rn.Elements() + if err != nil { + return errors.Wrap(err) + } + + for i := range elements { + if err := fn(elements[i]); err != nil { + return errors.Wrap(err) + } + } + return nil +} + +// AssociativeSequenceKeys is a map of paths to sequences that have associative keys. +// The order sets the precedence of the merge keys -- if multiple keys are present +// in Resources in a list, then the FIRST key which ALL elements in the list have is used as the +// associative key for merging that list. +// Only infer name as a merge key. +var AssociativeSequenceKeys = []string{"name"} + +// IsAssociative returns true if the RNode contains an AssociativeSequenceKey as a field. +func (rn *RNode) IsAssociative() bool { + return rn.GetAssociativeKey() != "" +} + +// GetAssociativeKey returns the AssociativeSequenceKey used to merge the elements in the +// SequenceNode, or "" if the list is not associative. +func (rn *RNode) GetAssociativeKey() string { + // look for any associative keys in the first element + for _, key := range AssociativeSequenceKeys { + if checkKey(key, rn.Content()) { + return key + } + } + + // element doesn't have an associative keys + return "" +} + +// MarshalJSON creates a byte slice from the RNode. +func (rn *RNode) MarshalJSON() ([]byte, error) { + s, err := rn.String() + if err != nil { + return nil, err + } + + if rn.YNode().Kind == SequenceNode { + var a []interface{} + if err := Unmarshal([]byte(s), &a); err != nil { + return nil, err + } + return json.Marshal(a) + } + + m := map[string]interface{}{} + if err := Unmarshal([]byte(s), &m); err != nil { + return nil, err + } + return json.Marshal(m) +} + +// UnmarshalJSON overwrites this RNode with data from []byte. +func (rn *RNode) UnmarshalJSON(b []byte) error { + m := map[string]interface{}{} + if err := json.Unmarshal(b, &m); err != nil { + return err + } + r, err := FromMap(m) + if err != nil { + return err + } + rn.value = r.value + return nil +} + +// DeAnchor inflates all YAML aliases with their anchor values. +// All YAML anchor data is permanently removed (feel free to call Copy first). +func (rn *RNode) DeAnchor() (err error) { + rn.value, err = deAnchor(rn.value) + return +} + +// deAnchor removes all AliasNodes from the yaml.Node's tree, replacing +// them with what they point to. All Anchor fields (these are used to mark +// anchor definitions) are cleared. +func deAnchor(yn *yaml.Node) (res *yaml.Node, err error) { + if yn == nil { + return nil, nil + } + if yn.Anchor != "" { + // This node defines an anchor. Clear the field so that it + // doesn't show up when marshalling. + if yn.Kind == yaml.AliasNode { + // Maybe this is OK, but for now treating it as a bug. + return nil, fmt.Errorf( + "anchor %q defined using alias %v", yn.Anchor, yn.Alias) + } + yn.Anchor = "" + } + switch yn.Kind { + case yaml.ScalarNode: + return yn, nil + case yaml.AliasNode: + result, err := deAnchor(yn.Alias) + if err != nil { + return nil, err + } + return CopyYNode(result), nil + case yaml.MappingNode: + toMerge, err := removeMergeTags(yn) + if err != nil { + return nil, err + } + err = mergeAll(yn, toMerge) + if err != nil { + return nil, err + } + fallthrough + case yaml.DocumentNode, yaml.SequenceNode: + for i := range yn.Content { + yn.Content[i], err = deAnchor(yn.Content[i]) + if err != nil { + return nil, err + } + } + return yn, nil + default: + return nil, fmt.Errorf("cannot deAnchor kind %q", yn.Kind) + } +} + +// isMerge returns if the node is tagged with !!merge +func isMerge(yn *yaml.Node) bool { + return yn.Tag == MergeTag +} + +// findMergeValues receives either a MappingNode, a AliasNode or a potentially +// mixed list of MappingNodes and AliasNodes. It returns a list of MappingNodes. +func findMergeValues(yn *yaml.Node) ([]*yaml.Node, error) { + if yn == nil { + return []*yaml.Node{}, nil + } + switch yn.Kind { + case MappingNode: + return []*yaml.Node{yn}, nil + case AliasNode: + if yn.Alias != nil && yn.Alias.Kind != MappingNode { + return nil, errors.Errorf("invalid map merge: received alias for a non-map value") + } + return []*yaml.Node{yn.Alias}, nil + case SequenceNode: + mergeValues := []*yaml.Node{} + for i := 0; i < len(yn.Content); i++ { + if yn.Content[i].Kind == SequenceNode { + return nil, errors.Errorf("invalid map merge: received a nested sequence") + } + newMergeValues, err := findMergeValues(yn.Content[i]) + if err != nil { + return nil, err + } + mergeValues = append(newMergeValues, mergeValues...) + } + return mergeValues, nil + default: + return nil, errors.Errorf("map merge requires map or sequence of maps as the value") + } +} + +// getMergeTagValue receives a MappingNode yaml node, and it searches for +// merge tagged keys and return its value yaml node. If the key is duplicated, +// it fails. +func getMergeTagValue(yn *yaml.Node) (*yaml.Node, error) { + var result *yaml.Node + var err error + visitFieldsWhileTrue(yn.Content, func(key, value *yaml.Node, _ int) bool { + if isMerge(key) { + if result != nil { + err = fmt.Errorf("duplicate merge key") + result = nil + return false + } + result = value + } + return true + }) + return result, err +} + +// removeMergeTags removes all merge tags and returns a ordered list of yaml +// nodes to merge and a error +func removeMergeTags(yn *yaml.Node) ([]*yaml.Node, error) { + if yn == nil || yn.Content == nil { + return nil, nil + } + if yn.Kind != yaml.MappingNode { + return nil, nil + } + value, err := getMergeTagValue(yn) + if err != nil { + return nil, err + } + toMerge, err := findMergeValues(value) + if err != nil { + return nil, err + } + err = NewRNode(yn).PipeE(Clear("<<")) + if err != nil { + return nil, err + } + return toMerge, nil +} + +func mergeAll(yn *yaml.Node, toMerge []*yaml.Node) error { + // We only need to start with a copy of the existing node because we need to + // maintain duplicated keys and style + rn := NewRNode(yn).Copy() + toMerge = append(toMerge, yn) + for i := range toMerge { + rnToMerge := NewRNode(toMerge[i]).Copy() + err := rnToMerge.VisitFields(func(node *MapNode) error { + return rn.PipeE(MapEntrySetter{Key: node.Key, Value: node.Value}) + }) + if err != nil { + return err + } + } + *yn = *rn.value + return nil +} + +// GetValidatedMetadata returns metadata after subjecting it to some tests. +func (rn *RNode) GetValidatedMetadata() (ResourceMeta, error) { + m, err := rn.GetMeta() + if err != nil { + return m, err + } + if m.Kind == "" { + return m, fmt.Errorf("missing kind in object %v", m) + } + if strings.HasSuffix(m.Kind, "List") { + // A list doesn't require a name. + return m, nil + } + if m.NameMeta.Name == "" { + return m, fmt.Errorf("missing metadata.name in object %v", m) + } + return m, nil +} + +// MatchesAnnotationSelector returns true on a selector match to annotations. +func (rn *RNode) MatchesAnnotationSelector(selector string) (bool, error) { + s, err := labels.Parse(selector) + if err != nil { + return false, err + } + return s.Matches(labels.Set(rn.GetAnnotations())), nil +} + +// MatchesLabelSelector returns true on a selector match to labels. +func (rn *RNode) MatchesLabelSelector(selector string) (bool, error) { + s, err := labels.Parse(selector) + if err != nil { + return false, err + } + return s.Matches(labels.Set(rn.GetLabels())), nil +} + +// HasNilEntryInList returns true if the RNode contains a list which has +// a nil item, along with the path to the missing item. +// TODO(broken): This doesn't do what it claims to do. +// (see TODO in unit test and pr 1513). +func (rn *RNode) HasNilEntryInList() (bool, string) { + return hasNilEntryInList(rn.value) +} + +func hasNilEntryInList(in interface{}) (bool, string) { + switch v := in.(type) { + case map[string]interface{}: + for key, s := range v { + if result, path := hasNilEntryInList(s); result { + return result, key + "/" + path + } + } + case []interface{}: + for index, s := range v { + if s == nil { + return true, "" + } + if result, path := hasNilEntryInList(s); result { + return result, "[" + strconv.Itoa(index) + "]/" + path + } + } + } + return false, "" +} + +func FromMap(m map[string]interface{}) (*RNode, error) { + c, err := Marshal(m) + if err != nil { + return nil, err + } + return Parse(string(c)) +} + +func (rn *RNode) Map() (map[string]interface{}, error) { + if rn == nil || rn.value == nil { + return make(map[string]interface{}), nil + } + var result map[string]interface{} + if err := rn.value.Decode(&result); err != nil { + // Should not be able to create an RNode that cannot be decoded; + // this is an unrecoverable error. + str, _ := rn.String() + return nil, fmt.Errorf("received error %w for the following resource:\n%s", err, str) + } + return result, nil +} + +// ConvertJSONToYamlNode parses input json string and returns equivalent yaml node +func ConvertJSONToYamlNode(jsonStr string) (*RNode, error) { + var body map[string]interface{} + err := json.Unmarshal([]byte(jsonStr), &body) + if err != nil { + return nil, err + } + yml, err := yaml.Marshal(body) + if err != nil { + return nil, err + } + node, err := Parse(string(yml)) + if err != nil { + return nil, err + } + return node, nil +} + +// checkKey returns true if all elems have the key +func checkKey(key string, elems []*Node) bool { + count := 0 + for i := range elems { + elem := NewRNode(elems[i]) + if elem.Field(key) != nil { + count++ + } + } + return count == len(elems) +} + +// GetSlice returns the contents of the slice field at the given path. +func (rn *RNode) GetSlice(path string) ([]interface{}, error) { + value, err := rn.GetFieldValue(path) + if err != nil { + return nil, err + } + if sliceValue, ok := value.([]interface{}); ok { + return sliceValue, nil + } + return nil, fmt.Errorf("node %s is not a slice", path) +} + +// GetString returns the contents of the string field at the given path. +func (rn *RNode) GetString(path string) (string, error) { + value, err := rn.GetFieldValue(path) + if err != nil { + return "", err + } + if v, ok := value.(string); ok { + return v, nil + } + return "", fmt.Errorf("node %s is not a string: %v", path, value) +} + +// GetFieldValue finds period delimited fields. +// TODO: When doing kustomize var replacement, which is likely a +// a primary use of this function and the reason it returns interface{} +// rather than string, we do conversion from Nodes to Go types and back +// to nodes. We should figure out how to do replacement using raw nodes, +// assuming we keep the var feature in kustomize. +// The other end of this is: refvar.go:updateNodeValue. +func (rn *RNode) GetFieldValue(path string) (interface{}, error) { + fields := convertSliceIndex(utils.SmarterPathSplitter(path, ".")) + rn, err := rn.Pipe(Lookup(fields...)) + if err != nil { + return nil, err + } + if rn == nil { + return nil, NoFieldError{path} + } + yn := rn.YNode() + + // If this is an alias node, resolve it + if yn.Kind == yaml.AliasNode { + yn = yn.Alias + } + + // Return value as map for DocumentNode and MappingNode kinds + if yn.Kind == yaml.DocumentNode || yn.Kind == yaml.MappingNode { + var result map[string]interface{} + if err := yn.Decode(&result); err != nil { + return nil, err + } + return result, err + } + + // Return value as slice for SequenceNode kind + if yn.Kind == yaml.SequenceNode { + var result []interface{} + if err := yn.Decode(&result); err != nil { + return nil, err + } + return result, nil + } + if yn.Kind != yaml.ScalarNode { + return nil, fmt.Errorf("expected ScalarNode, got Kind=%d", yn.Kind) + } + + switch yn.Tag { + case NodeTagString: + return yn.Value, nil + case NodeTagInt: + return strconv.Atoi(yn.Value) + case NodeTagFloat: + return strconv.ParseFloat(yn.Value, 64) + case NodeTagBool: + return strconv.ParseBool(yn.Value) + default: + // Possibly this should be an error or log. + return yn.Value, nil + } +} + +// convertSliceIndex traverses the items in `fields` and find +// if there is a slice index in the item and change it to a +// valid Lookup field path. For example, 'ports[0]' will be +// converted to 'ports' and '0'. +func convertSliceIndex(fields []string) []string { + var res []string + for _, s := range fields { + if !strings.HasSuffix(s, "]") { + res = append(res, s) + continue + } + re := regexp.MustCompile(`^(.*)\[(\d+)\]$`) + groups := re.FindStringSubmatch(s) + if len(groups) == 0 { + // no match, add to result + res = append(res, s) + continue + } + if groups[1] != "" { + res = append(res, groups[1]) + } + res = append(res, groups[2]) + } + return res +} + +type NoFieldError struct { + Field string +} + +func (e NoFieldError) Error() string { + return fmt.Sprintf("no field named '%s'", e.Field) +} diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/yaml/schema/schema.go b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/schema/schema.go new file mode 100644 index 0000000000..9ee592f847 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/schema/schema.go @@ -0,0 +1,44 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +// Package schema contains libraries for working with the yaml and openapi packages. +package schema + +import ( + "strings" + + "sigs.k8s.io/kustomize/kyaml/openapi" + "sigs.k8s.io/kustomize/kyaml/yaml" +) + +// IsAssociative returns true if all elements in the list contain an +// AssociativeSequenceKey as a field. +func IsAssociative(schema *openapi.ResourceSchema, nodes []*yaml.RNode, infer bool) bool { + if schema != nil { + return schemaHasMergeStrategy(schema) + } + if !infer { + return false + } + for i := range nodes { + node := nodes[i] + if yaml.IsMissingOrNull(node) { + continue + } + if node.IsAssociative() { + return true + } + } + return false +} + +func schemaHasMergeStrategy(schema *openapi.ResourceSchema) bool { + tmp, _ := schema.PatchStrategyAndKey() + strategies := strings.Split(tmp, ",") + for _, s := range strategies { + if s == "merge" { + return true + } + } + return false +} diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/yaml/types.go b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/types.go new file mode 100644 index 0000000000..73f5d8406d --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/types.go @@ -0,0 +1,299 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package yaml + +import ( + "bytes" + "strings" + + "sigs.k8s.io/kustomize/kyaml/errors" + "sigs.k8s.io/kustomize/kyaml/sets" + yaml "sigs.k8s.io/yaml/goyaml.v3" +) + +// CopyYNode returns a distinct copy of its argument. +// Use https://github.com/jinzhu/copier instead? +func CopyYNode(n *yaml.Node) *yaml.Node { + if n == nil { + return nil + } + c := *n + if len(n.Content) > 0 { + // Using Go 'copy' here doesn't yield independent slices. + c.Content = make([]*Node, len(n.Content)) + for i, item := range n.Content { + c.Content[i] = CopyYNode(item) + } + } + return &c +} + +// IsYNodeTaggedNull returns true if the node is explicitly tagged Null. +func IsYNodeTaggedNull(n *yaml.Node) bool { + return n != nil && n.Tag == NodeTagNull +} + +// IsYNodeEmptyMap is true if the Node is a non-nil empty map. +func IsYNodeEmptyMap(n *yaml.Node) bool { + return n != nil && n.Kind == yaml.MappingNode && len(n.Content) == 0 +} + +// IsYNodeEmptySeq is true if the Node is a non-nil empty sequence. +func IsYNodeEmptySeq(n *yaml.Node) bool { + return n != nil && n.Kind == yaml.SequenceNode && len(n.Content) == 0 +} + +// IsYNodeNilOrEmpty is true if the Node is nil or appears empty. +func IsYNodeNilOrEmpty(n *yaml.Node) bool { + return n == nil || + IsYNodeTaggedNull(n) || + IsYNodeEmptyMap(n) || + IsYNodeEmptySeq(n) || + IsYNodeZero(n) +} + +// IsYNodeEmptyDoc is true if the node is a Document with no content. +// E.g.: "---\n---" +func IsYNodeEmptyDoc(n *yaml.Node) bool { + return n.Kind == yaml.DocumentNode && n.Content[0].Tag == NodeTagNull +} + +func IsYNodeString(n *yaml.Node) bool { + return n.Kind == yaml.ScalarNode && + (n.Tag == NodeTagString || n.Tag == NodeTagEmpty) +} + +// IsYNodeZero is true if all the public fields in the Node are empty. +// Which means it's not initialized and should be omitted when marshal. +// The Node itself has a method IsZero but it is not released +// in yaml.v3. https://pkg.go.dev/gopkg.in/yaml.v3#Node.IsZero +func IsYNodeZero(n *yaml.Node) bool { + // TODO: Change this to use IsZero when it's avaialable. + return n != nil && n.Kind == 0 && n.Style == 0 && n.Tag == "" && n.Value == "" && + n.Anchor == "" && n.Alias == nil && n.Content == nil && + n.HeadComment == "" && n.LineComment == "" && n.FootComment == "" && + n.Line == 0 && n.Column == 0 +} + +// Parser parses values into configuration. +type Parser struct { + Kind string `yaml:"kind,omitempty"` + Value string `yaml:"value,omitempty"` +} + +func (p Parser) Filter(_ *RNode) (*RNode, error) { + d := yaml.NewDecoder(bytes.NewBuffer([]byte(p.Value))) + o := &RNode{value: &yaml.Node{}} + return o, d.Decode(o.value) +} + +// TODO(pwittrock): test this +func GetStyle(styles ...string) Style { + var style Style + for _, s := range styles { + switch s { + case "TaggedStyle": + style |= TaggedStyle + case "DoubleQuotedStyle": + style |= DoubleQuotedStyle + case "SingleQuotedStyle": + style |= SingleQuotedStyle + case "LiteralStyle": + style |= LiteralStyle + case "FoldedStyle": + style |= FoldedStyle + case "FlowStyle": + style |= FlowStyle + } + } + return style +} + +// Filter defines a function to manipulate an individual RNode such as by changing +// its values, or returning a field. +// +// When possible, Filters should be serializable to yaml so that they can be described +// declaratively as data. +// +// Analogous to http://www.linfo.org/filters.html +type Filter interface { + Filter(object *RNode) (*RNode, error) +} + +type FilterFunc func(object *RNode) (*RNode, error) + +func (f FilterFunc) Filter(object *RNode) (*RNode, error) { + return f(object) +} + +// TypeMeta partially copies apimachinery/pkg/apis/meta/v1.TypeMeta +// No need for a direct dependence; the fields are stable. +type TypeMeta struct { + // APIVersion is the apiVersion field of a Resource + APIVersion string `json:"apiVersion,omitempty" yaml:"apiVersion,omitempty"` + // Kind is the kind field of a Resource + Kind string `json:"kind,omitempty" yaml:"kind,omitempty"` +} + +// NameMeta contains name information. +type NameMeta struct { + // Name is the metadata.name field of a Resource + Name string `json:"name,omitempty" yaml:"name,omitempty"` + // Namespace is the metadata.namespace field of a Resource + Namespace string `json:"namespace,omitempty" yaml:"namespace,omitempty"` +} + +// ResourceMeta contains the metadata for a both Resource Type and Resource. +type ResourceMeta struct { + TypeMeta `json:",inline" yaml:",inline"` + // ObjectMeta is the metadata field of a Resource + ObjectMeta `json:"metadata,omitempty" yaml:"metadata,omitempty"` +} + +// ObjectMeta contains metadata about a Resource +type ObjectMeta struct { + NameMeta `json:",inline" yaml:",inline"` + // Labels is the metadata.labels field of a Resource + Labels map[string]string `json:"labels,omitempty" yaml:"labels,omitempty"` + // Annotations is the metadata.annotations field of a Resource. + Annotations map[string]string `json:"annotations,omitempty" yaml:"annotations,omitempty"` +} + +// GetIdentifier returns a ResourceIdentifier that includes +// the information needed to uniquely identify a resource in a cluster. +func (m *ResourceMeta) GetIdentifier() ResourceIdentifier { + return ResourceIdentifier{ + TypeMeta: m.TypeMeta, + NameMeta: m.NameMeta, + } +} + +// ResourceIdentifier contains the information needed to uniquely +// identify a resource in a cluster. +type ResourceIdentifier struct { + TypeMeta `json:",inline" yaml:",inline"` + NameMeta `json:",inline" yaml:",inline"` +} + +// Comments struct is comment yaml comment types +type Comments struct { + LineComment string `yaml:"lineComment,omitempty"` + HeadComment string `yaml:"headComment,omitempty"` + FootComment string `yaml:"footComment,omitempty"` +} + +func (r *ResourceIdentifier) GetName() string { + return r.Name +} + +func (r *ResourceIdentifier) GetNamespace() string { + return r.Namespace +} + +func (r *ResourceIdentifier) GetAPIVersion() string { + return r.APIVersion +} + +func (r *ResourceIdentifier) GetKind() string { + return r.Kind +} + +const ( + Trim = "Trim" + Flow = "Flow" +) + +// String returns a string value for a Node, applying the supplied formatting options +func String(node *yaml.Node, opts ...string) (string, error) { + if node == nil { + return "", nil + } + optsSet := sets.String{} + optsSet.Insert(opts...) + if optsSet.Has(Flow) { + oldStyle := node.Style + defer func() { + node.Style = oldStyle + }() + node.Style = yaml.FlowStyle + } + + b := &bytes.Buffer{} + e := NewEncoder(b) + err := e.Encode(node) + errClose := e.Close() + if err == nil { + err = errClose + } + val := b.String() + if optsSet.Has(Trim) { + val = strings.TrimSpace(val) + } + return val, errors.Wrap(err) +} + +// MergeOptionsListIncreaseDirection is the type of list growth in merge +type MergeOptionsListIncreaseDirection int + +const ( + MergeOptionsListAppend MergeOptionsListIncreaseDirection = iota + MergeOptionsListPrepend +) + +// MergeOptions is a struct which contains the options for merge +type MergeOptions struct { + // ListIncreaseDirection indicates should merge function prepend the items from + // source list to destination or append. + ListIncreaseDirection MergeOptionsListIncreaseDirection +} + +// Since ObjectMeta and TypeMeta are stable, we manually create DeepCopy funcs for ResourceMeta and ObjectMeta. +// For TypeMeta and NameMeta no DeepCopy funcs are required, as they only contain basic types. + +// DeepCopyInto copies the receiver, writing into out. in must be non-nil. +func (in *ObjectMeta) DeepCopyInto(out *ObjectMeta) { + *out = *in + out.NameMeta = in.NameMeta + if in.Labels != nil { + in, out := &in.Labels, &out.Labels + *out = make(map[string]string, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } + if in.Annotations != nil { + in, out := &in.Annotations, &out.Annotations + *out = make(map[string]string, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } +} + +// DeepCopy copies the receiver, creating a new ObjectMeta. +func (in *ObjectMeta) DeepCopy() *ObjectMeta { + if in == nil { + return nil + } + out := new(ObjectMeta) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto copies the receiver, writing into out. in must be non-nil. +func (in *ResourceMeta) DeepCopyInto(out *ResourceMeta) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) +} + +// DeepCopy copies the receiver, creating a new ResourceMeta. +func (in *ResourceMeta) DeepCopy() *ResourceMeta { + if in == nil { + return nil + } + out := new(ResourceMeta) + in.DeepCopyInto(out) + return out +} diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/yaml/util.go b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/util.go new file mode 100644 index 0000000000..8c9439342f --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/util.go @@ -0,0 +1,70 @@ +// Copyright 2021 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package yaml + +import ( + "strings" +) + +// DeriveSeqIndentStyle derives the sequence indentation annotation value for the resource, +// originalYAML is the input yaml string, +// the style is decided by deriving the existing sequence indentation of first sequence node +func DeriveSeqIndentStyle(originalYAML string) string { + lines := strings.Split(originalYAML, "\n") + for i, line := range lines { + elems := strings.SplitN(line, "- ", 2) + if len(elems) != 2 { + continue + } + // prefix of "- " must be sequence of spaces + if strings.Trim(elems[0], " ") != "" { + continue + } + numSpacesBeforeSeqElem := len(elems[0]) + + // keyLine is the line before the first sequence element + keyLine := keyLineBeforeSeqElem(lines, i) + if keyLine == "" { + // there is no keyLine for this sequence node + // all of those lines are comments + continue + } + numSpacesBeforeKeyElem := len(keyLine) - len(strings.TrimLeft(keyLine, " ")) + trimmedKeyLine := strings.Trim(keyLine, " ") + if strings.Count(trimmedKeyLine, ":") != 1 || !strings.HasSuffix(trimmedKeyLine, ":") { + // if the key line doesn't contain only one : that too at the end, + // this is not a sequence node, it is a wrapped sequence node string + // ignore it + continue + } + + if numSpacesBeforeSeqElem == numSpacesBeforeKeyElem { + return string(CompactSequenceStyle) + } + + if numSpacesBeforeSeqElem-numSpacesBeforeKeyElem == 2 { + return string(WideSequenceStyle) + } + } + + return string(CompactSequenceStyle) +} + +// keyLineBeforeSeqElem iterates through the lines before the first seqElement +// and tries to find the non-comment key line for the sequence node +func keyLineBeforeSeqElem(lines []string, seqElemIndex int) string { + // start with the previous line of sequence element + i := seqElemIndex - 1 + for ; i >= 0; i-- { + line := lines[i] + trimmedLine := strings.Trim(line, " ") + if strings.HasPrefix(trimmedLine, "#") { // commented line + continue + } + // we have a non-commented line which can have a trailing comment + parts := strings.SplitN(line, "#", 2) + return parts[0] // throw away the trailing comment part + } + return "" +} diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/yaml/walk/associative_sequence.go b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/walk/associative_sequence.go new file mode 100644 index 0000000000..5cea8d92f6 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/walk/associative_sequence.go @@ -0,0 +1,385 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package walk + +import ( + "strings" + + "github.com/go-errors/errors" + "sigs.k8s.io/kustomize/kyaml/openapi" + "sigs.k8s.io/kustomize/kyaml/sets" + "sigs.k8s.io/kustomize/kyaml/yaml" +) + +// appendListNode will append the nodes from src to dst and return dst. +// src and dst should be both sequence node. key is used to call ElementSetter. +// ElementSetter will use key-value pair to find and set the element in sequence +// node. +func appendListNode(dst, src *yaml.RNode, keys []string) (*yaml.RNode, error) { + var err error + for _, elem := range src.Content() { + // If key is empty, we know this is a scalar value and we can directly set the + // node + if keys[0] == "" { + _, err = dst.Pipe(yaml.ElementSetter{ + Element: elem, + Keys: []string{""}, + Values: []string{elem.Value}, + }) + if err != nil { + return nil, err + } + continue + } + + // we need to get the value for key so that we can find the element to set + // in sequence. + v := []string{} + for _, key := range keys { + tmpNode := yaml.NewRNode(elem) + valueNode, err := tmpNode.Pipe(yaml.Get(key)) + if err != nil { + return nil, err + } + if valueNode.IsNil() { + // no key found, directly append to dst + err = dst.PipeE(yaml.Append(elem)) + if err != nil { + return nil, err + } + continue + } + v = append(v, valueNode.YNode().Value) + } + + // When there are multiple keys, ElementSetter appends the node to dst + // even if the output is already in dst. We remove the node from dst to + // prevent duplicates. + if len(keys) > 1 { + _, err = dst.Pipe(yaml.ElementSetter{ + Keys: keys, + Values: v, + }) + if err != nil { + return nil, err + } + } + + // We use the key and value from elem to find the corresponding element in dst. + // Then we will use ElementSetter to replace the element with elem. If we cannot + // find the item, the element will be appended. + _, err = dst.Pipe(yaml.ElementSetter{ + Element: elem, + Keys: keys, + Values: v, + }) + if err != nil { + return nil, err + } + } + return dst, nil +} + +// validateKeys returns a list of valid key-value pairs +// if secondary merge key values are missing, use only the available merge keys +func validateKeys(valuesList [][]string, values []string, keys []string) ([]string, []string) { + validKeys := make([]string, 0) + validValues := make([]string, 0) + validKeySet := sets.String{} + for _, values := range valuesList { + for i, v := range values { + if v != "" { + validKeySet.Insert(keys[i]) + } + } + } + if validKeySet.Len() == 0 { // if values missing, fall back to primary keys + return keys, values + } + for _, k := range keys { + if validKeySet.Has(k) { + validKeys = append(validKeys, k) + } + } + for i, v := range values { + if v != "" || validKeySet.Has(keys[i]) { + validValues = append(validValues, v) + } + } + return validKeys, validValues +} + +// mergeValues merges values together - e.g. if two containerPorts +// have the same port and targetPort but one has an empty protocol +// and the other doesn't, they are treated as the same containerPort +func mergeValues(valuesList [][]string) [][]string { + for i, values1 := range valuesList { + for j, values2 := range valuesList { + if matched, values := match(values1, values2); matched { + valuesList[i] = values + valuesList[j] = values + } + } + } + return valuesList +} + +// two values match if they have at least one common element and +// corresponding elements only differ if one is an empty string +func match(values1 []string, values2 []string) (bool, []string) { + if len(values1) != len(values2) { + return false, nil + } + var commonElement bool + var res []string + for i := range values1 { + if values1[i] == values2[i] { + commonElement = true + res = append(res, values1[i]) + continue + } + if values1[i] != "" && values2[i] != "" { + return false, nil + } + if values1[i] != "" { + res = append(res, values1[i]) + } else { + res = append(res, values2[i]) + } + } + return commonElement, res +} + +// setAssociativeSequenceElements recursively set the elements in the list +func (l *Walker) setAssociativeSequenceElements(valuesList [][]string, keys []string, dest *yaml.RNode) (*yaml.RNode, error) { + // itemsToBeAdded contains the items that will be added to dest + itemsToBeAdded := yaml.NewListRNode() + var schema *openapi.ResourceSchema + if l.Schema != nil { + schema = l.Schema.Elements() + } + if len(keys) > 1 { + valuesList = mergeValues(valuesList) + } + + // each element in valuesList is a list of values corresponding to the keys + // for example, for the following yaml: + // - containerPort: 8080 + // protocol: UDP + // - containerPort: 8080 + // protocol: TCP + // `keys` would be [containerPort, protocol] + // and `valuesList` would be [ [8080, UDP], [8080, TCP] ] + var validKeys []string + var validValues []string + for _, values := range valuesList { + if len(values) == 0 { + continue + } + + validKeys, validValues = validateKeys(valuesList, values, keys) + val, err := Walker{ + VisitKeysAsScalars: l.VisitKeysAsScalars, + InferAssociativeLists: l.InferAssociativeLists, + Visitor: l, + Schema: schema, + Sources: l.elementValueList(validKeys, validValues), + MergeOptions: l.MergeOptions, + }.Walk() + if err != nil { + return nil, err + } + + exit := false + for i, key := range validKeys { + // delete the node from **dest** if it's null or empty + if yaml.IsMissingOrNull(val) || yaml.IsEmptyMap(val) { + _, err = dest.Pipe(yaml.ElementSetter{ + Keys: validKeys, + Values: validValues, + }) + if err != nil { + return nil, err + } + exit = true + } else if val.Field(key) == nil && validValues[i] != "" { + // make sure the key is set on the field + _, err = val.Pipe(yaml.SetField(key, yaml.NewScalarRNode(validValues[i]))) + if err != nil { + return nil, err + } + } + } + if exit { + continue + } + + // Add the val to the sequence. val will replace the item in the sequence if + // there is an item that matches all key-value pairs. Otherwise val will be appended + // the sequence. + _, err = itemsToBeAdded.Pipe(yaml.ElementSetter{ + Element: val.YNode(), + Keys: validKeys, + Values: validValues, + }) + if err != nil { + return nil, err + } + } + + var err error + if len(valuesList) > 0 { + if l.MergeOptions.ListIncreaseDirection == yaml.MergeOptionsListPrepend { + // items from patches are needed to be prepended. so we append the + // dest to itemsToBeAdded + dest, err = appendListNode(itemsToBeAdded, dest, validKeys) + } else { + // append the items + dest, err = appendListNode(dest, itemsToBeAdded, validKeys) + } + } + + if err != nil { + return nil, err + } + // sequence is empty + if yaml.IsMissingOrNull(dest) { + return nil, nil + } + return dest, nil +} + +func (l *Walker) walkAssociativeSequence() (*yaml.RNode, error) { + // may require initializing the dest node + dest, err := l.Sources.setDestNode(l.VisitList(l.Sources, l.Schema, AssociativeList)) + if dest == nil || err != nil { + return nil, err + } + + // get the merge key(s) from schema + var strategy string + var keys []string + if l.Schema != nil { + strategy, keys = l.Schema.PatchStrategyAndKeyList() + } + if strategy == "" && len(keys) == 0 { // neither strategy nor keys present in the schema -- infer the key + // find the list of elements we need to recursively walk + key, err := l.elementKey() + if err != nil { + return nil, err + } + if key != "" { + keys = append(keys, key) + } + } + + // non-primitive associative list -- merge the elements + values := l.elementValues(keys) + if len(values) != 0 || len(keys) > 0 { + return l.setAssociativeSequenceElements(values, keys, dest) + } + + // primitive associative list -- merge the values + return l.setAssociativeSequenceElements(l.elementPrimitiveValues(), []string{""}, dest) +} + +// elementKey returns the merge key to use for the associative list +func (l Walker) elementKey() (string, error) { + var key string + for i := range l.Sources { + if l.Sources[i] != nil && len(l.Sources[i].Content()) > 0 { + newKey := l.Sources[i].GetAssociativeKey() + if key != "" && key != newKey { + return "", errors.Errorf( + "conflicting merge keys [%s,%s] for field %s", + key, newKey, strings.Join(l.Path, ".")) + } + key = newKey + } + } + if key == "" { + return "", errors.Errorf("no merge key found for field %s", + strings.Join(l.Path, ".")) + } + return key, nil +} + +// elementValues returns a slice containing all values for the field across all elements +// from all sources. +// Return value slice is ordered using the original ordering from the elements, where +// elements missing from earlier sources appear later. +func (l Walker) elementValues(keys []string) [][]string { + // use slice to to keep elements in the original order + var returnValues [][]string + var seen sets.StringList + + // if we are doing append, dest node should be the first. + // otherwise dest node should be the last. + beginIdx := 0 + if l.MergeOptions.ListIncreaseDirection == yaml.MergeOptionsListPrepend { + beginIdx = 1 + } + for i := range l.Sources { + src := l.Sources[(i+beginIdx)%len(l.Sources)] + if src == nil { + continue + } + + // add the value of the field for each element + // don't check error, we know this is a list node + values, _ := src.ElementValuesList(keys) + for _, s := range values { + if len(s) == 0 || seen.Has(s) { + continue + } + returnValues = append(returnValues, s) + seen = seen.Insert(s) + } + } + return returnValues +} + +// elementPrimitiveValues returns the primitive values in an associative list -- eg. finalizers +func (l Walker) elementPrimitiveValues() [][]string { + // use slice to to keep elements in the original order + var returnValues [][]string + seen := sets.String{} + // if we are doing append, dest node should be the first. + // otherwise dest node should be the last. + beginIdx := 0 + if l.MergeOptions.ListIncreaseDirection == yaml.MergeOptionsListPrepend { + beginIdx = 1 + } + for i := range l.Sources { + src := l.Sources[(i+beginIdx)%len(l.Sources)] + if src == nil { + continue + } + + // add the value of the field for each element + // don't check error, we know this is a list node + for _, item := range src.YNode().Content { + if seen.Has(item.Value) { + continue + } + returnValues = append(returnValues, []string{item.Value}) + seen.Insert(item.Value) + } + } + return returnValues +} + +// fieldValue returns a slice containing each source's value for fieldName +func (l Walker) elementValueList(keys []string, values []string) []*yaml.RNode { + keys, values = validateKeys([][]string{values}, values, keys) + var fields []*yaml.RNode + for i := range l.Sources { + if l.Sources[i] == nil { + fields = append(fields, nil) + continue + } + fields = append(fields, l.Sources[i].ElementList(keys, values)) + } + return fields +} diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/yaml/walk/map.go b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/walk/map.go new file mode 100644 index 0000000000..afeec0a5a7 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/walk/map.go @@ -0,0 +1,184 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package walk + +import ( + "sort" + + "sigs.k8s.io/kustomize/kyaml/fieldmeta" + "sigs.k8s.io/kustomize/kyaml/openapi" + "sigs.k8s.io/kustomize/kyaml/sets" + "sigs.k8s.io/kustomize/kyaml/yaml" +) + +// walkMap returns the value of VisitMap +// +// - call VisitMap +// - set the return value on l.Dest +// - walk each source field +// - set each source field value on l.Dest +func (l Walker) walkMap() (*yaml.RNode, error) { + // get the new map value + dest, err := l.Sources.setDestNode(l.VisitMap(l.Sources, l.Schema)) + if dest == nil || err != nil { + return nil, err + } + + // recursively set the field values on the map + for _, key := range l.fieldNames() { + var res *yaml.RNode + var keys []*yaml.RNode + if l.VisitKeysAsScalars { + // visit the map keys as if they were scalars, + // this is necessary if doing things such as copying + // comments + for i := range l.Sources { + // construct the sources from the keys + if l.Sources[i] == nil { + keys = append(keys, nil) + continue + } + field := l.Sources[i].Field(key) + if field == nil || yaml.IsMissingOrNull(field.Key) { + keys = append(keys, nil) + continue + } + keys = append(keys, field.Key) + } + // visit the sources as a scalar + // keys don't have any schema --pass in nil + res, err = l.Visitor.VisitScalar(keys, nil) + if err != nil { + return nil, err + } + } + + var s *openapi.ResourceSchema + if l.Schema != nil { + s = l.Schema.Field(key) + } + fv, commentSch, keyStyles := l.fieldValue(key) + if commentSch != nil { + s = commentSch + } + val, err := Walker{ + VisitKeysAsScalars: l.VisitKeysAsScalars, + InferAssociativeLists: l.InferAssociativeLists, + Visitor: l, + Schema: s, + Sources: fv, + MergeOptions: l.MergeOptions, + Path: append(l.Path, key)}.Walk() + if err != nil { + return nil, err + } + + // transfer the comments of res to dest node + var comments yaml.Comments + if !yaml.IsMissingOrNull(res) { + comments = yaml.Comments{ + LineComment: res.YNode().LineComment, + HeadComment: res.YNode().HeadComment, + FootComment: res.YNode().FootComment, + } + if len(keys) > 0 && !yaml.IsMissingOrNull(keys[DestIndex]) { + keys[DestIndex].YNode().HeadComment = res.YNode().HeadComment + keys[DestIndex].YNode().LineComment = res.YNode().LineComment + keys[DestIndex].YNode().FootComment = res.YNode().FootComment + } + } + + // this handles empty and non-empty values + fieldSetter := yaml.FieldSetter{ + Name: key, + Comments: comments, + AppendKeyStyle: keyStyles[val], + Value: val, + } + _, err = dest.Pipe(fieldSetter) + if err != nil { + return nil, err + } + } + + return dest, nil +} + +// valueIfPresent returns node.Value if node is non-nil, otherwise returns nil +func (l Walker) valueIfPresent(node *yaml.MapNode) (*yaml.RNode, *openapi.ResourceSchema) { + if node == nil { + return nil, nil + } + + // parse the schema for the field if present + var s *openapi.ResourceSchema + fm := fieldmeta.FieldMeta{} + var err error + // check the value for a schema + if err = fm.Read(node.Value); err == nil { + s = &openapi.ResourceSchema{Schema: &fm.Schema} + if fm.Schema.Ref.String() != "" { + r, err := openapi.Resolve(&fm.Schema.Ref, openapi.Schema()) + if err == nil && r != nil { + s.Schema = r + } + } + } + // check the key for a schema -- this will be used + // when the value is a Sequence (comments are attached) + // to the key + if fm.IsEmpty() { + if err = fm.Read(node.Key); err == nil { + s = &openapi.ResourceSchema{Schema: &fm.Schema} + } + if fm.Schema.Ref.String() != "" { + r, err := openapi.Resolve(&fm.Schema.Ref, openapi.Schema()) + if err == nil && r != nil { + s.Schema = r + } + } + } + return node.Value, s +} + +// fieldNames returns a sorted slice containing the names of all fields that appear in any of +// the sources +func (l Walker) fieldNames() []string { + fields := sets.String{} + for _, s := range l.Sources { + if s == nil { + continue + } + // don't check error, we know this is a mapping node + sFields, _ := s.Fields() + fields.Insert(sFields...) + } + result := fields.List() + sort.Strings(result) + return result +} + +// fieldValue returns a slice containing each source's value for fieldName, the +// schema, and a map of each source's value to the style for the source's key. +func (l Walker) fieldValue(fieldName string) ([]*yaml.RNode, *openapi.ResourceSchema, map[*yaml.RNode]yaml.Style) { + var fields []*yaml.RNode + var sch *openapi.ResourceSchema + keyStyles := make(map[*yaml.RNode]yaml.Style, len(l.Sources)) + for i := range l.Sources { + if l.Sources[i] == nil { + fields = append(fields, nil) + continue + } + field := l.Sources[i].Field(fieldName) + f, s := l.valueIfPresent(field) + fields = append(fields, f) + if field != nil && field.Key != nil && field.Key.YNode() != nil { + keyStyles[f] = field.Key.YNode().Style + } + if sch == nil && !s.IsMissingOrNull() { + sch = s + } + } + return fields, sch, keyStyles +} diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/yaml/walk/nonassociative_sequence.go b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/walk/nonassociative_sequence.go new file mode 100644 index 0000000000..91b187e5bf --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/walk/nonassociative_sequence.go @@ -0,0 +1,13 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package walk + +import ( + "sigs.k8s.io/kustomize/kyaml/yaml" +) + +// walkNonAssociativeSequence returns the value of VisitList +func (l Walker) walkNonAssociativeSequence() (*yaml.RNode, error) { + return l.VisitList(l.Sources, l.Schema, NonAssociateList) +} diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/yaml/walk/scalar.go b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/walk/scalar.go new file mode 100644 index 0000000000..1a26f6dffe --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/walk/scalar.go @@ -0,0 +1,11 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package walk + +import "sigs.k8s.io/kustomize/kyaml/yaml" + +// walkScalar returns the value of VisitScalar +func (l Walker) walkScalar() (*yaml.RNode, error) { + return l.VisitScalar(l.Sources, l.Schema) +} diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/yaml/walk/visitor.go b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/walk/visitor.go new file mode 100644 index 0000000000..153ac29455 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/walk/visitor.go @@ -0,0 +1,28 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package walk + +import ( + "sigs.k8s.io/kustomize/kyaml/openapi" + "sigs.k8s.io/kustomize/kyaml/yaml" +) + +type ListKind int32 + +const ( + AssociativeList ListKind = 1 + iota + NonAssociateList +) + +// Visitor is invoked by walk with source and destination node pairs +type Visitor interface { + VisitMap(Sources, *openapi.ResourceSchema) (*yaml.RNode, error) + + VisitScalar(Sources, *openapi.ResourceSchema) (*yaml.RNode, error) + + VisitList(Sources, *openapi.ResourceSchema, ListKind) (*yaml.RNode, error) +} + +// ClearNode is returned if GrepFilter should do nothing after calling Set +var ClearNode *yaml.RNode diff --git a/vendor/sigs.k8s.io/kustomize/kyaml/yaml/walk/walk.go b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/walk/walk.go new file mode 100644 index 0000000000..68de1324e0 --- /dev/null +++ b/vendor/sigs.k8s.io/kustomize/kyaml/yaml/walk/walk.go @@ -0,0 +1,186 @@ +// Copyright 2019 The Kubernetes Authors. +// SPDX-License-Identifier: Apache-2.0 + +package walk + +import ( + "fmt" + "os" + "strings" + + "sigs.k8s.io/kustomize/kyaml/fieldmeta" + "sigs.k8s.io/kustomize/kyaml/openapi" + "sigs.k8s.io/kustomize/kyaml/yaml" + "sigs.k8s.io/kustomize/kyaml/yaml/schema" +) + +// Walker walks the Source RNode and modifies the RNode provided to GrepFilter. +type Walker struct { + // Visitor is invoked by GrepFilter + Visitor + + Schema *openapi.ResourceSchema + + // Source is the RNode to walk. All Source fields and associative list elements + // will be visited. + Sources Sources + + // Path is the field path to the current Source Node. + Path []string + + // InferAssociativeLists if set to true will infer merge strategies for + // fields which it doesn't have the schema based on the fields in the + // list elements. + InferAssociativeLists bool + + // VisitKeysAsScalars if true will call VisitScalar on map entry keys, + // providing nil as the OpenAPI schema. + VisitKeysAsScalars bool + + // MergeOptions is a struct to store options for merge + MergeOptions yaml.MergeOptions +} + +// Kind returns the kind of the first non-null node in Sources. +func (l Walker) Kind() yaml.Kind { + for _, s := range l.Sources { + if !yaml.IsMissingOrNull(s) { + return s.YNode().Kind + } + } + return 0 +} + +// Walk will recursively traverse every item in the Sources and perform corresponding +// actions on them +func (l Walker) Walk() (*yaml.RNode, error) { + l.Schema = l.GetSchema() + + // invoke the handler for the corresponding node type + switch l.Kind() { + case yaml.MappingNode: + if err := yaml.ErrorIfAnyInvalidAndNonNull(yaml.MappingNode, l.Sources...); err != nil { + return nil, err + } + return l.walkMap() + case yaml.SequenceNode: + if err := yaml.ErrorIfAnyInvalidAndNonNull(yaml.SequenceNode, l.Sources...); err != nil { + return nil, err + } + // AssociativeSequence means the items in the sequence are associative. They can be merged + // according to merge key. + if schema.IsAssociative(l.Schema, l.Sources, l.InferAssociativeLists) { + return l.walkAssociativeSequence() + } + return l.walkNonAssociativeSequence() + + case yaml.ScalarNode: + if err := yaml.ErrorIfAnyInvalidAndNonNull(yaml.ScalarNode, l.Sources...); err != nil { + return nil, err + } + return l.walkScalar() + case 0: + // walk empty nodes as maps + return l.walkMap() + default: + return nil, nil + } +} + +func (l Walker) GetSchema() *openapi.ResourceSchema { + for i := range l.Sources { + r := l.Sources[i] + if yaml.IsMissingOrNull(r) { + continue + } + + fm := fieldmeta.FieldMeta{} + if err := fm.Read(r); err == nil && !fm.IsEmpty() { + // per-field schema, this is fine + if fm.Schema.Ref.String() != "" { + // resolve the reference + s, err := openapi.Resolve(&fm.Schema.Ref, openapi.Schema()) + if err == nil && s != nil { + fm.Schema = *s + } + } + return &openapi.ResourceSchema{Schema: &fm.Schema} + } + } + + if l.Schema != nil { + return l.Schema + } + for i := range l.Sources { + r := l.Sources[i] + if yaml.IsMissingOrNull(r) { + continue + } + + m, _ := r.GetMeta() + if m.Kind == "" || m.APIVersion == "" { + continue + } + + s := openapi.SchemaForResourceType(yaml.TypeMeta{Kind: m.Kind, APIVersion: m.APIVersion}) + if s != nil { + return s + } + } + return nil +} + +const ( + DestIndex = iota + OriginIndex + UpdatedIndex +) + +// Sources are a list of RNodes. First item is the dest node, followed by +// multiple source nodes. +type Sources []*yaml.RNode + +// Dest returns the destination node +func (s Sources) Dest() *yaml.RNode { + if len(s) <= DestIndex { + return nil + } + return s[DestIndex] +} + +// Origin returns the origin node +func (s Sources) Origin() *yaml.RNode { + if len(s) <= OriginIndex { + return nil + } + return s[OriginIndex] +} + +// Updated returns the updated node +func (s Sources) Updated() *yaml.RNode { + if len(s) <= UpdatedIndex { + return nil + } + return s[UpdatedIndex] +} + +func (s Sources) String() string { + var values []string + for i := range s { + str, err := s[i].String() + if err != nil { + fmt.Fprintf(os.Stderr, "%v\n", err) + } + values = append(values, str) + } + return strings.Join(values, "\n") +} + +// setDestNode sets the destination source node +func (s Sources) setDestNode(node *yaml.RNode, err error) (*yaml.RNode, error) { + if err != nil { + return nil, err + } + s[0] = node + return node, nil +} diff --git a/vendor/sigs.k8s.io/yaml/goyaml.v2/README.md b/vendor/sigs.k8s.io/yaml/goyaml.v2/README.md new file mode 100644 index 0000000000..9a8f1e6782 --- /dev/null +++ b/vendor/sigs.k8s.io/yaml/goyaml.v2/README.md @@ -0,0 +1,71 @@ +# goyaml.v2 + +This package provides type and function aliases for the `go.yaml.in/yaml/v2` package (which is compatible with `gopkg.in/yaml.v2`). + +## Purpose + +The purpose of this package is to: + +1. Provide a transition path for users migrating from the sigs.k8s.io/yaml package to direct usage of go.yaml.in/yaml/v2 +2. Maintain compatibility with existing code while encouraging migration to the upstream package +3. Reduce maintenance overhead by delegating to the upstream implementation + +## Usage + +Instead of importing this package directly, you should migrate to using `go.yaml.in/yaml/v2` directly: + +```go +// Old way +import "sigs.k8s.io/yaml/goyaml.v2" + +// Recommended way +import "go.yaml.in/yaml/v2" +``` + +## Available Types and Functions + +All public types and functions from `go.yaml.in/yaml/v2` are available through this package: + +### Types + +- `MapSlice` - Encodes and decodes as a YAML map with preserved key order +- `MapItem` - An item in a MapSlice +- `Unmarshaler` - Interface for custom unmarshaling behavior +- `Marshaler` - Interface for custom marshaling behavior +- `IsZeroer` - Interface to check if an object is zero +- `Decoder` - Reads and decodes YAML values from an input stream +- `Encoder` - Writes YAML values to an output stream +- `TypeError` - Error returned by Unmarshal for decoding issues + +### Functions + +- `Unmarshal` - Decodes YAML data into a Go value +- `UnmarshalStrict` - Like Unmarshal but errors on unknown fields +- `Marshal` - Serializes a Go value into YAML +- `NewDecoder` - Creates a new Decoder +- `NewEncoder` - Creates a new Encoder +- `FutureLineWrap` - Controls line wrapping behavior + +## Migration Guide + +To migrate from this package to `go.yaml.in/yaml/v2`: + +1. Update your import statements: + ```go + // From + import "sigs.k8s.io/yaml/goyaml.v2" + + // To + import "go.yaml.in/yaml/v2" + ``` + +2. No code changes should be necessary as the API is identical + +3. Update your go.mod file to include the dependency: + ``` + require go.yaml.in/yaml/v2 v2.4.2 + ``` + +## Deprecation Notice + +All types and functions in this package are marked as deprecated. You should migrate to using `go.yaml.in/yaml/v2` directly. diff --git a/vendor/sigs.k8s.io/yaml/goyaml.v2/yaml_aliases.go b/vendor/sigs.k8s.io/yaml/goyaml.v2/yaml_aliases.go new file mode 100644 index 0000000000..8c82bc2cb9 --- /dev/null +++ b/vendor/sigs.k8s.io/yaml/goyaml.v2/yaml_aliases.go @@ -0,0 +1,85 @@ +/* +Copyright 2025 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package yaml + +import ( + gopkg_yaml "go.yaml.in/yaml/v2" +) + +// Type aliases for public types from go.yaml.in/yaml/v2 +type ( + // MapSlice encodes and decodes as a YAML map. + // The order of keys is preserved when encoding and decoding. + // Deprecated: Use go.yaml.in/yaml/v2.MapSlice directly. + MapSlice = gopkg_yaml.MapSlice + + // MapItem is an item in a MapSlice. + // Deprecated: Use go.yaml.in/yaml/v2.MapItem directly. + MapItem = gopkg_yaml.MapItem + + // Unmarshaler is implemented by types to customize their behavior when being unmarshaled from a YAML document. + // Deprecated: Use go.yaml.in/yaml/v2.Unmarshaler directly. + Unmarshaler = gopkg_yaml.Unmarshaler + + // Marshaler is implemented by types to customize their behavior when being marshaled into a YAML document. + // Deprecated: Use go.yaml.in/yaml/v2.Marshaler directly. + Marshaler = gopkg_yaml.Marshaler + + // IsZeroer is used to check whether an object is zero to determine whether it should be omitted when + // marshaling with the omitempty flag. One notable implementation is time.Time. + // Deprecated: Use go.yaml.in/yaml/v2.IsZeroer directly. + IsZeroer = gopkg_yaml.IsZeroer + + // Decoder reads and decodes YAML values from an input stream. + // Deprecated: Use go.yaml.in/yaml/v2.Decoder directly. + Decoder = gopkg_yaml.Decoder + + // Encoder writes YAML values to an output stream. + // Deprecated: Use go.yaml.in/yaml/v2.Encoder directly. + Encoder = gopkg_yaml.Encoder + + // TypeError is returned by Unmarshal when one or more fields in the YAML document cannot be properly decoded. + // Deprecated: Use go.yaml.in/yaml/v2.TypeError directly. + TypeError = gopkg_yaml.TypeError +) + +// Function aliases for public functions from go.yaml.in/yaml/v2 +var ( + // Unmarshal decodes the first document found within the in byte slice and assigns decoded values into the out value. + // Deprecated: Use go.yaml.in/yaml/v2.Unmarshal directly. + Unmarshal = gopkg_yaml.Unmarshal + + // UnmarshalStrict is like Unmarshal except that any fields that are found in the data that do not have corresponding struct members will result in an error. + // Deprecated: Use go.yaml.in/yaml/v2.UnmarshalStrict directly. + UnmarshalStrict = gopkg_yaml.UnmarshalStrict + + // Marshal serializes the value provided into a YAML document. + // Deprecated: Use go.yaml.in/yaml/v2.Marshal directly. + Marshal = gopkg_yaml.Marshal + + // NewDecoder returns a new decoder that reads from r. + // Deprecated: Use go.yaml.in/yaml/v2.NewDecoder directly. + NewDecoder = gopkg_yaml.NewDecoder + + // NewEncoder returns a new encoder that writes to w. + // Deprecated: Use go.yaml.in/yaml/v2.NewEncoder directly. + NewEncoder = gopkg_yaml.NewEncoder + + // FutureLineWrap globally disables line wrapping when encoding long strings. + // Deprecated: Use go.yaml.in/yaml/v2.FutureLineWrap directly. + FutureLineWrap = gopkg_yaml.FutureLineWrap +) diff --git a/vendor/sigs.k8s.io/yaml/goyaml.v3/README.md b/vendor/sigs.k8s.io/yaml/goyaml.v3/README.md new file mode 100644 index 0000000000..318a00923b --- /dev/null +++ b/vendor/sigs.k8s.io/yaml/goyaml.v3/README.md @@ -0,0 +1,70 @@ +# goyaml.v3 + +This package provides type and function aliases for the `go.yaml.in/yaml/v3` package (which is compatible with `gopkg.in/yaml.v3`). + +## Purpose + +The purpose of this package is to: + +1. Provide a transition path for users migrating from the sigs.k8s.io/yaml package to direct usage of go.yaml.in/yaml/v3 +2. Maintain compatibility with existing code while encouraging migration to the upstream package +3. Reduce maintenance overhead by delegating to the upstream implementation + +## Usage + +Instead of importing this package directly, you should migrate to using `go.yaml.in/yaml/v3` directly: + +```go +// Old way +import "sigs.k8s.io/yaml/goyaml.v3" + +// Recommended way +import "go.yaml.in/yaml/v3" +``` + +## Available Types and Functions + +All public types and functions from `go.yaml.in/yaml/v3` are available through this package: + +### Types + +- `Unmarshaler` - Interface for custom unmarshaling behavior +- `Marshaler` - Interface for custom marshaling behavior +- `IsZeroer` - Interface to check if an object is zero +- `Decoder` - Reads and decodes YAML values from an input stream +- `Encoder` - Writes YAML values to an output stream +- `TypeError` - Error returned by Unmarshal for decoding issues +- `Node` - Represents a YAML node in the document +- `Kind` - Represents the kind of a YAML node +- `Style` - Represents the style of a YAML node + +### Functions + +- `Unmarshal` - Decodes YAML data into a Go value +- `Marshal` - Serializes a Go value into YAML +- `NewDecoder` - Creates a new Decoder +- `NewEncoder` - Creates a new Encoder + +## Migration Guide + +To migrate from this package to `go.yaml.in/yaml/v3`: + +1. Update your import statements: + ```go + // From + import "sigs.k8s.io/yaml/goyaml.v3" + + // To + import "go.yaml.in/yaml/v3" + ``` + +2. No code changes should be necessary as the API is identical + +3. Update your go.mod file to include the dependency: + ``` + require go.yaml.in/yaml/v3 v3.0.3 + ``` + +## Deprecation Notice + +All types and functions in this package are marked as deprecated. You should migrate to using `go.yaml.in/yaml/v3` directly. diff --git a/vendor/sigs.k8s.io/yaml/goyaml.v3/yaml_aliases.go b/vendor/sigs.k8s.io/yaml/goyaml.v3/yaml_aliases.go new file mode 100644 index 0000000000..8826ffefeb --- /dev/null +++ b/vendor/sigs.k8s.io/yaml/goyaml.v3/yaml_aliases.go @@ -0,0 +1,130 @@ +/* +Copyright 2025 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package yaml + +import ( + gopkg_yaml "go.yaml.in/yaml/v3" +) + +// Type aliases for public types from go.yaml.in/yaml/v3 +type ( + // Unmarshaler is implemented by types to customize their behavior when being unmarshaled from a YAML document. + // Deprecated: Use go.yaml.in/yaml/v3.Unmarshaler directly. + Unmarshaler = gopkg_yaml.Unmarshaler + + // Marshaler is implemented by types to customize their behavior when being marshaled into a YAML document. + // Deprecated: Use go.yaml.in/yaml/v3.Marshaler directly. + Marshaler = gopkg_yaml.Marshaler + + // IsZeroer is used to check whether an object is zero to determine whether it should be omitted when + // marshaling with the omitempty flag. One notable implementation is time.Time. + // Deprecated: Use go.yaml.in/yaml/v3.IsZeroer directly. + IsZeroer = gopkg_yaml.IsZeroer + + // Decoder reads and decodes YAML values from an input stream. + // Deprecated: Use go.yaml.in/yaml/v3.Decoder directly. + Decoder = gopkg_yaml.Decoder + + // Encoder writes YAML values to an output stream. + // Deprecated: Use go.yaml.in/yaml/v3.Encoder directly. + Encoder = gopkg_yaml.Encoder + + // TypeError is returned by Unmarshal when one or more fields in the YAML document cannot be properly decoded. + // Deprecated: Use go.yaml.in/yaml/v3.TypeError directly. + TypeError = gopkg_yaml.TypeError + + // Node represents a YAML node in the document. + // Deprecated: Use go.yaml.in/yaml/v3.Node directly. + Node = gopkg_yaml.Node + + // Kind represents the kind of a YAML node. + // Deprecated: Use go.yaml.in/yaml/v3.Kind directly. + Kind = gopkg_yaml.Kind + + // Style represents the style of a YAML node. + // Deprecated: Use go.yaml.in/yaml/v3.Style directly. + Style = gopkg_yaml.Style +) + +// Constants for Kind type from go.yaml.in/yaml/v3 +const ( + // DocumentNode represents a YAML document node. + // Deprecated: Use go.yaml.in/yaml/v3.DocumentNode directly. + DocumentNode = gopkg_yaml.DocumentNode + + // SequenceNode represents a YAML sequence node. + // Deprecated: Use go.yaml.in/yaml/v3.SequenceNode directly. + SequenceNode = gopkg_yaml.SequenceNode + + // MappingNode represents a YAML mapping node. + // Deprecated: Use go.yaml.in/yaml/v3.MappingNode directly. + MappingNode = gopkg_yaml.MappingNode + + // ScalarNode represents a YAML scalar node. + // Deprecated: Use go.yaml.in/yaml/v3.ScalarNode directly. + ScalarNode = gopkg_yaml.ScalarNode + + // AliasNode represents a YAML alias node. + // Deprecated: Use go.yaml.in/yaml/v3.AliasNode directly. + AliasNode = gopkg_yaml.AliasNode +) + +// Constants for Style type from go.yaml.in/yaml/v3 +const ( + // TaggedStyle represents a tagged YAML style. + // Deprecated: Use go.yaml.in/yaml/v3.TaggedStyle directly. + TaggedStyle = gopkg_yaml.TaggedStyle + + // DoubleQuotedStyle represents a double-quoted YAML style. + // Deprecated: Use go.yaml.in/yaml/v3.DoubleQuotedStyle directly. + DoubleQuotedStyle = gopkg_yaml.DoubleQuotedStyle + + // SingleQuotedStyle represents a single-quoted YAML style. + // Deprecated: Use go.yaml.in/yaml/v3.SingleQuotedStyle directly. + SingleQuotedStyle = gopkg_yaml.SingleQuotedStyle + + // LiteralStyle represents a literal YAML style. + // Deprecated: Use go.yaml.in/yaml/v3.LiteralStyle directly. + LiteralStyle = gopkg_yaml.LiteralStyle + + // FoldedStyle represents a folded YAML style. + // Deprecated: Use go.yaml.in/yaml/v3.FoldedStyle directly. + FoldedStyle = gopkg_yaml.FoldedStyle + + // FlowStyle represents a flow YAML style. + // Deprecated: Use go.yaml.in/yaml/v3.FlowStyle directly. + FlowStyle = gopkg_yaml.FlowStyle +) + +// Function aliases for public functions from go.yaml.in/yaml/v3 +var ( + // Unmarshal decodes the first document found within the in byte slice and assigns decoded values into the out value. + // Deprecated: Use go.yaml.in/yaml/v3.Unmarshal directly. + Unmarshal = gopkg_yaml.Unmarshal + + // Marshal serializes the value provided into a YAML document. + // Deprecated: Use go.yaml.in/yaml/v3.Marshal directly. + Marshal = gopkg_yaml.Marshal + + // NewDecoder returns a new decoder that reads from r. + // Deprecated: Use go.yaml.in/yaml/v3.NewDecoder directly. + NewDecoder = gopkg_yaml.NewDecoder + + // NewEncoder returns a new encoder that writes to w. + // Deprecated: Use go.yaml.in/yaml/v3.NewEncoder directly. + NewEncoder = gopkg_yaml.NewEncoder +)